diff --git a/.claude/settings.local.json b/.claude/settings.local.json
deleted file mode 100644
index 3b11005..0000000
--- a/.claude/settings.local.json
+++ /dev/null
@@ -1,8 +0,0 @@
-{
- "permissions": {
- "allow": [
- "Bash(dir:*)",
- "Bash(findstr:*)"
- ]
- }
-}
diff --git a/.gitattributes b/.gitattributes
index ac73c08..da98514 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,2 +1 @@
-util/bb-sdk/extra/phnt.h linguist-generated
 *.rs linguist-detectable=true
diff --git a/.gitignore b/.gitignore
index b4e6742..3eefd66 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 /target
+/.claude
 nul
\ No newline at end of file
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..fc8feca
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,6 @@
+[submodule "crates/bb-sparse/sparse"]
+ path = crates/bb-sparse/sparse
+ url = https://github.com/cristeigabriela/sparse.git
+[submodule "crates/bb-sdk/phnt"]
+ path = crates/bb-sdk/phnt
+ url = https://github.com/mrexodia/phnt-single-header.git
diff --git a/CLAUDE.md b/CLAUDE.md
new file mode 100644
index 0000000..14ca959
--- /dev/null
+++ b/CLAUDE.md
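Review bot: The new `.gitmodules` records only `path` and `url` for `sparse` and `phnt-single-header`, so the revision that gets built is whatever gitlink the superproject carries, and the CLAUDE.md added in this same commit states that both checkouts feed `build.rs` (Python run from `sparse`, `phnt.h` generated from `phnt`) — third-party code executes at `cargo build` time. A gitlink bump therefore deserves the same review as a dependency update, and a comment in the file would make that visible to whoever runs `update-submodules.ps1` next: `# Both checkouts are executed/consumed by build.rs at cargo build time; review a pinned-commit change like any dependency bump.` Whether `update-submodules.ps1` checks out the recorded commit or fast-forwards to a branch head is not visible in this diff, so confirm that before relying on the pin.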
@@ -0,0 +1,155 @@ +# CLAUDE.md + +Instructions for AI assistants working on this project. + +## What is bb? + +**Benowin Blanc** (bb) is a set of Windows SDK/PHNT header analysis tools. It parses C/C++ headers via libclang and provides struct layouts, constant values, and function declarations with full ABI awareness (register/stack parameter locations per architecture and calling convention). + +The project runs on Windows only (requires MSVC build tools + libclang.dll). + +## Workspace structure + +``` +bb/ +├── crates/ # Libraries (never produce binaries) +│ ├── bb-arch # Architecture enums, registers, ABI location types, JSON serialization +│ ├── bb-clang # libclang abstractions: Struct, Enum, Constant, Function, Param, TypeInfo +│ ├── bb-cli # Shared CLI args (SharedArgs), suggestions, terminal_width, helpers +│ ├── bb-sdk # Windows SDK + PHNT header config, parsing, architecture defines +│ ├── bb-shared # Tiny utilities: glob_match, levenshtein, suggest_closest +│ ├── bb-sparse # Embedded MSDN API metadata (compressed JSON from sparse submodule) +│ ├── bb-sql # Generic SQL WHERE evaluator + SQLite export (rusqlite, sqlparser) +│ └── bb-tui # Shared TUI framework (ratatui app loop, keybinds, layout) +├── cli/ # CLI binaries (each has a lib + bin) +│ ├── bb-types # Struct/class layout inspector +│ ├── bb-consts # Constant/enum/macro inspector +│ └── bb-funcs # Function inspector with ABI, sparse metadata, SQL filtering +├── tui/ # TUI binaries +│ ├── bb-types-tui # Interactive struct browser +│ └── bb-consts-tui # Interactive constant browser +├── tests/ # Integration tests (bb-tests crate) +├── update-submodules.ps1 +└── Cargo.toml # Workspace root +``` + +## Dependency flow + +``` +bb-arch ← bb-clang ← bb-sdk ← bb-cli + ↑ + bb-shared bb-sparse bb-sql + ↓ + cli/{bb-types, bb-consts, bb-funcs} + ↓ + tui/{bb-types-tui, bb-consts-tui} +``` + +- `bb-clang` is the core parsing library. It must NOT depend on `bb-sparse`, `bb-sdk`, `bb-sql`, or any CLI/TUI crate. 
+- `bb-sparse` is a pure data crate. It must NOT depend on `bb-clang`. +- `bb-sql` is a standalone SQL crate. It must NOT depend on `bb-clang`. +- `bb-funcs` joins `bb-clang` + `bb-sparse` via its `enriched` module. +- All CLIs use `bb-sql` for `--sqlite` export and (bb-funcs) `--where` filtering. + +## Building + +Requires MSVC build tools, LLVM/Clang (libclang.dll >= 18.1), Python >= 3.9, Rust 2024 edition. + +```powershell +# On Windows, MSVC link.exe must be on PATH before Git's /usr/bin/link.exe +# If cargo fails to link, prepend MSVC to PATH or use a Developer Command Prompt + +.\update-submodules.ps1 # init phnt + sparse submodules +cargo build --release +``` + +The `bb-sparse` build.rs auto-generates MSDN metadata from the sparse submodule (Python required). The `bb-sdk` build.rs auto-generates phnt.h from the phnt submodule. Both cache results and skip regeneration when the submodule hasn't changed. + +### Environment variable overrides + +| Variable | Purpose | +|----------|---------| +| `BB_PHNT_HEADER` | Use a custom phnt.h instead of generating from submodule | +| `BB_SPARSE_JSON` | Use a pre-generated sparse.json instead of running Python | + +## Running tests + +```powershell +# MSVC link.exe must be first on PATH +$env:PATH = "C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.44.35207\bin\Hostx64\x64;$env:PATH" + +cargo test --workspace --verbose +# or just integration tests: +cargo test --package bb-tests -- --test-threads=1 +# or just bb-funcs unit tests: +cargo test --package bb-funcs +# or just bb-sql unit tests (evaluator + SQLite export): +cargo test --package bb-sql +``` + +Tests use `serial_test` because libclang is not fully thread-safe. Integration tests parse real Windows SDK headers and assert on well-known types/functions (e.g., `_GUID`, `CreateFileW`, `CloseHandle`). + +## Code style and conventions + +- **Module doc comments** (`//!`) at the top of every file describing what the module does. 
+- **Section separators** using `/* ──── Section Name ──── */` Unicode box-drawing comments. +- **`#[must_use]`** on all public functions that return values. +- **`colored` crate** for CLI ANSI colors. `ratatui` for TUI rendering. +- **Semantic color roles**: cyan = type names, green = return types/sizes, yellow = ABI locations, white+bold = identifiers, dimmed = metadata/connectors. +- **Tree connectors**: `├─`, `╰─`, `│` (dimmed) for tree-style output. +- **Error types**: per-entity error enums in `crates/bb-clang/src/error.rs`. Use `thiserror` derive. +- **Serialization**: all bb-clang types derive `Serialize`. The `ToJson` trait in `json.rs` provides structured JSON output. `--sqlite` exports mirror `--json` detail via `export_json_to_sqlite`. +- **Filter pattern**: each CLI has a `FuncFilter`/`StructFilter`/`ConstFilter` struct with pre-parse (Entity-level) and post-parse (constructed type-level) filtering. +- **Stack offsets are callee-entry RSP/ESP-relative** (after CALL, before prologue). Not RBP-relative. + +## Key architectural decisions + +- **`Param::is_stack()`** and **`Param::size()`** are methods on the Param type for ABI queries. +- **`entity_in_header()`** in `bb-clang/location.rs` is the shared header-matching helper used by all filter structs. +- **`bb_cli::current_command_string()`** is used by all CLIs for JSON `"command"` fields. +- **`format_abi_param()`** in `bb-clang/display/function.rs` is the shared ABI row formatter. +- **`format_tags()`** returns `Vec` so callers can extend before joining. +- **`TypeInfo`** in `bb-clang/type_info.rs` is the shared type metadata struct embedded (via `#[serde(flatten)]`) in both `Field` and `Param`. Constructed via `From`. Exposes `underlying_type`, `is_const`, `is_volatile`, `is_restrict`, `is_pointer`, `pointer_depth`, `is_function_pointer`, `is_array`, `array_size`. +- **bb-funcs `enriched` module** owns the sparse metadata rendering. 
Enriched JSON is composed by starting from `p.to_json()` / `f.to_json()` and extending with sparse metadata. bb-clang stays generic. +- **bb-funcs `where_filter` module** evaluates SQL WHERE clauses via `bb-sql::Evaluator`. +- **`bb_cli::terminal_width()`** is the shared terminal width helper used by all CLIs. +- **`bb-sql`** provides a generic `Evaluator` with a column resolver closure, plus `export_json_to_sqlite` for serde-based SQLite export. All CLIs support `--sqlite`. + +## File naming in bb-clang + +| File | Contents | +|------|----------| +| `function/abi.rs` | Calling conventions + ABI parameter assignment engine | +| `function/param.rs` | Param type with `is_stack()`, `size()`, embeds `TypeInfo` | +| `type_info.rs` | Shared `TypeInfo` struct: type classification (pointer, array, const, volatile, function pointer, underlying type) | +| `constant/tokens.rs` | Clang ↔ cexpr token conversion | +| `constant/macro_.rs` | Macro resolution with identifier substitution | +| `ext.rs` | Extension traits for clang types (`UnderlyingType`, `AnonymousType`, etc.) | +| `json.rs` | `ToJson` trait + impls for all entity types (Struct, Field, Enum, Constant, Function, Param) | +| `display/constant.rs` | Constant rendering | +| `display/function.rs` | Function rendering (list, detail, shared formatters) | + +Files using trailing underscores (`struct_/`, `enum_/`, `macro_.rs`) follow the Rust convention for avoiding keyword conflicts. + +## Submodules + +| Path | Repo | Purpose | +|------|------|---------| +| `crates/bb-sparse/sparse` | cristeigabriela/sparse | MSDN API metadata generator | +| `crates/bb-sdk/phnt` | mrexodia/phnt-single-header | PHNT NT header generator | + +Both have nested submodules (sdk-api, systeminformer). Use `.\update-submodules.ps1` to manage them. + +## Self-maintenance + +When making changes to this project, keep this file up to date: + +- If you add, rename, or remove a crate, update the workspace structure diagram. 
+- If you change the dependency flow between crates, update the dependency diagram. +- If you add new conventions or architectural patterns, document them. +- If you rename files in bb-clang, update the file naming section. +- If you add new environment variables, update the overrides table. +- If you change the submodule setup, update the submodules table. +- After every implementation session, review this file and update any sections that have drifted from the current state. + +This file should always reflect the current state of the project, not its history. diff --git a/Cargo.lock b/Cargo.lock index e96a133..74cf426 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2,6 +2,12 @@ # It is not intended for manual editing. version = 4 +[[package]] +name = "adler2" +version = "2.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "320119579fcad9c21884f5c4861d16174d0e06250625266f50fe6898340abefa" + [[package]] name = "aho-corasick" version = "1.1.4" @@ -73,6 +79,15 @@ version = "1.0.100" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a23eb6b1614318a8071c9b2521f36b424b2c83db5eb3a0fead4a6c0809af6e61" +[[package]] +name = "ar_archive_writer" +version = "0.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7eb93bbb63b9c227414f6eb3a0adfddca591a8ce1e9b60661bb08969b87e340b" +dependencies = [ + "object", +] + [[package]] name = "atomic" version = "0.6.1" @@ -94,10 +109,21 @@ version = "0.22.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6" +[[package]] +name = "bb-arch" +version = "0.1.0" +dependencies = [ + "clap", + "serde", + "serde_json", + "thiserror 2.0.18", +] + [[package]] name = "bb-clang" version = "0.1.0" dependencies = [ + "bb-arch", "bb-shared", "cexpr", "clang", @@ -116,6 +142,7 @@ dependencies = [ "bb-shared", "clap", "colored", + "terminal_size", ] [[package]] 
@@ -127,6 +154,7 @@ dependencies = [ "bb-cli", "bb-sdk", "bb-shared", + "bb-sql", "clang", "clap", "colored", @@ -155,13 +183,18 @@ name = "bb-funcs" version = "0.1.0" dependencies = [ "anyhow", + "bb-arch", "bb-clang", "bb-cli", + "bb-consts", "bb-sdk", "bb-shared", + "bb-sparse", + "bb-sql", "clang", "clap", "colored", + "comfy-table", "serde", "serde_json", "serial_test", @@ -172,6 +205,7 @@ name = "bb-sdk" version = "0.1.0" dependencies = [ "anyhow", + "bb-arch", "bb-clang", "clang", "clap", @@ -182,13 +216,34 @@ dependencies = [ name = "bb-shared" version = "0.1.0" +[[package]] +name = "bb-sparse" +version = "0.1.0" +dependencies = [ + "flate2", + "serde", + "serde_json", +] + +[[package]] +name = "bb-sql" +version = "0.1.0" +dependencies = [ + "anyhow", + "rusqlite", + "serde_json", + "sqlparser", +] + [[package]] name = "bb-tests" version = "0.1.0" dependencies = [ "anyhow", + "bb-arch", "bb-clang", "bb-consts", + "bb-funcs", "bb-sdk", "bb-types", "clang", @@ -213,6 +268,7 @@ dependencies = [ "bb-cli", "bb-sdk", "bb-shared", + "bb-sql", "clang", "clap", "serde", @@ -292,6 +348,16 @@ dependencies = [ "rustversion", ] +[[package]] +name = "cc" +version = "1.2.58" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e1e928d4b69e3077709075a938a05ffbedfa53a84c8f766efbf8220bb1ff60e1" +dependencies = [ + "find-msvc-tools", + "shlex", +] + [[package]] name = "cexpr" version = "0.6.0" @@ -389,6 +455,17 @@ dependencies = [ "windows-sys 0.59.0", ] +[[package]] +name = "comfy-table" +version = "7.2.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "958c5d6ecf1f214b4c2bbbbf6ab9523a864bd136dcf71a7e8904799acfe1ad47" +dependencies = [ + "crossterm", + "unicode-segmentation", + "unicode-width", +] + [[package]] name = "compact_str" version = "0.9.0" 
@@ -421,6 +498,15 @@ dependencies = [ "libc", ] +[[package]] +name = "crc32fast" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9481c1c90cbf2ac953f07c8d4a58aa3945c425b7185c9154d67a65e4230da511" +dependencies = [ + "cfg-if", +] + [[package]] name = "crossterm" version = "0.29.0" @@ -589,6 +675,18 @@ dependencies = [ "num-traits", ] +[[package]] +name = "fallible-iterator" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2acce4a10f12dc2fb14a218589d4f1f62ef011b2d0cc4b3cb1bba8e94da14649" + +[[package]] +name = "fallible-streaming-iterator" +version = "0.1.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7360491ce676a36bf9bb3c56c1aa791658183a54d2744120f27285738d90465a" + [[package]] name = "fancy-regex" version = "0.11.0" @@ -610,6 +708,12 @@ dependencies = [ "winapi", ] +[[package]] +name = "find-msvc-tools" +version = "0.1.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582" + [[package]] name = "finl_unicode" version = "1.4.0" 
@@ -622,12 +726,28 @@ version = "0.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0ce7134b9999ecaf8bcd65542e436736ef32ddca1b3e06094cb6ec5755203b80" +[[package]] +name = "flate2" +version = "1.1.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "843fba2746e448b37e26a819579957415c8cef339bf08564fe8b7ddbd959573c" +dependencies = [ + "crc32fast", + "miniz_oxide", +] + [[package]] name = "fnv" version = "1.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" +[[package]] +name = "foldhash" +version = "0.1.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2" + [[package]] name = "foldhash" version = "0.2.0" @@ -698,6 +818,15 @@ version = "0.3.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0cc23270f6e1808e30a928bdc84dea0b9b4136a8bc82338574f23baf47bbd280" +[[package]] +name = "hashbrown" +version = "0.15.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9229cfe53dfd69f0609a49f65461bd93001ea1ef889cd5529dd176593f5338a1" +dependencies = [ + "foldhash 0.1.5", +] + [[package]] name = "hashbrown" version = "0.16.1" @@ -706,7 +835,16 @@ checksum = "841d1cc9bed7f9236f321df977030373f4a4163ae1a7dbfe1a51a2c1a51d9100" dependencies = [ "allocator-api2", "equivalent", - "foldhash", + "foldhash 0.2.0", +] + +[[package]] +name = "hashlink" +version = "0.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7382cf6263419f2d8df38c55d7da83da5c18aef87fc7a7fc1fb1e344edfe14c1" +dependencies = [ + "hashbrown 0.15.5", ] [[package]] 
@@ -786,7 +924,7 @@ version = "0.4.11" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8fe90c1150662e858c7d5f945089b7517b0a80d8bf7ba4b1b5ffc984e7230a5b" dependencies = [ - "hashbrown", + "hashbrown 0.16.1", "portable-atomic", "thiserror 2.0.18", ] @@ -809,6 +947,17 @@ version = "0.2.180" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bcc35a38544a891a5f7c865aca548a982ccb3b8650a5b06d0fd33a10283c56fc" +[[package]] +name = "libsqlite3-sys" +version = "0.32.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fbb8270bb4060bd76c6e96f20c52d80620f1d82a3470885694e41e0f81ef6fe7" +dependencies = [ + "cc", + "pkg-config", + "vcpkg", +] + [[package]] name = "line-clipping" version = "0.3.5" @@ -851,7 +1000,7 @@ version = "0.16.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a1dc47f592c06f33f8e3aea9591776ec7c9f9e4124778ff8a3c3b87159f7e593" dependencies = [ - "hashbrown", + "hashbrown 0.16.1", ] [[package]] @@ -891,6 +1040,16 @@ version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a" +[[package]] +name = "miniz_oxide" +version = "0.8.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1fa76a2c86f704bdb222d66965fb3d63269ce38518b83cb0575fca855ebb6316" +dependencies = [ + "adler2", + "simd-adler32", +] + [[package]] name = "mio" version = "1.1.1" @@ -961,6 +1120,15 @@ dependencies = [ "libc", ] +[[package]] +name = "object" +version = "0.37.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ff76201f031d8863c38aa7f905eca4f53abbfa15f609db4277d44cd8938f33fe" +dependencies = [ + "memchr", +] + [[package]] name = "once_cell" version = "1.21.3" 
@@ -1112,6 +1280,12 @@ version = "0.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184" +[[package]] +name = "pkg-config" +version = "0.3.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c" + [[package]] name = "portable-atomic" version = "1.13.1" @@ -1133,6 +1307,16 @@ dependencies = [ "unicode-ident", ] +[[package]] +name = "psm" +version = "0.1.30" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3852766467df634d74f0b2d7819bf8dc483a0eb2e3b0f50f756f9cfe8b0d18d8" +dependencies = [ + "ar_archive_writer", + "cc", +] + [[package]] name = "quote" version = "1.0.44" @@ -1185,7 +1369,7 @@ checksum = "5ef8dea09a92caaf73bff7adb70b76162e5937524058a7e5bff37869cbbec293" dependencies = [ "bitflags 2.10.0", "compact_str", - "hashbrown", + "hashbrown 0.16.1", "indoc", "itertools", "kasuari", @@ -1236,7 +1420,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d7dbfa023cd4e604c2553483820c5fe8aa9d71a42eea5aa77c6e7f35756612db" dependencies = [ "bitflags 2.10.0", - "hashbrown", + "hashbrown 0.16.1", "indoc", "instability", "itertools", @@ -1248,6 +1432,26 @@ dependencies = [ "unicode-width", ] +[[package]] +name = "recursive" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0786a43debb760f491b1bc0269fe5e84155353c67482b9e60d0cfb596054b43e" +dependencies = [ + "recursive-proc-macro-impl", + "stacker", +] + +[[package]] +name = "recursive-proc-macro-impl" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "76009fbe0614077fc1a2ce255e3a1881a2e3a3527097d5dc6d8212c585e7e38b" +dependencies = [ + "quote", + "syn 2.0.114", +] + [[package]] name = "redox_syscall" version = "0.5.18" 
@@ -1286,6 +1490,20 @@ version = "0.8.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a96887878f22d7bad8a3b6dc5b7440e0ada9a245242924394987b21cf2210a4c" +[[package]] +name = "rusqlite" +version = "0.34.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "37e34486da88d8e051c7c0e23c3f15fd806ea8546260aa2fec247e97242ec143" +dependencies = [ + "bitflags 2.10.0", + "fallible-iterator", + "fallible-streaming-iterator", + "hashlink", + "libsqlite3-sys", + "smallvec", +] + [[package]] name = "rustc_version" version = "0.4.1" @@ -1427,6 +1645,12 @@ dependencies = [ "digest", ] +[[package]] +name = "shlex" +version = "1.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" + [[package]] name = "signal-hook" version = "0.3.18" @@ -1458,6 +1682,12 @@ dependencies = [ "libc", ] +[[package]] +name = "simd-adler32" +version = "0.3.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "703d5c7ef118737c72f1af64ad2f6f8c5e1921f818cdcb97b8fe6fc69bf66214" + [[package]] name = "siphasher" version = "1.0.2" @@ -1476,6 +1706,29 @@ version = "1.15.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03" +[[package]] +name = "sqlparser" +version = "0.61.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "dbf5ea8d4d7c808e1af1cbabebca9a2abe603bcefc22294c5b95018d53200cb7" +dependencies = [ + "log", + "recursive", +] + +[[package]] +name = "stacker" +version = "0.1.23" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "08d74a23609d509411d10e2176dc2a4346e3b4aea2e7b1869f19fdedbc71c013" +dependencies = [ + "cc", + "cfg-if", + "libc", + "psm", + "windows-sys 0.59.0", +] + [[package]] name = "static_assertions" version = "1.1.0" 
@@ -1531,6 +1784,16 @@ dependencies = [ "unicode-ident", ] +[[package]] +name = "terminal_size" +version = "0.4.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "230a1b821ccbd75b185820a1f1ff7b14d21da1e442e22c0863ea5f08771a8874" +dependencies = [ + "rustix", + "windows-sys 0.61.2", +] + [[package]] name = "terminfo" version = "0.9.0" @@ -1714,6 +1977,12 @@ dependencies = [ "wasm-bindgen", ] +[[package]] +name = "vcpkg" +version = "0.2.15" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426" + [[package]] name = "version_check" version = "0.9.5" diff --git a/Cargo.toml b/Cargo.toml index bda6c8c..0c5d58c 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,5 +1,23 @@ [workspace] -members = ["tests", "bb-types", "util/bb-clang", "util/bb-shared", "util/bb-sdk", "util/bb-cli", "util/bb-tui", "bb-consts", "bb-consts-tui", "bb-types-tui", "bb-funcs"] +members = [ + "tests", + # Libraries + "crates/bb-arch", + "crates/bb-clang", + "crates/bb-shared", + "crates/bb-sdk", + "crates/bb-sparse", + "crates/bb-cli", + "crates/bb-sql", + "crates/bb-tui", + # CLI binaries + "cli/bb-types", + "cli/bb-consts", + "cli/bb-funcs", + # TUI binaries + "tui/bb-types-tui", + "tui/bb-consts-tui", +] resolver = "3" [workspace.package] 
@@ -14,11 +32,14 @@ keywords = ["windows", "cli", "tui", "parser"] categories = ["command-line-utilities", "development-tools", "parsing-tools"] [workspace.dependencies] -bb-clang = { path = "util/bb-clang" } -bb-shared = { path = "util/bb-shared" } -bb-sdk = { path = "util/bb-sdk" } -bb-cli = { path = "util/bb-cli" } -bb-tui = { path = "util/bb-tui" } +bb-arch = { path = "crates/bb-arch" } +bb-clang = { path = "crates/bb-clang" } +bb-sparse = { path = "crates/bb-sparse" } +bb-shared = { path = "crates/bb-shared" } +bb-sdk = { path = "crates/bb-sdk" } +bb-cli = { path = "crates/bb-cli" } +bb-sql = { path = "crates/bb-sql" } +bb-tui = { path = "crates/bb-tui" } clang = { version = "2.0.0", features = ["clang_10_0"] } clap = { version = "4", features = ["derive"] } @@ -28,5 +49,10 @@ serde = { version = "1", features = ["derive"] } serde_json = "1" colored = "2" cexpr = "0.6.0" +comfy-table = "7" +sqlparser = "0.61" +rusqlite = { version = "0.34", features = ["bundled"] } +terminal_size = "0.4" +flate2 = "1" ratatui = "0.30.0" serial_test = "3.2.0" diff --git a/README.md b/README.md index 7e4574e..7f59e84 100644 --- a/README.md +++ b/README.md @@ -8,9 +8,9 @@ A set of command-line tools that parse **Windows SDK** and **PHNT** headers via libclang and let you inspect what's actually in them: struct layouts, field offsets, -enum values, constants, `#define` macros, functions — the works. +enum values, constants, `#define` macros, and **function declarations with full ABI breakdowns** — the works. -Think of it as `dt` from WinDbg, but you don't need a debugger running, +Think of it as `dt` + `x` from WinDbg, but you don't need a debugger running, and it works against any SDK version, architecture, or PHNT release you throw at it. @@ -19,6 +19,29 @@ and it works against any SDK version, architecture, or PHNT release you throw at
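Review bot: `rusqlite = { version = "0.34", features = ["bundled"] }` compiles SQLite from the source vendored in `libsqlite3-sys` (the lockfile hunk above shows it pulling `cc`, `pkg-config` and `vcpkg`), so the SQLite build linked into every `--sqlite`-capable binary is frozen by `Cargo.lock` and only moves when `libsqlite3-sys`/`rusqlite` are bumped; an OS-level SQLite update will not reach it. That is a defensible choice for a Windows-only tool, but it should be stated next to the dependency so it stays in scope for `cargo audit`/dependency-update tooling, e.g. `rusqlite = { version = "0.34", features = ["bundled"] }  # bundled SQLite: upstream security fixes arrive only via libsqlite3-sys bumps`. `sqlparser = "0.61"` is presumably used only to evaluate `--where` in-process rather than against the SQLite file, so no injection surface is implied here, but that is inferred from CLAUDE.md rather than visible code.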
+
+ +### [**Try bb viewer in your browser**](https://cristeigabriela.github.io/bb-viewer/index.html) + +bb-viewer — a vanilla TypeScript SPA built with Bun, powered by bb's JSON exports. + +Browse **8,000+ functions**, **5,000+ types**, and **25,000+ constants** from the Windows SDK and PHNT headers across all architectures (amd64, x86, arm64, arm) — with ABI layouts, memory visualizations, C expressions, and an interactive type graph. No install required. + + + + + + + + + + +
bb viewer dashboardCreateFileW function detail
Dashboard — stats, charts, top typesCreateFileW — ABI layout, metadata, known values
+ +
+ +
+
@@ -63,9 +86,9 @@ and it works against any SDK version, architecture, or PHNT release you throw at ## What is this? -Windows ships with thousands of C/C++ headers (the **Windows SDK**) that define every struct, enum, constant, and macro the OS exposes. Separately, the community-maintained **PHNT** (Process Hacker NT headers) documents internal structures that Microsoft doesn't publish. +Windows ships with thousands of C/C++ headers (the **Windows SDK**) that define every struct, enum, constant, macro, and function the OS exposes. Separately, the community-maintained **PHNT** (Process Hacker NT headers) documents internal structures and syscalls that Microsoft doesn't publish. -`bb` parses these headers with **libclang** and gives you fast, searchable, pretty-printed access to all of it **(hell, even TUIs!)** — no debugger, no IDE, no digging through `.h` files by hand. +`bb` parses these headers with **libclang** and gives you fast, searchable, pretty-printed access to all of it — struct layouts, constant values, **function ABIs with per-parameter register/stack locations**, and more **(hell, even TUIs!)** — no debugger, no IDE, no digging through `.h` files by hand. @@ -77,7 +100,8 @@ Windows ships with thousands of C/C++ headers (the **Windows SDK**) that define - Reverse-engineer Windows internals; - Write kernel drivers or need to check struct layouts across architectures; - Want a quick `dt`-style lookup without spinning up WinDbg; -- Need to export struct/constant definitions as JSON for your own tooling; +- Need to see exactly which register or stack slot each function parameter lands in; +- Need to export struct/constant/function definitions as JSON or SQLite for your own tooling; - Are just curious about what's inside those headers! 
@@ -94,13 +118,29 @@ On a Windows host, you will need the following: - Visual Studio 2019/2022 **Build Tools** - LLVM + Clang (**libclang.dll**) version **>=18.1** - Rust **2024 edition** +- Python **>=3.9** (for submodule setup) Afterwards, you may produce the binaries by invoking the following command: -```bash +```powershell +.\update-submodules.ps1 # init + generate submodule data cargo build --release ``` +The project uses two submodules, managed by `update-submodules.ps1`: + +| Submodule | Purpose | Required for | Setup | +| --- | --- | --- | --- | +| **phnt** | PHNT NT header generation ([phnt-single-header](https://github.com/mrexodia/phnt-single-header)) | `--phnt` flag | `.\update-submodules.ps1 phnt` | +| **sparse** | MSDN API metadata ([sparse](https://github.com/cristeigabriela/sparse)) | Enriched function views | `.\update-submodules.ps1 sparse` | + +You can update them individually or all at once (`.\update-submodules.ps1`). Both support env var overrides for custom data: + +| Env var | What it does | +| --- | --- | +| `BB_PHNT_HEADER` | Use a custom `phnt.h` instead of generating from the submodule | +| `BB_SPARSE_JSON` | Use a pre-generated `sparse.json` instead of running the Python tool | + ### First commands **Inspect a struct layout:** 
@@ -139,14 +179,38 @@ bb-consts --name "_MINIDUMP_TYPE::*" bb-types --arch arm64 --struct _CONTEXT ``` -**Export as JSON for your own tooling:** +**Inspect a function's ABI breakdown:** + +```bash +bb-funcs --name CreateFileW +``` + +**List exported functions from a header:** + +```bash +bb-funcs --name "Create*" --filter fileapi.h --exported +``` + +**Filter functions with SQL WHERE clauses:** + +```bash +bb-funcs --where "params > 3 AND return_type = 'BOOL'" +bb-funcs --where "name LIKE '%File%' AND is_exported = true" +``` + +**Export as JSON or SQLite for your own tooling:** ```bash bb-types --arch arm64 --struct _CONTEXT --json bb-consts --name "PROCESS_*" --json +bb-funcs --name "Nt*" --phnt --json + +# or export to SQLite +bb-funcs --name "Create*" --sqlite funcs.db +bb-types --struct "_*" --sqlite types.db ``` -JSON mode in `bb-types` performs full nested type expansion, producing all matched types alongside their deduplicated `referenced_types` — regardless of the `--depth` flag. +JSON mode in `bb-types` performs full nested type expansion, producing all matched types alongside their deduplicated `referenced_types` — regardless of the `--depth` flag. SQLite exports mirror the same level of detail as JSON. **Typo? Both CLIs suggest close matches:** @@ -174,8 +238,9 @@ error: no structs matching '_PBE' | Crate | What it does | | --- | --- | -| [`bb-types`](bb-types/) | Inspect struct and class layouts | -| [`bb-consts`](bb-consts/) | Inspect constants, enums, and `#define` macros | +| [`bb-types`](cli/bb-types/) | Inspect struct and class layouts | +| [`bb-consts`](cli/bb-consts/) | Inspect constants, enums, and `#define` macros | +| [`bb-funcs`](cli/bb-funcs/) | Inspect function declarations with ABI parameter locations | 
@@ -200,26 +265,25 @@ error: no structs matching '_PBE' | Crate | What it does | | --- | --- | -| [`bb-clang`](util/bb-clang/) | libclang abstractions for types and constants | -| [`bb-sdk`](util/bb-sdk/) | Windows SDK / PHNT header management | -| [`bb-cli`](util/bb-cli/) | Shared CLI argument definitions | -| [`bb-tui`](util/bb-tui/) | Shared TUI framework on [`ratatui`](https://ratatui.rs/) | -| [`bb-shared`](util/bb-shared/) | Small shared utilities | +| [`bb-arch`](crates/bb-arch/) | Architecture definitions, register sets, and ABI location types | +| [`bb-clang`](crates/bb-clang/) | libclang abstractions for types, constants, and functions | +| [`bb-sparse`](crates/bb-sparse/) | Embedded Windows API metadata from MSDN (via [sparse](https://github.com/cristeigabriela/sparse)) | +| [`bb-sdk`](crates/bb-sdk/) | Windows SDK / PHNT header management | +| [`bb-sql`](crates/bb-sql/) | SQL WHERE evaluator + SQLite export | +| [`bb-cli`](crates/bb-cli/) | Shared CLI argument definitions | +| [`bb-tui`](crates/bb-tui/) | Shared TUI framework on [`ratatui`](https://ratatui.rs/) | +| [`bb-shared`](crates/bb-shared/) | Small shared utilities |
@@ -184,8 +249,8 @@ error: no structs matching '_PBE' | Crate | What it does | | --- | --- | -| [`bb-types-tui`](bb-types-tui/) | Interactive struct browser | -| [`bb-consts-tui`](bb-consts-tui/) | Interactive constant browser | +| [`bb-types-tui`](tui/bb-types-tui/) | Interactive struct browser | +| [`bb-consts-tui`](tui/bb-consts-tui/) | Interactive constant browser |
-### Future support - -Support for functions is currently in development, to be implemented with [sparse](https://github.com/cristeigabriela/sparse). +### Web viewer - -

- A diagram illustrating the process described below. - A diagram illustrating the process described below. -

+| | What it does | +| --- | --- | +| [**bb-viewer**](https://github.com/cristeigabriela/bb-viewer) | [Web explorer](https://cristeigabriela.github.io/bb-viewer/index.html) for bb's JSON output — functions, types, constants, type graph | --- @@ -261,7 +325,7 @@ bb-consts --phnt --name "STATUS_*" ## Architecture support -Both tools support cross-compilation via `--arch` — inspect struct layouts for any target from any host: +All tools support cross-compilation via `--arch` — inspect layouts and ABIs for any target from any host: | Flag | Target | Notes | | --- | --- | --- | @@ -281,8 +345,8 @@ bb-types --arch arm64 --struct _CONTEXT The flow is described below:

- Diagram showing the bb crate dependency flow: bb-sdk feeds into bb-clang, which branches into bb-types, bb-funcs bb-consts (CLI frontends), each flowing down to bb-types-tui, bb-funcs-tui and bb-consts-tui (TUI frontends) - Diagram showing the bb crate dependency flow: bb-sdk feeds into bb-clang, which branches into bb-types, bb-funcs bb-consts (CLI frontends), each flowing down to bb-types-tui, bb-funcs-tui and bb-consts-tui (TUI frontends) + Diagram showing the bb crate dependency flow: bb-sdk feeds into bb-clang, which branches into bb-types, bb-funcs bb-consts (CLI frontends), each flowing down to bb-types-tui and bb-consts-tui (TUI frontends) + Diagram showing the bb crate dependency flow: bb-sdk feeds into bb-clang, which branches into bb-types, bb-funcs bb-consts (CLI frontends), each flowing down to bb-types-tui and bb-consts-tui (TUI frontends)

@@ -290,4 +354,6 @@ We use `bb-sdk` to discover (or gather) the SDK environment, then we generate a From the translation unit, we lift the AST entities into `bb-clang` serializable objects, and we use the information that we expose there to develop the tools. +For functions, `bb-clang` computes the full ABI layout: which register or stack slot each parameter occupies, per architecture and calling convention (cdecl, stdcall, fastcall). `bb-funcs` enriches this with MSDN metadata (DLL, lib, min Windows version) from [sparse](https://github.com/cristeigabriela/sparse) and cross-references known constant values for each parameter. SQL `WHERE` clause filtering is supported via `bb-sql`. + For macros specifically, `bb-consts` does a two-pass resolution: first pass evaluates simple literals and variables, second pass substitutes known constant names into unresolved macro token streams before re-evaluating. This handles things like `#define PROCESS_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF)`. \ No newline at end of file diff --git a/bb-funcs/src/lib.rs b/bb-funcs/src/lib.rs deleted file mode 100644 index a3dbf8b..0000000 --- a/bb-funcs/src/lib.rs +++ /dev/null @@ -1,20 +0,0 @@ -//! This is a library that exposes the utilities necessary to make the -//! [`bb-funcs`] CLI. - -use bb_clang::Function; -use clang::{Entity, EntityKind, TranslationUnit}; - -/* ────────────────────── Parse, iter, collect, filter ────────────────────── */ - -pub fn collect_funcs<'a>(tu: &'a TranslationUnit<'a>) -> Vec> { - iter_funcs(tu) - .filter_map(|e| Function::try_from(e).ok()) - .collect() -} - -pub fn iter_funcs<'a>(tu: &'a TranslationUnit<'a>) -> impl Iterator> { - tu.get_entity() - .get_children() - .into_iter() - .filter(|e| matches!(e.get_kind(), EntityKind::FunctionDecl)) -} diff --git a/bb-funcs/src/main.rs b/bb-funcs/src/main.rs deleted file mode 100644 index 1551ebb..0000000 --- a/bb-funcs/src/main.rs +++ /dev/null 
@@ -1,71 +0,0 @@ -use std::collections::HashSet; - -use anyhow::Result; -use bb_clang::Function; -use bb_cli::get_header_config; -use bb_funcs_lib::iter_funcs; -use clang::{Clang, Entity, EntityKind, Index}; -use clap::Parser; - -/* ─────────────────────────────────── CLI ────────────────────────────────── */ - -#[derive(Parser, Debug)] -#[command( - before_help = "Benowin Blanc (bb): Windows through a detective's lens...", - name = "bb-consts", - about = "Parse Windows SDK or PHNT embedded headers and extract functions." -)] -struct Args { - #[command(flatten)] - shared: bb_cli::SharedArgs, -} - -fn main() -> Result<()> { - let args = Args::parse(); - - // Build header configuration. - let config = get_header_config(&args.shared)?; - - // Set up Clang. - let clang_instance = Clang::new().expect("failed to initialize clang"); - let index = Index::new(&clang_instance, false, args.shared.diagnostics); - - // Parse headers. - let tu = config.parse(&index, false)?; - - let mut set: HashSet = HashSet::new(); - let ccs: Vec<_> = iter_funcs(&tu) - .filter_map(|x| x.get_type()) - .filter_map(|x| x.get_calling_convention()) - .collect(); - dbg!(ccs.len()); - for entry in ccs { - set.insert(entry); - } - - dbg!(&set); - - let mut funcs = iter_funcs(&tu); - let f = funcs.nth(1337).unwrap(); - dbg!(f.get_name()); - let t = f.get_type().unwrap(); - dbg!(t.get_calling_convention()); - - // there can be other children like dllimport, typeref for return type, etc - let args: Vec> = f.get_children(); - dbg!(&args); - let all_children_kind = iter_funcs(&tu).flat_map(|x| x.get_children()); - let mut ek: HashSet = HashSet::new(); - for entry in all_children_kind { - if entry.get_kind() == EntityKind::DllImport { - dbg!(&entry); - } - ek.insert(entry.get_kind()); - } - dbg!(&ek); - - let _f = Function::try_from(f).unwrap(); - //dbg!(&f); - - Ok(()) -} 
diff --git a/bb-consts/Cargo.toml b/cli/bb-consts/Cargo.toml similarity index 95% rename from bb-consts/Cargo.toml rename to cli/bb-consts/Cargo.toml index 2c544f4..72f0a2e 100644 --- a/bb-consts/Cargo.toml +++ b/cli/bb-consts/Cargo.toml @@ -16,6 +16,7 @@ bb-sdk.workspace = true bb-clang.workspace = true bb-shared.workspace = true bb-cli.workspace = true +bb-sql.workspace = true clang.workspace = true clap.workspace = true anyhow.workspace = true diff --git a/bb-consts/README.md b/cli/bb-consts/README.md similarity index 93% rename from bb-consts/README.md rename to cli/bb-consts/README.md index 242c14a..8a7762e 100644 --- a/bb-consts/README.md +++ b/cli/bb-consts/README.md @@ -41,14 +41,14 @@ This also works for `--enum` patterns. --- -### Shared with `bb-types` +### Shared with `bb-types` and `bb-funcs`
Expand shared arguments
-These arguments are managed by [`bb-cli`](./util/bb-cli/) and are shared across all CLI apps. +These arguments are managed by [`bb-cli`](../../crates/bb-cli/) and are shared across all CLI apps. | Flag | Default | Description | | --- | --- | --- | diff --git a/bb-consts/src/lib.rs b/cli/bb-consts/src/lib.rs similarity index 94% rename from bb-consts/src/lib.rs rename to cli/bb-consts/src/lib.rs index b0c4721..a017362 100644 --- a/bb-consts/src/lib.rs +++ b/cli/bb-consts/src/lib.rs @@ -57,19 +57,9 @@ pub struct ConstFilter { impl ConstFilter { #[must_use] pub fn matches_header(&self, entity: &Entity) -> bool { - let Some(ref filter) = self.header_filter else { - return true; - }; - - entity - .get_location() - .and_then(|loc| loc.get_file_location().file) - .is_some_and(|f| { - f.get_path() - .to_string_lossy() - .to_lowercase() - .ends_with(filter) - }) + self.header_filter + .as_ref() + .is_none_or(|f| bb_clang::entity_in_header(entity, f)) } #[must_use] @@ -176,6 +166,7 @@ pub fn iter_constants<'a>(tu: &'a TranslationUnit<'a>) -> impl Iterator value lookup table from all known constants (used for /// display-time composition rendering). +#[must_use] pub fn build_lookup_table(enums: &[Enum], vars: &[Constant]) -> ConstLookup { let mut known = HashMap::new(); for e in enums { diff --git a/bb-consts/src/main.rs b/cli/bb-consts/src/main.rs similarity index 76% rename from bb-consts/src/main.rs rename to cli/bb-consts/src/main.rs index d441631..310596c 100644 --- a/bb-consts/src/main.rs +++ b/cli/bb-consts/src/main.rs 
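Review bot: The rewritten `matches_header` drops the explicit `.to_lowercase()` that the removed body applied to the file path before `ends_with(filter)`, and delegates to `bb_clang::entity_in_header(entity, f)`, whose body is not in this diff; unless that helper (or the code that builds `header_filter`) normalises case, a filter such as `FileApi.h` that matched before now misses. Worth confirming and then pinning the contract in a doc comment on the method, e.g. `/// True when no header filter is set, or when the entity's file path ends with the filter (case-insensitive suffix match).`. `Option::is_none_or` is stable only since Rust 1.82, so check it against the workspace `rust-version` if one is declared (not visible here). The enclosing `impl ConstFilter` continues outside the hunk.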
@@ -1,13 +1,17 @@ +use std::path::PathBuf; + use anyhow::Result; use bb_clang::{ConstLookup, Constant, Enum, ToJson, build_referred_components, render_constants}; -use bb_cli::{get_header_config, print_suggestions}; +use bb_cli::{current_command_string, get_header_config, print_suggestions}; use bb_consts_lib::{ ConstFilter, build_lookup_table, collect_constants, collect_enums, filter_constants_by_name, iter_enums, parse_name_pattern, }; use bb_shared::glob_match; +use bb_sql::export_json_to_sqlite; use clang::{Clang, Index}; use clap::Parser; +use serde_json::Value; /* ─────────────────────────────────── CLI ────────────────────────────────── */ @@ -47,6 +51,9 @@ struct Args { #[arg(short = 'c', long = "case-sensitive", help = "Case-sensitive matching")] case_sensitive: bool, + + #[arg(long = "sqlite", help = "Export results to a SQLite database file")] + sqlite: Option, } fn main() -> Result<()> { @@ -109,7 +116,9 @@ fn main() -> Result<()> { ); } - if args.json { + if let Some(ref path) = args.sqlite { + export_consts_sqlite(&enums, &vars, path)?; + } else if args.json { print_json(&enums, &vars, &filter)?; } else { print_display(&enums, &vars, &filter, &known); @@ -148,7 +157,7 @@ fn print_json(enums: &[Enum], vars: &[Constant], filter: &ConstFilter) -> Result }) .collect(); - let command = std::env::args().collect::>().join(" "); + let command = current_command_string(); let referred = build_referred_components(vars.iter().map(|c| c.get_name().to_string()), vars.iter()); 
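Review bot: In the `@@ -109,7 +116,9 @@` hunk `--sqlite` silently wins over `--json`: a user passing both gets a database file and no JSON on stdout, with nothing telling them one flag was ignored. Declaring the exclusivity to clap turns that into an argument error, `#[arg(long = "sqlite", conflicts_with = "json", help = "Export results to a SQLite database file")]` on the new field in the `@@ -47,6 +51,9 @@` hunk. Both `struct Args` and `main` extend beyond the hunks shown.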
@@ -163,3 +172,36 @@ fn print_json(enums: &[Enum], vars: &[Constant], filter: &ConstFilter) -> Result println!("{}", serde_json::to_string_pretty(&output)?); Ok(()) } + +/* ──────────────────────────── SQLite export ───────────────────────────── */ + +fn export_consts_sqlite(enums: &[Enum], vars: &[Constant], path: &std::path::Path) -> Result<()> { + // Export standalone constants to their own table. + let const_rows: Vec = vars.iter().map(|c| c.to_json()).collect(); + if !const_rows.is_empty() { + export_json_to_sqlite(path, "constants", &const_rows)?; + } + + // Export enum constants to a separate table (includes parent enum name). + let mut enum_const_rows: Vec = Vec::new(); + for e in enums { + for c in e.get_constants() { + let mut val = c.to_json(); + if let Some(obj) = val.as_object_mut() { + obj.insert("enum".to_string(), Value::String(e.get_name().to_string())); + } + enum_const_rows.push(val); + } + } + if !enum_const_rows.is_empty() { + export_json_to_sqlite(path, "enum_constants", &enum_const_rows)?; + } + + // Export enums themselves as a third table. + let enum_rows: Vec = enums.iter().map(|e| e.to_json()).collect(); + if !enum_rows.is_empty() { + export_json_to_sqlite(path, "enums", &enum_rows)?; + } + + Ok(()) +} diff --git a/bb-funcs/Cargo.toml b/cli/bb-funcs/Cargo.toml similarity index 75% rename from bb-funcs/Cargo.toml rename to cli/bb-funcs/Cargo.toml index befb801..ae600f0 100644 --- a/bb-funcs/Cargo.toml +++ b/cli/bb-funcs/Cargo.toml @@ -12,8 +12,11 @@ name = "bb_funcs_lib" path = "src/lib.rs" [dependencies] +bb-arch.workspace = true +bb-consts = { path = "../bb-consts" } # sibling in cli/ bb-sdk.workspace = true bb-clang.workspace = true +bb-sparse.workspace = true bb-shared.workspace = true bb-cli.workspace = true clang.workspace = true 
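Review bot: `export_consts_sqlite` writes each of the three tables only when its row set is non-empty, so a query with no standalone constants produces a database without a `constants` table (and a query matching nothing may produce no file), and a consumer then gets `no such table` rather than an empty result; if `export_json_to_sqlite` needs at least one row to derive columns, that constraint belongs in a comment, otherwise the `is_empty` guards should go. The function also has no doc comment; one stating that `constants`, `enum_constants` (with an extra `enum` column naming the parent enum) and `enums` are written to the same file, and whether an existing file at `path` is appended to or replaced (decided inside `bb_sql::export_json_to_sqlite`, not visible here), would help callers. Since `std::path::PathBuf` is already imported, `use std::path::{Path, PathBuf};` would let the signature read `path: &Path`.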
@@ -21,6 +24,8 @@ clap.workspace = true anyhow.workspace = true serde_json.workspace = true colored.workspace = true +comfy-table.workspace = true +bb-sql.workspace = true serde.workspace = true [dev-dependencies] diff --git a/cli/bb-funcs/README.md b/cli/bb-funcs/README.md new file mode 100644 index 0000000..f88c6c1 --- /dev/null +++ b/cli/bb-funcs/README.md 
@@ -0,0 +1,171 @@ +# bb-funcs + +> CLI application for querying and exporting `Function` entities from **Windows SDK** / **PHNT** headers. + +`bb-funcs` is a CLI application dedicated to querying, and exporting, information extracted from `Function` entities with `bb-clang`, from the respective SDK (**Windows SDK**/**PHNT**) of your choice. + +Each function is parsed with full ABI awareness: the target architecture is detected from the translation unit, and every parameter is assigned its calling-convention location (register, stack offset, or indirect pointer). + +When [`bb-sparse`](../../crates/bb-sparse/) data is embedded, the detail view is enriched with MSDN metadata: DLL/lib linkage, Windows version requirements, function variants, SAL parameter annotations, and known constant values with source locations cross-referenced from `bb-consts`. + +--- + +## Arguments + +### Filtering + +| Flag | Description | +| --- | --- | +| `--name` / `-n` | Function name pattern (supports `*` wildcard) | +| `--filter` / `-H` | Filter by header file (e.g., `fileapi.h`) | +| `--case-sensitive` / `-c` | Case-sensitive matching | +| `--exported` | Show only exported (dllimport) functions | +| `--params` / `-p` | Filter by parameter count (`3`, `0`, `3..7`, `3..`, `..5`) | +| `--signature` | Parameter type signature pattern (see [syntax](#--signature-syntax)) | +| `--return` / `-r` | Filter by return type (supports `*` wildcard) | +| `--has-body` | Show only functions with a body | +| `--where` / `-w` | SQL WHERE clause for advanced filtering (see [syntax](#--where-syntax)) | + +Filters are combined with AND logic. Simple flags filter first, then `--where` filters the remaining results. + +### Sorting and limiting + +| Flag | Description | +| --- | --- | +| `--sort` | Sort key: `params`, `name`, `stack-size`, `max-stack-param` | +| `--sort-dir` | Sort direction: `asc` (default), `desc` | +| `--first` / `-f` | Limit to first N results. 
`-f` alone = 1, `-f 5` = first 5 | + +### Output + +| Flag | Description | +| --- | --- | +| `--detail` / `-d` | Force detailed ABI breakdown for all results (auto for single result) | +| `--json` | Output as JSON with structured ABI, metadata, and constant values | + +--- + +## Detail view + +When a query matches exactly one function (or `-d` is used), `bb-funcs` shows a detailed breakdown: + +- **C prototype** with SAL annotations (`/* in */`, `/* out, optional */`) +- **ABI table** — register/stack location for each parameter with index, kind, offset, size +- **Arguments** — per-parameter constant value tables with names, hex values, and source locations (cross-referenced from the SDK headers via `bb-consts`) +- **Info** — minimum Windows version, DLL/lib linkage, alternative DLL locations + +The enriched view requires [`bb-sparse`](../../crates/bb-sparse/) data to be embedded at build time (run `.\update-submodules.ps1 sparse`). Without it, the plain ABI-only view is shown. + +--- + +## `--signature` syntax + +Comma-separated positional type slots. Matches parameter *types only* (not names). Use `...` for "any number of params" and `_` for "any single type": + +| Pattern | Meaning | +| --- | --- | +| `HANDLE,_,DWORD` | Param 1 = HANDLE, 2 = any, 3 = DWORD (exactly 3 params) | +| `HANDLE,...` | HANDLE at position 1, any number of params after | +| `...,HANDLE,...` | HANDLE at any position | +| `HANDLE,...,DWORD` | HANDLE at 1, then DWORD at some later position (exactly) | +| `...,HANDLE,...,DWORD,...` | HANDLE then DWORD somewhere, any surrounding params | + +Type slots also support `*` glob wildcards (e.g., `*HANDLE*` matches `LPHANDLE`). + +--- + +## `--where` syntax + +SQL WHERE clause for advanced filtering. 
+ +**Available columns:** + +| Column | Type | Description | +| --- | --- | --- | +| `name` | string | Function name | +| `return_type` | string | Return type name | +| `params` | int | Number of parameters | +| `stack_size` | int | Total bytes of stack-passed params | +| `arch` | string | Architecture (`x64`, `x86`, `ARM64`, `ARM32`) | +| `calling_convention` | string | `cdecl`, `stdcall`, `fastcall` | +| `is_exported` | bool | Whether the function is exported (dllimport) | +| `has_body` | bool | Whether the function has a body | +| `header` | string | Source header file name | + +**Supported operators:** `=`, `!=`, `<`, `>`, `<=`, `>=`, `AND`, `OR`, `NOT`, `LIKE`, `IN`, `BETWEEN`, `IS NULL`. + +String comparisons are case-insensitive. `LIKE` uses SQL wildcards (`%` = any, `_` = single char). + +--- + +## Fuzzy suggestions + +When an exact (non-wildcard) name doesn't match anything, `bb-funcs` suggests close matches: + +```bash +bb-funcs --name CloseHandl +error: no functions matching 'CloseHandl' + + did you mean? + + CloseHandle +``` + +--- + +## Examples + +```bash +# Inspect a single function (auto-detail) +bb-funcs --name CreateFileW + +# List functions in a header +bb-funcs --filter handleapi.h + +# Functions with HANDLE as first param, sorted by param count +bb-funcs --signature HANDLE,... --filter handleapi.h --sort params + +# Functions returning BOOL with 5+ parameters +bb-funcs --return BOOL --params 5.. + +# Exported functions sorted by name +bb-funcs --filter processthreadsapi.h --exported --sort name + +# SQL-style filtering +bb-funcs --where "params > 3 AND return_type = 'BOOL'" --first 5 + +# Find functions with the largest stack parameters on x86 +bb-funcs -a x86 --sort max-stack-param --sort-dir desc --first 3 + +# Combine flags + SQL + signature +bb-funcs --exported --signature "HANDLE,..." 
--where "params > 2" --first 10 --sort params + +# Export as JSON +bb-funcs --name CreateFileW --json + +# PHNT internal functions +bb-funcs --phnt --name "Nt*" --first 10 +``` + +--- + +### Shared with `bb-types` and `bb-consts` + +
+Expand shared arguments + +
+ +These arguments are managed by [`bb-cli`](../../crates/bb-cli/) and are shared across all CLI apps. + +| Flag | Default | Description | +| --- | --- | --- | +| `--winsdk [VERSION]` | *(default SDK)* | Use Windows SDK headers. Optionally specify a version present in your environment | +| `--phnt [VERSION]` | -- | Use PHNT headers instead. Optionally specify a Windows version target | +| `--mode` / `-m` | `user` | `user` or `kernel` (defines `_KERNEL_MODE` for kernel) | +| `--arch` / `-a` | host | `x86` / `amd64` / `arm` / `arm64` -- supports cross-compilation | +| `--diagnostics` | off | Show Clang diagnostics. Useful for troubleshooting | + +**PHNT version targets:** `win2k` `win-xp` `ws03` `vista` `win7` `win8` `win-blue` `threshold` `threshold2` `redstone` `redstone2` `redstone3` `redstone4` `redstone5` `19H1` `19H2` `20H1` `20H2` `21H1` `Win10-21H2` `Win10-22H2` `win11` `Win11-22H2` + +
diff --git a/cli/bb-funcs/src/enriched.rs b/cli/bb-funcs/src/enriched.rs new file mode 100644 index 0000000..b181880 --- /dev/null +++ b/cli/bb-funcs/src/enriched.rs 
@@ -0,0 +1,497 @@ +//! Enriched function types that join bb-clang's parsed functions +//! with bb-sparse's Windows API metadata and bb-consts cross-references. +//! +//! This module lives in bb-funcs (not bb-clang) so that bb-clang stays +//! reusable without Windows API metadata dependencies. Both CLI and TUI +//! consume these types for rendering. + +use std::collections::HashMap; +use std::fmt::Write; + +use bb_arch::display::{param_abi_to_json, return_abi_to_json}; +use bb_clang::display::{format_abi_param, format_return_location, format_tags}; +use bb_clang::{Constant, Function, Param, SourceLocation, ToJson}; +use bb_cli::terminal_width; +use bb_consts_lib::{ConstFilter, collect_constants, collect_enums}; +use bb_sparse::{FuncMetadata, ParamMetadata}; +use colored::Colorize; +use comfy_table::{Attribute, Cell, CellAlignment, ContentArrangement, Table, presets}; +use serde_json::{Value, json}; + +/* ────────────────────────────────── Types ───────────────────────────────── */ + +/// A [`Function`] enriched with optional sparse metadata. +pub struct EnrichedFunction<'a> { + pub function: &'a Function<'a>, + pub metadata: Option<&'static FuncMetadata>, +} + +impl<'a> EnrichedFunction<'a> { + #[must_use] + pub fn new_ref(function: &'a Function<'a>) -> Self { + let metadata = bb_sparse::lookup(function.get_name()); + Self { function, metadata } + } +} + +/// Resolved constant info for cross-referencing param values. +pub struct ConstantInfo { + pub value: u64, + pub location: Option, +} + +/// A lookup table of constant name -> resolved info. +pub type ConstantLookup = HashMap; + +/// Build a [`ConstantLookup`] from collected constants. 
+#[must_use] +pub fn build_constant_lookup(constants: &[Constant]) -> ConstantLookup { + let mut map = HashMap::new(); + for c in constants { + if let Some(v) = c.get_value().as_u64() { + map.insert( + c.get_name().to_string(), + ConstantInfo { + value: v, + location: c.get_location().cloned(), + }, + ); + } + } + map +} + +/// Build a [`ConstantLookup`] from a macro-preprocessed translation unit. +/// +/// Collects all constants and enum constants from the TU and resolves +/// their values and source locations for cross-referencing with sparse +/// parameter values. +#[must_use] +pub fn build_constant_lookup_from_tu(tu: &clang::TranslationUnit) -> ConstantLookup { + let no_filter = ConstFilter { + header_filter: None, + enum_pattern: None, + const_pattern: None, + case_sensitive: true, + scoped_to_enum: false, + }; + let enums = collect_enums(tu, &no_filter); + let constants = collect_constants(tu, &no_filter); + + let mut lookup = build_constant_lookup(&constants); + for e in &enums { + for c in e.get_constants() { + if let Some(v) = c.get_value().as_u64() { + lookup.insert( + c.get_name().to_string(), + ConstantInfo { + value: v, + location: c.get_location().cloned(), + }, + ); + } + } + } + lookup +} + +/* ─────────────────────── Full enriched detail view ─────────────────────── */ + +/// Render the full enriched detail view for a function. +#[must_use] +pub fn render_enriched_detail(f: &Function, const_lookup: Option<&ConstantLookup>) -> String { + let ef = EnrichedFunction::new_ref(f); + let meta = ef.metadata; + let mut out = String::new(); + + render_prototype(&mut out, f, meta); + render_header_tags(&mut out, f, meta); + render_abi_section(&mut out, f); + if let Some(meta) = meta { + render_arguments_section(&mut out, f, meta, const_lookup); + render_info_section(&mut out, meta); + } + + out +} + +/* ───────────────────────── Section renderers ────────────────────────────── */ + +/// Tags line + variants. 
+fn render_header_tags(out: &mut String, f: &Function, meta: Option<&FuncMetadata>) { + let mut tags = format_tags(f); + if let Some(meta) = meta { + if let Some(dll) = meta.dll_display() { + let lib = meta.lib_display().unwrap_or_else(|| "?".into()); + tags.push(format!("{dll} ({lib})")); + } + } + let _ = writeln!(out, " {}", tags.join(" · ").bright_black()); + + if let Some(meta) = meta { + if let Some(ref api) = meta.metadata { + let names = api.names(); + if names.len() > 1 { + let _ = writeln!( + out, + " {} {}", + "variants:".dimmed(), + names.join(", ").bright_black() + ); + } + } + } +} + +/// ABI section: stack note, param rows, return location. +fn render_abi_section(out: &mut String, f: &Function) { + let _ = writeln!(out); + let _ = writeln!(out, " {}", "ABI".white().bold().underline()); + + let params = f.get_params(); + if params.iter().any(bb_clang::Param::is_stack) { + let _ = writeln!( + out, + " {}", + "callee-entry offsets (before prologue)".bright_black() + ); + } + let _ = writeln!(out); + + if params.is_empty() { + let _ = writeln!(out, " {}", "(no parameters)".dimmed()); + } else { + for (i, p) in params.iter().enumerate() { + let is_last = i == params.len() - 1; + let connector = if is_last { "╰─" } else { "├─" }; + let _ = writeln!(out, " {} {}", connector.dimmed(), format_abi_param(i, p)); + } + } + + let ret_type = f.get_return_type_name().cyan(); + let ret_loc = format_return_location(f.get_return_location()).yellow(); + let _ = writeln!(out, " {} {ret_loc} {ret_type}", "╰".dimmed()); +} + +/// Arguments section: per-param constant values in tables. 
+fn render_arguments_section( + out: &mut String, + f: &Function, + meta: &FuncMetadata, + const_lookup: Option<&ConstantLookup>, +) { + let params_with_values: Vec<_> = f + .get_params() + .iter() + .filter_map(|p| { + let name = p.get_name()?; + let pm = meta.params.get(name)?; + if pm.values.is_empty() { + return None; + } + Some((name, pm)) + }) + .collect(); + + if params_with_values.is_empty() { + return; + } + + let _ = writeln!(out); + let _ = writeln!(out, " {}", "Arguments".white().bold().underline()); + + for (name, pm) in ¶ms_with_values { + let dirs = pm.direction_strings(); + let dir_str = if dirs.is_empty() { + String::new() + } else { + format!(" {}", format!("[{}]", dirs.join(", ")).bright_black()) + }; + + let _ = writeln!(out); + let _ = writeln!(out, " {}{dir_str}", name.cyan().bold()); + render_values_table(out, pm, const_lookup); + } +} + +/// Info section: requirements + linkage. +fn render_info_section(out: &mut String, meta: &FuncMetadata) { + let has_info = meta.min_client_str().is_some() + || meta.min_server_str().is_some() + || meta + .metadata + .as_ref() + .is_some_and(|a| a.locations().len() > 1); + + if !has_info { + return; + } + + let _ = writeln!(out); + let _ = writeln!(out, " {}", "Info".white().bold().underline()); + + if let Some(c) = meta.min_client_str() { + let _ = writeln!(out, " {} {c}", "client:".dimmed()); + } + if let Some(s) = meta.min_server_str() { + let _ = writeln!(out, " {} {s}", "server:".dimmed()); + } + if let Some(ref api) = meta.metadata { + let locations = api.locations(); + if locations.len() > 1 { + let _ = writeln!(out, " {} {}", "also in:".dimmed(), locations.join(", ")); + } + } +} + +/* ──────────────────────── C prototype rendering ────────────────────────── */ + +fn render_prototype(out: &mut String, f: &Function, meta: Option<&FuncMetadata>) { + let ret = f.get_return_type_name().green(); + let name = f.get_name().cyan().bold(); + + let params = f.get_params(); + + // Right-align location to 
terminal edge. + let loc_raw = f + .get_location() + .map(std::string::ToString::to_string) + .unwrap_or_default(); + + if params.is_empty() { + let prefix = format!(" {} {}(void)", f.get_return_type_name(), f.get_name()); + let pad = terminal_width().saturating_sub(prefix.len() + loc_raw.len()); + let _ = writeln!(out, " {ret} {name}(void){:>pad$}{}", "", loc_raw.dimmed()); + return; + } + + let prefix = format!(" {} {}(", f.get_return_type_name(), f.get_name()); + let pad = terminal_width().saturating_sub(prefix.len() + loc_raw.len()); + let _ = writeln!(out, " {ret} {name}({:>pad$}{}", "", loc_raw.dimmed()); + + let sal_width = params + .iter() + .map(|p| sal_for_param(p, meta).len()) + .max() + .unwrap_or(0); + let type_width = params + .iter() + .map(|p| p.get_type_name().len()) + .max() + .unwrap_or(0); + + for (i, p) in params.iter().enumerate() { + let is_last = i == params.len() - 1; + let sal = sal_for_param(p, meta); + let sal_styled = if sal.is_empty() { + format!("{:>width$}", "", width = sal_width + 6) + } else { + format!("/* {sal:".dimmed().to_string(), + |n| n.white().bold().to_string(), + ); + let comma = if is_last { "" } else { "," }; + let _ = writeln!( + out, + " {sal_styled} {type_name:) -> String { + let Some(meta) = meta else { + return String::new(); + }; + let Some(name) = p.get_name() else { + return String::new(); + }; + let Some(pm) = meta.params.get(name) else { + return String::new(); + }; + let dirs = pm.direction_strings(); + if dirs.is_empty() { + return String::new(); + } + dirs.join(", ") +} + +/* ──────────────────── Values table rendering ───────────────────────────── */ + +fn render_values_table( + out: &mut String, + pm: &ParamMetadata, + const_lookup: Option<&ConstantLookup>, +) { + let mut entries: Vec<(String, String, String)> = pm + .values + .iter() + .filter_map(|(name, sparse_val)| { + if let Some(lookup) = const_lookup { + if let Some(info) = lookup.get(name.as_str()) { + let loc_str = info + .location + .as_ref() + 
.map(std::string::ToString::to_string) + .unwrap_or_default(); + return Some((name.clone(), format!("{:#X}", info.value), loc_str)); + } + } + let val_str = match sparse_val.as_i64() { + Some(v) => format!("{v:#X}"), + None if sparse_val.is_null() => return None, + None => sparse_val.to_string(), + }; + Some((name.clone(), val_str, String::new())) + }) + .collect(); + + entries.sort_by(|a, b| a.0.cmp(&b.0)); + + if entries.is_empty() { + return; + } + + let mut table = Table::new(); + table + .load_preset(presets::UTF8_BORDERS_ONLY) + .set_content_arrangement(ContentArrangement::Dynamic); + + table.set_header(vec![ + Cell::new("Name").add_attribute(Attribute::Bold), + Cell::new("Value") + .add_attribute(Attribute::Bold) + .set_alignment(CellAlignment::Right), + Cell::new("Source").add_attribute(Attribute::Bold), + ]); + + for (name, val, loc) in &entries { + table.add_row(vec![ + Cell::new(name), + Cell::new(val).set_alignment(CellAlignment::Right), + Cell::new(loc), + ]); + } + + for line in table.to_string().lines() { + let _ = writeln!(out, " {line}"); + } +} + +/* ──────────────────────── JSON serialization ────────────────────────────── */ + +/// Serialize the enriched param values (cross-ref'd with bb-consts) to JSON. +fn param_values_to_json(pm: &ParamMetadata, const_lookup: Option<&ConstantLookup>) -> Value { + let mut obj = serde_json::Map::new(); + + for (name, sparse_val) in &pm.values { + // Cross-ref with bb-consts first. + if let Some(lookup) = const_lookup { + if let Some(info) = lookup.get(name.as_str()) { + let loc_json = info + .location + .as_ref() + .and_then(|l| serde_json::to_value(l).ok()) + .unwrap_or(Value::Null); + obj.insert( + name.clone(), + json!({ "value": info.value, "source": loc_json }), + ); + + // No need to proceed. + continue; + } + } + + // If present, fall back on sparse default value. 
+ if !sparse_val.is_null() { + let val = sparse_val.as_i64().map_or_else( + || json!({ "value": sparse_val, "source": null }), + |v| json!({ "value": v, "source": null }), + ); + obj.insert(name.clone(), val); + } + } + + Value::Object(obj) +} + +/// Serialize a single function to enriched JSON. +#[must_use] +pub fn function_to_enriched_json(f: &Function, const_lookup: Option<&ConstantLookup>) -> Value { + let ef = EnrichedFunction::new_ref(f); + let meta = ef.metadata; + + // Start from the base serde JSON for each param, then enrich with + // sparse metadata and reformatted ABI info. + let params: Vec = f + .get_params() + .iter() + .enumerate() + .map(|(i, p)| { + let mut pj = p.to_json(); + let obj = pj.as_object_mut().unwrap(); + + // Replace raw abi_location with the enriched format. + obj.remove("abi_location"); + obj.insert("index".into(), json!(i)); + obj.insert("abi".into(), param_abi_to_json(p.get_abi_location())); + + // Add sparse metadata (directions, known constant values). + let pm = meta.and_then(|m| p.get_name().and_then(|n| m.params.get(n))); + let dirs: Vec = pm + .map(bb_sparse::ParamMetadata::direction_strings) + .unwrap_or_default(); + obj.insert("directions".into(), json!(dirs)); + obj.insert( + "values".into(), + pm.map_or_else(|| json!({}), |m| param_values_to_json(m, const_lookup)), + ); + + pj + }) + .collect(); + + // Build the function-level JSON from the base serde output, then enrich. 
+ let mut fj = f.to_json(); + let obj = fj.as_object_mut().unwrap(); + obj.insert("params".into(), json!(params)); + obj.insert( + "return_abi".into(), + return_abi_to_json(f.get_return_location()), + ); + + if let Some(m) = meta { + let api = m.metadata.as_ref(); + obj.insert( + "metadata".into(), + json!({ + "dll": m.dll_display(), + "lib": m.lib_display(), + "min_client": m.min_client_str(), + "min_server": m.min_server_str(), + "variants": api.map(bb_sparse::ApiMetadata::names).unwrap_or_default(), + "locations": api.map(bb_sparse::ApiMetadata::locations).unwrap_or_default(), + }), + ); + } + + fj +} + +/// Serialize a slice of functions to enriched JSON array. +#[must_use] +pub fn functions_to_enriched_json( + funcs: &[Function], + const_lookup: Option<&ConstantLookup>, +) -> Value { + Value::Array( + funcs + .iter() + .map(|f| function_to_enriched_json(f, const_lookup)) + .collect(), + ) +} diff --git a/cli/bb-funcs/src/lib.rs b/cli/bb-funcs/src/lib.rs new file mode 100644 index 0000000..318fb76 --- /dev/null +++ b/cli/bb-funcs/src/lib.rs 
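Review bot: `build_constant_lookup` and the enum loop in `build_constant_lookup_from_tu` keep a constant only when `c.get_value().as_u64()` succeeds, so any negative-valued constant or enum member is silently left out of the cross-reference, while `render_values_table` and `param_values_to_json` read sparse values with `as_i64()`; if `get_value()` is a `serde_json::Value`, widening `ConstantInfo::value` to `i64` and using `as_i64()` in both loops keeps the two paths consistent. The enum pass also `insert`s after the plain constants, so an enum constant sharing a macro's name overwrites it without notice — that precedence deserves a line in the doc comment, e.g. `/// Enum constants are inserted last and therefore win on name collisions.`. The inner enum loop duplicates the body of `build_constant_lookup`; accepting `impl Iterator<Item = &'a Constant>` there would remove the copy. Finally, the two `as_object_mut().unwrap()` calls in `function_to_enriched_json` would be clearer as `.expect("to_json() of a Param/Function is a JSON object")`.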
@@ -0,0 +1,588 @@ +//! Shared library for the `bb-funcs` CLI and future TUI. +//! +//! Provides [`FuncFilter`] (pre-parse and post-parse filtering, sorting, +//! SQL `WHERE` evaluation via `bb-sql`), [`collect_funcs_filtered`] (returns +//! `Result` — propagates WHERE parse errors), and the [`enriched`] module +//! for sparse metadata integration. + +pub mod enriched; +pub mod where_filter; + +use std::str::FromStr; + +use bb_clang::Function; +use bb_shared::glob_match; +use clang::{Entity, EntityKind, TranslationUnit}; + +/* ────────────────────── Parse, iter, collect, filter ────────────────────── */ + +#[must_use] +pub fn collect_funcs<'a>(tu: &'a TranslationUnit<'a>) -> Vec> { + iter_funcs(tu) + .filter_map(|e| Function::try_from(e).ok()) + .collect() +} + +pub fn collect_funcs_filtered<'a>( + tu: &'a TranslationUnit<'a>, + filter: &FuncFilter, +) -> Result>, String> { + let funcs: Vec> = iter_funcs(tu) + .filter(|e| filter.matches(e)) + .filter_map(|e| Function::try_from(e).ok()) + .collect(); + + filter.post_filter(funcs) +} + +/// Iterate over function declarations in a [`TranslationUnit`]. +pub fn iter_funcs<'a>(tu: &'a TranslationUnit<'a>) -> impl Iterator> { + tu.get_entity() + .get_children() + .into_iter() + .filter(|e| matches!(e.get_kind(), EntityKind::FunctionDecl)) +} + +/* ──────────────────── Comma-separated glob splitting ───────────────────── */ + +/// Split a string by commas, respecting `\,` as a literal comma escape. +fn split_escaped_commas(s: &str) -> Vec { + let mut result = Vec::new(); + let mut current = String::new(); + let mut chars = s.chars().peekable(); + + while let Some(c) = chars.next() { + if c == '\\' && chars.peek() == Some(&',') { + current.push(chars.next().unwrap()); + } else if c == ',' { + result.push(current); + current = String::new(); + } else { + current.push(c); + } + } + result.push(current); + result +} + +/// A parsed param-type pattern: a sequence of segments separated by `...`. 
+/// +/// - `HANDLE,_,DWORD` → one fixed segment anchored at position 0. +/// - `...,HANDLE,DWORD` → one segment, may start at any position. +/// - `HANDLE,...,DWORD` → two segments with a gap of any size between them. +/// - `...,HANDLE,...,DWORD,...` → two segments, floating start and open tail. +/// - `_` as a standalone slot → matches any single param type. +#[derive(Debug, Clone)] +struct ParamTypePattern { + /// Whether `...` appears before the first segment. + anchored_start: bool, + /// Whether `...` appears after the last segment. + open_tail: bool, + /// Contiguous runs of per-position globs, separated by `...` in the input. + /// Empty string in a slot means "any" (from `_` or empty). + segments: Vec>, +} + +fn parse_param_type_pattern(raw: &str) -> ParamTypePattern { + // Split the raw string by the `...` delimiter (which itself is comma-separated). + let parts: Vec<&str> = raw.split("...").collect(); + + let anchored_start = !parts.first().is_some_and(|s| s.is_empty()); + let open_tail = parts.last().is_some_and(|s| s.is_empty()); + + let segments: Vec> = parts + .iter() + .map(|part| { + let trimmed = part.trim_matches(','); + if trimmed.is_empty() { + return Vec::new(); + } + split_escaped_commas(trimmed) + .into_iter() + .map(|s| if s == "_" { String::new() } else { s }) + .collect() + }) + .filter(|seg| !seg.is_empty()) + .collect(); + + ParamTypePattern { + anchored_start, + open_tail, + segments, + } +} + +/// Recursively match pattern segments against a parameter list. +/// +/// - `seg_idx`: current segment index. +/// - `from`: earliest param position this segment can start at. +/// - `anchored_start`: if true, the first segment must start at position 0. +/// - `open_tail`: if true, unmatched trailing params are allowed. 
+fn match_segments( + segments: &[Vec], + seg_idx: usize, + from: usize, + params_len: usize, + anchored_start: bool, + open_tail: bool, + seg_matches: &dyn Fn(&[String], usize) -> bool, +) -> bool { + // All segments matched — check if trailing params are allowed. + if seg_idx >= segments.len() { + return open_tail || from == params_len; + } + + let seg = &segments[seg_idx]; + if from + seg.len() > params_len { + return false; + } + + // First segment respects anchored_start; subsequent segments float. + let can_float = seg_idx > 0 || !anchored_start; + let max_start = if can_float { + params_len - seg.len() + } else { + from + }; + + for start in from..=max_start { + if seg_matches(seg, start) + && match_segments( + segments, + seg_idx + 1, + start + seg.len(), + params_len, + anchored_start, + open_tail, + seg_matches, + ) + { + return true; + } + } + false +} + +/* ──────────────────────── Parameter count filter ───────────────────────── */ + +/// Filter by parameter count: exact value or a range. +/// +/// Accepted formats: `3` (exact), `3..` (min), `..7` (max), `3..7` (range). +#[derive(Debug, Clone)] +pub enum ParamCountFilter { + Exact(usize), + Range { min: usize, max: Option }, +} + +impl ParamCountFilter { + #[must_use] + pub fn contains(&self, count: usize) -> bool { + match self { + Self::Exact(n) => count == *n, + Self::Range { min, max } => count >= *min && max.is_none_or(|m| count <= m), + } + } +} + +impl FromStr for ParamCountFilter { + type Err = String; + + fn from_str(s: &str) -> Result { + if let Some((left, right)) = s.split_once("..") { + let min = if left.is_empty() { + 0 + } else { + left.parse::() + .map_err(|_| format!("invalid min in range: '{left}'"))? 
+ }; + let max = if right.is_empty() { + None + } else { + Some( + right + .parse::() + .map_err(|_| format!("invalid max in range: '{right}'"))?, + ) + }; + Ok(Self::Range { min, max }) + } else { + let n = s + .parse::() + .map_err(|_| format!("invalid parameter count: '{s}'"))?; + Ok(Self::Exact(n)) + } + } +} + +/* ─────────────────────────── Sort key ──────────────────────────────────── */ + +/// Sort key for function results. +#[derive(Debug, Clone, PartialEq, Eq, clap::ValueEnum)] +pub enum FuncSort { + /// Sort by number of parameters. + Params, + /// Sort by function name (alphabetical). + Name, + /// Sort by total bytes of stack-passed parameters (not including + /// local variables or return address — only the caller-pushed args). + StackSize, + /// Sort by the size of the largest individual stack parameter. + MaxStackParam, +} + +/// Sort direction. +#[derive(Debug, Clone, Default, PartialEq, Eq, clap::ValueEnum)] +pub enum SortDir { + /// Ascending (smallest first). + #[default] + Asc, + /// Descending (largest first). + Desc, +} + +/* ────────────────────────────────── Match ───────────────────────────────── */ + +pub struct FuncFilter { + // Pre-parse filters (applied on Entity, before Function construction). + pub name_pattern: Option, + pub header_filter: Option, + pub case_sensitive: bool, + + // Post-parse filters (applied on constructed Function). + pub dllimport_only: bool, + pub param_count: Option, + pub param_type_pattern: Option, + pub return_type_pattern: Option, + pub has_body: Option, + + // Sort (applied after all filters). + pub sort: Option, + pub sort_dir: SortDir, + + // SQL `WHERE` clause (applied after all other filters). + pub where_clause: Option, + + // Limit (applied last, after sort). 
+ pub first: Option, +} + +impl FuncFilter { + /* ──────────────── Pre-parse (Entity-level) matching ─────────────────── */ + + #[must_use] + pub fn matches(&self, entity: &Entity) -> bool { + self.matches_name(entity) && self.matches_header(entity) + } + + #[must_use] + fn matches_name(&self, entity: &Entity) -> bool { + match (&self.name_pattern, entity.get_name()) { + (Some(pattern), Some(name)) => glob_match(&name, pattern, self.case_sensitive), + (Some(_), None) => false, + (None, _) => true, + } + } + + #[must_use] + fn matches_header(&self, entity: &Entity) -> bool { + self.header_filter + .as_ref() + .is_none_or(|f| bb_clang::entity_in_header(entity, f)) + } + + /* ──────────────── Post-parse (Function-level) filtering ────────────── */ + + /// Apply all post-parse filters and sorting to collected functions. + /// + /// Returns `Err` if the `WHERE` clause is present but fails to parse. + pub fn post_filter<'a>(&self, funcs: Vec>) -> Result>, String> { + let mut result: Vec> = funcs + .into_iter() + .filter(|f| !self.dllimport_only || f.is_dllimport()) + .filter(|f| self.matches_param_count(f)) + .filter(|f| self.matches_param_type(f)) + .filter(|f| self.matches_return_type(f)) + .filter(|f| self.matches_has_body(f)) + .collect(); + + if let Some(ref sort) = self.sort { + match sort { + FuncSort::Params => result.sort_by_key(|f| f.get_params().len()), + FuncSort::Name => result.sort_by(|a, b| a.get_name().cmp(b.get_name())), + FuncSort::StackSize => result.sort_by_key(|f| Self::stack_param_bytes(f)), + FuncSort::MaxStackParam => result.sort_by_key(|f| Self::max_stack_param_size(f)), + } + if matches!(self.sort_dir, SortDir::Desc) { + result.reverse(); + } + } + + // Apply SQL `WHERE` clause. + if let Some(ref clause) = self.where_clause { + let expr = where_filter::parse_where(clause)?; + result.retain(|f| where_filter::eval_where(&expr, f)); + } + + // Apply `--first` limit. 
+ if let Some(n) = self.first { + result.truncate(n); + } + + Ok(result) + } + + /// Total bytes of stack-passed parameters. + fn stack_param_bytes(f: &Function) -> usize { + f.get_params() + .iter() + .filter(|p| p.is_stack()) + .map(bb_clang::Param::size) + .sum() + } + + /// Size of the largest individual stack-passed parameter. + fn max_stack_param_size(f: &Function) -> usize { + f.get_params() + .iter() + .filter(|p| p.is_stack()) + .map(bb_clang::Param::size) + .max() + .unwrap_or(0) + } + + fn matches_param_count(&self, f: &Function) -> bool { + self.param_count + .as_ref() + .is_none_or(|pc| pc.contains(f.get_params().len())) + } + + /// Parameter type matching with segments separated by `...`. + /// + /// - `"HANDLE,_,DWORD"` — fixed: param 0=HANDLE, 1=any, 2=DWORD. + /// - `"...,HANDLE,DWORD"` — HANDLE,DWORD at any consecutive positions. + /// - `"HANDLE,...,DWORD"` — HANDLE somewhere, then DWORD at a later position. + /// - `"...,HANDLE,...,DWORD,..."` — both floating, gap between, open tail. + /// - `"HANDLE,DWORD,..."` — HANDLE,DWORD at 0-1, any trailing params OK. + /// - `_` in a slot matches any single type. + fn matches_param_type(&self, f: &Function) -> bool { + let Some(ref raw) = self.param_type_pattern else { + return true; + }; + + let pat = parse_param_type_pattern(raw); + let params = f.get_params(); + let case = self.case_sensitive; + + if pat.segments.is_empty() { + return true; + } + + let min_total: usize = pat.segments.iter().map(Vec::len).sum(); + if min_total > params.len() { + return false; + } + + // Match each slot against the parameter's *type name* only + // (not the parameter name). 
+ let seg_matches = |seg: &[String], start: usize| -> bool { + seg.iter().enumerate().all(|(j, slot)| { + slot.is_empty() + || slot == "*" + || glob_match(params[start + j].get_type_name(), slot, case) + }) + }; + + match_segments( + &pat.segments, + 0, + 0, + params.len(), + pat.anchored_start, + pat.open_tail, + &seg_matches, + ) + } + + fn matches_return_type(&self, f: &Function) -> bool { + let Some(ref pattern) = self.return_type_pattern else { + return true; + }; + glob_match(f.get_return_type_name(), pattern, self.case_sensitive) + } + + fn matches_has_body(&self, f: &Function) -> bool { + self.has_body.is_none_or(|b| f.has_body() == b) + } +} + +/* ─────────────────────────────── Tests ──────────────────────────────────── */ + +#[cfg(test)] +mod tests { + use super::*; + + /* ──────────────── split_escaped_commas ──────────────────── */ + + #[test] + fn split_simple() { + assert_eq!(split_escaped_commas("a,b,c"), vec!["a", "b", "c"]); + } + + #[test] + fn split_empty_slots() { + assert_eq!( + split_escaped_commas(",,,HANDLE"), + vec!["", "", "", "HANDLE"] + ); + } + + #[test] + fn split_escaped_comma() { + assert_eq!(split_escaped_commas(r"a\,b,c"), vec!["a,b", "c"]); + } + + #[test] + fn split_single() { + assert_eq!(split_escaped_commas("HANDLE"), vec!["HANDLE"]); + } + + #[test] + fn split_all_empty() { + assert_eq!(split_escaped_commas(",,"), vec!["", "", ""]); + } + + #[test] + fn split_trailing_escape() { + // backslash not followed by comma is kept as-is + assert_eq!(split_escaped_commas(r"a\b,c"), vec![r"a\b", "c"]); + } + + /* ──────────────── ParamCountFilter parsing ─────────────── */ + + #[test] + fn param_count_exact() { + let f = ParamCountFilter::from_str("3").unwrap(); + assert!(f.contains(3)); + assert!(!f.contains(2)); + assert!(!f.contains(4)); + } + + #[test] + fn param_count_zero() { + let f = ParamCountFilter::from_str("0").unwrap(); + assert!(f.contains(0)); + assert!(!f.contains(1)); + } + + #[test] + fn param_count_open_range() { + 
let f = ParamCountFilter::from_str("3..").unwrap(); + assert!(!f.contains(2)); + assert!(f.contains(3)); + assert!(f.contains(100)); + } + + #[test] + fn param_count_bounded_range() { + let f = ParamCountFilter::from_str("2..5").unwrap(); + assert!(!f.contains(1)); + assert!(f.contains(2)); + assert!(f.contains(5)); + assert!(!f.contains(6)); + } + + #[test] + fn param_count_max_only() { + let f = ParamCountFilter::from_str("..3").unwrap(); + assert!(f.contains(0)); + assert!(f.contains(3)); + assert!(!f.contains(4)); + } + + #[test] + fn param_count_invalid() { + assert!(ParamCountFilter::from_str("abc").is_err()); + assert!(ParamCountFilter::from_str("3..abc").is_err()); + assert!(ParamCountFilter::from_str("abc..3").is_err()); + } + + /* ──────────── parse_param_type_pattern ──────────────────── */ + + #[test] + fn pattern_fixed() { + let p = parse_param_type_pattern("HANDLE,_,DWORD"); + assert!(p.anchored_start); + assert!(!p.open_tail); + assert_eq!(p.segments, vec![vec!["HANDLE", "", "DWORD"]]); + } + + #[test] + fn pattern_floating_start() { + let p = parse_param_type_pattern("...,HANDLE,DWORD"); + assert!(!p.anchored_start); + assert!(!p.open_tail); + assert_eq!(p.segments, vec![vec!["HANDLE", "DWORD"]]); + } + + #[test] + fn pattern_open_tail() { + let p = parse_param_type_pattern("HANDLE,DWORD,..."); + assert!(p.anchored_start); + assert!(p.open_tail); + assert_eq!(p.segments, vec![vec!["HANDLE", "DWORD"]]); + } + + #[test] + fn pattern_floating_and_open_tail() { + let p = parse_param_type_pattern("...,HANDLE,..."); + assert!(!p.anchored_start); + assert!(p.open_tail); + assert_eq!(p.segments, vec![vec!["HANDLE"]]); + } + + #[test] + fn pattern_middle_gap() { + let p = parse_param_type_pattern("HANDLE,...,DWORD"); + assert!(p.anchored_start); + assert!(!p.open_tail); + assert_eq!(p.segments, vec![vec!["HANDLE"], vec!["DWORD"]]); + } + + #[test] + fn pattern_all_three_ellipses() { + let p = parse_param_type_pattern("...,HANDLE,...,DWORD,..."); + 
assert!(!p.anchored_start); + assert!(p.open_tail); + assert_eq!(p.segments, vec![vec!["HANDLE"], vec!["DWORD"]]); + } + + #[test] + fn pattern_single_no_ellipsis() { + let p = parse_param_type_pattern("HANDLE"); + assert!(p.anchored_start); + assert!(!p.open_tail); + assert_eq!(p.segments, vec![vec!["HANDLE"]]); + } + + #[test] + fn pattern_underscore_wildcard() { + let p = parse_param_type_pattern("HANDLE,_,DWORD"); + assert_eq!(p.segments, vec![vec!["HANDLE", "", "DWORD"]]); + } + + #[test] + fn pattern_just_ellipsis() { + let p = parse_param_type_pattern("..."); + assert!(!p.anchored_start); + assert!(p.open_tail); + assert!(p.segments.is_empty()); + } + + #[test] + fn pattern_multi_slot_segments() { + let p = parse_param_type_pattern("A,B,...,C,D"); + assert!(p.anchored_start); + assert!(!p.open_tail); + assert_eq!(p.segments, vec![vec!["A", "B"], vec!["C", "D"]]); + } +} diff --git a/cli/bb-funcs/src/main.rs b/cli/bb-funcs/src/main.rs new file mode 100644 index 0000000..7a755a4 --- /dev/null +++ b/cli/bb-funcs/src/main.rs 
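Review bot: `ParamCountFilter::from_str` accepts an inverted range such as `7..3` and builds `Range { min: 7, max: Some(3) }`, which `contains` can never satisfy, so the user gets an empty result with no diagnostic; reject it before returning, e.g. `if let Some(m) = max { if m < min { return Err(format!("invalid range: min {min} > max {m}")); } }`, and add a `param_count_inverted` case next to `param_count_invalid`. In the same hunk, `matches_param_type` calls `parse_param_type_pattern(raw)` for every candidate function, so a cost that is constant per query is paid once per declaration; parsing the pattern once in `post_filter` and passing the `ParamTypePattern` down would keep the per-function closure cheap. `FuncFilter`, `collect_funcs` and `collect_funcs_filtered` are public but carry no doc comment; a one-line `///` on each stating which filters run on the `Entity` before `Function` construction and which run afterwards would match the documentation style of the rest of the file.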
@@ -0,0 +1,218 @@ +use std::path::PathBuf; + +use anyhow::Result; +use bb_clang::Function; +use bb_clang::display::render_function_list; +use bb_cli::{current_command_string, get_header_config, print_suggestions}; +use bb_funcs_lib::enriched::{ + ConstantLookup, build_constant_lookup_from_tu, function_to_enriched_json, + functions_to_enriched_json, render_enriched_detail, +}; +use bb_funcs_lib::{ + FuncFilter, FuncSort, ParamCountFilter, SortDir, collect_funcs_filtered, iter_funcs, +}; +use bb_sql::export_json_to_sqlite; +use clang::{Clang, Index}; +use clap::Parser; +use serde_json::Value; + +/* ─────────────────────────────────── CLI ────────────────────────────────── */ + +#[derive(Parser, Debug)] +#[command( + before_help = "Benowin Blanc (bb): Windows through a detective's lens...", + name = "bb-funcs", + about = "Parse Windows SDK or PHNT embedded headers and extract function declarations." +)] +struct Args { + #[command(flatten)] + shared: bb_cli::SharedArgs, + + #[arg(long, help = "Output as JSON")] + json: bool, + + #[arg( + short = 'H', + long = "filter", + help = "Filter by header file (e.g., processthreadsapi.h)" + )] + filter: Option, + + #[arg( + short = 'n', + long = "name", + help = "Function name pattern (supports * wildcard)" + )] + name: Option, + + #[arg(short = 'c', long = "case-sensitive", help = "Case-sensitive matching")] + case_sensitive: bool, + + #[arg(long = "exported", help = "Show only exported (dllimport) functions")] + exported: bool, + + #[arg( + short = 'd', + long = "detail", + help = "Force detailed ABI breakdown for all results (auto for single result)" + )] + detail: bool, + + #[arg( + short = 'p', + long = "params", + help = "Filter by parameter count (e.g., 3, 0, 3..7, 3..)" + )] + params: Option, + + #[arg( + long = "signature", + help = "Parameter type signature pattern. Comma-separated positional slots; _ = any type; ... = any number of params. E.g., HANDLE,...,DWORD,..." 
+ )] + signature: Option, + + #[arg( + short = 'r', + long = "return", + help = "Filter by return type (supports * wildcard, e.g., BOOL, void, *STATUS*)" + )] + return_type: Option, + + #[arg(long = "has-body", help = "Show only functions with a body")] + has_body: bool, + + #[arg( + long = "sort", + value_enum, + help = "Sort results (params, name, stack-size)" + )] + sort: Option, + + #[arg( + long = "sort-dir", + value_enum, + default_value = "asc", + help = "Sort direction (asc, desc)" + )] + sort_dir: SortDir, + + #[arg( + short = 'w', + long = "where", + long_help = "SQL WHERE clause for advanced filtering.\n\n\ + Columns: name, return_type, params, stack_size, arch, \ + calling_convention, is_exported, has_body, header.\n\n\ + Operators: =, !=, <, >, <=, >=, AND, OR, NOT, LIKE, IN, BETWEEN.\n\n\ + Examples:\n \ + --where \"params > 3 AND return_type = 'BOOL'\"\n \ + --where \"name LIKE '%File%'\"\n \ + --where \"params BETWEEN 2 AND 5\"\n \ + --where \"header IN ('fileapi.h', 'handleapi.h')\"", + help = "SQL WHERE clause for filtering (see --help for column list)" + )] + where_clause: Option, + + #[arg( + short = 'f', + long = "first", + num_args = 0..=1, + default_missing_value = "1", + help = "Show only the first N results (default: 1 if flag given without value)" + )] + first: Option, + + #[arg(long = "sqlite", help = "Export results to a SQLite database file")] + sqlite: Option, +} + +fn main() -> Result<()> { + let args = Args::parse(); + + // Build header configuration. + let config = get_header_config(&args.shared)?; + + // Set up Clang. + let clang_instance = Clang::new().expect("failed to initialize clang"); + let index = Index::new(&clang_instance, false, args.shared.diagnostics); + + // Parse headers (without macro preprocessing for function collection). 
+ let tu = config.parse(&index, false)?; + + let func_filter = FuncFilter { + name_pattern: args.name.clone(), + header_filter: args.filter.clone(), + case_sensitive: args.case_sensitive, + dllimport_only: args.exported, + param_count: args.params, + param_type_pattern: args.signature.clone(), + return_type_pattern: args.return_type.clone(), + has_body: if args.has_body { Some(true) } else { None }, + sort: args.sort, + sort_dir: args.sort_dir, + where_clause: args.where_clause.clone(), + first: args.first, + }; + let funcs = collect_funcs_filtered(&tu, &func_filter).map_err(|e| anyhow::anyhow!(e))?; + + // If no function matched, try to print a suggestion. + if funcs.is_empty() { + let names: Vec = iter_funcs(&tu).filter_map(|e| e.get_name()).collect(); + print_suggestions( + "functions", + args.name.as_deref(), + names.iter().map(String::as_str), + ); + } + + // Build constant lookup if sparse data is available. + let const_lookup = if bb_sparse::is_available() { + let tu_macro = config.parse(&index, true)?; + Some(build_constant_lookup_from_tu(&tu_macro)) + } else { + None + }; + + let detail = args.detail || funcs.len() == 1; + + if let Some(ref path) = args.sqlite { + let json_rows: Vec = funcs + .iter() + .map(|f| function_to_enriched_json(f, const_lookup.as_ref())) + .collect(); + export_json_to_sqlite(path, "functions", &json_rows)?; + } else if args.json { + print_json(funcs.as_slice(), const_lookup.as_ref())?; + } else { + print_display(funcs.as_slice(), detail, const_lookup.as_ref()); + } + + Ok(()) +} + +/* ──────────────────────────────── Printing ──────────────────────────────── */ + +fn print_display(funcs: &[Function], detail: bool, const_lookup: Option<&ConstantLookup>) { + if detail { + for (i, f) in funcs.iter().enumerate() { + print!("{}", render_enriched_detail(f, const_lookup)); + if i < funcs.len() - 1 { + println!(); + } + } + } else { + print!("{}", render_function_list(funcs)); + } +} + +fn print_json(funcs: &[Function], const_lookup: 
Option<&ConstantLookup>) -> Result<()> { + let command = current_command_string(); + let mut output = serde_json::json!({ + "functions": functions_to_enriched_json(funcs, const_lookup), + }); + output + .as_object_mut() + .unwrap() + .insert("command".to_string(), Value::String(command)); + println!("{}", serde_json::to_string_pretty(&output)?); + Ok(()) +} diff --git a/cli/bb-funcs/src/where_filter.rs b/cli/bb-funcs/src/where_filter.rs new file mode 100644 index 0000000..2157bc1 --- /dev/null +++ b/cli/bb-funcs/src/where_filter.rs 
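Review bot: The `--sort` help string `Sort results (params, name, stack-size)` omits the fourth `FuncSort` variant `MaxStackParam`, so the hint disagrees with what clap actually accepts; either drop the parenthetical and let `value_enum` render the value list, or change it to `help = "Sort results (params, name, stack-size, max-stack-param)"`. In `main`, `Clang::new().expect("failed to initialize clang")` turns a missing or mismatched libclang into a panic with a backtrace rather than the `anyhow` error every other failure in the function returns; `let clang_instance = Clang::new().map_err(|e| anyhow::anyhow!("failed to initialize clang: {e}"))?;` keeps the message and the exit path consistent. `has_body: if args.has_body { Some(true) } else { None }` reads more directly as `has_body: args.has_body.then_some(true),`.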
@@ -0,0 +1,65 @@
+//! SQL `WHERE`-clause filtering for functions.
+//!
+//! Uses [`bb_sql::Evaluator`] with a Function-specific column resolver.
+//!
+//! ## Supported columns
+//!
+//! | Column | Type | Example |
+//! |----------------------|--------|--------------------------|
+//! | `name` | string | `'CreateFileW'` |
+//! | `return_type` | string | `'HANDLE'` |
+//! | `params` | int | `7` |
+//! | `stack_size` | int | `12` |
+//! | `arch` | string | `'x64'` |
+//! | `calling_convention` | string | `'cdecl'` |
+//! | `is_exported` | bool | `true` |
+//! | `has_body` | bool | `false` |
+//! | `header` | string | `'fileapi.h'` |
+
+use bb_clang::Function;
+use bb_clang::display::{format_arch, format_callconv};
+use bb_sql::{Evaluator, SqlValue};
+
+pub use bb_sql::parse_where;
+
+/* ──────────────────────── Column resolution ────────────────────────────── */
+
+fn resolve_column(name: &str, f: &Function) -> SqlValue {
+ match name {
+ "name" => SqlValue::Str(f.get_name().to_string()),
+ "return_type" => SqlValue::Str(f.get_return_type_name().to_string()),
+ "params" => SqlValue::Int(f.get_params().len() as i64),
+ "stack_size" => SqlValue::Int(stack_param_bytes(f) as i64),
+ "arch" => SqlValue::Str(format_arch(f.get_arch()).to_string()),
+ "calling_convention" | "callconv" => {
+ SqlValue::Str(format_callconv(f.get_calling_convention()).to_string())
+ }
+ "is_exported" | "exported" => SqlValue::Bool(f.is_dllimport()),
+ "has_body" => SqlValue::Bool(f.has_body()),
+ "header" => {
+ let h = f
+ .get_location()
+ .and_then(|l| l.file.clone())
+ .unwrap_or_default();
+ SqlValue::Str(h)
+ }
+ _ => SqlValue::Null,
+ }
+}
+
+fn stack_param_bytes(f: &Function) -> usize {
+ f.get_params()
+ .iter()
+ .filter(|p| p.is_stack())
+ .map(bb_clang::Param::size)
+ .sum()
+}
+
+/* ──────────────────────── Public interface ────────────────────────────── */
+
+/// Evaluate a `WHERE` expression against a function, returning `true` if it passes.
+#[must_use] +pub fn eval_where(expr: &bb_sql::Expr, f: &Function) -> bool { + let evaluator = Evaluator::new(resolve_column); + evaluator.eval_where(expr, f) +} diff --git a/bb-types/Cargo.toml b/cli/bb-types/Cargo.toml similarity index 95% rename from bb-types/Cargo.toml rename to cli/bb-types/Cargo.toml index 7e0822e..40496b3 100644 --- a/bb-types/Cargo.toml +++ b/cli/bb-types/Cargo.toml @@ -16,6 +16,7 @@ bb-sdk.workspace = true bb-clang.workspace = true bb-shared.workspace = true bb-cli.workspace = true +bb-sql.workspace = true clang.workspace = true clap.workspace = true anyhow.workspace = true diff --git a/bb-types/README.md b/cli/bb-types/README.md similarity index 93% rename from bb-types/README.md rename to cli/bb-types/README.md index 1a68b2e..03b88de 100644 --- a/bb-types/README.md +++ b/cli/bb-types/README.md @@ -38,14 +38,14 @@ error: no structs matching '_PBE' --- -### Shared with `bb-consts` +### Shared with `bb-consts` and `bb-funcs`
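Review bot: `resolve_column` returns `SqlValue::Null` for any column name it does not recognise, so a misspelt column in `--where` (say `parms > 3`) degrades into a silently empty or silently unfiltered result instead of an error; `parse_where` is re-exported from `bb_sql` so it is not visible here whether the evaluator can reject unknown identifiers, but checking the names in the parsed `Expr` against the known set before `eval_where` runs would surface the typo. `stack_param_bytes` here is byte-identical to `FuncFilter::stack_param_bytes` in `lib.rs`; making that one `pub(crate)` and calling it from `resolve_column` keeps the `stack_size` column and `--sort stack-size` from drifting apart. The module-doc table also omits the aliases `callconv` and `exported` that the match arms accept; a line such as `//! Aliases: `callconv` for `calling_convention`, `exported` for `is_exported`.` would document them.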
Expand shared arguments
-These arguments are managed by [`bb-cli`](./util/bb-cli/) and are shared across all CLI apps. +These arguments are managed by [`bb-cli`](../../crates/bb-cli/) and are shared across all CLI apps. | Flag | Default | Description | | --- | --- | --- | diff --git a/bb-types/src/lib.rs b/cli/bb-types/src/lib.rs similarity index 82% rename from bb-types/src/lib.rs rename to cli/bb-types/src/lib.rs index bfd73a0..1b8aabc 100644 --- a/bb-types/src/lib.rs +++ b/cli/bb-types/src/lib.rs @@ -52,18 +52,8 @@ impl StructFilter { #[must_use] pub fn matches_header(&self, entity: &Entity) -> bool { - let Some(filter) = self.header_filter.as_ref().map(|x| x.to_lowercase()) else { - return true; - }; - - entity - .get_location() - .and_then(|loc| loc.get_file_location().file) - .is_some_and(|f| { - f.get_path() - .to_string_lossy() - .to_lowercase() - .ends_with(&filter) - }) + self.header_filter + .as_ref() + .is_none_or(|f| bb_clang::entity_in_header(entity, f)) } } diff --git a/bb-types/src/main.rs b/cli/bb-types/src/main.rs similarity index 88% rename from bb-types/src/main.rs rename to cli/bb-types/src/main.rs index 80da757..5abab58 100644 --- a/bb-types/src/main.rs +++ b/cli/bb-types/src/main.rs @@ -1,6 +1,9 @@ +use std::path::PathBuf; + use anyhow::Result; use bb_clang::{Struct, ToJson}; -use bb_cli::{get_header_config, print_suggestions}; +use bb_cli::{current_command_string, get_header_config, print_suggestions}; +use bb_sql::export_json_to_sqlite; use bb_types_lib::{StructFilter, collect_structs, iter_structs}; use clang::{Clang, Index}; use clap::Parser; @@ -52,6 +55,9 @@ struct Args { help = "Recursion depth for nested types" )] depth: usize, + + #[arg(long = "sqlite", help = "Export results to a SQLite database file")] + sqlite: Option, } fn main() -> Result<()> { 
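Review bot: The rewritten `StructFilter::matches_header` delegates to `bb_clang::entity_in_header`, whereas the removed body lower-cased both sides and matched the file path by suffix with `ends_with`; whether the helper preserves that case-insensitive suffix rule is not visible in this diff, and since `--filter` is user-facing a change there would be silent. A doc comment stating the contract, e.g. `/// True when the entity's declaring file matches `header_filter`; see `bb_clang::entity_in_header` for the matching rule.`, plus one test pinning a case-insensitive match, would make the refactor checkable against the old behaviour.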
@@ -84,7 +90,10 @@ fn main() -> Result<()> { ); } - if args.json { + if let Some(ref path) = args.sqlite { + let json_rows: Vec = structs.iter().map(|s| s.to_json()).collect(); + export_json_to_sqlite(path, "types", &json_rows)?; + } else if args.json { print_json(structs.as_slice())?; } else { print_display(structs.as_slice(), args.depth, &args.field_name); @@ -113,7 +122,7 @@ fn print_display(structs: &[Struct], depth: usize, field_name: &Option) /// Uses [`ToJson::to_json_full`] on the struct slice to produce all matched /// types and their nested referenced types, fully expanded and deduplicated. fn print_json(structs: &[Struct]) -> anyhow::Result<()> { - let command = std::env::args().collect::>().join(" "); + let command = current_command_string(); let mut output = structs.to_json_full(); output .as_object_mut() diff --git a/crates/bb-arch/Cargo.toml b/crates/bb-arch/Cargo.toml new file mode 100644 index 0000000..590c2a7 --- /dev/null +++ b/crates/bb-arch/Cargo.toml @@ -0,0 +1,10 @@ +[package] +name = "bb-arch" +version.workspace = true +edition.workspace = true + +[dependencies] +serde.workspace = true +serde_json.workspace = true +clap.workspace = true +thiserror.workspace = true diff --git a/crates/bb-arch/README.md b/crates/bb-arch/README.md new file mode 100644 index 0000000..129898a --- /dev/null +++ b/crates/bb-arch/README.md 
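Review bot: The new `--sqlite` branch serialises each struct with `s.to_json()`, while the `--json` branch beside it goes through `print_json`, whose doc comment says `to_json_full` also expands nested referenced types and deduplicates them; if the per-struct form is intentional for the table the branch should say so, otherwise the SQLite rows will lack the nested types the JSON output carries. A comment on the branch, `// Per-struct rows only; nested referenced types are not expanded for the table.`, or switching the export to the full form, would settle it. The `main` body of this hunk continues outside the diff on both sides.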
@@ -0,0 +1,45 @@ +# bb-arch + +> Architecture definitions, register sets, and ABI location types. + +`bb-arch` provides the shared vocabulary for describing target architectures, hardware registers, and where values live at the ABI level. + +This crate is used by both `bb-sdk` (which extends it with SDK-specific preprocessor defines) and `bb-clang` (which uses it for ABI-aware parameter assignment). + +--- + +## What's inside + +### `Arch` + +The target architecture enum: `X86`, `Amd64`, `Arm`, `Arm64`. + +Provides `from_triple()` to derive the architecture from a clang target triple, `target_triple()` for the MSVC triple, and `pointer_size()`. + +### Registers + +Full GPR enums for each architecture, plus x64 XMM registers: + +| Module | Registers | +| --- | --- | +| `reg::x64` | `X64Gpr` (RAX..R15), `X64Xmm` (XMM0..XMM15) | +| `reg::x86` | `X86Gpr` (EAX..EDI) | +| `reg::arm64` | `Arm64Gpr` (X0..X30, SP) | +| `reg::arm32` | `Arm32Gpr` (R0..R12, SP, LR, PC) | + +A `Register` sum type wraps all of them. + +### ABI locations + +- **`MemoryOperand`** — Where a value sits: `Reg(register)` or `RegImm { base, offset }` (e.g., `[RSP+0x28]`). +- **`ParamLocation`** — Where a parameter lives: `Direct` (register or stack slot, possibly multi-location for register pairs) or `Indirect` (caller-allocated, pointer passed). +- **`ReturnLocation`** — Where the return value goes: `Void`, `Register`, or `Indirect` (hidden pointer argument). + +Stack offsets are **callee-entry RSP/ESP-relative** -- after CALL pushed the return address, before any prologue instructions execute. + +### Display + serialization + +The `display` module provides: + +- **`register_name`** — canonical display name for any register (`RCX`, `XMM0`, `EAX`, etc.). +- **`operand_to_json`**, **`param_abi_to_json`**, **`return_abi_to_json`** — structured JSON serialization for ABI location types. diff --git a/crates/bb-arch/src/display.rs b/crates/bb-arch/src/display.rs new file mode 100644 index 0000000..e8f5d9f 
--- /dev/null
+++ b/crates/bb-arch/src/display.rs
@@ -0,0 +1,167 @@ +//! Display and serialization helpers for architecture types. + +use serde_json::json; + +use crate::Register; +use crate::location::{MemoryOperand, ParamLocation, ReturnLocation}; +use crate::reg::{Arm32Gpr, Arm64Gpr, X64Gpr, X64Xmm, X86Gpr}; + +/* ────────────────────────────── Register names ─────────────────────────── */ + +/// Get the canonical display name for a register. +#[must_use] +pub const fn register_name(reg: &Register) -> &'static str { + match reg { + Register::X64Gpr(r) => match r { + X64Gpr::Rax => "RAX", + X64Gpr::Rcx => "RCX", + X64Gpr::Rdx => "RDX", + X64Gpr::Rbx => "RBX", + X64Gpr::Rsp => "RSP", + X64Gpr::Rbp => "RBP", + X64Gpr::Rsi => "RSI", + X64Gpr::Rdi => "RDI", + X64Gpr::R8 => "R8", + X64Gpr::R9 => "R9", + X64Gpr::R10 => "R10", + X64Gpr::R11 => "R11", + X64Gpr::R12 => "R12", + X64Gpr::R13 => "R13", + X64Gpr::R14 => "R14", + X64Gpr::R15 => "R15", + }, + Register::X64Xmm(r) => match r { + X64Xmm::Xmm0 => "XMM0", + X64Xmm::Xmm1 => "XMM1", + X64Xmm::Xmm2 => "XMM2", + X64Xmm::Xmm3 => "XMM3", + X64Xmm::Xmm4 => "XMM4", + X64Xmm::Xmm5 => "XMM5", + X64Xmm::Xmm6 => "XMM6", + X64Xmm::Xmm7 => "XMM7", + X64Xmm::Xmm8 => "XMM8", + X64Xmm::Xmm9 => "XMM9", + X64Xmm::Xmm10 => "XMM10", + X64Xmm::Xmm11 => "XMM11", + X64Xmm::Xmm12 => "XMM12", + X64Xmm::Xmm13 => "XMM13", + X64Xmm::Xmm14 => "XMM14", + X64Xmm::Xmm15 => "XMM15", + }, + Register::X86Gpr(r) => match r { + X86Gpr::Eax => "EAX", + X86Gpr::Ecx => "ECX", + X86Gpr::Edx => "EDX", + X86Gpr::Ebx => "EBX", + X86Gpr::Esp => "ESP", + X86Gpr::Ebp => "EBP", + X86Gpr::Esi => "ESI", + X86Gpr::Edi => "EDI", + }, + Register::Arm64Gpr(r) => match r { + Arm64Gpr::X0 => "X0", + Arm64Gpr::X1 => "X1", + Arm64Gpr::X2 => "X2", + Arm64Gpr::X3 => "X3", + Arm64Gpr::X4 => "X4", + Arm64Gpr::X5 => "X5", + Arm64Gpr::X6 => "X6", + Arm64Gpr::X7 => "X7", + Arm64Gpr::X8 => "X8", + Arm64Gpr::X9 => "X9", + Arm64Gpr::X10 => "X10", + Arm64Gpr::X11 => "X11", + Arm64Gpr::X12 => "X12", + Arm64Gpr::X13 => "X13", + 
Arm64Gpr::X14 => "X14", + Arm64Gpr::X15 => "X15", + Arm64Gpr::X16 => "X16", + Arm64Gpr::X17 => "X17", + Arm64Gpr::X18 => "X18", + Arm64Gpr::X19 => "X19", + Arm64Gpr::X20 => "X20", + Arm64Gpr::X21 => "X21", + Arm64Gpr::X22 => "X22", + Arm64Gpr::X23 => "X23", + Arm64Gpr::X24 => "X24", + Arm64Gpr::X25 => "X25", + Arm64Gpr::X26 => "X26", + Arm64Gpr::X27 => "X27", + Arm64Gpr::X28 => "X28", + Arm64Gpr::X29 => "FP", + Arm64Gpr::X30 => "LR", + Arm64Gpr::Sp => "SP", + }, + Register::Arm32Gpr(r) => match r { + Arm32Gpr::R0 => "R0", + Arm32Gpr::R1 => "R1", + Arm32Gpr::R2 => "R2", + Arm32Gpr::R3 => "R3", + Arm32Gpr::R4 => "R4", + Arm32Gpr::R5 => "R5", + Arm32Gpr::R6 => "R6", + Arm32Gpr::R7 => "R7", + Arm32Gpr::R8 => "R8", + Arm32Gpr::R9 => "R9", + Arm32Gpr::R10 => "R10", + Arm32Gpr::R11 => "FP", + Arm32Gpr::R12 => "IP", + Arm32Gpr::Sp => "SP", + Arm32Gpr::Lr => "LR", + Arm32Gpr::Pc => "PC", + }, + } +} + +/* ──────────────────────── ABI JSON serialization ────────────────────────── */ + +/// Serialize a [`MemoryOperand`] to JSON. +#[must_use] +pub fn operand_to_json(op: &MemoryOperand) -> serde_json::Value { + match op { + MemoryOperand::Reg(r) => json!({ + "kind": "reg", + "register": register_name(r), + }), + MemoryOperand::RegImm { base, offset } => json!({ + "kind": "stack", + "base": register_name(base), + "offset": offset, + }), + } +} + +/// Serialize a [`ParamLocation`] to JSON. +#[must_use] +pub fn param_abi_to_json(loc: &ParamLocation) -> serde_json::Value { + match loc { + ParamLocation::Direct { locations, size } => { + let mut obj = match locations.first() { + Some(op) => operand_to_json(op), + None => json!({ "kind": "?" }), + }; + if let Some(map) = obj.as_object_mut() { + map.insert("size".into(), json!(size)); + } + obj + } + ParamLocation::Indirect { pointer, size } => json!({ + "kind": "indirect", + "pointer": operand_to_json(pointer), + "size": size, + }), + } +} + +/// Serialize a [`ReturnLocation`] to JSON. 
+#[must_use] +pub fn return_abi_to_json(loc: &ReturnLocation) -> serde_json::Value { + match loc { + ReturnLocation::Void => json!({ "kind": "void" }), + ReturnLocation::Register(r) => json!({ + "kind": "reg", + "register": register_name(r), + }), + ReturnLocation::Indirect => json!({ "kind": "indirect" }), + } +} diff --git a/crates/bb-arch/src/lib.rs b/crates/bb-arch/src/lib.rs new file mode 100644 index 0000000..d21e7f9 --- /dev/null +++ b/crates/bb-arch/src/lib.rs 
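Review bot: `param_abi_to_json` serializes only `locations.first()` for `ParamLocation::Direct`, so a parameter spread over a register pair (the `R0:R1` case `ParamLocation`'s own docs describe) comes out of the JSON as if it lived in a single register, whereas the text renderer in `bb-clang`'s `format_location` joins every operand with `:`. Since the JSON is meant for downstream tooling, that is a silently incomplete ABI location rather than a cosmetic difference. I would keep the flattened single-operand shape for compatibility and add a `locations` array whenever there is more than one operand, as below; the `"?"` marker for an empty vector is worth a comment saying which invariant it guards, since nothing in this crate forbids an empty `locations`.
```rust
ParamLocation::Direct { locations, size } => {
    let mut obj = match locations.first() {
        Some(op) => operand_to_json(op),
        None => json!({ "kind": "?" }),
    };
    if let Some(map) = obj.as_object_mut() {
        map.insert("size".into(), json!(size));
        if locations.len() > 1 {
            // Register pairs (e.g. ARM32 R0:R1): expose every operand, not only the first.
            let all: Vec<_> = locations.iter().map(operand_to_json).collect();
            map.insert("locations".into(), json!(all));
        }
    }
    obj
}
// … unchanged: Indirect arm …
```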
@@ -0,0 +1,70 @@ +//! Architecture definitions, register sets, and ABI location types. +//! +//! This crate provides the shared vocabulary for describing target architectures, +//! hardware registers, and where values live at the ABI level. + +pub mod display; +pub mod location; +pub mod reg; + +use serde::Serialize; +use thiserror::Error; + +pub use location::{MemoryOperand, ParamLocation, ReturnLocation}; +pub use reg::Register; + +/* ────────────────────────────────── Types ───────────────────────────────── */ + +/// Target architecture. +#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, clap::ValueEnum)] +pub enum Arch { + X86, + Amd64, + Arm, + Arm64, +} + +/* ──────────────────────────────── Errors ────────────────────────────────── */ + +#[derive(Debug, Error)] +#[error("unrecognized target triple: {0}")] +pub struct UnknownTripleError(pub String); + +/* ───────────────────────────── Implementation ──────────────────────────── */ + +impl Arch { + /// Pointer size in bytes for this architecture. + #[must_use] + pub const fn pointer_size(self) -> usize { + match self { + Self::Amd64 | Self::Arm64 => 8, + Self::X86 | Self::Arm => 4, + } + } + + /// Derive the architecture from a clang target triple. + pub fn from_triple(triple: &str) -> Result { + if triple.starts_with("x86_64") { + Ok(Self::Amd64) + } else if triple.starts_with("i686") || triple.starts_with("i386") { + Ok(Self::X86) + } else if triple.starts_with("aarch64") { + Ok(Self::Arm64) + } else if triple.starts_with("thumb") || triple.starts_with("arm") { + Ok(Self::Arm) + } else { + Err(UnknownTripleError(triple.to_owned())) + } + } + + /// The MSVC target triple for this architecture. + #[must_use] + pub const fn target_triple(self) -> &'static str { + match self { + Self::X86 => "i686-pc-windows-msvc", + Self::Amd64 => "x86_64-pc-windows-msvc", + Self::Arm => "thumbv7-pc-windows-msvc", + Self::Arm64 => "aarch64-pc-windows-msvc", + } + } +} 
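Review bot: `from_triple` classifies every triple that begins with `arm` as 32-bit `Arm`, and that includes `arm64-…` triples, which clang accepts as a spelling of AArch64; such a translation unit would get a `pointer_size()` of 4, and every struct layout and parameter location computed from it would be wrong without any error. The `aarch64` test runs first but does not cover that spelling, so I would widen it and keep it ahead of the `arm`/`thumb` branch: `} else if triple.starts_with("aarch64") || triple.starts_with("arm64") {`. Matching on the architecture component (the text before the first `-`) instead of a bare prefix would also stop the result from depending on branch order, and `UnknownTripleError` already gives the caller a clean failure for anything that does not match.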
diff --git a/crates/bb-arch/src/location.rs b/crates/bb-arch/src/location.rs new file mode 100644 index 0000000..b161ffc --- /dev/null +++ b/crates/bb-arch/src/location.rs 
@@ -0,0 +1,60 @@ +//! Memory operand and parameter location types. + +use serde::Serialize; + +use crate::reg::Register; + +/* ────────────────────────────────── Types ───────────────────────────────── */ + +/// A way to refer to a value's location, matching disassembler notation. +/// +/// - `Reg(RCX)` → a value sitting in a register. +/// - `RegImm { base: RSP, offset: 0x28 }` → a value at `[RSP + 0x28]`. +#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize)] +pub enum MemoryOperand { + /// Value is in a register directly. + Reg(Register), + /// Value is in memory at `[base + offset]`. + RegImm { base: Register, offset: i64 }, +} + +/// Where a parameter lives at the ABI level. +/// +/// A single parameter may occupy one or more locations (e.g., a 64-bit value +/// split across two 32-bit registers on ARM32), or may be passed indirectly +/// (caller allocates, passes pointer). +/// +/// Stack offsets are relative to RSP/ESP **at callee entry** — after CALL +/// pushed the return address, before any prologue instructions execute. +/// This is the ABI contract and does not depend on prologue style. +#[derive(Debug, Clone, PartialEq, Eq, Serialize)] +pub enum ParamLocation { + /// Value stored directly at one or more locations. + /// + /// Usually a single register or single stack slot. + /// Multiple entries for register pairs (e.g., ARM32 `R0:R1` for a 64-bit value). + /// + /// `size` is the total size of the parameter in bytes. + Direct { + locations: Vec, + size: usize, + }, + + /// Value is passed indirectly: caller allocates memory, passes a pointer. + /// + /// The pointer itself is at the given operand. `size` is the size of the + /// pointed-to value, not the pointer. + Indirect { pointer: MemoryOperand, size: usize }, +} + +/// Where a function's return value is placed. +#[derive(Debug, Clone, PartialEq, Eq, Serialize)] +pub enum ReturnLocation { + /// No return value (`void`). + Void, + /// Return value is placed directly in a register. 
+ Register(Register), + /// Return value is written to caller-allocated memory. + /// The caller passes a hidden pointer as the first argument. + Indirect, +} diff --git a/crates/bb-arch/src/reg/arm32.rs b/crates/bb-arch/src/reg/arm32.rs new file mode 100644 index 0000000..3e47e90 --- /dev/null +++ b/crates/bb-arch/src/reg/arm32.rs @@ -0,0 +1,39 @@ +//! ARM32 (Thumb/ARM) register definitions. + +use serde::Serialize; + +/* ────────────────────────────────── Types ───────────────────────────────── */ + +/// ARM32 general-purpose registers. +#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize)] +pub enum Arm32Gpr { + R0, + R1, + R2, + R3, + R4, + R5, + R6, + R7, + R8, + R9, + R10, + /// Frame pointer. + R11, + /// Intra-procedure scratch register. + R12, + /// Stack pointer. + Sp, + /// Link register. + Lr, + /// Program counter. + Pc, +} + +/* ────────────────────────────── Param registers ────────────────────────── */ + +/// Integer/pointer parameter registers in positional order (ARM32 AAPCS). +/// Reserved for future ARM32 AAPCS implementation. +#[allow(dead_code)] +pub const ARM32_INT_PARAM_REGS: [Arm32Gpr; 4] = + [Arm32Gpr::R0, Arm32Gpr::R1, Arm32Gpr::R2, Arm32Gpr::R3]; diff --git a/crates/bb-arch/src/reg/arm64.rs b/crates/bb-arch/src/reg/arm64.rs new file mode 100644 index 0000000..8f43991 --- /dev/null +++ b/crates/bb-arch/src/reg/arm64.rs 
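Review bot: `ParamLocation::Direct { locations: Vec<…>, .. }` can hold an empty vector, and nothing in this file says that it must not; the JSON serializer in `display.rs` has to invent a `"?"` kind for exactly that case. The doc comment on `Direct` should state the invariant the ABI assignment code (in `bb-clang`, outside this diff) is expected to uphold, e.g. `/// Invariant: `locations` is never empty — a direct parameter always has at least one operand; register pairs add further entries.` If an empty vector is genuinely never produced, a representation with a mandatory first operand plus a `Vec` of extras would turn that comment into a type-level fact consumers cannot get wrong.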
@@ -0,0 +1,61 @@ +//! ARM64 (`AArch64`) register definitions. + +use serde::Serialize; + +/* ────────────────────────────────── Types ───────────────────────────────── */ + +/// ARM64 general-purpose registers. +#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize)] +pub enum Arm64Gpr { + X0, + X1, + X2, + X3, + X4, + X5, + X6, + X7, + X8, + X9, + X10, + X11, + X12, + X13, + X14, + X15, + X16, + X17, + X18, + X19, + X20, + X21, + X22, + X23, + X24, + X25, + X26, + X27, + X28, + /// Frame pointer. + X29, + /// Link register. + X30, + /// Stack pointer (not a GPR in the traditional sense, but addressable). + Sp, +} + +/* ────────────────────────────── Param registers ────────────────────────── */ + +/// Integer/pointer parameter registers in positional order (Windows ARM64 ABI). +/// Reserved for future ARM64 AAPCS implementation. +#[allow(dead_code)] +pub const ARM64_INT_PARAM_REGS: [Arm64Gpr; 8] = [ + Arm64Gpr::X0, + Arm64Gpr::X1, + Arm64Gpr::X2, + Arm64Gpr::X3, + Arm64Gpr::X4, + Arm64Gpr::X5, + Arm64Gpr::X6, + Arm64Gpr::X7, +]; diff --git a/crates/bb-arch/src/reg/mod.rs b/crates/bb-arch/src/reg/mod.rs new file mode 100644 index 0000000..20db91c --- /dev/null +++ b/crates/bb-arch/src/reg/mod.rs 
@@ -0,0 +1,57 @@ +//! Hardware register definitions for each supported architecture. + +mod arm32; +mod arm64; +mod x64; +mod x86; + +pub use arm32::*; +pub use arm64::*; +pub use x64::*; +pub use x86::*; + +use serde::Serialize; + +/* ────────────────────────────────── Types ───────────────────────────────── */ + +/// A hardware register, across all supported architectures. +#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize)] +pub enum Register { + X64Gpr(X64Gpr), + X64Xmm(X64Xmm), + X86Gpr(X86Gpr), + Arm64Gpr(Arm64Gpr), + Arm32Gpr(Arm32Gpr), +} + +/* ─────────────────────────────── Conversions ────────────────────────────── */ + +impl From for Register { + fn from(r: X64Gpr) -> Self { + Self::X64Gpr(r) + } +} + +impl From for Register { + fn from(r: X64Xmm) -> Self { + Self::X64Xmm(r) + } +} + +impl From for Register { + fn from(r: X86Gpr) -> Self { + Self::X86Gpr(r) + } +} + +impl From for Register { + fn from(r: Arm64Gpr) -> Self { + Self::Arm64Gpr(r) + } +} + +impl From for Register { + fn from(r: Arm32Gpr) -> Self { + Self::Arm32Gpr(r) + } +} diff --git a/crates/bb-arch/src/reg/x64.rs b/crates/bb-arch/src/reg/x64.rs new file mode 100644 index 0000000..83e05a4 --- /dev/null +++ b/crates/bb-arch/src/reg/x64.rs 
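Review bot: `Register` lets values from different architectures be combined freely — a `MemoryOperand::RegImm` whose base is an `X64Gpr` inside an `X86` function, say — and the only way a caller can notice is by matching on the variant, so neither the display nor the JSON path would flag it. A small accessor on the sum type, plus a doc line on `Register` noting that callers are responsible for pairing it with the matching `Arch`, gives the assignment code and tests somewhere to assert that pairing. `Arch` lives in this crate's `lib.rs`, so the impl needs only `use crate::Arch;`.
```rust
impl Register {
    /// The architecture this register belongs to; ABI code should assert it
    /// matches the function's `Arch` before building a location from it.
    #[must_use]
    pub const fn arch(self) -> Arch {
        match self {
            Self::X64Gpr(_) | Self::X64Xmm(_) => Arch::Amd64,
            Self::X86Gpr(_) => Arch::X86,
            Self::Arm64Gpr(_) => Arch::Arm64,
            Self::Arm32Gpr(_) => Arch::Arm,
        }
    }
}
```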
@@ -0,0 +1,56 @@ +//! x86-64 register definitions. + +use serde::Serialize; + +/* ────────────────────────────────── Types ───────────────────────────────── */ + +/// x86-64 general-purpose registers. +#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize)] +pub enum X64Gpr { + Rax, + Rcx, + Rdx, + Rbx, + Rsp, + Rbp, + Rsi, + Rdi, + R8, + R9, + R10, + R11, + R12, + R13, + R14, + R15, +} + +/// x86-64 SSE registers. +#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize)] +pub enum X64Xmm { + Xmm0, + Xmm1, + Xmm2, + Xmm3, + Xmm4, + Xmm5, + Xmm6, + Xmm7, + Xmm8, + Xmm9, + Xmm10, + Xmm11, + Xmm12, + Xmm13, + Xmm14, + Xmm15, +} + +/* ────────────────────────────── Param registers ────────────────────────── */ + +/// Integer/pointer parameter registers in positional order. +pub const X64_INT_PARAM_REGS: [X64Gpr; 4] = [X64Gpr::Rcx, X64Gpr::Rdx, X64Gpr::R8, X64Gpr::R9]; + +/// Floating-point parameter registers in positional order. +pub const X64_FLOAT_PARAM_REGS: [X64Xmm; 4] = + [X64Xmm::Xmm0, X64Xmm::Xmm1, X64Xmm::Xmm2, X64Xmm::Xmm3]; diff --git a/crates/bb-arch/src/reg/x86.rs b/crates/bb-arch/src/reg/x86.rs new file mode 100644 index 0000000..cc4a27d --- /dev/null +++ b/crates/bb-arch/src/reg/x86.rs @@ -0,0 +1,23 @@ +//! x86 (32-bit) register definitions. + +use serde::Serialize; + +/* ────────────────────────────────── Types ───────────────────────────────── */ + +/// x86 general-purpose registers. +#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize)] +pub enum X86Gpr { + Eax, + Ecx, + Edx, + Ebx, + Esp, + Ebp, + Esi, + Edi, +} + +/* ────────────────────────────── Param registers ────────────────────────── */ + +/// Fastcall parameter registers in positional order. +pub const X86_FASTCALL_PARAM_REGS: [X86Gpr; 2] = [X86Gpr::Ecx, X86Gpr::Edx]; diff --git a/util/bb-clang/Cargo.toml b/crates/bb-clang/Cargo.toml similarity index 91% rename from util/bb-clang/Cargo.toml rename to crates/bb-clang/Cargo.toml index 691a07f..be3032a 100644 
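Review bot: The doc comments on `X64_INT_PARAM_REGS` and `X64_FLOAT_PARAM_REGS` do not name the convention, unlike `ARM64_INT_PARAM_REGS` which says "Windows ARM64 ABI"; the RCX/RDX/R8/R9 order is the Microsoft x64 convention, not System V, and a reader of this vocabulary crate should not have to know the project is Windows-only to interpret the table. The caveat that matters for whoever implements the assignment is that under the Microsoft x64 convention the integer and XMM registers are assigned by argument position, not counted independently — a `double` as the second argument goes in `XMM1` and `RDX` is skipped — which the phrase "in positional order" alone does not convey. I would write `/// Integer/pointer parameter registers in positional order (Microsoft x64 convention).` and `/// Floating-point parameter registers in positional order (Microsoft x64 convention). Positions are shared with `X64_INT_PARAM_REGS`: argument N uses XMMN or the Nth integer register, never both.`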
--- a/util/bb-clang/Cargo.toml +++ b/crates/bb-clang/Cargo.toml @@ -4,6 +4,7 @@ version.workspace = true edition.workspace = true [dependencies] +bb-arch.workspace = true bb-shared.workspace = true clang.workspace = true thiserror.workspace = true diff --git a/util/bb-clang/README.md b/crates/bb-clang/README.md similarity index 51% rename from util/bb-clang/README.md rename to crates/bb-clang/README.md index 5d62383..99c46bc 100644 --- a/util/bb-clang/README.md +++ b/crates/bb-clang/README.md 
@@ -14,26 +14,32 @@ Instead of working over something like clang bindings to Rust, we use [`clang-rs The purpose is to take in the entity object, and lift it to a structured representation of itself. Some of them would be: -- **[`Struct`](./src/struct_/mod.rs)** -- A structured representation of C/C++ `struct` (or `class`) declarations. They most often contain [`Field`](./src/struct_/field.rs)s. +- **[`Struct`](./src/struct_/mod.rs)** — A structured representation of C/C++ `struct` (or `class`) declarations. They most often contain [`Field`](./src/struct_/field.rs)s. -- **[`Field`](./src/struct_/field.rs)** -- A structured representation of C/C++ field declarations. They are always the semantic children of [`Struct`](./src/struct_/mod.rs)s and their declaration's underlying type might be used to obtain a new [`Struct`](./src/struct_/mod.rs) as well. +- **[`Field`](./src/struct_/field.rs)** — A structured representation of C/C++ field declarations. They are always the semantic children of [`Struct`](./src/struct_/mod.rs)s and their declaration's underlying type might be used to obtain a new [`Struct`](./src/struct_/mod.rs) as well. -- **[`Enum`](./src/enum_.rs)** -- A structured representation of C/C++ enum declarations. They most often contain [`Constant`](./src/constant/mod.rs) of the specific enum constant declaration kind, and they have an associated type. +- **[`Enum`](./src/enum_.rs)** — A structured representation of C/C++ enum declarations. They most often contain [`Constant`](./src/constant/mod.rs) of the specific enum constant declaration kind, and they have an associated type. -- **[`Constant`](./src/constant/mod.rs)** -- A generic representation of all constants (variable declarations that evaluate at compile-time; enum constant declarations; simple, non-builtin macro definitions). We only support (and expose) numeric ones. 
+- **[`Constant`](./src/constant/mod.rs)** — A generic representation of all constants (variable declarations that evaluate at compile-time; enum constant declarations; simple, non-builtin macro definitions). We only support (and expose) numeric ones. We evaluate the value of the macro after getting the tokens that make it up from Clang, and turning them into [`cexpr`](https://crates.io/crates/cexpr) tokens to evaluate them as a macro definition. Moreover, we also support decomposing more complex macros into body tokens that will later be used in conjunction with [`cexpr`](https://crates.io/crates/cexpr) to parse the individual tokens that make it up, to understand how the value came to be. Macro constants resolved via lookup also track their **components** — the names of other constants that were substituted during evaluation (e.g., `FILE_ALL_ACCESS` tracks `STANDARD_RIGHTS_REQUIRED`, `SYNCHRONIZE`, etc.). +- **[`Function`](./src/function/mod.rs)** — A structured representation of C/C++ function declarations. Automatically detects the target architecture from the translation unit and assigns each parameter its ABI location (register or stack offset) based on the calling convention. Contains [`Param`](./src/function/param.rs)s and a [`CallConv`](./src/function/callconv.rs). + +- **[`Param`](./src/function/param.rs)** — A structured representation of a function parameter declaration. Carries the parameter's type, name, and its computed **ABI location** — where the value lives at the calling convention level (e.g., `RCX`, `[RSP+0x28]`, or indirect via pointer). + +- **[`CallConv`](./src/function/abi.rs)** — Calling convention representation with ABI parameter assignment logic. Implements the Microsoft x64 calling convention, x86 cdecl/stdcall/fastcall, and determines return value placement. Stack offsets are callee-entry RSP/ESP-relative (before prologue). ARM is stubbed for future work. 
+ > **Note** — This is always subject to change, please make sure that you create your own understanding by reading the source code. --- We also offer: -- **[`SourceLocation`](./src/location.rs)** -- A simple abstraction over source locations. Carries both the **filename** (used in serialization) and the **full path** (available via `path()` for programmatic use, skipped during serialization). +- **[`SourceLocation`](./src/location.rs)** — A simple abstraction over source locations. Carries both the **filename** (used in serialization) and the **full path** (available via `path()` for programmatic use, skipped during serialization). -- **[`clang_ext`](./src/clang_ext.rs)** -- Extension traits over `clang-rs` types (`AnonymousType`, `DeclarationKind`, `UnderlyingType`, `HasChildrenType`). These are used throughout the crate to simplify working with the clang AST. +- **[`clang_ext`](./src/ext.rs)** — Extension traits over `clang-rs` types (`AnonymousType`, `DeclarationKind`, `UnderlyingType`, `HasChildrenType`). These are used throughout the crate to simplify working with the clang AST. --- @@ -47,7 +53,7 @@ A core belief of `bb` is that it is meant to help others not only view the data, #### `ToJson` trait -The **[`ToJson`](./src/json.rs)** trait provides structured JSON serialization for all bb-clang types (`Constant`, `Enum`, `Field`, `Struct`), with implementations for individual values, slices, and `Vec`s. +The **[`ToJson`](./src/json.rs)** trait provides structured JSON serialization for all bb-clang types (`Constant`, `Enum`, `Field`, `Struct`, `Function`), with implementations for individual values, slices, and `Vec`s. It exposes two methods: diff --git a/util/bb-clang/src/constant/macro_.rs b/crates/bb-clang/src/constant/macro_.rs similarity index 98% rename from util/bb-clang/src/constant/macro_.rs rename to crates/bb-clang/src/constant/macro_.rs index f515a7d..47c0ace 100644 --- a/util/bb-clang/src/constant/macro_.rs 
+++ b/crates/bb-clang/src/constant/macro_.rs @@ -13,7 +13,7 @@ use std::collections::{HashMap, HashSet}; use clang::token::{Token, TokenKind}; use clang::{Entity, EntityKind, TranslationUnit}; -use super::token_conv::clang_to_cexpr_token; +use super::tokens::clang_to_cexpr_token; use crate::error::ConstantError; use crate::location::SourceLocation; @@ -181,12 +181,15 @@ impl<'a> Constant<'a> { .map(|c| c.get_name().to_string()) .collect(); + let expression = super::expression_from_body_tokens(&body_tokens); + Ok(Self::new( entity, name, value, type_name, location, + expression, body_tokens, components, component_constants, @@ -198,6 +201,7 @@ impl<'a> Constant<'a> { /// Build a [`TuEntityMap`] from a translation unit, covering every /// `MacroDefinition`, `VarDecl`, and `EnumConstantDecl` in the TU. +#[must_use] pub fn build_tu_entity_map<'tu>(tu: &'tu TranslationUnit<'tu>) -> TuEntityMap<'tu> { let mut map = HashMap::new(); for e in tu.get_entity().get_children() { diff --git a/util/bb-clang/src/constant/mod.rs b/crates/bb-clang/src/constant/mod.rs similarity index 72% rename from util/bb-clang/src/constant/mod.rs rename to crates/bb-clang/src/constant/mod.rs index fb4afbb..f5e3e54 100644 --- a/util/bb-clang/src/constant/mod.rs +++ b/crates/bb-clang/src/constant/mod.rs @@ -5,7 +5,7 @@ //! and `#define` macros (via [`cexpr`]). mod macro_; -mod token_conv; +mod tokens; mod value; pub use macro_::{TuEntityMap, build_tu_entity_map}; @@ -18,7 +18,7 @@ use serde::Serialize; use crate::error::ConstantError; use crate::location::SourceLocation; -use token_conv::clang_to_cexpr_token; +use tokens::clang_to_cexpr_token; /* ────────────────────────────────── Macro ───────────────────────────────── */ 
@@ -51,6 +51,9 @@ pub struct Constant<'a> { #[serde(rename = "type", skip_serializing_if = "Option::is_none")] type_name: Option, location: Option, + /// The original C expression text (e.g. `(0x00000001L | 0x00000002L)`). + #[serde(skip_serializing_if = "Option::is_none")] + expression: Option, /// Raw macro body tokens (identifier flag + spelling). Empty for non-macros. #[serde(skip)] body_tokens: Vec, @@ -73,9 +76,10 @@ impl<'a> Constant<'a> { value: ConstValue, type_name: Option, location: Option, + expression: Option, body_tokens: Vec, components: Vec, - component_constants: Vec>, + component_constants: Vec, ) -> Self { let hex = value.to_string(); Self { @@ -85,6 +89,7 @@ impl<'a> Constant<'a> { hex, type_name, location, + expression, body_tokens, components, component_constants, @@ -131,6 +136,12 @@ impl<'a> Constant<'a> { self.location.as_ref() } + /// The original C expression text, if available. + #[must_use] + pub fn get_expression(&self) -> Option<&str> { + self.expression.as_deref() + } + /// Raw body tokens of a macro definition (empty for non-macros). #[must_use] pub fn get_body_tokens(&self) -> &[MacroBodyToken] { @@ -147,7 +158,7 @@ impl<'a> Constant<'a> { /// /// Used by [`ToJson::to_json_full`] to emit `referred_components`. #[must_use] - pub fn get_component_constants(&self) -> &[Constant<'a>] { + pub fn get_component_constants(&self) -> &[Self] { &self.component_constants } } 
@@ -169,17 +180,23 @@ impl<'a> TryFrom> for Constant<'a> { let type_name = entity.get_type().map(|t| t.get_display_name()); let location = SourceLocation::from_entity(&entity); - let (value, body_tokens) = match kind { + let (value, expression, body_tokens) = match kind { EntityKind::EnumConstantDecl => { let (signed, unsigned) = entity .get_enum_constant_value() .ok_or(ConstantError::NotEvaluable)?; - (ConstValue::from_enum_constant(signed, unsigned), Vec::new()) + let expr = extract_expression_from_entity(&entity); + ( + ConstValue::from_enum_constant(signed, unsigned), + expr, + Vec::new(), + ) } EntityKind::VarDecl => { let result = entity.evaluate().ok_or(ConstantError::NotEvaluable)?; let value = ConstValue::from_eval(result).ok_or(ConstantError::NotEvaluable)?; - (value, Vec::new()) + let expr = extract_expression_from_entity(&entity); + (value, expr, Vec::new()) } EntityKind::MacroDefinition => { if entity.is_function_like_macro() || entity.is_builtin_macro() { @@ -195,7 +212,8 @@ impl<'a> TryFrom> for Constant<'a> { .map_err(|_| ConstantError::NotEvaluable)?; let value = ConstValue::from_cexpr(result).ok_or(ConstantError::NotEvaluable)?; - (value, body) + let expr = expression_from_body_tokens(&body); + (value, expr, body) } _ => return Err(ConstantError::NotConstant(kind)), }; @@ -208,6 +226,7 @@ impl<'a> TryFrom> for Constant<'a> { hex, type_name, location, + expression, body_tokens, components: Vec::new(), component_constants: Vec::new(), 
@@ -229,6 +248,73 @@ fn extract_body_tokens(tokens: &[Token]) -> Vec { .collect() } +/// Reconstruct the C expression string from macro body tokens. +/// +/// Spaces are inserted only between two "word" tokens (identifiers or +/// number literals). Punctuation and brackets bind tightly: +/// `(DWORD)(FOO | BAR)` not `( DWORD ) ( FOO | BAR )`. +pub(crate) fn expression_from_body_tokens(tokens: &[MacroBodyToken]) -> Option { + if tokens.is_empty() { + return None; + } + let mut out = String::new(); + for (i, t) in tokens.iter().enumerate() { + let s = t.lit_representation.as_str(); + if i > 0 && needs_space(tokens[i - 1].lit_representation.as_str(), s) { + out.push(' '); + } + out.push_str(s); + } + let trimmed = out.trim(); + if trimmed.is_empty() { + None + } else { + Some(trimmed.to_string()) + } +} + +/// Whether a space is needed between two adjacent tokens. +/// +/// Space is inserted only when both tokens are "words" (identifiers, +/// numbers, keywords). Punctuation tokens never get leading/trailing spaces. +fn needs_space(prev: &str, cur: &str) -> bool { + is_word_token(prev) && is_word_token(cur) +} + +fn is_word_token(s: &str) -> bool { + s.bytes() + .next() + .is_some_and(|b| b.is_ascii_alphanumeric() || b == b'_') +} + +/// Extract the C expression from an entity's token range (for enum constants and var decls). +/// +/// For enum constants, skips the name and `=` prefix. +/// For var decls, skips everything up to and including `=`. +fn extract_expression_from_entity(entity: &Entity) -> Option { + let range = entity.get_range()?; + let tokens = range.tokenize(); + // Find the `=` separator and take everything after it. + let eq_pos = tokens.iter().position(|t| t.get_spelling() == "=")?; + let expr_tokens: Vec<_> = tokens[eq_pos + 1..] + .iter() + .map(clang::token::Token::get_spelling) + // Skip trailing semicolons (var decls). 
+ .filter(|s| s != ";") + .collect(); + if expr_tokens.is_empty() { + return None; + } + let mut out = String::new(); + for (i, s) in expr_tokens.iter().enumerate() { + if i > 0 && needs_space(expr_tokens[i - 1].as_str(), s) { + out.push(' '); + } + out.push_str(s); + } + Some(out) +} + /* ───────────────────────────── Type utilities ───────────────────────────── */ /// Strip matching outer parentheses from a macro body token slice. diff --git a/util/bb-clang/src/constant/token_conv.rs b/crates/bb-clang/src/constant/tokens.rs similarity index 100% rename from util/bb-clang/src/constant/token_conv.rs rename to crates/bb-clang/src/constant/tokens.rs diff --git a/util/bb-clang/src/constant/value.rs b/crates/bb-clang/src/constant/value.rs similarity index 100% rename from util/bb-clang/src/constant/value.rs rename to crates/bb-clang/src/constant/value.rs diff --git a/util/bb-clang/src/display/const_.rs b/crates/bb-clang/src/display/constant.rs similarity index 100% rename from util/bb-clang/src/display/const_.rs rename to crates/bb-clang/src/display/constant.rs diff --git a/util/bb-clang/src/display/enum_.rs b/crates/bb-clang/src/display/enum_.rs similarity index 94% rename from util/bb-clang/src/display/enum_.rs rename to crates/bb-clang/src/display/enum_.rs index 48ff31b..6401991 100644 --- a/util/bb-clang/src/display/enum_.rs +++ b/crates/bb-clang/src/display/enum_.rs @@ -7,12 +7,13 @@ use colored::Colorize; use crate::constant::{ConstLookup, Constant}; use crate::enum_::Enum; -use super::const_::render_constants; +use super::constant::render_constants; use super::render_type_header; /// Render an enum with its constants as a tree. /// /// The underlying type is shown on the header line, not per-constant. +#[must_use] pub fn render_enum(e: &Enum, lookup: Option<&ConstLookup>) -> String { render_enum_constants(e, e.get_constants(), lookup) } 
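Review bot: `needs_space` only separates two word tokens, so adjacent operator tokens are glued together, and the text produced by `expression_from_body_tokens` and `extract_expression_from_entity` can read back as a different expression: `a - -1` becomes `a--1` (a post-decrement when re-lexed) and `x + +1` becomes `x++1`. Since this string is what users see as the constant's expression, I would also separate two operator tokens, leaving only brackets and commas tight, as below. Separately, the `.filter(|s| s != ";")` in `extract_expression_from_entity` drops every `;` in the initializer, not only trailing ones as its comment says; harmless for constant initializers, but the comment should say so.
```rust
/// Whether a space is needed between two adjacent tokens.
///
/// Words (identifiers, numbers, keywords) are separated from each other, and so
/// are two operator tokens, since gluing `-` `-` or `+` `+` would re-lex as a
/// different token (`--`, `++`). Brackets and commas never get spaces.
fn needs_space(prev: &str, cur: &str) -> bool {
    (is_word_token(prev) && is_word_token(cur))
        || (is_operator_token(prev) && is_operator_token(cur))
}

fn is_operator_token(s: &str) -> bool {
    !is_word_token(s) && !matches!(s, "(" | ")" | "[" | "]" | "{" | "}" | "," | ";")
}
// … unchanged: is_word_token, extract_expression_from_entity …
```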
@@ -20,6 +21,7 @@ pub fn render_enum(e: &Enum, lookup: Option<&ConstLookup>) -> String { /// Render an enum header with a custom set of constants. /// /// Used by `display_filtered` when only a subset of constants should be shown. +#[must_use] pub fn render_enum_constants( e: &Enum, constants: &[Constant], diff --git a/crates/bb-clang/src/display/function.rs b/crates/bb-clang/src/display/function.rs new file mode 100644 index 0000000..e7053b1 --- /dev/null +++ b/crates/bb-clang/src/display/function.rs 
@@ -0,0 +1,239 @@ +//! Display rendering for function declarations. +//! +//! Provides both a compact list view with tree connectors and a detailed +//! ABI breakdown showing where each parameter lives and where the return +//! value goes, matching disassembler notation. + +use std::fmt::Write; + +use bb_arch::display::register_name; +use bb_arch::location::{MemoryOperand, ParamLocation, ReturnLocation}; +use colored::Colorize; + +use crate::function::{CallConv, Function, Param}; + +/* ────────────────────────── Operand formatting ─────────────────────────── */ + +#[must_use] +pub fn format_operand(op: &MemoryOperand) -> String { + match op { + MemoryOperand::Reg(r) => register_name(r).to_string(), + MemoryOperand::RegImm { base, offset } => { + if *offset >= 0 { + format!("[{}+{:#X}]", register_name(base), offset) + } else { + format!("[{}-{:#X}]", register_name(base), offset.unsigned_abs()) + } + } + } +} + +#[must_use] +pub fn format_location(loc: &ParamLocation) -> String { + match loc { + ParamLocation::Direct { locations, .. } => locations + .iter() + .map(format_operand) + .collect::>() + .join(":"), + ParamLocation::Indirect { pointer, .. 
} => { + format!("ptr → {}", format_operand(pointer)) + } + } +} + +#[must_use] +pub fn format_return_location(loc: &ReturnLocation) -> String { + match loc { + ReturnLocation::Void => "void".to_string(), + ReturnLocation::Register(r) => register_name(r).to_string(), + ReturnLocation::Indirect => "ptr (hidden 1st arg)".to_string(), + } +} + +#[must_use] +pub const fn format_callconv(cc: &CallConv) -> &'static str { + match cc { + CallConv::Cdecl => "cdecl", + CallConv::Stdcall => "stdcall", + CallConv::Fastcall => "fastcall", + } +} + +#[must_use] +pub const fn format_arch(arch: bb_arch::Arch) -> &'static str { + match arch { + bb_arch::Arch::Amd64 => "x64", + bb_arch::Arch::X86 => "x86", + bb_arch::Arch::Arm64 => "ARM64", + bb_arch::Arch::Arm => "ARM32", + } +} + +/// Build the base tags for a function (arch, callconv, exported, `has_body`). +/// +/// Returns a `Vec` so callers can extend with additional tags before joining. +#[must_use] +pub fn format_tags(f: &Function) -> Vec { + let mut tags = Vec::new(); + tags.push(format_arch(f.get_arch()).to_string()); + tags.push(format_callconv(f.get_calling_convention()).to_string()); + if f.is_dllimport() { + tags.push("exported".to_string()); + } + if f.has_body() { + tags.push("has body".to_string()); + } + tags +} + +/// Format a typed+named parameter string for display. +fn format_param_sig(p: &Param) -> String { + let ty = p.get_type_name().cyan().to_string(); + match p.get_name() { + Some(n) => format!("{ty} {}", n.white().bold()), + None => ty, + } +} + +/* ──────────────────── Compact list item (tree connector) ───────────────── */ + +/// Format a single ABI parameter row: index, kind, location, size, type, name. +/// +/// Shared between `render_function_detail` and enriched rendering. +#[must_use] +pub fn format_abi_param(i: usize, p: &Param) -> String { + let kind = match p.get_abi_location() { + ParamLocation::Direct { locations, .. 
} => match locations.first() { + Some(MemoryOperand::Reg(_)) => "reg", + Some(MemoryOperand::RegImm { .. }) => "stack", + None => "?", + }, + ParamLocation::Indirect { .. } => "indirect", + }; + let loc_str = format_location(p.get_abi_location()).yellow(); + let type_name = p.get_type_name().cyan(); + let param_name = p.get_name().map_or_else( + || "".dimmed().to_string(), + |n| n.white().bold().to_string(), + ); + let size = match p.get_abi_location() { + ParamLocation::Direct { size, .. } | ParamLocation::Indirect { size, .. } => *size, + }; + let size_str = format!("[{size}]").green(); + + let idx = i + 1; + format!("{idx}\t{kind:<8} {loc_str:<14} {size_str} {type_name} {param_name}") +} + +/// Render a single function as a tree list item with a connector. +#[must_use] +pub fn render_function_item(f: &Function, connector: &str) -> String { + let mut out = String::new(); + + let name = f.get_name().cyan().bold(); + let ret = f.get_return_type_name().green(); + let params_str: String = f + .get_params() + .iter() + .map(|p| format_param_sig(p)) + .collect::>() + .join(", "); + + let tags = format_tags(f).join(", "); + let loc = f + .get_location() + .map(|l| format!(" {l}").dimmed().to_string()) + .unwrap_or_default(); + + let _ = writeln!( + out, + "{} {ret} {name}({params_str}) {}{}", + connector.dimmed(), + tags.dimmed(), + loc, + ); + + out +} + +/// Render a list of functions as a tree with connectors and a footer. 
+#[must_use] +pub fn render_function_list(funcs: &[Function]) -> String { + let mut out = String::new(); + + for (i, f) in funcs.iter().enumerate() { + let is_last = i == funcs.len() - 1; + let connector = if is_last { "╰─" } else { "├─" }; + out.push_str(&render_function_item(f, connector)); + if !is_last { + let _ = writeln!(out, "{}", "│".dimmed()); + } + } + + let _ = writeln!(out, "{}", format!(" {} functions", funcs.len()).dimmed()); + out +} + +/* ──────────────────── Detailed ABI breakdown rendering ─────────────────── */ + +/// Render a detailed ABI breakdown for a function. +/// +/// Shows the C signature as the tree root, with architecture/tags, +/// parameter ABI locations, and return value placement as children. +#[must_use] +pub fn render_function_detail(f: &Function) -> String { + let mut out = String::new(); + + // Header: C signature as the tree root. + let name = f.get_name().cyan().bold(); + let ret = f.get_return_type_name().green(); + let params_str: String = f + .get_params() + .iter() + .map(|p| format_param_sig(p)) + .collect::>() + .join(", "); + let loc = f + .get_location() + .map(|l| format!(" {l}").dimmed().to_string()) + .unwrap_or_default(); + let _ = writeln!(out, "{ret} {name}({params_str}){loc}"); + + // Tags line as first child. + let tags = format_tags(f).join(", "); + let _ = writeln!(out, "{} {}", "│".dimmed(), tags.dimmed()); + + // Stack offset note — shown when any param is on the stack. + let params = f.get_params(); + if params.iter().any(Param::is_stack) { + let _ = writeln!( + out, + "{} {}", + "│".dimmed(), + "stack offsets are callee-entry (before prologue)".bright_black(), + ); + } + + // Blank line before parameters. + let _ = writeln!(out, "{}", "│".dimmed()); + + // Parameters. 
+ if params.is_empty() { + let _ = writeln!(out, "{} {}", "│".dimmed(), "(no parameters)".dimmed()); + } else { + for (i, p) in params.iter().enumerate() { + let is_last = i == params.len() - 1; + let connector = if is_last { "╰─" } else { "├─" }; + let _ = writeln!(out, "{} {}", connector.dimmed(), format_abi_param(i, p)); + } + } + + // Return value — always last child. + let ret_type = f.get_return_type_name().cyan(); + let ret_loc = format_return_location(f.get_return_location()); + let ret_styled = ret_loc.yellow(); + let _ = writeln!(out, "{} {ret_styled} {ret_type}", "╰".dimmed()); + + out +} diff --git a/util/bb-clang/src/display/mod.rs b/crates/bb-clang/src/display/mod.rs similarity index 71% rename from util/bb-clang/src/display/mod.rs rename to crates/bb-clang/src/display/mod.rs index f009280..1b5112c 100644 --- a/util/bb-clang/src/display/mod.rs +++ b/crates/bb-clang/src/display/mod.rs @@ -1,23 +1,31 @@ //! Display rendering for bb-clang types. //! //! Provides tree-style rendering with Unicode box-drawing characters -//! for structs, enums, and constants. +//! for structs, enums, constants, and functions. use colored::Colorize; use crate::location::SourceLocation; -mod const_; +mod constant; mod enum_; +mod function; mod struct_; -pub use const_::render_constants; +pub use bb_arch::display::register_name; +pub use constant::render_constants; pub use enum_::{render_enum, render_enum_constants}; +pub use function::{ + format_abi_param, format_arch, format_callconv, format_location, format_operand, + format_return_location, format_tags, render_function_detail, render_function_item, + render_function_list, +}; pub use struct_::render_struct; /// Render a type header line: styled name + optional type info + optional location. /// /// Anonymous names are dimmed; named types are cyan + bold. +#[must_use] pub fn render_type_header( name: &str, is_anonymous: bool, 
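Review bot: `render_function_item` and `render_function_detail` build the coloured `ret name(params)` header and the dimmed location suffix with identical `params_str`/`loc` blocks, duplication that tends to drift when one view changes colour or spacing; a pair of private helpers shared by both call sites removes it, and `.map(|p| format_param_sig(p))` becomes `.map(format_param_sig)` (clippy `redundant_closure`) on the way. The public `format_operand`, `format_location`, `format_return_location`, `format_callconv` and `format_arch` carry `#[must_use]` but no doc comment, unlike every other `pub fn` in this file; a one-liner each, e.g. `/// Format a memory operand in disassembler notation, e.g. `[RSP+0x28]`.`, would match the file's style. `format_arch` takes `Arch` by value while `format_callconv` takes `&CallConv` although `CallConv` derives `Copy` in function/abi.rs; taking both by value is the consistent choice.
```rust
/// Coloured C signature `ret name(params)`, shared by the list item and the
/// detail header; callers append tags and location as they need.
fn format_signature(f: &Function) -> String {
    let name = f.get_name().cyan().bold();
    let ret = f.get_return_type_name().green();
    let params_str = f
        .get_params()
        .iter()
        .map(format_param_sig)
        .collect::<Vec<_>>()
        .join(", ");
    format!("{ret} {name}({params_str})")
}

/// Dimmed location suffix, or an empty string when no location is known.
fn format_location_suffix(f: &Function) -> String {
    f.get_location()
        .map(|l| format!(" {l}").dimmed().to_string())
        .unwrap_or_default()
}

// … unchanged: format_abi_param …

#[must_use]
pub fn render_function_item(f: &Function, connector: &str) -> String {
    let tags = format_tags(f).join(", ");
    format!(
        "{} {} {}{}\n",
        connector.dimmed(),
        format_signature(f),
        tags.dimmed(),
        format_location_suffix(f),
    )
}

// … unchanged: render_function_list …

#[must_use]
pub fn render_function_detail(f: &Function) -> String {
    let mut out = String::new();
    // Header: C signature as the tree root.
    let _ = writeln!(out, "{}{}", format_signature(f), format_location_suffix(f));
    // … unchanged: tags line, stack-offset note, parameters, return value …
```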
diff --git a/util/bb-clang/src/display/struct_.rs b/crates/bb-clang/src/display/struct_.rs similarity index 98% rename from util/bb-clang/src/display/struct_.rs rename to crates/bb-clang/src/display/struct_.rs index 95c3853..f2a89dd 100644 --- a/util/bb-clang/src/display/struct_.rs +++ b/crates/bb-clang/src/display/struct_.rs @@ -5,7 +5,7 @@ use colored::Colorize; use std::collections::HashSet; use std::fmt::Write; -use crate::clang_ext::DeclarationKind; +use crate::ext::DeclarationKind; use crate::struct_::Field; use crate::struct_::Struct; @@ -15,6 +15,7 @@ use crate::struct_::Struct; /// When recursing into a nested type, we add its name to the set; after returning, /// we remove it. This prevents infinite recursion while allowing the same type /// to appear in different branches. +#[must_use] pub fn render_struct(s: &Struct, depth: usize, field_filter: Option<&str>) -> String { let mut out = super::render_type_header(s.get_name(), s.is_anonymous(), None, s.get_location()); diff --git a/util/bb-clang/src/enum_.rs b/crates/bb-clang/src/enum_.rs similarity index 99% rename from util/bb-clang/src/enum_.rs rename to crates/bb-clang/src/enum_.rs index 73c637f..493a52c 100644 --- a/util/bb-clang/src/enum_.rs +++ b/crates/bb-clang/src/enum_.rs @@ -3,10 +3,10 @@ use clang::{Entity, EntityKind, Type}; use serde::Serialize; -use crate::clang_ext::AnonymousType; use crate::constant::Constant; use crate::display; use crate::error::EnumError; +use crate::ext::AnonymousType; use crate::location::SourceLocation; /* ────────────────────────────────── Types ───────────────────────────────── */ diff --git a/util/bb-clang/src/error.rs b/crates/bb-clang/src/error.rs similarity index 92% rename from util/bb-clang/src/error.rs rename to crates/bb-clang/src/error.rs index eddc9ad..d7f8cf7 100644 --- a/util/bb-clang/src/error.rs +++ b/crates/bb-clang/src/error.rs 
@@ -53,7 +53,7 @@ pub enum ConstantError {
 pub enum FunctionError {
 #[error("Entity is not a function: {0:?}")]
 NotFunction(EntityKind),
- #[error("Entity does not have a nam")]
+ #[error("Entity does not have a name")]
 NoName,
 #[error("Entity does not have a type")]
 NoType,
@@ -61,6 +61,8 @@ pub enum FunctionError {
 NoReturnType,
 #[error("Entity type does not have a calling convention")]
 NoCallingConvention,
+ #[error("Unrecognized target architecture: {0}")]
+ UnknownArch(String),
 #[error("ParamError: {0}")]
 Param(#[from] ParamError),
 }
@@ -73,6 +75,8 @@ pub enum ParamError {
 NoSemanticParent,
 #[error("Entity does not have a type")]
 NoType,
+ #[error("Could not compute ABI location for parameter")]
+ NoAbiLocation,
 }
 
 #[derive(Debug, Error)]
diff --git a/util/bb-clang/src/clang_ext.rs b/crates/bb-clang/src/ext.rs
similarity index 100%
rename from util/bb-clang/src/clang_ext.rs
rename to crates/bb-clang/src/ext.rs
diff --git a/crates/bb-clang/src/function/abi.rs b/crates/bb-clang/src/function/abi.rs
new file mode 100644
index 0000000..1bb249b
--- /dev/null
+++ b/crates/bb-clang/src/function/abi.rs
@@ -0,0 +1,358 @@ +//! Function calling convention representation and ABI parameter assignment. + +use bb_arch::{ + Arch, MemoryOperand, ParamLocation, Register, ReturnLocation, + reg::{ + X64_FLOAT_PARAM_REGS, X64_INT_PARAM_REGS, X64Gpr, X64Xmm, X86_FASTCALL_PARAM_REGS, X86Gpr, + }, +}; +use clang::{Type, TypeKind}; +use serde::Serialize; + +use crate::error::FunctionError; + +/* ────────────────────────────────── Types ───────────────────────────────── */ + +/// A limited representation of [`clang::CallingConvention`] with further context, +/// and extensions that expose more information. +/// +/// On AMD64, ARM64, ARM32, you might be surprised to see that the sole calling +/// convention used on `WinSDK` and PHNT SDKs is [`CallConv::Cdecl`]. +/// +/// On x86, you wouldn't be surprised to see that the only calling conventions +/// used on `WinSDK` and PHNT SDKs are [`CallConv::Cdecl`], [`CallConv::Fastcall`] +/// and [`CallConv::Stdcall`]. +/// +/// Therefore, we will be focusing on those first and foremost. +#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize)] +pub enum CallConv { + /* ───────────────────────────────── Shared ───────────────────────────────── */ + /// - On x64, this will be the [Microsoft standard x64 calling convention](https://learn.microsoft.com/en-us/cpp/build/x64-calling-convention?view=msvc-170). + /// - For details on the ABI, [see here](https://learn.microsoft.com/en-us/cpp/build/x64-software-conventions?view=msvc-170). + /// - For details on how the stack is used, [see here](https://learn.microsoft.com/en-us/cpp/build/stack-usage?view=msvc-170). + /// - Strict 1:1 positional mapping: param at position N uses slot N. + /// - Integer/pointer args: `RCX`, `RDX`, `R8`, `R9` for positions 0–3. + /// - Float/double args: `XMM0`–`XMM3` for positions 0–3. + /// - Aggregates of size 1, 2, 4, or 8 bytes → treated as integers → GPR. + /// - Aggregates of other sizes → passed by pointer (indirect) → pointer in GPR slot. 
+ /// - Position >= 4 → stack at `[RSP + 0x28 + (position - 4) * 8]` + /// (callee-entry RSP, before prologue). + /// - 32-byte shadow space always reserved by caller for positions 0–3. + /// - Returns integer in `RAX`, float in `XMM0`. + /// + /// --- + /// + /// - On x86, the caller pushes the arguments to the stack, in reverse, so that they may be popped in order. + /// - The caller is responsible for cleaning up the stack. + /// - Returns integer in `EAX`. + /// + /// --- + /// + /// - On ARM32/ARM64: WIP + Cdecl, + + /* ───────────────────── x86 — may I never see you again ──────────────────── */ + /// - On x86: + /// - First two arguments that fit in a DWORD (left-to-right) are passed in `ECX` and `EDX` respectively. + /// - Arguments larger than DWORD skip register assignment. + /// - The remainder arguments (right-to-left) are pushed on the stack. + /// - Callee is responsible for cleaning up the stack. + /// - Returns integer in `EAX`. + Fastcall, + + /// - On x86: same as cdecl, BUT: + /// - Callee is responsible with cleaning up the stack. + /// - `ECX`, `EDX` are reserved. + /// - Returns integer in `EAX`. + Stdcall, +} + +/* ─────────────────────────────── Conversions ────────────────────────────── */ + +impl<'a> TryFrom<&Type<'a>> for CallConv { + type Error = FunctionError; + + fn try_from(type_: &Type<'a>) -> Result { + let cc = type_ + .get_calling_convention() + .ok_or(FunctionError::NoCallingConvention)?; + match cc { + clang::CallingConvention::Cdecl => Ok(Self::Cdecl), + clang::CallingConvention::Stdcall => Ok(Self::Stdcall), + clang::CallingConvention::Fastcall => Ok(Self::Fastcall), + _ => Err(FunctionError::NoCallingConvention), + } + } +} + +/* ──────────────────────── Parameter assignment ─────────────────────────── */ + +impl CallConv { + /// Assign ABI locations to each parameter based on architecture and + /// calling convention rules. 
+ #[must_use] + pub fn assign_params(&self, arch: Arch, param_types: &[Type<'_>]) -> Vec { + match (arch, self) { + (Arch::Amd64, Self::Cdecl) => assign_x64_microsoft(param_types), + (Arch::X86, Self::Cdecl) => assign_x86_cdecl(param_types), + (Arch::X86, Self::Fastcall) => assign_x86_fastcall(param_types), + (Arch::X86, Self::Stdcall) => assign_x86_stdcall(param_types), + (Arch::Arm64, Self::Cdecl) => todo!("ARM64 AAPCS parameter assignment"), + (Arch::Arm, Self::Cdecl) => todo!("ARM32 AAPCS parameter assignment"), + _ => unreachable!(), + } + } + + /// Determine where the return value is placed based on architecture and + /// calling convention. + #[must_use] + pub fn return_location(&self, arch: Arch, return_type: &Type<'_>) -> ReturnLocation { + if return_type.get_kind() == TypeKind::Void { + return ReturnLocation::Void; + } + + match arch { + Arch::Amd64 => return_location_x64(return_type), + Arch::X86 => ReturnLocation::Register(Register::X86Gpr(X86Gpr::Eax)), + Arch::Arm64 | Arch::Arm => todo!("ARM return location"), + } + } +} + +/* ─────────────────────── Type classification helpers ────────────────────── */ + +/// Returns `true` if the type is a floating-point scalar (float or double). +fn is_float(ty: &Type<'_>) -> bool { + let kind = ty.get_canonical_type().get_kind(); + matches!(kind, TypeKind::Float | TypeKind::Double) +} + +/// Returns `true` if the type is a "simple" type that fits in a register +/// at the given pointer size — i.e., integer, pointer, enum, or bool. +fn is_register_int(ty: &Type<'_>, pointer_size: usize) -> bool { + let canonical = ty.get_canonical_type(); + let kind = canonical.get_kind(); + + // Pointers, references, and bool are always register-sized. + if matches!( + kind, + TypeKind::Pointer + | TypeKind::BlockPointer + | TypeKind::LValueReference + | TypeKind::RValueReference + | TypeKind::Bool + | TypeKind::Enum + ) { + return true; + } + + // Integer scalars. 
+ if matches!( + kind, + TypeKind::CharS + | TypeKind::CharU + | TypeKind::SChar + | TypeKind::UChar + | TypeKind::Short + | TypeKind::UShort + | TypeKind::Int + | TypeKind::UInt + | TypeKind::Long + | TypeKind::ULong + | TypeKind::LongLong + | TypeKind::ULongLong + ) { + return canonical.get_sizeof().is_ok_and(|s| s <= pointer_size); + } + + false +} + +/// For x64: returns the size of a type, classifying aggregates. +/// Aggregates of 1, 2, 4, or 8 bytes are passed as integers. +/// Other sizes are passed by pointer (indirect). +fn x64_param_class(ty: &Type<'_>) -> X64ParamClass { + if is_float(ty) { + return X64ParamClass::Float; + } + + if is_register_int(ty, 8) { + return X64ParamClass::Integer; + } + + // Aggregate / struct / union / __m64 + let canonical = ty.get_canonical_type(); + match canonical.get_sizeof() { + Ok(1 | 2 | 4 | 8) => X64ParamClass::Aggregate, + Ok(size) => X64ParamClass::IndirectAggregate(size), + // If we can't determine size, treat as indirect (safe default). + Err(_) => X64ParamClass::IndirectAggregate(0), + } +} + +enum X64ParamClass { + /// Passed in a GPR (or on stack as 8-byte slot). + Integer, + /// Passed in an XMM register (or on stack as 8-byte slot). + Float, + /// Small aggregate (1/2/4/8 bytes) — treated like integer. + Aggregate, + /// Large aggregate — passed by pointer (indirect). + IndirectAggregate(usize), +} + +/* ─────────────────── Microsoft x64 calling convention ──────────────────── */ + +fn assign_x64_microsoft(param_types: &[Type<'_>]) -> Vec { + // Stack offsets are relative to RSP at callee entry (after CALL pushed + // the return address, before any prologue instructions execute). 
+ // + // [RSP+0x00] = return address + // [RSP+0x08] = shadow space for RCX (param 0 home) + // [RSP+0x10] = shadow space for RDX (param 1 home) + // [RSP+0x18] = shadow space for R8 (param 2 home) + // [RSP+0x20] = shadow space for R9 (param 3 home) + // [RSP+0x28] = 5th param (position 4) + // [RSP+0x30] = 6th param (position 5) + // ... + // + // NOTE: MSVC x64 does NOT reliably set up an RBP frame pointer, so + // RSP-at-entry is the only prologue-independent reference. + // To get the post-prologue RSP offset, add the prologue's total + // stack adjustment (pushes + sub rsp, N). + let rsp = Register::X64Gpr(X64Gpr::Rsp); + + param_types + .iter() + .enumerate() + .map(|(i, ty)| { + let class = x64_param_class(ty); + + if i < 4 { + // Positions 0–3: register assignment. + match class { + X64ParamClass::Float => ParamLocation::Direct { + locations: vec![MemoryOperand::Reg(Register::X64Xmm( + X64_FLOAT_PARAM_REGS[i], + ))], + size: ty.get_sizeof().unwrap_or(8), + }, + X64ParamClass::Integer | X64ParamClass::Aggregate => ParamLocation::Direct { + locations: vec![MemoryOperand::Reg(Register::X64Gpr( + X64_INT_PARAM_REGS[i], + ))], + size: ty.get_sizeof().unwrap_or(8), + }, + X64ParamClass::IndirectAggregate(size) => ParamLocation::Indirect { + pointer: MemoryOperand::Reg(Register::X64Gpr(X64_INT_PARAM_REGS[i])), + size, + }, + } + } else { + // Position >= 4: on the stack. 
+ // 0x08 (return addr) + 0x20 (shadow) + (position - 4) * 8 + let offset = 0x28i64 + ((i as i64) - 4) * 8; + match class { + X64ParamClass::IndirectAggregate(size) => ParamLocation::Indirect { + pointer: MemoryOperand::RegImm { base: rsp, offset }, + size, + }, + _ => ParamLocation::Direct { + locations: vec![MemoryOperand::RegImm { base: rsp, offset }], + size: ty.get_sizeof().unwrap_or(8), + }, + } + } + }) + .collect() +} + +/* ─────────────────────────── x86 cdecl ─────────────────────────────────── */ + +fn assign_x86_cdecl(param_types: &[Type<'_>]) -> Vec { + // Stack offsets are relative to ESP at callee entry (after CALL pushed + // the return address, before any prologue instructions execute). + // + // [ESP+0x00] = return address + // [ESP+0x04] = 1st param + // [ESP+0x04+sizeof(1st)] = 2nd param + // ... + let esp = Register::X86Gpr(X86Gpr::Esp); + + let mut offset: i64 = 0x04; + param_types + .iter() + .map(|ty| { + let size = ty.get_sizeof().unwrap_or(4); + let loc = ParamLocation::Direct { + locations: vec![MemoryOperand::RegImm { base: esp, offset }], + size, + }; + // Align each slot to 4-byte boundary (x86 stack alignment). + offset += size.next_multiple_of(4) as i64; + loc + }) + .collect() +} + +/* ─────────────────────────── x86 stdcall ───────────────────────────────── */ + +fn assign_x86_stdcall(param_types: &[Type<'_>]) -> Vec { + // Same layout as cdecl — only difference is cleanup responsibility. + assign_x86_cdecl(param_types) +} + +/* ─────────────────────────── x86 fastcall ──────────────────────────────── */ + +fn assign_x86_fastcall(param_types: &[Type<'_>]) -> Vec { + // Stack offsets are relative to ESP at callee entry (see assign_x86_cdecl). 
+ let esp = Register::X86Gpr(X86Gpr::Esp); + + let mut reg_index: usize = 0; // next available fastcall register + let mut stack_offset: i64 = 0x04; // [ESP+0x04] = first stack param + + param_types + .iter() + .map(|ty| { + let size = ty.get_sizeof().unwrap_or(4); + + // Fastcall: first two DWORD-or-smaller args go in ECX, EDX. + if reg_index < 2 && size <= 4 { + let reg = X86_FASTCALL_PARAM_REGS[reg_index]; + reg_index += 1; + ParamLocation::Direct { + locations: vec![MemoryOperand::Reg(Register::X86Gpr(reg))], + size, + } + } else { + let loc = ParamLocation::Direct { + locations: vec![MemoryOperand::RegImm { + base: esp, + offset: stack_offset, + }], + size, + }; + // Align each slot to 4-byte boundary (x86 stack alignment). + stack_offset += size.next_multiple_of(4) as i64; + loc + } + }) + .collect() +} + +/* ─────────────────────── x64 return location ───────────────────────────── */ + +fn return_location_x64(return_type: &Type<'_>) -> ReturnLocation { + if is_float(return_type) { + return ReturnLocation::Register(Register::X64Xmm(X64Xmm::Xmm0)); + } + + let canonical = return_type.get_canonical_type(); + + // Scalars and small POD aggregates (1/2/4/8 bytes) → RAX. + match canonical.get_sizeof() { + Ok(1..=8) => ReturnLocation::Register(Register::X64Gpr(X64Gpr::Rax)), + // Larger types: caller passes hidden pointer, callee writes there. + _ => ReturnLocation::Indirect, + } +} diff --git a/util/bb-clang/src/function/mod.rs b/crates/bb-clang/src/function/mod.rs similarity index 65% rename from util/bb-clang/src/function/mod.rs rename to crates/bb-clang/src/function/mod.rs index b154213..9081d5b 100644 --- a/util/bb-clang/src/function/mod.rs +++ b/crates/bb-clang/src/function/mod.rs 
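Review bot: `assign_params` and `return_location` hit `todo!()` for `Arch::Arm64`/`Arch::Arm` and `unreachable!()` for the remaining (arch, callconv) pairs, yet both are reached from fallible constructors — `Function::try_from` in function/mod.rs and `compute_abi_location` in function/param.rs — so a translation unit whose triple maps to an ARM arch (which `Arch::from_triple` evidently accepts, since those variants exist) aborts the whole run instead of surfacing `FunctionError::UnknownArch` / `ParamError::NoAbiLocation`; returning `Option` from both and letting the callers write `.ok_or_else(|| FunctionError::UnknownArch(target.triple.clone()))?` and `.ok_or(ParamError::NoAbiLocation)?` keeps an unsupported target an ordinary error. The `(Arch::Amd64, _)` arm below replaces `unreachable!()` on the assumption that clang reports cdecl for ignored `__stdcall`/`__fastcall` on 64-bit targets, which the current code also relies on but never states. The x86 fastcall register test `reg_index < 2 && size <= 4` admits a 4-byte `float`, which MSVC passes on the stack; `reg_index < 2 && is_register_int(ty, 4)` uses the helper already in this file and matches the doc comment's DWORD-integer intent (small aggregates are a further wrinkle under MSVC fastcall, from memory of clang's X86_32ABIInfo, and deserve a TODO rather than a guess). `X64ParamClass::IndirectAggregate(0)` for an unsized type later prints as `[0]` in `format_abi_param`; a comment at that arm saying the size is unknown rather than zero would stop a reader trusting it.
```rust
    /// Assign ABI locations to each parameter based on architecture and
    /// calling convention rules.
    ///
    /// Returns `None` for (arch, callconv) pairs that are not implemented,
    /// so callers surface an error instead of panicking mid-parse.
    #[must_use]
    pub fn assign_params(&self, arch: Arch, param_types: &[Type<'_>]) -> Option<Vec<ParamLocation>> {
        match (arch, self) {
            (Arch::Amd64, Self::Cdecl) => Some(assign_x64_microsoft(param_types)),
            (Arch::X86, Self::Cdecl) => Some(assign_x86_cdecl(param_types)),
            (Arch::X86, Self::Fastcall) => Some(assign_x86_fastcall(param_types)),
            (Arch::X86, Self::Stdcall) => Some(assign_x86_stdcall(param_types)),
            // ARM64/ARM32 AAPCS are not implemented yet; non-cdecl conventions
            // on 64-bit targets are not expected from clang and are reported
            // the same way rather than asserted unreachable.
            (Arch::Arm64 | Arch::Arm, _) | (Arch::Amd64, _) => None,
        }
    }

    /// Determine where the return value is placed, or `None` when the
    /// architecture is not supported yet.
    #[must_use]
    pub fn return_location(&self, arch: Arch, return_type: &Type<'_>) -> Option<ReturnLocation> {
        if return_type.get_kind() == TypeKind::Void {
            return Some(ReturnLocation::Void);
        }
        match arch {
            Arch::Amd64 => Some(return_location_x64(return_type)),
            Arch::X86 => Some(ReturnLocation::Register(Register::X86Gpr(X86Gpr::Eax))),
            Arch::Arm64 | Arch::Arm => None,
        }
    }

// … unchanged: type classification helpers, x64 assignment, x86 cdecl/stdcall …

            // Fastcall: first two integer/pointer args that fit in a DWORD go in
            // ECX, EDX; floats never do (they are passed on the stack).
            if reg_index < 2 && is_register_int(ty, 4) {
// … unchanged: rest of assign_x86_fastcall, return_location_x64 …
```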
@@ -1,11 +1,16 @@ -//! Function declaration representation. +//! Function declaration representation with ABI-aware parameter locations. +//! +//! Automatically detects the target architecture from the translation unit +//! and assigns each parameter its ABI location (register or stack offset) +//! based on the calling convention. -mod callconv; +mod abi; mod param; +pub use abi::CallConv; pub use param::Param; -use callconv::CallConv; +use bb_arch::{Arch, ReturnLocation}; use clang::{Entity, EntityKind, Type}; use serde::Serialize; @@ -25,7 +30,9 @@ pub struct Function<'a> { #[serde(rename = "return_type")] return_type_name: String, is_dllimport: bool, + arch: Arch, calling_convention: CallConv, + return_location: ReturnLocation, params: Vec>, has_body: bool, location: Option, @@ -41,11 +48,11 @@ impl<'a> Function<'a> { &self.name } #[must_use] - pub fn get_type(&self) -> &Type<'a> { + pub const fn get_type(&self) -> &Type<'a> { &self.type_ } #[must_use] - pub fn get_return_type(&self) -> &Type<'a> { + pub const fn get_return_type(&self) -> &Type<'a> { &self.return_type } #[must_use] 
@@ -53,24 +60,39 @@ impl<'a> Function<'a> { &self.return_type_name } #[must_use] - pub fn is_dllimport(&self) -> bool { + pub const fn is_dllimport(&self) -> bool { self.is_dllimport } - pub fn get_calling_convention(&self) -> &CallConv { + #[must_use] + pub const fn get_arch(&self) -> Arch { + self.arch + } + #[must_use] + pub const fn get_calling_convention(&self) -> &CallConv { &self.calling_convention } #[must_use] + pub const fn get_return_location(&self) -> &ReturnLocation { + &self.return_location + } + #[must_use] pub fn get_params(&self) -> &[Param<'a>] { &self.params } #[must_use] - pub fn has_body(&self) -> bool { + pub const fn has_body(&self) -> bool { self.has_body } #[must_use] pub const fn get_location(&self) -> Option<&SourceLocation> { self.location.as_ref() } + + /// Render a detailed ABI breakdown. + #[must_use] + pub fn display_detail(&self) -> String { + crate::display::render_function_detail(self) + } } /* ─────────────────────────────── Conversions ────────────────────────────── */ @@ -84,18 +106,19 @@ impl<'a> TryFrom> for Function<'a> { return Err(FunctionError::NotFunction(kind)); } - let mut return_type: Option> = None; - let mut params: Vec> = Vec::new(); + // Detect architecture from the translation unit's target triple. + let target = entity.get_translation_unit().get_target(); + let arch = + Arch::from_triple(&target.triple).map_err(|e| FunctionError::UnknownArch(e.0))?; + let mut is_dllimport: bool = false; let mut has_body: bool = false; + let mut params: Vec> = Vec::new(); for entry in entity.get_children() { match entry.get_kind() { EntityKind::DllImport => is_dllimport = true, EntityKind::CompoundStmt => has_body = true, - EntityKind::TypeRef if return_type.is_none() => { - return_type = entry.get_type(); - } EntityKind::ParmDecl => { params.push(Param::try_from(entry)?); } 
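Review bot: Architecture detection and calling-convention derivation now run once here and again for every parameter in `compute_abi_location` (function/param.rs), which additionally re-runs `assign_params` over all sibling `ParmDecl`s per `Param`, so one function's ABI layout is recomputed once per parameter with a different error mapping (`UnknownArch(triple)` here, a bare `NoAbiLocation` there). Since this constructor already has `arch` and derives `calling_convention` a few lines below the loop, computing `assign_params` once and handing each `Param` its location (a `Param::with_abi_location`-style constructor, or a setter applied after `calling_convention` is known) would remove the duplication and keep a single error path. `params` is built inside the loop before `calling_convention` exists, so that reorder is part of the change. The `TryFrom` body continues past the end of this hunk.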
@@ -105,15 +128,14 @@ impl<'a> TryFrom> for Function<'a> { let name = entity.get_name().ok_or(FunctionError::NoName)?; let type_ = entity.get_type().ok_or(FunctionError::NoType)?; - let return_type = return_type.ok_or(FunctionError::NoReturnType)?; + let return_type = type_.get_result_type().ok_or(FunctionError::NoReturnType)?; let return_type_name = return_type.get_display_name(); - let calling_convention = CallConv::from( - type_ - .get_calling_convention() - .ok_or(FunctionError::NoCallingConvention)?, - ); + let calling_convention = CallConv::try_from(&type_)?; let location = SourceLocation::from_entity(&entity); + // Compute return location. + let return_location = calling_convention.return_location(arch, &return_type); + Ok(Self { entity, name, @@ -121,7 +143,9 @@ impl<'a> TryFrom> for Function<'a> { return_type, return_type_name, is_dllimport, + arch, calling_convention, + return_location, params, has_body, location, diff --git a/crates/bb-clang/src/function/param.rs b/crates/bb-clang/src/function/param.rs new file mode 100644 index 0000000..f12bc83 --- /dev/null +++ b/crates/bb-clang/src/function/param.rs 
@@ -0,0 +1,177 @@ +//! Parameter declaration representation. +//! +//! Each parameter embeds a [`TypeInfo`](crate::TypeInfo) for shared type +//! classification (pointer, array, const, underlying type). + +use bb_arch::location::MemoryOperand; +use bb_arch::{Arch, ParamLocation}; +use clang::{Entity, EntityKind, Type}; +use serde::Serialize; + +use super::abi::CallConv; +use crate::type_info::TypeInfo; +use crate::{SourceLocation, error::ParamError}; + +/* ────────────────────────────────── Types ───────────────────────────────── */ + +#[derive(Debug, Serialize)] +pub struct Param<'a> { + #[serde(skip)] + entity: Entity<'a>, + #[serde(skip)] + #[allow(unused)] + semantic_parent: Entity<'a>, + name: Option, + #[serde(rename = "type")] + type_name: String, + #[serde(flatten)] + type_info: TypeInfo<'a>, + location: Option, + abi_location: ParamLocation, +} + +impl<'a> Param<'a> { + #[must_use] + pub const fn get_entity(&self) -> &Entity<'a> { + &self.entity + } + #[allow(unused)] + #[must_use] + pub const fn get_semantic_parent(&self) -> &Entity<'a> { + &self.semantic_parent + } + #[must_use] + pub fn get_name(&self) -> Option<&str> { + self.name.as_deref() + } + #[must_use] + pub fn get_type(&self) -> &Type<'a> { + self.type_info.get_type() + } + #[must_use] + pub fn get_type_name(&self) -> &str { + &self.type_name + } + #[must_use] + pub fn get_canonical_type(&self) -> Type<'a> { + self.type_info.get_canonical_type() + } + #[must_use] + pub const fn get_type_info(&self) -> &TypeInfo<'a> { + &self.type_info + } + #[must_use] + pub const fn get_location(&self) -> Option<&SourceLocation> { + self.location.as_ref() + } + #[must_use] + pub const fn get_abi_location(&self) -> &ParamLocation { + &self.abi_location + } + + /// Returns `true` if this parameter is passed on the stack. + #[must_use] + pub fn is_stack(&self) -> bool { + matches!( + &self.abi_location, + ParamLocation::Direct { locations, .. 
} + if locations.first().is_some_and(|l| matches!(l, MemoryOperand::RegImm { .. })) + ) + } + + /// Returns the size of this parameter in bytes. + #[must_use] + pub const fn size(&self) -> usize { + match &self.abi_location { + ParamLocation::Direct { size, .. } | ParamLocation::Indirect { size, .. } => *size, + } + } + + /// Returns the underlying type of this parameter, resolving pointers and arrays. + #[must_use] + pub fn get_underlying_type(&self) -> Type<'a> { + self.type_info.get_underlying_type() + } +} + +/* ─────────────────────────────── Conversions ────────────────────────────── */ + +impl<'a> TryFrom> for Param<'a> { + type Error = ParamError; + + fn try_from(entity: Entity<'a>) -> Result { + let kind = entity.get_kind(); + if !matches!(kind, EntityKind::ParmDecl) { + return Err(ParamError::NotParam(kind)); + } + + let semantic_parent = entity + .get_semantic_parent() + .ok_or(ParamError::NoSemanticParent)?; + let name = entity.get_name(); + let type_ = entity.get_type().ok_or(ParamError::NoType)?; + let type_name = type_.get_display_name(); + let location = SourceLocation::from_entity(&entity); + + let mut type_info = TypeInfo::from(type_); + type_info.suppress_underlying_if_matches(Some(&type_name)); + + // Compute ABI location from context: arch from TU, calling convention + // and positional index from the parent function declaration. + let abi_location = compute_abi_location(&entity, &semantic_parent)?; + + Ok(Self { + entity, + semantic_parent, + name, + type_name, + type_info, + location, + abi_location, + }) + } +} + +/* ──────────────────────── ABI location from context ────────────────────── */ + +/// Derive the ABI location for a `ParmDecl` by inspecting its parent +/// function's type (for calling convention and sibling param types) +/// and the translation unit's target (for architecture). +fn compute_abi_location( + entity: &Entity<'_>, + parent: &Entity<'_>, +) -> Result { + // Architecture from the translation unit. 
+ let target = entity.get_translation_unit().get_target(); + let arch = Arch::from_triple(&target.triple).map_err(|_| ParamError::NoAbiLocation)?; + + // Calling convention from the parent function's type. + let parent_type = parent.get_type().ok_or(ParamError::NoAbiLocation)?; + let callconv = CallConv::try_from(&parent_type).map_err(|_| ParamError::NoAbiLocation)?; + + // Collect all sibling ParmDecl types to determine positional assignment, + // and find our own index among them. + let siblings: Vec> = parent + .get_children() + .into_iter() + .filter(|e| matches!(e.get_kind(), EntityKind::ParmDecl)) + .collect(); + + let sibling_types: Vec> = siblings + .iter() + .filter_map(clang::Entity::get_type) + .collect(); + + let all_locations = callconv.assign_params(arch, &sibling_types); + + // Find our index among the siblings. + let index = siblings + .iter() + .position(|e| e == entity) + .ok_or(ParamError::NoAbiLocation)?; + + all_locations + .into_iter() + .nth(index) + .ok_or(ParamError::NoAbiLocation) +} diff --git a/util/bb-clang/src/json.rs b/crates/bb-clang/src/json.rs similarity index 92% rename from util/bb-clang/src/json.rs rename to crates/bb-clang/src/json.rs index 65517b7..ece181d 100644 --- a/util/bb-clang/src/json.rs +++ b/crates/bb-clang/src/json.rs @@ -6,6 +6,7 @@ use serde_json::Value; use crate::constant::Constant; use crate::enum_::Enum; +use crate::function::{Function, Param}; use crate::struct_::Field; use crate::struct_::Struct; @@ -60,6 +61,18 @@ impl ToJson for Field<'_> { } } +impl ToJson for Function<'_> { + fn to_json(&self) -> Value { + serde_json::to_value(self).unwrap() + } +} + +impl ToJson for Param<'_> { + fn to_json(&self) -> Value { + serde_json::to_value(self).unwrap() + } +} + impl ToJson for Struct<'_> { /// Serializes the struct with `referenced_types` as a list of type names. fn to_json(&self) -> Value { 
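Review bot: In `compute_abi_location` the parameter's index is taken from `siblings` while the locations are computed from `sibling_types`, which `filter_map(clang::Entity::get_type)` may shorten; if any earlier sibling yields no type, every later parameter silently receives the location of the wrong position instead of an error. Building the type list fallibly keeps the two aligned: `let sibling_types = siblings.iter().map(|e| e.get_type().ok_or(ParamError::NoAbiLocation)).collect::<Result<Vec<_>, _>>()?;`. The doc comment on `compute_abi_location` could also state that it assumes `parent.get_children()` returns `ParmDecl`s in declaration order, which the positional assignment depends on.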
@@ -163,6 +176,30 @@ impl ToJson for [&Field<'_>] { } } +impl ToJson for [Function<'_>] { + fn to_json(&self) -> Value { + slice_to_json(self) + } +} + +impl ToJson for [&Function<'_>] { + fn to_json(&self) -> Value { + slice_to_json(self) + } +} + +impl ToJson for [Param<'_>] { + fn to_json(&self) -> Value { + slice_to_json(self) + } +} + +impl ToJson for [&Param<'_>] { + fn to_json(&self) -> Value { + slice_to_json(self) + } +} + impl ToJson for [&Struct<'_>] { fn to_json(&self) -> Value { slice_to_json(self)
diff --git a/crates/bb-clang/src/lib.rs b/crates/bb-clang/src/lib.rs
new file mode 100644
index 0000000..55c9f26
--- /dev/null
+++ b/crates/bb-clang/src/lib.rs
@@ -0,0 +1,37 @@
+//! Clang parsing utilities for bb.
+//!
+//! This crate provides abstractions for parsing C/C++ types, constants,
+//! and functions from headers using libclang, with tree-style display
+//! rendering and ABI-aware parameter location analysis.
+//!
+//! [`TypeInfo`] is the shared type metadata struct embedded in both
+//! [`Field`] and [`Param`], providing pointer/array/const classification
+//! and underlying type resolution.
+
+mod constant;
+pub mod display;
+mod enum_;
+mod error;
+mod ext;
+mod function;
+mod json;
+pub(crate) mod location;
+mod struct_;
+mod type_info;
+
+pub use constant::{
+ ConstLookup, ConstValue, Constant, MacroBodyToken, StripOuterParens, TuEntityMap,
+ build_tu_entity_map,
+};
+pub use display::render_constants;
+pub use enum_::Enum;
+pub use error::{ConstantError, EnumError, FieldError, FunctionError, StructError};
+pub use function::{CallConv, Function, Param};
+pub use json::{ToJson, build_referred_components, collect_component_constants};
+pub use location::{SourceLocation, entity_in_header};
+pub use struct_::Field;
+pub use struct_::Struct;
+pub use type_info::TypeInfo;
+
+// Re-export commonly used clang types for convenience
+pub use clang::{Entity, EntityKind, Index, TranslationUnit, Unsaved};
diff --git a/util/bb-clang/src/location.rs b/crates/bb-clang/src/location.rs similarity index 62% rename from util/bb-clang/src/location.rs rename to crates/bb-clang/src/location.rs index 05bfa13..df777e4 100644 --- a/util/bb-clang/src/location.rs +++ b/crates/bb-clang/src/location.rs @@ -44,6 +44,38 @@ impl SourceLocation { pub fn path(&self) -> Option<&Path> { self.full_path.as_deref() } + + /// Check if this location's file matches a header filter string. + /// + /// Compares the lowercased full path with `ends_with`. + #[must_use] + pub fn matches_header(&self, filter: &str) -> bool { + let filter = filter.to_lowercase(); + self.full_path + .as_ref() + .is_some_and(|p| p.to_string_lossy().to_lowercase().ends_with(&filter)) + } +} + +/* ──────────────────────────── Entity helpers ────────────────────────────── */ + +/// Check if an entity's source file matches a header filter string. +/// +/// Extracts the entity's file location and compares the lowercased full +/// path with `ends_with`. Used by all CLI filter structs as a pre-parse +/// filter (before constructing `SourceLocation`). +#[must_use] +pub fn entity_in_header(entity: &Entity, filter: &str) -> bool { + let filter = filter.to_lowercase(); + entity + .get_location() + .and_then(|loc| loc.get_file_location().file) + .is_some_and(|f| { + f.get_path() + .to_string_lossy() + .to_lowercase() + .ends_with(&filter) + }) } /* ──────────────────────────────── Displays ──────────────────────────────── */ diff --git a/util/bb-clang/src/struct_/field.rs b/crates/bb-clang/src/struct_/field.rs similarity index 88% rename from util/bb-clang/src/struct_/field.rs rename to crates/bb-clang/src/struct_/field.rs index 5132ba6..43f3667 100644 --- a/util/bb-clang/src/struct_/field.rs +++ b/crates/bb-clang/src/struct_/field.rs 
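Review bot: `matches_header` and `entity_in_header` both match with a bare `ends_with` on the lowercased path, with no separator boundary, so a filter of `nt.h` also matches `winnt.h` and `phnt.h`; if the intent is a file-name or path-suffix match, require the character before the matched suffix to be a path separator (or compare against `Path::file_name` when the filter contains no separator). The lowercase-and-`ends_with` logic is now duplicated in the two functions, so a shared `fn path_has_suffix(path: &Path, filter: &str) -> bool` called by both would keep them from drifting apart. On Windows the compared path presumably contains backslashes, so a filter written as `um/winnt.h` would not match; the doc comment should state the contract, e.g. `/// The filter is matched as a raw, case-insensitive suffix of the full path; write it with the platform's separator.` The enclosing `impl SourceLocation` block starts outside the hunk.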
@@ -1,8 +1,12 @@ //! Field type representation. +//! +//! Each field embeds a [`TypeInfo`](crate::TypeInfo) for shared type +//! classification (pointer, array, const, underlying type). -use crate::clang_ext::{AnonymousType, HasChildrenType, UnderlyingType}; use crate::error::FieldError; +use crate::ext::{AnonymousType, HasChildrenType}; use crate::location::SourceLocation; +use crate::type_info::TypeInfo; use clang::{Entity, EntityKind, Type}; use serde::Serialize; @@ -18,10 +22,10 @@ pub struct Field<'a> { #[allow(unused)] semantic_parent: Entity<'a>, name: String, - #[serde(skip)] - type_: Type<'a>, #[serde(rename = "type")] type_name: Option, + #[serde(flatten)] + type_info: TypeInfo<'a>, location: Option, #[serde(rename = "offset_bits")] offset: usize, @@ -46,8 +50,8 @@ impl<'a> Field<'a> { &self.name } #[must_use] - pub const fn get_type(&self) -> &Type<'a> { - &self.type_ + pub fn get_type(&self) -> &Type<'a> { + self.type_info.get_type() } #[must_use] pub fn get_type_name(&self) -> Option<&str> { @@ -55,7 +59,11 @@ impl<'a> Field<'a> { } #[must_use] pub fn get_canonical_type(&self) -> Type<'a> { - self.type_.get_canonical_type() + self.type_info.get_canonical_type() + } + #[must_use] + pub const fn get_type_info(&self) -> &TypeInfo<'a> { + &self.type_info } #[must_use] pub const fn get_location(&self) -> Option<&SourceLocation> { @@ -84,7 +92,7 @@ impl<'a> Field<'a> { /// For array types, this returns the element type. Otherwise returns the canonical type. #[must_use] pub fn get_underlying_type(&self) -> Type<'a> { - self.get_type().get_underlying_type() + self.type_info.get_underlying_type() } /// Returns true if this field's underlying type has child fields that can be expanded. 
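Review bot: In the `@@ -46,8 +50,8 @@` hunk `get_type` loses its `const` qualifier although its new body only calls `TypeInfo::get_type`, which this same commit declares as `pub const fn`; `pub const fn get_type(&self) -> &Type<'a> { self.type_info.get_type() }` keeps the accessor usable in const contexts and avoids an API regression for any caller that relied on it. The sibling accessor `get_type_info` added in the next hunk is `const`, so making `get_type` `const` as well keeps the accessors uniform. The enclosing `impl<'a> Field<'a>` block starts and ends outside the hunk.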
@@ -145,6 +153,9 @@ impl<'a> TryFrom<(Entity<'a>, &Entity<'a>)> for Field<'a> { let anonymous_type = type_.is_anonymous().unwrap_or(false); let type_name = (!anonymous_type).then(|| type_.get_display_name()); + let mut type_info = TypeInfo::from(type_); + type_info.suppress_underlying_if_matches(type_name.as_deref()); + let parent_type = parent.get_type().ok_or(FieldError::NoType)?; let offset = parent_type .get_offsetof(&name) @@ -157,8 +168,8 @@ impl<'a> TryFrom<(Entity<'a>, &Entity<'a>)> for Field<'a> { entity, semantic_parent, name, - type_, type_name, + type_info, location, offset, offset_bytes: offset / 8, diff --git a/util/bb-clang/src/struct_/mod.rs b/crates/bb-clang/src/struct_/mod.rs similarity index 99% rename from util/bb-clang/src/struct_/mod.rs rename to crates/bb-clang/src/struct_/mod.rs index 0be4d36..f89c8b7 100644 --- a/util/bb-clang/src/struct_/mod.rs +++ b/crates/bb-clang/src/struct_/mod.rs @@ -5,9 +5,9 @@ mod field; pub use field::Field; use field::collect_fields; -use crate::clang_ext::{AnonymousType, DeclarationKind}; use crate::display; use crate::error::StructError; +use crate::ext::{AnonymousType, DeclarationKind}; use crate::location::SourceLocation; use clang::{Entity, EntityKind}; use serde::Serialize; diff --git a/crates/bb-clang/src/type_info.rs b/crates/bb-clang/src/type_info.rs new file mode 100644 index 0000000..2fcf8af --- /dev/null +++ b/crates/bb-clang/src/type_info.rs 
@@ -0,0 +1,140 @@
+//! Shared type metadata extracted from a [`clang::Type`].
+//!
+//! [`TypeInfo`] is the single source of truth for type classification
+//! (pointer, array, const, underlying type) used by both [`Field`](crate::Field)
+//! and [`Param`](crate::Param).
+
+use clang::{Type, TypeKind};
+use serde::Serialize;
+
+use crate::ext::UnderlyingType;
+
+/* ────────────────────────────────── Type ───────────────────────────────── */
+
+/// Extracted type metadata from a [`clang::Type`].
+///
+/// Holds both the raw clang type (for further introspection) and the
+/// serializable properties that describe the type's nature.
+#[derive(Debug, Serialize)]
+#[allow(clippy::struct_excessive_bools)] // Each bool represents a distinct type property.
+pub struct TypeInfo<'a> {
+ /// The raw clang type. Available for further introspection but
+ /// skipped during serialization.
+ #[serde(skip)]
+ type_: Type<'a>,
+ /// The resolved underlying type name after stripping pointers and arrays.
+ /// Only present when it differs from the display name.
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub underlying_type: Option,
+ pub is_const: bool,
+ pub is_volatile: bool,
+ pub is_restrict: bool,
+ pub is_pointer: bool,
+ /// How many levels of pointer indirection (e.g. `PVOID**` = 2, `HANDLE` = 1 if ptr typedef, plain `DWORD` = 0).
+ #[serde(skip_serializing_if = "is_zero")]
+ pub pointer_depth: usize,
+ pub is_function_pointer: bool,
+ pub is_array: bool,
+ /// The number of elements in a fixed-size array, if applicable.
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub array_size: Option,
+}
+
+impl<'a> From> for TypeInfo<'a> {
+ /// Extract type metadata from a clang type.
+ ///
+ /// The `underlying_type` field is always populated when a declaration
+ /// name is available. Use [`suppress_underlying_if_matches`](Self::suppress_underlying_if_matches)
+ /// to clear it when it matches the display name.
+ fn from(type_: Type<'a>) -> Self {
+ let canonical = type_.get_canonical_type();
+ let is_const = type_.is_const_qualified();
+ let is_volatile = type_.is_volatile_qualified();
+ let is_restrict = type_.is_restrict_qualified();
+ let is_pointer = canonical.get_pointee_type().is_some();
+ let pointer_depth = count_pointer_depth(&canonical);
+ let is_function_pointer = is_func_ptr(&canonical);
+ let is_array = matches!(
+ canonical.get_kind(),
+ TypeKind::ConstantArray | TypeKind::IncompleteArray | TypeKind::VariableArray
+ );
+ let array_size = if is_array { canonical.get_size() } else { None };
+
+ let underlying = type_.get_underlying_type();
+ let underlying_type = underlying.get_declaration().and_then(|d| d.get_name());
+
+ Self {
+ type_,
+ underlying_type,
+ is_const,
+ is_volatile,
+ is_restrict,
+ is_pointer,
+ pointer_depth,
+ is_function_pointer,
+ is_array,
+ array_size,
+ }
+ }
+}
+
+impl<'a> TypeInfo<'a> {
+ /// Clear `underlying_type` if it matches the given display name.
+ ///
+ /// Used by [`Field`](crate::Field) and [`Param`](crate::Param) to avoid
+ /// redundant output when the underlying type is the same as the display type.
+ pub fn suppress_underlying_if_matches(&mut self, display_name: Option<&str>) {
+ if let Some(ref u) = self.underlying_type {
+ if display_name.is_some_and(|d| d == u) {
+ self.underlying_type = None;
+ }
+ }
+ }
+
+ /// The raw clang type.
+ #[must_use]
+ pub const fn get_type(&self) -> &Type<'a> {
+ &self.type_
+ }
+
+ /// The canonical (fully resolved typedef) form of this type.
+ #[must_use]
+ pub fn get_canonical_type(&self) -> Type<'a> {
+ self.type_.get_canonical_type()
+ }
+
+ /// The underlying type after resolving pointers and arrays.
+ #[must_use]
+ pub fn get_underlying_type(&self) -> Type<'a> {
+ self.type_.get_underlying_type()
+ }
+}
+
+/* ─────────────────────────────── Helpers ──────────────────────────────── */
+
+/// Count pointer indirection depth. `int**` = 2, `int*` = 1, `int` = 0.
+fn count_pointer_depth(canonical: &Type) -> usize {
+ let mut depth = 0;
+ let mut t = *canonical;
+ while let Some(pointee) = t.get_pointee_type() {
+ depth += 1;
+ t = pointee.get_canonical_type();
+ }
+ depth
+}
+
+/// Check if the canonical type is a function pointer (pointer to FunctionProto/FunctionNoProto).
+fn is_func_ptr(canonical: &Type) -> bool {
+ canonical.get_pointee_type().is_some_and(|pointee| {
+ matches!(
+ pointee.get_canonical_type().get_kind(),
+ TypeKind::FunctionPrototype | TypeKind::FunctionNoPrototype
+ )
+ })
+}
+
+/// Serde helper: skip serializing when value is zero.
+#[allow(clippy::trivially_copy_pass_by_ref)] // Required by serde skip_serializing_if signature.
+const fn is_zero(v: &usize) -> bool {
+ *v == 0
+}
diff --git a/util/bb-cli/Cargo.toml b/crates/bb-cli/Cargo.toml
similarity index 77%
rename from util/bb-cli/Cargo.toml
rename to crates/bb-cli/Cargo.toml
index 8323dce..c3abd5b 100644
--- a/util/bb-cli/Cargo.toml
+++ b/crates/bb-cli/Cargo.toml
@@ -8,4 +8,5 @@ clap.workspace = true
 bb-sdk.workspace = true
 bb-shared.workspace = true
 anyhow.workspace = true
-colored.workspace = true
\ No newline at end of file
+colored.workspace = true
+terminal_size.workspace = true
\ No newline at end of file
diff --git a/util/bb-cli/README.md b/crates/bb-cli/README.md
similarity index 100%
rename from util/bb-cli/README.md
rename to crates/bb-cli/README.md
diff --git a/util/bb-cli/src/lib.rs b/crates/bb-cli/src/lib.rs
similarity index 81%
rename from util/bb-cli/src/lib.rs
rename to crates/bb-cli/src/lib.rs
index d8ff0ff..4ad5fc9 100644
--- a/util/bb-cli/src/lib.rs
+++ b/crates/bb-cli/src/lib.rs
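Review bot: `is_pointer` and `pointer_depth` are both derived from the same `canonical.get_pointee_type()` call in `From::from`, so `is_pointer` is always exactly `pointer_depth > 0`; since both are serialized, the invariant should be documented on the field rather than left for readers to rediscover, e.g. `/// Always equal to `pointer_depth > 0`; kept as its own field for JSON output.` The same `From` doc says `underlying_type` is "always populated when a declaration name is available", but the code takes it from `get_declaration().and_then(|d| d.get_name())`, so for types with no declaration it is `None` — worth stating explicitly. `suppress_underlying_if_matches` can avoid the nested `if let` over a borrowed field with `if self.underlying_type.as_deref().is_some_and(|u| display_name == Some(u)) { self.underlying_type = None; }`, which reads as the single condition it is.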
@@ -1,6 +1,8 @@ -//! The unifying struct between all `bin` crates in the Benowin-Blanc project, -//! [`SharedArgs`] is responsible with handling [`bb_sdk`] and [`bb_clang`] -//! related responsibilities. +//! Shared CLI infrastructure for all `bin` crates in the Benowin-Blanc project. +//! +//! Provides [`SharedArgs`] for header configuration, [`print_suggestions`] for +//! did-you-mean hints, [`current_command_string`] for JSON output, and +//! [`terminal_width`] for layout calculations. //! //! To introduce in other `clap`-based CLIs, consider the following //! implementation: @@ -98,6 +100,20 @@ pub fn print_suggestions<'a>( } } +/* ─────────────────────────────── Utilities ──────────────────────────────── */ + +/// Returns the full command line as a single string (for JSON `"command"` fields). +#[must_use] +pub fn current_command_string() -> String { + std::env::args().collect::>().join(" ") +} + +/// Returns the current terminal width, defaulting to 80 columns. +#[must_use] +pub fn terminal_width() -> usize { + terminal_size::terminal_size().map_or(80, |(w, _)| w.0 as usize) +} + /* ─────────────────────────────────── SDK ────────────────────────────────── */ /// Build a [`HeaderConfig`] from the command-line arguments. diff --git a/util/bb-sdk/Cargo.toml b/crates/bb-sdk/Cargo.toml similarity index 89% rename from util/bb-sdk/Cargo.toml rename to crates/bb-sdk/Cargo.toml index 63d1eb1..5cd3db3 100644 --- a/util/bb-sdk/Cargo.toml +++ b/crates/bb-sdk/Cargo.toml @@ -4,6 +4,7 @@ version.workspace = true edition.workspace = true [dependencies] +bb-arch.workspace = true bb-clang.workspace = true clang.workspace = true clap.workspace = true diff --git a/crates/bb-sdk/README.md b/crates/bb-sdk/README.md new file mode 100644 index 0000000..7d51ad3 --- /dev/null +++ b/crates/bb-sdk/README.md 
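Review bot: `current_command_string` in the `@@ -98,6 +100,20 @@` hunk calls `std::env::args()`, which panics if any argument is not valid Unicode; because the result is only a display string, `std::env::args_os().map(|a| a.to_string_lossy().into_owned()).collect::<Vec<_>>().join(" ")` gives the same output for normal input without that failure mode. Joining with a single space also erases argument boundaries for arguments that themselves contain spaces, so the doc comment should say so, e.g. `/// Arguments are space-joined without quoting, so the result is for display only and cannot be re-executed.` `terminal_width` is fine as written: `u16` to `usize` is a lossless widening.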
@@ -0,0 +1,95 @@
+# bb-sdk
+
+> Synthetic header generation for **Windows SDK** and **PHNT**.
+
+`bb-sdk` is responsible for generating synthetic headers that allow `bb-clang` to later index and parse them.
+
+To get there however, the crate also takes care of the following things:
+
+- Checking that your environment is set up with **Windows SDK**;
+- Parsing your environment's latest **Windows SDK** version;
+ - Checking if you have all the pre-requisites necessary for generating a building kernel-mode SDK, if applicable.
+
+This crate also takes on the responsibility to handle versions for the provided SDKs.
+
+---
+
+## Architectures
+
+Target architectures are defined in [`bb-arch`](../bb-arch/) and re-exported here. `bb-sdk` extends them with SDK-specific preprocessor defines via the `ArchDefines` trait.
+
+`x86` | `amd64` | `arm` | `arm64`
+
+### Header configuration
+
+These are later relevant when you're defining a header configuration.
+
+From a header configuration, you can obtain a translation unit.
+
+In preparing this, the header configuration's information will be used to provide stuff like command-line arguments (such as the target architecture), and more.
+
+The result will be a translation unit that is created from an in-memory file.
+
+---
+
+## PHNT headers
+
+The PHNT header (`phnt.h`) provides internal NT structure definitions not available in the public Windows SDK. It is generated at build time from the [phnt-single-header](https://github.com/mrexodia/phnt-single-header) submodule.
+
+### How it works
+
+The `build.rs` resolves `phnt.h` in this order:
+
+1. **`BB_PHNT_HEADER`** env var — use a custom `phnt.h` directly.
+2. **`phnt.h`** next to this crate — local override file.
+3. **Submodule generation** — runs `amalgamate.py` from the `phnt/` submodule:
+ - Initializes the `phnt` submodule if not present.
+ - Initializes the nested `systeminformer` submodule (the PHNT source).
+ - Downloads `cpp-amalgamate.exe` (if missing) to combine headers.
+ - Runs `amalgamate.py` to generate `phnt/out/phnt.h`.
+ - Caches the result — subsequent builds are instant until the submodule changes.
+
+### Setup
+
+The recommended way:
+
+```powershell
+.\update-submodules.ps1 phnt
+```
+
+This initializes the submodule, downloads dependencies, and generates `phnt.h` automatically.
+
+### Manual setup
+
+```bash
+cd crates/bb-sdk/phnt
+git submodule update --init # init systeminformer source
+python amalgamate.py # generate out/phnt.h
+```
+
+### Custom header
+
+To use your own `phnt.h` without the submodule:
+
+```powershell
+$env:BB_PHNT_HEADER = "C:\path\to\my\phnt.h"
+cargo build
+```
+
+### Updating
+
+To update to the latest PHNT definitions:
+
+```bash
+cd crates/bb-sdk/phnt
+git pull # update the generator
+git submodule update --remote # update systeminformer source
+python amalgamate.py # regenerate
+```
+
+Or delete the cached stamp and rebuild:
+
+```powershell
+.\update-submodules.ps1 phnt
+cargo build
+```
diff --git a/crates/bb-sdk/build.rs b/crates/bb-sdk/build.rs
new file mode 100644
index 0000000..64ab43a
--- /dev/null
+++ b/crates/bb-sdk/build.rs
@@ -0,0 +1,225 @@
+use std::env;
+use std::fs;
+use std::path::{Path, PathBuf};
+use std::process::Command;
+
+/* ────────────────────────────────── Main ────────────────────────────────── */
+
+/// Resolve and copy the PHNT header to `OUT_DIR` for `include_str!`.
+///
+/// Resolution order:
+/// 1. `BB_PHNT_HEADER` env var → explicit custom header path
+/// 2. `phnt.h` next to this crate → local override
+/// 3. Generate from the phnt-single-header submodule
+fn main() {
+ println!("cargo::rerun-if-env-changed=BB_PHNT_HEADER");
+
+ let out_dir = PathBuf::from(env::var("OUT_DIR").unwrap());
+ let out_phnt = out_dir.join("phnt.h");
+ let stamp_path = out_dir.join("phnt.stamp");
+ let manifest_dir = PathBuf::from(env::var("CARGO_MANIFEST_DIR").unwrap());
+
+ // 1. BB_PHNT_HEADER env var.
+ if let Some(path) = env::var("BB_PHNT_HEADER")
+ .map(PathBuf::from)
+ .ok()
+ .filter(|p| p.exists())
+ {
+ println!("cargo::rerun-if-changed={}", path.display());
+ eprintln!("bb-sdk: using BB_PHNT_HEADER={}", path.display());
+ fs::copy(&path, &out_phnt).expect("failed to copy BB_PHNT_HEADER");
+ return;
+ }
+
+ // 2. phnt.h next to the crate.
+ let local = manifest_dir.join("phnt.h");
+ if local.exists() {
+ println!("cargo::rerun-if-changed={}", local.display());
+ fs::copy(&local, &out_phnt).expect("failed to copy local phnt.h");
+ return;
+ }
+
+ // 3. Generate from phnt-single-header submodule.
+ let phnt_dir = manifest_dir.join("phnt");
+ let amalgamate_py = phnt_dir.join("amalgamate.py");
+ let generated = phnt_dir.join("out/phnt.h");
+
+ // Init the submodule if it's not there.
+ if !amalgamate_py.exists() {
+ eprintln!("bb-sdk: initializing phnt submodule...");
+ run_or_warn(
+ Command::new("git")
+ .args(["submodule", "update", "--init", "crates/bb-sdk/phnt"])
+ .current_dir(find_workspace_root().unwrap_or(manifest_dir)),
+ "git submodule init for phnt",
+ );
+ }
+
+ assert!(
+ amalgamate_py.exists(),
+ "bb-sdk: phnt submodule not found at {}\n\
+ hint: run `git submodule update --init crates/bb-sdk/phnt`\n\
+ or set BB_PHNT_HEADER to a custom phnt.h path",
+ phnt_dir.display()
+ );
+
+ // If the generated output already exists and is up-to-date, reuse it.
+ let si_dir = phnt_dir.join("systeminformer");
+ let current_rev = submodule_rev(&si_dir);
+ if generated.exists() && is_up_to_date(&out_phnt, &stamp_path, current_rev.as_deref()) {
+ eprintln!("bb-sdk: phnt unchanged, reusing cached header");
+ return;
+ }
+
+ // If out/phnt.h already exists (pre-generated or from a previous run), use it.
+ if generated.exists() {
+ eprintln!("bb-sdk: using pre-generated {}", generated.display());
+ println!("cargo::rerun-if-changed={}", generated.display());
+ fs::copy(&generated, &out_phnt).expect("failed to copy generated phnt.h");
+ if let Some(ref rev) = current_rev {
+ let _ = fs::write(&stamp_path, rev);
+ }
+ return;
+ }
+
+ // Need to generate — init systeminformer submodule + run amalgamate.py.
+ if !si_dir.join("phnt").exists() {
+ eprintln!("bb-sdk: initializing systeminformer submodule (this may take a while)...");
+ run_or_warn(
+ Command::new("git")
+ .args(["submodule", "update", "--init", "systeminformer"])
+ .current_dir(&phnt_dir),
+ "git submodule init for systeminformer",
+ );
+ }
+
+ // Pre-download cpp-amalgamate.exe if missing or empty.
+ // amalgamate.py uses urllib which can fail silently on some Python versions.
+ let cpp_amalgamate = phnt_dir.join("cpp-amalgamate.exe");
+ let needs_download =
+ !cpp_amalgamate.exists() || cpp_amalgamate.metadata().is_ok_and(|m| m.len() == 0);
+ if needs_download {
+ eprintln!("bb-sdk: downloading cpp-amalgamate.exe...");
+ let url = "https://github.com/Felerius/cpp-amalgamate/releases/download/1.0.1/cpp-amalgamate-x86_64-pc-windows-gnu.exe";
+ if cpp_amalgamate.exists() {
+ let _ = fs::remove_file(&cpp_amalgamate);
+ }
+ // Use curl or powershell — both handle GitHub redirects correctly.
+ let dl_ok = Command::new("curl")
+ .args(["-sL", "-o", cpp_amalgamate.to_str().unwrap(), url])
+ .status()
+ .is_ok_and(|s| s.success());
+ if !dl_ok {
+ // Fallback to powershell on Windows.
+ let _ = Command::new("powershell")
+ .args([
+ "-Command",
+ &format!(
+ "Invoke-WebRequest -Uri '{}' -OutFile '{}' -UseBasicParsing",
+ url,
+ cpp_amalgamate.display()
+ ),
+ ])
+ .status();
+ }
+ }
+
+ eprintln!("bb-sdk: running amalgamate.py to generate phnt.h...");
+ let Some(python) = find_python() else {
+ panic!(
+ "bb-sdk: python3 not found on PATH\n\
+ hint: install Python 3, or run amalgamate.py manually, \
+ or set BB_PHNT_HEADER"
+ );
+ };
+
+ let output = Command::new(&python[0])
+ .args(&python[1..])
+ .arg(amalgamate_py.to_str().unwrap())
+ .current_dir(&phnt_dir)
+ .output();
+
+ match &output {
+ Ok(o) if o.status.success() && generated.exists() => {
+ eprintln!("bb-sdk: amalgamate.py completed successfully");
+ fs::copy(&generated, &out_phnt).expect("failed to copy generated phnt.h");
+ if let Some(ref rev) = current_rev {
+ let _ = fs::write(&stamp_path, rev);
+ }
+ }
+ Ok(o) => {
+ for line in String::from_utf8_lossy(&o.stderr).lines() {
+ eprintln!("bb-sdk: py: {line}");
+ }
+ panic!("bb-sdk: amalgamate.py failed (exit {})", o.status);
+ }
+ Err(e) => panic!("bb-sdk: failed to run python ({e})"),
+ }
+}
+
+/* ───────────────────────────────── Helpers ──────────────────────────────── */
+
+fn run_or_warn(cmd: &mut Command, desc: &str) {
+ match cmd.status() {
+ Ok(s) if s.success() => {}
+ Ok(s) => eprintln!("bb-sdk: {desc} failed (exit {s}), continuing..."),
+ Err(e) => eprintln!("bb-sdk: {desc}: {e}, continuing..."),
+ }
+}
+
+fn submodule_rev(dir: &Path) -> Option {
+ Command::new("git")
+ .args(["rev-parse", "HEAD"])
+ .current_dir(dir)
+ .output()
+ .ok()
+ .filter(|o| o.status.success())
+ .map(|o| String::from_utf8_lossy(&o.stdout).trim().to_string())
+}
+
+fn is_up_to_date(out_phnt: &Path, stamp_path: &Path, current_rev: Option<&str>) -> bool {
+ if !out_phnt.exists() {
+ return false;
+ }
+ let Some(rev) = current_rev else {
+ return false;
+ };
+ fs::read_to_string(stamp_path).is_ok_and(|stored| stored.trim() == rev)
+}
+
+fn find_python() -> Option> {
+ if cfg!(windows)
+ && Command::new("py")
+ .args(["-3", "--version"])
+ .output()
+ .is_ok_and(|o| o.status.success())
+ {
+ return Some(vec!["py".into(), "-3".into()]);
+ }
+ for name in ["python3", "python"] {
+ if Command::new(name)
+ .arg("--version")
+ .output()
+ .is_ok_and(|o| o.status.success())
+ {
+ return Some(vec![name.into()]);
+ }
+ }
+ None
+}
+
+fn find_workspace_root() -> Option {
+ let manifest = PathBuf::from(env::var("CARGO_MANIFEST_DIR").ok()?);
+ let mut dir = manifest.as_path();
+ loop {
+ let candidate = dir.join("Cargo.toml");
+ if candidate.exists() {
+ if let Ok(content) = fs::read_to_string(&candidate) {
+ if content.contains("[workspace]") {
+ return Some(dir.to_path_buf());
+ }
+ }
+ }
+ dir = dir.parent()?;
+ }
+}
diff --git a/crates/bb-sdk/phnt b/crates/bb-sdk/phnt
new file mode 160000
index 0000000..1db7214
--- /dev/null
+++ b/crates/bb-sdk/phnt
@@ -0,0 +1 @@
+Subproject commit 1db72143c1d137fafa174c0abc4f753a15ac2d37
diff --git a/crates/bb-sdk/src/arch.rs b/crates/bb-sdk/src/arch.rs
new file mode 100644
index 0000000..b220b8b
--- /dev/null
+++ b/crates/bb-sdk/src/arch.rs
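Review bot: The `cpp-amalgamate.exe` fetched in the `needs_download` branch is written into the source tree and later run by `amalgamate.py` with no integrity check, and the `curl` invocation lacks `--fail`, so an HTTP error response is saved as the executable while `dl_ok` still reports success; use `.args(["-fsL", "-o", cpp_amalgamate.to_str().unwrap(), url])` so a non-2xx status is treated as a failed download. Because `needs_download` only re-fetches when the file is missing or empty, such a bad file is then reused by every later build until someone deletes it by hand. A pinned digest of the release asset, checked after download through a hashing build-dependency with the file removed and the build failed on mismatch, would make the build reproducible and keep a substituted asset from being executed on developer machines; the PowerShell fallback should likewise check its exit status instead of `let _ = ...`. Both the download and the `git submodule update --init` calls give `cargo build` network side effects that the README describes but the doc comment on `main` does not, e.g. `/// Step 3 may run `git` and download a helper binary; set `BB_PHNT_HEADER` for offline builds.`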
@@ -0,0 +1,30 @@
+//! SDK-level architecture extensions.
+//!
+//! Re-exports [`bb_arch::Arch`] and adds Windows SDK-specific methods
+//! (preprocessor defines for cross-compilation).
+
+pub use bb_arch::Arch;
+
+/* ──────────────────────────── SDK extensions ────────────────────────────── */
+
+/// SDK-specific preprocessor defines for each architecture.
+pub trait ArchDefines {
+ fn defines(self) -> &'static [&'static str];
+}
+
+impl ArchDefines for Arch {
+ fn defines(self) -> &'static [&'static str] {
+ match self {
+ Self::X86 => &["-D_WIN32", "-D_X86_", "-D_M_IX86=600"],
+ Self::Amd64 => &[
+ "-D_WIN32",
+ "-D_WIN64",
+ "-D_AMD64_",
+ "-D_M_AMD64=100",
+ "-D_M_X64=100",
+ ],
+ Self::Arm => &["-D_WIN32", "-D_ARM_", "-D_M_ARM=7"],
+ Self::Arm64 => &["-D_WIN32", "-D_WIN64", "-D_ARM64_", "-D_M_ARM64=1"],
+ }
+ }
+}
diff --git a/util/bb-sdk/src/config.rs b/crates/bb-sdk/src/config.rs
similarity index 93%
rename from util/bb-sdk/src/config.rs
rename to crates/bb-sdk/src/config.rs
index 247d070..6f1141e 100644
--- a/util/bb-sdk/src/config.rs
+++ b/crates/bb-sdk/src/config.rs
@@ -2,7 +2,7 @@ //! //! This module provides a high-level API for configuring and parsing Windows headers. -use crate::arch::Arch; +use crate::arch::{Arch, ArchDefines}; use crate::parser::{parse_phnt, parse_winsdk}; use crate::phnt::PhntVersion; use crate::winsdk::{SdkInfo, SdkMode, check_wdk_installed, get_sdk_info};
@@ -105,17 +105,6 @@ impl HeaderConfig { }) } - /// Create a PHNT configuration with the default version (Win11). - /// - /// This is a convenience method equivalent to `phnt(arch, PhntVersion::default(), mode)`. - /// - /// # Errors - /// - /// Returns an error if Windows SDK is not found (needed for base types). - pub fn phnt_default(arch: Arch, mode: SdkMode) -> Result { - Self::phnt(arch, PhntVersion::default(), mode) - } - /// Get the target architecture for this configuration. #[must_use] pub const fn arch(&self) -> Arch {
diff --git a/util/bb-sdk/src/lib.rs b/crates/bb-sdk/src/lib.rs similarity index 73% rename from util/bb-sdk/src/lib.rs rename to crates/bb-sdk/src/lib.rs index 969e2dd..7a6ff95 100644 --- a/util/bb-sdk/src/lib.rs +++ b/crates/bb-sdk/src/lib.rs @@ -1,7 +1,9 @@ //! SDK and PHNT integration for bb. //! //! This crate provides Windows SDK and PHNT header management, -//! including header generation and parsing utilities. +//! including header generation and parsing utilities. Re-exports +//! [`bb_arch::Arch`] and extends it with SDK-specific preprocessor +//! defines via [`ArchDefines`]. mod arch; mod config; @@ -13,7 +15,7 @@ mod winsdk; pub use config::HeaderConfig; // Architecture -pub use arch::Arch; +pub use arch::{Arch, ArchDefines}; // Parsing utilities pub use parser::{parse_phnt, parse_winsdk}; diff --git a/util/bb-sdk/src/parser.rs b/crates/bb-sdk/src/parser.rs similarity index 100% rename from util/bb-sdk/src/parser.rs rename to crates/bb-sdk/src/parser.rs diff --git a/util/bb-sdk/src/phnt/kernel.rs b/crates/bb-sdk/src/phnt/kernel.rs similarity index 100% rename from util/bb-sdk/src/phnt/kernel.rs rename to crates/bb-sdk/src/phnt/kernel.rs diff --git a/util/bb-sdk/src/phnt/mod.rs b/crates/bb-sdk/src/phnt/mod.rs similarity index 93% rename from util/bb-sdk/src/phnt/mod.rs rename to crates/bb-sdk/src/phnt/mod.rs index 7196ff5..89596b9 100644 --- a/util/bb-sdk/src/phnt/mod.rs +++ b/crates/bb-sdk/src/phnt/mod.rs 
@@ -79,8 +79,11 @@ impl PhntVersion { /* ──────────────────────────── Header generation ─────────────────────────── */ -/// The embedded PHNT header file. -pub const PHNT_HEADER: &str = include_str!("../../extra/phnt.h"); +/// The embedded PHNT header file, resolved at build time from: +/// 1. `BB_PHNT_HEADER` env var, or +/// 2. `phnt.h` next to the crate, or +/// 3. Generated from the phnt-single-header submodule. +pub const PHNT_HEADER: &str = include_str!(concat!(env!("OUT_DIR"), "/phnt.h")); /// Utility universal includes required before PHNT. const PHNT_INCLUDES: &[&str] = &["assert.h"]; diff --git a/util/bb-sdk/src/phnt/user.rs b/crates/bb-sdk/src/phnt/user.rs similarity index 100% rename from util/bb-sdk/src/phnt/user.rs rename to crates/bb-sdk/src/phnt/user.rs diff --git a/util/bb-sdk/src/winsdk/kernel.rs b/crates/bb-sdk/src/winsdk/kernel.rs similarity index 100% rename from util/bb-sdk/src/winsdk/kernel.rs rename to crates/bb-sdk/src/winsdk/kernel.rs diff --git a/util/bb-sdk/src/winsdk/mod.rs b/crates/bb-sdk/src/winsdk/mod.rs similarity index 100% rename from util/bb-sdk/src/winsdk/mod.rs rename to crates/bb-sdk/src/winsdk/mod.rs diff --git a/util/bb-sdk/src/winsdk/user.rs b/crates/bb-sdk/src/winsdk/user.rs similarity index 100% rename from util/bb-sdk/src/winsdk/user.rs rename to crates/bb-sdk/src/winsdk/user.rs diff --git a/util/bb-shared/Cargo.toml b/crates/bb-shared/Cargo.toml similarity index 100% rename from util/bb-shared/Cargo.toml rename to crates/bb-shared/Cargo.toml diff --git a/util/bb-shared/README.md b/crates/bb-shared/README.md similarity index 100% rename from util/bb-shared/README.md rename to crates/bb-shared/README.md diff --git a/util/bb-shared/src/lib.rs b/crates/bb-shared/src/lib.rs similarity index 100% rename from util/bb-shared/src/lib.rs rename to crates/bb-shared/src/lib.rs diff --git a/crates/bb-sparse/Cargo.toml b/crates/bb-sparse/Cargo.toml new file mode 100644 index 0000000..f3ac55c --- /dev/null 
+++ b/crates/bb-sparse/Cargo.toml
@@ -0,0 +1,12 @@
+[package]
+name = "bb-sparse"
+version.workspace = true
+edition.workspace = true
+
+[dependencies]
+serde.workspace = true
+serde_json.workspace = true
+flate2.workspace = true
+
+[build-dependencies]
+flate2.workspace = true
diff --git a/crates/bb-sparse/README.md b/crates/bb-sparse/README.md
new file mode 100644
index 0000000..2c79f03
--- /dev/null
+++ b/crates/bb-sparse/README.md
@@ -0,0 +1,76 @@ +# bb-sparse + +> Embedded Windows API metadata from [sparse](https://github.com/cristeigabriela/sparse). + +`bb-sparse` provides offline lookup of function-level documentation metadata extracted from Microsoft's sdk-api repository: library/DLL info, version requirements, parameter directions (SAL), and known constant values. + +The JSON data is gzip-compressed at build time (~38MB raw → ~1.6MB compressed) and decompressed lazily on first access. + +--- + +## How it works + +The `build.rs` script handles data generation: + +1. **`BB_SPARSE_JSON` env var** — if set, uses a pre-generated JSON file directly. +2. **`sparse.json` file** — if found next to the workspace root or crate, uses it. +3. **Auto-generate** — runs the [sparse](https://github.com/cristeigabriela/sparse) Python tool against the sdk-api submodule: + - Initializes the `sparse/sdk-api` git submodule if needed (~1GB clone, first time only). + - Runs `sparse.py` to parse MSDN markdown files (~8s). + - Caches the result: subsequent builds are instant unless sdk-api is updated (tracked via git rev stamp). + +If none of the above succeed (no Python, no submodule, etc.), an empty placeholder is embedded and `bb_sparse::is_available()` returns `false`. + +### Setup + +The recommended way: + +```powershell +.\update-submodules.ps1 sparse +``` + +### Opting out + +To build without sparse data (faster builds, smaller binary), simply don't init the sparse submodule. The build.rs gracefully degrades: if the submodule or Python is missing, it embeds an empty placeholder. `bb-funcs` falls back to the plain ABI detail view. + +--- + +## Usage + +```rust +// Look up metadata for a function. 
+if let Some(meta) = bb_sparse::lookup("CreateFileW") { + println!("DLL: {:?}", meta.dll_display()); + println!("Min client: {:?}", meta.min_client_str()); + + if let Some(pm) = meta.params.get("dwShareMode") { + println!("Directions: {:?}", pm.direction_strings()); + println!("Values: {:?}", pm.values); + } +} + +// Check if data is available. +if bb_sparse::is_available() { + println!("{} functions indexed", bb_sparse::entry_count()); +} +``` + +--- + +## Data schema + +Each function entry contains: + +| Field | Type | Example | +| --- | --- | --- | +| `header` | string | `"fileapi.h"` | +| `dll` | string or array | `"Kernel32.dll"` | +| `lib` | string or array | `"Kernel32.lib"` | +| `min_client_version` | string | `"Windows XP [desktop apps only]"` | +| `min_server_version` | string | `"Windows Server 2003 [desktop apps only]"` | +| `metadata.api_location` | array | `["Kernel32.dll", "KernelBase.dll", ...]` | +| `metadata.api_name` | array | `["CreateFile", "CreateFileA", "CreateFileW"]` | +| `params..directions` | array | `["in"]`, `["in", "optional"]` | +| `params..values` | object | `{"FILE_SHARE_READ": 1, ...}` | + +All fields are nullable — the sparse JSON schema is inconsistent across entries. The types use `serde_json::Value` internally and expose typed accessor methods. diff --git a/crates/bb-sparse/build.rs b/crates/bb-sparse/build.rs new file mode 100644 index 0000000..ffb070e --- /dev/null +++ b/crates/bb-sparse/build.rs 
@@ -0,0 +1,236 @@ +use std::env; +use std::fs; +use std::io::Write; +use std::path::{Path, PathBuf}; +use std::process::Command; + +use flate2::Compression; +use flate2::write::GzEncoder; + +/* ────────────────────────────────── Main ────────────────────────────────── */ + +fn main() { + println!("cargo::rerun-if-env-changed=BB_SPARSE_JSON"); + + let out_dir = PathBuf::from(env::var("OUT_DIR").unwrap()); + let gz_path = out_dir.join("sparse.json.gz"); + let stamp_path = out_dir.join("sparse.stamp"); + let manifest_dir = PathBuf::from(env::var("CARGO_MANIFEST_DIR").unwrap()); + + // 1. BB_SPARSE_JSON env var always wins (explicit pre-generated file). + if let Some(path) = env::var("BB_SPARSE_JSON") + .map(PathBuf::from) + .ok() + .filter(|p| p.exists()) + { + println!("cargo::rerun-if-changed={}", path.display()); + compress_json(&path, &gz_path); + return; + } + + // 2. Check for pre-generated sparse.json next to workspace root or crate. + let pre_generated = find_workspace_root() + .map(|root| root.join("sparse.json")) + .filter(|p| p.exists()) + .or_else(|| { + let p = manifest_dir.join("sparse.json"); + p.exists().then_some(p) + }); + + if let Some(path) = &pre_generated { + println!("cargo::rerun-if-changed={}", path.display()); + compress_json(path, &gz_path); + return; + } + + // 3. Auto-generate from sparse submodule + sdk-api. + let sparse_dir = manifest_dir.join("sparse"); + let sparse_py = sparse_dir.join("sparse.py"); + let sdk_api_dir = sparse_dir.join("sdk-api"); + let sdk_api_content = sdk_api_dir.join("sdk-api-src/content"); + + if !sparse_py.exists() { + eprintln!("bb-sparse: sparse submodule not found, embedding empty data"); + eprintln!(" hint: run `git submodule update --init --recursive`"); + write_empty(&gz_path); + return; + } + + // Initialize the nested sdk-api submodule if needed. 
+ if !sdk_api_content.exists() { + eprintln!("bb-sparse: initializing sdk-api submodule (this may take a while)..."); + let status = Command::new("git") + .args(["submodule", "update", "--init", "--recursive"]) + .current_dir(&sparse_dir) + .status(); + + match status { + Ok(s) if s.success() => {} + Ok(s) => { + eprintln!("bb-sparse: git submodule init failed (exit {s}), embedding empty data"); + write_empty(&gz_path); + return; + } + Err(e) => { + eprintln!("bb-sparse: git not available ({e}), embedding empty data"); + write_empty(&gz_path); + return; + } + } + } + + if !sdk_api_content.exists() { + eprintln!( + "bb-sparse: sdk-api content not found after submodule init, embedding empty data" + ); + write_empty(&gz_path); + return; + } + + // Check if we can skip regeneration: existing gz is non-empty and + // sdk-api hasn't changed since last generation. + let current_rev = sdk_api_rev(&sdk_api_dir); + if is_up_to_date(&gz_path, &stamp_path, current_rev.as_deref()) { + eprintln!("bb-sparse: sdk-api unchanged, reusing cached data"); + return; + } + + // Run sparse.py to generate the JSON. + eprintln!("bb-sparse: running sparse.py to generate API metadata..."); + let Some(python) = find_python() else { + eprintln!("bb-sparse: python3 not found on PATH, embedding empty data"); + eprintln!(" hint: install Python 3 or set BB_SPARSE_JSON to a pre-generated file"); + write_empty(&gz_path); + return; + }; + + let generated_json = out_dir.join("sparse_generated.json"); + let mut cmd = Command::new(&python[0]); + cmd.args(&python[1..]); + cmd.args([ + sparse_py.to_str().unwrap(), + "-o", + generated_json.to_str().unwrap(), + "--silent", + sdk_api_content.to_str().unwrap(), + ]); + cmd.current_dir(&sparse_dir); + + let output = cmd.output(); + + // Log stderr from sparse.py on failure. 
+ if let Ok(ref o) = output { + if !o.status.success() { + for line in String::from_utf8_lossy(&o.stderr).lines() { + eprintln!("bb-sparse: py: {line}"); + } + } + } + + match output.as_ref().map(|o| o.status) { + Ok(s) if s.success() && generated_json.exists() => { + eprintln!("bb-sparse: sparse.py completed successfully"); + compress_json(&generated_json, &gz_path); + // Write stamp so we can skip next time. + if let Some(ref rev) = current_rev { + let _ = fs::write(&stamp_path, rev); + } + } + Ok(s) => { + eprintln!("bb-sparse: sparse.py failed (exit {s}), embedding empty data"); + write_empty(&gz_path); + } + Err(e) => { + eprintln!("bb-sparse: failed to run python ({e}), embedding empty data"); + write_empty(&gz_path); + } + } +} + +/* ───────────────────────────────── Helpers ──────────────────────────────── */ + +/// Get the current git rev of the sdk-api submodule. +fn sdk_api_rev(sdk_api_dir: &Path) -> Option { + Command::new("git") + .args(["rev-parse", "HEAD"]) + .current_dir(sdk_api_dir) + .output() + .ok() + .filter(|o| o.status.success()) + .map(|o| String::from_utf8_lossy(&o.stdout).trim().to_string()) +} + +/// Check if the existing compressed data is still valid: +/// - gz exists and is non-empty +/// - stamp file contains the same rev as current sdk-api HEAD +fn is_up_to_date(gz_path: &Path, stamp_path: &Path, current_rev: Option<&str>) -> bool { + let gz_ok = gz_path.metadata().is_ok_and(|m| m.len() > 0); + + if !gz_ok { + return false; + } + + let Some(rev) = current_rev else { + return false; + }; + + fs::read_to_string(stamp_path).is_ok_and(|stored| stored.trim() == rev) +} + +fn compress_json(json_path: &Path, gz_path: &Path) { + let raw = fs::read(json_path).expect("failed to read sparse JSON"); + let mut encoder = GzEncoder::new(Vec::new(), Compression::best()); + encoder.write_all(&raw).expect("failed to compress"); + let compressed = encoder.finish().expect("failed to finish compression"); + + eprintln!( + "bb-sparse: compressed {} -> {} 
bytes ({:.0}% reduction)", + raw.len(), + compressed.len(), + (1.0 - compressed.len() as f64 / raw.len() as f64) * 100.0, + ); + + fs::write(gz_path, &compressed).expect("failed to write compressed data"); +} + +fn write_empty(gz_path: &Path) { + fs::write(gz_path, b"").expect("failed to write empty placeholder"); +} + +fn find_python() -> Option> { + // On Windows, `py -3` uses the Python launcher to find the latest 3.x. + if cfg!(windows) + && Command::new("py") + .args(["-3", "--version"]) + .output() + .is_ok_and(|o| o.status.success()) + { + return Some(vec!["py".into(), "-3".into()]); + } + for name in ["python3", "python"] { + if Command::new(name) + .arg("--version") + .output() + .is_ok_and(|o| o.status.success()) + { + return Some(vec![name.into()]); + } + } + None +} + +fn find_workspace_root() -> Option { + let manifest = PathBuf::from(env::var("CARGO_MANIFEST_DIR").ok()?); + let mut dir = manifest.as_path(); + loop { + let candidate = dir.join("Cargo.toml"); + if candidate.exists() { + if let Ok(content) = fs::read_to_string(&candidate) { + if content.contains("[workspace]") { + return Some(dir.to_path_buf()); + } + } + } + dir = dir.parent()?; + } +} diff --git a/crates/bb-sparse/sparse b/crates/bb-sparse/sparse new file mode 160000 index 0000000..54d0f96 --- /dev/null +++ b/crates/bb-sparse/sparse @@ -0,0 +1 @@ +Subproject commit 54d0f96892d38d13ed52bcad8b866193f6f59824 diff --git a/crates/bb-sparse/src/lib.rs b/crates/bb-sparse/src/lib.rs new file mode 100644 index 0000000..8b152a1 --- /dev/null +++ b/crates/bb-sparse/src/lib.rs 
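Review bot: In the auto-generate path, `main` prints `cargo::rerun-if-env-changed=BB_SPARSE_JSON` but no `cargo::rerun-if-changed` for `sparse.py` or the sdk-api checkout, and as far as I read Cargo's rerun semantics, emitting any rerun-if directive disables the default of rerunning on package changes — so once an empty placeholder or a generated blob is in `OUT_DIR`, a later `git submodule update` or sdk-api bump will not re-run this script, and the rev-stamp check in `is_up_to_date` never gets a chance to notice. Emitting `println!("cargo::rerun-if-changed={}", sparse_py.display());` plus a directive for whichever file records the sdk-api revision (the submodule's HEAD ref, presumably) would fix that. Separately, this script performs network access (`git submodule update --init --recursive`) and executes `sparse.py` from the submodule with the builder's privileges; both are pinned through the gitlink commit, but a header comment makes that supply-chain surface explicit for CI maintainers, e.g. `// NOTE: this script may clone the sdk-api submodule over the network and executes sparse/sparse.py; set BB_SPARSE_JSON for hermetic builds.`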
@@ -0,0 +1,197 @@ +//! Embedded Windows API metadata from [sparse](https://github.com/cristeigabriela/sparse). +//! +//! Provides offline lookup of function-level documentation metadata extracted +//! from Microsoft's sdk-api repository: library/DLL info, version requirements, +//! parameter directions, and known constant values. +//! +//! The JSON data is gzip-compressed at build time and decompressed lazily on +//! first access. + +use std::collections::HashMap; +use std::io::Read; +use std::sync::OnceLock; + +use flate2::read::GzDecoder; +use serde::Deserialize; + +/* ────────────────────────────────── Types ───────────────────────────────── */ + +/// Metadata for a single Windows API function, sourced from MSDN documentation. +/// +/// Fields use `serde_json::Value` where the sparse JSON schema is inconsistent +/// (some fields are strings in one entry, arrays or null in another). +#[derive(Debug, Clone, Deserialize)] +pub struct FuncMetadata { + /// Header file (e.g., `"fileapi.h"`). + #[serde(default)] + pub header: serde_json::Value, + /// Link library (e.g., `"Kernel32.lib"` or `["lib1", "lib2"]`). + #[serde(default)] + pub lib: serde_json::Value, + /// DLL name (e.g., `"Kernel32.dll"` or `["dll1", "dll2"]`). + #[serde(default)] + pub dll: serde_json::Value, + /// Minimum Windows client version. + #[serde(default)] + pub min_client_version: serde_json::Value, + /// Minimum Windows server version. + #[serde(default)] + pub min_server_version: serde_json::Value, + /// Extended API metadata. + #[serde(default)] + pub metadata: Option, + /// Per-parameter metadata, keyed by parameter name. + #[serde(default)] + pub params: HashMap, +} + +/// API-level metadata from the MSDN documentation frontmatter. +#[derive(Debug, Clone, Deserialize)] +pub struct ApiMetadata { + /// Unique identifier (e.g., `"NF:fileapi.CreateFileW"`). + #[serde(default, rename = "UID")] + pub uid: serde_json::Value, + /// Documentation title. 
+ #[serde(default)] + pub title: serde_json::Value, + /// API classification (e.g., `["DllExport"]`). May contain nulls. + #[serde(default)] + pub api_type: Vec, + /// All DLL locations where the function exists. May contain nulls. + #[serde(default)] + pub api_location: Vec, + /// Function name variants (e.g., `["CreateFile", "CreateFileA", "CreateFileW"]`). + #[serde(default)] + pub api_name: Vec, +} + +/// Per-parameter metadata from MSDN documentation. +#[derive(Debug, Clone, Deserialize)] +pub struct ParamMetadata { + /// SAL-style directions (e.g., `["in"]`, `["in", "optional"]`, `["out"]`). + #[serde(default)] + pub directions: Vec, + /// Known constant values for this parameter (e.g., `{"FILE_SHARE_READ": 1}`). + #[serde(default)] + pub values: HashMap, +} + +/* ─────────────────────── Value extraction helpers ──────────────────────── */ + +/// Extract a display string from a `Value` that might be a string or an array of strings. +fn value_as_display(v: &serde_json::Value) -> Option { + match v { + serde_json::Value::String(s) => Some(s.clone()), + serde_json::Value::Array(arr) => { + let strs: Vec<&str> = arr.iter().filter_map(|v| v.as_str()).collect(); + if strs.is_empty() { + None + } else { + Some(strs.join(", ")) + } + } + _ => None, + } +} + +/// Extract a `Vec` from a `Vec`, skipping nulls. +fn values_as_strings(vals: &[serde_json::Value]) -> Vec { + vals.iter() + .filter_map(|v| v.as_str().map(String::from)) + .collect() +} + +impl FuncMetadata { + /// Get the header as a string, if available. + #[must_use] + pub fn header_str(&self) -> Option<&str> { + self.header.as_str() + } + /// Get the lib as a display string (may be a single value or comma-joined array). + #[must_use] + pub fn lib_display(&self) -> Option { + value_as_display(&self.lib) + } + /// Get the DLL as a display string (may be a single value or comma-joined array). 
+ #[must_use] + pub fn dll_display(&self) -> Option { + value_as_display(&self.dll) + } + /// Get the minimum client version, if available. + #[must_use] + pub fn min_client_str(&self) -> Option<&str> { + self.min_client_version.as_str() + } + /// Get the minimum server version, if available. + #[must_use] + pub fn min_server_str(&self) -> Option<&str> { + self.min_server_version.as_str() + } +} + +impl ApiMetadata { + /// Get the API location DLLs as strings. + #[must_use] + pub fn locations(&self) -> Vec { + values_as_strings(&self.api_location) + } + /// Get the function name variants as strings. + #[must_use] + pub fn names(&self) -> Vec { + values_as_strings(&self.api_name) + } +} + +impl ParamMetadata { + /// Get the directions as strings. + #[must_use] + pub fn direction_strings(&self) -> Vec { + values_as_strings(&self.directions) + } +} + +/* ──────────────────────── Compressed data embedding ────────────────────── */ + +/// The gzip-compressed sparse JSON, embedded at compile time. +/// If no data file was present at build time, this is an empty slice. +static COMPRESSED_DATA: &[u8] = include_bytes!(concat!(env!("OUT_DIR"), "/sparse.json.gz")); + +/// Lazily decompressed and deserialized lookup table. +static LOOKUP: OnceLock> = OnceLock::new(); + +fn load_lookup() -> HashMap { + if COMPRESSED_DATA.is_empty() { + return HashMap::new(); + } + + let mut decoder = GzDecoder::new(COMPRESSED_DATA); + let mut json_str = String::new(); + decoder + .read_to_string(&mut json_str) + .expect("failed to decompress sparse data"); + + serde_json::from_str(&json_str).expect("failed to parse sparse JSON") +} + +/* ─────────────────────────── Public API ─────────────────────────────────── */ + +/// Look up metadata for a function by name. +/// +/// Returns `None` if the function is not in the sparse database, or if +/// no sparse data was embedded at build time. 
+#[must_use]
+pub fn lookup(name: &str) -> Option<&'static FuncMetadata> {
+ LOOKUP.get_or_init(load_lookup).get(name)
+}
+
+/// Returns `true` if sparse data was embedded at build time.
+#[must_use]
+pub fn is_available() -> bool {
+ !COMPRESSED_DATA.is_empty()
+}
+
+/// Returns the number of functions in the sparse database.
+#[must_use]
+pub fn entry_count() -> usize {
+ LOOKUP.get_or_init(load_lookup).len()
+}
diff --git a/crates/bb-sql/Cargo.toml b/crates/bb-sql/Cargo.toml
new file mode 100644
index 0000000..dc57474
--- /dev/null
+++ b/crates/bb-sql/Cargo.toml
@@ -0,0 +1,10 @@
+[package]
+name = "bb-sql"
+version.workspace = true
+edition.workspace = true
+
+[dependencies]
+sqlparser.workspace = true
+rusqlite.workspace = true
+anyhow.workspace = true
+serde_json.workspace = true
diff --git a/crates/bb-sql/src/eval.rs b/crates/bb-sql/src/eval.rs
new file mode 100644
index 0000000..c05a49c
--- /dev/null
+++ b/crates/bb-sql/src/eval.rs
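Review bot: `lookup` and `entry_count` can panic: `load_lookup` uses `expect` on both the gzip decode and `serde_json::from_str`, so a corrupt embedded blob surfaces as a panic on the first call rather than as `None` or `0`. Since the blob is produced by this crate's own build script, treating that as an invariant is defensible, but the public docs should say so with a rustdoc `# Panics` section on both functions, e.g. `/// # Panics` / `/// Panics if the embedded data cannot be decompressed or parsed (a build-time bug, not a runtime condition).` `is_available` also reports `true` in that case because it only checks the slice length, which deserves a sentence in its doc so callers do not read it as "lookups will succeed".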
@@ -0,0 +1,356 @@ +//! Generic SQL `WHERE` clause evaluator. +//! +//! The [`Evaluator`] is parameterised over a row type `T` and a column resolver +//! function that maps column names to [`SqlValue`]s. This lets each CLI crate +//! define its own column schema while sharing all parsing and evaluation logic. + +use sqlparser::ast::{BinaryOperator, Expr, UnaryOperator, Value}; +use sqlparser::dialect::GenericDialect; +use sqlparser::parser::Parser; + +use crate::value::SqlValue; + +/* ────────────────────────────── Parsing ───────────────────────────────── */ + +/// Parse a `WHERE` clause string into an AST expression. +pub fn parse_where(clause: &str) -> Result { + let sql = format!("SELECT 1 WHERE {clause}"); + let dialect = GenericDialect {}; + let statements = + Parser::parse_sql(&dialect, &sql).map_err(|e| format!("SQL parse error: {e}"))?; + + let Some(sqlparser::ast::Statement::Query(query)) = statements.into_iter().next() else { + return Err("expected a query statement".into()); + }; + + let Some(select) = query.body.as_select() else { + return Err("expected a SELECT body".into()); + }; + + select + .selection + .clone() + .ok_or_else(|| "empty WHERE clause".into()) +} + +/* ────────────────────────────── Evaluator ─────────────────────────────── */ + +/// Column resolver function type: maps a lowercased column name and a row to a [`SqlValue`]. +type Resolver = Box SqlValue>; + +/// A generic SQL `WHERE` evaluator bound to a column resolver. +pub struct Evaluator { + resolver: Resolver, +} + +impl Evaluator { + /// Create a new evaluator with the given column resolver. + /// + /// The resolver maps a column name (already lowercased) and a row to a [`SqlValue`]. + pub fn new(resolver: impl Fn(&str, &T) -> SqlValue + 'static) -> Self { + Self { + resolver: Box::new(resolver), + } + } + + /// Evaluate a parsed `WHERE` expression against a row, returning `true` if it passes. 
+ #[must_use] + pub fn eval_where(&self, expr: &Expr, row: &T) -> bool { + match self.eval_expr(expr, row) { + SqlValue::Bool(b) => b, + _ => false, + } + } + + fn eval_expr(&self, expr: &Expr, row: &T) -> SqlValue { + match expr { + // Column reference. + Expr::Identifier(ident) => self.resolve(&ident.value, row), + + // Compound identifier like table.column — just use the last part. + Expr::CompoundIdentifier(parts) => { + if let Some(last) = parts.last() { + self.resolve(&last.value, row) + } else { + SqlValue::Null + } + } + + // Literals. + Expr::Value(val) => match &val.value { + Value::Number(n, _) => n.parse::().map_or(SqlValue::Null, SqlValue::Int), + Value::SingleQuotedString(s) | Value::DoubleQuotedString(s) => { + SqlValue::Str(s.clone()) + } + Value::Boolean(b) => SqlValue::Bool(*b), + _ => SqlValue::Null, + }, + + // Binary operators. + Expr::BinaryOp { left, op, right } => { + let lhs = self.eval_expr(left, row); + let rhs = self.eval_expr(right, row); + eval_binop(&lhs, op, &rhs) + } + + // Unary NOT. + Expr::UnaryOp { + op: UnaryOperator::Not, + expr: inner, + } => SqlValue::Bool(!self.eval_expr(inner, row).as_bool()), + + // LIKE. + Expr::Like { + expr: inner, + pattern, + negated, + .. + } => { + let val = self.eval_expr(inner, row); + let pat = self.eval_expr(pattern, row); + let matches = match (val.as_str(), pat.as_str()) { + (Some(v), Some(p)) => sql_like(v, p), + _ => false, + }; + SqlValue::Bool(if *negated { !matches } else { matches }) + } + + // IN list. + Expr::InList { + expr: inner, + list, + negated, + } => { + let val = self.eval_expr(inner, row); + let found = list.iter().any(|item| { + let item_val = self.eval_expr(item, row); + vals_eq(&val, &item_val) + }); + SqlValue::Bool(if *negated { !found } else { found }) + } + + // BETWEEN. 
+ Expr::Between { + expr: inner, + low, + high, + negated, + } => { + let val = self.eval_expr(inner, row); + let lo = self.eval_expr(low, row); + let hi = self.eval_expr(high, row); + let between = match (val.as_int(), lo.as_int(), hi.as_int()) { + (Some(v), Some(l), Some(h)) => v >= l && v <= h, + _ => false, + }; + SqlValue::Bool(if *negated { !between } else { between }) + } + + // IS NULL / IS NOT NULL. + Expr::IsNull(inner) => { + SqlValue::Bool(matches!(self.eval_expr(inner, row), SqlValue::Null)) + } + Expr::IsNotNull(inner) => { + SqlValue::Bool(!matches!(self.eval_expr(inner, row), SqlValue::Null)) + } + + // Nested parens. + Expr::Nested(inner) => self.eval_expr(inner, row), + + _ => SqlValue::Null, + } + } + + fn resolve(&self, name: &str, row: &T) -> SqlValue { + (self.resolver)(&name.to_lowercase(), row) + } +} + +/* ──────────────────────── Shared helpers ──────────────────────────────── */ + +fn eval_binop(lhs: &SqlValue, op: &BinaryOperator, rhs: &SqlValue) -> SqlValue { + match op { + BinaryOperator::And => SqlValue::Bool(lhs.as_bool() && rhs.as_bool()), + BinaryOperator::Or => SqlValue::Bool(lhs.as_bool() || rhs.as_bool()), + + BinaryOperator::Eq => SqlValue::Bool(vals_eq(lhs, rhs)), + BinaryOperator::NotEq => SqlValue::Bool(!vals_eq(lhs, rhs)), + + BinaryOperator::Lt => { + SqlValue::Bool(vals_cmp(lhs, rhs).is_some_and(std::cmp::Ordering::is_lt)) + } + BinaryOperator::LtEq => SqlValue::Bool(vals_cmp(lhs, rhs).is_some_and(|c| !c.is_gt())), + BinaryOperator::Gt => { + SqlValue::Bool(vals_cmp(lhs, rhs).is_some_and(std::cmp::Ordering::is_gt)) + } + BinaryOperator::GtEq => SqlValue::Bool(vals_cmp(lhs, rhs).is_some_and(|c| !c.is_lt())), + + _ => SqlValue::Null, + } +} + +fn vals_eq(a: &SqlValue, b: &SqlValue) -> bool { + match (a, b) { + (SqlValue::Int(x), SqlValue::Int(y)) => x == y, + (SqlValue::Str(x), SqlValue::Str(y)) => x.eq_ignore_ascii_case(y), + (SqlValue::Bool(x), SqlValue::Bool(y)) => x == y, + _ => false, + } +} + +fn vals_cmp(a: 
&SqlValue, b: &SqlValue) -> Option { + match (a.as_int(), b.as_int()) { + (Some(x), Some(y)) => Some(x.cmp(&y)), + _ => None, + } +} + +/// SQL LIKE pattern matching (`%` = any, `_` = single char). +fn sql_like(input: &str, pattern: &str) -> bool { + let input = input.to_lowercase(); + let pattern = pattern.to_lowercase(); + like_match(input.as_bytes(), pattern.as_bytes()) +} + +fn like_match(input: &[u8], pattern: &[u8]) -> bool { + if pattern.is_empty() { + return input.is_empty(); + } + match pattern[0] { + b'%' => { + for i in 0..=input.len() { + if like_match(&input[i..], &pattern[1..]) { + return true; + } + } + false + } + b'_' => !input.is_empty() && like_match(&input[1..], &pattern[1..]), + c => { + !input.is_empty() + && input[0].eq_ignore_ascii_case(&c) + && like_match(&input[1..], &pattern[1..]) + } + } +} + +/* ────────────────────────────── Tests ─────────────────────────────────── */ + +#[cfg(test)] +mod tests { + use super::*; + + /// A simple row type for testing. + struct Row { + name: String, + count: i64, + active: bool, + } + + fn test_resolver(col: &str, row: &Row) -> SqlValue { + match col { + "name" => SqlValue::Str(row.name.clone()), + "count" => SqlValue::Int(row.count), + "active" => SqlValue::Bool(row.active), + _ => SqlValue::Null, + } + } + + fn eval(clause: &str, row: &Row) -> bool { + let expr = parse_where(clause).expect("valid SQL"); + let evaluator = Evaluator::new(test_resolver); + evaluator.eval_where(&expr, row) + } + + fn row(name: &str, count: i64, active: bool) -> Row { + Row { + name: name.to_string(), + count, + active, + } + } + + #[test] + fn eq_string() { + assert!(eval("name = 'foo'", &row("foo", 0, false))); + assert!(!eval("name = 'bar'", &row("foo", 0, false))); + } + + #[test] + fn eq_string_case_insensitive() { + assert!(eval("name = 'FOO'", &row("foo", 0, false))); + } + + #[test] + fn eq_int() { + assert!(eval("count = 5", &row("x", 5, false))); + assert!(!eval("count = 5", &row("x", 6, false))); + } + + #[test] 
+ fn gt_lt() { + assert!(eval("count > 3", &row("x", 5, false))); + assert!(!eval("count > 3", &row("x", 2, false))); + assert!(eval("count < 10", &row("x", 5, false))); + assert!(!eval("count < 10", &row("x", 15, false))); + } + + #[test] + fn between() { + assert!(eval("count BETWEEN 3 AND 7", &row("x", 5, false))); + assert!(!eval("count BETWEEN 3 AND 7", &row("x", 8, false))); + } + + #[test] + fn like_pattern() { + assert!(eval("name LIKE 'fo%'", &row("foobar", 0, false))); + assert!(!eval("name LIKE 'ba%'", &row("foobar", 0, false))); + assert!(eval("name LIKE '%bar'", &row("foobar", 0, false))); + assert!(eval("name LIKE 'f__bar'", &row("foobar", 0, false))); + } + + #[test] + fn in_list() { + assert!(eval("name IN ('foo', 'bar', 'baz')", &row("bar", 0, false))); + assert!(!eval("name IN ('foo', 'baz')", &row("bar", 0, false))); + } + + #[test] + fn and_or() { + assert!(eval("count > 3 AND name = 'foo'", &row("foo", 5, false))); + assert!(!eval("count > 3 AND name = 'bar'", &row("foo", 5, false))); + assert!(eval("count > 100 OR name = 'foo'", &row("foo", 5, false))); + } + + #[test] + fn not() { + assert!(eval("NOT count = 5", &row("x", 3, false))); + assert!(!eval("NOT count = 5", &row("x", 5, false))); + } + + #[test] + fn is_null() { + // "missing_col" resolves to SqlValue::Null + assert!(eval("missing_col IS NULL", &row("x", 0, false))); + assert!(!eval("name IS NULL", &row("x", 0, false))); + } + + #[test] + fn bool_column() { + assert!(eval("active = true", &row("x", 0, true))); + assert!(!eval("active = true", &row("x", 0, false))); + } + + #[test] + fn parse_invalid_sql() { + assert!(parse_where("this is not sql !!!").is_err()); + } + + #[test] + fn like_helper() { + assert!(sql_like("CreateFileW", "%File%")); + assert!(!sql_like("CloseHandle", "%File%")); + assert!(sql_like("abc", "a_c")); + assert!(!sql_like("abbc", "a_c")); + } +} diff --git a/crates/bb-sql/src/export.rs b/crates/bb-sql/src/export.rs new file mode 100644 index 0000000..47f3dec 
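Review bot: `like_match` walks bytes, so `_` consumes one byte and a multi-byte UTF-8 character (e.g. `é`, two bytes after `to_lowercase`) can never match a single `_`; the same function also recurses over every suffix at each `%`, so a user-supplied pattern with several `%` wildcards costs roughly O(n^k) against long column values. Matching on `char` slices with a two-pointer matcher that backtracks only to the last `%` fixes both while keeping the existing semantics, since both sides are already lowercased in `sql_like` (which makes the inner `eq_ignore_ascii_case` redundant). `sql_like`'s signature and the `like_helper` test are unchanged.

```rust
/// SQL LIKE pattern matching (`%` = any, `_` = single char).
fn sql_like(input: &str, pattern: &str) -> bool {
    let input: Vec<char> = input.to_lowercase().chars().collect();
    let pattern: Vec<char> = pattern.to_lowercase().chars().collect();
    like_match(&input, &pattern)
}

/// Iterative matcher: on a mismatch, resume just after the most recent `%`
/// with the input advanced by one, so cost is O(input * pattern) however
/// many `%` the pattern contains. Both slices are already lowercased.
fn like_match(input: &[char], pattern: &[char]) -> bool {
    let (mut i, mut p) = (0, 0);
    // (pattern index after the last `%`, input index it was matched at)
    let mut star: Option<(usize, usize)> = None;
    while i < input.len() {
        if p < pattern.len() && (pattern[p] == '_' || pattern[p] == input[i]) {
            i += 1;
            p += 1;
        } else if p < pattern.len() && pattern[p] == '%' {
            star = Some((p + 1, i));
            p += 1;
        } else if let Some((sp, si)) = star {
            p = sp;
            i = si + 1;
            star = Some((sp, i));
        } else {
            return false;
        }
    }
    // Trailing `%` wildcards match the empty remainder.
    while p < pattern.len() && pattern[p] == '%' {
        p += 1;
    }
    p == pattern.len()
}
```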
--- /dev/null
+++ b/crates/bb-sql/src/export.rs
@@ -0,0 +1,300 @@ +//! SQLite export utilities. +//! +//! Exports serde-serialized JSON objects into SQLite tables. Top-level scalar +//! fields become columns with native SQLite types; nested objects and arrays +//! are stored as JSON text. This ensures the SQLite export has the same level +//! of detail as the JSON output. + +use std::path::Path; + +use anyhow::{Context, Result}; +use rusqlite::Connection; +use serde_json::Value; + +/* ────────────────────────── Column inference ──────────────────────────── */ + +/// Infer column definitions from the union of all keys across all rows. +/// +/// Scans every row to build a complete column set. This is necessary because +/// serde `skip_serializing_if` can omit keys from individual rows (e.g. +/// `expression: Option` is absent when `None`). +fn infer_columns(rows: &[Value]) -> Vec<(String, &'static str)> { + let mut columns: Vec<(String, &'static str)> = Vec::new(); + + for row in rows { + let Some(obj) = row.as_object() else { + continue; + }; + for (key, val) in obj { + if columns.iter().any(|(k, _)| k == key) { + continue; + } + let sql_type = match val { + Value::Bool(_) => "BOOLEAN", + Value::Number(n) if n.is_i64() || n.is_u64() => "INTEGER", + Value::Number(_) => "REAL", + _ => "TEXT", + }; + columns.push((key.clone(), sql_type)); + } + } + + columns +} + +/// Convert a JSON value to a rusqlite parameter. +fn json_to_param(val: &Value) -> Box { + match val { + Value::Bool(b) => Box::new(*b), + Value::Number(n) => { + if let Some(i) = n.as_i64() { + Box::new(i) + } else if let Some(u) = n.as_u64() { + Box::new(u as i64) + } else if let Some(f) = n.as_f64() { + Box::new(f) + } else { + Box::new(rusqlite::types::Null) + } + } + Value::String(s) => Box::new(s.clone()), + Value::Null => Box::new(rusqlite::types::Null), + // Nested structures are stored as JSON text. 
+ val @ (Value::Array(_) | Value::Object(_)) => Box::new(val.to_string()), + } +} + +/* ─────────────────────────── Public API ───────────────────────────────── */ + +/// Export JSON objects to a SQLite table. +/// +/// Each [`Value`] in `rows` must be a JSON object. The table schema is +/// inferred from the union of all keys across all rows. Top-level scalar +/// fields map to native SQLite types; nested objects/arrays are stored as +/// JSON text. +/// +/// When `rows` is empty, an empty table with no columns is still created +/// so the output file always exists. +/// +/// This produces the same level of detail as `--json` output. +/// +/// # Errors +/// +/// Returns an error if the database cannot be opened, the table cannot be +/// created, or any row fails to insert. +pub fn export_json_to_sqlite(path: &Path, table: &str, rows: &[Value]) -> Result<()> { + let columns = infer_columns(rows); + + let mut conn = Connection::open(path) + .with_context(|| format!("failed to open SQLite database: {}", path.display()))?; + + // Drop + create table. + conn.execute_batch(&format!("DROP TABLE IF EXISTS [{table}]")) + .context("failed to drop existing table")?; + + if columns.is_empty() { + // Create an empty sentinel table so the file always exists. + conn.execute_batch(&format!("CREATE TABLE [{table}] (_empty INTEGER)")) + .context("failed to create empty table")?; + return Ok(()); + } + + let col_defs: Vec = columns + .iter() + .map(|(name, sql_type)| format!("[{name}] {sql_type}")) + .collect(); + let create_sql = format!("CREATE TABLE [{table}] ({})", col_defs.join(", ")); + conn.execute_batch(&create_sql) + .context("failed to create table")?; + + if rows.is_empty() { + return Ok(()); + } + + // Insert rows in a transaction. 
+ let placeholders: Vec = (1..=columns.len()).map(|i| format!("?{i}")).collect(); + let insert_sql = format!("INSERT INTO [{table}] VALUES ({})", placeholders.join(", ")); + + let tx = conn.transaction().context("failed to begin transaction")?; + { + let mut stmt = tx + .prepare(&insert_sql) + .context("failed to prepare insert")?; + for row in rows { + let obj = row.as_object().context("row is not a JSON object")?; + let params: Vec> = columns + .iter() + .map(|(key, _)| { + let val = obj.get(key).unwrap_or(&Value::Null); + json_to_param(val) + }) + .collect(); + let param_refs: Vec<&dyn rusqlite::types::ToSql> = + params.iter().map(AsRef::as_ref).collect(); + stmt.execute(param_refs.as_slice()) + .context("failed to insert row")?; + } + } + tx.commit().context("failed to commit transaction")?; + + Ok(()) +} + +/* ────────────────────────────── Tests ─────────────────────────────────── */ + +#[cfg(test)] +mod tests { + use std::collections::HashSet; + use std::fs; + use std::sync::atomic::{AtomicU32, Ordering}; + + use serde_json::json; + + use super::*; + + static COUNTER: AtomicU32 = AtomicU32::new(0); + + fn temp_db() -> std::path::PathBuf { + let n = COUNTER.fetch_add(1, Ordering::Relaxed); + let dir = std::env::temp_dir(); + dir.join(format!("bb_sql_test_{}_{n}.db", std::process::id())) + } + + #[test] + fn export_basic_rows() { + let path = temp_db(); + let _ = fs::remove_file(&path); + + let rows = vec![ + json!({"name": "foo", "value": 42, "active": true}), + json!({"name": "bar", "value": 7, "active": false}), + ]; + + export_json_to_sqlite(&path, "test", &rows).unwrap(); + + let conn = Connection::open(&path).unwrap(); + let count: i64 = conn + .query_row("SELECT COUNT(*) FROM test", [], |r| r.get(0)) + .unwrap(); + assert_eq!(count, 2); + + let name: String = conn + .query_row("SELECT name FROM test WHERE value = 42", [], |r| r.get(0)) + .unwrap(); + assert_eq!(name, "foo"); + + fs::remove_file(&path).ok(); + } + + #[test] + fn 
export_empty_rows_creates_table() { + let path = temp_db(); + let _ = fs::remove_file(&path); + + export_json_to_sqlite(&path, "empty", &[]).unwrap(); + + let conn = Connection::open(&path).unwrap(); + // Table should exist. + let exists: i64 = conn + .query_row( + "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='empty'", + [], + |r| r.get(0), + ) + .unwrap(); + assert_eq!(exists, 1); + + fs::remove_file(&path).ok(); + } + + #[test] + fn schema_union_across_rows() { + let path = temp_db(); + let _ = fs::remove_file(&path); + + // First row has no "extra" field, second row does. + // Both should be captured. + let rows = vec![ + json!({"name": "a", "value": 1}), + json!({"name": "b", "value": 2, "extra": "hello"}), + ]; + + export_json_to_sqlite(&path, "test", &rows).unwrap(); + + let conn = Connection::open(&path).unwrap(); + + // Check that the "extra" column exists. + let mut stmt = conn.prepare("PRAGMA table_info(test)").unwrap(); + let col_names: HashSet = stmt + .query_map([], |r| r.get::<_, String>(1)) + .unwrap() + .filter_map(|r| r.ok()) + .collect(); + + assert!(col_names.contains("name")); + assert!(col_names.contains("value")); + assert!( + col_names.contains("extra"), + "extra column from row 2 should be in schema" + ); + + // First row should have NULL for extra. + let extra: Option = conn + .query_row("SELECT extra FROM test WHERE name = 'a'", [], |r| r.get(0)) + .unwrap(); + assert!(extra.is_none(), "row 1 should have NULL for extra"); + + // Second row should have the value. 
+ let extra: Option = conn + .query_row("SELECT extra FROM test WHERE name = 'b'", [], |r| r.get(0)) + .unwrap(); + assert_eq!(extra.as_deref(), Some("hello")); + + fs::remove_file(&path).ok(); + } + + #[test] + fn nested_json_stored_as_text() { + let path = temp_db(); + let _ = fs::remove_file(&path); + + let rows = vec![json!({"name": "x", "nested": {"a": 1, "b": 2}})]; + + export_json_to_sqlite(&path, "test", &rows).unwrap(); + + let conn = Connection::open(&path).unwrap(); + let nested: String = conn + .query_row("SELECT nested FROM test", [], |r| r.get(0)) + .unwrap(); + // Should be valid JSON text. + let parsed: serde_json::Value = serde_json::from_str(&nested).unwrap(); + assert_eq!(parsed["a"], 1); + assert_eq!(parsed["b"], 2); + + fs::remove_file(&path).ok(); + } + + #[test] + fn multiple_tables_same_file() { + let path = temp_db(); + let _ = fs::remove_file(&path); + + let rows1 = vec![json!({"x": 1})]; + let rows2 = vec![json!({"y": 2})]; + + export_json_to_sqlite(&path, "table1", &rows1).unwrap(); + export_json_to_sqlite(&path, "table2", &rows2).unwrap(); + + let conn = Connection::open(&path).unwrap(); + let t1: i64 = conn + .query_row("SELECT x FROM table1", [], |r| r.get(0)) + .unwrap(); + let t2: i64 = conn + .query_row("SELECT y FROM table2", [], |r| r.get(0)) + .unwrap(); + assert_eq!(t1, 1); + assert_eq!(t2, 2); + + fs::remove_file(&path).ok(); + } +} diff --git a/crates/bb-sql/src/lib.rs b/crates/bb-sql/src/lib.rs new file mode 100644 index 0000000..06f25bf --- /dev/null +++ b/crates/bb-sql/src/lib.rs 
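Review bot: `export_json_to_sqlite` builds its DDL by interpolating `table` and every JSON key into `[...]`-quoted identifiers, and SQLite's bracket quoting has no escape for `]`, so a table name or key containing `]` terminates the identifier early and whatever follows runs as SQL inside `execute_batch`; the row values are correctly parameterised, only the identifiers are not. Quoting identifiers with `"` and doubling embedded quotes closes that, as sketched below for the `DROP`, both `CREATE` and the `INSERT` format sites. Separately, `json_to_param` converts a `u64` above `i64::MAX` with `u as i64`, which wraps to a negative number; `i64::try_from(u)` with a fallback to `f64` (or `Null`) would avoid silently storing a wrong value, and the same cast appears in `From<&serde_json::Value>` in `value.rs`.

```rust
/// Quote an identifier for SQLite. Double-quote quoting can escape its own
/// delimiter (by doubling it), which `[...]` cannot, so a `]` or `"` in a
/// table or column name cannot terminate the identifier early.
fn quote_ident(name: &str) -> String {
    format!("\"{}\"", name.replace('"', "\"\""))
}

pub fn export_json_to_sqlite(path: &Path, table: &str, rows: &[Value]) -> Result<()> {
    let columns = infer_columns(rows);
    let table = quote_ident(table);
    // … unchanged: open connection …
    conn.execute_batch(&format!("DROP TABLE IF EXISTS {table}"))
        .context("failed to drop existing table")?;
    // … unchanged: empty-table sentinel, now `CREATE TABLE {table} (_empty INTEGER)` …
    let col_defs: Vec<String> = columns
        .iter()
        .map(|(name, sql_type)| format!("{} {sql_type}", quote_ident(name)))
        .collect();
    let create_sql = format!("CREATE TABLE {table} ({})", col_defs.join(", "));
    // … unchanged: create table, placeholders …
    let insert_sql = format!("INSERT INTO {table} VALUES ({})", placeholders.join(", "));
    // … unchanged: transaction and row inserts …
```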
@@ -0,0 +1,28 @@
+#![allow(clippy::doc_markdown)] // "SQLite" is a proper noun, not code.
+#![allow(clippy::cast_sign_loss, clippy::cast_possible_wrap)] // SQL values cross i64/u64 boundary.
+//! SQL evaluation and SQLite export for Benowin Blanc.
+//!
+//! Provides a generic SQL `WHERE` clause evaluator that works with any row type
+//! via a column resolver closure, plus SQLite export utilities.
+
+mod eval;
+mod export;
+mod value;
+
+pub use eval::Evaluator;
+pub use export::export_json_to_sqlite;
+pub use value::SqlValue;
+
+/// Re-export the parsed expression type for callers that need to cache it.
+pub use sqlparser::ast::Expr;
+
+/// Parse a `WHERE` clause string into an AST expression.
+///
+/// Wraps the clause in `SELECT 1 WHERE ...` so `sqlparser` can handle it.
+///
+/// # Errors
+///
+/// Returns an error string if the SQL fails to parse.
+pub fn parse_where(clause: &str) -> Result {
+ eval::parse_where(clause)
+}
diff --git a/crates/bb-sql/src/value.rs b/crates/bb-sql/src/value.rs
new file mode 100644
index 0000000..373ff9b
--- /dev/null
+++ b/crates/bb-sql/src/value.rs
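Review bot: The crate-wide `#![allow(clippy::cast_sign_loss, clippy::cast_possible_wrap)]` on the second line silences those lints for every cast anywhere in the crate, while its comment justifies only the one i64/u64 crossing in value.rs; scoping it to that cast site with `#[allow(clippy::cast_possible_wrap)] // u64 above i64::MAX is stored by bit pattern` keeps any future narrowing casts in eval.rs or export.rs visible to clippy. Convention also puts the `//!` crate docs before inner `#![allow]` attributes. The doc on `parse_where` should name the sqlparser dialect that eval.rs passes to the parser (`GenericDialect`, or whichever it is; eval.rs is outside this hunk), since the dialect decides which quoting and operators a user-supplied clause may contain. The `pub use sqlparser::ast::Expr` re-export makes sqlparser's AST part of this crate's public API, so a sentence such as `/// Note: a sqlparser major bump changes this type for callers that cache it.` would make that coupling explicit.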
@@ -0,0 +1,80 @@
+//! SQL value representation.
+
+use rusqlite::types::ToSqlOutput;
+
+/* ──────────────────────────── Value type ──────────────────────────────── */
+
+/// A dynamically-typed SQL value used during expression evaluation and export.
+#[derive(Debug, Clone)]
+pub enum SqlValue {
+ Bool(bool),
+ Int(i64),
+ Str(String),
+ Null,
+}
+
+impl SqlValue {
+ /// Coerce to boolean (SQL truthiness).
+ #[must_use]
+ pub const fn as_bool(&self) -> bool {
+ match self {
+ Self::Bool(b) => *b,
+ Self::Int(n) => *n != 0,
+ Self::Str(s) => !s.is_empty(),
+ Self::Null => false,
+ }
+ }
+
+ /// Coerce to integer if possible.
+ #[must_use]
+ pub fn as_int(&self) -> Option {
+ match self {
+ Self::Int(n) => Some(*n),
+ Self::Bool(b) => Some(i64::from(*b)),
+ _ => None,
+ }
+ }
+
+ /// Coerce to string reference if the value is a string.
+ #[must_use]
+ pub fn as_str(&self) -> Option<&str> {
+ match self {
+ Self::Str(s) => Some(s),
+ _ => None,
+ }
+ }
+}
+
+/* ──────────────────────── rusqlite integration ───────────────────────── */
+
+impl rusqlite::types::ToSql for SqlValue {
+ fn to_sql(&self) -> rusqlite::Result> {
+ match self {
+ Self::Bool(b) => Ok(ToSqlOutput::from(*b)),
+ Self::Int(n) => Ok(ToSqlOutput::from(*n)),
+ Self::Str(s) => Ok(ToSqlOutput::from(s.as_str())),
+ Self::Null => Ok(ToSqlOutput::from(rusqlite::types::Null)),
+ }
+ }
+}
+
+/* ────────────────────────── serde_json conversion ────────────────────── */
+
+impl From<&serde_json::Value> for SqlValue {
+ fn from(v: &serde_json::Value) -> Self {
+ match v {
+ serde_json::Value::Bool(b) => Self::Bool(*b),
+ serde_json::Value::Number(n) => {
+ if let Some(i) = n.as_i64() {
+ Self::Int(i)
+ } else if let Some(u) = n.as_u64() {
+ Self::Int(u as i64)
+ } else {
+ Self::Null
+ }
+ }
+ serde_json::Value::String(s) => Self::Str(s.clone()),
+ _ => Self::Null,
+ }
+ }
+}
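Review bot: `From<&serde_json::Value>` silently flips the sign of any unsigned integer above `i64::MAX` (`Self::Int(u as i64)` in the `Number` arm is only reached once `as_i64()` has failed) and maps every float to `Null`, and neither behaviour is stated on the enum; a `WHERE value > 0` filter over such a constant would then be evaluated against a negative number, and the exported SQLite column would carry it too. If the wrap is deliberate because SQLite has no u64 column type, say so on the variant, e.g. `/// Int: JSON integers above i64::MAX are stored with their u64 bit pattern reinterpreted (negative); floats become Null.`; otherwise consider rejecting or saturating at the conversion. The `as_bool` doc calls the rule "SQL truthiness", but treating any non-empty `Str` as true differs from SQLite, which coerces text to a number first and so treats `'abc'` as false — worth spelling out the actual rule in the doc comment so filter authors are not surprised.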
diff --git a/util/bb-tui/Cargo.toml b/crates/bb-tui/Cargo.toml similarity index 100% rename from util/bb-tui/Cargo.toml rename to crates/bb-tui/Cargo.toml diff --git a/util/bb-tui/README.md b/crates/bb-tui/README.md similarity index 100% rename from util/bb-tui/README.md rename to crates/bb-tui/README.md diff --git a/util/bb-tui/src/event.rs b/crates/bb-tui/src/event.rs similarity index 100% rename from util/bb-tui/src/event.rs rename to crates/bb-tui/src/event.rs diff --git a/util/bb-tui/src/lib.rs b/crates/bb-tui/src/lib.rs similarity index 100% rename from util/bb-tui/src/lib.rs rename to crates/bb-tui/src/lib.rs diff --git a/util/bb-tui/src/ui.rs b/crates/bb-tui/src/ui.rs similarity index 100% rename from util/bb-tui/src/ui.rs rename to crates/bb-tui/src/ui.rs diff --git a/media/bb diagram.excalidraw b/media/bb diagram.excalidraw index a03a567..5c9552b 100644 --- a/media/bb diagram.excalidraw +++ b/media/bb diagram.excalidraw @@ -4,12 +4,12 @@ "source": "http://localhost:5000", "elements": [ { - "id": "YgiFqL-xzvp2bm9t0zqtN", + "id": "jQ7DYa808qPZonGgmkvRr", "type": "rectangle", - "x": 349.66655476888025, - "y": 233.57147216796875, - "width": 231.4285888671875, - "height": 132.57144165039062, + "x": 239.4179750570831, + "y": 256.67405774640616, + "width": 153.59153590622162, + "height": 61.87468373838669, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", 
@@ -24,30 +24,21 @@ "roundness": { "type": 3 }, - "seed": 1568118215, - "version": 97, - "versionNonce": 535157223, - "isDeleted": false, - "boundElements": [ - { - "type": "text", - "id": "tSIC6z5ed7UIu9i7KzCGw" - }, - { - "id": "b4iO-JS9mWVrGIbg-bHU3", - "type": "arrow" - } - ], - "updated": 1770992306494, + "seed": 2086883447, + "version": 169, + "versionNonce": 1999943528, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083959, "link": null, "locked": false }, { - "id": "tSIC6z5ed7UIu9i7KzCGw", + "id": "0IFDAzSArWRr0X2iGZ6kb", "type": "text", - "x": 433.3608830769857, - "y": 287.35719299316406, - "width": 64.03993225097656, + "x": 284.733777800233, + "y": 275.1113996155995, + "width": 62.959930419921875, "height": 25, "angle": 0, "strokeColor": "#1e1e1e", 
@@ -61,30 +52,60 @@ "frameId": null, "index": "a0V", "roundness": null, - "seed": 863226823, - "version": 58, - "versionNonce": 16738601, - "isDeleted": false, + "seed": 1749022457, + "version": 106, + "versionNonce": 1294127896, + "isDeleted": true, "boundElements": [], - "updated": 1770992306494, + "updated": 1774974083959, "link": null, "locked": false, - "text": "bb-sdk", + "text": "sparse", "fontSize": 20, "fontFamily": 5, "textAlign": "center", "verticalAlign": "middle", - "containerId": "YgiFqL-xzvp2bm9t0zqtN", - "originalText": "bb-sdk", + "containerId": "jQ7DYa808qPZonGgmkvRr", + "originalText": "sparse", "autoResize": true, "lineHeight": 1.25 }, { - "id": "rZgyE3tPvnvFq_HEdTR8I", + "id": "4F4qWl6X0E3s_dWvSgsqD", + "type": "rectangle", + "x": 239.4179749321467, + "y": 152.80831559572573, + "width": 153.59153590622162, + "height": 61.87468373838669, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "a3", + "roundness": { + "type": 3 + }, + "seed": 1010987577, + "version": 184, + "versionNonce": 695831144, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083959, + "link": null, + "locked": false + }, + { + "id": "bv-dFeGLYexEIje2Wtjkb", "type": "text", - "x": 400.85723876953125, - "y": 247.35719299316406, - "width": 8, + "x": 281.7237831684606, + "y": 171.24565746491908, + "width": 68.97991943359375, "height": 25, "angle": 0, "strokeColor": "#1e1e1e", 
@@ -96,33 +117,33 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "a1", + "index": "a4", "roundness": null, - "seed": 598015913, - "version": 4, - "versionNonce": 1980230407, + "seed": 462013209, + "version": 143, + "versionNonce": 1820897304, "isDeleted": true, "boundElements": [], - "updated": 1770991937514, + "updated": 1774974083959, "link": null, "locked": false, - "text": "", + "text": "sdk-api", "fontSize": 20, "fontFamily": 5, "textAlign": "center", "verticalAlign": "middle", - "containerId": "YgiFqL-xzvp2bm9t0zqtN", - "originalText": "", + "containerId": "4F4qWl6X0E3s_dWvSgsqD", + "originalText": "sdk-api", "autoResize": true, "lineHeight": 1.25 }, { - "id": "P8bjp0PDUx0KZKoXB4Jqh", - "type": "arrow", - "x": 399.67213437737075, - "y": 337.1429138183594, - "width": 0.8993988257542469, - "height": 99.85711669921875, + "id": "TIotk5GyAM9mfamVLyiha", + "type": "text", + "x": 652.6678309903268, + "y": 214.68299909849745, + "width": 566.1395263671875, + "height": 25, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", 
@@ -133,48 +154,33 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "a2", - "roundness": { - "type": 2 - }, - "seed": 1616021737, - "version": 142, - "versionNonce": 1839498727, + "index": "aC", + "roundness": null, + "seed": 49020823, + "version": 285, + "versionNonce": 28048744, "isDeleted": true, "boundElements": [], - "updated": 1770991957494, + "updated": 1774974083959, "link": null, "locked": false, - "points": [ - [ - 0, - 0 - ], - [ - 0.8993988257542469, - 99.85711669921875 - ] - ], - "startBinding": { - "elementId": "YgiFqL-xzvp2bm9t0zqtN", - "mode": "orbit", - "fixedPoint": [ - 0.4765428725598846, - 0.5234571274401151 - ] - }, - "endBinding": null, - "startArrowhead": null, - "endArrowhead": "arrow", - "elbowed": false + "text": "The nf-* (Native Function) .md files are passed to sparse", + "fontSize": 20, + "fontFamily": 5, + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "The nf-* (Native Function) .md files are passed to sparse", + "autoResize": true, + "lineHeight": 1.25 }, { - "id": "MLRsULapaVmdtJp3FRGXS", + "id": "PS2N1NOsXbObu12k-0nTt", "type": "rectangle", - "x": 349.66655476888025, - "y": 473.3809254964192, - "width": 231.4285888671875, - "height": 132.57144165039062, + "x": 182.5578616544264, + "y": 673.4311006881301, + "width": 258.4878193970961, + "height": 635.8297621019193, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", 
@@ -185,31 +191,26 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "a3", + "index": "aD", "roundness": { "type": 3 }, - "seed": 854652295, - "version": 224, - "versionNonce": 1776137808, - "isDeleted": false, - "boundElements": [ - { - "type": "text", - "id": "dRMAPxsMuOHJaeEfeu6Ks" - } - ], - "updated": 1772721287471, + "seed": 1718444601, + "version": 977, + "versionNonce": 1026223384, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083959, "link": null, "locked": false }, { - "id": "dRMAPxsMuOHJaeEfeu6Ks", + "id": "k72iTKaz-07ZQR8Wj3290", "type": "text", - "x": 426.31088765462243, - "y": 527.1666463216145, - "width": 78.13992309570312, - "height": 25, + "x": 652.6678312795116, + "y": 590.3344013495876, + "width": 554.4595336914062, + "height": 50, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", 
@@ -220,33 +221,70 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "a4", + "index": "aH", "roundness": null, - "seed": 812035239, - "version": 180, - "versionNonce": 746279401, - "isDeleted": false, + "seed": 1510986201, + "version": 297, + "versionNonce": 823660648, + "isDeleted": true, "boundElements": [], - "updated": 1770992235247, + "updated": 1774974083959, "link": null, "locked": false, - "text": "bb-clang", + "text": "Sparse parses the .md files and generates a consistently\nstructured JSON for each", "fontSize": 20, "fontFamily": 5, - "textAlign": "center", - "verticalAlign": "middle", - "containerId": "MLRsULapaVmdtJp3FRGXS", - "originalText": "bb-clang", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "Sparse parses the .md files and generates a consistently\nstructured JSON for each", "autoResize": true, "lineHeight": 1.25 }, { - "id": "51ej0x9jDd0B_zmFbZIug", + "id": "rfAP2Peq01QyqVfy6WLno", + "type": "text", + "x": 201.71533351679005, + "y": 713.1786259190814, + "width": 86.44335993780508, + "height": 86.84289609505637, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "aI", + "roundness": null, + "seed": 168840825, + "version": 833, + "versionNonce": 410880536, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083959, + "link": null, + "locked": false, + "text": "header: ...,\nlib: ...,\ndll: ...,\nmetadata:", + "fontSize": 17.368579219011274, + "fontFamily": 5, + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "header: ...,\nlib: ...,\ndll: ...,\nmetadata:", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "ufxQqKoq7Fga2_2j8lUWY", "type": "rectangle", - "x": 60.57367311783841, - "y": 735.6663564046218, - "width": 231.4285888671875, - "height": 
132.57144165039062, + "x": 201.71533392761137, + "y": 800.0215220833463, + "width": 160.57976886687004, + "height": 73.81881444563736, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", @@ -257,35 +295,26 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "a48", + "index": "aJ", "roundness": { "type": 3 }, - "seed": 81357767, - "version": 982, - "versionNonce": 608880304, - "isDeleted": false, - "boundElements": [ - { - "id": "LgOwvfuwHEkZSjqTczLCE", - "type": "text" - }, - { - "id": "l4tqfHGH78cA6lQH-8q8d", - "type": "arrow" - } - ], - "updated": 1772721239316, + "seed": 1302054711, + "version": 843, + "versionNonce": 1602863976, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083959, "link": null, "locked": false }, { - "id": "LgOwvfuwHEkZSjqTczLCE", + "id": "l6l8jgPuvHsZBZg8vabkA", "type": "text", - "x": 134.07800661393216, - "y": 789.4520772298171, - "width": 84.419921875, - "height": 25, + "x": 222.19286394810945, + "y": 815.2202055665106, + "width": 65.96582995079854, + "height": 43.42144804752819, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", 
@@ -296,33 +325,70 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "a4G", + "index": "aN", "roundness": null, - "seed": 1323445417, - "version": 937, - "versionNonce": 379482288, - "isDeleted": false, + "seed": 2036204249, + "version": 713, + "versionNonce": 158631704, + "isDeleted": true, "boundElements": [], - "updated": 1772721239316, + "updated": 1774974083959, "link": null, "locked": false, - "text": "bb-types", - "fontSize": 20, + "text": "UID: ...,\n...", + "fontSize": 17.368579219011274, "fontFamily": 5, - "textAlign": "center", - "verticalAlign": "middle", - "containerId": "51ej0x9jDd0B_zmFbZIug", - "originalText": "bb-types", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "UID: ...,\n...", "autoResize": true, "lineHeight": 1.25 }, { - "id": "UZrtJmZPOjBmuh7lwMQSV", + "id": "rKRkTHgSSk05hLR0Hgx3b", + "type": "text", + "x": 201.7153337750508, + "y": 883.8599175094752, + "width": 61.3283959772557, + "height": 21.710724023764094, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "aO", + "roundness": null, + "seed": 1329124983, + "version": 873, + "versionNonce": 1531778664, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083959, + "link": null, + "locked": false, + "text": "params:", + "fontSize": 17.368579219011274, + "fontFamily": 5, + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "params:", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "_5MNpqilFqzOFSOSBjQ0i", "type": "rectangle", - "x": 644.3061724589844, - "y": 735.6663564046223, - "width": 231.4285888671875, - "height": 132.57144165039062, + "x": 201.71533344981395, + "y": 905.5706410036324, + "width": 160.57976886687004, + "height": 218.06137805401153, "angle": 0, "strokeColor": "#1e1e1e", 
"backgroundColor": "transparent", @@ -333,35 +399,26 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "a4V", + "index": "aP", "roundness": { "type": 3 }, - "seed": 1097134663, - "version": 445, - "versionNonce": 1740700336, - "isDeleted": false, - "boundElements": [ - { - "type": "text", - "id": "yLlKizghZNqjd1LGCrcgW" - }, - { - "id": "607G2bKhkujY0rL7bixNF", - "type": "arrow" - } - ], - "updated": 1772721147116, + "seed": 900254807, + "version": 1013, + "versionNonce": 478405656, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083959, "link": null, "locked": false }, { - "id": "yLlKizghZNqjd1LGCrcgW", + "id": "npPXUcYXadeje0SgxcuOF", "type": "text", - "x": 712.1205111430664, - "y": 789.4520772298176, - "width": 95.79991149902344, - "height": 25, + "x": 222.19286357074333, + "y": 915.5902218409602, + "width": 93.47765307314872, + "height": 217.10724023764095, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", 
@@ -372,33 +429,33 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "a4l", + "index": "aS", "roundness": null, - "seed": 1891438951, - "version": 430, - "versionNonce": 1078144176, - "isDeleted": false, + "seed": 296862263, + "version": 798, + "versionNonce": 1227753832, + "isDeleted": true, "boundElements": [], - "updated": 1772721142536, + "updated": 1774974083959, "link": null, "locked": false, - "text": "bb-consts", - "fontSize": 20, + "text": "direction: {\n \"in\",\n \"out\",\n \"optional\n},\nvalues: {\n \"A\": 1,\n ...\n}\n", + "fontSize": 17.368579219011274, "fontFamily": 5, - "textAlign": "center", - "verticalAlign": "middle", - "containerId": "UZrtJmZPOjBmuh7lwMQSV", - "originalText": "bb-consts", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "direction: {\n \"in\",\n \"out\",\n \"optional\n},\nvalues: {\n \"A\": 1,\n ...\n}\n", "autoResize": true, "lineHeight": 1.25 }, { - "id": "AzKv5P7C0lD7ZvIAw89vd", - "type": "rectangle", - "x": 60.57367311783841, - "y": 952.6191660563143, - "width": 231.4285888671875, - "height": 132.57144165039062, + "id": "Kj28-MVOPOUyDGV27c4LH", + "type": "text", + "x": 201.71533384840933, + "y": 1136.254509121156, + "width": 189.12632554397652, + "height": 65.13217207129227, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", 
@@ -409,34 +466,99 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "a5", - "roundness": { + "index": "aU", + "roundness": null, + "seed": 1167796215, + "version": 948, + "versionNonce": 798990616, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083959, + "link": null, + "locked": false, + "text": "min_client_version: ...,\nmax_client_version: ...,\n...", + "fontSize": 17.368579219011274, + "fontFamily": 5, + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "min_client_version: ...,\nmax_client_version: ...,\n...", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "NFyWsDq8NbZ7rXGy_sEEA", + "type": "text", + "x": 652.667831, + "y": 390.0087000119974, + "width": 586.199462890625, + "height": 50, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "aV", + "roundness": null, + "seed": 2045844313, + "version": 335, + "versionNonce": 1417190504, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083959, + "link": null, + "locked": false, + "text": "The process is spread out in chunks (--chunk-size) that are\nspread out over workers (--workers)", + "fontSize": 20, + "fontFamily": 5, + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "The process is spread out in chunks (--chunk-size) that are\nspread out over workers (--workers)", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "Rtiro1kZEjwDJaWqfWRIF", + "type": "rectangle", + "x": 237.08812599670313, + "y": 360.53980059369536, + "width": 153.59153590622162, + "height": 61.87468373838669, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": 
null, + "index": "aW", + "roundness": { "type": 3 }, - "seed": 1142909769, - "version": 1114, - "versionNonce": 351066800, - "isDeleted": false, - "boundElements": [ - { - "id": "so3j-k_wk5a60ARWyfd9i", - "type": "text" - }, - { - "id": "l4tqfHGH78cA6lQH-8q8d", - "type": "arrow" - } - ], - "updated": 1772721239316, + "seed": 474556761, + "version": 198, + "versionNonce": 1111211544, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083959, "link": null, "locked": false }, { - "id": "so3j-k_wk5a60ARWyfd9i", + "id": "AUBvTeYPpYaWPkglL4Dxs", "type": "text", - "x": 116.51802431412747, - "y": 1006.4048868815096, - "width": 119.53988647460938, + "x": 281.6739253829194, + "y": 378.9771424628887, + "width": 64.41993713378906, "height": 25, "angle": 0, "strokeColor": "#1e1e1e", @@ -448,33 +570,33 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "a5V", + "index": "aX", "roundness": null, - "seed": 495262249, - "version": 1092, - "versionNonce": 1373504688, - "isDeleted": false, + "seed": 871142969, + "version": 166, + "versionNonce": 1593364328, + "isDeleted": true, "boundElements": [], - "updated": 1772721239316, + "updated": 1774974083959, "link": null, "locked": false, - "text": "bb-types-tui", + "text": "chunks", "fontSize": 20, "fontFamily": 5, "textAlign": "center", "verticalAlign": "middle", - "containerId": "AzKv5P7C0lD7ZvIAw89vd", - "originalText": "bb-types-tui", + "containerId": "Rtiro1kZEjwDJaWqfWRIF", + "originalText": "chunks", "autoResize": true, "lineHeight": 1.25 }, { - "id": "U8LMuoPM2R0JTVIQJOrw4", + "id": "XOt2nlNjEexHLN_89ireN", "type": "rectangle", - "x": 644.3061724589844, - "y": 954.7138519287112, - "width": 231.4285888671875, - "height": 132.57144165039062, + "x": 31.04844799670311, + "y": 479.45501201615235, + "width": 153.59153590622162, + "height": 61.87468373838669, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", 
@@ -485,34 +607,25 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "a6", + "index": "aY", "roundness": { "type": 3 }, - "seed": 323618407, - "version": 707, - "versionNonce": 580523696, - "isDeleted": false, - "boundElements": [ - { - "type": "text", - "id": "UWaBqpRE7Woinv3k4Do6a" - }, - { - "id": "607G2bKhkujY0rL7bixNF", - "type": "arrow" - } - ], - "updated": 1772721142536, + "seed": 1558211319, + "version": 340, + "versionNonce": 1162623768, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083959, "link": null, "locked": false }, { - "id": "UWaBqpRE7Woinv3k4Do6a", + "id": "mIYjhhZbkfnogqf6jq9yo", "type": "text", - "x": 694.5605288432617, - "y": 1008.4995727539065, - "width": 130.9198760986328, + "x": 75.97424372081002, + "y": 497.8923538853457, + "width": 63.73994445800781, "height": 25, "angle": 0, "strokeColor": "#1e1e1e", 
@@ -524,33 +637,33 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "a7", + "index": "aZ", "roundness": null, - "seed": 1227530631, - "version": 711, - "versionNonce": 780386480, - "isDeleted": false, + "seed": 2040919063, + "version": 324, + "versionNonce": 821731944, + "isDeleted": true, "boundElements": [], - "updated": 1772721142536, + "updated": 1774974083959, "link": null, "locked": false, - "text": "bb-consts-tui", + "text": "worker", "fontSize": 20, "fontFamily": 5, "textAlign": "center", "verticalAlign": "middle", - "containerId": "U8LMuoPM2R0JTVIQJOrw4", - "originalText": "bb-consts-tui", + "containerId": "XOt2nlNjEexHLN_89ireN", + "originalText": "worker", "autoResize": true, "lineHeight": 1.25 }, { - "id": "iZAmjLHp_FacgG0hikh7y", - "type": "arrow", - "x": 388.2276130209366, - "y": 337.1429138183594, - "width": 3.6712264566825183, - "height": 92.8571319580077, + "id": "_nCFnbUu3hCHIl8K26i7R", + "type": "rectangle", + "x": 237.08812599670318, + "y": 479.4550120161524, + "width": 153.59153590622162, + "height": 61.87468373838669, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", 
@@ -561,54 +674,25 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "aD", + "index": "aa", "roundness": { - "type": 2 + "type": 3 }, - "seed": 1185573383, - "version": 90, - "versionNonce": 1147963273, + "seed": 2015210743, + "version": 369, + "versionNonce": 1799690264, "isDeleted": true, "boundElements": [], - "updated": 1770992008198, + "updated": 1774974083959, "link": null, - "locked": false, - "points": [ - [ - 0, - 0 - ], - [ - 3.6712264566825183, - 92.8571319580077 - ] - ], - "startBinding": { - "elementId": "YgiFqL-xzvp2bm9t0zqtN", - "mode": "orbit", - "fixedPoint": [ - 0.416571269593805, - 0.5834287304061949 - ] - }, - "endBinding": { - "elementId": "MLRsULapaVmdtJp3FRGXS", - "mode": "orbit", - "fixedPoint": [ - 0.4684295785495987, - 0.4684295785495993 - ] - }, - "startArrowhead": null, - "endArrowhead": "arrow", - "elbowed": false + "locked": false }, { - "id": "zYU8UbYVl5cwyn0LH0PtA", + "id": "NX1-_ne7GFQxJVsf9R6hz", "type": "text", - "x": 310.047607421875, - "y": 1156.4285074869792, - "width": 8, + "x": 282.0139217208101, + "y": 497.89235388534576, + "width": 63.73994445800781, "height": 25, "angle": 0, "strokeColor": "#1e1e1e", 
@@ -620,33 +704,63 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "aE", + "index": "ab", "roundness": null, - "seed": 393838857, - "version": 3, - "versionNonce": 1056741959, + "seed": 2146104855, + "version": 354, + "versionNonce": 692721000, "isDeleted": true, "boundElements": [], - "updated": 1770992054893, + "updated": 1774974083959, "link": null, "locked": false, - "text": "", + "text": "worker", "fontSize": 20, "fontFamily": 5, - "textAlign": "left", - "verticalAlign": "top", - "containerId": null, - "originalText": "", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "_nCFnbUu3hCHIl8K26i7R", + "originalText": "worker", "autoResize": true, "lineHeight": 1.25 }, { - "id": "dpprmHdWtNcAybrDl69c1", - "type": "frame", - "x": 139.5238037109375, - "y": 678.9046478271482, - "width": 264.3809407552083, - "height": 344.5717976888019, + "id": "XkvZ7J5yVEWTHxPvwh_g4", + "type": "rectangle", + "x": 443.1278039967032, + "y": 479.4550120161524, + "width": 153.59153590622162, + "height": 61.87468373838669, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "ac", + "roundness": { + "type": 3 + }, + "seed": 1264873177, + "version": 343, + "versionNonce": 2014991640, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083959, + "link": null, + "locked": false + }, + { + "id": "zLcY1Rk9J1fDRta3qbKtj", + "type": "text", + "x": 488.0535997208101, + "y": 497.89235388534576, + "width": 63.73994445800781, + "height": 25, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", 
@@ -657,25 +771,33 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "aF", + "index": "ad", "roundness": null, - "seed": 163795399, - "version": 3, - "versionNonce": 1898801063, + "seed": 981674937, + "version": 328, + "versionNonce": 1832069224, "isDeleted": true, "boundElements": [], - "updated": 1770992085316, + "updated": 1774974083959, "link": null, "locked": false, - "name": null + "text": "worker", + "fontSize": 20, + "fontFamily": 5, + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "XkvZ7J5yVEWTHxPvwh_g4", + "originalText": "worker", + "autoResize": true, + "lineHeight": 1.25 }, { - "id": "hIvlDDitMWYmY0j8OKEcn", + "id": "rd9E92m3ujLQgUn7CnjTN", "type": "arrow", - "x": 477.458413891928, - "y": 379.0477701822917, - "width": 0.41912055888030864, - "height": 84.285659790039, + "x": 317.4564628181007, + "y": 211.70703731348613, + "width": 0.4092810376794205, + "height": 33.96702043292004, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", @@ -686,16 +808,16 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "aG", + "index": "ai", "roundness": { "type": 2 }, - "seed": 563329831, - "version": 110, - "versionNonce": 864056809, + "seed": 898362617, + "version": 54, + "versionNonce": 289403416, "isDeleted": true, "boundElements": [], - "updated": 1770992159574, + "updated": 1774974083959, "link": null, "locked": false, "points": [ 
@@ -704,24 +826,24 @@ 0 ], [ - 0.41912055888030864, - 84.285659790039 + 0.4092810376794205, + 33.96702043292004 ] ], "startBinding": { - "elementId": "YgiFqL-xzvp2bm9t0zqtN", - "mode": "orbit", + "elementId": "4F4qWl6X0E3s_dWvSgsqD", + "mode": "inside", "fixedPoint": [ - 0.5473076352047744, - 0.5473076352047743 + 0.5080910704194139, + 0.9519033982749874 ] }, "endBinding": { - "elementId": "MLRsULapaVmdtJp3FRGXS", + "elementId": "jQ7DYa808qPZonGgmkvRr", "mode": "orbit", "fixedPoint": [ - 0.5555005341407, - 0.4444994658592998 + 0.5139779702064853, + 0.48602202979351344 ] }, "startArrowhead": null, @@ -729,12 +851,12 @@ "elbowed": false }, { - "id": "YwhlNyOpeDJr3XjbfTLun", + "id": "9rFy5QC0uzLw7OyViHnUu", "type": "arrow", - "x": 461.7145792643229, - "y": 290.7142944335937, - "width": 0, - "height": 0, + "x": 317.4564628181007, + "y": 316.0963877423337, + "width": 0.9038580840213513, + "height": 33.44341285136164, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", @@ -745,16 +867,16 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "aH", + "index": "aj", "roundness": { "type": 2 }, - "seed": 736781319, - "version": 115, - "versionNonce": 717679280, + "seed": 276986137, + "version": 31, + "versionNonce": 411163496, "isDeleted": true, "boundElements": [], - "updated": 1772721090280, + "updated": 1774974083959, "link": null, "locked": false, "points": [ 
@@ -763,30 +885,3186 @@ 0 ], [ - 0, - 0 + -0.9038580840213513, + 33.44341285136164 ] ], "startBinding": { - "elementId": "YgiFqL-xzvp2bm9t0zqtN", + "elementId": "jQ7DYa808qPZonGgmkvRr", "mode": "inside", "fixedPoint": [ - 0.48415809405356086, - 0.4310341771519581 + 0.508091069605981, + 0.960365797539621 + ] + }, + "endBinding": { + "elementId": "Rtiro1kZEjwDJaWqfWRIF", + "mode": "orbit", + "fixedPoint": [ + 0.5101059694578957, + 0.4898940305421054 ] }, + "startArrowhead": null, + "endArrowhead": "arrow", + "elbowed": false, + "moveMidPointsWithElement": false + }, + { + "id": "HX00CH4A1Tl8IVT4fAUTU", + "type": "arrow", + "x": 236.06573393514358, + "y": 415.0176594978016, + "width": 108.70155863085316, + "height": 53.43735251835062, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "al", + "roundness": { + "type": 2 + }, + "seed": 602844951, + "version": 89, + "versionNonce": 229240600, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083959, + "link": null, + "locked": false, + "points": [ + [ + 0, + 0 + ], + [ + -108.70155863085316, + 53.43735251835062 + ] + ], + "startBinding": null, "endBinding": null, "startArrowhead": null, "endArrowhead": "arrow", - "elbowed": false + "elbowed": false, + "moveMidPointsWithElement": false }, { - "id": "b4iO-JS9mWVrGIbg-bHU3", + "id": "HCYjnjfOJTSV3SAH5spHt", "type": "arrow", - "x": 462.66693115234375, - "y": 365.9523315429687, - "width": 0.00020599327615400398, - "height": 96.4285939534505, + "x": 390.46833707924173, + "y": 414.5471945886929, + "width": 108.70155863085316, + "height": 53.43735251835062, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": 
"an", + "roundness": { + "type": 2 + }, + "seed": 707349209, + "version": 168, + "versionNonce": 1837248104, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083959, + "link": null, + "locked": false, + "points": [ + [ + 0, + 0 + ], + [ + 108.70155863085316, + 53.43735251835062 + ] + ], + "startBinding": null, + "endBinding": null, + "startArrowhead": null, + "endArrowhead": "arrow", + "elbowed": false, + "moveMidPointsWithElement": false + }, + { + "id": "k7I68ZFa5rLe8YbXkIiNm", + "type": "arrow", + "x": 310.0001140187078, + "y": 420.48567976651304, + "width": 1.5016049139078973, + "height": 47.96933224963931, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "ap", + "roundness": { + "type": 2 + }, + "seed": 1985796761, + "version": 51, + "versionNonce": 1171016728, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083959, + "link": null, + "locked": false, + "points": [ + [ + 0, + 0 + ], + [ + 1.5016049139078973, + 47.96933224963931 + ] + ], + "startBinding": { + "elementId": "Rtiro1kZEjwDJaWqfWRIF", + "mode": "inside", + "fixedPoint": [ + 0.474713581004376, + 0.9688272416272183 + ] + }, + "endBinding": { + "elementId": "_nCFnbUu3hCHIl8K26i7R", + "mode": "orbit", + "fixedPoint": [ + 0.4735569271938117, + 0.4735569271938122 + ] + }, + "startArrowhead": null, + "endArrowhead": "arrow", + "elbowed": false + }, + { + "id": "_xS_Sn2BLgwqqjSDUpijN", + "type": "arrow", + "x": 104.70110489904218, + "y": 539.2906725538268, + "width": 81.28535902485214, + "height": 131.5383484763904, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "aq", + "roundness": { + "type": 2 + }, + "seed": 
2121409433, + "version": 120, + "versionNonce": 83894632, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083959, + "link": null, + "locked": false, + "points": [ + [ + 0, + 0 + ], + [ + 81.28535902485214, + 131.5383484763904 + ] + ], + "startBinding": { + "elementId": "XOt2nlNjEexHLN_89ireN", + "mode": "inside", + "fixedPoint": [ + 0.4795359097607381, + 0.9670459212473149 + ] + }, + "endBinding": { + "elementId": "PS2N1NOsXbObu12k-0nTt", + "mode": "orbit", + "fixedPoint": [ + 0.6109143456314435, + 0.38908565436855647 + ] + }, + "startArrowhead": null, + "endArrowhead": "arrow", + "elbowed": false, + "moveMidPointsWithElement": false + }, + { + "id": "EWKSrsmLMQIHCZilndPIk", + "type": "arrow", + "x": 523.7496654054414, + "y": 540.7819481541721, + "width": 88.40571630571219, + "height": 128.42960844688764, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "ar", + "roundness": { + "type": 2 + }, + "seed": 1336227737, + "version": 99, + "versionNonce": 1671104792, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083959, + "link": null, + "locked": false, + "points": [ + [ + 0, + 0 + ], + [ + -88.40571630571219, + 128.42960844688764 + ] + ], + "startBinding": { + "elementId": "XkvZ7J5yVEWTHxPvwh_g4", + "mode": "inside", + "fixedPoint": [ + 0.5249108353077704, + 0.9911474682814881 + ] + }, + "endBinding": { + "elementId": "PS2N1NOsXbObu12k-0nTt", + "mode": "orbit", + "fixedPoint": [ + 0.35893888915483796, + 0.35893888915483774 + ] + }, + "startArrowhead": null, + "endArrowhead": "arrow", + "elbowed": false, + "moveMidPointsWithElement": false + }, + { + "id": "aQsB28DlndzFgn-D0b0qN", + "type": "arrow", + "x": 316.4622985527599, + "y": 540.7819481541721, + "width": 0.9625150569492575, + "height": 121.64915253395793, + "angle": 0, + "strokeColor": "#1e1e1e", + 
"backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "as", + "roundness": { + "type": 2 + }, + "seed": 1254621497, + "version": 87, + "versionNonce": 2118628456, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083959, + "link": null, + "locked": false, + "points": [ + [ + 0, + 0 + ], + [ + -0.9625150569492575, + 121.64915253395793 + ] + ], + "startBinding": { + "elementId": "_nCFnbUu3hCHIl8K26i7R", + "mode": "inside", + "fixedPoint": [ + 0.5167874133671023, + 0.9911474682814881 + ] + }, + "endBinding": { + "elementId": "PS2N1NOsXbObu12k-0nTt", + "mode": "orbit", + "fixedPoint": [ + 0.5043224875714795, + 0.49567751242852065 + ] + }, + "startArrowhead": null, + "endArrowhead": "arrow", + "elbowed": false, + "moveMidPointsWithElement": false + }, + { + "id": "Kz5KuQ5Fu2eL9YUN_RAX3", + "type": "rectangle", + "x": 235.00600309567994, + "y": 1388.7891345781047, + "width": 153.59153590622162, + "height": 61.87468373838669, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "at", + "roundness": { + "type": 3 + }, + "seed": 2023483927, + "version": 577, + "versionNonce": 1378661400, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083959, + "link": null, + "locked": false + }, + { + "id": "rcm6T1l_MtPzjtgRm4mpz", + "type": "text", + "x": 263.39179790425953, + "y": 1407.226476447298, + "width": 96.8199462890625, + "height": 25, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "au", + "roundness": null, + "seed": 199528247, + "version": 565, + 
"versionNonce": 993671528, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083959, + "link": null, + "locked": false, + "text": "outputter", + "fontSize": 20, + "fontFamily": 5, + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "Kz5KuQ5Fu2eL9YUN_RAX3", + "originalText": "outputter", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "W4k4jDrevpRxdq50h2ZWp", + "type": "arrow", + "x": 309.4424791008174, + "y": 1308.2580827956754, + "width": 0.7211392872695228, + "height": 69.53105178242936, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "av", + "roundness": { + "type": 2 + }, + "seed": 1690578521, + "version": 128, + "versionNonce": 847914520, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083959, + "link": null, + "locked": false, + "points": [ + [ + 0, + 0 + ], + [ + -0.7211392872695228, + 69.53105178242936 + ] + ], + "startBinding": { + "elementId": "PS2N1NOsXbObu12k-0nTt", + "mode": "inside", + "fixedPoint": [ + 0.4908727140115929, + 0.9984228797484109 + ] + }, + "endBinding": null, + "startArrowhead": null, + "endArrowhead": "arrow", + "elbowed": false, + "moveMidPointsWithElement": false + }, + { + "id": "oChI4LYK-Y_vBuIRygkoB", + "type": "rectangle", + "x": 231.64380709567993, + "y": 1388.7891345781052, + "width": 153.59153590622162, + "height": 61.87468373838669, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "aw", + "roundness": { + "type": 3 + }, + "seed": 1753494425, + "version": 636, + "versionNonce": 790947688, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083959, + "link": null, + "locked": false + }, + { + 
"id": "a4xxQ0vnEXjemQZQzCv7w", + "type": "text", + "x": 252.33960709224775, + "y": 1407.2264764472986, + "width": 112.19993591308594, + "height": 25, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "ax", + "roundness": null, + "seed": 1355569273, + "version": 643, + "versionNonce": 1871553304, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083959, + "link": null, + "locked": false, + "text": "output.json", + "fontSize": 20, + "fontFamily": 5, + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "oChI4LYK-Y_vBuIRygkoB", + "originalText": "output.json", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "cG9Oc_BzVe_h44PfKKJ0U", + "type": "arrow", + "x": 310.87379394534116, + "y": 1449.9618354469583, + "width": 5.684341886080802e-14, + "height": 46.37049813114686, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "ay", + "roundness": { + "type": 2 + }, + "seed": 55815897, + "version": 97, + "versionNonce": 2142830440, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false, + "points": [ + [ + 0, + 0 + ], + [ + 5.684341886080802e-14, + 46.37049813114686 + ] + ], + "startBinding": null, + "endBinding": { + "elementId": "oChI4LYK-Y_vBuIRygkoB", + "mode": "orbit", + "fixedPoint": [ + 0.4793471880808172, + 0.4793471880808117 + ] + }, + "startArrowhead": null, + "endArrowhead": "arrow", + "elbowed": false, + "moveMidPointsWithElement": false + }, + { + "id": "y6mn-yzz8l7Rd2uXPMyKp", + "type": "text", + "x": 652.6678312093712, + "y": 1309.260862849232, + "width": 504.7596435546875, + "height": 75, + "angle": 0, + 
"strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "az", + "roundness": null, + "seed": 55575191, + "version": 399, + "versionNonce": 870779672, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false, + "text": "The outputter merges all the processed chunks and\ngenerates the JSON objects, then writes them to\nthe file (-o/--output)", + "fontSize": 20, + "fontFamily": 5, + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "The outputter merges all the processed chunks and\ngenerates the JSON objects, then writes them to\nthe file (-o/--output)", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "PtM3aVQsH2_vqd4wnc60C", + "type": "rectangle", + "x": 188.77447, + "y": 691.550008, + "width": 243.44707499999998, + "height": 531.4652922633409, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b00", + "roundness": { + "type": 3 + }, + "seed": 415654161, + "version": 112, + "versionNonce": 708104808, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false + }, + { + "id": "FweN4FTyliCjpZpgdx-m3", + "type": "rectangle", + "x": 188.77447, + "y": 1236.2593470766762, + "width": 243.44707499999998, + "height": 48.967902623462805, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b01", + "roundness": { + "type": 3 + }, + "seed": 229254001, + "version": 86, + "versionNonce": 1577445400, + "isDeleted": true, + 
"boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false + }, + { + "id": "bJN_SlPRxhdR0qe6U0KE1", + "type": "text", + "x": 302.2780139086914, + "y": 1248.2432983884078, + "width": 16.439987182617188, + "height": 25, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b02", + "roundness": null, + "seed": 1799296177, + "version": 20, + "versionNonce": 1539196264, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false, + "text": "...", + "fontSize": 20, + "fontFamily": 5, + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "FweN4FTyliCjpZpgdx-m3", + "originalText": "...", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "Q_MHsS_4iuaIJ1XqVE5On", + "type": "text", + "x": 347.75613319562206, + "y": 1262.4310661235777, + "width": 8, + "height": 25, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b03", + "roundness": null, + "seed": 416991057, + "version": 5, + "versionNonce": 2051089688, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false, + "text": "", + "fontSize": 20, + "fontFamily": 5, + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "SlBFQTsBrE28SMDK0dYie", + "type": "text", + "x": 652.6678310730779, + "y": 957.2826543153917, + "width": 596.339599609375, + "height": 25, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 
100, + "groupIds": [], + "frameId": null, + "index": "b04", + "roundness": null, + "seed": 420721873, + "version": 457, + "versionNonce": 564222056, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false, + "text": "Each worker sends in their processed chunks upon completion", + "fontSize": 20, + "fontFamily": 5, + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "Each worker sends in their processed chunks upon completion", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "88dq_9RKuqgshZt9Gn3fT", + "type": "arrow", + "x": 948.2699696179717, + "y": 250.68299909849745, + "width": 0.5672926119459589, + "height": 122.13005038453124, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b05", + "roundness": { + "type": 2 + }, + "seed": 1495836657, + "version": 75, + "versionNonce": 1175241240, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false, + "points": [ + [ + 0, + 0 + ], + [ + 0.5672926119459589, + 122.13005038453124 + ] + ], + "startBinding": { + "elementId": "TIotk5GyAM9mfamVLyiha", + "mode": "orbit", + "fixedPoint": [ + 0.5216726081844274, + 0.5216726081844274 + ] + }, + "endBinding": null, + "startArrowhead": null, + "endArrowhead": "arrow", + "elbowed": false + }, + { + "id": "U0XeBtu5VWi0bpkw0IK2q", + "type": "arrow", + "x": 951.6388709399841, + "y": 454.3781675102265, + "width": 0.5672926119459589, + "height": 122.13005038453124, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b06", + "roundness": { + "type": 2 + }, + "seed": 2053747967, + 
"version": 117, + "versionNonce": 2141850472, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false, + "points": [ + [ + 0, + 0 + ], + [ + 0.5672926119459589, + 122.13005038453124 + ] + ], + "startBinding": null, + "endBinding": null, + "startArrowhead": null, + "endArrowhead": "arrow", + "elbowed": false + }, + { + "id": "EqK5S5Nrh5avwqbu0Hl9E", + "type": "arrow", + "x": 950.7713717394281, + "y": 661.626931863157, + "width": 1.092798264174462, + "height": 273.18359538627465, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b07", + "roundness": { + "type": 2 + }, + "seed": 1690166033, + "version": 240, + "versionNonce": 811384600, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false, + "points": [ + [ + 0, + 0 + ], + [ + -1.092798264174462, + 273.18359538627465 + ] + ], + "startBinding": null, + "endBinding": null, + "startArrowhead": null, + "endArrowhead": "arrow", + "elbowed": false + }, + { + "id": "61roeiWzd_DDz8S5o11UI", + "type": "arrow", + "x": 383.35159093998413, + "y": 1009.7269627188783, + "width": 0.5672926119459589, + "height": 122.13005038453124, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b08", + "roundness": { + "type": 2 + }, + "seed": 2026986897, + "version": 79, + "versionNonce": 539254376, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false, + "points": [ + [ + 0, + 0 + ], + [ + 0.5672926119459589, + 122.13005038453124 + ] + ], + "startBinding": null, + "endBinding": null, + "startArrowhead": null, + "endArrowhead": 
"arrow", + "elbowed": false + }, + { + "id": "5l4H3pEMV3TDnUCXL9x5u", + "type": "arrow", + "x": 951.84738528086, + "y": 990.8331687688242, + "width": 1.1085390365815329, + "height": 307.4276940804075, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b09", + "roundness": { + "type": 2 + }, + "seed": 351723679, + "version": 309, + "versionNonce": 698686488, + "isDeleted": true, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false, + "points": [ + [ + 0, + 0 + ], + [ + -1.1085390365815329, + 307.4276940804075 + ] + ], + "startBinding": null, + "endBinding": null, + "startArrowhead": null, + "endArrowhead": "arrow", + "elbowed": false + }, + { + "id": "YgiFqL-xzvp2bm9t0zqtN", + "type": "rectangle", + "x": 349.66655476888025, + "y": 233.57147216796875, + "width": 231.4285888671875, + "height": 132.57144165039062, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0A", + "roundness": { + "type": 3 + }, + "seed": 1568118215, + "version": 103, + "versionNonce": 64770408, + "isDeleted": false, + "boundElements": [ + { + "id": "tSIC6z5ed7UIu9i7KzCGw", + "type": "text" + }, + { + "id": "b4iO-JS9mWVrGIbg-bHU3", + "type": "arrow" + } + ], + "updated": 1774974083961, + "link": null, + "locked": false + }, + { + "id": "tSIC6z5ed7UIu9i7KzCGw", + "type": "text", + "x": 433.3608830769857, + "y": 287.35719299316406, + "width": 64.03993225097656, + "height": 25, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": 
"b0B", + "roundness": null, + "seed": 863226823, + "version": 64, + "versionNonce": 1943656728, + "isDeleted": false, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false, + "text": "bb-sdk", + "fontSize": 20, + "fontFamily": 5, + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "YgiFqL-xzvp2bm9t0zqtN", + "originalText": "bb-sdk", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "MLRsULapaVmdtJp3FRGXS", + "type": "rectangle", + "x": 349.66655476888025, + "y": 473.3809254964192, + "width": 231.4285888671875, + "height": 132.57144165039062, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0C", + "roundness": { + "type": 3 + }, + "seed": 854652295, + "version": 265, + "versionNonce": 840819816, + "isDeleted": false, + "boundElements": [ + { + "id": "dRMAPxsMuOHJaeEfeu6Ks", + "type": "text" + } + ], + "updated": 1774974083961, + "link": null, + "locked": false + }, + { + "id": "dRMAPxsMuOHJaeEfeu6Ks", + "type": "text", + "x": 426.31088765462243, + "y": 527.1666463216145, + "width": 78.13992309570312, + "height": 25, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0D", + "roundness": null, + "seed": 812035239, + "version": 197, + "versionNonce": 1919874584, + "isDeleted": false, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false, + "text": "bb-clang", + "fontSize": 20, + "fontFamily": 5, + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "MLRsULapaVmdtJp3FRGXS", + "originalText": "bb-clang", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "51ej0x9jDd0B_zmFbZIug", + "type": 
"rectangle", + "x": 60.57367311783841, + "y": 735.6663564046218, + "width": 231.4285888671875, + "height": 132.57144165039062, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0E", + "roundness": { + "type": 3 + }, + "seed": 81357767, + "version": 1345, + "versionNonce": 1756698472, + "isDeleted": false, + "boundElements": [ + { + "id": "LgOwvfuwHEkZSjqTczLCE", + "type": "text" + }, + { + "id": "l4tqfHGH78cA6lQH-8q8d", + "type": "arrow" + } + ], + "updated": 1774974083961, + "link": null, + "locked": false + }, + { + "id": "LgOwvfuwHEkZSjqTczLCE", + "type": "text", + "x": 134.07800661393216, + "y": 789.4520772298171, + "width": 84.419921875, + "height": 25, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0F", + "roundness": null, + "seed": 1323445417, + "version": 1280, + "versionNonce": 2052616984, + "isDeleted": false, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false, + "text": "bb-types", + "fontSize": 20, + "fontFamily": 5, + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "51ej0x9jDd0B_zmFbZIug", + "originalText": "bb-types", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "UZrtJmZPOjBmuh7lwMQSV", + "type": "rectangle", + "x": 644.3061724589844, + "y": 735.6663564046223, + "width": 231.4285888671875, + "height": 132.57144165039062, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0G", + "roundness": { + "type": 3 + }, + "seed": 1097134663, + 
"version": 732, + "versionNonce": 1273883240, + "isDeleted": false, + "boundElements": [ + { + "id": "yLlKizghZNqjd1LGCrcgW", + "type": "text" + }, + { + "id": "607G2bKhkujY0rL7bixNF", + "type": "arrow" + } + ], + "updated": 1774974083961, + "link": null, + "locked": false + }, + { + "id": "yLlKizghZNqjd1LGCrcgW", + "type": "text", + "x": 712.1205111430664, + "y": 789.4520772298176, + "width": 95.79991149902344, + "height": 25, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0H", + "roundness": null, + "seed": 1891438951, + "version": 690, + "versionNonce": 571101208, + "isDeleted": false, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false, + "text": "bb-consts", + "fontSize": 20, + "fontFamily": 5, + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "UZrtJmZPOjBmuh7lwMQSV", + "originalText": "bb-consts", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "AzKv5P7C0lD7ZvIAw89vd", + "type": "rectangle", + "x": 60.57367311783841, + "y": 952.6191660563143, + "width": 231.4285888671875, + "height": 132.57144165039062, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0I", + "roundness": { + "type": 3 + }, + "seed": 1142909769, + "version": 1253, + "versionNonce": 378821992, + "isDeleted": false, + "boundElements": [ + { + "id": "so3j-k_wk5a60ARWyfd9i", + "type": "text" + }, + { + "id": "l4tqfHGH78cA6lQH-8q8d", + "type": "arrow" + } + ], + "updated": 1774974083961, + "link": null, + "locked": false + }, + { + "id": "so3j-k_wk5a60ARWyfd9i", + "type": "text", + "x": 116.51802431412747, + "y": 1006.4048868815096, + "width": 119.53988647460938, + 
"height": 25, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0J", + "roundness": null, + "seed": 495262249, + "version": 1200, + "versionNonce": 293113112, + "isDeleted": false, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false, + "text": "bb-types-tui", + "fontSize": 20, + "fontFamily": 5, + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "AzKv5P7C0lD7ZvIAw89vd", + "originalText": "bb-types-tui", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "U8LMuoPM2R0JTVIQJOrw4", + "type": "rectangle", + "x": 644.3061724589844, + "y": 954.7138519287112, + "width": 231.4285888671875, + "height": 132.57144165039062, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0K", + "roundness": { + "type": 3 + }, + "seed": 323618407, + "version": 973, + "versionNonce": 1240756328, + "isDeleted": false, + "boundElements": [ + { + "id": "UWaBqpRE7Woinv3k4Do6a", + "type": "text" + }, + { + "id": "607G2bKhkujY0rL7bixNF", + "type": "arrow" + } + ], + "updated": 1774974083961, + "link": null, + "locked": false + }, + { + "id": "UWaBqpRE7Woinv3k4Do6a", + "type": "text", + "x": 694.5605288432617, + "y": 1008.4995727539065, + "width": 130.9198760986328, + "height": 25, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0L", + "roundness": null, + "seed": 1227530631, + "version": 950, + "versionNonce": 1377249816, + "isDeleted": false, + "boundElements": [], + "updated": 1774974083961, + 
"link": null, + "locked": false, + "text": "bb-consts-tui", + "fontSize": 20, + "fontFamily": 5, + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "U8LMuoPM2R0JTVIQJOrw4", + "originalText": "bb-consts-tui", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "b4iO-JS9mWVrGIbg-bHU3", + "type": "arrow", + "x": 462.66693115234375, + "y": 365.9523315429687, + "width": 0.00020599327615400398, + "height": 96.4285939534505, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0M", + "roundness": { + "type": 2 + }, + "seed": 1319256265, + "version": 103, + "versionNonce": 1574577000, + "isDeleted": false, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false, + "points": [ + [ + 0, + 0 + ], + [ + -0.00020599327615400398, + 96.4285939534505 + ] + ], + "startBinding": { + "elementId": "YgiFqL-xzvp2bm9t0zqtN", + "mode": "inside", + "fixedPoint": [ + 0.4882731944941871, + 0.9985624183231463 + ] + }, + "endBinding": null, + "startArrowhead": null, + "endArrowhead": "arrow", + "elbowed": false, + "moveMidPointsWithElement": false + }, + { + "id": "Nmoz8ryYJAmyPpJ_pziv9", + "type": "arrow", + "x": 582.1678615496126, + "y": 607.1133798764413, + "width": 56.83730196289332, + "height": 90.66818352818086, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0N", + "roundness": { + "type": 2 + }, + "seed": 2048926377, + "version": 408, + "versionNonce": 517613336, + "isDeleted": false, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false, + "points": [ + [ + 0, + 0 + ], + [ + 56.83730196289332, + 90.66818352818086 + ] + ], + 
"startBinding": null, + "endBinding": null, + "startArrowhead": null, + "endArrowhead": "arrow", + "elbowed": false, + "moveMidPointsWithElement": false + }, + { + "id": "l4tqfHGH78cA6lQH-8q8d", + "type": "arrow", + "x": 175.8121476458334, + "y": 867.6667480468747, + "width": 3.792423902866375, + "height": 73.95241800943961, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0O", + "roundness": { + "type": 2 + }, + "seed": 1231803367, + "version": 1155, + "versionNonce": 1888581224, + "isDeleted": false, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false, + "points": [ + [ + 0, + 0 + ], + [ + 3.792423902866375, + 73.95241800943961 + ] + ], + "startBinding": { + "elementId": "51ej0x9jDd0B_zmFbZIug", + "mode": "inside", + "fixedPoint": [ + 0.49794398821715224, + 0.9956925111394379 + ] + }, + "endBinding": { + "elementId": "AzKv5P7C0lD7ZvIAw89vd", + "mode": "orbit", + "fixedPoint": [ + 0.5305589323716747, + 0.4694410676283262 + ] + }, + "startArrowhead": null, + "endArrowhead": "arrow", + "elbowed": false, + "moveMidPointsWithElement": false + }, + { + "id": "607G2bKhkujY0rL7bixNF", + "type": "arrow", + "x": 763.8303322083334, + "y": 867.666748046875, + "width": 3.0018692077396736, + "height": 76.04710388183616, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0P", + "roundness": { + "type": 2 + }, + "seed": 429692167, + "version": 876, + "versionNonce": 875922456, + "isDeleted": false, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false, + "points": [ + [ + 0, + 0 + ], + [ + 3.0018692077396736, + 76.04710388183616 + ] + ], + "startBinding": 
{ + "elementId": "UZrtJmZPOjBmuh7lwMQSV", + "mode": "inside", + "fixedPoint": [ + 0.5164623797535302, + 0.9956925111394361 + ] + }, + "endBinding": { + "elementId": "U8LMuoPM2R0JTVIQJOrw4", + "mode": "orbit", + "fixedPoint": [ + 0.541673397569584, + 0.45832660243041595 + ] + }, + "startArrowhead": null, + "endArrowhead": "arrow", + "elbowed": false, + "moveMidPointsWithElement": false + }, + { + "id": "Sq6bwWF6GPmLMB1gvMW4j", + "type": "text", + "x": 632.1900431315107, + "y": 287.6189473470052, + "width": 548.07177734375, + "height": 35, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0Q", + "roundness": null, + "seed": 949739495, + "version": 194, + "versionNonce": 1994811752, + "isDeleted": false, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false, + "text": "Discovers SDK, builds synthetic headers", + "fontSize": 28, + "fontFamily": 5, + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "Discovers SDK, builds synthetic headers", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "m4_WuFlctrnFJLExJqCLr", + "type": "text", + "x": 632.1900431315107, + "y": 531.4282277425131, + "width": 570.1358032226562, + "height": 35, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0R", + "roundness": null, + "seed": 1130321383, + "version": 217, + "versionNonce": 538788120, + "isDeleted": false, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false, + "text": "Parses AST, extracts structured entities", + "fontSize": 28, + "fontFamily": 5, + "textAlign": "left", + "verticalAlign": "top", + "containerId": 
null, + "originalText": "Parses AST, extracts structured entities", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "Pw1ZveR4Cqeey3oAU_9FK", + "type": "text", + "x": 962.8777768697917, + "y": 787.4287109375, + "width": 193.64793395996094, + "height": 35, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0S", + "roundness": null, + "seed": 401996873, + "version": 440, + "versionNonce": 1814363240, + "isDeleted": false, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false, + "text": "CLI frontends", + "fontSize": 28, + "fontFamily": 5, + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "CLI frontends", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "dM0D1bs4f6-c8nywfFkuv", + "type": "text", + "x": 962.8777768697917, + "y": 1006.3572387695312, + "width": 205.26791381835938, + "height": 35, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0T", + "roundness": null, + "seed": 1042761671, + "version": 347, + "versionNonce": 302341656, + "isDeleted": false, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false, + "text": "TUI frontends", + "fontSize": 28, + "fontFamily": 5, + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "TUI frontends", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "pNaCNeWcnrSacPoPxWnp1", + "type": "arrow", + "x": 349.18545216399195, + "y": 608.337120586715, + "width": 56.83730196289332, + "height": 90.66818352818086, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": 
"solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0U", + "roundness": { + "type": 2 + }, + "seed": 1866543280, + "version": 550, + "versionNonce": 35204968, + "isDeleted": false, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false, + "points": [ + [ + 0, + 0 + ], + [ + -56.83730196289332, + 90.66818352818086 + ] + ], + "startBinding": null, + "endBinding": null, + "startArrowhead": null, + "endArrowhead": "arrow", + "elbowed": false, + "moveMidPointsWithElement": false + }, + { + "id": "iBCfEa_kcs9nqougTQ6Ik", + "type": "rectangle", + "x": 352.43992203465797, + "y": 736.0761986331474, + "width": 231.4285888671875, + "height": 132.57144165039062, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0V", + "roundness": { + "type": 3 + }, + "seed": 762215504, + "version": 1306, + "versionNonce": 719444760, + "isDeleted": false, + "boundElements": [ + { + "id": "nNPpWLpOMYrk-BEQFqlbV", + "type": "text" + }, + { + "id": "BMPIHnLsgb_8c4X_jamG7", + "type": "arrow" + }, + { + "id": "8b1fdoAmbFbe_8MEcwU-1", + "type": "arrow" + } + ], + "updated": 1774974083961, + "link": null, + "locked": false + }, + { + "id": "nNPpWLpOMYrk-BEQFqlbV", + "type": "text", + "x": 426.76426285497047, + "y": 789.8619194583428, + "width": 82.7799072265625, + "height": 25, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0W", + "roundness": null, + "seed": 1492808272, + "version": 1279, + "versionNonce": 1359938152, + "isDeleted": false, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": 
false, + "text": "bb-funcs", + "fontSize": 20, + "fontFamily": 5, + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "iBCfEa_kcs9nqougTQ6Ik", + "originalText": "bb-funcs", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "HV38jHnMXHsLPDcoC92Lf", + "type": "rectangle", + "x": 347.9078840346581, + "y": 1111.7130002848398, + "width": 231.4285888671875, + "height": 132.57144165039062, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0X", + "roundness": { + "type": 3 + }, + "seed": 1536665680, + "version": 1463, + "versionNonce": 1294383128, + "isDeleted": false, + "boundElements": [ + { + "id": "p_bo45N7CO9CYtx3Vqy5U", + "type": "text" + }, + { + "id": "8b1fdoAmbFbe_8MEcwU-1", + "type": "arrow" + } + ], + "updated": 1774974083961, + "link": null, + "locked": false + }, + { + "id": "p_bo45N7CO9CYtx3Vqy5U", + "type": "text", + "x": 416.9322294326073, + "y": 1165.4987211100351, + "width": 93.37989807128906, + "height": 25, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0Y", + "roundness": null, + "seed": 1092492880, + "version": 1479, + "versionNonce": 131233128, + "isDeleted": false, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false, + "text": "bb-sparse", + "fontSize": 20, + "fontFamily": 5, + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "HV38jHnMXHsLPDcoC92Lf", + "originalText": "bb-sparse", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "8b1fdoAmbFbe_8MEcwU-1", + "type": "arrow", + "x": 467.67839656265295, + "y": 868.0765902754003, + "width": 2.599127902207613, + "height": 232.6364100094395, + "angle": 
0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0Z", + "roundness": { + "type": 2 + }, + "seed": 1516622928, + "version": 1019, + "versionNonce": 1825043736, + "isDeleted": false, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false, + "points": [ + [ + 0, + 0 + ], + [ + -2.599127902207613, + 232.6364100094395 + ] + ], + "startBinding": { + "elementId": "iBCfEa_kcs9nqougTQ6Ik", + "mode": "inside", + "fixedPoint": [ + 0.49794398821715224, + 0.9956925111394379 + ] + }, + "endBinding": { + "elementId": "HV38jHnMXHsLPDcoC92Lf", + "mode": "orbit", + "fixedPoint": [ + 0.5025815302865124, + 0.49741846971348647 + ] + }, + "startArrowhead": "arrow", + "endArrowhead": null, + "elbowed": false, + "moveMidPointsWithElement": false + }, + { + "id": "BMPIHnLsgb_8c4X_jamG7", + "type": "arrow", + "x": 462.8535243671166, + "y": 608.641357390665, + "width": 0.5926667276448825, + "height": 116.43484124248243, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0a", + "roundness": { + "type": 2 + }, + "seed": 2070522544, + "version": 262, + "versionNonce": 464488552, + "isDeleted": false, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false, + "points": [ + [ + 0, + 0 + ], + [ + 0.5926667276448825, + 116.43484124248243 + ] + ], + "startBinding": null, + "endBinding": { + "elementId": "iBCfEa_kcs9nqougTQ6Ik", + "mode": "orbit", + "fixedPoint": [ + 0.48130200911029575, + 0.4813020091102959 + ] + }, + "startArrowhead": null, + "endArrowhead": "arrow", + "elbowed": false, + "moveMidPointsWithElement": false + }, + { + "id": "-nT6b25Fru71XImO8lrTO", + "type": "rectangle", + 
"x": 347.90788403263093, + "y": 1355.8696190283385, + "width": 231.4285888671875, + "height": 132.57144165039062, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0b", + "roundness": { + "type": 3 + }, + "seed": 961170963, + "version": 1616, + "versionNonce": 1597608472, + "isDeleted": false, + "boundElements": [ + { + "id": "94Mf1tCrzxAmRJx_IozMR", + "type": "text" + }, + { + "id": "AuS565SIOpX70yPxyYCna", + "type": "arrow" + } + ], + "updated": 1774974083961, + "link": null, + "locked": false + }, + { + "id": "94Mf1tCrzxAmRJx_IozMR", + "type": "text", + "x": 432.14221325626374, + "y": 1409.6553398535339, + "width": 62.959930419921875, + "height": 25, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0c", + "roundness": null, + "seed": 1167922099, + "version": 1643, + "versionNonce": 2020752232, + "isDeleted": false, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false, + "text": "sparse", + "fontSize": 20, + "fontFamily": 5, + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "-nT6b25Fru71XImO8lrTO", + "originalText": "sparse", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "AuS565SIOpX70yPxyYCna", + "type": "arrow", + "x": 462.40238456062593, + "y": 1255.0153760188991, + "width": 0.9789472091575249, + "height": 89.85424300943919, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0d", + "roundness": { + "type": 2 + }, + "seed": 1925588307, + "version": 1199, 
+ "versionNonce": 728731416, + "isDeleted": false, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false, + "points": [ + [ + 0, + 0 + ], + [ + 0.9789472091575249, + 89.85424300943919 + ] + ], + "startBinding": null, + "endBinding": { + "elementId": "-nT6b25Fru71XImO8lrTO", + "mode": "orbit", + "fixedPoint": [ + 0.5025815302865124, + 0.49741846971348647 + ] + }, + "startArrowhead": "arrow", + "endArrowhead": null, + "elbowed": false, + "moveMidPointsWithElement": false + }, + { + "id": "PzB-Tg--52wU4U8UDFbXh", + "type": "text", + "x": 632.1900433500834, + "y": 1152.9987207362924, + "width": 167.0598602294922, + "height": 50, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0e", + "roundness": null, + "seed": 158952019, + "version": 50, + "versionNonce": 812027496, + "isDeleted": false, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false, + "text": "Rust wrapper for\nsparse", + "fontSize": 20, + "fontFamily": 5, + "textAlign": "center", + "verticalAlign": "top", + "containerId": null, + "originalText": "Rust wrapper for\nsparse", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "u4-88RYc7Byvjuj25FsYF", + "type": "text", + "x": 644.3061716270195, + "y": 1397.1553395133874, + "width": 146.4598846435547, + "height": 50, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0f", + "roundness": null, + "seed": 2125378867, + "version": 167, + "versionNonce": 1507716120, + "isDeleted": false, + "boundElements": [], + "updated": 1774974083961, + "link": null, + "locked": false, + "text": "Python sdk-api\nparser", + "fontSize": 20, + 
"fontFamily": 5, + "textAlign": "center", + "verticalAlign": "top", + "containerId": null, + "originalText": "Python sdk-api\nparser", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "XjNvp0PbShs1AYGcBe6_d", + "type": "rectangle", + "x": 1743.9045038806253, + "y": 321.90078715674724, + "width": 153.59153590622162, + "height": 61.87468373838669, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0g", + "roundness": { + "type": 3 + }, + "seed": 364889880, + "version": 322, + "versionNonce": 80739432, + "isDeleted": false, + "boundElements": [ + { + "type": "text", + "id": "S2VTSDF6ea64AhBGUHn_l" + }, + { + "id": "NBswJipJArXk3ydBxZGRl", + "type": "arrow" + }, + { + "id": "VofeByEKdQWczO4ZrXK0W", + "type": "arrow" + } + ], + "updated": 1774974110026, + "link": null, + "locked": false + }, + { + "id": "S2VTSDF6ea64AhBGUHn_l", + "type": "text", + "x": 1789.2203066237748, + "y": 340.3381290259407, + "width": 62.959930419921875, + "height": 25, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0h", + "roundness": null, + "seed": 2103911448, + "version": 255, + "versionNonce": 1298411368, + "isDeleted": false, + "boundElements": [], + "updated": 1774974110026, + "link": null, + "locked": false, + "text": "sparse", + "fontSize": 20, + "fontFamily": 5, + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "XjNvp0PbShs1AYGcBe6_d", + "originalText": "sparse", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "rbmD5Q14Crm7HDHaFbyJK", + "type": "rectangle", + "x": 1743.904503755689, + "y": 218.03504500606712, + "width": 153.59153590622162, + "height": 61.87468373838669, + "angle": 
0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0i", + "roundness": { + "type": 3 + }, + "seed": 303751448, + "version": 337, + "versionNonce": 2063204968, + "isDeleted": false, + "boundElements": [ + { + "type": "text", + "id": "Zv4ThBbWkqKCJLXEJYf4e" + }, + { + "id": "NBswJipJArXk3ydBxZGRl", + "type": "arrow" + } + ], + "updated": 1774974110026, + "link": null, + "locked": false + }, + { + "id": "Zv4ThBbWkqKCJLXEJYf4e", + "type": "text", + "x": 1786.2103119920025, + "y": 236.47238687526047, + "width": 68.97991943359375, + "height": 25, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0j", + "roundness": null, + "seed": 860814872, + "version": 292, + "versionNonce": 1012757864, + "isDeleted": false, + "boundElements": [], + "updated": 1774974110026, + "link": null, + "locked": false, + "text": "sdk-api", + "fontSize": 20, + "fontFamily": 5, + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "rbmD5Q14Crm7HDHaFbyJK", + "originalText": "sdk-api", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "z7F3au21Trvdb_q_HqROG", + "type": "text", + "x": 2157.1543598138687, + "y": 279.9097285088387, + "width": 566.1395263671875, + "height": 25, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0k", + "roundness": null, + "seed": 838302488, + "version": 433, + "versionNonce": 114985064, + "isDeleted": false, + "boundElements": [ + { + "id": "6_587E9o9AainQ8eSmdRn", + "type": "arrow" + } + ], + "updated": 
1774974110026, + "link": null, + "locked": false, + "text": "The nf-* (Native Function) .md files are passed to sparse", + "fontSize": 20, + "fontFamily": 5, + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "The nf-* (Native Function) .md files are passed to sparse", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "7rld8B6OG6hLD-Co3tr_v", + "type": "rectangle", + "x": 1687.0443904779686, + "y": 738.6578300984714, + "width": 258.4878193970961, + "height": 635.8297621019193, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0l", + "roundness": { + "type": 3 + }, + "seed": 545806360, + "version": 1130, + "versionNonce": 1178418024, + "isDeleted": false, + "boundElements": [ + { + "id": "Iy_kqjRDpXsClo7-CSyCk", + "type": "arrow" + }, + { + "id": "0pcL-9J9xxC1M7yCt84o7", + "type": "arrow" + }, + { + "id": "9nVLUTmBgpE91mru_Xr7K", + "type": "arrow" + }, + { + "id": "wDRNFO0Gv3jeoE5rvCe4U", + "type": "arrow" + } + ], + "updated": 1774974110026, + "link": null, + "locked": false + }, + { + "id": "ULEifD9b74eiIOSTYnG3y", + "type": "text", + "x": 2157.1543601030535, + "y": 655.5611307599287, + "width": 554.4595336914062, + "height": 50, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0m", + "roundness": null, + "seed": 586519832, + "version": 445, + "versionNonce": 215060072, + "isDeleted": false, + "boundElements": [], + "updated": 1774974110026, + "link": null, + "locked": false, + "text": "Sparse parses the .md files and generates a consistently\nstructured JSON for each", + "fontSize": 20, + "fontFamily": 5, + "textAlign": "left", + "verticalAlign": "top", 
+ "containerId": null, + "originalText": "Sparse parses the .md files and generates a consistently\nstructured JSON for each", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "Gy1JdeA0X_0t1iDmB_QZn", + "type": "text", + "x": 1706.2018623403324, + "y": 778.4053553294228, + "width": 86.44335993780508, + "height": 86.84289609505637, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0n", + "roundness": null, + "seed": 1051931160, + "version": 986, + "versionNonce": 1130594664, + "isDeleted": false, + "boundElements": [], + "updated": 1774974110026, + "link": null, + "locked": false, + "text": "header: ...,\nlib: ...,\ndll: ...,\nmetadata:", + "fontSize": 17.368579219011274, + "fontFamily": 5, + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "header: ...,\nlib: ...,\ndll: ...,\nmetadata:", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "cGYpZTM1t4Jgspi3ndV6v", + "type": "rectangle", + "x": 1706.2018627511534, + "y": 865.2482514936877, + "width": 160.57976886687004, + "height": 73.81881444563736, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0o", + "roundness": { + "type": 3 + }, + "seed": 716517144, + "version": 991, + "versionNonce": 1497306216, + "isDeleted": false, + "boundElements": [], + "updated": 1774974110026, + "link": null, + "locked": false + }, + { + "id": "NwOEKgsEKJwRnk2DS4ia4", + "type": "text", + "x": 1726.6793927716517, + "y": 880.4469349768518, + "width": 65.96582995079854, + "height": 43.42144804752819, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 
2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0p", + "roundness": null, + "seed": 527404056, + "version": 866, + "versionNonce": 1949321064, + "isDeleted": false, + "boundElements": [], + "updated": 1774974110026, + "link": null, + "locked": false, + "text": "UID: ...,\n...", + "fontSize": 17.368579219011274, + "fontFamily": 5, + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "UID: ...,\n...", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "tTgTkwkQz7hLAc2zg7eMd", + "type": "text", + "x": 1706.201862598593, + "y": 949.0866469198166, + "width": 61.3283959772557, + "height": 21.710724023764094, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0q", + "roundness": null, + "seed": 651577624, + "version": 1024, + "versionNonce": 545462888, + "isDeleted": false, + "boundElements": [], + "updated": 1774974110026, + "link": null, + "locked": false, + "text": "params:", + "fontSize": 17.368579219011274, + "fontFamily": 5, + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "params:", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "auK1DfCAz5RsX-DGbsRzS", + "type": "rectangle", + "x": 1706.2018622733563, + "y": 970.7973704139739, + "width": 160.57976886687004, + "height": 218.06137805401153, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0r", + "roundness": { + "type": 3 + }, + "seed": 1818060312, + "version": 1157, + "versionNonce": 17010024, + "isDeleted": false, + "boundElements": [], + "updated": 1774974110026, + "link": null, + 
"locked": false + }, + { + "id": "ismwEYbWAG3H6nTczdoKP", + "type": "text", + "x": 1726.6793923942855, + "y": 980.8169512513017, + "width": 93.47765307314872, + "height": 217.10724023764095, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0s", + "roundness": null, + "seed": 217637656, + "version": 942, + "versionNonce": 2130550888, + "isDeleted": false, + "boundElements": [], + "updated": 1774974110026, + "link": null, + "locked": false, + "text": "direction: {\n \"in\",\n \"out\",\n \"optional\n},\nvalues: {\n \"A\": 1,\n ...\n}\n", + "fontSize": 17.368579219011274, + "fontFamily": 5, + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "direction: {\n \"in\",\n \"out\",\n \"optional\n},\nvalues: {\n \"A\": 1,\n ...\n}\n", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "ETc-9IU3qDkkzMB6sg3Lg", + "type": "text", + "x": 1706.2018626719514, + "y": 1201.4812385314972, + "width": 189.12632554397652, + "height": 65.13217207129227, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0t", + "roundness": null, + "seed": 1729937432, + "version": 1080, + "versionNonce": 2050839400, + "isDeleted": false, + "boundElements": [], + "updated": 1774974110026, + "link": null, + "locked": false, + "text": "min_client_version: ...,\nmax_client_version: ...,\n...", + "fontSize": 17.368579219011274, + "fontFamily": 5, + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "min_client_version: ...,\nmax_client_version: ...,\n...", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "P4xQQp3M0aY5AQjMZRvE_", + "type": "text", + "x": 
2157.154359823542, + "y": 455.2354294223386, + "width": 586.199462890625, + "height": 50, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0u", + "roundness": null, + "seed": 1790770456, + "version": 483, + "versionNonce": 2031003240, + "isDeleted": false, + "boundElements": [], + "updated": 1774974110026, + "link": null, + "locked": false, + "text": "The process is spread out in chunks (--chunk-size) that are\nspread out over workers (--workers)", + "fontSize": 20, + "fontFamily": 5, + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "The process is spread out in chunks (--chunk-size) that are\nspread out over workers (--workers)", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "nrXIg6-vfuOQNOstqnxHe", + "type": "rectangle", + "x": 1741.574654820245, + "y": 425.76653000403655, + "width": 153.59153590622162, + "height": 61.87468373838669, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0v", + "roundness": { + "type": 3 + }, + "seed": 1766693400, + "version": 346, + "versionNonce": 1480431976, + "isDeleted": false, + "boundElements": [ + { + "type": "text", + "id": "TY63HjtwrtzOcwOcoyN2J" + }, + { + "id": "VofeByEKdQWczO4ZrXK0W", + "type": "arrow" + }, + { + "id": "6sDU-3g5-cNb5EuoUK166", + "type": "arrow" + } + ], + "updated": 1774974110026, + "link": null, + "locked": false + }, + { + "id": "TY63HjtwrtzOcwOcoyN2J", + "type": "text", + "x": 1786.1604542064615, + "y": 444.20387187323, + "width": 64.41993713378906, + "height": 25, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + 
"strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0w", + "roundness": null, + "seed": 1707251480, + "version": 320, + "versionNonce": 2065050728, + "isDeleted": false, + "boundElements": [], + "updated": 1774974110026, + "link": null, + "locked": false, + "text": "chunks", + "fontSize": 20, + "fontFamily": 5, + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "nrXIg6-vfuOQNOstqnxHe", + "originalText": "chunks", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "PF0Mb5QfM-lrM-DasmsVl", + "type": "rectangle", + "x": 1535.5349768202452, + "y": 544.6817414264937, + "width": 153.59153590622162, + "height": 61.87468373838669, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0x", + "roundness": { + "type": 3 + }, + "seed": 1687155736, + "version": 495, + "versionNonce": 2070175592, + "isDeleted": false, + "boundElements": [ + { + "type": "text", + "id": "2Kdpf9YEDw2yzCrKNiw0T" + }, + { + "id": "Iy_kqjRDpXsClo7-CSyCk", + "type": "arrow" + } + ], + "updated": 1774974110026, + "link": null, + "locked": false + }, + { + "id": "2Kdpf9YEDw2yzCrKNiw0T", + "type": "text", + "x": 1580.460772544352, + "y": 563.1190832956871, + "width": 63.73994445800781, + "height": 25, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0y", + "roundness": null, + "seed": 1000976664, + "version": 472, + "versionNonce": 1500787304, + "isDeleted": false, + "boundElements": [], + "updated": 1774974110026, + "link": null, + "locked": false, + "text": "worker", + "fontSize": 20, + "fontFamily": 5, + "textAlign": "center", + "verticalAlign": "middle", + 
"containerId": "PF0Mb5QfM-lrM-DasmsVl", + "originalText": "worker", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "n8rQvwzDSTnGeZHXw4VOS", + "type": "rectangle", + "x": 1741.5746548202453, + "y": 544.6817414264937, + "width": 153.59153590622162, + "height": 61.87468373838669, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b0z", + "roundness": { + "type": 3 + }, + "seed": 1652805144, + "version": 524, + "versionNonce": 739353960, + "isDeleted": false, + "boundElements": [ + { + "type": "text", + "id": "d5Z7Plfi6RB0LykLv_E8G" + }, + { + "id": "6sDU-3g5-cNb5EuoUK166", + "type": "arrow" + }, + { + "id": "9nVLUTmBgpE91mru_Xr7K", + "type": "arrow" + } + ], + "updated": 1774974110026, + "link": null, + "locked": false + }, + { + "id": "d5Z7Plfi6RB0LykLv_E8G", + "type": "text", + "x": 1786.5004505443521, + "y": 563.1190832956871, + "width": 63.73994445800781, + "height": 25, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b10", + "roundness": null, + "seed": 1108495128, + "version": 502, + "versionNonce": 1351137384, + "isDeleted": false, + "boundElements": [], + "updated": 1774974110026, + "link": null, + "locked": false, + "text": "worker", + "fontSize": 20, + "fontFamily": 5, + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "n8rQvwzDSTnGeZHXw4VOS", + "originalText": "worker", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "GsUX94ACC9By9kBh8n0vS", + "type": "rectangle", + "x": 1947.6143328202452, + "y": 544.6817414264937, + "width": 153.59153590622162, + "height": 61.87468373838669, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", 
@@ -797,49 +4075,35 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "aI", + "index": "b11", "roundness": { - "type": 2 + "type": 3 }, - "seed": 1319256265, - "version": 97, - "versionNonce": 167773447, + "seed": 80291864, + "version": 491, + "versionNonce": 447048552, "isDeleted": false, - "boundElements": [], - "updated": 1770992306495, - "link": null, - "locked": false, - "points": [ - [ - 0, - 0 - ], - [ - -0.00020599327615400398, - 96.4285939534505 - ] + "boundElements": [ + { + "type": "text", + "id": "UUVcm4gviQnZJq_IU2ixT" + }, + { + "id": "0pcL-9J9xxC1M7yCt84o7", + "type": "arrow" + } ], - "startBinding": { - "elementId": "YgiFqL-xzvp2bm9t0zqtN", - "mode": "inside", - "fixedPoint": [ - 0.4882731944941871, - 0.9985624183231463 - ] - }, - "endBinding": null, - "startArrowhead": null, - "endArrowhead": "arrow", - "elbowed": false, - "moveMidPointsWithElement": false + "updated": 1774974110026, + "link": null, + "locked": false }, { - "id": "iBT-nXEE31lzGcBtLDcyE", - "type": "arrow", - "x": 468.3812459309896, - "y": 605.0000813802083, - "width": 164.63391227741494, - "height": 83.66627502441384, + "id": "UUVcm4gviQnZJq_IU2ixT", + "type": "text", + "x": 1992.5401285443522, + "y": 563.1190832956871, + "width": 63.73994445800781, + "height": 25, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", 
@@ -850,49 +4114,33 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "aJ", - "roundness": { - "type": 2 - }, - "seed": 613074921, - "version": 163, - "versionNonce": 1218980583, - "isDeleted": true, + "index": "b12", + "roundness": null, + "seed": 1721525528, + "version": 482, + "versionNonce": 78888552, + "isDeleted": false, "boundElements": [], - "updated": 1770992235247, + "updated": 1774974110026, "link": null, "locked": false, - "points": [ - [ - 0, - 0 - ], - [ - -164.63391227741494, - 83.66627502441384 - ] - ], - "startBinding": { - "elementId": "MLRsULapaVmdtJp3FRGXS", - "mode": "inside", - "fixedPoint": [ - 0.5129646762450663, - 0.9928168106588682 - ] - }, - "endBinding": null, - "startArrowhead": null, - "endArrowhead": "arrow", - "elbowed": false, - "moveMidPointsWithElement": false + "text": "worker", + "fontSize": 20, + "fontFamily": 5, + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "GsUX94ACC9By9kBh8n0vS", + "originalText": "worker", + "autoResize": true, + "lineHeight": 1.25 }, { - "id": "vlv-8dS5lWYMPsgWaxmYp", + "id": "NBswJipJArXk3ydBxZGRl", "type": "arrow", - "x": 538.0396405376086, - "y": 616.9523671468098, - "width": 103.4807487989475, - "height": 71.7139892578125, + "x": 1821.942991641643, + "y": 276.9337667238274, + "width": 0.4092810376794205, + "height": 33.96702043292004, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", @@ -903,16 +4151,16 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "aK", + "index": "b13", "roundness": { "type": 2 }, - "seed": 436075303, - "version": 113, - "versionNonce": 223735207, - "isDeleted": true, + "seed": 83886616, + "version": 207, + "versionNonce": 1602204008, + "isDeleted": false, "boundElements": [], - "updated": 1770992232359, + "updated": 1774974110026, "link": null, "locked": false, "points": [ 
@@ -921,24 +4169,24 @@ 0 ], [ - 103.4807487989475, - 71.7139892578125 + 0.4092810376794205, + 33.96702043292004 ] ], "startBinding": { - "elementId": "MLRsULapaVmdtJp3FRGXS", - "mode": "orbit", + "elementId": "rbmD5Q14Crm7HDHaFbyJK", + "mode": "inside", "fixedPoint": [ - 0.4100988649883558, - 0.5899011350116435 + 0.5080910704194139, + 0.9519033982749874 ] }, "endBinding": { - "elementId": "UZrtJmZPOjBmuh7lwMQSV", + "elementId": "XjNvp0PbShs1AYGcBe6_d", "mode": "orbit", "fixedPoint": [ - 0.7475845680021319, - 0.2524154319978695 + 0.5139779702064853, + 0.48602202979351344 ] }, "startArrowhead": null, @@ -946,12 +4194,12 @@ "elbowed": false }, { - "id": "lbdxa_ZKcSw5cQn8Q0A4-", + "id": "VofeByEKdQWczO4ZrXK0W", "type": "arrow", - "x": 348.4363755424731, - "y": 607.4694789167934, - "width": 61.30487188748663, - "height": 101.09347223587554, + "x": 1821.942991641643, + "y": 381.32311715267485, + "width": 0.9038580840213513, + "height": 33.44341285136164, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", @@ -962,16 +4210,16 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "aL", + "index": "b14", "roundness": { "type": 2 }, - "seed": 1214032809, - "version": 604, - "versionNonce": 331042896, - "isDeleted": true, + "seed": 786956056, + "version": 184, + "versionNonce": 39142504, + "isDeleted": false, "boundElements": [], - "updated": 1772721206680, + "updated": 1774974110026, "link": null, "locked": false, "points": [ 
@@ -980,24 +4228,38 @@ 0 ], [ - -61.30487188748663, - 101.09347223587554 + -0.9038580840213513, + 33.44341285136164 ] ], - "startBinding": null, - "endBinding": null, + "startBinding": { + "elementId": "XjNvp0PbShs1AYGcBe6_d", + "mode": "inside", + "fixedPoint": [ + 0.508091069605981, + 0.960365797539621 + ] + }, + "endBinding": { + "elementId": "nrXIg6-vfuOQNOstqnxHe", + "mode": "orbit", + "fixedPoint": [ + 0.5101059694578957, + 0.4898940305421054 + ] + }, "startArrowhead": null, "endArrowhead": "arrow", "elbowed": false, "moveMidPointsWithElement": false }, { - "id": "Nmoz8ryYJAmyPpJ_pziv9", + "id": "hLUGuwaKn-DwrXHhKJCRu", "type": "arrow", - "x": 582.1678615496126, - "y": 607.1133798764413, - "width": 56.83730196289332, - "height": 90.66818352818086, + "x": 1740.5522627586856, + "y": 480.2443889081427, + "width": 108.70155863085316, + "height": 53.43735251835062, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", @@ -1008,16 +4270,16 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "aM", + "index": "b15", "roundness": { "type": 2 }, - "seed": 2048926377, - "version": 400, - "versionNonce": 1132070992, + "seed": 885546008, + "version": 237, + "versionNonce": 2063628136, "isDeleted": false, "boundElements": [], - "updated": 1772721194916, + "updated": 1774974110026, "link": null, "locked": false, "points": [ @@ -1026,8 +4288,8 @@ 0 ], [ - 56.83730196289332, - 90.66818352818086 + -108.70155863085316, + 53.43735251835062 ] ], "startBinding": null, @@ -1038,12 +4300,12 @@ "moveMidPointsWithElement": false }, { - "id": "nG4hG-DOnVLTUDZoCDpIw", + "id": "k5r-_ZO9ofTK-hi13E5Ig", "type": "arrow", - "x": 299.66551104463093, - "y": 843.2377980550127, - "width": 2.5810951353200267, - "height": 62.38136800130178, + "x": 1894.9548659027837, + "y": 479.7739239990341, + "width": 108.70155863085316, + "height": 53.43735251835062, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", 
@@ -1054,16 +4316,16 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "aN", + "index": "b16", "roundness": { "type": 2 }, - "seed": 1406945865, - "version": 64, - "versionNonce": 1756459495, - "isDeleted": true, + "seed": 949295384, + "version": 316, + "versionNonce": 1036864104, + "isDeleted": false, "boundElements": [], - "updated": 1770992264474, + "updated": 1774974110026, "link": null, "locked": false, "points": [ @@ -1072,37 +4334,24 @@ 0 ], [ - -2.5810951353200267, - 62.38136800130178 + 108.70155863085316, + 53.43735251835062 ] ], - "startBinding": { - "elementId": "51ej0x9jDd0B_zmFbZIug", - "mode": "orbit", - "fixedPoint": [ - 0.5391367185975062, - 0.5391367185975064 - ] - }, - "endBinding": { - "elementId": "AzKv5P7C0lD7ZvIAw89vd", - "mode": "orbit", - "fixedPoint": [ - 0.5011857569632173, - 0.49881424303678223 - ] - }, + "startBinding": null, + "endBinding": null, "startArrowhead": null, "endArrowhead": "arrow", - "elbowed": false + "elbowed": false, + "moveMidPointsWithElement": false }, { - "id": "goRcSL4HSN1gVZxGov7Au", + "id": "6sDU-3g5-cNb5EuoUK166", "type": "arrow", - "x": 295.7054282826312, - "y": 843.2377980550127, - "width": 1.1813762488469024, - "height": 62.38136800130178, + "x": 1814.4866428422497, + "y": 485.7124091768545, + "width": 1.5016049139078973, + "height": 47.96933224963931, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", @@ -1113,16 +4362,16 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "aO", + "index": "b17", "roundness": { "type": 2 }, - "seed": 252419689, - "version": 118, - "versionNonce": 499444937, - "isDeleted": true, + "seed": 2109879832, + "version": 199, + "versionNonce": 1434959208, + "isDeleted": false, "boundElements": [], - "updated": 1770992281026, + "updated": 1774974110026, "link": null, "locked": false, "points": [ 
@@ -1131,38 +4380,37 @@ 0 ], [ - 1.1813762488469024, - 62.38136800130178 + 1.5016049139078973, + 47.96933224963931 ] ], "startBinding": { - "elementId": "51ej0x9jDd0B_zmFbZIug", - "mode": "orbit", + "elementId": "nrXIg6-vfuOQNOstqnxHe", + "mode": "inside", "fixedPoint": [ - 0.5026925974380019, - 0.502692597438001 + 0.474713581004376, + 0.9688272416272183 ] }, "endBinding": { - "elementId": "AzKv5P7C0lD7ZvIAw89vd", + "elementId": "n8rQvwzDSTnGeZHXw4VOS", "mode": "orbit", "fixedPoint": [ - 0.5202262592539764, - 0.479773740746024 + 0.4735569271938117, + 0.4735569271938122 ] }, "startArrowhead": null, "endArrowhead": "arrow", - "elbowed": false, - "moveMidPointsWithElement": false + "elbowed": false }, { - "id": "l4tqfHGH78cA6lQH-8q8d", + "id": "Iy_kqjRDpXsClo7-CSyCk", "type": "arrow", - "x": 175.81214764583342, - "y": 867.6667480468747, - "width": 3.792423902866375, - "height": 73.95241800943961, + "x": 1609.1876337225845, + "y": 604.517401964168, + "width": 81.28535902485214, + "height": 131.5383484763904, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", @@ -1173,16 +4421,16 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "aP", + "index": "b18", "roundness": { "type": 2 }, - "seed": 1231803367, - "version": 673, - "versionNonce": 1796861616, + "seed": 960738072, + "version": 273, + "versionNonce": 326881384, "isDeleted": false, "boundElements": [], - "updated": 1772721239316, + "updated": 1774974110026, "link": null, "locked": false, "points": [ 
@@ -1191,24 +4439,24 @@ 0 ], [ - 3.792423902866375, - 73.95241800943961 + 81.28535902485214, + 131.5383484763904 ] ], "startBinding": { - "elementId": "51ej0x9jDd0B_zmFbZIug", + "elementId": "PF0Mb5QfM-lrM-DasmsVl", "mode": "inside", "fixedPoint": [ - 0.49794398821715224, - 0.9956925111394379 + 0.4795359097607381, + 0.9670459212473149 ] }, "endBinding": { - "elementId": "AzKv5P7C0lD7ZvIAw89vd", + "elementId": "7rld8B6OG6hLD-Co3tr_v", "mode": "orbit", "fixedPoint": [ - 0.5305589323716747, - 0.4694410676283262 + 0.6109143456314435, + 0.38908565436855647 ] }, "startArrowhead": null, @@ -1217,12 +4465,12 @@ "moveMidPointsWithElement": false }, { - "id": "BS2c2QuX_Xfvlnj601Y5q", + "id": "0pcL-9J9xxC1M7yCt84o7", "type": "arrow", - "x": 648.890706807625, - "y": 843.2377980550128, - "width": 2.7334986769483294, - "height": 64.47605387369833, + "x": 2028.2361942289835, + "y": 606.0086775645135, + "width": 88.40571630571219, + "height": 128.42960844688764, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", @@ -1233,16 +4481,16 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "aQ", + "index": "b19", "roundness": { "type": 2 }, - "seed": 1631665609, - "version": 127, - "versionNonce": 913939689, - "isDeleted": true, + "seed": 1636667416, + "version": 247, + "versionNonce": 1064665960, + "isDeleted": false, "boundElements": [], - "updated": 1770992314199, + "updated": 1774974110026, "link": null, "locked": false, "points": [ 
@@ -1251,124 +4499,38 @@ 0 ], [ - 2.7334986769483294, - 64.47605387369833 + -88.40571630571219, + 128.42960844688764 ] ], "startBinding": { - "elementId": "UZrtJmZPOjBmuh7lwMQSV", - "mode": "orbit", + "elementId": "GsUX94ACC9By9kBh8n0vS", + "mode": "inside", "fixedPoint": [ - 0.4883283436361764, - 0.5116716563638253 - ] - }, - "endBinding": null, - "startArrowhead": null, - "endArrowhead": "arrow", - "elbowed": false, - "moveMidPointsWithElement": false - }, - { - "id": "n6kB6sV6dhaRQx4pEdd_u", - "type": "freedraw", - "x": 649.3335978190104, - "y": 867.8571370442708, - "width": 0.0001, - "height": 0.0001, - "angle": 0, - "strokeColor": "#1e1e1e", - "backgroundColor": "transparent", - "fillStyle": "solid", - "strokeWidth": 2, - "strokeStyle": "solid", - "roughness": 1, - "opacity": 100, - "groupIds": [], - "frameId": null, - "index": "aR", - "roundness": null, - "seed": 1721830569, - "version": 4, - "versionNonce": 1974918537, - "isDeleted": true, - "boundElements": [], - "updated": 1770992311332, - "link": null, - "locked": false, - "points": [ - [ - 0, - 0 - ], - [ - 0.0001, - 0.0001 + 0.5249108353077704, + 0.9911474682814881 ] - ], - "pressures": [], - "simulatePressure": true - }, - { - "id": "I98-rpfbqCNKhkNVq2lel", - "type": "arrow", - "x": 655.0479125976562, - "y": 828.8094889322916, - "width": 4.1968221616823485, - "height": 78.90436299641942, - "angle": 0, - "strokeColor": "#1e1e1e", - "backgroundColor": "transparent", - "fillStyle": "solid", - "strokeWidth": 2, - "strokeStyle": "solid", - "roughness": 1, - "opacity": 100, - "groupIds": [], - "frameId": null, - "index": "aS", - "roundness": { - "type": 2 }, - "seed": 2122539113, - "version": 65, - "versionNonce": 1780519047, - "isDeleted": true, - "boundElements": [], - "updated": 1770992321050, - "link": null, - "locked": false, - "points": [ - [ - 0, - 0 - ], - [ - 4.1968221616823485, - 78.90436299641942 - ] - ], - "startBinding": { - "elementId": "UZrtJmZPOjBmuh7lwMQSV", - "mode": "inside", + 
"endBinding": { + "elementId": "7rld8B6OG6hLD-Co3tr_v", + "mode": "orbit", "fixedPoint": [ - 0.5288081206289695, - 0.9741399121858971 + 0.35893888915483796, + 0.35893888915483774 ] }, - "endBinding": null, "startArrowhead": null, "endArrowhead": "arrow", "elbowed": false, "moveMidPointsWithElement": false }, { - "id": "607G2bKhkujY0rL7bixNF", + "id": "9nVLUTmBgpE91mru_Xr7K", "type": "arrow", - "x": 763.8303322083334, - "y": 867.666748046875, - "width": 3.0018692077396736, - "height": 76.04710388183616, + "x": 1820.9488273763018, + "y": 606.0086775645135, + "width": 0.9625150569492575, + "height": 121.64915253395793, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", @@ -1379,16 +4541,16 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "aT", + "index": "b1A", "roundness": { "type": 2 }, - "seed": 429692167, - "version": 150, - "versionNonce": 1708642992, + "seed": 2123615512, + "version": 235, + "versionNonce": 1203820136, "isDeleted": false, "boundElements": [], - "updated": 1772721145887, + "updated": 1774974110026, "link": null, "locked": false, "points": [ @@ -1397,24 +4559,24 @@ 0 ], [ - 3.0018692077396736, - 76.04710388183616 + -0.9625150569492575, + 121.64915253395793 ] ], "startBinding": { - "elementId": "UZrtJmZPOjBmuh7lwMQSV", + "elementId": "n8rQvwzDSTnGeZHXw4VOS", "mode": "inside", "fixedPoint": [ - 0.5164623797535302, - 0.9956925111394361 + 0.5167874133671023, + 0.9911474682814881 ] }, "endBinding": { - "elementId": "U8LMuoPM2R0JTVIQJOrw4", + "elementId": "7rld8B6OG6hLD-Co3tr_v", "mode": "orbit", "fixedPoint": [ - 0.541673397569584, - 0.45832660243041595 + 0.5043224875714795, + 0.49567751242852065 ] }, "startArrowhead": null, 
@@ -1423,12 +4585,12 @@ "moveMidPointsWithElement": false }, { - "id": "Sq6bwWF6GPmLMB1gvMW4j", - "type": "text", - "x": 632.1900431315107, - "y": 287.6189473470052, - "width": 548.07177734375, - "height": 35, + "id": "wDRNFO0Gv3jeoE5rvCe4U", + "type": "arrow", + "x": 1813.9290079243597, + "y": 1373.4848122060166, + "width": 0.7211392872695228, + "height": 69.53105178242936, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", @@ -1439,33 +4601,49 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "aU", - "roundness": null, - "seed": 949739495, - "version": 188, - "versionNonce": 598344681, + "index": "b1B", + "roundness": { + "type": 2 + }, + "seed": 2043308568, + "version": 265, + "versionNonce": 1898563944, "isDeleted": false, "boundElements": [], - "updated": 1770992427769, + "updated": 1774974110026, "link": null, - "locked": false, - "text": "Discovers SDK, builds synthetic headers", - "fontSize": 28, - "fontFamily": 5, - "textAlign": "left", - "verticalAlign": "top", - "containerId": null, - "originalText": "Discovers SDK, builds synthetic headers", - "autoResize": true, - "lineHeight": 1.25 + "locked": false, + "points": [ + [ + 0, + 0 + ], + [ + -0.7211392872695228, + 69.53105178242936 + ] + ], + "startBinding": { + "elementId": "7rld8B6OG6hLD-Co3tr_v", + "mode": "inside", + "fixedPoint": [ + 0.4908727140115929, + 0.9984228797484109 + ] + }, + "endBinding": null, + "startArrowhead": null, + "endArrowhead": "arrow", + "elbowed": false, + "moveMidPointsWithElement": false }, { - "id": "m4_WuFlctrnFJLExJqCLr", - "type": "text", - "x": 632.1900431315107, - "y": 531.4282277425131, - "width": 570.1358032226562, - "height": 35, + "id": "ad_w1hhSfO3DKXxN4SE5e", + "type": "rectangle", + "x": 1736.130335919222, + "y": 1454.0158639884467, + "width": 153.59153590622162, + "height": 61.87468373838669, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", 
@@ -1476,33 +4654,31 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "aV", - "roundness": null, - "seed": 1130321383, - "version": 211, - "versionNonce": 429780327, + "index": "b1C", + "roundness": { + "type": 3 + }, + "seed": 1847944984, + "version": 777, + "versionNonce": 117202024, "isDeleted": false, - "boundElements": [], - "updated": 1770992427770, + "boundElements": [ + { + "type": "text", + "id": "MRV9sexfA_91zQSJj_kkp" + } + ], + "updated": 1774974110026, "link": null, - "locked": false, - "text": "Parses AST, extracts structured entities", - "fontSize": 28, - "fontFamily": 5, - "textAlign": "left", - "verticalAlign": "top", - "containerId": null, - "originalText": "Parses AST, extracts structured entities", - "autoResize": true, - "lineHeight": 1.25 + "locked": false }, { - "id": "Pw1ZveR4Cqeey3oAU_9FK", + "id": "MRV9sexfA_91zQSJj_kkp", "type": "text", - "x": 962.8777768697917, - "y": 787.4287109375, - "width": 193.64793395996094, - "height": 35, + "x": 1756.82613591579, + "y": 1472.4532058576401, + "width": 112.19993591308594, + "height": 25, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", 
@@ -1513,33 +4689,33 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "aW", + "index": "b1D", "roundness": null, - "seed": 401996873, - "version": 161, - "versionNonce": 1598111408, + "seed": 2014888984, + "version": 780, + "versionNonce": 184848232, "isDeleted": false, "boundElements": [], - "updated": 1772721142536, + "updated": 1774974110026, "link": null, "locked": false, - "text": "CLI frontends", - "fontSize": 28, + "text": "output.json", + "fontSize": 20, "fontFamily": 5, - "textAlign": "left", - "verticalAlign": "top", - "containerId": null, - "originalText": "CLI frontends", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "ad_w1hhSfO3DKXxN4SE5e", + "originalText": "output.json", "autoResize": true, "lineHeight": 1.25 }, { - "id": "dM0D1bs4f6-c8nywfFkuv", + "id": "2XwXZ9WfW2BhIujoXQUz6", "type": "text", - "x": 962.8777768697917, - "y": 1006.3572387695312, - "width": 205.26791381835938, - "height": 35, + "x": 2157.1543600329132, + "y": 1374.4875922595734, + "width": 504.7596435546875, + "height": 75, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", 
@@ -1550,33 +4726,33 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "aX", + "index": "b1E", "roundness": null, - "seed": 1042761671, - "version": 263, - "versionNonce": 470149296, + "seed": 93880600, + "version": 530, + "versionNonce": 1703830120, "isDeleted": false, "boundElements": [], - "updated": 1772721142536, + "updated": 1774974110026, "link": null, "locked": false, - "text": "TUI frontends", - "fontSize": 28, + "text": "The outputter merges all the processed chunks and\ngenerates the JSON objects, then writes them to\nthe file (-o/--output)", + "fontSize": 20, "fontFamily": 5, "textAlign": "left", "verticalAlign": "top", "containerId": null, - "originalText": "TUI frontends", + "originalText": "The outputter merges all the processed chunks and\ngenerates the JSON objects, then writes them to\nthe file (-o/--output)", "autoResize": true, "lineHeight": 1.25 }, { - "id": "pNaCNeWcnrSacPoPxWnp1", - "type": "arrow", - "x": 349.18545216399195, - "y": 608.337120586715, - "width": 56.83730196289332, - "height": 90.66818352818086, + "id": "meNXzVnF9oTmzVcaydSLR", + "type": "rectangle", + "x": 1693.2609988235422, + "y": 756.7767374103413, + "width": 243.44707499999998, + "height": 531.4652922633409, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", 
@@ -1587,42 +4763,26 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "aY", + "index": "b1F", "roundness": { - "type": 2 + "type": 3 }, - "seed": 1866543280, - "version": 542, - "versionNonce": 204416688, + "seed": 639147544, + "version": 264, + "versionNonce": 358995304, "isDeleted": false, "boundElements": [], - "updated": 1772721220869, + "updated": 1774974110026, "link": null, - "locked": false, - "points": [ - [ - 0, - 0 - ], - [ - -56.83730196289332, - 90.66818352818086 - ] - ], - "startBinding": null, - "endBinding": null, - "startArrowhead": null, - "endArrowhead": "arrow", - "elbowed": false, - "moveMidPointsWithElement": false + "locked": false }, { - "id": "iBCfEa_kcs9nqougTQ6Ik", + "id": "svtqyzg13pad1ErNgG8rm", "type": "rectangle", - "x": 352.43992203465797, - "y": 736.0761986331474, - "width": 231.4285888671875, - "height": 132.57144165039062, + "x": 1693.2609988235422, + "y": 1301.4860764870177, + "width": 243.44707499999998, + "height": 48.967902623462805, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", 
@@ -1633,39 +4793,31 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "aZ", + "index": "b1G", "roundness": { "type": 3 }, - "seed": 762215504, - "version": 1058, - "versionNonce": 86941872, + "seed": 1519196952, + "version": 222, + "versionNonce": 1607919720, "isDeleted": false, "boundElements": [ { - "id": "nNPpWLpOMYrk-BEQFqlbV", - "type": "text" - }, - { - "id": "8b1fdoAmbFbe_8MEcwU-1", - "type": "arrow" - }, - { - "id": "BMPIHnLsgb_8c4X_jamG7", - "type": "arrow" + "type": "text", + "id": "RaUlXqe7zQFLvK1PSKNGl" } ], - "updated": 1772721329763, + "updated": 1774974110026, "link": null, "locked": false }, { - "id": "nNPpWLpOMYrk-BEQFqlbV", + "id": "RaUlXqe7zQFLvK1PSKNGl", "type": "text", - "x": 426.76426285497047, - "y": 777.3619194583428, - "width": 82.7799072265625, - "height": 50, + "x": 1806.7645427322336, + "y": 1313.470027798749, + "width": 16.439987182617188, + "height": 25, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", 
@@ -1676,33 +4828,33 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "aa", + "index": "b1H", "roundness": null, - "seed": 1492808272, - "version": 1026, - "versionNonce": 569838256, + "seed": 1701443608, + "version": 157, + "versionNonce": 11377512, "isDeleted": false, "boundElements": [], - "updated": 1772721329763, + "updated": 1774974110026, "link": null, "locked": false, - "text": "bb-funcs\n(WIP)", + "text": "...", "fontSize": 20, "fontFamily": 5, "textAlign": "center", "verticalAlign": "middle", - "containerId": "iBCfEa_kcs9nqougTQ6Ik", - "originalText": "bb-funcs\n(WIP)", + "containerId": "svtqyzg13pad1ErNgG8rm", + "originalText": "...", "autoResize": true, "lineHeight": 1.25 }, { - "id": "HV38jHnMXHsLPDcoC92Lf", - "type": "rectangle", - "x": 352.43992203465797, - "y": 954.7138522848398, - "width": 231.4285888671875, - "height": 132.57144165039062, + "id": "vT8Y0hLkUQLJTxlQyLXPD", + "type": "text", + "x": 2157.15435989662, + "y": 1022.5093837257331, + "width": 596.339599609375, + "height": 25, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", 
@@ -1713,35 +4865,33 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "ab", - "roundness": { - "type": 3 - }, - "seed": 1536665680, - "version": 1188, - "versionNonce": 2136481456, + "index": "b1I", + "roundness": null, + "seed": 446903576, + "version": 588, + "versionNonce": 1513483880, "isDeleted": false, - "boundElements": [ - { - "id": "p_bo45N7CO9CYtx3Vqy5U", - "type": "text" - }, - { - "id": "8b1fdoAmbFbe_8MEcwU-1", - "type": "arrow" - } - ], - "updated": 1772721329763, + "boundElements": [], + "updated": 1774974110026, "link": null, - "locked": false + "locked": false, + "text": "Each worker sends in their processed chunks upon completion", + "fontSize": 20, + "fontFamily": 5, + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "Each worker sends in their processed chunks upon completion", + "autoResize": true, + "lineHeight": 1.25 }, { - "id": "p_bo45N7CO9CYtx3Vqy5U", - "type": "text", - "x": 409.2042805551658, - "y": 995.9995731100352, - "width": 117.89987182617188, - "height": 50, + "id": "6_587E9o9AainQ8eSmdRn", + "type": "arrow", + "x": 2452.756498441514, + "y": 315.9097285088386, + "width": 0.5672926119459589, + "height": 122.13005038453124, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", 
@@ -1752,33 +4902,48 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "ac", - "roundness": null, - "seed": 1092492880, - "version": 1192, - "versionNonce": 1447086256, + "index": "b1J", + "roundness": { + "type": 2 + }, + "seed": 799855128, + "version": 227, + "versionNonce": 624681320, "isDeleted": false, "boundElements": [], - "updated": 1772721329763, + "updated": 1774974110026, "link": null, "locked": false, - "text": "bb-funcs-tui\n(WIP)", - "fontSize": 20, - "fontFamily": 5, - "textAlign": "center", - "verticalAlign": "middle", - "containerId": "HV38jHnMXHsLPDcoC92Lf", - "originalText": "bb-funcs-tui\n(WIP)", - "autoResize": true, - "lineHeight": 1.25 + "points": [ + [ + 0, + 0 + ], + [ + 0.5672926119459589, + 122.13005038453124 + ] + ], + "startBinding": { + "elementId": "z7F3au21Trvdb_q_HqROG", + "mode": "orbit", + "fixedPoint": [ + 0.5216726081844274, + 0.5216726081844274 + ] + }, + "endBinding": null, + "startArrowhead": null, + "endArrowhead": "arrow", + "elbowed": false }, { - "id": "8b1fdoAmbFbe_8MEcwU-1", + "id": "PKNVoM3k3mdZm1J8oPqBw", "type": "arrow", - "x": 467.67839656265295, - "y": 868.0765902754003, - "width": 0.5320358976806574, - "height": 75.6372620094395, + "x": 2456.1253997635263, + "y": 519.604896920568, + "width": 0.5672926119459589, + "height": 122.13005038453124, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", @@ -1789,16 +4954,16 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "ad", + "index": "b1K", "roundness": { "type": 2 }, - "seed": 1516622928, - "version": 752, - "versionNonce": 1585722032, + "seed": 192597784, + "version": 264, + "versionNonce": 554398824, "isDeleted": false, "boundElements": [], - "updated": 1772721329763, + "updated": 1774974110026, "link": null, "locked": false, "points": [ 
@@ -1807,38 +4972,23 @@ 0 ], [ - 0.5320358976806574, - 75.6372620094395 + 0.5672926119459589, + 122.13005038453124 ] ], - "startBinding": { - "elementId": "iBCfEa_kcs9nqougTQ6Ik", - "mode": "inside", - "fixedPoint": [ - 0.49794398821715224, - 0.9956925111394379 - ] - }, - "endBinding": { - "elementId": "HV38jHnMXHsLPDcoC92Lf", - "mode": "orbit", - "fixedPoint": [ - 0.5025815302865124, - 0.49741846971348647 - ] - }, + "startBinding": null, + "endBinding": null, "startArrowhead": null, "endArrowhead": "arrow", - "elbowed": false, - "moveMidPointsWithElement": false + "elbowed": false }, { - "id": "imvgJIXRC2zgXOIveczla", + "id": "QC7yAcGMHocVecmA6BoIv", "type": "arrow", - "x": 467.7579756362204, - "y": 604.1876525146574, - "width": 1.4248626287208594, - "height": 110.6308792018009, + "x": 2455.25790056297, + "y": 726.8536612734982, + "width": 1.092798264174462, + "height": 273.18359538627465, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", @@ -1849,16 +4999,16 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "ae", + "index": "b1L", "roundness": { "type": 2 }, - "seed": 309417552, - "version": 538, - "versionNonce": 412396720, - "isDeleted": true, + "seed": 377564184, + "version": 387, + "versionNonce": 1131456360, + "isDeleted": false, "boundElements": [], - "updated": 1772721287471, + "updated": 1774974110026, "link": null, "locked": false, "points": [ 
@@ -1867,31 +5017,23 @@ 0 ], [ - -1.4248626287208594, - 110.6308792018009 + -1.092798264174462, + 273.18359538627465 ] ], - "startBinding": { - "elementId": "MLRsULapaVmdtJp3FRGXS", - "mode": "inside", - "fixedPoint": [ - 0.5102715331989973, - 0.9866885762862397 - ] - }, + "startBinding": null, "endBinding": null, "startArrowhead": null, "endArrowhead": "arrow", - "elbowed": false, - "moveMidPointsWithElement": false + "elbowed": false }, { - "id": "BMPIHnLsgb_8c4X_jamG7", + "id": "_jD7R2KGUuNPx1hMIlvfG", "type": "arrow", - "x": 462.8535243671166, - "y": 608.641357390665, - "width": 0.5926667276448825, - "height": 116.43484124248243, + "x": 2456.333914104402, + "y": 1056.0598981791654, + "width": 1.1085390365815329, + "height": 307.4276940804075, "angle": 0, "strokeColor": "#1e1e1e", "backgroundColor": "transparent", @@ -1902,16 +5044,16 @@ "opacity": 100, "groupIds": [], "frameId": null, - "index": "af", + "index": "b1M", "roundness": { "type": 2 }, - "seed": 2070522544, - "version": 254, - "versionNonce": 1761973936, + "seed": 179562776, + "version": 440, + "versionNonce": 1756854888, "isDeleted": false, "boundElements": [], - "updated": 1772721334719, + "updated": 1774974110026, "link": null, "locked": false, "points": [ @@ -1920,23 +5062,15 @@ 0 ], [ - 0.5926667276448825, - 116.43484124248243 + -1.1085390365815329, + 307.4276940804075 ] ], "startBinding": null, - "endBinding": { - "elementId": "iBCfEa_kcs9nqougTQ6Ik", - "mode": "orbit", - "fixedPoint": [ - 0.48130200911029575, - 0.4813020091102959 - ] - }, + "endBinding": null, "startArrowhead": null, "endArrowhead": "arrow", - "elbowed": false, - "moveMidPointsWithElement": false + "elbowed": false } ], "appState": { diff --git a/media/bb-diagram-dark-mode.png b/media/bb-diagram-dark-mode.png index bd5049d..ddf2b32 100644 Binary files a/media/bb-diagram-dark-mode.png and b/media/bb-diagram-dark-mode.png differ 
diff --git a/media/bb-diagram.png b/media/bb-diagram.png index b3e1d52..f970f99 100644 Binary files a/media/bb-diagram.png and b/media/bb-diagram.png differ diff --git a/media/bb-viewer-createfilew.png b/media/bb-viewer-createfilew.png new file mode 100644 index 0000000..98080f0 Binary files /dev/null and b/media/bb-viewer-createfilew.png differ diff --git a/media/bb-viewer-home.png b/media/bb-viewer-home.png new file mode 100644 index 0000000..b9f9552 Binary files /dev/null and b/media/bb-viewer-home.png differ diff --git a/tests/Cargo.toml b/tests/Cargo.toml index 0d20735..b9a10b2 100644 --- a/tests/Cargo.toml +++ b/tests/Cargo.toml @@ -8,8 +8,10 @@ name = "bb_tests" path = "src/lib.rs" [dependencies] -bb-consts = { path = "../bb-consts" } -bb-types = { path = "../bb-types" } +bb-arch.workspace = true +bb-consts = { path = "../cli/bb-consts" } +bb-funcs = { path = "../cli/bb-funcs" } +bb-types = { path = "../cli/bb-types" } bb-clang.workspace = true bb-sdk.workspace = true clang.workspace = true diff --git a/tests/src/integration.rs b/tests/src/integration.rs index dd0a785..dae4490 100644 --- a/tests/src/integration.rs +++ b/tests/src/integration.rs @@ -3,11 +3,17 @@ mod tests { use serial_test::serial; use anyhow::Context; - use bb_clang::{Enum, Struct, ToJson, build_referred_components}; + use bb_arch::reg::{X64Gpr, X86Gpr}; + use bb_arch::{Arch, MemoryOperand, ParamLocation, Register, ReturnLocation}; + use bb_clang::{Enum, Function, Struct, ToJson, build_referred_components}; use bb_consts_lib::{ ConstFilter, build_lookup_table, collect_constants, collect_enums, filter_constants_by_name, }; - use bb_sdk::{Arch, HeaderConfig, SdkMode}; + use bb_funcs_lib::where_filter::{eval_where, parse_where}; + use bb_funcs_lib::{ + FuncFilter, FuncSort, ParamCountFilter, collect_funcs, collect_funcs_filtered, + }; + use bb_sdk::{HeaderConfig, SdkMode}; use bb_types_lib::{StructFilter, collect_structs, iter_structs}; use clang::{Clang, Index}; 
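Review bot: The three CLI crates are pulled in with relative `path = "../cli/…"` entries while `bb-arch`, `bb-clang` and `bb-sdk` right next to them use `.workspace = true`, so the `[dependencies]` table now mixes two ways of naming sibling crates. The `-`/`+` pair shows exactly the cost of the relative form: the crates moved into `cli/` and every path had to be rewritten by hand. If those crates are (or can be) declared once under the root `[workspace.dependencies]`, `bb-consts.workspace = true`, `bb-funcs.workspace = true` and `bb-types.workspace = true` would keep a single source of truth for their location. Purely a consistency point; the manifest is otherwise fine.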
@@ -161,7 +167,7 @@ mod tests { // FILETIME: always 8 bytes, exactly 2 DWORD fields let filetime = find_struct(&structs, "_FILETIME").unwrap(); - // Location: should be in guiddef.h + // Location: should be in minwindef.h let location = filetime .get_location() .ok_or_else(|| anyhow::anyhow!("FILETIME should have a source location"))?; @@ -373,7 +379,7 @@ mod tests { // Macro constants (including composed ones) should be present assert!( - vars.iter().any(|c| c.is_macro()), + vars.iter().any(bb_clang::Constant::is_macro), "should find macro constants" ); @@ -636,7 +642,6 @@ mod tests { assert!(!structs.is_empty(), "_PEB must exist"); let full = structs.to_json_full(); - dbg!(&full); assert!(full["types"].is_array(), "should have types array"); assert!( full["referenced_types"].is_array(), @@ -840,7 +845,7 @@ mod tests { let j = max_path.to_json_full(); assert_eq!( - j["referred_components"].as_array().map(|a| a.len()), + j["referred_components"].as_array().map(std::vec::Vec::len), Some(0), "to_json_full on a simple constant should have empty referred_components" ); 
@@ -848,6 +853,1135 @@ mod tests { Ok(()) } + /* ──────────────────────────────── Functions ───────────────────────────── */ + + /// Find a function by name. + fn find_func<'a, 'b>(funcs: &'b [Function<'a>], name: &str) -> Option<&'b Function<'a>> { + funcs.iter().find(|f| f.get_name() == name) + } + + #[test] + #[serial] + fn funcs_populated_and_valid() -> anyhow::Result<()> { + winsdk!(clang, index, tu); + + let funcs = collect_funcs(&tu); + + assert!( + funcs.len() > 100, + "expected hundreds of functions, got {}", + funcs.len() + ); + + // Every function should have a name and calling convention. + for f in &funcs { + assert!(!f.get_name().is_empty(), "function should have a name"); + assert!( + !f.get_return_type_name().is_empty(), + "function '{}' should have a return type name", + f.get_name() + ); + } + + Ok(()) + } + + #[test] + #[serial] + fn well_known_functions_exist() -> anyhow::Result<()> { + winsdk!(clang, index, tu); + + let funcs = collect_funcs(&tu); + + let expected: &[&str] = &[ + "CreateFileW", + "CloseHandle", + "ReadFile", + "WriteFile", + "GetLastError", + ]; + + for name in expected { + assert!( + find_func(&funcs, name).is_some(), + "{name} not found in parsed functions" + ); + } + + Ok(()) + } + + #[test] + #[serial] + fn function_arch_detection_amd64() -> anyhow::Result<()> { + winsdk!(clang, index, tu, Arch::Amd64, SdkMode::User); + + let funcs = collect_funcs(&tu); + let f = find_func(&funcs, "CloseHandle").expect("CloseHandle must exist"); + + assert_eq!(f.get_arch(), Arch::Amd64); + + Ok(()) + } + + #[test] + #[serial] + fn function_arch_detection_x86() -> anyhow::Result<()> { + winsdk!(clang, index, tu, Arch::X86, SdkMode::User); + + let funcs = collect_funcs(&tu); + let f = find_func(&funcs, "CloseHandle").expect("CloseHandle must exist"); + + assert_eq!(f.get_arch(), Arch::X86); + + Ok(()) + } + + #[test] + #[serial] + fn closehandle_x64_param_in_rcx() -> anyhow::Result<()> { + winsdk!(clang, index, tu, Arch::Amd64, 
SdkMode::User); + + let funcs = collect_funcs(&tu); + let f = find_func(&funcs, "CloseHandle").expect("CloseHandle must exist"); + + // CloseHandle(HANDLE hObject) — 1 param, integer, in RCX on x64. + let params = f.get_params(); + assert_eq!(params.len(), 1, "CloseHandle has exactly 1 parameter"); + + let p = ¶ms[0]; + assert_eq!(p.get_name(), Some("hObject")); + + assert_eq!( + *p.get_abi_location(), + ParamLocation::Direct { + locations: vec![MemoryOperand::Reg(Register::X64Gpr(X64Gpr::Rcx))], + size: 8, + }, + "CloseHandle's HANDLE param should be in RCX on x64" + ); + + // Return: BOOL → RAX + assert_eq!( + *f.get_return_location(), + ReturnLocation::Register(Register::X64Gpr(X64Gpr::Rax)), + ); + + Ok(()) + } + + #[test] + #[serial] + fn createfilew_x64_params() -> anyhow::Result<()> { + winsdk!(clang, index, tu, Arch::Amd64, SdkMode::User); + + let funcs = collect_funcs(&tu); + let f = find_func(&funcs, "CreateFileW").expect("CreateFileW must exist"); + + // CreateFileW has 7 params (callee-entry RSP): + // LPCWSTR lpFileName → RCX (pos 0) + // DWORD dwDesiredAccess → RDX (pos 1) + // DWORD dwShareMode → R8 (pos 2) + // LPSECURITY_ATTRIBUTES ... → R9 (pos 3) + // DWORD dwCreationDisposition → [RSP+0x28] (pos 4) + // DWORD dwFlagsAndAttributes → [RSP+0x30] (pos 5) + // HANDLE hTemplateFile → [RSP+0x38] (pos 6) + let params = f.get_params(); + assert_eq!(params.len(), 7, "CreateFileW has 7 parameters"); + + // First 4 in registers. + let expected_regs = [X64Gpr::Rcx, X64Gpr::Rdx, X64Gpr::R8, X64Gpr::R9]; + for (i, expected_reg) in expected_regs.iter().enumerate() { + match ¶ms[i].get_abi_location() { + ParamLocation::Direct { locations, .. } => { + assert_eq!( + locations[0], + MemoryOperand::Reg(Register::X64Gpr(*expected_reg)), + "param {i} should be in {expected_reg:?}" + ); + } + other => panic!("param {i} expected Direct, got {other:?}"), + } + } + + // Params 4–6 on stack (callee-entry RSP). 
+ // 0x08 return addr + 0x20 shadow = 0x28 base, then +8 per slot. + let rsp = Register::X64Gpr(X64Gpr::Rsp); + for (i, rsp_off) in [(4, 0x28_i64), (5, 0x30), (6, 0x38)] { + match ¶ms[i].get_abi_location() { + ParamLocation::Direct { locations, .. } => { + assert_eq!( + locations[0], + MemoryOperand::RegImm { + base: rsp, + offset: rsp_off + }, + "param {i} should be at [RSP+{rsp_off:#x}]" + ); + } + other => panic!("param {i} expected Direct stack, got {other:?}"), + } + } + + Ok(()) + } + + #[test] + #[serial] + fn closehandle_x86_param_on_stack() -> anyhow::Result<()> { + winsdk!(clang, index, tu, Arch::X86, SdkMode::User); + + let funcs = collect_funcs(&tu); + let f = find_func(&funcs, "CloseHandle").expect("CloseHandle must exist"); + + let params = f.get_params(); + assert_eq!(params.len(), 1); + + // On x86 stdcall, all params on stack (callee-entry ESP). + // HANDLE at [ESP+0x04] (after return address). + let esp = Register::X86Gpr(X86Gpr::Esp); + match params[0].get_abi_location() { + ParamLocation::Direct { locations, size } => { + assert_eq!( + locations[0], + MemoryOperand::RegImm { + base: esp, + offset: 0x04, + }, + ); + assert_eq!(*size, 4, "HANDLE on x86 is 4 bytes"); + } + other => panic!("expected Direct stack, got {other:?}"), + } + + Ok(()) + } + + #[test] + #[serial] + fn getlasterror_void_params_rax_return() -> anyhow::Result<()> { + winsdk!(clang, index, tu, Arch::Amd64, SdkMode::User); + + let funcs = collect_funcs(&tu); + let f = find_func(&funcs, "GetLastError").expect("GetLastError must exist"); + + // GetLastError takes no parameters. + assert!(f.get_params().is_empty(), "GetLastError has no parameters"); + + // Returns DWORD in RAX. 
+ assert_eq!( + *f.get_return_location(), + ReturnLocation::Register(Register::X64Gpr(X64Gpr::Rax)), + ); + + Ok(()) + } + + #[test] + #[serial] + fn function_json_structure() -> anyhow::Result<()> { + winsdk!(clang, index, tu, Arch::Amd64, SdkMode::User); + + let funcs = collect_funcs(&tu); + let f = find_func(&funcs, "CloseHandle").expect("CloseHandle must exist"); + + let j = f.to_json(); + assert_eq!(j["name"], "CloseHandle"); + assert!(j["params"].is_array(), "should have params array"); + assert!( + j["calling_convention"].is_string(), + "should have calling_convention" + ); + assert!( + j["return_location"].is_object() || j["return_location"].is_string(), + "should have return_location" + ); + assert!(j["arch"].is_string(), "should have arch"); + + // params[0] should have abi_location + let p0 = &j["params"][0]; + assert!( + p0["abi_location"].is_object(), + "param should have abi_location" + ); + + // Slice + let arr = funcs.to_json(); + assert!(arr.is_array(), "slice to_json should produce an array"); + assert!(arr.as_array().unwrap().len() > 100); + + Ok(()) + } + + /* ────────────────────────── Function filtering ────────────────────────── */ + + fn base_func_filter() -> FuncFilter { + FuncFilter { + name_pattern: None, + header_filter: Some("handleapi.h".into()), + case_sensitive: true, + dllimport_only: false, + param_count: None, + param_type_pattern: None, + return_type_pattern: None, + has_body: None, + sort: None, + sort_dir: bb_funcs_lib::SortDir::Asc, + where_clause: None, + first: None, + } + } + + #[test] + #[serial] + fn filter_by_param_count_exact() -> anyhow::Result<()> { + winsdk!(clang, index, tu); + + let filter = FuncFilter { + param_count: Some(ParamCountFilter::Exact(1)), + ..base_func_filter() + }; + let funcs = collect_funcs_filtered(&tu, &filter).map_err(anyhow::Error::msg)?; + + assert!( + !funcs.is_empty(), + "should find 1-param functions in handleapi.h" + ); + for f in &funcs { + assert_eq!( + f.get_params().len(), + 1, + "'{}' 
should have exactly 1 param", + f.get_name() + ); + } + assert!( + find_func(&funcs, "CloseHandle").is_some(), + "CloseHandle has 1 param" + ); + + Ok(()) + } + + #[test] + #[serial] + fn filter_by_param_count_range() -> anyhow::Result<()> { + winsdk!(clang, index, tu); + + let filter = FuncFilter { + param_count: Some(ParamCountFilter::Range { min: 5, max: None }), + ..base_func_filter() + }; + let funcs = collect_funcs_filtered(&tu, &filter).map_err(anyhow::Error::msg)?; + + for f in &funcs { + assert!( + f.get_params().len() >= 5, + "'{}' has {} params, expected >= 5", + f.get_name(), + f.get_params().len() + ); + } + assert!( + find_func(&funcs, "DuplicateHandle").is_some(), + "DuplicateHandle has 7 params" + ); + + Ok(()) + } + + #[test] + #[serial] + fn filter_by_param_type_positional() -> anyhow::Result<()> { + winsdk!(clang, index, tu); + + // First param must be HANDLE + let filter = FuncFilter { + param_type_pattern: Some("HANDLE".into()), + ..base_func_filter() + }; + let funcs = collect_funcs_filtered(&tu, &filter).map_err(anyhow::Error::msg)?; + + assert!( + !funcs.is_empty(), + "should find functions with HANDLE as first param" + ); + for f in &funcs { + assert_eq!( + f.get_params()[0].get_type_name(), + "HANDLE", + "'{}' first param should be HANDLE", + f.get_name() + ); + } + + Ok(()) + } + + #[test] + #[serial] + fn filter_by_param_type_positional_skip() -> anyhow::Result<()> { + winsdk!(clang, index, tu); + + // 4th param (index 3) must be LPHANDLE, using explicit _ slots. + // Trailing ... because DuplicateHandle has 7 params. 
+ let filter = FuncFilter { + param_type_pattern: Some("_,_,_,LPHANDLE,...".into()), + ..base_func_filter() + }; + let funcs = collect_funcs_filtered(&tu, &filter).map_err(anyhow::Error::msg)?; + + assert_eq!( + funcs.len(), + 1, + "only DuplicateHandle has LPHANDLE at position 3" + ); + assert_eq!(funcs[0].get_name(), "DuplicateHandle"); + + Ok(()) + } + + #[test] + #[serial] + fn filter_by_param_type_floating() -> anyhow::Result<()> { + winsdk!(clang, index, tu); + + // ...,LPHANDLE → LPHANDLE at any position. + let filter = FuncFilter { + param_type_pattern: Some("...,LPHANDLE,...".into()), + ..base_func_filter() + }; + let funcs = collect_funcs_filtered(&tu, &filter).map_err(anyhow::Error::msg)?; + + assert!( + find_func(&funcs, "DuplicateHandle").is_some(), + "DuplicateHandle has LPHANDLE at position 3" + ); + for f in &funcs { + assert!( + f.get_params() + .iter() + .any(|p| p.get_type_name() == "LPHANDLE"), + "'{}' should have an LPHANDLE param", + f.get_name() + ); + } + + Ok(()) + } + + #[test] + #[serial] + fn filter_by_param_type_floating_pair() -> anyhow::Result<()> { + winsdk!(clang, index, tu); + + // ...,HANDLE,HANDLE,... → consecutive HANDLE pair at any position. + let filter = FuncFilter { + param_type_pattern: Some("...,HANDLE,HANDLE,...".into()), + ..base_func_filter() + }; + let funcs = collect_funcs_filtered(&tu, &filter).map_err(anyhow::Error::msg)?; + + assert!( + find_func(&funcs, "DuplicateHandle").is_some(), + "DuplicateHandle has HANDLE,HANDLE,HANDLE at positions 0-2" + ); + assert!( + find_func(&funcs, "CompareObjectHandles").is_some(), + "CompareObjectHandles has HANDLE,HANDLE at positions 0-1" + ); + assert!( + find_func(&funcs, "CloseHandle").is_none(), + "CloseHandle has only 1 param, can't match HANDLE,HANDLE" + ); + + Ok(()) + } + + #[test] + #[serial] + fn filter_by_param_type_open_tail() -> anyhow::Result<()> { + winsdk!(clang, index, tu); + + // HANDLE,... → HANDLE at position 0, any trailing params OK. 
+ let filter = FuncFilter { + param_type_pattern: Some("HANDLE,...".into()), + ..base_func_filter() + }; + let funcs = collect_funcs_filtered(&tu, &filter).map_err(anyhow::Error::msg)?; + + assert!( + find_func(&funcs, "CloseHandle").is_some(), + "CloseHandle(HANDLE) matches — open tail allows 0 trailing" + ); + assert!( + find_func(&funcs, "DuplicateHandle").is_some(), + "DuplicateHandle(HANDLE, ...) matches" + ); + + Ok(()) + } + + #[test] + #[serial] + fn filter_by_param_type_middle_gap() -> anyhow::Result<()> { + winsdk!(clang, index, tu); + + // HANDLE,...,DWORD,... → HANDLE at 0, then DWORD at some later position. + let filter = FuncFilter { + param_type_pattern: Some("HANDLE,...,DWORD,...".into()), + ..base_func_filter() + }; + let funcs = collect_funcs_filtered(&tu, &filter).map_err(anyhow::Error::msg)?; + + assert!( + find_func(&funcs, "SetHandleInformation").is_some(), + "SetHandleInformation(HANDLE, DWORD, DWORD) matches" + ); + assert!( + find_func(&funcs, "DuplicateHandle").is_some(), + "DuplicateHandle(HANDLE, ..., DWORD, ...) 
matches" + ); + assert!( + find_func(&funcs, "CompareObjectHandles").is_none(), + "CompareObjectHandles(HANDLE, HANDLE) has no DWORD" + ); + + Ok(()) + } + + #[test] + #[serial] + fn filter_by_return_type() -> anyhow::Result<()> { + winsdk!(clang, index, tu); + + let filter = FuncFilter { + return_type_pattern: Some("BOOL".into()), + ..base_func_filter() + }; + let funcs = collect_funcs_filtered(&tu, &filter).map_err(anyhow::Error::msg)?; + + assert!(!funcs.is_empty(), "should find BOOL-returning functions"); + for f in &funcs { + assert_eq!( + f.get_return_type_name(), + "BOOL", + "'{}' should return BOOL", + f.get_name() + ); + } + + Ok(()) + } + + #[test] + #[serial] + fn filter_by_exported() -> anyhow::Result<()> { + winsdk!(clang, index, tu); + + let filter = FuncFilter { + dllimport_only: true, + ..base_func_filter() + }; + let funcs = collect_funcs_filtered(&tu, &filter).map_err(anyhow::Error::msg)?; + + for f in &funcs { + assert!(f.is_dllimport(), "'{}' should be dllimport", f.get_name()); + } + + Ok(()) + } + + #[test] + #[serial] + fn sort_by_params() -> anyhow::Result<()> { + winsdk!(clang, index, tu); + + let filter = FuncFilter { + sort: Some(FuncSort::Params), + dllimport_only: true, + ..base_func_filter() + }; + let funcs = collect_funcs_filtered(&tu, &filter).map_err(anyhow::Error::msg)?; + + assert!(funcs.len() > 1, "need multiple functions to verify sort"); + for w in funcs.windows(2) { + assert!( + w[0].get_params().len() <= w[1].get_params().len(), + "'{}' ({} params) should come before '{}' ({} params)", + w[0].get_name(), + w[0].get_params().len(), + w[1].get_name(), + w[1].get_params().len(), + ); + } + + Ok(()) + } + + #[test] + #[serial] + fn sort_by_name() -> anyhow::Result<()> { + winsdk!(clang, index, tu); + + let filter = FuncFilter { + sort: Some(FuncSort::Name), + dllimport_only: true, + ..base_func_filter() + }; + let funcs = collect_funcs_filtered(&tu, &filter).map_err(anyhow::Error::msg)?; + + assert!(funcs.len() > 1, "need 
multiple functions to verify sort"); + for w in funcs.windows(2) { + assert!( + w[0].get_name() <= w[1].get_name(), + "'{}' should come before '{}'", + w[0].get_name(), + w[1].get_name(), + ); + } + + Ok(()) + } + + #[test] + #[serial] + fn filter_combined_param_count_and_return() -> anyhow::Result<()> { + winsdk!(clang, index, tu); + + // BOOL-returning functions with exactly 2 params in handleapi.h + let filter = FuncFilter { + param_count: Some(ParamCountFilter::Exact(2)), + return_type_pattern: Some("BOOL".into()), + dllimport_only: true, + ..base_func_filter() + }; + let funcs = collect_funcs_filtered(&tu, &filter).map_err(anyhow::Error::msg)?; + + for f in &funcs { + assert_eq!(f.get_params().len(), 2); + assert_eq!(f.get_return_type_name(), "BOOL"); + assert!(f.is_dllimport()); + } + + Ok(()) + } + + /* ────────────────────────── WHERE clause filter ──────────────────────── */ + + #[test] + #[serial] + fn where_param_count_gt() -> anyhow::Result<()> { + winsdk!(clang, index, tu); + + let funcs = collect_funcs(&tu); + let expr = parse_where("params > 5").unwrap(); + let filtered: Vec<_> = funcs.iter().filter(|f| eval_where(&expr, f)).collect(); + + assert!( + !filtered.is_empty(), + "should find functions with > 5 params" + ); + for f in &filtered { + assert!( + f.get_params().len() > 5, + "'{}' has {} params, expected > 5", + f.get_name(), + f.get_params().len() + ); + } + + Ok(()) + } + + #[test] + #[serial] + fn where_return_type_eq() -> anyhow::Result<()> { + winsdk!(clang, index, tu); + + let filter = FuncFilter { + header_filter: Some("handleapi.h".into()), + ..base_func_filter() + }; + let funcs = collect_funcs_filtered(&tu, &filter).map_err(anyhow::Error::msg)?; + let expr = parse_where("return_type = 'BOOL'").unwrap(); + let filtered: Vec<_> = funcs.iter().filter(|f| eval_where(&expr, f)).collect(); + + assert!(!filtered.is_empty()); + for f in &filtered { + assert_eq!(f.get_return_type_name(), "BOOL"); + } + + Ok(()) + } + + #[test] + #[serial] + fn 
where_name_like() -> anyhow::Result<()> { + winsdk!(clang, index, tu); + + let filter = FuncFilter { + header_filter: Some("handleapi.h".into()), + ..base_func_filter() + }; + let funcs = collect_funcs_filtered(&tu, &filter).map_err(anyhow::Error::msg)?; + let expr = parse_where("name LIKE '%Handle%'").unwrap(); + let filtered: Vec<_> = funcs.iter().filter(|f| eval_where(&expr, f)).collect(); + + assert!( + filtered.len() >= 3, + "should find multiple *Handle* functions" + ); + for f in &filtered { + assert!( + f.get_name().to_lowercase().contains("handle"), + "'{}' should contain 'Handle'", + f.get_name() + ); + } + + Ok(()) + } + + #[test] + #[serial] + fn where_compound_and_or() -> anyhow::Result<()> { + winsdk!(clang, index, tu); + + let filter = FuncFilter { + header_filter: Some("handleapi.h".into()), + ..base_func_filter() + }; + let funcs = collect_funcs_filtered(&tu, &filter).map_err(anyhow::Error::msg)?; + let expr = + parse_where("params > 3 AND (return_type = 'BOOL' OR return_type = 'HANDLE')").unwrap(); + let filtered: Vec<_> = funcs.iter().filter(|f| eval_where(&expr, f)).collect(); + + for f in &filtered { + assert!(f.get_params().len() > 3); + assert!( + f.get_return_type_name() == "BOOL" || f.get_return_type_name() == "HANDLE", + "'{}' returns '{}', expected BOOL or HANDLE", + f.get_name(), + f.get_return_type_name() + ); + } + + Ok(()) + } + + #[test] + #[serial] + fn where_is_exported() -> anyhow::Result<()> { + winsdk!(clang, index, tu); + + let filter = FuncFilter { + header_filter: Some("handleapi.h".into()), + ..base_func_filter() + }; + let funcs = collect_funcs_filtered(&tu, &filter).map_err(anyhow::Error::msg)?; + let expr = parse_where("is_exported = true").unwrap(); + let filtered: Vec<_> = funcs.iter().filter(|f| eval_where(&expr, f)).collect(); + + for f in &filtered { + assert!(f.is_dllimport(), "'{}' should be exported", f.get_name()); + } + + Ok(()) + } + + #[test] + #[serial] + fn where_between() -> anyhow::Result<()> { + 
winsdk!(clang, index, tu); + + let funcs = collect_funcs(&tu); + let expr = parse_where("params BETWEEN 2 AND 4").unwrap(); + let filtered: Vec<_> = funcs.iter().filter(|f| eval_where(&expr, f)).collect(); + + assert!(!filtered.is_empty()); + for f in &filtered { + let n = f.get_params().len(); + assert!( + (2..=4).contains(&n), + "'{}' has {} params, expected 2..=4", + f.get_name(), + n + ); + } + + Ok(()) + } + + #[test] + #[serial] + fn where_in_list() -> anyhow::Result<()> { + winsdk!(clang, index, tu); + + let filter = FuncFilter { + header_filter: Some("handleapi.h".into()), + ..base_func_filter() + }; + let funcs = collect_funcs_filtered(&tu, &filter).map_err(anyhow::Error::msg)?; + let expr = parse_where("name IN ('CloseHandle', 'DuplicateHandle')").unwrap(); + let filtered: Vec<_> = funcs.iter().filter(|f| eval_where(&expr, f)).collect(); + + assert_eq!(filtered.len(), 2); + assert!(filtered.iter().any(|f| f.get_name() == "CloseHandle")); + assert!(filtered.iter().any(|f| f.get_name() == "DuplicateHandle")); + + Ok(()) + } + + #[test] + #[serial] + fn where_not_negation() -> anyhow::Result<()> { + winsdk!(clang, index, tu); + + let filter = FuncFilter { + header_filter: Some("handleapi.h".into()), + ..base_func_filter() + }; + let funcs = collect_funcs_filtered(&tu, &filter).map_err(anyhow::Error::msg)?; + let all_count = funcs.len(); + let expr = parse_where("NOT name LIKE '%Close%'").unwrap(); + let filtered: Vec<_> = funcs.iter().filter(|f| eval_where(&expr, f)).collect(); + + assert!(filtered.len() < all_count); + for f in &filtered { + assert!( + !f.get_name().to_lowercase().contains("close"), + "'{}' should not contain 'close' (case-insensitive)", + f.get_name() + ); + } + + Ok(()) + } + + #[test] + #[serial] + fn where_header_filter() -> anyhow::Result<()> { + winsdk!(clang, index, tu); + + let funcs = collect_funcs(&tu); + let expr = parse_where("header = 'handleapi.h'").unwrap(); + let filtered: Vec<_> = funcs.iter().filter(|f| eval_where(&expr, 
f)).collect(); + + assert!(!filtered.is_empty()); + for f in &filtered { + let file = f + .get_location() + .and_then(|l| l.file.clone()) + .unwrap_or_default(); + assert_eq!( + file.to_lowercase(), + "handleapi.h", + "'{}' should be in handleapi.h", + f.get_name() + ); + } + + Ok(()) + } + + #[test] + #[serial] + fn where_invalid_sql_returns_err() { + assert!(parse_where("???invalid!!!").is_err()); + assert!(parse_where("").is_err()); + } + + #[test] + #[serial] + fn where_invalid_sql_propagates_through_filter() -> anyhow::Result<()> { + winsdk!(clang, index, tu); + + let filter = FuncFilter { + where_clause: Some("???invalid!!!".into()), + ..base_func_filter() + }; + let result = collect_funcs_filtered(&tu, &filter); + assert!( + result.is_err(), + "invalid WHERE should propagate as an error, not silently return all results" + ); + + Ok(()) + } + + /* ─────────────────────── Sort keys (stack/param) ───────────────────── */ + + #[test] + #[serial] + fn sort_by_stack_size() -> anyhow::Result<()> { + winsdk!(clang, index, tu); + + let filter = FuncFilter { + sort: Some(FuncSort::StackSize), + dllimport_only: true, + ..base_func_filter() + }; + let funcs = collect_funcs_filtered(&tu, &filter).map_err(anyhow::Error::msg)?; + + assert!(funcs.len() > 1); + let sizes: Vec = funcs + .iter() + .map(|f| { + f.get_params() + .iter() + .filter_map(|p| match p.get_abi_location() { + ParamLocation::Direct { locations, size } + if locations + .first() + .is_some_and(|l| matches!(l, MemoryOperand::RegImm { .. 
})) => + { + Some(*size) + } + _ => None, + }) + .sum() + }) + .collect(); + + for w in sizes.windows(2) { + assert!(w[0] <= w[1], "stack sizes should be ascending"); + } + + Ok(()) + } + + #[test] + #[serial] + fn sort_max_stack_param_desc() -> anyhow::Result<()> { + winsdk!(clang, index, tu, Arch::X86, SdkMode::User); + + let filter = FuncFilter { + header_filter: Some("fileapi.h".into()), + sort: Some(FuncSort::MaxStackParam), + sort_dir: bb_funcs_lib::SortDir::Desc, + dllimport_only: true, + ..base_func_filter() + }; + let funcs = collect_funcs_filtered(&tu, &filter).map_err(anyhow::Error::msg)?; + + assert!(funcs.len() > 1); + let sizes: Vec = funcs + .iter() + .map(|f| { + f.get_params() + .iter() + .filter_map(|p| match p.get_abi_location() { + ParamLocation::Direct { locations, size } + if locations + .first() + .is_some_and(|l| matches!(l, MemoryOperand::RegImm { .. })) => + { + Some(*size) + } + _ => None, + }) + .max() + .unwrap_or(0) + }) + .collect(); + + for w in sizes.windows(2) { + assert!(w[0] >= w[1], "max stack param sizes should be descending"); + } + + Ok(()) + } + + /* ──────────────────────────── --first limit ────────────────────────── */ + + #[test] + #[serial] + fn first_limits_results() -> anyhow::Result<()> { + winsdk!(clang, index, tu); + + let all = collect_funcs(&tu); + assert!(all.len() > 10, "should have many functions"); + + // Simulate --first 3 by truncating. + let mut limited = all; + limited.truncate(3); + assert_eq!(limited.len(), 3); + + Ok(()) + } + + /* ──────────────── Constant expression field (issue #9) ──────────────── */ + + #[test] + #[serial] + fn macro_constant_has_expression() -> anyhow::Result<()> { + winsdk!(clang, index, tu); + + let vars = collect_constants(&tu, &no_filter()); + + // MAX_PATH is a simple #define MAX_PATH 260 — the expression is just "260". 
+ let max_path = vars + .iter() + .find(|c| c.get_name() == "MAX_PATH") + .expect("MAX_PATH must exist"); + assert!(max_path.is_macro(), "MAX_PATH should be a macro"); + let expr = max_path.get_expression(); + assert!(expr.is_some(), "macro constants should have an expression"); + assert!(!expr.unwrap().is_empty(), "expression should not be empty"); + + Ok(()) + } + + #[test] + #[serial] + fn macro_expression_in_json() -> anyhow::Result<()> { + winsdk!(clang, index, tu); + + let vars = collect_constants(&tu, &no_filter()); + let max_path = vars + .iter() + .find(|c| c.get_name() == "MAX_PATH") + .expect("MAX_PATH must exist"); + + let j = max_path.to_json(); + assert!( + j["expression"].is_string(), + "JSON should have expression field for macros" + ); + + Ok(()) + } + + #[test] + #[serial] + fn enum_constant_expression() -> anyhow::Result<()> { + winsdk!(clang, index, tu); + + let enums = collect_enums(&tu, &no_filter()); + + // Find any enum with children — most have explicit values. + let enum_with_values = enums.iter().find(|e| { + e.get_constants() + .iter() + .any(|c| c.get_expression().is_some()) + }); + assert!( + enum_with_values.is_some(), + "should find at least one enum constant with an expression" + ); + + Ok(()) + } + + /* ──────────────── Field type metadata (issue #10) ─────────────────── */ + + #[test] + #[serial] + fn field_json_has_type_metadata() -> anyhow::Result<()> { + winsdk!(clang, index, tu); + + let filter = StructFilter { + name_pattern: Some("_GUID".into()), + header_filter: None, + case_sensitive: true, + }; + let structs = collect_structs(&tu, &filter); + let guid = structs + .into_iter() + .next() + .ok_or_else(|| anyhow::anyhow!("GUID must exist"))?; + + let j = guid.to_json(); + let fields = j["fields"].as_array().expect("should have fields"); + assert!(!fields.is_empty()); + + // Every field should have the type metadata properties. 
+ for field in fields { + assert!( + field["is_const"].is_boolean(), + "field should have is_const boolean: {field}" + ); + assert!( + field["is_pointer"].is_boolean(), + "field should have is_pointer boolean: {field}" + ); + assert!( + field["is_array"].is_boolean(), + "field should have is_array boolean: {field}" + ); + } + + Ok(()) + } + + #[test] + #[serial] + fn field_array_detection() -> anyhow::Result<()> { + winsdk!(clang, index, tu); + + // _GUID has Data4[8] which is a fixed-size array. + let filter = StructFilter { + name_pattern: Some("_GUID".into()), + header_filter: None, + case_sensitive: true, + }; + let structs = collect_structs(&tu, &filter); + let guid = structs + .into_iter() + .next() + .ok_or_else(|| anyhow::anyhow!("GUID must exist"))?; + + let j = guid.to_json(); + let fields = j["fields"].as_array().expect("should have fields"); + + let data4 = fields + .iter() + .find(|f| f["name"] == "Data4") + .expect("GUID should have Data4 field"); + assert_eq!(data4["is_array"], true, "Data4 should be an array"); + assert_eq!(data4["array_size"], 8, "Data4 should have 8 elements"); + assert_eq!(data4["is_pointer"], false, "Data4 should not be a pointer"); + + Ok(()) + } + + #[test] + #[serial] + fn field_pointer_detection() -> anyhow::Result<()> { + winsdk!(clang, index, tu, Arch::Amd64, SdkMode::User); + + // Find a struct with a pointer field. _PEB has many. + let filter = StructFilter { + name_pattern: Some("_PEB".into()), + header_filter: None, + case_sensitive: true, + }; + let structs = collect_structs(&tu, &filter); + let peb = structs + .into_iter() + .next() + .ok_or_else(|| anyhow::anyhow!("PEB must exist"))?; + + let j = peb.to_json(); + let fields = j["fields"].as_array().expect("should have fields"); + + // PEB has pointer fields. + let has_pointer = fields.iter().any(|f| f["is_pointer"] == true); + assert!(has_pointer, "PEB should have at least one pointer field"); + + // Pointer fields with underlying_type show what they point to. 
+ let pointer_with_underlying = fields + .iter() + .find(|f| f["is_pointer"] == true && f["underlying_type"].is_string()); + assert!( + pointer_with_underlying.is_some(), + "should find a pointer field with underlying_type set" + ); + + Ok(()) + } + /* ───────────────────────────────── Helpers ──────────────────────────────── */ fn no_filter() -> ConstFilter { diff --git a/bb-consts-tui/Cargo.toml b/tui/bb-consts-tui/Cargo.toml similarity index 88% rename from bb-consts-tui/Cargo.toml rename to tui/bb-consts-tui/Cargo.toml index 8e9d5ff..d9ca6d1 100644 --- a/bb-consts-tui/Cargo.toml +++ b/tui/bb-consts-tui/Cargo.toml @@ -8,7 +8,7 @@ bb-tui = { workspace = true } bb-clang = { workspace = true } bb-shared = { workspace = true } bb-cli = { workspace = true } -bb-consts = { path = "../bb-consts" } +bb-consts = { path = "../../cli/bb-consts" } clang = { workspace = true } clap = { workspace = true } diff --git a/bb-consts-tui/README.md b/tui/bb-consts-tui/README.md similarity index 97% rename from bb-consts-tui/README.md rename to tui/bb-consts-tui/README.md index 553273f..3139523 100644 --- a/bb-consts-tui/README.md +++ b/tui/bb-consts-tui/README.md @@ -2,7 +2,7 @@ > TUI browser for **Windows SDK** / **PHNT** constants. -`bb-consts-tui` is a TUI version of the `bb-consts` CLI application crate, using its library code, and exposing the data that is gathered with it to a [`bb-tui`](./util/bb-tui/) data model. +`bb-consts-tui` is a TUI version of the `bb-consts` CLI application crate, using its library code, and exposing the data that is gathered with it to a [`bb-tui`](../../crates/bb-tui/) data model. --- diff --git a/bb-consts-tui/src/data.rs b/tui/bb-consts-tui/src/data.rs similarity index 100% rename from bb-consts-tui/src/data.rs rename to tui/bb-consts-tui/src/data.rs diff --git a/bb-consts-tui/src/main.rs b/tui/bb-consts-tui/src/main.rs similarity index 100% rename from bb-consts-tui/src/main.rs rename to tui/bb-consts-tui/src/main.rs 
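Review bot: `first_limits_results` never exercises the `first` option it is named after — it calls `collect_funcs` and then `truncate(3)` on the returned `Vec`, so it passes whatever `collect_funcs_filtered` does with `FuncFilter::first`. Build the filter and let the library apply the limit instead: `let filter = FuncFilter { first: Some(3), ..base_func_filter() };` / `let limited = collect_funcs_filtered(&tu, &filter).map_err(anyhow::Error::msg)?;` / `assert_eq!(limited.len(), 3);` (this assumes `first` is an `Option` holding a count, as the `first: None` default in `base_func_filter` suggests; adjust if the field type differs). Separately, `sort_by_stack_size` and `sort_max_stack_param_desc` each repeat the same ten-line `filter_map` that classifies a `ParamLocation::Direct` whose first operand is `MemoryOperand::RegImm` as a stack parameter; a small helper next to `find_func`, e.g. `fn stack_param_sizes(f: &Function) -> Vec<_>` returning those sizes, would keep both sort tests agreeing on that definition. The enclosing `mod tests` begins and ends outside this hunk.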
diff --git a/bb-types-tui/Cargo.toml b/tui/bb-types-tui/Cargo.toml similarity index 88% rename from bb-types-tui/Cargo.toml rename to tui/bb-types-tui/Cargo.toml index 2479c6e..a8b4115 100644 --- a/bb-types-tui/Cargo.toml +++ b/tui/bb-types-tui/Cargo.toml @@ -8,7 +8,7 @@ bb-tui = { workspace = true } bb-clang = { workspace = true } bb-shared = { workspace = true } bb-cli = { workspace = true } -bb-types = { path = "../bb-types" } +bb-types = { path = "../../cli/bb-types" } clang = { workspace = true } clap = { workspace = true } diff --git a/bb-types-tui/README.md b/tui/bb-types-tui/README.md similarity index 97% rename from bb-types-tui/README.md rename to tui/bb-types-tui/README.md index 641f23f..4561850 100644 --- a/bb-types-tui/README.md +++ b/tui/bb-types-tui/README.md @@ -2,7 +2,7 @@ > TUI browser for **Windows SDK** / **PHNT** struct types. -`bb-types-tui` is a TUI version of the `bb-types` CLI application crate, using its library code, and exposing the data that is gathered with it to a [`bb-tui`](./util/bb-tui/) data model. +`bb-types-tui` is a TUI version of the `bb-types` CLI application crate, using its library code, and exposing the data that is gathered with it to a [`bb-tui`](../../crates/bb-tui/) data model. --- diff --git a/bb-types-tui/src/data.rs b/tui/bb-types-tui/src/data.rs similarity index 100% rename from bb-types-tui/src/data.rs rename to tui/bb-types-tui/src/data.rs diff --git a/bb-types-tui/src/main.rs b/tui/bb-types-tui/src/main.rs similarity index 100% rename from bb-types-tui/src/main.rs rename to tui/bb-types-tui/src/main.rs diff --git a/update-submodules.ps1 b/update-submodules.ps1 new file mode 100644 index 0000000..5d1e3c3 --- /dev/null +++ b/update-submodules.ps1 
@@ -0,0 +1,93 @@
+<#
+.SYNOPSIS
+ Update bb submodules.
+
+.DESCRIPTION
+ Initializes and updates git submodules used by bb.
+ Without arguments, updates all submodules.
+ With a name argument, updates only the specified submodule.
+
+.PARAMETER Name
+ Optional submodule name to update: "sparse", "phnt", or "all" (default).
+
+.EXAMPLE
+ .\update-submodules.ps1 # Update all submodules
+ .\update-submodules.ps1 sparse # Update only sparse (sdk-api data)
+ .\update-submodules.ps1 phnt # Update only phnt (NT headers)
+#>
+
+param(
+ [ValidateSet("all", "sparse", "phnt")]
+ [string]$Name = "all"
+)
+
+$ErrorActionPreference = "Stop"
+
+function Update-Sparse {
+ Write-Host "Updating sparse submodule..." -ForegroundColor Cyan
+ git submodule update --init crates/bb-sparse/sparse
+ if ($LASTEXITCODE -ne 0) { throw "Failed to update sparse submodule" }
+
+ Write-Host "Updating sparse/sdk-api nested submodule..." -ForegroundColor Cyan
+ Push-Location crates/bb-sparse/sparse
+ git submodule update --init sdk-api
+ if ($LASTEXITCODE -ne 0) { Pop-Location; throw "Failed to update sdk-api submodule" }
+ Pop-Location
+
+ Write-Host "sparse submodule ready." -ForegroundColor Green
+}
+
+function Update-Phnt {
+ Write-Host "Updating phnt submodule..." -ForegroundColor Cyan
+ git submodule update --init crates/bb-sdk/phnt
+ if ($LASTEXITCODE -ne 0) { throw "Failed to update phnt submodule" }
+
+ # The phnt submodule has a nested systeminformer submodule.
+ # Only needed if you want to regenerate phnt.h from source.
+ $siDir = "crates/bb-sdk/phnt/systeminformer"
+ if (-not (Test-Path "$siDir/phnt")) {
+ Write-Host "Updating phnt/systeminformer nested submodule..." -ForegroundColor Cyan
+ Push-Location crates/bb-sdk/phnt
+ git submodule update --init systeminformer
+ if ($LASTEXITCODE -ne 0) { Pop-Location; throw "Failed to update systeminformer submodule" }
+ Pop-Location
+ }
+
+ # Generate phnt.h from the submodule.
+ $outPhnt = "crates/bb-sdk/phnt/out/phnt.h"
+ if (Test-Path $outPhnt) {
+ Write-Host "phnt.h already exists at $outPhnt" -ForegroundColor Green
+ } else {
+ Write-Host "Generating phnt.h via amalgamate.py..." -ForegroundColor Cyan
+
+ # amalgamate.py downloads cpp-amalgamate.exe via urllib, which can
+ # fail silently on some Python versions. Pre-download it with
+ # Invoke-WebRequest if it's missing or empty.
+ $cppAmalgamate = "crates/bb-sdk/phnt/cpp-amalgamate.exe"
+ $downloadUrl = "https://github.com/Felerius/cpp-amalgamate/releases/download/1.0.1/cpp-amalgamate-x86_64-pc-windows-gnu.exe"
+ if (-not (Test-Path $cppAmalgamate) -or (Get-Item $cppAmalgamate).Length -eq 0) {
+ Write-Host " Pre-downloading cpp-amalgamate.exe..." -ForegroundColor DarkGray
+ if (Test-Path $cppAmalgamate) { Remove-Item $cppAmalgamate }
+ Invoke-WebRequest -Uri $downloadUrl -OutFile $cppAmalgamate -UseBasicParsing
+ }
+
+ Push-Location crates/bb-sdk/phnt
+ py -3 amalgamate.py
+ if ($LASTEXITCODE -ne 0) { Pop-Location; throw "amalgamate.py failed" }
+ Pop-Location
+ Write-Host "phnt.h generated at $outPhnt" -ForegroundColor Green
+ }
+}
+
+switch ($Name) {
+ "all" {
+ Update-Sparse
+ Write-Host ""
+ Update-Phnt
+ }
+ "sparse" { Update-Sparse }
+ "phnt" { Update-Phnt }
+}
+
+Write-Host ""
+Write-Host "Done." -ForegroundColor Green
diff --git a/util/bb-clang/src/function/callconv.rs b/util/bb-clang/src/function/callconv.rs
deleted file mode 100644
index fedb3d4..0000000
--- a/util/bb-clang/src/function/callconv.rs
+++ /dev/null
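Review bot: The `cpp-amalgamate.exe` fetched with `Invoke-WebRequest` in Update-Phnt is never integrity-checked before `py -3 amalgamate.py` runs, and the `Test-Path`/`Length -eq 0` guard also accepts any pre-existing non-empty file at `$cppAmalgamate` as-is. Pinning the `1.0.1` tag in `$downloadUrl` pins a name, not bytes — release assets can be replaced — so the build host ends up executing whatever is at that path (the hunk's own comment says amalgamate.py uses the binary; amalgamate.py itself is not in this diff, so that is inferred). Verify a SHA-256 with `Get-FileHash` on the file that is about to be used, placed after the pre-download block and before the `Push-Location`, and delete the file on mismatch so a later run re-downloads rather than retrying a bad binary. The expected digest should be taken from the release's published checksum and committed alongside the URL; the value below is a labelled placeholder.
```powershell
# … unchanged: $cppAmalgamate / $downloadUrl / pre-download block …

# Pin the release asset's bytes, not just its URL: reject anything that
# does not match the published digest before amalgamate.py can run it.
$expectedSha256 = "<SHA256-OF-cpp-amalgamate-1.0.1-x86_64-pc-windows-gnu.exe>"  # placeholder: fill from the release checksum
$actualSha256 = (Get-FileHash -Path $cppAmalgamate -Algorithm SHA256).Hash
if ($actualSha256 -ne $expectedSha256) {
    Remove-Item $cppAmalgamate
    throw "cpp-amalgamate.exe SHA-256 mismatch (got $actualSha256)"
}

Push-Location crates/bb-sdk/phnt
# … unchanged: amalgamate.py invocation and Pop-Location …
```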
@@ -1,40 +0,0 @@ -//! Function calling convention representation. - -use serde::Serialize; - -/* ────────────────────────────────── Types ───────────────────────────────── */ - -/// A limited representation of [`clang::CallingConvention`] with further context, -/// and extensions that expose more information. -/// -/// On AMD64, ARM64, ARM32, you might be surprised to see that the sole calling -/// convention used on WinSDK and PHNT SDKs is [`CallConv::Cdecl`]. -/// -/// On x86, you wouldn't be surprised to see that the only calling conventions -/// used on WinSDK and PHNT SDKs are [`CallConv::Cdecl`], [`CallConv::Fastcall`] -/// and [`CallConv::Stdcall`]. -/// -/// Therefore, we will be focusing on those first and foremost. -#[derive(Debug, Serialize)] -pub enum CallConv { - /* ───────────────────────────────── Shared ───────────────────────────────── */ - Cdecl, - - /* ───────────────────── x86 — may I never see you again ──────────────────── */ - Fastcall, - Stdcall, -} - -/* ─────────────────────────────── Conversions ────────────────────────────── */ - -impl From for CallConv { - fn from(value: clang::CallingConvention) -> Self { - match value { - clang::CallingConvention::Cdecl => Self::Cdecl, - clang::CallingConvention::Stdcall => Self::Stdcall, - clang::CallingConvention::Fastcall => Self::Fastcall, - // NOTE: lol - _ => unreachable!(), - } - } -} diff --git a/util/bb-clang/src/function/param.rs b/util/bb-clang/src/function/param.rs deleted file mode 100644 index 2a59a4b..0000000 --- a/util/bb-clang/src/function/param.rs +++ /dev/null 
@@ -1,95 +0,0 @@ -//! Parameter declartion representation. - -use clang::{Entity, EntityKind, Type}; -use serde::Serialize; - -use crate::{SourceLocation, clang_ext::UnderlyingType, error::ParamError}; - -/* ────────────────────────────────── Types ───────────────────────────────── */ - -#[derive(Debug, Serialize)] -pub struct Param<'a> { - #[serde(skip)] - entity: Entity<'a>, - #[serde(skip)] - #[allow(unused)] - semantic_parent: Entity<'a>, - name: Option, - #[serde(skip)] - type_: Type<'a>, - #[serde(rename = "type")] - type_name: String, - location: Option, -} - -impl<'a> Param<'a> { - #[must_use] - pub const fn get_entity(&self) -> &Entity<'a> { - &self.entity - } - #[allow(unused)] - #[must_use] - pub const fn get_semantic_parent(&self) -> &Entity<'a> { - &self.semantic_parent - } - #[must_use] - pub fn get_name(&self) -> Option<&str> { - self.name.as_deref() - } - #[must_use] - pub const fn get_type(&self) -> &Type<'a> { - &self.type_ - } - #[must_use] - pub fn get_type_name(&self) -> &str { - &self.type_name - } - #[must_use] - pub fn get_canonical_type(&self) -> Type<'a> { - self.type_.get_canonical_type() - } - #[must_use] - pub const fn get_location(&self) -> Option<&SourceLocation> { - self.location.as_ref() - } - - /// Returns the underlying type of this field, resolving pointers and arrays. - #[allow(unused)] - pub fn get_underlying_type(&self) -> Type<'a> { - self.get_type().get_underlying_type() - } -} - -/* ─────────────────────────────── Conversions ────────────────────────────── */ - -impl<'a> TryFrom> for Param<'a> { - type Error = ParamError; - - fn try_from(entity: Entity<'a>) -> Result { - let kind = entity.get_kind(); - if !matches!(kind, EntityKind::ParmDecl) { - return Err(ParamError::NotParam(kind)); - } - - // NOTE: it's... well... technically possible to have params with an anonymous - // type, but... 
I'm not going to over-engineer around that, as I can't think of - // one case where it's used in WinAPI, and it's kind of a batshit insane decision. - - let semantic_parent = entity - .get_semantic_parent() - .ok_or(ParamError::NoSemanticParent)?; - let name = entity.get_name(); - let type_ = entity.get_type().ok_or(ParamError::NoType)?; - let type_name = type_.get_display_name(); - let location = SourceLocation::from_entity(&entity); - - Ok(Self { - entity, - semantic_parent, - name, - type_, - type_name, - location, - }) - } -} diff --git a/util/bb-clang/src/lib.rs b/util/bb-clang/src/lib.rs deleted file mode 100644 index 12fd2d7..0000000 --- a/util/bb-clang/src/lib.rs +++ /dev/null @@ -1,31 +0,0 @@ -//! Clang parsing utilities for bb. -//! -//! This crate provides abstractions for parsing C/C++ types and constants -//! from headers using libclang, with tree-style display rendering. - -mod clang_ext; -mod constant; -pub(crate) mod display; -mod enum_; -mod error; -mod function; -mod json; -pub(crate) mod location; -mod struct_; - -pub use constant::{ - ConstLookup, ConstValue, Constant, MacroBodyToken, StripOuterParens, TuEntityMap, - build_tu_entity_map, -}; -pub use display::render_constants; -pub use enum_::Enum; -pub use error::{ConstantError, EnumError, FieldError, StructError}; -pub use function::Function; -pub use function::Param; -pub use json::{ToJson, build_referred_components, collect_component_constants}; -pub use location::SourceLocation; -pub use struct_::Field; -pub use struct_::Struct; - -// Re-export commonly used clang types for convenience -pub use clang::{Entity, EntityKind, Index, TranslationUnit, Unsaved}; diff --git a/util/bb-sdk/README.md b/util/bb-sdk/README.md deleted file mode 100644 index 7d28d5c..0000000 --- a/util/bb-sdk/README.md +++ /dev/null 
@@ -1,31 +0,0 @@ -# bb-sdk - -> Synthetic header generation for **Windows SDK** and **PHNT**. - -`bb-sdk` is responsible for generating synthetic headers that allow `bb-clang` to later index and parse them. - -To get there however, the crate also takes care of the following things: - -- Checking that your environment is set up with **Windows SDK**; -- Parsing your environment's latest **Windows SDK** version; - - Checking if you have all the pre-requisites necessary for generating a building kernel-mode SDK, if applicable. - -This crate also takes on the responsibility to handle versions for the provided SDKs. - ---- - -## Architectures - -We expose multiple target architecture options for our SDKs: - -`x86` | `amd64` | `arm` | `arm64` - -### Header configuration - -These are later relevant when you're defining a header configuration. - -From a header configuration, you can obtain a translation unit. - -In preparing this, the header configuration's information will be used to provide stuff like command-line arguments (such as the target architecture), and more. - -The result will be a translation unit that is created from an in-memory file. diff --git a/util/bb-sdk/extra/phnt.h b/util/bb-sdk/extra/phnt.h deleted file mode 100644 index 3c3b942..0000000 --- a/util/bb-sdk/extra/phnt.h +++ /dev/null 
@@ -1,53857 +0,0 @@ -/* - -+===========================================================+ -| THIS FILE WAS AUTOMATICALLY GENERATED | -+===========================================================+ -| Source: https://github.com/winsiderss/systeminformer | -| Commit: ed73b907dcd9c8f3c8d61b164a68006660e030c3 | -| Generator: https://github.com/mrexodia/phnt-single-header | -+===========================================================+ - -MIT License - -Copyright (c) 2022 Winsider Seminars & Solutions, Inc. - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. -*/ - -#ifndef _PHNT_AMALGAMATE_H -#define _PHNT_AMALGAMATE_H - -#ifdef _WINTERNL_ -#error Do not mix Winternl.h and phnt.h -#endif // _WINTERNL_ -#define _WINTERNL_ // Pretend the header was included - -#ifdef _KERNEL_MODE -#define PHNT_DETECTED_MODE PHNT_MODE_KERNEL -#else -#define PHNT_DETECTED_MODE PHNT_MODE_USER -/* - * Win32 definition support - * - * This file is part of System Informer. 
- */ - -#ifndef _PHNT_WINDOWS_H -#define _PHNT_WINDOWS_H - -// This header file provides access to Win32, plus NTSTATUS values and some access mask values. - -#ifndef UNICODE -#define UNICODE -#endif - -#ifndef _CRT_SECURE_NO_WARNINGS -#define _CRT_SECURE_NO_WARNINGS -#endif - -#ifndef __cplusplus -#ifndef CINTERFACE -#define CINTERFACE -#endif - -#ifndef COBJMACROS -#define COBJMACROS -#endif -#endif - -#ifndef NOMINMAX -#define NOMINMAX -#endif - -#ifndef INT_ERROR -#define INT_ERROR (-1) -#endif - -#ifndef ULONG64_MAX -#define ULONG64_MAX 0xffffffffffffffffui64 -#endif - -#ifndef SIZE_T_MAX -#ifdef _WIN64 -#define SIZE_T_MAX 0xffffffffffffffffui64 -#else -#define SIZE_T_MAX 0xffffffffUL -#endif -#endif - -#ifndef MAXLONGLONG -// The Windows SDK basetsd.h is missing the MAXLONGLONG definition. (dmex) -#define MAXLONGLONG (0x7fffffffffffffff) -#endif - -#ifndef MINLONGLONG -// The Windows SDK basetsd.h references non-existent MAXLONGLONG definition -// and breaks MINLONGLONG or in other cases results in a definition of zero. (dmex) -#define MINLONGLONG ((LONGLONG)~MAXLONGLONG) -#endif - -#ifndef ENABLE_RTL_NUMBER_OF_V2 -#define ENABLE_RTL_NUMBER_OF_V2 -#endif - -#ifndef INITGUID -#define INITGUID -#endif - -#ifndef WIN32_LEAN_AND_MEAN -#define WIN32_LEAN_AND_MEAN -#endif - -#ifndef WIN32_NO_STATUS -#define WIN32_NO_STATUS -#endif - -#ifndef COM_NO_WINDOWS_H -#define COM_NO_WINDOWS_H -#endif - -#ifndef STRICT_TYPED_ITEMIDS -#define STRICT_TYPED_ITEMIDS -#endif - -#ifndef __cplusplus -// This is needed to workaround C17 preprocessor errors when using legacy versions of the Windows SDK. 
(dmex) -#ifndef MICROSOFT_WINDOWS_WINBASE_H_DEFINE_INTERLOCKED_CPLUSPLUS_OVERLOADS -#define MICROSOFT_WINDOWS_WINBASE_H_DEFINE_INTERLOCKED_CPLUSPLUS_OVERLOADS 0 -#endif -#endif - -#ifdef __cplusplus -#define RTL_ADDRESS_OF(v) (&const_cast(reinterpret_cast(v))) // _ADDRESSOF() macro -#else -#define RTL_ADDRESS_OF(v) (&(v)) -#endif - -#include -#include -#undef WIN32_NO_STATUS -#include -#include -#include -#include -#include - -#ifdef COM_NO_WINDOWS_H -#include -#endif - -typedef DOUBLE *PDOUBLE; -typedef GUID *PGUID; - -// Desktop access rights -#define DESKTOP_ALL_ACCESS \ - (DESKTOP_CREATEMENU | DESKTOP_CREATEWINDOW | DESKTOP_ENUMERATE | \ - DESKTOP_HOOKCONTROL | DESKTOP_JOURNALPLAYBACK | DESKTOP_JOURNALRECORD | \ - DESKTOP_READOBJECTS | DESKTOP_SWITCHDESKTOP | DESKTOP_WRITEOBJECTS | \ - STANDARD_RIGHTS_REQUIRED) -#define DESKTOP_GENERIC_READ \ - (DESKTOP_ENUMERATE | DESKTOP_READOBJECTS | STANDARD_RIGHTS_READ) -#define DESKTOP_GENERIC_WRITE \ - (DESKTOP_CREATEMENU | DESKTOP_CREATEWINDOW | DESKTOP_HOOKCONTROL | \ - DESKTOP_JOURNALPLAYBACK | DESKTOP_JOURNALRECORD | DESKTOP_WRITEOBJECTS | \ - STANDARD_RIGHTS_WRITE) -#define DESKTOP_GENERIC_EXECUTE \ - (DESKTOP_SWITCHDESKTOP | STANDARD_RIGHTS_EXECUTE) - -// Window station access rights -#define WINSTA_GENERIC_READ \ - (WINSTA_ENUMDESKTOPS | WINSTA_ENUMERATE | WINSTA_READATTRIBUTES | \ - WINSTA_READSCREEN | STANDARD_RIGHTS_READ) -#define WINSTA_GENERIC_WRITE \ - (WINSTA_ACCESSCLIPBOARD | WINSTA_CREATEDESKTOP | WINSTA_WRITEATTRIBUTES | \ - STANDARD_RIGHTS_WRITE) -#define WINSTA_GENERIC_EXECUTE \ - (WINSTA_ACCESSGLOBALATOMS | WINSTA_EXITWINDOWS | STANDARD_RIGHTS_EXECUTE) - -// WMI access rights -#define WMIGUID_GENERIC_READ \ - (WMIGUID_QUERY | WMIGUID_NOTIFICATION | WMIGUID_READ_DESCRIPTION | \ - STANDARD_RIGHTS_READ) -#define WMIGUID_GENERIC_WRITE \ - (WMIGUID_SET | TRACELOG_CREATE_REALTIME | TRACELOG_CREATE_ONDISK | \ - STANDARD_RIGHTS_WRITE) -#define WMIGUID_GENERIC_EXECUTE \ - (WMIGUID_EXECUTE | 
TRACELOG_GUID_ENABLE | TRACELOG_LOG_EVENT | \ - TRACELOG_ACCESS_REALTIME | TRACELOG_REGISTER_GUIDS | \ - STANDARD_RIGHTS_EXECUTE) - -// Note: Some parts of the Windows Runtime, COM or third party hooks are returning -// S_FALSE and null pointers on errors when S_FALSE is a success code. (dmex) -#define HR_SUCCESS(hr) (((HRESULT)(hr)) == S_OK) -#define HR_FAILED(hr) (((HRESULT)(hr)) != S_OK) - -// Note: The CONTAINING_RECORD macro doesn't support UBSan and generates false positives, -// we redefine the macro with FIELD_OFFSET as a workaround until the WinSDK is fixed (dmex) -#undef CONTAINING_RECORD -#define CONTAINING_RECORD(address, type, field) \ - ((type *)((ULONG_PTR)(address) - UFIELD_OFFSET(type, field))) - -#ifndef __PCGUID_DEFINED__ -#define __PCGUID_DEFINED__ -typedef const GUID *PCGUID; -#endif - -DEFINE_GUID(GUID_NULL, 0x00000000L, 0x0000, 0x0000, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00); - -#if __STDC_VERSION__ >= 202311L -#ifndef __cplusplus -#define nullptr ((void *)0) -#endif -typedef typeof(nullptr) nullptr_t; -#endif -#include - -#endif -#endif // _KERNEL_MODE - -#ifndef PHNT_MODE -#define PHNT_MODE PHNT_DETECTED_MODE -#endif // PHNT_MODE - -/* - * NT Header annotations - * - * This file is part of System Informer. - */ - -#ifndef _PHNT_H -#define _PHNT_H - -// This header file provides access to NT APIs. - -// Definitions are annotated to indicate their source. If a definition is not annotated, it has been -// retrieved from an official Microsoft source (NT headers, DDK headers, winnt.h). - -// * "winbase" indicates that a definition has been reconstructed from a Win32-ized NT definition in -// winbase.h. -// * "rev" indicates that a definition has been reverse-engineered. -// * "dbg" indicates that a definition has been obtained from a debug message or assertion in a -// checked build of the kernel or file. - -// Reliability: -// 1. No annotation. -// 2. dbg. -// 3. symbols, private. Types may be incorrect. -// 4. winbase. 
Names and types may be incorrect. -// 5. rev. - -// Mode -#define PHNT_MODE_KERNEL 0 -#define PHNT_MODE_USER 1 - -// Version -#define PHNT_WIN2K 50 -#define PHNT_WINXP 51 -#define PHNT_WS03 52 -#define PHNT_VISTA 60 -#define PHNT_WIN7 61 -#define PHNT_WIN8 62 -#define PHNT_WINBLUE 63 -#define PHNT_THRESHOLD 100 -#define PHNT_THRESHOLD2 101 -#define PHNT_REDSTONE 102 -#define PHNT_REDSTONE2 103 -#define PHNT_REDSTONE3 104 -#define PHNT_REDSTONE4 105 -#define PHNT_REDSTONE5 106 -#define PHNT_19H1 107 -#define PHNT_19H2 108 -#define PHNT_20H1 109 -#define PHNT_20H2 110 -#define PHNT_21H1 111 -#define PHNT_WIN10_21H2 112 -#define PHNT_WIN10_22H2 113 -#define PHNT_WIN11 114 -#define PHNT_WIN11_22H2 115 -#define PHNT_WIN11_23H2 116 -#define PHNT_WIN11_24H2 117 - -#ifndef PHNT_MODE -#define PHNT_MODE PHNT_MODE_USER -#endif - -#ifndef PHNT_VERSION -#define PHNT_VERSION PHNT_WIN11_24H2 -#endif - -// Options - -#if (PHNT_MODE != PHNT_MODE_KERNEL) -// #define PHNT_NO_INLINE_INIT_STRING -#ifndef PHNT_INLINE_TYPEDEFS -#define PHNT_INLINE_TYPEDEFS -#endif -#endif - -#ifdef __cplusplus -extern "C" -{ -#endif - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - /* - * Native definition support - * - * This file is part of System Informer. - */ - -#ifndef _PHNT_NTDEF_H -#define _PHNT_NTDEF_H - -#ifndef _NTDEF_ -#define _NTDEF_ - - // This header file provides basic NT types not included in Win32. If you have included winnt.h - // (perhaps indirectly), you must use this file instead of ntdef.h. - -#ifndef NOTHING -#define NOTHING -#endif - - // - // Basic types - // - - typedef struct _QUAD - { - union - { - __int64 UseThisFieldToCopy; - double DoNotUseThisField; - }; - } QUAD, *PQUAD; - - // This isn't in NT, but it's useful. 
- typedef struct DECLSPEC_ALIGN(MEMORY_ALLOCATION_ALIGNMENT) _QUAD_PTR - { - ULONG_PTR DoNotUseThisField1; - ULONG_PTR DoNotUseThisField2; - } QUAD_PTR, *PQUAD_PTR; - - typedef ULONG LOGICAL; - typedef ULONG *PLOGICAL; - - typedef _Return_type_success_(return >= 0) LONG NTSTATUS; - typedef NTSTATUS *PNTSTATUS; - - // - // Cardinal types - // - - typedef char CCHAR; - typedef short CSHORT; - typedef ULONG CLONG; - - typedef CCHAR *PCCHAR; - typedef CSHORT *PCSHORT; - typedef CLONG *PCLONG; - - typedef PCSTR PCSZ; - - typedef PVOID *PPVOID; - typedef CONST VOID *PCVOID; - - // - // Specific - // - - typedef UCHAR KIRQL, *PKIRQL; - typedef LONG KPRIORITY, *PKPRIORITY; - typedef USHORT RTL_ATOM, *PRTL_ATOM; - - typedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS; - - typedef struct _LARGE_INTEGER_128 - { - LONGLONG QuadPart[2]; - } LARGE_INTEGER_128, *PLARGE_INTEGER_128; - - typedef struct _ULARGE_INTEGER_128 - { - ULONGLONG QuadPart[2]; - } ULARGE_INTEGER_128, *PULARGE_INTEGER_128; - - // - // Limits - // - -#define MINCHAR 0x80 // winnt -#define MAXCHAR 0x7f // winnt -#define MINSHORT 0x8000 // winnt -#define MAXSHORT 0x7fff // winnt -#define MINLONG 0x80000000 // winnt -#define MAXLONG 0x7fffffff // winnt -#define MAXUCHAR 0xff // winnt -#define MAXUSHORT 0xffff // winnt -#define MAXULONG 0xffffffff // winnt - - // - // NT status macros - // - -#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0) -#define NT_INFORMATION(Status) ((((ULONG)(Status)) >> 30) == 1) -#define NT_WARNING(Status) ((((ULONG)(Status)) >> 30) == 2) -#define NT_ERROR(Status) ((((ULONG)(Status)) >> 30) == 3) - -#define NT_CUSTOMER_SHIFT 29 -#define NT_CUSTOMER(Status) ((((ULONG)(Status)) >> NT_CUSTOMER_SHIFT) & 1) - -#define NT_FACILITY_MASK 0xfff -#define NT_FACILITY_SHIFT 16 -#define NT_FACILITY(Status) ((((ULONG)(Status)) >> NT_FACILITY_SHIFT) & NT_FACILITY_MASK) - -#define NT_NTWIN32(Status) (NT_FACILITY(Status) == FACILITY_NTWIN32) -#define WIN32_FROM_NTSTATUS(Status) 
(((ULONG)(Status)) & 0xffff) - - // - // Functions - // - -#ifndef _WIN64 -#define FASTCALL __fastcall -#else -#define FASTCALL -#endif - - // - // Synchronization enumerations - // - - typedef enum _EVENT_TYPE - { - NotificationEvent, - SynchronizationEvent - } EVENT_TYPE; - - typedef enum _TIMER_TYPE - { - NotificationTimer, - SynchronizationTimer - } TIMER_TYPE; - - typedef enum _WAIT_TYPE - { - WaitAll, - WaitAny, - WaitNotification, - WaitDequeue, - WaitDpc, - } WAIT_TYPE; - - // - // Strings - // - - typedef struct _STRING - { - USHORT Length; - USHORT MaximumLength; - _Field_size_bytes_part_opt_(MaximumLength, Length) PCHAR Buffer; - } STRING, *PSTRING, ANSI_STRING, *PANSI_STRING, OEM_STRING, *POEM_STRING; - - typedef STRING UTF8_STRING; - typedef PSTRING PUTF8_STRING; - - typedef const STRING *PCSTRING; - typedef const ANSI_STRING *PCANSI_STRING; - typedef const OEM_STRING *PCOEM_STRING; - - typedef struct _UNICODE_STRING - { - USHORT Length; - USHORT MaximumLength; - _Field_size_bytes_part_opt_(MaximumLength, Length) PWCH Buffer; - } UNICODE_STRING, *PUNICODE_STRING; - - typedef const UNICODE_STRING *PCUNICODE_STRING; - -#define RTL_CONSTANT_STRING(s) {sizeof((s)) - sizeof((s)[0]), sizeof((s)), (PWCH)(s)} - -#define DECLARE_CONST_UNICODE_STRING(_var, _str) \ - const WCHAR _var##_buffer[] = _str; \ - const UNICODE_STRING _var = {sizeof(_str) - sizeof(WCHAR), sizeof(_str), (PWCH)_var##_buffer} - -#define DECLARE_GLOBAL_CONST_UNICODE_STRING(_var, _str) \ - extern const DECLSPEC_SELECTANY UNICODE_STRING _var = RTL_CONSTANT_STRING(_str) - -#define DECLARE_UNICODE_STRING_SIZE(_var, _size) \ - WCHAR _var##_buffer[_size]; \ - UNICODE_STRING _var = {0, (_size) * sizeof(WCHAR), _var##_buffer} - - // - // Balanced tree node - // - -#define RTL_BALANCED_NODE_RESERVED_PARENT_MASK 3 - - typedef struct _RTL_BALANCED_NODE - { - union - { - struct _RTL_BALANCED_NODE *Children[2]; - struct - { - struct _RTL_BALANCED_NODE *Left; - struct _RTL_BALANCED_NODE *Right; - }; - }; 
- union - { - UCHAR Red : 1; - UCHAR Balance : 2; - ULONG_PTR ParentValue; - }; - } RTL_BALANCED_NODE, *PRTL_BALANCED_NODE; - -#define RTL_BALANCED_NODE_GET_PARENT_POINTER(Node) \ - ((PRTL_BALANCED_NODE)((Node)->ParentValue & ~RTL_BALANCED_NODE_RESERVED_PARENT_MASK)) - - // - // Portability - // - - typedef struct _SINGLE_LIST_ENTRY32 - { - ULONG Next; - } SINGLE_LIST_ENTRY32, *PSINGLE_LIST_ENTRY32; - - typedef struct _STRING32 - { - USHORT Length; - USHORT MaximumLength; - ULONG Buffer; - } STRING32, *PSTRING32; - - typedef STRING32 UNICODE_STRING32, *PUNICODE_STRING32; - typedef STRING32 ANSI_STRING32, *PANSI_STRING32; - - typedef struct _STRING64 - { - USHORT Length; - USHORT MaximumLength; - ULONGLONG Buffer; - } STRING64, *PSTRING64; - - typedef STRING64 UNICODE_STRING64, *PUNICODE_STRING64; - typedef STRING64 ANSI_STRING64, *PANSI_STRING64; - - // - // Object attributes - // - -#define OBJ_PROTECT_CLOSE 0x00000001L -#define OBJ_INHERIT 0x00000002L -#define OBJ_AUDIT_OBJECT_CLOSE 0x00000004L -#define OBJ_NO_RIGHTS_UPGRADE 0x00000008L -#define OBJ_PERMANENT 0x00000010L -#define OBJ_EXCLUSIVE 0x00000020L -#define OBJ_CASE_INSENSITIVE 0x00000040L -#define OBJ_OPENIF 0x00000080L -#define OBJ_OPENLINK 0x00000100L -#define OBJ_KERNEL_HANDLE 0x00000200L -#define OBJ_FORCE_ACCESS_CHECK 0x00000400L -#define OBJ_IGNORE_IMPERSONATED_DEVICEMAP 0x00000800L -#define OBJ_DONT_REPARSE 0x00001000L -#define OBJ_VALID_ATTRIBUTES 0x00001FF2L - - typedef struct _OBJECT_ATTRIBUTES - { - ULONG Length; - HANDLE RootDirectory; - PCUNICODE_STRING ObjectName; - ULONG Attributes; - PVOID SecurityDescriptor; // PSECURITY_DESCRIPTOR; - PVOID SecurityQualityOfService; // PSECURITY_QUALITY_OF_SERVICE - } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; - - typedef const OBJECT_ATTRIBUTES *PCOBJECT_ATTRIBUTES; - -#define InitializeObjectAttributes(p, n, a, r, s) \ - { \ - (p)->Length = sizeof(OBJECT_ATTRIBUTES); \ - (p)->RootDirectory = r; \ - (p)->Attributes = a; \ - (p)->ObjectName = n; \ - 
(p)->SecurityDescriptor = s; \ - (p)->SecurityQualityOfService = NULL; \ - } - -#define InitializeObjectAttributesEx(p, n, a, r, s, q) \ - { \ - (p)->Length = sizeof(OBJECT_ATTRIBUTES); \ - (p)->RootDirectory = r; \ - (p)->Attributes = a; \ - (p)->ObjectName = n; \ - (p)->SecurityDescriptor = s; \ - (p)->SecurityQualityOfService = q; \ - } - -#define RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) {sizeof(OBJECT_ATTRIBUTES), NULL, n, a, NULL, NULL} -#define RTL_INIT_OBJECT_ATTRIBUTES(n, a) RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) - -#define OBJ_NAME_PATH_SEPARATOR ((WCHAR)L'\\') -#define OBJ_NAME_ALTPATH_SEPARATOR ((WCHAR)L'/') - - // - // Portability - // - - typedef struct _OBJECT_ATTRIBUTES64 - { - ULONG Length; - ULONG64 RootDirectory; - ULONG64 ObjectName; - ULONG Attributes; - ULONG64 SecurityDescriptor; - ULONG64 SecurityQualityOfService; - } OBJECT_ATTRIBUTES64, *POBJECT_ATTRIBUTES64; - - typedef const OBJECT_ATTRIBUTES64 *PCOBJECT_ATTRIBUTES64; - - typedef struct _OBJECT_ATTRIBUTES32 - { - ULONG Length; - ULONG RootDirectory; - ULONG ObjectName; - ULONG Attributes; - ULONG SecurityDescriptor; - ULONG SecurityQualityOfService; - } OBJECT_ATTRIBUTES32, *POBJECT_ATTRIBUTES32; - - typedef const OBJECT_ATTRIBUTES32 *PCOBJECT_ATTRIBUTES32; - - // - // Product types - // - - typedef enum _NT_PRODUCT_TYPE - { - NtProductWinNt = 1, - NtProductLanManNt, - NtProductServer - } NT_PRODUCT_TYPE, - *PNT_PRODUCT_TYPE; - - typedef enum _SUITE_TYPE - { - SmallBusiness, - Enterprise, - BackOffice, - CommunicationServer, - TerminalServer, - SmallBusinessRestricted, - EmbeddedNT, - DataCenter, - SingleUserTS, - Personal, - Blade, - EmbeddedRestricted, - SecurityAppliance, - StorageServer, - ComputeServer, - WHServer, - PhoneNT, - MaxSuiteType - } SUITE_TYPE; - - // - // Specific - // - - typedef struct _CLIENT_ID - { - HANDLE UniqueProcess; - HANDLE UniqueThread; - } CLIENT_ID, *PCLIENT_ID; - - typedef struct _CLIENT_ID32 - { - ULONG UniqueProcess; - ULONG UniqueThread; - } CLIENT_ID32, 
*PCLIENT_ID32; - - typedef struct _CLIENT_ID64 - { - ULONGLONG UniqueProcess; - ULONGLONG UniqueThread; - } CLIENT_ID64, *PCLIENT_ID64; - -#include - - typedef struct _KSYSTEM_TIME - { - ULONG LowPart; - LONG High1Time; - LONG High2Time; - } KSYSTEM_TIME, *PKSYSTEM_TIME; - -#include - -#ifndef AFFINITY_MASK -#define AFFINITY_MASK(n) ((KAFFINITY)1 << (n)) -#endif - -#ifndef FlagOn -#define FlagOn(_F, _SF) ((_F) & (_SF)) -#endif -#ifndef BooleanFlagOn -#define BooleanFlagOn(F, SF) ((BOOLEAN)(((F) & (SF)) != 0)) -#endif -#ifndef SetFlag -#define SetFlag(_F, _SF) ((_F) |= (_SF)) -#endif -#ifndef ClearFlag -#define ClearFlag(_F, _SF) ((_F) &= ~(_SF)) -#endif - -#ifndef Add2Ptr -#define Add2Ptr(P, I) ((PVOID)((PUCHAR)(P) + (I))) -#endif -#ifndef PtrOffset -#define PtrOffset(B, O) ((ULONG)((ULONG_PTR)(O) - (ULONG_PTR)(B))) -#endif - -#ifndef ALIGN_UP_BY -#define ALIGN_UP_BY(Address, Align) (((ULONG_PTR)(Address) + (Align) - 1) & ~((Align) - 1)) -#endif -#ifndef ALIGN_UP_POINTER_BY -#define ALIGN_UP_POINTER_BY(Pointer, Align) ((PVOID)ALIGN_UP_BY(Pointer, Align)) -#endif -#ifndef ALIGN_UP -#define ALIGN_UP(Address, Type) ALIGN_UP_BY(Address, sizeof(Type)) -#endif -#ifndef ALIGN_UP_POINTER -#define ALIGN_UP_POINTER(Pointer, Type) ((PVOID)ALIGN_UP(Pointer, Type)) -#endif -#ifndef ALIGN_DOWN_BY -#define ALIGN_DOWN_BY(Address, Align) ((ULONG_PTR)(Address) & ~((ULONG_PTR)(Align) - 1)) -#endif -#ifndef ALIGN_DOWN_POINTER_BY -#define ALIGN_DOWN_POINTER_BY(Pointer, Align) ((PVOID)ALIGN_DOWN_BY(Pointer, Align)) -#endif -#ifndef ALIGN_DOWN -#define ALIGN_DOWN(Address, Type) ALIGN_DOWN_BY(Address, sizeof(Type)) -#endif -#ifndef ALIGN_DOWN_POINTER -#define ALIGN_DOWN_POINTER(Pointer, Type) ((PVOID)ALIGN_DOWN(Pointer, Type)) -#endif -#ifndef IS_ALIGNED -#define IS_ALIGNED(Pointer, Alignment) ((((ULONG_PTR)(Pointer)) & ((Alignment) - 1)) == 0) -#endif - -#ifndef PAGE_SIZE -#define PAGE_SIZE 0x1000 -#endif -#ifndef PAGE_MASK -#define PAGE_MASK 0xFFF -#endif -#ifndef PAGE_SHIFT -#define 
PAGE_SHIFT 0xC -#endif - -#ifndef BYTE_OFFSET -#define BYTE_OFFSET(Address) ((SIZE_T)((ULONG_PTR)(Address) & PAGE_MASK)) -#endif -#ifndef PAGE_ALIGN -#define PAGE_ALIGN(Address) ((PVOID)((ULONG_PTR)(Address) & ~PAGE_MASK)) -#endif -#ifndef PAGE_OFFSET -#define PAGE_OFFSET(p) ((PAGE_MASK) & (ULONG_PTR)(p)) -#endif - -#ifndef ADDRESS_AND_SIZE_TO_SPAN_PAGES -#define ADDRESS_AND_SIZE_TO_SPAN_PAGES(Address, Size) ((BYTE_OFFSET(Address) + ((SIZE_T)(Size)) + PAGE_MASK) >> PAGE_SHIFT) -#endif -#ifndef ROUND_TO_SIZE -#define ROUND_TO_SIZE(Size, Alignment) ((((ULONG_PTR)(Size)) + ((Alignment) - 1)) & ~(ULONG_PTR)((Alignment) - 1)) -#endif -#ifndef ROUND_TO_PAGES -#define ROUND_TO_PAGES(Size) (((ULONG_PTR)(Size) + PAGE_MASK) & ~PAGE_MASK) -#endif -#ifndef BYTES_TO_PAGES -#define BYTES_TO_PAGES(Size) (((Size) >> PAGE_SHIFT) + (((Size) & PAGE_MASK) != 0)) -#endif - -#endif - -#if defined(_WIN64) -#define POINTER_ALIGNMENT DECLSPEC_ALIGN(8) -#else -#define POINTER_ALIGNMENT -#endif - -#ifndef DECLSPEC_NOALIAS -#if _MSC_VER < 1900 -#define DECLSPEC_NOALIAS -#else -#define DECLSPEC_NOALIAS __declspec(noalias) -#endif -#endif - -#endif - /* - * National Language Support functions - * - * This file is part of System Informer. 
- */ - -#ifndef _NTNLS_H -#define _NTNLS_H - -#define MAXIMUM_LEADBYTES 12 - - typedef struct _CPTABLEINFO - { - USHORT CodePage; - USHORT MaximumCharacterSize; - USHORT DefaultChar; - USHORT UniDefaultChar; - USHORT TransDefaultChar; - USHORT TransUniDefaultChar; - USHORT DBCSCodePage; - UCHAR LeadByte[MAXIMUM_LEADBYTES]; - PUSHORT MultiByteTable; - PVOID WideCharTable; - PUSHORT DBCSRanges; - PUSHORT DBCSOffsets; - } CPTABLEINFO, *PCPTABLEINFO; - - typedef struct _NLSTABLEINFO - { - CPTABLEINFO OemTableInfo; - CPTABLEINFO AnsiTableInfo; - PUSHORT UpperCaseTable; - PUSHORT LowerCaseTable; - } NLSTABLEINFO, *PNLSTABLEINFO; - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - NTSYSAPI USHORT NlsAnsiCodePage; - NTSYSAPI BOOLEAN NlsMbCodePageTag; - NTSYSAPI BOOLEAN NlsMbOemCodePageTag; -#endif - -#endif -#endif - - /* - * Kernel executive support library - * - * This file is part of System Informer. - */ - -#ifndef _NTKEAPI_H -#define _NTKEAPI_H - -#if (PHNT_MODE != PHNT_MODE_KERNEL) -#define LOW_PRIORITY 0 // Lowest thread priority level -#define LOW_REALTIME_PRIORITY 16 // Lowest realtime priority level -#define HIGH_PRIORITY 31 // Highest thread priority level -#define MAXIMUM_PRIORITY 32 // Number of thread priority levels -#endif - - typedef enum _KTHREAD_STATE - { - Initialized, - Ready, - Running, - Standby, - Terminated, - Waiting, - Transition, - DeferredReady, - GateWaitObsolete, - WaitingForProcessInSwap, - MaximumThreadState - } KTHREAD_STATE, - *PKTHREAD_STATE; - - // private - typedef enum _KHETERO_CPU_POLICY - { - KHeteroCpuPolicyAll = 0, - KHeteroCpuPolicyLarge = 1, - KHeteroCpuPolicyLargeOrIdle = 2, - KHeteroCpuPolicySmall = 3, - KHeteroCpuPolicySmallOrIdle = 4, - KHeteroCpuPolicyDynamic = 5, - KHeteroCpuPolicyStaticMax = 5, // valid - KHeteroCpuPolicyBiasedSmall = 6, - KHeteroCpuPolicyBiasedLarge = 7, - KHeteroCpuPolicyDefault = 8, - KHeteroCpuPolicyMax = 9 - } KHETERO_CPU_POLICY, - *PKHETERO_CPU_POLICY; - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - - typedef enum 
_KWAIT_REASON - { - Executive, - FreePage, - PageIn, - PoolAllocation, - DelayExecution, - Suspended, - UserRequest, - WrExecutive, - WrFreePage, - WrPageIn, - WrPoolAllocation, - WrDelayExecution, - WrSuspended, - WrUserRequest, - WrEventPair, - WrQueue, - WrLpcReceive, - WrLpcReply, - WrVirtualMemory, - WrPageOut, - WrRendezvous, - WrKeyedEvent, - WrTerminated, - WrProcessInSwap, - WrCpuRateControl, - WrCalloutStack, - WrKernel, - WrResource, - WrPushLock, - WrMutex, - WrQuantumEnd, - WrDispatchInt, - WrPreempted, - WrYieldExecution, - WrFastMutex, - WrGuardedMutex, - WrRundown, - WrAlertByThreadId, - WrDeferredPreempt, - WrPhysicalFault, - WrIoRing, - WrMdlCache, - WrRcu, - MaximumWaitReason - } KWAIT_REASON, - *PKWAIT_REASON; - - typedef enum _KPROFILE_SOURCE - { - ProfileTime, - ProfileAlignmentFixup, - ProfileTotalIssues, - ProfilePipelineDry, - ProfileLoadInstructions, - ProfilePipelineFrozen, - ProfileBranchInstructions, - ProfileTotalNonissues, - ProfileDcacheMisses, - ProfileIcacheMisses, - ProfileCacheMisses, - ProfileBranchMispredictions, - ProfileStoreInstructions, - ProfileFpInstructions, - ProfileIntegerInstructions, - Profile2Issue, - Profile3Issue, - Profile4Issue, - ProfileSpecialInstructions, - ProfileTotalCycles, - ProfileIcacheIssues, - ProfileDcacheAccesses, - ProfileMemoryBarrierCycles, - ProfileLoadLinkedIssues, - ProfileMaximum - } KPROFILE_SOURCE; - -#endif - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCallbackReturn( - _In_reads_bytes_opt_(OutputLength) PVOID OutputBuffer, - _In_ ULONG OutputLength, - _In_ NTSTATUS Status); - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtFlushProcessWriteBuffers( - VOID); -#endif - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryDebugFilterState( - _In_ ULONG ComponentId, - _In_ ULONG Level); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetDebugFilterState( - _In_ ULONG ComponentId, - _In_ ULONG Level, - _In_ BOOLEAN State); - - NTSYSCALLAPI - NTSTATUS - 
NTAPI - NtYieldExecution( - VOID); - -#endif - -#endif - /* - * Loader support functions - * - * This file is part of System Informer. - */ - -#ifndef _NTLDR_H -#define _NTLDR_H - - typedef struct _ACTIVATION_CONTEXT *PACTIVATION_CONTEXT; - typedef struct _LDRP_LOAD_CONTEXT *PLDRP_LOAD_CONTEXT; - - // - // DLLs - // - - typedef _Function_class_(LDR_INIT_ROUTINE) - BOOLEAN NTAPI LDR_INIT_ROUTINE( - _In_ PVOID DllHandle, - _In_ ULONG Reason, - _In_opt_ PVOID Context); - typedef LDR_INIT_ROUTINE *PLDR_INIT_ROUTINE; - - typedef struct _LDR_SERVICE_TAG_RECORD - { - struct _LDR_SERVICE_TAG_RECORD *Next; - ULONG ServiceTag; - } LDR_SERVICE_TAG_RECORD, *PLDR_SERVICE_TAG_RECORD; - - typedef struct _LDRP_CSLIST - { - PSINGLE_LIST_ENTRY Tail; - } LDRP_CSLIST, *PLDRP_CSLIST; - - typedef enum _LDR_DDAG_STATE - { - LdrModulesMerged = -5, - LdrModulesInitError = -4, - LdrModulesSnapError = -3, - LdrModulesUnloaded = -2, - LdrModulesUnloading = -1, - LdrModulesPlaceHolder = 0, - LdrModulesMapping = 1, - LdrModulesMapped = 2, - LdrModulesWaitingForDependencies = 3, - LdrModulesSnapping = 4, - LdrModulesSnapped = 5, - LdrModulesCondensed = 6, - LdrModulesReadyToInit = 7, - LdrModulesInitializing = 8, - LdrModulesReadyToRun = 9 - } LDR_DDAG_STATE; - - typedef struct _LDR_DDAG_NODE - { - LIST_ENTRY Modules; - PLDR_SERVICE_TAG_RECORD ServiceTagList; - ULONG LoadCount; - ULONG LoadWhileUnloadingCount; - ULONG LowestLink; - union - { - LDRP_CSLIST Dependencies; - SINGLE_LIST_ENTRY RemovalLink; - }; - LDRP_CSLIST IncomingDependencies; - LDR_DDAG_STATE State; - SINGLE_LIST_ENTRY CondenseLink; - ULONG PreorderNumber; - } LDR_DDAG_NODE, *PLDR_DDAG_NODE; - - // rev - typedef struct _LDR_DEPENDENCY_RECORD - { - SINGLE_LIST_ENTRY DependencyLink; - PLDR_DDAG_NODE DependencyNode; - SINGLE_LIST_ENTRY IncomingDependencyLink; - PLDR_DDAG_NODE IncomingDependencyNode; - } LDR_DEPENDENCY_RECORD, *PLDR_DEPENDENCY_RECORD; - - typedef enum _LDR_DLL_LOAD_REASON - { - LoadReasonStaticDependency, - 
LoadReasonStaticForwarderDependency, - LoadReasonDynamicForwarderDependency, - LoadReasonDelayloadDependency, - LoadReasonDynamicLoad, - LoadReasonAsImageLoad, - LoadReasonAsDataLoad, - LoadReasonEnclavePrimary, // since REDSTONE3 - LoadReasonEnclaveDependency, - LoadReasonPatchImage, // since WIN11 - LoadReasonUnknown = -1 - } LDR_DLL_LOAD_REASON, - *PLDR_DLL_LOAD_REASON; - - typedef enum _LDR_HOT_PATCH_STATE - { - LdrHotPatchBaseImage, - LdrHotPatchNotApplied, - LdrHotPatchAppliedReverse, - LdrHotPatchAppliedForward, - LdrHotPatchFailedToPatch, - LdrHotPatchStateMax, - } LDR_HOT_PATCH_STATE, - *PLDR_HOT_PATCH_STATE; - -// LDR_DATA_TABLE_ENTRY->Flags -#define LDRP_PACKAGED_BINARY 0x00000001 -#define LDRP_MARKED_FOR_REMOVAL 0x00000002 -#define LDRP_IMAGE_DLL 0x00000004 -#define LDRP_LOAD_NOTIFICATIONS_SENT 0x00000008 -#define LDRP_TELEMETRY_ENTRY_PROCESSED 0x00000010 -#define LDRP_PROCESS_STATIC_IMPORT 0x00000020 -#define LDRP_IN_LEGACY_LISTS 0x00000040 -#define LDRP_IN_INDEXES 0x00000080 -#define LDRP_SHIM_DLL 0x00000100 -#define LDRP_IN_EXCEPTION_TABLE 0x00000200 -#define LDRP_LOAD_IN_PROGRESS 0x00001000 -#define LDRP_LOAD_CONFIG_PROCESSED 0x00002000 -#define LDRP_ENTRY_PROCESSED 0x00004000 -#define LDRP_PROTECT_DELAY_LOAD 0x00008000 -#define LDRP_DONT_CALL_FOR_THREADS 0x00040000 -#define LDRP_PROCESS_ATTACH_CALLED 0x00080000 -#define LDRP_PROCESS_ATTACH_FAILED 0x00100000 -#define LDRP_COR_DEFERRED_VALIDATE 0x00200000 -#define LDRP_COR_IMAGE 0x00400000 -#define LDRP_DONT_RELOCATE 0x00800000 -#define LDRP_COR_IL_ONLY 0x01000000 -#define LDRP_CHPE_IMAGE 0x02000000 -#define LDRP_CHPE_EMULATOR_IMAGE 0x04000000 -#define LDRP_REDIRECTED 0x10000000 -#define LDRP_COMPAT_DATABASE_PROCESSED 0x80000000 - -#define LDR_DATA_TABLE_ENTRY_SIZE_WINXP FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, DdagNode) -#define LDR_DATA_TABLE_ENTRY_SIZE_WIN7 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, BaseNameHashValue) -#define LDR_DATA_TABLE_ENTRY_SIZE_WIN8 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, 
ImplicitPathOptions) -#define LDR_DATA_TABLE_ENTRY_SIZE_WIN10 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, SigningLevel) -#define LDR_DATA_TABLE_ENTRY_SIZE_WIN11 sizeof(LDR_DATA_TABLE_ENTRY) - - // symbols - typedef struct _LDR_DATA_TABLE_ENTRY - { - LIST_ENTRY InLoadOrderLinks; - LIST_ENTRY InMemoryOrderLinks; - LIST_ENTRY InInitializationOrderLinks; - PVOID DllBase; - PLDR_INIT_ROUTINE EntryPoint; - ULONG SizeOfImage; - UNICODE_STRING FullDllName; - UNICODE_STRING BaseDllName; - union - { - UCHAR FlagGroup[4]; - ULONG Flags; - struct - { - ULONG PackagedBinary : 1; - ULONG MarkedForRemoval : 1; - ULONG ImageDll : 1; - ULONG LoadNotificationsSent : 1; - ULONG TelemetryEntryProcessed : 1; - ULONG ProcessStaticImport : 1; - ULONG InLegacyLists : 1; - ULONG InIndexes : 1; - ULONG ShimDll : 1; - ULONG InExceptionTable : 1; - ULONG ReservedFlags1 : 2; - ULONG LoadInProgress : 1; - ULONG LoadConfigProcessed : 1; - ULONG EntryProcessed : 1; - ULONG ProtectDelayLoad : 1; - ULONG ReservedFlags3 : 2; - ULONG DontCallForThreads : 1; - ULONG ProcessAttachCalled : 1; - ULONG ProcessAttachFailed : 1; - ULONG CorDeferredValidate : 1; - ULONG CorImage : 1; - ULONG DontRelocate : 1; - ULONG CorILOnly : 1; - ULONG ChpeImage : 1; - ULONG ChpeEmulatorImage : 1; - ULONG ReservedFlags5 : 1; - ULONG Redirected : 1; - ULONG ReservedFlags6 : 2; - ULONG CompatDatabaseProcessed : 1; - }; - }; - USHORT ObsoleteLoadCount; - USHORT TlsIndex; - LIST_ENTRY HashLinks; - ULONG TimeDateStamp; - PACTIVATION_CONTEXT EntryPointActivationContext; - PVOID Lock; // RtlAcquireSRWLockExclusive - PLDR_DDAG_NODE DdagNode; - LIST_ENTRY NodeModuleLink; - PLDRP_LOAD_CONTEXT LoadContext; - PVOID ParentDllBase; - PVOID SwitchBackContext; - RTL_BALANCED_NODE BaseAddressIndexNode; - RTL_BALANCED_NODE MappingInfoIndexNode; - ULONG_PTR OriginalBase; - LARGE_INTEGER LoadTime; - ULONG BaseNameHashValue; - LDR_DLL_LOAD_REASON LoadReason; // since WIN8 - ULONG ImplicitPathOptions; - ULONG ReferenceCount; // since WIN10 - ULONG 
DependentLoadFlags; - UCHAR SigningLevel; // since REDSTONE2 - ULONG CheckSum; // since 22H1 - PVOID ActivePatchImageBase; - LDR_HOT_PATCH_STATE HotPatchState; - } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY; - -#define LDR_IS_DATAFILE(DllHandle) (((ULONG_PTR)(DllHandle)) & (ULONG_PTR)1) -#define LDR_IS_IMAGEMAPPING(DllHandle) (((ULONG_PTR)(DllHandle)) & (ULONG_PTR)2) -#define LDR_IS_RESOURCE(DllHandle) (LDR_IS_IMAGEMAPPING(DllHandle) || LDR_IS_DATAFILE(DllHandle)) -#define LDR_MAPPEDVIEW_TO_DATAFILE(BaseAddress) ((PVOID)(((ULONG_PTR)(BaseAddress)) | (ULONG_PTR)1)) -#define LDR_MAPPEDVIEW_TO_IMAGEMAPPING(BaseAddress) ((PVOID)(((ULONG_PTR)(BaseAddress)) | (ULONG_PTR)2)) -#define LDR_DATAFILE_TO_MAPPEDVIEW(DllHandle) ((PVOID)(((ULONG_PTR)(DllHandle)) & ~(ULONG_PTR)1)) -#define LDR_IMAGEMAPPING_TO_MAPPEDVIEW(DllHandle) ((PVOID)(((ULONG_PTR)(DllHandle)) & ~(ULONG_PTR)2)) - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - - NTSYSAPI - NTSTATUS - NTAPI - LdrLoadDll( - _In_opt_ PCWSTR DllPath, - _In_opt_ PULONG DllCharacteristics, - _In_ PUNICODE_STRING DllName, - _Out_ PVOID *DllHandle); - - NTSYSAPI - NTSTATUS - NTAPI - LdrUnloadDll( - _In_ PVOID DllHandle); - - NTSYSAPI - NTSTATUS - NTAPI - LdrGetDllHandle( - _In_opt_ PCWSTR DllPath, - _In_opt_ PULONG DllCharacteristics, - _In_ PUNICODE_STRING DllName, - _Out_ PVOID *DllHandle); - -#define LDR_GET_DLL_HANDLE_EX_UNCHANGED_REFCOUNT 0x00000001 -#define LDR_GET_DLL_HANDLE_EX_PIN 0x00000002 - - NTSYSAPI - NTSTATUS - NTAPI - LdrGetDllHandleEx( - _In_ ULONG Flags, - _In_opt_ PCWSTR DllPath, - _In_opt_ PULONG DllCharacteristics, - _In_ PUNICODE_STRING DllName, - _Out_ PVOID *DllHandle); - -#if (PHNT_VERSION >= PHNT_WIN7) - // rev - NTSYSAPI - NTSTATUS - NTAPI - LdrGetDllHandleByMapping( - _In_ PVOID BaseAddress, - _Out_ PVOID *DllHandle); -#endif - -#if (PHNT_VERSION >= PHNT_WIN7) - // rev - NTSYSAPI - NTSTATUS - NTAPI - LdrGetDllHandleByName( - _In_opt_ PUNICODE_STRING BaseDllName, - _In_opt_ PUNICODE_STRING FullDllName, - _Out_ PVOID 
*DllHandle); -#endif - -#if (PHNT_VERSION >= PHNT_WIN8) - // rev - NTSYSAPI - NTSTATUS - NTAPI - LdrGetDllFullName( - _In_ PVOID DllHandle, - _Out_ PUNICODE_STRING FullDllName); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - LdrGetDllPath( - _In_ PCWSTR DllName, - _In_ ULONG Flags, // LOAD_LIBRARY_SEARCH_* - _Out_ PWSTR *DllPath, - _Out_ PWSTR *SearchPaths); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - LdrGetDllDirectory( - _Out_ PUNICODE_STRING DllDirectory); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - LdrSetDllDirectory( - _In_ PUNICODE_STRING DllDirectory); -#endif - -#define LDR_ADDREF_DLL_PIN 0x00000001 - - NTSYSAPI - NTSTATUS - NTAPI - LdrAddRefDll( - _In_ ULONG Flags, - _In_ PVOID DllHandle); - - NTSYSAPI - NTSTATUS - NTAPI - LdrGetProcedureAddress( - _In_ PVOID DllHandle, - _In_opt_ PANSI_STRING ProcedureName, - _In_opt_ ULONG ProcedureNumber, - _Out_ PVOID *ProcedureAddress); - -// rev -#define LDR_GET_PROCEDURE_ADDRESS_DONT_RECORD_FORWARDER 0x00000001 - -#if (PHNT_VERSION >= PHNT_VISTA) - // private - NTSYSAPI - NTSTATUS - NTAPI - LdrGetProcedureAddressEx( - _In_ PVOID DllHandle, - _In_opt_ PANSI_STRING ProcedureName, - _In_opt_ ULONG ProcedureNumber, - _Out_ PVOID *ProcedureAddress, - _In_ ULONG Flags); -#endif - - NTSYSAPI - NTSTATUS - NTAPI - LdrGetKnownDllSectionHandle( - _In_ PCWSTR DllName, - _In_ BOOLEAN KnownDlls32, - _Out_ PHANDLE Section); - -#if (PHNT_VERSION >= PHNT_THRESHOLD) - // rev - NTSYSAPI - NTSTATUS - NTAPI - LdrGetProcedureAddressForCaller( - _In_ PVOID DllHandle, - _In_opt_ PANSI_STRING ProcedureName, - _In_opt_ ULONG ProcedureNumber, - _Out_ PVOID *ProcedureAddress, - _In_ ULONG Flags, - _In_ PVOID *Callback); -#endif - -#define LDR_LOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001 -#define LDR_LOCK_LOADER_LOCK_FLAG_TRY_ONLY 0x00000002 - -#define LDR_LOCK_LOADER_LOCK_DISPOSITION_INVALID 0 -#define LDR_LOCK_LOADER_LOCK_DISPOSITION_LOCK_ACQUIRED 1 -#define LDR_LOCK_LOADER_LOCK_DISPOSITION_LOCK_NOT_ACQUIRED 2 - - NTSYSAPI - NTSTATUS - NTAPI - 
LdrLockLoaderLock( - _In_ ULONG Flags, - _Out_opt_ ULONG *Disposition, - _Out_opt_ PVOID *Cookie); - -#define LDR_UNLOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001 - - NTSYSAPI - NTSTATUS - NTAPI - LdrUnlockLoaderLock( - _In_ ULONG Flags, - _In_opt_ PVOID Cookie); - - NTSYSAPI - NTSTATUS - NTAPI - LdrRelocateImage( - _In_ PVOID NewBase, - _In_opt_ PSTR LoaderName, - _In_ NTSTATUS Success, - _In_ NTSTATUS Conflict, - _In_ NTSTATUS Invalid); - - NTSYSAPI - NTSTATUS - NTAPI - LdrRelocateImageWithBias( - _In_ PVOID NewBase, - _In_opt_ LONGLONG Bias, - _In_opt_ PSTR LoaderName, - _In_ NTSTATUS Success, - _In_ NTSTATUS Conflict, - _In_ NTSTATUS Invalid); - - NTSYSAPI - PIMAGE_BASE_RELOCATION - NTAPI - LdrProcessRelocationBlock( - _In_ ULONG_PTR VA, - _In_ ULONG SizeOfBlock, - _In_ PUSHORT NextOffset, - _In_ LONG_PTR Diff); - -#if (PHNT_VERSION >= PHNT_WIN8) - NTSYSAPI - PIMAGE_BASE_RELOCATION - NTAPI - LdrProcessRelocationBlockEx( - _In_ ULONG Machine, // IMAGE_FILE_MACHINE_AMD64|IMAGE_FILE_MACHINE_ARM|IMAGE_FILE_MACHINE_THUMB|IMAGE_FILE_MACHINE_ARMNT - _In_ ULONG_PTR VA, - _In_ ULONG SizeOfBlock, - _In_ PUSHORT NextOffset, - _In_ LONG_PTR Diff); -#endif - - NTSYSAPI - BOOLEAN - NTAPI - LdrVerifyMappedImageMatchesChecksum( - _In_ PVOID BaseAddress, - _In_ SIZE_T NumberOfBytes, - _In_ ULONG FileLength); - - typedef _Function_class_(LDR_IMPORT_MODULE_CALLBACK) - VOID NTAPI LDR_IMPORT_MODULE_CALLBACK( - _In_ PVOID Parameter, - _In_ PSTR ModuleName); - typedef LDR_IMPORT_MODULE_CALLBACK *PLDR_IMPORT_MODULE_CALLBACK; - - NTSYSAPI - NTSTATUS - NTAPI - LdrVerifyImageMatchesChecksum( - _In_ HANDLE ImageFileHandle, - _In_opt_ PLDR_IMPORT_MODULE_CALLBACK ImportCallbackRoutine, - _In_ PVOID ImportCallbackParameter, - _Out_opt_ PUSHORT ImageCharacteristics); - - // private - typedef struct _LDR_IMPORT_CALLBACK_INFO - { - PLDR_IMPORT_MODULE_CALLBACK ImportCallbackRoutine; - PVOID ImportCallbackParameter; - } LDR_IMPORT_CALLBACK_INFO, *PLDR_IMPORT_CALLBACK_INFO; - - // private - 
typedef struct _LDR_SECTION_INFO - { - HANDLE SectionHandle; - ACCESS_MASK DesiredAccess; - POBJECT_ATTRIBUTES ObjA; - ULONG SectionPageProtection; - ULONG AllocationAttributes; - } LDR_SECTION_INFO, *PLDR_SECTION_INFO; - - // private - typedef struct _LDR_VERIFY_IMAGE_INFO - { - ULONG Size; - ULONG Flags; - LDR_IMPORT_CALLBACK_INFO CallbackInfo; - LDR_SECTION_INFO SectionInfo; - USHORT ImageCharacteristics; - } LDR_VERIFY_IMAGE_INFO, *PLDR_VERIFY_IMAGE_INFO; - -#if (PHNT_VERSION >= PHNT_VISTA) - // private - NTSYSAPI - NTSTATUS - NTAPI - LdrVerifyImageMatchesChecksumEx( - _In_ HANDLE ImageFileHandle, - _Inout_ PLDR_VERIFY_IMAGE_INFO VerifyInfo); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - // private - NTSYSAPI - NTSTATUS - NTAPI - LdrQueryModuleServiceTags( - _In_ PVOID DllHandle, - _Out_writes_(*BufferSize) PULONG ServiceTagBuffer, - _Inout_ PULONG BufferSize); -#endif - - // begin_msdn:"DLL Load Notification" - -#define LDR_DLL_NOTIFICATION_REASON_LOADED 1 -#define LDR_DLL_NOTIFICATION_REASON_UNLOADED 2 - - typedef struct _LDR_DLL_LOADED_NOTIFICATION_DATA - { - ULONG Flags; - PUNICODE_STRING FullDllName; - PUNICODE_STRING BaseDllName; - PVOID DllBase; - ULONG SizeOfImage; - } LDR_DLL_LOADED_NOTIFICATION_DATA, *PLDR_DLL_LOADED_NOTIFICATION_DATA; - - typedef struct _LDR_DLL_UNLOADED_NOTIFICATION_DATA - { - ULONG Flags; - PCUNICODE_STRING FullDllName; - PCUNICODE_STRING BaseDllName; - PVOID DllBase; - ULONG SizeOfImage; - } LDR_DLL_UNLOADED_NOTIFICATION_DATA, *PLDR_DLL_UNLOADED_NOTIFICATION_DATA; - - typedef union _LDR_DLL_NOTIFICATION_DATA - { - LDR_DLL_LOADED_NOTIFICATION_DATA Loaded; - LDR_DLL_UNLOADED_NOTIFICATION_DATA Unloaded; - } LDR_DLL_NOTIFICATION_DATA, *PLDR_DLL_NOTIFICATION_DATA; - - typedef _Function_class_(LDR_DLL_NOTIFICATION_FUNCTION) - VOID NTAPI LDR_DLL_NOTIFICATION_FUNCTION( - _In_ ULONG NotificationReason, - _In_ PLDR_DLL_NOTIFICATION_DATA NotificationData, - _In_opt_ PVOID Context); - typedef LDR_DLL_NOTIFICATION_FUNCTION 
*PLDR_DLL_NOTIFICATION_FUNCTION; - -#if (PHNT_VERSION >= PHNT_VISTA) - /** - * Registers for notification when a DLL is first loaded. This notification occurs before dynamic linking takes place. - * - * @param Flags This parameter must be zero. - * @param NotificationFunction A pointer to an LdrDllNotification notification callback function to call when the DLL is loaded. - * @param Context A pointer to context data for the callback function. - * @param Cookie A pointer to a variable to receive an identifier for the callback function. This identifier is used to unregister the notification callback function. - * @return NTSTATUS Successful or errant status. - * @remarks https://learn.microsoft.com/en-us/windows/win32/devnotes/ldrregisterdllnotification - */ - NTSYSAPI - NTSTATUS - NTAPI - LdrRegisterDllNotification( - _In_ ULONG Flags, - _In_ PLDR_DLL_NOTIFICATION_FUNCTION NotificationFunction, - _In_opt_ PVOID Context, - _Out_ PVOID *Cookie); - - /** - * Cancels DLL load notification previously registered by calling the LdrRegisterDllNotification function. - * - * @param Cookie A pointer to the callback identifier received from the LdrRegisterDllNotification call that registered for notification. - * @return NTSTATUS Successful or errant status. 
- * @remarks https://learn.microsoft.com/en-us/windows/win32/devnotes/ldrunregisterdllnotification - */ - NTSYSAPI - NTSTATUS - NTAPI - LdrUnregisterDllNotification( - _In_ PVOID Cookie); -#endif - - // end_msdn - - // rev - NTSYSAPI - PUNICODE_STRING - NTAPI - LdrStandardizeSystemPath( - _In_ PUNICODE_STRING SystemPath); - - typedef struct _LDR_FAILURE_DATA - { - NTSTATUS Status; - WCHAR DllName[0x20]; - WCHAR AdditionalInfo[0x20]; - } LDR_FAILURE_DATA, *PLDR_FAILURE_DATA; - -#if (PHNT_VERSION >= PHNT_WINBLUE) - NTSYSAPI - PLDR_FAILURE_DATA - NTAPI - LdrGetFailureData( - VOID); -#endif - - // private - typedef struct _PS_MITIGATION_OPTIONS_MAP - { - ULONG_PTR Map[3]; // 2 < 20H1 - } PS_MITIGATION_OPTIONS_MAP, *PPS_MITIGATION_OPTIONS_MAP; - - // private - typedef struct _PS_MITIGATION_AUDIT_OPTIONS_MAP - { - ULONG_PTR Map[3]; // 2 < 20H1 - } PS_MITIGATION_AUDIT_OPTIONS_MAP, *PPS_MITIGATION_AUDIT_OPTIONS_MAP; - - // private - typedef struct _PS_SYSTEM_DLL_INIT_BLOCK - { - ULONG Size; - ULONG_PTR SystemDllWowRelocation; - ULONG_PTR SystemDllNativeRelocation; - ULONG_PTR Wow64SharedInformation[16]; // use WOW64_SHARED_INFORMATION as index - ULONG RngData; - union - { - ULONG Flags; - struct - { - ULONG CfgOverride : 1; - ULONG Reserved : 31; - }; - }; - PS_MITIGATION_OPTIONS_MAP MitigationOptionsMap; - ULONG_PTR CfgBitMap; - ULONG_PTR CfgBitMapSize; - ULONG_PTR Wow64CfgBitMap; - ULONG_PTR Wow64CfgBitMapSize; - PS_MITIGATION_AUDIT_OPTIONS_MAP MitigationAuditOptionsMap; // REDSTONE3 - ULONG_PTR ScpCfgCheckFunction; // since 24H2 - ULONG_PTR ScpCfgCheckESFunction; - ULONG_PTR ScpCfgDispatchFunction; - ULONG_PTR ScpCfgDispatchESFunction; - ULONG_PTR ScpArm64EcCallCheck; - ULONG_PTR ScpArm64EcCfgCheckFunction; - ULONG_PTR ScpArm64EcCfgCheckESFunction; - } PS_SYSTEM_DLL_INIT_BLOCK, *PPS_SYSTEM_DLL_INIT_BLOCK; - -// rev -#if (PHNT_VERSION >= PHNT_THRESHOLD) - NTSYSAPI PS_SYSTEM_DLL_INIT_BLOCK LdrSystemDllInitBlock; -#endif - -#define PS_SYSTEM_DLL_INIT_BLOCK_SIZE_V1 \ - 
RTL_SIZEOF_THROUGH_FIELD(PS_SYSTEM_DLL_INIT_BLOCK, MitigationAuditOptionsMap) -#define PS_SYSTEM_DLL_INIT_BLOCK_SIZE_V2 \ - RTL_SIZEOF_THROUGH_FIELD(PS_SYSTEM_DLL_INIT_BLOCK, ScpArm64EcCfgCheckESFunction) - - // static_assert(PS_SYSTEM_DLL_INIT_BLOCK_SIZE_V1 == 240, "PS_SYSTEM_DLL_INIT_BLOCK_SIZE_V1 must equal 240"); - // static_assert(PS_SYSTEM_DLL_INIT_BLOCK_SIZE_V2 == 296, "PS_SYSTEM_DLL_INIT_BLOCK_SIZE_V2 must equal 296"); - - // rev see also MEMORY_IMAGE_EXTENSION_INFORMATION - typedef struct _RTL_SCPCFG_NTDLL_EXPORTS - { - PVOID ScpCfgHeader_Nop; - PVOID ScpCfgEnd_Nop; - PVOID ScpCfgHeader; - PVOID ScpCfgEnd; - PVOID ScpCfgHeader_ES; - PVOID ScpCfgEnd_ES; - PVOID ScpCfgHeader_Fptr; - PVOID ScpCfgEnd_Fptr; - PVOID LdrpGuardDispatchIcallNoESFptr; - PVOID __guard_dispatch_icall_fptr; - PVOID LdrpGuardCheckIcallNoESFptr; - PVOID __guard_check_icall_fptr; - PVOID LdrpHandleInvalidUserCallTarget; - struct - { - PVOID NtOpenFile; - PVOID NtCreateSection; - PVOID NtQueryAttributesFile; - PVOID NtOpenSection; - PVOID NtMapViewOfSection; - } LdrpCriticalLoaderFunctions; - } RTL_SCPCFG_NTDLL_EXPORTS, *PRTL_SCPCFG_NTDLL_EXPORTS; - -// rev -#if (PHNT_VERSION >= PHNT_WIN11_24H2) - NTSYSAPI RTL_SCPCFG_NTDLL_EXPORTS RtlpScpCfgNtdllExports; -#endif - - // - // Load as data table - // - -#if (PHNT_VERSION >= PHNT_VISTA) - - // private - NTSYSAPI - NTSTATUS - NTAPI - LdrAddLoadAsDataTable( - _In_ PVOID Module, - _In_ PCWSTR FilePath, - _In_ SIZE_T Size, - _In_ HANDLE Handle, - _In_opt_ PACTIVATION_CONTEXT ActCtx); - - // private - NTSYSAPI - NTSTATUS - NTAPI - LdrRemoveLoadAsDataTable( - _In_ PVOID InitModule, - _Out_opt_ PVOID *BaseModule, - _Out_opt_ PSIZE_T Size, - _In_ ULONG Flags); - - // private - NTSYSAPI - NTSTATUS - NTAPI - LdrGetFileNameFromLoadAsDataTable( - _In_ PVOID Module, - _Out_ PVOID *pFileNamePrt); - -#endif - - NTSYSAPI - NTSTATUS - NTAPI - LdrDisableThreadCalloutsForDll( - _In_ PVOID DllImageBase); - - // - // Resources - // - - NTSYSAPI - NTSTATUS - NTAPI 
- LdrAccessResource( - _In_ PVOID DllHandle, - _In_ PIMAGE_RESOURCE_DATA_ENTRY ResourceDataEntry, - _Out_opt_ PVOID *ResourceBuffer, - _Out_opt_ ULONG *ResourceLength); - - typedef struct _LDR_RESOURCE_INFO - { - ULONG_PTR Type; - ULONG_PTR Name; - ULONG_PTR Language; - } LDR_RESOURCE_INFO, *PLDR_RESOURCE_INFO; - -#define RESOURCE_TYPE_LEVEL 0 -#define RESOURCE_NAME_LEVEL 1 -#define RESOURCE_LANGUAGE_LEVEL 2 -#define RESOURCE_DATA_LEVEL 3 - - NTSYSAPI - NTSTATUS - NTAPI - LdrFindResource_U( - _In_ PVOID DllHandle, - _In_ PLDR_RESOURCE_INFO ResourceInfo, - _In_ ULONG Level, - _Out_ PIMAGE_RESOURCE_DATA_ENTRY *ResourceDataEntry); - - NTSYSAPI - NTSTATUS - NTAPI - LdrFindResourceEx_U( - _In_ ULONG Flags, - _In_ PVOID DllHandle, - _In_ PLDR_RESOURCE_INFO ResourceInfo, - _In_ ULONG Level, - _Out_ PIMAGE_RESOURCE_DATA_ENTRY *ResourceDataEntry); - - NTSYSAPI - NTSTATUS - NTAPI - LdrFindResourceDirectory_U( - _In_ PVOID DllHandle, - _In_ PLDR_RESOURCE_INFO ResourceInfo, - _In_ ULONG Level, - _Out_ PIMAGE_RESOURCE_DIRECTORY *ResourceDirectory); - -#if (PHNT_VERSION >= PHNT_WIN8) - /** - * The LdrResFindResource function finds a resource in a DLL. - * - * @param DllHandle A handle to the DLL. - * @param Type The type of the resource. - * @param Name The name of the resource. - * @param Language The language of the resource. - * @param ResourceBuffer An optional pointer to receive the resource buffer. - * @param ResourceLength An optional pointer to receive the resource length. - * @param CultureName An optional buffer to receive the culture name. - * @param CultureNameLength An optional pointer to receive the length of the culture name. - * @param Flags Flags for the resource search. - * @return NTSTATUS Successful or errant status. 
- */ - NTSYSAPI - NTSTATUS - NTAPI - LdrResFindResource( - _In_ PVOID DllHandle, - _In_ ULONG_PTR Type, - _In_ ULONG_PTR Name, - _In_ ULONG_PTR Language, - _Out_opt_ PVOID *ResourceBuffer, - _Out_opt_ PULONG ResourceLength, - _Out_writes_bytes_opt_(CultureNameLength) PVOID CultureName, // WCHAR buffer[6] - _Out_opt_ PULONG CultureNameLength, - _In_ ULONG Flags); - - /** - * The LdrResFindResourceDirectory function finds a resource directory in a DLL. - * - * @param DllHandle A handle to the DLL. - * @param Type The type of the resource. - * @param Name The name of the resource. - * @param ResourceDirectory An optional pointer to receive the resource directory. - * @param CultureName An optional buffer to receive the culture name. - * @param CultureNameLength An optional pointer to receive the length of the culture name. - * @param Flags Flags for the resource search. - * @return NTSTATUS Successful or errant status. - */ - NTSYSAPI - NTSTATUS - NTAPI - LdrResFindResourceDirectory( - _In_ PVOID DllHandle, - _In_ ULONG_PTR Type, - _In_ ULONG_PTR Name, - _Out_opt_ PIMAGE_RESOURCE_DIRECTORY *ResourceDirectory, - _Out_writes_bytes_opt_(CultureNameLength) PVOID CultureName, // WCHAR buffer[6] - _Out_opt_ PULONG CultureNameLength, - _In_ ULONG Flags); - - NTSYSAPI - NTSTATUS - NTAPI - LdrpResGetResourceDirectory( - _In_ PVOID DllHandle, - _In_ SIZE_T Size, - _In_ ULONG Flags, - _Out_opt_ PIMAGE_RESOURCE_DIRECTORY *ResourceDirectory, - _Out_ PIMAGE_NT_HEADERS *OutHeaders); - - /** - * The LdrResSearchResource function searches for a resource in a DLL. - * - * @param DllHandle A handle to the DLL. - * @param ResourceInfo A pointer to the resource information. - * @param Level The level of the resource. - * @param Flags Flags for the resource search. - * @param ResourceBuffer An optional pointer to receive the resource buffer. - * @param ResourceLength An optional pointer to receive the resource length. - * @param CultureName An optional buffer to receive the culture name. 
- * @param CultureNameLength An optional pointer to receive the length of the culture name. - * @return NTSTATUS Successful or errant status. - */ - NTSYSAPI - NTSTATUS - NTAPI - LdrResSearchResource( - _In_ PVOID DllHandle, - _In_ PLDR_RESOURCE_INFO ResourceInfo, - _In_ ULONG Level, - _In_ ULONG Flags, - _Out_opt_ PVOID *ResourceBuffer, - _Out_opt_ PSIZE_T ResourceLength, - _Out_writes_bytes_opt_(CultureNameLength) PVOID CultureName, // WCHAR buffer[6] - _Out_opt_ PULONG CultureNameLength); - - /** - * The LdrResGetRCConfig function retrieves the RC configuration for a DLL. - * - * @param DllHandle A handle to the DLL. - * @param Length The length of the configuration buffer. - * @param Config A buffer to receive the configuration. - * @param Flags Flags for the operation. - * @param AlternateResource Indicates if an alternate resource should be loaded. - * @return NTSTATUS Successful or errant status. - */ - NTSYSAPI - NTSTATUS - NTAPI - LdrResGetRCConfig( - _In_ PVOID DllHandle, - _In_opt_ SIZE_T Length, - _Out_writes_bytes_opt_(Length) PVOID Config, - _In_ ULONG Flags, - _In_ BOOLEAN AlternateResource // LdrLoadAlternateResourceModule - ); - - /** - * The LdrResRelease function releases a resource in a DLL. - * - * @param DllHandle A handle to the DLL. - * @param CultureNameOrId An optional culture name or ID. - * @param Flags Flags for the operation. - * @return NTSTATUS Successful or errant status. - */ - NTSYSAPI - NTSTATUS - NTAPI - LdrResRelease( - _In_ PVOID DllHandle, - _In_opt_ ULONG_PTR CultureNameOrId, // MAKEINTRESOURCE - _In_ ULONG Flags); -#endif - - // private - typedef struct _LDR_ENUM_RESOURCE_ENTRY - { - union - { - ULONG_PTR NameOrId; - PIMAGE_RESOURCE_DIRECTORY_STRING Name; - struct - { - USHORT Id; - USHORT NameIsPresent; - }; - } Path[3]; - PVOID Data; - ULONG Size; - ULONG Reserved; - } LDR_ENUM_RESOURCE_ENTRY, *PLDR_ENUM_RESOURCE_ENTRY; - -#define NAME_FROM_RESOURCE_ENTRY(RootDirectory, Entry) \ - ((Entry)->NameIsString ? 
(ULONG_PTR)((ULONG_PTR)(RootDirectory) + (ULONG_PTR)((Entry)->NameOffset)) : (Entry)->Id) - - NTSYSAPI - NTSTATUS - NTAPI - LdrEnumResources( - _In_ PVOID DllHandle, - _In_ PLDR_RESOURCE_INFO ResourceInfo, - _In_ ULONG Level, - _Inout_ ULONG *ResourceCount, - _Out_writes_to_opt_(*ResourceCount, *ResourceCount) PLDR_ENUM_RESOURCE_ENTRY Resources); - - NTSYSAPI - NTSTATUS - NTAPI - LdrFindEntryForAddress( - _In_ PVOID DllHandle, - _Out_ PLDR_DATA_TABLE_ENTRY *Entry); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - LdrLoadAlternateResourceModule( - _In_ PVOID DllHandle, - _Out_ PVOID *ResourceDllBase, - _Out_opt_ ULONG_PTR *ResourceOffset, - _In_ ULONG Flags); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - LdrLoadAlternateResourceModuleEx( - _In_ PVOID DllHandle, - _In_ LANGID LanguageId, - _Out_ PVOID *ResourceDllBase, - _Out_opt_ ULONG_PTR *ResourceOffset, - _In_ ULONG Flags); - - // rev - NTSYSAPI - BOOLEAN - NTAPI - LdrUnloadAlternateResourceModule( - _In_ PVOID DllHandle); - - // rev - NTSYSAPI - BOOLEAN - NTAPI - LdrUnloadAlternateResourceModuleEx( - _In_ PVOID DllHandle, - _In_ ULONG Flags); - -#endif // (PHNT_MODE != PHNT_MODE_KERNEL) - - // - // Module information - // - - typedef struct _RTL_PROCESS_MODULE_INFORMATION - { - PVOID Section; - PVOID MappedBase; - PVOID ImageBase; - ULONG ImageSize; - ULONG Flags; - USHORT LoadOrderIndex; - USHORT InitOrderIndex; - USHORT LoadCount; - USHORT OffsetToFileName; - UCHAR FullPathName[256]; - } RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION; - - typedef struct _RTL_PROCESS_MODULES - { - ULONG NumberOfModules; - _Field_size_(NumberOfModules) RTL_PROCESS_MODULE_INFORMATION Modules[1]; - } RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES; - - // private - typedef struct _RTL_PROCESS_MODULE_INFORMATION_EX - { - USHORT NextOffset; - union - { - RTL_PROCESS_MODULE_INFORMATION BaseInfo; - struct - { - PVOID Section; - PVOID MappedBase; - PVOID ImageBase; - ULONG ImageSize; - ULONG Flags; - USHORT LoadOrderIndex; - USHORT 
InitOrderIndex; - USHORT LoadCount; - USHORT OffsetToFileName; - UCHAR FullPathName[256]; - }; - }; - ULONG ImageChecksum; - ULONG TimeDateStamp; - PVOID DefaultBase; - } RTL_PROCESS_MODULE_INFORMATION_EX, *PRTL_PROCESS_MODULE_INFORMATION_EX; - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - - NTSYSAPI - NTSTATUS - NTAPI - LdrQueryProcessModuleInformation( - _In_opt_ PRTL_PROCESS_MODULES ModuleInformation, - _In_opt_ ULONG Size, - _Out_ PULONG ReturnedSize); - - typedef _Function_class_(LDR_ENUM_CALLBACK) - VOID NTAPI LDR_ENUM_CALLBACK( - _In_ PLDR_DATA_TABLE_ENTRY ModuleInformation, - _In_ PVOID Parameter, - _Out_ BOOLEAN *Stop); - typedef LDR_ENUM_CALLBACK *PLDR_ENUM_CALLBACK; - - NTSYSAPI - NTSTATUS - NTAPI - LdrEnumerateLoadedModules( - _In_ BOOLEAN ReservedFlag, - _In_ PLDR_ENUM_CALLBACK EnumProc, - _In_ PVOID Context); - - NTSYSAPI - NTSTATUS - NTAPI - LdrOpenImageFileOptionsKey( - _In_ PUNICODE_STRING SubKey, - _In_ BOOLEAN Wow64, - _Out_ PHANDLE NewKeyHandle); - - NTSYSAPI - NTSTATUS - NTAPI - LdrQueryImageFileKeyOption( - _In_ HANDLE KeyHandle, - _In_ PCWSTR ValueName, - _In_ ULONG Type, - _Out_ PVOID Buffer, - _In_ ULONG BufferSize, - _Out_opt_ PULONG ReturnedLength); - - NTSYSAPI - NTSTATUS - NTAPI - LdrQueryImageFileExecutionOptions( - _In_ PUNICODE_STRING SubKey, - _In_ PCWSTR ValueName, - _In_ ULONG ValueSize, - _Out_ PVOID Buffer, - _In_ ULONG BufferSize, - _Out_opt_ PULONG ReturnedLength); - - NTSYSAPI - NTSTATUS - NTAPI - LdrQueryImageFileExecutionOptionsEx( - _In_ PUNICODE_STRING SubKey, - _In_ PCWSTR ValueName, - _In_ ULONG Type, - _Out_ PVOID Buffer, - _In_ ULONG BufferSize, - _Out_opt_ PULONG ReturnedLength, - _In_ BOOLEAN Wow64); - - // private - typedef struct _DELAYLOAD_PROC_DESCRIPTOR - { - ULONG ImportDescribedByName; - union - { - PCSTR Name; - ULONG Ordinal; - } Description; - } DELAYLOAD_PROC_DESCRIPTOR, *PDELAYLOAD_PROC_DESCRIPTOR; - - // private - typedef struct _DELAYLOAD_INFO - { - ULONG Size; - PCIMAGE_DELAYLOAD_DESCRIPTOR 
DelayloadDescriptor; - PIMAGE_THUNK_DATA ThunkAddress; - PCSTR TargetDllName; - DELAYLOAD_PROC_DESCRIPTOR TargetApiDescriptor; - PVOID TargetModuleBase; - PVOID Unused; - ULONG LastError; - } DELAYLOAD_INFO, *PDELAYLOAD_INFO; - - // private - typedef _Function_class_(DELAYLOAD_FAILURE_DLL_CALLBACK) - PVOID NTAPI DELAYLOAD_FAILURE_DLL_CALLBACK( - _In_ ULONG NotificationReason, - _In_ PDELAYLOAD_INFO DelayloadInfo); - typedef DELAYLOAD_FAILURE_DLL_CALLBACK *PDELAYLOAD_FAILURE_DLL_CALLBACK; - - // rev - typedef _Function_class_(DELAYLOAD_FAILURE_SYSTEM_ROUTINE) - PVOID NTAPI DELAYLOAD_FAILURE_SYSTEM_ROUTINE( - _In_ PCSTR DllName, - _In_ PCSTR ProcedureName); - typedef DELAYLOAD_FAILURE_SYSTEM_ROUTINE *PDELAYLOAD_FAILURE_SYSTEM_ROUTINE; - -#if (PHNT_VERSION >= PHNT_THRESHOLD) - // rev from QueryOptionalDelayLoadedAPI - /** - * Determines whether the specified function in a delay-loaded DLL is available on the system. - * - * @param ParentModuleBase A handle to the calling module. (NtCurrentImageBase) - * @param DllName The file name of the delay-loaded DLL that exports the specified function. This parameter is case-insensitive. - * @param ProcedureName The address of a delay-load failure callback function for the specified DLL and process. - * @param Flags Reserved; must be 0. - * @return NTSTATUS Successful or errant status. - * @remarks https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi2/nf-libloaderapi2-queryoptionaldelayloadedapi - */ - NTSYSAPI - NTSTATUS - NTAPI - LdrQueryOptionalDelayLoadedAPI( - _In_ PVOID ParentModuleBase, - _In_ PCSTR DllName, - _In_ PCSTR ProcedureName, - _Reserved_ ULONG Flags); -#endif - -#if (PHNT_VERSION >= PHNT_WIN8) - // rev from ResolveDelayLoadedAPI - /** - * Locates the target function of the specified import and replaces the function pointer in the import thunk with the target of the function implementation. - * - * @param ParentModuleBase The address of the base of the module importing a delay-loaded function. 
(NtCurrentImageBase) - * @param DelayloadDescriptor The address of the image delay import directory for the module to be loaded. - * @param FailureDllHook The address of a delay-load failure callback function for the specified DLL and process. - * @param FailureSystemHook The address of a delay-load failure callback function for the specified DLL and process. - * @param ThunkAddress The thunk data for the target function. Used to find the specific name table entry of the function. - * @param Flags Reserved; must be 0. - * @return The address of the import, or the failure stub for it. - * @remarks https://learn.microsoft.com/en-us/windows/win32/devnotes/resolvedelayloadedapi - */ - NTSYSAPI - PVOID - NTAPI - LdrResolveDelayLoadedAPI( - _In_ PVOID ParentModuleBase, - _In_ PCIMAGE_DELAYLOAD_DESCRIPTOR DelayloadDescriptor, - _In_opt_ PDELAYLOAD_FAILURE_DLL_CALLBACK FailureDllHook, - _In_opt_ PDELAYLOAD_FAILURE_SYSTEM_ROUTINE FailureSystemHook, // kernel32.DelayLoadFailureHook - _Out_ PIMAGE_THUNK_DATA ThunkAddress, - _Reserved_ ULONG Flags); - - // rev from ResolveDelayLoadsFromDll - /** - * Forwards the work in resolving delay-loaded imports from the parent binary to a target binary. - * - * @param [in] ParentModuleBase The base address of the module that delay loads another binary. - * @param [in] TargetDllName The name of the target DLL. - * @param [in] Flags Reserved; must be 0. - * @return NTSTATUS Successful or errant status. - * @remarks https://learn.microsoft.com/en-us/windows/win32/devnotes/resolvedelayloadsfromdll - */ - NTSYSAPI - NTSTATUS - NTAPI - LdrResolveDelayLoadsFromDll( - _In_ PVOID ParentModuleBase, - _In_ PCSTR TargetDllName, - _Reserved_ ULONG Flags); - - // rev from SetDefaultDllDirectories - /** - * Specifies a default set of directories to search when the calling process loads a DLL. - * - * @param [in] DirectoryFlags The directories to search. - * @return NTSTATUS Successful or errant status. 
- * @remarks https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-setdefaultdlldirectories - */ - NTSYSAPI - NTSTATUS - NTAPI - LdrSetDefaultDllDirectories( - _In_ ULONG DirectoryFlags); - - // rev from AddDllDirectory - /** - * Adds a directory to the process DLL search path. - * - * @param [in] NewDirectory An absolute path to the directory to add to the search path. For example, to add the directory Dir2 to the process DLL search path, specify \Dir2. - * @param [out] Cookie An opaque pointer that can be passed to RemoveDllDirectory to remove the DLL from the process DLL search path. - * @return NTSTATUS Successful or errant status. - * @remarks https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-adddlldirectory - */ - NTSYSAPI - NTSTATUS - NTAPI - LdrAddDllDirectory( - _In_ PUNICODE_STRING NewDirectory, - _Out_ PDLL_DIRECTORY_COOKIE Cookie); - - // rev from RemoveDllDirectory - /** - * Removes a directory that was added to the process DLL search path by using LdrAddDllDirectory. - * - * @param [in] Cookie The cookie returned by LdrAddDllDirectory when the directory was added to the search path. - * @return NTSTATUS Successful or errant status. - * @remarks https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-removedlldirectory - */ - NTSYSAPI - NTSTATUS - NTAPI - LdrRemoveDllDirectory( - _In_ DLL_DIRECTORY_COOKIE Cookie); -#endif - - // rev - _Analysis_noreturn_ - DECLSPEC_NORETURN - NTSYSAPI - VOID - NTAPI - LdrShutdownProcess( - VOID); - - // rev - _Analysis_noreturn_ - DECLSPEC_NORETURN - NTSYSAPI - VOID - NTAPI - LdrShutdownThread( - VOID); - -#if (PHNT_VERSION >= PHNT_WINBLUE) - // rev - NTSYSAPI - NTSTATUS - NTAPI - LdrSetImplicitPathOptions( - _In_ ULONG ImplicitPathOptions); -#endif - -#if (PHNT_VERSION >= PHNT_THRESHOLD) -#ifdef PHNT_INLINE_TYPEDEFS - /** - * The LdrControlFlowGuardEnforced function checks if Control Flow Guard is enforced. 
- * - * @return BOOLEAN TRUE if Control Flow Guard is enforced, FALSE otherwise. - */ - FORCEINLINE - BOOLEAN - NTAPI - LdrControlFlowGuardEnforced( - VOID) - { - return LdrSystemDllInitBlock.CfgBitMap && (LdrSystemDllInitBlock.Flags & 1) == 0; - } -#else - // rev - /** - * The LdrControlFlowGuardEnforced function checks if Control Flow Guard is enforced. - * - * @return BOOLEAN TRUE if Control Flow Guard is enforced, FALSE otherwise. - */ - NTSYSAPI - BOOLEAN - NTAPI - LdrControlFlowGuardEnforced( - VOID); -#endif -#endif - -#if (PHNT_VERSION >= PHNT_THRESHOLD) - /** - * The LdrControlFlowGuardEnforcedWithExportSuppression function checks if Control Flow Guard is - * enforced with export suppression. - * - * @return BOOLEAN TRUE if Control Flow Guard is enforced, FALSE otherwise. - */ - FORCEINLINE - BOOLEAN - NTAPI - LdrControlFlowGuardEnforcedWithExportSuppression( - VOID) - { - return LdrSystemDllInitBlock.CfgBitMap && (LdrSystemDllInitBlock.Flags & 1) == 0 && (LdrSystemDllInitBlock.MitigationOptionsMap.Map[0] & 3) == 3; // PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_EXPORT_SUPPRESSION - } -#endif - -#if (PHNT_VERSION >= PHNT_19H1) - // rev - NTSYSAPI - BOOLEAN - NTAPI - LdrIsModuleSxsRedirected( - _In_ PVOID DllHandle); -#endif - -#if (PHNT_VERSION >= PHNT_THRESHOLD) - // rev - NTSYSAPI - NTSTATUS - NTAPI - LdrUpdatePackageSearchPath( - _In_ PCWSTR SearchPath); -#endif - -// rev -#define ENCLAVE_STATE_CREATED 0x00000000ul // LdrpCreateSoftwareEnclave initial state -#define ENCLAVE_STATE_INITIALIZED 0x00000001ul // ZwInitializeEnclave successful (LdrInitializeEnclave) -#define ENCLAVE_STATE_INITIALIZED_VBS 0x00000002ul // only for ENCLAVE_TYPE_VBS (LdrInitializeEnclave) - - // rev - typedef struct _LDR_SOFTWARE_ENCLAVE - { - LIST_ENTRY Links; // ntdll!LdrpEnclaveList - RTL_CRITICAL_SECTION CriticalSection; - ULONG EnclaveType; // ENCLAVE_TYPE_* - LONG ReferenceCount; - ULONG EnclaveState; // ENCLAVE_STATE_* - PVOID BaseAddress; - SIZE_T Size; - PVOID 
PreviousBaseAddress; - LIST_ENTRY Modules; // LDR_DATA_TABLE_ENTRY.InLoadOrderLinks - PLDR_DATA_TABLE_ENTRY PrimaryModule; - PLDR_DATA_TABLE_ENTRY BCryptModule; - PLDR_DATA_TABLE_ENTRY BCryptPrimitivesModule; - } LDR_SOFTWARE_ENCLAVE, *PLDR_SOFTWARE_ENCLAVE; - -#if (PHNT_VERSION >= PHNT_THRESHOLD) - - // rev from CreateEnclave - /** - * Creates a new uninitialized enclave. An enclave is an isolated region of code and data within the address space for an application. Only code that runs within the enclave can access data within the same enclave. - * - * @param ProcessHandle A handle to the process for which you want to create an enclave. - * @param BaseAddress The preferred base address of the enclave. Specify NULL to have the operating system assign the base address. - * @param Reserved Reserved. - * @param Size The size of the enclave that you want to create, including the size of the code that you will load into the enclave, in bytes. - * @param InitialCommitment The amount of memory to commit for the enclave, in bytes. This parameter is not used for virtualization-based security (VBS) enclaves. - * @param EnclaveType The architecture type of the enclave that you want to create. To verify that an enclave type is supported, call IsEnclaveTypeSupported. - * @param EnclaveInformation A pointer to the architecture-specific information to use to create the enclave. - * @param EnclaveInformationLength The length of the structure that the EnclaveInformation parameter points to, in bytes. - * For the ENCLAVE_TYPE_SGX and ENCLAVE_TYPE_SGX2 enclave types, this value must be 4096. For the ENCLAVE_TYPE_VBS enclave type, this value must be sizeof(ENCLAVE_CREATE_INFO_VBS), which is 36 bytes. - * @param EnclaveError An optional pointer to a variable that receives an enclave error code that is architecture-specific. - * @return NTSTATUS Successful or errant status. 
- * @remarks https://learn.microsoft.com/en-us/windows/win32/api/enclaveapi/nf-enclaveapi-createenclave - */ - NTSYSAPI - NTSTATUS - NTAPI - LdrCreateEnclave( - _In_ HANDLE ProcessHandle, - _Inout_ PVOID *BaseAddress, - _In_ ULONG Reserved, - _In_ SIZE_T Size, - _In_ SIZE_T InitialCommitment, - _In_ ULONG EnclaveType, - _In_reads_bytes_(EnclaveInformationLength) PVOID EnclaveInformation, - _In_ ULONG EnclaveInformationLength, - _Out_ PULONG EnclaveError); - - // rev from InitializeEnclave - /** - * Initializes an enclave that you created and loaded with data. - * - * @param ProcessHandle A handle to the process for which the enclave was created. - * @param BaseAddress Any address within the enclave. - * @param EnclaveInformation A pointer to the architecture-specific information to use to initialize the enclave. - * @param EnclaveInformationLength The length of the structure that the EnclaveInformation parameter points to, in bytes. - * For the ENCLAVE_TYPE_SGX and ENCLAVE_TYPE_SGX2 enclave types, this value must be 4096. For the ENCLAVE_TYPE_VBS enclave type, this value must be sizeof(ENCLAVE_CREATE_INFO_VBS), which is 36 bytes. - * @param EnclaveError An optional pointer to a variable that receives an enclave error code that is architecture-specific. - * @return NTSTATUS Successful or errant status. - * @remarks https://learn.microsoft.com/en-us/windows/win32/api/enclaveapi/nf-enclaveapi-initializeenclave - */ - NTSYSAPI - NTSTATUS - NTAPI - LdrInitializeEnclave( - _In_ HANDLE ProcessHandle, - _In_ PVOID BaseAddress, - _In_reads_bytes_(EnclaveInformationLength) PVOID EnclaveInformation, - _In_ ULONG EnclaveInformationLength, - _Out_ PULONG EnclaveError); - - // rev from DeleteEnclave - /** - * Deletes the specified enclave. - * - * @param BaseAddress The base address of the enclave that you want to delete. - * @return NTSTATUS Successful or errant status. 
- * @remarks https://learn.microsoft.com/en-us/windows/win32/api/enclaveapi/nf-enclaveapi-deleteenclave - */ - NTSYSAPI - NTSTATUS - NTAPI - LdrDeleteEnclave( - _In_ PVOID BaseAddress); - - // rev from CallEnclave - /** - * Calls a function within an enclave. LdrCallEnclave can also be called within an enclave to call a function outside of the enclave. - * - * @param Routine The address of the function that you want to call. - * @param Flags The flags to modify the call function. - * @param RoutineParamReturn The parameter than you want to pass to the function. - * @return NTSTATUS Successful or errant status. - * @remarks https://learn.microsoft.com/en-us/windows/win32/api/enclaveapi/nf-enclaveapi-callenclave - */ - NTSYSAPI - NTSTATUS - NTAPI - LdrCallEnclave( - _In_ PENCLAVE_ROUTINE Routine, - _In_ ULONG Flags, // ENCLAVE_CALL_FLAG_* - _Inout_ PVOID *RoutineParamReturn); - - // rev from LoadEnclaveImage - /** - * Loads an image and all of its imports into an enclave. - * - * @param BaseAddress The base address of the image into which to load the image. - * @param DllPath A NULL-terminated string that contains the path of the image to load. - * @param DllName A NULL-terminated string that contains the name of the image to load. - * @return NTSTATUS Successful or errant status. - * @remarks https://learn.microsoft.com/en-us/windows/win32/api/enclaveapi/nf-enclaveapi-loadenclaveimagew - */ - NTSYSAPI - NTSTATUS - NTAPI - LdrLoadEnclaveModule( - _In_ PVOID BaseAddress, - _In_opt_ PCWSTR DllPath, - _In_ PUNICODE_STRING DllName); - -#endif - - /** - * This function forcefully terminates the calling program if it is invoked inside a loader callout. Otherwise, it has no effect. - * - * @remarks This routine does not catch all potential deadlock cases; it is possible for a thread inside a loader callout - * to acquire a lock while some thread outside a loader callout holds the same lock and makes a call into the loader. 
- * In other words, there can be a lock order inversion between the loader lock and a client lock. - * https://learn.microsoft.com/en-us/windows/win32/devnotes/ldrfastfailinloadercallout - */ - NTSYSAPI - VOID - NTAPI - LdrFastFailInLoaderCallout( - VOID); - - NTSYSAPI - BOOLEAN - NTAPI - LdrFlushAlternateResourceModules( - VOID); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - LdrDllRedirectionCallback( - _In_ ULONG Flags, - _In_ PCWSTR DllName, - _In_opt_ PCWSTR DllPath, - _Inout_opt_ PULONG DllCharacteristics, - _In_ PVOID CallbackData, - _Out_ PCWSTR *EffectiveDllPath); - - // rev - NTSYSAPI - VOID - NTAPI - LdrSetDllManifestProber( - _In_ PVOID Routine); - -#if (PHNT_VERSION >= PHNT_THRESHOLD) - NTSYSAPI BOOLEAN LdrpChildNtdll; // DATA export -#endif - - // rev - NTSYSAPI - VOID - NTAPI - LdrpResGetMappingSize( - _In_ PVOID BaseAddress, - _Out_ PSIZE_T Size, - _In_ ULONG Flags, - _In_ BOOLEAN GetFileSizeFromLoadAsDataTable); - -#endif // (PHNT_MODE != PHNT_MODE_KERNEL) - -#endif - /* - * Executive support library functions - * - * This file is part of System Informer. - */ - -#ifndef _NTEXAPI_H -#define _NTEXAPI_H - - typedef struct _TEB *PTEB; - typedef struct _COUNTED_REASON_CONTEXT *PCOUNTED_REASON_CONTEXT; - typedef struct _FILE_IO_COMPLETION_INFORMATION *PFILE_IO_COMPLETION_INFORMATION; - typedef struct _PORT_MESSAGE *PPORT_MESSAGE; - typedef struct _IMAGE_EXPORT_DIRECTORY *PIMAGE_EXPORT_DIRECTORY; - typedef struct _FILE_OBJECT *PFILE_OBJECT; - typedef struct _DEVICE_OBJECT *PDEVICE_OBJECT; - typedef struct _IRP *PIRP; - typedef struct _RTL_BITMAP *PRTL_BITMAP; - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - - // - // Thread execution - // - - /** - * The NtDelayExecution routine suspends the current thread until the specified condition is met. - * - * @param Alertable The function returns when either the time-out period has elapsed or when the APC function is called. - * @param DelayInterval The time interval for which execution is to be suspended, in milliseconds. 
- * - A value of zero causes the thread to relinquish the remainder of its time slice to any other thread that is ready to run. - * - If there are no other threads ready to run, the function returns immediately, and the thread continues execution. - * - A value of INFINITE indicates that the suspension should not time out. - * @return NTSTATUS Successful or errant status. The return value is STATUS_USER_APC when Alertable is TRUE, and the function returned due to one or more I/O completion callback functions. - * @remarks Note that a ready thread is not guaranteed to run immediately. Consequently, the thread will not run until some arbitrary time after the sleep interval elapses, - * based upon the system "tick" frequency and the load factor from other processes. - * @see https://learn.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-sleepex - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtDelayExecution( - _In_ BOOLEAN Alertable, - _In_ PLARGE_INTEGER DelayInterval); - - // - // Firmware environment values - // - - /** - * Retrieves the value of the specified firmware environment variable. - * The user account that the app is running under must have the SE_SYSTEM_ENVIRONMENT_NAME privilege. - * - * @param VariableName The name of the firmware environment variable. The pointer must not be NULL. - * @param VariableValue A pointer to a buffer that receives the value of the specified firmware environment variable. - * @param ValueLength The size of the \c VariableValue buffer, in bytes. - * @param ReturnLength If the function succeeds, the return length is the number of bytes stored in the \c VariableValue buffer. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQuerySystemEnvironmentValue( - _In_ PUNICODE_STRING VariableName, - _Out_writes_bytes_(ValueLength) PWSTR VariableValue, - _In_ USHORT ValueLength, - _Out_opt_ PUSHORT ReturnLength); - -// The firmware environment variable is stored in non-volatile memory (e.g. 
NVRAM). -#define EFI_VARIABLE_NON_VOLATILE 0x00000001 -// The firmware environment variable can be accessed during boot service. -#define EFI_VARIABLE_BOOTSERVICE_ACCESS 0x00000002 -// The firmware environment variable can be accessed at runtime. -#define EFI_VARIABLE_RUNTIME_ACCESS 0x00000004 -// Indicates hardware related errors encountered at runtime. -#define EFI_VARIABLE_HARDWARE_ERROR_RECORD 0x00000008 -// Indicates an authentication requirement that must be met before writing to this firmware environment variable. -#define EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS 0x00000010 -// Indicates authentication and time stamp requirements that must be met before writing to this firmware environment variable. -// When this attribute is set, the buffer, represented by Buffer, will begin with an instance of a complete (and serialized) EFI_VARIABLE_AUTHENTICATION_2 descriptor. -#define EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS 0x00000020 -// Append an existing environment variable with the value of Buffer. If the firmware does not support the operation, the function returns ERROR_INVALID_FUNCTION. -#define EFI_VARIABLE_APPEND_WRITE 0x00000040 -// The firmware environment variable will return metadata in addition to variable data. -#define EFI_VARIABLE_ENHANCED_AUTHENTICATED_ACCESS 0x00000080 - - /** - * Retrieves the value of the specified firmware environment variable and its attributes. - * The user account that the app is running under must have the SE_SYSTEM_ENVIRONMENT_NAME privilege. - * - * @param VariableName The name of the firmware environment variable. The pointer must not be NULL. - * @param VendorGuid The GUID that represents the namespace of the firmware environment variable. - * @param Buffer A pointer to a buffer that receives the value of the specified firmware environment variable. - * @param BufferLength The size of the \c Buffer, in bytes. - * @param Attributes Bitmask identifying UEFI variable attributes associated with the variable. 
- * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQuerySystemEnvironmentValueEx( - _In_ PCUNICODE_STRING VariableName, - _In_ PCGUID VendorGuid, - _Out_writes_bytes_opt_(*BufferLength) PVOID Buffer, - _Inout_ PULONG BufferLength, - _Out_opt_ PULONG Attributes // EFI_VARIABLE_* - ); - - /** - * Sets the value of the specified firmware environment variable. - * The user account that the app is running under must have the SE_SYSTEM_ENVIRONMENT_NAME privilege. - * - * @param VariableName The name of the firmware environment variable. The pointer must not be NULL. - * @param VariableValue A pointer to the new value for the firmware environment variable. - * If this parameter is zero, the firmware environment variable is deleted. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetSystemEnvironmentValue( - _In_ PCUNICODE_STRING VariableName, - _In_ PCUNICODE_STRING VariableValue); - - /** - * Sets the value of the specified firmware environment variable and the attributes that indicate how this variable is stored and maintained. - * The user account that the app is running under must have the SE_SYSTEM_ENVIRONMENT_NAME privilege. - * - * @param VariableName The name of the firmware environment variable. The pointer must not be NULL. - * @param VendorGuid The GUID that represents the namespace of the firmware environment variable. - * @param Buffer A pointer to the new value for the firmware environment variable. - * @param BufferLength The size of the pValue buffer, in bytes. - * Unless the VARIABLE_ATTRIBUTE_APPEND_WRITE, VARIABLE_ATTRIBUTE_AUTHENTICATED_WRITE_ACCESS, - * or VARIABLE_ATTRIBUTE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS variable attribute is set via dwAttributes, - * setting this value to zero will result in the deletion of this variable. - * @param Attributes Bitmask to set UEFI variable attributes associated with the variable. 
- * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetSystemEnvironmentValueEx( - _In_ PCUNICODE_STRING VariableName, - _In_ PCGUID VendorGuid, - _In_reads_bytes_opt_(BufferLength) PVOID Buffer, - _In_ ULONG BufferLength, // 0 = delete variable - _In_ ULONG Attributes // EFI_VARIABLE_* - ); - - typedef enum _SYSTEM_ENVIRONMENT_INFORMATION_CLASS - { - SystemEnvironmentNameInformation = 1, // q: VARIABLE_NAME - SystemEnvironmentValueInformation = 2, // q: VARIABLE_NAME_AND_VALUE - MaxSystemEnvironmentInfoClass - } SYSTEM_ENVIRONMENT_INFORMATION_CLASS; - - typedef struct _VARIABLE_NAME - { - ULONG NextEntryOffset; - GUID VendorGuid; - WCHAR Name[ANYSIZE_ARRAY]; - } VARIABLE_NAME, *PVARIABLE_NAME; - - typedef struct _VARIABLE_NAME_AND_VALUE - { - ULONG NextEntryOffset; - ULONG ValueOffset; - ULONG ValueLength; - ULONG Attributes; - GUID VendorGuid; - WCHAR Name[ANYSIZE_ARRAY]; - // BYTE Value[ANYSIZE_ARRAY]; - } VARIABLE_NAME_AND_VALUE, *PVARIABLE_NAME_AND_VALUE; - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtEnumerateSystemEnvironmentValuesEx( - _In_ ULONG InformationClass, // SYSTEM_ENVIRONMENT_INFORMATION_CLASS - _Out_ PVOID Buffer, - _Inout_ PULONG BufferLength); - - // EFI - - // private - typedef struct _BOOT_ENTRY - { - ULONG Version; - ULONG Length; - ULONG Id; - ULONG Attributes; - ULONG FriendlyNameOffset; - ULONG BootFilePathOffset; - ULONG OsOptionsLength; - _Field_size_bytes_(OsOptionsLength) UCHAR OsOptions[1]; - } BOOT_ENTRY, *PBOOT_ENTRY; - - // private - typedef struct _BOOT_ENTRY_LIST - { - ULONG NextEntryOffset; - BOOT_ENTRY BootEntry; - } BOOT_ENTRY_LIST, *PBOOT_ENTRY_LIST; - - // private - typedef struct _BOOT_OPTIONS - { - ULONG Version; - ULONG Length; - ULONG Timeout; - ULONG CurrentBootEntryId; - ULONG NextBootEntryId; - WCHAR HeadlessRedirection[1]; - } BOOT_OPTIONS, *PBOOT_OPTIONS; - - // private - typedef struct _FILE_PATH - { - ULONG Version; - ULONG Length; - ULONG Type; - _Field_size_bytes_(Length) UCHAR 
FilePath[1]; - } FILE_PATH, *PFILE_PATH; - - // private - typedef struct _EFI_DRIVER_ENTRY - { - ULONG Version; - ULONG Length; - ULONG Id; - ULONG FriendlyNameOffset; - ULONG DriverFilePathOffset; - } EFI_DRIVER_ENTRY, *PEFI_DRIVER_ENTRY; - - // private - typedef struct _EFI_DRIVER_ENTRY_LIST - { - ULONG NextEntryOffset; - EFI_DRIVER_ENTRY DriverEntry; - } EFI_DRIVER_ENTRY_LIST, *PEFI_DRIVER_ENTRY_LIST; - -#if (PHNT_VERSION >= PHNT_WINXP) - /** - * The NtAddBootEntry routine adds a new boot entry to the system boot configuration. - * - * @param BootEntry A pointer to a BOOT_ENTRY structure that specifies the boot entry to be added. - * @param Id A pointer to a variable that receives the identifier of the new boot entry. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAddBootEntry( - _In_ PBOOT_ENTRY BootEntry, - _Out_opt_ PULONG Id); - - /** - * The NtDeleteBootEntry routine deletes an existing boot entry from the system boot configuration. - * - * @param Id The identifier of the boot entry to be deleted. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtDeleteBootEntry( - _In_ ULONG Id); - - /** - * The NtModifyBootEntry routine modifies an existing boot entry in the system boot configuration. - * - * @param BootEntry A pointer to a BOOT_ENTRY structure that specifies the new boot entry information. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtModifyBootEntry( - _In_ PBOOT_ENTRY BootEntry); - - /** - * The NtEnumerateBootEntries routine retrieves information about all boot entries in the system boot configuration. - * - * @param Buffer A pointer to a buffer that receives the boot entries information. - * @param BufferLength A pointer to a variable that specifies the size of the buffer. On return, it contains the size of the data returned. - * @return NTSTATUS Successful or errant status. 
- */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtEnumerateBootEntries( - _Out_writes_bytes_opt_(*BufferLength) PVOID Buffer, - _Inout_ PULONG BufferLength); - - /** - * The NtQueryBootEntryOrder routine retrieves the current boot entry order. - * - * @param Ids A pointer to a buffer that receives the identifiers of the boot entries in the current boot order. - * @param Count A pointer to a variable that specifies the number of entries in the buffer. On return, it contains the number of entries returned. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryBootEntryOrder( - _Out_writes_opt_(*Count) PULONG Ids, - _Inout_ PULONG Count); - - /** - * The NtSetBootEntryOrder routine sets the boot entry order. - * - * @param Ids A pointer to a buffer that specifies the identifiers of the boot entries in the desired boot order. - * @param Count The number of entries in the buffer. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetBootEntryOrder( - _In_reads_(Count) PULONG Ids, - _In_ ULONG Count); - - /** - * The NtQueryBootOptions routine retrieves the current boot options. - * - * @param BootOptions A pointer to a buffer that receives the boot options. - * @param BootOptionsLength A pointer to a variable that specifies the size of the buffer. On return, it contains the size of the data returned. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryBootOptions( - _Out_writes_bytes_opt_(*BootOptionsLength) PBOOT_OPTIONS BootOptions, - _Inout_ PULONG BootOptionsLength); - - /** - * The NtSetBootOptions routine sets the boot options. - * - * @param BootOptions A pointer to a BOOT_OPTIONS structure that specifies the new boot options. - * @param FieldsToChange A bitmask that specifies which fields in the BOOT_OPTIONS structure are to be changed. - * @return NTSTATUS Successful or errant status. 
- */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetBootOptions( - _In_ PBOOT_OPTIONS BootOptions, - _In_ ULONG FieldsToChange); - - /** - * The NtTranslateFilePath routine translates a file path from one format to another. - * - * @param InputFilePath A pointer to a FILE_PATH structure that specifies the input file path. - * @param OutputType The type of the output file path. - * @param OutputFilePath A pointer to a buffer that receives the translated file path. - * @param OutputFilePathLength A pointer to a variable that specifies the size of the buffer. On return, it contains the size of the data returned. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtTranslateFilePath( - _In_ PFILE_PATH InputFilePath, - _In_ ULONG OutputType, - _Out_writes_bytes_opt_(*OutputFilePathLength) PFILE_PATH OutputFilePath, - _Inout_opt_ PULONG OutputFilePathLength); -#endif - -#if (PHNT_VERSION >= PHNT_WS03) - /** - * The NtAddDriverEntry routine adds a new driver entry to the system boot configuration. - * - * @param DriverEntry A pointer to an EFI_DRIVER_ENTRY structure that specifies the driver entry to be added. - * @param Id A pointer to a variable that receives the identifier of the new driver entry. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAddDriverEntry( - _In_ PEFI_DRIVER_ENTRY DriverEntry, - _Out_opt_ PULONG Id); - - /** - * The NtDeleteDriverEntry routine deletes an existing driver entry from the system boot configuration. - * - * @param Id The identifier of the driver entry to be deleted. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtDeleteDriverEntry( - _In_ ULONG Id); - - /** - * The NtModifyDriverEntry routine modifies an existing driver entry in the system boot configuration. - * - * @param DriverEntry A pointer to an EFI_DRIVER_ENTRY structure that specifies the new driver entry information. 
- * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtModifyDriverEntry( - _In_ PEFI_DRIVER_ENTRY DriverEntry); - - /** - * The NtEnumerateDriverEntries routine retrieves information about all driver entries in the system boot configuration. - * - * @param Buffer A pointer to a buffer that receives the driver entries information. - * @param BufferLength A pointer to a variable that specifies the size of the buffer. On return, it contains the size of the data returned. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtEnumerateDriverEntries( - _Out_writes_bytes_opt_(*BufferLength) PVOID Buffer, - _Inout_ PULONG BufferLength); - - /** - * The NtQueryDriverEntryOrder routine retrieves the current driver entry order. - * - * @param Ids A pointer to a buffer that receives the identifiers of the driver entries in the current driver order. - * @param Count A pointer to a variable that specifies the number of entries in the buffer. On return, it contains the number of entries returned. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryDriverEntryOrder( - _Out_writes_opt_(*Count) PULONG Ids, - _Inout_ PULONG Count); - - /** - * The NtSetDriverEntryOrder routine sets the driver entry order. - * - * @param Ids A pointer to a buffer that specifies the identifiers of the driver entries in the desired driver order. - * @param Count The number of entries in the buffer. - * @return NTSTATUS Successful or errant status. 
- */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetDriverEntryOrder( - _In_reads_(Count) PULONG Ids, - _In_ ULONG Count); -#endif - - typedef enum _FILTER_BOOT_OPTION_OPERATION - { - FilterBootOptionOperationOpenSystemStore, - FilterBootOptionOperationSetElement, - FilterBootOptionOperationDeleteElement, - FilterBootOptionOperationMax - } FILTER_BOOT_OPTION_OPERATION; - -#if (PHNT_VERSION >= PHNT_WIN8) - /** - * The NtFilterBootOption routine filters boot options based on the specified operation, object type, and element type. - * - * @param FilterOperation The operation to be performed on the boot option. This can be one of the values from the FILTER_BOOT_OPTION_OPERATION enumeration. - * @param ObjectType The type of the object to be filtered. - * @param ElementType The type of the element within the object to be filtered. - * @param Data A pointer to a buffer that contains the data to be used in the filter operation. This parameter is optional and can be NULL. - * @param DataSize The size, in bytes, of the data buffer pointed to by the Data parameter. - * @return NTSTATUS Successful or errant status. 
- */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtFilterBootOption( - _In_ FILTER_BOOT_OPTION_OPERATION FilterOperation, - _In_ ULONG ObjectType, - _In_ ULONG ElementType, - _In_reads_bytes_opt_(DataSize) PVOID Data, - _In_ ULONG DataSize); -#endif - - // - // Event - // - -#ifndef EVENT_QUERY_STATE -#define EVENT_QUERY_STATE 0x0001 -#endif - -#ifndef EVENT_MODIFY_STATE -#define EVENT_MODIFY_STATE 0x0002 -#endif - -#ifndef EVENT_ALL_ACCESS -#define EVENT_ALL_ACCESS (EVENT_QUERY_STATE | EVENT_MODIFY_STATE | STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE) -#endif - - typedef enum _EVENT_INFORMATION_CLASS - { - EventBasicInformation - } EVENT_INFORMATION_CLASS; - - typedef struct _EVENT_BASIC_INFORMATION - { - EVENT_TYPE EventType; - LONG EventState; - } EVENT_BASIC_INFORMATION, *PEVENT_BASIC_INFORMATION; - - /** - * The NtCreateEvent routine creates an event object, sets the initial state of the event to the specified value, - * and opens a handle to the object with the specified desired access. - * - * @param EventHandle A pointer to a variable that receives the event object handle. - * @param DesiredAccess The access mask that specifies the requested access to the event object. - * @param ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes. - * @param EventType The type of the event, which can be SynchronizationEvent or a NotificationEvent. - * @param InitialState The initial state of the event object. - * @return NTSTATUS Successful or errant status. - * @see https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-zwcreateevent - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateEvent( - _Out_ PHANDLE EventHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ EVENT_TYPE EventType, - _In_ BOOLEAN InitialState); - - /** - * The NtOpenEvent routine opens a handle to an existing event object. 
- *
- * @param EventHandle A pointer to a variable that receives the event object handle.
- * @param DesiredAccess The access mask that specifies the requested access to the event object.
- * @param ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes.
- * @return NTSTATUS Successful or errant status.
- */
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtOpenEvent(
- _Out_ PHANDLE EventHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_ POBJECT_ATTRIBUTES ObjectAttributes);
-
- /**
- * The NtSetEvent routine sets an event object to the signaled state.
- *
- * @param EventHandle A handle to the event object.
- * @param PreviousState A pointer to a variable that receives the previous state of the event object.
- * @return NTSTATUS Successful or errant status.
- */
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtSetEvent(
- _In_ HANDLE EventHandle,
- _Out_opt_ PLONG PreviousState);
-
-#if (PHNT_VERSION >= PHNT_WIN11)
- /**
- * The NtSetEventEx routine sets an event object to the signaled state and optionally acquires a lock.
- *
- * @param ThreadId A handle to the thread.
- * @param Lock A pointer to an RTL_SRWLOCK structure that specifies the lock to acquire.
- * @return NTSTATUS Successful or errant status.
- */
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtSetEventEx(
- _In_ HANDLE ThreadId,
- _In_opt_ PRTL_SRWLOCK Lock);
-#endif
-
- /**
- * The NtSetEventBoostPriority routine sets an event object to the signaled state and boosts the priority of threads waiting on the event.
- *
- * @param EventHandle A handle to the event object.
- * @return NTSTATUS Successful or errant status.
- */
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtSetEventBoostPriority(
- _In_ HANDLE EventHandle);
-
- /**
- * The NtClearEvent routine sets an event object to the not-signaled state.
- *
- * @param EventHandle A handle to the event object.
- * @return NTSTATUS Successful or errant status.
- */
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtClearEvent(
- _In_ HANDLE EventHandle);
-
- /**
- * The NtResetEvent routine sets an event object to the not-signaled state and optionally returns the previous state.
- *
- * @param EventHandle A handle to the event object.
- * @param PreviousState A pointer to a variable that receives the previous state of the event object.
- * @return NTSTATUS Successful or errant status.
- * @see https://learn.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-resetevent
- */
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtResetEvent(
- _In_ HANDLE EventHandle,
- _Out_opt_ PLONG PreviousState);
-
- /**
- * The NtPulseEvent routine sets an event object to the signaled state and then resets it to the not-signaled state after releasing the appropriate number of waiting threads.
- *
- * @param EventHandle A handle to the event object.
- * @param PreviousState A pointer to a variable that receives the previous state of the event object.
- * @return NTSTATUS Successful or errant status.
- * @see https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-pulseevent
- */
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtPulseEvent(
- _In_ HANDLE EventHandle,
- _Out_opt_ PLONG PreviousState);
-
- /**
- * The NtQueryEvent routine retrieves information about an event object.
- *
- * @param EventHandle A handle to the event object.
- * @param EventInformationClass The type of information to be retrieved.
- * @param EventInformation A pointer to a buffer that receives the requested information.
- * @param EventInformationLength The size of the buffer pointed to by EventInformation.
- * @param ReturnLength A pointer to a variable that receives the size of the data returned in the buffer.
- * @return NTSTATUS Successful or errant status.
- */
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtQueryEvent(
- _In_ HANDLE EventHandle,
- _In_ EVENT_INFORMATION_CLASS EventInformationClass,
- _Out_writes_bytes_(EventInformationLength) PVOID EventInformation,
- _In_ ULONG EventInformationLength,
- _Out_opt_ PULONG ReturnLength);
-
- //
- // Event Pair
- //
-
-#define EVENT_PAIR_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE)
-
- /**
- * The NtCreateEventPair routine creates an event pair object and opens a handle to the object with the specified desired access.
- *
- * @param EventPairHandle A pointer to a variable that receives the event pair object handle.
- * @param DesiredAccess The access mask that specifies the requested access to the event pair object.
- * @param ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes.
- * @return NTSTATUS Successful or errant status.
- */
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtCreateEventPair(
- _Out_ PHANDLE EventPairHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes);
-
- /**
- * The NtOpenEventPair routine opens a handle to an existing event pair object.
- *
- * @param EventPairHandle A pointer to a variable that receives the event pair object handle.
- * @param DesiredAccess The access mask that specifies the requested access to the event pair object.
- * @param ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes.
- * @return NTSTATUS Successful or errant status.
- */
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtOpenEventPair(
- _Out_ PHANDLE EventPairHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_ PCOBJECT_ATTRIBUTES ObjectAttributes);
-
- /**
- * The NtSetLowEventPair routine sets the low event in an event pair to the signaled state.
- *
- * @param EventPairHandle A handle to the event pair object.
- * @return NTSTATUS Successful or errant status.
- */
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtSetLowEventPair(
- _In_ HANDLE EventPairHandle);
-
- /**
- * The NtSetHighEventPair routine sets the high event in an event pair to the signaled state.
- *
- * @param EventPairHandle A handle to the event pair object.
- * @return NTSTATUS Successful or errant status.
- */
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtSetHighEventPair(
- _In_ HANDLE EventPairHandle);
-
- /**
- * The NtWaitLowEventPair routine waits for the low event in an event pair to be set to the signaled state.
- *
- * @param EventPairHandle A handle to the event pair object.
- * @return NTSTATUS Successful or errant status.
- */
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtWaitLowEventPair(
- _In_ HANDLE EventPairHandle);
-
- /**
- * The NtWaitHighEventPair routine waits for the high event in an event pair to be set to the signaled state.
- *
- * @param EventPairHandle A handle to the event pair object.
- * @return NTSTATUS Successful or errant status.
- */
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtWaitHighEventPair(
- _In_ HANDLE EventPairHandle);
-
- /**
- * The NtSetLowWaitHighEventPair routine sets the low event in an event pair to the signaled state and waits for the high event to be set to the signaled state.
- *
- * @param EventPairHandle A handle to the event pair object.
- * @return NTSTATUS Successful or errant status.
- */
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtSetLowWaitHighEventPair(
- _In_ HANDLE EventPairHandle);
-
- /**
- * The NtSetHighWaitLowEventPair routine sets the high event in an event pair to the signaled state and waits for the low event to be set to the signaled state.
- *
- * @param EventPairHandle A handle to the event pair object.
- * @return NTSTATUS Successful or errant status.
- */
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtSetHighWaitLowEventPair(
- _In_ HANDLE EventPairHandle);
-
- //
- // Mutant
- //
-
-#ifndef MUTANT_QUERY_STATE
-#define MUTANT_QUERY_STATE 0x0001
-#endif
-
-#ifndef MUTANT_ALL_ACCESS
-#define MUTANT_ALL_ACCESS (MUTANT_QUERY_STATE | STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE)
-#endif
-
- typedef enum _MUTANT_INFORMATION_CLASS
- {
- MutantBasicInformation, // MUTANT_BASIC_INFORMATION
- MutantOwnerInformation // MUTANT_OWNER_INFORMATION
- } MUTANT_INFORMATION_CLASS;
-
- /**
- * The MUTANT_BASIC_INFORMATION structure contains basic information about a mutant object.
- */
- typedef struct _MUTANT_BASIC_INFORMATION
- {
- LONG CurrentCount;
- BOOLEAN OwnedByCaller;
- BOOLEAN AbandonedState;
- } MUTANT_BASIC_INFORMATION, *PMUTANT_BASIC_INFORMATION;
-
- /**
- * The MUTANT_OWNER_INFORMATION structure contains information about the owner of a mutant object.
- */
- typedef struct _MUTANT_OWNER_INFORMATION
- {
- CLIENT_ID ClientId;
- } MUTANT_OWNER_INFORMATION, *PMUTANT_OWNER_INFORMATION;
-
- /**
- * The NtCreateMutant routine creates a mutant object, sets the initial state of the mutant to the specified value,
- * and opens a handle to the object with the specified desired access.
- *
- * @param MutantHandle A pointer to a variable that receives the mutant object handle.
- * @param DesiredAccess The access mask that specifies the requested access to the mutant object.
- * @param ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes.
- * @param InitialOwner If TRUE, the calling thread is the initial owner of the mutant object.
- * @return NTSTATUS Successful or errant status.
- */
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtCreateMutant(
- _Out_ PHANDLE MutantHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes,
- _In_ BOOLEAN InitialOwner);
-
- /**
- * The NtOpenMutant routine opens a handle to an existing mutant object.
- *
- * @param MutantHandle A pointer to a variable that receives the mutant object handle.
- * @param DesiredAccess The access mask that specifies the requested access to the mutant object.
- * @param ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes.
- * @return NTSTATUS Successful or errant status.
- */
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtOpenMutant(
- _Out_ PHANDLE MutantHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_ PCOBJECT_ATTRIBUTES ObjectAttributes);
-
- /**
- * The NtReleaseMutant routine releases ownership of a mutant object.
- *
- * @param MutantHandle A handle to the mutant object.
- * @param PreviousCount A pointer to a variable that receives the previous count of the mutant object.
- * @return NTSTATUS Successful or errant status.
- */
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtReleaseMutant(
- _In_ HANDLE MutantHandle,
- _Out_opt_ PLONG PreviousCount);
-
- /**
- * The NtQueryMutant routine retrieves information about a mutant object.
- *
- * @param MutantHandle A handle to the mutant object.
- * @param MutantInformationClass The type of information to be retrieved.
- * @param MutantInformation A pointer to a buffer that receives the requested information.
- * @param MutantInformationLength The size of the buffer pointed to by MutantInformation.
- * @param ReturnLength A pointer to a variable that receives the size of the data returned in the buffer.
- * @return NTSTATUS Successful or errant status.
- */
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtQueryMutant(
- _In_ HANDLE MutantHandle,
- _In_ MUTANT_INFORMATION_CLASS MutantInformationClass,
- _Out_writes_bytes_(MutantInformationLength) PVOID MutantInformation,
- _In_ ULONG MutantInformationLength,
- _Out_opt_ PULONG ReturnLength);
-
- //
- // Semaphore
- //
-
-#ifndef SEMAPHORE_QUERY_STATE
-#define SEMAPHORE_QUERY_STATE 0x0001
-#endif
-
-#ifndef SEMAPHORE_MODIFY_STATE
-#define SEMAPHORE_MODIFY_STATE 0x0002
-#endif
-
-#ifndef SEMAPHORE_ALL_ACCESS
-#define SEMAPHORE_ALL_ACCESS (SEMAPHORE_QUERY_STATE | SEMAPHORE_MODIFY_STATE | STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE)
-#endif
-
- typedef enum _SEMAPHORE_INFORMATION_CLASS
- {
- SemaphoreBasicInformation
- } SEMAPHORE_INFORMATION_CLASS;
-
- /**
- * The SEMAPHORE_BASIC_INFORMATION structure contains basic information about a semaphore object.
- */
- typedef struct _SEMAPHORE_BASIC_INFORMATION
- {
- LONG CurrentCount;
- LONG MaximumCount;
- } SEMAPHORE_BASIC_INFORMATION, *PSEMAPHORE_BASIC_INFORMATION;
-
- /**
- * The NtCreateSemaphore routine creates a semaphore object, sets the initial count of the semaphore to the specified value,
- * and opens a handle to the object with the specified desired access.
- *
- * @param SemaphoreHandle A pointer to a variable that receives the semaphore object handle.
- * @param DesiredAccess The access mask that specifies the requested access to the semaphore object.
- * @param ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes.
- * @param InitialCount The initial count of the semaphore object.
- * @param MaximumCount The maximum count of the semaphore object.
- * @return NTSTATUS Successful or errant status.
- */
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtCreateSemaphore(
- _Out_ PHANDLE SemaphoreHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes,
- _In_ LONG InitialCount,
- _In_ LONG MaximumCount);
-
- /**
- * The NtOpenSemaphore routine opens a handle to an existing semaphore object.
- *
- * @param SemaphoreHandle A pointer to a variable that receives the semaphore object handle.
- * @param DesiredAccess The access mask that specifies the requested access to the semaphore object.
- * @param ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes.
- * @return NTSTATUS Successful or errant status.
- */
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtOpenSemaphore(
- _Out_ PHANDLE SemaphoreHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_ PCOBJECT_ATTRIBUTES ObjectAttributes);
-
- /**
- * The NtReleaseSemaphore routine increases the count of the specified semaphore object by a specified amount.
- *
- * @param SemaphoreHandle A handle to the semaphore object.
- * @param ReleaseCount The amount by which the semaphore object's count is to be increased.
- * @param PreviousCount A pointer to a variable that receives the previous count of the semaphore object.
- * @return NTSTATUS Successful or errant status.
- */
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtReleaseSemaphore(
- _In_ HANDLE SemaphoreHandle,
- _In_ LONG ReleaseCount,
- _Out_opt_ PLONG PreviousCount);
-
- /**
- * The NtQuerySemaphore routine retrieves information about a semaphore object.
- *
- * @param SemaphoreHandle A handle to the semaphore object.
- * @param SemaphoreInformationClass The type of information to be retrieved.
- * @param SemaphoreInformation A pointer to a buffer that receives the requested information.
- * @param SemaphoreInformationLength The size of the buffer pointed to by SemaphoreInformation.
- * @param ReturnLength A pointer to a variable that receives the size of the data returned in the buffer.
- * @return NTSTATUS Successful or errant status.
- */
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtQuerySemaphore(
- _In_ HANDLE SemaphoreHandle,
- _In_ SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass,
- _Out_writes_bytes_(SemaphoreInformationLength) PVOID SemaphoreInformation,
- _In_ ULONG SemaphoreInformationLength,
- _Out_opt_ PULONG ReturnLength);
-
- //
- // Timer
- //
-
-#ifndef TIMER_QUERY_STATE
-#define TIMER_QUERY_STATE 0x0001
-#endif
-
-#ifndef TIMER_MODIFY_STATE
-#define TIMER_MODIFY_STATE 0x0002
-#endif
-
-#ifndef TIMER_ALL_ACCESS
-#define TIMER_ALL_ACCESS (TIMER_QUERY_STATE | TIMER_MODIFY_STATE | STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE)
-#endif
-
- typedef enum _TIMER_INFORMATION_CLASS
- {
- TimerBasicInformation // TIMER_BASIC_INFORMATION
- } TIMER_INFORMATION_CLASS;
-
- typedef struct _TIMER_BASIC_INFORMATION
- {
- LARGE_INTEGER RemainingTime;
- BOOLEAN TimerState;
- } TIMER_BASIC_INFORMATION, *PTIMER_BASIC_INFORMATION;
-
- typedef _Function_class_(TIMER_APC_ROUTINE)
- VOID NTAPI TIMER_APC_ROUTINE(
- _In_ PVOID TimerContext,
- _In_ ULONG TimerLowValue,
- _In_ LONG TimerHighValue);
- typedef TIMER_APC_ROUTINE *PTIMER_APC_ROUTINE;
-
- typedef enum _TIMER_SET_INFORMATION_CLASS
- {
- TimerSetCoalescableTimer, // TIMER_SET_COALESCABLE_TIMER_INFO
- MaxTimerInfoClass
- } TIMER_SET_INFORMATION_CLASS;
-
- typedef struct _TIMER_SET_COALESCABLE_TIMER_INFO
- {
- _In_ LARGE_INTEGER DueTime;
- _In_opt_ PTIMER_APC_ROUTINE TimerApcRoutine;
- _In_opt_ PVOID TimerContext;
- _In_opt_ PCOUNTED_REASON_CONTEXT WakeContext;
- _In_opt_ ULONG Period;
- _In_ ULONG TolerableDelay;
- _Out_opt_ PBOOLEAN PreviousState;
- } TIMER_SET_COALESCABLE_TIMER_INFO, *PTIMER_SET_COALESCABLE_TIMER_INFO;
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtCreateTimer(
- _Out_ PHANDLE TimerHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes,
- _In_ TIMER_TYPE TimerType);
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtOpenTimer(
- _Out_ PHANDLE TimerHandle,
- _In_ ACCESS_MASK
DesiredAccess,
- _In_ PCOBJECT_ATTRIBUTES ObjectAttributes);
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtSetTimer(
- _In_ HANDLE TimerHandle,
- _In_ PLARGE_INTEGER DueTime,
- _In_opt_ PTIMER_APC_ROUTINE TimerApcRoutine,
- _In_opt_ PVOID TimerContext,
- _In_ BOOLEAN ResumeTimer,
- _In_opt_ LONG Period,
- _Out_opt_ PBOOLEAN PreviousState);
-
-#if (PHNT_VERSION >= PHNT_WIN7)
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtSetTimerEx(
- _In_ HANDLE TimerHandle,
- _In_ TIMER_SET_INFORMATION_CLASS TimerSetInformationClass,
- _Inout_updates_bytes_opt_(TimerSetInformationLength) PVOID TimerSetInformation,
- _In_ ULONG TimerSetInformationLength);
-#endif
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtCancelTimer(
- _In_ HANDLE TimerHandle,
- _Out_opt_ PBOOLEAN CurrentState);
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtQueryTimer(
- _In_ HANDLE TimerHandle,
- _In_ TIMER_INFORMATION_CLASS TimerInformationClass,
- _Out_writes_bytes_(TimerInformationLength) PVOID TimerInformation,
- _In_ ULONG TimerInformationLength,
- _Out_opt_ PULONG ReturnLength);
-
-#if (PHNT_VERSION >= PHNT_WIN8)
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtCreateIRTimer(
- _Out_ PHANDLE TimerHandle,
- _In_ PVOID Reserved,
- _In_ ACCESS_MASK DesiredAccess);
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtSetIRTimer(
- _In_ HANDLE TimerHandle,
- _In_opt_ PLARGE_INTEGER DueTime);
-
-#endif
-
-#if (PHNT_VERSION >= PHNT_THRESHOLD)
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtCreateTimer2(
- _Out_ PHANDLE TimerHandle,
- _In_opt_ PVOID Reserved1,
- _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes,
- _In_ ULONG Attributes, // TIMER_TYPE
- _In_ ACCESS_MASK DesiredAccess);
-
-#endif
-
- typedef struct _T2_SET_PARAMETERS_V0
- {
- ULONG Version;
- ULONG Reserved;
- LONGLONG NoWakeTolerance;
- } T2_SET_PARAMETERS, *PT2_SET_PARAMETERS;
-
- typedef PVOID PT2_CANCEL_PARAMETERS;
-
-#if (PHNT_VERSION >= PHNT_THRESHOLD)
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtSetTimer2(
- _In_ HANDLE TimerHandle,
- _In_ PLARGE_INTEGER DueTime,
- _In_opt_ PLARGE_INTEGER Period,
- _In_
PT2_SET_PARAMETERS Parameters);
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtCancelTimer2(
- _In_ HANDLE TimerHandle,
- _In_ PT2_CANCEL_PARAMETERS Parameters);
-
-#endif
-
- // Profile
-
-#define PROFILE_CONTROL 0x0001
-#define PROFILE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | PROFILE_CONTROL)
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtCreateProfile(
- _Out_ PHANDLE ProfileHandle,
- _In_opt_ HANDLE Process,
- _In_ PVOID ProfileBase,
- _In_ SIZE_T ProfileSize,
- _In_ ULONG BucketSize,
- _In_reads_bytes_(BufferSize) PULONG Buffer,
- _In_ ULONG BufferSize,
- _In_ KPROFILE_SOURCE ProfileSource,
- _In_ KAFFINITY Affinity);
-
-#if (PHNT_VERSION >= PHNT_WIN7)
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtCreateProfileEx(
- _Out_ PHANDLE ProfileHandle,
- _In_opt_ HANDLE Process,
- _In_ PVOID ProfileBase,
- _In_ SIZE_T ProfileSize,
- _In_ ULONG BucketSize,
- _In_reads_bytes_(BufferSize) PULONG Buffer,
- _In_ ULONG BufferSize,
- _In_ KPROFILE_SOURCE ProfileSource,
- _In_ USHORT GroupCount,
- _In_reads_(GroupCount) PGROUP_AFFINITY GroupAffinity);
-#endif
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtStartProfile(
- _In_ HANDLE ProfileHandle);
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtStopProfile(
- _In_ HANDLE ProfileHandle);
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtQueryIntervalProfile(
- _In_ KPROFILE_SOURCE ProfileSource,
- _Out_ PULONG Interval);
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtSetIntervalProfile(
- _In_ ULONG Interval,
- _In_ KPROFILE_SOURCE Source);
-
- // Keyed Event
-
-#define KEYEDEVENT_WAIT 0x0001
-#define KEYEDEVENT_WAKE 0x0002
-#define KEYEDEVENT_ALL_ACCESS \
- (STANDARD_RIGHTS_REQUIRED | KEYEDEVENT_WAIT | KEYEDEVENT_WAKE)
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtCreateKeyedEvent(
- _Out_ PHANDLE KeyedEventHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes,
- _Reserved_ ULONG Flags);
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtOpenKeyedEvent(
- _Out_ PHANDLE KeyedEventHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_ PCOBJECT_ATTRIBUTES
ObjectAttributes);
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtReleaseKeyedEvent(
- _In_opt_ HANDLE KeyedEventHandle,
- _In_ PVOID KeyValue,
- _In_ BOOLEAN Alertable,
- _In_opt_ PLARGE_INTEGER Timeout);
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtWaitForKeyedEvent(
- _In_opt_ HANDLE KeyedEventHandle,
- _In_ PVOID KeyValue,
- _In_ BOOLEAN Alertable,
- _In_opt_ PLARGE_INTEGER Timeout);
-
- // UMS
-
-#if (PHNT_VERSION >= PHNT_WIN7)
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtUmsThreadYield(
- _In_ PVOID SchedulerParam);
-#endif
-
- // WNF
-
- // begin_private
-
- typedef struct _WNF_STATE_NAME
- {
- ULONG Data[2];
- } WNF_STATE_NAME, *PWNF_STATE_NAME;
-
- typedef const WNF_STATE_NAME *PCWNF_STATE_NAME;
-
- typedef enum _WNF_STATE_NAME_LIFETIME
- {
- WnfWellKnownStateName,
- WnfPermanentStateName,
- WnfPersistentStateName,
- WnfTemporaryStateName
- } WNF_STATE_NAME_LIFETIME;
-
- typedef enum _WNF_STATE_NAME_INFORMATION
- {
- WnfInfoStateNameExist,
- WnfInfoSubscribersPresent,
- WnfInfoIsQuiescent
- } WNF_STATE_NAME_INFORMATION;
-
- typedef enum _WNF_DATA_SCOPE
- {
- WnfDataScopeSystem,
- WnfDataScopeSession,
- WnfDataScopeUser,
- WnfDataScopeProcess,
- WnfDataScopeMachine, // REDSTONE3
- WnfDataScopePhysicalMachine, // WIN11
- } WNF_DATA_SCOPE;
-
- typedef struct _WNF_TYPE_ID
- {
- GUID TypeId;
- } WNF_TYPE_ID, *PWNF_TYPE_ID;
-
- typedef const WNF_TYPE_ID *PCWNF_TYPE_ID;
-
- // rev
- typedef ULONG WNF_CHANGE_STAMP, *PWNF_CHANGE_STAMP;
-
- typedef struct _WNF_DELIVERY_DESCRIPTOR
- {
- ULONGLONG SubscriptionId;
- WNF_STATE_NAME StateName;
- WNF_CHANGE_STAMP ChangeStamp;
- ULONG StateDataSize;
- ULONG EventMask;
- WNF_TYPE_ID TypeId;
- ULONG StateDataOffset;
- } WNF_DELIVERY_DESCRIPTOR, *PWNF_DELIVERY_DESCRIPTOR;
-
- // end_private
-
-#if (PHNT_VERSION >= PHNT_WIN8)
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtCreateWnfStateName(
- _Out_ PWNF_STATE_NAME StateName,
- _In_ WNF_STATE_NAME_LIFETIME NameLifetime,
- _In_ WNF_DATA_SCOPE DataScope,
- _In_ BOOLEAN PersistData,
- _In_opt_
PCWNF_TYPE_ID TypeId,
- _In_ ULONG MaximumStateSize,
- _In_ PSECURITY_DESCRIPTOR SecurityDescriptor);
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtDeleteWnfStateName(
- _In_ PCWNF_STATE_NAME StateName);
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtUpdateWnfStateData(
- _In_ PCWNF_STATE_NAME StateName,
- _In_reads_bytes_opt_(Length) const VOID *Buffer,
- _In_opt_ ULONG Length,
- _In_opt_ PCWNF_TYPE_ID TypeId,
- _In_opt_ const VOID *ExplicitScope,
- _In_ WNF_CHANGE_STAMP MatchingChangeStamp,
- _In_ LOGICAL CheckStamp);
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtDeleteWnfStateData(
- _In_ PCWNF_STATE_NAME StateName,
- _In_opt_ const VOID *ExplicitScope);
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtQueryWnfStateData(
- _In_ PCWNF_STATE_NAME StateName,
- _In_opt_ PCWNF_TYPE_ID TypeId,
- _In_opt_ const VOID *ExplicitScope,
- _Out_ PWNF_CHANGE_STAMP ChangeStamp,
- _Out_writes_bytes_opt_(*BufferSize) PVOID Buffer,
- _Inout_ PULONG BufferSize);
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtQueryWnfStateNameInformation(
- _In_ PCWNF_STATE_NAME StateName,
- _In_ WNF_STATE_NAME_INFORMATION NameInfoClass,
- _In_opt_ const VOID *ExplicitScope,
- _Out_writes_bytes_(InfoBufferSize) PVOID InfoBuffer,
- _In_ ULONG InfoBufferSize);
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtSubscribeWnfStateChange(
- _In_ PCWNF_STATE_NAME StateName,
- _In_opt_ WNF_CHANGE_STAMP ChangeStamp,
- _In_ ULONG EventMask,
- _Out_opt_ PULONG64 SubscriptionId);
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtUnsubscribeWnfStateChange(
- _In_ PCWNF_STATE_NAME StateName);
-
-#endif
-
-#if (PHNT_VERSION >= PHNT_THRESHOLD)
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtGetCompleteWnfStateSubscription(
- _In_opt_ PWNF_STATE_NAME OldDescriptorStateName,
- _In_opt_ ULONG64 *OldSubscriptionId,
- _In_opt_ ULONG OldDescriptorEventMask,
- _In_opt_ ULONG OldDescriptorStatus,
- _Out_writes_bytes_(DescriptorSize) PWNF_DELIVERY_DESCRIPTOR NewDeliveryDescriptor,
- _In_ ULONG DescriptorSize);
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtSetWnfProcessNotificationEvent(
-
_In_ HANDLE NotificationEvent);
-
-#endif
-
- // Worker factory
-
- // begin_rev
-
-#define WORKER_FACTORY_RELEASE_WORKER 0x0001
-#define WORKER_FACTORY_WAIT 0x0002
-#define WORKER_FACTORY_SET_INFORMATION 0x0004
-#define WORKER_FACTORY_QUERY_INFORMATION 0x0008
-#define WORKER_FACTORY_READY_WORKER 0x0010
-#define WORKER_FACTORY_SHUTDOWN 0x0020
-
-#define WORKER_FACTORY_ALL_ACCESS ( \
- STANDARD_RIGHTS_REQUIRED | \
- WORKER_FACTORY_RELEASE_WORKER | \
- WORKER_FACTORY_WAIT | \
- WORKER_FACTORY_SET_INFORMATION | \
- WORKER_FACTORY_QUERY_INFORMATION | \
- WORKER_FACTORY_READY_WORKER | \
- WORKER_FACTORY_SHUTDOWN)
-
- // end_rev
-
- // begin_private
-
- typedef enum _WORKERFACTORYINFOCLASS
- {
- WorkerFactoryTimeout, // LARGE_INTEGER
- WorkerFactoryRetryTimeout, // LARGE_INTEGER
- WorkerFactoryIdleTimeout, // s: LARGE_INTEGER
- WorkerFactoryBindingCount, // s: ULONG
- WorkerFactoryThreadMinimum, // s: ULONG
- WorkerFactoryThreadMaximum, // s: ULONG
- WorkerFactoryPaused, // ULONG or BOOLEAN
- WorkerFactoryBasicInformation, // q: WORKER_FACTORY_BASIC_INFORMATION
- WorkerFactoryAdjustThreadGoal,
- WorkerFactoryCallbackType,
- WorkerFactoryStackInformation, // 10
- WorkerFactoryThreadBasePriority, // s: ULONG
- WorkerFactoryTimeoutWaiters, // s: ULONG, since THRESHOLD
- WorkerFactoryFlags, // s: ULONG
- WorkerFactoryThreadSoftMaximum, // s: ULONG
- WorkerFactoryThreadCpuSets, // since REDSTONE5
- MaxWorkerFactoryInfoClass
- } WORKERFACTORYINFOCLASS,
- *PWORKERFACTORYINFOCLASS;
-
- typedef struct _WORKER_FACTORY_BASIC_INFORMATION
- {
- LARGE_INTEGER Timeout;
- LARGE_INTEGER RetryTimeout;
- LARGE_INTEGER IdleTimeout;
- BOOLEAN Paused;
- BOOLEAN TimerSet;
- BOOLEAN QueuedToExWorker;
- BOOLEAN MayCreate;
- BOOLEAN CreateInProgress;
- BOOLEAN InsertedIntoQueue;
- BOOLEAN Shutdown;
- ULONG BindingCount;
- ULONG ThreadMinimum;
- ULONG ThreadMaximum;
- ULONG PendingWorkerCount;
- ULONG WaitingWorkerCount;
- ULONG TotalWorkerCount;
- ULONG ReleaseCount;
- LONGLONG InfiniteWaitGoal;
- PVOID StartRoutine;
- PVOID StartParameter;
- HANDLE ProcessId;
- SIZE_T StackReserve;
- SIZE_T StackCommit;
- NTSTATUS LastThreadCreationStatus;
- } WORKER_FACTORY_BASIC_INFORMATION, *PWORKER_FACTORY_BASIC_INFORMATION;
-
- // end_private
-
-#if (PHNT_VERSION >= PHNT_VISTA)
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtCreateWorkerFactory(
- _Out_ PHANDLE WorkerFactoryHandleReturn,
- _In_ ACCESS_MASK DesiredAccess,
- _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes,
- _In_ HANDLE CompletionPortHandle,
- _In_ HANDLE WorkerProcessHandle,
- _In_ PVOID StartRoutine,
- _In_opt_ PVOID StartParameter,
- _In_opt_ ULONG MaxThreadCount,
- _In_opt_ SIZE_T StackReserve,
- _In_opt_ SIZE_T StackCommit);
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtQueryInformationWorkerFactory(
- _In_ HANDLE WorkerFactoryHandle,
- _In_ WORKERFACTORYINFOCLASS WorkerFactoryInformationClass,
- _Out_writes_bytes_(WorkerFactoryInformationLength) PVOID WorkerFactoryInformation,
- _In_ ULONG WorkerFactoryInformationLength,
- _Out_opt_ PULONG ReturnLength);
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtSetInformationWorkerFactory(
- _In_ HANDLE WorkerFactoryHandle,
- _In_ WORKERFACTORYINFOCLASS WorkerFactoryInformationClass,
- _In_reads_bytes_(WorkerFactoryInformationLength) PVOID WorkerFactoryInformation,
- _In_ ULONG WorkerFactoryInformationLength);
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtShutdownWorkerFactory(
- _In_ HANDLE WorkerFactoryHandle,
- _Inout_ volatile LONG *PendingWorkerCount);
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtReleaseWorkerFactoryWorker(
- _In_ HANDLE WorkerFactoryHandle);
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtWorkerFactoryWorkerReady(
- _In_ HANDLE WorkerFactoryHandle);
-
- typedef struct _WORKER_FACTORY_DEFERRED_WORK
- {
- PPORT_MESSAGE AlpcSendMessage;
- PVOID AlpcSendMessagePort;
- ULONG AlpcSendMessageFlags;
- ULONG Flags;
- } WORKER_FACTORY_DEFERRED_WORK, *PWORKER_FACTORY_DEFERRED_WORK;
-
-#if (PHNT_VERSION >= PHNT_WIN8)
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtWaitForWorkViaWorkerFactory(
-
_In_ HANDLE WorkerFactoryHandle,
- _Out_writes_to_(Count, *PacketsReturned) PFILE_IO_COMPLETION_INFORMATION MiniPackets,
- _In_ ULONG Count,
- _Out_ PULONG PacketsReturned,
- _In_ PWORKER_FACTORY_DEFERRED_WORK DeferredWork);
-
-#else
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtWaitForWorkViaWorkerFactory(
- _In_ HANDLE WorkerFactoryHandle,
- _Out_ PFILE_IO_COMPLETION_INFORMATION MiniPacket);
-
-#endif
-
-#endif
-
- //
- // Time
- //
-
- /**
- * The NtQuerySystemTime routine obtains the current system time.
- *
- * @param SystemTime A pointer to a LARGE_INTEGER structure that receives the system time. This is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).
- * @return NTSTATUS Successful or errant status.
- * @see https://learn.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntquerysystemtime
- */
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtQuerySystemTime(
- _Out_ PLARGE_INTEGER SystemTime);
-
- /**
- * The NtSetSystemTime routine sets the current system time and date. The system time is expressed in Coordinated Universal Time (UTC).
- *
- * @param SystemTime A pointer to a LARGE_INTEGER structure that that contains the new system date and time.
- * @param PreviousTime A pointer to a LARGE_INTEGER structure that that contains the previous system time.
- * @return NTSTATUS Successful or errant status.
- * @remarks The calling process must have the SE_SYSTEMTIME_NAME privilege.
- * @see https://learn.microsoft.com/en-us/windows/win32/api/sysinfoapi/nf-sysinfoapi-setsystemtime
- */
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtSetSystemTime(
- _In_opt_ PLARGE_INTEGER SystemTime,
- _Out_opt_ PLARGE_INTEGER PreviousTime);
-
- /**
- * The NtQueryTimerResolution routine retrieves the range and current value of the system interrupt timer.
- *
- * @param MaximumTime The maximum timer resolution, in 100-nanosecond units.
- * @param MinimumTime The minimum timer resolution, in 100-nanosecond units.
- * @param CurrentTime The current timer resolution, in 100-nanosecond units.
- * @return NTSTATUS Successful or errant status.
- */
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtQueryTimerResolution(
- _Out_ PULONG MaximumTime,
- _Out_ PULONG MinimumTime,
- _Out_ PULONG CurrentTime);
-
- /**
- * The NtSetTimerResolution routine sets the system interrupt timer resolution to the specified value.
- *
- * @param DesiredTime The desired timer resolution, in 100-nanosecond units.
- * @param SetResolution If TRUE, the timer resolution is set to the value specified by DesiredTime. If FALSE, the timer resolution is reset to the default value.
- * @param ActualTime The actual timer resolution, in 100-nanosecond units.
- * @return NTSTATUS Successful or errant status.
- */
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtSetTimerResolution(
- _In_ ULONG DesiredTime,
- _In_ BOOLEAN SetResolution,
- _Out_ PULONG ActualTime);
-
- //
- // Performance Counter
- //
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtQueryPerformanceCounter(
- _Out_ PLARGE_INTEGER PerformanceCounter,
- _Out_opt_ PLARGE_INTEGER PerformanceFrequency);
-
-#if (PHNT_VERSION >= PHNT_REDSTONE2)
- // rev
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtQueryAuxiliaryCounterFrequency(
- _Out_ PULONG64 AuxiliaryCounterFrequency);
-
- // rev
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtConvertBetweenAuxiliaryCounterAndPerformanceCounter(
- _In_ BOOLEAN ConvertAuxiliaryToPerformanceCounter,
- _In_ PULONG64 PerformanceOrAuxiliaryCounterValue,
- _Out_ PULONG64 ConvertedValue,
- _Out_opt_ PULONG64 ConversionError);
-#endif
-
- // LUIDs
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtAllocateLocallyUniqueId(
- _Out_ PLUID Luid);
-
- // UUIDs
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtSetUuidSeed(
- _In_ PCHAR Seed);
-
- NTSYSCALLAPI
- NTSTATUS
- NTAPI
- NtAllocateUuids(
- _Out_ PULARGE_INTEGER Time,
- _Out_ PULONG Range,
- _Out_ PULONG Sequence,
- _Out_ PCHAR Seed);
-
- // System Information
-
-#endif // (PHNT_MODE != PHNT_MODE_KERNEL)
-
- // rev
- // private
- typedef
enum _SYSTEM_INFORMATION_CLASS - { - SystemBasicInformation, // q: SYSTEM_BASIC_INFORMATION - SystemProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION - SystemPerformanceInformation, // q: SYSTEM_PERFORMANCE_INFORMATION - SystemTimeOfDayInformation, // q: SYSTEM_TIMEOFDAY_INFORMATION - SystemPathInformation, // not implemented - SystemProcessInformation, // q: SYSTEM_PROCESS_INFORMATION - SystemCallCountInformation, // q: SYSTEM_CALL_COUNT_INFORMATION - SystemDeviceInformation, // q: SYSTEM_DEVICE_INFORMATION - SystemProcessorPerformanceInformation, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION (EX in: USHORT ProcessorGroup) - SystemFlagsInformation, // q: SYSTEM_FLAGS_INFORMATION - SystemCallTimeInformation, // not implemented // SYSTEM_CALL_TIME_INFORMATION // 10 - SystemModuleInformation, // q: RTL_PROCESS_MODULES - SystemLocksInformation, // q: RTL_PROCESS_LOCKS - SystemStackTraceInformation, // q: RTL_PROCESS_BACKTRACES - SystemPagedPoolInformation, // not implemented - SystemNonPagedPoolInformation, // not implemented - SystemHandleInformation, // q: SYSTEM_HANDLE_INFORMATION - SystemObjectInformation, // q: SYSTEM_OBJECTTYPE_INFORMATION mixed with SYSTEM_OBJECT_INFORMATION - SystemPageFileInformation, // q: SYSTEM_PAGEFILE_INFORMATION - SystemVdmInstemulInformation, // q: SYSTEM_VDM_INSTEMUL_INFO - SystemVdmBopInformation, // not implemented // 20 - SystemFileCacheInformation, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemCache) - SystemPoolTagInformation, // q: SYSTEM_POOLTAG_INFORMATION - SystemInterruptInformation, // q: SYSTEM_INTERRUPT_INFORMATION (EX in: USHORT ProcessorGroup) - SystemDpcBehaviorInformation, // q: SYSTEM_DPC_BEHAVIOR_INFORMATION; s: SYSTEM_DPC_BEHAVIOR_INFORMATION (requires SeLoadDriverPrivilege) - SystemFullMemoryInformation, // not implemented // SYSTEM_MEMORY_USAGE_INFORMATION - SystemLoadGdiDriverInformation, // s (kernel-mode only) - SystemUnloadGdiDriverInformation, 
// s (kernel-mode only) - SystemTimeAdjustmentInformation, // q: SYSTEM_QUERY_TIME_ADJUST_INFORMATION; s: SYSTEM_SET_TIME_ADJUST_INFORMATION (requires SeSystemtimePrivilege) - SystemSummaryMemoryInformation, // not implemented // SYSTEM_MEMORY_USAGE_INFORMATION - SystemMirrorMemoryInformation, // s (requires license value "Kernel-MemoryMirroringSupported") (requires SeShutdownPrivilege) // 30 - SystemPerformanceTraceInformation, // q; s: (type depends on EVENT_TRACE_INFORMATION_CLASS) - SystemObsolete0, // not implemented - SystemExceptionInformation, // q: SYSTEM_EXCEPTION_INFORMATION - SystemCrashDumpStateInformation, // s: SYSTEM_CRASH_DUMP_STATE_INFORMATION (requires SeDebugPrivilege) - SystemKernelDebuggerInformation, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION - SystemContextSwitchInformation, // q: SYSTEM_CONTEXT_SWITCH_INFORMATION - SystemRegistryQuotaInformation, // q: SYSTEM_REGISTRY_QUOTA_INFORMATION; s (requires SeIncreaseQuotaPrivilege) - SystemExtendServiceTableInformation, // s (requires SeLoadDriverPrivilege) // loads win32k only - SystemPrioritySeparation, // s (requires SeTcbPrivilege) - SystemVerifierAddDriverInformation, // s: UNICODE_STRING (requires SeDebugPrivilege) // 40 - SystemVerifierRemoveDriverInformation, // s: UNICODE_STRING (requires SeDebugPrivilege) - SystemProcessorIdleInformation, // q: SYSTEM_PROCESSOR_IDLE_INFORMATION (EX in: USHORT ProcessorGroup) - SystemLegacyDriverInformation, // q: SYSTEM_LEGACY_DRIVER_INFORMATION - SystemCurrentTimeZoneInformation, // q; s: RTL_TIME_ZONE_INFORMATION - SystemLookasideInformation, // q: SYSTEM_LOOKASIDE_INFORMATION - SystemTimeSlipNotification, // s: HANDLE (NtCreateEvent) (requires SeSystemtimePrivilege) - SystemSessionCreate, // not implemented - SystemSessionDetach, // not implemented - SystemSessionInformation, // not implemented (SYSTEM_SESSION_INFORMATION) - SystemRangeStartInformation, // q: SYSTEM_RANGE_START_INFORMATION // 50 - SystemVerifierInformation, // q: 
SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege) - SystemVerifierThunkExtend, // s (kernel-mode only) - SystemSessionProcessInformation, // q: SYSTEM_SESSION_PROCESS_INFORMATION - SystemLoadGdiDriverInSystemSpace, // s: SYSTEM_GDI_DRIVER_INFORMATION (kernel-mode only) (same as SystemLoadGdiDriverInformation) - SystemNumaProcessorMap, // q: SYSTEM_NUMA_INFORMATION - SystemPrefetcherInformation, // q; s: PREFETCHER_INFORMATION // PfSnQueryPrefetcherInformation - SystemExtendedProcessInformation, // q: SYSTEM_PROCESS_INFORMATION - SystemRecommendedSharedDataAlignment, // q: ULONG // KeGetRecommendedSharedDataAlignment - SystemComPlusPackage, // q; s: ULONG - SystemNumaAvailableMemory, // q: SYSTEM_NUMA_INFORMATION // 60 - SystemProcessorPowerInformation, // q: SYSTEM_PROCESSOR_POWER_INFORMATION (EX in: USHORT ProcessorGroup) - SystemEmulationBasicInformation, // q: SYSTEM_BASIC_INFORMATION - SystemEmulationProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION - SystemExtendedHandleInformation, // q: SYSTEM_HANDLE_INFORMATION_EX - SystemLostDelayedWriteInformation, // q: ULONG - SystemBigPoolInformation, // q: SYSTEM_BIGPOOL_INFORMATION - SystemSessionPoolTagInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION - SystemSessionMappedViewInformation, // q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION - SystemHotpatchInformation, // q; s: SYSTEM_HOTPATCH_CODE_INFORMATION - SystemObjectSecurityMode, // q: ULONG // 70 - SystemWatchdogTimerHandler, // s: SYSTEM_WATCHDOG_HANDLER_INFORMATION // (kernel-mode only) - SystemWatchdogTimerInformation, // q: SYSTEM_WATCHDOG_TIMER_INFORMATION // NtQuerySystemInformationEx // (kernel-mode only) - SystemLogicalProcessorInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION (EX in: USHORT ProcessorGroup) // NtQuerySystemInformationEx - SystemWow64SharedInformationObsolete, // not implemented - SystemRegisterFirmwareTableInformationHandler, // s: SYSTEM_FIRMWARE_TABLE_HANDLER // (kernel-mode only) - 
SystemFirmwareTableInformation, // SYSTEM_FIRMWARE_TABLE_INFORMATION - SystemModuleInformationEx, // q: RTL_PROCESS_MODULE_INFORMATION_EX // since VISTA - SystemVerifierTriageInformation, // not implemented - SystemSuperfetchInformation, // q; s: SUPERFETCH_INFORMATION // PfQuerySuperfetchInformation - SystemMemoryListInformation, // q: SYSTEM_MEMORY_LIST_INFORMATION; s: SYSTEM_MEMORY_LIST_COMMAND (requires SeProfileSingleProcessPrivilege) // 80 - SystemFileCacheInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (same as SystemFileCacheInformation) - SystemThreadPriorityClientIdInformation, // s: SYSTEM_THREAD_CID_PRIORITY_INFORMATION (requires SeIncreaseBasePriorityPrivilege) // NtQuerySystemInformationEx - SystemProcessorIdleCycleTimeInformation, // q: SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION[] (EX in: USHORT ProcessorGroup) // NtQuerySystemInformationEx - SystemVerifierCancellationInformation, // SYSTEM_VERIFIER_CANCELLATION_INFORMATION // name:wow64:whNT32QuerySystemVerifierCancellationInformation - SystemProcessorPowerInformationEx, // not implemented - SystemRefTraceInformation, // q; s: SYSTEM_REF_TRACE_INFORMATION // ObQueryRefTraceInformation - SystemSpecialPoolInformation, // q; s: SYSTEM_SPECIAL_POOL_INFORMATION (requires SeDebugPrivilege) // MmSpecialPoolTag, then MmSpecialPoolCatchOverruns != 0 - SystemProcessIdInformation, // q: SYSTEM_PROCESS_ID_INFORMATION - SystemErrorPortInformation, // s (requires SeTcbPrivilege) - SystemBootEnvironmentInformation, // q: SYSTEM_BOOT_ENVIRONMENT_INFORMATION // 90 - SystemHypervisorInformation, // q: SYSTEM_HYPERVISOR_QUERY_INFORMATION - SystemVerifierInformationEx, // q; s: SYSTEM_VERIFIER_INFORMATION_EX - SystemTimeZoneInformation, // q; s: RTL_TIME_ZONE_INFORMATION (requires SeTimeZonePrivilege) - SystemImageFileExecutionOptionsInformation, // s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires SeTcbPrivilege) - SystemCoverageInformation, // q: COVERAGE_MODULES 
s: COVERAGE_MODULE_REQUEST // ExpCovQueryInformation (requires SeDebugPrivilege) - SystemPrefetchPatchInformation, // SYSTEM_PREFETCH_PATCH_INFORMATION - SystemVerifierFaultsInformation, // s: SYSTEM_VERIFIER_FAULTS_INFORMATION (requires SeDebugPrivilege) - SystemSystemPartitionInformation, // q: SYSTEM_SYSTEM_PARTITION_INFORMATION - SystemSystemDiskInformation, // q: SYSTEM_SYSTEM_DISK_INFORMATION - SystemProcessorPerformanceDistribution, // q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION (EX in: USHORT ProcessorGroup) // NtQuerySystemInformationEx // 100 - SystemNumaProximityNodeInformation, // q; s: SYSTEM_NUMA_PROXIMITY_MAP - SystemDynamicTimeZoneInformation, // q; s: RTL_DYNAMIC_TIME_ZONE_INFORMATION (requires SeTimeZonePrivilege) - SystemCodeIntegrityInformation, // q: SYSTEM_CODEINTEGRITY_INFORMATION // SeCodeIntegrityQueryInformation - SystemProcessorMicrocodeUpdateInformation, // s: SYSTEM_PROCESSOR_MICROCODE_UPDATE_INFORMATION - SystemProcessorBrandString, // q: CHAR[] // HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23 - SystemVirtualAddressInformation, // q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires SeIncreaseQuotaPrivilege) // MmQuerySystemVaInformation - SystemLogicalProcessorAndGroupInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX (EX in: LOGICAL_PROCESSOR_RELATIONSHIP RelationshipType) // since WIN7 // NtQuerySystemInformationEx // KeQueryLogicalProcessorRelationship - SystemProcessorCycleTimeInformation, // q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[] (EX in: USHORT ProcessorGroup) // NtQuerySystemInformationEx - SystemStoreInformation, // q; s: SYSTEM_STORE_INFORMATION (requires SeProfileSingleProcessPrivilege) // SmQueryStoreInformation - SystemRegistryAppendString, // s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS // 110 - SystemAitSamplingValue, // s: ULONG (requires SeProfileSingleProcessPrivilege) - SystemVhdBootInformation, // q: SYSTEM_VHD_BOOT_INFORMATION - 
SystemCpuQuotaInformation, // q; s: PS_CPU_QUOTA_QUERY_INFORMATION - SystemNativeBasicInformation, // q: SYSTEM_BASIC_INFORMATION - SystemErrorPortTimeouts, // SYSTEM_ERROR_PORT_TIMEOUTS - SystemLowPriorityIoInformation, // q: SYSTEM_LOW_PRIORITY_IO_INFORMATION - SystemTpmBootEntropyInformation, // q: BOOT_ENTROPY_NT_RESULT // ExQueryBootEntropyInformation - SystemVerifierCountersInformation, // q: SYSTEM_VERIFIER_COUNTERS_INFORMATION - SystemPagedPoolInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypePagedPool) - SystemSystemPtesInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes) // 120 - SystemNodeDistanceInformation, // q: USHORT[4*NumaNodes] // (EX in: USHORT NodeNumber) // NtQuerySystemInformationEx - SystemAcpiAuditInformation, // q: SYSTEM_ACPI_AUDIT_INFORMATION // HaliQuerySystemInformation -> HalpAuditQueryResults, info class 26 - SystemBasicPerformanceInformation, // q: SYSTEM_BASIC_PERFORMANCE_INFORMATION // name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation - SystemQueryPerformanceCounterInformation, // q: SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION // since WIN7 SP1 - SystemSessionBigPoolInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION // since WIN8 - SystemBootGraphicsInformation, // q; s: SYSTEM_BOOT_GRAPHICS_INFORMATION (kernel-mode only) - SystemScrubPhysicalMemoryInformation, // q; s: MEMORY_SCRUB_INFORMATION - SystemBadPageInformation, // SYSTEM_BAD_PAGE_INFORMATION - SystemProcessorProfileControlArea, // q; s: SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA - SystemCombinePhysicalMemoryInformation, // s: MEMORY_COMBINE_INFORMATION, MEMORY_COMBINE_INFORMATION_EX, MEMORY_COMBINE_INFORMATION_EX2 // 130 - SystemEntropyInterruptTimingInformation, // q; s: SYSTEM_ENTROPY_TIMING_INFORMATION - SystemConsoleInformation, // q; s: SYSTEM_CONSOLE_INFORMATION - SystemPlatformBinaryInformation, // q: 
SYSTEM_PLATFORM_BINARY_INFORMATION (requires SeTcbPrivilege) - SystemPolicyInformation, // q: SYSTEM_POLICY_INFORMATION (Warbird/Encrypt/Decrypt/Execute) - SystemHypervisorProcessorCountInformation, // q: SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION - SystemDeviceDataInformation, // q: SYSTEM_DEVICE_DATA_INFORMATION - SystemDeviceDataEnumerationInformation, // q: SYSTEM_DEVICE_DATA_INFORMATION - SystemMemoryTopologyInformation, // q: SYSTEM_MEMORY_TOPOLOGY_INFORMATION - SystemMemoryChannelInformation, // q: SYSTEM_MEMORY_CHANNEL_INFORMATION - SystemBootLogoInformation, // q: SYSTEM_BOOT_LOGO_INFORMATION // 140 - SystemProcessorPerformanceInformationEx, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX // (EX in: USHORT ProcessorGroup) // NtQuerySystemInformationEx // since WINBLUE - SystemCriticalProcessErrorLogInformation, // CRITICAL_PROCESS_EXCEPTION_DATA - SystemSecureBootPolicyInformation, // q: SYSTEM_SECUREBOOT_POLICY_INFORMATION - SystemPageFileInformationEx, // q: SYSTEM_PAGEFILE_INFORMATION_EX - SystemSecureBootInformation, // q: SYSTEM_SECUREBOOT_INFORMATION - SystemEntropyInterruptTimingRawInformation, - SystemPortableWorkspaceEfiLauncherInformation, // q: SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION - SystemFullProcessInformation, // q: SYSTEM_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin) - SystemKernelDebuggerInformationEx, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX - SystemBootMetadataInformation, // 150 // (requires SeTcbPrivilege) - SystemSoftRebootInformation, // q: ULONG - SystemElamCertificateInformation, // s: SYSTEM_ELAM_CERTIFICATE_INFORMATION - SystemOfflineDumpConfigInformation, // q: OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V2 - SystemProcessorFeaturesInformation, // q: SYSTEM_PROCESSOR_FEATURES_INFORMATION - SystemRegistryReconciliationInformation, // s: NULL (requires admin) (flushes registry hives) - SystemEdidInformation, // q: SYSTEM_EDID_INFORMATION - SystemManufacturingInformation, // q: 
SYSTEM_MANUFACTURING_INFORMATION // since THRESHOLD - SystemEnergyEstimationConfigInformation, // q: SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION - SystemHypervisorDetailInformation, // q: SYSTEM_HYPERVISOR_DETAIL_INFORMATION - SystemProcessorCycleStatsInformation, // q: SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION (EX in: USHORT ProcessorGroup) // NtQuerySystemInformationEx // 160 - SystemVmGenerationCountInformation, - SystemTrustedPlatformModuleInformation, // q: SYSTEM_TPM_INFORMATION - SystemKernelDebuggerFlags, // SYSTEM_KERNEL_DEBUGGER_FLAGS - SystemCodeIntegrityPolicyInformation, // q; s: SYSTEM_CODEINTEGRITYPOLICY_INFORMATION - SystemIsolatedUserModeInformation, // q: SYSTEM_ISOLATED_USER_MODE_INFORMATION - SystemHardwareSecurityTestInterfaceResultsInformation, - SystemSingleModuleInformation, // q: SYSTEM_SINGLE_MODULE_INFORMATION - SystemAllowedCpuSetsInformation, // s: SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION - SystemVsmProtectionInformation, // q: SYSTEM_VSM_PROTECTION_INFORMATION (previously SystemDmaProtectionInformation) - SystemInterruptCpuSetsInformation, // q: SYSTEM_INTERRUPT_CPU_SET_INFORMATION // 170 - SystemSecureBootPolicyFullInformation, // q: SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION - SystemCodeIntegrityPolicyFullInformation, - SystemAffinitizedInterruptProcessorInformation, // q: KAFFINITY_EX // (requires SeIncreaseBasePriorityPrivilege) - SystemRootSiloInformation, // q: SYSTEM_ROOT_SILO_INFORMATION - SystemCpuSetInformation, // q: SYSTEM_CPU_SET_INFORMATION // since THRESHOLD2 - SystemCpuSetTagInformation, // q: SYSTEM_CPU_SET_TAG_INFORMATION - SystemWin32WerStartCallout, - SystemSecureKernelProfileInformation, // q: SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION - SystemCodeIntegrityPlatformManifestInformation, // q: SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION // NtQuerySystemInformationEx // since REDSTONE - SystemInterruptSteeringInformation, // q: in: SYSTEM_INTERRUPT_STEERING_INFORMATION_INPUT, out: 
SYSTEM_INTERRUPT_STEERING_INFORMATION_OUTPUT // NtQuerySystemInformationEx // 180 - SystemSupportedProcessorArchitectures, // p: in opt: HANDLE, out: SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION[] // NtQuerySystemInformationEx - SystemMemoryUsageInformation, // q: SYSTEM_MEMORY_USAGE_INFORMATION - SystemCodeIntegrityCertificateInformation, // q: SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION - SystemPhysicalMemoryInformation, // q: SYSTEM_PHYSICAL_MEMORY_INFORMATION // since REDSTONE2 - SystemControlFlowTransition, // (Warbird/Encrypt/Decrypt/Execute) - SystemKernelDebuggingAllowed, // s: ULONG - SystemActivityModerationExeState, // SYSTEM_ACTIVITY_MODERATION_EXE_STATE - SystemActivityModerationUserSettings, // SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS - SystemCodeIntegrityPoliciesFullInformation, // NtQuerySystemInformationEx - SystemCodeIntegrityUnlockInformation, // SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION // 190 - SystemIntegrityQuotaInformation, - SystemFlushInformation, // q: SYSTEM_FLUSH_INFORMATION - SystemProcessorIdleMaskInformation, // q: ULONG_PTR[ActiveGroupCount] // since REDSTONE3 - SystemSecureDumpEncryptionInformation, // NtQuerySystemInformationEx - SystemWriteConstraintInformation, // SYSTEM_WRITE_CONSTRAINT_INFORMATION - SystemKernelVaShadowInformation, // SYSTEM_KERNEL_VA_SHADOW_INFORMATION - SystemHypervisorSharedPageInformation, // SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION // since REDSTONE4 - SystemFirmwareBootPerformanceInformation, - SystemCodeIntegrityVerificationInformation, // SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION - SystemFirmwarePartitionInformation, // SYSTEM_FIRMWARE_PARTITION_INFORMATION // 200 - SystemSpeculationControlInformation, // SYSTEM_SPECULATION_CONTROL_INFORMATION // (CVE-2017-5715) REDSTONE3 and above. 
- SystemDmaGuardPolicyInformation, // SYSTEM_DMA_GUARD_POLICY_INFORMATION - SystemEnclaveLaunchControlInformation, // SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION - SystemWorkloadAllowedCpuSetsInformation, // SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION // since REDSTONE5 - SystemCodeIntegrityUnlockModeInformation, // SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION - SystemLeapSecondInformation, // SYSTEM_LEAP_SECOND_INFORMATION - SystemFlags2Information, // q: SYSTEM_FLAGS_INFORMATION - SystemSecurityModelInformation, // SYSTEM_SECURITY_MODEL_INFORMATION // since 19H1 - SystemCodeIntegritySyntheticCacheInformation, // NtQuerySystemInformationEx - SystemFeatureConfigurationInformation, // q: in: SYSTEM_FEATURE_CONFIGURATION_QUERY, out: SYSTEM_FEATURE_CONFIGURATION_INFORMATION; s: SYSTEM_FEATURE_CONFIGURATION_UPDATE // NtQuerySystemInformationEx // since 20H1 // 210 - SystemFeatureConfigurationSectionInformation, // q: in: SYSTEM_FEATURE_CONFIGURATION_SECTIONS_REQUEST, out: SYSTEM_FEATURE_CONFIGURATION_SECTIONS_INFORMATION // NtQuerySystemInformationEx - SystemFeatureUsageSubscriptionInformation, // q: SYSTEM_FEATURE_USAGE_SUBSCRIPTION_DETAILS; s: SYSTEM_FEATURE_USAGE_SUBSCRIPTION_UPDATE - SystemSecureSpeculationControlInformation, // SECURE_SPECULATION_CONTROL_INFORMATION - SystemSpacesBootInformation, // since 20H2 - SystemFwRamdiskInformation, // SYSTEM_FIRMWARE_RAMDISK_INFORMATION - SystemWheaIpmiHardwareInformation, - SystemDifSetRuleClassInformation, // SYSTEM_DIF_VOLATILE_INFORMATION - SystemDifClearRuleClassInformation, - SystemDifApplyPluginVerificationOnDriver, // SYSTEM_DIF_PLUGIN_DRIVER_INFORMATION - SystemDifRemovePluginVerificationOnDriver, // SYSTEM_DIF_PLUGIN_DRIVER_INFORMATION // 220 - SystemShadowStackInformation, // SYSTEM_SHADOW_STACK_INFORMATION - SystemBuildVersionInformation, // q: in: ULONG (LayerNumber), out: SYSTEM_BUILD_VERSION_INFORMATION // NtQuerySystemInformationEx // 222 - SystemPoolLimitInformation, // SYSTEM_POOL_LIMIT_INFORMATION (requires 
SeIncreaseQuotaPrivilege) // NtQuerySystemInformationEx - SystemCodeIntegrityAddDynamicStore, - SystemCodeIntegrityClearDynamicStores, - SystemDifPoolTrackingInformation, - SystemPoolZeroingInformation, // q: SYSTEM_POOL_ZEROING_INFORMATION - SystemDpcWatchdogInformation, // q; s: SYSTEM_DPC_WATCHDOG_CONFIGURATION_INFORMATION - SystemDpcWatchdogInformation2, // q; s: SYSTEM_DPC_WATCHDOG_CONFIGURATION_INFORMATION_V2 - SystemSupportedProcessorArchitectures2, // q: in opt: HANDLE, out: SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION[] // NtQuerySystemInformationEx // 230 - SystemSingleProcessorRelationshipInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX // (EX in: PROCESSOR_NUMBER Processor) // NtQuerySystemInformationEx - SystemXfgCheckFailureInformation, // q: SYSTEM_XFG_FAILURE_INFORMATION - SystemIommuStateInformation, // SYSTEM_IOMMU_STATE_INFORMATION // since 22H1 - SystemHypervisorMinrootInformation, // SYSTEM_HYPERVISOR_MINROOT_INFORMATION - SystemHypervisorBootPagesInformation, // SYSTEM_HYPERVISOR_BOOT_PAGES_INFORMATION - SystemPointerAuthInformation, // SYSTEM_POINTER_AUTH_INFORMATION - SystemSecureKernelDebuggerInformation, // NtQuerySystemInformationEx - SystemOriginalImageFeatureInformation, // q: in: SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_INPUT, out: SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_OUTPUT // NtQuerySystemInformationEx - SystemMemoryNumaInformation, // SYSTEM_MEMORY_NUMA_INFORMATION_INPUT, SYSTEM_MEMORY_NUMA_INFORMATION_OUTPUT // NtQuerySystemInformationEx - SystemMemoryNumaPerformanceInformation, // SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUTSYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUT, SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_OUTPUT // since 24H2 // 240 - SystemCodeIntegritySignedPoliciesFullInformation, - SystemSecureCoreInformation, // SystemSecureSecretsInformation - SystemTrustedAppsRuntimeInformation, // SYSTEM_TRUSTEDAPPS_RUNTIME_INFORMATION - SystemBadPageInformationEx, // SYSTEM_BAD_PAGE_INFORMATION - 
SystemResourceDeadlockTimeout, // ULONG - SystemBreakOnContextUnwindFailureInformation, // ULONG (requires SeDebugPrivilege) - SystemOslRamdiskInformation, // SYSTEM_OSL_RAMDISK_INFORMATION - MaxSystemInfoClass - } SYSTEM_INFORMATION_CLASS; - - typedef struct _SYSTEM_BASIC_INFORMATION - { - ULONG Reserved; - ULONG TimerResolution; - ULONG PageSize; - ULONG NumberOfPhysicalPages; - ULONG LowestPhysicalPageNumber; - ULONG HighestPhysicalPageNumber; - ULONG AllocationGranularity; - ULONG_PTR MinimumUserModeAddress; - ULONG_PTR MaximumUserModeAddress; - KAFFINITY ActiveProcessorsAffinityMask; - CCHAR NumberOfProcessors; - } SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION; - -// SYSTEM_PROCESSOR_INFORMATION // ProcessorFeatureBits (see also SYSTEM_PROCESSOR_FEATURES_INFORMATION) -#define KF_V86_VIS 0x00000001 -#define KF_RDTSC 0x00000002 // Indicates support for the RDTSC instruction. -#define KF_CR4 0x00000004 // Indicates support for the CR4 register. -#define KF_CMOV 0x00000008 -#define KF_GLOBAL_PAGE 0x00000010 // Indicates support for global pages. -#define KF_LARGE_PAGE 0x00000020 // Indicates support for large pages. -#define KF_MTRR 0x00000040 -#define KF_CMPXCHG8B 0x00000080 // Indicates support for the CMPXCHG8B instruction. -#define KF_MMX 0x00000100 -#define KF_WORKING_PTE 0x00000200 -#define KF_PAT 0x00000400 -#define KF_FXSR 0x00000800 -#define KF_FAST_SYSCALL 0x00001000 // Indicates support for fast system calls. 
-#define KF_XMMI 0x00002000 -#define KF_3DNOW 0x00004000 -#define KF_AMDK6MTRR 0x00008000 -#define KF_XMMI64 0x00010000 -#define KF_DTS 0x00020000 -#define KF_NOEXECUTE 0x20000000 -#define KF_GLOBAL_32BIT_EXECUTE 0x40000000 -#define KF_GLOBAL_32BIT_NOEXECUTE 0x80000000 - - typedef struct _SYSTEM_PROCESSOR_INFORMATION - { - USHORT ProcessorArchitecture; - USHORT ProcessorLevel; - USHORT ProcessorRevision; - USHORT MaximumProcessors; - ULONG ProcessorFeatureBits; - } SYSTEM_PROCESSOR_INFORMATION, *PSYSTEM_PROCESSOR_INFORMATION; - - typedef struct _SYSTEM_PERFORMANCE_INFORMATION - { - LARGE_INTEGER IdleProcessTime; - LARGE_INTEGER IoReadTransferCount; - LARGE_INTEGER IoWriteTransferCount; - LARGE_INTEGER IoOtherTransferCount; - ULONG IoReadOperationCount; - ULONG IoWriteOperationCount; - ULONG IoOtherOperationCount; - ULONG AvailablePages; - ULONG CommittedPages; - ULONG CommitLimit; - ULONG PeakCommitment; - ULONG PageFaultCount; - ULONG CopyOnWriteCount; - ULONG TransitionCount; - ULONG CacheTransitionCount; - ULONG DemandZeroCount; - ULONG PageReadCount; - ULONG PageReadIoCount; - ULONG CacheReadCount; - ULONG CacheIoCount; - ULONG DirtyPagesWriteCount; - ULONG DirtyWriteIoCount; - ULONG MappedPagesWriteCount; - ULONG MappedWriteIoCount; - ULONG PagedPoolPages; - ULONG NonPagedPoolPages; - ULONG PagedPoolAllocs; - ULONG PagedPoolFrees; - ULONG NonPagedPoolAllocs; - ULONG NonPagedPoolFrees; - ULONG FreeSystemPtes; - ULONG ResidentSystemCodePage; - ULONG TotalSystemDriverPages; - ULONG TotalSystemCodePages; - ULONG NonPagedPoolLookasideHits; - ULONG PagedPoolLookasideHits; - ULONG AvailablePagedPoolPages; - ULONG ResidentSystemCachePage; - ULONG ResidentPagedPoolPage; - ULONG ResidentSystemDriverPage; - ULONG CcFastReadNoWait; - ULONG CcFastReadWait; - ULONG CcFastReadResourceMiss; - ULONG CcFastReadNotPossible; - ULONG CcFastMdlReadNoWait; - ULONG CcFastMdlReadWait; - ULONG CcFastMdlReadResourceMiss; - ULONG CcFastMdlReadNotPossible; - ULONG CcMapDataNoWait; - ULONG 
CcMapDataWait; - ULONG CcMapDataNoWaitMiss; - ULONG CcMapDataWaitMiss; - ULONG CcPinMappedDataCount; - ULONG CcPinReadNoWait; - ULONG CcPinReadWait; - ULONG CcPinReadNoWaitMiss; - ULONG CcPinReadWaitMiss; - ULONG CcCopyReadNoWait; - ULONG CcCopyReadWait; - ULONG CcCopyReadNoWaitMiss; - ULONG CcCopyReadWaitMiss; - ULONG CcMdlReadNoWait; - ULONG CcMdlReadWait; - ULONG CcMdlReadNoWaitMiss; - ULONG CcMdlReadWaitMiss; - ULONG CcReadAheadIos; - ULONG CcLazyWriteIos; - ULONG CcLazyWritePages; - ULONG CcDataFlushes; - ULONG CcDataPages; - ULONG ContextSwitches; - ULONG FirstLevelTbFills; - ULONG SecondLevelTbFills; - ULONG SystemCalls; - ULONGLONG CcTotalDirtyPages; // since THRESHOLD - ULONGLONG CcDirtyPageThreshold; - LONGLONG ResidentAvailablePages; - ULONGLONG SharedCommittedPages; - ULONGLONG MdlPagesAllocated; // since 24H2 - ULONGLONG PfnDatabaseCommittedPages; - ULONGLONG SystemPageTableCommittedPages; - ULONGLONG ContiguousPagesAllocated; - } SYSTEM_PERFORMANCE_INFORMATION, *PSYSTEM_PERFORMANCE_INFORMATION; - - typedef struct _SYSTEM_TIMEOFDAY_INFORMATION - { - LARGE_INTEGER BootTime; - LARGE_INTEGER CurrentTime; - LARGE_INTEGER TimeZoneBias; - ULONG TimeZoneId; - ULONG Reserved; - ULONGLONG BootTimeBias; - ULONGLONG SleepTimeBias; - } SYSTEM_TIMEOFDAY_INFORMATION, *PSYSTEM_TIMEOFDAY_INFORMATION; - - typedef struct _SYSTEM_THREAD_INFORMATION - { - LARGE_INTEGER KernelTime; - LARGE_INTEGER UserTime; - LARGE_INTEGER CreateTime; - ULONG WaitTime; - PVOID StartAddress; - CLIENT_ID ClientId; - KPRIORITY Priority; - KPRIORITY BasePriority; - ULONG ContextSwitches; - KTHREAD_STATE ThreadState; - KWAIT_REASON WaitReason; - } SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION; - - // private - typedef struct _SYSTEM_EXTENDED_THREAD_INFORMATION - { - union - { - SYSTEM_THREAD_INFORMATION ThreadInfo; - struct - { - ULONGLONG KernelTime; - ULONGLONG UserTime; - ULONGLONG CreateTime; - ULONG WaitTime; - PVOID StartAddress; - CLIENT_ID ClientId; - KPRIORITY Priority; - 
KPRIORITY BasePriority; - ULONG ContextSwitches; - KTHREAD_STATE ThreadState; - KWAIT_REASON WaitReason; - }; - }; - ULONG_PTR StackBase; - ULONG_PTR StackLimit; - PVOID Win32StartAddress; - PVOID TebBase; // since VISTA - ULONG_PTR Reserved2; - ULONG_PTR Reserved3; - ULONG_PTR Reserved4; - } SYSTEM_EXTENDED_THREAD_INFORMATION, *PSYSTEM_EXTENDED_THREAD_INFORMATION; - - typedef struct _SYSTEM_PROCESS_INFORMATION - { - ULONG NextEntryOffset; - ULONG NumberOfThreads; - LARGE_INTEGER WorkingSetPrivateSize; // since VISTA - ULONG HardFaultCount; // since WIN7 - ULONG NumberOfThreadsHighWatermark; // since WIN7 - ULONGLONG CycleTime; // since WIN7 - LARGE_INTEGER CreateTime; - LARGE_INTEGER UserTime; - LARGE_INTEGER KernelTime; - UNICODE_STRING ImageName; - KPRIORITY BasePriority; - HANDLE UniqueProcessId; - HANDLE InheritedFromUniqueProcessId; - ULONG HandleCount; - ULONG SessionId; - ULONG_PTR UniqueProcessKey; // since VISTA (requires SystemExtendedProcessInformation) - SIZE_T PeakVirtualSize; - SIZE_T VirtualSize; - ULONG PageFaultCount; - SIZE_T PeakWorkingSetSize; - SIZE_T WorkingSetSize; - SIZE_T QuotaPeakPagedPoolUsage; - SIZE_T QuotaPagedPoolUsage; - SIZE_T QuotaPeakNonPagedPoolUsage; - SIZE_T QuotaNonPagedPoolUsage; - SIZE_T PagefileUsage; - SIZE_T PeakPagefileUsage; - SIZE_T PrivatePageCount; - LARGE_INTEGER ReadOperationCount; - LARGE_INTEGER WriteOperationCount; - LARGE_INTEGER OtherOperationCount; - LARGE_INTEGER ReadTransferCount; - LARGE_INTEGER WriteTransferCount; - LARGE_INTEGER OtherTransferCount; - SYSTEM_THREAD_INFORMATION Threads[1]; // SystemProcessInformation - // SYSTEM_EXTENDED_THREAD_INFORMATION Threads[1]; // SystemExtendedProcessinformation - // SYSTEM_EXTENDED_THREAD_INFORMATION + SYSTEM_PROCESS_INFORMATION_EXTENSION // SystemFullProcessInformation - } SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION; - - typedef struct _SYSTEM_CALL_COUNT_INFORMATION - { - ULONG Length; - ULONG NumberOfTables; - } SYSTEM_CALL_COUNT_INFORMATION, 
*PSYSTEM_CALL_COUNT_INFORMATION; - - typedef struct _SYSTEM_DEVICE_INFORMATION - { - ULONG NumberOfDisks; - ULONG NumberOfFloppies; - ULONG NumberOfCdRoms; - ULONG NumberOfTapes; - ULONG NumberOfSerialPorts; - ULONG NumberOfParallelPorts; - } SYSTEM_DEVICE_INFORMATION, *PSYSTEM_DEVICE_INFORMATION; - - typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION - { - LARGE_INTEGER IdleTime; - LARGE_INTEGER KernelTime; - LARGE_INTEGER UserTime; - LARGE_INTEGER DpcTime; - LARGE_INTEGER InterruptTime; - ULONG InterruptCount; - } SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION, *PSYSTEM_PROCESSOR_PERFORMANCE_INFORMATION; - - typedef struct _SYSTEM_FLAGS_INFORMATION - { - union - { - ULONG Flags; // NtGlobalFlag - struct - { - ULONG StopOnException : 1; // FLG_STOP_ON_EXCEPTION - ULONG ShowLoaderSnaps : 1; // FLG_SHOW_LDR_SNAPS - ULONG DebugInitialCommand : 1; // FLG_DEBUG_INITIAL_COMMAND - ULONG StopOnHungGUI : 1; // FLG_STOP_ON_HUNG_GUI - ULONG HeapEnableTailCheck : 1; // FLG_HEAP_ENABLE_TAIL_CHECK - ULONG HeapEnableFreeCheck : 1; // FLG_HEAP_ENABLE_FREE_CHECK - ULONG HeapValidateParameters : 1; // FLG_HEAP_VALIDATE_PARAMETERS - ULONG HeapValidateAll : 1; // FLG_HEAP_VALIDATE_ALL - ULONG ApplicationVerifier : 1; // FLG_APPLICATION_VERIFIER - ULONG MonitorSilentProcessExit : 1; // FLG_MONITOR_SILENT_PROCESS_EXIT - ULONG PoolEnableTagging : 1; // FLG_POOL_ENABLE_TAGGING - ULONG HeapEnableTagging : 1; // FLG_HEAP_ENABLE_TAGGING - ULONG UserStackTraceDb : 1; // FLG_USER_STACK_TRACE_DB - ULONG KernelStackTraceDb : 1; // FLG_KERNEL_STACK_TRACE_DB - ULONG MaintainObjectTypeList : 1; // FLG_MAINTAIN_OBJECT_TYPELIST - ULONG HeapEnableTagByDll : 1; // FLG_HEAP_ENABLE_TAG_BY_DLL - ULONG DisableStackExtension : 1; // FLG_DISABLE_STACK_EXTENSION - ULONG EnableCsrDebug : 1; // FLG_ENABLE_CSRDEBUG - ULONG EnableKDebugSymbolLoad : 1; // FLG_ENABLE_KDEBUG_SYMBOL_LOAD - ULONG DisablePageKernelStacks : 1; // FLG_DISABLE_PAGE_KERNEL_STACKS - ULONG EnableSystemCritBreaks : 1; // 
FLG_ENABLE_SYSTEM_CRIT_BREAKS - ULONG HeapDisableCoalescing : 1; // FLG_HEAP_DISABLE_COALESCING - ULONG EnableCloseExceptions : 1; // FLG_ENABLE_CLOSE_EXCEPTIONS - ULONG EnableExceptionLogging : 1; // FLG_ENABLE_EXCEPTION_LOGGING - ULONG EnableHandleTypeTagging : 1; // FLG_ENABLE_HANDLE_TYPE_TAGGING - ULONG HeapPageAllocs : 1; // FLG_HEAP_PAGE_ALLOCS - ULONG DebugInitialCommandEx : 1; // FLG_DEBUG_INITIAL_COMMAND_EX - ULONG DisableDbgPrint : 1; // FLG_DISABLE_DBGPRINT - ULONG CritSecEventCreation : 1; // FLG_CRITSEC_EVENT_CREATION - ULONG LdrTopDown : 1; // FLG_LDR_TOP_DOWN - ULONG EnableHandleExceptions : 1; // FLG_ENABLE_HANDLE_EXCEPTIONS - ULONG DisableProtDlls : 1; // FLG_DISABLE_PROTDLLS - }; - }; - } SYSTEM_FLAGS_INFORMATION, *PSYSTEM_FLAGS_INFORMATION; - - // private - typedef struct _SYSTEM_CALL_TIME_INFORMATION - { - ULONG Length; - ULONG TotalCalls; - LARGE_INTEGER TimeOfCalls[1]; - } SYSTEM_CALL_TIME_INFORMATION, *PSYSTEM_CALL_TIME_INFORMATION; - - // private - typedef struct _RTL_PROCESS_LOCK_INFORMATION - { - PVOID Address; - USHORT Type; - USHORT CreatorBackTraceIndex; - HANDLE OwningThread; - LONG LockCount; - ULONG ContentionCount; - ULONG EntryCount; - LONG RecursionCount; - ULONG NumberOfWaitingShared; - ULONG NumberOfWaitingExclusive; - } RTL_PROCESS_LOCK_INFORMATION, *PRTL_PROCESS_LOCK_INFORMATION; - - // private - typedef struct _RTL_PROCESS_LOCKS - { - ULONG NumberOfLocks; - _Field_size_(NumberOfLocks) RTL_PROCESS_LOCK_INFORMATION Locks[1]; - } RTL_PROCESS_LOCKS, *PRTL_PROCESS_LOCKS; - - // private - typedef struct _RTL_PROCESS_BACKTRACE_INFORMATION - { - PCHAR SymbolicBackTrace; - ULONG TraceCount; - USHORT Index; - USHORT Depth; - PVOID BackTrace[32]; - } RTL_PROCESS_BACKTRACE_INFORMATION, *PRTL_PROCESS_BACKTRACE_INFORMATION; - - // private - typedef struct _RTL_PROCESS_BACKTRACES - { - ULONG CommittedMemory; - ULONG ReservedMemory; - ULONG NumberOfBackTraceLookups; - ULONG NumberOfBackTraces; - _Field_size_(NumberOfBackTraces) 
RTL_PROCESS_BACKTRACE_INFORMATION BackTraces[1]; - } RTL_PROCESS_BACKTRACES, *PRTL_PROCESS_BACKTRACES; - - typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO - { - USHORT UniqueProcessId; - USHORT CreatorBackTraceIndex; - UCHAR ObjectTypeIndex; - UCHAR HandleAttributes; - USHORT HandleValue; - PVOID Object; - ACCESS_MASK GrantedAccess; - } SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO; - - typedef struct _SYSTEM_HANDLE_INFORMATION - { - ULONG NumberOfHandles; - _Field_size_(NumberOfHandles) SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1]; - } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; - - typedef struct _SYSTEM_OBJECTTYPE_INFORMATION - { - ULONG NextEntryOffset; - ULONG NumberOfObjects; - ULONG NumberOfHandles; - ULONG TypeIndex; - ULONG InvalidAttributes; - GENERIC_MAPPING GenericMapping; - ACCESS_MASK ValidAccessMask; - ULONG PoolType; - BOOLEAN SecurityRequired; - BOOLEAN WaitableObject; - UNICODE_STRING TypeName; - } SYSTEM_OBJECTTYPE_INFORMATION, *PSYSTEM_OBJECTTYPE_INFORMATION; - - typedef struct _SYSTEM_OBJECT_INFORMATION - { - ULONG NextEntryOffset; - PVOID Object; - HANDLE CreatorUniqueProcess; - USHORT CreatorBackTraceIndex; - USHORT Flags; - LONG PointerCount; - LONG HandleCount; - ULONG PagedPoolCharge; - ULONG NonPagedPoolCharge; - HANDLE ExclusiveProcessId; - PVOID SecurityDescriptor; - UNICODE_STRING NameInfo; - } SYSTEM_OBJECT_INFORMATION, *PSYSTEM_OBJECT_INFORMATION; - - typedef struct _SYSTEM_PAGEFILE_INFORMATION - { - ULONG NextEntryOffset; - ULONG TotalSize; - ULONG TotalInUse; - ULONG PeakUsage; - UNICODE_STRING PageFileName; - } SYSTEM_PAGEFILE_INFORMATION, *PSYSTEM_PAGEFILE_INFORMATION; - - typedef struct _SYSTEM_VDM_INSTEMUL_INFO - { - ULONG SegmentNotPresent; - ULONG VdmOpcode0F; - ULONG OpcodeESPrefix; - ULONG OpcodeCSPrefix; - ULONG OpcodeSSPrefix; - ULONG OpcodeDSPrefix; - ULONG OpcodeFSPrefix; - ULONG OpcodeGSPrefix; - ULONG OpcodeOPER32Prefix; - ULONG OpcodeADDR32Prefix; - ULONG OpcodeINSB; - ULONG OpcodeINSW; - 
ULONG OpcodeOUTSB; - ULONG OpcodeOUTSW; - ULONG OpcodePUSHF; - ULONG OpcodePOPF; - ULONG OpcodeINTnn; - ULONG OpcodeINTO; - ULONG OpcodeIRET; - ULONG OpcodeINBimm; - ULONG OpcodeINWimm; - ULONG OpcodeOUTBimm; - ULONG OpcodeOUTWimm; - ULONG OpcodeINB; - ULONG OpcodeINW; - ULONG OpcodeOUTB; - ULONG OpcodeOUTW; - ULONG OpcodeLOCKPrefix; - ULONG OpcodeREPNEPrefix; - ULONG OpcodeREPPrefix; - ULONG OpcodeHLT; - ULONG OpcodeCLI; - ULONG OpcodeSTI; - ULONG BopCount; - } SYSTEM_VDM_INSTEMUL_INFO, *PSYSTEM_VDM_INSTEMUL_INFO; - -#define MM_WORKING_SET_MAX_HARD_ENABLE 0x1 -#define MM_WORKING_SET_MAX_HARD_DISABLE 0x2 -#define MM_WORKING_SET_MIN_HARD_ENABLE 0x4 -#define MM_WORKING_SET_MIN_HARD_DISABLE 0x8 - - typedef struct _SYSTEM_FILECACHE_INFORMATION - { - SIZE_T CurrentSize; - SIZE_T PeakSize; - ULONG PageFaultCount; - SIZE_T MinimumWorkingSet; - SIZE_T MaximumWorkingSet; - SIZE_T CurrentSizeIncludingTransitionInPages; - SIZE_T PeakSizeIncludingTransitionInPages; - ULONG TransitionRePurposeCount; - ULONG Flags; - } SYSTEM_FILECACHE_INFORMATION, *PSYSTEM_FILECACHE_INFORMATION; - - // Can be used instead of SYSTEM_FILECACHE_INFORMATION - typedef struct _SYSTEM_BASIC_WORKING_SET_INFORMATION - { - SIZE_T CurrentSize; - SIZE_T PeakSize; - ULONG PageFaultCount; - } SYSTEM_BASIC_WORKING_SET_INFORMATION, *PSYSTEM_BASIC_WORKING_SET_INFORMATION; - - typedef struct _SYSTEM_POOLTAG - { - union - { - UCHAR Tag[4]; - ULONG TagUlong; - }; - ULONG PagedAllocs; - ULONG PagedFrees; - SIZE_T PagedUsed; - ULONG NonPagedAllocs; - ULONG NonPagedFrees; - SIZE_T NonPagedUsed; - } SYSTEM_POOLTAG, *PSYSTEM_POOLTAG; - - typedef struct _SYSTEM_POOLTAG_INFORMATION - { - ULONG Count; - _Field_size_(Count) SYSTEM_POOLTAG TagInfo[1]; - } SYSTEM_POOLTAG_INFORMATION, *PSYSTEM_POOLTAG_INFORMATION; - - typedef struct _SYSTEM_INTERRUPT_INFORMATION - { - ULONG ContextSwitches; - ULONG DpcCount; - ULONG DpcRate; - ULONG TimeIncrement; - ULONG DpcBypassCount; - ULONG ApcBypassCount; - } 
SYSTEM_INTERRUPT_INFORMATION, *PSYSTEM_INTERRUPT_INFORMATION; - - typedef struct _SYSTEM_DPC_BEHAVIOR_INFORMATION - { - ULONG Spare; - ULONG DpcQueueDepth; - ULONG MinimumDpcRate; - ULONG AdjustDpcThreshold; - ULONG IdealDpcRate; - } SYSTEM_DPC_BEHAVIOR_INFORMATION, *PSYSTEM_DPC_BEHAVIOR_INFORMATION; - - typedef struct _SYSTEM_QUERY_TIME_ADJUST_INFORMATION - { - ULONG TimeAdjustment; - ULONG TimeIncrement; - BOOLEAN Enable; - } SYSTEM_QUERY_TIME_ADJUST_INFORMATION, *PSYSTEM_QUERY_TIME_ADJUST_INFORMATION; - - typedef struct _SYSTEM_QUERY_TIME_ADJUST_INFORMATION_PRECISE - { - ULONGLONG TimeAdjustment; - ULONGLONG TimeIncrement; - BOOLEAN Enable; - } SYSTEM_QUERY_TIME_ADJUST_INFORMATION_PRECISE, *PSYSTEM_QUERY_TIME_ADJUST_INFORMATION_PRECISE; - - typedef struct _SYSTEM_SET_TIME_ADJUST_INFORMATION - { - ULONG TimeAdjustment; - BOOLEAN Enable; - } SYSTEM_SET_TIME_ADJUST_INFORMATION, *PSYSTEM_SET_TIME_ADJUST_INFORMATION; - - typedef struct _SYSTEM_SET_TIME_ADJUST_INFORMATION_PRECISE - { - ULONGLONG TimeAdjustment; - BOOLEAN Enable; - } SYSTEM_SET_TIME_ADJUST_INFORMATION_PRECISE, *PSYSTEM_SET_TIME_ADJUST_INFORMATION_PRECISE; - - typedef enum _EVENT_TRACE_INFORMATION_CLASS - { - EventTraceKernelVersionInformation, // EVENT_TRACE_VERSION_INFORMATION - EventTraceGroupMaskInformation, // EVENT_TRACE_GROUPMASK_INFORMATION - EventTracePerformanceInformation, // EVENT_TRACE_PERFORMANCE_INFORMATION - EventTraceTimeProfileInformation, // EVENT_TRACE_TIME_PROFILE_INFORMATION - EventTraceSessionSecurityInformation, // EVENT_TRACE_SESSION_SECURITY_INFORMATION - EventTraceSpinlockInformation, // EVENT_TRACE_SPINLOCK_INFORMATION - EventTraceStackTracingInformation, // EVENT_TRACE_STACK_TRACING_INFORMATION - EventTraceExecutiveResourceInformation, // EVENT_TRACE_EXECUTIVE_RESOURCE_INFORMATION - EventTraceHeapTracingInformation, // EVENT_TRACE_HEAP_TRACING_INFORMATION - EventTraceHeapSummaryTracingInformation, // EVENT_TRACE_HEAP_TRACING_INFORMATION - EventTracePoolTagFilterInformation, 
// EVENT_TRACE_POOLTAG_FILTER_INFORMATION - EventTracePebsTracingInformation, // EVENT_TRACE_PEBS_TRACING_INFORMATION - EventTraceProfileConfigInformation, // EVENT_TRACE_PROFILE_CONFIG_INFORMATION - EventTraceProfileSourceListInformation, // EVENT_TRACE_PROFILE_LIST_INFORMATION - EventTraceProfileEventListInformation, // EVENT_TRACE_PROFILE_EVENT_INFORMATION - EventTraceProfileCounterListInformation, // EVENT_TRACE_PROFILE_COUNTER_INFORMATION - EventTraceStackCachingInformation, // EVENT_TRACE_STACK_CACHING_INFORMATION - EventTraceObjectTypeFilterInformation, // EVENT_TRACE_OBJECT_TYPE_FILTER_INFORMATION - EventTraceSoftRestartInformation, // EVENT_TRACE_SOFT_RESTART_INFORMATION - EventTraceLastBranchConfigurationInformation, // REDSTONE3 - EventTraceLastBranchEventListInformation, // EVENT_TRACE_PROFILE_EVENT_INFORMATION - EventTraceProfileSourceAddInformation, // EVENT_TRACE_PROFILE_ADD_INFORMATION // REDSTONE4 - EventTraceProfileSourceRemoveInformation, // EVENT_TRACE_PROFILE_REMOVE_INFORMATION - EventTraceProcessorTraceConfigurationInformation, - EventTraceProcessorTraceEventListInformation, // EVENT_TRACE_PROFILE_EVENT_INFORMATION - EventTraceCoverageSamplerInformation, // EVENT_TRACE_COVERAGE_SAMPLER_INFORMATION - EventTraceUnifiedStackCachingInformation, // since 21H1 - EventTraceContextRegisterTraceInformation, // TRACE_CONTEXT_REGISTER_INFO // 24H2 - MaxEventTraceInfoClass - } EVENT_TRACE_INFORMATION_CLASS; - - typedef struct _EVENT_TRACE_VERSION_INFORMATION - { - EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; - ULONG EventTraceKernelVersion; - } EVENT_TRACE_VERSION_INFORMATION, *PEVENT_TRACE_VERSION_INFORMATION; - - typedef struct _EVENT_TRACE_GROUPMASK_INFORMATION - { - EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; - TRACEHANDLE TraceHandle; - ULONG EventTraceGroupMasks[8]; // PERFINFO_GROUPMASK - } EVENT_TRACE_GROUPMASK_INFORMATION, *PEVENT_TRACE_GROUPMASK_INFORMATION; - - typedef struct _EVENT_TRACE_PERFORMANCE_INFORMATION - { - 
EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; - LARGE_INTEGER LogfileBytesWritten; - } EVENT_TRACE_PERFORMANCE_INFORMATION, *PEVENT_TRACE_PERFORMANCE_INFORMATION; - - typedef struct _EVENT_TRACE_TIME_PROFILE_INFORMATION - { - EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; - ULONG ProfileInterval; - } EVENT_TRACE_TIME_PROFILE_INFORMATION, *PEVENT_TRACE_TIME_PROFILE_INFORMATION; - - typedef struct _EVENT_TRACE_SESSION_SECURITY_INFORMATION - { - EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; - ULONG SecurityInformation; - TRACEHANDLE TraceHandle; - UCHAR SecurityDescriptor[1]; - } EVENT_TRACE_SESSION_SECURITY_INFORMATION, *PEVENT_TRACE_SESSION_SECURITY_INFORMATION; - - typedef struct _EVENT_TRACE_SPINLOCK_INFORMATION - { - EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; - ULONG SpinLockSpinThreshold; - ULONG SpinLockAcquireSampleRate; - ULONG SpinLockContentionSampleRate; - ULONG SpinLockHoldThreshold; - } EVENT_TRACE_SPINLOCK_INFORMATION, *PEVENT_TRACE_SPINLOCK_INFORMATION; - - typedef struct _EVENT_TRACE_SYSTEM_EVENT_INFORMATION - { - EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; - TRACEHANDLE TraceHandle; - ULONG HookId[1]; - } EVENT_TRACE_SYSTEM_EVENT_INFORMATION, *PEVENT_TRACE_SYSTEM_EVENT_INFORMATION; - - typedef EVENT_TRACE_SYSTEM_EVENT_INFORMATION EVENT_TRACE_STACK_TRACING_INFORMATION, *PEVENT_TRACE_STACK_TRACING_INFORMATION; - typedef EVENT_TRACE_SYSTEM_EVENT_INFORMATION EVENT_TRACE_PEBS_TRACING_INFORMATION, *PEVENT_TRACE_PEBS_TRACING_INFORMATION; - typedef EVENT_TRACE_SYSTEM_EVENT_INFORMATION EVENT_TRACE_PROFILE_EVENT_INFORMATION, *PEVENT_TRACE_PROFILE_EVENT_INFORMATION; - - typedef struct _EVENT_TRACE_EXECUTIVE_RESOURCE_INFORMATION - { - EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; - ULONG ReleaseSamplingRate; - ULONG ContentionSamplingRate; - ULONG NumberOfExcessiveTimeouts; - } EVENT_TRACE_EXECUTIVE_RESOURCE_INFORMATION, *PEVENT_TRACE_EXECUTIVE_RESOURCE_INFORMATION; - - typedef struct 
_EVENT_TRACE_HEAP_TRACING_INFORMATION - { - EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; - ULONG ProcessId[1]; - } EVENT_TRACE_HEAP_TRACING_INFORMATION, *PEVENT_TRACE_HEAP_TRACING_INFORMATION; - - typedef struct _EVENT_TRACE_TAG_FILTER_INFORMATION - { - EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; - TRACEHANDLE TraceHandle; - ULONG Filter[1]; - } EVENT_TRACE_TAG_FILTER_INFORMATION, *PEVENT_TRACE_TAG_FILTER_INFORMATION; - - typedef EVENT_TRACE_TAG_FILTER_INFORMATION EVENT_TRACE_POOLTAG_FILTER_INFORMATION, *PEVENT_TRACE_POOLTAG_FILTER_INFORMATION; - typedef EVENT_TRACE_TAG_FILTER_INFORMATION EVENT_TRACE_OBJECT_TYPE_FILTER_INFORMATION, *PEVENT_TRACE_OBJECT_TYPE_FILTER_INFORMATION; - -// ProfileSource -#define ETW_MAX_PROFILING_SOURCES 4 -#define ETW_MAX_PMC_EVENTS 4 -#define ETW_MAX_PMC_COUNTERS 4 - - typedef struct _EVENT_TRACE_PROFILE_COUNTER_INFORMATION - { - EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; - TRACEHANDLE TraceHandle; - ULONG ProfileSource[1]; - } EVENT_TRACE_PROFILE_COUNTER_INFORMATION, *PEVENT_TRACE_PROFILE_COUNTER_INFORMATION; - - typedef EVENT_TRACE_PROFILE_COUNTER_INFORMATION EVENT_TRACE_PROFILE_CONFIG_INFORMATION, *PEVENT_TRACE_PROFILE_CONFIG_INFORMATION; - - // typedef struct _PROFILE_SOURCE_INFO - //{ - // ULONG NextEntryOffset; - // ULONG Source; - // ULONG MinInterval; - // ULONG MaxInterval; - // PVOID Reserved; - // WCHAR Description[1]; - // } PROFILE_SOURCE_INFO, *PPROFILE_SOURCE_INFO; - - typedef struct _PROFILE_SOURCE_INFO *PPROFILE_SOURCE_INFO; - - typedef struct _EVENT_TRACE_PROFILE_LIST_INFORMATION - { - EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; - ULONG Spare; - PPROFILE_SOURCE_INFO Profile[1]; - } EVENT_TRACE_PROFILE_LIST_INFORMATION, *PEVENT_TRACE_PROFILE_LIST_INFORMATION; - - typedef struct _EVENT_TRACE_STACK_CACHING_INFORMATION - { - EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; - TRACEHANDLE TraceHandle; - BOOLEAN Enabled; - UCHAR Reserved[3]; - ULONG CacheSize; - 
ULONG BucketCount; - } EVENT_TRACE_STACK_CACHING_INFORMATION, *PEVENT_TRACE_STACK_CACHING_INFORMATION; - - typedef struct _EVENT_TRACE_SOFT_RESTART_INFORMATION - { - EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; - TRACEHANDLE TraceHandle; - BOOLEAN PersistTraceBuffers; - WCHAR FileName[1]; - } EVENT_TRACE_SOFT_RESTART_INFORMATION, *PEVENT_TRACE_SOFT_RESTART_INFORMATION; - - typedef enum _EVENT_TRACE_PROFILE_ADD_INFORMATION_VERSIONS - { - EventTraceProfileAddInformationMinVersion = 0x2, - EventTraceProfileAddInformationV2 = 0x2, - EventTraceProfileAddInformationV3 = 0x3, - EventTraceProfileAddInformationMaxVersion = 0x3, - } EVENT_TRACE_PROFILE_ADD_INFORMATION_VERSIONS; - - typedef union _EVENT_TRACE_PROFILE_ADD_INFORMATION_V2 - { - struct - { - UCHAR PerfEvtEventSelect; - UCHAR PerfEvtUnitSelect; - UCHAR PerfEvtCMask; - UCHAR PerfEvtCInv; - UCHAR PerfEvtAnyThread; - UCHAR PerfEvtEdgeDetect; - } Intel; - struct - { - UCHAR PerfEvtEventSelect; - UCHAR PerfEvtUnitSelect; - } Amd; - struct - { - ULONG PerfEvtType; - UCHAR AllowsHalt; - } Arm; - } EVENT_TRACE_PROFILE_ADD_INFORMATION_V2; - - typedef union _EVENT_TRACE_PROFILE_ADD_INFORMATION_V3 - { - struct - { - UCHAR PerfEvtEventSelect; - UCHAR PerfEvtUnitSelect; - UCHAR PerfEvtCMask; - UCHAR PerfEvtCInv; - UCHAR PerfEvtAnyThread; - UCHAR PerfEvtEdgeDetect; - } Intel; - struct - { - USHORT PerfEvtEventSelect; - UCHAR PerfEvtUnitSelect; - UCHAR PerfEvtCMask; - UCHAR PerfEvtCInv; - UCHAR PerfEvtEdgeDetect; - UCHAR PerfEvtHostGuest; - UCHAR PerfPmuType; - } Amd; - struct - { - ULONG PerfEvtType; - UCHAR AllowsHalt; - } Arm; - } EVENT_TRACE_PROFILE_ADD_INFORMATION_V3; - - typedef struct _EVENT_TRACE_PROFILE_ADD_INFORMATION - { - EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; - UCHAR Version; - union - { - EVENT_TRACE_PROFILE_ADD_INFORMATION_V2 V2; - EVENT_TRACE_PROFILE_ADD_INFORMATION_V3 V3; - }; - ULONG CpuInfoHierarchy[0x3]; - ULONG InitialInterval; - BOOLEAN Persist; - WCHAR 
ProfileSourceDescription[0x1]; - } EVENT_TRACE_PROFILE_ADD_INFORMATION, *PEVENT_TRACE_PROFILE_ADD_INFORMATION; - - typedef struct _EVENT_TRACE_PROFILE_REMOVE_INFORMATION - { - EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; - KPROFILE_SOURCE ProfileSource; - ULONG CpuInfoHierarchy[0x3]; - } EVENT_TRACE_PROFILE_REMOVE_INFORMATION, *PEVENT_TRACE_PROFILE_REMOVE_INFORMATION; - - typedef struct _EVENT_TRACE_COVERAGE_SAMPLER_INFORMATION - { - EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; - UCHAR CoverageSamplerInformationClass; - UCHAR MajorVersion; - UCHAR MinorVersion; - UCHAR Reserved; - HANDLE SamplerHandle; - } EVENT_TRACE_COVERAGE_SAMPLER_INFORMATION, *PEVENT_TRACE_COVERAGE_SAMPLER_INFORMATION; - - // typedef struct _TRACE_CONTEXT_REGISTER_INFO - //{ - // ETW_CONTEXT_REGISTER_TYPES RegisterTypes; - // ULONG Reserved; - // } TRACE_CONTEXT_REGISTER_INFO, *PTRACE_CONTEXT_REGISTER_INFO; - - typedef struct _SYSTEM_EXCEPTION_INFORMATION - { - ULONG AlignmentFixupCount; - ULONG ExceptionDispatchCount; - ULONG FloatingEmulationCount; - ULONG ByteWordEmulationCount; - } SYSTEM_EXCEPTION_INFORMATION, *PSYSTEM_EXCEPTION_INFORMATION; - - typedef enum _SYSTEM_CRASH_DUMP_CONFIGURATION_CLASS - { - SystemCrashDumpDisable, - SystemCrashDumpReconfigure, - SystemCrashDumpInitializationComplete - } SYSTEM_CRASH_DUMP_CONFIGURATION_CLASS, - *PSYSTEM_CRASH_DUMP_CONFIGURATION_CLASS; - - typedef struct _SYSTEM_CRASH_DUMP_STATE_INFORMATION - { - SYSTEM_CRASH_DUMP_CONFIGURATION_CLASS CrashDumpConfigurationClass; - } SYSTEM_CRASH_DUMP_STATE_INFORMATION, *PSYSTEM_CRASH_DUMP_STATE_INFORMATION; - - typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION - { - BOOLEAN KernelDebuggerEnabled; - BOOLEAN KernelDebuggerNotPresent; - } SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION; - - typedef struct _SYSTEM_CONTEXT_SWITCH_INFORMATION - { - ULONG ContextSwitches; - ULONG FindAny; - ULONG FindLast; - ULONG FindIdeal; - ULONG IdleAny; - ULONG IdleCurrent; - 
ULONG IdleLast; - ULONG IdleIdeal; - ULONG PreemptAny; - ULONG PreemptCurrent; - ULONG PreemptLast; - ULONG SwitchToIdle; - } SYSTEM_CONTEXT_SWITCH_INFORMATION, *PSYSTEM_CONTEXT_SWITCH_INFORMATION; - - typedef struct _SYSTEM_REGISTRY_QUOTA_INFORMATION - { - ULONG RegistryQuotaAllowed; - ULONG RegistryQuotaUsed; - SIZE_T PagedPoolSize; - } SYSTEM_REGISTRY_QUOTA_INFORMATION, *PSYSTEM_REGISTRY_QUOTA_INFORMATION; - - typedef struct _SYSTEM_PROCESSOR_IDLE_INFORMATION - { - ULONGLONG IdleTime; - ULONGLONG C1Time; - ULONGLONG C2Time; - ULONGLONG C3Time; - ULONG C1Transitions; - ULONG C2Transitions; - ULONG C3Transitions; - ULONG Padding; - } SYSTEM_PROCESSOR_IDLE_INFORMATION, *PSYSTEM_PROCESSOR_IDLE_INFORMATION; - - typedef struct _SYSTEM_LEGACY_DRIVER_INFORMATION - { - ULONG VetoType; - UNICODE_STRING VetoList; - } SYSTEM_LEGACY_DRIVER_INFORMATION, *PSYSTEM_LEGACY_DRIVER_INFORMATION; - - typedef struct _SYSTEM_LOOKASIDE_INFORMATION - { - USHORT CurrentDepth; - USHORT MaximumDepth; - ULONG TotalAllocates; - ULONG AllocateMisses; - ULONG TotalFrees; - ULONG FreeMisses; - ULONG Type; - ULONG Tag; - ULONG Size; - } SYSTEM_LOOKASIDE_INFORMATION, *PSYSTEM_LOOKASIDE_INFORMATION; - - // private - typedef struct _SYSTEM_RANGE_START_INFORMATION - { - ULONG_PTR SystemRangeStart; - } SYSTEM_RANGE_START_INFORMATION, *PSYSTEM_RANGE_START_INFORMATION; - - typedef struct _SYSTEM_VERIFIER_INFORMATION_LEGACY // pre-19H1 - { - ULONG NextEntryOffset; - ULONG Level; - UNICODE_STRING DriverName; - - ULONG RaiseIrqls; - ULONG AcquireSpinLocks; - ULONG SynchronizeExecutions; - ULONG AllocationsAttempted; - - ULONG AllocationsSucceeded; - ULONG AllocationsSucceededSpecialPool; - ULONG AllocationsWithNoTag; - ULONG TrimRequests; - - ULONG Trims; - ULONG AllocationsFailed; - ULONG AllocationsFailedDeliberately; - ULONG Loads; - - ULONG Unloads; - ULONG UnTrackedPool; - ULONG CurrentPagedPoolAllocations; - ULONG CurrentNonPagedPoolAllocations; - - ULONG PeakPagedPoolAllocations; - ULONG 
PeakNonPagedPoolAllocations; - - SIZE_T PagedPoolUsageInBytes; - SIZE_T NonPagedPoolUsageInBytes; - SIZE_T PeakPagedPoolUsageInBytes; - SIZE_T PeakNonPagedPoolUsageInBytes; - } SYSTEM_VERIFIER_INFORMATION_LEGACY, *PSYSTEM_VERIFIER_INFORMATION_LEGACY; - - typedef struct _SYSTEM_VERIFIER_INFORMATION - { - ULONG NextEntryOffset; - ULONG Level; - ULONG RuleClasses[2]; - ULONG TriageContext; - ULONG AreAllDriversBeingVerified; - - UNICODE_STRING DriverName; - - ULONG RaiseIrqls; - ULONG AcquireSpinLocks; - ULONG SynchronizeExecutions; - ULONG AllocationsAttempted; - - ULONG AllocationsSucceeded; - ULONG AllocationsSucceededSpecialPool; - ULONG AllocationsWithNoTag; - ULONG TrimRequests; - - ULONG Trims; - ULONG AllocationsFailed; - ULONG AllocationsFailedDeliberately; - ULONG Loads; - - ULONG Unloads; - ULONG UnTrackedPool; - ULONG CurrentPagedPoolAllocations; - ULONG CurrentNonPagedPoolAllocations; - - ULONG PeakPagedPoolAllocations; - ULONG PeakNonPagedPoolAllocations; - - SIZE_T PagedPoolUsageInBytes; - SIZE_T NonPagedPoolUsageInBytes; - SIZE_T PeakPagedPoolUsageInBytes; - SIZE_T PeakNonPagedPoolUsageInBytes; - } SYSTEM_VERIFIER_INFORMATION, *PSYSTEM_VERIFIER_INFORMATION; - - // private - typedef struct _SYSTEM_SESSION_PROCESS_INFORMATION - { - ULONG SessionId; - ULONG SizeOfBuf; - PVOID Buffer; - } SYSTEM_SESSION_PROCESS_INFORMATION, *PSYSTEM_SESSION_PROCESS_INFORMATION; - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - - // private - typedef struct _SYSTEM_GDI_DRIVER_INFORMATION - { - UNICODE_STRING DriverName; - PVOID ImageAddress; - PVOID SectionPointer; - PVOID EntryPoint; - PIMAGE_EXPORT_DIRECTORY ExportSectionPointer; - ULONG ImageLength; - } SYSTEM_GDI_DRIVER_INFORMATION, *PSYSTEM_GDI_DRIVER_INFORMATION; -#endif - -// geoffchappell -#ifdef _WIN64 -#define MAXIMUM_NODE_COUNT 0x40 -#else -#define MAXIMUM_NODE_COUNT 0x10 -#endif - - // private - typedef struct _SYSTEM_NUMA_INFORMATION - { - ULONG HighestNodeNumber; - ULONG Reserved; - union - { - GROUP_AFFINITY 
ActiveProcessorsGroupAffinity[MAXIMUM_NODE_COUNT]; - ULONGLONG AvailableMemory[MAXIMUM_NODE_COUNT]; - ULONGLONG Pad[MAXIMUM_NODE_COUNT * 2]; - }; - } SYSTEM_NUMA_INFORMATION, *PSYSTEM_NUMA_INFORMATION; - - typedef struct _SYSTEM_PROCESSOR_POWER_INFORMATION - { - UCHAR CurrentFrequency; - UCHAR ThermalLimitFrequency; - UCHAR ConstantThrottleFrequency; - UCHAR DegradedThrottleFrequency; - UCHAR LastBusyFrequency; - UCHAR LastC3Frequency; - UCHAR LastAdjustedBusyFrequency; - UCHAR ProcessorMinThrottle; - UCHAR ProcessorMaxThrottle; - ULONG NumberOfFrequencies; - ULONG PromotionCount; - ULONG DemotionCount; - ULONG ErrorCount; - ULONG RetryCount; - ULONGLONG CurrentFrequencyTime; - ULONGLONG CurrentProcessorTime; - ULONGLONG CurrentProcessorIdleTime; - ULONGLONG LastProcessorTime; - ULONGLONG LastProcessorIdleTime; - ULONGLONG Energy; - } SYSTEM_PROCESSOR_POWER_INFORMATION, *PSYSTEM_PROCESSOR_POWER_INFORMATION; - - typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX - { - PVOID Object; - HANDLE UniqueProcessId; - HANDLE HandleValue; - ACCESS_MASK GrantedAccess; - USHORT CreatorBackTraceIndex; - USHORT ObjectTypeIndex; - ULONG HandleAttributes; - ULONG Reserved; - } SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX; - - typedef struct _SYSTEM_HANDLE_INFORMATION_EX - { - ULONG_PTR NumberOfHandles; - ULONG_PTR Reserved; - _Field_size_(NumberOfHandles) SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1]; - } SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX; - - typedef struct _SYSTEM_BIGPOOL_ENTRY - { - union - { - PVOID VirtualAddress; - ULONG_PTR NonPaged : 1; - }; - SIZE_T SizeInBytes; - union - { - UCHAR Tag[4]; - ULONG TagUlong; - }; - } SYSTEM_BIGPOOL_ENTRY, *PSYSTEM_BIGPOOL_ENTRY; - - typedef struct _SYSTEM_BIGPOOL_INFORMATION - { - ULONG Count; - _Field_size_(Count) SYSTEM_BIGPOOL_ENTRY AllocatedInfo[1]; - } SYSTEM_BIGPOOL_INFORMATION, *PSYSTEM_BIGPOOL_INFORMATION; - - typedef struct _SYSTEM_POOL_ENTRY - { - BOOLEAN Allocated; - BOOLEAN 
Spare0; - USHORT AllocatorBackTraceIndex; - ULONG Size; - union - { - UCHAR Tag[4]; - ULONG TagUlong; - PVOID ProcessChargedQuota; - }; - } SYSTEM_POOL_ENTRY, *PSYSTEM_POOL_ENTRY; - - typedef struct _SYSTEM_POOL_INFORMATION - { - SIZE_T TotalSize; - PVOID FirstEntry; - USHORT EntryOverhead; - BOOLEAN PoolTagPresent; - BOOLEAN Spare0; - ULONG NumberOfEntries; - _Field_size_(NumberOfEntries) SYSTEM_POOL_ENTRY Entries[1]; - } SYSTEM_POOL_INFORMATION, *PSYSTEM_POOL_INFORMATION; - - typedef struct _SYSTEM_SESSION_POOLTAG_INFORMATION - { - SIZE_T NextEntryOffset; - ULONG SessionId; - ULONG Count; - _Field_size_(Count) SYSTEM_POOLTAG TagInfo[1]; - } SYSTEM_SESSION_POOLTAG_INFORMATION, *PSYSTEM_SESSION_POOLTAG_INFORMATION; - - typedef struct _SYSTEM_SESSION_MAPPED_VIEW_INFORMATION - { - SIZE_T NextEntryOffset; - ULONG SessionId; - ULONG ViewFailures; - SIZE_T NumberOfBytesAvailable; - SIZE_T NumberOfBytesAvailableContiguous; - } SYSTEM_SESSION_MAPPED_VIEW_INFORMATION, *PSYSTEM_SESSION_MAPPED_VIEW_INFORMATION; - - typedef enum _WATCHDOG_HANDLER_ACTION - { - WdActionSetTimeoutValue, - WdActionQueryTimeoutValue, - WdActionResetTimer, - WdActionStopTimer, - WdActionStartTimer, - WdActionSetTriggerAction, - WdActionQueryTriggerAction, - WdActionQueryState - } WATCHDOG_HANDLER_ACTION; - - typedef _Function_class_(SYSTEM_WATCHDOG_HANDLER) - NTSTATUS NTAPI SYSTEM_WATCHDOG_HANDLER( - _In_ WATCHDOG_HANDLER_ACTION Action, - _In_ PVOID Context, - _Inout_ PULONG DataValue, - _In_ BOOLEAN NoLocks); - typedef SYSTEM_WATCHDOG_HANDLER *PSYSTEM_WATCHDOG_HANDLER; - - // private - typedef struct _SYSTEM_WATCHDOG_HANDLER_INFORMATION - { - PSYSTEM_WATCHDOG_HANDLER WdHandler; - PVOID Context; - } SYSTEM_WATCHDOG_HANDLER_INFORMATION, *PSYSTEM_WATCHDOG_HANDLER_INFORMATION; - - typedef enum _WATCHDOG_INFORMATION_CLASS - { - WdInfoTimeoutValue = 0, - WdInfoResetTimer = 1, - WdInfoStopTimer = 2, - WdInfoStartTimer = 3, - WdInfoTriggerAction = 4, - WdInfoState = 5, - WdInfoTriggerReset = 6, - 
WdInfoNop = 7, - WdInfoGeneratedLastReset = 8, - WdInfoInvalid = 9, - } WATCHDOG_INFORMATION_CLASS; - - // private - typedef struct _SYSTEM_WATCHDOG_TIMER_INFORMATION - { - WATCHDOG_INFORMATION_CLASS WdInfoClass; - ULONG DataValue; - } SYSTEM_WATCHDOG_TIMER_INFORMATION, *PSYSTEM_WATCHDOG_TIMER_INFORMATION; - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - // private - typedef enum _SYSTEM_FIRMWARE_TABLE_ACTION - { - SystemFirmwareTableEnumerate, - SystemFirmwareTableGet, - SystemFirmwareTableMax - } SYSTEM_FIRMWARE_TABLE_ACTION; - - // private - typedef struct _SYSTEM_FIRMWARE_TABLE_INFORMATION - { - ULONG ProviderSignature; // (same as the GetSystemFirmwareTable function) - SYSTEM_FIRMWARE_TABLE_ACTION Action; - ULONG TableID; - ULONG TableBufferLength; - _Field_size_bytes_(TableBufferLength) UCHAR TableBuffer[1]; - } SYSTEM_FIRMWARE_TABLE_INFORMATION, *PSYSTEM_FIRMWARE_TABLE_INFORMATION; -#endif - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - // private - typedef NTSTATUS(__cdecl *PFNFTH)( - _Inout_ PSYSTEM_FIRMWARE_TABLE_INFORMATION SystemFirmwareTableInfo); - - // private - typedef struct _SYSTEM_FIRMWARE_TABLE_HANDLER - { - ULONG ProviderSignature; - BOOLEAN Register; - PFNFTH FirmwareTableHandler; - PVOID DriverObject; - } SYSTEM_FIRMWARE_TABLE_HANDLER, *PSYSTEM_FIRMWARE_TABLE_HANDLER; -#endif - - // private - typedef struct _SYSTEM_MEMORY_LIST_INFORMATION - { - SIZE_T ZeroPageCount; - SIZE_T FreePageCount; - SIZE_T ModifiedPageCount; - SIZE_T ModifiedNoWritePageCount; - SIZE_T BadPageCount; - SIZE_T PageCountByPriority[8]; - SIZE_T RepurposedPagesByPriority[8]; - SIZE_T ModifiedPageCountPageFile; - } SYSTEM_MEMORY_LIST_INFORMATION, *PSYSTEM_MEMORY_LIST_INFORMATION; - - // private - typedef enum _SYSTEM_MEMORY_LIST_COMMAND - { - MemoryCaptureAccessedBits, - MemoryCaptureAndResetAccessedBits, - MemoryEmptyWorkingSets, - MemoryFlushModifiedList, - MemoryPurgeStandbyList, - MemoryPurgeLowPriorityStandbyList, - MemoryCommandMax - } SYSTEM_MEMORY_LIST_COMMAND; - - // private - 
typedef struct _SYSTEM_THREAD_CID_PRIORITY_INFORMATION - { - CLIENT_ID ClientId; - KPRIORITY Priority; - } SYSTEM_THREAD_CID_PRIORITY_INFORMATION, *PSYSTEM_THREAD_CID_PRIORITY_INFORMATION; - - // private - typedef struct _SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION - { - ULONGLONG CycleTime; - } SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION, *PSYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION; - - // private - typedef struct _SYSTEM_VERIFIER_ISSUE - { - ULONGLONG IssueType; - PVOID Address; - ULONGLONG Parameters[2]; - } SYSTEM_VERIFIER_ISSUE, *PSYSTEM_VERIFIER_ISSUE; - - // private - typedef struct _SYSTEM_VERIFIER_CANCELLATION_INFORMATION - { - ULONG CancelProbability; - ULONG CancelThreshold; - ULONG CompletionThreshold; - ULONG CancellationVerifierDisabled; - ULONG AvailableIssues; - SYSTEM_VERIFIER_ISSUE Issues[128]; - } SYSTEM_VERIFIER_CANCELLATION_INFORMATION, *PSYSTEM_VERIFIER_CANCELLATION_INFORMATION; - - // private - typedef struct _SYSTEM_REF_TRACE_INFORMATION - { - BOOLEAN TraceEnable; - BOOLEAN TracePermanent; - UNICODE_STRING TraceProcessName; - UNICODE_STRING TracePoolTags; - } SYSTEM_REF_TRACE_INFORMATION, *PSYSTEM_REF_TRACE_INFORMATION; - - // private - typedef struct _SYSTEM_SPECIAL_POOL_INFORMATION - { - ULONG PoolTag; - ULONG Flags; - } SYSTEM_SPECIAL_POOL_INFORMATION, *PSYSTEM_SPECIAL_POOL_INFORMATION; - - // private - typedef struct _SYSTEM_PROCESS_ID_INFORMATION - { - HANDLE ProcessId; - UNICODE_STRING ImageName; - } SYSTEM_PROCESS_ID_INFORMATION, *PSYSTEM_PROCESS_ID_INFORMATION; - - // private - typedef struct _SYSTEM_HYPERVISOR_QUERY_INFORMATION - { - BOOLEAN HypervisorConnected; - BOOLEAN HypervisorDebuggingEnabled; - BOOLEAN HypervisorPresent; - BOOLEAN Spare0[5]; - ULONGLONG EnabledEnlightenments; - } SYSTEM_HYPERVISOR_QUERY_INFORMATION, *PSYSTEM_HYPERVISOR_QUERY_INFORMATION; - - // private - typedef struct _SYSTEM_BOOT_ENVIRONMENT_INFORMATION - { - GUID BootIdentifier; - FIRMWARE_TYPE FirmwareType; - union - { - ULONGLONG BootFlags; - struct 
- { - ULONGLONG DbgMenuOsSelection : 1; // REDSTONE4 - ULONGLONG DbgHiberBoot : 1; - ULONGLONG DbgSoftBoot : 1; - ULONGLONG DbgMeasuredLaunch : 1; - ULONGLONG DbgMeasuredLaunchCapable : 1; // 19H1 - ULONGLONG DbgSystemHiveReplace : 1; - ULONGLONG DbgMeasuredLaunchSmmProtections : 1; - ULONGLONG DbgMeasuredLaunchSmmLevel : 7; // 20H1 - ULONGLONG DbgBugCheckRecovery : 1; // 24H2 - ULONGLONG DbgFASR : 1; - ULONGLONG DbgUseCachedBcd : 1; - }; - }; - } SYSTEM_BOOT_ENVIRONMENT_INFORMATION, *PSYSTEM_BOOT_ENVIRONMENT_INFORMATION; - - // private - typedef struct _SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION - { - ULONG FlagsToEnable; - ULONG FlagsToDisable; - } SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION, *PSYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION; - - // private - typedef enum _COVERAGE_REQUEST_CODES - { - CoverageAllModules = 0, - CoverageSearchByHash = 1, - CoverageSearchByName = 2 - } COVERAGE_REQUEST_CODES; - - // private - typedef struct _COVERAGE_MODULE_REQUEST - { - COVERAGE_REQUEST_CODES RequestType; - union - { - UCHAR MD5Hash[16]; - UNICODE_STRING ModuleName; - } SearchInfo; - } COVERAGE_MODULE_REQUEST, *PCOVERAGE_MODULE_REQUEST; - - // private - typedef struct _COVERAGE_MODULE_INFO - { - ULONG ModuleInfoSize; - ULONG IsBinaryLoaded; - UNICODE_STRING ModulePathName; - ULONG CoverageSectionSize; - UCHAR CoverageSection[1]; - } COVERAGE_MODULE_INFO, *PCOVERAGE_MODULE_INFO; - - // private - typedef struct _COVERAGE_MODULES - { - ULONG ListAndReset; - ULONG NumberOfModules; - COVERAGE_MODULE_REQUEST ModuleRequestInfo; - COVERAGE_MODULE_INFO Modules[1]; - } COVERAGE_MODULES, *PCOVERAGE_MODULES; - - // private - typedef struct _SYSTEM_PREFETCH_PATCH_INFORMATION - { - ULONG PrefetchPatchCount; - } SYSTEM_PREFETCH_PATCH_INFORMATION, *PSYSTEM_PREFETCH_PATCH_INFORMATION; - - // private - typedef struct _SYSTEM_VERIFIER_FAULTS_INFORMATION - { - ULONG Probability; - ULONG MaxProbability; - UNICODE_STRING PoolTags; - UNICODE_STRING Applications; - } 
SYSTEM_VERIFIER_FAULTS_INFORMATION, *PSYSTEM_VERIFIER_FAULTS_INFORMATION; - - // private - typedef struct _SYSTEM_VERIFIER_INFORMATION_EX - { - ULONG VerifyMode; - ULONG OptionChanges; - UNICODE_STRING PreviousBucketName; - ULONG IrpCancelTimeoutMsec; - ULONG VerifierExtensionEnabled; -#ifdef _WIN64 - ULONG Reserved[1]; -#else - ULONG Reserved[3]; -#endif - } SYSTEM_VERIFIER_INFORMATION_EX, *PSYSTEM_VERIFIER_INFORMATION_EX; - - // private - typedef struct _SYSTEM_SYSTEM_PARTITION_INFORMATION - { - UNICODE_STRING SystemPartition; - } SYSTEM_SYSTEM_PARTITION_INFORMATION, *PSYSTEM_SYSTEM_PARTITION_INFORMATION; - - // private - typedef struct _SYSTEM_SYSTEM_DISK_INFORMATION - { - UNICODE_STRING SystemDisk; - } SYSTEM_SYSTEM_DISK_INFORMATION, *PSYSTEM_SYSTEM_DISK_INFORMATION; - - // private - typedef struct _SYSTEM_NUMA_PROXIMITY_MAP - { - ULONG NodeProximityId; - USHORT NodeNumber; - } SYSTEM_NUMA_PROXIMITY_MAP, *PSYSTEM_NUMA_PROXIMITY_MAP; - - // private (Windows 8.1 and above) - typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT - { - ULONGLONG Hits; - UCHAR PercentFrequency; - } SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT, *PSYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT; - - // private (Windows 8.1 and above) - typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION - { - ULONG ProcessorNumber; - ULONG StateCount; - _Field_size_(StateCount) SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT States[1]; - } SYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION, *PSYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION; - - // private (Windows 7 and Windows 8) - typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8 - { - ULONG Hits; - UCHAR PercentFrequency; - } SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8, *PSYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8; - - // private (Windows 7 and Windows 8) - typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION_WIN8 - { - ULONG ProcessorNumber; - ULONG StateCount; - _Field_size_(StateCount) SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8 States[1]; - } 
SYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION_WIN8, *PSYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION_WIN8; - - // private - typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION - { - ULONG ProcessorCount; - ULONG Offsets[1]; - } SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION, *PSYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION; - -#define CODEINTEGRITY_OPTION_ENABLED 0x01 -#define CODEINTEGRITY_OPTION_TESTSIGN 0x02 -#define CODEINTEGRITY_OPTION_UMCI_ENABLED 0x04 -#define CODEINTEGRITY_OPTION_UMCI_AUDITMODE_ENABLED 0x08 -#define CODEINTEGRITY_OPTION_UMCI_EXCLUSIONPATHS_ENABLED 0x10 -#define CODEINTEGRITY_OPTION_TEST_BUILD 0x20 -#define CODEINTEGRITY_OPTION_PREPRODUCTION_BUILD 0x40 -#define CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED 0x80 -#define CODEINTEGRITY_OPTION_FLIGHT_BUILD 0x100 -#define CODEINTEGRITY_OPTION_FLIGHTING_ENABLED 0x200 -#define CODEINTEGRITY_OPTION_HVCI_KMCI_ENABLED 0x400 -#define CODEINTEGRITY_OPTION_HVCI_KMCI_AUDITMODE_ENABLED 0x800 -#define CODEINTEGRITY_OPTION_HVCI_KMCI_STRICTMODE_ENABLED 0x1000 -#define CODEINTEGRITY_OPTION_HVCI_IUM_ENABLED 0x2000 -#define CODEINTEGRITY_OPTION_WHQL_ENFORCEMENT_ENABLED 0x4000 -#define CODEINTEGRITY_OPTION_WHQL_AUDITMODE_ENABLED 0x8000 - - // private - typedef struct _SYSTEM_CODEINTEGRITY_INFORMATION - { - ULONG Length; - union - { - ULONG CodeIntegrityOptions; - struct - { - ULONG Enabled : 1; - ULONG TestSign : 1; - ULONG UmciEnabled : 1; - ULONG UmciAuditModeEnabled : 1; - ULONG UmciExclusionPathsEnabled : 1; - ULONG TestBuild : 1; - ULONG PreproductionBuild : 1; - ULONG DebugModeEnabled : 1; - ULONG FlightBuild : 1; - ULONG FlightingEnabled : 1; - ULONG HvciKmciEnabled : 1; - ULONG HvciKmciAuditModeEnabled : 1; - ULONG HvciKmciStrictModeEnabled : 1; - ULONG HvciIumEnabled : 1; - ULONG WhqlEnforcementEnabled : 1; - ULONG WhqlAuditModeEnabled : 1; - ULONG Spare : 16; - }; - }; - } SYSTEM_CODEINTEGRITY_INFORMATION, *PSYSTEM_CODEINTEGRITY_INFORMATION; - - // private - typedef struct 
_SYSTEM_PROCESSOR_MICROCODE_UPDATE_INFORMATION - { - ULONG Operation; - } SYSTEM_PROCESSOR_MICROCODE_UPDATE_INFORMATION, *PSYSTEM_PROCESSOR_MICROCODE_UPDATE_INFORMATION; - - // private - typedef enum _SYSTEM_VA_TYPE - { - SystemVaTypeAll, - SystemVaTypeNonPagedPool, - SystemVaTypePagedPool, - SystemVaTypeSystemCache, - SystemVaTypeSystemPtes, - SystemVaTypeSessionSpace, - SystemVaTypeMax - } SYSTEM_VA_TYPE, - *PSYSTEM_VA_TYPE; - - // private - typedef struct _SYSTEM_VA_LIST_INFORMATION - { - SIZE_T VirtualSize; - SIZE_T VirtualPeak; - SIZE_T VirtualLimit; - SIZE_T AllocationFailures; - } SYSTEM_VA_LIST_INFORMATION, *PSYSTEM_VA_LIST_INFORMATION; - - // rev - typedef enum _STORE_INFORMATION_CLASS - { - StorePageRequest = 1, - StoreStatsRequest = 2, // q: SM_STATS_REQUEST // SmProcessStatsRequest - StoreCreateRequest = 3, // s: SM_CREATE_REQUEST (requires SeProfileSingleProcessPrivilege) - StoreDeleteRequest = 4, // s: SM_DELETE_REQUEST (requires SeProfileSingleProcessPrivilege) - StoreListRequest = 5, // q: SM_STORE_LIST_REQUEST / SM_STORE_LIST_REQUEST_EX // SmProcessListRequest - Available1 = 6, - StoreEmptyRequest = 7, - CacheListRequest = 8, // q: SMC_CACHE_LIST_REQUEST // SmcProcessListRequest - CacheCreateRequest = 9, // s: SMC_CACHE_CREATE_REQUEST (requires SeProfileSingleProcessPrivilege) - CacheDeleteRequest = 10, // s: SMC_CACHE_DELETE_REQUEST (requires SeProfileSingleProcessPrivilege) - CacheStoreCreateRequest = 11, // s: SMC_STORE_CREATE_REQUEST (requires SeProfileSingleProcessPrivilege) - CacheStoreDeleteRequest = 12, // s: SMC_STORE_DELETE_REQUEST (requires SeProfileSingleProcessPrivilege) - CacheStatsRequest = 13, // q: SMC_CACHE_STATS_REQUEST // SmcProcessStatsRequest - Available2 = 14, - RegistrationRequest = 15, // q: SM_REGISTRATION_REQUEST (requires SeProfileSingleProcessPrivilege) // SmProcessRegistrationRequest - GlobalCacheStatsRequest = 16, - StoreResizeRequest = 17, // s: SM_STORE_RESIZE_REQUEST (requires SeProfileSingleProcessPrivilege) - 
CacheStoreResizeRequest = 18, // s: SMC_STORE_RESIZE_REQUEST (requires SeProfileSingleProcessPrivilege) - SmConfigRequest = 19, // s: SM_CONFIG_REQUEST (requires SeProfileSingleProcessPrivilege) - StoreHighMemoryPriorityRequest = 20, // s: SM_STORE_HIGH_MEM_PRIORITY_REQUEST (requires SeProfileSingleProcessPrivilege) - SystemStoreTrimRequest = 21, // s: SM_SYSTEM_STORE_TRIM_REQUEST (requires SeProfileSingleProcessPrivilege) - MemCompressionInfoRequest = 22, // q: SM_MEM_COMPRESSION_INFO_REQUEST // SmProcessCompressionInfoRequest - ProcessStoreInfoRequest = 23, // SmProcessProcessStoreInfoRequest - StoreInformationMax - } STORE_INFORMATION_CLASS; - -// rev -#define SYSTEM_STORE_INFORMATION_VERSION 1 - - // rev - typedef struct _SYSTEM_STORE_INFORMATION - { - _In_ ULONG Version; - _In_ STORE_INFORMATION_CLASS StoreInformationClass; - _Inout_ PVOID Data; - _Inout_ ULONG Length; - } SYSTEM_STORE_INFORMATION, *PSYSTEM_STORE_INFORMATION; - -#define SYSTEM_STORE_STATS_INFORMATION_VERSION 2 - - typedef enum _ST_STATS_LEVEL - { - StStatsLevelBasic = 0, - StStatsLevelIoStats = 1, - StStatsLevelRegionSpace = 2, // requires SeProfileSingleProcessPrivilege - StStatsLevelSpaceBitmap = 3, // requires SeProfileSingleProcessPrivilege - StStatsLevelMax = 4 - } ST_STATS_LEVEL; - - typedef struct _SM_STATS_REQUEST - { - ULONG Version : 8; // SYSTEM_STORE_STATS_INFORMATION_VERSION - ULONG DetailLevel : 8; // ST_STATS_LEVEL - ULONG StoreId : 16; - ULONG BufferSize; - PVOID Buffer; // PST_STATS - } SM_STATS_REQUEST, *PSM_STATS_REQUEST; - - typedef struct _ST_DATA_MGR_STATS - { - ULONG RegionCount; - ULONG PagesStored; - ULONG UniquePagesStored; - ULONG LazyCleanupRegionCount; - struct - { - ULONG RegionsInUse; - ULONG SpaceUsed; - } Space[8]; - } ST_DATA_MGR_STATS, *PST_DATA_MGR_STATS; - - typedef struct _ST_IO_STATS_PERIOD - { - ULONG PageCounts[5]; - } ST_IO_STATS_PERIOD, *PST_IO_STATS_PERIOD; - - typedef struct _ST_IO_STATS - { - ULONG PeriodCount; - ST_IO_STATS_PERIOD Periods[64]; - } 
ST_IO_STATS, *PST_IO_STATS; - - typedef struct _ST_READ_LATENCY_BUCKET - { - ULONG LatencyUs; - ULONG Count; - } ST_READ_LATENCY_BUCKET, *PST_READ_LATENCY_BUCKET; - - typedef struct _ST_READ_LATENCY_STATS - { - ST_READ_LATENCY_BUCKET Buckets[8]; - } ST_READ_LATENCY_STATS, *PST_READ_LATENCY_STATS; - - // rev - typedef struct _ST_STATS_REGION_INFO - { - USHORT SpaceUsed; - UCHAR Priority; - UCHAR Spare; - } ST_STATS_REGION_INFO, *PST_STATS_REGION_INFO; - - // rev - typedef struct _ST_STATS_SPACE_BITMAP - { - SIZE_T CompressedBytes; - ULONG BytesPerBit; - UCHAR StoreBitmap[1]; - } ST_STATS_SPACE_BITMAP, *PST_STATS_SPACE_BITMAP; - - // rev - typedef struct _ST_STATS - { - ULONG Version : 8; - ULONG Level : 4; - ULONG StoreType : 4; - ULONG NoDuplication : 1; - ULONG NoCompression : 1; - ULONG EncryptionStrength : 12; - ULONG VirtualRegions : 1; - ULONG Spare0 : 1; - ULONG Size; - USHORT CompressionFormat; - USHORT Spare; - - struct - { - ULONG RegionSize; - ULONG RegionCount; - ULONG RegionCountMax; - ULONG Granularity; - ST_DATA_MGR_STATS UserData; - ST_DATA_MGR_STATS Metadata; - } Basic; - - struct - { - ST_IO_STATS IoStats; - ST_READ_LATENCY_STATS ReadLatencyStats; - } Io; - - // ST_STATS_REGION_INFO[RegionCountMax] - // ST_STATS_SPACE_BITMAP - } ST_STATS, *PST_STATS; - -#define SYSTEM_STORE_CREATE_INFORMATION_VERSION 6 - - typedef enum _SM_STORE_TYPE - { - StoreTypeInMemory = 0, - StoreTypeFile = 1, - StoreTypeMax = 2 - } SM_STORE_TYPE; - - typedef struct _SM_STORE_BASIC_PARAMS - { - union - { - struct - { - ULONG StoreType : 8; // SM_STORE_TYPE - ULONG NoDuplication : 1; - ULONG FailNoCompression : 1; - ULONG NoCompression : 1; - ULONG NoEncryption : 1; - ULONG NoEvictOnAdd : 1; - ULONG PerformsFileIo : 1; - ULONG VdlNotSet : 1; - ULONG UseIntermediateAddBuffer : 1; - ULONG CompressNoHuff : 1; - ULONG LockActiveRegions : 1; - ULONG VirtualRegions : 1; - ULONG Spare : 13; - }; - ULONG StoreFlags; - }; - ULONG Granularity; - ULONG RegionSize; - ULONG RegionCountMax; 
- } SM_STORE_BASIC_PARAMS, *PSM_STORE_BASIC_PARAMS; - - typedef struct _SMKM_REGION_EXTENT - { - ULONG RegionCount; - SIZE_T ByteOffset; - } SMKM_REGION_EXTENT, *PSMKM_REGION_EXTENT; - - typedef struct _SMKM_FILE_INFO - { - HANDLE FileHandle; - PFILE_OBJECT FileObject; - PFILE_OBJECT VolumeFileObject; - PDEVICE_OBJECT VolumeDeviceObject; - HANDLE VolumePnpHandle; - PIRP UsageNotificationIrp; - PSMKM_REGION_EXTENT Extents; - ULONG ExtentCount; - } SMKM_FILE_INFO, *PSMKM_FILE_INFO; - - typedef struct _SM_STORE_CACHE_BACKED_PARAMS - { - ULONG SectorSize; - PCHAR EncryptionKey; - ULONG EncryptionKeySize; - PSMKM_FILE_INFO FileInfo; - PVOID EtaContext; - PRTL_BITMAP StoreRegionBitmap; - } SM_STORE_CACHE_BACKED_PARAMS, *PSM_STORE_CACHE_BACKED_PARAMS; - - typedef struct _SM_STORE_PARAMETERS - { - SM_STORE_BASIC_PARAMS Store; - ULONG Priority; - ULONG Flags; - SM_STORE_CACHE_BACKED_PARAMS CacheBacked; - } SM_STORE_PARAMETERS, *PSM_STORE_PARAMETERS; - - typedef struct _SM_CREATE_REQUEST - { - ULONG Version : 8; // SYSTEM_STORE_CREATE_INFORMATION_VERSION - ULONG AcquireReference : 1; - ULONG KeyedStore : 1; - ULONG Spare : 22; - SM_STORE_PARAMETERS Params; - ULONG StoreId; - } SM_CREATE_REQUEST, *PSM_CREATE_REQUEST; - -#define SYSTEM_STORE_DELETE_INFORMATION_VERSION 1 - - typedef struct _SM_DELETE_REQUEST - { - ULONG Version : 8; // SYSTEM_STORE_DELETE_INFORMATION_VERSION - ULONG Spare : 24; - ULONG StoreId; - } SM_DELETE_REQUEST, *PSM_DELETE_REQUEST; - -#define SYSTEM_STORE_LIST_INFORMATION_VERSION 2 - - typedef struct _SM_STORE_LIST_REQUEST - { - ULONG Version : 8; // SYSTEM_STORE_LIST_INFORMATION_VERSION - ULONG StoreCount : 8; // = 0 - ULONG ExtendedRequest : 1; // SM_STORE_LIST_REQUEST_EX if set - ULONG Spare : 15; - ULONG StoreId[32]; - } SM_STORE_LIST_REQUEST, *PSM_STORE_LIST_REQUEST; - - typedef struct _SM_STORE_LIST_REQUEST_EX - { - SM_STORE_LIST_REQUEST Request; - WCHAR NameBuffer[32][64]; - } SM_STORE_LIST_REQUEST_EX, *PSM_STORE_LIST_REQUEST_EX; - -#define 
SYSTEM_CACHE_LIST_INFORMATION_VERSION 2 - - typedef struct _SMC_CACHE_LIST_REQUEST - { - ULONG Version : 8; // SYSTEM_CACHE_LIST_INFORMATION_VERSION - ULONG CacheCount : 8; // = 0 - ULONG Spare : 16; - ULONG CacheId[16]; - } SMC_CACHE_LIST_REQUEST, *PSMC_CACHE_LIST_REQUEST; - -#define SYSTEM_CACHE_CREATE_INFORMATION_VERSION 3 - - typedef struct _SMC_CACHE_PARAMETERS - { - SIZE_T CacheFileSize; - ULONG StoreAlignment; - ULONG PerformsFileIo : 1; - ULONG VdlNotSet : 1; - ULONG Spare : 30; - ULONG CacheFlags; - ULONG Priority; - } SMC_CACHE_PARAMETERS, *PSMC_CACHE_PARAMETERS; - - typedef struct _SMC_CACHE_CREATE_PARAMETERS - { - SMC_CACHE_PARAMETERS CacheParameters; - WCHAR TemplateFilePath[512]; - } SMC_CACHE_CREATE_PARAMETERS, *PSMC_CACHE_CREATE_PARAMETERS; - - typedef struct _SMC_CACHE_CREATE_REQUEST - { - ULONG Version : 8; // SYSTEM_CACHE_CREATE_INFORMATION_VERSION - ULONG Spare : 24; - ULONG CacheId; - SMC_CACHE_CREATE_PARAMETERS CacheCreateParams; - } SMC_CACHE_CREATE_REQUEST, *PSMC_CACHE_CREATE_REQUEST; - -#define SYSTEM_CACHE_DELETE_INFORMATION_VERSION 1 - - typedef struct _SMC_CACHE_DELETE_REQUEST - { - ULONG Version : 8; // SYSTEM_CACHE_DELETE_INFORMATION_VERSION - ULONG Spare : 24; - ULONG CacheId; - } SMC_CACHE_DELETE_REQUEST, *PSMC_CACHE_DELETE_REQUEST; - -#define SYSTEM_CACHE_STORE_CREATE_INFORMATION_VERSION 2 - - typedef enum _SM_STORE_MANAGER_TYPE - { - SmStoreManagerTypePhysical = 0, - SmStoreManagerTypeVirtual = 1, - SmStoreManagerTypeMax = 2 - } SM_STORE_MANAGER_TYPE; - - typedef struct _SMC_STORE_CREATE_REQUEST - { - ULONG Version : 8; // SYSTEM_CACHE_STORE_CREATE_INFORMATION_VERSION - ULONG Spare : 24; - SM_STORE_BASIC_PARAMS StoreParams; - ULONG CacheId; - SM_STORE_MANAGER_TYPE StoreManagerType; - ULONG StoreId; - } SMC_STORE_CREATE_REQUEST, *PSMC_STORE_CREATE_REQUEST; - -#define SYSTEM_CACHE_STORE_DELETE_INFORMATION_VERSION 1 - - typedef struct _SMC_STORE_DELETE_REQUEST - { - ULONG Version : 8; // SYSTEM_CACHE_STORE_DELETE_INFORMATION_VERSION - 
ULONG Spare : 24; - ULONG CacheId; - SM_STORE_MANAGER_TYPE StoreManagerType; - ULONG StoreId; - } SMC_STORE_DELETE_REQUEST, *PSMC_STORE_DELETE_REQUEST; - -#define SYSTEM_CACHE_STATS_INFORMATION_VERSION 3 - - typedef struct _SMC_CACHE_STATS - { - SIZE_T TotalFileSize; - ULONG StoreCount; - ULONG RegionCount; - ULONG RegionSizeBytes; - ULONG FileCount : 6; - ULONG PerformsFileIo : 1; - ULONG Spare : 25; - ULONG StoreIds[16]; - ULONG PhysicalStoreBitmap; - ULONG Priority; - WCHAR TemplateFilePath[512]; - } SMC_CACHE_STATS, *PSMC_CACHE_STATS; - - typedef struct _SMC_CACHE_STATS_REQUEST - { - ULONG Version : 8; // SYSTEM_CACHE_STATS_INFORMATION_VERSION - ULONG NoFilePath : 1; - ULONG Spare : 23; - ULONG CacheId; - SMC_CACHE_STATS CacheStats; - } SMC_CACHE_STATS_REQUEST, *PSMC_CACHE_STATS_REQUEST; - -#define SYSTEM_STORE_REGISTRATION_INFORMATION_VERSION 2 - - typedef struct _SM_REGISTRATION_INFO - { - HANDLE CachesUpdatedEvent; - } SM_REGISTRATION_INFO, *PSM_REGISTRATION_INFO; - - typedef struct _SM_REGISTRATION_REQUEST - { - ULONG Version : 8; // SYSTEM_STORE_REGISTRATION_INFORMATION_VERSION - ULONG Spare : 24; - SM_REGISTRATION_INFO RegInfo; - } SM_REGISTRATION_REQUEST, *PSM_REGISTRATION_REQUEST; - -#define SYSTEM_STORE_RESIZE_INFORMATION_VERSION 6 - - typedef struct _SM_STORE_RESIZE_REQUEST - { - ULONG Version : 8; // SYSTEM_STORE_RESIZE_INFORMATION_VERSION - ULONG AddRegions : 1; - ULONG Spare : 23; - ULONG StoreId; - ULONG NumberOfRegions; - PRTL_BITMAP RegionBitmap; - } SM_STORE_RESIZE_REQUEST, *PSM_STORE_RESIZE_REQUEST; - -#define SYSTEM_CACHE_STORE_RESIZE_INFORMATION_VERSION 1 - - typedef struct _SMC_STORE_RESIZE_REQUEST - { - ULONG Version : 8; // SYSTEM_CACHE_STORE_RESIZE_INFORMATION_VERSION - ULONG AddRegions : 1; - ULONG Spare : 23; - ULONG CacheId; - ULONG StoreId; - SM_STORE_MANAGER_TYPE StoreManagerType; - ULONG RegionCount; - } SMC_STORE_RESIZE_REQUEST, *PSMC_STORE_RESIZE_REQUEST; - -#define SYSTEM_STORE_CONFIG_INFORMATION_VERSION 4 - - typedef enum 
_SM_CONFIG_TYPE - { - SmConfigDirtyPageCompression = 0, - SmConfigAsyncInswap = 1, - SmConfigPrefetchSeekThreshold = 2, - SmConfigTypeMax = 3 - } SM_CONFIG_TYPE; - - typedef struct _SM_CONFIG_REQUEST - { - ULONG Version : 8; // SYSTEM_STORE_CONFIG_INFORMATION_VERSION - ULONG Spare : 16; - ULONG ConfigType : 8; // SM_CONFIG_TYPE - ULONG ConfigValue; - } SM_CONFIG_REQUEST, *PSM_CONFIG_REQUEST; - -#define SYSTEM_STORE_HIGH_MEM_PRIORITY_INFORMATION_VERSION 1 - - // rev - typedef struct _SM_STORE_HIGH_MEM_PRIORITY_REQUEST - { - ULONG Version : 8; // SYSTEM_STORE_HIGH_MEM_PRIORITY_INFORMATION_VERSION - ULONG SetHighMemoryPriority : 1; - ULONG Spare : 23; - HANDLE ProcessHandle; - } SM_STORE_HIGH_MEM_PRIORITY_REQUEST, *PSM_STORE_HIGH_MEM_PRIORITY_REQUEST; - -#define SYSTEM_STORE_TRIM_INFORMATION_VERSION 1 - - // rev - typedef struct _SM_SYSTEM_STORE_TRIM_REQUEST - { - ULONG Version : 8; // SYSTEM_STORE_TRIM_INFORMATION_VERSION - ULONG Spare : 24; - SIZE_T PagesToTrim; // ULONG? - } SM_SYSTEM_STORE_TRIM_REQUEST, *PSM_SYSTEM_STORE_TRIM_REQUEST; - -// rev -#define SYSTEM_STORE_COMPRESSION_INFORMATION_VERSION 3 - - // rev - typedef struct _SM_MEM_COMPRESSION_INFO_REQUEST - { - ULONG Version : 8; // SYSTEM_STORE_COMPRESSION_INFORMATION_VERSION - ULONG Spare : 24; - ULONG CompressionPid; - ULONG WorkingSetSize; - SIZE_T TotalDataCompressed; - SIZE_T TotalCompressedSize; - SIZE_T TotalUniqueDataCompressed; - } SM_MEM_COMPRESSION_INFO_REQUEST, *PSM_MEM_COMPRESSION_INFO_REQUEST; - - // private - typedef struct _SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS - { - HANDLE KeyHandle; - PUNICODE_STRING ValueNamePointer; - PULONG RequiredLengthPointer; - PUCHAR Buffer; - ULONG BufferLength; - ULONG Type; - PUCHAR AppendBuffer; - ULONG AppendBufferLength; - BOOLEAN CreateIfDoesntExist; - BOOLEAN TruncateExistingValue; - } SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS, *PSYSTEM_REGISTRY_APPEND_STRING_PARAMETERS; - - // msdn - typedef struct _SYSTEM_VHD_BOOT_INFORMATION - { - BOOLEAN OsDiskIsVhd; - 
ULONG OsVhdFilePathOffset; - WCHAR OsVhdParentVolume[1]; - } SYSTEM_VHD_BOOT_INFORMATION, *PSYSTEM_VHD_BOOT_INFORMATION; - - // private - typedef struct _PS_CPU_QUOTA_QUERY_ENTRY - { - ULONG SessionId; - ULONG Weight; - } PS_CPU_QUOTA_QUERY_ENTRY, *PPS_CPU_QUOTA_QUERY_ENTRY; - - // private - typedef struct _PS_CPU_QUOTA_QUERY_INFORMATION - { - ULONG SessionCount; - PS_CPU_QUOTA_QUERY_ENTRY SessionInformation[1]; - } PS_CPU_QUOTA_QUERY_INFORMATION, *PPS_CPU_QUOTA_QUERY_INFORMATION; - - // private - typedef struct _SYSTEM_ERROR_PORT_TIMEOUTS - { - ULONG StartTimeout; - ULONG CommTimeout; - } SYSTEM_ERROR_PORT_TIMEOUTS, *PSYSTEM_ERROR_PORT_TIMEOUTS; - - // private - typedef struct _SYSTEM_LOW_PRIORITY_IO_INFORMATION - { - ULONG LowPriReadOperations; - ULONG LowPriWriteOperations; - ULONG KernelBumpedToNormalOperations; - ULONG LowPriPagingReadOperations; - ULONG KernelPagingReadsBumpedToNormal; - ULONG LowPriPagingWriteOperations; - ULONG KernelPagingWritesBumpedToNormal; - ULONG BoostedIrpCount; - ULONG BoostedPagingIrpCount; - ULONG BlanketBoostCount; - } SYSTEM_LOW_PRIORITY_IO_INFORMATION, *PSYSTEM_LOW_PRIORITY_IO_INFORMATION; - - // symbols - typedef enum _BOOT_ENTROPY_SOURCE_RESULT_CODE - { - BootEntropySourceStructureUninitialized, - BootEntropySourceDisabledByPolicy, - BootEntropySourceNotPresent, - BootEntropySourceError, - BootEntropySourceSuccess - } BOOT_ENTROPY_SOURCE_RESULT_CODE; - - typedef enum _BOOT_ENTROPY_SOURCE_ID - { - BootEntropySourceNone = 0, - BootEntropySourceSeedfile = 1, - BootEntropySourceExternal = 2, - BootEntropySourceTpm = 3, - BootEntropySourceRdrand = 4, - BootEntropySourceTime = 5, - BootEntropySourceAcpiOem0 = 6, - BootEntropySourceUefi = 7, - BootEntropySourceCng = 8, - BootEntropySourceTcbTpm = 9, - BootEntropySourceTcbRdrand = 10, - BootMaxEntropySources = 10 - } BOOT_ENTROPY_SOURCE_ID, - *PBOOT_ENTROPY_SOURCE_ID; - - // Contents of KeLoaderBlock->Extension->TpmBootEntropyResult (TPM_BOOT_ENTROPY_LDR_RESULT). 
- // EntropyData is truncated to 40 bytes. - - // private - typedef struct _TPM_BOOT_ENTROPY_NT_RESULT - { - ULONGLONG Policy; - BOOT_ENTROPY_SOURCE_RESULT_CODE ResultCode; - NTSTATUS ResultStatus; - ULONGLONG Time; - ULONG EntropyLength; - UCHAR EntropyData[40]; - } TPM_BOOT_ENTROPY_NT_RESULT, *PTPM_BOOT_ENTROPY_NT_RESULT; - - // private - typedef struct _BOOT_ENTROPY_SOURCE_NT_RESULT - { - BOOT_ENTROPY_SOURCE_ID SourceId; - ULONG64 Policy; - BOOT_ENTROPY_SOURCE_RESULT_CODE ResultCode; - NTSTATUS ResultStatus; - ULONGLONG Time; - ULONG EntropyLength; - UCHAR EntropyData[64]; - } BOOT_ENTROPY_SOURCE_NT_RESULT, *PBOOT_ENTROPY_SOURCE_NT_RESULT; - - // private - typedef struct _BOOT_ENTROPY_NT_RESULT - { - ULONG maxEntropySources; - BOOT_ENTROPY_SOURCE_NT_RESULT EntropySourceResult[10]; - UCHAR SeedBytesForCng[48]; - } BOOT_ENTROPY_NT_RESULT, *PBOOT_ENTROPY_NT_RESULT; - - // private - typedef struct _SYSTEM_VERIFIER_COUNTERS_INFORMATION - { - SYSTEM_VERIFIER_INFORMATION Legacy; - ULONG RaiseIrqls; - ULONG AcquireSpinLocks; - ULONG SynchronizeExecutions; - ULONG AllocationsWithNoTag; - ULONG AllocationsFailed; - ULONG AllocationsFailedDeliberately; - SIZE_T LockedBytes; - SIZE_T PeakLockedBytes; - SIZE_T MappedLockedBytes; - SIZE_T PeakMappedLockedBytes; - SIZE_T MappedIoSpaceBytes; - SIZE_T PeakMappedIoSpaceBytes; - SIZE_T PagesForMdlBytes; - SIZE_T PeakPagesForMdlBytes; - SIZE_T ContiguousMemoryBytes; - SIZE_T PeakContiguousMemoryBytes; - ULONG ExecutePoolTypes; // REDSTONE2 - ULONG ExecutePageProtections; - ULONG ExecutePageMappings; - ULONG ExecuteWriteSections; - ULONG SectionAlignmentFailures; - ULONG UnsupportedRelocs; - ULONG IATInExecutableSection; - } SYSTEM_VERIFIER_COUNTERS_INFORMATION, *PSYSTEM_VERIFIER_COUNTERS_INFORMATION; - - // private - typedef struct _SYSTEM_ACPI_AUDIT_INFORMATION - { - ULONG RsdpCount; - ULONG SameRsdt : 1; - ULONG SlicPresent : 1; - ULONG SlicDifferent : 1; - } SYSTEM_ACPI_AUDIT_INFORMATION, *PSYSTEM_ACPI_AUDIT_INFORMATION; - - // 
private - typedef struct _SYSTEM_BASIC_PERFORMANCE_INFORMATION - { - SIZE_T AvailablePages; - SIZE_T CommittedPages; - SIZE_T CommitLimit; - SIZE_T PeakCommitment; - } SYSTEM_BASIC_PERFORMANCE_INFORMATION, *PSYSTEM_BASIC_PERFORMANCE_INFORMATION; - - // begin_msdn - - typedef struct _QUERY_PERFORMANCE_COUNTER_FLAGS - { - union - { - struct - { - ULONG KernelTransition : 1; - ULONG Reserved : 31; - }; - ULONG ul; - }; - } QUERY_PERFORMANCE_COUNTER_FLAGS; - - typedef struct _SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION - { - ULONG Version; - QUERY_PERFORMANCE_COUNTER_FLAGS Flags; - QUERY_PERFORMANCE_COUNTER_FLAGS ValidFlags; - } SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION, *PSYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION; - - // end_msdn - - // private - typedef enum _SYSTEM_PIXEL_FORMAT - { - SystemPixelFormatUnknown, - SystemPixelFormatR8G8B8, - SystemPixelFormatR8G8B8X8, - SystemPixelFormatB8G8R8, - SystemPixelFormatB8G8R8X8 - } SYSTEM_PIXEL_FORMAT; - - // private - typedef struct _SYSTEM_BOOT_GRAPHICS_INFORMATION - { - LARGE_INTEGER FrameBuffer; - ULONG Width; - ULONG Height; - ULONG PixelStride; - ULONG Flags; - SYSTEM_PIXEL_FORMAT Format; - ULONG DisplayRotation; - } SYSTEM_BOOT_GRAPHICS_INFORMATION, *PSYSTEM_BOOT_GRAPHICS_INFORMATION; - - // private - typedef struct _MEMORY_SCRUB_INFORMATION - { - HANDLE Handle; - SIZE_T PagesScrubbed; - } MEMORY_SCRUB_INFORMATION, *PMEMORY_SCRUB_INFORMATION; - - // private - typedef union _SYSTEM_BAD_PAGE_INFORMATION - { -#ifdef _WIN64 - ULONG_PTR PhysicalPageNumber : 52; -#else - ULONG PhysicalPageNumber : 20; -#endif - ULONG_PTR Reserved : 10; - ULONG_PTR Pending : 1; - ULONG_PTR Poisoned : 1; - } SYSTEM_BAD_PAGE_INFORMATION, *PSYSTEM_BAD_PAGE_INFORMATION; - - // private - typedef struct _PEBS_DS_SAVE_AREA32 - { - ULONG BtsBufferBase; - ULONG BtsIndex; - ULONG BtsAbsoluteMaximum; - ULONG BtsInterruptThreshold; - ULONG PebsBufferBase; - ULONG PebsIndex; - ULONG PebsAbsoluteMaximum; - ULONG PebsInterruptThreshold; - ULONG 
PebsGpCounterReset[8]; - ULONG PebsFixedCounterReset[4]; - } PEBS_DS_SAVE_AREA32, *PPEBS_DS_SAVE_AREA32; - - // private - typedef struct _PEBS_DS_SAVE_AREA64 - { - ULONGLONG BtsBufferBase; - ULONGLONG BtsIndex; - ULONGLONG BtsAbsoluteMaximum; - ULONGLONG BtsInterruptThreshold; - ULONGLONG PebsBufferBase; - ULONGLONG PebsIndex; - ULONGLONG PebsAbsoluteMaximum; - ULONGLONG PebsInterruptThreshold; - ULONGLONG PebsGpCounterReset[8]; - ULONGLONG PebsFixedCounterReset[4]; - } PEBS_DS_SAVE_AREA64, *PPEBS_DS_SAVE_AREA64; - - // private - typedef union _PEBS_DS_SAVE_AREA - { - PEBS_DS_SAVE_AREA32 As32Bit; - PEBS_DS_SAVE_AREA64 As64Bit; - } PEBS_DS_SAVE_AREA, *PPEBS_DS_SAVE_AREA; - - // private - typedef struct _PROCESSOR_PROFILE_CONTROL_AREA - { - PEBS_DS_SAVE_AREA PebsDsSaveArea; - } PROCESSOR_PROFILE_CONTROL_AREA, *PPROCESSOR_PROFILE_CONTROL_AREA; - - // private - typedef struct _SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA - { - PROCESSOR_PROFILE_CONTROL_AREA ProcessorProfileControlArea; - BOOLEAN Allocate; - } SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA, *PSYSTEM_PROCESSOR_PROFILE_CONTROL_AREA; - - // private - typedef struct _MEMORY_COMBINE_INFORMATION - { - HANDLE Handle; - SIZE_T PagesCombined; - } MEMORY_COMBINE_INFORMATION, *PMEMORY_COMBINE_INFORMATION; - -// rev -#define MEMORY_COMBINE_FLAGS_COMMON_PAGES_ONLY 0x4 - - // private - typedef struct _MEMORY_COMBINE_INFORMATION_EX - { - HANDLE Handle; - SIZE_T PagesCombined; - ULONG Flags; - } MEMORY_COMBINE_INFORMATION_EX, *PMEMORY_COMBINE_INFORMATION_EX; - - // private - typedef struct _MEMORY_COMBINE_INFORMATION_EX2 - { - HANDLE Handle; - SIZE_T PagesCombined; - ULONG Flags; - HANDLE ProcessHandle; - } MEMORY_COMBINE_INFORMATION_EX2, *PMEMORY_COMBINE_INFORMATION_EX2; - - // private - typedef struct _SYSTEM_ENTROPY_TIMING_INFORMATION - { - VOID(NTAPI *EntropyRoutine)(PVOID, ULONG); - VOID(NTAPI *InitializationRoutine)(PVOID, ULONG, PVOID); - PVOID InitializationContext; - } SYSTEM_ENTROPY_TIMING_INFORMATION, 
*PSYSTEM_ENTROPY_TIMING_INFORMATION; - - // private - typedef struct _SYSTEM_CONSOLE_INFORMATION - { - ULONG DriverLoaded : 1; - ULONG Spare : 31; - } SYSTEM_CONSOLE_INFORMATION, *PSYSTEM_CONSOLE_INFORMATION; - - // private - typedef struct _SYSTEM_PLATFORM_BINARY_INFORMATION - { - ULONG64 PhysicalAddress; - PVOID HandoffBuffer; - PVOID CommandLineBuffer; - ULONG HandoffBufferSize; - ULONG CommandLineBufferSize; - } SYSTEM_PLATFORM_BINARY_INFORMATION, *PSYSTEM_PLATFORM_BINARY_INFORMATION; - - // private - typedef struct _SYSTEM_POLICY_INFORMATION - { - PVOID InputData; - PVOID OutputData; - ULONG InputDataSize; - ULONG OutputDataSize; - ULONG Version; - } SYSTEM_POLICY_INFORMATION, *PSYSTEM_POLICY_INFORMATION; - - // private - typedef struct _SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION - { - ULONG NumberOfLogicalProcessors; - ULONG NumberOfCores; - } SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION, *PSYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION; - - // private - typedef struct _SYSTEM_DEVICE_DATA_INFORMATION - { - UNICODE_STRING DeviceId; - UNICODE_STRING DataName; - ULONG DataType; - ULONG DataBufferLength; - PVOID DataBuffer; - } SYSTEM_DEVICE_DATA_INFORMATION, *PSYSTEM_DEVICE_DATA_INFORMATION; - - // private - typedef struct _PHYSICAL_CHANNEL_RUN - { - ULONG NodeNumber; - ULONG ChannelNumber; - ULONGLONG BasePage; - ULONGLONG PageCount; - ULONG Flags; - } PHYSICAL_CHANNEL_RUN, *PPHYSICAL_CHANNEL_RUN; - - // private - typedef struct _SYSTEM_MEMORY_TOPOLOGY_INFORMATION - { - ULONGLONG NumberOfRuns; - ULONG NumberOfNodes; - ULONG NumberOfChannels; - PHYSICAL_CHANNEL_RUN Run[1]; - } SYSTEM_MEMORY_TOPOLOGY_INFORMATION, *PSYSTEM_MEMORY_TOPOLOGY_INFORMATION; - - // private - typedef struct _SYSTEM_MEMORY_CHANNEL_INFORMATION - { - ULONG ChannelNumber; - ULONG ChannelHeatIndex; - ULONGLONG TotalPageCount; - ULONGLONG ZeroPageCount; - ULONGLONG FreePageCount; - ULONGLONG StandbyPageCount; - } SYSTEM_MEMORY_CHANNEL_INFORMATION, *PSYSTEM_MEMORY_CHANNEL_INFORMATION; - - // 
private - typedef struct _SYSTEM_BOOT_LOGO_INFORMATION - { - ULONG Flags; - ULONG BitmapOffset; - } SYSTEM_BOOT_LOGO_INFORMATION, *PSYSTEM_BOOT_LOGO_INFORMATION; - - // private - typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX - { - LARGE_INTEGER IdleTime; - LARGE_INTEGER KernelTime; - LARGE_INTEGER UserTime; - LARGE_INTEGER DpcTime; - LARGE_INTEGER InterruptTime; - ULONG InterruptCount; - ULONG Spare0; - LARGE_INTEGER AvailableTime; - LARGE_INTEGER Spare1; - LARGE_INTEGER Spare2; - } SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX, *PSYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX; - - // private - typedef struct _CRITICAL_PROCESS_EXCEPTION_DATA - { - GUID ReportId; - UNICODE_STRING ModuleName; - ULONG ModuleTimestamp; - ULONG ModuleSize; - ULONG_PTR Offset; - } CRITICAL_PROCESS_EXCEPTION_DATA, *PCRITICAL_PROCESS_EXCEPTION_DATA; - - // private - typedef struct _SYSTEM_SECUREBOOT_POLICY_INFORMATION - { - GUID PolicyPublisher; - ULONG PolicyVersion; - ULONG PolicyOptions; - } SYSTEM_SECUREBOOT_POLICY_INFORMATION, *PSYSTEM_SECUREBOOT_POLICY_INFORMATION; - - // private - typedef struct _SYSTEM_PAGEFILE_INFORMATION_EX - { - union // HACK union declaration for convenience (dmex) - { - SYSTEM_PAGEFILE_INFORMATION Info; - struct - { - ULONG NextEntryOffset; - ULONG TotalSize; - ULONG TotalInUse; - ULONG PeakUsage; - UNICODE_STRING PageFileName; - }; - }; - - ULONG MinimumSize; - ULONG MaximumSize; - } SYSTEM_PAGEFILE_INFORMATION_EX, *PSYSTEM_PAGEFILE_INFORMATION_EX; - - // private - typedef struct _SYSTEM_SECUREBOOT_INFORMATION - { - BOOLEAN SecureBootEnabled; - BOOLEAN SecureBootCapable; - } SYSTEM_SECUREBOOT_INFORMATION, *PSYSTEM_SECUREBOOT_INFORMATION; - - // private - typedef struct _PROCESS_DISK_COUNTERS - { - ULONGLONG BytesRead; - ULONGLONG BytesWritten; - ULONGLONG ReadOperationCount; - ULONGLONG WriteOperationCount; - ULONGLONG FlushOperationCount; - } PROCESS_DISK_COUNTERS, *PPROCESS_DISK_COUNTERS; - - // private - typedef union _ENERGY_STATE_DURATION - { - 
ULONGLONG Value; - struct - { - ULONG LastChangeTime; - ULONG Duration : 31; - ULONG IsInState : 1; - }; - } ENERGY_STATE_DURATION, *PENERGY_STATE_DURATION; - - typedef struct _PROCESS_ENERGY_VALUES - { - ULONGLONG Cycles[4][2]; - ULONGLONG DiskEnergy; - ULONGLONG NetworkTailEnergy; - ULONGLONG MBBTailEnergy; - ULONGLONG NetworkTxRxBytes; - ULONGLONG MBBTxRxBytes; - union - { - ENERGY_STATE_DURATION Durations[3]; - struct - { - ENERGY_STATE_DURATION ForegroundDuration; - ENERGY_STATE_DURATION DesktopVisibleDuration; - ENERGY_STATE_DURATION PSMForegroundDuration; - }; - }; - ULONG CompositionRendered; - ULONG CompositionDirtyGenerated; - ULONG CompositionDirtyPropagated; - ULONG Reserved1; - ULONGLONG AttributedCycles[4][2]; - ULONGLONG WorkOnBehalfCycles[4][2]; - } PROCESS_ENERGY_VALUES, *PPROCESS_ENERGY_VALUES; - - typedef union _TIMELINE_BITMAP - { - ULONGLONG Value; - struct - { - ULONG EndTime; - ULONG Bitmap; - }; - } TIMELINE_BITMAP, *PTIMELINE_BITMAP; - - typedef struct _PROCESS_ENERGY_VALUES_EXTENSION - { - union - { - TIMELINE_BITMAP Timelines[14]; // 9 for REDSTONE2, 14 for REDSTONE3/4/5 - struct - { - TIMELINE_BITMAP CpuTimeline; - TIMELINE_BITMAP DiskTimeline; - TIMELINE_BITMAP NetworkTimeline; - TIMELINE_BITMAP MBBTimeline; - TIMELINE_BITMAP ForegroundTimeline; - TIMELINE_BITMAP DesktopVisibleTimeline; - TIMELINE_BITMAP CompositionRenderedTimeline; - TIMELINE_BITMAP CompositionDirtyGeneratedTimeline; - TIMELINE_BITMAP CompositionDirtyPropagatedTimeline; - TIMELINE_BITMAP InputTimeline; // REDSTONE3 - TIMELINE_BITMAP AudioInTimeline; - TIMELINE_BITMAP AudioOutTimeline; - TIMELINE_BITMAP DisplayRequiredTimeline; - TIMELINE_BITMAP KeyboardInputTimeline; - }; - }; - - union // REDSTONE3 - { - ENERGY_STATE_DURATION Durations[5]; - struct - { - ENERGY_STATE_DURATION InputDuration; - ENERGY_STATE_DURATION AudioInDuration; - ENERGY_STATE_DURATION AudioOutDuration; - ENERGY_STATE_DURATION DisplayRequiredDuration; - ENERGY_STATE_DURATION PSMBackgroundDuration; - 
}; - }; - - ULONG KeyboardInput; - ULONG MouseInput; - } PROCESS_ENERGY_VALUES_EXTENSION, *PPROCESS_ENERGY_VALUES_EXTENSION; - - typedef struct _PROCESS_EXTENDED_ENERGY_VALUES - { - PROCESS_ENERGY_VALUES Base; - PROCESS_ENERGY_VALUES_EXTENSION Extension; - } PROCESS_EXTENDED_ENERGY_VALUES, *PPROCESS_EXTENDED_ENERGY_VALUES; - - // private - typedef enum _SYSTEM_PROCESS_CLASSIFICATION - { - SystemProcessClassificationNormal, - SystemProcessClassificationSystem, - SystemProcessClassificationSecureSystem, - SystemProcessClassificationMemCompression, - SystemProcessClassificationRegistry, // REDSTONE4 - SystemProcessClassificationMaximum - } SYSTEM_PROCESS_CLASSIFICATION; - - // private - typedef struct _SYSTEM_PROCESS_INFORMATION_EXTENSION - { - PROCESS_DISK_COUNTERS DiskCounters; - ULONGLONG ContextSwitches; - union - { - ULONG Flags; - struct - { - ULONG HasStrongId : 1; - ULONG Classification : 4; // SYSTEM_PROCESS_CLASSIFICATION - ULONG BackgroundActivityModerated : 1; - ULONG Spare : 26; - }; - }; - ULONG UserSidOffset; - ULONG PackageFullNameOffset; // since THRESHOLD - PROCESS_ENERGY_VALUES EnergyValues; // since THRESHOLD - ULONG AppIdOffset; // since THRESHOLD - SIZE_T SharedCommitCharge; // since THRESHOLD2 - ULONG JobObjectId; // since REDSTONE - ULONG SpareUlong; // since REDSTONE - ULONGLONG ProcessSequenceNumber; - } SYSTEM_PROCESS_INFORMATION_EXTENSION, *PSYSTEM_PROCESS_INFORMATION_EXTENSION; - - // private - typedef struct _SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION - { - BOOLEAN EfiLauncherEnabled; - } SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION, *PSYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION; - - // private - typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX - { - BOOLEAN DebuggerAllowed; - BOOLEAN DebuggerEnabled; - BOOLEAN DebuggerPresent; - } SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION_EX; - - // private - typedef struct _SYSTEM_ELAM_CERTIFICATE_INFORMATION - { - HANDLE ElamDriverFile; - } 
SYSTEM_ELAM_CERTIFICATE_INFORMATION, *PSYSTEM_ELAM_CERTIFICATE_INFORMATION; - - // private - typedef struct _OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V2 - { - ULONG Version; - ULONG AbnormalResetOccurred; - ULONG OfflineMemoryDumpCapable; - LARGE_INTEGER ResetDataAddress; - ULONG ResetDataSize; - } OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V2, *POFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V2; - - // private - typedef struct _OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V1 - { - ULONG Version; - ULONG AbnormalResetOccurred; - ULONG OfflineMemoryDumpCapable; - } OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V1, *POFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V1; - -// SYSTEM_PROCESSOR_FEATURES_INFORMATION // ProcessorFeatureBits -#define KF_BRANCH 0x0000000000020000 -#define KF_XSTATE 0x0000000000800000 -#define KF_RDTSCP 0x0000000400000000 -#define KF_CET_SS 0x0000400000000000 -#define KF_XFD 0x0080000000000000 - - // private - typedef struct _SYSTEM_PROCESSOR_FEATURES_INFORMATION - { - ULONGLONG ProcessorFeatureBits; - ULONGLONG Reserved[3]; - } SYSTEM_PROCESSOR_FEATURES_INFORMATION, *PSYSTEM_PROCESSOR_FEATURES_INFORMATION; - - // EDID v1.4 standard data format - typedef struct _SYSTEM_EDID_INFORMATION - { - UCHAR Edid[128]; - } SYSTEM_EDID_INFORMATION, *PSYSTEM_EDID_INFORMATION; - - // private - typedef struct _SYSTEM_MANUFACTURING_INFORMATION - { - ULONG Options; - UNICODE_STRING ProfileName; - } SYSTEM_MANUFACTURING_INFORMATION, *PSYSTEM_MANUFACTURING_INFORMATION; - - // private - typedef struct _SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION - { - BOOLEAN Enabled; - } SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION, *PSYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION; - - // private - typedef struct _HV_DETAILS - { - ULONG Data[4]; - } HV_DETAILS, *PHV_DETAILS; - - // private - typedef struct _SYSTEM_HYPERVISOR_DETAIL_INFORMATION - { - HV_DETAILS HvVendorAndMaxFunction; - HV_DETAILS HypervisorInterface; - HV_DETAILS HypervisorVersion; - HV_DETAILS HvFeatures; - HV_DETAILS HwFeatures; - HV_DETAILS 
EnlightenmentInfo; - HV_DETAILS ImplementationLimits; - } SYSTEM_HYPERVISOR_DETAIL_INFORMATION, *PSYSTEM_HYPERVISOR_DETAIL_INFORMATION; - - // private - typedef struct _SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION - { - // - // First index is bucket (see: PoGetFrequencyBucket) selected based on latest frequency percent - // using _KPRCB.PowerState.FrequencyBucketThresholds. - // - // Second index is _KPRCB.PowerState.ArchitecturalEfficiencyClass, accounting for architecture - // dependent KeHeteroSystem and using _KPRCB.PowerState.EarlyBootArchitecturalEfficiencyClass - // instead, when appropriate. - // - ULONGLONG Cycles[4][2]; - } SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION, *PSYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION; - - // private - typedef struct _SYSTEM_TPM_INFORMATION - { - ULONG Flags; - } SYSTEM_TPM_INFORMATION, *PSYSTEM_TPM_INFORMATION; - - // private - typedef struct _SYSTEM_VSM_PROTECTION_INFORMATION - { - BOOLEAN DmaProtectionsAvailable; - BOOLEAN DmaProtectionsInUse; - BOOLEAN HardwareMbecAvailable; // REDSTONE4 (CVE-2018-3639) - BOOLEAN ApicVirtualizationAvailable; // 20H1 - } SYSTEM_VSM_PROTECTION_INFORMATION, *PSYSTEM_VSM_PROTECTION_INFORMATION; - - // private - typedef struct _SYSTEM_KERNEL_DEBUGGER_FLAGS - { - BOOLEAN KernelDebuggerIgnoreUmExceptions; - } SYSTEM_KERNEL_DEBUGGER_FLAGS, *PSYSTEM_KERNEL_DEBUGGER_FLAGS; - -// SYSTEM_CODEINTEGRITYPOLICY_INFORMATION Options -#define CODEINTEGRITYPOLICY_OPTION_ENABLED 0x01 -#define CODEINTEGRITYPOLICY_OPTION_AUDIT 0x02 -#define CODEINTEGRITYPOLICY_OPTION_REQUIRE_WHQL 0x04 -#define CODEINTEGRITYPOLICY_OPTION_DISABLED_FLIGHTSIGNING 0x08 -#define CODEINTEGRITYPOLICY_OPTION_ENABLED_UMCI 0x10 -#define CODEINTEGRITYPOLICY_OPTION_ENABLED_UPDATE_POLICY_NOREBOOT 0x20 -#define CODEINTEGRITYPOLICY_OPTION_ENABLED_SECURE_SETTING_POLICY 0x40 -#define CODEINTEGRITYPOLICY_OPTION_ENABLED_UNSIGNED_SYSTEMINTEGRITY_POLICY 0x80 -#define CODEINTEGRITYPOLICY_OPTION_DYNAMIC_CODE_POLICY_ENABLED 0x100 -#define 
CODEINTEGRITYPOLICY_OPTION_RELOAD_POLICY_NO_REBOOT 0x10000000 // NtSetSystemInformation reloads SiPolicy.p7b -#define CODEINTEGRITYPOLICY_OPTION_CONDITIONAL_LOCKDOWN 0x20000000 -#define CODEINTEGRITYPOLICY_OPTION_NOLOCKDOWN 0x40000000 -#define CODEINTEGRITYPOLICY_OPTION_LOCKDOWN 0x80000000 - -// SYSTEM_CODEINTEGRITYPOLICY_INFORMATION HVCIOptions -#define CODEINTEGRITYPOLICY_HVCIOPTION_ENABLED 0x01 -#define CODEINTEGRITYPOLICY_HVCIOPTION_STRICT 0x02 -#define CODEINTEGRITYPOLICY_HVCIOPTION_DEBUG 0x04 - - // private - typedef struct _SYSTEM_CODEINTEGRITYPOLICY_INFORMATION - { - union - { - ULONG Options; - struct - { - ULONG Enabled : 1; - ULONG Audit : 1; - ULONG RequireWHQL : 1; - ULONG DisabledFlightSigning : 1; - ULONG EnabledUMCI : 1; - ULONG EnabledUpdatePolicyNoReboot : 1; - ULONG EnabledSecureSettingPolicy : 1; - ULONG EnabledUnsignedSystemIntegrityPolicy : 1; - ULONG DynamicCodePolicyEnabled : 1; - ULONG Spare : 19; - ULONG ReloadPolicyNoReboot : 1; - ULONG ConditionalLockdown : 1; - ULONG NoLockdown : 1; - ULONG Lockdown : 1; - }; - }; - union - { - ULONG HVCIOptions; - struct - { - ULONG HVCIEnabled : 1; - ULONG HVCIStrict : 1; - ULONG HVCIDebug : 1; - ULONG HVCISpare : 29; - }; - }; - ULONGLONG Version; - GUID PolicyGuid; - } SYSTEM_CODEINTEGRITYPOLICY_INFORMATION, *PSYSTEM_CODEINTEGRITYPOLICY_INFORMATION; - - // private - typedef struct _SYSTEM_ISOLATED_USER_MODE_INFORMATION - { - BOOLEAN SecureKernelRunning : 1; - BOOLEAN HvciEnabled : 1; - BOOLEAN HvciStrictMode : 1; - BOOLEAN DebugEnabled : 1; - BOOLEAN FirmwarePageProtection : 1; - BOOLEAN EncryptionKeyAvailable : 1; - BOOLEAN SpareFlags : 2; - BOOLEAN TrustletRunning : 1; - BOOLEAN HvciDisableAllowed : 1; - BOOLEAN HardwareEnforcedVbs : 1; - BOOLEAN NoSecrets : 1; - BOOLEAN EncryptionKeyPersistent : 1; - BOOLEAN HardwareEnforcedHvpt : 1; - BOOLEAN HardwareHvptAvailable : 1; - BOOLEAN SpareFlags2 : 1; - BOOLEAN Spare0[6]; - ULONGLONG Spare1; - } SYSTEM_ISOLATED_USER_MODE_INFORMATION, 
*PSYSTEM_ISOLATED_USER_MODE_INFORMATION; - - // private - typedef struct _SYSTEM_SINGLE_MODULE_INFORMATION - { - PVOID TargetModuleAddress; - RTL_PROCESS_MODULE_INFORMATION_EX ExInfo; - } SYSTEM_SINGLE_MODULE_INFORMATION, *PSYSTEM_SINGLE_MODULE_INFORMATION; - - // private - typedef struct _SYSTEM_INTERRUPT_CPU_SET_INFORMATION - { - ULONG Gsiv; - USHORT Group; - ULONGLONG CpuSets; - } SYSTEM_INTERRUPT_CPU_SET_INFORMATION, *PSYSTEM_INTERRUPT_CPU_SET_INFORMATION; - - // private - typedef struct _SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION - { - SYSTEM_SECUREBOOT_POLICY_INFORMATION PolicyInformation; - ULONG PolicySize; - UCHAR Policy[1]; - } SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION, *PSYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION; - - // private - typedef struct _KAFFINITY_EX - { - USHORT Count; - USHORT Size; - ULONG Reserved; - union - { - ULONG_PTR Bitmap[1]; - ULONG_PTR StaticBitmap[32]; - }; - } KAFFINITY_EX, *PKAFFINITY_EX; - - // private - typedef struct _SYSTEM_ROOT_SILO_INFORMATION - { - ULONG NumberOfSilos; - ULONG SiloIdList[1]; - } SYSTEM_ROOT_SILO_INFORMATION, *PSYSTEM_ROOT_SILO_INFORMATION; - - // private - typedef struct _SYSTEM_CPU_SET_TAG_INFORMATION - { - ULONGLONG Tag; - ULONGLONG CpuSets[1]; - } SYSTEM_CPU_SET_TAG_INFORMATION, *PSYSTEM_CPU_SET_TAG_INFORMATION; - - // private - typedef struct _SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION - { - ULONG ExtentCount; - ULONG ValidStructureSize; - ULONG NextExtentIndex; - ULONG ExtentRestart; - ULONG CycleCount; - ULONG TimeoutCount; - ULONGLONG CycleTime; - ULONGLONG CycleTimeMax; - ULONGLONG ExtentTime; - ULONG ExtentTimeIndex; - ULONG ExtentTimeMaxIndex; - ULONGLONG ExtentTimeMax; - ULONGLONG HyperFlushTimeMax; - ULONGLONG TranslateVaTimeMax; - ULONGLONG DebugExemptionCount; - ULONGLONG TbHitCount; - ULONGLONG TbMissCount; - ULONGLONG VinaPendingYield; - ULONGLONG HashCycles; - ULONG HistogramOffset; - ULONG HistogramBuckets; - ULONG HistogramShift; - ULONG Reserved1; - ULONGLONG PageNotPresentCount; 
- } SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION, *PSYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION; - - // private - typedef struct _SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION - { - ULONG PlatformManifestSize; - UCHAR PlatformManifest[1]; - } SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION, *PSYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION; - - // private - typedef struct _SYSTEM_INTERRUPT_STEERING_INFORMATION_INPUT - { - ULONG Gsiv; - UCHAR ControllerInterrupt; - UCHAR EdgeInterrupt; - UCHAR IsPrimaryInterrupt; - GROUP_AFFINITY TargetAffinity; - } SYSTEM_INTERRUPT_STEERING_INFORMATION_INPUT, *PSYSTEM_INTERRUPT_STEERING_INFORMATION_INPUT; - - // private - typedef union _SYSTEM_INTERRUPT_STEERING_INFORMATION_OUTPUT - { - ULONG AsULONG; - struct - { - ULONG Enabled : 1; - ULONG Reserved : 31; - }; - } SYSTEM_INTERRUPT_STEERING_INFORMATION_OUTPUT, *PSYSTEM_INTERRUPT_STEERING_INFORMATION_OUTPUT; - -#if !defined(NTDDI_WIN10_FE) || (NTDDI_VERSION < NTDDI_WIN10_FE) - // private - typedef struct _SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION - { - ULONG Machine : 16; - ULONG KernelMode : 1; - ULONG UserMode : 1; - ULONG Native : 1; - ULONG Process : 1; - ULONG WoW64Container : 1; - ULONG ReservedZero0 : 11; - } SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION, *PSYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION; -#endif - - // private - typedef struct _SYSTEM_MEMORY_USAGE_INFORMATION - { - ULONGLONG TotalPhysicalBytes; - ULONGLONG AvailableBytes; - LONGLONG ResidentAvailableBytes; - ULONGLONG CommittedBytes; - ULONGLONG SharedCommittedBytes; - ULONGLONG CommitLimitBytes; - ULONGLONG PeakCommitmentBytes; - } SYSTEM_MEMORY_USAGE_INFORMATION, *PSYSTEM_MEMORY_USAGE_INFORMATION; - - // private - typedef struct _SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION - { - HANDLE ImageFile; - ULONG Type; // REDSTONE4 - } SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION, *PSYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION; - - // private - typedef struct 
_SYSTEM_PHYSICAL_MEMORY_INFORMATION - { - ULONGLONG TotalPhysicalBytes; - ULONGLONG LowestPhysicalAddress; - ULONGLONG HighestPhysicalAddress; - } SYSTEM_PHYSICAL_MEMORY_INFORMATION, *PSYSTEM_PHYSICAL_MEMORY_INFORMATION; - - // private - typedef enum _SYSTEM_ACTIVITY_MODERATION_STATE - { - SystemActivityModerationStateSystemManaged, - SystemActivityModerationStateUserManagedAllowThrottling, - SystemActivityModerationStateUserManagedDisableThrottling, - MaxSystemActivityModerationState - } SYSTEM_ACTIVITY_MODERATION_STATE; - - // private - REDSTONE2 - typedef struct _SYSTEM_ACTIVITY_MODERATION_EXE_STATE // REDSTONE3: Renamed SYSTEM_ACTIVITY_MODERATION_INFO - { - UNICODE_STRING ExePathNt; - SYSTEM_ACTIVITY_MODERATION_STATE ModerationState; - } SYSTEM_ACTIVITY_MODERATION_EXE_STATE, *PSYSTEM_ACTIVITY_MODERATION_EXE_STATE; - - typedef enum _SYSTEM_ACTIVITY_MODERATION_APP_TYPE - { - SystemActivityModerationAppTypeClassic, - SystemActivityModerationAppTypePackaged, - MaxSystemActivityModerationAppType - } SYSTEM_ACTIVITY_MODERATION_APP_TYPE; - - // private - REDSTONE3 - typedef struct _SYSTEM_ACTIVITY_MODERATION_INFO - { - UNICODE_STRING Identifier; - SYSTEM_ACTIVITY_MODERATION_STATE ModerationState; - SYSTEM_ACTIVITY_MODERATION_APP_TYPE AppType; - } SYSTEM_ACTIVITY_MODERATION_INFO, *PSYSTEM_ACTIVITY_MODERATION_INFO; - -// rev -#include - typedef struct _SYSTEM_ACTIVITY_MODERATION_APP_SETTINGS - { - LARGE_INTEGER LastUpdatedTime; // QuerySystemTime - SYSTEM_ACTIVITY_MODERATION_STATE ModerationState; - UCHAR Reserved[4]; - SYSTEM_ACTIVITY_MODERATION_APP_TYPE AppType; - UCHAR Flags[4]; - } SYSTEM_ACTIVITY_MODERATION_APP_SETTINGS, *PSYSTEM_ACTIVITY_MODERATION_APP_SETTINGS; -#include - - // private - typedef struct _SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS - { - HANDLE UserKeyHandle; - } SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS, *PSYSTEM_ACTIVITY_MODERATION_USER_SETTINGS; - - // private - typedef struct _SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION - { - union - { - ULONG Flags; - 
struct - { - ULONG Locked : 1; - ULONG UnlockApplied : 1; // Unlockable field removed 19H1 - ULONG UnlockIdValid : 1; - ULONG Reserved : 29; - }; - }; - UCHAR UnlockId[32]; // REDSTONE4 - } SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION, *PSYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION; - - // private - typedef struct _SYSTEM_FLUSH_INFORMATION - { - ULONG SupportedFlushMethods; - ULONG ProcessorCacheFlushSize; - ULONGLONG SystemFlushCapabilities; - ULONGLONG Reserved[2]; - } SYSTEM_FLUSH_INFORMATION, *PSYSTEM_FLUSH_INFORMATION; - - // private - typedef struct _SYSTEM_WRITE_CONSTRAINT_INFORMATION - { - ULONG WriteConstraintPolicy; - ULONG Reserved; - } SYSTEM_WRITE_CONSTRAINT_INFORMATION, *PSYSTEM_WRITE_CONSTRAINT_INFORMATION; - - // private - typedef struct _SYSTEM_KERNEL_VA_SHADOW_INFORMATION - { - union - { - ULONG KvaShadowFlags; - struct - { - ULONG KvaShadowEnabled : 1; - ULONG KvaShadowUserGlobal : 1; - ULONG KvaShadowPcid : 1; - ULONG KvaShadowInvpcid : 1; - ULONG KvaShadowRequired : 1; // REDSTONE4 - ULONG KvaShadowRequiredAvailable : 1; - ULONG InvalidPteBit : 6; - ULONG L1DataCacheFlushSupported : 1; - ULONG L1TerminalFaultMitigationPresent : 1; - ULONG Reserved : 18; - }; - }; - } SYSTEM_KERNEL_VA_SHADOW_INFORMATION, *PSYSTEM_KERNEL_VA_SHADOW_INFORMATION; - - // private - typedef struct _SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION - { - HANDLE FileHandle; - ULONG ImageSize; - PVOID Image; - } SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION, *PSYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION; - - // rev - typedef struct _SYSTEM_HYPERVISOR_USER_SHARED_DATA - { - ULONGLONG TimeUpdateLock; // QpcSystemTimeIncrement? 
- volatile ULONGLONG QpcMultiplier; - volatile ULONGLONG QpcBias; // HvlGetQpcBias - } SYSTEM_HYPERVISOR_USER_SHARED_DATA, *PSYSTEM_HYPERVISOR_USER_SHARED_DATA; - - // private - typedef struct _SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION - { - PSYSTEM_HYPERVISOR_USER_SHARED_DATA HypervisorSharedUserVa; - } SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION, *PSYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION; - - // private - typedef struct _SYSTEM_FIRMWARE_PARTITION_INFORMATION - { - UNICODE_STRING FirmwarePartition; - } SYSTEM_FIRMWARE_PARTITION_INFORMATION, *PSYSTEM_FIRMWARE_PARTITION_INFORMATION; - - // private - typedef struct _SYSTEM_SPECULATION_CONTROL_INFORMATION - { - union - { - ULONG Flags; - struct - { - ULONG BpbEnabled : 1; - ULONG BpbDisabledSystemPolicy : 1; - ULONG BpbDisabledNoHardwareSupport : 1; - ULONG SpecCtrlEnumerated : 1; - ULONG SpecCmdEnumerated : 1; - ULONG IbrsPresent : 1; - ULONG StibpPresent : 1; - ULONG SmepPresent : 1; - ULONG SpeculativeStoreBypassDisableAvailable : 1; // REDSTONE4 (CVE-2018-3639) - ULONG SpeculativeStoreBypassDisableSupported : 1; - ULONG SpeculativeStoreBypassDisabledSystemWide : 1; - ULONG SpeculativeStoreBypassDisabledKernel : 1; - ULONG SpeculativeStoreBypassDisableRequired : 1; - ULONG BpbDisabledKernelToUser : 1; - ULONG SpecCtrlRetpolineEnabled : 1; - ULONG SpecCtrlImportOptimizationEnabled : 1; - ULONG EnhancedIbrs : 1; // since 19H1 - ULONG HvL1tfStatusAvailable : 1; - ULONG HvL1tfProcessorNotAffected : 1; - ULONG HvL1tfMigitationEnabled : 1; - ULONG HvL1tfMigitationNotEnabled_Hardware : 1; - ULONG HvL1tfMigitationNotEnabled_LoadOption : 1; - ULONG HvL1tfMigitationNotEnabled_CoreScheduler : 1; - ULONG EnhancedIbrsReported : 1; - ULONG MdsHardwareProtected : 1; // since 19H2 - ULONG MbClearEnabled : 1; - ULONG MbClearReported : 1; - ULONG ReservedTaa : 4; - ULONG Reserved : 1; - }; - } SpeculationControlFlags; - union - { - ULONG Flags; // since 23H2 - struct - { - ULONG SbdrSsdpHardwareProtected : 1; - ULONG 
FbsdpHardwareProtected : 1; - ULONG PsdpHardwareProtected : 1; - ULONG FbClearEnabled : 1; - ULONG FbClearReported : 1; - ULONG BhbEnabled : 1; - ULONG BhbDisabledSystemPolicy : 1; - ULONG BhbDisabledNoHardwareSupport : 1; - ULONG BranchConfusionStatus : 2; - ULONG BranchConfusionReported : 1; - ULONG RdclHardwareProtectedReported : 1; - ULONG RdclHardwareProtected : 1; - ULONG Reserved3 : 4; - ULONG Reserved4 : 3; - ULONG DivideByZeroReported : 1; - ULONG DivideByZeroStatus : 1; - ULONG Reserved5 : 3; - ULONG Reserved : 7; - }; - } SpeculationControlFlags2; - } SYSTEM_SPECULATION_CONTROL_INFORMATION, *PSYSTEM_SPECULATION_CONTROL_INFORMATION; - - // private - typedef struct _SYSTEM_DMA_GUARD_POLICY_INFORMATION - { - BOOLEAN DmaGuardPolicyEnabled; - } SYSTEM_DMA_GUARD_POLICY_INFORMATION, *PSYSTEM_DMA_GUARD_POLICY_INFORMATION; - - // private - typedef struct _SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION - { - UCHAR EnclaveLaunchSigner[32]; - } SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION, *PSYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION; - - // private - typedef struct _SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION - { - ULONGLONG WorkloadClass; - ULONGLONG CpuSets[1]; - } SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION, *PSYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION; - - // private - typedef struct _SYSTEM_SECURITY_MODEL_INFORMATION - { - union - { - ULONG SecurityModelFlags; - struct - { - ULONG ReservedFlag : 1; // SModeAdminlessEnabled - ULONG AllowDeviceOwnerProtectionDowngrade : 1; - ULONG Reserved : 30; - }; - }; - } SYSTEM_SECURITY_MODEL_INFORMATION, *PSYSTEM_SECURITY_MODEL_INFORMATION; - - // private - typedef union _SECURE_SPECULATION_CONTROL_INFORMATION - { - ULONG KvaShadowSupported : 1; - ULONG KvaShadowEnabled : 1; - ULONG KvaShadowUserGlobal : 1; - ULONG KvaShadowPcid : 1; - ULONG MbClearEnabled : 1; - ULONG L1TFMitigated : 1; // since 20H2 - ULONG BpbEnabled : 1; - ULONG IbrsPresent : 1; - ULONG EnhancedIbrs : 1; - ULONG StibpPresent : 1; - ULONG SsbdSupported : 1; - 
ULONG SsbdRequired : 1; - ULONG BpbKernelToUser : 1; - ULONG BpbUserToKernel : 1; - ULONG ReturnSpeculate : 1; - ULONG BranchConfusionSafe : 1; - ULONG SsbsEnabledAlways : 1; // 24H2 - ULONG SsbsEnabledKernel : 1; - ULONG Reserved : 14; - } SECURE_SPECULATION_CONTROL_INFORMATION, *PSECURE_SPECULATION_CONTROL_INFORMATION; - - // private - typedef struct _SYSTEM_FIRMWARE_RAMDISK_INFORMATION - { - ULONG Version; - ULONG BlockSize; - ULONG_PTR BaseAddress; - SIZE_T Size; - } SYSTEM_FIRMWARE_RAMDISK_INFORMATION, *PSYSTEM_FIRMWARE_RAMDISK_INFORMATION; - - // private - typedef struct _SYSTEM_SHADOW_STACK_INFORMATION - { - union - { - ULONG Flags; - struct - { - ULONG CetCapable : 1; - ULONG UserCetAllowed : 1; - ULONG ReservedForUserCet : 6; - ULONG KernelCetEnabled : 1; - ULONG KernelCetAuditModeEnabled : 1; - ULONG ReservedForKernelCet : 6; // since Windows 10 build 21387 - ULONG Reserved : 16; - }; - }; - } SYSTEM_SHADOW_STACK_INFORMATION, *PSYSTEM_SHADOW_STACK_INFORMATION; - - // private - typedef union _SYSTEM_BUILD_VERSION_INFORMATION_FLAGS - { - ULONG Value32; - struct - { - ULONG IsTopLevel : 1; - ULONG IsChecked : 1; - }; - } SYSTEM_BUILD_VERSION_INFORMATION_FLAGS, *PSYSTEM_BUILD_VERSION_INFORMATION_FLAGS; - - // private - typedef struct _SYSTEM_BUILD_VERSION_INFORMATION - { - USHORT LayerNumber; - USHORT LayerCount; - ULONG OsMajorVersion; - ULONG OsMinorVersion; - ULONG NtBuildNumber; - ULONG NtBuildQfe; - UCHAR LayerName[128]; - UCHAR NtBuildBranch[128]; - UCHAR NtBuildLab[128]; - UCHAR NtBuildLabEx[128]; - UCHAR NtBuildStamp[26]; - UCHAR NtBuildArch[16]; - SYSTEM_BUILD_VERSION_INFORMATION_FLAGS Flags; - } SYSTEM_BUILD_VERSION_INFORMATION, *PSYSTEM_BUILD_VERSION_INFORMATION; - - // private - typedef struct _SYSTEM_POOL_LIMIT_MEM_INFO - { - ULONGLONG MemoryLimit; - ULONGLONG NotificationLimit; - } SYSTEM_POOL_LIMIT_MEM_INFO, *PSYSTEM_POOL_LIMIT_MEM_INFO; - - // private - typedef struct _SYSTEM_POOL_LIMIT_INFO - { - ULONG PoolTag; - SYSTEM_POOL_LIMIT_MEM_INFO 
MemLimits[2]; - WNF_STATE_NAME NotificationHandle; - } SYSTEM_POOL_LIMIT_INFO, *PSYSTEM_POOL_LIMIT_INFO; - - // private - typedef struct _SYSTEM_POOL_LIMIT_INFORMATION - { - ULONG Version; - ULONG EntryCount; - _Field_size_(EntryCount) SYSTEM_POOL_LIMIT_INFO LimitEntries[1]; - } SYSTEM_POOL_LIMIT_INFORMATION, *PSYSTEM_POOL_LIMIT_INFORMATION; - - // private - // typedef struct _SYSTEM_POOL_ZEROING_INFORMATION - //{ - // BOOLEAN PoolZeroingSupportPresent; - //} SYSTEM_POOL_ZEROING_INFORMATION, *PSYSTEM_POOL_ZEROING_INFORMATION; - - // private - typedef struct _HV_MINROOT_NUMA_LPS - { - ULONG NodeIndex; - ULONG_PTR Mask[16]; - } HV_MINROOT_NUMA_LPS, *PHV_MINROOT_NUMA_LPS; - - // private - typedef struct _SYSTEM_XFG_FAILURE_INFORMATION - { - PVOID ReturnAddress; - PVOID TargetAddress; - ULONG DispatchMode; - ULONGLONG XfgValue; - } SYSTEM_XFG_FAILURE_INFORMATION, *PSYSTEM_XFG_FAILURE_INFORMATION; - - // private - typedef enum _SYSTEM_IOMMU_STATE - { - IommuStateBlock, - IommuStateUnblock - } SYSTEM_IOMMU_STATE; - - // private - typedef struct _SYSTEM_IOMMU_STATE_INFORMATION - { - SYSTEM_IOMMU_STATE State; - PVOID Pdo; - } SYSTEM_IOMMU_STATE_INFORMATION, *PSYSTEM_IOMMU_STATE_INFORMATION; - - // private - typedef struct _SYSTEM_HYPERVISOR_MINROOT_INFORMATION - { - ULONG NumProc; - ULONG RootProc; - ULONG RootProcNumaNodesSpecified; - USHORT RootProcNumaNodes[64]; - ULONG RootProcPerCore; - ULONG RootProcPerNode; - ULONG RootProcNumaNodesLpsSpecified; - HV_MINROOT_NUMA_LPS RootProcNumaNodeLps[64]; - } SYSTEM_HYPERVISOR_MINROOT_INFORMATION, *PSYSTEM_HYPERVISOR_MINROOT_INFORMATION; - - // private - typedef struct _SYSTEM_HYPERVISOR_BOOT_PAGES_INFORMATION - { - ULONG RangeCount; - ULONG_PTR RangeArray[1]; - } SYSTEM_HYPERVISOR_BOOT_PAGES_INFORMATION, *PSYSTEM_HYPERVISOR_BOOT_PAGES_INFORMATION; - - // private - typedef struct _SYSTEM_POINTER_AUTH_INFORMATION - { - union - { - USHORT SupportedFlags; - struct - { - USHORT AddressAuthSupported : 1; - USHORT AddressAuthQarma : 1; 
- USHORT GenericAuthSupported : 1; - USHORT GenericAuthQarma : 1; - USHORT AddressAuthFaulting : 1; - USHORT SupportedReserved : 11; - }; - }; - union - { - USHORT EnabledFlags; - struct - { - USHORT UserPerProcessIpAuthEnabled : 1; - USHORT UserGlobalIpAuthEnabled : 1; - USHORT UserEnabledReserved : 6; - USHORT KernelIpAuthEnabled : 1; - USHORT KernelEnabledReserved : 7; - }; - }; - } SYSTEM_POINTER_AUTH_INFORMATION, *PSYSTEM_POINTER_AUTH_INFORMATION; - - // private - typedef struct _SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_INPUT - { - ULONG Version; - PWSTR FeatureName; - ULONG BornOnVersion; - } SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_INPUT, *PSYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_INPUT; - - // private - typedef struct _SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_OUTPUT - { - ULONG Version; - BOOLEAN FeatureIsEnabled; - } SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_OUTPUT, *PSYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_OUTPUT; - - // private - typedef struct _SYSTEM_MEMORY_NUMA_INFORMATION_INPUT - { - ULONG Version; - ULONG TargetNodeNumber; - ULONG Flags; - } SYSTEM_MEMORY_NUMA_INFORMATION_INPUT, *PSYSTEM_MEMORY_NUMA_INFORMATION_INPUT; - - // private - typedef struct _SYSTEM_MEMORY_NUMA_INFORMATION_OUTPUT - { - ULONG Version; - ULONG Size; - ULONG InitiatorNode; - union - { - ULONG Flags; - struct - { - ULONG IsAttached : 1; - ULONG Reserved : 31; - }; - }; - } SYSTEM_MEMORY_NUMA_INFORMATION_OUTPUT, *PSYSTEM_MEMORY_NUMA_INFORMATION_OUTPUT; - - // private - typedef enum _SYSTEM_MEMORY_NUMA_PERFORMANCE_QUERY_DATA_TYPES - { - SystemMemoryNumaPerformanceQuery_ReadLatency, - SystemMemoryNumaPerformanceQuery_ReadBandwidth, - SystemMemoryNumaPerformanceQuery_WriteLatency, - SystemMemoryNumaPerformanceQuery_WriteBandwidth, - SystemMemoryNumaPerformanceQuery_Latency, - SystemMemoryNumaPerformanceQuery_Bandwidth, - SystemMemoryNumaPerformanceQuery_AllDataTypes, - SystemMemoryNumaPerformanceQuery_MaxDataType - } SYSTEM_MEMORY_NUMA_PERFORMANCE_QUERY_DATA_TYPES; - - // 
private - typedef struct _SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUT - { - ULONG Version; - ULONG TargetNodeNumber; - SYSTEM_MEMORY_NUMA_PERFORMANCE_QUERY_DATA_TYPES QueryDataType; - ULONG Flags; - } SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUT, *PSYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUT; - - // private - typedef struct _SYSTEM_MEMORY_NUMA_PERFORMANCE_ENTRY - { - ULONG InitiatorNodeNumber; - ULONG TargetNodeNumber; - SYSTEM_MEMORY_NUMA_PERFORMANCE_QUERY_DATA_TYPES DataType; - union - { - BOOLEAN Flags; - struct - { - BOOLEAN MinTransferSizeToAchieveValues : 1; - BOOLEAN NonSequentialTransfers : 1; - BOOLEAN Reserved : 6; - }; - }; - SIZE_T MinTransferSizeInBytes; - ULONG_PTR EntryValue; - } SYSTEM_MEMORY_NUMA_PERFORMANCE_ENTRY, *PSYSTEM_MEMORY_NUMA_PERFORMANCE_ENTRY; - - // private - typedef struct _SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_OUTPUT - { - ULONG Version; - ULONG Size; - ULONG EntryCount; - SYSTEM_MEMORY_NUMA_PERFORMANCE_ENTRY PerformanceEntries[1]; - } SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_OUTPUT, *PSYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_OUTPUT; - - // private - typedef struct _SYSTEM_OSL_RAMDISK_ENTRY - { - ULONG BlockSize; - ULONG_PTR BaseAddress; - SIZE_T Size; - } SYSTEM_OSL_RAMDISK_ENTRY, *PSYSTEM_OSL_RAMDISK_ENTRY; - - // private - typedef struct _SYSTEM_TRUSTEDAPPS_RUNTIME_INFORMATION - { - union - { - ULONGLONG Flags; - struct - { - ULONGLONG Supported : 1; - ULONGLONG Spare : 63; - }; - }; - PVOID RemoteBreakingRoutine; - } SYSTEM_TRUSTEDAPPS_RUNTIME_INFORMATION, *PSYSTEM_TRUSTEDAPPS_RUNTIME_INFORMATION; - - // private - typedef struct _SYSTEM_OSL_RAMDISK_INFORMATION - { - ULONG Version; - ULONG Count; - SYSTEM_OSL_RAMDISK_ENTRY Entries[1]; - } SYSTEM_OSL_RAMDISK_INFORMATION, *PSYSTEM_OSL_RAMDISK_INFORMATION; - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQuerySystemInformation( - _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, - _Out_writes_bytes_opt_(SystemInformationLength) 
PVOID SystemInformation, - _In_ ULONG SystemInformationLength, - _Out_opt_ PULONG ReturnLength); - -#if (PHNT_VERSION >= PHNT_WIN7) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQuerySystemInformationEx( - _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, - _In_reads_bytes_(InputBufferLength) PVOID InputBuffer, - _In_ ULONG InputBufferLength, - _Out_writes_bytes_opt_(SystemInformationLength) PVOID SystemInformation, - _In_ ULONG SystemInformationLength, - _Out_opt_ PULONG ReturnLength); -#endif - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetSystemInformation( - _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, - _In_reads_bytes_opt_(SystemInformationLength) PVOID SystemInformation, - _In_ ULONG SystemInformationLength); - - // SysDbg APIs - - // private - typedef enum _SYSDBG_COMMAND - { - SysDbgQueryModuleInformation, - SysDbgQueryTraceInformation, - SysDbgSetTracepoint, - SysDbgSetSpecialCall, // PVOID - SysDbgClearSpecialCalls, // void - SysDbgQuerySpecialCalls, - SysDbgBreakPoint, - SysDbgQueryVersion, // DBGKD_GET_VERSION64 - SysDbgReadVirtual, // SYSDBG_VIRTUAL - SysDbgWriteVirtual, // SYSDBG_VIRTUAL - SysDbgReadPhysical, // SYSDBG_PHYSICAL // 10 - SysDbgWritePhysical, // SYSDBG_PHYSICAL - SysDbgReadControlSpace, // SYSDBG_CONTROL_SPACE - SysDbgWriteControlSpace, // SYSDBG_CONTROL_SPACE - SysDbgReadIoSpace, // SYSDBG_IO_SPACE - SysDbgWriteIoSpace, // SYSDBG_IO_SPACE - SysDbgReadMsr, // SYSDBG_MSR - SysDbgWriteMsr, // SYSDBG_MSR - SysDbgReadBusData, // SYSDBG_BUS_DATA - SysDbgWriteBusData, // SYSDBG_BUS_DATA - SysDbgCheckLowMemory, // 20 - SysDbgEnableKernelDebugger, - SysDbgDisableKernelDebugger, - SysDbgGetAutoKdEnable, - SysDbgSetAutoKdEnable, - SysDbgGetPrintBufferSize, - SysDbgSetPrintBufferSize, - SysDbgGetKdUmExceptionEnable, - SysDbgSetKdUmExceptionEnable, - SysDbgGetTriageDump, // SYSDBG_TRIAGE_DUMP - SysDbgGetKdBlockEnable, // 30 - SysDbgSetKdBlockEnable, - SysDbgRegisterForUmBreakInfo, - SysDbgGetUmBreakPid, - SysDbgClearUmBreakPid, - 
SysDbgGetUmAttachPid, - SysDbgClearUmAttachPid, - SysDbgGetLiveKernelDump, // SYSDBG_LIVEDUMP_CONTROL - SysDbgKdPullRemoteFile, // SYSDBG_KD_PULL_REMOTE_FILE - SysDbgMaxInfoClass - } SYSDBG_COMMAND, - *PSYSDBG_COMMAND; - - typedef struct _SYSDBG_VIRTUAL - { - PVOID Address; - PVOID Buffer; - ULONG Request; - } SYSDBG_VIRTUAL, *PSYSDBG_VIRTUAL; - - typedef struct _SYSDBG_PHYSICAL - { - PHYSICAL_ADDRESS Address; - PVOID Buffer; - ULONG Request; - } SYSDBG_PHYSICAL, *PSYSDBG_PHYSICAL; - - typedef struct _SYSDBG_CONTROL_SPACE - { - ULONG64 Address; - PVOID Buffer; - ULONG Request; - ULONG Processor; - } SYSDBG_CONTROL_SPACE, *PSYSDBG_CONTROL_SPACE; - - enum _INTERFACE_TYPE; - - typedef struct _SYSDBG_IO_SPACE - { - ULONG64 Address; - PVOID Buffer; - ULONG Request; - enum _INTERFACE_TYPE InterfaceType; - ULONG BusNumber; - ULONG AddressSpace; - } SYSDBG_IO_SPACE, *PSYSDBG_IO_SPACE; - - typedef struct _SYSDBG_MSR - { - ULONG Msr; - ULONG64 Data; - } SYSDBG_MSR, *PSYSDBG_MSR; - - enum _BUS_DATA_TYPE; - - typedef struct _SYSDBG_BUS_DATA - { - ULONG Address; - PVOID Buffer; - ULONG Request; - enum _BUS_DATA_TYPE BusDataType; - ULONG BusNumber; - ULONG SlotNumber; - } SYSDBG_BUS_DATA, *PSYSDBG_BUS_DATA; - - // private - typedef struct _SYSDBG_TRIAGE_DUMP - { - ULONG Flags; - ULONG BugCheckCode; - ULONG_PTR BugCheckParam1; - ULONG_PTR BugCheckParam2; - ULONG_PTR BugCheckParam3; - ULONG_PTR BugCheckParam4; - ULONG ProcessHandles; - ULONG ThreadHandles; - PHANDLE Handles; - } SYSDBG_TRIAGE_DUMP, *PSYSDBG_TRIAGE_DUMP; - - // private - typedef union _SYSDBG_LIVEDUMP_CONTROL_FLAGS - { - struct - { - ULONG UseDumpStorageStack : 1; - ULONG CompressMemoryPagesData : 1; - ULONG IncludeUserSpaceMemoryPages : 1; - ULONG AbortIfMemoryPressure : 1; // REDSTONE4 - ULONG SelectiveDump : 1; // WIN11 - ULONG Reserved : 27; - }; - ULONG AsUlong; - } SYSDBG_LIVEDUMP_CONTROL_FLAGS, *PSYSDBG_LIVEDUMP_CONTROL_FLAGS; - - // private - typedef union _SYSDBG_LIVEDUMP_CONTROL_ADDPAGES - { - struct - { 
- ULONG HypervisorPages : 1; - ULONG NonEssentialHypervisorPages : 1; // since WIN11 - ULONG Reserved : 30; - }; - ULONG AsUlong; - } SYSDBG_LIVEDUMP_CONTROL_ADDPAGES, *PSYSDBG_LIVEDUMP_CONTROL_ADDPAGES; - -#define SYSDBG_LIVEDUMP_SELECTIVE_CONTROL_VERSION 1 - - // rev - typedef struct _SYSDBG_LIVEDUMP_SELECTIVE_CONTROL - { - ULONG Version; - ULONG Size; - union - { - ULONGLONG Flags; - struct - { - ULONGLONG ThreadKernelStacks : 1; - ULONGLONG ReservedFlags : 63; - }; - }; - ULONGLONG Reserved[4]; - } SYSDBG_LIVEDUMP_SELECTIVE_CONTROL, *PSYSDBG_LIVEDUMP_SELECTIVE_CONTROL; - -#define SYSDBG_LIVEDUMP_CONTROL_VERSION_1 1 -#define SYSDBG_LIVEDUMP_CONTROL_VERSION_2 2 -#define SYSDBG_LIVEDUMP_CONTROL_VERSION SYSDBG_LIVEDUMP_CONTROL_VERSION_2 - - // private - typedef struct _SYSDBG_LIVEDUMP_CONTROL_V1 - { - ULONG Version; - ULONG BugCheckCode; - ULONG_PTR BugCheckParam1; - ULONG_PTR BugCheckParam2; - ULONG_PTR BugCheckParam3; - ULONG_PTR BugCheckParam4; - HANDLE DumpFileHandle; - HANDLE CancelEventHandle; - SYSDBG_LIVEDUMP_CONTROL_FLAGS Flags; - SYSDBG_LIVEDUMP_CONTROL_ADDPAGES AddPagesControl; - } SYSDBG_LIVEDUMP_CONTROL_V1, *PSYSDBG_LIVEDUMP_CONTROL_V1; - - // private - typedef struct _SYSDBG_LIVEDUMP_CONTROL - { - ULONG Version; - ULONG BugCheckCode; - ULONG_PTR BugCheckParam1; - ULONG_PTR BugCheckParam2; - ULONG_PTR BugCheckParam3; - ULONG_PTR BugCheckParam4; - HANDLE DumpFileHandle; - HANDLE CancelEventHandle; - SYSDBG_LIVEDUMP_CONTROL_FLAGS Flags; - SYSDBG_LIVEDUMP_CONTROL_ADDPAGES AddPagesControl; - PSYSDBG_LIVEDUMP_SELECTIVE_CONTROL SelectiveControl; // since WIN11 - } SYSDBG_LIVEDUMP_CONTROL, *PSYSDBG_LIVEDUMP_CONTROL; - - // private - typedef struct _SYSDBG_KD_PULL_REMOTE_FILE - { - UNICODE_STRING ImageFileName; - } SYSDBG_KD_PULL_REMOTE_FILE, *PSYSDBG_KD_PULL_REMOTE_FILE; - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSystemDebugControl( - _In_ SYSDBG_COMMAND Command, - _Inout_updates_bytes_opt_(InputBufferLength) PVOID InputBuffer, - _In_ ULONG InputBufferLength, - 
_Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer, - _In_ ULONG OutputBufferLength, - _Out_opt_ PULONG ReturnLength); - - // Hard errors - - typedef enum _HARDERROR_RESPONSE_OPTION - { - OptionAbortRetryIgnore, - OptionOk, - OptionOkCancel, - OptionRetryCancel, - OptionYesNo, - OptionYesNoCancel, - OptionShutdownSystem, - OptionOkNoWait, - OptionCancelTryContinue - } HARDERROR_RESPONSE_OPTION; - - typedef enum _HARDERROR_RESPONSE - { - ResponseReturnToCaller, - ResponseNotHandled, - ResponseAbort, - ResponseCancel, - ResponseIgnore, - ResponseNo, - ResponseOk, - ResponseRetry, - ResponseYes, - ResponseTryAgain, - ResponseContinue - } HARDERROR_RESPONSE; - -#define HARDERROR_OVERRIDE_ERRORMODE 0x10000000 - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtRaiseHardError( - _In_ NTSTATUS ErrorStatus, - _In_ ULONG NumberOfParameters, - _In_ ULONG UnicodeStringParameterMask, - _In_reads_(NumberOfParameters) PULONG_PTR Parameters, - _In_ ULONG ValidResponseOptions, - _Out_ PULONG Response); - - // - // Kernel-user shared data - // - - typedef enum _ALTERNATIVE_ARCHITECTURE_TYPE - { - StandardDesign, - NEC98x86, - EndAlternatives - } ALTERNATIVE_ARCHITECTURE_TYPE; - -#define PROCESSOR_FEATURE_MAX 64 - -#define MAX_WOW64_SHARED_ENTRIES 16 - - // - // Define NX support policy values. - // - -#define NX_SUPPORT_POLICY_ALWAYSOFF 0 -#define NX_SUPPORT_POLICY_ALWAYSON 1 -#define NX_SUPPORT_POLICY_OPTIN 2 -#define NX_SUPPORT_POLICY_OPTOUT 3 - - // - // SEH chain validation policies. - // - -#define SEH_VALIDATION_POLICY_ON 0 -#define SEH_VALIDATION_POLICY_OFF 1 -#define SEH_VALIDATION_POLICY_TELEMETRY 2 -#define SEH_VALIDATION_POLICY_DEFER 3 - - // - // Global shared data flags and manipulation macros. 
- // - -#define SHARED_GLOBAL_FLAGS_ERROR_PORT_V 0x0 -#define SHARED_GLOBAL_FLAGS_ERROR_PORT \ - (1UL << SHARED_GLOBAL_FLAGS_ERROR_PORT_V) - -#define SHARED_GLOBAL_FLAGS_ELEVATION_ENABLED_V 0x1 -#define SHARED_GLOBAL_FLAGS_ELEVATION_ENABLED \ - (1UL << SHARED_GLOBAL_FLAGS_ELEVATION_ENABLED_V) - -#define SHARED_GLOBAL_FLAGS_VIRT_ENABLED_V 0x2 -#define SHARED_GLOBAL_FLAGS_VIRT_ENABLED \ - (1UL << SHARED_GLOBAL_FLAGS_VIRT_ENABLED_V) - -#define SHARED_GLOBAL_FLAGS_INSTALLER_DETECT_ENABLED_V 0x3 -#define SHARED_GLOBAL_FLAGS_INSTALLER_DETECT_ENABLED \ - (1UL << SHARED_GLOBAL_FLAGS_INSTALLER_DETECT_ENABLED_V) - -#define SHARED_GLOBAL_FLAGS_LKG_ENABLED_V 0x4 -#define SHARED_GLOBAL_FLAGS_LKG_ENABLED \ - (1UL << SHARED_GLOBAL_FLAGS_LKG_ENABLED_V) - -#define SHARED_GLOBAL_FLAGS_DYNAMIC_PROC_ENABLED_V 0x5 -#define SHARED_GLOBAL_FLAGS_DYNAMIC_PROC_ENABLED \ - (1UL << SHARED_GLOBAL_FLAGS_DYNAMIC_PROC_ENABLED_V) - -#define SHARED_GLOBAL_FLAGS_CONSOLE_BROKER_ENABLED_V 0x6 -#define SHARED_GLOBAL_FLAGS_CONSOLE_BROKER_ENABLED \ - (1UL << SHARED_GLOBAL_FLAGS_CONSOLE_BROKER_ENABLED_V) - -#define SHARED_GLOBAL_FLAGS_SECURE_BOOT_ENABLED_V 0x7 -#define SHARED_GLOBAL_FLAGS_SECURE_BOOT_ENABLED \ - (1UL << SHARED_GLOBAL_FLAGS_SECURE_BOOT_ENABLED_V) - -#define SHARED_GLOBAL_FLAGS_MULTI_SESSION_SKU_V 0x8 -#define SHARED_GLOBAL_FLAGS_MULTI_SESSION_SKU \ - (1UL << SHARED_GLOBAL_FLAGS_MULTI_SESSION_SKU_V) - -#define SHARED_GLOBAL_FLAGS_MULTIUSERS_IN_SESSION_SKU_V 0x9 -#define SHARED_GLOBAL_FLAGS_MULTIUSERS_IN_SESSION_SKU \ - (1UL << SHARED_GLOBAL_FLAGS_MULTIUSERS_IN_SESSION_SKU_V) - -#define SHARED_GLOBAL_FLAGS_STATE_SEPARATION_ENABLED_V 0xA -#define SHARED_GLOBAL_FLAGS_STATE_SEPARATION_ENABLED \ - (1UL << SHARED_GLOBAL_FLAGS_STATE_SEPARATION_ENABLED_V) - -#define SHARED_GLOBAL_FLAGS_SET_GLOBAL_DATA_FLAG 0x40000000 -#define SHARED_GLOBAL_FLAGS_CLEAR_GLOBAL_DATA_FLAG 0x80000000 - - // - // Define legal values for the SystemCall member. 
- // - -#define SYSTEM_CALL_SYSCALL 0 -#define SYSTEM_CALL_INT_2E 1 - - // - // Define flags for QPC bypass information. None of these flags may be set - // unless bypass is enabled. This is for compat with existing code which - // compares this value to zero to detect bypass enablement. - // - -#define SHARED_GLOBAL_FLAGS_QPC_BYPASS_ENABLED (0x01) -#define SHARED_GLOBAL_FLAGS_QPC_BYPASS_USE_HV_PAGE (0x02) -#define SHARED_GLOBAL_FLAGS_QPC_BYPASS_DISABLE_32BIT (0x04) -#define SHARED_GLOBAL_FLAGS_QPC_BYPASS_USE_MFENCE (0x10) -#define SHARED_GLOBAL_FLAGS_QPC_BYPASS_USE_LFENCE (0x20) -#define SHARED_GLOBAL_FLAGS_QPC_BYPASS_A73_ERRATA (0x40) -#define SHARED_GLOBAL_FLAGS_QPC_BYPASS_USE_RDTSCP (0x80) - - typedef struct _KUSER_SHARED_DATA - { - // - // Current low 32-bit of tick count and tick count multiplier. - // - // N.B. The tick count is updated each time the clock ticks. - // - - ULONG TickCountLowDeprecated; - ULONG TickCountMultiplier; - - // - // Current 64-bit interrupt time in 100ns units. - // - - volatile KSYSTEM_TIME InterruptTime; - - // - // Current 64-bit system time in 100ns units. - // - - volatile KSYSTEM_TIME SystemTime; - - // - // Current 64-bit time zone bias. - // - - volatile KSYSTEM_TIME TimeZoneBias; - - // - // Support image magic number range for the host system. - // - // N.B. This is an inclusive range. - // - - USHORT ImageNumberLow; - USHORT ImageNumberHigh; - - // - // Copy of system root in unicode. - // - // N.B. This field must be accessed via the RtlGetNtSystemRoot API for - // an accurate result. - // - - WCHAR NtSystemRoot[260]; - - // - // Maximum stack trace depth if tracing enabled. - // - - ULONG MaxStackTraceDepth; - - // - // Crypto exponent value. - // - - ULONG CryptoExponent; - - // - // Time zone ID. - // - - ULONG TimeZoneId; - - ULONG LargePageMinimum; - - // - // This value controls the AIT Sampling rate. - // - - ULONG AitSamplingValue; - - // - // This value controls switchback processing. 
- // - - ULONG AppCompatFlag; - - // - // Current Kernel Root RNG state seed version - // - - ULONGLONG RNGSeedVersion; - - // - // This value controls assertion failure handling. - // - - ULONG GlobalValidationRunlevel; - - volatile LONG TimeZoneBiasStamp; - - // - // The shared collective build number undecorated with C or F. - // GetVersionEx hides the real number - // - - ULONG NtBuildNumber; - - // - // Product type. - // - // N.B. This field must be accessed via the RtlGetNtProductType API for - // an accurate result. - // - - NT_PRODUCT_TYPE NtProductType; - BOOLEAN ProductTypeIsValid; - BOOLEAN Reserved0[1]; - USHORT NativeProcessorArchitecture; - - // - // The NT Version. - // - // N. B. Note that each process sees a version from its PEB, but if the - // process is running with an altered view of the system version, - // the following two fields are used to correctly identify the - // version - // - - ULONG NtMajorVersion; - ULONG NtMinorVersion; - - // - // Processor features. - // - - BOOLEAN ProcessorFeatures[PROCESSOR_FEATURE_MAX]; - - // - // Reserved fields - do not use. - // - - ULONG Reserved1; - ULONG Reserved3; - - // - // Time slippage while in debugger. - // - - volatile ULONG TimeSlip; - - // - // Alternative system architecture, e.g., NEC PC98xx on x86. - // - - ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture; - - // - // Boot sequence, incremented for each boot attempt by the OS loader. - // - - ULONG BootId; - - // - // If the system is an evaluation unit, the following field contains the - // date and time that the evaluation unit expires. A value of 0 indicates - // that there is no expiration. A non-zero value is the UTC absolute time - // that the system expires. - // - - LARGE_INTEGER SystemExpirationDate; - - // - // Suite support. - // - // N.B. This field must be accessed via the RtlGetSuiteMask API for - // an accurate result. - // - - ULONG SuiteMask; - - // - // TRUE if a kernel debugger is connected/enabled. 
- // - - BOOLEAN KdDebuggerEnabled; - - // - // Mitigation policies. - // - - union - { - UCHAR MitigationPolicies; - struct - { - UCHAR NXSupportPolicy : 2; - UCHAR SEHValidationPolicy : 2; - UCHAR CurDirDevicesSkippedForDlls : 2; - UCHAR Reserved : 2; - }; - }; - - // - // Measured duration of a single processor yield, in cycles. This is used by - // lock packages to determine how many times to spin waiting for a state - // change before blocking. - // - - USHORT CyclesPerYield; - - // - // Current console session Id. Always zero on non-TS systems. - // - // N.B. This field must be accessed via the RtlGetActiveConsoleId API for an - // accurate result. - // - - volatile ULONG ActiveConsoleId; - - // - // Force-dismounts cause handles to become invalid. Rather than always - // probe handles, a serial number of dismounts is maintained that clients - // can use to see if they need to probe handles. - // - - volatile ULONG DismountCount; - - // - // This field indicates the status of the 64-bit COM+ package on the - // system. It indicates whether the Intermediate Language (IL) COM+ - // images need to use the 64-bit COM+ runtime or the 32-bit COM+ runtime. - // - - ULONG ComPlusPackage; - - // - // Time in tick count for system-wide last user input across all terminal - // sessions. For MP performance, it is not updated all the time (e.g. once - // a minute per session). It is used for idle detection. - // - - ULONG LastSystemRITEventTickCount; - - // - // Number of physical pages in the system. This can dynamically change as - // physical memory can be added or removed from a running system. This - // cell is too small to hold the non-truncated value on very large memory - // machines so code that needs the full value should access - // FullNumberOfPhysicalPages instead. - // - - ULONG NumberOfPhysicalPages; - - // - // True if the system was booted in safe boot mode. - // - - BOOLEAN SafeBootMode; - - // - // Virtualization flags. 
- // - - union - { - UCHAR VirtualizationFlags; - -#if defined(_ARM64_) - - // - // N.B. Keep this bitfield in sync with the one in arc.w. - // - - struct - { - UCHAR ArchStartedInEl2 : 1; - UCHAR QcSlIsSupported : 1; - UCHAR : 6; - }; - -#endif - }; - - // - // Reserved (available for reuse). - // - - UCHAR Reserved12[2]; - - // - // This is a packed bitfield that contains various flags concerning - // the system state. They must be manipulated using interlocked - // operations. - // - // N.B. DbgMultiSessionSku must be accessed via the RtlIsMultiSessionSku - // API for an accurate result - // - - union - { - ULONG SharedDataFlags; - struct - { - // - // The following bit fields are for the debugger only. Do not use. - // Use the bit definitions instead. - // - - ULONG DbgErrorPortPresent : 1; - ULONG DbgElevationEnabled : 1; - ULONG DbgVirtEnabled : 1; - ULONG DbgInstallerDetectEnabled : 1; - ULONG DbgLkgEnabled : 1; - ULONG DbgDynProcessorEnabled : 1; - ULONG DbgConsoleBrokerEnabled : 1; - ULONG DbgSecureBootEnabled : 1; - ULONG DbgMultiSessionSku : 1; - ULONG DbgMultiUsersInSessionSku : 1; - ULONG DbgStateSeparationEnabled : 1; - ULONG DbgSplitTokenEnabled : 1; - ULONG DbgShadowAdminEnabled : 1; - ULONG SpareBits : 19; - } DUMMYSTRUCTNAME2; - } DUMMYUNIONNAME2; - - ULONG DataFlagsPad[1]; - - // - // Depending on the processor, the code for fast system call will differ, - // Stub code is provided pointers below to access the appropriate code. - // - // N.B. The following field is only used on 32-bit systems. - // - - ULONGLONG TestRetInstruction; - - LONGLONG QpcFrequency; - - // - // On AMD64, this value is initialized to a nonzero value if the system - // operates with an altered view of the system service call mechanism. - // - - ULONG SystemCall; - - // - // Reserved field - do not use. Used to be UserCetAvailableEnvironments. - // - - ULONG Reserved2; - - // - // Full 64 bit version of the number of physical pages in the system. 
- // This can dynamically change as physical memory can be added or removed - // from a running system. - // - - ULONGLONG FullNumberOfPhysicalPages; - - // - // Reserved, available for reuse. - // - - ULONGLONG SystemCallPad[1]; - - // - // The 64-bit tick count. - // - - union - { - volatile KSYSTEM_TIME TickCount; - volatile ULONG64 TickCountQuad; - struct - { - ULONG ReservedTickCountOverlay[3]; - ULONG TickCountPad[1]; - } DUMMYSTRUCTNAME; - } DUMMYUNIONNAME3; - - // - // Cookie for encoding pointers system wide. - // - - ULONG Cookie; - ULONG CookiePad[1]; - - // - // Client id of the process having the focus in the current - // active console session id. - // - // N.B. This field must be accessed via the - // RtlGetConsoleSessionForegroundProcessId API for an accurate result. - // - - LONGLONG ConsoleSessionForegroundProcessId; - - // - // N.B. The following data is used to implement the precise time - // services. It is aligned on a 64-byte cache-line boundary and - // arranged in the order of typical accesses. - // - // Placeholder for the (internal) time update lock. - // - - ULONGLONG TimeUpdateLock; - - // - // The performance counter value used to establish the current system time. - // - - ULONGLONG BaselineSystemTimeQpc; - - // - // The performance counter value used to compute the last interrupt time. - // - - ULONGLONG BaselineInterruptTimeQpc; - - // - // The scaled number of system time seconds represented by a single - // performance count (this value may vary to achieve time synchronization). - // - - ULONGLONG QpcSystemTimeIncrement; - - // - // The scaled number of interrupt time seconds represented by a single - // performance count (this value is constant after the system is booted). - // - - ULONGLONG QpcInterruptTimeIncrement; - - // - // The scaling shift count applied to the performance counter system time - // increment. 
- // - - UCHAR QpcSystemTimeIncrementShift; - - // - // The scaling shift count applied to the performance counter interrupt time - // increment. - // - - UCHAR QpcInterruptTimeIncrementShift; - - // - // The count of unparked processors. - // - - USHORT UnparkedProcessorCount; - - // - // A bitmask of enclave features supported on this system. - // - // N.B. This field must be accessed via the RtlIsEnclaveFeaturePresent API for an - // accurate result. - // - - ULONG EnclaveFeatureMask[4]; - - // - // Current coverage round for telemetry based coverage. - // - - ULONG TelemetryCoverageRound; - - // - // The following field is used for ETW user mode global logging - // (UMGL). - // - - USHORT UserModeGlobalLogger[16]; - - // - // Settings that can enable the use of Image File Execution Options - // from HKCU in addition to the original HKLM. - // - - ULONG ImageFileExecutionOptions; - - // - // Generation of the kernel structure holding system language information - // - - ULONG LangGenerationCount; - - // - // Reserved (available for reuse). - // - - ULONGLONG Reserved4; - - // - // Current 64-bit interrupt time bias in 100ns units. - // - - volatile ULONGLONG InterruptTimeBias; - - // - // Current 64-bit performance counter bias, in performance counter units - // before the shift is applied. - // - - volatile ULONGLONG QpcBias; - - // - // Number of active processors and groups. - // - - ULONG ActiveProcessorCount; - volatile UCHAR ActiveGroupCount; - - // - // Reserved (available for re-use). - // - - UCHAR Reserved9; - - union - { - USHORT QpcData; - struct - { - // - // A bitfield indicating whether performance counter queries can - // read the counter directly (bypassing the system call) and flags. - // - - volatile UCHAR QpcBypassEnabled; - - // - // Reserved, leave as zero for backward compatibility. Was shift - // applied to the raw counter value to derive QPC count. 
- // - - UCHAR QpcReserved; - }; - }; - - LARGE_INTEGER TimeZoneBiasEffectiveStart; - LARGE_INTEGER TimeZoneBiasEffectiveEnd; - - // - // Extended processor state configuration (AMD64 and x86). - // - - XSTATE_CONFIGURATION XState; - - KSYSTEM_TIME FeatureConfigurationChangeStamp; - ULONG Spare; - - ULONG64 UserPointerAuthMask; - - // - // Extended processor state configuration (ARM64). The reserved space for - // other architectures is not available for reuse. - // - -#if defined(_ARM64_) - XSTATE_CONFIGURATION XStateArm64; -#else - ULONG Reserved10[210]; -#endif - } KUSER_SHARED_DATA, *PKUSER_SHARED_DATA; - - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountLowDeprecated) == 0x0); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountMultiplier) == 0x4); - C_ASSERT(__alignof(KSYSTEM_TIME) == 4); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, InterruptTime) == 0x08); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemTime) == 0x014); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBias) == 0x020); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ImageNumberLow) == 0x02c); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ImageNumberHigh) == 0x02e); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtSystemRoot) == 0x030); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, MaxStackTraceDepth) == 0x238); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, CryptoExponent) == 0x23c); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneId) == 0x240); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, LargePageMinimum) == 0x244); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, AitSamplingValue) == 0x248); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, AppCompatFlag) == 0x24c); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, RNGSeedVersion) == 0x250); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, GlobalValidationRunlevel) == 0x258); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBiasStamp) == 0x25c); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtBuildNumber) == 0x260); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtProductType) == 
0x264); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ProductTypeIsValid) == 0x268); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NativeProcessorArchitecture) == 0x26a); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtMajorVersion) == 0x26c); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtMinorVersion) == 0x270); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ProcessorFeatures) == 0x274); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved1) == 0x2b4); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved3) == 0x2b8); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeSlip) == 0x2bc); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, AlternativeArchitecture) == 0x2c0); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemExpirationDate) == 0x2c8); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SuiteMask) == 0x2d0); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, KdDebuggerEnabled) == 0x2d4); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, MitigationPolicies) == 0x2d5); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, CyclesPerYield) == 0x2d6); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ActiveConsoleId) == 0x2d8); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, DismountCount) == 0x2dc); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ComPlusPackage) == 0x2e0); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, LastSystemRITEventTickCount) == 0x2e4); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NumberOfPhysicalPages) == 0x2e8); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SafeBootMode) == 0x2ec); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, VirtualizationFlags) == 0x2ed); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved12) == 0x2ee); -#if defined(_MSC_EXTENSIONS) - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SharedDataFlags) == 0x2f0); -#endif - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TestRetInstruction) == 0x2f8); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcFrequency) == 0x300); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemCall) == 0x308); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved2) == 0x30c); - 
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemCallPad) == 0x318); // previously 0x310 -#if defined(_MSC_EXTENSIONS) - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCount) == 0x320); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountQuad) == 0x320); -#endif - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Cookie) == 0x330); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ConsoleSessionForegroundProcessId) == 0x338); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeUpdateLock) == 0x340); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, BaselineSystemTimeQpc) == 0x348); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, BaselineInterruptTimeQpc) == 0x350); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcSystemTimeIncrement) == 0x358); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcInterruptTimeIncrement) == 0x360); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcSystemTimeIncrementShift) == 0x368); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcInterruptTimeIncrementShift) == 0x369); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, UnparkedProcessorCount) == 0x36a); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, EnclaveFeatureMask) == 0x36c); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TelemetryCoverageRound) == 0x37c); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, UserModeGlobalLogger) == 0x380); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ImageFileExecutionOptions) == 0x3a0); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, LangGenerationCount) == 0x3a4); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved4) == 0x3a8); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, InterruptTimeBias) == 0x3b0); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcBias) == 0x3b8); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ActiveProcessorCount) == 0x3c0); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ActiveGroupCount) == 0x3c4); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved9) == 0x3c5); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcData) == 0x3c6); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcBypassEnabled) == 0x3c6); - 
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, QpcReserved) == 0x3c7); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBiasEffectiveStart) == 0x3c8); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBiasEffectiveEnd) == 0x3d0); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, XState) == 0x3d8); -#if !defined(NTDDI_WIN10_FE) || (NTDDI_VERSION < NTDDI_WIN10_FE) - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, FeatureConfigurationChangeStamp) == 0x710); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, UserPointerAuthMask) == 0x720); -#if defined(_ARM64_) - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, XStateArm64) == 0x728); -#else - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved10) == 0x728); -#endif -#if !defined(WINDOWS_IGNORE_PACKING_MISMATCH) - C_ASSERT(sizeof(KUSER_SHARED_DATA) == 0xa70); -#endif -#else - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, FeatureConfigurationChangeStamp) == 0x720); - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, UserPointerAuthMask) == 0x730); -#if defined(_ARM64_) - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, XStateArm64) == 0x738); -#else - C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved10) == 0x738); -#endif -#if !defined(WINDOWS_IGNORE_PACKING_MISMATCH) - C_ASSERT(sizeof(KUSER_SHARED_DATA) == 0xa80); -#endif -#endif - -#define USER_SHARED_DATA ((KUSER_SHARED_DATA *const)0x7ffe0000) - - FORCEINLINE - ULONGLONG - NtGetTickCount64( - VOID) - { - ULARGE_INTEGER tickCount; - -#ifdef _WIN64 - - tickCount.QuadPart = USER_SHARED_DATA->TickCountQuad; - -#else - - while (TRUE) - { - tickCount.HighPart = (ULONG)USER_SHARED_DATA->TickCount.High1Time; - tickCount.LowPart = USER_SHARED_DATA->TickCount.LowPart; - - if (tickCount.HighPart == (ULONG)USER_SHARED_DATA->TickCount.High2Time) - break; - - YieldProcessor(); - } - -#endif - - return (UInt32x32To64(tickCount.LowPart, USER_SHARED_DATA->TickCountMultiplier) >> 24) + - (UInt32x32To64(tickCount.HighPart, USER_SHARED_DATA->TickCountMultiplier) << 8); - } - - FORCEINLINE - ULONG - NtGetTickCount( - VOID) - { -#ifdef _WIN64 - 
- return (ULONG)((USER_SHARED_DATA->TickCountQuad * USER_SHARED_DATA->TickCountMultiplier) >> 24); - -#else - - ULARGE_INTEGER tickCount; - - while (TRUE) - { - tickCount.HighPart = (ULONG)USER_SHARED_DATA->TickCount.High1Time; - tickCount.LowPart = USER_SHARED_DATA->TickCount.LowPart; - - if (tickCount.HighPart == (ULONG)USER_SHARED_DATA->TickCount.High2Time) - break; - - YieldProcessor(); - } - - return (ULONG)((UInt32x32To64(tickCount.LowPart, USER_SHARED_DATA->TickCountMultiplier) >> 24) + - UInt32x32To64((tickCount.HighPart << 8) & 0xffffffff, USER_SHARED_DATA->TickCountMultiplier)); - -#endif - } - - // Locale - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryDefaultLocale( - _In_ BOOLEAN UserProfile, - _Out_ PLCID DefaultLocaleId); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetDefaultLocale( - _In_ BOOLEAN UserProfile, - _In_ LCID DefaultLocaleId); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryInstallUILanguage( - _Out_ LANGID *InstallUILanguageId); - -#if (PHNT_VERSION >= PHNT_VISTA) - // private - NTSYSCALLAPI - NTSTATUS - NTAPI - NtFlushInstallUILanguage( - _In_ LANGID InstallUILanguage, - _In_ ULONG SetComittedFlag); -#endif - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryDefaultUILanguage( - _Out_ LANGID *DefaultUILanguageId); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetDefaultUILanguage( - _In_ LANGID DefaultUILanguageId); - -#if (PHNT_VERSION >= PHNT_VISTA) - // private - NTSYSCALLAPI - NTSTATUS - NTAPI - NtIsUILanguageComitted( - VOID); -#endif - - // NLS - - // begin_private - -#if (PHNT_VERSION >= PHNT_VISTA) - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtInitializeNlsFiles( - _Out_ PVOID *BaseAddress, - _Out_ PLCID DefaultLocaleId, - _Out_ PLARGE_INTEGER DefaultCasingTableSize, - _Out_opt_ PULONG CurrentNLSVersion); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtGetNlsSectionPtr( - _In_ ULONG SectionType, - _In_ ULONG SectionData, - _In_ PVOID ContextData, - _Out_ PVOID *SectionPointer, - _Out_ PULONG SectionSize); - -#if (PHNT_VERSION < PHNT_WIN7) - - NTSYSCALLAPI - 
NTSTATUS - NTAPI - NtAcquireCMFViewOwnership( - _Out_ PULONGLONG TimeStamp, - _Out_ PBOOLEAN tokenTaken, - _In_ BOOLEAN replaceExisting); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtReleaseCMFViewOwnership( - VOID); - -#endif - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtMapCMFModule( - _In_ ULONG What, - _In_ ULONG Index, - _Out_opt_ PULONG CacheIndexOut, - _Out_opt_ PULONG CacheFlagsOut, - _Out_opt_ PULONG ViewSizeOut, - _Out_opt_ PVOID *BaseAddress); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtGetMUIRegistryInfo( - _In_ ULONG Flags, - _Inout_ PULONG DataSize, - _Out_ PVOID Data); - -#endif - - // end_private - - // Global atoms - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAddAtom( - _In_reads_bytes_opt_(Length) PCWSTR AtomName, - _In_ ULONG Length, - _Out_opt_ PRTL_ATOM Atom); - -#if (PHNT_VERSION >= PHNT_WIN8) - -#define ATOM_FLAG_GLOBAL 0x2 - - // rev - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAddAtomEx( - _In_reads_bytes_opt_(Length) PCWSTR AtomName, - _In_ ULONG Length, - _Out_opt_ PRTL_ATOM Atom, - _In_ ULONG Flags); - -#endif - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtFindAtom( - _In_reads_bytes_opt_(Length) PCWSTR AtomName, - _In_ ULONG Length, - _Out_opt_ PRTL_ATOM Atom); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtDeleteAtom( - _In_ RTL_ATOM Atom); - - typedef enum _ATOM_INFORMATION_CLASS - { - AtomBasicInformation, - AtomTableInformation - } ATOM_INFORMATION_CLASS; - - typedef struct _ATOM_BASIC_INFORMATION - { - USHORT UsageCount; - USHORT Flags; - USHORT NameLength; - _Field_size_bytes_(NameLength) WCHAR Name[1]; - } ATOM_BASIC_INFORMATION, *PATOM_BASIC_INFORMATION; - - typedef struct _ATOM_TABLE_INFORMATION - { - ULONG NumberOfAtoms; - _Field_size_(NumberOfAtoms) RTL_ATOM Atoms[1]; - } ATOM_TABLE_INFORMATION, *PATOM_TABLE_INFORMATION; - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryInformationAtom( - _In_ RTL_ATOM Atom, - _In_ ATOM_INFORMATION_CLASS AtomInformationClass, - _Out_writes_bytes_(AtomInformationLength) PVOID AtomInformation, - _In_ ULONG AtomInformationLength, - 
_Out_opt_ PULONG ReturnLength); - - // Global flags - -#define FLG_STOP_ON_EXCEPTION 0x00000001 // uk -#define FLG_SHOW_LDR_SNAPS 0x00000002 // uk -#define FLG_DEBUG_INITIAL_COMMAND 0x00000004 // k -#define FLG_STOP_ON_HUNG_GUI 0x00000008 // k - -#define FLG_HEAP_ENABLE_TAIL_CHECK 0x00000010 // u -#define FLG_HEAP_ENABLE_FREE_CHECK 0x00000020 // u -#define FLG_HEAP_VALIDATE_PARAMETERS 0x00000040 // u -#define FLG_HEAP_VALIDATE_ALL 0x00000080 // u - -#define FLG_APPLICATION_VERIFIER 0x00000100 // u -#define FLG_MONITOR_SILENT_PROCESS_EXIT 0x00000200 // uk -#define FLG_POOL_ENABLE_TAGGING 0x00000400 // k -#define FLG_HEAP_ENABLE_TAGGING 0x00000800 // u - -#define FLG_USER_STACK_TRACE_DB 0x00001000 // u,32 -#define FLG_KERNEL_STACK_TRACE_DB 0x00002000 // k,32 -#define FLG_MAINTAIN_OBJECT_TYPELIST 0x00004000 // k -#define FLG_HEAP_ENABLE_TAG_BY_DLL 0x00008000 // u - -#define FLG_DISABLE_STACK_EXTENSION 0x00010000 // u -#define FLG_ENABLE_CSRDEBUG 0x00020000 // k -#define FLG_ENABLE_KDEBUG_SYMBOL_LOAD 0x00040000 // k -#define FLG_DISABLE_PAGE_KERNEL_STACKS 0x00080000 // k - -#define FLG_ENABLE_SYSTEM_CRIT_BREAKS 0x00100000 // u -#define FLG_HEAP_DISABLE_COALESCING 0x00200000 // u -#define FLG_ENABLE_CLOSE_EXCEPTIONS 0x00400000 // k -#define FLG_ENABLE_EXCEPTION_LOGGING 0x00800000 // k - -#define FLG_ENABLE_HANDLE_TYPE_TAGGING 0x01000000 // k -#define FLG_HEAP_PAGE_ALLOCS 0x02000000 // u -#define FLG_DEBUG_INITIAL_COMMAND_EX 0x04000000 // k -#define FLG_DISABLE_DBGPRINT 0x08000000 // k - -#define FLG_CRITSEC_EVENT_CREATION 0x10000000 // u -#define FLG_LDR_TOP_DOWN 0x20000000 // u,64 -#define FLG_ENABLE_HANDLE_EXCEPTIONS 0x40000000 // k -#define FLG_DISABLE_PROTDLLS 0x80000000 // u - -#define FLG_VALID_BITS 0xfffffdff - -#define FLG_USERMODE_VALID_BITS (FLG_STOP_ON_EXCEPTION | \ - FLG_SHOW_LDR_SNAPS | \ - FLG_HEAP_ENABLE_TAIL_CHECK | \ - FLG_HEAP_ENABLE_FREE_CHECK | \ - FLG_HEAP_VALIDATE_PARAMETERS | \ - FLG_HEAP_VALIDATE_ALL | \ - FLG_APPLICATION_VERIFIER | \ - 
FLG_HEAP_ENABLE_TAGGING | \ - FLG_USER_STACK_TRACE_DB | \ - FLG_HEAP_ENABLE_TAG_BY_DLL | \ - FLG_DISABLE_STACK_EXTENSION | \ - FLG_ENABLE_SYSTEM_CRIT_BREAKS | \ - FLG_HEAP_DISABLE_COALESCING | \ - FLG_DISABLE_PROTDLLS | \ - FLG_HEAP_PAGE_ALLOCS | \ - FLG_CRITSEC_EVENT_CREATION | \ - FLG_LDR_TOP_DOWN) - -#define FLG_BOOTONLY_VALID_BITS (FLG_KERNEL_STACK_TRACE_DB | \ - FLG_MAINTAIN_OBJECT_TYPELIST | \ - FLG_ENABLE_CSRDEBUG | \ - FLG_DEBUG_INITIAL_COMMAND | \ - FLG_DEBUG_INITIAL_COMMAND_EX | \ - FLG_DISABLE_PAGE_KERNEL_STACKS) - -#define FLG_KERNELMODE_VALID_BITS (FLG_STOP_ON_EXCEPTION | \ - FLG_SHOW_LDR_SNAPS | \ - FLG_STOP_ON_HUNG_GUI | \ - FLG_POOL_ENABLE_TAGGING | \ - FLG_ENABLE_KDEBUG_SYMBOL_LOAD | \ - FLG_ENABLE_CLOSE_EXCEPTIONS | \ - FLG_ENABLE_EXCEPTION_LOGGING | \ - FLG_ENABLE_HANDLE_TYPE_TAGGING | \ - FLG_DISABLE_DBGPRINT | \ - FLG_ENABLE_HANDLE_EXCEPTIONS) - -// Licensing -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryLicenseValue( - _In_ PUNICODE_STRING ValueName, - _Out_opt_ PULONG Type, - _Out_writes_bytes_to_opt_(DataSize, *ResultDataSize) PVOID Data, - _In_ ULONG DataSize, - _Out_ PULONG ResultDataSize); -#endif - - // Misc. - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetDefaultHardErrorPort( - _In_ HANDLE DefaultHardErrorPort); - - typedef enum _SHUTDOWN_ACTION - { - ShutdownNoReboot, - ShutdownReboot, - ShutdownPowerOff, - ShutdownRebootForRecovery // since WIN11 - } SHUTDOWN_ACTION; - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtShutdownSystem( - _In_ SHUTDOWN_ACTION Action); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtDisplayString( - _In_ PUNICODE_STRING String); - - // Boot graphics - -#if (PHNT_VERSION >= PHNT_WIN7) - // rev - NTSYSCALLAPI - NTSTATUS - NTAPI - NtDrawText( - _In_ PUNICODE_STRING Text); -#endif - -#endif // (PHNT_MODE != PHNT_MODE_KERNEL) - -#endif - - /* - * Boot Configuration Data (BCD) support functions - * - * This file is part of System Informer. 
- */ - -#ifndef _NTBCD_H -#define _NTBCD_H - -#ifndef PHNT_INLINE_BCD_GUIDS - // 5189B25C-5558-4BF2-BCA4-289B11BD29E2 // {badmemory} - DEFINE_GUID(GUID_BAD_MEMORY_GROUP, 0x5189B25C, 0x5558, 0x4BF2, 0xBC, 0xA4, 0x28, 0x9B, 0x11, 0xBD, 0x29, 0xE2); - // 6EFB52BF-1766-41DB-A6B3-0EE5EFF72BD7 // {bootloadersettings} - DEFINE_GUID(GUID_BOOT_LOADER_SETTINGS_GROUP, 0x6EFB52BF, 0x1766, 0x41DB, 0xA6, 0xB3, 0x0E, 0xE5, 0xEF, 0xF7, 0x2B, 0xD7); - // FA926493-6F1C-4193-A414-58F0B2456D1E // {current} - DEFINE_GUID(GUID_CURRENT_BOOT_ENTRY, 0xFA926493, 0x6F1C, 0x4193, 0xA4, 0x14, 0x58, 0xF0, 0xB2, 0x45, 0x6D, 0x1E); - // 4636856E-540F-4170-A130-A84776F4C654 // {eventsettings} {dbgsettings} - DEFINE_GUID(GUID_DEBUGGER_SETTINGS_GROUP, 0x4636856E, 0x540F, 0x4170, 0xA1, 0x30, 0xA8, 0x47, 0x76, 0xF4, 0xC6, 0x54); - // 1CAE1EB7-A0DF-4D4D-9851-4860E34EF535 // {default} - DEFINE_GUID(GUID_DEFAULT_BOOT_ENTRY, 0x1CAE1EB7, 0xA0DF, 0x4D4D, 0x98, 0x51, 0x48, 0x60, 0xE3, 0x4E, 0xF5, 0x35); - // 0CE4991B-E6B3-4B16-B23C-5E0D9250E5D9 // {emssettings} - DEFINE_GUID(GUID_EMS_SETTINGS_GROUP, 0x0CE4991B, 0xE6B3, 0x4B16, 0xB2, 0x3C, 0x5E, 0x0D, 0x92, 0x50, 0xE5, 0xD9); - // A5A30FA2-3D06-4E9F-B5F4-A01DF9D1FCBA // {fwbootmgr} - DEFINE_GUID(GUID_FIRMWARE_BOOTMGR, 0xA5A30FA2, 0x3D06, 0x4E9F, 0xB5, 0xF4, 0xA0, 0x1D, 0xF9, 0xD1, 0xFC, 0xBA); - // 7EA2E1AC-2E61-4728-AAA3-896D9D0A9F0E // {globalsettings} - DEFINE_GUID(GUID_GLOBAL_SETTINGS_GROUP, 0x7EA2E1AC, 0x2E61, 0x4728, 0xAA, 0xA3, 0x89, 0x6D, 0x9D, 0x0A, 0x9F, 0x0E); - // 7FF607E0-4395-11DB-B0DE-0800200C9A66 // {hypervisorsettings} - DEFINE_GUID(GUID_HYPERVISOR_SETTINGS_GROUP, 0x7FF607E0, 0x4395, 0x11DB, 0xB0, 0xDE, 0x08, 0x00, 0x20, 0x0C, 0x9A, 0x66); - // 313E8EED-7098-4586-A9BF-309C61F8D449 // {kerneldbgsettings} - DEFINE_GUID(GUID_KERNEL_DEBUGGER_SETTINGS_GROUP, 0x313E8EED, 0x7098, 0x4586, 0xA9, 0xBF, 0x30, 0x9C, 0x61, 0xF8, 0xD4, 0x49); - // 1AFA9C49-16AB-4A5C-4A90-212802DA9460 // {resumeloadersettings} - 
DEFINE_GUID(GUID_RESUME_LOADER_SETTINGS_GROUP, 0x1AFA9C49, 0x16AB, 0x4A5C, 0x4A, 0x90, 0x21, 0x28, 0x02, 0xDA, 0x94, 0x60); - // 9DEA862C-5CDD-4E70-ACC1-F32B344D4795 // {bootmgr} - DEFINE_GUID(GUID_WINDOWS_BOOTMGR, 0x9DEA862C, 0x5CDD, 0x4E70, 0xAC, 0xC1, 0xF3, 0x2B, 0x34, 0x4D, 0x47, 0x95); - // 466F5A88-0AF2-4F76-9038-095B170DC21C // {ntldr} {legacy} - DEFINE_GUID(GUID_WINDOWS_LEGACY_NTLDR, 0x466F5A88, 0x0AF2, 0x4F76, 0x90, 0x38, 0x09, 0x5B, 0x17, 0x0D, 0xC2, 0x1C); - // B2721D73-1DB4-4C62-BF78-C548A880142D // {memdiag} - DEFINE_GUID(GUID_WINDOWS_MEMORY_TESTER, 0xB2721D73, 0x1DB4, 0x4C62, 0xBF, 0x78, 0xC5, 0x48, 0xA8, 0x80, 0x14, 0x2D); - // B012B84D-C47C-4ED5-B722-C0C42163E569 - DEFINE_GUID(GUID_WINDOWS_OS_TARGET_TEMPLATE_EFI, 0xB012B84D, 0xC47C, 0x4ED5, 0xB7, 0x22, 0xC0, 0xC4, 0x21, 0x63, 0xE5, 0x69); - // A1943BBC-EA85-487C-97C7-C9EDE908A38A - DEFINE_GUID(GUID_WINDOWS_OS_TARGET_TEMPLATE_PCAT, 0xA1943BBC, 0xEA85, 0x487C, 0x97, 0xC7, 0xC9, 0xED, 0xE9, 0x08, 0xA3, 0x8A); - // {0C334284-9A41-4DE1-99B3-A7E87E8FF07E} - DEFINE_GUID(GUID_WINDOWS_RESUME_TARGET_TEMPLATE_EFI, 0x0C334284, 0x9A41, 0x4DE1, 0x99, 0xB3, 0xA7, 0xE8, 0x7E, 0x8F, 0xF0, 0x7E); - // {98B02A23-0674-4CE7-BDAD-E0A15A8FF97B} - DEFINE_GUID(GUID_WINDOWS_RESUME_TARGET_TEMPLATE_PCAT, 0x98B02A23, 0x0674, 0x4CE7, 0xBD, 0xAD, 0xE0, 0xA1, 0x5A, 0x8F, 0xF9, 0x7B); - // 7254a080-1510-4e85-ac0f-e7fb3d444736 - DEFINE_GUID(GUID_WINDOWS_SETUP_EFI, 0x7254A080, 0x1510, 0x4E85, 0xAC, 0x0F, 0xE7, 0xFB, 0x3D, 0x44, 0x47, 0x36); - // CBD971BF-B7B8-4885-951A-FA03044F5D71 - DEFINE_GUID(GUID_WINDOWS_SETUP_PCAT, 0xCBD971BF, 0xB7B8, 0x4885, 0x95, 0x1A, 0xFA, 0x03, 0x04, 0x4F, 0x5D, 0x71); - // AE5534E0-A924-466C-B836-758539A3EE3A // {ramdiskoptions} - DEFINE_GUID(GUID_WINDOWS_SETUP_RAMDISK_OPTIONS, 0xAE5534E0, 0xA924, 0x466C, 0xB8, 0x36, 0x75, 0x85, 0x39, 0xA3, 0xEE, 0x3A); - // {7619dcc9-fafe-11d9-b411-000476eba25f} - DEFINE_GUID(GUID_WINDOWS_SETUP_BOOT_ENTRY, 0x7619dcc9, 0xfafe, 0x11d9, 0xb4, 0x11, 0x00, 0x04, 0x76, 0xeb, 
0xa2, 0x5f); - // {a62c8016-ca4e-4687-8032-d666c51a280c} - DEFINE_GUID(GUID_VHD_BOOT_OPTIONS, 0xa62c8016, 0xca4e, 0x4687, 0x80, 0x32, 0xd6, 0x66, 0xc5, 0x1a, 0x28, 0x0c); - // ebd0a0a2-b9e5-4433-87c0-68b6b72699c7 - DEFINE_GUID(PARTITION_BASIC_DATA_GUID, 0xebd0a0a2, 0xb9e5, 0x4433, 0x87, 0xc0, 0x68, 0xb6, 0xb7, 0x26, 0x99, 0xc7); - // db97dba9-0840-4bae-97f0-ffb9a327c7e1 - DEFINE_GUID(PARTITION_CLUSTER_GUID, 0xdb97dba9, 0x0840, 0x4bae, 0x97, 0xf0, 0xff, 0xb9, 0xa3, 0x27, 0xc7, 0xe1); - // 00000000-0000-0000-0000-000000000000 - DEFINE_GUID(PARTITION_ENTRY_UNUSED_GUID, 0x00000000, 0x0000, 0x0000, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00); - // af9b60a0-1431-4f62-bc68-3311714a69ad - DEFINE_GUID(PARTITION_LDM_DATA_GUID, 0xaf9b60a0, 0x1431, 0x4f62, 0xbc, 0x68, 0x33, 0x11, 0x71, 0x4a, 0x69, 0xad); - // 5808c8aa-7e8f-42e0-85d2-e1e90434cfb3 - DEFINE_GUID(PARTITION_LDM_METADATA_GUID, 0x5808c8aa, 0x7e8f, 0x42e0, 0x85, 0xd2, 0xe1, 0xe9, 0x04, 0x34, 0xcf, 0xb3); - // de94bba4-06d1-4d40-a16a-bfd50179d6ac - DEFINE_GUID(PARTITION_MSFT_RECOVERY_GUID, 0xde94bba4, 0x06d1, 0x4d40, 0xa1, 0x6a, 0xbf, 0xd5, 0x01, 0x79, 0xd6, 0xac); - // e3c9e316-0b5c-4db8-817d-f92df00215ae - DEFINE_GUID(PARTITION_MSFT_RESERVED_GUID, 0xe3c9e316, 0x0b5c, 0x4db8, 0x81, 0x7d, 0xf9, 0x2d, 0xf0, 0x02, 0x15, 0xae); - // caddebf1-4400-4de8-b103-12117dcf3cc - DEFINE_GUID(PARTITION_MSFT_SNAPSHOT_GUID, 0xcaddebf1, 0x4400, 0x4de8, 0xb1, 0x03, 0x12, 0x11, 0x7d, 0xcf, 0x3c, 0xcf); - // e75caf8f-f680-4cee-afa3-b001e56efc2d - DEFINE_GUID(PARTITION_SPACES_GUID, 0xe75caf8f, 0xf680, 0x4cee, 0xaf, 0xa3, 0xb0, 0x01, 0xe5, 0x6e, 0xfc, 0x2d); - // c12a7328-f81f-11d2-ba4b-00a0c93ec93b - DEFINE_GUID(PARTITION_SYSTEM_GUID, 0xc12a7328, 0xf81f, 0x11d2, 0xba, 0x4b, 0x00, 0xa0, 0xc9, 0x3e, 0xc9, 0x3b); -#else - NTSYSAPI GUID GUID_BAD_MEMORY_GROUP; // {badmemory} - NTSYSAPI GUID GUID_BOOT_LOADER_SETTINGS_GROUP; // {bootloadersettings} - NTSYSAPI GUID GUID_CURRENT_BOOT_ENTRY; // {current} - NTSYSAPI GUID 
GUID_DEBUGGER_SETTINGS_GROUP; // {eventsettings} {dbgsettings} - NTSYSAPI GUID GUID_DEFAULT_BOOT_ENTRY; // {default} - NTSYSAPI GUID GUID_EMS_SETTINGS_GROUP; // {emssettings} - NTSYSAPI GUID GUID_FIRMWARE_BOOTMGR; // {fwbootmgr} - NTSYSAPI GUID GUID_GLOBAL_SETTINGS_GROUP; // {globalsettings} - NTSYSAPI GUID GUID_HYPERVISOR_SETTINGS_GROUP; // {hypervisorsettings} - NTSYSAPI GUID GUID_KERNEL_DEBUGGER_SETTINGS_GROUP; // {kerneldbgsettings} - NTSYSAPI GUID GUID_RESUME_LOADER_SETTINGS_GROUP; // {resumeloadersettings} - NTSYSAPI GUID GUID_WINDOWS_BOOTMGR; // {bootmgr} - NTSYSAPI GUID GUID_WINDOWS_LEGACY_NTLDR; // {ntldr} {legacy} - NTSYSAPI GUID GUID_WINDOWS_MEMORY_TESTER; // {memdiag} - NTSYSAPI GUID GUID_WINDOWS_OS_TARGET_TEMPLATE_EFI; - NTSYSAPI GUID GUID_WINDOWS_OS_TARGET_TEMPLATE_PCAT; - NTSYSAPI GUID GUID_WINDOWS_RESUME_TARGET_TEMPLATE_EFI; - NTSYSAPI GUID GUID_WINDOWS_RESUME_TARGET_TEMPLATE_PCAT; - NTSYSAPI GUID GUID_WINDOWS_SETUP_EFI; - NTSYSAPI GUID GUID_WINDOWS_SETUP_PCAT; - NTSYSAPI GUID GUID_WINDOWS_SETUP_RAMDISK_OPTIONS; // {ramdiskoptions} - NTSYSAPI GUID GUID_VHD_BOOT_OPTIONS; - NTSYSAPI GUID PARTITION_BASIC_DATA_GUID; - NTSYSAPI GUID PARTITION_CLUSTER_GUID; - NTSYSAPI GUID PARTITION_ENTRY_UNUSED_GUID; - NTSYSAPI GUID PARTITION_LDM_DATA_GUID; - NTSYSAPI GUID PARTITION_LDM_METADATA_GUID; - NTSYSAPI GUID PARTITION_MSFT_RECOVERY_GUID; - NTSYSAPI GUID PARTITION_MSFT_RESERVED_GUID; - NTSYSAPI GUID PARTITION_MSFT_SNAPSHOT_GUID; - NTSYSAPI GUID PARTITION_SPACES_GUID; - NTSYSAPI GUID PARTITION_SYSTEM_GUID; -#endif - - typedef enum _BCD_MESSAGE_TYPE - { - BCD_MESSAGE_TYPE_NONE, - BCD_MESSAGE_TYPE_TRACE, - BCD_MESSAGE_TYPE_INFORMATION, - BCD_MESSAGE_TYPE_WARNING, - BCD_MESSAGE_TYPE_ERROR, - BCD_MESSAGE_TYPE_MAXIMUM - } BCD_MESSAGE_TYPE; - - typedef VOID(NTAPI *BCD_MESSAGE_CALLBACK)( - _In_ BCD_MESSAGE_TYPE type, - _In_ PCWSTR Message); - - /** - * Sets the logging level and callback routine for BCD messages. - * - * @param BcdLoggingLevel The logging level to set. 
- * @param BcdMessageCallbackRoutine The callback routine for BCD messages. - * @return NTSTATUS Successful or errant status. - */ - NTSYSAPI - NTSTATUS - NTAPI - BcdSetLogging( - _In_ BCD_MESSAGE_TYPE BcdLoggingLevel, - _In_ BCD_MESSAGE_CALLBACK BcdMessageCallbackRoutine); - - /** - * Initializes the BCD synchronization mutant. - */ - NTSYSAPI - VOID - NTAPI - BcdInitializeBcdSyncMutant( - VOID); - - /** - * Retrieves the file name for the BCD. - * - * @param BcdSystemStorePath The pointer to receive the system store path. - * @return NTSTATUS Successful or errant status. - */ - NTSYSAPI - NTSTATUS - NTAPI - BcdGetSystemStorePath( - _Out_ PWSTR *BcdSystemStorePath // RtlFreeHeap(RtlProcessHeap(), 0, BcdSystemStorePath); - ); - - /** - * Sets the device for the system BCD store. - * - * @param SystemPartition The system partition to set. - * @return NTSTATUS Successful or errant status. - */ - NTSYSAPI - NTSTATUS - NTAPI - BcdSetSystemStoreDevice( - _In_ PCUNICODE_STRING SystemPartition); - - /** - * Opens the BCD system store. - * - * @param BcdStoreHandle The handle to receive the system store. - * @return NTSTATUS Successful or errant status. - */ - NTSYSAPI - NTSTATUS - NTAPI - BcdOpenSystemStore( - _Out_ PHANDLE BcdStoreHandle); - - /** - * Opens a BCD store from a file. - * - * @param BcdFilePath The file path of the BCD store. - * @param BcdStoreHandle The handle to receive the BCD store. - * @return NTSTATUS Successful or errant status. - */ - NTSYSAPI - NTSTATUS - NTAPI - BcdOpenStoreFromFile( - _In_ PCUNICODE_STRING BcdFilePath, - _Out_ PHANDLE BcdStoreHandle); - - /** - * Creates a BCD store. - * - * @param BcdFilePath The file path to create the BCD store. - * @param BcdStoreHandle The handle to receive the BCD store. - * @return NTSTATUS Successful or errant status. - */ - NTSYSAPI - NTSTATUS - NTAPI - BcdCreateStore( - _In_ PCUNICODE_STRING BcdFilePath, - _Out_ PHANDLE BcdStoreHandle); - - /** - * Exports the BCD store to a file. 
- * - * @param BcdFilePath The file path to export the BCD store. - * @return NTSTATUS Successful or errant status. - */ - NTSYSAPI - NTSTATUS - NTAPI - BcdExportStore( - _In_ PCUNICODE_STRING BcdFilePath); - -#if (PHNT_VERSION > PHNT_WIN11) - /** - * Exports the BCD store to a file with additional flags. - * - * @param BcdStoreHandle The handle to the BCD store. - * @param Flags The flags for exporting the store. - * @param BcdFilePath The file path to export the BCD store. - * @return NTSTATUS Successful or errant status. - */ - NTSYSAPI - NTSTATUS - NTAPI - BcdExportStoreEx( - _In_ HANDLE BcdStoreHandle, - _In_ ULONG Flags, - _In_ PCUNICODE_STRING BcdFilePath); -#endif - - /** - * Imports a BCD store from a file. - * - * @param BcdFilePath The file path to import the BCD store. - * @return NTSTATUS Successful or errant status. - */ - NTSYSAPI - NTSTATUS - NTAPI - BcdImportStore( - _In_ PCUNICODE_STRING BcdFilePath); - - typedef enum _BCD_IMPORT_FLAGS - { - BCD_IMPORT_NONE, - BCD_IMPORT_DELETE_FIRMWARE_OBJECTS - } BCD_IMPORT_FLAGS; - - /** - * Imports a BCD store from a file with additional flags. - * - * @param BcdFilePath The file path to import the BCD store. - * @param BcdImportFlags The flags for importing the store. - * @return NTSTATUS Successful or errant status. - */ - NTSYSAPI - NTSTATUS - NTAPI - BcdImportStoreWithFlags( - _In_ PCUNICODE_STRING BcdFilePath, - _In_ BCD_IMPORT_FLAGS BcdImportFlags); - - /** - * Deletes object references in the BCD store. - * - * @param BcdStoreHandle The handle to the BCD store. - * @param Identifier The identifier of the object to delete references for. - * @return NTSTATUS Successful or errant status. - */ - NTSYSAPI - NTSTATUS - NTAPI - BcdDeleteObjectReferences( - _In_ HANDLE BcdStoreHandle, - _In_ PGUID Identifier); - - /** - * Deletes the system store for BCD. - * - * @return NTSTATUS Successful or errant status. 
- */ - NTSYSAPI - NTSTATUS - NTAPI - BcdDeleteSystemStore( - VOID); - - typedef enum _BCD_OPEN_FLAGS - { - BCD_OPEN_NONE, - BCD_OPEN_OPEN_STORE_OFFLINE, - BCD_OPEN_SYNC_FIRMWARE_ENTRIES - } BCD_OPEN_FLAGS; - - /** - * Opens a BCD store with additional flags. - * - * @param BcdFilePath The file path of the BCD store. - * @param BcdOpenFlags The flags for opening the store. - * @param BcdStoreHandle The handle to receive the BCD store. - * @return NTSTATUS Successful or errant status. - */ - NTSYSAPI - NTSTATUS - NTAPI - BcdOpenStore( - _In_ PCUNICODE_STRING BcdFilePath, - _In_ BCD_OPEN_FLAGS BcdOpenFlags, - _Out_ PHANDLE BcdStoreHandle); - - /** - * Closes a BCD store. - * - * @param BcdStoreHandle The handle to the BCD store. - * @return NTSTATUS Successful or errant status. - */ - NTSYSAPI - NTSTATUS - NTAPI - BcdCloseStore( - _In_ HANDLE BcdStoreHandle); - - /** - * Flushes a BCD store. - * - * @param BcdStoreHandle The handle to the BCD store. - * @return NTSTATUS Successful or errant status. - */ - NTSYSAPI - NTSTATUS - NTAPI - BcdFlushStore( - _In_ HANDLE BcdStoreHandle); - - /** - * Forcibly unloads a BCD store. - * - * @param BcdStoreHandle The handle to the BCD store. - * @return NTSTATUS Successful or errant status. 
- */ - NTSYSAPI - NTSTATUS - NTAPI - BcdForciblyUnloadStore( - _In_ HANDLE BcdStoreHandle); - - NTSYSAPI - NTSTATUS - NTAPI - BcdMarkAsSystemStore( - _In_ HANDLE BcdStoreHandle); - - typedef enum _BCD_OBJECT_TYPE - { - BCD_OBJECT_TYPE_NONE, - BCD_OBJECT_TYPE_APPLICATION, // 0x10000000 - BCD_OBJECT_TYPE_INHERITED, // 0x20000000 - BCD_OBJECT_TYPE_DEVICE, // 0x30000000 - } BCD_OBJECT_TYPE; - - typedef enum _BCD_APPLICATION_OBJECT_TYPE - { - BCD_APPLICATION_OBJECT_NONE = 0, - BCD_APPLICATION_OBJECT_FIRMWARE_BOOT_MANAGER = 1, // 0x00000001 - BCD_APPLICATION_OBJECT_WINDOWS_BOOT_MANAGER = 2, // 0x00000002 - BCD_APPLICATION_OBJECT_WINDOWS_BOOT_LOADER = 3, // 0x00000003 - BCD_APPLICATION_OBJECT_WINDOWS_RESUME_APPLICATION = 4, // 0x00000004 - BCD_APPLICATION_OBJECT_MEMORY_TESTER = 5, // 0x00000005 - BCD_APPLICATION_OBJECT_LEGACY_NTLDR = 6, // 0x00000006 - BCD_APPLICATION_OBJECT_LEGACY_SETUPLDR = 7, // 0x00000007 - BCD_APPLICATION_OBJECT_BOOT_SECTOR = 8, // 0x00000008 - BCD_APPLICATION_OBJECT_STARTUP_MODULE = 9, // 0x00000009 - BCD_APPLICATION_OBJECT_GENERIC_APPLICATION = 10, // 0x0000000a - BCD_APPLICATION_OBJECT_RESERVED = 0xFFFFF // 0x000fffff - } BCD_APPLICATION_OBJECT_TYPE; - - typedef enum _BCD_APPLICATION_IMAGE_TYPE - { - BCD_APPLICATION_IMAGE_NONE, - BCD_APPLICATION_IMAGE_FIRMWARE_APPLICATION, // 0x00100000 - BCD_APPLICATION_IMAGE_BOOT_APPLICATION, // 0x00200000 - BCD_APPLICATION_IMAGE_LEGACY_LOADER, // 0x00300000 - BCD_APPLICATION_IMAGE_REALMODE_CODE, // 0x00400000 - } BCD_APPLICATION_IMAGE_TYPE; - - typedef enum _BCD_INHERITED_CLASS_TYPE - { - BCD_INHERITED_CLASS_NONE, - BCD_INHERITED_CLASS_LIBRARY, - BCD_INHERITED_CLASS_APPLICATION, - BCD_INHERITED_CLASS_DEVICE - } BCD_INHERITED_CLASS_TYPE; - -#define MAKE_BCD_OBJECT(ObjectType, ImageType, ApplicationType) \ - (((ULONG)(ObjectType) << 28) | \ - (((ULONG)(ImageType) & 0xF) << 20) | \ - ((ULONG)(ApplicationType) & 0xFFFFF)) - -#define MAKE_BCD_APPLICATION_OBJECT(ImageType, ApplicationType) \ - 
MAKE_BCD_OBJECT(BCD_OBJECT_TYPE_APPLICATION, (ULONG)(ImageType), (ULONG)(ApplicationType)) - -#define GET_BCD_OBJECT_TYPE(DataType) \ - ((BCD_OBJECT_TYPE)(((((ULONG)DataType)) >> 28) & 0xF)) -#define GET_BCD_APPLICATION_IMAGE(DataType) \ - ((BCD_APPLICATION_IMAGE_TYPE)(((((ULONG)DataType)) >> 20) & 0xF)) -#define GET_BCD_APPLICATION_OBJECT(DataType) \ - ((BCD_APPLICATION_OBJECT_TYPE)((((ULONG)DataType)) & 0xFFFFF)) - -#define BCD_OBJECT_OSLOADER_TYPE \ - MAKE_BCD_APPLICATION_OBJECT(BCD_APPLICATION_IMAGE_BOOT_APPLICATION, BCD_APPLICATION_OBJECT_WINDOWS_BOOT_LOADER) - - typedef union _BCD_OBJECT_DATATYPE - { - ULONG PackedValue; - union - { - struct - { - ULONG Reserved : 28; - BCD_OBJECT_TYPE ObjectType : 4; - }; - struct - { - BCD_APPLICATION_OBJECT_TYPE ApplicationType : 20; - BCD_APPLICATION_IMAGE_TYPE ImageType : 4; - ULONG Reserved : 4; - BCD_OBJECT_TYPE ObjectType : 4; - } Application; - struct - { - ULONG Value : 20; - BCD_INHERITED_CLASS_TYPE Class : 4; - ULONG Reserved : 4; - BCD_OBJECT_TYPE ObjectType : 4; - } Inherit; - struct - { - ULONG Reserved : 28; - BCD_OBJECT_TYPE ObjectType : 4; - } Device; - }; - } BCD_OBJECT_DATATYPE, *PBCD_OBJECT_DATATYPE; - - static_assert(sizeof(BCD_OBJECT_DATATYPE) == sizeof(ULONG), "sizeof(BCD_OBJECT_DATATYPE) is invalid."); - -#define BCD_OBJECT_DESCRIPTION_VERSION 0x1 - - typedef struct _BCD_OBJECT_DESCRIPTION - { - ULONG Version; // BCD_OBJECT_DESCRIPTION_VERSION - ULONG Type; // BCD_OBJECT_DATATYPE - } BCD_OBJECT_DESCRIPTION, *PBCD_OBJECT_DESCRIPTION; - - typedef struct _BCD_OBJECT - { - GUID Identifer; - PBCD_OBJECT_DESCRIPTION Description; - } BCD_OBJECT, *PBCD_OBJECT; - - NTSYSAPI - NTSTATUS - NTAPI - BcdEnumerateObjects( - _In_ HANDLE BcdStoreHandle, - _In_ PBCD_OBJECT_DESCRIPTION BcdEnumDescriptor, - _Out_writes_bytes_opt_(*BufferSize) PVOID Buffer, // BCD_OBJECT[] - _Inout_ PULONG BufferSize, - _Out_ PULONG ObjectCount); - - NTSYSAPI - NTSTATUS - NTAPI - BcdOpenObject( - _In_ HANDLE BcdStoreHandle, - _In_ const 
GUID *Identifier, - _Out_ PHANDLE BcdObjectHandle); - - NTSYSAPI - NTSTATUS - NTAPI - BcdCreateObject( - _In_ HANDLE BcdStoreHandle, - _In_ PGUID Identifier, - _In_ PBCD_OBJECT_DESCRIPTION Description, - _Out_ PHANDLE BcdObjectHandle); - - NTSYSAPI - NTSTATUS - NTAPI - BcdDeleteObject( - _In_ HANDLE BcdObjectHandle); - - NTSYSAPI - NTSTATUS - NTAPI - BcdCloseObject( - _In_ HANDLE BcdObjectHandle); - - typedef enum _BCD_COPY_FLAGS - { - BCD_COPY_NONE = 0x0, - BCD_COPY_COPY_CREATE_NEW_OBJECT_IDENTIFIER = 0x1, - BCD_COPY_COPY_DELETE_EXISTING_OBJECT = 0x2, - BCD_COPY_COPY_UNKNOWN_FIRMWARE_APPLICATION = 0x4, - BCD_COPY_IGNORE_SETUP_TEMPLATE_ELEMENTS = 0x8, - BCD_COPY_RETAIN_ELEMENT_DATA = 0x10, - BCD_COPY_MIGRATE_ELEMENT_DATA = 0x20 - } BCD_COPY_FLAGS; - - NTSYSAPI - NTSTATUS - NTAPI - BcdCopyObject( - _In_ HANDLE BcdStoreHandle, - _In_ HANDLE BcdObjectHandle, - _In_ BCD_COPY_FLAGS BcdCopyFlags, - _In_ HANDLE TargetStoreHandle, - _Out_ PHANDLE TargetObjectHandle); - - NTSYSAPI - NTSTATUS - NTAPI - BcdCopyObjectEx( - _In_ HANDLE BcdStoreHandle, - _In_ HANDLE BcdObjectHandle, - _In_ BCD_COPY_FLAGS BcdCopyFlags, - _In_ HANDLE TargetStoreHandle, - _In_ PGUID TargetObjectId, - _Out_ PHANDLE TargetObjectHandle); - - NTSYSAPI - NTSTATUS - NTAPI - BcdCopyObjects( - _In_ HANDLE BcdStoreHandle, - _In_ PBCD_OBJECT_DESCRIPTION Characteristics, - _In_ BCD_COPY_FLAGS BcdCopyFlags, - _In_ HANDLE TargetStoreHandle); - - NTSYSAPI - NTSTATUS - NTAPI - BcdMigrateObjectElementValues( - _In_ HANDLE TemplateObjectHandle, - _In_ HANDLE SourceObjectHandle, - _In_ HANDLE TargetObjectHandle); - - NTSYSAPI - NTSTATUS - NTAPI - BcdQueryObject( - _In_ HANDLE BcdObjectHandle, - _In_ ULONG BcdVersion, // BCD_OBJECT_DESCRIPTION_VERSION - _Out_ BCD_OBJECT_DESCRIPTION Description, - _Out_ PGUID Identifier); - - typedef enum _BCD_ELEMENT_DATATYPE_FORMAT - { - BCD_ELEMENT_DATATYPE_FORMAT_UNKNOWN, - BCD_ELEMENT_DATATYPE_FORMAT_DEVICE, // 0x01000000 - BCD_ELEMENT_DATATYPE_FORMAT_STRING, // 0x02000000 - 
BCD_ELEMENT_DATATYPE_FORMAT_OBJECT, // 0x03000000 - BCD_ELEMENT_DATATYPE_FORMAT_OBJECTLIST, // 0x04000000 - BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, // 0x05000000 - BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, // 0x06000000 - BCD_ELEMENT_DATATYPE_FORMAT_INTEGERLIST, // 0x07000000 - BCD_ELEMENT_DATATYPE_FORMAT_BINARY // 0x08000000 - } BCD_ELEMENT_DATATYPE_FORMAT; - - typedef enum _BCD_ELEMENT_DATATYPE_CLASS - { - BCD_ELEMENT_DATATYPE_CLASS_NONE, - BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, // 0x10000000 - BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, // 0x20000000 - BCD_ELEMENT_DATATYPE_CLASS_DEVICE, // 0x30000000 - BCD_ELEMENT_DATATYPE_CLASS_SETUPTEMPLATE, // 0x40000000 - BCD_ELEMENT_DATATYPE_CLASS_OEM // 0x50000000 - } BCD_ELEMENT_DATATYPE_CLASS; - - typedef enum _BCD_ELEMENT_DEVICE_TYPE - { - BCD_ELEMENT_DEVICE_TYPE_NONE, - BCD_ELEMENT_DEVICE_TYPE_BOOT_DEVICE, - BCD_ELEMENT_DEVICE_TYPE_PARTITION, - BCD_ELEMENT_DEVICE_TYPE_FILE, - BCD_ELEMENT_DEVICE_TYPE_RAMDISK, - BCD_ELEMENT_DEVICE_TYPE_UNKNOWN, - BCD_ELEMENT_DEVICE_TYPE_QUALIFIED_PARTITION, - BCD_ELEMENT_DEVICE_TYPE_VMBUS, - BCD_ELEMENT_DEVICE_TYPE_LOCATE_DEVICE, - BCD_ELEMENT_DEVICE_TYPE_URI, - BCD_ELEMENT_DEVICE_TYPE_COMPOSITE - } BCD_ELEMENT_DEVICE_TYPE; - -#define MAKE_BCDE_DATA_TYPE(Class, Format, Subtype) \ - (((((ULONG)Class) & 0xF) << 28) | ((((ULONG)Format) & 0xF) << 24) | (((ULONG)Subtype) & 0x00FFFFFF)) - -#define GET_BCDE_DATA_CLASS(DataType) \ - ((BCD_ELEMENT_DATATYPE_CLASS)(((((ULONG)DataType)) >> 28) & 0xF)) -#define GET_BCDE_DATA_FORMAT(DataType) \ - ((BCD_ELEMENT_DATATYPE_FORMAT)(((((ULONG)DataType)) >> 24) & 0xF)) -#define GET_BCDE_DATA_SUBTYPE(DataType) \ - ((ULONG)((((ULONG)DataType)) & 0x00FFFFFF)) - - typedef union _BCD_ELEMENT_DATATYPE - { - ULONG PackedValue; - struct - { - ULONG SubType : 24; - BCD_ELEMENT_DATATYPE_FORMAT Format : 4; - BCD_ELEMENT_DATATYPE_CLASS Class : 4; - }; - } BCD_ELEMENT_DATATYPE, *PBCD_ELEMENT_DATATYPE; - - static_assert(sizeof(BCD_ELEMENT_DATATYPE) == sizeof(ULONG), 
"sizeof(BCD_ELEMENT_DATATYPE) is invalid."); - - NTSYSAPI - NTSTATUS - NTAPI - BcdEnumerateElementTypes( - _In_ HANDLE BcdObjectHandle, - _Out_writes_bytes_opt_(*BufferSize) PVOID Buffer, // BCD_ELEMENT_DATATYPE[] - _Inout_ PULONG BufferSize, - _Out_ PULONG ElementCount); - - typedef struct _BCD_ELEMENT_DEVICE_QUALIFIED_PARTITION - { - ULONG PartitionStyle; - ULONG Reserved; - struct - { - union - { - ULONG DiskSignature; - ULONG64 PartitionOffset; - } Mbr; - union - { - GUID DiskSignature; - GUID PartitionSignature; - } Gpt; - }; - } BCD_ELEMENT_DEVICE_QUALIFIED_PARTITION, *PBCD_ELEMENT_DEVICE_QUALIFIED_PARTITION; - - typedef struct _BCD_ELEMENT_DEVICE - { - ULONG DeviceType; - GUID AdditionalOptions; - struct - { - union - { - ULONG ParentOffset; - WCHAR Path[ANYSIZE_ARRAY]; - } File; - union - { - WCHAR Path[ANYSIZE_ARRAY]; - } Partition; - union - { - ULONG Type; - ULONG ParentOffset; - ULONG ElementType; - WCHAR Path[ANYSIZE_ARRAY]; - } Locate; - union - { - GUID InterfaceInstance; - } Vmbus; - union - { - ULONG Data[ANYSIZE_ARRAY]; - } Unknown; - BCD_ELEMENT_DEVICE_QUALIFIED_PARTITION QualifiedPartition; - }; - } BCD_ELEMENT_DEVICE, *PBCD_ELEMENT_DEVICE; - - typedef struct _BCD_ELEMENT_STRING - { - WCHAR Value[ANYSIZE_ARRAY]; - } BCD_ELEMENT_STRING, *PBCD_ELEMENT_STRING; - - typedef struct _BCD_ELEMENT_OBJECT - { - GUID Object; - } BCD_ELEMENT_OBJECT, *PBCD_ELEMENT_OBJECT; - - typedef struct _BCD_ELEMENT_OBJECT_LIST - { - GUID ObjectList[ANYSIZE_ARRAY]; - } BCD_ELEMENT_OBJECT_LIST, *PBCD_ELEMENT_OBJECT_LIST; - - typedef struct _BCD_ELEMENT_INTEGER - { - ULONG64 Value; - } BCD_ELEMENT_INTEGER, *PBCD_ELEMENT_INTEGER; - - typedef struct _BCD_ELEMENT_INTEGER_LIST - { - ULONG64 Value[ANYSIZE_ARRAY]; - } BCD_ELEMENT_INTEGER_LIST, *PBCD_ELEMENT_INTEGER_LIST; - - typedef struct _BCD_ELEMENT_BOOLEAN - { - BOOLEAN Value; - // BOOLEAN Pad; // sym - } BCD_ELEMENT_BOOLEAN, *PBCD_ELEMENT_BOOLEAN; - -#define BCD_ELEMENT_DESCRIPTION_VERSION 0x1 - - typedef struct 
BCD_ELEMENT_DESCRIPTION - { - ULONG Version; // BCD_ELEMENT_DESCRIPTION_VERSION - ULONG Type; - ULONG DataSize; - } BCD_ELEMENT_DESCRIPTION, *PBCD_ELEMENT_DESCRIPTION; - - typedef struct _BCD_ELEMENT - { - PBCD_ELEMENT_DESCRIPTION Description; - PVOID Data; - } BCD_ELEMENT, *PBCD_ELEMENT; - - NTSYSAPI - NTSTATUS - NTAPI - BcdEnumerateElements( - _In_ HANDLE BcdObjectHandle, - _Out_writes_bytes_opt_(*BufferSize) PVOID Buffer, // BCD_ELEMENT[] - _Inout_ PULONG BufferSize, - _Out_ PULONG ElementCount); - - typedef enum _BCD_FLAGS - { - BCD_FLAG_NONE = 0x0, - BCD_FLAG_QUALIFIED_PARTITION = 0x1, - BCD_FLAG_NO_DEVICE_TRANSLATION = 0x2, - BCD_FLAG_ENUMERATE_INHERITED_OBJECTS = 0x4, - BCD_FLAG_ENUMERATE_DEVICE_OPTIONS = 0x8, - BCD_FLAG_OBSERVE_PRECEDENCE = 0x10, - BCD_FLAG_DISABLE_VHD_NT_TRANSLATION = 0x20, - BCD_FLAG_DISABLE_VHD_DEVICE_DETECTION = 0x40, - BCD_FLAG_DISABLE_POLICY_CHECKS = 0x80 - } BCD_FLAGS; - - NTSYSAPI - NTSTATUS - NTAPI - BcdEnumerateElementsWithFlags( - _In_ HANDLE BcdObjectHandle, - _In_ BCD_FLAGS BcdFlags, - _Out_writes_bytes_opt_(*BufferSize) PVOID Buffer, // BCD_ELEMENT[] - _Inout_ PULONG BufferSize, - _Out_ PULONG ElementCount); - - NTSYSAPI - NTSTATUS - NTAPI - BcdEnumerateAndUnpackElements( - _In_ HANDLE BcdStoreHandle, - _In_ HANDLE BcdObjectHandle, - _In_ BCD_FLAGS BcdFlags, - _Out_writes_bytes_opt_(*BufferSize) PVOID Buffer, // BCD_ELEMENT[] - _Inout_ PULONG BufferSize, - _Out_ PULONG ElementCount); - - NTSYSAPI - NTSTATUS - NTAPI - BcdGetElementData( - _In_ HANDLE BcdObjectHandle, - _In_ ULONG BcdElement, // BCD_ELEMENT_DATATYPE - _Out_writes_bytes_opt_(*BufferSize) PVOID Buffer, - _Inout_ PULONG BufferSize); - - NTSYSAPI - NTSTATUS - NTAPI - BcdGetElementDataWithFlags( - _In_ HANDLE BcdObjectHandle, - _In_ ULONG BcdElement, // BCD_ELEMENT_DATATYPE - _In_ BCD_FLAGS BcdFlags, - _Out_writes_bytes_opt_(*BufferSize) PVOID Buffer, - _Inout_ PULONG BufferSize); - - NTSYSAPI - NTSTATUS - NTAPI - BcdSetElementData( - _In_ HANDLE BcdObjectHandle, - 
_In_ ULONG BcdElement, // BCD_ELEMENT_DATATYPE - _In_reads_bytes_opt_(BufferSize) PVOID Buffer, - _In_ ULONG BufferSize); - - NTSYSAPI - NTSTATUS - NTAPI - BcdSetElementDataWithFlags( - _In_ HANDLE BcdObjectHandle, - _In_ ULONG BcdElement, // BCD_ELEMENT_DATATYPE - _In_ BCD_FLAGS BcdFlags, - _In_reads_bytes_opt_(BufferSize) PVOID Buffer, - _In_ ULONG BufferSize); - - NTSYSAPI - NTSTATUS - NTAPI - BcdDeleteElement( - _In_ HANDLE BcdObjectHandle, - _In_ ULONG BcdElement // BCD_ELEMENT_DATATYPE - ); - - // - // Element types - // - - /** - * BCD configuration elements for the Boot Manager types. - */ - typedef enum _BcdBootMgrElementTypes - { - /** - * The order in which BCD objects should be displayed. [0x24000001] - * Objects are displayed using the string specified by the BcdLibraryString_Description element. - */ - BcdBootMgrObjectList_DisplayOrder = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_OBJECTLIST, 1), - /** - * List of boot environment applications the boot manager should execute. [0x24000002] - * The applications are executed in the order they appear in this list. - * If the firmware boot manager does not support loading multiple applications, this list cannot contain more than one entry. - */ - BcdBootMgrObjectList_BootSequence = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_OBJECTLIST, 2), - /** - * The default boot environment application to load if the user does not select one. [0x23000003] - */ - BcdBootMgrObject_DefaultObject = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_OBJECT, 3), - /** - * The maximum number of seconds a boot selection menu is to be displayed to the user. [0x25000004] - * The menu is displayed until the user selects an option or the time-out expires. - * If this value is not specified, the boot manager waits for the user to make a selection. 
- */ - BcdBootMgrInteger_Timeout = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 4), - /** - * Indicates that a resume operation should be attempted during a system restart. [0x26000005] - */ - BcdBootMgrBoolean_AttemptResume = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 5), - /** - * The resume application object. [0x23000006] - */ - BcdBootMgrObject_ResumeObject = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_OBJECT, 6), - /** - * The startup sequence. [0x24000007] - */ - BcdBootMgrObjectList_StartupSequence = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_OBJECTLIST, 7), - /** - * The boot manager tools display order list. [0x24000010] - */ - BcdBootMgrObjectList_ToolsDisplayOrder = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_OBJECTLIST, 16), - /** - * Forces the display of the legacy boot menu, regardless of the number of OS entries in the BCD store and their BcdOSLoaderInteger_BootMenuPolicy. [0x26000020] - */ - BcdBootMgrBoolean_DisplayBootMenu = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 32), - /** - * Indicates whether the display of errors should be suppressed. If this setting is enabled, the boot manager exits to the multi-OS menu on OS launch error. [0x26000021] - */ - BcdBootMgrBoolean_NoErrorDisplay = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 33), - /** - * The device on which the boot application resides. [0x21000022] - */ - BcdBootMgrDevice_BcdDevice = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_DEVICE, 34), - /** - * The boot application. 
[0x22000023] (BCDE_BOOTMGR_TYPE_BCD_FILEPATH) - */ - BcdBootMgrString_BcdFilePath = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 35), - /** - * Indicates whether HORM (Hibernate Once/Resume Many) is enabled. [0x26000024] - */ - BcdBootMgrBoolean_HormEnabled = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 36), - /** - * Indicates whether the system is in hibernation root mode. [0x26000025] - */ - BcdBootMgrBoolean_HiberRoot = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 37), - /** - * The password override string. [0x22000026] - */ - BcdBootMgrString_PasswordOverride = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 38), - /** - * The PIN/passphrase override string. [0x22000027] - */ - BcdBootMgrString_PinpassPhraseOverride = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 39), - /** - * Controls whether custom actions are processed before a boot sequence. Note This value is supported starting in Windows 8 and Windows Server 2012. [0x26000028] - */ - BcdBootMgrBoolean_ProcessCustomActionsFirst = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 40), - /** - * Custom Bootstrap Actions. [0x27000030] (BCDE_BOOTMGR_TYPE_CUSTOM_ACTIONS_LIST) - */ - BcdBootMgrIntegerList_CustomActionsList = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGERLIST, 48), - /** - * Controls whether a boot sequence persists across multiple boots. Note This value is supported starting in Windows 8 and Windows Server 2012. [0x26000031] - */ - BcdBootMgrBoolean_PersistBootSequence = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 49), - /** - * Indicates whether to skip the startup sequence. 
[0x26000032] - */ - BcdBootMgrBoolean_SkipStartupSequence = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 50), - } BcdBootMgrElementTypes; - - /** - * Specifies the policy for using the first megabyte of memory. - */ - typedef enum _BcdLibrary_FirstMegabytePolicy - { - /* Use none of the first megabyte of memory. */ - FirstMegabytePolicyUseNone, - /* Use all of the first megabyte of memory. */ - FirstMegabytePolicyUseAll, - /* Reserved for future use. */ - FirstMegabytePolicyUsePrivate - } BcdLibrary_FirstMegabytePolicy; - - /** - * Specifies the type of debugger. - */ - typedef enum _BcdLibrary_DebuggerType - { - /* Serial debugger. */ - DebuggerSerial = 0, - /* 1394 debugger. */ - Debugger1394 = 1, - /* USB debugger. */ - DebuggerUsb = 2, - /* Network debugger. */ - DebuggerNet = 3, - /* Local debugger. */ - DebuggerLocal = 4 - } BcdLibrary_DebuggerType; - - /** - * Specifies the start policy for the debugger. - */ - typedef enum _BcdLibrary_DebuggerStartPolicy - { - /* The debugger will start active. */ - DebuggerStartActive, - /** - * The debugger will start in the auto-enabled state. - * If a debugger is attached it will be used; otherwise the debugger port will be available for other applications. - */ - DebuggerStartAutoEnable, - /* The debugger will not start. */ - DebuggerStartDisable - } BcdLibrary_DebuggerStartPolicy; - - /** - * Specifies the access policy for PCI configuration space. - */ - typedef enum _BcdLibrary_ConfigAccessPolicy - { - /** - * Access to PCI configuration space through the memory-mapped region is allowed. - */ - ConfigAccessPolicyDefault, - /** - * Access to PCI configuration space through the memory-mapped region is not allowed. - * This setting is used for platforms that implement memory-mapped configuration space incorrectly. - * The CFC/CF8 access mechanism can be used to access configuration space on these platforms. 
- */ - ConfigAccessPolicyDisallowMmConfig - } BcdLibrary_ConfigAccessPolicy; - - /** - * Enumeration for UX Display Message Types in the Boot Configuration Data (BCD) library. - * This enumeration defines the different UX display message types that can be specified in the BCD library. - */ - typedef enum _BcdLibrary_UxDisplayMessageType - { - DisplayMessageTypeDefault = 0, /**< Default display message type. */ - DisplayMessageTypeResume = 1, /**< Display message type for resume. */ - DisplayMessageTypeHyperV = 2, /**< Display message type for Hyper-V. */ - DisplayMessageTypeRecovery = 3, /**< Display message type for recovery. */ - DisplayMessageTypeStartupRepair = 4, /**< Display message type for startup repair. */ - DisplayMessageTypeSystemImageRecovery = 5, /**< Display message type for system image recovery. */ - DisplayMessageTypeCommandPrompt = 6, /**< Display message type for command prompt. */ - DisplayMessageTypeSystemRestore = 7, /**< Display message type for system restore. */ - DisplayMessageTypePushButtonReset = 8 /**< Display message type for push button reset. */ - } BcdLibrary_UxDisplayMessageType; - - /** - * Enumeration for Safe Boot options in the Boot Configuration Data (BCD) library. - * This enumeration defines the different safe boot modes that can be specified in the BCD library. - */ - typedef enum BcdLibrary_SafeBoot - { - /** - * Load the drivers and services specified by name or group under the following registry key: - * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal. - */ - SafemodeMinimal = 0, - /** - * Load the drivers and services specified by name or group under the following registry key: - * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network. - */ - SafemodeNetwork = 1, - /** - * Boot the system into a repair mode that restores the Active Directory service from backup medium. 
- */ - SafemodeDsRepair = 2 - } BcdLibrary_SafeBoot; - - typedef enum _BcdLibrary_BootUxPolicy - { - BootUxPolicyDisabled = 0, - BootUxPolicyBasic = 1, - BootUxPolicyStandard = 2, - } BcdLibrary_BootUxPolicy; - - // BcdLibraryElementTypes based on geoffchappell: https://www.geoffchappell.com/notes/windows/boot/bcd/elements.htm (dmex) - typedef enum _BcdLibraryElementTypes - { - /// - /// Device on which a boot environment application resides. - /// - /// 0x11000001 - // alternate name: BCDE_LIBRARY_TYPE_APPLICATION_DEVICE - BcdLibraryDevice_ApplicationDevice = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_DEVICE, 1), - /// - /// Path to a boot environment application. - /// - /// 0x12000002 - // alternate name: BCDE_LIBRARY_TYPE_APPLICATION_PATH - BcdLibraryString_ApplicationPath = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 2), - /// - /// Display name of the boot environment application. - /// - /// 0x12000004 - // alternate name: BCDE_LIBRARY_TYPE_APPLICATION_DESCRIPTION - BcdLibraryString_Description = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 4), - /// - /// Preferred locale, in RFC 3066 format. - /// - /// 0x12000005 - // alternate name: BCDE_LIBRARY_TYPE_APPLICATION_PREFERRED_LOCALE - BcdLibraryString_PreferredLocale = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 5), - /// - /// List of BCD objects from which the current object should inherit elements. - /// - /// 0x14000006 - // alternate name: BCDE_LIBRARY_TYPE_APPLICATION_INHERITED_OBJECTS - BcdLibraryObjectList_InheritedObjects = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_OBJECTLIST, 6), - /// - /// Maximum physical address a boot environment application should recognize. All memory above this address is ignored. 
- /// - /// 0x15000007 - BcdLibraryInteger_TruncatePhysicalMemory = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 7), - /// - /// List of boot environment applications to be executed if the associated application fails. The applications are executed in the order they appear in this list. - /// - /// 0x14000008 - BcdLibraryObjectList_RecoverySequence = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_OBJECTLIST, 8), - /// - /// Indicates whether the recovery sequence executes automatically if the boot application fails. Otherwise, the recovery sequence only runs on demand. - /// - /// 0x16000009 - BcdLibraryBoolean_AutoRecoveryEnabled = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 9), - /// - /// List of page frame numbers describing faulty memory in the system. - /// - /// 0x1700000A - BcdLibraryIntegerList_BadMemoryList = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGERLIST, 10), - /// - /// If TRUE, indicates that a boot application can use memory listed in the BcdLibraryIntegerList_BadMemoryList. - /// - /// 0x1600000B - BcdLibraryBoolean_AllowBadMemoryAccess = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 11), - /// - /// Indicates how the first megabyte of memory is to be used. The Integer property is one of the values from the BcdLibrary_FirstMegabytePolicy enumeration. (BCDE_POLICY_LIBRARY_TYPE_FIRST_MEGABYTE_POLICY) - /// - /// 0x1500000C - BcdLibraryInteger_FirstMegabytePolicy = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 12), - /// - /// Relocates physical memory on certain AMD processors. - /// This value is not used in Windows 8 or Windows Server 2012. 
- /// - /// 0x1500000D - BcdLibraryInteger_RelocatePhysicalMemory = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 13), - /// - /// Specifies a minimum physical address to use in the boot environment. - /// - /// 0x1500000E - BcdLibraryInteger_AvoidLowPhysicalMemory = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 14), - /// - /// - /// - /// 0x1600000F - // alternate name: BCDE_LIBRARY_TYPE_TRADITIONAL_KSEG_MAPPINGS - BcdLibraryBoolean_TraditionalKsegMappings = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 15), - /// - /// Indicates whether the boot debugger should be enabled. - /// - /// 0x16000010 - BcdLibraryBoolean_DebuggerEnabled = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 16), - /// - /// Debugger type. The Integer property is one of the values from the BcdLibrary_DebuggerType enumeration. - /// - /// 0x15000011 - BcdLibraryInteger_DebuggerType = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 17), - /// - /// I/O port address for the serial debugger. - /// - /// 0x15000012 - BcdLibraryInteger_SerialDebuggerPortAddress = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 18), - /// - /// Serial port number for serial debugging. - /// If this value is not specified, the default is specified by the DBGP ACPI table settings. - /// - /// 0x15000013 - BcdLibraryInteger_SerialDebuggerPort = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 19), - /// - /// Baud rate for serial debugging. - /// - /// 0x15000014 - BcdLibraryInteger_SerialDebuggerBaudRate = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 20), - /// - /// Channel number for 1394 debugging. 
- ///
- /// 0x15000015
- BcdLibraryInteger_1394DebuggerChannel = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 21),
- ///
- /// The target name for the USB debugger. The target name is arbitrary but must match between the debugger and the debug target.
- ///
- /// 0x12000016
- BcdLibraryString_UsbDebuggerTargetName = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 22),
- ///
- /// If TRUE, the debugger will ignore user mode exceptions and only stop for kernel mode exceptions.
- ///
- /// 0x16000017
- BcdLibraryBoolean_DebuggerIgnoreUsermodeExceptions = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 23),
- ///
- /// Indicates the debugger start policy. The Integer property is one of the values from the BcdLibrary_DebuggerStartPolicy enumeration.
- ///
- /// 0x15000018
- BcdLibraryInteger_DebuggerStartPolicy = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 24),
- ///
- /// Defines the PCI bus, device, and function numbers of the debugging device. For example, 1.5.0 describes the debugging device on bus 1, device 5, function 0.
- ///
- /// 0x12000019
- BcdLibraryString_DebuggerBusParameters = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 25),
- ///
- /// Defines the host IP address for the network debugger.
- ///
- /// 0x1500001A
- BcdLibraryInteger_DebuggerNetHostIP = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 26),
- ///
- /// Defines the network port for the network debugger.
- ///
- /// 0x1500001B
- BcdLibraryInteger_DebuggerNetPort = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 27),
- ///
- /// Controls the use of DHCP by the network debugger. Setting this to false causes the OS to only use link-local addresses.
- /// This value is supported starting in Windows 8 and Windows Server 2012.
- ///
- /// 0x1600001C
- BcdLibraryBoolean_DebuggerNetDhcp = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 28),
- ///
- /// Holds the key used to encrypt the network debug connection.
- /// This value is supported starting in Windows 8 and Windows Server 2012.
- ///
- /// 0x1200001D
- BcdLibraryString_DebuggerNetKey = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 29),
- ///
- ///
- ///
- /// 0x1600001E
- BcdLibraryBoolean_DebuggerNetVM = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 30),
- ///
- ///
- ///
- /// 0x1200001F
- BcdLibraryString_DebuggerNetHostIpv6 = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 31),
- ///
- /// Indicates whether EMS redirection should be enabled.
- ///
- /// 0x16000020
- BcdLibraryBoolean_EmsEnabled = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 32),
- ///
- /// COM port number for EMS redirection.
- ///
- /// 0x15000022
- BcdLibraryInteger_EmsPort = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 34),
- ///
- /// Baud rate for EMS redirection.
- ///
- /// 0x15000023
- BcdLibraryInteger_EmsBaudRate = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 35),
- ///
- /// String that is appended to the load options string passed to the kernel to be consumed by kernel-mode components.
- /// This is useful for communicating with kernel-mode components that are not BCD-aware.
- ///
- /// 0x12000030
- BcdLibraryString_LoadOptionsString = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 48),
- ///
- ///
- ///
- /// 0x16000031
- BcdLibraryBoolean_AttemptNonBcdStart = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 49),
- ///
- /// Indicates whether the advanced options boot menu (F8) is displayed.
- ///
- /// 0x16000040
- BcdLibraryBoolean_DisplayAdvancedOptions = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 64),
- ///
- /// Indicates whether the boot options editor is enabled.
- ///
- /// 0x16000041
- BcdLibraryBoolean_DisplayOptionsEdit = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 65),
- ///
- ///
- ///
- /// 0x15000042
- // BCDE_LIBRARY_TYPE_FVE_KEYRING_ADDRESS
- BcdLibraryInteger_FVEKeyRingAddress = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 66),
- ///
- /// Allows a device override for the bootstat.dat log in the boot manager and winload.exe.
- ///
- /// 0x11000043
- BcdLibraryDevice_BsdLogDevice = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_DEVICE, 67),
- ///
- /// Allows a path override for the bootstat.dat log file in the boot manager and winload.exe.
- ///
- /// 0x12000044
- BcdLibraryString_BsdLogPath = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 68),
- ///
- /// Indicates whether graphics mode is disabled and boot applications must use text mode display.
- ///
- /// 0x16000045
- BcdLibraryBoolean_BsdPreserveLog = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 69),
- ///
- ///
- ///
- /// 0x16000046
- // BCDE_LIBRARY_TYPE_GRAPHICS_MODE_DISABLED
- BcdLibraryBoolean_GraphicsModeDisabled = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 70),
- ///
- /// Indicates the access policy for PCI configuration space.
- ///
- /// 0x15000047
- BcdLibraryInteger_ConfigAccessPolicy = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 71),
- ///
- /// Disables integrity checks.
- /// Cannot be set when secure boot is enabled.
- /// This value is ignored by Windows 7 and Windows 8.
- ///
- /// 0x16000048
- BcdLibraryBoolean_DisableIntegrityChecks = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 72),
- ///
- /// Indicates whether the test code signing certificate is supported.
- ///
- /// 0x16000049
- BcdLibraryBoolean_AllowPrereleaseSignatures = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 73),
- ///
- /// Overrides the default location of the boot fonts.
- ///
- /// 0x1200004A
- // BCDE_LIBRARY_TYPE_FONT_PATH
- BcdLibraryString_FontPath = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 74),
- ///
- ///
- ///
- /// 0x1500004B
- BcdLibraryInteger_SiPolicy = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 75),
- ///
- /// This value (if present) should not be modified.
- ///
- /// 0x1500004C
- BcdLibraryInteger_FveBandId = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 76),
- ///
- /// Specifies that legacy BIOS systems should use INT 16h Function 10h for console input instead of INT 16h Function 0h.
- ///
- /// 0x16000050
- BcdLibraryBoolean_ConsoleExtendedInput = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 80),
- ///
- ///
- ///
- /// 0x15000051
- BcdLibraryInteger_InitialConsoleInput = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 81),
- ///
- /// Forces a specific graphics resolution at boot.
- /// Possible values include GraphicsResolution1024x768 (0), GraphicsResolution800x600 (1), and GraphicsResolution1024x600 (2).
- ///
- /// 0x15000052
- BcdLibraryInteger_GraphicsResolution = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 82),
- ///
- /// If enabled, specifies that boot error screens are not shown when OS launch errors occur, and the system is reset rather than exiting directly back to the firmware.
- ///
- /// 0x16000053
- BcdLibraryBoolean_RestartOnFailure = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 83),
- ///
- /// Forces highest available graphics resolution at boot.
- /// This value can only be used on UEFI systems.
- /// This value is supported starting in Windows 8 and Windows Server 2012.
- ///
- /// 0x16000054
- BcdLibraryBoolean_GraphicsForceHighestMode = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 84),
- ///
- /// This setting is used to differentiate between the Windows 7 and Windows 8 implementations of UEFI.
- /// Do not modify this setting.
- /// If this setting is removed from a Windows 8 installation, it will not boot.
- /// If this setting is added to a Windows 7 installation, it will not boot.
- ///
- /// 0x16000060
- BcdLibraryBoolean_IsolatedExecutionContext = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 96),
- ///
- /// This setting disables the progress bar and default Windows logo.
If a custom text string has been defined, it is also disabled by this setting.
- /// The Integer property is one of the values from the BcdLibrary_UxDisplayMessageType enumeration.
- ///
- /// 0x15000065
- BcdLibraryInteger_BootUxDisplayMessage = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 101),
- ///
- ///
- ///
- /// 0x15000066
- BcdLibraryInteger_BootUxDisplayMessageOverride = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 102),
- ///
- /// This setting disables the boot logo.
- ///
- /// 0x16000067
- BcdLibraryBoolean_BootUxLogoDisable = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 103),
- ///
- /// This setting disables the boot status text.
- ///
- /// 0x16000068
- BcdLibraryBoolean_BootUxTextDisable = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 104),
- ///
- /// This setting disables the boot progress bar.
- ///
- /// 0x16000069
- BcdLibraryBoolean_BootUxProgressDisable = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 105),
- ///
- /// This setting disables the boot transition fading.
- ///
- /// 0x1600006A
- BcdLibraryBoolean_BootUxFadeDisable = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 106),
- ///
- ///
- ///
- /// 0x1600006B
- BcdLibraryBoolean_BootUxReservePoolDebug = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 107),
- ///
- ///
- ///
- /// 0x1600006C
- BcdLibraryBoolean_BootUxDisable = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 108),
- ///
- ///
- ///
- /// 0x1500006D
- BcdLibraryInteger_BootUxFadeFrames = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 109),
- ///
- ///
- ///
- /// 0x1600006E
- BcdLibraryBoolean_BootUxDumpStats = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 110),
- ///
- ///
- ///
- /// 0x1600006F
- BcdLibraryBoolean_BootUxShowStats = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 111),
- ///
- ///
- ///
- /// 0x16000071
- BcdLibraryBoolean_MultiBootSystem = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 113),
- ///
- ///
- ///
- /// 0x16000072
- BcdLibraryBoolean_ForceNoKeyboard = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 114),
- ///
- ///
- ///
- /// 0x15000073
- BcdLibraryInteger_AliasWindowsKey = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 115),
- ///
- /// Disables the 1-minute timer that triggers shutdown on boot error screens, and the F8 menu, on UEFI systems.
- ///
- /// 0x16000074
- BcdLibraryBoolean_BootShutdownDisabled = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 116),
- ///
- ///
- ///
- /// 0x15000075
- BcdLibraryInteger_PerformanceFrequency = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 117),
- ///
- ///
- ///
- /// 0x15000076
- BcdLibraryInteger_SecurebootRawPolicy = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 118),
- ///
- /// Indicates whether or not an in-memory BCD setting passed between boot apps will trigger BitLocker recovery.
- /// This value should not be modified as it could trigger a BitLocker recovery action.
- ///
- /// 0x17000077
- BcdLibraryIntegerList_AllowedInMemorySettings = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 119),
- ///
- ///
- ///
- /// 0x15000079
- BcdLibraryInteger_BootUxBitmapTransitionTime = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 121),
- ///
- ///
- ///
- /// 0x1600007A
- BcdLibraryBoolean_TwoBootImages = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 122),
- ///
- /// Force the use of FIPS cryptography checks on boot applications.
- /// BcdLibraryBoolean_ForceFipsCrypto is documented with wrong value 0x16000079
- ///
- /// 0x1600007B
- BcdLibraryBoolean_ForceFipsCrypto = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 123),
- ///
- ///
- ///
- /// 0x1500007D
- BcdLibraryInteger_BootErrorUx = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 125),
- ///
- ///
- ///
- /// 0x1600007E
- BcdLibraryBoolean_AllowFlightSignatures = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 126),
- ///
- ///
- ///
- /// 0x1500007F
- BcdLibraryInteger_BootMeasurementLogFormat = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 127),
- ///
- ///
- ///
- /// 0x15000080
- BcdLibraryInteger_DisplayRotation = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 128),
- ///
- ///
- ///
- /// 0x15000081
- BcdLibraryInteger_LogControl = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 129),
- ///
- ///
- ///
- /// 0x16000082
- BcdLibraryBoolean_NoFirmwareSync = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 130),
- ///
- ///
- ///
- /// 0x11000084
- BcdLibraryDevice_WindowsSystemDevice = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_DEVICE, 132),
- ///
- ///
- ///
- /// 0x16000087
- BcdLibraryBoolean_NumLockOn = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 135),
- ///
- ///
- ///
- /// 0x12000088
- BcdLibraryString_AdditionalCiPolicy = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 136),
- ///
- /// Enabling the 5-Level Paging feature.
0 = Disabled, 1 = Optout, 2 = Optin
- ///
- /// 0x15000088
- BcdLibraryInteger_LinearAddress57 = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 136),
- } BcdLibraryElementTypes;
-
- typedef enum _BcdTemplateElementTypes
- {
- ///
- ///
- ///
- /// 0x45000001
- BcdSetupInteger_DeviceType = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_SETUPTEMPLATE, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 1),
- ///
- ///
- ///
- /// 0x42000002
- BcdSetupString_ApplicationRelativePath = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_SETUPTEMPLATE, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 2),
- ///
- ///
- ///
- /// 0x42000003
- BcdSetupString_RamdiskDeviceRelativePath = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_SETUPTEMPLATE, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 3),
- ///
- ///
- ///
- /// 0x46000004
- BcdSetupBoolean_OmitOsLoaderElements = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_SETUPTEMPLATE, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 4),
- ///
- ///
- ///
- /// 0x47000006
- BcdSetupIntegerList_ElementsToMigrateList = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_SETUPTEMPLATE, BCD_ELEMENT_DATATYPE_FORMAT_INTEGERLIST, 6),
- ///
- ///
- ///
- /// 0x46000010
- BcdSetupBoolean_RecoveryOs = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_SETUPTEMPLATE, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 16),
- } BcdTemplateElementTypes;
-
- /**
- * @brief Specifies the no-execute page protection policies.
- */
- typedef enum _BcdOSLoader_NxPolicy
- {
- /**
- * @brief The no-execute page protection is off by default.
- */
- NxPolicyOptIn = 0,
- /**
- * @brief The no-execute page protection is on by default.
- */
- NxPolicyOptOut = 1,
- /**
- * @brief The no-execute page protection is always off.
- */
- NxPolicyAlwaysOff = 2,
- /**
- * @brief The no-execute page protection is always on.
- */
- NxPolicyAlwaysOn = 3
- } BcdOSLoader_NxPolicy;
-
- /**
- * @brief Specifies the Physical Address Extension (PAE) policies.
- */
- typedef enum _BcdOSLoader_PAEPolicy
- {
- /**
- * @brief Enable PAE if hot-pluggable memory is defined above 4GB.
- */
- PaePolicyDefault = 0,
- /**
- * @brief PAE is enabled.
- */
- PaePolicyForceEnable = 1,
- /**
- * @brief PAE is disabled.
- */
- PaePolicyForceDisable = 2
- } BcdOSLoader_PAEPolicy;
-
- /**
- * @brief Specifies the boot status policies.
- */
- typedef enum _BcdOSLoader_BootStatusPolicy
- {
- /**
- * @brief Display all boot failures.
- */
- BootStatusPolicyDisplayAllFailures = 0,
- /**
- * @brief Ignore all boot failures.
- */
- BootStatusPolicyIgnoreAllFailures = 1,
- /**
- * @brief Ignore all shutdown failures.
- */
- BootStatusPolicyIgnoreShutdownFailures = 2,
- /**
- * @brief Ignore all boot failures.
- */
- BootStatusPolicyIgnoreBootFailures = 3,
- /**
- * @brief Ignore checkpoint failures.
- */
- BootStatusPolicyIgnoreCheckpointFailures = 4,
- /**
- * @brief Display shutdown failures.
- */
- BootStatusPolicyDisplayShutdownFailures = 5,
- /**
- * @brief Display boot failures.
- */
- BootStatusPolicyDisplayBootFailures = 6,
- /**
- * @brief Display checkpoint failures.
- */
- BootStatusPolicyDisplayCheckpointFailures = 7,
- /**
- * @brief Always display startup failures.
- */
- BootStatusPolicyAlwaysDisplayStartupFailures = 8
- } BcdOSLoaderBootStatusPolicy;
-
- // BcdOSLoaderElementTypes based on geoffchappell: https://www.geoffchappell.com/notes/windows/boot/bcd/elements.htm (dmex)
- typedef enum _BcdOSLoaderElementTypes
- {
- ///
- /// The device on which the operating system resides.
- ///
- /// 0x21000001
- BcdOSLoaderDevice_OSDevice = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_DEVICE, 1),
- ///
- /// The file path to the operating system (%SystemRoot% minus the volume).
- ///
- /// 0x22000002
- BcdOSLoaderString_SystemRoot = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 2),
- ///
- /// The resume application associated with the operating system.
- ///
- /// 0x23000003
- BcdOSLoaderObject_AssociatedResumeObject = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_OBJECT, 3),
- ///
- ///
- ///
- /// 0x26000004
- BcdOSLoaderBoolean_StampDisks = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 4),
- ///
- /// Indicates whether the operating system loader should determine the kernel and HAL to load based on the platform features.
- ///
- /// 0x26000010
- BcdOSLoaderBoolean_DetectKernelAndHal = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 16),
- ///
- /// The kernel to be loaded by the operating system loader. This value overrides the default kernel.
- ///
- /// 0x22000011
- BcdOSLoaderString_KernelPath = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 17),
- ///
- /// The HAL to be loaded by the operating system loader. This value overrides the default HAL.
- ///
- /// 0x22000012
- BcdOSLoaderString_HalPath = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 18),
- ///
- /// The transport DLL to be loaded by the operating system loader. This value overrides the default Kdcom.dll.
- ///
- /// 0x22000013
- BcdOSLoaderString_DbgTransportPath = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 19),
- ///
- /// The no-execute page protection policy. The Integer property is one of the values from the BcdOSLoader_NxPolicy enumeration.
- ///
- /// 0x25000020
- BcdOSLoaderInteger_NxPolicy = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 32),
- ///
- /// The Physical Address Extension (PAE) policy. The Integer property is one of the values from the BcdOSLoader_PAEPolicy enumeration.
- ///
- /// 0x25000021
- BcdOSLoaderInteger_PAEPolicy = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 33),
- ///
- /// Indicates that the system should be started in Windows Preinstallation Environment (Windows PE) mode.
- ///
- /// 0x26000022
- BcdOSLoaderBoolean_WinPEMode = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 34),
- ///
- /// Indicates that the system should not automatically reboot when it crashes.
- ///
- /// 0x26000024
- BcdOSLoaderBoolean_DisableCrashAutoReboot = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 36),
- ///
- /// Indicates that the system should use the last-known good settings.
- ///
- /// 0x26000025
- BcdOSLoaderBoolean_UseLastGoodSettings = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 37),
- ///
- ///
- ///
- /// 0x26000026
- BcdOSLoaderBoolean_DisableCodeIntegrityChecks = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 38),
- ///
- /// Indicates whether the test code signing certificate is supported.
- ///
- /// 0x26000027
- BcdOSLoaderBoolean_AllowPrereleaseSignatures = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 39),
- ///
- /// Indicates whether the system should utilize the first 4GB of physical memory.
- /// This option requires 5GB of physical memory, and on x86 systems it requires PAE to be enabled.
- ///
- /// 0x26000030
- BcdOSLoaderBoolean_NoLowMemory = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 48),
- ///
- /// The amount of memory the system should ignore.
- ///
- /// 0x25000031
- BcdOSLoaderInteger_RemoveMemory = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 49),
- ///
- /// The amount of memory that should be utilized by the process address space, in bytes.
- /// This value should be between 2GB and 3GB.
- /// Increasing this value from the default 2GB decreases the amount of virtual address space available to the system and device drivers.
- ///
- /// 0x25000032
- BcdOSLoaderInteger_IncreaseUserVa = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 50),
- ///
- /// BCDE_OSLOADER_TYPE_PERFORMANCE_DATA_MEMORY
- ///
- /// 0x25000033
- BcdOSLoaderInteger_PerformaceDataMemory = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 51),
- ///
- /// Indicates whether the system should use the standard VGA display driver instead of a high-performance display driver.
- ///
- /// 0x26000040
- BcdOSLoaderBoolean_UseVgaDriver = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 64),
- ///
- /// Indicates whether the system should initialize the VGA driver responsible for displaying simple graphics during the boot process.
- /// If not, there is no display is presented during the boot process.
- ///
- /// 0x26000041
- BcdOSLoaderBoolean_DisableBootDisplay = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 65),
- ///
- /// Indicates whether the VGA driver should avoid VESA BIOS calls.
- /// Note This value is ignored by Windows 8 and Windows Server 2012.
- ///
- /// 0x26000042
- BcdOSLoaderBoolean_DisableVesaBios = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 66),
- ///
- /// Disables the use of VGA modes in the OS.
- ///
- /// 0x26000043
- BcdOSLoaderBoolean_DisableVgaMode = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 67),
- ///
- /// Indicates that cluster-mode APIC addressing should be utilized, and the value is the maximum number of processors per cluster.
- ///
- /// 0x25000050
- BcdOSLoaderInteger_ClusterModeAddressing = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 80),
- ///
- /// Indicates whether to enable physical-destination mode for all APIC messages.
- ///
- /// 0x26000051
- BcdOSLoaderBoolean_UsePhysicalDestination = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 81),
- ///
- /// The maximum number of APIC clusters that should be used by cluster-mode addressing.
- ///
- /// 0x25000052
- BcdOSLoaderInteger_RestrictApicCluster = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 82),
- ///
- ///
- ///
- /// 0x22000053
- BcdOSLoaderString_OSLoaderTypeEVStore = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 83),
- ///
- /// Used to force legacy APIC mode, even if the processors and chipset support extended APIC mode.
- ///
- /// 0x26000054
- BcdOSLoaderBoolean_UseLegacyApicMode = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 84),
- ///
- /// Enables the use of extended APIC mode, if supported.
- /// Zero (0) indicates default behavior, one (1) indicates that extended APIC mode is disabled, and two (2) indicates that extended APIC mode is enabled.
- /// The system defaults to using extended APIC mode if available.
- ///
- /// 0x25000055
- BcdOSLoaderInteger_X2ApicPolicy = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 85),
- ///
- /// Indicates whether the operating system should initialize or start non-boot processors.
- ///
- /// 0x26000060
- BcdOSLoaderBoolean_UseBootProcessorOnly = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 96),
- ///
- /// The maximum number of processors that can be utilized by the system; all other processors are ignored.
- ///
- /// 0x25000061
- BcdOSLoaderInteger_NumberOfProcessors = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 97),
- ///
- /// Indicates whether the system should use the maximum number of processors.
- ///
- /// 0x26000062
- BcdOSLoaderBoolean_ForceMaximumProcessors = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 98),
- ///
- /// Indicates whether processor specific configuration flags are to be used.
- ///
- /// 0x25000063
- BcdOSLoaderBoolean_ProcessorConfigurationFlags = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 99),
- ///
- /// Maximizes the number of groups created when assigning nodes to processor groups.
- ///
- /// 0x26000064
- BcdOSLoaderBoolean_MaximizeGroupsCreated = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 100),
- ///
- /// This setting makes drivers group aware and can be used to determine improper group usage.
- ///
- /// 0x26000065
- BcdOSLoaderBoolean_ForceGroupAwareness = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 101),
- ///
- /// Specifies the size of all processor groups. Must be set to a power of 2.
- ///
- /// 0x25000066
- BcdOSLoaderInteger_GroupSize = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 102),
- ///
- /// Indicates whether the system should use I/O and IRQ resources created by the system firmware instead of using dynamically configured resources.
- ///
- /// 0x26000070
- BcdOSLoaderInteger_UseFirmwarePciSettings = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 112),
- ///
- /// The PCI Message Signaled Interrupt (MSI) policy. Zero (0) indicates default, and one (1) indicates that MSI interrupts are forcefully disabled.
- ///
- /// 0x25000071
- BcdOSLoaderInteger_MsiPolicy = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 113),
- ///
- /// Zero (0) indicates default, and one (1) indicates that PCI Express is forcefully disabled.
- ///
- /// 0x25000072
- BcdOSLoaderInteger_PciExpressPolicy = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 114),
- ///
- /// The Integer property is one of the values from the BcdLibrary_SafeBoot enumeration.
- ///
- /// 0x25000080
- BcdOSLoaderInteger_SafeBoot = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 128),
- ///
- /// Indicates whether the system should use the shell specified under the following registry key instead of the default shell:
- /// HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell.
- ///
- /// 0x26000081
- BcdOSLoaderBoolean_SafeBootAlternateShell = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 129),
- ///
- /// Indicates whether the system should write logging information to %SystemRoot%\Ntbtlog.txt during initialization.
- ///
- /// 0x26000090
- BcdOSLoaderBoolean_BootLogInitialization = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 144),
- ///
- /// Indicates whether the system should display verbose information.
- ///
- /// 0x26000091
- BcdOSLoaderBoolean_VerboseObjectLoadMode = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 145),
- ///
- /// Indicates whether the kernel debugger should be enabled using the settings in the inherited debugger object.
- ///
- /// 0x260000A0
- BcdOSLoaderBoolean_KernelDebuggerEnabled = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 160),
- ///
- /// Indicates whether the HAL should call DbgBreakPoint at the start of HalInitSystem for phase 0 initialization of the kernel.
- ///
- /// 0x260000A1
- BcdOSLoaderBoolean_DebuggerHalBreakpoint = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 161),
- ///
- /// Forces the use of the platform clock as the system's performance counter.
- ///
- /// 0x260000A2
- BcdOSLoaderBoolean_UsePlatformClock = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 162),
- ///
- /// Forces the OS to assume the presence of legacy PC devices like CMOS and keyboard controllers.
- /// This value should only be used for debugging.
- ///
- /// 0x260000A3
- BcdOSLoaderBoolean_ForceLegacyPlatform = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 163),
- ///
- ///
- ///
- /// 0x260000A4
- BcdOSLoaderBoolean_UsePlatformTick = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 164),
- ///
- ///
- ///
- /// 0x260000A5
- BcdOSLoaderBoolean_DisableDynamicTick = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 165),
- ///
- /// Controls the TSC synchronization policy. Possible values include default (0), legacy (1), or enhanced (2).
- /// This value is supported starting in Windows 8 and Windows Server 2012.
- ///
- /// 0x250000A6
- BcdOSLoaderInteger_TscSyncPolicy = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 166),
- ///
- /// Indicates whether EMS should be enabled in the kernel.
- ///
- /// 0x260000B0
- BcdOSLoaderBoolean_EmsEnabled = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 176),
- ///
- ///
- ///
- /// 0x250000C0
- BcdOSLoaderInteger_ForceFailure = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 192),
- ///
- /// Indicates the driver load failure policy. Zero (0) indicates that a failed driver load is fatal and the boot will not continue,
- /// one (1) indicates that the standard error control is used.
- ///
- /// 0x250000C1
- BcdOSLoaderInteger_DriverLoadFailurePolicy = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 193),
- ///
- /// Defines the type of boot menus the system will use. Possible values include menupolicylegacy (0) or menupolicystandard (1).
- /// The default value is menupolicylegacy (0).
- /// - /// 0x250000C2 - BcdOSLoaderInteger_BootMenuPolicy = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 194), - /// - /// Controls whether the system boots to the legacy menu (F8 menu) on the next boot. - /// Note This value is supported starting in Windows 8 and Windows Server 2012. - /// - /// 0x260000C3 - BcdOSLoaderBoolean_AdvancedOptionsOneTime = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 195), - /// - /// - /// - /// 0x260000C4 - BcdOSLoaderBoolean_OptionsEditOneTime = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 196), - /// - /// The boot status policy. The Integer property is one of the values from the BcdOSLoaderBootStatusPolicy enumeration - /// - /// 0x250000E0 - BcdOSLoaderInteger_BootStatusPolicy = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 224), - /// - /// The OS loader removes this entry for security reasons. This option can only be triggered by using the F8 menu; a user must be physically present to trigger this option. - /// This value is supported starting in Windows 8 and Windows Server 2012. - /// - /// 0x260000E1 - BcdOSLoaderBoolean_DisableElamDrivers = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 225), - /// - /// Controls the hypervisor launch type. Options are HyperVisorLaunchOff (0) and HypervisorLaunchAuto (1). - /// - /// 0x250000F0 - BcdOSLoaderInteger_HypervisorLaunchType = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 240), - /// - /// - /// - /// 0x250000F1 - BcdOSLoaderString_HypervisorPath = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 241), - /// - /// Controls whether the hypervisor debugger is enabled. 
- /// - /// 0x260000F2 - BcdOSLoaderBoolean_HypervisorDebuggerEnabled = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 242), - /// - /// Controls the hypervisor debugger type. Can be set to SERIAL (0), 1394 (1), or NET (2). - /// - /// 0x250000F3 - BcdOSLoaderInteger_HypervisorDebuggerType = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 243), - /// - /// Specifies the serial port number for serial debugging. - /// - /// 0x250000F4 - BcdOSLoaderInteger_HypervisorDebuggerPortNumber = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 244), - /// - /// Specifies the baud rate for serial debugging. - /// - /// 0x250000F5 - BcdOSLoaderInteger_HypervisorDebuggerBaudrate = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 245), - /// - /// Specifies the channel number for 1394 debugging. - /// - /// 0x250000F6 - BcdOSLoaderInteger_HypervisorDebugger1394Channel = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 246), - /// - /// Values are Disabled (0), Basic (1), and Standard (2). - /// - /// 0x250000F7 - BcdOSLoaderInteger_BootUxPolicy = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 247), - /// - /// - /// - /// 0x220000F8 - BcdOSLoaderInteger_HypervisorSlatDisabled = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 248), - /// - /// Defines the PCI bus, device, and function numbers of the debugging device used with the hypervisor. - /// For example, 1.5.0 describes the debugging device on bus 1, device 5, function 0. 
- /// - /// 0x220000F9 - BcdOSLoaderString_HypervisorDebuggerBusParams = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 249), - /// - /// - /// - /// 0x250000FA - BcdOSLoaderInteger_HypervisorNumProc = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 250), - /// - /// - /// - /// 0x250000FB - BcdOSLoaderInteger_HypervisorRootProcPerNode = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 251), - /// - /// - /// - /// 0x260000FC - BcdOSLoaderBoolean_HypervisorUseLargeVTlb = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 252), - /// - /// - /// - /// 0x250000FD - BcdOSLoaderInteger_HypervisorDebuggerNetHostIp = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 253), - /// - /// - /// - /// 0x250000FE - BcdOSLoaderInteger_HypervisorDebuggerNetHostPort = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 254), - /// - /// - /// - /// 0x250000FF - BcdOSLoaderInteger_HypervisorDebuggerPages = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 255), - /// - /// - /// - /// 0x25000100 - BcdOSLoaderInteger_TpmBootEntropyPolicy = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 256), - /// - /// - /// - /// 0x22000110 - BcdOSLoaderString_HypervisorDebuggerNetKey = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 272), - /// - /// - /// - /// 0x22000112 - BcdOSLoaderString_HypervisorProductSkuType = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 274), - /// - /// - /// - /// 0x22000113 - BcdOSLoaderInteger_HypervisorRootProc = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, 
BCD_ELEMENT_DATATYPE_FORMAT_STRING, 275), - /// - /// - /// - /// 0x26000114 - BcdOSLoaderBoolean_HypervisorDebuggerNetDhcp = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 276), - /// - /// - /// - /// 0x25000115 - BcdOSLoaderInteger_HypervisorIommuPolicy = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 277), - /// - /// - /// - /// 0x26000116 - BcdOSLoaderBoolean_HypervisorUseVApic = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 278), - /// - /// - /// - /// 0x22000117 - BcdOSLoaderString_HypervisorLoadOptions = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 279), - /// - /// BCDE_POLICY_OSLOADER_TYPE_HYPERVISOR_MSR_FILTER_POLICY - /// - /// 0x25000118 - BcdOSLoaderInteger_HypervisorMsrFilterPolicy = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 280), - /// - /// - /// - /// 0x25000119 - BcdOSLoaderInteger_HypervisorMmioNxPolicy = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 281), - /// - /// - /// - /// 0x2500011A - BcdOSLoaderInteger_HypervisorSchedulerType = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 282), - /// - /// - /// - /// 0x2200011B - BcdOSLoaderString_HypervisorRootProcNumaNodes = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 283), - /// - /// BCDE_POLICY_OSLOADER_TYPE_HYPERVISOR_PERFMON - /// - /// 0x2500011C - BcdOSLoaderInteger_HypervisorPerfmon = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 284), - /// - /// - /// - /// 0x2500011D - BcdOSLoaderInteger_HypervisorRootProcPerCore = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 285), - /// - /// - /// 
- /// 0x2200011E - BcdOSLoaderString_HypervisorRootProcNumaNodeLps = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 286), - /// - /// - /// - /// 0x25000120 - BcdOSLoaderInteger_XSavePolicy = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 288), - /// - /// - /// - /// 0x25000121 - BcdOSLoaderInteger_XSaveAddFeature0 = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 289), - /// - /// - /// - /// 0x25000122 - BcdOSLoaderInteger_XSaveAddFeature1 = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 290), - /// - /// - /// - /// 0x25000123 - BcdOSLoaderInteger_XSaveAddFeature2 = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 291), - /// - /// - /// - /// 0x25000124 - BcdOSLoaderInteger_XSaveAddFeature3 = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 292), - /// - /// - /// - /// 0x25000125 - BcdOSLoaderInteger_XSaveAddFeature4 = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 293), - /// - /// - /// - /// 0x25000126 - BcdOSLoaderInteger_XSaveAddFeature5 = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 294), - /// - /// - /// - /// 0x25000127 - BcdOSLoaderInteger_XSaveAddFeature6 = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 295), - /// - /// - /// - /// 0x25000128 - BcdOSLoaderInteger_XSaveAddFeature7 = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 296), - /// - /// - /// - /// 0x25000129 - BcdOSLoaderInteger_XSaveRemoveFeature = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 297), - /// - /// - /// - /// 0x2500012A - 
BcdOSLoaderInteger_XSaveProcessorsMask = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 298), - /// - /// - /// - /// 0x2500012B - BcdOSLoaderInteger_XSaveDisable = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 299), - /// - /// - /// - /// 0x2500012C - BcdOSLoaderInteger_KernelDebuggerType = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 300), - /// - /// - /// - /// 0x2200012D - BcdOSLoaderString_KernelDebuggerBusParameters = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 301), - /// - /// - /// - /// 0x2500012E - BcdOSLoaderInteger_KernelDebuggerPortAddress = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 302), - /// - /// - /// - /// 0x2500012F - BcdOSLoaderInteger_KernelDebuggerPortNumber = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 303), - /// - /// - /// - /// 0x25000130 - BcdOSLoaderInteger_ClaimedTpmCounter = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 304), - /// - /// - /// - /// 0x25000131 - BcdOSLoaderInteger_KernelDebugger1394Channel = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 305), - /// - /// - /// - /// 0x22000132 - BcdOSLoaderString_KernelDebuggerUsbTargetname = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 306), - /// - /// - /// - /// 0x25000133 - BcdOSLoaderInteger_KernelDebuggerNetHostIp = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 307), - /// - /// - /// - /// 0x25000134 - BcdOSLoaderInteger_KernelDebuggerNetHostPort = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 308), - /// - /// - 
/// - /// 0x26000135 - BcdOSLoaderBoolean_KernelDebuggerNetDhcp = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 309), - /// - /// - /// - /// 0x22000136 - BcdOSLoaderString_KernelDebuggerNetKey = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 310), - /// - /// - /// - /// 0x22000137 - BcdOSLoaderString_IMCHiveName = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 311), - /// - /// - /// - /// 0x21000138 - BcdOSLoaderDevice_IMCDevice = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_DEVICE, 312), - /// - /// - /// - /// 0x25000139 - BcdOSLoaderInteger_KernelDebuggerBaudrate = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 313), - /// - /// - /// - /// 0x22000140 - BcdOSLoaderString_ManufacturingMode = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 320), - /// - /// - /// - /// 0x26000141 - BcdOSLoaderBoolean_EventLoggingEnabled = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 321), - /// - /// - /// - /// 0x25000142 - BcdOSLoaderInteger_VsmLaunchType = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 322), - /// - /// Zero (0) indicates Disabled, one (1) indicates that Enabled and two (2) indicates strict mode. 
- /// - /// 0x25000144 - BcdOSLoaderInteger_HypervisorEnforcedCodeIntegrity = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 324), - /// - /// - /// - /// 0x26000145 - BcdOSLoaderBoolean_DtraceEnabled = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 325), - /// - /// - /// - /// 0x21000150 - BcdOSLoaderDevice_SystemDataDevice = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_DEVICE, 336), - /// - /// - /// - /// 0x21000151 - BcdOSLoaderDevice_OsArcDevice = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_DEVICE, 337), - /// - /// - /// - /// 0x21000153 - BcdOSLoaderDevice_OsDataDevice = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_DEVICE, 339), - /// - /// - /// - /// 0x21000154 - BcdOSLoaderDevice_BspDevice = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_DEVICE, 340), - /// - /// - /// - /// 0x21000155 - BcdOSLoaderDevice_BspFilepath = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_DEVICE, 341), - /// - /// - /// - /// 0x22000156 - BcdOSLoaderString_KernelDebuggerNetHostIpv6 = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 342), - /// - /// - /// - /// 0x22000161 - BcdOSLoaderString_HypervisorDebuggerNetHostIpv6 = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 353), - } BcdOSLoaderElementTypes; - -#endif - /* - * Memory Manager Support functions - * - * This file is part of System Informer. - */ - -#ifndef _NTMMAPI_H -#define _NTMMAPI_H - - // - // Memory Protection Constants - // - -#define PAGE_NOACCESS 0x01 // Disables all access to the committed region of pages. An attempt to read from, write to, or execute the committed region results in an access violation. 
-#define PAGE_READONLY 0x02 // Enables read-only access to the committed region of pages. An attempt to write or execute the committed region results in an access violation. -#define PAGE_READWRITE 0x04 // Enables read-only or read/write access to the committed region of pages. -#define PAGE_WRITECOPY 0x08 // Enables read-only or copy-on-write access to a mapped view of a file mapping object. -#define PAGE_EXECUTE 0x10 // Enables execute access to the committed region of pages. An attempt to write to the committed region results in an access violation. -#define PAGE_EXECUTE_READ 0x20 // Enables execute or read-only access to the committed region of pages. An attempt to write to the committed region results in an access violation. -#define PAGE_EXECUTE_READWRITE 0x40 // Enables execute, read-only, or read/write access to the committed region of pages. -#define PAGE_EXECUTE_WRITECOPY 0x80 // Enables execute, read-only, or copy-on-write access to a mapped view of a file mapping object. -#define PAGE_GUARD 0x100 // Pages in the region become guard pages. Any attempt to access a guard page causes the system to raise a STATUS_GUARD_PAGE_VIOLATION exception. -#define PAGE_NOCACHE 0x200 // Sets all pages to be non-cachable. Applications should not use this attribute. Using interlocked functions with memory that is mapped with SEC_NOCACHE can result in an EXCEPTION_ILLEGAL_INSTRUCTION exception. -#define PAGE_WRITECOMBINE 0x400 // Sets all pages to be write-combined. Applications should not use this attribute. Using interlocked functions with memory that is mapped with SEC_NOCACHE can result in an EXCEPTION_ILLEGAL_INSTRUCTION exception. - -#define PAGE_REVERT_TO_FILE_MAP 0x80000000 // Pages in the region can revert modified copy-on-write pages to the original unmodified page when using the mapped view of a file mapping object. 
-#define PAGE_ENCLAVE_THREAD_CONTROL 0x80000000 // Pages in the region contain a thread control structure (TCS) from the Intel Software Guard Extensions programming model. -#define PAGE_TARGETS_NO_UPDATE 0x40000000 // Pages in the region will not update the CFG bitmap when the protection changes. The default behavior for VirtualProtect is to mark all locations as valid call targets for CFG. -#define PAGE_TARGETS_INVALID 0x40000000 // Pages in the region are excluded from the CFG bitmap as valid targets. Any indirect call to locations in those pages will terminate the process using the __fastfail intrinsic. -#define PAGE_ENCLAVE_UNVALIDATED 0x20000000 // Pages in the region are excluded from measurement with the EEXTEND instruction of the Intel Software Guard Extensions programming model. -#define PAGE_ENCLAVE_NO_CHANGE 0x20000000 -#define PAGE_ENCLAVE_MASK 0x10000000 -#define PAGE_ENCLAVE_DECOMMIT (PAGE_ENCLAVE_MASK | 0) -#define PAGE_ENCLAVE_SS_FIRST (PAGE_ENCLAVE_MASK | 1) -#define PAGE_ENCLAVE_SS_REST (PAGE_ENCLAVE_MASK | 2) - - // - // Memory Region and Section Constants - // - -#define MEM_COMMIT 0x00001000 -#define MEM_RESERVE 0x00002000 -#define MEM_DECOMMIT 0x00004000 -#define MEM_RELEASE 0x00008000 -#define MEM_FREE 0x00010000 -#define MEM_PRIVATE 0x00020000 -#define MEM_MAPPED 0x00040000 -#define MEM_RESET 0x00080000 -#define MEM_TOP_DOWN 0x00100000 -#define MEM_WRITE_WATCH 0x00200000 -#define MEM_PHYSICAL 0x00400000 -#define MEM_ROTATE 0x00800000 -#define MEM_DIFFERENT_IMAGE_BASE_OK 0x00800000 -#define MEM_RESET_UNDO 0x01000000 -#define MEM_LARGE_PAGES 0x20000000 -#define MEM_DOS_LIM 0x40000000 -#define MEM_4MB_PAGES 0x80000000 -#define MEM_64K_PAGES (MEM_LARGE_PAGES | MEM_PHYSICAL) - -#define MEM_UNMAP_WITH_TRANSIENT_BOOST 0x00000001 -#define MEM_COALESCE_PLACEHOLDERS 0x00000001 -#define MEM_PRESERVE_PLACEHOLDER 0x00000002 -#define MEM_REPLACE_PLACEHOLDER 0x00004000 -#define MEM_RESERVE_PLACEHOLDER 0x00040000 - -#define SEC_HUGE_PAGES 0x00020000 
-#define SEC_PARTITION_OWNER_HANDLE 0x00040000 -#define SEC_64K_PAGES 0x00080000 -#define SEC_DRIVER_IMAGE 0x00100000 // rev -#define SEC_BASED 0x00200000 -#define SEC_NO_CHANGE 0x00400000 -#define SEC_FILE 0x00800000 -#define SEC_IMAGE 0x01000000 -#define SEC_PROTECTED_IMAGE 0x02000000 -#define SEC_RESERVE 0x04000000 -#define SEC_COMMIT 0x08000000 -#define SEC_NOCACHE 0x10000000 -#define SEC_GLOBAL 0x20000000 -#define SEC_WRITECOMBINE 0x40000000 -#define SEC_LARGE_PAGES 0x80000000 -#define SEC_IMAGE_NO_EXECUTE (SEC_IMAGE | SEC_NOCACHE) -#if (PHNT_MODE == PHNT_MODE_KERNEL) -#define MEM_IMAGE SEC_IMAGE -#endif - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - typedef enum _MEMORY_INFORMATION_CLASS - { - MemoryBasicInformation, // q: MEMORY_BASIC_INFORMATION - MemoryWorkingSetInformation, // q: MEMORY_WORKING_SET_INFORMATION - MemoryMappedFilenameInformation, // q: UNICODE_STRING - MemoryRegionInformation, // q: MEMORY_REGION_INFORMATION - MemoryWorkingSetExInformation, // q: MEMORY_WORKING_SET_EX_INFORMATION // since VISTA - MemorySharedCommitInformation, // q: MEMORY_SHARED_COMMIT_INFORMATION // since WIN8 - MemoryImageInformation, // q: MEMORY_IMAGE_INFORMATION - MemoryRegionInformationEx, // MEMORY_REGION_INFORMATION - MemoryPrivilegedBasicInformation, // MEMORY_BASIC_INFORMATION - MemoryEnclaveImageInformation, // MEMORY_ENCLAVE_IMAGE_INFORMATION // since REDSTONE3 - MemoryBasicInformationCapped, // 10 - MemoryPhysicalContiguityInformation, // MEMORY_PHYSICAL_CONTIGUITY_INFORMATION // since 20H1 - MemoryBadInformation, // since WIN11 - MemoryBadInformationAllProcesses, // since 22H1 - MemoryImageExtensionInformation, // MEMORY_IMAGE_EXTENSION_INFORMATION // since 24H2 - MaxMemoryInfoClass - } MEMORY_INFORMATION_CLASS; -#else -#define MemoryBasicInformation 0x0 -#define MemoryWorkingSetInformation 0x1 -#define MemoryMappedFilenameInformation 0x2 -#define MemoryRegionInformation 0x3 -#define MemoryWorkingSetExInformation 0x4 -#define MemorySharedCommitInformation 0x5 
-#define MemoryImageInformation 0x6 -#define MemoryRegionInformationEx 0x7 -#define MemoryPrivilegedBasicInformation 0x8 -#define MemoryEnclaveImageInformation 0x9 -#define MemoryBasicInformationCapped 0xA -#define MemoryPhysicalContiguityInformation 0xB -#define MemoryBadInformation 0xC -#define MemoryBadInformationAllProcesses 0xD -#define MemoryImageExtensionInformation 0xE -#endif - -// MEMORY_WORKING_SET_BLOCK->Protection -#define MEMORY_BLOCK_NOT_ACCESSED 0 -#define MEMORY_BLOCK_READONLY 1 -#define MEMORY_BLOCK_EXECUTABLE 2 -#define MEMORY_BLOCK_EXECUTABLE_READONLY 3 -#define MEMORY_BLOCK_READWRITE 4 -#define MEMORY_BLOCK_COPYONWRITE 5 -#define MEMORY_BLOCK_EXECUTABLE_READWRITE 6 -#define MEMORY_BLOCK_EXECUTABLE_COPYONWRITE 7 -#define MEMORY_BLOCK_NOT_ACCESSED_2 8 -#define MEMORY_BLOCK_NON_CACHEABLE_READONLY 9 -#define MEMORY_BLOCK_NON_CACHEABLE_EXECUTABLE 10 -#define MEMORY_BLOCK_NON_CACHEABLE_EXECUTABLE_READONLY 11 -#define MEMORY_BLOCK_NON_CACHEABLE_READWRITE 12 -#define MEMORY_BLOCK_NON_CACHEABLE_COPYONWRITE 13 -#define MEMORY_BLOCK_NON_CACHEABLE_EXECUTABLE_READWRITE 14 -#define MEMORY_BLOCK_NON_CACHEABLE_EXECUTABLE_COPYONWRITE 15 -#define MEMORY_BLOCK_NOT_ACCESSED_3 16 -#define MEMORY_BLOCK_GUARD_READONLY 17 -#define MEMORY_BLOCK_GUARD_EXECUTABLE 18 -#define MEMORY_BLOCK_GUARD_EXECUTABLE_READONLY 19 -#define MEMORY_BLOCK_GUARD_READWRITE 20 -#define MEMORY_BLOCK_GUARD_COPYONWRITE 21 -#define MEMORY_BLOCK_GUARD_EXECUTABLE_READWRITE 22 -#define MEMORY_BLOCK_GUARD_EXECUTABLE_COPYONWRITE 23 -#define MEMORY_BLOCK_NOT_ACCESSED_4 24 -#define MEMORY_BLOCK_NON_CACHEABLE_GUARD_READONLY 25 -#define MEMORY_BLOCK_NON_CACHEABLE_GUARD_EXECUTABLE 26 -#define MEMORY_BLOCK_NON_CACHEABLE_GUARD_EXECUTABLE_READONLY 27 -#define MEMORY_BLOCK_NON_CACHEABLE_GUARD_READWRITE 28 -#define MEMORY_BLOCK_NON_CACHEABLE_GUARD_COPYONWRITE 29 -#define MEMORY_BLOCK_NON_CACHEABLE_GUARD_EXECUTABLE_READWRITE 30 -#define MEMORY_BLOCK_NON_CACHEABLE_GUARD_EXECUTABLE_COPYONWRITE 31 - - /** - * The 
MEMORY_WORKING_SET_BLOCK structure contains working set information for a page. - * - * \ref https://learn.microsoft.com/en-us/windows/win32/api/psapi/ns-psapi-psapi_working_set_block - */ - typedef struct _MEMORY_WORKING_SET_BLOCK - { - ULONG_PTR Protection : 5; // The protection attributes of the page. This member can be one of above MEMORY_BLOCK_* values. - ULONG_PTR ShareCount : 3; // The number of processes that share this page. The maximum value of this member is 7. - ULONG_PTR Shared : 1; // If this bit is 1, the page is sharable; otherwise, the page is not sharable. - ULONG_PTR Node : 3; // The NUMA node where the physical memory should reside. -#ifdef _WIN64 - ULONG_PTR VirtualPage : 52; // The address of the page in the virtual address space. -#else - ULONG VirtualPage : 20; // The address of the page in the virtual address space. -#endif - } MEMORY_WORKING_SET_BLOCK, *PMEMORY_WORKING_SET_BLOCK; - - /** - * The MEMORY_WORKING_SET_INFORMATION structure contains working set information for a process. 
- * - * \ref https://learn.microsoft.com/en-us/windows/win32/api/psapi/ns-psapi-psapi_working_set_information - */ - typedef struct _MEMORY_WORKING_SET_INFORMATION - { - ULONG_PTR NumberOfEntries; - _Field_size_(NumberOfEntries) MEMORY_WORKING_SET_BLOCK WorkingSetInfo[ANYSIZE_ARRAY]; - } MEMORY_WORKING_SET_INFORMATION, *PMEMORY_WORKING_SET_INFORMATION; - - // private - typedef struct _MEMORY_REGION_INFORMATION - { - PVOID AllocationBase; - ULONG AllocationProtect; - union - { - ULONG RegionType; - struct - { - ULONG Private : 1; - ULONG MappedDataFile : 1; - ULONG MappedImage : 1; - ULONG MappedPageFile : 1; - ULONG MappedPhysical : 1; - ULONG DirectMapped : 1; - ULONG SoftwareEnclave : 1; // REDSTONE3 - ULONG PageSize64K : 1; - ULONG PlaceholderReservation : 1; // REDSTONE4 - ULONG MappedAwe : 1; // 21H1 - ULONG MappedWriteWatch : 1; - ULONG PageSizeLarge : 1; - ULONG PageSizeHuge : 1; - ULONG Reserved : 19; - }; - }; - SIZE_T RegionSize; - SIZE_T CommitSize; - ULONG_PTR PartitionId; // 19H1 - ULONG_PTR NodePreference; // 20H1 - } MEMORY_REGION_INFORMATION, *PMEMORY_REGION_INFORMATION; - - // private - typedef enum _MEMORY_WORKING_SET_EX_LOCATION - { - MemoryLocationInvalid, - MemoryLocationResident, - MemoryLocationPagefile, - MemoryLocationReserved - } MEMORY_WORKING_SET_EX_LOCATION; - - /** - * The MEMORY_WORKING_SET_EX_BLOCK structure contains extended working set information for a page. - * - * \ref https://learn.microsoft.com/en-us/windows/win32/api/psapi/ns-psapi-psapi_working_set_ex_block - */ - typedef union _MEMORY_WORKING_SET_EX_BLOCK - { - ULONG_PTR Flags; - union - { - struct - { - ULONG_PTR Valid : 1; // If this bit is 1, the subsequent members are valid; otherwise they should be ignored. - ULONG_PTR ShareCount : 3; // The number of processes that share this page. The maximum value of this member is 7. - ULONG_PTR Win32Protection : 11; // The memory protection attributes of the page. 
- ULONG_PTR Shared : 1; // If this bit is 1, the page can be shared. - ULONG_PTR Node : 6; // The NUMA node. The maximum value of this member is 63. - ULONG_PTR Locked : 1; // If this bit is 1, the virtual page is locked in physical memory. - ULONG_PTR LargePage : 1; // If this bit is 1, the page is a large page. - ULONG_PTR Priority : 3; // The memory priority attributes of the page. - ULONG_PTR Reserved : 3; - ULONG_PTR SharedOriginal : 1; // If this bit is 1, the page was not modified. - ULONG_PTR Bad : 1; // If this bit is 1, the page is has been reported as bad. -#ifdef _WIN64 - ULONG_PTR Win32GraphicsProtection : 4; // The memory protection attributes of the page. // since 19H1 - ULONG_PTR ReservedUlong : 28; -#endif - }; - struct - { - ULONG_PTR Valid : 1; // If this bit is 0, the subsequent members are valid; otherwise they should be ignored. - ULONG_PTR Reserved0 : 14; - ULONG_PTR Shared : 1; // If this bit is 1, the page can be shared. - ULONG_PTR Reserved1 : 5; - ULONG_PTR PageTable : 1; - ULONG_PTR Location : 2; // The memory location of the page. MEMORY_WORKING_SET_EX_LOCATION - ULONG_PTR Priority : 3; // The memory priority of the page. - ULONG_PTR ModifiedList : 1; - ULONG_PTR Reserved2 : 2; - ULONG_PTR SharedOriginal : 1; // If this bit is 1, the page was not modified. - ULONG_PTR Bad : 1; // If this bit is 1, the page is has been reported as bad. -#ifdef _WIN64 - ULONG_PTR ReservedUlong : 32; -#endif - } Invalid; - }; - } MEMORY_WORKING_SET_EX_BLOCK, *PMEMORY_WORKING_SET_EX_BLOCK; - - /** - * The MEMORY_WORKING_SET_EX_INFORMATION structure contains extended working set information for a process. - * - * \ref https://learn.microsoft.com/en-us/windows/win32/api/psapi/ns-psapi-psapi_working_set_ex_information - */ - typedef struct _MEMORY_WORKING_SET_EX_INFORMATION - { - PVOID VirtualAddress; // The virtual address. - MEMORY_WORKING_SET_EX_BLOCK VirtualAttributes; // The attributes of the page at VirtualAddress. 
- } MEMORY_WORKING_SET_EX_INFORMATION, *PMEMORY_WORKING_SET_EX_INFORMATION; - - // private - typedef struct _MEMORY_SHARED_COMMIT_INFORMATION - { - SIZE_T CommitSize; - } MEMORY_SHARED_COMMIT_INFORMATION, *PMEMORY_SHARED_COMMIT_INFORMATION; - - // private - typedef struct _MEMORY_IMAGE_INFORMATION - { - PVOID ImageBase; - SIZE_T SizeOfImage; - union - { - ULONG ImageFlags; - struct - { - ULONG ImagePartialMap : 1; - ULONG ImageNotExecutable : 1; - ULONG ImageSigningLevel : 4; // REDSTONE3 - ULONG ImageExtensionPresent : 1; // since 24H2 - ULONG Reserved : 25; - }; - }; - } MEMORY_IMAGE_INFORMATION, *PMEMORY_IMAGE_INFORMATION; - - // private - typedef struct _MEMORY_ENCLAVE_IMAGE_INFORMATION - { - MEMORY_IMAGE_INFORMATION ImageInfo; - UCHAR UniqueID[32]; - UCHAR AuthorID[32]; - } MEMORY_ENCLAVE_IMAGE_INFORMATION, *PMEMORY_ENCLAVE_IMAGE_INFORMATION; - - // private - typedef enum _MEMORY_PHYSICAL_CONTIGUITY_UNIT_STATE - { - MemoryNotContiguous, - MemoryAlignedAndContiguous, - MemoryNotResident, - MemoryNotEligibleToMakeContiguous, - MemoryContiguityStateMax, - } MEMORY_PHYSICAL_CONTIGUITY_UNIT_STATE; - - // private - typedef struct _MEMORY_PHYSICAL_CONTIGUITY_UNIT_INFORMATION - { - union - { - struct - { - ULONG State : 2; - ULONG Reserved : 30; - }; - ULONG AllInformation; - }; - } MEMORY_PHYSICAL_CONTIGUITY_UNIT_INFORMATION, *PMEMORY_PHYSICAL_CONTIGUITY_UNIT_INFORMATION; - - // private - typedef struct _MEMORY_PHYSICAL_CONTIGUITY_INFORMATION - { - PVOID VirtualAddress; - ULONG_PTR Size; - ULONG_PTR ContiguityUnitSize; - ULONG Flags; - PMEMORY_PHYSICAL_CONTIGUITY_UNIT_INFORMATION ContiguityUnitInformation; - } MEMORY_PHYSICAL_CONTIGUITY_INFORMATION, *PMEMORY_PHYSICAL_CONTIGUITY_INFORMATION; - - // private - typedef struct _RTL_SCP_CFG_ARM64_HEADER - { - ULONG EcInvalidCallHandlerRva; - ULONG EcCfgCheckRva; - ULONG EcCfgCheckESRva; - ULONG EcCallCheckRva; - ULONG CpuInitializationCompleteLoadRva; - ULONG LdrpValidateEcCallTargetInitRva; - ULONG SyscallFfsSizeRva; - 
ULONG SyscallFfsBaseRva; - } RTL_SCP_CFG_ARM64_HEADER, *PRTL_SCP_CFG_ARM64_HEADER; - - // private - typedef enum _RTL_SCP_CFG_PAGE_TYPE - { - RtlScpCfgPageTypeNop, - RtlScpCfgPageTypeDefault, - RtlScpCfgPageTypeExportSuppression, - RtlScpCfgPageTypeFptr, - RtlScpCfgPageTypeMax, - RtlScpCfgPageTypeNone - } RTL_SCP_CFG_PAGE_TYPE; - - // private - typedef struct _RTL_SCP_CFG_COMMON_HEADER - { - ULONG CfgDispatchRva; - ULONG CfgDispatchESRva; - ULONG CfgCheckRva; - ULONG CfgCheckESRva; - ULONG InvalidCallHandlerRva; - ULONG FnTableRva; - } RTL_SCP_CFG_COMMON_HEADER, *PRTL_SCP_CFG_COMMON_HEADER; - - // private - typedef struct _RTL_SCP_CFG_HEADER - { - RTL_SCP_CFG_COMMON_HEADER Common; - } RTL_SCP_CFG_HEADER, *PRTL_SCP_CFG_HEADER; - - // private - typedef struct _RTL_SCP_CFG_REGION_BOUNDS - { - PVOID StartAddress; - PVOID EndAddress; - } RTL_SCP_CFG_REGION_BOUNDS, *PRTL_SCP_CFG_REGION_BOUNDS; - - // private - typedef struct _RTL_SCP_CFG_NTDLL_EXPORTS - { - RTL_SCP_CFG_REGION_BOUNDS ScpRegions[4]; - PVOID CfgDispatchFptr; - PVOID CfgDispatchESFptr; - PVOID CfgCheckFptr; - PVOID CfgCheckESFptr; - PVOID IllegalCallHandler; - } RTL_SCP_CFG_NTDLL_EXPORTS, *PRTL_SCP_CFG_NTDLL_EXPORTS; - - // private - typedef struct _RTL_SCP_CFG_NTDLL_EXPORTS_ARM64EC - { - PVOID EcInvalidCallHandler; - PVOID EcCfgCheckFptr; - PVOID EcCfgCheckESFptr; - PVOID EcCallCheckFptr; - PVOID CpuInitializationComplete; - PVOID LdrpValidateEcCallTargetInit; - struct - { - PVOID SyscallFfsSize; - union - { - PVOID Ptr; - ULONG Value; - }; - }; - PVOID SyscallFfsBase; - } RTL_SCP_CFG_NTDLL_EXPORTS_ARM64EC, *PRTL_SCP_CFG_NTDLL_EXPORTS_ARM64EC; - - // private - typedef struct _RTL_RETPOLINE_ROUTINES - { - ULONG SwitchtableJump[16]; - ULONG CfgIndirectRax; - ULONG NonCfgIndirectRax; - ULONG ImportR10; - ULONG JumpHpat; - } RTL_RETPOLINE_ROUTINES, *PRTL_RETPOLINE_ROUTINES; - - // private - typedef struct _RTL_KSCP_ROUTINES - { - ULONG UnwindDataOffset; - RTL_RETPOLINE_ROUTINES RetpolineRoutines; - ULONG 
CfgDispatchSmep; - ULONG CfgDispatchNoSmep; - } RTL_KSCP_ROUTINES, *PRTL_KSCP_ROUTINES; - - // private - typedef enum _MEMORY_IMAGE_EXTENSION_TYPE - { - MemoryImageExtensionCfgScp, - MemoryImageExtensionCfgEmulatedScp, - MemoryImageExtensionTypeMax, - } MEMORY_IMAGE_EXTENSION_TYPE; - - // private - typedef struct _MEMORY_IMAGE_EXTENSION_INFORMATION - { - MEMORY_IMAGE_EXTENSION_TYPE ExtensionType; - ULONG Flags; - PVOID ExtensionImageBaseRva; - SIZE_T ExtensionSize; - } MEMORY_IMAGE_EXTENSION_INFORMATION, *PMEMORY_IMAGE_EXTENSION_INFORMATION; - -#define MMPFNLIST_ZERO 0 -#define MMPFNLIST_FREE 1 -#define MMPFNLIST_STANDBY 2 -#define MMPFNLIST_MODIFIED 3 -#define MMPFNLIST_MODIFIEDNOWRITE 4 -#define MMPFNLIST_BAD 5 -#define MMPFNLIST_ACTIVE 6 -#define MMPFNLIST_TRANSITION 7 - - // typedef enum _MMLISTS - //{ - // ZeroedPageList = 0, - // FreePageList = 1, - // StandbyPageList = 2, - // ModifiedPageList = 3, - // ModifiedNoWritePageList = 4, - // BadPageList = 5, - // ActiveAndValid = 6, - // TransitionPage = 7 - // } MMLISTS; - -#define MMPFNUSE_PROCESSPRIVATE 0 -#define MMPFNUSE_FILE 1 -#define MMPFNUSE_PAGEFILEMAPPED 2 -#define MMPFNUSE_PAGETABLE 3 -#define MMPFNUSE_PAGEDPOOL 4 -#define MMPFNUSE_NONPAGEDPOOL 5 -#define MMPFNUSE_SYSTEMPTE 6 -#define MMPFNUSE_SESSIONPRIVATE 7 -#define MMPFNUSE_METAFILE 8 -#define MMPFNUSE_AWEPAGE 9 -#define MMPFNUSE_DRIVERLOCKPAGE 10 -#define MMPFNUSE_KERNELSTACK 11 - - // typedef enum _MMPFNUSE - //{ - // ProcessPrivatePage, - // MemoryMappedFilePage, - // PageFileMappedPage, - // PageTablePage, - // PagedPoolPage, - // NonPagedPoolPage, - // SystemPTEPage, - // SessionPrivatePage, - // MetafilePage, - // AWEPage, - // DriverLockedPage, - // KernelStackPage - // } MMPFNUSE; - - // private - typedef struct _MEMORY_FRAME_INFORMATION - { - ULONGLONG UseDescription : 4; // MMPFNUSE_* - ULONGLONG ListDescription : 3; // MMPFNLIST_* - ULONGLONG Cold : 1; // 19H1 - ULONGLONG Pinned : 1; // 1 - pinned, 0 - not pinned - ULONGLONG DontUse : 
48; // *_INFORMATION overlay - ULONGLONG Priority : 3; - ULONGLONG NonTradeable : 1; - ULONGLONG Reserved : 3; - } MEMORY_FRAME_INFORMATION; - - // private - typedef struct _FILEOFFSET_INFORMATION - { - ULONGLONG DontUse : 9; // MEMORY_FRAME_INFORMATION overlay - ULONGLONG Offset : 48; // mapped files - ULONGLONG Reserved : 7; - } FILEOFFSET_INFORMATION; - - // private - typedef struct _PAGEDIR_INFORMATION - { - ULONGLONG DontUse : 9; // MEMORY_FRAME_INFORMATION overlay - ULONGLONG PageDirectoryBase : 48; // private pages - ULONGLONG Reserved : 7; - } PAGEDIR_INFORMATION; - - // private - typedef struct _UNIQUE_PROCESS_INFORMATION - { - ULONGLONG DontUse : 9; // MEMORY_FRAME_INFORMATION overlay - ULONGLONG UniqueProcessKey : 48; // ProcessId - ULONGLONG Reserved : 7; - } UNIQUE_PROCESS_INFORMATION, *PUNIQUE_PROCESS_INFORMATION; - - // private - typedef struct _MMPFN_IDENTITY - { - union - { - MEMORY_FRAME_INFORMATION e1; // all - FILEOFFSET_INFORMATION e2; // mapped files - PAGEDIR_INFORMATION e3; // private pages - UNIQUE_PROCESS_INFORMATION e4; // owning process - } u1; - ULONG_PTR PageFrameIndex; // all - union - { - struct - { - ULONG_PTR Image : 1; - ULONG_PTR Mismatch : 1; - } e1; - struct - { - ULONG_PTR CombinedPage; - } e2; - ULONG_PTR FileObject; // mapped files - ULONG_PTR UniqueFileObjectKey; - ULONG_PTR ProtoPteAddress; - ULONG_PTR VirtualAddress; // everything else - } u2; - } MMPFN_IDENTITY, *PMMPFN_IDENTITY; - - typedef struct _MMPFN_MEMSNAP_INFORMATION - { - ULONG_PTR InitialPageFrameIndex; - ULONG_PTR Count; - } MMPFN_MEMSNAP_INFORMATION, *PMMPFN_MEMSNAP_INFORMATION; - - typedef enum _SECTION_INFORMATION_CLASS - { - SectionBasicInformation, // q; SECTION_BASIC_INFORMATION - SectionImageInformation, // q; SECTION_IMAGE_INFORMATION - SectionRelocationInformation, // q; ULONG_PTR RelocationDelta // name:wow64:whNtQuerySection_SectionRelocationInformation // since WIN7 - SectionOriginalBaseInformation, // q; PVOID BaseAddress // since REDSTONE - 
SectionInternalImageInformation, // SECTION_INTERNAL_IMAGE_INFORMATION // since REDSTONE2 - MaxSectionInfoClass - } SECTION_INFORMATION_CLASS; - - typedef struct _SECTION_BASIC_INFORMATION - { - PVOID BaseAddress; - ULONG AllocationAttributes; - LARGE_INTEGER MaximumSize; - } SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION; - - // symbols - typedef struct _SECTION_IMAGE_INFORMATION - { - PVOID TransferAddress; - ULONG ZeroBits; - SIZE_T MaximumStackSize; - SIZE_T CommittedStackSize; - ULONG SubSystemType; - union - { - struct - { - USHORT SubSystemMinorVersion; - USHORT SubSystemMajorVersion; - }; - ULONG SubSystemVersion; - }; - union - { - struct - { - USHORT MajorOperatingSystemVersion; - USHORT MinorOperatingSystemVersion; - }; - ULONG OperatingSystemVersion; - }; - USHORT ImageCharacteristics; - USHORT DllCharacteristics; - USHORT Machine; - BOOLEAN ImageContainsCode; - union - { - UCHAR ImageFlags; - struct - { - UCHAR ComPlusNativeReady : 1; - UCHAR ComPlusILOnly : 1; - UCHAR ImageDynamicallyRelocated : 1; - UCHAR ImageMappedFlat : 1; - UCHAR BaseBelow4gb : 1; - UCHAR ComPlusPrefer32bit : 1; - UCHAR Reserved : 2; - }; - }; - ULONG LoaderFlags; - ULONG ImageFileSize; - ULONG CheckSum; - } SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION; - - // symbols - typedef struct _SECTION_INTERNAL_IMAGE_INFORMATION - { - SECTION_IMAGE_INFORMATION SectionInformation; - union - { - ULONG ExtendedFlags; - struct - { - ULONG ImageExportSuppressionEnabled : 1; - ULONG ImageCetShadowStacksReady : 1; // 20H1 - ULONG ImageXfgEnabled : 1; // 20H2 - ULONG ImageCetShadowStacksStrictMode : 1; - ULONG ImageCetSetContextIpValidationRelaxedMode : 1; - ULONG ImageCetDynamicApisAllowInProc : 1; - ULONG ImageCetDowngradeReserved1 : 1; - ULONG ImageCetDowngradeReserved2 : 1; - ULONG ImageExportSuppressionInfoPresent : 1; - ULONG ImageCfgEnabled : 1; - ULONG Reserved : 22; - }; - }; - } SECTION_INTERNAL_IMAGE_INFORMATION, *PSECTION_INTERNAL_IMAGE_INFORMATION; - -#if (PHNT_MODE 
!= PHNT_MODE_KERNEL) - typedef enum _SECTION_INHERIT - { - ViewShare = 1, - ViewUnmap = 2 - } SECTION_INHERIT; -#endif - -#define MEM_EXECUTE_OPTION_ENABLE 0x1 -#define MEM_EXECUTE_OPTION_DISABLE 0x2 -#define MEM_EXECUTE_OPTION_DISABLE_THUNK_EMULATION 0x4 -#define MEM_EXECUTE_OPTION_PERMANENT 0x8 -#define MEM_EXECUTE_OPTION_EXECUTE_DISPATCH_ENABLE 0x10 -#define MEM_EXECUTE_OPTION_IMAGE_DISPATCH_ENABLE 0x20 -#define MEM_EXECUTE_OPTION_DISABLE_EXCEPTION_CHAIN_VALIDATION 0x40 -#define MEM_EXECUTE_OPTION_VALID_FLAGS 0x7f - - // - // Virtual memory - // - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - - _Must_inspect_result_ - _When_(return == 0, __drv_allocatesMem(mem)) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAllocateVirtualMemory( - _In_ HANDLE ProcessHandle, - _Inout_ _At_(*BaseAddress, _Readable_bytes_(*RegionSize) _Writable_bytes_(*RegionSize) _Post_readable_byte_size_(*RegionSize)) PVOID *BaseAddress, - _In_ ULONG_PTR ZeroBits, - _Inout_ PSIZE_T RegionSize, - _In_ ULONG AllocationType, - _In_ ULONG PageProtection); - -#if (PHNT_VERSION >= PHNT_REDSTONE5) - _Must_inspect_result_ - _When_(return == 0, __drv_allocatesMem(mem)) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAllocateVirtualMemoryEx( - _In_ HANDLE ProcessHandle, - _Inout_ _At_(*BaseAddress, _Readable_bytes_(*RegionSize) _Writable_bytes_(*RegionSize) _Post_readable_byte_size_(*RegionSize)) PVOID *BaseAddress, - _Inout_ PSIZE_T RegionSize, - _In_ ULONG AllocationType, - _In_ ULONG PageProtection, - _Inout_updates_opt_(ExtendedParameterCount) PMEM_EXTENDED_PARAMETER ExtendedParameters, - _In_ ULONG ExtendedParameterCount); -#endif - - /** - * Frees virtual memory allocated for a process. - * - * @param ProcessHandle A handle to the process whose virtual memory is to be freed. - * @param BaseAddress A pointer to the base address of the region of pages to be freed. - * @param RegionSize A pointer to a variable that specifies the size of the region of memory to be freed. - * @param FreeType The type of free operation. 
This parameter can be MEM_DECOMMIT or MEM_RELEASE. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtFreeVirtualMemory( - _In_ HANDLE ProcessHandle, - _Inout_ PVOID *BaseAddress, - _Inout_ PSIZE_T RegionSize, - _In_ ULONG FreeType); - - /** - * Reads virtual memory from a process. - * - * @param ProcessHandle A handle to the process whose memory is to be read. - * @param BaseAddress A pointer to the base address in the specified process from which to read. - * @param Buffer A pointer to a buffer that receives the contents from the address space of the specified process. - * @param NumberOfBytesToRead The number of bytes to be read from the specified process. - * @param NumberOfBytesRead A pointer to a variable that receives the number of bytes transferred into the specified buffer. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtReadVirtualMemory( - _In_ HANDLE ProcessHandle, - _In_opt_ PVOID BaseAddress, - _Out_writes_bytes_to_(NumberOfBytesToRead, *NumberOfBytesRead) PVOID Buffer, - _In_ SIZE_T NumberOfBytesToRead, - _Out_opt_ PSIZE_T NumberOfBytesRead); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - NtWow64ReadVirtualMemory64( - _In_ HANDLE ProcessHandle, - _In_opt_ ULONGLONG BaseAddress, - _Out_writes_bytes_to_(NumberOfBytesToRead, *NumberOfBytesRead) PVOID Buffer, - _In_ ULONGLONG NumberOfBytesToRead, - _Out_opt_ PULONGLONG NumberOfBytesRead); - -#if (PHNT_VERSION >= PHNT_WIN11) - /** - * Reads virtual memory from a process with extended options. - * - * @param ProcessHandle A handle to the process whose memory is to be read. - * @param BaseAddress A pointer to the base address in the specified process from which to read. - * @param Buffer A pointer to a buffer that receives the contents from the address space of the specified process. - * @param NumberOfBytesToRead The number of bytes to be read from the specified process. 
- * @param NumberOfBytesRead A pointer to a variable that receives the number of bytes transferred into the specified buffer. - * @param Flags Additional flags for the read operation. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtReadVirtualMemoryEx( - _In_ HANDLE ProcessHandle, - _In_opt_ PVOID BaseAddress, - _Out_writes_bytes_to_(NumberOfBytesToRead, *NumberOfBytesRead) PVOID Buffer, - _In_ SIZE_T NumberOfBytesToRead, - _Out_opt_ PSIZE_T NumberOfBytesRead, - _In_ ULONG Flags); -#endif - - /** - * Writes virtual memory to a process. - * - * @param ProcessHandle A handle to the process whose memory is to be written. - * @param BaseAddress A pointer to the base address in the specified process to which to write. - * @param Buffer A pointer to the buffer that contains the data to be written to the address space of the specified process. - * @param NumberOfBytesToWrite The number of bytes to be written to the specified process. - * @param NumberOfBytesWritten A pointer to a variable that receives the number of bytes transferred into the specified buffer. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtWriteVirtualMemory( - _In_ HANDLE ProcessHandle, - _In_opt_ PVOID BaseAddress, - _In_reads_bytes_(NumberOfBytesToWrite) PVOID Buffer, - _In_ SIZE_T NumberOfBytesToWrite, - _Out_opt_ PSIZE_T NumberOfBytesWritten); - - // rev - /** - * Writes virtual memory to a 64-bit process from a 32-bit process. - * - * @param ProcessHandle A handle to the process whose memory is to be written. - * @param BaseAddress A pointer to the base address in the specified process to which to write. - * @param Buffer A pointer to the buffer that contains the data to be written to the address space of the specified process. - * @param NumberOfBytesToWrite The number of bytes to be written to the specified process. 
- * @param NumberOfBytesWritten A pointer to a variable that receives the number of bytes transferred into the specified buffer. - * @return NTSTATUS Successful or errant status. - */ - NTSYSAPI - NTSTATUS - NTAPI - NtWow64WriteVirtualMemory64( - _In_ HANDLE ProcessHandle, - _In_opt_ ULONGLONG BaseAddress, - _In_reads_bytes_(NumberOfBytesToWrite) PVOID Buffer, - _In_ ULONGLONG NumberOfBytesToWrite, - _Out_opt_ PULONGLONG NumberOfBytesWritten); - - /** - * Changes the protection on a region of virtual memory. - * - * @param ProcessHandle A handle to the process whose memory protection is to be changed. - * @param BaseAddress A pointer to the base address of the region of pages whose access protection attributes are to be changed. - * @param RegionSize A pointer to a variable that specifies the size of the region whose access protection attributes are to be changed. - * @param NewProtection The memory protection option. This parameter can be one of the memory protection constants. - * @param OldProtection A pointer to a variable that receives the previous access protection of the first page in the specified region of pages. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtProtectVirtualMemory( - _In_ HANDLE ProcessHandle, - _Inout_ PVOID *BaseAddress, - _Inout_ PSIZE_T RegionSize, - _In_ ULONG NewProtection, - _Out_ PULONG OldProtection); - - /** - * Queries information about a region of virtual memory in a process. - * - * @param ProcessHandle A handle to the process whose memory information is to be queried. - * @param BaseAddress A pointer to the base address of the region of pages to be queried. - * @param MemoryInformationClass The type of information to be queried. - * @param MemoryInformation A pointer to a buffer that receives the memory information. - * @param MemoryInformationLength The size of the buffer pointed to by the MemoryInformation parameter. 
- * @param ReturnLength A pointer to a variable that receives the number of bytes returned in the MemoryInformation buffer. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryVirtualMemory( - _In_ HANDLE ProcessHandle, - _In_opt_ PVOID BaseAddress, - _In_ MEMORY_INFORMATION_CLASS MemoryInformationClass, - _Out_writes_bytes_(MemoryInformationLength) PVOID MemoryInformation, - _In_ SIZE_T MemoryInformationLength, - _Out_opt_ PSIZE_T ReturnLength); - - // rev - /** - * Queries information about a region of virtual memory in a 64-bit process from a 32-bit process. - * - * @param ProcessHandle A handle to the process whose memory information is to be queried. - * @param BaseAddress A pointer to the base address of the region of pages to be queried. - * @param MemoryInformationClass The type of information to be queried. - * @param MemoryInformation A pointer to a buffer that receives the memory information. - * @param MemoryInformationLength The size of the buffer pointed to by the MemoryInformation parameter. - * @param ReturnLength A pointer to a variable that receives the number of bytes returned in the MemoryInformation buffer. - * @return NTSTATUS Successful or errant status. - */ - NTSYSAPI - NTSTATUS - NTAPI - NtWow64QueryVirtualMemory64( - _In_ HANDLE ProcessHandle, - _In_opt_ ULONGLONG BaseAddress, - _In_ MEMORY_INFORMATION_CLASS MemoryInformationClass, - _Out_writes_bytes_(MemoryInformationLength) PVOID MemoryInformation, - _In_ ULONGLONG MemoryInformationLength, - _Out_opt_ PULONGLONG ReturnLength); - - typedef struct _IO_STATUS_BLOCK *PIO_STATUS_BLOCK; - - /** - * Flushes the instruction cache for a specified process. - * - * @param ProcessHandle A handle to the process whose instruction cache is to be flushed. - * @param BaseAddress A pointer to the base address of the region of memory to be flushed. - * @param RegionSize A pointer to a variable that specifies the size of the region to be flushed. 
- * @param IoStatus A pointer to an IO_STATUS_BLOCK structure that receives the status of the flush operation. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtFlushVirtualMemory( - _In_ HANDLE ProcessHandle, - _Inout_ PVOID *BaseAddress, - _Inout_ PSIZE_T RegionSize, - _Out_ PIO_STATUS_BLOCK IoStatus); - -#endif - -// begin_private -#if (PHNT_MODE != PHNT_MODE_KERNEL) - typedef enum _VIRTUAL_MEMORY_INFORMATION_CLASS - { - VmPrefetchInformation, // MEMORY_PREFETCH_INFORMATION - VmPagePriorityInformation, // OFFER_PRIORITY - VmCfgCallTargetInformation, // CFG_CALL_TARGET_LIST_INFORMATION // REDSTONE2 - VmPageDirtyStateInformation, // REDSTONE3 - VmImageHotPatchInformation, // 19H1 - VmPhysicalContiguityInformation, // 20H1 - VmVirtualMachinePrepopulateInformation, - VmRemoveFromWorkingSetInformation, - MaxVmInfoClass - } VIRTUAL_MEMORY_INFORMATION_CLASS; -#else -#define VmPrefetchInformation 0x0 -#define VmPagePriorityInformation 0x1 -#define VmCfgCallTargetInformation 0x2 -#define VmPageDirtyStateInformation 0x3 -#define VmImageHotPatchInformation 0x4 -#define VmPhysicalContiguityInformation 0x5 -#define VmVirtualMachinePrepopulateInformation 0x6 -#define VmRemoveFromWorkingSetInformation 0x7 -#define MaxVmInfoClass 0x8 -#endif - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - typedef struct _MEMORY_RANGE_ENTRY - { - PVOID VirtualAddress; - SIZE_T NumberOfBytes; - } MEMORY_RANGE_ENTRY, *PMEMORY_RANGE_ENTRY; - -#define VM_PREFETCH_TO_WORKING_SET 0x1 // since 24H4 - - typedef struct _MEMORY_PREFETCH_INFORMATION - { - ULONG Flags; - } MEMORY_PREFETCH_INFORMATION, *PMEMORY_PREFETCH_INFORMATION; - - typedef struct _CFG_CALL_TARGET_LIST_INFORMATION - { - ULONG NumberOfEntries; - ULONG Reserved; - PULONG NumberOfEntriesProcessed; - PCFG_CALL_TARGET_INFO CallTargetInfo; - PVOID Section; // since REDSTONE5 - ULONGLONG FileOffset; - } CFG_CALL_TARGET_LIST_INFORMATION, *PCFG_CALL_TARGET_LIST_INFORMATION; -#endif - // end_private - -#if 
(PHNT_MODE != PHNT_MODE_KERNEL) - -#if (PHNT_VERSION >= PHNT_WIN8) - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetInformationVirtualMemory( - _In_ HANDLE ProcessHandle, - _In_ VIRTUAL_MEMORY_INFORMATION_CLASS VmInformationClass, - _In_ SIZE_T NumberOfEntries, - _In_reads_(NumberOfEntries) PMEMORY_RANGE_ENTRY VirtualAddresses, - _In_reads_bytes_(VmInformationLength) PVOID VmInformation, - _In_ ULONG VmInformationLength); - -#endif - -#define MAP_PROCESS 1 -#define MAP_SYSTEM 2 - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtLockVirtualMemory( - _In_ HANDLE ProcessHandle, - _Inout_ PVOID *BaseAddress, - _Inout_ PSIZE_T RegionSize, - _In_ ULONG MapType); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtUnlockVirtualMemory( - _In_ HANDLE ProcessHandle, - _Inout_ PVOID *BaseAddress, - _Inout_ PSIZE_T RegionSize, - _In_ ULONG MapType); - -#endif - - // Sections - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateSection( - _Out_ PHANDLE SectionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ PLARGE_INTEGER MaximumSize, - _In_ ULONG SectionPageProtection, - _In_ ULONG AllocationAttributes, - _In_opt_ HANDLE FileHandle); - -#if (PHNT_VERSION >= PHNT_REDSTONE5) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateSectionEx( - _Out_ PHANDLE SectionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ PLARGE_INTEGER MaximumSize, - _In_ ULONG SectionPageProtection, - _In_ ULONG AllocationAttributes, - _In_opt_ HANDLE FileHandle, - _Inout_updates_opt_(ExtendedParameterCount) PMEM_EXTENDED_PARAMETER ExtendedParameters, - _In_ ULONG ExtendedParameterCount); -#endif - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtOpenSection( - _Out_ PHANDLE SectionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ PCOBJECT_ATTRIBUTES ObjectAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtMapViewOfSection( - _In_ HANDLE SectionHandle, - _In_ HANDLE ProcessHandle, - _Inout_ _At_(*BaseAddress, 
_Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID *BaseAddress, - _In_ ULONG_PTR ZeroBits, - _In_ SIZE_T CommitSize, - _Inout_opt_ PLARGE_INTEGER SectionOffset, - _Inout_ PSIZE_T ViewSize, - _In_ SECTION_INHERIT InheritDisposition, - _In_ ULONG AllocationType, - _In_ ULONG PageProtection); - -#if (PHNT_VERSION >= PHNT_REDSTONE5) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtMapViewOfSectionEx( - _In_ HANDLE SectionHandle, - _In_ HANDLE ProcessHandle, - _Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID *BaseAddress, - _Inout_opt_ PLARGE_INTEGER SectionOffset, - _Inout_ PSIZE_T ViewSize, - _In_ ULONG AllocationType, - _In_ ULONG PageProtection, - _Inout_updates_opt_(ExtendedParameterCount) PMEM_EXTENDED_PARAMETER ExtendedParameters, - _In_ ULONG ExtendedParameterCount); -#endif - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtUnmapViewOfSection( - _In_ HANDLE ProcessHandle, - _In_opt_ PVOID BaseAddress); - -#if (PHNT_VERSION >= PHNT_WIN8) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtUnmapViewOfSectionEx( - _In_ HANDLE ProcessHandle, - _In_opt_ PVOID BaseAddress, - _In_ ULONG Flags); -#endif - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtExtendSection( - _In_ HANDLE SectionHandle, - _Inout_ PLARGE_INTEGER NewSectionSize); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQuerySection( - _In_ HANDLE SectionHandle, - _In_ SECTION_INFORMATION_CLASS SectionInformationClass, - _Out_writes_bytes_(SectionInformationLength) PVOID SectionInformation, - _In_ SIZE_T SectionInformationLength, - _Out_opt_ PSIZE_T ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAreMappedFilesTheSame( - _In_ PVOID File1MappedAsAnImage, - _In_ PVOID File2MappedAsFile); - -#endif - - // Partitions - -#ifndef MEMORY_PARTITION_QUERY_ACCESS -#define MEMORY_PARTITION_QUERY_ACCESS 0x0001 -#define MEMORY_PARTITION_MODIFY_ACCESS 0x0002 -#define MEMORY_PARTITION_ALL_ACCESS \ - (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 
MEMORY_PARTITION_QUERY_ACCESS | MEMORY_PARTITION_MODIFY_ACCESS) -#endif - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - // private - typedef enum _PARTITION_INFORMATION_CLASS - { - SystemMemoryPartitionInformation, // q: MEMORY_PARTITION_CONFIGURATION_INFORMATION - SystemMemoryPartitionMoveMemory, // s: MEMORY_PARTITION_TRANSFER_INFORMATION - SystemMemoryPartitionAddPagefile, // s: MEMORY_PARTITION_PAGEFILE_INFORMATION - SystemMemoryPartitionCombineMemory, // q; s: MEMORY_PARTITION_PAGE_COMBINE_INFORMATION - SystemMemoryPartitionInitialAddMemory, // q; s: MEMORY_PARTITION_INITIAL_ADD_INFORMATION - SystemMemoryPartitionGetMemoryEvents, // MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION // since REDSTONE2 - SystemMemoryPartitionSetAttributes, - SystemMemoryPartitionNodeInformation, - SystemMemoryPartitionCreateLargePages, - SystemMemoryPartitionDedicatedMemoryInformation, - SystemMemoryPartitionOpenDedicatedMemory, // 10 - SystemMemoryPartitionMemoryChargeAttributes, - SystemMemoryPartitionClearAttributes, - SystemMemoryPartitionSetMemoryThresholds, // since WIN11 - SystemMemoryPartitionMemoryListCommand, // since 24H2 - SystemMemoryPartitionMax - } PARTITION_INFORMATION_CLASS, - *PPARTITION_INFORMATION_CLASS; -#else -#define SystemMemoryPartitionInformation 0x0 -#define SystemMemoryPartitionMoveMemory 0x1 -#define SystemMemoryPartitionAddPagefile 0x2 -#define SystemMemoryPartitionCombineMemory 0x3 -#define SystemMemoryPartitionInitialAddMemory 0x4 -#define SystemMemoryPartitionGetMemoryEvents 0x5 -#define SystemMemoryPartitionSetAttributes 0x6 -#define SystemMemoryPartitionNodeInformation 0x7 -#define SystemMemoryPartitionCreateLargePages 0x8 -#define SystemMemoryPartitionDedicatedMemoryInformation 0x9 -#define SystemMemoryPartitionOpenDedicatedMemory 0xA -#define SystemMemoryPartitionMemoryChargeAttributes 0xB -#define SystemMemoryPartitionClearAttributes 0xC -#define SystemMemoryPartitionSetMemoryThresholds 0xD -#define SystemMemoryPartitionMemoryListCommand 0xE -#define 
SystemMemoryPartitionMax 0xF -#endif - - // private - typedef struct _MEMORY_PARTITION_CONFIGURATION_INFORMATION - { - ULONG Flags; - ULONG NumaNode; - ULONG Channel; - ULONG NumberOfNumaNodes; - SIZE_T ResidentAvailablePages; - SIZE_T CommittedPages; - SIZE_T CommitLimit; - SIZE_T PeakCommitment; - SIZE_T TotalNumberOfPages; - SIZE_T AvailablePages; - SIZE_T ZeroPages; - SIZE_T FreePages; - SIZE_T StandbyPages; - SIZE_T StandbyPageCountByPriority[8]; // since REDSTONE2 - SIZE_T RepurposedPagesByPriority[8]; - SIZE_T MaximumCommitLimit; - SIZE_T Reserved; // DonatedPagesToPartitions - ULONG PartitionId; // since REDSTONE3 - } MEMORY_PARTITION_CONFIGURATION_INFORMATION, *PMEMORY_PARTITION_CONFIGURATION_INFORMATION; - - // private - typedef struct _MEMORY_PARTITION_TRANSFER_INFORMATION - { - SIZE_T NumberOfPages; - ULONG NumaNode; - ULONG Flags; - } MEMORY_PARTITION_TRANSFER_INFORMATION, *PMEMORY_PARTITION_TRANSFER_INFORMATION; - - // private - typedef struct _MEMORY_PARTITION_PAGEFILE_INFORMATION - { - UNICODE_STRING PageFileName; - LARGE_INTEGER MinimumSize; - LARGE_INTEGER MaximumSize; - ULONG Flags; - } MEMORY_PARTITION_PAGEFILE_INFORMATION, *PMEMORY_PARTITION_PAGEFILE_INFORMATION; - - // private - typedef struct _MEMORY_PARTITION_PAGE_COMBINE_INFORMATION - { - HANDLE StopHandle; - ULONG Flags; - SIZE_T TotalNumberOfPages; - } MEMORY_PARTITION_PAGE_COMBINE_INFORMATION, *PMEMORY_PARTITION_PAGE_COMBINE_INFORMATION; - - // private - typedef struct _MEMORY_PARTITION_PAGE_RANGE - { - ULONG_PTR StartPage; - ULONG_PTR NumberOfPages; - } MEMORY_PARTITION_PAGE_RANGE, *PMEMORY_PARTITION_PAGE_RANGE; - - // private - typedef struct _MEMORY_PARTITION_INITIAL_ADD_INFORMATION - { - ULONG Flags; - ULONG NumberOfRanges; - SIZE_T NumberOfPagesAdded; - MEMORY_PARTITION_PAGE_RANGE PartitionRanges[1]; - } MEMORY_PARTITION_INITIAL_ADD_INFORMATION, *PMEMORY_PARTITION_INITIAL_ADD_INFORMATION; - - // private - typedef struct _MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION - { - union - { - 
struct - { - ULONG CommitEvents : 1; - ULONG Spare : 31; - }; - ULONG AllFlags; - } Flags; - - ULONG HandleAttributes; - ACCESS_MASK DesiredAccess; - HANDLE LowCommitCondition; // \KernelObjects\LowCommitCondition - HANDLE HighCommitCondition; // \KernelObjects\HighCommitCondition - HANDLE MaximumCommitCondition; // \KernelObjects\MaximumCommitCondition - } MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION, *PMEMORY_PARTITION_MEMORY_EVENTS_INFORMATION; - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - -#if (PHNT_VERSION >= PHNT_THRESHOLD) - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreatePartition( - _In_opt_ HANDLE ParentPartitionHandle, - _Out_ PHANDLE PartitionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, - _In_ ULONG PreferredNode); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtOpenPartition( - _Out_ PHANDLE PartitionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ PCOBJECT_ATTRIBUTES ObjectAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtManagePartition( - _In_ HANDLE TargetHandle, - _In_opt_ HANDLE SourceHandle, - _In_ PARTITION_INFORMATION_CLASS PartitionInformationClass, - _Inout_updates_bytes_(PartitionInformationLength) PVOID PartitionInformation, - _In_ ULONG PartitionInformationLength); - -#endif - -#endif - - // User physical pages - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtMapUserPhysicalPages( - _In_ PVOID VirtualAddress, - _In_ SIZE_T NumberOfPages, - _In_reads_opt_(NumberOfPages) PULONG_PTR UserPfnArray); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtMapUserPhysicalPagesScatter( - _In_reads_(NumberOfPages) PVOID *VirtualAddresses, - _In_ SIZE_T NumberOfPages, - _In_reads_opt_(NumberOfPages) PULONG_PTR UserPfnArray); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAllocateUserPhysicalPages( - _In_ HANDLE ProcessHandle, - _Inout_ PSIZE_T NumberOfPages, - _Out_writes_(*NumberOfPages) PULONG_PTR UserPfnArray); - -#if (PHNT_VERSION >= PHNT_THRESHOLD) - NTSYSCALLAPI - NTSTATUS - NTAPI - 
NtAllocateUserPhysicalPagesEx( - _In_ HANDLE ProcessHandle, - _Inout_ PULONG_PTR NumberOfPages, - _Out_writes_(*NumberOfPages) PULONG_PTR UserPfnArray, - _Inout_updates_opt_(ExtendedParameterCount) PMEM_EXTENDED_PARAMETER ExtendedParameters, - _In_ ULONG ExtendedParameterCount); -#endif - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtFreeUserPhysicalPages( - _In_ HANDLE ProcessHandle, - _Inout_ PULONG_PTR NumberOfPages, - _In_reads_(*NumberOfPages) PULONG_PTR UserPfnArray); - -#endif - - // Misc. - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtGetWriteWatch( - _In_ HANDLE ProcessHandle, - _In_ ULONG Flags, - _In_ PVOID BaseAddress, - _In_ SIZE_T RegionSize, - _Out_writes_(*EntriesInUserAddressArray) PVOID *UserAddressArray, - _Inout_ PULONG_PTR EntriesInUserAddressArray, - _Out_ PULONG Granularity); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtResetWriteWatch( - _In_ HANDLE ProcessHandle, - _In_ PVOID BaseAddress, - _In_ SIZE_T RegionSize); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreatePagingFile( - _In_ PUNICODE_STRING PageFileName, - _In_ PLARGE_INTEGER MinimumSize, - _In_ PLARGE_INTEGER MaximumSize, - _In_ ULONG Priority); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtFlushInstructionCache( - _In_ HANDLE ProcessHandle, - _In_opt_ PVOID BaseAddress, - _In_ SIZE_T Length); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtFlushWriteBuffer( - VOID); - -#endif - -#if (PHNT_VERSION >= PHNT_THRESHOLD) - // Enclave support - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateEnclave( - _In_ HANDLE ProcessHandle, - _Inout_ PVOID *BaseAddress, - _In_ ULONG_PTR ZeroBits, - _In_ SIZE_T Size, - _In_ SIZE_T InitialCommitment, - _In_ ULONG EnclaveType, - _In_reads_bytes_(EnclaveInformationLength) PVOID EnclaveInformation, - _In_ ULONG EnclaveInformationLength, - _Out_opt_ PULONG EnclaveError); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtLoadEnclaveData( - _In_ HANDLE ProcessHandle, - _In_ PVOID BaseAddress, - _In_reads_bytes_(BufferSize) PVOID Buffer, - _In_ SIZE_T BufferSize, - _In_ 
ULONG Protect, - _In_reads_bytes_(PageInformationLength) PVOID PageInformation, - _In_ ULONG PageInformationLength, - _Out_opt_ PSIZE_T NumberOfBytesWritten, - _Out_opt_ PULONG EnclaveError); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtInitializeEnclave( - _In_ HANDLE ProcessHandle, - _In_ PVOID BaseAddress, - _In_reads_bytes_(EnclaveInformationLength) PVOID EnclaveInformation, - _In_ ULONG EnclaveInformationLength, - _Out_opt_ PULONG EnclaveError); - -// rev -#define TERMINATE_ENCLAVE_VALID_FLAGS 0x00000005ul -#define TERMINATE_ENCLAVE_FLAG_NO_WAIT 0x00000001ul -#define TERMINATE_ENCLAVE_FLAG_WAIT_ERROR 0x00000004ul // STATUS_PENDING -> STATUS_ENCLAVE_NOT_TERMINATED - - // rev - NTSYSCALLAPI - NTSTATUS - NTAPI - NtTerminateEnclave( - _In_ PVOID BaseAddress, - _In_ ULONG Flags // TERMINATE_ENCLAVE_FLAG_* - ); - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - -// rev -#define ENCLAVE_CALL_VALID_FLAGS 0x00000001ul -#define ENCLAVE_CALL_FLAG_NO_WAIT 0x00000001ul - - // rev - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCallEnclave( - _In_ PENCLAVE_ROUTINE Routine, - _In_ PVOID Reserved, // reserved for dispatch (RtlEnclaveCallDispatch) - _In_ ULONG Flags, // ENCLAVE_CALL_FLAG_* - _Inout_ PVOID *RoutineParamReturn // input routine parameter, output routine return value - ); -#endif - -#endif - -#endif - /* - * Object Manager support functions - * - * This file is part of System Informer. 
- */ - -#ifndef _NTOBAPI_H -#define _NTOBAPI_H - -#if (PHNT_MODE != PHNT_MODE_KERNEL) -#define OBJECT_TYPE_CREATE 0x0001 -#define OBJECT_TYPE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | OBJECT_TYPE_CREATE) -#endif - -#if (PHNT_MODE != PHNT_MODE_KERNEL) -#define DIRECTORY_QUERY 0x0001 -#define DIRECTORY_TRAVERSE 0x0002 -#define DIRECTORY_CREATE_OBJECT 0x0004 -#define DIRECTORY_CREATE_SUBDIRECTORY 0x0008 -#define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | DIRECTORY_QUERY | DIRECTORY_TRAVERSE | DIRECTORY_CREATE_OBJECT | DIRECTORY_CREATE_SUBDIRECTORY) -#endif - -#if (PHNT_MODE != PHNT_MODE_KERNEL) -#define SYMBOLIC_LINK_QUERY 0x0001 -#define SYMBOLIC_LINK_SET 0x0002 -#define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYMBOLIC_LINK_QUERY) -#define SYMBOLIC_LINK_ALL_ACCESS_EX (STANDARD_RIGHTS_REQUIRED | SPECIFIC_RIGHTS_ALL) -#endif - -#ifndef OBJ_PROTECT_CLOSE -#define OBJ_PROTECT_CLOSE 0x00000001 -#endif -#ifndef OBJ_INHERIT -#define OBJ_INHERIT 0x00000002 -#endif -#ifndef OBJ_AUDIT_OBJECT_CLOSE -#define OBJ_AUDIT_OBJECT_CLOSE 0x00000004 -#endif - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - typedef enum _OBJECT_INFORMATION_CLASS - { - ObjectBasicInformation, // q: OBJECT_BASIC_INFORMATION - ObjectNameInformation, // q: OBJECT_NAME_INFORMATION - ObjectTypeInformation, // q: OBJECT_TYPE_INFORMATION - ObjectTypesInformation, // q: OBJECT_TYPES_INFORMATION - ObjectHandleFlagInformation, // qs: OBJECT_HANDLE_FLAG_INFORMATION - ObjectSessionInformation, // s: void // change object session // (requires SeTcbPrivilege) - ObjectSessionObjectInformation, // s: void // change object session // (requires SeTcbPrivilege) - MaxObjectInfoClass - } OBJECT_INFORMATION_CLASS; -#else -#define ObjectBasicInformation 0 -#define ObjectNameInformation 1 -#define ObjectTypeInformation 2 -#define ObjectTypesInformation 3 -#define ObjectHandleFlagInformation 4 -#define ObjectSessionInformation 5 -#define ObjectSessionObjectInformation 6 -#endif - - /** - * The OBJECT_BASIC_INFORMATION 
structure contains basic information about an object. - */ - typedef struct _OBJECT_BASIC_INFORMATION - { - ULONG Attributes; // The attributes of the object include whether the object is permanent, can be inherited, and other characteristics. - ACCESS_MASK GrantedAccess; // Specifies a mask that represents the granted access when the object was created. - ULONG HandleCount; // The number of handles that are currently open for the object. - ULONG PointerCount; // The number of references to the object from both handles and other references, such as those from the system. - ULONG PagedPoolCharge; // The amount of paged pool memory that the object is using. - ULONG NonPagedPoolCharge; // The amount of non-paged pool memory that the object is using. - ULONG Reserved[3]; // Reserved for future use. - ULONG NameInfoSize; // The size of the name information for the object. - ULONG TypeInfoSize; // The size of the type information for the object. - ULONG SecurityDescriptorSize; // The size of the security descriptor for the object. - LARGE_INTEGER CreationTime; // The time when a symbolic link was created. Not supported for other types of objects. - } OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION; - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - /** - * The OBJECT_NAME_INFORMATION structure contains the name, if there is one, of a given object. - */ - typedef struct _OBJECT_NAME_INFORMATION - { - UNICODE_STRING Name; // The object name (when present) includes a NULL-terminator and all path separators "\" in the name. - } OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION; -#endif - - /** - * The OBJECT_NAME_INFORMATION structure contains various statistics and properties about an object type. 
- */ - typedef struct _OBJECT_TYPE_INFORMATION - { - UNICODE_STRING TypeName; - ULONG TotalNumberOfObjects; - ULONG TotalNumberOfHandles; - ULONG TotalPagedPoolUsage; - ULONG TotalNonPagedPoolUsage; - ULONG TotalNamePoolUsage; - ULONG TotalHandleTableUsage; - ULONG HighWaterNumberOfObjects; - ULONG HighWaterNumberOfHandles; - ULONG HighWaterPagedPoolUsage; - ULONG HighWaterNonPagedPoolUsage; - ULONG HighWaterNamePoolUsage; - ULONG HighWaterHandleTableUsage; - ULONG InvalidAttributes; - GENERIC_MAPPING GenericMapping; - ULONG ValidAccessMask; - BOOLEAN SecurityRequired; - BOOLEAN MaintainHandleCount; - UCHAR TypeIndex; // since WINBLUE - CHAR ReservedByte; - ULONG PoolType; - ULONG DefaultPagedPoolCharge; - ULONG DefaultNonPagedPoolCharge; - } OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION; - - typedef struct _OBJECT_TYPES_INFORMATION - { - ULONG NumberOfTypes; - } OBJECT_TYPES_INFORMATION, *POBJECT_TYPES_INFORMATION; - - typedef struct _OBJECT_HANDLE_FLAG_INFORMATION - { - BOOLEAN Inherit; - BOOLEAN ProtectFromClose; - } OBJECT_HANDLE_FLAG_INFORMATION, *POBJECT_HANDLE_FLAG_INFORMATION; - - // Objects, handles - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryObject( - _In_opt_ HANDLE Handle, - _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass, - _Out_writes_bytes_opt_(ObjectInformationLength) PVOID ObjectInformation, - _In_ ULONG ObjectInformationLength, - _Out_opt_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetInformationObject( - _In_ HANDLE Handle, - _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass, - _In_reads_bytes_(ObjectInformationLength) PVOID ObjectInformation, - _In_ ULONG ObjectInformationLength); - -#define DUPLICATE_CLOSE_SOURCE 0x00000001 -#define DUPLICATE_SAME_ACCESS 0x00000002 -#define DUPLICATE_SAME_ATTRIBUTES 0x00000004 - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtDuplicateObject( - _In_ HANDLE SourceProcessHandle, - _In_ HANDLE SourceHandle, - _In_opt_ HANDLE TargetProcessHandle, - 
_Out_opt_ PHANDLE TargetHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ ULONG HandleAttributes, - _In_ ULONG Options); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtMakeTemporaryObject( - _In_ HANDLE Handle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtMakePermanentObject( - _In_ HANDLE Handle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSignalAndWaitForSingleObject( - _In_ HANDLE SignalHandle, - _In_ HANDLE WaitHandle, - _In_ BOOLEAN Alertable, - _In_opt_ PLARGE_INTEGER Timeout); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtWaitForSingleObject( - _In_ HANDLE Handle, - _In_ BOOLEAN Alertable, - _In_opt_ PLARGE_INTEGER Timeout); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtWaitForMultipleObjects( - _In_ ULONG Count, - _In_reads_(Count) HANDLE Handles[], - _In_ WAIT_TYPE WaitType, - _In_ BOOLEAN Alertable, - _In_opt_ PLARGE_INTEGER Timeout); - -#if (PHNT_VERSION >= PHNT_WS03) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtWaitForMultipleObjects32( - _In_ ULONG Count, - _In_reads_(Count) LONG Handles[], - _In_ WAIT_TYPE WaitType, - _In_ BOOLEAN Alertable, - _In_opt_ PLARGE_INTEGER Timeout); -#endif - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetSecurityObject( - _In_ HANDLE Handle, - _In_ SECURITY_INFORMATION SecurityInformation, - _In_ PSECURITY_DESCRIPTOR SecurityDescriptor); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQuerySecurityObject( - _In_ HANDLE Handle, - _In_ SECURITY_INFORMATION SecurityInformation, - _Out_writes_bytes_to_opt_(Length, *LengthNeeded) PSECURITY_DESCRIPTOR SecurityDescriptor, - _In_ ULONG Length, - _Out_ PULONG LengthNeeded); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtClose( - _In_ _Post_ptr_invalid_ HANDLE Handle); - -#if (PHNT_VERSION >= PHNT_THRESHOLD) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCompareObjects( - _In_ HANDLE FirstObjectHandle, - _In_ HANDLE SecondObjectHandle); -#endif - -#endif - - // Directory objects - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateDirectoryObject( - _Out_ PHANDLE DirectoryHandle, - _In_ ACCESS_MASK DesiredAccess, 
- _In_ POBJECT_ATTRIBUTES ObjectAttributes); - -#if (PHNT_VERSION >= PHNT_WIN8) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateDirectoryObjectEx( - _Out_ PHANDLE DirectoryHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ HANDLE ShadowDirectoryHandle, - _In_ ULONG Flags); -#endif - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtOpenDirectoryObject( - _Out_ PHANDLE DirectoryHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes); - - typedef struct _OBJECT_DIRECTORY_INFORMATION - { - UNICODE_STRING Name; - UNICODE_STRING TypeName; - } OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION; - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryDirectoryObject( - _In_ HANDLE DirectoryHandle, - _Out_writes_bytes_opt_(Length) PVOID Buffer, - _In_ ULONG Length, - _In_ BOOLEAN ReturnSingleEntry, - _In_ BOOLEAN RestartScan, - _Inout_ PULONG Context, - _Out_opt_ PULONG ReturnLength); - -#endif - - // Private namespaces - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - - // private - typedef enum _BOUNDARY_ENTRY_TYPE - { - OBNS_Invalid, - OBNS_Name, - OBNS_SID, - OBNS_IL - } BOUNDARY_ENTRY_TYPE; - - // private - typedef struct _OBJECT_BOUNDARY_ENTRY - { - BOUNDARY_ENTRY_TYPE EntryType; - ULONG EntrySize; - // union - //{ - // WCHAR Name[1]; - // PSID Sid; - // PSID IntegrityLabel; - // }; - } OBJECT_BOUNDARY_ENTRY, *POBJECT_BOUNDARY_ENTRY; - -// rev -#define OBJECT_BOUNDARY_DESCRIPTOR_VERSION 1 - - // private - typedef struct _OBJECT_BOUNDARY_DESCRIPTOR - { - ULONG Version; - ULONG Items; - ULONG TotalSize; - union - { - ULONG Flags; - struct - { - ULONG AddAppContainerSid : 1; - ULONG Reserved : 31; - }; - }; - // OBJECT_BOUNDARY_ENTRY Entries[1]; - } OBJECT_BOUNDARY_DESCRIPTOR, *POBJECT_BOUNDARY_DESCRIPTOR; - -#if (PHNT_VERSION >= PHNT_VISTA) - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreatePrivateNamespace( - _Out_ PHANDLE NamespaceHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ 
POBJECT_BOUNDARY_DESCRIPTOR BoundaryDescriptor); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtOpenPrivateNamespace( - _Out_ PHANDLE NamespaceHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ POBJECT_BOUNDARY_DESCRIPTOR BoundaryDescriptor); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtDeletePrivateNamespace( - _In_ HANDLE NamespaceHandle); - -#endif - -#endif - - // Symbolic links - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateSymbolicLinkObject( - _Out_ PHANDLE LinkHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ PUNICODE_STRING LinkTarget); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtOpenSymbolicLinkObject( - _Out_ PHANDLE LinkHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQuerySymbolicLinkObject( - _In_ HANDLE LinkHandle, - _Inout_ PUNICODE_STRING LinkTarget, - _Out_opt_ PULONG ReturnedLength); - - typedef enum _SYMBOLIC_LINK_INFO_CLASS - { - SymbolicLinkGlobalInformation = 1, // s: ULONG - SymbolicLinkAccessMask, // s: ACCESS_MASK - MaxnSymbolicLinkInfoClass - } SYMBOLIC_LINK_INFO_CLASS; - -#if (PHNT_VERSION >= PHNT_THRESHOLD) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetInformationSymbolicLink( - _In_ HANDLE LinkHandle, - _In_ SYMBOLIC_LINK_INFO_CLASS SymbolicLinkInformationClass, - _In_reads_bytes_(SymbolicLinkInformationLength) PVOID SymbolicLinkInformation, - _In_ ULONG SymbolicLinkInformationLength); -#endif - -#endif - -#endif - /* - * Process support functions - * - * This file is part of System Informer. - */ - -#ifndef _NTPSAPI_H -#define _NTPSAPI_H - - /* - * Process and Thread Environment Block support functions - * - * This file is part of System Informer. - */ - -#ifndef _NTPEBTEB_H -#define _NTPEBTEB_H - - /* - * Side-by-side assembly support definitions. - * - * This file is part of System Informer. 
- */ - -#ifndef _NTSXS_H -#define _NTSXS_H - -#define ACTIVATION_CONTEXT_DATA_MAGIC ('xtcA') -#define ACTIVATION_CONTEXT_DATA_FORMAT_WHISTLER 1 - -#define ACTIVATION_CONTEXT_FLAG_NO_INHERIT 0x00000001 - -#if (PHNT_MODE == PHNT_MODE_KERNEL) - typedef enum _ACTCTX_REQUESTED_RUN_LEVEL - { - ACTCTX_RUN_LEVEL_UNSPECIFIED = 0, - ACTCTX_RUN_LEVEL_AS_INVOKER, - ACTCTX_RUN_LEVEL_HIGHEST_AVAILABLE, - ACTCTX_RUN_LEVEL_REQUIRE_ADMIN, - ACTCTX_RUN_LEVEL_NUMBERS - } ACTCTX_REQUESTED_RUN_LEVEL; - - typedef enum _ACTCTX_COMPATIBILITY_ELEMENT_TYPE - { - ACTCTX_COMPATIBILITY_ELEMENT_TYPE_UNKNOWN = 0, - ACTCTX_COMPATIBILITY_ELEMENT_TYPE_OS, - ACTCTX_COMPATIBILITY_ELEMENT_TYPE_MITIGATION, - ACTCTX_COMPATIBILITY_ELEMENT_TYPE_MAXVERSIONTESTED - } ACTCTX_COMPATIBILITY_ELEMENT_TYPE; -#endif - -#include - - typedef struct _ACTIVATION_CONTEXT_DATA - { - ULONG Magic; - ULONG HeaderSize; - ULONG FormatVersion; - ULONG TotalSize; - ULONG DefaultTocOffset; // to ACTIVATION_CONTEXT_DATA_TOC_HEADER - ULONG ExtendedTocOffset; // to ACTIVATION_CONTEXT_DATA_EXTENDED_TOC_HEADER - ULONG AssemblyRosterOffset; // to ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_HEADER - ULONG Flags; // ACTIVATION_CONTEXT_FLAG_* - } ACTIVATION_CONTEXT_DATA, *PACTIVATION_CONTEXT_DATA; - -#define ACTIVATION_CONTEXT_DATA_TOC_HEADER_DENSE 0x00000001 -#define ACTIVATION_CONTEXT_DATA_TOC_HEADER_INORDER 0x00000002 - - typedef struct _ACTIVATION_CONTEXT_DATA_TOC_HEADER - { - ULONG HeaderSize; - ULONG EntryCount; - ULONG FirstEntryOffset; // to ACTIVATION_CONTEXT_DATA_TOC_ENTRY[], from ACTIVATION_CONTEXT_DATA base - ULONG Flags; // ACTIVATION_CONTEXT_DATA_TOC_HEADER_* - } ACTIVATION_CONTEXT_DATA_TOC_HEADER, *PACTIVATION_CONTEXT_DATA_TOC_HEADER; - - typedef struct _ACTIVATION_CONTEXT_DATA_TOC_ENTRY - { - ULONG Id; // ACTIVATION_CONTEXT_SECTION_* - ULONG Offset; // to ACTIVATION_CONTEXT_*_SECTION_HEADER, from ACTIVATION_CONTEXT_DATA base - ULONG Length; - ULONG Format; // ACTIVATION_CONTEXT_SECTION_FORMAT_* - } 
ACTIVATION_CONTEXT_DATA_TOC_ENTRY, *PACTIVATION_CONTEXT_DATA_TOC_ENTRY; - - typedef struct _ACTIVATION_CONTEXT_DATA_EXTENDED_TOC_HEADER - { - ULONG HeaderSize; - ULONG EntryCount; - ULONG FirstEntryOffset; // to ACTIVATION_CONTEXT_DATA_EXTENDED_TOC_ENTRY[], from ACTIVATION_CONTEXT_DATA base - ULONG Flags; - } ACTIVATION_CONTEXT_DATA_EXTENDED_TOC_HEADER, *PACTIVATION_CONTEXT_DATA_EXTENDED_TOC_HEADER; - - typedef struct _ACTIVATION_CONTEXT_DATA_EXTENDED_TOC_ENTRY - { - GUID ExtensionGuid; - ULONG TocOffset; // to ACTIVATION_CONTEXT_DATA_TOC_HEADER, from ACTIVATION_CONTEXT_DATA base - ULONG Length; - } ACTIVATION_CONTEXT_DATA_EXTENDED_TOC_ENTRY, *PACTIVATION_CONTEXT_DATA_EXTENDED_TOC_ENTRY; - -#define ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_ENTRY_INVALID 0x00000001 -#define ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_ENTRY_ROOT 0x00000002 - - typedef struct _ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_HEADER - { - ULONG HeaderSize; - ULONG HashAlgorithm; // HASH_STRING_ALGORITHM_* - ULONG EntryCount; - ULONG FirstEntryOffset; // to ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_ENTRY[], from ACTIVATION_CONTEXT_DATA base - ULONG AssemblyInformationSectionOffset; // to resolve section-relative offsets - } ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_HEADER, *PACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_HEADER; - - typedef struct _ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_ENTRY - { - ULONG Flags; - ULONG PseudoKey; - ULONG AssemblyNameOffset; // to WCHAR[], from ACTIVATION_CONTEXT_DATA base - ULONG AssemblyNameLength; - ULONG AssemblyInformationOffset; // to ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION, from ACTIVATION_CONTEXT_DATA base - ULONG AssemblyInformationLength; - } ACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_ENTRY, *PACTIVATION_CONTEXT_DATA_ASSEMBLY_ROSTER_ENTRY; - -#define ACTIVATION_CONTEXT_SECTION_FORMAT_UNKNOWN 0 -#define ACTIVATION_CONTEXT_SECTION_FORMAT_STRING_TABLE 1 // ACTIVATION_CONTEXT_STRING_SECTION_HEADER -#define ACTIVATION_CONTEXT_SECTION_FORMAT_GUID_TABLE 2 // 
ACTIVATION_CONTEXT_GUID_SECTION_HEADER - -#define ACTIVATION_CONTEXT_STRING_SECTION_MAGIC ('dHsS') -#define ACTIVATION_CONTEXT_STRING_SECTION_FORMAT_WHISTLER 1 - -#define ACTIVATION_CONTEXT_STRING_SECTION_CASE_INSENSITIVE 0x00000001 -#define ACTIVATION_CONTEXT_STRING_SECTION_ENTRIES_IN_PSEUDOKEY_ORDER 0x00000002 - - typedef struct _ACTIVATION_CONTEXT_STRING_SECTION_HEADER - { - ULONG Magic; - ULONG HeaderSize; - ULONG FormatVersion; - ULONG DataFormatVersion; - ULONG Flags; // ACTIVATION_CONTEXT_STRING_SECTION_* - ULONG ElementCount; - ULONG ElementListOffset; // to ACTIVATION_CONTEXT_STRING_SECTION_ENTRY[], from this struct base - ULONG HashAlgorithm; // HASH_STRING_ALGORITHM_* - ULONG SearchStructureOffset; // to ACTIVATION_CONTEXT_STRING_SECTION_HASH_TABLE, from this struct base - ULONG UserDataOffset; // to data depending on section Id, from this struct base - ULONG UserDataSize; - } ACTIVATION_CONTEXT_STRING_SECTION_HEADER, *PACTIVATION_CONTEXT_STRING_SECTION_HEADER; - - typedef struct _ACTIVATION_CONTEXT_STRING_SECTION_ENTRY - { - ULONG PseudoKey; - ULONG KeyOffset; // to WCHAR[], from section header - ULONG KeyLength; - ULONG Offset; // to data depending on section Id, from section header - ULONG Length; - ULONG AssemblyRosterIndex; - } ACTIVATION_CONTEXT_STRING_SECTION_ENTRY, *PACTIVATION_CONTEXT_STRING_SECTION_ENTRY; - - typedef struct _ACTIVATION_CONTEXT_STRING_SECTION_HASH_TABLE - { - ULONG BucketTableEntryCount; - ULONG BucketTableOffset; // to ACTIVATION_CONTEXT_STRING_SECTION_HASH_BUCKET[], from section header - } ACTIVATION_CONTEXT_STRING_SECTION_HASH_TABLE, *PACTIVATION_CONTEXT_STRING_SECTION_HASH_TABLE; - - typedef struct _ACTIVATION_CONTEXT_STRING_SECTION_HASH_BUCKET - { - ULONG ChainCount; - ULONG ChainOffset; // to LONG[], from section header - } ACTIVATION_CONTEXT_STRING_SECTION_HASH_BUCKET, *PACTIVATION_CONTEXT_STRING_SECTION_HASH_BUCKET; - -#define ACTIVATION_CONTEXT_GUID_SECTION_MAGIC ('dHsG') -#define 
ACTIVATION_CONTEXT_GUID_SECTION_FORMAT_WHISTLER 1 - -#define ACTIVATION_CONTEXT_GUID_SECTION_ENTRIES_IN_ORDER 0x00000001 - - typedef struct _ACTIVATION_CONTEXT_GUID_SECTION_HEADER - { - ULONG Magic; - ULONG HeaderSize; - ULONG FormatVersion; - ULONG DataFormatVersion; - ULONG Flags; // ACTIVATION_CONTEXT_GUID_SECTION_* - ULONG ElementCount; - ULONG ElementListOffset; // to ACTIVATION_CONTEXT_GUID_SECTION_ENTRY[], from this struct base - ULONG SearchStructureOffset; // to ACTIVATION_CONTEXT_GUID_SECTION_HASH_TABLE, from this struct base - ULONG UserDataOffset; // to data depending on section Id, from this struct base - ULONG UserDataSize; - } ACTIVATION_CONTEXT_GUID_SECTION_HEADER, *PACTIVATION_CONTEXT_GUID_SECTION_HEADER; - - typedef struct _ACTIVATION_CONTEXT_GUID_SECTION_ENTRY - { - GUID Guid; - ULONG Offset; // to data depending on section Id, from section header - ULONG Length; - ULONG AssemblyRosterIndex; - } ACTIVATION_CONTEXT_GUID_SECTION_ENTRY, *PACTIVATION_CONTEXT_GUID_SECTION_ENTRY; - - typedef struct _ACTIVATION_CONTEXT_GUID_SECTION_HASH_TABLE - { - ULONG BucketTableEntryCount; - ULONG BucketTableOffset; // to ACTIVATION_CONTEXT_GUID_SECTION_HASH_BUCKET, from section header - } ACTIVATION_CONTEXT_GUID_SECTION_HASH_TABLE, *PACTIVATION_CONTEXT_GUID_SECTION_HASH_TABLE; - - typedef struct _ACTIVATION_CONTEXT_GUID_SECTION_HASH_BUCKET - { - ULONG ChainCount; - ULONG ChainOffset; // to LONG[], from section header - } ACTIVATION_CONTEXT_GUID_SECTION_HASH_BUCKET, *PACTIVATION_CONTEXT_GUID_SECTION_HASH_BUCKET; - - // winnt.h - known section IDs - // #define ACTIVATION_CONTEXT_SECTION_ASSEMBLY_INFORMATION (1) // ACTIVATION_CONTEXT_SECTION_ASSEMBLY_INFORMATION + ACTIVATION_CONTEXT_DATA_ASSEMBLY_GLOBAL_INFORMATION - // #define ACTIVATION_CONTEXT_SECTION_DLL_REDIRECTION (2) // ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION - // #define ACTIVATION_CONTEXT_SECTION_WINDOW_CLASS_REDIRECTION (3) // ACTIVATION_CONTEXT_DATA_WINDOW_CLASS_REDIRECTION - // #define 
ACTIVATION_CONTEXT_SECTION_COM_SERVER_REDIRECTION (4) // ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION - // #define ACTIVATION_CONTEXT_SECTION_COM_INTERFACE_REDIRECTION (5) // ACTIVATION_CONTEXT_DATA_COM_INTERFACE_REDIRECTION - // #define ACTIVATION_CONTEXT_SECTION_COM_TYPE_LIBRARY_REDIRECTION (6) // ACTIVATION_CONTEXT_DATA_COM_TYPE_LIBRARY_REDIRECTION - // #define ACTIVATION_CONTEXT_SECTION_COM_PROGID_REDIRECTION (7) // ACTIVATION_CONTEXT_DATA_COM_PROGID_REDIRECTION - // #define ACTIVATION_CONTEXT_SECTION_GLOBAL_OBJECT_RENAME_TABLE (8) - // #define ACTIVATION_CONTEXT_SECTION_CLR_SURROGATES (9) // ACTIVATION_CONTEXT_DATA_CLR_SURROGATE - // #define ACTIVATION_CONTEXT_SECTION_APPLICATION_SETTINGS (10) // ACTIVATION_CONTEXT_DATA_APPLICATION_SETTINGS - // #define ACTIVATION_CONTEXT_SECTION_COMPATIBILITY_INFO (11) // ACTIVATION_CONTEXT_COMPATIBILITY_INFORMATION[_LEGACY] - // #define ACTIVATION_CONTEXT_SECTION_WINRT_ACTIVATABLE_CLASSES (12) // since 19H1 - -#define ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION_FORMAT_WHISTLER 1 - -#define ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION_ROOT_ASSEMBLY 0x00000001 -#define ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION_POLICY_APPLIED 0x00000002 -#define ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION_ASSEMBLY_POLICY_APPLIED 0x00000004 -#define ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION_ROOT_POLICY_APPLIED 0x00000008 -#define ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION_PRIVATE_ASSEMBLY 0x00000010 - - typedef struct _ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION - { - ULONG Size; - ULONG Flags; // ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION_* - ULONG EncodedAssemblyIdentityLength; - ULONG EncodedAssemblyIdentityOffset; // to WCHAR[], from section header - ULONG ManifestPathType; // ACTIVATION_CONTEXT_PATH_TYPE_* - ULONG ManifestPathLength; - ULONG ManifestPathOffset; // to WCHAR[], from section header - LARGE_INTEGER ManifestLastWriteTime; - ULONG PolicyPathType; // ACTIVATION_CONTEXT_PATH_TYPE_* - ULONG PolicyPathLength; - ULONG 
PolicyPathOffset; // to WCHAR[], from section header - LARGE_INTEGER PolicyLastWriteTime; - ULONG MetadataSatelliteRosterIndex; - ULONG Unused2; - ULONG ManifestVersionMajor; - ULONG ManifestVersionMinor; - ULONG PolicyVersionMajor; - ULONG PolicyVersionMinor; - ULONG AssemblyDirectoryNameLength; - ULONG AssemblyDirectoryNameOffset; // to WCHAR[], from section header - ULONG NumOfFilesInAssembly; - ULONG LanguageLength; - ULONG LanguageOffset; // to WCHAR[], from section header - ACTCTX_REQUESTED_RUN_LEVEL RunLevel; - ULONG UiAccess; - } ACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION, *PACTIVATION_CONTEXT_DATA_ASSEMBLY_INFORMATION; - - // via UserData - typedef struct _ACTIVATION_CONTEXT_DATA_ASSEMBLY_GLOBAL_INFORMATION - { - ULONG Size; - ULONG Flags; - GUID PolicyCoherencyGuid; - GUID PolicyOverrideGuid; - ULONG ApplicationDirectoryPathType; // ACTIVATION_CONTEXT_PATH_TYPE_* - ULONG ApplicationDirectoryLength; - ULONG ApplicationDirectoryOffset; // to WCHAR[], from this struct base - ULONG ResourceName; - } ACTIVATION_CONTEXT_DATA_ASSEMBLY_GLOBAL_INFORMATION, *PACTIVATION_CONTEXT_DATA_ASSEMBLY_GLOBAL_INFORMATION; - -#define ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_FORMAT_WHISTLER 1 - -#define ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_INCLUDES_BASE_NAME 0x00000001 -#define ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_OMITS_ASSEMBLY_ROOT 0x00000002 -#define ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_EXPAND 0x00000004 -#define ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_SYSTEM_DEFAULT_REDIRECTED_SYSTEM32_DLL 0x00000008 - - typedef struct _ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION - { - ULONG Size; - ULONG Flags; // ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_* - ULONG TotalPathLength; - ULONG PathSegmentCount; - ULONG PathSegmentOffset; // to ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_SEGMENT[], from section header - } ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION, *PACTIVATION_CONTEXT_DATA_DLL_REDIRECTION; - - typedef struct 
_ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_SEGMENT - { - ULONG Length; - ULONG Offset; // to WCHAR[], from section header - } ACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_SEGMENT, *PACTIVATION_CONTEXT_DATA_DLL_REDIRECTION_PATH_SEGMENT; - -#define ACTIVATION_CONTEXT_DATA_WINDOW_CLASS_REDIRECTION_FORMAT_WHISTLER 1 - - typedef struct _ACTIVATION_CONTEXT_DATA_WINDOW_CLASS_REDIRECTION - { - ULONG Size; - ULONG Flags; - ULONG VersionSpecificClassNameLength; - ULONG VersionSpecificClassNameOffset; // to WHCAR[], from this struct base - ULONG DllNameLength; - ULONG DllNameOffset; // to WCHAR[], from section header - } ACTIVATION_CONTEXT_DATA_WINDOW_CLASS_REDIRECTION, *PACTIVATION_CONTEXT_DATA_WINDOW_CLASS_REDIRECTION; - -#define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_FORMAT_WHISTLER 1 - -#define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_THREADING_MODEL_INVALID 0 -#define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_THREADING_MODEL_APARTMENT 1 -#define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_THREADING_MODEL_FREE 2 -#define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_THREADING_MODEL_SINGLE 3 -#define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_THREADING_MODEL_BOTH 4 -#define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_THREADING_MODEL_NEUTRAL 5 - -#define ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_FLAG_OFFSET 8 -#define ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_HAS_DEFAULT (0x01 << ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_FLAG_OFFSET) -#define ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_HAS_ICON (0x02 << ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_FLAG_OFFSET) -#define ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_HAS_CONTENT (0x04 << ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_FLAG_OFFSET) -#define ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_HAS_THUMBNAIL (0x08 << ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_FLAG_OFFSET) -#define ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_HAS_DOCPRINT (0x10 << 
ACTIVATION_CONTEXT_DATA_COM_SERVER_MISCSTATUS_FLAG_OFFSET) - - typedef struct _ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION - { - ULONG Size; - ULONG Flags; - ULONG ThreadingModel; // ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_THREADING_MODEL_* - GUID ReferenceClsid; - GUID ConfiguredClsid; - GUID ImplementedClsid; - GUID TypeLibraryId; - ULONG ModuleLength; - ULONG ModuleOffset; // to WCHAR[], from section header - ULONG ProgIdLength; - ULONG ProgIdOffset; // to WCHAR[], from this struct base - ULONG ShimDataLength; - ULONG ShimDataOffset; // to ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_SHIM, from this struct base - ULONG MiscStatusDefault; - ULONG MiscStatusContent; - ULONG MiscStatusThumbnail; - ULONG MiscStatusIcon; - ULONG MiscStatusDocPrint; - } ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION, *PACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION; - -#define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_SHIM_TYPE_OTHER 1 -#define ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_SHIM_TYPE_CLR_CLASS 2 - - typedef struct _ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_SHIM - { - ULONG Size; - ULONG Flags; - ULONG Type; // ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_SHIM_TYPE_* - ULONG ModuleLength; - ULONG ModuleOffset; // to WCHAR[], from section header - ULONG TypeLength; - ULONG TypeOffset; // to WCHAR[], from this struct base - ULONG ShimVersionLength; - ULONG ShimVersionOffset; // to WCHAR[], from this struct base - ULONG DataLength; - ULONG DataOffset; // from this struct base - } ACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_SHIM, *PACTIVATION_CONTEXT_DATA_COM_SERVER_REDIRECTION_SHIM; - -#define ACTIVATION_CONTEXT_DATA_COM_INTERFACE_REDIRECTION_FORMAT_WHISTLER 1 - -#define ACTIVATION_CONTEXT_DATA_COM_INTERFACE_REDIRECTION_FLAG_NUM_METHODS_VALID 0x00000001 -#define ACTIVATION_CONTEXT_DATA_COM_INTERFACE_REDIRECTION_FLAG_BASE_INTERFACE_VALID 0x00000002 - - typedef struct _ACTIVATION_CONTEXT_DATA_COM_INTERFACE_REDIRECTION - { - ULONG Size; - ULONG 
Flags; // ACTIVATION_CONTEXT_DATA_COM_INTERFACE_REDIRECTION_FLAG_* - GUID ProxyStubClsid32; - ULONG NumMethods; - GUID TypeLibraryId; - GUID BaseInterface; - ULONG NameLength; - ULONG NameOffset; // to WCHAR[], from this struct base - } ACTIVATION_CONTEXT_DATA_COM_INTERFACE_REDIRECTION, *PACTIVATION_CONTEXT_DATA_COM_INTERFACE_REDIRECTION; - -#define ACTIVATION_CONTEXT_DATA_COM_TYPE_LIBRARY_REDIRECTION_FORMAT_WHISTLER 1 - - typedef struct _ACTIVATION_CONTEXT_DATA_TYPE_LIBRARY_VERSION - { - USHORT Major; - USHORT Minor; - } ACTIVATION_CONTEXT_DATA_TYPE_LIBRARY_VERSION, *PACTIVATION_CONTEXT_DATA_TYPE_LIBRARY_VERSION; - - typedef struct _ACTIVATION_CONTEXT_DATA_COM_TYPE_LIBRARY_REDIRECTION - { - ULONG Size; - ULONG Flags; - ULONG NameLength; - ULONG NameOffset; // to WCHAR[], from section header - USHORT ResourceId; - USHORT LibraryFlags; // LIBFLAG_* oaidl.h - ULONG HelpDirLength; - ULONG HelpDirOffset; // to WCHAR[], from this struct base - ACTIVATION_CONTEXT_DATA_TYPE_LIBRARY_VERSION Version; - } ACTIVATION_CONTEXT_DATA_COM_TYPE_LIBRARY_REDIRECTION, *PACTIVATION_CONTEXT_DATA_COM_TYPE_LIBRARY_REDIRECTION; - -#define ACTIVATION_CONTEXT_DATA_COM_PROGID_REDIRECTION_FORMAT_WHISTLER 1 - - typedef struct _ACTIVATION_CONTEXT_DATA_COM_PROGID_REDIRECTION - { - ULONG Size; - ULONG Flags; - ULONG ConfiguredClsidOffset; // to CLSID, from section header - } ACTIVATION_CONTEXT_DATA_COM_PROGID_REDIRECTION, *PACTIVATION_CONTEXT_DATA_COM_PROGID_REDIRECTION; - -#define ACTIVATION_CONTEXT_DATA_CLR_SURROGATE_FORMAT_WHISTLER 1 - - typedef struct _ACTIVATION_CONTEXT_DATA_CLR_SURROGATE - { - ULONG Size; - ULONG Flags; - GUID SurrogateIdent; - ULONG VersionOffset; - ULONG VersionLength; - ULONG TypeNameOffset; - ULONG TypeNameLength; // to WCHAR[], from this struct base - } ACTIVATION_CONTEXT_DATA_CLR_SURROGATE, *PACTIVATION_CONTEXT_DATA_CLR_SURROGATE; - -#define ACTIVATION_CONTEXT_DATA_APPLICATION_SETTINGS_FORMAT_LONGHORN 1 - -#define SXS_WINDOWS_SETTINGS_NAMESPACE 
L"http://schemas.microsoft.com/SMI/2005/WindowsSettings" -#define SXS_WINDOWS_SETTINGS_2011_NAMESPACE L"http://schemas.microsoft.com/SMI/2011/WindowsSettings" -#define SXS_WINDOWS_SETTINGS_2013_NAMESPACE L"http://schemas.microsoft.com/SMI/2013/WindowsSettings" -#define SXS_WINDOWS_SETTINGS_2014_NAMESPACE L"http://schemas.microsoft.com/SMI/2014/WindowsSettings" -#define SXS_WINDOWS_SETTINGS_2016_NAMESPACE L"http://schemas.microsoft.com/SMI/2016/WindowsSettings" -#define SXS_WINDOWS_SETTINGS_2017_NAMESPACE L"http://schemas.microsoft.com/SMI/2017/WindowsSettings" -#define SXS_WINDOWS_SETTINGS_2019_NAMESPACE L"http://schemas.microsoft.com/SMI/2019/WindowsSettings" -#define SXS_WINDOWS_SETTINGS_2020_NAMESPACE L"http://schemas.microsoft.com/SMI/2020/WindowsSettings" - - typedef struct _ACTIVATION_CONTEXT_DATA_APPLICATION_SETTINGS - { - ULONG Size; - ULONG Flags; - ULONG SettingNamespaceLength; - ULONG SettingNamespaceOffset; // to WCHAR[], from this struct base - ULONG SettingNameLength; - ULONG SettingNameOffset; // to WCHAR[], from this struct base - ULONG SettingValueLength; - ULONG SettingValueOffset; // to WCHAR[], from this struct base - } ACTIVATION_CONTEXT_DATA_APPLICATION_SETTINGS, *PACTIVATION_CONTEXT_DATA_APPLICATION_SETTINGS; - - // COMPATIBILITY_CONTEXT_ELEMENT from winnt.h before 19H1 - typedef struct _COMPATIBILITY_CONTEXT_ELEMENT_LEGACY - { - GUID Id; - ACTCTX_COMPATIBILITY_ELEMENT_TYPE Type; - } COMPATIBILITY_CONTEXT_ELEMENT_LEGACY, *PCOMPATIBILITY_CONTEXT_ELEMENT_LEGACY; - - // ACTIVATION_CONTEXT_COMPATIBILITY_INFORMATION from winnt.h before 19H1 - typedef struct _ACTIVATION_CONTEXT_COMPATIBILITY_INFORMATION_LEGACY - { - ULONG ElementCount; - COMPATIBILITY_CONTEXT_ELEMENT_LEGACY Elements[ANYSIZE_ARRAY]; - } ACTIVATION_CONTEXT_COMPATIBILITY_INFORMATION_LEGACY, *PACTIVATION_CONTEXT_COMPATIBILITY_INFORMATION_LEGACY; - -#include - - // begin_private - - typedef struct _ASSEMBLY_STORAGE_MAP_ENTRY - { - ULONG Flags; - UNICODE_STRING DosPath; - HANDLE Handle; 
- } ASSEMBLY_STORAGE_MAP_ENTRY, *PASSEMBLY_STORAGE_MAP_ENTRY; - -#define ASSEMBLY_STORAGE_MAP_ASSEMBLY_ARRAY_IS_HEAP_ALLOCATED 0x00000001 - - typedef struct _ASSEMBLY_STORAGE_MAP - { - ULONG Flags; - ULONG AssemblyCount; - PASSEMBLY_STORAGE_MAP_ENTRY *AssemblyArray; - } ASSEMBLY_STORAGE_MAP, *PASSEMBLY_STORAGE_MAP; - - typedef struct _ACTIVATION_CONTEXT *PACTIVATION_CONTEXT; - -#define ACTIVATION_CONTEXT_NOTIFICATION_DESTROY 1 -#define ACTIVATION_CONTEXT_NOTIFICATION_ZOMBIFY 2 -#define ACTIVATION_CONTEXT_NOTIFICATION_USED 3 - - typedef VOID(NTAPI *PACTIVATION_CONTEXT_NOTIFY_ROUTINE)( - _In_ ULONG NotificationType, // ACTIVATION_CONTEXT_NOTIFICATION_* - _In_ PACTIVATION_CONTEXT ActivationContext, - _In_ PACTIVATION_CONTEXT_DATA ActivationContextData, - _In_opt_ PVOID NotificationContext, - _In_opt_ PVOID NotificationData, - _Inout_ PBOOLEAN DisableThisNotification); - - typedef struct _ACTIVATION_CONTEXT - { - LONG RefCount; - ULONG Flags; - PACTIVATION_CONTEXT_DATA ActivationContextData; - PACTIVATION_CONTEXT_NOTIFY_ROUTINE NotificationRoutine; - PVOID NotificationContext; - ULONG SentNotifications[8]; - ULONG DisabledNotifications[8]; - ASSEMBLY_STORAGE_MAP StorageMap; - PASSEMBLY_STORAGE_MAP_ENTRY InlineStorageMapEntries[32]; - } ACTIVATION_CONTEXT, *PACTIVATION_CONTEXT; - -#define RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_RELEASE_ON_DEACTIVATION 0x00000001 -#define RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_NO_DEACTIVATE 0x00000002 -#define RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_ON_FREE_LIST 0x00000004 -#define RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_HEAP_ALLOCATED 0x00000008 -#define RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_NOT_REALLY_ACTIVATED 0x00000010 - - typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME - { - struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME *Previous; - PACTIVATION_CONTEXT ActivationContext; - ULONG Flags; // RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_* - } RTL_ACTIVATION_CONTEXT_STACK_FRAME, *PRTL_ACTIVATION_CONTEXT_STACK_FRAME; - -#define 
ACTIVATION_CONTEXT_STACK_FLAG_QUERIES_DISABLED 0x00000001 - - typedef struct _ACTIVATION_CONTEXT_STACK - { - PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame; - LIST_ENTRY FrameListCache; - ULONG Flags; // ACTIVATION_CONTEXT_STACK_FLAG_* - ULONG NextCookieSequenceNumber; - ULONG StackId; - } ACTIVATION_CONTEXT_STACK, *PACTIVATION_CONTEXT_STACK; - - // end_private - -#endif - - typedef struct _RTL_USER_PROCESS_PARAMETERS *PRTL_USER_PROCESS_PARAMETERS; - typedef struct _RTL_CRITICAL_SECTION *PRTL_CRITICAL_SECTION; - typedef struct _SILO_USER_SHARED_DATA *PSILO_USER_SHARED_DATA; - typedef struct _LEAP_SECOND_DATA *PLEAP_SECOND_DATA; - typedef struct _PEB_LDR_DATA PEB_LDR_DATA, *PPEB_LDR_DATA; - -// PEB->AppCompatFlags -#define KACF_OLDGETSHORTPATHNAME 0x00000001 -#define KACF_VERSIONLIE_NOT_USED 0x00000002 -#define KACF_GETTEMPPATH_NOT_USED 0x00000004 -#define KACF_GETDISKFREESPACE 0x00000008 -#define KACF_FTMFROMCURRENTAPT 0x00000020 -#define KACF_DISALLOWORBINDINGCHANGES 0x00000040 -#define KACF_OLE32VALIDATEPTRS 0x00000080 -#define KACF_DISABLECICERO 0x00000100 -#define KACF_OLE32ENABLEASYNCDOCFILE 0x00000200 -#define KACF_OLE32ENABLELEGACYEXCEPTIONHANDLING 0x00000400 -#define KACF_RPCDISABLENDRCLIENTHARDENING 0x00000800 -#define KACF_RPCDISABLENDRMAYBENULL_SIZEIS 0x00001000 -#define KACF_DISABLEALLDDEHACK_NOT_USED 0x00002000 -#define KACF_RPCDISABLENDR61_RANGE 0x00004000 -#define KACF_RPC32ENABLELEGACYEXCEPTIONHANDLING 0x00008000 -#define KACF_OLE32DOCFILEUSELEGACYNTFSFLAGS 0x00010000 -#define KACF_RPCDISABLENDRCONSTIIDCHECK 0x00020000 -#define KACF_USERDISABLEFORWARDERPATCH 0x00040000 -#define KACF_OLE32DISABLENEW_WMPAINT_DISPATCH 0x00100000 -#define KACF_ADDRESTRICTEDSIDINCOINITIALIZESECURITY 0x00200000 -#define KACF_ALLOCDEBUGINFOFORCRITSECTIONS 0x00400000 -#define KACF_OLEAUT32ENABLEUNSAFELOADTYPELIBRELATIVE 0x00800000 -#define KACF_ALLOWMAXIMIZEDWINDOWGAMMA 0x01000000 -#define KACF_DONOTADDTOCACHE 0x80000000 - - // PEB->ApiSetMap - typedef struct 
_API_SET_NAMESPACE - { - ULONG Version; - ULONG Size; - ULONG Flags; - ULONG Count; - ULONG EntryOffset; - ULONG HashOffset; - ULONG HashFactor; - } API_SET_NAMESPACE, *PAPI_SET_NAMESPACE; - - // private - typedef struct _API_SET_HASH_ENTRY - { - ULONG Hash; - ULONG Index; - } API_SET_HASH_ENTRY, *PAPI_SET_HASH_ENTRY; - - // private - typedef struct _API_SET_NAMESPACE_ENTRY - { - ULONG Flags; - ULONG NameOffset; - ULONG NameLength; - ULONG HashedLength; - ULONG ValueOffset; - ULONG ValueCount; - } API_SET_NAMESPACE_ENTRY, *PAPI_SET_NAMESPACE_ENTRY; - - // private - typedef struct _API_SET_VALUE_ENTRY - { - ULONG Flags; - ULONG NameOffset; - ULONG NameLength; - ULONG ValueOffset; - ULONG ValueLength; - } API_SET_VALUE_ENTRY, *PAPI_SET_VALUE_ENTRY; - - // PEB->TelemetryCoverageHeader - typedef struct _TELEMETRY_COVERAGE_HEADER - { - UCHAR MajorVersion; - UCHAR MinorVersion; - struct - { - USHORT TracingEnabled : 1; - USHORT Reserved1 : 15; - }; - ULONG HashTableEntries; - ULONG HashIndexMask; - ULONG TableUpdateVersion; - ULONG TableSizeInBytes; - ULONG LastResetTick; - ULONG ResetRound; - ULONG Reserved2; - ULONG RecordedCount; - ULONG Reserved3[4]; - ULONG HashTable[ANYSIZE_ARRAY]; - } TELEMETRY_COVERAGE_HEADER, *PTELEMETRY_COVERAGE_HEADER; - - typedef struct _WER_RECOVERY_INFO - { - ULONG Length; - PVOID Callback; - PVOID Parameter; - HANDLE Started; - HANDLE Finished; - HANDLE InProgress; - LONG LastError; - BOOL Successful; - ULONG PingInterval; - ULONG Flags; - } WER_RECOVERY_INFO, *PWER_RECOVERY_INFO; - - typedef struct _WER_FILE - { - USHORT Flags; - WCHAR Path[MAX_PATH]; - } WER_FILE, *PWER_FILE; - - typedef struct _WER_MEMORY - { - PVOID Address; - ULONG Size; - } WER_MEMORY, *PWER_MEMORY; - - typedef struct _WER_GATHER - { - PVOID Next; - USHORT Flags; - union - { - WER_FILE File; - WER_MEMORY Memory; - } v; - } WER_GATHER, *PWER_GATHER; - - typedef struct _WER_METADATA - { - PVOID Next; - WCHAR Key[64]; - WCHAR Value[128]; - } WER_METADATA, 
*PWER_METADATA; - - typedef struct _WER_RUNTIME_DLL - { - PVOID Next; - ULONG Length; - PVOID Context; - WCHAR CallbackDllPath[MAX_PATH]; - } WER_RUNTIME_DLL, *PWER_RUNTIME_DLL; - - typedef struct _WER_DUMP_COLLECTION - { - PVOID Next; - ULONG ProcessId; - ULONG ThreadId; - } WER_DUMP_COLLECTION, *PWER_DUMP_COLLECTION; - - typedef struct _WER_HEAP_MAIN_HEADER - { - WCHAR Signature[16]; - LIST_ENTRY Links; - HANDLE Mutex; - PVOID FreeHeap; - ULONG FreeCount; - } WER_HEAP_MAIN_HEADER, *PWER_HEAP_MAIN_HEADER; - -#ifndef RESTART_MAX_CMD_LINE -#define RESTART_MAX_CMD_LINE 1024 -#endif - - typedef struct _WER_PEB_HEADER_BLOCK - { - LONG Length; - WCHAR Signature[16]; - WCHAR AppDataRelativePath[64]; - WCHAR RestartCommandLine[RESTART_MAX_CMD_LINE]; - WER_RECOVERY_INFO RecoveryInfo; - PWER_GATHER Gather; - PWER_METADATA MetaData; - PWER_RUNTIME_DLL RuntimeDll; - PWER_DUMP_COLLECTION DumpCollection; - LONG GatherCount; - LONG MetaDataCount; - LONG DumpCount; - LONG Flags; - WER_HEAP_MAIN_HEADER MainHeader; - PVOID Reserved; - } WER_PEB_HEADER_BLOCK, *PWER_PEB_HEADER_BLOCK; - -#define GDI_HANDLE_BUFFER_SIZE32 34 -#define GDI_HANDLE_BUFFER_SIZE64 60 - -#ifndef _WIN64 -#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32 -#else -#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE64 -#endif - - typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE]; - - typedef ULONG GDI_HANDLE_BUFFER32[GDI_HANDLE_BUFFER_SIZE32]; - typedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64]; - - typedef VOID(NTAPI *PPS_POST_PROCESS_INIT_ROUTINE)( - VOID); - -#ifndef FLS_MAXIMUM_AVAILABLE -#define FLS_MAXIMUM_AVAILABLE 128 -#endif -#ifndef TLS_MINIMUM_AVAILABLE -#define TLS_MINIMUM_AVAILABLE 64 -#endif -#ifndef TLS_EXPANSION_SLOTS -#define TLS_EXPANSION_SLOTS 1024 -#endif - - /** - * Process Environment Block (PEB) structure. 
- * - * \remarks https://learn.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb - */ - typedef struct _PEB - { - // - // The process was cloned with an inherited address space. - // - BOOLEAN InheritedAddressSpace; - - // - // The process has image file execution options (IFEO). - // - BOOLEAN ReadImageFileExecOptions; - - // - // The process has a debugger attached. - // - BOOLEAN BeingDebugged; - - union - { - BOOLEAN BitField; - struct - { - BOOLEAN ImageUsesLargePages : 1; // The process uses large image regions (4 MB). - BOOLEAN IsProtectedProcess : 1; // The process is a protected process. - BOOLEAN IsImageDynamicallyRelocated : 1; // The process image base address was relocated. - BOOLEAN SkipPatchingUser32Forwarders : 1; // The process skipped forwarders for User32.dll functions. 1 for 64-bit, 0 for 32-bit. - BOOLEAN IsPackagedProcess : 1; // The process is a packaged store process (APPX/MSIX). - BOOLEAN IsAppContainer : 1; // The process has an AppContainer token. - BOOLEAN IsProtectedProcessLight : 1; // The process is a protected process (light). - BOOLEAN IsLongPathAwareProcess : 1; // The process is long path aware. - }; - }; - - // - // Handle to a mutex for synchronization. - // - HANDLE Mutant; - - // - // Pointer to the base address of the process image. - // - PVOID ImageBaseAddress; - - // - // Pointer to the process loader data. - // - PPEB_LDR_DATA Ldr; - - // - // Pointer to the process parameters. - // - PRTL_USER_PROCESS_PARAMETERS ProcessParameters; - - // - // Reserved. - // - PVOID SubSystemData; - - // - // Pointer to the process default heap. - // - PVOID ProcessHeap; - - // - // Pointer to a critical section used to synchronize access to the PEB. - // - PRTL_CRITICAL_SECTION FastPebLock; - - // - // Pointer to a singly linked list used by ATL. - // - PSLIST_HEADER AtlThunkSListPtr; - - // - // Pointer to the Image File Execution Options key. - // - PVOID IFEOKey; - - // - // Cross process flags. 
- // - union - { - ULONG CrossProcessFlags; - struct - { - ULONG ProcessInJob : 1; // The process is part of a job. - ULONG ProcessInitializing : 1; // The process is initializing. - ULONG ProcessUsingVEH : 1; // The process is using VEH. - ULONG ProcessUsingVCH : 1; // The process is using VCH. - ULONG ProcessUsingFTH : 1; // The process is using FTH. - ULONG ProcessPreviouslyThrottled : 1; // The process was previously throttled. - ULONG ProcessCurrentlyThrottled : 1; // The process is currently throttled. - ULONG ProcessImagesHotPatched : 1; // The process images are hot patched. // RS5 - ULONG ReservedBits0 : 24; - }; - }; - - // - // User32 KERNEL_CALLBACK_TABLE (ntuser.h) - // - union - { - PVOID KernelCallbackTable; - PVOID UserSharedInfoPtr; - }; - - // - // Reserved. - // - ULONG SystemReserved; - - // - // Pointer to the Active Template Library (ATL) singly linked list (32-bit) - // - ULONG AtlThunkSListPtr32; - - // - // Pointer to the API Set Schema. - // - PAPI_SET_NAMESPACE ApiSetMap; - - // - // Counter for TLS expansion. - // - ULONG TlsExpansionCounter; - - // - // Pointer to the TLS bitmap. - // - PRTL_BITMAP TlsBitmap; - - // - // Bits for the TLS bitmap. - // - ULONG TlsBitmapBits[2]; - - // - // Reserved for CSRSS. - // - PVOID ReadOnlySharedMemoryBase; - - // - // Pointer to the USER_SHARED_DATA for the current SILO. - // - PSILO_USER_SHARED_DATA SharedData; - - // - // Reserved for CSRSS. - // - PVOID *ReadOnlyStaticServerData; - - // - // Pointer to the ANSI code page data. (PCPTABLEINFO) - // - PVOID AnsiCodePageData; - - // - // Pointer to the OEM code page data. (PCPTABLEINFO) - // - PVOID OemCodePageData; - - // - // Pointer to the Unicode case table data. (PNLSTABLEINFO) - // - PVOID UnicodeCaseTableData; - - // - // The total number of system processors. - // - ULONG NumberOfProcessors; - - // - // Global flags for the system. - // - ULONG NtGlobalFlag; - - // - // Timeout for critical sections. 
- // - LARGE_INTEGER CriticalSectionTimeout; - - // - // Reserved size for heap segments. - // - SIZE_T HeapSegmentReserve; - - // - // Committed size for heap segments. - // - SIZE_T HeapSegmentCommit; - - // - // Threshold for decommitting total free heap. - // - SIZE_T HeapDeCommitTotalFreeThreshold; - - // - // Threshold for decommitting free heap blocks. - // - SIZE_T HeapDeCommitFreeBlockThreshold; - - // - // Number of process heaps. - // - ULONG NumberOfHeaps; - - // - // Maximum number of process heaps. - // - ULONG MaximumNumberOfHeaps; - - // - // Pointer to an array of process heaps. ProcessHeaps is initialized - // to point to the first free byte after the PEB and MaximumNumberOfHeaps - // is computed from the page size used to hold the PEB, less the fixed - // size of this data structure. - // - PVOID *ProcessHeaps; - - // - // Pointer to the system GDI shared handle table. - // - PVOID GdiSharedHandleTable; - - // - // Pointer to the process starter helper. - // - PVOID ProcessStarterHelper; - - // - // The maximum number of GDI function calls during batch operations (GdiSetBatchLimit) - // - ULONG GdiDCAttributeList; - - // - // Pointer to the loader lock critical section. - // - PRTL_CRITICAL_SECTION LoaderLock; - - // - // Major version of the operating system. - // - ULONG OSMajorVersion; - - // - // Minor version of the operating system. - // - ULONG OSMinorVersion; - - // - // Build number of the operating system. - // - USHORT OSBuildNumber; - - // - // CSD version of the operating system. - // - USHORT OSCSDVersion; - - // - // Platform ID of the operating system. - // - ULONG OSPlatformId; - - // - // Subsystem version of the current process image (PE Headers). - // - ULONG ImageSubsystem; - - // - // Major version of the current process image subsystem (PE Headers). - // - ULONG ImageSubsystemMajorVersion; - - // - // Minor version of the current process image subsystem (PE Headers). 
- // - ULONG ImageSubsystemMinorVersion; - - // - // Affinity mask for the current process. - // - KAFFINITY ActiveProcessAffinityMask; - - // - // Temporary buffer for GDI handles accumulated in the current batch. - // - GDI_HANDLE_BUFFER GdiHandleBuffer; - - // - // Pointer to the post-process initialization routine available for use by the application. - // - PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine; - - // - // Pointer to the TLS expansion bitmap. - // - PRTL_BITMAP TlsExpansionBitmap; - - // - // Bits for the TLS expansion bitmap. TLS_EXPANSION_SLOTS - // - ULONG TlsExpansionBitmapBits[32]; - - // - // Session ID of the current process. - // - ULONG SessionId; - - // - // Application compatibility flags. KACF_* - // - ULARGE_INTEGER AppCompatFlags; - - // - // Application compatibility flags. KACF_* - // - ULARGE_INTEGER AppCompatFlagsUser; - - // - // Pointer to the Application SwitchBack Compatibility Engine. - // - PVOID pShimData; - - // - // Pointer to the Application Compatibility Engine. // APPCOMPAT_EXE_DATA - // - PVOID AppCompatInfo; - - // - // CSD version string of the operating system. - // - UNICODE_STRING CSDVersion; - - // - // Pointer to the process activation context. - // - PACTIVATION_CONTEXT_DATA ActivationContextData; - - // - // Pointer to the process assembly storage map. - // - PASSEMBLY_STORAGE_MAP ProcessAssemblyStorageMap; - - // - // Pointer to the system default activation context. - // - PACTIVATION_CONTEXT_DATA SystemDefaultActivationContextData; - - // - // Pointer to the system assembly storage map. - // - PASSEMBLY_STORAGE_MAP SystemAssemblyStorageMap; - - // - // Minimum stack commit size. - // - SIZE_T MinimumStackCommit; - - // - // since 19H1 (previously FlsCallback to FlsHighIndex) - // - PVOID SparePointers[2]; - - // - // Pointer to the patch loader data. - // - PVOID PatchLoaderData; - - // - // Pointer to the CHPE V2 process information. 
CHPEV2_PROCESS_INFO - // - PVOID ChpeV2ProcessInfo; - - // - // Packaged process feature state. - // - union - { - ULONG AppModelFeatureState; - struct - { - ULONG ForegroundBoostProcesses : 1; - ULONG AppModelFeatureStateReserved : 31; - }; - }; - - // - // SpareUlongs - // - ULONG SpareUlongs[2]; - - // - // Active code page. - // - USHORT ActiveCodePage; - - // - // OEM code page. - // - USHORT OemCodePage; - - // - // Code page case mapping. - // - USHORT UseCaseMapping; - - // - // Unused NLS field. - // - USHORT UnusedNlsField; - - // - // Pointer to the application WER registration data. - // - PWER_PEB_HEADER_BLOCK WerRegistrationData; - - // - // Pointer to the application WER assert pointer. - // - PVOID WerShipAssertPtr; - - // - // Pointer to the EC bitmap on ARM64. (Windows 11 and above) - // - union - { - PVOID pContextData; // Pointer to the switchback compatibility engine (Windows 7 and below) - PVOID EcCodeBitMap; // Pointer to the EC bitmap on ARM64 (Windows 11 and above) // since WIN11 - }; - - // - // Reserved. - // - PVOID pImageHeaderHash; - - // - // ETW tracing flags. - // - union - { - ULONG TracingFlags; - struct - { - ULONG HeapTracingEnabled : 1; // ETW heap tracing enabled. - ULONG CritSecTracingEnabled : 1; // ETW lock tracing enabled. - ULONG LibLoaderTracingEnabled : 1; // ETW loader tracing enabled. - ULONG SpareTracingBits : 29; - }; - }; - - // - // Reserved for CSRSS. - // - ULONGLONG CsrServerReadOnlySharedMemoryBase; - - // - // Pointer to the thread pool worker list lock. - // - PRTL_CRITICAL_SECTION TppWorkerpListLock; - - // - // Pointer to the thread pool worker list. - // - LIST_ENTRY TppWorkerpList; - - // - // Wait on address hash table. (RtlWaitOnAddress) - // - PVOID WaitOnAddressHashTable[128]; - - // - // Pointer to the telemetry coverage header. // since RS3 - // - PTELEMETRY_COVERAGE_HEADER TelemetryCoverageHeader; - - // - // Cloud file flags. 
(ProjFs and Cloud Files) // since RS4 - // - ULONG CloudFileFlags; - - // - // Cloud file diagnostic flags. - // - ULONG CloudFileDiagFlags; - - // - // Placeholder compatibility mode. (ProjFs and Cloud Files) - // - CHAR PlaceholderCompatibilityMode; - - // - // Reserved for placeholder compatibility mode. - // - CHAR PlaceholderCompatibilityModeReserved[7]; - - // - // Pointer to leap second data. // since RS5 - // - PLEAP_SECOND_DATA LeapSecondData; - - // - // Leap second flags. - // - union - { - ULONG LeapSecondFlags; - struct - { - ULONG SixtySecondEnabled : 1; // Leap seconds enabled. - ULONG Reserved : 31; - }; - }; - - // - // Global flags for the process. - // - ULONG NtGlobalFlag2; - - // - // Extended feature disable mask (AVX). // since WIN11 - // - ULONGLONG ExtendedFeatureDisableMask; - } PEB, *PPEB; - -#ifdef _WIN64 - static_assert(FIELD_OFFSET(PEB, SessionId) == 0x2C0); - // static_assert(sizeof(PEB) == 0x7B0); // REDSTONE3 - // static_assert(sizeof(PEB) == 0x7B8); // REDSTONE4 - // static_assert(sizeof(PEB) == 0x7C8); // REDSTONE5 // 19H1 - static_assert(sizeof(PEB) == 0x7d0); // WIN11 -#else - static_assert(FIELD_OFFSET(PEB, SessionId) == 0x1D4); - // static_assert(sizeof(PEB) == 0x468); // REDSTONE3 - // static_assert(sizeof(PEB) == 0x470); // REDSTONE4 - // static_assert(sizeof(PEB) == 0x480); // REDSTONE5 // 19H1 - static_assert(sizeof(PEB) == 0x488); // WIN11 -#endif - -#define GDI_BATCH_BUFFER_SIZE 310 - - /** - * The GDI_TEB_BATCH structure is used to store information about GDI batch operations. - */ - typedef struct _GDI_TEB_BATCH - { - ULONG Offset; - ULONG_PTR HDC; - ULONG Buffer[GDI_BATCH_BUFFER_SIZE]; - } GDI_TEB_BATCH, *PGDI_TEB_BATCH; - -#define TEB_ACTIVE_FRAME_CONTEXT_FLAG_EXTENDED (0x00000001) - - /** - * The TEB_ACTIVE_FRAME_CONTEXT structure is used to store information about an active frame context. 
- */ - typedef struct _TEB_ACTIVE_FRAME_CONTEXT - { - ULONG Flags; - PCSTR FrameName; - } TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT; - - /** - * The TEB_ACTIVE_FRAME_CONTEXT_EX structure extends TEB_ACTIVE_FRAME_CONTEXT with additional information. - */ - typedef struct _TEB_ACTIVE_FRAME_CONTEXT_EX - { - TEB_ACTIVE_FRAME_CONTEXT BasicContext; - PCSTR SourceLocation; - } TEB_ACTIVE_FRAME_CONTEXT_EX, *PTEB_ACTIVE_FRAME_CONTEXT_EX; - -#define TEB_ACTIVE_FRAME_FLAG_EXTENDED (0x00000001) - - /** - * The TEB_ACTIVE_FRAME structure is used to store information about an active frame. - */ - typedef struct _TEB_ACTIVE_FRAME - { - ULONG Flags; - struct _TEB_ACTIVE_FRAME *Previous; - PTEB_ACTIVE_FRAME_CONTEXT Context; - } TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME; - - /** - * The TEB_ACTIVE_FRAME_EX structure extends TEB_ACTIVE_FRAME with additional information. - */ - typedef struct _TEB_ACTIVE_FRAME_EX - { - TEB_ACTIVE_FRAME BasicFrame; - PVOID ExtensionIdentifier; - } TEB_ACTIVE_FRAME_EX, *PTEB_ACTIVE_FRAME_EX; - -#define STATIC_UNICODE_BUFFER_LENGTH 261 -#define WIN32_CLIENT_INFO_LENGTH 62 - - /** - * Thread Environment Block (TEB) structure. - * - * \remarks https://learn.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-teb - */ - typedef struct _TEB - { - // - // Thread Information Block (TIB) contains the thread's stack, base and limit addresses, the current stack pointer, and the exception list. - // - NT_TIB NtTib; - - // - // Reserved. - // - PVOID EnvironmentPointer; - - // - // Client ID for this thread. - // - CLIENT_ID ClientId; - - // - // A handle to an active Remote Procedure Call (RPC) if the thread is currently involved in an RPC operation. - // - PVOID ActiveRpcHandle; - - // - // A pointer to the __declspec(thread) local storage array. - // - PVOID ThreadLocalStoragePointer; - - // - // A pointer to the Process Environment Block (PEB), which contains information about the process. 
- // - PPEB ProcessEnvironmentBlock; - - // - // The previous Win32 error value for this thread. - // - ULONG LastErrorValue; - - // - // The number of critical sections currently owned by this thread. - // - ULONG CountOfOwnedCriticalSections; - - // - // Reserved. - // - PVOID CsrClientThread; - - // - // Reserved. - // - PVOID Win32ThreadInfo; - - // - // Reserved. - // - ULONG User32Reserved[26]; - - // - // Reserved. - // - ULONG UserReserved[5]; - - // - // Reserved. - // - PVOID WOW32Reserved; - - // - // The LCID of the current thread. (Kernel32!GetThreadLocale) - // - LCID CurrentLocale; - - // - // Reserved. - // - ULONG FpSoftwareStatusRegister; - - // - // Reserved. - // - PVOID ReservedForDebuggerInstrumentation[16]; - -#ifdef _WIN64 - // - // Reserved. - // - PVOID SystemReserved1[25]; - - // - // Per-thread fiber local storage. (Teb->HasFiberData) - // - PVOID HeapFlsData; - - // - // Reserved. - // - ULONG_PTR RngState[4]; -#else - // - // Reserved. - // - PVOID SystemReserved1[26]; -#endif - - // - // Placeholder compatibility mode. (ProjFs and Cloud Files) - // - CHAR PlaceholderCompatibilityMode; - - // - // Indicates whether placeholder hydration is always explicit. - // - BOOLEAN PlaceholderHydrationAlwaysExplicit; - - // - // Reserved. - // - CHAR PlaceholderReserved[10]; - - // - // The process ID (PID) that the current COM server thread is acting on behalf of. - // - ULONG ProxiedProcessId; - - // - // Pointer to the activation context stack for the current thread. - // - ACTIVATION_CONTEXT_STACK ActivationStack; - - // - // Opaque operation on behalf of another user or process. - // - UCHAR WorkingOnBehalfTicket[8]; - - // - // The last exception status for the current thread. - // - NTSTATUS ExceptionCode; - - // - // Pointer to the activation context stack for the current thread. 
- // - PACTIVATION_CONTEXT_STACK ActivationContextStackPointer; - - // - // The stack pointer (SP) of the current system call or exception during instrumentation. - // - ULONG_PTR InstrumentationCallbackSp; - - // - // The program counter (PC) of the previous system call or exception during instrumentation. - // - ULONG_PTR InstrumentationCallbackPreviousPc; - - // - // The stack pointer (SP) of the previous system call or exception during instrumentation. - // - ULONG_PTR InstrumentationCallbackPreviousSp; - -#ifdef _WIN64 - // - // The miniversion ID of the current transacted file operation. - // - ULONG TxFsContext; -#endif - - // - // Indicates the state of the system call or exception instrumentation callback. - // - BOOLEAN InstrumentationCallbackDisabled; - -#ifdef _WIN64 - // - // Indicates the state of alignment exceptions for unaligned load/store operations. - // - BOOLEAN UnalignedLoadStoreExceptions; -#endif - -#ifndef _WIN64 - // - // SpareBytes. - // - UCHAR SpareBytes[23]; - - // - // The miniversion ID of the current transacted file operation. - // - ULONG TxFsContext; -#endif - - // - // Reserved for GDI. - // - GDI_TEB_BATCH GdiTebBatch; - CLIENT_ID RealClientId; - HANDLE GdiCachedProcessHandle; - ULONG GdiClientPID; - ULONG GdiClientTID; - PVOID GdiThreadLocalInfo; - - // - // Reserved for User32. - // - ULONG_PTR Win32ClientInfo[WIN32_CLIENT_INFO_LENGTH]; - - // - // Reserved for opengl32.dll - // - PVOID glDispatchTable[233]; - ULONG_PTR glReserved1[29]; - PVOID glReserved2; - PVOID glSectionInfo; - PVOID glSection; - PVOID glTable; - PVOID glCurrentRC; - PVOID glContext; - - // - // The previous status value for this thread. - // - NTSTATUS LastStatusValue; - - // - // A static string for use by the application. - // - UNICODE_STRING StaticUnicodeString; - - // - // A static buffer for use by the application. - // - WCHAR StaticUnicodeBuffer[STATIC_UNICODE_BUFFER_LENGTH]; - - // - // The maximum stack size and indicates the base of the stack. 
- // - PVOID DeallocationStack; - - // - // Data for Thread Local Storage. (TlsGetValue) - // - PVOID TlsSlots[TLS_MINIMUM_AVAILABLE]; - - // - // Reserved. - // - LIST_ENTRY TlsLinks; - - // - // Reserved for NTVDM. - // - PVOID Vdm; - - // - // Reserved. - // - PVOID ReservedForNtRpc; - - // - // Reserved. - // - PVOID DbgSsReserved[2]; - - // - // The error mode for the current thread. (GetThreadErrorMode) - // - ULONG HardErrorMode; - - // - // Reserved. - // -#ifdef _WIN64 - PVOID Instrumentation[11]; -#else - PVOID Instrumentation[9]; -#endif - - // - // Reserved. - // - GUID ActivityId; - - // - // The service creating the thread (svchost). - // - PVOID SubProcessTag; - - // - // Reserved. - // - PVOID PerflibData; - - // - // Reserved. - // - PVOID EtwTraceData; - - // - // The address of a socket handle during a blocking socket operation. (WSAStartup) - // - HANDLE WinSockData; - - // - // The number of function calls accumulated in the current GDI batch. (GdiSetBatchLimit) - // - ULONG GdiBatchCount; - - // - // The preferred processor for the curremt thread. (SetThreadIdealProcessor/SetThreadIdealProcessorEx) - // - union - { - PROCESSOR_NUMBER CurrentIdealProcessor; - ULONG IdealProcessorValue; - struct - { - UCHAR ReservedPad0; - UCHAR ReservedPad1; - UCHAR ReservedPad2; - UCHAR IdealProcessor; - }; - }; - - // - // The minimum size of the stack available during any stack overflow exceptions. (SetThreadStackGuarantee) - // - ULONG GuaranteedStackBytes; - - // - // Reserved. - // - PVOID ReservedForPerf; - - // - // tagSOleTlsData. 
- // - PVOID ReservedForOle; - - ULONG WaitingOnLoaderLock; - PVOID SavedPriorityState; - ULONG_PTR ReservedForCodeCoverage; - PVOID ThreadPoolData; - PVOID *TlsExpansionSlots; -#ifdef _WIN64 - PVOID ChpeV2CpuAreaInfo; // CHPEV2_CPUAREA_INFO // previously DeallocationBStore - PVOID Unused; // previously BStoreLimit -#endif - ULONG MuiGeneration; - ULONG IsImpersonating; - PVOID NlsCache; - PVOID pShimData; - ULONG HeapData; - HANDLE CurrentTransactionHandle; - PTEB_ACTIVE_FRAME ActiveFrame; - - // - // Reserved for FLS (RtlProcessFlsData). - // - PVOID FlsData; - - PVOID PreferredLanguages; - PVOID UserPrefLanguages; - PVOID MergedPrefLanguages; - ULONG MuiImpersonation; - - union - { - USHORT CrossTebFlags; - USHORT SpareCrossTebBits : 16; - }; - union - { - USHORT SameTebFlags; - struct - { - USHORT SafeThunkCall : 1; - USHORT InDebugPrint : 1; - USHORT HasFiberData : 1; - USHORT SkipThreadAttach : 1; - USHORT WerInShipAssertCode : 1; - USHORT RanProcessInit : 1; - USHORT ClonedThread : 1; - USHORT SuppressDebugMsg : 1; - USHORT DisableUserStackWalk : 1; - USHORT RtlExceptionAttached : 1; - USHORT InitialThread : 1; - USHORT SessionAware : 1; - USHORT LoadOwner : 1; - USHORT LoaderWorker : 1; - USHORT SkipLoaderInit : 1; - USHORT SkipFileAPIBrokering : 1; - }; - }; - - PVOID TxnScopeEnterCallback; - PVOID TxnScopeExitCallback; - PVOID TxnScopeContext; - ULONG LockCount; - LONG WowTebOffset; - PVOID ResourceRetValue; - PVOID ReservedForWdf; - ULONGLONG ReservedForCrt; - GUID EffectiveContainerId; - ULONGLONG LastSleepCounter; // Win11 - ULONG SpinCallCount; - ULONGLONG ExtendedFeatureDisableMask; - PVOID SchedulerSharedDataSlot; // 24H2 - PVOID HeapWalkContext; - GROUP_AFFINITY PrimaryGroupAffinity; - ULONG Rcu[2]; - } TEB, *PTEB; - -#ifdef _WIN64 - // static_assert(sizeof(TEB) == 0x1850); // WIN11 - static_assert(sizeof(TEB) == 0x1878); // 24H2 -#else - // static_assert(sizeof(TEB) == 0x1018); // WIN11 - static_assert(sizeof(TEB) == 0x1038); // 24H2 -#endif - 
-#endif - - // - // Process Object Specific Access Rights - // - -#ifndef PROCESS_TERMINATE -#define PROCESS_TERMINATE 0x0001 -#endif -#ifndef PROCESS_CREATE_THREAD -#define PROCESS_CREATE_THREAD 0x0002 -#endif -#ifndef PROCESS_SET_SESSIONID -#define PROCESS_SET_SESSIONID 0x0004 -#endif -#ifndef PROCESS_VM_OPERATION -#define PROCESS_VM_OPERATION 0x0008 -#endif -#ifndef PROCESS_VM_READ -#define PROCESS_VM_READ 0x0010 -#endif -#ifndef PROCESS_VM_WRITE -#define PROCESS_VM_WRITE 0x0020 -#endif -#ifndef PROCESS_DUP_HANDLE -#define PROCESS_DUP_HANDLE 0x0040 -#endif -#ifndef PROCESS_CREATE_PROCESS -#define PROCESS_CREATE_PROCESS 0x0080 -#endif -#ifndef PROCESS_SET_QUOTA -#define PROCESS_SET_QUOTA 0x0100 -#endif -#ifndef PROCESS_SET_INFORMATION -#define PROCESS_SET_INFORMATION 0x0200 -#endif -#ifndef PROCESS_QUERY_INFORMATION -#define PROCESS_QUERY_INFORMATION 0x0400 -#endif -#ifndef PROCESS_SET_PORT -#define PROCESS_SET_PORT 0x0800 -#endif -#ifndef PROCESS_SUSPEND_RESUME -#define PROCESS_SUSPEND_RESUME 0x0800 -#endif -#ifndef PROCESS_QUERY_LIMITED_INFORMATION -#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000 -#endif -#ifndef PROCESS_SET_LIMITED_INFORMATION -#define PROCESS_SET_LIMITED_INFORMATION 0x2000 -#endif -#ifndef PROCESS_ALL_ACCESS -#if (PHNT_VERSION >= PHNT_VISTA) -#define PROCESS_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | SPECIFIC_RIGHTS_ALL) -#else -#define PROCESS_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFF) -#endif -#endif - - // - // Thread Object Specific Access Rights - // - -#ifndef THREAD_TERMINATE -#define THREAD_TERMINATE 0x0001 -#endif -#ifndef THREAD_SUSPEND_RESUME -#define THREAD_SUSPEND_RESUME 0x0002 -#endif -#ifndef THREAD_ALERT -#define THREAD_ALERT 0x0004 -#endif -#ifndef THREAD_GET_CONTEXT -#define THREAD_GET_CONTEXT 0x0008 -#endif -#ifndef THREAD_SET_CONTEXT -#define THREAD_SET_CONTEXT 0x0010 -#endif -#ifndef THREAD_SET_INFORMATION -#define THREAD_SET_INFORMATION 0x0020 -#endif -#ifndef THREAD_QUERY_INFORMATION -#define 
THREAD_QUERY_INFORMATION 0x0040 -#endif -#ifndef THREAD_SET_THREAD_TOKEN -#define THREAD_SET_THREAD_TOKEN 0x0080 -#endif -#ifndef THREAD_IMPERSONATE -#define THREAD_IMPERSONATE 0x0100 -#endif -#ifndef THREAD_DIRECT_IMPERSONATION -#define THREAD_DIRECT_IMPERSONATION 0x0200 -#endif -#ifndef THREAD_SET_LIMITED_INFORMATION -#define THREAD_SET_LIMITED_INFORMATION 0x0400 -#endif -#ifndef THREAD_QUERY_LIMITED_INFORMATION -#define THREAD_QUERY_LIMITED_INFORMATION 0x0800 -#endif -#ifndef THREAD_RESUME -#define THREAD_RESUME 0x1000 -#endif -#ifndef THREAD_ALL_ACCESS -#if (PHNT_VERSION >= PHNT_VISTA) -#define THREAD_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | SPECIFIC_RIGHTS_ALL) -#else -#define THREAD_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3FF) -#endif -#endif - - // - // Job Object Specific Access Rights - // - -#ifndef JOB_OBJECT_ASSIGN_PROCESS -#define JOB_OBJECT_ASSIGN_PROCESS 0x0001 -#endif -#ifndef JOB_OBJECT_SET_ATTRIBUTES -#define JOB_OBJECT_SET_ATTRIBUTES 0x0002 -#endif -#ifndef JOB_OBJECT_QUERY -#define JOB_OBJECT_QUERY 0x0004 -#endif -#ifndef JOB_OBJECT_TERMINATE -#define JOB_OBJECT_TERMINATE 0x0008 -#endif -#ifndef JOB_OBJECT_SET_SECURITY_ATTRIBUTES -#define JOB_OBJECT_SET_SECURITY_ATTRIBUTES 0x0010 -#endif -#ifndef JOB_OBJECT_ALL_ACCESS -#if (PHNT_VERSION >= PHNT_VISTA) -#define JOB_OBJECT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3F) -#else -#define JOB_OBJECT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1f) // pre-Vista full access -#endif -#endif - - // - // Process information structures - // - - typedef struct _PEB_LDR_DATA - { - ULONG Length; - BOOLEAN Initialized; - HANDLE SsHandle; - LIST_ENTRY InLoadOrderModuleList; - LIST_ENTRY InMemoryOrderModuleList; - LIST_ENTRY InInitializationOrderModuleList; - PVOID EntryInProgress; - BOOLEAN ShutdownInProgress; - HANDLE ShutdownThreadId; - } PEB_LDR_DATA, *PPEB_LDR_DATA; - - typedef struct _INITIAL_TEB - { - struct - { - PVOID OldStackBase; - PVOID OldStackLimit; - 
} OldInitialTeb; - PVOID StackBase; - PVOID StackLimit; - PVOID StackAllocationBase; - } INITIAL_TEB, *PINITIAL_TEB; - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - typedef enum _PROCESSINFOCLASS - { - ProcessBasicInformation, // q: PROCESS_BASIC_INFORMATION, PROCESS_EXTENDED_BASIC_INFORMATION - ProcessQuotaLimits, // qs: QUOTA_LIMITS, QUOTA_LIMITS_EX - ProcessIoCounters, // q: IO_COUNTERS - ProcessVmCounters, // q: VM_COUNTERS, VM_COUNTERS_EX, VM_COUNTERS_EX2 - ProcessTimes, // q: KERNEL_USER_TIMES - ProcessBasePriority, // s: KPRIORITY - ProcessRaisePriority, // s: ULONG - ProcessDebugPort, // q: HANDLE - ProcessExceptionPort, // s: PROCESS_EXCEPTION_PORT (requires SeTcbPrivilege) - ProcessAccessToken, // s: PROCESS_ACCESS_TOKEN - ProcessLdtInformation, // qs: PROCESS_LDT_INFORMATION // 10 - ProcessLdtSize, // s: PROCESS_LDT_SIZE - ProcessDefaultHardErrorMode, // qs: ULONG - ProcessIoPortHandlers, // (kernel-mode only) // s: PROCESS_IO_PORT_HANDLER_INFORMATION - ProcessPooledUsageAndLimits, // q: POOLED_USAGE_AND_LIMITS - ProcessWorkingSetWatch, // q: PROCESS_WS_WATCH_INFORMATION[]; s: void - ProcessUserModeIOPL, // qs: ULONG (requires SeTcbPrivilege) - ProcessEnableAlignmentFaultFixup, // s: BOOLEAN - ProcessPriorityClass, // qs: PROCESS_PRIORITY_CLASS - ProcessWx86Information, // qs: ULONG (requires SeTcbPrivilege) (VdmAllowed) - ProcessHandleCount, // q: ULONG, PROCESS_HANDLE_INFORMATION // 20 - ProcessAffinityMask, // (q >WIN7)s: KAFFINITY, qs: GROUP_AFFINITY - ProcessPriorityBoost, // qs: ULONG - ProcessDeviceMap, // qs: PROCESS_DEVICEMAP_INFORMATION, PROCESS_DEVICEMAP_INFORMATION_EX - ProcessSessionInformation, // q: PROCESS_SESSION_INFORMATION - ProcessForegroundInformation, // s: PROCESS_FOREGROUND_BACKGROUND - ProcessWow64Information, // q: ULONG_PTR - ProcessImageFileName, // q: UNICODE_STRING - ProcessLUIDDeviceMapsEnabled, // q: ULONG - ProcessBreakOnTermination, // qs: ULONG - ProcessDebugObjectHandle, // q: HANDLE // 30 - ProcessDebugFlags, // qs: ULONG - 
ProcessHandleTracing, // q: PROCESS_HANDLE_TRACING_QUERY; s: PROCESS_HANDLE_TRACING_ENABLE[_EX] or void to disable - ProcessIoPriority, // qs: IO_PRIORITY_HINT - ProcessExecuteFlags, // qs: ULONG (MEM_EXECUTE_OPTION_*) - ProcessTlsInformation, // PROCESS_TLS_INFORMATION // ProcessResourceManagement - ProcessCookie, // q: ULONG - ProcessImageInformation, // q: SECTION_IMAGE_INFORMATION - ProcessCycleTime, // q: PROCESS_CYCLE_TIME_INFORMATION // since VISTA - ProcessPagePriority, // qs: PAGE_PRIORITY_INFORMATION - ProcessInstrumentationCallback, // s: PVOID or PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION // 40 - ProcessThreadStackAllocation, // s: PROCESS_STACK_ALLOCATION_INFORMATION, PROCESS_STACK_ALLOCATION_INFORMATION_EX - ProcessWorkingSetWatchEx, // q: PROCESS_WS_WATCH_INFORMATION_EX[]; s: void - ProcessImageFileNameWin32, // q: UNICODE_STRING - ProcessImageFileMapping, // q: HANDLE (input) - ProcessAffinityUpdateMode, // qs: PROCESS_AFFINITY_UPDATE_MODE - ProcessMemoryAllocationMode, // qs: PROCESS_MEMORY_ALLOCATION_MODE - ProcessGroupInformation, // q: USHORT[] - ProcessTokenVirtualizationEnabled, // s: ULONG - ProcessConsoleHostProcess, // qs: ULONG_PTR // ProcessOwnerInformation - ProcessWindowInformation, // q: PROCESS_WINDOW_INFORMATION // 50 - ProcessHandleInformation, // q: PROCESS_HANDLE_SNAPSHOT_INFORMATION // since WIN8 - ProcessMitigationPolicy, // s: PROCESS_MITIGATION_POLICY_INFORMATION - ProcessDynamicFunctionTableInformation, // s: PROCESS_DYNAMIC_FUNCTION_TABLE_INFORMATION - ProcessHandleCheckingMode, // qs: ULONG; s: 0 disables, otherwise enables - ProcessKeepAliveCount, // q: PROCESS_KEEPALIVE_COUNT_INFORMATION - ProcessRevokeFileHandles, // s: PROCESS_REVOKE_FILE_HANDLES_INFORMATION - ProcessWorkingSetControl, // s: PROCESS_WORKING_SET_CONTROL (requires SeDebugPrivilege) - ProcessHandleTable, // q: ULONG[] // since WINBLUE - ProcessCheckStackExtentsMode, // qs: ULONG // KPROCESS->CheckStackExtents (CFG) - ProcessCommandLineInformation, // q: 
UNICODE_STRING // 60 - ProcessProtectionInformation, // q: PS_PROTECTION - ProcessMemoryExhaustion, // s: PROCESS_MEMORY_EXHAUSTION_INFO // since THRESHOLD - ProcessFaultInformation, // s: PROCESS_FAULT_INFORMATION - ProcessTelemetryIdInformation, // q: PROCESS_TELEMETRY_ID_INFORMATION - ProcessCommitReleaseInformation, // qs: PROCESS_COMMIT_RELEASE_INFORMATION - ProcessDefaultCpuSetsInformation, // qs: SYSTEM_CPU_SET_INFORMATION[5] - ProcessAllowedCpuSetsInformation, // qs: SYSTEM_CPU_SET_INFORMATION[5] - ProcessSubsystemProcess, - ProcessJobMemoryInformation, // q: PROCESS_JOB_MEMORY_INFO - ProcessInPrivate, // q: BOOLEAN; s: void // ETW // since THRESHOLD2 // 70 - ProcessRaiseUMExceptionOnInvalidHandleClose, // qs: ULONG; s: 0 disables, otherwise enables - ProcessIumChallengeResponse, - ProcessChildProcessInformation, // q: PROCESS_CHILD_PROCESS_INFORMATION - ProcessHighGraphicsPriorityInformation, // qs: BOOLEAN (requires SeTcbPrivilege) - ProcessSubsystemInformation, // q: SUBSYSTEM_INFORMATION_TYPE // since REDSTONE2 - ProcessEnergyValues, // q: PROCESS_ENERGY_VALUES, PROCESS_EXTENDED_ENERGY_VALUES - ProcessPowerThrottlingState, // qs: POWER_THROTTLING_PROCESS_STATE - ProcessReserved3Information, // ProcessActivityThrottlePolicy // PROCESS_ACTIVITY_THROTTLE_POLICY - ProcessWin32kSyscallFilterInformation, // q: WIN32K_SYSCALL_FILTER - ProcessDisableSystemAllowedCpuSets, // s: BOOLEAN // 80 - ProcessWakeInformation, // q: PROCESS_WAKE_INFORMATION - ProcessEnergyTrackingState, // qs: PROCESS_ENERGY_TRACKING_STATE - ProcessManageWritesToExecutableMemory, // MANAGE_WRITES_TO_EXECUTABLE_MEMORY // since REDSTONE3 - ProcessCaptureTrustletLiveDump, - ProcessTelemetryCoverage, // q: TELEMETRY_COVERAGE_HEADER; s: TELEMETRY_COVERAGE_POINT - ProcessEnclaveInformation, - ProcessEnableReadWriteVmLogging, // qs: PROCESS_READWRITEVM_LOGGING_INFORMATION - ProcessUptimeInformation, // q: PROCESS_UPTIME_INFORMATION - ProcessImageSection, // q: HANDLE - 
ProcessDebugAuthInformation, // since REDSTONE4 // 90 - ProcessSystemResourceManagement, // s: PROCESS_SYSTEM_RESOURCE_MANAGEMENT - ProcessSequenceNumber, // q: ULONGLONG - ProcessLoaderDetour, // since REDSTONE5 - ProcessSecurityDomainInformation, // q: PROCESS_SECURITY_DOMAIN_INFORMATION - ProcessCombineSecurityDomainsInformation, // s: PROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION - ProcessEnableLogging, // qs: PROCESS_LOGGING_INFORMATION - ProcessLeapSecondInformation, // qs: PROCESS_LEAP_SECOND_INFORMATION - ProcessFiberShadowStackAllocation, // s: PROCESS_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION // since 19H1 - ProcessFreeFiberShadowStackAllocation, // s: PROCESS_FREE_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION - ProcessAltSystemCallInformation, // s: PROCESS_SYSCALL_PROVIDER_INFORMATION // since 20H1 // 100 - ProcessDynamicEHContinuationTargets, // s: PROCESS_DYNAMIC_EH_CONTINUATION_TARGETS_INFORMATION - ProcessDynamicEnforcedCetCompatibleRanges, // s: PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE_INFORMATION // since 20H2 - ProcessCreateStateChange, // since WIN11 - ProcessApplyStateChange, - ProcessEnableOptionalXStateFeatures, // s: ULONG64 // optional XState feature bitmask - ProcessAltPrefetchParam, // qs: OVERRIDE_PREFETCH_PARAMETER // App Launch Prefetch (ALPF) // since 22H1 - ProcessAssignCpuPartitions, // HANDLE - ProcessPriorityClassEx, // s: PROCESS_PRIORITY_CLASS_EX - ProcessMembershipInformation, // q: PROCESS_MEMBERSHIP_INFORMATION - ProcessEffectiveIoPriority, // q: IO_PRIORITY_HINT // 110 - ProcessEffectivePagePriority, // q: ULONG - ProcessSchedulerSharedData, // SCHEDULER_SHARED_DATA_SLOT_INFORMATION // since 24H2 - ProcessSlistRollbackInformation, - ProcessNetworkIoCounters, // q: PROCESS_NETWORK_COUNTERS - ProcessFindFirstThreadByTebValue, // PROCESS_TEB_VALUE_INFORMATION - MaxProcessInfoClass - } PROCESSINFOCLASS; -#endif - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - typedef enum _THREADINFOCLASS - { - ThreadBasicInformation, // q: 
THREAD_BASIC_INFORMATION - ThreadTimes, // q: KERNEL_USER_TIMES - ThreadPriority, // s: KPRIORITY (requires SeIncreaseBasePriorityPrivilege) - ThreadBasePriority, // s: KPRIORITY - ThreadAffinityMask, // s: KAFFINITY - ThreadImpersonationToken, // s: HANDLE - ThreadDescriptorTableEntry, // q: DESCRIPTOR_TABLE_ENTRY (or WOW64_DESCRIPTOR_TABLE_ENTRY) - ThreadEnableAlignmentFaultFixup, // s: BOOLEAN - ThreadEventPair, // Obsolete - ThreadQuerySetWin32StartAddress, // q: ULONG_PTR - ThreadZeroTlsCell, // s: ULONG // TlsIndex // 10 - ThreadPerformanceCount, // q: LARGE_INTEGER - ThreadAmILastThread, // q: ULONG - ThreadIdealProcessor, // s: ULONG - ThreadPriorityBoost, // qs: ULONG - ThreadSetTlsArrayAddress, // s: ULONG_PTR // Obsolete - ThreadIsIoPending, // q: ULONG - ThreadHideFromDebugger, // q: BOOLEAN; s: void - ThreadBreakOnTermination, // qs: ULONG - ThreadSwitchLegacyState, // s: void // NtCurrentThread // NPX/FPU - ThreadIsTerminated, // q: ULONG // 20 - ThreadLastSystemCall, // q: THREAD_LAST_SYSCALL_INFORMATION - ThreadIoPriority, // qs: IO_PRIORITY_HINT (requires SeIncreaseBasePriorityPrivilege) - ThreadCycleTime, // q: THREAD_CYCLE_TIME_INFORMATION (requires THREAD_QUERY_LIMITED_INFORMATION) - ThreadPagePriority, // qs: PAGE_PRIORITY_INFORMATION - ThreadActualBasePriority, // s: LONG (requires SeIncreaseBasePriorityPrivilege) - ThreadTebInformation, // q: THREAD_TEB_INFORMATION (requires THREAD_GET_CONTEXT + THREAD_SET_CONTEXT) - ThreadCSwitchMon, // Obsolete - ThreadCSwitchPmu, // Obsolete - ThreadWow64Context, // qs: WOW64_CONTEXT, ARM_NT_CONTEXT since 20H1 - ThreadGroupInformation, // qs: GROUP_AFFINITY // 30 - ThreadUmsInformation, // q: THREAD_UMS_INFORMATION // Obsolete - ThreadCounterProfiling, // q: BOOLEAN; s: THREAD_PROFILING_INFORMATION? 
- ThreadIdealProcessorEx, // qs: PROCESSOR_NUMBER; s: previous PROCESSOR_NUMBER on return - ThreadCpuAccountingInformation, // q: BOOLEAN; s: HANDLE (NtOpenSession) // NtCurrentThread // since WIN8 - ThreadSuspendCount, // q: ULONG // since WINBLUE - ThreadHeterogeneousCpuPolicy, // q: KHETERO_CPU_POLICY // since THRESHOLD - ThreadContainerId, // q: GUID - ThreadNameInformation, // qs: THREAD_NAME_INFORMATION (requires THREAD_SET_LIMITED_INFORMATION) - ThreadSelectedCpuSets, - ThreadSystemThreadInformation, // q: SYSTEM_THREAD_INFORMATION // 40 - ThreadActualGroupAffinity, // q: GROUP_AFFINITY // since THRESHOLD2 - ThreadDynamicCodePolicyInfo, // q: ULONG; s: ULONG (NtCurrentThread) - ThreadExplicitCaseSensitivity, // qs: ULONG; s: 0 disables, otherwise enables - ThreadWorkOnBehalfTicket, // RTL_WORK_ON_BEHALF_TICKET_EX - ThreadSubsystemInformation, // q: SUBSYSTEM_INFORMATION_TYPE // since REDSTONE2 - ThreadDbgkWerReportActive, // s: ULONG; s: 0 disables, otherwise enables - ThreadAttachContainer, // s: HANDLE (job object) // NtCurrentThread - ThreadManageWritesToExecutableMemory, // MANAGE_WRITES_TO_EXECUTABLE_MEMORY // since REDSTONE3 - ThreadPowerThrottlingState, // POWER_THROTTLING_THREAD_STATE // since REDSTONE3 (set), WIN11 22H2 (query) - ThreadWorkloadClass, // THREAD_WORKLOAD_CLASS // since REDSTONE5 // 50 - ThreadCreateStateChange, // since WIN11 - ThreadApplyStateChange, - ThreadStrongerBadHandleChecks, // since 22H1 - ThreadEffectiveIoPriority, // q: IO_PRIORITY_HINT - ThreadEffectivePagePriority, // q: ULONG - ThreadUpdateLockOwnership, // THREAD_LOCK_OWNERSHIP // since 24H2 - ThreadSchedulerSharedDataSlot, // SCHEDULER_SHARED_DATA_SLOT_INFORMATION - ThreadTebInformationAtomic, // THREAD_TEB_INFORMATION - ThreadIndexInformation, // THREAD_INDEX_INFORMATION - MaxThreadInfoClass - } THREADINFOCLASS; -#endif - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - - // Use with both ProcessPagePriority and ThreadPagePriority - typedef struct _PAGE_PRIORITY_INFORMATION - 
{ - ULONG PagePriority; - } PAGE_PRIORITY_INFORMATION, *PPAGE_PRIORITY_INFORMATION; - - // - // Process information structures - // - - /** - * The PROCESS_BASIC_INFORMATION structure contains basic information about a process. - * - * \remarks https://learn.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess#process_basic_information - */ - typedef struct _PROCESS_BASIC_INFORMATION - { - NTSTATUS ExitStatus; // The exit status of the process. (GetExitCodeProcess) - PPEB PebBaseAddress; // A pointer to the process environment block (PEB) of the process. - KAFFINITY AffinityMask; // The affinity mask of the process. (GetProcessAffinityMask) (deprecated) - KPRIORITY BasePriority; // The base priority of the process. (GetPriorityClass) - HANDLE UniqueProcessId; // The unique identifier of the process. (GetProcessId) - HANDLE InheritedFromUniqueProcessId; // The unique identifier of the parent process. - } PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION; - - /** - * The PROCESS_EXTENDED_BASIC_INFORMATION structure contains extended basic information about a process. - */ - typedef struct _PROCESS_EXTENDED_BASIC_INFORMATION - { - _In_ SIZE_T Size; // The size of the structure, in bytes. This member must be set to sizeof(PROCESS_EXTENDED_BASIC_INFORMATION). - union - { - PROCESS_BASIC_INFORMATION BasicInfo; - struct - { - NTSTATUS ExitStatus; // The exit status of the process. (GetExitCodeProcess) - PPEB PebBaseAddress; // A pointer to the process environment block (PEB) of the process. - KAFFINITY AffinityMask; // The affinity mask of the process. (GetProcessAffinityMask) (deprecated) - KPRIORITY BasePriority; // The base priority of the process. (GetPriorityClass) - HANDLE UniqueProcessId; // The unique identifier of the process. (GetProcessId) - HANDLE InheritedFromUniqueProcessId; // The unique identifier of the parent process. 
- }; - }; - union - { - ULONG Flags; - struct - { - ULONG IsProtectedProcess : 1; - ULONG IsWow64Process : 1; - ULONG IsProcessDeleting : 1; - ULONG IsCrossSessionCreate : 1; - ULONG IsFrozen : 1; - ULONG IsBackground : 1; // WIN://BGKD - ULONG IsStronglyNamed : 1; // WIN://SYSAPPID - ULONG IsSecureProcess : 1; - ULONG IsSubsystemProcess : 1; - ULONG IsTrustedApp : 1; // since 24H2 - ULONG SpareBits : 22; - }; - }; - } PROCESS_EXTENDED_BASIC_INFORMATION, *PPROCESS_EXTENDED_BASIC_INFORMATION; - - /** - * The VM_COUNTERS structure contains various memory usage statistics for a process. - * - * \remarks https://learn.microsoft.com/en-us/windows/win32/api/psapi/ns-psapi-process_memory_counters - */ - typedef struct _VM_COUNTERS - { - SIZE_T PeakVirtualSize; // The peak virtual address space size of this process, in bytes. - SIZE_T VirtualSize; // The virtual address space size of this process, in bytes. - ULONG PageFaultCount; // The number of page faults. - SIZE_T PeakWorkingSetSize; // The peak working set size, in bytes. - SIZE_T WorkingSetSize; // The current working set size, in bytes - SIZE_T QuotaPeakPagedPoolUsage; // The peak paged pool usage, in bytes. - SIZE_T QuotaPagedPoolUsage; // The current paged pool usage, in bytes. - SIZE_T QuotaPeakNonPagedPoolUsage; // The peak non-paged pool usage, in bytes. - SIZE_T QuotaNonPagedPoolUsage; // The current non-paged pool usage, in bytes. - SIZE_T PagefileUsage; // The Commit Charge value in bytes for this process. Commit Charge is the total amount of private memory that the memory manager has committed for a running process. - SIZE_T PeakPagefileUsage; // The peak value in bytes of the Commit Charge during the lifetime of this process. - } VM_COUNTERS, *PVM_COUNTERS; - - /** - * The VM_COUNTERS_EX structure extends VM_COUNTERS to include private memory usage. 
- * - * \remarks https://learn.microsoft.com/en-us/windows/win32/api/psapi/ns-psapi-process_memory_counters_ex2 - */ - typedef struct _VM_COUNTERS_EX - { - SIZE_T PeakVirtualSize; // The peak virtual address space size of this process, in bytes. - SIZE_T VirtualSize; // The virtual address space size of this process, in bytes. - ULONG PageFaultCount; // The number of page faults. - SIZE_T PeakWorkingSetSize; // The peak working set size, in bytes. - SIZE_T WorkingSetSize; // The current working set size, in bytes - SIZE_T QuotaPeakPagedPoolUsage; // The peak paged pool usage, in bytes. - SIZE_T QuotaPagedPoolUsage; // The current paged pool usage, in bytes. - SIZE_T QuotaPeakNonPagedPoolUsage; // The peak non-paged pool usage, in bytes. - SIZE_T QuotaNonPagedPoolUsage; // The current non-paged pool usage, in bytes. - SIZE_T PagefileUsage; // The Commit Charge value in bytes for this process. Commit Charge is the total amount of private memory that the memory manager has committed for a running process. - SIZE_T PeakPagefileUsage; // The peak value in bytes of the Commit Charge during the lifetime of this process. - SIZE_T PrivateUsage; // Same as PagefileUsage. The Commit Charge value in bytes for this process. Commit Charge is the total amount of private memory that the memory manager has committed for a running process. - } VM_COUNTERS_EX, *PVM_COUNTERS_EX; - - /** - * The VM_COUNTERS_EX2 structure extends VM_COUNTERS_EX to include private working set size and shared commit usage. - * - * \remarks https://learn.microsoft.com/en-us/windows/win32/api/psapi/ns-psapi-process_memory_counters_ex2 - */ - typedef struct _VM_COUNTERS_EX2 - { - union - { - VM_COUNTERS_EX CountersEx; - struct - { - SIZE_T PeakVirtualSize; // The peak virtual address space size of this process, in bytes. - SIZE_T VirtualSize; // The virtual address space size of this process, in bytes. - ULONG PageFaultCount; // The number of page faults. 
- SIZE_T PeakWorkingSetSize; // The peak working set size, in bytes. - SIZE_T WorkingSetSize; // The current working set size, in bytes - SIZE_T QuotaPeakPagedPoolUsage; // The peak paged pool usage, in bytes. - SIZE_T QuotaPagedPoolUsage; // The current paged pool usage, in bytes. - SIZE_T QuotaPeakNonPagedPoolUsage; // The peak non-paged pool usage, in bytes. - SIZE_T QuotaNonPagedPoolUsage; // The current non-paged pool usage, in bytes. - SIZE_T PagefileUsage; // The Commit Charge value in bytes for this process. Commit Charge is the total amount of private memory that the memory manager has committed for a running process. - SIZE_T PeakPagefileUsage; // The peak value in bytes of the Commit Charge during the lifetime of this process. - SIZE_T PrivateUsage; // Same as PagefileUsage. The Commit Charge value in bytes for this process. Commit Charge is the total amount of private memory that the memory manager has committed for a running process. - }; - }; - SIZE_T PrivateWorkingSetSize; // The current private working set size, in bytes. - SIZE_T SharedCommitUsage; // The current shared commit usage, in bytes. - } VM_COUNTERS_EX2, *PVM_COUNTERS_EX2; - - /** - * The KERNEL_USER_TIMES structure contains timing information for a process or thread. - * - * \remarks https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getthreadtimes - */ - typedef struct _KERNEL_USER_TIMES - { - LARGE_INTEGER CreateTime; // The creation time of the process or thread. - LARGE_INTEGER ExitTime; // The exit time of the process or thread. - LARGE_INTEGER KernelTime; // The amount of time the process has executed in kernel mode. - LARGE_INTEGER UserTime; // The amount of time the process has executed in user mode. - } KERNEL_USER_TIMES, *PKERNEL_USER_TIMES; - - /** - * The POOLED_USAGE_AND_LIMITS structure contains information about the usage and limits of paged and non-paged pool memory. 
- */ - typedef struct _POOLED_USAGE_AND_LIMITS - { - SIZE_T PeakPagedPoolUsage; // The peak paged pool usage. - SIZE_T PagedPoolUsage; // The current paged pool usage. - SIZE_T PagedPoolLimit; // The limit on paged pool usage. - SIZE_T PeakNonPagedPoolUsage; // The peak non-paged pool usage. - SIZE_T NonPagedPoolUsage; // The current non-paged pool usage. - SIZE_T NonPagedPoolLimit; // The limit on non-paged pool usage. - SIZE_T PeakPagefileUsage; // The peak pagefile usage. - SIZE_T PagefileUsage; // The current pagefile usage. - SIZE_T PagefileLimit; // The limit on pagefile usage. - } POOLED_USAGE_AND_LIMITS, *PPOOLED_USAGE_AND_LIMITS; - -#define PROCESS_EXCEPTION_PORT_ALL_STATE_BITS 0x00000003 -#define PROCESS_EXCEPTION_PORT_ALL_STATE_FLAGS ((ULONG_PTR)((1UL << PROCESS_EXCEPTION_PORT_ALL_STATE_BITS) - 1)) - - /** - * The PROCESS_EXCEPTION_PORT structure is used to manage exception ports for a process. - */ - typedef struct _PROCESS_EXCEPTION_PORT - { - // - // Handle to the exception port. No particular access required. - // - _In_ HANDLE ExceptionPortHandle; - - // - // Miscellaneous state flags to be cached along with the exception - // port in the kernel. - // - _Inout_ ULONG StateFlags; - - } PROCESS_EXCEPTION_PORT, *PPROCESS_EXCEPTION_PORT; - - /** - * The PROCESS_ACCESS_TOKEN structure is used to manage the security context of a process or thread. - * - * A process's access token can only be changed if the process has no threads or a single thread that has not yet begun execution. - */ - typedef struct _PROCESS_ACCESS_TOKEN - { - // - // Handle to Primary token to assign to the process. - // TOKEN_ASSIGN_PRIMARY access to this token is needed. - // - HANDLE Token; - - // - // Handle to the initial thread of the process. - // THREAD_QUERY_INFORMATION access to this thread is needed. - // - // N.B. This field is unused. 
- // - HANDLE Thread; - - } PROCESS_ACCESS_TOKEN, *PPROCESS_ACCESS_TOKEN; - -#ifndef _LDT_ENTRY_DEFINED -#define _LDT_ENTRY_DEFINED - typedef struct _LDT_ENTRY - { - USHORT LimitLow; - USHORT BaseLow; - union - { - struct - { - UCHAR BaseMid; - UCHAR Flags1; - UCHAR Flags2; - UCHAR BaseHi; - } Bytes; - struct - { - ULONG BaseMid : 8; - ULONG Type : 5; - ULONG Dpl : 2; - ULONG Pres : 1; - ULONG LimitHi : 4; - ULONG Sys : 1; - ULONG Reserved_0 : 1; - ULONG Default_Big : 1; - ULONG Granularity : 1; - ULONG BaseHi : 8; - } Bits; - } HighWord; - } LDT_ENTRY, *PLDT_ENTRY; -#endif - - /** - * The PROCESS_LDT_INFORMATION structure is used to manage Local Descriptor Table (LDT) entries for a process. - */ - typedef struct _PROCESS_LDT_INFORMATION - { - ULONG Start; - ULONG Length; - LDT_ENTRY LdtEntries[1]; - } PROCESS_LDT_INFORMATION, *PPROCESS_LDT_INFORMATION; - - /** - * The PROCESS_LDT_SIZE structure is used to specify the size of the Local Descriptor Table (LDT) for a process. - */ - typedef struct _PROCESS_LDT_SIZE - { - ULONG Length; - } PROCESS_LDT_SIZE, *PPROCESS_LDT_SIZE; - - /** - * The PROCESS_WS_WATCH_INFORMATION structure is used to store information about working set watch events for a process. - * - * \remarks https://learn.microsoft.com/en-us/windows/win32/api/psapi/ns-psapi-psapi_ws_watch_information - */ - typedef struct _PROCESS_WS_WATCH_INFORMATION - { - PVOID FaultingPc; // A pointer to the instruction that caused the page fault. - PVOID FaultingVa; // A pointer to the page that was added to the working set. - } PROCESS_WS_WATCH_INFORMATION, *PPROCESS_WS_WATCH_INFORMATION; - -#endif - - /** - * The PROCESS_WS_WATCH_INFORMATION_EX structure contains extended information about a page added to a process working set. 
- * - * \remarks https://learn.microsoft.com/en-us/windows/win32/api/psapi/ns-psapi-psapi_ws_watch_information_ex - */ - typedef struct _PROCESS_WS_WATCH_INFORMATION_EX - { - union - { - PROCESS_WS_WATCH_INFORMATION BasicInfo; - struct - { - PVOID FaultingPc; // The address of the instruction that caused the page fault. - PVOID FaultingVa; // The virtual address that caused the page fault. - }; - }; - HANDLE FaultingThreadId; // The identifier of the thread that caused the page fault. - ULONG_PTR Flags; // This member is reserved for future use. - } PROCESS_WS_WATCH_INFORMATION_EX, *PPROCESS_WS_WATCH_INFORMATION_EX; - -#define PROCESS_PRIORITY_CLASS_UNKNOWN 0 -#define PROCESS_PRIORITY_CLASS_IDLE 1 -#define PROCESS_PRIORITY_CLASS_NORMAL 2 -#define PROCESS_PRIORITY_CLASS_HIGH 3 -#define PROCESS_PRIORITY_CLASS_REALTIME 4 -#define PROCESS_PRIORITY_CLASS_BELOW_NORMAL 5 -#define PROCESS_PRIORITY_CLASS_ABOVE_NORMAL 6 - - /** - * The PROCESS_PRIORITY_CLASS structure is used to manage the priority class of a process. - */ - typedef struct _PROCESS_PRIORITY_CLASS - { - BOOLEAN Foreground; - UCHAR PriorityClass; - } PROCESS_PRIORITY_CLASS, *PPROCESS_PRIORITY_CLASS; - - /** - * The PROCESS_PRIORITY_CLASS_EX structure extends PROCESS_PRIORITY_CLASS to include validity flags. - */ - typedef struct _PROCESS_PRIORITY_CLASS_EX - { - union - { - struct - { - USHORT ForegroundValid : 1; - USHORT PriorityClassValid : 1; - }; - USHORT AllFlags; - }; - UCHAR PriorityClass; - BOOLEAN Foreground; - } PROCESS_PRIORITY_CLASS_EX, *PPROCESS_PRIORITY_CLASS_EX; - - /** - * The PROCESS_FOREGROUND_BACKGROUND structure is used to manage the the priority class of a process, specifically whether it runs in the foreground or background. 
- */ - typedef struct _PROCESS_FOREGROUND_BACKGROUND - { - BOOLEAN Foreground; - } PROCESS_FOREGROUND_BACKGROUND, *PPROCESS_FOREGROUND_BACKGROUND; - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - -// DriveType -#define DRIVE_UNKNOWN 0 -#define DRIVE_NO_ROOT_DIR 1 -#define DRIVE_REMOVABLE 2 -#define DRIVE_FIXED 3 -#define DRIVE_REMOTE 4 -#define DRIVE_CDROM 5 -#define DRIVE_RAMDISK 6 - - /** - * The PROCESS_DEVICEMAP_INFORMATION structure contains information about a process's device map. - */ - typedef struct _PROCESS_DEVICEMAP_INFORMATION - { - union - { - struct - { - HANDLE DirectoryHandle; // A handle to a directory object that can be set as the new device map for the process. This handle must have DIRECTORY_TRAVERSE access. - } Set; - struct - { - ULONG DriveMap; // A bitmask that indicates which drive letters are currently in use in the process's device map. - UCHAR DriveType[32]; // A value that indicates the type of each drive (e.g., local disk, network drive, etc.). // DRIVE_* WinBase.h - } Query; - }; - } PROCESS_DEVICEMAP_INFORMATION, *PPROCESS_DEVICEMAP_INFORMATION; - -#define PROCESS_LUID_DOSDEVICES_ONLY 0x00000001 - - /** - * The _PROCESS_DEVICEMAP_INFORMATION_EX structure contains information about a process's device map. - */ - typedef struct _PROCESS_DEVICEMAP_INFORMATION_EX - { - union - { - struct - { - HANDLE DirectoryHandle; // A handle to a directory object that can be set as the new device map for the process. This handle must have DIRECTORY_TRAVERSE access. - } Set; - struct - { - ULONG DriveMap; // A bitmask that indicates which drive letters are currently in use in the process's device map. - UCHAR DriveType[32]; // A value that indicates the type of each drive (e.g., local disk, network drive, etc.). 
// DRIVE_* WinBase.h - } Query; - }; - ULONG Flags; // PROCESS_LUID_DOSDEVICES_ONLY - } PROCESS_DEVICEMAP_INFORMATION_EX, *PPROCESS_DEVICEMAP_INFORMATION_EX; - - /** - * The PROCESS_SESSION_INFORMATION structure is used to store information about the session ID of a process. - */ - typedef struct _PROCESS_SESSION_INFORMATION - { - ULONG SessionId; - } PROCESS_SESSION_INFORMATION, *PPROCESS_SESSION_INFORMATION; - -#define PROCESS_HANDLE_EXCEPTIONS_ENABLED 0x00000001 -#define PROCESS_HANDLE_RAISE_EXCEPTION_ON_INVALID_HANDLE_CLOSE_DISABLED 0x00000000 -#define PROCESS_HANDLE_RAISE_EXCEPTION_ON_INVALID_HANDLE_CLOSE_ENABLED 0x00000001 - - /** - * The PROCESS_HANDLE_TRACING_ENABLE structure is used to enable handle tracing for a process. - */ - typedef struct _PROCESS_HANDLE_TRACING_ENABLE - { - ULONG Flags; // Flags that control handle tracing. - } PROCESS_HANDLE_TRACING_ENABLE, *PPROCESS_HANDLE_TRACING_ENABLE; - -#define PROCESS_HANDLE_TRACING_MAX_SLOTS 0x20000 - - /** - * The PROCESS_HANDLE_TRACING_ENABLE_EX structure extends PROCESS_HANDLE_TRACING_ENABLE to include the total number of slots. - */ - typedef struct _PROCESS_HANDLE_TRACING_ENABLE_EX - { - ULONG Flags; // Flags that control handle tracing. - ULONG TotalSlots; // Total number of handle tracing slots. 
- } PROCESS_HANDLE_TRACING_ENABLE_EX, *PPROCESS_HANDLE_TRACING_ENABLE_EX; - -#define PROCESS_HANDLE_TRACING_MAX_STACKS 16 - -#define PROCESS_HANDLE_TRACE_TYPE_OPEN 1 -#define PROCESS_HANDLE_TRACE_TYPE_CLOSE 2 -#define PROCESS_HANDLE_TRACE_TYPE_BADREF 3 - - typedef struct _PROCESS_HANDLE_TRACING_ENTRY - { - HANDLE Handle; - CLIENT_ID ClientId; - ULONG Type; - PVOID Stacks[PROCESS_HANDLE_TRACING_MAX_STACKS]; - } PROCESS_HANDLE_TRACING_ENTRY, *PPROCESS_HANDLE_TRACING_ENTRY; - - typedef struct _PROCESS_HANDLE_TRACING_QUERY - { - _In_opt_ HANDLE Handle; - _Out_ ULONG TotalTraces; - _Out_ _Field_size_(TotalTraces) PROCESS_HANDLE_TRACING_ENTRY HandleTrace[1]; - } PROCESS_HANDLE_TRACING_QUERY, *PPROCESS_HANDLE_TRACING_QUERY; - -#endif - - /** - * The THREAD_TLS_INFORMATION structure contains information about the Thread Local Storage (TLS) data for a thread. - */ - typedef struct _THREAD_TLS_INFORMATION - { - ULONG Flags; // Flags that provide additional information about the TLS data. - PVOID NewTlsData; // Pointer to the new TLS data. - PVOID OldTlsData; // Pointer to the old TLS data. - HANDLE ThreadId; // Handle to the thread associated with the TLS data. - } THREAD_TLS_INFORMATION, *PTHREAD_TLS_INFORMATION; - - /** - * The PROCESS_TLS_INFORMATION_TYPE enumeration defines the types of TLS operations that can be performed on a process. - */ - typedef enum _PROCESS_TLS_INFORMATION_TYPE - { - ProcessTlsReplaceIndex, // Replace the TLS index. - ProcessTlsReplaceVector, // Replace the TLS vector. - MaxProcessTlsOperation // Maximum value for the enumeration. - } PROCESS_TLS_INFORMATION_TYPE, - *PPROCESS_TLS_INFORMATION_TYPE; - - /** - * The PROCESS_TLS_INFORMATION structure contains information about the TLS operations for a process. - */ - typedef struct _PROCESS_TLS_INFORMATION - { - ULONG Flags; // Flags that provide additional information about the TLS operation. - ULONG OperationType; // The type of TLS operation to be performed. 
- ULONG ThreadDataCount; // The number of THREAD_TLS_INFORMATION structures in the ThreadData array. - ULONG TlsIndex; // The TLS index to be replaced. - ULONG PreviousCount; // The previous count of TLS data. - _Field_size_(ThreadDataCount) THREAD_TLS_INFORMATION ThreadData[1]; // Array of THREAD_TLS_INFORMATION structures. - } PROCESS_TLS_INFORMATION, *PPROCESS_TLS_INFORMATION; - - /** - * The PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION structure contains information about the instrumentation callback for a process. - */ - typedef struct _PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION - { - ULONG Version; // The version of the instrumentation callback information. - ULONG Reserved; // Reserved for future use. - PVOID Callback; // Pointer to the callback function. - } PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION, *PPROCESS_INSTRUMENTATION_CALLBACK_INFORMATION; - - /** - * The PROCESS_STACK_ALLOCATION_INFORMATION structure contains information about the stack allocation for a process. - */ - typedef struct _PROCESS_STACK_ALLOCATION_INFORMATION - { - SIZE_T ReserveSize; // The size of the stack to be reserved. - SIZE_T ZeroBits; // The number of zero bits in the stack base address. - PVOID StackBase; // Pointer to the base of the stack. - } PROCESS_STACK_ALLOCATION_INFORMATION, *PPROCESS_STACK_ALLOCATION_INFORMATION; - - /** - * The PROCESS_STACK_ALLOCATION_INFORMATION_EX structure extends PROCESS_STACK_ALLOCATION_INFORMATION to include additional fields. - */ - typedef struct _PROCESS_STACK_ALLOCATION_INFORMATION_EX - { - ULONG PreferredNode; // The preferred NUMA node for the stack allocation. - ULONG Reserved0; // Reserved for future use. - ULONG Reserved1; // Reserved for future use. - ULONG Reserved2; // Reserved for future use. - PROCESS_STACK_ALLOCATION_INFORMATION AllocInfo; // The stack allocation information. 
- } PROCESS_STACK_ALLOCATION_INFORMATION_EX, *PPROCESS_STACK_ALLOCATION_INFORMATION_EX; - /** - * The PROCESS_AFFINITY_UPDATE_MODE union is used to specify the affinity update mode for a process. - */ - typedef union _PROCESS_AFFINITY_UPDATE_MODE - { - ULONG Flags; - struct - { - ULONG EnableAutoUpdate : 1; // Indicates whether auto-update of affinity is enabled. - ULONG Permanent : 1; // Indicates whether the affinity update is permanent. - ULONG Reserved : 30; // Reserved for future use. - }; - } PROCESS_AFFINITY_UPDATE_MODE, *PPROCESS_AFFINITY_UPDATE_MODE; - - /** - * The PROCESS_MEMORY_ALLOCATION_MODE union is used to specify the memory allocation mode for a process. - */ - typedef union _PROCESS_MEMORY_ALLOCATION_MODE - { - ULONG Flags; - struct - { - ULONG TopDown : 1; // Indicates whether memory allocation should be top-down. - ULONG Reserved : 31; // Reserved for future use. - }; - } PROCESS_MEMORY_ALLOCATION_MODE, *PPROCESS_MEMORY_ALLOCATION_MODE; - - /** - * The PROCESS_HANDLE_INFORMATION structure contains information about the handles of a process. - */ - typedef struct _PROCESS_HANDLE_INFORMATION - { - ULONG HandleCount; // The number of handles in the process. - ULONG HandleCountHighWatermark; // The highest number of handles that the process has had. - } PROCESS_HANDLE_INFORMATION, *PPROCESS_HANDLE_INFORMATION; - - /** - * The PROCESS_CYCLE_TIME_INFORMATION structure contains information about the cycle time of a process. - */ - typedef struct _PROCESS_CYCLE_TIME_INFORMATION - { - ULONGLONG AccumulatedCycles; // The total number of cycles accumulated by the process. - ULONGLONG CurrentCycleCount; // The current cycle count of the process. - } PROCESS_CYCLE_TIME_INFORMATION, *PPROCESS_CYCLE_TIME_INFORMATION; - - /** - * The PROCESS_WINDOW_INFORMATION structure contains information about the windows of a process. - */ - typedef struct _PROCESS_WINDOW_INFORMATION - { - ULONG WindowFlags; // Flags that provide information about the window. 
- USHORT WindowTitleLength; // The length of the window title. - _Field_size_bytes_(WindowTitleLength) WCHAR WindowTitle[1]; // The title of the window. - } PROCESS_WINDOW_INFORMATION, *PPROCESS_WINDOW_INFORMATION; - - /** - * The PROCESS_HANDLE_TABLE_ENTRY_INFO structure contains information about a handle table entry of a process. - */ - typedef struct _PROCESS_HANDLE_TABLE_ENTRY_INFO - { - HANDLE HandleValue; // The value of the handle. - SIZE_T HandleCount; // The number of references to the handle. - SIZE_T PointerCount; // The number of pointers to the handle. - ACCESS_MASK GrantedAccess; // The access rights granted to the handle. - ULONG ObjectTypeIndex; // The index of the object type. - ULONG HandleAttributes; // The attributes of the handle. - ULONG Reserved; // Reserved for future use. - } PROCESS_HANDLE_TABLE_ENTRY_INFO, *PPROCESS_HANDLE_TABLE_ENTRY_INFO; - - /** - * The PROCESS_HANDLE_SNAPSHOT_INFORMATION structure contains information about the handle snapshot of a process. 
- */ - typedef struct _PROCESS_HANDLE_SNAPSHOT_INFORMATION - { - ULONG_PTR NumberOfHandles; - ULONG_PTR Reserved; - _Field_size_(NumberOfHandles) PROCESS_HANDLE_TABLE_ENTRY_INFO Handles[1]; - } PROCESS_HANDLE_SNAPSHOT_INFORMATION, *PPROCESS_HANDLE_SNAPSHOT_INFORMATION; - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - -#if !defined(NTDDI_WIN10_FE) || (NTDDI_VERSION < NTDDI_WIN10_FE) - typedef struct _PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY - { - union - { - ULONG Flags; - struct - { - ULONG EnforceRedirectionTrust : 1; - ULONG AuditRedirectionTrust : 1; - ULONG ReservedFlags : 30; - }; - }; - } PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY, *PPROCESS_MITIGATION_REDIRECTION_TRUST_POLICY; -#endif - -#if !defined(NTDDI_WIN10_NI) || (NTDDI_VERSION < NTDDI_WIN10_NI) - typedef struct _PROCESS_MITIGATION_USER_POINTER_AUTH_POLICY - { - union - { - ULONG Flags; - struct - { - ULONG EnablePointerAuthUserIp : 1; - ULONG ReservedFlags : 31; - }; - }; - } PROCESS_MITIGATION_USER_POINTER_AUTH_POLICY, *PPROCESS_MITIGATION_USER_POINTER_AUTH_POLICY; - - typedef struct _PROCESS_MITIGATION_SEHOP_POLICY - { - union - { - ULONG Flags; - struct - { - ULONG EnableSehop : 1; - ULONG ReservedFlags : 31; - }; - }; - } PROCESS_MITIGATION_SEHOP_POLICY, *PPROCESS_MITIGATION_SEHOP_POLICY; -#endif - - typedef struct _PROCESS_MITIGATION_ACTIVATION_CONTEXT_TRUST_POLICY2 - { - union - { - ULONG Flags; - struct - { - ULONG AssemblyManifestRedirectionTrust : 1; - ULONG ReservedFlags : 31; - } DUMMYSTRUCTNAME; - } DUMMYUNIONNAME; - } PROCESS_MITIGATION_ACTIVATION_CONTEXT_TRUST_POLICY2, *PPROCESS_MITIGATION_ACTIVATION_CONTEXT_TRUST_POLICY2; - -#if defined(_PHLIB_) -// enum PROCESS_MITIGATION_POLICY -#define PROCESS_MITIGATION_POLICY ULONG -#define ProcessDEPPolicy 0 -#define ProcessASLRPolicy 1 -#define ProcessDynamicCodePolicy 2 -#define ProcessStrictHandleCheckPolicy 3 -#define ProcessSystemCallDisablePolicy 4 -#define ProcessMitigationOptionsMask 5 -#define ProcessExtensionPointDisablePolicy 6 -#define 
ProcessControlFlowGuardPolicy 7 -#define ProcessSignaturePolicy 8 -#define ProcessFontDisablePolicy 9 -#define ProcessImageLoadPolicy 10 -#define ProcessSystemCallFilterPolicy 11 -#define ProcessPayloadRestrictionPolicy 12 -#define ProcessChildProcessPolicy 13 -#define ProcessSideChannelIsolationPolicy 14 -#define ProcessUserShadowStackPolicy 15 -#define ProcessRedirectionTrustPolicy 16 -#define ProcessUserPointerAuthPolicy 17 -#define ProcessSEHOPPolicy 18 -#define ProcessActivationContextTrustPolicy 19 -#define MaxProcessMitigationPolicy 20 -#endif - - typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION - { - PROCESS_MITIGATION_POLICY Policy; - union - { - PROCESS_MITIGATION_ASLR_POLICY ASLRPolicy; - PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY StrictHandleCheckPolicy; - PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY SystemCallDisablePolicy; - PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY ExtensionPointDisablePolicy; - PROCESS_MITIGATION_DYNAMIC_CODE_POLICY DynamicCodePolicy; - PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY ControlFlowGuardPolicy; - PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY SignaturePolicy; - PROCESS_MITIGATION_FONT_DISABLE_POLICY FontDisablePolicy; - PROCESS_MITIGATION_IMAGE_LOAD_POLICY ImageLoadPolicy; - PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY SystemCallFilterPolicy; - PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY PayloadRestrictionPolicy; - PROCESS_MITIGATION_CHILD_PROCESS_POLICY ChildProcessPolicy; - PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY SideChannelIsolationPolicy; - PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY UserShadowStackPolicy; - PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY RedirectionTrustPolicy; - PROCESS_MITIGATION_USER_POINTER_AUTH_POLICY UserPointerAuthPolicy; - PROCESS_MITIGATION_SEHOP_POLICY SEHOPPolicy; - }; - } PROCESS_MITIGATION_POLICY_INFORMATION, *PPROCESS_MITIGATION_POLICY_INFORMATION; - - // private - typedef struct _PROCESS_DYNAMIC_FUNCTION_TABLE_INFORMATION - { - struct _DYNAMIC_FUNCTION_TABLE 
*DynamicFunctionTable; - BOOLEAN Remove; - } PROCESS_DYNAMIC_FUNCTION_TABLE_INFORMATION, *PPROCESS_DYNAMIC_FUNCTION_TABLE_INFORMATION; - - typedef struct _PROCESS_KEEPALIVE_COUNT_INFORMATION - { - ULONG WakeCount; - ULONG NoWakeCount; - } PROCESS_KEEPALIVE_COUNT_INFORMATION, *PPROCESS_KEEPALIVE_COUNT_INFORMATION; - - typedef struct _PROCESS_REVOKE_FILE_HANDLES_INFORMATION - { - UNICODE_STRING TargetDevicePath; - } PROCESS_REVOKE_FILE_HANDLES_INFORMATION, *PPROCESS_REVOKE_FILE_HANDLES_INFORMATION; - - // begin_private - -#define PROCESS_WORKING_SET_CONTROL_VERSION 3 - - /** - * The PROCESS_WORKING_SET_OPERATION enumeration defines the operation to perform on a process's working set. - */ - typedef enum _PROCESS_WORKING_SET_OPERATION - { - ProcessWorkingSetSwap, - ProcessWorkingSetEmpty, - ProcessWorkingSetOperationMax - } PROCESS_WORKING_SET_OPERATION; - - /** - * The PROCESS_WORKING_SET_CONTROL structure is used to control the working set of a process. - */ - typedef struct _PROCESS_WORKING_SET_CONTROL - { - ULONG Version; - PROCESS_WORKING_SET_OPERATION Operation; - ULONG Flags; - } PROCESS_WORKING_SET_CONTROL, *PPROCESS_WORKING_SET_CONTROL; - - /** - * The PS_PROTECTED_TYPE enumeration defines the types of protection that can be applied to a process. - */ - typedef enum _PS_PROTECTED_TYPE - { - PsProtectedTypeNone, // No protection. - PsProtectedTypeProtectedLight, // Light protection. - PsProtectedTypeProtected, // Full protection. - PsProtectedTypeMax - } PS_PROTECTED_TYPE; - - /** - * The PS_PROTECTED_SIGNER enumeration defines the types of signers that can be associated with a protected process. - */ - typedef enum _PS_PROTECTED_SIGNER - { - PsProtectedSignerNone, // No signer. - PsProtectedSignerAuthenticode, // Authenticode signer. - PsProtectedSignerCodeGen, // Code generation signer. - PsProtectedSignerAntimalware, // Antimalware signer. - PsProtectedSignerLsa, // Local Security Authority signer. - PsProtectedSignerWindows, // Windows signer. 
- PsProtectedSignerWinTcb, // Windows Trusted Computing Base signer. - PsProtectedSignerWinSystem, // Windows system signer. - PsProtectedSignerApp, // Application signer. - PsProtectedSignerMax - } PS_PROTECTED_SIGNER; - -#define PS_PROTECTED_SIGNER_MASK 0xFF -#define PS_PROTECTED_AUDIT_MASK 0x08 -#define PS_PROTECTED_TYPE_MASK 0x07 - -// ProtectionLevel.Level = PsProtectedValue(PsProtectedSignerCodeGen, FALSE, PsProtectedTypeProtectedLight) -#define PsProtectedValue(PsSigner, PsAudit, PsType) ( \ - (((PsSigner) & PS_PROTECTED_SIGNER_MASK) << 4) | \ - (((PsAudit) & PS_PROTECTED_AUDIT_MASK) << 3) | \ - (((PsType) & PS_PROTECTED_TYPE_MASK))) - -// InitializePsProtection(&ProtectionLevel, PsProtectedSignerCodeGen, FALSE, PsProtectedTypeProtectedLight) -#define InitializePsProtection(PsProtectionLevel, PsSigner, PsAudit, PsType) \ - { \ - (PsProtectionLevel)->Signer = (PsSigner); \ - (PsProtectionLevel)->Audit = (PsAudit); \ - (PsProtectionLevel)->Type = (PsType); \ - } - - /** - * The PS_PROTECTION structure is used to define the protection level of a process. - */ - typedef struct _PS_PROTECTION - { - union - { - UCHAR Level; - struct - { - UCHAR Type : 3; - UCHAR Audit : 1; - UCHAR Signer : 4; - }; - }; - } PS_PROTECTION, *PPS_PROTECTION; - - /** - * The PROCESS_FAULT_INFORMATION structure contains information about process faults. - */ - typedef struct _PROCESS_FAULT_INFORMATION - { - ULONG FaultFlags; // Flags that provide additional information about the fault. - ULONG AdditionalInfo; // Additional information about the fault. - } PROCESS_FAULT_INFORMATION, *PPROCESS_FAULT_INFORMATION; - - /** - * The PROCESS_TELEMETRY_ID_INFORMATION structure contains telemetry information about a process. - */ - typedef struct _PROCESS_TELEMETRY_ID_INFORMATION - { - ULONG HeaderSize; // The size of the structure, in bytes. - ULONG ProcessId; // The ID of the process. - ULONGLONG ProcessStartKey; // The start key of the process. 
- ULONGLONG CreateTime; // The creation time of the process. - ULONGLONG CreateInterruptTime; // The interrupt time at creation. - ULONGLONG CreateUnbiasedInterruptTime; // The unbiased interrupt time at creation. - ULONGLONG ProcessSequenceNumber; // The monotonic sequence number of the process. - ULONGLONG SessionCreateTime; // The session creation time. - ULONG SessionId; // The ID of the session. - ULONG BootId; // The boot ID. - ULONG ImageChecksum; // The checksum of the process image. - ULONG ImageTimeDateStamp; // The timestamp of the process image. - ULONG UserSidOffset; // The offset to the user SID. - ULONG ImagePathOffset; // The offset to the image path. - ULONG PackageNameOffset; // The offset to the package name. - ULONG RelativeAppNameOffset; // The offset to the relative application name. - ULONG CommandLineOffset; // The offset to the command line. - } PROCESS_TELEMETRY_ID_INFORMATION, *PPROCESS_TELEMETRY_ID_INFORMATION; - - /** - * The PROCESS_COMMIT_RELEASE_INFORMATION structure contains information about the commit and release of memory for a process. - */ - typedef struct _PROCESS_COMMIT_RELEASE_INFORMATION - { - ULONG Version; - struct - { - ULONG Eligible : 1; - ULONG ReleaseRepurposedMemResetCommit : 1; - ULONG ForceReleaseMemResetCommit : 1; - ULONG Spare : 29; - }; - SIZE_T CommitDebt; - SIZE_T CommittedMemResetSize; - SIZE_T RepurposedMemResetSize; - } PROCESS_COMMIT_RELEASE_INFORMATION, *PPROCESS_COMMIT_RELEASE_INFORMATION; - - /** - * The PROCESS_JOB_MEMORY_INFO structure contains Represents app memory usage at a single point in time. - * - * \remarks https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/ns-processthreadsapi-app_memory_information - */ - typedef struct _PROCESS_JOB_MEMORY_INFO - { - ULONGLONG SharedCommitUsage; // The current shared commit usage, in bytes. - ULONGLONG PrivateCommitUsage; // The current private commit usage, in bytes. 
- ULONGLONG PeakPrivateCommitUsage; // The peak private commit usage, in bytes. - ULONGLONG PrivateCommitLimit; // The private commit limit, in bytes. - ULONGLONG TotalCommitLimit; // The total commit limit, in bytes. - } PROCESS_JOB_MEMORY_INFO, *PPROCESS_JOB_MEMORY_INFO; - - /** - * The PROCESS_CHILD_PROCESS_INFORMATION structure contains information about child process policies. - */ - typedef struct _PROCESS_CHILD_PROCESS_INFORMATION - { - BOOLEAN ProhibitChildProcesses; // Child processes are prohibited. - BOOLEAN AlwaysAllowSecureChildProcess; // Secure child processes are always allowed. - BOOLEAN AuditProhibitChildProcesses; // Child processes are audited. - } PROCESS_CHILD_PROCESS_INFORMATION, *PPROCESS_CHILD_PROCESS_INFORMATION; - -#define POWER_THROTTLING_PROCESS_CURRENT_VERSION 1 -#define POWER_THROTTLING_PROCESS_EXECUTION_SPEED 0x1 -#define POWER_THROTTLING_PROCESS_DELAYTIMERS 0x2 -#define POWER_THROTTLING_PROCESS_IGNORE_TIMER_RESOLUTION 0x4 // since WIN11 -#define POWER_THROTTLING_PROCESS_VALID_FLAGS \ - ((POWER_THROTTLING_PROCESS_EXECUTION_SPEED | POWER_THROTTLING_PROCESS_DELAYTIMERS | POWER_THROTTLING_PROCESS_IGNORE_TIMER_RESOLUTION)) - - /** - * The POWER_THROTTLING_PROCESS_STATE structure is used to manage the power throttling state of a process. - */ - typedef struct _POWER_THROTTLING_PROCESS_STATE - { - ULONG Version; // The version of the structure. - ULONG ControlMask; // A mask that specifies the control settings for power throttling. - ULONG StateMask; // A mask that specifies the current state of power throttling. 
- } POWER_THROTTLING_PROCESS_STATE, *PPOWER_THROTTLING_PROCESS_STATE; - -// rev (tyranid) -#define WIN32K_SYSCALL_FILTER_STATE_ENABLE 0x1 -#define WIN32K_SYSCALL_FILTER_STATE_AUDIT 0x2 - - typedef struct _WIN32K_SYSCALL_FILTER - { - ULONG FilterState; - ULONG FilterSet; - } WIN32K_SYSCALL_FILTER, *PWIN32K_SYSCALL_FILTER; - - typedef struct _JOBOBJECT_WAKE_FILTER *PJOBOBJECT_WAKE_FILTER; // from ntpsapi.h - - typedef struct _PROCESS_WAKE_INFORMATION - { - ULONGLONG NotificationChannel; - ULONG WakeCounters[7]; - PJOBOBJECT_WAKE_FILTER WakeFilter; - } PROCESS_WAKE_INFORMATION, *PPROCESS_WAKE_INFORMATION; - - typedef struct _PROCESS_ENERGY_TRACKING_STATE - { - ULONG StateUpdateMask; - ULONG StateDesiredValue; - ULONG StateSequence; - ULONG UpdateTag : 1; - WCHAR Tag[64]; - } PROCESS_ENERGY_TRACKING_STATE, *PPROCESS_ENERGY_TRACKING_STATE; - - typedef struct _MANAGE_WRITES_TO_EXECUTABLE_MEMORY - { - ULONG Version : 8; - ULONG ProcessEnableWriteExceptions : 1; - ULONG ThreadAllowWrites : 1; - ULONG Spare : 22; - PVOID KernelWriteToExecutableSignal; // 19H1 - } MANAGE_WRITES_TO_EXECUTABLE_MEMORY, *PMANAGE_WRITES_TO_EXECUTABLE_MEMORY; - -#define POWER_THROTTLING_THREAD_CURRENT_VERSION 1 -#define POWER_THROTTLING_THREAD_EXECUTION_SPEED 0x1 -#define POWER_THROTTLING_THREAD_VALID_FLAGS (POWER_THROTTLING_THREAD_EXECUTION_SPEED) - - typedef struct _POWER_THROTTLING_THREAD_STATE - { - ULONG Version; - ULONG ControlMask; - ULONG StateMask; - } POWER_THROTTLING_THREAD_STATE, *PPOWER_THROTTLING_THREAD_STATE; - -#define PROCESS_READWRITEVM_LOGGING_ENABLE_READVM 1 -#define PROCESS_READWRITEVM_LOGGING_ENABLE_WRITEVM 2 -#define PROCESS_READWRITEVM_LOGGING_ENABLE_READVM_V 1UL -#define PROCESS_READWRITEVM_LOGGING_ENABLE_WRITEVM_V 2UL - - typedef union _PROCESS_READWRITEVM_LOGGING_INFORMATION - { - UCHAR Flags; - struct - { - UCHAR EnableReadVmLogging : 1; - UCHAR EnableWriteVmLogging : 1; - UCHAR Unused : 6; - }; - } PROCESS_READWRITEVM_LOGGING_INFORMATION, 
*PPROCESS_READWRITEVM_LOGGING_INFORMATION; - - typedef struct _PROCESS_UPTIME_INFORMATION - { - ULONGLONG QueryInterruptTime; - ULONGLONG QueryUnbiasedTime; - ULONGLONG EndInterruptTime; - ULONGLONG TimeSinceCreation; - ULONGLONG Uptime; - ULONGLONG SuspendedTime; - struct - { - ULONG HangCount : 4; - ULONG GhostCount : 4; - ULONG Crashed : 1; - ULONG Terminated : 1; - }; - } PROCESS_UPTIME_INFORMATION, *PPROCESS_UPTIME_INFORMATION; - - typedef union _PROCESS_SYSTEM_RESOURCE_MANAGEMENT - { - ULONG Flags; - struct - { - ULONG Foreground : 1; - ULONG Reserved : 31; - }; - } PROCESS_SYSTEM_RESOURCE_MANAGEMENT, *PPROCESS_SYSTEM_RESOURCE_MANAGEMENT; - - typedef struct _PROCESS_SECURITY_DOMAIN_INFORMATION - { - ULONGLONG SecurityDomain; - } PROCESS_SECURITY_DOMAIN_INFORMATION, *PPROCESS_SECURITY_DOMAIN_INFORMATION; - - typedef struct _PROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION - { - HANDLE ProcessHandle; - } PROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION, *PPROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION; - - typedef union _PROCESS_LOGGING_INFORMATION - { - ULONG Flags; - struct - { - ULONG EnableReadVmLogging : 1; - ULONG EnableWriteVmLogging : 1; - ULONG EnableProcessSuspendResumeLogging : 1; - ULONG EnableThreadSuspendResumeLogging : 1; - ULONG EnableLocalExecProtectVmLogging : 1; - ULONG EnableRemoteExecProtectVmLogging : 1; - ULONG EnableImpersonationLogging : 1; - ULONG Reserved : 25; - }; - } PROCESS_LOGGING_INFORMATION, *PPROCESS_LOGGING_INFORMATION; - - typedef struct _PROCESS_LEAP_SECOND_INFORMATION - { - ULONG Flags; - ULONG Reserved; - } PROCESS_LEAP_SECOND_INFORMATION, *PPROCESS_LEAP_SECOND_INFORMATION; - - typedef struct _PROCESS_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION - { - ULONGLONG ReserveSize; - ULONGLONG CommitSize; - ULONG PreferredNode; - ULONG Reserved; - PVOID Ssp; - } PROCESS_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION, *PPROCESS_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION; - - typedef struct _PROCESS_FREE_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION - { 
- PVOID Ssp; - } PROCESS_FREE_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION, *PPROCESS_FREE_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION; - - typedef struct _PROCESS_SYSCALL_PROVIDER_INFORMATION - { - GUID ProviderId; - UCHAR Level; - } PROCESS_SYSCALL_PROVIDER_INFORMATION, *PPROCESS_SYSCALL_PROVIDER_INFORMATION; - - // typedef struct _PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE - //{ - // ULONG_PTR BaseAddress; - // SIZE_T Size; - // ULONG Flags; - // } PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE, *PPROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE; - // - // typedef struct _PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGES_INFORMATION - //{ - // USHORT NumberOfRanges; - // USHORT Reserved; - // ULONG Reserved2; - // PPROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE Ranges; - // } PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGES_INFORMATION, *PPROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGES_INFORMATION; - - typedef struct _PROCESS_MEMBERSHIP_INFORMATION - { - ULONG ServerSiloId; - } PROCESS_MEMBERSHIP_INFORMATION, *PPROCESS_MEMBERSHIP_INFORMATION; - -#if !defined(NTDDI_WIN11_GE) || (NTDDI_VERSION < NTDDI_WIN11_GE) - typedef struct _PROCESS_NETWORK_COUNTERS - { - ULONG64 BytesIn; - ULONG64 BytesOut; - } PROCESS_NETWORK_COUNTERS, *PPROCESS_NETWORK_COUNTERS; -#endif - - typedef struct _PROCESS_TEB_VALUE_INFORMATION - { - ULONG ThreadId; - ULONG TebOffset; - ULONG_PTR Value; - } PROCESS_TEB_VALUE_INFORMATION, *PPROCESS_TEB_VALUE_INFORMATION; - - // end_private - - /** - * The NtQueryPortInformationProcess function retrieves the status of the current process exception port. - * - * @return LOGICAL If TRUE, the process exception port is valid. 
- */ - NTSYSCALLAPI - LOGICAL - NTAPI - NtQueryPortInformationProcess( - VOID); - -#endif - - // - // Thread information structures - // - - typedef struct _THREAD_BASIC_INFORMATION - { - NTSTATUS ExitStatus; - PTEB TebBaseAddress; - CLIENT_ID ClientId; - KAFFINITY AffinityMask; - KPRIORITY Priority; - KPRIORITY BasePriority; - } THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION; - - typedef struct _THREAD_LAST_SYSCALL_INFORMATION - { - PVOID FirstArgument; - USHORT SystemCallNumber; -#ifdef WIN64 - USHORT Pad[0x3]; // since REDSTONE2 -#else - USHORT Pad[0x1]; // since REDSTONE2 -#endif - ULONG64 WaitTime; - } THREAD_LAST_SYSCALL_INFORMATION, *PTHREAD_LAST_SYSCALL_INFORMATION; - - /** - * The THREAD_CYCLE_TIME_INFORMATION structure contains information about the cycle time of a thread. - */ - typedef struct _THREAD_CYCLE_TIME_INFORMATION - { - ULONGLONG AccumulatedCycles; // The total number of cycles accumulated by the thread. - ULONGLONG CurrentCycleCount; // The current cycle count of the thread. - } THREAD_CYCLE_TIME_INFORMATION, *PTHREAD_CYCLE_TIME_INFORMATION; - - // RtlAbPostRelease / ReleaseAllUserModeAutoBoostLockHandles - typedef struct _THREAD_LOCK_OWNERSHIP - { - ULONG SrwLock[1]; - } THREAD_LOCK_OWNERSHIP, *PTHREAD_LOCK_OWNERSHIP; - - typedef enum _SCHEDULER_SHARED_DATA_SLOT_ACTION - { - SchedulerSharedSlotAssign, - SchedulerSharedSlotFree, - SchedulerSharedSlotQuery - } SCHEDULER_SHARED_DATA_SLOT_ACTION; - - typedef struct _SCHEDULER_SHARED_DATA_SLOT_INFORMATION - { - SCHEDULER_SHARED_DATA_SLOT_ACTION Action; - PVOID SchedulerSharedDataHandle; - PVOID Slot; - } SCHEDULER_SHARED_DATA_SLOT_INFORMATION, *PSCHEDULER_SHARED_DATA_SLOT_INFORMATION; - - typedef struct _THREAD_TEB_INFORMATION - { - _Inout_bytecount_(BytesToRead) PVOID TebInformation; // Buffer to write data into. - _In_ ULONG TebOffset; // Offset in TEB to begin reading from. - _In_ ULONG BytesToRead; // Number of bytes to read. 
- } THREAD_TEB_INFORMATION, *PTHREAD_TEB_INFORMATION; - - /** - * The COUNTER_READING structure is used to store individual counter data from a hardware counter. - * - * \sa https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-hardware_counter_data - */ - typedef struct _COUNTER_READING - { - HARDWARE_COUNTER_TYPE Type; // Specifies the type of hardware counter data collected. - ULONG Index; // An identifier for the specific counter. - ULONG64 Start; // The initial value of the counter when measurement started. - ULONG64 Total; // The accumulated value of the counter over the measurement period. - } COUNTER_READING, *PCOUNTER_READING; - -#ifndef THREAD_PERFORMANCE_DATA_VERSION -#define THREAD_PERFORMANCE_DATA_VERSION 1 -#endif - - /** - * The THREAD_PERFORMANCE_DATA structure aggregates various performance metrics for a thread. - * - * \remarks https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-performance_data - */ - typedef struct _THREAD_PERFORMANCE_DATA - { - USHORT Size; // The size of the structure. - USHORT Version; // The version of the structure. Must be set to \ref THREAD_PERFORMANCE_DATA_VERSION. - PROCESSOR_NUMBER ProcessorNumber; // The processor number that identifies where the thread is running. - ULONG ContextSwitches; // The number of context switches that occurred from the time profiling was enabled. - ULONG HwCountersCount; // The number of array elements in the HwCounters array that contain hardware counter data. - ULONG64 UpdateCount; // The number of times that the read operation read the data to ensure a consistent snapshot of the data. - ULONG64 WaitReasonBitMap; // A bitmask of \ref KWAIT_REASON that identifies the reasons for the context switches that occurred since the last time the data was read. - ULONG64 HardwareCounters; // A bitmask of hardware counters used to collect counter data. 
- COUNTER_READING CycleTime; // The cycle time of the thread (excludes the time spent interrupted) from the time profiling was enabled. - COUNTER_READING HwCounters[MAX_HW_COUNTERS]; // The \ref COUNTER_READING structure that contains hardware counter data. - } THREAD_PERFORMANCE_DATA, *PTHREAD_PERFORMANCE_DATA; - -#ifndef THREAD_PROFILING_FLAG_DISPATCH -#define THREAD_PROFILING_FLAG_DISPATCH 0x00000001 -#endif - -#ifndef THREAD_PROFILING_FLAG_HARDWARE_COUNTERS -#define THREAD_PROFILING_FLAG_HARDWARE_COUNTERS 0x00000002 -#endif - - /** - * The THREAD_PROFILING_INFORMATION structure contains profiling information and references to performance data. - * - * \sa https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-readthreadprofilingdata - */ - typedef struct _THREAD_PROFILING_INFORMATION - { - // To receive hardware performance counter data, set this parameter to a bitmask that identifies the hardware counters to collect. - // You can specify up to 16 performance counters. Each bit relates directly to the zero-based hardware counter index for the hardware - // performance counters that you configured. Set to zero if you are not collecting hardware counter data. - // If you set a bit for a hardware counter that has not been configured, the counter value that is read for that counter is zero. - ULONG64 HardwareCounters; - // To receive thread profiling data such as context switch count, set this parameter to \ref THREAD_PROFILING_FLAG_DISPATCH. - ULONG Flags; - // Enable or disable thread profiling on the specified thread. - ULONG Enable; - // The PERFORMANCE_DATA structure that contains thread profiling and hardware counter data. 
- PTHREAD_PERFORMANCE_DATA PerformanceData; - } THREAD_PROFILING_INFORMATION, *PTHREAD_PROFILING_INFORMATION; - - typedef struct _RTL_UMS_CONTEXT - { - SINGLE_LIST_ENTRY Link; - CONTEXT Context; - PVOID Teb; - PVOID UserContext; - volatile ULONG ScheduledThread : 1; - volatile ULONG Suspended : 1; - volatile ULONG VolatileContext : 1; - volatile ULONG Terminated : 1; - volatile ULONG DebugActive : 1; - volatile ULONG RunningOnSelfThread : 1; - volatile ULONG DenyRunningOnSelfThread : 1; - volatile LONG Flags; - volatile ULONG64 KernelUpdateLock : 2; - volatile ULONG64 PrimaryClientID : 62; - volatile ULONG64 ContextLock; - struct _RTL_UMS_CONTEXT *PrimaryUmsContext; - ULONG SwitchCount; - ULONG KernelYieldCount; - ULONG MixedYieldCount; - ULONG YieldCount; - } RTL_UMS_CONTEXT, *PRTL_UMS_CONTEXT; - - typedef enum _THREAD_UMS_INFORMATION_COMMAND - { - UmsInformationCommandInvalid, - UmsInformationCommandAttach, - UmsInformationCommandDetach, - UmsInformationCommandQuery - } THREAD_UMS_INFORMATION_COMMAND; - - typedef struct _RTL_UMS_COMPLETION_LIST - { - PSINGLE_LIST_ENTRY ThreadListHead; - PVOID CompletionEvent; - ULONG CompletionFlags; - SINGLE_LIST_ENTRY InternalListHead; - } RTL_UMS_COMPLETION_LIST, *PRTL_UMS_COMPLETION_LIST; - - typedef struct _THREAD_UMS_INFORMATION - { - THREAD_UMS_INFORMATION_COMMAND Command; - PRTL_UMS_COMPLETION_LIST CompletionList; - PRTL_UMS_CONTEXT UmsContext; - union - { - ULONG Flags; - struct - { - ULONG IsUmsSchedulerThread : 1; - ULONG IsUmsWorkerThread : 1; - ULONG SpareBits : 30; - }; - }; - } THREAD_UMS_INFORMATION, *PTHREAD_UMS_INFORMATION; - - /** - * The THREAD_NAME_INFORMATION structure assigns a description to a thread. - * - * \remarks The handle must have THREAD_SET_LIMITED_INFORMATION access. 
- * \remarks https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-setthreaddescription - */ - typedef struct _THREAD_NAME_INFORMATION - { - UNICODE_STRING ThreadName; - } THREAD_NAME_INFORMATION, *PTHREAD_NAME_INFORMATION; - - typedef struct _ALPC_WORK_ON_BEHALF_TICKET - { - ULONG ThreadId; - ULONG ThreadCreationTimeLow; - } ALPC_WORK_ON_BEHALF_TICKET, *PALPC_WORK_ON_BEHALF_TICKET; - - typedef struct _RTL_WORK_ON_BEHALF_TICKET_EX - { - ALPC_WORK_ON_BEHALF_TICKET Ticket; - union - { - ULONG Flags; - struct - { - ULONG CurrentThread : 1; - ULONG Reserved1 : 31; - }; - }; - ULONG Reserved2; - } RTL_WORK_ON_BEHALF_TICKET_EX, *PRTL_WORK_ON_BEHALF_TICKET_EX; - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - typedef enum _SUBSYSTEM_INFORMATION_TYPE - { - SubsystemInformationTypeWin32, - SubsystemInformationTypeWSL, - MaxSubsystemInformationType - } SUBSYSTEM_INFORMATION_TYPE; -#endif - - typedef enum _THREAD_WORKLOAD_CLASS - { - ThreadWorkloadClassDefault, - ThreadWorkloadClassGraphics, - MaxThreadWorkloadClass - } THREAD_WORKLOAD_CLASS; - -#if defined(_ARM64_) - -#define CONTEXT_ARM 0x00200000L - -#define CONTEXT_ARM_CONTROL (CONTEXT_ARM | 0x1L) -#define CONTEXT_ARM_INTEGER (CONTEXT_ARM | 0x2L) -#define CONTEXT_ARM_FLOATING_POINT (CONTEXT_ARM | 0x4L) -#define CONTEXT_ARM_DEBUG_REGISTERS (CONTEXT_ARM | 0x8L) - -#define CONTEXT_ARM_FULL (CONTEXT_ARM_CONTROL | CONTEXT_ARM_INTEGER | CONTEXT_ARM_FLOATING_POINT) - -#define CONTEXT_ARM_ALL (CONTEXT_ARM_CONTROL | CONTEXT_ARM_INTEGER | CONTEXT_ARM_FLOATING_POINT | CONTEXT_ARM_DEBUG_REGISTERS) - -#define ARM_MAX_BREAKPOINTS 8 -#define ARM_MAX_WATCHPOINTS 1 - - typedef struct _ARM_NT_NEON128 - { - ULONGLONG Low; - LONGLONG High; - } ARM_NT_NEON128, *PARM_NT_NEON128; - - typedef struct DECLSPEC_ALIGN(8) DECLSPEC_NOINITALL _ARM_NT_CONTEXT - { - - // - // Control flags. 
- // - - DWORD ContextFlags; - - // - // Integer registers - // - - DWORD R0; - DWORD R1; - DWORD R2; - DWORD R3; - DWORD R4; - DWORD R5; - DWORD R6; - DWORD R7; - DWORD R8; - DWORD R9; - DWORD R10; - DWORD R11; - DWORD R12; - - // - // Control Registers - // - - DWORD Sp; - DWORD Lr; - DWORD Pc; - DWORD Cpsr; - - // - // Floating Point/NEON Registers - // - - DWORD Fpscr; - DWORD Padding; - union - { - ARM_NT_NEON128 Q[16]; - ULONGLONG D[32]; - DWORD S[32]; - } DUMMYUNIONNAME; - - // - // Debug registers - // - - DWORD Bvr[ARM_MAX_BREAKPOINTS]; - DWORD Bcr[ARM_MAX_BREAKPOINTS]; - DWORD Wvr[ARM_MAX_WATCHPOINTS]; - DWORD Wcr[ARM_MAX_WATCHPOINTS]; - - DWORD Padding2[2]; - - } ARM_NT_CONTEXT, *PARM_NT_CONTEXT; - -#endif - - // private - typedef struct _THREAD_INDEX_INFORMATION - { - ULONG Index; - ULONG Sequence; - } THREAD_INDEX_INFORMATION, *PTHREAD_INDEX_INFORMATION; - - // - // Processes - // - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - - /** - * Creates a new process. - * - * @param ProcessHandle A pointer to a handle that receives the process object handle. - * @param DesiredAccess The access rights desired for the process object. - * @param ObjectAttributes Optional. A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the new process. - * @param ParentProcess A handle to the parent process. - * @param InheritObjectTable If TRUE, the new process inherits the object table of the parent process. - * @param SectionHandle Optional. A handle to a section object to be used for the new process. - * @param DebugPort Optional. A handle to a debug port to be used for the new process. - * @param TokenHandle Optional. A handle to an access token to be used for the new process. - * @return NTSTATUS Successful or errant status. 
- */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateProcess( - _Out_ PHANDLE ProcessHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, - _In_ HANDLE ParentProcess, - _In_ BOOLEAN InheritObjectTable, - _In_opt_ HANDLE SectionHandle, - _In_opt_ HANDLE DebugPort, - _In_opt_ HANDLE TokenHandle); - -// begin_rev -#define PROCESS_CREATE_FLAGS_NONE 0x00000000 -#define PROCESS_CREATE_FLAGS_BREAKAWAY 0x00000001 // NtCreateProcessEx & NtCreateUserProcess -#define PROCESS_CREATE_FLAGS_NO_DEBUG_INHERIT 0x00000002 // NtCreateProcessEx & NtCreateUserProcess -#define PROCESS_CREATE_FLAGS_INHERIT_HANDLES 0x00000004 // NtCreateProcessEx & NtCreateUserProcess -#define PROCESS_CREATE_FLAGS_OVERRIDE_ADDRESS_SPACE 0x00000008 // NtCreateProcessEx only -#define PROCESS_CREATE_FLAGS_LARGE_PAGES 0x00000010 // NtCreateProcessEx only (requires SeLockMemoryPrivilege) -#define PROCESS_CREATE_FLAGS_LARGE_PAGE_SYSTEM_DLL 0x00000020 // NtCreateProcessEx only (requires SeLockMemoryPrivilege) -#define PROCESS_CREATE_FLAGS_PROTECTED_PROCESS 0x00000040 // NtCreateUserProcess only -#define PROCESS_CREATE_FLAGS_CREATE_SESSION 0x00000080 // NtCreateProcessEx & NtCreateUserProcess (requires SeLoadDriverPrivilege) -#define PROCESS_CREATE_FLAGS_INHERIT_FROM_PARENT 0x00000100 // NtCreateProcessEx & NtCreateUserProcess -#define PROCESS_CREATE_FLAGS_CREATE_SUSPENDED 0x00000200 // NtCreateProcessEx & NtCreateUserProcess -#define PROCESS_CREATE_FLAGS_FORCE_BREAKAWAY 0x00000400 // NtCreateProcessEx & NtCreateUserProcess (requires SeTcbPrivilege) -#define PROCESS_CREATE_FLAGS_MINIMAL_PROCESS 0x00000800 // NtCreateProcessEx only -#define PROCESS_CREATE_FLAGS_RELEASE_SECTION 0x00001000 // NtCreateProcessEx & NtCreateUserProcess -#define PROCESS_CREATE_FLAGS_CLONE_MINIMAL 0x00002000 // NtCreateProcessEx only -#define PROCESS_CREATE_FLAGS_CLONE_MINIMAL_REDUCED_COMMIT 0x00004000 -#define PROCESS_CREATE_FLAGS_AUXILIARY_PROCESS 0x00008000 // NtCreateProcessEx & NtCreateUserProcess 
(requires SeTcbPrivilege) -#define PROCESS_CREATE_FLAGS_CREATE_STORE 0x00020000 // NtCreateProcessEx & NtCreateUserProcess -#define PROCESS_CREATE_FLAGS_USE_PROTECTED_ENVIRONMENT 0x00040000 // NtCreateProcessEx & NtCreateUserProcess -#define PROCESS_CREATE_FLAGS_IMAGE_EXPANSION_MITIGATION_DISABLE 0x00080000 -#define PROCESS_CREATE_FLAGS_PARTITION_CREATE_SLAB_IDENTITY 0x00400000 // NtCreateProcessEx & NtCreateUserProcess (requires SeLockMemoryPrivilege) - // end_rev - - /** - * Creates a new process with extended options. - * - * @param ProcessHandle A pointer to a handle that receives the process object handle. - * @param DesiredAccess The access rights desired for the process object. - * @param ObjectAttributes Optional. A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the new process. - * @param ParentProcess A handle to the parent process. - * @param Flags Flags that control the creation of the process. These flags are defined as PROCESS_CREATE_FLAGS_*. - * @param SectionHandle Optional. A handle to a section object to be used for the new process. - * @param DebugPort Optional. A handle to a debug port to be used for the new process. - * @param TokenHandle Optional. A handle to an access token to be used for the new process. - * @param Reserved Reserved for future use. Must be zero. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateProcessEx( - _Out_ PHANDLE ProcessHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, - _In_ HANDLE ParentProcess, - _In_ ULONG Flags, // PROCESS_CREATE_FLAGS_* - _In_opt_ HANDLE SectionHandle, - _In_opt_ HANDLE DebugPort, - _In_opt_ HANDLE TokenHandle, - _Reserved_ ULONG Reserved // JobMemberLevel - ); - - /** - * Opens an existing process object. - * - * @param ProcessHandle A pointer to a handle that receives the process object handle. - * @param DesiredAccess The access rights desired for the process object. 
- * @param ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the new process. - * @param ClientId Optional. A pointer to a CLIENT_ID structure that specifies the client ID of the process to be opened. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtOpenProcess( - _Out_ PHANDLE ProcessHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ PCOBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ PCLIENT_ID ClientId); - - /** - * Terminates the specified process. - * - * @param ProcessHandle Optional. A handle to the process to be terminated. If this parameter is NULL, the calling process is terminated. - * @param ExitStatus The exit status to be used by the process and the process's termination status. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtTerminateProcess( - _In_opt_ HANDLE ProcessHandle, - _In_ NTSTATUS ExitStatus); - - /** - * Suspends the specified process. - * - * @param ProcessHandle A handle to the process to be suspended. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSuspendProcess( - _In_ HANDLE ProcessHandle); - - /** - * Resumes the specified process. - * - * @param ProcessHandle A handle to the process to be resumed. - * @return NTSTATUS Successful or errant status. 
- */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtResumeProcess( - _In_ HANDLE ProcessHandle); - - // - // Macros - // - -#define NtCurrentProcess() ((HANDLE)(LONG_PTR) - 1) -#define ZwCurrentProcess() NtCurrentProcess() -#define NtCurrentThread() ((HANDLE)(LONG_PTR) - 2) -#define ZwCurrentThread() NtCurrentThread() -#define NtCurrentSession() ((HANDLE)(LONG_PTR) - 3) -#define ZwCurrentSession() NtCurrentSession() - -#define NtCurrentPeb() (NtCurrentTeb()->ProcessEnvironmentBlock) - -#define NtCurrentProcessId() (NtCurrentTeb()->ClientId.UniqueProcess) -#define NtCurrentThreadId() (NtCurrentTeb()->ClientId.UniqueThread) - -// Windows 8 and above -#define NtCurrentProcessToken() ((HANDLE)(LONG_PTR) - 4) // NtOpenProcessToken(NtCurrentProcess()) -#define NtCurrentThreadToken() ((HANDLE)(LONG_PTR) - 5) // NtOpenThreadToken(NtCurrentThread()) -#define NtCurrentThreadEffectiveToken() ((HANDLE)(LONG_PTR) - 6) // NtOpenThreadToken(NtCurrentThread()) + NtOpenProcessToken(NtCurrentProcess()) -#define NtCurrentSilo() ((HANDLE)(LONG_PTR) - 1) - - EXTERN_C CONST IMAGE_DOS_HEADER __ImageBase; -#define NtCurrentImageBase() ((PIMAGE_DOS_HEADER) & __ImageBase) - -#define NtCurrentSessionId() (RtlGetActiveConsoleId()) // USER_SHARED_DATA->ActiveConsoleId -#define NtCurrentLogonId() (NtCurrentPeb()->LogonId) - - /** - * Retrieves information about the specified process. - * - * @param ProcessHandle A handle to the process. - * @param ProcessInformationClass The type of process information to be retrieved. - * @param ProcessInformation A pointer to a buffer that receives the process information. - * @param ProcessInformationLength The size of the buffer pointed to by the ProcessInformation parameter. - * @param ReturnLength An optional pointer to a variable that receives the size of the data returned. - * @return NTSTATUS Successful or errant status. 
- */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryInformationProcess( - _In_ HANDLE ProcessHandle, - _In_ PROCESSINFOCLASS ProcessInformationClass, - _Out_writes_bytes_(ProcessInformationLength) PVOID ProcessInformation, - _In_ ULONG ProcessInformationLength, - _Out_opt_ PULONG ReturnLength); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - NtWow64QueryInformationProcess64( - _In_ HANDLE ProcessHandle, - _In_ PROCESSINFOCLASS ProcessInformationClass, - _Out_writes_bytes_(ProcessInformationLength) PVOID ProcessInformation, - _In_ ULONG ProcessInformationLength, - _Out_opt_ PULONG ReturnLength); - - /** - * Sets information for the specified process. - * - * @param ProcessHandle A handle to the process. - * @param ProcessInformationClass The type of process information to be set. - * @param ProcessInformation A pointer to a buffer that contains the process information. - * @param ProcessInformationLength The size of the buffer pointed to by the ProcessInformation parameter. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetInformationProcess( - _In_ HANDLE ProcessHandle, - _In_ PROCESSINFOCLASS ProcessInformationClass, - _In_reads_bytes_(ProcessInformationLength) PVOID ProcessInformation, - _In_ ULONG ProcessInformationLength); - -#define PROCESS_GET_NEXT_FLAGS_PREVIOUS_PROCESS 0x00000001 - -#if (PHNT_VERSION >= PHNT_WS03) - /** - * Retrieves a handle to the next process in the system. - * - * @param ProcessHandle An optional handle to a process. If this parameter is NULL, the function retrieves the first process in the system. - * @param DesiredAccess The access rights desired for the new process handle. - * @param HandleAttributes The attributes for the new process handle. - * @param Flags Flags that modify the behavior of the function. This can be a combination of the following flags: - * - \ref PROCESS_GET_NEXT_FLAGS_PREVIOUS_PROCESS (0x00000001): Retrieve the previous process in the system. 
- * @param NewProcessHandle A pointer to a variable that receives the handle to the next process. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtGetNextProcess( - _In_opt_ HANDLE ProcessHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ ULONG HandleAttributes, - _In_ ULONG Flags, - _Out_ PHANDLE NewProcessHandle); - - /** - * Retrieves a handle to the next thread in the system. - * - * @param ProcessHandle A handle to the process for enumerateration of threads. - * @param ThreadHandle An optional handle to a thread. If this parameter is NULL, the function retrieves the first thread in the process. - * @param DesiredAccess The access rights desired for the new thread handle. - * @param HandleAttributes The attributes for the new thread handle. - * @param Flags Flags that modify the behavior of the function. This can be a combination of the following flags: - * - \ref THREAD_GET_NEXT_FLAGS_PREVIOUS_THREAD (0x00000001): Retrieve the previous thread in the process. - * @param NewThreadHandle A pointer to a variable that receives the handle to the next thread. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtGetNextThread( - _In_ HANDLE ProcessHandle, - _In_opt_ HANDLE ThreadHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ ULONG HandleAttributes, - _In_ ULONG Flags, - _Out_ PHANDLE NewThreadHandle); -#endif - -#endif - -#define STATECHANGE_SET_ATTRIBUTES 0x0001 - - typedef enum _PROCESS_STATE_CHANGE_TYPE - { - ProcessStateChangeSuspend, - ProcessStateChangeResume, - ProcessStateChangeMax, - } PROCESS_STATE_CHANGE_TYPE, - *PPROCESS_STATE_CHANGE_TYPE; - -#if (PHNT_VERSION >= PHNT_WIN11) - /** - * Creates a state change handle for changing the suspension state of a process. - * - * @param ProcessStateChangeHandle A pointer to a variable that receives the handle. - * @param DesiredAccess The access rights desired for the handle. 
- * @param ObjectAttributes Optional attributes for the handle. - * @param ProcessHandle A handle to the process. - * @param Reserved Reserved for future use. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateProcessStateChange( - _Out_ PHANDLE ProcessStateChangeHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, - _In_ HANDLE ProcessHandle, - _In_opt_ _Reserved_ ULONG64 Reserved); - - /** - * Changes the suspension state of a process. - * - * @param ProcessStateChangeHandle A handle to the process state change object. - * @param ProcessHandle A handle to the process. - * @param StateChangeType The type of state change. - * @param ExtendedInformation Optional extended information. - * @param ExtendedInformationLength The length of the extended information. - * @param Reserved Reserved for future use. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtChangeProcessState( - _In_ HANDLE ProcessStateChangeHandle, - _In_ HANDLE ProcessHandle, - _In_ PROCESS_STATE_CHANGE_TYPE StateChangeType, - _In_opt_ _Reserved_ PVOID ExtendedInformation, - _In_opt_ _Reserved_ SIZE_T ExtendedInformationLength, - _In_opt_ _Reserved_ ULONG64 Reserved); -#endif - - typedef enum _THREAD_STATE_CHANGE_TYPE - { - ThreadStateChangeSuspend, - ThreadStateChangeResume, - ThreadStateChangeMax, - } THREAD_STATE_CHANGE_TYPE, - *PTHREAD_STATE_CHANGE_TYPE; - -#if (PHNT_VERSION >= PHNT_WIN11) - /** - * Creates a state change handle for changing the suspension state of a thread. - * - * @param ThreadStateChangeHandle A pointer to a variable that receives the handle. - * @param DesiredAccess The access rights desired for the handle. - * @param ObjectAttributes Optional attributes for the handle. - * @param ThreadHandle A handle to the thread. - * @param Reserved Reserved for future use. - * @return NTSTATUS Successful or errant status. 
- */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateThreadStateChange( - _Out_ PHANDLE ThreadStateChangeHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, - _In_ HANDLE ThreadHandle, - _In_opt_ ULONG64 Reserved); - - /** - * Changes the suspension state of a thread. - * - * @param ThreadStateChangeHandle A handle to the thread state change object. - * @param ThreadHandle A handle to the thread. - * @param StateChangeType The type of state change. - * @param ExtendedInformation Optional extended information. - * @param ExtendedInformationLength The length of the extended information. - * @param Reserved Reserved for future use. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtChangeThreadState( - _In_ HANDLE ThreadStateChangeHandle, - _In_ HANDLE ThreadHandle, - _In_ THREAD_STATE_CHANGE_TYPE StateChangeType, - _In_opt_ PVOID ExtendedInformation, - _In_opt_ SIZE_T ExtendedInformationLength, - _In_opt_ ULONG64 Reserved); -#endif - - // - // Threads - // - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - /** - * Creates a new thread in the specified process. - * - * @param ThreadHandle A pointer to a handle that receives the thread object handle. - * @param DesiredAccess The access rights desired for the thread object. - * @param ObjectAttributes Optional. A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the new thread. - * @param ProcessHandle A handle to the process in which the thread is to be created. - * @param ClientId A pointer to a CLIENT_ID structure that receives the client ID of the new thread. - * @param ThreadContext A pointer to a CONTEXT structure that specifies the initial context of the new thread. - * @param InitialTeb A pointer to an INITIAL_TEB structure that specifies the initial stack limits of the new thread. - * @param CreateSuspended If TRUE, the thread is created in a suspended state. - * @return NTSTATUS Successful or errant status. 
- */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateThread( - _Out_ PHANDLE ThreadHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, - _In_ HANDLE ProcessHandle, - _Out_ PCLIENT_ID ClientId, - _In_ PCONTEXT ThreadContext, - _In_ PINITIAL_TEB InitialTeb, - _In_ BOOLEAN CreateSuspended); - - /** - * Opens an existing thread object. - * - * @param ThreadHandle A pointer to a handle that receives the thread object handle. - * @param DesiredAccess The access rights desired for the thread object. - * @param ObjectAttributes Optional. A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the new thread. - * @param ClientId Optional. A pointer to a CLIENT_ID structure that specifies the client ID of the thread to be opened. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtOpenThread( - _Out_ PHANDLE ThreadHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ PCOBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ PCLIENT_ID ClientId); - - /** - * Terminates the specified thread. - * - * @param ThreadHandle Optional. A handle to the thread to be terminated. If this parameter is NULL, the calling thread is terminated. - * @param ExitStatus The exit status to be used by the thread and the thread's termination status. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtTerminateThread( - _In_opt_ HANDLE ThreadHandle, - _In_ NTSTATUS ExitStatus); - - /** - * Suspends the specified thread. - * - * @param ThreadHandle A handle to the thread to be suspended. - * @param PreviousSuspendCount Optional. A pointer to a variable that receives the thread's previous suspend count. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSuspendThread( - _In_ HANDLE ThreadHandle, - _Out_opt_ PULONG PreviousSuspendCount); - - /** - * Resumes the specified thread. 
- * - * @param ThreadHandle A handle to the thread to be resumed. - * @param PreviousSuspendCount Optional. A pointer to a variable that receives the thread's previous suspend count. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtResumeThread( - _In_ HANDLE ThreadHandle, - _Out_opt_ PULONG PreviousSuspendCount); - -#if (PHNT_VERSION >= PHNT_WS03) - /** - * Retrieves the number of the current processor. - * - * @return ULONG The number of the current processor. - */ - NTSYSCALLAPI - ULONG - NTAPI - NtGetCurrentProcessorNumber( - VOID); -#endif - -#if (PHNT_VERSION >= PHNT_WIN7) - /** - * Retrieves the number of the current processor. - * - * @param ProcessorNumber An optional pointer to a PROCESSOR_NUMBER structure that receives the processor number. - * @return ULONG The number of the current processor. - */ - NTSYSCALLAPI - ULONG - NTAPI - NtGetCurrentProcessorNumberEx( - _Out_opt_ PPROCESSOR_NUMBER ProcessorNumber); -#endif - - /** - * Retrieves the context of the specified thread. - * - * @param ThreadHandle A handle to the thread. - * @param ThreadContext A pointer to a CONTEXT structure that receives the thread context. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtGetContextThread( - _In_ HANDLE ThreadHandle, - _Inout_ PCONTEXT ThreadContext); - - /** - * Sets the context of the specified thread. - * - * @param ThreadHandle A handle to the thread. - * @param ThreadContext A pointer to a CONTEXT structure that specifies the thread context. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetContextThread( - _In_ HANDLE ThreadHandle, - _In_ PCONTEXT ThreadContext); - /** - * Retrieves information about the specified thread. - * - * @param ThreadHandle A handle to the thread. - * @param ThreadInformationClass The type of thread information to be retrieved. 
- * @param ThreadInformation A pointer to a buffer that receives the thread information. - * @param ThreadInformationLength The size of the buffer pointed to by the ThreadInformation parameter. - * @param ReturnLength An optional pointer to a variable that receives the size of the data returned. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryInformationThread( - _In_ HANDLE ThreadHandle, - _In_ THREADINFOCLASS ThreadInformationClass, - _Out_writes_bytes_(ThreadInformationLength) PVOID ThreadInformation, - _In_ ULONG ThreadInformationLength, - _Out_opt_ PULONG ReturnLength); - - /** - * Sets information for the specified thread. - * - * @param ThreadHandle A handle to the thread. - * @param ThreadInformationClass The type of thread information to be set. - * @param ThreadInformation A pointer to a buffer that contains the thread information. - * @param ThreadInformationLength The size of the buffer pointed to by the ThreadInformation parameter. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetInformationThread( - _In_ HANDLE ThreadHandle, - _In_ THREADINFOCLASS ThreadInformationClass, - _In_reads_bytes_(ThreadInformationLength) PVOID ThreadInformation, - _In_ ULONG ThreadInformationLength); - - /** - * Sends an alert to the specified thread. - * - * @param ThreadHandle A handle to the thread to be alerted. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAlertThread( - _In_ HANDLE ThreadHandle); - - /** - * Resumes a thread that was previously suspended and sends an alert to it. - * - * @param ThreadHandle A handle to the thread to be resumed and alerted. - * @param PreviousSuspendCount An optional pointer to a variable that receives the thread's previous suspend count. - * @return NTSTATUS Successful or errant status. 
- */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAlertResumeThread( - _In_ HANDLE ThreadHandle, - _Out_opt_ PULONG PreviousSuspendCount); - - /** - * Tests whether the current thread has an alert pending. - * - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtTestAlert( - VOID); - -#if (PHNT_VERSION >= PHNT_WIN8) - // rev - /** - * Sends an alert to the specified thread. - * - * @param ThreadId The thread ID of the thread to be alerted. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAlertThreadByThreadId( - _In_ HANDLE ThreadId); -#endif - -#if (PHNT_VERSION >= PHNT_WIN11) - /** - * Sends an alert to the specified thread by its thread ID, with an optional lock. - * - * @param ThreadId The thread ID of the thread to be alerted. - * @param Lock An optional pointer to an SRW lock to be used during the alert. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAlertThreadByThreadIdEx( - _In_ HANDLE ThreadId, - _In_opt_ PRTL_SRWLOCK Lock); - - /** - * Sends an alert to multiple threads by their thread IDs. - * - * @param MultipleThreadId A pointer to an array of thread IDs to be alerted. - * @param Count The number of thread IDs in the array. - * @param Boost A pointer to a boost value to be applied to the threads. - * @param BoostCount The number of boost values in the array. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAlertMultipleThreadByThreadId( - _In_ PHANDLE MultipleThreadId, - _In_ ULONG Count, - _In_ PVOID Boost, - _In_ ULONG BoostCount); -#endif - -#if (PHNT_VERSION >= PHNT_WIN8) - // rev - /** - * Waits for an alert to be delivered to the specified thread. - * - * @param Address The address to wait for an alert on. - * @param Timeout The timeout value for waiting, or NULL for no timeout. - * @return NTSTATUS Successful or errant status. 
- */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtWaitForAlertByThreadId( - _In_opt_ PVOID Address, - _In_opt_ PLARGE_INTEGER Timeout); -#endif - - /** - * Impersonates a client thread. - * - * @param ServerThreadHandle A handle to the server thread. - * @param ClientThreadHandle A handle to the client thread. - * @param SecurityQos A pointer to a SECURITY_QUALITY_OF_SERVICE structure that specifies the impersonation level and context tracking mode. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtImpersonateThread( - _In_ HANDLE ServerThreadHandle, - _In_ HANDLE ClientThreadHandle, - _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos); - - /** - * Registers a thread termination port. - * - * @param PortHandle A handle to the port to be registered. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtRegisterThreadTerminatePort( - _In_ HANDLE PortHandle); - - /** - * Sets LDT (Local Descriptor Table) entries. - * - * @param Selector0 The first selector. - * @param Entry0Low The low part of the first entry. - * @param Entry0Hi The high part of the first entry. - * @param Selector1 The second selector. - * @param Entry1Low The low part of the second entry. - * @param Entry1Hi The high part of the second entry. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetLdtEntries( - _In_ ULONG Selector0, - _In_ ULONG Entry0Low, - _In_ ULONG Entry0Hi, - _In_ ULONG Selector1, - _In_ ULONG Entry1Low, - _In_ ULONG Entry1Hi); - - /** - * Dispatches the Asynchronous Procedure Call (APC) from the NtQueueApc* functions to the specified routine. - * - * @param ApcRoutine A pointer to the APC routine to be executed. - * @param Parameter Optional. A pointer to a parameter to be passed to the APC routine. - * @param ActxContext Optional. A handle to an activation context. 
- */ - NTSYSAPI - VOID - NTAPI - RtlDispatchAPC( - _In_ PAPCFUNC ApcRoutine, - _In_opt_ PVOID Parameter, - _In_opt_ HANDLE ActxContext); - - /** - * A pointer to a function that serves as an APC routine. - * - * @param ApcArgument1 Optional. A pointer to the first argument to be passed to the APC routine. - * @param ApcArgument2 Optional. A pointer to the second argument to be passed to the APC routine. - * @param ApcArgument3 Optional. A pointer to the third argument to be passed to the APC routine. - */ - typedef VOID(NTAPI *PPS_APC_ROUTINE)( - _In_opt_ PVOID ApcArgument1, - _In_opt_ PVOID ApcArgument2, - _In_opt_ PVOID ApcArgument3); - -/** - * Encodes an APC routine pointer for use in a WOW64 environment. - * - * @param ApcRoutine The APC routine pointer to be encoded. - * @return PVOID The encoded APC routine pointer. - */ -#define Wow64EncodeApcRoutine(ApcRoutine) \ - ((PVOID)((0 - ((LONG_PTR)(ApcRoutine))) << 2)) - -/** - * Decodes an APC routine pointer that was encoded for use in a WOW64 environment. - * - * @param ApcRoutine The encoded APC routine pointer to be decoded. - * @return PVOID The decoded APC routine pointer. - */ -#define Wow64DecodeApcRoutine(ApcRoutine) \ - ((PVOID)(0 - (((LONG_PTR)(ApcRoutine)) >> 2))) - - /** - * Queues an APC (Asynchronous Procedure Call) to a thread. - * - * @param ThreadHandle Handle to the thread to which the APC is to be queued. - * @param ApcRoutine A pointer to the RtlDispatchAPC function or custom APC routine to be executed. - * @param ApcArgument1 Optional first argument to be passed to the APC routine. - * @param ApcArgument2 Optional second argument to be passed to the APC routine. - * @param ApcArgument3 Optional third argument to be passed to the APC routine. - * @return NTSTATUS Successful or errant status. 
- * @remarks The APC will be executed in the context of the specified thread when the thread enters an alertable wait state or when any - * process calls the NtTestAlert, NtAlertThread, NtAlertResumeThread or NtAlertThreadByThreadId functions. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueueApcThread( - _In_ HANDLE ThreadHandle, - _In_ PPS_APC_ROUTINE ApcRoutine, // RtlDispatchAPC - _In_opt_ PVOID ApcArgument1, - _In_opt_ PVOID ApcArgument2, - _In_opt_ PVOID ApcArgument3); - -/** - * A special handle value used to queue a user APC (Asynchronous Procedure Call). - */ -#define QUEUE_USER_APC_SPECIAL_USER_APC ((HANDLE)0x1) - -#if (PHNT_VERSION >= PHNT_WIN7) - /** - * Queues an APC (Asynchronous Procedure Call) to a thread. - * - * @param ThreadHandle Handle to the thread to which the APC is to be queued. - * @param ReserveHandle Optional handle to a reserve object. This can be QUEUE_USER_APC_SPECIAL_USER_APC or a handle returned by NtAllocateReserveObject. - * @param ApcRoutine A pointer to the RtlDispatchAPC function or custom APC routine to be executed. - * @param ApcArgument1 Optional first argument to be passed to the APC routine. - * @param ApcArgument2 Optional second argument to be passed to the APC routine. - * @param ApcArgument3 Optional third argument to be passed to the APC routine. - * @return NTSTATUS Successful or errant status. - * @remarks The APC will be executed in the context of the specified thread after the thread enters an alertable wait state or immediately - * when QUEUE_USER_APC_SPECIAL_USER_APC is used or NtTestAlert, NtAlertThread, NtAlertResumeThread or NtAlertThreadByThreadId are called. 
- */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueueApcThreadEx( - _In_ HANDLE ThreadHandle, - _In_opt_ HANDLE ReserveHandle, // NtAllocateReserveObject // QUEUE_USER_APC_SPECIAL_USER_APC - _In_ PPS_APC_ROUTINE ApcRoutine, // RtlDispatchAPC - _In_opt_ PVOID ApcArgument1, - _In_opt_ PVOID ApcArgument2, - _In_opt_ PVOID ApcArgument3); -#endif - - /** - * The APC_CALLBACK_DATA_CONTEXT structure is used to pass information to the APC callback routine. - */ - typedef struct _APC_CALLBACK_DATA_CONTEXT - { - ULONG_PTR Parameter; - PCONTEXT ContextRecord; - ULONG_PTR Reserved0; - ULONG_PTR Reserved1; - } APC_CALLBACK_DATA_CONTEXT, *PAPC_CALLBACK_DATA_CONTEXT; - -#define QUEUE_USER_APC_FLAGS_NONE 0x00000000 -#define QUEUE_USER_APC_FLAGS_SPECIAL_USER_APC 0x00000001 -#define QUEUE_USER_APC_FLAGS_CALLBACK_DATA_CONTEXT 0x00010000 // APC_CALLBACK_DATA_CONTEXT - -#if (PHNT_VERSION >= PHNT_WIN11) - /** - * Queues an Asynchronous Procedure Call (APC) to a specified thread. - * - * @param ThreadHandle A handle to the thread to which the APC is to be queued. - * @param ReserveHandle An optional handle to a reserve object. This can be obtained using NtAllocateReserveObject. - * @param ApcFlags Flags that control the behavior of the APC. These flags are defined in QUEUE_USER_APC_FLAGS. - * @param ApcRoutine A pointer to the RtlDispatchAPC function or custom APC routine to be executed. - * @param ApcArgument1 An optional argument to be passed to the APC routine. - * @param ApcArgument2 An optional argument to be passed to the APC routine. - * @param ApcArgument3 An optional argument to be passed to the APC routine. - * @return NTSTATUS Successful or errant status. - * @remarks The APC will be executed in the context of the specified thread when the thread enters an alertable wait state or immediately - * when QUEUE_USER_APC_SPECIAL_USER_APC is used or any process calls the NtTestAlert, NtAlertThread, - * NtAlertResumeThread or NtAlertThreadByThreadId functions. 
- */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueueApcThreadEx2( - _In_ HANDLE ThreadHandle, - _In_opt_ HANDLE ReserveHandle, // NtAllocateReserveObject - _In_ ULONG ApcFlags, // QUEUE_USER_APC_FLAGS - _In_ PPS_APC_ROUTINE ApcRoutine, // RtlDispatchAPC - _In_opt_ PVOID ApcArgument1, - _In_opt_ PVOID ApcArgument2, - _In_opt_ PVOID ApcArgument3); - -#endif - -#endif - - // - // User processes and threads - // - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - -// Attributes (Win32 CreateProcess) - -// PROC_THREAD_ATTRIBUTE_NUM (dmex) -#define ProcThreadAttributeParentProcess 0 // in HANDLE -#define ProcThreadAttributeExtendedFlags 1 // in ULONG (EXTENDED_PROCESS_CREATION_FLAG_*) -#define ProcThreadAttributeHandleList 2 // in HANDLE[] -#define ProcThreadAttributeGroupAffinity 3 // in GROUP_AFFINITY // since WIN7 -#define ProcThreadAttributePreferredNode 4 // in USHORT -#define ProcThreadAttributeIdealProcessor 5 // in PROCESSOR_NUMBER -#define ProcThreadAttributeUmsThread 6 // in UMS_CREATE_THREAD_ATTRIBUTES -#define ProcThreadAttributeMitigationPolicy 7 // in ULONG, ULONG64, or ULONG64[2] -#define ProcThreadAttributePackageFullName 8 // in WCHAR[] // since WIN8 -#define ProcThreadAttributeSecurityCapabilities 9 // in SECURITY_CAPABILITIES -#define ProcThreadAttributeConsoleReference 10 // BaseGetConsoleReference (kernelbase.dll) -#define ProcThreadAttributeProtectionLevel 11 // in ULONG (PROTECTION_LEVEL_*) // since WINBLUE -#define ProcThreadAttributeOsMaxVersionTested 12 // in MAXVERSIONTESTED_INFO // since THRESHOLD // (from exe.manifest) -#define ProcThreadAttributeJobList 13 // in HANDLE[] -#define ProcThreadAttributeChildProcessPolicy 14 // in ULONG (PROCESS_CREATION_CHILD_PROCESS_*) // since THRESHOLD2 -#define ProcThreadAttributeAllApplicationPackagesPolicy 15 // in ULONG (PROCESS_CREATION_ALL_APPLICATION_PACKAGES_*) // since REDSTONE -#define ProcThreadAttributeWin32kFilter 16 // in WIN32K_SYSCALL_FILTER -#define ProcThreadAttributeSafeOpenPromptOriginClaim 17 // in 
SE_SAFE_OPEN_PROMPT_RESULTS -#define ProcThreadAttributeDesktopAppPolicy 18 // in ULONG (PROCESS_CREATION_DESKTOP_APP_*) // since RS2 -#define ProcThreadAttributeBnoIsolation 19 // in PROC_THREAD_BNOISOLATION_ATTRIBUTE -#define ProcThreadAttributePseudoConsole 22 // in HANDLE (HPCON) // since RS5 -#define ProcThreadAttributeIsolationManifest 23 // in ISOLATION_MANIFEST_PROPERTIES // rev (diversenok) // since 19H2+ -#define ProcThreadAttributeMitigationAuditPolicy 24 // in ULONG, ULONG64, or ULONG64[2] // since 21H1 -#define ProcThreadAttributeMachineType 25 // in USHORT // since 21H2 -#define ProcThreadAttributeComponentFilter 26 // in ULONG -#define ProcThreadAttributeEnableOptionalXStateFeatures 27 // in ULONG64 // since WIN11 -#define ProcThreadAttributeCreateStore 28 // ULONG // rev (diversenok) -#define ProcThreadAttributeTrustedApp 29 -#define ProcThreadAttributeSveVectorLength 30 - -#ifndef PROC_THREAD_ATTRIBUTE_EXTENDED_FLAGS -#define PROC_THREAD_ATTRIBUTE_EXTENDED_FLAGS \ - ProcThreadAttributeValue(ProcThreadAttributeExtendedFlags, FALSE, TRUE, TRUE) -#endif -#ifndef PROC_THREAD_ATTRIBUTE_PACKAGE_FULL_NAME -#define PROC_THREAD_ATTRIBUTE_PACKAGE_FULL_NAME \ - ProcThreadAttributeValue(ProcThreadAttributePackageFullName, FALSE, TRUE, FALSE) -#endif -#ifndef PROC_THREAD_ATTRIBUTE_CONSOLE_REFERENCE -#define PROC_THREAD_ATTRIBUTE_CONSOLE_REFERENCE \ - ProcThreadAttributeValue(ProcThreadAttributeConsoleReference, FALSE, TRUE, FALSE) -#endif -#ifndef PROC_THREAD_ATTRIBUTE_OSMAXVERSIONTESTED -#define PROC_THREAD_ATTRIBUTE_OSMAXVERSIONTESTED \ - ProcThreadAttributeValue(ProcThreadAttributeOsMaxVersionTested, FALSE, TRUE, FALSE) -#endif -#ifndef PROC_THREAD_ATTRIBUTE_SAFE_OPEN_PROMPT_ORIGIN_CLAIM -#define PROC_THREAD_ATTRIBUTE_SAFE_OPEN_PROMPT_ORIGIN_CLAIM \ - ProcThreadAttributeValue(ProcThreadAttributeSafeOpenPromptOriginClaim, FALSE, TRUE, FALSE) -#endif -#ifndef PROC_THREAD_ATTRIBUTE_BNO_ISOLATION -#define PROC_THREAD_ATTRIBUTE_BNO_ISOLATION \ - 
ProcThreadAttributeValue(ProcThreadAttributeBnoIsolation, FALSE, TRUE, FALSE) -#endif -#ifndef PROC_THREAD_ATTRIBUTE_ISOLATION_MANIFEST -#define PROC_THREAD_ATTRIBUTE_ISOLATION_MANIFEST \ - ProcThreadAttributeValue(ProcThreadAttributeIsolationManifest, FALSE, TRUE, FALSE) -#endif -#ifndef PROC_THREAD_ATTRIBUTE_CREATE_STORE -#define PROC_THREAD_ATTRIBUTE_CREATE_STORE \ - ProcThreadAttributeValue(ProcThreadAttributeCreateStore, FALSE, TRUE, FALSE) -#endif -#ifndef PROC_THREAD_ATTRIBUTE_TRUSTED_APP -#define PROC_THREAD_ATTRIBUTE_TRUSTED_APP \ - ProcThreadAttributeValue(ProcThreadAttributeTrustedApp, FALSE, TRUE, FALSE) -#endif - - // private - typedef struct _PROC_THREAD_ATTRIBUTE - { - ULONG_PTR Attribute; - SIZE_T Size; - ULONG_PTR Value; - } PROC_THREAD_ATTRIBUTE, *PPROC_THREAD_ATTRIBUTE; - - /** - * The PROC_THREAD_ATTRIBUTE_LIST structure contains the list of attributes for process and thread creation. - */ - typedef struct _PROC_THREAD_ATTRIBUTE_LIST - { - ULONG PresentFlags; // A bitmask of flags that indicate the attributes for process and thread creation. - ULONG AttributeCount; // The number of attributes in the list. - ULONG LastAttribute; // The index of the last attribute in the list. - ULONG SpareUlong0; // Reserved for future use. - PPROC_THREAD_ATTRIBUTE ExtendedFlagsAttribute; // A pointer to the extended flags attribute. - _Field_size_(AttributeCount) PROC_THREAD_ATTRIBUTE Attributes[1]; // An array of attributes. 
- } PROC_THREAD_ATTRIBUTE_LIST, *PPROC_THREAD_ATTRIBUTE_LIST; - -// private -#define EXTENDED_PROCESS_CREATION_FLAG_ELEVATION_HANDLED 0x00000001 -#define EXTENDED_PROCESS_CREATION_FLAG_FORCELUA 0x00000002 -#define EXTENDED_PROCESS_CREATION_FLAG_FORCE_BREAKAWAY 0x00000004 // requires SeTcbPrivilege // since WINBLUE - -#define PROTECTION_LEVEL_WINTCB_LIGHT 0x00000000 -#define PROTECTION_LEVEL_WINDOWS 0x00000001 -#define PROTECTION_LEVEL_WINDOWS_LIGHT 0x00000002 -#define PROTECTION_LEVEL_ANTIMALWARE_LIGHT 0x00000003 -#define PROTECTION_LEVEL_LSA_LIGHT 0x00000004 -#define PROTECTION_LEVEL_WINTCB 0x00000005 -#define PROTECTION_LEVEL_CODEGEN_LIGHT 0x00000006 -#define PROTECTION_LEVEL_AUTHENTICODE 0x00000007 -#define PROTECTION_LEVEL_PPL_APP 0x00000008 - -#define PROTECTION_LEVEL_SAME 0xFFFFFFFF -#define PROTECTION_LEVEL_NONE 0xFFFFFFFE - - // private - typedef enum _SE_SAFE_OPEN_PROMPT_EXPERIENCE_RESULTS - { - SeSafeOpenExperienceNone = 0x00, - SeSafeOpenExperienceCalled = 0x01, - SeSafeOpenExperienceAppRepCalled = 0x02, - SeSafeOpenExperiencePromptDisplayed = 0x04, - SeSafeOpenExperienceUAC = 0x08, - SeSafeOpenExperienceUninstaller = 0x10, - SeSafeOpenExperienceIgnoreUnknownOrBad = 0x20, - SeSafeOpenExperienceDefenderTrustedInstaller = 0x40, - SeSafeOpenExperienceMOTWPresent = 0x80, - SeSafeOpenExperienceElevatedNoPropagation = 0x100 - } SE_SAFE_OPEN_PROMPT_EXPERIENCE_RESULTS; - - // private - typedef struct _SE_SAFE_OPEN_PROMPT_RESULTS - { - SE_SAFE_OPEN_PROMPT_EXPERIENCE_RESULTS Results; - WCHAR Path[MAX_PATH]; - } SE_SAFE_OPEN_PROMPT_RESULTS, *PSE_SAFE_OPEN_PROMPT_RESULTS; - - typedef struct _PROC_THREAD_BNOISOLATION_ATTRIBUTE - { - BOOL IsolationEnabled; - WCHAR IsolationPrefix[0x88]; - } PROC_THREAD_BNOISOLATION_ATTRIBUTE, *PPROC_THREAD_BNOISOLATION_ATTRIBUTE; - - // private - typedef struct _ISOLATION_MANIFEST_PROPERTIES - { - UNICODE_STRING InstancePath; - UNICODE_STRING FriendlyName; - UNICODE_STRING Description; - ULONG_PTR Level; - } 
ISOLATION_MANIFEST_PROPERTIES, *PISOLATION_MANIFEST_PROPERTIES; - - // Attributes (Native) - - // private - typedef enum _PS_ATTRIBUTE_NUM - { - PsAttributeParentProcess, // in HANDLE - PsAttributeDebugObject, // in HANDLE - PsAttributeToken, // in HANDLE - PsAttributeClientId, // out PCLIENT_ID - PsAttributeTebAddress, // out PTEB * - PsAttributeImageName, // in PWSTR - PsAttributeImageInfo, // out PSECTION_IMAGE_INFORMATION - PsAttributeMemoryReserve, // in PPS_MEMORY_RESERVE - PsAttributePriorityClass, // in UCHAR - PsAttributeErrorMode, // in ULONG - PsAttributeStdHandleInfo, // 10, in PPS_STD_HANDLE_INFO - PsAttributeHandleList, // in HANDLE[] - PsAttributeGroupAffinity, // in PGROUP_AFFINITY - PsAttributePreferredNode, // in PUSHORT - PsAttributeIdealProcessor, // in PPROCESSOR_NUMBER - PsAttributeUmsThread, // ? in PUMS_CREATE_THREAD_ATTRIBUTES - PsAttributeMitigationOptions, // in PPS_MITIGATION_OPTIONS_MAP (PROCESS_CREATION_MITIGATION_POLICY_*) // since WIN8 - PsAttributeProtectionLevel, // in PS_PROTECTION // since WINBLUE - PsAttributeSecureProcess, // in PPS_TRUSTLET_CREATE_ATTRIBUTES, since THRESHOLD - PsAttributeJobList, // in HANDLE[] - PsAttributeChildProcessPolicy, // 20, in PULONG (PROCESS_CREATION_CHILD_PROCESS_*) // since THRESHOLD2 - PsAttributeAllApplicationPackagesPolicy, // in PULONG (PROCESS_CREATION_ALL_APPLICATION_PACKAGES_*) // since REDSTONE - PsAttributeWin32kFilter, // in PWIN32K_SYSCALL_FILTER - PsAttributeSafeOpenPromptOriginClaim, // in SE_SAFE_OPEN_PROMPT_RESULTS - PsAttributeBnoIsolation, // in PPS_BNO_ISOLATION_PARAMETERS // since REDSTONE2 - PsAttributeDesktopAppPolicy, // in PULONG (PROCESS_CREATION_DESKTOP_APP_*) - PsAttributeChpe, // in BOOLEAN // since REDSTONE3 - PsAttributeMitigationAuditOptions, // in PPS_MITIGATION_AUDIT_OPTIONS_MAP (PROCESS_CREATION_MITIGATION_AUDIT_POLICY_*) // since 21H1 - PsAttributeMachineType, // in USHORT // since 21H2 - PsAttributeComponentFilter, - PsAttributeEnableOptionalXStateFeatures, // 
since WIN11 - PsAttributeSupportedMachines, // since 24H2 - PsAttributeSveVectorLength, // PPS_PROCESS_CREATION_SVE_VECTOR_LENGTH - PsAttributeMax - } PS_ATTRIBUTE_NUM; - -// private -#define PS_ATTRIBUTE_NUMBER_MASK 0x0000ffff -#define PS_ATTRIBUTE_THREAD 0x00010000 // may be used with thread creation -#define PS_ATTRIBUTE_INPUT 0x00020000 // input only -#define PS_ATTRIBUTE_ADDITIVE 0x00040000 // "accumulated" e.g. bitmasks, counters, etc. - - // begin_rev - -#define PsAttributeValue(Number, Thread, Input, Additive) \ - (((Number) & PS_ATTRIBUTE_NUMBER_MASK) | \ - ((Thread) ? PS_ATTRIBUTE_THREAD : 0) | \ - ((Input) ? PS_ATTRIBUTE_INPUT : 0) | \ - ((Additive) ? PS_ATTRIBUTE_ADDITIVE : 0)) - -#define PS_ATTRIBUTE_PARENT_PROCESS \ - PsAttributeValue(PsAttributeParentProcess, FALSE, TRUE, TRUE) -#define PS_ATTRIBUTE_DEBUG_OBJECT \ - PsAttributeValue(PsAttributeDebugObject, FALSE, TRUE, TRUE) -#define PS_ATTRIBUTE_TOKEN \ - PsAttributeValue(PsAttributeToken, FALSE, TRUE, TRUE) -#define PS_ATTRIBUTE_CLIENT_ID \ - PsAttributeValue(PsAttributeClientId, TRUE, FALSE, FALSE) -#define PS_ATTRIBUTE_TEB_ADDRESS \ - PsAttributeValue(PsAttributeTebAddress, TRUE, FALSE, FALSE) -#define PS_ATTRIBUTE_IMAGE_NAME \ - PsAttributeValue(PsAttributeImageName, FALSE, TRUE, FALSE) -#define PS_ATTRIBUTE_IMAGE_INFO \ - PsAttributeValue(PsAttributeImageInfo, FALSE, FALSE, FALSE) -#define PS_ATTRIBUTE_MEMORY_RESERVE \ - PsAttributeValue(PsAttributeMemoryReserve, FALSE, TRUE, FALSE) -#define PS_ATTRIBUTE_PRIORITY_CLASS \ - PsAttributeValue(PsAttributePriorityClass, FALSE, TRUE, FALSE) -#define PS_ATTRIBUTE_ERROR_MODE \ - PsAttributeValue(PsAttributeErrorMode, FALSE, TRUE, FALSE) -#define PS_ATTRIBUTE_STD_HANDLE_INFO \ - PsAttributeValue(PsAttributeStdHandleInfo, FALSE, TRUE, FALSE) -#define PS_ATTRIBUTE_HANDLE_LIST \ - PsAttributeValue(PsAttributeHandleList, FALSE, TRUE, FALSE) -#define PS_ATTRIBUTE_GROUP_AFFINITY \ - PsAttributeValue(PsAttributeGroupAffinity, TRUE, TRUE, FALSE) -#define 
PS_ATTRIBUTE_PREFERRED_NODE \ - PsAttributeValue(PsAttributePreferredNode, FALSE, TRUE, FALSE) -#define PS_ATTRIBUTE_IDEAL_PROCESSOR \ - PsAttributeValue(PsAttributeIdealProcessor, TRUE, TRUE, FALSE) -#define PS_ATTRIBUTE_UMS_THREAD \ - PsAttributeValue(PsAttributeUmsThread, TRUE, TRUE, FALSE) -#define PS_ATTRIBUTE_MITIGATION_OPTIONS \ - PsAttributeValue(PsAttributeMitigationOptions, FALSE, TRUE, FALSE) -#define PS_ATTRIBUTE_PROTECTION_LEVEL \ - PsAttributeValue(PsAttributeProtectionLevel, FALSE, TRUE, TRUE) -#define PS_ATTRIBUTE_SECURE_PROCESS \ - PsAttributeValue(PsAttributeSecureProcess, FALSE, TRUE, FALSE) -#define PS_ATTRIBUTE_JOB_LIST \ - PsAttributeValue(PsAttributeJobList, FALSE, TRUE, FALSE) -#define PS_ATTRIBUTE_CHILD_PROCESS_POLICY \ - PsAttributeValue(PsAttributeChildProcessPolicy, FALSE, TRUE, FALSE) -#define PS_ATTRIBUTE_ALL_APPLICATION_PACKAGES_POLICY \ - PsAttributeValue(PsAttributeAllApplicationPackagesPolicy, FALSE, TRUE, FALSE) -#define PS_ATTRIBUTE_WIN32K_FILTER \ - PsAttributeValue(PsAttributeWin32kFilter, FALSE, TRUE, FALSE) -#define PS_ATTRIBUTE_SAFE_OPEN_PROMPT_ORIGIN_CLAIM \ - PsAttributeValue(PsAttributeSafeOpenPromptOriginClaim, FALSE, TRUE, FALSE) -#define PS_ATTRIBUTE_BNO_ISOLATION \ - PsAttributeValue(PsAttributeBnoIsolation, FALSE, TRUE, FALSE) -#define PS_ATTRIBUTE_DESKTOP_APP_POLICY \ - PsAttributeValue(PsAttributeDesktopAppPolicy, FALSE, TRUE, FALSE) -#define PS_ATTRIBUTE_CHPE \ - PsAttributeValue(PsAttributeChpe, FALSE, TRUE, TRUE) -#define PS_ATTRIBUTE_MITIGATION_AUDIT_OPTIONS \ - PsAttributeValue(PsAttributeMitigationAuditOptions, FALSE, TRUE, FALSE) -#define PS_ATTRIBUTE_MACHINE_TYPE \ - PsAttributeValue(PsAttributeMachineType, FALSE, TRUE, TRUE) -#define PS_ATTRIBUTE_COMPONENT_FILTER \ - PsAttributeValue(PsAttributeComponentFilter, FALSE, TRUE, FALSE) -#define PS_ATTRIBUTE_ENABLE_OPTIONAL_XSTATE_FEATURES \ - PsAttributeValue(PsAttributeEnableOptionalXStateFeatures, TRUE, TRUE, FALSE) - - // end_rev - - // begin_private - - 
typedef struct _PS_ATTRIBUTE - { - ULONG_PTR Attribute; - SIZE_T Size; - union - { - ULONG_PTR Value; - PVOID ValuePtr; - }; - PSIZE_T ReturnLength; - } PS_ATTRIBUTE, *PPS_ATTRIBUTE; - - typedef struct _PS_ATTRIBUTE_LIST - { - SIZE_T TotalLength; - PS_ATTRIBUTE Attributes[1]; - } PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST; - - typedef struct _PS_MEMORY_RESERVE - { - PVOID ReserveAddress; - SIZE_T ReserveSize; - } PS_MEMORY_RESERVE, *PPS_MEMORY_RESERVE; - - typedef enum _PS_STD_HANDLE_STATE - { - PsNeverDuplicate, - PsRequestDuplicate, // duplicate standard handles specified by PseudoHandleMask, and only if StdHandleSubsystemType matches the image subsystem - PsAlwaysDuplicate, // always duplicate standard handles - PsMaxStdHandleStates - } PS_STD_HANDLE_STATE; - -// begin_rev -#define PS_STD_INPUT_HANDLE 0x1 -#define PS_STD_OUTPUT_HANDLE 0x2 -#define PS_STD_ERROR_HANDLE 0x4 - // end_rev - - typedef struct _PS_STD_HANDLE_INFO - { - union - { - ULONG Flags; - struct - { - ULONG StdHandleState : 2; // PS_STD_HANDLE_STATE - ULONG PseudoHandleMask : 3; // PS_STD_* - }; - }; - ULONG StdHandleSubsystemType; - } PS_STD_HANDLE_INFO, *PPS_STD_HANDLE_INFO; - - typedef union _PS_TRUSTLET_ATTRIBUTE_ACCESSRIGHTS - { - UCHAR Trustlet : 1; - UCHAR Ntos : 1; - UCHAR WriteHandle : 1; - UCHAR ReadHandle : 1; - UCHAR Reserved : 4; - UCHAR AccessRights; - } PS_TRUSTLET_ATTRIBUTE_ACCESSRIGHTS, *PPS_TRUSTLET_ATTRIBUTE_ACCESSRIGHTS; - - typedef struct _PS_TRUSTLET_ATTRIBUTE_TYPE - { - union - { - struct - { - UCHAR Version; - UCHAR DataCount; - UCHAR SemanticType; - PS_TRUSTLET_ATTRIBUTE_ACCESSRIGHTS AccessRights; - }; - ULONG AttributeType; - }; - } PS_TRUSTLET_ATTRIBUTE_TYPE, *PPS_TRUSTLET_ATTRIBUTE_TYPE; - - typedef struct _PS_TRUSTLET_ATTRIBUTE_HEADER - { - PS_TRUSTLET_ATTRIBUTE_TYPE AttributeType; - ULONG InstanceNumber : 8; - ULONG Reserved : 24; - } PS_TRUSTLET_ATTRIBUTE_HEADER, *PPS_TRUSTLET_ATTRIBUTE_HEADER; - - typedef struct _PS_TRUSTLET_ATTRIBUTE_DATA - { - 
PS_TRUSTLET_ATTRIBUTE_HEADER Header; - ULONGLONG Data[1]; - } PS_TRUSTLET_ATTRIBUTE_DATA, *PPS_TRUSTLET_ATTRIBUTE_DATA; - - typedef struct _PS_TRUSTLET_CREATE_ATTRIBUTES - { - ULONGLONG TrustletIdentity; - PS_TRUSTLET_ATTRIBUTE_DATA Attributes[1]; - } PS_TRUSTLET_CREATE_ATTRIBUTES, *PPS_TRUSTLET_CREATE_ATTRIBUTES; - - // private - typedef struct _PS_BNO_ISOLATION_PARAMETERS - { - UNICODE_STRING IsolationPrefix; - ULONG HandleCount; - PVOID *Handles; - BOOLEAN IsolationEnabled; - } PS_BNO_ISOLATION_PARAMETERS, *PPS_BNO_ISOLATION_PARAMETERS; - - // private - typedef union _PS_PROCESS_CREATION_SVE_VECTOR_LENGTH - { - ULONG VectorLength : 24; - ULONG FlagsReserved : 8; - } PS_PROCESS_CREATION_SVE_VECTOR_LENGTH, *PPS_PROCESS_CREATION_SVE_VECTOR_LENGTH; - - // private - typedef enum _PS_MITIGATION_OPTION - { - PS_MITIGATION_OPTION_NX, - PS_MITIGATION_OPTION_SEHOP, - PS_MITIGATION_OPTION_FORCE_RELOCATE_IMAGES, - PS_MITIGATION_OPTION_HEAP_TERMINATE, - PS_MITIGATION_OPTION_BOTTOM_UP_ASLR, - PS_MITIGATION_OPTION_HIGH_ENTROPY_ASLR, - PS_MITIGATION_OPTION_STRICT_HANDLE_CHECKS, - PS_MITIGATION_OPTION_WIN32K_SYSTEM_CALL_DISABLE, - PS_MITIGATION_OPTION_EXTENSION_POINT_DISABLE, - PS_MITIGATION_OPTION_PROHIBIT_DYNAMIC_CODE, - PS_MITIGATION_OPTION_CONTROL_FLOW_GUARD, - PS_MITIGATION_OPTION_BLOCK_NON_MICROSOFT_BINARIES, - PS_MITIGATION_OPTION_FONT_DISABLE, - PS_MITIGATION_OPTION_IMAGE_LOAD_NO_REMOTE, - PS_MITIGATION_OPTION_IMAGE_LOAD_NO_LOW_LABEL, - PS_MITIGATION_OPTION_IMAGE_LOAD_PREFER_SYSTEM32, - PS_MITIGATION_OPTION_RETURN_FLOW_GUARD, - PS_MITIGATION_OPTION_LOADER_INTEGRITY_CONTINUITY, - PS_MITIGATION_OPTION_STRICT_CONTROL_FLOW_GUARD, - PS_MITIGATION_OPTION_RESTRICT_SET_THREAD_CONTEXT, - PS_MITIGATION_OPTION_ROP_STACKPIVOT, // since REDSTONE3 - PS_MITIGATION_OPTION_ROP_CALLER_CHECK, - PS_MITIGATION_OPTION_ROP_SIMEXEC, - PS_MITIGATION_OPTION_EXPORT_ADDRESS_FILTER, - PS_MITIGATION_OPTION_EXPORT_ADDRESS_FILTER_PLUS, - PS_MITIGATION_OPTION_RESTRICT_CHILD_PROCESS_CREATION, - 
PS_MITIGATION_OPTION_IMPORT_ADDRESS_FILTER, - PS_MITIGATION_OPTION_MODULE_TAMPERING_PROTECTION, - PS_MITIGATION_OPTION_RESTRICT_INDIRECT_BRANCH_PREDICTION, - PS_MITIGATION_OPTION_SPECULATIVE_STORE_BYPASS_DISABLE, // since REDSTONE5 - PS_MITIGATION_OPTION_ALLOW_DOWNGRADE_DYNAMIC_CODE_POLICY, - PS_MITIGATION_OPTION_CET_USER_SHADOW_STACKS, - PS_MITIGATION_OPTION_USER_CET_SET_CONTEXT_IP_VALIDATION, // since 21H1 - PS_MITIGATION_OPTION_BLOCK_NON_CET_BINARIES, - PS_MITIGATION_OPTION_CET_DYNAMIC_APIS_OUT_OF_PROC_ONLY, - PS_MITIGATION_OPTION_REDIRECTION_TRUST, // since 22H1 - PS_MITIGATION_OPTION_RESTRICT_CORE_SHARING, - PS_MITIGATION_OPTION_FSCTL_SYSTEM_CALL_DISABLE, // since 24H2 - } PS_MITIGATION_OPTION; - - // windows-internals-book:"Chapter 5" - typedef enum _PS_CREATE_STATE - { - PsCreateInitialState, - PsCreateFailOnFileOpen, - PsCreateFailOnSectionCreate, - PsCreateFailExeFormat, - PsCreateFailMachineMismatch, - PsCreateFailExeName, // Debugger specified - PsCreateSuccess, - PsCreateMaximumStates - } PS_CREATE_STATE; - - typedef struct _PS_CREATE_INFO - { - SIZE_T Size; - PS_CREATE_STATE State; - union - { - // PsCreateInitialState - struct - { - union - { - ULONG InitFlags; - struct - { - UCHAR WriteOutputOnExit : 1; - UCHAR DetectManifest : 1; - UCHAR IFEOSkipDebugger : 1; - UCHAR IFEODoNotPropagateKeyState : 1; - UCHAR SpareBits1 : 4; - UCHAR SpareBits2 : 8; - USHORT ProhibitedImageCharacteristics : 16; - }; - }; - ACCESS_MASK AdditionalFileAccess; - } InitState; - - // PsCreateFailOnSectionCreate - struct - { - HANDLE FileHandle; - } FailSection; - - // PsCreateFailExeFormat - struct - { - USHORT DllCharacteristics; - } ExeFormat; - - // PsCreateFailExeName - struct - { - HANDLE IFEOKey; - } ExeName; - - // PsCreateSuccess - struct - { - union - { - ULONG OutputFlags; - struct - { - UCHAR ProtectedProcess : 1; - UCHAR AddressSpaceOverride : 1; - UCHAR DevOverrideEnabled : 1; // from Image File Execution Options - UCHAR ManifestDetected : 1; - UCHAR 
ProtectedProcessLight : 1; - UCHAR SpareBits1 : 3; - UCHAR SpareBits2 : 8; - USHORT SpareBits3 : 16; - }; - }; - HANDLE FileHandle; - HANDLE SectionHandle; - ULONGLONG UserProcessParametersNative; - ULONG UserProcessParametersWow64; - ULONG CurrentParameterFlags; - ULONGLONG PebAddressNative; - ULONG PebAddressWow64; - ULONGLONG ManifestAddress; - ULONG ManifestSize; - } SuccessState; - }; - } PS_CREATE_INFO, *PPS_CREATE_INFO; - - // end_private - -#if (PHNT_VERSION >= PHNT_VISTA) - /** - * Creates a new process and primary thread. - * - * @param ProcessHandle A pointer to a handle that receives the process object handle. - * @param ThreadHandle A pointer to a handle that receives the thread object handle. - * @param ProcessDesiredAccess The access rights desired for the process object. - * @param ThreadDesiredAccess The access rights desired for the thread object. - * @param ProcessObjectAttributes Optional. A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the new process. - * @param ThreadObjectAttributes Optional. A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the new thread. - * @param ProcessFlags Flags that control the creation of the process. These flags are defined as PROCESS_CREATE_FLAGS_*. - * @param ThreadFlags Flags that control the creation of the thread. These flags are defined as THREAD_CREATE_FLAGS_*. - * @param ProcessParameters Optional. A pointer to a RTL_USER_PROCESS_PARAMETERS structure that specifies the parameters for the new process. - * @param CreateInfo A pointer to a PS_CREATE_INFO structure that specifies additional information for the process creation. - * @param AttributeList Optional. A pointer to a list of attributes for the process and thread. - * @return NTSTATUS Successful or errant status. 
- */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateUserProcess( - _Out_ PHANDLE ProcessHandle, - _Out_ PHANDLE ThreadHandle, - _In_ ACCESS_MASK ProcessDesiredAccess, - _In_ ACCESS_MASK ThreadDesiredAccess, - _In_opt_ PCOBJECT_ATTRIBUTES ProcessObjectAttributes, - _In_opt_ PCOBJECT_ATTRIBUTES ThreadObjectAttributes, - _In_ ULONG ProcessFlags, // PROCESS_CREATE_FLAGS_* - _In_ ULONG ThreadFlags, // THREAD_CREATE_FLAGS_* - _In_opt_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters, - _Inout_ PPS_CREATE_INFO CreateInfo, - _In_opt_ PPS_ATTRIBUTE_LIST AttributeList); - -// begin_rev -#define THREAD_CREATE_FLAGS_NONE 0x00000000 -#define THREAD_CREATE_FLAGS_CREATE_SUSPENDED 0x00000001 // NtCreateUserProcess & NtCreateThreadEx -#define THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH 0x00000002 // NtCreateThreadEx only -#define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004 // NtCreateThreadEx only -#define THREAD_CREATE_FLAGS_LOADER_WORKER 0x00000010 // NtCreateThreadEx only // since THRESHOLD -#define THREAD_CREATE_FLAGS_SKIP_LOADER_INIT 0x00000020 // NtCreateThreadEx only // since REDSTONE2 -#define THREAD_CREATE_FLAGS_BYPASS_PROCESS_FREEZE 0x00000040 // NtCreateThreadEx only // since 19H1 - // end_rev - - /** - * A pointer to a user-defined function that serves as the starting routine for a new thread. - * - * @param ThreadParameter A pointer to a variable to be passed to the thread. - * @return NTSTATUS Successful or errant status. - */ - typedef NTSTATUS(NTAPI *PUSER_THREAD_START_ROUTINE)( - _In_ PVOID ThreadParameter); - - /** - * Creates a new thread in the specified process. - * - * @param ThreadHandle A pointer to a handle that receives the thread object handle. - * @param DesiredAccess The access rights desired for the thread object. - * @param ObjectAttributes Optional. A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the new thread. - * @param ProcessHandle A handle to the process in which the thread is to be created. 
- * @param StartRoutine A pointer to the application-defined function to be executed by the thread. - * @param Argument Optional. A pointer to a variable to be passed to the thread. - * @param CreateFlags Flags that control the creation of the thread. These flags are defined as THREAD_CREATE_FLAGS_*. - * @param ZeroBits The number of zero bits in the starting address of the thread's stack. - * @param StackSize The initial size of the thread's stack, in bytes. - * @param MaximumStackSize The maximum size of the thread's stack, in bytes. - * @param AttributeList Optional. A pointer to a list of attributes for the thread. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateThreadEx( - _Out_ PHANDLE ThreadHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, - _In_ HANDLE ProcessHandle, - _In_ PUSER_THREAD_START_ROUTINE StartRoutine, - _In_opt_ PVOID Argument, - _In_ ULONG CreateFlags, // THREAD_CREATE_FLAGS_* - _In_ SIZE_T ZeroBits, - _In_ SIZE_T StackSize, - _In_ SIZE_T MaximumStackSize, - _In_opt_ PPS_ATTRIBUTE_LIST AttributeList); -#endif - -#endif - - // - // Job objects - // - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - -// JOBOBJECTINFOCLASS -// Note: We don't use an enum since it conflicts with the Windows SDK. 
-#define JobObjectBasicAccountingInformation 1 // q: JOBOBJECT_BASIC_ACCOUNTING_INFORMATION -#define JobObjectBasicLimitInformation 2 // q; s: JOBOBJECT_BASIC_LIMIT_INFORMATION -#define JobObjectBasicProcessIdList 3 // q: JOBOBJECT_BASIC_PROCESS_ID_LIST -#define JobObjectBasicUIRestrictions 4 // q; s: JOBOBJECT_BASIC_UI_RESTRICTIONS -#define JobObjectSecurityLimitInformation 5 // JOBOBJECT_SECURITY_LIMIT_INFORMATION -#define JobObjectEndOfJobTimeInformation 6 // q; s: JOBOBJECT_END_OF_JOB_TIME_INFORMATION -#define JobObjectAssociateCompletionPortInformation 7 // s: JOBOBJECT_ASSOCIATE_COMPLETION_PORT -#define JobObjectBasicAndIoAccountingInformation 8 // q: JOBOBJECT_BASIC_AND_IO_ACCOUNTING_INFORMATION -#define JobObjectExtendedLimitInformation 9 // q; s: JOBOBJECT_EXTENDED_LIMIT_INFORMATION[V2] -#define JobObjectJobSetInformation 10 // JOBOBJECT_JOBSET_INFORMATION -#define JobObjectGroupInformation 11 // USHORT -#define JobObjectNotificationLimitInformation 12 // JOBOBJECT_NOTIFICATION_LIMIT_INFORMATION -#define JobObjectLimitViolationInformation 13 // JOBOBJECT_LIMIT_VIOLATION_INFORMATION -#define JobObjectGroupInformationEx 14 // GROUP_AFFINITY (ARRAY) -#define JobObjectCpuRateControlInformation 15 // JOBOBJECT_CPU_RATE_CONTROL_INFORMATION -#define JobObjectCompletionFilter 16 -#define JobObjectCompletionCounter 17 -#define JobObjectFreezeInformation 18 // JOBOBJECT_FREEZE_INFORMATION -#define JobObjectExtendedAccountingInformation 19 // JOBOBJECT_EXTENDED_ACCOUNTING_INFORMATION -#define JobObjectWakeInformation 20 // JOBOBJECT_WAKE_INFORMATION -#define JobObjectBackgroundInformation 21 -#define JobObjectSchedulingRankBiasInformation 22 -#define JobObjectTimerVirtualizationInformation 23 -#define JobObjectCycleTimeNotification 24 -#define JobObjectClearEvent 25 -#define JobObjectInterferenceInformation 26 // JOBOBJECT_INTERFERENCE_INFORMATION -#define JobObjectClearPeakJobMemoryUsed 27 -#define JobObjectMemoryUsageInformation 28 // 
JOBOBJECT_MEMORY_USAGE_INFORMATION // JOBOBJECT_MEMORY_USAGE_INFORMATION_V2 -#define JobObjectSharedCommit 29 -#define JobObjectContainerId 30 // JOBOBJECT_CONTAINER_IDENTIFIER_V2 -#define JobObjectIoRateControlInformation 31 // JOBOBJECT_IO_RATE_CONTROL_INFORMATION_NATIVE, JOBOBJECT_IO_RATE_CONTROL_INFORMATION_NATIVE_V2, JOBOBJECT_IO_RATE_CONTROL_INFORMATION_NATIVE_V3 -#define JobObjectNetRateControlInformation 32 // JOBOBJECT_NET_RATE_CONTROL_INFORMATION -#define JobObjectNotificationLimitInformation2 33 // JOBOBJECT_NOTIFICATION_LIMIT_INFORMATION_2 -#define JobObjectLimitViolationInformation2 34 // JOBOBJECT_LIMIT_VIOLATION_INFORMATION_2 -#define JobObjectCreateSilo 35 -#define JobObjectSiloBasicInformation 36 // SILOOBJECT_BASIC_INFORMATION -#define JobObjectSiloRootDirectory 37 // SILOOBJECT_ROOT_DIRECTORY -#define JobObjectServerSiloBasicInformation 38 // SERVERSILO_BASIC_INFORMATION -#define JobObjectServerSiloUserSharedData 39 // SILO_USER_SHARED_DATA // NtQueryInformationJobObject(NULL, 39, Buffer, sizeof(SILO_USER_SHARED_DATA), 0); -#define JobObjectServerSiloInitialize 40 // SERVERSILO_INIT_INFORMATION -#define JobObjectServerSiloRunningState 41 -#define JobObjectIoAttribution 42 // JOBOBJECT_IO_ATTRIBUTION_INFORMATION -#define JobObjectMemoryPartitionInformation 43 -#define JobObjectContainerTelemetryId 44 // GUID // NtSetInformationJobObject(_In_ PGUID, 44, _In_ PGUID, sizeof(GUID)); // daxexec -#define JobObjectSiloSystemRoot 45 -#define JobObjectEnergyTrackingState 46 // JOBOBJECT_ENERGY_TRACKING_STATE -#define JobObjectThreadImpersonationInformation 47 -#define JobObjectIoPriorityLimit 48 // JOBOBJECT_IO_PRIORITY_LIMIT -#define JobObjectPagePriorityLimit 49 // JOBOBJECT_PAGE_PRIORITY_LIMIT -#define JobObjectServerSiloDiagnosticInformation 50 // SERVERSILO_DIAGNOSTIC_INFORMATION // since 24H2 -#define JobObjectNetworkAccountingInformation 51 // JOBOBJECT_NETWORK_ACCOUNTING_INFORMATION -#define MaxJobObjectInfoClass 52 - -// rev // extended limit v2 
-#define JOB_OBJECT_LIMIT_SILO_READY 0x00400000 - - // private - typedef struct _JOBOBJECT_EXTENDED_LIMIT_INFORMATION_V2 - { - JOBOBJECT_BASIC_LIMIT_INFORMATION BasicLimitInformation; - IO_COUNTERS IoInfo; - SIZE_T ProcessMemoryLimit; - SIZE_T JobMemoryLimit; - SIZE_T PeakProcessMemoryUsed; - SIZE_T PeakJobMemoryUsed; - SIZE_T JobTotalMemoryLimit; - } JOBOBJECT_EXTENDED_LIMIT_INFORMATION_V2, *PJOBOBJECT_EXTENDED_LIMIT_INFORMATION_V2; - - // private - typedef struct _JOBOBJECT_EXTENDED_ACCOUNTING_INFORMATION - { - JOBOBJECT_BASIC_ACCOUNTING_INFORMATION BasicInfo; - IO_COUNTERS IoInfo; - PROCESS_DISK_COUNTERS DiskIoInfo; - ULONG64 ContextSwitches; - LARGE_INTEGER TotalCycleTime; - ULONG64 ReadyTime; - PROCESS_ENERGY_VALUES EnergyValues; - } JOBOBJECT_EXTENDED_ACCOUNTING_INFORMATION, *PJOBOBJECT_EXTENDED_ACCOUNTING_INFORMATION; - - // private - typedef struct _JOBOBJECT_WAKE_INFORMATION - { - HANDLE NotificationChannel; - ULONG64 WakeCounters[7]; - } JOBOBJECT_WAKE_INFORMATION, *PJOBOBJECT_WAKE_INFORMATION; - - // private - typedef struct _JOBOBJECT_WAKE_INFORMATION_V1 - { - HANDLE NotificationChannel; - ULONG64 WakeCounters[4]; - } JOBOBJECT_WAKE_INFORMATION_V1, *PJOBOBJECT_WAKE_INFORMATION_V1; - - // private - typedef struct _JOBOBJECT_INTERFERENCE_INFORMATION - { - ULONG64 Count; - } JOBOBJECT_INTERFERENCE_INFORMATION, *PJOBOBJECT_INTERFERENCE_INFORMATION; - - // private - typedef struct _JOBOBJECT_WAKE_FILTER - { - ULONG HighEdgeFilter; - ULONG LowEdgeFilter; - } JOBOBJECT_WAKE_FILTER, *PJOBOBJECT_WAKE_FILTER; - - // private - typedef struct _JOBOBJECT_FREEZE_INFORMATION - { - union - { - ULONG Flags; - struct - { - ULONG FreezeOperation : 1; - ULONG FilterOperation : 1; - ULONG SwapOperation : 1; - ULONG Reserved : 29; - }; - }; - BOOLEAN Freeze; - BOOLEAN Swap; - UCHAR Reserved0[2]; - JOBOBJECT_WAKE_FILTER WakeFilter; - } JOBOBJECT_FREEZE_INFORMATION, *PJOBOBJECT_FREEZE_INFORMATION; - - // private - typedef struct _JOBOBJECT_CONTAINER_IDENTIFIER_V2 - { - GUID 
ContainerId; - GUID ContainerTelemetryId; - ULONG JobId; - } JOBOBJECT_CONTAINER_IDENTIFIER_V2, *PJOBOBJECT_CONTAINER_IDENTIFIER_V2; - - // private - typedef struct _JOBOBJECT_MEMORY_USAGE_INFORMATION - { - ULONG64 JobMemory; - ULONG64 PeakJobMemoryUsed; - } JOBOBJECT_MEMORY_USAGE_INFORMATION, *PJOBOBJECT_MEMORY_USAGE_INFORMATION; - - // private - typedef struct _JOBOBJECT_MEMORY_USAGE_INFORMATION_V2 - { - JOBOBJECT_MEMORY_USAGE_INFORMATION BasicInfo; - ULONG64 JobSharedMemory; - ULONG64 Reserved[2]; - } JOBOBJECT_MEMORY_USAGE_INFORMATION_V2, *PJOBOBJECT_MEMORY_USAGE_INFORMATION_V2; - - // private - typedef struct _SILO_USER_SHARED_DATA - { - ULONG ServiceSessionId; - ULONG ActiveConsoleId; - LONGLONG ConsoleSessionForegroundProcessId; - NT_PRODUCT_TYPE NtProductType; - ULONG SuiteMask; - ULONG SharedUserSessionId; // since RS2 - BOOLEAN IsMultiSessionSku; - BOOLEAN IsStateSeparationEnabled; - WCHAR NtSystemRoot[260]; - USHORT UserModeGlobalLogger[16]; - ULONG TimeZoneId; // since 21H2 - LONG TimeZoneBiasStamp; - KSYSTEM_TIME TimeZoneBias; - LARGE_INTEGER TimeZoneBiasEffectiveStart; - LARGE_INTEGER TimeZoneBiasEffectiveEnd; - } SILO_USER_SHARED_DATA, *PSILO_USER_SHARED_DATA; - -// rev -#define SILO_OBJECT_ROOT_DIRECTORY_SHADOW_ROOT 0x00000001 -#define SILO_OBJECT_ROOT_DIRECTORY_INITIALIZE 0x00000002 -#define SILO_OBJECT_ROOT_DIRECTORY_SHADOW_DOS_DEVICES 0x00000004 - - // private - typedef struct _SILOOBJECT_ROOT_DIRECTORY - { - union - { - ULONG ControlFlags; // SILO_OBJECT_ROOT_DIRECTORY_* - UNICODE_STRING Path; - }; - } SILOOBJECT_ROOT_DIRECTORY, *PSILOOBJECT_ROOT_DIRECTORY; - - // private - typedef struct _SERVERSILO_INIT_INFORMATION - { - HANDLE DeleteEvent; - BOOLEAN IsDownlevelContainer; - } SERVERSILO_INIT_INFORMATION, *PSERVERSILO_INIT_INFORMATION; - - // private - typedef struct _JOBOBJECT_ENERGY_TRACKING_STATE - { - ULONG64 Value; - ULONG UpdateMask; - ULONG DesiredState; - } JOBOBJECT_ENERGY_TRACKING_STATE, *PJOBOBJECT_ENERGY_TRACKING_STATE; - - // 
private - typedef enum _JOBOBJECT_IO_PRIORITY_LIMIT_FLAGS - { - JOBOBJECT_IO_PRIORITY_LIMIT_ENABLE = 0x1, - JOBOBJECT_IO_PRIORITY_LIMIT_VALID_FLAGS = 0x1, - } JOBOBJECT_IO_PRIORITY_LIMIT_FLAGS; - - // private - typedef struct _JOBOBJECT_IO_PRIORITY_LIMIT - { - JOBOBJECT_IO_PRIORITY_LIMIT_FLAGS Flags; - ULONG Priority; - } JOBOBJECT_IO_PRIORITY_LIMIT, *PJOBOBJECT_IO_PRIORITY_LIMIT; - - // private - typedef enum _JOBOBJECT_PAGE_PRIORITY_LIMIT_FLAGS - { - JOBOBJECT_PAGE_PRIORITY_LIMIT_ENABLE = 0x1, - JOBOBJECT_PAGE_PRIORITY_LIMIT_VALID_FLAGS = 0x1, - } JOBOBJECT_PAGE_PRIORITY_LIMIT_FLAGS; - - // private - typedef struct _JOBOBJECT_PAGE_PRIORITY_LIMIT - { - JOBOBJECT_PAGE_PRIORITY_LIMIT_FLAGS Flags; - ULONG Priority; - } JOBOBJECT_PAGE_PRIORITY_LIMIT, *PJOBOBJECT_PAGE_PRIORITY_LIMIT; - -#if !defined(NTDDI_WIN11_GE) || (NTDDI_VERSION < NTDDI_WIN11_GE) - // private - typedef struct _SERVERSILO_DIAGNOSTIC_INFORMATION - { - NTSTATUS ExitStatus; - WCHAR CriticalProcessName[15]; - } SERVERSILO_DIAGNOSTIC_INFORMATION, *PSERVERSILO_DIAGNOSTIC_INFORMATION; - - // private - typedef struct _JOBOBJECT_NETWORK_ACCOUNTING_INFORMATION - { - ULONG64 DataBytesIn; - ULONG64 DataBytesOut; - } JOBOBJECT_NETWORK_ACCOUNTING_INFORMATION, *PJOBOBJECT_NETWORK_ACCOUNTING_INFORMATION; -#endif - - /** - * Creates or opens a job object. - * - * @param JobHandle A handle to the job object. - * @param DesiredAccess The access rights desired for the thread object. - * @param ObjectAttributes Optional. A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the new thread. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateJobObject( - _Out_ PHANDLE JobHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes); - - /** - * Opens an existing job object. - * - * @param JobHandle A handle to the job object. - * @param DesiredAccess The access rights desired for the thread object. 
- * @param ObjectAttributes Optional. A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the new thread. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtOpenJobObject( - _Out_ PHANDLE JobHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ PCOBJECT_ATTRIBUTES ObjectAttributes); - - /** - * Assigns a process to an existing job object. - * - * @param JobHandle A handle to the job object to which the process will be associated. The handle must have the JOB_OBJECT_ASSIGN_PROCESS access right. - * @param ProcessHandle A handle to the process to associate with the job object. The handle must have the PROCESS_SET_QUOTA and PROCESS_TERMINATE access rights. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAssignProcessToJobObject( - _In_ HANDLE JobHandle, - _In_ HANDLE ProcessHandle); - - /** - * Terminates all processes associated with the job object. If the job is nested, all processes currently associated with the job and all child jobs in the hierarchy are terminated. - * - * @param JobHandle A handle to the job whose processes will be terminated. The handle must have the JOB_OBJECT_TERMINATE access right. - * @param ExitStatus The exit status to be used by all processes and threads in the job object. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtTerminateJobObject( - _In_ HANDLE JobHandle, - _In_ NTSTATUS ExitStatus); - - /** - * Checks if a process is associated with a job object. - * - * @param ProcessHandle A handle to the process to be checked. - * @param JobHandle An optional handle to the job object. If this parameter is NULL, the function checks if the process is associated with any job object. - * @return NTSTATUS Successful or errant status. - * @remarks This function can be used to determine if a process is running within a job object, which can be useful for managing process resources and constraints. 
- */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtIsProcessInJob( - _In_ HANDLE ProcessHandle, - _In_opt_ HANDLE JobHandle); - - /** - * Retrieves information about a job object. - * - * @param JobHandle An optional handle to the job object. If this parameter is NULL, the function retrieves information about the job object associated with the calling process. - * @param JobObjectInformationClass The type of job object information to be retrieved. - * @param JobObjectInformation A pointer to a buffer that receives the job object information. - * @param JobObjectInformationLength The size of the buffer pointed to by the JobObjectInformation parameter. - * @param ReturnLength An optional pointer to a variable that receives the size of the data returned. - * @return NTSTATUS Successful or errant status. - * @remarks This function can be used to query various types of information about a job object, such as accounting information, limit information, and process ID list. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryInformationJobObject( - _In_opt_ HANDLE JobHandle, - _In_ JOBOBJECTINFOCLASS JobObjectInformationClass, - _Out_writes_bytes_(JobObjectInformationLength) PVOID JobObjectInformation, - _In_ ULONG JobObjectInformationLength, - _Out_opt_ PULONG ReturnLength); - - /** - * Sets information for a job object. - * - * @param JobHandle A handle to the job object. - * @param JobObjectInformationClass The type of job object information to be set. - * @param JobObjectInformation A pointer to a buffer that contains the job object information. - * @param JobObjectInformationLength The size of the buffer pointed to by the JobObjectInformation parameter. - * @return NTSTATUS Successful or errant status. - * @remarks This function can be used to set various types of information for a job object, such as limit information, UI restrictions, and security limit information. 
- */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetInformationJobObject( - _In_ HANDLE JobHandle, - _In_ JOBOBJECTINFOCLASS JobObjectInformationClass, - _In_reads_bytes_(JobObjectInformationLength) PVOID JobObjectInformation, - _In_ ULONG JobObjectInformationLength); - - /** - * Creates a set of job objects. - * - * @param NumJob The number of job objects in the set. - * @param UserJobSet A pointer to an array of JOB_SET_ARRAY structures that specify the job objects in the set. - * @param Flags Reserved for future use. Must be zero. - * @return NTSTATUS Successful or errant status. - * @remarks This function can be used to create a set of job objects, which can be useful for managing groups of related processes. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateJobSet( - _In_ ULONG NumJob, - _In_reads_(NumJob) PJOB_SET_ARRAY UserJobSet, - _In_ ULONG Flags); - -#if (PHNT_VERSION >= PHNT_THRESHOLD) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtRevertContainerImpersonation( - VOID); -#endif - -#endif - - // - // Reserve objects - // - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - - // private - typedef enum _MEMORY_RESERVE_TYPE - { - MemoryReserveUserApc, - MemoryReserveIoCompletion, - MemoryReserveTypeMax - } MEMORY_RESERVE_TYPE; - -#if (PHNT_VERSION >= PHNT_WIN7) - /** - * Allocates a memory reserve object. - * - * @param MemoryReserveHandle Pointer to a variable that receives the memory reserve object handle. - * @param ObjectAttributes Pointer to an object attributes structure. - * @param Type The type of memory reserve. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAllocateReserveObject( - _Out_ PHANDLE MemoryReserveHandle, - _In_ PCOBJECT_ATTRIBUTES ObjectAttributes, - _In_ MEMORY_RESERVE_TYPE Type); -#endif - - // - // Process snapshotting - // - - // Capture/creation flags. 
- typedef enum _PSSNT_CAPTURE_FLAGS - { - PSSNT_CAPTURE_NONE = 0x00000000, - PSSNT_CAPTURE_VA_CLONE = 0x00000001, - PSSNT_CAPTURE_RESERVED_00000002 = 0x00000002, - PSSNT_CAPTURE_HANDLES = 0x00000004, - PSSNT_CAPTURE_HANDLE_NAME_INFORMATION = 0x00000008, - PSSNT_CAPTURE_HANDLE_BASIC_INFORMATION = 0x00000010, - PSSNT_CAPTURE_HANDLE_TYPE_SPECIFIC_INFORMATION = 0x00000020, - PSSNT_CAPTURE_HANDLE_TRACE = 0x00000040, - PSSNT_CAPTURE_THREADS = 0x00000080, - PSSNT_CAPTURE_THREAD_CONTEXT = 0x00000100, - PSSNT_CAPTURE_THREAD_CONTEXT_EXTENDED = 0x00000200, - PSSNT_CAPTURE_RESERVED_00000400 = 0x00000400, - PSSNT_CAPTURE_VA_SPACE = 0x00000800, - PSSNT_CAPTURE_VA_SPACE_SECTION_INFORMATION = 0x00001000, - PSSNT_CAPTURE_IPT_TRACE = 0x00002000, - PSSNT_CAPTURE_RESERVED_00004000 = 0x00004000, - - PSSNT_CREATE_BREAKAWAY_OPTIONAL = 0x04000000, - PSSNT_CREATE_BREAKAWAY = 0x08000000, - PSSNT_CREATE_FORCE_BREAKAWAY = 0x10000000, - PSSNT_CREATE_USE_VM_ALLOCATIONS = 0x20000000, - PSSNT_CREATE_MEASURE_PERFORMANCE = 0x40000000, - PSSNT_CREATE_RELEASE_SECTION = 0x80000000 - } PSSNT_CAPTURE_FLAGS; - DEFINE_ENUM_FLAG_OPERATORS(PSSNT_CAPTURE_FLAGS); - - typedef enum _PSSNT_DUPLICATE_FLAGS - { - PSSNT_DUPLICATE_NONE = 0x00, - PSSNT_DUPLICATE_CLOSE_SOURCE = 0x01 - } PSSNT_DUPLICATE_FLAGS; - DEFINE_ENUM_FLAG_OPERATORS(PSSNT_DUPLICATE_FLAGS); - - typedef enum _PSSNT_QUERY_INFORMATION_CLASS - { - PSSNT_QUERY_PROCESS_INFORMATION = 0, // PSS_PROCESS_INFORMATION - PSSNT_QUERY_VA_CLONE_INFORMATION = 1, // PSS_VA_CLONE_INFORMATION - PSSNT_QUERY_AUXILIARY_PAGES_INFORMATION = 2, // PSS_AUXILIARY_PAGES_INFORMATION - PSSNT_QUERY_VA_SPACE_INFORMATION = 3, // PSS_VA_SPACE_INFORMATION - PSSNT_QUERY_HANDLE_INFORMATION = 4, // PSS_HANDLE_INFORMATION - PSSNT_QUERY_THREAD_INFORMATION = 5, // PSS_THREAD_INFORMATION - PSSNT_QUERY_HANDLE_TRACE_INFORMATION = 6, // PSS_HANDLE_TRACE_INFORMATION - PSSNT_QUERY_PERFORMANCE_COUNTERS = 7 // PSS_PERFORMANCE_COUNTERS - } PSSNT_QUERY_INFORMATION_CLASS; - -#define 
PSSNT_SIGNATURE_PSSD 'PSSD' // 0x50535344 - -#if (PHNT_VERSION >= PHNT_WINBLUE) - // rev - /** - * Captures a snapshot of the specified process. - * - * @param SnapshotHandle Pointer to a variable that receives the snapshot handle. - * @param ProcessHandle Handle to the process. - * @param CaptureFlags Flags indicating what to capture. - * @param ThreadContextFlags Optional flags for capturing thread context. - * @return NTSTATUS Successful or errant status. - */ - NTSYSAPI - NTSTATUS - NTAPI - PssNtCaptureSnapshot( - _Out_ PHANDLE SnapshotHandle, - _In_ HANDLE ProcessHandle, - _In_ PSSNT_CAPTURE_FLAGS CaptureFlags, - _In_opt_ ULONG ThreadContextFlags); - - // rev - /** - * Duplicates a process snapshot from one process to another. - * - * @param SourceProcessHandle Handle to the source process. - * @param SnapshotHandle Handle to the snapshot to duplicate. - * @param TargetProcessHandle Handle to the target process. - * @param TargetSnapshotHandle Pointer to a variable that receives the duplicated snapshot handle. - * @param Flags Optional flags for duplication. - * @return NTSTATUS Successful or errant status. - */ - NTSYSAPI - NTSTATUS - NTAPI - PssNtDuplicateSnapshot( - _In_ HANDLE SourceProcessHandle, - _In_ HANDLE SnapshotHandle, - _In_ HANDLE TargetProcessHandle, - _Out_ PHANDLE TargetSnapshotHandle, - _In_opt_ PSSNT_DUPLICATE_FLAGS Flags); - - // rev - /** - * Frees a remote process snapshot. - * - * @param ProcessHandle A handle to the process that contains the snapshot. The handle must have PROCESS_VM_READ, PROCESS_VM_OPERATION, and PROCESS_DUP_HANDLE rights. - * @param SnapshotHandle Handle to the snapshot to free. - * @return NTSTATUS Successful or errant status. - */ - NTSYSAPI - NTSTATUS - NTAPI - PssNtFreeSnapshot( - _In_ HANDLE SnapshotHandle); - - // rev - /** - * Frees a snapshot. - * - * @param SnapshotHandle Handle to the snapshot to free. - * @return NTSTATUS Successful or errant status. 
- */ - NTSYSAPI - NTSTATUS - NTAPI - PssNtFreeRemoteSnapshot( - _In_ HANDLE ProcessHandle, - _In_ HANDLE SnapshotHandle); - - // rev - /** - * Queries information from a the specified snapshot. - * - * @param SnapshotHandle Handle to the snapshot. - * @param InformationClass The information class to query. - * @param Buffer Pointer to a buffer that receives the queried information. - * @param BufferLength Length of the buffer. - * @return NTSTATUS Successful or errant status. - */ - NTSYSAPI - NTSTATUS - NTAPI - PssNtQuerySnapshot( - _In_ HANDLE SnapshotHandle, - _In_ PSSNT_QUERY_INFORMATION_CLASS InformationClass, - _Out_writes_bytes_(BufferLength) PVOID Buffer, - _In_ ULONG BufferLength); -#endif - -// rev -/** - * Flag indicating the type of bulk information to query. - */ -#define MEMORY_BULK_INFORMATION_FLAG_BASIC 0x00000001 - - // rev - /** - * The NTPSS_MEMORY_BULK_INFORMATION structure is used to query basic memory information in bulk for a process. - */ - typedef struct _NTPSS_MEMORY_BULK_INFORMATION - { - ULONG QueryFlags; - ULONG NumberOfEntries; - PVOID NextValidAddress; - } NTPSS_MEMORY_BULK_INFORMATION, *PNTPSS_MEMORY_BULK_INFORMATION; - -#if (PHNT_VERSION >= PHNT_20H1) - // rev - /** - * Captures virtual address space bulk information for a process. - * - * @param ProcessHandle Handle to the process. - * @param BaseAddress Optional base address to start the capture. - * @param BulkInformation Pointer to the memory bulk information structure. - * @param BulkInformationLength Length of the memory bulk information structure. - * @param ReturnLength Optional pointer to a variable that receives the length of the captured information. - * @return NTSTATUS Successful or errant status. 
- */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtPssCaptureVaSpaceBulk( - _In_ HANDLE ProcessHandle, - _In_opt_ PVOID BaseAddress, - _In_ PNTPSS_MEMORY_BULK_INFORMATION BulkInformation, - _In_ SIZE_T BulkInformationLength, - _Out_opt_ PSIZE_T ReturnLength); -#endif - -#endif - -#endif - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - /* - * Debugger support functions - * - * This file is part of System Informer. - */ - -#ifndef _NTDBG_H -#define _NTDBG_H - - // Debugging - - NTSYSAPI - VOID - NTAPI - DbgUserBreakPoint( - VOID); - - NTSYSAPI - VOID - NTAPI - DbgBreakPoint( - VOID); - - NTSYSAPI - VOID - NTAPI - DbgBreakPointWithStatus( - _In_ ULONG Status); - -#define DBG_STATUS_CONTROL_C 1 -#define DBG_STATUS_SYSRQ 2 -#define DBG_STATUS_BUGCHECK_FIRST 3 -#define DBG_STATUS_BUGCHECK_SECOND 4 -#define DBG_STATUS_FATAL 5 -#define DBG_STATUS_DEBUG_CONTROL 6 -#define DBG_STATUS_WORKER 7 - - NTSYSAPI - ULONG - STDAPIVCALLTYPE - DbgPrint( - _In_z_ _Printf_format_string_ PCCH Format, - ...); - - NTSYSAPI - ULONG - STDAPIVCALLTYPE - DbgPrintEx( - _In_ ULONG ComponentId, - _In_ ULONG Level, - _In_z_ _Printf_format_string_ PCCH Format, - ...); - - NTSYSAPI - ULONG - NTAPI - vDbgPrintEx( - _In_ ULONG ComponentId, - _In_ ULONG Level, - _In_z_ PCCH Format, - _In_ va_list arglist); - - NTSYSAPI - ULONG - NTAPI - vDbgPrintExWithPrefix( - _In_z_ PCCH Prefix, - _In_ ULONG ComponentId, - _In_ ULONG Level, - _In_z_ PCCH Format, - _In_ va_list arglist); - - NTSYSAPI - ULONG - STDAPIVCALLTYPE - DbgPrintReturnControlC( - _In_z_ _Printf_format_string_ PCCH Format, - ...); - - NTSYSAPI - NTSTATUS - NTAPI - DbgQueryDebugFilterState( - _In_ ULONG ComponentId, - _In_ ULONG Level); - - NTSYSAPI - NTSTATUS - NTAPI - DbgSetDebugFilterState( - _In_ ULONG ComponentId, - _In_ ULONG Level, - _In_ BOOLEAN State); - - NTSYSAPI - ULONG - NTAPI - DbgPrompt( - _In_ PCCH Prompt, - _Out_writes_bytes_(Length) PCH Response, - _In_ ULONG Length); - - // Definitions - - typedef struct _DBGKM_EXCEPTION - { - EXCEPTION_RECORD 
ExceptionRecord; - ULONG FirstChance; - } DBGKM_EXCEPTION, *PDBGKM_EXCEPTION; - - typedef struct _DBGKM_CREATE_THREAD - { - ULONG SubSystemKey; - PVOID StartAddress; - } DBGKM_CREATE_THREAD, *PDBGKM_CREATE_THREAD; - - typedef struct _DBGKM_CREATE_PROCESS - { - ULONG SubSystemKey; - HANDLE FileHandle; - PVOID BaseOfImage; - ULONG DebugInfoFileOffset; - ULONG DebugInfoSize; - DBGKM_CREATE_THREAD InitialThread; - } DBGKM_CREATE_PROCESS, *PDBGKM_CREATE_PROCESS; - - typedef struct _DBGKM_EXIT_THREAD - { - NTSTATUS ExitStatus; - } DBGKM_EXIT_THREAD, *PDBGKM_EXIT_THREAD; - - typedef struct _DBGKM_EXIT_PROCESS - { - NTSTATUS ExitStatus; - } DBGKM_EXIT_PROCESS, *PDBGKM_EXIT_PROCESS; - - typedef struct _DBGKM_LOAD_DLL - { - HANDLE FileHandle; - PVOID BaseOfDll; - ULONG DebugInfoFileOffset; - ULONG DebugInfoSize; - PVOID NamePointer; - } DBGKM_LOAD_DLL, *PDBGKM_LOAD_DLL; - - typedef struct _DBGKM_UNLOAD_DLL - { - PVOID BaseAddress; - } DBGKM_UNLOAD_DLL, *PDBGKM_UNLOAD_DLL; - - typedef enum _DBG_STATE - { - DbgIdle, - DbgReplyPending, - DbgCreateThreadStateChange, - DbgCreateProcessStateChange, - DbgExitThreadStateChange, - DbgExitProcessStateChange, - DbgExceptionStateChange, - DbgBreakpointStateChange, - DbgSingleStepStateChange, - DbgLoadDllStateChange, - DbgUnloadDllStateChange - } DBG_STATE, - *PDBG_STATE; - - typedef struct _DBGUI_CREATE_THREAD - { - HANDLE HandleToThread; - DBGKM_CREATE_THREAD NewThread; - } DBGUI_CREATE_THREAD, *PDBGUI_CREATE_THREAD; - - typedef struct _DBGUI_CREATE_PROCESS - { - HANDLE HandleToProcess; - HANDLE HandleToThread; - DBGKM_CREATE_PROCESS NewProcess; - } DBGUI_CREATE_PROCESS, *PDBGUI_CREATE_PROCESS; - - typedef struct _DBGUI_WAIT_STATE_CHANGE - { - DBG_STATE NewState; - CLIENT_ID AppClientId; - union - { - DBGKM_EXCEPTION Exception; - DBGUI_CREATE_THREAD CreateThread; - DBGUI_CREATE_PROCESS CreateProcessInfo; - DBGKM_EXIT_THREAD ExitThread; - DBGKM_EXIT_PROCESS ExitProcess; - DBGKM_LOAD_DLL LoadDll; - DBGKM_UNLOAD_DLL UnloadDll; - } 
StateInfo; - } DBGUI_WAIT_STATE_CHANGE, *PDBGUI_WAIT_STATE_CHANGE; - -#define DEBUG_READ_EVENT 0x0001 -#define DEBUG_PROCESS_ASSIGN 0x0002 -#define DEBUG_SET_INFORMATION 0x0004 -#define DEBUG_QUERY_INFORMATION 0x0008 -#define DEBUG_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \ - DEBUG_READ_EVENT | DEBUG_PROCESS_ASSIGN | DEBUG_SET_INFORMATION | \ - DEBUG_QUERY_INFORMATION) - -#define DEBUG_KILL_ON_CLOSE 0x1 - - typedef enum _DEBUGOBJECTINFOCLASS - { - DebugObjectUnusedInformation, - DebugObjectKillProcessOnExitInformation, // s: ULONG - MaxDebugObjectInfoClass - } DEBUGOBJECTINFOCLASS, - *PDEBUGOBJECTINFOCLASS; - - // System calls - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateDebugObject( - _Out_ PHANDLE DebugObjectHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ ULONG Flags); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtDebugActiveProcess( - _In_ HANDLE ProcessHandle, - _In_ HANDLE DebugObjectHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtDebugContinue( - _In_ HANDLE DebugObjectHandle, - _In_ PCLIENT_ID ClientId, - _In_ NTSTATUS ContinueStatus); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtRemoveProcessDebug( - _In_ HANDLE ProcessHandle, - _In_ HANDLE DebugObjectHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetInformationDebugObject( - _In_ HANDLE DebugObjectHandle, - _In_ DEBUGOBJECTINFOCLASS DebugObjectInformationClass, - _In_reads_bytes_(DebugInformationLength) PVOID DebugInformation, - _In_ ULONG DebugInformationLength, - _Out_opt_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtWaitForDebugEvent( - _In_ HANDLE DebugObjectHandle, - _In_ BOOLEAN Alertable, - _In_opt_ PLARGE_INTEGER Timeout, - _Out_ PDBGUI_WAIT_STATE_CHANGE WaitStateChange); - - // Debugging UI - - NTSYSAPI - NTSTATUS - NTAPI - DbgUiConnectToDbg( - VOID); - - NTSYSAPI - HANDLE - NTAPI - DbgUiGetThreadDebugObject( - VOID); - - NTSYSAPI - VOID - NTAPI - DbgUiSetThreadDebugObject( - _In_ HANDLE DebugObject); - - NTSYSAPI - NTSTATUS - 
NTAPI - DbgUiWaitStateChange( - _Out_ PDBGUI_WAIT_STATE_CHANGE StateChange, - _In_opt_ PLARGE_INTEGER Timeout); - - NTSYSAPI - NTSTATUS - NTAPI - DbgUiContinue( - _In_ PCLIENT_ID AppClientId, - _In_ NTSTATUS ContinueStatus); - - NTSYSAPI - NTSTATUS - NTAPI - DbgUiStopDebugging( - _In_ HANDLE Process); - - NTSYSAPI - NTSTATUS - NTAPI - DbgUiDebugActiveProcess( - _In_ HANDLE Process); - - NTSYSAPI - VOID - NTAPI - DbgUiRemoteBreakin( - _In_ PVOID Context); - - NTSYSAPI - NTSTATUS - NTAPI - DbgUiIssueRemoteBreakin( - _In_ HANDLE Process); - - NTSYSAPI - NTSTATUS - NTAPI - DbgUiConvertStateChangeStructure( - _In_ PDBGUI_WAIT_STATE_CHANGE StateChange, - _Out_ LPDEBUG_EVENT DebugEvent); - - NTSYSAPI - NTSTATUS - NTAPI - DbgUiConvertStateChangeStructureEx( - _In_ PDBGUI_WAIT_STATE_CHANGE StateChange, - _Out_ LPDEBUG_EVENT DebugEvent); - - typedef struct _EVENT_FILTER_DESCRIPTOR *PEVENT_FILTER_DESCRIPTOR; - - typedef VOID(NTAPI *PENABLECALLBACK)( - _In_ LPCGUID SourceId, - _In_ ULONG IsEnabled, - _In_ UCHAR Level, - _In_ ULONGLONG MatchAnyKeyword, - _In_ ULONGLONG MatchAllKeyword, - _In_opt_ PEVENT_FILTER_DESCRIPTOR FilterData, - _Inout_opt_ PVOID CallbackContext); - - typedef ULONGLONG REGHANDLE, *PREGHANDLE; - - NTSYSAPI - NTSTATUS - NTAPI - EtwEventRegister( - _In_ LPCGUID ProviderId, - _In_opt_ PENABLECALLBACK EnableCallback, - _In_opt_ PVOID CallbackContext, - _Out_ PREGHANDLE RegHandle); - -#endif - /* - * File management support - * - * This file is part of System Informer. 
- */ - -#ifndef _NTIOAPI_H -#define _NTIOAPI_H - - // Sharing mode - -#define FILE_SHARE_NONE 0x00000000 -#define FILE_SHARE_READ 0x00000001 -#define FILE_SHARE_WRITE 0x00000002 -#define FILE_SHARE_DELETE 0x00000004 - - // Create disposition - -#define FILE_SUPERSEDE 0x00000000 -#define FILE_OPEN 0x00000001 -#define FILE_CREATE 0x00000002 -#define FILE_OPEN_IF 0x00000003 -#define FILE_OVERWRITE 0x00000004 -#define FILE_OVERWRITE_IF 0x00000005 -#define FILE_MAXIMUM_DISPOSITION 0x00000005 - - // Create/open flags - -#define FILE_DIRECTORY_FILE 0x00000001 -#define FILE_WRITE_THROUGH 0x00000002 -#define FILE_SEQUENTIAL_ONLY 0x00000004 -#define FILE_NO_INTERMEDIATE_BUFFERING 0x00000008 - -#define FILE_SYNCHRONOUS_IO_ALERT 0x00000010 -#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020 -#define FILE_NON_DIRECTORY_FILE 0x00000040 -#define FILE_CREATE_TREE_CONNECTION 0x00000080 - -#define FILE_COMPLETE_IF_OPLOCKED 0x00000100 -#define FILE_NO_EA_KNOWLEDGE 0x00000200 -#define FILE_OPEN_REMOTE_INSTANCE 0x00000400 -#define FILE_RANDOM_ACCESS 0x00000800 - -#define FILE_DELETE_ON_CLOSE 0x00001000 -#define FILE_OPEN_BY_FILE_ID 0x00002000 -#define FILE_OPEN_FOR_BACKUP_INTENT 0x00004000 -#define FILE_NO_COMPRESSION 0x00008000 - -#define FILE_OPEN_REQUIRING_OPLOCK 0x00010000 -#define FILE_DISALLOW_EXCLUSIVE 0x00020000 -#define FILE_SESSION_AWARE 0x00040000 - -#define FILE_RESERVE_OPFILTER 0x00100000 -#define FILE_OPEN_REPARSE_POINT 0x00200000 -#define FILE_OPEN_NO_RECALL 0x00400000 -#define FILE_OPEN_FOR_FREE_SPACE_QUERY 0x00800000 - -#define TREE_CONNECT_WRITE_THROUGH 0x00000002 -#define TREE_CONNECT_NO_CLIENT_BUFFERING 0x00000008 - - // Extended create/open flags - -#define FILE_CONTAINS_EXTENDED_CREATE_INFORMATION 0x10000000 -#define FILE_VALID_EXTENDED_OPTION_FLAGS 0x10000000 - - typedef struct _EXTENDED_CREATE_DUAL_OPLOCK_KEYS - { - // - // Parent oplock key. - // All-zero if not set. - // - GUID ParentOplockKey; - // - // Target oplock key. - // All-zero if not set. 
- // - GUID TargetOplockKey; - } EXTENDED_CREATE_DUAL_OPLOCK_KEYS, *PEXTENDED_CREATE_DUAL_OPLOCK_KEYS; - - typedef struct _EXTENDED_CREATE_INFORMATION - { - LONGLONG ExtendedCreateFlags; - PVOID EaBuffer; - ULONG EaLength; - // PEXTENDED_CREATE_DUAL_OPLOCK_KEYS DualOplockKeys; // since 24H2 - } EXTENDED_CREATE_INFORMATION, *PEXTENDED_CREATE_INFORMATION; - - typedef struct _EXTENDED_CREATE_INFORMATION_32 - { - LONGLONG ExtendedCreateFlags; - void *POINTER_32 EaBuffer; - ULONG EaLength; - // PEXTENDED_CREATE_DUAL_OPLOCK_KEYS POINTER_32 DualOplockKeys; // since 24H2 - } EXTENDED_CREATE_INFORMATION_32, *PEXTENDED_CREATE_INFORMATION_32; - -#define EX_CREATE_FLAG_FILE_SOURCE_OPEN_FOR_COPY 0x00000001 -#define EX_CREATE_FLAG_FILE_DEST_OPEN_FOR_COPY 0x00000002 - -#define FILE_VALID_OPTION_FLAGS 0x00ffffff -#define FILE_VALID_PIPE_OPTION_FLAGS 0x00000032 -#define FILE_VALID_MAILSLOT_OPTION_FLAGS 0x00000032 -#define FILE_VALID_SET_FLAGS 0x00000036 - -#define FILE_COPY_STRUCTURED_STORAGE 0x00000041 -#define FILE_STRUCTURED_STORAGE 0x00000441 - - // I/O status information values for NtCreateFile/NtOpenFile - -#define FILE_SUPERSEDED 0x00000000 -#define FILE_OPENED 0x00000001 -#define FILE_CREATED 0x00000002 -#define FILE_OVERWRITTEN 0x00000003 -#define FILE_EXISTS 0x00000004 -#define FILE_DOES_NOT_EXIST 0x00000005 - - // Special ByteOffset parameters - -#define FILE_WRITE_TO_END_OF_FILE 0xffffffff -#define FILE_USE_FILE_POINTER_POSITION 0xfffffffe - - // Alignment requirement values - -#define FILE_BYTE_ALIGNMENT 0x00000000 -#define FILE_WORD_ALIGNMENT 0x00000001 -#define FILE_LONG_ALIGNMENT 0x00000003 -#define FILE_QUAD_ALIGNMENT 0x00000007 -#define FILE_OCTA_ALIGNMENT 0x0000000f -#define FILE_32_BYTE_ALIGNMENT 0x0000001f -#define FILE_64_BYTE_ALIGNMENT 0x0000003f -#define FILE_128_BYTE_ALIGNMENT 0x0000007f -#define FILE_256_BYTE_ALIGNMENT 0x000000ff -#define FILE_512_BYTE_ALIGNMENT 0x000001ff - - // Maximum length of a filename string - -#define DOS_MAX_COMPONENT_LENGTH 255 
-#define DOS_MAX_PATH_LENGTH (DOS_MAX_COMPONENT_LENGTH + 5) - -#define MAXIMUM_FILENAME_LENGTH 256 - - // Extended attributes - -#define FILE_NEED_EA 0x00000080 - -#define FILE_EA_TYPE_BINARY 0xfffe -#define FILE_EA_TYPE_ASCII 0xfffd -#define FILE_EA_TYPE_BITMAP 0xfffb -#define FILE_EA_TYPE_METAFILE 0xfffa -#define FILE_EA_TYPE_ICON 0xfff9 -#define FILE_EA_TYPE_EA 0xffee -#define FILE_EA_TYPE_MVMT 0xffdf -#define FILE_EA_TYPE_MVST 0xffde -#define FILE_EA_TYPE_ASN1 0xffdd -#define FILE_EA_TYPE_FAMILY_IDS 0xff01 - - // Device characteristics - -#define FILE_REMOVABLE_MEDIA 0x00000001 -#define FILE_READ_ONLY_DEVICE 0x00000002 -#define FILE_FLOPPY_DISKETTE 0x00000004 -#define FILE_WRITE_ONCE_MEDIA 0x00000008 -#define FILE_REMOTE_DEVICE 0x00000010 -#define FILE_DEVICE_IS_MOUNTED 0x00000020 -#define FILE_VIRTUAL_VOLUME 0x00000040 -#define FILE_AUTOGENERATED_DEVICE_NAME 0x00000080 -#define FILE_DEVICE_SECURE_OPEN 0x00000100 -#define FILE_CHARACTERISTIC_PNP_DEVICE 0x00000800 -#define FILE_CHARACTERISTIC_TS_DEVICE 0x00001000 -#define FILE_CHARACTERISTIC_WEBDAV_DEVICE 0x00002000 -#define FILE_CHARACTERISTIC_CSV 0x00010000 -#define FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL 0x00020000 -#define FILE_PORTABLE_DEVICE 0x00040000 -#define FILE_REMOTE_DEVICE_VSMB 0x00080000 -#define FILE_DEVICE_REQUIRE_SECURITY_CHECK 0x00100000 - -// Named pipe values - -// NamedPipeType for NtCreateNamedPipeFile -#define FILE_PIPE_BYTE_STREAM_TYPE 0x00000000 -#define FILE_PIPE_MESSAGE_TYPE 0x00000001 -#define FILE_PIPE_ACCEPT_REMOTE_CLIENTS 0x00000000 -#define FILE_PIPE_REJECT_REMOTE_CLIENTS 0x00000002 -#define FILE_PIPE_TYPE_VALID_MASK 0x00000003 - -// CompletionMode for NtCreateNamedPipeFile -#define FILE_PIPE_QUEUE_OPERATION 0x00000000 -#define FILE_PIPE_COMPLETE_OPERATION 0x00000001 - -// ReadMode for NtCreateNamedPipeFile -#define FILE_PIPE_BYTE_STREAM_MODE 0x00000000 -#define FILE_PIPE_MESSAGE_MODE 0x00000001 - -// NamedPipeConfiguration for NtQueryInformationFile -#define FILE_PIPE_INBOUND 
0x00000000 -#define FILE_PIPE_OUTBOUND 0x00000001 -#define FILE_PIPE_FULL_DUPLEX 0x00000002 - -// NamedPipeState for NtQueryInformationFile -#define FILE_PIPE_DISCONNECTED_STATE 0x00000001 -#define FILE_PIPE_LISTENING_STATE 0x00000002 -#define FILE_PIPE_CONNECTED_STATE 0x00000003 -#define FILE_PIPE_CLOSING_STATE 0x00000004 - -// NamedPipeEnd for NtQueryInformationFile -#define FILE_PIPE_CLIENT_END 0x00000000 -#define FILE_PIPE_SERVER_END 0x00000001 - -// Win32 pipe instance limit (0xff) -#define FILE_PIPE_UNLIMITED_INSTANCES 0xffffffff - - // Mailslot values - -#define MAILSLOT_SIZE_AUTO 0 - - typedef struct _IO_STATUS_BLOCK - { - union - { - NTSTATUS Status; - PVOID Pointer; - }; - ULONG_PTR Information; - } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; - - typedef _Function_class_(IO_APC_ROUTINE) - VOID NTAPI IO_APC_ROUTINE( - _In_ PVOID ApcContext, - _In_ PIO_STATUS_BLOCK IoStatusBlock, - _In_ ULONG Reserved); - typedef IO_APC_ROUTINE *PIO_APC_ROUTINE; - - typedef enum _FILE_INFORMATION_CLASS - { - FileDirectoryInformation = 1, // q: FILE_DIRECTORY_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) - FileFullDirectoryInformation, // q: FILE_FULL_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) - FileBothDirectoryInformation, // q: FILE_BOTH_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) - FileBasicInformation, // q; s: FILE_BASIC_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) - FileStandardInformation, // q: FILE_STANDARD_INFORMATION, FILE_STANDARD_INFORMATION_EX - FileInternalInformation, // q: FILE_INTERNAL_INFORMATION - FileEaInformation, // q: FILE_EA_INFORMATION - FileAccessInformation, // q: FILE_ACCESS_INFORMATION - FileNameInformation, // q: FILE_NAME_INFORMATION - FileRenameInformation, // s: FILE_RENAME_INFORMATION (requires DELETE) // 10 - FileLinkInformation, // s: FILE_LINK_INFORMATION - FileNamesInformation, // q: FILE_NAMES_INFORMATION (requires 
FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) - FileDispositionInformation, // s: FILE_DISPOSITION_INFORMATION (requires DELETE) - FilePositionInformation, // q; s: FILE_POSITION_INFORMATION - FileFullEaInformation, // FILE_FULL_EA_INFORMATION - FileModeInformation, // q; s: FILE_MODE_INFORMATION - FileAlignmentInformation, // q: FILE_ALIGNMENT_INFORMATION - FileAllInformation, // q: FILE_ALL_INFORMATION (requires FILE_READ_ATTRIBUTES) - FileAllocationInformation, // s: FILE_ALLOCATION_INFORMATION (requires FILE_WRITE_DATA) - FileEndOfFileInformation, // s: FILE_END_OF_FILE_INFORMATION (requires FILE_WRITE_DATA) // 20 - FileAlternateNameInformation, // q: FILE_NAME_INFORMATION - FileStreamInformation, // q: FILE_STREAM_INFORMATION - FilePipeInformation, // q; s: FILE_PIPE_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) - FilePipeLocalInformation, // q: FILE_PIPE_LOCAL_INFORMATION (requires FILE_READ_ATTRIBUTES) - FilePipeRemoteInformation, // q; s: FILE_PIPE_REMOTE_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) - FileMailslotQueryInformation, // q: FILE_MAILSLOT_QUERY_INFORMATION - FileMailslotSetInformation, // s: FILE_MAILSLOT_SET_INFORMATION - FileCompressionInformation, // q: FILE_COMPRESSION_INFORMATION - FileObjectIdInformation, // q: FILE_OBJECTID_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) - FileCompletionInformation, // s: FILE_COMPLETION_INFORMATION // 30 - FileMoveClusterInformation, // s: FILE_MOVE_CLUSTER_INFORMATION (requires FILE_WRITE_DATA) - FileQuotaInformation, // q: FILE_QUOTA_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) - FileReparsePointInformation, // q: FILE_REPARSE_POINT_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) - FileNetworkOpenInformation, // q: FILE_NETWORK_OPEN_INFORMATION (requires FILE_READ_ATTRIBUTES) - FileAttributeTagInformation, // q: FILE_ATTRIBUTE_TAG_INFORMATION (requires 
FILE_READ_ATTRIBUTES) - FileTrackingInformation, // s: FILE_TRACKING_INFORMATION (requires FILE_WRITE_DATA) - FileIdBothDirectoryInformation, // q: FILE_ID_BOTH_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) - FileIdFullDirectoryInformation, // q: FILE_ID_FULL_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) - FileValidDataLengthInformation, // s: FILE_VALID_DATA_LENGTH_INFORMATION (requires FILE_WRITE_DATA and/or SeManageVolumePrivilege) - FileShortNameInformation, // s: FILE_NAME_INFORMATION (requires DELETE) // 40 - FileIoCompletionNotificationInformation, // q; s: FILE_IO_COMPLETION_NOTIFICATION_INFORMATION (q: requires FILE_READ_ATTRIBUTES) // since VISTA - FileIoStatusBlockRangeInformation, // s: FILE_IOSTATUSBLOCK_RANGE_INFORMATION (requires SeLockMemoryPrivilege) - FileIoPriorityHintInformation, // q; s: FILE_IO_PRIORITY_HINT_INFORMATION, FILE_IO_PRIORITY_HINT_INFORMATION_EX (q: requires FILE_READ_DATA) - FileSfioReserveInformation, // q; s: FILE_SFIO_RESERVE_INFORMATION (q: requires FILE_READ_DATA) - FileSfioVolumeInformation, // q: FILE_SFIO_VOLUME_INFORMATION (requires FILE_READ_ATTRIBUTES) - FileHardLinkInformation, // q: FILE_LINKS_INFORMATION - FileProcessIdsUsingFileInformation, // q: FILE_PROCESS_IDS_USING_FILE_INFORMATION (requires FILE_READ_ATTRIBUTES) - FileNormalizedNameInformation, // q: FILE_NAME_INFORMATION - FileNetworkPhysicalNameInformation, // q: FILE_NETWORK_PHYSICAL_NAME_INFORMATION - FileIdGlobalTxDirectoryInformation, // q: FILE_ID_GLOBAL_TX_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) // since WIN7 // 50 - FileIsRemoteDeviceInformation, // q: FILE_IS_REMOTE_DEVICE_INFORMATION (requires FILE_READ_ATTRIBUTES) - FileUnusedInformation, - FileNumaNodeInformation, // q: FILE_NUMA_NODE_INFORMATION - FileStandardLinkInformation, // q: FILE_STANDARD_LINK_INFORMATION - FileRemoteProtocolInformation, // q: FILE_REMOTE_PROTOCOL_INFORMATION - 
FileRenameInformationBypassAccessCheck, // (kernel-mode only); s: FILE_RENAME_INFORMATION // since WIN8 - FileLinkInformationBypassAccessCheck, // (kernel-mode only); s: FILE_LINK_INFORMATION - FileVolumeNameInformation, // q: FILE_VOLUME_NAME_INFORMATION - FileIdInformation, // q: FILE_ID_INFORMATION - FileIdExtdDirectoryInformation, // q: FILE_ID_EXTD_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) // 60 - FileReplaceCompletionInformation, // s: FILE_COMPLETION_INFORMATION // since WINBLUE - FileHardLinkFullIdInformation, // q: FILE_LINK_ENTRY_FULL_ID_INFORMATION // FILE_LINKS_FULL_ID_INFORMATION - FileIdExtdBothDirectoryInformation, // q: FILE_ID_EXTD_BOTH_DIR_INFORMATION (requires FILE_LIST_DIRECTORY) (NtQueryDirectoryFile[Ex]) // since THRESHOLD - FileDispositionInformationEx, // s: FILE_DISPOSITION_INFO_EX (requires DELETE) // since REDSTONE - FileRenameInformationEx, // s: FILE_RENAME_INFORMATION_EX - FileRenameInformationExBypassAccessCheck, // (kernel-mode only); s: FILE_RENAME_INFORMATION_EX - FileDesiredStorageClassInformation, // q; s: FILE_DESIRED_STORAGE_CLASS_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) // since REDSTONE2 - FileStatInformation, // q: FILE_STAT_INFORMATION (requires FILE_READ_ATTRIBUTES) - FileMemoryPartitionInformation, // s: FILE_MEMORY_PARTITION_INFORMATION // since REDSTONE3 - FileStatLxInformation, // q: FILE_STAT_LX_INFORMATION (requires FILE_READ_ATTRIBUTES and FILE_READ_EA) // since REDSTONE4 // 70 - FileCaseSensitiveInformation, // q; s: FILE_CASE_SENSITIVE_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) - FileLinkInformationEx, // s: FILE_LINK_INFORMATION_EX // since REDSTONE5 - FileLinkInformationExBypassAccessCheck, // (kernel-mode only); s: FILE_LINK_INFORMATION_EX - FileStorageReserveIdInformation, // q; s: FILE_STORAGE_RESERVE_ID_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) - 
FileCaseSensitiveInformationForceAccessCheck, // q; s: FILE_CASE_SENSITIVE_INFORMATION - FileKnownFolderInformation, // q; s: FILE_KNOWN_FOLDER_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES) // since WIN11 - FileStatBasicInformation, // since 23H2 - FileId64ExtdDirectoryInformation, // FILE_ID_64_EXTD_DIR_INFORMATION - FileId64ExtdBothDirectoryInformation, // FILE_ID_64_EXTD_BOTH_DIR_INFORMATION - FileIdAllExtdDirectoryInformation, // FILE_ID_ALL_EXTD_DIR_INFORMATION - FileIdAllExtdBothDirectoryInformation, // FILE_ID_ALL_EXTD_BOTH_DIR_INFORMATION - FileStreamReservationInformation, // FILE_STREAM_RESERVATION_INFORMATION // since 24H2 - FileMupProviderInfo, // MUP_PROVIDER_INFORMATION - FileMaximumInformation - } FILE_INFORMATION_CLASS, - *PFILE_INFORMATION_CLASS; - - // - // NtQueryInformationFile/NtSetInformationFile types - // - - /** - * The FILE_BASIC_INFORMATION structure contains timestamps and basic attributes of a file. - * \li If you specify a value of zero for any of the XxxTime members, the file system keeps a file's current value for that time. - * \li If you specify a value of -1 for any of the XxxTime members, time stamp updates are disabled for I/O operations preformed on the file handle. - * \li If you specify a value of -2 for any of the XxxTime members, time stamp updates are enabled for I/O operations preformed on the file handle. - * \remarks To set the members of this structure, the caller must have FILE_WRITE_ATTRIBUTES access to the file. - */ - typedef struct _FILE_BASIC_INFORMATION - { - LARGE_INTEGER CreationTime; // Specifies the time that the file was created. - LARGE_INTEGER LastAccessTime; // Specifies the time that the file was last accessed. - LARGE_INTEGER LastWriteTime; // Specifies the time that the file was last written to. - LARGE_INTEGER ChangeTime; // Specifies the last time the file was changed. - ULONG FileAttributes; // Specifies one or more FILE_ATTRIBUTE_XXX flags. 
- } FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION; - - /** - * The FILE_STANDARD_INFORMATION structure contains standard information of a file. - * \remarks EndOfFile specifies the byte offset to the end of the file. - * Because this value is zero-based, it actually refers to the first free byte in the file; that is, it is the offset to the byte immediately following the last valid byte in the file. - */ - typedef struct _FILE_STANDARD_INFORMATION - { - LARGE_INTEGER AllocationSize; // The file allocation size in bytes. Usually, this value is a multiple of the sector or cluster size of the underlying physical device. - LARGE_INTEGER EndOfFile; // The end of file location as a byte offset. - ULONG NumberOfLinks; // The number of hard links to the file. - BOOLEAN DeletePending; // The delete pending status. TRUE indicates that a file deletion has been requested. - BOOLEAN Directory; // The file directory status. TRUE indicates the file object represents a directory. - } FILE_STANDARD_INFORMATION, *PFILE_STANDARD_INFORMATION; - - typedef struct _FILE_STANDARD_INFORMATION_EX - { - LARGE_INTEGER AllocationSize; - LARGE_INTEGER EndOfFile; - ULONG NumberOfLinks; - BOOLEAN DeletePending; - BOOLEAN Directory; - BOOLEAN AlternateStream; - BOOLEAN MetadataAttribute; - } FILE_STANDARD_INFORMATION_EX, *PFILE_STANDARD_INFORMATION_EX; - - typedef struct _FILE_INTERNAL_INFORMATION - { - union - { - ULARGE_INTEGER IndexNumber; - struct - { - ULONGLONG MftRecordIndex : 48; // rev - ULONGLONG SequenceNumber : 16; // rev - }; - }; - } FILE_INTERNAL_INFORMATION, *PFILE_INTERNAL_INFORMATION; - - typedef struct _FILE_EA_INFORMATION - { - ULONG EaSize; - } FILE_EA_INFORMATION, *PFILE_EA_INFORMATION; - - typedef struct _FILE_ACCESS_INFORMATION - { - ACCESS_MASK AccessFlags; - } FILE_ACCESS_INFORMATION, *PFILE_ACCESS_INFORMATION; - - typedef struct _FILE_POSITION_INFORMATION - { - LARGE_INTEGER CurrentByteOffset; - } FILE_POSITION_INFORMATION, *PFILE_POSITION_INFORMATION; - - typedef 
struct _FILE_MODE_INFORMATION - { - ULONG Mode; - } FILE_MODE_INFORMATION, *PFILE_MODE_INFORMATION; - - typedef struct _FILE_ALIGNMENT_INFORMATION - { - ULONG AlignmentRequirement; - } FILE_ALIGNMENT_INFORMATION, *PFILE_ALIGNMENT_INFORMATION; - - typedef struct _FILE_NAME_INFORMATION - { - ULONG FileNameLength; - _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; - } FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION; - - typedef struct _FILE_ALL_INFORMATION - { - FILE_BASIC_INFORMATION BasicInformation; - FILE_STANDARD_INFORMATION StandardInformation; - FILE_INTERNAL_INFORMATION InternalInformation; - FILE_EA_INFORMATION EaInformation; - FILE_ACCESS_INFORMATION AccessInformation; - FILE_POSITION_INFORMATION PositionInformation; - FILE_MODE_INFORMATION ModeInformation; - FILE_ALIGNMENT_INFORMATION AlignmentInformation; - FILE_NAME_INFORMATION NameInformation; - } FILE_ALL_INFORMATION, *PFILE_ALL_INFORMATION; - - typedef struct _FILE_NETWORK_OPEN_INFORMATION - { - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER AllocationSize; - LARGE_INTEGER EndOfFile; - ULONG FileAttributes; - } FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION; - - typedef struct _FILE_ATTRIBUTE_TAG_INFORMATION - { - ULONG FileAttributes; - ULONG ReparseTag; - } FILE_ATTRIBUTE_TAG_INFORMATION, *PFILE_ATTRIBUTE_TAG_INFORMATION; - - typedef struct _FILE_ALLOCATION_INFORMATION - { - LARGE_INTEGER AllocationSize; - } FILE_ALLOCATION_INFORMATION, *PFILE_ALLOCATION_INFORMATION; - - typedef struct _FILE_COMPRESSION_INFORMATION - { - LARGE_INTEGER CompressedFileSize; - USHORT CompressionFormat; - UCHAR CompressionUnitShift; - UCHAR ChunkShift; - UCHAR ClusterShift; - UCHAR Reserved[3]; - } FILE_COMPRESSION_INFORMATION, *PFILE_COMPRESSION_INFORMATION; - - typedef struct _FILE_DISPOSITION_INFORMATION - { - BOOLEAN DeleteFile; - } FILE_DISPOSITION_INFORMATION, *PFILE_DISPOSITION_INFORMATION; - - typedef struct 
_FILE_END_OF_FILE_INFORMATION - { - LARGE_INTEGER EndOfFile; - } FILE_END_OF_FILE_INFORMATION, *PFILE_END_OF_FILE_INFORMATION; - -// #if (PHNT_VERSION >= PHNT_REDSTONE5) -#define FLAGS_END_OF_FILE_INFO_EX_EXTEND_PAGING 0x00000001 -#define FLAGS_END_OF_FILE_INFO_EX_NO_EXTRA_PAGING_EXTEND 0x00000002 -#define FLAGS_END_OF_FILE_INFO_EX_TIME_CONSTRAINED 0x00000004 -#define FLAGS_DELAY_REASONS_LOG_FILE_FULL 0x00000001 -#define FLAGS_DELAY_REASONS_BITMAP_SCANNED 0x00000002 - - typedef struct _FILE_END_OF_FILE_INFORMATION_EX - { - LARGE_INTEGER EndOfFile; - LARGE_INTEGER PagingFileSizeInMM; - LARGE_INTEGER PagingFileMaxSize; - ULONG Flags; - } FILE_END_OF_FILE_INFORMATION_EX, *PFILE_END_OF_FILE_INFORMATION_EX; - // #endif - - typedef struct _FILE_VALID_DATA_LENGTH_INFORMATION - { - LARGE_INTEGER ValidDataLength; - } FILE_VALID_DATA_LENGTH_INFORMATION, *PFILE_VALID_DATA_LENGTH_INFORMATION; - -#define FILE_LINK_REPLACE_IF_EXISTS 0x00000001 // since RS5 -#define FILE_LINK_POSIX_SEMANTICS 0x00000002 - -#define FILE_LINK_SUPPRESS_STORAGE_RESERVE_INHERITANCE 0x00000008 -#define FILE_LINK_NO_INCREASE_AVAILABLE_SPACE 0x00000010 -#define FILE_LINK_NO_DECREASE_AVAILABLE_SPACE 0x00000020 -#define FILE_LINK_PRESERVE_AVAILABLE_SPACE 0x00000030 -#define FILE_LINK_IGNORE_READONLY_ATTRIBUTE 0x00000040 -#define FILE_LINK_FORCE_RESIZE_TARGET_SR 0x00000080 // since 19H1 -#define FILE_LINK_FORCE_RESIZE_SOURCE_SR 0x00000100 -#define FILE_LINK_FORCE_RESIZE_SR 0x00000180 - - typedef struct _FILE_LINK_INFORMATION - { - BOOLEAN ReplaceIfExists; - HANDLE RootDirectory; - ULONG FileNameLength; - _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; - } FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION; - - typedef struct _FILE_LINK_INFORMATION_EX - { - ULONG Flags; - HANDLE RootDirectory; - ULONG FileNameLength; - _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; - } FILE_LINK_INFORMATION_EX, *PFILE_LINK_INFORMATION_EX; - - typedef struct _FILE_MOVE_CLUSTER_INFORMATION - { - ULONG ClusterCount; - 
HANDLE RootDirectory; - ULONG FileNameLength; - _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; - } FILE_MOVE_CLUSTER_INFORMATION, *PFILE_MOVE_CLUSTER_INFORMATION; - - typedef struct _FILE_RENAME_INFORMATION - { - BOOLEAN ReplaceIfExists; - HANDLE RootDirectory; - ULONG FileNameLength; - _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; - } FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION; - -#define FILE_RENAME_REPLACE_IF_EXISTS 0x00000001 // since REDSTONE -#define FILE_RENAME_POSIX_SEMANTICS 0x00000002 -#define FILE_RENAME_SUPPRESS_PIN_STATE_INHERITANCE 0x00000004 // since REDSTONE3 -#define FILE_RENAME_SUPPRESS_STORAGE_RESERVE_INHERITANCE 0x00000008 // since REDSTONE5 -#define FILE_RENAME_NO_INCREASE_AVAILABLE_SPACE 0x00000010 -#define FILE_RENAME_NO_DECREASE_AVAILABLE_SPACE 0x00000020 -#define FILE_RENAME_PRESERVE_AVAILABLE_SPACE 0x00000030 -#define FILE_RENAME_IGNORE_READONLY_ATTRIBUTE 0x00000040 -#define FILE_RENAME_FORCE_RESIZE_TARGET_SR 0x00000080 // since 19H1 -#define FILE_RENAME_FORCE_RESIZE_SOURCE_SR 0x00000100 -#define FILE_RENAME_FORCE_RESIZE_SR 0x00000180 - - typedef struct _FILE_RENAME_INFORMATION_EX - { - ULONG Flags; - HANDLE RootDirectory; - ULONG FileNameLength; - _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; - } FILE_RENAME_INFORMATION_EX, *PFILE_RENAME_INFORMATION_EX; - - /** - * The FILE_STREAM_INFORMATION structure contains information about a file stream. - */ - typedef struct _FILE_STREAM_INFORMATION - { - ULONG NextEntryOffset; - ULONG StreamNameLength; - LARGE_INTEGER StreamSize; - LARGE_INTEGER StreamAllocationSize; - _Field_size_bytes_(StreamNameLength) WCHAR StreamName[1]; - } FILE_STREAM_INFORMATION, *PFILE_STREAM_INFORMATION; - - /** - * The FILE_TRACKING_INFORMATION structure contains information used for tracking file operations. 
- */ - typedef struct _FILE_TRACKING_INFORMATION - { - HANDLE DestinationFile; - ULONG ObjectInformationLength; - _Field_size_bytes_(ObjectInformationLength) CHAR ObjectInformation[1]; - } FILE_TRACKING_INFORMATION, *PFILE_TRACKING_INFORMATION; - - /** - * The FILE_COMPLETION_INFORMATION structure contains the port handle and key for an I/O completion port created for a file handle. - * - * \remarks he FILE_COMPLETION_INFORMATION structure is used to replace the completion information for a port handle set in Port. - * Completion information is replaced with the ZwSetInformationFile routine with the FileInformationClass parameter set to FileReplaceCompletionInformation. - * The Port and Key members of FILE_COMPLETION_INFORMATION are set to their new values. To remove an existing completion port for a file handle, Port is set to NULL. - * - * https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_file_completion_information - */ - typedef struct _FILE_COMPLETION_INFORMATION - { - HANDLE Port; - PVOID Key; - } FILE_COMPLETION_INFORMATION, *PFILE_COMPLETION_INFORMATION; - - /** - * The FILE_PIPE_INFORMATION structure contains information about a named pipe that is not specific to the local or the remote end of the pipe. - * - * \remarks If ReadMode is set to FILE_PIPE_BYTE_STREAM_MODE, any attempt to change it must fail with a STATUS_INVALID_PARAMETER error code. - * When CompletionMode is set to FILE_PIPE_QUEUE_OPERATION, if the pipe is connected to, read to, or written from, - * the operation is not completed until there is data to read, all data is written, or a client is connected. - * When CompletionMode is set to FILE_PIPE_COMPLETE_OPERATION, if the pipe is being connected to, read to, or written from, the operation is completed immediately. 
- * - * https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_file_pipe_information - */ - typedef struct _FILE_PIPE_INFORMATION - { - ULONG ReadMode; - ULONG CompletionMode; - } FILE_PIPE_INFORMATION, *PFILE_PIPE_INFORMATION; - - /** - * The FILE_PIPE_LOCAL_INFORMATION structure contains information about the local end of a named pipe. - * - * \remarks https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_file_pipe_local_information - */ - typedef struct _FILE_PIPE_LOCAL_INFORMATION - { - ULONG NamedPipeType; - ULONG NamedPipeConfiguration; - ULONG MaximumInstances; - ULONG CurrentInstances; - ULONG InboundQuota; - ULONG ReadDataAvailable; - ULONG OutboundQuota; - ULONG WriteQuotaAvailable; - ULONG NamedPipeState; - ULONG NamedPipeEnd; - } FILE_PIPE_LOCAL_INFORMATION, *PFILE_PIPE_LOCAL_INFORMATION; - - /** - * The FILE_PIPE_REMOTE_INFORMATION structure contains information about the remote end of a named pipe. - * - * \remarks Remote information is not available for local pipes or for the server end of a remote pipe. - * https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_file_pipe_remote_information - */ - typedef struct _FILE_PIPE_REMOTE_INFORMATION - { - LARGE_INTEGER CollectDataTime; // The maximum amount of time, in 100-nanosecond intervals, that elapses before transmission of data from the client machine to the server. - ULONG MaximumCollectionCount; // The maximum size, in bytes, of data that will be collected on the client machine before transmission to the server. - } FILE_PIPE_REMOTE_INFORMATION, *PFILE_PIPE_REMOTE_INFORMATION; - - /** - * The FILE_MAILSLOT_QUERY_INFORMATION structure contains information about a mailslot. 
- * - * \remarks https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_file_mailslot_query_information - */ - typedef struct _FILE_MAILSLOT_QUERY_INFORMATION - { - ULONG MaximumMessageSize; // The maximum size, in bytes, of a single message that can be written to the mailslot, or 0 for a message of any size. - ULONG MailslotQuota; // The size, in bytes, of the in-memory pool that is reserved for writes to this mailslot. - ULONG NextMessageSize; // The next message size, in bytes. - ULONG MessagesAvailable; // The total number of messages waiting to be read from the mailslot. - LARGE_INTEGER ReadTimeout; // The time, in milliseconds, that a read operation can wait for a message to be written to the mailslot before a time-out occurs. - } FILE_MAILSLOT_QUERY_INFORMATION, *PFILE_MAILSLOT_QUERY_INFORMATION; - - /** - * The FILE_MAILSLOT_SET_INFORMATION structure is used to set a value on a mailslot. - * - * \remarks https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_file_mailslot_set_information - */ - typedef struct _FILE_MAILSLOT_SET_INFORMATION - { - PLARGE_INTEGER ReadTimeout; // The time, in milliseconds, that a read operation can wait for a message to be written to the mailslot before a time-out occurs. - } FILE_MAILSLOT_SET_INFORMATION, *PFILE_MAILSLOT_SET_INFORMATION; - - /** - * The FILE_REPARSE_POINT_INFORMATION structure contains information about a reparse point. - */ - typedef struct _FILE_REPARSE_POINT_INFORMATION - { - LONGLONG FileReference; - ULONG Tag; - } FILE_REPARSE_POINT_INFORMATION, *PFILE_REPARSE_POINT_INFORMATION; - - /** - * The FILE_LINK_ENTRY_INFORMATION structure contains information about a file link entry. 
- */ - typedef struct _FILE_LINK_ENTRY_INFORMATION - { - ULONG NextEntryOffset; - LONGLONG ParentFileId; // LARGE_INTEGER - ULONG FileNameLength; - _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; - } FILE_LINK_ENTRY_INFORMATION, *PFILE_LINK_ENTRY_INFORMATION; - - /** - * The FILE_LINKS_INFORMATION structure contains information about file links. - */ - typedef struct _FILE_LINKS_INFORMATION - { - ULONG BytesNeeded; - ULONG EntriesReturned; - FILE_LINK_ENTRY_INFORMATION Entry; - } FILE_LINKS_INFORMATION, *PFILE_LINKS_INFORMATION; - - /** - * The FILE_NETWORK_PHYSICAL_NAME_INFORMATION structure contains information about the network physical name of a file. - */ - typedef struct _FILE_NETWORK_PHYSICAL_NAME_INFORMATION - { - ULONG FileNameLength; - _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; - } FILE_NETWORK_PHYSICAL_NAME_INFORMATION, *PFILE_NETWORK_PHYSICAL_NAME_INFORMATION; - - /** - * The FILE_STANDARD_LINK_INFORMATION structure contains standard information about a file link. - */ - typedef struct _FILE_STANDARD_LINK_INFORMATION - { - ULONG NumberOfAccessibleLinks; - ULONG TotalNumberOfLinks; - BOOLEAN DeletePending; - BOOLEAN Directory; - } FILE_STANDARD_LINK_INFORMATION, *PFILE_STANDARD_LINK_INFORMATION; - - typedef struct _FILE_SFIO_RESERVE_INFORMATION - { - ULONG RequestsPerPeriod; - ULONG Period; - BOOLEAN RetryFailures; - BOOLEAN Discardable; - ULONG RequestSize; - ULONG NumOutstandingRequests; - } FILE_SFIO_RESERVE_INFORMATION, *PFILE_SFIO_RESERVE_INFORMATION; - - typedef struct _FILE_SFIO_VOLUME_INFORMATION - { - ULONG MaximumRequestsPerPeriod; - ULONG MinimumPeriod; - ULONG MinimumTransferSize; - } FILE_SFIO_VOLUME_INFORMATION, *PFILE_SFIO_VOLUME_INFORMATION; - - typedef enum _IO_PRIORITY_HINT - { - IoPriorityVeryLow = 0, // Defragging, content indexing and other background I/Os. - IoPriorityLow, // Prefetching for applications. - IoPriorityNormal, // Normal I/Os. - IoPriorityHigh, // Used by filesystems for checkpoint I/O. 
- IoPriorityCritical, // Used by memory manager. Not available for applications. - MaxIoPriorityTypes - } IO_PRIORITY_HINT; - - typedef struct DECLSPEC_ALIGN(8) _FILE_IO_PRIORITY_HINT_INFORMATION - { - IO_PRIORITY_HINT PriorityHint; - } FILE_IO_PRIORITY_HINT_INFORMATION, *PFILE_IO_PRIORITY_HINT_INFORMATION; - - typedef struct _FILE_IO_PRIORITY_HINT_INFORMATION_EX - { - IO_PRIORITY_HINT PriorityHint; - BOOLEAN BoostOutstanding; - } FILE_IO_PRIORITY_HINT_INFORMATION_EX, *PFILE_IO_PRIORITY_HINT_INFORMATION_EX; - -#define FILE_SKIP_COMPLETION_PORT_ON_SUCCESS 0x1 -#define FILE_SKIP_SET_EVENT_ON_HANDLE 0x2 -#define FILE_SKIP_SET_USER_EVENT_ON_FAST_IO 0x4 - - typedef struct _FILE_IO_COMPLETION_NOTIFICATION_INFORMATION - { - ULONG Flags; - } FILE_IO_COMPLETION_NOTIFICATION_INFORMATION, *PFILE_IO_COMPLETION_NOTIFICATION_INFORMATION; - - typedef struct _FILE_PROCESS_IDS_USING_FILE_INFORMATION - { - ULONG NumberOfProcessIdsInList; - _Field_size_(NumberOfProcessIdsInList) ULONG_PTR ProcessIdList[1]; - } FILE_PROCESS_IDS_USING_FILE_INFORMATION, *PFILE_PROCESS_IDS_USING_FILE_INFORMATION; - - /** - * The FILE_IS_REMOTE_DEVICE_INFORMATION structure indicates whether the file system that contains the file is a remote file system. - */ - typedef struct _FILE_IS_REMOTE_DEVICE_INFORMATION - { - BOOLEAN IsRemote; // A value that indicates whether the file system that contains the file is a remote file system. 
- } FILE_IS_REMOTE_DEVICE_INFORMATION, *PFILE_IS_REMOTE_DEVICE_INFORMATION; - - typedef struct _FILE_NUMA_NODE_INFORMATION - { - USHORT NodeNumber; - } FILE_NUMA_NODE_INFORMATION, *PFILE_NUMA_NODE_INFORMATION; - - typedef struct _FILE_IOSTATUSBLOCK_RANGE_INFORMATION - { - PUCHAR IoStatusBlockRange; - ULONG Length; - } FILE_IOSTATUSBLOCK_RANGE_INFORMATION, *PFILE_IOSTATUSBLOCK_RANGE_INFORMATION; - - // Win32 FILE_REMOTE_PROTOCOL_INFO - typedef struct _FILE_REMOTE_PROTOCOL_INFORMATION - { - // Structure Version - USHORT StructureVersion; // 1 for Win7, 2 for Win8 SMB3, 3 for Blue SMB3, 4 for RS5 - USHORT StructureSize; // sizeof(FILE_REMOTE_PROTOCOL_INFORMATION) - - ULONG Protocol; // Protocol (WNNC_NET_*) defined in winnetwk.h or ntifs.h. - - // Protocol Version & Type - USHORT ProtocolMajorVersion; - USHORT ProtocolMinorVersion; - USHORT ProtocolRevision; - - USHORT Reserved; - - // Protocol-Generic Information - ULONG Flags; - - struct - { - ULONG Reserved[8]; - } GenericReserved; - - // Protocol specific information - - union - { - struct - { - struct - { - ULONG Capabilities; - } Server; - struct - { - ULONG Capabilities; - ULONG ShareFlags; // previoulsly CachingFlags before 21H1 - UCHAR ShareType; // RS5 - UCHAR Reserved0[3]; - ULONG Reserved1; - } Share; - } Smb2; - ULONG Reserved[16]; - } ProtocolSpecific; - } FILE_REMOTE_PROTOCOL_INFORMATION, *PFILE_REMOTE_PROTOCOL_INFORMATION; - -#define CHECKSUM_ENFORCEMENT_OFF 0x00000001 - - typedef struct _FILE_INTEGRITY_STREAM_INFORMATION - { - USHORT ChecksumAlgorithm; - UCHAR ChecksumChunkShift; - UCHAR ClusterShift; - ULONG Flags; - } FILE_INTEGRITY_STREAM_INFORMATION, *PFILE_INTEGRITY_STREAM_INFORMATION; - - typedef struct _FILE_VOLUME_NAME_INFORMATION - { - ULONG DeviceNameLength; - _Field_size_bytes_(DeviceNameLength) WCHAR DeviceName[1]; - } FILE_VOLUME_NAME_INFORMATION, *PFILE_VOLUME_NAME_INFORMATION; - -#ifndef FILE_INVALID_FILE_ID -#define FILE_INVALID_FILE_ID ((LONGLONG) - 1LL) -#endif - -#define 
FILE_ID_IS_INVALID(FID) ((FID).QuadPart == FILE_INVALID_FILE_ID) - -#define FILE_ID_128_IS_INVALID(FID128) \ - (((FID128).Identifier[0] == (UCHAR) - 1) && \ - ((FID128).Identifier[1] == (UCHAR) - 1) && \ - ((FID128).Identifier[2] == (UCHAR) - 1) && \ - ((FID128).Identifier[3] == (UCHAR) - 1) && \ - ((FID128).Identifier[4] == (UCHAR) - 1) && \ - ((FID128).Identifier[5] == (UCHAR) - 1) && \ - ((FID128).Identifier[6] == (UCHAR) - 1) && \ - ((FID128).Identifier[7] == (UCHAR) - 1) && \ - ((FID128).Identifier[8] == (UCHAR) - 1) && \ - ((FID128).Identifier[9] == (UCHAR) - 1) && \ - ((FID128).Identifier[10] == (UCHAR) - 1) && \ - ((FID128).Identifier[11] == (UCHAR) - 1) && \ - ((FID128).Identifier[12] == (UCHAR) - 1) && \ - ((FID128).Identifier[13] == (UCHAR) - 1) && \ - ((FID128).Identifier[14] == (UCHAR) - 1) && \ - ((FID128).Identifier[15] == (UCHAR) - 1)) - -#define MAKE_INVALID_FILE_ID_128(FID128) \ - { \ - ((FID128).Identifier[0] = (UCHAR) - 1); \ - ((FID128).Identifier[1] = (UCHAR) - 1); \ - ((FID128).Identifier[2] = (UCHAR) - 1); \ - ((FID128).Identifier[3] = (UCHAR) - 1); \ - ((FID128).Identifier[4] = (UCHAR) - 1); \ - ((FID128).Identifier[5] = (UCHAR) - 1); \ - ((FID128).Identifier[6] = (UCHAR) - 1); \ - ((FID128).Identifier[7] = (UCHAR) - 1); \ - ((FID128).Identifier[8] = (UCHAR) - 1); \ - ((FID128).Identifier[9] = (UCHAR) - 1); \ - ((FID128).Identifier[10] = (UCHAR) - 1); \ - ((FID128).Identifier[11] = (UCHAR) - 1); \ - ((FID128).Identifier[12] = (UCHAR) - 1); \ - ((FID128).Identifier[13] = (UCHAR) - 1); \ - ((FID128).Identifier[14] = (UCHAR) - 1); \ - ((FID128).Identifier[15] = (UCHAR) - 1); \ - } - - typedef struct _FILE_ID_INFORMATION - { - ULONGLONG VolumeSerialNumber; - union - { - FILE_ID_128 FileId; - struct - { - LONGLONG FileIdLowPart : 64; // rev - LONGLONG FileIdHighPart : 64; // rev - }; - }; - } FILE_ID_INFORMATION, *PFILE_ID_INFORMATION; - - typedef struct _FILE_ID_EXTD_DIR_INFORMATION - { - ULONG NextEntryOffset; - ULONG FileIndex; - 
LARGE_INTEGER CreationTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER EndOfFile; - LARGE_INTEGER AllocationSize; - ULONG FileAttributes; - ULONG FileNameLength; - ULONG EaSize; - ULONG ReparsePointTag; - FILE_ID_128 FileId; - _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; - } FILE_ID_EXTD_DIR_INFORMATION, *PFILE_ID_EXTD_DIR_INFORMATION; - -#define FileIdExtdDirectoryInformationDefinition { \ - FileIdExtdDirectoryInformation, \ - FIELD_OFFSET(FILE_ID_EXTD_DIR_INFORMATION, NextEntryOffset), \ - FIELD_OFFSET(FILE_ID_EXTD_DIR_INFORMATION, FileName), \ - FIELD_OFFSET(FILE_ID_EXTD_DIR_INFORMATION, FileNameLength)} - - typedef struct _FILE_LINK_ENTRY_FULL_ID_INFORMATION - { - ULONG NextEntryOffset; - FILE_ID_128 ParentFileId; - ULONG FileNameLength; - _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; - } FILE_LINK_ENTRY_FULL_ID_INFORMATION, *PFILE_LINK_ENTRY_FULL_ID_INFORMATION; - - typedef struct _FILE_LINKS_FULL_ID_INFORMATION - { - ULONG BytesNeeded; - ULONG EntriesReturned; - FILE_LINK_ENTRY_FULL_ID_INFORMATION Entry; - } FILE_LINKS_FULL_ID_INFORMATION, *PFILE_LINKS_FULL_ID_INFORMATION; - - typedef struct _FILE_ID_EXTD_BOTH_DIR_INFORMATION - { - ULONG NextEntryOffset; - ULONG FileIndex; - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER EndOfFile; - LARGE_INTEGER AllocationSize; - ULONG FileAttributes; - ULONG FileNameLength; - ULONG EaSize; - ULONG ReparsePointTag; - FILE_ID_128 FileId; - CCHAR ShortNameLength; - WCHAR ShortName[12]; - _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; - } FILE_ID_EXTD_BOTH_DIR_INFORMATION, *PFILE_ID_EXTD_BOTH_DIR_INFORMATION; - -#define FileIdExtdBothDirectoryInformationDefinition { \ - FileIdExtdBothDirectoryInformation, \ - FIELD_OFFSET(FILE_ID_EXTD_BOTH_DIR_INFORMATION, NextEntryOffset), \ - FIELD_OFFSET(FILE_ID_EXTD_BOTH_DIR_INFORMATION, FileName), \ - 
FIELD_OFFSET(FILE_ID_EXTD_BOTH_DIR_INFORMATION, FileNameLength)} - - typedef struct _FILE_ID_64_EXTD_DIR_INFORMATION - { - ULONG NextEntryOffset; - ULONG FileIndex; - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER EndOfFile; - LARGE_INTEGER AllocationSize; - ULONG FileAttributes; - ULONG FileNameLength; - ULONG EaSize; - ULONG ReparsePointTag; - LARGE_INTEGER FileId; - _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; - } FILE_ID_64_EXTD_DIR_INFORMATION, *PFILE_ID_64_EXTD_DIR_INFORMATION; - -#define FileId64ExtdDirectoryInformationDefinition { \ - FileId64ExtdDirectoryInformation, \ - FIELD_OFFSET(FILE_ID_64_EXTD_DIR_INFORMATION, NextEntryOffset), \ - FIELD_OFFSET(FILE_ID_64_EXTD_DIR_INFORMATION, FileName), \ - FIELD_OFFSET(FILE_ID_64_EXTD_DIR_INFORMATION, FileNameLength)} - - typedef struct _FILE_ID_64_EXTD_BOTH_DIR_INFORMATION - { - ULONG NextEntryOffset; - ULONG FileIndex; - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER EndOfFile; - LARGE_INTEGER AllocationSize; - ULONG FileAttributes; - ULONG FileNameLength; - ULONG EaSize; - ULONG ReparsePointTag; - LARGE_INTEGER FileId; - CCHAR ShortNameLength; - WCHAR ShortName[12]; - _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; - } FILE_ID_64_EXTD_BOTH_DIR_INFORMATION, *PFILE_ID_64_EXTD_BOTH_DIR_INFORMATION; - -#define FileId64ExtdBothDirectoryInformationDefinition { \ - FileId64ExtdBothDirectoryInformation, \ - FIELD_OFFSET(FILE_ID_64_EXTD_BOTH_DIR_INFORMATION, NextEntryOffset), \ - FIELD_OFFSET(FILE_ID_64_EXTD_BOTH_DIR_INFORMATION, FileName), \ - FIELD_OFFSET(FILE_ID_64_EXTD_BOTH_DIR_INFORMATION, FileNameLength)} - - typedef struct _FILE_ID_ALL_EXTD_DIR_INFORMATION - { - ULONG NextEntryOffset; - ULONG FileIndex; - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - 
LARGE_INTEGER EndOfFile; - LARGE_INTEGER AllocationSize; - ULONG FileAttributes; - ULONG FileNameLength; - ULONG EaSize; - ULONG ReparsePointTag; - LARGE_INTEGER FileId; - FILE_ID_128 FileId128; - _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; - } FILE_ID_ALL_EXTD_DIR_INFORMATION, *PFILE_ID_ALL_EXTD_DIR_INFORMATION; - -#define FileIdAllExtdDirectoryInformationDefinition { \ - FileIdAllExtdDirectoryInformation, \ - FIELD_OFFSET(FILE_ID_ALL_EXTD_DIR_INFORMATION, NextEntryOffset), \ - FIELD_OFFSET(FILE_ID_ALL_EXTD_DIR_INFORMATION, FileName), \ - FIELD_OFFSET(FILE_ID_ALL_EXTD_DIR_INFORMATION, FileNameLength)} - - typedef struct _FILE_ID_ALL_EXTD_BOTH_DIR_INFORMATION - { - ULONG NextEntryOffset; - ULONG FileIndex; - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER EndOfFile; - LARGE_INTEGER AllocationSize; - ULONG FileAttributes; - ULONG FileNameLength; - ULONG EaSize; - ULONG ReparsePointTag; - LARGE_INTEGER FileId; - FILE_ID_128 FileId128; - CCHAR ShortNameLength; - WCHAR ShortName[12]; - _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; - } FILE_ID_ALL_EXTD_BOTH_DIR_INFORMATION, *PFILE_ID_ALL_EXTD_BOTH_DIR_INFORMATION; - -#define FileIdAllExtdBothDirectoryInformationDefinition { \ - FileIdAllExtdBothDirectoryInformation, \ - FIELD_OFFSET(FILE_ID_ALL_EXTD_BOTH_DIR_INFORMATION, NextEntryOffset), \ - FIELD_OFFSET(FILE_ID_ALL_EXTD_BOTH_DIR_INFORMATION, FileName), \ - FIELD_OFFSET(FILE_ID_ALL_EXTD_BOTH_DIR_INFORMATION, FileNameLength)} - -#if !defined(NTDDI_WIN11_GE) || (NTDDI_VERSION < NTDDI_WIN11_GE) - typedef struct _FILE_STAT_INFORMATION - { - LARGE_INTEGER FileId; - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER AllocationSize; - LARGE_INTEGER EndOfFile; - ULONG FileAttributes; - ULONG ReparseTag; - ULONG NumberOfLinks; - ACCESS_MASK EffectiveAccess; - } FILE_STAT_INFORMATION, 
*PFILE_STAT_INFORMATION; - - typedef struct _FILE_STAT_BASIC_INFORMATION - { - LARGE_INTEGER FileId; - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER AllocationSize; - LARGE_INTEGER EndOfFile; - ULONG FileAttributes; - ULONG ReparseTag; - ULONG NumberOfLinks; - ULONG DeviceType; - ULONG DeviceCharacteristics; - ULONG Reserved; - LARGE_INTEGER VolumeSerialNumber; - FILE_ID_128 FileId128; - } FILE_STAT_BASIC_INFORMATION, *PFILE_STAT_BASIC_INFORMATION; -#endif - - typedef struct _FILE_MEMORY_PARTITION_INFORMATION - { - HANDLE OwnerPartitionHandle; - union - { - struct - { - UCHAR NoCrossPartitionAccess; - UCHAR Spare[3]; - }; - ULONG AllFlags; - } Flags; - } FILE_MEMORY_PARTITION_INFORMATION, *PFILE_MEMORY_PARTITION_INFORMATION; - -// LxFlags -#define LX_FILE_METADATA_HAS_UID 0x1 -#define LX_FILE_METADATA_HAS_GID 0x2 -#define LX_FILE_METADATA_HAS_MODE 0x4 -#define LX_FILE_METADATA_HAS_DEVICE_ID 0x8 -#define LX_FILE_CASE_SENSITIVE_DIR 0x10 - -#if !defined(NTDDI_WIN11_GE) || (NTDDI_VERSION < NTDDI_WIN11_GE) - typedef struct _FILE_STAT_LX_INFORMATION - { - LARGE_INTEGER FileId; - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER AllocationSize; - LARGE_INTEGER EndOfFile; - ULONG FileAttributes; - ULONG ReparseTag; - ULONG NumberOfLinks; - ACCESS_MASK EffectiveAccess; - ULONG LxFlags; - ULONG LxUid; - ULONG LxGid; - ULONG LxMode; - ULONG LxDeviceIdMajor; - ULONG LxDeviceIdMinor; - } FILE_STAT_LX_INFORMATION, *PFILE_STAT_LX_INFORMATION; -#endif - - typedef struct _FILE_STORAGE_RESERVE_ID_INFORMATION - { - STORAGE_RESERVE_ID StorageReserveId; - } FILE_STORAGE_RESERVE_ID_INFORMATION, *PFILE_STORAGE_RESERVE_ID_INFORMATION; - -#define FILE_CS_FLAG_CASE_SENSITIVE_DIR 0x00000001 - -#if !defined(NTDDI_WIN11_GE) || (NTDDI_VERSION < NTDDI_WIN11_GE) - typedef struct _FILE_CASE_SENSITIVE_INFORMATION - { - ULONG 
Flags; - } FILE_CASE_SENSITIVE_INFORMATION, *PFILE_CASE_SENSITIVE_INFORMATION; -#endif - - typedef enum _FILE_KNOWN_FOLDER_TYPE - { - KnownFolderNone = 0, - KnownFolderDesktop, - KnownFolderDocuments, - KnownFolderDownloads, - KnownFolderMusic, - KnownFolderPictures, - KnownFolderVideos, - KnownFolderOther, - KnownFolderMax - } FILE_KNOWN_FOLDER_TYPE; - - typedef struct _FILE_KNOWN_FOLDER_INFORMATION - { - FILE_KNOWN_FOLDER_TYPE Type; - } FILE_KNOWN_FOLDER_INFORMATION, *PFILE_KNOWN_FOLDER_INFORMATION; - - // private - typedef struct _FILE_STREAM_RESERVATION_INFORMATION - { - ULONG_PTR TrackedReservation; - ULONG_PTR EnforcedReservation; - } FILE_STREAM_RESERVATION_INFORMATION, *PFILE_STREAM_RESERVATION_INFORMATION; - - // private - typedef struct _MUP_PROVIDER_INFORMATION - { - ULONG Level; - PVOID Buffer; - PULONG BufferSize; - } MUP_PROVIDER_INFORMATION, *PMUP_PROVIDER_INFORMATION; - - // NtQueryDirectoryFile types - - typedef struct _FILE_INFORMATION_DEFINITION - { - FILE_INFORMATION_CLASS Class; - ULONG NextEntryOffset; - ULONG FileNameOffset; - ULONG FileNameLengthOffset; - } FILE_INFORMATION_DEFINITION, *PFILE_INFORMATION_DEFINITION; - - typedef struct _FILE_DIRECTORY_INFORMATION - { - ULONG NextEntryOffset; - ULONG FileIndex; - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER EndOfFile; - LARGE_INTEGER AllocationSize; - ULONG FileAttributes; - ULONG FileNameLength; - _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; - } FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION; - -#define FileDirectoryInformationDefinition { \ - FileDirectoryInformation, \ - FIELD_OFFSET(FILE_DIRECTORY_INFORMATION, NextEntryOffset), \ - FIELD_OFFSET(FILE_DIRECTORY_INFORMATION, FileName), \ - FIELD_OFFSET(FILE_DIRECTORY_INFORMATION, FileNameLength)} - - typedef struct _FILE_FULL_DIR_INFORMATION - { - ULONG NextEntryOffset; - ULONG FileIndex; - LARGE_INTEGER CreationTime; - LARGE_INTEGER 
LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER EndOfFile; - LARGE_INTEGER AllocationSize; - ULONG FileAttributes; - ULONG FileNameLength; - ULONG EaSize; - _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; - } FILE_FULL_DIR_INFORMATION, *PFILE_FULL_DIR_INFORMATION; - -#define FileFullDirectoryInformationDefinition { \ - FileFullDirectoryInformation, \ - FIELD_OFFSET(FILE_FULL_DIR_INFORMATION, NextEntryOffset), \ - FIELD_OFFSET(FILE_FULL_DIR_INFORMATION, FileName), \ - FIELD_OFFSET(FILE_FULL_DIR_INFORMATION, FileNameLength)} - - typedef struct _FILE_ID_FULL_DIR_INFORMATION - { - ULONG NextEntryOffset; - ULONG FileIndex; - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER EndOfFile; - LARGE_INTEGER AllocationSize; - ULONG FileAttributes; - ULONG FileNameLength; - ULONG EaSize; - LARGE_INTEGER FileId; - _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; - } FILE_ID_FULL_DIR_INFORMATION, *PFILE_ID_FULL_DIR_INFORMATION; - -#define FileIdFullDirectoryInformationDefinition { \ - FileIdFullDirectoryInformation, \ - FIELD_OFFSET(FILE_ID_FULL_DIR_INFORMATION, NextEntryOffset), \ - FIELD_OFFSET(FILE_ID_FULL_DIR_INFORMATION, FileName), \ - FIELD_OFFSET(FILE_ID_FULL_DIR_INFORMATION, FileNameLength)} - - typedef struct _FILE_BOTH_DIR_INFORMATION - { - ULONG NextEntryOffset; - ULONG FileIndex; - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER EndOfFile; - LARGE_INTEGER AllocationSize; - ULONG FileAttributes; - ULONG FileNameLength; - ULONG EaSize; - CCHAR ShortNameLength; - WCHAR ShortName[12]; - _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; - } FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION; - -#define FileBothDirectoryInformationDefinition { \ - FileBothDirectoryInformation, \ - FIELD_OFFSET(FILE_BOTH_DIR_INFORMATION, NextEntryOffset), \ - 
FIELD_OFFSET(FILE_BOTH_DIR_INFORMATION, FileName), \ - FIELD_OFFSET(FILE_BOTH_DIR_INFORMATION, FileNameLength)} - - typedef struct _FILE_ID_BOTH_DIR_INFORMATION - { - ULONG NextEntryOffset; - ULONG FileIndex; - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER EndOfFile; - LARGE_INTEGER AllocationSize; - ULONG FileAttributes; - ULONG FileNameLength; - ULONG EaSize; - CCHAR ShortNameLength; - WCHAR ShortName[12]; - LARGE_INTEGER FileId; - _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; - } FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION; - -#define FileIdBothDirectoryInformationDefinition { \ - FileIdBothDirectoryInformation, \ - FIELD_OFFSET(FILE_ID_BOTH_DIR_INFORMATION, NextEntryOffset), \ - FIELD_OFFSET(FILE_ID_BOTH_DIR_INFORMATION, FileName), \ - FIELD_OFFSET(FILE_ID_BOTH_DIR_INFORMATION, FileNameLength)} - - typedef struct _FILE_NAMES_INFORMATION - { - ULONG NextEntryOffset; - ULONG FileIndex; - ULONG FileNameLength; - _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; - } FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION; - -#define FileNamesInformationDefinition { \ - FileNamesInformation, \ - FIELD_OFFSET(FILE_NAMES_INFORMATION, NextEntryOffset), \ - FIELD_OFFSET(FILE_NAMES_INFORMATION, FileName), \ - FIELD_OFFSET(FILE_NAMES_INFORMATION, FileNameLength)} - - typedef struct _FILE_ID_GLOBAL_TX_DIR_INFORMATION - { - ULONG NextEntryOffset; - ULONG FileIndex; - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER EndOfFile; - LARGE_INTEGER AllocationSize; - ULONG FileAttributes; - ULONG FileNameLength; - LARGE_INTEGER FileId; - GUID LockingTransactionId; - ULONG TxInfoFlags; - _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; - } FILE_ID_GLOBAL_TX_DIR_INFORMATION, *PFILE_ID_GLOBAL_TX_DIR_INFORMATION; - -#define FILE_ID_GLOBAL_TX_DIR_INFO_FLAG_WRITELOCKED 0x00000001 -#define 
FILE_ID_GLOBAL_TX_DIR_INFO_FLAG_VISIBLE_TO_TX 0x00000002 -#define FILE_ID_GLOBAL_TX_DIR_INFO_FLAG_VISIBLE_OUTSIDE_TX 0x00000004 - -#define FileIdGlobalTxDirectoryInformationDefinition { \ - FileIdGlobalTxDirectoryInformation, \ - FIELD_OFFSET(FILE_ID_GLOBAL_TX_DIR_INFORMATION, NextEntryOffset), \ - FIELD_OFFSET(FILE_ID_GLOBAL_TX_DIR_INFORMATION, FileName), \ - FIELD_OFFSET(FILE_ID_GLOBAL_TX_DIR_INFORMATION, FileNameLength)} - - typedef struct _FILE_OBJECTID_INFORMATION - { - ULONGLONG FileReference; - UCHAR ObjectId[16]; // GUID - union - { - struct - { - UCHAR BirthVolumeId[16]; - UCHAR BirthObjectId[16]; - UCHAR DomainId[16]; - }; - UCHAR ExtendedInfo[48]; - }; - } FILE_OBJECTID_INFORMATION, *PFILE_OBJECTID_INFORMATION; - - typedef struct _FILE_DIRECTORY_NEXT_INFORMATION - { - ULONG NextEntryOffset; - } FILE_DIRECTORY_NEXT_INFORMATION, *PFILE_DIRECTORY_NEXT_INFORMATION; - - // NtQueryEaFile/NtSetEaFile types - - typedef struct _FILE_FULL_EA_INFORMATION - { - ULONG NextEntryOffset; - UCHAR Flags; - UCHAR EaNameLength; - USHORT EaValueLength; - _Field_size_bytes_(EaNameLength) CHAR EaName[1]; - // ... 
- // UCHAR EaValue[1] - } FILE_FULL_EA_INFORMATION, *PFILE_FULL_EA_INFORMATION; - - typedef struct _FILE_GET_EA_INFORMATION - { - ULONG NextEntryOffset; - UCHAR EaNameLength; - _Field_size_bytes_(EaNameLength) CHAR EaName[1]; - } FILE_GET_EA_INFORMATION, *PFILE_GET_EA_INFORMATION; - - // NtQueryQuotaInformationFile/NtSetQuotaInformationFile types - - typedef struct _FILE_GET_QUOTA_INFORMATION - { - ULONG NextEntryOffset; - ULONG SidLength; - _Field_size_bytes_(SidLength) SID Sid; - } FILE_GET_QUOTA_INFORMATION, *PFILE_GET_QUOTA_INFORMATION; - - typedef struct _FILE_QUOTA_INFORMATION - { - ULONG NextEntryOffset; - ULONG SidLength; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER QuotaUsed; - LARGE_INTEGER QuotaThreshold; - LARGE_INTEGER QuotaLimit; - _Field_size_bytes_(SidLength) SID Sid; - } FILE_QUOTA_INFORMATION, *PFILE_QUOTA_INFORMATION; - - typedef enum _FSINFOCLASS - { - FileFsVolumeInformation = 1, // q: FILE_FS_VOLUME_INFORMATION - FileFsLabelInformation, // s: FILE_FS_LABEL_INFORMATION (requires FILE_WRITE_DATA to volume) - FileFsSizeInformation, // q: FILE_FS_SIZE_INFORMATION - FileFsDeviceInformation, // q: FILE_FS_DEVICE_INFORMATION - FileFsAttributeInformation, // q: FILE_FS_ATTRIBUTE_INFORMATION - FileFsControlInformation, // q, s: FILE_FS_CONTROL_INFORMATION (q: requires FILE_READ_DATA; s: requires FILE_WRITE_DATA to volume) - FileFsFullSizeInformation, // q: FILE_FS_FULL_SIZE_INFORMATION - FileFsObjectIdInformation, // q; s: FILE_FS_OBJECTID_INFORMATION (s: requires FILE_WRITE_DATA to volume) - FileFsDriverPathInformation, // q: FILE_FS_DRIVER_PATH_INFORMATION - FileFsVolumeFlagsInformation, // q; s: FILE_FS_VOLUME_FLAGS_INFORMATION (q: requires FILE_READ_ATTRIBUTES; s: requires FILE_WRITE_ATTRIBUTES to volume) // 10 - FileFsSectorSizeInformation, // q: FILE_FS_SECTOR_SIZE_INFORMATION // since WIN8 - FileFsDataCopyInformation, // q: FILE_FS_DATA_COPY_INFORMATION - FileFsMetadataSizeInformation, // q: FILE_FS_METADATA_SIZE_INFORMATION // since THRESHOLD - 
FileFsFullSizeInformationEx, // q: FILE_FS_FULL_SIZE_INFORMATION_EX // since REDSTONE5 - FileFsGuidInformation, // q: FILE_FS_GUID_INFORMATION // since 23H2 - FileFsMaximumInformation - } FSINFOCLASS, - *PFSINFOCLASS; - typedef enum _FSINFOCLASS FS_INFORMATION_CLASS; - - // NtQueryVolumeInformation/NtSetVolumeInformation types - - typedef struct _FILE_FS_VOLUME_INFORMATION - { - LARGE_INTEGER VolumeCreationTime; - ULONG VolumeSerialNumber; - ULONG VolumeLabelLength; - BOOLEAN SupportsObjects; - _Field_size_bytes_(VolumeLabelLength) WCHAR VolumeLabel[1]; - } FILE_FS_VOLUME_INFORMATION, *PFILE_FS_VOLUME_INFORMATION; - - typedef struct _FILE_FS_LABEL_INFORMATION - { - ULONG VolumeLabelLength; - _Field_size_bytes_(VolumeLabelLength) WCHAR VolumeLabel[1]; - } FILE_FS_LABEL_INFORMATION, *PFILE_FS_LABEL_INFORMATION; - - typedef struct _FILE_FS_SIZE_INFORMATION - { - LARGE_INTEGER TotalAllocationUnits; - LARGE_INTEGER AvailableAllocationUnits; - ULONG SectorsPerAllocationUnit; - ULONG BytesPerSector; - } FILE_FS_SIZE_INFORMATION, *PFILE_FS_SIZE_INFORMATION; - -// FileSystemControlFlags -#define FILE_VC_QUOTA_NONE 0x00000000 -#define FILE_VC_QUOTA_TRACK 0x00000001 -#define FILE_VC_QUOTA_ENFORCE 0x00000002 -#define FILE_VC_QUOTA_MASK 0x00000003 -#define FILE_VC_CONTENT_INDEX_DISABLED 0x00000008 -#define FILE_VC_LOG_QUOTA_THRESHOLD 0x00000010 -#define FILE_VC_LOG_QUOTA_LIMIT 0x00000020 -#define FILE_VC_LOG_VOLUME_THRESHOLD 0x00000040 -#define FILE_VC_LOG_VOLUME_LIMIT 0x00000080 -#define FILE_VC_QUOTAS_INCOMPLETE 0x00000100 -#define FILE_VC_QUOTAS_REBUILDING 0x00000200 -#define FILE_VC_VALID_MASK 0x000003ff - - typedef struct _FILE_FS_CONTROL_INFORMATION - { - LARGE_INTEGER FreeSpaceStartFiltering; - LARGE_INTEGER FreeSpaceThreshold; - LARGE_INTEGER FreeSpaceStopFiltering; - LARGE_INTEGER DefaultQuotaThreshold; - LARGE_INTEGER DefaultQuotaLimit; - ULONG FileSystemControlFlags; // FILE_VC_* - } FILE_FS_CONTROL_INFORMATION, *PFILE_FS_CONTROL_INFORMATION; - - typedef struct 
_FILE_FS_FULL_SIZE_INFORMATION - { - LARGE_INTEGER TotalAllocationUnits; - LARGE_INTEGER CallerAvailableAllocationUnits; - LARGE_INTEGER ActualAvailableAllocationUnits; - ULONG SectorsPerAllocationUnit; - ULONG BytesPerSector; - } FILE_FS_FULL_SIZE_INFORMATION, *PFILE_FS_FULL_SIZE_INFORMATION; - - typedef struct _FILE_FS_OBJECTID_INFORMATION - { - UCHAR ObjectId[16]; - union - { - struct - { - UCHAR BirthVolumeId[16]; - UCHAR BirthObjectId[16]; - UCHAR DomainId[16]; - }; - UCHAR ExtendedInfo[48]; - }; - } FILE_FS_OBJECTID_INFORMATION, *PFILE_FS_OBJECTID_INFORMATION; - - typedef struct _FILE_FS_DEVICE_INFORMATION - { - DEVICE_TYPE DeviceType; - ULONG Characteristics; - } FILE_FS_DEVICE_INFORMATION, *PFILE_FS_DEVICE_INFORMATION; - - typedef struct _FILE_FS_ATTRIBUTE_INFORMATION - { - ULONG FileSystemAttributes; - LONG MaximumComponentNameLength; - ULONG FileSystemNameLength; - _Field_size_bytes_(FileSystemNameLength) WCHAR FileSystemName[1]; - } FILE_FS_ATTRIBUTE_INFORMATION, *PFILE_FS_ATTRIBUTE_INFORMATION; - - typedef struct _FILE_FS_DRIVER_PATH_INFORMATION - { - BOOLEAN DriverInPath; - ULONG DriverNameLength; - _Field_size_bytes_(DriverNameLength) WCHAR DriverName[1]; - } FILE_FS_DRIVER_PATH_INFORMATION, *PFILE_FS_DRIVER_PATH_INFORMATION; - - typedef struct _FILE_FS_VOLUME_FLAGS_INFORMATION - { - ULONG Flags; - } FILE_FS_VOLUME_FLAGS_INFORMATION, *PFILE_FS_VOLUME_FLAGS_INFORMATION; - -#define SSINFO_FLAGS_ALIGNED_DEVICE 0x00000001 -#define SSINFO_FLAGS_PARTITION_ALIGNED_ON_DEVICE 0x00000002 -#define SSINFO_FLAGS_NO_SEEK_PENALTY 0x00000004 -#define SSINFO_FLAGS_TRIM_ENABLED 0x00000008 -#define SSINFO_FLAGS_BYTE_ADDRESSABLE 0x00000010 // since REDSTONE - -// If set for Sector and Partition fields, alignment is not known. 
-#define SSINFO_OFFSET_UNKNOWN 0xffffffff - - typedef struct _FILE_FS_SECTOR_SIZE_INFORMATION - { - ULONG LogicalBytesPerSector; - ULONG PhysicalBytesPerSectorForAtomicity; - ULONG PhysicalBytesPerSectorForPerformance; - ULONG FileSystemEffectivePhysicalBytesPerSectorForAtomicity; - ULONG Flags; // SSINFO_FLAGS_* - ULONG ByteOffsetForSectorAlignment; - ULONG ByteOffsetForPartitionAlignment; - } FILE_FS_SECTOR_SIZE_INFORMATION, *PFILE_FS_SECTOR_SIZE_INFORMATION; - - typedef struct _FILE_FS_DATA_COPY_INFORMATION - { - ULONG NumberOfCopies; - } FILE_FS_DATA_COPY_INFORMATION, *PFILE_FS_DATA_COPY_INFORMATION; - - typedef struct _FILE_FS_METADATA_SIZE_INFORMATION - { - LARGE_INTEGER TotalMetadataAllocationUnits; - ULONG SectorsPerAllocationUnit; - ULONG BytesPerSector; - } FILE_FS_METADATA_SIZE_INFORMATION, *PFILE_FS_METADATA_SIZE_INFORMATION; - - typedef struct _FILE_FS_FULL_SIZE_INFORMATION_EX - { - ULONGLONG ActualTotalAllocationUnits; - ULONGLONG ActualAvailableAllocationUnits; - ULONGLONG ActualPoolUnavailableAllocationUnits; - ULONGLONG CallerTotalAllocationUnits; - ULONGLONG CallerAvailableAllocationUnits; - ULONGLONG CallerPoolUnavailableAllocationUnits; - ULONGLONG UsedAllocationUnits; - ULONGLONG TotalReservedAllocationUnits; - ULONGLONG VolumeStorageReserveAllocationUnits; - ULONGLONG AvailableCommittedAllocationUnits; - ULONGLONG PoolAvailableAllocationUnits; - ULONG SectorsPerAllocationUnit; - ULONG BytesPerSector; - } FILE_FS_FULL_SIZE_INFORMATION_EX, *PFILE_FS_FULL_SIZE_INFORMATION_EX; - - typedef struct _FILE_FS_GUID_INFORMATION - { - GUID FsGuid; - } FILE_FS_GUID_INFORMATION, *PFILE_FS_GUID_INFORMATION; - - // System calls - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateFile( - _Out_ PHANDLE FileHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_opt_ PLARGE_INTEGER AllocationSize, - _In_ ULONG FileAttributes, - _In_ ULONG ShareAccess, - _In_ ULONG CreateDisposition, - _In_ 
ULONG CreateOptions, - _In_reads_bytes_opt_(EaLength) PVOID EaBuffer, - _In_ ULONG EaLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateNamedPipeFile( - _Out_ PHANDLE FileHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_ ULONG ShareAccess, - _In_ ULONG CreateDisposition, - _In_ ULONG CreateOptions, - _In_ ULONG NamedPipeType, - _In_ ULONG ReadMode, - _In_ ULONG CompletionMode, - _In_ ULONG MaximumInstances, - _In_ ULONG InboundQuota, - _In_ ULONG OutboundQuota, - _In_ PLARGE_INTEGER DefaultTimeout); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateMailslotFile( - _Out_ PHANDLE FileHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_ ULONG CreateOptions, - _In_ ULONG MailslotQuota, - _In_ ULONG MaximumMessageSize, - _In_ PLARGE_INTEGER ReadTimeout); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtOpenFile( - _Out_ PHANDLE FileHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_ ULONG ShareAccess, - _In_ ULONG OpenOptions); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtDeleteFile( - _In_ POBJECT_ATTRIBUTES ObjectAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtFlushBuffersFile( - _In_ HANDLE FileHandle, - _Out_ PIO_STATUS_BLOCK IoStatusBlock); - -// Flag definitions for NtFlushBuffersFileEx -// -// If none of the below flags are specified the following will occur for a -// given file handle: -// - Write any modified data for the given file from the Windows in-memory -// cache. -// - Commit all pending metadata changes for the given file from the -// Windows in-memory cache. -// - Send a SYNC command to the underlying storage device to commit all -// written data in the devices cache to persistent storage. 
-// -// If a volume handle is specified: -// - Write all modified data for all files on the volume from the Windows -// in-memory cache. -// - Commit all pending metadata changes for all files on the volume from -// the Windows in-memory cache. -// - Send a SYNC command to the underlying storage device to commit all -// written data in the devices cache to persistent storage. -// -// This is equivalent to how NtFlushBuffersFile has always worked. -// - -// If set, this operation will write the data for the given file from the -// Windows in-memory cache. This will NOT commit any associated metadata -// changes. This will NOT send a SYNC to the storage device to flush its -// cache. Not supported on volume handles. -// -#define FLUSH_FLAGS_FILE_DATA_ONLY 0x00000001 -// -// If set, this operation will commit both the data and metadata changes for -// the given file from the Windows in-memory cache. This will NOT send a SYNC -// to the storage device to flush its cache. Not supported on volume handles. -// -#define FLUSH_FLAGS_NO_SYNC 0x00000002 -// -// If set, this operation will write the data for the given file from the -// Windows in-memory cache. It will also try to skip updating the timestamp -// as much as possible. This will send a SYNC to the storage device to flush its -// cache. Not supported on volume or directory handles. -// -#define FLUSH_FLAGS_FILE_DATA_SYNC_ONLY 0x00000004 // REDSTONE1 -// -// If set, this operation will write the data for the given file from the -// Windows in-memory cache. It will also try to skip updating the timestamp -// as much as possible. This will send a SYNC to the storage device to flush its -// cache. Not supported on volume or directory handles. 
-// -#define FLUSH_FLAGS_FLUSH_AND_PURGE 0x00000008 // 24H2 - -#if (PHNT_VERSION >= PHNT_WIN8) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtFlushBuffersFileEx( - _In_ HANDLE FileHandle, - _In_ ULONG Flags, - _In_reads_bytes_(ParametersSize) PVOID Parameters, - _In_ ULONG ParametersSize, - _Out_ PIO_STATUS_BLOCK IoStatusBlock); -#endif - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryInformationFile( - _In_ HANDLE FileHandle, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _Out_writes_bytes_(Length) PVOID FileInformation, - _In_ ULONG Length, - _In_ FILE_INFORMATION_CLASS FileInformationClass); - -#if (PHNT_VERSION >= PHNT_REDSTONE2) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryInformationByName( - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _Out_writes_bytes_(Length) PVOID FileInformation, - _In_ ULONG Length, - _In_ FILE_INFORMATION_CLASS FileInformationClass); -#endif - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetInformationFile( - _In_ HANDLE FileHandle, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_reads_bytes_(Length) PVOID FileInformation, - _In_ ULONG Length, - _In_ FILE_INFORMATION_CLASS FileInformationClass); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryDirectoryFile( - _In_ HANDLE FileHandle, - _In_opt_ HANDLE Event, - _In_opt_ PIO_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _Out_writes_bytes_(Length) PVOID FileInformation, - _In_ ULONG Length, - _In_ FILE_INFORMATION_CLASS FileInformationClass, - _In_ BOOLEAN ReturnSingleEntry, - _In_opt_ PUNICODE_STRING FileName, - _In_ BOOLEAN RestartScan); - -// QueryFlags values for NtQueryDirectoryFileEx -#define FILE_QUERY_RESTART_SCAN 0x00000001 -#define FILE_QUERY_RETURN_SINGLE_ENTRY 0x00000002 -#define FILE_QUERY_INDEX_SPECIFIED 0x00000004 -#define FILE_QUERY_RETURN_ON_DISK_ENTRIES_ONLY 0x00000008 -#define FILE_QUERY_NO_CURSOR_UPDATE 0x00000010 // RS5 - -#if (PHNT_VERSION >= PHNT_REDSTONE3) - NTSYSCALLAPI - NTSTATUS - NTAPI - 
NtQueryDirectoryFileEx( - _In_ HANDLE FileHandle, - _In_opt_ HANDLE Event, - _In_opt_ PIO_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _Out_writes_bytes_(Length) PVOID FileInformation, - _In_ ULONG Length, - _In_ FILE_INFORMATION_CLASS FileInformationClass, - _In_ ULONG QueryFlags, - _In_opt_ PUNICODE_STRING FileName); -#endif - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryEaFile( - _In_ HANDLE FileHandle, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _Out_writes_bytes_(Length) PVOID Buffer, - _In_ ULONG Length, - _In_ BOOLEAN ReturnSingleEntry, - _In_reads_bytes_opt_(EaListLength) PVOID EaList, - _In_ ULONG EaListLength, - _In_opt_ PULONG EaIndex, - _In_ BOOLEAN RestartScan); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetEaFile( - _In_ HANDLE FileHandle, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_reads_bytes_(Length) PVOID Buffer, - _In_ ULONG Length); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryQuotaInformationFile( - _In_ HANDLE FileHandle, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _Out_writes_bytes_(Length) PVOID Buffer, - _In_ ULONG Length, - _In_ BOOLEAN ReturnSingleEntry, - _In_reads_bytes_opt_(SidListLength) PVOID SidList, - _In_ ULONG SidListLength, - _In_opt_ PSID StartSid, - _In_ BOOLEAN RestartScan); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetQuotaInformationFile( - _In_ HANDLE FileHandle, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_reads_bytes_(Length) PVOID Buffer, - _In_ ULONG Length); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryVolumeInformationFile( - _In_ HANDLE FileHandle, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _Out_writes_bytes_(Length) PVOID FsInformation, - _In_ ULONG Length, - _In_ FSINFOCLASS FsInformationClass); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetVolumeInformationFile( - _In_ HANDLE FileHandle, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_reads_bytes_(Length) PVOID FsInformation, - _In_ ULONG Length, - _In_ FSINFOCLASS FsInformationClass); - - NTSYSCALLAPI - NTSTATUS - NTAPI - 
NtCancelIoFile( - _In_ HANDLE FileHandle, - _Out_ PIO_STATUS_BLOCK IoStatusBlock); - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCancelIoFileEx( - _In_ HANDLE FileHandle, - _In_opt_ PIO_STATUS_BLOCK IoRequestToCancel, - _Out_ PIO_STATUS_BLOCK IoStatusBlock); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCancelSynchronousIoFile( - _In_ HANDLE ThreadHandle, - _In_opt_ PIO_STATUS_BLOCK IoRequestToCancel, - _Out_ PIO_STATUS_BLOCK IoStatusBlock); -#endif - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtDeviceIoControlFile( - _In_ HANDLE FileHandle, - _In_opt_ HANDLE Event, - _In_opt_ PIO_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_ ULONG IoControlCode, - _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, - _In_ ULONG InputBufferLength, - _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer, - _In_ ULONG OutputBufferLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtFsControlFile( - _In_ HANDLE FileHandle, - _In_opt_ HANDLE Event, - _In_opt_ PIO_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_ ULONG FsControlCode, - _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, - _In_ ULONG InputBufferLength, - _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer, - _In_ ULONG OutputBufferLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtReadFile( - _In_ HANDLE FileHandle, - _In_opt_ HANDLE Event, - _In_opt_ PIO_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _Out_writes_bytes_(Length) PVOID Buffer, - _In_ ULONG Length, - _In_opt_ PLARGE_INTEGER ByteOffset, - _In_opt_ PULONG Key); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtWriteFile( - _In_ HANDLE FileHandle, - _In_opt_ HANDLE Event, - _In_opt_ PIO_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_reads_bytes_(Length) PVOID Buffer, - _In_ ULONG Length, 
- _In_opt_ PLARGE_INTEGER ByteOffset, - _In_opt_ PULONG Key); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtReadFileScatter( - _In_ HANDLE FileHandle, - _In_opt_ HANDLE Event, - _In_opt_ PIO_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_ PFILE_SEGMENT_ELEMENT SegmentArray, - _In_ ULONG Length, - _In_opt_ PLARGE_INTEGER ByteOffset, - _In_opt_ PULONG Key); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtWriteFileGather( - _In_ HANDLE FileHandle, - _In_opt_ HANDLE Event, - _In_opt_ PIO_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_ PFILE_SEGMENT_ELEMENT SegmentArray, - _In_ ULONG Length, - _In_opt_ PLARGE_INTEGER ByteOffset, - _In_opt_ PULONG Key); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtLockFile( - _In_ HANDLE FileHandle, - _In_opt_ HANDLE Event, - _In_opt_ PIO_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_ PLARGE_INTEGER ByteOffset, - _In_ PLARGE_INTEGER Length, - _In_ ULONG Key, - _In_ BOOLEAN FailImmediately, - _In_ BOOLEAN ExclusiveLock); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtUnlockFile( - _In_ HANDLE FileHandle, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_ PLARGE_INTEGER ByteOffset, - _In_ PLARGE_INTEGER Length, - _In_ ULONG Key); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryAttributesFile( - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _Out_ PFILE_BASIC_INFORMATION FileInformation); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryFullAttributesFile( - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _Out_ PFILE_NETWORK_OPEN_INFORMATION FileInformation); - -#define FILE_NOTIFY_CHANGE_FILE_NAME 0x00000001 // winnt -#define FILE_NOTIFY_CHANGE_DIR_NAME 0x00000002 // winnt -#define FILE_NOTIFY_CHANGE_NAME 0x00000003 -#define FILE_NOTIFY_CHANGE_ATTRIBUTES 0x00000004 // winnt -#define FILE_NOTIFY_CHANGE_SIZE 0x00000008 // winnt -#define FILE_NOTIFY_CHANGE_LAST_WRITE 0x00000010 // winnt -#define FILE_NOTIFY_CHANGE_LAST_ACCESS 
0x00000020 // winnt -#define FILE_NOTIFY_CHANGE_CREATION 0x00000040 // winnt -#define FILE_NOTIFY_CHANGE_EA 0x00000080 -#define FILE_NOTIFY_CHANGE_SECURITY 0x00000100 // winnt -#define FILE_NOTIFY_CHANGE_STREAM_NAME 0x00000200 -#define FILE_NOTIFY_CHANGE_STREAM_SIZE 0x00000400 -#define FILE_NOTIFY_CHANGE_STREAM_WRITE 0x00000800 -#define FILE_NOTIFY_VALID_MASK 0x00000fff - -#define FILE_ACTION_ADDED 0x00000001 // winnt -#define FILE_ACTION_REMOVED 0x00000002 // winnt -#define FILE_ACTION_MODIFIED 0x00000003 // winnt -#define FILE_ACTION_RENAMED_OLD_NAME 0x00000004 // winnt -#define FILE_ACTION_RENAMED_NEW_NAME 0x00000005 // winnt -#define FILE_ACTION_ADDED_STREAM 0x00000006 -#define FILE_ACTION_REMOVED_STREAM 0x00000007 -#define FILE_ACTION_MODIFIED_STREAM 0x00000008 -#define FILE_ACTION_REMOVED_BY_DELETE 0x00000009 -#define FILE_ACTION_ID_NOT_TUNNELLED 0x0000000A -#define FILE_ACTION_TUNNELLED_ID_COLLISION 0x0000000B - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtNotifyChangeDirectoryFile( - _In_ HANDLE FileHandle, - _In_opt_ HANDLE Event, - _In_opt_ PIO_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _Out_writes_bytes_(Length) PVOID Buffer, // FILE_NOTIFY_INFORMATION - _In_ ULONG Length, - _In_ ULONG CompletionFilter, - _In_ BOOLEAN WatchTree); - - // private - typedef enum _DIRECTORY_NOTIFY_INFORMATION_CLASS - { - DirectoryNotifyInformation = 1, // FILE_NOTIFY_INFORMATION - DirectoryNotifyExtendedInformation, // FILE_NOTIFY_EXTENDED_INFORMATION - DirectoryNotifyFullInformation, // FILE_NOTIFY_FULL_INFORMATION // since 22H2 - DirectoryNotifyMaximumInformation - } DIRECTORY_NOTIFY_INFORMATION_CLASS, - *PDIRECTORY_NOTIFY_INFORMATION_CLASS; - -#if !defined(NTDDI_WIN10_RS5) || (NTDDI_VERSION < NTDDI_WIN10_RS5) - typedef struct _FILE_NOTIFY_INFORMATION - { - ULONG NextEntryOffset; - ULONG Action; - ULONG FileNameLength; - WCHAR FileName[1]; - } FILE_NOTIFY_INFORMATION, *PFILE_NOTIFY_INFORMATION; - - typedef struct 
_FILE_NOTIFY_EXTENDED_INFORMATION - { - ULONG NextEntryOffset; - ULONG Action; - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastModificationTime; - LARGE_INTEGER LastChangeTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER AllocatedLength; - LARGE_INTEGER FileSize; - ULONG FileAttributes; - union - { - ULONG ReparsePointTag; - ULONG EaSize; - }; - LARGE_INTEGER FileId; - LARGE_INTEGER ParentFileId; - ULONG FileNameLength; - WCHAR FileName[1]; - } FILE_NOTIFY_EXTENDED_INFORMATION, *PFILE_NOTIFY_EXTENDED_INFORMATION; -#endif - -#define FILE_NAME_FLAG_HARDLINK 0 // not part of a name pair -#define FILE_NAME_FLAG_NTFS 0x01 // NTFS name in a name pair -#define FILE_NAME_FLAG_DOS 0x02 // DOS name in a name pair -#define FILE_NAME_FLAG_BOTH 0x03 // NTFS+DOS combined name -#define FILE_NAME_FLAGS_UNSPECIFIED 0x80 // not specified by file system (do not combine with other flags) - -#if !defined(NTDDI_WIN10_NI) || (NTDDI_VERSION < NTDDI_WIN10_NI) - typedef struct _FILE_NOTIFY_FULL_INFORMATION - { - ULONG NextEntryOffset; - ULONG Action; - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastModificationTime; - LARGE_INTEGER LastChangeTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER AllocatedLength; - LARGE_INTEGER FileSize; - ULONG FileAttributes; - union - { - ULONG ReparsePointTag; - ULONG EaSize; - }; - LARGE_INTEGER FileId; - LARGE_INTEGER ParentFileId; - USHORT FileNameLength; - BYTE FileNameFlags; - BYTE Reserved; - WCHAR FileName[1]; - } FILE_NOTIFY_FULL_INFORMATION, *PFILE_NOTIFY_FULL_INFORMATION; -#endif - -#if (PHNT_VERSION >= PHNT_REDSTONE3) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtNotifyChangeDirectoryFileEx( - _In_ HANDLE FileHandle, - _In_opt_ HANDLE Event, - _In_opt_ PIO_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _Out_writes_bytes_(Length) PVOID Buffer, - _In_ ULONG Length, - _In_ ULONG CompletionFilter, - _In_ BOOLEAN WatchTree, - _In_opt_ DIRECTORY_NOTIFY_INFORMATION_CLASS DirectoryNotifyInformationClass); 
-#endif - - /** - * \brief The NtLoadDriver function loads a driver specified by the DriverServiceName parameter. - * \param DriverServiceName A pointer to a UNICODE_STRING structure that specifies the name of the driver service to load. - * \return NTSTATUS The status code returned by the function. Possible values include, but are not limited to: - * - STATUS_SUCCESS: The driver was successfully loaded. - * - STATUS_INVALID_PARAMETER: The DriverServiceName parameter is invalid. - * - STATUS_INSUFFICIENT_RESOURCES: There are insufficient resources to load the driver. - * - STATUS_OBJECT_NAME_NOT_FOUND: The specified driver service name was not found. - * - STATUS_OBJECT_PATH_NOT_FOUND: The path to the driver service was not found. - * - STATUS_OBJECT_NAME_COLLISION: A driver with the same name already exists. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtLoadDriver( - _In_ PUNICODE_STRING DriverServiceName); - - /** - * \brief The NtUnloadDriver function unloads a driver specified by the DriverServiceName parameter. - * \param DriverServiceName A pointer to a UNICODE_STRING structure that specifies the name of the driver service to unload. - * \return NTSTATUS The status code returned by the function. Possible values include, but are not limited to: - * - STATUS_SUCCESS: The driver was successfully unloaded. - * - STATUS_INVALID_PARAMETER: The DriverServiceName parameter is invalid. - * - STATUS_OBJECT_NAME_NOT_FOUND: The specified driver service name was not found. - * - STATUS_OBJECT_PATH_NOT_FOUND: The path to the driver service was not found. - * - STATUS_OBJECT_NAME_COLLISION: A driver with the same name already exists. 
- */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtUnloadDriver( - _In_ PUNICODE_STRING DriverServiceName); - - // I/O completion port - -#ifndef IO_COMPLETION_QUERY_STATE -#define IO_COMPLETION_QUERY_STATE 0x0001 -#endif - -#ifndef IO_COMPLETION_MODIFY_STATE -#define IO_COMPLETION_MODIFY_STATE 0x0002 -#endif - -#ifndef IO_COMPLETION_ALL_ACCESS -#define IO_COMPLETION_ALL_ACCESS (IO_COMPLETION_QUERY_STATE | IO_COMPLETION_MODIFY_STATE | STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE) -#endif - - typedef enum _IO_COMPLETION_INFORMATION_CLASS - { - IoCompletionBasicInformation - } IO_COMPLETION_INFORMATION_CLASS; - - typedef struct _IO_COMPLETION_BASIC_INFORMATION - { - LONG Depth; - } IO_COMPLETION_BASIC_INFORMATION, *PIO_COMPLETION_BASIC_INFORMATION; - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateIoCompletion( - _Out_ PHANDLE IoCompletionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ ULONG NumberOfConcurrentThreads); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtOpenIoCompletion( - _Out_ PHANDLE IoCompletionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryIoCompletion( - _In_ HANDLE IoCompletionHandle, - _In_ IO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass, - _Out_writes_bytes_(IoCompletionInformationLength) PVOID IoCompletionInformation, - _In_ ULONG IoCompletionInformationLength, - _Out_opt_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetIoCompletion( - _In_ HANDLE IoCompletionHandle, - _In_opt_ PVOID KeyContext, - _In_opt_ PVOID ApcContext, - _In_ NTSTATUS IoStatus, - _In_ ULONG_PTR IoStatusInformation); - -#if (PHNT_VERSION >= PHNT_WIN7) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetIoCompletionEx( - _In_ HANDLE IoCompletionHandle, - _In_ HANDLE IoCompletionPacketHandle, - _In_opt_ PVOID KeyContext, - _In_opt_ PVOID ApcContext, - _In_ NTSTATUS IoStatus, - _In_ ULONG_PTR IoStatusInformation); -#endif - - NTSYSCALLAPI - 
NTSTATUS - NTAPI - NtRemoveIoCompletion( - _In_ HANDLE IoCompletionHandle, - _Out_ PVOID *KeyContext, - _Out_ PVOID *ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_opt_ PLARGE_INTEGER Timeout); - -#if (PHNT_VERSION >= PHNT_VISTA) - // private - typedef struct _FILE_IO_COMPLETION_INFORMATION - { - PVOID KeyContext; - PVOID ApcContext; - IO_STATUS_BLOCK IoStatusBlock; - } FILE_IO_COMPLETION_INFORMATION, *PFILE_IO_COMPLETION_INFORMATION; - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtRemoveIoCompletionEx( - _In_ HANDLE IoCompletionHandle, - _Out_writes_to_(Count, *NumEntriesRemoved) PFILE_IO_COMPLETION_INFORMATION IoCompletionInformation, - _In_ ULONG Count, - _Out_ PULONG NumEntriesRemoved, - _In_opt_ PLARGE_INTEGER Timeout, - _In_ BOOLEAN Alertable); -#endif - - // Wait completion packet - -#if (PHNT_VERSION >= PHNT_WIN8) - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateWaitCompletionPacket( - _Out_ PHANDLE WaitCompletionPacketHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAssociateWaitCompletionPacket( - _In_ HANDLE WaitCompletionPacketHandle, - _In_ HANDLE IoCompletionHandle, - _In_ HANDLE TargetObjectHandle, - _In_opt_ PVOID KeyContext, - _In_opt_ PVOID ApcContext, - _In_ NTSTATUS IoStatus, - _In_ ULONG_PTR IoStatusInformation, - _Out_opt_ PBOOLEAN AlreadySignaled); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCancelWaitCompletionPacket( - _In_ HANDLE WaitCompletionPacketHandle, - _In_ BOOLEAN RemoveSignaledPacket); - -#endif - - // Sessions - - typedef enum _IO_SESSION_EVENT - { - IoSessionEventIgnore, - IoSessionEventCreated, - IoSessionEventTerminated, - IoSessionEventConnected, - IoSessionEventDisconnected, - IoSessionEventLogon, - IoSessionEventLogoff, - IoSessionEventMax - } IO_SESSION_EVENT; - - typedef enum _IO_SESSION_STATE - { - IoSessionStateCreated = 1, - IoSessionStateInitialized = 2, - IoSessionStateConnected = 3, - IoSessionStateDisconnected = 4, - 
IoSessionStateDisconnectedLoggedOn = 5, - IoSessionStateLoggedOn = 6, - IoSessionStateLoggedOff = 7, - IoSessionStateTerminated = 8, - IoSessionStateMax - } IO_SESSION_STATE; - - // Sessions - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtOpenSession( - _Out_ PHANDLE SessionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes); -#endif - -#endif - -#if (PHNT_VERSION >= PHNT_WIN7) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtNotifyChangeSession( - _In_ HANDLE SessionHandle, - _In_ ULONG ChangeSequenceNumber, - _In_ PLARGE_INTEGER ChangeTimeStamp, - _In_ IO_SESSION_EVENT Event, - _In_ IO_SESSION_STATE NewState, - _In_ IO_SESSION_STATE PreviousState, - _In_reads_bytes_opt_(PayloadSize) PVOID Payload, - _In_ ULONG PayloadSize); -#endif - - // I/O Ring - -#if (PHNT_VERSION >= PHNT_WIN11) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateIoRing( - _Out_ PHANDLE IoRingHandle, - _In_ ULONG CreateParametersLength, - _In_ PVOID CreateParameters, - _In_ ULONG OutputParametersLength, - _Out_ PVOID OutputParameters); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSubmitIoRing( - _In_ HANDLE IoRingHandle, - _In_ ULONG Flags, - _In_opt_ ULONG WaitOperations, - _In_opt_ PLARGE_INTEGER Timeout); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryIoRingCapabilities( - _In_ SIZE_T IoRingCapabilitiesLength, - _Out_ PVOID IoRingCapabilities); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetInformationIoRing( - _In_ HANDLE IoRingHandle, - _In_ ULONG IoRingInformationClass, - _In_ ULONG IoRingInformationLength, - _In_ PVOID IoRingInformation); -#endif - - // Other types - - typedef enum _INTERFACE_TYPE - { - InterfaceTypeUndefined = -1, - Internal = 0, - Isa = 1, - Eisa = 2, - MicroChannel = 3, - TurboChannel = 4, - PCIBus = 5, - VMEBus = 6, - NuBus = 7, - PCMCIABus = 8, - CBus = 9, - MPIBus = 10, - MPSABus = 11, - ProcessorInternal = 12, - InternalPowerBus = 13, - PNPISABus = 14, - PNPBus = 15, - Vmcs = 16, - ACPIBus = 
17, - MaximumInterfaceType - } INTERFACE_TYPE, - *PINTERFACE_TYPE; - - typedef enum _DMA_WIDTH - { - Width8Bits, - Width16Bits, - Width32Bits, - Width64Bits, - WidthNoWrap, - MaximumDmaWidth - } DMA_WIDTH, - *PDMA_WIDTH; - - typedef enum _DMA_SPEED - { - Compatible, - TypeA, - TypeB, - TypeC, - TypeF, - MaximumDmaSpeed - } DMA_SPEED, - *PDMA_SPEED; - - typedef enum _BUS_DATA_TYPE - { - ConfigurationSpaceUndefined = -1, - Cmos, - EisaConfiguration, - Pos, - CbusConfiguration, - PCIConfiguration, - VMEConfiguration, - NuBusConfiguration, - PCMCIAConfiguration, - MPIConfiguration, - MPSAConfiguration, - PNPISAConfiguration, - SgiInternalConfiguration, - MaximumBusDataType - } BUS_DATA_TYPE, - *PBUS_DATA_TYPE; - - // Control structures - - // Reparse structure for FSCTL_SET_REPARSE_POINT, FSCTL_GET_REPARSE_POINT, FSCTL_DELETE_REPARSE_POINT - -#define SYMLINK_FLAG_RELATIVE 0x00000001 -#define SYMLINK_DIRECTORY 0x80000000 // If set then this is a directory symlink -#define SYMLINK_FILE 0x40000000 // If set then this is a file symlink - - typedef struct _REPARSE_DATA_BUFFER - { - ULONG ReparseTag; - USHORT ReparseDataLength; - USHORT Reserved; - - _Field_size_bytes_(ReparseDataLength) union - { - struct - { - USHORT SubstituteNameOffset; - USHORT SubstituteNameLength; - USHORT PrintNameOffset; - USHORT PrintNameLength; - ULONG Flags; - WCHAR PathBuffer[1]; - } SymbolicLinkReparseBuffer; - struct - { - USHORT SubstituteNameOffset; - USHORT SubstituteNameLength; - USHORT PrintNameOffset; - USHORT PrintNameLength; - WCHAR PathBuffer[1]; - } MountPointReparseBuffer; - struct - { - ULONG StringCount; - WCHAR StringList[1]; - } AppExecLinkReparseBuffer; - struct - { - UCHAR DataBuffer[1]; - } GenericReparseBuffer; - }; - } REPARSE_DATA_BUFFER, *PREPARSE_DATA_BUFFER; - -#define REPARSE_DATA_BUFFER_HEADER_SIZE UFIELD_OFFSET(REPARSE_DATA_BUFFER, GenericReparseBuffer) - - // Reparse structure for FSCTL_SET_REPARSE_POINT_EX - - typedef struct _REPARSE_DATA_BUFFER_EX - { - ULONG 
Flags; - - // - // This is the existing reparse tag on the file if any, if the - // caller wants to replace the reparse tag too. - // - // - To set the reparse data along with the reparse tag that - // could be different, pass the current reparse tag of the - // file. - // - // - To update the reparse data while having the same reparse - // tag, the caller should give the existing reparse tag in - // this ExistingReparseTag field. - // - // - To set the reparse tag along with reparse data on a file - // that doesn't have a reparse tag yet, set this to zero. - // - // If the ExistingReparseTag does not match the reparse tag on - // the file, the FSCTL_SET_REPARSE_POINT_EX would fail with - // STATUS_IO_REPARSE_TAG_MISMATCH. NOTE: If a file doesn't have - // a reparse tag, ExistingReparseTag should be 0. - // - - ULONG ExistingReparseTag; - - // For non-Microsoft reparse tags, this is the existing reparse - // guid on the file if any, if the caller wants to replace the - // reparse tag and / or guid along with the data. - // - // If ExistingReparseTag is 0, the file is not expected to have - // any reparse tags, so ExistingReparseGuid is ignored. And for - // non-Microsoft tags ExistingReparseGuid should match the guid - // in the file if ExistingReparseTag is non zero. - - GUID ExistingReparseGuid; - - // - // Reserved - // - ULONGLONG Reserved; - - // - // Reparse data to set - // - union - { - REPARSE_DATA_BUFFER ReparseDataBuffer; - REPARSE_GUID_DATA_BUFFER ReparseGuidDataBuffer; - }; - } REPARSE_DATA_BUFFER_EX, *PREPARSE_DATA_BUFFER_EX; - -// REPARSE_DATA_BUFFER_EX Flags -// -// REPARSE_DATA_EX_FLAG_GIVEN_TAG_OR_NONE - Forces the FSCTL to set the -// reparse tag if the file has no tag or the tag on the file is same as -// the one in ExistingReparseTag. NOTE: If the ExistingReparseTag is -// not a Microsoft tag then the ExistingReparseGuid should match if the -// file has the ExistingReparseTag. 
-// -#define REPARSE_DATA_EX_FLAG_GIVEN_TAG_OR_NONE (0x00000001) - -#define REPARSE_GUID_DATA_BUFFER_EX_HEADER_SIZE \ - UFIELD_OFFSET(REPARSE_DATA_BUFFER_EX, ReparseGuidDataBuffer.GenericReparseBuffer) - -#define REPARSE_DATA_BUFFER_EX_HEADER_SIZE \ - UFIELD_OFFSET(REPARSE_DATA_BUFFER_EX, ReparseDataBuffer.GenericReparseBuffer) - - // Named pipe FS control definitions - -#define DEVICE_NAMED_PIPE L"\\Device\\NamedPipe\\" - -#define FSCTL_PIPE_ASSIGN_EVENT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 0, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define FSCTL_PIPE_DISCONNECT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 1, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define FSCTL_PIPE_LISTEN CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define FSCTL_PIPE_PEEK CTL_CODE(FILE_DEVICE_NAMED_PIPE, 3, METHOD_BUFFERED, FILE_READ_DATA) -#define FSCTL_PIPE_QUERY_EVENT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 4, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define FSCTL_PIPE_TRANSCEIVE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 5, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) -#define FSCTL_PIPE_WAIT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 6, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define FSCTL_PIPE_IMPERSONATE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 7, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define FSCTL_PIPE_SET_CLIENT_PROCESS CTL_CODE(FILE_DEVICE_NAMED_PIPE, 8, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define FSCTL_PIPE_QUERY_CLIENT_PROCESS CTL_CODE(FILE_DEVICE_NAMED_PIPE, 9, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define FSCTL_PIPE_GET_PIPE_ATTRIBUTE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 10, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define FSCTL_PIPE_SET_PIPE_ATTRIBUTE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 11, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define FSCTL_PIPE_GET_CONNECTION_ATTRIBUTE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 12, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define FSCTL_PIPE_SET_CONNECTION_ATTRIBUTE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 13, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define FSCTL_PIPE_GET_HANDLE_ATTRIBUTE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 14, 
METHOD_BUFFERED, FILE_ANY_ACCESS) -#define FSCTL_PIPE_SET_HANDLE_ATTRIBUTE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 15, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define FSCTL_PIPE_FLUSH CTL_CODE(FILE_DEVICE_NAMED_PIPE, 16, METHOD_BUFFERED, FILE_WRITE_DATA) -#define FSCTL_PIPE_DISABLE_IMPERSONATE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 17, METHOD_BUFFERED, FILE_ANY_ACCESS) // since REDSTONE -#define FSCTL_PIPE_SILO_ARRIVAL CTL_CODE(FILE_DEVICE_NAMED_PIPE, 18, METHOD_BUFFERED, FILE_WRITE_DATA) // since REDSTONE3 -#define FSCTL_PIPE_CREATE_SYMLINK CTL_CODE(FILE_DEVICE_NAMED_PIPE, 19, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) // requires SeTcbPrivilege -#define FSCTL_PIPE_DELETE_SYMLINK CTL_CODE(FILE_DEVICE_NAMED_PIPE, 20, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) -#define FSCTL_PIPE_QUERY_CLIENT_PROCESS_V2 CTL_CODE(FILE_DEVICE_NAMED_PIPE, 21, METHOD_BUFFERED, FILE_ANY_ACCESS) // since 19H1 - -#define FSCTL_PIPE_INTERNAL_READ CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2045, METHOD_BUFFERED, FILE_READ_DATA) -#define FSCTL_PIPE_INTERNAL_WRITE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2046, METHOD_BUFFERED, FILE_WRITE_DATA) -#define FSCTL_PIPE_INTERNAL_TRANSCEIVE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2047, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) -#define FSCTL_PIPE_INTERNAL_READ_OVFLOW CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2048, METHOD_BUFFERED, FILE_READ_DATA) - - // Flags for query event - -#define FILE_PIPE_READ_DATA 0x00000000 -#define FILE_PIPE_WRITE_SPACE 0x00000001 - - // Input for FSCTL_PIPE_ASSIGN_EVENT - typedef struct _FILE_PIPE_ASSIGN_EVENT_BUFFER - { - HANDLE EventHandle; - ULONG KeyValue; - } FILE_PIPE_ASSIGN_EVENT_BUFFER, *PFILE_PIPE_ASSIGN_EVENT_BUFFER; - - // Output for FILE_PIPE_PEEK_BUFFER - typedef struct _FILE_PIPE_PEEK_BUFFER - { - ULONG NamedPipeState; - ULONG ReadDataAvailable; - ULONG NumberOfMessages; - ULONG MessageLength; - _Field_size_bytes_(MessageLength) CHAR Data[1]; - } FILE_PIPE_PEEK_BUFFER, *PFILE_PIPE_PEEK_BUFFER; - - // Output for FSCTL_PIPE_QUERY_EVENT - typedef struct 
_FILE_PIPE_EVENT_BUFFER - { - ULONG NamedPipeState; - ULONG EntryType; - ULONG ByteCount; - ULONG KeyValue; - ULONG NumberRequests; - } FILE_PIPE_EVENT_BUFFER, *PFILE_PIPE_EVENT_BUFFER; - - // Input for FSCTL_PIPE_WAIT - typedef struct _FILE_PIPE_WAIT_FOR_BUFFER - { - LARGE_INTEGER Timeout; - ULONG NameLength; - BOOLEAN TimeoutSpecified; - _Field_size_bytes_(NameLength) WCHAR Name[1]; - } FILE_PIPE_WAIT_FOR_BUFFER, *PFILE_PIPE_WAIT_FOR_BUFFER; - - // Input for FSCTL_PIPE_SET_CLIENT_PROCESS, Output for FSCTL_PIPE_QUERY_CLIENT_PROCESS - typedef struct _FILE_PIPE_CLIENT_PROCESS_BUFFER - { -#if !defined(BUILD_WOW6432) - PVOID ClientSession; - PVOID ClientProcess; -#else - ULONGLONG ClientSession; - ULONGLONG ClientProcess; -#endif - } FILE_PIPE_CLIENT_PROCESS_BUFFER, *PFILE_PIPE_CLIENT_PROCESS_BUFFER; - - // Control structure for FSCTL_PIPE_QUERY_CLIENT_PROCESS_V2 - - typedef struct _FILE_PIPE_CLIENT_PROCESS_BUFFER_V2 - { - ULONGLONG ClientSession; -#if !defined(BUILD_WOW6432) - PVOID ClientProcess; -#else - ULONGLONG ClientProcess; -#endif - } FILE_PIPE_CLIENT_PROCESS_BUFFER_V2, *PFILE_PIPE_CLIENT_PROCESS_BUFFER_V2; - -#define FILE_PIPE_COMPUTER_NAME_LENGTH 15 - - // Input for FSCTL_PIPE_SET_CLIENT_PROCESS, Output for FSCTL_PIPE_QUERY_CLIENT_PROCESS - typedef struct _FILE_PIPE_CLIENT_PROCESS_BUFFER_EX - { -#if !defined(BUILD_WOW6432) - PVOID ClientSession; - PVOID ClientProcess; -#else - ULONGLONG ClientSession; - ULONGLONG ClientProcess; -#endif - USHORT ClientComputerNameLength; // in bytes - WCHAR ClientComputerBuffer[FILE_PIPE_COMPUTER_NAME_LENGTH + 1]; // null-terminated - } FILE_PIPE_CLIENT_PROCESS_BUFFER_EX, *PFILE_PIPE_CLIENT_PROCESS_BUFFER_EX; - - // Control structure for FSCTL_PIPE_SILO_ARRIVAL - - typedef struct _FILE_PIPE_SILO_ARRIVAL_INPUT - { - HANDLE JobHandle; - } FILE_PIPE_SILO_ARRIVAL_INPUT, *PFILE_PIPE_SILO_ARRIVAL_INPUT; - -// -// Flags for create symlink -// - -// -// A global symlink will cause resolution of the symlink's target to occur in -// 
the host silo (i.e. not in any current silo). For example, if there is a -// symlink at \Device\Silos\37\Device\NamedPipe\symlink then the target will be -// resolved as \Device\NamedPipe\target instead of \Device\Silos\37\Device\NamedPipe\target -// -#define FILE_PIPE_SYMLINK_FLAG_GLOBAL 0x1 - -// -// A relative symlink will cause resolution of the symlink's target to occur relative -// to the root of the named pipe file system. For example, if there is a symlink at -// \Device\NamedPipe\symlink that has a target called "target", then the target will -// be resolved as \Device\NamedPipe\target -// -#define FILE_PIPE_SYMLINK_FLAG_RELATIVE 0x2 - -#define FILE_PIPE_SYMLINK_VALID_FLAGS \ - (FILE_PIPE_SYMLINK_FLAG_GLOBAL | FILE_PIPE_SYMLINK_FLAG_RELATIVE) - - // Control structure for FSCTL_PIPE_CREATE_SYMLINK - - typedef struct _FILE_PIPE_CREATE_SYMLINK_INPUT - { - USHORT NameOffset; - USHORT NameLength; - USHORT SubstituteNameOffset; - USHORT SubstituteNameLength; - ULONG Flags; - } FILE_PIPE_CREATE_SYMLINK_INPUT, *PFILE_PIPE_CREATE_SYMLINK_INPUT; - - // Control structure for FSCTL_PIPE_DELETE_SYMLINK - - typedef struct _FILE_PIPE_DELETE_SYMLINK_INPUT - { - USHORT NameOffset; - USHORT NameLength; - } FILE_PIPE_DELETE_SYMLINK_INPUT, *PFILE_PIPE_DELETE_SYMLINK_INPUT; - - // Mailslot FS control definitions - -#define MAILSLOT_CLASS_FIRSTCLASS 1 -#define MAILSLOT_CLASS_SECONDCLASS 2 - -#define FSCTL_MAILSLOT_PEEK CTL_CODE(FILE_DEVICE_MAILSLOT, 0, METHOD_NEITHER, FILE_READ_DATA) - - // Output for FSCTL_MAILSLOT_PEEK - typedef struct _FILE_MAILSLOT_PEEK_BUFFER - { - ULONG ReadDataAvailable; - ULONG NumberOfMessages; - ULONG MessageLength; - } FILE_MAILSLOT_PEEK_BUFFER, *PFILE_MAILSLOT_PEEK_BUFFER; - - // Mount manager FS control definitions - -#define MOUNTMGR_DEVICE_NAME L"\\Device\\MountPointManager" -#define MOUNTMGRCONTROLTYPE 0x0000006D // 'm' -#define MOUNTDEVCONTROLTYPE 0x0000004D // 'M' - -#define IOCTL_MOUNTMGR_CREATE_POINT CTL_CODE(MOUNTMGRCONTROLTYPE, 0, 
METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) -#define IOCTL_MOUNTMGR_DELETE_POINTS CTL_CODE(MOUNTMGRCONTROLTYPE, 1, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) -#define IOCTL_MOUNTMGR_QUERY_POINTS CTL_CODE(MOUNTMGRCONTROLTYPE, 2, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define IOCTL_MOUNTMGR_DELETE_POINTS_DBONLY CTL_CODE(MOUNTMGRCONTROLTYPE, 3, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) -#define IOCTL_MOUNTMGR_NEXT_DRIVE_LETTER CTL_CODE(MOUNTMGRCONTROLTYPE, 4, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) -#define IOCTL_MOUNTMGR_AUTO_DL_ASSIGNMENTS CTL_CODE(MOUNTMGRCONTROLTYPE, 5, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) -#define IOCTL_MOUNTMGR_VOLUME_MOUNT_POINT_CREATED CTL_CODE(MOUNTMGRCONTROLTYPE, 6, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) -#define IOCTL_MOUNTMGR_VOLUME_MOUNT_POINT_DELETED CTL_CODE(MOUNTMGRCONTROLTYPE, 7, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) -#define IOCTL_MOUNTMGR_CHANGE_NOTIFY CTL_CODE(MOUNTMGRCONTROLTYPE, 8, METHOD_BUFFERED, FILE_READ_ACCESS) -#define IOCTL_MOUNTMGR_KEEP_LINKS_WHEN_OFFLINE CTL_CODE(MOUNTMGRCONTROLTYPE, 9, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) -#define IOCTL_MOUNTMGR_CHECK_UNPROCESSED_VOLUMES CTL_CODE(MOUNTMGRCONTROLTYPE, 10, METHOD_BUFFERED, FILE_READ_ACCESS) -#define IOCTL_MOUNTMGR_VOLUME_ARRIVAL_NOTIFICATION CTL_CODE(MOUNTMGRCONTROLTYPE, 11, METHOD_BUFFERED, FILE_READ_ACCESS) -#define IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH CTL_CODE(MOUNTMGRCONTROLTYPE, 12, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS CTL_CODE(MOUNTMGRCONTROLTYPE, 13, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define IOCTL_MOUNTMGR_SCRUB_REGISTRY CTL_CODE(MOUNTMGRCONTROLTYPE, 14, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) -#define IOCTL_MOUNTMGR_QUERY_AUTO_MOUNT CTL_CODE(MOUNTMGRCONTROLTYPE, 15, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define IOCTL_MOUNTMGR_SET_AUTO_MOUNT CTL_CODE(MOUNTMGRCONTROLTYPE, 16, METHOD_BUFFERED, 
FILE_READ_ACCESS | FILE_WRITE_ACCESS) -#define IOCTL_MOUNTMGR_BOOT_DL_ASSIGNMENT CTL_CODE(MOUNTMGRCONTROLTYPE, 17, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) // since WIN7 -#define IOCTL_MOUNTMGR_TRACELOG_CACHE CTL_CODE(MOUNTMGRCONTROLTYPE, 18, METHOD_BUFFERED, FILE_READ_ACCESS) -#define IOCTL_MOUNTMGR_PREPARE_VOLUME_DELETE CTL_CODE(MOUNTMGRCONTROLTYPE, 19, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) -#define IOCTL_MOUNTMGR_CANCEL_VOLUME_DELETE CTL_CODE(MOUNTMGRCONTROLTYPE, 20, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) // since WIN8 -#define IOCTL_MOUNTMGR_SILO_ARRIVAL CTL_CODE(MOUNTMGRCONTROLTYPE, 21, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) // since RS1 - -#define IOCTL_MOUNTDEV_QUERY_DEVICE_NAME CTL_CODE(MOUNTDEVCONTROLTYPE, 2, METHOD_BUFFERED, FILE_ANY_ACCESS) - - // Input structure for IOCTL_MOUNTMGR_CREATE_POINT. - typedef struct _MOUNTMGR_CREATE_POINT_INPUT - { - USHORT SymbolicLinkNameOffset; - USHORT SymbolicLinkNameLength; - USHORT DeviceNameOffset; - USHORT DeviceNameLength; - } MOUNTMGR_CREATE_POINT_INPUT, *PMOUNTMGR_CREATE_POINT_INPUT; - - // Input structure for IOCTL_MOUNTMGR_DELETE_POINTS, IOCTL_MOUNTMGR_QUERY_POINTS, and IOCTL_MOUNTMGR_DELETE_POINTS_DBONLY. - typedef struct _MOUNTMGR_MOUNT_POINT - { - ULONG SymbolicLinkNameOffset; - USHORT SymbolicLinkNameLength; - USHORT Reserved1; - ULONG UniqueIdOffset; - USHORT UniqueIdLength; - USHORT Reserved2; - ULONG DeviceNameOffset; - USHORT DeviceNameLength; - USHORT Reserved3; - } MOUNTMGR_MOUNT_POINT, *PMOUNTMGR_MOUNT_POINT; - - // Output structure for IOCTL_MOUNTMGR_DELETE_POINTS, IOCTL_MOUNTMGR_QUERY_POINTS, and IOCTL_MOUNTMGR_DELETE_POINTS_DBONLY. - typedef struct _MOUNTMGR_MOUNT_POINTS - { - ULONG Size; - ULONG NumberOfMountPoints; - _Field_size_(NumberOfMountPoints) MOUNTMGR_MOUNT_POINT MountPoints[1]; - } MOUNTMGR_MOUNT_POINTS, *PMOUNTMGR_MOUNT_POINTS; - - // Input structure for IOCTL_MOUNTMGR_NEXT_DRIVE_LETTER. 
- typedef struct _MOUNTMGR_DRIVE_LETTER_TARGET - { - USHORT DeviceNameLength; - _Field_size_bytes_(DeviceNameLength) WCHAR DeviceName[1]; - } MOUNTMGR_DRIVE_LETTER_TARGET, *PMOUNTMGR_DRIVE_LETTER_TARGET; - - // Output structure for IOCTL_MOUNTMGR_NEXT_DRIVE_LETTER. - typedef struct _MOUNTMGR_DRIVE_LETTER_INFORMATION - { - BOOLEAN DriveLetterWasAssigned; - UCHAR CurrentDriveLetter; - } MOUNTMGR_DRIVE_LETTER_INFORMATION, *PMOUNTMGR_DRIVE_LETTER_INFORMATION; - - // Input structure for IOCTL_MOUNTMGR_VOLUME_MOUNT_POINT_CREATED and - // IOCTL_MOUNTMGR_VOLUME_MOUNT_POINT_DELETED. - typedef struct _MOUNTMGR_VOLUME_MOUNT_POINT - { - USHORT SourceVolumeNameOffset; - USHORT SourceVolumeNameLength; - USHORT TargetVolumeNameOffset; - USHORT TargetVolumeNameLength; - } MOUNTMGR_VOLUME_MOUNT_POINT, *PMOUNTMGR_VOLUME_MOUNT_POINT; - - // Input structure for IOCTL_MOUNTMGR_CHANGE_NOTIFY. - // Output structure for IOCTL_MOUNTMGR_CHANGE_NOTIFY. - typedef struct _MOUNTMGR_CHANGE_NOTIFY_INFO - { - ULONG EpicNumber; - } MOUNTMGR_CHANGE_NOTIFY_INFO, *PMOUNTMGR_CHANGE_NOTIFY_INFO; - - // Input structure for IOCTL_MOUNTMGR_KEEP_LINKS_WHEN_OFFLINE, - // IOCTL_MOUNTMGR_VOLUME_ARRIVAL_NOTIFICATION, - // IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH, and - // IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS. 
- // IOCTL_MOUNTMGR_PREPARE_VOLUME_DELETE - // IOCTL_MOUNTMGR_CANCEL_VOLUME_DELETE - typedef struct _MOUNTMGR_TARGET_NAME - { - USHORT DeviceNameLength; - _Field_size_bytes_(DeviceNameLength) WCHAR DeviceName[1]; - } MOUNTMGR_TARGET_NAME, *PMOUNTMGR_TARGET_NAME; - - // Input / Output structure for querying / setting the auto-mount setting - typedef enum _MOUNTMGR_AUTO_MOUNT_STATE - { - Disabled = 0, - Enabled - } MOUNTMGR_AUTO_MOUNT_STATE; - - // IOCTL_MOUNTMGR_QUERY_AUTO_MOUNT - typedef struct _MOUNTMGR_QUERY_AUTO_MOUNT - { - MOUNTMGR_AUTO_MOUNT_STATE CurrentState; - } MOUNTMGR_QUERY_AUTO_MOUNT, *PMOUNTMGR_QUERY_AUTO_MOUNT; - - // IOCTL_MOUNTMGR_SET_AUTO_MOUNT - typedef struct _MOUNTMGR_SET_AUTO_MOUNT - { - MOUNTMGR_AUTO_MOUNT_STATE NewState; - } MOUNTMGR_SET_AUTO_MOUNT, *PMOUNTMGR_SET_AUTO_MOUNT; - - // Input structure for IOCTL_MOUNTMGR_SILO_ARRIVAL. - typedef struct _MOUNTMGR_SILO_ARRIVAL_INPUT - { - HANDLE JobHandle; - } MOUNTMGR_SILO_ARRIVAL_INPUT, *PMOUNTMGR_SILO_ARRIVAL_INPUT; - -// Macro that defines what a "drive letter" mount point is. This macro can -// be used to scan the result from QUERY_POINTS to discover which mount points -// are find "drive letter" mount points. -#define MOUNTMGR_IS_DRIVE_LETTER(s) ( \ - (s)->Length == 28 && \ - (s)->Buffer[0] == '\\' && \ - (s)->Buffer[1] == 'D' && \ - (s)->Buffer[2] == 'o' && \ - (s)->Buffer[3] == 's' && \ - (s)->Buffer[4] == 'D' && \ - (s)->Buffer[5] == 'e' && \ - (s)->Buffer[6] == 'v' && \ - (s)->Buffer[7] == 'i' && \ - (s)->Buffer[8] == 'c' && \ - (s)->Buffer[9] == 'e' && \ - (s)->Buffer[10] == 's' && \ - (s)->Buffer[11] == '\\' && \ - (s)->Buffer[12] >= 'A' && \ - (s)->Buffer[12] <= 'Z' && \ - (s)->Buffer[13] == ':') - -// Macro that defines what a "volume name" mount point is. This macro can -// be used to scan the result from QUERY_POINTS to discover which mount points -// are "volume name" mount points. 
-#define MOUNTMGR_IS_VOLUME_NAME(s) ( \ - ((s)->Length == 96 || ((s)->Length == 98 && (s)->Buffer[48] == '\\')) && \ - (s)->Buffer[0] == '\\' && \ - ((s)->Buffer[1] == '?' || (s)->Buffer[1] == '\\') && \ - (s)->Buffer[2] == '?' && \ - (s)->Buffer[3] == '\\' && \ - (s)->Buffer[4] == 'V' && \ - (s)->Buffer[5] == 'o' && \ - (s)->Buffer[6] == 'l' && \ - (s)->Buffer[7] == 'u' && \ - (s)->Buffer[8] == 'm' && \ - (s)->Buffer[9] == 'e' && \ - (s)->Buffer[10] == '{' && \ - (s)->Buffer[19] == '-' && \ - (s)->Buffer[24] == '-' && \ - (s)->Buffer[29] == '-' && \ - (s)->Buffer[34] == '-' && \ - (s)->Buffer[47] == '}') - - // Output structure for IOCTL_MOUNTDEV_QUERY_DEVICE_NAME. - typedef struct _MOUNTDEV_NAME - { - USHORT NameLength; - _Field_size_bytes_(NameLength) WCHAR Name[1]; - } MOUNTDEV_NAME, *PMOUNTDEV_NAME; - - // Output structure for IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATH and IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS. - typedef struct _MOUNTMGR_VOLUME_PATHS - { - ULONG MultiSzLength; - _Field_size_bytes_(MultiSzLength) WCHAR MultiSz[1]; - } MOUNTMGR_VOLUME_PATHS, *PMOUNTMGR_VOLUME_PATHS; - -#define MOUNTMGR_IS_DOS_VOLUME_NAME(s) ( \ - MOUNTMGR_IS_VOLUME_NAME(s) && \ - (s)->Length == 96 && \ - (s)->Buffer[1] == '\\') - -#define MOUNTMGR_IS_DOS_VOLUME_NAME_WB(s) ( \ - MOUNTMGR_IS_VOLUME_NAME(s) && \ - (s)->Length == 98 && \ - (s)->Buffer[1] == '\\') - -#define MOUNTMGR_IS_NT_VOLUME_NAME(s) ( \ - MOUNTMGR_IS_VOLUME_NAME(s) && \ - (s)->Length == 96 && \ - (s)->Buffer[1] == '?') - -#define MOUNTMGR_IS_NT_VOLUME_NAME_WB(s) ( \ - MOUNTMGR_IS_VOLUME_NAME(s) && \ - (s)->Length == 98 && \ - (s)->Buffer[1] == '?') - -// Filter manager - -// rev -#define FLT_SYMLINK_NAME L"\\Global??\\FltMgr" -#define FLT_MSG_SYMLINK_NAME L"\\Global??\\FltMgrMsg" -#define FLT_DEVICE_NAME L"\\FileSystem\\Filters\\FltMgr" -#define FLT_MSG_DEVICE_NAME L"\\FileSystem\\Filters\\FltMgrMsg" - - // private - typedef struct _FLT_CONNECT_CONTEXT - { - PUNICODE_STRING PortName; - PUNICODE_STRING64 PortName64; - 
USHORT SizeOfContext; - UCHAR Padding[6]; // unused - _Field_size_bytes_(SizeOfContext) UCHAR Context[ANYSIZE_ARRAY]; - } FLT_CONNECT_CONTEXT, *PFLT_CONNECT_CONTEXT; - -// rev -#define FLT_PORT_EA_NAME "FLTPORT" -#define FLT_PORT_CONTEXT_MAX 0xFFE8 - - // combined FILE_FULL_EA_INFORMATION and FLT_CONNECT_CONTEXT - typedef struct _FLT_PORT_FULL_EA - { - ULONG NextEntryOffset; // 0 - UCHAR Flags; // 0 - UCHAR EaNameLength; // sizeof(FLT_PORT_EA_NAME) - sizeof(ANSI_NULL) - USHORT EaValueLength; // RTL_SIZEOF_THROUGH_FIELD(FLT_CONNECT_CONTEXT, Padding) + SizeOfContext - CHAR EaName[8]; // FLTPORT\0 - FLT_CONNECT_CONTEXT EaValue; - } FLT_PORT_FULL_EA, *PFLT_PORT_FULL_EA; - -#define FLT_PORT_FULL_EA_SIZE \ - (sizeof(FILE_FULL_EA_INFORMATION) + (sizeof(FLT_PORT_EA_NAME) - sizeof(ANSI_NULL))) -#define FLT_PORT_FULL_EA_VALUE_SIZE \ - RTL_SIZEOF_THROUGH_FIELD(FLT_CONNECT_CONTEXT, Padding) - -// begin_rev - -// IOCTLs for unlinked FltMgr handles -#define FLT_CTL_LOAD CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 1, METHOD_BUFFERED, FILE_WRITE_ACCESS) // in: FLT_LOAD_PARAMETERS // requires SeLoadDriverPrivilege -#define FLT_CTL_UNLOAD CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 2, METHOD_BUFFERED, FILE_WRITE_ACCESS) // in: FLT_LOAD_PARAMETERS // requires SeLoadDriverPrivilege -#define FLT_CTL_LINK_HANDLE CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 3, METHOD_BUFFERED, FILE_READ_ACCESS) // in: FLT_LINK // specializes the handle -#define FLT_CTL_ATTACH CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 4, METHOD_BUFFERED, FILE_WRITE_ACCESS) // in: FLT_ATTACH -#define FLT_CTL_DETACH CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 5, METHOD_BUFFERED, FILE_WRITE_ACCESS) // in: FLT_INSTANCE_PARAMETERS - -// IOCTLs for port-specific FltMgrMsg handles (opened using the extended attribute) -#define FLT_CTL_SEND_MESSAGE CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 6, METHOD_NEITHER, FILE_WRITE_ACCESS) // in, out: filter-specific -#define FLT_CTL_GET_MESSAGE CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 7, METHOD_NEITHER, 
FILE_READ_ACCESS) // out: filter-specific -#define FLT_CTL_REPLY_MESSAGE CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 8, METHOD_NEITHER, FILE_WRITE_ACCESS) // in: filter-specific - -// IOCTLs for linked FltMgr handles; depend on previously used FLT_LINK_TYPE -// -// Find first/next: -// FILTER - enumerates nested instances; in: INSTANCE_INFORMATION_CLASS -// FILTER_VOLUME - enumerates nested instances; in: INSTANCE_INFORMATION_CLASS -// FILTER_MANAGER - enumerates all filters; in: FILTER_INFORMATION_CLASS -// FILTER_MANAGER_VOLUME - enumerates all volumes; in: FILTER_VOLUME_INFORMATION_CLASS -// -// Get information: -// FILTER - queries filter; in: FILTER_INFORMATION_CLASS -// FILTER_INSTANCE - queries instance; in: INSTANCE_INFORMATION_CLASS -// -#define FLT_CTL_FIND_FIRST CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 9, METHOD_BUFFERED, FILE_READ_ACCESS) // in: *_INFORMATION_CLASS, out: *_INFORMATION (from fltUserStructures.h) -#define FLT_CTL_FIND_NEXT CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 10, METHOD_BUFFERED, FILE_READ_ACCESS) // in: *_INFORMATION_CLASS, out: *_INFORMATION (from fltUserStructures.h) -#define FLT_CTL_GET_INFORMATION CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 11, METHOD_BUFFERED, FILE_READ_ACCESS) // in: *_INFORMATION_CLASS, out: *_INFORMATION (from fltUserStructures.h) - - // end_rev - - // private - typedef struct _FLT_LOAD_PARAMETERS - { - USHORT FilterNameSize; - _Field_size_bytes_(FilterNameSize) WCHAR FilterName[ANYSIZE_ARRAY]; - } FLT_LOAD_PARAMETERS, *PFLT_LOAD_PARAMETERS; - - // private - typedef enum _FLT_LINK_TYPE - { - FILTER = 0, // FLT_FILTER_PARAMETERS - FILTER_INSTANCE = 1, // FLT_INSTANCE_PARAMETERS - FILTER_VOLUME = 2, // FLT_VOLUME_PARAMETERS - FILTER_MANAGER = 3, // nothing - FILTER_MANAGER_VOLUME = 4, // nothing - } FLT_LINK_TYPE, - *PFLT_LINK_TYPE; - - // private - typedef struct _FLT_LINK - { - FLT_LINK_TYPE Type; - ULONG ParametersOffset; // from this struct - } FLT_LINK, *PFLT_LINK; - - // rev - typedef struct _FLT_FILTER_PARAMETERS - { 
- USHORT FilterNameSize; - USHORT FilterNameOffset; // to WCHAR[] from this struct - } FLT_FILTER_PARAMETERS, *PFLT_FILTER_PARAMETERS; - - // private - typedef struct _FLT_INSTANCE_PARAMETERS - { - USHORT FilterNameSize; - USHORT FilterNameOffset; // to WCHAR[] from this struct - USHORT VolumeNameSize; - USHORT VolumeNameOffset; // to WCHAR[] from this struct - USHORT InstanceNameSize; - USHORT InstanceNameOffset; // to WCHAR[] from this struct - } FLT_INSTANCE_PARAMETERS, *PFLT_INSTANCE_PARAMETERS; - - // rev - typedef struct _FLT_VOLUME_PARAMETERS - { - USHORT VolumeNameSize; - USHORT VolumeNameOffset; // to WCHAR[] from this struct - } FLT_VOLUME_PARAMETERS, *PFLT_VOLUME_PARAMETERS; - - // private - typedef enum _ATTACH_TYPE - { - AltitudeBased = 0, - InstanceNameBased = 1, - } ATTACH_TYPE, - *PATTACH_TYPE; - - // private - typedef struct _FLT_ATTACH - { - USHORT FilterNameSize; - USHORT FilterNameOffset; // to WCHAR[] from this struct - USHORT VolumeNameSize; - USHORT VolumeNameOffset; // to WCHAR[] from this struct - ATTACH_TYPE Type; - USHORT InstanceNameSize; - USHORT InstanceNameOffset; // to WCHAR[] from this struct - USHORT AltitudeSize; - USHORT AltitudeOffset; // to WCHAR[] from this struct - } FLT_ATTACH, *PFLT_ATTACH; - -// Multiple UNC Provider - -// rev // FSCTLs for \Device\Mup -#define FSCTL_MUP_GET_UNC_CACHE_INFO CTL_CODE(FILE_DEVICE_MULTI_UNC_PROVIDER, 11, METHOD_BUFFERED, FILE_ANY_ACCESS) // out: MUP_FSCTL_UNC_CACHE_INFORMATION -#define FSCTL_MUP_GET_UNC_PROVIDER_LIST CTL_CODE(FILE_DEVICE_MULTI_UNC_PROVIDER, 12, METHOD_BUFFERED, FILE_ANY_ACCESS) // out: MUP_FSCTL_UNC_PROVIDER_INFORMATION -#define FSCTL_MUP_GET_SURROGATE_PROVIDER_LIST CTL_CODE(FILE_DEVICE_MULTI_UNC_PROVIDER, 13, METHOD_BUFFERED, FILE_ANY_ACCESS) // out: MUP_FSCTL_SURROGATE_PROVIDER_INFORMATION -#define FSCTL_MUP_GET_UNC_HARDENING_CONFIGURATION CTL_CODE(FILE_DEVICE_MULTI_UNC_PROVIDER, 14, METHOD_BUFFERED, FILE_ANY_ACCESS) // out: MUP_FSCTL_UNC_HARDENING_PREFIX_TABLE_ENTRY[] 
-#define FSCTL_MUP_GET_UNC_HARDENING_CONFIGURATION_FOR_PATH CTL_CODE(FILE_DEVICE_MULTI_UNC_PROVIDER, 15, METHOD_BUFFERED, FILE_ANY_ACCESS) // in: MUP_FSCTL_QUERY_UNC_HARDENING_CONFIGURATION_IN; out: MUP_FSCTL_QUERY_UNC_HARDENING_CONFIGURATION_OUT - - // private - typedef struct _MUP_FSCTL_UNC_CACHE_ENTRY - { - ULONG TotalLength; - ULONG UncNameOffset; // to WCHAR[] from this struct - USHORT UncNameLength; // in bytes - ULONG ProviderNameOffset; // to WCHAR[] from this struct - USHORT ProviderNameLength; // in bytes - ULONG SurrogateNameOffset; // to WCHAR[] from this struct - USHORT SurrogateNameLength; // in bytes - ULONG ProviderPriority; - ULONG EntryTtl; - WCHAR Strings[ANYSIZE_ARRAY]; - } MUP_FSCTL_UNC_CACHE_ENTRY, *PMUP_FSCTL_UNC_CACHE_ENTRY; - - // private - typedef struct _MUP_FSCTL_UNC_CACHE_INFORMATION - { - ULONG MaxCacheSize; - ULONG CurrentCacheSize; - ULONG EntryTimeout; - ULONG TotalEntries; - MUP_FSCTL_UNC_CACHE_ENTRY CacheEntry[ANYSIZE_ARRAY]; - } MUP_FSCTL_UNC_CACHE_INFORMATION, *PMUP_FSCTL_UNC_CACHE_INFORMATION; - - // private - typedef struct _MUP_FSCTL_UNC_PROVIDER_ENTRY - { - ULONG TotalLength; - LONG ReferenceCount; - ULONG ProviderPriority; - ULONG ProviderState; - ULONG ProviderId; - USHORT ProviderNameLength; // in bytes - WCHAR ProviderName[ANYSIZE_ARRAY]; - } MUP_FSCTL_UNC_PROVIDER_ENTRY, *PMUP_FSCTL_UNC_PROVIDER_ENTRY; - - // private - typedef struct _MUP_FSCTL_UNC_PROVIDER_INFORMATION - { - ULONG TotalEntries; - MUP_FSCTL_UNC_PROVIDER_ENTRY ProviderEntry[ANYSIZE_ARRAY]; - } MUP_FSCTL_UNC_PROVIDER_INFORMATION, *PMUP_FSCTL_UNC_PROVIDER_INFORMATION; - - // private - typedef struct _MUP_FSCTL_SURROGATE_PROVIDER_ENTRY - { - ULONG TotalLength; - LONG ReferenceCount; - ULONG SurrogateType; - ULONG SurrogateState; - ULONG SurrogatePriority; - USHORT SurrogateNameLength; // in bytes - WCHAR SurrogateName[ANYSIZE_ARRAY]; - } MUP_FSCTL_SURROGATE_PROVIDER_ENTRY, *PMUP_FSCTL_SURROGATE_PROVIDER_ENTRY; - - // private - typedef struct 
_MUP_FSCTL_SURROGATE_PROVIDER_INFORMATION - { - ULONG TotalEntries; - MUP_FSCTL_SURROGATE_PROVIDER_ENTRY SurrogateEntry[ANYSIZE_ARRAY]; - } MUP_FSCTL_SURROGATE_PROVIDER_INFORMATION, *PMUP_FSCTL_SURROGATE_PROVIDER_INFORMATION; - - // private - typedef struct _MUP_FSCTL_UNC_HARDENING_PREFIX_TABLE_ENTRY - { - ULONG NextOffset; // from this struct - ULONG PrefixNameOffset; // to WCHAR[] from this struct - USHORT PrefixNameCbLength; // in bytes - union - { - ULONG RequiredHardeningCapabilities; - struct - { - ULONG RequiresMutualAuth : 1; - ULONG RequiresIntegrity : 1; - ULONG RequiresPrivacy : 1; - }; - }; - ULONGLONG OpenCount; - } MUP_FSCTL_UNC_HARDENING_PREFIX_TABLE_ENTRY, *PMUP_FSCTL_UNC_HARDENING_PREFIX_TABLE_ENTRY; - - // private - typedef struct _MUP_FSCTL_QUERY_UNC_HARDENING_CONFIGURATION_IN - { - ULONG Size; - ULONG UncPathOffset; // to WCHAR[] from this struct - USHORT UncPathCbLength; // in bytes - } MUP_FSCTL_QUERY_UNC_HARDENING_CONFIGURATION_IN, *PMUP_FSCTL_QUERY_UNC_HARDENING_CONFIGURATION_IN; - - // private - typedef struct _MUP_FSCTL_QUERY_UNC_HARDENING_CONFIGURATION_OUT - { - ULONG Size; - union - { - ULONG RequiredHardeningCapabilities; - struct - { - ULONG RequiresMutualAuth : 1; - ULONG RequiresIntegrity : 1; - ULONG RequiresPrivacy : 1; - }; - }; - } MUP_FSCTL_QUERY_UNC_HARDENING_CONFIGURATION_OUT, *PMUP_FSCTL_QUERY_UNC_HARDENING_CONFIGURATION_OUT; - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - -// -// Major Function Codes -// -#define IRP_MJ_CREATE 0x00 -#define IRP_MJ_CREATE_NAMED_PIPE 0x01 -#define IRP_MJ_CLOSE 0x02 -#define IRP_MJ_READ 0x03 -#define IRP_MJ_WRITE 0x04 -#define IRP_MJ_QUERY_INFORMATION 0x05 -#define IRP_MJ_SET_INFORMATION 0x06 -#define IRP_MJ_QUERY_EA 0x07 -#define IRP_MJ_SET_EA 0x08 -#define IRP_MJ_FLUSH_BUFFERS 0x09 -#define IRP_MJ_QUERY_VOLUME_INFORMATION 0x0a -#define IRP_MJ_SET_VOLUME_INFORMATION 0x0b -#define IRP_MJ_DIRECTORY_CONTROL 0x0c -#define IRP_MJ_FILE_SYSTEM_CONTROL 0x0d -#define IRP_MJ_DEVICE_CONTROL 0x0e -#define 
IRP_MJ_INTERNAL_DEVICE_CONTROL 0x0f -#define IRP_MJ_SHUTDOWN 0x10 -#define IRP_MJ_LOCK_CONTROL 0x11 -#define IRP_MJ_CLEANUP 0x12 -#define IRP_MJ_CREATE_MAILSLOT 0x13 -#define IRP_MJ_QUERY_SECURITY 0x14 -#define IRP_MJ_SET_SECURITY 0x15 -#define IRP_MJ_POWER 0x16 -#define IRP_MJ_SYSTEM_CONTROL 0x17 -#define IRP_MJ_DEVICE_CHANGE 0x18 -#define IRP_MJ_QUERY_QUOTA 0x19 -#define IRP_MJ_SET_QUOTA 0x1a -#define IRP_MJ_PNP 0x1b -#define IRP_MJ_PNP_POWER IRP_MJ_PNP // Obsolete.... -#define IRP_MJ_MAXIMUM_FUNCTION 0x1b -#define IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION ((UCHAR) - 1) -#define IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION ((UCHAR) - 2) -#define IRP_MJ_ACQUIRE_FOR_MOD_WRITE ((UCHAR) - 3) -#define IRP_MJ_RELEASE_FOR_MOD_WRITE ((UCHAR) - 4) -#define IRP_MJ_ACQUIRE_FOR_CC_FLUSH ((UCHAR) - 5) -#define IRP_MJ_RELEASE_FOR_CC_FLUSH ((UCHAR) - 6) -#define IRP_MJ_QUERY_OPEN ((UCHAR) - 7) -#define IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE ((UCHAR) - 13) -#define IRP_MJ_NETWORK_QUERY_OPEN ((UCHAR) - 14) -#define IRP_MJ_MDL_READ ((UCHAR) - 15) -#define IRP_MJ_MDL_READ_COMPLETE ((UCHAR) - 16) -#define IRP_MJ_PREPARE_MDL_WRITE ((UCHAR) - 17) -#define IRP_MJ_MDL_WRITE_COMPLETE ((UCHAR) - 18) -#define IRP_MJ_VOLUME_MOUNT ((UCHAR) - 19) -#define IRP_MJ_VOLUME_DISMOUNT ((UCHAR) - 20) -#define FLT_INTERNAL_OPERATION_COUNT 22 - -// -// Minor Function Codes -// -#define IRP_MN_SCSI_CLASS 0x01 -// PNP minor function codes -#define IRP_MN_START_DEVICE 0x00 -#define IRP_MN_QUERY_REMOVE_DEVICE 0x01 -#define IRP_MN_REMOVE_DEVICE 0x02 -#define IRP_MN_CANCEL_REMOVE_DEVICE 0x03 -#define IRP_MN_STOP_DEVICE 0x04 -#define IRP_MN_QUERY_STOP_DEVICE 0x05 -#define IRP_MN_CANCEL_STOP_DEVICE 0x06 -#define IRP_MN_QUERY_DEVICE_RELATIONS 0x07 -#define IRP_MN_QUERY_INTERFACE 0x08 -#define IRP_MN_QUERY_CAPABILITIES 0x09 -#define IRP_MN_QUERY_RESOURCES 0x0A -#define IRP_MN_QUERY_RESOURCE_REQUIREMENTS 0x0B -#define IRP_MN_QUERY_DEVICE_TEXT 0x0C -#define IRP_MN_FILTER_RESOURCE_REQUIREMENTS 0x0D -#define 
IRP_MN_READ_CONFIG 0x0F -#define IRP_MN_WRITE_CONFIG 0x10 -#define IRP_MN_EJECT 0x11 -#define IRP_MN_SET_LOCK 0x12 -#define IRP_MN_QUERY_ID 0x13 -#define IRP_MN_QUERY_PNP_DEVICE_STATE 0x14 -#define IRP_MN_QUERY_BUS_INFORMATION 0x15 -#define IRP_MN_DEVICE_USAGE_NOTIFICATION 0x16 -#define IRP_MN_SURPRISE_REMOVAL 0x17 -#define IRP_MN_DEVICE_ENUMERATED 0x19 - -// POWER minor function codes -#define IRP_MN_WAIT_WAKE 0x00 -#define IRP_MN_POWER_SEQUENCE 0x01 -#define IRP_MN_SET_POWER 0x02 -#define IRP_MN_QUERY_POWER 0x03 -// WMI minor function codes under IRP_MJ_SYSTEM_CONTROL -#define IRP_MN_QUERY_ALL_DATA 0x00 -#define IRP_MN_QUERY_SINGLE_INSTANCE 0x01 -#define IRP_MN_CHANGE_SINGLE_INSTANCE 0x02 -#define IRP_MN_CHANGE_SINGLE_ITEM 0x03 -#define IRP_MN_ENABLE_EVENTS 0x04 -#define IRP_MN_DISABLE_EVENTS 0x05 -#define IRP_MN_ENABLE_COLLECTION 0x06 -#define IRP_MN_DISABLE_COLLECTION 0x07 -#define IRP_MN_REGINFO 0x08 -#define IRP_MN_EXECUTE_METHOD 0x09 -// Minor code 0x0a is reserved -#define IRP_MN_REGINFO_EX 0x0b -// Minor code 0x0c is reserved -// Minor code 0x0d is reserved - -// -// Filter Manager Callback Data Flags -// -#define FLTFL_CALLBACK_DATA_REISSUE_MASK 0x0000FFFF -#define FLTFL_CALLBACK_DATA_IRP_OPERATION 0x00000001 // Set for Irp operations -#define FLTFL_CALLBACK_DATA_FAST_IO_OPERATION 0x00000002 // Set for Fast Io operations -#define FLTFL_CALLBACK_DATA_FS_FILTER_OPERATION 0x00000004 // Set for Fs Filter operations -#define FLTFL_CALLBACK_DATA_SYSTEM_BUFFER 0x00000008 // Set if the buffer passed in for the i/o was a system buffer -#define FLTFL_CALLBACK_DATA_GENERATED_IO 0x00010000 // Set if this is I/O generated by a mini-filter -#define FLTFL_CALLBACK_DATA_REISSUED_IO 0x00020000 // Set if this I/O was reissued -#define FLTFL_CALLBACK_DATA_DRAINING_IO 0x00040000 // set if this operation is being drained. 
If set, -#define FLTFL_CALLBACK_DATA_POST_OPERATION 0x00080000 // Set if this is a POST operation -#define FLTFL_CALLBACK_DATA_NEW_SYSTEM_BUFFER 0x00100000 -#define FLTFL_CALLBACK_DATA_DIRTY 0x80000000 // Set by caller if parameters were changed - -// -// IRP Flags -// -#define IRP_NOCACHE 0x00000001 -#define IRP_PAGING_IO 0x00000002 -#define IRP_MOUNT_COMPLETION 0x00000002 -#define IRP_SYNCHRONOUS_API 0x00000004 -#define IRP_ASSOCIATED_IRP 0x00000008 -#define IRP_BUFFERED_IO 0x00000010 -#define IRP_DEALLOCATE_BUFFER 0x00000020 -#define IRP_INPUT_OPERATION 0x00000040 -#define IRP_SYNCHRONOUS_PAGING_IO 0x00000040 -#define IRP_CREATE_OPERATION 0x00000080 -#define IRP_READ_OPERATION 0x00000100 -#define IRP_WRITE_OPERATION 0x00000200 -#define IRP_CLOSE_OPERATION 0x00000400 -#define IRP_DEFER_IO_COMPLETION 0x00000800 -#define IRP_OB_QUERY_NAME 0x00001000 -#define IRP_HOLD_DEVICE_QUEUE 0x00002000 -#define IRP_UM_DRIVER_INITIATED_IO 0x00400000 - -// -// File Object Flags -// -#define FO_FILE_OPEN 0x00000001 -#define FO_SYNCHRONOUS_IO 0x00000002 -#define FO_ALERTABLE_IO 0x00000004 -#define FO_NO_INTERMEDIATE_BUFFERING 0x00000008 -#define FO_WRITE_THROUGH 0x00000010 -#define FO_SEQUENTIAL_ONLY 0x00000020 -#define FO_CACHE_SUPPORTED 0x00000040 -#define FO_NAMED_PIPE 0x00000080 -#define FO_STREAM_FILE 0x00000100 -#define FO_MAILSLOT 0x00000200 -#define FO_GENERATE_AUDIT_ON_CLOSE 0x00000400 -#define FO_QUEUE_IRP_TO_THREAD FO_GENERATE_AUDIT_ON_CLOSE -#define FO_DIRECT_DEVICE_OPEN 0x00000800 -#define FO_FILE_MODIFIED 0x00001000 -#define FO_FILE_SIZE_CHANGED 0x00002000 -#define FO_CLEANUP_COMPLETE 0x00004000 -#define FO_TEMPORARY_FILE 0x00008000 -#define FO_DELETE_ON_CLOSE 0x00010000 -#define FO_OPENED_CASE_SENSITIVE 0x00020000 -#define FO_HANDLE_CREATED 0x00040000 -#define FO_FILE_FAST_IO_READ 0x00080000 -#define FO_RANDOM_ACCESS 0x00100000 -#define FO_FILE_OPEN_CANCELLED 0x00200000 -#define FO_VOLUME_OPEN 0x00400000 -#define FO_BYPASS_IO_ENABLED 0x00800000 // when set BYPASS IO 
is enabled on this handle -#define FO_REMOTE_ORIGIN 0x01000000 -#define FO_DISALLOW_EXCLUSIVE 0x02000000 -#define FO_SKIP_COMPLETION_PORT FO_DISALLOW_EXCLUSIVE -#define FO_SKIP_SET_EVENT 0x04000000 -#define FO_SKIP_SET_FAST_IO 0x08000000 -#define FO_INDIRECT_WAIT_OBJECT 0x10000000 -#define FO_SECTION_MINSTORE_TREATMENT 0x20000000 - -// -// Define stack location (IO_STACK_LOCATION) flags -// -#define SL_PENDING_RETURNED 0x01 -#define SL_ERROR_RETURNED 0x02 -#define SL_INVOKE_ON_CANCEL 0x20 -#define SL_INVOKE_ON_SUCCESS 0x40 -#define SL_INVOKE_ON_ERROR 0x80 -// Create / Create Named Pipe (IRP_MJ_CREATE/IRP_MJ_CREATE_NAMED_PIPE) -#define SL_FORCE_ACCESS_CHECK 0x01 -#define SL_OPEN_PAGING_FILE 0x02 -#define SL_OPEN_TARGET_DIRECTORY 0x04 -#define SL_STOP_ON_SYMLINK 0x08 -#define SL_IGNORE_READONLY_ATTRIBUTE 0x40 -#define SL_CASE_SENSITIVE 0x80 -// Read / Write (IRP_MJ_READ/IRP_MJ_WRITE) -#define SL_KEY_SPECIFIED 0x01 -#define SL_OVERRIDE_VERIFY_VOLUME 0x02 -#define SL_WRITE_THROUGH 0x04 -#define SL_FT_SEQUENTIAL_WRITE 0x08 -#define SL_FORCE_DIRECT_WRITE 0x10 -#define SL_REALTIME_STREAM 0x20 // valid only with optical media -#define SL_PERSISTENT_MEMORY_FIXED_MAPPING 0x20 // valid only with persistent memory device and IRP_MJ_WRITE -#define SL_BYPASS_IO 0x40 -// IRP_MJ_FLUSH_BUFFERS -#define SL_FORCE_ASYNCHRONOUS 0x01 -// Device I/O Control -#define SL_READ_ACCESS_GRANTED 0x01 -#define SL_WRITE_ACCESS_GRANTED 0x04 // Gap for SL_OVERRIDE_VERIFY_VOLUME -// Lock (IRP_MJ_LOCK_CONTROL) -#define SL_FAIL_IMMEDIATELY 0x01 -#define SL_EXCLUSIVE_LOCK 0x02 -// QueryDirectory / QueryEa / QueryQuota (IRP_MJ_DIRECTORY_CONTROL/IRP_MJ_QUERY_EA/IRP_MJ_QUERY_QUOTA)) -#define SL_RESTART_SCAN 0x01 -#define SL_RETURN_SINGLE_ENTRY 0x02 -#define SL_INDEX_SPECIFIED 0x04 -#define SL_RETURN_ON_DISK_ENTRIES_ONLY 0x08 -#define SL_NO_CURSOR_UPDATE 0x10 -#define SL_QUERY_DIRECTORY_MASK 0x1b -// NotifyDirectory (IRP_MJ_DIRECTORY_CONTROL) -#define SL_WATCH_TREE 0x01 -// FileSystemControl 
(IRP_MJ_FILE_SYSTEM_CONTROL) -#define SL_ALLOW_RAW_MOUNT 0x01 -// SetInformationFile (IRP_MJ_SET_INFORMATION) / QueryInformationFile -#define SL_BYPASS_ACCESS_CHECK 0x01 -#define SL_INFO_FORCE_ACCESS_CHECK 0x01 -#define SL_INFO_IGNORE_READONLY_ATTRIBUTE 0x40 // same value as IO_IGNORE_READONLY_ATTRIBUTE - -// -// Device Object (DO) flags -// -#define DO_VERIFY_VOLUME 0x00000002 -#define DO_BUFFERED_IO 0x00000004 -#define DO_EXCLUSIVE 0x00000008 -#define DO_DIRECT_IO 0x00000010 -#define DO_MAP_IO_BUFFER 0x00000020 -#define DO_DEVICE_INITIALIZING 0x00000080 -#define DO_SHUTDOWN_REGISTERED 0x00000800 -#define DO_BUS_ENUMERATED_DEVICE 0x00001000 -#define DO_POWER_PAGABLE 0x00002000 -#define DO_POWER_INRUSH 0x00004000 -#define DO_DEVICE_TO_BE_RESET 0x04000000 -#define DO_DAX_VOLUME 0x10000000 - -// -// KSecDD FS control definitions -// -#define KSEC_DEVICE_NAME L"\\Device\\KSecDD" -#define IOCTL_KSEC_CONNECT_LSA CTL_CODE(FILE_DEVICE_KSEC, 0, METHOD_BUFFERED, FILE_WRITE_ACCESS) -#define IOCTL_KSEC_RNG CTL_CODE(FILE_DEVICE_KSEC, 1, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define IOCTL_KSEC_RNG_REKEY CTL_CODE(FILE_DEVICE_KSEC, 2, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define IOCTL_KSEC_ENCRYPT_MEMORY CTL_CODE(FILE_DEVICE_KSEC, 3, METHOD_OUT_DIRECT, FILE_ANY_ACCESS) -#define IOCTL_KSEC_DECRYPT_MEMORY CTL_CODE(FILE_DEVICE_KSEC, 4, METHOD_OUT_DIRECT, FILE_ANY_ACCESS) -#define IOCTL_KSEC_ENCRYPT_MEMORY_CROSS_PROC CTL_CODE(FILE_DEVICE_KSEC, 5, METHOD_OUT_DIRECT, FILE_ANY_ACCESS) -#define IOCTL_KSEC_DECRYPT_MEMORY_CROSS_PROC CTL_CODE(FILE_DEVICE_KSEC, 6, METHOD_OUT_DIRECT, FILE_ANY_ACCESS) -#define IOCTL_KSEC_ENCRYPT_MEMORY_SAME_LOGON CTL_CODE(FILE_DEVICE_KSEC, 7, METHOD_OUT_DIRECT, FILE_ANY_ACCESS) -#define IOCTL_KSEC_DECRYPT_MEMORY_SAME_LOGON CTL_CODE(FILE_DEVICE_KSEC, 8, METHOD_OUT_DIRECT, FILE_ANY_ACCESS) -#define IOCTL_KSEC_FIPS_GET_FUNCTION_TABLE CTL_CODE(FILE_DEVICE_KSEC, 9, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define IOCTL_KSEC_ALLOC_POOL CTL_CODE(FILE_DEVICE_KSEC, 10, 
METHOD_BUFFERED, FILE_ANY_ACCESS) -#define IOCTL_KSEC_FREE_POOL CTL_CODE(FILE_DEVICE_KSEC, 11, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define IOCTL_KSEC_COPY_POOL CTL_CODE(FILE_DEVICE_KSEC, 12, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define IOCTL_KSEC_DUPLICATE_HANDLE CTL_CODE(FILE_DEVICE_KSEC, 13, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define IOCTL_KSEC_REGISTER_EXTENSION CTL_CODE(FILE_DEVICE_KSEC, 14, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define IOCTL_KSEC_CLIENT_CALLBACK CTL_CODE(FILE_DEVICE_KSEC, 15, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define IOCTL_KSEC_GET_BCRYPT_EXTENSION CTL_CODE(FILE_DEVICE_KSEC, 16, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define IOCTL_KSEC_GET_SSL_EXTENSION CTL_CODE(FILE_DEVICE_KSEC, 17, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define IOCTL_KSEC_GET_DEVICECONTROL_EXTENSION CTL_CODE(FILE_DEVICE_KSEC, 18, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define IOCTL_KSEC_ALLOC_VM CTL_CODE(FILE_DEVICE_KSEC, 19, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define IOCTL_KSEC_FREE_VM CTL_CODE(FILE_DEVICE_KSEC, 20, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define IOCTL_KSEC_COPY_VM CTL_CODE(FILE_DEVICE_KSEC, 21, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define IOCTL_KSEC_CLIENT_FREE_VM CTL_CODE(FILE_DEVICE_KSEC, 22, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define IOCTL_KSEC_INSERT_PROTECTED_PROCESS_ADDRESS CTL_CODE(FILE_DEVICE_KSEC, 23, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define IOCTL_KSEC_REMOVE_PROTECTED_PROCESS_ADDRESS CTL_CODE(FILE_DEVICE_KSEC, 24, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define IOCTL_KSEC_GET_BCRYPT_EXTENSION2 CTL_CODE(FILE_DEVICE_KSEC, 25, METHOD_BUFFERED, FILE_ANY_ACCESS) -#define IOCTL_KSEC_IPC_GET_QUEUED_FUNCTION_CALLS CTL_CODE(FILE_DEVICE_KSEC, 26, METHOD_OUT_DIRECT, FILE_ANY_ACCESS) -#define IOCTL_KSEC_IPC_SET_FUNCTION_RETURN CTL_CODE(FILE_DEVICE_KSEC, 27, METHOD_NEITHER, FILE_ANY_ACCESS) - - // pub - typedef enum _FS_FILTER_SECTION_SYNC_TYPE - { - SyncTypeOther = 0, - SyncTypeCreateSection - } FS_FILTER_SECTION_SYNC_TYPE, - *PFS_FILTER_SECTION_SYNC_TYPE; - - // pub - typedef enum 
_CREATE_FILE_TYPE - { - CreateFileTypeNone, - CreateFileTypeNamedPipe, - CreateFileTypeMailslot - } CREATE_FILE_TYPE; - - // pub - typedef struct _NAMED_PIPE_CREATE_PARAMETERS - { - ULONG NamedPipeType; - ULONG ReadMode; - ULONG CompletionMode; - ULONG MaximumInstances; - ULONG InboundQuota; - ULONG OutboundQuota; - LARGE_INTEGER DefaultTimeout; - BOOLEAN TimeoutSpecified; - } NAMED_PIPE_CREATE_PARAMETERS, *PNAMED_PIPE_CREATE_PARAMETERS; - - // pub - typedef struct _MAILSLOT_CREATE_PARAMETERS - { - ULONG MailslotQuota; - ULONG MaximumMessageSize; - LARGE_INTEGER ReadTimeout; - BOOLEAN TimeoutSpecified; - } MAILSLOT_CREATE_PARAMETERS, *PMAILSLOT_CREATE_PARAMETERS; - - // pub - typedef struct _OPLOCK_KEY_ECP_CONTEXT - { - GUID OplockKey; - ULONG Reserved; - } OPLOCK_KEY_ECP_CONTEXT, *POPLOCK_KEY_ECP_CONTEXT; - - // pub - typedef struct _OPLOCK_KEY_CONTEXT - { - USHORT Version; // OPLOCK_KEY_VERSION_* - USHORT Flags; // OPLOCK_KEY_FLAG_* - GUID ParentOplockKey; - GUID TargetOplockKey; - ULONG Reserved; - } OPLOCK_KEY_CONTEXT, *POPLOCK_KEY_CONTEXT; - -#define OPLOCK_KEY_VERSION_WIN7 0x0001 -#define OPLOCK_KEY_VERSION_WIN8 0x0002 - -#define OPLOCK_KEY_FLAG_PARENT_KEY 0x0001 -#define OPLOCK_KEY_FLAG_TARGET_KEY 0x0002 - -// pub -#define SUPPORTED_FS_FEATURES_OFFLOAD_READ 0x00000001 -#define SUPPORTED_FS_FEATURES_OFFLOAD_WRITE 0x00000002 -#define SUPPORTED_FS_FEATURES_QUERY_OPEN 0x00000004 -#define SUPPORTED_FS_FEATURES_BYPASS_IO 0x00000008 - -// WIN11 -#define SUPPORTED_FS_FEATURES_VALID_MASK_V3 (SUPPORTED_FS_FEATURES_OFFLOAD_READ | \ - SUPPORTED_FS_FEATURES_OFFLOAD_WRITE | \ - SUPPORTED_FS_FEATURES_QUERY_OPEN | \ - SUPPORTED_FS_FEATURES_BYPASS_IO) -// WIN10-RS2 -#define SUPPORTED_FS_FEATURES_VALID_MASK_V2 (SUPPORTED_FS_FEATURES_OFFLOAD_READ | \ - SUPPORTED_FS_FEATURES_OFFLOAD_WRITE | \ - SUPPORTED_FS_FEATURES_QUERY_OPEN) -// WIN8 -#define SUPPORTED_FS_FEATURES_VALID_MASK_V1 (SUPPORTED_FS_FEATURES_OFFLOAD_READ | \ - SUPPORTED_FS_FEATURES_OFFLOAD_WRITE) - -#define 
SUPPORTED_FS_FEATURES_VALID_MASK SUPPORTED_FS_FEATURES_VALID_MASK_V3 - -#endif // (PHNT_MODE != PHNT_MODE_KERNEL) - -#endif - /* - * Local Inter-process Communication support functions - * - * This file is part of System Informer. - */ - -#ifndef _NTLPCAPI_H -#define _NTLPCAPI_H - -#define PORT_CONNECT 0x0001 -#define PORT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1) - - typedef struct _PORT_MESSAGE - { - union - { - struct - { - CSHORT DataLength; - CSHORT TotalLength; - } s1; - ULONG Length; - } u1; - union - { - struct - { - CSHORT Type; - CSHORT DataInfoOffset; - } s2; - ULONG ZeroInit; - } u2; - union - { - CLIENT_ID ClientId; - double DoNotUseThisField; - }; - ULONG MessageId; - union - { - SIZE_T ClientViewSize; // only valid for LPC_CONNECTION_REQUEST messages - ULONG CallbackId; // only valid for LPC_REQUEST messages - }; - } PORT_MESSAGE, *PPORT_MESSAGE; - - typedef struct _PORT_DATA_ENTRY - { - PVOID Base; - ULONG Size; - } PORT_DATA_ENTRY, *PPORT_DATA_ENTRY; - - typedef struct _PORT_DATA_INFORMATION - { - ULONG CountDataEntries; - _Field_size_(CountDataEntries) PORT_DATA_ENTRY DataEntries[1]; - } PORT_DATA_INFORMATION, *PPORT_DATA_INFORMATION; - -#define LPC_REQUEST 1 -#define LPC_REPLY 2 -#define LPC_DATAGRAM 3 -#define LPC_LOST_REPLY 4 -#define LPC_PORT_CLOSED 5 -#define LPC_CLIENT_DIED 6 -#define LPC_EXCEPTION 7 -#define LPC_DEBUG_EVENT 8 -#define LPC_ERROR_EVENT 9 -#define LPC_CONNECTION_REQUEST 10 - -#define LPC_CONTINUATION_REQUIRED 0x2000 -#define LPC_NO_IMPERSONATE 0x4000 -#define LPC_KERNELMODE_MESSAGE 0x8000 - -#define PORT_VALID_OBJECT_ATTRIBUTES OBJ_CASE_INSENSITIVE - -#ifdef _WIN64 -#define PORT_MAXIMUM_MESSAGE_LENGTH 512 -#else -#define PORT_MAXIMUM_MESSAGE_LENGTH 256 -#endif - -#define LPC_MAX_CONNECTION_INFO_SIZE (16 * sizeof(ULONG_PTR)) - -#define PORT_TOTAL_MAXIMUM_MESSAGE_LENGTH \ - ((PORT_MAXIMUM_MESSAGE_LENGTH + sizeof(PORT_MESSAGE) + LPC_MAX_CONNECTION_INFO_SIZE + 0xf) & ~0xf) - - typedef struct _LPC_CLIENT_DIED_MSG - 
{ - PORT_MESSAGE PortMsg; - LARGE_INTEGER CreateTime; - } LPC_CLIENT_DIED_MSG, *PLPC_CLIENT_DIED_MSG; - - typedef struct _PORT_VIEW - { - ULONG Length; - HANDLE SectionHandle; - ULONG SectionOffset; - SIZE_T ViewSize; - PVOID ViewBase; - PVOID ViewRemoteBase; - } PORT_VIEW, *PPORT_VIEW; - - typedef struct _REMOTE_PORT_VIEW - { - ULONG Length; - SIZE_T ViewSize; - PVOID ViewBase; - } REMOTE_PORT_VIEW, *PREMOTE_PORT_VIEW; - - // WOW64 definitions - - // Except in a small number of special cases, WOW64 programs using the LPC APIs must use the 64-bit versions of the - // PORT_MESSAGE, PORT_VIEW and REMOTE_PORT_VIEW data structures. Note that we take a different approach than the - // official NT headers, which produce 64-bit versions in a 32-bit environment when USE_LPC6432 is defined. - - typedef struct _PORT_MESSAGE64 - { - union - { - struct - { - CSHORT DataLength; - CSHORT TotalLength; - } s1; - ULONG Length; - } u1; - union - { - struct - { - CSHORT Type; - CSHORT DataInfoOffset; - } s2; - ULONG ZeroInit; - } u2; - union - { - CLIENT_ID64 ClientId; - double DoNotUseThisField; - }; - ULONG MessageId; - union - { - ULONGLONG ClientViewSize; // only valid for LPC_CONNECTION_REQUEST messages - ULONG CallbackId; // only valid for LPC_REQUEST messages - }; - } PORT_MESSAGE64, *PPORT_MESSAGE64; - - typedef struct _LPC_CLIENT_DIED_MSG64 - { - PORT_MESSAGE64 PortMsg; - LARGE_INTEGER CreateTime; - } LPC_CLIENT_DIED_MSG64, *PLPC_CLIENT_DIED_MSG64; - - typedef struct _PORT_VIEW64 - { - ULONG Length; - ULONGLONG SectionHandle; - ULONG SectionOffset; - ULONGLONG ViewSize; - ULONGLONG ViewBase; - ULONGLONG ViewRemoteBase; - } PORT_VIEW64, *PPORT_VIEW64; - - typedef struct _REMOTE_PORT_VIEW64 - { - ULONG Length; - ULONGLONG ViewSize; - ULONGLONG ViewBase; - } REMOTE_PORT_VIEW64, *PREMOTE_PORT_VIEW64; - - // - // Port creation - // - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreatePort( - _Out_ PHANDLE PortHandle, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ ULONG 
MaxConnectionInfoLength, - _In_ ULONG MaxMessageLength, - _In_opt_ ULONG MaxPoolUsage); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateWaitablePort( - _Out_ PHANDLE PortHandle, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ ULONG MaxConnectionInfoLength, - _In_ ULONG MaxMessageLength, - _In_opt_ ULONG MaxPoolUsage); - - // - // Port connection (client) - // - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtConnectPort( - _Out_ PHANDLE PortHandle, - _In_ PUNICODE_STRING PortName, - _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos, - _Inout_opt_ PPORT_VIEW ClientView, - _Inout_opt_ PREMOTE_PORT_VIEW ServerView, - _Out_opt_ PULONG MaxMessageLength, - _Inout_updates_bytes_to_opt_(*ConnectionInformationLength, *ConnectionInformationLength) PVOID ConnectionInformation, - _Inout_opt_ PULONG ConnectionInformationLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSecureConnectPort( - _Out_ PHANDLE PortHandle, - _In_ PUNICODE_STRING PortName, - _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos, - _Inout_opt_ PPORT_VIEW ClientView, - _In_opt_ PSID RequiredServerSid, - _Inout_opt_ PREMOTE_PORT_VIEW ServerView, - _Out_opt_ PULONG MaxMessageLength, - _Inout_updates_bytes_to_opt_(*ConnectionInformationLength, *ConnectionInformationLength) PVOID ConnectionInformation, - _Inout_opt_ PULONG ConnectionInformationLength); - - // - // Port connection (server) - // - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtListenPort( - _In_ HANDLE PortHandle, - _Out_ PPORT_MESSAGE ConnectionRequest); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAcceptConnectPort( - _Out_ PHANDLE PortHandle, - _In_opt_ PVOID PortContext, - _In_ PPORT_MESSAGE ConnectionRequest, - _In_ BOOLEAN AcceptConnection, - _Inout_opt_ PPORT_VIEW ServerView, - _Out_opt_ PREMOTE_PORT_VIEW ClientView); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCompleteConnectPort( - _In_ HANDLE PortHandle); - - // - // General - // - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtRequestPort( - _In_ HANDLE PortHandle, - _In_reads_bytes_(RequestMessage->u1.s1.TotalLength) 
PPORT_MESSAGE RequestMessage); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtRequestWaitReplyPort( - _In_ HANDLE PortHandle, - _In_reads_bytes_(RequestMessage->u1.s1.TotalLength) PPORT_MESSAGE RequestMessage, - _Out_ PPORT_MESSAGE ReplyMessage); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtReplyPort( - _In_ HANDLE PortHandle, - _In_reads_bytes_(ReplyMessage->u1.s1.TotalLength) PPORT_MESSAGE ReplyMessage); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtReplyWaitReplyPort( - _In_ HANDLE PortHandle, - _Inout_ PPORT_MESSAGE ReplyMessage); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtReplyWaitReceivePort( - _In_ HANDLE PortHandle, - _Out_opt_ PVOID *PortContext, - _In_reads_bytes_opt_(ReplyMessage->u1.s1.TotalLength) PPORT_MESSAGE ReplyMessage, - _Out_ PPORT_MESSAGE ReceiveMessage); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtReplyWaitReceivePortEx( - _In_ HANDLE PortHandle, - _Out_opt_ PVOID *PortContext, - _In_reads_bytes_opt_(ReplyMessage->u1.s1.TotalLength) PPORT_MESSAGE ReplyMessage, - _Out_ PPORT_MESSAGE ReceiveMessage, - _In_opt_ PLARGE_INTEGER Timeout); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtImpersonateClientOfPort( - _In_ HANDLE PortHandle, - _In_ PPORT_MESSAGE Message); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtReadRequestData( - _In_ HANDLE PortHandle, - _In_ PPORT_MESSAGE Message, - _In_ ULONG DataEntryIndex, - _Out_writes_bytes_to_(BufferSize, *NumberOfBytesRead) PVOID Buffer, - _In_ SIZE_T BufferSize, - _Out_opt_ PSIZE_T NumberOfBytesRead); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtWriteRequestData( - _In_ HANDLE PortHandle, - _In_ PPORT_MESSAGE Message, - _In_ ULONG DataEntryIndex, - _In_reads_bytes_(BufferSize) PVOID Buffer, - _In_ SIZE_T BufferSize, - _Out_opt_ PSIZE_T NumberOfBytesWritten); - - typedef enum _PORT_INFORMATION_CLASS - { - PortBasicInformation, - PortDumpInformation - } PORT_INFORMATION_CLASS; - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryInformationPort( - _In_ HANDLE PortHandle, - _In_ PORT_INFORMATION_CLASS PortInformationClass, - _Out_writes_bytes_to_(Length, 
*ReturnLength) PVOID PortInformation, - _In_ ULONG Length, - _Out_opt_ PULONG ReturnLength); - - // Asynchronous Local Inter-process Communication - - // rev - typedef HANDLE ALPC_HANDLE, *PALPC_HANDLE; - -#define ALPC_PORFLG_LPC_MODE 0x1000 // kernel only -#define ALPC_PORFLG_ALLOW_IMPERSONATION 0x10000 -#define ALPC_PORFLG_ALLOW_LPC_REQUESTS 0x20000 // rev -#define ALPC_PORFLG_WAITABLE_PORT 0x40000 // dbg -#define ALPC_PORFLG_ALLOW_DUP_OBJECT 0x80000 -#define ALPC_PORFLG_SYSTEM_PROCESS 0x100000 // dbg -#define ALPC_PORFLG_WAKE_POLICY1 0x200000 -#define ALPC_PORFLG_WAKE_POLICY2 0x400000 -#define ALPC_PORFLG_WAKE_POLICY3 0x800000 -#define ALPC_PORFLG_DIRECT_MESSAGE 0x1000000 -#define ALPC_PORFLG_ALLOW_MULTIHANDLE_ATTRIBUTE 0x2000000 - -#define ALPC_PORFLG_OBJECT_TYPE_FILE 0x0001 -#define ALPC_PORFLG_OBJECT_TYPE_INVALID 0x0002 -#define ALPC_PORFLG_OBJECT_TYPE_THREAD 0x0004 -#define ALPC_PORFLG_OBJECT_TYPE_SEMAPHORE 0x0008 -#define ALPC_PORFLG_OBJECT_TYPE_EVENT 0x0010 -#define ALPC_PORFLG_OBJECT_TYPE_PROCESS 0X0020 -#define ALPC_PORFLG_OBJECT_TYPE_MUTEX 0x0040 -#define ALPC_PORFLG_OBJECT_TYPE_SECTION 0x0080 -#define ALPC_PORFLG_OBJECT_TYPE_REGKEY 0x0100 -#define ALPC_PORFLG_OBJECT_TYPE_TOKEN 0x0200 -#define ALPC_PORFLG_OBJECT_TYPE_COMPOSITION 0x0400 -#define ALPC_PORFLG_OBJECT_TYPE_JOB 0x0800 -#define ALPC_PORFLG_OBJECT_TYPE_ALL \ - (ALPC_PORFLG_OBJECT_TYPE_FILE | ALPC_PORFLG_OBJECT_TYPE_THREAD | \ - ALPC_PORFLG_OBJECT_TYPE_SEMAPHORE | ALPC_PORFLG_OBJECT_TYPE_EVENT | \ - ALPC_PORFLG_OBJECT_TYPE_PROCESS | ALPC_PORFLG_OBJECT_TYPE_MUTEX | \ - ALPC_PORFLG_OBJECT_TYPE_SECTION | ALPC_PORFLG_OBJECT_TYPE_REGKEY | \ - ALPC_PORFLG_OBJECT_TYPE_TOKEN | ALPC_PORFLG_OBJECT_TYPE_COMPOSITION | \ - ALPC_PORFLG_OBJECT_TYPE_JOB) - - // symbols - typedef struct _ALPC_PORT_ATTRIBUTES - { - ULONG Flags; - SECURITY_QUALITY_OF_SERVICE SecurityQos; - SIZE_T MaxMessageLength; - SIZE_T MemoryBandwidth; - SIZE_T MaxPoolUsage; - SIZE_T MaxSectionSize; - SIZE_T MaxViewSize; - SIZE_T 
MaxTotalSectionSize; - ULONG DupObjectTypes; -#ifdef _WIN64 - ULONG Reserved; -#endif - } ALPC_PORT_ATTRIBUTES, *PALPC_PORT_ATTRIBUTES; - -// begin_rev -#define ALPC_MESSAGE_HANDLE_ATTRIBUTE 0x10000000 -#define ALPC_MESSAGE_CONTEXT_ATTRIBUTE 0x20000000 -#define ALPC_MESSAGE_VIEW_ATTRIBUTE 0x40000000 -#define ALPC_MESSAGE_SECURITY_ATTRIBUTE 0x80000000 - // end_rev - - // symbols - typedef struct _ALPC_MESSAGE_ATTRIBUTES - { - ULONG AllocatedAttributes; - ULONG ValidAttributes; - } ALPC_MESSAGE_ATTRIBUTES, *PALPC_MESSAGE_ATTRIBUTES; - - // symbols - typedef struct _ALPC_COMPLETION_LIST_STATE - { - union - { - struct - { - ULONG64 Head : 24; - ULONG64 Tail : 24; - ULONG64 ActiveThreadCount : 16; - } s1; - ULONG64 Value; - } u1; - } ALPC_COMPLETION_LIST_STATE, *PALPC_COMPLETION_LIST_STATE; - -#define ALPC_COMPLETION_LIST_BUFFER_GRANULARITY_MASK 0x3f // dbg - - // symbols - typedef struct DECLSPEC_ALIGN(128) _ALPC_COMPLETION_LIST_HEADER - { - ULONG64 StartMagic; - - ULONG TotalSize; - ULONG ListOffset; - ULONG ListSize; - ULONG BitmapOffset; - ULONG BitmapSize; - ULONG DataOffset; - ULONG DataSize; - ULONG AttributeFlags; - ULONG AttributeSize; - - DECLSPEC_ALIGN(128) - ALPC_COMPLETION_LIST_STATE State; - ULONG LastMessageId; - ULONG LastCallbackId; - DECLSPEC_ALIGN(128) - ULONG PostCount; - DECLSPEC_ALIGN(128) - ULONG ReturnCount; - DECLSPEC_ALIGN(128) - ULONG LogSequenceNumber; - DECLSPEC_ALIGN(128) - RTL_SRWLOCK UserLock; - - ULONG64 EndMagic; - } ALPC_COMPLETION_LIST_HEADER, *PALPC_COMPLETION_LIST_HEADER; - - // private - typedef struct _ALPC_CONTEXT_ATTR - { - PVOID PortContext; - PVOID MessageContext; - ULONG Sequence; - ULONG MessageId; - ULONG CallbackId; - } ALPC_CONTEXT_ATTR, *PALPC_CONTEXT_ATTR; - -// begin_rev -#define ALPC_HANDLEFLG_DUPLICATE_SAME_ACCESS 0x10000 -#define ALPC_HANDLEFLG_DUPLICATE_SAME_ATTRIBUTES 0x20000 -#define ALPC_HANDLEFLG_DUPLICATE_INHERIT 0x80000 - // end_rev - - // private - typedef struct _ALPC_HANDLE_ATTR32 - { - ULONG Flags; - 
ULONG Reserved0; - ULONG SameAccess; - ULONG SameAttributes; - ULONG Indirect; - ULONG Inherit; - ULONG Reserved1; - ULONG Handle; - ULONG ObjectType; // ObjectTypeCode, not ObjectTypeIndex - ACCESS_MASK DesiredAccess; - ACCESS_MASK GrantedAccess; - } ALPC_HANDLE_ATTR32, *PALPC_HANDLE_ATTR32; - - // private - typedef struct _ALPC_HANDLE_ATTR - { - ULONG Flags; - ULONG Reserved0; - ULONG SameAccess; - ULONG SameAttributes; - ULONG Indirect; - ULONG Inherit; - ULONG Reserved1; - HANDLE Handle; - PALPC_HANDLE_ATTR32 HandleAttrArray; - ULONG ObjectType; // ObjectTypeCode, not ObjectTypeIndex - ULONG HandleCount; - ACCESS_MASK DesiredAccess; - ACCESS_MASK GrantedAccess; - } ALPC_HANDLE_ATTR, *PALPC_HANDLE_ATTR; - -#define ALPC_SECFLG_CREATE_HANDLE 0x20000 // dbg -#define ALPC_SECFLG_NOSECTIONHANDLE 0x40000 - - // private - typedef struct _ALPC_SECURITY_ATTR - { - ULONG Flags; - PSECURITY_QUALITY_OF_SERVICE QoS; - ALPC_HANDLE ContextHandle; // dbg - } ALPC_SECURITY_ATTR, *PALPC_SECURITY_ATTR; - -// begin_rev -#define ALPC_VIEWFLG_UNMAP_EXISTING 0x10000 -#define ALPC_VIEWFLG_AUTO_RELEASE 0x20000 -#define ALPC_VIEWFLG_NOT_SECURE 0x40000 - // end_rev - - // private - typedef struct _ALPC_DATA_VIEW_ATTR - { - ULONG Flags; - ALPC_HANDLE SectionHandle; - PVOID ViewBase; // must be zero on input - SIZE_T ViewSize; - } ALPC_DATA_VIEW_ATTR, *PALPC_DATA_VIEW_ATTR; - - // private - typedef enum _ALPC_PORT_INFORMATION_CLASS - { - AlpcBasicInformation, // q: out ALPC_BASIC_INFORMATION - AlpcPortInformation, // s: in ALPC_PORT_ATTRIBUTES - AlpcAssociateCompletionPortInformation, // s: in ALPC_PORT_ASSOCIATE_COMPLETION_PORT - AlpcConnectedSIDInformation, // q: in SID - AlpcServerInformation, // q: inout ALPC_SERVER_INFORMATION - AlpcMessageZoneInformation, // s: in ALPC_PORT_MESSAGE_ZONE_INFORMATION - AlpcRegisterCompletionListInformation, // s: in ALPC_PORT_COMPLETION_LIST_INFORMATION - AlpcUnregisterCompletionListInformation, // s: VOID - 
AlpcAdjustCompletionListConcurrencyCountInformation, // s: in ULONG - AlpcRegisterCallbackInformation, // s: ALPC_REGISTER_CALLBACK // kernel-mode only - AlpcCompletionListRundownInformation, // s: VOID // 10 - AlpcWaitForPortReferences, - AlpcServerSessionInformation // q: ALPC_SERVER_SESSION_INFORMATION // since 19H2 - } ALPC_PORT_INFORMATION_CLASS; - - // private - typedef struct _ALPC_BASIC_INFORMATION - { - ULONG Flags; - ULONG SequenceNo; - PVOID PortContext; - } ALPC_BASIC_INFORMATION, *PALPC_BASIC_INFORMATION; - - // private - typedef struct _ALPC_PORT_ASSOCIATE_COMPLETION_PORT - { - PVOID CompletionKey; - HANDLE CompletionPort; - } ALPC_PORT_ASSOCIATE_COMPLETION_PORT, *PALPC_PORT_ASSOCIATE_COMPLETION_PORT; - - // private - typedef struct _ALPC_SERVER_INFORMATION - { - union - { - struct - { - HANDLE ThreadHandle; - } In; - struct - { - BOOLEAN ThreadBlocked; - HANDLE ConnectedProcessId; - UNICODE_STRING ConnectionPortName; - } Out; - }; - } ALPC_SERVER_INFORMATION, *PALPC_SERVER_INFORMATION; - - // private - typedef struct _ALPC_PORT_MESSAGE_ZONE_INFORMATION - { - PVOID Buffer; - ULONG Size; - } ALPC_PORT_MESSAGE_ZONE_INFORMATION, *PALPC_PORT_MESSAGE_ZONE_INFORMATION; - - // private - typedef struct _ALPC_PORT_COMPLETION_LIST_INFORMATION - { - PVOID Buffer; // PALPC_COMPLETION_LIST_HEADER - ULONG Size; - ULONG ConcurrencyCount; - ULONG AttributeFlags; - } ALPC_PORT_COMPLETION_LIST_INFORMATION, *PALPC_PORT_COMPLETION_LIST_INFORMATION; - - // private - typedef struct _ALPC_REGISTER_CALLBACK - { - PVOID CallbackObject; // PCALLBACK_OBJECT - PVOID CallbackContext; - } ALPC_REGISTER_CALLBACK, *PALPC_REGISTER_CALLBACK; - - // private - typedef struct _ALPC_SERVER_SESSION_INFORMATION - { - ULONG SessionId; - ULONG ProcessId; - } ALPC_SERVER_SESSION_INFORMATION, *PALPC_SERVER_SESSION_INFORMATION; - - // private - typedef enum _ALPC_MESSAGE_INFORMATION_CLASS - { - AlpcMessageSidInformation, // q: out SID - AlpcMessageTokenModifiedIdInformation, // q: out LUID - 
AlpcMessageDirectStatusInformation, - AlpcMessageHandleInformation, // ALPC_MESSAGE_HANDLE_INFORMATION - MaxAlpcMessageInfoClass - } ALPC_MESSAGE_INFORMATION_CLASS, - *PALPC_MESSAGE_INFORMATION_CLASS; - - typedef struct _ALPC_MESSAGE_HANDLE_INFORMATION - { - ULONG Index; - ULONG Flags; - ULONG Handle; - ULONG ObjectType; - ACCESS_MASK GrantedAccess; - } ALPC_MESSAGE_HANDLE_INFORMATION, *PALPC_MESSAGE_HANDLE_INFORMATION; - - // begin_private - -#if (PHNT_VERSION >= PHNT_VISTA) - - // - // System calls - // - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAlpcCreatePort( - _Out_ PHANDLE PortHandle, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ PALPC_PORT_ATTRIBUTES PortAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAlpcDisconnectPort( - _In_ HANDLE PortHandle, - _In_ ULONG Flags); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAlpcQueryInformation( - _In_opt_ HANDLE PortHandle, - _In_ ALPC_PORT_INFORMATION_CLASS PortInformationClass, - _Inout_updates_bytes_to_(Length, *ReturnLength) PVOID PortInformation, - _In_ ULONG Length, - _Out_opt_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAlpcSetInformation( - _In_ HANDLE PortHandle, - _In_ ALPC_PORT_INFORMATION_CLASS PortInformationClass, - _In_reads_bytes_opt_(Length) PVOID PortInformation, - _In_ ULONG Length); - -#define ALPC_CREATEPORTSECTIONFLG_SECURE 0x40000 // rev - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAlpcCreatePortSection( - _In_ HANDLE PortHandle, - _In_ ULONG Flags, - _In_opt_ HANDLE SectionHandle, - _In_ SIZE_T SectionSize, - _Out_ PALPC_HANDLE AlpcSectionHandle, - _Out_ PSIZE_T ActualSectionSize); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAlpcDeletePortSection( - _In_ HANDLE PortHandle, - _Reserved_ ULONG Flags, - _In_ ALPC_HANDLE SectionHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAlpcCreateResourceReserve( - _In_ HANDLE PortHandle, - _Reserved_ ULONG Flags, - _In_ SIZE_T MessageSize, - _Out_ PALPC_HANDLE ResourceId); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAlpcDeleteResourceReserve( - 
_In_ HANDLE PortHandle, - _Reserved_ ULONG Flags, - _In_ ALPC_HANDLE ResourceId); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAlpcCreateSectionView( - _In_ HANDLE PortHandle, - _Reserved_ ULONG Flags, - _Inout_ PALPC_DATA_VIEW_ATTR ViewAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAlpcDeleteSectionView( - _In_ HANDLE PortHandle, - _Reserved_ ULONG Flags, - _In_ PVOID ViewBase); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAlpcCreateSecurityContext( - _In_ HANDLE PortHandle, - _Reserved_ ULONG Flags, - _Inout_ PALPC_SECURITY_ATTR SecurityAttribute); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAlpcDeleteSecurityContext( - _In_ HANDLE PortHandle, - _Reserved_ ULONG Flags, - _In_ ALPC_HANDLE ContextHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAlpcRevokeSecurityContext( - _In_ HANDLE PortHandle, - _Reserved_ ULONG Flags, - _In_ ALPC_HANDLE ContextHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAlpcQueryInformationMessage( - _In_ HANDLE PortHandle, - _In_ PPORT_MESSAGE PortMessage, - _In_ ALPC_MESSAGE_INFORMATION_CLASS MessageInformationClass, - _Out_writes_bytes_to_opt_(Length, *ReturnLength) PVOID MessageInformation, - _In_ ULONG Length, - _Out_opt_ PULONG ReturnLength); - -#define ALPC_MSGFLG_REPLY_MESSAGE 0x1 -#define ALPC_MSGFLG_LPC_MODE 0x2 -#define ALPC_MSGFLG_RELEASE_MESSAGE 0x10000 // dbg -#define ALPC_MSGFLG_SYNC_REQUEST 0x20000 // dbg -#define ALPC_MSGFLG_TRACK_PORT_REFERENCES 0x40000 -#define ALPC_MSGFLG_WAIT_USER_MODE 0x100000 -#define ALPC_MSGFLG_WAIT_ALERTABLE 0x200000 -#define ALPC_MSGFLG_WOW64_CALL 0x80000000 // dbg - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAlpcConnectPort( - _Out_ PHANDLE PortHandle, - _In_ PUNICODE_STRING PortName, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ PALPC_PORT_ATTRIBUTES PortAttributes, - _In_ ULONG Flags, - _In_opt_ PSID RequiredServerSid, - _Inout_updates_bytes_to_opt_(*BufferLength, *BufferLength) PPORT_MESSAGE ConnectionMessage, - _Inout_opt_ PSIZE_T BufferLength, - _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES 
OutMessageAttributes, - _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES InMessageAttributes, - _In_opt_ PLARGE_INTEGER Timeout); - -#if (PHNT_VERSION >= PHNT_WIN8) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAlpcConnectPortEx( - _Out_ PHANDLE PortHandle, - _In_ POBJECT_ATTRIBUTES ConnectionPortObjectAttributes, - _In_opt_ POBJECT_ATTRIBUTES ClientPortObjectAttributes, - _In_opt_ PALPC_PORT_ATTRIBUTES PortAttributes, - _In_ ULONG Flags, - _In_opt_ PSECURITY_DESCRIPTOR ServerSecurityRequirements, - _Inout_updates_bytes_to_opt_(*BufferLength, *BufferLength) PPORT_MESSAGE ConnectionMessage, - _Inout_opt_ PSIZE_T BufferLength, - _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes, - _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES InMessageAttributes, - _In_opt_ PLARGE_INTEGER Timeout); -#endif - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAlpcAcceptConnectPort( - _Out_ PHANDLE PortHandle, - _In_ HANDLE ConnectionPortHandle, - _In_ ULONG Flags, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ PALPC_PORT_ATTRIBUTES PortAttributes, - _In_opt_ PVOID PortContext, - _In_reads_bytes_(ConnectionRequest->u1.s1.TotalLength) PPORT_MESSAGE ConnectionRequest, - _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES ConnectionMessageAttributes, - _In_ BOOLEAN AcceptConnection); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAlpcSendWaitReceivePort( - _In_ HANDLE PortHandle, - _In_ ULONG Flags, - _In_reads_bytes_opt_(SendMessage->u1.s1.TotalLength) PPORT_MESSAGE SendMessage, - _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES SendMessageAttributes, - _Out_writes_bytes_to_opt_(*BufferLength, *BufferLength) PPORT_MESSAGE ReceiveMessage, - _Inout_opt_ PSIZE_T BufferLength, - _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES ReceiveMessageAttributes, - _In_opt_ PLARGE_INTEGER Timeout); - -#define ALPC_CANCELFLG_TRY_CANCEL 0x1 // dbg -#define ALPC_CANCELFLG_NO_CONTEXT_CHECK 0x8 -#define ALPC_CANCELFLGP_FLUSH 0x10000 // dbg - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAlpcCancelMessage( - _In_ HANDLE PortHandle, - _In_ ULONG Flags, - _In_ PALPC_CONTEXT_ATTR 
MessageContext); - -#define ALPC_IMPERSONATEFLG_ANONYMOUS 0x1 -#define ALPC_IMPERSONATEFLG_REQUIRE_IMPERSONATE 0x2 - // ALPC_IMPERSONATEFLG 0x3-0x10 (SECURITY_IMPERSONATION_LEVEL) - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAlpcImpersonateClientOfPort( - _In_ HANDLE PortHandle, - _In_ PPORT_MESSAGE Message, - _In_ PVOID Flags); - -#if (PHNT_VERSION >= PHNT_THRESHOLD) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAlpcImpersonateClientContainerOfPort( - _In_ HANDLE PortHandle, - _In_ PPORT_MESSAGE Message, - _Reserved_ ULONG Flags); -#endif - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAlpcOpenSenderProcess( - _Out_ PHANDLE ProcessHandle, - _In_ HANDLE PortHandle, - _In_ PPORT_MESSAGE PortMessage, - _Reserved_ ULONG Flags, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAlpcOpenSenderThread( - _Out_ PHANDLE ThreadHandle, - _In_ HANDLE PortHandle, - _In_ PPORT_MESSAGE PortMessage, - _Reserved_ ULONG Flags, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes); - - // - // Support functions - // - - NTSYSAPI - ULONG - NTAPI - AlpcMaxAllowedMessageLength( - VOID); - -#define ALPC_ATTRFLG_ALLOCATEDATTR 0x20000000 -#define ALPC_ATTRFLG_VALIDATTR 0x40000000 -#define ALPC_ATTRFLG_KEEPRUNNINGATTR 0x60000000 - - NTSYSAPI - ULONG - NTAPI - AlpcGetHeaderSize( - _In_ ULONG Flags); - - NTSYSAPI - NTSTATUS - NTAPI - AlpcInitializeMessageAttribute( - _In_ ULONG AttributeFlags, - _Out_opt_ PALPC_MESSAGE_ATTRIBUTES Buffer, - _In_ SIZE_T BufferSize, - _Out_ PSIZE_T RequiredBufferSize); - - NTSYSAPI - PVOID - NTAPI - AlpcGetMessageAttribute( - _In_ PALPC_MESSAGE_ATTRIBUTES Buffer, - _In_ ULONG AttributeFlag); - - NTSYSAPI - NTSTATUS - NTAPI - AlpcRegisterCompletionList( - _In_ HANDLE PortHandle, - _Out_ PALPC_COMPLETION_LIST_HEADER Buffer, - _In_ ULONG Size, - _In_ ULONG ConcurrencyCount, - _In_ ULONG AttributeFlags); - - NTSYSAPI - NTSTATUS - NTAPI - AlpcUnregisterCompletionList( - _In_ HANDLE PortHandle); - 
-#if (PHNT_VERSION >= PHNT_WIN7) - // rev - NTSYSAPI - NTSTATUS - NTAPI - AlpcRundownCompletionList( - _In_ HANDLE PortHandle); -#endif - - NTSYSAPI - NTSTATUS - NTAPI - AlpcAdjustCompletionListConcurrencyCount( - _In_ HANDLE PortHandle, - _In_ ULONG ConcurrencyCount); - - NTSYSAPI - BOOLEAN - NTAPI - AlpcRegisterCompletionListWorkerThread( - _Inout_ PVOID CompletionList); - - NTSYSAPI - BOOLEAN - NTAPI - AlpcUnregisterCompletionListWorkerThread( - _Inout_ PVOID CompletionList); - - NTSYSAPI - VOID - NTAPI - AlpcGetCompletionListLastMessageInformation( - _In_ PVOID CompletionList, - _Out_ PULONG LastMessageId, - _Out_ PULONG LastCallbackId); - - NTSYSAPI - ULONG - NTAPI - AlpcGetOutstandingCompletionListMessageCount( - _In_ PVOID CompletionList); - - NTSYSAPI - PPORT_MESSAGE - NTAPI - AlpcGetMessageFromCompletionList( - _In_ PVOID CompletionList, - _Out_opt_ PALPC_MESSAGE_ATTRIBUTES *MessageAttributes); - - NTSYSAPI - VOID - NTAPI - AlpcFreeCompletionListMessage( - _Inout_ PVOID CompletionList, - _In_ PPORT_MESSAGE Message); - - NTSYSAPI - PALPC_MESSAGE_ATTRIBUTES - NTAPI - AlpcGetCompletionListMessageAttributes( - _In_ PVOID CompletionList, - _In_ PPORT_MESSAGE Message); - -#endif - - // end_private - -#endif - /* - * Prefetcher (Superfetch) support functions - * - * This file is part of System Informer. 
- */ - -#ifndef _NTPFAPI_H -#define _NTPFAPI_H - - // begin_private - - // Prefetch - - typedef enum _PF_BOOT_PHASE_ID - { - PfKernelInitPhase = 0, - PfBootDriverInitPhase = 90, - PfSystemDriverInitPhase = 120, - PfSessionManagerInitPhase = 150, - PfSMRegistryInitPhase = 180, - PfVideoInitPhase = 210, - PfPostVideoInitPhase = 240, - PfBootAcceptedRegistryInitPhase = 270, - PfUserShellReadyPhase = 300, - PfMaxBootPhaseId = 900 - } PF_BOOT_PHASE_ID; - - typedef enum _PF_ENABLE_STATUS - { - PfSvNotSpecified, - PfSvEnabled, - PfSvDisabled, - PfSvMaxEnableStatus - } PF_ENABLE_STATUS; - - typedef struct _PF_TRACE_LIMITS - { - ULONG MaxNumPages; - ULONG MaxNumSections; - LONGLONG TimerPeriod; - } PF_TRACE_LIMITS, *PPF_TRACE_LIMITS; - - typedef struct _PF_SYSTEM_PREFETCH_PARAMETERS - { - PF_ENABLE_STATUS EnableStatus[2]; - PF_TRACE_LIMITS TraceLimits[2]; - ULONG MaxNumActiveTraces; - ULONG MaxNumSavedTraces; - WCHAR RootDirPath[32]; - WCHAR HostingApplicationList[128]; - } PF_SYSTEM_PREFETCH_PARAMETERS, *PPF_SYSTEM_PREFETCH_PARAMETERS; - -#define PF_BOOT_CONTROL_VERSION 1 - - typedef struct _PF_BOOT_CONTROL - { - ULONG Version; - ULONG DisableBootPrefetching; - } PF_BOOT_CONTROL, *PPF_BOOT_CONTROL; - - typedef enum _PREFETCHER_INFORMATION_CLASS - { - PrefetcherRetrieveTrace = 1, // q: CHAR[] - PrefetcherSystemParameters, // q: PF_SYSTEM_PREFETCH_PARAMETERS - PrefetcherBootPhase, // s: PF_BOOT_PHASE_ID - PrefetcherSpare1, // PrefetcherRetrieveBootLoaderTrace // q: CHAR[] - PrefetcherBootControl, // s: PF_BOOT_CONTROL - PrefetcherScenarioPolicyControl, - PrefetcherSpare2, - PrefetcherAppLaunchScenarioControl, - PrefetcherInformationMax - } PREFETCHER_INFORMATION_CLASS; - -#define PREFETCHER_INFORMATION_VERSION 23 // rev -#define PREFETCHER_INFORMATION_MAGIC ('kuhC') // rev - - typedef struct _PREFETCHER_INFORMATION - { - _In_ ULONG Version; - _In_ ULONG Magic; - _In_ PREFETCHER_INFORMATION_CLASS PrefetcherInformationClass; - _Inout_ PVOID PrefetcherInformation; - _Inout_ 
ULONG PrefetcherInformationLength; - } PREFETCHER_INFORMATION, *PPREFETCHER_INFORMATION; - - // Superfetch - - typedef struct _PF_SYSTEM_SUPERFETCH_PARAMETERS - { - ULONG EnabledComponents; - ULONG BootID; - ULONG SavedSectInfoTracesMax; - ULONG SavedPageAccessTracesMax; - ULONG ScenarioPrefetchTimeoutStandby; - ULONG ScenarioPrefetchTimeoutHibernate; - ULONG ScenarioPrefetchTimeoutHiberBoot; - } PF_SYSTEM_SUPERFETCH_PARAMETERS, *PPF_SYSTEM_SUPERFETCH_PARAMETERS; - - // rev - typedef enum _PF_EVENT_TYPE - { - PfEventTypeImageLoad = 0, - PfEventTypeAppLaunch = 1, - PfEventTypeStartTrace = 2, - PfEventTypeEndTrace = 3, - PfEventTypeTimestamp = 4, - PfEventTypeOperation = 5, - PfEventTypeRepurpose = 6, - PfEventTypeForegroundProcess = 7, - PfEventTypeTimeRange = 8, - PfEventTypeUserInput = 9, - PfEventTypeFileAccess = 10, - PfEventTypeUnmap = 11, - PfEventTypeUtilization = 11, - PfEventTypeMemInfo = 12, - PfEventTypeFileDelete = 13, - PfEventTypeAppExit = 14, - PfEventTypeSystemTime = 15, - PfEventTypePower = 16, - PfEventTypeSessionChange = 17, - PfEventTypeHardFaultTimeStamp = 18, - PfEventTypeVirtualFree = 19, - PfEventTypePerfInfo = 20, - PfEventTypeProcessSnapshot = 21, - PfEventTypeUserSnapshot = 22, - PfEventTypeStreamSequenceNumber = 23, - PfEventTypeFileTruncate = 24, - PfEventTypeFileRename = 25, - PfEventTypeFileCreate = 26, - PfEventTypeAgCxContext = 27, - PfEventTypePowerAction = 28, - PfEventTypeHardFaultTS = 29, - PfEventTypeRobustInfo = 30, - PfEventTypeFileDefrag = 31, - PfEventTypeMax = 32 - } PF_EVENT_TYPE; - - // rev - typedef struct _PF_LOG_EVENT_DATA - { - ULONG EventType : 5; // PF_EVENT_TYPE - ULONG Flags : 2; - ULONG DataSize : 25; - PVOID EventData; - } PF_LOG_EVENT_DATA, *PPF_LOG_EVENT_DATA; - -#define PF_PFN_PRIO_REQUEST_VERSION 1 -#define PF_PFN_PRIO_REQUEST_QUERY_MEMORY_LIST 0x1 -#define PF_PFN_PRIO_REQUEST_VALID_FLAGS 0x1 - - typedef struct _PF_PFN_PRIO_REQUEST - { - ULONG Version; - ULONG RequestFlags; - ULONG_PTR PfnCount; - 
SYSTEM_MEMORY_LIST_INFORMATION MemInfo; - MMPFN_IDENTITY PageData[256]; - } PF_PFN_PRIO_REQUEST, *PPF_PFN_PRIO_REQUEST; - - typedef enum _PFS_PRIVATE_PAGE_SOURCE_TYPE - { - PfsPrivateSourceKernel, - PfsPrivateSourceSession, - PfsPrivateSourceProcess, - PfsPrivateSourceMax - } PFS_PRIVATE_PAGE_SOURCE_TYPE; - - typedef struct _PFS_PRIVATE_PAGE_SOURCE - { - PFS_PRIVATE_PAGE_SOURCE_TYPE Type; - union - { - ULONG SessionId; - ULONG ProcessId; - }; - ULONG ImagePathHash; - ULONG_PTR UniqueProcessHash; - } PFS_PRIVATE_PAGE_SOURCE, *PPFS_PRIVATE_PAGE_SOURCE; - - typedef struct _PF_PRIVSOURCE_INFO - { - PFS_PRIVATE_PAGE_SOURCE DbInfo; - PVOID EProcess; - SIZE_T WsPrivatePages; - SIZE_T TotalPrivatePages; - ULONG SessionID; - CHAR ImageName[16]; - union - { - ULONG_PTR WsSwapPages; // process only PF_PRIVSOURCE_QUERY_WS_SWAP_PAGES. - ULONG_PTR SessionPagedPoolPages; // session only. - ULONG_PTR StoreSizePages; // process only PF_PRIVSOURCE_QUERY_STORE_INFO. - }; - ULONG_PTR WsTotalPages; // process/session only. - ULONG DeepFreezeTimeMs; // process only. - ULONG ModernApp : 1; // process only. - ULONG DeepFrozen : 1; // process only. If set, DeepFreezeTimeMs contains the time at which the freeze occurred - ULONG Foreground : 1; // process only. - ULONG PerProcessStore : 1; // process only. - ULONG Spare : 28; - } PF_PRIVSOURCE_INFO, *PPF_PRIVSOURCE_INFO; - -// rev -#define PF_PRIVSOURCE_QUERY_REQUEST_VERSION 8 -#define PF_PRIVSOURCE_QUERY_REQUEST_FLAGS_QUERYWSPAGES 0x1 -#define PF_PRIVSOURCE_QUERY_REQUEST_FLAGS_QUERYCOMPRESSEDPAGES 0x2 -#define PF_PRIVSOURCE_QUERY_REQUEST_FLAGS_QUERYSKIPPAGES 0x4 // ?? 
- - // rev - typedef struct _PF_PRIVSOURCE_QUERY_REQUEST - { - ULONG Version; - ULONG Flags; - ULONG InfoCount; - PF_PRIVSOURCE_INFO InfoArray[1]; - } PF_PRIVSOURCE_QUERY_REQUEST, *PPF_PRIVSOURCE_QUERY_REQUEST; - - // rev - typedef enum _PF_PHASED_SCENARIO_TYPE - { - PfScenarioTypeNone, - PfScenarioTypeStandby, - PfScenarioTypeHibernate, - PfScenarioTypeFUS, - PfScenarioTypeMax - } PF_PHASED_SCENARIO_TYPE; - -// rev -#define PF_SCENARIO_PHASE_INFO_VERSION 4 - - // rev - typedef struct _PF_SCENARIO_PHASE_INFO - { - ULONG Version; - PF_PHASED_SCENARIO_TYPE ScenType; - ULONG PhaseId; - ULONG SequenceNumber; - ULONG Flags; - ULONG FUSUserId; - } PF_SCENARIO_PHASE_INFO, *PPF_SCENARIO_PHASE_INFO; - - // rev - typedef struct _PF_MEMORY_LIST_NODE - { - ULONGLONG Node : 8; - ULONGLONG Spare : 56; - ULONGLONG StandbyLowPageCount; - ULONGLONG StandbyMediumPageCount; - ULONGLONG StandbyHighPageCount; - ULONGLONG FreePageCount; - ULONGLONG ModifiedPageCount; - } PF_MEMORY_LIST_NODE, *PPF_MEMORY_LIST_NODE; - - // rev - typedef struct _PF_ROBUST_PROCESS_ENTRY - { - ULONG ImagePathHash; - ULONG Pid; - ULONG Alignment; - } PF_ROBUST_PROCESS_ENTRY, *PPF_ROBUST_PROCESS_ENTRY; - - // rev - typedef struct _PF_ROBUST_FILE_ENTRY - { - ULONG FilePathHash; - } PF_ROBUST_FILE_ENTRY, *PPF_ROBUST_FILE_ENTRY; - - // rev - typedef enum _PF_ROBUSTNESS_CONTROL_COMMAND - { - PfRpControlUpdate = 0, - PfRpControlReset = 1, - PfRpControlRobustAllStart = 2, - PfRpControlRobustAllStop = 3, - PfRpControlCommandMax = 4 - } PF_ROBUSTNESS_CONTROL_COMMAND; - -// rev -#define PF_ROBUSTNESS_CONTROL_VERSION 1 - - // rev - typedef struct _PF_ROBUSTNESS_CONTROL - { - ULONG Version; - PF_ROBUSTNESS_CONTROL_COMMAND Command; - ULONG DeprioProcessCount; - ULONG ExemptProcessCount; - ULONG DeprioFileCount; - ULONG ExemptFileCount; - PF_ROBUST_PROCESS_ENTRY ProcessEntries[1]; - PF_ROBUST_FILE_ENTRY FileEntries[1]; - } PF_ROBUSTNESS_CONTROL, *PPF_ROBUSTNESS_CONTROL; - - // rev - typedef struct _PF_TIME_CONTROL - { - 
LONG TimeAdjustment; - } PF_TIME_CONTROL, *PPF_TIME_CONTROL; - -#define PF_MEMORY_LIST_INFO_VERSION 1 - - typedef struct _PF_MEMORY_LIST_INFO - { - ULONG Version; - ULONG Size; - ULONG NodeCount; - PF_MEMORY_LIST_NODE Nodes[1]; - } PF_MEMORY_LIST_INFO, *PPF_MEMORY_LIST_INFO; - - typedef struct _PF_PHYSICAL_MEMORY_RANGE - { - ULONG_PTR BasePfn; - ULONG_PTR PageCount; - } PF_PHYSICAL_MEMORY_RANGE, *PPF_PHYSICAL_MEMORY_RANGE; - -#define PF_PHYSICAL_MEMORY_RANGE_INFO_V1_VERSION 1 - - typedef struct _PF_PHYSICAL_MEMORY_RANGE_INFO_V1 - { - ULONG Version; - ULONG RangeCount; - PF_PHYSICAL_MEMORY_RANGE Ranges[1]; - } PF_PHYSICAL_MEMORY_RANGE_INFO_V1, *PPF_PHYSICAL_MEMORY_RANGE_INFO_V1; - -#define PF_PHYSICAL_MEMORY_RANGE_INFO_V2_VERSION 2 - - typedef struct _PF_PHYSICAL_MEMORY_RANGE_INFO_V2 - { - ULONG Version; - ULONG Flags; - ULONG RangeCount; - PF_PHYSICAL_MEMORY_RANGE Ranges[ANYSIZE_ARRAY]; - } PF_PHYSICAL_MEMORY_RANGE_INFO_V2, *PPF_PHYSICAL_MEMORY_RANGE_INFO_V2; - -// rev -#define PF_REPURPOSED_BY_PREFETCH_INFO_VERSION 1 - - // rev - typedef struct _PF_REPURPOSED_BY_PREFETCH_INFO - { - ULONG Version; - SIZE_T RepurposedByPrefetch; - } PF_REPURPOSED_BY_PREFETCH_INFO, *PPF_REPURPOSED_BY_PREFETCH_INFO; - -// rev -#define PF_VIRTUAL_QUERY_VERSION 1 - - // rev - typedef struct _PF_VIRTUAL_QUERY - { - ULONG Version; - union - { - ULONG Flags; - struct - { - ULONG FaultInPageTables : 1; - ULONG ReportPageTables : 1; - ULONG Spare : 30; - }; - }; - PVOID QueryBuffer; // MEMORY_WORKING_SET_EX_INFORMATION[NumberOfPages] (input: VirtualAddress[], output: VirtualAttributes[]) - SIZE_T QueryBufferSize; // NumberOfPages * sizeof(MEMORY_WORKING_SET_EX_INFORMATION) - HANDLE ProcessHandle; - } PF_VIRTUAL_QUERY, *PPF_VIRTUAL_QUERY; - -// rev -#define PF_MIN_WS_AGE_RATE_CONTROL_VERSION 1 - - // rev - typedef struct _PF_MIN_WS_AGE_RATE_CONTROL - { - ULONG Version; - ULONG SecondsToOldestAge; - } PF_MIN_WS_AGE_RATE_CONTROL, *PPF_MIN_WS_AGE_RATE_CONTROL; - -// rev -#define 
PF_DEPRIORITIZE_OLD_PAGES_VERSION 3 - - // rev - typedef struct _PF_DEPRIORITIZE_OLD_PAGES - { - ULONG Version; - HANDLE ProcessHandle; - union - { - ULONG Flags; - struct - { - ULONG TargetPriority : 4; - ULONG TrimPages : 2; - ULONG Spare : 26; - }; - }; - } PF_DEPRIORITIZE_OLD_PAGES, *PPF_DEPRIORITIZE_OLD_PAGES; - -// rev -#define PF_GPU_UTILIZATION_INFO_VERSION 1 - - // rev - typedef struct _PF_GPU_UTILIZATION_INFO - { - ULONG Version; - ULONG SessionId; - ULONGLONG GpuTime; - } PF_GPU_UTILIZATION_INFO, *PPF_GPU_UTILIZATION_INFO; - - // rev - typedef enum _SUPERFETCH_INFORMATION_CLASS - { - SuperfetchRetrieveTrace = 1, // q: CHAR[] - SuperfetchSystemParameters, // q: PF_SYSTEM_SUPERFETCH_PARAMETERS - SuperfetchLogEvent, // s: PF_LOG_EVENT_DATA - SuperfetchGenerateTrace, // s: NULL - SuperfetchPrefetch, - SuperfetchPfnQuery, // q: PF_PFN_PRIO_REQUEST - SuperfetchPfnSetPriority, - SuperfetchPrivSourceQuery, // q: PF_PRIVSOURCE_QUERY_REQUEST - SuperfetchSequenceNumberQuery, // q: ULONG - SuperfetchScenarioPhase, // 10 - SuperfetchWorkerPriority, // s: KPRIORITY - SuperfetchScenarioQuery, // q: PF_SCENARIO_PHASE_INFO - SuperfetchScenarioPrefetch, - SuperfetchRobustnessControl, // s: PF_ROBUSTNESS_CONTROL - SuperfetchTimeControl, // s: PF_TIME_CONTROL - SuperfetchMemoryListQuery, // q: PF_MEMORY_LIST_INFO - SuperfetchMemoryRangesQuery, // q: PF_PHYSICAL_MEMORY_RANGE_INFO - SuperfetchTracingControl, - SuperfetchTrimWhileAgingControl, - SuperfetchRepurposedByPrefetch, // q: PF_REPURPOSED_BY_PREFETCH_INFO // 20 - SuperfetchChannelPowerRequest, - SuperfetchMovePages, - SuperfetchVirtualQuery, // q: PF_VIRTUAL_QUERY - SuperfetchCombineStatsQuery, - SuperfetchSetMinWsAgeRate, // s: PF_MIN_WS_AGE_RATE_CONTROL - SuperfetchDeprioritizeOldPagesInWs, // s: PF_DEPRIORITIZE_OLD_PAGES - SuperfetchFileExtentsQuery, // q: PF_FILE_EXTENTS_INFO - SuperfetchGpuUtilizationQuery, // q: PF_GPU_UTILIZATION_INFO - SuperfetchPfnSet, // s: PF_PFN_PRIO_REQUEST // since WIN11 - 
SuperfetchInformationMax - } SUPERFETCH_INFORMATION_CLASS; - -#define SUPERFETCH_INFORMATION_VERSION 45 // rev -#define SUPERFETCH_INFORMATION_MAGIC ('kuhC') // rev - - typedef struct _SUPERFETCH_INFORMATION - { - _In_ ULONG Version; - _In_ ULONG Magic; - _In_ SUPERFETCH_INFORMATION_CLASS SuperfetchInformationClass; - _Inout_ PVOID SuperfetchInformation; - _Inout_ ULONG SuperfetchInformationLength; - } SUPERFETCH_INFORMATION, *PSUPERFETCH_INFORMATION; - - // end_private - -#endif - /* - * Plug and Play support functions - * - * This file is part of System Informer. - */ - -#ifndef _NTPNPAPI_H -#define _NTPNPAPI_H - -#include - - typedef enum _PLUGPLAY_EVENT_CATEGORY - { - HardwareProfileChangeEvent, - TargetDeviceChangeEvent, - DeviceClassChangeEvent, - CustomDeviceEvent, - DeviceInstallEvent, - DeviceArrivalEvent, - PowerEvent, - VetoEvent, - BlockedDriverEvent, - InvalidIDEvent, - MaxPlugEventCategory - } PLUGPLAY_EVENT_CATEGORY, - *PPLUGPLAY_EVENT_CATEGORY; - - typedef struct _PLUGPLAY_EVENT_BLOCK - { - GUID EventGuid; - PLUGPLAY_EVENT_CATEGORY EventCategory; - PULONG Result; - ULONG Flags; - ULONG TotalSize; - PVOID DeviceObject; - - union - { - struct - { - GUID ClassGuid; - WCHAR SymbolicLinkName[1]; - } DeviceClass; - struct - { - WCHAR DeviceIds[1]; - } TargetDevice; - struct - { - WCHAR DeviceId[1]; - } InstallDevice; - struct - { - PVOID NotificationStructure; - WCHAR DeviceIds[1]; - } CustomNotification; - struct - { - PVOID Notification; - } ProfileNotification; - struct - { - ULONG NotificationCode; - ULONG NotificationData; - } PowerNotification; - struct - { - PNP_VETO_TYPE VetoType; - WCHAR DeviceIdVetoNameBuffer[1]; // DeviceIdVetoName - } VetoNotification; - struct - { - GUID BlockedDriverGuid; - } BlockedDriverNotification; - struct - { - WCHAR ParentId[1]; - } InvalidIDNotification; - } u; - } PLUGPLAY_EVENT_BLOCK, *PPLUGPLAY_EVENT_BLOCK; - - typedef enum _PLUGPLAY_CONTROL_CLASS - { - PlugPlayControlEnumerateDevice, // 
PLUGPLAY_CONTROL_ENUMERATE_DEVICE_DATA - PlugPlayControlRegisterNewDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA - PlugPlayControlDeregisterDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA - PlugPlayControlInitializeDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA - PlugPlayControlStartDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA - PlugPlayControlUnlockDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA - PlugPlayControlQueryAndRemoveDevice, // PLUGPLAY_CONTROL_QUERY_AND_REMOVE_DATA - PlugPlayControlUserResponse, // PLUGPLAY_CONTROL_USER_RESPONSE_DATA - PlugPlayControlGenerateLegacyDevice, // PLUGPLAY_CONTROL_LEGACY_DEVGEN_DATA - PlugPlayControlGetInterfaceDeviceList, // PLUGPLAY_CONTROL_INTERFACE_LIST_DATA - PlugPlayControlProperty, // PLUGPLAY_CONTROL_PROPERTY_DATA - PlugPlayControlDeviceClassAssociation, // PLUGPLAY_CONTROL_CLASS_ASSOCIATION_DATA - PlugPlayControlGetRelatedDevice, // PLUGPLAY_CONTROL_RELATED_DEVICE_DATA - PlugPlayControlGetInterfaceDeviceAlias, // PLUGPLAY_CONTROL_INTERFACE_ALIAS_DATA - PlugPlayControlDeviceStatus, // PLUGPLAY_CONTROL_STATUS_DATA - PlugPlayControlGetDeviceDepth, // PLUGPLAY_CONTROL_DEPTH_DATA - PlugPlayControlQueryDeviceRelations, // PLUGPLAY_CONTROL_DEVICE_RELATIONS_DATA - PlugPlayControlTargetDeviceRelation, // PLUGPLAY_CONTROL_TARGET_RELATION_DATA - PlugPlayControlQueryConflictList, // PLUGPLAY_CONTROL_CONFLICT_LIST - PlugPlayControlRetrieveDock, // PLUGPLAY_CONTROL_RETRIEVE_DOCK_DATA - PlugPlayControlResetDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA - PlugPlayControlHaltDevice, // PLUGPLAY_CONTROL_DEVICE_CONTROL_DATA - PlugPlayControlGetBlockedDriverList, // PLUGPLAY_CONTROL_BLOCKED_DRIVER_DATA - PlugPlayControlGetDeviceInterfaceEnabled, // PLUGPLAY_CONTROL_DEVICE_INTERFACE_ENABLED - MaxPlugPlayControl - } PLUGPLAY_CONTROL_CLASS, - *PPLUGPLAY_CONTROL_CLASS; - - // pub - typedef enum _DEVICE_RELATION_TYPE - { - BusRelations, - EjectionRelations, - PowerRelations, - RemovalRelations, - TargetDeviceRelation, - 
SingleBusRelations, - TransportRelations - } DEVICE_RELATION_TYPE, - *PDEVICE_RELATION_TYPE; - - // pub - typedef enum _BUS_QUERY_ID_TYPE - { - BusQueryDeviceID = 0, // \ - BusQueryHardwareIDs = 1, // Hardware ids - BusQueryCompatibleIDs = 2, // compatible device ids - BusQueryInstanceID = 3, // persistent id for this instance of the device - BusQueryDeviceSerialNumber = 4, // serial number for this device - BusQueryContainerID = 5 // unique id of the device's physical container - } BUS_QUERY_ID_TYPE, - *PBUS_QUERY_ID_TYPE; - - // pub - typedef enum _DEVICE_TEXT_TYPE - { - DeviceTextDescription = 0, // DeviceDesc property - DeviceTextLocationInformation = 1 // DeviceLocation property - } DEVICE_TEXT_TYPE, - *PDEVICE_TEXT_TYPE; - - // pub - typedef enum _DEVICE_USAGE_NOTIFICATION_TYPE - { - DeviceUsageTypeUndefined, - DeviceUsageTypePaging, - DeviceUsageTypeHibernation, - DeviceUsageTypeDumpFile, - DeviceUsageTypeBoot, - DeviceUsageTypePostDisplay, - DeviceUsageTypeGuestAssigned - } DEVICE_USAGE_NOTIFICATION_TYPE, - *PDEVICE_USAGE_NOTIFICATION_TYPE; - -#if (PHNT_VERSION < PHNT_WIN8) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtGetPlugPlayEvent( - _In_ HANDLE EventHandle, - _In_opt_ PVOID Context, - _Out_writes_bytes_(EventBufferSize) PPLUGPLAY_EVENT_BLOCK EventBlock, - _In_ ULONG EventBufferSize); -#endif - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtPlugPlayControl( - _In_ PLUGPLAY_CONTROL_CLASS PnPControlClass, - _Inout_updates_bytes_(PnPControlDataLength) PVOID PnPControlData, - _In_ ULONG PnPControlDataLength); - -#if (PHNT_VERSION >= PHNT_WIN7) - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSerializeBoot( - VOID); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtEnableLastKnownGood( - VOID); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtDisableLastKnownGood( - VOID); - -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtReplacePartitionUnit( - _In_ PUNICODE_STRING TargetInstancePath, - _In_ PUNICODE_STRING SpareInstancePath, - _In_ ULONG Flags); -#endif - -#endif - 
/* - * Power Management support functions - * - * This file is part of System Informer. - */ - -#ifndef _NTPOAPI_H -#define _NTPOAPI_H - -#if (PHNT_MODE != PHNT_MODE_KERNEL) -// POWER_INFORMATION_LEVEL -// Note: We don't use an enum for these values to minimize conflicts with the Windows SDK. (dmex) -#define SystemPowerPolicyAc 0 // SYSTEM_POWER_POLICY // GET: InputBuffer NULL. SET: InputBuffer not NULL. -#define SystemPowerPolicyDc 1 // SYSTEM_POWER_POLICY -#define VerifySystemPolicyAc 2 // SYSTEM_POWER_POLICY -#define VerifySystemPolicyDc 3 // SYSTEM_POWER_POLICY -#define SystemPowerCapabilities 4 // SYSTEM_POWER_CAPABILITIES -#define SystemBatteryState 5 // SYSTEM_BATTERY_STATE -#define SystemPowerStateHandler 6 // POWER_STATE_HANDLER // (kernel-mode only) -#define ProcessorStateHandler 7 // PROCESSOR_STATE_HANDLER // (kernel-mode only) -#define SystemPowerPolicyCurrent 8 // SYSTEM_POWER_POLICY -#define AdministratorPowerPolicy 9 // ADMINISTRATOR_POWER_POLICY -#define SystemReserveHiberFile 10 // BOOLEAN // (requires SeCreatePagefilePrivilege) // TRUE: hibernation file created. FALSE: hibernation file deleted. 
-#define ProcessorInformation 11 // PROCESSOR_POWER_INFORMATION -#define SystemPowerInformation 12 // SYSTEM_POWER_INFORMATION -#define ProcessorStateHandler2 13 // PROCESSOR_STATE_HANDLER2 // not implemented -#define LastWakeTime 14 // ULONGLONG // InterruptTime -#define LastSleepTime 15 // ULONGLONG // InterruptTime -#define SystemExecutionState 16 // EXECUTION_STATE // NtSetThreadExecutionState -#define SystemPowerStateNotifyHandler 17 // POWER_STATE_NOTIFY_HANDLER // (kernel-mode only) -#define ProcessorPowerPolicyAc 18 // PROCESSOR_POWER_POLICY // not implemented -#define ProcessorPowerPolicyDc 19 // PROCESSOR_POWER_POLICY // not implemented -#define VerifyProcessorPowerPolicyAc 20 // PROCESSOR_POWER_POLICY // not implemented -#define VerifyProcessorPowerPolicyDc 21 // PROCESSOR_POWER_POLICY // not implemented -#define ProcessorPowerPolicyCurrent 22 // PROCESSOR_POWER_POLICY // not implemented -#define SystemPowerStateLogging 23 // SYSTEM_POWER_STATE_DISABLE_REASON[] -#define SystemPowerLoggingEntry 24 // SYSTEM_POWER_LOGGING_ENTRY[] // (kernel-mode only) -#define SetPowerSettingValue 25 // (kernel-mode only) -#define NotifyUserPowerSetting 26 // not implemented -#define PowerInformationLevelUnused0 27 // not implemented -#define SystemMonitorHiberBootPowerOff 28 // NULL (PowerMonitorOff) -#define SystemVideoState 29 // MONITOR_DISPLAY_STATE -#define TraceApplicationPowerMessage 30 // (kernel-mode only) -#define TraceApplicationPowerMessageEnd 31 // (kernel-mode only) -#define ProcessorPerfStates 32 // (kernel-mode only) -#define ProcessorIdleStates 33 // PROCESSOR_IDLE_STATES // (kernel-mode only) -#define ProcessorCap 34 // PROCESSOR_CAP // (kernel-mode only) -#define SystemWakeSource 35 // out: POWER_WAKE_SOURCE_INFO -#define SystemHiberFileInformation 36 // out: SYSTEM_HIBERFILE_INFORMATION -#define TraceServicePowerMessage 37 -#define ProcessorLoad 38 // in: PROCESSOR_LOAD (sets), in: PPROCESSOR_NUMBER (clears) -#define PowerShutdownNotification 39 // 
(kernel-mode only) -#define MonitorCapabilities 40 // (kernel-mode only) -#define SessionPowerInit 41 // (kernel-mode only) -#define SessionDisplayState 42 // (kernel-mode only) -#define PowerRequestCreate 43 // in: COUNTED_REASON_CONTEXT, out: HANDLE -#define PowerRequestAction 44 // in: POWER_REQUEST_ACTION -#define GetPowerRequestList 45 // out: POWER_REQUEST_LIST -#define ProcessorInformationEx 46 // in: USHORT ProcessorGroup, out: PROCESSOR_POWER_INFORMATION -#define NotifyUserModeLegacyPowerEvent 47 // (kernel-mode only) -#define GroupPark 48 // (debug-mode boot only) -#define ProcessorIdleDomains 49 // (kernel-mode only) -#define WakeTimerList 50 // out: WAKE_TIMER_INFO[] -#define SystemHiberFileSize 51 // ULONG -#define ProcessorIdleStatesHv 52 // (kernel-mode only) -#define ProcessorPerfStatesHv 53 // (kernel-mode only) -#define ProcessorPerfCapHv 54 // PROCESSOR_PERF_CAP_HV // (kernel-mode only) -#define ProcessorSetIdle 55 // (debug-mode boot only) -#define LogicalProcessorIdling 56 // (kernel-mode only) -#define UserPresence 57 // POWER_USER_PRESENCE // not implemented -#define PowerSettingNotificationName 58 // in: ? 
(optional) // out: PWNF_STATE_NAME (RtlSubscribeWnfStateChangeNotification) -#define GetPowerSettingValue 59 // GUID -#define IdleResiliency 60 // POWER_IDLE_RESILIENCY -#define SessionRITState 61 // POWER_SESSION_RIT_STATE -#define SessionConnectNotification 62 // POWER_SESSION_WINLOGON -#define SessionPowerCleanup 63 -#define SessionLockState 64 // POWER_SESSION_WINLOGON -#define SystemHiberbootState 65 // BOOLEAN // fast startup supported -#define PlatformInformation 66 // BOOLEAN // connected standby supported -#define PdcInvocation 67 // (kernel-mode only) -#define MonitorInvocation 68 // (kernel-mode only) -#define FirmwareTableInformationRegistered 69 // (kernel-mode only) -#define SetShutdownSelectedTime 70 // in: NULL -#define SuspendResumeInvocation 71 // (kernel-mode only) // not implemented -#define PlmPowerRequestCreate 72 // in: COUNTED_REASON_CONTEXT, out: HANDLE -#define ScreenOff 73 // in: NULL (PowerMonitorOff) -#define CsDeviceNotification 74 // (kernel-mode only) -#define PlatformRole 75 // POWER_PLATFORM_ROLE -#define LastResumePerformance 76 // RESUME_PERFORMANCE -#define DisplayBurst 77 // in: NULL (PowerMonitorOn) -#define ExitLatencySamplingPercentage 78 // in: NULL (ClearExitLatencySamplingPercentage), in: ULONG (SetExitLatencySamplingPercentage) (max 100) -#define RegisterSpmPowerSettings 79 // (kernel-mode only) -#define PlatformIdleStates 80 // (kernel-mode only) -#define ProcessorIdleVeto 81 // (kernel-mode only) // deprecated -#define PlatformIdleVeto 82 // (kernel-mode only) // deprecated -#define SystemBatteryStatePrecise 83 // SYSTEM_BATTERY_STATE -#define ThermalEvent 84 // THERMAL_EVENT // PowerReportThermalEvent -#define PowerRequestActionInternal 85 // POWER_REQUEST_ACTION_INTERNAL -#define BatteryDeviceState 86 -#define PowerInformationInternal 87 // POWER_INFORMATION_LEVEL_INTERNAL // PopPowerInformationInternal -#define ThermalStandby 88 // NULL // shutdown with thermal standby as reason. 
-#define SystemHiberFileType 89 // ULONG // zero ? reduced : full // powercfg.exe /h /type -#define PhysicalPowerButtonPress 90 // BOOLEAN -#define QueryPotentialDripsConstraint 91 // (kernel-mode only) -#define EnergyTrackerCreate 92 -#define EnergyTrackerQuery 93 -#define UpdateBlackBoxRecorder 94 -#define SessionAllowExternalDmaDevices 95 // POWER_SESSION_ALLOW_EXTERNAL_DMA_DEVICES -#define SendSuspendResumeNotification 96 // since WIN11 -#define BlackBoxRecorderDirectAccessBuffer 97 -#define PowerInformationLevelMaximum 98 -#endif - - typedef struct _PROCESSOR_POWER_INFORMATION - { - ULONG Number; - ULONG MaxMhz; - ULONG CurrentMhz; - ULONG MhzLimit; - ULONG MaxIdleState; - ULONG CurrentIdleState; - } PROCESSOR_POWER_INFORMATION, *PPROCESSOR_POWER_INFORMATION; - - typedef struct _SYSTEM_POWER_INFORMATION - { - ULONG MaxIdlenessAllowed; - ULONG Idleness; - ULONG TimeRemaining; - UCHAR CoolingMode; - } SYSTEM_POWER_INFORMATION, *PSYSTEM_POWER_INFORMATION; - - typedef struct _SYSTEM_HIBERFILE_INFORMATION - { - ULONG NumberOfMcbPairs; - LARGE_INTEGER Mcb[1]; - } SYSTEM_HIBERFILE_INFORMATION, *PSYSTEM_HIBERFILE_INFORMATION; - - // typedef enum POWER_USER_PRESENCE_TYPE - //{ - // UserNotPresent = 0, - // UserPresent = 1, - // UserUnknown = 0xff - // } POWER_USER_PRESENCE_TYPE, *PPOWER_USER_PRESENCE_TYPE; - - // typedef struct _POWER_USER_PRESENCE - //{ - // POWER_USER_PRESENCE_TYPE PowerUserPresence; - // } POWER_USER_PRESENCE, *PPOWER_USER_PRESENCE; - - // typedef struct _POWER_SESSION_CONNECT - //{ - // BOOLEAN Connected; // TRUE - connected, FALSE - disconnected - // BOOLEAN Console; // TRUE - console, FALSE - TS (not used for Connected = FALSE) - // } POWER_SESSION_CONNECT, *PPOWER_SESSION_CONNECT; - - // typedef struct _POWER_SESSION_TIMEOUTS - //{ - // ULONG InputTimeout; - // ULONG DisplayTimeout; - // } POWER_SESSION_TIMEOUTS, *PPOWER_SESSION_TIMEOUTS; - - // typedef struct _POWER_SESSION_RIT_STATE - //{ - // BOOLEAN Active; // TRUE - RIT input received, 
FALSE - RIT timeout - // ULONG64 LastInputTime; // last input time held for this session - // } POWER_SESSION_RIT_STATE, *PPOWER_SESSION_RIT_STATE; - - // typedef struct _POWER_SESSION_WINLOGON - //{ - // ULONG SessionId; // the Win32k session identifier - // BOOLEAN Console; // TRUE - for console session, FALSE - for remote session - // BOOLEAN Locked; // TRUE - lock, FALSE - unlock - // } POWER_SESSION_WINLOGON, *PPOWER_SESSION_WINLOGON; - - // typedef struct _POWER_SESSION_ALLOW_EXTERNAL_DMA_DEVICES - //{ - // BOOLEAN IsAllowed; - // } POWER_SESSION_ALLOW_EXTERNAL_DMA_DEVICES, *PPOWER_SESSION_ALLOW_EXTERNAL_DMA_DEVICES; - // - // typedef struct _POWER_IDLE_RESILIENCY - //{ - // ULONG CoalescingTimeout; - // ULONG IdleResiliencyPeriod; - // } POWER_IDLE_RESILIENCY, *PPOWER_IDLE_RESILIENCY; - - // typedef struct _RESUME_PERFORMANCE - //{ - // ULONG PostTimeMs; - // ULONGLONG TotalResumeTimeMs; - // ULONGLONG ResumeCompleteTimestamp; - // } RESUME_PERFORMANCE, *PRESUME_PERFORMANCE; - - // typedef struct _NOTIFY_USER_POWER_SETTING - //{ - // GUID Guid; - // } NOTIFY_USER_POWER_SETTING, *PNOTIFY_USER_POWER_SETTING; - -#define POWER_PERF_SCALE 100 -#define PERF_LEVEL_TO_PERCENT(_x_) ((_x_ * 1000) / (POWER_PERF_SCALE * 10)) -#define PERCENT_TO_PERF_LEVEL(_x_) ((_x_ * POWER_PERF_SCALE * 10) / 1000) -#define PO_REASON_STATE_STANDBY (PO_REASON_STATE_S1 | \ - PO_REASON_STATE_S2 | \ - PO_REASON_STATE_S3) - -#define PO_REASON_STATE_ALL (PO_REASON_STATE_STANDBY | \ - PO_REASON_STATE_S4 | \ - PO_REASON_STATE_S4FIRM) - - typedef struct _SYSTEM_POWER_LOGGING_ENTRY - { - ULONG Reason; - ULONG States; - } SYSTEM_POWER_LOGGING_ENTRY, *PSYSTEM_POWER_LOGGING_ENTRY; - - typedef enum _POWER_STATE_DISABLED_TYPE - { - PoDisabledStateSleeping1 = 0, - PoDisabledStateSleeping2 = 1, - PoDisabledStateSleeping3 = 2, - PoDisabledStateSleeping4 = 3, - PoDisabledStateSleeping0Idle = 4, - PoDisabledStateReserved5 = 5, - PoDisabledStateSleeping4Firmware = 6, - PoDisabledStateMaximum = 7 - } 
POWER_STATE_DISABLED_TYPE, - *PPOWER_STATE_DISABLED_TYPE; - -#define POWER_STATE_DISABLED_TYPE_MAX 8 - - _Struct_size_bytes_(sizeof(SYSTEM_POWER_STATE_DISABLE_REASON) + PowerReasonLength) typedef struct _SYSTEM_POWER_STATE_DISABLE_REASON - { - BOOLEAN AffectedState[POWER_STATE_DISABLED_TYPE_MAX]; - ULONG PowerReasonCode; - ULONG PowerReasonLength; - // UCHAR PowerReasonInfo[ANYSIZE_ARRAY]; - } SYSTEM_POWER_STATE_DISABLE_REASON, *PSYSTEM_POWER_STATE_DISABLE_REASON; - -// Reason Context -#define POWER_REQUEST_CONTEXT_NOT_SPECIFIED DIAGNOSTIC_REASON_NOT_SPECIFIED - - // wdm - typedef struct _COUNTED_REASON_CONTEXT - { - ULONG Version; - ULONG Flags; - union - { - struct - { - UNICODE_STRING ResourceFileName; - USHORT ResourceReasonId; - ULONG StringCount; - _Field_size_(StringCount) PUNICODE_STRING ReasonStrings; - }; - UNICODE_STRING SimpleString; - }; - } COUNTED_REASON_CONTEXT, *PCOUNTED_REASON_CONTEXT; - - typedef enum _POWER_REQUEST_TYPE_INTERNAL // POWER_REQUEST_TYPE - { - PowerRequestDisplayRequiredInternal, - PowerRequestSystemRequiredInternal, - PowerRequestAwayModeRequiredInternal, - PowerRequestExecutionRequiredInternal, // Windows 8+ - PowerRequestPerfBoostRequiredInternal, // Windows 8+ - PowerRequestActiveLockScreenInternal, // Windows 10 RS1+ (reserved on Windows 8) - // Values 6 and 7 are reserved for Windows 8 only - PowerRequestInternalInvalid, - PowerRequestInternalUnknown, - PowerRequestFullScreenVideoRequired // Windows 8 only - } POWER_REQUEST_TYPE_INTERNAL; - - typedef struct _POWER_REQUEST_ACTION - { - HANDLE PowerRequestHandle; - POWER_REQUEST_TYPE_INTERNAL RequestType; - BOOLEAN SetAction; - HANDLE ProcessHandle; // Windows 8+ and only for requests created via PlmPowerRequestCreate - } POWER_REQUEST_ACTION, *PPOWER_REQUEST_ACTION; - - typedef union _POWER_STATE - { - SYSTEM_POWER_STATE SystemState; - DEVICE_POWER_STATE DeviceState; - } POWER_STATE, *PPOWER_STATE; - - typedef enum _POWER_STATE_TYPE - { - SystemPowerState = 0, - 
DevicePowerState - } POWER_STATE_TYPE, - *PPOWER_STATE_TYPE; - - // wdm - typedef struct _SYSTEM_POWER_STATE_CONTEXT - { - union - { - struct - { - ULONG Reserved1 : 8; - ULONG TargetSystemState : 4; - ULONG EffectiveSystemState : 4; - ULONG CurrentSystemState : 4; - ULONG IgnoreHibernationPath : 1; - ULONG PseudoTransition : 1; - ULONG KernelSoftReboot : 1; - ULONG DirectedDripsTransition : 1; - ULONG Reserved2 : 8; - }; - ULONG ContextAsUlong; - }; - } SYSTEM_POWER_STATE_CONTEXT, *PSYSTEM_POWER_STATE_CONTEXT; - - typedef enum _REQUESTER_TYPE - { - KernelRequester = 0, - UserProcessRequester = 1, - UserSharedServiceRequester = 2 - } REQUESTER_TYPE; - - typedef struct _COUNTED_REASON_CONTEXT_RELATIVE - { - ULONG Flags; - union - { - struct - { - SIZE_T ResourceFileNameOffset; - USHORT ResourceReasonId; - ULONG StringCount; - SIZE_T SubstitutionStringsOffset; - } DUMMYSTRUCTNAME; - SIZE_T SimpleStringOffset; - } DUMMYUNIONNAME; - } COUNTED_REASON_CONTEXT_RELATIVE, *PCOUNTED_REASON_CONTEXT_RELATIVE; - - typedef struct _DIAGNOSTIC_BUFFER - { - SIZE_T Size; - REQUESTER_TYPE CallerType; - union - { - struct - { - SIZE_T ProcessImageNameOffset; // PWSTR - ULONG ProcessId; - ULONG ServiceTag; - } DUMMYSTRUCTNAME; - struct - { - SIZE_T DeviceDescriptionOffset; // PWSTR - SIZE_T DevicePathOffset; // PWSTR - } DUMMYSTRUCTNAME; - } DUMMYUNIONNAME; - SIZE_T ReasonOffset; // PCOUNTED_REASON_CONTEXT_RELATIVE - } DIAGNOSTIC_BUFFER, *PDIAGNOSTIC_BUFFER; - - typedef struct _WAKE_TIMER_INFO - { - SIZE_T OffsetToNext; - LARGE_INTEGER DueTime; - ULONG Period; - DIAGNOSTIC_BUFFER ReasonContext; - } WAKE_TIMER_INFO, *PWAKE_TIMER_INFO; - - // rev - typedef struct _PROCESSOR_PERF_CAP_HV - { - ULONG Version; - ULONG InitialApicId; - ULONG Ppc; - ULONG Tpc; - ULONG ThermalCap; - } PROCESSOR_PERF_CAP_HV, *PPROCESSOR_PERF_CAP_HV; - - typedef struct PROCESSOR_IDLE_TIMES - { - ULONG64 StartTime; - ULONG64 EndTime; - ULONG Reserved[4]; - } PROCESSOR_IDLE_TIMES, *PPROCESSOR_IDLE_TIMES; - - 
_Function_class_(PROCESSOR_IDLE_HANDLER) typedef NTSTATUS(FASTCALL PROCESSOR_IDLE_HANDLER)( - _In_ ULONG_PTR Context, - _Inout_ PPROCESSOR_IDLE_TIMES IdleTimes); - - typedef PROCESSOR_IDLE_HANDLER *PPROCESSOR_IDLE_HANDLER; - -#define PROCESSOR_STATE_TYPE_PERFORMANCE 0x1 -#define PROCESSOR_STATE_TYPE_THROTTLE 0x2 - -#define IDLE_STATE_FLAGS_C1_HLT 0x01 // describes C1 only -#define IDLE_STATE_FLAGS_C1_IO_HLT 0x02 // describes C1 only -#define IDLE_STATE_FLAGS_IO 0x04 // describes C2 and C3 only -#define IDLE_STATE_FLAGS_MWAIT 0x08 // describes C1, C2, C3, C4, ... - - typedef struct _PROCESSOR_IDLE_STATE - { - UCHAR StateType; - ULONG StateFlags; - ULONG HardwareLatency; - ULONG Power; - ULONG_PTR Context; - PPROCESSOR_IDLE_HANDLER Handler; - } PROCESSOR_IDLE_STATE, *PPROCESSOR_IDLE_STATE; - - typedef struct _PROCESSOR_IDLE_STATES - { - ULONG Size; - ULONG Revision; - ULONG Count; - ULONG Type; - KAFFINITY TargetProcessors; - PROCESSOR_IDLE_STATE State[ANYSIZE_ARRAY]; - } PROCESSOR_IDLE_STATES, *PPROCESSOR_IDLE_STATES; - // - // #define PROCESSOR_IDLESTATE_POLICY_COUNT 0x3 - // - // typedef struct - //{ - // ULONG TimeCheck; - // UCHAR DemotePercent; - // UCHAR PromotePercent; - // UCHAR Spare[2]; - //} PROCESSOR_IDLESTATE_INFO, *PPROCESSOR_IDLESTATE_INFO; - // - // typedef struct - //{ - // USHORT Revision; - // union - // { - // USHORT AsUSHORT; - // struct - // { - // USHORT AllowScaling : 1; - // USHORT Disabled : 1; - // USHORT Reserved : 14; - // } DUMMYSTRUCTNAME; - // } Flags; - // - // ULONG PolicyCount; - // PROCESSOR_IDLESTATE_INFO Policy[PROCESSOR_IDLESTATE_POLICY_COUNT]; - //} PROCESSOR_IDLESTATE_POLICY, *PPROCESSOR_IDLESTATE_POLICY; - - // rev - typedef struct _PROCESSOR_LOAD - { - PROCESSOR_NUMBER ProcessorNumber; - UCHAR BusyPercentage; - UCHAR FrequencyPercentage; - USHORT Padding; - } PROCESSOR_LOAD, *PPROCESSOR_LOAD; - - // rev - typedef struct _PROCESSOR_CAP - { - ULONG Version; - PROCESSOR_NUMBER ProcessorNumber; - ULONG PlatformCap; - ULONG 
ThermalCap; - ULONG LimitReasons; - } PROCESSOR_CAP, *PPROCESSOR_CAP; - - typedef struct _PO_WAKE_SOURCE_INFO - { - ULONG Count; - ULONG Offsets[ANYSIZE_ARRAY]; // POWER_WAKE_SOURCE_HEADER, POWER_WAKE_SOURCE_INTERNAL, POWER_WAKE_SOURCE_TIMER, POWER_WAKE_SOURCE_FIXED - } PO_WAKE_SOURCE_INFO, *PPO_WAKE_SOURCE_INFO; - - typedef struct _PO_WAKE_SOURCE_HISTORY - { - ULONG Count; - ULONG Offsets[ANYSIZE_ARRAY]; // POWER_WAKE_SOURCE_HEADER, POWER_WAKE_SOURCE_INTERNAL, POWER_WAKE_SOURCE_TIMER, POWER_WAKE_SOURCE_FIXED - } PO_WAKE_SOURCE_HISTORY, *PPO_WAKE_SOURCE_HISTORY; - - typedef enum _PO_WAKE_SOURCE_TYPE - { - DeviceWakeSourceType = 0, - FixedWakeSourceType = 1, - TimerWakeSourceType = 2, - TimerPresumedWakeSourceType = 3, - InternalWakeSourceType = 4 - } PO_WAKE_SOURCE_TYPE, - *PPO_WAKE_SOURCE_TYPE; - - typedef enum _PO_INTERNAL_WAKE_SOURCE_TYPE - { - InternalWakeSourceDozeToHibernate = 0, - InternalWakeSourcePredictedUserPresence = 1 - } PO_INTERNAL_WAKE_SOURCE_TYPE; - - typedef enum _PO_FIXED_WAKE_SOURCE_TYPE - { - FixedWakeSourcePowerButton = 0, - FixedWakeSourceSleepButton = 1, - FixedWakeSourceRtc = 2, - FixedWakeSourceDozeToHibernate = 3 - } PO_FIXED_WAKE_SOURCE_TYPE, - *PPO_FIXED_WAKE_SOURCE_TYPE; - - typedef struct _PO_WAKE_SOURCE_HEADER - { - PO_WAKE_SOURCE_TYPE Type; - ULONG Size; - } PO_WAKE_SOURCE_HEADER, *PPO_WAKE_SOURCE_HEADER; - - typedef struct _PO_WAKE_SOURCE_DEVICE - { - PO_WAKE_SOURCE_HEADER Header; - WCHAR InstancePath[ANYSIZE_ARRAY]; - } PO_WAKE_SOURCE_DEVICE, *PPO_WAKE_SOURCE_DEVICE; - - typedef struct _PO_WAKE_SOURCE_FIXED - { - PO_WAKE_SOURCE_HEADER Header; - PO_FIXED_WAKE_SOURCE_TYPE FixedWakeSourceType; - } PO_WAKE_SOURCE_FIXED, *PPO_WAKE_SOURCE_FIXED; - - typedef struct _PO_WAKE_SOURCE_INTERNAL - { - PO_WAKE_SOURCE_HEADER Header; - PO_INTERNAL_WAKE_SOURCE_TYPE InternalWakeSourceType; - } PO_WAKE_SOURCE_INTERNAL, *PPO_WAKE_SOURCE_INTERNAL; - - typedef struct _PO_WAKE_SOURCE_TIMER - { - PO_WAKE_SOURCE_HEADER Header; - DIAGNOSTIC_BUFFER Reason; 
- } PO_WAKE_SOURCE_TIMER, *PPO_WAKE_SOURCE_TIMER; - -// The number of supported request types per version -#define POWER_REQUEST_SUPPORTED_TYPES_V1 3 // Windows 7 -#define POWER_REQUEST_SUPPORTED_TYPES_V2 9 // Windows 8 -#define POWER_REQUEST_SUPPORTED_TYPES_V3 5 // Windows 8.1 and Windows 10 TH1-TH2 -#define POWER_REQUEST_SUPPORTED_TYPES_V4 6 // Windows 10 RS1+ - - typedef struct _POWER_REQUEST - { - union - { - struct - { - ULONG SupportedRequestMask; - ULONG PowerRequestCount[POWER_REQUEST_SUPPORTED_TYPES_V1]; - DIAGNOSTIC_BUFFER DiagnosticBuffer; - } V1; -#if (PHNT_VERSION >= PHNT_WIN8) - struct - { - ULONG SupportedRequestMask; - ULONG PowerRequestCount[POWER_REQUEST_SUPPORTED_TYPES_V2]; - DIAGNOSTIC_BUFFER DiagnosticBuffer; - } V2; -#endif -#if (PHNT_VERSION >= PHNT_WINBLUE) - struct - { - ULONG SupportedRequestMask; - ULONG PowerRequestCount[POWER_REQUEST_SUPPORTED_TYPES_V3]; - DIAGNOSTIC_BUFFER DiagnosticBuffer; - } V3; -#endif -#if (PHNT_VERSION >= PHNT_REDSTONE) - struct - { - ULONG SupportedRequestMask; - ULONG PowerRequestCount[POWER_REQUEST_SUPPORTED_TYPES_V4]; - DIAGNOSTIC_BUFFER DiagnosticBuffer; - } V4; -#endif - }; - } POWER_REQUEST, *PPOWER_REQUEST; - - typedef struct _POWER_REQUEST_LIST - { - ULONG_PTR Count; - ULONG_PTR PowerRequestOffsets[ANYSIZE_ARRAY]; // PPOWER_REQUEST - } POWER_REQUEST_LIST, *PPOWER_REQUEST_LIST; - - typedef enum _POWER_STATE_HANDLER_TYPE - { - PowerStateSleeping1 = 0, - PowerStateSleeping2 = 1, - PowerStateSleeping3 = 2, - PowerStateSleeping4 = 3, - PowerStateShutdownOff = 4, - PowerStateShutdownReset = 5, - PowerStateSleeping4Firmware = 6, - PowerStateMaximum = 7 - } POWER_STATE_HANDLER_TYPE, - *PPOWER_STATE_HANDLER_TYPE; - - typedef NTSTATUS(NTAPI *PENTER_STATE_SYSTEM_HANDLER)( - _In_ PVOID SystemContext); - - typedef NTSTATUS(NTAPI *PENTER_STATE_HANDLER)( - _In_ PVOID Context, - _In_opt_ PENTER_STATE_SYSTEM_HANDLER SystemHandler, - _In_ PVOID SystemContext, - _In_ LONG NumberProcessors, - _In_ LONG volatile *Number); - 
- typedef struct _POWER_STATE_HANDLER - { - POWER_STATE_HANDLER_TYPE Type; - BOOLEAN RtcWake; - UCHAR Spare[3]; - PENTER_STATE_HANDLER Handler; - PVOID Context; - } POWER_STATE_HANDLER, *PPOWER_STATE_HANDLER; - - typedef NTSTATUS(NTAPI *PENTER_STATE_NOTIFY_HANDLER)( - _In_ POWER_STATE_HANDLER_TYPE State, - _In_ PVOID Context, - _In_ BOOLEAN Entering); - - typedef struct _POWER_STATE_NOTIFY_HANDLER - { - PENTER_STATE_NOTIFY_HANDLER Handler; - PVOID Context; - } POWER_STATE_NOTIFY_HANDLER, *PPOWER_STATE_NOTIFY_HANDLER; - - typedef struct _POWER_REQUEST_ACTION_INTERNAL - { - PVOID PowerRequestPointer; - POWER_REQUEST_TYPE_INTERNAL RequestType; - BOOLEAN SetAction; - } POWER_REQUEST_ACTION_INTERNAL, *PPOWER_REQUEST_ACTION_INTERNAL; - - typedef enum _POWER_INFORMATION_LEVEL_INTERNAL - { - PowerInternalAcpiInterfaceRegister, - PowerInternalS0LowPowerIdleInfo, // POWER_S0_LOW_POWER_IDLE_INFO - PowerInternalReapplyBrightnessSettings, - PowerInternalUserAbsencePrediction, // POWER_USER_ABSENCE_PREDICTION - PowerInternalUserAbsencePredictionCapability, // POWER_USER_ABSENCE_PREDICTION_CAPABILITY - PowerInternalPoProcessorLatencyHint, // POWER_PROCESSOR_LATENCY_HINT - PowerInternalStandbyNetworkRequest, // POWER_STANDBY_NETWORK_REQUEST (requires PopNetBIServiceSid) - PowerInternalDirtyTransitionInformation, // out: BOOLEAN - PowerInternalSetBackgroundTaskState, // POWER_SET_BACKGROUND_TASK_STATE - PowerInternalTtmOpenTerminal, // (requires SeShutdownPrivilege and terminalPowerManagement capability) - PowerInternalTtmCreateTerminal, // (requires SeShutdownPrivilege and terminalPowerManagement capability) // 10 - PowerInternalTtmEvacuateDevices, // (requires SeShutdownPrivilege and terminalPowerManagement capability) - PowerInternalTtmCreateTerminalEventQueue, // (requires SeShutdownPrivilege and terminalPowerManagement capability) - PowerInternalTtmGetTerminalEvent, // (requires SeShutdownPrivilege and terminalPowerManagement capability) - 
PowerInternalTtmSetDefaultDeviceAssignment, // (requires SeShutdownPrivilege and terminalPowerManagement capability) - PowerInternalTtmAssignDevice, // (requires SeShutdownPrivilege and terminalPowerManagement capability) - PowerInternalTtmSetDisplayState, // (requires SeShutdownPrivilege and terminalPowerManagement capability) - PowerInternalTtmSetDisplayTimeouts, // (requires SeShutdownPrivilege and terminalPowerManagement capability) - PowerInternalBootSessionStandbyActivationInformation, // out: POWER_BOOT_SESSION_STANDBY_ACTIVATION_INFO - PowerInternalSessionPowerState, // in: POWER_SESSION_POWER_STATE - PowerInternalSessionTerminalInput, // 20 - PowerInternalSetWatchdog, - PowerInternalPhysicalPowerButtonPressInfoAtBoot, - PowerInternalExternalMonitorConnected, - PowerInternalHighPrecisionBrightnessSettings, - PowerInternalWinrtScreenToggle, - PowerInternalPpmQosDisable, - PowerInternalTransitionCheckpoint, - PowerInternalInputControllerState, - PowerInternalFirmwareResetReason, - PowerInternalPpmSchedulerQosSupport, // out: POWER_INTERNAL_PROCESSOR_QOS_SUPPORT // 30 - PowerInternalBootStatGet, - PowerInternalBootStatSet, - PowerInternalCallHasNotReturnedWatchdog, - PowerInternalBootStatCheckIntegrity, - PowerInternalBootStatRestoreDefaults, // in: void - PowerInternalHostEsStateUpdate, // in: POWER_INTERNAL_HOST_ENERGY_SAVER_STATE - PowerInternalGetPowerActionState, // out: ULONG - PowerInternalBootStatUnlock, - PowerInternalWakeOnVoiceState, - PowerInternalDeepSleepBlock, // 40 - PowerInternalIsPoFxDevice, - PowerInternalPowerTransitionExtensionAtBoot, - PowerInternalProcessorBrandedFrequency, // in: POWER_INTERNAL_PROCESSOR_BRANDED_FREQENCY_INPUT, out: POWER_INTERNAL_PROCESSOR_BRANDED_FREQENCY_OUTPUT - PowerInternalTimeBrokerExpirationReason, - PowerInternalNotifyUserShutdownStatus, - PowerInternalPowerRequestTerminalCoreWindow, - PowerInternalProcessorIdleVeto, // PROCESSOR_IDLE_VETO - PowerInternalPlatformIdleVeto, // PLATFORM_IDLE_VETO - 
PowerInternalIsLongPowerButtonBugcheckEnabled, - PowerInternalAutoChkCausedReboot, // 50 - PowerInternalSetWakeAlarmOverride, - - PowerInternalDirectedFxAddTestDevice = 53, - PowerInternalDirectedFxRemoveTestDevice, - - PowerInternalDirectedFxSetMode = 56, - PowerInternalRegisterPowerPlane, - PowerInternalSetDirectedDripsFlags, - PowerInternalClearDirectedDripsFlags, - PowerInternalRetrieveHiberFileResumeContext, // 60 - PowerInternalReadHiberFilePage, - PowerInternalLastBootSucceeded, // out: BOOLEAN - PowerInternalQuerySleepStudyHelperRoutineBlock, - PowerInternalDirectedDripsQueryCapabilities, - PowerInternalClearConstraints, - PowerInternalSoftParkVelocityEnabled, - PowerInternalQueryIntelPepCapabilities, - PowerInternalGetSystemIdleLoopEnablement, // since WIN11 - PowerInternalGetVmPerfControlSupport, - PowerInternalGetVmPerfControlConfig, // 70 - PowerInternalSleepDetailedDiagUpdate, - PowerInternalProcessorClassFrequencyBandsStats, - PowerInternalHostGlobalUserPresenceStateUpdate, - PowerInternalCpuNodeIdleIntervalStats, - PowerInternalClassIdleIntervalStats, - PowerInternalCpuNodeConcurrencyStats, - PowerInternalClassConcurrencyStats, - PowerInternalQueryProcMeasurementCapabilities, // PPROCESSOR_QUERY_MEASUREMENT_CAPABILITIES - PowerInternalQueryProcMeasurementValues, // PROCESSOR_QUERY_MEASUREMENT_VALUES - PowerInternalPrepareForSystemInitiatedReboot, // 80 - PowerInternalGetAdaptiveSessionState, - PowerInternalSetConsoleLockedState, - PowerInternalOverrideSystemInitiatedRebootState, - PowerInternalFanImpactStats, - PowerInternalFanRpmBuckets, - PowerInternalPowerBootAppDiagInfo, // out: POWER_INTERNAL_BOOTAPP_DIAGNOSTIC - PowerInternalUnregisterShutdownNotification, // since 22H1 - PowerInternalManageTransitionStateRecord, - PowerInternalGetAcpiTimeAndAlarmCapabilities, // since 22H2 - PowerInternalSuspendResumeRequest, - PowerInternalEnergyEstimationInfo, // since 23H2 - PowerInternalProvSocIdentifierOperation, // since 24H2 - 
PowerInternalGetVmPerfPrioritySupport, - PowerInternalGetVmPerfPriorityConfig, - PowerInternalNotifyWin32kPowerRequestQueued, - PowerInternalNotifyWin32kPowerRequestCompleted, - PowerInformationInternalMaximum - } POWER_INFORMATION_LEVEL_INTERNAL; - - typedef enum _POWER_S0_DISCONNECTED_REASON - { - PoS0DisconnectedReasonNone, - PoS0DisconnectedReasonNonCompliantNic, - PoS0DisconnectedReasonSettingPolicy, - PoS0DisconnectedReasonEnforceDsPolicy, - PoS0DisconnectedReasonCsChecksFailed, - PoS0DisconnectedReasonSmartStandby, - PoS0DisconnectedReasonMaximum - } POWER_S0_DISCONNECTED_REASON; - - typedef struct _POWER_S0_LOW_POWER_IDLE_INFO - { - POWER_S0_DISCONNECTED_REASON DisconnectedReason; - union - { - BOOLEAN Storage : 1; - BOOLEAN WiFi : 1; - BOOLEAN Mbn : 1; - BOOLEAN Ethernet : 1; - BOOLEAN Reserved : 4; - UCHAR AsUCHAR; - } CsDeviceCompliance; - union - { - BOOLEAN DisconnectInStandby : 1; - BOOLEAN EnforceDs : 1; - BOOLEAN Reserved : 6; - UCHAR AsUCHAR; - } Policy; - } POWER_S0_LOW_POWER_IDLE_INFO, *PPOWER_S0_LOW_POWER_IDLE_INFO; - - typedef struct _POWER_INFORMATION_INTERNAL_HEADER - { - POWER_INFORMATION_LEVEL_INTERNAL InternalType; - ULONG Version; - } POWER_INFORMATION_INTERNAL_HEADER, *PPOWER_INFORMATION_INTERNAL_HEADER; - - typedef struct _POWER_USER_ABSENCE_PREDICTION - { - POWER_INFORMATION_INTERNAL_HEADER Header; - LARGE_INTEGER ReturnTime; - } POWER_USER_ABSENCE_PREDICTION, *PPOWER_USER_ABSENCE_PREDICTION; - - typedef struct _POWER_USER_ABSENCE_PREDICTION_CAPABILITY - { - BOOLEAN AbsencePredictionCapability; - } POWER_USER_ABSENCE_PREDICTION_CAPABILITY, *PPOWER_USER_ABSENCE_PREDICTION_CAPABILITY; - - // rev - typedef struct _POWER_PROCESSOR_LATENCY_HINT - { - POWER_INFORMATION_INTERNAL_HEADER PowerInformationInternalHeader; - ULONG Type; - } POWER_PROCESSOR_LATENCY_HINT, *PPOWER_PROCESSOR_LATENCY_HINT; - - // rev - typedef struct _POWER_STANDBY_NETWORK_REQUEST - { - POWER_INFORMATION_INTERNAL_HEADER PowerInformationInternalHeader; - BOOLEAN Active; 
- } POWER_STANDBY_NETWORK_REQUEST, *PPOWER_STANDBY_NETWORK_REQUEST; - - // rev - typedef struct _POWER_SET_BACKGROUND_TASK_STATE - { - POWER_INFORMATION_INTERNAL_HEADER PowerInformationInternalHeader; - BOOLEAN Engaged; - } POWER_SET_BACKGROUND_TASK_STATE, *PPOWER_SET_BACKGROUND_TASK_STATE; - - // rev - typedef struct _POWER_BOOT_SESSION_STANDBY_ACTIVATION_INFO - { - ULONG StandbyTotalTime; - ULONG DripsTotalTime; - ULONG ActivatorClientTotalActiveTime; - ULONG PerActivatorClientTotalActiveTime[98]; - } POWER_BOOT_SESSION_STANDBY_ACTIVATION_INFO, *PPOWER_BOOT_SESSION_STANDBY_ACTIVATION_INFO; - - // rev - typedef struct _POWER_SESSION_POWER_STATE - { - POWER_INFORMATION_INTERNAL_HEADER Header; - ULONG SessionId; - BOOLEAN On; - BOOLEAN IsConsole; - POWER_MONITOR_REQUEST_REASON RequestReason; - } POWER_SESSION_POWER_STATE, *PPOWER_SESSION_POWER_STATE; - - // rev - typedef struct _POWER_INTERNAL_PROCESSOR_QOS_SUPPORT - { - BOOLEAN QosSupportedAndConfigured; - BOOLEAN SchedulerDirectedPerfStatesSupported; - BOOLEAN QosGroupPolicyDisable; - } POWER_INTERNAL_PROCESSOR_QOS_SUPPORT, *PPOWER_INTERNAL_PROCESSOR_QOS_SUPPORT; - - // rev - typedef struct _POWER_INTERNAL_HOST_ENERGY_SAVER_STATE - { - POWER_INFORMATION_INTERNAL_HEADER Header; - BOOLEAN EsEnabledOnHost; - } POWER_INTERNAL_HOST_ENERGY_SAVER_STATE, *PPOWER_INTERNAL_HOST_ENERGY_SAVER_STATE; - - // rev - typedef struct _POWER_INTERNAL_PROCESSOR_BRANDED_FREQUENCY_INPUT - { - POWER_INFORMATION_LEVEL_INTERNAL InternalType; - PROCESSOR_NUMBER ProcessorNumber; // ULONG_MAX - } POWER_INTERNAL_PROCESSOR_BRANDED_FREQUENCY_INPUT, *PPOWER_INTERNAL_PROCESSOR_BRANDED_FREQUENCY_INPUT; - -#define POWER_INTERNAL_PROCESSOR_BRANDED_FREQUENCY_VERSION 1 - - // rev - typedef struct _POWER_INTERNAL_PROCESSOR_BRANDED_FREQUENCY_OUTPUT - { - ULONG Version; - ULONG NominalFrequency; // if (Domain) Prcb->PowerState.CheckContext.Domain.NominalFrequency else Prcb->MHz - } POWER_INTERNAL_PROCESSOR_BRANDED_FREQUENCY_OUTPUT, 
*PPOWER_INTERNAL_PROCESSOR_BRANDED_FREQUENCY_OUTPUT; - - // rev - typedef struct _PROCESSOR_IDLE_VETO - { - ULONG Version; - PROCESSOR_NUMBER ProcessorNumber; - ULONG StateIndex; - ULONG VetoReason; - UCHAR Increment; - } PROCESSOR_IDLE_VETO, *PPROCESSOR_IDLE_VETO; - - // rev - typedef struct _PLATFORM_IDLE_VETO - { - ULONG Version; - ULONG StateIndex; - ULONG VetoReason; - UCHAR Increment; - } PLATFORM_IDLE_VETO, *PPLATFORM_IDLE_VETO; - - // rev - typedef struct _POWER_INTERNAL_BOOTAPP_DIAGNOSTIC - { - ULONG BootAppErrorDiagCode; // bcdedit last status - ULONG BootAppFailureStatus; // bcdedit last status - } POWER_INTERNAL_BOOTAPP_DIAGNOSTIC, *PPOWER_INTERNAL_BOOTAPP_DIAGNOSTIC; - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - /** - * The NtPowerInformation routine sets or retrieves system power information. - * - * @param InformationLevel Specifies the requested information level, which indicates the specific power information to be set or retrieved. - * @param InputBuffer Optional pointer to a caller-allocated input buffer. - * @param InputBufferLength Size, in bytes, of the buffer at InputBuffer. - * @param OutputBuffer Optional pointer to an output buffer. The type depends on the InformationLevel requested. - * @param OutputBufferLength Size, in bytes, of the output buffer. - * @return Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtPowerInformation( - _In_ POWER_INFORMATION_LEVEL InformationLevel, - _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, - _In_ ULONG InputBufferLength, - _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer, - _In_ ULONG OutputBufferLength); -#endif - - /** - * Enables an application to inform the system that it is in use, - * thereby preventing the system from entering sleep or turning off the display while the application is running. - * - * @param NewFlags New execution state flags. - * @param PreviousFlags Pointer to receive the previous execution state flags. 
- * @return Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetThreadExecutionState( - _In_ EXECUTION_STATE NewFlags, // ES_* flags - _Out_ EXECUTION_STATE *PreviousFlags); - -#if (PHNT_VERSION < PHNT_WIN7) - /** - * Requests the system resume latency. - * - * @param latency The desired latency time. - * @return Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtRequestWakeupLatency( - _In_ LATENCY_TIME latency); -#endif - - /** - * Initiates a power action of the current system. - * - * @param SystemAction The system power action. - * @param LightestSystemState The lightest system power state. - * @param Flags Flags for the power action. - * @param Asynchronous Whether the action is asynchronous. - * @return Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtInitiatePowerAction( - _In_ POWER_ACTION SystemAction, - _In_ SYSTEM_POWER_STATE LightestSystemState, - _In_ ULONG Flags, // POWER_ACTION_* flags - _In_ BOOLEAN Asynchronous); - - /** - * Initiates a power action of the current system. Depending on the Flags parameter, the function either - * suspends operation immediately or requests permission from all applications and device drivers before doing so. - * - * @param SystemAction The system power action. - * @param LightestSystemState The lightest system power state. - * @param Flags Flags for the power action. - * @return Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetSystemPowerState( - _In_ POWER_ACTION SystemAction, - _In_ SYSTEM_POWER_STATE LightestSystemState, - _In_ ULONG Flags // POWER_ACTION_* flags - ); - - /** - * Retrieves the current power state of the specified device. This function cannot be used to query the power state of a display device. - * - * @param Device A handle to an object on the device, such as a file or socket, or a handle to the device itself. - * @param State A pointer to the variable that receives the power state. 
- * @return Successful or errant status. - * @remarks An application can use NtGetDevicePowerState to determine whether a device is in the working state or a low-power state. - * If the device is in a low-power state, accessing the device may cause it to either queue or fail any I/O requests, or transition the device into the working state. - * The exact behavior depends on the implementation of the device. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtGetDevicePowerState( - _In_ HANDLE Device, - _Out_ PDEVICE_POWER_STATE State); - - /** - * Checks if the system resume is automatic. - * - * @return BOOLEAN TRUE if the system resume is automatic, FALSE otherwise. - */ - NTSYSCALLAPI - BOOLEAN - NTAPI - NtIsSystemResumeAutomatic( - VOID); - -#endif - /* - * Registry support functions - * - * This file is part of System Informer. - */ - -#ifndef _NTREGAPI_H -#define _NTREGAPI_H - - // Boot condition flags (NtInitializeRegistry) - -#define REG_INIT_BOOT_SM 0x0000 -#define REG_INIT_BOOT_SETUP 0x0001 -#define REG_INIT_BOOT_ACCEPTED_BASE 0x0002 -#define REG_INIT_BOOT_ACCEPTED_MAX REG_INIT_BOOT_ACCEPTED_BASE + 999 - -#define REG_MAX_KEY_VALUE_NAME_LENGTH 32767 -#define REG_MAX_KEY_NAME_LENGTH 512 - - typedef enum _KEY_INFORMATION_CLASS - { - KeyBasicInformation, // KEY_BASIC_INFORMATION - KeyNodeInformation, // KEY_NODE_INFORMATION - KeyFullInformation, // KEY_FULL_INFORMATION - KeyNameInformation, // KEY_NAME_INFORMATION - KeyCachedInformation, // KEY_CACHED_INFORMATION - KeyFlagsInformation, // KEY_FLAGS_INFORMATION - KeyVirtualizationInformation, // KEY_VIRTUALIZATION_INFORMATION - KeyHandleTagsInformation, // KEY_HANDLE_TAGS_INFORMATION - KeyTrustInformation, // KEY_TRUST_INFORMATION - KeyLayerInformation, // KEY_LAYER_INFORMATION - MaxKeyInfoClass - } KEY_INFORMATION_CLASS; - - typedef struct _KEY_BASIC_INFORMATION - { - LARGE_INTEGER LastWriteTime; - ULONG TitleIndex; - ULONG NameLength; - _Field_size_bytes_(NameLength) WCHAR Name[1]; - } KEY_BASIC_INFORMATION, 
*PKEY_BASIC_INFORMATION; - - typedef struct _KEY_NODE_INFORMATION - { - LARGE_INTEGER LastWriteTime; - ULONG TitleIndex; - ULONG ClassOffset; - ULONG ClassLength; - ULONG NameLength; - _Field_size_bytes_(NameLength) WCHAR Name[1]; - // ... - // WCHAR Class[1]; - } KEY_NODE_INFORMATION, *PKEY_NODE_INFORMATION; - - typedef struct _KEY_FULL_INFORMATION - { - LARGE_INTEGER LastWriteTime; - ULONG TitleIndex; - ULONG ClassOffset; - ULONG ClassLength; - ULONG SubKeys; - ULONG MaxNameLength; - ULONG MaxClassLength; - ULONG Values; - ULONG MaxValueNameLength; - ULONG MaxValueDataLength; - WCHAR Class[1]; - } KEY_FULL_INFORMATION, *PKEY_FULL_INFORMATION; - - typedef struct _KEY_NAME_INFORMATION - { - ULONG NameLength; - _Field_size_bytes_(NameLength) WCHAR Name[1]; - } KEY_NAME_INFORMATION, *PKEY_NAME_INFORMATION; - - typedef struct _KEY_CACHED_INFORMATION - { - LARGE_INTEGER LastWriteTime; - ULONG TitleIndex; - ULONG SubKeys; - ULONG MaxNameLength; - ULONG Values; - ULONG MaxValueNameLength; - ULONG MaxValueDataLength; - ULONG NameLength; - _Field_size_bytes_(NameLength) WCHAR Name[1]; - } KEY_CACHED_INFORMATION, *PKEY_CACHED_INFORMATION; - -// rev -#define REG_FLAG_VOLATILE 0x0001 -#define REG_FLAG_LINK 0x0002 - -// msdn -#define REG_KEY_DONT_VIRTUALIZE 0x0002 -#define REG_KEY_DONT_SILENT_FAIL 0x0004 -#define REG_KEY_RECURSE_FLAG 0x0008 - - // private - typedef struct _KEY_FLAGS_INFORMATION - { - ULONG Wow64Flags; - ULONG KeyFlags; // REG_FLAG_* - ULONG ControlFlags; // REG_KEY_* - } KEY_FLAGS_INFORMATION, *PKEY_FLAGS_INFORMATION; - - /** - * The KEY_VIRTUALIZATION_INFORMATION structure contains information about the virtualization state of a key. - * - * The flags include: - * - VirtualizationCandidate: The key is part of the virtualization namespace scope (only HKLM\Software for now). - * - VirtualizationEnabled: Virtualization is enabled on this key. Can be 1 only if VirtualizationCandidate is 1. - * - VirtualTarget: The key is a virtual key. 
Can be 1 only if VirtualizationCandidate and VirtualizationEnabled are 0. Valid only on the virtual store key handles. - * - VirtualStore: The key is a part of the virtual store path. Valid only on the virtual store key handles. - * - VirtualSource: The key has ever been virtualized, can be 1 only if VirtualizationCandidate is 1. - * - Reserved: Reserved bits. - */ - typedef struct _KEY_VIRTUALIZATION_INFORMATION - { - ULONG VirtualizationCandidate : 1; - ULONG VirtualizationEnabled : 1; - ULONG VirtualTarget : 1; - ULONG VirtualStore : 1; - ULONG VirtualSource : 1; - ULONG Reserved : 27; - } KEY_VIRTUALIZATION_INFORMATION, *PKEY_VIRTUALIZATION_INFORMATION; - - // private - /** - * The KEY_TRUST_INFORMATION structure contains information about the trust status of a key. - * - * The flags include: - * - TrustedKey: Indicates whether the key is trusted. When set, this flag signifies that the key is considered - * to be secure and reliable. - * - Reserved: Reserved bits. - */ - typedef struct _KEY_TRUST_INFORMATION - { - ULONG TrustedKey : 1; - ULONG Reserved : 31; - } KEY_TRUST_INFORMATION, *PKEY_TRUST_INFORMATION; - - // private - /** - * The KEY_LAYER_INFORMATION structure contains information about a key layer. - * - * The flags include: - * - IsTombstone: Indicates whether the key layer is a tombstone. A tombstone is a marker that indicates - * that the key has been deleted but not yet purged from the registry. It is used to maintain the - * integrity of the registry and ensure that deleted keys are not immediately reused. - * - IsSupersedeLocal: Indicates whether the key layer supersedes the local key. When set, this flag - * indicates that the key layer should replace the local key's information, effectively overriding - * any local changes or settings. - * - IsSupersedeTree: Indicates whether the key layer supersedes the entire key tree. 
When set, this flag - * indicates that the key layer should replace the entire subtree of keys, overriding any changes or - * settings in the subtree. - * - ClassIsInherited: Indicates whether the key layer's class is inherited. When set, this flag indicates - * that the class information of the key layer is inherited from its parent key, rather than being - * explicitly defined. - * - Reserved: Reserved bits. - */ - typedef struct _KEY_LAYER_INFORMATION - { - ULONG IsTombstone : 1; - ULONG IsSupersedeLocal : 1; - ULONG IsSupersedeTree : 1; - ULONG ClassIsInherited : 1; - ULONG Reserved : 28; - } KEY_LAYER_INFORMATION, *PKEY_LAYER_INFORMATION; - - typedef enum _KEY_SET_INFORMATION_CLASS - { - KeyWriteTimeInformation, // KEY_WRITE_TIME_INFORMATION - KeyWow64FlagsInformation, // KEY_WOW64_FLAGS_INFORMATION - KeyControlFlagsInformation, // KEY_CONTROL_FLAGS_INFORMATION - KeySetVirtualizationInformation, // KEY_SET_VIRTUALIZATION_INFORMATION - KeySetDebugInformation, - KeySetHandleTagsInformation, // KEY_HANDLE_TAGS_INFORMATION - KeySetLayerInformation, // KEY_SET_LAYER_INFORMATION - MaxKeySetInfoClass - } KEY_SET_INFORMATION_CLASS; - - /** - * Structure representing the last write time of a registry key. - * - * The values include: - * - LastWriteTime: Contains the timestamp of the last write operation performed on a registry key. - */ - typedef struct _KEY_WRITE_TIME_INFORMATION - { - LARGE_INTEGER LastWriteTime; - } KEY_WRITE_TIME_INFORMATION, *PKEY_WRITE_TIME_INFORMATION; - - /** - * The KEY_WOW64_FLAGS_INFORMATION structure contains information about the WOW64 flags for a key. - * - * The fields include: - * - UserFlags: A set of user-defined flags associated with the key. These flags are used to store - * additional information about the key in the context of WOW64 (Windows 32-bit on Windows 64-bit). 
- */ - typedef struct _KEY_WOW64_FLAGS_INFORMATION - { - ULONG UserFlags; - } KEY_WOW64_FLAGS_INFORMATION, *PKEY_WOW64_FLAGS_INFORMATION; - - /** - * The KEY_HANDLE_TAGS_INFORMATION structure contains information about the handle tags for a key. - * - * The fields include: - * - HandleTags: A set of tags associated with the key handle. These tags are used to store additional - * metadata or state information about the key handle. - */ - typedef struct _KEY_HANDLE_TAGS_INFORMATION - { - ULONG HandleTags; - } KEY_HANDLE_TAGS_INFORMATION, *PKEY_HANDLE_TAGS_INFORMATION; - - /** - * The KEY_SET_LAYER_INFORMATION structure contains information about a key layer. - * - * The flags include: - * - IsTombstone: Indicates whether the key layer is a tombstone. A tombstone is a marker that indicates - * that the key has been deleted but not yet purged from the registry. It is used to maintain the - * integrity of the registry and ensure that deleted keys are not immediately reused. - * - IsSupersedeLocal: Indicates whether the key layer supersedes the local key. When set, this flag - * indicates that the key layer should replace the local key's information, effectively overriding - * any local changes or settings. - * - IsSupersedeTree: Indicates whether the key layer supersedes the entire key tree. When set, this flag - * indicates that the key layer should replace the entire subtree of keys, overriding any changes or - * settings in the subtree. - * - ClassIsInherited: Indicates whether the key layer's class is inherited. When set, this flag indicates - * that the class information of the key layer is inherited from its parent key, rather than being - * explicitly defined. - * - Reserved: Reserved bits. 
- */ - typedef struct _KEY_SET_LAYER_INFORMATION - { - ULONG IsTombstone : 1; - ULONG IsSupersedeLocal : 1; - ULONG IsSupersedeTree : 1; - ULONG ClassIsInherited : 1; - ULONG Reserved : 28; - } KEY_SET_LAYER_INFORMATION, *PKEY_SET_LAYER_INFORMATION; - - /** - * The KEY_CONTROL_FLAGS_INFORMATION structure contains control flags for a key. - * - * The fields include: - * - ControlFlags: A set of control flags associated with the key. These flags are used to store - * additional control information about the key, which can affect its behavior or state. - */ - typedef struct _KEY_CONTROL_FLAGS_INFORMATION - { - ULONG ControlFlags; - } KEY_CONTROL_FLAGS_INFORMATION, *PKEY_CONTROL_FLAGS_INFORMATION; - - typedef struct _KEY_SET_VIRTUALIZATION_INFORMATION - { - ULONG VirtualTarget : 1; - ULONG VirtualStore : 1; - ULONG VirtualSource : 1; // true if key has been virtualized at least once - ULONG Reserved : 29; - } KEY_SET_VIRTUALIZATION_INFORMATION, *PKEY_SET_VIRTUALIZATION_INFORMATION; - - typedef enum _KEY_VALUE_INFORMATION_CLASS - { - KeyValueBasicInformation, // KEY_VALUE_BASIC_INFORMATION - KeyValueFullInformation, // KEY_VALUE_FULL_INFORMATION - KeyValuePartialInformation, // KEY_VALUE_PARTIAL_INFORMATION - KeyValueFullInformationAlign64, - KeyValuePartialInformationAlign64, // KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 - KeyValueLayerInformation, // KEY_VALUE_LAYER_INFORMATION - MaxKeyValueInfoClass - } KEY_VALUE_INFORMATION_CLASS; - - typedef struct _KEY_VALUE_BASIC_INFORMATION - { - ULONG TitleIndex; - ULONG Type; - ULONG NameLength; - _Field_size_bytes_(NameLength) WCHAR Name[1]; - } KEY_VALUE_BASIC_INFORMATION, *PKEY_VALUE_BASIC_INFORMATION; - - typedef struct _KEY_VALUE_FULL_INFORMATION - { - ULONG TitleIndex; - ULONG Type; - ULONG DataOffset; - ULONG DataLength; - ULONG NameLength; - _Field_size_bytes_(NameLength) WCHAR Name[1]; - // ... 
- // UCHAR Data[1]; - } KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION; - - typedef struct _KEY_VALUE_PARTIAL_INFORMATION - { - ULONG TitleIndex; - ULONG Type; - ULONG DataLength; - _Field_size_bytes_(DataLength) UCHAR Data[1]; - } KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION; - - typedef struct _KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 - { - ULONG Type; - ULONG DataLength; - _Field_size_bytes_(DataLength) UCHAR Data[1]; - } KEY_VALUE_PARTIAL_INFORMATION_ALIGN64, *PKEY_VALUE_PARTIAL_INFORMATION_ALIGN64; - - // private - typedef struct _KEY_VALUE_LAYER_INFORMATION - { - ULONG IsTombstone : 1; - ULONG Reserved : 31; - } KEY_VALUE_LAYER_INFORMATION, *PKEY_VALUE_LAYER_INFORMATION; - - // private - typedef enum _CM_EXTENDED_PARAMETER_TYPE - { - CmExtendedParameterInvalidType, - CmExtendedParameterTrustClassKey, - CmExtendedParameterEvent, - CmExtendedParameterFileAccessToken, - CmExtendedParameterMax, - } CM_EXTENDED_PARAMETER_TYPE; - -#define CM_EXTENDED_PARAMETER_TYPE_BITS 8 - - // private - typedef struct DECLSPEC_ALIGN(8) _CM_EXTENDED_PARAMETER - { - struct - { - ULONG64 Type : CM_EXTENDED_PARAMETER_TYPE_BITS; - ULONG64 Reserved : 64 - CM_EXTENDED_PARAMETER_TYPE_BITS; - }; - - union - { - ULONG64 ULong64; - PVOID Pointer; - SIZE_T Size; - HANDLE Handle; - ULONG ULong; - ACCESS_MASK AccessMask; - }; - } CM_EXTENDED_PARAMETER, *PCM_EXTENDED_PARAMETER; - - typedef struct _KEY_VALUE_ENTRY - { - PUNICODE_STRING ValueName; - ULONG DataLength; - ULONG DataOffset; - ULONG Type; - } KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY; - - typedef enum _REG_ACTION - { - KeyAdded, - KeyRemoved, - KeyModified - } REG_ACTION; - - typedef struct _REG_NOTIFY_INFORMATION - { - ULONG NextEntryOffset; - REG_ACTION Action; - ULONG KeyLength; - _Field_size_bytes_(KeyLength) WCHAR Key[1]; - } REG_NOTIFY_INFORMATION, *PREG_NOTIFY_INFORMATION; - - typedef struct _KEY_PID_ARRAY - { - HANDLE ProcessId; - UNICODE_STRING KeyName; - } KEY_PID_ARRAY, *PKEY_PID_ARRAY; - - typedef struct 
_KEY_OPEN_SUBKEYS_INFORMATION - { - ULONG Count; - KEY_PID_ARRAY KeyArray[1]; - } KEY_OPEN_SUBKEYS_INFORMATION, *PKEY_OPEN_SUBKEYS_INFORMATION; - -// -// Virtualization // since REDSTONE -// - -// rev -#define VR_DEVICE_NAME L"\\Device\\VRegDriver" - -// rev -#define IOCTL_VR_INITIALIZE_JOB_FOR_VREG CTL_CODE(FILE_DEVICE_UNKNOWN, 1, METHOD_BUFFERED, FILE_ANY_ACCESS) // in: VR_INITIALIZE_JOB_FOR_VREG -#define IOCTL_VR_LOAD_DIFFERENCING_HIVE CTL_CODE(FILE_DEVICE_UNKNOWN, 2, METHOD_BUFFERED, FILE_ANY_ACCESS) // in: VR_LOAD_DIFFERENCING_HIVE -#define IOCTL_VR_CREATE_NAMESPACE_NODE CTL_CODE(FILE_DEVICE_UNKNOWN, 3, METHOD_BUFFERED, FILE_ANY_ACCESS) // in: VR_CREATE_NAMESPACE_NODE -#define IOCTL_VR_MODIFY_FLAGS CTL_CODE(FILE_DEVICE_UNKNOWN, 4, METHOD_BUFFERED, FILE_ANY_ACCESS) // in: VR_MODIFY_FLAGS -#define IOCTL_VR_CREATE_MULTIPLE_NAMESPACE_NODES CTL_CODE(FILE_DEVICE_UNKNOWN, 5, METHOD_BUFFERED, FILE_ANY_ACCESS) // in: VR_CREATE_MULTIPLE_NAMESPACE_NODES -#define IOCTL_VR_UNLOAD_DYNAMICALLY_LOADED_HIVES CTL_CODE(FILE_DEVICE_UNKNOWN, 6, METHOD_BUFFERED, FILE_ANY_ACCESS) // in: VR_UNLOAD_DYNAMICALLY_LOADED_HIVES -#define IOCTL_VR_GET_VIRTUAL_ROOT_KEY CTL_CODE(FILE_DEVICE_UNKNOWN, 7, METHOD_BUFFERED, FILE_ANY_ACCESS) // in: VR_GET_VIRTUAL_ROOT; out: VR_GET_VIRTUAL_ROOT_RESULT -#define IOCTL_VR_LOAD_DIFFERENCING_HIVE_FOR_HOST CTL_CODE(FILE_DEVICE_UNKNOWN, 8, METHOD_BUFFERED, FILE_ANY_ACCESS) // in: VR_LOAD_DIFFERENCING_HIVE_FOR_HOST -#define IOCTL_VR_UNLOAD_DIFFERENCING_HIVE_FOR_HOST CTL_CODE(FILE_DEVICE_UNKNOWN, 9, METHOD_BUFFERED, FILE_ANY_ACCESS) // in: VR_UNLOAD_DIFFERENCING_HIVE_FOR_HOST - - // private - typedef struct _VR_INITIALIZE_JOB_FOR_VREG - { - HANDLE Job; - } VR_INITIALIZE_JOB_FOR_VREG, *PVR_INITIALIZE_JOB_FOR_VREG; - -// rev -#define VR_FLAG_INHERIT_TRUST_CLASS 0x00000001 -#define VR_FLAG_WRITE_THROUGH_HIVE 0x00000002 // since REDSTONE2 -#define VR_FLAG_LOCAL_MACHINE_TRUST_CLASS 0x00000004 // since 21H1 - - // rev + private - typedef struct 
_VR_LOAD_DIFFERENCING_HIVE - { - HANDLE Job; - ULONG NextLayerIsHost; - ULONG Flags; // VR_FLAG_* - ULONG LoadFlags; // NtLoadKeyEx flags - USHORT KeyPathLength; - USHORT HivePathLength; - USHORT NextLayerKeyPathLength; - HANDLE FileAccessToken; // since 20H1 - WCHAR Strings[ANYSIZE_ARRAY]; - // ... - // WCHAR KeyPath[1]; - // WCHAR HivePath[1]; - // WCHAR NextLayerKeyPath[1]; - } VR_LOAD_DIFFERENCING_HIVE, *PVR_LOAD_DIFFERENCING_HIVE; - - // rev + private - typedef struct _VR_CREATE_NAMESPACE_NODE - { - HANDLE Job; - USHORT ContainerPathLength; - USHORT HostPathLength; - ULONG Flags; - ACCESS_MASK AccessMask; // since 20H1 - WCHAR Strings[ANYSIZE_ARRAY]; - // ... - // WCHAR ContainerPath[1]; - // WCHAR HostPath[1]; - } VR_CREATE_NAMESPACE_NODE, *PVR_CREATE_NAMESPACE_NODE; - - // private - typedef struct _VR_MODIFY_FLAGS - { - HANDLE Job; - ULONG AddFlags; - ULONG RemoveFlags; - } VR_MODIFY_FLAGS, *PVR_MODIFY_FLAGS; - - // private - typedef struct _NAMESPACE_NODE_DATA - { - ACCESS_MASK AccessMask; - USHORT ContainerPathLength; - USHORT HostPathLength; - ULONG Flags; - WCHAR Strings[ANYSIZE_ARRAY]; - // ... 
- // WCHAR ContainerPath[1]; - // WCHAR HostPath[1]; - } NAMESPACE_NODE_DATA, *PNAMESPACE_NODE_DATA; - - // private - typedef struct _VR_CREATE_MULTIPLE_NAMESPACE_NODES - { - HANDLE Job; - ULONG NumNewKeys; - NAMESPACE_NODE_DATA Keys[1]; - } VR_CREATE_MULTIPLE_NAMESPACE_NODES, *PVR_CREATE_MULTIPLE_NAMESPACE_NODES; - - // private - typedef struct _VR_UNLOAD_DYNAMICALLY_LOADED_HIVES - { - HANDLE Job; - } VR_UNLOAD_DYNAMICALLY_LOADED_HIVES, *PVR_UNLOAD_DYNAMICALLY_LOADED_HIVES; - -// rev -#define VR_KEY_COMROOT 0 // \Registry\ComRoot\Classes -#define VR_KEY_MACHINE_SOFTWARE 1 // \Registry\Machine\Software // since REDSTONE2 -#define VR_KEY_CONTROL_SET 2 // \Registry\Machine\System\ControlSet001 // since REDSTONE2 - - // rev - typedef struct _VR_GET_VIRTUAL_ROOT - { - HANDLE Job; - ULONG Index; // VR_KEY_* // since REDSTONE2 - } VR_GET_VIRTUAL_ROOT, *PVR_GET_VIRTUAL_ROOT; - - // rev - typedef struct _VR_GET_VIRTUAL_ROOT_RESULT - { - HANDLE Key; - } VR_GET_VIRTUAL_ROOT_RESULT, *PVR_GET_VIRTUAL_ROOT_RESULT; - - // rev - typedef struct _VR_LOAD_DIFFERENCING_HIVE_FOR_HOST - { - ULONG LoadFlags; // NtLoadKeyEx flags - ULONG Flags; // VR_FLAG_* // since REDSTONE2 - USHORT KeyPathLength; - USHORT HivePathLength; - USHORT NextLayerKeyPathLength; - HANDLE FileAccessToken; // since 20H1 - WCHAR Strings[ANYSIZE_ARRAY]; - // ... - // WCHAR KeyPath[1]; - // WCHAR HivePath[1]; - // WCHAR NextLayerKeyPath[1]; - } VR_LOAD_DIFFERENCING_HIVE_FOR_HOST, *PVR_LOAD_DIFFERENCING_HIVE_FOR_HOST; - - // rev - typedef struct _VR_UNLOAD_DIFFERENCING_HIVE_FOR_HOST - { - ULONG Reserved; - USHORT TargetKeyPathLength; - WCHAR TargetKeyPath[ANYSIZE_ARRAY]; - } VR_UNLOAD_DIFFERENCING_HIVE_FOR_HOST, *PVR_UNLOAD_DIFFERENCING_HIVE_FOR_HOST; - -// -// Key Open/Create Options -// -#define REG_OPTION_RESERVED (0x00000000L) // Parameter is reserved. -#define REG_OPTION_NON_VOLATILE (0x00000000L) // Key is preserved when system is rebooted. 
-#define REG_OPTION_VOLATILE (0x00000001L) // Key is not preserved when system is rebooted -#define REG_OPTION_CREATE_LINK (0x00000002L) // Created key is a symbolic link -#define REG_OPTION_BACKUP_RESTORE (0x00000004L) // open for backup or restore special access rules privilege required -#define REG_OPTION_OPEN_LINK (0x00000008L) // Open symbolic link -#define REG_OPTION_DONT_VIRTUALIZE (0x00000010L) // Disable Open/Read/Write virtualization for this open and the resulting handle. - -#ifndef REG_LEGAL_OPTION -#define REG_LEGAL_OPTION \ - (REG_OPTION_RESERVED | REG_OPTION_NON_VOLATILE | \ - REG_OPTION_VOLATILE | REG_OPTION_CREATE_LINK | \ - REG_OPTION_BACKUP_RESTORE | REG_OPTION_OPEN_LINK | \ - REG_OPTION_DONT_VIRTUALIZE) -#endif - -#ifndef REG_OPEN_LEGAL_OPTION -#define REG_OPEN_LEGAL_OPTION \ - (REG_OPTION_RESERVED | REG_OPTION_BACKUP_RESTORE | \ - REG_OPTION_OPEN_LINK | REG_OPTION_DONT_VIRTUALIZE) -#endif - -// -// Key creation/open disposition -// -#define REG_CREATED_NEW_KEY (0x00000001L) // New Registry Key created -#define REG_OPENED_EXISTING_KEY (0x00000002L) // Existing Key opened - -// -// hive format to be used by Reg(Nt)SaveKeyEx -// -#define REG_STANDARD_FORMAT 1 -#define REG_LATEST_FORMAT 2 -#define REG_NO_COMPRESSION 4 - -// -// Key restore & hive load flags -// -#define REG_WHOLE_HIVE_VOLATILE (0x00000001L) // Restore whole hive volatile -#define REG_REFRESH_HIVE (0x00000002L) // Unwind changes to last flush -#define REG_NO_LAZY_FLUSH (0x00000004L) // Never lazy flush this hive -#define REG_FORCE_RESTORE (0x00000008L) // Force the restore process even when we have open handles on subkeys -#define REG_APP_HIVE (0x00000010L) // Loads the hive visible to the calling process -#define REG_PROCESS_PRIVATE (0x00000020L) // Hive cannot be mounted by any other process while in use -#define REG_START_JOURNAL (0x00000040L) // Starts Hive Journal -#define REG_HIVE_EXACT_FILE_GROWTH (0x00000080L) // Grow hive file in exact 4k increments -#define REG_HIVE_NO_RM 
(0x00000100L) // No RM is started for this hive (no transactions) -#define REG_HIVE_SINGLE_LOG (0x00000200L) // Legacy single logging is used for this hive -#define REG_BOOT_HIVE (0x00000400L) // This hive might be used by the OS loader -#define REG_LOAD_HIVE_OPEN_HANDLE (0x00000800L) // Load the hive and return a handle to its root kcb -#define REG_FLUSH_HIVE_FILE_GROWTH (0x00001000L) // Flush changes to primary hive file size as part of all flushes -#define REG_OPEN_READ_ONLY (0x00002000L) // Open a hive's files in read-only mode -#define REG_IMMUTABLE (0x00004000L) // Load the hive, but don't allow any modification of it -#define REG_NO_IMPERSONATION_FALLBACK (0x00008000L) // Do not fall back to impersonating the caller if hive file access fails -#define REG_APP_HIVE_OPEN_READ_ONLY (REG_OPEN_READ_ONLY) // Open an app hive's files in read-only mode (if the hive was not previously loaded) - -// -// Unload Flags -// -#define REG_FORCE_UNLOAD 1 -#define REG_UNLOAD_LEGAL_FLAGS (REG_FORCE_UNLOAD) - - /** - * Creates a new registry key routine or opens an existing one. - * - * @param[out] KeyHandle A pointer to a handle that receives the key handle. - * @param[in] DesiredAccess The access mask that specifies the desired access rights. - * @param[in] ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes. - * @param[in] TitleIndex Reserved. - * @param[in, optional] Class A pointer to a UNICODE_STRING structure that specifies the class of the key. - * @param[in] CreateOptions The options to use when creating the key. - * @param[out, optional] Disposition A pointer to a variable that receives the disposition value. - * @return NTSTATUS Successful or errant status. 
- */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateKey( - _Out_ PHANDLE KeyHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _Reserved_ ULONG TitleIndex, - _In_opt_ PUNICODE_STRING Class, - _In_ ULONG CreateOptions, - _Out_opt_ PULONG Disposition); - -#if (PHNT_VERSION >= PHNT_VISTA) - /** - * Creates a new registry key or opens an existing one, and it associates the key with a transaction. - * - * @param[out] KeyHandle A pointer to a handle that receives the key handle. - * @param[in] DesiredAccess The access mask that specifies the desired access rights. - * @param[in] ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes. - * @param[in] TitleIndex Reserved. - * @param[in, optional] Class A pointer to a UNICODE_STRING structure that specifies the class of the key. - * @param[in] CreateOptions The options to use when creating the key. - * @param[in] TransactionHandle A handle to the transaction. - * @param[out, optional] Disposition A pointer to a variable that receives the disposition value. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateKeyTransacted( - _Out_ PHANDLE KeyHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _Reserved_ ULONG TitleIndex, - _In_opt_ PUNICODE_STRING Class, - _In_ ULONG CreateOptions, - _In_ HANDLE TransactionHandle, - _Out_opt_ PULONG Disposition); -#endif - - /** - * Opens an existing registry key. - * - * @param[out] KeyHandle A pointer to a handle that receives the key handle. - * @param[in] DesiredAccess The access mask that specifies the desired access rights. - * @param[in] ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes. - * @return NTSTATUS Successful or errant status. - * @remarks NtOpenKey ignores the security information in the ObjectAttributes structure. 
- */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtOpenKey( - _Out_ PHANDLE KeyHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes); - -#if (PHNT_VERSION >= PHNT_VISTA) - /** - * Opens an existing registry key and associates the key with a transaction. - * - * @param[out] KeyHandle A pointer to a handle that receives the key handle. - * @param[in] DesiredAccess The access mask that specifies the desired access rights. - * @param[in] ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes. - * @param[in] TransactionHandle A handle to the transaction. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtOpenKeyTransacted( - _Out_ PHANDLE KeyHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ HANDLE TransactionHandle); -#endif - -#if (PHNT_VERSION >= PHNT_WIN7) - /** - * Opens an existing registry key with extended options. - * - * @param[out] KeyHandle A pointer to a handle that receives the key handle. - * @param[in] DesiredAccess The access mask that specifies the desired access rights. - * @param[in] ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes. - * @param[in] OpenOptions The options to use when opening the key. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtOpenKeyEx( - _Out_ PHANDLE KeyHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ ULONG OpenOptions); - - /** - * Opens an existing registry key in a transaction with extended options. - * - * @param[out] KeyHandle A pointer to a handle that receives the key handle. - * @param[in] DesiredAccess The access mask that specifies the desired access rights. - * @param[in] ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes. 
- * @param[in] OpenOptions The options to use when opening the key. - * @param[in] TransactionHandle A handle to the transaction. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtOpenKeyTransactedEx( - _Out_ PHANDLE KeyHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ ULONG OpenOptions, - _In_ HANDLE TransactionHandle); -#endif - - /** - * Deletes a registry key. - * - * @param[in] KeyHandle A handle to the key to be deleted. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtDeleteKey( - _In_ HANDLE KeyHandle); - - /** - * Renames a registry key. - * - * @param[in] KeyHandle A handle to the key to be renamed. - * @param[in] NewName A pointer to a UNICODE_STRING structure that specifies the new name of the key. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtRenameKey( - _In_ HANDLE KeyHandle, - _In_ PUNICODE_STRING NewName); - - /** - * Deletes a value from a registry key. - * - * @param[in] KeyHandle A handle to the key that contains the value to be deleted. - * @param[in] ValueName A pointer to a UNICODE_STRING structure that specifies the name of the value to be deleted. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtDeleteValueKey( - _In_ HANDLE KeyHandle, - _In_ PUNICODE_STRING ValueName); - - /** - * Queries information about a registry key. - * - * @param[in] KeyHandle A handle to the key to be queried. - * @param[in] KeyInformationClass The type of information to be queried. - * @param[out] KeyInformation A pointer to a buffer that receives the key information. - * @param[in] Length The size of the buffer. - * @param[out] ResultLength A pointer to a variable that receives the size of the data returned. - * @return NTSTATUS Successful or errant status. 
- */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryKey( - _In_ HANDLE KeyHandle, - _In_ KEY_INFORMATION_CLASS KeyInformationClass, - _Out_writes_bytes_to_opt_(Length, *ResultLength) PVOID KeyInformation, - _In_ ULONG Length, - _Out_ PULONG ResultLength); - - /** - * Sets information for a registry key. - * - * @param[in] KeyHandle A handle to the key to be modified. - * @param[in] KeySetInformationClass The type of information to be set. - * @param[in] KeySetInformation A pointer to a buffer that contains the key information. - * @param[in] KeySetInformationLength The size of the buffer. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetInformationKey( - _In_ HANDLE KeyHandle, - _In_ KEY_SET_INFORMATION_CLASS KeySetInformationClass, - _In_reads_bytes_(KeySetInformationLength) PVOID KeySetInformation, - _In_ ULONG KeySetInformationLength); - - /** - * Queries the value of a registry key. - * - * @param[in] KeyHandle A handle to the key to be queried. - * @param[in] ValueName A pointer to a UNICODE_STRING structure that specifies the name of the value to be queried. - * @param[in] KeyValueInformationClass The type of information to be queried. - * @param[out] KeyValueInformation A pointer to a buffer that receives the value information. - * @param[in] Length The size of the buffer. - * @param[out] ResultLength A pointer to a variable that receives the size of the data returned. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryValueKey( - _In_ HANDLE KeyHandle, - _In_ PUNICODE_STRING ValueName, - _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, - _Out_writes_bytes_to_opt_(Length, *ResultLength) PVOID KeyValueInformation, - _In_ ULONG Length, - _Out_ PULONG ResultLength); - - /** - * Sets the value of a registry key. - * - * @param[in] KeyHandle A handle to the key to be modified. 
- * @param[in] ValueName A pointer to a UNICODE_STRING structure that specifies the name of the value to be set. - * @param[in, optional] TitleIndex Reserved. - * @param[in] Type The type of the value. - * @param[in] Data A pointer to a buffer that contains the value data. - * @param[in] DataSize The size of the buffer. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetValueKey( - _In_ HANDLE KeyHandle, - _In_ PUNICODE_STRING ValueName, - _In_opt_ ULONG TitleIndex, - _In_ ULONG Type, - _In_reads_bytes_opt_(DataSize) PVOID Data, - _In_ ULONG DataSize); - - /** - * Queries multiple values of a registry key. - * - * @param[in] KeyHandle A handle to the key to be queried. - * @param[in, out] ValueEntries A pointer to an array of KEY_VALUE_ENTRY structures that specify the values to be queried. - * @param[in] EntryCount The number of entries in the array. - * @param[out] ValueBuffer A pointer to a buffer that receives the value data. - * @param[in, out] BufferLength A pointer to a variable that specifies the size of the buffer and receives the size of the data returned. - * @param[out, optional] RequiredBufferLength A pointer to a variable that receives the size of the buffer required to hold the data. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryMultipleValueKey( - _In_ HANDLE KeyHandle, - _Inout_updates_(EntryCount) PKEY_VALUE_ENTRY ValueEntries, - _In_ ULONG EntryCount, - _Out_writes_bytes_(*BufferLength) PVOID ValueBuffer, - _Inout_ PULONG BufferLength, - _Out_opt_ PULONG RequiredBufferLength); - - /** - * Enumerates the subkeys of a registry key. - * - * @param[in] KeyHandle A handle to the key to be enumerated. - * @param[in] Index The index of the subkey to be enumerated. - * @param[in] KeyInformationClass The type of information to be queried. - * @param[out] KeyInformation A pointer to a buffer that receives the key information. 
- * @param[in] Length The size of the buffer. - * @param[out] ResultLength A pointer to a variable that receives the size of the data returned. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtEnumerateKey( - _In_ HANDLE KeyHandle, - _In_ ULONG Index, - _In_ KEY_INFORMATION_CLASS KeyInformationClass, - _Out_writes_bytes_to_opt_(Length, *ResultLength) PVOID KeyInformation, - _In_ ULONG Length, - _Out_ PULONG ResultLength); - - /** - * Enumerates the values of a registry key. - * - * @param[in] KeyHandle A handle to the key to be enumerated. - * @param[in] Index The index of the value to be enumerated. - * @param[in] KeyValueInformationClass The type of information to be queried. - * @param[out] KeyValueInformation A pointer to a buffer that receives the value information. - * @param[in] Length The size of the buffer. - * @param[out] ResultLength A pointer to a variable that receives the size of the data returned. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtEnumerateValueKey( - _In_ HANDLE KeyHandle, - _In_ ULONG Index, - _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, - _Out_writes_bytes_to_opt_(Length, *ResultLength) PVOID KeyValueInformation, - _In_ ULONG Length, - _Out_ PULONG ResultLength); - - /** - * Flushes the changes to a registry key. - * - * @param[in] KeyHandle A handle to the key to be flushed. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtFlushKey( - _In_ HANDLE KeyHandle); - - /** - * Compacts the specified registry keys. - * - * @param[in] Count The number of keys to be compacted. - * @param[in] KeyArray An array of handles to the keys to be compacted. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCompactKeys( - _In_ ULONG Count, - _In_reads_(Count) HANDLE KeyArray[]); - - /** - * Compresses a registry key. 
- * - * @param[in] KeyHandle A handle to the key to be compressed. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCompressKey( - _In_ HANDLE KeyHandle); - - /** - * Loads a registry key from a file. - * - * @param[in] TargetKey A pointer to an OBJECT_ATTRIBUTES structure that specifies the target key. - * @param[in] SourceFile A pointer to an OBJECT_ATTRIBUTES structure that specifies the source file. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtLoadKey( - _In_ POBJECT_ATTRIBUTES TargetKey, - _In_ POBJECT_ATTRIBUTES SourceFile); - - /** - * Loads a registry key from a file with additional options. - * - * @param[in] TargetKey A pointer to an OBJECT_ATTRIBUTES structure that specifies the target key. - * @param[in] SourceFile A pointer to an OBJECT_ATTRIBUTES structure that specifies the source file. - * @param[in] Flags The options to use when loading the key. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtLoadKey2( - _In_ POBJECT_ATTRIBUTES TargetKey, - _In_ POBJECT_ATTRIBUTES SourceFile, - _In_ ULONG Flags); - -#if (PHNT_VERSION >= PHNT_WS03) - /** - * Loads a registry key from a file with extended options. - * - * @param[in] TargetKey A pointer to an OBJECT_ATTRIBUTES structure that specifies the target key. - * @param[in] SourceFile A pointer to an OBJECT_ATTRIBUTES structure that specifies the source file. - * @param[in] Flags The options to use when loading the key. - * @param[in, optional] TrustClassKey A handle to the trust class key. - * @param[in, optional] Event A handle to an event. - * @param[in, optional] DesiredAccess The access mask that specifies the desired access rights. - * @param[out, optional] RootHandle A pointer to a handle that receives the root handle. - * @param[in, reserved] Reserved Reserved. - * @return NTSTATUS Successful or errant status. 
- */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtLoadKeyEx( - _In_ POBJECT_ATTRIBUTES TargetKey, - _In_ POBJECT_ATTRIBUTES SourceFile, - _In_ ULONG Flags, - _In_opt_ HANDLE TrustClassKey, - _In_opt_ HANDLE Event, - _In_opt_ ACCESS_MASK DesiredAccess, - _Out_opt_ PHANDLE RootHandle, - _Reserved_ PVOID Reserved // previously PIO_STATUS_BLOCK - ); -#endif - -#if (PHNT_VERSION >= PHNT_20H1) - // rev by tyranid - /** - * Loads a registry key from a file with extended parameters. - * - * @param[in] TargetKey A pointer to an OBJECT_ATTRIBUTES structure that specifies the target key. - * @param[in] SourceFile A pointer to an OBJECT_ATTRIBUTES structure that specifies the source file. - * @param[in] Flags The options to use when loading the key. - * @param[in] ExtendedParameters A pointer to an array of extended parameters. - * @param[in] ExtendedParameterCount The number of extended parameters. - * @param[in, optional] DesiredAccess The access mask that specifies the desired access rights. - * @param[out, optional] RootHandle A pointer to a handle that receives the root handle. - * @param[in, reserved] Reserved Reserved. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtLoadKey3( - _In_ POBJECT_ATTRIBUTES TargetKey, - _In_ POBJECT_ATTRIBUTES SourceFile, - _In_ ULONG Flags, - _In_reads_(ExtendedParameterCount) PCM_EXTENDED_PARAMETER ExtendedParameters, - _In_ ULONG ExtendedParameterCount, - _In_opt_ ACCESS_MASK DesiredAccess, - _Out_opt_ PHANDLE RootHandle, - _Reserved_ PVOID Reserved); -#endif - - /** - * Replaces a registry key. - * - * @param[in] NewFile A pointer to an OBJECT_ATTRIBUTES structure that specifies the new file. - * @param[in] TargetHandle A handle to the target key. - * @param[in] OldFile A pointer to an OBJECT_ATTRIBUTES structure that specifies the old file. - * @return NTSTATUS Successful or errant status. 
- */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtReplaceKey( - _In_ POBJECT_ATTRIBUTES NewFile, - _In_ HANDLE TargetHandle, - _In_ POBJECT_ATTRIBUTES OldFile); - - /** - * Saves the specified registry key to a file. - * - * @param KeyHandle Handle to the registry key. - * @param FileHandle Handle to the file where the key will be saved. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSaveKey( - _In_ HANDLE KeyHandle, - _In_ HANDLE FileHandle); - - /** - * Saves the specified registry key to a file with a specified format. - * - * @param KeyHandle Handle to the registry key. - * @param FileHandle Handle to the file where the key will be saved. - * @param Format Format in which the key will be saved. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSaveKeyEx( - _In_ HANDLE KeyHandle, - _In_ HANDLE FileHandle, - _In_ ULONG Format); - - /** - * Merges two registry keys and saves the result to a file. - * - * @param HighPrecedenceKeyHandle Handle to the high precedence registry key. - * @param LowPrecedenceKeyHandle Handle to the low precedence registry key. - * @param FileHandle Handle to the file where the merged key will be saved. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSaveMergedKeys( - _In_ HANDLE HighPrecedenceKeyHandle, - _In_ HANDLE LowPrecedenceKeyHandle, - _In_ HANDLE FileHandle); - - /** - * Restores a registry key from a file. - * - * @param KeyHandle Handle to the registry key. - * @param FileHandle Handle to the file from which the key will be restored. - * @param Flags Flags for the restore operation. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtRestoreKey( - _In_ HANDLE KeyHandle, - _In_ HANDLE FileHandle, - _In_ ULONG Flags); - - /** - * Unloads a registry key. - * - * @param TargetKey Pointer to the object attributes of the target key. 
- * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtUnloadKey( - _In_ POBJECT_ATTRIBUTES TargetKey); - -#if PHNT_VERSION >= PHNT_WS03 - /** - * Unloads a registry key with additional flags. - * - * @param TargetKey Pointer to the object attributes of the target key. - * @param Flags Flags for the unload operation. - * @return NTSTATUS Successful or errant status. - * @remarks Valid flags are REG_FORCE_UNLOAD and REG_UNLOAD_LEGAL_FLAGS. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtUnloadKey2( - _In_ POBJECT_ATTRIBUTES TargetKey, - _In_ ULONG Flags); -#endif - - /** - * Unloads a registry key and optionally signals an event. - * - * @param TargetKey Pointer to the object attributes of the target key. - * @param Event Optional handle to an event to be signaled. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtUnloadKeyEx( - _In_ POBJECT_ATTRIBUTES TargetKey, - _In_opt_ HANDLE Event); - - /** - * Notifies of changes to a registry key. - * - * @param KeyHandle Handle to the registry key. - * @param Event Optional handle to an event to be signaled. - * @param ApcRoutine Optional APC routine to be called. - * @param ApcContext Optional context for the APC routine. - * @param IoStatusBlock Pointer to an IO status block. - * @param CompletionFilter Filter for the types of changes to notify. - * @param WatchTree Whether to watch the entire tree. - * @param Buffer Optional buffer for change data. - * @param BufferSize Size of the buffer. - * @param Asynchronous Whether the operation is asynchronous. - * @return NTSTATUS Successful or errant status. 
- */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtNotifyChangeKey( - _In_ HANDLE KeyHandle, - _In_opt_ HANDLE Event, - _In_opt_ PIO_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_ ULONG CompletionFilter, - _In_ BOOLEAN WatchTree, - _Out_writes_bytes_opt_(BufferSize) PVOID Buffer, - _In_ ULONG BufferSize, - _In_ BOOLEAN Asynchronous); - - /** - * Requests notification when a registry key or any of its subkeys changes. - * - * @param MasterKeyHandle A handle to an open key. The handle must be opened with the KEY_NOTIFY access right. - * @param Count The number of subkeys under the key specified by the MasterKeyHandle parameter. - * @param SubordinateObjects Pointer to an array of OBJECT_ATTRIBUTES structures, one for each subkey. This array can contain one OBJECT_ATTRIBUTES structure. - * @param Event A handle to an event created by the caller. If Event is not NULL, the caller waits until the operation succeeds, at which time the event is signaled. - * @param ApcRoutine A pointer to an asynchronous procedure call (APC) function supplied by the caller. If ApcRoutine is not NULL, the specified APC function executes after the operation completes. - * @param ApcContext A pointer to a context supplied by the caller for its APC function. This value is passed to the APC function when it is executed. The Asynchronous parameter must be TRUE. If ApcContext is specified, the Event parameter must be NULL. - * @param IoStatusBlock A pointer to an IO_STATUS_BLOCK structure that contains the final status and information about the operation. For successful calls that return data, the number of bytes written to the Buffer parameter is supplied in the Information member of the IO_STATUS_BLOCK structure. - * @param CompletionFilter A bitmap of operations that trigger notification. This parameter can be one or more of the following flags. 
REG_NOTIFY_CHANGE_NAME, REG_NOTIFY_CHANGE_ATTRIBUTES, REG_NOTIFY_CHANGE_LAST_SET, REG_NOTIFY_CHANGE_SECURITY. - * @param WatchTree If this parameter is TRUE, the caller is notified about changes to all subkeys of the specified key. If this parameter is FALSE, the caller is notified only about changes to the specified key. - * @param Buffer Reserved for system use. This parameter must be NULL. - * @param BufferSize Reserved for system use. This parameter must be zero. - * @param Asynchronous Whether the operation is asynchronous. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtNotifyChangeMultipleKeys( - _In_ HANDLE MasterKeyHandle, - _In_opt_ ULONG Count, - _In_reads_opt_(Count) OBJECT_ATTRIBUTES SubordinateObjects[], - _In_opt_ HANDLE Event, - _In_opt_ PIO_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_ ULONG CompletionFilter, - _In_ BOOLEAN WatchTree, - _Out_writes_bytes_opt_(BufferSize) PVOID Buffer, - _In_ ULONG BufferSize, - _In_ BOOLEAN Asynchronous); - - /** - * Queries the number of open subkeys of a registry key. - * - * @param TargetKey Pointer to the object attributes of the target key. - * @param HandleCount Pointer to a variable to receive the handle count. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryOpenSubKeys( - _In_ POBJECT_ATTRIBUTES TargetKey, - _Out_ PULONG HandleCount); - -#if (PHNT_VERSION >= PHNT_WS03) - /** - * Queries the open subkeys of a registry key with additional information. - * - * @param TargetKey Pointer to the object attributes of the target key. - * @param BufferLength Length of the buffer. - * @param Buffer Optional buffer to receive the subkey information. - * @param RequiredSize Pointer to a variable to receive the required size. - * @return NTSTATUS Successful or errant status. - * @remarks Returns an array of KEY_OPEN_SUBKEYS_INFORMATION structures. 
- */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryOpenSubKeysEx( - _In_ POBJECT_ATTRIBUTES TargetKey, - _In_ ULONG BufferLength, - _Out_writes_bytes_opt_(BufferLength) PVOID Buffer, - _Out_ PULONG RequiredSize); -#endif - - /** - * Initializes the registry. - * - * @param BootCondition Condition for the boot. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtInitializeRegistry( - _In_ USHORT BootCondition); - - /** - * Locks the registry key and prevents changes from being written to disk. - * - * @param KeyHandle Handle to the registry key. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtLockRegistryKey( - _In_ HANDLE KeyHandle); - - /** - * Locks the product activation keys. - * - * @param pPrivateVer Optional pointer to a private version variable. - * @param pSafeMode Optional pointer to a safe mode variable. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtLockProductActivationKeys( - _Inout_opt_ ULONG *pPrivateVer, - _Out_opt_ ULONG *pSafeMode); - -#if (PHNT_VERSION >= PHNT_VISTA) - /** - * Freezes the registry and prevents changes from being flushed to disk. - * - * @param TimeOutInSeconds Timeout in seconds. - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtFreezeRegistry( - _In_ ULONG TimeOutInSeconds); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - /** - * Thaws the registry and enables flushing changes to disk. - * - * @return NTSTATUS Successful or errant status. - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtThawRegistry( - VOID); -#endif - -#if (PHNT_VERSION >= PHNT_REDSTONE) - /** - * Creates a registry transaction. - * - * @param RegistryTransactionHandle Pointer to a variable to receive the handle. - * @param DesiredAccess Desired access mask. - * @param ObjAttributes Optional pointer to object attributes. - * @param CreateOptions Reserved for future use. 
- * @return NTSTATUS Successful or errant status. - */ - NTSTATUS NtCreateRegistryTransaction( - _Out_ HANDLE *RegistryTransactionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjAttributes, - _Reserved_ ULONG CreateOptions); -#endif - -#if (PHNT_VERSION >= PHNT_REDSTONE) - /** - * Opens a registry transaction. - * - * @param RegistryTransactionHandle Pointer to a variable to receive the handle. - * @param DesiredAccess Desired access mask. - * @param ObjAttributes Pointer to object attributes. - * @return NTSTATUS Successful or errant status. - */ - NTSTATUS NtOpenRegistryTransaction( - _Out_ HANDLE *RegistryTransactionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjAttributes); -#endif - -#if (PHNT_VERSION >= PHNT_REDSTONE) - /** - * Commits a registry transaction. - * - * @param RegistryTransactionHandle Handle to the registry transaction. - * @param Flags Reserved for future use. - * @return NTSTATUS Successful or errant status. - */ - NTSTATUS NtCommitRegistryTransaction( - _In_ HANDLE RegistryTransactionHandle, - _Reserved_ ULONG Flags); -#endif - -#if (PHNT_VERSION >= PHNT_REDSTONE) - /** - * Rolls back a registry transaction. - * - * @param RegistryTransactionHandle Handle to the registry transaction. - * @param Flags Reserved for future use. - * @return NTSTATUS Successful or errant status. - */ - NTSTATUS NtRollbackRegistryTransaction( - _In_ HANDLE RegistryTransactionHandle, - _Reserved_ ULONG Flags); -#endif - -#endif - /* - * RTL support functions - * - * This file is part of System Informer. 
- */ - -#ifndef _NTRTL_H -#define _NTRTL_H - -#define RtlOffsetToPointer(Base, Offset) ((PCHAR)(((PCHAR)(Base)) + ((ULONG_PTR)(Offset)))) -#define RtlPointerToOffset(Base, Pointer) ((ULONG)(((PCHAR)(Pointer)) - ((PCHAR)(Base)))) - -#define RTL_PTR_ADD(Pointer, Value) ((PVOID)((ULONG_PTR)(Pointer) + (ULONG_PTR)(Value))) -#define RTL_PTR_SUBTRACT(Pointer, Value) ((PVOID)((ULONG_PTR)(Pointer) - (ULONG_PTR)(Value))) - -#define RTL_MILLISEC_TO_100NANOSEC(m) ((m) * 10000ULL) -#define RTL_SEC_TO_100NANOSEC(s) ((s) * 10000000ULL) -#define RTL_SEC_TO_MILLISEC(s) ((s) * 1000ULL) - -#define RTL_MEG (1024UL * 1024UL) -#define RTL_IMAGE_MAX_DOS_HEADER (256UL * RTL_MEG) - - // Linked lists - - typedef struct _LIST_ENTRY LIST_ENTRY, *PLIST_ENTRY; - -#define RTL_STATIC_LIST_HEAD(x) \ - LIST_ENTRY(x) = {&(x), &(x)} - -#define RTL_LIST_FOREACH(Entry, ListHead) \ - for ((Entry) = &(ListHead); (Entry) != &(ListHead); (Entry) = (Entry)->Flink) - - FORCEINLINE - VOID - InitializeListHead( - _Out_ PLIST_ENTRY ListHead) - { - ListHead->Flink = ListHead->Blink = ListHead; - } - - FORCEINLINE - VOID - InitializeListHead32( - _Out_ PLIST_ENTRY32 ListHead) - { - ListHead->Flink = ListHead->Blink = ((ULONG)(ULONG_PTR)ListHead); - } - - _Must_inspect_result_ - FORCEINLINE - BOOLEAN - IsListEmpty( - _In_ PLIST_ENTRY ListHead) - { - return ListHead->Flink == ListHead; - } - - FORCEINLINE BOOLEAN RemoveEntryList( - _In_ PLIST_ENTRY Entry) - { - PLIST_ENTRY Blink; - PLIST_ENTRY Flink; - - Flink = Entry->Flink; - Blink = Entry->Blink; - Blink->Flink = Flink; - Flink->Blink = Blink; - - return Flink == Blink; - } - - FORCEINLINE PLIST_ENTRY RemoveHeadList( - _Inout_ PLIST_ENTRY ListHead) - { - PLIST_ENTRY Flink; - PLIST_ENTRY Entry; - - Entry = ListHead->Flink; - Flink = Entry->Flink; - ListHead->Flink = Flink; - Flink->Blink = ListHead; - - return Entry; - } - - FORCEINLINE PLIST_ENTRY RemoveTailList( - _Inout_ PLIST_ENTRY ListHead) - { - PLIST_ENTRY Blink; - PLIST_ENTRY Entry; - - Entry = 
ListHead->Blink; - Blink = Entry->Blink; - ListHead->Blink = Blink; - Blink->Flink = ListHead; - - return Entry; - } - - FORCEINLINE VOID InsertTailList( - _Inout_ PLIST_ENTRY ListHead, - _Inout_ PLIST_ENTRY Entry) - { - PLIST_ENTRY Blink; - - Blink = ListHead->Blink; - Entry->Flink = ListHead; - Entry->Blink = Blink; - Blink->Flink = Entry; - ListHead->Blink = Entry; - } - - FORCEINLINE VOID InsertHeadList( - _Inout_ PLIST_ENTRY ListHead, - _Inout_ PLIST_ENTRY Entry) - { - PLIST_ENTRY Flink; - - Flink = ListHead->Flink; - Entry->Flink = Flink; - Entry->Blink = ListHead; - Flink->Blink = Entry; - ListHead->Flink = Entry; - } - - FORCEINLINE VOID AppendTailList( - _Inout_ PLIST_ENTRY ListHead, - _Inout_ PLIST_ENTRY ListToAppend) - { - PLIST_ENTRY ListEnd = ListHead->Blink; - - ListHead->Blink->Flink = ListToAppend; - ListHead->Blink = ListToAppend->Blink; - ListToAppend->Blink->Flink = ListHead; - ListToAppend->Blink = ListEnd; - } - - FORCEINLINE PSINGLE_LIST_ENTRY PopEntryList( - _Inout_ PSINGLE_LIST_ENTRY ListHead) - { - PSINGLE_LIST_ENTRY FirstEntry; - - FirstEntry = ListHead->Next; - - if (FirstEntry) - ListHead->Next = FirstEntry->Next; - - return FirstEntry; - } - - FORCEINLINE VOID PushEntryList( - _Inout_ PSINGLE_LIST_ENTRY ListHead, - _Inout_ PSINGLE_LIST_ENTRY Entry) - { - Entry->Next = ListHead->Next; - ListHead->Next = Entry; - } - - // AVL and splay trees - - typedef enum _TABLE_SEARCH_RESULT - { - TableEmptyTree, - TableFoundNode, - TableInsertAsLeft, - TableInsertAsRight - } TABLE_SEARCH_RESULT; - - typedef enum _RTL_GENERIC_COMPARE_RESULTS - { - GenericLessThan, - GenericGreaterThan, - GenericEqual - } RTL_GENERIC_COMPARE_RESULTS; - - typedef RTL_GENERIC_COMPARE_RESULTS(NTAPI *PRTL_AVL_COMPARE_ROUTINE)( - _In_ struct _RTL_AVL_TABLE *Table, - _In_ PVOID FirstStruct, - _In_ PVOID SecondStruct); - - typedef PVOID(NTAPI *PRTL_AVL_ALLOCATE_ROUTINE)( - _In_ struct _RTL_AVL_TABLE *Table, - _In_ CLONG ByteSize); - - typedef VOID(NTAPI 
*PRTL_AVL_FREE_ROUTINE)( - _In_ struct _RTL_AVL_TABLE *Table, - _In_ _Post_invalid_ PVOID Buffer); - - typedef NTSTATUS(NTAPI *PRTL_AVL_MATCH_FUNCTION)( - _In_ struct _RTL_AVL_TABLE *Table, - _In_ PVOID UserData, - _In_ PVOID MatchData); - - typedef struct _RTL_BALANCED_LINKS - { - struct _RTL_BALANCED_LINKS *Parent; - struct _RTL_BALANCED_LINKS *LeftChild; - struct _RTL_BALANCED_LINKS *RightChild; - CHAR Balance; - UCHAR Reserved[3]; - } RTL_BALANCED_LINKS, *PRTL_BALANCED_LINKS; - - typedef struct _RTL_AVL_TABLE - { - RTL_BALANCED_LINKS BalancedRoot; - PVOID OrderedPointer; - ULONG WhichOrderedElement; - ULONG NumberGenericTableElements; - ULONG DepthOfTree; - PRTL_BALANCED_LINKS RestartKey; - ULONG DeleteCount; - PRTL_AVL_COMPARE_ROUTINE CompareRoutine; - PRTL_AVL_ALLOCATE_ROUTINE AllocateRoutine; - PRTL_AVL_FREE_ROUTINE FreeRoutine; - PVOID TableContext; - } RTL_AVL_TABLE, *PRTL_AVL_TABLE; - - NTSYSAPI - VOID - NTAPI - RtlInitializeGenericTableAvl( - _Out_ PRTL_AVL_TABLE Table, - _In_ PRTL_AVL_COMPARE_ROUTINE CompareRoutine, - _In_ PRTL_AVL_ALLOCATE_ROUTINE AllocateRoutine, - _In_ PRTL_AVL_FREE_ROUTINE FreeRoutine, - _In_opt_ PVOID TableContext); - - NTSYSAPI - PVOID - NTAPI - RtlInsertElementGenericTableAvl( - _In_ PRTL_AVL_TABLE Table, - _In_reads_bytes_(BufferSize) PVOID Buffer, - _In_ CLONG BufferSize, - _Out_opt_ PBOOLEAN NewElement); - - NTSYSAPI - PVOID - NTAPI - RtlInsertElementGenericTableFullAvl( - _In_ PRTL_AVL_TABLE Table, - _In_reads_bytes_(BufferSize) PVOID Buffer, - _In_ CLONG BufferSize, - _Out_opt_ PBOOLEAN NewElement, - _In_ PVOID NodeOrParent, - _In_ TABLE_SEARCH_RESULT SearchResult); - - NTSYSAPI - BOOLEAN - NTAPI - RtlDeleteElementGenericTableAvl( - _In_ PRTL_AVL_TABLE Table, - _In_ PVOID Buffer); - - _Check_return_ - NTSYSAPI - PVOID - NTAPI - RtlLookupElementGenericTableAvl( - _In_ PRTL_AVL_TABLE Table, - _In_ PVOID Buffer); - - NTSYSAPI - PVOID - NTAPI - RtlLookupElementGenericTableFullAvl( - _In_ PRTL_AVL_TABLE Table, - _In_ PVOID 
Buffer, - _Out_ PVOID *NodeOrParent, - _Out_ TABLE_SEARCH_RESULT *SearchResult); - - _Check_return_ - NTSYSAPI - PVOID - NTAPI - RtlEnumerateGenericTableAvl( - _In_ PRTL_AVL_TABLE Table, - _In_ BOOLEAN Restart); - - _Check_return_ - NTSYSAPI - PVOID - NTAPI - RtlEnumerateGenericTableWithoutSplayingAvl( - _In_ PRTL_AVL_TABLE Table, - _Inout_ PVOID *RestartKey); - - _Check_return_ - NTSYSAPI - PVOID - NTAPI - RtlLookupFirstMatchingElementGenericTableAvl( - _In_ PRTL_AVL_TABLE Table, - _In_ PVOID Buffer, - _Out_ PVOID *RestartKey); - - _Check_return_ - NTSYSAPI - PVOID - NTAPI - RtlEnumerateGenericTableLikeADirectory( - _In_ PRTL_AVL_TABLE Table, - _In_opt_ PRTL_AVL_MATCH_FUNCTION MatchFunction, - _In_opt_ PVOID MatchData, - _In_ ULONG NextFlag, - _Inout_ PVOID *RestartKey, - _Inout_ PULONG DeleteCount, - _In_ PVOID Buffer); - - _Check_return_ - NTSYSAPI - PVOID - NTAPI - RtlGetElementGenericTableAvl( - _In_ PRTL_AVL_TABLE Table, - _In_ ULONG I); - - NTSYSAPI - ULONG - NTAPI - RtlNumberGenericTableElementsAvl( - _In_ PRTL_AVL_TABLE Table); - - _Check_return_ - NTSYSAPI - BOOLEAN - NTAPI - RtlIsGenericTableEmptyAvl( - _In_ PRTL_AVL_TABLE Table); - - typedef struct _RTL_SPLAY_LINKS - { - struct _RTL_SPLAY_LINKS *Parent; - struct _RTL_SPLAY_LINKS *LeftChild; - struct _RTL_SPLAY_LINKS *RightChild; - } RTL_SPLAY_LINKS, *PRTL_SPLAY_LINKS; - -#define RtlInitializeSplayLinks(Links) \ - { \ - PRTL_SPLAY_LINKS _SplayLinks; \ - _SplayLinks = (PRTL_SPLAY_LINKS)(Links); \ - _SplayLinks->Parent = _SplayLinks; \ - _SplayLinks->LeftChild = NULL; \ - _SplayLinks->RightChild = NULL; \ - } - -#define RtlParent(Links) ((PRTL_SPLAY_LINKS)(Links)->Parent) -#define RtlLeftChild(Links) ((PRTL_SPLAY_LINKS)(Links)->LeftChild) -#define RtlRightChild(Links) ((PRTL_SPLAY_LINKS)(Links)->RightChild) -#define RtlIsRoot(Links) ((RtlParent(Links) == (PRTL_SPLAY_LINKS)(Links))) -#define RtlIsLeftChild(Links) ((RtlLeftChild(RtlParent(Links)) == (PRTL_SPLAY_LINKS)(Links))) -#define RtlIsRightChild(Links) 
((RtlRightChild(RtlParent(Links)) == (PRTL_SPLAY_LINKS)(Links))) - -#define RtlInsertAsLeftChild(ParentLinks, ChildLinks) \ - { \ - PRTL_SPLAY_LINKS _SplayParent; \ - PRTL_SPLAY_LINKS _SplayChild; \ - _SplayParent = (PRTL_SPLAY_LINKS)(ParentLinks); \ - _SplayChild = (PRTL_SPLAY_LINKS)(ChildLinks); \ - _SplayParent->LeftChild = _SplayChild; \ - _SplayChild->Parent = _SplayParent; \ - } - -#define RtlInsertAsRightChild(ParentLinks, ChildLinks) \ - { \ - PRTL_SPLAY_LINKS _SplayParent; \ - PRTL_SPLAY_LINKS _SplayChild; \ - _SplayParent = (PRTL_SPLAY_LINKS)(ParentLinks); \ - _SplayChild = (PRTL_SPLAY_LINKS)(ChildLinks); \ - _SplayParent->RightChild = _SplayChild; \ - _SplayChild->Parent = _SplayParent; \ - } - - NTSYSAPI - PRTL_SPLAY_LINKS - NTAPI - RtlSplay( - _Inout_ PRTL_SPLAY_LINKS Links); - - NTSYSAPI - PRTL_SPLAY_LINKS - NTAPI - RtlDelete( - _In_ PRTL_SPLAY_LINKS Links); - - NTSYSAPI - VOID - NTAPI - RtlDeleteNoSplay( - _In_ PRTL_SPLAY_LINKS Links, - _Inout_ PRTL_SPLAY_LINKS *Root); - - _Check_return_ - NTSYSAPI - PRTL_SPLAY_LINKS - NTAPI - RtlSubtreeSuccessor( - _In_ PRTL_SPLAY_LINKS Links); - - _Check_return_ - NTSYSAPI - PRTL_SPLAY_LINKS - NTAPI - RtlSubtreePredecessor( - _In_ PRTL_SPLAY_LINKS Links); - - _Check_return_ - NTSYSAPI - PRTL_SPLAY_LINKS - NTAPI - RtlRealSuccessor( - _In_ PRTL_SPLAY_LINKS Links); - - _Check_return_ - NTSYSAPI - PRTL_SPLAY_LINKS - NTAPI - RtlRealPredecessor( - _In_ PRTL_SPLAY_LINKS Links); - - struct _RTL_GENERIC_TABLE; - - typedef RTL_GENERIC_COMPARE_RESULTS(NTAPI *PRTL_GENERIC_COMPARE_ROUTINE)( - _In_ struct _RTL_GENERIC_TABLE *Table, - _In_ PVOID FirstStruct, - _In_ PVOID SecondStruct); - - typedef PVOID(NTAPI *PRTL_GENERIC_ALLOCATE_ROUTINE)( - _In_ struct _RTL_GENERIC_TABLE *Table, - _In_ CLONG ByteSize); - - typedef VOID(NTAPI *PRTL_GENERIC_FREE_ROUTINE)( - _In_ struct _RTL_GENERIC_TABLE *Table, - _In_ _Post_invalid_ PVOID Buffer); - - typedef struct _RTL_GENERIC_TABLE - { - PRTL_SPLAY_LINKS TableRoot; - LIST_ENTRY 
InsertOrderList; - PLIST_ENTRY OrderedPointer; - ULONG WhichOrderedElement; - ULONG NumberGenericTableElements; - PRTL_GENERIC_COMPARE_ROUTINE CompareRoutine; - PRTL_GENERIC_ALLOCATE_ROUTINE AllocateRoutine; - PRTL_GENERIC_FREE_ROUTINE FreeRoutine; - PVOID TableContext; - } RTL_GENERIC_TABLE, *PRTL_GENERIC_TABLE; - - NTSYSAPI - VOID - NTAPI - RtlInitializeGenericTable( - _Out_ PRTL_GENERIC_TABLE Table, - _In_ PRTL_GENERIC_COMPARE_ROUTINE CompareRoutine, - _In_ PRTL_GENERIC_ALLOCATE_ROUTINE AllocateRoutine, - _In_ PRTL_GENERIC_FREE_ROUTINE FreeRoutine, - _In_opt_ PVOID TableContext); - - NTSYSAPI - PVOID - NTAPI - RtlInsertElementGenericTable( - _In_ PRTL_GENERIC_TABLE Table, - _In_reads_bytes_(BufferSize) PVOID Buffer, - _In_ CLONG BufferSize, - _Out_opt_ PBOOLEAN NewElement); - - NTSYSAPI - PVOID - NTAPI - RtlInsertElementGenericTableFull( - _In_ PRTL_GENERIC_TABLE Table, - _In_reads_bytes_(BufferSize) PVOID Buffer, - _In_ CLONG BufferSize, - _Out_opt_ PBOOLEAN NewElement, - _In_ PVOID NodeOrParent, - _In_ TABLE_SEARCH_RESULT SearchResult); - - NTSYSAPI - BOOLEAN - NTAPI - RtlDeleteElementGenericTable( - _In_ PRTL_GENERIC_TABLE Table, - _In_ PVOID Buffer); - - _Check_return_ - NTSYSAPI - PVOID - NTAPI - RtlLookupElementGenericTable( - _In_ PRTL_GENERIC_TABLE Table, - _In_ PVOID Buffer); - - NTSYSAPI - PVOID - NTAPI - RtlLookupElementGenericTableFull( - _In_ PRTL_GENERIC_TABLE Table, - _In_ PVOID Buffer, - _Out_ PVOID *NodeOrParent, - _Out_ TABLE_SEARCH_RESULT *SearchResult); - - _Check_return_ - NTSYSAPI - PVOID - NTAPI - RtlEnumerateGenericTable( - _In_ PRTL_GENERIC_TABLE Table, - _In_ BOOLEAN Restart); - - _Check_return_ - NTSYSAPI - PVOID - NTAPI - RtlEnumerateGenericTableWithoutSplaying( - _In_ PRTL_GENERIC_TABLE Table, - _Inout_ PVOID *RestartKey); - - _Check_return_ - NTSYSAPI - PVOID - NTAPI - RtlGetElementGenericTable( - _In_ PRTL_GENERIC_TABLE Table, - _In_ ULONG I); - - NTSYSAPI - ULONG - NTAPI - RtlNumberGenericTableElements( - _In_ PRTL_GENERIC_TABLE 
Table); - - _Check_return_ - NTSYSAPI - BOOLEAN - NTAPI - RtlIsGenericTableEmpty( - _In_ PRTL_GENERIC_TABLE Table); - - // RB trees - - typedef struct _RTL_RB_TREE - { - PRTL_BALANCED_NODE Root; - PRTL_BALANCED_NODE Min; - } RTL_RB_TREE, *PRTL_RB_TREE; - -#if (PHNT_VERSION >= PHNT_WIN8) - - // rev - NTSYSAPI - BOOLEAN - NTAPI - RtlRbInsertNodeEx( - _In_ PRTL_RB_TREE Tree, - _In_opt_ PRTL_BALANCED_NODE Parent, - _In_ BOOLEAN Right, - _Out_ PRTL_BALANCED_NODE Node); - - // rev - NTSYSAPI - BOOLEAN - NTAPI - RtlRbRemoveNode( - _In_ PRTL_RB_TREE Tree, - _In_ PRTL_BALANCED_NODE Node); -#endif - -#if (PHNT_VERSION >= PHNT_WIN11) - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlCompareExchangePointerMapping( - _In_ PRTL_BALANCED_NODE Node1, - _In_ PRTL_BALANCED_NODE Node2, - _Out_ PRTL_BALANCED_NODE *Node3, - _Out_ PRTL_BALANCED_NODE *Node4); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlQueryPointerMapping( - _In_ PRTL_RB_TREE Tree, - _Inout_ PRTL_BALANCED_NODE Children); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlRemovePointerMapping( - _In_ PRTL_RB_TREE Tree, - _Inout_ PRTL_BALANCED_NODE Children); -#endif - - // Hash tables - - // begin_ntddk - -#define RTL_HASH_ALLOCATED_HEADER 0x00000001 -#define RTL_HASH_RESERVED_SIGNATURE 0 - - typedef struct _RTL_DYNAMIC_HASH_TABLE_ENTRY - { - LIST_ENTRY Linkage; - ULONG_PTR Signature; - } RTL_DYNAMIC_HASH_TABLE_ENTRY, *PRTL_DYNAMIC_HASH_TABLE_ENTRY; - -#define HASH_ENTRY_KEY(x) ((x)->Signature) - - typedef struct _RTL_DYNAMIC_HASH_TABLE_CONTEXT - { - PLIST_ENTRY ChainHead; - PLIST_ENTRY PrevLinkage; - ULONG_PTR Signature; - } RTL_DYNAMIC_HASH_TABLE_CONTEXT, *PRTL_DYNAMIC_HASH_TABLE_CONTEXT; - - typedef struct _RTL_DYNAMIC_HASH_TABLE_ENUMERATOR - { - RTL_DYNAMIC_HASH_TABLE_ENTRY HashEntry; - PLIST_ENTRY ChainHead; - ULONG BucketIndex; - } RTL_DYNAMIC_HASH_TABLE_ENUMERATOR, *PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR; - - typedef struct _RTL_DYNAMIC_HASH_TABLE - { - // Entries initialized at creation. 
- ULONG Flags; - ULONG Shift; - - // Entries used in bucket computation. - ULONG TableSize; - ULONG Pivot; - ULONG DivisorMask; - - // Counters. - ULONG NumEntries; - ULONG NonEmptyBuckets; - ULONG NumEnumerators; - - // The directory. This field is for internal use only. - PVOID Directory; - } RTL_DYNAMIC_HASH_TABLE, *PRTL_DYNAMIC_HASH_TABLE; - -#if (PHNT_VERSION >= PHNT_WIN7) - - FORCEINLINE - VOID - RtlInitHashTableContext( - _Inout_ PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context) - { - Context->ChainHead = NULL; - Context->PrevLinkage = NULL; - } - - FORCEINLINE - VOID - RtlInitHashTableContextFromEnumerator( - _Inout_ PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context, - _In_ PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator) - { - Context->ChainHead = Enumerator->ChainHead; - Context->PrevLinkage = Enumerator->HashEntry.Linkage.Blink; - } - - FORCEINLINE - VOID - RtlReleaseHashTableContext( - _Inout_ PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context) - { - UNREFERENCED_PARAMETER(Context); - return; - } - - FORCEINLINE - ULONG - RtlTotalBucketsHashTable( - _In_ PRTL_DYNAMIC_HASH_TABLE HashTable) - { - return HashTable->TableSize; - } - - FORCEINLINE - ULONG - RtlNonEmptyBucketsHashTable( - _In_ PRTL_DYNAMIC_HASH_TABLE HashTable) - { - return HashTable->NonEmptyBuckets; - } - - FORCEINLINE - ULONG - RtlEmptyBucketsHashTable( - _In_ PRTL_DYNAMIC_HASH_TABLE HashTable) - { - return HashTable->TableSize - HashTable->NonEmptyBuckets; - } - - FORCEINLINE - ULONG - RtlTotalEntriesHashTable( - _In_ PRTL_DYNAMIC_HASH_TABLE HashTable) - { - return HashTable->NumEntries; - } - - FORCEINLINE - ULONG - RtlActiveEnumeratorsHashTable( - _In_ PRTL_DYNAMIC_HASH_TABLE HashTable) - { - return HashTable->NumEnumerators; - } - - _Must_inspect_result_ - NTSYSAPI - BOOLEAN - NTAPI - RtlCreateHashTable( - _Inout_ _When_(*HashTable == NULL, __drv_allocatesMem(Mem)) PRTL_DYNAMIC_HASH_TABLE *HashTable, - _In_ ULONG Shift, - _In_ _Reserved_ ULONG Flags); - - _Must_inspect_result_ - _Success_(return != 0) - NTSYSAPI - 
BOOLEAN - NTAPI - RtlCreateHashTableEx( - _Inout_ _When_(NULL == *HashTable, _At_(*HashTable, __drv_allocatesMem(Mem))) PRTL_DYNAMIC_HASH_TABLE *HashTable, - _In_ ULONG InitialSize, - _In_ ULONG Shift, - _Reserved_ ULONG Flags); - - NTSYSAPI - LOGICAL - NTAPI - RtlDeleteHashTable( - _In_ PRTL_DYNAMIC_HASH_TABLE HashTable); - - NTSYSAPI - BOOLEAN - NTAPI - RtlInsertEntryHashTable( - _In_ PRTL_DYNAMIC_HASH_TABLE HashTable, - _In_ PRTL_DYNAMIC_HASH_TABLE_ENTRY Entry, - _In_ ULONG_PTR Signature, - _Inout_opt_ PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context); - - NTSYSAPI - BOOLEAN - NTAPI - RtlRemoveEntryHashTable( - _In_ PRTL_DYNAMIC_HASH_TABLE HashTable, - _In_ PRTL_DYNAMIC_HASH_TABLE_ENTRY Entry, - _Inout_opt_ PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context); - - _Must_inspect_result_ - NTSYSAPI - PRTL_DYNAMIC_HASH_TABLE_ENTRY - NTAPI - RtlLookupEntryHashTable( - _In_ PRTL_DYNAMIC_HASH_TABLE HashTable, - _In_ ULONG_PTR Signature, - _Out_opt_ PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context); - - _Must_inspect_result_ - NTSYSAPI - PRTL_DYNAMIC_HASH_TABLE_ENTRY - NTAPI - RtlGetNextEntryHashTable( - _In_ PRTL_DYNAMIC_HASH_TABLE HashTable, - _In_ PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context); - - NTSYSAPI - BOOLEAN - NTAPI - RtlInitEnumerationHashTable( - _In_ PRTL_DYNAMIC_HASH_TABLE HashTable, - _Out_ PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator); - - _Must_inspect_result_ - NTSYSAPI - PRTL_DYNAMIC_HASH_TABLE_ENTRY - NTAPI - RtlEnumerateEntryHashTable( - _In_ PRTL_DYNAMIC_HASH_TABLE HashTable, - _Inout_ PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator); - - NTSYSAPI - VOID - NTAPI - RtlEndEnumerationHashTable( - _In_ PRTL_DYNAMIC_HASH_TABLE HashTable, - _Inout_ PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator); - - NTSYSAPI - BOOLEAN - NTAPI - RtlInitWeakEnumerationHashTable( - _In_ PRTL_DYNAMIC_HASH_TABLE HashTable, - _Out_ PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator); - - _Must_inspect_result_ - NTSYSAPI - PRTL_DYNAMIC_HASH_TABLE_ENTRY - NTAPI - RtlWeaklyEnumerateEntryHashTable( - _In_ 
PRTL_DYNAMIC_HASH_TABLE HashTable, - _Inout_ PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator); - - NTSYSAPI - VOID - NTAPI - RtlEndWeakEnumerationHashTable( - _In_ PRTL_DYNAMIC_HASH_TABLE HashTable, - _Inout_ PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator); - - NTSYSAPI - BOOLEAN - NTAPI - RtlExpandHashTable( - _In_ PRTL_DYNAMIC_HASH_TABLE HashTable); - - NTSYSAPI - BOOLEAN - NTAPI - RtlContractHashTable( - _In_ PRTL_DYNAMIC_HASH_TABLE HashTable); - -#endif - -#if (PHNT_VERSION >= PHNT_THRESHOLD) - - NTSYSAPI - BOOLEAN - NTAPI - RtlInitStrongEnumerationHashTable( - _In_ PRTL_DYNAMIC_HASH_TABLE HashTable, - _Out_ PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator); - - _Must_inspect_result_ - NTSYSAPI - PRTL_DYNAMIC_HASH_TABLE_ENTRY - NTAPI - RtlStronglyEnumerateEntryHashTable( - _In_ PRTL_DYNAMIC_HASH_TABLE HashTable, - _Inout_ PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator); - - NTSYSAPI - VOID - NTAPI - RtlEndStrongEnumerationHashTable( - _In_ PRTL_DYNAMIC_HASH_TABLE HashTable, - _Inout_ PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator); - -#endif - -// end_ntddk - -// -// Critical sections -// - -// These flags define the upper byte of the critical section SpinCount field -#define RTL_CRITICAL_SECTION_FLAG_NO_DEBUG_INFO 0x01000000 -#define RTL_CRITICAL_SECTION_FLAG_DYNAMIC_SPIN 0x02000000 -#define RTL_CRITICAL_SECTION_FLAG_STATIC_INIT 0x04000000 -#define RTL_CRITICAL_SECTION_FLAG_RESOURCE_TYPE 0x08000000 -#define RTL_CRITICAL_SECTION_FLAG_FORCE_DEBUG_INFO 0x10000000 -#define RTL_CRITICAL_SECTION_ALL_FLAG_BITS 0xFF000000 -#define RTL_CRITICAL_SECTION_FLAG_RESERVED (RTL_CRITICAL_SECTION_ALL_FLAG_BITS & (~(RTL_CRITICAL_SECTION_FLAG_NO_DEBUG_INFO | RTL_CRITICAL_SECTION_FLAG_DYNAMIC_SPIN | RTL_CRITICAL_SECTION_FLAG_STATIC_INIT | RTL_CRITICAL_SECTION_FLAG_RESOURCE_TYPE | RTL_CRITICAL_SECTION_FLAG_FORCE_DEBUG_INFO))) -// These flags define possible values stored in the Flags field of a critsec debuginfo. 
-#define RTL_CRITICAL_SECTION_DEBUG_FLAG_STATIC_INIT 0x00000001 - - // typedef struct _RTL_CRITICAL_SECTION_DEBUG - // { - // USHORT Type; - // USHORT CreatorBackTraceIndex; - // struct _RTL_CRITICAL_SECTION *CriticalSection; - // LIST_ENTRY ProcessLocksList; - // ULONG EntryCount; - // ULONG ContentionCount; - // ULONG Flags; - // USHORT CreatorBackTraceIndexHigh; - // USHORT Identifier; - // } RTL_CRITICAL_SECTION_DEBUG, *PRTL_CRITICAL_SECTION_DEBUG, RTL_RESOURCE_DEBUG, *PRTL_RESOURCE_DEBUG; - // - // #pragma pack(push, 8) - // typedef struct _RTL_CRITICAL_SECTION - // { - // PRTL_CRITICAL_SECTION_DEBUG DebugInfo; - // LONG LockCount; - // LONG RecursionCount; - // HANDLE OwningThread; - // HANDLE LockSemaphore; - // SIZE_T SpinCount; - // } RTL_CRITICAL_SECTION, *PRTL_CRITICAL_SECTION; - // #pragma pack(pop) - - NTSYSAPI - NTSTATUS - NTAPI - RtlInitializeCriticalSection( - _Out_ PRTL_CRITICAL_SECTION CriticalSection); - - NTSYSAPI - NTSTATUS - NTAPI - RtlInitializeCriticalSectionAndSpinCount( - _Inout_ PRTL_CRITICAL_SECTION CriticalSection, - _In_ ULONG SpinCount); - - NTSYSAPI - NTSTATUS - NTAPI - RtlInitializeCriticalSectionEx( - _Out_ PRTL_CRITICAL_SECTION CriticalSection, - _In_ ULONG SpinCount, - _In_ ULONG Flags); - - NTSYSAPI - NTSTATUS - NTAPI - RtlDeleteCriticalSection( - _Inout_ PRTL_CRITICAL_SECTION CriticalSection); - - _Acquires_exclusive_lock_(*CriticalSection) - NTSYSAPI - NTSTATUS - NTAPI - RtlEnterCriticalSection( - _Inout_ PRTL_CRITICAL_SECTION CriticalSection); - - _Releases_exclusive_lock_(*CriticalSection) - NTSYSAPI - NTSTATUS - NTAPI - RtlLeaveCriticalSection( - _Inout_ PRTL_CRITICAL_SECTION CriticalSection); - - _When_(return != 0, _Acquires_exclusive_lock_(*CriticalSection)) - NTSYSAPI - LOGICAL - NTAPI - RtlTryEnterCriticalSection( - _Inout_ PRTL_CRITICAL_SECTION CriticalSection); - - NTSYSAPI - LOGICAL - NTAPI - RtlIsCriticalSectionLocked( - _In_ PRTL_CRITICAL_SECTION CriticalSection); - - NTSYSAPI - LOGICAL - NTAPI - 
RtlIsCriticalSectionLockedByThread( - _In_ PRTL_CRITICAL_SECTION CriticalSection); - - NTSYSAPI - ULONG - NTAPI - RtlGetCriticalSectionRecursionCount( - _In_ PRTL_CRITICAL_SECTION CriticalSection); - - NTSYSAPI - ULONG - NTAPI - RtlSetCriticalSectionSpinCount( - _Inout_ PRTL_CRITICAL_SECTION CriticalSection, - _In_ ULONG SpinCount); - -#if (PHNT_VERSION >= PHNT_VISTA) - // private - NTSYSAPI - HANDLE - NTAPI - RtlQueryCriticalSectionOwner( - _In_ HANDLE EventHandle); -#endif - - NTSYSAPI - VOID - NTAPI - RtlCheckForOrphanedCriticalSections( - _In_ HANDLE ThreadHandle); - - /** - * Enables the creation of early critical section events. - * - * This function allows the system to create critical section events early in the process - * initialization. It is typically used to ensure that critical sections are properly - * initialized and can be used safely during the early stages of process startup. - * @remarks This function sets the FLG_CRITSEC_EVENT_CREATION flag in the PEB flags field. - * @return A pointer to the Process Environment Block (PEB). 
- */ - NTSYSAPI - PPEB - NTAPI - RtlEnableEarlyCriticalSectionEventCreation( - VOID); - - // Resources - - typedef struct _RTL_RESOURCE - { - RTL_CRITICAL_SECTION CriticalSection; - - HANDLE SharedSemaphore; - volatile ULONG NumberOfWaitingShared; - HANDLE ExclusiveSemaphore; - volatile ULONG NumberOfWaitingExclusive; - - volatile LONG NumberOfActive; // negative: exclusive acquire; zero: not acquired; positive: shared acquire(s) - HANDLE ExclusiveOwnerThread; - - ULONG Flags; // RTL_RESOURCE_FLAG_* - - PRTL_RESOURCE_DEBUG DebugInfo; - } RTL_RESOURCE, *PRTL_RESOURCE; - -#define RTL_RESOURCE_FLAG_LONG_TERM ((ULONG)0x00000001) - - NTSYSAPI - VOID - NTAPI - RtlInitializeResource( - _Out_ PRTL_RESOURCE Resource); - - NTSYSAPI - VOID - NTAPI - RtlDeleteResource( - _Inout_ PRTL_RESOURCE Resource); - - NTSYSAPI - BOOLEAN - NTAPI - RtlAcquireResourceShared( - _Inout_ PRTL_RESOURCE Resource, - _In_ BOOLEAN Wait); - - NTSYSAPI - BOOLEAN - NTAPI - RtlAcquireResourceExclusive( - _Inout_ PRTL_RESOURCE Resource, - _In_ BOOLEAN Wait); - - NTSYSAPI - VOID - NTAPI - RtlReleaseResource( - _Inout_ PRTL_RESOURCE Resource); - - NTSYSAPI - VOID - NTAPI - RtlConvertSharedToExclusive( - _Inout_ PRTL_RESOURCE Resource); - - NTSYSAPI - VOID - NTAPI - RtlConvertExclusiveToShared( - _Inout_ PRTL_RESOURCE Resource); - - NTSYSAPI - ULONG - NTAPI - RtlDumpResource( - _Inout_ PRTL_RESOURCE Resource); - - // Slim reader-writer locks, condition variables, and barriers - -#if (PHNT_VERSION >= PHNT_VISTA) - - // winbase:InitializeSRWLock - NTSYSAPI - VOID - NTAPI - RtlInitializeSRWLock( - _Out_ PRTL_SRWLOCK SRWLock); - - // winbase:AcquireSRWLockExclusive - _Acquires_exclusive_lock_(*SRWLock) - NTSYSAPI - VOID - NTAPI - RtlAcquireSRWLockExclusive( - _Inout_ PRTL_SRWLOCK SRWLock); - - // winbase:AcquireSRWLockShared - _Acquires_shared_lock_(*SRWLock) - NTSYSAPI - VOID - NTAPI - RtlAcquireSRWLockShared( - _Inout_ PRTL_SRWLOCK SRWLock); - - // winbase:ReleaseSRWLockExclusive - 
_Releases_exclusive_lock_(*SRWLock) - NTSYSAPI - VOID - NTAPI - RtlReleaseSRWLockExclusive( - _Inout_ PRTL_SRWLOCK SRWLock); - - // winbase:ReleaseSRWLockShared - _Releases_shared_lock_(*SRWLock) - NTSYSAPI - VOID - NTAPI - RtlReleaseSRWLockShared( - _Inout_ PRTL_SRWLOCK SRWLock); - - // winbase:TryAcquireSRWLockExclusive - _When_(return != 0, _Acquires_exclusive_lock_(*SRWLock)) - NTSYSAPI - BOOLEAN - NTAPI - RtlTryAcquireSRWLockExclusive( - _Inout_ PRTL_SRWLOCK SRWLock); - - // winbase:TryAcquireSRWLockShared - _When_(return != 0, _Acquires_shared_lock_(*SRWLock)) - NTSYSAPI - BOOLEAN - NTAPI - RtlTryAcquireSRWLockShared( - _Inout_ PRTL_SRWLOCK SRWLock); - -#if (PHNT_VERSION >= PHNT_WIN7) - // rev - NTSYSAPI - VOID - NTAPI - RtlAcquireReleaseSRWLockExclusive( - _Inout_ PRTL_SRWLOCK SRWLock); -#endif - -#if (PHNT_VERSION >= PHNT_WIN10) - // rev - NTSYSAPI - BOOLEAN - NTAPI - RtlConvertSRWLockExclusiveToShared( - _Inout_ PRTL_SRWLOCK SRWLock); -#endif - - // - // Read-Copy Update. - // - // RCU synchronization allows concurrent access to shared data structures, - // such as linked lists, trees, or hash tables, without using traditional locking methods - // in scenarios where read operations are frequent and need to be fast. - // @remarks RCU synchronization is not for general-purpose synchronization. - // Teb->Rcu is used to store the RCU state. 
- - NTSYSAPI - PVOID - NTAPI - RtlRcuAllocate( - _In_ SIZE_T Size); - - NTSYSAPI - LOGICAL - NTAPI - RtlRcuFree( - _In_ PULONG Rcu); - - NTSYSAPI - VOID - NTAPI - RtlRcuReadLock( - _Inout_ PRTL_SRWLOCK SRWLock, - _Out_ PULONG Rcu); - - NTSYSAPI - VOID - NTAPI - RtlRcuReadUnlock( - _Inout_ PRTL_SRWLOCK SRWLock, - _Inout_ PULONG *Rcu); - - NTSYSAPI - LONG - NTAPI - RtlRcuSynchronize( - _Inout_ PRTL_SRWLOCK SRWLock); - -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - -#define RTL_CONDITION_VARIABLE_INIT {0} -#define RTL_CONDITION_VARIABLE_LOCKMODE_SHARED 0x1 - - // winbase:InitializeConditionVariable - NTSYSAPI - VOID - NTAPI - RtlInitializeConditionVariable( - _Out_ PRTL_CONDITION_VARIABLE ConditionVariable); - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlSleepConditionVariableCS( - _Inout_ PRTL_CONDITION_VARIABLE ConditionVariable, - _Inout_ PRTL_CRITICAL_SECTION CriticalSection, - _In_opt_ PLARGE_INTEGER Timeout); - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlSleepConditionVariableSRW( - _Inout_ PRTL_CONDITION_VARIABLE ConditionVariable, - _Inout_ PRTL_SRWLOCK SRWLock, - _In_opt_ PLARGE_INTEGER Timeout, - _In_ ULONG Flags); - - // winbase:WakeConditionVariable - NTSYSAPI - VOID - NTAPI - RtlWakeConditionVariable( - _Inout_ PRTL_CONDITION_VARIABLE ConditionVariable); - - // winbase:WakeAllConditionVariable - NTSYSAPI - VOID - NTAPI - RtlWakeAllConditionVariable( - _Inout_ PRTL_CONDITION_VARIABLE ConditionVariable); - -#endif - -// begin_rev -#define RTL_BARRIER_FLAGS_SPIN_ONLY 0x00000001 // never block on event - always spin -#define RTL_BARRIER_FLAGS_BLOCK_ONLY 0x00000002 // always block on event - never spin -#define RTL_BARRIER_FLAGS_NO_DELETE 0x00000004 // use if barrier will never be deleted - // end_rev - - // begin_private - -#if (PHNT_VERSION >= PHNT_VISTA) - - NTSYSAPI - NTSTATUS - NTAPI - RtlInitBarrier( - _Out_ PRTL_BARRIER Barrier, - _In_ ULONG TotalThreads, - _In_ ULONG SpinCount); - - NTSYSAPI - NTSTATUS - NTAPI - RtlDeleteBarrier( - _In_ 
PRTL_BARRIER Barrier); - - NTSYSAPI - BOOLEAN - NTAPI - RtlBarrier( - _Inout_ PRTL_BARRIER Barrier, - _In_ ULONG Flags); - - NTSYSAPI - BOOLEAN - NTAPI - RtlBarrierForDelete( - _Inout_ PRTL_BARRIER Barrier, - _In_ ULONG Flags); - -#endif - - // end_private - - // Wait on address - - // begin_rev - -#if (PHNT_VERSION >= PHNT_WIN8) - - NTSYSAPI - NTSTATUS - NTAPI - RtlWaitOnAddress( - _In_reads_bytes_(AddressSize) volatile VOID *Address, - _In_reads_bytes_(AddressSize) PVOID CompareAddress, - _In_ SIZE_T AddressSize, - _In_opt_ PLARGE_INTEGER Timeout); - - NTSYSAPI - VOID - NTAPI - RtlWakeAddressAll( - _In_ PVOID Address); - - NTSYSAPI - VOID - NTAPI - RtlWakeAddressAllNoFence( - _In_ PVOID Address); - - NTSYSAPI - VOID - NTAPI - RtlWakeAddressSingle( - _In_ PVOID Address); - - NTSYSAPI - VOID - NTAPI - RtlWakeAddressSingleNoFence( - _In_ PVOID Address); - -#endif - - // end_rev - - // Strings - - FORCEINLINE - VOID - NTAPI - RtlInitEmptyAnsiString( - _Out_ PANSI_STRING AnsiString, - _Pre_maybenull_ _Pre_readable_size_(MaximumLength) PCHAR Buffer, - _In_ USHORT MaximumLength) - { - memset(AnsiString, 0, sizeof(ANSI_STRING)); - AnsiString->MaximumLength = MaximumLength; - AnsiString->Buffer = Buffer; - } - -#ifndef PHNT_NO_INLINE_INIT_STRING - FORCEINLINE VOID RtlInitString( - _Out_ PSTRING DestinationString, - _In_opt_z_ PCSTR SourceString) - { - if (SourceString) - DestinationString->MaximumLength = (DestinationString->Length = (USHORT)strlen(SourceString)) + sizeof(ANSI_NULL); - else - DestinationString->MaximumLength = DestinationString->Length = 0; - - DestinationString->Buffer = (PCHAR)SourceString; - } -#else - NTSYSAPI - VOID - NTAPI - RtlInitString( - _Out_ PSTRING DestinationString, - _In_opt_z_ PCSTR SourceString); -#endif - -#if (PHNT_VERSION >= PHNT_THRESHOLD) - NTSYSAPI - NTSTATUS - NTAPI - RtlInitStringEx( - _Out_ PSTRING DestinationString, - _In_opt_z_ PCSZ SourceString); -#endif - -#ifndef PHNT_NO_INLINE_INIT_STRING - FORCEINLINE VOID 
RtlInitAnsiString( - _Out_ PANSI_STRING DestinationString, - _In_opt_z_ PCSTR SourceString) - { - if (SourceString) - DestinationString->MaximumLength = (DestinationString->Length = (USHORT)strlen(SourceString)) + sizeof(ANSI_NULL); - else - DestinationString->MaximumLength = DestinationString->Length = 0; - - DestinationString->Buffer = (PCHAR)SourceString; - } -#else - NTSYSAPI - VOID - NTAPI - RtlInitAnsiString( - _Out_ PANSI_STRING DestinationString, - _In_opt_z_ PCSTR SourceString); -#endif - -#if (PHNT_VERSION >= PHNT_WS03) - NTSYSAPI - NTSTATUS - NTAPI - RtlInitAnsiStringEx( - _Out_ PANSI_STRING DestinationString, - _In_opt_z_ PCSZ SourceString); -#endif - - NTSYSAPI - VOID - NTAPI - RtlFreeAnsiString( - _Inout_ _At_(AnsiString->Buffer, _Frees_ptr_opt_) PANSI_STRING AnsiString); - -#if (PHNT_VERSION >= PHNT_20H1) - NTSYSAPI - VOID - NTAPI - RtlInitUTF8String( - _Out_ PUTF8_STRING DestinationString, - _In_opt_z_ PCSZ SourceString); - - NTSYSAPI - NTSTATUS - NTAPI - RtlInitUTF8StringEx( - _Out_ PUTF8_STRING DestinationString, - _In_opt_z_ PCSZ SourceString); - - NTSYSAPI - VOID - NTAPI - RtlFreeUTF8String( - _Inout_ _At_(Utf8String->Buffer, _Frees_ptr_opt_) PUTF8_STRING Utf8String); -#endif - - NTSYSAPI - VOID - NTAPI - RtlFreeOemString( - _Inout_ POEM_STRING OemString); - - NTSYSAPI - VOID - NTAPI - RtlCopyString( - _In_ PSTRING DestinationString, - _In_opt_ PSTRING SourceString); - - NTSYSAPI - CHAR - NTAPI - RtlUpperChar( - _In_ CHAR Character); - - _Must_inspect_result_ - NTSYSAPI - LONG - NTAPI - RtlCompareString( - _In_ PSTRING String1, - _In_ PSTRING String2, - _In_ BOOLEAN CaseInSensitive); - - _Must_inspect_result_ - NTSYSAPI - BOOLEAN - NTAPI - RtlEqualString( - _In_ PSTRING String1, - _In_ PSTRING String2, - _In_ BOOLEAN CaseInSensitive); - - _Must_inspect_result_ - NTSYSAPI - BOOLEAN - NTAPI - RtlPrefixString( - _In_ PSTRING String1, - _In_ PSTRING String2, - _In_ BOOLEAN CaseInSensitive); - - NTSYSAPI - NTSTATUS - NTAPI - RtlAppendStringToString( 
- _Inout_ PSTRING Destination, - _In_ PSTRING Source); - - NTSYSAPI - NTSTATUS - NTAPI - RtlAppendAsciizToString( - _Inout_ PSTRING Destination, - _In_opt_z_ PCSTR Source); - - NTSYSAPI - VOID - NTAPI - RtlUpperString( - _Inout_ PSTRING DestinationString, - _In_ const STRING *SourceString); - - FORCEINLINE - BOOLEAN - RtlIsNullOrEmptyUnicodeString( - _In_opt_ PUNICODE_STRING String) - { - return !String || String->Length == 0; - } - - FORCEINLINE - VOID - NTAPI - RtlInitEmptyUnicodeString( - _Out_ PUNICODE_STRING DestinationString, - _Writable_bytes_(MaximumLength) _When_(MaximumLength != 0, _Notnull_) PWCHAR Buffer, - _In_ USHORT MaximumLength) - { - memset(DestinationString, 0, sizeof(UNICODE_STRING)); - DestinationString->MaximumLength = MaximumLength; - DestinationString->Buffer = Buffer; - } - -#ifndef PHNT_NO_INLINE_INIT_STRING - FORCEINLINE VOID RtlInitUnicodeString( - _Out_ PUNICODE_STRING DestinationString, - _In_opt_z_ PCWSTR SourceString) - { - if (SourceString) - DestinationString->MaximumLength = (DestinationString->Length = (USHORT)(wcslen(SourceString) * sizeof(WCHAR))) + sizeof(UNICODE_NULL); - else - DestinationString->MaximumLength = DestinationString->Length = 0; - - DestinationString->Buffer = (PWCH)SourceString; - } -#else - NTSYSAPI - VOID - NTAPI - RtlInitUnicodeString( - _Out_ PUNICODE_STRING DestinationString, - _In_opt_z_ PCWSTR SourceString); -#endif - -#ifndef PHNT_NO_INLINE_INIT_STRING - FORCEINLINE NTSTATUS RtlInitUnicodeStringEx( - _Out_ PUNICODE_STRING DestinationString, - _In_opt_z_ PCWSTR SourceString) - { - size_t stringLength; - - DestinationString->Length = 0; - DestinationString->Buffer = (PWCH)SourceString; - - if (!SourceString) - return STATUS_SUCCESS; - - stringLength = wcslen(SourceString); - - if (stringLength <= UNICODE_STRING_MAX_CHARS - 1) - { - DestinationString->Length = (USHORT)stringLength * sizeof(WCHAR); - DestinationString->MaximumLength = DestinationString->Length + sizeof(UNICODE_NULL); - return 
STATUS_SUCCESS; - } - - return STATUS_NAME_TOO_LONG; - } -#else - NTSYSAPI - NTSTATUS - NTAPI - RtlInitUnicodeStringEx( - _Out_ PUNICODE_STRING DestinationString, - _In_opt_z_ PCWSTR SourceString); -#endif - - _Success_(return != 0) - _Must_inspect_result_ - NTSYSAPI - BOOLEAN - NTAPI - RtlCreateUnicodeString( - _Out_ PUNICODE_STRING DestinationString, - _In_z_ PCWSTR SourceString); - - NTSYSAPI - BOOLEAN - NTAPI - RtlCreateUnicodeStringFromAsciiz( - _Out_ PUNICODE_STRING DestinationString, - _In_z_ PCSTR SourceString); - - NTSYSAPI - VOID - NTAPI - RtlFreeUnicodeString( - _Inout_ _At_(UnicodeString->Buffer, _Frees_ptr_opt_) PUNICODE_STRING UnicodeString); - -#define RTL_DUPLICATE_UNICODE_STRING_NULL_TERMINATE (0x00000001) -#define RTL_DUPLICATE_UNICODE_STRING_ALLOCATE_NULL_STRING (0x00000002) - - NTSYSAPI - NTSTATUS - NTAPI - RtlDuplicateUnicodeString( - _In_ ULONG Flags, - _In_ PUNICODE_STRING StringIn, - _Out_ PUNICODE_STRING StringOut); - - NTSYSAPI - VOID - NTAPI - RtlCopyUnicodeString( - _In_ PUNICODE_STRING DestinationString, - _In_opt_ PCUNICODE_STRING SourceString); - - NTSYSAPI - WCHAR - NTAPI - RtlUpcaseUnicodeChar( - _In_ WCHAR SourceCharacter); - - NTSYSAPI - WCHAR - NTAPI - RtlDowncaseUnicodeChar( - _In_ WCHAR SourceCharacter); - - _Must_inspect_result_ - NTSYSAPI - LONG - NTAPI - RtlCompareUnicodeString( - _In_ PUNICODE_STRING String1, - _In_ PUNICODE_STRING String2, - _In_ BOOLEAN CaseInSensitive); - -#if (PHNT_VERSION >= PHNT_VISTA) - _Must_inspect_result_ - NTSYSAPI - LONG - NTAPI - RtlCompareUnicodeStrings( - _In_reads_(String1Length) PCWCH String1, - _In_ SIZE_T String1Length, - _In_reads_(String2Length) PCWCH String2, - _In_ SIZE_T String2Length, - _In_ BOOLEAN CaseInSensitive); -#endif - - _Must_inspect_result_ - NTSYSAPI - BOOLEAN - NTAPI - RtlEqualUnicodeString( - _In_ PUNICODE_STRING String1, - _In_ PUNICODE_STRING String2, - _In_ BOOLEAN CaseInSensitive); - -#define HASH_STRING_ALGORITHM_DEFAULT 0 -#define HASH_STRING_ALGORITHM_X65599 1 
-#define HASH_STRING_ALGORITHM_INVALID 0xffffffff - - NTSYSAPI - NTSTATUS - NTAPI - RtlHashUnicodeString( - _In_ PUNICODE_STRING String, - _In_ BOOLEAN CaseInSensitive, - _In_ ULONG HashAlgorithm, - _Out_ PULONG HashValue); - - NTSYSAPI - NTSTATUS - NTAPI - RtlValidateUnicodeString( - _In_ ULONG Flags, - _In_ PUNICODE_STRING String); - - _Must_inspect_result_ - NTSYSAPI - BOOLEAN - NTAPI - RtlPrefixUnicodeString( - _In_ PUNICODE_STRING String1, - _In_ PUNICODE_STRING String2, - _In_ BOOLEAN CaseInSensitive); - -#if (PHNT_MODE == PHNT_MODE_KERNEL && PHNT_VERSION >= PHNT_THRESHOLD) - _Must_inspect_result_ - NTSYSAPI - BOOLEAN - NTAPI - RtlSuffixUnicodeString( - _In_ PUNICODE_STRING String1, - _In_ PUNICODE_STRING String2, - _In_ BOOLEAN CaseInSensitive); -#endif - -#if (PHNT_VERSION >= PHNT_THRESHOLD) - _Must_inspect_result_ - NTSYSAPI - PWCHAR - NTAPI - RtlFindUnicodeSubstring( - _In_ PUNICODE_STRING FullString, - _In_ PUNICODE_STRING SearchString, - _In_ BOOLEAN CaseInSensitive); -#endif - -#define RTL_FIND_CHAR_IN_UNICODE_STRING_START_AT_END 0x00000001 -#define RTL_FIND_CHAR_IN_UNICODE_STRING_COMPLEMENT_CHAR_SET 0x00000002 -#define RTL_FIND_CHAR_IN_UNICODE_STRING_CASE_INSENSITIVE 0x00000004 - - NTSYSAPI - NTSTATUS - NTAPI - RtlFindCharInUnicodeString( - _In_ ULONG Flags, - _In_ PUNICODE_STRING StringToSearch, - _In_ PUNICODE_STRING CharSet, - _Out_ PUSHORT NonInclusivePrefixLength); - - NTSYSAPI - NTSTATUS - NTAPI - RtlAppendUnicodeStringToString( - _Inout_ PUNICODE_STRING Destination, - _In_ PCUNICODE_STRING Source); - - NTSYSAPI - NTSTATUS - NTAPI - RtlAppendUnicodeToString( - _Inout_ PUNICODE_STRING Destination, - _In_opt_z_ PCWSTR Source); - - NTSYSAPI - NTSTATUS - NTAPI - RtlUpcaseUnicodeString( - _Inout_ PUNICODE_STRING DestinationString, - _In_ PUNICODE_STRING SourceString, - _In_ BOOLEAN AllocateDestinationString); - - NTSYSAPI - NTSTATUS - NTAPI - RtlDowncaseUnicodeString( - _Inout_ PUNICODE_STRING DestinationString, - _In_ PUNICODE_STRING SourceString, - 
_In_ BOOLEAN AllocateDestinationString); - - NTSYSAPI - VOID - NTAPI - RtlEraseUnicodeString( - _Inout_ PUNICODE_STRING String); - - NTSYSAPI - NTSTATUS - NTAPI - RtlAnsiStringToUnicodeString( - _Inout_ PUNICODE_STRING DestinationString, - _In_ PCANSI_STRING SourceString, - _In_ BOOLEAN AllocateDestinationString); - - NTSYSAPI - ULONG - NTAPI - RtlxAnsiStringToUnicodeSize( - _In_ PCANSI_STRING AnsiString); - - // NTSYSAPI - // ULONG - // NTAPI - // RtlAnsiStringToUnicodeSize( - // _In_ PCANSI_STRING AnsiString - // ); - -#define RtlAnsiStringToUnicodeSize(STRING) \ - RtlxAnsiStringToUnicodeSize(STRING) - - NTSYSAPI - NTSTATUS - NTAPI - RtlUnicodeStringToAnsiString( - _Inout_ PANSI_STRING DestinationString, - _In_ PUNICODE_STRING SourceString, - _In_ BOOLEAN AllocateDestinationString); - - // rev - NTSYSAPI - ULONG - NTAPI - RtlUnicodeStringToAnsiSize( - _In_ PUNICODE_STRING SourceString); - -#if (PHNT_VERSION >= PHNT_20H1) - NTSYSAPI - NTSTATUS - NTAPI - RtlUnicodeStringToUTF8String( - _Inout_ PUTF8_STRING DestinationString, - _In_ PCUNICODE_STRING SourceString, - _In_ BOOLEAN AllocateDestinationString); - - NTSYSAPI - NTSTATUS - NTAPI - RtlUTF8StringToUnicodeString( - _Inout_ PUNICODE_STRING DestinationString, - _In_ PUTF8_STRING SourceString, - _In_ BOOLEAN AllocateDestinationString); -#endif - - NTSYSAPI - WCHAR - NTAPI - RtlAnsiCharToUnicodeChar( - _Inout_ PUCHAR *SourceCharacter); - - NTSYSAPI - NTSTATUS - NTAPI - RtlUpcaseUnicodeStringToAnsiString( - _Inout_ PANSI_STRING DestinationString, - _In_ PUNICODE_STRING SourceString, - _In_ BOOLEAN AllocateDestinationString); - - NTSYSAPI - NTSTATUS - NTAPI - RtlOemStringToUnicodeString( - _Inout_ PUNICODE_STRING DestinationString, - _In_ POEM_STRING SourceString, - _In_ BOOLEAN AllocateDestinationString); - - NTSYSAPI - NTSTATUS - NTAPI - RtlUnicodeStringToOemString( - _Inout_ POEM_STRING DestinationString, - _In_ PUNICODE_STRING SourceString, - _In_ BOOLEAN AllocateDestinationString); - - NTSYSAPI - NTSTATUS - 
NTAPI - RtlUpcaseUnicodeStringToOemString( - _Inout_ POEM_STRING DestinationString, - _In_ PUNICODE_STRING SourceString, - _In_ BOOLEAN AllocateDestinationString); - - NTSYSAPI - NTSTATUS - NTAPI - RtlOemStringToCountedUnicodeString( - _Inout_ PUNICODE_STRING DestinationString, - _In_ PCOEM_STRING SourceString, - _In_ BOOLEAN AllocateDestinationString); - - NTSYSAPI - NTSTATUS - NTAPI - RtlUnicodeStringToCountedOemString( - _Inout_ POEM_STRING DestinationString, - _In_ PUNICODE_STRING SourceString, - _In_ BOOLEAN AllocateDestinationString); - - NTSYSAPI - NTSTATUS - NTAPI - RtlUpcaseUnicodeStringToCountedOemString( - _Inout_ POEM_STRING DestinationString, - _In_ PUNICODE_STRING SourceString, - _In_ BOOLEAN AllocateDestinationString); - - NTSYSAPI - NTSTATUS - NTAPI - RtlMultiByteToUnicodeN( - _Out_writes_bytes_to_(MaxBytesInUnicodeString, *BytesInUnicodeString) PWCH UnicodeString, - _In_ ULONG MaxBytesInUnicodeString, - _Out_opt_ PULONG BytesInUnicodeString, - _In_reads_bytes_(BytesInMultiByteString) PCSTR MultiByteString, - _In_ ULONG BytesInMultiByteString); - - NTSYSAPI - NTSTATUS - NTAPI - RtlMultiByteToUnicodeSize( - _Out_ PULONG BytesInUnicodeString, - _In_reads_bytes_(BytesInMultiByteString) PCSTR MultiByteString, - _In_ ULONG BytesInMultiByteString); - - NTSYSAPI - NTSTATUS - NTAPI - RtlUnicodeToMultiByteN( - _Out_writes_bytes_to_(MaxBytesInMultiByteString, *BytesInMultiByteString) PCHAR MultiByteString, - _In_ ULONG MaxBytesInMultiByteString, - _Out_opt_ PULONG BytesInMultiByteString, - _In_reads_bytes_(BytesInUnicodeString) PCWCH UnicodeString, - _In_ ULONG BytesInUnicodeString); - - NTSYSAPI - NTSTATUS - NTAPI - RtlUnicodeToMultiByteSize( - _Out_ PULONG BytesInMultiByteString, - _In_reads_bytes_(BytesInUnicodeString) PCWCH UnicodeString, - _In_ ULONG BytesInUnicodeString); - - NTSYSAPI - NTSTATUS - NTAPI - RtlUpcaseUnicodeToMultiByteN( - _Out_writes_bytes_to_(MaxBytesInMultiByteString, *BytesInMultiByteString) PCHAR MultiByteString, - _In_ ULONG 
MaxBytesInMultiByteString, - _Out_opt_ PULONG BytesInMultiByteString, - _In_reads_bytes_(BytesInUnicodeString) PCWCH UnicodeString, - _In_ ULONG BytesInUnicodeString); - - NTSYSAPI - NTSTATUS - NTAPI - RtlOemToUnicodeN( - _Out_writes_bytes_to_(MaxBytesInUnicodeString, *BytesInUnicodeString) PWSTR UnicodeString, - _In_ ULONG MaxBytesInUnicodeString, - _Out_opt_ PULONG BytesInUnicodeString, - _In_reads_bytes_(BytesInOemString) PCCH OemString, - _In_ ULONG BytesInOemString); - - NTSYSAPI - NTSTATUS - NTAPI - RtlUnicodeToOemN( - _Out_writes_bytes_to_(MaxBytesInOemString, *BytesInOemString) PCHAR OemString, - _In_ ULONG MaxBytesInOemString, - _Out_opt_ PULONG BytesInOemString, - _In_reads_bytes_(BytesInUnicodeString) PCWCH UnicodeString, - _In_ ULONG BytesInUnicodeString); - - NTSYSAPI - NTSTATUS - NTAPI - RtlUpcaseUnicodeToOemN( - _Out_writes_bytes_to_(MaxBytesInOemString, *BytesInOemString) PCHAR OemString, - _In_ ULONG MaxBytesInOemString, - _Out_opt_ PULONG BytesInOemString, - _In_reads_bytes_(BytesInUnicodeString) PCWCH UnicodeString, - _In_ ULONG BytesInUnicodeString); - - NTSYSAPI - NTSTATUS - NTAPI - RtlConsoleMultiByteToUnicodeN( - _Out_writes_bytes_to_(MaxBytesInUnicodeString, *BytesInUnicodeString) PWCH UnicodeString, - _In_ ULONG MaxBytesInUnicodeString, - _Out_opt_ PULONG BytesInUnicodeString, - _In_reads_bytes_(BytesInMultiByteString) PCCH MultiByteString, - _In_ ULONG BytesInMultiByteString, - _Out_ PULONG pdwSpecialChar); - -#if (PHNT_VERSION >= PHNT_WIN7) - NTSYSAPI - NTSTATUS - NTAPI - RtlUTF8ToUnicodeN( - _Out_writes_bytes_to_(UnicodeStringMaxByteCount, *UnicodeStringActualByteCount) PWSTR UnicodeStringDestination, - _In_ ULONG UnicodeStringMaxByteCount, - _Out_opt_ PULONG UnicodeStringActualByteCount, - _In_reads_bytes_(UTF8StringByteCount) PCCH UTF8StringSource, - _In_ ULONG UTF8StringByteCount); -#endif - -#if (PHNT_VERSION >= PHNT_WIN7) - NTSYSAPI - NTSTATUS - NTAPI - RtlUnicodeToUTF8N( - _Out_writes_bytes_to_(UTF8StringMaxByteCount, 
*UTF8StringActualByteCount) PCHAR UTF8StringDestination, - _In_ ULONG UTF8StringMaxByteCount, - _Out_opt_ PULONG UTF8StringActualByteCount, - _In_reads_bytes_(UnicodeStringByteCount) PCWCH UnicodeStringSource, - _In_ ULONG UnicodeStringByteCount); -#endif - - NTSYSAPI - NTSTATUS - NTAPI - RtlCustomCPToUnicodeN( - _In_ PCPTABLEINFO CustomCP, - _Out_writes_bytes_to_(MaxBytesInUnicodeString, *BytesInUnicodeString) PWCH UnicodeString, - _In_ ULONG MaxBytesInUnicodeString, - _Out_opt_ PULONG BytesInUnicodeString, - _In_reads_bytes_(BytesInCustomCPString) PCH CustomCPString, - _In_ ULONG BytesInCustomCPString); - - NTSYSAPI - NTSTATUS - NTAPI - RtlUnicodeToCustomCPN( - _In_ PCPTABLEINFO CustomCP, - _Out_writes_bytes_to_(MaxBytesInCustomCPString, *BytesInCustomCPString) PCH CustomCPString, - _In_ ULONG MaxBytesInCustomCPString, - _Out_opt_ PULONG BytesInCustomCPString, - _In_reads_bytes_(BytesInUnicodeString) PWCH UnicodeString, - _In_ ULONG BytesInUnicodeString); - - NTSYSAPI - NTSTATUS - NTAPI - RtlUpcaseUnicodeToCustomCPN( - _In_ PCPTABLEINFO CustomCP, - _Out_writes_bytes_to_(MaxBytesInCustomCPString, *BytesInCustomCPString) PCH CustomCPString, - _In_ ULONG MaxBytesInCustomCPString, - _Out_opt_ PULONG BytesInCustomCPString, - _In_reads_bytes_(BytesInUnicodeString) PWCH UnicodeString, - _In_ ULONG BytesInUnicodeString); - - NTSYSAPI - VOID - NTAPI - RtlInitCodePageTable( - _In_reads_z_(2) PUSHORT TableBase, - _Inout_ PCPTABLEINFO CodePageTable); - - NTSYSAPI - VOID - NTAPI - RtlInitNlsTables( - _In_ PUSHORT AnsiNlsBase, - _In_ PUSHORT OemNlsBase, - _In_ PUSHORT LanguageNlsBase, - _Out_ PNLSTABLEINFO TableInfo // PCPTABLEINFO? 
- ); - - NTSYSAPI - VOID - NTAPI - RtlResetRtlTranslations( - _In_ PNLSTABLEINFO TableInfo); - - NTSYSAPI - BOOLEAN - NTAPI - RtlIsTextUnicode( - _In_ PVOID Buffer, - _In_ ULONG Size, - _Inout_opt_ PULONG Result); - - typedef enum _RTL_NORM_FORM - { - NormOther = 0x0, - NormC = 0x1, - NormD = 0x2, - NormKC = 0x5, - NormKD = 0x6, - NormIdna = 0xd, - DisallowUnassigned = 0x100, - NormCDisallowUnassigned = 0x101, - NormDDisallowUnassigned = 0x102, - NormKCDisallowUnassigned = 0x105, - NormKDDisallowUnassigned = 0x106, - NormIdnaDisallowUnassigned = 0x10d - } RTL_NORM_FORM; - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSAPI - NTSTATUS - NTAPI - RtlNormalizeString( - _In_ ULONG NormForm, // RTL_NORM_FORM - _In_ PCWSTR SourceString, - _In_ LONG SourceStringLength, - _Out_writes_to_(*DestinationStringLength, *DestinationStringLength) PWSTR DestinationString, - _Inout_ PLONG DestinationStringLength); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSAPI - NTSTATUS - NTAPI - RtlIsNormalizedString( - _In_ ULONG NormForm, // RTL_NORM_FORM - _In_ PCWSTR SourceString, - _In_ LONG SourceStringLength, - _Out_ PBOOLEAN Normalized); -#endif - -#if (PHNT_VERSION >= PHNT_WIN7) - // ntifs:FsRtlIsNameInExpression - NTSYSAPI - BOOLEAN - NTAPI - RtlIsNameInExpression( - _In_ PUNICODE_STRING Expression, - _In_ PUNICODE_STRING Name, - _In_ BOOLEAN IgnoreCase, - _In_opt_ PWCH UpcaseTable); -#endif - -#if (PHNT_VERSION >= PHNT_REDSTONE4) - // rev - NTSYSAPI - BOOLEAN - NTAPI - RtlIsNameInUnUpcasedExpression( - _In_ PUNICODE_STRING Expression, - _In_ PUNICODE_STRING Name, - _In_ BOOLEAN IgnoreCase, - _In_opt_ PWCH UpcaseTable); -#endif - -#if (PHNT_VERSION >= PHNT_19H1) - NTSYSAPI - BOOLEAN - NTAPI - RtlDoesNameContainWildCards( - _In_ PUNICODE_STRING Expression); -#endif - - NTSYSAPI - BOOLEAN - NTAPI - RtlEqualDomainName( - _In_ PUNICODE_STRING String1, - _In_ PUNICODE_STRING String2); - - NTSYSAPI - BOOLEAN - NTAPI - RtlEqualComputerName( - _In_ PUNICODE_STRING String1, - _In_ PUNICODE_STRING 
String2); - - NTSYSAPI - NTSTATUS - NTAPI - RtlDnsHostNameToComputerName( - _Out_ PUNICODE_STRING ComputerNameString, - _In_ PUNICODE_STRING DnsHostNameString, - _In_ BOOLEAN AllocateComputerNameString); - - NTSYSAPI - NTSTATUS - NTAPI - RtlStringFromGUID( - _In_ PGUID Guid, - _Out_ PUNICODE_STRING GuidString); - -#if (PHNT_VERSION >= PHNT_WINBLUE) - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlStringFromGUIDEx( - _In_ PGUID Guid, - _Inout_ PUNICODE_STRING GuidString, - _In_ BOOLEAN AllocateGuidString); - -#endif - - NTSYSAPI - NTSTATUS - NTAPI - RtlGUIDFromString( - _In_ PUNICODE_STRING GuidString, - _Out_ PGUID Guid); - -#if (PHNT_VERSION >= PHNT_VISTA) - - NTSYSAPI - LONG - NTAPI - RtlCompareAltitudes( - _In_ PUNICODE_STRING Altitude1, - _In_ PUNICODE_STRING Altitude2); - - NTSYSAPI - NTSTATUS - NTAPI - RtlIdnToAscii( - _In_ ULONG Flags, - _In_ PCWSTR SourceString, - _In_ LONG SourceStringLength, - _Out_writes_to_(*DestinationStringLength, *DestinationStringLength) PWSTR DestinationString, - _Inout_ PLONG DestinationStringLength); - - NTSYSAPI - NTSTATUS - NTAPI - RtlIdnToUnicode( - _In_ ULONG Flags, - _In_ PCWSTR SourceString, - _In_ LONG SourceStringLength, - _Out_writes_to_(*DestinationStringLength, *DestinationStringLength) PWSTR DestinationString, - _Inout_ PLONG DestinationStringLength); - - NTSYSAPI - NTSTATUS - NTAPI - RtlIdnToNameprepUnicode( - _In_ ULONG Flags, - _In_ PCWSTR SourceString, - _In_ LONG SourceStringLength, - _Out_writes_to_(*DestinationStringLength, *DestinationStringLength) PWSTR DestinationString, - _Inout_ PLONG DestinationStringLength); - -#endif - - // Prefix - - typedef struct _PREFIX_TABLE_ENTRY - { - CSHORT NodeTypeCode; - CSHORT NameLength; - struct _PREFIX_TABLE_ENTRY *NextPrefixTree; - RTL_SPLAY_LINKS Links; - PSTRING Prefix; - } PREFIX_TABLE_ENTRY, *PPREFIX_TABLE_ENTRY; - - typedef struct _PREFIX_TABLE - { - CSHORT NodeTypeCode; - CSHORT NameLength; - PPREFIX_TABLE_ENTRY NextPrefixTree; - } PREFIX_TABLE, *PPREFIX_TABLE; - - 
NTSYSAPI - VOID - NTAPI - PfxInitialize( - _Out_ PPREFIX_TABLE PrefixTable); - - NTSYSAPI - BOOLEAN - NTAPI - PfxInsertPrefix( - _In_ PPREFIX_TABLE PrefixTable, - _In_ PSTRING Prefix, - _Out_ PPREFIX_TABLE_ENTRY PrefixTableEntry); - - NTSYSAPI - VOID - NTAPI - PfxRemovePrefix( - _In_ PPREFIX_TABLE PrefixTable, - _In_ PPREFIX_TABLE_ENTRY PrefixTableEntry); - - NTSYSAPI - PPREFIX_TABLE_ENTRY - NTAPI - PfxFindPrefix( - _In_ PPREFIX_TABLE PrefixTable, - _In_ PSTRING FullName); - - typedef struct _UNICODE_PREFIX_TABLE_ENTRY - { - CSHORT NodeTypeCode; - CSHORT NameLength; - struct _UNICODE_PREFIX_TABLE_ENTRY *NextPrefixTree; - struct _UNICODE_PREFIX_TABLE_ENTRY *CaseMatch; - RTL_SPLAY_LINKS Links; - PUNICODE_STRING Prefix; - } UNICODE_PREFIX_TABLE_ENTRY, *PUNICODE_PREFIX_TABLE_ENTRY; - - typedef struct _UNICODE_PREFIX_TABLE - { - CSHORT NodeTypeCode; - CSHORT NameLength; - PUNICODE_PREFIX_TABLE_ENTRY NextPrefixTree; - PUNICODE_PREFIX_TABLE_ENTRY LastNextEntry; - } UNICODE_PREFIX_TABLE, *PUNICODE_PREFIX_TABLE; - - NTSYSAPI - VOID - NTAPI - RtlInitializeUnicodePrefix( - _Out_ PUNICODE_PREFIX_TABLE PrefixTable); - - NTSYSAPI - BOOLEAN - NTAPI - RtlInsertUnicodePrefix( - _In_ PUNICODE_PREFIX_TABLE PrefixTable, - _In_ PUNICODE_STRING Prefix, - _Out_ PUNICODE_PREFIX_TABLE_ENTRY PrefixTableEntry); - - NTSYSAPI - VOID - NTAPI - RtlRemoveUnicodePrefix( - _In_ PUNICODE_PREFIX_TABLE PrefixTable, - _In_ PUNICODE_PREFIX_TABLE_ENTRY PrefixTableEntry); - - NTSYSAPI - PUNICODE_PREFIX_TABLE_ENTRY - NTAPI - RtlFindUnicodePrefix( - _In_ PUNICODE_PREFIX_TABLE PrefixTable, - _In_ PUNICODE_STRING FullName, - _In_ ULONG CaseInsensitiveIndex); - - NTSYSAPI - PUNICODE_PREFIX_TABLE_ENTRY - NTAPI - RtlNextUnicodePrefix( - _In_ PUNICODE_PREFIX_TABLE PrefixTable, - _In_ BOOLEAN Restart); - - // Compression - -#define COMPRESSION_FORMAT_NONE (0x0000) -#define COMPRESSION_FORMAT_DEFAULT (0x0001) -#define COMPRESSION_FORMAT_LZNT1 (0x0002) -#define COMPRESSION_FORMAT_XPRESS (0x0003) -#define 
COMPRESSION_FORMAT_XPRESS_HUFF (0x0004) -#define COMPRESSION_FORMAT_XP10 (0x0005) -#define COMPRESSION_FORMAT_LZ4 (0x0006) -#define COMPRESSION_FORMAT_DEFLATE (0x0007) -#define COMPRESSION_FORMAT_ZLIB (0x0008) -#define COMPRESSION_FORMAT_MAX (0x0008) - -#define COMPRESSION_ENGINE_STANDARD (0x0000) -#define COMPRESSION_ENGINE_MAXIMUM (0x0100) -#define COMPRESSION_ENGINE_HIBER (0x0200) -#define COMPRESSION_ENGINE_MAX (0x0200) - -#define COMPRESSION_FORMAT_MASK (0x00FF) -#define COMPRESSION_ENGINE_MASK (0xFF00) -#define COMPRESSION_FORMAT_ENGINE_MASK (COMPRESSION_FORMAT_MASK | COMPRESSION_ENGINE_MASK) - - typedef struct _COMPRESSED_DATA_INFO - { - // - // Code for the compression format (and engine) as - // defined in ntrtl.h. Note that COMPRESSION_FORMAT_NONE - // and COMPRESSION_FORMAT_DEFAULT are invalid if - // any of the described chunks are compressed. - // - - USHORT CompressionFormatAndEngine; - - // - // Since chunks and compression units are expected to be - // powers of 2 in size, we express then log2. So, for - // example (1 << ChunkShift) == ChunkSizeInBytes. The - // ClusterShift indicates how much space must be saved - // to successfully compress a compression unit - each - // successfully compressed compression unit must occupy - // at least one cluster less in bytes than an uncompressed - // compression unit. - // - - UCHAR CompressionUnitShift; - UCHAR ChunkShift; - UCHAR ClusterShift; - UCHAR Reserved; - - // - // This is the number of entries in the CompressedChunkSizes - // array. - // - - USHORT NumberOfChunks; - - // - // This is an array of the sizes of all chunks resident - // in the compressed data buffer. There must be one entry - // in this array for each chunk possible in the uncompressed - // buffer size. A size of FSRTL_CHUNK_SIZE indicates the - // corresponding chunk is uncompressed and occupies exactly - // that size. 
A size of 0 indicates that the corresponding - // chunk contains nothing but binary 0's, and occupies no - // space in the compressed data. All other sizes must be - // less than FSRTL_CHUNK_SIZE, and indicate the exact size - // of the compressed data in bytes. - // - - ULONG CompressedChunkSizes[ANYSIZE_ARRAY]; - } COMPRESSED_DATA_INFO, *PCOMPRESSED_DATA_INFO; - - NTSYSAPI - NTSTATUS - NTAPI - RtlGetCompressionWorkSpaceSize( - _In_ USHORT CompressionFormatAndEngine, - _Out_ PULONG CompressBufferWorkSpaceSize, - _Out_ PULONG CompressFragmentWorkSpaceSize); - - NTSYSAPI - NTSTATUS - NTAPI - RtlCompressBuffer( - _In_ USHORT CompressionFormatAndEngine, - _In_reads_bytes_(UncompressedBufferSize) PUCHAR UncompressedBuffer, - _In_ ULONG UncompressedBufferSize, - _Out_writes_bytes_to_(CompressedBufferSize, *FinalCompressedSize) PUCHAR CompressedBuffer, - _In_ ULONG CompressedBufferSize, - _In_ ULONG UncompressedChunkSize, - _Out_ PULONG FinalCompressedSize, - _In_ PVOID WorkSpace); - - NTSYSAPI - NTSTATUS - NTAPI - RtlDecompressBuffer( - _In_ USHORT CompressionFormat, - _Out_writes_bytes_to_(UncompressedBufferSize, *FinalUncompressedSize) PUCHAR UncompressedBuffer, - _In_ ULONG UncompressedBufferSize, - _In_reads_bytes_(CompressedBufferSize) PUCHAR CompressedBuffer, - _In_ ULONG CompressedBufferSize, - _Out_ PULONG FinalUncompressedSize); - -#if (PHNT_VERSION >= PHNT_WIN8) - NTSYSAPI - NTSTATUS - NTAPI - RtlDecompressBufferEx( - _In_ USHORT CompressionFormat, - _Out_writes_bytes_to_(UncompressedBufferSize, *FinalUncompressedSize) PUCHAR UncompressedBuffer, - _In_ ULONG UncompressedBufferSize, - _In_reads_bytes_(CompressedBufferSize) PUCHAR CompressedBuffer, - _In_ ULONG CompressedBufferSize, - _Out_ PULONG FinalUncompressedSize, - _In_opt_ PVOID WorkSpace); -#endif - -#if (PHNT_VERSION >= PHNT_WINBLUE) - NTSYSAPI - NTSTATUS - NTAPI - RtlDecompressBufferEx2( - _In_ USHORT CompressionFormat, - _Out_writes_bytes_to_(UncompressedBufferSize, *FinalUncompressedSize) PUCHAR 
UncompressedBuffer, - _In_ ULONG UncompressedBufferSize, - _In_reads_bytes_(CompressedBufferSize) PUCHAR CompressedBuffer, - _In_ ULONG CompressedBufferSize, - _In_ ULONG UncompressedChunkSize, - _Out_ PULONG FinalUncompressedSize, - _In_opt_ PVOID WorkSpace); -#endif - - NTSYSAPI - NTSTATUS - NTAPI - RtlDecompressFragment( - _In_ USHORT CompressionFormat, - _Out_writes_bytes_to_(UncompressedFragmentSize, *FinalUncompressedSize) PUCHAR UncompressedFragment, - _In_ ULONG UncompressedFragmentSize, - _In_reads_bytes_(CompressedBufferSize) PUCHAR CompressedBuffer, - _In_ ULONG CompressedBufferSize, - _In_range_(<, CompressedBufferSize) ULONG FragmentOffset, - _Out_ PULONG FinalUncompressedSize, - _In_ PVOID WorkSpace); - -#if (PHNT_VERSION >= PHNT_WINBLUE) - NTSYSAPI - NTSTATUS - NTAPI - RtlDecompressFragmentEx( - _In_ USHORT CompressionFormat, - _Out_writes_bytes_to_(UncompressedFragmentSize, *FinalUncompressedSize) PUCHAR UncompressedFragment, - _In_ ULONG UncompressedFragmentSize, - _In_reads_bytes_(CompressedBufferSize) PUCHAR CompressedBuffer, - _In_ ULONG CompressedBufferSize, - _In_range_(<, CompressedBufferSize) ULONG FragmentOffset, - _In_ ULONG UncompressedChunkSize, - _Out_ PULONG FinalUncompressedSize, - _In_ PVOID WorkSpace); -#endif - - NTSYSAPI - NTSTATUS - NTAPI - RtlDescribeChunk( - _In_ USHORT CompressionFormat, - _Inout_ PUCHAR *CompressedBuffer, - _In_ PUCHAR EndOfCompressedBufferPlus1, - _Out_ PUCHAR *ChunkBuffer, - _Out_ PULONG ChunkSize); - - NTSYSAPI - NTSTATUS - NTAPI - RtlReserveChunk( - _In_ USHORT CompressionFormat, - _Inout_ PUCHAR *CompressedBuffer, - _In_ PUCHAR EndOfCompressedBufferPlus1, - _Out_ PUCHAR *ChunkBuffer, - _In_ ULONG ChunkSize); - - NTSYSAPI - NTSTATUS - NTAPI - RtlDecompressChunks( - _Out_writes_bytes_(UncompressedBufferSize) PUCHAR UncompressedBuffer, - _In_ ULONG UncompressedBufferSize, - _In_reads_bytes_(CompressedBufferSize) PUCHAR CompressedBuffer, - _In_ ULONG CompressedBufferSize, - 
_In_reads_bytes_(CompressedTailSize) PUCHAR CompressedTail, - _In_ ULONG CompressedTailSize, - _In_ PCOMPRESSED_DATA_INFO CompressedDataInfo); - - NTSYSAPI - NTSTATUS - NTAPI - RtlCompressChunks( - _In_reads_bytes_(UncompressedBufferSize) PUCHAR UncompressedBuffer, - _In_ ULONG UncompressedBufferSize, - _Out_writes_bytes_(CompressedBufferSize) PUCHAR CompressedBuffer, - _In_range_(>=, (UncompressedBufferSize - (UncompressedBufferSize / 16))) ULONG CompressedBufferSize, - _Inout_updates_bytes_(CompressedDataInfoLength) PCOMPRESSED_DATA_INFO CompressedDataInfo, - _In_range_(>, sizeof(COMPRESSED_DATA_INFO)) ULONG CompressedDataInfoLength, - _In_ PVOID WorkSpace); - - // Locale - -#if (PHNT_VERSION >= PHNT_VISTA) - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlConvertLCIDToString( - _In_ LCID LcidValue, - _In_ ULONG Base, - _In_ ULONG Padding, // string is padded to this width - _Out_writes_(Size) PWSTR pResultBuf, - _In_ ULONG Size); - - // private - NTSYSAPI - BOOLEAN - NTAPI - RtlIsValidLocaleName( - _In_ PCWSTR LocaleName, - _In_ ULONG Flags); - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlGetParentLocaleName( - _In_ PCWSTR LocaleName, - _Inout_ PUNICODE_STRING ParentLocaleName, - _In_ ULONG Flags, - _In_ BOOLEAN AllocateDestinationString); - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlLcidToLocaleName( - _In_ LCID lcid, // sic - _Inout_ PUNICODE_STRING LocaleName, - _In_ ULONG Flags, - _In_ BOOLEAN AllocateDestinationString); - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlLocaleNameToLcid( - _In_ PCWSTR LocaleName, - _Out_ PLCID lcid, - _In_ ULONG Flags); - - // private - NTSYSAPI - BOOLEAN - NTAPI - RtlLCIDToCultureName( - _In_ LCID Lcid, - _Inout_ PUNICODE_STRING String); - - // private - NTSYSAPI - BOOLEAN - NTAPI - RtlCultureNameToLCID( - _In_ PUNICODE_STRING String, - _Out_ PLCID Lcid); - - // private - NTSYSAPI - VOID - NTAPI - RtlCleanUpTEBLangLists( - VOID); - -#endif - -#if (PHNT_VERSION >= PHNT_WIN7) - - // rev from 
GetThreadPreferredUILanguages - NTSYSAPI - NTSTATUS - NTAPI - RtlGetThreadPreferredUILanguages( - _In_ ULONG Flags, // MUI_LANGUAGE_NAME - _Out_ PULONG NumberOfLanguages, - _Out_writes_opt_(*ReturnLength) PZZWSTR Languages, - _Inout_ PULONG ReturnLength); - - // rev from GetProcessPreferredUILanguages - NTSYSAPI - NTSTATUS - NTAPI - RtlGetProcessPreferredUILanguages( - _In_ ULONG Flags, // MUI_LANGUAGE_NAME - _Out_ PULONG NumberOfLanguages, - _Out_writes_opt_(*ReturnLength) PZZWSTR Languages, - _Inout_ PULONG ReturnLength); - - // rev from GetSystemPreferredUILanguages - NTSYSAPI - NTSTATUS - NTAPI - RtlGetSystemPreferredUILanguages( - _In_ ULONG Flags, // MUI_LANGUAGE_NAME - _In_opt_ PCWSTR LocaleName, - _Out_ PULONG NumberOfLanguages, - _Out_writes_opt_(*ReturnLength) PZZWSTR Languages, - _Inout_ PULONG ReturnLength); - - // rev from GetSystemDefaultUILanguage - NTSYSAPI - NTSTATUS - NTAPI - RtlpGetSystemDefaultUILanguage( - _Out_ LANGID DefaultUILanguageId, - _Inout_ PLCID Lcid); - - // rev from GetUserPreferredUILanguages - NTSYSAPI - NTSTATUS - NTAPI - RtlGetUserPreferredUILanguages( - _In_ ULONG Flags, // MUI_LANGUAGE_NAME - _In_opt_ PCWSTR LocaleName, - _Out_ PULONG NumberOfLanguages, - _Out_writes_opt_(*ReturnLength) PZZWSTR Languages, - _Inout_ PULONG ReturnLength); - - // rev from GetUILanguageInfo - NTSYSAPI - NTSTATUS - NTAPI - RtlGetUILanguageInfo( - _In_ ULONG Flags, - _In_ PCZZWSTR Languages, - _Out_writes_opt_(*NumberOfFallbackLanguages) PZZWSTR FallbackLanguages, - _Inout_opt_ PULONG NumberOfFallbackLanguages, - _Out_ PULONG Attributes); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlGetLocaleFileMappingAddress( - _Out_ PVOID *BaseAddress, - _Out_ PLCID DefaultLocaleId, - _Out_ PLARGE_INTEGER DefaultCasingTableSize, - _Out_opt_ PULONG CurrentNLSVersion); - -#endif - - // PEB - - NTSYSAPI - PPEB - NTAPI - RtlGetCurrentPeb( - VOID); - - NTSYSAPI - NTSTATUS - NTAPI - RtlAcquirePebLock( - VOID); - - NTSYSAPI - NTSTATUS - NTAPI - RtlReleasePebLock( - 
VOID); - -#if (PHNT_VERSION >= PHNT_VISTA) - // private - NTSYSAPI - LOGICAL - NTAPI - RtlTryAcquirePebLock( - VOID); -#endif - -#if (PHNT_VERSION < PHNT_VISTA) - NTSYSAPI - NTSTATUS - NTAPI - RtlAllocateFromPeb( - _In_ ULONG Size, - _Out_ PVOID *Block); - - NTSYSAPI - NTSTATUS - NTAPI - RtlFreeToPeb( - _In_ PVOID Block, - _In_ ULONG Size); -#endif - -// -// Processes -// - -// CURDIR Handle | Flags -#define RTL_USER_PROC_CURDIR_CLOSE 0x00000002 -#define RTL_USER_PROC_CURDIR_INHERIT 0x00000003 - - typedef struct _CURDIR - { - UNICODE_STRING DosPath; - HANDLE Handle; - } CURDIR, *PCURDIR; - -// RTL_DRIVE_LETTER_CURDIR Flags -#define RTL_MAX_DRIVE_LETTERS 32 -#define RTL_DRIVE_LETTER_VALID (USHORT)0x0001 - - typedef struct _RTL_DRIVE_LETTER_CURDIR - { - USHORT Flags; - USHORT Length; - ULONG TimeStamp; - STRING DosPath; - } RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR; - -#define RTL_USER_PROC_DETACHED_PROCESS ((HANDLE)(LONG_PTR) - 1) -#define RTL_USER_PROC_CREATE_NEW_CONSOLE ((HANDLE)(LONG_PTR) - 2) -#define RTL_USER_PROC_CREATE_NO_WINDOW ((HANDLE)(LONG_PTR) - 3) - - typedef struct _RTL_USER_PROCESS_PARAMETERS - { - ULONG MaximumLength; - ULONG Length; - - ULONG Flags; - ULONG DebugFlags; - - HANDLE ConsoleHandle; - ULONG ConsoleFlags; - HANDLE StandardInput; - HANDLE StandardOutput; - HANDLE StandardError; - - CURDIR CurrentDirectory; - UNICODE_STRING DllPath; - UNICODE_STRING ImagePathName; - UNICODE_STRING CommandLine; - PVOID Environment; - - ULONG StartingX; - ULONG StartingY; - ULONG CountX; - ULONG CountY; - ULONG CountCharsX; - ULONG CountCharsY; - ULONG FillAttribute; - - ULONG WindowFlags; - ULONG ShowWindowFlags; - UNICODE_STRING WindowTitle; - UNICODE_STRING DesktopInfo; - UNICODE_STRING ShellInfo; - UNICODE_STRING RuntimeData; - RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS]; - - ULONG_PTR EnvironmentSize; - ULONG_PTR EnvironmentVersion; - - PVOID PackageDependencyData; - ULONG ProcessGroupId; - ULONG LoaderThreads; - 
UNICODE_STRING RedirectionDllName; // REDSTONE4 - UNICODE_STRING HeapPartitionName; // 19H1 - PULONGLONG DefaultThreadpoolCpuSetMasks; - ULONG DefaultThreadpoolCpuSetMaskCount; - ULONG DefaultThreadpoolThreadMaximum; - ULONG HeapMemoryTypeMask; // WIN11 - } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS; - -// RTL_USER_PROCESS_PARAMETERS Flags -#define RTL_USER_PROC_PARAMS_NORMALIZED 0x00000001 -#define RTL_USER_PROC_PROFILE_USER 0x00000002 -#define RTL_USER_PROC_PROFILE_KERNEL 0x00000004 -#define RTL_USER_PROC_PROFILE_SERVER 0x00000008 -#define RTL_USER_PROC_RESERVE_1MB 0x00000020 -#define RTL_USER_PROC_RESERVE_16MB 0x00000040 -#define RTL_USER_PROC_CASE_SENSITIVE 0x00000080 -#define RTL_USER_PROC_DISABLE_HEAP_DECOMMIT 0x00000100 -#define RTL_USER_PROC_DLL_REDIRECTION_LOCAL 0x00001000 -#define RTL_USER_PROC_APP_MANIFEST_PRESENT 0x00002000 -#define RTL_USER_PROC_IMAGE_KEY_MISSING 0x00004000 -#define RTL_USER_PROC_DEV_OVERRIDE_ENABLED 0x00008000 -#define RTL_USER_PROC_OPTIN_PROCESS 0x00020000 -#define RTL_USER_PROC_OPTIN_PROCESS 0x00020000 -#define RTL_USER_PROC_SESSION_OWNER 0x00040000 -#define RTL_USER_PROC_HANDLE_USER_CALLBACK_EXCEPTIONS 0x00080000 -#define RTL_USER_PROC_PROTECTED_PROCESS 0x00400000 -#define RTL_USER_PROC_SECURE_PROCESS 0x80000000 - - NTSYSAPI - NTSTATUS - NTAPI - RtlCreateProcessParameters( - _Out_ PRTL_USER_PROCESS_PARAMETERS *ProcessParameters, - _In_ PUNICODE_STRING ImagePathName, - _In_opt_ PUNICODE_STRING DllPath, - _In_opt_ PUNICODE_STRING CurrentDirectory, - _In_opt_ PUNICODE_STRING CommandLine, - _In_opt_ PVOID Environment, - _In_opt_ PUNICODE_STRING WindowTitle, - _In_opt_ PUNICODE_STRING DesktopInfo, - _In_opt_ PUNICODE_STRING ShellInfo, - _In_opt_ PUNICODE_STRING RuntimeData); - -#if (PHNT_VERSION >= PHNT_VISTA) - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlCreateProcessParametersEx( - _Out_ PRTL_USER_PROCESS_PARAMETERS *ProcessParameters, - _In_ PUNICODE_STRING ImagePathName, - _In_opt_ PUNICODE_STRING DllPath, - 
_In_opt_ PUNICODE_STRING CurrentDirectory, - _In_opt_ PUNICODE_STRING CommandLine, - _In_opt_ PVOID Environment, - _In_opt_ PUNICODE_STRING WindowTitle, - _In_opt_ PUNICODE_STRING DesktopInfo, - _In_opt_ PUNICODE_STRING ShellInfo, - _In_opt_ PUNICODE_STRING RuntimeData, - _In_ ULONG Flags // pass RTL_USER_PROC_PARAMS_NORMALIZED to keep parameters normalized - ); -#endif - -#if (PHNT_VERSION >= PHNT_WIN10_RS4) - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlCreateProcessParametersWithTemplate( - _Out_ PRTL_USER_PROCESS_PARAMETERS *ProcessParameters, - _In_ PUNICODE_STRING ImagePathName, - _In_opt_ PUNICODE_STRING DllPath, - _In_opt_ PUNICODE_STRING CurrentDirectory, - _In_opt_ PUNICODE_STRING CommandLine, - _In_opt_ PVOID Environment, - _In_opt_ PUNICODE_STRING WindowTitle, - _In_opt_ PUNICODE_STRING DesktopInfo, - _In_opt_ PUNICODE_STRING ShellInfo, - _In_opt_ PUNICODE_STRING RuntimeData, - _In_opt_ PUNICODE_STRING RedirectionDllName, - _In_ ULONG Flags // pass RTL_USER_PROC_PARAMS_NORMALIZED to keep parameters normalized - ); -#endif - - NTSYSAPI - NTSTATUS - NTAPI - RtlDestroyProcessParameters( - _In_ _Post_invalid_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters); - - NTSYSAPI - PRTL_USER_PROCESS_PARAMETERS - NTAPI - RtlNormalizeProcessParams( - _Inout_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters); - - NTSYSAPI - PRTL_USER_PROCESS_PARAMETERS - NTAPI - RtlDeNormalizeProcessParams( - _Inout_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters); - - typedef struct _RTL_USER_PROCESS_INFORMATION - { - ULONG Length; - HANDLE ProcessHandle; - HANDLE ThreadHandle; - CLIENT_ID ClientId; - SECTION_IMAGE_INFORMATION ImageInformation; - } RTL_USER_PROCESS_INFORMATION, *PRTL_USER_PROCESS_INFORMATION; - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlCreateUserProcess( - _In_ PUNICODE_STRING NtImagePathName, - _In_ ULONG ExtendedParameters, // HIWORD(NumaNodeNumber), LOWORD(Reserved) - _In_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters, - _In_opt_ PSECURITY_DESCRIPTOR 
ProcessSecurityDescriptor, - _In_opt_ PSECURITY_DESCRIPTOR ThreadSecurityDescriptor, - _In_opt_ HANDLE ParentProcess, - _In_ BOOLEAN InheritHandles, - _In_opt_ HANDLE DebugPort, - _In_opt_ HANDLE TokenHandle, // used to be ExceptionPort - _Out_ PRTL_USER_PROCESS_INFORMATION ProcessInformation); - -#define RTL_USER_PROCESS_EXTENDED_PARAMETERS_VERSION 1 - - // private - typedef struct _RTL_USER_PROCESS_EXTENDED_PARAMETERS - { - USHORT Version; - USHORT NodeNumber; - PSECURITY_DESCRIPTOR ProcessSecurityDescriptor; - PSECURITY_DESCRIPTOR ThreadSecurityDescriptor; - HANDLE ParentProcess; - HANDLE DebugPort; - HANDLE TokenHandle; - HANDLE JobHandle; - } RTL_USER_PROCESS_EXTENDED_PARAMETERS, *PRTL_USER_PROCESS_EXTENDED_PARAMETERS; - -#if (PHNT_VERSION >= PHNT_REDSTONE2) - NTSYSAPI - NTSTATUS - NTAPI - RtlCreateUserProcessEx( - _In_ PUNICODE_STRING NtImagePathName, - _In_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters, - _In_ BOOLEAN InheritHandles, - _In_opt_ PRTL_USER_PROCESS_EXTENDED_PARAMETERS ProcessExtendedParameters, - _Out_ PRTL_USER_PROCESS_INFORMATION ProcessInformation); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - _Analysis_noreturn_ - DECLSPEC_NORETURN - NTSYSAPI - VOID - NTAPI - RtlExitUserProcess( - _In_ NTSTATUS ExitStatus); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - -// begin_rev -#define RTL_CLONE_PROCESS_FLAGS_CREATE_SUSPENDED 0x00000001 -#define RTL_CLONE_PROCESS_FLAGS_INHERIT_HANDLES 0x00000002 -#define RTL_CLONE_PROCESS_FLAGS_NO_SYNCHRONIZE 0x00000004 // don't update synchronization objects - // end_rev - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlCloneUserProcess( - _In_ ULONG ProcessFlags, - _In_opt_ PSECURITY_DESCRIPTOR ProcessSecurityDescriptor, - _In_opt_ PSECURITY_DESCRIPTOR ThreadSecurityDescriptor, - _In_opt_ HANDLE DebugPort, - _Out_ PRTL_USER_PROCESS_INFORMATION ProcessInformation); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlPrepareForProcessCloning( - VOID); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlCompleteProcessCloning( - 
_In_ LOGICAL Completed); - - // private - NTSYSAPI - VOID - NTAPI - RtlUpdateClonedCriticalSection( - _Inout_ PRTL_CRITICAL_SECTION CriticalSection); - - // private - NTSYSAPI - VOID - NTAPI - RtlUpdateClonedSRWLock( - _Inout_ PRTL_SRWLOCK SRWLock, - _In_ LOGICAL Shared // TRUE to set to shared acquire - ); - -// rev -#define RTL_PROCESS_REFLECTION_FLAGS_INHERIT_HANDLES 0x2 -#define RTL_PROCESS_REFLECTION_FLAGS_NO_SUSPEND 0x4 -#define RTL_PROCESS_REFLECTION_FLAGS_NO_SYNCHRONIZE 0x8 -#define RTL_PROCESS_REFLECTION_FLAGS_NO_CLOSE_EVENT 0x10 - - // private - typedef struct _RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION - { - HANDLE ReflectionProcessHandle; - HANDLE ReflectionThreadHandle; - CLIENT_ID ReflectionClientId; - } RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION, *PRTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION; - - typedef RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION PROCESS_REFLECTION_INFORMATION, *PPROCESS_REFLECTION_INFORMATION; - -#if (PHNT_VERSION >= PHNT_WIN7) - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlCreateProcessReflection( - _In_ HANDLE ProcessHandle, - _In_ ULONG Flags, // RTL_PROCESS_REFLECTION_FLAGS_* - _In_opt_ PVOID StartRoutine, - _In_opt_ PVOID StartContext, - _In_opt_ HANDLE EventHandle, - _Out_opt_ PRTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION ReflectionInformation); -#endif - -#endif - - NTSYSAPI - NTSTATUS - STDAPIVCALLTYPE - RtlSetProcessIsCritical( - _In_ BOOLEAN NewValue, - _Out_opt_ PBOOLEAN OldValue, - _In_ BOOLEAN CheckFlag); - - NTSYSAPI - NTSTATUS - STDAPIVCALLTYPE - RtlSetThreadIsCritical( - _In_ BOOLEAN NewValue, - _Out_opt_ PBOOLEAN OldValue, - _In_ BOOLEAN CheckFlag); - - // rev - NTSYSAPI - PVOID - NTAPI - RtlSetThreadSubProcessTag( - _In_ PVOID SubProcessTag); - - // rev - NTSYSAPI - BOOLEAN - NTAPI - RtlValidProcessProtection( - _In_ PS_PROTECTION ProcessProtection); - - // rev - NTSYSAPI - BOOLEAN - NTAPI - RtlTestProtectedAccess( - _In_ PS_PROTECTION Source, - _In_ PS_PROTECTION Target); - -#if (PHNT_VERSION >= 
PHNT_REDSTONE3) - // rev - NTSYSAPI - BOOLEAN - NTAPI - RtlIsCurrentProcess( // NtCompareObjects(NtCurrentProcess(), ProcessHandle) - _In_ HANDLE ProcessHandle); - - // rev - NTSYSAPI - BOOLEAN - NTAPI - RtlIsCurrentThread( // NtCompareObjects(NtCurrentThread(), ThreadHandle) - _In_ HANDLE ThreadHandle); -#endif - - // Threads - - typedef NTSTATUS(NTAPI *PUSER_THREAD_START_ROUTINE)( - _In_ PVOID ThreadParameter); - - NTSYSAPI - NTSTATUS - NTAPI - RtlCreateUserThread( - _In_ HANDLE ProcessHandle, - _In_opt_ PSECURITY_DESCRIPTOR ThreadSecurityDescriptor, - _In_ BOOLEAN CreateSuspended, - _In_opt_ ULONG ZeroBits, - _In_opt_ SIZE_T MaximumStackSize, - _In_opt_ SIZE_T CommittedStackSize, - _In_ PUSER_THREAD_START_ROUTINE StartAddress, - _In_opt_ PVOID Parameter, - _Out_opt_ PHANDLE ThreadHandle, - _Out_opt_ PCLIENT_ID ClientId); - -#if (PHNT_VERSION >= PHNT_WINXP) - _Analysis_noreturn_ - DECLSPEC_NORETURN - NTSYSAPI - VOID - NTAPI - RtlExitUserThread( - _In_ NTSTATUS ExitStatus); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - // rev - NTSYSAPI - BOOLEAN - NTAPI - RtlIsCurrentThreadAttachExempt( - VOID); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlCreateUserStack( - _In_opt_ SIZE_T CommittedStackSize, - _In_opt_ SIZE_T MaximumStackSize, - _In_opt_ ULONG_PTR ZeroBits, - _In_ SIZE_T PageSize, - _In_ ULONG_PTR ReserveAlignment, - _Out_ PINITIAL_TEB InitialTeb); - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlFreeUserStack( - _In_ PVOID AllocationBase); -#endif - - // Extended thread context - - typedef struct _CONTEXT_CHUNK - { - LONG Offset; // Offset may be negative. 
- ULONG Length; - } CONTEXT_CHUNK, *PCONTEXT_CHUNK; - - typedef struct _CONTEXT_EX - { - CONTEXT_CHUNK All; - CONTEXT_CHUNK Legacy; - CONTEXT_CHUNK XState; - CONTEXT_CHUNK KernelCet; - } CONTEXT_EX, *PCONTEXT_EX; - -#if defined(_AMD64_) || defined(_ARM64_) || defined(_ARM64EC_) -#define CONTEXT_ALIGN 0x10 -#else -#define CONTEXT_ALIGN 0x8 -#endif - -#if defined(_AMD64_) -#define CONTEXT_FRAME_LENGTH 0x4D0 -#define CONTEXT_EX_PADDING 0x10 -#elif defined(_ARM64_) || defined(_ARM64EC_) -#define CONTEXT_FRAME_LENGTH 0x390 -#define CONTEXT_EX_PADDING 0x10 -#elif defined(_M_ARM) -#define CONTEXT_FRAME_LENGTH 0x1a0 -#define CONTEXT_EX_PADDING 0x8 -#else -#define CONTEXT_FRAME_LENGTH 0x2CC -#define CONTEXT_EX_PADDING 0x4 -#endif - -#define CONTEXT_ALIGNMENT(Size, Align) \ - (((ULONG_PTR)(Size) + (Align) - 1) & ~((Align) - 1)) - -#define CONTEXT_EX_LENGTH \ - CONTEXT_ALIGNMENT(sizeof(CONTEXT_EX), CONTEXT_ALIGN) - - C_ASSERT(CONTEXT_FRAME_LENGTH == sizeof(CONTEXT)); - C_ASSERT(CONTEXT_EX_LENGTH == 0x20); - -#define RTL_CONTEXT_EX_OFFSET(ContextEx, Chunk) ((ContextEx)->Chunk.Offset) -#define RTL_CONTEXT_EX_LENGTH(ContextEx, Chunk) ((ContextEx)->Chunk.Length) -#define RTL_CONTEXT_EX_CHUNK(Base, Layout, Chunk) ((PVOID)((PCHAR)(Base) + RTL_CONTEXT_EX_OFFSET(Layout, Chunk))) -#define RTL_CONTEXT_OFFSET(Context, Chunk) RTL_CONTEXT_EX_OFFSET((PCONTEXT_EX)(Context + 1), Chunk) -#define RTL_CONTEXT_LENGTH(Context, Chunk) RTL_CONTEXT_EX_LENGTH((PCONTEXT_EX)(Context + 1), Chunk) -#define RTL_CONTEXT_CHUNK(Context, Chunk) RTL_CONTEXT_EX_CHUNK((PCONTEXT_EX)(Context + 1), (PCONTEXT_EX)(Context + 1), Chunk) - -#if defined(_M_AMD64) - // returns constant 0xf0e0d0c0a0908070 (dmex) - NTSYSAPI - ULONG64 - NTAPI - RtlInitializeContext( - _Reserved_ HANDLE Reserved, - _Out_ PCONTEXT Context, - _In_opt_ PVOID Parameter, - _In_opt_ PVOID InitialPc, - _In_opt_ PVOID InitialSp); -#else - // returns status of NtWriteVirtualMemory (dmex) - NTSYSAPI - NTSTATUS - NTAPI - RtlInitializeContext( - _In_ 
HANDLE ProcessHandle, - _Out_ PCONTEXT Context, - _In_opt_ PVOID Parameter, - _In_opt_ PVOID InitialPc, - _In_opt_ PVOID InitialSp); -#endif - - NTSYSAPI - NTSTATUS - NTAPI - RtlInitializeExtendedContext( - _Out_ PCONTEXT Context, - _In_ ULONG ContextFlags, - _Out_ PCONTEXT_EX *ContextEx); - - NTSYSAPI - NTSTATUS - NTAPI - RtlInitializeExtendedContext2( - _Out_ PCONTEXT Context, - _In_ ULONG ContextFlags, - _Out_ PCONTEXT_EX *ContextEx, - _In_ ULONG64 EnabledExtendedFeatures // RtlGetEnabledExtendedFeatures(-1) - ); - - NTSYSAPI - NTSTATUS - NTAPI - RtlCopyContext( - _Inout_ PCONTEXT Context, - _In_ ULONG ContextFlags, - _Out_ PCONTEXT Source); - - NTSYSAPI - NTSTATUS - NTAPI - RtlCopyExtendedContext( - _Out_ PCONTEXT_EX Destination, - _In_ ULONG ContextFlags, - _In_ PCONTEXT_EX Source); - - NTSYSAPI - NTSTATUS - NTAPI - RtlGetExtendedContextLength( - _In_ ULONG ContextFlags, - _Out_ PULONG ContextLength); - - NTSYSAPI - NTSTATUS - NTAPI - RtlGetExtendedContextLength2( - _In_ ULONG ContextFlags, - _Out_ PULONG ContextLength, - _In_ ULONG64 EnabledExtendedFeatures // RtlGetEnabledExtendedFeatures(-1) - ); - - NTSYSAPI - ULONG64 - NTAPI - RtlGetExtendedFeaturesMask( - _In_ PCONTEXT_EX ContextEx); - - NTSYSAPI - PVOID - NTAPI - RtlLocateExtendedFeature( - _In_ PCONTEXT_EX ContextEx, - _In_ ULONG FeatureId, - _Out_opt_ PULONG Length); - - NTSYSAPI - PCONTEXT - NTAPI - RtlLocateLegacyContext( - _In_ PCONTEXT_EX ContextEx, - _Out_opt_ PULONG Length); - - NTSYSAPI - VOID - NTAPI - RtlSetExtendedFeaturesMask( - _In_ PCONTEXT_EX ContextEx, - _In_ ULONG64 FeatureMask); - -#ifdef _WIN64 -#ifdef PHNT_INLINE_TYPEDEFS - FORCEINLINE - NTSTATUS - NTAPI - RtlWow64GetThreadContext( - _In_ HANDLE ThreadHandle, - _Inout_ PWOW64_CONTEXT ThreadContext) - { - return NtQueryInformationThread( - ThreadHandle, - ThreadWow64Context, - ThreadContext, - sizeof(WOW64_CONTEXT), - NULL); - } -#else - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlWow64GetThreadContext( - _In_ HANDLE ThreadHandle, - 
_Inout_ PWOW64_CONTEXT ThreadContext); -#endif -#endif - -#ifdef _WIN64 -#ifdef PHNT_INLINE_TYPEDEFS - FORCEINLINE - NTSTATUS - NTAPI - RtlWow64SetThreadContext( - _In_ HANDLE ThreadHandle, - _In_ PWOW64_CONTEXT ThreadContext) - { - return NtSetInformationThread( - ThreadHandle, - ThreadWow64Context, - ThreadContext, - sizeof(WOW64_CONTEXT)); - } -#else - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlWow64SetThreadContext( - _In_ HANDLE ThreadHandle, - _In_ PWOW64_CONTEXT ThreadContext); -#endif -#endif - - NTSYSAPI - NTSTATUS - NTAPI - RtlRemoteCall( - _In_ HANDLE ProcessHandle, - _In_ HANDLE ThreadHandle, - _In_ PVOID CallSite, - _In_ ULONG ArgumentCount, - _In_opt_ PULONG_PTR Arguments, - _In_ BOOLEAN PassContext, - _In_ BOOLEAN AlreadySuspended); - - // - // Vectored Exception Handlers - // - - /** - * Registers a vectored exception handler. - * - * @param First If this parameter is TRUE, the handler is the first handler in the list. - * @param Handler A pointer to the vectored exception handler to be called. - * @return A handle to the vectored exception handler. - * @see https://docs.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-addvectoredexceptionhandler - */ - NTSYSAPI - PVOID - NTAPI - RtlAddVectoredExceptionHandler( - _In_ ULONG First, - _In_ PVECTORED_EXCEPTION_HANDLER Handler); - - /** - * Removes a vectored exception handler. - * - * @param Handle A handle to the vectored exception handler to remove. - * @return The function returns 0 if the handler is removed, or -1 if the handler is not found. - * @see https://docs.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-removevectoredexceptionhandler - */ - NTSYSAPI - ULONG - NTAPI - RtlRemoveVectoredExceptionHandler( - _In_ PVOID Handle); - - /** - * Registers a vectored continue handler. - * - * @param First If this parameter is TRUE, the handler is the first handler in the list. - * @param Handler A pointer to the vectored exception handler to be called. 
- * @return A handle to the vectored continue handler. - * @see https://docs.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-addvectoredcontinuehandler - */ - NTSYSAPI - PVOID - NTAPI - RtlAddVectoredContinueHandler( - _In_ ULONG First, - _In_ PVECTORED_EXCEPTION_HANDLER Handler); - - /** - * Removes a vectored continue handler. - * - * @param Handle A handle to the vectored continue handler to remove. - * @return The function returns 0 if the handler is removed, or -1 if the handler is not found. - * @see https://docs.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-removevectoredcontinuehandler - */ - NTSYSAPI - ULONG - NTAPI - RtlRemoveVectoredContinueHandler( - _In_ PVOID Handle); - - // Runtime exception handling - - typedef ULONG(NTAPI *PRTLP_UNHANDLED_EXCEPTION_FILTER)( - _In_ PEXCEPTION_POINTERS ExceptionInfo); - - NTSYSAPI - VOID - NTAPI - RtlSetUnhandledExceptionFilter( - _In_ PRTLP_UNHANDLED_EXCEPTION_FILTER UnhandledExceptionFilter); - - // rev - NTSYSAPI - LONG - NTAPI - RtlUnhandledExceptionFilter( - _In_ PEXCEPTION_POINTERS ExceptionPointers); - - // rev - NTSYSAPI - LONG - NTAPI - RtlUnhandledExceptionFilter2( - _In_ PEXCEPTION_POINTERS ExceptionPointers, - _In_ ULONG Flags); - - // rev - NTSYSAPI - LONG - NTAPI - RtlKnownExceptionFilter( - _In_ PEXCEPTION_POINTERS ExceptionPointers); - -#ifdef _WIN64 - - // private - typedef enum _FUNCTION_TABLE_TYPE - { - RF_SORTED, - RF_UNSORTED, - RF_CALLBACK, - RF_KERNEL_DYNAMIC - } FUNCTION_TABLE_TYPE; - - // private - typedef struct _DYNAMIC_FUNCTION_TABLE - { - LIST_ENTRY ListEntry; - PRUNTIME_FUNCTION FunctionTable; - LARGE_INTEGER TimeStamp; - ULONG64 MinimumAddress; - ULONG64 MaximumAddress; - ULONG64 BaseAddress; - PGET_RUNTIME_FUNCTION_CALLBACK Callback; - PVOID Context; - PWSTR OutOfProcessCallbackDll; - FUNCTION_TABLE_TYPE Type; - ULONG EntryCount; - RTL_BALANCED_NODE TreeNodeMin; - RTL_BALANCED_NODE TreeNodeMax; - } DYNAMIC_FUNCTION_TABLE, 
*PDYNAMIC_FUNCTION_TABLE; - - // rev - NTSYSAPI - PLIST_ENTRY - NTAPI - RtlGetFunctionTableListHead( - VOID); - -#endif - - // - // Linked lists - // - - NTSYSAPI - VOID - NTAPI - RtlInitializeSListHead( - _Out_ PSLIST_HEADER ListHead); - - _Must_inspect_result_ - NTSYSAPI - PSLIST_ENTRY - NTAPI - RtlFirstEntrySList( - _In_ const SLIST_HEADER *ListHead); - - NTSYSAPI - PSLIST_ENTRY - NTAPI - RtlInterlockedPopEntrySList( - _Inout_ PSLIST_HEADER ListHead); - - NTSYSAPI - PSLIST_ENTRY - NTAPI - RtlInterlockedPushEntrySList( - _Inout_ PSLIST_HEADER ListHead, - _Inout_ __drv_aliasesMem PSLIST_ENTRY ListEntry); - - NTSYSAPI - PSLIST_ENTRY - NTAPI - RtlInterlockedPushListSListEx( - _Inout_ PSLIST_HEADER ListHead, - _Inout_ __drv_aliasesMem PSLIST_ENTRY List, - _Inout_ PSLIST_ENTRY ListEnd, - _In_ DWORD Count); - - NTSYSAPI - PSLIST_ENTRY - NTAPI - RtlInterlockedFlushSList( - _Inout_ PSLIST_HEADER ListHead); - - NTSYSAPI - WORD - NTAPI - RtlQueryDepthSList( - _In_ PSLIST_HEADER ListHead); - - // - // Activation Contexts - // - -#define INVALID_ACTIVATION_CONTEXT ((HANDLE)(LONG_PTR) - 1) -#define ACTCTX_PROCESS_DEFAULT ((HANDLE)(LONG_PTR)0) -#define ACTCTX_EMPTY ((HANDLE)(LONG_PTR) - 3) -#define ACTCTX_SYSTEM_DEFAULT ((HANDLE)(LONG_PTR) - 4) -#define IS_SPECIAL_ACTCTX(x) (((((LONG_PTR)(x)) - 1) | 7) == -1) - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlGetActiveActivationContext( - _Out_ PACTIVATION_CONTEXT ActivationContext); - - // private - NTSYSAPI - VOID - NTAPI - RtlAddRefActivationContext( - _In_ PACTIVATION_CONTEXT ActivationContext); - - // private - NTSYSAPI - VOID - NTAPI - RtlReleaseActivationContext( - _In_ PACTIVATION_CONTEXT ActivationContext); - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlZombifyActivationContext( - _In_ PACTIVATION_CONTEXT ActivationContext); - - // private - NTSYSAPI - BOOLEAN - NTAPI - RtlIsActivationContextActive( - _In_ PACTIVATION_CONTEXT ActivationContext); - - // private - NTSYSAPI - NTSTATUS - NTAPI - 
RtlActivateActivationContext( - _Reserved_ ULONG Flags, - _In_ PACTIVATION_CONTEXT ActivationContext, - _Out_ PULONG_PTR Cookie); - -#define RTL_ACTIVATE_ACTIVATION_CONTEXT_EX_FLAG_RELEASE_ON_STACK_DEALLOCATION 0x00000001 - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlActivateActivationContextEx( - _In_ ULONG Flags, - _In_ PTEB Teb, - _In_ PACTIVATION_CONTEXT ActivationContext, - _Out_ PULONG_PTR Cookie); - -#define RTL_DEACTIVATE_ACTIVATION_CONTEXT_FLAG_FORCE_EARLY_DEACTIVATION 0x00000001 - - // private - NTSYSAPI - VOID - NTAPI - RtlDeactivateActivationContext( - _In_ ULONG Flags, - _In_ ULONG_PTR Cookie); - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlCreateActivationContext( - _Reserved_ ULONG Flags, - _In_ PACTIVATION_CONTEXT_DATA ActivationContextData, - _In_opt_ ULONG ExtraBytes, - _In_opt_ PACTIVATION_CONTEXT_NOTIFY_ROUTINE NotificationRoutine, - _In_opt_ PVOID NotificationContext, - _Out_ PACTIVATION_CONTEXT *ActivationContext); - -#define FIND_ACTIVATION_CONTEXT_SECTION_KEY_RETURN_ACTIVATION_CONTEXT 0x00000001 -#define FIND_ACTIVATION_CONTEXT_SECTION_KEY_RETURN_FLAGS 0x00000002 -#define FIND_ACTIVATION_CONTEXT_SECTION_KEY_RETURN_ASSEMBLY_METADATA 0x00000004 - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlFindActivationContextSectionString( - _In_ ULONG Flags, - _In_opt_ PGUID ExtensionGuid, - _In_ ULONG SectionId, // ACTIVATION_CONTEXT_SECTION_* - _In_ PUNICODE_STRING StringToFind, - _Inout_ PACTCTX_SECTION_KEYED_DATA ReturnedData); - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlFindActivationContextSectionGuid( - _In_ ULONG Flags, - _In_opt_ PGUID ExtensionGuid, - _In_ ULONG SectionId, // ACTIVATION_CONTEXT_SECTION_* - _In_ PGUID GuidToFind, - _Inout_ PACTCTX_SECTION_KEYED_DATA ReturnedData); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlQueryActivationContextApplicationSettings( - _Reserved_ ULONG Flags, - _In_ PACTIVATION_CONTEXT ActivationContext, - _In_ PCWSTR SettingsNameSpace, - _In_ PCWSTR SettingName, - _Out_writes_bytes_(BufferLength) 
PWSTR Buffer, - _In_ SIZE_T BufferLength, - _Out_opt_ PSIZE_T RequiredLength); - - // ACTIVATION_CONTEXT_INFO_CLASS - // ActivationContextBasicInformation // q: ACTIVATION_CONTEXT_BASIC_INFORMATION - // ActivationContextDetailedInformation // q: ACTIVATION_CONTEXT_DETAILED_INFORMATION - // AssemblyDetailedInformationInActivationContext // q: ACTIVATION_CONTEXT_ASSEMBLY_DETAILED_INFORMATION - // FileInformationInAssemblyOfAssemblyInActivationContext // q: ASSEMBLY_FILE_DETAILED_INFORMATION - // RunlevelInformationInActivationContext // q: ACTIVATION_CONTEXT_RUN_LEVEL_INFORMATION - // CompatibilityInformationInActivationContext // q: ACTIVATION_CONTEXT_COMPATIBILITY_INFORMATION[_LEGACY] - // ActivationContextManifestResourceName // q: ULONG - -#define RTL_QUERY_INFORMATION_ACTIVATION_CONTEXT_FLAG_USE_ACTIVE_ACTIVATION_CONTEXT 0x00000001 -#define RTL_QUERY_INFORMATION_ACTIVATION_CONTEXT_FLAG_ACTIVATION_CONTEXT_IS_MODULE 0x00000002 -#define RTL_QUERY_INFORMATION_ACTIVATION_CONTEXT_FLAG_ACTIVATION_CONTEXT_IS_ADDRESS 0x00000004 -#define RTL_QUERY_INFORMATION_ACTIVATION_CONTEXT_FLAG_NO_ADDREF 0x80000000 - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlQueryInformationActivationContext( - _In_ ULONG Flags, - _In_opt_ PACTIVATION_CONTEXT ActivationContext, - _In_opt_ PACTIVATION_CONTEXT_QUERY_INDEX SubInstanceIndex, - _In_ ACTIVATION_CONTEXT_INFO_CLASS ActivationContextInformationClass, - _Out_writes_bytes_(ActivationContextInformationLength) PVOID ActivationContextInformation, - _In_ SIZE_T ActivationContextInformationLength, - _Out_opt_ PSIZE_T ReturnLength); - -#ifdef PHNT_INLINE_TYPEDEFS - // private - FORCEINLINE - NTSTATUS - NTAPI - RtlQueryInformationActiveActivationContext( - _In_ ACTIVATION_CONTEXT_INFO_CLASS ActivationContextInformationClass, - _Out_writes_bytes_(ActivationContextInformationLength) PVOID ActivationContextInformation, - _In_ SIZE_T ActivationContextInformationLength, - _Out_opt_ PSIZE_T ReturnLength) - { - return 
RtlQueryInformationActivationContext( - RTL_QUERY_INFORMATION_ACTIVATION_CONTEXT_FLAG_USE_ACTIVE_ACTIVATION_CONTEXT, - NULL, - 0, - ActivationContextInformationClass, - ActivationContextInformation, - ActivationContextInformationLength, - ReturnLength); - } -#else - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlQueryInformationActiveActivationContext( - _In_ ACTIVATION_CONTEXT_INFO_CLASS ActivationContextInformationClass, - _Out_writes_bytes_(ActivationContextInformationLength) PVOID ActivationContextInformation, - _In_ SIZE_T ActivationContextInformationLength, - _Out_opt_ PSIZE_T ReturnLength); -#endif - - // Images - - NTSYSAPI - PIMAGE_NT_HEADERS - NTAPI - RtlImageNtHeader( - _In_ PVOID BaseOfImage); - -#define RTL_IMAGE_NT_HEADER_EX_FLAG_NO_RANGE_CHECK 0x00000001 - - NTSYSAPI - NTSTATUS - NTAPI - RtlImageNtHeaderEx( - _In_ ULONG Flags, - _In_ PVOID BaseOfImage, - _In_ ULONG64 Size, - _Out_ PIMAGE_NT_HEADERS *OutHeaders); - - NTSYSAPI - PVOID - NTAPI - RtlAddressInSectionTable( - _In_ PIMAGE_NT_HEADERS NtHeaders, - _In_ PVOID BaseOfImage, - _In_ ULONG VirtualAddress); - - NTSYSAPI - PIMAGE_SECTION_HEADER - NTAPI - RtlSectionTableFromVirtualAddress( - _In_ PIMAGE_NT_HEADERS NtHeaders, - _In_ PVOID BaseOfImage, - _In_ ULONG VirtualAddress); - - NTSYSAPI - PVOID - NTAPI - RtlImageDirectoryEntryToData( - _In_ PVOID BaseOfImage, - _In_ BOOLEAN MappedAsImage, - _In_ USHORT DirectoryEntry, - _Out_ PULONG Size); - - NTSYSAPI - PIMAGE_SECTION_HEADER - NTAPI - RtlImageRvaToSection( - _In_ PIMAGE_NT_HEADERS NtHeaders, - _In_ PVOID BaseOfImage, - _In_ ULONG Rva); - - NTSYSAPI - PVOID - NTAPI - RtlImageRvaToVa( - _In_ PIMAGE_NT_HEADERS NtHeaders, - _In_ PVOID BaseOfImage, - _In_ ULONG Rva, - _Out_opt_ PIMAGE_SECTION_HEADER *LastRvaSection); - -#if (PHNT_VERSION >= PHNT_REDSTONE) - - // rev - NTSYSAPI - PVOID - NTAPI - RtlFindExportedRoutineByName( - _In_ PVOID BaseOfImage, - _In_z_ PCSTR RoutineName); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlGuardCheckLongJumpTarget( - 
_In_ PVOID PcValue, - _In_ BOOL IsFastFail, - _Out_ PBOOL IsLongJumpTarget); - -#endif - -#if (PHNT_VERSION >= PHNT_WIN11_22H2) - NTSYSAPI - VOID - NTAPI - RtlValidateUserCallTarget( - _In_ PVOID Address, - _Out_ PULONG Flags); -#endif - - // - // Memory - // - - _Check_return_ - NTSYSAPI - SIZE_T - NTAPI - RtlCompareMemory( - _In_ const VOID *Source1, - _In_ const VOID *Source2, - _In_ SIZE_T Length); - - _Must_inspect_result_ - NTSYSAPI - SIZE_T - NTAPI - RtlCompareMemoryUlong( - _In_reads_bytes_(Length) PVOID Source, - _In_ SIZE_T Length, - _In_ ULONG Pattern); - -#if defined(_M_AMD64) - FORCEINLINE - VOID - RtlFillMemoryUlong( - _Out_writes_bytes_all_(Length) PVOID Destination, - _In_ SIZE_T Length, - _In_ ULONG Pattern) - { - PULONG Address = (PULONG)Destination; - - // - // If the number of DWORDs is not zero, then fill the specified buffer - // with the specified pattern. - // - - if ((Length /= 4) != 0) - { - - // - // If the destination is not quadword aligned (ignoring low bits), - // then align the destination by storing one DWORD. - // - - if (((ULONG64)Address & 4) != 0) - { - *Address = Pattern; - if ((Length -= 1) == 0) - { - return; - } - - Address += 1; - } - - // - // If the number of QWORDs is not zero, then fill the destination - // buffer a QWORD at a time. 
- // - - __stosq((PULONG64)(Address), - Pattern | ((ULONG64)Pattern << 32), - Length / 2); - - if ((Length & 1) != 0) - { - Address[Length - 1] = Pattern; - } - } - - return; - } -#else - NTSYSAPI - VOID - NTAPI - RtlFillMemoryUlong( - _Out_writes_bytes_all_(Length) PVOID Destination, - _In_ SIZE_T Length, - _In_ ULONG Pattern); -#endif - -#if defined(_M_AMD64) - -#define RtlFillMemoryUlonglong(Destination, Length, Pattern) \ - __stosq((PULONG64)(Destination), Pattern, (Length) / 8) - -#else - NTSYSAPI - VOID - NTAPI - RtlFillMemoryUlonglong( - _Out_writes_bytes_all_(Length) PVOID Destination, - _In_ SIZE_T Length, - _In_ ULONGLONG Pattern); -#endif - -#if (PHNT_VERSION >= PHNT_19H2) - NTSYSAPI - BOOLEAN - NTAPI - RtlIsZeroMemory( - _In_ PVOID Buffer, - _In_ SIZE_T Length); -#endif - - NTSYSAPI - ULONG - NTAPI - RtlCrc32( - _In_reads_bytes_(Size) const void *Buffer, - _In_ size_t Size, - _In_ ULONG InitialCrc); - - NTSYSAPI - ULONGLONG - NTAPI - RtlCrc64( - _In_reads_bytes_(Size) const void *Buffer, - _In_ size_t Size, - _In_ ULONGLONG InitialCrc); - -// RTL_SYSTEM_GLOBAL_DATA_ID -#define GlobalDataIdUnknown 0 -#define GlobalDataIdRngSeedVersion 1 -#define GlobalDataIdInterruptTime 2 -#define GlobalDataIdTimeZoneBias 3 -#define GlobalDataIdImageNumberLow 4 -#define GlobalDataIdImageNumberHigh 5 -#define GlobalDataIdTimeZoneId 6 -#define GlobalDataIdNtMajorVersion 7 -#define GlobalDataIdNtMinorVersion 8 -#define GlobalDataIdSystemExpirationDate 9 -#define GlobalDataIdKdDebuggerEnabled 10 -#define GlobalDataIdCyclesPerYield 11 -#define GlobalDataIdSafeBootMode 12 -#define GlobalDataIdLastSystemRITEventTickCount 13 -#define GlobalDataIdConsoleSharedDataFlags 14 -#define GlobalDataIdNtSystemRootDrive 15 -#define GlobalDataIdQpcBypassEnabled 16 -#define GlobalDataIdQpcData 17 -#define GlobalDataIdQpcBias 18 - - NTSYSAPI - ULONG - NTAPI - RtlGetSystemGlobalData( - _In_ RTL_SYSTEM_GLOBAL_DATA_ID DataId, - _Inout_ PVOID Buffer, - _In_ ULONG Size); - - NTSYSAPI - ULONG - 
NTAPI - RtlSetSystemGlobalData( - _In_ RTL_SYSTEM_GLOBAL_DATA_ID DataId, - _In_ PVOID Buffer, - _In_ ULONG Size); - - // - // Environment - // - - NTSYSAPI - NTSTATUS - NTAPI - RtlCreateEnvironment( - _In_ BOOLEAN CloneCurrentEnvironment, - _Out_ PVOID *Environment); - -// begin_rev -#define RTL_CREATE_ENVIRONMENT_TRANSLATE 0x1 // translate from multi-byte to Unicode -#define RTL_CREATE_ENVIRONMENT_TRANSLATE_FROM_OEM 0x2 // translate from OEM to Unicode (Translate flag must also be set) -#define RTL_CREATE_ENVIRONMENT_EMPTY 0x4 // create empty environment block - // end_rev - -#if (PHNT_VERSION >= PHNT_VISTA) - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlCreateEnvironmentEx( - _In_opt_ PVOID SourceEnvironment, - _Out_ PVOID *Environment, - _In_ ULONG Flags); -#endif - - NTSYSAPI - NTSTATUS - NTAPI - RtlDestroyEnvironment( - _In_ _Post_invalid_ PVOID Environment); - - NTSYSAPI - NTSTATUS - NTAPI - RtlSetCurrentEnvironment( - _In_ PVOID Environment, - _Out_opt_ PVOID *PreviousEnvironment); - -#if (PHNT_VERSION >= PHNT_VISTA) - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlSetEnvironmentVar( - _Inout_opt_ PVOID *Environment, - _In_reads_(NameLength) PCWSTR Name, - _In_ SIZE_T NameLength, - _In_reads_(ValueLength) PCWSTR Value, - _In_opt_ SIZE_T ValueLength); -#endif - - NTSYSAPI - NTSTATUS - NTAPI - RtlSetEnvironmentVariable( - _Inout_opt_ PVOID *Environment, - _In_ PUNICODE_STRING Name, - _In_opt_ PUNICODE_STRING Value); - -#if (PHNT_VERSION >= PHNT_VISTA) - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlQueryEnvironmentVariable( - _In_opt_ PVOID Environment, - _In_reads_(NameLength) PCWSTR Name, - _In_ SIZE_T NameLength, - _Out_writes_opt_(ValueLength) PWSTR Value, - _In_opt_ SIZE_T ValueLength, - _Out_ PSIZE_T ReturnLength); -#endif - - NTSYSAPI - NTSTATUS - NTAPI - RtlQueryEnvironmentVariable_U( - _In_opt_ PVOID Environment, - _In_ PUNICODE_STRING Name, - _Inout_ PUNICODE_STRING Value); - -#if (PHNT_VERSION >= PHNT_VISTA) - // private - NTSYSAPI - NTSTATUS - 
NTAPI - RtlExpandEnvironmentStrings( - _In_opt_ PVOID Environment, - _In_reads_(SourceLength) PCWSTR Source, - _In_ SIZE_T SourceLength, - _Out_writes_(DestinationLength) PWSTR Destination, - _In_ SIZE_T DestinationLength, - _Out_opt_ PSIZE_T ReturnLength); -#endif - - NTSYSAPI - NTSTATUS - NTAPI - RtlExpandEnvironmentStrings_U( - _In_opt_ PVOID Environment, - _In_ PUNICODE_STRING Source, - _Inout_ PUNICODE_STRING Destination, - _Out_opt_ PULONG ReturnedLength); - - NTSYSAPI - NTSTATUS - NTAPI - RtlSetEnvironmentStrings( - _In_ PCWSTR NewEnvironment, - _In_ SIZE_T NewEnvironmentSize); - - // Directory and path support - - typedef struct _RTLP_CURDIR_REF - { - LONG ReferenceCount; - HANDLE DirectoryHandle; - } RTLP_CURDIR_REF, *PRTLP_CURDIR_REF; - - typedef struct _RTL_RELATIVE_NAME_U - { - UNICODE_STRING RelativeName; - HANDLE ContainingDirectory; - PRTLP_CURDIR_REF CurDirRef; - } RTL_RELATIVE_NAME_U, *PRTL_RELATIVE_NAME_U; - - typedef enum _RTL_PATH_TYPE - { - RtlPathTypeUnknown, - RtlPathTypeUncAbsolute, - RtlPathTypeDriveAbsolute, - RtlPathTypeDriveRelative, - RtlPathTypeRooted, - RtlPathTypeRelative, - RtlPathTypeLocalDevice, - RtlPathTypeRootLocalDevice - } RTL_PATH_TYPE; - - // Data exports (ntdll.lib/ntdllp.lib) - - NTSYSAPI PCWSTR RtlNtdllName; - NTSYSAPI UNICODE_STRING RtlDosPathSeperatorsString; - NTSYSAPI UNICODE_STRING RtlAlternateDosPathSeperatorString; - NTSYSAPI UNICODE_STRING RtlNtPathSeperatorString; - -#ifndef PHNT_INLINE_SEPERATOR_STRINGS -#define RtlNtdllName L"ntdll.dll" -#define RtlDosPathSeperatorsString ((UNICODE_STRING)RTL_CONSTANT_STRING(L"\\/")) -#define RtlAlternateDosPathSeperatorString ((UNICODE_STRING)RTL_CONSTANT_STRING(L"/")) -#define RtlNtPathSeperatorString ((UNICODE_STRING)RTL_CONSTANT_STRING(L"\\")) - -#define RtlDosDevicesPrefix ((UNICODE_STRING)RTL_CONSTANT_STRING(L"\\??\\")) -#define RtlDosDevicesUncPrefix ((UNICODE_STRING)RTL_CONSTANT_STRING(L"\\??\\UNC\\")) -#define RtlSlashSlashDot 
((UNICODE_STRING)RTL_CONSTANT_STRING(L"\\\\.\\")) -#define RtlNullString ((UNICODE_STRING)RTL_CONSTANT_STRING(L"")) -#define RtlWin32NtRootSlash ((UNICODE_STRING)RTL_CONSTANT_STRING(L"\\\\?\\")) -#define RtlWin32NtRoot ((UNICODE_STRING)RTL_CONSTANT_STRING(L"\\\\?")) -#define RtlWin32NtUncRoot ((UNICODE_STRING)RTL_CONSTANT_STRING(L"\\\\?\\UNC")) -#define RtlWin32NtUncRootSlash ((UNICODE_STRING)RTL_CONSTANT_STRING(L"\\\\?\\UNC\\")) -#define RtlDefaultExtension ((UNICODE_STRING)RTL_CONSTANT_STRING(L".DLL")) -#endif - - // Path functions - - NTSYSAPI - RTL_PATH_TYPE - NTAPI - RtlDetermineDosPathNameType_U( - _In_ PCWSTR DosFileName); - - NTSYSAPI - ULONG - NTAPI - RtlIsDosDeviceName_U( - _In_ PCWSTR DosFileName); - - NTSYSAPI - ULONG - NTAPI - RtlGetFullPathName_U( - _In_ PCWSTR FileName, - _In_ ULONG BufferLength, - _Out_writes_bytes_(BufferLength) PWSTR Buffer, - _Out_opt_ PWSTR *FilePart); - -#if (PHNT_VERSION >= PHNT_WIN7) - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlGetFullPathName_UEx( - _In_ PCWSTR FileName, - _In_ ULONG BufferLength, - _Out_writes_bytes_(BufferLength) PWSTR Buffer, - _Out_opt_ PWSTR *FilePart, - _Out_opt_ ULONG *BytesRequired); -#endif - -#if (PHNT_VERSION >= PHNT_WS03) - NTSYSAPI - NTSTATUS - NTAPI - RtlGetFullPathName_UstrEx( - _In_ PUNICODE_STRING FileName, - _Inout_ PUNICODE_STRING StaticString, - _Out_opt_ PUNICODE_STRING DynamicString, - _Out_opt_ PUNICODE_STRING *StringUsed, - _Out_opt_ SIZE_T *FilePartPrefixCch, - _Out_opt_ PBOOLEAN NameInvalid, - _Out_ RTL_PATH_TYPE *InputPathType, - _Out_opt_ SIZE_T *BytesRequired); -#endif - - NTSYSAPI - ULONG - NTAPI - RtlGetCurrentDirectory_U( - _In_ ULONG BufferLength, - _Out_writes_bytes_(BufferLength) PWSTR Buffer); - - NTSYSAPI - NTSTATUS - NTAPI - RtlSetCurrentDirectory_U( - _In_ PUNICODE_STRING PathName); - - NTSYSAPI - ULONG - NTAPI - RtlGetLongestNtPathLength( - VOID); - - // rev - typedef struct _RTL_BUFFER - { - PUCHAR Buffer; - PUCHAR StaticBuffer; - SIZE_T Size; - SIZE_T StaticSize; - } 
RTL_BUFFER, *PRTL_BUFFER; - - // FORCEINLINE - // VOID - // RtlInitBuffer( - // _Inout_ PRTL_BUFFER Buffer, - // _In_ PUCHAR Data, - // _In_ ULONG DataSize - // ) - //{ - // Buffer->Buffer = Buffer->StaticBuffer = Data; - // Buffer->Size = Buffer->StaticSize = DataSize; - // } - // - // FORCEINLINE - // VOID - // RtlFreeBuffer( - // _Inout_ PRTL_BUFFER Buffer - // ) - //{ - // if (Buffer->Buffer != Buffer->StaticBuffer && Buffer->Buffer) - // RtlFreeHeap(RtlProcessHeap(), 0, Buffer->Buffer); - // Buffer->Buffer = Buffer->StaticBuffer; - // Buffer->Size = Buffer->StaticSize; - // } - - // rev - typedef struct _RTL_UNICODE_STRING_BUFFER - { - UNICODE_STRING String; - RTL_BUFFER ByteBuffer; - UCHAR MinimumStaticBufferForTerminalNul[2]; - } RTL_UNICODE_STRING_BUFFER, *PRTL_UNICODE_STRING_BUFFER; - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlNtPathNameToDosPathName( - _Reserved_ ULONG Flags, - _Inout_ PRTL_UNICODE_STRING_BUFFER Path, - _Out_opt_ PULONG Disposition, // RtlDetermineDosPathNameType_U - _Out_opt_ PWSTR *FilePart); - - NTSYSAPI - BOOLEAN - NTAPI - RtlDosPathNameToNtPathName_U( - _In_ PCWSTR DosFileName, - _Out_ PUNICODE_STRING NtFileName, - _Out_opt_ PWSTR *FilePart, - _Out_opt_ PRTL_RELATIVE_NAME_U RelativeName); - -#if (PHNT_VERSION >= PHNT_WS03) - NTSYSAPI - NTSTATUS - NTAPI - RtlDosPathNameToNtPathName_U_WithStatus( - _In_ PCWSTR DosFileName, - _Out_ PUNICODE_STRING NtFileName, - _Out_opt_ PWSTR *FilePart, - _Out_opt_ PRTL_RELATIVE_NAME_U RelativeName); -#endif - -#if (PHNT_VERSION >= PHNT_REDSTONE3) - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlDosLongPathNameToNtPathName_U_WithStatus( - _In_ PCWSTR DosFileName, - _Out_ PUNICODE_STRING NtFileName, - _Out_opt_ PWSTR *FilePart, - _Out_opt_ PRTL_RELATIVE_NAME_U RelativeName); -#endif - -#if (PHNT_VERSION >= PHNT_WS03) - NTSYSAPI - BOOLEAN - NTAPI - RtlDosPathNameToRelativeNtPathName_U( - _In_ PCWSTR DosFileName, - _Out_ PUNICODE_STRING NtFileName, - _Out_opt_ PWSTR *FilePart, - _Out_opt_ PRTL_RELATIVE_NAME_U 
RelativeName); -#endif - -#if (PHNT_VERSION >= PHNT_WS03) - NTSYSAPI - NTSTATUS - NTAPI - RtlDosPathNameToRelativeNtPathName_U_WithStatus( - _In_ PCWSTR DosFileName, - _Out_ PUNICODE_STRING NtFileName, - _Out_opt_ PWSTR *FilePart, - _Out_opt_ PRTL_RELATIVE_NAME_U RelativeName); -#endif - -#if (PHNT_VERSION >= PHNT_REDSTONE3) - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlDosLongPathNameToRelativeNtPathName_U_WithStatus( - _In_ PCWSTR DosFileName, - _Out_ PUNICODE_STRING NtFileName, - _Out_opt_ PWSTR *FilePart, - _Out_opt_ PRTL_RELATIVE_NAME_U RelativeName); -#endif - -#if (PHNT_VERSION >= PHNT_WS03) - NTSYSAPI - VOID - NTAPI - RtlReleaseRelativeName( - _Inout_ PRTL_RELATIVE_NAME_U RelativeName); -#endif - - NTSYSAPI - ULONG - NTAPI - RtlDosSearchPath_U( - _In_ PCWSTR Path, - _In_ PCWSTR FileName, - _In_opt_ PCWSTR Extension, - _In_ ULONG BufferLength, - _Out_writes_bytes_(BufferLength) PWSTR Buffer, - _Out_opt_ PWSTR *FilePart); - -#define RTL_DOS_SEARCH_PATH_FLAG_APPLY_ISOLATION_REDIRECTION 0x00000001 -#define RTL_DOS_SEARCH_PATH_FLAG_DISALLOW_DOT_RELATIVE_PATH_SEARCH 0x00000002 -#define RTL_DOS_SEARCH_PATH_FLAG_APPLY_DEFAULT_EXTENSION_WHEN_NOT_RELATIVE_PATH_EVEN_IF_FILE_HAS_EXTENSION 0x00000004 - - NTSYSAPI - NTSTATUS - NTAPI - RtlDosSearchPath_Ustr( - _In_ ULONG Flags, - _In_ PUNICODE_STRING Path, - _In_ PUNICODE_STRING FileName, - _In_opt_ PUNICODE_STRING DefaultExtension, - _Out_opt_ PUNICODE_STRING StaticString, - _Out_opt_ PUNICODE_STRING DynamicString, - _Out_opt_ PCUNICODE_STRING *FullFileNameOut, - _Out_opt_ SIZE_T *FilePartPrefixCch, - _Out_opt_ SIZE_T *BytesRequired); - - NTSYSAPI - BOOLEAN - NTAPI - RtlDoesFileExists_U( - _In_ PCWSTR FileName); - - // ros - NTSYSAPI - NTSTATUS - NTAPI - RtlDosApplyFileIsolationRedirection_Ustr( - _In_ ULONG Flags, - _In_ PUNICODE_STRING OriginalName, - _In_ PUNICODE_STRING Extension, - _In_opt_ PUNICODE_STRING StaticString, - _In_opt_ PUNICODE_STRING DynamicString, - _In_opt_ PUNICODE_STRING *NewName, - _In_ PULONG 
NewFlags, - _In_ PSIZE_T FileNameSize, - _In_ PSIZE_T RequiredLength); - - NTSYSAPI - NTSTATUS - NTAPI - RtlGetLengthWithoutLastFullDosOrNtPathElement( - _Reserved_ ULONG Flags, - _In_ PUNICODE_STRING PathString, - _Out_ PULONG Length); - - NTSYSAPI - NTSTATUS - NTAPI - RtlGetLengthWithoutTrailingPathSeperators( - _Reserved_ ULONG Flags, - _In_ PUNICODE_STRING PathString, - _Out_ PULONG Length); - - typedef struct _GENERATE_NAME_CONTEXT - { - USHORT Checksum; - BOOLEAN CheckSumInserted; - UCHAR NameLength; - WCHAR NameBuffer[8]; - ULONG ExtensionLength; - WCHAR ExtensionBuffer[4]; - ULONG LastIndexValue; - } GENERATE_NAME_CONTEXT, *PGENERATE_NAME_CONTEXT; - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlGenerate8dot3Name( - _In_ PUNICODE_STRING Name, - _In_ BOOLEAN AllowExtendedCharacters, - _Inout_ PGENERATE_NAME_CONTEXT Context, - _Inout_ PUNICODE_STRING Name8dot3); - -#if (PHNT_VERSION >= PHNT_WIN8) - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlComputePrivatizedDllName_U( - _In_ PUNICODE_STRING DllName, - _Out_ PUNICODE_STRING RealName, - _Out_ PUNICODE_STRING LocalName); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlGetSearchPath( - _Out_ PWSTR *SearchPath); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlSetSearchPathMode( - _In_ ULONG Flags); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlGetExePath( - _In_ PCWSTR DosPathName, - _Out_ PWSTR *SearchPath); - - // rev - NTSYSAPI - VOID - NTAPI - RtlReleasePath( - _In_ PCWSTR Path); - -#endif - -#if (PHNT_VERSION >= PHNT_REDSTONE) - // rev - NTSYSAPI - ULONG - NTAPI - RtlReplaceSystemDirectoryInPath( - _Inout_ PUNICODE_STRING Destination, - _In_ USHORT Machine, // IMAGE_FILE_MACHINE_I386 - _In_ USHORT TargetMachine, // IMAGE_FILE_MACHINE_TARGET_HOST - _In_ BOOLEAN IncludePathSeperator); -#endif - -#if (PHNT_VERSION >= PHNT_REDSTONE) - // rev from Wow64DetermineEnvironment - NTSYSAPI - USHORT - NTAPI - RtlWow64GetCurrentMachine( - VOID); - - // rev from Wow64DetermineEnvironment - NTSYSAPI - NTSTATUS - NTAPI - 
RtlWow64IsWowGuestMachineSupported( - _In_ USHORT NativeMachine, - _Out_ PBOOLEAN IsWowGuestMachineSupported); -#endif - -#if (PHNT_VERSION >= PHNT_WIN10_21H2) - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlWow64GetProcessMachines( - _In_ HANDLE ProcessHandle, - _Out_ PUSHORT ProcessMachine, - _Out_opt_ PUSHORT NativeMachine); -#endif - -#if (PHNT_VERSION >= PHNT_WIN11) -// rev -#define IMAGE_FILE_NATIVE_MACHINE_I386 0x1 -#define IMAGE_FILE_NATIVE_MACHINE_AMD64 0x2 -#define IMAGE_FILE_NATIVE_MACHINE_ARMNT 0x4 -#define IMAGE_FILE_NATIVE_MACHINE_ARM64 0x8 - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlGetImageFileMachines( - _In_ PCWSTR FileName, - _Out_ PUSHORT FileMachines); -#endif - -#if (PHNT_VERSION >= PHNT_REDSTONE2) - -#ifdef PHNT_INLINE_TYPEDEFS - // rev - FORCEINLINE - PWSTR - NTAPI - RtlGetNtSystemRoot( - VOID) - { - if (NtCurrentPeb()->SharedData && NtCurrentPeb()->SharedData->ServiceSessionId) // RtlGetCurrentServiceSessionId - return NtCurrentPeb()->SharedData->NtSystemRoot; - else - return USER_SHARED_DATA->NtSystemRoot; - } -#else - // private - NTSYSAPI - PWSTR - NTAPI - RtlGetNtSystemRoot( - VOID); -#endif - -#ifdef PHNT_INLINE_TYPEDEFS - // rev - FORCEINLINE - BOOLEAN - NTAPI - RtlAreLongPathsEnabled( - VOID) - { - return NtCurrentPeb()->IsLongPathAwareProcess; - } -#else - // rev - NTSYSAPI - BOOLEAN - NTAPI - RtlAreLongPathsEnabled( - VOID); -#endif - -#endif - - NTSYSAPI - BOOLEAN - NTAPI - RtlIsThreadWithinLoaderCallout( - VOID); - - /** - * Gets a value indicating whether the process is currently in the shutdown phase. - * - * @return TRUE if a shutdown of the current dll process is in progress; otherwise, FALSE. 
- */ - NTSYSAPI - BOOLEAN - NTAPI - RtlDllShutdownInProgress( - VOID); - - // Heaps - - typedef struct _RTL_HEAP_ENTRY - { - SIZE_T Size; - USHORT Flags; - USHORT AllocatorBackTraceIndex; - union - { - struct - { - SIZE_T Settable; - ULONG Tag; - } s1; - struct - { - SIZE_T CommittedSize; - PVOID FirstBlock; - } s2; - } u; - } RTL_HEAP_ENTRY, *PRTL_HEAP_ENTRY; - -#define RTL_HEAP_BUSY (USHORT)0x0001 -#define RTL_HEAP_SEGMENT (USHORT)0x0002 -#define RTL_HEAP_SETTABLE_VALUE (USHORT)0x0010 -#define RTL_HEAP_SETTABLE_FLAG1 (USHORT)0x0020 -#define RTL_HEAP_SETTABLE_FLAG2 (USHORT)0x0040 -#define RTL_HEAP_SETTABLE_FLAG3 (USHORT)0x0080 -#define RTL_HEAP_SETTABLE_FLAGS (USHORT)0x00e0 -#define RTL_HEAP_UNCOMMITTED_RANGE (USHORT)0x1000 -#define RTL_HEAP_PROTECTED_ENTRY (USHORT)0x2000 -#define RTL_HEAP_LARGE_ALLOC (USHORT)0x4000 -#define RTL_HEAP_LFH_ALLOC (USHORT)0x8000 - - typedef struct _RTL_HEAP_TAG - { - ULONG NumberOfAllocations; - ULONG NumberOfFrees; - SIZE_T BytesAllocated; - USHORT TagIndex; - USHORT CreatorBackTraceIndex; - WCHAR TagName[24]; - } RTL_HEAP_TAG, *PRTL_HEAP_TAG; - - // Windows 7/8/10 - typedef struct _RTL_HEAP_INFORMATION_V1 - { - PVOID BaseAddress; - ULONG Flags; - USHORT EntryOverhead; - USHORT CreatorBackTraceIndex; - SIZE_T BytesAllocated; - SIZE_T BytesCommitted; - ULONG NumberOfTags; - ULONG NumberOfEntries; - ULONG NumberOfPseudoTags; - ULONG PseudoTagGranularity; - ULONG Reserved[5]; - PRTL_HEAP_TAG Tags; - PRTL_HEAP_ENTRY Entries; - } RTL_HEAP_INFORMATION_V1, *PRTL_HEAP_INFORMATION_V1; - - // Windows 11 > 22000 - typedef struct _RTL_HEAP_INFORMATION_V2 - { - PVOID BaseAddress; - ULONG Flags; - USHORT EntryOverhead; - USHORT CreatorBackTraceIndex; - SIZE_T BytesAllocated; - SIZE_T BytesCommitted; - ULONG NumberOfTags; - ULONG NumberOfEntries; - ULONG NumberOfPseudoTags; - ULONG PseudoTagGranularity; - ULONG Reserved[5]; - PRTL_HEAP_TAG Tags; - PRTL_HEAP_ENTRY Entries; - ULONG64 HeapTag; - } RTL_HEAP_INFORMATION_V2, *PRTL_HEAP_INFORMATION_V2; - 
-#define RTL_HEAP_SIGNATURE 0xFFEEFFEEUL -#define RTL_HEAP_SEGMENT_SIGNATURE 0xDDEEDDEEUL - - typedef struct _RTL_PROCESS_HEAPS_V1 - { - ULONG NumberOfHeaps; - _Field_size_(NumberOfHeaps) RTL_HEAP_INFORMATION_V1 Heaps[1]; - } RTL_PROCESS_HEAPS_V1, *PRTL_PROCESS_HEAPS_V1; - - typedef struct _RTL_PROCESS_HEAPS_V2 - { - ULONG NumberOfHeaps; - _Field_size_(NumberOfHeaps) RTL_HEAP_INFORMATION_V2 Heaps[1]; - } RTL_PROCESS_HEAPS_V2, *PRTL_PROCESS_HEAPS_V2; - - // Segment heap parameters. - - typedef enum _RTL_MEMORY_TYPE - { - MemoryTypePaged, - MemoryTypeNonPaged, - MemoryType64KPage, - MemoryTypeLargePage, - MemoryTypeHugePage, - MemoryTypeCustom, - MemoryTypeMax - } RTL_MEMORY_TYPE, - *PRTL_MEMORY_TYPE; - - typedef enum _HEAP_MEMORY_INFO_CLASS - { - HeapMemoryBasicInformation - } HEAP_MEMORY_INFO_CLASS; - - typedef NTSTATUS ALLOCATE_VIRTUAL_MEMORY_EX_CALLBACK( - _Inout_ HANDLE CallbackContext, - _In_ HANDLE ProcessHandle, - _Inout_ _At_(*BaseAddress, _Readable_bytes_(*RegionSize) _Writable_bytes_(*RegionSize) _Post_readable_byte_size_(*RegionSize)) PVOID *BaseAddress, - _Inout_ PSIZE_T RegionSize, - _In_ ULONG AllocationType, - _In_ ULONG PageProtection, - _Inout_updates_opt_(ExtendedParameterCount) PMEM_EXTENDED_PARAMETER ExtendedParameters, - _In_ ULONG ExtendedParameterCount); - - typedef ALLOCATE_VIRTUAL_MEMORY_EX_CALLBACK *PALLOCATE_VIRTUAL_MEMORY_EX_CALLBACK; - - typedef NTSTATUS FREE_VIRTUAL_MEMORY_EX_CALLBACK( - _Inout_ HANDLE CallbackContext, - _In_ HANDLE ProcessHandle, - _Inout_ __drv_freesMem(Mem) PVOID *BaseAddress, - _Inout_ PSIZE_T RegionSize, - _In_ ULONG FreeType); - - typedef FREE_VIRTUAL_MEMORY_EX_CALLBACK *PFREE_VIRTUAL_MEMORY_EX_CALLBACK; - - typedef NTSTATUS QUERY_VIRTUAL_MEMORY_CALLBACK( - _Inout_ HANDLE CallbackContext, - _In_ HANDLE ProcessHandle, - _In_opt_ PVOID BaseAddress, - _In_ HEAP_MEMORY_INFO_CLASS MemoryInformationClass, - _Out_writes_bytes_(MemoryInformationLength) PVOID MemoryInformation, - _In_ SIZE_T MemoryInformationLength, - 
_Out_opt_ PSIZE_T ReturnLength); - - typedef QUERY_VIRTUAL_MEMORY_CALLBACK *PQUERY_VIRTUAL_MEMORY_CALLBACK; - - typedef struct _RTL_SEGMENT_HEAP_VA_CALLBACKS - { - HANDLE CallbackContext; - PALLOCATE_VIRTUAL_MEMORY_EX_CALLBACK AllocateVirtualMemory; - PFREE_VIRTUAL_MEMORY_EX_CALLBACK FreeVirtualMemory; - PQUERY_VIRTUAL_MEMORY_CALLBACK QueryVirtualMemory; - } RTL_SEGMENT_HEAP_VA_CALLBACKS, *PRTL_SEGMENT_HEAP_VA_CALLBACKS; - -#define RTL_SEGHEAP_MEM_SOURCE_ANY_NODE ((ULONG) - 1) - - typedef struct _RTL_SEGMENT_HEAP_MEMORY_SOURCE - { - ULONG Flags; - ULONG MemoryTypeMask; // Mask of RTL_MEMORY_TYPE members. - ULONG NumaNode; - union - { - HANDLE PartitionHandle; - RTL_SEGMENT_HEAP_VA_CALLBACKS *Callbacks; - }; - SIZE_T Reserved[2]; - } RTL_SEGMENT_HEAP_MEMORY_SOURCE, *PRTL_SEGMENT_HEAP_MEMORY_SOURCE; - -#define SEGMENT_HEAP_PARAMETERS_VERSION 3 -#define SEGMENT_HEAP_FLG_USE_PAGE_HEAP 0x1 -#define SEGMENT_HEAP_FLG_NO_LFH 0x2 -#define SEGMENT_HEAP_PARAMS_VALID_FLAGS 0x3 - - typedef struct _RTL_SEGMENT_HEAP_PARAMETERS - { - USHORT Version; - USHORT Size; - ULONG Flags; - RTL_SEGMENT_HEAP_MEMORY_SOURCE MemorySource; - SIZE_T Reserved[4]; - } RTL_SEGMENT_HEAP_PARAMETERS, *PRTL_SEGMENT_HEAP_PARAMETERS; - - // Heap parameters. 
- - typedef _Function_class_(RTL_HEAP_COMMIT_ROUTINE) - NTSTATUS - NTAPI - RTL_HEAP_COMMIT_ROUTINE( - _In_ PVOID Base, - _Inout_ PVOID *CommitAddress, - _Inout_ PSIZE_T CommitSize); - - typedef RTL_HEAP_COMMIT_ROUTINE *PRTL_HEAP_COMMIT_ROUTINE; - - typedef struct _RTL_HEAP_PARAMETERS - { - ULONG Length; - SIZE_T SegmentReserve; - SIZE_T SegmentCommit; - SIZE_T DeCommitFreeBlockThreshold; - SIZE_T DeCommitTotalFreeThreshold; - SIZE_T MaximumAllocationSize; - SIZE_T VirtualMemoryThreshold; - SIZE_T InitialCommit; - SIZE_T InitialReserve; - PRTL_HEAP_COMMIT_ROUTINE CommitRoutine; - SIZE_T Reserved[2]; - } RTL_HEAP_PARAMETERS, *PRTL_HEAP_PARAMETERS; - -#define HEAP_SETTABLE_USER_VALUE 0x00000100 -#define HEAP_SETTABLE_USER_FLAG1 0x00000200 -#define HEAP_SETTABLE_USER_FLAG2 0x00000400 -#define HEAP_SETTABLE_USER_FLAG3 0x00000800 -#define HEAP_SETTABLE_USER_FLAGS 0x00000e00 - -#define HEAP_CLASS_0 0x00000000 // Process heap -#define HEAP_CLASS_1 0x00001000 // Private heap -#define HEAP_CLASS_2 0x00002000 // Kernel heap -#define HEAP_CLASS_3 0x00003000 // GDI heap -#define HEAP_CLASS_4 0x00004000 // User heap -#define HEAP_CLASS_5 0x00005000 // Console heap -#define HEAP_CLASS_6 0x00006000 // User desktop heap -#define HEAP_CLASS_7 0x00007000 // CSR shared heap -#define HEAP_CLASS_8 0x00008000 // CSR port heap -#define HEAP_CLASS_MASK 0x0000f000 - -#define HEAP_MAXIMUM_TAG 0x0FFF -#define HEAP_GLOBAL_TAG 0x0800 -#define HEAP_PSEUDO_TAG_FLAG 0x8000 -#define HEAP_TAG_SHIFT 18 -#define HEAP_TAG_MASK (HEAP_MAXIMUM_TAG << HEAP_TAG_SHIFT) - -#define HEAP_CREATE_SEGMENT_HEAP 0x00000100 -// -// Only applies to segment heap. Applies pointer obfuscation which is -// generally excessive and unnecessary but is necessary for certain insecure -// heaps in win32k. -// -// Specifying HEAP_CREATE_HARDENED prevents the heap from using locks as -// pointers would potentially be exposed in heap metadata lock variables. 
-// Callers are therefore responsible for synchronizing access to hardened heaps. -// -#define HEAP_CREATE_HARDENED 0x00000200 - - /** - * The RtlCreateHeap routine creates a heap object that can be used by the calling process. This routine reserves - * space in the virtual address space of the process and allocates physical storage for a specified initial portion of this block. - * - * @param Flags Flags specifying optional attributes of the heap. - * @param HeapBase If HeapBase is a non-NULL value, it specifies the base address for a block of caller-allocated memory to use for the heap. - * @param ReserveSize If ReserveSize is a nonzero value, it specifies the initial amount of memory, in bytes, to reserve for the heap. - * @param CommitSize If CommitSize is a nonzero value, it specifies the initial amount of memory, in bytes, to commit for the heap. - * @param Lock Pointer to an opaque structure to be used as the heap lock. - * @param Parameters Pointer to a RTL_HEAP_PARAMETERS structure that contains parameters to be applied when creating the heap. - * @return RtlCreateHeap returns a handle to be used in accessing the created heap. - * \remarks https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-rtlcreateheap - */ - _Must_inspect_result_ - NTSYSAPI - PVOID - NTAPI - RtlCreateHeap( - _In_ ULONG Flags, - _In_opt_ PVOID HeapBase, - _In_opt_ SIZE_T ReserveSize, - _In_opt_ SIZE_T CommitSize, - _In_opt_ PVOID Lock, - _When_((Flags & HEAP_CREATE_SEGMENT_HEAP) != 0, _In_reads_bytes_opt_(sizeof(RTL_SEGMENT_HEAP_PARAMETERS))) - _When_((Flags & HEAP_CREATE_SEGMENT_HEAP) == 0, _In_reads_bytes_opt_(sizeof(RTL_HEAP_PARAMETERS))) - _In_opt_ PVOID Parameters); - - /** - * The RtlDestroyHeap routine destroys the specified heap object. RtlDestroyHeap decommits and releases all the pages of a private heap object, - * and it invalidates the handle to the heap. - * - * @param HeapHandle Handle for the heap to be destroyed. 
This parameter is a heap handle returned by RtlCreateHeap. - * @return If the call to RtlDestroyHeap succeeds, the return value is a NULL pointer. If the call to RtlDestroyHeap fails, the return value is a handle for the heap. - * \remarks https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-rtldestroyheap - */ - NTSYSAPI - PVOID - NTAPI - RtlDestroyHeap( - _In_ _Post_invalid_ PVOID HeapHandle); - - /** - * The RtlAllocateHeap routine allocates a block of memory from a heap. - * - * @param HeapHandle Handle for a private heap from which the memory will be allocated. - * @param Flags Controllable aspects of heap allocation. Specifying any flags will override the corresponding value specified when the heap was created with RtlCreateHeap. - * @param Size Number of bytes to be allocated. If the heap, specified by the HeapHandle parameter, is a nongrowable heap, Size must be less than or equal to the heap's virtual memory threshold. - * @return If the call to RtlAllocateHeap succeeds, the return value is a pointer to the newly-allocated block. The return value is NULL if the allocation failed. 
- * \remarks https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-rtlallocateheap - */ - NTSYSAPI - _Success_(return != 0) - _Must_inspect_result_ - _Ret_maybenull_ - _Post_writable_byte_size_(Size) - __drv_allocatesMem(Mem) - DECLSPEC_ALLOCATOR - DECLSPEC_NOALIAS - DECLSPEC_RESTRICT - PVOID - NTAPI - RtlAllocateHeap( - _In_ PVOID HeapHandle, - _In_opt_ ULONG Flags, - _In_ SIZE_T Size); - -#if (PHNT_VERSION >= PHNT_WIN8) - _Success_(return != 0) - NTSYSAPI - LOGICAL - NTAPI - RtlFreeHeap( - _In_ PVOID HeapHandle, - _In_opt_ ULONG Flags, - _Frees_ptr_opt_ _Post_invalid_ PVOID BaseAddress); -#else - _Success_(return) - NTSYSAPI - BOOLEAN - NTAPI - RtlFreeHeap( - _In_ PVOID HeapHandle, - _In_opt_ ULONG Flags, - _Frees_ptr_opt_ PVOID BaseAddress); -#endif - - NTSYSAPI - SIZE_T - NTAPI - RtlSizeHeap( - _In_ PVOID HeapHandle, - _In_ ULONG Flags, - _In_ PVOID BaseAddress); - - NTSYSAPI - NTSTATUS - NTAPI - RtlZeroHeap( - _In_ PVOID HeapHandle, - _In_ ULONG Flags); - - NTSYSAPI - VOID - NTAPI - RtlProtectHeap( - _In_ PVOID HeapHandle, - _In_ BOOLEAN MakeReadOnly); - -#define RtlProcessHeap() (NtCurrentPeb()->ProcessHeap) - - NTSYSAPI - BOOLEAN - NTAPI - RtlLockHeap( - _In_ PVOID HeapHandle); - - NTSYSAPI - BOOLEAN - NTAPI - RtlUnlockHeap( - _In_ PVOID HeapHandle); - - NTSYSAPI - _Success_(return != 0) - _Must_inspect_result_ - _Ret_maybenull_ - _Post_writable_byte_size_(Size) - _When_(Size > 0, __drv_allocatesMem(Mem)) - DECLSPEC_ALLOCATOR - DECLSPEC_NOALIAS - DECLSPEC_RESTRICT - PVOID - NTAPI - RtlReAllocateHeap( - _In_ PVOID HeapHandle, - _In_ ULONG Flags, - _Frees_ptr_opt_ PVOID BaseAddress, - _In_ SIZE_T Size); - - NTSYSAPI - BOOLEAN - NTAPI - RtlGetUserInfoHeap( - _In_ PVOID HeapHandle, - _In_ ULONG Flags, - _In_ PVOID BaseAddress, - _Out_opt_ PVOID *UserValue, - _Out_opt_ PULONG UserFlags); - - NTSYSAPI - BOOLEAN - NTAPI - RtlSetUserValueHeap( - _In_ PVOID HeapHandle, - _In_ ULONG Flags, - _In_ PVOID BaseAddress, - _In_ PVOID UserValue); - - 
NTSYSAPI - BOOLEAN - NTAPI - RtlSetUserFlagsHeap( - _In_ PVOID HeapHandle, - _In_ ULONG Flags, - _In_ PVOID BaseAddress, - _In_ ULONG UserFlagsReset, - _In_ ULONG UserFlagsSet); - - typedef struct _RTL_HEAP_TAG_INFO - { - ULONG NumberOfAllocations; - ULONG NumberOfFrees; - SIZE_T BytesAllocated; - } RTL_HEAP_TAG_INFO, *PRTL_HEAP_TAG_INFO; - -#define RTL_HEAP_MAKE_TAG HEAP_MAKE_TAG_FLAGS - - NTSYSAPI - ULONG - NTAPI - RtlCreateTagHeap( - _In_ PVOID HeapHandle, - _In_ ULONG Flags, - _In_opt_ PCWSTR TagPrefix, - _In_ PCWSTR TagNames); - - NTSYSAPI - PWSTR - NTAPI - RtlQueryTagHeap( - _In_ PVOID HeapHandle, - _In_ ULONG Flags, - _In_ USHORT TagIndex, - _In_ BOOLEAN ResetCounters, - _Out_opt_ PRTL_HEAP_TAG_INFO TagInfo); - - NTSYSAPI - NTSTATUS - NTAPI - RtlExtendHeap( - _In_ PVOID HeapHandle, - _In_ ULONG Flags, - _In_ PVOID Base, - _In_ SIZE_T Size); - - NTSYSAPI - SIZE_T - NTAPI - RtlCompactHeap( - _In_ PVOID HeapHandle, - _In_ ULONG Flags); - - NTSYSAPI - BOOLEAN - NTAPI - RtlValidateHeap( - _In_opt_ PVOID HeapHandle, - _In_ ULONG Flags, - _In_opt_ PVOID BaseAddress); - - NTSYSAPI - BOOLEAN - NTAPI - RtlValidateProcessHeaps( - VOID); - - NTSYSAPI - ULONG - NTAPI - RtlGetProcessHeaps( - _In_ ULONG NumberOfHeaps, - _Out_ PVOID *ProcessHeaps); - - _Function_class_(RTL_ENUM_HEAPS_ROUTINE) typedef NTSTATUS(NTAPI RTL_ENUM_HEAPS_ROUTINE)( - _In_ PVOID HeapHandle, - _In_ PVOID Parameter); - typedef RTL_ENUM_HEAPS_ROUTINE *PRTL_ENUM_HEAPS_ROUTINE; - - NTSYSAPI - NTSTATUS - NTAPI - RtlEnumProcessHeaps( - _In_ PRTL_ENUM_HEAPS_ROUTINE EnumRoutine, - _In_ PVOID Parameter); - - typedef struct _RTL_HEAP_USAGE_ENTRY - { - struct _RTL_HEAP_USAGE_ENTRY *Next; - PVOID Address; - SIZE_T Size; - USHORT AllocatorBackTraceIndex; - USHORT TagIndex; - } RTL_HEAP_USAGE_ENTRY, *PRTL_HEAP_USAGE_ENTRY; - - typedef struct _RTL_HEAP_USAGE - { - ULONG Length; - SIZE_T BytesAllocated; - SIZE_T BytesCommitted; - SIZE_T BytesReserved; - SIZE_T BytesReservedMaximum; - PRTL_HEAP_USAGE_ENTRY Entries; - 
PRTL_HEAP_USAGE_ENTRY AddedEntries; - PRTL_HEAP_USAGE_ENTRY RemovedEntries; - ULONG_PTR Reserved[8]; - } RTL_HEAP_USAGE, *PRTL_HEAP_USAGE; - -#define HEAP_USAGE_ALLOCATED_BLOCKS HEAP_REALLOC_IN_PLACE_ONLY -#define HEAP_USAGE_FREE_BUFFER HEAP_ZERO_MEMORY - - NTSYSAPI - NTSTATUS - NTAPI - RtlUsageHeap( - _In_ PVOID HeapHandle, - _In_ ULONG Flags, - _Inout_ PRTL_HEAP_USAGE Usage); - - typedef struct _RTL_HEAP_WALK_ENTRY - { - PVOID DataAddress; - SIZE_T DataSize; - UCHAR OverheadBytes; - UCHAR SegmentIndex; - USHORT Flags; - union - { - struct - { - SIZE_T Settable; - USHORT TagIndex; - USHORT AllocatorBackTraceIndex; - ULONG Reserved[2]; - } Block; - struct - { - ULONG CommittedSize; - ULONG UnCommittedSize; - PVOID FirstEntry; - PVOID LastEntry; - } Segment; - }; - } RTL_HEAP_WALK_ENTRY, *PRTL_HEAP_WALK_ENTRY; - - NTSYSAPI - NTSTATUS - NTAPI - RtlWalkHeap( - _In_ PVOID HeapHandle, - _Inout_ PRTL_HEAP_WALK_ENTRY Entry); - -// HEAP_INFORMATION_CLASS -#define HeapCompatibilityInformation 0x0 // q; s: ULONG -#define HeapEnableTerminationOnCorruption 0x1 // q; s: NULL -#define HeapExtendedInformation 0x2 // q; s: HEAP_EXTENDED_INFORMATION -#define HeapOptimizeResources 0x3 // q; s: HEAP_OPTIMIZE_RESOURCES_INFORMATION -#define HeapTaggingInformation 0x4 -#define HeapStackDatabase 0x5 // q: RTL_HEAP_STACK_QUERY; s: RTL_HEAP_STACK_CONTROL -#define HeapMemoryLimit 0x6 // since 19H2 -#define HeapTag 0x7 // since 20H1 -#define HeapDetailedFailureInformation 0x80000001 -#define HeapSetDebuggingInformation 0x80000002 // q; s: HEAP_DEBUGGING_INFORMATION - - typedef enum _HEAP_COMPATIBILITY_MODE - { - HEAP_COMPATIBILITY_STANDARD = 0UL, - HEAP_COMPATIBILITY_LAL = 1UL, - HEAP_COMPATIBILITY_LFH = 2UL, - } HEAP_COMPATIBILITY_MODE; - - typedef struct _RTLP_TAG_INFO - { - GUID Id; - ULONG_PTR CurrentAllocatedBytes; - } RTLP_TAG_INFO, *PRTLP_TAG_INFO; - - typedef struct _RTLP_HEAP_TAGGING_INFO - { - USHORT Version; - USHORT Flags; - PVOID ProcessHandle; - ULONG_PTR EntriesCount; - 
RTLP_TAG_INFO Entries[1]; - } RTLP_HEAP_TAGGING_INFO, *PRTLP_HEAP_TAGGING_INFO; - - typedef struct _PROCESS_HEAP_INFORMATION - { - SIZE_T ReserveSize; - SIZE_T CommitSize; - ULONG NumberOfHeaps; - ULONG_PTR FirstHeapInformationOffset; - } PROCESS_HEAP_INFORMATION, *PPROCESS_HEAP_INFORMATION; - - typedef struct _HEAP_REGION_INFORMATION - { - PVOID Address; - SIZE_T ReserveSize; - SIZE_T CommitSize; - ULONG_PTR FirstRangeInformationOffset; - ULONG_PTR NextRegionInformationOffset; - } HEAP_REGION_INFORMATION, *PHEAP_REGION_INFORMATION; - - typedef struct _HEAP_RANGE_INFORMATION - { - PVOID Address; - SIZE_T Size; - ULONG Type; - ULONG Protection; - ULONG_PTR FirstBlockInformationOffset; - ULONG_PTR NextRangeInformationOffset; - } HEAP_RANGE_INFORMATION, *PHEAP_RANGE_INFORMATION; - - typedef struct _HEAP_BLOCK_INFORMATION - { - PVOID Address; - ULONG Flags; - SIZE_T DataSize; - ULONG_PTR OverheadSize; - ULONG_PTR NextBlockInformationOffset; - } HEAP_BLOCK_INFORMATION, *PHEAP_BLOCK_INFORMATION; - - typedef struct _HEAP_INFORMATION - { - PVOID Address; - ULONG Mode; - SIZE_T ReserveSize; - SIZE_T CommitSize; - ULONG_PTR FirstRegionInformationOffset; - ULONG_PTR NextHeapInformationOffset; - } HEAP_INFORMATION, *PHEAP_INFORMATION; - - typedef struct _SEGMENT_HEAP_PERFORMANCE_COUNTER_INFORMATION - { - SIZE_T SegmentReserveSize; - SIZE_T SegmentCommitSize; - ULONG_PTR SegmentCount; - SIZE_T AllocatedSize; - SIZE_T LargeAllocReserveSize; - SIZE_T LargeAllocCommitSize; - } SEGMENT_HEAP_PERFORMANCE_COUNTER_INFORMATION, *PSEGMENT_HEAP_PERFORMANCE_COUNTER_INFORMATION; - -#define HeapPerformanceCountersInformationStandardHeapVersion 0x1 -#define HeapPerformanceCountersInformationSegmentHeapVersion 0x2 - - typedef struct _HEAP_PERFORMANCE_COUNTERS_INFORMATION - { - ULONG Size; - ULONG Version; - ULONG HeapIndex; - ULONG LastHeapIndex; - PVOID BaseAddress; - SIZE_T ReserveSize; - SIZE_T CommitSize; - ULONG SegmentCount; - SIZE_T LargeUCRMemory; - ULONG UCRLength; - SIZE_T 
AllocatedSpace; - SIZE_T FreeSpace; - ULONG FreeListLength; - ULONG Contention; - ULONG VirtualBlocks; - ULONG CommitRate; - ULONG DecommitRate; - SEGMENT_HEAP_PERFORMANCE_COUNTER_INFORMATION SegmentHeapPerfInformation; // since WIN8 - } HEAP_PERFORMANCE_COUNTERS_INFORMATION, *PHEAP_PERFORMANCE_COUNTERS_INFORMATION; - - typedef struct _HEAP_INFORMATION_ITEM - { - ULONG Level; - SIZE_T Size; - union - { - PROCESS_HEAP_INFORMATION ProcessHeapInformation; - HEAP_INFORMATION HeapInformation; - HEAP_REGION_INFORMATION HeapRegionInformation; - HEAP_RANGE_INFORMATION HeapRangeInformation; - HEAP_BLOCK_INFORMATION HeapBlockInformation; - HEAP_PERFORMANCE_COUNTERS_INFORMATION HeapPerfInformation; - ULONG_PTR DynamicStart; - }; - } HEAP_INFORMATION_ITEM, *PHEAP_INFORMATION_ITEM; - - typedef NTSTATUS(NTAPI *PRTL_HEAP_EXTENDED_ENUMERATION_ROUTINE)( - _In_ PHEAP_INFORMATION_ITEM Information, - _In_opt_ PVOID Context); - -// HEAP_EXTENDED_INFORMATION Level -#define HeapExtendedProcessHeapInformationLevel 0x1 -#define HeapExtendedHeapInformationLevel 0x2 -#define HeapExtendedHeapRegionInformationLevel 0x3 -#define HeapExtendedHeapRangeInformationLevel 0x4 -#define HeapExtendedHeapBlockInformationLevel 0x5 -#define HeapExtendedHeapHeapPerfInformationLevel 0x80000000 - - typedef struct _HEAP_EXTENDED_INFORMATION - { - HANDLE ProcessHandle; - PVOID HeapHandle; - ULONG Level; - PRTL_HEAP_EXTENDED_ENUMERATION_ROUTINE CallbackRoutine; - PVOID CallbackContext; - union - { - PROCESS_HEAP_INFORMATION ProcessHeapInformation; - HEAP_INFORMATION HeapInformation; - }; - } HEAP_EXTENDED_INFORMATION, *PHEAP_EXTENDED_INFORMATION; - - // rev - typedef NTSTATUS(NTAPI *RTL_HEAP_STACK_WRITE_ROUTINE)( - _In_ PVOID Information, // TODO: 3 missing structures (dmex) - _In_ ULONG Size, - _In_opt_ PVOID Context); - - // rev - typedef struct _RTLP_HEAP_STACK_TRACE_SERIALIZATION_INIT - { - ULONG Count; - ULONG Total; - ULONG Flags; - } RTLP_HEAP_STACK_TRACE_SERIALIZATION_INIT, 
*PRTLP_HEAP_STACK_TRACE_SERIALIZATION_INIT; - - // rev - typedef struct _RTLP_HEAP_STACK_TRACE_SERIALIZATION_HEADER - { - USHORT Version; - USHORT PointerSize; - PVOID Heap; - SIZE_T TotalCommit; - SIZE_T TotalReserve; - } RTLP_HEAP_STACK_TRACE_SERIALIZATION_HEADER, *PRTLP_HEAP_STACK_TRACE_SERIALIZATION_HEADER; - - // rev - typedef struct _RTLP_HEAP_STACK_TRACE_SERIALIZATION_ALLOCATION - { - PVOID Address; - ULONG Flags; - SIZE_T DataSize; - } RTLP_HEAP_STACK_TRACE_SERIALIZATION_ALLOCATION, *PRTLP_HEAP_STACK_TRACE_SERIALIZATION_ALLOCATION; - - // rev - typedef struct _RTLP_HEAP_STACK_TRACE_SERIALIZATION_STACKFRAME - { - PVOID StackFrame[8]; - } RTLP_HEAP_STACK_TRACE_SERIALIZATION_STACKFRAME, *PRTLP_HEAP_STACK_TRACE_SERIALIZATION_STACKFRAME; - -#define HEAP_STACK_QUERY_VERSION 0x2 - - typedef struct _RTL_HEAP_STACK_QUERY - { - ULONG Version; - HANDLE ProcessHandle; - RTL_HEAP_STACK_WRITE_ROUTINE WriteRoutine; - PVOID SerializationContext; - UCHAR QueryLevel; - UCHAR Flags; - } RTL_HEAP_STACK_QUERY, *PRTL_HEAP_STACK_QUERY; - -#define HEAP_STACK_CONTROL_VERSION 0x1 -#define HEAP_STACK_CONTROL_FLAGS_STACKTRACE_ENABLE 0x1 -#define HEAP_STACK_CONTROL_FLAGS_STACKTRACE_DISABLE 0x2 - - typedef struct _RTL_HEAP_STACK_CONTROL - { - USHORT Version; - USHORT Flags; - HANDLE ProcessHandle; - } RTL_HEAP_STACK_CONTROL, *PRTL_HEAP_STACK_CONTROL; - - // rev - typedef NTSTATUS(NTAPI *PRTL_HEAP_DEBUGGING_INTERCEPTOR_ROUTINE)( - _In_ PVOID HeapHandle, - _In_ ULONG Action, - _In_ ULONG StackFramesToCapture, - _In_ PVOID *StackTrace); - - // rev - typedef NTSTATUS(NTAPI *PRTL_HEAP_LEAK_ENUMERATION_ROUTINE)( - _In_ LONG Reserved, - _In_ PVOID HeapHandle, - _In_ PVOID BaseAddress, - _In_ SIZE_T BlockSize, - _In_ ULONG StackTraceDepth, - _In_ PVOID *StackTrace); - - // symbols - typedef struct _HEAP_DEBUGGING_INFORMATION - { - PRTL_HEAP_DEBUGGING_INTERCEPTOR_ROUTINE InterceptorFunction; - USHORT InterceptorValue; - ULONG ExtendedOptions; - ULONG StackTraceDepth; - SIZE_T MinTotalBlockSize; 
- SIZE_T MaxTotalBlockSize; - PRTL_HEAP_LEAK_ENUMERATION_ROUTINE HeapLeakEnumerationRoutine; - } HEAP_DEBUGGING_INFORMATION, *PHEAP_DEBUGGING_INFORMATION; - - NTSYSAPI - NTSTATUS - NTAPI - RtlQueryHeapInformation( - _In_opt_ PVOID HeapHandle, - _In_ HEAP_INFORMATION_CLASS HeapInformationClass, - _Out_opt_ PVOID HeapInformation, - _In_opt_ SIZE_T HeapInformationLength, - _Out_opt_ PSIZE_T ReturnLength); - - NTSYSAPI - NTSTATUS - NTAPI - RtlSetHeapInformation( - _In_opt_ PCVOID HeapHandle, - _In_ HEAP_INFORMATION_CLASS HeapInformationClass, - _In_opt_ PCVOID HeapInformation, - _In_opt_ SIZE_T HeapInformationLength); - - NTSYSAPI - ULONG - NTAPI - RtlMultipleAllocateHeap( - _In_ PCVOID HeapHandle, - _In_ ULONG Flags, - _In_ SIZE_T Size, - _In_ ULONG Count, - _Out_ PVOID *Array); - - NTSYSAPI - ULONG - NTAPI - RtlMultipleFreeHeap( - _In_ PCVOID HeapHandle, - _In_ ULONG Flags, - _In_ ULONG Count, - _In_ PVOID *Array); - -#if (PHNT_VERSION >= PHNT_WIN7) - NTSYSAPI - VOID - NTAPI - RtlDetectHeapLeaks( - VOID); -#endif - - NTSYSAPI - VOID - NTAPI - RtlFlushHeaps( - VOID); - - // Memory zones - - // begin_private - - typedef struct _RTL_MEMORY_ZONE_SEGMENT - { - struct _RTL_MEMORY_ZONE_SEGMENT *NextSegment; - SIZE_T Size; - PVOID Next; - PVOID Limit; - } RTL_MEMORY_ZONE_SEGMENT, *PRTL_MEMORY_ZONE_SEGMENT; - - typedef struct _RTL_MEMORY_ZONE - { - RTL_MEMORY_ZONE_SEGMENT Segment; - RTL_SRWLOCK Lock; - ULONG LockCount; - PRTL_MEMORY_ZONE_SEGMENT FirstSegment; - } RTL_MEMORY_ZONE, *PRTL_MEMORY_ZONE; - -#if (PHNT_VERSION >= PHNT_VISTA) - - NTSYSAPI - NTSTATUS - NTAPI - RtlCreateMemoryZone( - _Out_ PVOID *MemoryZone, - _In_ SIZE_T InitialSize, - _Reserved_ ULONG Flags); - - NTSYSAPI - NTSTATUS - NTAPI - RtlDestroyMemoryZone( - _In_ _Post_invalid_ PVOID MemoryZone); - - NTSYSAPI - NTSTATUS - NTAPI - RtlAllocateMemoryZone( - _In_ PVOID MemoryZone, - _In_ SIZE_T BlockSize, - _Out_ PVOID *Block); - - NTSYSAPI - NTSTATUS - NTAPI - RtlResetMemoryZone( - _In_ PVOID MemoryZone); - - 
NTSYSAPI - NTSTATUS - NTAPI - RtlLockMemoryZone( - _In_ PVOID MemoryZone); - - NTSYSAPI - NTSTATUS - NTAPI - RtlUnlockMemoryZone( - _In_ PVOID MemoryZone); - -#endif - - // Memory block lookaside lists - -#if (PHNT_VERSION >= PHNT_VISTA) - - NTSYSAPI - NTSTATUS - NTAPI - RtlCreateMemoryBlockLookaside( - _Out_ PVOID *MemoryBlockLookaside, - _Reserved_ ULONG Flags, - _In_ ULONG InitialSize, - _In_ ULONG MinimumBlockSize, - _In_ ULONG MaximumBlockSize); - - NTSYSAPI - NTSTATUS - NTAPI - RtlDestroyMemoryBlockLookaside( - _In_ PVOID MemoryBlockLookaside); - - NTSYSAPI - NTSTATUS - NTAPI - RtlAllocateMemoryBlockLookaside( - _In_ PVOID MemoryBlockLookaside, - _In_ ULONG BlockSize, - _Out_ PVOID *Block); - - NTSYSAPI - NTSTATUS - NTAPI - RtlFreeMemoryBlockLookaside( - _In_ PVOID MemoryBlockLookaside, - _In_ PVOID Block); - - NTSYSAPI - NTSTATUS - NTAPI - RtlExtendMemoryBlockLookaside( - _In_ PVOID MemoryBlockLookaside, - _In_ ULONG Increment); - - NTSYSAPI - NTSTATUS - NTAPI - RtlResetMemoryBlockLookaside( - _In_ PVOID MemoryBlockLookaside); - - NTSYSAPI - NTSTATUS - NTAPI - RtlLockMemoryBlockLookaside( - _In_ PVOID MemoryBlockLookaside); - - NTSYSAPI - NTSTATUS - NTAPI - RtlUnlockMemoryBlockLookaside( - _In_ PVOID MemoryBlockLookaside); - -#endif - - // end_private - - // Transactions - -#if (PHNT_VERSION >= PHNT_VISTA) - // private - NTSYSAPI - HANDLE - NTAPI - RtlGetCurrentTransaction( - _In_opt_ PCWSTR ExistingFileName, - _In_opt_ PCWSTR NewFileName); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - // private - NTSYSAPI - LOGICAL - NTAPI - RtlSetCurrentTransaction( - _In_opt_ HANDLE TransactionHandle); -#endif - - // LUIDs - - FORCEINLINE BOOLEAN RtlIsEqualLuid( // RtlEqualLuid - _In_ PLUID L1, - _In_ PLUID L2) - { - return L1->LowPart == L2->LowPart && - L1->HighPart == L2->HighPart; - } - - FORCEINLINE BOOLEAN RtlIsZeroLuid( - _In_ PLUID L1) - { - return (L1->LowPart | L1->HighPart) == 0; - } - - FORCEINLINE - LUID - NTAPI_INLINE - RtlConvertLongToLuid( - _In_ LONG 
Long) - { - LUID tempLuid; - - tempLuid.LowPart = Long; - tempLuid.HighPart = 0; - - return tempLuid; - } - - FORCEINLINE - LUID - NTAPI_INLINE - RtlConvertUlongToLuid( - _In_ ULONG Ulong) - { - LUID tempLuid; - - tempLuid.LowPart = Ulong; - tempLuid.HighPart = 0; - - return tempLuid; - } - - FORCEINLINE - LONGLONG - NTAPI_INLINE - RtlConvertLuidToLonglong( - _In_ LUID Luid) - { - LARGE_INTEGER tempLi; - - tempLi.LowPart = Luid.LowPart; - tempLi.HighPart = Luid.HighPart; - - return tempLi.QuadPart; - } - - FORCEINLINE - ULONGLONG - NTAPI_INLINE - RtlConvertLuidToUlonglong( - _In_ LUID Luid) - { - ULARGE_INTEGER tempLi; - - tempLi.LowPart = Luid.LowPart; - tempLi.HighPart = Luid.HighPart; - - return tempLi.QuadPart; - } - - NTSYSAPI - VOID - NTAPI - RtlCopyLuid( - _Out_ PLUID DestinationLuid, - _In_ PLUID SourceLuid); - - // ros - NTSYSAPI - VOID - NTAPI - RtlCopyLuidAndAttributesArray( - _In_ ULONG Count, - _In_ PLUID_AND_ATTRIBUTES Src, - _In_ PLUID_AND_ATTRIBUTES Dest); - - // Byte swap routines. 
- -#ifndef PHNT_RTL_BYTESWAP -#define RtlUshortByteSwap(_x) _byteswap_ushort((USHORT)(_x)) -#define RtlUlongByteSwap(_x) _byteswap_ulong((_x)) -#define RtlUlonglongByteSwap(_x) _byteswap_uint64((_x)) -#else - NTSYSAPI - USHORT - FASTCALL - RtlUshortByteSwap( - _In_ USHORT Source); - - NTSYSAPI - ULONG - FASTCALL - RtlUlongByteSwap( - _In_ ULONG Source); - - NTSYSAPI - ULONGLONG - FASTCALL - RtlUlonglongByteSwap( - _In_ ULONGLONG Source); -#endif - - DECLSPEC_DEPRECATED - NTSYSAPI - LARGE_INTEGER - NTAPI - RtlConvertUlongToLargeInteger( - _In_ ULONG UnsignedInteger); - - DECLSPEC_DEPRECATED - NTSYSAPI - LARGE_INTEGER - NTAPI - RtlConvertLongToLargeInteger( - _In_ LONG SignedInteger); - - DECLSPEC_DEPRECATED - NTSYSAPI - LARGE_INTEGER - NTAPI - RtlEnlargedIntegerMultiply( - _In_ LONG Multiplicand, - _In_ LONG Multiplier); - - DECLSPEC_DEPRECATED - NTSYSAPI - LARGE_INTEGER - NTAPI_INLINE - RtlEnlargedUnsignedMultiply( - _In_ ULONG Multiplicand, - _In_ ULONG Multiplier); - - // Debugging - - // private - typedef struct _RTL_PROCESS_MODULES *PRTL_PROCESS_MODULES; - typedef struct _RTL_PROCESS_MODULE_INFORMATION_EX *PRTL_PROCESS_MODULE_INFORMATION_EX; - typedef struct _RTL_PROCESS_BACKTRACES *PRTL_PROCESS_BACKTRACES; - typedef struct _RTL_PROCESS_LOCKS *PRTL_PROCESS_LOCKS; - - typedef struct _RTL_PROCESS_VERIFIER_OPTIONS - { - ULONG SizeStruct; - ULONG Option; - UCHAR OptionData[1]; - } RTL_PROCESS_VERIFIER_OPTIONS, *PRTL_PROCESS_VERIFIER_OPTIONS; - - // private - typedef struct _RTL_DEBUG_INFORMATION - { - HANDLE SectionHandleClient; - PVOID ViewBaseClient; - PVOID ViewBaseTarget; - ULONG_PTR ViewBaseDelta; - HANDLE EventPairClient; - HANDLE EventPairTarget; - HANDLE TargetProcessId; - HANDLE TargetThreadHandle; - ULONG Flags; - SIZE_T OffsetFree; - SIZE_T CommitSize; - SIZE_T ViewSize; - union - { - PRTL_PROCESS_MODULES Modules; - PRTL_PROCESS_MODULE_INFORMATION_EX ModulesEx; - }; - PRTL_PROCESS_BACKTRACES BackTraces; - PVOID Heaps; - PRTL_PROCESS_LOCKS Locks; - PVOID 
SpecificHeap; - HANDLE TargetProcessHandle; - PRTL_PROCESS_VERIFIER_OPTIONS VerifierOptions; - PVOID ProcessHeap; - HANDLE CriticalSectionHandle; - HANDLE CriticalSectionOwnerThread; - PVOID Reserved[4]; - } RTL_DEBUG_INFORMATION, *PRTL_DEBUG_INFORMATION; - - NTSYSAPI - PRTL_DEBUG_INFORMATION - NTAPI - RtlCreateQueryDebugBuffer( - _In_opt_ ULONG MaximumCommit, - _In_ BOOLEAN UseEventPair); - - NTSYSAPI - NTSTATUS - NTAPI - RtlDestroyQueryDebugBuffer( - _In_ PRTL_DEBUG_INFORMATION Buffer); - -#if (PHNT_VERSION >= PHNT_VISTA) - - // private - NTSYSAPI - PVOID - NTAPI - RtlCommitDebugInfo( - _Inout_ PRTL_DEBUG_INFORMATION Buffer, - _In_ SIZE_T Size); - - // private - NTSYSAPI - VOID - NTAPI - RtlDeCommitDebugInfo( - _Inout_ PRTL_DEBUG_INFORMATION Buffer, - _In_ PVOID p, - _In_ SIZE_T Size); - -#endif - -#define RTL_QUERY_PROCESS_MODULES 0x00000001 -#define RTL_QUERY_PROCESS_BACKTRACES 0x00000002 -#define RTL_QUERY_PROCESS_HEAP_SUMMARY 0x00000004 -#define RTL_QUERY_PROCESS_HEAP_TAGS 0x00000008 -#define RTL_QUERY_PROCESS_HEAP_ENTRIES 0x00000010 -#define RTL_QUERY_PROCESS_LOCKS 0x00000020 -#define RTL_QUERY_PROCESS_MODULES32 0x00000040 -#define RTL_QUERY_PROCESS_VERIFIER_OPTIONS 0x00000080 // rev -#define RTL_QUERY_PROCESS_MODULESEX 0x00000100 // rev -#define RTL_QUERY_PROCESS_HEAP_SEGMENTS 0x00000200 -#define RTL_QUERY_PROCESS_CS_OWNER 0x00000400 // rev -#define RTL_QUERY_PROCESS_NONINVASIVE 0x80000000 -#define RTL_QUERY_PROCESS_NONINVASIVE_CS_OWNER 0x80000800 // WIN11 - - NTSYSAPI - NTSTATUS - NTAPI - RtlQueryProcessDebugInformation( - _In_ HANDLE UniqueProcessId, - _In_ ULONG Flags, - _Inout_ PRTL_DEBUG_INFORMATION Buffer); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlSetProcessDebugInformation( - _In_ HANDLE UniqueProcessId, - _In_ ULONG Flags, - _Inout_ PRTL_DEBUG_INFORMATION Buffer); - - // rev - FORCEINLINE - BOOLEAN - NTAPI - RtlIsAnyDebuggerPresent( - VOID) - { - BOOLEAN result; - - result = NtCurrentPeb()->BeingDebugged; - - if (!result) - return 
USER_SHARED_DATA->KdDebuggerEnabled; - - return result; - } - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlDebugPrintTimes( - VOID); - - // - // Messages - // - - NTSYSAPI - NTSTATUS - NTAPI - RtlFindMessage( - _In_ PVOID DllHandle, - _In_ ULONG MessageTableId, - _In_ ULONG MessageLanguageId, - _In_ ULONG MessageId, - _Out_ PMESSAGE_RESOURCE_ENTRY *MessageEntry); - - NTSYSAPI - NTSTATUS - NTAPI - RtlFormatMessage( - _In_ PCWSTR MessageFormat, - _In_ ULONG MaximumWidth, - _In_ BOOLEAN IgnoreInserts, - _In_ BOOLEAN ArgumentsAreAnsi, - _In_ BOOLEAN ArgumentsAreAnArray, - _In_ va_list *Arguments, - _Out_writes_bytes_to_(Length, *ReturnLength) PWSTR Buffer, - _In_ ULONG Length, - _Out_opt_ PULONG ReturnLength); - - typedef struct _PARSE_MESSAGE_CONTEXT - { - ULONG fFlags; - ULONG cwSavColumn; - SIZE_T iwSrc; - SIZE_T iwDst; - SIZE_T iwDstSpace; - va_list lpvArgStart; - } PARSE_MESSAGE_CONTEXT, *PPARSE_MESSAGE_CONTEXT; - -#define INIT_PARSE_MESSAGE_CONTEXT(ctx) \ - { \ - (ctx)->fFlags = 0; \ - } -#define TEST_PARSE_MESSAGE_CONTEXT_FLAG(ctx, flag) ((ctx)->fFlags & (flag)) -#define SET_PARSE_MESSAGE_CONTEXT_FLAG(ctx, flag) ((ctx)->fFlags |= (flag)) -#define CLEAR_PARSE_MESSAGE_CONTEXT_FLAG(ctx, flag) ((ctx)->fFlags &= ~(flag)) - - NTSYSAPI - NTSTATUS - NTAPI - RtlFormatMessageEx( - _In_ PCWSTR MessageFormat, - _In_ ULONG MaximumWidth, - _In_ BOOLEAN IgnoreInserts, - _In_ BOOLEAN ArgumentsAreAnsi, - _In_ BOOLEAN ArgumentsAreAnArray, - _In_ va_list *Arguments, - _Out_writes_bytes_to_(Length, *ReturnLength) PWSTR Buffer, - _In_ ULONG Length, - _Out_opt_ PULONG ReturnLength, - _Out_opt_ PPARSE_MESSAGE_CONTEXT ParseContext); - - NTSYSAPI - NTSTATUS - NTAPI - RtlGetFileMUIPath( - _In_ ULONG Flags, - _In_ PCWSTR FilePath, - _Inout_opt_ PCWSTR Language, - _Inout_ PULONG LanguageLength, - _Out_opt_ PWSTR FileMUIPath, - _Inout_ PULONG FileMUIPathLength, - _Inout_ PULONGLONG Enumerator); - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlLoadString( - _In_ PVOID DllHandle, - _In_ ULONG 
StringId, - _In_opt_ PCWSTR StringLanguage, - _In_ ULONG Flags, - _Out_ PCWSTR *ReturnString, - _Out_opt_ PUSHORT ReturnStringLen, - _Out_writes_(ReturnLanguageLen) PWSTR ReturnLanguageName, - _Inout_opt_ PULONG ReturnLanguageLen); - - // Errors - - _When_(Status < 0, _Out_range_(>, 0)) - _When_(Status >= 0, _Out_range_(==, 0)) - NTSYSAPI - ULONG - NTAPI - RtlNtStatusToDosError( - _In_ NTSTATUS Status); - - _When_(Status < 0, _Out_range_(>, 0)) - _When_(Status >= 0, _Out_range_(==, 0)) - NTSYSAPI - ULONG - NTAPI - RtlNtStatusToDosErrorNoTeb( - _In_ NTSTATUS Status); - - NTSYSAPI - NTSTATUS - NTAPI - RtlGetLastNtStatus( - VOID); - - NTSYSAPI - LONG - NTAPI - RtlGetLastWin32Error( - VOID); - - NTSYSAPI - VOID - NTAPI - RtlSetLastWin32ErrorAndNtStatusFromNtStatus( - _In_ NTSTATUS Status); - - NTSYSAPI - VOID - NTAPI - RtlSetLastWin32Error( - _In_ LONG Win32Error); - - NTSYSAPI - VOID - NTAPI - RtlRestoreLastWin32Error( - _In_ LONG Win32Error); - -#define RTL_ERRORMODE_FAILCRITICALERRORS 0x0010 -#define RTL_ERRORMODE_NOGPFAULTERRORBOX 0x0020 -#define RTL_ERRORMODE_NOOPENFILEERRORBOX 0x0040 - - NTSYSAPI - ULONG - NTAPI - RtlGetThreadErrorMode( - VOID); - - NTSYSAPI - NTSTATUS - NTAPI - RtlSetThreadErrorMode( - _In_ ULONG NewMode, - _Out_opt_ PULONG OldMode); - - // Windows Error Reporting - -#if (PHNT_VERSION >= PHNT_VISTA) - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlReportException( - _In_ PEXCEPTION_RECORD ExceptionRecord, - _In_ PCONTEXT ContextRecord, - _In_ ULONG Flags); -#endif - -#if (PHNT_VERSION >= PHNT_REDSTONE) - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlReportExceptionEx( - _In_ PEXCEPTION_RECORD ExceptionRecord, - _In_ PCONTEXT ContextRecord, - _In_ ULONG Flags, - _In_ PLARGE_INTEGER Timeout); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlWerpReportException( - _In_ ULONG ProcessId, - _In_ HANDLE CrashReportSharedMem, - _In_ ULONG Flags, - _Out_ PHANDLE CrashVerticalProcessHandle); -#endif - -#if 
(PHNT_VERSION >= PHNT_WIN7) - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlReportSilentProcessExit( - _In_ HANDLE ProcessHandle, - _In_ NTSTATUS ExitStatus); -#endif - - // - // Random - // - - NTSYSAPI - ULONG - NTAPI - RtlUniform( - _Inout_ PULONG Seed); - - _Ret_range_(<=, MAXLONG) - NTSYSAPI - ULONG - NTAPI - RtlRandom( - _Inout_ PULONG Seed); - - _Ret_range_(<=, MAXLONG) - NTSYSAPI - ULONG - NTAPI - RtlRandomEx( - _Inout_ PULONG Seed); - -#define RTL_IMPORT_TABLE_HASH_REVISION 1 - - NTSYSAPI - NTSTATUS - NTAPI - RtlComputeImportTableHash( - _In_ HANDLE FileHandle, - _Out_writes_bytes_(16) PCHAR Hash, - _In_ ULONG ImportTableHashRevision // must be 1 - ); - - // - // Integer conversion - // - - NTSYSAPI - NTSTATUS - NTAPI - RtlIntegerToChar( - _In_ ULONG Value, - _In_opt_ ULONG Base, - _In_ LONG OutputLength, // negative to pad to width - _Out_ PSTR String); - - NTSYSAPI - NTSTATUS - NTAPI - RtlCharToInteger( - _In_z_ PCSTR String, - _In_opt_ ULONG Base, - _Out_ PULONG Value); - - NTSYSAPI - NTSTATUS - NTAPI - RtlLargeIntegerToChar( - _In_ PLARGE_INTEGER Value, - _In_opt_ ULONG Base, - _In_ LONG OutputLength, - _Out_ PSTR String); - -#define RtlLargeIntegerGreaterThan(X, Y) ((((X).HighPart == (Y).HighPart) && ((X).LowPart > (Y).LowPart)) || ((X).HighPart > (Y).HighPart)) -#define RtlLargeIntegerGreaterThanOrEqualTo(X, Y) ((((X).HighPart == (Y).HighPart) && ((X).LowPart >= (Y).LowPart)) || ((X).HighPart > (Y).HighPart))) -#define RtlLargeIntegerEqualTo(X, Y) (!(((X).LowPart ^ (Y).LowPart) | ((X).HighPart ^ (Y).HighPart))) -#define RtlLargeIntegerNotEqualTo(X, Y) ((((X).LowPart ^ (Y).LowPart) | ((X).HighPart ^ (Y).HighPart))) -#define RtlLargeIntegerLessThan(X, Y) ((((X).HighPart == (Y).HighPart) && ((X).LowPart < (Y).LowPart)) || ((X).HighPart < (Y).HighPart)) -#define RtlLargeIntegerLessThanOrEqualTo(X, Y) ((((X).HighPart == (Y).HighPart) && ((X).LowPart <= (Y).LowPart)) || ((X).HighPart < (Y).HighPart)) -#define RtlLargeIntegerGreaterThanZero(X) ((((X).HighPart 
== 0) && ((X).LowPart > 0)) || ((X).HighPart > 0)) -#define RtlLargeIntegerGreaterOrEqualToZero(X) ((X).HighPart >= 0) -#define RtlLargeIntegerEqualToZero(X) (!((X).LowPart | (X).HighPart)) -#define RtlLargeIntegerNotEqualToZero(X) (((X).LowPart | (X).HighPart)) -#define RtlLargeIntegerLessThanZero(X) (((X).HighPart < 0)) -#define RtlLargeIntegerLessOrEqualToZero(X) (((X).HighPart < 0) || !((X).LowPart | (X).HighPart)) - - NTSYSAPI - NTSTATUS - NTAPI - RtlIntegerToUnicodeString( - _In_ ULONG Value, - _In_opt_ ULONG Base, - _Inout_ PUNICODE_STRING String); - - NTSYSAPI - NTSTATUS - NTAPI - RtlInt64ToUnicodeString( - _In_ ULONGLONG Value, - _In_opt_ ULONG Base, - _Inout_ PUNICODE_STRING String); - -#ifdef _WIN64 -#define RtlIntPtrToUnicodeString(Value, Base, String) RtlInt64ToUnicodeString(Value, Base, String) -#else -#define RtlIntPtrToUnicodeString(Value, Base, String) RtlIntegerToUnicodeString(Value, Base, String) -#endif - - NTSYSAPI - NTSTATUS - NTAPI - RtlUnicodeStringToInteger( - _In_ PUNICODE_STRING String, - _In_opt_ ULONG Base, - _Out_ PULONG Value); - - // - // IPv4/6 conversion - // - - typedef struct in_addr IN_ADDR, *PIN_ADDR; - typedef struct in6_addr IN6_ADDR, *PIN6_ADDR; - typedef IN_ADDR const *PCIN_ADDR; - typedef IN6_ADDR const *PCIN6_ADDR; - - NTSYSAPI - PWSTR - NTAPI - RtlIpv4AddressToStringW( - _In_ PCIN_ADDR Address, - _Out_writes_(16) PWSTR AddressString); - - NTSYSAPI - NTSTATUS - NTAPI - RtlIpv4AddressToStringExW( - _In_ PCIN_ADDR Address, - _In_ USHORT Port, - _Out_writes_to_(*AddressStringLength, *AddressStringLength) PWSTR AddressString, - _Inout_ PULONG AddressStringLength); - - NTSYSAPI - PWSTR - NTAPI - RtlIpv6AddressToStringW( - _In_ PCIN6_ADDR Address, - _Out_writes_(46) PWSTR AddressString); - - NTSYSAPI - NTSTATUS - NTAPI - RtlIpv6AddressToStringExW( - _In_ PCIN6_ADDR Address, - _In_ ULONG ScopeId, - _In_ USHORT Port, - _Out_writes_to_(*AddressStringLength, *AddressStringLength) PWSTR AddressString, - _Inout_ PULONG 
AddressStringLength); - - NTSYSAPI - NTSTATUS - NTAPI - RtlIpv4StringToAddressW( - _In_ PCWSTR AddressString, - _In_ BOOLEAN Strict, - _Out_ LPCWSTR *Terminator, - _Out_ PIN_ADDR Address); - - NTSYSAPI - NTSTATUS - NTAPI - RtlIpv4StringToAddressExW( - _In_ PCWSTR AddressString, - _In_ BOOLEAN Strict, - _Out_ PIN_ADDR Address, - _Out_ PUSHORT Port); - - NTSYSAPI - NTSTATUS - NTAPI - RtlIpv6StringToAddressW( - _In_ PCWSTR AddressString, - _Out_ PCWSTR *Terminator, - _Out_ PIN6_ADDR Address); - - NTSYSAPI - NTSTATUS - NTAPI - RtlIpv6StringToAddressExW( - _In_ PCWSTR AddressString, - _Out_ PIN6_ADDR Address, - _Out_ PULONG ScopeId, - _Out_ PUSHORT Port); - -#define RtlIpv4AddressToString RtlIpv4AddressToStringW -#define RtlIpv4AddressToStringEx RtlIpv4AddressToStringExW -#define RtlIpv6AddressToString RtlIpv6AddressToStringW -#define RtlIpv6AddressToStringEx RtlIpv6AddressToStringExW -#define RtlIpv4StringToAddress RtlIpv4StringToAddressW -#define RtlIpv4StringToAddressEx RtlIpv4StringToAddressExW -#define RtlIpv6StringToAddress RtlIpv6StringToAddressW -#define RtlIpv6StringToAddressEx RtlIpv6StringToAddressExW - - // Time - - typedef struct _TIME_FIELDS - { - CSHORT Year; // 1601... 
- CSHORT Month; // 1..12 - CSHORT Day; // 1..31 - CSHORT Hour; // 0..23 - CSHORT Minute; // 0..59 - CSHORT Second; // 0..59 - CSHORT Milliseconds; // 0..999 - CSHORT Weekday; // 0..6 = Sunday..Saturday - } TIME_FIELDS, *PTIME_FIELDS; - - NTSYSAPI - BOOLEAN - NTAPI - RtlCutoverTimeToSystemTime( - _In_ PTIME_FIELDS CutoverTime, - _Out_ PLARGE_INTEGER SystemTime, - _In_ PLARGE_INTEGER CurrentSystemTime, - _In_ BOOLEAN ThisYear); - - NTSYSAPI - NTSTATUS - NTAPI - RtlSystemTimeToLocalTime( - _In_ PLARGE_INTEGER SystemTime, - _Out_ PLARGE_INTEGER LocalTime); - - NTSYSAPI - NTSTATUS - NTAPI - RtlLocalTimeToSystemTime( - _In_ PLARGE_INTEGER LocalTime, - _Out_ PLARGE_INTEGER SystemTime); - - NTSYSAPI - VOID - NTAPI - RtlTimeToElapsedTimeFields( - _In_ PLARGE_INTEGER Time, - _Out_ PTIME_FIELDS TimeFields); - - NTSYSAPI - VOID - NTAPI - RtlTimeToTimeFields( - _In_ PLARGE_INTEGER Time, - _Out_ PTIME_FIELDS TimeFields); - - NTSYSAPI - BOOLEAN - NTAPI - RtlTimeFieldsToTime( - _In_ PTIME_FIELDS TimeFields, // Weekday is ignored - _Out_ PLARGE_INTEGER Time); - -#define SecondsToStartOf1980 11960006400 -#define SecondsToStartOf1970 11644473600 - - NTSYSAPI - BOOLEAN - NTAPI - RtlTimeToSecondsSince1980( - _In_ PLARGE_INTEGER Time, - _Out_ PULONG ElapsedSeconds); - - NTSYSAPI - VOID - NTAPI - RtlSecondsSince1980ToTime( - _In_ ULONG ElapsedSeconds, - _Out_ PLARGE_INTEGER Time); - - NTSYSAPI - BOOLEAN - NTAPI - RtlTimeToSecondsSince1970( - _In_ PLARGE_INTEGER Time, - _Out_ PULONG ElapsedSeconds); - - NTSYSAPI - VOID - NTAPI - RtlSecondsSince1970ToTime( - _In_ ULONG ElapsedSeconds, - _Out_ PLARGE_INTEGER Time); - -#if (PHNT_VERSION >= PHNT_WIN8) - NTSYSAPI - ULONGLONG - NTAPI - RtlGetSystemTimePrecise( - VOID); -#endif - -#if (PHNT_VERSION >= PHNT_WIN10_21H2) - NTSYSAPI - KSYSTEM_TIME - NTAPI - RtlGetSystemTimeAndBias( - _Out_ KSYSTEM_TIME TimeZoneBias, - _Out_opt_ PLARGE_INTEGER TimeZoneBiasEffectiveStart, - _Out_opt_ PLARGE_INTEGER TimeZoneBiasEffectiveEnd); -#endif - -#if 
(PHNT_VERSION >= PHNT_THRESHOLD) - NTSYSAPI - ULONGLONG - NTAPI - RtlGetInterruptTimePrecise( - _Out_ PLARGE_INTEGER PerformanceCounter); -#endif - -#if (PHNT_VERSION >= PHNT_WIN8) - NTSYSAPI - BOOLEAN - NTAPI - RtlQueryUnbiasedInterruptTime( - _Out_ PLARGE_INTEGER InterruptTime); -#endif - - FORCEINLINE - ULONGLONG - NTAPI - RtlBeginReadTickLock( - _In_ PULONGLONG TimeUpdateLock // USER_SHARED_DATA->TimeUpdateLock - ) - { - ULONGLONG result; - - for (result = *TimeUpdateLock; (*TimeUpdateLock & 1) != 0; result = *TimeUpdateLock) - { - YieldProcessor(); - } - - return result; - } - - // - // Time zones - // - - typedef struct _RTL_TIME_ZONE_INFORMATION - { - LONG Bias; - WCHAR StandardName[32]; - TIME_FIELDS StandardStart; - LONG StandardBias; - WCHAR DaylightName[32]; - TIME_FIELDS DaylightStart; - LONG DaylightBias; - } RTL_TIME_ZONE_INFORMATION, *PRTL_TIME_ZONE_INFORMATION; - - NTSYSAPI - NTSTATUS - NTAPI - RtlQueryTimeZoneInformation( - _Out_ PRTL_TIME_ZONE_INFORMATION TimeZoneInformation); - - NTSYSAPI - NTSTATUS - NTAPI - RtlSetTimeZoneInformation( - _In_ PRTL_TIME_ZONE_INFORMATION TimeZoneInformation); - - // - // Interlocked bit manipulation interfaces - // - -#define RtlInterlockedSetBits(Flags, Flag) \ - InterlockedOr((PLONG)(Flags), Flag) - -#define RtlInterlockedAndBits(Flags, Flag) \ - InterlockedAnd((PLONG)(Flags), Flag) - -#define RtlInterlockedClearBits(Flags, Flag) \ - RtlInterlockedAndBits(Flags, ~(Flag)) - -#define RtlInterlockedXorBits(Flags, Flag) \ - InterlockedXor(Flags, Flag) - -#define RtlInterlockedSetBitsDiscardReturn(Flags, Flag) \ - (VOID) RtlInterlockedSetBits(Flags, Flag) - -#define RtlInterlockedAndBitsDiscardReturn(Flags, Flag) \ - (VOID) RtlInterlockedAndBits(Flags, Flag) - -#define RtlInterlockedClearBitsDiscardReturn(Flags, Flag) \ - RtlInterlockedAndBitsDiscardReturn(Flags, ~(Flag)) - -#define RtlInterlockedTestBits(Flags, Flag) \ - ((InterlockedOr((PLONG)(Flags), 0) & (Flag)) == (Flag)) // dmex - - // - // Bitmaps - // - - 
typedef struct _RTL_BITMAP - { - ULONG SizeOfBitMap; - PULONG Buffer; - } RTL_BITMAP, *PRTL_BITMAP; - - NTSYSAPI - VOID - NTAPI - RtlInitializeBitMap( - _Out_ PRTL_BITMAP BitMapHeader, - _In_ PULONG BitMapBuffer, - _In_ ULONG SizeOfBitMap); - -#if (PHNT_MODE == PHNT_MODE_KERNEL || PHNT_VERSION >= PHNT_WIN8) - NTSYSAPI - VOID - NTAPI - RtlClearBit( - _In_ PRTL_BITMAP BitMapHeader, - _In_range_(<, BitMapHeader->SizeOfBitMap) ULONG BitNumber); -#endif - -#if (PHNT_MODE == PHNT_MODE_KERNEL || PHNT_VERSION >= PHNT_WIN8) - NTSYSAPI - VOID - NTAPI - RtlSetBit( - _In_ PRTL_BITMAP BitMapHeader, - _In_range_(<, BitMapHeader->SizeOfBitMap) ULONG BitNumber); -#endif - - _Check_return_ - NTSYSAPI - BOOLEAN - NTAPI - RtlTestBit( - _In_ PRTL_BITMAP BitMapHeader, - _In_range_(<, BitMapHeader->SizeOfBitMap) ULONG BitNumber); - - NTSYSAPI - VOID - NTAPI - RtlClearAllBits( - _In_ PRTL_BITMAP BitMapHeader); - - NTSYSAPI - VOID - NTAPI - RtlSetAllBits( - _In_ PRTL_BITMAP BitMapHeader); - - _Success_(return != -1) - _Check_return_ - NTSYSAPI - ULONG - NTAPI - RtlFindClearBits( - _In_ PRTL_BITMAP BitMapHeader, - _In_ ULONG NumberToFind, - _In_ ULONG HintIndex); - - _Success_(return != -1) - _Check_return_ - NTSYSAPI - ULONG - NTAPI - RtlFindSetBits( - _In_ PRTL_BITMAP BitMapHeader, - _In_ ULONG NumberToFind, - _In_ ULONG HintIndex); - - _Success_(return != -1) - NTSYSAPI - ULONG - NTAPI - RtlFindClearBitsAndSet( - _In_ PRTL_BITMAP BitMapHeader, - _In_ ULONG NumberToFind, - _In_ ULONG HintIndex); - - _Success_(return != -1) - NTSYSAPI - ULONG - NTAPI - RtlFindSetBitsAndClear( - _In_ PRTL_BITMAP BitMapHeader, - _In_ ULONG NumberToFind, - _In_ ULONG HintIndex); - - NTSYSAPI - VOID - NTAPI - RtlClearBits( - _In_ PRTL_BITMAP BitMapHeader, - _In_range_(0, BitMapHeader->SizeOfBitMap - NumberToClear) ULONG StartingIndex, - _In_range_(0, BitMapHeader->SizeOfBitMap - StartingIndex) ULONG NumberToClear); - - NTSYSAPI - VOID - NTAPI - RtlSetBits( - _In_ PRTL_BITMAP BitMapHeader, - _In_range_(0, 
BitMapHeader->SizeOfBitMap - NumberToSet) ULONG StartingIndex, - _In_range_(0, BitMapHeader->SizeOfBitMap - StartingIndex) ULONG NumberToSet); - - NTSYSAPI - CCHAR - NTAPI - RtlFindMostSignificantBit( - _In_ ULONGLONG Set); - - NTSYSAPI - CCHAR - NTAPI - RtlFindLeastSignificantBit( - _In_ ULONGLONG Set); - - typedef struct _RTL_BITMAP_RUN - { - ULONG StartingIndex; - ULONG NumberOfBits; - } RTL_BITMAP_RUN, *PRTL_BITMAP_RUN; - - NTSYSAPI - ULONG - NTAPI - RtlFindClearRuns( - _In_ PRTL_BITMAP BitMapHeader, - _Out_writes_to_(SizeOfRunArray, return) PRTL_BITMAP_RUN RunArray, - _In_range_(>, 0) ULONG SizeOfRunArray, - _In_ BOOLEAN LocateLongestRuns); - - NTSYSAPI - ULONG - NTAPI - RtlFindLongestRunClear( - _In_ PRTL_BITMAP BitMapHeader, - _Out_ PULONG StartingIndex); - - NTSYSAPI - ULONG - NTAPI - RtlFindFirstRunClear( - _In_ PRTL_BITMAP BitMapHeader, - _Out_ PULONG StartingIndex); - - _Check_return_ - FORCEINLINE - BOOLEAN - RtlCheckBit( - _In_ PRTL_BITMAP BitMapHeader, - _In_range_(<, BitMapHeader->SizeOfBitMap) ULONG BitPosition) - { -#ifdef _WIN64 - return BitTest64((LONG64 const *)BitMapHeader->Buffer, (LONG64)BitPosition); -#else - return (((PLONG)BitMapHeader->Buffer)[BitPosition / 32] >> (BitPosition % 32)) & 0x1; -#endif - } - - NTSYSAPI - ULONG - NTAPI - RtlNumberOfClearBits( - _In_ PRTL_BITMAP BitMapHeader); - - NTSYSAPI - ULONG - NTAPI - RtlNumberOfSetBits( - _In_ PRTL_BITMAP BitMapHeader); - - _Check_return_ - NTSYSAPI - BOOLEAN - NTAPI - RtlAreBitsClear( - _In_ PRTL_BITMAP BitMapHeader, - _In_ ULONG StartingIndex, - _In_ ULONG Length); - - _Check_return_ - NTSYSAPI - BOOLEAN - NTAPI - RtlAreBitsSet( - _In_ PRTL_BITMAP BitMapHeader, - _In_ ULONG StartingIndex, - _In_ ULONG Length); - - NTSYSAPI - ULONG - NTAPI - RtlFindNextForwardRunClear( - _In_ PRTL_BITMAP BitMapHeader, - _In_ ULONG FromIndex, - _Out_ PULONG StartingRunIndex); - - NTSYSAPI - ULONG - NTAPI - RtlFindLastBackwardRunClear( - _In_ PRTL_BITMAP BitMapHeader, - _In_ ULONG FromIndex, - _Out_ 
PULONG StartingRunIndex); - -#if (PHNT_VERSION >= PHNT_VISTA) - - NTSYSAPI - ULONG - NTAPI - RtlNumberOfSetBitsUlongPtr( - _In_ ULONG_PTR Target); - -#endif - -#if (PHNT_VERSION >= PHNT_WIN7) - - // rev - NTSYSAPI - VOID - NTAPI - RtlInterlockedClearBitRun( - _In_ PRTL_BITMAP BitMapHeader, - _In_range_(0, BitMapHeader->SizeOfBitMap - NumberToClear) ULONG StartingIndex, - _In_range_(0, BitMapHeader->SizeOfBitMap - StartingIndex) ULONG NumberToClear); - - // rev - NTSYSAPI - VOID - NTAPI - RtlInterlockedSetBitRun( - _In_ PRTL_BITMAP BitMapHeader, - _In_range_(0, BitMapHeader->SizeOfBitMap - NumberToSet) ULONG StartingIndex, - _In_range_(0, BitMapHeader->SizeOfBitMap - StartingIndex) ULONG NumberToSet); - -#endif - -#if (PHNT_VERSION >= PHNT_WIN8) - - NTSYSAPI - VOID - NTAPI - RtlCopyBitMap( - _In_ PRTL_BITMAP Source, - _In_ PRTL_BITMAP Destination, - _In_range_(0, Destination->SizeOfBitMap - 1) ULONG TargetBit); - - NTSYSAPI - VOID - NTAPI - RtlExtractBitMap( - _In_ PRTL_BITMAP Source, - _In_ PRTL_BITMAP Destination, - _In_range_(0, Source->SizeOfBitMap - 1) ULONG TargetBit, - _In_range_(0, Source->SizeOfBitMap) ULONG NumberOfBits); - - NTSYSAPI - ULONG - NTAPI - RtlNumberOfClearBitsInRange( - _In_ PRTL_BITMAP BitMapHeader, - _In_ ULONG StartingIndex, - _In_ ULONG Length); - - NTSYSAPI - ULONG - NTAPI - RtlNumberOfSetBitsInRange( - _In_ PRTL_BITMAP BitMapHeader, - _In_ ULONG StartingIndex, - _In_ ULONG Length); - -#endif - -#if (PHNT_VERSION >= PHNT_THRESHOLD) - - // private - typedef struct _RTL_BITMAP_EX - { - ULONG64 SizeOfBitMap; - PULONG64 Buffer; - } RTL_BITMAP_EX, *PRTL_BITMAP_EX; - - // rev - NTSYSAPI - VOID - NTAPI - RtlInitializeBitMapEx( - _Out_ PRTL_BITMAP_EX BitMapHeader, - _In_ PULONG64 BitMapBuffer, - _In_ ULONG64 SizeOfBitMap); - - // rev - _Check_return_ - NTSYSAPI - BOOLEAN - NTAPI - RtlTestBitEx( - _In_ PRTL_BITMAP_EX BitMapHeader, - _In_range_(<, BitMapHeader->SizeOfBitMap) ULONG64 BitNumber); - - // rev - NTSYSAPI - VOID - NTAPI - 
RtlClearAllBitsEx( - _In_ PRTL_BITMAP_EX BitMapHeader); - - // rev - NTSYSAPI - VOID - NTAPI - RtlClearBitEx( - _In_ PRTL_BITMAP_EX BitMapHeader, - _In_range_(<, BitMapHeader->SizeOfBitMap) ULONG64 BitNumber); - - // rev - NTSYSAPI - VOID - NTAPI - RtlSetBitEx( - _In_ PRTL_BITMAP_EX BitMapHeader, - _In_range_(<, BitMapHeader->SizeOfBitMap) ULONG64 BitNumber); - - // rev - NTSYSAPI - ULONG64 - NTAPI - RtlFindSetBitsEx( - _In_ PRTL_BITMAP_EX BitMapHeader, - _In_ ULONG64 NumberToFind, - _In_ ULONG64 HintIndex); - - NTSYSAPI - ULONG64 - NTAPI - RtlFindSetBitsAndClearEx( - _In_ PRTL_BITMAP_EX BitMapHeader, - _In_ ULONG64 NumberToFind, - _In_ ULONG64 HintIndex); - -#endif - - // - // Handle tables - // - - typedef struct _RTL_HANDLE_TABLE_ENTRY - { - union - { - ULONG Flags; // allocated entries have the low bit set - struct _RTL_HANDLE_TABLE_ENTRY *NextFree; - }; - } RTL_HANDLE_TABLE_ENTRY, *PRTL_HANDLE_TABLE_ENTRY; - -#define RTL_HANDLE_ALLOCATED (USHORT)0x0001 - - typedef struct _RTL_HANDLE_TABLE - { - ULONG MaximumNumberOfHandles; - ULONG SizeOfHandleTableEntry; - ULONG Reserved[2]; - PRTL_HANDLE_TABLE_ENTRY FreeHandles; - PRTL_HANDLE_TABLE_ENTRY CommittedHandles; - PRTL_HANDLE_TABLE_ENTRY UnCommittedHandles; - PRTL_HANDLE_TABLE_ENTRY MaxReservedHandles; - } RTL_HANDLE_TABLE, *PRTL_HANDLE_TABLE; - - NTSYSAPI - VOID - NTAPI - RtlInitializeHandleTable( - _In_ ULONG MaximumNumberOfHandles, - _In_ ULONG SizeOfHandleTableEntry, - _Out_ PRTL_HANDLE_TABLE HandleTable); - - NTSYSAPI - NTSTATUS - NTAPI - RtlDestroyHandleTable( - _Inout_ PRTL_HANDLE_TABLE HandleTable); - - NTSYSAPI - PRTL_HANDLE_TABLE_ENTRY - NTAPI - RtlAllocateHandle( - _In_ PRTL_HANDLE_TABLE HandleTable, - _Out_opt_ PULONG HandleIndex); - - NTSYSAPI - BOOLEAN - NTAPI - RtlFreeHandle( - _In_ PRTL_HANDLE_TABLE HandleTable, - _In_ PRTL_HANDLE_TABLE_ENTRY Handle); - - NTSYSAPI - BOOLEAN - NTAPI - RtlIsValidHandle( - _In_ PRTL_HANDLE_TABLE HandleTable, - _In_ PRTL_HANDLE_TABLE_ENTRY Handle); - - NTSYSAPI - 
BOOLEAN - NTAPI - RtlIsValidIndexHandle( - _In_ PRTL_HANDLE_TABLE HandleTable, - _In_ ULONG HandleIndex, - _Out_ PRTL_HANDLE_TABLE_ENTRY *Handle); - - // - // Atom tables - // - -#define RTL_ATOM_MAXIMUM_INTEGER_ATOM (RTL_ATOM)0xc000 -#define RTL_ATOM_INVALID_ATOM (RTL_ATOM)0x0000 -#define RTL_ATOM_TABLE_DEFAULT_NUMBER_OF_BUCKETS 37 -#define RTL_ATOM_MAXIMUM_NAME_LENGTH 255 -#define RTL_ATOM_PINNED 0x01 - - NTSYSAPI - NTSTATUS - NTAPI - RtlCreateAtomTable( - _In_ ULONG NumberOfBuckets, - _Out_ PVOID *AtomTableHandle); - - NTSYSAPI - NTSTATUS - NTAPI - RtlDestroyAtomTable( - _In_ _Post_invalid_ PVOID AtomTableHandle); - - NTSYSAPI - NTSTATUS - NTAPI - RtlEmptyAtomTable( - _In_ PVOID AtomTableHandle, - _In_ BOOLEAN IncludePinnedAtoms); - - NTSYSAPI - NTSTATUS - NTAPI - RtlAddAtomToAtomTable( - _In_ PVOID AtomTableHandle, - _In_ PCWSTR AtomName, - _Inout_opt_ PRTL_ATOM Atom); - - NTSYSAPI - NTSTATUS - NTAPI - RtlLookupAtomInAtomTable( - _In_ PVOID AtomTableHandle, - _In_ PCWSTR AtomName, - _Out_opt_ PRTL_ATOM Atom); - - NTSYSAPI - NTSTATUS - NTAPI - RtlDeleteAtomFromAtomTable( - _In_ PVOID AtomTableHandle, - _In_ RTL_ATOM Atom); - - NTSYSAPI - NTSTATUS - NTAPI - RtlPinAtomInAtomTable( - _In_ PVOID AtomTableHandle, - _In_ RTL_ATOM Atom); - - NTSYSAPI - NTSTATUS - NTAPI - RtlQueryAtomInAtomTable( - _In_ PVOID AtomTableHandle, - _In_ RTL_ATOM Atom, - _Out_opt_ PULONG AtomUsage, - _Out_opt_ PULONG AtomFlags, - _Inout_updates_bytes_to_opt_(*AtomNameLength, *AtomNameLength) PWSTR AtomName, - _Inout_opt_ PULONG AtomNameLength); - -#if (PHNT_VERSION >= PHNT_VISTA) - // rev - NTSYSAPI - BOOLEAN - NTAPI - RtlGetIntegerAtom( - _In_ PCWSTR AtomName, - _Out_opt_ PUSHORT IntegerAtom); -#endif - - // - // SIDs - // - - _Must_inspect_result_ - NTSYSAPI - BOOLEAN - NTAPI - RtlValidSid( - _In_ PSID Sid); - - _Must_inspect_result_ - NTSYSAPI - BOOLEAN - NTAPI - RtlEqualSid( - _In_ PSID Sid1, - _In_ PSID Sid2); - - _Must_inspect_result_ - NTSYSAPI - BOOLEAN - NTAPI - RtlEqualPrefixSid( - 
_In_ PSID Sid1, - _In_ PSID Sid2); - - NTSYSAPI - ULONG - NTAPI - RtlLengthRequiredSid( - _In_ ULONG SubAuthorityCount); - - NTSYSAPI - PVOID - NTAPI - RtlFreeSid( - _In_ _Post_invalid_ PSID Sid); - - _Must_inspect_result_ - NTSYSAPI - NTSTATUS - NTAPI - RtlAllocateAndInitializeSid( - _In_ PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, - _In_ UCHAR SubAuthorityCount, - _In_ ULONG SubAuthority0, - _In_ ULONG SubAuthority1, - _In_ ULONG SubAuthority2, - _In_ ULONG SubAuthority3, - _In_ ULONG SubAuthority4, - _In_ ULONG SubAuthority5, - _In_ ULONG SubAuthority6, - _In_ ULONG SubAuthority7, - _Outptr_ PSID *Sid); - -#if (PHNT_VERSION >= PHNT_WINBLUE) - _Must_inspect_result_ - NTSYSAPI - NTSTATUS - NTAPI - RtlAllocateAndInitializeSidEx( - _In_ PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, - _In_ UCHAR SubAuthorityCount, - _In_reads_(SubAuthorityCount) PULONG SubAuthorities, - _Outptr_ PSID *Sid); -#endif - - NTSYSAPI - NTSTATUS - NTAPI - RtlInitializeSid( - _Out_ PSID Sid, - _In_ PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, - _In_ UCHAR SubAuthorityCount); - -#if (PHNT_VERSION >= PHNT_THRESHOLD) - NTSYSAPI - NTSTATUS - NTAPI - RtlInitializeSidEx( - _Out_writes_bytes_(SECURITY_SID_SIZE(SubAuthorityCount)) PSID Sid, - _In_ PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, - _In_ UCHAR SubAuthorityCount, - ...); -#endif - - NTSYSAPI - PSID_IDENTIFIER_AUTHORITY - NTAPI - RtlIdentifierAuthoritySid( - _In_ PSID Sid); - - NTSYSAPI - PULONG - NTAPI - RtlSubAuthoritySid( - _In_ PSID Sid, - _In_ ULONG SubAuthority); - - NTSYSAPI - PUCHAR - NTAPI - RtlSubAuthorityCountSid( - _In_ PSID Sid); - - NTSYSAPI - ULONG - NTAPI - RtlLengthSid( - _In_ PSID Sid); - - NTSYSAPI - NTSTATUS - NTAPI - RtlCopySid( - _In_ ULONG DestinationSidLength, - _Out_writes_bytes_(DestinationSidLength) PSID DestinationSid, - _In_ PSID SourceSid); - - // ros - NTSYSAPI - NTSTATUS - NTAPI - RtlCopySidAndAttributesArray( - _In_ ULONG Count, - _In_ PSID_AND_ATTRIBUTES Src, - _In_ ULONG SidAreaSize, - _In_ 
PSID_AND_ATTRIBUTES Dest, - _In_ PSID SidArea, - _Out_ PSID *RemainingSidArea, - _Out_ PULONG RemainingSidAreaSize); - -#if (PHNT_VERSION >= PHNT_VISTA) - - NTSYSAPI - NTSTATUS - NTAPI - RtlCreateServiceSid( - _In_ PUNICODE_STRING ServiceName, - _Out_writes_bytes_opt_(*ServiceSidLength) PSID ServiceSid, - _Inout_ PULONG ServiceSidLength); - -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlSidDominates( - _In_ PSID Sid1, - _In_ PSID Sid2, - _Out_ PBOOLEAN Dominates); - -#endif - -#if (PHNT_VERSION >= PHNT_WINBLUE) - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlSidDominatesForTrust( - _In_ PSID Sid1, - _In_ PSID Sid2, - _Out_ PBOOLEAN DominatesTrust // TokenProcessTrustLevel - ); - -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlSidEqualLevel( - _In_ PSID Sid1, - _In_ PSID Sid2, - _Out_ PBOOLEAN EqualLevel); - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlSidIsHigherLevel( - _In_ PSID Sid1, - _In_ PSID Sid2, - _Out_ PBOOLEAN HigherLevel); -#endif - -#if (PHNT_VERSION >= PHNT_WIN7) - NTSYSAPI - NTSTATUS - NTAPI - RtlCreateVirtualAccountSid( - _In_ PUNICODE_STRING Name, - _In_ ULONG BaseSubAuthority, - _Out_writes_bytes_(*SidLength) PSID Sid, - _Inout_ PULONG SidLength); -#endif - -#if (PHNT_VERSION >= PHNT_WIN7) - NTSYSAPI - NTSTATUS - NTAPI - RtlReplaceSidInSd( - _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor, - _In_ PSID OldSid, - _In_ PSID NewSid, - _Out_ ULONG *NumChanges); -#endif - -#define MAX_UNICODE_STACK_BUFFER_LENGTH 256 - - NTSYSAPI - NTSTATUS - NTAPI - RtlLengthSidAsUnicodeString( - _In_ PSID Sid, - _Out_ PULONG StringLength); - - NTSYSAPI - NTSTATUS - NTAPI - RtlConvertSidToUnicodeString( - _Inout_ PUNICODE_STRING UnicodeString, - _In_ PSID Sid, - _In_ BOOLEAN AllocateDestinationString); - -#if (PHNT_VERSION >= PHNT_VISTA) - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlSidHashInitialize( - _In_reads_(SidCount) PSID_AND_ATTRIBUTES SidAttr, - _In_ ULONG SidCount, - 
_Out_ PSID_AND_ATTRIBUTES_HASH SidAttrHash); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - // private - NTSYSAPI - PSID_AND_ATTRIBUTES - NTAPI - RtlSidHashLookup( - _In_ PSID_AND_ATTRIBUTES_HASH SidAttrHash, - _In_ PSID Sid); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - // rev - NTSYSAPI - BOOLEAN - NTAPI - RtlIsElevatedRid( - _In_ PSID_AND_ATTRIBUTES SidAttr); -#endif - -#if (PHNT_VERSION >= PHNT_THRESHOLD) - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlDeriveCapabilitySidsFromName( - _Inout_ PUNICODE_STRING UnicodeString, - _Out_ PSID CapabilityGroupSid, - _Out_ PSID CapabilitySid); -#endif - - // - // Security Descriptors - // - - /** - * The RtlCreateSecurityDescriptor routine initializes a new absolute-format security descriptor. - * On return, the security descriptor is initialized with no system ACL, no discretionary ACL, no owner, no primary group, and all control flags set to zero. - * - * \param SecurityDescriptor Pointer to the buffer for the \ref SECURITY_DESCRIPTOR to be initialized. - * \param Revision Specifies the revision level to assign to the security descriptor. Set this parameter to SECURITY_DESCRIPTOR_REVISION. - * @return NTSTATUS Successful or errant status. - * @see https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-rtlcreatesecuritydescriptor - */ - NTSYSAPI - NTSTATUS - NTAPI - RtlCreateSecurityDescriptor( - _Out_ PSECURITY_DESCRIPTOR SecurityDescriptor, - _In_ ULONG Revision); - - /** - * The RtlValidSecurityDescriptor routine checks a given security descriptor's validity. - * - * \param SecurityDescriptor Pointer to the \ref SECURITY_DESCRIPTOR to be checked. - * @return Returns TRUE if the security descriptor is valid, or FALSE otherwise. - * @remarks The routine checks the validity of an absolute-format security descriptor. To check the validity of a self-relative security descriptor, use the \ref RtlValidRelativeSecurityDescriptor routine instead. 
- * @see https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-rtlvalidsecuritydescriptor - */ - _Check_return_ - NTSYSAPI - BOOLEAN - NTAPI - RtlValidSecurityDescriptor( - _In_ PSECURITY_DESCRIPTOR SecurityDescriptor); - - /** - * The RtlLengthSecurityDescriptor routine returns the size of a given security descriptor. - * - * \param SecurityDescriptor A pointer to a \ref SECURITY_DESCRIPTOR structure whose length the function retrieves. - * @return Returns the length, in bytes, of the SECURITY_DESCRIPTOR structure. - * @see https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-rtllengthsecuritydescriptor - */ - NTSYSAPI - ULONG - NTAPI - RtlLengthSecurityDescriptor( - _In_ PSECURITY_DESCRIPTOR SecurityDescriptor); - - /** - * The RtlValidRelativeSecurityDescriptor routine checks the validity of a self-relative security descriptor. - * - * \param SecurityDescriptorInput A pointer to the buffer that contains the security descriptor in self-relative format. - * The buffer must begin with a SECURITY_DESCRIPTOR structure, which is followed by the rest of the security descriptor data. - * \param SecurityDescriptorLength The size of the SecurityDescriptorInput structure. - * \param RequiredInformation A SECURITY_INFORMATION value that specifies the information that is required to be contained in the security descriptor. - * @return RtlValidRelativeSecurityDescriptor returns TRUE if the security descriptor is valid and includes the information that the RequiredInformation parameter specifies. Otherwise, this routine returns FALSE. 
- * @see https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-rtlvalidrelativesecuritydescriptor - */ - _Check_return_ - NTSYSAPI - BOOLEAN - NTAPI - RtlValidRelativeSecurityDescriptor( - _In_reads_bytes_(SecurityDescriptorLength) PSECURITY_DESCRIPTOR SecurityDescriptorInput, - _In_ ULONG SecurityDescriptorLength, - _In_ SECURITY_INFORMATION RequiredInformation); - - NTSYSAPI - NTSTATUS - NTAPI - RtlGetControlSecurityDescriptor( - _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, - _Out_ PSECURITY_DESCRIPTOR_CONTROL Control, - _Out_ PULONG Revision); - - NTSYSAPI - NTSTATUS - NTAPI - RtlSetControlSecurityDescriptor( - _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor, - _In_ SECURITY_DESCRIPTOR_CONTROL ControlBitsOfInterest, - _In_ SECURITY_DESCRIPTOR_CONTROL ControlBitsToSet); - - NTSYSAPI - NTSTATUS - NTAPI - RtlSetAttributesSecurityDescriptor( - _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor, - _In_ SECURITY_DESCRIPTOR_CONTROL Control, - _Out_ PULONG Revision); - - NTSYSAPI - BOOLEAN - NTAPI - RtlGetSecurityDescriptorRMControl( - _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, - _Out_ PUCHAR RMControl); - - NTSYSAPI - VOID - NTAPI - RtlSetSecurityDescriptorRMControl( - _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor, - _In_opt_ PUCHAR RMControl); - - NTSYSAPI - NTSTATUS - NTAPI - RtlSetDaclSecurityDescriptor( - _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor, - _In_ BOOLEAN DaclPresent, - _In_opt_ PACL Dacl, - _In_ BOOLEAN DaclDefaulted); - - NTSYSAPI - NTSTATUS - NTAPI - RtlGetDaclSecurityDescriptor( - _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, - _Out_ PBOOLEAN DaclPresent, - _Outptr_result_maybenull_ PACL *Dacl, - _Out_ PBOOLEAN DaclDefaulted); - - NTSYSAPI - NTSTATUS - NTAPI - RtlSetSaclSecurityDescriptor( - _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor, - _In_ BOOLEAN SaclPresent, - _In_opt_ PACL Sacl, - _In_ BOOLEAN SaclDefaulted); - - NTSYSAPI - NTSTATUS - NTAPI - RtlGetSaclSecurityDescriptor( - _In_ PSECURITY_DESCRIPTOR 
SecurityDescriptor, - _Out_ PBOOLEAN SaclPresent, - _Out_ PACL *Sacl, - _Out_ PBOOLEAN SaclDefaulted); - - /** - * The RtlSetOwnerSecurityDescriptor routine sets the owner information of an absolute-format security descriptor. It replaces any owner information that is already present in the security descriptor. - * - * \param SecurityDescriptor Pointer to the SECURITY_DESCRIPTOR structure whose owner is to be set. RtlSetOwnerSecurityDescriptor replaces any existing owner with the new owner. - * \param Owner Pointer to a security identifier (SID) structure for the security descriptor's new primary owner. - * \li \c This pointer, not the SID structure itself, is copied into the security descriptor. - * \li \c If this parameter is NULL, RtlSetOwnerSecurityDescriptor clears the security descriptor's owner information. This marks the security descriptor as having no owner. - * \param OwnerDefaulted Set to TRUE if the owner information is derived from a default mechanism. - * \li \c If this value is TRUE, it is default information. RtlSetOwnerSecurityDescriptor sets the SE_OWNER_DEFAULTED flag in the security descriptor's SECURITY_DESCRIPTOR_CONTROL field. - * \li \c If this parameter is FALSE, the SE_OWNER_DEFAULTED flag is cleared. - * @return NTSTATUS Successful or errant status. - * @see https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-rtlsetownersecuritydescriptor - */ - NTSYSAPI - NTSTATUS - NTAPI - RtlSetOwnerSecurityDescriptor( - _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor, - _In_opt_ PSID Owner, - _In_ BOOLEAN OwnerDefaulted); - - /** - * The RtlGetOwnerSecurityDescriptor routine returns the owner information for a given security descriptor. - * - * \param SecurityDescriptor Pointer to the SECURITY_DESCRIPTOR structure. - * \param Owner Pointer to an address to receive a pointer to the owner security identifier (SID). If the security descriptor does not currently contain an owner SID, Owner receives NULL. 
- * \param OwnerDefaulted Pointer to a Boolean variable that receives TRUE if the owner information is derived from a default mechanism, FALSE otherwise. Valid only if Owner receives a non-NULL value. - * @return NTSTATUS Successful or errant status. - * @see https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-rtlgetownersecuritydescriptor - */ - NTSYSAPI - NTSTATUS - NTAPI - RtlGetOwnerSecurityDescriptor( - _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, - _Outptr_result_maybenull_ PSID *Owner, - _Out_ PBOOLEAN OwnerDefaulted); - - /** - * The RtlSetGroupSecurityDescriptor routine sets the primary group information of an absolute-format security descriptor. It replaces any primary group information that is already present in the security descriptor. - * - * \param SecurityDescriptor Pointer to the SECURITY_DESCRIPTOR structure whose primary group is to be set. RtlSetGroupSecurityDescriptor replaces any existing primary group with the new primary group. - * \param Group Pointer to a security identifier (SID) structure for the security descriptor's new primary owner. - * \li \c This pointer, not the SID structure itself, is copied into the security descriptor. - * \li \c If Group is NULL, RtlSetGroupSecurityDescriptor clears the security descriptor's primary group information. This marks the security descriptor as having no primary group. - * \param GroupDefaulted Set this Boolean variable to TRUE if the primary group information is derived from a default mechanism. - * \li \c If this parameter is TRUE, RtlSetGroupSecurityDescriptor sets the SE_GROUP_DEFAULTED flag in the security descriptor's SECURITY_DESCRIPTOR_CONTROL field. - * \li \c If this parameter is FALSE, RtlSetGroupSecurityDescriptor clears the SE_GROUP_DEFAULTED flag. - * @return NTSTATUS Successful or errant status. 
- * @see https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-rtlsetgroupsecuritydescriptor - */ - NTSYSAPI - NTSTATUS - NTAPI - RtlSetGroupSecurityDescriptor( - _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor, - _In_opt_ PSID Group, - _In_ BOOLEAN GroupDefaulted); - - NTSYSAPI - NTSTATUS - NTAPI - RtlGetGroupSecurityDescriptor( - _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, - _Outptr_result_maybenull_ PSID *Group, - _Out_ PBOOLEAN GroupDefaulted); - - NTSYSAPI - NTSTATUS - NTAPI - RtlMakeSelfRelativeSD( - _In_ PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor, - _Out_writes_bytes_(*BufferLength) PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor, - _Inout_ PULONG BufferLength); - - NTSYSAPI - NTSTATUS - NTAPI - RtlAbsoluteToSelfRelativeSD( - _In_ PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor, - _Out_writes_bytes_to_opt_(*BufferLength, *BufferLength) PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor, - _Inout_ PULONG BufferLength); - - NTSYSAPI - NTSTATUS - NTAPI - RtlSelfRelativeToAbsoluteSD( - _In_ PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor, - _Out_writes_bytes_to_opt_(*AbsoluteSecurityDescriptorSize, *AbsoluteSecurityDescriptorSize) PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor, - _Inout_ PULONG AbsoluteSecurityDescriptorSize, - _Out_writes_bytes_to_opt_(*DaclSize, *DaclSize) PACL Dacl, - _Inout_ PULONG DaclSize, - _Out_writes_bytes_to_opt_(*SaclSize, *SaclSize) PACL Sacl, - _Inout_ PULONG SaclSize, - _Out_writes_bytes_to_opt_(*OwnerSize, *OwnerSize) PSID Owner, - _Inout_ PULONG OwnerSize, - _Out_writes_bytes_to_opt_(*PrimaryGroupSize, *PrimaryGroupSize) PSID PrimaryGroup, - _Inout_ PULONG PrimaryGroupSize); - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlSelfRelativeToAbsoluteSD2( - _Inout_ PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor, - _Inout_ PULONG BufferSize); - -#if (PHNT_VERSION >= PHNT_19H2) - __drv_maxIRQL(APC_LEVEL) - NTSYSAPI - BOOLEAN - NTAPI - RtlNormalizeSecurityDescriptor( - _Inout_ 
PSECURITY_DESCRIPTOR *SecurityDescriptor, - _In_ ULONG SecurityDescriptorLength, - _Out_opt_ PSECURITY_DESCRIPTOR *NewSecurityDescriptor, - _Out_opt_ PULONG NewSecurityDescriptorLength, - _In_ BOOLEAN CheckOnly); -#endif - - // Access masks - -#ifndef PHNT_NO_INLINE_ACCESSES_GRANTED - /** - * Checks if all desired accesses are granted. - * - * This function determines whether all the accesses specified in the DesiredAccess - * mask are granted by the GrantedAccess mask. - * - * \param GrantedAccess The access mask that specifies the granted accesses. - * \param DesiredAccess The access mask that specifies the desired accesses. - * @return Returns TRUE if all desired accesses are granted, otherwise FALSE. - */ - FORCEINLINE - BOOLEAN - NTAPI - RtlAreAllAccessesGranted( - _In_ ACCESS_MASK GrantedAccess, - _In_ ACCESS_MASK DesiredAccess) - { - return (~GrantedAccess & DesiredAccess) == 0; - } - - /** - * Checks if any of the desired accesses are granted. - * - * This function determines if any of the access rights specified in the DesiredAccess - * mask are present in the GrantedAccess mask. - * - * \param GrantedAccess The access mask that specifies the granted access rights. - * \param DesiredAccess The access mask that specifies the desired access rights. - * @return Returns TRUE if any of the desired access rights are granted, otherwise FALSE. - */ - FORCEINLINE - BOOLEAN - NTAPI - RtlAreAnyAccessesGranted( - _In_ ACCESS_MASK GrantedAccess, - _In_ ACCESS_MASK DesiredAccess) - { - return (GrantedAccess & DesiredAccess) != 0; - } -#else - /** - * Checks if all desired accesses are granted. - * - * This function determines whether all the accesses specified in the DesiredAccess - * mask are granted by the GrantedAccess mask. - * - * \param GrantedAccess The access mask that specifies the granted accesses. - * \param DesiredAccess The access mask that specifies the desired accesses. - * @return Returns TRUE if all desired accesses are granted, otherwise FALSE. 
- */ - NTSYSAPI - BOOLEAN - NTAPI - RtlAreAllAccessesGranted( - _In_ ACCESS_MASK GrantedAccess, - _In_ ACCESS_MASK DesiredAccess); - - /** - * Checks if any of the desired accesses are granted. - * - * This function determines if any of the access rights specified in the DesiredAccess - * mask are present in the GrantedAccess mask. - * - * \param GrantedAccess The access mask that specifies the granted access rights. - * \param DesiredAccess The access mask that specifies the desired access rights. - * @return Returns TRUE if any of the desired access rights are granted, otherwise FALSE. - */ - NTSYSAPI - BOOLEAN - NTAPI - RtlAreAnyAccessesGranted( - _In_ ACCESS_MASK GrantedAccess, - _In_ ACCESS_MASK DesiredAccess); -#endif - - NTSYSAPI - VOID - NTAPI - RtlMapGenericMask( - _Inout_ PACCESS_MASK AccessMask, - _In_ PGENERIC_MAPPING GenericMapping); - - // - // ACLs - // - - NTSYSAPI - NTSTATUS - NTAPI - RtlCreateAcl( - _Out_writes_bytes_(AclLength) PACL Acl, - _In_ ULONG AclLength, - _In_ ULONG AclRevision); - - NTSYSAPI - BOOLEAN - NTAPI - RtlValidAcl( - _In_ PACL Acl); - - NTSYSAPI - NTSTATUS - NTAPI - RtlQueryInformationAcl( - _In_ PACL Acl, - _Out_writes_bytes_(AclInformationLength) PVOID AclInformation, - _In_ ULONG AclInformationLength, - _In_ ACL_INFORMATION_CLASS AclInformationClass); - - NTSYSAPI - NTSTATUS - NTAPI - RtlSetInformationAcl( - _Inout_ PACL Acl, - _In_reads_bytes_(AclInformationLength) PVOID AclInformation, - _In_ ULONG AclInformationLength, - _In_ ACL_INFORMATION_CLASS AclInformationClass); - - NTSYSAPI - NTSTATUS - NTAPI - RtlAddAce( - _Inout_ PACL Acl, - _In_ ULONG AceRevision, - _In_ ULONG StartingAceIndex, - _In_reads_bytes_(AceListLength) PVOID AceList, - _In_ ULONG AceListLength); - - NTSYSAPI - NTSTATUS - NTAPI - RtlDeleteAce( - _Inout_ PACL Acl, - _In_ ULONG AceIndex); - - NTSYSAPI - NTSTATUS - NTAPI - RtlGetAce( - _In_ PACL Acl, - _In_ ULONG AceIndex, - _Outptr_ PVOID *Ace); - -#if (PHNT_VERSION >= PHNT_WIN11_24H2) - NTSYSAPI - 
NTSTATUS - NTAPI - RtlGetAcesBufferSize( - _In_ PACL Acl, - _Out_ PULONG AcesBufferSize); -#endif - - NTSYSAPI - BOOLEAN - NTAPI - RtlFirstFreeAce( - _In_ PACL Acl, - _Out_ PVOID *FirstFree); - -#if (PHNT_VERSION >= PHNT_VISTA) - // private - NTSYSAPI - PVOID - NTAPI - RtlFindAceByType( - _In_ PACL Acl, - _In_ UCHAR AceType, - _Out_opt_ PULONG Index); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - // private - NTSYSAPI - BOOLEAN - NTAPI - RtlOwnerAcesPresent( - _In_ PACL pAcl); -#endif - - NTSYSAPI - NTSTATUS - NTAPI - RtlAddAccessAllowedAce( - _Inout_ PACL Acl, - _In_ ULONG AceRevision, - _In_ ACCESS_MASK AccessMask, - _In_ PSID Sid); - - NTSYSAPI - NTSTATUS - NTAPI - RtlAddAccessAllowedAceEx( - _Inout_ PACL Acl, - _In_ ULONG AceRevision, - _In_ ULONG AceFlags, - _In_ ACCESS_MASK AccessMask, - _In_ PSID Sid); - - NTSYSAPI - NTSTATUS - NTAPI - RtlAddAccessDeniedAce( - _Inout_ PACL Acl, - _In_ ULONG AceRevision, - _In_ ACCESS_MASK AccessMask, - _In_ PSID Sid); - - NTSYSAPI - NTSTATUS - NTAPI - RtlAddAccessDeniedAceEx( - _Inout_ PACL Acl, - _In_ ULONG AceRevision, - _In_ ULONG AceFlags, - _In_ ACCESS_MASK AccessMask, - _In_ PSID Sid); - - NTSYSAPI - NTSTATUS - NTAPI - RtlAddAuditAccessAce( - _Inout_ PACL Acl, - _In_ ULONG AceRevision, - _In_ ACCESS_MASK AccessMask, - _In_ PSID Sid, - _In_ BOOLEAN AuditSuccess, - _In_ BOOLEAN AuditFailure); - - NTSYSAPI - NTSTATUS - NTAPI - RtlAddAuditAccessAceEx( - _Inout_ PACL Acl, - _In_ ULONG AceRevision, - _In_ ULONG AceFlags, - _In_ ACCESS_MASK AccessMask, - _In_ PSID Sid, - _In_ BOOLEAN AuditSuccess, - _In_ BOOLEAN AuditFailure); - - NTSYSAPI - NTSTATUS - NTAPI - RtlAddAccessAllowedObjectAce( - _Inout_ PACL Acl, - _In_ ULONG AceRevision, - _In_ ULONG AceFlags, - _In_ ACCESS_MASK AccessMask, - _In_opt_ PGUID ObjectTypeGuid, - _In_opt_ PGUID InheritedObjectTypeGuid, - _In_ PSID Sid); - - NTSYSAPI - NTSTATUS - NTAPI - RtlAddAccessDeniedObjectAce( - _Inout_ PACL Acl, - _In_ ULONG AceRevision, - _In_ ULONG AceFlags, - _In_ 
ACCESS_MASK AccessMask, - _In_opt_ PGUID ObjectTypeGuid, - _In_opt_ PGUID InheritedObjectTypeGuid, - _In_ PSID Sid); - - NTSYSAPI - NTSTATUS - NTAPI - RtlAddAuditAccessObjectAce( - _Inout_ PACL Acl, - _In_ ULONG AceRevision, - _In_ ULONG AceFlags, - _In_ ACCESS_MASK AccessMask, - _In_opt_ PGUID ObjectTypeGuid, - _In_opt_ PGUID InheritedObjectTypeGuid, - _In_ PSID Sid, - _In_ BOOLEAN AuditSuccess, - _In_ BOOLEAN AuditFailure); - -// private -#define COMPOUND_ACE_IMPERSONATION 1 - - // private - typedef struct _COMPOUND_ACCESS_ALLOWED_ACE - { - ACE_HEADER Header; - ACCESS_MASK Mask; - USHORT CompoundAceType; // COMPOUND_ACE_* - USHORT Reserved; - ULONG SidStart; // Server SID - // Client SID follows - } COMPOUND_ACCESS_ALLOWED_ACE, *PCOMPOUND_ACCESS_ALLOWED_ACE; - - NTSYSAPI - NTSTATUS - NTAPI - RtlAddCompoundAce( - _Inout_ PACL Acl, - _In_ ULONG AceRevision, - _In_ UCHAR AceType, // COMPOUND_ACE_* - _In_ ACCESS_MASK AccessMask, - _In_ PSID ServerSid, - _In_ PSID ClientSid); - -#if (PHNT_VERSION >= PHNT_VISTA) - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlAddMandatoryAce( - _Inout_ PACL Acl, - _In_ ULONG AceRevision, - _In_ ULONG AceFlags, - _In_ PSID Sid, - _In_ UCHAR AceType, - _In_ ACCESS_MASK AccessMask); -#endif - -#if (PHNT_VERSION >= PHNT_WIN8) - NTSYSAPI - NTSTATUS - NTAPI - RtlAddResourceAttributeAce( - _Inout_ PACL Acl, - _In_ ULONG AceRevision, - _In_ ULONG AceFlags, - _In_ ULONG AccessMask, - _In_ PSID Sid, - _In_ PCLAIM_SECURITY_ATTRIBUTES_INFORMATION AttributeInfo, - _Out_ PULONG ReturnLength); - - NTSYSAPI - NTSTATUS - NTAPI - RtlAddScopedPolicyIDAce( - _Inout_ PACL Acl, - _In_ ULONG AceRevision, - _In_ ULONG AceFlags, - _In_ ULONG AccessMask, - _In_ PSID Sid); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlAddProcessTrustLabelAce( - _Inout_ PACL Acl, - _In_ ULONG AceRevision, - _In_ ULONG AceFlags, - _In_ PSID ProcessTrustLabelSid, - _In_ UCHAR AceType, // SYSTEM_PROCESS_TRUST_LABEL_ACE_TYPE - _In_ ACCESS_MASK AccessMask); -#endif - - // - // Named 
pipes - // - - NTSYSAPI - NTSTATUS - NTAPI - RtlDefaultNpAcl( - _Out_ PACL *Acl); - - // - // Security objects - // - - NTSYSAPI - NTSTATUS - NTAPI - RtlNewSecurityObject( - _In_opt_ PSECURITY_DESCRIPTOR ParentDescriptor, - _In_opt_ PSECURITY_DESCRIPTOR CreatorDescriptor, - _Out_ PSECURITY_DESCRIPTOR *NewDescriptor, - _In_ BOOLEAN IsDirectoryObject, - _In_opt_ HANDLE Token, - _In_ PGENERIC_MAPPING GenericMapping); - - NTSYSAPI - NTSTATUS - NTAPI - RtlNewSecurityObjectEx( - _In_opt_ PSECURITY_DESCRIPTOR ParentDescriptor, - _In_opt_ PSECURITY_DESCRIPTOR CreatorDescriptor, - _Out_ PSECURITY_DESCRIPTOR *NewDescriptor, - _In_opt_ GUID *ObjectType, - _In_ BOOLEAN IsDirectoryObject, - _In_ ULONG AutoInheritFlags, // SEF_* - _In_opt_ HANDLE Token, - _In_ PGENERIC_MAPPING GenericMapping); - - NTSYSAPI - NTSTATUS - NTAPI - RtlNewSecurityObjectWithMultipleInheritance( - _In_opt_ PSECURITY_DESCRIPTOR ParentDescriptor, - _In_opt_ PSECURITY_DESCRIPTOR CreatorDescriptor, - _Out_ PSECURITY_DESCRIPTOR *NewDescriptor, - _In_opt_ GUID **ObjectType, - _In_ ULONG GuidCount, - _In_ BOOLEAN IsDirectoryObject, - _In_ ULONG AutoInheritFlags, // SEF_* - _In_opt_ HANDLE Token, - _In_ PGENERIC_MAPPING GenericMapping); - - NTSYSAPI - NTSTATUS - NTAPI - RtlDeleteSecurityObject( - _Inout_ PSECURITY_DESCRIPTOR *ObjectDescriptor); - - NTSYSAPI - NTSTATUS - NTAPI - RtlQuerySecurityObject( - _In_ PSECURITY_DESCRIPTOR ObjectDescriptor, - _In_ SECURITY_INFORMATION SecurityInformation, - _Out_opt_ PSECURITY_DESCRIPTOR ResultantDescriptor, - _In_ ULONG DescriptorLength, - _Out_ PULONG ReturnLength); - - NTSYSAPI - NTSTATUS - NTAPI - RtlSetSecurityObject( - _In_ SECURITY_INFORMATION SecurityInformation, - _In_ PSECURITY_DESCRIPTOR ModificationDescriptor, - _Inout_ PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor, - _In_ PGENERIC_MAPPING GenericMapping, - _In_opt_ HANDLE TokenHandle); - - NTSYSAPI - NTSTATUS - NTAPI - RtlSetSecurityObjectEx( - _In_ SECURITY_INFORMATION SecurityInformation, - _In_ 
PSECURITY_DESCRIPTOR ModificationDescriptor, - _Inout_ PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor, - _In_ ULONG AutoInheritFlags, // SEF_* - _In_ PGENERIC_MAPPING GenericMapping, - _In_opt_ HANDLE TokenHandle); - - NTSYSAPI - NTSTATUS - NTAPI - RtlConvertToAutoInheritSecurityObject( - _In_opt_ PSECURITY_DESCRIPTOR ParentDescriptor, - _In_ PSECURITY_DESCRIPTOR CurrentSecurityDescriptor, - _Out_ PSECURITY_DESCRIPTOR *NewSecurityDescriptor, - _In_opt_ GUID *ObjectType, - _In_ BOOLEAN IsDirectoryObject, - _In_ PGENERIC_MAPPING GenericMapping); - - NTSYSAPI - NTSTATUS - NTAPI - RtlNewInstanceSecurityObject( - _In_ BOOLEAN ParentDescriptorChanged, - _In_ BOOLEAN CreatorDescriptorChanged, - _In_ PLUID OldClientTokenModifiedId, - _Out_ PLUID NewClientTokenModifiedId, - _In_opt_ PSECURITY_DESCRIPTOR ParentDescriptor, - _In_opt_ PSECURITY_DESCRIPTOR CreatorDescriptor, - _Out_ PSECURITY_DESCRIPTOR *NewDescriptor, - _In_ BOOLEAN IsDirectoryObject, - _In_ HANDLE TokenHandle, - _In_ PGENERIC_MAPPING GenericMapping); - - NTSYSAPI - NTSTATUS - NTAPI - RtlCopySecurityDescriptor( - _In_ PSECURITY_DESCRIPTOR InputSecurityDescriptor, - _Out_ PSECURITY_DESCRIPTOR *OutputSecurityDescriptor); - - // private - typedef struct _RTL_ACE_DATA - { - UCHAR AceType; - UCHAR InheritFlags; - UCHAR AceFlags; - ACCESS_MASK AccessMask; - PSID *Sid; - } RTL_ACE_DATA, *PRTL_ACE_DATA; - - NTSYSAPI - NTSTATUS - NTAPI - RtlCreateUserSecurityObject( - _In_ PRTL_ACE_DATA AceData, - _In_ ULONG AceCount, - _In_ PSID OwnerSid, - _In_ PSID GroupSid, - _In_ BOOLEAN IsDirectoryObject, - _In_ PGENERIC_MAPPING GenericMapping, - _Out_ PSECURITY_DESCRIPTOR *NewSecurityDescriptor); - - NTSYSAPI - NTSTATUS - NTAPI - RtlCreateAndSetSD( - _In_ PRTL_ACE_DATA AceData, - _In_ ULONG AceCount, - _In_opt_ PSID OwnerSid, - _In_opt_ PSID GroupSid, - _Out_ PSECURITY_DESCRIPTOR *NewSecurityDescriptor); - - // Misc. 
security - - NTSYSAPI - VOID - NTAPI - RtlRunEncodeUnicodeString( - _Inout_ PUCHAR Seed, - _Inout_ PUNICODE_STRING String); - - NTSYSAPI - VOID - NTAPI - RtlRunDecodeUnicodeString( - _In_ UCHAR Seed, - _Inout_ PUNICODE_STRING String); - - NTSYSAPI - NTSTATUS - NTAPI - RtlImpersonateSelf( - _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel); - -#if (PHNT_VERSION >= PHNT_VISTA) - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlImpersonateSelfEx( - _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, - _In_opt_ ACCESS_MASK AdditionalAccess, - _Out_opt_ PHANDLE ThreadToken); -#endif - - NTSYSAPI - NTSTATUS - NTAPI - RtlAdjustPrivilege( - _In_ ULONG Privilege, - _In_ BOOLEAN Enable, - _In_ BOOLEAN Client, - _Out_ PBOOLEAN WasEnabled); - -#define RTL_ACQUIRE_PRIVILEGE_REVERT 0x00000001 -#define RTL_ACQUIRE_PRIVILEGE_PROCESS 0x00000002 - - NTSYSAPI - NTSTATUS - NTAPI - RtlAcquirePrivilege( - _In_ PULONG Privilege, - _In_ ULONG NumPriv, - _In_ ULONG Flags, - _Out_ PVOID *ReturnedState); - - NTSYSAPI - VOID - NTAPI - RtlReleasePrivilege( - _In_ PVOID StatePointer); - -#if (PHNT_VERSION >= PHNT_VISTA) - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlRemovePrivileges( - _In_ HANDLE TokenHandle, - _In_ PULONG PrivilegesToKeep, - _In_ ULONG PrivilegeCount); -#endif - -#if (PHNT_VERSION >= PHNT_WIN8) - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlIsUntrustedObject( - _In_opt_ HANDLE Handle, - _In_opt_ PVOID Object, - _Out_ PBOOLEAN IsUntrustedObject); - - NTSYSAPI - ULONG - NTAPI - RtlQueryValidationRunlevel( - _In_opt_ PUNICODE_STRING ComponentName); - -#endif - - // Private namespaces - -#if (PHNT_VERSION >= PHNT_VISTA) - -// rev -#define BOUNDARY_DESCRIPTOR_ADD_APPCONTAINER_SID 0x0001 - - // begin_private - - _Ret_maybenull_ - _Success_(return != NULL) - NTSYSAPI - POBJECT_BOUNDARY_DESCRIPTOR - NTAPI - RtlCreateBoundaryDescriptor( - _In_ PUNICODE_STRING Name, - _In_ ULONG Flags); - - NTSYSAPI - VOID - NTAPI - RtlDeleteBoundaryDescriptor( - _In_ _Post_invalid_ 
POBJECT_BOUNDARY_DESCRIPTOR BoundaryDescriptor); - - NTSYSAPI - NTSTATUS - NTAPI - RtlAddSIDToBoundaryDescriptor( - _Inout_ POBJECT_BOUNDARY_DESCRIPTOR *BoundaryDescriptor, - _In_ PSID RequiredSid); - -#if (PHNT_VERSION >= PHNT_WIN7) - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlAddIntegrityLabelToBoundaryDescriptor( - _Inout_ POBJECT_BOUNDARY_DESCRIPTOR *BoundaryDescriptor, - _In_ PSID IntegrityLabel); -#endif - - // end_private - -#endif - - // - // Version - // - - NTSYSAPI - NTSTATUS - NTAPI - RtlGetVersion( - _Out_ PRTL_OSVERSIONINFOEXW VersionInformation // PRTL_OSVERSIONINFOW - ); - - NTSYSAPI - NTSTATUS - NTAPI - RtlVerifyVersionInfo( - _In_ PRTL_OSVERSIONINFOEXW VersionInformation, // PRTL_OSVERSIONINFOW - _In_ ULONG TypeMask, - _In_ ULONGLONG ConditionMask); - - // rev - NTSYSAPI - VOID - NTAPI - RtlGetNtVersionNumbers( - _Out_opt_ PULONG NtMajorVersion, - _Out_opt_ PULONG NtMinorVersion, - _Out_opt_ PULONG NtBuildNumber); - - // - // System information - // - - // rev - NTSYSAPI - ULONG - NTAPI - RtlGetNtGlobalFlags( - VOID); - - // rev - NTSYSAPI - BOOLEAN - NTAPI - RtlGetNtProductType( - _Out_ PNT_PRODUCT_TYPE NtProductType); - -#if (PHNT_VERSION >= PHNT_REDSTONE) - // private - NTSYSAPI - ULONG - NTAPI - RtlGetSuiteMask( - VOID); -#endif - - // - // Thread pool (old) - // - - NTSYSAPI - NTSTATUS - NTAPI - RtlRegisterWait( - _Out_ PHANDLE WaitHandle, - _In_ HANDLE Handle, - _In_ WAITORTIMERCALLBACKFUNC Function, - _In_opt_ PVOID Context, - _In_ ULONG Milliseconds, - _In_ ULONG Flags); - - NTSYSAPI - NTSTATUS - NTAPI - RtlDeregisterWait( - _In_ HANDLE WaitHandle); - -#define RTL_WAITER_DEREGISTER_WAIT_FOR_COMPLETION ((HANDLE)(LONG_PTR) - 1) - - NTSYSAPI - NTSTATUS - NTAPI - RtlDeregisterWaitEx( - _In_ HANDLE WaitHandle, - _In_opt_ HANDLE CompletionEvent // optional: RTL_WAITER_DEREGISTER_WAIT_FOR_COMPLETION - ); - - NTSYSAPI - NTSTATUS - NTAPI - RtlQueueWorkItem( - _In_ WORKERCALLBACKFUNC Function, - _In_opt_ PVOID Context, - _In_ ULONG Flags); - - 
NTSYSAPI - NTSTATUS - NTAPI - RtlSetIoCompletionCallback( - _In_ HANDLE FileHandle, - _In_ APC_CALLBACK_FUNCTION CompletionProc, - _In_ ULONG Flags); - - _Function_class_(RTL_START_POOL_THREAD) typedef NTSTATUS(NTAPI RTL_START_POOL_THREAD)( - _In_ PTHREAD_START_ROUTINE Function, - _In_ PVOID Parameter, - _Out_ PHANDLE ThreadHandle); - typedef RTL_START_POOL_THREAD *PRTL_START_POOL_THREAD; - - _Function_class_(RTL_EXIT_POOL_THREAD) typedef NTSTATUS(NTAPI RTL_EXIT_POOL_THREAD)( - _In_ NTSTATUS ExitStatus); - typedef RTL_EXIT_POOL_THREAD *PRTL_EXIT_POOL_THREAD; - - NTSYSAPI - NTSTATUS - NTAPI - RtlSetThreadPoolStartFunc( - _In_ PRTL_START_POOL_THREAD StartPoolThread, - _In_ PRTL_EXIT_POOL_THREAD ExitPoolThread); - - NTSYSAPI - VOID - NTAPI - RtlUserThreadStart( - _In_ PTHREAD_START_ROUTINE Function, - _In_ PVOID Parameter); - - NTSYSAPI - VOID - NTAPI - LdrInitializeThunk( - _In_ PCONTEXT ContextRecord, - _In_ PVOID Parameter); - - // - // Thread execution - // - - NTSYSAPI - NTSTATUS - NTAPI - RtlDelayExecution( - _In_ BOOLEAN Alertable, - _In_opt_ PLARGE_INTEGER DelayInterval); - - // - // Timer support - // - - NTSYSAPI - NTSTATUS - NTAPI - RtlCreateTimerQueue( - _Out_ PHANDLE TimerQueueHandle); - - NTSYSAPI - NTSTATUS - NTAPI - RtlCreateTimer( - _In_ HANDLE TimerQueueHandle, - _Out_ PHANDLE Handle, - _In_ WAITORTIMERCALLBACKFUNC Function, - _In_opt_ PVOID Context, - _In_ ULONG DueTime, - _In_ ULONG Period, - _In_ ULONG Flags); - - NTSYSAPI - NTSTATUS - NTAPI - RtlSetTimer( - _In_ HANDLE TimerQueueHandle, - _Out_ PHANDLE Handle, - _In_ WAITORTIMERCALLBACKFUNC Function, - _In_opt_ PVOID Context, - _In_ ULONG DueTime, - _In_ ULONG Period, - _In_ ULONG Flags); - - NTSYSAPI - NTSTATUS - NTAPI - RtlUpdateTimer( - _In_ HANDLE TimerQueueHandle, - _In_ HANDLE TimerHandle, - _In_ ULONG DueTime, - _In_ ULONG Period); - -#define RTL_TIMER_DELETE_WAIT_FOR_COMPLETION ((HANDLE)(LONG_PTR) - 1) - - NTSYSAPI - NTSTATUS - NTAPI - RtlDeleteTimer( - _In_ HANDLE TimerQueueHandle, - 
_In_ HANDLE TimerToCancel, - _In_opt_ HANDLE Event // optional: RTL_TIMER_DELETE_WAIT_FOR_COMPLETION - ); - - NTSYSAPI - NTSTATUS - NTAPI - RtlDeleteTimerQueue( - _In_ HANDLE TimerQueueHandle); - - NTSYSAPI - NTSTATUS - NTAPI - RtlDeleteTimerQueueEx( - _In_ HANDLE TimerQueueHandle, - _In_opt_ HANDLE Event); - - // - // Registry access - // - - NTSYSAPI - NTSTATUS - NTAPI - RtlFormatCurrentUserKeyPath( - _Out_ PUNICODE_STRING CurrentUserKeyPath); - - NTSYSAPI - NTSTATUS - NTAPI - RtlOpenCurrentUser( - _In_ ACCESS_MASK DesiredAccess, - _Out_ PHANDLE CurrentUserKey); - -#define RTL_REGISTRY_ABSOLUTE 0 -#define RTL_REGISTRY_SERVICES 1 // \Registry\Machine\System\CurrentControlSet\Services -#define RTL_REGISTRY_CONTROL 2 // \Registry\Machine\System\CurrentControlSet\Control -#define RTL_REGISTRY_WINDOWS_NT 3 // \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion -#define RTL_REGISTRY_DEVICEMAP 4 // \Registry\Machine\Hardware\DeviceMap -#define RTL_REGISTRY_USER 5 // \Registry\User\CurrentUser -#define RTL_REGISTRY_MAXIMUM 6 -#define RTL_REGISTRY_HANDLE 0x40000000 -#define RTL_REGISTRY_OPTIONAL 0x80000000 - - NTSYSAPI - NTSTATUS - NTAPI - RtlCreateRegistryKey( - _In_ ULONG RelativeTo, - _In_ PCWSTR Path); - - NTSYSAPI - NTSTATUS - NTAPI - RtlCheckRegistryKey( - _In_ ULONG RelativeTo, - _In_ PCWSTR Path); - - _Function_class_(RTL_QUERY_REGISTRY_ROUTINE) typedef NTSTATUS(NTAPI RTL_QUERY_REGISTRY_ROUTINE)( - _In_ PCWSTR ValueName, - _In_ ULONG ValueType, - _In_ PVOID ValueData, - _In_ ULONG ValueLength, - _In_opt_ PVOID Context, - _In_opt_ PVOID EntryContext); - typedef RTL_QUERY_REGISTRY_ROUTINE *PRTL_QUERY_REGISTRY_ROUTINE; - - typedef struct _RTL_QUERY_REGISTRY_TABLE - { - PRTL_QUERY_REGISTRY_ROUTINE QueryRoutine; - ULONG Flags; - PWSTR Name; - PVOID EntryContext; - ULONG DefaultType; - PVOID DefaultData; - ULONG DefaultLength; - } RTL_QUERY_REGISTRY_TABLE, *PRTL_QUERY_REGISTRY_TABLE; - -#define RTL_QUERY_REGISTRY_SUBKEY 0x00000001 -#define 
RTL_QUERY_REGISTRY_TOPKEY 0x00000002 -#define RTL_QUERY_REGISTRY_REQUIRED 0x00000004 -#define RTL_QUERY_REGISTRY_NOVALUE 0x00000008 -#define RTL_QUERY_REGISTRY_NOEXPAND 0x00000010 -#define RTL_QUERY_REGISTRY_DIRECT 0x00000020 -#define RTL_QUERY_REGISTRY_DELETE 0x00000040 - - NTSYSAPI - NTSTATUS - NTAPI - RtlQueryRegistryValues( - _In_ ULONG RelativeTo, - _In_ PCWSTR Path, - _Inout_ _At_(*(*QueryTable).EntryContext, _Pre_unknown_) PRTL_QUERY_REGISTRY_TABLE QueryTable, - _In_opt_ PVOID Context, - _In_opt_ PVOID Environment); - -#if (PHNT_VERSION >= PHNT_WIN8) - NTSYSAPI - NTSTATUS - NTAPI - RtlQueryRegistryValuesEx( - _In_ ULONG RelativeTo, - _In_ PCWSTR Path, - _Inout_ _At_(*(*QueryTable).EntryContext, _Pre_unknown_) PRTL_QUERY_REGISTRY_TABLE QueryTable, - _In_opt_ PVOID Context, - _In_opt_ PVOID Environment); -#endif - -#if (PHNT_VERSION >= PHNT_REDSTONE4) - NTSYSAPI - NTSTATUS - NTAPI - RtlQueryRegistryValueWithFallback( - _In_opt_ HANDLE PrimaryHandle, - _In_opt_ HANDLE FallbackHandle, - _In_ PUNICODE_STRING ValueName, - _In_ ULONG ValueLength, - _Out_opt_ PULONG ValueType, - _Out_writes_bytes_to_(ValueLength, *ResultLength) PVOID ValueData, - _Out_range_(<=, ValueLength) PULONG ResultLength); -#endif - - NTSYSAPI - NTSTATUS - NTAPI - RtlWriteRegistryValue( - _In_ ULONG RelativeTo, - _In_ PCWSTR Path, - _In_ PCWSTR ValueName, - _In_ ULONG ValueType, - _In_ PVOID ValueData, - _In_ ULONG ValueLength); - - NTSYSAPI - NTSTATUS - NTAPI - RtlDeleteRegistryValue( - _In_ ULONG RelativeTo, - _In_ PCWSTR Path, - _In_ PCWSTR ValueName); - - // - // Thread profiling - // - -#if (PHNT_VERSION >= PHNT_WIN7) - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlEnableThreadProfiling( - _In_ HANDLE ThreadHandle, - _In_ ULONG Flags, - _In_ ULONG64 HardwareCounters, - _Out_ PVOID *PerformanceDataHandle); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlDisableThreadProfiling( - _In_ PVOID PerformanceDataHandle); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlQueryThreadProfiling( - _In_ 
HANDLE ThreadHandle, - _Out_ PBOOLEAN Enabled); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlReadThreadProfilingData( - _In_ HANDLE PerformanceDataHandle, - _In_ ULONG Flags, - _Out_ PPERFORMANCE_DATA PerformanceData); - -#endif - - // - // WOW64 - // - - NTSYSAPI - NTSTATUS - NTAPI - RtlGetNativeSystemInformation( - _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, - _In_ PVOID NativeSystemInformation, - _In_ ULONG InformationLength, - _Out_opt_ PULONG ReturnLength); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - NtWow64GetNativeSystemInformation( - _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, - _In_ PVOID NativeSystemInformation, - _In_ ULONG InformationLength, - _Out_opt_ PULONG ReturnLength); - - NTSYSAPI - NTSTATUS - NTAPI - RtlQueueApcWow64Thread( - _In_ HANDLE ThreadHandle, - _In_ PPS_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcArgument1, - _In_opt_ PVOID ApcArgument2, - _In_opt_ PVOID ApcArgument3); - - NTSYSAPI - NTSTATUS - NTAPI - RtlWow64EnableFsRedirection( - _In_ BOOLEAN Wow64FsEnableRedirection); - - NTSYSAPI - NTSTATUS - NTAPI - RtlWow64EnableFsRedirectionEx( - _In_ PVOID Wow64FsEnableRedirection, - _Out_ PVOID *OldFsRedirectionLevel); - - // - // Misc. 
- // - - NTSYSAPI - ULONG32 - NTAPI - RtlComputeCrc32( - _In_ ULONG32 PartialCrc, - _In_ PVOID Buffer, - _In_ ULONG Length); - - NTSYSAPI - PVOID - NTAPI - RtlEncodePointer( - _In_ PVOID Ptr); - - NTSYSAPI - PVOID - NTAPI - RtlDecodePointer( - _In_ PVOID Ptr); - - NTSYSAPI - PVOID - NTAPI - RtlEncodeSystemPointer( - _In_ PVOID Ptr); - - NTSYSAPI - PVOID - NTAPI - RtlDecodeSystemPointer( - _In_ PVOID Ptr); - -#if (PHNT_VERSION >= PHNT_THRESHOLD) - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlEncodeRemotePointer( - _In_ HANDLE ProcessHandle, - _In_ PVOID Pointer, - _Out_ PVOID *EncodedPointer); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlDecodeRemotePointer( - _In_ HANDLE ProcessHandle, - _In_ PVOID Pointer, - _Out_ PVOID *DecodedPointer); -#endif - -#if (PHNT_VERSION >= PHNT_THRESHOLD) - - // rev - NTSYSAPI - BOOLEAN - NTAPI - RtlIsProcessorFeaturePresent( - _In_ ULONG ProcessorFeature); - -#endif - - // rev - NTSYSAPI - ULONG - NTAPI - RtlGetCurrentProcessorNumber( - VOID); - -#if (PHNT_VERSION >= PHNT_WIN7) - - // rev - NTSYSAPI - VOID - NTAPI - RtlGetCurrentProcessorNumberEx( - _Out_ PPROCESSOR_NUMBER ProcessorNumber); - -#endif - - // - // Stack support - // - - NTSYSAPI - VOID - NTAPI - RtlPushFrame( - _In_ PTEB_ACTIVE_FRAME Frame); - - NTSYSAPI - VOID - NTAPI - RtlPopFrame( - _In_ PTEB_ACTIVE_FRAME Frame); - - NTSYSAPI - PTEB_ACTIVE_FRAME - NTAPI - RtlGetFrame( - VOID); - -#define RTL_WALK_USER_MODE_STACK 0x00000001 -#define RTL_WALK_VALID_FLAGS 0x00000001 -#define RTL_STACK_WALKING_MODE_FRAMES_TO_SKIP_SHIFT 0x00000008 - - // private - NTSYSAPI - ULONG - NTAPI - RtlWalkFrameChain( - _Out_writes_(Count - (Flags >> RTL_STACK_WALKING_MODE_FRAMES_TO_SKIP_SHIFT)) PVOID *Callers, - _In_ ULONG Count, - _In_ ULONG Flags); - - // rev - NTSYSAPI - VOID - NTAPI - RtlGetCallersAddress( // Use the intrinsic _ReturnAddress instead. 
- _Out_ PVOID *CallersAddress, - _Out_ PVOID *CallersCaller); - -#if (PHNT_VERSION >= PHNT_WIN7) - - NTSYSAPI - ULONG64 - NTAPI - RtlGetEnabledExtendedFeatures( - _In_ ULONG64 FeatureMask); - -#endif - -#if (PHNT_VERSION >= PHNT_REDSTONE4) - - // msdn - NTSYSAPI - ULONG64 - NTAPI - RtlGetEnabledExtendedAndSupervisorFeatures( - _In_ ULONG64 FeatureMask); - - // msdn - _Ret_maybenull_ - _Success_(return != NULL) - NTSYSAPI - PVOID - NTAPI - RtlLocateSupervisorFeature( - _In_ PXSAVE_AREA_HEADER XStateHeader, - _In_range_(XSTATE_AVX, MAXIMUM_XSTATE_FEATURES - 1) ULONG FeatureId, - _Out_opt_ PULONG Length); - -#endif - -#define ELEVATION_FLAG_TOKEN_CHECKS 0x00000001 -#define ELEVATION_FLAG_VIRTUALIZATION 0x00000002 -#define ELEVATION_FLAG_SHORTCUT_REDIR 0x00000004 -#define ELEVATION_FLAG_NO_SIGNATURE_CHECK 0x00000008 - - // private - typedef union _RTL_ELEVATION_FLAGS - { - ULONG Flags; - struct - { - ULONG ElevationEnabled : 1; - ULONG VirtualizationEnabled : 1; - ULONG InstallerDetectEnabled : 1; - ULONG AdminApprovalModeType : 2; - ULONG ReservedBits : 27; - }; - } RTL_ELEVATION_FLAGS, *PRTL_ELEVATION_FLAGS; - -#if (PHNT_VERSION >= PHNT_VISTA) - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlQueryElevationFlags( - _Out_ PRTL_ELEVATION_FLAGS Flags); - -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlRegisterThreadWithCsrss( - VOID); - -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlLockCurrentThread( - VOID); - -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlUnlockCurrentThread( - VOID); - -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlLockModuleSection( - _In_ PVOID Address); - -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlUnlockModuleSection( - _In_ PVOID Address); - -#endif - - // begin_msdn:"Winternl" - -#define 
RTL_UNLOAD_EVENT_TRACE_NUMBER 64 - - // private - typedef struct _RTL_UNLOAD_EVENT_TRACE - { - PVOID BaseAddress; - SIZE_T SizeOfImage; - ULONG Sequence; - ULONG TimeDateStamp; - ULONG CheckSum; - WCHAR ImageName[32]; - ULONG Version[2]; - } RTL_UNLOAD_EVENT_TRACE, *PRTL_UNLOAD_EVENT_TRACE; - - typedef struct _RTL_UNLOAD_EVENT_TRACE32 - { - ULONG BaseAddress; - ULONG SizeOfImage; - ULONG Sequence; - ULONG TimeDateStamp; - ULONG CheckSum; - WCHAR ImageName[32]; - ULONG Version[2]; - } RTL_UNLOAD_EVENT_TRACE32, *PRTL_UNLOAD_EVENT_TRACE32; - - NTSYSAPI - PRTL_UNLOAD_EVENT_TRACE - NTAPI - RtlGetUnloadEventTrace( - VOID); - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSAPI - PRTL_UNLOAD_EVENT_TRACE - NTAPI - RtlGetUnloadEventTraceEx( - _Out_ PULONG *ElementSize, - _Out_ PULONG *ElementCount, - _Out_ PVOID *EventTrace // works across all processes - ); -#endif - - NTSYSAPI - _Success_(return != 0) - USHORT - NTAPI - RtlCaptureStackBackTrace( - _In_ ULONG FramesToSkip, - _In_ ULONG FramesToCapture, - _Out_writes_to_(FramesToCapture, return) PVOID *BackTrace, - _Out_opt_ PULONG BackTraceHash); - - NTSYSAPI - VOID - NTAPI - RtlCaptureContext( - _Out_ PCONTEXT ContextRecord); - -#if (PHNT_VERSION >= PHNT_WIN10_20H1) - NTSYSAPI - VOID - NTAPI - RtlCaptureContext2( - _Inout_ PCONTEXT ContextRecord); -#endif - -#if (PHNT_VERSION >= PHNT_WIN11) - NTSYSAPI - VOID __cdecl - RtlRestoreContext( - _In_ PCONTEXT ContextRecord, - _In_opt_ struct _EXCEPTION_RECORD *ExceptionRecord); -#endif - - NTSYSAPI - VOID - NTAPI - RtlUnwind( - _In_opt_ PVOID TargetFrame, - _In_opt_ PVOID TargetIp, - _In_opt_ PEXCEPTION_RECORD ExceptionRecord, - _In_ PVOID ReturnValue); - -#if defined(_M_AMD64) && defined(_M_ARM64EC) - NTSYSAPI - BOOLEAN - __cdecl - RtlAddFunctionTable( - _In_reads_(EntryCount) PRUNTIME_FUNCTION FunctionTable, - _In_ DWORD EntryCount, - _In_ DWORD64 BaseAddress); - - NTSYSAPI - BOOLEAN - __cdecl - RtlDeleteFunctionTable( - _In_ PRUNTIME_FUNCTION FunctionTable); - - NTSYSAPI - BOOLEAN - 
__cdecl - RtlInstallFunctionTableCallback( - _In_ DWORD64 TableIdentifier, - _In_ DWORD64 BaseAddress, - _In_ DWORD Length, - _In_ PGET_RUNTIME_FUNCTION_CALLBACK Callback, - _In_opt_ PVOID Context, - _In_opt_ PCWSTR OutOfProcessCallbackDll); - -#if (PHNT_VERSION >= PHNT_WIN8) - NTSYSAPI - DWORD - NTAPI - RtlAddGrowableFunctionTable( - _Out_ PVOID *DynamicTable, - _In_reads_(MaximumEntryCount) PRUNTIME_FUNCTION FunctionTable, - _In_ DWORD EntryCount, - _In_ DWORD MaximumEntryCount, - _In_ ULONG_PTR RangeBase, - _In_ ULONG_PTR RangeEnd); - - NTSYSAPI - VOID - NTAPI - RtlGrowFunctionTable( - _Inout_ PVOID DynamicTable, - _In_ DWORD NewEntryCount); - - NTSYSAPI - VOID - NTAPI - RtlDeleteGrowableFunctionTable( - _In_ PVOID DynamicTable); -#endif -#endif - -#if defined(_M_ARM64EC) - NTSYSAPI - BOOLEAN - NTAPI - RtlIsEcCode( - _In_ ULONG64 CodePointer); -#endif - - NTSYSAPI - PVOID - NTAPI - RtlPcToFileHeader( - _In_ PVOID PcValue, - _Out_ PVOID *BaseOfImage); - - // end_msdn - -#if (PHNT_VERSION >= PHNT_WIN7) - // rev - NTSYSAPI - LOGICAL - NTAPI - RtlQueryPerformanceCounter( - _Out_ PLARGE_INTEGER PerformanceCounter); - - // rev - NTSYSAPI - LOGICAL - NTAPI - RtlQueryPerformanceFrequency( - _Out_ PLARGE_INTEGER PerformanceFrequency); -#endif - - // Image Mitigation - - // rev - typedef enum _IMAGE_MITIGATION_POLICY - { - ImageDepPolicy, // RTL_IMAGE_MITIGATION_DEP_POLICY - ImageAslrPolicy, // RTL_IMAGE_MITIGATION_ASLR_POLICY - ImageDynamicCodePolicy, // RTL_IMAGE_MITIGATION_DYNAMIC_CODE_POLICY - ImageStrictHandleCheckPolicy, // RTL_IMAGE_MITIGATION_STRICT_HANDLE_CHECK_POLICY - ImageSystemCallDisablePolicy, // RTL_IMAGE_MITIGATION_SYSTEM_CALL_DISABLE_POLICY - ImageMitigationOptionsMask, - ImageExtensionPointDisablePolicy, // RTL_IMAGE_MITIGATION_EXTENSION_POINT_DISABLE_POLICY - ImageControlFlowGuardPolicy, // RTL_IMAGE_MITIGATION_CONTROL_FLOW_GUARD_POLICY - ImageSignaturePolicy, // RTL_IMAGE_MITIGATION_BINARY_SIGNATURE_POLICY - ImageFontDisablePolicy, // 
RTL_IMAGE_MITIGATION_FONT_DISABLE_POLICY - ImageImageLoadPolicy, // RTL_IMAGE_MITIGATION_IMAGE_LOAD_POLICY - ImagePayloadRestrictionPolicy, // RTL_IMAGE_MITIGATION_PAYLOAD_RESTRICTION_POLICY - ImageChildProcessPolicy, // RTL_IMAGE_MITIGATION_CHILD_PROCESS_POLICY - ImageSehopPolicy, // RTL_IMAGE_MITIGATION_SEHOP_POLICY - ImageHeapPolicy, // RTL_IMAGE_MITIGATION_HEAP_POLICY - ImageUserShadowStackPolicy, // RTL_IMAGE_MITIGATION_USER_SHADOW_STACK_POLICY - ImageRedirectionTrustPolicy, // RTL_IMAGE_MITIGATION_REDIRECTION_TRUST_POLICY - ImageUserPointerAuthPolicy, // RTL_IMAGE_MITIGATION_USER_POINTER_AUTH_POLICY - MaxImageMitigationPolicy - } IMAGE_MITIGATION_POLICY; - - // rev - typedef union _RTL_IMAGE_MITIGATION_POLICY - { - struct - { - ULONG64 AuditState : 2; - ULONG64 AuditFlag : 1; - ULONG64 EnableAdditionalAuditingOption : 1; - ULONG64 Reserved : 60; - }; - struct - { - ULONG64 PolicyState : 2; - ULONG64 AlwaysInherit : 1; - ULONG64 EnableAdditionalPolicyOption : 1; - ULONG64 AuditReserved : 60; - }; - } RTL_IMAGE_MITIGATION_POLICY, *PRTL_IMAGE_MITIGATION_POLICY; - - // rev - typedef struct _RTL_IMAGE_MITIGATION_DEP_POLICY - { - RTL_IMAGE_MITIGATION_POLICY Dep; - } RTL_IMAGE_MITIGATION_DEP_POLICY, *PRTL_IMAGE_MITIGATION_DEP_POLICY; - - // rev - typedef struct _RTL_IMAGE_MITIGATION_ASLR_POLICY - { - RTL_IMAGE_MITIGATION_POLICY ForceRelocateImages; - RTL_IMAGE_MITIGATION_POLICY BottomUpRandomization; - RTL_IMAGE_MITIGATION_POLICY HighEntropyRandomization; - } RTL_IMAGE_MITIGATION_ASLR_POLICY, *PRTL_IMAGE_MITIGATION_ASLR_POLICY; - - // rev - typedef struct _RTL_IMAGE_MITIGATION_DYNAMIC_CODE_POLICY - { - RTL_IMAGE_MITIGATION_POLICY BlockDynamicCode; - } RTL_IMAGE_MITIGATION_DYNAMIC_CODE_POLICY, *PRTL_IMAGE_MITIGATION_DYNAMIC_CODE_POLICY; - - // rev - typedef struct _RTL_IMAGE_MITIGATION_STRICT_HANDLE_CHECK_POLICY - { - RTL_IMAGE_MITIGATION_POLICY StrictHandleChecks; - } RTL_IMAGE_MITIGATION_STRICT_HANDLE_CHECK_POLICY, *PRTL_IMAGE_MITIGATION_STRICT_HANDLE_CHECK_POLICY; 
- - // rev - typedef struct _RTL_IMAGE_MITIGATION_SYSTEM_CALL_DISABLE_POLICY - { - RTL_IMAGE_MITIGATION_POLICY BlockWin32kSystemCalls; - } RTL_IMAGE_MITIGATION_SYSTEM_CALL_DISABLE_POLICY, *PRTL_IMAGE_MITIGATION_SYSTEM_CALL_DISABLE_POLICY; - - // rev - typedef struct _RTL_IMAGE_MITIGATION_EXTENSION_POINT_DISABLE_POLICY - { - RTL_IMAGE_MITIGATION_POLICY DisableExtensionPoints; - } RTL_IMAGE_MITIGATION_EXTENSION_POINT_DISABLE_POLICY, *PRTL_IMAGE_MITIGATION_EXTENSION_POINT_DISABLE_POLICY; - - // rev - typedef struct _RTL_IMAGE_MITIGATION_CONTROL_FLOW_GUARD_POLICY - { - RTL_IMAGE_MITIGATION_POLICY ControlFlowGuard; - RTL_IMAGE_MITIGATION_POLICY StrictControlFlowGuard; - } RTL_IMAGE_MITIGATION_CONTROL_FLOW_GUARD_POLICY, *PRTL_IMAGE_MITIGATION_CONTROL_FLOW_GUARD_POLICY; - - // rev - typedef struct _RTL_IMAGE_MITIGATION_BINARY_SIGNATURE_POLICY - { - RTL_IMAGE_MITIGATION_POLICY BlockNonMicrosoftSignedBinaries; - RTL_IMAGE_MITIGATION_POLICY EnforceSigningOnModuleDependencies; - } RTL_IMAGE_MITIGATION_BINARY_SIGNATURE_POLICY, *PRTL_IMAGE_MITIGATION_BINARY_SIGNATURE_POLICY; - - // rev - typedef struct _RTL_IMAGE_MITIGATION_FONT_DISABLE_POLICY - { - RTL_IMAGE_MITIGATION_POLICY DisableNonSystemFonts; - } RTL_IMAGE_MITIGATION_FONT_DISABLE_POLICY, *PRTL_IMAGE_MITIGATION_FONT_DISABLE_POLICY; - - // rev - typedef struct _RTL_IMAGE_MITIGATION_IMAGE_LOAD_POLICY - { - RTL_IMAGE_MITIGATION_POLICY BlockRemoteImageLoads; - RTL_IMAGE_MITIGATION_POLICY BlockLowLabelImageLoads; - RTL_IMAGE_MITIGATION_POLICY PreferSystem32; - } RTL_IMAGE_MITIGATION_IMAGE_LOAD_POLICY, *PRTL_IMAGE_MITIGATION_IMAGE_LOAD_POLICY; - - // rev - typedef struct _RTL_IMAGE_MITIGATION_PAYLOAD_RESTRICTION_POLICY - { - RTL_IMAGE_MITIGATION_POLICY EnableExportAddressFilter; - RTL_IMAGE_MITIGATION_POLICY EnableExportAddressFilterPlus; - RTL_IMAGE_MITIGATION_POLICY EnableImportAddressFilter; - RTL_IMAGE_MITIGATION_POLICY EnableRopStackPivot; - RTL_IMAGE_MITIGATION_POLICY EnableRopCallerCheck; - RTL_IMAGE_MITIGATION_POLICY 
EnableRopSimExec; - WCHAR EafPlusModuleList[512]; // 19H1 - } RTL_IMAGE_MITIGATION_PAYLOAD_RESTRICTION_POLICY, *PRTL_IMAGE_MITIGATION_PAYLOAD_RESTRICTION_POLICY; - - // rev - typedef struct _RTL_IMAGE_MITIGATION_CHILD_PROCESS_POLICY - { - RTL_IMAGE_MITIGATION_POLICY DisallowChildProcessCreation; - } RTL_IMAGE_MITIGATION_CHILD_PROCESS_POLICY, *PRTL_IMAGE_MITIGATION_CHILD_PROCESS_POLICY; - - // rev - typedef struct _RTL_IMAGE_MITIGATION_SEHOP_POLICY - { - RTL_IMAGE_MITIGATION_POLICY Sehop; - } RTL_IMAGE_MITIGATION_SEHOP_POLICY, *PRTL_IMAGE_MITIGATION_SEHOP_POLICY; - - // rev - typedef struct _RTL_IMAGE_MITIGATION_HEAP_POLICY - { - RTL_IMAGE_MITIGATION_POLICY TerminateOnHeapErrors; - } RTL_IMAGE_MITIGATION_HEAP_POLICY, *PRTL_IMAGE_MITIGATION_HEAP_POLICY; - - // rev - typedef struct _RTL_IMAGE_MITIGATION_USER_SHADOW_STACK_POLICY - { - RTL_IMAGE_MITIGATION_POLICY UserShadowStack; - RTL_IMAGE_MITIGATION_POLICY SetContextIpValidation; - RTL_IMAGE_MITIGATION_POLICY BlockNonCetBinaries; - } RTL_IMAGE_MITIGATION_USER_SHADOW_STACK_POLICY, *PRTL_IMAGE_MITIGATION_USER_SHADOW_STACK_POLICY; - - // rev - typedef struct _RTL_IMAGE_MITIGATION_REDIRECTION_TRUST_POLICY - { - RTL_IMAGE_MITIGATION_POLICY BlockUntrustedRedirections; - } RTL_IMAGE_MITIGATION_REDIRECTION_TRUST_POLICY, *PRTL_IMAGE_MITIGATION_REDIRECTION_TRUST_POLICY; - - // rev - typedef struct _RTL_IMAGE_MITIGATION_USER_POINTER_AUTH_POLICY - { - RTL_IMAGE_MITIGATION_POLICY PointerAuthUserIp; - } RTL_IMAGE_MITIGATION_USER_POINTER_AUTH_POLICY, *PRTL_IMAGE_MITIGATION_USER_POINTER_AUTH_POLICY; - - // rev - typedef enum _RTL_IMAGE_MITIGATION_OPTION_STATE - { - RtlMitigationOptionStateNotConfigured, - RtlMitigationOptionStateOn, - RtlMitigationOptionStateOff, - RtlMitigationOptionStateForce, - RtlMitigationOptionStateOption - } RTL_IMAGE_MITIGATION_OPTION_STATE; - -#define RTL_IMAGE_MITIGATION_OPTION_STATEMASK 3UL -#define RTL_IMAGE_MITIGATION_OPTION_FORCEMASK 4UL -#define RTL_IMAGE_MITIGATION_OPTION_OPTIONMASK 8UL - -// rev 
from PROCESS_MITIGATION_FLAGS -#define RTL_IMAGE_MITIGATION_FLAG_RESET 0x1 -#define RTL_IMAGE_MITIGATION_FLAG_REMOVE 0x2 -#define RTL_IMAGE_MITIGATION_FLAG_OSDEFAULT 0x4 -#define RTL_IMAGE_MITIGATION_FLAG_AUDIT 0x8 - -#if (PHNT_VERSION >= PHNT_REDSTONE3) - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlQueryImageMitigationPolicy( - _In_opt_ PCWSTR ImagePath, // NULL for system-wide defaults - _In_ IMAGE_MITIGATION_POLICY Policy, - _In_ ULONG Flags, - _Inout_ PVOID Buffer, - _In_ ULONG BufferSize); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlSetImageMitigationPolicy( - _In_opt_ PCWSTR ImagePath, // NULL for system-wide defaults - _In_ IMAGE_MITIGATION_POLICY Policy, - _In_ ULONG Flags, - _Inout_ PVOID Buffer, - _In_ ULONG BufferSize); - -#endif - - // - // session - // - -#ifdef PHNT_INLINE_TYPEDEFS - // rev - FORCEINLINE - ULONG - NTAPI - RtlGetCurrentServiceSessionId( - VOID) - { - if (NtCurrentPeb()->SharedData && NtCurrentPeb()->SharedData->ServiceSessionId) - return NtCurrentPeb()->SharedData->ServiceSessionId; - else - return 0; - } -#else - // rev - NTSYSAPI - ULONG - NTAPI - RtlGetCurrentServiceSessionId( - VOID); -#endif - -#ifdef PHNT_INLINE_TYPEDEFS - // rev - FORCEINLINE - ULONG - NTAPI - RtlGetActiveConsoleId( - VOID) - { - if (NtCurrentPeb()->SharedData && NtCurrentPeb()->SharedData->ServiceSessionId) - return NtCurrentPeb()->SharedData->ActiveConsoleId; - else - return USER_SHARED_DATA->ActiveConsoleId; - } -#else - // private - NTSYSAPI - ULONG - NTAPI - RtlGetActiveConsoleId( - VOID); -#endif - -#ifdef PHNT_INLINE_TYPEDEFS -#if (PHNT_VERSION >= PHNT_REDSTONE) - // private - FORCEINLINE - LONGLONG - NTAPI - RtlGetConsoleSessionForegroundProcessId( - VOID) - { - if (NtCurrentPeb()->SharedData && NtCurrentPeb()->SharedData->ServiceSessionId) - return NtCurrentPeb()->SharedData->ConsoleSessionForegroundProcessId; - else - return USER_SHARED_DATA->ConsoleSessionForegroundProcessId; - } -#endif -#else -#if (PHNT_VERSION >= PHNT_REDSTONE) - // private - 
NTSYSAPI - LONGLONG - NTAPI - RtlGetConsoleSessionForegroundProcessId( - VOID); -#endif -#endif - - // - // Appcontainer - // - -#if (PHNT_VERSION >= PHNT_REDSTONE2) - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlGetTokenNamedObjectPath( - _In_ HANDLE TokenHandle, - _In_opt_ PSID Sid, - _Out_ PUNICODE_STRING ObjectPath // RtlFreeUnicodeString - ); -#endif - -#if (PHNT_VERSION >= PHNT_WIN8) - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlGetAppContainerNamedObjectPath( - _In_opt_ HANDLE TokenHandle, - _In_opt_ PSID AppContainerSid, - _In_ BOOLEAN RelativePath, - _Out_ PUNICODE_STRING ObjectPath // RtlFreeUnicodeString - ); -#endif - -#if (PHNT_VERSION >= PHNT_WINBLUE) - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlGetAppContainerParent( - _In_ PSID AppContainerSid, - _Out_ PSID *AppContainerSidParent // RtlFreeSid - ); -#endif - -#if (PHNT_VERSION >= PHNT_THRESHOLD) - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlCheckSandboxedToken( - _In_opt_ HANDLE TokenHandle, - _Out_ PBOOLEAN IsSandboxed); -#endif - -#if (PHNT_VERSION >= PHNT_WIN8) - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlCheckTokenCapability( - _In_opt_ HANDLE TokenHandle, - _In_ PSID CapabilitySidToCheck, - _Out_ PBOOLEAN HasCapability); -#endif - -#if (PHNT_VERSION >= PHNT_THRESHOLD) - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlCapabilityCheck( - _In_opt_ HANDLE TokenHandle, - _In_ PUNICODE_STRING CapabilityName, - _Out_ PBOOLEAN HasCapability); -#endif - -#if (PHNT_VERSION >= PHNT_WIN8) - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlCheckTokenMembership( - _In_opt_ HANDLE TokenHandle, - _In_ PSID SidToCheck, - _Out_ PBOOLEAN IsMember); - -// RtlCheckTokenMembershipEx Flags -#define CTMF_INCLUDE_APPCONTAINER 0x00000001UL -#define CTMF_INCLUDE_LPAC 0x00000002UL -#define CTMF_VALID_FLAGS (CTMF_INCLUDE_APPCONTAINER | CTMF_INCLUDE_LPAC) - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlCheckTokenMembershipEx( - _In_opt_ HANDLE TokenHandle, - _In_ PSID SidToCheck, - _In_ ULONG Flags, // CTMF_VALID_FLAGS - _Out_ PBOOLEAN IsMember); 
-#endif - -#if (PHNT_VERSION >= PHNT_REDSTONE4) - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlQueryTokenHostIdAsUlong64( - _In_ HANDLE TokenHandle, - _Out_ PULONG64 HostId // (WIN://PKGHOSTID) - ); -#endif - -#if (PHNT_VERSION >= PHNT_WINBLUE) - // rev - NTSYSAPI - BOOLEAN - NTAPI - RtlIsParentOfChildAppContainer( - _In_ PSID ParentAppContainerSid, - _In_ PSID ChildAppContainerSid); -#endif - -#if (PHNT_VERSION >= PHNT_WIN11) - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlIsApiSetImplemented( - _In_z_ PCSTR ApiSetName); -#endif - -#if (PHNT_VERSION >= PHNT_WIN8) - // rev - NTSYSAPI - BOOLEAN - NTAPI - RtlIsCapabilitySid( - _In_ PSID Sid); - - // rev - NTSYSAPI - BOOLEAN - NTAPI - RtlIsPackageSid( - _In_ PSID Sid); -#endif - -#if (PHNT_VERSION >= PHNT_WINBLUE) - // rev - NTSYSAPI - BOOLEAN - NTAPI - RtlIsValidProcessTrustLabelSid( - _In_ PSID Sid); -#endif - - typedef enum _APPCONTAINER_SID_TYPE - { - NotAppContainerSidType, - ChildAppContainerSidType, - ParentAppContainerSidType, - InvalidAppContainerSidType, - MaxAppContainerSidType - } APPCONTAINER_SID_TYPE, - *PAPPCONTAINER_SID_TYPE; - -#if (PHNT_VERSION >= PHNT_WINBLUE) - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlGetAppContainerSidType( - _In_ PSID AppContainerSid, - _Out_ PAPPCONTAINER_SID_TYPE AppContainerSidType); -#endif - - NTSYSAPI - NTSTATUS - NTAPI - RtlFlsAlloc( - _In_ PFLS_CALLBACK_FUNCTION Callback, - _Out_ PULONG FlsIndex); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlFlsAllocEx( - _In_ PFLS_CALLBACK_FUNCTION Callback, - _Out_ PULONG, - _Out_ PULONG FlsIndex); - - NTSYSAPI - NTSTATUS - NTAPI - RtlFlsFree( - _In_ ULONG FlsIndex); - -#if (PHNT_VERSION >= PHNT_20H1) - NTSYSAPI - NTSTATUS - NTAPI - RtlFlsGetValue( - _In_ ULONG FlsIndex, - _Out_ PVOID *FlsData); - - NTSYSAPI - PVOID - WINAPI - RtlFlsGetValue2( - _In_ ULONG FlsIndex); - - NTSYSAPI - NTSTATUS - NTAPI - RtlFlsSetValue( - _In_ ULONG FlsIndex, - _In_ PVOID FlsData); - - NTSYSAPI - NTSTATUS - NTAPI - RtlProcessFlsData( - _In_ HANDLE ProcessHandle, 
- _Out_ PVOID *FlsData); -#endif - -#if (PHNT_VERSION >= PHNT_WIN11) - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlTlsAlloc( - _Out_ PULONG TlsIndex); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlTlsFree( - _In_ ULONG TlsIndex); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlTlsSetValue( - _In_ ULONG TlsIndex, - _In_ PVOID TlsData); -#endif - - // - // State isolation - // - - typedef enum _STATE_LOCATION_TYPE - { - LocationTypeRegistry, - LocationTypeFileSystem, - LocationTypeMaximum - } STATE_LOCATION_TYPE; - -#if (PHNT_VERSION >= PHNT_REDSTONE3) - // private - NTSYSAPI - BOOLEAN - NTAPI - RtlIsStateSeparationEnabled( - VOID); - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlGetPersistedStateLocation( - _In_ PCWSTR SourceID, - _In_opt_ PCWSTR CustomValue, - _In_opt_ PCWSTR DefaultPath, - _In_ STATE_LOCATION_TYPE StateLocationType, - _Out_writes_bytes_to_opt_(BufferLengthIn, *BufferLengthOut) PWCHAR TargetPath, - _In_ ULONG BufferLengthIn, - _Out_opt_ PULONG BufferLengthOut); -#endif - - // Cloud Filters - -#if (PHNT_VERSION >= PHNT_REDSTONE3) - // msdn - NTSYSAPI - BOOLEAN - NTAPI - RtlIsCloudFilesPlaceholder( - _In_ ULONG FileAttributes, - _In_ ULONG ReparseTag); - - // msdn - NTSYSAPI - BOOLEAN - NTAPI - RtlIsPartialPlaceholder( - _In_ ULONG FileAttributes, - _In_ ULONG ReparseTag); - - // msdn - NTSYSAPI - NTSTATUS - NTAPI - RtlIsPartialPlaceholderFileHandle( - _In_ HANDLE FileHandle, - _Out_ PBOOLEAN IsPartialPlaceholder); - - // msdn - NTSYSAPI - NTSTATUS - NTAPI - RtlIsPartialPlaceholderFileInfo( - _In_ PVOID InfoBuffer, - _In_ FILE_INFORMATION_CLASS InfoClass, - _Out_ PBOOLEAN IsPartialPlaceholder); - -#undef PHCM_MAX -#define PHCM_APPLICATION_DEFAULT ((CHAR)0) -#define PHCM_DISGUISE_PLACEHOLDERS ((CHAR)1) -#define PHCM_EXPOSE_PLACEHOLDERS ((CHAR)2) -#define PHCM_MAX ((CHAR)2) - -#define PHCM_ERROR_INVALID_PARAMETER ((CHAR) - 1) -#define PHCM_ERROR_NO_TEB ((CHAR) - 2) - - NTSYSAPI - CHAR - NTAPI - RtlQueryThreadPlaceholderCompatibilityMode( - VOID); - - 
NTSYSAPI - CHAR - NTAPI - RtlSetThreadPlaceholderCompatibilityMode( - _In_ CHAR Mode); -#endif - -#undef PHCM_MAX -#define PHCM_DISGUISE_FULL_PLACEHOLDERS ((CHAR)3) -#define PHCM_MAX ((CHAR)3) -#define PHCM_ERROR_NO_PEB ((CHAR) - 3) - -#if (PHNT_VERSION >= PHNT_REDSTONE4) - - NTSYSAPI - CHAR - NTAPI - RtlQueryProcessPlaceholderCompatibilityMode( - VOID); - - NTSYSAPI - CHAR - NTAPI - RtlSetProcessPlaceholderCompatibilityMode( - _In_ CHAR Mode); - -#endif - -#if (PHNT_VERSION >= PHNT_REDSTONE2) - // rev - NTSYSAPI - BOOLEAN - NTAPI - RtlIsNonEmptyDirectoryReparsePointAllowed( - _In_ ULONG ReparseTag); -#endif - -#if (PHNT_VERSION >= PHNT_WIN8) - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlAppxIsFileOwnedByTrustedInstaller( - _In_ HANDLE FileHandle, - _Out_ PBOOLEAN IsFileOwnedByTrustedInstaller); -#endif - -// Windows Internals book -#define PSM_ACTIVATION_TOKEN_PACKAGED_APPLICATION 0x00000001UL // AppX package format -#define PSM_ACTIVATION_TOKEN_SHARED_ENTITY 0x00000002UL // Shared token, multiple binaries in the same package -#define PSM_ACTIVATION_TOKEN_FULL_TRUST 0x00000004UL // Trusted (Centennial), converted Win32 application -#define PSM_ACTIVATION_TOKEN_NATIVE_SERVICE 0x00000008UL // Packaged service created by SCM -// #define PSM_ACTIVATION_TOKEN_DEVELOPMENT_APP 0x00000010UL -#define PSM_ACTIVATION_TOKEN_MULTIPLE_INSTANCES_ALLOWED 0x00000010UL -#define PSM_ACTIVATION_TOKEN_BREAKAWAY_INHIBITED 0x00000020UL // Cannot create non-packaged child processes -#define PSM_ACTIVATION_TOKEN_RUNTIME_BROKER 0x00000040UL // rev -#define PSM_ACTIVATION_TOKEN_UNIVERSAL_CONSOLE 0x00000200UL // rev -#define PSM_ACTIVATION_TOKEN_WIN32ALACARTE_PROCESS 0x00010000UL // rev - - // PackageOrigin appmodel.h - // #define PackageOrigin_Unknown 0 - // #define PackageOrigin_Unsigned 1 - // #define PackageOrigin_Inbox 2 - // #define PackageOrigin_Store 3 - // #define PackageOrigin_DeveloperUnsigned 4 - // #define PackageOrigin_DeveloperSigned 5 - // #define PackageOrigin_LineOfBusiness 6 
- -#define PSMP_MINIMUM_SYSAPP_CLAIM_VALUES 2 -#define PSMP_MAXIMUM_SYSAPP_CLAIM_VALUES 4 - - // private - typedef struct _PS_PKG_CLAIM - { - ULONG Flags; // PSM_ACTIVATION_TOKEN_* - ULONG Origin; // PackageOrigin - } PS_PKG_CLAIM, *PPS_PKG_CLAIM; - -#if (PHNT_VERSION >= PHNT_THRESHOLD) - NTSYSAPI - NTSTATUS - NTAPI - RtlQueryPackageClaims( - _In_ HANDLE TokenHandle, - _Out_writes_bytes_to_opt_(*PackageSize, *PackageSize) PWSTR PackageFullName, - _Inout_opt_ PSIZE_T PackageSize, - _Out_writes_bytes_to_opt_(*AppIdSize, *AppIdSize) PWSTR AppId, - _Inout_opt_ PSIZE_T AppIdSize, - _Out_opt_ PGUID DynamicId, - _Out_opt_ PPS_PKG_CLAIM PkgClaim, - _Out_opt_ PULONG64 AttributesPresent); -#endif - -#if (PHNT_VERSION >= PHNT_WIN8) - NTSYSAPI - NTSTATUS - NTAPI - RtlQueryPackageIdentity( - _In_ HANDLE TokenHandle, - _Out_writes_bytes_to_(*PackageSize, *PackageSize) PWSTR PackageFullName, - _Inout_ PSIZE_T PackageSize, - _Out_writes_bytes_to_opt_(*AppIdSize, *AppIdSize) PWSTR AppId, - _Inout_opt_ PSIZE_T AppIdSize, - _Out_opt_ PBOOLEAN Packaged); -#endif - -#if (PHNT_VERSION >= PHNT_WINBLUE) - NTSYSAPI - NTSTATUS - NTAPI - RtlQueryPackageIdentityEx( - _In_ HANDLE TokenHandle, - _Out_writes_bytes_to_(*PackageSize, *PackageSize) PWSTR PackageFullName, - _Inout_ PSIZE_T PackageSize, - _Out_writes_bytes_to_opt_(*AppIdSize, *AppIdSize) PWSTR AppId, - _Inout_opt_ PSIZE_T AppIdSize, - _Out_opt_ PGUID DynamicId, - _Out_opt_ PULONG64 Flags); -#endif - - // Protected policies - -#if (PHNT_VERSION >= PHNT_WINBLUE) - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlQueryProtectedPolicy( - _In_ PGUID PolicyGuid, - _Out_ PULONG_PTR PolicyValue); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlSetProtectedPolicy( - _In_ PGUID PolicyGuid, - _In_ ULONG_PTR PolicyValue, - _Out_ PULONG_PTR OldPolicyValue); -#endif - -#if (PHNT_VERSION >= PHNT_REDSTONE) - // rev - NTSYSAPI - BOOLEAN - NTAPI - RtlIsEnclaveFeaturePresent( - _In_ ULONG FeatureMask); -#endif - -#if (PHNT_VERSION >= PHNT_THRESHOLD) - // 
private - NTSYSAPI - BOOLEAN - NTAPI - RtlIsMultiSessionSku( - VOID); -#endif - -#if (PHNT_VERSION >= PHNT_REDSTONE) - // private - NTSYSAPI - BOOLEAN - NTAPI - RtlIsMultiUsersInSessionSku( - VOID); -#endif - -#if (PHNT_VERSION >= PHNT_WIN11) - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlGetSessionProperties( - _In_ ULONG SessionId, - _Out_ PULONG SharedUserSessionId); -#endif - - // private - typedef enum _RTL_BSD_ITEM_TYPE - { - RtlBsdItemVersionNumber, // q; s: ULONG - RtlBsdItemProductType, // q; s: NT_PRODUCT_TYPE (ULONG) - RtlBsdItemAabEnabled, // q: s: BOOLEAN // AutoAdvancedBoot - RtlBsdItemAabTimeout, // q: s: UCHAR // AdvancedBootMenuTimeout - RtlBsdItemBootGood, // q: s: BOOLEAN // LastBootSucceeded - RtlBsdItemBootShutdown, // q: s: BOOLEAN // LastBootShutdown - RtlBsdSleepInProgress, // q: s: BOOLEAN // SleepInProgress - RtlBsdPowerTransition, // q: s: RTL_BSD_DATA_POWER_TRANSITION - RtlBsdItemBootAttemptCount, // q: s: UCHAR // BootAttemptCount - RtlBsdItemBootCheckpoint, // q: s: UCHAR // LastBootCheckpoint - RtlBsdItemBootId, // q; s: ULONG (USER_SHARED_DATA->BootId) - RtlBsdItemShutdownBootId, // q; s: ULONG - RtlBsdItemReportedAbnormalShutdownBootId, // q; s: ULONG - RtlBsdItemErrorInfo, // RTL_BSD_DATA_ERROR_INFO - RtlBsdItemPowerButtonPressInfo, // RTL_BSD_POWER_BUTTON_PRESS_INFO - RtlBsdItemChecksum, // q: s: UCHAR - RtlBsdPowerTransitionExtension, - RtlBsdItemFeatureConfigurationState, // q; s: ULONG - RtlBsdItemRevocationListInfo, // 24H2 - RtlBsdItemMax - } RTL_BSD_ITEM_TYPE; - - // ros - typedef struct _RTL_BSD_DATA_POWER_TRANSITION - { - LARGE_INTEGER PowerButtonTimestamp; - struct - { - BOOLEAN SystemRunning : 1; - BOOLEAN ConnectedStandbyInProgress : 1; - BOOLEAN UserShutdownInProgress : 1; - BOOLEAN SystemShutdownInProgress : 1; - BOOLEAN SleepInProgress : 4; - } Flags; - UCHAR ConnectedStandbyScenarioInstanceId; - UCHAR ConnectedStandbyEntryReason; - UCHAR ConnectedStandbyExitReason; - USHORT SystemSleepTransitionCount; - LARGE_INTEGER 
LastReferenceTime; - ULONG LastReferenceTimeChecksum; - ULONG LastUpdateBootId; - } RTL_BSD_DATA_POWER_TRANSITION, *PRTL_BSD_DATA_POWER_TRANSITION; - - // ros - typedef struct _RTL_BSD_DATA_ERROR_INFO - { - ULONG BootId; - ULONG RepeatCount; - ULONG OtherErrorCount; - ULONG Code; - ULONG OtherErrorCount2; - } RTL_BSD_DATA_ERROR_INFO, *PRTL_BSD_DATA_ERROR_INFO; - - // ros - typedef struct _RTL_BSD_POWER_BUTTON_PRESS_INFO - { - LARGE_INTEGER LastPressTime; - ULONG CumulativePressCount; - USHORT LastPressBootId; - UCHAR LastPowerWatchdogStage; - struct - { - UCHAR WatchdogArmed : 1; - UCHAR ShutdownInProgress : 1; - } Flags; - LARGE_INTEGER LastReleaseTime; - ULONG CumulativeReleaseCount; - USHORT LastReleaseBootId; - USHORT ErrorCount; - UCHAR CurrentConnectedStandbyPhase; - ULONG TransitionLatestCheckpointId; - ULONG TransitionLatestCheckpointType; - ULONG TransitionLatestCheckpointSequenceNumber; - } RTL_BSD_POWER_BUTTON_PRESS_INFO, *PRTL_BSD_POWER_BUTTON_PRESS_INFO; - - // private - typedef struct _RTL_BSD_ITEM - { - RTL_BSD_ITEM_TYPE Type; - PVOID DataBuffer; - ULONG DataLength; - } RTL_BSD_ITEM, *PRTL_BSD_ITEM; - - // ros - NTSYSAPI - NTSTATUS - NTAPI - RtlCreateBootStatusDataFile( - VOID); - - // ros - NTSYSAPI - NTSTATUS - NTAPI - RtlLockBootStatusData( - _Out_ PHANDLE FileHandle); - - // ros - NTSYSAPI - NTSTATUS - NTAPI - RtlUnlockBootStatusData( - _In_ HANDLE FileHandle); - - // ros - NTSYSAPI - NTSTATUS - NTAPI - RtlGetSetBootStatusData( - _In_ HANDLE FileHandle, - _In_ BOOLEAN Read, - _In_ RTL_BSD_ITEM_TYPE DataClass, - _In_ PVOID Buffer, - _In_ ULONG BufferSize, - _Out_opt_ PULONG ReturnLength); - -#if (PHNT_VERSION >= PHNT_REDSTONE) - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlCheckBootStatusIntegrity( - _In_ HANDLE FileHandle, - _Out_ PBOOLEAN Verified); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlRestoreBootStatusDefaults( - _In_ HANDLE FileHandle); -#endif - -#if (PHNT_VERSION >= PHNT_REDSTONE3) - // rev - NTSYSAPI - NTSTATUS - NTAPI - 
RtlRestoreSystemBootStatusDefaults( - VOID); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlGetSystemBootStatus( - _In_ RTL_BSD_ITEM_TYPE BootStatusInformationClass, - _Out_ PVOID DataBuffer, - _In_ ULONG DataLength, - _Out_opt_ PULONG ReturnLength); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlSetSystemBootStatus( - _In_ RTL_BSD_ITEM_TYPE BootStatusInformationClass, - _In_ PVOID DataBuffer, - _In_ ULONG DataLength, - _Out_opt_ PULONG ReturnLength); -#endif - -#if (PHNT_VERSION >= PHNT_WIN8) - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlCheckPortableOperatingSystem( - _Out_ PBOOLEAN IsPortable // VOID - ); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlSetPortableOperatingSystem( - _In_ BOOLEAN IsPortable); - - // rev - NTSYSAPI - ULONG - NTAPI - RtlSetProxiedProcessId( - _In_ ULONG ProxiedProcessId); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - - NTSYSAPI - NTSTATUS - NTAPI - RtlFindClosestEncodableLength( - _In_ ULONGLONG SourceLength, - _Out_ PULONGLONG TargetLength); - -#endif - - // Memory cache - - _Function_class_(RTL_SECURE_MEMORY_CACHE_CALLBACK) typedef NTSTATUS(NTAPI RTL_SECURE_MEMORY_CACHE_CALLBACK)( - _In_ PVOID Address, - _In_ SIZE_T Length); - typedef RTL_SECURE_MEMORY_CACHE_CALLBACK *PRTL_SECURE_MEMORY_CACHE_CALLBACK; - - // ros - NTSYSAPI - NTSTATUS - NTAPI - RtlRegisterSecureMemoryCacheCallback( - _In_ PRTL_SECURE_MEMORY_CACHE_CALLBACK Callback); - - NTSYSAPI - NTSTATUS - NTAPI - RtlDeregisterSecureMemoryCacheCallback( - _In_ PRTL_SECURE_MEMORY_CACHE_CALLBACK Callback); - - // ros - NTSYSAPI - BOOLEAN - NTAPI - RtlFlushSecureMemoryCache( - _In_ PVOID MemoryCache, - _In_opt_ SIZE_T MemoryLength); - - // Feature configuration - - // private - typedef ULONG RTL_FEATURE_ID; - typedef ULONGLONG RTL_FEATURE_CHANGE_STAMP, *PRTL_FEATURE_CHANGE_STAMP; - typedef UCHAR RTL_FEATURE_VARIANT; - typedef ULONG RTL_FEATURE_VARIANT_PAYLOAD; - typedef PVOID RTL_FEATURE_CONFIGURATION_CHANGE_REGISTRATION, *PRTL_FEATURE_CONFIGURATION_CHANGE_REGISTRATION; - - // private - 
typedef struct _RTL_FEATURE_USAGE_REPORT - { - ULONG FeatureId; - USHORT ReportingKind; - USHORT ReportingOptions; - } RTL_FEATURE_USAGE_REPORT, *PRTL_FEATURE_USAGE_REPORT; - - // private - typedef enum _RTL_FEATURE_CONFIGURATION_TYPE - { - RtlFeatureConfigurationBoot, - RtlFeatureConfigurationRuntime, - RtlFeatureConfigurationCount - } RTL_FEATURE_CONFIGURATION_TYPE; - - // private - typedef struct _RTL_FEATURE_CONFIGURATION - { - RTL_FEATURE_ID FeatureId; - union - { - ULONG Flags; - struct - { - ULONG Priority : 4; - ULONG EnabledState : 2; - ULONG IsWexpConfiguration : 1; - ULONG HasSubscriptions : 1; - ULONG Variant : 6; - ULONG VariantPayloadKind : 2; - ULONG Reserved : 16; - }; - }; - RTL_FEATURE_VARIANT_PAYLOAD VariantPayload; - } RTL_FEATURE_CONFIGURATION, *PRTL_FEATURE_CONFIGURATION; - - // private - typedef struct _RTL_FEATURE_CONFIGURATION_TABLE - { - ULONG FeatureCount; - _Field_size_(FeatureCount) RTL_FEATURE_CONFIGURATION Features[ANYSIZE_ARRAY]; - } RTL_FEATURE_CONFIGURATION_TABLE, *PRTL_FEATURE_CONFIGURATION_TABLE; - - // private - typedef enum _RTL_FEATURE_CONFIGURATION_PRIORITY - { - FeatureConfigurationPriorityImageDefault = 0, - FeatureConfigurationPriorityEKB = 1, - FeatureConfigurationPrioritySafeguard = 2, - FeatureConfigurationPriorityPersistent = FeatureConfigurationPrioritySafeguard, - FeatureConfigurationPriorityReserved3 = 3, - FeatureConfigurationPriorityService = 4, - FeatureConfigurationPriorityReserved5 = 5, - FeatureConfigurationPriorityDynamic = 6, - FeatureConfigurationPriorityReserved7 = 7, - FeatureConfigurationPriorityUser = 8, - FeatureConfigurationPrioritySecurity = 9, - FeatureConfigurationPriorityUserPolicy = 10, - FeatureConfigurationPriorityReserved11 = 11, - FeatureConfigurationPriorityTest = 12, - FeatureConfigurationPriorityReserved13 = 13, - FeatureConfigurationPriorityReserved14 = 14, - FeatureConfigurationPriorityImageOverride = 15, - FeatureConfigurationPriorityMax = FeatureConfigurationPriorityImageOverride - } 
RTL_FEATURE_CONFIGURATION_PRIORITY, - *PRTL_FEATURE_CONFIGURATION_PRIORITY; - - // private - typedef enum _RTL_FEATURE_ENABLED_STATE - { - FeatureEnabledStateDefault, - FeatureEnabledStateDisabled, - FeatureEnabledStateEnabled - } RTL_FEATURE_ENABLED_STATE; - - // private - typedef enum _RTL_FEATURE_ENABLED_STATE_OPTIONS - { - FeatureEnabledStateOptionsNone, - FeatureEnabledStateOptionsWexpConfig - } RTL_FEATURE_ENABLED_STATE_OPTIONS, - *PRTL_FEATURE_ENABLED_STATE_OPTIONS; - - // private - typedef enum _RTL_FEATURE_VARIANT_PAYLOAD_KIND - { - FeatureVariantPayloadKindNone, - FeatureVariantPayloadKindResident, - FeatureVariantPayloadKindExternal - } RTL_FEATURE_VARIANT_PAYLOAD_KIND, - *PRTL_FEATURE_VARIANT_PAYLOAD_KIND; - - // private - typedef enum _RTL_FEATURE_CONFIGURATION_OPERATION - { - FeatureConfigurationOperationNone = 0, - FeatureConfigurationOperationFeatureState = 1, - FeatureConfigurationOperationVariantState = 2, - FeatureConfigurationOperationResetState = 4 - } RTL_FEATURE_CONFIGURATION_OPERATION, - *PRTL_FEATURE_CONFIGURATION_OPERATION; - - // private - typedef struct _RTL_FEATURE_CONFIGURATION_UPDATE - { - RTL_FEATURE_ID FeatureId; - RTL_FEATURE_CONFIGURATION_PRIORITY Priority; - RTL_FEATURE_ENABLED_STATE EnabledState; - RTL_FEATURE_ENABLED_STATE_OPTIONS EnabledStateOptions; - RTL_FEATURE_VARIANT Variant; - UCHAR Reserved[3]; - RTL_FEATURE_VARIANT_PAYLOAD_KIND VariantPayloadKind; - RTL_FEATURE_VARIANT_PAYLOAD VariantPayload; - RTL_FEATURE_CONFIGURATION_OPERATION Operation; - } RTL_FEATURE_CONFIGURATION_UPDATE, *PRTL_FEATURE_CONFIGURATION_UPDATE; - - // private - typedef struct _RTL_FEATURE_USAGE_SUBSCRIPTION_TARGET - { - ULONG Data[2]; - } RTL_FEATURE_USAGE_SUBSCRIPTION_TARGET, *PRTL_FEATURE_USAGE_SUBSCRIPTION_TARGET; - - // private - typedef struct _RTL_FEATURE_USAGE_DATA - { - RTL_FEATURE_ID FeatureId; - USHORT ReportingKind; - USHORT Reserved; - } RTL_FEATURE_USAGE_DATA, *PRTL_FEATURE_USAGE_DATA; - - // private - typedef struct 
_RTL_FEATURE_USAGE_SUBSCRIPTION_DETAILS - { - RTL_FEATURE_ID FeatureId; - USHORT ReportingKind; - USHORT ReportingOptions; - RTL_FEATURE_USAGE_SUBSCRIPTION_TARGET ReportingTarget; - } RTL_FEATURE_USAGE_SUBSCRIPTION_DETAILS, *PRTL_FEATURE_USAGE_SUBSCRIPTION_DETAILS; - - // private - typedef struct _RTL_FEATURE_USAGE_SUBSCRIPTION_TABLE - { - ULONG SubscriptionCount; - _Field_size_(SubscriptionCount) RTL_FEATURE_USAGE_SUBSCRIPTION_DETAILS Subscriptions[ANYSIZE_ARRAY]; - } RTL_FEATURE_USAGE_SUBSCRIPTION_TABLE, *PRTL_FEATURE_USAGE_SUBSCRIPTION_TABLE; - - // private - _Function_class_(RTL_FEATURE_CONFIGURATION_CHANGE_CALLBACK) typedef VOID(NTAPI RTL_FEATURE_CONFIGURATION_CHANGE_CALLBACK)( - _In_opt_ PVOID Context); - typedef RTL_FEATURE_CONFIGURATION_CHANGE_CALLBACK *PRTL_FEATURE_CONFIGURATION_CHANGE_CALLBACK; - - // private - typedef struct _SYSTEM_FEATURE_CONFIGURATION_QUERY - { - RTL_FEATURE_CONFIGURATION_TYPE ConfigurationType; - RTL_FEATURE_ID FeatureId; - } SYSTEM_FEATURE_CONFIGURATION_QUERY, *PSYSTEM_FEATURE_CONFIGURATION_QUERY; - - // private - typedef struct _SYSTEM_FEATURE_CONFIGURATION_INFORMATION - { - RTL_FEATURE_CHANGE_STAMP ChangeStamp; - RTL_FEATURE_CONFIGURATION Configuration; - } SYSTEM_FEATURE_CONFIGURATION_INFORMATION, *PSYSTEM_FEATURE_CONFIGURATION_INFORMATION; - - // private - typedef enum _SYSTEM_FEATURE_CONFIGURATION_UPDATE_TYPE - { - SystemFeatureConfigurationUpdateTypeUpdate = 0, - SystemFeatureConfigurationUpdateTypeOverwrite = 1, - SystemFeatureConfigurationUpdateTypeCount = 2, - } SYSTEM_FEATURE_CONFIGURATION_UPDATE_TYPE, - *PSYSTEM_FEATURE_CONFIGURATION_UPDATE_TYPE; - - // private - typedef struct _SYSTEM_FEATURE_CONFIGURATION_UPDATE - { - SYSTEM_FEATURE_CONFIGURATION_UPDATE_TYPE UpdateType; - union - { - struct - { - RTL_FEATURE_CHANGE_STAMP PreviousChangeStamp; - RTL_FEATURE_CONFIGURATION_TYPE ConfigurationType; - ULONG UpdateCount; - _Field_size_(UpdateCount) RTL_FEATURE_CONFIGURATION_UPDATE Updates[ANYSIZE_ARRAY]; - } Update; - - struct 
- { - RTL_FEATURE_CHANGE_STAMP PreviousChangeStamp; - RTL_FEATURE_CONFIGURATION_TYPE ConfigurationType; - SIZE_T BufferSize; - PVOID Buffer; - } Overwrite; - }; - } SYSTEM_FEATURE_CONFIGURATION_UPDATE, *PSYSTEM_FEATURE_CONFIGURATION_UPDATE; - - // private - typedef struct _SYSTEM_FEATURE_CONFIGURATION_SECTIONS_INFORMATION_ENTRY - { - RTL_FEATURE_CHANGE_STAMP ChangeStamp; - PVOID Section; - SIZE_T Size; - } SYSTEM_FEATURE_CONFIGURATION_SECTIONS_INFORMATION_ENTRY, *PSYSTEM_FEATURE_CONFIGURATION_SECTIONS_INFORMATION_ENTRY; - - // private - typedef enum _SYSTEM_FEATURE_CONFIGURATION_SECTION_TYPE - { - SystemFeatureConfigurationSectionTypeBoot = 0, - SystemFeatureConfigurationSectionTypeRuntime = 1, - SystemFeatureConfigurationSectionTypeUsageTriggers = 2, - SystemFeatureConfigurationSectionTypeCount = 3, - } SYSTEM_FEATURE_CONFIGURATION_SECTION_TYPE; - - // private - typedef struct _SYSTEM_FEATURE_CONFIGURATION_SECTIONS_REQUEST - { - RTL_FEATURE_CHANGE_STAMP PreviousChangeStamps[SystemFeatureConfigurationSectionTypeCount]; - } SYSTEM_FEATURE_CONFIGURATION_SECTIONS_REQUEST, *PSYSTEM_FEATURE_CONFIGURATION_SECTIONS_REQUEST; - - // private - typedef struct _SYSTEM_FEATURE_CONFIGURATION_SECTIONS_INFORMATION - { - RTL_FEATURE_CHANGE_STAMP OverallChangeStamp; - SYSTEM_FEATURE_CONFIGURATION_SECTIONS_INFORMATION_ENTRY Descriptors[SystemFeatureConfigurationSectionTypeCount]; - } SYSTEM_FEATURE_CONFIGURATION_SECTIONS_INFORMATION, *PSYSTEM_FEATURE_CONFIGURATION_SECTIONS_INFORMATION; - - // private - typedef struct _SYSTEM_FEATURE_USAGE_SUBSCRIPTION_DETAILS - { - RTL_FEATURE_ID FeatureId; - USHORT ReportingKind; - USHORT ReportingOptions; - RTL_FEATURE_USAGE_SUBSCRIPTION_TARGET ReportingTarget; - } SYSTEM_FEATURE_USAGE_SUBSCRIPTION_DETAILS, *PSYSTEM_FEATURE_USAGE_SUBSCRIPTION_DETAILS; - - typedef struct _SYSTEM_FEATURE_USAGE_SUBSCRIPTION_UPDATE_ENTRY - { - ULONG Remove; - RTL_FEATURE_USAGE_SUBSCRIPTION_DETAILS Details; - } SYSTEM_FEATURE_USAGE_SUBSCRIPTION_UPDATE_ENTRY, 
*PSYSTEM_FEATURE_USAGE_SUBSCRIPTION_UPDATE_ENTRY; - - typedef struct _SYSTEM_FEATURE_USAGE_SUBSCRIPTION_UPDATE - { - ULONG UpdateCount; - _Field_size_(UpdateCount) SYSTEM_FEATURE_USAGE_SUBSCRIPTION_UPDATE_ENTRY Updates[ANYSIZE_ARRAY]; - } SYSTEM_FEATURE_USAGE_SUBSCRIPTION_UPDATE, *PSYSTEM_FEATURE_USAGE_SUBSCRIPTION_UPDATE; - -#if (PHNT_VERSION >= PHNT_20H1) - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlNotifyFeatureUsage( - _In_ PRTL_FEATURE_USAGE_REPORT FeatureUsageReport); - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlQueryFeatureConfiguration( - _In_ RTL_FEATURE_ID FeatureId, - _In_ RTL_FEATURE_CONFIGURATION_TYPE ConfigurationType, - _Out_ PRTL_FEATURE_CHANGE_STAMP ChangeStamp, - _Out_ PRTL_FEATURE_CONFIGURATION FeatureConfiguration); - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlSetFeatureConfigurations( - _In_opt_ PRTL_FEATURE_CHANGE_STAMP PreviousChangeStamp, - _In_ RTL_FEATURE_CONFIGURATION_TYPE ConfigurationType, - _In_reads_(ConfigurationUpdateCount) PRTL_FEATURE_CONFIGURATION_UPDATE ConfigurationUpdates, - _In_ SIZE_T ConfigurationUpdateCount); - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlQueryAllFeatureConfigurations( - _In_ RTL_FEATURE_CONFIGURATION_TYPE ConfigurationType, - _Out_opt_ PRTL_FEATURE_CHANGE_STAMP ChangeStamp, - _Out_writes_(*ConfigurationCount) PRTL_FEATURE_CONFIGURATION Configurations, - _Inout_ PSIZE_T ConfigurationCount); - - // private - NTSYSAPI - RTL_FEATURE_CHANGE_STAMP - NTAPI - RtlQueryFeatureConfigurationChangeStamp( - VOID); - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlQueryFeatureUsageNotificationSubscriptions( - _Out_writes_(*SubscriptionCount) PRTL_FEATURE_USAGE_SUBSCRIPTION_DETAILS Subscriptions, - _Inout_ PSIZE_T SubscriptionCount); - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlRegisterFeatureConfigurationChangeNotification( - _In_ PRTL_FEATURE_CONFIGURATION_CHANGE_CALLBACK Callback, - _In_opt_ PVOID Context, - _In_opt_ PRTL_FEATURE_CHANGE_STAMP ObservedChangeStamp, - _Out_ 
PRTL_FEATURE_CONFIGURATION_CHANGE_REGISTRATION RegistrationHandle); - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlUnregisterFeatureConfigurationChangeNotification( - _In_ RTL_FEATURE_CONFIGURATION_CHANGE_REGISTRATION RegistrationHandle); - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlSubscribeForFeatureUsageNotification( - _In_reads_(SubscriptionCount) PRTL_FEATURE_USAGE_SUBSCRIPTION_DETAILS SubscriptionDetails, - _In_ SIZE_T SubscriptionCount); - - // private - NTSYSAPI - NTSTATUS - NTAPI - RtlUnsubscribeFromFeatureUsageNotifications( - _In_reads_(SubscriptionCount) PRTL_FEATURE_USAGE_SUBSCRIPTION_DETAILS SubscriptionDetails, - _In_ SIZE_T SubscriptionCount); -#endif - -// private -#if (PHNT_VERSION >= PHNT_WIN11) - NTSYSAPI - NTSTATUS - NTAPI - RtlOverwriteFeatureConfigurationBuffer( - _In_opt_ PRTL_FEATURE_CHANGE_STAMP PreviousChangeStamp, - _In_ RTL_FEATURE_CONFIGURATION_TYPE ConfigurationType, - _In_reads_bytes_opt_(ConfigurationBufferSize) PVOID ConfigurationBuffer, - _In_ ULONG ConfigurationBufferSize); -#endif - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlNotifyFeatureToggleUsage( - _In_ PRTL_FEATURE_USAGE_REPORT FeatureUsageReport, - _In_ RTL_FEATURE_ID FeatureId, - _In_ ULONG Flags); - -#ifndef _RTL_RUN_ONCE_DEF -#define _RTL_RUN_ONCE_DEF -// -// Run once initializer -// -#define RTL_RUN_ONCE_INIT {0} -// -// Run once flags -// -#define RTL_RUN_ONCE_CHECK_ONLY 0x00000001UL -#define RTL_RUN_ONCE_ASYNC 0x00000002UL -#define RTL_RUN_ONCE_INIT_FAILED 0x00000004UL -// -// The context stored in the run once structure must -// leave the following number of low order bits unused. 
-// -#define RTL_RUN_ONCE_CTX_RESERVED_BITS 2 - - typedef union _RTL_RUN_ONCE - { - PVOID Ptr; - } RTL_RUN_ONCE, *PRTL_RUN_ONCE; -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - - NTSYSAPI - VOID - NTAPI - RtlRunOnceInitialize( - _Out_ PRTL_RUN_ONCE RunOnce); - - typedef _Function_class_(RTL_RUN_ONCE_INIT_FN) - LOGICAL - NTAPI - RTL_RUN_ONCE_INIT_FN( - _Inout_ PRTL_RUN_ONCE RunOnce, - _Inout_opt_ PVOID Parameter, - _Inout_opt_ PVOID *Context); - typedef RTL_RUN_ONCE_INIT_FN *PRTL_RUN_ONCE_INIT_FN; - - _Maybe_raises_SEH_exception_ - NTSYSAPI - NTSTATUS - NTAPI - RtlRunOnceExecuteOnce( - _Inout_ PRTL_RUN_ONCE RunOnce, - _In_ __callback PRTL_RUN_ONCE_INIT_FN InitFn, - _Inout_opt_ PVOID Parameter, - _Outptr_opt_result_maybenull_ PVOID *Context); - - _Must_inspect_result_ - NTSYSAPI - NTSTATUS - NTAPI - RtlRunOnceBeginInitialize( - _Inout_ PRTL_RUN_ONCE RunOnce, - _In_ ULONG Flags, - _Outptr_opt_result_maybenull_ PVOID *Context); - - NTSYSAPI - NTSTATUS - NTAPI - RtlRunOnceComplete( - _Inout_ PRTL_RUN_ONCE RunOnce, - _In_ ULONG Flags, - _In_opt_ PVOID Context); - -#endif - -#if (PHNT_VERSION >= PHNT_THRESHOLD) - -#define WNF_STATE_KEY 0x41C64E6DA3BC0074 - - _Must_inspect_result_ - NTSYSAPI - BOOLEAN - NTAPI - RtlEqualWnfChangeStamps( - _In_ WNF_CHANGE_STAMP ChangeStamp1, - _In_ WNF_CHANGE_STAMP ChangeStamp2); - - _Always_(_Post_satisfies_(return == STATUS_NO_MEMORY || return == STATUS_RETRY || return == STATUS_SUCCESS)) typedef _Function_class_(WNF_USER_CALLBACK) - NTSTATUS - NTAPI - WNF_USER_CALLBACK( - _In_ WNF_STATE_NAME StateName, - _In_ WNF_CHANGE_STAMP ChangeStamp, - _In_opt_ PWNF_TYPE_ID TypeId, - _In_opt_ PVOID CallbackContext, - _In_reads_bytes_opt_(Length) const VOID *Buffer, - _In_ ULONG Length); - typedef WNF_USER_CALLBACK *PWNF_USER_CALLBACK; - - NTSYSAPI - NTSTATUS - NTAPI - RtlQueryWnfStateData( - _Out_ PWNF_CHANGE_STAMP ChangeStamp, - _In_ WNF_STATE_NAME StateName, - _In_ PWNF_USER_CALLBACK Callback, - _In_opt_ PVOID CallbackContext, - _In_opt_ PWNF_TYPE_ID 
TypeId); - - NTSYSAPI - NTSTATUS - NTAPI - RtlPublishWnfStateData( - _In_ WNF_STATE_NAME StateName, - _In_opt_ PCWNF_TYPE_ID TypeId, - _In_reads_bytes_opt_(Length) const VOID *Buffer, - _In_opt_ ULONG Length, - _In_opt_ const VOID *ExplicitScope); - - NTSYSAPI - NTSTATUS - NTAPI - RtlSubscribeWnfStateChangeNotification( - _Outptr_ PVOID *SubscriptionHandle, // PWNF_USER_SUBSCRIPTION - _In_ WNF_STATE_NAME StateName, - _In_ WNF_CHANGE_STAMP ChangeStamp, - _In_ PWNF_USER_CALLBACK Callback, - _In_opt_ PVOID CallbackContext, - _In_opt_ PCWNF_TYPE_ID TypeId, - _In_opt_ ULONG SerializationGroup, - _Reserved_ ULONG Flags); - - NTSYSAPI - NTSTATUS - NTAPI - RtlUnsubscribeWnfStateChangeNotification( - _In_ PWNF_USER_CALLBACK Callback); - - NTSYSAPI - NTSTATUS - NTAPI - RtlWnfDllUnloadCallback( - _In_ PVOID DllBase); - -#endif - -#if (PHNT_VERSION >= PHNT_WIN11) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCopyFileChunk( - _In_ HANDLE SourceHandle, - _In_ HANDLE DestinationHandle, - _In_opt_ HANDLE EventHandle, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_ ULONG Length, - _In_ PLARGE_INTEGER SourceOffset, - _In_ PLARGE_INTEGER DestOffset, - _In_opt_ PULONG SourceKey, - _In_opt_ PULONG DestKey, - _In_ ULONG Flags); -#endif - -#define COPY_FILE_CHUNK_DUPLICATE_EXTENTS 0x00000001L // 24H2 -#define VALID_COPY_FILE_CHUNK_FLAGS (COPY_FILE_CHUNK_DUPLICATE_EXTENTS) - -#if (PHNT_VERSION >= PHNT_WIN11) - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlQueryPropertyStore( - _In_ ULONG_PTR Key, - _Out_ PULONG_PTR Context); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlRemovePropertyStore( - _In_ ULONG_PTR Key, - _Out_ PULONG_PTR Context); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - RtlCompareExchangePropertyStore( - _In_ ULONG_PTR Key, - _In_ PULONG_PTR Comperand, - _In_opt_ PULONG_PTR Exchange, - _Out_ PULONG_PTR Context); -#endif - -#if (PHNT_VERSION >= PHNT_WIN11) - typedef enum _THREAD_STATE_CHANGE_TYPE THREAD_STATE_CHANGE_TYPE, *PTHREAD_STATE_CHANGE_TYPE; - - // rev - NTSYSAPI - NTSTATUS - NTAPI 
- RtlWow64ChangeThreadState( - _In_ HANDLE ThreadStateChangeHandle, - _In_ HANDLE ThreadHandle, - _In_ THREAD_STATE_CHANGE_TYPE StateChangeType, - _In_opt_ PVOID ExtendedInformation, - _In_opt_ SIZE_T ExtendedInformationLength, - _In_opt_ ULONG64 Reserved); -#endif - -#ifdef PHNT_INLINE_TYPEDEFS -#if (PHNT_VERSION >= PHNT_WIN11) - // rev - FORCEINLINE - USHORT - NTAPI - RtlGetCurrentThreadPrimaryGroup( - VOID) - { - return NtCurrentTeb()->PrimaryGroupAffinity.Group; - } -#endif -#else -#if (PHNT_VERSION >= PHNT_REDSTONE) - // rev - NTSYSAPI - USHORT - NTAPI - RtlGetCurrentThreadPrimaryGroup( - VOID); -#endif -#endif - -#endif // _NTRTL_H - -/* - * RTL forward symbol typedefs - * - * This file is part of System Informer. - */ -#ifndef _NTRTL_FWD_H -#define _NTRTL_FWD_H - -// Note: ntdll symbols and exports define these forwarders: - -// begin_forwarders -#ifndef PHNT_INLINE_NAME_FORWARDERS -#define RtlGetNativeSystemInformation NtQuerySystemInformation -#define RtlGetTickCount NtGetTickCount -#define RtlGuardRestoreContext RtlRestoreContext -#define RtlRandom RtlRandomEx -#define RtlOpenImageFileOptionsKey LdrOpenImageFileOptionsKey -#define RtlQueryImageFileExecutionOptions LdrQueryImageFileExecutionOptionsEx -#define RtlQueryImageFileKeyOption LdrQueryImageFileKeyOption -#define RtlSetTimer RtlCreateTimer -#define RtlRestoreLastWin32Error RtlSetLastWin32Error -#endif - -#ifndef PHNT_INLINE_PEB_FORWARDERS - FORCEINLINE - PPEB - NTAPI - RtlGetCurrentPeb( - VOID) - { - return NtCurrentPeb(); - } - - FORCEINLINE - NTSTATUS - NTAPI - RtlAcquirePebLock( - VOID) - { - return RtlEnterCriticalSection(NtCurrentPeb()->FastPebLock); - } - - FORCEINLINE - NTSTATUS - NTAPI - RtlReleasePebLock( - VOID) - { - return RtlLeaveCriticalSection(NtCurrentPeb()->FastPebLock); - } -#endif - -#ifndef PHNT_INLINE_FREE_FORWARDERS - // #define RtlFreeUnicodeString(UnicodeString) {if ((UnicodeString)->Buffer) RtlFreeHeap(RtlProcessHeap(), 0, (UnicodeString)->Buffer); memset(UnicodeString, 0, 
sizeof(UNICODE_STRING));} - FORCEINLINE - VOID - NTAPI - RtlFreeUnicodeString( - _Inout_ _At_(UnicodeString->Buffer, _Frees_ptr_opt_) PUNICODE_STRING UnicodeString) - { - if (UnicodeString->Buffer) - { - RtlFreeHeap(RtlProcessHeap(), 0, UnicodeString->Buffer); - memset(UnicodeString, 0, sizeof(UNICODE_STRING)); - } - } - - // #define RtlFreeAnsiString(UnicodeString) {if ((AnsiString)->Buffer) RtlFreeHeap(RtlProcessHeap(), 0, (AnsiString)->Buffer); memset(AnsiString, 0, sizeof(ANSI_STRING));} - FORCEINLINE - VOID - NTAPI - RtlFreeAnsiString( - _Inout_ _At_(AnsiString->Buffer, _Frees_ptr_opt_) PANSI_STRING AnsiString) - { - if (AnsiString->Buffer) - { - RtlFreeHeap(RtlProcessHeap(), 0, AnsiString->Buffer); - memset(AnsiString, 0, sizeof(ANSI_STRING)); - } - } - - // #define RtlFreeUTF8String(Utf8String) {if ((Utf8String)->Buffer) RtlFreeHeap(RtlProcessHeap(), 0, (Utf8String)->Buffer); memset(Utf8String, 0, sizeof(UTF8_STRING));} - FORCEINLINE - VOID - NTAPI - RtlFreeUTF8String( - _Inout_ _At_(Utf8String->Buffer, _Frees_ptr_opt_) PUTF8_STRING Utf8String) - { - if (Utf8String->Buffer) - { - RtlFreeHeap(RtlProcessHeap(), 0, Utf8String->Buffer); - memset(Utf8String, 0, sizeof(UTF8_STRING)); - } - } - - // #define RtlFreeSid(Sid) RtlFreeHeap(RtlProcessHeap(), 0, (Sid)) - FORCEINLINE - PVOID - NTAPI - RtlFreeSid( - _In_ _Post_invalid_ PSID Sid) - { - RtlFreeHeap(RtlProcessHeap(), 0, Sid); - return NULL; - } - - // #define RtlDeleteBoundaryDescriptor(BoundaryDescriptor) RtlFreeHeap(RtlProcessHeap(), 0, (BoundaryDescriptor)) - FORCEINLINE - VOID - NTAPI - RtlDeleteBoundaryDescriptor( - _In_ _Post_invalid_ POBJECT_BOUNDARY_DESCRIPTOR BoundaryDescriptor) - { - RtlFreeHeap(RtlProcessHeap(), 0, BoundaryDescriptor); - } - - // #define RtlDeleteSecurityObject(ObjectDescriptor) RtlFreeHeap(RtlProcessHeap(), 0, *(ObjectDescriptor)) - // FORCEINLINE - // NTSTATUS - // RtlDeleteSecurityObject( - // _Inout_ PSECURITY_DESCRIPTOR *ObjectDescriptor - // ) - //{ - // 
RtlFreeHeap(RtlProcessHeap(), 0, *ObjectDescriptor); - // return STATUS_SUCCESS; - // } - - // #define RtlDestroyEnvironment(Environment) RtlFreeHeap(RtlProcessHeap(), 0, (Environment)) - FORCEINLINE - NTSTATUS - NTAPI - RtlDestroyEnvironment( - _In_ _Post_invalid_ PVOID Environment) - { - RtlFreeHeap(RtlProcessHeap(), 0, Environment); - return STATUS_SUCCESS; - } - - // #define RtlDestroyProcessParameters(ProcessParameters) RtlFreeHeap(RtlProcessHeap(), 0, (ProcessParameters)) - FORCEINLINE - NTSTATUS - NTAPI - RtlDestroyProcessParameters( - _In_ _Post_invalid_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters) - { - RtlFreeHeap(RtlProcessHeap(), 0, ProcessParameters); - return STATUS_SUCCESS; - } -#endif - // end_forwarders - -#endif // _NTRTL_FWD_H - /* - * PE format support - * - * This file is part of System Informer. - */ - -#ifndef _NTIMAGE_H -#define _NTIMAGE_H - -#include - -#if (PHNT_MODE != PHNT_MODE_KERNEL) -#define IMAGE_FILE_MACHINE_CHPE_X86 0x3A64 -#define IMAGE_FILE_MACHINE_ARM64EC 0xA641 -#define IMAGE_FILE_MACHINE_ARM64X 0xA64E -#endif - - typedef struct _IMAGE_DEBUG_POGO_ENTRY - { - ULONG Rva; - ULONG Size; - CHAR Name[1]; - } IMAGE_DEBUG_POGO_ENTRY, *PIMAGE_DEBUG_POGO_ENTRY; - - typedef struct _IMAGE_DEBUG_POGO_SIGNATURE - { - ULONG Signature; - } IMAGE_DEBUG_POGO_SIGNATURE, *PIMAGE_DEBUG_POGO_SIGNATURE; - -#define IMAGE_DEBUG_POGO_SIGNATURE_LTCG 'LTCG' // coffgrp LTCG (0x4C544347) -#define IMAGE_DEBUG_POGO_SIGNATURE_PGU 'PGU\0' // coffgrp PGU (0x50475500) - - typedef struct _IMAGE_RELOCATION_RECORD - { - USHORT Offset : 12; - USHORT Type : 4; - } IMAGE_RELOCATION_RECORD, *PIMAGE_RELOCATION_RECORD; - - typedef struct _IMAGE_CHPE_METADATA_X86 - { - ULONG Version; - ULONG CHPECodeAddressRangeOffset; - ULONG CHPECodeAddressRangeCount; - ULONG WowA64ExceptionHandlerFunctionPointer; - ULONG WowA64DispatchCallFunctionPointer; - ULONG WowA64DispatchIndirectCallFunctionPointer; - ULONG WowA64DispatchIndirectCallCfgFunctionPointer; - ULONG 
WowA64DispatchRetFunctionPointer; - ULONG WowA64DispatchRetLeafFunctionPointer; - ULONG WowA64DispatchJumpFunctionPointer; - ULONG CompilerIATPointer; // Present if Version >= 2 - ULONG WowA64RdtscFunctionPointer; // Present if Version >= 3 - } IMAGE_CHPE_METADATA_X86, *PIMAGE_CHPE_METADATA_X86; - - typedef struct _IMAGE_CHPE_RANGE_ENTRY - { - union - { - ULONG StartOffset; - struct - { - ULONG NativeCode : 1; - ULONG AddressBits : 31; - } DUMMYSTRUCTNAME; - } DUMMYUNIONNAME; - - ULONG Length; - } IMAGE_CHPE_RANGE_ENTRY, *PIMAGE_CHPE_RANGE_ENTRY; - - typedef struct _IMAGE_ARM64EC_METADATA - { - ULONG Version; - ULONG CodeMap; - ULONG CodeMapCount; - ULONG CodeRangesToEntryPoints; - ULONG RedirectionMetadata; - ULONG tbd__os_arm64x_dispatch_call_no_redirect; - ULONG tbd__os_arm64x_dispatch_ret; - ULONG tbd__os_arm64x_dispatch_call; - ULONG tbd__os_arm64x_dispatch_icall; - ULONG tbd__os_arm64x_dispatch_icall_cfg; - ULONG AlternateEntryPoint; - ULONG AuxiliaryIAT; - ULONG CodeRangesToEntryPointsCount; - ULONG RedirectionMetadataCount; - ULONG GetX64InformationFunctionPointer; - ULONG SetX64InformationFunctionPointer; - ULONG ExtraRFETable; - ULONG ExtraRFETableSize; - ULONG __os_arm64x_dispatch_fptr; - ULONG AuxiliaryIATCopy; - } IMAGE_ARM64EC_METADATA, *PIMAGE_ARM64EC_METADATA; - -// rev -#define IMAGE_ARM64EC_CODE_MAP_TYPE_ARM64 0 -#define IMAGE_ARM64EC_CODE_MAP_TYPE_ARM64EC 1 -#define IMAGE_ARM64EC_CODE_MAP_TYPE_AMD64 2 - - // rev - typedef struct _IMAGE_ARM64EC_CODE_MAP_ENTRY - { - union - { - ULONG StartOffset; - struct - { - ULONG Type : 2; - ULONG AddressBits : 30; - } DUMMYSTRUCTNAME; - } DUMMYUNIONNAME; - - ULONG Length; - } IMAGE_ARM64EC_CODE_MAP_ENTRY, *PIMAGE_ARM64EC_CODE_MAP_ENTRY; - - typedef struct _IMAGE_ARM64EC_REDIRECTION_ENTRY - { - ULONG Source; - ULONG Destination; - } IMAGE_ARM64EC_REDIRECTION_ENTRY, *PIMAGE_ARM64EC_REDIRECTION_ENTRY; - - typedef struct _IMAGE_ARM64EC_CODE_RANGE_ENTRY_POINT - { - ULONG StartRva; - ULONG EndRva; - ULONG 
EntryPoint; - } IMAGE_ARM64EC_CODE_RANGE_ENTRY_POINT, *PIMAGE_ARM64EC_CODE_RANGE_ENTRY_POINT; - -#define IMAGE_DVRT_ARM64X_FIXUP_TYPE_ZEROFILL 0 -#define IMAGE_DVRT_ARM64X_FIXUP_TYPE_VALUE 1 -#define IMAGE_DVRT_ARM64X_FIXUP_TYPE_DELTA 2 - -#define IMAGE_DVRT_ARM64X_FIXUP_SIZE_2BYTES 1 -#define IMAGE_DVRT_ARM64X_FIXUP_SIZE_4BYTES 2 -#define IMAGE_DVRT_ARM64X_FIXUP_SIZE_8BYTES 3 - - typedef struct _IMAGE_DVRT_ARM64X_FIXUP_RECORD - { - USHORT Offset : 12; - USHORT Type : 2; - USHORT Size : 2; - // Value of variable Size when IMAGE_DVRT_ARM64X_FIXUP_TYPE_VALUE - } IMAGE_DVRT_ARM64X_FIXUP_RECORD, *PIMAGE_DVRT_ARM64X_FIXUP_RECORD; - - typedef struct _IMAGE_DVRT_ARM64X_DELTA_FIXUP_RECORD - { - USHORT Offset : 12; - USHORT Type : 2; // IMAGE_DVRT_ARM64X_FIXUP_TYPE_DELTA - USHORT Sign : 1; // 1 = -, 0 = + - USHORT Scale : 1; // 1 = 8, 0 = 4 - // USHORT Value; // Delta = Value * Scale * Sign - } IMAGE_DVRT_ARM64X_DELTA_FIXUP_RECORD, *PIMAGE_DVRT_ARM64X_DELTA_FIXUP_RECORD; - -#include - -#define IMAGE_DYNAMIC_RELOCATION_ARM64X 0x00000006 -#define IMAGE_DYNAMIC_RELOCATION_MM_SHARED_USER_DATA_VA 0x7FFE0000 -#define IMAGE_DYNAMIC_RELOCATION_KI_USER_SHARED_DATA64 0xFFFFF78000000000UI64 - - // Note: The Windows SDK defines UNALIGNED for PIMAGE_IMPORT_DESCRIPTOR but - // doesn't include UNALIGNED for PIMAGE_THUNK_DATA (See GH#1694) (dmex) - typedef struct _IMAGE_THUNK_DATA32 IMAGE_THUNK_DATA32; - typedef struct _IMAGE_THUNK_DATA64 IMAGE_THUNK_DATA64; - typedef IMAGE_THUNK_DATA32 UNALIGNED *UNALIGNED_PIMAGE_THUNK_DATA32; - typedef IMAGE_THUNK_DATA64 UNALIGNED *UNALIGNED_PIMAGE_THUNK_DATA64; - -// Note: Required for legacy SDK support (dmex) -#if !defined(NTDDI_WIN10_NI) || (NTDDI_VERSION < NTDDI_WIN10_NI) -#define IMAGE_DYNAMIC_RELOCATION_GUARD_RF_PROLOGUE 0x00000001 -#define IMAGE_DYNAMIC_RELOCATION_GUARD_RF_EPILOGUE 0x00000002 -#define IMAGE_DYNAMIC_RELOCATION_GUARD_IMPORT_CONTROL_TRANSFER 0x00000003 -#define IMAGE_DYNAMIC_RELOCATION_GUARD_INDIR_CONTROL_TRANSFER 0x00000004 
-#define IMAGE_DYNAMIC_RELOCATION_GUARD_SWITCHTABLE_BRANCH 0x00000005 -#define IMAGE_DYNAMIC_RELOCATION_FUNCTION_OVERRIDE 0x00000007 - - typedef struct _IMAGE_FUNCTION_OVERRIDE_HEADER - { - ULONG FuncOverrideSize; - // IMAGE_FUNCTION_OVERRIDE_DYNAMIC_RELOCATION FuncOverrideInfo[ANYSIZE_ARRAY]; // FuncOverrideSize bytes in size - // IMAGE_BDD_INFO BDDInfo; // BDD region, size in bytes: DVRTEntrySize - sizeof(IMAGE_FUNCTION_OVERRIDE_HEADER) - FuncOverrideSize - } IMAGE_FUNCTION_OVERRIDE_HEADER; - typedef IMAGE_FUNCTION_OVERRIDE_HEADER UNALIGNED *PIMAGE_FUNCTION_OVERRIDE_HEADER; - - typedef struct _IMAGE_BDD_INFO - { - ULONG Version; // decides the semantics of serialized BDD - ULONG BDDSize; - // IMAGE_BDD_DYNAMIC_RELOCATION BDDNodes[ANYSIZE_ARRAY]; // BDDSize size in bytes. - } IMAGE_BDD_INFO, *PIMAGE_BDD_INFO; - - typedef struct _IMAGE_FUNCTION_OVERRIDE_DYNAMIC_RELOCATION - { - ULONG OriginalRva; // RVA of original function - ULONG BDDOffset; // Offset into the BDD region - ULONG RvaSize; // Size in bytes taken by RVAs. Must be multiple of sizeof(DWORD). - ULONG BaseRelocSize; // Size in bytes taken by BaseRelocs - // DWORD RVAs[RvaSize / sizeof(DWORD)]; // Array containing overriding func RVAs. - // IMAGE_BASE_RELOCATION BaseRelocs[ANYSIZE_ARRAY]; - // ^Base relocations (RVA + Size + TO) - // ^Padded with extra TOs for 4B alignment - // ^BaseRelocSize size in bytes - } IMAGE_FUNCTION_OVERRIDE_DYNAMIC_RELOCATION, *PIMAGE_FUNCTION_OVERRIDE_DYNAMIC_RELOCATION; - - typedef struct _IMAGE_BDD_DYNAMIC_RELOCATION - { - USHORT Left; // Index of FALSE edge in BDD array - USHORT Right; // Index of TRUE edge in BDD array - ULONG Value; // Either FeatureNumber or Index into RVAs array - } IMAGE_BDD_DYNAMIC_RELOCATION, *PIMAGE_BDD_DYNAMIC_RELOCATION; - -// Function override relocation types in DVRT records. 
-#define IMAGE_FUNCTION_OVERRIDE_INVALID 0 -#define IMAGE_FUNCTION_OVERRIDE_X64_REL32 1 // 32-bit relative address from byte following reloc -#define IMAGE_FUNCTION_OVERRIDE_ARM64_BRANCH26 2 // 26 bit offset << 2 & sign ext. for B & BL -#define IMAGE_FUNCTION_OVERRIDE_ARM64_THUNK 3 -#endif - -#if !defined(NTDDI_WIN11_GE) || (NTDDI_VERSION < NTDDI_WIN11_GE) -#define IMAGE_DLLCHARACTERISTICS_EX_FORWARD_CFI_COMPAT 0x40 -#define IMAGE_DLLCHARACTERISTICS_EX_HOTPATCH_COMPATIBLE 0x80 -#endif - -#endif - /* - * Authorization functions - * - * This file is part of System Informer. - */ - -#ifndef _NTSEAPI_H -#define _NTSEAPI_H - - // - // Privileges - // - -#define SE_MIN_WELL_KNOWN_PRIVILEGE (2L) -#define SE_CREATE_TOKEN_PRIVILEGE (2L) -#define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE (3L) -#define SE_LOCK_MEMORY_PRIVILEGE (4L) -#define SE_INCREASE_QUOTA_PRIVILEGE (5L) - -#define SE_MACHINE_ACCOUNT_PRIVILEGE (6L) -#define SE_TCB_PRIVILEGE (7L) -#define SE_SECURITY_PRIVILEGE (8L) -#define SE_TAKE_OWNERSHIP_PRIVILEGE (9L) -#define SE_LOAD_DRIVER_PRIVILEGE (10L) -#define SE_SYSTEM_PROFILE_PRIVILEGE (11L) -#define SE_SYSTEMTIME_PRIVILEGE (12L) -#define SE_PROF_SINGLE_PROCESS_PRIVILEGE (13L) -#define SE_INC_BASE_PRIORITY_PRIVILEGE (14L) -#define SE_CREATE_PAGEFILE_PRIVILEGE (15L) -#define SE_CREATE_PERMANENT_PRIVILEGE (16L) -#define SE_BACKUP_PRIVILEGE (17L) -#define SE_RESTORE_PRIVILEGE (18L) -#define SE_SHUTDOWN_PRIVILEGE (19L) -#define SE_DEBUG_PRIVILEGE (20L) -#define SE_AUDIT_PRIVILEGE (21L) -#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE (22L) -#define SE_CHANGE_NOTIFY_PRIVILEGE (23L) -#define SE_REMOTE_SHUTDOWN_PRIVILEGE (24L) -#define SE_UNDOCK_PRIVILEGE (25L) -#define SE_SYNC_AGENT_PRIVILEGE (26L) -#define SE_ENABLE_DELEGATION_PRIVILEGE (27L) -#define SE_MANAGE_VOLUME_PRIVILEGE (28L) -#define SE_IMPERSONATE_PRIVILEGE (29L) -#define SE_CREATE_GLOBAL_PRIVILEGE (30L) -#define SE_TRUSTED_CREDMAN_ACCESS_PRIVILEGE (31L) -#define SE_RELABEL_PRIVILEGE (32L) -#define 
SE_INC_WORKING_SET_PRIVILEGE (33L) -#define SE_TIME_ZONE_PRIVILEGE (34L) -#define SE_CREATE_SYMBOLIC_LINK_PRIVILEGE (35L) -#define SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE (36L) -#define SE_MAX_WELL_KNOWN_PRIVILEGE SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE - - // - // Authz - // - - // begin_rev - -#if (PHNT_MODE == PHNT_MODE_KERNEL) - typedef enum _TOKEN_INFORMATION_CLASS - { - TokenUser = 1, // q: TOKEN_USER, SE_TOKEN_USER - TokenGroups, // q: TOKEN_GROUPS - TokenPrivileges, // q: TOKEN_PRIVILEGES - TokenOwner, // q; s: TOKEN_OWNER - TokenPrimaryGroup, // q; s: TOKEN_PRIMARY_GROUP - TokenDefaultDacl, // q; s: TOKEN_DEFAULT_DACL - TokenSource, // q: TOKEN_SOURCE - TokenType, // q: TOKEN_TYPE - TokenImpersonationLevel, // q: SECURITY_IMPERSONATION_LEVEL - TokenStatistics, // q: TOKEN_STATISTICS // 10 - TokenRestrictedSids, // q: TOKEN_GROUPS - TokenSessionId, // q; s: ULONG (requires SeTcbPrivilege) - TokenGroupsAndPrivileges, // q: TOKEN_GROUPS_AND_PRIVILEGES - TokenSessionReference, // s: ULONG (requires SeTcbPrivilege) - TokenSandBoxInert, // q: ULONG - TokenAuditPolicy, // q; s: TOKEN_AUDIT_POLICY (requires SeSecurityPrivilege/SeTcbPrivilege) - TokenOrigin, // q; s: TOKEN_ORIGIN (requires SeTcbPrivilege) - TokenElevationType, // q: TOKEN_ELEVATION_TYPE - TokenLinkedToken, // q; s: TOKEN_LINKED_TOKEN (requires SeCreateTokenPrivilege) - TokenElevation, // q: TOKEN_ELEVATION // 20 - TokenHasRestrictions, // q: ULONG - TokenAccessInformation, // q: TOKEN_ACCESS_INFORMATION - TokenVirtualizationAllowed, // q; s: ULONG (requires SeCreateTokenPrivilege) - TokenVirtualizationEnabled, // q; s: ULONG - TokenIntegrityLevel, // q; s: TOKEN_MANDATORY_LABEL - TokenUIAccess, // q; s: ULONG (requires SeTcbPrivilege) - TokenMandatoryPolicy, // q; s: TOKEN_MANDATORY_POLICY (requires SeTcbPrivilege) - TokenLogonSid, // q: TOKEN_GROUPS - TokenIsAppContainer, // q: ULONG // since WIN8 - TokenCapabilities, // q: TOKEN_GROUPS // 30 - TokenAppContainerSid, // q: 
TOKEN_APPCONTAINER_INFORMATION - TokenAppContainerNumber, // q: ULONG - TokenUserClaimAttributes, // q: CLAIM_SECURITY_ATTRIBUTES_INFORMATION - TokenDeviceClaimAttributes, // q: CLAIM_SECURITY_ATTRIBUTES_INFORMATION - TokenRestrictedUserClaimAttributes, // q: CLAIM_SECURITY_ATTRIBUTES_INFORMATION - TokenRestrictedDeviceClaimAttributes, // q: CLAIM_SECURITY_ATTRIBUTES_INFORMATION - TokenDeviceGroups, // q: TOKEN_GROUPS - TokenRestrictedDeviceGroups, // q: TOKEN_GROUPS - TokenSecurityAttributes, // q; s: TOKEN_SECURITY_ATTRIBUTES_[AND_OPERATION_]INFORMATION (requires SeTcbPrivilege) - TokenIsRestricted, // q: ULONG // 40 - TokenProcessTrustLevel, // q: TOKEN_PROCESS_TRUST_LEVEL // since WINBLUE - TokenPrivateNameSpace, // q; s: ULONG (requires SeTcbPrivilege) // since THRESHOLD - TokenSingletonAttributes, // q: TOKEN_SECURITY_ATTRIBUTES_INFORMATION // since REDSTONE - TokenBnoIsolation, // q: TOKEN_BNO_ISOLATION_INFORMATION // since REDSTONE2 - TokenChildProcessFlags, // s: ULONG (requires SeTcbPrivilege) // since REDSTONE3 - TokenIsLessPrivilegedAppContainer, // q: ULONG // since REDSTONE5 - TokenIsSandboxed, // q: ULONG // since 19H1 - TokenIsAppSilo, // q: ULONG // since WIN11 22H2 // previously TokenOriginatingProcessTrustLevel // q: TOKEN_PROCESS_TRUST_LEVEL - TokenLoggingInformation, // TOKEN_LOGGING_INFORMATION // since 24H2 - MaxTokenInfoClass - } TOKEN_INFORMATION_CLASS, - *PTOKEN_INFORMATION_CLASS; -#else -#define TOKEN_INFORMATION_CLASS ULONG -// #define TokenUser 1 // q: TOKEN_USER, SE_TOKEN_USER -// #define TokenGroups 2 // q: TOKEN_GROUPS -// #define TokenPrivileges 3 // q: TOKEN_PRIVILEGES -// #define TokenOwner 4 // q; s: TOKEN_OWNER -#define TokenPrimaryGroup 5 // q; s: TOKEN_PRIMARY_GROUP -#define TokenDefaultDacl 6 // q; s: TOKEN_DEFAULT_DACL -#define TokenSource 7 // q: TOKEN_SOURCE -// #define TokenType 8 // q: TOKEN_TYPE -#define TokenImpersonationLevel 9 // q: SECURITY_IMPERSONATION_LEVEL -#define TokenStatistics 10 // q: TOKEN_STATISTICS // 10 
-#define TokenRestrictedSids 11 // q: TOKEN_GROUPS -#define TokenSessionId 12 // q; s: ULONG (requires SeTcbPrivilege) -#define TokenGroupsAndPrivileges 13 // q: TOKEN_GROUPS_AND_PRIVILEGES -#define TokenSessionReference 14 // s: ULONG (requires SeTcbPrivilege) -#define TokenSandBoxInert 15 // q: ULONG -#define TokenAuditPolicy 16 // q; s: TOKEN_AUDIT_POLICY (requires SeSecurityPrivilege/SeTcbPrivilege) -#define TokenOrigin 17 // q; s: TOKEN_ORIGIN (requires SeTcbPrivilege) -#define TokenElevationType 18 // q: TOKEN_ELEVATION_TYPE -#define TokenLinkedToken 19 // q; s: TOKEN_LINKED_TOKEN (requires SeCreateTokenPrivilege) -#define TokenElevation 20 // q: TOKEN_ELEVATION // 20 -#define TokenHasRestrictions 21 // q: ULONG -#define TokenAccessInformation 22 // q: TOKEN_ACCESS_INFORMATION -#define TokenVirtualizationAllowed 23 // q; s: ULONG (requires SeCreateTokenPrivilege) -#define TokenVirtualizationEnabled 24 // q; s: ULONG -#define TokenIntegrityLevel 25 // q; s: TOKEN_MANDATORY_LABEL -#define TokenUIAccess 26 // q; s: ULONG (requires SeTcbPrivilege) -#define TokenMandatoryPolicy 27 // q; s: TOKEN_MANDATORY_POLICY (requires SeTcbPrivilege) -#define TokenLogonSid 28 // q: TOKEN_GROUPS -#define TokenIsAppContainer 29 // q: ULONG // since WIN8 -#define TokenCapabilities 30 // q: TOKEN_GROUPS // 30 -// #define TokenAppContainerSid 31 // q: TOKEN_APPCONTAINER_INFORMATION -#define TokenAppContainerNumber 32 // q: ULONG -#define TokenUserClaimAttributes 33 // q: CLAIM_SECURITY_ATTRIBUTES_INFORMATION -#define TokenDeviceClaimAttributes 34 // q: CLAIM_SECURITY_ATTRIBUTES_INFORMATION -#define TokenRestrictedUserClaimAttributes 35 // q: CLAIM_SECURITY_ATTRIBUTES_INFORMATION -#define TokenRestrictedDeviceClaimAttributes 36 // q: CLAIM_SECURITY_ATTRIBUTES_INFORMATION -#define TokenDeviceGroups 37 // q: TOKEN_GROUPS -#define TokenRestrictedDeviceGroups 38 // q: TOKEN_GROUPS -#define TokenSecurityAttributes 39 // q; s: TOKEN_SECURITY_ATTRIBUTES_[AND_OPERATION_]INFORMATION 
(requires SeTcbPrivilege) -#define TokenIsRestricted 40 // q: ULONG // 40 -#define TokenProcessTrustLevel 41 // q: TOKEN_PROCESS_TRUST_LEVEL // since WINBLUE -#define TokenPrivateNameSpace 42 // q; s: ULONG (requires SeTcbPrivilege) // since THRESHOLD -#define TokenSingletonAttributes 43 // q: TOKEN_SECURITY_ATTRIBUTES_INFORMATION // since REDSTONE -#define TokenBnoIsolation 44 // q: TOKEN_BNO_ISOLATION_INFORMATION // since REDSTONE2 -#define TokenChildProcessFlags 45 // s: ULONG (requires SeTcbPrivilege) // since REDSTONE3 -#define TokenIsLessPrivilegedAppContainer 46 // q: ULONG // since REDSTONE5 -#define TokenIsSandboxed 47 // q: ULONG // since 19H1 -#define TokenIsAppSilo 48 // q: ULONG // since 22H2 // previously TokenOriginatingProcessTrustLevel // q: TOKEN_PROCESS_TRUST_LEVEL -#define TokenLoggingInformation 49 // TOKEN_LOGGING_INFORMATION // since 24H2 -#define MaxTokenInfoClass 50 -#endif - - // Types - -#define TOKEN_SECURITY_ATTRIBUTE_TYPE_INVALID 0x00 -#define TOKEN_SECURITY_ATTRIBUTE_TYPE_INT64 0x01 -#define TOKEN_SECURITY_ATTRIBUTE_TYPE_UINT64 0x02 -// Case insensitive attribute value string by default. -// Unless the flag TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE -// is set indicating otherwise. -#define TOKEN_SECURITY_ATTRIBUTE_TYPE_STRING 0x03 -// Fully-qualified binary name. -#define TOKEN_SECURITY_ATTRIBUTE_TYPE_FQBN 0x04 -#define TOKEN_SECURITY_ATTRIBUTE_TYPE_SID 0x05 -#define TOKEN_SECURITY_ATTRIBUTE_TYPE_BOOLEAN 0x06 -#define TOKEN_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING 0x10 - -// Flags - -// Attribute must not be inherited across process spawns. -#define TOKEN_SECURITY_ATTRIBUTE_NON_INHERITABLE 0x0001 -// Attribute value is compared in a case sensitive way. It is valid with string value -// or composite type containing string value. For other types of value, this flag -// will be ignored. Currently, it is valid with the two types: -// TOKEN_SECURITY_ATTRIBUTE_TYPE_STRING and TOKEN_SECURITY_ATTRIBUTE_TYPE_FQBN. 
-#define TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE 0x0002 -#define TOKEN_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY 0x0004 // Attribute is considered only for Deny Aces. -#define TOKEN_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT 0x0008 // Attribute is disabled by default. -#define TOKEN_SECURITY_ATTRIBUTE_DISABLED 0x0010 // Attribute is disabled. -#define TOKEN_SECURITY_ATTRIBUTE_MANDATORY 0x0020 // Attribute is mandatory. -#define TOKEN_SECURITY_ATTRIBUTE_COMPARE_IGNORE 0x0040 // Attribute is ignored. - -#define TOKEN_SECURITY_ATTRIBUTE_VALID_FLAGS ( \ - TOKEN_SECURITY_ATTRIBUTE_NON_INHERITABLE | \ - TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE | \ - TOKEN_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY | \ - TOKEN_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT | \ - TOKEN_SECURITY_ATTRIBUTE_DISABLED | \ - TOKEN_SECURITY_ATTRIBUTE_MANDATORY) - -// Reserve upper 16 bits for custom flags. These should be preserved but not -// validated as they do not affect security in any way. -#define TOKEN_SECURITY_ATTRIBUTE_CUSTOM_FLAGS 0xffff0000 - - // end_rev - - // private // CLAIM_SECURITY_ATTRIBUTE_FQBN_VALUE - typedef struct _TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE - { - ULONG64 Version; - UNICODE_STRING Name; - } TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE; - - // private // CLAIM_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE - typedef struct _TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE - { - PVOID Value; // Pointer is BYTE aligned. 
- ULONG ValueLength; // In bytes - } TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE; - - // private - typedef struct _TOKEN_SECURITY_ATTRIBUTE_V1 - { - UNICODE_STRING Name; - USHORT ValueType; - USHORT Reserved; - ULONG Flags; - ULONG ValueCount; - union - { - PLONG64 Int64; - PULONG64 Uint64; - PUNICODE_STRING String; - PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE Fqbn; - PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE OctetString; - } Values; - } TOKEN_SECURITY_ATTRIBUTE_V1, *PTOKEN_SECURITY_ATTRIBUTE_V1; - - // private - typedef struct _TOKEN_SECURITY_ATTRIBUTE_RELATIVE_V1 - { - UNICODE_STRING Name; - USHORT ValueType; - USHORT Reserved; - ULONG Flags; - ULONG ValueCount; - union - { - ULONG Int64[ANYSIZE_ARRAY]; - ULONG Uint64[ANYSIZE_ARRAY]; - ULONG String[ANYSIZE_ARRAY]; - ULONG Fqbn[ANYSIZE_ARRAY]; - ULONG OctetString[ANYSIZE_ARRAY]; - } Values; - } TOKEN_SECURITY_ATTRIBUTE_RELATIVE_V1, *PTOKEN_SECURITY_ATTRIBUTE_RELATIVE_V1; - -// rev -#define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1 1 -// rev -#define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1 - - // private - typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION - { - USHORT Version; - USHORT Reserved; - ULONG AttributeCount; - union - { - PTOKEN_SECURITY_ATTRIBUTE_V1 AttributeV1; - }; - } TOKEN_SECURITY_ATTRIBUTES_INFORMATION, *PTOKEN_SECURITY_ATTRIBUTES_INFORMATION; - - // private - typedef enum _TOKEN_SECURITY_ATTRIBUTE_OPERATION - { - TOKEN_SECURITY_ATTRIBUTE_OPERATION_NONE, - TOKEN_SECURITY_ATTRIBUTE_OPERATION_REPLACE_ALL, - TOKEN_SECURITY_ATTRIBUTE_OPERATION_ADD, - TOKEN_SECURITY_ATTRIBUTE_OPERATION_DELETE, - TOKEN_SECURITY_ATTRIBUTE_OPERATION_REPLACE - } TOKEN_SECURITY_ATTRIBUTE_OPERATION, - *PTOKEN_SECURITY_ATTRIBUTE_OPERATION; - - // private - typedef struct _TOKEN_SECURITY_ATTRIBUTES_AND_OPERATION_INFORMATION - { - PTOKEN_SECURITY_ATTRIBUTES_INFORMATION Attributes; - PTOKEN_SECURITY_ATTRIBUTE_OPERATION 
Operations; - } TOKEN_SECURITY_ATTRIBUTES_AND_OPERATION_INFORMATION, *PTOKEN_SECURITY_ATTRIBUTES_AND_OPERATION_INFORMATION; - - // rev - typedef struct _TOKEN_PROCESS_TRUST_LEVEL - { - PSID TrustLevelSid; - } TOKEN_PROCESS_TRUST_LEVEL, *PTOKEN_PROCESS_TRUST_LEVEL; - -#if !defined(NTDDI_WIN11_GE) || (NTDDI_VERSION < NTDDI_WIN11_GE) - typedef struct _TOKEN_LOGGING_INFORMATION - { - TOKEN_TYPE TokenType; - TOKEN_ELEVATION TokenElevation; - TOKEN_ELEVATION_TYPE TokenElevationType; - SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; - DWORD IntegrityLevel; - SID_AND_ATTRIBUTES User; - PSID TrustLevelSid; - DWORD SessionId; - DWORD AppContainerNumber; - LUID AuthenticationId; - DWORD GroupCount; - DWORD GroupsLength; - PSID_AND_ATTRIBUTES Groups; - } TOKEN_LOGGING_INFORMATION, *PTOKEN_LOGGING_INFORMATION; -#endif - - // - // Tokens - // - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateToken( - _Out_ PHANDLE TokenHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ TOKEN_TYPE Type, - _In_ PLUID AuthenticationId, - _In_ PLARGE_INTEGER ExpirationTime, - _In_ PTOKEN_USER User, - _In_ PTOKEN_GROUPS Groups, - _In_ PTOKEN_PRIVILEGES Privileges, - _In_opt_ PTOKEN_OWNER Owner, - _In_ PTOKEN_PRIMARY_GROUP PrimaryGroup, - _In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl, - _In_ PTOKEN_SOURCE Source); - -#if (PHNT_VERSION >= PHNT_WIN8) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateLowBoxToken( - _Out_ PHANDLE TokenHandle, - _In_ HANDLE ExistingTokenHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ PSID PackageSid, - _In_ ULONG CapabilityCount, - _In_reads_opt_(CapabilityCount) PSID_AND_ATTRIBUTES Capabilities, - _In_ ULONG HandleCount, - _In_reads_opt_(HandleCount) HANDLE *Handles); -#endif - -#if (PHNT_VERSION >= PHNT_WIN8) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateTokenEx( - _Out_ PHANDLE TokenHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ TOKEN_TYPE 
Type, - _In_ PLUID AuthenticationId, - _In_ PLARGE_INTEGER ExpirationTime, - _In_ PTOKEN_USER User, - _In_ PTOKEN_GROUPS Groups, - _In_ PTOKEN_PRIVILEGES Privileges, - _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION UserAttributes, - _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION DeviceAttributes, - _In_opt_ PTOKEN_GROUPS DeviceGroups, - _In_opt_ PTOKEN_MANDATORY_POLICY MandatoryPolicy, - _In_opt_ PTOKEN_OWNER Owner, - _In_ PTOKEN_PRIMARY_GROUP PrimaryGroup, - _In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl, - _In_ PTOKEN_SOURCE Source); -#endif - - /** - * The NtOpenProcessToken routine opens the access token associated with a process, and returns a handle that can be used to access that token. - * - * @param ProcessHandle Handle to the process whose access token is to be opened. The handle must have PROCESS_QUERY_INFORMATION access. - * @param DesiredAccess ACCESS_MASK structure specifying the requested types of access to the access token. - * @param TokenHandle Pointer to a caller-allocated variable that receives a handle to the newly opened access token. - * @return NTSTATUS Successful or errant status. - * @remarks https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntopenprocesstoken - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtOpenProcessToken( - _In_ HANDLE ProcessHandle, - _In_ ACCESS_MASK DesiredAccess, - _Out_ PHANDLE TokenHandle); - - /** - * The NtOpenProcessTokenEx routine opens the access token associated with a process, and returns a handle that can be used to access that token. - * - * @param ProcessHandle Handle to the process whose access token is to be opened. The handle must have PROCESS_QUERY_INFORMATION access. - * @param DesiredAccess ACCESS_MASK structure specifying the requested types of access to the access token. - * @param HandleAttributes Attributes for the created handle. Only OBJ_KERNEL_HANDLE is currently supported. 
- * @param TokenHandle Pointer to a caller-allocated variable that receives a handle to the newly opened access token. - * @return NTSTATUS Successful or errant status. - * @remarks https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntopenprocesstokenex - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtOpenProcessTokenEx( - _In_ HANDLE ProcessHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ ULONG HandleAttributes, - _Out_ PHANDLE TokenHandle); - - /** - * The NtOpenThreadToken routine opens the access token associated with a thread, and returns a handle that can be used to access that token. - * - * @param ThreadHandle Handle to the thread whose access token is to be opened. The handle must have THREAD_QUERY_INFORMATION access. - * @param DesiredAccess ACCESS_MASK structure specifying the requested types of access to the access token. - * @param OpenAsSelf Boolean value specifying whether the access check is to be made against the security context of the thread calling NtOpenThreadToken or against the security context of the process for the calling thread. - * @param TokenHandle Pointer to a caller-allocated variable that receives a handle to the newly opened access token. - * @return NTSTATUS Successful or errant status. - * @remarks https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntopenthreadtoken - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtOpenThreadToken( - _In_ HANDLE ThreadHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ BOOLEAN OpenAsSelf, - _Out_ PHANDLE TokenHandle); - - /** - * The NtOpenThreadTokenEx routine opens the access token associated with a thread, and returns a handle that can be used to access that token. - * - * @param ThreadHandle Handle to the thread whose access token is to be opened. The handle must have THREAD_QUERY_INFORMATION access. - * @param DesiredAccess ACCESS_MASK structure specifying the requested types of access to the access token. 
- * @param OpenAsSelf Boolean value specifying whether the access check is to be made against the security context of the thread calling NtOpenThreadToken or against the security context of the process for the calling thread. - * @param HandleAttributes Attributes for the created handle. Only OBJ_KERNEL_HANDLE is currently supported. - * @param TokenHandle Pointer to a caller-allocated variable that receives a handle to the newly opened access token. - * @return NTSTATUS Successful or errant status. - * @remarks https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntopenthreadtokenex - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtOpenThreadTokenEx( - _In_ HANDLE ThreadHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ BOOLEAN OpenAsSelf, - _In_ ULONG HandleAttributes, - _Out_ PHANDLE TokenHandle); - - /** - * The NtDuplicateToken function creates a handle to a new access token that duplicates an existing token. - * - * @param ExistingTokenHandle A handle to an existing access token that was opened with the TOKEN_DUPLICATE access right. - * @param DesiredAccess ACCESS_MASK structure specifying the requested types of access to the access token. - * @param ObjectAttributes Pointer to an OBJECT_ATTRIBUTES structure that describes the requested properties for the new token. - * @param EffectiveOnly A Boolean value that indicates whether the entire existing token should be duplicated into the new token or just the effective (currently enabled) part of the token. - * @param Type Specifies the type of token to create either a primary token or an impersonation token. - * @param NewTokenHandle Pointer to a caller-allocated variable that receives a handle to the newly duplicated token. - * @return NTSTATUS Successful or errant status. 
- * @remarks https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntduplicatetoken - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtDuplicateToken( - _In_ HANDLE ExistingTokenHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ BOOLEAN EffectiveOnly, - _In_ TOKEN_TYPE Type, - _Out_ PHANDLE NewTokenHandle); - - /** - * The NtQueryInformationToken routine retrieves a specified type of information about an access token. The calling process must have appropriate access rights to obtain the information. - * - * @param TokenHandle A handle to an existing access token from which information is to be retrieved. If TokenInformationClass is set to TokenSource, the handle must have TOKEN_QUERY_SOURCE access. - * For all other TokenInformationClass values, the handle must have TOKEN_QUERY access. - * @param TokenInformationClass A value from the TOKEN_INFORMATION_CLASS enumerated type identifying the type of information to be retrieved. - * @param TokenInformation Pointer to a caller-allocated buffer that receives the requested information about the token. - * @param TokenInformationLength Length, in bytes, of the caller-allocated TokenInformation buffer. - * @param ReturnLength Pointer to a caller-allocated variable that receives the actual length, in bytes, of the information returned in the TokenInformation buffer. - * @return NTSTATUS Successful or errant status. - * @remarks https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntqueryinformationtoken - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryInformationToken( - _In_ HANDLE TokenHandle, - _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, - _Out_writes_bytes_to_opt_(TokenInformationLength, *ReturnLength) PVOID TokenInformation, - _In_ ULONG TokenInformationLength, - _Out_ PULONG ReturnLength); - - /** - * The NtSetInformationToken routine modifies information in a specified token. 
The calling process must have appropriate access rights to set the information. - * - * @param TokenHandle A handle to an existing access token which information is to be modified. - * @param TokenInformationClass A value from the TOKEN_INFORMATION_CLASS enumerated type identifying the type of information to be modified. - * @param TokenInformation Pointer to a caller-allocated buffer containing the information to be modified in the token. - * @param TokenInformationLength Length, in bytes, of the caller-allocated TokenInformation buffer. - * @return NTSTATUS Successful or errant status. - * @remarks https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntsetinformationtoken - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetInformationToken( - _In_ HANDLE TokenHandle, - _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, - _In_reads_bytes_(TokenInformationLength) PVOID TokenInformation, - _In_ ULONG TokenInformationLength); - - /** - * The NtAdjustPrivilegesToken routine enables or disables privileges in the specified access token. - * - * @param TokenHandle Handle to the token that contains the privileges to be modified. The handle must have TOKEN_ADJUST_PRIVILEGES access. - * @param DisableAllPrivileges Specifies whether the function disables all of the token's privileges. If this value is TRUE, the function disables all privileges and ignores the NewState parameter. - * If it is FALSE, the function modifies privileges based on the information pointed to by the NewState parameter. - * @param NewState A pointer to a TOKEN_PRIVILEGES structure that specifies an array of privileges and their attributes. If DisableAllPrivileges is TRUE, the function ignores this parameter. - * @param BufferLength Specifies the size, in bytes, of the buffer pointed to by the PreviousState parameter. This parameter can be zero if the PreviousState parameter is NULL. 
- * @param PreviousState A pointer to a buffer that the function fills with a TOKEN_PRIVILEGES structure that contains the previous state of any privileges that the function modifies. - * @param ReturnLength A pointer to a variable that receives the required size, in bytes, of the buffer pointed to by the PreviousState parameter. This parameter can be NULL if PreviousState is NULL. - * @return NTSTATUS Successful or errant status. - * @remarks https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-adjusttokenprivileges - */ - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAdjustPrivilegesToken( - _In_ HANDLE TokenHandle, - _In_ BOOLEAN DisableAllPrivileges, - _In_opt_ PTOKEN_PRIVILEGES NewState, - _In_ ULONG BufferLength, - _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_PRIVILEGES PreviousState, - _Out_opt_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAdjustGroupsToken( - _In_ HANDLE TokenHandle, - _In_ BOOLEAN ResetToDefault, - _In_opt_ PTOKEN_GROUPS NewState, - _In_opt_ ULONG BufferLength, - _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_GROUPS PreviousState, - _Out_opt_ PULONG ReturnLength); - -#if (PHNT_VERSION >= PHNT_WIN8) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAdjustTokenClaimsAndDeviceGroups( - _In_ HANDLE TokenHandle, - _In_ BOOLEAN UserResetToDefault, - _In_ BOOLEAN DeviceResetToDefault, - _In_ BOOLEAN DeviceGroupsResetToDefault, - _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewUserState, - _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewDeviceState, - _In_opt_ PTOKEN_GROUPS NewDeviceGroupsState, - _In_ ULONG UserBufferLength, - _Out_writes_bytes_to_opt_(UserBufferLength, *UserReturnLength) PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousUserState, - _In_ ULONG DeviceBufferLength, - _Out_writes_bytes_to_opt_(DeviceBufferLength, *DeviceReturnLength) PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousDeviceState, - _In_ ULONG DeviceGroupsBufferLength, - 
_Out_writes_bytes_to_opt_(DeviceGroupsBufferLength, *DeviceGroupsReturnBufferLength) PTOKEN_GROUPS PreviousDeviceGroups, - _Out_opt_ PULONG UserReturnLength, - _Out_opt_ PULONG DeviceReturnLength, - _Out_opt_ PULONG DeviceGroupsReturnBufferLength); -#endif - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtFilterToken( - _In_ HANDLE ExistingTokenHandle, - _In_ ULONG Flags, - _In_opt_ PTOKEN_GROUPS SidsToDisable, - _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete, - _In_opt_ PTOKEN_GROUPS RestrictedSids, - _Out_ PHANDLE NewTokenHandle); - -#if (PHNT_VERSION >= PHNT_WIN8) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtFilterTokenEx( - _In_ HANDLE ExistingTokenHandle, - _In_ ULONG Flags, - _In_opt_ PTOKEN_GROUPS SidsToDisable, - _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete, - _In_opt_ PTOKEN_GROUPS RestrictedSids, - _In_ ULONG DisableUserClaimsCount, - _In_opt_ PUNICODE_STRING UserClaimsToDisable, - _In_ ULONG DisableDeviceClaimsCount, - _In_opt_ PUNICODE_STRING DeviceClaimsToDisable, - _In_opt_ PTOKEN_GROUPS DeviceGroupsToDisable, - _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedUserAttributes, - _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedDeviceAttributes, - _In_opt_ PTOKEN_GROUPS RestrictedDeviceGroups, - _Out_ PHANDLE NewTokenHandle); -#endif - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCompareTokens( - _In_ HANDLE FirstTokenHandle, - _In_ HANDLE SecondTokenHandle, - _Out_ PBOOLEAN Equal); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtPrivilegeCheck( - _In_ HANDLE ClientToken, - _Inout_ PPRIVILEGE_SET RequiredPrivileges, - _Out_ PBOOLEAN Result); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtImpersonateAnonymousToken( - _In_ HANDLE ThreadHandle); - -#if (PHNT_VERSION >= PHNT_WIN7) - // rev - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQuerySecurityAttributesToken( - _In_ HANDLE TokenHandle, - _In_reads_opt_(NumberOfAttributes) PUNICODE_STRING Attributes, - _In_ ULONG NumberOfAttributes, - _Out_writes_bytes_(Length) PVOID Buffer, // PTOKEN_SECURITY_ATTRIBUTES_INFORMATION - _In_ ULONG 
Length, - _Out_ PULONG ReturnLength); -#endif - - // Access checking - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAccessCheck( - _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, - _In_ HANDLE ClientToken, - _In_ ACCESS_MASK DesiredAccess, - _In_ PGENERIC_MAPPING GenericMapping, - _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet, - _Inout_ PULONG PrivilegeSetLength, - _Out_ PACCESS_MASK GrantedAccess, - _Out_ PNTSTATUS AccessStatus); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAccessCheckByType( - _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, - _In_opt_ PSID PrincipalSelfSid, - _In_ HANDLE ClientToken, - _In_ ACCESS_MASK DesiredAccess, - _In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, - _In_ ULONG ObjectTypeListLength, - _In_ PGENERIC_MAPPING GenericMapping, - _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet, - _Inout_ PULONG PrivilegeSetLength, - _Out_ PACCESS_MASK GrantedAccess, - _Out_ PNTSTATUS AccessStatus); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAccessCheckByTypeResultList( - _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, - _In_opt_ PSID PrincipalSelfSid, - _In_ HANDLE ClientToken, - _In_ ACCESS_MASK DesiredAccess, - _In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, - _In_ ULONG ObjectTypeListLength, - _In_ PGENERIC_MAPPING GenericMapping, - _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet, - _Inout_ PULONG PrivilegeSetLength, - _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess, - _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus); - - // Signing - -#if (PHNT_VERSION >= PHNT_WIN8) - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetCachedSigningLevel( - _In_ ULONG Flags, - _In_ SE_SIGNING_LEVEL InputSigningLevel, - _In_reads_(SourceFileCount) PHANDLE SourceFiles, - _In_ ULONG SourceFileCount, - _In_opt_ HANDLE TargetFile); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtGetCachedSigningLevel( - _In_ HANDLE File, - _Out_ PULONG Flags, - _Out_ PSE_SIGNING_LEVEL SigningLevel, - 
_Out_writes_bytes_to_opt_(*ThumbprintSize, *ThumbprintSize) PUCHAR Thumbprint, - _Inout_opt_ PULONG ThumbprintSize, - _Out_opt_ PULONG ThumbprintAlgorithm); - -#endif - - // rev - typedef struct _SE_FILE_CACHE_CLAIM_INFORMATION - { - ULONG Size; - PVOID Claim; - } SE_FILE_CACHE_CLAIM_INFORMATION, *PSE_FILE_CACHE_CLAIM_INFORMATION; - - // rev - typedef struct _SE_SET_FILE_CACHE_INFORMATION - { - ULONG Size; - UNICODE_STRING CatalogDirectoryPath; - SE_FILE_CACHE_CLAIM_INFORMATION OriginClaimInfo; - } SE_SET_FILE_CACHE_INFORMATION, *PSE_SET_FILE_CACHE_INFORMATION; - -#if (PHNT_VERSION >= PHNT_REDSTONE) - - // rev - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetCachedSigningLevel2( - _In_ ULONG Flags, - _In_ SE_SIGNING_LEVEL InputSigningLevel, - _In_reads_(SourceFileCount) PHANDLE SourceFiles, - _In_ ULONG SourceFileCount, - _In_opt_ HANDLE TargetFile, - _In_opt_ SE_SET_FILE_CACHE_INFORMATION *CacheInformation); - -#endif - -#if (PHNT_VERSION >= PHNT_REDSTONE2) - - // rev - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCompareSigningLevels( - _In_ SE_SIGNING_LEVEL FirstSigningLevel, - _In_ SE_SIGNING_LEVEL SecondSigningLevel); - -#endif - - // Audit alarm - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAccessCheckAndAuditAlarm( - _In_ PUNICODE_STRING SubsystemName, - _In_opt_ PVOID HandleId, - _In_ PUNICODE_STRING ObjectTypeName, - _In_ PUNICODE_STRING ObjectName, - _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, - _In_ ACCESS_MASK DesiredAccess, - _In_ PGENERIC_MAPPING GenericMapping, - _In_ BOOLEAN ObjectCreation, - _Out_ PACCESS_MASK GrantedAccess, - _Out_ PNTSTATUS AccessStatus, - _Out_ PBOOLEAN GenerateOnClose); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAccessCheckByTypeAndAuditAlarm( - _In_ PUNICODE_STRING SubsystemName, - _In_opt_ PVOID HandleId, - _In_ PUNICODE_STRING ObjectTypeName, - _In_ PUNICODE_STRING ObjectName, - _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, - _In_opt_ PSID PrincipalSelfSid, - _In_ ACCESS_MASK DesiredAccess, - _In_ AUDIT_EVENT_TYPE AuditType, - _In_ ULONG Flags, - 
_In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, - _In_ ULONG ObjectTypeListLength, - _In_ PGENERIC_MAPPING GenericMapping, - _In_ BOOLEAN ObjectCreation, - _Out_ PACCESS_MASK GrantedAccess, - _Out_ PNTSTATUS AccessStatus, - _Out_ PBOOLEAN GenerateOnClose); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAccessCheckByTypeResultListAndAuditAlarm( - _In_ PUNICODE_STRING SubsystemName, - _In_opt_ PVOID HandleId, - _In_ PUNICODE_STRING ObjectTypeName, - _In_ PUNICODE_STRING ObjectName, - _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, - _In_opt_ PSID PrincipalSelfSid, - _In_ ACCESS_MASK DesiredAccess, - _In_ AUDIT_EVENT_TYPE AuditType, - _In_ ULONG Flags, - _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, - _In_ ULONG ObjectTypeListLength, - _In_ PGENERIC_MAPPING GenericMapping, - _In_ BOOLEAN ObjectCreation, - _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess, - _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus, - _Out_ PBOOLEAN GenerateOnClose); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAccessCheckByTypeResultListAndAuditAlarmByHandle( - _In_ PUNICODE_STRING SubsystemName, - _In_opt_ PVOID HandleId, - _In_ HANDLE ClientToken, - _In_ PUNICODE_STRING ObjectTypeName, - _In_ PUNICODE_STRING ObjectName, - _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, - _In_opt_ PSID PrincipalSelfSid, - _In_ ACCESS_MASK DesiredAccess, - _In_ AUDIT_EVENT_TYPE AuditType, - _In_ ULONG Flags, - _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, - _In_ ULONG ObjectTypeListLength, - _In_ PGENERIC_MAPPING GenericMapping, - _In_ BOOLEAN ObjectCreation, - _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess, - _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus, - _Out_ PBOOLEAN GenerateOnClose); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtOpenObjectAuditAlarm( - _In_ PUNICODE_STRING SubsystemName, - _In_opt_ PVOID HandleId, - _In_ PUNICODE_STRING ObjectTypeName, - _In_ PUNICODE_STRING ObjectName, - _In_opt_ 
PSECURITY_DESCRIPTOR SecurityDescriptor, - _In_ HANDLE ClientToken, - _In_ ACCESS_MASK DesiredAccess, - _In_ ACCESS_MASK GrantedAccess, - _In_opt_ PPRIVILEGE_SET Privileges, - _In_ BOOLEAN ObjectCreation, - _In_ BOOLEAN AccessGranted, - _Out_ PBOOLEAN GenerateOnClose); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtPrivilegeObjectAuditAlarm( - _In_ PUNICODE_STRING SubsystemName, - _In_opt_ PVOID HandleId, - _In_ HANDLE ClientToken, - _In_ ACCESS_MASK DesiredAccess, - _In_ PPRIVILEGE_SET Privileges, - _In_ BOOLEAN AccessGranted); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCloseObjectAuditAlarm( - _In_ PUNICODE_STRING SubsystemName, - _In_opt_ PVOID HandleId, - _In_ BOOLEAN GenerateOnClose); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtDeleteObjectAuditAlarm( - _In_ PUNICODE_STRING SubsystemName, - _In_opt_ PVOID HandleId, - _In_ BOOLEAN GenerateOnClose); - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtPrivilegedServiceAuditAlarm( - _In_ PUNICODE_STRING SubsystemName, - _In_ PUNICODE_STRING ServiceName, - _In_ HANDLE ClientToken, - _In_ PPRIVILEGE_SET Privileges, - _In_ BOOLEAN AccessGranted); - -#endif - /* - * Transaction Manager support functions - * - * This file is part of System Informer. 
- */ - -#ifndef _NTTMAPI_H -#define _NTTMAPI_H - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateTransactionManager( - _Out_ PHANDLE TmHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ PUNICODE_STRING LogFileName, - _In_opt_ ULONG CreateOptions, - _In_opt_ ULONG CommitStrength); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtOpenTransactionManager( - _Out_ PHANDLE TmHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ PUNICODE_STRING LogFileName, - _In_opt_ LPGUID TmIdentity, - _In_opt_ ULONG OpenOptions); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtRenameTransactionManager( - _In_ PUNICODE_STRING LogFileName, - _In_ LPGUID ExistingTransactionManagerGuid); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtRollforwardTransactionManager( - _In_ HANDLE TransactionManagerHandle, - _In_opt_ PLARGE_INTEGER TmVirtualClock); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtRecoverTransactionManager( - _In_ HANDLE TransactionManagerHandle); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryInformationTransactionManager( - _In_ HANDLE TransactionManagerHandle, - _In_ TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass, - _Out_writes_bytes_(TransactionManagerInformationLength) PVOID TransactionManagerInformation, - _In_ ULONG TransactionManagerInformationLength, - _Out_opt_ PULONG ReturnLength); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetInformationTransactionManager( - _In_opt_ HANDLE TmHandle, - _In_ TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass, - _In_reads_bytes_(TransactionManagerInformationLength) PVOID TransactionManagerInformation, - _In_ ULONG TransactionManagerInformationLength); 
-#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtEnumerateTransactionObject( - _In_opt_ HANDLE RootObjectHandle, - _In_ KTMOBJECT_TYPE QueryType, - _Inout_updates_bytes_(ObjectCursorLength) PKTMOBJECT_CURSOR ObjectCursor, - _In_ ULONG ObjectCursorLength, - _Out_ PULONG ReturnLength); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateTransaction( - _Out_ PHANDLE TransactionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ LPGUID Uow, - _In_opt_ HANDLE TmHandle, - _In_opt_ ULONG CreateOptions, - _In_opt_ ULONG IsolationLevel, - _In_opt_ ULONG IsolationFlags, - _In_opt_ PLARGE_INTEGER Timeout, - _In_opt_ PUNICODE_STRING Description); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtOpenTransaction( - _Out_ PHANDLE TransactionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ LPGUID Uow, - _In_opt_ HANDLE TmHandle); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryInformationTransaction( - _In_ HANDLE TransactionHandle, - _In_ TRANSACTION_INFORMATION_CLASS TransactionInformationClass, - _Out_writes_bytes_(TransactionInformationLength) PVOID TransactionInformation, - _In_ ULONG TransactionInformationLength, - _Out_opt_ PULONG ReturnLength); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetInformationTransaction( - _In_ HANDLE TransactionHandle, - _In_ TRANSACTION_INFORMATION_CLASS TransactionInformationClass, - _In_reads_bytes_(TransactionInformationLength) PVOID TransactionInformation, - _In_ ULONG TransactionInformationLength); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCommitTransaction( - _In_ HANDLE TransactionHandle, - _In_ BOOLEAN Wait); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtRollbackTransaction( - _In_ HANDLE 
TransactionHandle, - _In_ BOOLEAN Wait); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateEnlistment( - _Out_ PHANDLE EnlistmentHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ HANDLE ResourceManagerHandle, - _In_ HANDLE TransactionHandle, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ ULONG CreateOptions, - _In_ NOTIFICATION_MASK NotificationMask, - _In_opt_ PVOID EnlistmentKey); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtOpenEnlistment( - _Out_ PHANDLE EnlistmentHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ HANDLE ResourceManagerHandle, - _In_ LPGUID EnlistmentGuid, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryInformationEnlistment( - _In_ HANDLE EnlistmentHandle, - _In_ ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass, - _Out_writes_bytes_(EnlistmentInformationLength) PVOID EnlistmentInformation, - _In_ ULONG EnlistmentInformationLength, - _Out_opt_ PULONG ReturnLength); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetInformationEnlistment( - _In_opt_ HANDLE EnlistmentHandle, - _In_ ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass, - _In_reads_bytes_(EnlistmentInformationLength) PVOID EnlistmentInformation, - _In_ ULONG EnlistmentInformationLength); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtRecoverEnlistment( - _In_ HANDLE EnlistmentHandle, - _In_opt_ PVOID EnlistmentKey); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtPrePrepareEnlistment( - _In_ HANDLE EnlistmentHandle, - _In_opt_ PLARGE_INTEGER TmVirtualClock); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtPrepareEnlistment( - _In_ HANDLE EnlistmentHandle, - _In_opt_ PLARGE_INTEGER TmVirtualClock); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - 
NTAPI - NtCommitEnlistment( - _In_ HANDLE EnlistmentHandle, - _In_opt_ PLARGE_INTEGER TmVirtualClock); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtRollbackEnlistment( - _In_ HANDLE EnlistmentHandle, - _In_opt_ PLARGE_INTEGER TmVirtualClock); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtPrePrepareComplete( - _In_ HANDLE EnlistmentHandle, - _In_opt_ PLARGE_INTEGER TmVirtualClock); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtPrepareComplete( - _In_ HANDLE EnlistmentHandle, - _In_opt_ PLARGE_INTEGER TmVirtualClock); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCommitComplete( - _In_ HANDLE EnlistmentHandle, - _In_opt_ PLARGE_INTEGER TmVirtualClock); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtReadOnlyEnlistment( - _In_ HANDLE EnlistmentHandle, - _In_opt_ PLARGE_INTEGER TmVirtualClock); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtRollbackComplete( - _In_ HANDLE EnlistmentHandle, - _In_opt_ PLARGE_INTEGER TmVirtualClock); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSinglePhaseReject( - _In_ HANDLE EnlistmentHandle, - _In_opt_ PLARGE_INTEGER TmVirtualClock); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateResourceManager( - _Out_ PHANDLE ResourceManagerHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ HANDLE TmHandle, - _In_ LPGUID RmGuid, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ ULONG CreateOptions, - _In_opt_ PUNICODE_STRING Description); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtOpenResourceManager( - _Out_ PHANDLE ResourceManagerHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ HANDLE TmHandle, - _In_opt_ LPGUID ResourceManagerGuid, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes); -#endif - -#if (PHNT_VERSION >= 
PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtRecoverResourceManager( - _In_ HANDLE ResourceManagerHandle); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtGetNotificationResourceManager( - _In_ HANDLE ResourceManagerHandle, - _Out_ PTRANSACTION_NOTIFICATION TransactionNotification, - _In_ ULONG NotificationLength, - _In_opt_ PLARGE_INTEGER Timeout, - _Out_opt_ PULONG ReturnLength, - _In_ ULONG Asynchronous, - _In_opt_ ULONG_PTR AsynchronousContext); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQueryInformationResourceManager( - _In_ HANDLE ResourceManagerHandle, - _In_ RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass, - _Out_writes_bytes_(ResourceManagerInformationLength) PVOID ResourceManagerInformation, - _In_ ULONG ResourceManagerInformationLength, - _Out_opt_ PULONG ReturnLength); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetInformationResourceManager( - _In_ HANDLE ResourceManagerHandle, - _In_ RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass, - _In_reads_bytes_(ResourceManagerInformationLength) PVOID ResourceManagerInformation, - _In_ ULONG ResourceManagerInformationLength); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtRegisterProtocolAddressInformation( - _In_ HANDLE ResourceManager, - _In_ PCRM_PROTOCOL_ID ProtocolId, - _In_ ULONG ProtocolInformationSize, - _In_ PVOID ProtocolInformation, - _In_opt_ ULONG CreateOptions); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtPropagationComplete( - _In_ HANDLE ResourceManagerHandle, - _In_ ULONG RequestCookie, - _In_ ULONG BufferLength, - _In_ PVOID Buffer); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtPropagationFailed( - _In_ HANDLE ResourceManagerHandle, - _In_ ULONG RequestCookie, - _In_ NTSTATUS PropStatus); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - // 
private - NTSYSCALLAPI - NTSTATUS - NTAPI - NtFreezeTransactions( - _In_ PLARGE_INTEGER FreezeTimeout, - _In_ PLARGE_INTEGER ThawTimeout); -#endif - -#if (PHNT_VERSION >= PHNT_VISTA) - // private - NTSYSCALLAPI - NTSTATUS - NTAPI - NtThawTransactions( - VOID); -#endif - -#endif - /* - * Thread Pool support functions - * - * This file is part of System Informer. - */ - -#ifndef _NTTP_H -#define _NTTP_H - - // Some types are already defined in winnt.h. - - typedef struct _TP_ALPC TP_ALPC, *PTP_ALPC; - - // private - typedef VOID(NTAPI *PTP_ALPC_CALLBACK)( - _Inout_ PTP_CALLBACK_INSTANCE Instance, - _Inout_opt_ PVOID Context, - _In_ PTP_ALPC Alpc); - - // rev - typedef VOID(NTAPI *PTP_ALPC_CALLBACK_EX)( - _Inout_ PTP_CALLBACK_INSTANCE Instance, - _Inout_opt_ PVOID Context, - _In_ PTP_ALPC Alpc, - _In_ PVOID ApcContext); - -#if (PHNT_VERSION >= PHNT_VISTA) - - // winbase:CreateThreadpool - NTSYSAPI - NTSTATUS - NTAPI - TpAllocPool( - _Out_ PTP_POOL *PoolReturn, - _Reserved_ PVOID Reserved); - - // winbase:CloseThreadpool - NTSYSAPI - VOID - NTAPI - TpReleasePool( - _Inout_ PTP_POOL Pool); - - // winbase:SetThreadpoolThreadMaximum - NTSYSAPI - VOID - NTAPI - TpSetPoolMaxThreads( - _Inout_ PTP_POOL Pool, - _In_ ULONG MaxThreads); - - // winbase:SetThreadpoolThreadMinimum - NTSYSAPI - NTSTATUS - NTAPI - TpSetPoolMinThreads( - _Inout_ PTP_POOL Pool, - _In_ ULONG MinThreads); - -#if (PHNT_VERSION >= PHNT_WIN7) - // winbase:QueryThreadpoolStackInformation - NTSYSAPI - NTSTATUS - NTAPI - TpQueryPoolStackInformation( - _In_ PTP_POOL Pool, - _Out_ PTP_POOL_STACK_INFORMATION PoolStackInformation); - - // winbase:SetThreadpoolStackInformation - NTSYSAPI - NTSTATUS - NTAPI - TpSetPoolStackInformation( - _Inout_ PTP_POOL Pool, - _In_ PTP_POOL_STACK_INFORMATION PoolStackInformation); - - // rev - NTSYSAPI - NTSTATUS - NTAPI - TpSetPoolThreadBasePriority( - _Inout_ PTP_POOL Pool, - _In_ ULONG BasePriority); -#endif - - // winbase:CreateThreadpoolCleanupGroup - NTSYSAPI - NTSTATUS - 
NTAPI - TpAllocCleanupGroup( - _Out_ PTP_CLEANUP_GROUP *CleanupGroupReturn); - - // winbase:CloseThreadpoolCleanupGroup - NTSYSAPI - VOID - NTAPI - TpReleaseCleanupGroup( - _Inout_ PTP_CLEANUP_GROUP CleanupGroup); - - // winbase:CloseThreadpoolCleanupGroupMembers - NTSYSAPI - VOID - NTAPI - TpReleaseCleanupGroupMembers( - _Inout_ PTP_CLEANUP_GROUP CleanupGroup, - _In_ LOGICAL CancelPendingCallbacks, - _Inout_opt_ PVOID CleanupParameter); - - // winbase:SetEventWhenCallbackReturns - NTSYSAPI - VOID - NTAPI - TpCallbackSetEventOnCompletion( - _Inout_ PTP_CALLBACK_INSTANCE Instance, - _In_ HANDLE Event); - - // winbase:ReleaseSemaphoreWhenCallbackReturns - NTSYSAPI - VOID - NTAPI - TpCallbackReleaseSemaphoreOnCompletion( - _Inout_ PTP_CALLBACK_INSTANCE Instance, - _In_ HANDLE Semaphore, - _In_ ULONG ReleaseCount); - - // winbase:ReleaseMutexWhenCallbackReturns - NTSYSAPI - VOID - NTAPI - TpCallbackReleaseMutexOnCompletion( - _Inout_ PTP_CALLBACK_INSTANCE Instance, - _In_ HANDLE Mutex); - - // winbase:LeaveCriticalSectionWhenCallbackReturns - NTSYSAPI - VOID - NTAPI - TpCallbackLeaveCriticalSectionOnCompletion( - _Inout_ PTP_CALLBACK_INSTANCE Instance, - _Inout_ PRTL_CRITICAL_SECTION CriticalSection); - - // winbase:FreeLibraryWhenCallbackReturns - NTSYSAPI - VOID - NTAPI - TpCallbackUnloadDllOnCompletion( - _Inout_ PTP_CALLBACK_INSTANCE Instance, - _In_ PVOID DllHandle); - - // winbase:CallbackMayRunLong - NTSYSAPI - NTSTATUS - NTAPI - TpCallbackMayRunLong( - _Inout_ PTP_CALLBACK_INSTANCE Instance); - - // winbase:DisassociateCurrentThreadFromCallback - NTSYSAPI - VOID - NTAPI - TpDisassociateCallback( - _Inout_ PTP_CALLBACK_INSTANCE Instance); - - // winbase:TrySubmitThreadpoolCallback - NTSYSAPI - NTSTATUS - NTAPI - TpSimpleTryPost( - _In_ PTP_SIMPLE_CALLBACK Callback, - _Inout_opt_ PVOID Context, - _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron); - - // winbase:CreateThreadpoolWork - NTSYSAPI - NTSTATUS - NTAPI - TpAllocWork( - _Out_ PTP_WORK *WorkReturn, - _In_ 
PTP_WORK_CALLBACK Callback, - _Inout_opt_ PVOID Context, - _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron); - - // winbase:CloseThreadpoolWork - NTSYSAPI - VOID - NTAPI - TpReleaseWork( - _Inout_ PTP_WORK Work); - - // winbase:SubmitThreadpoolWork - NTSYSAPI - VOID - NTAPI - TpPostWork( - _Inout_ PTP_WORK Work); - - // winbase:WaitForThreadpoolWorkCallbacks - NTSYSAPI - VOID - NTAPI - TpWaitForWork( - _Inout_ PTP_WORK Work, - _In_ LOGICAL CancelPendingCallbacks); - - // winbase:CreateThreadpoolTimer - NTSYSAPI - NTSTATUS - NTAPI - TpAllocTimer( - _Out_ PTP_TIMER *Timer, - _In_ PTP_TIMER_CALLBACK Callback, - _Inout_opt_ PVOID Context, - _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron); - - // winbase:CloseThreadpoolTimer - NTSYSAPI - VOID - NTAPI - TpReleaseTimer( - _Inout_ PTP_TIMER Timer); - - // winbase:SetThreadpoolTimer - NTSYSAPI - VOID - NTAPI - TpSetTimer( - _Inout_ PTP_TIMER Timer, - _In_opt_ PLARGE_INTEGER DueTime, - _In_ ULONG Period, - _In_opt_ ULONG WindowLength); - -#if (PHNT_VERSION >= PHNT_WIN8) - // winbase:SetThreadpoolTimerEx - NTSYSAPI - NTSTATUS - NTAPI - TpSetTimerEx( - _Inout_ PTP_TIMER Timer, - _In_opt_ PLARGE_INTEGER DueTime, - _In_ ULONG Period, - _In_opt_ ULONG WindowLength); -#endif - - // winbase:IsThreadpoolTimerSet - NTSYSAPI - LOGICAL - NTAPI - TpIsTimerSet( - _In_ PTP_TIMER Timer); - - // winbase:WaitForThreadpoolTimerCallbacks - NTSYSAPI - VOID - NTAPI - TpWaitForTimer( - _Inout_ PTP_TIMER Timer, - _In_ LOGICAL CancelPendingCallbacks); - - // winbase:CreateThreadpoolWait - NTSYSAPI - NTSTATUS - NTAPI - TpAllocWait( - _Out_ PTP_WAIT *WaitReturn, - _In_ PTP_WAIT_CALLBACK Callback, - _Inout_opt_ PVOID Context, - _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron); - - // winbase:CloseThreadpoolWait - NTSYSAPI - VOID - NTAPI - TpReleaseWait( - _Inout_ PTP_WAIT Wait); - - // winbase:SetThreadpoolWait - NTSYSAPI - VOID - NTAPI - TpSetWait( - _Inout_ PTP_WAIT Wait, - _In_opt_ HANDLE Handle, - _In_opt_ PLARGE_INTEGER Timeout); - -#if (PHNT_VERSION 
>= PHNT_WIN8) - // winbase:SetThreadpoolWaitEx - NTSYSAPI - NTSTATUS - NTAPI - TpSetWaitEx( - _Inout_ PTP_WAIT Wait, - _In_opt_ HANDLE Handle, - _In_opt_ PLARGE_INTEGER Timeout, - _In_opt_ PVOID Reserved); -#endif - - // winbase:WaitForThreadpoolWaitCallbacks - NTSYSAPI - VOID - NTAPI - TpWaitForWait( - _Inout_ PTP_WAIT Wait, - _In_ LOGICAL CancelPendingCallbacks); - - // private - typedef VOID(NTAPI *PTP_IO_CALLBACK)( - _Inout_ PTP_CALLBACK_INSTANCE Instance, - _Inout_opt_ PVOID Context, - _In_ PVOID ApcContext, - _In_ PIO_STATUS_BLOCK IoSB, - _In_ PTP_IO Io); - - // winbase:CreateThreadpoolIo - NTSYSAPI - NTSTATUS - NTAPI - TpAllocIoCompletion( - _Out_ PTP_IO *IoReturn, - _In_ HANDLE File, - _In_ PTP_IO_CALLBACK Callback, - _Inout_opt_ PVOID Context, - _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron); - - // winbase:CloseThreadpoolIo - NTSYSAPI - VOID - NTAPI - TpReleaseIoCompletion( - _Inout_ PTP_IO Io); - - // winbase:StartThreadpoolIo - NTSYSAPI - VOID - NTAPI - TpStartAsyncIoOperation( - _Inout_ PTP_IO Io); - - // winbase:CancelThreadpoolIo - NTSYSAPI - VOID - NTAPI - TpCancelAsyncIoOperation( - _Inout_ PTP_IO Io); - - // winbase:WaitForThreadpoolIoCallbacks - NTSYSAPI - VOID - NTAPI - TpWaitForIoCompletion( - _Inout_ PTP_IO Io, - _In_ LOGICAL CancelPendingCallbacks); - - // private - NTSYSAPI - NTSTATUS - NTAPI - TpAllocAlpcCompletion( - _Out_ PTP_ALPC *AlpcReturn, - _In_ HANDLE AlpcPort, - _In_ PTP_ALPC_CALLBACK Callback, - _Inout_opt_ PVOID Context, - _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron); - -#if (PHNT_VERSION >= PHNT_WIN7) - // rev - NTSYSAPI - NTSTATUS - NTAPI - TpAllocAlpcCompletionEx( - _Out_ PTP_ALPC *AlpcReturn, - _In_ HANDLE AlpcPort, - _In_ PTP_ALPC_CALLBACK_EX Callback, - _Inout_opt_ PVOID Context, - _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron); -#endif - - // private - NTSYSAPI - VOID - NTAPI - TpReleaseAlpcCompletion( - _Inout_ PTP_ALPC Alpc); - - // private - NTSYSAPI - VOID - NTAPI - TpWaitForAlpcCompletion( - _Inout_ PTP_ALPC Alpc); 
- - // rev - NTSYSAPI - VOID - NTAPI - TpAlpcRegisterCompletionList( - _Inout_ PTP_ALPC Alpc); - - // rev - NTSYSAPI - VOID - NTAPI - TpAlpcUnregisterCompletionList( - _Inout_ PTP_ALPC Alpc); - - // private - typedef enum _TP_TRACE_TYPE - { - TpTraceThreadPriority = 1, - TpTraceThreadAffinity, - MaxTpTraceType - } TP_TRACE_TYPE; - - // private - NTSYSAPI - VOID - NTAPI - TpCaptureCaller( - _In_ TP_TRACE_TYPE Type); - - // private - NTSYSAPI - VOID - NTAPI - TpCheckTerminateWorker( - _In_ HANDLE Thread); - -#endif - -#endif - /* - * Exception support functions - * - * This file is part of System Informer. - */ - -#ifndef _NTXCAPI_H -#define _NTXCAPI_H - - NTSYSAPI - BOOLEAN - NTAPI - RtlDispatchException( - _In_ PEXCEPTION_RECORD ExceptionRecord, - _In_ PCONTEXT ContextRecord); - - _Analysis_noreturn_ - NTSYSAPI - DECLSPEC_NORETURN - VOID - NTAPI - RtlRaiseStatus( - _In_ NTSTATUS Status); - - NTSYSAPI - VOID - NTAPI - RtlRaiseException( - _In_ PEXCEPTION_RECORD ExceptionRecord); - -#if (PHNT_VERSION >= PHNT_20H1) - // rev - NTSYSAPI - VOID - NTAPI - RtlRaiseExceptionForReturnAddressHijack( - VOID); - - // rev - _Analysis_noreturn_ - NTSYSAPI - DECLSPEC_NORETURN - VOID - NTAPI - RtlRaiseNoncontinuableException( - _In_ PEXCEPTION_RECORD ExceptionRecord, - _In_ PCONTEXT ContextRecord); -#endif - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtContinue( - _In_ PCONTEXT ContextRecord, - _In_ BOOLEAN TestAlert); - -#if (PHNT_VERSION >= PHNT_THRESHOLD) - typedef enum _KCONTINUE_TYPE - { - KCONTINUE_UNWIND, - KCONTINUE_RESUME, - KCONTINUE_LONGJUMP, - KCONTINUE_SET, - KCONTINUE_LAST, - } KCONTINUE_TYPE; - - typedef struct _KCONTINUE_ARGUMENT - { - KCONTINUE_TYPE ContinueType; - ULONG ContinueFlags; - ULONGLONG Reserved[2]; - } KCONTINUE_ARGUMENT, *PKCONTINUE_ARGUMENT; - -#define KCONTINUE_FLAG_TEST_ALERT 0x00000001 // wbenny -#define KCONTINUE_FLAG_DELIVER_APC 0x00000002 // wbenny - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtContinueEx( - _In_ PCONTEXT ContextRecord, - _In_ PVOID 
ContinueArgument // PKCONTINUE_ARGUMENT and BOOLEAN are valid - ); - -// FORCEINLINE -// NTSTATUS -// NtContinue( -// _In_ PCONTEXT ContextRecord, -// _In_ BOOLEAN TestAlert -// ) -//{ -// return NtContinueEx(ContextRecord, (PCONTINUE_ARGUMENT)TestAlert); -// } -#endif - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtRaiseException( - _In_ PEXCEPTION_RECORD ExceptionRecord, - _In_ PCONTEXT ContextRecord, - _In_ BOOLEAN FirstChance); - - _Analysis_noreturn_ - NTSYSCALLAPI - DECLSPEC_NORETURN - VOID - NTAPI - RtlAssert( - _In_ PVOID VoidFailedAssertion, - _In_ PVOID VoidFileName, - _In_ ULONG LineNumber, - _In_opt_ PSTR MutableMessage); - -#define RTL_ASSERT(exp) \ - ((!(exp)) ? (RtlAssert((PVOID) #exp, (PVOID)__FILE__, __LINE__, NULL), FALSE) : TRUE) -#define RTL_ASSERTMSG(msg, exp) \ - ((!(exp)) ? (RtlAssert((PVOID) #exp, (PVOID)__FILE__, __LINE__, msg), FALSE) : TRUE) -#define RTL_SOFT_ASSERT(_exp) \ - ((!(_exp)) ? (DbgPrint("%s(%d): Soft assertion failed\n Expression: %s\n", __FILE__, __LINE__, #_exp), FALSE) : TRUE) -#define RTL_SOFT_ASSERTMSG(_msg, _exp) \ - ((!(_exp)) ? (DbgPrint("%s(%d): Soft assertion failed\n Expression: %s\n Message: %s\n", __FILE__, __LINE__, #_exp, (_msg)), FALSE) : TRUE) - -#endif - /* - * Windows on Windows support functions - * - * This file is part of System Informer. 
- */ - -#ifndef _NTWOW64_H -#define _NTWOW64_H - -#define WOW64_SYSTEM_DIRECTORY "SysWOW64" -#define WOW64_SYSTEM_DIRECTORY_U L"SysWOW64" -#define WOW64_X86_TAG " (x86)" -#define WOW64_X86_TAG_U L" (x86)" - - // In USER_SHARED_DATA - typedef enum _WOW64_SHARED_INFORMATION - { - SharedNtdll32LdrInitializeThunk, - SharedNtdll32KiUserExceptionDispatcher, - SharedNtdll32KiUserApcDispatcher, - SharedNtdll32KiUserCallbackDispatcher, - SharedNtdll32ExpInterlockedPopEntrySListFault, - SharedNtdll32ExpInterlockedPopEntrySListResume, - SharedNtdll32ExpInterlockedPopEntrySListEnd, - SharedNtdll32RtlUserThreadStart, - SharedNtdll32pQueryProcessDebugInformationRemote, - SharedNtdll32BaseAddress, - SharedNtdll32LdrSystemDllInitBlock, - Wow64SharedPageEntriesCount - } WOW64_SHARED_INFORMATION; - - // 32-bit definitions - -#define WOW64_POINTER(Type) ULONG - - typedef struct _RTL_BALANCED_NODE32 - { - union - { - WOW64_POINTER(struct _RTL_BALANCED_NODE *) - Children[2]; - struct - { - WOW64_POINTER(struct _RTL_BALANCED_NODE *) - Left; - WOW64_POINTER(struct _RTL_BALANCED_NODE *) - Right; - }; - }; - union - { - WOW64_POINTER(UCHAR) - Red : 1; - WOW64_POINTER(UCHAR) - Balance : 2; - WOW64_POINTER(ULONG_PTR) - ParentValue; - }; - } RTL_BALANCED_NODE32, *PRTL_BALANCED_NODE32; - - typedef struct _RTL_RB_TREE32 - { - WOW64_POINTER(PRTL_BALANCED_NODE) - Root; - WOW64_POINTER(PRTL_BALANCED_NODE) - Min; - } RTL_RB_TREE32, *PRTL_RB_TREE32; - - typedef struct _PEB_LDR_DATA32 - { - ULONG Length; - BOOLEAN Initialized; - WOW64_POINTER(HANDLE) - SsHandle; - LIST_ENTRY32 InLoadOrderModuleList; - LIST_ENTRY32 InMemoryOrderModuleList; - LIST_ENTRY32 InInitializationOrderModuleList; - WOW64_POINTER(PVOID) - EntryInProgress; - BOOLEAN ShutdownInProgress; - WOW64_POINTER(HANDLE) - ShutdownThreadId; - } PEB_LDR_DATA32, *PPEB_LDR_DATA32; - - typedef struct _LDR_SERVICE_TAG_RECORD32 - { - WOW64_POINTER(struct _LDR_SERVICE_TAG_RECORD *) - Next; - ULONG ServiceTag; - } LDR_SERVICE_TAG_RECORD32, 
*PLDR_SERVICE_TAG_RECORD32; - - typedef struct _LDRP_CSLIST32 - { - WOW64_POINTER(PSINGLE_LIST_ENTRY) - Tail; - } LDRP_CSLIST32, *PLDRP_CSLIST32; - - typedef struct _LDR_DDAG_NODE32 - { - LIST_ENTRY32 Modules; - WOW64_POINTER(PLDR_SERVICE_TAG_RECORD) - ServiceTagList; - ULONG LoadCount; - ULONG LoadWhileUnloadingCount; - ULONG LowestLink; - union - { - LDRP_CSLIST32 Dependencies; - SINGLE_LIST_ENTRY32 RemovalLink; - }; - LDRP_CSLIST32 IncomingDependencies; - LDR_DDAG_STATE State; - SINGLE_LIST_ENTRY32 CondenseLink; - ULONG PreorderNumber; - } LDR_DDAG_NODE32, *PLDR_DDAG_NODE32; - -#define LDR_DATA_TABLE_ENTRY_SIZE_WINXP_32 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY32, DdagNode) -#define LDR_DATA_TABLE_ENTRY_SIZE_WIN7_32 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY32, BaseNameHashValue) -#define LDR_DATA_TABLE_ENTRY_SIZE_WIN8_32 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY32, ImplicitPathOptions) -#define LDR_DATA_TABLE_ENTRY_SIZE_WIN10_32 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY32, SigningLevel) -#define LDR_DATA_TABLE_ENTRY_SIZE_WIN11_32 sizeof(LDR_DATA_TABLE_ENTRY32) - - typedef struct _LDR_DATA_TABLE_ENTRY32 - { - LIST_ENTRY32 InLoadOrderLinks; - LIST_ENTRY32 InMemoryOrderLinks; - union - { - LIST_ENTRY32 InInitializationOrderLinks; - LIST_ENTRY32 InProgressLinks; - }; - WOW64_POINTER(PVOID) - DllBase; - WOW64_POINTER(PVOID) - EntryPoint; - ULONG SizeOfImage; - UNICODE_STRING32 FullDllName; - UNICODE_STRING32 BaseDllName; - union - { - UCHAR FlagGroup[4]; - ULONG Flags; - struct - { - ULONG PackagedBinary : 1; - ULONG MarkedForRemoval : 1; - ULONG ImageDll : 1; - ULONG LoadNotificationsSent : 1; - ULONG TelemetryEntryProcessed : 1; - ULONG ProcessStaticImport : 1; - ULONG InLegacyLists : 1; - ULONG InIndexes : 1; - ULONG ShimDll : 1; - ULONG InExceptionTable : 1; - ULONG ReservedFlags1 : 2; - ULONG LoadInProgress : 1; - ULONG LoadConfigProcessed : 1; - ULONG EntryProcessed : 1; - ULONG ProtectDelayLoad : 1; - ULONG ReservedFlags3 : 2; - ULONG DontCallForThreads : 1; - ULONG ProcessAttachCalled : 1; 
- ULONG ProcessAttachFailed : 1; - ULONG CorDeferredValidate : 1; - ULONG CorImage : 1; - ULONG DontRelocate : 1; - ULONG CorILOnly : 1; - ULONG ChpeImage : 1; - ULONG ReservedFlags5 : 2; - ULONG Redirected : 1; - ULONG ReservedFlags6 : 2; - ULONG CompatDatabaseProcessed : 1; - }; - }; - USHORT ObsoleteLoadCount; - USHORT TlsIndex; - LIST_ENTRY32 HashLinks; - ULONG TimeDateStamp; - WOW64_POINTER(struct _ACTIVATION_CONTEXT *) - EntryPointActivationContext; - WOW64_POINTER(PVOID) - Lock; - WOW64_POINTER(PLDR_DDAG_NODE) - DdagNode; - LIST_ENTRY32 NodeModuleLink; - WOW64_POINTER(struct _LDRP_LOAD_CONTEXT *) - LoadContext; - WOW64_POINTER(PVOID) - ParentDllBase; - WOW64_POINTER(PVOID) - SwitchBackContext; - RTL_BALANCED_NODE32 BaseAddressIndexNode; - RTL_BALANCED_NODE32 MappingInfoIndexNode; - WOW64_POINTER(ULONG_PTR) - OriginalBase; - LARGE_INTEGER LoadTime; - ULONG BaseNameHashValue; - LDR_DLL_LOAD_REASON LoadReason; - ULONG ImplicitPathOptions; - ULONG ReferenceCount; - ULONG DependentLoadFlags; - UCHAR SigningLevel; // since REDSTONE2 - ULONG CheckSum; // since 22H1 - WOW64_POINTER(PVOID) - ActivePatchImageBase; - LDR_HOT_PATCH_STATE HotPatchState; - } LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32; - - typedef struct _CURDIR32 - { - UNICODE_STRING32 DosPath; - WOW64_POINTER(HANDLE) - Handle; - } CURDIR32, *PCURDIR32; - - typedef struct _RTL_DRIVE_LETTER_CURDIR32 - { - USHORT Flags; - USHORT Length; - ULONG TimeStamp; - STRING32 DosPath; - } RTL_DRIVE_LETTER_CURDIR32, *PRTL_DRIVE_LETTER_CURDIR32; - - typedef struct _RTL_USER_PROCESS_PARAMETERS32 - { - ULONG MaximumLength; - ULONG Length; - - ULONG Flags; - ULONG DebugFlags; - - WOW64_POINTER(HANDLE) - ConsoleHandle; - ULONG ConsoleFlags; - WOW64_POINTER(HANDLE) - StandardInput; - WOW64_POINTER(HANDLE) - StandardOutput; - WOW64_POINTER(HANDLE) - StandardError; - - CURDIR32 CurrentDirectory; - UNICODE_STRING32 DllPath; - UNICODE_STRING32 ImagePathName; - UNICODE_STRING32 CommandLine; - WOW64_POINTER(PVOID) - 
Environment; - - ULONG StartingX; - ULONG StartingY; - ULONG CountX; - ULONG CountY; - ULONG CountCharsX; - ULONG CountCharsY; - ULONG FillAttribute; - - ULONG WindowFlags; - ULONG ShowWindowFlags; - UNICODE_STRING32 WindowTitle; - UNICODE_STRING32 DesktopInfo; - UNICODE_STRING32 ShellInfo; - UNICODE_STRING32 RuntimeData; - RTL_DRIVE_LETTER_CURDIR32 CurrentDirectories[RTL_MAX_DRIVE_LETTERS]; - - WOW64_POINTER(ULONG_PTR) - EnvironmentSize; - WOW64_POINTER(ULONG_PTR) - EnvironmentVersion; - WOW64_POINTER(PVOID) - PackageDependencyData; - ULONG ProcessGroupId; - ULONG LoaderThreads; - - UNICODE_STRING32 RedirectionDllName; // REDSTONE4 - UNICODE_STRING32 HeapPartitionName; // 19H1 - WOW64_POINTER(ULONGLONG) - DefaultThreadpoolCpuSetMasks; - ULONG DefaultThreadpoolCpuSetMaskCount; - ULONG DefaultThreadpoolThreadMaximum; - } RTL_USER_PROCESS_PARAMETERS32, *PRTL_USER_PROCESS_PARAMETERS32; - - typedef struct _LEAP_SECOND_DATA *PLEAP_SECOND_DATA; - - typedef struct _PEB32 - { - BOOLEAN InheritedAddressSpace; - BOOLEAN ReadImageFileExecOptions; - BOOLEAN BeingDebugged; - union - { - BOOLEAN BitField; - struct - { - BOOLEAN ImageUsesLargePages : 1; - BOOLEAN IsProtectedProcess : 1; - BOOLEAN IsImageDynamicallyRelocated : 1; - BOOLEAN SkipPatchingUser32Forwarders : 1; - BOOLEAN IsPackagedProcess : 1; - BOOLEAN IsAppContainer : 1; - BOOLEAN IsProtectedProcessLight : 1; - BOOLEAN IsLongPathAwareProcess : 1; - }; - }; - WOW64_POINTER(HANDLE) - Mutant; - - WOW64_POINTER(PVOID) - ImageBaseAddress; - WOW64_POINTER(PPEB_LDR_DATA) - Ldr; - WOW64_POINTER(PRTL_USER_PROCESS_PARAMETERS) - ProcessParameters; - WOW64_POINTER(PVOID) - SubSystemData; - WOW64_POINTER(PVOID) - ProcessHeap; - WOW64_POINTER(PRTL_CRITICAL_SECTION) - FastPebLock; - WOW64_POINTER(PVOID) - AtlThunkSListPtr; - WOW64_POINTER(PVOID) - IFEOKey; - union - { - ULONG CrossProcessFlags; - struct - { - ULONG ProcessInJob : 1; - ULONG ProcessInitializing : 1; - ULONG ProcessUsingVEH : 1; - ULONG ProcessUsingVCH : 1; - ULONG 
ProcessUsingFTH : 1; - ULONG ReservedBits0 : 27; - }; - }; - union - { - WOW64_POINTER(PVOID) - KernelCallbackTable; - WOW64_POINTER(PVOID) - UserSharedInfoPtr; - }; - ULONG SystemReserved; - ULONG AtlThunkSListPtr32; - WOW64_POINTER(PVOID) - ApiSetMap; - ULONG TlsExpansionCounter; - WOW64_POINTER(PVOID) - TlsBitmap; - ULONG TlsBitmapBits[2]; - WOW64_POINTER(PVOID) - ReadOnlySharedMemoryBase; - WOW64_POINTER(PVOID) - SharedData; - WOW64_POINTER(PVOID *) - ReadOnlyStaticServerData; - WOW64_POINTER(PVOID) - AnsiCodePageData; - WOW64_POINTER(PVOID) - OemCodePageData; - WOW64_POINTER(PVOID) - UnicodeCaseTableData; - - ULONG NumberOfProcessors; - ULONG NtGlobalFlag; - - LARGE_INTEGER CriticalSectionTimeout; - WOW64_POINTER(SIZE_T) - HeapSegmentReserve; - WOW64_POINTER(SIZE_T) - HeapSegmentCommit; - WOW64_POINTER(SIZE_T) - HeapDeCommitTotalFreeThreshold; - WOW64_POINTER(SIZE_T) - HeapDeCommitFreeBlockThreshold; - - ULONG NumberOfHeaps; - ULONG MaximumNumberOfHeaps; - WOW64_POINTER(PVOID *) - ProcessHeaps; - - WOW64_POINTER(PVOID) - GdiSharedHandleTable; - WOW64_POINTER(PVOID) - ProcessStarterHelper; - ULONG GdiDCAttributeList; - - WOW64_POINTER(PRTL_CRITICAL_SECTION) - LoaderLock; - - ULONG OSMajorVersion; - ULONG OSMinorVersion; - USHORT OSBuildNumber; - USHORT OSCSDVersion; - ULONG OSPlatformId; - ULONG ImageSubsystem; - ULONG ImageSubsystemMajorVersion; - ULONG ImageSubsystemMinorVersion; - WOW64_POINTER(ULONG_PTR) - ActiveProcessAffinityMask; - GDI_HANDLE_BUFFER32 GdiHandleBuffer; - WOW64_POINTER(PVOID) - PostProcessInitRoutine; - - WOW64_POINTER(PVOID) - TlsExpansionBitmap; - ULONG TlsExpansionBitmapBits[32]; - - ULONG SessionId; - - ULARGE_INTEGER AppCompatFlags; - ULARGE_INTEGER AppCompatFlagsUser; - WOW64_POINTER(PVOID) - pShimData; - WOW64_POINTER(PVOID) - AppCompatInfo; - - UNICODE_STRING32 CSDVersion; - - WOW64_POINTER(PACTIVATION_CONTEXT_DATA) - ActivationContextData; - WOW64_POINTER(PVOID) - ProcessAssemblyStorageMap; - 
WOW64_POINTER(PACTIVATION_CONTEXT_DATA) - SystemDefaultActivationContextData; - WOW64_POINTER(PVOID) - SystemAssemblyStorageMap; - - WOW64_POINTER(SIZE_T) - MinimumStackCommit; - - WOW64_POINTER(PVOID) - SparePointers[2]; // 19H1 (previously FlsCallback to FlsHighIndex) - WOW64_POINTER(PVOID) - PatchLoaderData; - WOW64_POINTER(PVOID) - ChpeV2ProcessInfo; // _CHPEV2_PROCESS_INFO - - ULONG AppModelFeatureState; - ULONG SpareUlongs[2]; - - USHORT ActiveCodePage; - USHORT OemCodePage; - USHORT UseCaseMapping; - USHORT UnusedNlsField; - - WOW64_POINTER(PVOID) - WerRegistrationData; - WOW64_POINTER(PVOID) - WerShipAssertPtr; - - union - { - WOW64_POINTER(PVOID) - pContextData; // WIN7 - WOW64_POINTER(PVOID) - pUnused; // WIN10 - WOW64_POINTER(PVOID) - EcCodeBitMap; // WIN11 - }; - - WOW64_POINTER(PVOID) - pImageHeaderHash; - union - { - ULONG TracingFlags; - struct - { - ULONG HeapTracingEnabled : 1; - ULONG CritSecTracingEnabled : 1; - ULONG LibLoaderTracingEnabled : 1; - ULONG SpareTracingBits : 29; - }; - }; - ULONGLONG CsrServerReadOnlySharedMemoryBase; - WOW64_POINTER(PVOID) - TppWorkerpListLock; - LIST_ENTRY32 TppWorkerpList; - WOW64_POINTER(PVOID) - WaitOnAddressHashTable[128]; - WOW64_POINTER(PVOID) - TelemetryCoverageHeader; // REDSTONE3 - ULONG CloudFileFlags; - ULONG CloudFileDiagFlags; // REDSTONE4 - CHAR PlaceholderCompatibilityMode; - CHAR PlaceholderCompatibilityModeReserved[7]; - WOW64_POINTER(PLEAP_SECOND_DATA) - LeapSecondData; // REDSTONE5 - union - { - ULONG LeapSecondFlags; - struct - { - ULONG SixtySecondEnabled : 1; - ULONG Reserved : 31; - }; - }; - ULONG NtGlobalFlag2; - ULONGLONG ExtendedFeatureDisableMask; // since WIN11 - } PEB32, *PPEB32; - - // C_ASSERT(sizeof(PEB32) == 0x460); // REDSTONE3 - // C_ASSERT(sizeof(PEB32) == 0x470); // REDSTONE5 - C_ASSERT(sizeof(PEB32) == 0x488); // WIN11 - - // Note: Use PhGetProcessPeb32 instead. 
(dmex) - // #define WOW64_GET_PEB32(peb64) ((PPEB32)PTR_ADD_OFFSET((peb64), ALIGN_UP_BY(sizeof(PEB), PAGE_SIZE))) - -#define GDI_BATCH_BUFFER_SIZE 310 - - typedef struct _GDI_TEB_BATCH32 - { - ULONG Offset; - WOW64_POINTER(ULONG_PTR) - HDC; - ULONG Buffer[GDI_BATCH_BUFFER_SIZE]; - } GDI_TEB_BATCH32, *PGDI_TEB_BATCH32; - - typedef struct _TEB32 - { - NT_TIB32 NtTib; - - WOW64_POINTER(PVOID) - EnvironmentPointer; - CLIENT_ID32 ClientId; - WOW64_POINTER(PVOID) - ActiveRpcHandle; - WOW64_POINTER(PVOID) - ThreadLocalStoragePointer; - WOW64_POINTER(PPEB) - ProcessEnvironmentBlock; - - ULONG LastErrorValue; - ULONG CountOfOwnedCriticalSections; - WOW64_POINTER(PVOID) - CsrClientThread; - WOW64_POINTER(PVOID) - Win32ThreadInfo; - ULONG User32Reserved[26]; - ULONG UserReserved[5]; - WOW64_POINTER(PVOID) - WOW32Reserved; - LCID CurrentLocale; - ULONG FpSoftwareStatusRegister; - WOW64_POINTER(PVOID) - ReservedForDebuggerInstrumentation[16]; - WOW64_POINTER(PVOID) - SystemReserved1[36]; - UCHAR WorkingOnBehalfTicket[8]; - NTSTATUS ExceptionCode; - - WOW64_POINTER(PVOID) - ActivationContextStackPointer; - WOW64_POINTER(ULONG_PTR) - InstrumentationCallbackSp; - WOW64_POINTER(ULONG_PTR) - InstrumentationCallbackPreviousPc; - WOW64_POINTER(ULONG_PTR) - InstrumentationCallbackPreviousSp; - BOOLEAN InstrumentationCallbackDisabled; - UCHAR SpareBytes[23]; - ULONG TxFsContext; - - GDI_TEB_BATCH32 GdiTebBatch; - CLIENT_ID32 RealClientId; - WOW64_POINTER(HANDLE) - GdiCachedProcessHandle; - ULONG GdiClientPID; - ULONG GdiClientTID; - WOW64_POINTER(PVOID) - GdiThreadLocalInfo; - WOW64_POINTER(ULONG_PTR) - Win32ClientInfo[62]; - WOW64_POINTER(PVOID) - glDispatchTable[233]; - WOW64_POINTER(ULONG_PTR) - glReserved1[29]; - WOW64_POINTER(PVOID) - glReserved2; - WOW64_POINTER(PVOID) - glSectionInfo; - WOW64_POINTER(PVOID) - glSection; - WOW64_POINTER(PVOID) - glTable; - WOW64_POINTER(PVOID) - glCurrentRC; - WOW64_POINTER(PVOID) - glContext; - - NTSTATUS LastStatusValue; - UNICODE_STRING32 
StaticUnicodeString; - WCHAR StaticUnicodeBuffer[261]; - - WOW64_POINTER(PVOID) - DeallocationStack; - WOW64_POINTER(PVOID) - TlsSlots[64]; - LIST_ENTRY32 TlsLinks; - - WOW64_POINTER(PVOID) - Vdm; - WOW64_POINTER(PVOID) - ReservedForNtRpc; - WOW64_POINTER(PVOID) - DbgSsReserved[2]; - - ULONG HardErrorMode; - WOW64_POINTER(PVOID) - Instrumentation[9]; - GUID ActivityId; - - WOW64_POINTER(PVOID) - SubProcessTag; - WOW64_POINTER(PVOID) - PerflibData; - WOW64_POINTER(PVOID) - EtwTraceData; - WOW64_POINTER(PVOID) - WinSockData; - ULONG GdiBatchCount; - - union - { - PROCESSOR_NUMBER CurrentIdealProcessor; - ULONG IdealProcessorValue; - struct - { - UCHAR ReservedPad0; - UCHAR ReservedPad1; - UCHAR ReservedPad2; - UCHAR IdealProcessor; - }; - }; - - ULONG GuaranteedStackBytes; - WOW64_POINTER(PVOID) - ReservedForPerf; - WOW64_POINTER(PVOID) - ReservedForOle; - ULONG WaitingOnLoaderLock; - WOW64_POINTER(PVOID) - SavedPriorityState; - WOW64_POINTER(ULONG_PTR) - ReservedForCodeCoverage; - WOW64_POINTER(PVOID) - ThreadPoolData; - WOW64_POINTER(PVOID *) - TlsExpansionSlots; - - ULONG MuiGeneration; - ULONG IsImpersonating; - WOW64_POINTER(PVOID) - NlsCache; - WOW64_POINTER(PVOID) - pShimData; - USHORT HeapVirtualAffinity; - USHORT LowFragHeapDataSlot; - WOW64_POINTER(HANDLE) - CurrentTransactionHandle; - WOW64_POINTER(PTEB_ACTIVE_FRAME) - ActiveFrame; - WOW64_POINTER(PVOID) - FlsData; - - WOW64_POINTER(PVOID) - PreferredLanguages; - WOW64_POINTER(PVOID) - UserPrefLanguages; - WOW64_POINTER(PVOID) - MergedPrefLanguages; - ULONG MuiImpersonation; - - union - { - USHORT CrossTebFlags; - USHORT SpareCrossTebBits : 16; - }; - union - { - USHORT SameTebFlags; - struct - { - USHORT SafeThunkCall : 1; - USHORT InDebugPrint : 1; - USHORT HasFiberData : 1; - USHORT SkipThreadAttach : 1; - USHORT WerInShipAssertCode : 1; - USHORT RanProcessInit : 1; - USHORT ClonedThread : 1; - USHORT SuppressDebugMsg : 1; - USHORT DisableUserStackWalk : 1; - USHORT RtlExceptionAttached : 1; - USHORT 
InitialThread : 1; - USHORT SessionAware : 1; - USHORT LoadOwner : 1; - USHORT LoaderWorker : 1; - USHORT SpareSameTebBits : 2; - }; - }; - - WOW64_POINTER(PVOID) - TxnScopeEnterCallback; - WOW64_POINTER(PVOID) - TxnScopeExitCallback; - WOW64_POINTER(PVOID) - TxnScopeContext; - ULONG LockCount; - LONG WowTebOffset; - WOW64_POINTER(PVOID) - ResourceRetValue; - WOW64_POINTER(PVOID) - ReservedForWdf; - ULONGLONG ReservedForCrt; - GUID EffectiveContainerId; - } TEB32, *PTEB32; - - C_ASSERT(FIELD_OFFSET(TEB32, ProcessEnvironmentBlock) == 0x030); - C_ASSERT(FIELD_OFFSET(TEB32, ExceptionCode) == 0x1a4); - C_ASSERT(FIELD_OFFSET(TEB32, TxFsContext) == 0x1d0); - C_ASSERT(FIELD_OFFSET(TEB32, glContext) == 0xbf0); - C_ASSERT(FIELD_OFFSET(TEB32, StaticUnicodeBuffer) == 0xc00); - C_ASSERT(FIELD_OFFSET(TEB32, TlsLinks) == 0xf10); - C_ASSERT(FIELD_OFFSET(TEB32, DbgSsReserved) == 0xf20); - C_ASSERT(FIELD_OFFSET(TEB32, ActivityId) == 0xf50); - C_ASSERT(FIELD_OFFSET(TEB32, GdiBatchCount) == 0xf70); - C_ASSERT(FIELD_OFFSET(TEB32, TlsExpansionSlots) == 0xf94); - C_ASSERT(FIELD_OFFSET(TEB32, FlsData) == 0xfb4); - C_ASSERT(FIELD_OFFSET(TEB32, MuiImpersonation) == 0xfc4); - C_ASSERT(FIELD_OFFSET(TEB32, ReservedForCrt) == 0xfe8); - C_ASSERT(FIELD_OFFSET(TEB32, EffectiveContainerId) == 0xff0); - C_ASSERT(sizeof(TEB32) == 0x1000); - - // Conversion - - FORCEINLINE VOID UStr32ToUStr( - _Out_ PUNICODE_STRING Destination, - _In_ PUNICODE_STRING32 Source) - { - Destination->Length = Source->Length; - Destination->MaximumLength = Source->MaximumLength; - Destination->Buffer = (PWCH)UlongToPtr(Source->Buffer); - } - - FORCEINLINE VOID UStrToUStr32( - _Out_ PUNICODE_STRING32 Destination, - _In_ PUNICODE_STRING Source) - { - Destination->Length = Source->Length; - Destination->MaximumLength = Source->MaximumLength; - Destination->Buffer = PtrToUlong(Source->Buffer); - } - -// The Wow64Info structure follows the PEB32/TEB32 structures and is shared between 32-bit and 64-bit modules inside a Wow64 
process. -// from SDK/10.0.10240.0/um/minwin/wow64t.h (dmex) -// -// Page size on x86 NT -// -#define PAGE_SIZE_X86NT 0x1000 -#define PAGE_SHIFT_X86NT 12L -#define WOW64_SPLITS_PER_PAGE (PAGE_SIZE_X86NT / PAGE_SIZE_X86NT) - -// -// Convert the number of native pages to sub x86-pages -// -#define Wow64GetNumberOfX86Pages(NativePages) \ - (NativePages * (PAGE_SIZE_X86NT >> PAGE_SHIFT_X86NT)) - -// -// Macro to round to the nearest page size -// -#define WOW64_ROUND_TO_PAGES(Size) \ - (((ULONG_PTR)(Size) + PAGE_SIZE_X86NT - 1) & ~(PAGE_SIZE_X86NT - 1)) - -// -// Get number of native pages -// -#define WOW64_BYTES_TO_PAGES(Size) \ - (((ULONG)(Size) >> WOW64_ROUND_TO_PAGES) + (((ULONG)(Size) & (PAGE_SIZE_X86NT - 1)) != 0)) - -// -// Get the 32-bit TEB without doing a memory reference. -// -#define WOW64_GET_TEB32(teb64) ((PTEB32)(((ULONG_PTR)(teb64)) + ((ULONG_PTR)WOW64_ROUND_TO_PAGES(sizeof(TEB))))) -#define WOW64_TEB32_POINTER_ADDRESS(teb64) ((PVOID) & (((PTEB)(teb64))->NtTib.ExceptionList)) - - typedef union _WOW64_EXECUTE_OPTIONS - { - ULONG Flags; - struct - { - ULONG StackReserveSize : 8; - ULONG StackCommitSize : 4; - ULONG Deprecated0 : 1; - ULONG DisableWowAssert : 1; - ULONG DisableTurboDispatch : 1; - ULONG Unused : 13; - ULONG Reserved0 : 1; - ULONG Reserved1 : 1; - ULONG Reserved2 : 1; - ULONG Reserved3 : 1; - }; - } WOW64_EXECUTE_OPTIONS, *PWOW64_EXECUTE_OPTIONS; - -#define WOW64_CPUFLAGS_MSFT64 0x00000001 -#define WOW64_CPUFLAGS_SOFTWARE 0x00000002 -#define WOW64_CPUFLAGS_IA64 0x00000004 - - typedef struct _WOW64INFO - { - ULONG NativeSystemPageSize; - ULONG CpuFlags; - WOW64_EXECUTE_OPTIONS Wow64ExecuteFlags; - ULONG InstrumentationCallback; - } WOW64INFO, *PWOW64INFO; - - typedef struct _PEB32_WITH_WOW64INFO - { - PEB32 Peb32; - WOW64INFO Wow64Info; - } PEB32_WITH_WOW64INFO, *PPEB32_WITH_WOW64INFO; - -#if (PHNT_MODE != PHNT_MODE_KERNEL) -#ifdef _M_X64 - - FORCEINLINE - TEB32 * - POINTER_UNSIGNED - Wow64CurrentGuestTeb( - VOID) - { - TEB 
*POINTER_UNSIGNED Teb; - TEB32 *POINTER_UNSIGNED Teb32; - - Teb = NtCurrentTeb(); - - if (Teb->WowTebOffset == 0) - { - // - // Not running under or over WoW, so there is no "guest teb" - // - - return NULL; - } - - if (Teb->WowTebOffset < 0) - { - // - // Was called while running under WoW. The current teb is the guest - // teb. - // - - Teb32 = (PTEB32)Teb; - - RTL_ASSERT(&Teb32->WowTebOffset == &Teb->WowTebOffset); - } - else - { - // - // Called by the WoW Host, so calculate the position of the guest teb - // relative to the current (host) teb. - // - - Teb32 = (PTEB32)RtlOffsetToPointer(Teb, Teb->WowTebOffset); - } - - RTL_ASSERT(Teb32->NtTib.Self == PtrToUlong(Teb32)); - - return Teb32; - } - - FORCEINLINE - VOID * - POINTER_UNSIGNED - Wow64CurrentNativeTeb( - VOID) - { - TEB *POINTER_UNSIGNED Teb; - VOID *POINTER_UNSIGNED HostTeb; - - Teb = NtCurrentTeb(); - - if (Teb->WowTebOffset >= 0) - { - // - // Not running under WoW, so it it either not running on WoW at all, or - // it is the host. Return the current teb as native teb. - // - - HostTeb = (PVOID)Teb; - } - else - { - // - // Called while running under WoW Host, so calculate the position of the - // host teb relative to the current (guest) teb. - // - - HostTeb = (PVOID)RtlOffsetToPointer(Teb, Teb->WowTebOffset); - } - - RTL_ASSERT((((PTEB32)HostTeb)->NtTib.Self == PtrToUlong(HostTeb)) || ((ULONG_PTR)((PTEB)HostTeb)->NtTib.Self == (ULONG_PTR)HostTeb)); - - return HostTeb; - } - -#define NtCurrentTeb32() (Wow64CurrentGuestTeb()) -#define NtCurrentPeb32() ((PPEB32)(UlongToPtr((NtCurrentTeb32()->ProcessEnvironmentBlock)))) - -#define Wow64GetNativeTebField(teb, field) (((ULONG)(teb) == ((PTEB32)(teb))->NtTib.Self) ? 
(((PTEB32)(teb))->##field) : (((PTEB)(teb))->##field)) -#define Wow64SetNativeTebField(teb, field, value) \ - { \ - if ((ULONG)(teb) == ((PTEB32)(teb))->NtTib.Self) \ - { \ - (((PTEB32)(teb))->##field) = (value); \ - } \ - else \ - { \ - (((PTEB)(teb))->##field) = (value); \ - } \ - } - -#endif -#endif - -#endif -#include - /* - * Security Account Manager support functions - * - * This file is part of System Informer. - */ - -#ifndef _NTSAM_H -#define _NTSAM_H - -#define SAM_MAXIMUM_LOOKUP_COUNT (1000) -#define SAM_MAXIMUM_LOOKUP_LENGTH (32000) -#define SAM_MAX_PASSWORD_LENGTH (256) -#define SAM_PASSWORD_ENCRYPTION_SALT_LEN (16) - - typedef PVOID SAM_HANDLE, *PSAM_HANDLE; - typedef ULONG SAM_ENUMERATE_HANDLE, *PSAM_ENUMERATE_HANDLE; - - typedef struct _SAM_RID_ENUMERATION - { - ULONG RelativeId; - UNICODE_STRING Name; - } SAM_RID_ENUMERATION, *PSAM_RID_ENUMERATION; - - typedef struct _SAM_SID_ENUMERATION - { - PSID Sid; - UNICODE_STRING Name; - } SAM_SID_ENUMERATION, *PSAM_SID_ENUMERATION; - - typedef struct _SAM_BYTE_ARRAY - { - ULONG Size; - _Field_size_bytes_(Size) PUCHAR Data; - } SAM_BYTE_ARRAY, *PSAM_BYTE_ARRAY; - - typedef struct _SAM_BYTE_ARRAY_32K - { - ULONG Size; - _Field_size_bytes_(Size) PUCHAR Data; - } SAM_BYTE_ARRAY_32K, *PSAM_BYTE_ARRAY_32K; - - typedef SAM_BYTE_ARRAY_32K SAM_SHELL_OBJECT_PROPERTIES, *PSAM_SHELL_OBJECT_PROPERTIES; - - // Basic - - NTSTATUS - NTAPI - SamFreeMemory( - _In_ PVOID Buffer); - - NTSTATUS - NTAPI - SamCloseHandle( - _In_ SAM_HANDLE SamHandle); - - _Check_return_ - NTSTATUS - NTAPI - SamSetSecurityObject( - _In_ SAM_HANDLE ObjectHandle, - _In_ SECURITY_INFORMATION SecurityInformation, - _In_ PSECURITY_DESCRIPTOR SecurityDescriptor); - - _Check_return_ - NTSTATUS - NTAPI - SamQuerySecurityObject( - _In_ SAM_HANDLE ObjectHandle, - _In_ SECURITY_INFORMATION SecurityInformation, - _Outptr_ PSECURITY_DESCRIPTOR *SecurityDescriptor); - - _Check_return_ - NTSTATUS - NTAPI - SamRidToSid( - _In_ SAM_HANDLE ObjectHandle, - _In_ 
ULONG Rid, - _Outptr_ PSID *Sid); - - // Server - -#define SAM_SERVER_CONNECT 0x0001 -#define SAM_SERVER_SHUTDOWN 0x0002 -#define SAM_SERVER_INITIALIZE 0x0004 -#define SAM_SERVER_CREATE_DOMAIN 0x0008 -#define SAM_SERVER_ENUMERATE_DOMAINS 0x0010 -#define SAM_SERVER_LOOKUP_DOMAIN 0x0020 - -#define SAM_SERVER_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \ - SAM_SERVER_CONNECT | \ - SAM_SERVER_INITIALIZE | \ - SAM_SERVER_CREATE_DOMAIN | \ - SAM_SERVER_SHUTDOWN | \ - SAM_SERVER_ENUMERATE_DOMAINS | \ - SAM_SERVER_LOOKUP_DOMAIN) - -#define SAM_SERVER_READ (STANDARD_RIGHTS_READ | \ - SAM_SERVER_ENUMERATE_DOMAINS) - -#define SAM_SERVER_WRITE (STANDARD_RIGHTS_WRITE | \ - SAM_SERVER_INITIALIZE | \ - SAM_SERVER_CREATE_DOMAIN | \ - SAM_SERVER_SHUTDOWN) - -#define SAM_SERVER_EXECUTE (STANDARD_RIGHTS_EXECUTE | \ - SAM_SERVER_CONNECT | \ - SAM_SERVER_LOOKUP_DOMAIN) - - typedef struct _RPC_AUTH_IDENTITY_HANDLE *PRPC_AUTH_IDENTITY_HANDLE; - - // Functions - - _Check_return_ - NTSTATUS - NTAPI - SamConnect( - _In_opt_ PUNICODE_STRING ServerName, - _Out_ PSAM_HANDLE ServerHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes); - - _Check_return_ - NTSTATUS - NTAPI - SamConnectWithCreds( - _In_ PUNICODE_STRING ServerName, - _Out_ PSAM_HANDLE ServerHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ PRPC_AUTH_IDENTITY_HANDLE Creds, - _In_ PWCHAR Spn, - _Out_ BOOL *pfDstIsW2K); - - _Check_return_ - NTSTATUS - NTAPI - SamShutdownSamServer( - _In_ SAM_HANDLE ServerHandle); - - // Domain - -#define DOMAIN_READ_PASSWORD_PARAMETERS 0x0001 -#define DOMAIN_WRITE_PASSWORD_PARAMS 0x0002 -#define DOMAIN_READ_OTHER_PARAMETERS 0x0004 -#define DOMAIN_WRITE_OTHER_PARAMETERS 0x0008 -#define DOMAIN_CREATE_USER 0x0010 -#define DOMAIN_CREATE_GROUP 0x0020 -#define DOMAIN_CREATE_ALIAS 0x0040 -#define DOMAIN_GET_ALIAS_MEMBERSHIP 0x0080 -#define DOMAIN_LIST_ACCOUNTS 0x0100 -#define DOMAIN_LOOKUP 0x0200 -#define DOMAIN_ADMINISTER_SERVER 0x0400 - 
-#define DOMAIN_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \ - DOMAIN_READ_OTHER_PARAMETERS | \ - DOMAIN_WRITE_OTHER_PARAMETERS | \ - DOMAIN_WRITE_PASSWORD_PARAMS | \ - DOMAIN_CREATE_USER | \ - DOMAIN_CREATE_GROUP | \ - DOMAIN_CREATE_ALIAS | \ - DOMAIN_GET_ALIAS_MEMBERSHIP | \ - DOMAIN_LIST_ACCOUNTS | \ - DOMAIN_READ_PASSWORD_PARAMETERS | \ - DOMAIN_LOOKUP | \ - DOMAIN_ADMINISTER_SERVER) - -#define DOMAIN_READ (STANDARD_RIGHTS_READ | \ - DOMAIN_GET_ALIAS_MEMBERSHIP | \ - DOMAIN_READ_OTHER_PARAMETERS) - -#define DOMAIN_WRITE (STANDARD_RIGHTS_WRITE | \ - DOMAIN_WRITE_OTHER_PARAMETERS | \ - DOMAIN_WRITE_PASSWORD_PARAMS | \ - DOMAIN_CREATE_USER | \ - DOMAIN_CREATE_GROUP | \ - DOMAIN_CREATE_ALIAS | \ - DOMAIN_ADMINISTER_SERVER) - -#define DOMAIN_EXECUTE (STANDARD_RIGHTS_EXECUTE | \ - DOMAIN_READ_PASSWORD_PARAMETERS | \ - DOMAIN_LIST_ACCOUNTS | \ - DOMAIN_LOOKUP) - -#define DOMAIN_PROMOTION_INCREMENT {0x0, 0x10} -#define DOMAIN_PROMOTION_MASK {0x0, 0xfffffff0} - - // SamQueryInformationDomain/SamSetInformationDomain types - - typedef enum _DOMAIN_INFORMATION_CLASS - { - DomainPasswordInformation = 1, // q; s: DOMAIN_PASSWORD_INFORMATION - DomainGeneralInformation, // q: DOMAIN_GENERAL_INFORMATION - DomainLogoffInformation, // q; s: DOMAIN_LOGOFF_INFORMATION - DomainOemInformation, // q; s: DOMAIN_OEM_INFORMATION - DomainNameInformation, // q: DOMAIN_NAME_INFORMATION - DomainReplicationInformation, // q; s: DOMAIN_REPLICATION_INFORMATION - DomainServerRoleInformation, // q; s: DOMAIN_SERVER_ROLE_INFORMATION - DomainModifiedInformation, // q: DOMAIN_MODIFIED_INFORMATION - DomainStateInformation, // q; s: DOMAIN_STATE_INFORMATION - DomainUasInformation, // q; s: DOMAIN_UAS_INFORMATION - DomainGeneralInformation2, // q: DOMAIN_GENERAL_INFORMATION2 - DomainLockoutInformation, // q; s: DOMAIN_LOCKOUT_INFORMATION - DomainModifiedInformation2 // q: DOMAIN_MODIFIED_INFORMATION2 - } DOMAIN_INFORMATION_CLASS; - - typedef enum _DOMAIN_SERVER_ENABLE_STATE - { - DomainServerEnabled = 1, - 
DomainServerDisabled - } DOMAIN_SERVER_ENABLE_STATE, - *PDOMAIN_SERVER_ENABLE_STATE; - - typedef enum _DOMAIN_SERVER_ROLE - { - DomainServerRoleBackup = 2, - DomainServerRolePrimary - } DOMAIN_SERVER_ROLE, - *PDOMAIN_SERVER_ROLE; - -#include - typedef struct _DOMAIN_GENERAL_INFORMATION - { - LARGE_INTEGER ForceLogoff; - UNICODE_STRING OemInformation; - UNICODE_STRING DomainName; - UNICODE_STRING ReplicaSourceNodeName; - LARGE_INTEGER DomainModifiedCount; - DOMAIN_SERVER_ENABLE_STATE DomainServerState; - DOMAIN_SERVER_ROLE DomainServerRole; - BOOLEAN UasCompatibilityRequired; - ULONG UserCount; - ULONG GroupCount; - ULONG AliasCount; - } DOMAIN_GENERAL_INFORMATION, *PDOMAIN_GENERAL_INFORMATION; -#include - -#include - typedef struct _DOMAIN_GENERAL_INFORMATION2 - { - DOMAIN_GENERAL_INFORMATION I1; - LARGE_INTEGER LockoutDuration; // delta time - LARGE_INTEGER LockoutObservationWindow; // delta time - USHORT LockoutThreshold; - } DOMAIN_GENERAL_INFORMATION2, *PDOMAIN_GENERAL_INFORMATION2; -#include - - typedef struct _DOMAIN_UAS_INFORMATION - { - BOOLEAN UasCompatibilityRequired; - } DOMAIN_UAS_INFORMATION; - -#ifndef _DOMAIN_PASSWORD_INFORMATION_DEFINED // defined in ntsecapi.h -#define _DOMAIN_PASSWORD_INFORMATION_DEFINED - - typedef struct _DOMAIN_PASSWORD_INFORMATION - { - USHORT MinPasswordLength; - USHORT PasswordHistoryLength; - ULONG PasswordProperties; - LARGE_INTEGER MaxPasswordAge; - LARGE_INTEGER MinPasswordAge; - } DOMAIN_PASSWORD_INFORMATION, *PDOMAIN_PASSWORD_INFORMATION; - - // PasswordProperties flags - -#define DOMAIN_PASSWORD_COMPLEX 0x00000001L -#define DOMAIN_PASSWORD_NO_ANON_CHANGE 0x00000002L -#define DOMAIN_PASSWORD_NO_CLEAR_CHANGE 0x00000004L -#define DOMAIN_LOCKOUT_ADMINS 0x00000008L -#define DOMAIN_PASSWORD_STORE_CLEARTEXT 0x00000010L -#define DOMAIN_REFUSE_PASSWORD_CHANGE 0x00000020L -#define DOMAIN_NO_LM_OWF_CHANGE 0x00000040L - -#endif - - typedef enum _DOMAIN_PASSWORD_CONSTRUCTION - { - DomainPasswordSimple = 1, - DomainPasswordComplex 
- } DOMAIN_PASSWORD_CONSTRUCTION; - - typedef struct _DOMAIN_LOGOFF_INFORMATION - { - LARGE_INTEGER ForceLogoff; - } DOMAIN_LOGOFF_INFORMATION, *PDOMAIN_LOGOFF_INFORMATION; - - typedef struct _DOMAIN_OEM_INFORMATION - { - UNICODE_STRING OemInformation; - } DOMAIN_OEM_INFORMATION, *PDOMAIN_OEM_INFORMATION; - - typedef struct _DOMAIN_NAME_INFORMATION - { - UNICODE_STRING DomainName; - } DOMAIN_NAME_INFORMATION, *PDOMAIN_NAME_INFORMATION; - - typedef struct _DOMAIN_SERVER_ROLE_INFORMATION - { - DOMAIN_SERVER_ROLE DomainServerRole; - } DOMAIN_SERVER_ROLE_INFORMATION, *PDOMAIN_SERVER_ROLE_INFORMATION; - - typedef struct _DOMAIN_REPLICATION_INFORMATION - { - UNICODE_STRING ReplicaSourceNodeName; - } DOMAIN_REPLICATION_INFORMATION, *PDOMAIN_REPLICATION_INFORMATION; - - typedef struct _DOMAIN_MODIFIED_INFORMATION - { - LARGE_INTEGER DomainModifiedCount; - LARGE_INTEGER CreationTime; - } DOMAIN_MODIFIED_INFORMATION, *PDOMAIN_MODIFIED_INFORMATION; - - typedef struct _DOMAIN_MODIFIED_INFORMATION2 - { - LARGE_INTEGER DomainModifiedCount; - LARGE_INTEGER CreationTime; - LARGE_INTEGER ModifiedCountAtLastPromotion; - } DOMAIN_MODIFIED_INFORMATION2, *PDOMAIN_MODIFIED_INFORMATION2; - - typedef struct _DOMAIN_STATE_INFORMATION - { - DOMAIN_SERVER_ENABLE_STATE DomainServerState; - } DOMAIN_STATE_INFORMATION, *PDOMAIN_STATE_INFORMATION; - - typedef struct _DOMAIN_LOCKOUT_INFORMATION - { - LARGE_INTEGER LockoutDuration; // delta time - LARGE_INTEGER LockoutObservationWindow; // delta time - USHORT LockoutThreshold; // zero means no lockout - } DOMAIN_LOCKOUT_INFORMATION, *PDOMAIN_LOCKOUT_INFORMATION; - - // SamQueryDisplayInformation types - - typedef enum _DOMAIN_DISPLAY_INFORMATION - { - DomainDisplayUser = 1, // DOMAIN_DISPLAY_USER - DomainDisplayMachine, // DOMAIN_DISPLAY_MACHINE - DomainDisplayGroup, // DOMAIN_DISPLAY_GROUP - DomainDisplayOemUser, // DOMAIN_DISPLAY_OEM_USER - DomainDisplayOemGroup, // DOMAIN_DISPLAY_OEM_GROUP - DomainDisplayServer - } DOMAIN_DISPLAY_INFORMATION, - 
*PDOMAIN_DISPLAY_INFORMATION; - - typedef struct _DOMAIN_DISPLAY_USER - { - ULONG Index; - ULONG Rid; - ULONG AccountControl; - UNICODE_STRING LogonName; - UNICODE_STRING AdminComment; - UNICODE_STRING FullName; - } DOMAIN_DISPLAY_USER, *PDOMAIN_DISPLAY_USER; - - typedef struct _DOMAIN_DISPLAY_MACHINE - { - ULONG Index; - ULONG Rid; - ULONG AccountControl; - UNICODE_STRING Machine; - UNICODE_STRING Comment; - } DOMAIN_DISPLAY_MACHINE, *PDOMAIN_DISPLAY_MACHINE; - - typedef struct _DOMAIN_DISPLAY_GROUP - { - ULONG Index; - ULONG Rid; - ULONG Attributes; - UNICODE_STRING Group; - UNICODE_STRING Comment; - } DOMAIN_DISPLAY_GROUP, *PDOMAIN_DISPLAY_GROUP; - - typedef struct _DOMAIN_DISPLAY_OEM_USER - { - ULONG Index; - OEM_STRING User; - } DOMAIN_DISPLAY_OEM_USER, *PDOMAIN_DISPLAY_OEM_USER; - - typedef struct _DOMAIN_DISPLAY_OEM_GROUP - { - ULONG Index; - OEM_STRING Group; - } DOMAIN_DISPLAY_OEM_GROUP, *PDOMAIN_DISPLAY_OEM_GROUP; - - // SamQueryLocalizableAccountsInDomain types - - typedef enum _DOMAIN_LOCALIZABLE_ACCOUNTS_INFORMATION - { - DomainLocalizableAccountsBasic = 1, - } DOMAIN_LOCALIZABLE_ACCOUNTS_INFORMATION, - *PDOMAIN_LOCALIZABLE_ACCOUNTS_INFORMATION; - - typedef struct _DOMAIN_LOCALIZABLE_ACCOUNTS_ENTRY - { - ULONG Rid; - SID_NAME_USE Use; - UNICODE_STRING Name; - UNICODE_STRING AdminComment; - } DOMAIN_LOCALIZABLE_ACCOUNT_ENTRY, *PDOMAIN_LOCALIZABLE_ACCOUNT_ENTRY; - - typedef struct _DOMAIN_LOCALIZABLE_ACCOUNTS - { - ULONG Count; - _Field_size_(Count) DOMAIN_LOCALIZABLE_ACCOUNT_ENTRY *Entries; - } DOMAIN_LOCALIZABLE_ACCOUNTS_BASIC, *PDOMAIN_LOCALIZABLE_ACCOUNTS_BASIC; - - typedef union _DOMAIN_LOCALIZABLE_INFO_BUFFER - { - DOMAIN_LOCALIZABLE_ACCOUNTS_BASIC Basic; - } DOMAIN_LOCALIZABLE_ACCOUNTS_INFO_BUFFER, *PDOMAIN_LOCALIZABLE_ACCOUNTS_INFO_BUFFER; - - // Functions - - _Check_return_ - NTSTATUS - NTAPI - SamLookupDomainInSamServer( - _In_ SAM_HANDLE ServerHandle, - _In_ PUNICODE_STRING Name, - _Outptr_ PSID *DomainId); - - _Check_return_ - NTSTATUS - 
NTAPI - SamEnumerateDomainsInSamServer( - _In_ SAM_HANDLE ServerHandle, - _Inout_ PSAM_ENUMERATE_HANDLE EnumerationContext, - _Outptr_ PVOID *Buffer, // PSAM_SID_ENUMERATION *Buffer - _In_ ULONG PreferedMaximumLength, - _Out_ PULONG CountReturned); - - _Check_return_ - NTSTATUS - NTAPI - SamOpenDomain( - _In_ SAM_HANDLE ServerHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ PSID DomainId, - _Out_ PSAM_HANDLE DomainHandle); - - _Check_return_ - NTSTATUS - NTAPI - SamQueryInformationDomain( - _In_ SAM_HANDLE DomainHandle, - _In_ DOMAIN_INFORMATION_CLASS DomainInformationClass, - _Outptr_ PVOID *Buffer); - - _Check_return_ - NTSTATUS - NTAPI - SamSetInformationDomain( - _In_ SAM_HANDLE DomainHandle, - _In_ DOMAIN_INFORMATION_CLASS DomainInformationClass, - _In_ PVOID DomainInformation); - - _Check_return_ - NTSTATUS - NTAPI - SamLookupNamesInDomain( - _In_ SAM_HANDLE DomainHandle, - _In_ ULONG Count, - _In_reads_(Count) PUNICODE_STRING Names, - _Out_ _Deref_post_count_(Count) PULONG *RelativeIds, - _Out_ _Deref_post_count_(Count) PSID_NAME_USE *Use); - - _Check_return_ - NTSTATUS - NTAPI - SamLookupNamesInDomain2( - _In_ SAM_HANDLE DomainHandle, - _In_ ULONG Count, - _In_reads_(Count) PUNICODE_STRING Names, - _Out_ _Deref_post_count_(Count) PSID *Sids, - _Out_ _Deref_post_count_(Count) PSID_NAME_USE *Use); - - _Check_return_ - NTSTATUS - NTAPI - SamLookupIdsInDomain( - _In_ SAM_HANDLE DomainHandle, - _In_ ULONG Count, - _In_reads_(Count) PULONG RelativeIds, - _Out_ _Deref_post_count_(Count) PUNICODE_STRING *Names, - _Out_ _Deref_post_opt_count_(Count) PSID_NAME_USE *Use); - - _Check_return_ - NTSTATUS - NTAPI - SamRemoveMemberFromForeignDomain( - _In_ SAM_HANDLE DomainHandle, - _In_ PSID MemberId); - - _Check_return_ - NTSTATUS - NTAPI - SamQueryLocalizableAccountsInDomain( - _In_ SAM_HANDLE Domain, - _In_ ULONG Flags, - _In_ ULONG LanguageId, - _In_ DOMAIN_LOCALIZABLE_ACCOUNTS_INFORMATION Class, - _Outptr_ PVOID *Buffer); - - // Group - -#define 
GROUP_READ_INFORMATION 0x0001 -#define GROUP_WRITE_ACCOUNT 0x0002 -#define GROUP_ADD_MEMBER 0x0004 -#define GROUP_REMOVE_MEMBER 0x0008 -#define GROUP_LIST_MEMBERS 0x0010 - -#define GROUP_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \ - GROUP_LIST_MEMBERS | \ - GROUP_WRITE_ACCOUNT | \ - GROUP_ADD_MEMBER | \ - GROUP_REMOVE_MEMBER | \ - GROUP_READ_INFORMATION) - -#define GROUP_READ (STANDARD_RIGHTS_READ | \ - GROUP_LIST_MEMBERS) - -#define GROUP_WRITE (STANDARD_RIGHTS_WRITE | \ - GROUP_WRITE_ACCOUNT | \ - GROUP_ADD_MEMBER | \ - GROUP_REMOVE_MEMBER) - -#define GROUP_EXECUTE (STANDARD_RIGHTS_EXECUTE | \ - GROUP_READ_INFORMATION) - - typedef struct _GROUP_MEMBERSHIP - { - ULONG RelativeId; - ULONG Attributes; - } GROUP_MEMBERSHIP, *PGROUP_MEMBERSHIP; - - // SamQueryInformationGroup/SamSetInformationGroup types - - typedef enum _GROUP_INFORMATION_CLASS - { - GroupGeneralInformation = 1, // q: GROUP_GENERAL_INFORMATION - GroupNameInformation, // q; s: GROUP_NAME_INFORMATION - GroupAttributeInformation, // q; s: GROUP_ATTRIBUTE_INFORMATION - GroupAdminCommentInformation, // q; s: GROUP_ADM_COMMENT_INFORMATION - GroupReplicationInformation - } GROUP_INFORMATION_CLASS; - - typedef struct _GROUP_GENERAL_INFORMATION - { - UNICODE_STRING Name; - ULONG Attributes; - ULONG MemberCount; - UNICODE_STRING AdminComment; - } GROUP_GENERAL_INFORMATION, *PGROUP_GENERAL_INFORMATION; - - typedef struct _GROUP_NAME_INFORMATION - { - UNICODE_STRING Name; - } GROUP_NAME_INFORMATION, *PGROUP_NAME_INFORMATION; - - typedef struct _GROUP_ATTRIBUTE_INFORMATION - { - ULONG Attributes; - } GROUP_ATTRIBUTE_INFORMATION, *PGROUP_ATTRIBUTE_INFORMATION; - - typedef struct _GROUP_ADM_COMMENT_INFORMATION - { - UNICODE_STRING AdminComment; - } GROUP_ADM_COMMENT_INFORMATION, *PGROUP_ADM_COMMENT_INFORMATION; - - // Functions - - _Check_return_ - NTSTATUS - NTAPI - SamEnumerateGroupsInDomain( - _In_ SAM_HANDLE DomainHandle, - _Inout_ PSAM_ENUMERATE_HANDLE EnumerationContext, - _Outptr_ PVOID *Buffer, // 
PSAM_RID_ENUMERATION * - _In_ ULONG PreferedMaximumLength, - _Out_ PULONG CountReturned); - - _Check_return_ - NTSTATUS - NTAPI - SamCreateGroupInDomain( - _In_ SAM_HANDLE DomainHandle, - _In_ PUNICODE_STRING AccountName, - _In_ ACCESS_MASK DesiredAccess, - _Out_ PSAM_HANDLE GroupHandle, - _Out_ PULONG RelativeId); - - _Check_return_ - NTSTATUS - NTAPI - SamOpenGroup( - _In_ SAM_HANDLE DomainHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ ULONG GroupId, - _Out_ PSAM_HANDLE GroupHandle); - - _Check_return_ - NTSTATUS - NTAPI - SamDeleteGroup( - _In_ SAM_HANDLE GroupHandle); - - _Check_return_ - NTSTATUS - NTAPI - SamQueryInformationGroup( - _In_ SAM_HANDLE GroupHandle, - _In_ GROUP_INFORMATION_CLASS GroupInformationClass, - _Outptr_ PVOID *Buffer); - - _Check_return_ - NTSTATUS - NTAPI - SamSetInformationGroup( - _In_ SAM_HANDLE GroupHandle, - _In_ GROUP_INFORMATION_CLASS GroupInformationClass, - _In_ PVOID Buffer); - - _Check_return_ - NTSTATUS - NTAPI - SamAddMemberToGroup( - _In_ SAM_HANDLE GroupHandle, - _In_ ULONG MemberId, - _In_ ULONG Attributes); - - _Check_return_ - NTSTATUS - NTAPI - SamRemoveMemberFromGroup( - _In_ SAM_HANDLE GroupHandle, - _In_ ULONG MemberId); - - _Check_return_ - NTSTATUS - NTAPI - SamGetMembersInGroup( - _In_ SAM_HANDLE GroupHandle, - _Out_ _Deref_post_count_(*MemberCount) PULONG *MemberIds, - _Out_ _Deref_post_count_(*MemberCount) PULONG *Attributes, - _Out_ PULONG MemberCount); - - _Check_return_ - NTSTATUS - NTAPI - SamSetMemberAttributesOfGroup( - _In_ SAM_HANDLE GroupHandle, - _In_ ULONG MemberId, - _In_ ULONG Attributes); - - // Alias - -#define ALIAS_ADD_MEMBER 0x0001 -#define ALIAS_REMOVE_MEMBER 0x0002 -#define ALIAS_LIST_MEMBERS 0x0004 -#define ALIAS_READ_INFORMATION 0x0008 -#define ALIAS_WRITE_ACCOUNT 0x0010 - -#define ALIAS_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \ - ALIAS_READ_INFORMATION | \ - ALIAS_WRITE_ACCOUNT | \ - ALIAS_LIST_MEMBERS | \ - ALIAS_ADD_MEMBER | \ - ALIAS_REMOVE_MEMBER) - -#define ALIAS_READ 
(STANDARD_RIGHTS_READ | \ - ALIAS_LIST_MEMBERS) - -#define ALIAS_WRITE (STANDARD_RIGHTS_WRITE | \ - ALIAS_WRITE_ACCOUNT | \ - ALIAS_ADD_MEMBER | \ - ALIAS_REMOVE_MEMBER) - -#define ALIAS_EXECUTE (STANDARD_RIGHTS_EXECUTE | \ - ALIAS_READ_INFORMATION) - - // SamQueryInformationAlias/SamSetInformationAlias types - - typedef enum _ALIAS_INFORMATION_CLASS - { - AliasGeneralInformation = 1, // q: ALIAS_GENERAL_INFORMATION - AliasNameInformation, // q; s: ALIAS_NAME_INFORMATION - AliasAdminCommentInformation, // q; s: ALIAS_ADM_COMMENT_INFORMATION - AliasReplicationInformation, - AliasExtendedInformation, - } ALIAS_INFORMATION_CLASS; - - typedef struct _ALIAS_GENERAL_INFORMATION - { - UNICODE_STRING Name; - ULONG MemberCount; - UNICODE_STRING AdminComment; - } ALIAS_GENERAL_INFORMATION, *PALIAS_GENERAL_INFORMATION; - - typedef struct _ALIAS_NAME_INFORMATION - { - UNICODE_STRING Name; - } ALIAS_NAME_INFORMATION, *PALIAS_NAME_INFORMATION; - - typedef struct _ALIAS_ADM_COMMENT_INFORMATION - { - UNICODE_STRING AdminComment; - } ALIAS_ADM_COMMENT_INFORMATION, *PALIAS_ADM_COMMENT_INFORMATION; - -#define ALIAS_ALL_NAME (0x00000001L) -#define ALIAS_ALL_MEMBER_COUNT (0x00000002L) -#define ALIAS_ALL_ADMIN_COMMENT (0x00000004L) -#define ALIAS_ALL_SHELL_ADMIN_OBJECT_PROPERTIES (0x00000008L) - - typedef struct _ALIAS_EXTENDED_INFORMATION - { - ULONG WhichFields; - SAM_SHELL_OBJECT_PROPERTIES ShellAdminObjectProperties; - } ALIAS_EXTENDED_INFORMATION, *PALIAS_EXTENDED_INFORMATION; - - // Functions - - _Check_return_ - NTSTATUS - NTAPI - SamEnumerateAliasesInDomain( - _In_ SAM_HANDLE DomainHandle, - _Inout_ PSAM_ENUMERATE_HANDLE EnumerationContext, - _Outptr_ PVOID *Buffer, // PSAM_RID_ENUMERATION *Buffer - _In_ ULONG PreferedMaximumLength, - _Out_ PULONG CountReturned); - - _Check_return_ - NTSTATUS - NTAPI - SamCreateAliasInDomain( - _In_ SAM_HANDLE DomainHandle, - _In_ PUNICODE_STRING AccountName, - _In_ ACCESS_MASK DesiredAccess, - _Out_ PSAM_HANDLE AliasHandle, - _Out_ PULONG 
RelativeId); - - _Check_return_ - NTSTATUS - NTAPI - SamOpenAlias( - _In_ SAM_HANDLE DomainHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ ULONG AliasId, - _Out_ PSAM_HANDLE AliasHandle); - - _Check_return_ - NTSTATUS - NTAPI - SamDeleteAlias( - _In_ SAM_HANDLE AliasHandle); - - _Check_return_ - NTSTATUS - NTAPI - SamQueryInformationAlias( - _In_ SAM_HANDLE AliasHandle, - _In_ ALIAS_INFORMATION_CLASS AliasInformationClass, - _Outptr_ PVOID *Buffer); - - _Check_return_ - NTSTATUS - NTAPI - SamSetInformationAlias( - _In_ SAM_HANDLE AliasHandle, - _In_ ALIAS_INFORMATION_CLASS AliasInformationClass, - _In_ PVOID Buffer); - - _Check_return_ - NTSTATUS - NTAPI - SamAddMemberToAlias( - _In_ SAM_HANDLE AliasHandle, - _In_ PSID MemberId); - - _Check_return_ - NTSTATUS - NTAPI - SamAddMultipleMembersToAlias( - _In_ SAM_HANDLE AliasHandle, - _In_reads_(MemberCount) PSID *MemberIds, - _In_ ULONG MemberCount); - - _Check_return_ - NTSTATUS - NTAPI - SamRemoveMemberFromAlias( - _In_ SAM_HANDLE AliasHandle, - _In_ PSID MemberId); - - _Check_return_ - NTSTATUS - NTAPI - SamRemoveMultipleMembersFromAlias( - _In_ SAM_HANDLE AliasHandle, - _In_reads_(MemberCount) PSID *MemberIds, - _In_ ULONG MemberCount); - - _Check_return_ - NTSTATUS - NTAPI - SamGetMembersInAlias( - _In_ SAM_HANDLE AliasHandle, - _Out_ _Deref_post_count_(*MemberCount) PSID **MemberIds, - _Out_ PULONG MemberCount); - - _Check_return_ - NTSTATUS - NTAPI - SamGetAliasMembership( - _In_ SAM_HANDLE DomainHandle, - _In_ ULONG PassedCount, - _In_reads_(PassedCount) PSID *Sids, - _Out_ PULONG MembershipCount, - _Out_ _Deref_post_count_(*MembershipCount) PULONG *Aliases); - - // Group types - -#define GROUP_TYPE_BUILTIN_LOCAL_GROUP 0x00000001 -#define GROUP_TYPE_ACCOUNT_GROUP 0x00000002 -#define GROUP_TYPE_RESOURCE_GROUP 0x00000004 -#define GROUP_TYPE_UNIVERSAL_GROUP 0x00000008 -#define GROUP_TYPE_APP_BASIC_GROUP 0x00000010 -#define GROUP_TYPE_APP_QUERY_GROUP 0x00000020 -#define GROUP_TYPE_SECURITY_ENABLED 0x80000000 - 
-#define GROUP_TYPE_RESOURCE_BEHAVOIR (GROUP_TYPE_RESOURCE_GROUP | \ - GROUP_TYPE_APP_BASIC_GROUP | \ - GROUP_TYPE_APP_QUERY_GROUP) - - // User - -#define USER_READ_GENERAL 0x0001 -#define USER_READ_PREFERENCES 0x0002 -#define USER_WRITE_PREFERENCES 0x0004 -#define USER_READ_LOGON 0x0008 -#define USER_READ_ACCOUNT 0x0010 -#define USER_WRITE_ACCOUNT 0x0020 -#define USER_CHANGE_PASSWORD 0x0040 -#define USER_FORCE_PASSWORD_CHANGE 0x0080 -#define USER_LIST_GROUPS 0x0100 -#define USER_READ_GROUP_INFORMATION 0x0200 -#define USER_WRITE_GROUP_INFORMATION 0x0400 - -#define USER_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \ - USER_READ_PREFERENCES | \ - USER_READ_LOGON | \ - USER_LIST_GROUPS | \ - USER_READ_GROUP_INFORMATION | \ - USER_WRITE_PREFERENCES | \ - USER_CHANGE_PASSWORD | \ - USER_FORCE_PASSWORD_CHANGE | \ - USER_READ_GENERAL | \ - USER_READ_ACCOUNT | \ - USER_WRITE_ACCOUNT | \ - USER_WRITE_GROUP_INFORMATION) - -#define USER_READ (STANDARD_RIGHTS_READ | \ - USER_READ_PREFERENCES | \ - USER_READ_LOGON | \ - USER_READ_ACCOUNT | \ - USER_LIST_GROUPS | \ - USER_READ_GROUP_INFORMATION) - -#define USER_WRITE (STANDARD_RIGHTS_WRITE | \ - USER_WRITE_PREFERENCES | \ - USER_CHANGE_PASSWORD) - -#define USER_EXECUTE (STANDARD_RIGHTS_EXECUTE | \ - USER_READ_GENERAL | \ - USER_CHANGE_PASSWORD) - - // User account control flags - -#define USER_ACCOUNT_DISABLED (0x00000001) -#define USER_HOME_DIRECTORY_REQUIRED (0x00000002) -#define USER_PASSWORD_NOT_REQUIRED (0x00000004) -#define USER_TEMP_DUPLICATE_ACCOUNT (0x00000008) -#define USER_NORMAL_ACCOUNT (0x00000010) -#define USER_MNS_LOGON_ACCOUNT (0x00000020) -#define USER_INTERDOMAIN_TRUST_ACCOUNT (0x00000040) -#define USER_WORKSTATION_TRUST_ACCOUNT (0x00000080) -#define USER_SERVER_TRUST_ACCOUNT (0x00000100) -#define USER_DONT_EXPIRE_PASSWORD (0x00000200) -#define USER_ACCOUNT_AUTO_LOCKED (0x00000400) -#define USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED (0x00000800) -#define USER_SMARTCARD_REQUIRED (0x00001000) -#define 
USER_TRUSTED_FOR_DELEGATION (0x00002000) -#define USER_NOT_DELEGATED (0x00004000) -#define USER_USE_DES_KEY_ONLY (0x00008000) -#define USER_DONT_REQUIRE_PREAUTH (0x00010000) -#define USER_PASSWORD_EXPIRED (0x00020000) -#define USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (0x00040000) -#define USER_NO_AUTH_DATA_REQUIRED (0x00080000) -#define USER_PARTIAL_SECRETS_ACCOUNT (0x00100000) -#define USER_USE_AES_KEYS (0x00200000) - -#define NEXT_FREE_ACCOUNT_CONTROL_BIT (USER_USE_AES_KEYS << 1) - -#define USER_MACHINE_ACCOUNT_MASK ( \ - USER_INTERDOMAIN_TRUST_ACCOUNT | \ - USER_WORKSTATION_TRUST_ACCOUNT | \ - USER_SERVER_TRUST_ACCOUNT) - -#define USER_ACCOUNT_TYPE_MASK ( \ - USER_TEMP_DUPLICATE_ACCOUNT | \ - USER_NORMAL_ACCOUNT | \ - USER_MACHINE_ACCOUNT_MASK) - -#define USER_COMPUTED_ACCOUNT_CONTROL_BITS ( \ - USER_ACCOUNT_AUTO_LOCKED | \ - USER_PASSWORD_EXPIRED) - - // Logon times may be expressed in day, hour, or minute granularity. - -#define SAM_DAYS_PER_WEEK (7) -#define SAM_HOURS_PER_WEEK (24 * SAM_DAYS_PER_WEEK) -#define SAM_MINUTES_PER_WEEK (60 * SAM_HOURS_PER_WEEK) - - typedef struct _LOGON_HOURS - { - USHORT UnitsPerWeek; - - // UnitsPerWeek is the number of equal length time units the week is - // divided into. This value is used to compute the length of the bit - // string in logon_hours. Must be less than or equal to - // SAM_UNITS_PER_WEEK (10080) for this release. - // - // LogonHours is a bit map of valid logon times. Each bit represents - // a unique division in a week. The largest bit map supported is 1260 - // bytes (10080 bits), which represents minutes per week. In this case - // the first bit (bit 0, byte 0) is Sunday, 00:00:00 - 00-00:59; bit 1, - // byte 0 is Sunday, 00:01:00 - 00:01:59, etc. A NULL pointer means - // DONT_CHANGE for SamSetInformationUser() calls. 
- - PUCHAR LogonHours; - } LOGON_HOURS, *PLOGON_HOURS; - - typedef struct _SR_SECURITY_DESCRIPTOR - { - ULONG Length; - PUCHAR SecurityDescriptor; - } SR_SECURITY_DESCRIPTOR, *PSR_SECURITY_DESCRIPTOR; - - // SamQueryInformationUser/SamSetInformationUser types - - typedef enum _USER_INFORMATION_CLASS - { - UserGeneralInformation = 1, // q: USER_GENERAL_INFORMATION - UserPreferencesInformation, // q; s: USER_PREFERENCES_INFORMATION - UserLogonInformation, // q: USER_LOGON_INFORMATION - UserLogonHoursInformation, // q; s: USER_LOGON_HOURS_INFORMATION - UserAccountInformation, // q: USER_ACCOUNT_INFORMATION - UserNameInformation, // q; s: USER_NAME_INFORMATION - UserAccountNameInformation, // q; s: USER_ACCOUNT_NAME_INFORMATION - UserFullNameInformation, // q; s: USER_FULL_NAME_INFORMATION - UserPrimaryGroupInformation, // q; s: USER_PRIMARY_GROUP_INFORMATION - UserHomeInformation, // q; s: USER_HOME_INFORMATION // 10 - UserScriptInformation, // q; s: USER_SCRIPT_INFORMATION - UserProfileInformation, // q; s: USER_PROFILE_INFORMATION - UserAdminCommentInformation, // q; s: USER_ADMIN_COMMENT_INFORMATION - UserWorkStationsInformation, // q; s: USER_WORKSTATIONS_INFORMATION - UserSetPasswordInformation, // s: USER_SET_PASSWORD_INFORMATION - UserControlInformation, // q; s: USER_CONTROL_INFORMATION - UserExpiresInformation, // q; s: USER_EXPIRES_INFORMATION - UserInternal1Information, // USER_INTERNAL1_INFORMATION - UserInternal2Information, // USER_INTERNAL2_INFORMATION - UserParametersInformation, // q; s: USER_PARAMETERS_INFORMATION // 20 - UserAllInformation, // USER_ALL_INFORMATION - UserInternal3Information, // USER_INTERNAL3_INFORMATION - UserInternal4Information, // USER_INTERNAL4_INFORMATION - UserInternal5Information, // USER_INTERNAL5_INFORMATION - UserInternal4InformationNew, // USER_INTERNAL4_INFORMATION_NEW - UserInternal5InformationNew, // USER_INTERNAL5_INFORMATION_NEW - UserInternal6Information, // USER_INTERNAL6_INFORMATION - UserExtendedInformation, // 
USER_EXTENDED_INFORMATION - UserLogonUIInformation, // USER_LOGON_UI_INFORMATION - UserUnknownTodoInformation, - UserInternal7Information, // USER_INTERNAL7_INFORMATION - UserInternal8Information, // USER_INTERNAL8_INFORMATION - } USER_INFORMATION_CLASS, - *PUSER_INFORMATION_CLASS; - - typedef struct _USER_GENERAL_INFORMATION - { - UNICODE_STRING UserName; - UNICODE_STRING FullName; - ULONG PrimaryGroupId; - UNICODE_STRING AdminComment; - UNICODE_STRING UserComment; - } USER_GENERAL_INFORMATION, *PUSER_GENERAL_INFORMATION; - - typedef struct _USER_PREFERENCES_INFORMATION - { - UNICODE_STRING UserComment; - UNICODE_STRING Reserved1; - USHORT CountryCode; - USHORT CodePage; - } USER_PREFERENCES_INFORMATION, *PUSER_PREFERENCES_INFORMATION; - -#include - typedef struct _USER_LOGON_INFORMATION - { - UNICODE_STRING UserName; - UNICODE_STRING FullName; - ULONG UserId; - ULONG PrimaryGroupId; - UNICODE_STRING HomeDirectory; - UNICODE_STRING HomeDirectoryDrive; - UNICODE_STRING ScriptPath; - UNICODE_STRING ProfilePath; - UNICODE_STRING WorkStations; - LARGE_INTEGER LastLogon; - LARGE_INTEGER LastLogoff; - LARGE_INTEGER PasswordLastSet; - LARGE_INTEGER PasswordCanChange; - LARGE_INTEGER PasswordMustChange; - LOGON_HOURS LogonHours; - USHORT BadPasswordCount; - USHORT LogonCount; - ULONG UserAccountControl; - } USER_LOGON_INFORMATION, *PUSER_LOGON_INFORMATION; -#include - - typedef struct _USER_LOGON_HOURS_INFORMATION - { - LOGON_HOURS LogonHours; - } USER_LOGON_HOURS_INFORMATION, *PUSER_LOGON_HOURS_INFORMATION; - -#include - typedef struct _USER_ACCOUNT_INFORMATION - { - UNICODE_STRING UserName; - UNICODE_STRING FullName; - ULONG UserId; - ULONG PrimaryGroupId; - UNICODE_STRING HomeDirectory; - UNICODE_STRING HomeDirectoryDrive; - UNICODE_STRING ScriptPath; - UNICODE_STRING ProfilePath; - UNICODE_STRING AdminComment; - UNICODE_STRING WorkStations; - LARGE_INTEGER LastLogon; - LARGE_INTEGER LastLogoff; - LOGON_HOURS LogonHours; - USHORT BadPasswordCount; - USHORT LogonCount; 
- LARGE_INTEGER PasswordLastSet; - LARGE_INTEGER AccountExpires; - ULONG UserAccountControl; - } USER_ACCOUNT_INFORMATION, *PUSER_ACCOUNT_INFORMATION; -#include - - typedef struct _USER_NAME_INFORMATION - { - UNICODE_STRING UserName; - UNICODE_STRING FullName; - } USER_NAME_INFORMATION, *PUSER_NAME_INFORMATION; - - typedef struct _USER_ACCOUNT_NAME_INFORMATION - { - UNICODE_STRING UserName; - } USER_ACCOUNT_NAME_INFORMATION, *PUSER_ACCOUNT_NAME_INFORMATION; - - typedef struct _USER_FULL_NAME_INFORMATION - { - UNICODE_STRING FullName; - } USER_FULL_NAME_INFORMATION, *PUSER_FULL_NAME_INFORMATION; - - typedef struct _USER_PRIMARY_GROUP_INFORMATION - { - ULONG PrimaryGroupId; - } USER_PRIMARY_GROUP_INFORMATION, *PUSER_PRIMARY_GROUP_INFORMATION; - - typedef struct _USER_HOME_INFORMATION - { - UNICODE_STRING HomeDirectory; - UNICODE_STRING HomeDirectoryDrive; - } USER_HOME_INFORMATION, *PUSER_HOME_INFORMATION; - - typedef struct _USER_SCRIPT_INFORMATION - { - UNICODE_STRING ScriptPath; - } USER_SCRIPT_INFORMATION, *PUSER_SCRIPT_INFORMATION; - - typedef struct _USER_PROFILE_INFORMATION - { - UNICODE_STRING ProfilePath; - } USER_PROFILE_INFORMATION, *PUSER_PROFILE_INFORMATION; - - typedef struct _USER_ADMIN_COMMENT_INFORMATION - { - UNICODE_STRING AdminComment; - } USER_ADMIN_COMMENT_INFORMATION, *PUSER_ADMIN_COMMENT_INFORMATION; - - typedef struct _USER_WORKSTATIONS_INFORMATION - { - UNICODE_STRING WorkStations; - } USER_WORKSTATIONS_INFORMATION, *PUSER_WORKSTATIONS_INFORMATION; - - typedef struct _USER_SET_PASSWORD_INFORMATION - { - UNICODE_STRING Password; - BOOLEAN PasswordExpired; - } USER_SET_PASSWORD_INFORMATION, *PUSER_SET_PASSWORD_INFORMATION; - - typedef struct _USER_CONTROL_INFORMATION - { - ULONG UserAccountControl; - } USER_CONTROL_INFORMATION, *PUSER_CONTROL_INFORMATION; - - typedef struct _USER_EXPIRES_INFORMATION - { - LARGE_INTEGER AccountExpires; - } USER_EXPIRES_INFORMATION, *PUSER_EXPIRES_INFORMATION; - -#define CYPHER_BLOCK_LENGTH 8 - - typedef struct 
_CYPHER_BLOCK - { - CHAR data[CYPHER_BLOCK_LENGTH]; - } CYPHER_BLOCK, *PCYPHER_BLOCK; - - typedef struct _ENCRYPTED_NT_OWF_PASSWORD - { - CYPHER_BLOCK data[2]; - } ENCRYPTED_NT_OWF_PASSWORD, *PENCRYPTED_NT_OWF_PASSWORD; - - typedef struct _ENCRYPTED_LM_OWF_PASSWORD - { - CYPHER_BLOCK data[2]; - } ENCRYPTED_LM_OWF_PASSWORD, *PENCRYPTED_LM_OWF_PASSWORD; - - typedef struct _USER_INTERNAL1_INFORMATION - { - ENCRYPTED_NT_OWF_PASSWORD EncryptedNtOwfPassword; - ENCRYPTED_LM_OWF_PASSWORD EncryptedLmOwfPassword; - BOOLEAN NtPasswordPresent; - BOOLEAN LmPasswordPresent; - BOOLEAN PasswordExpired; - } USER_INTERNAL1_INFORMATION, *PUSER_INTERNAL1_INFORMATION; - - typedef struct _USER_INTERNAL2_INFORMATION - { - ULONG StatisticsToApply; - LARGE_INTEGER LastLogon; - LARGE_INTEGER LastLogoff; - USHORT BadPasswordCount; - USHORT LogonCount; - } USER_INTERNAL2_INFORMATION, *PUSER_INTERNAL2_INFORMATION; - - typedef struct _USER_PARAMETERS_INFORMATION - { - UNICODE_STRING Parameters; - } USER_PARAMETERS_INFORMATION, *PUSER_PARAMETERS_INFORMATION; - - // Flags for WhichFields in USER_ALL_INFORMATION - -#define USER_ALL_USERNAME 0x00000001 -#define USER_ALL_FULLNAME 0x00000002 -#define USER_ALL_USERID 0x00000004 -#define USER_ALL_PRIMARYGROUPID 0x00000008 -#define USER_ALL_ADMINCOMMENT 0x00000010 -#define USER_ALL_USERCOMMENT 0x00000020 -#define USER_ALL_HOMEDIRECTORY 0x00000040 -#define USER_ALL_HOMEDIRECTORYDRIVE 0x00000080 -#define USER_ALL_SCRIPTPATH 0x00000100 -#define USER_ALL_PROFILEPATH 0x00000200 -#define USER_ALL_WORKSTATIONS 0x00000400 -#define USER_ALL_LASTLOGON 0x00000800 -#define USER_ALL_LASTLOGOFF 0x00001000 -#define USER_ALL_LOGONHOURS 0x00002000 -#define USER_ALL_BADPASSWORDCOUNT 0x00004000 -#define USER_ALL_LOGONCOUNT 0x00008000 -#define USER_ALL_PASSWORDCANCHANGE 0x00010000 -#define USER_ALL_PASSWORDMUSTCHANGE 0x00020000 -#define USER_ALL_PASSWORDLASTSET 0x00040000 -#define USER_ALL_ACCOUNTEXPIRES 0x00080000 -#define USER_ALL_USERACCOUNTCONTROL 0x00100000 -#define 
USER_ALL_PARAMETERS 0x00200000 -#define USER_ALL_COUNTRYCODE 0x00400000 -#define USER_ALL_CODEPAGE 0x00800000 -#define USER_ALL_NTPASSWORDPRESENT 0x01000000 // field AND boolean -#define USER_ALL_LMPASSWORDPRESENT 0x02000000 // field AND boolean -#define USER_ALL_PRIVATEDATA 0x04000000 // field AND boolean -#define USER_ALL_PASSWORDEXPIRED 0x08000000 -#define USER_ALL_SECURITYDESCRIPTOR 0x10000000 -#define USER_ALL_OWFPASSWORD 0x20000000 // boolean - -#define USER_ALL_UNDEFINED_MASK 0xc0000000 - - // Fields that require USER_READ_GENERAL access to read. - -#define USER_ALL_READ_GENERAL_MASK \ - (USER_ALL_USERNAME | \ - USER_ALL_FULLNAME | \ - USER_ALL_USERID | \ - USER_ALL_PRIMARYGROUPID | \ - USER_ALL_ADMINCOMMENT | \ - USER_ALL_USERCOMMENT) - - // Fields that require USER_READ_LOGON access to read. - -#define USER_ALL_READ_LOGON_MASK \ - (USER_ALL_HOMEDIRECTORY | \ - USER_ALL_HOMEDIRECTORYDRIVE | \ - USER_ALL_SCRIPTPATH | \ - USER_ALL_PROFILEPATH | \ - USER_ALL_WORKSTATIONS | \ - USER_ALL_LASTLOGON | \ - USER_ALL_LASTLOGOFF | \ - USER_ALL_LOGONHOURS | \ - USER_ALL_BADPASSWORDCOUNT | \ - USER_ALL_LOGONCOUNT | \ - USER_ALL_PASSWORDCANCHANGE | \ - USER_ALL_PASSWORDMUSTCHANGE) - - // Fields that require USER_READ_ACCOUNT access to read. - -#define USER_ALL_READ_ACCOUNT_MASK \ - (USER_ALL_PASSWORDLASTSET | \ - USER_ALL_ACCOUNTEXPIRES | \ - USER_ALL_USERACCOUNTCONTROL | \ - USER_ALL_PARAMETERS) - - // Fields that require USER_READ_PREFERENCES access to read. - -#define USER_ALL_READ_PREFERENCES_MASK \ - (USER_ALL_COUNTRYCODE | USER_ALL_CODEPAGE) - - // Fields that can only be read by trusted clients. - -#define USER_ALL_READ_TRUSTED_MASK \ - (USER_ALL_NTPASSWORDPRESENT | \ - USER_ALL_LMPASSWORDPRESENT | \ - USER_ALL_PASSWORDEXPIRED | \ - USER_ALL_SECURITYDESCRIPTOR | \ - USER_ALL_PRIVATEDATA) - - // Fields that can't be read. - -#define USER_ALL_READ_CANT_MASK USER_ALL_UNDEFINED_MASK - - // Fields that require USER_WRITE_ACCOUNT access to write. 
- -#define USER_ALL_WRITE_ACCOUNT_MASK \ - (USER_ALL_USERNAME | \ - USER_ALL_FULLNAME | \ - USER_ALL_PRIMARYGROUPID | \ - USER_ALL_HOMEDIRECTORY | \ - USER_ALL_HOMEDIRECTORYDRIVE | \ - USER_ALL_SCRIPTPATH | \ - USER_ALL_PROFILEPATH | \ - USER_ALL_ADMINCOMMENT | \ - USER_ALL_WORKSTATIONS | \ - USER_ALL_LOGONHOURS | \ - USER_ALL_ACCOUNTEXPIRES | \ - USER_ALL_USERACCOUNTCONTROL | \ - USER_ALL_PARAMETERS) - - // Fields that require USER_WRITE_PREFERENCES access to write. - -#define USER_ALL_WRITE_PREFERENCES_MASK \ - (USER_ALL_USERCOMMENT | USER_ALL_COUNTRYCODE | USER_ALL_CODEPAGE) - - // Fields that require USER_FORCE_PASSWORD_CHANGE access to write. - // - // Note that non-trusted clients only set the NT password as a - // UNICODE string. The wrapper will convert it to an LM password, - // OWF and encrypt both versions. Trusted clients can pass in OWF - // versions of either or both. - -#define USER_ALL_WRITE_FORCE_PASSWORD_CHANGE_MASK \ - (USER_ALL_NTPASSWORDPRESENT | \ - USER_ALL_LMPASSWORDPRESENT | \ - USER_ALL_PASSWORDEXPIRED) - - // Fields that can only be written by trusted clients. - -#define USER_ALL_WRITE_TRUSTED_MASK \ - (USER_ALL_LASTLOGON | \ - USER_ALL_LASTLOGOFF | \ - USER_ALL_BADPASSWORDCOUNT | \ - USER_ALL_LOGONCOUNT | \ - USER_ALL_PASSWORDLASTSET | \ - USER_ALL_SECURITYDESCRIPTOR | \ - USER_ALL_PRIVATEDATA) - - // Fields that can't be written. 
- -#define USER_ALL_WRITE_CANT_MASK \ - (USER_ALL_USERID | \ - USER_ALL_PASSWORDCANCHANGE | \ - USER_ALL_PASSWORDMUSTCHANGE | \ - USER_ALL_UNDEFINED_MASK) - -#include - typedef struct _USER_ALL_INFORMATION - { - LARGE_INTEGER LastLogon; - LARGE_INTEGER LastLogoff; - LARGE_INTEGER PasswordLastSet; - LARGE_INTEGER AccountExpires; - LARGE_INTEGER PasswordCanChange; - LARGE_INTEGER PasswordMustChange; - UNICODE_STRING UserName; - UNICODE_STRING FullName; - UNICODE_STRING HomeDirectory; - UNICODE_STRING HomeDirectoryDrive; - UNICODE_STRING ScriptPath; - UNICODE_STRING ProfilePath; - UNICODE_STRING AdminComment; - UNICODE_STRING WorkStations; - UNICODE_STRING UserComment; - UNICODE_STRING Parameters; - UNICODE_STRING LmPassword; - UNICODE_STRING NtPassword; - UNICODE_STRING PrivateData; - SR_SECURITY_DESCRIPTOR SecurityDescriptor; - ULONG UserId; - ULONG PrimaryGroupId; - ULONG UserAccountControl; - ULONG WhichFields; - LOGON_HOURS LogonHours; - USHORT BadPasswordCount; - USHORT LogonCount; - USHORT CountryCode; - USHORT CodePage; - BOOLEAN LmPasswordPresent; - BOOLEAN NtPasswordPresent; - BOOLEAN PasswordExpired; - BOOLEAN PrivateDataSensitive; - } USER_ALL_INFORMATION, *PUSER_ALL_INFORMATION; -#include - -#include - typedef struct _USER_INTERNAL3_INFORMATION - { - USER_ALL_INFORMATION I1; - LARGE_INTEGER LastBadPasswordTime; - } USER_INTERNAL3_INFORMATION, *PUSER_INTERNAL3_INFORMATION; -#include - - typedef struct _ENCRYPTED_USER_PASSWORD - { - UCHAR Buffer[(SAM_MAX_PASSWORD_LENGTH * 2) + 4]; - } ENCRYPTED_USER_PASSWORD, *PENCRYPTED_USER_PASSWORD; - - typedef struct _USER_INTERNAL4_INFORMATION - { - USER_ALL_INFORMATION I1; - ENCRYPTED_USER_PASSWORD UserPassword; - } USER_INTERNAL4_INFORMATION, *PUSER_INTERNAL4_INFORMATION; - - typedef struct _USER_INTERNAL5_INFORMATION - { - ENCRYPTED_USER_PASSWORD UserPassword; - BOOLEAN PasswordExpired; - } USER_INTERNAL5_INFORMATION, *PUSER_INTERNAL5_INFORMATION; - - typedef struct _ENCRYPTED_USER_PASSWORD_NEW - { - UCHAR 
Buffer[(SAM_MAX_PASSWORD_LENGTH * 2) + 4 + SAM_PASSWORD_ENCRYPTION_SALT_LEN]; - } ENCRYPTED_USER_PASSWORD_NEW, *PENCRYPTED_USER_PASSWORD_NEW; - - typedef struct _USER_INTERNAL4_INFORMATION_NEW - { - USER_ALL_INFORMATION I1; - ENCRYPTED_USER_PASSWORD_NEW UserPassword; - } USER_INTERNAL4_INFORMATION_NEW, *PUSER_INTERNAL4_INFORMATION_NEW; - - typedef struct _USER_INTERNAL5_INFORMATION_NEW - { - ENCRYPTED_USER_PASSWORD_NEW UserPassword; - BOOLEAN PasswordExpired; - } USER_INTERNAL5_INFORMATION_NEW, *PUSER_INTERNAL5_INFORMATION_NEW; - - typedef struct _USER_ALLOWED_TO_DELEGATE_TO_LIST - { - ULONG Size; - ULONG NumSPNs; - UNICODE_STRING SPNList[ANYSIZE_ARRAY]; - } USER_ALLOWED_TO_DELEGATE_TO_LIST, *PUSER_ALLOWED_TO_DELEGATE_TO_LIST; - -#define USER_EXTENDED_FIELD_UPN 0x00000001L -#define USER_EXTENDED_FIELD_A2D2 0x00000002L - - typedef struct _USER_INTERNAL6_INFORMATION - { - USER_ALL_INFORMATION I1; - LARGE_INTEGER LastBadPasswordTime; - ULONG ExtendedFields; - BOOLEAN UPNDefaulted; - UNICODE_STRING UPN; - PUSER_ALLOWED_TO_DELEGATE_TO_LIST A2D2List; - } USER_INTERNAL6_INFORMATION, *PUSER_INTERNAL6_INFORMATION; - - typedef SAM_BYTE_ARRAY_32K SAM_USER_TILE, *PSAM_USER_TILE; - - // 0xff000fff is reserved for internal callers and implementation. - -#define USER_EXTENDED_FIELD_USER_TILE (0x00001000L) -#define USER_EXTENDED_FIELD_PASSWORD_HINT (0x00002000L) -#define USER_EXTENDED_FIELD_DONT_SHOW_IN_LOGON_UI (0x00004000L) -#define USER_EXTENDED_FIELD_SHELL_ADMIN_OBJECT_PROPERTIES (0x00008000L) - - typedef struct _USER_EXTENDED_INFORMATION - { - ULONG ExtendedWhichFields; - SAM_USER_TILE UserTile; - UNICODE_STRING PasswordHint; - BOOLEAN DontShowInLogonUI; - SAM_SHELL_OBJECT_PROPERTIES ShellAdminObjectProperties; - } USER_EXTENDED_INFORMATION, *PUSER_EXTENDED_INFORMATION; - - // For local callers only. 
- typedef struct _USER_LOGON_UI_INFORMATION - { - BOOLEAN PasswordIsBlank; - BOOLEAN AccountIsDisabled; - } USER_LOGON_UI_INFORMATION, *PUSER_LOGON_UI_INFORMATION; - - typedef struct _ENCRYPTED_PASSWORD_AES - { - UCHAR AuthData[64]; - UCHAR Salt[SAM_PASSWORD_ENCRYPTION_SALT_LEN]; - ULONG cbCipher; - PUCHAR Cipher; - ULONGLONG PBKDF2Iterations; - } ENCRYPTED_PASSWORD_AES, *PENCRYPTED_PASSWORD_AES; - - typedef struct _USER_INTERNAL7_INFORMATION - { - ENCRYPTED_PASSWORD_AES UserPassword; - BOOLEAN PasswordExpired; - } USER_INTERNAL7_INFORMATION, *PUSER_INTERNAL7_INFORMATION; - - typedef struct _USER_INTERNAL8_INFORMATION - { - USER_ALL_INFORMATION I1; - ENCRYPTED_PASSWORD_AES UserPassword; - } USER_INTERNAL8_INFORMATION, *PUSER_INTERNAL8_INFORMATION; - - // SamChangePasswordUser3 types - - // Error values: - // * SAM_PWD_CHANGE_NO_ERROR - // * SAM_PWD_CHANGE_PASSWORD_TOO_SHORT - // * SAM_PWD_CHANGE_PWD_IN_HISTORY - // * SAM_PWD_CHANGE_USERNAME_IN_PASSWORD - // * SAM_PWD_CHANGE_FULLNAME_IN_PASSWORD - // * SAM_PWD_CHANGE_MACHINE_PASSWORD_NOT_DEFAULT - // * SAM_PWD_CHANGE_FAILED_BY_FILTER - - typedef struct _USER_PWD_CHANGE_FAILURE_INFORMATION - { - ULONG ExtendedFailureReason; - UNICODE_STRING FilterModuleName; - } USER_PWD_CHANGE_FAILURE_INFORMATION, *PUSER_PWD_CHANGE_FAILURE_INFORMATION; - - // ExtendedFailureReason values - -#define SAM_PWD_CHANGE_NO_ERROR 0 -#define SAM_PWD_CHANGE_PASSWORD_TOO_SHORT 1 -#define SAM_PWD_CHANGE_PWD_IN_HISTORY 2 -#define SAM_PWD_CHANGE_USERNAME_IN_PASSWORD 3 -#define SAM_PWD_CHANGE_FULLNAME_IN_PASSWORD 4 -#define SAM_PWD_CHANGE_NOT_COMPLEX 5 -#define SAM_PWD_CHANGE_MACHINE_PASSWORD_NOT_DEFAULT 6 -#define SAM_PWD_CHANGE_FAILED_BY_FILTER 7 -#define SAM_PWD_CHANGE_PASSWORD_TOO_LONG 8 -#define SAM_PWD_CHANGE_FAILURE_REASON_MAX 8 - - // Functions - - _Check_return_ - NTSTATUS - NTAPI - SamEnumerateUsersInDomain( - _In_ SAM_HANDLE DomainHandle, - _Inout_ PSAM_ENUMERATE_HANDLE EnumerationContext, - _In_ ULONG UserAccountControl, - _Outptr_ 
PVOID *Buffer, // PSAM_RID_ENUMERATION * - _In_ ULONG PreferedMaximumLength, - _Out_ PULONG CountReturned); - - _Check_return_ - NTSTATUS - NTAPI - SamCreateUserInDomain( - _In_ SAM_HANDLE DomainHandle, - _In_ PUNICODE_STRING AccountName, - _In_ ACCESS_MASK DesiredAccess, - _Out_ PSAM_HANDLE UserHandle, - _Out_ PULONG RelativeId); - - _Check_return_ - NTSTATUS - NTAPI - SamCreateUser2InDomain( - _In_ SAM_HANDLE DomainHandle, - _In_ PUNICODE_STRING AccountName, - _In_ ULONG AccountType, - _In_ ACCESS_MASK DesiredAccess, - _Out_ PSAM_HANDLE UserHandle, - _Out_ PULONG GrantedAccess, - _Out_ PULONG RelativeId); - - _Check_return_ - NTSTATUS - NTAPI - SamOpenUser( - _In_ SAM_HANDLE DomainHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ ULONG UserId, - _Out_ PSAM_HANDLE UserHandle); - - _Check_return_ - NTSTATUS - NTAPI - SamDeleteUser( - _In_ SAM_HANDLE UserHandle); - - _Check_return_ - NTSTATUS - NTAPI - SamQueryInformationUser( - _In_ SAM_HANDLE UserHandle, - _In_ USER_INFORMATION_CLASS UserInformationClass, - _Outptr_ PVOID *Buffer); - - _Check_return_ - NTSTATUS - NTAPI - SamSetInformationUser( - _In_ SAM_HANDLE UserHandle, - _In_ USER_INFORMATION_CLASS UserInformationClass, - _In_ PVOID Buffer); - - _Check_return_ - NTSTATUS - NTAPI - SamGetGroupsForUser( - _In_ SAM_HANDLE UserHandle, - _Out_ _Deref_post_count_(*MembershipCount) PGROUP_MEMBERSHIP *Groups, - _Out_ PULONG MembershipCount); - - _Check_return_ - NTSTATUS - NTAPI - SamChangePasswordUser( - _In_ SAM_HANDLE UserHandle, - _In_ PUNICODE_STRING OldPassword, - _In_ PUNICODE_STRING NewPassword); - - _Check_return_ - NTSTATUS - NTAPI - SamChangePasswordUser2( - _In_ PUNICODE_STRING ServerName, - _In_ PUNICODE_STRING UserName, - _In_ PUNICODE_STRING OldPassword, - _In_ PUNICODE_STRING NewPassword); - - _Check_return_ - NTSTATUS - NTAPI - SamChangePasswordUser3( - _In_ PUNICODE_STRING ServerName, - _In_ PUNICODE_STRING UserName, - _In_ PUNICODE_STRING OldPassword, - _In_ PUNICODE_STRING NewPassword, - _Outptr_ 
PDOMAIN_PASSWORD_INFORMATION *EffectivePasswordPolicy, - _Outptr_ PUSER_PWD_CHANGE_FAILURE_INFORMATION *PasswordChangeFailureInfo); - - _Check_return_ - NTSTATUS - NTAPI - SamQueryDisplayInformation( - _In_ SAM_HANDLE DomainHandle, - _In_ DOMAIN_DISPLAY_INFORMATION DisplayInformation, - _In_ ULONG Index, - _In_ ULONG EntryCount, - _In_ ULONG PreferredMaximumLength, - _Out_ PULONG TotalAvailable, - _Out_ PULONG TotalReturned, - _Out_ PULONG ReturnedEntryCount, - _Outptr_ PVOID *SortedBuffer); - - _Check_return_ - NTSTATUS - NTAPI - SamGetDisplayEnumerationIndex( - _In_ SAM_HANDLE DomainHandle, - _In_ DOMAIN_DISPLAY_INFORMATION DisplayInformation, - _In_ PUNICODE_STRING Prefix, - _Out_ PULONG Index); - - // Database replication - - typedef enum _SECURITY_DB_DELTA_TYPE - { - SecurityDbNew = 1, - SecurityDbRename, - SecurityDbDelete, - SecurityDbChangeMemberAdd, - SecurityDbChangeMemberSet, - SecurityDbChangeMemberDel, - SecurityDbChange, - SecurityDbChangePassword - } SECURITY_DB_DELTA_TYPE, - *PSECURITY_DB_DELTA_TYPE; - - typedef enum _SECURITY_DB_OBJECT_TYPE - { - SecurityDbObjectSamDomain = 1, - SecurityDbObjectSamUser, - SecurityDbObjectSamGroup, - SecurityDbObjectSamAlias, - SecurityDbObjectLsaPolicy, - SecurityDbObjectLsaTDomain, - SecurityDbObjectLsaAccount, - SecurityDbObjectLsaSecret - } SECURITY_DB_OBJECT_TYPE, - *PSECURITY_DB_OBJECT_TYPE; - - typedef enum _SAM_ACCOUNT_TYPE - { - SamObjectUser = 1, - SamObjectGroup, - SamObjectAlias - } SAM_ACCOUNT_TYPE, - *PSAM_ACCOUNT_TYPE; - -#define SAM_USER_ACCOUNT (0x00000001) -#define SAM_GLOBAL_GROUP_ACCOUNT (0x00000002) -#define SAM_LOCAL_GROUP_ACCOUNT (0x00000004) - - typedef struct _SAM_GROUP_MEMBER_ID - { - ULONG MemberRid; - } SAM_GROUP_MEMBER_ID, *PSAM_GROUP_MEMBER_ID; - - typedef struct _SAM_ALIAS_MEMBER_ID - { - PSID MemberSid; - } SAM_ALIAS_MEMBER_ID, *PSAM_ALIAS_MEMBER_ID; - - typedef union _SAM_DELTA_DATA - { - SAM_GROUP_MEMBER_ID GroupMemberId; - SAM_ALIAS_MEMBER_ID AliasMemberId; - ULONG AccountControl; 
- } SAM_DELTA_DATA, *PSAM_DELTA_DATA; - - typedef NTSTATUS(NTAPI *PSAM_DELTA_NOTIFICATION_ROUTINE)( - _In_ PSID DomainSid, - _In_ SECURITY_DB_DELTA_TYPE DeltaType, - _In_ SECURITY_DB_OBJECT_TYPE ObjectType, - _In_ ULONG ObjectRid, - _In_opt_ PUNICODE_STRING ObjectName, - _In_ PLARGE_INTEGER ModifiedCount, - _In_opt_ PSAM_DELTA_DATA DeltaData); - -#define SAM_DELTA_NOTIFY_ROUTINE "DeltaNotify" - - _Check_return_ - NTSTATUS - NTAPI - SamRegisterObjectChangeNotification( - _In_ SECURITY_DB_OBJECT_TYPE ObjectType, - _In_ HANDLE NotificationEventHandle); - - NTSTATUS - NTAPI - SamUnregisterObjectChangeNotification( - _In_ SECURITY_DB_OBJECT_TYPE ObjectType, - _In_ HANDLE NotificationEventHandle); - - // Compatibility mode - -#define SAM_SID_COMPATIBILITY_ALL 0 -#define SAM_SID_COMPATIBILITY_LAX 1 -#define SAM_SID_COMPATIBILITY_STRICT 2 - - _Check_return_ - NTSTATUS - NTAPI - SamGetCompatibilityMode( - _In_ SAM_HANDLE ObjectHandle, - _Out_ ULONG *Mode); - - // Password validation - - typedef enum _PASSWORD_POLICY_VALIDATION_TYPE - { - SamValidateAuthentication = 1, - SamValidatePasswordChange, - SamValidatePasswordReset - } PASSWORD_POLICY_VALIDATION_TYPE; - - typedef struct _SAM_VALIDATE_PASSWORD_HASH - { - ULONG Length; - _Field_size_bytes_(Length) PUCHAR Hash; - } SAM_VALIDATE_PASSWORD_HASH, *PSAM_VALIDATE_PASSWORD_HASH; - - // Flags for PresentFields in SAM_VALIDATE_PERSISTED_FIELDS - -#define SAM_VALIDATE_PASSWORD_LAST_SET 0x00000001 -#define SAM_VALIDATE_BAD_PASSWORD_TIME 0x00000002 -#define SAM_VALIDATE_LOCKOUT_TIME 0x00000004 -#define SAM_VALIDATE_BAD_PASSWORD_COUNT 0x00000008 -#define SAM_VALIDATE_PASSWORD_HISTORY_LENGTH 0x00000010 -#define SAM_VALIDATE_PASSWORD_HISTORY 0x00000020 - - typedef struct _SAM_VALIDATE_PERSISTED_FIELDS - { - ULONG PresentFields; - LARGE_INTEGER PasswordLastSet; - LARGE_INTEGER BadPasswordTime; - LARGE_INTEGER LockoutTime; - ULONG BadPasswordCount; - ULONG PasswordHistoryLength; - _Field_size_bytes_(PasswordHistoryLength) 
PSAM_VALIDATE_PASSWORD_HASH PasswordHistory; - } SAM_VALIDATE_PERSISTED_FIELDS, *PSAM_VALIDATE_PERSISTED_FIELDS; - - typedef enum _SAM_VALIDATE_VALIDATION_STATUS - { - SamValidateSuccess = 0, - SamValidatePasswordMustChange, - SamValidateAccountLockedOut, - SamValidatePasswordExpired, - SamValidatePasswordIncorrect, - SamValidatePasswordIsInHistory, - SamValidatePasswordTooShort, - SamValidatePasswordTooLong, - SamValidatePasswordNotComplexEnough, - SamValidatePasswordTooRecent, - SamValidatePasswordFilterError - } SAM_VALIDATE_VALIDATION_STATUS, - *PSAM_VALIDATE_VALIDATION_STATUS; - - typedef struct _SAM_VALIDATE_STANDARD_OUTPUT_ARG - { - SAM_VALIDATE_PERSISTED_FIELDS ChangedPersistedFields; - SAM_VALIDATE_VALIDATION_STATUS ValidationStatus; - } SAM_VALIDATE_STANDARD_OUTPUT_ARG, *PSAM_VALIDATE_STANDARD_OUTPUT_ARG; - - typedef struct _SAM_VALIDATE_AUTHENTICATION_INPUT_ARG - { - SAM_VALIDATE_PERSISTED_FIELDS InputPersistedFields; - BOOLEAN PasswordMatched; - } SAM_VALIDATE_AUTHENTICATION_INPUT_ARG, *PSAM_VALIDATE_AUTHENTICATION_INPUT_ARG; - - typedef struct _SAM_VALIDATE_PASSWORD_CHANGE_INPUT_ARG - { - SAM_VALIDATE_PERSISTED_FIELDS InputPersistedFields; - UNICODE_STRING ClearPassword; - UNICODE_STRING UserAccountName; - SAM_VALIDATE_PASSWORD_HASH HashedPassword; - BOOLEAN PasswordMatch; // denotes if the old password supplied by user matched or not - } SAM_VALIDATE_PASSWORD_CHANGE_INPUT_ARG, *PSAM_VALIDATE_PASSWORD_CHANGE_INPUT_ARG; - - typedef struct _SAM_VALIDATE_PASSWORD_RESET_INPUT_ARG - { - SAM_VALIDATE_PERSISTED_FIELDS InputPersistedFields; - UNICODE_STRING ClearPassword; - UNICODE_STRING UserAccountName; - SAM_VALIDATE_PASSWORD_HASH HashedPassword; - BOOLEAN PasswordMustChangeAtNextLogon; // looked at only for password reset - BOOLEAN ClearLockout; // can be used clear user account lockout - } SAM_VALIDATE_PASSWORD_RESET_INPUT_ARG, *PSAM_VALIDATE_PASSWORD_RESET_INPUT_ARG; - - typedef union _SAM_VALIDATE_INPUT_ARG - { - SAM_VALIDATE_AUTHENTICATION_INPUT_ARG 
ValidateAuthenticationInput; - SAM_VALIDATE_PASSWORD_CHANGE_INPUT_ARG ValidatePasswordChangeInput; - SAM_VALIDATE_PASSWORD_RESET_INPUT_ARG ValidatePasswordResetInput; - } SAM_VALIDATE_INPUT_ARG, *PSAM_VALIDATE_INPUT_ARG; - - typedef union _SAM_VALIDATE_OUTPUT_ARG - { - SAM_VALIDATE_STANDARD_OUTPUT_ARG ValidateAuthenticationOutput; - SAM_VALIDATE_STANDARD_OUTPUT_ARG ValidatePasswordChangeOutput; - SAM_VALIDATE_STANDARD_OUTPUT_ARG ValidatePasswordResetOutput; - } SAM_VALIDATE_OUTPUT_ARG, *PSAM_VALIDATE_OUTPUT_ARG; - - _Check_return_ - NTSTATUS - NTAPI - SamValidatePassword( - _In_opt_ PUNICODE_STRING ServerName, - _In_ PASSWORD_POLICY_VALIDATION_TYPE ValidationType, - _In_ PSAM_VALIDATE_INPUT_ARG InputArg, - _Out_ PSAM_VALIDATE_OUTPUT_ARG *OutputArg); - - // Generic operation - - typedef enum _SAM_GENERIC_OPERATION_TYPE - { - SamObjectChangeNotificationOperation - } SAM_GENERIC_OPERATION_TYPE, - *PSAM_GENERIC_OPERATION_TYPE; - - typedef struct _SAM_OPERATION_OBJCHG_INPUT - { - BOOLEAN Register; - ULONG64 EventHandle; - SECURITY_DB_OBJECT_TYPE ObjectType; - ULONG ProcessID; - } SAM_OPERATION_OBJCHG_INPUT, *PSAM_OPERATION_OBJCHG_INPUT; - - typedef struct _SAM_OPERATION_OBJCHG_OUTPUT - { - ULONG Reserved; - } SAM_OPERATION_OBJCHG_OUTPUT, *PSAM_OPERATION_OBJCHG_OUTPUT; - - typedef union _SAM_GENERIC_OPERATION_INPUT - { - SAM_OPERATION_OBJCHG_INPUT ObjChangeIn; - } SAM_GENERIC_OPERATION_INPUT, *PSAM_GENERIC_OPERATION_INPUT; - - typedef union _SAM_GENERIC_OPERATION_OUTPUT - { - SAM_OPERATION_OBJCHG_OUTPUT ObjChangeOut; - } SAM_GENERIC_OPERATION_OUTPUT, *PSAM_GENERIC_OPERATION_OUTPUT; - - _Check_return_ - NTSTATUS - NTAPI - SamPerformGenericOperation( - _In_opt_ PWSTR ServerName, - _In_ SAM_GENERIC_OPERATION_TYPE OperationType, - _In_ PSAM_GENERIC_OPERATION_INPUT OperationIn, - _Out_ PSAM_GENERIC_OPERATION_OUTPUT *OperationOut); - -#endif - /* - * Trace Control support functions - * - * This file is part of System Informer. 
- */ - -#ifndef _NTMISC_H -#define _NTMISC_H - - // Filter manager - -#define FLT_PORT_CONNECT 0x0001 -#define FLT_PORT_ALL_ACCESS (FLT_PORT_CONNECT | STANDARD_RIGHTS_ALL) - - // VDM - - typedef enum _VDMSERVICECLASS - { - VdmStartExecution, - VdmQueueInterrupt, - VdmDelayInterrupt, - VdmInitialize, - VdmFeatures, - VdmSetInt21Handler, - VdmQueryDir, - VdmPrinterDirectIoOpen, - VdmPrinterDirectIoClose, - VdmPrinterInitialize, - VdmSetLdtEntries, - VdmSetProcessLdtInfo, - VdmAdlibEmulation, - VdmPMCliControl, - VdmQueryVdmProcess, - VdmPreInitialize - } VDMSERVICECLASS, - *PVDMSERVICECLASS; - - NTSYSCALLAPI - NTSTATUS - NTAPI - NtVdmControl( - _In_ VDMSERVICECLASS Service, - _Inout_ PVOID ServiceData); - - // ApiSet - - NTSYSAPI - BOOL - NTAPI - ApiSetQueryApiSetPresence( - _In_ PCUNICODE_STRING Namespace, - _Out_ PBOOLEAN Present); - - NTSYSAPI - BOOL - NTAPI - ApiSetQueryApiSetPresenceEx( - _In_ PCUNICODE_STRING Namespace, - _Out_ PBOOLEAN IsInSchema, - _Out_ PBOOLEAN Present); - - typedef enum _SECURE_SETTING_VALUE_TYPE - { - SecureSettingValueTypeBoolean = 0, - SecureSettingValueTypeUlong = 1, - SecureSettingValueTypeBinary = 2, - SecureSettingValueTypeString = 3, - SecureSettingValueTypeUnknown = 4 - } SECURE_SETTING_VALUE_TYPE, - *PSECURE_SETTING_VALUE_TYPE; - -#if (PHNT_VERSION >= PHNT_REDSTONE) - // rev - NTSYSCALLAPI - NTSTATUS - NTAPI - NtQuerySecurityPolicy( - _In_ PCUNICODE_STRING Policy, - _In_ PCUNICODE_STRING KeyName, - _In_ PCUNICODE_STRING ValueName, - _In_ SECURE_SETTING_VALUE_TYPE ValueType, - _Out_writes_bytes_opt_(*ValueSize) PVOID Value, - _Inout_ PULONG ValueSize); -#endif - -#if (PHNT_VERSION >= PHNT_20H1) - // rev - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateCrossVmEvent( - _Out_ PHANDLE CrossVmEvent, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ ULONG CrossVmEventFlags, - _In_ LPCGUID VMID, - _In_ LPCGUID ServiceID); - - // rev - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateCrossVmMutant( - _Out_ 
PHANDLE EventHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ ULONG CrossVmEventFlags, - _In_ LPCGUID VMID, - _In_ LPCGUID ServiceID); - - // rev - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAcquireCrossVmMutant( - _In_ HANDLE CrossVmMutant, - _In_ PLARGE_INTEGER Timeout); - - // rev - NTSYSCALLAPI - NTSTATUS - NTAPI - NtDirectGraphicsCall( - _In_ ULONG InputBufferLength, - _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, - _In_ ULONG OutputBufferLength, - _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer, - _Out_ PULONG ReturnLength); -#endif - -#if (PHNT_VERSION >= PHNT_WIN11_22H2) - // rev - NTSYSCALLAPI - NTSTATUS - NTAPI - NtOpenCpuPartition( - _Out_ PHANDLE CpuPartitionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes); - - // rev - NTSYSCALLAPI - NTSTATUS - NTAPI - NtCreateCpuPartition( - _Out_ PHANDLE CpuPartitionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes); - - // rev - NTSYSCALLAPI - NTSTATUS - NTAPI - NtSetInformationCpuPartition( - _In_ HANDLE CpuPartitionHandle, - _In_ ULONG CpuPartitionInformationClass, - _In_reads_bytes_(CpuPartitionInformationLength) PVOID CpuPartitionInformation, - _In_ ULONG CpuPartitionInformationLength, - _Reserved_ PVOID, - _Reserved_ ULONG, - _Reserved_ ULONG); -#endif - -#if (PHNT_VERSION >= PHNT_REDSTONE2) - - // Process KeepAlive (also WakeCounter) - - typedef enum _PROCESS_ACTIVITY_TYPE - { - ProcessActivityTypeAudio = 0, - ProcessActivityTypeMax = 1 - } PROCESS_ACTIVITY_TYPE; - - // rev - NTSYSCALLAPI - NTSTATUS - NTAPI - NtAcquireProcessActivityReference( - _Out_ PHANDLE ActivityReferenceHandle, - _In_ HANDLE ParentProcessHandle, - _Reserved_ PROCESS_ACTIVITY_TYPE Reserved); - -#endif - -#endif - /* - * Trace Control support functions - * - * This file is part of System Informer. 
- */ - -#ifndef _NTWMI_H -#define _NTWMI_H - - EXTERN_C_START - -#ifndef _TRACEHANDLE_DEFINED -#define _TRACEHANDLE_DEFINED - // Obsolete - prefer PROCESSTRACE_HANDLE or CONTROLTRACE_ID. - typedef ULONG64 TRACEHANDLE, *PTRACEHANDLE; -#endif - - // Used to read the events from a trace file or real-time trace session (via - // ProcessTrace). The handle is invalid if it contains the value - // INVALID_PROCESSTRACE_HANDLE. Obtain the handle by calling an OpenTrace - // function (e.g. OpenTrace, OpenTraceFromFile, OpenTraceFromRealTimeLogger). - // Close the handle by calling CloseTrace. - typedef ULONG64 PROCESSTRACE_HANDLE; - - // Used to identify a trace collection session. The id is invalid if it - // contains the value (CONTROLTRACE_ID)0. Obtain the id from StartTrace or from - // the Wnode.HistoricalContext field of the EVENT_TRACE_PROPERTIES returned by - // ControlTrace(0, sessionName, ...). The id is valid until the trace stops and - // does not need to be closed by the user. - typedef ULONG64 CONTROLTRACE_ID; - -// -// Maximum supported buffer size in KB - Win8 (16MB) -// -// N.B. Prior to Win8 the value was 1MB (1024KB). 
-#define MIN_ETW_BUFFER_SIZE 1 // in KBytes -#define MAX_ETW_BUFFER_SIZE (16 * 1024) // in KBytes -#define MAX_ETW_BUFFER_SIZE_WIN7 (1 * 1024) // in KBytes -#define MAX_ETW_EVENT_SIZE 0xFFFF // MAX_USHORT - -// SystemTraceControlGuid -#define ETW_KERNEL_RUNDOWN_START 0x00000001 -#define ETW_KERNEL_RUNDOWN_STOP 0x00000002 -#define ETW_CKCL_RUNDOWN_START 0x00000004 -#define ETW_CKCL_RUNDOWN_STOP 0x00000008 -#define ETW_FILENAME_RUNDOWN 0x00000010 - -// -// Alignment macros -// -#define DEFAULT_TRACE_ALIGNMENT 8 // 8 byte alignment -#define ALIGN_TO_POWER2(x, n) (((ULONG)(x) + ((n) - 1)) & ~((ULONG)(n) - 1)) - -// -// The predefined event groups or families for NT subsystems -// -#define EVENT_TRACE_GROUP_HEADER 0x0000 -#define EVENT_TRACE_GROUP_IO 0x0100 -#define EVENT_TRACE_GROUP_MEMORY 0x0200 -#define EVENT_TRACE_GROUP_PROCESS 0x0300 -#define EVENT_TRACE_GROUP_FILE 0x0400 -#define EVENT_TRACE_GROUP_THREAD 0x0500 -#define EVENT_TRACE_GROUP_TCPIP 0x0600 -#define EVENT_TRACE_GROUP_JOB 0x0700 -#define EVENT_TRACE_GROUP_UDPIP 0x0800 -#define EVENT_TRACE_GROUP_REGISTRY 0x0900 -#define EVENT_TRACE_GROUP_DBGPRINT 0x0A00 -#define EVENT_TRACE_GROUP_CONFIG 0x0B00 -#define EVENT_TRACE_GROUP_SPARE1 0x0C00 // Spare1 -#define EVENT_TRACE_GROUP_WNF 0x0D00 -#define EVENT_TRACE_GROUP_POOL 0x0E00 -#define EVENT_TRACE_GROUP_PERFINFO 0x0F00 -#define EVENT_TRACE_GROUP_HEAP 0x1000 -#define EVENT_TRACE_GROUP_OBJECT 0x1100 -#define EVENT_TRACE_GROUP_POWER 0x1200 -#define EVENT_TRACE_GROUP_MODBOUND 0x1300 -#define EVENT_TRACE_GROUP_IMAGE 0x1400 -#define EVENT_TRACE_GROUP_DPC 0x1500 -#define EVENT_TRACE_GROUP_CC 0x1600 -#define EVENT_TRACE_GROUP_CRITSEC 0x1700 -#define EVENT_TRACE_GROUP_STACKWALK 0x1800 -#define EVENT_TRACE_GROUP_UMS 0x1900 -#define EVENT_TRACE_GROUP_ALPC 0x1A00 -#define EVENT_TRACE_GROUP_SPLITIO 0x1B00 -#define EVENT_TRACE_GROUP_THREAD_POOL 0x1C00 -#define EVENT_TRACE_GROUP_HYPERVISOR 0x1D00 -#define EVENT_TRACE_GROUP_HYPERVISORX 0x1E00 - -// -// If you add any new groups, 
you must bump up MAX_KERNEL_TRACE_EVENTS -// and make sure post processing is fixed up. -// -#define MAX_KERNEL_TRACE_EVENTS 0x1F - -// -// The highest order bit of a data block is set if trace, WNODE otherwise -// -#define TRACE_HEADER_FLAG 0x80000000 - -// Header type for tracing messages -// | Marker(8) | Reserved(8) | Size(16) | MessageNumber(16) | Flags(16) -#define TRACE_MESSAGE 0x10000000 - -// | MARKER(16) | SIZE (16) | ULONG 32 | TIME_STAMP ... -#define TRACE_HEADER_ULONG32_TIME 0xB0000000 - -// -// The second bit is set if the trace is used by PM & CP (fixed headers) -// If not, the data block is used by for finer data for performance analysis -// -#define TRACE_HEADER_EVENT_TRACE 0x40000000 -// -// If set, the data block is SYSTEM_TRACE_HEADER -// -#define TRACE_HEADER_ENUM_MASK 0x00FF0000 - -// -// The following are various header type -// -#define TRACE_HEADER_TYPE_SYSTEM32 1 -#define TRACE_HEADER_TYPE_SYSTEM64 2 -#define TRACE_HEADER_TYPE_COMPACT32 3 -#define TRACE_HEADER_TYPE_COMPACT64 4 -#define TRACE_HEADER_TYPE_FULL_HEADER32 10 -#define TRACE_HEADER_TYPE_INSTANCE32 11 -#define TRACE_HEADER_TYPE_TIMED 12 // Not used -#define TRACE_HEADER_TYPE_ERROR 13 // Error while logging event -#define TRACE_HEADER_TYPE_WNODE_HEADER 14 // Not used -#define TRACE_HEADER_TYPE_MESSAGE 15 -#define TRACE_HEADER_TYPE_PERFINFO32 16 -#define TRACE_HEADER_TYPE_PERFINFO64 17 -#define TRACE_HEADER_TYPE_EVENT_HEADER32 18 -#define TRACE_HEADER_TYPE_EVENT_HEADER64 19 -#define TRACE_HEADER_TYPE_FULL_HEADER64 20 -#define TRACE_HEADER_TYPE_INSTANCE64 21 - -#define EVENT_HEADER_SIZE_MASK 0x0000FFFF - -#define SYSTEM_TRACE_VERSION 2 - - // - // The following two are used for defining LogFile layout version. - // - // 1.2 -- Add per-processor event streams. - // 1.3 -- Remove rundown and context/switch streams. - // 1.4 -- Add header stream. - // 1.5 -- Include QPC and Platform clock source in the header. 
- // - // 2.0 -- Larger Buffers (over 1MB) / 256+ Processors / Compression (Win8). - // - -#define TRACE_VERSION_MAJOR_WIN7 1 -#define TRACE_VERSION_MINOR_WIN7 5 - -#define TRACE_VERSION_MAJOR 2 -#define TRACE_VERSION_MINOR 0 - -#define SYSTEM_TRACE_MARKER32 (TRACE_HEADER_FLAG | TRACE_HEADER_EVENT_TRACE | (TRACE_HEADER_TYPE_SYSTEM32 << 16)) -#define SYSTEM_TRACE_MARKER64 (TRACE_HEADER_FLAG | TRACE_HEADER_EVENT_TRACE | (TRACE_HEADER_TYPE_SYSTEM64 << 16)) - -#define COMPACT_TRACE_MARKER32 (TRACE_HEADER_FLAG | TRACE_HEADER_EVENT_TRACE | (TRACE_HEADER_TYPE_COMPACT32 << 16)) -#define COMPACT_TRACE_MARKER64 (TRACE_HEADER_FLAG | TRACE_HEADER_EVENT_TRACE | (TRACE_HEADER_TYPE_COMPACT64 << 16)) - -#define PERFINFO_TRACE_MARKER32 (TRACE_HEADER_FLAG | TRACE_HEADER_EVENT_TRACE | (TRACE_HEADER_TYPE_PERFINFO32 << 16)) -#define PERFINFO_TRACE_MARKER64 (TRACE_HEADER_FLAG | TRACE_HEADER_EVENT_TRACE | (TRACE_HEADER_TYPE_PERFINFO64 << 16)) - -#define TRACE_HEADER_PEBS_INDEX_FLAG 0x00008000 -#define TRACE_HEADER_SPARE_FLAG1 0x00004000 -#define TRACE_HEADER_SPARE_FLAG2 0x00002000 -#define TRACE_HEADER_SPARE_FLAG3 0x00001000 -#define TRACE_HEADER_SPARE_FLAG4 0x00000800 -#define TRACE_HEADER_PMC_COUNTERS_MASK 0x00000700 -#define TRACE_HEADER_PMC_COUNTERS_SHIFT 8 - -#define TRACE_HEADER_EXT_ITEMS_MASK (TRACE_HEADER_PEBS_INDEX_FLAG | TRACE_HEADER_PMC_COUNTERS_MASK) - -#ifdef _WIN64 -#define SYSTEM_TRACE_MARKER SYSTEM_TRACE_MARKER64 -#define COMPACT_TRACE_MARKER COMPACT_TRACE_MARKER64 -#define PERFINFO_TRACE_MARKER PERFINFO_TRACE_MARKER64 -#else -#define SYSTEM_TRACE_MARKER SYSTEM_TRACE_MARKER32 -#define COMPACT_TRACE_MARKER COMPACT_TRACE_MARKER32 -#define PERFINFO_TRACE_MARKER PERFINFO_TRACE_MARKER32 -#endif - -// -// Support a maximum of 64 logger instances. 
-// -#define MAXLOGGERS 64 - -// -// Set of Internal Flags passed to the Logger via ClientContext during StartTrace -// -#define EVENT_TRACE_CLOCK_RAW 0 // Use Raw timestamp -#define EVENT_TRACE_CLOCK_PERFCOUNTER 1 // Use HighPerfClock (Default) -#define EVENT_TRACE_CLOCK_SYSTEMTIME 2 // Use SystemTime -#define EVENT_TRACE_CLOCK_CPUCYCLE 3 // Use CPU cycle counter -#define EVENT_TRACE_CLOCK_MAX 4 // Max number of clock types - -// -// NOTE: The following should not overlap with other bits in the LogFileMode -// or LoggerMode defined in evntrace.h. Placed here since it is for internal -// use only. -// -#define EVENT_TRACE_KD_FILTER_MODE 0x00080000 // KD_FILTER -#define EVENT_TRACE_BUFFER_INTERFACE_MODE 0x00040000 - -// -// LoggerMode flags on Win7 and above. -// -#define EVENT_TRACE_USE_MS_FLUSH_TIMER 0x00000010 // FlushTimer value in milliseconds -#define EVENT_TRACE_BLOCKING_MODE 0x20000000 // Private loggers wait for buffers - -// -// LoggerMode flags on Win8 and above. -// -#define EVENT_TRACE_REALTIME_RELOG_MODE 0x00100000 // Private logger, relogging real-time events - // This is same as EVENT_TRACE_MODE_RESERVED - -#define EVENT_TRACE_LOST_EVENTS_DEBUG_MODE 0x00200000 // Break on lost events -#define EVENT_TRACE_COMPRESSED_MODE 0x04000000 // Compress relogged file - - // - // see evntrace.h for pre-defined generic event types (0-10) - // - typedef struct _WMI_TRACE_PACKET - { - USHORT Size; - union - { - USHORT HookId; - struct - { - UCHAR Type; - UCHAR Group; - } DUMMYSTRUCTNAME; - } DUMMYUNIONNAME; - } WMI_TRACE_PACKET, *PWMI_TRACE_PACKET; - - static_assert(sizeof(WMI_TRACE_PACKET) == sizeof(ULONG), "WMI_TRACE_PACKET must equal sizeof(ULONG)"); - - // New struct that replaces EVENT_INSTANCE_GUID_HEADER. It is basically - // EVENT_TRACE_HEADER + 2 Guids. - // For XP, we will not publish this struct and hide it from users. - // TRACE_VERSION in LOG_FILE_HEADER will tell the consumer APIs to use - // this struct instead of EVENT_TRACE_HEADER. 
- - typedef struct _EVENT_INSTANCE_GUID_HEADER - { - USHORT Size; // Size of entire record - union - { - USHORT FieldTypeFlags; // Indicates valid fields - struct - { - UCHAR HeaderType; // Header type - internal use only - UCHAR MarkerFlags; // Marker - internal use only - } DUMMYSTRUCTNAME; - } DUMMYUNIONNAME; - union - { - ULONG Version; - struct - { - UCHAR Type; // event type - UCHAR Level; // trace instrumentation level - USHORT Version; // version of trace record - } Class; - } DUMMYUNIONNAME2; - ULONG ThreadId; // Thread Id - ULONG ProcessId; // Process Id - LARGE_INTEGER TimeStamp; // time when event happens - union - { - GUID Guid; // Guid that identifies event - ULONGLONG GuidPtr; // use with WNODE_FLAG_USE_GUID_PTR - } DUMMYUNIONNAME3; - union - { - struct - { - ULONG ClientContext; // Reserved - ULONG Flags; // Flags for header - } DUMMYSTRUCTNAME; - struct - { - ULONG KernelTime; // Kernel Mode CPU ticks - ULONG UserTime; // User mode CPU ticks - } DUMMYSTRUCTNAME2; - ULONG64 ProcessorTime; // Processor Clock - } DUMMYUNIONNAME4; - ULONG InstanceId; - ULONG ParentInstanceId; - GUID ParentGuid; // Guid that identifies event - } EVENT_INSTANCE_GUID_HEADER, *PEVENT_INSTANCE_GUID_HEADER; - - typedef ULONGLONG PERFINFO_TIMESTAMP; - typedef struct _PERFINFO_TRACE_HEADER PERFINFO_TRACE_ENTRY, *PPERFINFO_TRACE_ENTRY; - - // - // 64-bit Trace header for NTPERF events - // - // Note. The field "Version" will temporary be used to log CPU Id when log to PerfMem. - // This will be removed after we change the buffer management to be the same as WMI. - // i.e., Each CPU will allocate a block of memory for logging and CPU id is in the header - // of each block. - // - typedef struct _PERFINFO_TRACE_HEADER - { - union - { - ULONG Marker; - struct - { - USHORT Version; - UCHAR HeaderType; - UCHAR Flags; // WMI uses this flag to identify event types - } DUMMYSTRUCTNAME; - } DUMMYUNIONNAME; - union - { - ULONG Header; // both sizes must be the same! 
- WMI_TRACE_PACKET Packet; - } DUMMYUNIONNAME2; - union - { - PERFINFO_TIMESTAMP TS; - LARGE_INTEGER SystemTime; - } DUMMYUNIONNAME3; - UCHAR Data[1]; - } PERFINFO_TRACE_HEADER, *PPERFINFO_TRACE_HEADER; - - // - // 64-bit Trace header for kernel events - // - typedef struct _SYSTEM_TRACE_HEADER - { - union - { - ULONG Marker; - struct - { - USHORT Version; - UCHAR HeaderType; - UCHAR Flags; - } DUMMYSTRUCTNAME; - } DUMMYUNIONNAME; - union - { - ULONG Header; // both sizes must be the same! - WMI_TRACE_PACKET Packet; - } DUMMYUNIONNAME2; - ULONG ThreadId; - ULONG ProcessId; - LARGE_INTEGER SystemTime; - ULONG KernelTime; - ULONG UserTime; - } SYSTEM_TRACE_HEADER, *PSYSTEM_TRACE_HEADER; - -// -// System header with no User/Kernel time. -// -#define COMPACT_HEADER_SIZE (RTL_SIZEOF_THROUGH_FIELD(SYSTEM_TRACE_HEADER, SystemTime)) - - // - // 64-bit Trace Header for Tracing Messages - // - typedef struct _WMI_TRACE_MESSAGE_PACKET - { - USHORT MessageNumber; // The message Number, index of messages by GUID - // Or ComponentID - USHORT OptionFlags; // Flags associated with the message - } WMI_TRACE_MESSAGE_PACKET, *PWMI_TRACE_MESSAGE_PACKET; - - static_assert(sizeof(WMI_TRACE_MESSAGE_PACKET) == sizeof(ULONG), "WMI_TRACE_MESSAGE_PACKET must equal sizeof(ULONG)"); - - typedef struct _MESSAGE_TRACE_HEADER - { - union - { - ULONG Marker; - struct - { - USHORT Size; // Total Size of the message including header - UCHAR Reserved; // Unused and reserved - UCHAR Version; // The message structure type (TRACE_MESSAGE_FLAG) - } DUMMYSTRUCTNAME; - } DUMMYUNIONNAME; - union - { - ULONG Header; // both sizes must be the same! 
- WMI_TRACE_MESSAGE_PACKET Packet; - } DUMMYUNIONNAME2; - } MESSAGE_TRACE_HEADER, *PMESSAGE_TRACE_HEADER; - - typedef struct _MESSAGE_TRACE - { - MESSAGE_TRACE_HEADER MessageHeader; - UCHAR Data; - } MESSAGE_TRACE, *PMESSAGE_TRACE; - -#define TRACE_MESSAGE_USERMODE 0x40 // flag indicating message came from user mode -#define TRACE_MESSAGE_WOW 0x80 - // - // Structure used to pass user log messages to the kernel - // - typedef struct DECLSPEC_ALIGN(8) _MESSAGE_TRACE_USER - { - MESSAGE_TRACE_HEADER MessageHeader; - GUID MessageGuid; - ULONG MessageFlags; - ULONG DataSize; - ULONG64 Data; - } MESSAGE_TRACE_USER, *PMESSAGE_TRACE_USER; - - // - // N.B. ETW_REF_CLOCK needs to be available for WOW64, thus the trick with defines for ETW_WOW64. - // - typedef struct _ETW_REF_CLOCK - { - LARGE_INTEGER StartTime; - LARGE_INTEGER StartPerfClock; - } ETW_REF_CLOCK, *PETW_REF_CLOCK; - -#ifndef ETW_WOW6432 - - typedef enum _ETW_BUFFER_STATE - { - EtwBufferStateFree, - EtwBufferStateGeneralLogging, - EtwBufferStateCSwitch, - EtwBufferStateFlush, - EtwBufferStateMaximum // MaxState should always be the last enum - } ETW_BUFFER_STATE, - *PETW_BUFFER_STATE; - -#define ETW_BUFFER_TYPE_GENERIC 0 -#define ETW_BUFFER_TYPE_RUNDOWN 1 -#define ETW_BUFFER_TYPE_CTX_SWAP 2 -#define ETW_BUFFER_TYPE_REFTIME 3 -#define ETW_BUFFER_TYPE_HEADER 4 -#define ETW_BUFFER_TYPE_BATCHED 5 -#define ETW_BUFFER_TYPE_EMPTY_MARKER 6 -#define ETW_BUFFER_TYPE_DBG_INFO 7 -#define ETW_BUFFER_TYPE_MAXIMUM 8 - -#define ETW_BUFFER_FLAG_NORMAL 0x0000 -#define ETW_BUFFER_FLAG_FLUSH_MARKER 0x0001 -#define ETW_BUFFER_FLAG_EVENTS_LOST 0x0002 -#define ETW_BUFFER_FLAG_BUFFER_LOST 0x0004 -#define ETW_BUFFER_FLAG_RTBACKUP_CORRUPT 0x0008 -#define ETW_BUFFER_FLAG_RTBACKUP 0x0010 -#define ETW_BUFFER_FLAG_PROC_INDEX 0x0020 -#define ETW_BUFFER_FLAG_COMPRESSED 0x0040 - -#define ETW_PROCESSOR_INDEX_MASK 0x07FF - -// -// The following constants for real time event loss reasons should be -// in sync with the messages in 
admin\wmi\events\service\eventlog.man. -// -#define ETW_RT_LOSS_EVENT 0x20 -#define ETW_RT_LOSS_BUFFER 0x21 -#define ETW_RT_LOSS_BACKUP 0x22 - - typedef enum _ETW_RT_EVENT_LOSS - { - EtwRtEventNoLoss, - EtwRtEventLost, - EtwRtBufferLost, - EtwRtBackupLost, - EtwRtEventLossMax - } ETW_RT_EVENT_LOSS, - *PETW_RT_EVENT_LOSS; - - typedef struct _WMI_BUFFER_HEADER *PWMI_BUFFER_HEADER; - - typedef struct _WMI_BUFFER_HEADER - { - ULONG BufferSize; // BufferSize - ULONG SavedOffset; // Temp saved offset - volatile ULONG CurrentOffset; // Current offset - volatile LONG ReferenceCount; // Reference count - LARGE_INTEGER TimeStamp; // Flush time stamp - LONGLONG SequenceNumber; // Buffer sequence number - - union - { - struct - { // DBG_INFO buffers send to debugger - ULONGLONG ClockType : 3; - ULONGLONG Frequency : 61; - } DUMMYSTRUCTNAME; - SINGLE_LIST_ENTRY SlistEntry; // Local list when flushing - PWMI_BUFFER_HEADER NextBuffer; // FlushList - } DUMMYUNIONNAME; - - ETW_BUFFER_CONTEXT ClientContext; // LoggerId/ProcessorIndex - ETW_BUFFER_STATE State; // (Free/GeneralLogging/Flush) - - ULONG Offset; // Offset when flushing (can overlap SavedOffset) - USHORT BufferFlag; // (flush marker, events lost) - USHORT BufferType; // (generic/rundown/cswitch/reftime) - union - { - ULONG Padding1[4]; - ETW_REF_CLOCK ReferenceTime; // persistent real-time - LIST_ENTRY GlobalEntry; // Global list entry - struct - { - PVOID Pointer0; - PVOID Pointer1; - } DUMMYSTRUCTNAME2; - } DUMMYUNIONNAME2; - } WMI_BUFFER_HEADER, *PWMI_BUFFER_HEADER; - - static_assert(sizeof(WMI_BUFFER_HEADER) == 0x48, "WMI_BUFFER_HEADER must equal 0x48"); - C_ASSERT(FIELD_OFFSET(WMI_BUFFER_HEADER, BufferSize) == 0x0); - C_ASSERT(FIELD_OFFSET(WMI_BUFFER_HEADER, SavedOffset) == 0x4); - C_ASSERT(FIELD_OFFSET(WMI_BUFFER_HEADER, CurrentOffset) == 0x8); - C_ASSERT(FIELD_OFFSET(WMI_BUFFER_HEADER, TimeStamp) == 0x10); - C_ASSERT(FIELD_OFFSET(WMI_BUFFER_HEADER, SlistEntry) == 0x20); - C_ASSERT(FIELD_OFFSET(WMI_BUFFER_HEADER, 
ClientContext) == 0x28); - C_ASSERT(FIELD_OFFSET(WMI_BUFFER_HEADER, State) == 0x2c); // Compression - C_ASSERT(FIELD_OFFSET(WMI_BUFFER_HEADER, Offset) == 0x30); - C_ASSERT(FIELD_OFFSET(WMI_BUFFER_HEADER, BufferFlag) == 0x34); - C_ASSERT(FIELD_OFFSET(WMI_BUFFER_HEADER, BufferType) == 0x36); - - typedef struct _TRACE_ENABLE_FLAG_EXTENSION - { - USHORT Offset; // Offset to the flag array in structure - UCHAR Length; // Length of flag array in ULONGs - UCHAR Flag; // Must be set to EVENT_TRACE_FLAG_EXTENSION - } TRACE_ENABLE_FLAG_EXTENSION, *PTRACE_ENABLE_FLAG_EXTENSION; - - typedef struct _TRACE_ENABLE_FLAG_EXT_HEADER - { - USHORT Length; // Length in ULONGs - USHORT Items; // # of items - } TRACE_ENABLE_FLAG_EXT_HEADER, *PTRACE_ENABLE_FLAG_EXT_HEADER; - - typedef struct _TRACE_ENABLE_FLAG_EXT_ITEM - { - USHORT Offset; // Offset to the next block - USHORT Type; // Extension type - } TRACE_ENABLE_FLAG_EXT_ITEM, *PTRACE_ENABLE_FLAG_EXT_ITEM; - -#define EVENT_TRACE_FLAG_EXT_ITEMS 0x80FF0000 // New extension structure -#define EVENT_TRACE_FLAG_EXT_LEN_NEW_STRUCT 0xFF // Pseudo length to denote new struct format - -#define ETW_MINIMUM_CACHED_STACK_LENGTH 4 -#define ETW_SW_ARRAY_SIZE 256 // Frame Count allocated in lookaside list -#define ETW_STACK_SW_ARRAY_SIZE 192 // Frame Count allocated in stack -#define ETW_MAX_STACKWALK_FILTER 256 // Max number of HookId's -#define ETW_MAX_TAG_FILTER 4 -#define ETW_MAX_POOLTAG_FILTER ETW_MAX_TAG_FILTER - -#define ETW_EXT_ENABLE_FLAGS 0x0001 -#define ETW_EXT_PIDS 0x0002 -#define ETW_EXT_STACKWALK_FILTER 0x0003 -#define ETW_EXT_POOLTAG_FILTER 0x0004 -#define ETW_EXT_STACK_CACHING 0x0005 - - // - // Extended item for configuring stack caching. 
- // - typedef struct _ETW_STACK_CACHING_CONFIG - { - ULONG CacheSize; - ULONG BucketCount; - } ETW_STACK_CACHING_CONFIG, *PETW_STACK_CACHING_CONFIG; - -#endif // ifndef ETW_WOW6432 - -#define PERFINFO_APPLY_OFFSET_GIVING_TYPE(_Base, _Offset, _Type) ((_Type)(((PPERF_BYTE)(_Base)) + (_Offset))) -#define PERFINFO_ROUND_UP(Size, Amount) (((ULONG)(Size) + ((Amount) - 1)) & ~((Amount) - 1)) - -// -// Enable flags, hook id's, etc... -// -#define PERF_MASK_INDEX (0xe0000000) -#define PERF_MASK_GROUP (~PERF_MASK_INDEX) -#define PERF_NUM_MASKS 8 - - typedef ULONG PERFINFO_MASK; - - // - // This structure holds a group mask for all the PERF_NUM_MASKS sets (see PERF_MASK_INDEX above). - // - typedef struct _PERFINFO_GROUPMASK - { - ULONG Masks[PERF_NUM_MASKS]; - } PERFINFO_GROUPMASK, *PPERFINFO_GROUPMASK; - -#define PERF_GET_MASK_INDEX(GM) (((GM) & PERF_MASK_INDEX) >> 29) -#define PERF_GET_MASK_GROUP(GM) ((GM) & PERF_MASK_GROUP) - -#define PERFINFO_CLEAR_GROUPMASK(GroupMask) RtlZeroMemory((GroupMask), sizeof(PERFINFO_GROUPMASK)) -#define PERFINFO_OR_GROUP_WITH_GROUPMASK(Group, GroupMask) (GroupMask)->Masks[PERF_GET_MASK_INDEX(Group)] |= PERF_GET_MASK_GROUP(Group) -#define PERFINFO_CLEAR_GROUP_IN_GROUPMASK(Group, GroupMask) (GroupMask)->Masks[PERF_GET_MASK_INDEX(Group)] &= (~PERF_GET_MASK_GROUP(Group)) - - /*++ - - Routine Description: - - Determines whether any group is on in a group mask - - Arguments: - - Group - Group index to check. - - GroupMask - pointer to group mask to check. - - Return Value: - - Boolean indicating whether it is set or not. - - Environment: - - User mode. - - --*/ - FORCEINLINE - BOOLEAN - PerfIsGroupOnInGroupMask( - _In_ ULONG Group, - _In_ PPERFINFO_GROUPMASK GroupMask) - { - PPERFINFO_GROUPMASK TestMask = GroupMask; - - return (BOOLEAN)(((TestMask) != NULL) && (((TestMask)->Masks[PERF_GET_MASK_INDEX((Group))] & PERF_GET_MASK_GROUP((Group))) != 0)); - } - -// Group Masks (enabling flags) are used to determine the type of -// events to be logged. 
Each hook type is controlled by one bit in the -// Group masks. -// -// Currently we have 8 sets of global masks available. Each set is a ULONG with -// the highest 3 bits reserved for PERF_MASK_INDEX, which is used to index to -// the particular set of masks. For example, -// -// #define PERF_GROUP1 0x0XXXXXXX in the 0th set (0x10000000 is the last bit in this set) -// #define PERF_GROUP2 0x2XXXXXXX in the 1st set (0x30000000 is the last bit in this set) -// #define PERF_GROUP3 0x4XXXXXXX in the 2nd set (0x50000000 is the last bit in this set) -// ... -// #define PERF_GROUP7 0xeXXXXXXX in the 7th set (0xf0000000 is the last bit in this set) -// -// See ntperf.h for the manipulations of flags. -// -// Externally published group masks (only in the 0th set) are defined in envtrace.h. -// This section contains extended group masks which are private. -// -// The highest set of GROUP_MASK (0xeXXXXXXX) is currently reserved for -// modifying system behaviors (e.g., turn off page fault clustering, limit -// process working set when BigFoot is turned on, etc.) when trace is -// turned on. -// -// -// -// NOTE: In LongHorn we decided to expose some of the flags outside of group 0. 
-// We did that by adding the following flags which are treated as aliases: -// -// EVENT_TRACE_FLAG_CSWITCH -// EVENT_TRACE_FLAG_DPC -// EVENT_TRACE_FLAG_INTERRUPT -// EVENT_TRACE_FLAG_SYSTEMCALL -// EVENT_TRACE_FLAG_DRIVER -// EVENT_TRACE_FLAG_PROFILE -// -// -// GlobalMask 0 (Masks[0]) -// -#define PERF_REGISTRY EVENT_TRACE_FLAG_REGISTRY -#define PERF_HARD_FAULTS EVENT_TRACE_FLAG_MEMORY_HARD_FAULTS -#define PERF_JOB EVENT_TRACE_FLAG_JOB -#define PERF_PROC_THREAD EVENT_TRACE_FLAG_PROCESS | EVENT_TRACE_FLAG_THREAD -#define PERF_PROCESS EVENT_TRACE_FLAG_PROCESS -#define PERF_THREAD EVENT_TRACE_FLAG_THREAD -#define PERF_DISK_IO EVENT_TRACE_FLAG_DISK_FILE_IO | EVENT_TRACE_FLAG_DISK_IO -#define PERF_DISK_IO_INIT EVENT_TRACE_FLAG_DISK_IO_INIT -#define PERF_LOADER EVENT_TRACE_FLAG_IMAGE_LOAD -#define PERF_ALL_FAULTS EVENT_TRACE_FLAG_MEMORY_PAGE_FAULTS -#define PERF_FILENAME EVENT_TRACE_FLAG_DISK_FILE_IO -#define PERF_NETWORK EVENT_TRACE_FLAG_NETWORK_TCPIP -#define PERF_ALPC EVENT_TRACE_FLAG_ALPC -#define PERF_SPLIT_IO EVENT_TRACE_FLAG_SPLIT_IO -#define PERF_PERF_COUNTER EVENT_TRACE_FLAG_PROCESS_COUNTERS -#define PERF_FILE_IO EVENT_TRACE_FLAG_FILE_IO -#define PERF_FILE_IO_INIT EVENT_TRACE_FLAG_FILE_IO_INIT -#define PERF_DBGPRINT EVENT_TRACE_FLAG_DBGPRINT -#define PERF_NO_SYSCONFIG EVENT_TRACE_FLAG_NO_SYSCONFIG -#define PERF_VAMAP EVENT_TRACE_FLAG_VAMAP -#define PERF_DEBUG_EVENTS EVENT_TRACE_FLAG_DEBUG_EVENTS - -// -// GlobalMask 1 (Masks[1]) -// -#define PERF_MEMORY 0x20000001 // High level WS manager activities, PFN changes -#define PERF_PROFILE 0x20000002 // Sysprof // equivalent to EVENT_TRACE_FLAG_PROFILE -#define PERF_CONTEXT_SWITCH 0x20000004 // Context Switch // equivalent to EVENT_TRACE_FLAG_CSWITCH -#define PERF_FOOTPRINT 0x20000008 // Flush WS on every mark_with_flush -#define PERF_DRIVERS 0x20000010 // equivalent to EVENT_TRACE_FLAG_DRIVER -#define PERF_REFSET 0x20000020 // PERF_FOOTPRINT + log AutoMark on trace start/stop. 
-#define PERF_POOL 0x20000040 -#define PERF_POOLTRACE 0x20000041 -#define PERF_DPC 0x20000080 // equivalent to EVENT_TRACE_FLAG_DPC -#define PERF_COMPACT_CSWITCH 0x20000100 -#define PERF_DISPATCHER 0x20000200 // equivalent to EVENT_TRACE_FLAG_DISPATCHER -#define PERF_PMC_PROFILE 0x20000400 -#define PERF_PROFILING 0x20000402 -#define PERF_PROCESS_INSWAP 0x20000800 -#define PERF_AFFINITY 0x20001000 -#define PERF_PRIORITY 0x20002000 -#define PERF_INTERRUPT 0x20004000 // equivalent to EVENT_TRACE_FLAG_INTERRUPT -#define PERF_VIRTUAL_ALLOC 0x20008000 // equivalent to EVENT_TRACE_FLAG_VIRTUAL_ALLOC -#define PERF_SPINLOCK 0x20010000 -#define PERF_SYNC_OBJECTS 0x20020000 -#define PERF_DPC_QUEUE 0x20040000 -#define PERF_MEMINFO 0x20080000 -#define PERF_CONTMEM_GEN 0x20100000 -#define PERF_SPINLOCK_CNTRS 0x20200000 -#define PERF_SPININSTR 0x20210000 -#define PERF_SESSION 0x20400000 -#define PERF_PFSECTION PERF_SESSION // Bits in this group are scarce and so use SESSION for PFSECTION events. -#define PERF_MEMINFO_WS 0x20800000 // Logs Workingset/Commit information on MemInfo DPC -#define PERF_KERNEL_QUEUE 0x21000000 -#define PERF_INTERRUPT_STEER 0x22000000 -#define PERF_SHOULD_YIELD 0x24000000 -#define PERF_WS 0x28000000 -// #define PERF_POOLTRACE (PERF_MEMORY | PERF_POOL) -// #define PERF_PROFILING (PERF_PROFILE | PERF_PMC_PROFILE) -// #define PERF_SPININSTR (PERF_SPINLOCK | PERF_SPINLOCK_CNTRS) - -// -// GlobalMask 2 (Masks[2]) -// -#define PERF_ANTI_STARVATION 0x40000001 -#define PERF_PROCESS_FREEZE 0x40000002 -#define PERF_PFN_LIST 0x40000004 -#define PERF_WS_DETAIL 0x40000008 -#define PERF_WS_ENTRY 0x40000010 -#define PERF_HEAP 0x40000020 -#define PERF_SYSCALL 0x40000040 -#define PERF_UMS 0x40000080 -#define PERF_BACKTRACE 0x40000100 -#define PERF_VULCAN 0x40000200 -#define PERF_OBJECTS 0x40000400 -#define PERF_EVENTS 0x40000800 -#define PERF_FULLTRACE 0x40001000 -#define PERF_DFSS 0x40002000 // spare -#define PERF_PREFETCH 0x40004000 -#define PERF_PROCESSOR_IDLE 
0x40008000 -#define PERF_CPU_CONFIG 0x40010000 -#define PERF_TIMER 0x40020000 -#define PERF_CLOCK_INTERRUPT 0x40040000 -#define PERF_LOAD_BALANCER 0x40080000 // spare -#define PERF_CLOCK_TIMER 0x40100000 -#define PERF_IDLE_SELECTION 0x40200000 -#define PERF_IPI 0x40400000 -#define PERF_IO_TIMER 0x40800000 -#define PERF_REG_HIVE 0x41000000 -#define PERF_REG_NOTIF 0x42000000 -#define PERF_PPM_EXIT_LATENCY 0x44000000 -#define PERF_WORKER_THREAD 0x48000000 - - // - // GlobalMask 3 (Masks[3]) - // - - // Reserved 0x60000001 - // Reserved 0x60000002 - // Reserved 0x60000004 - // Reserved 0x60000008 - // ... - - // - // GlobalMask 4 (Masks[4]) - // - -#define PERF_OPTICAL_IO 0x80000001 -#define PERF_OPTICAL_IO_INIT 0x80000002 -// Reserved 0x80000004 -#define PERF_DLL_INFO 0x80000008 -#define PERF_DLL_FLUSH_WS 0x80000010 -// Reserved 0x80000020 -#define PERF_OB_HANDLE 0x80000040 -#define PERF_OB_OBJECT 0x80000080 -// Reserved 0x80000100 -#define PERF_WAKE_DROP 0x80000200 -#define PERF_WAKE_EVENT 0x80000400 -#define PERF_DEBUGGER 0x80000800 -#define PERF_PROC_ATTACH 0x80001000 -#define PERF_WAKE_COUNTER 0x80002000 -// Reserved 0x80004000 -#define PERF_POWER 0x80008000 -#define PERF_SOFT_TRIM 0x80010000 -#define PERF_CC 0x80020000 -// Reserved 0x80040000 -#define PERF_FLT_IO_INIT 0x80080000 -#define PERF_FLT_IO 0x80100000 -#define PERF_FLT_FASTIO 0x80200000 -#define PERF_FLT_IO_FAILURE 0x80400000 -#define PERF_HV_PROFILE 0x80800000 -#define PERF_WDF_DPC 0x81000000 -#define PERF_WDF_INTERRUPT 0x82000000 -#define PERF_CACHE_FLUSH 0x84000000 - - // - // GlobalMask 5: - // - -#define PERF_HIBER_RUNDOWN 0xA0000001 - - // Reserved 0xA0000002 - // Reserved 0xA0000004 - // Reserved 0xA0000008 - // ... 
- - // - // GlobalMask 6: - // - -#define PERF_SYSCFG_SYSTEM 0xC0000001 -#define PERF_SYSCFG_GRAPHICS 0xC0000002 -#define PERF_SYSCFG_STORAGE 0xC0000004 -#define PERF_SYSCFG_NETWORK 0xC0000008 -#define PERF_SYSCFG_SERVICES 0xC0000010 -#define PERF_SYSCFG_PNP 0xC0000020 -#define PERF_SYSCFG_OPTICAL 0xC0000040 -// Reserved 0xC0000080 -// Reserved 0xC0000100 -#define PERF_SYSCFG_ALL 0xDFFFFFFF - - // - // GlobalMask 7: The mark is a control mask. All flags that changes system - // behaviors go here. - // - -#define PERF_CLUSTER_OFF 0xe0000001 -#define PERF_MEMORY_CONTROL 0xe0000002 - -// -// Converting old PERF hooks into WMI format. More clean up to be done. -// -// WHEN YOU ADD NEW TYPES UPDATE THE NAME TABLE in perfgroups.c: -// PerfLogTypeNames ALSO UPDATE VERIFICATION TABLE IN PERFPOSTTBLS.C -// - -// -// Event for header -// -#define WMI_LOG_TYPE_HEADER (EVENT_TRACE_GROUP_HEADER | EVENT_TRACE_TYPE_INFO) -#define WMI_LOG_TYPE_HEADER_EXTENSION (EVENT_TRACE_GROUP_HEADER | EVENT_TRACE_TYPE_EXTENSION) -#define WMI_LOG_TYPE_RUNDOWN_COMPLETE (EVENT_TRACE_GROUP_HEADER | EVENT_TRACE_TYPE_CHECKPOINT) -#define WMI_LOG_TYPE_GROUP_MASKS_END (EVENT_TRACE_GROUP_HEADER | 0x20) -#define WMI_LOG_TYPE_RUNDOWN_BEGIN (EVENT_TRACE_GROUP_HEADER | 0x30) -#define WMI_LOG_TYPE_RUNDOWN_END (EVENT_TRACE_GROUP_HEADER | 0x31) -#define WMI_LOG_TYPE_DBGID_RSDS (EVENT_TRACE_GROUP_HEADER | EVENT_TRACE_TYPE_DBGID_RSDS) -#define WMI_LOG_TYPE_DBGID_NB10 (EVENT_TRACE_GROUP_HEADER | 0x41) -#define WMI_LOG_TYPE_BUILD_LAB (EVENT_TRACE_GROUP_HEADER | 0x42) -#define WMI_LOG_TYPE_BINARY_PATH (EVENT_TRACE_GROUP_HEADER | 0x43) - - // - // Event for system config - // - -#define WMI_LOG_TYPE_CONFIG_CPU (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_CPU) -#define WMI_LOG_TYPE_CONFIG_PHYSICALDISK (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_PHYSICALDISK) -#define WMI_LOG_TYPE_CONFIG_LOGICALDISK (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_LOGICALDISK) -#define 
WMI_LOG_TYPE_CONFIG_OPTICALMEDIA (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_OPTICALMEDIA) -#define WMI_LOG_TYPE_CONFIG_NIC (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_NIC) -#define WMI_LOG_TYPE_CONFIG_VIDEO (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_VIDEO) -#define WMI_LOG_TYPE_CONFIG_SERVICES (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_SERVICES) -#define WMI_LOG_TYPE_CONFIG_POWER (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_POWER) -// #define WMI_LOG_TYPE_CONFIG_OSVERSION (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_OSVERSION) -// #define WMI_LOG_TYPE_CONFIG_VISUALTHEME (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_VISUALTHEME) -// #define WMI_LOG_TYPE_CONFIG_SYSTEMRANGE (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_SYSTEMRANGE) -// #define WMI_LOG_TYPE_CONFIG_SYSDLLINFO (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_SYSDLLINFO) -#define WMI_LOG_TYPE_CONFIG_IRQ (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_IRQ) -#define WMI_LOG_TYPE_CONFIG_PNP (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_PNP) -#define WMI_LOG_TYPE_CONFIG_IDECHANNEL (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_IDECHANNEL) -#define WMI_LOG_TYPE_CONFIG_NUMANODE (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_NUMANODE) -#define WMI_LOG_TYPE_CONFIG_PLATFORM (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_PLATFORM) -#define WMI_LOG_TYPE_CONFIG_PROCESSORGROUP (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_PROCESSORGROUP) -#define WMI_LOG_TYPE_CONFIG_PROCESSORNUMBER (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_PROCESSORNUMBER) -#define WMI_LOG_TYPE_CONFIG_DPI (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_DPI) -#define WMI_LOG_TYPE_CONFIG_CODEINTEGRITY (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_CI_INFO) -#define WMI_LOG_TYPE_CONFIG_MACHINEID (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_MACHINEID) - -// -// Event for Image and File Name -// -#define PERFINFO_LOG_TYPE_FILENAME 
(EVENT_TRACE_GROUP_FILE | EVENT_TRACE_TYPE_INFO) -#define PERFINFO_LOG_TYPE_FILENAME_CREATE (EVENT_TRACE_GROUP_FILE | 0x20) -#define PERFINFO_LOG_TYPE_FILENAME_SAME (EVENT_TRACE_GROUP_FILE | 0x21) -#define PERFINFO_LOG_TYPE_FILENAME_NULL (EVENT_TRACE_GROUP_FILE | 0x22) -#define PERFINFO_LOG_TYPE_FILENAME_DELETE (EVENT_TRACE_GROUP_FILE | 0x23) -#define PERFINFO_LOG_TYPE_FILENAME_RUNDOWN (EVENT_TRACE_GROUP_FILE | 0x24) - -#define PERFINFO_LOG_TYPE_MAPFILE (EVENT_TRACE_GROUP_FILE | 0x25) -#define PERFINFO_LOG_TYPE_UNMAPFILE (EVENT_TRACE_GROUP_FILE | 0x26) -#define PERFINFO_LOG_TYPE_MAPFILE_DC_START (EVENT_TRACE_GROUP_FILE | 0x27) -#define PERFINFO_LOG_TYPE_MAPFILE_DC_END (EVENT_TRACE_GROUP_FILE | 0x28) - -#define PERFINFO_LOG_TYPE_FILE_IO_CREATE (EVENT_TRACE_GROUP_FILE | 0x40) -#define PERFINFO_LOG_TYPE_FILE_IO_CLEANUP (EVENT_TRACE_GROUP_FILE | 0x41) -#define PERFINFO_LOG_TYPE_FILE_IO_CLOSE (EVENT_TRACE_GROUP_FILE | 0x42) -#define PERFINFO_LOG_TYPE_FILE_IO_READ (EVENT_TRACE_GROUP_FILE | 0x43) -#define PERFINFO_LOG_TYPE_FILE_IO_WRITE (EVENT_TRACE_GROUP_FILE | 0x44) -#define PERFINFO_LOG_TYPE_FILE_IO_SET_INFORMATION (EVENT_TRACE_GROUP_FILE | 0x45) -#define PERFINFO_LOG_TYPE_FILE_IO_DELETE (EVENT_TRACE_GROUP_FILE | 0x46) -#define PERFINFO_LOG_TYPE_FILE_IO_RENAME (EVENT_TRACE_GROUP_FILE | 0x47) -#define PERFINFO_LOG_TYPE_FILE_IO_DIRENUM (EVENT_TRACE_GROUP_FILE | 0x48) -#define PERFINFO_LOG_TYPE_FILE_IO_FLUSH (EVENT_TRACE_GROUP_FILE | 0x49) -#define PERFINFO_LOG_TYPE_FILE_IO_QUERY_INFORMATION (EVENT_TRACE_GROUP_FILE | 0x4A) -#define PERFINFO_LOG_TYPE_FILE_IO_FS_CONTROL (EVENT_TRACE_GROUP_FILE | 0x4B) -#define PERFINFO_LOG_TYPE_FILE_IO_OPERATION_END (EVENT_TRACE_GROUP_FILE | 0x4C) -#define PERFINFO_LOG_TYPE_FILE_IO_DIRNOTIFY (EVENT_TRACE_GROUP_FILE | 0x4D) -#define PERFINFO_LOG_TYPE_FILE_IO_CREATE_NEW (EVENT_TRACE_GROUP_FILE | 0x4E) -#define PERFINFO_LOG_TYPE_FILE_IO_DELETE_PATH (EVENT_TRACE_GROUP_FILE | 0x4F) -#define PERFINFO_LOG_TYPE_FILE_IO_RENAME_PATH 
(EVENT_TRACE_GROUP_FILE | 0x50) -#define PERFINFO_LOG_TYPE_FILE_IO_SETLINK_PATH (EVENT_TRACE_GROUP_FILE | 0x51) -#define PERFINFO_LOG_TYPE_FILE_IO_SETLINK (EVENT_TRACE_GROUP_FILE | 0x52) - - // - // Event types for minifilter callbacks - // - -#define PERFINFO_LOG_TYPE_FLT_PREOP_INIT (EVENT_TRACE_GROUP_FILE | EVENT_TRACE_TYPE_FLT_PREOP_INIT) -#define PERFINFO_LOG_TYPE_FLT_POSTOP_INIT (EVENT_TRACE_GROUP_FILE | EVENT_TRACE_TYPE_FLT_POSTOP_INIT) -#define PERFINFO_LOG_TYPE_FLT_PREOP_COMPLETION (EVENT_TRACE_GROUP_FILE | EVENT_TRACE_TYPE_FLT_PREOP_COMPLETION) -#define PERFINFO_LOG_TYPE_FLT_POSTOP_COMPLETION (EVENT_TRACE_GROUP_FILE | EVENT_TRACE_TYPE_FLT_POSTOP_COMPLETION) -#define PERFINFO_LOG_TYPE_FLT_PREOP_FAILURE (EVENT_TRACE_GROUP_FILE | EVENT_TRACE_TYPE_FLT_PREOP_FAILURE) -#define PERFINFO_LOG_TYPE_FLT_POSTOP_FAILURE (EVENT_TRACE_GROUP_FILE | EVENT_TRACE_TYPE_FLT_POSTOP_FAILURE) - - // - // Event types for Job - // - -#define WMI_LOG_TYPE_JOB_CREATE (EVENT_TRACE_GROUP_JOB | 0x20) -#define WMI_LOG_TYPE_JOB_TERMINATE (EVENT_TRACE_GROUP_JOB | 0x21) -#define WMI_LOG_TYPE_JOB_OPEN (EVENT_TRACE_GROUP_JOB | 0x22) -#define WMI_LOG_TYPE_JOB_ASSIGN_PROCESS (EVENT_TRACE_GROUP_JOB | 0x23) -#define WMI_LOG_TYPE_JOB_REMOVE_PROCESS (EVENT_TRACE_GROUP_JOB | 0x24) -#define WMI_LOG_TYPE_JOB_SET (EVENT_TRACE_GROUP_JOB | 0x25) -#define WMI_LOG_TYPE_JOB_QUERY (EVENT_TRACE_GROUP_JOB | 0x26) -#define WMI_LOG_TYPE_JOB_SET_FAILED (EVENT_TRACE_GROUP_JOB | 0x27) -#define WMI_LOG_TYPE_JOB_QUERY_FAILED (EVENT_TRACE_GROUP_JOB | 0x28) -#define WMI_LOG_TYPE_JOB_SET_NOTIFICATION (EVENT_TRACE_GROUP_JOB | 0x29) -#define WMI_LOG_TYPE_JOB_SEND_NOTIFICATION (EVENT_TRACE_GROUP_JOB | 0x2A) -#define WMI_LOG_TYPE_JOB_QUERY_VIOLATION (EVENT_TRACE_GROUP_JOB | 0x2B) -#define WMI_LOG_TYPE_JOB_SET_CPU_RATE (EVENT_TRACE_GROUP_JOB | 0x2C) -#define WMI_LOG_TYPE_JOB_SET_NET_RATE (EVENT_TRACE_GROUP_JOB | 0x2D) - - // - // Event types for Process - // - -#define WMI_LOG_TYPE_PROCESS_CREATE (EVENT_TRACE_GROUP_PROCESS | 
EVENT_TRACE_TYPE_START) -#define WMI_LOG_TYPE_PROCESS_DELETE (EVENT_TRACE_GROUP_PROCESS | EVENT_TRACE_TYPE_END) -#define WMI_LOG_TYPE_PROCESS_DC_START (EVENT_TRACE_GROUP_PROCESS | EVENT_TRACE_TYPE_DC_START) -#define WMI_LOG_TYPE_PROCESS_DC_END (EVENT_TRACE_GROUP_PROCESS | EVENT_TRACE_TYPE_DC_END) -#define WMI_LOG_TYPE_PROCESS_LOAD_IMAGE (EVENT_TRACE_GROUP_PROCESS | EVENT_TRACE_TYPE_LOAD) -#define WMI_LOG_TYPE_PROCESS_TERMINATE (EVENT_TRACE_GROUP_PROCESS | EVENT_TRACE_TYPE_TERMINATE) - -#define PERFINFO_LOG_TYPE_PROCESS_PERFCTR_END (EVENT_TRACE_GROUP_PROCESS | 0x20) -#define PERFINFO_LOG_TYPE_PROCESS_PERFCTR_RD (EVENT_TRACE_GROUP_PROCESS | 0x21) -// Reserved (EVENT_TRACE_GROUP_PROCESS | 0x22) -#define PERFINFO_LOG_TYPE_INSWAPPROCESS (EVENT_TRACE_GROUP_PROCESS | 0x23) -#define PERFINFO_LOG_TYPE_PROCESS_FREEZE (EVENT_TRACE_GROUP_PROCESS | 0x24) -#define PERFINFO_LOG_TYPE_PROCESS_THAW (EVENT_TRACE_GROUP_PROCESS | 0x25) -#define PERFINFO_LOG_TYPE_BOOT_PHASE_START (EVENT_TRACE_GROUP_PROCESS | 0x26) -#define PERFINFO_LOG_TYPE_ZOMBIE_PROCESS (EVENT_TRACE_GROUP_PROCESS | 0x27) -#define PERFINFO_LOG_TYPE_PROCESS_SET_AFFINITY (EVENT_TRACE_GROUP_PROCESS | 0x28) - -#define PERFINFO_LOG_TYPE_CHARGE_WAKE_COUNTER_USER (EVENT_TRACE_GROUP_PROCESS | 0x30) -#define PERFINFO_LOG_TYPE_CHARGE_WAKE_COUNTER_EXECUTION (EVENT_TRACE_GROUP_PROCESS | 0x31) -#define PERFINFO_LOG_TYPE_CHARGE_WAKE_COUNTER_KERNEL (EVENT_TRACE_GROUP_PROCESS | 0x32) -#define PERFINFO_LOG_TYPE_CHARGE_WAKE_COUNTER_INSTRUMENTATION (EVENT_TRACE_GROUP_PROCESS | 0x33) -#define PERFINFO_LOG_TYPE_CHARGE_WAKE_COUNTER_PRESERVE_PROCESS (EVENT_TRACE_GROUP_PROCESS | 0x34) - -#define PERFINFO_LOG_TYPE_RELEASE_WAKE_COUNTER_USER (EVENT_TRACE_GROUP_PROCESS | 0x40) -#define PERFINFO_LOG_TYPE_RELEASE_WAKE_COUNTER_EXECUTION (EVENT_TRACE_GROUP_PROCESS | 0x41) -#define PERFINFO_LOG_TYPE_RELEASE_WAKE_COUNTER_KERNEL (EVENT_TRACE_GROUP_PROCESS | 0x42) -#define PERFINFO_LOG_TYPE_RELEASE_WAKE_COUNTER_INSTRUMENTATION (EVENT_TRACE_GROUP_PROCESS 
| 0x43) -#define PERFINFO_LOG_TYPE_RELEASE_WAKE_COUNTER_PRESERVE_PROCESS (EVENT_TRACE_GROUP_PROCESS | 0x44) - -#define PERFINFO_LOG_TYPE_WAKE_DROP_USER (EVENT_TRACE_GROUP_PROCESS | 0x50) -#define PERFINFO_LOG_TYPE_WAKE_DROP_EXECUTION (EVENT_TRACE_GROUP_PROCESS | 0x51) -#define PERFINFO_LOG_TYPE_WAKE_DROP_KERNEL (EVENT_TRACE_GROUP_PROCESS | 0x52) -#define PERFINFO_LOG_TYPE_WAKE_DROP_INSTRUMENTATION (EVENT_TRACE_GROUP_PROCESS | 0x53) -#define PERFINFO_LOG_TYPE_WAKE_DROP_PRESERVE_PROCESS (EVENT_TRACE_GROUP_PROCESS | 0x54) - -#define PERFINFO_LOG_TYPE_WAKE_EVENT_USER (EVENT_TRACE_GROUP_PROCESS | 0x60) -#define PERFINFO_LOG_TYPE_WAKE_EVENT_EXECUTION (EVENT_TRACE_GROUP_PROCESS | 0x61) -#define PERFINFO_LOG_TYPE_WAKE_EVENT_KERNEL (EVENT_TRACE_GROUP_PROCESS | 0x62) -#define PERFINFO_LOG_TYPE_WAKE_EVENT_INSTRUMENTATION (EVENT_TRACE_GROUP_PROCESS | 0x63) -#define PERFINFO_LOG_TYPE_WAKE_EVENT_PRESERVE_PROCESS (EVENT_TRACE_GROUP_PROCESS | 0x64) - -#define PERFINFO_LOG_TYPE_DEBUG_EVENT (EVENT_TRACE_GROUP_PROCESS | 0x70) - - // - // Event types for Image and Library Loader - // - -#define WMI_LOG_TYPE_IMAGE_LOAD (EVENT_TRACE_GROUP_IMAGE | EVENT_TRACE_TYPE_START) // reserved for future -#define WMI_LOG_TYPE_IMAGE_UNLOAD (EVENT_TRACE_GROUP_IMAGE | EVENT_TRACE_TYPE_END) -#define WMI_LOG_TYPE_IMAGE_DC_START (EVENT_TRACE_GROUP_IMAGE | EVENT_TRACE_TYPE_DC_START) -#define WMI_LOG_TYPE_IMAGE_DC_END (EVENT_TRACE_GROUP_IMAGE | EVENT_TRACE_TYPE_DC_END) -#define WMI_LOG_TYPE_IMAGE_RELOCATION (EVENT_TRACE_GROUP_IMAGE | 0x20) -#define WMI_LOG_TYPE_IMAGE_KERNEL_BASE (EVENT_TRACE_GROUP_IMAGE | 0x21) -#define WMI_LOG_TYPE_IMAGE_HYPERCALL_PAGE (EVENT_TRACE_GROUP_IMAGE | 0x22) - -#define PERFINFO_LOG_TYPE_LDR_LOCK_ACQUIRE_ATTEMPT (EVENT_TRACE_GROUP_IMAGE | 0x80) // 128 -#define PERFINFO_LOG_TYPE_LDR_LOCK_ACQUIRE_SUCCESS (EVENT_TRACE_GROUP_IMAGE | 0x81) -#define PERFINFO_LOG_TYPE_LDR_LOCK_ACQUIRE_FAIL (EVENT_TRACE_GROUP_IMAGE | 0x82) -#define PERFINFO_LOG_TYPE_LDR_LOCK_ACQUIRE_WAIT 
(EVENT_TRACE_GROUP_IMAGE | 0x83) -#define PERFINFO_LOG_TYPE_LDR_PROC_INIT_DONE (EVENT_TRACE_GROUP_IMAGE | 0x84) // 132 -#define PERFINFO_LOG_TYPE_LDR_CREATE_SECTION (EVENT_TRACE_GROUP_IMAGE | 0x85) -#define PERFINFO_LOG_TYPE_LDR_SECTION_CREATED (EVENT_TRACE_GROUP_IMAGE | 0x86) -#define PERFINFO_LOG_TYPE_LDR_MAP_VIEW (EVENT_TRACE_GROUP_IMAGE | 0x87) - -#define PERFINFO_LOG_TYPE_LDR_RELOCATE_IMAGE (EVENT_TRACE_GROUP_IMAGE | 0x90) // 144 -#define PERFINFO_LOG_TYPE_LDR_IMAGE_RELOCATED (EVENT_TRACE_GROUP_IMAGE | 0x91) -#define PERFINFO_LOG_TYPE_LDR_HANDLE_OLD_DESCRIPTORS (EVENT_TRACE_GROUP_IMAGE | 0x92) -#define PERFINFO_LOG_TYPE_LDR_OLD_DESCRIPTORS_HANDLED (EVENT_TRACE_GROUP_IMAGE | 0x93) -#define PERFINFO_LOG_TYPE_LDR_HANDLE_NEW_DESCRIPTORS (EVENT_TRACE_GROUP_IMAGE | 0x94) // 148 -#define PERFINFO_LOG_TYPE_LDR_NEW_DESCRIPTORS_HANDLED (EVENT_TRACE_GROUP_IMAGE | 0x95) -#define PERFINFO_LOG_TYPE_LDR_DLLMAIN_EXIT (EVENT_TRACE_GROUP_IMAGE | 0x96) - -#define PERFINFO_LOG_TYPE_LDR_FIND_DLL (EVENT_TRACE_GROUP_IMAGE | 0xA0) // 160 -#define PERFINFO_LOG_TYPE_LDR_VIEW_MAPPED (EVENT_TRACE_GROUP_IMAGE | 0xA1) -#define PERFINFO_LOG_TYPE_LDR_LOCK_RELEASE (EVENT_TRACE_GROUP_IMAGE | 0xA2) -#define PERFINFO_LOG_TYPE_LDR_DLLMAIN_ENTER (EVENT_TRACE_GROUP_IMAGE | 0xA3) -#define PERFINFO_LOG_TYPE_LDR_ERROR (EVENT_TRACE_GROUP_IMAGE | 0xA4) // 164 - -#define PERFINFO_LOG_TYPE_LDR_VIEW_MAPPING (EVENT_TRACE_GROUP_IMAGE | 0xA5) // 165 -#define PERFINFO_LOG_TYPE_LDR_SNAPPING (EVENT_TRACE_GROUP_IMAGE | 0xA6) -#define PERFINFO_LOG_TYPE_LDR_SNAPPED (EVENT_TRACE_GROUP_IMAGE | 0xA7) -#define PERFINFO_LOG_TYPE_LDR_LOADING (EVENT_TRACE_GROUP_IMAGE | 0xA8) -#define PERFINFO_LOG_TYPE_LDR_LOADED (EVENT_TRACE_GROUP_IMAGE | 0xA9) -#define PERFINFO_LOG_TYPE_LDR_FOUND_KNOWN_DLL (EVENT_TRACE_GROUP_IMAGE | 0xAA) // 170 -#define PERFINFO_LOG_TYPE_LDR_ABNORMAL (EVENT_TRACE_GROUP_IMAGE | 0xAB) -#define PERFINFO_LOG_TYPE_LDR_PLACEHOLDER (EVENT_TRACE_GROUP_IMAGE | 0xAC) -#define PERFINFO_LOG_TYPE_LDR_RDY_TO_INIT 
(EVENT_TRACE_GROUP_IMAGE | 0xAD) -#define PERFINFO_LOG_TYPE_LDR_RDY_TO_RUN (EVENT_TRACE_GROUP_IMAGE | 0xAE) // 174 - -#define PERFINFO_LOG_TYPE_LDR_NEW_DLL_LOAD (EVENT_TRACE_GROUP_IMAGE | 0xB0) // 176 -#define PERFINFO_LOG_TYPE_LDR_NEW_DLL_AS_DATA (EVENT_TRACE_GROUP_IMAGE | 0xB1) // 177 - -#define PERFINFO_LOG_TYPE_LDR_EXTERNAL_PATH (EVENT_TRACE_GROUP_IMAGE | 0xC0) // 192 -#define PERFINFO_LOG_TYPE_LDR_GENERATED_PATH (EVENT_TRACE_GROUP_IMAGE | 0xC1) - -#define PERFINFO_LOG_TYPE_LDR_APISET_RESOLVING (EVENT_TRACE_GROUP_IMAGE | 0xD0) // 208 -#define PERFINFO_LOG_TYPE_LDR_APISET_HOSTED (EVENT_TRACE_GROUP_IMAGE | 0xD1) // 209 -#define PERFINFO_LOG_TYPE_LDR_APISET_UNHOSTED (EVENT_TRACE_GROUP_IMAGE | 0xD2) // 210 -#define PERFINFO_LOG_TYPE_LDR_APISET_UNRESOLVED (EVENT_TRACE_GROUP_IMAGE | 0xD3) // 211 - -#define PERFINFO_LOG_TYPE_LDR_SEARCH_SECURITY (EVENT_TRACE_GROUP_IMAGE | 0xD4) // 212 -#define PERFINFO_LOG_TYPE_LDR_SEARCH_PATH_SECURITY (EVENT_TRACE_GROUP_IMAGE | 0xD5) // 213 - - // - // Event types for Thread - // - -#define WMI_LOG_TYPE_THREAD_CREATE (EVENT_TRACE_GROUP_THREAD | EVENT_TRACE_TYPE_START) -#define WMI_LOG_TYPE_THREAD_DELETE (EVENT_TRACE_GROUP_THREAD | EVENT_TRACE_TYPE_END) -#define WMI_LOG_TYPE_THREAD_DC_START (EVENT_TRACE_GROUP_THREAD | EVENT_TRACE_TYPE_DC_START) -#define WMI_LOG_TYPE_THREAD_DC_END (EVENT_TRACE_GROUP_THREAD | EVENT_TRACE_TYPE_DC_END) - -// Reserved (EVENT_TRACE_GROUP_THREAD | 0x20) -// Reserved (EVENT_TRACE_GROUP_THREAD | 0x21) -// Reserved (EVENT_TRACE_GROUP_THREAD | 0x22) -// Reserved (EVENT_TRACE_GROUP_THREAD | 0x23) -#define PERFINFO_LOG_TYPE_CONTEXTSWAP (EVENT_TRACE_GROUP_THREAD | 0x24) -#define PERFINFO_LOG_TYPE_CONTEXTSWAP_BATCH (EVENT_TRACE_GROUP_THREAD | 0x25) -// Reserved (EVENT_TRACE_GROUP_THREAD | 0x26) -// Reserved (EVENT_TRACE_GROUP_THREAD | 0x27) -// Reserved (EVENT_TRACE_GROUP_THREAD | 0x28) -#define PERFINFO_LOG_TYPE_SPINLOCK (EVENT_TRACE_GROUP_THREAD | 0x29) -#define PERFINFO_LOG_TYPE_QUEUE (EVENT_TRACE_GROUP_THREAD | 
0x2A) -#define PERFINFO_LOG_TYPE_RESOURCE (EVENT_TRACE_GROUP_THREAD | 0x2B) -#define PERFINFO_LOG_TYPE_PUSHLOCK (EVENT_TRACE_GROUP_THREAD | 0x2C) -#define PERFINFO_LOG_TYPE_WAIT_SINGLE (EVENT_TRACE_GROUP_THREAD | 0x2D) -#define PERFINFO_LOG_TYPE_WAIT_MULTIPLE (EVENT_TRACE_GROUP_THREAD | 0x2E) -#define PERFINFO_LOG_TYPE_DELAY_EXECUTION (EVENT_TRACE_GROUP_THREAD | 0x2F) -#define PERFINFO_LOG_TYPE_THREAD_SET_PRIORITY (EVENT_TRACE_GROUP_THREAD | 0x30) -#define PERFINFO_LOT_TYPE_THREAD_SET_BASE_PRIORITY (EVENT_TRACE_GROUP_THREAD | 0x31) -#define PERFINFO_LOG_TYPE_THREAD_SET_BASE_PRIORITY (EVENT_TRACE_GROUP_THREAD | 0x31) -#define PERFINFO_LOG_TYPE_READY_THREAD (EVENT_TRACE_GROUP_THREAD | 0x32) -#define PERFINFO_LOG_TYPE_THREAD_SET_PAGE_PRIORITY (EVENT_TRACE_GROUP_THREAD | 0x33) -#define PERFINFO_LOG_TYPE_THREAD_SET_IO_PRIORITY (EVENT_TRACE_GROUP_THREAD | 0x34) -#define PERFINFO_LOG_TYPE_THREAD_SET_AFFINITY (EVENT_TRACE_GROUP_THREAD | 0x35) -#define PERFINFO_LOG_TYPE_WORKER_THREAD_ITEM (EVENT_TRACE_GROUP_THREAD | 0x39) -#define PERFINFO_LOG_TYPE_DFSS_START_NEW_INTERVAL (EVENT_TRACE_GROUP_THREAD | 0x3A) -#define PERFINFO_LOG_TYPE_DFSS_PROCESS_IDLE_ONLY_QUEUE (EVENT_TRACE_GROUP_THREAD | 0x3B) -#define PERFINFO_LOG_TYPE_ANTI_STARVATION_BOOST (EVENT_TRACE_GROUP_THREAD | 0x3C) -#define PERFINFO_LOG_TYPE_THREAD_MIGRATION (EVENT_TRACE_GROUP_THREAD | 0x3D) -#define PERFINFO_LOG_TYPE_KQUEUE_ENQUEUE (EVENT_TRACE_GROUP_THREAD | 0x3E) -#define PERFINFO_LOG_TYPE_KQUEUE_DEQUEUE (EVENT_TRACE_GROUP_THREAD | 0x3F) -#define PERFINFO_LOG_TYPE_WORKER_THREAD_ITEM_START (EVENT_TRACE_GROUP_THREAD | 0x40) -#define PERFINFO_LOG_TYPE_WORKER_THREAD_ITEM_END (EVENT_TRACE_GROUP_THREAD | 0x41) -#define PERFINFO_LOG_TYPE_AUTO_BOOST_SET_FLOOR (EVENT_TRACE_GROUP_THREAD | 0x42) -#define PERFINFO_LOG_TYPE_AUTO_BOOST_CLEAR_FLOOR (EVENT_TRACE_GROUP_THREAD | 0x43) -#define PERFINFO_LOG_TYPE_AUTO_BOOST_NO_ENTRIES (EVENT_TRACE_GROUP_THREAD | 0x44) -#define PERFINFO_LOG_TYPE_THREAD_SUBPROCESSTAG_CHANGED 
(EVENT_TRACE_GROUP_THREAD | 0x45) - - // - // Event types for Network subsystem (TCPIP/UDPIP) - // - -#define WMI_LOG_TYPE_TCPIP_SEND (EVENT_TRACE_GROUP_TCPIP | EVENT_TRACE_TYPE_SEND) -#define WMI_LOG_TYPE_TCPIP_RECEIVE (EVENT_TRACE_GROUP_TCPIP | EVENT_TRACE_TYPE_RECEIVE) -#define WMI_LOG_TYPE_TCPIP_CONNECT (EVENT_TRACE_GROUP_TCPIP | EVENT_TRACE_TYPE_CONNECT) -#define WMI_LOG_TYPE_TCPIP_DISCONNECT (EVENT_TRACE_GROUP_TCPIP | EVENT_TRACE_TYPE_DISCONNECT) -#define WMI_LOG_TYPE_TCPIP_RETRANSMIT (EVENT_TRACE_GROUP_TCPIP | EVENT_TRACE_TYPE_RETRANSMIT) -#define WMI_LOG_TYPE_TCPIP_ACCEPT (EVENT_TRACE_GROUP_TCPIP | EVENT_TRACE_TYPE_ACCEPT) -#define WMI_LOG_TYPE_TCPIP_RECONNECT (EVENT_TRACE_GROUP_TCPIP | EVENT_TRACE_TYPE_RECONNECT) -#define WMI_LOG_TYPE_TCPIP_FAIL (EVENT_TRACE_GROUP_TCPIP | EVENT_TRACE_TYPE_CONNFAIL) -#define WMI_LOG_TYPE_TCPIP_TCPCOPY (EVENT_TRACE_GROUP_TCPIP | EVENT_TRACE_TYPE_COPY_TCP) -#define WMI_LOG_TYPE_TCPIP_ARPCOPY (EVENT_TRACE_GROUP_TCPIP | EVENT_TRACE_TYPE_COPY_ARP) -#define WMI_LOG_TYPE_TCPIP_FULLACK (EVENT_TRACE_GROUP_TCPIP | EVENT_TRACE_TYPE_ACKFULL) -#define WMI_LOG_TYPE_TCPIP_PARTACK (EVENT_TRACE_GROUP_TCPIP | EVENT_TRACE_TYPE_ACKPART) -#define WMI_LOG_TYPE_TCPIP_DUPACK (EVENT_TRACE_GROUP_TCPIP | EVENT_TRACE_TYPE_ACKDUP) - -#define WMI_LOG_TYPE_UDP_SEND (EVENT_TRACE_GROUP_UDPIP | EVENT_TRACE_TYPE_SEND) -#define WMI_LOG_TYPE_UDP_RECEIVE (EVENT_TRACE_GROUP_UDPIP | EVENT_TRACE_TYPE_RECEIVE) -#define WMI_LOG_TYPE_UDP_FAIL (EVENT_TRACE_GROUP_UDPIP | EVENT_TRACE_TYPE_CONNFAIL) - -// -// Network events with IPV6 -// -#define WMI_LOG_TYPE_TCPIP_SEND_IPV6 (EVENT_TRACE_GROUP_TCPIP | 0x1A) -#define WMI_LOG_TYPE_TCPIP_RECEIVE_IPV6 (EVENT_TRACE_GROUP_TCPIP | 0x1B) -#define WMI_LOG_TYPE_TCPIP_CONNECT_IPV6 (EVENT_TRACE_GROUP_TCPIP | 0x1C) -#define WMI_LOG_TYPE_TCPIP_DISCONNECT_IPV6 (EVENT_TRACE_GROUP_TCPIP | 0x1D) -#define WMI_LOG_TYPE_TCPIP_RETRANSMIT_IPV6 (EVENT_TRACE_GROUP_TCPIP | 0x1E) -#define WMI_LOG_TYPE_TCPIP_ACCEPT_IPV6 (EVENT_TRACE_GROUP_TCPIP | 
0x1F) -#define WMI_LOG_TYPE_TCPIP_RECONNECT_IPV6 (EVENT_TRACE_GROUP_TCPIP | 0x20) -#define WMI_LOG_TYPE_TCPIP_FAIL_IPV6 (EVENT_TRACE_GROUP_TCPIP | 0x21) -#define WMI_LOG_TYPE_TCPIP_TCPCOPY_IPV6 (EVENT_TRACE_GROUP_TCPIP | 0x22) -#define WMI_LOG_TYPE_TCPIP_ARPCOPY_IPV6 (EVENT_TRACE_GROUP_TCPIP | 0x23) -#define WMI_LOG_TYPE_TCPIP_FULLACK_IPV6 (EVENT_TRACE_GROUP_TCPIP | 0x24) -#define WMI_LOG_TYPE_TCPIP_PARTACK_IPV6 (EVENT_TRACE_GROUP_TCPIP | 0x25) -#define WMI_LOG_TYPE_TCPIP_DUPACK_IPV6 (EVENT_TRACE_GROUP_TCPIP | 0x26) - -#define WMI_LOG_TYPE_UDP_SEND_IPV6 (EVENT_TRACE_GROUP_UDPIP | 0x1A) -#define WMI_LOG_TYPE_UDP_RECEIVE_IPV6 (EVENT_TRACE_GROUP_UDPIP | 0x1B) - - // - // Event types for IO subsystem - // - -#define WMI_LOG_TYPE_IO_READ (EVENT_TRACE_GROUP_IO | EVENT_TRACE_TYPE_IO_READ) -#define WMI_LOG_TYPE_IO_WRITE (EVENT_TRACE_GROUP_IO | EVENT_TRACE_TYPE_IO_WRITE) -#define WMI_LOG_TYPE_IO_READ_INIT (EVENT_TRACE_GROUP_IO | EVENT_TRACE_TYPE_IO_READ_INIT) -#define WMI_LOG_TYPE_IO_WRITE_INIT (EVENT_TRACE_GROUP_IO | EVENT_TRACE_TYPE_IO_WRITE_INIT) -#define WMI_LOG_TYPE_IO_FLUSH (EVENT_TRACE_GROUP_IO | EVENT_TRACE_TYPE_IO_FLUSH) -#define WMI_LOG_TYPE_IO_FLUSH_INIT (EVENT_TRACE_GROUP_IO | EVENT_TRACE_TYPE_IO_FLUSH_INIT) -#define WMI_LOG_TYPE_IO_REDIRECTED_INIT (EVENT_TRACE_GROUP_IO | EVENT_TRACE_TYPE_IO_REDIRECTED_INIT) - -#define PERFINFO_LOG_TYPE_DRIVER_INIT (EVENT_TRACE_GROUP_IO | 0x20) -#define PERFINFO_LOG_TYPE_DRIVER_INIT_COMPLETE (EVENT_TRACE_GROUP_IO | 0x21) -#define PERFINFO_LOG_TYPE_DRIVER_MAJORFUNCTION_CALL (EVENT_TRACE_GROUP_IO | 0x22) -#define PERFINFO_LOG_TYPE_DRIVER_MAJORFUNCTION_RETURN (EVENT_TRACE_GROUP_IO | 0x23) -#define PERFINFO_LOG_TYPE_DRIVER_COMPLETIONROUTINE_CALL (EVENT_TRACE_GROUP_IO | 0x24) -#define PERFINFO_LOG_TYPE_DRIVER_COMPLETIONROUTINE_RETURN (EVENT_TRACE_GROUP_IO | 0x25) -#define PERFINFO_LOG_TYPE_DRIVER_ADD_DEVICE_CALL (EVENT_TRACE_GROUP_IO | 0x26) -#define PERFINFO_LOG_TYPE_DRIVER_ADD_DEVICE_RETURN (EVENT_TRACE_GROUP_IO | 0x27) -#define 
PERFINFO_LOG_TYPE_DRIVER_STARTIO_CALL (EVENT_TRACE_GROUP_IO | 0x28) -#define PERFINFO_LOG_TYPE_DRIVER_STARTIO_RETURN (EVENT_TRACE_GROUP_IO | 0x29) -// Reserved (EVENT_TRACE_GROUP_IO | 0x2a) -// Reserved (EVENT_TRACE_GROUP_IO | 0x2b) -// Reserved (EVENT_TRACE_GROUP_IO | 0x2c) -// Reserved (EVENT_TRACE_GROUP_IO | 0x2d) -// Reserved (EVENT_TRACE_GROUP_IO | 0x2e) -// Reserved (EVENT_TRACE_GROUP_IO | 0x2f) -#define PERFINFO_LOG_TYPE_PREFETCH_ACTION (EVENT_TRACE_GROUP_IO | 0x30) -#define PERFINFO_LOG_TYPE_PREFETCH_REQUEST (EVENT_TRACE_GROUP_IO | 0x31) -#define PERFINFO_LOG_TYPE_PREFETCH_READLIST (EVENT_TRACE_GROUP_IO | 0x32) -#define PERFINFO_LOG_TYPE_PREFETCH_READ (EVENT_TRACE_GROUP_IO | 0x33) -#define PERFINFO_LOG_TYPE_DRIVER_COMPLETE_REQUEST (EVENT_TRACE_GROUP_IO | 0x34) -#define PERFINFO_LOG_TYPE_DRIVER_COMPLETE_REQUEST_RETURN (EVENT_TRACE_GROUP_IO | 0x35) -#define PERFINFO_LOG_TYPE_BOOT_PREFETCH_INFORMATION (EVENT_TRACE_GROUP_IO | 0x36) -#define PERFINFO_LOG_TYPE_OPTICAL_IO_READ (EVENT_TRACE_GROUP_IO | EVENT_TRACE_TYPE_OPTICAL_IO_READ) -#define PERFINFO_LOG_TYPE_OPTICAL_IO_WRITE (EVENT_TRACE_GROUP_IO | EVENT_TRACE_TYPE_OPTICAL_IO_WRITE) -#define PERFINFO_LOG_TYPE_OPTICAL_IO_FLUSH (EVENT_TRACE_GROUP_IO | EVENT_TRACE_TYPE_OPTICAL_IO_FLUSH) -#define PERFINFO_LOG_TYPE_OPTICAL_IO_READ_INIT (EVENT_TRACE_GROUP_IO | EVENT_TRACE_TYPE_OPTICAL_IO_READ_INIT) -#define PERFINFO_LOG_TYPE_OPTICAL_IO_WRITE_INIT (EVENT_TRACE_GROUP_IO | EVENT_TRACE_TYPE_OPTICAL_IO_WRITE_INIT) -#define PERFINFO_LOG_TYPE_OPTICAL_IO_FLUSH_INIT (EVENT_TRACE_GROUP_IO | EVENT_TRACE_TYPE_OPTICAL_IO_FLUSH_INIT) - -// -// Event types for Memory subsystem -// -#define WMI_LOG_TYPE_PAGE_FAULT_TRANSITION (EVENT_TRACE_GROUP_MEMORY | EVENT_TRACE_TYPE_MM_TF) -#define WMI_LOG_TYPE_PAGE_FAULT_DEMAND_ZERO (EVENT_TRACE_GROUP_MEMORY | EVENT_TRACE_TYPE_MM_DZF) -#define WMI_LOG_TYPE_PAGE_FAULT_COPY_ON_WRITE (EVENT_TRACE_GROUP_MEMORY | EVENT_TRACE_TYPE_MM_COW) -#define WMI_LOG_TYPE_PAGE_FAULT_GUARD_PAGE 
(EVENT_TRACE_GROUP_MEMORY | EVENT_TRACE_TYPE_MM_GPF) -#define WMI_LOG_TYPE_PAGE_FAULT_HARD_PAGE_FAULT (EVENT_TRACE_GROUP_MEMORY | EVENT_TRACE_TYPE_MM_HPF) -#define WMI_LOG_TYPE_PAGE_FAULT_ACCESS_VIOLATION (EVENT_TRACE_GROUP_MEMORY | EVENT_TRACE_TYPE_MM_AV) - -#define PERFINFO_LOG_TYPE_HARDFAULT (EVENT_TRACE_GROUP_MEMORY | 0x20) -#define PERFINFO_LOG_TYPE_REMOVEPAGEBYCOLOR (EVENT_TRACE_GROUP_MEMORY | 0x21) -#define PERFINFO_LOG_TYPE_REMOVEPAGEFROMLIST (EVENT_TRACE_GROUP_MEMORY | 0x22) -#define PERFINFO_LOG_TYPE_PAGEINMEMORY (EVENT_TRACE_GROUP_MEMORY | 0x23) -#define PERFINFO_LOG_TYPE_INSERTINFREELIST (EVENT_TRACE_GROUP_MEMORY | 0x24) -#define PERFINFO_LOG_TYPE_INSERTINMODIFIEDLIST (EVENT_TRACE_GROUP_MEMORY | 0x25) -#define PERFINFO_LOG_TYPE_INSERTINLIST (EVENT_TRACE_GROUP_MEMORY | 0x26) -#define PERFINFO_LOG_TYPE_INSERTATFRONT (EVENT_TRACE_GROUP_MEMORY | 0x28) -#define PERFINFO_LOG_TYPE_UNLINKFROMSTANDBY (EVENT_TRACE_GROUP_MEMORY | 0x29) -#define PERFINFO_LOG_TYPE_UNLINKFFREEORZERO (EVENT_TRACE_GROUP_MEMORY | 0x2a) -#define PERFINFO_LOG_TYPE_WORKINGSETMANAGER (EVENT_TRACE_GROUP_MEMORY | 0x2b) -#define PERFINFO_LOG_TYPE_TRIMPROCESS (EVENT_TRACE_GROUP_MEMORY | 0x2c) -// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x2d) -#define PERFINFO_LOG_TYPE_ZEROSHARECOUNT (EVENT_TRACE_GROUP_MEMORY | 0x2e) -// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x2f) -// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x30) -// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x31) -// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x32) -// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x33) -// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x34) -// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x35) -// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x36) -// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x37) -// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x38) -// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x39) -// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x3a) -// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x3b) -#define PERFINFO_LOG_TYPE_WSINFOPROCESS (EVENT_TRACE_GROUP_MEMORY | 0x3c) -// 
Reserved (EVENT_TRACE_GROUP_MEMORY | 0x3d) -// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x3e) -// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x3f) -// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x40) -// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x41) -// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x42) -// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x43) -// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x44) -#define PERFINFO_LOG_TYPE_FAULTADDR_WITH_IP (EVENT_TRACE_GROUP_MEMORY | 0x45) -#define PERFINFO_LOG_TYPE_TRIMSESSION (EVENT_TRACE_GROUP_MEMORY | 0x46) -#define PERFINFO_LOG_TYPE_MEMORYSNAPLITE (EVENT_TRACE_GROUP_MEMORY | 0x47) -#define PERFINFO_LOG_TYPE_PFMAPPED_SECTION_RUNDOWN (EVENT_TRACE_GROUP_MEMORY | 0x48) -#define PERFINFO_LOG_TYPE_PFMAPPED_SECTION_CREATE (EVENT_TRACE_GROUP_MEMORY | 0x49) -#define PERFINFO_LOG_TYPE_WSINFOSESSION (EVENT_TRACE_GROUP_MEMORY | 0x4a) -#define PERFINFO_LOG_TYPE_CREATE_SESSION (EVENT_TRACE_GROUP_MEMORY | 0x4b) -#define PERFINFO_LOG_TYPE_SESSION_RUNDOWN_DC_END (EVENT_TRACE_GROUP_MEMORY | 0x4c) -#define PERFINFO_LOG_TYPE_SESSION_RUNDOWN_DC_START (EVENT_TRACE_GROUP_MEMORY | 0x4d) -#define PERFINFO_LOG_TYPE_SESSION_DELETE (EVENT_TRACE_GROUP_MEMORY | 0x4e) -#define PERFINFO_LOG_TYPE_PFMAPPED_SECTION_DELETE (EVENT_TRACE_GROUP_MEMORY | 0x4f) - -#define PERFINFO_LOG_TYPE_VIRTUAL_ALLOC (EVENT_TRACE_GROUP_MEMORY | 0x62) -#define PERFINFO_LOG_TYPE_VIRTUAL_FREE (EVENT_TRACE_GROUP_MEMORY | 0x63) -#define PERFINFO_LOG_TYPE_HEAP_RANGE_RUNDOWN (EVENT_TRACE_GROUP_MEMORY | 0x64) -#define PERFINFO_LOG_TYPE_HEAP_RANGE_CREATE (EVENT_TRACE_GROUP_MEMORY | 0x65) -#define PERFINFO_LOG_TYPE_HEAP_RANGE_RESERVE (EVENT_TRACE_GROUP_MEMORY | 0x66) -#define PERFINFO_LOG_TYPE_HEAP_RANGE_RELEASE (EVENT_TRACE_GROUP_MEMORY | 0x67) -#define PERFINFO_LOG_TYPE_HEAP_RANGE_DESTROY (EVENT_TRACE_GROUP_MEMORY | 0x68) - -#define PERFINFO_LOG_TYPE_PAGEFILE_BACK (EVENT_TRACE_GROUP_MEMORY | 0x69) -#define PERFINFO_LOG_TYPE_MEMINFO (EVENT_TRACE_GROUP_MEMORY | 0x70) -#define PERFINFO_LOG_TYPE_CONTMEM_GENERATE 
(EVENT_TRACE_GROUP_MEMORY | 0x71) -#define PERFINFO_LOG_TYPE_FILE_STORE_FAULT (EVENT_TRACE_GROUP_MEMORY | 0x72) -#define PERFINFO_LOG_TYPE_INMEMORY_STORE_FAULT (EVENT_TRACE_GROUP_MEMORY | 0x73) -#define PERFINFO_LOG_TYPE_COMPRESSED_PAGE (EVENT_TRACE_GROUP_MEMORY | 0x74) -#define PERFINFO_LOG_TYPE_PAGEINMEMORY_ACTIVE (EVENT_TRACE_GROUP_MEMORY | 0x75) -#define PERFINFO_LOG_TYPE_PAGE_ACCESS (EVENT_TRACE_GROUP_MEMORY | 0x76) -#define PERFINFO_LOG_TYPE_PAGE_RELEASE (EVENT_TRACE_GROUP_MEMORY | 0x77) -#define PERFINFO_LOG_TYPE_PAGE_RANGE_ACCESS (EVENT_TRACE_GROUP_MEMORY | 0x78) -#define PERFINFO_LOG_TYPE_PAGE_RANGE_RELEASE (EVENT_TRACE_GROUP_MEMORY | 0x79) -#define PERFINFO_LOG_TYPE_PAGE_COMBINE (EVENT_TRACE_GROUP_MEMORY | 0x7a) -#define PERFINFO_LOG_TYPE_KERNEL_MEMUSAGE (EVENT_TRACE_GROUP_MEMORY | 0x7b) -#define PERFINFO_LOG_TYPE_MM_STATS (EVENT_TRACE_GROUP_MEMORY | 0x7c) -#define PERFINFO_LOG_TYPE_MEMINFOEX_WS (EVENT_TRACE_GROUP_MEMORY | 0x7d) -#define PERFINFO_LOG_TYPE_MEMINFOEX_SESSIONWS (EVENT_TRACE_GROUP_MEMORY | 0x7e) - -#define PERFINFO_LOG_TYPE_VIRTUAL_ROTATE (EVENT_TRACE_GROUP_MEMORY | 0x7f) -#define PERFINFO_LOG_TYPE_VIRTUAL_ALLOC_DC_START (EVENT_TRACE_GROUP_MEMORY | 0x80) -#define PERFINFO_LOG_TYPE_VIRTUAL_ALLOC_DC_END (EVENT_TRACE_GROUP_MEMORY | 0x81) - -#define PERFINFO_LOG_TYPE_PAGE_ACCESS_EX (EVENT_TRACE_GROUP_MEMORY | 0x82) -#define PERFINFO_LOG_TYPE_REMOVEFROMWS (EVENT_TRACE_GROUP_MEMORY | 0x83) -#define PERFINFO_LOG_TYPE_WSSHAREABLE_RUNDOWN (EVENT_TRACE_GROUP_MEMORY | 0x84) -#define PERFINFO_LOG_TYPE_INMEMORYACTIVE_RUNDOWN (EVENT_TRACE_GROUP_MEMORY | 0x85) - -#define PERFINFO_LOG_TYPE_MEM_RESET_INFO (EVENT_TRACE_GROUP_MEMORY | 0x86) -#define PERFINFO_LOG_TYPE_PFMAPPED_SECTION_OBJECT_CREATE (EVENT_TRACE_GROUP_MEMORY | 0x87) -#define PERFINFO_LOG_TYPE_PFMAPPED_SECTION_OBJECT_DELETE (EVENT_TRACE_GROUP_MEMORY | 0x88) - -// -// -// Event types for Registry subsystem -// -#define WMI_LOG_TYPE_REG_RUNDOWNBEGIN (EVENT_TRACE_GROUP_REGISTRY | 
EVENT_TRACE_TYPE_REGKCBRUNDOWNBEGIN) -#define WMI_LOG_TYPE_REG_RUNDOWNEND (EVENT_TRACE_GROUP_REGISTRY | EVENT_TRACE_TYPE_REGKCBRUNDOWNEND) - -#define PERFINFO_LOG_TYPE_CMCELLREFERRED (EVENT_TRACE_GROUP_REGISTRY | 0x20) -#define PERFINFO_LOG_TYPE_REG_SET_VALUE (EVENT_TRACE_GROUP_REGISTRY | 0x21) -#define PERFINFO_LOG_TYPE_REG_COUNTERS (EVENT_TRACE_GROUP_REGISTRY | 0x22) -#define PERFINFO_LOG_TYPE_REG_CONFIG (EVENT_TRACE_GROUP_REGISTRY | 0x23) -#define PERFINFO_LOG_TYPE_REG_HIVE_INITIALIZE (EVENT_TRACE_GROUP_REGISTRY | 0x24) -#define PERFINFO_LOG_TYPE_REG_HIVE_DESTROY (EVENT_TRACE_GROUP_REGISTRY | 0x25) -#define PERFINFO_LOG_TYPE_REG_HIVE_LINK (EVENT_TRACE_GROUP_REGISTRY | 0x26) -#define PERFINFO_LOG_TYPE_REG_HIVE_RUNDOWN_DC_END (EVENT_TRACE_GROUP_REGISTRY | 0x27) -#define PERFINFO_LOG_TYPE_REG_HIVE_DIRTY (EVENT_TRACE_GROUP_REGISTRY | 0x28) -// Reserved -#define PERFINFO_LOG_TYPE_REG_NOTIF_REGISTER (EVENT_TRACE_GROUP_REGISTRY | 0x30) -#define PERFINFO_LOG_TYPE_REG_NOTIF_DELIVER (EVENT_TRACE_GROUP_REGISTRY | 0x31) - -// -// Event types for PERF tracing specific subsystem -// -#define PERFINFO_LOG_TYPE_RUNDOWN_CHECKPOINT (EVENT_TRACE_GROUP_PERFINFO | 0x20) -// Reserved (EVENT_TRACE_GROUP_PERFINFO | 0x21) -#define PERFINFO_LOG_TYPE_MARK (EVENT_TRACE_GROUP_PERFINFO | 0x22) -// Reserved (EVENT_TRACE_GROUP_PERFINFO | 0x23) -#define PERFINFO_LOG_TYPE_ASYNCMARK (EVENT_TRACE_GROUP_PERFINFO | 0x24) -// Reserved (EVENT_TRACE_GROUP_PERFINFO | 0x25) -#define PERFINFO_LOG_TYPE_IMAGENAME (EVENT_TRACE_GROUP_PERFINFO | 0x26) -#define PERFINFO_LOG_TYPE_DELAYS_CC_CAN_I_WRITE (EVENT_TRACE_GROUP_PERFINFO | 0x27) -// Reserved (EVENT_TRACE_GROUP_PERFINFO | 0x28) -// Reserved (EVENT_TRACE_GROUP_PERFINFO | 0x29) -// Reserved (EVENT_TRACE_GROUP_PERFINFO | 0x2a) -// Reserved (EVENT_TRACE_GROUP_PERFINFO | 0x2b) -// Reserved (EVENT_TRACE_GROUP_PERFINFO | 0x2c) -// Reserved (EVENT_TRACE_GROUP_PERFINFO | 0x2d) -#define PERFINFO_LOG_TYPE_SAMPLED_PROFILE (EVENT_TRACE_GROUP_PERFINFO | 0x2e) -#define 
PERFINFO_LOG_TYPE_PMC_INTERRUPT (EVENT_TRACE_GROUP_PERFINFO | 0x2f) -#define PERFINFO_LOG_TYPE_PMC_CONFIG (EVENT_TRACE_GROUP_PERFINFO | 0x30) -// Reserved (EVENT_TRACE_GROUP_PERFINFO | 0x31) -#define PERFINFO_LOG_TYPE_MSI_INTERRUPT (EVENT_TRACE_GROUP_PERFINFO | 0x32) -#define PERFINFO_LOG_TYPE_SYSCALL_ENTER (EVENT_TRACE_GROUP_PERFINFO | 0x33) -#define PERFINFO_LOG_TYPE_SYSCALL_EXIT (EVENT_TRACE_GROUP_PERFINFO | 0x34) -#define PERFINFO_LOG_TYPE_BACKTRACE (EVENT_TRACE_GROUP_PERFINFO | 0x35) -#define PERFINFO_LOG_TYPE_BACKTRACE_USERSTACK (EVENT_TRACE_GROUP_PERFINFO | 0x36) -#define PERFINFO_LOG_TYPE_SAMPLED_PROFILE_CACHE (EVENT_TRACE_GROUP_PERFINFO | 0x37) -#define PERFINFO_LOG_TYPE_EXCEPTION_STACK (EVENT_TRACE_GROUP_PERFINFO | 0x38) -#define PERFINFO_LOG_TYPE_BRANCH_TRACE (EVENT_TRACE_GROUP_PERFINFO | 0x39) -#define PERFINFO_LOG_TYPE_DEBUGGER_ENABLED (EVENT_TRACE_GROUP_PERFINFO | 0x3a) -#define PERFINFO_LOG_TYPE_DEBUGGER_EXIT (EVENT_TRACE_GROUP_PERFINFO | 0x3b) -#define PERFINFO_LOG_TYPE_BRANCH_TRACE_DEBUG (EVENT_TRACE_GROUP_PERFINFO | 0x40) -#define PERFINFO_LOG_TYPE_BRANCH_ADDRESS_DEBUG (EVENT_TRACE_GROUP_PERFINFO | 0x41) -#define PERFINFO_LOG_TYPE_THREADED_DPC (EVENT_TRACE_GROUP_PERFINFO | 0x42) -#define PERFINFO_LOG_TYPE_INTERRUPT (EVENT_TRACE_GROUP_PERFINFO | 0x43) -#define PERFINFO_LOG_TYPE_DPC (EVENT_TRACE_GROUP_PERFINFO | 0x44) -#define PERFINFO_LOG_TYPE_TIMERDPC (EVENT_TRACE_GROUP_PERFINFO | 0x45) -#define PERFINFO_LOG_TYPE_IOTIMER_EXPIRATION (EVENT_TRACE_GROUP_PERFINFO | 0x46) -#define PERFINFO_LOG_TYPE_SAMPLED_PROFILE_NMI (EVENT_TRACE_GROUP_PERFINFO | 0x47) -#define PERFINFO_LOG_TYPE_SAMPLED_PROFILE_SET_INTERVAL (EVENT_TRACE_GROUP_PERFINFO | 0x48) -#define PERFINFO_LOG_TYPE_SAMPLED_PROFILE_DC_START (EVENT_TRACE_GROUP_PERFINFO | 0x49) -#define PERFINFO_LOG_TYPE_SAMPLED_PROFILE_DC_END (EVENT_TRACE_GROUP_PERFINFO | 0x4a) -#define PERFINFO_LOG_TYPE_SPINLOCK_DC_START (EVENT_TRACE_GROUP_PERFINFO | 0x4b) -#define PERFINFO_LOG_TYPE_SPINLOCK_DC_END 
(EVENT_TRACE_GROUP_PERFINFO | 0x4c) -#define PERFINFO_LOG_TYPE_ERESOURCE_DC_START (EVENT_TRACE_GROUP_PERFINFO | 0x4d) -#define PERFINFO_LOG_TYPE_ERESOURCE_DC_END (EVENT_TRACE_GROUP_PERFINFO | 0x4e) -#define PERFINFO_LOG_TYPE_CLOCK_INTERRUPT (EVENT_TRACE_GROUP_PERFINFO | 0x4f) -#define PERFINFO_LOG_TYPE_TIMER_EXPIRATION_START (EVENT_TRACE_GROUP_PERFINFO | 0x50) -#define PERFINFO_LOG_TYPE_TIMER_EXPIRATION (EVENT_TRACE_GROUP_PERFINFO | 0x51) -#define PERFINFO_LOG_TYPE_TIMER_SET_PERIODIC (EVENT_TRACE_GROUP_PERFINFO | 0x52) -#define PERFINFO_LOG_TYPE_TIMER_SET_ONE_SHOT (EVENT_TRACE_GROUP_PERFINFO | 0x53) -#define PERFINFO_LOG_TYPE_TIMER_SET_THREAD (EVENT_TRACE_GROUP_PERFINFO | 0x54) -#define PERFINFO_LOG_TYPE_TIMER_CANCEL (EVENT_TRACE_GROUP_PERFINFO | 0x55) -#define PERFINFO_LOG_TYPE_TIME_ADJUSTMENT (EVENT_TRACE_GROUP_PERFINFO | 0x56) -#define PERFINFO_LOG_TYPE_CLOCK_MODE_SWITCH (EVENT_TRACE_GROUP_PERFINFO | 0x57) -#define PERFINFO_LOG_TYPE_CLOCK_TIME_UPDATE (EVENT_TRACE_GROUP_PERFINFO | 0x58) -#define PERFINFO_LOG_TYPE_CLOCK_DYNAMIC_TICK_VETO (EVENT_TRACE_GROUP_PERFINFO | 0x59) -#define PERFINFO_LOG_TYPE_CLOCK_CONFIGURATION (EVENT_TRACE_GROUP_PERFINFO | 0x5a) -#define PERFINFO_LOG_TYPE_IPI (EVENT_TRACE_GROUP_PERFINFO | 0x5b) -#define PERFINFO_LOG_TYPE_UNEXPECTED_INTERRUPT (EVENT_TRACE_GROUP_PERFINFO | 0x5c) -#define PERFINFO_LOG_TYPE_IOTIMER_START (EVENT_TRACE_GROUP_PERFINFO | 0x5d) -#define PERFINFO_LOG_TYPE_IOTIMER_STOP (EVENT_TRACE_GROUP_PERFINFO | 0x5e) -#define PERFINFO_LOG_TYPE_PASSIVE_INTERRUPT (EVENT_TRACE_GROUP_PERFINFO | 0x5f) -#define PERFINFO_LOG_TYPE_WDF_INTERRUPT (EVENT_TRACE_GROUP_PERFINFO | 0x60) -#define PERFINFO_LOG_TYPE_WDF_PASSIVE_INTERRUPT (EVENT_TRACE_GROUP_PERFINFO | 0x61) -#define PERFINFO_LOG_TYPE_WDF_DPC (EVENT_TRACE_GROUP_PERFINFO | 0x62) -#define PERFINFO_LOG_TYPE_CPU_CACHE_FLUSH (EVENT_TRACE_GROUP_PERFINFO | 0x63) -#define PERFINFO_LOG_TYPE_DPC_ENQUEUE (EVENT_TRACE_GROUP_PERFINFO | 0x64) -#define PERFINFO_LOG_TYPE_DPC_EXECUTION 
(EVENT_TRACE_GROUP_PERFINFO | 0x65) -#define PERFINFO_LOG_TYPE_INTERRUPT_STEERING (EVENT_TRACE_GROUP_PERFINFO | 0x66) -#define PERFINFO_LOG_TYPE_WDF_WORK_ITEM (EVENT_TRACE_GROUP_PERFINFO | 0x67) -#define PERFINFO_LOG_TYPE_KTIMER2_SET (EVENT_TRACE_GROUP_PERFINFO | 0x68) -#define PERFINFO_LOG_TYPE_KTIMER2_EXPIRATION (EVENT_TRACE_GROUP_PERFINFO | 0x69) -#define PERFINFO_LOG_TYPE_KTIMER2_CANCEL (EVENT_TRACE_GROUP_PERFINFO | 0x6a) -#define PERFINFO_LOG_TYPE_KTIMER2_DISABLE (EVENT_TRACE_GROUP_PERFINFO | 0x6b) -#define PERFINFO_LOG_TYPE_KTIMER2_FINALIZATION (EVENT_TRACE_GROUP_PERFINFO | 0x6c) -#define PERFINFO_LOG_TYPE_SHOULD_YIELD_PROCESSOR (EVENT_TRACE_GROUP_PERFINFO | 0x6d) - - // - // Event types for ICE. - // - -#define PERFINFO_LOG_TYPE_FUNCTION_CALL (EVENT_TRACE_GROUP_PERFINFO | 0x80) -#define PERFINFO_LOG_TYPE_FUNCTION_RETURN (EVENT_TRACE_GROUP_PERFINFO | 0x81) -#define PERFINFO_LOG_TYPE_FUNCTION_ENTER (EVENT_TRACE_GROUP_PERFINFO | 0x82) -#define PERFINFO_LOG_TYPE_FUNCTION_EXIT (EVENT_TRACE_GROUP_PERFINFO | 0x83) -#define PERFINFO_LOG_TYPE_TAILCALL (EVENT_TRACE_GROUP_PERFINFO | 0x84) -#define PERFINFO_LOG_TYPE_TRAP (EVENT_TRACE_GROUP_PERFINFO | 0x85) -#define PERFINFO_LOG_TYPE_SPINLOCK_ACQUIRE (EVENT_TRACE_GROUP_PERFINFO | 0x86) -#define PERFINFO_LOG_TYPE_SPINLOCK_RELEASE (EVENT_TRACE_GROUP_PERFINFO | 0x87) -#define PERFINFO_LOG_TYPE_CAP_COMMENT (EVENT_TRACE_GROUP_PERFINFO | 0x88) -#define PERFINFO_LOG_TYPE_CAP_RUNDOWN (EVENT_TRACE_GROUP_PERFINFO | 0x89) - - // - // Event types for Debugger subsystem. 
- // - -#define PERFINFO_LOG_TYPE_DEBUG_PRINT (EVENT_TRACE_GROUP_DBGPRINT | 0x20) - - // - // Event types for WNF facility - // - -#define PERFINFO_LOG_TYPE_WNF_SUBSCRIBE (EVENT_TRACE_GROUP_WNF | 0x20) -#define PERFINFO_LOG_TYPE_WNF_UNSUBSCRIBE (EVENT_TRACE_GROUP_WNF | 0x21) -#define PERFINFO_LOG_TYPE_WNF_CALLBACK (EVENT_TRACE_GROUP_WNF | 0x22) -#define PERFINFO_LOG_TYPE_WNF_PUBLISH (EVENT_TRACE_GROUP_WNF | 0x23) -#define PERFINFO_LOG_TYPE_WNF_NAME_SUB_RUNDOWN (EVENT_TRACE_GROUP_WNF | 0x24) - - // - // Event types for Pool subsystem. - // - -#define PERFINFO_LOG_TYPE_ALLOCATEPOOL (EVENT_TRACE_GROUP_POOL | 0x20) -#define PERFINFO_LOG_TYPE_ALLOCATEPOOL_SESSION (EVENT_TRACE_GROUP_POOL | 0x21) -#define PERFINFO_LOG_TYPE_FREEPOOL (EVENT_TRACE_GROUP_POOL | 0x22) -#define PERFINFO_LOG_TYPE_FREEPOOL_SESSION (EVENT_TRACE_GROUP_POOL | 0x23) -#define PERFINFO_LOG_TYPE_ADDPOOLPAGE (EVENT_TRACE_GROUP_POOL | 0x24) -#define PERFINFO_LOG_TYPE_ADDPOOLPAGE_SESSION (EVENT_TRACE_GROUP_POOL | 0x25) -#define PERFINFO_LOG_TYPE_BIGPOOLPAGE (EVENT_TRACE_GROUP_POOL | 0x26) -#define PERFINFO_LOG_TYPE_BIGPOOLPAGE_SESSION (EVENT_TRACE_GROUP_POOL | 0x27) -#define PERFINFO_LOG_TYPE_POOLSNAP_DC_START (EVENT_TRACE_GROUP_POOL | 0x28) -#define PERFINFO_LOG_TYPE_POOLSNAP_DC_END (EVENT_TRACE_GROUP_POOL | 0x29) -#define PERFINFO_LOG_TYPE_BIGPOOLSNAP_DC_START (EVENT_TRACE_GROUP_POOL | 0x2a) -#define PERFINFO_LOG_TYPE_BIGPOOLSNAP_DC_END (EVENT_TRACE_GROUP_POOL | 0x2b) -#define PERFINFO_LOG_TYPE_POOLSNAP_SESSION_DC_START (EVENT_TRACE_GROUP_POOL | 0x2c) -#define PERFINFO_LOG_TYPE_POOLSNAP_SESSION_DC_END (EVENT_TRACE_GROUP_POOL | 0x2d) -#define PERFINFO_LOG_TYPE_SESSIONBIGPOOLSNAP_DC_START (EVENT_TRACE_GROUP_POOL | 0x2e) -#define PERFINFO_LOG_TYPE_SESSIONBIGPOOLSNAP_DC_END (EVENT_TRACE_GROUP_POOL | 0x2f) - -// -// Event types for Heap subsystem -// -#define PERFINFO_LOG_TYPE_HEAP_CREATE (EVENT_TRACE_GROUP_HEAP | 0x20) -#define PERFINFO_LOG_TYPE_HEAP_ALLOC (EVENT_TRACE_GROUP_HEAP | 0x21) -#define 
PERFINFO_LOG_TYPE_HEAP_REALLOC (EVENT_TRACE_GROUP_HEAP | 0x22) -#define PERFINFO_LOG_TYPE_HEAP_DESTROY (EVENT_TRACE_GROUP_HEAP | 0x23) -#define PERFINFO_LOG_TYPE_HEAP_FREE (EVENT_TRACE_GROUP_HEAP | 0x24) -#define PERFINFO_LOG_TYPE_HEAP_EXTEND (EVENT_TRACE_GROUP_HEAP | 0x25) -#define PERFINFO_LOG_TYPE_HEAP_SNAPSHOT (EVENT_TRACE_GROUP_HEAP | 0x26) -#define PERFINFO_LOG_TYPE_HEAP_CREATE_SNAPSHOT (EVENT_TRACE_GROUP_HEAP | 0x27) -#define PERFINFO_LOG_TYPE_HEAP_DESTROY_SNAPSHOT (EVENT_TRACE_GROUP_HEAP | 0x28) -#define PERFINFO_LOG_TYPE_HEAP_EXTEND_SNAPSHOT (EVENT_TRACE_GROUP_HEAP | 0x29) -#define PERFINFO_LOG_TYPE_HEAP_CONTRACT (EVENT_TRACE_GROUP_HEAP | 0x2a) -#define PERFINFO_LOG_TYPE_HEAP_LOCK (EVENT_TRACE_GROUP_HEAP | 0x2b) -#define PERFINFO_LOG_TYPE_HEAP_UNLOCK (EVENT_TRACE_GROUP_HEAP | 0x2c) -#define PERFINFO_LOG_TYPE_HEAP_VALIDATE (EVENT_TRACE_GROUP_HEAP | 0x2d) -#define PERFINFO_LOG_TYPE_HEAP_WALK (EVENT_TRACE_GROUP_HEAP | 0x2e) - -#define PERFINFO_LOG_TYPE_HEAP_SUBSEGMENT_ALLOC (EVENT_TRACE_GROUP_HEAP | 0x2f) -#define PERFINFO_LOG_TYPE_HEAP_SUBSEGMENT_FREE (EVENT_TRACE_GROUP_HEAP | 0x30) -#define PERFINFO_LOG_TYPE_HEAP_SUBSEGMENT_ALLOC_CACHE (EVENT_TRACE_GROUP_HEAP | 0x31) -#define PERFINFO_LOG_TYPE_HEAP_SUBSEGMENT_FREE_CACHE (EVENT_TRACE_GROUP_HEAP | 0x32) -#define PERFINFO_LOG_TYPE_HEAP_COMMIT (EVENT_TRACE_GROUP_HEAP | 0x33) -#define PERFINFO_LOG_TYPE_HEAP_DECOMMIT (EVENT_TRACE_GROUP_HEAP | 0x34) -#define PERFINFO_LOG_TYPE_HEAP_SUBSEGMENT_INIT (EVENT_TRACE_GROUP_HEAP | 0x35) -#define PERFINFO_LOG_TYPE_HEAP_AFFINITY_ENABLE (EVENT_TRACE_GROUP_HEAP | 0x36) -// Reserved (EVENT_TRACE_GROUP_HEAP | 0x37) -#define PERFINFO_LOG_TYPE_HEAP_SUBSEGMENT_ACTIVATED (EVENT_TRACE_GROUP_HEAP | 0x38) -#define PERFINFO_LOG_TYPE_HEAP_AFFINITY_ASSIGN (EVENT_TRACE_GROUP_HEAP | 0x39) -#define PERFINFO_LOG_TYPE_HEAP_REUSE_THRESHOLD_ACTIVATED (EVENT_TRACE_GROUP_HEAP | 0x3a) - - // - // Event Types for Critical Section Subsystem - // - -#define PERFINFO_LOG_TYPE_CRITSEC_ENTER 
(EVENT_TRACE_GROUP_CRITSEC | 0x20) -#define PERFINFO_LOG_TYPE_CRITSEC_LEAVE (EVENT_TRACE_GROUP_CRITSEC | 0x21) -#define PERFINFO_LOG_TYPE_CRITSEC_COLLISION (EVENT_TRACE_GROUP_CRITSEC | 0x22) -#define PERFINFO_LOG_TYPE_CRITSEC_INITIALIZE (EVENT_TRACE_GROUP_CRITSEC | 0x23) - - // - // Event types for Stackwalk subsystem - // - -#define PERFINFO_LOG_TYPE_STACKWALK (EVENT_TRACE_GROUP_STACKWALK | 0x20) -// Reserved (EVENT_TRACE_GROUP_STACKWALK | 0x21) -#define PERFINFO_LOG_TYPE_STACKTRACE_CREATE (EVENT_TRACE_GROUP_STACKWALK | 0x22) -#define PERFINFO_LOG_TYPE_STACKTRACE_DELETE (EVENT_TRACE_GROUP_STACKWALK | 0x23) -#define PERFINFO_LOG_TYPE_STACKTRACE_RUNDOWN (EVENT_TRACE_GROUP_STACKWALK | 0x24) -#define PERFINFO_LOG_TYPE_STACKTRACE_KEY_KERNEL (EVENT_TRACE_GROUP_STACKWALK | 0x25) -#define PERFINFO_LOG_TYPE_STACKTRACE_KEY_USER (EVENT_TRACE_GROUP_STACKWALK | 0x26) - - // - // Event types for ALPC - // - -#define WMI_LOG_TYPE_ALPC_SEND_MESSAGE (EVENT_TRACE_GROUP_ALPC | 0x21) -#define WMI_LOG_TYPE_ALPC_RECEIVE_MESSAGE (EVENT_TRACE_GROUP_ALPC | 0x22) -#define WMI_LOG_TYPE_ALPC_WAIT_FOR_REPLY (EVENT_TRACE_GROUP_ALPC | 0x23) -#define WMI_LOG_TYPE_ALPC_WAIT_FOR_NEW_MESSAGE (EVENT_TRACE_GROUP_ALPC | 0x24) -#define WMI_LOG_TYPE_ALPC_UNWAIT (EVENT_TRACE_GROUP_ALPC | 0x25) -#define WMI_LOG_TYPE_ALPC_CONNECT_REQUEST (EVENT_TRACE_GROUP_ALPC | 0x26) -#define WMI_LOG_TYPE_ALPC_CONNECT_SUCCESS (EVENT_TRACE_GROUP_ALPC | 0x27) -#define WMI_LOG_TYPE_ALPC_CONNECT_FAIL (EVENT_TRACE_GROUP_ALPC | 0x28) -#define WMI_LOG_TYPE_ALPC_CLOSE_PORT (EVENT_TRACE_GROUP_ALPC | 0x29) - - // - // Event types for Object Manager subsystem - // - -#define PERFINFO_LOG_TYPE_CREATE_HANDLE (EVENT_TRACE_GROUP_OBJECT | 0x20) -#define PERFINFO_LOG_TYPE_CLOSE_HANDLE (EVENT_TRACE_GROUP_OBJECT | 0x21) -#define PERFINFO_LOG_TYPE_DUPLICATE_HANDLE (EVENT_TRACE_GROUP_OBJECT | 0x22) -// Reserved (EVENT_TRACE_GROUP_OBJECT | 0x23) -#define PERFINFO_LOG_TYPE_OBJECT_TYPE_DC_START (EVENT_TRACE_GROUP_OBJECT | 0x24) -#define 
PERFINFO_LOG_TYPE_OBJECT_TYPE_DC_END (EVENT_TRACE_GROUP_OBJECT | 0x25) -#define PERFINFO_LOG_TYPE_OBJECT_HANDLE_DC_START (EVENT_TRACE_GROUP_OBJECT | 0x26) -#define PERFINFO_LOG_TYPE_OBJECT_HANDLE_DC_END (EVENT_TRACE_GROUP_OBJECT | 0x27) -// Reserved (EVENT_TRACE_GROUP_OBJECT | 0x28) -// Reserved (EVENT_TRACE_GROUP_OBJECT | 0x29) -// Reserved (EVENT_TRACE_GROUP_OBJECT | 0x2a) -// Reserved (EVENT_TRACE_GROUP_OBJECT | 0x2b) -// Reserved (EVENT_TRACE_GROUP_OBJECT | 0x2c) -// Reserved (EVENT_TRACE_GROUP_OBJECT | 0x2d) -// Reserved (EVENT_TRACE_GROUP_OBJECT | 0x2e) -// Reserved (EVENT_TRACE_GROUP_OBJECT | 0x2f) -#define PERFINFO_LOG_TYPE_CREATE_OBJECT (EVENT_TRACE_GROUP_OBJECT | 0x30) -#define PERFINFO_LOG_TYPE_DELETE_OBJECT (EVENT_TRACE_GROUP_OBJECT | 0x31) -#define PERFINFO_LOG_TYPE_REFERENCE_OBJECT (EVENT_TRACE_GROUP_OBJECT | 0x32) -#define PERFINFO_LOG_TYPE_DEREFERENCE_OBJECT (EVENT_TRACE_GROUP_OBJECT | 0x33) - - // - // Event types for Power subsystem - // - -#define PERFINFO_LOG_TYPE_BATTERY_LIFE_INFO (EVENT_TRACE_GROUP_POWER | 0x20) -#define PERFINFO_LOG_TYPE_IDLE_STATE_CHANGE (EVENT_TRACE_GROUP_POWER | 0x21) -#define PERFINFO_LOG_TYPE_SET_POWER_ACTION (EVENT_TRACE_GROUP_POWER | 0x22) -#define PERFINFO_LOG_TYPE_SET_POWER_ACTION_RET (EVENT_TRACE_GROUP_POWER | 0x23) -#define PERFINFO_LOG_TYPE_SET_DEVICES_STATE (EVENT_TRACE_GROUP_POWER | 0x24) -#define PERFINFO_LOG_TYPE_SET_DEVICES_STATE_RET (EVENT_TRACE_GROUP_POWER | 0x25) -#define PERFINFO_LOG_TYPE_PO_NOTIFY_DEVICE (EVENT_TRACE_GROUP_POWER | 0x26) -#define PERFINFO_LOG_TYPE_PO_NOTIFY_DEVICE_COMPLETE (EVENT_TRACE_GROUP_POWER | 0x27) -#define PERFINFO_LOG_TYPE_PO_SESSION_CALLOUT (EVENT_TRACE_GROUP_POWER | 0x28) -#define PERFINFO_LOG_TYPE_PO_SESSION_CALLOUT_RET (EVENT_TRACE_GROUP_POWER | 0x29) -#define PERFINFO_LOG_TYPE_PO_PRESLEEP (EVENT_TRACE_GROUP_POWER | 0x30) -#define PERFINFO_LOG_TYPE_PO_POSTSLEEP (EVENT_TRACE_GROUP_POWER | 0x31) -#define PERFINFO_LOG_TYPE_PO_CALIBRATED_PERFCOUNTER (EVENT_TRACE_GROUP_POWER | 
0x32) -#define PERFINFO_LOG_TYPE_PPM_PERF_STATE_CHANGE (EVENT_TRACE_GROUP_POWER | 0x33) -#define PERFINFO_LOG_TYPE_PPM_THROTTLE_STATE_CHANGE (EVENT_TRACE_GROUP_POWER | 0x34) -#define PERFINFO_LOG_TYPE_PPM_IDLE_STATE_CHANGE (EVENT_TRACE_GROUP_POWER | 0x35) -#define PERFINFO_LOG_TYPE_PPM_THERMAL_CONSTRAINT (EVENT_TRACE_GROUP_POWER | 0x36) -#define PERFINFO_LOG_TYPE_PO_SIGNAL_RESUME_UI (EVENT_TRACE_GROUP_POWER | 0x37) -#define PERFINFO_LOG_TYPE_PO_SIGNAL_VIDEO_ON (EVENT_TRACE_GROUP_POWER | 0x38) -#define PERFINFO_LOG_TYPE_PPM_IDLE_STATE_ENTER (EVENT_TRACE_GROUP_POWER | 0x39) -#define PERFINFO_LOG_TYPE_PPM_IDLE_STATE_EXIT (EVENT_TRACE_GROUP_POWER | 0x3a) -#define PERFINFO_LOG_TYPE_PPM_PLATFORM_IDLE_STATE_ENTER (EVENT_TRACE_GROUP_POWER | 0x3b) -#define PERFINFO_LOG_TYPE_PPM_IDLE_EXIT_LATENCY (EVENT_TRACE_GROUP_POWER | 0x3c) -#define PERFINFO_LOG_TYPE_PPM_IDLE_PROCESSOR_SELECTION (EVENT_TRACE_GROUP_POWER | 0x3d) -#define PERFINFO_LOG_TYPE_PPM_IDLE_PLATFORM_SELECTION (EVENT_TRACE_GROUP_POWER | 0x3e) -#define PERFINFO_LOG_TYPE_PPM_COORDINATED_IDLE_ENTER (EVENT_TRACE_GROUP_POWER | 0x3f) -#define PERFINFO_LOG_TYPE_PPM_COORDINATED_IDLE_EXIT (EVENT_TRACE_GROUP_POWER | 0x40) - -// -// Event types for MODBound subsystem -// -#define PERFINFO_LOG_TYPE_COWHEADER (EVENT_TRACE_GROUP_MODBOUND | 0x18) -#define PERFINFO_LOG_TYPE_COWBLOB (EVENT_TRACE_GROUP_MODBOUND | 0x19) -#define PERFINFO_LOG_TYPE_COWBLOB_CLOSED (EVENT_TRACE_GROUP_MODBOUND | 0x1a) -#define PERFINFO_LOG_TYPE_MODULEBOUND_ENT (EVENT_TRACE_GROUP_MODBOUND | 0x20) -#define PERFINFO_LOG_TYPE_MODULEBOUND_JUMP (EVENT_TRACE_GROUP_MODBOUND | 0x21) -#define PERFINFO_LOG_TYPE_MODULEBOUND_RET (EVENT_TRACE_GROUP_MODBOUND | 0x22) -#define PERFINFO_LOG_TYPE_MODULEBOUND_CALL (EVENT_TRACE_GROUP_MODBOUND | 0x23) -#define PERFINFO_LOG_TYPE_MODULEBOUND_CALLRET (EVENT_TRACE_GROUP_MODBOUND | 0x24) -#define PERFINFO_LOG_TYPE_MODULEBOUND_INT2E (EVENT_TRACE_GROUP_MODBOUND | 0x25) -#define PERFINFO_LOG_TYPE_MODULEBOUND_INT2B 
(EVENT_TRACE_GROUP_MODBOUND | 0x26) -#define PERFINFO_LOG_TYPE_MODULEBOUND_FULLTRACE (EVENT_TRACE_GROUP_MODBOUND | 0x27) - -// -// Event types for the thread class scheduler -// -// TODO: Because MMCSS is a DLL it doesn't need to use UMGL. -// -#define PERFINFO_LOG_TYPE_MMCSS_START (0x20) -#define PERFINFO_LOG_TYPE_MMCSS_STOP (0x21) -#define PERFINFO_LOG_TYPE_MMCSS_SCHEDULER_EVENT (0x22) -#define PERFINFO_LOG_TYPE_MMCSS_SCHEDULER_WAKEUP (0x23) -#define PERFINFO_LOG_TYPE_MMCSS_SCHEDULER_SLEEP (0x24) -#define PERFINFO_LOG_TYPE_MMCSS_SCHEDULER_SLEEP_RESP (0x25) - - // - // Event types To be Decided if they are still needed? - // - -#define PERFINFO_LOG_TYPE_DISPATCHMSG (EVENT_TRACE_GROUP_TBD | 0x00) -#define PERFINFO_LOG_TYPE_GLYPHCACHE (EVENT_TRACE_GROUP_TBD | 0x01) -#define PERFINFO_LOG_TYPE_GLYPHS (EVENT_TRACE_GROUP_TBD | 0x02) -#define PERFINFO_LOG_TYPE_READWRITE (EVENT_TRACE_GROUP_TBD | 0x03) -#define PERFINFO_LOG_TYPE_EXPLICIT_LOAD (EVENT_TRACE_GROUP_TBD | 0x04) -#define PERFINFO_LOG_TYPE_IMPLICIT_LOAD (EVENT_TRACE_GROUP_TBD | 0x05) -#define PERFINFO_LOG_TYPE_CHECKSUM (EVENT_TRACE_GROUP_TBD | 0x06) -#define PERFINFO_LOG_TYPE_DLL_INIT (EVENT_TRACE_GROUP_TBD | 0x07) -#define PERFINFO_LOG_TYPE_SERVICE_DD_START_INIT (EVENT_TRACE_GROUP_TBD | 0x08) -#define PERFINFO_LOG_TYPE_SERVICE_DD_DONE_INIT (EVENT_TRACE_GROUP_TBD | 0x09) -#define PERFINFO_LOG_TYPE_SERVICE_START_INIT (EVENT_TRACE_GROUP_TBD | 0x0a) -#define PERFINFO_LOG_TYPE_SERVICE_DONE_INIT (EVENT_TRACE_GROUP_TBD | 0x0b) -#define PERFINFO_LOG_TYPE_SERVICE_NAME (EVENT_TRACE_GROUP_TBD | 0x0c) -// Reserved (EVENT_TRACE_GROUP_TBD | 0x0d) -#define PERFINFO_LOG_TIMED_ENTER_ROUTINE (EVENT_TRACE_GROUP_TBD | 0x0e) -#define PERFINFO_LOG_TIMED_EXIT_ROUTINE (EVENT_TRACE_GROUP_TBD | 0x0f) -#define PERFINFO_LOG_TYPE_CTIME_STATS (EVENT_TRACE_GROUP_TBD | 0x10) -#define PERFINFO_LOG_TYPE_MARKED_DIRTY (EVENT_TRACE_GROUP_TBD | 0x11) -#define PERFINFO_LOG_TYPE_MARKED_CELL_DIRTY (EVENT_TRACE_GROUP_TBD | 0x12) -#define 
PERFINFO_LOG_TYPE_HIVE_WRITE_DIRTY (EVENT_TRACE_GROUP_TBD | 0x13) -#define PERFINFO_LOG_TYPE_DUMP_HIVECELL (EVENT_TRACE_GROUP_TBD | 0x14) -#define PERFINFO_LOG_TYPE_HIVE_STAT (EVENT_TRACE_GROUP_TBD | 0x16) -#define PERFINFO_LOG_TYPE_CLOCKREF (EVENT_TRACE_GROUP_TBD | 0x17) -// Reserved (EVENT_TRACE_GROUP_TBD | 0x18) -// Reserved (EVENT_TRACE_GROUP_TBD | 0x19) -// Reserved (EVENT_TRACE_GROUP_TBD | 0x1a) -#define PERFINFO_LOG_TYPE_WMIPERFFREQUENCY (EVENT_TRACE_GROUP_TBD | 0x1d) -#define PERFINFO_LOG_TYPE_CDROM_READ (EVENT_TRACE_GROUP_TBD | 0x1e) -#define PERFINFO_LOG_TYPE_CDROM_READ_COMPLETE (EVENT_TRACE_GROUP_TBD | 0x1f) -#define PERFINFO_LOG_TYPE_KE_SET_EVENT (EVENT_TRACE_GROUP_TBD | 0x20) -#define PERFINFO_LOG_TYPE_REG_PARSEKEY (EVENT_TRACE_GROUP_TBD | 0x21) -#define PERFINFO_LOG_TYPE_REG_PARSEKEYEND (EVENT_TRACE_GROUP_TBD | 0x22) -#define PERFINFO_LOG_TYPE_ATTACH_PROCESS (EVENT_TRACE_GROUP_TBD | 0x24) -#define PERFINFO_LOG_TYPE_DETACH_PROCESS (EVENT_TRACE_GROUP_TBD | 0x25) -// Reserved (EVENT_TRACE_GROUP_TBD | 0x26) -#define PERFINFO_LOG_TYPE_KDHELP (EVENT_TRACE_GROUP_TBD | 0x27) -// Reserved (EVENT_TRACE_GROUP_TBD | 0x28) -// Reserved (EVENT_TRACE_GROUP_TBD | 0x29) -// Reserved (EVENT_TRACE_GROUP_TBD | 0x2a) -// Reserved (EVENT_TRACE_GROUP_TBD | 0x2b) -#define PERFINFO_LOG_TYPE_FAILED_STKDUMP (EVENT_TRACE_GROUP_TBD | 0x2c) -// Reserved (EVENT_TRACE_GROUP_TBD | 0x2d) -// Reserved (EVENT_TRACE_GROUP_TBD | 0x2e) -#define PERFINFO_LOG_TYPE_SYSTEM_TIME (EVENT_TRACE_GROUP_TBD | 0x2f) -#define PERFINFO_LOG_TYPE_READYQUEUE (EVENT_TRACE_GROUP_TBD | 0x30) - - // - // Event types for SplitIo - // - -#define PERFINFO_LOG_TYPE_SPLITIO_VOLMGR (EVENT_TRACE_GROUP_SPLITIO | 0x20) - -// -// Event types for ThreadPool -// -#define PERFINFO_LOG_TYPE_TP_CALLBACK_ENQUEUE (EVENT_TRACE_GROUP_THREAD_POOL | 0x20) -#define PERFINFO_LOG_TYPE_TP_CALLBACK_DEQUEUE (EVENT_TRACE_GROUP_THREAD_POOL | 0x21) -#define PERFINFO_LOG_TYPE_TP_CALLBACK_START (EVENT_TRACE_GROUP_THREAD_POOL | 0x22) -#define 
PERFINFO_LOG_TYPE_TP_CALLBACK_STOP (EVENT_TRACE_GROUP_THREAD_POOL | 0x23) -#define PERFINFO_LOG_TYPE_TP_CALLBACK_CANCEL (EVENT_TRACE_GROUP_THREAD_POOL | 0x24) -#define PERFINFO_LOG_TYPE_TP_POOL_CREATE (EVENT_TRACE_GROUP_THREAD_POOL | 0x25) -#define PERFINFO_LOG_TYPE_TP_POOL_CLOSE (EVENT_TRACE_GROUP_THREAD_POOL | 0x26) -#define PERFINFO_LOG_TYPE_TP_POOL_TH_MIN_SET (EVENT_TRACE_GROUP_THREAD_POOL | 0x27) -#define PERFINFO_LOG_TYPE_TP_POOL_TH_MAX_SET (EVENT_TRACE_GROUP_THREAD_POOL | 0x28) -#define PERFINFO_LOG_TYPE_TP_WORKER_NUMANODE_SWITCH (EVENT_TRACE_GROUP_THREAD_POOL | 0x29) -#define PERFINFO_LOG_TYPE_TP_TIMER_SET (EVENT_TRACE_GROUP_THREAD_POOL | 0x2a) -#define PERFINFO_LOG_TYPE_TP_TIMER_CANCELLED (EVENT_TRACE_GROUP_THREAD_POOL | 0x2b) -#define PERFINFO_LOG_TYPE_TP_TIMER_SET_NTTIMER (EVENT_TRACE_GROUP_THREAD_POOL | 0x2c) -#define PERFINFO_LOG_TYPE_TP_TIMER_CANCEL_NTTIMER (EVENT_TRACE_GROUP_THREAD_POOL | 0x2d) -#define PERFINFO_LOG_TYPE_TP_TIMER_EXPIRATION_BEGIN (EVENT_TRACE_GROUP_THREAD_POOL | 0x2e) -#define PERFINFO_LOG_TYPE_TP_TIMER_EXPIRATION_END (EVENT_TRACE_GROUP_THREAD_POOL | 0x2f) -#define PERFINFO_LOG_TYPE_TP_TIMER_EXPIRATION (EVENT_TRACE_GROUP_THREAD_POOL | 0x30) - - // - // Event types for UMS - // - -#define PERFINFO_LOG_TYPE_UMS_DIRECTED_SWITCH_START (EVENT_TRACE_GROUP_UMS | 0x20) -#define PERFINFO_LOG_TYPE_UMS_DIRECTED_SWITCH_END (EVENT_TRACE_GROUP_UMS | 0x21) -#define PERFINFO_LOG_TYPE_UMS_PARK (EVENT_TRACE_GROUP_UMS | 0x22) -#define PERFINFO_LOG_TYPE_UMS_DISASSOCIATE (EVENT_TRACE_GROUP_UMS | 0x23) -#define PERFINFO_LOG_TYPE_UMS_CONTEXT_SWITCH (EVENT_TRACE_GROUP_UMS | 0x24) - - // - // Event types for Cache manager - // - -#define PERFINFO_LOG_TYPE_CC_WORKITEM_ENQUEUE (EVENT_TRACE_GROUP_CC | 0x00) -#define PERFINFO_LOG_TYPE_CC_WORKITEM_DEQUEUE (EVENT_TRACE_GROUP_CC | 0x01) -#define PERFINFO_LOG_TYPE_CC_WORKITEM_COMPLETE (EVENT_TRACE_GROUP_CC | 0x02) -#define PERFINFO_LOG_TYPE_CC_READ_AHEAD (EVENT_TRACE_GROUP_CC | 0x03) -#define 
PERFINFO_LOG_TYPE_CC_WRITE_BEHIND (EVENT_TRACE_GROUP_CC | 0x04) -#define PERFINFO_LOG_TYPE_CC_LAZY_WRITE_SCAN (EVENT_TRACE_GROUP_CC | 0x05) -#define PERFINFO_LOG_TYPE_CC_CAN_I_WRITE_FAIL (EVENT_TRACE_GROUP_CC | 0x06) -// #define PERFINFO_LOG_TYPE_CC_MAP_VIEW (EVENT_TRACE_GROUP_CC | 0x07) -// #define PERFINFO_LOG_TYPE_CC_UNMAP_VIEW (EVENT_TRACE_GROUP_CC | 0x08) -#define PERFINFO_LOG_TYPE_CC_FLUSH_CACHE (EVENT_TRACE_GROUP_CC | 0x09) -#define PERFINFO_LOG_TYPE_CC_FLUSH_SECTION (EVENT_TRACE_GROUP_CC | 0x0a) -#define PERFINFO_LOG_TYPE_CC_READ_AHEAD_PREFETCH (EVENT_TRACE_GROUP_CC | 0x0b) -#define PERFINFO_LOG_TYPE_CC_SCHEDULE_READ_AHEAD (EVENT_TRACE_GROUP_CC | 0x0c) -#define PERFINFO_LOG_TYPE_CC_LOGGED_STREAM_INFO (EVENT_TRACE_GROUP_CC | 0x0d) -#define PERFINFO_LOG_TYPE_CC_EXTRA_WRITEBEHIND_THREAD (EVENT_TRACE_GROUP_CC | 0x0e) - - // - // Data structure used for WMI Kernel Events - // - // **NB** the hardware events are described in software tracing, if they - // change in layout please update sdktools\trace\tracefmt\default.tmf - -#define MAX_DEVICE_ID_LENGTH 256 -#define CONFIG_MAX_DOMAIN_NAME_LEN 134 - - typedef struct _CPU_CONFIG_RECORD - { - ULONG ProcessorSpeed; - ULONG NumberOfProcessors; - ULONG MemorySize; // in MBytes - ULONG PageSize; // in Bytes - ULONG AllocationGranularity; // in Bytes - WCHAR ComputerName[MAX_DEVICE_ID_LENGTH]; - WCHAR DomainName[CONFIG_MAX_DOMAIN_NAME_LEN]; - ULONG_PTR HyperThreadingFlag; - ULONG_PTR HighestUserAddress; - USHORT ProcessorArchitecture; - USHORT ProcessorLevel; - USHORT ProcessorRevision; - BOOLEAN NxEnabled; - BOOLEAN PaeEnabled; - ULONG MemorySpeed; - } CPU_CONFIG_RECORD, *PCPU_CONFIG_RECORD; - -#define CONFIG_WRITE_CACHE_ENABLED 0x00000001 -#define CONFIG_FS_NAME_LEN 16 -#define CONFIG_BOOT_DRIVE_LEN 3 - - typedef struct _PHYSICAL_DISK_RECORD - { - ULONG DiskNumber; - ULONG BytesPerSector; - ULONG SectorsPerTrack; - ULONG TracksPerCylinder; - ULONGLONG Cylinders; - ULONG SCSIPortNumber; - ULONG SCSIPathId; - ULONG 
SCSITargetId; - ULONG SCSILun; - WCHAR Manufacturer[MAX_DEVICE_ID_LENGTH]; - - ULONG PartitionCount; - BOOLEAN WriteCacheEnabled; - WCHAR BootDriveLetter[CONFIG_BOOT_DRIVE_LEN]; - } PHYSICAL_DISK_RECORD, *PPHYSICAL_DISK_RECORD; - -// -// Types of logical drive -// -#define CONFIG_DRIVE_PARTITION 0x00000001 -#define CONFIG_DRIVE_VOLUME 0x00000002 -#define CONFIG_DRIVE_EXTENT 0x00000004 -#define CONFIG_DRIVE_LETTER_LEN 4 - - typedef struct _LOGICAL_DISK_EXTENTS - { - ULONGLONG StartingOffset; - ULONGLONG PartitionSize; - ULONG DiskNumber; // The physical disk number where the logical drive resides - ULONG Size; // The size in bytes of the structure. - ULONG DriveType; // Logical drive type partition/volume/extend-partition - WCHAR DriveLetterString[CONFIG_DRIVE_LETTER_LEN]; - ULONG Pad; - ULONG PartitionNumber; // The partition number where the logical drive resides - ULONG SectorsPerCluster; - ULONG BytesPerSector; - LONGLONG NumberOfFreeClusters; - LONGLONG TotalNumberOfClusters; - WCHAR FileSystemType[CONFIG_FS_NAME_LEN]; - ULONG VolumeExt; // Offset to VOLUME_DISK_EXTENTS structure - } LOGICAL_DISK_EXTENTS, *PLOGICAL_DISK_EXTENTS; - - typedef struct _OPTICAL_MEDIA_RECORD - { - USHORT DiskNumber; - USHORT BusType; - USHORT DeviceType; - USHORT MediaType; - ULONGLONG StartingOffset; - ULONGLONG Size; - ULONGLONG NumberOfFreeBlocks; - ULONGLONG TotalNumberOfBlocks; - ULONGLONG NextWritableAddress; - ULONG NumberOfSessions; - ULONG NumberOfTracks; - ULONG BytesPerSector; - USHORT DiscStatus; - USHORT LastSessionStatus; - WCHAR Data[1]; - } OPTICAL_MEDIA_RECORD, *POPTICAL_MEDIA_RECORD; - -#define CONFIG_MAX_DNS_SERVER 4 -#define CONFIG_MAX_ADAPTER_ADDRESS_LENGTH 8 - - // - // Note: Data is an array of structures of type IP_ADDRESS_STRING defined in iptypes.h - // - typedef struct _NIC_RECORD - { - WCHAR NICName[MAX_DEVICE_ID_LENGTH]; - ULONG Index; - ULONG PhysicalAddrLen; - WCHAR PhysicalAddr[CONFIG_MAX_ADAPTER_ADDRESS_LENGTH]; - ULONG Size; // Size of the Data - 
LONG IpAddress; // IP Address offset. Copy bytes = sizeof(IP_ADDRESS_STRING) - LONG SubnetMask; // subnet mask offset. Copy bytes = sizeof(IP_ADDRESS_STRING) - LONG DhcpServer; // dhcp server offset. Copy bytes = sizeof(IP_ADDRESS_STRING) - LONG Gateway; // gateway offset. Copy bytes = sizeof(IP_ADDRESS_STRING) - LONG PrimaryWinsServer; // primary wins server offset. Copy bytes = sizeof(IP_ADDRESS_STRING) - LONG SecondaryWinsServer; // secondary wins server offset. Copy bytes = sizeof(IP_ADDRESS_STRING) - LONG DnsServer[CONFIG_MAX_DNS_SERVER]; // dns server offset. Copy bytes = sizeof(IP_ADDRESS_STRING) - ULONG Data; // Offset to an array of IP_ADDRESS_STRING - } NIC_RECORD, *PNIC_RECORD; - - typedef struct _VIDEO_RECORD - { - ULONG MemorySize; - ULONG XResolution; - ULONG YResolution; - ULONG BitsPerPixel; - ULONG VRefresh; - WCHAR ChipType[MAX_DEVICE_ID_LENGTH]; - WCHAR DACType[MAX_DEVICE_ID_LENGTH]; - WCHAR AdapterString[MAX_DEVICE_ID_LENGTH]; - WCHAR BiosString[MAX_DEVICE_ID_LENGTH]; - WCHAR DeviceId[MAX_DEVICE_ID_LENGTH]; - ULONG StateFlags; - } VIDEO_RECORD, *PVIDEO_RECORD; - - typedef struct _WMI_DPI_RECORD - { - ULONG MachineDPI; - ULONG UserDPI; - } WMI_DPI_RECORD, *PWMI_DPI_RECORD; - - // - // Stores the ACPI Power Information - // - typedef struct _WMI_POWER_RECORD - { - BOOLEAN SystemS1; - BOOLEAN SystemS2; - BOOLEAN SystemS3; - BOOLEAN SystemS4; // hibernate - BOOLEAN SystemS5; // off - BOOLEAN AoAc; - CHAR Pad2; - CHAR Pad3; - } WMI_POWER_RECORD, *PWMI_POWER_RECORD; - - // - // Store the IRQ assigned to devices - // - typedef struct _WMI_IRQ_RECORD - { - // Bit 0 indicates CPU0, Bit 1 indicates CPU1, and so on - ULONG64 IRQAffinity; - USHORT IRQGroup; - USHORT Reserved; - ULONG IRQNum; - ULONG DeviceDescriptionLen; - WCHAR DeviceDescription[1]; - } WMI_IRQ_RECORD, *PWMI_IRQ_RECORD; - - typedef struct _WMI_PNP_RECORD_V3 - { - ULONG IDLength; - ULONG DescriptionLength; - ULONG FriendlyNameLength; - WCHAR Strings[1]; // DeviceID, Description, Friendly, 
each NULL-terminated - } WMI_PNP_RECORD_V3, *PWMI_PNP_RECORD_V3; - - typedef struct _WMI_PNP_RECORD_V4 - { - GUID ClassGuid; - ULONG UpperFilterCount; - ULONG LowerFilterCount; - WCHAR Strings[ANYSIZE_ARRAY]; - // DeviceID (unicode string) - // Description (unicode string) - // FriendlyName (unicode string) - // PdoName (unicode string) - // ServiceName (unicode string) - // UpperFilters (unicode string) - // LowerFilters (unicode string) - } WMI_PNP_RECORD_V4, *PWMI_PNP_RECORD_V4; - - typedef struct _WMI_PNP_RECORD_V5 - { - GUID ClassGuid; - ULONG UpperFilterCount; - ULONG LowerFilterCount; - ULONG DevStatus; - ULONG DevProblem; - WCHAR Strings[ANYSIZE_ARRAY]; - // DeviceID (unicode string) - // Description (unicode string) - // FriendlyName (unicode string) - // PdoName (unicode string) - // ServiceName (unicode string) - // UpperFilters (unicode string) - // LowerFilters (unicode string) - } WMI_PNP_RECORD_V5, *PWMI_PNP_RECORD_V5; - - typedef WMI_PNP_RECORD_V5 WMI_PNP_RECORD, *PWMI_PNP_RECORD; - - // - // Store the IDE Channel (Primary/Secondary) info - // - typedef struct _WMI_IDE_CHANNEL_RECORD - { - ULONG TargetId; - ULONG DeviceType; - ULONG DeviceTimingMode; - ULONG LocationInformationLen; - WCHAR LocationInformation[1]; - } WMI_IDE_CHANNEL_RECORD, *PWMI_IDE_CHANNEL_RECORD; - - typedef struct _WMI_JOB_INFORMATION - { - GUID JobId; - ULONG JobHandle; - ULONG Flags; - NTSTATUS Status; - } WMI_JOB_INFORMATION, *PWMI_JOB_INFORMATION; - - typedef struct _WMI_JOB_ASSIGN_PROCESS - { - GUID JobId; - ULONG JobHandle; - ULONG UniqueProcessId; - NTSTATUS Status; - } WMI_JOB_ASSIGN_PROCESS, *PWMI_JOB_ASSIGN_PROCESS; - - typedef struct _WMI_JOB_REMOVE_PROCESS - { - GUID JobId; - ULONG UniqueProcessId; - ULONG RemovalFlags; - NTSTATUS ExitStatus; - } WMI_JOB_REMOVE_PROCESS, *PWMI_JOB_REMOVE_PROCESS; - - typedef struct _WMI_JOB_SET_QUERY_CPU_RATE - { - ULONG AllFlags; - ULONG Value; - } WMI_JOB_SET_QUERY_CPU_RATE, *PWMI_JOB_SET_QUERY_CPU_RATE; - - typedef struct 
_WMI_JOB_SET_QUERY_NET_RATE - { - ULONG Flags; - ULONG64 MaxBandwidth; - UCHAR DscpTag; - } WMI_JOB_SET_QUERY_NET_RATE, *PWMI_JOB_SET_QUERY_NET_RATE; - - typedef struct _WMI_JOB_SET_QUERY_INFORMATION - { - GUID JobId; - ULONG JobHandle; - ULONG JobObjectInformationClass; - } WMI_JOB_SET_QUERY_INFORMATION, *PWMI_JOB_SET_QUERY_INFORMATION; - - typedef struct _WMI_JOB_SEND_NOTIFICATION_INFORMATION - { - GUID JobId; - ULONG NotificationId; - } WMI_JOB_SEND_NOTIFICATION_INFORMATION, *PWMI_JOB_SEND_NOTIFICATION_INFORMATION; - -#define ETW_PROCESS_EVENT_FLAG_APPLICATION_ID 0x00000001 -#define ETW_PROCESS_EVENT_FLAG_WOW64 0x00000002 -#define ETW_PROCESS_EVENT_FLAG_PROTECTED 0x00000004 -#define ETW_PROCESS_EVENT_FLAG_PACKAGED 0x00000008 - - typedef struct _WMI_PROCESS_INFORMATION - { - ULONG_PTR UniqueProcessKey; - ULONG ProcessId; - ULONG ParentId; - ULONG SessionId; - NTSTATUS ExitStatus; - ULONG_PTR DirectoryTableBase; - ULONG Flags; - ULONG Sid; - // Variable length sid - // FileName (ansi string) - // CommandLine (unicode string) - // PackageFullName (unicode string) - // PRAID (unicode string) - } WMI_PROCESS_INFORMATION, *PWMI_PROCESS_INFORMATION; - - typedef struct _WMI_PROCESS_INFORMATION64 - { - ULONG64 UniqueProcessKey64; - ULONG ProcessId; - ULONG ParentId; - ULONG SessionId; - NTSTATUS ExitStatus; - ULONG64 DirectoryTableBase; - ULONG Flags; - ULONG Sid; - // Variable length data - } WMI_PROCESS_INFORMATION64, *PWMI_PROCESS_INFORMATION64; - - typedef struct _WMI_THREAD_INFORMATION - { - ULONG ProcessId; - ULONG ThreadId; - } WMI_THREAD_INFORMATION, *PWMI_THREAD_INFORMATION; - - typedef signed char SCHAR; - -#define ETW_THREAD_FLAG_REGISTRY_NOTIFICATION 0x00000001 - - typedef struct _WMI_EXTENDED_THREAD_INFORMATION - { - ULONG ProcessId; - ULONG ThreadId; - PVOID StackBase; - PVOID StackLimit; - PVOID UserStackBase; - PVOID UserStackLimit; - union - { - PVOID StartAddress; - KAFFINITY Affinity; - } DUMMYUNIONNAME; - PVOID Win32StartAddress; - PVOID TebBase; - 
ULONG SubProcessTag; - SCHAR BasePriority; - UCHAR PagePriority; - UCHAR IoPriority; - UCHAR Flags; - } WMI_EXTENDED_THREAD_INFORMATION, *PWMI_EXTENDED_THREAD_INFORMATION; - - typedef struct _WMI_EXTENDED_THREAD_INFORMATION64 - { - ULONG ProcessId; - ULONG ThreadId; - ULONG64 StackBase64; - ULONG64 StackLimit64; - ULONG64 UserStackBase64; - ULONG64 UserStackLimit64; - union - { - ULONG64 StartAddress64; - ULONG64 Affinity; - } DUMMYUNIONNAME; - ULONG64 Win32StartAddress64; - ULONG64 TebBase64; - ULONG SubProcessTag; - SCHAR BasePriority; - UCHAR PagePriority; - UCHAR IoPriority; - UCHAR Flags; - } WMI_EXTENDED_THREAD_INFORMATION64, *PWMI_EXTENDED_THREAD_INFORMATION64; - - // - // SignatureLevel flags indicating if the image is embedded or catalog signed. - // - -#define ETW_IMAGE_CATALOG_SIGNED 0x10 -#define ETW_IMAGE_EMBEDDED_SIGNED 0x20 - - typedef struct _WMI_IMAGELOAD_INFORMATION - { - PVOID ImageBase; - SIZE_T ImageSize; - ULONG ProcessId; - ULONG ImageChecksum; - ULONG TimeDateStamp; - UCHAR SignatureLevel; - UCHAR SignatureType; - USHORT Reserved0; - PVOID DefaultBase; - ULONG Reserved1; - ULONG Reserved2; - ULONG Reserved3; - ULONG Reserved4; - WCHAR FileName[1]; - } WMI_IMAGELOAD_INFORMATION, *PWMI_IMAGELOAD_INFORMATION; - - typedef struct _WMI_IMAGELOAD_INFORMATION32 - { - ULONG32 ImageBase32; - ULONG32 ImageSize32; - ULONG ProcessId; - ULONG ImageChecksum; - ULONG TimeDateStamp; - UCHAR SignatureLevel; - UCHAR SignatureType; - USHORT Reserved0; - ULONG32 DefaultBase32; - ULONG Reserved1; - ULONG Reserved2; - ULONG Reserved3; - ULONG Reserved4; - WCHAR FileName[1]; - } WMI_IMAGELOAD_INFORMATION32, *PWMI_IMAGELOAD_INFORMATION32; - - typedef struct _WMI_IMAGELOAD_INFORMATION64 - { - ULONG64 ImageBase64; - ULONG64 ImageSize64; - ULONG ProcessId; - ULONG ImageChecksum; - ULONG TimeDateStamp; - UCHAR SignatureLevel; - UCHAR SignatureType; - USHORT Reserved0; - ULONG64 DefaultBase64; - ULONG Reserved1; - ULONG Reserved2; - ULONG Reserved3; - ULONG Reserved4; - 
WCHAR FileName[1]; - } WMI_IMAGELOAD_INFORMATION64, *PWMI_IMAGELOAD_INFORMATION64; - -#include - typedef struct _WMI_IMAGEID_INFORMATION - { - PVOID ImageBase; - SIZE_T ImageSize; - ULONG ProcessId; - ULONG TimeDateStamp; - WCHAR OriginalFileName[1]; - } WMI_IMAGEID_INFORMATION, *PWMI_IMAGEID_INFORMATION; - - typedef struct _WMI_IMAGEID_INFORMATION32 - { - ULONG32 ImageBase32; - ULONG32 ImageSize32; - ULONG ProcessId; - ULONG TimeDateStamp; - WCHAR OriginalFileName[1]; - } WMI_IMAGEID_INFORMATION32, *PWMI_IMAGEID_INFORMATION32; - - typedef struct _WMI_IMAGEID_INFORMATION64 - { - ULONG64 ImageBase64; - ULONG64 ImageSize64; - ULONG ProcessId; - ULONG TimeDateStamp; - WCHAR OriginalFileName[1]; - } WMI_IMAGEID_INFORMATION64, *PWMI_IMAGEID_INFORMATION64; -#include - -#define ETW_IO_FLAG_BACKUP 0x00000001 -#define ETW_IO_FLAG_PREFETCH 0x00000002 -#define ETW_IO_FLAG_WRITE_AGGREGATION 0x00000004 - - typedef struct _ETW_DISKIO_READWRITE_V2 - { - ULONG DiskNumber; - ULONG IrpFlags; - ULONG Size; - ULONG Reserved; - ULONGLONG ByteOffset; - PVOID FileObject; - PVOID IrpAddress; - ULONGLONG HighResResponseTime; - } ETW_DISKIO_READWRITE_V2, *PETW_DISKIO_READWRITE_V2; - - typedef struct _ETW_DISKIO_READWRITE_V3 - { - ULONG DiskNumber; - ULONG IrpFlags; - ULONG Size; - ULONG Reserved; - ULONGLONG ByteOffset; - PVOID FileObject; - PVOID IrpAddress; - ULONGLONG HighResResponseTime; - ULONG IssuingThreadId; - } ETW_DISKIO_READWRITE_V3, *PETW_DISKIO_READWRITE_V3; - - typedef struct _ETW_DISKIO_FLUSH_BUFFERS_V2 - { - ULONG DiskNumber; - ULONG IrpFlags; - ULONGLONG HighResResponseTime; - PVOID IrpAddress; - } ETW_DISKIO_FLUSH_BUFFERS_V2, *PETW_DISKIO_FLUSH_BUFFERS_V2; - - typedef struct _ETW_DISKIO_FLUSH_BUFFERS_V3 - { - ULONG DiskNumber; - ULONG IrpFlags; - ULONGLONG HighResResponseTime; - PVOID IrpAddress; - ULONG IssuingThreadId; - } ETW_DISKIO_FLUSH_BUFFERS_V3, *PETW_DISKIO_FLUSH_BUFFERS_V3; - - typedef struct _ETW_DISKIO_READWRITE_V3 WMI_DISKIO_READWRITE, *PWMI_DISKIO_READWRITE; 
- typedef struct _ETW_DISKIO_FLUSH_BUFFERS_V3 WMI_DISKIO_FLUSH_BUFFERS, *PWMI_DISKIO_FLUSH_BUFFERS; - - typedef struct _WMI_DISKIO_READWRITE_INIT - { - PVOID Irp; - ULONG IssuingThreadId; - } WMI_DISKIO_READWRITE_INIT, *PWMI_DISKIO_READWRITE_INIT; - - typedef struct _WMI_DISKIO_IO_REDIRECTED_INIT - { - PVOID Irp; - PVOID FileKey; - } WMI_DISKIO_IO_REDIRECTED_INIT, *PWMI_DISKIO_IO_REDIRECTED_INIT; - - typedef struct _ETW_OPTICALIO_READWRITE - { - ULONG DiskNumber; - ULONG IrpFlags; - ULONG Size; - ULONG Reserved; - ULONGLONG ByteOffset; - PVOID FileObject; - PVOID IrpAddress; - ULONGLONG HighResResponseTime; - ULONG IssuingThreadId; - } ETW_OPTICALIO_READWRITE, *PETW_OPTICALIO_READWRITE; - - typedef struct _ETW_OPTICALIO_FLUSH_BUFFERS - { - ULONG DiskNumber; - ULONG IrpFlags; - ULONGLONG HighResResponseTime; - PVOID IrpAddress; - ULONG IssuingThreadId; - } ETW_OPTICALIO_FLUSH_BUFFERS, *PETW_OPTICALIO_FLUSH_BUFFERS; - - typedef struct _ETW_OPTICALIO_INIT - { - PVOID Irp; - ULONG IssuingThreadId; - } ETW_OPTICALIO_INIT, *PETW_OPTICALIO_INIT; - - typedef struct _WMI_REGISTRY - { - LONGLONG InitialTime; - ULONG Status; - union - { - ULONG Index; - ULONG InfoClass; - } DUMMYUNIONNAME; - PVOID Kcb; - WCHAR Name[1]; - } WMI_REGISTRY, *PWMI_REGISTRY; - - typedef struct _WMI_TXR - { - LONGLONG InitialTime; - GUID TxRGUID; - ULONG Status; - ULONG UowCount; - WCHAR Hive[1]; - } WMI_TXR, *PWMI_TXR; - - typedef struct _ETW_REGNOTIF_REGISTER - { - PVOID Notification; - PVOID Kcb; - UCHAR Type; - BOOLEAN WatchTree; - BOOLEAN Primary; - } ETW_REGNOTIF_REGISTER, *PETW_REGNOTIF_REGISTER; - - typedef struct _WMI_FILE_IO - { - PVOID FileObject; - WCHAR FileName[1]; - } WMI_FILE_IO, *PWMI_FILE_IO; - - typedef struct _WMI_TCPIP_V4 - { - ULONG ProcessId; - ULONG TransferSize; - UCHAR DestinationAddress[4]; - UCHAR SourceAddress[4]; - USHORT DestinationPort; - USHORT SourcePort; - } WMI_TCPIP_V4, *PWMI_TCPIP_V4; - - typedef struct _WMI_TCPIP_V6 - { - ULONG ProcessId; - ULONG TransferSize; 
- UCHAR DestinationAddress[16]; - UCHAR SourceAddress[16]; - USHORT DestinationPort; - USHORT SourcePort; - } WMI_TCPIP_V6, *PWMI_TCPIP_V6; - - typedef struct _WMI_UDP_V4 - { - ULONG ProcessId; - USHORT TransferSize; - UCHAR DestinationAddress[4]; - UCHAR SourceAddress[4]; - USHORT DestinationPort; - USHORT SourcePort; - } WMI_UDP_V4, *PWMI_UDP_V4; - - typedef struct _WMI_UDP_V6 - { - ULONG ProcessId; - USHORT TransferSize; - UCHAR DestinationAddress[16]; - UCHAR SourceAddress[16]; - USHORT DestinationPort; - USHORT SourcePort; - } WMI_UDP_V6, *PWMI_UDP_V6; - - typedef struct _WMI_PAGE_FAULT - { - PVOID VirtualAddress; - PVOID ProgramCounter; - } WMI_PAGE_FAULT, *PWMI_PAGE_FAULT; - - typedef struct _WMI_CONTEXTSWAP - { - ULONG NewThreadId; - ULONG OldThreadId; - - CHAR NewThreadPriority; - CHAR OldThreadPriority; - union - { - UCHAR PreviousCState; - UCHAR OldThreadRank; - } DUMMYUNIONNAME; - union - { - CHAR NewThreadPriorityDecrement; - CHAR SpareByte; - } DUMMYUNIONNAME2; - UCHAR OldThreadWaitReason; - CHAR OldThreadWaitMode; - UCHAR OldThreadState; - UCHAR OldThreadIdealProcessor; - - ULONG NewThreadWaitTime; - LONG OldThreadRemainingQuantum; - } WMI_CONTEXTSWAP, *PWMI_CONTEXTSWAP; - -#define WMI_SPINLOCK_EVENT_EXECUTE_DPC_BIT 6 -#define WMI_SPINLOCK_EVENT_EXECUTE_ISR_BIT 7 -#define WMI_SPINLOCK_ACQUIRE_MODE_MASK 0x3F - -#include - typedef struct _WMI_SPINLOCK - { - PVOID SpinLockAddress; - PVOID CallerAddress; - ULONG64 AcquireTime; - ULONG64 ReleaseTime; - ULONG WaitTimeInCycles; - ULONG SpinCount; - ULONG ThreadId; - ULONG InterruptCount; - UCHAR Irql; - UCHAR AcquireDepth; - - union - { - struct - { - UCHAR AcquireMode : 6; - UCHAR ExecuteDpc : 1; - UCHAR ExecuteIsr : 1; - }; - - UCHAR Flags; - }; - - UCHAR Reserved[5]; - } WMI_SPINLOCK, *PWMI_SPINLOCK; -#include - - // - // Logging every action on every instance of ERESOURCE is almost impossible. - // Especially for highly contented or highly frequently used instances. 
- // - // Thus logging an event is done on complete release operations - // or on excessive waits with filtering as follows: - // - // 1) For contention cases where the releasing thread either: - // 1.a) Has a wait time, e.g. it was blocked before the acquire. - // 1.b) Caused one or more other acquire attempts to be blocked. - // In such a case every N-th sample is logged. - - // 2) For a complete release (with or without contention). - // In this case every N-th sample is logged. - // - // 3) Excessive waits. - // - // Exact mapping and publishing WMI_RESOURCE_ACTIONs as values used - // internally in ..\minkernel\ntos\inc\etw.h. - // - -#define WMI_RESOURCE_ACTION_COMPLETE_RELEASE_EXCLUSIVE 0x00010022 -#define WMI_RESOURCE_ACTION_COMPLETE_RELEASE_SHARED 0x00010042 -#define WMI_RESOURCE_ACTION_WAIT_EXCESSIVE_FOR_EXCLUSIVE 0x00010224 -#define WMI_RESOURCE_ACTION_WAIT_EXCESSIVE_FOR_SHARED 0x00010244 - - typedef struct _WMI_RESOURCE - { - ULONG64 AcquireTime; - ULONG64 HoldTime; - ULONG64 WaitTime; - ULONG MaxRecursionDepth; - ULONG ThreadId; - PVOID Resource; - ULONG Action; - ULONG ContentionDelta; - } WMI_RESOURCE, *PWMI_RESOURCE; - - // - // Only log wait-events for KQUEUE and PUSHLOCK objects. Full tracing generates - // way too much data and also significantly affects performance. - // - // Also note that full tracing for PUSHLOCK objects is impossible as some routines - // are defined inline in ex.h and are already compiled into drivers. 
- // - -#define WMI_QUEUE_ACTION_WAIT_FOR_ITEM 1 - - typedef struct _WMI_QUEUE - { - PVOID Queue; - ULONG ThreadId; - UCHAR Action; - } WMI_QUEUE, *PWMI_QUEUE; - -#define WMI_PUSHLOCK_ACTION_WAIT_FOR_EXCLUSIVE 1 -#define WMI_PUSHLOCK_ACTION_WAIT_FOR_SHARED 2 - - typedef struct _WMI_PUSHLOCK - { - PVOID PushLock; - ULONG ThreadId; - UCHAR Action; - } WMI_PUSHLOCK, *PWMI_PUSHLOCK; - - typedef struct _WMI_WAIT_SINGLE - { - ULONG ThreadId; - PVOID Object; - UCHAR ObjectType; - } WMI_WAIT_SINGLE, *PWMI_WAIT_SINGLE; - - typedef struct _WMI_WAIT_OBJECT_RECORD - { - PVOID Object; - UCHAR ObjectType; - } WMI_WAIT_OBJECT_RECORD, *PWMI_WAIT_OBJECT_RECORD; - -#define WMI_WAIT_MULTIPLE_MAX_OBJECTS 64 - -#define WMI_WAIT_MULTIPLE_WAIT_ANY 1 -#define WMI_WAIT_MULTIPLE_WAIT_ALL 2 - - typedef struct _WMI_WAIT_MULTIPLE - { - ULONG ThreadId; - UCHAR WaitType; - UCHAR ObjectCount; - WMI_WAIT_OBJECT_RECORD ObjectRecord[WMI_WAIT_MULTIPLE_MAX_OBJECTS]; - } WMI_WAIT_MULTIPLE, *PWMI_WAIT_MULTIPLE; - -#define WMI_WAIT_MULTIPLE_HEADER_SIZE (sizeof(PVOID) + sizeof(UCHAR)) - - typedef struct _WMI_DELAY_EXECUTION - { - ULONG ThreadId; - ULONGLONG Delta; - } WMI_DELAY_EXECUTION, *PWMI_DELAY_EXECUTION; - - // - // Scheduler events. - // - typedef struct _ETW_READY_THREAD_EVENT - { - ULONG ThreadId; - UCHAR AdjustReason; - SCHAR AdjustIncrement; - union - { - struct - { - UCHAR ExecutingDpc : 1; - UCHAR KernelStackNotResident : 1; - UCHAR ProcessOutOfMemory : 1; - UCHAR DirectSwitchAttempt : 1; - UCHAR Reserved : 4; - } DUMMYSTRUCTNAME; - UCHAR Flags; - } DUMMYUNIONNAME; - UCHAR SpareByte; - } ETW_READY_THREAD_EVENT, *PETW_READY_THREAD_EVENT; - - // - // Kernel Queue events. 
- // - typedef struct _ETW_KQUEUE_ENQUEUE_EVENT - { - PVOID Entry; - ULONG ThreadId; - } ETW_KQUEUE_ENQUEUE_EVENT, *PETW_KQUEUE_ENQUEUE_EVENT; - - typedef struct _ETW_KQUEUE_DEQUEUE_EVENT - { - ULONG ThreadId; - ULONG EntryCount; - PVOID Entries[ANYSIZE_ARRAY]; - } ETW_KQUEUE_DEQUEUE_EVENT, *PETW_KQUEUE_DEQUEUE_EVENT; - - // - // Anti-starvation boost by BalanceSetmanager event. - // - - typedef struct _ETW_ANTI_STARVATION_BOOST_EVENT - { - ULONG ThreadId; - USHORT ProcessorIndex; - SCHAR OldPriority; - UCHAR SpareByte; - } ETW_ANTI_STARVATION_BOOST_EVENT, *PETW_ANTI_STARVATION_BOOST_EVENT; - - // - // AutoBoost priority-inversion avoidance events. - // - typedef struct _ETW_AUTOBOOST_SET_PRIORITY_FLOOR_EVENT - { - PVOID Lock; - ULONG ThreadId; - SCHAR NewCpuPriorityFloor; - SCHAR OldCpuPriority; - union - { - struct - { - SCHAR NewIoPriorityFloor : 4; - SCHAR OldIoPriority : 4; - }; - SCHAR IoPriorities; - }; - - union - { - struct - { - UCHAR ExecutingDpc : 1; - UCHAR WakeupBoost : 1; - UCHAR BoostedOutstandingIrps : 1; - UCHAR Reserved : 5; - }; - UCHAR Flags; - }; - } ETW_AUTOBOOST_SET_PRIORITY_FLOOR_EVENT, *PETW_AUTOBOOST_SET_PRIORITY_FLOOR_EVENT; - - typedef struct _ETW_AUTOBOOST_CLEAR_PRIORITY_FLOOR_EVENT - { - PVOID Lock; - ULONG ThreadId; - union - { - // - // The order of bits in this field must be the same as the bitmap field - // in KLOCK_ENTRY. - // - struct - { - USHORT IoBoost : 1; - USHORT CpuBoostsBitmap : 15; - }; - USHORT BoostBitmap; - }; - USHORT Reserved; - } ETW_AUTOBOOST_CLEAR_PRIORITY_FLOOR_EVENT, *PETW_AUTOBOOST_CLEAR_PRIORITY_FLOOR_EVENT; - - typedef struct _ETW_AUTOBOOST_NO_ENTRIES_EVENT - { - PVOID Lock; - ULONG ThreadId; - } ETW_AUTOBOOST_NO_ENTRIES_EVENT, *PETW_AUTOBOOST_NO_ENTRIES_EVENT; - - // - // Priority and affinity change events. 
- // - typedef struct _ETW_PRIORITY_EVENT - { - ULONG ThreadId; - SCHAR OldPriority; - SCHAR NewPriority; - SCHAR DynamicPriority; // SetBasePriority events only - SCHAR Reserved; - } ETW_PRIORITY_EVENT, *PETW_PRIORITY_EVENT; - - typedef struct _ETW_THREAD_AFFINITY_EVENT - { - KAFFINITY Mask; - ULONG ThreadId; - USHORT Group; - USHORT Reserved; - } ETW_THREAD_AFFINITY_EVENT, *PETW_THREAD_AFFINITY_EVENT; - - typedef struct _ETW_DEBUG_PRINT_EVENT - { - ULONG Component; - ULONG Level; - CHAR Message[1]; - } ETW_DEBUG_PRINT_EVENT, *PETW_DEBUG_PRINT_EVENT; - - // - // Note that BIGPOOL mask is carefully chosen to avoid conflict, and - // this is only for instrumentation. So, there is possibility that - // mask is used by pool component at future. - // - -#define ETW_POOLTRACE_BIGPOOL_MASK 0x10000000 - - typedef struct _ETW_POOL_EVENT - { - ULONG PoolType; - ULONG Tag; - SIZE_T NumberOfBytes; - PVOID Entry; - } ETW_POOL_EVENT, *PETW_POOL_EVENT; - - // - // Object Manager events - // - -#define ETW_KERNEL_HANDLE_MASK 0x80000000 - - typedef struct _ETW_CREATE_HANDLE_EVENT - { - PVOID Object; - ULONG Handle; - USHORT ObjectType; - } ETW_CREATE_HANDLE_EVENT, *PETW_CREATE_HANDLE_EVENT; - - typedef ETW_CREATE_HANDLE_EVENT ETW_CLOSE_HANDLE_EVENT, *PETW_CLOSE_HANDLE_EVENT; - -#include - typedef struct _ETW_DUPLICATE_HANDLE_EVENT - { - PVOID Object; - ULONG SourceHandle; - ULONG TargetHandle; - ULONG TargetProcessId; - USHORT ObjectType; - ULONG SourceProcessId; - } ETW_DUPLICATE_HANDLE_EVENT, *PETW_DUPLICATE_HANDLE_EVENT; -#include - - typedef struct _ETW_OBJECT_TYPE_EVENT - { - USHORT ObjectType; - USHORT Reserved; - WCHAR Name[ANYSIZE_ARRAY]; - } ETW_OBJECT_TYPE_EVENT, *PETW_OBJECT_TYPE_EVENT; - - typedef struct _ETW_OBJECT_HANDLE_EVENT - { - PVOID Object; - ULONG ProcessId; - ULONG Handle; - USHORT ObjectType; - } ETW_OBJECT_HANDLE_EVENT, *PETW_OBJECT_HANDLE_EVENT; - - typedef struct _ETW_REFDEREF_OBJECT_EVENT - { - PVOID Object; - ULONG Tag; - ULONG Count; - } 
ETW_REFDEREF_OBJECT_EVENT, *PETW_REFDEREF_OBJECT_EVENT; - - typedef struct _ETW_CREATEDELETE_OBJECT_EVENT - { - PVOID Object; - USHORT ObjectType; - } ETW_CREATEDELETE_OBJECT_EVENT, *PETW_CREATEDELETE_OBJECT_EVENT; - - // - // Wake Counter events - // - typedef struct _ETW_WAKE_COUNTER_EVENT - { - PVOID Object; - ULONG_PTR Tag; - ULONG ProcessId; - LONG Count; - } ETW_WAKE_COUNTER_EVENT, *PETW_WAKE_COUNTER_EVENT; - - // - // Heap events - // - -#include - typedef struct _ETW_HEAP_EVENT_COMMON - { - SYSTEM_TRACE_HEADER Header; // Header - PVOID Handle; // Handle of Heap - } ETW_HEAP_EVENT_COMMON, *PETW_HEAP_EVENT_COMMON; -#include - -#include - typedef struct _ETW_HEAP_EVENT_ALLOC - { - SYSTEM_TRACE_HEADER Header; // Header - PVOID HeapHandle; // Handle of Heap - SIZE_T Size; // Size of allocation in bytes - PVOID Address; // Address of Allocation - ULONG Source; // Type ie Lookaside, Lowfrag or main path - - } ETW_HEAP_EVENT_ALLOC, *PETW_HEAP_EVENT_ALLOC; -#include - -#include - typedef struct _ETW_HEAP_EVENT_FREE - { - SYSTEM_TRACE_HEADER Header; // Header - PVOID HeapHandle; // Handle of Heap - PVOID Address; // Address to free - ULONG Source; // Type ie Lookaside, Lowfrag or main path - - } ETW_HEAP_EVENT_FREE, *PETW_HEAP_EVENT_FREE; -#include - -#include - typedef struct _ETW_HEAP_EVENT_REALLOC - { - SYSTEM_TRACE_HEADER Header; // Header - PVOID HeapHandle; // Handle of Heap - PVOID NewAddress; // New Address returned to user - PVOID OldAddress; // Old Address got from user - SIZE_T NewSize; // New Size in bytes - SIZE_T OldSize; // Old Size in bytes - ULONG Source; // Type ie Lookaside, Lowfrag or main path - } ETW_HEAP_EVENT_REALLOC, *PETW_HEAP_EVENT_REALLOC; -#include - -#include - typedef struct _ETW_HEAP_EVENT_EXPANSION - { - SYSTEM_TRACE_HEADER Header; // Header - PVOID HeapHandle; // Handle of Heap - SIZE_T CommittedSize; // Memory Size in bytes actually committed - PVOID Address; // Address of free block or segment - SIZE_T FreeSpace; // Total free 
Space in Heap - SIZE_T CommittedSpace; // Memory Committed - SIZE_T ReservedSpace; // Memory reserved - ULONG NoOfUCRs; // Number of uncommitted ranges - SIZE_T AllocatedSpace; // Memory allocated - } ETW_HEAP_EVENT_EXPANSION, *PETW_HEAP_EVENT_EXPANSION; -#include - -#include - typedef struct _ETW_HEAP_EVENT_CONTRACTION - { - SYSTEM_TRACE_HEADER Header; // Header - PVOID HeapHandle; // Handle of Heap - SIZE_T DeCommitSize; // The size of DeCommitted Block - PVOID DeCommitAddress; // Address of the Decommitted block - SIZE_T FreeSpace; // Total free Space in Heap in bytes - SIZE_T CommittedSpace; // Memory Committed in bytes - SIZE_T ReservedSpace; // Memory reserved in bytes - ULONG NoOfUCRs; // Number of UnCommitted Ranges - SIZE_T AllocatedSpace; // Memory allocated - - } ETW_HEAP_EVENT_CONTRACTION, *PETW_HEAP_EVENT_CONTRACTION; -#include - -#include - typedef struct _ETW_HEAP_EVENT_CREATE - { - SYSTEM_TRACE_HEADER Header; // Header - PVOID HeapHandle; // Handle of Heap - ULONG Flags; // Flags passed while creating heap. 
- SIZE_T ReserveSize; - SIZE_T CommitSize; - SIZE_T AllocatedSize; - } ETW_HEAP_EVENT_CREATE, *PETW_HEAP_EVENT_CREATE; -#include - -#define HEAP_LOG_CREATE_HEAP 1 -#define HEAP_LOG_FIND_AND_COMMIT_PAGES 2 -#define HEAP_LOG_INITIALIZE_SEGMENT 3 -#define HEAP_LOG_EXTEND_HEAP 4 -#define HEAP_LOG_DECOMMIT_FREE_BLOCK 5 -#define HEAP_LOG_DECOMMIT_FREE_BLOCK2 6 -#define HEAP_LOG_DECOMMIT_BLOCK 7 -#define HEAP_LOG_COMMIT_BLOCK 8 -#define HEAP_LOG_ALLOCATE_HEAP 9 -#define HEAP_LOG_COMMIT_AND_INITIALIZE_PAGES 10 -#define HEAP_LOG_ALLOCATE_SEGMENT_HEAP 11 -#define HEAP_LOG_ALLOCATE_NEW_SEGMENT 12 -#define HEAP_LOG_DECOMMIT_PAGE_RANGE 13 - - typedef struct _HEAP_EVENT_COMMIT_DECOMMIT - { - PVOID HeapHandle; - PVOID Block; - SIZE_T Size; - ULONG Caller; - } HEAP_EVENT_COMMIT_DECOMMIT, *PHEAP_EVENT_COMMIT_DECOMMIT; - - typedef struct _HEAP_COMMIT_DECOMMIT - { - SYSTEM_TRACE_HEADER Header; - HEAP_EVENT_COMMIT_DECOMMIT Event; - } HEAP_COMMIT_DECOMMIT, *PHEAP_COMMIT_DECOMMIT; - - typedef struct _HEAP_EVENT_SUBSEGMENT_ALLOC_FREE - { - PVOID HeapHandle; - PVOID SubSegment; - SIZE_T SubSegmentSize; - SIZE_T BlockSize; - } HEAP_EVENT_SUBSEGMENT_ALLOC_FREE, *PHEAP_EVENT_SUBSEGMENT_ALLOC_FREE; - - typedef struct _HEAP_SUBSEGMENT_FREE - { - SYSTEM_TRACE_HEADER Header; - HEAP_EVENT_SUBSEGMENT_ALLOC_FREE Event; - } HEAP_SUBSEGMENT_FREE, *PHEAP_SUBSEGMENT_FREE; - - typedef struct _HEAP_SUBSEGMENT_ALLOC - { - SYSTEM_TRACE_HEADER Header; - HEAP_EVENT_SUBSEGMENT_ALLOC_FREE Event; - } HEAP_SUBSEGMENT_ALLOC, *PHEAP_SUBSEGMENT_ALLOC; - -#include - typedef struct _HEAP_SUBSEGMENT_INIT - { - SYSTEM_TRACE_HEADER Header; - PVOID HeapHandle; - PVOID SubSegment; - SIZE_T BlockSize; - SIZE_T BlockCount; - ULONG AffinityIndex; - } HEAP_SUBSEGMENT_INIT, *PHEAP_SUBSEGMENT_INIT; -#include - -#include - typedef struct _HEAP_AFFINITY_MANAGER_ENABLE - { - SYSTEM_TRACE_HEADER Header; - PVOID HeapHandle; - ULONG BucketIndex; - } HEAP_AFFINITY_MANAGER_ENABLE, *PHEAP_AFFINITY_MANAGER_ENABLE; -#include - -#include - 
typedef struct _HEAP_AFFINITY_SLOT_ASSIGN - { - SYSTEM_TRACE_HEADER Header; - PVOID HeapHandle; - PVOID SubSegment; - ULONG SlotIndex; - } HEAP_AFFINITY_SLOT_ASSIGN, *PHEAP_AFFINITY_SLOT_ASSIGN; -#include - -#include - typedef struct _HEAP_REUSE_THRESHOLD_ACTIVATED - { - SYSTEM_TRACE_HEADER Header; - PVOID HeapHandle; - PVOID SubSegment; - ULONG BucketIndex; - } HEAP_REUSE_THRESHOLD_ACTIVATED, *PHEAP_REUSE_THRESHOLD_ACTIVATED; -#include - -#include - typedef struct _HEAP_SUBSEGMENT_ACTIVATED - { - SYSTEM_TRACE_HEADER Header; - PVOID HeapHandle; - PVOID SubSegment; - } HEAP_SUBSEGMENT_ACTIVATED, *PHEAP_SUBSEGMENT_ACTIVATED; -#include - -#include - typedef struct _ETW_HEAP_EVENT_SNAPSHOT - { - SYSTEM_TRACE_HEADER Header; // Header - PVOID HeapHandle; // Handle of Heap - SIZE_T FreeSpace; // Total free Space in Heap in bytes - SIZE_T CommittedSpace; // Memory Committed in bytes - SIZE_T ReservedSpace; // Memory reserved in bytes - ULONG Flags; // Flags passed while creating heap. - ULONG ProcessId; - SIZE_T LargeUCRSpace; - ULONG FreeListLength; - ULONG UCRLength; - SIZE_T AllocatedSpace; // Total allocated space in heap, in bytes - } ETW_HEAP_EVENT_SNAPSHOT, *PETW_HEAP_EVENT_SNAPSHOT; -#include - -#include - typedef struct _ETW_HEAP_EVENT_RUNDOWN_RANGE - { - PVOID Address; - SIZE_T Size; - } ETW_HEAP_EVENT_RUNDOWN_RANGE, *PETW_HEAP_EVENT_RUNDOWN_RANGE; -#include - -#include - typedef struct _ETW_HEAP_EVENT_RUNDOWN - { - SYSTEM_TRACE_HEADER Header; // Header - PVOID HeapHandle; - ULONG Flags; - ULONG ProcessId; - ULONG RangeCount; - ULONG Reserved; // for padding - ETW_HEAP_EVENT_RUNDOWN_RANGE Ranges[1]; - } ETW_HEAP_EVENT_RUNDOWN, *PETW_HEAP_EVENT_RUNDOWN; -#include - - typedef struct _HEAP_EVENT_RANGE_CREATE - { - PVOID HeapHandle; - SIZE_T FirstRangeSize; - ULONG Flags; - } HEAP_EVENT_RANGE_CREATE, *PHEAP_EVENT_RANGE_CREATE; - - typedef struct _HEAP_EVENT_RANGE - { - PVOID HeapHandle; - PVOID Address; - SIZE_T Size; - } HEAP_EVENT_RANGE, *PHEAP_EVENT_RANGE; - - 
typedef struct _HEAP_RANGE_CREATE - { - SYSTEM_TRACE_HEADER Header; - HEAP_EVENT_RANGE_CREATE Event; - } HEAP_RANGE_CREATE, *PHEAP_RANGE_CREATE; - - typedef struct _HEAP_RANGE_DESTROY - { - SYSTEM_TRACE_HEADER Header; - PVOID HeapHandle; - } HEAP_RANGE_DESTROY, *PHEAP_RANGE_DESTROY; - - typedef struct _HEAP_RANGE_LOG - { - SYSTEM_TRACE_HEADER Header; - HEAP_EVENT_RANGE Range; - } HEAP_RANGE_LOG, *PHEAP_RANGE_LOG; - - typedef struct _ETW_CRITSEC_EVENT_COLLISION - { - SYSTEM_TRACE_HEADER Header; // Header - ULONG LockCount; // Lock Count - ULONG SpinCount; // Spin Count - PVOID OwningThread; // Thread having Lock - PVOID Address; // Address of Critical Section - } ETW_CRITSEC_EVENT_COLLISION, *PETW_CRITSEC_EVENT_COLLISION; - - typedef struct _ETW_CRITSEC_EVENT_INIT - { - SYSTEM_TRACE_HEADER Header; // Header - PVOID SpinCount; // Spin Count - PVOID Address; // Address of Critical Section - } ETW_CRITSEC_EVENT_INIT, *PETW_CRITSEC_EVENT_INIT; - - typedef struct _STACK_WALK_EVENT_DATA - { - ULONGLONG TimeStamp; - ULONG ProcessId; - ULONG ThreadId; - PVOID Addresses[1]; // Address of captured Stack address - } STACK_WALK_EVENT_DATA, *PSTACK_WALK_EVENT_DATA; - - typedef struct _LOAD_DLL_EVENT_DATA - { - WCHAR ImageName[1]; - } LOAD_DLL_EVENT_DATA, *PLOAD_DLL_EVENT_DATA; - - typedef struct _CM_PERF_COUNTERS - { - ULONGLONG OpenedKeys; // number of kcbs in the system - ULONGLONG DelayCloseKCBs; // number of kcbs in delay close - ULONGLONG PrivateAllocPages; // number of pages used by the private allocator for kcbs - ULONGLONG PrivateAllocFree; // number of fixed size allocations which are currently free - ULONGLONG PrivateAllocUsed; // number of fixed size allocations which are currently in use - ULONGLONG LookupCacheHit; // cache hit - ULONGLONG LookupCacheMissFound; // cache miss but key was opened from the hive - ULONGLONG LookupCacheMissNotFound; // cache miss; key does not exist - ULONGLONG ViewMap; // number of times we mapped a view - ULONGLONG ViewUnMap; // number 
of times we mapped a view - ULONGLONG HiveShrink; // number of times we have shrunk a hive - } CM_PERF_COUNTERS, *PCM_PERF_COUNTERS; - - // - // The class scheduler events - // - typedef struct _CI_LOG_SCHEDULER_EVENT - { - EVENT_TRACE_HEADER Header; // Header - ULONG ProcessId; // Process id of the the thread being scheduled - ULONG ThreadId; // Thread id of the thread being scheduled - ULONG Priority; // Scheduling priority - ULONG TaskIndex; // Task index the thread being scheduled linked to. - } CI_LOG_SCHEDULER_EVENT, *PCI_LOG_SCHEDULER_EVENT; - - typedef struct _CI_LOG_SCHEDULER_WAKEUP - { - EVENT_TRACE_HEADER Header; // Header - ULONG Reason; - } CI_LOG_SCHEDULER_WAKEUP, *PCI_LOG_SCHEDULER_WAKEUP; - - typedef struct _CI_LOG_SCHEDULER_SLEEP - { - EVENT_TRACE_HEADER Header; // Header - } CI_LOG_SCHEDULER_SLEEP, *PCI_LOG_SCHEDULER_SLEEP; - - typedef struct _CI_LOG_SCHEDULER_SLEEP_RESPONSE - { - EVENT_TRACE_HEADER Header; // Header - } CI_LOG_SCHEDULER_SLEEP_RESPONSE, *PCI_LOG_SCHEDULER_SLEEP_RESPONSE; - - typedef struct _CI_LOG_MMCSS_START - { - EVENT_TRACE_HEADER Header; // Header - } CI_LOG_MMCSS_START, *PCI_LOG_MMCSS_START; - - typedef struct _CI_LOG_MMCSS_STOP - { - EVENT_TRACE_HEADER Header; // Header - } CI_LOG_MMCSS_STOP, *PCI_LOG_MMCSS_STOP; - -// -// UMS events. 
-// -#define UMS_ETW_DIRECTED_SWITCH_START_VOLATILE (0x1) - - typedef struct _ETW_UMS_EVENT_DIRECTED_SWITCH_START - { - ULONG ProcessId; - ULONG ScheduledThreadId; - ULONG PrimaryThreadId; - ULONG SwitchFlags; - } ETW_UMS_EVENT_DIRECTED_SWITCH_START, *PETW_UMS_EVENT_DIRECTED_SWITCH_START; - -#define UMS_ETW_DIRECTED_SWITCH_END_FAST (0x1) - - typedef struct _ETW_UMS_EVENT_DIRECTED_SWITCH_END - { - ULONG ProcessId; - ULONG ScheduledThreadId; - ULONG PrimaryThreadId; - ULONG SwitchFlags; - } ETW_UMS_EVENT_DIRECTED_SWITCH_END, *PETW_UMS_EVENT_DIRECTED_SWITCH_END; - -#define UMS_ETW_PARK_VOLATILE (0x1) -#define UMS_ETW_PARK_PRIMARY_PRESENT (0x2) -#define UMS_ETW_PARK_PRIMARY_DELIVERED_CONTEXT (0x4) - - typedef struct _ETW_UMS_EVENT_PARK - { - ULONG ProcessId; - ULONG ScheduledThreadId; - ULONG ParkFlags; - } ETW_UMS_EVENT_PARK, *PETW_UMS_EVENT_PARK; - - typedef struct _ETW_UMS_EVENT_DISASSOCIATE - { - ULONG ProcessId; - ULONG ScheduledThreadId; - ULONG PrimaryThreadId; - ULONG UmsApcControlFlags; - NTSTATUS Status; - } ETW_UMS_EVENT_DISASSOCIATE, *PETW_UMS_EVENT_DISASSOCIATE; - - typedef struct _ETW_UMS_EVENT_CONTEXT_SWITCH - { - SYSTEM_TRACE_HEADER Header; - ULONG ScheduledThreadId; - ULONG SwitchCount; - ULONG KernelYieldCount; - ULONG MixedYieldCount; - ULONG YieldCount; // Used to determine event size; needs to be the last field. - } ETW_UMS_EVENT_CONTEXT_SWITCH, *PETW_UMS_EVENT_CONTEXT_SWITCH; - - // - // For ETW_SET_TIMER_EVENT, Period must always be defined as the last member as - // the same structure is used for periodic and one-shot timers. In the latter - // case, the payload size is truncated to ignore the period field. 
- // - typedef struct _ETW_SET_TIMER_EVENT - { - ULONG64 ExpectedDueTime; - ULONG_PTR TimerAddress; - USHORT TargetProcessorGroup; - UCHAR TargetProcessorIndex; - UCHAR Flags; - ULONG Period; - UCHAR EncodedDelay; - UCHAR Reserved0; - USHORT Reserved1; - } ETW_SET_TIMER_EVENT, *PETW_SET_TIMER_EVENT; - - typedef struct _ETW_CANCEL_TIMER_EVENT - { - ULONG_PTR TimerAddress; - } ETW_CANCEL_TIMER_EVENT, *PETW_CANCEL_TIMER_EVENT; - - typedef struct _ETW_TIMER_EXPIRATION_EVENT - { - ULONG64 ExpectedDueTime; - ULONG_PTR TimerAddress; - ULONG_PTR DeferredRoutine; - UCHAR EncodedDelay; - } ETW_TIMER_EXPIRATION_EVENT, *PETW_TIMER_EXPIRATION_EVENT; - - typedef struct _ETW_TIMER_EXPIRATION_START_EVENT - { - ULONG64 InterruptTime; - } ETW_TIMER_EXPIRATION_START_EVENT, *PETW_TIMER_EXPIRATION_START_EVENT; - -#define ETW_KTIMER2_HAS_CALLBACK 0x01 -#define ETW_KTIMER2_PERIODIC 0x02 -#define ETW_KTIMER2_IDLE_RESILIENT 0x04 -#define ETW_KTIMER2_HIGH_RESOLUTION 0x08 -#define ETW_KTIMER2_NO_WAKE 0x10 -#define ETW_KTIMER2_NO_WAKE_FINITE 0x20 - - // - // Define timer events. 
- // - -#define ETW_TIMER_COALESCABLE 0x01 -#define ETW_TIMER_DPC 0x02 -#define ETW_TIMER_IDLE_RESILIENT ETW_KTIMER2_IDLE_RESILIENT -#define ETW_TIMER_HIGH_RESOLUTION ETW_KTIMER2_HIGH_RESOLUTION -#define ETW_TIMER_NO_WAKE ETW_KTIMER2_NO_WAKE - - typedef struct _ETW_SET_KTIMER2_EVENT - { - ULONG64 DueTime; - ULONG64 MaximumDueTime; - ULONG64 Period; - ULONG_PTR TimerKey; - ULONG_PTR Callback; - ULONG_PTR CallbackContextKey; - UCHAR Flags; - } ETW_SET_KTIMER2_EVENT, *PETW_SET_KTIMER2_EVENT; - - typedef ETW_SET_KTIMER2_EVENT ETW_KTIMER2_EXPIRATION_EVENT, *PETW_KTIMER2_EXPIRATION_EVENT; - - typedef struct _ETW_CANCEL_KTIMER2_EVENT - { - ULONG_PTR TimerKey; - } ETW_CANCEL_KTIMER2_EVENT, *PETW_CANCEL_KTIMER2_EVENT; - -#define ETW_DISABLE_KTIMER2_CANCEL 0x1 -#define ETW_DISABLE_KTIMER2_WAIT 0x2 -#define ETW_DISABLE_KTIMER2_DELAYED 0x4 -#define ETW_DISABLE_KTIMER2_HAS_DISABLE_CALLBACK 0x8 - - typedef struct _ETW_DISABLE_KTIMER2_EVENT - { - ULONG_PTR TimerKey; - ULONG_PTR DisableCallback; - ULONG_PTR DisableContextKey; - UCHAR Flags; - } ETW_DISABLE_KTIMER2_EVENT, *PETW_DISABLE_KTIMER2_EVENT; - - typedef struct _ETW_FINALIZE_KTIMER2_EVENT - { - ULONG_PTR TimerKey; - ULONG_PTR DisableCallback; - ULONG_PTR DisableContextKey; - } ETW_FINALIZE_KTIMER2_EVENT, *PETW_FINALIZE_KTIMER2_EVENT; - - // - // Clock event definitions. 
- // - typedef enum _PERFINFO_DYNAMIC_TICK_VETO_REASON - { - DynamicTickVetoNone = 0, - DynamicTickVetoProcBusy, - DynamicTickVetoSoftwareTimer, - DynamicTickVetoClockConstraint, - DynamicTickVetoClockOutOfSync, - DynamicTickVetoClockUpdateFailed, - DynamicTickVetoMax - } PERFINFO_DYNAMIC_TICK_VETO_REASON, - *PPERFINFO_DYNAMIC_TICK_VETO_REASON; - - typedef enum _PERFINFO_DYNAMIC_TICK_DISABLE_REASON - { - DynamicTickDisableReasonNone = 0, - DynamicTickDisableReasonBcdOverride, - DynamicTickDisableReasonNoHwSupport, - DynamicTickDisableReasonEmOverride, - DynamicTickDisableReasonMax - } PERFINFO_DYNAMIC_TICK_DISABLE_REASON, - *PPERFINFO_DYNAMIC_TICK_DISABLE_REASON; - - typedef struct _ETW_CLOCK_CONFIGURATION_EVENT - { - ULONG KnownType; - ULONG Capabilities; - PERFINFO_DYNAMIC_TICK_DISABLE_REASON DisableReason; - } ETW_CLOCK_CONFIGURATION_EVENT, *PETW_CLOCK_CONFIGURATION_EVENT; - - typedef struct _ETW_CLOCK_TIME_UPDATE - { - ULONG64 InterruptTime; - ULONG ClockOwner; - } ETW_CLOCK_TIME_UPDATE, *PETW_CLOCK_TIME_UPDATE; - - typedef struct _ETW_CLOCK_STATE_CHANGE_EVENT - { - UCHAR NewState; - UCHAR PrevState; - UCHAR Reserved[6]; - union - { - struct - { - ULONG64 DeliveredIncrement; - ULONG64 RequestedIncrement; - }; - ULONG64 NextClockUpdateTime; - }; - } ETW_CLOCK_STATE_CHANGE_EVENT, *PETW_CLOCK_STATE_CHANGE_EVENT; - - // - // DFSS Events - // - typedef struct _ETW_PER_SESSION_QUOTA - { - ULONG SessionId; - ULONG CpuShareWeight; - LONGLONG CapturedWeightData; - ULONG64 CyclesAccumulated; - } ETW_PER_SESSION_QUOTA, *PETW_PER_SESSION_QUOTA; - - typedef struct _ETW_DFSS_START_NEW_INTERVAL - { - ULONG CurrentGeneration; - ULONG SessionCount; - ULONG64 TotalCycleCredit; - ULONG64 TotalCyclesAccumulated; - ETW_PER_SESSION_QUOTA SessionQuota[1]; - } ETW_DFSS_START_NEW_INTERVAL, *PETW_DFSS_START_NEW_INTERVAL; - - typedef struct _ETW_DFSS_RELEASE_THREAD_ON_IDLE - { - ULONG CurrentGeneration; - ULONG SessionSelectedToRun; - ULONG64 CycleBaseAllowance; - LONG64 CyclesRemaining; 
- } ETW_DFSS_RELEASE_THREAD_ON_IDLE, *PETW_DFSS_RELEASE_THREAD_ON_IDLE; - - typedef struct _ETW_CPU_CACHE_FLUSH_EVENT - { - PVOID Address; - SIZE_T Bytes; - BOOLEAN Clean; - BOOLEAN FullFlush; - BOOLEAN Rectangle; - BOOLEAN Reserved0; - ULONG Reserved1; - } ETW_CPU_CACHE_FLUSH_EVENT, *PETW_CPU_CACHE_FLUSH_EVENT; - - DEFINE_GUID(/* 2b88b710-1c93-4f7c-b06c-655ecc50decc */ - EtwSecondaryDumpDataGuid, - 0x2b88b710, - 0x1c93, - 0x4f7c, - 0xb0, 0x6c, 0x65, 0x5e, 0xcc, 0x50, 0xde, 0xcc); - -// -// CKCL Name and Guid -// -#define CKCL_NAMEW L"Circular Kernel Context Logger" -#define CKCL_NAMEA "Circular Kernel Context Logger" - - DEFINE_GUID(/* 54dea73a-ed1f-42a4-af71-3e63d056f174 */ - CKCLGuid, - 0x54dea73a, - 0xed1f, - 0x42a4, - 0xaf, 0x71, 0x3e, 0x63, 0xd0, 0x56, 0xf1, 0x74); - -// -// Audit Session Name and Guid -// -#define AUDIT_LOGGER_NAMEW L"Eventlog-Security" -#define AUDIT_LOGGER_NAMEA "Eventlog-Security" - - DEFINE_GUID(/* 0e66e20b-b802-ba6a-9272-31199d0ed295 */ - AuditLoggerGuid, - 0x0e66e20b, - 0xb802, - 0xba6a, - 0x92, 0x72, 0x31, 0x19, 0x9d, 0x0e, 0xd2, 0x95); - - // - // Security Provider (LSASS) Guid - // - DEFINE_GUID(/* 54849625-5478-4994-a5ba-3e3b0328c30d */ - SecurityProviderGuid, - 0x54849625, - 0x5478, - 0x4994, - 0xa5, 0xba, 0x3e, 0x3b, 0x03, 0x28, 0xc3, 0x0d); - - DEFINE_GUID(/* 472496cf-0daf-4f7c-ac2e-3f8457ecc6bb */ - PrivateLoggerSecurityGuid, - 0x472496cf, - 0x0daf, - 0x4f7c, - 0xac, 0x2e, 0x3f, 0x84, 0x57, 0xec, 0xc6, 0xbb); - - // - // Spare guids for Perf/System events. 
- // - - DEFINE_GUID(/* e8908abc-aa84-11d2-9a93-00805f85d7c6 */ - GlobalLoggerGuid, - 0xe8908abc, - 0xaa84, - 0x11d2, - 0x9a, 0x93, 0x00, 0x80, 0x5f, 0x85, 0xd7, 0xc6); - - DEFINE_GUID(/* 8d40301f-ab4a-11d2-9a93-00805f85d7c6 */ - GenericMessageGuid, - 0x8d40301f, - 0xab4a, - 0x11d2, - 0x9a, 0x93, 0x00, 0x80, 0x5f, 0x85, 0xd7, 0xc6); - - DEFINE_GUID(/* 398191dc-2da7-11d3-8b98-00805f85d7c6 */ - TraceErrorGuid, - 0x398191dc, - 0x2da7, - 0x11d3, - 0x8b, 0x98, 0x00, 0x80, 0x5f, 0x85, 0xd7, 0xc6); - - DEFINE_GUID(/* 3d6fa8d2-fe05-11d0-9dda-00c04fd7ba7c */ /* Not used */ - HardFaultGuid, - 0x3d6fa8d2, - 0xfe05, - 0x11d0, - 0x9d, 0xda, 0x00, 0xc0, 0x4f, 0xd7, 0xba, 0x7c); - - DEFINE_GUID(/* 44608a51-1851-4456-98b2-b300e931ee41 */ - WmiEventLoggerGuid, - 0x44608a51, - 0x1851, - 0x4456, - 0x98, 0xb2, 0xb3, 0x00, 0xe9, 0x31, 0xee, 0x41); - - DEFINE_GUID(/* 13976D09-A327-438c-950B-7F03192815C7 */ - DbgPrintGuid, - 0x13976d09, - 0xa327, - 0x438c, - 0x95, 0xb, 0x7f, 0x3, 0x19, 0x28, 0x15, 0xc7); - - DEFINE_GUID(/* D56CA431-61BF-4904-A621-00E0381E4DDE */ - DriverVerifierGuid, - 0xd56ca431, - 0x61bf, - 0x4904, - 0xa6, 0x21, 0x0, 0xe0, 0x38, 0x1e, 0x4d, 0xde); - - DEFINE_GUID(/* 78d14f17-0105-46d7-bfff-6fbea2f3f358 */ - ApplicationVerifierGuid, - 0x78d14f17, - 0x0105, - 0x46d7, - 0xbf, 0xff, 0x6f, 0xbe, 0xa2, 0xf3, 0xf3, 0x58); - - DEFINE_GUID(/* 3282fc76-feed-498e-8aa7-e70f459d430e */ - JobGuid, - 0x3282fc76, - 0xfeed, - 0x498e, - 0x8a, 0xa7, 0xe7, 0x0f, 0x45, 0x9d, 0x43, 0x0e); - - DEFINE_GUID(/* 99134383-5248-43fc-834b-529454e75df3 */ - EventTraceSpare1, - 0x99134383, - 0x5248, - 0x43fc, - 0x83, 0x4b, 0x52, 0x94, 0x54, 0xe7, 0x5d, 0xf3); - - DEFINE_GUID(/* 42695762-ea50-497a-9068-5cbbb35e0b95 */ - WnfGuid, - 0x42695762, - 0xea50, - 0x497a, - 0x90, 0x68, 0x5c, 0xbb, 0xb3, 0x5e, 0x0b, 0x95); - - DEFINE_GUID(/* 3BEEF58A-6E0F-445D-B2A4-37AB737BD47E */ - UmglThreadGuid, - 0x3beef58a, - 0x6e0f, - 0x445d, 0xb2, 0xa4, 0x37, 0xab, 0x73, 0x7b, 0xd4, 0x7e); - - //// - //// 
DefaultTraceSecurityGuid. Specifies the default event tracing security - //// - // DEFINE_GUID( /* 0811c1af-7a07-4a06-82ed-869455cdf713 */ - // DefaultTraceSecurityGuid, - // 0x0811c1af, - // 0x7a07, - // 0x4a06, - // 0x82, 0xed, 0x86, 0x94, 0x55, 0xcd, 0xf7, 0x13 - // ); - - DEFINE_GUID(/* 3d6fa8d4-fe05-11d0-9dda-00c04fd7ba7c */ - DiskIoGuid, - 0x3d6fa8d4, - 0xfe05, - 0x11d0, - 0x9d, 0xda, 0x00, 0xc0, 0x4f, 0xd7, 0xba, 0x7c); - - DEFINE_GUID(/* B3E675D7-2554-4f18-830B-2762732560DE */ - ImageIdGuid, - 0xb3e675d7, - 0x2554, - 0x4f18, - 0x83, 0xb, 0x27, 0x62, 0x73, 0x25, 0x60, 0xde); - - DEFINE_GUID(/* 0268a8b6-74fd-4302-9dd0-6e8f1795c0cf */ - PoolGuid, - 0x0268a8b6, - 0x74fd, - 0x4302, - 0x9d, 0xd0, 0x6e, 0x8f, 0x17, 0x95, 0xc0, 0xcf); - - DEFINE_GUID(/* ce1dbfb4-137e-4da6-87b0-3f59aa102cbc */ - PerfinfoGuid, - 0xce1dbfb4, - 0x137e, - 0x4da6, - 0x87, 0xb0, 0x3f, 0x59, 0xaa, 0x10, 0x2c, 0xbc); - - DEFINE_GUID(/* 222962ab-6180-4b88-a825-346b75f2a24a */ - HeapGuid, - 0x222962ab, - 0x6180, - 0x4b88, - 0xa8, 0x25, 0x34, 0x6b, 0x75, 0xf2, 0xa2, 0x4a); - - DEFINE_GUID(/* d781ca11-61c0-4387-b83d-af52d3d2dd6a */ - HeapRangeGuid, - 0xd781ca11, - 0x61c0, - 0x4387, - 0xb8, 0x3d, 0xaf, 0x52, 0xd3, 0xd2, 0xdd, 0x6a); - - DEFINE_GUID(/* 05867806-c246-43ef-a147-e17d2bdb1496 */ - HeapSummaryGuid, - 0x05867806, - 0xc246, - 0x43ef, - 0xa1, 0x47, 0xe1, 0x7d, 0x2b, 0xdb, 0x14, 0x96); - - DEFINE_GUID(/* 3AC66736-CC59-4cff-8115-8DF50E39816B */ - CritSecGuid, - 0x3ac66736, - 0xcc59, - 0x4cff, - 0x81, 0x15, 0x8d, 0xf5, 0xe, 0x39, 0x81, 0x6b); - - DEFINE_GUID(/* DEF2FE46-7BD6-4b80-bd94-F57FE20D0CE3 */ - StackWalkGuid, - 0xdef2fe46, - 0x7bd6, - 0x4b80, - 0xbd, 0x94, 0xf5, 0x7f, 0xe2, 0xd, 0xc, 0xe3); - - DEFINE_GUID(/* 45d8cccd-539f-4b72-a8b7-5c683142609a */ - ALPCGuid, - 0x45d8cccd, - 0x539f, - 0x4b72, - 0xa8, 0xb7, 0x5c, 0x68, 0x31, 0x42, 0x60, 0x9a); - - DEFINE_GUID(/* 6A399AE0-4BC6-4DE9-870B-3657F8947E7E */ - RTLostEventsGuid, - 0x6a399ae0, - 0x4bc6, - 0x4de9, - 0x87, 0x0b, 0x36, 0x57, 
0xf8, 0x94, 0x7e, 0x7e); - - DEFINE_GUID(/* E21D2142-DF90-4d93-BBD9-30E63D5A4AD6 */ - NtdllTraceGuid, - 0xe21d2142, - 0xdf90, - 0x4d93, - 0xbb, 0xd9, 0x30, 0xe6, 0x3d, 0x5a, 0x4a, 0xd6); - - DEFINE_GUID( - UserLoaderGuid, /* b059b83f-d946-4b13-87ca-4292839dc2f2 */ - 0xb059b83f, - 0xd946, - 0x4b13, 0x87, 0xca, 0x42, 0x92, 0x83, 0x9d, 0xc2, 0xf2); - - DEFINE_GUID(/* d3de60b2-a663-45d5-9826-a0a5949d2cb0 */ - LoadMUIDllGuid, - 0xd3de60b2, - 0xa663, - 0x45d5, - 0x98, 0x26, 0xa0, 0xa5, 0x94, 0x9d, 0x2c, 0xb0); - - DEFINE_GUID(/* 89497f50-effe-4440-8cf2-ce6b1cdcaca7 */ - ObjectGuid, - 0x89497f50, - 0xeffe, - 0x4440, - 0x8c, 0xf2, 0xce, 0x6b, 0x1c, 0xdc, 0xac, 0xa7); - - DEFINE_GUID(/* a9152f00-3f58-4bee-92a1-70c7d079d5dd */ - ModBoundGuid, - 0xa9152f00, - 0x3f58, - 0x4bee, - 0x92, 0xa1, 0x70, 0xc7, 0xd0, 0x79, 0xd5, 0xdd); - - DEFINE_GUID(/* 3d6fa8d0-fe05-11d0-9dda-00c04fd7ba7c */ - ProcessGuid, - 0x3d6fa8d0, - 0xfe05, - 0x11d0, - 0x9d, 0xda, 0x00, 0xc0, 0x4f, 0xd7, 0xba, 0x7c); - - DEFINE_GUID(/* E43445E0-0903-48c3-B878-FF0FCCEBDD04 */ - PowerGuid, - 0xe43445e0, - 0x903, - 0x48c3, - 0xb8, 0x78, 0xff, 0xf, 0xcc, 0xeb, 0xdd, 0x4); - - DEFINE_GUID(/* F8F10121-B617-4A56-868B-9dF1B27FE32C */ - MmcssGuid, - 0xf8f10121, - 0xb617, - 0x4a56, - 0x86, 0x8b, 0x9d, 0xf1, 0xb2, 0x7f, 0xe3, 0x2c); - - DEFINE_GUID(/* b2d14872-7c5b-463d-8419-ee9bf7d23e04 */ - DpcGuid, - 0xb2d14872, - 0x7c5b, - 0x463d, - 0x84, 0x19, 0xee, 0x9b, 0xf7, 0xd2, 0x3e, 0x04); - - DEFINE_GUID(/* d837ca92-12b9-44a5-ad6a-3a65b3578aa8 */ - SplitIoGuid, - 0xd837ca92, - 0x12b9, - 0x44a5, - 0xad, 0x6a, 0x3a, 0x65, 0xb3, 0x57, 0x8a, 0xa8); - - DEFINE_GUID(/* c861d0e2-a2c1-4d36-9f9c-970bab943a12 */ - ThreadPoolGuid, - 0xc861d0e2, - 0xa2c1, - 0x4d36, - 0x9f, 0x9c, 0x97, 0x0b, 0xab, 0x94, 0x3a, 0x12); - - DEFINE_GUID(/* bddad2c1-52d1-4aea-94d6-b3ca9236f62e */ - UmsTraceGuid, - 0xbddad2c1, - 0x52d1, - 0x4aea, - 0x94, 0xd6, 0xb3, 0xca, 0x92, 0x36, 0xf6, 0x2e); - - DEFINE_GUID(/* 9aec974b-5b8e-4118-9b92-3186d8002ce5 */ - 
UmsEventGuid, - 0x9aec974b, - 0x5b8e, - 0x4118, - 0x9b, 0x92, 0x31, 0x86, 0xd8, 0x00, 0x2c, 0xe5); - - DEFINE_GUID(/* 7f2a405c-69b5-4bf9-a1f5-30e8f1afab5e */ - HypervisorTraceGuid, - 0x7f2a405c, - 0x69b5, - 0x4bf9, - 0xa1, 0xf5, 0x30, 0xe8, 0xf1, 0xaf, 0xab, 0x5e); - - DEFINE_GUID(/* 2ce9a149-effe-42f0-a635-a1d39e26c8f2 */ - HypervisorXTraceGuid, - 0x2ce9a149, - 0xeffe, - 0x42f0, - 0xa6, 0x35, 0xa1, 0xd3, 0x9e, 0x26, 0xc8, 0xf2); - - DEFINE_GUID(/* 2d9f3a42-01d4-4733-97f7-041e8021dc84 */ - LegacyEventLogGuid, - 0x2d9f3a42, - 0x01d4, - 0x4733, - 0x97, 0xf7, 0x04, 0x1e, 0x80, 0x21, 0xdc, 0x84); - - DEFINE_GUID(/* 3b9c9951-3480-4220-9377-9c8e5184f5cd */ - KernelRundownGuid, - 0x3b9c9951, - 0x3480, - 0x4220, - 0x93, 0x77, 0x9c, 0x8e, 0x51, 0x84, 0xf5, 0xcd); - - DEFINE_GUID(/* 2a6e185b-90de-4fc5-826c-9f44e608a427 */ - SessionNotificationGuid, - 0x2a6e185b, - 0x90de, - 0x4fc5, - 0x82, 0x6c, 0x9f, 0x44, 0xe6, 0x08, 0xa4, 0x27); - - // DEFINE_GUID( /* 9e814aad-3204-11d2-9a82-006008a86939 */ - // SystemTraceControlGuid, - // 0x9e814aad, - // 0x3204, - // 0x11d2, 0x9a, 0x82, 0x00, 0x60, 0x08, 0xa8, 0x69, 0x39 - // ); - - DEFINE_GUID(/* 7687a439-f752-45b8-b741-321aec0f8df9 */ - CcGuid, - 0x7687a439, - 0xf752, - 0x45b8, - 0xb7, 0x41, 0x32, 0x1a, 0xec, 0x0f, 0x8d, 0xf9); - - DEFINE_GUID(/* 00000000-0000-0000-0000-000000000000 */ - NullGuid, - 0x00000000, - 0x0000, - 0x0000, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00); - - DEFINE_GUID(/* 305fc87b-002a-5e26-d297-60223012ca9c */ - UserDiagnosticGuid, - 0x305fc87b, - 0x002a, - 0x5e26, 0xd2, 0x97, 0x60, 0x22, 0x30, 0x12, 0xca, 0x9c); - - DEFINE_GUID(/* e46eead8-0c54-4489-9898-8fa79d059e0e */ - WerSvcTriggerGuid, - 0xe46eead8, - 0x0c54, - 0x4489, - 0x98, 0x98, 0x8f, 0xa7, 0x9d, 0x05, 0x9e, 0x0e); - - /// - // EventTraceGuid is used to identify a event tracing session - // - // DEFINE_GUID( /* 68fdd900-4a3e-11d1-84f4-0000f80464e3 */ - // EventTraceGuid, - // 0x68fdd900, - // 0x4a3e, - // 0x11d1, - // 0x84, 0xf4, 0x00, 0x00, 
0xf8, 0x04, 0x64, 0xe3 - // ); - // - // - // EventTraceConfigGuid. Used to report system configuration records - // - // DEFINE_GUID( /* 01853a65-418f-4f36-aefc-dc0f1d2fd235 */ - // EventTraceConfigGuid, - // 0x01853a65, - // 0x418f, - // 0x4f36, - // 0xae, 0xfc, 0xdc, 0x0f, 0x1d, 0x2f, 0xd2, 0x35 - // ); - - DEFINE_GUID(/* 90cbdc39-4a3e-11d1-84f4-0000f80464e3 */ - FileIoGuid, - 0x90cbdc39, - 0x4a3e, - 0x11d1, - 0x84, 0xf4, 0x00, 0x00, 0xf8, 0x04, 0x64, 0xe3); - - DEFINE_GUID(/* 2cb15d1d-5fc1-11d2-abe1-00a0c911f518 */ - ImageLoadGuid, - 0x2cb15d1d, - 0x5fc1, - 0x11d2, - 0xab, 0xe1, 0x00, 0xa0, 0xc9, 0x11, 0xf5, 0x18); - - DEFINE_GUID(/* 3d6fa8d3-fe05-11d0-9dda-00c04fd7ba7c */ - PageFaultGuid, - 0x3d6fa8d3, - 0xfe05, - 0x11d0, - 0x9d, 0xda, 0x00, 0xc0, 0x4f, 0xd7, 0xba, 0x7c); - - DEFINE_GUID(/* AE53722E-C863-11d2-8659-00C04FA321A1 */ - RegistryGuid, - 0xae53722e, - 0xc863, - 0x11d2, - 0x86, 0x59, 0x0, 0xc0, 0x4f, 0xa3, 0x21, 0xa1); - - DEFINE_GUID(/* 9a280ac0-c8e0-11d1-84e2-00c04fb998a2 */ - TcpIpGuid, - 0x9a280ac0, - 0xc8e0, - 0x11d1, - 0x84, 0xe2, 0x00, 0xc0, 0x4f, 0xb9, 0x98, 0xa2); - - DEFINE_GUID(/* 3d6fa8d1-fe05-11d0-9dda-00c04fd7ba7c */ - ThreadGuid, - 0x3d6fa8d1, - 0xfe05, - 0x11d0, - 0x9d, 0xda, 0x00, 0xc0, 0x4f, 0xd7, 0xba, 0x7c); - - DEFINE_GUID(/* bf3a50c5-a9c9-4988-a005-2df0b7c80f80 */ - UdpIpGuid, - 0xbf3a50c5, - 0xa9c9, - 0x4988, - 0xa0, 0x05, 0x2d, 0xf0, 0xb7, 0xc8, 0x0f, 0x80); - - // - // ThreadPool Events - // If you change these structures, may need to update some users of these - // structures. 
- // Avoid inner structure padding - // - - typedef struct _ETW_TP_EVENT_CALLBACK_ENQUEUE - { - SYSTEM_TRACE_HEADER Header; // Header - PVOID PoolId; // Pool Identifier - PVOID TaskId; // Task Identifier - PVOID Callback; // Callback Function - PVOID Context; // Callback Context - PVOID SubProcessTag; // Sub-components in a process - // SubProcessTag must be the last field or update users - } ETW_TP_EVENT_CALLBACK_ENQUEUE, *PETW_TP_EVENT_CALLBACK_ENQUEUE; - - // - // Use the same struct for Enqueue and Dequeue - // - - typedef ETW_TP_EVENT_CALLBACK_ENQUEUE ETW_TP_EVENT_CALLBACK_DEQUEUE, *PETW_TP_EVENT_CALLBACK_DEQUEUE; - - typedef struct _ETW_TP_EVENT_CALLBACK_START - { - SYSTEM_TRACE_HEADER Header; // Header - PVOID PoolId; // Pool Identifier - PVOID TaskId; // Task Identifier - PVOID Callback; // Callback Function - PVOID Context; // Callback Context - PVOID SubProcessTag; // Sub-components in a process - // SubProcessTag must be the last field or update users - - } ETW_TP_EVENT_CALLBACK_START, *PETW_TP_EVENT_CALLBACK_START; - - // - // Use the same struct for Start and Stop - // - - typedef ETW_TP_EVENT_CALLBACK_START ETW_TP_EVENT_CALLBACK_STOP, *PETW_TP_EVENT_CALLBACK_STOP; - - typedef struct _ETW_TP_EVENT_CALLBACK_CANCEL - { - SYSTEM_TRACE_HEADER Header; // Header - PVOID PoolId; // Pool Identifier - PVOID TaskId; // Task Identifier - PVOID Callback; // Callback Function - PVOID Context; // Callback Context - PVOID SubProcessTag; // Sub-components in a process - ULONG CancelCount; // Number of callbacks cancelled - // CancelCount must be the last field or update users - - } ETW_TP_EVENT_CALLBACK_CANCEL, *PETW_TP_EVENT_CALLBACK_CANCEL; - - typedef struct _ETW_TP_EVENT_POOL_CREATE - { - SYSTEM_TRACE_HEADER Header; // Header - PVOID PoolId; // Pool Identifier - // PoolId must be the last field or update users - - } ETW_TP_EVENT_POOL_CREATE, *PETW_TP_EVENT_POOL_CREATE; - - typedef struct _ETW_TP_EVENT_POOL_CLOSE - { - SYSTEM_TRACE_HEADER Header; // Header - PVOID 
PoolId; // Pool Identifier - // PoolId must be the last field or update users - - } ETW_TP_EVENT_POOL_CLOSE, *PETW_TP_EVENT_POOL_CLOSE; - - typedef struct _ETW_TP_EVENT_POOL_TH_MIN_SET - { - SYSTEM_TRACE_HEADER Header; // Header - PVOID PoolId; // Pool Identifier - ULONG ThreadNum; // New limit on number of threads - // ThreadNum must be the last field or update users - - } ETW_TP_EVENT_POOL_TH_MIN_SET, *PETW_TP_EVENT_POOL_TH_MIN_SET; - - typedef struct _ETW_TP_EVENT_POOL_TH_MAX_SET - { - SYSTEM_TRACE_HEADER Header; // Header - PVOID PoolId; // Pool Identifier - ULONG ThreadNum; // New limit on number of threads - // ThreadNum must be the last field or update users - - } ETW_TP_EVENT_POOL_TH_MAX_SET, *PETW_TP_EVENT_POOL_TH_MAX_SET; - - typedef struct _ETW_TP_EVENT_WORKER_NUMANODE_SWITCH - { - SYSTEM_TRACE_HEADER Header; // Header - PVOID PoolId; // Pool Identifier - ULONG CurrentNode; // Thread's current numa node - ULONG NextNode; // The node the thread is moving to - USHORT CurrentGroup; // Thread's current group - USHORT NextGroup; // The group the thread is moving to - ULONG CurrentWorkerCount; // Current node's worker count - ULONG NextWorkerCount; // Next node's worker count - // NextWorkerCount must be the last field or update users - - } ETW_TP_EVENT_WORKER_NUMANODE_SWITCH, *PETW_TP_EVENT_WORKER_NUMANODE_SWITCH; - -#include - typedef struct _ETW_TP_EVENT_TIMER_SET - { - SYSTEM_TRACE_HEADER Header; // Header - LONG64 DueTime; // Due time - PVOID SubQueue; // Sub Queue to be inserted - PVOID Timer; // Timer to be set - ULONG Period; // period of the timer - ULONG WindowLength; // Tolerate period - ULONG Absolute; // An absolute timer or relative timer - } ETW_TP_EVENT_TIMER_SET, *PETW_TP_EVENT_TIMER_SET; - - typedef struct _ETW_TP_EVENT_TIMER_CANCELLED - { - SYSTEM_TRACE_HEADER Header; // Header - PVOID SubQueue; // Sub Queue containing the timer - PVOID Timer; // Timer to be cancelled - } ETW_TP_EVENT_TIMER_CANCELLED, *PETW_TP_EVENT_TIMER_CANCELLED; - - 
typedef struct _ETW_TP_EVENT_TIMER_SET_NTTIMER - { - SYSTEM_TRACE_HEADER Header; // Header - LONG64 DueTime; // Due time - PVOID SubQueue; // Sub Queue to be inserted - ULONG TolerableDelay; // Tolerance - } ETW_TP_EVENT_TIMER_SET_NTTIMER, *PETW_TP_EVENT_TIMER_SET_NTTIMER; - - typedef struct _ETW_TP_EVENT_TIMER_CANCEL_NTTIMER - { - SYSTEM_TRACE_HEADER Header; // Header - PVOID SubQueue; // Sub Queue to be cancelled - } ETW_TP_EVENT_TIMER_CANCEL_NTTIMER, *PETW_TP_EVENT_TIMER_CANCEL_NTTIMER; - - typedef struct _ETW_TP_EVENT_TIMER_EXPIRATION_BEGIN - { - SYSTEM_TRACE_HEADER Header; // Header - PVOID SubQueue; // Sub Queue to be expired - } ETW_TP_EVENT_TIMER_EXPIRATION_BEGIN, *PETW_TP_EVENT_TIMER_EXPIRATION_BEGIN; - - typedef struct _ETW_TP_EVENT_TIMER_EXPIRATION_END - { - SYSTEM_TRACE_HEADER Header; // Header - PVOID SubQueue; // Sub Queue to be expired - } ETW_TP_EVENT_TIMER_EXPIRATION_END, *PETW_TP_EVENT_TIMER_EXPIRATION_END; - - typedef struct _ETW_TP_EVENT_TIMER_EXPIRATION - { - SYSTEM_TRACE_HEADER Header; // Header - LONG64 DueTime; // Due time - PVOID SubQueue; // Sub Queue containing the timer - PVOID Timer; // Timer to be expired - ULONG Period; // period of the timer - ULONG WindowLength; // Tolerate period - } ETW_TP_EVENT_TIMER_EXPIRATION, *PETW_TP_EVENT_TIMER_EXPIRATION; -#include - - // - // Thread SubProcessTag Changed Event - // - - typedef struct _ETW_THREAD_EVENT_SUBPROCESSTAG - { - SYSTEM_TRACE_HEADER Header; // Header - ULONG OldTag; - ULONG NewTag; - } ETW_THREAD_EVENT_SUBPROCESSTAG, *PETW_THREAD_EVENT_SUBPROCESSTAG; - - // - // WNF Events - // - typedef struct _ETW_WNF_EVENT_SUBSCRIBE - { - SYSTEM_TRACE_HEADER Header; // Header - LARGE_INTEGER StateName; // State name - PVOID Subscription; // User Subscription - PVOID NameSub; // Name Subscription - PVOID Callback; // Callback function - ULONG RefCount; // Name Subscription Refcount - ULONG DeliveryFlags; // Requested Deliveries - } ETW_WNF_EVENT_SUBSCRIBE, *PETW_WNF_EVENT_SUBSCRIBE; - - typedef 
ETW_WNF_EVENT_SUBSCRIBE ETW_WNF_EVENT_UNSUBSCRIBE, *PETW_WNF_EVENT_UNSUBSCRIBE; - - typedef struct _ETW_WNF_EVENT_CALLBACK - { - SYSTEM_TRACE_HEADER Header; // Header - LARGE_INTEGER StateName; // State name - PVOID Subscription; // User Subscription - PVOID NameSub; // Name Subscription - PVOID Callback; // Callback function - ULONG ChangeStamp; // Change Stamp - ULONG DeliveryFlags; // Delivery types - ULONG Return; // Return status from callback - } ETW_WNF_EVENT_CALLBACK, *PETW_WNF_EVENT_CALLBACK; - - typedef struct _ETW_WNF_EVENT_PUBLISH - { - SYSTEM_TRACE_HEADER Header; // Header - LARGE_INTEGER StateName; // State name - ULONG DataLength; // Length of State Data - } ETW_WNF_EVENT_PUBLISH, *PETW_WNF_EVENT_PUBLISH; - - typedef struct _ETW_WNF_EVENT_NAME_SUB_RUNDOWN - { - SYSTEM_TRACE_HEADER Header; // Header - LARGE_INTEGER StateName; // State name - PVOID NameSub; // Name Subscription - } ETW_WNF_EVENT_NAME_SUB_RUNDOWN, *PETW_WNF_EVENT_NAME_SUB_RUNDOWN; - -// -// Data structures of events -// -#define PERFINFO_THREAD_SWAPABLE 0 -#define PERFINFO_THREAD_NONSWAPABLE 1 - - typedef struct _PERFINFO_MARK_EVENT - { - ULONG TranId; - UCHAR Level; - UCHAR AppId; - USHORT OpId; - WCHAR Text[1]; - } PERFINFO_MARK_EVENT, *PPERFINFO_MARK_EVENT; - - // - // Structures for Driver hooks - // - -#include - typedef struct _PERFINFO_DRIVER_MAJORFUNCTION - { - ULONG MajorFunction; - ULONG MinorFunction; - PVOID RoutineAddr; - PVOID FileNamePointer; - PVOID Irp; - ULONG UniqMatchId; - } PERFINFO_DRIVER_MAJORFUNCTION, *PPERFINFO_DRIVER_MAJORFUNCTION; -#include - -#include - typedef struct _PERFINFO_DRIVER_MAJORFUNCTION_RET - { - PVOID Irp; - ULONG UniqMatchId; - } PERFINFO_DRIVER_MAJORFUNCTION_RET, *PPERFINFO_DRIVER_MAJORFUNCTION_RET; -#include - -#include - typedef struct _PERFINFO_DRIVER_COMPLETE_REQUEST - { - // - // Driver major function routine address for the "current" stack location - // on the IRP when it was completed. 
It is used to identify which driver - // was processing the IRP when the IRP got completed. - // - - PVOID RoutineAddr; - - // - // Irp field and UniqMatchId is used to match COMPLETE_REQUEST - // and COMPLETE_REQUEST_RET logged for an IRP completion. - // - - PVOID Irp; - ULONG UniqMatchId; - - } PERFINFO_DRIVER_COMPLETE_REQUEST, *PPERFINFO_DRIVER_COMPLETE_REQUEST; -#include - -#include - typedef struct _PERFINFO_DRIVER_COMPLETE_REQUEST_RET - { - // - // Irp field and UniqMatchId is used to match COMPLETE_REQUEST - // and COMPLETE_REQUEST_RET logged for an IRP completion. - // - PVOID Irp; - ULONG UniqMatchId; - } PERFINFO_DRIVER_COMPLETE_REQUEST_RET, *PPERFINFO_DRIVER_COMPLETE_REQUEST_RET; -#include - -#include - typedef struct _PERFINFO_DRIVER_COMPLETIONROUTINE - { - PVOID Routine; - PVOID IrpPtr; - ULONG UniqMatchId; - } PERFINFO_DRIVER_COMPLETIONROUTINE, *PPERFINFO_DRIVER_COMPLETIONROUTINE; -#include - - // - // Power hooks - // - typedef struct _PERFINFO_BATTERY_LIFE_INFO - { - ULONG RemainingCapacity; - ULONG Rate; - } PERFINFO_BATTERY_LIFE_INFO, *PPERFINFO_BATTERY_LIFE_INFO; - - typedef struct _PERFINFO_IDLE_STATE_CHANGE - { - ULONG State; - ULONG Throttle; - ULONG Direction; - } PERFINFO_IDLE_STATE_CHANGE, *PPERFINFO_IDLE_STATE_CHANGE; - - // - // This structure is logged when PopSetPowerAction is called to start - // propagating a new power action (e.g. standby/hibernate/shutdown) - // - typedef struct _PERFINFO_SET_POWER_ACTION - { - // - // This field is used to match SET_POWER_ACTION_RET entry. - // - PVOID Trigger; - ULONG PowerAction; - ULONG LightestState; - } PERFINFO_SET_POWER_ACTION, *PPERFINFO_SET_POWER_ACTION; - - // - // This structure is logged when PopSetPowerAction completes. 
- // - typedef struct _PERFINFO_SET_POWER_ACTION_RET - { - PVOID Trigger; - NTSTATUS Status; - } PERFINFO_SET_POWER_ACTION_RET, *PPERFINFO_SET_POWER_ACTION_RET; - - // - // This structure is logged when PopSetDevicesSystemState is called to - // propagate a system state to all devices. - // - typedef struct _PERFINFO_SET_DEVICES_STATE - { - ULONG SystemState; - BOOLEAN Waking; - BOOLEAN Shutdown; - UCHAR IrpMinor; - } PERFINFO_SET_DEVICES_STATE, *PPERFINFO_SET_DEVICES_STATE; - - // - // This structure is logged when PopSetDevicesSystemState is done. - // - typedef struct _PERFINFO_SET_DEVICES_STATE_RET - { - NTSTATUS Status; - } PERFINFO_SET_DEVICES_STATE_RET, *PPERFINFO_SET_DEVICES_STATE_RET; - - // - // This structure is logged when PopNotifyDevice calls into a driver - // to set the power state of a device. - // - typedef struct _PERFINFO_PO_NOTIFY_DEVICE - { - // - // This field is used to match notification and completion log - // entries for a device. - // - - PVOID Irp; - - // - // Base address of the driver that owns this device. - // - - PVOID DriverStart; - - // - // Device node properties. - // - - UCHAR OrderLevel; - - // - // Major and minor IRP codes for the request made to the driver. - // - - UCHAR MajorFunction; - UCHAR MinorFunction; - - // - // Type of power irp - // - POWER_STATE_TYPE Type; - POWER_STATE State; - - // - // Length of the device name in characters excluding terminating NUL, - // and the device name itself. Depending on how much fits into our - // stack buffer, this is the *last* part of the device name. - // - - ULONG DeviceNameLength; - WCHAR DeviceName[1]; - - } PERFINFO_PO_NOTIFY_DEVICE, *PPERFINFO_PO_NOTIFY_DEVICE; - - // - // This structure is logged when a PopNotifyDevice processing for a - // particular device completes. - // - - typedef struct _PERFINFO_PO_NOTIFY_DEVICE_COMPLETE - { - // - // This field is used to match notification and completion log - // entries for a device. 
- // - - PVOID Irp; - - // - // Status with which the notify power IRP was completed. - // - - NTSTATUS Status; - - } PERFINFO_PO_NOTIFY_DEVICE_COMPLETE, *PPERFINFO_PO_NOTIFY_DEVICE_COMPLETE; - - // - // This structure is logged around every win32 state callout - // - typedef struct _PERFINFO_PO_SESSION_CALLOUT - { - POWER_ACTION SystemAction; - SYSTEM_POWER_STATE MinSystemState; - ULONG Flags; - ULONG PowerStateTask; - } PERFINFO_PO_SESSION_CALLOUT, *PPERFINFO_PO_SESSION_CALLOUT; - - typedef struct _PERFINFO_PO_PRESLEEP - { - LARGE_INTEGER PerformanceCounter; - LARGE_INTEGER PerformanceFrequency; - } PERFINFO_PO_PRESLEEP, *PPERFINFO_PO_PRESLEEP; - - typedef struct _PERFINFO_PO_POSTSLEEP - { - LARGE_INTEGER PerformanceCounter; - } PERFINFO_PO_POSTSLEEP, *PPERFINFO_PO_POSTSLEEP; - - typedef struct _PERFINFO_PO_CALIBRATED_PERFCOUNTER - { - LARGE_INTEGER PerformanceCounter; - } PERFINFO_PO_CALIBRATED_PERFCOUNTER, *PPERFINFO_PO_CALIBRATED_PERFCOUNTER; - - typedef struct _PERFINFO_BOOT_PHASE_START - { - LONG Phase; - } PERFINFO_BOOT_PHASE_START, *PPERFINFO_BOOT_PHASE_START; - - typedef struct _PERFINFO_BOOT_PREFETCH_INFORMATION - { - LONG Action; - NTSTATUS Status; - LONG Pages; - } PERFINFO_BOOT_PREFETCH_INFORMATION, *PPERFINFO_BOOT_PREFETCH_INFORMATION; - - typedef struct _PERFINFO_PO_SESSION_CALLOUT_RET - { - NTSTATUS Status; - } PERFINFO_PO_SESSION_CALLOUT_RET, *PPERFINFO_PO_SESSION_CALLOUT_RET; - - typedef struct _PERFINFO_PPM_IDLE_STATE_CHANGE - { - ULONG NewState; - ULONG OldState; - ULONG64 Processors; - } PERFINFO_PPM_IDLE_STATE_CHANGE, *PPERFINFO_PPM_IDLE_STATE_CHANGE; - - // - // Flags related to each processor idle entry. - // - // DUE_INTERRUPT: Idle duration hint is based on next expected h/w interrupt. - // When not set, it indicates the the idle duration hint was based on the next - // due s/w timer. - // - // IR_RETRY: The idle transition follows a failed previous attempt to pick the - // optimal idle state with an IR based hint. 
- // - // IR_ENABLED: Idle-resiliency was enabled during the idle transition. - // - // PLATFORM_ENTER: The idle entry was part of a platform idle transition. - // - // LOCK_PROCESSORS: The idle transition required locking at least one other - // processor. - // - // CONSTRAINT_PLATFORM: The idle entry was capable of a platform idle - // transition. - // - // CONSTRAINT_NI: The idle transition is capable of entering a non-interruptible - // idle state. - // - // OVERRIDE_ENABLED: The idle transition had force-idle override enabled. - // - // MEASURING_EXIT_LATENCY: Exit latency measurement is engaged during the idle - // transition. - // - // WAKE_REQUESTED: Idle transition was accompanied with a request to wake - // another processor. - // - // IPI_CLOCK_OWNER: Idle transition was on non clock owner and observed to be - // the last processor to be going idle. It send an IPI to clock owner to wake - // it up. - // - // PLATFORM_HINT_OVERRIDE: Idle duration hint is based on global platform idle - // hint. 
- // - -#define PERFINFO_PPM_IDLE_FLAG_DUE_INTERRUPT (1 << 0) -#define PERFINFO_PPM_IDLE_FLAG_IR_RETRY (1 << 1) -#define PERFINFO_PPM_IDLE_FLAG_IR_ENABLED (1 << 2) -#define PERFINFO_PPM_IDLE_FLAG_CLOCK_OWNER (1 << 3) -#define PERFINFO_PPM_IDLE_FLAG_PLATFORM_ENTER (1 << 4) -#define PERFINFO_PPM_IDLE_FLAG_LOCK_PROCESSORS (1 << 5) -#define PERFINFO_PPM_IDLE_FLAG_CONSTRAINT_NI (1 << 6) -#define PERFINFO_PPM_IDLE_FLAG_CONSTRAINT_PLATFORM (1 << 7) -#define PERFINFO_PPM_IDLE_FLAG_OVERRIDE_ENABLED (1 << 8) -#define PERFINFO_PPM_IDLE_FLAG_MEASURING_EXIT_LATENCY (1 << 9) -#define PERFINFO_PPM_IDLE_FLAG_WAKE_REQUESTED (1 << 10) -#define PERFINFO_PPM_IDLE_FLAG_IPI_CLOCK_OWNER (1 << 11) -#define PERFINFO_PPM_IDLE_FLAG_PLATFORM_HINT_OVERRIDE (1 << 12) -#define PERFINFO_PPM_IDLE_FLAG_DURATION_EXPIRATION (1 << 13) - - typedef struct _PERFINFO_PPM_IDLE_STATE_ENTER - { - ULONG State; - union - { - struct - { - USHORT Properties; - UCHAR ExpectedWakeReason; - UCHAR Reserved; - }; - ULONG Flags; - }; - - ULONG64 ExpectedDuration; - } PERFINFO_PPM_IDLE_STATE_ENTER, *PPERFINFO_PPM_IDLE_STATE_ENTER; - - typedef struct _PERFINFO_PPM_IDLE_STATE_EXIT - { - ULONG State; - ULONG Status; - } PERFINFO_PPM_IDLE_STATE_EXIT, *PPERFINFO_PPM_IDLE_STATE_EXIT; - - typedef struct _PERFINFO_PPM_STATE_SELECTION - { - ULONG SelectedState; - ULONG VetoedStates; - _Field_size_(VetoedStates) ULONG VetoReason[ANYSIZE_ARRAY]; - } PERFINFO_PPM_STATE_SELECTION, *PPERFINFO_PPM_STATE_SELECTION; - -#define PERFINFO_PPM_IDLE_VETO_PREREGISTERED_VETO (0x80000000) -#define PERFINFO_PPM_IDLE_VETO_WRONG_INITIATOR (0x80000001) -#define PERFINFO_PPM_IDLE_VETO_SYSTEM_LATENCY (0x80000002) -#define PERFINFO_PPM_IDLE_VETO_IDLE_DURATION (0x80000003) -#define PERFINFO_PPM_IDLE_VETO_DEVICE_DEPENDENCY (0x80000004) -#define PERFINFO_PPM_IDLE_VETO_PROCESSOR_DEPENDENCY (0x80000005) -#define PERFINFO_PPM_IDLE_VETO_PLATFORM_ONLY (0x80000006) -#define PERFINFO_PPM_IDLE_VETO_INTERRUPTIBLE (0x80000007) -#define 
PERFINFO_PPM_IDLE_VETO_LEGACY_OVEERIDE (0x80000008) -#define PERFINFO_PPM_IDLE_VETO_C_STATE_CHECK (0x80000009) -#define PERFINFO_PPM_IDLE_VETO_NO_C_STATE (0x8000000a) -#define PERFINFO_PPM_IDLE_VETO_COORDINATED_DEPENDENCY (0x8000000b) -#define PERFINFO_PPM_IDLE_VETO_DISABLED_IN_MENU (0xfffffffe) -#define PERFINFO_PPM_IDLE_VETO_ACTIVE_PROCESSOR (0xffffffff) - -#define PERFINFO_PPM_IDLE_NON_INTERRUPTIBLE (1 << 0) -#define PERFINFO_PPM_IDLE_ALL_PROC_LOCKED (1 << 1) -#define PERFINFO_PPM_IDLE_EXIT_SAMPLE_INVALID (1 << 2) - - typedef struct _PERFINFO_PPM_IDLE_EXIT_LATENCY - { - ULONG Flags; - ULONG PlatformState; - ULONG ProcessorState; - ULONG ReturnLatency; - ULONG TotalLatency; - } PERFINFO_PPM_IDLE_EXIT_LATENCY, *PPERFINFO_PPM_IDLE_EXIT_LATENCY; - -#define PERFINFO_PPM_FREQUENCY_VOLTAGE_STATE 1 -#define PERFINFO_PPM_STOPCLOCK_THROTTLE_STATE 2 - - typedef struct _PERFINFO_PPM_PERF_STATE_CHANGE - { - ULONG Type; - ULONG NewState; - ULONG OldState; - NTSTATUS Result; - ULONG64 Processors; - } PERFINFO_PPM_PERF_STATE_CHANGE, *PPERFINFO_PPM_PERF_STATE_CHANGE; - - typedef struct _PERFINFO_PPM_THERMAL_CONSTRAINT - { - ULONG Constraint; - ULONG64 Processors; - } PERFINFO_PPM_THERMAL_CONSTRAINT, *PPERFINFO_PPM_THERMAL_CONSTRAINT; - - // - // File Name related hooks - // - - typedef struct _PERFINFO_FILEOBJECT_INFORMATION - { - PVOID FileObject; - } PERFINFO_FILEOBJECT_INFORMATION, *PPERFINFO_FILEOBJECT_INFORMATION; - - typedef struct _PERFINFO_FILENAME_SAME_INFORMATION - { - PVOID OldFile; - PVOID NewFile; - } PERFINFO_FILENAME_SAME_INFORMATION, *PPERFINFO_FILENAME_SAME_INFORMATION; - - typedef struct _PERFINFO_PFMAPPED_SECTION_INFORMATION - { - PVOID RangeBase; - PVOID RangeEnd; - ULONG CreatingProcessId; - } PERFINFO_PFMAPPED_SECTION_INFORMATION, *PPERFINFO_PFMAPPED_SECTION_INFORMATION; - - typedef struct _PERFINFO_PFMAPPED_SECTION_OBJECT_INFORMATION - { - PVOID SectionObject; - PVOID RangeBase; - } PERFINFO_PFMAPPED_SECTION_OBJECT_INFORMATION, 
*PPERFINFO_PFMAPPED_SECTION_OBJECT_INFORMATION; - - // - // Sample profile - // - typedef struct _PERFINFO_SAMPLED_PROFILE_INFORMATION - { - PVOID InstructionPointer; - ULONG ThreadId; - USHORT Count; - union - { - struct - { - UCHAR ExecutingDpc : 1; - UCHAR ExecutingIsr : 1; - UCHAR Reserved : 1; - UCHAR Priority : 5; - } DUMMYSTRUCTNAME; - UCHAR Flags; - } DUMMYUNIONNAME; - UCHAR Rank; - } PERFINFO_SAMPLED_PROFILE_INFORMATION, *PPERFINFO_SAMPLED_PROFILE_INFORMATION; - -#define PERFINFO_SAMPLED_PROFILE_CACHE_MAX 20 - typedef struct _PERFINFO_SAMPLED_PROFILE_CACHE - { - ULONG Entries; - PERFINFO_SAMPLED_PROFILE_INFORMATION Sample[PERFINFO_SAMPLED_PROFILE_CACHE_MAX]; - } PERFINFO_SAMPLED_PROFILE_CACHE, *PPERFINFO_SAMPLED_PROFILE_CACHE; - - typedef struct _PERFINFO_SAMPLED_PROFILE_CONFIG - { - ULONG Source; - ULONG NewInterval; - ULONG OldInterval; - } PERFINFO_SAMPLED_PROFILE_CONFIG, *PPERFINFO_SAMPLED_PROFILE_CONFIG; - - typedef struct _PERFINFO_PMC_SAMPLE_INFORMATION - { - PVOID InstructionPointer; - ULONG ThreadId; - USHORT ProfileSource; - USHORT Reserved; - } PERFINFO_PMC_SAMPLE_INFORMATION, *PPERFINFO_PMC_SAMPLE_INFORMATION; - - typedef struct _PERFINFO_DPC_INFORMATION - { - ULONGLONG InitialTime; - PVOID DpcRoutine; - } PERFINFO_DPC_INFORMATION, *PPERFINFO_DPC_INFORMATION; - - typedef struct _PERFINFO_DPC_ENQUEUE_INFORMATION - { - ULONG_PTR Key; - LONG DpcQueueDepth; - ULONG DpcCount; - ULONG TargetProcessorIndex; - UCHAR Importance; - UCHAR Reserved[3]; - } PERFINFO_DPC_ENQUEUE_INFORMATION, *PPERFINFO_DPC_ENQUEUE_INFORMATION; - - typedef struct _PERFINFO_DPC_EXECUTION_INFORMATION - { - PVOID DpcRoutine; - ULONG_PTR Key; - } PERFINFO_DPC_EXECUTION_INFORMATION, *PPERFINFO_DPC_EXECUTION_INFORMATION; - - typedef struct _PERFINFO_YIELD_PROCESSOR_INFORMATION - { - ULONG YieldReason; - ULONG DpcWatchdogCount; - ULONG DpcTimeCount; - } PERFINFO_YIELD_PROCESSOR_INFORMATION, *PPERFINFO_YIELD_PROCESSOR_INFORMATION; - -#include - typedef struct 
_PERFINFO_INTERRUPT_INFORMATION - { - ULONGLONG InitialTime; - PVOID ServiceRoutine; - UCHAR ReturnValue; - USHORT Vector; - UCHAR Reserved; - } PERFINFO_INTERRUPT_INFORMATION, *PPERFINFO_INTERRUPT_INFORMATION; -#include - -#define PERFINFO_CLOCK_INTERRUPT_CLOCK_OWNER 0x0001 -#define PERFINFO_CLOCK_INTERRUPT_TIMER_PENDING 0x0008 - - typedef struct _PERFINFO_CLOCK_INTERRUPT_INFORMATION - { - ULONG64 InterruptTime; - SHORT Flags; - } PERFINFO_CLOCK_INTERRUPT_INFORMATION, *PPERFINFO_CLOCK_INTERRUPT_INFORMATION; - -#define PERFINFO_IPI_APC_REQUEST 0x1 -#define PERFINFO_IPI_DPC_REQUEST 0x2 - -// -// Spinlock -// -#include - typedef struct _PERFINFO_SPINLOCK_CONFIG - { - ULONG SpinLockSpinThreshold; - ULONG SpinLockContentionSampleRate; - ULONG SpinLockAcquireSampleRate; - ULONG SpinLockHoldThreshold; - } PERFINFO_SPINLOCK_CONFIG, *PPERFINFO_SPINLOCK_CONFIG; -#include - - // - // Stores Executive Resource sampling parameters. - // - // Note: NumberOfExcessiveTimeouts uses counting units of 4 (four) seconds. - // It inherits the granularity of ExResourceTimeoutCount used in - // ...\ntos\ex\resource.c. - // The later, takes a reg-key settable timeout with a default value of - // 30 days used to trigger a debug spew for excessive waits on the checked - // builds: 648000 * 4 seconds = 2592000 seconds = 30 days. 
- // - // HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\ -// ResourceTimeoutCount (REG_DWORD), Default: 0x9E340 (648000) - // - typedef struct _PERFINFO_EXECUTIVE_RESOURCE_CONFIG - { - ULONG ReleaseSamplingRate; - ULONG ContentionSamplingRate; - ULONG NumberOfExcessiveTimeouts; - } PERFINFO_EXECUTIVE_RESOURCE_CONFIG, *PPERFINFO_EXECUTIVE_RESOURCE_CONFIG; - - // - // MM related hooks - // - -#define NTWMI_BITSIZE(type) (sizeof(type) * 8) - - typedef struct _PERFINFO_SESSIONCREATE_INFORMATION - { - ULONG_PTR UniqueSessionId; - ULONG SessionId; - } PERFINFO_SESSIONCREATE_INFORMATION, *PPERFINFO_SESSIONCREATE_INFORMATION; - - typedef struct _PERFINFO_PAGE_RANGE_IDENTITY - { - struct - { - ULONGLONG UseDescription : 4; // MMPFNUSE_* - ULONGLONG UniqueKey : 48; // Used for SessionVAs/AWE/LargePages. - ULONGLONG Reserved : 12; - }; - union - { - PVOID ProtoPteAddress; // Used for large page PFMapped sections. - ULONG_PTR PageFrameIndex; // Used for DriverLocked/UserPhysical Mdls. - PVOID VirtualAddress; // Used otherwise. - }; - SIZE_T PageCount; // Number of pages. - } PERFINFO_PAGE_RANGE_IDENTITY, *PPERFINFO_PAGE_RANGE_IDENTITY; - -#define PERFINFO_MM_KERNELMEMORY_USAGE_TYPE_BITS 5 - - typedef enum _PERFINFO_KERNELMEMORY_USAGE_TYPE - { - PerfInfoMemUsagePfnMetadata, - PerfInfoMemUsageMax - } PERFINFO_KERNELMEMORY_USAGE_TYPE, - *PPERFINFO_KERNELMEMORY_USAGE_TYPE; - - C_ASSERT(PerfInfoMemUsageMax <= (1 << PERFINFO_MM_KERNELMEMORY_USAGE_TYPE_BITS)); - - typedef struct _PERFINFO_KERNELMEMORY_RANGE_USAGE - { - ULONG UsageType : PERFINFO_MM_KERNELMEMORY_USAGE_TYPE_BITS; - ULONG Spare : (NTWMI_BITSIZE(ULONG) - PERFINFO_MM_KERNELMEMORY_USAGE_TYPE_BITS); - PVOID VirtualAddress; // Starting VA (where meaningful). - SIZE_T PageCount; // Number of pages. 
- } PERFINFO_KERNELMEMORY_RANGE_USAGE, *PPERFINFO_KERNELMEMORY_RANGE_USAGE; - -#define PERFINFO_MM_STAT_TYPE_BITS 6 - - typedef enum _PERFINFO_MM_STAT - { - PerfInfoMMStatNotUsed, - PerfInfoMMStatAggregatePageCombine, - PerfInfoMMStatIterationPageCombine, - PerfInfoMMStatMax - } PERFINFO_MM_STAT, - *PPERFINFO_MM_STAT; - - C_ASSERT(PerfInfoMMStatMax <= (1 << PERFINFO_MM_STAT_TYPE_BITS)); - - // - // This is logged as part of the end rundown. - // PerfTrack traces can be mined for this low-overhead information logged with - // MemInfo classic. - // - - typedef struct _PERFINFO_PAGECOMBINE_AGGREGATE_STAT - { - ULONG StatType : PERFINFO_MM_STAT_TYPE_BITS; // Value one of PERFINFO_MM_STATS - ULONG Spare : (NTWMI_BITSIZE(ULONG) - PERFINFO_MM_STAT_TYPE_BITS); - - // - // The following provide average stats for a scan. - // - - ULONG CombineScanCount; - ULONGLONG PagesScanned; - ULONGLONG PagesCombined; - - // - // These help compute the memory saved. - // - - LONG CombinedBlocksInUse; // Count of CombinedPTEs in use. - LONG SumCombinedBlocksReferenceCount; // Sum of the referencecounts of combined PTEs. - } PERFINFO_PAGECOMBINE_AGGREGATE_STAT, *PPERFINFO_PAGECOMBINE_AGGREGATE_STAT; - - // - // This is logged subsequent to each combine scan. Logged with MemInfo classic. - // - - typedef struct _PERFINFO_PAGECOMBINE_ITERATION_STAT - { - ULONG StatType : PERFINFO_MM_STAT_TYPE_BITS; // Value of type PERFINFO_MM_STATS - ULONG Spare : (NTWMI_BITSIZE(ULONG) - PERFINFO_MM_STAT_TYPE_BITS); - - ULONG PagesScanned; - ULONG PagesCombined; - } PERFINFO_PAGECOMBINE_ITERATION_STAT, *PPERFINFO_PAGECOMBINE_ITERATION_STAT; - - // - // NOTE: Hard Fault event starts with InitialTime (LARGE_INTEGER) - // not shown in the structure. 
- // - - typedef struct _PERFINFO_HARDPAGEFAULT_INFORMATION - { - LARGE_INTEGER ReadOffset; - PVOID VirtualAddress; - PVOID FileObject; - ULONG ThreadId; - ULONG ByteCount; - } PERFINFO_HARDPAGEFAULT_INFORMATION, *PPERFINFO_HARDPAGEFAULT_INFORMATION; - - // - // The first four fields of this data structure mirror PROCESS_VIRTUAL_ALLOC_INFO. - // - - typedef struct _PERFINFO_VIRTUAL_ALLOC - { - PVOID CapturedBase; - SIZE_T CapturedRegionSize; - ULONG ProcessId; - ULONG Flags; - } PERFINFO_VIRTUAL_ALLOC, *PPERFINFO_VIRTUAL_ALLOC; - - typedef struct _PERFINFO_VAD_ROTATE_INFO - { - PVOID BaseAddress; - SIZE_T SizeInBytes; - union - { - struct - { - ULONG Direction : 4; - ULONG Spare : (NTWMI_BITSIZE(ULONG) - 4); - }; - ULONG Flags; - }; - } PERFINFO_VAD_ROTATE_INFO, *PPERFINFO_VAD_ROTATE_INFO; - - typedef enum _PERFINFO_MEM_RESET_INFO_TYPE - { - PerfInfoMemReset, - PerfInfoMemResetUndo, - PerfInfoMemResetUndoFailed, - PerfInfoMemResetMax - } PERFINFO_MEM_RESET_INFO_TYPE, - *PPERFINFO_MEM_RESET_INFO_TYPE; - - typedef struct _PERFINFO_MEM_RESET_INFO - { - PVOID BaseAddress; - SIZE_T SizeInBytes; - union - { - struct - { - ULONG TypeInfo : 2; - ULONG Spare : (NTWMI_BITSIZE(ULONG) - 2); - }; - ULONG Flags; - }; - } PERFINFO_MEM_RESET_INFO, *PPERFINFO_MEM_RESET_INFO; - - // - // Cache manager - // - -#define PERFINFO_CC_WORKQUEUE_FAST_TEARDOWN 0x000000001 -#define PERFINFO_CC_WORKQUEUE_EXPRESS 0x000000002 -#define PERFINFO_CC_WORKQUEUE_REGULAR 0x000000003 -#define PERFINFO_CC_WORKQUEUE_POST_TICK 0x000000004 -#define PERFINFO_CC_WORKQUEUE_ASYNC_READ 0x000000005 -#define PERFINFO_CC_WORKQUEUE_COMP_ASYNC_READ 0x000000006 - - typedef struct _PERFINFO_CC_WORKITEM_ENQUEUE - { - ULONG_PTR WorkItemKey; - ULONG_PTR FileObjectKey; - UCHAR QueueType; - UCHAR WorkItemType; - BOOLEAN Requeue; - UCHAR Reserved; - } PERFINFO_CC_WORKITEM_ENQUEUE, *PPERFINFO_CC_WORKITEM_ENQUEUE; - - typedef struct _PERFINFO_CC_WORKITEM_DEQUEUE - { - ULONG_PTR WorkItemKey; - } PERFINFO_CC_WORKITEM_DEQUEUE, 
*PPERFINFO_CC_WORKITEM_DEQUEUE; - - typedef struct _PERFINFO_CC_WORKITEM_COMPLETE - { - ULONG_PTR WorkItemKey; - } PERFINFO_CC_WORKITEM_COMPLETE, *PPERFINFO_CC_WORKITEM_COMPLETE; - -#define PERFINFO_CC_WORKITEM_TYPE_READAHEAD 0x000000001 -#define PERFINFO_CC_WORKITEM_TYPE_WRITEBEHIND 0x000000002 -#define PERFINFO_CC_WORKITEM_TYPE_LAZYWRITESCAN 0x000000003 -#define PERFINFO_CC_WORKITEM_TYPE_EVENT_SET 0x000000004 - - typedef struct _PERFINFO_CC_READ_AHEAD - { - ULONG_PTR WorkItemKey; - ULONGLONG FileOffset; - ULONG Size; - ULONG PagePriority; - ULONG DetectedPattern; - ULONG Reserved; - } PERFINFO_CC_READ_AHEAD_COMPLETE, *PPERFINFO_CC_READ_AHEAD_COMPLETE; - - typedef struct _PERFINFO_CC_SCHEDULE_READ_AHEAD - { - ULONG_PTR WorkItemKey; - ULONG_PTR FileObjectKey; - ULONGLONG FileOffset; // app read offset - ULONG Length; // app read length - - ULONG ReadAheadUnit; - ULONG ReadAheadLength; - ULONGLONG ReadAheadOffset; - ULONGLONG ReadAheadBeyondLastByte; // high water mark - UCHAR ReadPattern; - ULONG SequentialReadCount; - ULONG SharedCacheMapFlags; - ULONG ReadAheadSettingsChanged : 1; - ULONG ReadAheadActive : 1; - } PERFINFO_CC_SCHEDULE_READ_AHEAD, *PPERFINFO_CC_SCHEDULE_READ_AHEAD; - - typedef struct _PERFINFO_CC_LAZY_WRITE_SCAN - { - ULONG_PTR WorkItemKey; - ULONG ReasonForFlush; - ULONG PagesToWrite; - SIZE_T TotalDirtyPages; - SIZE_T AvailablePages; - SIZE_T DirtyPageThreshold; - SIZE_T NumberOfMappedVacbs; - SIZE_T TopDirtyPageThreshold; - SIZE_T BottomDirtyPageThreshold; - SIZE_T AverageAvailablePages; - SIZE_T AverageDirtyPages; - SIZE_T ConsecutiveWorklessLazywriteScans; - } PERFINFO_CC_LAZY_WRITE_SCAN, *PPERFINFO_CC_LAZY_WRITE_SCAN; - - typedef struct _PERFINFO_CC_CAN_WRITE_FAIL - { - ULONG_PTR FileObjectKey; - SIZE_T TotalDirtyPages; - SIZE_T DirtyPageThreshold; - ULONG BytesToWrite; - } PERFINFO_CC_CAN_WRITE_FAIL, *PPERFINFO_CC_CAN_WRITE_FAIL; - - typedef struct _PERFINFO_CC_FLUSH_SECTION - { - ULONG_PTR WorkItemKey; - ULONG_PTR FileObjectKey; - ULONGLONG 
Offset; - ULONG Length; - ULONG MmFlushFlags; - } PERFINFO_CC_FLUSH_SECTION, *PPERFINFO_CC_FLUSH_SECTION; - -#define PERFINFO_CC_FLUSH_DATA_IS_LAZY_WRITER 0x000000001 -#define PERFINFO_CC_FLUSH_DATA_FAST_LAZY_WRITE 0x000000002 -#define PERFINFO_CC_FLUSH_DATA_FORCE_FULL_FLUSH 0x000000004 - - // - // Reason for lazy write scan - // Note: These SHOULD be the same values as Cc's corresponding - // reason codes in minkernel/ntos/inc/cache.h file. - // - -#define PERFINFO_CC_NOTIFY_LOW_MEMORY 0x000000001 -#define PERFINFO_CC_NOTIFY_POWER 0x000000002 -#define PERFINFO_CC_NOTIFY_PERIODIC_SCAN 0x000000004 -#define PERFINFO_CC_NOTIFY_WAITING_TEARDOWN 0x000000008 -#define PERFINFO_CC_NOTIFY_FLUSH_DURING_COALESCING 0x000000010 - - typedef struct _PERFINFO_CC_FLUSH_CACHE - { - ULONG_PTR WorkItemKey; - ULONG_PTR FileObjectKey; - ULONGLONG Offset; - ULONG Length; - ULONG SharedCacheMapFlags; - ULONG Flags; - ULONG Reserved; - } PERFINFO_CC_FLUSH_CACHE, *PPERFINFO_CC_FLUSH_CACHE; - - typedef struct _PERFINFO_CC_LOGGED_STREAM_INFO - { - ULONG_PTR FileObjectKey; - ULONG ReasonForFlush; - ULONG PagesToWrite; - SIZE_T DirtyLoggedPages; - SIZE_T DirtyLoggedPageThreshold; - LARGE_INTEGER LargestLsnForLWS; - } PERFINFO_CC_LOGGED_STREAM_INFO, *PPERFINFO_CC_LOGGED_STREAM_INFO; - - // - // Thread Action being logged - // - -#define PERFINFO_CC_EXTRA_WB_THREAD_ADD 0x000000001 -#define PERFINFO_CC_EXTRA_WB_THREAD_REMOVE 0x000000002 - - typedef struct _PERFINFO_CC_EXTRA_WB_THREAD_INFO - { - ULONG ThreadAction; - ULONG ActiveExtraWBThreads; - SIZE_T TotalDirtyPages; - SIZE_T DirtyPageThreshold; - SIZE_T AvailablePages; - } PERFINFO_CC_EXTRA_WB_THREAD_INFO, *PPERFINFO_CC_EXTRA_WB_THREAD_INFO; - - // - // Image backed by pagefile event. 
- // - - typedef struct _PERFINFO_IMAGELOAD_IN_PAGEFILE_INFO - { - PVOID FileObject; - ULONG DeviceCharacteristics; - USHORT FileCharacteristics; - union - { - USHORT Flags; - struct - { - USHORT ActiveDataReference : 1; - USHORT DeviceEjectable : 1; - USHORT WritableHandles : 1; - } DUMMYSTRUCTNAME; - } Flags; - } PERFINFO_IMAGELOAD_IN_PAGEFILE_INFO, *PPERFINFO_IMAGELOAD_IN_PAGEFILE_INFO; - - // - // System call events - // - typedef struct _PERFINFO_SYSCALL_ENTER_DATA - { - PVOID SysCallAddr; - } PERFINFO_SYSCALL_ENTER_DATA, *PPERFINFO_SYSCALL_ENTER_DATA; - - typedef struct _PERFINFO_SYSCALL_EXIT_DATA - { - NTSTATUS ReturnValue; - } PERFINFO_SYSCALL_EXIT_DATA, *PPERFINFO_SYSCALL_EXIT_DATA; - - // - // SetMark - // - typedef struct _PERFINFO_MARK_INFORMATION - { - char Name[1]; - } PERFINFO_MARK_INFORMATION, *PPERFINFO_MARK_INFORMATION; - - // - // File system operations. - // - // Since these are also logged using event descriptors, it is important to - // watch padding in the structure due to alignment or specify the appropriate - // pack pragma. 
- // - - typedef struct _PERFINFO_FILE_CREATE - { - ULONG_PTR Irp; - ULONG_PTR FileObject; - ULONG IssuingThreadId; - ULONG Options; - ULONG Attributes; - ULONG ShareAccess; - WCHAR OpenPath[1]; - } PERFINFO_FILE_CREATE, *PPERFINFO_FILE_CREATE; - - typedef struct _PERFINFO_FILE_INFORMATION - { - ULONG_PTR Irp; - ULONG_PTR FileObject; - ULONG_PTR FileKey; - ULONG_PTR ExtraInformation; - ULONG IssuingThreadId; - ULONG InfoClass; - } PERFINFO_FILE_INFORMATION, *PPERFINFO_FILE_INFORMATION; - - typedef struct _PERFINFO_FILE_DIRENUM - { - ULONG_PTR Irp; - ULONG_PTR FileObject; - ULONG_PTR FileKey; - ULONG IssuingThreadId; - ULONG Length; - ULONG InfoClass; - ULONG FileIndex; - WCHAR FileName[1]; - } PERFINFO_FILE_DIRENUM, *PPERFINFO_FILE_DIRENUM; - - typedef struct _PERFINFO_FILE_PATH_OPERATION - { - ULONG_PTR Irp; - ULONG_PTR FileObject; - ULONG_PTR FileKey; - ULONG_PTR ExtraInformation; - ULONG IssuingThreadId; - ULONG InfoClass; - WCHAR Path[1]; - } PERFINFO_FILE_PATH_OPERATION, *PPERFINFO_FILE_PATH_OPERATION; - -#include - -#define PERFINFO_FILE_READ_WRITE_FLAG_MDL 0x1 - - typedef struct _PERFINFO_FILE_READ_WRITE - { - ULONGLONG Offset; - ULONG_PTR Irp; - ULONG_PTR FileObject; - ULONG_PTR FileKey; - ULONG IssuingThreadId; - ULONG Size; - ULONG Flags; - ULONG ExtraFlags; - } PERFINFO_FILE_READ_WRITE, *PPERFINFO_FILE_READ_WRITE; - - typedef struct _PERFINFO_FILE_SIMPLE_OPERATION - { - ULONG_PTR Irp; - ULONG_PTR FileObject; - ULONG_PTR FileKey; - ULONG IssuingThreadId; - } PERFINFO_FILE_SIMPLE_OPERATION, *PPERFINFO_FILE_SIMPLE_OPERATION; - - typedef struct _PERFINFO_FILE_OPERATION_END - { - ULONG_PTR Irp; - ULONG_PTR ExtraInformation; - NTSTATUS Status; - } PERFINFO_FILE_OPERATION_END, *PPERFINFO_FILE_OPERATION_END; - - typedef struct _PERFINFO_FLT_OPERATION - { - PVOID RoutineAddr; - PVOID FileObject; - PVOID FsContext; - PVOID IrpPtr; - PVOID CbdPtr; - LONG MajorFunction; - } PERFINFO_FLT_OPERATION, *PPERFINFO_FLT_OPERATION; - - typedef struct 
_PERFINFO_FLT_OPERATION_STATUS - { - PVOID RoutineAddr; - PVOID FileObject; - PVOID FsContext; - PVOID IrpPtr; - PVOID CbdPtr; - LONG MajorFunction; - NTSTATUS Status; - } PERFINFO_FLT_OPERATION_STATUS, *PPERFINFO_FLT_OPERATION_STATUS; - -#include - // - // MemInfo event. This structure should parallel SYSTEM_MEMORY_LIST_INFORMATION. - // - -#define PERFINFO_PAGE_PRIORITY_LEVELS 8 - - typedef struct _PERFINFO_MEMORY_INFORMATION - { - SIZE_T ZeroPageCount; - SIZE_T FreePageCount; - SIZE_T ModifiedPageCount; - SIZE_T ModifiedNoWritePageCount; - SIZE_T BadPageCount; - SIZE_T PageCountByPriority[PERFINFO_PAGE_PRIORITY_LEVELS]; - SIZE_T RepurposedPagesByPriority[PERFINFO_PAGE_PRIORITY_LEVELS]; - SIZE_T ModifiedPageCountPageFile; - } PERFINFO_MEMORY_INFORMATION, *PPERFINFO_MEMORY_INFORMATION; - - typedef struct _PERFINFO_SYSTEM_MEMORY_INFORMATION - { - SIZE_T PagedPoolCommitPageCount; - SIZE_T NonPagedPoolPageCount; - SIZE_T MdlPageCount; - SIZE_T CommitPageCount; - } PERFINFO_SYSTEM_MEMORY_INFORMATION, *PPERFINFO_SYSTEM_MEMORY_INFORMATION; - - // - // Used for MemInfoWS/MemInfoSessionWs event. - // - -#include - typedef struct _PERFINFO_WORKINGSET_ENTRY - { - union - { - ULONG UniqueProcessId; - ULONG SessionId; - }; - SIZE_T WorkingSetPageCount; - SIZE_T CommitPageCount; - union - { - SIZE_T PagedPoolPageCount; // Used for SessionWs. - SIZE_T VirtualSizeInPages; // Used for ProcessWs. - }; - SIZE_T PrivateWorkingSetPageCount; - SIZE_T StoreSizeInPages; - SIZE_T StoredPageCount; - SIZE_T CommitDebtInPages; - SIZE_T SharedCommitInPages; - } PERFINFO_WORKINGSET_ENTRY, *PPERFINFO_WORKINGSET_ENTRY; - - typedef struct _PERFINFO_WORKINGSET_INFORMATION - { - ULONG Count; - PERFINFO_WORKINGSET_ENTRY WsEntry[1]; - } PERFINFO_WORKINGSET_INFORMATION, *PPERFINFO_WORKINGSET_INFORMATION; -#include - - // - // Contiguous page generation event. 
- // - typedef struct _PERFINFO_CONTIGUOUS_PAGE_GENERATE - { - ULONGLONG ThreadId; - ULONGLONG NumberOfBytes; - } PERFINFO_CONTIGUOUS_PAGE_GENERATE, *PPERFINFO_CONTIGUOUS_PAGE_GENERATE; - - // - // Debugger (debug event) events - // - typedef enum _PERFINFO_DEBUG_EVENT_REASON - { - PerfInfoDebugEventReceived = 1, - PerfInfoDebugEventContinued, - PerfInfoDebugEventMax - } PERFINFO_DEBUG_EVENT_REASON, - *PPERFINFO_DEBUG_EVENT_REASON; - - typedef struct _PERFINFO_DEBUG_EVENT - { - ULONG ProcessId; - ULONG ThreadId; - PERFINFO_DEBUG_EVENT_REASON Reason; - } PERFINFO_DEBUG_EVENT, *PPERFINFO_DEBUG_EVENT; - -// -// Compressed Context Swap events -// - -/* - - 1) packets of 2- 4- and 8-byte are used to store context switch event - according to the content of the event. (cf. ccswap.c) - 2) a local cache of thread ids and the base priorities are stored in each - buffer so that a short index can be used to log the thread id of the - switching-out thread. - -*/ - -// -// Number of bits allocated for the necessary fields: -// -#define PERFINFO_CCSWAP_BIT_TYPE 2 // packet type -#define PERFINFO_CCSWAP_BIT_TID 4 // size of the tid table -#define PERFINFO_CCSWAP_BIT_STATE_WR 6 // store state+wait reason -#define PERFINFO_CCSWAP_BIT_PRIORITY 5 // full priority in 'full' packet -#define PERFINFO_CCSWAP_BIT_PRI_INC 3 // priority increment in 'lite' packet - - // - // The following are the number of bits left after allocating bits for - // the necessary fields. These bits are used to store time deltas. If the - // value of a time delta is too big for a short format, the longer format - // is used. 
- // - -#define PERFINFO_CCSWAP_BIT_FULL_TS 30 - C_ASSERT(PERFINFO_CCSWAP_BIT_FULL_TS == (32 - PERFINFO_CCSWAP_BIT_TYPE)); - -#define PERFINFO_CCSWAP_BIT_SHORT_TS 14 - C_ASSERT(PERFINFO_CCSWAP_BIT_SHORT_TS == (16 - PERFINFO_CCSWAP_BIT_TYPE)); - -#define PERFINFO_CCSWAP_BIT_SMALL_TS 17 - C_ASSERT(PERFINFO_CCSWAP_BIT_SMALL_TS == - (32 - PERFINFO_CCSWAP_BIT_TYPE - PERFINFO_CCSWAP_BIT_TID - PERFINFO_CCSWAP_BIT_PRI_INC - PERFINFO_CCSWAP_BIT_STATE_WR)); - -#define PERFINFO_CCSWAP_BIT_WAIT_TIME 17 - C_ASSERT(PERFINFO_CCSWAP_BIT_WAIT_TIME == - (32 - PERFINFO_CCSWAP_BIT_TID - PERFINFO_CCSWAP_BIT_STATE_WR - PERFINFO_CCSWAP_BIT_PRIORITY)); - -// -// size of the tid table: -// -#define PERFINFO_CCSWAP_MAX_TID (1 << PERFINFO_CCSWAP_BIT_TID) - - // - // the packet type. it must fit into the bit-field of the length - // PERFINFO_CCSWAP_BIT_TYPE - // - typedef enum _PERFINFO_CCSWAP_TYPE - { - PerfCSwapIdleShort, - PerfCSwapIdle, - PerfCSwapLite, - PerfCSwapFull - } PERFINFO_CCSWAP_TYPE; - - // - // Compact context switch buffer structure: - // - // 0 +-----------------------------------+ - // | First Time Stamp | - // | | - // 8 |-----------------------------------| - // | 16 entry thread id table | - // ... - // | | - // 72 |-----------------------------------| - // | 16 entry base priority table | - // | | - // 88 |-----------------------------------| - // | variable-length data packets | - // ... 
- // - // - typedef struct _PERFINFO_CCSWAP_BUFFER - { - LONGLONG FirstTimeStamp; - ULONG TidTable[PERFINFO_CCSWAP_MAX_TID]; - SCHAR ThreadBasePriority[PERFINFO_CCSWAP_MAX_TID]; - } PERFINFO_CCSWAP_BUFFER, *PPERFINFO_CCSWAP_BUFFER; - - // - // 2 byte PerfCSwapIdleShort data: Idle thread switching out with small time delta - // - // 0 2 15 - // |--|--------------| - // type|short time delta - // - - typedef struct _PERFINFO_CCSWAP_IDLE_SHORT - { - USHORT DataType : PERFINFO_CCSWAP_BIT_TYPE; - USHORT TimeDelta : PERFINFO_CCSWAP_BIT_SHORT_TS; - } PERFINFO_CCSWAP_IDLE_SHORT, *PPERFINFO_CCSWAP_IDLE_SHORT; - - // - // 4 byte PerfCSwapIdle data: Idle thread switching out with large time delta - // - // 0 2 32 - // |--|------------------------------| - // type| full time delta - // - - typedef struct _PERFINFO_CCSWAP_IDLE - { - ULONG DataType : PERFINFO_CCSWAP_BIT_TYPE; - ULONG TimeDelta : PERFINFO_CCSWAP_BIT_FULL_TS; - } PERFINFO_CCSWAP_IDLE, *PPERFINFO_CCSWAP_IDLE; - - // - // 4 byte PerfCSwapLite data: Non-idle thread with no wait time, and priority - // increment from base less than 8 - // - // 0 2 6 9 15 32 - // |--|----|---|------|-----------------| - // type|tid |pri|st+wr |time delta - // - - typedef struct _PERFINFO_CCSWAP_LITE - { - ULONG DataType : PERFINFO_CCSWAP_BIT_TYPE; - ULONG OldThreadIdIndex : PERFINFO_CCSWAP_BIT_TID; - ULONG OldThreadPriInc : PERFINFO_CCSWAP_BIT_PRI_INC; - ULONG OldThreadStateWr : PERFINFO_CCSWAP_BIT_STATE_WR; - ULONG TimeDelta : PERFINFO_CCSWAP_BIT_SMALL_TS; - } PERFINFO_CCSWAP_LITE, *PPERFINFO_CCSWAP_LITE; - - // - // 8 byte PerfCSwapFull data: all others. - // - // 0 32 36 42 47 64 - // |--|------------------------------|----|------|-----|-----------------| - // type| full time delta |tid |st+wr |pri. 
| wait time - // - - typedef struct _PERFINFO_CCSWAP - { - ULONG DataType : PERFINFO_CCSWAP_BIT_TYPE; - ULONG TimeDelta : PERFINFO_CCSWAP_BIT_FULL_TS; - ULONG OldThreadIdIndex : PERFINFO_CCSWAP_BIT_TID; - ULONG OldThreadStateWr : PERFINFO_CCSWAP_BIT_STATE_WR; - ULONG OldThreadPriority : PERFINFO_CCSWAP_BIT_PRIORITY; - ULONG NewThreadWaitTime : PERFINFO_CCSWAP_BIT_WAIT_TIME; - } PERFINFO_CCSWAP, *PPERFINFO_CCSWAP; - - // - // Process Perf Counters - // - - typedef struct _PERFINFO_PROCESS_PERFCTR - { - ULONG ProcessId; - ULONG PageFaultCount; - ULONG HandleCount; - ULONG Reserved; - - SIZE_T PeakVirtualSize; - SIZE_T PeakWorkingSetSize; - SIZE_T PeakPagefileUsage; - SIZE_T QuotaPeakPagedPoolUsage; - SIZE_T QuotaPeakNonPagedPoolUsage; - - SIZE_T VirtualSize; - SIZE_T WorkingSetSize; - SIZE_T PagefileUsage; - SIZE_T QuotaPagedPoolUsage; - SIZE_T QuotaNonPagedPoolUsage; - SIZE_T PrivatePageCount; - - } PERFINFO_PROCESS_PERFCTR, *PPERFINFO_PROCESS_PERFCTR; - - // - // Process Perf Counters structures defined for cross platform post processing. 
- // - typedef struct _PERFINFO_PROCESS_PERFCTR32 - { - ULONG ProcessId; - ULONG PageFaultCount; - ULONG HandleCount; - ULONG Reserved; - - ULONG32 PeakVirtualSize; - ULONG32 PeakWorkingSetSize; - ULONG32 PeakPagefileUsage; - ULONG32 QuotaPeakPagedPoolUsage; - ULONG32 QuotaPeakNonPagedPoolUsage; - - ULONG32 VirtualSize; - ULONG32 WorkingSetSize; - ULONG32 PagefileUsage; - ULONG32 QuotaPagedPoolUsage; - ULONG32 QuotaNonPagedPoolUsage; - ULONG32 PrivatePageCount; - - } PERFINFO_PROCESS_PERFCTR32, *PPERFINFO_PROCESS_PERFCTR32; - - typedef struct _PERFINFO_PROCESS_PERFCTR64 - { - ULONG ProcessId; - ULONG PageFaultCount; - ULONG HandleCount; - ULONG Reserved; - - ULONG64 PeakVirtualSize; - ULONG64 PeakWorkingSetSize; - ULONG64 PeakPagefileUsage; - ULONG64 QuotaPeakPagedPoolUsage; - ULONG64 QuotaPeakNonPagedPoolUsage; - - ULONG64 VirtualSize; - ULONG64 WorkingSetSize; - ULONG64 PagefileUsage; - ULONG64 QuotaPagedPoolUsage; - ULONG64 QuotaNonPagedPoolUsage; - ULONG64 PrivatePageCount; - - } PERFINFO_PROCESS_PERFCTR64, *PPERFINFO_PROCESS_PERFCTR64; - - // - // Process In Swap structure. - // - - typedef struct _PERFINFO_PROCESS_INSWAP - { - ULONG_PTR DirectoryTableBase; - ULONG ProcessId; - } PERFINFO_PROCESS_INSWAP, *PPERFINFO_PROCESS_INSWAP; - - // - // I/O Timer structure. - // - - typedef struct _PERFINFO_IO_TIMER - { - PVOID DeviceObject; - PVOID RoutineAddress; - } PERFINFO_IO_TIMER, *PPERFINFO_IO_TIMER; - - // - // Keywords for Kernel Tracelogging Process Provider. - // - -#define TLG_KERNEL_PSPROV_KEYWORD_PROCESS 0x00000001 -#define TLG_KERNEL_PSPROV_KEYWORD_UTC 0x00000002 - - // - // Logger configuration and running statistics. 
This structure is used - // - - typedef struct _WMI_LOGGER_INFORMATION - { - WNODE_HEADER Wnode; // Had to do this since wmium.h comes later - ULONG BufferSize; // buffer size for logging (in kbytes) - ULONG MinimumBuffers; // minimum to preallocate - ULONG MaximumBuffers; // maximum buffers allowed - ULONG MaximumFileSize; // maximum logfile size (in MBytes) - ULONG LogFileMode; // sequential, circular - ULONG FlushTimer; // buffer flush timer, in seconds - ULONG EnableFlags; // trace enable flags - union - { - LONG AgeLimit; // aging decay time, in minutes - LONG FlushThreshold; // Number of buffers to fill before flushing - } DUMMYUNIONNAME; - ULONG Wow; // TRUE if the logger started under WOW64 - union - { - HANDLE LogFileHandle; // handle to logfile - ULONG64 LogFileHandle64; - } DUMMYUNIONNAME2; - union - { - ULONG NumberOfBuffers; // no of buffers in use - ULONG InstanceCount; // Number of Provider Instances - } DUMMYUNIONNAME3; - union - { - ULONG FreeBuffers; // no of buffers free - ULONG InstanceId; // Current Provider's Id for UmLogger - } DUMMYUNIONNAME4; - union - { - ULONG EventsLost; // event records lost - ULONG NumberOfProcessors; // Passed on to UmLogger - } DUMMYUNIONNAME5; - ULONG BuffersWritten; // no of buffers written to file - union - { - ULONG LogBuffersLost; // no of logfile write failures - ULONG Flags; // internal flags - } DUMMYUNIONNAME6; - - ULONG RealTimeBuffersLost; // no of rt delivery failures - union - { - HANDLE LoggerThreadId; // thread id of Logger - ULONG64 LoggerThreadId64; // thread is of Logger - } DUMMYUNIONNAME7; - union - { - UNICODE_STRING LogFileName; // used only in WIN64 - UNICODE_STRING64 LogFileName64; // Logfile name: only in WIN32 - } DUMMYUNIONNAME8; - - // mandatory data provided by caller - union - { - UNICODE_STRING LoggerName; // Logger instance name in WIN64 - UNICODE_STRING64 LoggerName64; // Logger Instance name in WIN32 - } DUMMYUNIONNAME9; - - ULONG RealTimeConsumerCount; // Number of rt consumers - 
ULONG SpareUlong; - - union - { - PVOID LoggerExtension; - ULONG64 LoggerExtension64; - } DUMMYUNIONNAME10; - } WMI_LOGGER_INFORMATION, *PWMI_LOGGER_INFORMATION; - -#define ETW_SYSTEM_EVENT_VERSION_MASK 0x000000FF -#define ETW_GET_SYSTEM_EVENT_VERSION(X) ((X) & ETW_SYSTEM_EVENT_VERSION_MASK) - -#define ETW_SYSTEM_EVENT_V1 0x000000001 -#define ETW_SYSTEM_EVENT_V2 0x000000002 -#define ETW_SYSTEM_EVENT_V3 0x000000003 -#define ETW_SYSTEM_EVENT_V4 0x000000004 -#define ETW_SYSTEM_EVENT_V5 0x000000005 -#define ETW_SYSTEM_EVENT_V6 0x000000006 - -// -// Following flags denotes what Fields actually contains -// -#define ETW_NT_TRACE_TYPE_MASK 0x0000FF00 - -#define ETW_NT_FLAGS_TRACE_HEADER 0x00000100 // Event Trace Header (Old) -#define ETW_NT_FLAGS_TRACE_MESSAGE 0x00000200 // Trace Message -#define ETW_NT_FLAGS_TRACE_EVENT 0x00000300 // Event Header (New) -#define ETW_NT_FLAGS_TRACE_SYSTEM 0x00000400 // Events using SystemHeader -#define ETW_NT_FLAGS_TRACE_SECURITY 0x00000500 // Events from security provider (LSA) -#define ETW_NT_FLAGS_TRACE_MARK 0x00000600 // Mark to KernelLogger or CKCL -#define ETW_NT_FLAGS_TRACE_EVENT_NOREG 0x00000700 // Event Header without registration handle -#define ETW_NT_FLAGS_TRACE_INSTANCE 0x00000800 // Event Instance Header (Old) - -#define ETW_NT_FLAGS_USE_NATIVE_HEADER 0x40000000 // Use native header for WOW64 -#define ETW_NT_FLAGS_WOW64_CALL 0x80000000 // For use by WOW (Internal) - -#define ETW_NT_FLAGS_TRACE_RUNDOWN_V2 (ETW_NT_FLAGS_TRACE_SYSTEM_V2 | ETW_NT_FLAGS_USE_NATIVE_HEADER) // Rundown and SysConfig events -#define ETW_NT_FLAGS_TRACE_RUNDOWN_V3 (ETW_NT_FLAGS_TRACE_SYSTEM_V3 | ETW_NT_FLAGS_USE_NATIVE_HEADER) // Rundown and SysConfig events -#define ETW_NT_FLAGS_TRACE_RUNDOWN_V4 (ETW_NT_FLAGS_TRACE_SYSTEM_V4 | ETW_NT_FLAGS_USE_NATIVE_HEADER) // Rundown and SysConfig events -#define ETW_NT_FLAGS_TRACE_RUNDOWN_V5 (ETW_NT_FLAGS_TRACE_SYSTEM_V5 | ETW_NT_FLAGS_USE_NATIVE_HEADER) // Rundown and SysConfig events - -#define 
ETW_NT_FLAGS_TRACE_RUNDOWN ETW_NT_FLAGS_TRACE_RUNDOWN_V2 - -// -// Flags used to control stack tracing when logging system -// events from user mode (e.g. Heap, CritSect, ThreadPool) -// -#define ETW_USER_FRAMES_TO_SKIP_MASK 0x000F0000 -#define ETW_USER_FRAMES_TO_SKIP_SHIFT 16 - -#define ETW_SKIP_USER_FRAMES(X) ((X) << ETW_USER_FRAMES_TO_SKIP_SHIFT) -#define ETW_USER_EVENT_WITH_STACKWALK(X) (ETW_NT_FLAGS_TRACE_SYSTEM_V2 | ETW_SKIP_USER_FRAMES(X)) - -#define ETW_NT_FLAGS_TRACE_SYSTEM_V1 (ETW_NT_FLAGS_TRACE_SYSTEM | ETW_SYSTEM_EVENT_V1) -#define ETW_NT_FLAGS_TRACE_SYSTEM_V2 (ETW_NT_FLAGS_TRACE_SYSTEM | ETW_SYSTEM_EVENT_V2) -#define ETW_NT_FLAGS_TRACE_SYSTEM_V3 (ETW_NT_FLAGS_TRACE_SYSTEM | ETW_SYSTEM_EVENT_V3) -#define ETW_NT_FLAGS_TRACE_SYSTEM_V4 (ETW_NT_FLAGS_TRACE_SYSTEM | ETW_SYSTEM_EVENT_V4) -#define ETW_NT_FLAGS_TRACE_SYSTEM_V5 (ETW_NT_FLAGS_TRACE_SYSTEM | ETW_SYSTEM_EVENT_V5) - -// Constants for UMGL (User Mode Global Logging). -// -// N.B. There is enough space reserved in UserSharedData -// to support up to 16 providers, but to avoid needless -// scanning MAX_PROVIDERS constant is currently set to 8. -// -// N.B. Heap and CritSec providers can be controlled with IFEO -// making the indexes fixed. 
-#define ETW_UMGL_INDEX_HEAP 0 -#define ETW_UMGL_INDEX_CRITSEC 1 -#define ETW_UMGL_INDEX_LDR 2 -#define ETW_UMGL_INDEX_THREAD_POOL 3 -#define ETW_UMGL_INDEX_HEAPRANGE 4 -#define ETW_UMGL_INDEX_HEAPSUMMARY 5 -#define ETW_UMGL_INDEX_UMS 6 -#define ETW_UMGL_INDEX_WNF 7 -#define ETW_UMGL_INDEX_THREAD 8 -#define ETW_UMGL_INDEX_SPARE2 9 -#define ETW_UMGL_INDEX_SPARE3 10 -#define ETW_UMGL_INDEX_SPARE4 11 -#define ETW_UMGL_INDEX_SPARE5 12 -#define ETW_UMGL_INDEX_SPARE6 13 -#define ETW_UMGL_INDEX_SPARE7 14 -#define ETW_UMGL_INDEX_SPARE8 15 - -#define ETW_UMGL_MAX_PROVIDERS 9 - - typedef struct _ETW_UMGL_KEY - { - UCHAR LoggerId; - UCHAR Flags; - } ETW_UMGL_KEY, *PETW_UMGL_KEY; - -#define UMGL_LOGGER_ID(Index) (((PETW_UMGL_KEY)(&USER_SHARED_DATA->UserModeGlobalLogger[Index]))->LoggerId) -#define UMGL_LOGGER_FLAGS(Index) (((PETW_UMGL_KEY)(&USER_SHARED_DATA->UserModeGlobalLogger[Index]))->Flags) -#define IS_UMGL_LOGGING_ENABLED(Index) (UMGL_LOGGER_ID(Index) != 0) -#define IS_UMGL_FLAG_ENABLED(Index, Flag) ((UMGL_LOGGER_FLAGS(Index) & Flag) != 0) - -#define IS_HEAP_LOGGING_ENABLED() (IS_UMGL_LOGGING_ENABLED(ETW_UMGL_INDEX_HEAP) && (NtCurrentPeb()->HeapTracingEnabled != FALSE)) -#define IS_HEAP_RANGE_LOGGING_ENABLED() (IS_UMGL_LOGGING_ENABLED(ETW_UMGL_INDEX_HEAPRANGE)) -#define HEAP_LOGGER_ID (UMGL_LOGGER_ID(ETW_UMGL_INDEX_HEAP)) - -#define IS_CRITSEC_LOGGING_ENABLED() (IS_UMGL_LOGGING_ENABLED(ETW_UMGL_INDEX_CRITSEC) && (NtCurrentPeb()->CritSecTracingEnabled != FALSE)) -#define CRITSEC_LOGGER_ID (UMGL_LOGGER_ID(ETW_UMGL_INDEX_CRITSEC)) -#define IS_LOADER_LOGGING_ENABLED_FLAG(Flag) (IS_UMGL_LOGGING_ENABLED(ETW_UMGL_INDEX_LDR) && ((UMGL_LOGGER_FLAGS(ETW_UMGL_INDEX_LDR) & Flag) != 0)) -#define IS_PER_PROCESS_LOADER_LOGGING_ENABLED_FLAG(Flag) (IS_UMGL_LOGGING_ENABLED(ETW_UMGL_INDEX_LDR) && (NtCurrentPeb()->LibLoaderTracingEnabled != FALSE) && ((UMGL_LOGGER_FLAGS(ETW_UMGL_INDEX_LDR) & Flag) != 0)) -#define IS_GLOBAL_LOADER_LOGGING_ENABLED() 
(IS_UMGL_LOGGING_ENABLED(ETW_UMGL_INDEX_LDR)) -#define LOADER_LOGGER_ID (UMGL_LOGGER_ID(ETW_UMGL_INDEX_LDR)) -#define HEAPRANGE_LOGGER_ID (UMGL_LOGGER_ID(ETW_UMGL_INDEX_HEAPRANGE)) -#define IS_THREAD_POOL_LOGGING_ENABLED() (IS_UMGL_LOGGING_ENABLED(ETW_UMGL_INDEX_THREAD_POOL)) -#define THREAD_POOL_LOGGER_ID (UMGL_LOGGER_ID(ETW_UMGL_INDEX_THREAD_POOL)) -#define IS_UMS_LOGGING_ENABLED() (IS_UMGL_LOGGING_ENABLED(ETW_UMGL_INDEX_UMS)) -#define UMS_LOGGER_ID (UMGL_LOGGER_ID(ETW_UMGL_INDEX_UMS)) -#define HEAPSUMMARY_LOGGER_ID (UMGL_LOGGER_ID(ETW_UMGL_INDEX_HEAPSUMMARY)) -#define IS_HEAPSUMMARY_LOGGING_ENABLED() (IS_UMGL_LOGGING_ENABLED(ETW_UMGL_INDEX_HEAPSUMMARY)) -#define WNF_LOGGER_ID (UMGL_LOGGER_ID(ETW_UMGL_INDEX_WNF)) -#define IS_WNF_LOGGING_ENABLED() (IS_UMGL_LOGGING_ENABLED(ETW_UMGL_INDEX_WNF)) -#define UMGL_THREAD_LOGGER_ID (UMGL_LOGGER_ID(ETW_UMGL_INDEX_THREAD)) -#define IS_UMGL_THREAD_LOGGING_ENABLED() (IS_UMGL_LOGGING_ENABLED(ETW_UMGL_INDEX_THREAD)) - -// -// Flags used by user mode loader logging to UMGL. -// -#define ETW_UMGL_LDR_MUI_VERBOSE_FLAG 0x0001 -#define ETW_UMGL_LDR_MUI_TEST_FLAG 0x0002 -#define ETW_UMGL_LDR_RELOCATION_FLAG 0x0004 -#define ETW_UMGL_LDR_NEW_DLL_FLAG 0x0010 -#define ETW_UMGL_LDR_TEST_FLAG 0x0020 -#define ETW_UMGL_LDR_SECURITY_FLAG 0x0040 - -// -// Constants for heap log -// -#define MEMORY_FROM_LOOKASIDE 1 // Activity from LookAside -#define MEMORY_FROM_LOWFRAG 2 // Activity from Low Frag Heap -#define MEMORY_FROM_MAINPATH 3 // Activity from Main Code Path -#define MEMORY_FROM_SLOWPATH 4 // Activity from Slow C -#define MEMORY_FROM_INVALID 5 -#define MEMORY_FROM_SEGMENT_HEAP 6 // Activity from segment heap. 
- -#define EVENT_HEADER_EVENT64 ((USHORT)(((TRACE_HEADER_FLAG | TRACE_HEADER_EVENT_TRACE) >> 16) | TRACE_HEADER_TYPE_EVENT_HEADER64)) -#define EVENT_HEADER_EVENT32 ((USHORT)(((TRACE_HEADER_FLAG | TRACE_HEADER_EVENT_TRACE) >> 16) | TRACE_HEADER_TYPE_EVENT_HEADER32)) -#define EVENT_HEADER_ERROR ((USHORT)(((TRACE_HEADER_FLAG | TRACE_HEADER_EVENT_TRACE) >> 16) | TRACE_HEADER_TYPE_ERROR)) -#define TRACE_HEADER_FULL32 (TRACE_HEADER_FLAG | TRACE_HEADER_EVENT_TRACE | (TRACE_HEADER_TYPE_FULL_HEADER32 << 16)) -#define TRACE_HEADER_FULL64 (TRACE_HEADER_FLAG | TRACE_HEADER_EVENT_TRACE | (TRACE_HEADER_TYPE_FULL_HEADER64 << 16)) -#define TRACE_HEADER_INSTANCE32 (TRACE_HEADER_FLAG | TRACE_HEADER_EVENT_TRACE | (TRACE_HEADER_TYPE_INSTANCE32 << 16)) -#define TRACE_HEADER_INSTANCE64 (TRACE_HEADER_FLAG | TRACE_HEADER_EVENT_TRACE | (TRACE_HEADER_TYPE_INSTANCE64 << 16)) - -#ifdef _WIN64 -#define EVENT_HEADER_EVENT EVENT_HEADER_EVENT64 -#define TRACE_HEADER_FULL TRACE_HEADER_FULL64 -#define TRACE_HEADER_INSTANCE TRACE_HEADER_INSTANCE64 -#else -#define EVENT_HEADER_EVENT EVENT_HEADER_EVENT32 -#define TRACE_HEADER_FULL TRACE_HEADER_FULL32 -#define TRACE_HEADER_INSTANCE TRACE_HEADER_INSTANCE32 -#endif - -#define PREPARE_ETW_TRACE_HEADER_GUID(Header, EventStruct, EventType, EventGuid, LoggerId) \ - (Header)->Size = sizeof(EventStruct); \ - (Header)->Class.Type = (EventType); \ - RtlCopyMemory(&((Header)->Guid), (EventGuid), sizeof(*(EventGuid))); - -// Used with OpenTrace(), prevents conversion of TimeStamps to UTC -#define EVENT_TRACE_USE_RAWTIMESTAMP 0x00000002 -// Used with OpenTrace(), retrieves event from file as is. -#define EVENT_TRACE_GET_RAWEVENT 0x00000100 -// Used with OpenTrace() to ReadBehind a live logger session. -#define EVENT_TRACE_READ_BEHIND 0x00000200 -// Used in EventCallbacks to indicate that the InstanceId field is a sequence number. -#define EVENT_TRACE_USE_SEQUENCE 0x0004 -// Kernel Event Version is used to indicate if any kernel event has changed. 
-#define ETW_KERNEL_EVENT_VERSION 60 - - typedef struct _ETW_KERNEL_HEADER_EXTENSION - { - PERFINFO_GROUPMASK GroupMasks; - ULONG Version; - } ETW_KERNEL_HEADER_EXTENSION, *PETW_KERNEL_HEADER_EXTENSION; - -#define ETW_SET_MARK_WITH_FLUSH 0x00000001 - - typedef struct _ETW_SET_MARK_INFORMATION - { - ULONG Flag; - WCHAR Mark[1]; - } ETW_SET_MARK_INFORMATION, *PETW_SET_MARK_INFORMATION; - - // - // Data Block structure for ETW notification - // - typedef enum _ETW_NOTIFICATION_TYPE - { - EtwNotificationTypeNoReply = 1, // No data block reply - EtwNotificationTypeLegacyEnable, // Enable notification for RegisterTraceGuids - EtwNotificationTypeEnable, // Enable notification for EventRegister - EtwNotificationTypePrivateLogger, // Private logger notification for ETW - EtwNotificationTypePerflib, // PERFLIB V2 counter data request/delivery block - EtwNotificationTypeAudio, // Private notification for audio policy - EtwNotificationTypeSession, // Session related ETW notifications - EtwNotificationTypeReserved, // For internal use (test) - EtwNotificationTypeCredentialUI, // Private notification for media center elevation detection - EtwNotificationTypeInProcSession, // Private in-proc session related ETW notifications - EtwNotificationTypeMax - } ETW_NOTIFICATION_TYPE; - -#define ETW_MAX_DATA_BLOCK_BUFFER_SIZE (65536) - - typedef struct _ETW_NOTIFICATION_HEADER - { - ETW_NOTIFICATION_TYPE NotificationType; // Notification type - ULONG NotificationSize; // Notification size in bytes - ULONG Offset; // Offset to the next notification - BOOLEAN ReplyRequested; // Reply Requested - ULONG Timeout; // Timeout in milliseconds when requesting reply - union - { - ULONG ReplyCount; // Out to sender: the number of notifications sent - ULONG NotifyeeCount; // Out to notifyee: the order during notification - }; - ULONGLONG Reserved2; - ULONG TargetPID; - ULONG SourcePID; - GUID DestinationGuid; // Destination GUID - GUID SourceGuid; // Source GUID - } ETW_NOTIFICATION_HEADER, 
*PETW_NOTIFICATION_HEADER; - - typedef ULONG(NTAPI *PETW_NOTIFICATION_CALLBACK)( - _In_ PETW_NOTIFICATION_HEADER NotificationHeader, - _In_ PVOID Context); - - typedef enum _ETW_SESSION_NOTIFICATION_TYPE - { - EtwSessionNotificationMediaChanged = 1, - EtwSessionNotificationSessionTerminated, - EtwSessionNotificationLogfileError, - EtwSessionNotificationRealtimeError, - EtwSessionNotificationSessionStarted, - EtwSessionNotificationMax - } ETW_SESSION_NOTIFICATION_TYPE; - - typedef struct _ETW_SESSION_NOTIFICATION_PACKET - { - ETW_NOTIFICATION_HEADER NotificationHeader; - ETW_SESSION_NOTIFICATION_TYPE Type; - NTSTATUS Status; - TRACEHANDLE TraceHandle; - ULONG Reserved[2]; - } ETW_SESSION_NOTIFICATION_PACKET, *PETW_SESSION_NOTIFICATION_PACKET; - -#if (PHNT_MODE != PHNT_MODE_KERNEL) - -#ifndef EVENT_DESCRIPTOR_DEF -#define EVENT_DESCRIPTOR_DEF - typedef struct _EVENT_DESCRIPTOR - { - USHORT Id; - UCHAR Version; - UCHAR Channel; - UCHAR Level; - UCHAR Opcode; - USHORT Task; - ULONGLONG Keyword; - } EVENT_DESCRIPTOR, *PEVENT_DESCRIPTOR; - typedef const EVENT_DESCRIPTOR *PCEVENT_DESCRIPTOR; -#endif - - NTSYSAPI - ULONG - NTAPI - EtwSetMark( - _In_opt_ TRACEHANDLE TraceHandle, - _In_ PETW_SET_MARK_INFORMATION MarkInfo, - _In_ ULONG Size); - - typedef struct _EVENT_DATA_DESCRIPTOR EVENT_DATA_DESCRIPTOR, *PEVENT_DATA_DESCRIPTOR; - - NTSYSAPI - ULONG - NTAPI - EtwEventWriteFull( - _In_ REGHANDLE RegHandle, - _In_ PCEVENT_DESCRIPTOR EventDescriptor, - _In_ USHORT EventProperty, - _In_opt_ LPCGUID ActivityId, - _In_opt_ LPCGUID RelatedActivityId, - _In_ ULONG UserDataCount, - _In_reads_opt_(UserDataCount) PEVENT_DATA_DESCRIPTOR UserData); - - // NTSYSAPI - // ULONG - // NTAPI - // EtwEventRegister( - // _In_ LPCGUID ProviderId, - // _In_opt_ PENABLECALLBACK EnableCallback, - // _In_opt_ PVOID CallbackContext, - // _Out_ PREGHANDLE RegHandle - // ); - - NTSYSAPI - ULONG - NTAPI - EtwEventUnregister( - _In_ REGHANDLE RegHandle); - - typedef enum _EVENT_INFO_CLASS 
EVENT_INFO_CLASS; - - NTSYSAPI - ULONG - NTAPI - EtwEventSetInformation( - _In_ REGHANDLE RegHandle, - _In_ EVENT_INFO_CLASS InformationClass, - _In_reads_bytes_(InformationLength) PVOID EventInformation, - _In_ ULONG InformationLength); - - NTSYSAPI - ULONG - NTAPI - EtwRegisterSecurityProvider( - VOID); - - NTSYSAPI - BOOLEAN - NTAPI - EtwEventProviderEnabled( - _In_ REGHANDLE RegHandle, - _In_ UCHAR Level, - _In_ ULONGLONG Keyword); - - NTSYSAPI - BOOLEAN - NTAPI - EtwEventEnabled( - _In_ REGHANDLE RegHandle, - _In_ PCEVENT_DESCRIPTOR EventDescriptor); - - NTSYSAPI - ULONG - NTAPI - EtwEventWrite( - _In_ REGHANDLE RegHandle, - _In_ PCEVENT_DESCRIPTOR EventDescriptor, - _In_ ULONG UserDataCount, - _In_reads_opt_(UserDataCount) PEVENT_DATA_DESCRIPTOR UserData); - - NTSYSAPI - ULONG - NTAPI - EtwEventWriteTransfer( - _In_ REGHANDLE RegHandle, - _In_ PCEVENT_DESCRIPTOR EventDescriptor, - _In_opt_ LPCGUID ActivityId, - _In_opt_ LPCGUID RelatedActivityId, - _In_ ULONG UserDataCount, - _In_reads_opt_(UserDataCount) PEVENT_DATA_DESCRIPTOR UserData); - - NTSYSAPI - ULONG - NTAPI - EtwEventWriteString( - _In_ REGHANDLE RegHandle, - _In_ UCHAR Level, - _In_ ULONGLONG Keyword, - _In_ PCWSTR String); - - NTSYSAPI - ULONG - NTAPI - EtwEventWriteEx( - _In_ REGHANDLE RegHandle, - _In_ PCEVENT_DESCRIPTOR EventDescriptor, - _In_ ULONG64 Filter, - _In_ ULONG Flags, - _In_opt_ LPCGUID ActivityId, - _In_opt_ LPCGUID RelatedActivityId, - _In_ ULONG UserDataCount, - _In_reads_opt_(UserDataCount) PEVENT_DATA_DESCRIPTOR UserData); - - NTSYSAPI - ULONG - NTAPI - EtwEventWriteStartScenario( - _In_ REGHANDLE RegHandle, - _In_ PCEVENT_DESCRIPTOR EventDescriptor, - _In_ ULONG UserDataCount, - _In_reads_opt_(UserDataCount) PEVENT_DATA_DESCRIPTOR UserData); - - NTSYSAPI - ULONG - NTAPI - EtwEventWriteEndScenario( - _In_ REGHANDLE RegHandle, - _In_ PCEVENT_DESCRIPTOR EventDescriptor, - _In_ ULONG UserDataCount, - _In_reads_opt_(UserDataCount) PEVENT_DATA_DESCRIPTOR UserData); - - NTSYSAPI - 
ULONG - NTAPI - EtwWriteUMSecurityEvent( - _In_ PCEVENT_DESCRIPTOR EventDescriptor, - _In_ USHORT EventProperty, - _In_ ULONG UserDataCount, - _In_opt_ PEVENT_DATA_DESCRIPTOR UserData); - - NTSYSAPI - ULONG - NTAPI - EtwEventWriteNoRegistration( - _In_ LPCGUID ProviderId, - _In_ PCEVENT_DESCRIPTOR EventDescriptor, - _In_ ULONG UserDataCount, - _In_reads_opt_(UserDataCount) PEVENT_DATA_DESCRIPTOR UserData); - - NTSYSAPI - ULONG - NTAPI - EtwEventActivityIdControl( - _In_ ULONG ControlCode, - _Inout_ LPGUID ActivityId); - - NTSYSAPI - ULONG - NTAPI - EtwNotificationRegister( - _In_ LPCGUID Guid, - _In_ ULONG Type, - _In_ PETW_NOTIFICATION_CALLBACK Callback, - _In_opt_ PVOID Context, - _Out_ PREGHANDLE RegHandle); - - NTSYSAPI - ULONG - NTAPI - EtwNotificationUnregister( - _In_ REGHANDLE RegHandle, - _Out_opt_ PVOID *Context); - - NTSYSAPI - ULONG - NTAPI - EtwSendNotification( - _In_ PETW_NOTIFICATION_HEADER DataBlock, - _In_ ULONG ReceiveDataBlockSize, - _Inout_ PVOID ReceiveDataBlock, - _Out_ PULONG ReplyReceived, - _Out_ PULONG ReplySizeNeeded); - - NTSYSAPI - ULONG - NTAPI - EtwReplyNotification( - _In_ PETW_NOTIFICATION_HEADER Notification); - - NTSYSAPI - ULONG - NTAPI - EtwEnumerateProcessRegGuids( - _Out_writes_bytes_opt_(OutBufferSize) PVOID OutBuffer, - _In_ ULONG OutBufferSize, - _Out_ PULONG ReturnLength); - - NTSYSAPI - ULONG - NTAPI - EtwQueryRealtimeConsumer( - _In_ TRACEHANDLE TraceHandle, - _Out_ PULONG EventsLostCount, - _Out_ PULONG BuffersLostCount); -#endif - - // public TRACE_PROVIDER_INSTANCE_INFO - typedef struct _ETW_TRACE_PROVIDER_INSTANCE_INFO - { - ULONG NextOffset; - ULONG EnableCount; - ULONG Pid; - ULONG Flags; - } ETW_TRACE_PROVIDER_INSTANCE_INFO, *PETW_TRACE_PROVIDER_INSTANCE_INFO; - - // public TRACE_GUID_INFO - typedef struct _ETW_TRACE_GUID_INFO - { - ULONG InstanceCount; - ULONG Reserved; - // ETW_TRACE_PROVIDER_INSTANCE_INFO Instances[1]; - } ETW_TRACE_GUID_INFO, *PETW_TRACE_GUID_INFO; - - // rev - typedef enum 
_ETWTRACECONTROLCODE - { - EtwStartLoggerCode = 1, // inout WMI_LOGGER_INFORMATION - EtwStopLoggerCode = 2, // inout WMI_LOGGER_INFORMATION - EtwQueryLoggerCode = 3, // inout WMI_LOGGER_INFORMATION - EtwUpdateLoggerCode = 4, // inout WMI_LOGGER_INFORMATION - EtwFlushLoggerCode = 5, // inout WMI_LOGGER_INFORMATION - EtwIncrementLoggerFile = 6, // inout WMI_LOGGER_INFORMATION - EtwRealtimeTransition = 7, // inout WMI_LOGGER_INFORMATION - // reserved - EtwRealtimeConnectCode = 11, - EtwActivityIdCreate = 12, - EtwWdiScenarioCode = 13, - EtwRealtimeDisconnectCode = 14, // in HANDLE - EtwRegisterGuidsCode = 15, - EtwReceiveNotification = 16, - EtwSendDataBlock = 17, // ETW_ENABLE_NOTIFICATION_PACKET // ETW_SESSION_NOTIFICATION_PACKET - EtwSendReplyDataBlock = 18, - EtwReceiveReplyDataBlock = 19, - EtwWdiSemUpdate = 20, - EtwEnumTraceGuidList = 21, // out GUID[] - EtwGetTraceGuidInfo = 22, // in GUID, out ETW_TRACE_GUID_INFO - EtwEnumerateTraceGuids = 23, // out TRACE_GUID_PROPERTIES[] - EtwRegisterSecurityProv = 24, - EtwReferenceTimeCode = 25, // in ULONG LoggerId, out ETW_REF_CLOCK - EtwTrackBinaryCode = 26, // in HANDLE - EtwAddNotificationEvent = 27, - EtwUpdateDisallowList = 28, - EtwSetEnableAllKeywordsCode = 29, - EtwSetProviderTraitsCode = 30, - EtwUseDescriptorTypeCode = 31, - EtwEnumTraceGroupList = 32, - EtwGetTraceGroupInfo = 33, - EtwGetDisallowList = 34, - EtwSetCompressionSettings = 35, - EtwGetCompressionSettings = 36, - EtwUpdatePeriodicCaptureState = 37, - EtwGetPrivateSessionTraceHandle = 38, - EtwRegisterPrivateSession = 39, - EtwQuerySessionDemuxObject = 40, - EtwSetProviderBinaryTracking = 41, - EtwMaxLoggers = 42, // out ULONG - EtwMaxPmcCounter = 43, // out ULONG - EtwQueryUsedProcessorCount = 44, // ULONG // since WIN11 - EtwGetPmcOwnership = 45, - EtwGetPmcSessions = 46, - } ETWTRACECONTROLCODE; - -#if (PHNT_VERSION >= PHNT_VISTA) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtTraceControl( - _In_ ETWTRACECONTROLCODE FunctionCode, - 
_In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, - _In_ ULONG InputBufferLength, - _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer, - _In_ ULONG OutputBufferLength, - _Out_ PULONG ReturnLength); -#endif - -#if (PHNT_VERSION >= PHNT_WINXP) - NTSYSCALLAPI - NTSTATUS - NTAPI - NtTraceEvent( - _In_opt_ HANDLE TraceHandle, - _In_ ULONG Flags, - _In_ ULONG FieldSize, - _In_ PVOID Fields); -#endif - - // private - typedef struct _TELEMETRY_COVERAGE_POINT - { - PWSTR Name; - ULONG Hash; - ULONG LastCoveredRound; - ULONG Flags; - } TELEMETRY_COVERAGE_POINT, *PTELEMETRY_COVERAGE_POINT; - -#if (PHNT_VERSION >= PHNT_REDSTONE3) - // rev - NTSYSAPI - BOOLEAN - NTAPI - EtwCheckCoverage( - _Inout_ PTELEMETRY_COVERAGE_POINT CoveragePoint); -#endif - - // - // Data consumer apis (deprecated starting with Vista) - // - // WMI functionality was moved to ETW. - // - - NTSYSAPI - ULONG - NTAPI - WmiOpenBlock( - _In_ LPCGUID Guid, - _In_ ACCESS_MASK DesiredAccess, - _Out_ PHANDLE DataBlockHandle); - - NTSYSAPI - ULONG - NTAPI - WmiCloseBlock( - _In_ HANDLE DataBlockHandle); - - NTSYSAPI - ULONG - NTAPI - WmiQueryAllDataA( - _In_ HANDLE DataBlockHandle, - _Inout_ PULONG BufferLength, - _Out_writes_bytes_opt_(*BufferLength) PVOID Buffer); - - NTSYSAPI - ULONG - NTAPI - WmiQueryAllDataW( - _In_ HANDLE DataBlockHandle, - _Inout_ PULONG BufferLength, - _Out_writes_bytes_opt_(*BufferLength) PVOID Buffer); - - NTSYSAPI - ULONG - NTAPI - WmiQueryAllDataMultipleA( - _In_reads_(HandleCount) PHANDLE HandleList, - _In_ ULONG HandleCount, - _Inout_ PULONG InOutBufferSize, - _Out_writes_bytes_(*InOutBufferSize) PVOID OutBuffer); - - NTSYSAPI - ULONG - NTAPI - WmiQueryAllDataMultipleW( - _In_reads_(HandleCount) PHANDLE HandleList, - _In_ ULONG HandleCount, - _Inout_ PULONG InOutBufferSize, - _Out_writes_bytes_(*InOutBufferSize) PVOID OutBuffer); - - NTSYSAPI - ULONG - NTAPI - WmiQuerySingleInstanceA( - _In_ HANDLE DataBlockHandle, - _In_ PCSTR InstanceName, - _Inout_ PULONG 
BufferSize, - _Out_writes_bytes_to_opt_(*BufferSize, *BufferSize) PVOID Buffer); - - NTSYSAPI - ULONG - NTAPI - WmiQuerySingleInstanceW( - _In_ HANDLE DataBlockHandle, - _In_ PCWSTR InstanceName, - _Inout_ PULONG BufferSize, - _Out_writes_bytes_to_opt_(*BufferSize, *BufferSize) PVOID Buffer); - - NTSYSAPI - ULONG - NTAPI - WmiQuerySingleInstanceMultipleW( - _In_reads_(HandleCount) PHANDLE HandleList, - _In_reads_(HandleCount) PCWSTR *InstanceNames, - _In_ ULONG HandleCount, - _Inout_ PULONG InOutBufferSize, - _Out_writes_bytes_to_opt_(*InOutBufferSize, *InOutBufferSize) PVOID OutBuffer); - - NTSYSAPI - ULONG - NTAPI - WmiQuerySingleInstanceMultipleA( - _In_reads_(HandleCount) PHANDLE HandleList, - _In_reads_(HandleCount) PCSTR *InstanceNames, - _In_ ULONG HandleCount, - _Inout_ PULONG InOutBufferSize, - _Out_writes_bytes_to_opt_(*InOutBufferSize, *InOutBufferSize) PVOID OutBuffer); - - NTSYSAPI - ULONG - NTAPI - WmiSetSingleInstanceA( - _In_ HANDLE DataBlockHandle, - _In_ PCSTR InstanceName, - _In_ ULONG Reserved, - _In_ ULONG ValueBufferSize, - _In_reads_bytes_(ValueBufferSize) PVOID ValueBuffer); - - NTSYSAPI - ULONG - NTAPI - WmiSetSingleInstanceW( - _In_ HANDLE DataBlockHandle, - _In_ PCWSTR InstanceName, - _In_ ULONG Reserved, - _In_ ULONG ValueBufferSize, - _In_reads_bytes_(ValueBufferSize) PVOID ValueBuffer); - - NTSYSAPI - ULONG - NTAPI - WmiSetSingleItemA( - _In_ HANDLE DataBlockHandle, - _In_ PCSTR InstanceName, - _In_ ULONG DataItemId, - _In_ ULONG Reserved, - _In_ ULONG ValueBufferSize, - _In_reads_bytes_(ValueBufferSize) PVOID ValueBuffer); - - NTSYSAPI - ULONG - NTAPI - WmiSetSingleItemW( - _In_ HANDLE DataBlockHandle, - _In_ PCWSTR InstanceName, - _In_ ULONG DataItemId, - _In_ ULONG Reserved, - _In_ ULONG ValueBufferSize, - _In_reads_bytes_(ValueBufferSize) PVOID ValueBuffer); - - NTSYSAPI - ULONG - NTAPI - WmiExecuteMethodA( - _In_ HANDLE MethodDataBlockHandle, - _In_ PCSTR MethodInstanceName, - _In_ ULONG MethodId, - _In_ ULONG InputBufferSize, - 
_In_reads_bytes_opt_(InputBufferSize) PVOID InputBuffer, - _Inout_opt_ PULONG OutputBufferSize, - _Out_writes_bytes_opt_(*OutputBufferSize) PVOID OutputBuffer); - - NTSYSAPI - ULONG - NTAPI - WmiExecuteMethodW( - _In_ HANDLE MethodDataBlockHandle, - _In_ PCWSTR MethodInstanceName, - _In_ ULONG MethodId, - _In_ ULONG InputBufferSize, - _In_reads_bytes_opt_(InputBufferSize) PVOID InputBuffer, - _Inout_opt_ PULONG OutputBufferSize, - _Out_writes_bytes_opt_(*OutputBufferSize) PVOID OutputBuffer); - -// Enable or disable a trace logging guid. -#define NOTIFICATION_TRACE_FLAG 0x00010000 -// Enable or disable a trace direct callback. -// The callback is invoked immediately via a separate thread. -#define NOTIFICATION_CALLBACK_DIRECT 0x00000004 -// Set this flag (and only this flag) when you want to only check if the -// caller has permission to receive events for the guid. -#define NOTIFICATION_CHECK_ACCESS 0x00000008 -// Enable lightweight notification. -#define NOTIFICATION_LIGHTWEIGHT_FLAG 0x00000020 - - // Event notification callback function prototype - _Function_class_(NOTIFICATIONCALLBACK) typedef void(WINAPI NOTIFICATIONCALLBACK)( - _In_ PWNODE_HEADER Wnode, - _In_ ULONG_PTR NotificationContext); - typedef NOTIFICATIONCALLBACK *PNOTIFICATIONCALLBACK; - - // {B48D49A1-E777-11d0-A50C-00A0C9062910} - DEFINE_GUID(GUID_REGISTRATION_CHANGE_NOTIFICATION, 0xb48d49a1, 0xe777, 0x11d0, 0xa5, 0xc, 0x0, 0xa0, 0xc9, 0x6, 0x29, 0x10); - // {B48D49A2-E777-11d0-A50C-00A0C9062910} - DEFINE_GUID(GUID_MOF_RESOURCE_ADDED_NOTIFICATION, 0xb48d49a2, 0xe777, 0x11d0, 0xa5, 0xc, 0x0, 0xa0, 0xc9, 0x6, 0x29, 0x10); - // {B48D49A3-E777-11d0-A50C-00A0C9062910} - DEFINE_GUID(GUID_MOF_RESOURCE_REMOVED_NOTIFICATION, 0xb48d49a3, 0xe777, 0x11d0, 0xa5, 0xc, 0x0, 0xa0, 0xc9, 0x6, 0x29, 0x10); - - NTSYSAPI - ULONG - NTAPI - WmiNotificationRegistrationA( - _In_ PCGUID Guid, - _In_ BOOLEAN Enable, - _In_ PVOID DeliveryInfo, - _In_ ULONG_PTR DeliveryContext, - _In_ ULONG Flags); - - NTSYSAPI - ULONG - 
NTAPI - WmiNotificationRegistrationW( - _In_ PCGUID Guid, - _In_ BOOLEAN Enable, - _In_ PVOID DeliveryInfo, - _In_ ULONG_PTR DeliveryContext, - _In_ ULONG Flags); - - NTSYSAPI - ULONG - NTAPI - WmiEnumerateGuids( - _Out_writes_opt_(*GuidCount) PGUID GuidList, - _Inout_ PULONG GuidCount); - - typedef struct _MOFRESOURCEINFOA - { - PSTR ImagePath; // Path to image containing MOF resource - PSTR ResourceName; // Name of resource in image - ULONG ResourceSize; // Number of bytes in resource - PUCHAR ResourceBuffer; - } MOFRESOURCEINFOA, *PMOFRESOURCEINFOA; - -#ifdef UNICODE - typedef struct _MOFRESOURCEINFOW MOFRESOURCEINFO, *PMOFRESOURCEINFO; -#else - typedef struct _MOFRESOURCEINFOA MOFRESOURCEINFO, *PMOFRESOURCEINFO; -#endif - -// -// When set the guid can be opened and accessed -#define MOFCI_RESERVED0 0x00000001 -#define MOFCI_RESERVED1 0x00000002 -#define MOFCI_RESERVED2 0x00000004 - - typedef struct _MOFRESOURCEINFOW - { - LPWSTR ImagePath; // Path to image containing MOF resource - LPWSTR ResourceName; // Name of resource in image - ULONG ResourceSize; // Number of bytes in resource - PUCHAR ResourceBuffer; // Reserved - } MOFRESOURCEINFOW, *PMOFRESOURCEINFOW; - - NTSYSAPI - ULONG - NTAPI - WmiMofEnumerateResourcesW( - _In_ HANDLE MofResourceHandle, - _Out_ PULONG MofResourceCount, - _Outptr_result_buffer_(*MofResourceCount) PMOFRESOURCEINFOW *MofResourceInfo); - - NTSYSAPI - ULONG - NTAPI - WmiMofEnumerateResourcesA( - _In_ HANDLE MofResourceHandle, - _Out_ PULONG MofResourceCount, - _Outptr_result_buffer_(*MofResourceCount) PMOFRESOURCEINFOA *MofResourceInfo); - - NTSYSAPI - ULONG - NTAPI - WmiFileHandleToInstanceNameA( - _In_ HANDLE DataBlockHandle, - _In_ HANDLE FileHandle, - _Inout_ PULONG NumberCharacters, - _Out_writes_(*NumberCharacters) CHAR *InstanceNames); - - NTSYSAPI - ULONG - NTAPI - WmiFileHandleToInstanceNameW( - _In_ HANDLE DataBlockHandle, - _In_ HANDLE FileHandle, - _Inout_ PULONG NumberCharacters, - _Out_writes_(*NumberCharacters) WCHAR 
*InstanceNames); - - NTSYSAPI - ULONG - NTAPI - WmiDevInstToInstanceNameA( - _Out_writes_opt_(InstanceNameLength) PSTR InstanceName, - _In_ ULONG InstanceNameLength, - _In_ PCSTR DevInst, - _In_ ULONG InstanceIndex); - - NTSYSAPI - ULONG - NTAPI - WmiDevInstToInstanceNameW( - _Out_writes_opt_(InstanceNameLength) PWSTR InstanceName, - _In_ ULONG InstanceNameLength, - _In_ PCWSTR DevInst, - _In_ ULONG InstanceIndex); - - typedef struct _WMIGUIDINFORMATION - { - ULONG Size; - BOOLEAN IsExpensive; - BOOLEAN IsEventOnly; - } WMIGUIDINFORMATION, *PWMIGUIDINFORMATION; - - NTSYSAPI - ULONG - NTAPI - WmiQueryGuidInformation( - _In_ HANDLE GuidHandle, - _Out_ PWMIGUIDINFORMATION GuidInfo); - - NTSYSAPI - ULONG - NTAPI - WmiReceiveNotificationsW( - _In_ ULONG HandleCount, - _In_reads_(HandleCount) PHANDLE HandleList, - _In_ NOTIFICATIONCALLBACK Callback, - _In_ ULONG_PTR DeliveryContext); - - NTSYSAPI - ULONG - NTAPI - WmiReceiveNotificationsA( - _In_ ULONG HandleCount, - _In_reads_(HandleCount) PHANDLE HandleList, - _In_ NOTIFICATIONCALLBACK Callback, - _In_ ULONG_PTR DeliveryContext); - -#ifdef UNICODE -#define WmiQuerySingleInstanceMultiple WmiQuerySingleInstanceMultipleW -#define WmiSetSingleInstance WmiSetSingleInstanceW -#define WmiSetSingleItem WmiSetSingleItemW -#define WmiNotificationRegistration WmiNotificationRegistrationW -#define WmiMofEnumerateResources WmiMofEnumerateResourcesW -#define WmiExecuteMethod WmiExecuteMethodW -#define WmiFileHandleToInstanceName WmiFileHandleToInstanceNameW -#define WmiDevInstToInstanceName WmiDevInstToInstanceNameW -#define WmiReceiveNotifications WmiReceiveNotificationsW -#else -#define WmiQuerySingleInstanceMultiple WmiQuerySingleInstanceMultipleA -#define WmiSetSingleInstance WmiSetSingleInstanceA -#define WmiSetSingleItem WmiSetSingleItemA -#define WmiNotificationRegistration WmiNotificationRegistrationA -#define WmiMofEnumerateResources WmiMofEnumerateResourcesA -#define WmiExecuteMethod WmiExecuteMethodA -#define 
WmiFileHandleToInstanceName WmiFileHandleToInstanceNameA -#define WmiDevInstToInstanceName WmiDevInstToInstanceNameA -#define WmiReceiveNotifications WmiReceiveNotificationsA -#endif - -#define WmiInsertTimestamp(WnodeHeader) \ - GetSystemTimeAsFileTime((PFILETIME) & ((PWNODE_HEADER)(WnodeHeader))->TimeStamp) - - NTSYSAPI - VOID - NTAPI - WmiFreeBuffer( - _In_ PVOID Buffer); - - EXTERN_C_END - -#endif -#ifndef _NTZWAPI_H -#define _NTZWAPI_H - - // This file was automatically generated. Do not edit. - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAcceptConnectPort( - _Out_ PHANDLE PortHandle, - _In_opt_ PVOID PortContext, - _In_ PPORT_MESSAGE ConnectionRequest, - _In_ BOOLEAN AcceptConnection, - _Inout_opt_ PPORT_VIEW ServerView, - _Out_opt_ PREMOTE_PORT_VIEW ClientView); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAccessCheck( - _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, - _In_ HANDLE ClientToken, - _In_ ACCESS_MASK DesiredAccess, - _In_ PGENERIC_MAPPING GenericMapping, - _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet, - _Inout_ PULONG PrivilegeSetLength, - _Out_ PACCESS_MASK GrantedAccess, - _Out_ PNTSTATUS AccessStatus); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAccessCheckAndAuditAlarm( - _In_ PUNICODE_STRING SubsystemName, - _In_opt_ PVOID HandleId, - _In_ PUNICODE_STRING ObjectTypeName, - _In_ PUNICODE_STRING ObjectName, - _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, - _In_ ACCESS_MASK DesiredAccess, - _In_ PGENERIC_MAPPING GenericMapping, - _In_ BOOLEAN ObjectCreation, - _Out_ PACCESS_MASK GrantedAccess, - _Out_ PNTSTATUS AccessStatus, - _Out_ PBOOLEAN GenerateOnClose); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAccessCheckByType( - _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, - _In_opt_ PSID PrincipalSelfSid, - _In_ HANDLE ClientToken, - _In_ ACCESS_MASK DesiredAccess, - _In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, - _In_ ULONG ObjectTypeListLength, - _In_ PGENERIC_MAPPING GenericMapping, - 
_Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet, - _Inout_ PULONG PrivilegeSetLength, - _Out_ PACCESS_MASK GrantedAccess, - _Out_ PNTSTATUS AccessStatus); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAccessCheckByTypeAndAuditAlarm( - _In_ PUNICODE_STRING SubsystemName, - _In_opt_ PVOID HandleId, - _In_ PUNICODE_STRING ObjectTypeName, - _In_ PUNICODE_STRING ObjectName, - _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, - _In_opt_ PSID PrincipalSelfSid, - _In_ ACCESS_MASK DesiredAccess, - _In_ AUDIT_EVENT_TYPE AuditType, - _In_ ULONG Flags, - _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, - _In_ ULONG ObjectTypeListLength, - _In_ PGENERIC_MAPPING GenericMapping, - _In_ BOOLEAN ObjectCreation, - _Out_ PACCESS_MASK GrantedAccess, - _Out_ PNTSTATUS AccessStatus, - _Out_ PBOOLEAN GenerateOnClose); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAccessCheckByTypeResultList( - _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, - _In_opt_ PSID PrincipalSelfSid, - _In_ HANDLE ClientToken, - _In_ ACCESS_MASK DesiredAccess, - _In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, - _In_ ULONG ObjectTypeListLength, - _In_ PGENERIC_MAPPING GenericMapping, - _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet, - _Inout_ PULONG PrivilegeSetLength, - _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess, - _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAccessCheckByTypeResultListAndAuditAlarm( - _In_ PUNICODE_STRING SubsystemName, - _In_opt_ PVOID HandleId, - _In_ PUNICODE_STRING ObjectTypeName, - _In_ PUNICODE_STRING ObjectName, - _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, - _In_opt_ PSID PrincipalSelfSid, - _In_ ACCESS_MASK DesiredAccess, - _In_ AUDIT_EVENT_TYPE AuditType, - _In_ ULONG Flags, - _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, - _In_ ULONG ObjectTypeListLength, - _In_ PGENERIC_MAPPING GenericMapping, - _In_ BOOLEAN 
ObjectCreation, - _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess, - _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus, - _Out_ PBOOLEAN GenerateOnClose); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAccessCheckByTypeResultListAndAuditAlarmByHandle( - _In_ PUNICODE_STRING SubsystemName, - _In_opt_ PVOID HandleId, - _In_ HANDLE ClientToken, - _In_ PUNICODE_STRING ObjectTypeName, - _In_ PUNICODE_STRING ObjectName, - _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, - _In_opt_ PSID PrincipalSelfSid, - _In_ ACCESS_MASK DesiredAccess, - _In_ AUDIT_EVENT_TYPE AuditType, - _In_ ULONG Flags, - _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, - _In_ ULONG ObjectTypeListLength, - _In_ PGENERIC_MAPPING GenericMapping, - _In_ BOOLEAN ObjectCreation, - _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess, - _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus, - _Out_ PBOOLEAN GenerateOnClose); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAcquireCMFViewOwnership( - _Out_ PULONGLONG TimeStamp, - _Out_ PBOOLEAN tokenTaken, - _In_ BOOLEAN replaceExisting); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAcquireCrossVmMutant( - _In_ HANDLE CrossVmMutant, - _In_ PLARGE_INTEGER Timeout); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAcquireProcessActivityReference( - _Out_ PHANDLE ActivityReferenceHandle, - _In_ HANDLE ParentProcessHandle, - _Reserved_ PROCESS_ACTIVITY_TYPE Reserved); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAddAtom( - _In_reads_bytes_opt_(Length) PCWSTR AtomName, - _In_ ULONG Length, - _Out_opt_ PRTL_ATOM Atom); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAddAtomEx( - _In_reads_bytes_opt_(Length) PCWSTR AtomName, - _In_ ULONG Length, - _Out_opt_ PRTL_ATOM Atom, - _In_ ULONG Flags); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAddBootEntry( - _In_ PBOOT_ENTRY BootEntry, - _Out_opt_ PULONG Id); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAddDriverEntry( - _In_ PEFI_DRIVER_ENTRY DriverEntry, - _Out_opt_ PULONG Id); - - NTSYSCALLAPI - NTSTATUS - NTAPI - 
ZwAdjustGroupsToken( - _In_ HANDLE TokenHandle, - _In_ BOOLEAN ResetToDefault, - _In_opt_ PTOKEN_GROUPS NewState, - _In_opt_ ULONG BufferLength, - _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_GROUPS PreviousState, - _Out_opt_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAdjustPrivilegesToken( - _In_ HANDLE TokenHandle, - _In_ BOOLEAN DisableAllPrivileges, - _In_opt_ PTOKEN_PRIVILEGES NewState, - _In_ ULONG BufferLength, - _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_PRIVILEGES PreviousState, - _Out_opt_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAdjustTokenClaimsAndDeviceGroups( - _In_ HANDLE TokenHandle, - _In_ BOOLEAN UserResetToDefault, - _In_ BOOLEAN DeviceResetToDefault, - _In_ BOOLEAN DeviceGroupsResetToDefault, - _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewUserState, - _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewDeviceState, - _In_opt_ PTOKEN_GROUPS NewDeviceGroupsState, - _In_ ULONG UserBufferLength, - _Out_writes_bytes_to_opt_(UserBufferLength, *UserReturnLength) PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousUserState, - _In_ ULONG DeviceBufferLength, - _Out_writes_bytes_to_opt_(DeviceBufferLength, *DeviceReturnLength) PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousDeviceState, - _In_ ULONG DeviceGroupsBufferLength, - _Out_writes_bytes_to_opt_(DeviceGroupsBufferLength, *DeviceGroupsReturnBufferLength) PTOKEN_GROUPS PreviousDeviceGroups, - _Out_opt_ PULONG UserReturnLength, - _Out_opt_ PULONG DeviceReturnLength, - _Out_opt_ PULONG DeviceGroupsReturnBufferLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAlertMultipleThreadByThreadId( - _In_ PHANDLE MultipleThreadId, - _In_ ULONG Count, - _In_ PVOID Boost, - _In_ ULONG BoostCount); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAlertResumeThread( - _In_ HANDLE ThreadHandle, - _Out_opt_ PULONG PreviousSuspendCount); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAlertThread( - _In_ HANDLE ThreadHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - 
ZwAlertThreadByThreadId( - _In_ HANDLE ThreadId); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAlertThreadByThreadIdEx( - _In_ HANDLE ThreadId, - _In_opt_ PRTL_SRWLOCK Lock); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAllocateLocallyUniqueId( - _Out_ PLUID Luid); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAllocateReserveObject( - _Out_ PHANDLE MemoryReserveHandle, - _In_ PCOBJECT_ATTRIBUTES ObjectAttributes, - _In_ MEMORY_RESERVE_TYPE Type); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAllocateUserPhysicalPages( - _In_ HANDLE ProcessHandle, - _Inout_ PSIZE_T NumberOfPages, - _Out_writes_(*NumberOfPages) PULONG_PTR UserPfnArray); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAllocateUserPhysicalPagesEx( - _In_ HANDLE ProcessHandle, - _Inout_ PULONG_PTR NumberOfPages, - _Out_writes_(*NumberOfPages) PULONG_PTR UserPfnArray, - _Inout_updates_opt_(ExtendedParameterCount) PMEM_EXTENDED_PARAMETER ExtendedParameters, - _In_ ULONG ExtendedParameterCount); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAllocateUuids( - _Out_ PULARGE_INTEGER Time, - _Out_ PULONG Range, - _Out_ PULONG Sequence, - _Out_ PCHAR Seed); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAllocateVirtualMemory( - _In_ HANDLE ProcessHandle, - _Inout_ _At_(*BaseAddress, _Readable_bytes_(*RegionSize) _Writable_bytes_(*RegionSize) _Post_readable_byte_size_(*RegionSize)) PVOID *BaseAddress, - _In_ ULONG_PTR ZeroBits, - _Inout_ PSIZE_T RegionSize, - _In_ ULONG AllocationType, - _In_ ULONG PageProtection); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAllocateVirtualMemoryEx( - _In_ HANDLE ProcessHandle, - _Inout_ _At_(*BaseAddress, _Readable_bytes_(*RegionSize) _Writable_bytes_(*RegionSize) _Post_readable_byte_size_(*RegionSize)) PVOID *BaseAddress, - _Inout_ PSIZE_T RegionSize, - _In_ ULONG AllocationType, - _In_ ULONG PageProtection, - _Inout_updates_opt_(ExtendedParameterCount) PMEM_EXTENDED_PARAMETER ExtendedParameters, - _In_ ULONG ExtendedParameterCount); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAlpcAcceptConnectPort( - _Out_ PHANDLE PortHandle, 
- _In_ HANDLE ConnectionPortHandle, - _In_ ULONG Flags, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ PALPC_PORT_ATTRIBUTES PortAttributes, - _In_opt_ PVOID PortContext, - _In_reads_bytes_(ConnectionRequest->u1.s1.TotalLength) PPORT_MESSAGE ConnectionRequest, - _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES ConnectionMessageAttributes, - _In_ BOOLEAN AcceptConnection); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAlpcCancelMessage( - _In_ HANDLE PortHandle, - _In_ ULONG Flags, - _In_ PALPC_CONTEXT_ATTR MessageContext); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAlpcConnectPort( - _Out_ PHANDLE PortHandle, - _In_ PUNICODE_STRING PortName, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ PALPC_PORT_ATTRIBUTES PortAttributes, - _In_ ULONG Flags, - _In_opt_ PSID RequiredServerSid, - _Inout_updates_bytes_to_opt_(*BufferLength, *BufferLength) PPORT_MESSAGE ConnectionMessage, - _Inout_opt_ PSIZE_T BufferLength, - _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes, - _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES InMessageAttributes, - _In_opt_ PLARGE_INTEGER Timeout); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAlpcConnectPortEx( - _Out_ PHANDLE PortHandle, - _In_ POBJECT_ATTRIBUTES ConnectionPortObjectAttributes, - _In_opt_ POBJECT_ATTRIBUTES ClientPortObjectAttributes, - _In_opt_ PALPC_PORT_ATTRIBUTES PortAttributes, - _In_ ULONG Flags, - _In_opt_ PSECURITY_DESCRIPTOR ServerSecurityRequirements, - _Inout_updates_bytes_to_opt_(*BufferLength, *BufferLength) PPORT_MESSAGE ConnectionMessage, - _Inout_opt_ PSIZE_T BufferLength, - _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes, - _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES InMessageAttributes, - _In_opt_ PLARGE_INTEGER Timeout); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAlpcCreatePort( - _Out_ PHANDLE PortHandle, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ PALPC_PORT_ATTRIBUTES PortAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAlpcCreatePortSection( - _In_ HANDLE PortHandle, - _In_ ULONG Flags, - 
_In_opt_ HANDLE SectionHandle, - _In_ SIZE_T SectionSize, - _Out_ PALPC_HANDLE AlpcSectionHandle, - _Out_ PSIZE_T ActualSectionSize); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAlpcCreateResourceReserve( - _In_ HANDLE PortHandle, - _Reserved_ ULONG Flags, - _In_ SIZE_T MessageSize, - _Out_ PALPC_HANDLE ResourceId); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAlpcCreateSectionView( - _In_ HANDLE PortHandle, - _Reserved_ ULONG Flags, - _Inout_ PALPC_DATA_VIEW_ATTR ViewAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAlpcCreateSecurityContext( - _In_ HANDLE PortHandle, - _Reserved_ ULONG Flags, - _Inout_ PALPC_SECURITY_ATTR SecurityAttribute); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAlpcDeletePortSection( - _In_ HANDLE PortHandle, - _Reserved_ ULONG Flags, - _In_ ALPC_HANDLE SectionHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAlpcDeleteResourceReserve( - _In_ HANDLE PortHandle, - _Reserved_ ULONG Flags, - _In_ ALPC_HANDLE ResourceId); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAlpcDeleteSectionView( - _In_ HANDLE PortHandle, - _Reserved_ ULONG Flags, - _In_ PVOID ViewBase); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAlpcDeleteSecurityContext( - _In_ HANDLE PortHandle, - _Reserved_ ULONG Flags, - _In_ ALPC_HANDLE ContextHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAlpcDisconnectPort( - _In_ HANDLE PortHandle, - _In_ ULONG Flags); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAlpcImpersonateClientContainerOfPort( - _In_ HANDLE PortHandle, - _In_ PPORT_MESSAGE Message, - _Reserved_ ULONG Flags); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAlpcImpersonateClientOfPort( - _In_ HANDLE PortHandle, - _In_ PPORT_MESSAGE Message, - _In_ PVOID Flags); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAlpcOpenSenderProcess( - _Out_ PHANDLE ProcessHandle, - _In_ HANDLE PortHandle, - _In_ PPORT_MESSAGE PortMessage, - _Reserved_ ULONG Flags, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAlpcOpenSenderThread( - _Out_ PHANDLE 
ThreadHandle, - _In_ HANDLE PortHandle, - _In_ PPORT_MESSAGE PortMessage, - _Reserved_ ULONG Flags, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAlpcQueryInformation( - _In_opt_ HANDLE PortHandle, - _In_ ALPC_PORT_INFORMATION_CLASS PortInformationClass, - _Inout_updates_bytes_to_(Length, *ReturnLength) PVOID PortInformation, - _In_ ULONG Length, - _Out_opt_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAlpcQueryInformationMessage( - _In_ HANDLE PortHandle, - _In_ PPORT_MESSAGE PortMessage, - _In_ ALPC_MESSAGE_INFORMATION_CLASS MessageInformationClass, - _Out_writes_bytes_to_opt_(Length, *ReturnLength) PVOID MessageInformation, - _In_ ULONG Length, - _Out_opt_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAlpcRevokeSecurityContext( - _In_ HANDLE PortHandle, - _Reserved_ ULONG Flags, - _In_ ALPC_HANDLE ContextHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAlpcSendWaitReceivePort( - _In_ HANDLE PortHandle, - _In_ ULONG Flags, - _In_reads_bytes_opt_(SendMessage->u1.s1.TotalLength) PPORT_MESSAGE SendMessage, - _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES SendMessageAttributes, - _Out_writes_bytes_to_opt_(*BufferLength, *BufferLength) PPORT_MESSAGE ReceiveMessage, - _Inout_opt_ PSIZE_T BufferLength, - _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES ReceiveMessageAttributes, - _In_opt_ PLARGE_INTEGER Timeout); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAlpcSetInformation( - _In_ HANDLE PortHandle, - _In_ ALPC_PORT_INFORMATION_CLASS PortInformationClass, - _In_reads_bytes_opt_(Length) PVOID PortInformation, - _In_ ULONG Length); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAreMappedFilesTheSame( - _In_ PVOID File1MappedAsAnImage, - _In_ PVOID File2MappedAsFile); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAssignProcessToJobObject( - _In_ HANDLE JobHandle, - _In_ HANDLE ProcessHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwAssociateWaitCompletionPacket( - _In_ HANDLE WaitCompletionPacketHandle, - 
_In_ HANDLE IoCompletionHandle, - _In_ HANDLE TargetObjectHandle, - _In_opt_ PVOID KeyContext, - _In_opt_ PVOID ApcContext, - _In_ NTSTATUS IoStatus, - _In_ ULONG_PTR IoStatusInformation, - _Out_opt_ PBOOLEAN AlreadySignaled); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCallbackReturn( - _In_reads_bytes_opt_(OutputLength) PVOID OutputBuffer, - _In_ ULONG OutputLength, - _In_ NTSTATUS Status); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCallEnclave( - _In_ PENCLAVE_ROUTINE Routine, - _In_ PVOID Reserved, // reserved for dispatch (RtlEnclaveCallDispatch) - _In_ ULONG Flags, // ENCLAVE_CALL_FLAG_* - _Inout_ PVOID *RoutineParamReturn // input routine parameter, output routine return value - ); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCancelIoFile( - _In_ HANDLE FileHandle, - _Out_ PIO_STATUS_BLOCK IoStatusBlock); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCancelIoFileEx( - _In_ HANDLE FileHandle, - _In_opt_ PIO_STATUS_BLOCK IoRequestToCancel, - _Out_ PIO_STATUS_BLOCK IoStatusBlock); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCancelSynchronousIoFile( - _In_ HANDLE ThreadHandle, - _In_opt_ PIO_STATUS_BLOCK IoRequestToCancel, - _Out_ PIO_STATUS_BLOCK IoStatusBlock); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCancelTimer( - _In_ HANDLE TimerHandle, - _Out_opt_ PBOOLEAN CurrentState); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCancelTimer2( - _In_ HANDLE TimerHandle, - _In_ PT2_CANCEL_PARAMETERS Parameters); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCancelWaitCompletionPacket( - _In_ HANDLE WaitCompletionPacketHandle, - _In_ BOOLEAN RemoveSignaledPacket); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwChangeProcessState( - _In_ HANDLE ProcessStateChangeHandle, - _In_ HANDLE ProcessHandle, - _In_ PROCESS_STATE_CHANGE_TYPE StateChangeType, - _In_opt_ _Reserved_ PVOID ExtendedInformation, - _In_opt_ _Reserved_ SIZE_T ExtendedInformationLength, - _In_opt_ _Reserved_ ULONG64 Reserved); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwChangeThreadState( - _In_ HANDLE ThreadStateChangeHandle, - _In_ HANDLE 
ThreadHandle, - _In_ THREAD_STATE_CHANGE_TYPE StateChangeType, - _In_opt_ PVOID ExtendedInformation, - _In_opt_ SIZE_T ExtendedInformationLength, - _In_opt_ ULONG64 Reserved); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwClearEvent( - _In_ HANDLE EventHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwClose( - _In_ _Post_ptr_invalid_ HANDLE Handle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCloseObjectAuditAlarm( - _In_ PUNICODE_STRING SubsystemName, - _In_opt_ PVOID HandleId, - _In_ BOOLEAN GenerateOnClose); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCommitComplete( - _In_ HANDLE EnlistmentHandle, - _In_opt_ PLARGE_INTEGER TmVirtualClock); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCommitEnlistment( - _In_ HANDLE EnlistmentHandle, - _In_opt_ PLARGE_INTEGER TmVirtualClock); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCommitTransaction( - _In_ HANDLE TransactionHandle, - _In_ BOOLEAN Wait); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCompactKeys( - _In_ ULONG Count, - _In_reads_(Count) HANDLE KeyArray[]); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCompareObjects( - _In_ HANDLE FirstObjectHandle, - _In_ HANDLE SecondObjectHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCompareSigningLevels( - _In_ SE_SIGNING_LEVEL FirstSigningLevel, - _In_ SE_SIGNING_LEVEL SecondSigningLevel); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCompareTokens( - _In_ HANDLE FirstTokenHandle, - _In_ HANDLE SecondTokenHandle, - _Out_ PBOOLEAN Equal); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCompleteConnectPort( - _In_ HANDLE PortHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCompressKey( - _In_ HANDLE KeyHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwConnectPort( - _Out_ PHANDLE PortHandle, - _In_ PUNICODE_STRING PortName, - _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos, - _Inout_opt_ PPORT_VIEW ClientView, - _Inout_opt_ PREMOTE_PORT_VIEW ServerView, - _Out_opt_ PULONG MaxMessageLength, - _Inout_updates_bytes_to_opt_(*ConnectionInformationLength, *ConnectionInformationLength) PVOID ConnectionInformation, - _Inout_opt_ 
PULONG ConnectionInformationLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwContinue( - _In_ PCONTEXT ContextRecord, - _In_ BOOLEAN TestAlert); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwContinueEx( - _In_ PCONTEXT ContextRecord, - _In_ PVOID ContinueArgument // PKCONTINUE_ARGUMENT and BOOLEAN are valid - ); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwConvertBetweenAuxiliaryCounterAndPerformanceCounter( - _In_ BOOLEAN ConvertAuxiliaryToPerformanceCounter, - _In_ PULONG64 PerformanceOrAuxiliaryCounterValue, - _Out_ PULONG64 ConvertedValue, - _Out_opt_ PULONG64 ConversionError); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCopyFileChunk( - _In_ HANDLE SourceHandle, - _In_ HANDLE DestinationHandle, - _In_opt_ HANDLE EventHandle, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_ ULONG Length, - _In_ PLARGE_INTEGER SourceOffset, - _In_ PLARGE_INTEGER DestOffset, - _In_opt_ PULONG SourceKey, - _In_opt_ PULONG DestKey, - _In_ ULONG Flags); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateCpuPartition( - _Out_ PHANDLE CpuPartitionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateCrossVmEvent( - _Out_ PHANDLE CrossVmEvent, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ ULONG CrossVmEventFlags, - _In_ LPCGUID VMID, - _In_ LPCGUID ServiceID); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateCrossVmMutant( - _Out_ PHANDLE EventHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ ULONG CrossVmEventFlags, - _In_ LPCGUID VMID, - _In_ LPCGUID ServiceID); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateDebugObject( - _Out_ PHANDLE DebugObjectHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ ULONG Flags); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateDirectoryObject( - _Out_ PHANDLE DirectoryHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes); - - 
NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateDirectoryObjectEx( - _Out_ PHANDLE DirectoryHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ HANDLE ShadowDirectoryHandle, - _In_ ULONG Flags); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateEnclave( - _In_ HANDLE ProcessHandle, - _Inout_ PVOID *BaseAddress, - _In_ ULONG_PTR ZeroBits, - _In_ SIZE_T Size, - _In_ SIZE_T InitialCommitment, - _In_ ULONG EnclaveType, - _In_reads_bytes_(EnclaveInformationLength) PVOID EnclaveInformation, - _In_ ULONG EnclaveInformationLength, - _Out_opt_ PULONG EnclaveError); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateEnlistment( - _Out_ PHANDLE EnlistmentHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ HANDLE ResourceManagerHandle, - _In_ HANDLE TransactionHandle, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ ULONG CreateOptions, - _In_ NOTIFICATION_MASK NotificationMask, - _In_opt_ PVOID EnlistmentKey); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateEvent( - _Out_ PHANDLE EventHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ EVENT_TYPE EventType, - _In_ BOOLEAN InitialState); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateEventPair( - _Out_ PHANDLE EventPairHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateFile( - _Out_ PHANDLE FileHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_opt_ PLARGE_INTEGER AllocationSize, - _In_ ULONG FileAttributes, - _In_ ULONG ShareAccess, - _In_ ULONG CreateDisposition, - _In_ ULONG CreateOptions, - _In_reads_bytes_opt_(EaLength) PVOID EaBuffer, - _In_ ULONG EaLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateIoCompletion( - _Out_ PHANDLE IoCompletionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ ULONG NumberOfConcurrentThreads); - - 
NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateIoRing( - _Out_ PHANDLE IoRingHandle, - _In_ ULONG CreateParametersLength, - _In_ PVOID CreateParameters, - _In_ ULONG OutputParametersLength, - _Out_ PVOID OutputParameters); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateIRTimer( - _Out_ PHANDLE TimerHandle, - _In_ PVOID Reserved, - _In_ ACCESS_MASK DesiredAccess); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateJobObject( - _Out_ PHANDLE JobHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateJobSet( - _In_ ULONG NumJob, - _In_reads_(NumJob) PJOB_SET_ARRAY UserJobSet, - _In_ ULONG Flags); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateKey( - _Out_ PHANDLE KeyHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _Reserved_ ULONG TitleIndex, - _In_opt_ PUNICODE_STRING Class, - _In_ ULONG CreateOptions, - _Out_opt_ PULONG Disposition); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateKeyedEvent( - _Out_ PHANDLE KeyedEventHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, - _Reserved_ ULONG Flags); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateKeyTransacted( - _Out_ PHANDLE KeyHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _Reserved_ ULONG TitleIndex, - _In_opt_ PUNICODE_STRING Class, - _In_ ULONG CreateOptions, - _In_ HANDLE TransactionHandle, - _Out_opt_ PULONG Disposition); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateLowBoxToken( - _Out_ PHANDLE TokenHandle, - _In_ HANDLE ExistingTokenHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ PSID PackageSid, - _In_ ULONG CapabilityCount, - _In_reads_opt_(CapabilityCount) PSID_AND_ATTRIBUTES Capabilities, - _In_ ULONG HandleCount, - _In_reads_opt_(HandleCount) HANDLE *Handles); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateMailslotFile( - _Out_ PHANDLE FileHandle, - _In_ ACCESS_MASK 
DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_ ULONG CreateOptions, - _In_ ULONG MailslotQuota, - _In_ ULONG MaximumMessageSize, - _In_ PLARGE_INTEGER ReadTimeout); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateMutant( - _Out_ PHANDLE MutantHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, - _In_ BOOLEAN InitialOwner); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateNamedPipeFile( - _Out_ PHANDLE FileHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_ ULONG ShareAccess, - _In_ ULONG CreateDisposition, - _In_ ULONG CreateOptions, - _In_ ULONG NamedPipeType, - _In_ ULONG ReadMode, - _In_ ULONG CompletionMode, - _In_ ULONG MaximumInstances, - _In_ ULONG InboundQuota, - _In_ ULONG OutboundQuota, - _In_ PLARGE_INTEGER DefaultTimeout); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreatePagingFile( - _In_ PUNICODE_STRING PageFileName, - _In_ PLARGE_INTEGER MinimumSize, - _In_ PLARGE_INTEGER MaximumSize, - _In_ ULONG Priority); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreatePartition( - _In_opt_ HANDLE ParentPartitionHandle, - _Out_ PHANDLE PartitionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, - _In_ ULONG PreferredNode); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreatePort( - _Out_ PHANDLE PortHandle, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ ULONG MaxConnectionInfoLength, - _In_ ULONG MaxMessageLength, - _In_opt_ ULONG MaxPoolUsage); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreatePrivateNamespace( - _Out_ PHANDLE NamespaceHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ POBJECT_BOUNDARY_DESCRIPTOR BoundaryDescriptor); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateProcess( - _Out_ PHANDLE ProcessHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, - _In_ HANDLE 
ParentProcess, - _In_ BOOLEAN InheritObjectTable, - _In_opt_ HANDLE SectionHandle, - _In_opt_ HANDLE DebugPort, - _In_opt_ HANDLE TokenHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateProcessEx( - _Out_ PHANDLE ProcessHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, - _In_ HANDLE ParentProcess, - _In_ ULONG Flags, // PROCESS_CREATE_FLAGS_* - _In_opt_ HANDLE SectionHandle, - _In_opt_ HANDLE DebugPort, - _In_opt_ HANDLE TokenHandle, - _Reserved_ ULONG Reserved // JobMemberLevel - ); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateProcessStateChange( - _Out_ PHANDLE ProcessStateChangeHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, - _In_ HANDLE ProcessHandle, - _In_opt_ _Reserved_ ULONG64 Reserved); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateProfile( - _Out_ PHANDLE ProfileHandle, - _In_opt_ HANDLE Process, - _In_ PVOID ProfileBase, - _In_ SIZE_T ProfileSize, - _In_ ULONG BucketSize, - _In_reads_bytes_(BufferSize) PULONG Buffer, - _In_ ULONG BufferSize, - _In_ KPROFILE_SOURCE ProfileSource, - _In_ KAFFINITY Affinity); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateProfileEx( - _Out_ PHANDLE ProfileHandle, - _In_opt_ HANDLE Process, - _In_ PVOID ProfileBase, - _In_ SIZE_T ProfileSize, - _In_ ULONG BucketSize, - _In_reads_bytes_(BufferSize) PULONG Buffer, - _In_ ULONG BufferSize, - _In_ KPROFILE_SOURCE ProfileSource, - _In_ USHORT GroupCount, - _In_reads_(GroupCount) PGROUP_AFFINITY GroupAffinity); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateResourceManager( - _Out_ PHANDLE ResourceManagerHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ HANDLE TmHandle, - _In_ LPGUID RmGuid, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ ULONG CreateOptions, - _In_opt_ PUNICODE_STRING Description); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateSection( - _Out_ PHANDLE SectionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ 
PLARGE_INTEGER MaximumSize, - _In_ ULONG SectionPageProtection, - _In_ ULONG AllocationAttributes, - _In_opt_ HANDLE FileHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateSectionEx( - _Out_ PHANDLE SectionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ PLARGE_INTEGER MaximumSize, - _In_ ULONG SectionPageProtection, - _In_ ULONG AllocationAttributes, - _In_opt_ HANDLE FileHandle, - _Inout_updates_opt_(ExtendedParameterCount) PMEM_EXTENDED_PARAMETER ExtendedParameters, - _In_ ULONG ExtendedParameterCount); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateSemaphore( - _Out_ PHANDLE SemaphoreHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, - _In_ LONG InitialCount, - _In_ LONG MaximumCount); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateSymbolicLinkObject( - _Out_ PHANDLE LinkHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ PUNICODE_STRING LinkTarget); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateThread( - _Out_ PHANDLE ThreadHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, - _In_ HANDLE ProcessHandle, - _Out_ PCLIENT_ID ClientId, - _In_ PCONTEXT ThreadContext, - _In_ PINITIAL_TEB InitialTeb, - _In_ BOOLEAN CreateSuspended); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateThreadEx( - _Out_ PHANDLE ThreadHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, - _In_ HANDLE ProcessHandle, - _In_ PUSER_THREAD_START_ROUTINE StartRoutine, - _In_opt_ PVOID Argument, - _In_ ULONG CreateFlags, // THREAD_CREATE_FLAGS_* - _In_ SIZE_T ZeroBits, - _In_ SIZE_T StackSize, - _In_ SIZE_T MaximumStackSize, - _In_opt_ PPS_ATTRIBUTE_LIST AttributeList); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateThreadStateChange( - _Out_ PHANDLE ThreadStateChangeHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, - _In_ HANDLE ThreadHandle, - 
_In_opt_ ULONG64 Reserved); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateTimer( - _Out_ PHANDLE TimerHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, - _In_ TIMER_TYPE TimerType); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateTimer2( - _Out_ PHANDLE TimerHandle, - _In_opt_ PVOID Reserved1, - _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, - _In_ ULONG Attributes, // TIMER_TYPE - _In_ ACCESS_MASK DesiredAccess); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateToken( - _Out_ PHANDLE TokenHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ TOKEN_TYPE Type, - _In_ PLUID AuthenticationId, - _In_ PLARGE_INTEGER ExpirationTime, - _In_ PTOKEN_USER User, - _In_ PTOKEN_GROUPS Groups, - _In_ PTOKEN_PRIVILEGES Privileges, - _In_opt_ PTOKEN_OWNER Owner, - _In_ PTOKEN_PRIMARY_GROUP PrimaryGroup, - _In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl, - _In_ PTOKEN_SOURCE Source); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateTokenEx( - _Out_ PHANDLE TokenHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ TOKEN_TYPE Type, - _In_ PLUID AuthenticationId, - _In_ PLARGE_INTEGER ExpirationTime, - _In_ PTOKEN_USER User, - _In_ PTOKEN_GROUPS Groups, - _In_ PTOKEN_PRIVILEGES Privileges, - _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION UserAttributes, - _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION DeviceAttributes, - _In_opt_ PTOKEN_GROUPS DeviceGroups, - _In_opt_ PTOKEN_MANDATORY_POLICY MandatoryPolicy, - _In_opt_ PTOKEN_OWNER Owner, - _In_ PTOKEN_PRIMARY_GROUP PrimaryGroup, - _In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl, - _In_ PTOKEN_SOURCE Source); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateTransaction( - _Out_ PHANDLE TransactionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ LPGUID Uow, - _In_opt_ HANDLE TmHandle, - _In_opt_ ULONG CreateOptions, - _In_opt_ ULONG IsolationLevel, - _In_opt_ ULONG IsolationFlags, 
- _In_opt_ PLARGE_INTEGER Timeout, - _In_opt_ PUNICODE_STRING Description); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateTransactionManager( - _Out_ PHANDLE TmHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ PUNICODE_STRING LogFileName, - _In_opt_ ULONG CreateOptions, - _In_opt_ ULONG CommitStrength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateUserProcess( - _Out_ PHANDLE ProcessHandle, - _Out_ PHANDLE ThreadHandle, - _In_ ACCESS_MASK ProcessDesiredAccess, - _In_ ACCESS_MASK ThreadDesiredAccess, - _In_opt_ PCOBJECT_ATTRIBUTES ProcessObjectAttributes, - _In_opt_ PCOBJECT_ATTRIBUTES ThreadObjectAttributes, - _In_ ULONG ProcessFlags, // PROCESS_CREATE_FLAGS_* - _In_ ULONG ThreadFlags, // THREAD_CREATE_FLAGS_* - _In_opt_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters, - _Inout_ PPS_CREATE_INFO CreateInfo, - _In_opt_ PPS_ATTRIBUTE_LIST AttributeList); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateWaitablePort( - _Out_ PHANDLE PortHandle, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ ULONG MaxConnectionInfoLength, - _In_ ULONG MaxMessageLength, - _In_opt_ ULONG MaxPoolUsage); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateWaitCompletionPacket( - _Out_ PHANDLE WaitCompletionPacketHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateWnfStateName( - _Out_ PWNF_STATE_NAME StateName, - _In_ WNF_STATE_NAME_LIFETIME NameLifetime, - _In_ WNF_DATA_SCOPE DataScope, - _In_ BOOLEAN PersistData, - _In_opt_ PCWNF_TYPE_ID TypeId, - _In_ ULONG MaximumStateSize, - _In_ PSECURITY_DESCRIPTOR SecurityDescriptor); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwCreateWorkerFactory( - _Out_ PHANDLE WorkerFactoryHandleReturn, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, - _In_ HANDLE CompletionPortHandle, - _In_ HANDLE WorkerProcessHandle, - _In_ PVOID StartRoutine, - _In_opt_ PVOID StartParameter, - _In_opt_ ULONG 
MaxThreadCount, - _In_opt_ SIZE_T StackReserve, - _In_opt_ SIZE_T StackCommit); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwDebugActiveProcess( - _In_ HANDLE ProcessHandle, - _In_ HANDLE DebugObjectHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwDebugContinue( - _In_ HANDLE DebugObjectHandle, - _In_ PCLIENT_ID ClientId, - _In_ NTSTATUS ContinueStatus); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwDelayExecution( - _In_ BOOLEAN Alertable, - _In_ PLARGE_INTEGER DelayInterval); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwDeleteAtom( - _In_ RTL_ATOM Atom); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwDeleteBootEntry( - _In_ ULONG Id); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwDeleteDriverEntry( - _In_ ULONG Id); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwDeleteFile( - _In_ POBJECT_ATTRIBUTES ObjectAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwDeleteKey( - _In_ HANDLE KeyHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwDeleteObjectAuditAlarm( - _In_ PUNICODE_STRING SubsystemName, - _In_opt_ PVOID HandleId, - _In_ BOOLEAN GenerateOnClose); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwDeletePrivateNamespace( - _In_ HANDLE NamespaceHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwDeleteValueKey( - _In_ HANDLE KeyHandle, - _In_ PUNICODE_STRING ValueName); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwDeleteWnfStateData( - _In_ PCWNF_STATE_NAME StateName, - _In_opt_ const VOID *ExplicitScope); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwDeleteWnfStateName( - _In_ PCWNF_STATE_NAME StateName); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwDeviceIoControlFile( - _In_ HANDLE FileHandle, - _In_opt_ HANDLE Event, - _In_opt_ PIO_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_ ULONG IoControlCode, - _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, - _In_ ULONG InputBufferLength, - _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer, - _In_ ULONG OutputBufferLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwDirectGraphicsCall( - _In_ ULONG 
InputBufferLength, - _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, - _In_ ULONG OutputBufferLength, - _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer, - _Out_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwDisableLastKnownGood( - VOID); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwDisplayString( - _In_ PUNICODE_STRING String); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwDrawText( - _In_ PUNICODE_STRING Text); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwDuplicateObject( - _In_ HANDLE SourceProcessHandle, - _In_ HANDLE SourceHandle, - _In_opt_ HANDLE TargetProcessHandle, - _Out_opt_ PHANDLE TargetHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ ULONG HandleAttributes, - _In_ ULONG Options); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwDuplicateToken( - _In_ HANDLE ExistingTokenHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ BOOLEAN EffectiveOnly, - _In_ TOKEN_TYPE Type, - _Out_ PHANDLE NewTokenHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwEnableLastKnownGood( - VOID); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwEnumerateBootEntries( - _Out_writes_bytes_opt_(*BufferLength) PVOID Buffer, - _Inout_ PULONG BufferLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwEnumerateDriverEntries( - _Out_writes_bytes_opt_(*BufferLength) PVOID Buffer, - _Inout_ PULONG BufferLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwEnumerateKey( - _In_ HANDLE KeyHandle, - _In_ ULONG Index, - _In_ KEY_INFORMATION_CLASS KeyInformationClass, - _Out_writes_bytes_to_opt_(Length, *ResultLength) PVOID KeyInformation, - _In_ ULONG Length, - _Out_ PULONG ResultLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwEnumerateSystemEnvironmentValuesEx( - _In_ ULONG InformationClass, // SYSTEM_ENVIRONMENT_INFORMATION_CLASS - _Out_ PVOID Buffer, - _Inout_ PULONG BufferLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwEnumerateTransactionObject( - _In_opt_ HANDLE RootObjectHandle, - _In_ KTMOBJECT_TYPE QueryType, - 
_Inout_updates_bytes_(ObjectCursorLength) PKTMOBJECT_CURSOR ObjectCursor, - _In_ ULONG ObjectCursorLength, - _Out_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwEnumerateValueKey( - _In_ HANDLE KeyHandle, - _In_ ULONG Index, - _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, - _Out_writes_bytes_to_opt_(Length, *ResultLength) PVOID KeyValueInformation, - _In_ ULONG Length, - _Out_ PULONG ResultLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwExtendSection( - _In_ HANDLE SectionHandle, - _Inout_ PLARGE_INTEGER NewSectionSize); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwFilterBootOption( - _In_ FILTER_BOOT_OPTION_OPERATION FilterOperation, - _In_ ULONG ObjectType, - _In_ ULONG ElementType, - _In_reads_bytes_opt_(DataSize) PVOID Data, - _In_ ULONG DataSize); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwFilterToken( - _In_ HANDLE ExistingTokenHandle, - _In_ ULONG Flags, - _In_opt_ PTOKEN_GROUPS SidsToDisable, - _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete, - _In_opt_ PTOKEN_GROUPS RestrictedSids, - _Out_ PHANDLE NewTokenHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwFilterTokenEx( - _In_ HANDLE ExistingTokenHandle, - _In_ ULONG Flags, - _In_opt_ PTOKEN_GROUPS SidsToDisable, - _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete, - _In_opt_ PTOKEN_GROUPS RestrictedSids, - _In_ ULONG DisableUserClaimsCount, - _In_opt_ PUNICODE_STRING UserClaimsToDisable, - _In_ ULONG DisableDeviceClaimsCount, - _In_opt_ PUNICODE_STRING DeviceClaimsToDisable, - _In_opt_ PTOKEN_GROUPS DeviceGroupsToDisable, - _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedUserAttributes, - _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedDeviceAttributes, - _In_opt_ PTOKEN_GROUPS RestrictedDeviceGroups, - _Out_ PHANDLE NewTokenHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwFindAtom( - _In_reads_bytes_opt_(Length) PCWSTR AtomName, - _In_ ULONG Length, - _Out_opt_ PRTL_ATOM Atom); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwFlushBuffersFile( - _In_ HANDLE FileHandle, - _Out_ 
PIO_STATUS_BLOCK IoStatusBlock); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwFlushBuffersFileEx( - _In_ HANDLE FileHandle, - _In_ ULONG Flags, - _In_reads_bytes_(ParametersSize) PVOID Parameters, - _In_ ULONG ParametersSize, - _Out_ PIO_STATUS_BLOCK IoStatusBlock); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwFlushInstallUILanguage( - _In_ LANGID InstallUILanguage, - _In_ ULONG SetComittedFlag); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwFlushInstructionCache( - _In_ HANDLE ProcessHandle, - _In_opt_ PVOID BaseAddress, - _In_ SIZE_T Length); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwFlushKey( - _In_ HANDLE KeyHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwFlushProcessWriteBuffers( - VOID); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwFlushVirtualMemory( - _In_ HANDLE ProcessHandle, - _Inout_ PVOID *BaseAddress, - _Inout_ PSIZE_T RegionSize, - _Out_ PIO_STATUS_BLOCK IoStatus); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwFlushWriteBuffer( - VOID); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwFreeUserPhysicalPages( - _In_ HANDLE ProcessHandle, - _Inout_ PULONG_PTR NumberOfPages, - _In_reads_(*NumberOfPages) PULONG_PTR UserPfnArray); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwFreeVirtualMemory( - _In_ HANDLE ProcessHandle, - _Inout_ PVOID *BaseAddress, - _Inout_ PSIZE_T RegionSize, - _In_ ULONG FreeType); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwFreezeRegistry( - _In_ ULONG TimeOutInSeconds); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwFreezeTransactions( - _In_ PLARGE_INTEGER FreezeTimeout, - _In_ PLARGE_INTEGER ThawTimeout); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwFsControlFile( - _In_ HANDLE FileHandle, - _In_opt_ HANDLE Event, - _In_opt_ PIO_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_ ULONG FsControlCode, - _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, - _In_ ULONG InputBufferLength, - _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer, - _In_ ULONG OutputBufferLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - 
ZwGetCachedSigningLevel( - _In_ HANDLE File, - _Out_ PULONG Flags, - _Out_ PSE_SIGNING_LEVEL SigningLevel, - _Out_writes_bytes_to_opt_(*ThumbprintSize, *ThumbprintSize) PUCHAR Thumbprint, - _Inout_opt_ PULONG ThumbprintSize, - _Out_opt_ PULONG ThumbprintAlgorithm); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwGetCompleteWnfStateSubscription( - _In_opt_ PWNF_STATE_NAME OldDescriptorStateName, - _In_opt_ ULONG64 *OldSubscriptionId, - _In_opt_ ULONG OldDescriptorEventMask, - _In_opt_ ULONG OldDescriptorStatus, - _Out_writes_bytes_(DescriptorSize) PWNF_DELIVERY_DESCRIPTOR NewDeliveryDescriptor, - _In_ ULONG DescriptorSize); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwGetContextThread( - _In_ HANDLE ThreadHandle, - _Inout_ PCONTEXT ThreadContext); - - NTSYSCALLAPI - ULONG - NTAPI - ZwGetCurrentProcessorNumber( - VOID); - - NTSYSCALLAPI - ULONG - NTAPI - ZwGetCurrentProcessorNumberEx( - _Out_opt_ PPROCESSOR_NUMBER ProcessorNumber); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwGetDevicePowerState( - _In_ HANDLE Device, - _Out_ PDEVICE_POWER_STATE State); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwGetMUIRegistryInfo( - _In_ ULONG Flags, - _Inout_ PULONG DataSize, - _Out_ PVOID Data); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwGetNextProcess( - _In_opt_ HANDLE ProcessHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ ULONG HandleAttributes, - _In_ ULONG Flags, - _Out_ PHANDLE NewProcessHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwGetNextThread( - _In_ HANDLE ProcessHandle, - _In_opt_ HANDLE ThreadHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ ULONG HandleAttributes, - _In_ ULONG Flags, - _Out_ PHANDLE NewThreadHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwGetNlsSectionPtr( - _In_ ULONG SectionType, - _In_ ULONG SectionData, - _In_ PVOID ContextData, - _Out_ PVOID *SectionPointer, - _Out_ PULONG SectionSize); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwGetNotificationResourceManager( - _In_ HANDLE ResourceManagerHandle, - _Out_ PTRANSACTION_NOTIFICATION TransactionNotification, - _In_ ULONG 
NotificationLength, - _In_opt_ PLARGE_INTEGER Timeout, - _Out_opt_ PULONG ReturnLength, - _In_ ULONG Asynchronous, - _In_opt_ ULONG_PTR AsynchronousContext); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwGetPlugPlayEvent( - _In_ HANDLE EventHandle, - _In_opt_ PVOID Context, - _Out_writes_bytes_(EventBufferSize) PPLUGPLAY_EVENT_BLOCK EventBlock, - _In_ ULONG EventBufferSize); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwGetWriteWatch( - _In_ HANDLE ProcessHandle, - _In_ ULONG Flags, - _In_ PVOID BaseAddress, - _In_ SIZE_T RegionSize, - _Out_writes_(*EntriesInUserAddressArray) PVOID *UserAddressArray, - _Inout_ PULONG_PTR EntriesInUserAddressArray, - _Out_ PULONG Granularity); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwImpersonateAnonymousToken( - _In_ HANDLE ThreadHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwImpersonateClientOfPort( - _In_ HANDLE PortHandle, - _In_ PPORT_MESSAGE Message); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwImpersonateThread( - _In_ HANDLE ServerThreadHandle, - _In_ HANDLE ClientThreadHandle, - _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwInitializeEnclave( - _In_ HANDLE ProcessHandle, - _In_ PVOID BaseAddress, - _In_reads_bytes_(EnclaveInformationLength) PVOID EnclaveInformation, - _In_ ULONG EnclaveInformationLength, - _Out_opt_ PULONG EnclaveError); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwInitializeNlsFiles( - _Out_ PVOID *BaseAddress, - _Out_ PLCID DefaultLocaleId, - _Out_ PLARGE_INTEGER DefaultCasingTableSize, - _Out_opt_ PULONG CurrentNLSVersion); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwInitializeRegistry( - _In_ USHORT BootCondition); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwInitiatePowerAction( - _In_ POWER_ACTION SystemAction, - _In_ SYSTEM_POWER_STATE LightestSystemState, - _In_ ULONG Flags, // POWER_ACTION_* flags - _In_ BOOLEAN Asynchronous); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwIsProcessInJob( - _In_ HANDLE ProcessHandle, - _In_opt_ HANDLE JobHandle); - - NTSYSCALLAPI - BOOLEAN - NTAPI - 
ZwIsSystemResumeAutomatic( - VOID); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwIsUILanguageComitted( - VOID); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwListenPort( - _In_ HANDLE PortHandle, - _Out_ PPORT_MESSAGE ConnectionRequest); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwLoadDriver( - _In_ PUNICODE_STRING DriverServiceName); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwLoadEnclaveData( - _In_ HANDLE ProcessHandle, - _In_ PVOID BaseAddress, - _In_reads_bytes_(BufferSize) PVOID Buffer, - _In_ SIZE_T BufferSize, - _In_ ULONG Protect, - _In_reads_bytes_(PageInformationLength) PVOID PageInformation, - _In_ ULONG PageInformationLength, - _Out_opt_ PSIZE_T NumberOfBytesWritten, - _Out_opt_ PULONG EnclaveError); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwLoadKey( - _In_ POBJECT_ATTRIBUTES TargetKey, - _In_ POBJECT_ATTRIBUTES SourceFile); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwLoadKey2( - _In_ POBJECT_ATTRIBUTES TargetKey, - _In_ POBJECT_ATTRIBUTES SourceFile, - _In_ ULONG Flags); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwLoadKey3( - _In_ POBJECT_ATTRIBUTES TargetKey, - _In_ POBJECT_ATTRIBUTES SourceFile, - _In_ ULONG Flags, - _In_reads_(ExtendedParameterCount) PCM_EXTENDED_PARAMETER ExtendedParameters, - _In_ ULONG ExtendedParameterCount, - _In_opt_ ACCESS_MASK DesiredAccess, - _Out_opt_ PHANDLE RootHandle, - _Reserved_ PVOID Reserved); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwLoadKeyEx( - _In_ POBJECT_ATTRIBUTES TargetKey, - _In_ POBJECT_ATTRIBUTES SourceFile, - _In_ ULONG Flags, - _In_opt_ HANDLE TrustClassKey, - _In_opt_ HANDLE Event, - _In_opt_ ACCESS_MASK DesiredAccess, - _Out_opt_ PHANDLE RootHandle, - _Reserved_ PVOID Reserved // previously PIO_STATUS_BLOCK - ); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwLockFile( - _In_ HANDLE FileHandle, - _In_opt_ HANDLE Event, - _In_opt_ PIO_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_ PLARGE_INTEGER ByteOffset, - _In_ PLARGE_INTEGER Length, - _In_ ULONG Key, - _In_ BOOLEAN FailImmediately, - 
_In_ BOOLEAN ExclusiveLock); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwLockProductActivationKeys( - _Inout_opt_ ULONG *pPrivateVer, - _Out_opt_ ULONG *pSafeMode); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwLockRegistryKey( - _In_ HANDLE KeyHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwLockVirtualMemory( - _In_ HANDLE ProcessHandle, - _Inout_ PVOID *BaseAddress, - _Inout_ PSIZE_T RegionSize, - _In_ ULONG MapType); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwMakePermanentObject( - _In_ HANDLE Handle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwMakeTemporaryObject( - _In_ HANDLE Handle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwManagePartition( - _In_ HANDLE TargetHandle, - _In_opt_ HANDLE SourceHandle, - _In_ PARTITION_INFORMATION_CLASS PartitionInformationClass, - _Inout_updates_bytes_(PartitionInformationLength) PVOID PartitionInformation, - _In_ ULONG PartitionInformationLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwMapCMFModule( - _In_ ULONG What, - _In_ ULONG Index, - _Out_opt_ PULONG CacheIndexOut, - _Out_opt_ PULONG CacheFlagsOut, - _Out_opt_ PULONG ViewSizeOut, - _Out_opt_ PVOID *BaseAddress); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwMapUserPhysicalPages( - _In_ PVOID VirtualAddress, - _In_ SIZE_T NumberOfPages, - _In_reads_opt_(NumberOfPages) PULONG_PTR UserPfnArray); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwMapUserPhysicalPagesScatter( - _In_reads_(NumberOfPages) PVOID *VirtualAddresses, - _In_ SIZE_T NumberOfPages, - _In_reads_opt_(NumberOfPages) PULONG_PTR UserPfnArray); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwMapViewOfSection( - _In_ HANDLE SectionHandle, - _In_ HANDLE ProcessHandle, - _Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID *BaseAddress, - _In_ ULONG_PTR ZeroBits, - _In_ SIZE_T CommitSize, - _Inout_opt_ PLARGE_INTEGER SectionOffset, - _Inout_ PSIZE_T ViewSize, - _In_ SECTION_INHERIT InheritDisposition, - _In_ ULONG AllocationType, - _In_ ULONG PageProtection); - - NTSYSCALLAPI 
- NTSTATUS - NTAPI - ZwMapViewOfSectionEx( - _In_ HANDLE SectionHandle, - _In_ HANDLE ProcessHandle, - _Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID *BaseAddress, - _Inout_opt_ PLARGE_INTEGER SectionOffset, - _Inout_ PSIZE_T ViewSize, - _In_ ULONG AllocationType, - _In_ ULONG PageProtection, - _Inout_updates_opt_(ExtendedParameterCount) PMEM_EXTENDED_PARAMETER ExtendedParameters, - _In_ ULONG ExtendedParameterCount); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwModifyBootEntry( - _In_ PBOOT_ENTRY BootEntry); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwModifyDriverEntry( - _In_ PEFI_DRIVER_ENTRY DriverEntry); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwNotifyChangeDirectoryFile( - _In_ HANDLE FileHandle, - _In_opt_ HANDLE Event, - _In_opt_ PIO_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _Out_writes_bytes_(Length) PVOID Buffer, // FILE_NOTIFY_INFORMATION - _In_ ULONG Length, - _In_ ULONG CompletionFilter, - _In_ BOOLEAN WatchTree); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwNotifyChangeDirectoryFileEx( - _In_ HANDLE FileHandle, - _In_opt_ HANDLE Event, - _In_opt_ PIO_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _Out_writes_bytes_(Length) PVOID Buffer, - _In_ ULONG Length, - _In_ ULONG CompletionFilter, - _In_ BOOLEAN WatchTree, - _In_opt_ DIRECTORY_NOTIFY_INFORMATION_CLASS DirectoryNotifyInformationClass); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwNotifyChangeKey( - _In_ HANDLE KeyHandle, - _In_opt_ HANDLE Event, - _In_opt_ PIO_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_ ULONG CompletionFilter, - _In_ BOOLEAN WatchTree, - _Out_writes_bytes_opt_(BufferSize) PVOID Buffer, - _In_ ULONG BufferSize, - _In_ BOOLEAN Asynchronous); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwNotifyChangeMultipleKeys( - _In_ HANDLE MasterKeyHandle, - _In_opt_ ULONG Count, - 
_In_reads_opt_(Count) OBJECT_ATTRIBUTES SubordinateObjects[], - _In_opt_ HANDLE Event, - _In_opt_ PIO_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_ ULONG CompletionFilter, - _In_ BOOLEAN WatchTree, - _Out_writes_bytes_opt_(BufferSize) PVOID Buffer, - _In_ ULONG BufferSize, - _In_ BOOLEAN Asynchronous); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwNotifyChangeSession( - _In_ HANDLE SessionHandle, - _In_ ULONG ChangeSequenceNumber, - _In_ PLARGE_INTEGER ChangeTimeStamp, - _In_ IO_SESSION_EVENT Event, - _In_ IO_SESSION_STATE NewState, - _In_ IO_SESSION_STATE PreviousState, - _In_reads_bytes_opt_(PayloadSize) PVOID Payload, - _In_ ULONG PayloadSize); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwOpenCpuPartition( - _Out_ PHANDLE CpuPartitionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwOpenDirectoryObject( - _Out_ PHANDLE DirectoryHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwOpenEnlistment( - _Out_ PHANDLE EnlistmentHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ HANDLE ResourceManagerHandle, - _In_ LPGUID EnlistmentGuid, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwOpenEvent( - _Out_ PHANDLE EventHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwOpenEventPair( - _Out_ PHANDLE EventPairHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ PCOBJECT_ATTRIBUTES ObjectAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwOpenFile( - _Out_ PHANDLE FileHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_ ULONG ShareAccess, - _In_ ULONG OpenOptions); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwOpenIoCompletion( - _Out_ PHANDLE IoCompletionHandle, - _In_ ACCESS_MASK DesiredAccess, - 
_In_ POBJECT_ATTRIBUTES ObjectAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwOpenJobObject( - _Out_ PHANDLE JobHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ PCOBJECT_ATTRIBUTES ObjectAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwOpenKey( - _Out_ PHANDLE KeyHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwOpenKeyedEvent( - _Out_ PHANDLE KeyedEventHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ PCOBJECT_ATTRIBUTES ObjectAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwOpenKeyEx( - _Out_ PHANDLE KeyHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ ULONG OpenOptions); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwOpenKeyTransacted( - _Out_ PHANDLE KeyHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ HANDLE TransactionHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwOpenKeyTransactedEx( - _Out_ PHANDLE KeyHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ ULONG OpenOptions, - _In_ HANDLE TransactionHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwOpenMutant( - _Out_ PHANDLE MutantHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ PCOBJECT_ATTRIBUTES ObjectAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwOpenObjectAuditAlarm( - _In_ PUNICODE_STRING SubsystemName, - _In_opt_ PVOID HandleId, - _In_ PUNICODE_STRING ObjectTypeName, - _In_ PUNICODE_STRING ObjectName, - _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, - _In_ HANDLE ClientToken, - _In_ ACCESS_MASK DesiredAccess, - _In_ ACCESS_MASK GrantedAccess, - _In_opt_ PPRIVILEGE_SET Privileges, - _In_ BOOLEAN ObjectCreation, - _In_ BOOLEAN AccessGranted, - _Out_ PBOOLEAN GenerateOnClose); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwOpenPartition( - _Out_ PHANDLE PartitionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ PCOBJECT_ATTRIBUTES ObjectAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - 
ZwOpenPrivateNamespace( - _Out_ PHANDLE NamespaceHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ POBJECT_BOUNDARY_DESCRIPTOR BoundaryDescriptor); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwOpenProcess( - _Out_ PHANDLE ProcessHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ PCOBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ PCLIENT_ID ClientId); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwOpenProcessToken( - _In_ HANDLE ProcessHandle, - _In_ ACCESS_MASK DesiredAccess, - _Out_ PHANDLE TokenHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwOpenProcessTokenEx( - _In_ HANDLE ProcessHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ ULONG HandleAttributes, - _Out_ PHANDLE TokenHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwOpenResourceManager( - _Out_ PHANDLE ResourceManagerHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ HANDLE TmHandle, - _In_opt_ LPGUID ResourceManagerGuid, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwOpenSection( - _Out_ PHANDLE SectionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ PCOBJECT_ATTRIBUTES ObjectAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwOpenSemaphore( - _Out_ PHANDLE SemaphoreHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ PCOBJECT_ATTRIBUTES ObjectAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwOpenSession( - _Out_ PHANDLE SessionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwOpenSymbolicLinkObject( - _Out_ PHANDLE LinkHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwOpenThread( - _Out_ PHANDLE ThreadHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ PCOBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ PCLIENT_ID ClientId); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwOpenThreadToken( - _In_ HANDLE ThreadHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ BOOLEAN OpenAsSelf, - _Out_ PHANDLE 
TokenHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwOpenThreadTokenEx( - _In_ HANDLE ThreadHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ BOOLEAN OpenAsSelf, - _In_ ULONG HandleAttributes, - _Out_ PHANDLE TokenHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwOpenTimer( - _Out_ PHANDLE TimerHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ PCOBJECT_ATTRIBUTES ObjectAttributes); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwOpenTransaction( - _Out_ PHANDLE TransactionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ LPGUID Uow, - _In_opt_ HANDLE TmHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwOpenTransactionManager( - _Out_ PHANDLE TmHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ PUNICODE_STRING LogFileName, - _In_opt_ LPGUID TmIdentity, - _In_opt_ ULONG OpenOptions); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwPlugPlayControl( - _In_ PLUGPLAY_CONTROL_CLASS PnPControlClass, - _Inout_updates_bytes_(PnPControlDataLength) PVOID PnPControlData, - _In_ ULONG PnPControlDataLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwPowerInformation( - _In_ POWER_INFORMATION_LEVEL InformationLevel, - _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, - _In_ ULONG InputBufferLength, - _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer, - _In_ ULONG OutputBufferLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwPrepareComplete( - _In_ HANDLE EnlistmentHandle, - _In_opt_ PLARGE_INTEGER TmVirtualClock); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwPrepareEnlistment( - _In_ HANDLE EnlistmentHandle, - _In_opt_ PLARGE_INTEGER TmVirtualClock); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwPrePrepareComplete( - _In_ HANDLE EnlistmentHandle, - _In_opt_ PLARGE_INTEGER TmVirtualClock); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwPrePrepareEnlistment( - _In_ HANDLE EnlistmentHandle, - _In_opt_ PLARGE_INTEGER TmVirtualClock); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwPrivilegeCheck( - _In_ HANDLE 
ClientToken, - _Inout_ PPRIVILEGE_SET RequiredPrivileges, - _Out_ PBOOLEAN Result); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwPrivilegedServiceAuditAlarm( - _In_ PUNICODE_STRING SubsystemName, - _In_ PUNICODE_STRING ServiceName, - _In_ HANDLE ClientToken, - _In_ PPRIVILEGE_SET Privileges, - _In_ BOOLEAN AccessGranted); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwPrivilegeObjectAuditAlarm( - _In_ PUNICODE_STRING SubsystemName, - _In_opt_ PVOID HandleId, - _In_ HANDLE ClientToken, - _In_ ACCESS_MASK DesiredAccess, - _In_ PPRIVILEGE_SET Privileges, - _In_ BOOLEAN AccessGranted); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwPropagationComplete( - _In_ HANDLE ResourceManagerHandle, - _In_ ULONG RequestCookie, - _In_ ULONG BufferLength, - _In_ PVOID Buffer); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwPropagationFailed( - _In_ HANDLE ResourceManagerHandle, - _In_ ULONG RequestCookie, - _In_ NTSTATUS PropStatus); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwProtectVirtualMemory( - _In_ HANDLE ProcessHandle, - _Inout_ PVOID *BaseAddress, - _Inout_ PSIZE_T RegionSize, - _In_ ULONG NewProtection, - _Out_ PULONG OldProtection); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwPssCaptureVaSpaceBulk( - _In_ HANDLE ProcessHandle, - _In_opt_ PVOID BaseAddress, - _In_ PNTPSS_MEMORY_BULK_INFORMATION BulkInformation, - _In_ SIZE_T BulkInformationLength, - _Out_opt_ PSIZE_T ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwPulseEvent( - _In_ HANDLE EventHandle, - _Out_opt_ PLONG PreviousState); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryAttributesFile( - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _Out_ PFILE_BASIC_INFORMATION FileInformation); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryAuxiliaryCounterFrequency( - _Out_ PULONG64 AuxiliaryCounterFrequency); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryBootEntryOrder( - _Out_writes_opt_(*Count) PULONG Ids, - _Inout_ PULONG Count); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryBootOptions( - _Out_writes_bytes_opt_(*BootOptionsLength) PBOOT_OPTIONS 
BootOptions, - _Inout_ PULONG BootOptionsLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryDebugFilterState( - _In_ ULONG ComponentId, - _In_ ULONG Level); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryDefaultLocale( - _In_ BOOLEAN UserProfile, - _Out_ PLCID DefaultLocaleId); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryDefaultUILanguage( - _Out_ LANGID *DefaultUILanguageId); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryDirectoryFile( - _In_ HANDLE FileHandle, - _In_opt_ HANDLE Event, - _In_opt_ PIO_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _Out_writes_bytes_(Length) PVOID FileInformation, - _In_ ULONG Length, - _In_ FILE_INFORMATION_CLASS FileInformationClass, - _In_ BOOLEAN ReturnSingleEntry, - _In_opt_ PUNICODE_STRING FileName, - _In_ BOOLEAN RestartScan); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryDirectoryFileEx( - _In_ HANDLE FileHandle, - _In_opt_ HANDLE Event, - _In_opt_ PIO_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _Out_writes_bytes_(Length) PVOID FileInformation, - _In_ ULONG Length, - _In_ FILE_INFORMATION_CLASS FileInformationClass, - _In_ ULONG QueryFlags, - _In_opt_ PUNICODE_STRING FileName); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryDirectoryObject( - _In_ HANDLE DirectoryHandle, - _Out_writes_bytes_opt_(Length) PVOID Buffer, - _In_ ULONG Length, - _In_ BOOLEAN ReturnSingleEntry, - _In_ BOOLEAN RestartScan, - _Inout_ PULONG Context, - _Out_opt_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryDriverEntryOrder( - _Out_writes_opt_(*Count) PULONG Ids, - _Inout_ PULONG Count); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryEaFile( - _In_ HANDLE FileHandle, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _Out_writes_bytes_(Length) PVOID Buffer, - _In_ ULONG Length, - _In_ BOOLEAN ReturnSingleEntry, - _In_reads_bytes_opt_(EaListLength) PVOID EaList, - _In_ ULONG EaListLength, - _In_opt_ PULONG EaIndex, - _In_ BOOLEAN RestartScan); - - 
NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryEvent( - _In_ HANDLE EventHandle, - _In_ EVENT_INFORMATION_CLASS EventInformationClass, - _Out_writes_bytes_(EventInformationLength) PVOID EventInformation, - _In_ ULONG EventInformationLength, - _Out_opt_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryFullAttributesFile( - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _Out_ PFILE_NETWORK_OPEN_INFORMATION FileInformation); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryInformationAtom( - _In_ RTL_ATOM Atom, - _In_ ATOM_INFORMATION_CLASS AtomInformationClass, - _Out_writes_bytes_(AtomInformationLength) PVOID AtomInformation, - _In_ ULONG AtomInformationLength, - _Out_opt_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryInformationByName( - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _Out_writes_bytes_(Length) PVOID FileInformation, - _In_ ULONG Length, - _In_ FILE_INFORMATION_CLASS FileInformationClass); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryInformationEnlistment( - _In_ HANDLE EnlistmentHandle, - _In_ ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass, - _Out_writes_bytes_(EnlistmentInformationLength) PVOID EnlistmentInformation, - _In_ ULONG EnlistmentInformationLength, - _Out_opt_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryInformationFile( - _In_ HANDLE FileHandle, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _Out_writes_bytes_(Length) PVOID FileInformation, - _In_ ULONG Length, - _In_ FILE_INFORMATION_CLASS FileInformationClass); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryInformationJobObject( - _In_opt_ HANDLE JobHandle, - _In_ JOBOBJECTINFOCLASS JobObjectInformationClass, - _Out_writes_bytes_(JobObjectInformationLength) PVOID JobObjectInformation, - _In_ ULONG JobObjectInformationLength, - _Out_opt_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryInformationPort( - _In_ HANDLE PortHandle, - _In_ PORT_INFORMATION_CLASS PortInformationClass, - 
_Out_writes_bytes_to_(Length, *ReturnLength) PVOID PortInformation, - _In_ ULONG Length, - _Out_opt_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryInformationProcess( - _In_ HANDLE ProcessHandle, - _In_ PROCESSINFOCLASS ProcessInformationClass, - _Out_writes_bytes_(ProcessInformationLength) PVOID ProcessInformation, - _In_ ULONG ProcessInformationLength, - _Out_opt_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryInformationResourceManager( - _In_ HANDLE ResourceManagerHandle, - _In_ RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass, - _Out_writes_bytes_(ResourceManagerInformationLength) PVOID ResourceManagerInformation, - _In_ ULONG ResourceManagerInformationLength, - _Out_opt_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryInformationThread( - _In_ HANDLE ThreadHandle, - _In_ THREADINFOCLASS ThreadInformationClass, - _Out_writes_bytes_(ThreadInformationLength) PVOID ThreadInformation, - _In_ ULONG ThreadInformationLength, - _Out_opt_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryInformationToken( - _In_ HANDLE TokenHandle, - _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, - _Out_writes_bytes_to_opt_(TokenInformationLength, *ReturnLength) PVOID TokenInformation, - _In_ ULONG TokenInformationLength, - _Out_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryInformationTransaction( - _In_ HANDLE TransactionHandle, - _In_ TRANSACTION_INFORMATION_CLASS TransactionInformationClass, - _Out_writes_bytes_(TransactionInformationLength) PVOID TransactionInformation, - _In_ ULONG TransactionInformationLength, - _Out_opt_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryInformationTransactionManager( - _In_ HANDLE TransactionManagerHandle, - _In_ TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass, - _Out_writes_bytes_(TransactionManagerInformationLength) PVOID TransactionManagerInformation, - _In_ ULONG 
TransactionManagerInformationLength, - _Out_opt_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryInformationWorkerFactory( - _In_ HANDLE WorkerFactoryHandle, - _In_ WORKERFACTORYINFOCLASS WorkerFactoryInformationClass, - _Out_writes_bytes_(WorkerFactoryInformationLength) PVOID WorkerFactoryInformation, - _In_ ULONG WorkerFactoryInformationLength, - _Out_opt_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryInstallUILanguage( - _Out_ LANGID *InstallUILanguageId); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryIntervalProfile( - _In_ KPROFILE_SOURCE ProfileSource, - _Out_ PULONG Interval); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryIoCompletion( - _In_ HANDLE IoCompletionHandle, - _In_ IO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass, - _Out_writes_bytes_(IoCompletionInformationLength) PVOID IoCompletionInformation, - _In_ ULONG IoCompletionInformationLength, - _Out_opt_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryIoRingCapabilities( - _In_ SIZE_T IoRingCapabilitiesLength, - _Out_ PVOID IoRingCapabilities); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryKey( - _In_ HANDLE KeyHandle, - _In_ KEY_INFORMATION_CLASS KeyInformationClass, - _Out_writes_bytes_to_opt_(Length, *ResultLength) PVOID KeyInformation, - _In_ ULONG Length, - _Out_ PULONG ResultLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryLicenseValue( - _In_ PUNICODE_STRING ValueName, - _Out_opt_ PULONG Type, - _Out_writes_bytes_to_opt_(DataSize, *ResultDataSize) PVOID Data, - _In_ ULONG DataSize, - _Out_ PULONG ResultDataSize); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryMultipleValueKey( - _In_ HANDLE KeyHandle, - _Inout_updates_(EntryCount) PKEY_VALUE_ENTRY ValueEntries, - _In_ ULONG EntryCount, - _Out_writes_bytes_(*BufferLength) PVOID ValueBuffer, - _Inout_ PULONG BufferLength, - _Out_opt_ PULONG RequiredBufferLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryMutant( - _In_ HANDLE MutantHandle, - _In_ MUTANT_INFORMATION_CLASS 
MutantInformationClass, - _Out_writes_bytes_(MutantInformationLength) PVOID MutantInformation, - _In_ ULONG MutantInformationLength, - _Out_opt_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryObject( - _In_opt_ HANDLE Handle, - _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass, - _Out_writes_bytes_opt_(ObjectInformationLength) PVOID ObjectInformation, - _In_ ULONG ObjectInformationLength, - _Out_opt_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryOpenSubKeys( - _In_ POBJECT_ATTRIBUTES TargetKey, - _Out_ PULONG HandleCount); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryOpenSubKeysEx( - _In_ POBJECT_ATTRIBUTES TargetKey, - _In_ ULONG BufferLength, - _Out_writes_bytes_opt_(BufferLength) PVOID Buffer, - _Out_ PULONG RequiredSize); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryPerformanceCounter( - _Out_ PLARGE_INTEGER PerformanceCounter, - _Out_opt_ PLARGE_INTEGER PerformanceFrequency); - - NTSYSCALLAPI - LOGICAL - NTAPI - ZwQueryPortInformationProcess( - VOID); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryQuotaInformationFile( - _In_ HANDLE FileHandle, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _Out_writes_bytes_(Length) PVOID Buffer, - _In_ ULONG Length, - _In_ BOOLEAN ReturnSingleEntry, - _In_reads_bytes_opt_(SidListLength) PVOID SidList, - _In_ ULONG SidListLength, - _In_opt_ PSID StartSid, - _In_ BOOLEAN RestartScan); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQuerySection( - _In_ HANDLE SectionHandle, - _In_ SECTION_INFORMATION_CLASS SectionInformationClass, - _Out_writes_bytes_(SectionInformationLength) PVOID SectionInformation, - _In_ SIZE_T SectionInformationLength, - _Out_opt_ PSIZE_T ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQuerySecurityAttributesToken( - _In_ HANDLE TokenHandle, - _In_reads_opt_(NumberOfAttributes) PUNICODE_STRING Attributes, - _In_ ULONG NumberOfAttributes, - _Out_writes_bytes_(Length) PVOID Buffer, // PTOKEN_SECURITY_ATTRIBUTES_INFORMATION - _In_ ULONG Length, - _Out_ PULONG 
ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQuerySecurityObject( - _In_ HANDLE Handle, - _In_ SECURITY_INFORMATION SecurityInformation, - _Out_writes_bytes_to_opt_(Length, *LengthNeeded) PSECURITY_DESCRIPTOR SecurityDescriptor, - _In_ ULONG Length, - _Out_ PULONG LengthNeeded); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQuerySecurityPolicy( - _In_ PCUNICODE_STRING Policy, - _In_ PCUNICODE_STRING KeyName, - _In_ PCUNICODE_STRING ValueName, - _In_ SECURE_SETTING_VALUE_TYPE ValueType, - _Out_writes_bytes_opt_(*ValueSize) PVOID Value, - _Inout_ PULONG ValueSize); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQuerySemaphore( - _In_ HANDLE SemaphoreHandle, - _In_ SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass, - _Out_writes_bytes_(SemaphoreInformationLength) PVOID SemaphoreInformation, - _In_ ULONG SemaphoreInformationLength, - _Out_opt_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQuerySymbolicLinkObject( - _In_ HANDLE LinkHandle, - _Inout_ PUNICODE_STRING LinkTarget, - _Out_opt_ PULONG ReturnedLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQuerySystemEnvironmentValue( - _In_ PUNICODE_STRING VariableName, - _Out_writes_bytes_(ValueLength) PWSTR VariableValue, - _In_ USHORT ValueLength, - _Out_opt_ PUSHORT ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQuerySystemEnvironmentValueEx( - _In_ PCUNICODE_STRING VariableName, - _In_ PCGUID VendorGuid, - _Out_writes_bytes_opt_(*BufferLength) PVOID Buffer, - _Inout_ PULONG BufferLength, - _Out_opt_ PULONG Attributes // EFI_VARIABLE_* - ); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQuerySystemInformation( - _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, - _Out_writes_bytes_opt_(SystemInformationLength) PVOID SystemInformation, - _In_ ULONG SystemInformationLength, - _Out_opt_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQuerySystemInformationEx( - _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, - _In_reads_bytes_(InputBufferLength) PVOID InputBuffer, - _In_ ULONG 
InputBufferLength, - _Out_writes_bytes_opt_(SystemInformationLength) PVOID SystemInformation, - _In_ ULONG SystemInformationLength, - _Out_opt_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQuerySystemTime( - _Out_ PLARGE_INTEGER SystemTime); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryTimer( - _In_ HANDLE TimerHandle, - _In_ TIMER_INFORMATION_CLASS TimerInformationClass, - _Out_writes_bytes_(TimerInformationLength) PVOID TimerInformation, - _In_ ULONG TimerInformationLength, - _Out_opt_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryTimerResolution( - _Out_ PULONG MaximumTime, - _Out_ PULONG MinimumTime, - _Out_ PULONG CurrentTime); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryValueKey( - _In_ HANDLE KeyHandle, - _In_ PUNICODE_STRING ValueName, - _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, - _Out_writes_bytes_to_opt_(Length, *ResultLength) PVOID KeyValueInformation, - _In_ ULONG Length, - _Out_ PULONG ResultLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryVirtualMemory( - _In_ HANDLE ProcessHandle, - _In_opt_ PVOID BaseAddress, - _In_ MEMORY_INFORMATION_CLASS MemoryInformationClass, - _Out_writes_bytes_(MemoryInformationLength) PVOID MemoryInformation, - _In_ SIZE_T MemoryInformationLength, - _Out_opt_ PSIZE_T ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryVolumeInformationFile( - _In_ HANDLE FileHandle, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _Out_writes_bytes_(Length) PVOID FsInformation, - _In_ ULONG Length, - _In_ FSINFOCLASS FsInformationClass); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryWnfStateData( - _In_ PCWNF_STATE_NAME StateName, - _In_opt_ PCWNF_TYPE_ID TypeId, - _In_opt_ const VOID *ExplicitScope, - _Out_ PWNF_CHANGE_STAMP ChangeStamp, - _Out_writes_bytes_opt_(*BufferSize) PVOID Buffer, - _Inout_ PULONG BufferSize); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueryWnfStateNameInformation( - _In_ PCWNF_STATE_NAME StateName, - _In_ WNF_STATE_NAME_INFORMATION NameInfoClass, - _In_opt_ 
const VOID *ExplicitScope, - _Out_writes_bytes_(InfoBufferSize) PVOID InfoBuffer, - _In_ ULONG InfoBufferSize); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueueApcThread( - _In_ HANDLE ThreadHandle, - _In_ PPS_APC_ROUTINE ApcRoutine, // RtlDispatchAPC - _In_opt_ PVOID ApcArgument1, - _In_opt_ PVOID ApcArgument2, - _In_opt_ PVOID ApcArgument3); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueueApcThreadEx( - _In_ HANDLE ThreadHandle, - _In_opt_ HANDLE ReserveHandle, // NtAllocateReserveObject // QUEUE_USER_APC_SPECIAL_USER_APC - _In_ PPS_APC_ROUTINE ApcRoutine, // RtlDispatchAPC - _In_opt_ PVOID ApcArgument1, - _In_opt_ PVOID ApcArgument2, - _In_opt_ PVOID ApcArgument3); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwQueueApcThreadEx2( - _In_ HANDLE ThreadHandle, - _In_opt_ HANDLE ReserveHandle, // NtAllocateReserveObject - _In_ ULONG ApcFlags, // QUEUE_USER_APC_FLAGS - _In_ PPS_APC_ROUTINE ApcRoutine, // RtlDispatchAPC - _In_opt_ PVOID ApcArgument1, - _In_opt_ PVOID ApcArgument2, - _In_opt_ PVOID ApcArgument3); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwRaiseException( - _In_ PEXCEPTION_RECORD ExceptionRecord, - _In_ PCONTEXT ContextRecord, - _In_ BOOLEAN FirstChance); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwRaiseHardError( - _In_ NTSTATUS ErrorStatus, - _In_ ULONG NumberOfParameters, - _In_ ULONG UnicodeStringParameterMask, - _In_reads_(NumberOfParameters) PULONG_PTR Parameters, - _In_ ULONG ValidResponseOptions, - _Out_ PULONG Response); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwReadFile( - _In_ HANDLE FileHandle, - _In_opt_ HANDLE Event, - _In_opt_ PIO_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _Out_writes_bytes_(Length) PVOID Buffer, - _In_ ULONG Length, - _In_opt_ PLARGE_INTEGER ByteOffset, - _In_opt_ PULONG Key); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwReadFileScatter( - _In_ HANDLE FileHandle, - _In_opt_ HANDLE Event, - _In_opt_ PIO_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - 
_In_ PFILE_SEGMENT_ELEMENT SegmentArray, - _In_ ULONG Length, - _In_opt_ PLARGE_INTEGER ByteOffset, - _In_opt_ PULONG Key); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwReadOnlyEnlistment( - _In_ HANDLE EnlistmentHandle, - _In_opt_ PLARGE_INTEGER TmVirtualClock); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwReadRequestData( - _In_ HANDLE PortHandle, - _In_ PPORT_MESSAGE Message, - _In_ ULONG DataEntryIndex, - _Out_writes_bytes_to_(BufferSize, *NumberOfBytesRead) PVOID Buffer, - _In_ SIZE_T BufferSize, - _Out_opt_ PSIZE_T NumberOfBytesRead); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwReadVirtualMemory( - _In_ HANDLE ProcessHandle, - _In_opt_ PVOID BaseAddress, - _Out_writes_bytes_to_(NumberOfBytesToRead, *NumberOfBytesRead) PVOID Buffer, - _In_ SIZE_T NumberOfBytesToRead, - _Out_opt_ PSIZE_T NumberOfBytesRead); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwReadVirtualMemoryEx( - _In_ HANDLE ProcessHandle, - _In_opt_ PVOID BaseAddress, - _Out_writes_bytes_to_(NumberOfBytesToRead, *NumberOfBytesRead) PVOID Buffer, - _In_ SIZE_T NumberOfBytesToRead, - _Out_opt_ PSIZE_T NumberOfBytesRead, - _In_ ULONG Flags); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwRecoverEnlistment( - _In_ HANDLE EnlistmentHandle, - _In_opt_ PVOID EnlistmentKey); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwRecoverResourceManager( - _In_ HANDLE ResourceManagerHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwRecoverTransactionManager( - _In_ HANDLE TransactionManagerHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwRegisterProtocolAddressInformation( - _In_ HANDLE ResourceManager, - _In_ PCRM_PROTOCOL_ID ProtocolId, - _In_ ULONG ProtocolInformationSize, - _In_ PVOID ProtocolInformation, - _In_opt_ ULONG CreateOptions); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwRegisterThreadTerminatePort( - _In_ HANDLE PortHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwReleaseCMFViewOwnership( - VOID); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwReleaseKeyedEvent( - _In_opt_ HANDLE KeyedEventHandle, - _In_ PVOID KeyValue, - _In_ BOOLEAN Alertable, 
- _In_opt_ PLARGE_INTEGER Timeout); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwReleaseMutant( - _In_ HANDLE MutantHandle, - _Out_opt_ PLONG PreviousCount); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwReleaseSemaphore( - _In_ HANDLE SemaphoreHandle, - _In_ LONG ReleaseCount, - _Out_opt_ PLONG PreviousCount); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwReleaseWorkerFactoryWorker( - _In_ HANDLE WorkerFactoryHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwRemoveIoCompletion( - _In_ HANDLE IoCompletionHandle, - _Out_ PVOID *KeyContext, - _Out_ PVOID *ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_opt_ PLARGE_INTEGER Timeout); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwRemoveIoCompletionEx( - _In_ HANDLE IoCompletionHandle, - _Out_writes_to_(Count, *NumEntriesRemoved) PFILE_IO_COMPLETION_INFORMATION IoCompletionInformation, - _In_ ULONG Count, - _Out_ PULONG NumEntriesRemoved, - _In_opt_ PLARGE_INTEGER Timeout, - _In_ BOOLEAN Alertable); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwRemoveProcessDebug( - _In_ HANDLE ProcessHandle, - _In_ HANDLE DebugObjectHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwRenameKey( - _In_ HANDLE KeyHandle, - _In_ PUNICODE_STRING NewName); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwRenameTransactionManager( - _In_ PUNICODE_STRING LogFileName, - _In_ LPGUID ExistingTransactionManagerGuid); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwReplaceKey( - _In_ POBJECT_ATTRIBUTES NewFile, - _In_ HANDLE TargetHandle, - _In_ POBJECT_ATTRIBUTES OldFile); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwReplacePartitionUnit( - _In_ PUNICODE_STRING TargetInstancePath, - _In_ PUNICODE_STRING SpareInstancePath, - _In_ ULONG Flags); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwReplyPort( - _In_ HANDLE PortHandle, - _In_reads_bytes_(ReplyMessage->u1.s1.TotalLength) PPORT_MESSAGE ReplyMessage); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwReplyWaitReceivePort( - _In_ HANDLE PortHandle, - _Out_opt_ PVOID *PortContext, - _In_reads_bytes_opt_(ReplyMessage->u1.s1.TotalLength) PPORT_MESSAGE 
ReplyMessage, - _Out_ PPORT_MESSAGE ReceiveMessage); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwReplyWaitReceivePortEx( - _In_ HANDLE PortHandle, - _Out_opt_ PVOID *PortContext, - _In_reads_bytes_opt_(ReplyMessage->u1.s1.TotalLength) PPORT_MESSAGE ReplyMessage, - _Out_ PPORT_MESSAGE ReceiveMessage, - _In_opt_ PLARGE_INTEGER Timeout); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwReplyWaitReplyPort( - _In_ HANDLE PortHandle, - _Inout_ PPORT_MESSAGE ReplyMessage); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwRequestPort( - _In_ HANDLE PortHandle, - _In_reads_bytes_(RequestMessage->u1.s1.TotalLength) PPORT_MESSAGE RequestMessage); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwRequestWaitReplyPort( - _In_ HANDLE PortHandle, - _In_reads_bytes_(RequestMessage->u1.s1.TotalLength) PPORT_MESSAGE RequestMessage, - _Out_ PPORT_MESSAGE ReplyMessage); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwRequestWakeupLatency( - _In_ LATENCY_TIME latency); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwResetEvent( - _In_ HANDLE EventHandle, - _Out_opt_ PLONG PreviousState); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwResetWriteWatch( - _In_ HANDLE ProcessHandle, - _In_ PVOID BaseAddress, - _In_ SIZE_T RegionSize); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwRestoreKey( - _In_ HANDLE KeyHandle, - _In_ HANDLE FileHandle, - _In_ ULONG Flags); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwResumeProcess( - _In_ HANDLE ProcessHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwResumeThread( - _In_ HANDLE ThreadHandle, - _Out_opt_ PULONG PreviousSuspendCount); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwRevertContainerImpersonation( - VOID); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwRollbackComplete( - _In_ HANDLE EnlistmentHandle, - _In_opt_ PLARGE_INTEGER TmVirtualClock); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwRollbackEnlistment( - _In_ HANDLE EnlistmentHandle, - _In_opt_ PLARGE_INTEGER TmVirtualClock); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwRollbackTransaction( - _In_ HANDLE TransactionHandle, - _In_ BOOLEAN Wait); - - NTSYSCALLAPI - NTSTATUS 
- NTAPI - ZwRollforwardTransactionManager( - _In_ HANDLE TransactionManagerHandle, - _In_opt_ PLARGE_INTEGER TmVirtualClock); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSaveKey( - _In_ HANDLE KeyHandle, - _In_ HANDLE FileHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSaveKeyEx( - _In_ HANDLE KeyHandle, - _In_ HANDLE FileHandle, - _In_ ULONG Format); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSaveMergedKeys( - _In_ HANDLE HighPrecedenceKeyHandle, - _In_ HANDLE LowPrecedenceKeyHandle, - _In_ HANDLE FileHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSecureConnectPort( - _Out_ PHANDLE PortHandle, - _In_ PUNICODE_STRING PortName, - _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos, - _Inout_opt_ PPORT_VIEW ClientView, - _In_opt_ PSID RequiredServerSid, - _Inout_opt_ PREMOTE_PORT_VIEW ServerView, - _Out_opt_ PULONG MaxMessageLength, - _Inout_updates_bytes_to_opt_(*ConnectionInformationLength, *ConnectionInformationLength) PVOID ConnectionInformation, - _Inout_opt_ PULONG ConnectionInformationLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSerializeBoot( - VOID); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetBootEntryOrder( - _In_reads_(Count) PULONG Ids, - _In_ ULONG Count); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetBootOptions( - _In_ PBOOT_OPTIONS BootOptions, - _In_ ULONG FieldsToChange); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetCachedSigningLevel( - _In_ ULONG Flags, - _In_ SE_SIGNING_LEVEL InputSigningLevel, - _In_reads_(SourceFileCount) PHANDLE SourceFiles, - _In_ ULONG SourceFileCount, - _In_opt_ HANDLE TargetFile); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetCachedSigningLevel2( - _In_ ULONG Flags, - _In_ SE_SIGNING_LEVEL InputSigningLevel, - _In_reads_(SourceFileCount) PHANDLE SourceFiles, - _In_ ULONG SourceFileCount, - _In_opt_ HANDLE TargetFile, - _In_opt_ SE_SET_FILE_CACHE_INFORMATION *CacheInformation); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetContextThread( - _In_ HANDLE ThreadHandle, - _In_ PCONTEXT ThreadContext); - - NTSYSCALLAPI - NTSTATUS - NTAPI - 
ZwSetDebugFilterState( - _In_ ULONG ComponentId, - _In_ ULONG Level, - _In_ BOOLEAN State); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetDefaultHardErrorPort( - _In_ HANDLE DefaultHardErrorPort); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetDefaultLocale( - _In_ BOOLEAN UserProfile, - _In_ LCID DefaultLocaleId); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetDefaultUILanguage( - _In_ LANGID DefaultUILanguageId); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetDriverEntryOrder( - _In_reads_(Count) PULONG Ids, - _In_ ULONG Count); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetEaFile( - _In_ HANDLE FileHandle, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_reads_bytes_(Length) PVOID Buffer, - _In_ ULONG Length); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetEvent( - _In_ HANDLE EventHandle, - _Out_opt_ PLONG PreviousState); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetEventBoostPriority( - _In_ HANDLE EventHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetEventEx( - _In_ HANDLE ThreadId, - _In_opt_ PRTL_SRWLOCK Lock); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetHighEventPair( - _In_ HANDLE EventPairHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetHighWaitLowEventPair( - _In_ HANDLE EventPairHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetInformationCpuPartition( - _In_ HANDLE CpuPartitionHandle, - _In_ ULONG CpuPartitionInformationClass, - _In_reads_bytes_(CpuPartitionInformationLength) PVOID CpuPartitionInformation, - _In_ ULONG CpuPartitionInformationLength, - _Reserved_ PVOID, - _Reserved_ ULONG, - _Reserved_ ULONG); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetInformationDebugObject( - _In_ HANDLE DebugObjectHandle, - _In_ DEBUGOBJECTINFOCLASS DebugObjectInformationClass, - _In_reads_bytes_(DebugInformationLength) PVOID DebugInformation, - _In_ ULONG DebugInformationLength, - _Out_opt_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetInformationEnlistment( - _In_opt_ HANDLE EnlistmentHandle, - _In_ ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass, - 
_In_reads_bytes_(EnlistmentInformationLength) PVOID EnlistmentInformation, - _In_ ULONG EnlistmentInformationLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetInformationFile( - _In_ HANDLE FileHandle, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_reads_bytes_(Length) PVOID FileInformation, - _In_ ULONG Length, - _In_ FILE_INFORMATION_CLASS FileInformationClass); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetInformationIoRing( - _In_ HANDLE IoRingHandle, - _In_ ULONG IoRingInformationClass, - _In_ ULONG IoRingInformationLength, - _In_ PVOID IoRingInformation); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetInformationJobObject( - _In_ HANDLE JobHandle, - _In_ JOBOBJECTINFOCLASS JobObjectInformationClass, - _In_reads_bytes_(JobObjectInformationLength) PVOID JobObjectInformation, - _In_ ULONG JobObjectInformationLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetInformationKey( - _In_ HANDLE KeyHandle, - _In_ KEY_SET_INFORMATION_CLASS KeySetInformationClass, - _In_reads_bytes_(KeySetInformationLength) PVOID KeySetInformation, - _In_ ULONG KeySetInformationLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetInformationObject( - _In_ HANDLE Handle, - _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass, - _In_reads_bytes_(ObjectInformationLength) PVOID ObjectInformation, - _In_ ULONG ObjectInformationLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetInformationProcess( - _In_ HANDLE ProcessHandle, - _In_ PROCESSINFOCLASS ProcessInformationClass, - _In_reads_bytes_(ProcessInformationLength) PVOID ProcessInformation, - _In_ ULONG ProcessInformationLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetInformationResourceManager( - _In_ HANDLE ResourceManagerHandle, - _In_ RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass, - _In_reads_bytes_(ResourceManagerInformationLength) PVOID ResourceManagerInformation, - _In_ ULONG ResourceManagerInformationLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetInformationSymbolicLink( - _In_ HANDLE LinkHandle, - _In_ 
SYMBOLIC_LINK_INFO_CLASS SymbolicLinkInformationClass, - _In_reads_bytes_(SymbolicLinkInformationLength) PVOID SymbolicLinkInformation, - _In_ ULONG SymbolicLinkInformationLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetInformationThread( - _In_ HANDLE ThreadHandle, - _In_ THREADINFOCLASS ThreadInformationClass, - _In_reads_bytes_(ThreadInformationLength) PVOID ThreadInformation, - _In_ ULONG ThreadInformationLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetInformationToken( - _In_ HANDLE TokenHandle, - _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, - _In_reads_bytes_(TokenInformationLength) PVOID TokenInformation, - _In_ ULONG TokenInformationLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetInformationTransaction( - _In_ HANDLE TransactionHandle, - _In_ TRANSACTION_INFORMATION_CLASS TransactionInformationClass, - _In_reads_bytes_(TransactionInformationLength) PVOID TransactionInformation, - _In_ ULONG TransactionInformationLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetInformationTransactionManager( - _In_opt_ HANDLE TmHandle, - _In_ TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass, - _In_reads_bytes_(TransactionManagerInformationLength) PVOID TransactionManagerInformation, - _In_ ULONG TransactionManagerInformationLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetInformationVirtualMemory( - _In_ HANDLE ProcessHandle, - _In_ VIRTUAL_MEMORY_INFORMATION_CLASS VmInformationClass, - _In_ SIZE_T NumberOfEntries, - _In_reads_(NumberOfEntries) PMEMORY_RANGE_ENTRY VirtualAddresses, - _In_reads_bytes_(VmInformationLength) PVOID VmInformation, - _In_ ULONG VmInformationLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetInformationWorkerFactory( - _In_ HANDLE WorkerFactoryHandle, - _In_ WORKERFACTORYINFOCLASS WorkerFactoryInformationClass, - _In_reads_bytes_(WorkerFactoryInformationLength) PVOID WorkerFactoryInformation, - _In_ ULONG WorkerFactoryInformationLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetIntervalProfile( - 
_In_ ULONG Interval, - _In_ KPROFILE_SOURCE Source); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetIoCompletion( - _In_ HANDLE IoCompletionHandle, - _In_opt_ PVOID KeyContext, - _In_opt_ PVOID ApcContext, - _In_ NTSTATUS IoStatus, - _In_ ULONG_PTR IoStatusInformation); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetIoCompletionEx( - _In_ HANDLE IoCompletionHandle, - _In_ HANDLE IoCompletionPacketHandle, - _In_opt_ PVOID KeyContext, - _In_opt_ PVOID ApcContext, - _In_ NTSTATUS IoStatus, - _In_ ULONG_PTR IoStatusInformation); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetIRTimer( - _In_ HANDLE TimerHandle, - _In_opt_ PLARGE_INTEGER DueTime); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetLdtEntries( - _In_ ULONG Selector0, - _In_ ULONG Entry0Low, - _In_ ULONG Entry0Hi, - _In_ ULONG Selector1, - _In_ ULONG Entry1Low, - _In_ ULONG Entry1Hi); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetLowEventPair( - _In_ HANDLE EventPairHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetLowWaitHighEventPair( - _In_ HANDLE EventPairHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetQuotaInformationFile( - _In_ HANDLE FileHandle, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_reads_bytes_(Length) PVOID Buffer, - _In_ ULONG Length); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetSecurityObject( - _In_ HANDLE Handle, - _In_ SECURITY_INFORMATION SecurityInformation, - _In_ PSECURITY_DESCRIPTOR SecurityDescriptor); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetSystemEnvironmentValue( - _In_ PCUNICODE_STRING VariableName, - _In_ PCUNICODE_STRING VariableValue); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetSystemEnvironmentValueEx( - _In_ PCUNICODE_STRING VariableName, - _In_ PCGUID VendorGuid, - _In_reads_bytes_opt_(BufferLength) PVOID Buffer, - _In_ ULONG BufferLength, // 0 = delete variable - _In_ ULONG Attributes // EFI_VARIABLE_* - ); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetSystemInformation( - _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, - _In_reads_bytes_opt_(SystemInformationLength) PVOID 
SystemInformation, - _In_ ULONG SystemInformationLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetSystemPowerState( - _In_ POWER_ACTION SystemAction, - _In_ SYSTEM_POWER_STATE LightestSystemState, - _In_ ULONG Flags // POWER_ACTION_* flags - ); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetSystemTime( - _In_opt_ PLARGE_INTEGER SystemTime, - _Out_opt_ PLARGE_INTEGER PreviousTime); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetThreadExecutionState( - _In_ EXECUTION_STATE NewFlags, // ES_* flags - _Out_ EXECUTION_STATE *PreviousFlags); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetTimer( - _In_ HANDLE TimerHandle, - _In_ PLARGE_INTEGER DueTime, - _In_opt_ PTIMER_APC_ROUTINE TimerApcRoutine, - _In_opt_ PVOID TimerContext, - _In_ BOOLEAN ResumeTimer, - _In_opt_ LONG Period, - _Out_opt_ PBOOLEAN PreviousState); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetTimer2( - _In_ HANDLE TimerHandle, - _In_ PLARGE_INTEGER DueTime, - _In_opt_ PLARGE_INTEGER Period, - _In_ PT2_SET_PARAMETERS Parameters); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetTimerEx( - _In_ HANDLE TimerHandle, - _In_ TIMER_SET_INFORMATION_CLASS TimerSetInformationClass, - _Inout_updates_bytes_opt_(TimerSetInformationLength) PVOID TimerSetInformation, - _In_ ULONG TimerSetInformationLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetTimerResolution( - _In_ ULONG DesiredTime, - _In_ BOOLEAN SetResolution, - _Out_ PULONG ActualTime); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetUuidSeed( - _In_ PCHAR Seed); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetValueKey( - _In_ HANDLE KeyHandle, - _In_ PUNICODE_STRING ValueName, - _In_opt_ ULONG TitleIndex, - _In_ ULONG Type, - _In_reads_bytes_opt_(DataSize) PVOID Data, - _In_ ULONG DataSize); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSetVolumeInformationFile( - _In_ HANDLE FileHandle, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_reads_bytes_(Length) PVOID FsInformation, - _In_ ULONG Length, - _In_ FSINFOCLASS FsInformationClass); - - NTSYSCALLAPI - NTSTATUS - NTAPI - 
ZwSetWnfProcessNotificationEvent( - _In_ HANDLE NotificationEvent); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwShutdownSystem( - _In_ SHUTDOWN_ACTION Action); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwShutdownWorkerFactory( - _In_ HANDLE WorkerFactoryHandle, - _Inout_ volatile LONG *PendingWorkerCount); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSignalAndWaitForSingleObject( - _In_ HANDLE SignalHandle, - _In_ HANDLE WaitHandle, - _In_ BOOLEAN Alertable, - _In_opt_ PLARGE_INTEGER Timeout); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSinglePhaseReject( - _In_ HANDLE EnlistmentHandle, - _In_opt_ PLARGE_INTEGER TmVirtualClock); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwStartProfile( - _In_ HANDLE ProfileHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwStopProfile( - _In_ HANDLE ProfileHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSubmitIoRing( - _In_ HANDLE IoRingHandle, - _In_ ULONG Flags, - _In_opt_ ULONG WaitOperations, - _In_opt_ PLARGE_INTEGER Timeout); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSubscribeWnfStateChange( - _In_ PCWNF_STATE_NAME StateName, - _In_opt_ WNF_CHANGE_STAMP ChangeStamp, - _In_ ULONG EventMask, - _Out_opt_ PULONG64 SubscriptionId); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSuspendProcess( - _In_ HANDLE ProcessHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSuspendThread( - _In_ HANDLE ThreadHandle, - _Out_opt_ PULONG PreviousSuspendCount); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwSystemDebugControl( - _In_ SYSDBG_COMMAND Command, - _Inout_updates_bytes_opt_(InputBufferLength) PVOID InputBuffer, - _In_ ULONG InputBufferLength, - _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer, - _In_ ULONG OutputBufferLength, - _Out_opt_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwTerminateEnclave( - _In_ PVOID BaseAddress, - _In_ ULONG Flags // TERMINATE_ENCLAVE_FLAG_* - ); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwTerminateJobObject( - _In_ HANDLE JobHandle, - _In_ NTSTATUS ExitStatus); - - NTSYSCALLAPI - NTSTATUS - NTAPI - 
ZwTerminateProcess( - _In_opt_ HANDLE ProcessHandle, - _In_ NTSTATUS ExitStatus); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwTerminateThread( - _In_opt_ HANDLE ThreadHandle, - _In_ NTSTATUS ExitStatus); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwTestAlert( - VOID); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwThawRegistry( - VOID); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwThawTransactions( - VOID); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwTraceControl( - _In_ ETWTRACECONTROLCODE FunctionCode, - _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, - _In_ ULONG InputBufferLength, - _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer, - _In_ ULONG OutputBufferLength, - _Out_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwTraceEvent( - _In_opt_ HANDLE TraceHandle, - _In_ ULONG Flags, - _In_ ULONG FieldSize, - _In_ PVOID Fields); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwTranslateFilePath( - _In_ PFILE_PATH InputFilePath, - _In_ ULONG OutputType, - _Out_writes_bytes_opt_(*OutputFilePathLength) PFILE_PATH OutputFilePath, - _Inout_opt_ PULONG OutputFilePathLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwUmsThreadYield( - _In_ PVOID SchedulerParam); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwUnloadDriver( - _In_ PUNICODE_STRING DriverServiceName); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwUnloadKey( - _In_ POBJECT_ATTRIBUTES TargetKey); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwUnloadKey2( - _In_ POBJECT_ATTRIBUTES TargetKey, - _In_ ULONG Flags); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwUnloadKeyEx( - _In_ POBJECT_ATTRIBUTES TargetKey, - _In_opt_ HANDLE Event); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwUnlockFile( - _In_ HANDLE FileHandle, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_ PLARGE_INTEGER ByteOffset, - _In_ PLARGE_INTEGER Length, - _In_ ULONG Key); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwUnlockVirtualMemory( - _In_ HANDLE ProcessHandle, - _Inout_ PVOID *BaseAddress, - _Inout_ PSIZE_T RegionSize, - _In_ ULONG MapType); - - NTSYSCALLAPI - NTSTATUS - NTAPI 
- ZwUnmapViewOfSection( - _In_ HANDLE ProcessHandle, - _In_opt_ PVOID BaseAddress); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwUnmapViewOfSectionEx( - _In_ HANDLE ProcessHandle, - _In_opt_ PVOID BaseAddress, - _In_ ULONG Flags); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwUnsubscribeWnfStateChange( - _In_ PCWNF_STATE_NAME StateName); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwUpdateWnfStateData( - _In_ PCWNF_STATE_NAME StateName, - _In_reads_bytes_opt_(Length) const VOID *Buffer, - _In_opt_ ULONG Length, - _In_opt_ PCWNF_TYPE_ID TypeId, - _In_opt_ const VOID *ExplicitScope, - _In_ WNF_CHANGE_STAMP MatchingChangeStamp, - _In_ LOGICAL CheckStamp); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwVdmControl( - _In_ VDMSERVICECLASS Service, - _Inout_ PVOID ServiceData); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwWaitForAlertByThreadId( - _In_opt_ PVOID Address, - _In_opt_ PLARGE_INTEGER Timeout); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwWaitForDebugEvent( - _In_ HANDLE DebugObjectHandle, - _In_ BOOLEAN Alertable, - _In_opt_ PLARGE_INTEGER Timeout, - _Out_ PDBGUI_WAIT_STATE_CHANGE WaitStateChange); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwWaitForKeyedEvent( - _In_opt_ HANDLE KeyedEventHandle, - _In_ PVOID KeyValue, - _In_ BOOLEAN Alertable, - _In_opt_ PLARGE_INTEGER Timeout); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwWaitForMultipleObjects( - _In_ ULONG Count, - _In_reads_(Count) HANDLE Handles[], - _In_ WAIT_TYPE WaitType, - _In_ BOOLEAN Alertable, - _In_opt_ PLARGE_INTEGER Timeout); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwWaitForMultipleObjects32( - _In_ ULONG Count, - _In_reads_(Count) LONG Handles[], - _In_ WAIT_TYPE WaitType, - _In_ BOOLEAN Alertable, - _In_opt_ PLARGE_INTEGER Timeout); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwWaitForSingleObject( - _In_ HANDLE Handle, - _In_ BOOLEAN Alertable, - _In_opt_ PLARGE_INTEGER Timeout); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwWaitForWorkViaWorkerFactory( - _In_ HANDLE WorkerFactoryHandle, - _Out_writes_to_(Count, *PacketsReturned) 
PFILE_IO_COMPLETION_INFORMATION MiniPackets, - _In_ ULONG Count, - _Out_ PULONG PacketsReturned, - _In_ PWORKER_FACTORY_DEFERRED_WORK DeferredWork); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwWaitHighEventPair( - _In_ HANDLE EventPairHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwWaitLowEventPair( - _In_ HANDLE EventPairHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwWorkerFactoryWorkerReady( - _In_ HANDLE WorkerFactoryHandle); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwWow64QueryInformationProcess64( - _In_ HANDLE ProcessHandle, - _In_ PROCESSINFOCLASS ProcessInformationClass, - _Out_writes_bytes_(ProcessInformationLength) PVOID ProcessInformation, - _In_ ULONG ProcessInformationLength, - _Out_opt_ PULONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwWow64QueryVirtualMemory64( - _In_ HANDLE ProcessHandle, - _In_opt_ ULONGLONG BaseAddress, - _In_ MEMORY_INFORMATION_CLASS MemoryInformationClass, - _Out_writes_bytes_(MemoryInformationLength) PVOID MemoryInformation, - _In_ ULONGLONG MemoryInformationLength, - _Out_opt_ PULONGLONG ReturnLength); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwWow64ReadVirtualMemory64( - _In_ HANDLE ProcessHandle, - _In_opt_ ULONGLONG BaseAddress, - _Out_writes_bytes_to_(NumberOfBytesToRead, *NumberOfBytesRead) PVOID Buffer, - _In_ ULONGLONG NumberOfBytesToRead, - _Out_opt_ PULONGLONG NumberOfBytesRead); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwWow64WriteVirtualMemory64( - _In_ HANDLE ProcessHandle, - _In_opt_ ULONGLONG BaseAddress, - _In_reads_bytes_(NumberOfBytesToWrite) PVOID Buffer, - _In_ ULONGLONG NumberOfBytesToWrite, - _Out_opt_ PULONGLONG NumberOfBytesWritten); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwWriteFile( - _In_ HANDLE FileHandle, - _In_opt_ HANDLE Event, - _In_opt_ PIO_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_reads_bytes_(Length) PVOID Buffer, - _In_ ULONG Length, - _In_opt_ PLARGE_INTEGER ByteOffset, - _In_opt_ PULONG Key); - - NTSYSCALLAPI - NTSTATUS - NTAPI - 
ZwWriteFileGather( - _In_ HANDLE FileHandle, - _In_opt_ HANDLE Event, - _In_opt_ PIO_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_ PFILE_SEGMENT_ELEMENT SegmentArray, - _In_ ULONG Length, - _In_opt_ PLARGE_INTEGER ByteOffset, - _In_opt_ PULONG Key); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwWriteRequestData( - _In_ HANDLE PortHandle, - _In_ PPORT_MESSAGE Message, - _In_ ULONG DataEntryIndex, - _In_reads_bytes_(BufferSize) PVOID Buffer, - _In_ SIZE_T BufferSize, - _Out_opt_ PSIZE_T NumberOfBytesWritten); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwWriteVirtualMemory( - _In_ HANDLE ProcessHandle, - _In_opt_ PVOID BaseAddress, - _In_reads_bytes_(NumberOfBytesToWrite) PVOID Buffer, - _In_ SIZE_T NumberOfBytesToWrite, - _Out_opt_ PSIZE_T NumberOfBytesWritten); - - NTSYSCALLAPI - NTSTATUS - NTAPI - ZwYieldExecution( - VOID); - -#endif -#endif - -#ifdef __cplusplus -} -#endif - -static_assert(__alignof(LARGE_INTEGER) == 8, "Windows headers require the default packing option. Changing the packing can lead to memory corruption."); -static_assert(__alignof(PROCESS_CYCLE_TIME_INFORMATION) == 8, "PHNT headers require the default packing option. Changing the packing can lead to memory corruption."); - -#endif - -#endif // _PHNT_AMALGAMATE_H
diff --git a/util/bb-sdk/src/arch.rs b/util/bb-sdk/src/arch.rs
deleted file mode 100644
index 6115392..0000000
--- a/util/bb-sdk/src/arch.rs
+++ /dev/null
@@ -1,39 +0,0 @@
-//! Architecture definitions for cross-compilation support.
-
-/* ────────────────────────────────── Types ───────────────────────────────── */
-
-#[derive(Debug, Clone, Copy, PartialEq, Eq, clap::ValueEnum)]
-pub enum Arch {
- X86,
- Amd64,
- Arm,
- Arm64,
-}
-
-impl Arch {
- #[must_use]
- pub const fn target_triple(self) -> &'static str {
- match self {
- Self::X86 => "i686-pc-windows-msvc",
- Self::Amd64 => "x86_64-pc-windows-msvc",
- Self::Arm => "thumbv7-pc-windows-msvc",
- Self::Arm64 => "aarch64-pc-windows-msvc",
- }
- }
-
- #[must_use]
- pub const fn defines(self) -> &'static [&'static str] {
- match self {
- Self::X86 => &["-D_WIN32", "-D_X86_", "-D_M_IX86=600"],
- Self::Amd64 => &[
- "-D_WIN32",
- "-D_WIN64",
- "-D_AMD64_",
- "-D_M_AMD64=100",
- "-D_M_X64=100",
- ],
- Self::Arm => &["-D_WIN32", "-D_ARM_", "-D_M_ARM=7"],
- Self::Arm64 => &["-D_WIN32", "-D_WIN64", "-D_ARM64_", "-D_M_ARM64=1"],
- }
- }
-}