/* * This file is part of the Process Hacker project - https://processhacker.sourceforge.io/ * * You can redistribute this file and/or modify it under the terms of the * Attribution 4.0 International (CC BY 4.0) license. * * You must give appropriate credit, provide a link to the license, and * indicate if changes were made. You may do so in any reasonable manner, but * not in any way that suggests the licensor endorses you or your use. */ #ifndef _NTRTL_H #define _NTRTL_H #define RtlOffsetToPointer(Base, Offset) ((PCHAR)(((PCHAR)(Base)) + ((ULONG_PTR)(Offset)))) #define RtlPointerToOffset(Base, Pointer) ((ULONG)(((PCHAR)(Pointer)) - ((PCHAR)(Base)))) // Linked lists FORCEINLINE VOID InitializeListHead( _Out_ PLIST_ENTRY ListHead ) { ListHead->Flink = ListHead->Blink = ListHead; } _Check_return_ FORCEINLINE BOOLEAN IsListEmpty( _In_ PLIST_ENTRY ListHead ) { return ListHead->Flink == ListHead; } FORCEINLINE BOOLEAN RemoveEntryList( _In_ PLIST_ENTRY Entry ) { PLIST_ENTRY Blink; PLIST_ENTRY Flink; Flink = Entry->Flink; Blink = Entry->Blink; Blink->Flink = Flink; Flink->Blink = Blink; return Flink == Blink; } FORCEINLINE PLIST_ENTRY RemoveHeadList( _Inout_ PLIST_ENTRY ListHead ) { PLIST_ENTRY Flink; PLIST_ENTRY Entry; Entry = ListHead->Flink; Flink = Entry->Flink; ListHead->Flink = Flink; Flink->Blink = ListHead; return Entry; } FORCEINLINE PLIST_ENTRY RemoveTailList( _Inout_ PLIST_ENTRY ListHead ) { PLIST_ENTRY Blink; PLIST_ENTRY Entry; Entry = ListHead->Blink; Blink = Entry->Blink; ListHead->Blink = Blink; Blink->Flink = ListHead; return Entry; } FORCEINLINE VOID InsertTailList( _Inout_ PLIST_ENTRY ListHead, _Inout_ PLIST_ENTRY Entry ) { PLIST_ENTRY Blink; Blink = ListHead->Blink; Entry->Flink = ListHead; Entry->Blink = Blink; Blink->Flink = Entry; ListHead->Blink = Entry; } FORCEINLINE VOID InsertHeadList( _Inout_ PLIST_ENTRY ListHead, _Inout_ PLIST_ENTRY Entry ) { PLIST_ENTRY Flink; Flink = ListHead->Flink; Entry->Flink = Flink; Entry->Blink = ListHead; Flink->Blink = Entry; ListHead->Flink = Entry; } FORCEINLINE VOID AppendTailList( _Inout_ PLIST_ENTRY ListHead, _Inout_ PLIST_ENTRY ListToAppend ) { PLIST_ENTRY ListEnd = ListHead->Blink; ListHead->Blink->Flink = ListToAppend; ListHead->Blink = ListToAppend->Blink; ListToAppend->Blink->Flink = ListHead; ListToAppend->Blink = ListEnd; } FORCEINLINE PSINGLE_LIST_ENTRY PopEntryList( _Inout_ PSINGLE_LIST_ENTRY ListHead ) { PSINGLE_LIST_ENTRY FirstEntry; FirstEntry = ListHead->Next; if (FirstEntry) ListHead->Next = FirstEntry->Next; return FirstEntry; } FORCEINLINE VOID PushEntryList( _Inout_ PSINGLE_LIST_ENTRY ListHead, _Inout_ PSINGLE_LIST_ENTRY Entry ) { Entry->Next = ListHead->Next; ListHead->Next = Entry; } // AVL and splay trees typedef enum _TABLE_SEARCH_RESULT { TableEmptyTree, TableFoundNode, TableInsertAsLeft, TableInsertAsRight } TABLE_SEARCH_RESULT; typedef enum _RTL_GENERIC_COMPARE_RESULTS { GenericLessThan, GenericGreaterThan, GenericEqual } RTL_GENERIC_COMPARE_RESULTS; typedef RTL_GENERIC_COMPARE_RESULTS (NTAPI *PRTL_AVL_COMPARE_ROUTINE)( _In_ struct _RTL_AVL_TABLE *Table, _In_ PVOID FirstStruct, _In_ PVOID SecondStruct ); typedef PVOID (NTAPI *PRTL_AVL_ALLOCATE_ROUTINE)( _In_ struct _RTL_AVL_TABLE *Table, _In_ CLONG ByteSize ); typedef VOID (NTAPI *PRTL_AVL_FREE_ROUTINE)( _In_ struct _RTL_AVL_TABLE *Table, _In_ _Post_invalid_ PVOID Buffer ); typedef NTSTATUS (NTAPI *PRTL_AVL_MATCH_FUNCTION)( _In_ struct _RTL_AVL_TABLE *Table, _In_ PVOID UserData, _In_ PVOID MatchData ); typedef struct _RTL_BALANCED_LINKS { struct _RTL_BALANCED_LINKS *Parent; struct _RTL_BALANCED_LINKS *LeftChild; struct _RTL_BALANCED_LINKS *RightChild; CHAR Balance; UCHAR Reserved[3]; } RTL_BALANCED_LINKS, *PRTL_BALANCED_LINKS; typedef struct _RTL_AVL_TABLE { RTL_BALANCED_LINKS BalancedRoot; PVOID OrderedPointer; ULONG WhichOrderedElement; ULONG NumberGenericTableElements; ULONG DepthOfTree; PRTL_BALANCED_LINKS RestartKey; ULONG DeleteCount; PRTL_AVL_COMPARE_ROUTINE CompareRoutine; PRTL_AVL_ALLOCATE_ROUTINE AllocateRoutine; PRTL_AVL_FREE_ROUTINE FreeRoutine; PVOID TableContext; } RTL_AVL_TABLE, *PRTL_AVL_TABLE; NTSYSAPI VOID NTAPI RtlInitializeGenericTableAvl( _Out_ PRTL_AVL_TABLE Table, _In_ PRTL_AVL_COMPARE_ROUTINE CompareRoutine, _In_ PRTL_AVL_ALLOCATE_ROUTINE AllocateRoutine, _In_ PRTL_AVL_FREE_ROUTINE FreeRoutine, _In_opt_ PVOID TableContext ); NTSYSAPI PVOID NTAPI RtlInsertElementGenericTableAvl( _In_ PRTL_AVL_TABLE Table, _In_reads_bytes_(BufferSize) PVOID Buffer, _In_ CLONG BufferSize, _Out_opt_ PBOOLEAN NewElement ); NTSYSAPI PVOID NTAPI RtlInsertElementGenericTableFullAvl( _In_ PRTL_AVL_TABLE Table, _In_reads_bytes_(BufferSize) PVOID Buffer, _In_ CLONG BufferSize, _Out_opt_ PBOOLEAN NewElement, _In_ PVOID NodeOrParent, _In_ TABLE_SEARCH_RESULT SearchResult ); NTSYSAPI BOOLEAN NTAPI RtlDeleteElementGenericTableAvl( _In_ PRTL_AVL_TABLE Table, _In_ PVOID Buffer ); _Check_return_ NTSYSAPI PVOID NTAPI RtlLookupElementGenericTableAvl( _In_ PRTL_AVL_TABLE Table, _In_ PVOID Buffer ); NTSYSAPI PVOID NTAPI RtlLookupElementGenericTableFullAvl( _In_ PRTL_AVL_TABLE Table, _In_ PVOID Buffer, _Out_ PVOID *NodeOrParent, _Out_ TABLE_SEARCH_RESULT *SearchResult ); _Check_return_ NTSYSAPI PVOID NTAPI RtlEnumerateGenericTableAvl( _In_ PRTL_AVL_TABLE Table, _In_ BOOLEAN Restart ); _Check_return_ NTSYSAPI PVOID NTAPI RtlEnumerateGenericTableWithoutSplayingAvl( _In_ PRTL_AVL_TABLE Table, _Inout_ PVOID *RestartKey ); _Check_return_ NTSYSAPI PVOID NTAPI RtlLookupFirstMatchingElementGenericTableAvl( _In_ PRTL_AVL_TABLE Table, _In_ PVOID Buffer, _Out_ PVOID *RestartKey ); _Check_return_ NTSYSAPI PVOID NTAPI RtlEnumerateGenericTableLikeADirectory( _In_ PRTL_AVL_TABLE Table, _In_opt_ PRTL_AVL_MATCH_FUNCTION MatchFunction, _In_opt_ PVOID MatchData, _In_ ULONG NextFlag, _Inout_ PVOID *RestartKey, _Inout_ PULONG DeleteCount, _In_ PVOID Buffer ); _Check_return_ NTSYSAPI PVOID NTAPI RtlGetElementGenericTableAvl( _In_ PRTL_AVL_TABLE Table, _In_ ULONG I ); NTSYSAPI ULONG NTAPI RtlNumberGenericTableElementsAvl( _In_ PRTL_AVL_TABLE Table ); _Check_return_ NTSYSAPI BOOLEAN NTAPI RtlIsGenericTableEmptyAvl( _In_ PRTL_AVL_TABLE Table ); typedef struct _RTL_SPLAY_LINKS { struct _RTL_SPLAY_LINKS *Parent; struct _RTL_SPLAY_LINKS *LeftChild; struct _RTL_SPLAY_LINKS *RightChild; } RTL_SPLAY_LINKS, *PRTL_SPLAY_LINKS; #define RtlInitializeSplayLinks(Links) \ { \ PRTL_SPLAY_LINKS _SplayLinks; \ _SplayLinks = (PRTL_SPLAY_LINKS)(Links); \ _SplayLinks->Parent = _SplayLinks; \ _SplayLinks->LeftChild = NULL; \ _SplayLinks->RightChild = NULL; \ } #define RtlParent(Links) ((PRTL_SPLAY_LINKS)(Links)->Parent) #define RtlLeftChild(Links) ((PRTL_SPLAY_LINKS)(Links)->LeftChild) #define RtlRightChild(Links) ((PRTL_SPLAY_LINKS)(Links)->RightChild) #define RtlIsRoot(Links) ((RtlParent(Links) == (PRTL_SPLAY_LINKS)(Links))) #define RtlIsLeftChild(Links) ((RtlLeftChild(RtlParent(Links)) == (PRTL_SPLAY_LINKS)(Links))) #define RtlIsRightChild(Links) ((RtlRightChild(RtlParent(Links)) == (PRTL_SPLAY_LINKS)(Links))) #define RtlInsertAsLeftChild(ParentLinks, ChildLinks) \ { \ PRTL_SPLAY_LINKS _SplayParent; \ PRTL_SPLAY_LINKS _SplayChild; \ _SplayParent = (PRTL_SPLAY_LINKS)(ParentLinks); \ _SplayChild = (PRTL_SPLAY_LINKS)(ChildLinks); \ _SplayParent->LeftChild = _SplayChild; \ _SplayChild->Parent = _SplayParent; \ } #define RtlInsertAsRightChild(ParentLinks, ChildLinks) \ { \ PRTL_SPLAY_LINKS _SplayParent; \ PRTL_SPLAY_LINKS _SplayChild; \ _SplayParent = (PRTL_SPLAY_LINKS)(ParentLinks); \ _SplayChild = (PRTL_SPLAY_LINKS)(ChildLinks); \ _SplayParent->RightChild = _SplayChild; \ _SplayChild->Parent = _SplayParent; \ } NTSYSAPI PRTL_SPLAY_LINKS NTAPI RtlSplay( _Inout_ PRTL_SPLAY_LINKS Links ); NTSYSAPI PRTL_SPLAY_LINKS NTAPI RtlDelete( _In_ PRTL_SPLAY_LINKS Links ); NTSYSAPI VOID NTAPI RtlDeleteNoSplay( _In_ PRTL_SPLAY_LINKS Links, _Inout_ PRTL_SPLAY_LINKS *Root ); _Check_return_ NTSYSAPI PRTL_SPLAY_LINKS NTAPI RtlSubtreeSuccessor( _In_ PRTL_SPLAY_LINKS Links ); _Check_return_ NTSYSAPI PRTL_SPLAY_LINKS NTAPI RtlSubtreePredecessor( _In_ PRTL_SPLAY_LINKS Links ); _Check_return_ NTSYSAPI PRTL_SPLAY_LINKS NTAPI RtlRealSuccessor( _In_ PRTL_SPLAY_LINKS Links ); _Check_return_ NTSYSAPI PRTL_SPLAY_LINKS NTAPI RtlRealPredecessor( _In_ PRTL_SPLAY_LINKS Links ); struct _RTL_GENERIC_TABLE; typedef RTL_GENERIC_COMPARE_RESULTS (NTAPI *PRTL_GENERIC_COMPARE_ROUTINE)( _In_ struct _RTL_GENERIC_TABLE *Table, _In_ PVOID FirstStruct, _In_ PVOID SecondStruct ); typedef PVOID (NTAPI *PRTL_GENERIC_ALLOCATE_ROUTINE)( _In_ struct _RTL_GENERIC_TABLE *Table, _In_ CLONG ByteSize ); typedef VOID (NTAPI *PRTL_GENERIC_FREE_ROUTINE)( _In_ struct _RTL_GENERIC_TABLE *Table, _In_ _Post_invalid_ PVOID Buffer ); typedef struct _RTL_GENERIC_TABLE { PRTL_SPLAY_LINKS TableRoot; LIST_ENTRY InsertOrderList; PLIST_ENTRY OrderedPointer; ULONG WhichOrderedElement; ULONG NumberGenericTableElements; PRTL_GENERIC_COMPARE_ROUTINE CompareRoutine; PRTL_GENERIC_ALLOCATE_ROUTINE AllocateRoutine; PRTL_GENERIC_FREE_ROUTINE FreeRoutine; PVOID TableContext; } RTL_GENERIC_TABLE, *PRTL_GENERIC_TABLE; NTSYSAPI VOID NTAPI RtlInitializeGenericTable( _Out_ PRTL_GENERIC_TABLE Table, _In_ PRTL_GENERIC_COMPARE_ROUTINE CompareRoutine, _In_ PRTL_GENERIC_ALLOCATE_ROUTINE AllocateRoutine, _In_ PRTL_GENERIC_FREE_ROUTINE FreeRoutine, _In_opt_ PVOID TableContext ); NTSYSAPI PVOID NTAPI RtlInsertElementGenericTable( _In_ PRTL_GENERIC_TABLE Table, _In_reads_bytes_(BufferSize) PVOID Buffer, _In_ CLONG BufferSize, _Out_opt_ PBOOLEAN NewElement ); NTSYSAPI PVOID NTAPI RtlInsertElementGenericTableFull( _In_ PRTL_GENERIC_TABLE Table, _In_reads_bytes_(BufferSize) PVOID Buffer, _In_ CLONG BufferSize, _Out_opt_ PBOOLEAN NewElement, _In_ PVOID NodeOrParent, _In_ TABLE_SEARCH_RESULT SearchResult ); NTSYSAPI BOOLEAN NTAPI RtlDeleteElementGenericTable( _In_ PRTL_GENERIC_TABLE Table, _In_ PVOID Buffer ); _Check_return_ NTSYSAPI PVOID NTAPI RtlLookupElementGenericTable( _In_ PRTL_GENERIC_TABLE Table, _In_ PVOID Buffer ); NTSYSAPI PVOID NTAPI RtlLookupElementGenericTableFull( _In_ PRTL_GENERIC_TABLE Table, _In_ PVOID Buffer, _Out_ PVOID *NodeOrParent, _Out_ TABLE_SEARCH_RESULT *SearchResult ); _Check_return_ NTSYSAPI PVOID NTAPI RtlEnumerateGenericTable( _In_ PRTL_GENERIC_TABLE Table, _In_ BOOLEAN Restart ); _Check_return_ NTSYSAPI PVOID NTAPI RtlEnumerateGenericTableWithoutSplaying( _In_ PRTL_GENERIC_TABLE Table, _Inout_ PVOID *RestartKey ); _Check_return_ NTSYSAPI PVOID NTAPI RtlGetElementGenericTable( _In_ PRTL_GENERIC_TABLE Table, _In_ ULONG I ); NTSYSAPI ULONG NTAPI RtlNumberGenericTableElements( _In_ PRTL_GENERIC_TABLE Table ); _Check_return_ NTSYSAPI BOOLEAN NTAPI RtlIsGenericTableEmpty( _In_ PRTL_GENERIC_TABLE Table ); // RB trees typedef struct _RTL_RB_TREE { PRTL_BALANCED_NODE Root; PRTL_BALANCED_NODE Min; } RTL_RB_TREE, *PRTL_RB_TREE; #if (PHNT_VERSION >= PHNT_WIN8) // rev NTSYSAPI VOID NTAPI RtlRbInsertNodeEx( _In_ PRTL_RB_TREE Tree, _In_opt_ PRTL_BALANCED_NODE Parent, _In_ BOOLEAN Right, _Out_ PRTL_BALANCED_NODE Node ); // rev NTSYSAPI VOID NTAPI RtlRbRemoveNode( _In_ PRTL_RB_TREE Tree, _In_ PRTL_BALANCED_NODE Node ); #endif // Hash tables // begin_ntddk #define RTL_HASH_ALLOCATED_HEADER 0x00000001 #define RTL_HASH_RESERVED_SIGNATURE 0 typedef struct _RTL_DYNAMIC_HASH_TABLE_ENTRY { LIST_ENTRY Linkage; ULONG_PTR Signature; } RTL_DYNAMIC_HASH_TABLE_ENTRY, *PRTL_DYNAMIC_HASH_TABLE_ENTRY; #define HASH_ENTRY_KEY(x) ((x)->Signature) typedef struct _RTL_DYNAMIC_HASH_TABLE_CONTEXT { PLIST_ENTRY ChainHead; PLIST_ENTRY PrevLinkage; ULONG_PTR Signature; } RTL_DYNAMIC_HASH_TABLE_CONTEXT, *PRTL_DYNAMIC_HASH_TABLE_CONTEXT; typedef struct _RTL_DYNAMIC_HASH_TABLE_ENUMERATOR { RTL_DYNAMIC_HASH_TABLE_ENTRY HashEntry; PLIST_ENTRY ChainHead; ULONG BucketIndex; } RTL_DYNAMIC_HASH_TABLE_ENUMERATOR, *PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR; typedef struct _RTL_DYNAMIC_HASH_TABLE { // Entries initialized at creation. ULONG Flags; ULONG Shift; // Entries used in bucket computation. ULONG TableSize; ULONG Pivot; ULONG DivisorMask; // Counters. ULONG NumEntries; ULONG NonEmptyBuckets; ULONG NumEnumerators; // The directory. This field is for internal use only. PVOID Directory; } RTL_DYNAMIC_HASH_TABLE, *PRTL_DYNAMIC_HASH_TABLE; #if (PHNT_VERSION >= PHNT_WIN7) FORCEINLINE VOID RtlInitHashTableContext( _Inout_ PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context ) { Context->ChainHead = NULL; Context->PrevLinkage = NULL; } FORCEINLINE VOID RtlInitHashTableContextFromEnumerator( _Inout_ PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context, _In_ PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator ) { Context->ChainHead = Enumerator->ChainHead; Context->PrevLinkage = Enumerator->HashEntry.Linkage.Blink; } FORCEINLINE VOID RtlReleaseHashTableContext( _Inout_ PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context ) { UNREFERENCED_PARAMETER(Context); return; } FORCEINLINE ULONG RtlTotalBucketsHashTable( _In_ PRTL_DYNAMIC_HASH_TABLE HashTable ) { return HashTable->TableSize; } FORCEINLINE ULONG RtlNonEmptyBucketsHashTable( _In_ PRTL_DYNAMIC_HASH_TABLE HashTable ) { return HashTable->NonEmptyBuckets; } FORCEINLINE ULONG RtlEmptyBucketsHashTable( _In_ PRTL_DYNAMIC_HASH_TABLE HashTable ) { return HashTable->TableSize - HashTable->NonEmptyBuckets; } FORCEINLINE ULONG RtlTotalEntriesHashTable( _In_ PRTL_DYNAMIC_HASH_TABLE HashTable ) { return HashTable->NumEntries; } FORCEINLINE ULONG RtlActiveEnumeratorsHashTable( _In_ PRTL_DYNAMIC_HASH_TABLE HashTable ) { return HashTable->NumEnumerators; } _Must_inspect_result_ NTSYSAPI BOOLEAN NTAPI RtlCreateHashTable( _Inout_ _When_(*HashTable == NULL, __drv_allocatesMem(Mem)) PRTL_DYNAMIC_HASH_TABLE *HashTable, _In_ ULONG Shift, _In_ _Reserved_ ULONG Flags ); NTSYSAPI VOID NTAPI RtlDeleteHashTable( _In_ PRTL_DYNAMIC_HASH_TABLE HashTable ); NTSYSAPI BOOLEAN NTAPI RtlInsertEntryHashTable( _In_ PRTL_DYNAMIC_HASH_TABLE HashTable, _In_ PRTL_DYNAMIC_HASH_TABLE_ENTRY Entry, _In_ ULONG_PTR Signature, _Inout_opt_ PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context ); NTSYSAPI BOOLEAN NTAPI RtlRemoveEntryHashTable( _In_ PRTL_DYNAMIC_HASH_TABLE HashTable, _In_ PRTL_DYNAMIC_HASH_TABLE_ENTRY Entry, _Inout_opt_ PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context ); _Must_inspect_result_ NTSYSAPI PRTL_DYNAMIC_HASH_TABLE_ENTRY NTAPI RtlLookupEntryHashTable( _In_ PRTL_DYNAMIC_HASH_TABLE HashTable, _In_ ULONG_PTR Signature, _Out_opt_ PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context ); _Must_inspect_result_ NTSYSAPI PRTL_DYNAMIC_HASH_TABLE_ENTRY NTAPI RtlGetNextEntryHashTable( _In_ PRTL_DYNAMIC_HASH_TABLE HashTable, _In_ PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context ); NTSYSAPI BOOLEAN NTAPI RtlInitEnumerationHashTable( _In_ PRTL_DYNAMIC_HASH_TABLE HashTable, _Out_ PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator ); _Must_inspect_result_ NTSYSAPI PRTL_DYNAMIC_HASH_TABLE_ENTRY NTAPI RtlEnumerateEntryHashTable( _In_ PRTL_DYNAMIC_HASH_TABLE HashTable, _Inout_ PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator ); NTSYSAPI VOID NTAPI RtlEndEnumerationHashTable( _In_ PRTL_DYNAMIC_HASH_TABLE HashTable, _Inout_ PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator ); NTSYSAPI BOOLEAN NTAPI RtlInitWeakEnumerationHashTable( _In_ PRTL_DYNAMIC_HASH_TABLE HashTable, _Out_ PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator ); _Must_inspect_result_ NTSYSAPI PRTL_DYNAMIC_HASH_TABLE_ENTRY NTAPI RtlWeaklyEnumerateEntryHashTable( _In_ PRTL_DYNAMIC_HASH_TABLE HashTable, _Inout_ PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator ); NTSYSAPI VOID NTAPI RtlEndWeakEnumerationHashTable( _In_ PRTL_DYNAMIC_HASH_TABLE HashTable, _Inout_ PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator ); NTSYSAPI BOOLEAN NTAPI RtlExpandHashTable( _In_ PRTL_DYNAMIC_HASH_TABLE HashTable ); NTSYSAPI BOOLEAN NTAPI RtlContractHashTable( _In_ PRTL_DYNAMIC_HASH_TABLE HashTable ); #endif #if (PHNT_VERSION >= PHNT_THRESHOLD) NTSYSAPI BOOLEAN NTAPI RtlInitStrongEnumerationHashTable( _In_ PRTL_DYNAMIC_HASH_TABLE HashTable, _Out_ PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator ); _Must_inspect_result_ NTSYSAPI PRTL_DYNAMIC_HASH_TABLE_ENTRY NTAPI RtlStronglyEnumerateEntryHashTable( _In_ PRTL_DYNAMIC_HASH_TABLE HashTable, _Inout_ PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator ); NTSYSAPI VOID