mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-12 13:25:30 +00:00
386 lines
8.5 KiB
C
386 lines
8.5 KiB
C
|
/*
|
||
|
* This file is part of the Process Hacker project - https://processhacker.sourceforge.io/
|
||
|
*
|
||
|
* You can redistribute this file and/or modify it under the terms of the
|
||
|
* Attribution 4.0 International (CC BY 4.0) license.
|
||
|
*
|
||
|
* You must give appropriate credit, provide a link to the license, and
|
||
|
* indicate if changes were made. You may do so in any reasonable manner, but
|
||
|
* not in any way that suggests the licensor endorses you or your use.
|
||
|
*/
|
||
|
|
||
|
#ifndef _NTOBAPI_H
|
||
|
#define _NTOBAPI_H
|
||
|
|
||
|
#if (PHNT_MODE != PHNT_MODE_KERNEL)
|
||
|
#define OBJECT_TYPE_CREATE 0x0001
|
||
|
#define OBJECT_TYPE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1)
|
||
|
#endif
|
||
|
|
||
|
#if (PHNT_MODE != PHNT_MODE_KERNEL)
|
||
|
#define DIRECTORY_QUERY 0x0001
|
||
|
#define DIRECTORY_TRAVERSE 0x0002
|
||
|
#define DIRECTORY_CREATE_OBJECT 0x0004
|
||
|
#define DIRECTORY_CREATE_SUBDIRECTORY 0x0008
|
||
|
#define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xf)
|
||
|
#endif
|
||
|
|
||
|
#if (PHNT_MODE != PHNT_MODE_KERNEL)
|
||
|
#define SYMBOLIC_LINK_QUERY 0x0001
|
||
|
#define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1)
|
||
|
#endif
|
||
|
|
||
|
#define OBJ_PROTECT_CLOSE 0x00000001
|
||
|
#ifndef OBJ_INHERIT
|
||
|
#define OBJ_INHERIT 0x00000002
|
||
|
#endif
|
||
|
#define OBJ_AUDIT_OBJECT_CLOSE 0x00000004
|
||
|
|
||
|
#if (PHNT_MODE != PHNT_MODE_KERNEL)
|
||
|
typedef enum _OBJECT_INFORMATION_CLASS
|
||
|
{
|
||
|
ObjectBasicInformation, // OBJECT_BASIC_INFORMATION
|
||
|
ObjectNameInformation, // OBJECT_NAME_INFORMATION
|
||
|
ObjectTypeInformation, // OBJECT_TYPE_INFORMATION
|
||
|
ObjectTypesInformation, // OBJECT_TYPES_INFORMATION
|
||
|
ObjectHandleFlagInformation, // OBJECT_HANDLE_FLAG_INFORMATION
|
||
|
ObjectSessionInformation,
|
||
|
ObjectSessionObjectInformation,
|
||
|
MaxObjectInfoClass
|
||
|
} OBJECT_INFORMATION_CLASS;
|
||
|
#else
|
||
|
#define ObjectBasicInformation 0
|
||
|
#define ObjectNameInformation 1
|
||
|
#define ObjectTypesInformation 3
|
||
|
#define ObjectHandleFlagInformation 4
|
||
|
#define ObjectSessionInformation 5
|
||
|
#define ObjectSessionObjectInformation 6
|
||
|
#endif
|
||
|
|
||
|
typedef struct _OBJECT_BASIC_INFORMATION
|
||
|
{
|
||
|
ULONG Attributes;
|
||
|
ACCESS_MASK GrantedAccess;
|
||
|
ULONG HandleCount;
|
||
|
ULONG PointerCount;
|
||
|
ULONG PagedPoolCharge;
|
||
|
ULONG NonPagedPoolCharge;
|
||
|
ULONG Reserved[3];
|
||
|
ULONG NameInfoSize;
|
||
|
ULONG TypeInfoSize;
|
||
|
ULONG SecurityDescriptorSize;
|
||
|
LARGE_INTEGER CreationTime;
|
||
|
} OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION;
|
||
|
|
||
|
#if (PHNT_MODE != PHNT_MODE_KERNEL)
|
||
|
typedef struct _OBJECT_NAME_INFORMATION
|
||
|
{
|
||
|
UNICODE_STRING Name;
|
||
|
} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;
|
||
|
#endif
|
||
|
|
||
|
typedef struct _OBJECT_TYPE_INFORMATION
|
||
|
{
|
||
|
UNICODE_STRING TypeName;
|
||
|
ULONG TotalNumberOfObjects;
|
||
|
ULONG TotalNumberOfHandles;
|
||
|
ULONG TotalPagedPoolUsage;
|
||
|
ULONG TotalNonPagedPoolUsage;
|
||
|
ULONG TotalNamePoolUsage;
|
||
|
ULONG TotalHandleTableUsage;
|
||
|
ULONG HighWaterNumberOfObjects;
|
||
|
ULONG HighWaterNumberOfHandles;
|
||
|
ULONG HighWaterPagedPoolUsage;
|
||
|
ULONG HighWaterNonPagedPoolUsage;
|
||
|
ULONG HighWaterNamePoolUsage;
|
||
|
ULONG HighWaterHandleTableUsage;
|
||
|
ULONG InvalidAttributes;
|
||
|
GENERIC_MAPPING GenericMapping;
|
||
|
ULONG ValidAccessMask;
|
||
|
BOOLEAN SecurityRequired;
|
||
|
BOOLEAN MaintainHandleCount;
|
||
|
UCHAR TypeIndex; // since WINBLUE
|
||
|
CHAR ReservedByte;
|
||
|
ULONG PoolType;
|
||
|
ULONG DefaultPagedPoolCharge;
|
||
|
ULONG DefaultNonPagedPoolCharge;
|
||
|
} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;
|
||
|
|
||
|
typedef struct _OBJECT_TYPES_INFORMATION
|
||
|
{
|
||
|
ULONG NumberOfTypes;
|
||
|
} OBJECT_TYPES_INFORMATION, *POBJECT_TYPES_INFORMATION;
|
||
|
|
||
|
typedef struct _OBJECT_HANDLE_FLAG_INFORMATION
|
||
|
{
|
||
|
BOOLEAN Inherit;
|
||
|
BOOLEAN ProtectFromClose;
|
||
|
} OBJECT_HANDLE_FLAG_INFORMATION, *POBJECT_HANDLE_FLAG_INFORMATION;
|
||
|
|
||
|
// Objects, handles
|
||
|
|
||
|
#if (PHNT_MODE != PHNT_MODE_KERNEL)
|
||
|
|
||
|
NTSYSCALLAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
NtQueryObject(
|
||
|
_In_opt_ HANDLE Handle,
|
||
|
_In_ OBJECT_INFORMATION_CLASS ObjectInformationClass,
|
||
|
_Out_writes_bytes_opt_(ObjectInformationLength) PVOID ObjectInformation,
|
||
|
_In_ ULONG ObjectInformationLength,
|
||
|
_Out_opt_ PULONG ReturnLength
|
||
|
);
|
||
|
|
||
|
NTSYSCALLAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
NtSetInformationObject(
|
||
|
_In_ HANDLE Handle,
|
||
|
_In_ OBJECT_INFORMATION_CLASS ObjectInformationClass,
|
||
|
_In_reads_bytes_(ObjectInformationLength) PVOID ObjectInformation,
|
||
|
_In_ ULONG ObjectInformationLength
|
||
|
);
|
||
|
|
||
|
#define DUPLICATE_CLOSE_SOURCE 0x00000001
|
||
|
#define DUPLICATE_SAME_ACCESS 0x00000002
|
||
|
#define DUPLICATE_SAME_ATTRIBUTES 0x00000004
|
||
|
|
||
|
NTSYSCALLAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
NtDuplicateObject(
|
||
|
_In_ HANDLE SourceProcessHandle,
|
||
|
_In_ HANDLE SourceHandle,
|
||
|
_In_opt_ HANDLE TargetProcessHandle,
|
||
|
_Out_opt_ PHANDLE TargetHandle,
|
||
|
_In_ ACCESS_MASK DesiredAccess,
|
||
|
_In_ ULONG HandleAttributes,
|
||
|
_In_ ULONG Options
|
||
|
);
|
||
|
|