NTAPI RtlEndStrongEnumerationHashTable( _In_ PRTL_DYNAMIC_HASH_TABLE HashTable, _Inout_ PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator ); #endif // end_ntddk // Critical sections NTSYSAPI NTSTATUS NTAPI RtlInitializeCriticalSection( _Out_ PRTL_CRITICAL_SECTION CriticalSection ); NTSYSAPI NTSTATUS NTAPI RtlInitializeCriticalSectionAndSpinCount( _Inout_ PRTL_CRITICAL_SECTION CriticalSection, _In_ ULONG SpinCount ); NTSYSAPI NTSTATUS NTAPI RtlDeleteCriticalSection( _Inout_ PRTL_CRITICAL_SECTION CriticalSection ); NTSYSAPI NTSTATUS NTAPI RtlEnterCriticalSection( _Inout_ PRTL_CRITICAL_SECTION CriticalSection ); NTSYSAPI NTSTATUS NTAPI RtlLeaveCriticalSection( _Inout_ PRTL_CRITICAL_SECTION CriticalSection ); NTSYSAPI LOGICAL NTAPI RtlTryEnterCriticalSection( _Inout_ PRTL_CRITICAL_SECTION CriticalSection ); NTSYSAPI LOGICAL NTAPI RtlIsCriticalSectionLocked( _In_ PRTL_CRITICAL_SECTION CriticalSection ); NTSYSAPI LOGICAL NTAPI RtlIsCriticalSectionLockedByThread( _In_ PRTL_CRITICAL_SECTION CriticalSection ); NTSYSAPI ULONG NTAPI RtlGetCriticalSectionRecursionCount( _In_ PRTL_CRITICAL_SECTION CriticalSection ); NTSYSAPI ULONG NTAPI RtlSetCriticalSectionSpinCount( _Inout_ PRTL_CRITICAL_SECTION CriticalSection, _In_ ULONG SpinCount ); #if (PHNT_VERSION >= PHNT_VISTA) // private NTSYSAPI HANDLE NTAPI RtlQueryCriticalSectionOwner( _In_ HANDLE EventHandle ); #endif NTSYSAPI VOID NTAPI RtlCheckForOrphanedCriticalSections( _In_ HANDLE ThreadHandle ); // Resources typedef struct _RTL_RESOURCE { RTL_CRITICAL_SECTION CriticalSection; HANDLE SharedSemaphore; volatile ULONG NumberOfWaitingShared; HANDLE ExclusiveSemaphore; volatile ULONG NumberOfWaitingExclusive; volatile LONG NumberOfActive; // negative: exclusive acquire; zero: not acquired; positive: shared acquire(s) HANDLE ExclusiveOwnerThread; ULONG Flags; // RTL_RESOURCE_FLAG_* PRTL_RESOURCE_DEBUG DebugInfo; } RTL_RESOURCE, *PRTL_RESOURCE; #define RTL_RESOURCE_FLAG_LONG_TERM ((ULONG)0x00000001) NTSYSAPI VOID NTAPI RtlInitializeResource( _Out_ PRTL_RESOURCE Resource ); NTSYSAPI VOID NTAPI RtlDeleteResource( _Inout_ PRTL_RESOURCE Resource ); NTSYSAPI BOOLEAN NTAPI RtlAcquireResourceShared( _Inout_ PRTL_RESOURCE Resource, _In_ BOOLEAN Wait ); NTSYSAPI BOOLEAN NTAPI RtlAcquireResourceExclusive( _Inout_ PRTL_RESOURCE Resource, _In_ BOOLEAN Wait ); NTSYSAPI VOID NTAPI RtlReleaseResource( _Inout_ PRTL_RESOURCE Resource ); NTSYSAPI VOID NTAPI RtlConvertSharedToExclusive( _Inout_ PRTL_RESOURCE Resource ); NTSYSAPI VOID NTAPI RtlConvertExclusiveToShared( _Inout_ PRTL_RESOURCE Resource ); // Slim reader-writer locks, condition variables, and barriers #if (PHNT_VERSION >= PHNT_VISTA) // winbase:InitializeSRWLock NTSYSAPI VOID NTAPI RtlInitializeSRWLock( _Out_ PRTL_SRWLOCK SRWLock ); // winbase:AcquireSRWLockExclusive NTSYSAPI VOID NTAPI RtlAcquireSRWLockExclusive( _Inout_ PRTL_SRWLOCK SRWLock ); // winbase:AcquireSRWLockShared NTSYSAPI VOID NTAPI RtlAcquireSRWLockShared( _Inout_ PRTL_SRWLOCK SRWLock ); // winbase:ReleaseSRWLockExclusive NTSYSAPI VOID NTAPI RtlReleaseSRWLockExclusive( _Inout_ PRTL_SRWLOCK SRWLock ); // winbase:ReleaseSRWLockShared NTSYSAPI VOID NTAPI RtlReleaseSRWLockShared( _Inout_ PRTL_SRWLOCK SRWLock ); // winbase:TryAcquireSRWLockExclusive NTSYSAPI BOOLEAN NTAPI RtlTryAcquireSRWLockExclusive( _Inout_ PRTL_SRWLOCK SRWLock ); // winbase:TryAcquireSRWLockShared NTSYSAPI BOOLEAN NTAPI RtlTryAcquireSRWLockShared( _Inout_ PRTL_SRWLOCK SRWLock ); #if (PHNT_VERSION >= PHNT_WIN7) // rev NTSYSAPI VOID NTAPI RtlAcquireReleaseSRWLockExclusive( _Inout_ PRTL_SRWLOCK SRWLock ); #endif #endif #if (PHNT_VERSION >= PHNT_VISTA) // winbase:InitializeConditionVariable NTSYSAPI VOID NTAPI RtlInitializeConditionVariable( _Out_ PRTL_CONDITION_VARIABLE ConditionVariable ); // private NTSYSAPI NTSTATUS NTAPI RtlSleepConditionVariableCS( _Inout_ PRTL_CONDITION_VARIABLE ConditionVariable, _Inout_ PRTL_CRITICAL_SECTION CriticalSection, _In_opt_ PLARGE_INTEGER Timeout ); // private NTSYSAPI NTSTATUS NTAPI RtlSleepConditionVariableSRW( _Inout_ PRTL_CONDITION_VARIABLE ConditionVariable, _Inout_ PRTL_SRWLOCK SRWLock, _In_opt_ PLARGE_INTEGER Timeout, _In_ ULONG Flags ); // winbase:WakeConditionVariable NTSYSAPI VOID NTAPI RtlWakeConditionVariable( _Inout_ PRTL_CONDITION_VARIABLE ConditionVariable ); // winbase:WakeAllConditionVariable NTSYSAPI VOID NTAPI RtlWakeAllConditionVariable( _Inout_ PRTL_CONDITION_VARIABLE ConditionVariable ); #endif // begin_rev #define RTL_BARRIER_FLAGS_SPIN_ONLY 0x00000001 // never block on event - always spin #define RTL_BARRIER_FLAGS_BLOCK_ONLY 0x00000002 // always block on event - never spin #define RTL_BARRIER_FLAGS_NO_DELETE 0x00000004 // use if barrier will never be deleted // end_rev // begin_private #if (PHNT_VERSION >= PHNT_VISTA) NTSYSAPI NTSTATUS NTAPI RtlInitBarrier( _Out_ PRTL_BARRIER Barrier, _In_ ULONG TotalThreads, _In_ ULONG SpinCount ); NTSYSAPI NTSTATUS NTAPI RtlDeleteBarrier( _In_ PRTL_BARRIER Barrier ); NTSYSAPI BOOLEAN NTAPI RtlBarrier( _Inout_ PRTL_BARRIER Barrier, _In_ ULONG Flags ); NTSYSAPI BOOLEAN NTAPI RtlBarrierForDelete( _Inout_ PRTL_BARRIER Barrier, _In_ ULONG Flags ); #endif // end_private // Wait on address // begin_rev #if (PHNT_VERSION >= PHNT_WIN8) NTSYSAPI NTSTATUS NTAPI RtlWaitOnAddress( _In_ volatile VOID *Address, _In_ PVOID CompareAddress, _In_ SIZE_T AddressSize, _In_opt_ PLARGE_INTEGER Timeout ); NTSYSAPI VOID NTAPI RtlWakeAddressAll( _In_ PVOID Address ); NTSYSAPI VOID NTAPI RtlWakeAddressSingle( _In_ PVOID Address ); #endif // end_rev // Strings #ifndef PHNT_NO_INLINE_INIT_STRING FORCEINLINE VOID RtlInitString( _Out_ PSTRING DestinationString, _In_opt_ PCSTR SourceString ) { if (SourceString) DestinationString->MaximumLength = (DestinationString->Length = (USHORT)strlen(SourceString)) + 1; else DestinationString->MaximumLength = DestinationString->Length = 0; DestinationString->Buffer = (PCHAR)SourceString; } #else NTSYSAPI VOID NTAPI RtlInitString( _Out_ PSTRING DestinationString, _In_opt_ PCSTR SourceString ); #endif #if (PHNT_VERSION >= PHNT_THRESHOLD) NTSYSAPI NTSTATUS NTAPI RtlInitStringEx( _Out_ PSTRING DestinationString, _In_opt_z_ PCSZ SourceString ); #endif #ifndef PHNT_NO_INLINE_INIT_STRING FORCEINLINE VOID RtlInitAnsiString( _Out_ PANSI_STRING DestinationString, _In_opt_ PCSTR SourceString ) { if (SourceString) DestinationString->MaximumLength = (DestinationString->Length = (USHORT)strlen(SourceString)) + 1; else DestinationString->MaximumLength = DestinationString->Length = 0; DestinationString->Buffer = (PCHAR)SourceString; } #else NTSYSAPI VOID NTAPI RtlInitAnsiString( _Out_ PANSI_STRING DestinationString, _In_opt_ PCSTR SourceString ); #endif #if (PHNT_VERSION >= PHNT_WS03) NTSYSAPI NTSTATUS NTAPI RtlInitAnsiStringEx( _Out_ PANSI_STRING DestinationString, _In_opt_z_ PCSZ SourceString ); #endif NTSYSAPI VOID NTAPI RtlFreeAnsiString( _In_ PANSI_STRING AnsiString ); NTSYSAPI VOID NTAPI RtlFreeOemString( _In_ POEM_STRING OemString ); NTSYSAPI VOID NTAPI RtlCopyString( _In_ PSTRING DestinationString, _In_opt_ PSTRING SourceString ); NTSYSAPI CHAR NTAPI RtlUpperChar( _In_ CHAR Character ); _Must_inspect_result_ NTSYSAPI LONG NTAPI RtlCompareString( _In_ PSTRING String1, _In_ PSTRING String2, _In_ BOOLEAN CaseInSensitive ); _Must_inspect_result_ NTSYSAPI BOOLEAN NTAPI RtlEqualString( _In_ PSTRING String1, _In_ PSTRING String2, _In_ BOOLEAN CaseInSensitive ); _Must_inspect_result_ NTSYSAPI BOOLEAN NTAPI RtlPrefixString( _In_ PSTRING String1, _In_ PSTRING String2, _In_ BOOLEAN CaseInSensitive ); NTSYSAPI NTSTATUS NTAPI RtlAppendStringToString( _In_ PSTRING Destination, _In_ PSTRING Source ); NTSYSAPI NTSTATUS NTAPI RtlAppendAsciizToString( _In_ PSTRING Destination, _In_opt_ PCSTR Source ); NTSYSAPI VOID NTAPI RtlUpperString( _In_ PSTRING DestinationString, _In_ PSTRING SourceString ); FORCEINLINE BOOLEAN RtlIsNullOrEmptyUnicodeString( _In_opt_ PUNICODE_STRING String ) { return !String || String->Length == 0; } FORCEINLINE VOID NTAPI RtlInitEmptyUnicodeString( _Out_ PUNICODE_STRING DestinationString, _In_opt_ PWCHAR Buffer, _In_ USHORT MaximumLength ) { DestinationString->Buffer = Buffer; DestinationString->MaximumLength = MaximumLength; DestinationString->Length = 0; } #ifndef PHNT_NO_INLINE_INIT_STRING FORCEINLINE VOID RtlInitUnicodeString( _Out_ PUNICODE_STRING DestinationString, _In_opt_ PCWSTR SourceString ) { if (SourceString) DestinationString->MaximumLength = (DestinationString->Length = (USHORT)(wcslen(SourceString) * sizeof(WCHAR))) + sizeof(UNICODE_NULL); else DestinationString->MaximumLength = DestinationString->Length = 0; DestinationString->Buffer = (PWCH)SourceString; } #else NTSYSAPI VOID NTAPI RtlInitUnicodeString( _Out_ PUNICODE_STRING DestinationString, _In_opt_ PCWSTR SourceString ); #endif NTSYSAPI NTSTATUS NTAPI RtlInitUnicodeStringEx( _Out_ PUNICODE_STRING DestinationString, _In_opt_ PCWSTR SourceString ); NTSYSAPI BOOLEAN NTAPI RtlCreateUnicodeString( _Out_ PUNICODE_STRING DestinationString, _In_ PCWSTR SourceString ); NTSYSAPI BOOLEAN NTAPI RtlCreateUnicodeStringFromAsciiz( _Out_ PUNICODE_STRING DestinationString, _In_ PCSTR SourceString ); NTSYSAPI VOID NTAPI RtlFreeUnicodeString( _In_ PUNICODE_STRING UnicodeString ); #define RTL_DUPLICATE_UNICODE_STRING_NULL_TERMINATE (0x00000001) #define RTL_DUPLICATE_UNICODE_STRING_ALLOCATE_NULL_STRING (0x00000002) NTSYSAPI NTSTATUS NTAPI RtlDuplicateUnicodeString( _In_ ULONG Flags, _In_ PUNICODE_STRING StringIn, _Out_ PUNICODE_STRING StringOut ); NTSYSAPI VOID NTAPI RtlCopyUnicodeString( _In_ PUNICODE_STRING DestinationString, _In_ PUNICODE_STRING SourceString ); NTSYSAPI WCHAR NTAPI RtlUpcaseUnicodeChar( _In_ WCHAR SourceCharacter ); NTSYSAPI WCHAR NTAPI RtlDowncaseUnicodeChar( _In_ WCHAR SourceCharacter ); _Must_inspect_result_ NTSYSAPI LONG NTAPI RtlCompareUnicodeString( _In_ PUNICODE_STRING String1, _In_ PUNICODE_STRING String2, _In_ BOOLEAN CaseInSensitive ); #if (PHNT_VERSION >= PHNT_VISTA) _Must_inspect_result_ NTSYSAPI LONG NTAPI RtlCompareUnicodeStrings( _In_reads_(String1Length) PCWCH String1, _In_ SIZE_T String1Length, _In_reads_(String2Length) PCWCH String2, _In_ SIZE_T String2Length, _In_ BOOLEAN CaseInSensitive ); #endif _Must_inspect_result_ NTSYSAPI BOOLEAN NTAPI RtlEqualUnicodeString( _In_ PUNICODE_STRING String1, _In_ PUNICODE_STRING String2, _In_ BOOLEAN CaseInSensitive ); #define HASH_STRING_ALGORITHM_DEFAULT 0 #define HASH_STRING_ALGORITHM_X65599 1 #define HASH_STRING_ALGORITHM_INVALID 0xffffffff NTSYSAPI NTSTATUS NTAPI RtlHashUnicodeString( _In_ PUNICODE_STRING String, _In_ BOOLEAN CaseInSensitive, _In_ ULONG HashAlgorithm, _Out_ PULONG HashValue ); NTSYSAPI NTSTATUS NTAPI RtlValidateUnicodeString( _In_ ULONG Flags, _In_ PUNICODE_STRING String ); _Must_inspect_result_ NTSYSAPI BOOLEAN NTAPI RtlPrefixUnicodeString( _In_ PUNICODE_STRING String1, _In_ PUNICODE_STRING String2, _In_ BOOLEAN CaseInSensitive ); #if (PHNT_VERSION >= PHNT_THRESHOLD) _Must_inspect_result_ NTSYSAPI BOOLEAN NTAPI RtlSuffixUnicodeString( _In_ PUNICODE_STRING String1, _In_ PUNICODE_STRING String2, _In_ BOOLEAN CaseInSensitive ); #endif #if (PHNT_VERSION >= PHNT_THRESHOLD) _Must_inspect_result_ NTSYSAPI PWCHAR NTAPI RtlFindUnicodeSubstring( _In_ PUNICODE_STRING FullString, _In_ PUNICODE_STRING SearchString, _In_ BOOLEAN CaseInSensitive ); #endif #define RTL_FIND_CHAR_IN_UNICODE_STRING_START_AT_END 0x00000001 #define RTL_FIND_CHAR_IN_UNICODE_STRING_COMPLEMENT_CHAR_SET 0x00000002 #define RTL_FIND_CHAR_IN_UNICODE_STRING_CASE_INSENSITIVE 0x00000004 NTSYSAPI NTSTATUS NTAPI RtlFindCharInUnicodeString( _In_ ULONG Flags, _In_ PUNICODE_STRING StringToSearch, _In_ PUNICODE_STRING CharSet, _Out_ PUSHORT NonInclusivePrefixLength ); NTSYSAPI NTSTATUS NTAPI RtlAppendUnicodeStringToString( _In_ PUNICODE_STRING Destination, _In_ PUNICODE_STRING Source ); NTSYSAPI NTSTATUS NTAPI RtlAppendUnicodeToString( _In_ PUNICODE_STRING Destination, _In_opt_ PCWSTR Source ); NTSYSAPI NTSTATUS NTAPI RtlUpcaseUnicodeString( _Inout_ PUNICODE_STRING DestinationString, _In_ PUNICODE_STRING SourceString, _In_ BOOLEAN AllocateDestinationString ); NTSYSAPI NTSTATUS NTAPI RtlDowncaseUnicodeString( _Inout_ PUNICODE_STRING DestinationString, _In_ PUNICODE_STRING SourceString, _In_ BOOLEAN AllocateDestinationString ); NTSYSAPI VOID NTAPI RtlEraseUnicodeString( _Inout_ PUNICODE_STRING String ); NTSYSAPI NTSTATUS NTAPI RtlAnsiStringToUnicodeString( _Inout_ PUNICODE_STRING DestinationString, _In_ PANSI_STRING SourceString, _In_ BOOLEAN AllocateDestinationString ); NTSYSAPI NTSTATUS NTAPI RtlUnicodeStringToAnsiString( _Inout_ PANSI_STRING DestinationString, _In_ PUNICODE_STRING SourceString, _In_ BOOLEAN AllocateDestinationString ); NTSYSAPI WCHAR NTAPI RtlAnsiCharToUnicodeChar( _Inout_ PUCHAR *SourceCharacter ); NTSYSAPI NTSTATUS NTAPI RtlUpcaseUnicodeStringToAnsiString( _Inout_ PANSI_STRING DestinationString, _In_ PUNICODE_STRING SourceString, _In_ BOOLEAN AllocateDestinationString ); NTSYSAPI NTSTATUS NTAPI RtlOemStringToUnicodeString( _Inout_ PUNICODE_STRING DestinationString, _In_ POEM_STRING SourceString, _In_ BOOLEAN AllocateDestinationString ); NTSYSAPI NTSTATUS NTAPI RtlUnicodeStringToOemString( _Inout_ POEM_STRING DestinationString, _In_ PUNICODE_STRING SourceString, _In_ BOOLEAN AllocateDestinationString ); NTSYSAPI NTSTATUS NTAPI RtlUpcaseUnicodeStringToOemString( _Inout_ POEM_STRING DestinationString, _In_ PUNICODE_STRING SourceString, _In_ BOOLEAN AllocateDestinationString ); NTSYSAPI NTSTATUS NTAPI RtlUnicodeStringToCountedOemString( _Inout_ POEM_STRING DestinationString, _In_ PUNICODE_STRING SourceString, _In_ BOOLEAN AllocateDestinationString ); NTSYSAPI NTSTATUS NTAPI RtlUpcaseUnicodeStringToCountedOemString( _Inout_ POEM_STRING DestinationString, _In_ PUNICODE_STRING SourceString, _In_ BOOLEAN AllocateDestinationString ); NTSYSAPI NTSTATUS NTAPI RtlMultiByteToUnicodeN( _Out_writes_bytes_to_(MaxBytesInUnicodeString, *BytesInUnicodeString) PWCH UnicodeString, _In_ ULONG MaxBytesInUnicodeString, _Out_opt_ PULONG BytesInUnicodeString, _In_reads_bytes_(BytesInMultiByteString) PCSTR MultiByteString, _In_ ULONG BytesInMultiByteString ); NTSYSAPI NTSTATUS NTAPI RtlMultiByteToUnicodeSize( _Out_ PULONG BytesInUnicodeString, _In_reads_bytes_(BytesInMultiByteString) PCSTR MultiByteString, _In_ ULONG BytesInMultiByteString ); NTSYSAPI NTSTATUS NTAPI RtlUnicodeToMultiByteN( _Out_writes_bytes_to_(MaxBytesInMultiByteString, *BytesInMultiByteString) PCHAR MultiByteString, _In_ ULONG MaxBytesInMultiByteString, _Out_opt_ PULONG BytesInMultiByteString, _In_reads_bytes_(BytesInUnicodeString) PCWCH UnicodeString, _In_ ULONG BytesInUnicodeString ); NTSYSAPI NTSTATUS NTAPI RtlUnicodeToMultiByteSize( _Out_ PULONG BytesInMultiByteString, _In_reads_bytes_(BytesInUnicodeString) PCWCH UnicodeString, _In_ ULONG BytesInUnicodeString ); NTSYSAPI NTSTATUS NTAPI RtlUpcaseUnicodeToMultiByteN( _Out_writes_bytes_to_(MaxBytesInMultiByteString, *BytesInMultiByteString) PCHAR MultiByteString, _In_ ULONG MaxBytesInMultiByteString, _Out_opt_ PULONG BytesInMultiByteString, _In_reads_bytes_(BytesInUnicodeString) PCWCH UnicodeString, _In_ ULONG BytesInUnicodeString ); NTSYSAPI NTSTATUS NTAPI RtlOemToUnicodeN( _Out_writes_bytes_to_(MaxBytesInUnicodeString, *BytesInUnicodeString) PWSTR UnicodeString, _In_ ULONG MaxBytesInUnicodeString, _Out_opt_ PULONG BytesInUnicodeString, _In_reads_bytes_(BytesInOemString) PCCH OemString, _In_ ULONG BytesInOemString ); NTSYSAPI NTSTATUS NTAPI RtlUnicodeToOemN( _Out_writes_bytes_to_(MaxBytesInOemString, *BytesInOemString) PCHAR OemString, _In_ ULONG MaxBytesInOemString, _Out_opt_ PULONG BytesInOemString, _In_reads_bytes_(BytesInUnicodeString) PCWCH UnicodeString, _In_ ULONG BytesInUnicodeString ); NTSYSAPI NTSTATUS NTAPI RtlUpcaseUnicodeToOemN( _Out_writes_bytes_to_(MaxBytesInOemString, *BytesInOemString) PCHAR OemString, _In_ ULONG MaxBytesInOemString, _Out_opt_ PULONG BytesInOemString, _In_reads_bytes_(BytesInUnicodeString) PCWCH UnicodeString, _In_ ULONG BytesInUnicodeString ); NTSYSAPI NTSTATUS NTAPI RtlConsoleMultiByteToUnicodeN( _Out_writes_bytes_to_(MaxBytesInUnicodeString, *BytesInUnicodeString) PWCH UnicodeString, _In_ ULONG MaxBytesInUnicodeString, _Out_opt_ PULONG BytesInUnicodeString, _In_reads_bytes_(BytesInMultiByteString) PCCH MultiByteString, _In_ ULONG BytesInMultiByteString, _Out_ PULONG pdwSpecialChar ); #if (PHNT_VERSION >= PHNT_WIN7) NTSYSAPI