||
|
NTSYSCALLAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
NtMakeTemporaryObject(
|
||
|
_In_ HANDLE Handle
|
||
|
);
|
||
|
|
||
|
NTSYSCALLAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
NtMakePermanentObject(
|
||
|
_In_ HANDLE Handle
|
||
|
);
|
||
|
|
||
|
NTSYSCALLAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
NtSignalAndWaitForSingleObject(
|
||
|
_In_ HANDLE SignalHandle,
|
||
|
_In_ HANDLE WaitHandle,
|
||
|
_In_ BOOLEAN Alertable,
|
||
|
_In_opt_ PLARGE_INTEGER Timeout
|
||
|
);
|
||
|
|
||
|
NTSYSCALLAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
NtWaitForSingleObject(
|
||
|
_In_ HANDLE Handle,
|
||
|
_In_ BOOLEAN Alertable,
|
||
|
_In_opt_ PLARGE_INTEGER Timeout
|
||
|
);
|
||
|
|
||
|
NTSYSCALLAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
NtWaitForMultipleObjects(
|
||
|
_In_ ULONG Count,
|
||
|
_In_reads_(Count) HANDLE Handles[],
|
||
|
_In_ WAIT_TYPE WaitType,
|
||
|
_In_ BOOLEAN Alertable,
|
||
|
_In_opt_ PLARGE_INTEGER Timeout
|
||
|
);
|
||
|
|
||
|
#if (PHNT_VERSION >= PHNT_WS03)
|
||
|
NTSYSCALLAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
NtWaitForMultipleObjects32(
|
||
|
_In_ ULONG Count,
|
||
|
_In_reads_(Count) LONG Handles[],
|
||
|
_In_ WAIT_TYPE WaitType,
|
||
|
_In_ BOOLEAN Alertable,
|
||
|
_In_opt_ PLARGE_INTEGER Timeout
|
||
|
);
|
||
|
#endif
|
||
|
|
||
|
NTSYSCALLAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
NtSetSecurityObject(
|
||
|
_In_ HANDLE Handle,
|
||
|
_In_ SECURITY_INFORMATION SecurityInformation,
|
||
|
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor
|
||
|
);
|
||
|
|
||
|
NTSYSCALLAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
NtQuerySecurityObject(
|
||
|
_In_ HANDLE Handle,
|
||
|
_In_ SECURITY_INFORMATION SecurityInformation,
|
||
|
_Out_writes_bytes_opt_(Length) PSECURITY_DESCRIPTOR SecurityDescriptor,
|
||
|
_In_ ULONG Length,
|
||
|
_Out_ PULONG LengthNeeded
|
||
|
);
|
||
|
|
||
|
NTSYSCALLAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
NtClose(
|
||
|
_In_ HANDLE Handle
|
||
|
);
|
||
|
|
||
|
#if (PHNT_VERSION >= PHNT_THRESHOLD)
|
||
|
NTSYSCALLAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
NtCompareObjects(
|
||
|
_In_ HANDLE FirstObjectHandle,
|
||
|
_In_ HANDLE SecondObjectHandle
|
||
|
);
|
||
|
#endif
|
||
|
|
||
|
#endif
|
||
|
|
||
|
// Directory objects
|
||
|
|
||
|
#if (PHNT_MODE != PHNT_MODE_KERNEL)
|
||
|
|
||
|
NTSYSCALLAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
NtCreateDirectoryObject(
|
||
|
_Out_ PHANDLE DirectoryHandle,
|
||
|
_In_ ACCESS_MASK DesiredAccess,
|
||
|
_In_ POBJECT_ATTRIBUTES ObjectAttributes
|
||
|
);
|
||
|
|
||
|
#if (PHNT_VERSION >= PHNT_WIN8)
|
||
|
NTSYSCALLAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
NtCreateDirectoryObjectEx(
|
||
|