NTSTATUS NTAPI RtlUTF8ToUnicodeN( _Out_writes_bytes_to_(UnicodeStringMaxByteCount, *UnicodeStringActualByteCount) PWSTR UnicodeStringDestination, _In_ ULONG UnicodeStringMaxByteCount, _Out_ PULONG UnicodeStringActualByteCount, _In_reads_bytes_(UTF8StringByteCount) PCCH UTF8StringSource, _In_ ULONG UTF8StringByteCount ); #endif #if (PHNT_VERSION >= PHNT_WIN7) NTSYSAPI NTSTATUS NTAPI RtlUnicodeToUTF8N( _Out_writes_bytes_to_(UTF8StringMaxByteCount, *UTF8StringActualByteCount) PCHAR UTF8StringDestination, _In_ ULONG UTF8StringMaxByteCount, _Out_ PULONG UTF8StringActualByteCount, _In_reads_bytes_(UnicodeStringByteCount) PCWCH UnicodeStringSource, _In_ ULONG UnicodeStringByteCount ); #endif NTSYSAPI NTSTATUS NTAPI RtlCustomCPToUnicodeN( _In_ PCPTABLEINFO CustomCP, _Out_writes_bytes_to_(MaxBytesInUnicodeString, *BytesInUnicodeString) PWCH UnicodeString, _In_ ULONG MaxBytesInUnicodeString, _Out_opt_ PULONG BytesInUnicodeString, _In_reads_bytes_(BytesInCustomCPString) PCH CustomCPString, _In_ ULONG BytesInCustomCPString ); NTSYSAPI NTSTATUS NTAPI RtlUnicodeToCustomCPN( _In_ PCPTABLEINFO CustomCP, _Out_writes_bytes_to_(MaxBytesInCustomCPString, *BytesInCustomCPString) PCH CustomCPString, _In_ ULONG MaxBytesInCustomCPString, _Out_opt_ PULONG BytesInCustomCPString, _In_reads_bytes_(BytesInUnicodeString) PWCH UnicodeString, _In_ ULONG BytesInUnicodeString ); NTSYSAPI NTSTATUS NTAPI RtlUpcaseUnicodeToCustomCPN( _In_ PCPTABLEINFO CustomCP, _Out_writes_bytes_to_(MaxBytesInCustomCPString, *BytesInCustomCPString) PCH CustomCPString, _In_ ULONG MaxBytesInCustomCPString, _Out_opt_ PULONG BytesInCustomCPString, _In_reads_bytes_(BytesInUnicodeString) PWCH UnicodeString, _In_ ULONG BytesInUnicodeString ); NTSYSAPI VOID NTAPI RtlInitCodePageTable( _In_ PUSHORT TableBase, _Out_ PCPTABLEINFO CodePageTable ); NTSYSAPI VOID NTAPI RtlInitNlsTables( _In_ PUSHORT AnsiNlsBase, _In_ PUSHORT OemNlsBase, _In_ PUSHORT LanguageNlsBase, _Out_ PNLSTABLEINFO TableInfo // PCPTABLEINFO? ); NTSYSAPI VOID NTAPI RtlResetRtlTranslations( _In_ PNLSTABLEINFO TableInfo ); NTSYSAPI BOOLEAN NTAPI RtlIsTextUnicode( _In_ PVOID Buffer, _In_ ULONG Size, _Inout_opt_ PULONG Result ); typedef enum _RTL_NORM_FORM { NormOther = 0x0, NormC = 0x1, NormD = 0x2, NormKC = 0x5, NormKD = 0x6, NormIdna = 0xd, DisallowUnassigned = 0x100, NormCDisallowUnassigned = 0x101, NormDDisallowUnassigned = 0x102, NormKCDisallowUnassigned = 0x105, NormKDDisallowUnassigned = 0x106, NormIdnaDisallowUnassigned = 0x10d } RTL_NORM_FORM; #if (PHNT_VERSION >= PHNT_VISTA) NTSYSAPI NTSTATUS NTAPI RtlNormalizeString( _In_ ULONG NormForm, // RTL_NORM_FORM _In_ PCWSTR SourceString, _In_ LONG SourceStringLength, _Out_writes_to_(*DestinationStringLength, *DestinationStringLength) PWSTR DestinationString, _Inout_ PLONG DestinationStringLength ); #endif #if (PHNT_VERSION >= PHNT_VISTA) NTSYSAPI NTSTATUS NTAPI RtlIsNormalizedString( _In_ ULONG NormForm, // RTL_NORM_FORM _In_ PCWSTR SourceString, _In_ LONG SourceStringLength, _Out_ PBOOLEAN Normalized ); #endif #if (PHNT_VERSION >= PHNT_WIN7) // ntifs:FsRtlIsNameInExpression NTSYSAPI BOOLEAN NTAPI RtlIsNameInExpression( _In_ PUNICODE_STRING Expression, _In_ PUNICODE_STRING Name, _In_ BOOLEAN IgnoreCase, _In_opt_ PWCH UpcaseTable ); #endif #if (PHNT_VERSION >= PHNT_REDSTONE4) // rev NTSYSAPI BOOLEAN NTAPI RtlIsNameInUnUpcasedExpression( _In_ PUNICODE_STRING Expression, _In_ PUNICODE_STRING Name, _In_ BOOLEAN IgnoreCase, _In_opt_ PWCH UpcaseTable ); #endif NTSYSAPI BOOLEAN NTAPI RtlEqualDomainName( _In_ PUNICODE_STRING String1, _In_ PUNICODE_STRING String2 ); NTSYSAPI BOOLEAN NTAPI RtlEqualComputerName( _In_ PUNICODE_STRING String1, _In_ PUNICODE_STRING String2 ); NTSYSAPI NTSTATUS NTAPI RtlDnsHostNameToComputerName( _Out_ PUNICODE_STRING ComputerNameString, _In_ PUNICODE_STRING DnsHostNameString, _In_ BOOLEAN AllocateComputerNameString ); NTSYSAPI NTSTATUS NTAPI RtlStringFromGUID( _In_ PGUID Guid, _Out_ PUNICODE_STRING GuidString ); #if (PHNT_VERSION >= PHNT_WINBLUE) // rev NTSYSAPI NTSTATUS NTAPI RtlStringFromGUIDEx( _In_ PGUID Guid, _Inout_ PUNICODE_STRING GuidString, _In_ BOOLEAN AllocateGuidString ); #endif NTSYSAPI NTSTATUS NTAPI RtlGUIDFromString( _In_ PUNICODE_STRING GuidString, _Out_ PGUID Guid ); #if (PHNT_VERSION >= PHNT_VISTA) NTSYSAPI LONG NTAPI RtlCompareAltitudes( _In_ PUNICODE_STRING Altitude1, _In_ PUNICODE_STRING Altitude2 ); NTSYSAPI NTSTATUS NTAPI RtlIdnToAscii( _In_ ULONG Flags, _In_ PCWSTR SourceString, _In_ LONG SourceStringLength, _Out_writes_to_(*DestinationStringLength, *DestinationStringLength) PWSTR DestinationString, _Inout_ PLONG DestinationStringLength ); NTSYSAPI NTSTATUS NTAPI RtlIdnToUnicode( _In_ ULONG Flags, _In_ PCWSTR SourceString, _In_ LONG SourceStringLength, _Out_writes_to_(*DestinationStringLength, *DestinationStringLength) PWSTR DestinationString, _Inout_ PLONG DestinationStringLength ); NTSYSAPI NTSTATUS NTAPI RtlIdnToNameprepUnicode( _In_ ULONG Flags, _In_ PCWSTR SourceString, _In_ LONG SourceStringLength, _Out_writes_to_(*DestinationStringLength, *DestinationStringLength) PWSTR DestinationString, _Inout_ PLONG DestinationStringLength ); #endif // Prefix typedef struct _PREFIX_TABLE_ENTRY { CSHORT NodeTypeCode; CSHORT NameLength; struct _PREFIX_TABLE_ENTRY *NextPrefixTree; RTL_SPLAY_LINKS Links; PSTRING Prefix; } PREFIX_TABLE_ENTRY, *PPREFIX_TABLE_ENTRY; typedef struct _PREFIX_TABLE { CSHORT NodeTypeCode; CSHORT NameLength; PPREFIX_TABLE_ENTRY NextPrefixTree; } PREFIX_TABLE, *PPREFIX_TABLE; NTSYSAPI VOID NTAPI PfxInitialize( _Out_ PPREFIX_TABLE PrefixTable ); NTSYSAPI BOOLEAN NTAPI PfxInsertPrefix( _In_ PPREFIX_TABLE PrefixTable, _In_ PSTRING Prefix, _Out_ PPREFIX_TABLE_ENTRY PrefixTableEntry ); NTSYSAPI VOID NTAPI PfxRemovePrefix( _In_ PPREFIX_TABLE PrefixTable, _In_ PPREFIX_TABLE_ENTRY PrefixTableEntry ); NTSYSAPI PPREFIX_TABLE_ENTRY NTAPI PfxFindPrefix( _In_ PPREFIX_TABLE PrefixTable, _In_ PSTRING FullName ); typedef struct _UNICODE_PREFIX_TABLE_ENTRY { CSHORT NodeTypeCode; CSHORT NameLength; struct _UNICODE_PREFIX_TABLE_ENTRY *NextPrefixTree; struct _UNICODE_PREFIX_TABLE_ENTRY *CaseMatch; RTL_SPLAY_LINKS Links; PUNICODE_STRING Prefix; } UNICODE_PREFIX_TABLE_ENTRY, *PUNICODE_PREFIX_TABLE_ENTRY; typedef struct _UNICODE_PREFIX_TABLE { CSHORT NodeTypeCode; CSHORT NameLength; PUNICODE_PREFIX_TABLE_ENTRY NextPrefixTree; PUNICODE_PREFIX_TABLE_ENTRY LastNextEntry; } UNICODE_PREFIX_TABLE, *PUNICODE_PREFIX_TABLE; NTSYSAPI VOID NTAPI RtlInitializeUnicodePrefix( _Out_ PUNICODE_PREFIX_TABLE PrefixTable ); NTSYSAPI BOOLEAN NTAPI RtlInsertUnicodePrefix( _In_ PUNICODE_PREFIX_TABLE PrefixTable, _In_ PUNICODE_STRING Prefix, _Out_ PUNICODE_PREFIX_TABLE_ENTRY PrefixTableEntry ); NTSYSAPI VOID NTAPI RtlRemoveUnicodePrefix( _In_ PUNICODE_PREFIX_TABLE PrefixTable, _In_ PUNICODE_PREFIX_TABLE_ENTRY PrefixTableEntry ); NTSYSAPI PUNICODE_PREFIX_TABLE_ENTRY NTAPI RtlFindUnicodePrefix( _In_ PUNICODE_PREFIX_TABLE PrefixTable, _In_ PUNICODE_STRING FullName, _In_ ULONG CaseInsensitiveIndex ); NTSYSAPI PUNICODE_PREFIX_TABLE_ENTRY NTAPI RtlNextUnicodePrefix( _In_ PUNICODE_PREFIX_TABLE PrefixTable, _In_ BOOLEAN Restart ); // Compression typedef struct _COMPRESSED_DATA_INFO { USHORT CompressionFormatAndEngine; // COMPRESSION_FORMAT_* and COMPRESSION_ENGINE_* UCHAR CompressionUnitShift; UCHAR ChunkShift; UCHAR ClusterShift; UCHAR Reserved; USHORT NumberOfChunks; ULONG CompressedChunkSizes[1]; } COMPRESSED_DATA_INFO, *PCOMPRESSED_DATA_INFO; NTSYSAPI NTSTATUS NTAPI RtlGetCompressionWorkSpaceSize( _In_ USHORT CompressionFormatAndEngine, _Out_ PULONG CompressBufferWorkSpaceSize, _Out_ PULONG CompressFragmentWorkSpaceSize ); NTSYSAPI NTSTATUS NTAPI RtlCompressBuffer( _In_ USHORT CompressionFormatAndEngine, _In_reads_bytes_(UncompressedBufferSize) PUCHAR UncompressedBuffer, _In_ ULONG UncompressedBufferSize, _Out_writes_bytes_to_(CompressedBufferSize, *FinalCompressedSize) PUCHAR CompressedBuffer, _In_ ULONG CompressedBufferSize, _In_ ULONG UncompressedChunkSize, _Out_ PULONG FinalCompressedSize, _In_ PVOID WorkSpace ); NTSYSAPI NTSTATUS NTAPI RtlDecompressBuffer( _In_ USHORT CompressionFormat, _Out_writes_bytes_to_(UncompressedBufferSize, *FinalUncompressedSize) PUCHAR UncompressedBuffer, _In_ ULONG UncompressedBufferSize, _In_reads_bytes_(CompressedBufferSize) PUCHAR CompressedBuffer, _In_ ULONG CompressedBufferSize, _Out_ PULONG FinalUncompressedSize ); #if (PHNT_VERSION >= PHNT_WIN8) NTSYSAPI NTSTATUS NTAPI RtlDecompressBufferEx( _In_ USHORT CompressionFormat, _Out_writes_bytes_to_(UncompressedBufferSize, *FinalUncompressedSize) PUCHAR UncompressedBuffer, _In_ ULONG UncompressedBufferSize, _In_reads_bytes_(CompressedBufferSize) PUCHAR CompressedBuffer, _In_ ULONG CompressedBufferSize, _Out_ PULONG FinalUncompressedSize, _In_ PVOID WorkSpace ); #endif NTSYSAPI NTSTATUS NTAPI RtlDecompressFragment( _In_ USHORT CompressionFormat, _Out_writes_bytes_to_(UncompressedFragmentSize, *FinalUncompressedSize) PUCHAR UncompressedFragment, _In_ ULONG UncompressedFragmentSize, _In_reads_bytes_(CompressedBufferSize) PUCHAR CompressedBuffer, _In_ ULONG CompressedBufferSize, _In_range_(<, CompressedBufferSize) ULONG FragmentOffset, _Out_ PULONG FinalUncompressedSize, _In_ PVOID WorkSpace ); NTSYSAPI NTSTATUS NTAPI RtlDescribeChunk( _In_ USHORT CompressionFormat, _Inout_ PUCHAR *CompressedBuffer, _In_ PUCHAR EndOfCompressedBufferPlus1, _Out_ PUCHAR *ChunkBuffer, _Out_ PULONG ChunkSize ); NTSYSAPI NTSTATUS NTAPI RtlReserveChunk( _In_ USHORT CompressionFormat, _Inout_ PUCHAR *CompressedBuffer, _In_ PUCHAR EndOfCompressedBufferPlus1, _Out_ PUCHAR *ChunkBuffer, _In_ ULONG ChunkSize ); NTSYSAPI NTSTATUS NTAPI RtlDecompressChunks( _Out_writes_bytes_(UncompressedBufferSize) PUCHAR UncompressedBuffer, _In_ ULONG UncompressedBufferSize, _In_reads_bytes_(CompressedBufferSize) PUCHAR CompressedBuffer, _In_ ULONG CompressedBufferSize, _In_reads_bytes_(CompressedTailSize) PUCHAR CompressedTail, _In_ ULONG CompressedTailSize, _In_ PCOMPRESSED_DATA_INFO CompressedDataInfo ); NTSYSAPI NTSTATUS NTAPI RtlCompressChunks( _In_reads_bytes_(UncompressedBufferSize) PUCHAR UncompressedBuffer, _In_ ULONG UncompressedBufferSize, _Out_writes_bytes_(CompressedBufferSize) PUCHAR CompressedBuffer, _In_range_(>=, (UncompressedBufferSize - (UncompressedBufferSize / 16))) ULONG CompressedBufferSize, _Inout_updates_bytes_(CompressedDataInfoLength) PCOMPRESSED_DATA_INFO CompressedDataInfo, _In_range_(>, sizeof(COMPRESSED_DATA_INFO)) ULONG CompressedDataInfoLength, _In_ PVOID WorkSpace ); // Locale #if (PHNT_VERSION >= PHNT_VISTA) // private NTSYSAPI NTSTATUS NTAPI RtlConvertLCIDToString( _In_ LCID LcidValue, _In_ ULONG Base, _In_ ULONG Padding, // string is padded to this width _Out_writes_(Size) PWSTR pResultBuf, _In_ ULONG Size ); // private NTSYSAPI BOOLEAN NTAPI RtlIsValidLocaleName( _In_ PCWSTR LocaleName, _In_ ULONG Flags ); // private NTSYSAPI NTSTATUS NTAPI RtlGetParentLocaleName( _In_ PCWSTR LocaleName, _Inout_ PUNICODE_STRING ParentLocaleName, _In_ ULONG Flags, _In_ BOOLEAN AllocateDestinationString ); // private NTSYSAPI NTSTATUS NTAPI RtlLcidToLocaleName( _In_ LCID lcid, // sic _Inout_ PUNICODE_STRING LocaleName, _In_ ULONG Flags, _In_ BOOLEAN AllocateDestinationString ); // private NTSYSAPI NTSTATUS NTAPI RtlLocaleNameToLcid( _In_ PCWSTR LocaleName, _Out_ PLCID lcid, _In_ ULONG Flags ); // private NTSYSAPI BOOLEAN NTAPI RtlLCIDToCultureName( _In_ LCID Lcid, _Inout_ PUNICODE_STRING String ); // private NTSYSAPI BOOLEAN NTAPI RtlCultureNameToLCID( _In_ PUNICODE_STRING String, _Out_ PLCID Lcid ); // private NTSYSAPI VOID NTAPI RtlCleanUpTEBLangLists( VOID ); #endif #if (PHNT_VERSION >= PHNT_WIN7) // rev NTSYSAPI NTSTATUS NTAPI RtlGetLocaleFileMappingAddress( _Out_ PVOID *BaseAddress, _Out_ PLCID DefaultLocaleId, _Out_ PLARGE_INTEGER DefaultCasingTableSize ); #endif // PEB NTSYSAPI PPEB NTAPI RtlGetCurrentPeb( VOID ); NTSYSAPI VOID NTAPI RtlAcquirePebLock( VOID ); NTSYSAPI VOID NTAPI RtlReleasePebLock( VOID ); #if (PHNT_VERSION >= PHNT_VISTA) // private NTSYSAPI LOGICAL NTAPI RtlTryAcquirePebLock( VOID ); #endif NTSYSAPI NTSTATUS NTAPI RtlAllocateFromPeb( _In_ ULONG Size, _Out_ PVOID *Block ); NTSYSAPI NTSTATUS NTAPI RtlFreeToPeb( _In_ PVOID Block, _In_ ULONG Size ); // Processes #define DOS_MAX_COMPONENT_LENGTH 255 #define DOS_MAX_PATH_LENGTH (DOS_MAX_COMPONENT_LENGTH + 5) typedef struct _CURDIR { UNICODE_STRING DosPath; HANDLE Handle; } CURDIR, *PCURDIR; #define RTL_USER_PROC_CURDIR_CLOSE 0x00000002 #define RTL_USER_PROC_CURDIR_INHERIT 0x00000003 typedef struct _RTL_DRIVE_LETTER_CURDIR { USHORT Flags; USHORT Length; ULONG TimeStamp; STRING DosPath; } RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR; #define RTL_MAX_DRIVE_LETTERS 32 #define RTL_DRIVE_LETTER_VALID (USHORT)0x0001 typedef struct _RTL_USER_PROCESS_PARAMETERS { ULONG MaximumLength; ULONG Length; ULONG Flags; ULONG DebugFlags; HANDLE ConsoleHandle; ULONG ConsoleFlags; HANDLE StandardInput; HANDLE StandardOutput; HANDLE StandardError; CURDIR CurrentDirectory; UNICODE_STRING DllPath; UNICODE_STRING ImagePathName; UNICODE_STRING CommandLine; PVOID Environment; ULONG StartingX; ULONG StartingY; ULONG CountX; ULONG CountY; ULONG CountCharsX; ULONG CountCharsY; ULONG FillAttribute; ULONG WindowFlags; ULONG ShowWindowFlags; UNICODE_STRING WindowTitle; UNICODE_STRING DesktopInfo; UNICODE_STRING ShellInfo; UNICODE_STRING RuntimeData; RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS]; ULONG_PTR EnvironmentSize; ULONG_PTR EnvironmentVersion; PVOID PackageDependencyData; ULONG ProcessGroupId; ULONG LoaderThreads; UNICODE_STRING RedirectionDllName; // REDSTONE4 UNICODE_STRING HeapPartitionName; // 19H1 ULONG_PTR DefaultThreadpoolCpuSetMasks; ULONG DefaultThreadpoolCpuSetMaskCount; } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS; #define RTL_USER_PROC_PARAMS_NORMALIZED 0x00000001 #define RTL_USER_PROC_PROFILE_USER 0x00000002 #define RTL_USER_PROC_PROFILE_KERNEL 0x00000004 #define RTL_USER_PROC_PROFILE_SERVER 0x00000008 #define RTL_USER_PROC_RESERVE_1MB 0x00000020 #define RTL_USER_PROC_RESERVE_16MB 0x00000040 #define RTL_USER_PROC_CASE_SENSITIVE 0x00000080 #define RTL_USER_PROC_DISABLE_HEAP_DECOMMIT 0x00000100 #define RTL_USER_PROC_DLL_REDIRECTION_LOCAL 0x00001000 #define RTL_USER_PROC_APP_MANIFEST_PRESENT 0x00002000 #define RTL_USER_PROC_IMAGE_KEY_MISSING 0x00004000 #define RTL_USER_PROC_OPTIN_PROCESS 0x00020000 NTSYSAPI NTSTATUS NTAPI RtlCreateProcessParameters( _Out_ PRTL_USER_PROCESS_PARAMETERS *pProcessParameters, _In_ PUNICODE_STRING ImagePathName, _In_opt_ PUNICODE_STRING DllPath, _In_opt_ PUNICODE_STRING CurrentDirectory, _In_opt_ PUNICODE_STRING CommandLine, _In_opt_ PVOID Environment, _In_opt_ PUNICODE_STRING WindowTitle, _In_opt_ PUNICODE_STRING DesktopInfo, _In_opt_ PUNICODE_STRING ShellInfo, _In_opt_ PUNICODE_STRING RuntimeData ); #if (PHNT_VERSION >= PHNT_VISTA) // private NTSYSAPI NTSTATUS NTAPI RtlCreateProcessParametersEx( _Out_ PRTL_USER_PROCESS_PARAMETERS *pProcessParameters, _In_ PUNICODE_STRING ImagePathName, _In_opt_ PUNICODE_STRING DllPath, _In_opt_ PUNICODE_STRING CurrentDirectory, _In_opt_ PUNICODE_STRING CommandLine, _In_opt_ PVOID Environment, _In_opt_ PUNICODE_STRING WindowTitle, _In_opt_ PUNICODE_STRING DesktopInfo, _In_opt_ PUNICODE_STRING ShellInfo, _In_opt_ PUNICODE_STRING RuntimeData, _In_ ULONG Flags // pass RTL_USER_PROC_PARAMS_NORMALIZED to keep parameters normalized ); #endif NTSYSAPI NTSTATUS NTAPI RtlDestroyProcessParameters( _In_ _Post_invalid_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters ); NTSYSAPI PRTL_USER_PROCESS_PARAMETERS NTAPI RtlNormalizeProcessParams( _Inout_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters ); NTSYSAPI PRTL_USER_PROCESS_PARAMETERS NTAPI RtlDeNormalizeProcessParams( _Inout_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters ); typedef struct _RTL_USER_PROCESS_INFORMATION { ULONG Length; HANDLE ProcessHandle; HANDLE ThreadHandle; CLIENT_ID ClientId; SECTION_IMAGE_INFORMATION ImageInformation; } RTL_USER_PROCESS_INFORMATION, *PRTL_USER_PROCESS_INFORMATION; // private NTSYSAPI NTSTATUS NTAPI RtlCreateUserProcess( _In_ PUNICODE_STRING NtImagePathName, _In_ ULONG AttributesDeprecated, _In_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters, _In_opt_ PSECURITY_DESCRIPTOR ProcessSecurityDescriptor, _In_opt_ PSECURITY_DESCRIPTOR ThreadSecurityDescriptor, _In_opt_ HANDLE ParentProcess, _In_ BOOLEAN InheritHandles, _In_opt_ HANDLE DebugPort, _In_opt_ HANDLE TokenHandle, // used to be ExceptionPort _Out_ PRTL_USER_PROCESS_INFORMATION ProcessInformation ); NTSYSAPI NTSTATUS NTAPI RtlCreateUserProcessEx( _In_ PUNICODE_STRING NtImagePathName, _In_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters, _In_ BOOLEAN InheritHandles, _Reserved_ ULONG Flags, _Out_ PRTL_USER_PROCESS_INFORMATION ProcessInformation ); #if (PHNT_VERSION >= PHNT_VISTA) DECLSPEC_NORETURN NTSYSAPI VOID NTAPI RtlExitUserProcess( _In_ NTSTATUS ExitStatus ); #else #define RtlExitUserProcess RtlExitUserProcess_R DECLSPEC_NORETURN FORCEINLINE VOID RtlExitUserProcess_R( _In_ NTSTATUS ExitStatus ) { ExitProcess(ExitStatus); } #endif #if (PHNT_VERSION >= PHNT_VISTA) // begin_rev #define RTL_CLONE_PROCESS_FLAGS_CREATE_SUSPENDED 0x00000001 #define RTL_CLONE_PROCESS_FLAGS_INHERIT_HANDLES 0x00000002 #define RTL_CLONE_PROCESS_FLAGS_NO_SYNCHRONIZE 0x00000004 // don't update synchronization objects // end_rev // private NTSYSAPI NTSTATUS NTAPI RtlCloneUserProcess( _In_ ULONG ProcessFlags, _In_opt_ PSECURITY_DESCRIPTOR ProcessSecurityDescriptor, _In_opt_ PSECURITY_DESCRIPTOR ThreadSecurityDescriptor, _In_opt_ HANDLE DebugPort, _Out_ PRTL_USER_PROCESS_INFORMATION ProcessInformation ); // private NTSYSAPI VOID NTAPI RtlUpdateClonedCriticalSection( _Inout_ PRTL_CRITICAL_SECTION CriticalSection ); // private NTSYSAPI VOID NTAPI RtlUpdateClonedSRWLock( _Inout_ PRTL_SRWLOCK SRWLock, _In_ LOGICAL Shared // TRUE to set to shared acquire ); // private typedef struct _RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION { HANDLE ReflectionProcessHandle; HANDLE ReflectionThreadHandle; CLIENT_ID ReflectionClientId; } RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION, *PRTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION; #if (PHNT_VERSION >= PHNT_WIN7) // rev NTSYSAPI NTSTATUS NTAPI RtlCreateProcessReflection( _In_ HANDLE ProcessHandle, _In_ ULONG Flags, _In_opt_ PVOID StartRoutine, _In_opt_ PVOID StartContext, _In_opt_ HANDLE EventHandle, _Out_opt_ PRTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION ReflectionInformation ); #endif #endif NTSYSAPI NTSTATUS STDAPIVCALLTYPE RtlSetProcessIsCritical( _In_ BOOLEAN NewValue, _Out_opt_ PBOOLEAN OldValue, _In_ BOOLEAN CheckFlag ); NTSYSAPI NTSTATUS STDAPIVCALLTYPE RtlSetThreadIsCritical( _In_ BOOLEAN NewValue, _Out_opt_ PBOOLEAN OldValue, _In_ BOOLEAN CheckFlag ); // rev NTSYSAPI BOOLEAN NTAPI RtlValidProcessProtection( _In_ PS_PROTECTION ProcessProtection ); // rev NTSYSAPI BOOLEAN NTAPI RtlTestProtectedAccess( _In_ PS_PROTECTION Source, _In_ PS_PROTECTION Target ); #if (PHNT_VERSION >= PHNT_REDSTONE3) // rev NTSYSAPI BOOLEAN NTAPI RtlIsCurrentProcess( // NtCompareObjects(NtCurrentProcess(), ProcessHandle) _In_ HANDLE ProcessHandle ); // rev NTSYSAPI BOOLEAN NTAPI RtlIsCurrentThread( // NtCompareObjects(NtCurrentThread(), ThreadHandle) _In_ HANDLE ThreadHandle ); #endif // Threads typedef NTSTATUS (NTAPI *PUSER_THREAD_START_ROUTINE)( _In_ PVOID ThreadParameter ); NTSYSAPI NTSTATUS NTAPI RtlCreateUserThread( _In_ HANDLE Process, _In_opt_ PSECURITY_DESCRIPTOR ThreadSecurityDescriptor, _In_ BOOLEAN CreateSuspended, _In_opt_ ULONG ZeroBits, _In_opt_ SIZE_T MaximumStackSize, _In_opt_ SIZE_T CommittedStackSize, _In_ PUSER_THREAD_START_ROUTINE StartAddress, _In_opt_ PVOID Parameter, _Out_opt_ PHANDLE Thread, _Out_opt_ PCLIENT_ID ClientId ); #if (PHNT_VERSION >= PHNT_VISTA) // should be PHNT_WINXP, but is PHNT_VISTA for consistency with RtlExitUserProcess DECLSPEC_NORETURN NTSYSAPI VOID NTAPI RtlExitUserThread( _In_ NTSTATUS ExitStatus ); #else #define RtlExitUserThread RtlExitUserThread_R DECLSPEC_NORETURN FORCEINLINE VOID RtlExitUserThread_R( _In_ NTSTATUS ExitStatus ) { ExitThread(ExitStatus); } #endif #if (PHNT_VERSION >= PHNT_VISTA) // rev NTSYSAPI BOOLEAN NTAPI RtlIsCurrentThreadAttachExempt( VOID ); #endif #if (PHNT_VERSION >= PHNT_VISTA) // private NTSYSAPI NTSTATUS NTAPI RtlCreateUserStack( _In_opt_ SIZE_T CommittedStackSize, _In_opt_ SIZE_T MaximumStackSize, _In_opt_ ULONG_PTR ZeroBits, _In_ SIZE_T PageSize, _In_ ULONG_PTR ReserveAlignment, _Out_ PINITIAL_TEB InitialTeb ); // private NTSYSAPI NTSTATUS NTAPI RtlFreeUserStack( _In_ PVOID AllocationBase ); #endif // Extended thread context typedef struct _CONTEXT_CHUNK { LONG Offset; // Offset may be negative. ULONG Length; } CONTEXT_CHUNK, *PCONTEXT_CHUNK; typedef struct _CONTEXT_EX { CONTEXT_CHUNK All; CONTEXT_CHUNK Legacy; CONTEXT_CHUNK XState; } CONTEXT_EX, *PCONTEXT_EX; #define CONTEXT_EX_LENGTH ALIGN_UP_BY(sizeof(CONTEXT_EX), PAGE_SIZE) #define RTL_CONTEXT_EX_OFFSET(ContextEx, Chunk) ((ContextEx)->Chunk.Offset) #define RTL_CONTEXT_EX_LENGTH(ContextEx, Chunk) ((ContextEx)->Chunk.Length) #define RTL_CONTEXT_EX_CHUNK(Base, Layout, Chunk) ((PVOID)((PCHAR)(Base) + RTL_CONTEXT_EX_OFFSET(Layout, Chunk))) #define RTL_CONTEXT_OFFSET(Context, Chunk) RTL_CONTEXT_EX_OFFSET((PCONTEXT_EX)(Context + 1), Chunk) #define RTL_CONTEXT_LENGTH(Context, Chunk) RTL_CONTEXT_EX_LENGTH((PCONTEXT_EX)(Context + 1), Chunk) #define RTL_CONTEXT_CHUNK(Context, Chunk) RTL_CONTEXT_EX_CHUNK((PCONTEXT_EX)(Context + 1), (PCONTEXT_EX)(Context + 1), Chunk) NTSYSAPI VOID NTAPI RtlInitializeContext( _In_ HANDLE Process, _Out_ PCONTEXT Context, _In_opt_ PVOID Parameter, _In_opt_ PVOID InitialPc, _In_opt_ PVOID InitialSp ); NTSYSAPI ULONG NTAPI RtlInitializeExtendedContext( _Out_ PCONTEXT Context, _In_ ULONG ContextFlags, _Out_ PCONTEXT_EX* ContextEx ); NTSYSAPI ULONG NTAPI RtlCopyExtendedContext( _Out_ PCONTEXT_EX Destination, _In_ ULONG ContextFlags, _In_ PCONTEXT_EX Source ); NTSYSAPI ULONG NTAPI RtlGetExtendedContextLength( _In_ ULONG ContextFlags, _Out_ PULONG ContextLength ); NTSYSAPI ULONG64 NTAPI RtlGetExtendedFeaturesMask( _In_ PCONTEXT_EX ContextEx ); NTSYSAPI PVOID NTAPI RtlLocateExtendedFeature( _In_ PCONTEXT_EX ContextEx, _In_ ULONG FeatureId, _Out_opt_ PULONG Length ); NTSYSAPI PCONTEXT NTAPI RtlLocateLegacyContext( _In_ PCONTEXT_EX ContextEx, _Out_opt_ PULONG Length ); NTSYSAPI VOID NTAPI RtlSetExtendedFeaturesMask( __out PCONTEXT_EX ContextEx, _Out_ ULONG64 FeatureMask ); #ifdef _WIN64 // rev NTSYSAPI NTSTATUS NTAPI RtlWow64GetThreadContext( _In_ HANDLE ThreadHandle, _Inout_ PWOW64_CONTEXT ThreadContext ); #endif #ifdef _WIN64 // rev NTSYSAPI NTSTATUS NTAPI RtlWow64SetThreadContext( _In_ HANDLE ThreadHandle, _In_ PWOW64_CONTEXT ThreadContext ); #endif NTSYSAPI NTSTATUS NTAPI RtlRemoteCall( _In_ HANDLE Process, _In_ HANDLE Thread, _In_ PVOID CallSite, _In_ ULONG ArgumentCount, _In_opt_ PULONG_PTR Arguments, _In_ BOOLEAN PassContext, _In_ BOOLEAN AlreadySuspended ); // Vectored exception handlers NTSYSAPI PVOID NTAPI RtlAddVectoredExceptionHandler( _In_ ULONG First, _In_ PVECTORED_EXCEPTION_HANDLER Handler ); NTSYSAPI ULONG NTAPI RtlRemoveVectoredExceptionHandler( _In_ PVOID Handle ); NTSYSAPI PVOID NTAPI RtlAddVectoredContinueHandler( _In_ ULONG First, _In_ PVECTORED_EXCEPTION_HANDLER Handler ); NTSYSAPI ULONG NTAPI RtlRemoveVectoredContinueHandler( _In_ PVOID Handle ); // Runtime exception handling typedef ULONG (NTAPI *PRTLP_UNHANDLED_EXCEPTION_FILTER)( _In_ PEXCEPTION_POINTERS ExceptionInfo ); NTSYSAPI VOID NTAPI RtlSetUnhandledExceptionFilter( _In_ PRTLP_UNHANDLED_EXCEPTION_FILTER UnhandledExceptionFilter ); // rev NTSYSAPI LONG NTAPI RtlUnhandledExceptionFilter( _In_ PEXCEPTION_POINTERS ExceptionPointers ); // rev NTSYSAPI LONG NTAPI RtlUnhandledExceptionFilter2( _In_ PEXCEPTION_POINTERS ExceptionPointers, _In_ ULONG Flags ); // rev NTSYSAPI LONG NTAPI RtlKnownExceptionFilter( _In_ PEXCEPTION_POINTERS ExceptionPointers ); #ifdef _WIN64 // private typedef enum _FUNCTION_TABLE_TYPE { RF_SORTED, RF_UNSORTED, RF_CALLBACK, RF_KERNEL_DYNAMIC } FUNCTION_TABLE_TYPE; // private typedef struct _DYNAMIC_FUNCTION_TABLE { LIST_ENTRY ListEntry; PRUNTIME_FUNCTION FunctionTable; LARGE_INTEGER TimeStamp; ULONG64 MinimumAddress; ULONG64 MaximumAddress; ULONG64 BaseAddress; PGET_RUNTIME_FUNCTION_CALLBACK Callback; PVOID Context; PWSTR OutOfProcessCallbackDll; FUNCTION_TABLE_TYPE Type; ULONG EntryCount; RTL_BALANCED_NODE TreeNode; } DYNAMIC_FUNCTION_TABLE, *PDYNAMIC_FUNCTION_TABLE; // rev NTSYSAPI PLIST_ENTRY NTAPI RtlGetFunctionTableListHead( VOID ); #endif // Images NTSYSAPI PIMAGE_NT_HEADERS NTAPI RtlImageNtHeader( _In_ PVOID BaseOfImage ); #define RTL_IMAGE_NT_HEADER_EX_FLAG_NO_RANGE_CHECK 0x00000001 NTSYSAPI NTSTATUS NTAPI RtlImageNtHeaderEx( _In_ ULONG Flags, _In_ PVOID BaseOfImage, _In_ ULONG64 Size, _Out_ PIMAGE_NT_HEADERS *OutHeaders ); NTSYSAPI PVOID NTAPI RtlAddressInSectionTable( _In_ PIMAGE_NT_HEADERS NtHeaders, _In_ PVOID BaseOfImage, _In_ ULONG VirtualAddress ); NTSYSAPI PIMAGE_SECTION_HEADER NTAPI RtlSectionTableFromVirtualAddress( _In_ PIMAGE_NT_HEADERS NtHeaders, _In_ PVOID BaseOfImage, _In_ ULONG VirtualAddress ); NTSYSAPI PVOID NTAPI RtlImageDirectoryEntryToData( _In_ PVOID BaseOfImage, _In_ BOOLEAN MappedAsImage, _In_ USHORT DirectoryEntry, _Out_ PULONG Size ); NTSYSAPI PIMAGE_SECTION_HEADER NTAPI RtlImageRvaToSection( _In_ PIMAGE_NT_HEADERS NtHeaders, _In_ PVOID BaseOfImage, _In_ ULONG Rva ); NTSYSAPI PVOID NTAPI RtlImageRvaToVa( _In_ PIMAGE_NT_HEADERS NtHeaders, _In_ PVOID BaseOfImage, _In_ ULONG Rva, _Inout_opt_ PIMAGE_SECTION_HEADER *LastRvaSection ); #if (PHNT_VERSION >= PHNT_THRESHOLD) // rev NTSYSAPI PVOID NTAPI RtlFindExportedRoutineByName( _In_ PVOID BaseOfImage, _In_ PCSTR RoutineName ); #endif #if (PHNT_VERSION >= PHNT_REDSTONE) // rev NTSYSAPI NTSTATUS NTAPI RtlGuardCheckLongJumpTarget( _In_ PVOID PcValue, _In_ BOOL IsFastFail, _Out_ PBOOL IsLongJumpTarget ); #endif // Memory NTSYSAPI SIZE_T NTAPI RtlCompareMemoryUlong( _In_ PVOID Source, _In_ SIZE_T Length, _In_ ULONG Pattern ); NTSYSAPI VOID NTAPI RtlFillMemoryUlong( _Out_ PVOID Destination, _In_ SIZE_T Length, _In_ ULONG Pattern ); NTSYSAPI VOID NTAPI RtlFillMemoryUlonglong( _Out_ PVOID Destination, _In_ SIZE_T Length, _In_ ULONGLONG Pattern ); // Environment NTSYSAPI NTSTATUS NTAPI RtlCreateEnvironment( _In_ BOOLEAN CloneCurrentEnvironment, _Out_ PVOID *Environment ); // begin_rev #define RTL_CREATE_ENVIRONMENT_TRANSLATE 0x1 // translate from multi-byte to Unicode #define RTL_CREATE_ENVIRONMENT_TRANSLATE_FROM_OEM 0x2 // translate from OEM to Unicode (Translate flag must also be set) #define RTL_CREATE_ENVIRONMENT_EMPTY 0x4 // create empty environment block // end_rev #if (PHNT_VERSION >= PHNT_VISTA) // private NTSYSAPI NTSTATUS NTAPI RtlCreateEnvironmentEx( _In_ PVOID SourceEnv, _Out_ PVOID *Environment, _In_ ULONG Flags ); #endif NTSYSAPI NTSTATUS NTAPI RtlDestroyEnvironment( _In_ PVOID Environment ); NTSYSAPI NTSTATUS NTAPI RtlSetCurrentEnvironment( _In_ PVOID Environment, _Out_opt_ PVOID *PreviousEnvironment ); #if (PHNT_VERSION >= PHNT_VISTA) // private NTSYSAPI NTSTATUS NTAPI RtlSetEnvironmentVar( _Inout_opt_ PVOID *Environment, _In_reads_(NameLength) PCWSTR Name, _In_ SIZE_T NameLength, _In_reads_(ValueLength) PCWSTR Value, _In_ SIZE_T ValueLength ); #endif NTSYSAPI NTSTATUS NTAPI RtlSetEnvironmentVariable( _Inout_opt_ PVOID *Environment, _In_ PUNICODE_STRING Name, _In_opt_ PUNICODE_STRING Value ); #if (PHNT_VERSION >= PHNT_VISTA) // private NTSYSAPI NTSTATUS NTAPI RtlQueryEnvironmentVariable( _In_opt_ PVOID Environment, _In_reads_(NameLength) PCWSTR Name, _In_ SIZE_T NameLength, _Out_writes_(ValueLength) PWSTR Value, _In_ SIZE_T ValueLength, _Out_ PSIZE_T ReturnLength ); #endif NTSYSAPI NTSTATUS NTAPI RtlQueryEnvironmentVariable_U( _In_opt_ PVOID Environment, _In_ PUNICODE_STRING Name, _Inout_ PUNICODE_STRING Value ); #if (PHNT_VERSION >= PHNT_VISTA) // private NTSYSAPI NTSTATUS NTAPI RtlExpandEnvironmentStrings( _In_opt_ PVOID Environment, _In_reads_(SrcLength) PCWSTR Src, _In_ SIZE_T SrcLength, _Out_writes_(DstLength) PWSTR Dst, _In_ SIZE_T DstLength, _Out_opt_ PSIZE_T ReturnLength ); #endif NTSYSAPI NTSTATUS NTAPI RtlExpandEnvironmentStrings_U( _In_opt_ PVOID Environment, _In_ PUNICODE_STRING Source, _Inout_ PUNICODE_STRING Destination, _Out_opt_ PULONG ReturnedLength ); NTSYSAPI NTSTATUS NTAPI RtlSetEnvironmentStrings( _In_ PCWCHAR NewEnvironment, _In_ SIZE_T NewEnvironmentSize ); // Directory and path support typedef struct _RTLP_CURDIR_REF { LONG ReferenceCount; HANDLE DirectoryHandle; } RTLP_CURDIR_REF, *PRTLP_CURDIR_REF; typedef struct _RTL_RELATIVE_NAME_U { UNICODE_STRING RelativeName; HANDLE ContainingDirectory; PRTLP_CURDIR_REF CurDirRef; } RTL_RELATIVE_NAME_U, *PRTL_RELATIVE_NAME_U; typedef enum _RTL_PATH_TYPE { RtlPathTypeUnknown, RtlPathTypeUncAbsolute, RtlPathTypeDriveAbsolute, RtlPathTypeDriveRelative, RtlPathTypeRooted, RtlPathTypeRelative, RtlPathTypeLocalDevice, RtlPathTypeRootLocalDevice } RTL_PATH_TYPE; // Data exports (ntdll.lib/ntdllp.lib) NTSYSAPI PWSTR RtlNtdllName; NTSYSAPI UNICODE_STRING RtlDosPathSeperatorsString; NTSYSAPI UNICODE_STRING RtlAlternateDosPathSeperatorString; NTSYSAPI UNICODE_STRING RtlNtPathSeperatorString; #ifndef PHNT_INLINE_SEPERATOR_STRINGS #define RtlNtdllName L"ntdll.dll" #define RtlDosPathSeperatorsString ((UNICODE_STRING)RTL_CONSTANT_STRING(L"\\/")) #define RtlAlternateDosPathSeperatorString ((UNICODE_STRING)RTL_CONSTANT_STRING(L"/")) #define RtlNtPathSeperatorString ((UNICODE_STRING)RTL_CONSTANT_STRING(L"\\")) #endif // Path functions NTSYSAPI RTL_PATH_TYPE NTAPI RtlDetermineDosPathNameType_U( _In_ PCWSTR DosFileName ); NTSYSAPI RTL_PATH_TYPE NTAPI RtlDetermineDosPathNameType_Ustr( _In_ PCUNICODE_STRING DosFileName ); NTSYSAPI ULONG NTAPI RtlIsDosDeviceName_U( _In_ PCWSTR DosFileName ); NTSYSAPI ULONG NTAPI RtlIsDosDeviceName_Ustr( _In_ PUNICODE_STRING DosFileName ); NTSYSAPI ULONG NTAPI RtlGetFullPathName_U( _In_ PCWSTR FileName, _In_ ULONG BufferLength, _Out_writes_bytes_(BufferLength) PWSTR Buffer, _Out_opt_ PWSTR *FilePart ); #if (PHNT_VERSION >= PHNT_WIN7) // rev NTSYSAPI NTSTATUS NTAPI RtlGetFullPathName_UEx( _In_ PCWSTR FileName, _In_ ULONG BufferLength, _Out_writes_bytes_(BufferLength) PWSTR Buffer, _Out_opt_ PWSTR *FilePart, _Out_opt_ ULONG *BytesRequired ); #endif #if (PHNT_VERSION >= PHNT_WS03) NTSYSAPI NTSTATUS NTAPI RtlGetFullPathName_UstrEx( _In_ PUNICODE_STRING FileName, _Inout_ PUNICODE_STRING StaticString, _Out_opt_ PUNICODE_STRING DynamicString, _Out_opt_ PUNICODE_STRING *StringUsed, _Out_opt_ SIZE_T *FilePartPrefixCch, _Out_opt_ PBOOLEAN NameInvalid, _Out_ RTL_PATH_TYPE *InputPathType, _Out_opt_ SIZE_T *BytesRequired ); #endif NTSYSAPI ULONG NTAPI RtlGetCurrentDirectory_U( _In_ ULONG BufferLength, _Out_writes_bytes_(BufferLength) PWSTR Buffer ); NTSYSAPI NTSTATUS NTAPI RtlSetCurrentDirectory_U( _In_ PUNICODE_STRING PathName ); NTSYSAPI ULONG NTAPI RtlGetLongestNtPathLength( VOID ); NTSYSAPI BOOLEAN NTAPI RtlDosPathNameToNtPathName_U( _In_ PCWSTR DosFileName, _Out_ PUNICODE_STRING NtFileName, _Out_opt_ PWSTR *FilePart, _Out_opt_ PRTL_RELATIVE_NAME_U RelativeName ); #if (PHNT_VERSION >= PHNT_WS03) NTSYSAPI NTSTATUS NTAPI RtlDosPathNameToNtPathName_U_WithStatus( _In_ PCWSTR DosFileName, _Out_ PUNICODE_STRING NtFileName, _Out_opt_ PWSTR *FilePart, _Out_opt_ PRTL_RELATIVE_NAME_U RelativeName ); #endif #if (PHNT_VERSION >= PHNT_REDSTONE3) // rev NTSYSAPI NTSTATUS NTAPI RtlDosLongPathNameToNtPathName_U_WithStatus( _In_ PCWSTR DosFileName, _Out_ PUNICODE_STRING NtFileName, _Out_opt_ PWSTR *FilePart, _Out_opt_ PRTL_RELATIVE_NAME_U RelativeName ); #endif #if (PHNT_VERSION >= PHNT_WS03) NTSYSAPI BOOLEAN NTAPI RtlDosPathNameToRelativeNtPathName_U( _In_ PCWSTR DosFileName, _Out_ PUNICODE_STRING NtFileName, _Out_opt_ PWSTR *FilePart, _Out_opt_ PRTL_RELATIVE_NAME_U RelativeName ); #endif #if (PHNT_VERSION >= PHNT_WS03) NTSYSAPI NTSTATUS NTAPI RtlDosPathNameToRelativeNtPathName_U_WithStatus( _In_ PCWSTR DosFileName, _Out_ PUNICODE_STRING NtFileName, _Out_opt_ PWSTR *FilePart, _Out_opt_ PRTL_RELATIVE_NAME_U RelativeName ); #endif #if (PHNT_VERSION >= PHNT_REDSTONE3) // rev NTSYSAPI NTSTATUS NTAPI RtlDosLongPathNameToRelativeNtPathName_U_WithStatus( _In_ PCWSTR DosFileName, _Out_ PUNICODE_STRING NtFileName, _Out_opt_ PWSTR *FilePart, _Out_opt_ PRTL_RELATIVE_NAME_U RelativeName ); #endif #if (PHNT_VERSION >= PHNT_WS03) NTSYSAPI VOID NTAPI RtlReleaseRelativeName( _Inout_ PRTL_RELATIVE_NAME_U RelativeName ); #endif NTSYSAPI ULONG NTAPI RtlDosSearchPath_U( _In_ PCWSTR Path, _In_ PCWSTR FileName, _In_opt_ PCWSTR Extension, _In_ ULONG BufferLength, _Out_writes_bytes_(BufferLength) PWSTR