_Out_ PHANDLE DirectoryHandle,
|
||
|
_In_ ACCESS_MASK DesiredAccess,
|
||
|
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
|
||
|
_In_ HANDLE ShadowDirectoryHandle,
|
||
|
_In_ ULONG Flags
|
||
|
);
|
||
|
#endif
|
||
|
|
||
|
NTSYSCALLAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
NtOpenDirectoryObject(
|
||
|
_Out_ PHANDLE DirectoryHandle,
|
||
|
_In_ ACCESS_MASK DesiredAccess,
|
||
|
_In_ POBJECT_ATTRIBUTES ObjectAttributes
|
||
|
);
|
||
|
|
||
|
typedef struct _OBJECT_DIRECTORY_INFORMATION
|
||
|
{
|
||
|
UNICODE_STRING Name;
|
||
|
UNICODE_STRING TypeName;
|
||
|
} OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION;
|
||
|
|
||
|
NTSYSCALLAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
NtQueryDirectoryObject(
|
||
|
_In_ HANDLE DirectoryHandle,
|
||
|
_Out_writes_bytes_opt_(Length) PVOID Buffer,
|
||
|
_In_ ULONG Length,
|
||
|
_In_ BOOLEAN ReturnSingleEntry,
|
||
|
_In_ BOOLEAN RestartScan,
|
||
|
_Inout_ PULONG Context,
|
||
|
_Out_opt_ PULONG ReturnLength
|
||
|
);
|
||
|
|
||
|
#endif
|
||
|
|
||
|
// Private namespaces
|
||
|
|
||
|
#if (PHNT_MODE != PHNT_MODE_KERNEL)
|
||
|
|
||
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
||
|
|
||
|
NTSYSCALLAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
NtCreatePrivateNamespace(
|
||
|
_Out_ PHANDLE NamespaceHandle,
|
||
|
_In_ ACCESS_MASK DesiredAccess,
|
||
|
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
|
||
|
_In_ PVOID BoundaryDescriptor
|
||
|
);
|
||
|
|
||
|
NTSYSCALLAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
NtOpenPrivateNamespace(
|
||
|
_Out_ PHANDLE NamespaceHandle,
|
||
|
_In_ ACCESS_MASK DesiredAccess,
|
||
|
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
|
||
|
_In_ PVOID BoundaryDescriptor
|
||
|
);
|
||
|
|
||
|
NTSYSCALLAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
NtDeletePrivateNamespace(
|
||
|
_In_ HANDLE NamespaceHandle
|
||
|
);
|
||
|
|
||
|
#endif
|
||
|
|
||
|
#endif
|
||
|
|
||
|
// Symbolic links
|
||
|
|
||
|
#if (PHNT_MODE != PHNT_MODE_KERNEL)
|
||
|
|
||
|
NTSYSCALLAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
NtCreateSymbolicLinkObject(
|
||
|
_Out_ PHANDLE LinkHandle,
|
||
|
_In_ ACCESS_MASK DesiredAccess,
|
||
|
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
|
||
|
_In_ PUNICODE_STRING LinkTarget
|
||
|
);
|
||
|
|
||
|
NTSYSCALLAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
NtOpenSymbolicLinkObject(
|
||
|
_Out_ PHANDLE LinkHandle,
|
||
|
_In_ ACCESS_MASK DesiredAccess,
|
||
|
_In_ POBJECT_ATTRIBUTES ObjectAttributes
|
||
|
);
|
||
|
|
||
|
NTSYSCALLAPI
|
||
|
NTSTATUS
|
||
|
NTAPI
|
||
|
NtQuerySymbolicLinkObject(
|
||
|
_In_ HANDLE LinkHandle,
|
||
|
_Inout_ PUNICODE_STRING LinkTarget,
|
||
|
_Out_opt_ PULONG ReturnedLength
|
||
|
);
|
||
|
|
||
|
#endif
|
||
|
|
||
|
#endif
|