Buffer, _Out_opt_ PWSTR *FilePart ); #define RTL_DOS_SEARCH_PATH_FLAG_APPLY_ISOLATION_REDIRECTION 0x00000001 #define RTL_DOS_SEARCH_PATH_FLAG_DISALLOW_DOT_RELATIVE_PATH_SEARCH 0x00000002 #define RTL_DOS_SEARCH_PATH_FLAG_APPLY_DEFAULT_EXTENSION_WHEN_NOT_RELATIVE_PATH_EVEN_IF_FILE_HAS_EXTENSION 0x00000004 NTSYSAPI NTSTATUS NTAPI RtlDosSearchPath_Ustr( _In_ ULONG Flags, _In_ PUNICODE_STRING Path, _In_ PUNICODE_STRING FileName, _In_opt_ PUNICODE_STRING DefaultExtension, _Out_opt_ PUNICODE_STRING StaticString, _Out_opt_ PUNICODE_STRING DynamicString, _Out_opt_ PCUNICODE_STRING *FullFileNameOut, _Out_opt_ SIZE_T *FilePartPrefixCch, _Out_opt_ SIZE_T *BytesRequired ); NTSYSAPI BOOLEAN NTAPI RtlDoesFileExists_U( _In_ PCWSTR FileName ); NTSYSAPI NTSTATUS NTAPI RtlGetLengthWithoutLastFullDosOrNtPathElement( _Reserved_ ULONG Flags, _In_ PUNICODE_STRING PathString, _Out_ PULONG Length ); NTSYSAPI NTSTATUS NTAPI RtlGetLengthWithoutTrailingPathSeperators( _Reserved_ ULONG Flags, _In_ PUNICODE_STRING PathString, _Out_ PULONG Length ); typedef struct _GENERATE_NAME_CONTEXT { USHORT Checksum; BOOLEAN CheckSumInserted; UCHAR NameLength; WCHAR NameBuffer[8]; ULONG ExtensionLength; WCHAR ExtensionBuffer[4]; ULONG LastIndexValue; } GENERATE_NAME_CONTEXT, *PGENERATE_NAME_CONTEXT; // private NTSYSAPI NTSTATUS NTAPI RtlGenerate8dot3Name( _In_ PUNICODE_STRING Name, _In_ BOOLEAN AllowExtendedCharacters, _In_ PGENERATE_NAME_CONTEXT Context, _Out_ PUNICODE_STRING Name8dot3 ); #if (PHNT_VERSION >= PHNT_WIN8) // private NTSYSAPI NTSTATUS NTAPI RtlComputePrivatizedDllName_U( _In_ PUNICODE_STRING DllName, _Out_ PUNICODE_STRING RealName, _Out_ PUNICODE_STRING LocalName ); // rev NTSYSAPI BOOLEAN NTAPI RtlGetSearchPath( _Out_ PWSTR *SearchPath ); // rev NTSYSAPI NTSTATUS NTAPI RtlSetSearchPathMode( _In_ ULONG Flags ); // rev NTSYSAPI PWSTR NTAPI RtlGetExePath( VOID ); #endif #if (PHNT_VERSION >= PHNT_REDSTONE2) // private NTSYSAPI PWSTR NTAPI RtlGetNtSystemRoot( VOID ); // rev NTSYSAPI BOOLEAN NTAPI RtlAreLongPathsEnabled( VOID ); #endif NTSYSAPI BOOLEAN NTAPI RtlIsThreadWithinLoaderCallout( VOID ); NTSYSAPI BOOLEAN NTAPI RtlDllShutdownInProgress( VOID ); // Heaps typedef struct _RTL_HEAP_ENTRY { SIZE_T Size; USHORT Flags; USHORT AllocatorBackTraceIndex; union { struct { SIZE_T Settable; ULONG Tag; } s1; struct { SIZE_T CommittedSize; PVOID FirstBlock; } s2; } u; } RTL_HEAP_ENTRY, *PRTL_HEAP_ENTRY; #define RTL_HEAP_BUSY (USHORT)0x0001 #define RTL_HEAP_SEGMENT (USHORT)0x0002 #define RTL_HEAP_SETTABLE_VALUE (USHORT)0x0010 #define RTL_HEAP_SETTABLE_FLAG1 (USHORT)0x0020 #define RTL_HEAP_SETTABLE_FLAG2 (USHORT)0x0040 #define RTL_HEAP_SETTABLE_FLAG3 (USHORT)0x0080 #define RTL_HEAP_SETTABLE_FLAGS (USHORT)0x00e0 #define RTL_HEAP_UNCOMMITTED_RANGE (USHORT)0x0100 #define RTL_HEAP_PROTECTED_ENTRY (USHORT)0x0200 typedef struct _RTL_HEAP_TAG { ULONG NumberOfAllocations; ULONG NumberOfFrees; SIZE_T BytesAllocated; USHORT TagIndex; USHORT CreatorBackTraceIndex; WCHAR TagName[24]; } RTL_HEAP_TAG, *PRTL_HEAP_TAG; typedef struct _RTL_HEAP_INFORMATION { PVOID BaseAddress; ULONG Flags; USHORT EntryOverhead; USHORT CreatorBackTraceIndex; SIZE_T BytesAllocated; SIZE_T BytesCommitted; ULONG NumberOfTags; ULONG NumberOfEntries; ULONG NumberOfPseudoTags; ULONG PseudoTagGranularity; ULONG Reserved[5]; PRTL_HEAP_TAG Tags; PRTL_HEAP_ENTRY Entries; } RTL_HEAP_INFORMATION, *PRTL_HEAP_INFORMATION; typedef struct _RTL_PROCESS_HEAPS { ULONG NumberOfHeaps; RTL_HEAP_INFORMATION Heaps[1]; } RTL_PROCESS_HEAPS, *PRTL_PROCESS_HEAPS; typedef NTSTATUS (NTAPI *PRTL_HEAP_COMMIT_ROUTINE)( _In_ PVOID Base, _Inout_ PVOID *CommitAddress, _Inout_ PSIZE_T CommitSize ); typedef struct _RTL_HEAP_PARAMETERS { ULONG Length; SIZE_T SegmentReserve; SIZE_T SegmentCommit; SIZE_T DeCommitFreeBlockThreshold; SIZE_T DeCommitTotalFreeThreshold; SIZE_T MaximumAllocationSize; SIZE_T VirtualMemoryThreshold; SIZE_T InitialCommit; SIZE_T InitialReserve; PRTL_HEAP_COMMIT_ROUTINE CommitRoutine; SIZE_T Reserved[2]; } RTL_HEAP_PARAMETERS, *PRTL_HEAP_PARAMETERS; #define HEAP_SETTABLE_USER_VALUE 0x00000100 #define HEAP_SETTABLE_USER_FLAG1 0x00000200 #define HEAP_SETTABLE_USER_FLAG2 0x00000400 #define HEAP_SETTABLE_USER_FLAG3 0x00000800 #define HEAP_SETTABLE_USER_FLAGS 0x00000e00 #define HEAP_CLASS_0 0x00000000 // Process heap #define HEAP_CLASS_1 0x00001000 // Private heap #define HEAP_CLASS_2 0x00002000 // Kernel heap #define HEAP_CLASS_3 0x00003000 // GDI heap #define HEAP_CLASS_4 0x00004000 // User heap #define HEAP_CLASS_5 0x00005000 // Console heap #define HEAP_CLASS_6 0x00006000 // User desktop heap #define HEAP_CLASS_7 0x00007000 // CSR shared heap #define HEAP_CLASS_8 0x00008000 // CSR port heap #define HEAP_CLASS_MASK 0x0000f000 NTSYSAPI PVOID NTAPI RtlCreateHeap( _In_ ULONG Flags, _In_opt_ PVOID HeapBase, _In_opt_ SIZE_T ReserveSize, _In_opt_ SIZE_T CommitSize, _In_opt_ PVOID Lock, _In_opt_ PRTL_HEAP_PARAMETERS Parameters ); NTSYSAPI PVOID NTAPI RtlDestroyHeap( _Frees_ptr_ PVOID HeapHandle ); NTSYSAPI PVOID NTAPI RtlAllocateHeap( _In_ PVOID HeapHandle, _In_opt_ ULONG Flags, _In_ SIZE_T Size ); NTSYSAPI BOOLEAN NTAPI RtlFreeHeap( _In_ PVOID HeapHandle, _In_opt_ ULONG Flags, _Frees_ptr_opt_ PVOID BaseAddress ); NTSYSAPI SIZE_T NTAPI RtlSizeHeap( _In_ PVOID HeapHandle, _In_ ULONG Flags, _In_ PVOID BaseAddress ); NTSYSAPI NTSTATUS NTAPI RtlZeroHeap( _In_ PVOID HeapHandle, _In_ ULONG Flags ); NTSYSAPI VOID NTAPI RtlProtectHeap( _In_ PVOID HeapHandle, _In_ BOOLEAN MakeReadOnly ); #define RtlProcessHeap() (NtCurrentPeb()->ProcessHeap) NTSYSAPI BOOLEAN NTAPI RtlLockHeap( _In_ PVOID HeapHandle ); NTSYSAPI BOOLEAN NTAPI RtlUnlockHeap( _In_ PVOID HeapHandle ); NTSYSAPI PVOID NTAPI RtlReAllocateHeap( _In_ PVOID HeapHandle, _In_ ULONG Flags, _Frees_ptr_opt_ PVOID BaseAddress, _In_ SIZE_T Size ); NTSYSAPI BOOLEAN NTAPI RtlGetUserInfoHeap( _In_ PVOID HeapHandle, _In_ ULONG Flags, _In_ PVOID BaseAddress, _Out_opt_ PVOID *UserValue, _Out_opt_ PULONG UserFlags ); NTSYSAPI BOOLEAN NTAPI RtlSetUserValueHeap( _In_ PVOID HeapHandle, _In_ ULONG Flags, _In_ PVOID BaseAddress, _In_ PVOID UserValue ); NTSYSAPI BOOLEAN NTAPI RtlSetUserFlagsHeap( _In_ PVOID HeapHandle, _In_ ULONG Flags, _In_ PVOID BaseAddress, _In_ ULONG UserFlagsReset, _In_ ULONG UserFlagsSet ); typedef struct _RTL_HEAP_TAG_INFO { ULONG NumberOfAllocations; ULONG NumberOfFrees; SIZE_T BytesAllocated; } RTL_HEAP_TAG_INFO, *PRTL_HEAP_TAG_INFO; #define RTL_HEAP_MAKE_TAG HEAP_MAKE_TAG_FLAGS NTSYSAPI ULONG NTAPI RtlCreateTagHeap( _In_ PVOID HeapHandle, _In_ ULONG Flags, _In_opt_ PWSTR TagPrefix, _In_ PWSTR TagNames ); NTSYSAPI PWSTR NTAPI RtlQueryTagHeap( _In_ PVOID HeapHandle, _In_ ULONG Flags, _In_ USHORT TagIndex, _In_ BOOLEAN ResetCounters, _Out_opt_ PRTL_HEAP_TAG_INFO TagInfo ); NTSYSAPI NTSTATUS NTAPI RtlExtendHeap( _In_ PVOID HeapHandle, _In_ ULONG Flags, _In_ PVOID Base, _In_ SIZE_T Size ); NTSYSAPI SIZE_T NTAPI RtlCompactHeap( _In_ PVOID HeapHandle, _In_ ULONG Flags ); NTSYSAPI BOOLEAN NTAPI RtlValidateHeap( _In_ PVOID HeapHandle, _In_ ULONG Flags, _In_ PVOID BaseAddress ); NTSYSAPI BOOLEAN NTAPI RtlValidateProcessHeaps( VOID ); NTSYSAPI ULONG NTAPI RtlGetProcessHeaps( _In_ ULONG NumberOfHeaps, _Out_ PVOID *ProcessHeaps ); typedef NTSTATUS (NTAPI *PRTL_ENUM_HEAPS_ROUTINE)( _In_ PVOID HeapHandle, _In_ PVOID Parameter ); NTSYSAPI NTSTATUS NTAPI RtlEnumProcessHeaps( _In_ PRTL_ENUM_HEAPS_ROUTINE EnumRoutine, _In_ PVOID Parameter ); typedef struct _RTL_HEAP_USAGE_ENTRY { struct _RTL_HEAP_USAGE_ENTRY *Next; PVOID Address; SIZE_T Size; USHORT AllocatorBackTraceIndex; USHORT TagIndex; } RTL_HEAP_USAGE_ENTRY, *PRTL_HEAP_USAGE_ENTRY; typedef struct _RTL_HEAP_USAGE { ULONG Length; SIZE_T BytesAllocated; SIZE_T BytesCommitted; SIZE_T BytesReserved; SIZE_T BytesReservedMaximum; PRTL_HEAP_USAGE_ENTRY Entries; PRTL_HEAP_USAGE_ENTRY AddedEntries; PRTL_HEAP_USAGE_ENTRY RemovedEntries; ULONG_PTR Reserved[8]; } RTL_HEAP_USAGE, *PRTL_HEAP_USAGE; #define HEAP_USAGE_ALLOCATED_BLOCKS HEAP_REALLOC_IN_PLACE_ONLY #define HEAP_USAGE_FREE_BUFFER HEAP_ZERO_MEMORY NTSYSAPI NTSTATUS NTAPI RtlUsageHeap( _In_ PVOID HeapHandle, _In_ ULONG Flags, _Inout_ PRTL_HEAP_USAGE Usage ); typedef struct _RTL_HEAP_WALK_ENTRY { PVOID DataAddress; SIZE_T DataSize; UCHAR OverheadBytes; UCHAR SegmentIndex; USHORT Flags; union { struct { SIZE_T Settable; USHORT TagIndex; USHORT AllocatorBackTraceIndex; ULONG Reserved[2]; } Block; struct { ULONG CommittedSize; ULONG UnCommittedSize; PVOID FirstEntry; PVOID LastEntry; } Segment; }; } RTL_HEAP_WALK_ENTRY, *PRTL_HEAP_WALK_ENTRY; NTSYSAPI NTSTATUS NTAPI RtlWalkHeap( _In_ PVOID HeapHandle, _Inout_ PRTL_HEAP_WALK_ENTRY Entry ); // HEAP_INFORMATION_CLASS #define HeapCompatibilityInformation 0x0 // q; s: ULONG #define HeapEnableTerminationOnCorruption 0x1 // q; s: NULL #define HeapExtendedInformation 0x2 // q; s: HEAP_EXTENDED_INFORMATION #define HeapOptimizeResources 0x3 // q; s: HEAP_OPTIMIZE_RESOURCES_INFORMATION #define HeapTaggingInformation 0x4 #define HeapStackDatabase 0x5 #define HeapMemoryLimit 0x6 // 19H2 #define HeapDetailedFailureInformation 0x80000001 #define HeapSetDebuggingInformation 0x80000002 // q; s: HEAP_DEBUGGING_INFORMATION typedef enum _HEAP_COMPATIBILITY_MODE { HEAP_COMPATIBILITY_STANDARD = 0UL, HEAP_COMPATIBILITY_LAL = 1UL, HEAP_COMPATIBILITY_LFH = 2UL, } HEAP_COMPATIBILITY_MODE; typedef struct _PROCESS_HEAP_INFORMATION { ULONG_PTR ReserveSize; ULONG_PTR CommitSize; ULONG NumberOfHeaps; ULONG_PTR FirstHeapInformationOffset; } PROCESS_HEAP_INFORMATION, *PPROCESS_HEAP_INFORMATION; typedef struct _HEAP_INFORMATION { ULONG_PTR Address; ULONG Mode; ULONG_PTR ReserveSize; ULONG_PTR CommitSize; ULONG_PTR FirstRegionInformationOffset; ULONG_PTR NextHeapInformationOffset; } HEAP_INFORMATION, *PHEAP_INFORMATION; typedef struct _HEAP_EXTENDED_INFORMATION { HANDLE Process; ULONG_PTR Heap; ULONG Level; PVOID CallbackRoutine; PVOID CallbackContext; union { PROCESS_HEAP_INFORMATION ProcessHeapInformation; HEAP_INFORMATION HeapInformation; }; } HEAP_EXTENDED_INFORMATION, *PHEAP_EXTENDED_INFORMATION; // rev typedef NTSTATUS (NTAPI *PRTL_HEAP_LEAK_ENUMERATION_ROUTINE)( _In_ LONG Reserved, _In_ PVOID HeapHandle, _In_ PVOID BaseAddress, _In_ SIZE_T BlockSize, _In_ ULONG StackTraceDepth, _In_ PVOID *StackTrace ); // symbols typedef struct _HEAP_DEBUGGING_INFORMATION { PVOID InterceptorFunction; USHORT InterceptorValue; ULONG ExtendedOptions; ULONG StackTraceDepth; SIZE_T MinTotalBlockSize; SIZE_T MaxTotalBlockSize; PRTL_HEAP_LEAK_ENUMERATION_ROUTINE HeapLeakEnumerationRoutine; } HEAP_DEBUGGING_INFORMATION, *PHEAP_DEBUGGING_INFORMATION; NTSYSAPI NTSTATUS NTAPI RtlQueryHeapInformation( _In_ PVOID HeapHandle, _In_ HEAP_INFORMATION_CLASS HeapInformationClass, _Out_opt_ PVOID HeapInformation, _In_opt_ SIZE_T HeapInformationLength, _Out_opt_ PSIZE_T ReturnLength ); NTSYSAPI NTSTATUS NTAPI RtlSetHeapInformation( _In_ PVOID HeapHandle, _In_ HEAP_INFORMATION_CLASS HeapInformationClass, _In_opt_ PVOID HeapInformation, _In_opt_ SIZE_T HeapInformationLength ); NTSYSAPI ULONG NTAPI RtlMultipleAllocateHeap( _In_ PVOID HeapHandle, _In_ ULONG Flags, _In_ SIZE_T Size, _In_ ULONG Count, _Out_ PVOID *Array ); NTSYSAPI ULONG NTAPI RtlMultipleFreeHeap( _In_ PVOID HeapHandle, _In_ ULONG Flags, _In_ ULONG Count, _In_ PVOID *Array ); #if (PHNT_VERSION >= PHNT_WIN7) NTSYSAPI VOID NTAPI RtlDetectHeapLeaks( VOID ); #endif NTSYSAPI VOID NTAPI RtlFlushHeaps( VOID ); // Memory zones // begin_private typedef struct _RTL_MEMORY_ZONE_SEGMENT { struct _RTL_MEMORY_ZONE_SEGMENT *NextSegment; SIZE_T Size; PVOID Next; PVOID Limit; } RTL_MEMORY_ZONE_SEGMENT, *PRTL_MEMORY_ZONE_SEGMENT; typedef struct _RTL_MEMORY_ZONE { RTL_MEMORY_ZONE_SEGMENT Segment; RTL_SRWLOCK Lock; ULONG LockCount; PRTL_MEMORY_ZONE_SEGMENT FirstSegment; } RTL_MEMORY_ZONE, *PRTL_MEMORY_ZONE; #if (PHNT_VERSION >= PHNT_VISTA) NTSYSAPI NTSTATUS NTAPI RtlCreateMemoryZone( _Out_ PVOID *MemoryZone, _In_ SIZE_T InitialSize, _Reserved_ ULONG Flags ); NTSYSAPI NTSTATUS NTAPI RtlDestroyMemoryZone( _In_ _Post_invalid_ PVOID MemoryZone ); NTSYSAPI NTSTATUS NTAPI RtlAllocateMemoryZone( _In_ PVOID MemoryZone, _In_ SIZE_T BlockSize, _Out_ PVOID *Block ); NTSYSAPI NTSTATUS NTAPI RtlResetMemoryZone( _In_ PVOID MemoryZone ); NTSYSAPI NTSTATUS NTAPI RtlLockMemoryZone( _In_ PVOID MemoryZone ); NTSYSAPI NTSTATUS NTAPI RtlUnlockMemoryZone( _In_ PVOID MemoryZone ); #endif // end_private // Memory block lookaside lists // begin_private #if (PHNT_VERSION >= PHNT_VISTA) NTSYSAPI NTSTATUS NTAPI RtlCreateMemoryBlockLookaside( _Out_ PVOID *MemoryBlockLookaside, _Reserved_ ULONG Flags, _In_ ULONG InitialSize, _In_ ULONG MinimumBlockSize, _In_ ULONG MaximumBlockSize ); NTSYSAPI NTSTATUS NTAPI RtlDestroyMemoryBlockLookaside( _In_ PVOID MemoryBlockLookaside ); NTSYSAPI NTSTATUS NTAPI RtlAllocateMemoryBlockLookaside( _In_ PVOID MemoryBlockLookaside, _In_ ULONG BlockSize, _Out_ PVOID *Block ); NTSYSAPI NTSTATUS NTAPI RtlFreeMemoryBlockLookaside( _In_ PVOID MemoryBlockLookaside, _In_ PVOID Block ); NTSYSAPI NTSTATUS NTAPI RtlExtendMemoryBlockLookaside( _In_ PVOID MemoryBlockLookaside, _In_ ULONG Increment ); NTSYSAPI NTSTATUS NTAPI RtlResetMemoryBlockLookaside( _In_ PVOID MemoryBlockLookaside ); NTSYSAPI NTSTATUS NTAPI RtlLockMemoryBlockLookaside( _In_ PVOID MemoryBlockLookaside ); NTSYSAPI NTSTATUS NTAPI RtlUnlockMemoryBlockLookaside( _In_ PVOID MemoryBlockLookaside ); #endif // end_private // Transactions #if (PHNT_VERSION >= PHNT_VISTA) // private NTSYSAPI HANDLE NTAPI RtlGetCurrentTransaction( VOID ); #endif #if (PHNT_VERSION >= PHNT_VISTA) // private NTSYSAPI LOGICAL NTAPI RtlSetCurrentTransaction( _In_ HANDLE TransactionHandle ); #endif // LUIDs FORCEINLINE BOOLEAN RtlIsEqualLuid( // RtlEqualLuid _In_ PLUID L1, _In_ PLUID L2 ) { return L1->LowPart == L2->LowPart && L1->HighPart == L2->HighPart; } FORCEINLINE BOOLEAN RtlIsZeroLuid( _In_ PLUID L1 ) { return (L1->LowPart | L1->HighPart) == 0; } FORCEINLINE LUID RtlConvertLongToLuid( _In_ LONG Long ) { LUID tempLuid; LARGE_INTEGER tempLi; tempLi.QuadPart = Long; tempLuid.LowPart = tempLi.LowPart; tempLuid.HighPart = tempLi.HighPart; return tempLuid; } FORCEINLINE LUID RtlConvertUlongToLuid( _In_ ULONG Ulong ) { LUID tempLuid; tempLuid.LowPart = Ulong; tempLuid.HighPart = 0; return tempLuid; } NTSYSAPI VOID NTAPI RtlCopyLuid( _Out_ PLUID DestinationLuid, _In_ PLUID SourceLuid ); // ros NTSYSAPI VOID NTAPI RtlCopyLuidAndAttributesArray( _In_ ULONG Count, _In_ PLUID_AND_ATTRIBUTES Src, _In_ PLUID_AND_ATTRIBUTES Dest ); // Byte swap routines. #ifndef PHNT_RTL_BYTESWAP #define RtlUshortByteSwap(_x) _byteswap_ushort((USHORT)(_x)) #define RtlUlongByteSwap(_x) _byteswap_ulong((_x)) #define RtlUlonglongByteSwap(_x) _byteswap_uint64((_x)) #else NTSYSAPI USHORT FASTCALL RtlUshortByteSwap( _In_ USHORT Source ); NTSYSAPI ULONG FASTCALL RtlUlongByteSwap( _In_ ULONG Source ); NTSYSAPI ULONGLONG FASTCALL RtlUlonglongByteSwap( _In_ ULONGLONG Source ); #endif // Debugging // private typedef struct _RTL_PROCESS_VERIFIER_OPTIONS { ULONG SizeStruct; ULONG Option; UCHAR OptionData[1]; } RTL_PROCESS_VERIFIER_OPTIONS, *PRTL_PROCESS_VERIFIER_OPTIONS; // private typedef struct _RTL_DEBUG_INFORMATION { HANDLE SectionHandleClient; PVOID ViewBaseClient; PVOID ViewBaseTarget; ULONG_PTR ViewBaseDelta; HANDLE EventPairClient; HANDLE EventPairTarget; HANDLE TargetProcessId; HANDLE TargetThreadHandle; ULONG Flags; SIZE_T OffsetFree; SIZE_T CommitSize; SIZE_T ViewSize; union { struct _RTL_PROCESS_MODULES *Modules; struct _RTL_PROCESS_MODULE_INFORMATION_EX *ModulesEx; }; struct _RTL_PROCESS_BACKTRACES *BackTraces; struct _RTL_PROCESS_HEAPS *Heaps; struct _RTL_PROCESS_LOCKS *Locks; PVOID SpecificHeap; HANDLE TargetProcessHandle; PRTL_PROCESS_VERIFIER_OPTIONS VerifierOptions; PVOID ProcessHeap; HANDLE CriticalSectionHandle; HANDLE CriticalSectionOwnerThread; PVOID Reserved[4]; } RTL_DEBUG_INFORMATION, *PRTL_DEBUG_INFORMATION; NTSYSAPI PRTL_DEBUG_INFORMATION NTAPI RtlCreateQueryDebugBuffer( _In_opt_ ULONG MaximumCommit, _In_ BOOLEAN UseEventPair ); NTSYSAPI NTSTATUS NTAPI RtlDestroyQueryDebugBuffer( _In_ PRTL_DEBUG_INFORMATION Buffer ); #if (PHNT_VERSION >= PHNT_VISTA) // private NTSYSAPI PVOID NTAPI RtlCommitDebugInfo( _Inout_ PRTL_DEBUG_INFORMATION Buffer, _In_ SIZE_T Size ); // private NTSYSAPI VOID NTAPI RtlDeCommitDebugInfo( _Inout_ PRTL_DEBUG_INFORMATION Buffer, _In_ PVOID p, _In_ SIZE_T Size ); #endif #define RTL_QUERY_PROCESS_MODULES 0x00000001 #define RTL_QUERY_PROCESS_BACKTRACES 0x00000002 #define RTL_QUERY_PROCESS_HEAP_SUMMARY 0x00000004 #define RTL_QUERY_PROCESS_HEAP_TAGS 0x00000008 #define RTL_QUERY_PROCESS_HEAP_ENTRIES 0x00000010 #define RTL_QUERY_PROCESS_LOCKS 0x00000020 #define RTL_QUERY_PROCESS_MODULES32 0x00000040 #define RTL_QUERY_PROCESS_VERIFIER_OPTIONS 0x00000080 // rev #define RTL_QUERY_PROCESS_MODULESEX 0x00000100 // rev #define RTL_QUERY_PROCESS_HEAP_ENTRIES_EX 0x00000200 // ? #define RTL_QUERY_PROCESS_CS_OWNER 0x00000400 // rev #define RTL_QUERY_PROCESS_NONINVASIVE 0x80000000 NTSYSAPI NTSTATUS NTAPI RtlQueryProcessDebugInformation( _In_ HANDLE UniqueProcessId, _In_ ULONG Flags, _Inout_ PRTL_DEBUG_INFORMATION Buffer ); // Messages NTSYSAPI NTSTATUS NTAPI RtlFindMessage( _In_ PVOID DllHandle, _In_ ULONG MessageTableId, _In_ ULONG MessageLanguageId, _In_ ULONG MessageId, _Out_ PMESSAGE_RESOURCE_ENTRY *MessageEntry ); NTSYSAPI NTSTATUS NTAPI RtlFormatMessage( _In_ PWSTR MessageFormat, _In_ ULONG MaximumWidth, _In_ BOOLEAN IgnoreInserts, _In_ BOOLEAN ArgumentsAreAnsi, _In_ BOOLEAN ArgumentsAreAnArray, _In_ va_list *Arguments, _Out_writes_bytes_to_(Length, *ReturnLength) PWSTR Buffer, _In_ ULONG Length, _Out_opt_ PULONG ReturnLength ); typedef struct _PARSE_MESSAGE_CONTEXT { ULONG fFlags; ULONG cwSavColumn; SIZE_T iwSrc; SIZE_T iwDst; SIZE_T iwDstSpace; va_list lpvArgStart; } PARSE_MESSAGE_CONTEXT, *PPARSE_MESSAGE_CONTEXT; #define INIT_PARSE_MESSAGE_CONTEXT(ctx) { (ctx)->fFlags = 0; } #define TEST_PARSE_MESSAGE_CONTEXT_FLAG(ctx, flag) ((ctx)->fFlags & (flag)) #define SET_PARSE_MESSAGE_CONTEXT_FLAG(ctx, flag) ((ctx)->fFlags |= (flag)) #define CLEAR_PARSE_MESSAGE_CONTEXT_FLAG(ctx, flag) ((ctx)->fFlags &= ~(flag)) NTSYSAPI NTSTATUS NTAPI RtlFormatMessageEx( _In_ PWSTR MessageFormat, _In_ ULONG MaximumWidth, _In_ BOOLEAN IgnoreInserts, _In_ BOOLEAN ArgumentsAreAnsi, _In_ BOOLEAN ArgumentsAreAnArray, _In_ va_list *Arguments, _Out_writes_bytes_to_(Length, *ReturnLength) PWSTR Buffer, _In_ ULONG Length, _Out_opt_ PULONG ReturnLength, _Out_opt_ PPARSE_MESSAGE_CONTEXT ParseContext ); // Errors NTSYSAPI ULONG NTAPI RtlNtStatusToDosError( _In_ NTSTATUS Status ); NTSYSAPI ULONG NTAPI RtlNtStatusToDosErrorNoTeb( _In_ NTSTATUS Status ); NTSYSAPI NTSTATUS NTAPI RtlGetLastNtStatus( VOID ); NTSYSAPI LONG NTAPI RtlGetLastWin32Error( VOID ); NTSYSAPI VOID NTAPI RtlSetLastWin32ErrorAndNtStatusFromNtStatus( _In_ NTSTATUS Status ); NTSYSAPI VOID NTAPI RtlSetLastWin32Error( _In_ LONG Win32Error ); NTSYSAPI VOID NTAPI RtlRestoreLastWin32Error( _In_ LONG Win32Error ); #define RTL_ERRORMODE_FAILCRITICALERRORS 0x0010 #define RTL_ERRORMODE_NOGPFAULTERRORBOX 0x0020 #define RTL_ERRORMODE_NOOPENFILEERRORBOX 0x0040 NTSYSAPI ULONG NTAPI RtlGetThreadErrorMode( VOID ); NTSYSAPI NTSTATUS NTAPI RtlSetThreadErrorMode( _In_ ULONG NewMode, _Out_opt_ PULONG OldMode ); // Windows Error Reporting #if (PHNT_VERSION >= PHNT_VISTA) // private NTSYSAPI NTSTATUS NTAPI RtlReportException( _In_ PEXCEPTION_RECORD ExceptionRecord, _In_ PCONTEXT ContextRecord, _In_ ULONG Flags ); #endif #if (PHNT_VERSION >= PHNT_REDSTONE) // rev NTSYSAPI NTSTATUS NTAPI RtlReportExceptionEx( _In_ PEXCEPTION_RECORD ExceptionRecord, _In_ PCONTEXT ContextRecord, _In_ ULONG Flags, _In_ PLARGE_INTEGER Timeout ); #endif #if (PHNT_VERSION >= PHNT_VISTA) // private NTSYSAPI NTSTATUS NTAPI RtlWerpReportException( _In_ ULONG ProcessId, _In_ HANDLE CrashReportSharedMem, _In_ ULONG Flags, _Out_ PHANDLE CrashVerticalProcessHandle ); #endif #if (PHNT_VERSION >= PHNT_WIN7) // rev NTSYSAPI NTSTATUS NTAPI RtlReportSilentProcessExit( _In_ HANDLE ProcessHandle, _In_ NTSTATUS ExitStatus ); #endif // Vectored Exception Handlers NTSYSAPI PVOID NTAPI RtlAddVectoredExceptionHandler( _In_ ULONG First, _In_ PVECTORED_EXCEPTION_HANDLER Handler ); NTSYSAPI ULONG NTAPI RtlRemoveVectoredExceptionHandler( _In_ PVOID Handle ); NTSYSAPI PVOID NTAPI RtlAddVectoredContinueHandler( _In_ ULONG First, _In_ PVECTORED_EXCEPTION_HANDLER Handler ); NTSYSAPI ULONG NTAPI RtlRemoveVectoredContinueHandler( _In_ PVOID Handle ); // Random NTSYSAPI ULONG NTAPI RtlUniform( _Inout_ PULONG Seed ); NTSYSAPI ULONG NTAPI RtlRandom( _Inout_ PULONG Seed ); NTSYSAPI ULONG NTAPI RtlRandomEx( _Inout_ PULONG Seed ); NTSYSAPI NTSTATUS NTAPI RtlComputeImportTableHash( _In_ HANDLE FileHandle, _Out_writes_bytes_(16) PCHAR Hash, _In_ ULONG ImportTableHashRevision // must be 1 ); // Integer conversion NTSYSAPI NTSTATUS NTAPI RtlIntegerToChar( _In_ ULONG Value, _In_opt_ ULONG Base, _In_ LONG OutputLength, // negative to pad to width _Out_ PSTR String ); NTSYSAPI NTSTATUS NTAPI RtlCharToInteger( _In_ PCSTR String, _In_opt_ ULONG Base, _Out_ PULONG Value ); NTSYSAPI NTSTATUS NTAPI RtlLargeIntegerToChar( _In_ PLARGE_INTEGER Value, _In_opt_ ULONG Base, _In_ LONG OutputLength, _Out_ PSTR String ); NTSYSAPI NTSTATUS NTAPI RtlIntegerToUnicodeString( _In_ ULONG Value, _In_opt_ ULONG Base, _Inout_ PUNICODE_STRING String ); NTSYSAPI NTSTATUS NTAPI RtlInt64ToUnicodeString( _In_ ULONGLONG Value, _In_opt_ ULONG Base, _Inout_ PUNICODE_STRING String ); #ifdef _WIN64 #define RtlIntPtrToUnicodeString(Value, Base, String) RtlInt64ToUnicodeString(Value, Base, String) #else #define RtlIntPtrToUnicodeString(Value, Base, String) RtlIntegerToUnicodeString(Value, Base, String) #endif NTSYSAPI NTSTATUS NTAPI RtlUnicodeStringToInteger( _In_ PUNICODE_STRING String, _In_opt_ ULONG Base, _Out_ PULONG Value ); // IPv4/6 conversion struct in_addr; struct in6_addr; NTSYSAPI PWSTR NTAPI RtlIpv4AddressToStringW( _In_ const struct in_addr *Address, _Out_writes_(16) PWSTR AddressString ); NTSYSAPI NTSTATUS NTAPI RtlIpv4AddressToStringExW( _In_ const struct in_addr *Address, _In_ USHORT Port, _Out_writes_to_(*AddressStringLength, *AddressStringLength) PWSTR AddressString, _Inout_ PULONG AddressStringLength ); NTSYSAPI PWSTR NTAPI RtlIpv6AddressToStringW( _In_ const struct in6_addr *Address, _Out_writes_(46) PWSTR AddressString ); NTSYSAPI NTSTATUS NTAPI RtlIpv6AddressToStringExW( _In_ const struct in6_addr *Address, _In_ ULONG ScopeId, _In_ USHORT Port, _Out_writes_to_(*AddressStringLength, *AddressStringLength) PWSTR AddressString, _Inout_ PULONG AddressStringLength ); NTSYSAPI NTSTATUS NTAPI RtlIpv4StringToAddressW( _In_ PCWSTR AddressString, _In_ BOOLEAN Strict, _Out_ LPCWSTR *Terminator, _Out_ struct in_addr *Address ); NTSYSAPI NTSTATUS NTAPI RtlIpv4StringToAddressExW( _In_ PCWSTR AddressString, _In_ BOOLEAN Strict, _Out_ struct in_addr *Address, _Out_ PUSHORT Port ); NTSYSAPI NTSTATUS NTAPI RtlIpv6StringToAddressW( _In_ PCWSTR AddressString, _Out_ PCWSTR *Terminator, _Out_ struct in6_addr *Address ); NTSYSAPI NTSTATUS NTAPI RtlIpv6StringToAddressExW( _In_ PCWSTR AddressString, _Out_ struct in6_addr *Address, _Out_ PULONG ScopeId, _Out_ PUSHORT Port ); #define RtlIpv4AddressToString RtlIpv4AddressToStringW #define RtlIpv4AddressToStringEx RtlIpv4AddressToStringExW #define RtlIpv6AddressToString RtlIpv6AddressToStringW #define RtlIpv6AddressToStringEx RtlIpv6AddressToStringExW #define RtlIpv4StringToAddress RtlIpv4StringToAddressW #define RtlIpv4StringToAddressEx RtlIpv4StringToAddressExW #define RtlIpv6StringToAddress RtlIpv6StringToAddressW #define RtlIpv6StringToAddressEx RtlIpv6StringToAddressExW // Time typedef struct _TIME_FIELDS { CSHORT Year; // 1601... CSHORT Month; // 1..12 CSHORT Day; // 1..31 CSHORT Hour; // 0..23 CSHORT Minute; // 0..59 CSHORT Second; // 0..59 CSHORT Milliseconds; // 0..999 CSHORT Weekday; // 0..6 = Sunday..Saturday } TIME_FIELDS, *PTIME_FIELDS; NTSYSAPI BOOLEAN NTAPI RtlCutoverTimeToSystemTime( _In_ PTIME_FIELDS CutoverTime, _Out_ PLARGE_INTEGER SystemTime, _In_ PLARGE_INTEGER CurrentSystemTime, _In_ BOOLEAN ThisYear ); NTSYSAPI NTSTATUS NTAPI RtlSystemTimeToLocalTime( _In_ PLARGE_INTEGER SystemTime, _Out_ PLARGE_INTEGER LocalTime ); NTSYSAPI NTSTATUS NTAPI RtlLocalTimeToSystemTime( _In_ PLARGE_INTEGER LocalTime, _Out_ PLARGE_INTEGER SystemTime ); NTSYSAPI VOID NTAPI RtlTimeToElapsedTimeFields( _In_ PLARGE_INTEGER Time, _Out_ PTIME_FIELDS TimeFields ); NTSYSAPI VOID NTAPI RtlTimeToTimeFields( _In_ PLARGE_INTEGER Time, _Out_ PTIME_FIELDS TimeFields ); NTSYSAPI BOOLEAN NTAPI RtlTimeFieldsToTime( _In_ PTIME_FIELDS TimeFields, // Weekday is ignored _Out_ PLARGE_INTEGER Time ); NTSYSAPI BOOLEAN NTAPI RtlTimeToSecondsSince1980( _In_ PLARGE_INTEGER Time, _Out_ PULONG ElapsedSeconds ); NTSYSAPI VOID NTAPI RtlSecondsSince1980ToTime( _In_ ULONG ElapsedSeconds, _Out_ PLARGE_INTEGER Time ); NTSYSAPI BOOLEAN NTAPI RtlTimeToSecondsSince1970( _In_ PLARGE_INTEGER Time, _Out_ PULONG ElapsedSeconds ); NTSYSAPI VOID NTAPI RtlSecondsSince1970ToTime( _In_ ULONG ElapsedSeconds, _Out_ PLARGE_INTEGER Time ); // Time zones typedef struct _RTL_TIME_ZONE_INFORMATION { LONG Bias; WCHAR StandardName[32]; TIME_FIELDS StandardStart; LONG StandardBias; WCHAR DaylightName[32]; TIME_FIELDS DaylightStart; LONG DaylightBias; } RTL_TIME_ZONE_INFORMATION, *PRTL_TIME_ZONE_INFORMATION; NTSYSAPI NTSTATUS NTAPI RtlQueryTimeZoneInformation( _Out_ PRTL_TIME_ZONE_INFORMATION TimeZoneInformation ); NTSYSAPI NTSTATUS NTAPI RtlSetTimeZoneInformation( _In_ PRTL_TIME_ZONE_INFORMATION TimeZoneInformation ); // Bitmaps typedef struct _RTL_BITMAP { ULONG SizeOfBitMap; PULONG Buffer; } RTL_BITMAP, *PRTL_BITMAP; NTSYSAPI VOID NTAPI RtlInitializeBitMap( _Out_ PRTL_BITMAP BitMapHeader, _In_ PULONG BitMapBuffer, _In_ ULONG SizeOfBitMap ); #if (PHNT_MODE == PHNT_MODE_KERNEL || PHNT_VERSION >= PHNT_WIN8) NTSYSAPI VOID NTAPI RtlClearBit( _In_ PRTL_BITMAP BitMapHeader, _In_range_(<, BitMapHeader->SizeOfBitMap) ULONG BitNumber ); #endif #if (PHNT_MODE == PHNT_MODE_KERNEL || PHNT_VERSION >= PHNT_WIN8) NTSYSAPI VOID NTAPI RtlSetBit( _In_ PRTL_BITMAP BitMapHeader, _In_range_(<, BitMapHeader->SizeOfBitMap) ULONG BitNumber ); #endif _Check_return_ NTSYSAPI BOOLEAN NTAPI RtlTestBit( _In_ PRTL_BITMAP BitMapHeader, _In_range_(<, BitMapHeader->SizeOfBitMap) ULONG BitNumber ); NTSYSAPI VOID NTAPI RtlClearAllBits( _In_ PRTL_BITMAP BitMapHeader ); NTSYSAPI VOID NTAPI RtlSetAllBits( _In_ PRTL_BITMAP BitMapHeader ); _Success_(return != -1) _Check_return_ NTSYSAPI ULONG NTAPI RtlFindClearBits( _In_ PRTL_BITMAP BitMapHeader, _In_ ULONG NumberToFind, _In_ ULONG HintIndex ); _Success_(return != -1) _Check_return_ NTSYSAPI ULONG NTAPI RtlFindSetBits( _In_ PRTL_BITMAP BitMapHeader, _In_ ULONG NumberToFind, _In_ ULONG HintIndex ); _Success_(return != -1) NTSYSAPI ULONG NTAPI RtlFindClearBitsAndSet( _In_ PRTL_BITMAP BitMapHeader, _In_ ULONG NumberToFind, _In_ ULONG HintIndex ); _Success_(return != -1) NTSYSAPI ULONG NTAPI RtlFindSetBitsAndClear( _In_ PRTL_BITMAP BitMapHeader, _In_ ULONG NumberToFind, _In_ ULONG HintIndex ); NTSYSAPI VOID NTAPI RtlClearBits( _In_ PRTL_BITMAP BitMapHeader, _In_range_(0, BitMapHeader->SizeOfBitMap - NumberToClear) ULONG StartingIndex, _In_range_(0, BitMapHeader->SizeOfBitMap - StartingIndex) ULONG NumberToClear ); NTSYSAPI VOID NTAPI RtlSetBits( _In_ PRTL_BITMAP BitMapHeader, _In_range_(0, BitMapHeader->SizeOfBitMap - NumberToSet) ULONG StartingIndex, _In_range_(0, BitMapHeader->SizeOfBitMap - StartingIndex) ULONG NumberToSet ); NTSYSAPI CCHAR NTAPI RtlFindMostSignificantBit( _In_ ULONGLONG Set ); NTSYSAPI CCHAR NTAPI RtlFindLeastSignificantBit( _In_ ULONGLONG Set ); typedef struct _RTL_BITMAP_RUN { ULONG StartingIndex; ULONG NumberOfBits; } RTL_BITMAP_RUN, *PRTL_BITMAP_RUN; NTSYSAPI ULONG NTAPI RtlFindClearRuns( _In_ PRTL_BITMAP BitMapHeader, _Out_writes_to_(SizeOfRunArray, return) PRTL_BITMAP_RUN RunArray, _In_range_(>, 0) ULONG SizeOfRunArray, _In_ BOOLEAN LocateLongestRuns ); NTSYSAPI ULONG NTAPI RtlFindLongestRunClear( _In_ PRTL_BITMAP BitMapHeader, _Out_ PULONG StartingIndex ); NTSYSAPI ULONG NTAPI RtlFindFirstRunClear( _In_ PRTL_BITMAP BitMapHeader, _Out_ PULONG StartingIndex ); _Check_return_ FORCEINLINE BOOLEAN RtlCheckBit( _In_ PRTL_BITMAP BitMapHeader, _In_range_(<, BitMapHeader->SizeOfBitMap) ULONG BitPosition ) { #ifdef _WIN64 return BitTest64((LONG64 const *)BitMapHeader->Buffer, (LONG64)BitPosition); #else return (((PLONG)BitMapHeader->Buffer)[BitPosition / 32] >> (BitPosition % 32)) & 0x1; #endif } NTSYSAPI ULONG NTAPI RtlNumberOfClearBits( _In_ PRTL_BITMAP BitMapHeader ); NTSYSAPI ULONG NTAPI RtlNumberOfSetBits( _In_ PRTL_BITMAP BitMapHeader ); _Check_return_ NTSYSAPI BOOLEAN NTAPI RtlAreBitsClear( _In_ PRTL_BITMAP BitMapHeader, _In_ ULONG StartingIndex, _In_ ULONG Length ); _Check_return_ NTSYSAPI BOOLEAN NTAPI RtlAreBitsSet( _In_ PRTL_BITMAP BitMapHeader, _In_ ULONG StartingIndex, _In_ ULONG Length ); NTSYSAPI ULONG NTAPI RtlFindNextForwardRunClear( _In_ PRTL_BITMAP BitMapHeader, _In_ ULONG FromIndex, _Out_ PULONG StartingRunIndex ); NTSYSAPI ULONG NTAPI RtlFindLastBackwardRunClear( _In_ PRTL_BITMAP BitMapHeader, _In_ ULONG FromIndex, _Out_ PULONG StartingRunIndex ); #if (PHNT_VERSION >= PHNT_VISTA) NTSYSAPI ULONG NTAPI RtlNumberOfSetBitsUlongPtr( _In_ ULONG_PTR Target ); #endif #if (PHNT_VERSION >= PHNT_WIN7) // rev NTSYSAPI VOID NTAPI RtlInterlockedClearBitRun( _In_ PRTL_BITMAP BitMapHeader, _In_range_(0, BitMapHeader->SizeOfBitMap - NumberToClear) ULONG StartingIndex, _In_range_(0, BitMapHeader->SizeOfBitMap - StartingIndex) ULONG NumberToClear ); // rev NTSYSAPI VOID NTAPI RtlInterlockedSetBitRun( _In_ PRTL_BITMAP BitMapHeader, _In_range_(0, BitMapHeader->SizeOfBitMap - NumberToSet) ULONG StartingIndex, _In_range_(0, BitMapHeader->SizeOfBitMap - StartingIndex) ULONG NumberToSet ); #endif #if (PHNT_VERSION >= PHNT_WIN8) NTSYSAPI VOID NTAPI RtlCopyBitMap( _In_ PRTL_BITMAP Source, _In_ PRTL_BITMAP Destination, _In_range_(0, Destination->SizeOfBitMap - 1) ULONG TargetBit ); NTSYSAPI VOID NTAPI RtlExtractBitMap( _In_ PRTL_BITMAP Source, _In_ PRTL_BITMAP Destination, _In_range_(0, Source->SizeOfBitMap - 1) ULONG TargetBit, _In_range_(0, Source->SizeOfBitMap) ULONG NumberOfBits ); NTSYSAPI ULONG NTAPI RtlNumberOfClearBitsInRange( _In_ PRTL_BITMAP BitMapHeader, _In_ ULONG StartingIndex, _In_ ULONG Length ); NTSYSAPI ULONG NTAPI RtlNumberOfSetBitsInRange( _In_ PRTL_BITMAP BitMapHeader, _In_ ULONG StartingIndex, _In_ ULONG Length ); #endif #if (PHNT_VERSION >= PHNT_THRESHOLD) // private typedef struct _RTL_BITMAP_EX { ULONG64 SizeOfBitMap; PULONG64 Buffer; } RTL_BITMAP_EX, *PRTL_BITMAP_EX; // rev NTSYSAPI VOID NTAPI RtlInitializeBitMapEx( _Out_ PRTL_BITMAP_EX BitMapHeader, _In_ PULONG64 BitMapBuffer, _In_ ULONG64 SizeOfBitMap ); // rev _Check_return_ NTSYSAPI BOOLEAN NTAPI RtlTestBitEx( _In_ PRTL_BITMAP_EX BitMapHeader, _In_range_(<, BitMapHeader->SizeOfBitMap) ULONG64 BitNumber ); #if (PHNT_MODE == PHNT_MODE_KERNEL) // rev NTSYSAPI VOID NTAPI RtlClearAllBitsEx( _In_ PRTL_BITMAP_EX BitMapHeader ); // rev NTSYSAPI VOID NTAPI RtlClearBitEx( _In_ PRTL_BITMAP_EX BitMapHeader, _In_range_(<, BitMapHeader->SizeOfBitMap) ULONG64 BitNumber ); // rev NTSYSAPI VOID NTAPI RtlSetBitEx( _In_ PRTL_BITMAP_EX BitMapHeader, _In_range_(<, BitMapHeader->SizeOfBitMap) ULONG64 BitNumber ); // rev NTSYSAPI ULONG64 NTAPI RtlFindSetBitsEx( _In_ PRTL_BITMAP_EX BitMapHeader, _In_ ULONG64 NumberToFind, _In_ ULONG64 HintIndex ); NTSYSAPI ULONG64 NTAPI RtlFindSetBitsAndClearEx( _In_ PRTL_BITMAP_EX BitMapHeader, _In_ ULONG64 NumberToFind, _In_ ULONG64 HintIndex ); #endif #endif // Handle tables typedef struct _RTL_HANDLE_TABLE_ENTRY { union { ULONG Flags; // allocated entries have the low bit set struct _RTL_HANDLE_TABLE_ENTRY *NextFree; }; } RTL_HANDLE_TABLE_ENTRY, *PRTL_HANDLE_TABLE_ENTRY; #define RTL_HANDLE_ALLOCATED (USHORT)0x0001 typedef struct _RTL_HANDLE_TABLE { ULONG MaximumNumberOfHandles; ULONG SizeOfHandleTableEntry; ULONG Reserved[2]; PRTL_HANDLE_TABLE_ENTRY FreeHandles; PRTL_HANDLE_TABLE_ENTRY CommittedHandles; PRTL_HANDLE_TABLE_ENTRY UnCommittedHandles; PRTL_HANDLE_TABLE_ENTRY MaxReservedHandles; } RTL_HANDLE_TABLE, *PRTL_HANDLE_TABLE; NTSYSAPI VOID NTAPI RtlInitializeHandleTable( _In_ ULONG MaximumNumberOfHandles, _In_ ULONG SizeOfHandleTableEntry, _Out_ PRTL_HANDLE_TABLE HandleTable ); NTSYSAPI NTSTATUS NTAPI RtlDestroyHandleTable( _Inout_ PRTL_HANDLE_TABLE HandleTable ); NTSYSAPI PRTL_HANDLE_TABLE_ENTRY NTAPI RtlAllocateHandle( _In_ PRTL_HANDLE_TABLE HandleTable, _Out_opt_ PULONG HandleIndex ); NTSYSAPI BOOLEAN NTAPI RtlFreeHandle( _In_ PRTL_HANDLE_TABLE HandleTable, _In_ PRTL_HANDLE_TABLE_ENTRY Handle ); NTSYSAPI BOOLEAN NTAPI RtlIsValidHandle( _In_ PRTL_HANDLE_TABLE HandleTable, _In_ PRTL_HANDLE_TABLE_ENTRY Handle ); NTSYSAPI BOOLEAN NTAPI RtlIsValidIndexHandle( _In_ PRTL_HANDLE_TABLE HandleTable, _In_ ULONG HandleIndex, _Out_ PRTL_HANDLE_TABLE_ENTRY *Handle ); // Atom tables #define RTL_ATOM_MAXIMUM_INTEGER_ATOM (RTL_ATOM)0xc000 #define RTL_ATOM_INVALID_ATOM (RTL_ATOM)0x0000 #define RTL_ATOM_TABLE_DEFAULT_NUMBER_OF_BUCKETS 37 #define RTL_ATOM_MAXIMUM_NAME_LENGTH 255 #define RTL_ATOM_PINNED 0x01 NTSYSAPI NTSTATUS NTAPI RtlCreateAtomTable( _In_ ULONG NumberOfBuckets, _Out_ PVOID *AtomTableHandle ); NTSYSAPI NTSTATUS NTAPI RtlDestroyAtomTable( _In_ _Post_invalid_ PVOID AtomTableHandle ); NTSYSAPI NTSTATUS NTAPI RtlEmptyAtomTable( _In_ PVOID AtomTableHandle, _In_ BOOLEAN IncludePinnedAtoms ); NTSYSAPI NTSTATUS NTAPI RtlAddAtomToAtomTable( _In_ PVOID AtomTableHandle, _In_ PWSTR AtomName, _Inout_opt_ PRTL_ATOM Atom ); NTSYSAPI NTSTATUS NTAPI RtlLookupAtomInAtomTable( _In_ PVOID AtomTableHandle, _In_ PWSTR AtomName, _Out_opt_ PRTL_ATOM Atom ); NTSYSAPI NTSTATUS NTAPI RtlDeleteAtomFromAtomTable( _In_ PVOID AtomTableHandle, _In_ RTL_ATOM Atom ); NTSYSAPI NTSTATUS NTAPI RtlPinAtomInAtomTable( _In_ PVOID AtomTableHandle, _In_ RTL_ATOM Atom ); NTSYSAPI NTSTATUS NTAPI RtlQueryAtomInAtomTable( _In_ PVOID AtomTableHandle, _In_ RTL_ATOM Atom, _Out_opt_ PULONG AtomUsage, _Out_opt_ PULONG AtomFlags, _Inout_updates_bytes_to_opt_(*AtomNameLength, *AtomNameLength) PWSTR AtomName, _Inout_opt_ PULONG AtomNameLength ); #if (PHNT_VERSION >= PHNT_VISTA) // rev NTSYSAPI BOOLEAN NTAPI RtlGetIntegerAtom( _In_ PWSTR AtomName, _Out_opt_ PUSHORT IntegerAtom ); #endif // SIDs _Check_return_ NTSYSAPI BOOLEAN NTAPI RtlValidSid( _In_ PSID Sid ); _Check_return_ NTSYSAPI BOOLEAN NTAPI RtlEqualSid( _In_ PSID Sid1, _In_ PSID Sid2 ); _Check_return_ NTSYSAPI BOOLEAN NTAPI RtlEqualPrefixSid( _In_ PSID Sid1, _In_ PSID Sid2 ); NTSYSAPI ULONG NTAPI RtlLengthRequiredSid( _In_ ULONG SubAuthorityCount ); NTSYSAPI PVOID NTAPI RtlFreeSid( _In_ _Post_invalid_ PSID Sid ); _Check_return_ NTSYSAPI NTSTATUS NTAPI RtlAllocateAndInitializeSid( _In_ PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, _In_ UCHAR SubAuthorityCount, _In_ ULONG SubAuthority0, _In_ ULONG SubAuthority1, _In_ ULONG SubAuthority2, _In_ ULONG SubAuthority3, _In_ ULONG SubAuthority4, _In_ ULONG SubAuthority5, _In_ ULONG SubAuthority6, _In_ ULONG SubAuthority7, _Outptr_ PSID *Sid ); NTSYSAPI NTSTATUS NTAPI RtlInitializeSid( _Out_ PSID Sid, _In_ PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, _In_ UCHAR SubAuthorityCount ); #if (PHNT_VERSION >= PHNT_THRESHOLD) NTSYSAPI NTSTATUS NTAPI RtlInitializeSidEx( _Out_writes_bytes_(SECURITY_SID_SIZE(SubAuthorityCount)) PSID Sid, _In_ PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, _In_ UCHAR SubAuthorityCount, ... ); #endif NTSYSAPI PSID_IDENTIFIER_AUTHORITY NTAPI RtlIdentifierAuthoritySid( _In_ PSID Sid ); NTSYSAPI PULONG NTAPI RtlSubAuthoritySid( _In_ PSID Sid, _In_ ULONG SubAuthority ); NTSYSAPI PUCHAR NTAPI RtlSubAuthorityCountSid( _In_ PSID Sid ); NTSYSAPI ULONG NTAPI RtlLengthSid( _In_ PSID Sid ); NTSYSAPI NTSTATUS NTAPI RtlCopySid( _In_ ULONG DestinationSidLength, _In_reads_bytes_(DestinationSidLength) PSID DestinationSid, _In_ PSID SourceSid ); // ros NTSYSAPI NTSTATUS NTAPI RtlCopySidAndAttributesArray( _In_ ULONG Count, _In_ PSID_AND_ATTRIBUTES Src, _In_ ULONG SidAreaSize, _In_ PSID_AND_ATTRIBUTES Dest, _In_ PSID SidArea, _Out_ PSID *RemainingSidArea, _Out_ PULONG RemainingSidAreaSize ); #if (PHNT_VERSION >= PHNT_VISTA) NTSYSAPI NTSTATUS NTAPI RtlCreateServiceSid( _In_ PUNICODE_STRING ServiceName, _Out_writes_bytes_opt_(*ServiceSidLength) PSID ServiceSid, _Inout_ PULONG ServiceSidLength ); #endif #if (PHNT_VERSION >= PHNT_VISTA) // private NTSYSAPI NTSTATUS NTAPI RtlSidDominates( _In_ PSID Sid1, _In_ PSID Sid2, _Out_ PBOOLEAN Dominates ); #endif #if (PHNT_VERSION >= PHNT_WINBLUE) // rev NTSYSAPI NTSTATUS NTAPI RtlSidDominatesForTrust( _In_ PSID Sid1, _In_ PSID Sid2, _Out_ PBOOLEAN DominatesTrust // TokenProcessTrustLevel ); #endif #if (PHNT_VERSION >= PHNT_VISTA) // private NTSYSAPI NTSTATUS NTAPI RtlSidEqualLevel( _In_ PSID Sid1, _In_ PSID Sid2, _Out_ PBOOLEAN EqualLevel ); // private NTSYSAPI NTSTATUS NTAPI RtlSidIsHigherLevel( _In_ PSID Sid1, _In_ PSID Sid2, _Out_ PBOOLEAN HigherLevel ); #endif #if (PHNT_VERSION >= PHNT_WIN7) NTSYSAPI NTSTATUS NTAPI RtlCreateVirtualAccountSid( _In_ PUNICODE_STRING Name, _In_ ULONG BaseSubAuthority, _Out_writes_bytes_(*SidLength) PSID Sid, _Inout_ PULONG SidLength ); #endif #if (PHNT_VERSION >= PHNT_WIN7) NTSYSAPI NTSTATUS NTAPI RtlReplaceSidInSd( _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ PSID OldSid, _In_ PSID NewSid, _Out_ ULONG *NumChanges ); #endif #define MAX_UNICODE_STACK_BUFFER_LENGTH 256 NTSYSAPI NTSTATUS NTAPI RtlLengthSidAsUnicodeString( _In_ PSID Sid, _Out_ PULONG StringLength ); NTSYSAPI NTSTATUS NTAPI RtlConvertSidToUnicodeString( _Inout_ PUNICODE_STRING UnicodeString, _In_ PSID Sid, _In_ BOOLEAN AllocateDestinationString ); #if (PHNT_VERSION >= PHNT_VISTA) // private NTSYSAPI NTSTATUS NTAPI RtlSidHashInitialize( _In_reads_(SidCount) PSID_AND_ATTRIBUTES SidAttr, _In_ ULONG SidCount, _Out_ PSID_AND_ATTRIBUTES_HASH SidAttrHash ); #endif #if (PHNT_VERSION >= PHNT_VISTA) // private NTSYSAPI PSID_AND_ATTRIBUTES NTAPI RtlSidHashLookup( _In_ PSID_AND_ATTRIBUTES_HASH SidAttrHash, _In_ PSID Sid ); #endif #if (PHNT_VERSION >= PHNT_VISTA) // rev NTSYSAPI BOOLEAN NTAPI RtlIsElevatedRid( _In_ PSID_AND_ATTRIBUTES SidAttr ); #endif #if (PHNT_VERSION >= PHNT_REDSTONE2) // rev NTSYSAPI NTSTATUS NTAPI RtlDeriveCapabilitySidsFromName( _Inout_ PUNICODE_STRING UnicodeString, _Out_ PSID CapabilityGroupSid, _Out_ PSID CapabilitySid ); #endif // Security Descriptors NTSYSAPI NTSTATUS NTAPI RtlCreateSecurityDescriptor( _Out_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ULONG Revision ); _Check_return_ NTSYSAPI BOOLEAN NTAPI RtlValidSecurityDescriptor( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor ); NTSYSAPI ULONG NTAPI RtlLengthSecurityDescriptor( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor ); _Check_return_ NTSYSAPI BOOLEAN NTAPI RtlValidRelativeSecurityDescriptor( _In_reads_bytes_(SecurityDescriptorLength) PSECURITY_DESCRIPTOR SecurityDescriptorInput, _In_ ULONG SecurityDescriptorLength, _In_ SECURITY_INFORMATION RequiredInformation ); NTSYSAPI NTSTATUS NTAPI RtlGetControlSecurityDescriptor( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ PSECURITY_DESCRIPTOR_CONTROL Control, _Out_ PULONG Revision ); NTSYSAPI NTSTATUS NTAPI RtlSetControlSecurityDescriptor( _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ SECURITY_DESCRIPTOR_CONTROL ControlBitsOfInterest, _In_ SECURITY_DESCRIPTOR_CONTROL ControlBitsToSet ); NTSYSAPI NTSTATUS NTAPI RtlSetAttributesSecurityDescriptor( _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ SECURITY_DESCRIPTOR_CONTROL Control, _Out_ PULONG Revision ); NTSYSAPI BOOLEAN NTAPI RtlGetSecurityDescriptorRMControl( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ PUCHAR RMControl ); NTSYSAPI VOID NTAPI RtlSetSecurityDescriptorRMControl( _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PUCHAR RMControl ); NTSYSAPI NTSTATUS NTAPI RtlSetDaclSecurityDescriptor( _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ BOOLEAN DaclPresent, _In_opt_ PACL Dacl, _In_opt_ BOOLEAN DaclDefaulted ); NTSYSAPI NTSTATUS NTAPI RtlGetDaclSecurityDescriptor( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ PBOOLEAN DaclPresent, _Out_ PACL *Dacl, _Out_ PBOOLEAN DaclDefaulted ); NTSYSAPI NTSTATUS NTAPI RtlSetSaclSecurityDescriptor( _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ BOOLEAN SaclPresent, _In_opt_ PACL Sacl, _In_opt_ BOOLEAN SaclDefaulted ); NTSYSAPI NTSTATUS NTAPI RtlGetSaclSecurityDescriptor( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ PBOOLEAN SaclPresent, _Out_ PACL *Sacl, _Out_ PBOOLEAN SaclDefaulted ); NTSYSAPI NTSTATUS NTAPI RtlGetSaclSecurityDescriptor( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ PBOOLEAN SaclPresent, _Out_ PACL *Sacl, _Out_ PBOOLEAN SaclDefaulted ); NTSYSAPI NTSTATUS NTAPI RtlSetOwnerSecurityDescriptor( _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID Owner, _In_opt_ BOOLEAN OwnerDefaulted ); NTSYSAPI NTSTATUS NTAPI RtlGetOwnerSecurityDescriptor( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ PSID *Owner, _Out_ PBOOLEAN OwnerDefaulted ); NTSYSAPI NTSTATUS NTAPI RtlSetGroupSecurityDescriptor( _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_opt_ PSID Group, _In_opt_ BOOLEAN GroupDefaulted ); NTSYSAPI NTSTATUS NTAPI RtlGetGroupSecurityDescriptor( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _Out_ PSID *Group, _Out_ PBOOLEAN GroupDefaulted ); NTSYSAPI NTSTATUS NTAPI RtlMakeSelfRelativeSD( _In_ PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor, _Out_writes_bytes_(*BufferLength) PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor, _Inout_ PULONG BufferLength ); NTSYSAPI NTSTATUS NTAPI RtlAbsoluteToSelfRelativeSD( _In_ PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor, _Out_writes_bytes_to_opt_(*BufferLength, *BufferLength) PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor, _Inout_ PULONG BufferLength ); NTSYSAPI NTSTATUS NTAPI RtlSelfRelativeToAbsoluteSD( _In_ PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor, _Out_writes_bytes_to_opt_(*AbsoluteSecurityDescriptorSize, *AbsoluteSecurityDescriptorSize) PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor, _Inout_ PULONG AbsoluteSecurityDescriptorSize, _Out_writes_bytes_to_opt_(*DaclSize, *DaclSize) PACL Dacl, _Inout_ PULONG DaclSize, _Out_writes_bytes_to_opt_(*SaclSize, *SaclSize) PACL Sacl, _Inout_ PULONG SaclSize, _Out_writes_bytes_to_opt_(*OwnerSize, *OwnerSize) PSID Owner, _Inout_ PULONG OwnerSize, _Out_writes_bytes_to_opt_(*PrimaryGroupSize, *PrimaryGroupSize) PSID PrimaryGroup, _Inout_ PULONG PrimaryGroupSize ); // private NTSYSAPI NTSTATUS NTAPI RtlSelfRelativeToAbsoluteSD2( _Inout_ PSECURITY_DESCRIPTOR pSelfRelativeSecurityDescriptor, _Inout_ PULONG pBufferSize ); // Access masks NTSYSAPI BOOLEAN NTAPI RtlAreAllAccessesGranted( _In_ ACCESS_MASK GrantedAccess, _In_ ACCESS_MASK DesiredAccess ); NTSYSAPI BOOLEAN NTAPI RtlAreAnyAccessesGranted( _In_ ACCESS_MASK GrantedAccess, _In_ ACCESS_MASK DesiredAccess ); NTSYSAPI VOID NTAPI RtlMapGenericMask( _Inout_ PACCESS_MASK AccessMask, _In_ PGENERIC_MAPPING GenericMapping ); // ACLs NTSYSAPI NTSTATUS NTAPI RtlCreateAcl( _Out_writes_bytes_(AclLength) PACL Acl, _In_ ULONG AclLength, _In_ ULONG AclRevision ); NTSYSAPI BOOLEAN NTAPI RtlValidAcl( _In_ PACL Acl ); NTSYSAPI NTSTATUS NTAPI RtlQueryInformationAcl( _In_ PACL Acl, _Out_writes_bytes_(AclInformationLength) PVOID AclInformation, _In_ ULONG AclInformationLength, _In_ ACL_INFORMATION_CLASS AclInformationClass ); NTSYSAPI NTSTATUS NTAPI RtlSetInformationAcl( _Inout_ PACL Acl, _In_reads_bytes_(AclInformationLength) PVOID AclInformation, _In_ ULONG AclInformationLength, _In_ ACL_INFORMATION_CLASS AclInformationClass ); NTSYSAPI NTSTATUS NTAPI RtlAddAce( _Inout_ PACL Acl, _In_ ULONG AceRevision, _In_ ULONG StartingAceIndex, _In_reads_bytes_(AceListLength) PVOID AceList, _In_ ULONG AceListLength ); NTSYSAPI NTSTATUS NTAPI RtlDeleteAce( _Inout_ PACL Acl, _In_ ULONG AceIndex ); NTSYSAPI NTSTATUS NTAPI RtlGetAce( _In_ PACL Acl, _In_ ULONG AceIndex, _Outptr_ PVOID *Ace ); NTSYSAPI BOOLEAN NTAPI RtlFirstFreeAce( _In_ PACL Acl, _Out_ PVOID *FirstFree ); #if (PHNT_VERSION >= PHNT_VISTA) // private NTSYSAPI PVOID NTAPI RtlFindAceByType( _In_ PACL pAcl, _In_ UCHAR AceType, _Out_opt_ PULONG pIndex ); #endif #if (PHNT_VERSION >= PHNT_VISTA) // private NTSYSAPI BOOLEAN NTAPI RtlOwnerAcesPresent( _In_ PACL pAcl ); #endif NTSYSAPI NTSTATUS NTAPI RtlAddAccessAllowedAce( _Inout_ PACL Acl, _In_ ULONG AceRevision, _In_ ACCESS_MASK AccessMask, _In_ PSID Sid ); NTSYSAPI NTSTATUS NTAPI RtlAddAccessAllowedAceEx( _Inout_ PACL Acl, _In_ ULONG AceRevision, _In_ ULONG AceFlags, _In_ ACCESS_MASK AccessMask, _In_ PSID Sid ); NTSYSAPI NTSTATUS NTAPI RtlAddAccessDeniedAce( _Inout_ PACL Acl, _In_ ULONG AceRevision, _In_ ACCESS_MASK AccessMask, _In_ PSID Sid ); NTSYSAPI NTSTATUS NTAPI RtlAddAccessDeniedAceEx( _Inout_ PACL Acl, _In_ ULONG AceRevision, _In_ ULONG AceFlags, _In_ ACCESS_MASK AccessMask, _In_ PSID Sid ); NTSYSAPI NTSTATUS NTAPI RtlAddAuditAccessAce( _Inout_ PACL Acl, _In_ ULONG AceRevision, _In_ ACCESS_MASK AccessMask, _In_ PSID Sid, _In_ BOOLEAN AuditSuccess, _In_ BOOLEAN AuditFailure ); NTSYSAPI NTSTATUS NTAPI RtlAddAuditAccessAceEx( _Inout_ PACL Acl, _In_ ULONG AceRevision, _In_ ULONG AceFlags, _In_ ACCESS_MASK AccessMask, _In_ PSID Sid, _In_ BOOLEAN AuditSuccess, _In_ BOOLEAN AuditFailure ); NTSYSAPI NTSTATUS NTAPI RtlAddAccessAllowedObjectAce( _Inout_ PACL Acl, _In_ ULONG AceRevision, _In_ ULONG AceFlags, _In_ ACCESS_MASK AccessMask, _In_opt_ PGUID ObjectTypeGuid, _In_opt_ PGUID InheritedObjectTypeGuid, _In_ PSID Sid ); NTSYSAPI NTSTATUS NTAPI RtlAddAccessDeniedObjectAce( _Inout_ PACL Acl, _In_ ULONG AceRevision, _In_ ULONG AceFlags, _In_ ACCESS_MASK AccessMask, _In_opt_ PGUID ObjectTypeGuid, _In_opt_ PGUID InheritedObjectTypeGuid, _In_ PSID Sid ); NTSYSAPI NTSTATUS NTAPI RtlAddAuditAccessObjectAce( _Inout_ PACL Acl, _In_ ULONG AceRevision, _In_ ULONG AceFlags, _In_ ACCESS_MASK AccessMask, _In_opt_ PGUID ObjectTypeGuid, _In_opt_ PGUID InheritedObjectTypeGuid, _In_ PSID Sid, _In_ BOOLEAN AuditSuccess, _In_ BOOLEAN AuditFailure ); NTSYSAPI NTSTATUS NTAPI RtlAddCompoundAce( _Inout_ PACL Acl, _In_ ULONG AceRevision, _In_ UCHAR AceType, _In_ ACCESS_MASK AccessMask, _In_ PSID ServerSid, _In_ PSID ClientSid ); #if (PHNT_VERSION >= PHNT_VISTA) // private NTSYSAPI NTSTATUS NTAPI RtlAddMandatoryAce( _Inout_ PACL Acl, _In_ ULONG AceRevision, _In_ ULONG AceFlags, _In_ PSID Sid, _In_ UCHAR AceType, _In_ ACCESS_MASK AccessMask ); #endif // Named pipes NTSYSAPI NTSTATUS NTAPI RtlDefaultNpAcl( _Out_ PACL *Acl ); // Security objects NTSYSAPI NTSTATUS NTAPI RtlNewSecurityObject( _In_opt_ PSECURITY_DESCRIPTOR ParentDescriptor, _In_opt_ PSECURITY_DESCRIPTOR CreatorDescriptor, _Out_ PSECURITY_DESCRIPTOR *NewDescriptor, _In_ BOOLEAN IsDirectoryObject, _In_opt_ HANDLE Token, _In_ PGENERIC_MAPPING GenericMapping ); NTSYSAPI NTSTATUS NTAPI RtlNewSecurityObjectEx( _In_opt_ PSECURITY_DESCRIPTOR ParentDescriptor, _In_opt_ PSECURITY_DESCRIPTOR CreatorDescriptor, _Out_ PSECURITY_DESCRIPTOR *NewDescriptor, _In_opt_ GUID *ObjectType, _In_ BOOLEAN IsDirectoryObject, _In_ ULONG AutoInheritFlags, // SEF_* _In_opt_ HANDLE Token, _In_ PGENERIC_MAPPING GenericMapping ); NTSYSAPI NTSTATUS NTAPI RtlNewSecurityObjectWithMultipleInheritance( _In_opt_ PSECURITY_DESCRIPTOR ParentDescriptor, _In_opt_ PSECURITY_DESCRIPTOR CreatorDescriptor, _Out_ PSECURITY_DESCRIPTOR *NewDescriptor, _In_opt_ GUID **ObjectType, _In_ ULONG GuidCount, _In_ BOOLEAN IsDirectoryObject, _In_ ULONG AutoInheritFlags, // SEF_* _In_opt_ HANDLE Token, _In_ PGENERIC_MAPPING GenericMapping ); NTSYSAPI NTSTATUS NTAPI RtlDeleteSecurityObject( _Inout_ PSECURITY_DESCRIPTOR *ObjectDescriptor ); NTSYSAPI NTSTATUS NTAPI RtlQuerySecurityObject( _In_ PSECURITY_DESCRIPTOR ObjectDescriptor, _In_ SECURITY_INFORMATION SecurityInformation, _Out_opt_ PSECURITY_DESCRIPTOR ResultantDescriptor, _In_ ULONG DescriptorLength, _Out_ PULONG ReturnLength ); NTSYSAPI NTSTATUS NTAPI RtlSetSecurityObject( _In_ SECURITY_INFORMATION SecurityInformation, _In_ PSECURITY_DESCRIPTOR ModificationDescriptor, _Inout_ PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor, _In_ PGENERIC_MAPPING GenericMapping, _In_opt_ HANDLE Token ); NTSYSAPI NTSTATUS NTAPI RtlSetSecurityObjectEx( _In_ SECURITY_INFORMATION SecurityInformation, _In_ PSECURITY_DESCRIPTOR ModificationDescriptor, _Inout_ PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor, _In_ ULONG AutoInheritFlags, // SEF_* _In_ PGENERIC_MAPPING GenericMapping, _In_opt_ HANDLE Token ); NTSYSAPI NTSTATUS NTAPI RtlConvertToAutoInheritSecurityObject( _In_opt_ PSECURITY_DESCRIPTOR ParentDescriptor, _In_ PSECURITY_DESCRIPTOR CurrentSecurityDescriptor, _Out_ PSECURITY_DESCRIPTOR *NewSecurityDescriptor, _In_opt_ GUID *ObjectType, _In_ BOOLEAN IsDirectoryObject, _In_ PGENERIC_MAPPING GenericMapping ); NTSYSAPI NTSTATUS NTAPI RtlNewInstanceSecurityObject( _In_ BOOLEAN ParentDescriptorChanged, _In_ BOOLEAN CreatorDescriptorChanged, _In_ PLUID OldClientTokenModifiedId, _Out_ PLUID NewClientTokenModifiedId, _In_opt_ PSECURITY_DESCRIPTOR ParentDescriptor, _In_opt_ PSECURITY_DESCRIPTOR CreatorDescriptor, _Out_ PSECURITY_DESCRIPTOR *NewDescriptor, _In_ BOOLEAN IsDirectoryObject, _In_ HANDLE Token, _In_ PGENERIC_MAPPING GenericMapping ); NTSYSAPI NTSTATUS NTAPI RtlCopySecurityDescriptor( _In_ PSECURITY_DESCRIPTOR InputSecurityDescriptor, _Out_ PSECURITY_DESCRIPTOR *OutputSecurityDescriptor ); // Misc. security NTSYSAPI VOID NTAPI RtlRunEncodeUnicodeString( _Inout_ PUCHAR Seed, _In_ PUNICODE_STRING String ); NTSYSAPI VOID NTAPI RtlRunDecodeUnicodeString( _In_ UCHAR Seed, _In_ PUNICODE_STRING String ); NTSYSAPI NTSTATUS NTAPI RtlImpersonateSelf( _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel ); #if (PHNT_VERSION >= PHNT_VISTA) // private NTSYSAPI NTSTATUS NTAPI RtlImpersonateSelfEx( _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, _In_opt_ ACCESS_MASK AdditionalAccess, _Out_opt_ PHANDLE ThreadToken ); #endif NTSYSAPI NTSTATUS NTAPI RtlAdjustPrivilege( _In_ ULONG Privilege, _In_ BOOLEAN Enable, _In_ BOOLEAN Client, _Out_ PBOOLEAN WasEnabled ); #define RTL_ACQUIRE_PRIVILEGE_REVERT 0x00000001 #define RTL_ACQUIRE_PRIVILEGE_PROCESS 0x00000002 NTSYSAPI NTSTATUS NTAPI RtlAcquirePrivilege( _In_ PULONG Privilege, _In_ ULONG NumPriv, _In_ ULONG Flags, _Out_ PVOID *ReturnedState ); NTSYSAPI VOID NTAPI RtlReleasePrivilege( _In_ PVOID StatePointer ); #if (PHNT_VERSION >= PHNT_VISTA) // private NTSYSAPI NTSTATUS NTAPI RtlRemovePrivileges( _In_ HANDLE TokenHandle, _In_ PULONG PrivilegesToKeep, _In_ ULONG PrivilegeCount ); #endif #if (PHNT_VERSION >= PHNT_WIN8) // rev NTSYSAPI NTSTATUS NTAPI RtlIsUntrustedObject( _In_opt_ HANDLE Handle, _In_opt_ PVOID Object, _Out_ PBOOLEAN IsUntrustedObject ); NTSYSAPI ULONG NTAPI RtlQueryValidationRunlevel( _In_opt_ PUNICODE_STRING ComponentName ); #endif // Private namespaces #if (PHNT_VERSION >= PHNT_VISTA) // begin_private NTSYSAPI PVOID NTAPI RtlCreateBoundaryDescriptor( _In_ PUNICODE_STRING Name, _In_ ULONG Flags ); NTSYSAPI VOID NTAPI RtlDeleteBoundaryDescriptor( _In_ PVOID BoundaryDescriptor ); NTSYSAPI NTSTATUS NTAPI RtlAddSIDToBoundaryDescriptor( _Inout_ PVOID *BoundaryDescriptor, _In_ PSID RequiredSid ); #if (PHNT_VERSION >= PHNT_WIN7) // rev NTSYSAPI NTSTATUS NTAPI RtlAddIntegrityLabelToBoundaryDescriptor( _Inout_ PVOID *BoundaryDescriptor, _In_ PSID IntegrityLabel ); #endif // end_private #endif // Version NTSYSAPI NTSTATUS NTAPI RtlGetVersion( _Out_ PRTL_OSVERSIONINFOEXW VersionInformation // PRTL_OSVERSIONINFOW ); NTSYSAPI NTSTATUS NTAPI RtlVerifyVersionInfo( _In_ PRTL_OSVERSIONINFOEXW VersionInformation, // PRTL_OSVERSIONINFOW _In_ ULONG TypeMask, _In_ ULONGLONG ConditionMask ); // rev NTSYSAPI VOID NTAPI RtlGetNtVersionNumbers( _Out_opt_ PULONG NtMajorVersion, _Out_opt_ PULONG NtMinorVersion, _Out_opt_ PULONG NtBuildNumber ); // System information // rev NTSYSAPI ULONG NTAPI RtlGetNtGlobalFlags( VOID ); #if (PHNT_VERSION >= PHNT_REDSTONE) // rev NTSYSAPI BOOLEAN NTAPI RtlGetNtProductType( _Out_ PNT_PRODUCT_TYPE NtProductType ); #endif #if (PHNT_VERSION >= PHNT_REDSTONE2) // private NTSYSAPI ULONG NTAPI RtlGetSuiteMask( VOID ); #endif // Thread pool (old) NTSYSAPI NTSTATUS NTAPI RtlRegisterWait( _Out_ PHANDLE WaitHandle, _In_ HANDLE Handle, _In_ WAITORTIMERCALLBACKFUNC Function, _In_ PVOID Context, _In_ ULONG Milliseconds, _In_ ULONG Flags ); NTSYSAPI NTSTATUS NTAPI RtlDeregisterWait( _In_ HANDLE WaitHandle ); NTSYSAPI NTSTATUS NTAPI RtlDeregisterWaitEx( _In_ HANDLE WaitHandle, _In_ HANDLE Event ); NTSYSAPI NTSTATUS NTAPI RtlQueueWorkItem( _In_ WORKERCALLBACKFUNC Function, _In_ PVOID Context, _In_ ULONG Flags ); NTSYSAPI NTSTATUS NTAPI RtlSetIoCompletionCallback( _In_ HANDLE FileHandle, _In_ APC_CALLBACK_FUNCTION CompletionProc, _In_ ULONG Flags ); typedef NTSTATUS (NTAPI *PRTL_START_POOL_THREAD)( _In_ PTHREAD_START_ROUTINE Function, _In_ PVOID Parameter, _Out_ PHANDLE ThreadHandle ); typedef NTSTATUS (NTAPI *PRTL_EXIT_POOL_THREAD)( _In_ NTSTATUS ExitStatus ); NTSYSAPI NTSTATUS NTAPI RtlSetThreadPoolStartFunc( _In_ PRTL_START_POOL_THREAD StartPoolThread, _In_ PRTL_EXIT_POOL_THREAD ExitPoolThread ); NTSYSAPI VOID NTAPI RtlUserThreadStart( _In_ PTHREAD_START_ROUTINE Function, _In_ PVOID Parameter ); NTSYSAPI VOID NTAPI LdrInitializeThunk( _In_ PCONTEXT ContextRecord, _In_ PVOID Parameter ); // Timer support NTSYSAPI NTSTATUS NTAPI RtlCreateTimerQueue( _Out_ PHANDLE TimerQueueHandle ); NTSYSAPI NTSTATUS NTAPI RtlCreateTimer( _In_ HANDLE TimerQueueHandle, _Out_ PHANDLE Handle, _In_ WAITORTIMERCALLBACKFUNC Function, _In_opt_ PVOID Context, _In_ ULONG DueTime, _In_ ULONG Period, _In_ ULONG Flags ); NTSYSAPI NTSTATUS NTAPI RtlUpdateTimer( _In_ HANDLE TimerQueueHandle, _In_ HANDLE TimerHandle, _In_ ULONG DueTime, _In_ ULONG Period ); NTSYSAPI NTSTATUS NTAPI RtlDeleteTimer( _In_ HANDLE TimerQueueHandle, _In_ HANDLE TimerToCancel, _In_opt_ HANDLE Event ); NTSYSAPI NTSTATUS NTAPI RtlDeleteTimerQueue( _In_ HANDLE TimerQueueHandle ); NTSYSAPI NTSTATUS NTAPI RtlDeleteTimerQueueEx( _In_ HANDLE TimerQueueHandle, _In_ HANDLE Event ); // Registry access NTSYSAPI NTSTATUS NTAPI RtlFormatCurrentUserKeyPath( _Out_ PUNICODE_STRING CurrentUserKeyPath ); NTSYSAPI NTSTATUS NTAPI RtlOpenCurrentUser( _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE CurrentUserKey ); #define RTL_REGISTRY_ABSOLUTE 0 #define RTL_REGISTRY_SERVICES 1 // \Registry\Machine\System\CurrentControlSet\Services #define RTL_REGISTRY_CONTROL 2 // \Registry\Machine\System\CurrentControlSet\Control #define RTL_REGISTRY_WINDOWS_NT 3 // \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion #define RTL_REGISTRY_DEVICEMAP 4 // \Registry\Machine\Hardware\DeviceMap #define RTL_REGISTRY_USER 5 // \Registry\User\CurrentUser #define RTL_REGISTRY_MAXIMUM 6 #define RTL_REGISTRY_HANDLE 0x40000000 #define RTL_REGISTRY_OPTIONAL 0x80000000 NTSYSAPI NTSTATUS NTAPI RtlCreateRegistryKey( _In_ ULONG RelativeTo, _In_ PWSTR Path ); NTSYSAPI NTSTATUS NTAPI RtlCheckRegistryKey( _In_ ULONG RelativeTo, _In_ PWSTR Path ); typedef NTSTATUS (NTAPI *PRTL_QUERY_REGISTRY_ROUTINE)( _In_ PWSTR ValueName, _In_ ULONG ValueType, _In_ PVOID ValueData, _In_ ULONG ValueLength, _In_ PVOID Context, _In_ PVOID EntryContext ); typedef struct _RTL_QUERY_REGISTRY_TABLE { PRTL_QUERY_REGISTRY_ROUTINE QueryRoutine; ULONG Flags; PWSTR Name; PVOID EntryContext; ULONG DefaultType; PVOID DefaultData; ULONG DefaultLength; } RTL_QUERY_REGISTRY_TABLE, *PRTL_QUERY_REGISTRY_TABLE; #define RTL_QUERY_REGISTRY_SUBKEY 0x00000001 #define RTL_QUERY_REGISTRY_TOPKEY 0x00000002 #define RTL_QUERY_REGISTRY_REQUIRED 0x00000004 #define RTL_QUERY_REGISTRY_NOVALUE 0x00000008 #define RTL_QUERY_REGISTRY_NOEXPAND 0x00000010 #define RTL_QUERY_REGISTRY_DIRECT 0x00000020 #define RTL_QUERY_REGISTRY_DELETE 0x00000040 NTSYSAPI NTSTATUS NTAPI RtlQueryRegistryValues( _In_ ULONG RelativeTo, _In_ PCWSTR Path, _In_ PRTL_QUERY_REGISTRY_TABLE QueryTable, _In_ PVOID Context, _In_opt_ PVOID Environment ); // rev NTSYSAPI NTSTATUS NTAPI RtlQueryRegistryValuesEx( _In_ ULONG RelativeTo, _In_ PCWSTR Path, _In_ PRTL_QUERY_REGISTRY_TABLE QueryTable, _In_ PVOID Context, _In_opt_ PVOID Environment ); NTSYSAPI NTSTATUS NTAPI RtlWriteRegistryValue( _In_ ULONG RelativeTo, _In_ PCWSTR Path, _In_ PCWSTR ValueName, _In_ ULONG ValueType, _In_ PVOID ValueData, _In_ ULONG ValueLength ); NTSYSAPI NTSTATUS NTAPI RtlDeleteRegistryValue( _In_ ULONG RelativeTo, _In_ PCWSTR Path, _In_ PCWSTR ValueName ); // Thread profiling #if (PHNT_VERSION >= PHNT_WIN7) // rev NTSYSAPI NTSTATUS NTAPI RtlEnableThreadProfiling( _In_ HANDLE ThreadHandle, _In_ ULONG Flags, _In_ ULONG64 HardwareCounters, _Out_ PVOID *PerformanceDataHandle ); // rev NTSYSAPI NTSTATUS NTAPI RtlDisableThreadProfiling( _In_ PVOID PerformanceDataHandle ); // rev NTSYSAPI NTSTATUS NTAPI RtlQueryThreadProfiling( _In_ HANDLE ThreadHandle, _Out_ PBOOLEAN Enabled ); // rev NTSYSAPI NTSTATUS NTAPI RtlReadThreadProfilingData( _In_ HANDLE PerformanceDataHandle, _In_ ULONG Flags, _Out_ PPERFORMANCE_DATA PerformanceData ); #endif // WOW64 NTSYSAPI NTSTATUS NTAPI RtlGetNativeSystemInformation( _In_ ULONG SystemInformationClass, _In_ PVOID NativeSystemInformation, _In_ ULONG InformationLength, _Out_opt_ PULONG ReturnLength ); NTSYSAPI NTSTATUS NTAPI RtlQueueApcWow64Thread( _In_ HANDLE ThreadHandle, _In_ PPS_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcArgument1, _In_opt_ PVOID ApcArgument2, _In_opt_ PVOID ApcArgument3 ); NTSYSAPI NTSTATUS NTAPI RtlWow64EnableFsRedirection( _In_ BOOLEAN Wow64FsEnableRedirection ); NTSYSAPI NTSTATUS NTAPI RtlWow64EnableFsRedirectionEx( _In_ PVOID Wow64FsEnableRedirection, _Out_ PVOID *OldFsRedirectionLevel ); // Misc. NTSYSAPI ULONG32 NTAPI RtlComputeCrc32( _In_ ULONG32 PartialCrc, _In_ PVOID Buffer, _In_ ULONG Length ); NTSYSAPI PVOID NTAPI RtlEncodePointer( _In_ PVOID Ptr ); NTSYSAPI PVOID NTAPI RtlDecodePointer( _In_ PVOID Ptr ); NTSYSAPI PVOID NTAPI RtlEncodeSystemPointer( _In_ PVOID Ptr ); NTSYSAPI PVOID NTAPI RtlDecodeSystemPointer( _In_ PVOID Ptr ); #if (PHNT_VERSION >= PHNT_THRESHOLD) // rev NTSYSAPI NTSTATUS NTAPI RtlEncodeRemotePointer( _In_ HANDLE ProcessHandle, _In_ PVOID Pointer, _Out_ PVOID *EncodedPointer ); // rev NTSYSAPI NTSTATUS NTAPI RtlDecodeRemotePointer( _In_ HANDLE ProcessHandle, _In_ PVOID Pointer, _Out_ PVOID *DecodedPointer ); #endif // rev NTSYSAPI BOOLEAN NTAPI RtlIsProcessorFeaturePresent( _In_ ULONG ProcessorFeature ); // rev NTSYSAPI ULONG NTAPI RtlGetCurrentProcessorNumber( VOID ); #if (PHNT_VERSION >= PHNT_THRESHOLD) // rev NTSYSAPI VOID NTAPI RtlGetCurrentProcessorNumberEx( _Out_ PPROCESSOR_NUMBER ProcessorNumber ); #endif // Stack support NTSYSAPI VOID NTAPI RtlPushFrame( _In_ PTEB_ACTIVE_FRAME Frame ); NTSYSAPI VOID NTAPI RtlPopFrame( _In_ PTEB_ACTIVE_FRAME Frame ); NTSYSAPI PTEB_ACTIVE_FRAME NTAPI RtlGetFrame( VOID ); #define RTL_WALK_USER_MODE_STACK 0x00000001 #define RTL_WALK_VALID_FLAGS 0x00000001 #define RTL_STACK_WALKING_MODE_FRAMES_TO_SKIP_SHIFT 0x00000008 // private NTSYSAPI ULONG NTAPI RtlWalkFrameChain( _Out_writes_(Count - (Flags >> RTL_STACK_WALKING_MODE_FRAMES_TO_SKIP_SHIFT)) PVOID *Callers, _In_ ULONG Count, _In_ ULONG Flags ); // rev NTSYSAPI VOID NTAPI RtlGetCallersAddress( // Use the intrinsic _ReturnAddress instead. _Out_ PVOID *CallersAddress, _Out_ PVOID *CallersCaller ); #if (PHNT_VERSION >= PHNT_WIN7) NTSYSAPI ULONG64 NTAPI RtlGetEnabledExtendedFeatures( _In_ ULONG64 FeatureMask ); #endif #if (PHNT_VERSION >= PHNT_REDSTONE4) // msdn NTSYSAPI ULONG64 NTAPI RtlGetEnabledExtendedAndSupervisorFeatures( _In_ ULONG64 FeatureMask ); // msdn _Ret_maybenull_ _Success_(return != NULL) NTSYSAPI PVOID NTAPI RtlLocateSupervisorFeature( _In_ PXSAVE_AREA_HEADER XStateHeader, _In_range_(XSTATE_AVX, MAXIMUM_XSTATE_FEATURES - 1) ULONG FeatureId, _Out_opt_ PULONG Length ); #endif // private typedef union _RTL_ELEVATION_FLAGS { ULONG Flags; struct { ULONG ElevationEnabled : 1; ULONG VirtualizationEnabled : 1; ULONG InstallerDetectEnabled : 1; ULONG ReservedBits : 29; }; } RTL_ELEVATION_FLAGS, *PRTL_ELEVATION_FLAGS; #if (PHNT_VERSION >= PHNT_VISTA) // private NTSYSAPI NTSTATUS NTAPI RtlQueryElevationFlags( _Out_ PRTL_ELEVATION_FLAGS Flags ); #endif #if (PHNT_VERSION >= PHNT_VISTA) // private NTSYSAPI NTSTATUS NTAPI RtlRegisterThreadWithCsrss( VOID ); #endif #if (PHNT_VERSION >= PHNT_VISTA) // private NTSYSAPI NTSTATUS NTAPI RtlLockCurrentThread( VOID ); #endif #if (PHNT_VERSION >= PHNT_VISTA) // private NTSYSAPI NTSTATUS NTAPI RtlUnlockCurrentThread( VOID ); #endif #if (PHNT_VERSION >= PHNT_VISTA) // private NTSYSAPI NTSTATUS NTAPI RtlLockModuleSection( _In_ PVOID Address ); #endif #if (PHNT_VERSION >= PHNT_VISTA) // private NTSYSAPI NTSTATUS NTAPI RtlUnlockModuleSection( _In_ PVOID Address ); #endif // begin_msdn:"Winternl" #define RTL_UNLOAD_EVENT_TRACE_NUMBER 64 // private typedef struct _RTL_UNLOAD_EVENT_TRACE { PVOID BaseAddress; SIZE_T SizeOfImage; ULONG Sequence; ULONG TimeDateStamp; ULONG CheckSum; WCHAR ImageName[32]; ULONG Version[2]; } RTL_UNLOAD_EVENT_TRACE, *PRTL_UNLOAD_EVENT_TRACE; typedef struct _RTL_UNLOAD_EVENT_TRACE32 { ULONG BaseAddress; ULONG SizeOfImage; ULONG Sequence; ULONG TimeDateStamp; ULONG CheckSum; WCHAR ImageName[32]; ULONG Version[2]; } RTL_UNLOAD_EVENT_TRACE32, *PRTL_UNLOAD_EVENT_TRACE32; NTSYSAPI PRTL_UNLOAD_EVENT_TRACE NTAPI RtlGetUnloadEventTrace( VOID ); #if (PHNT_VERSION >= PHNT_VISTA) NTSYSAPI VOID NTAPI RtlGetUnloadEventTraceEx( _Out_ PULONG *ElementSize, _Out_ PULONG *ElementCount, _Out_ PVOID *EventTrace // works across all processes ); #endif // end_msdn #if (PHNT_VERSION >= PHNT_WIN7) // rev NTSYSAPI LOGICAL NTAPI RtlQueryPerformanceCounter( _Out_ PLARGE_INTEGER PerformanceCounter ); #endif #if (PHNT_VERSION >= PHNT_WIN7) // rev NTSYSAPI LOGICAL NTAPI RtlQueryPerformanceFrequency( _Out_ PLARGE_INTEGER PerformanceFrequency ); #endif // Image Mitigation // rev typedef enum _IMAGE_MITIGATION_POLICY { ImageDepPolicy, // RTL_IMAGE_MITIGATION_DEP_POLICY ImageAslrPolicy, // RTL_IMAGE_MITIGATION_ASLR_POLICY ImageDynamicCodePolicy, // RTL_IMAGE_MITIGATION_DYNAMIC_CODE_POLICY ImageStrictHandleCheckPolicy, // RTL_IMAGE_MITIGATION_STRICT_HANDLE_CHECK_POLICY ImageSystemCallDisablePolicy, // RTL_IMAGE_MITIGATION_SYSTEM_CALL_DISABLE_POLICY ImageMitigationOptionsMask, ImageExtensionPointDisablePolicy, // RTL_IMAGE_MITIGATION_EXTENSION_POINT_DISABLE_POLICY ImageControlFlowGuardPolicy, // RTL_IMAGE_MITIGATION_CONTROL_FLOW_GUARD_POLICY ImageSignaturePolicy, // RTL_IMAGE_MITIGATION_BINARY_SIGNATURE_POLICY ImageFontDisablePolicy, // RTL_IMAGE_MITIGATION_FONT_DISABLE_POLICY ImageImageLoadPolicy, // RTL_IMAGE_MITIGATION_IMAGE_LOAD_POLICY ImagePayloadRestrictionPolicy, // RTL_IMAGE_MITIGATION_PAYLOAD_RESTRICTION_POLICY ImageChildProcessPolicy, // RTL_IMAGE_MITIGATION_CHILD_PROCESS_POLICY ImageSehopPolicy, // RTL_IMAGE_MITIGATION_SEHOP_POLICY ImageHeapPolicy, // RTL_IMAGE_MITIGATION_HEAP_POLICY MaxImageMitigationPolicy } IMAGE_MITIGATION_POLICY; // rev typedef union _RTL_IMAGE_MITIGATION_POLICY { struct { ULONG64 AuditState : 2; ULONG64 AuditFlag : 1; ULONG64 EnableAdditionalAuditingOption : 1; ULONG64 Reserved : 60; }; struct { ULONG64 PolicyState : 2; ULONG64 AlwaysInherit : 1; ULONG64 EnableAdditionalPolicyOption : 1; ULONG64 AuditReserved : 60; }; } RTL_IMAGE_MITIGATION_POLICY, *PRTL_IMAGE_MITIGATION_POLICY; // rev typedef struct _RTL_IMAGE_MITIGATION_DEP_POLICY { RTL_IMAGE_MITIGATION_POLICY Dep; } RTL_IMAGE_MITIGATION_DEP_POLICY, *PRTL_IMAGE_MITIGATION_DEP_POLICY; // rev typedef struct _RTL_IMAGE_MITIGATION_ASLR_POLICY { RTL_IMAGE_MITIGATION_POLICY ForceRelocateImages; RTL_IMAGE_MITIGATION_POLICY BottomUpRandomization; RTL_IMAGE_MITIGATION_POLICY HighEntropyRandomization; } RTL_IMAGE_MITIGATION_ASLR_POLICY, *PRTL_IMAGE_MITIGATION_ASLR_POLICY; // rev typedef struct _RTL_IMAGE_MITIGATION_DYNAMIC_CODE_POLICY { RTL_IMAGE_MITIGATION_POLICY BlockDynamicCode; } RTL_IMAGE_MITIGATION_DYNAMIC_CODE_POLICY, *PRTL_IMAGE_MITIGATION_DYNAMIC_CODE_POLICY; // rev typedef struct _RTL_IMAGE_MITIGATION_STRICT_HANDLE_CHECK_POLICY { RTL_IMAGE_MITIGATION_POLICY StrictHandleChecks; } RTL_IMAGE_MITIGATION_STRICT_HANDLE_CHECK_POLICY, *PRTL_IMAGE_MITIGATION_STRICT_HANDLE_CHECK_POLICY; // rev typedef struct _RTL_IMAGE_MITIGATION_SYSTEM_CALL_DISABLE_POLICY { RTL_IMAGE_MITIGATION_POLICY BlockWin32kSystemCalls; } RTL_IMAGE_MITIGATION_SYSTEM_CALL_DISABLE_POLICY, *PRTL_IMAGE_MITIGATION_SYSTEM_CALL_DISABLE_POLICY; // rev typedef struct _RTL_IMAGE_MITIGATION_EXTENSION_POINT_DISABLE_POLICY { RTL_IMAGE_MITIGATION_POLICY DisableExtensionPoints; } RTL_IMAGE_MITIGATION_EXTENSION_POINT_DISABLE_POLICY, *PRTL_IMAGE_MITIGATION_EXTENSION_POINT_DISABLE_POLICY; // rev typedef struct _RTL_IMAGE_MITIGATION_CONTROL_FLOW_GUARD_POLICY { RTL_IMAGE_MITIGATION_POLICY ControlFlowGuard; RTL_IMAGE_MITIGATION_POLICY StrictControlFlowGuard; } RTL_IMAGE_MITIGATION_CONTROL_FLOW_GUARD_POLICY, *PRTL_IMAGE_MITIGATION_CONTROL_FLOW_GUARD_POLICY; // rev typedef struct _RTL_IMAGE_MITIGATION_BINARY_SIGNATURE_POLICY { RTL_IMAGE_MITIGATION_POLICY BlockNonMicrosoftSignedBinaries; RTL_IMAGE_MITIGATION_POLICY EnforceSigningOnModuleDependencies; } RTL_IMAGE_MITIGATION_BINARY_SIGNATURE_POLICY, *PRTL_IMAGE_MITIGATION_BINARY_SIGNATURE_POLICY; // rev typedef struct _RTL_IMAGE_MITIGATION_FONT_DISABLE_POLICY { RTL_IMAGE_MITIGATION_POLICY DisableNonSystemFonts; } RTL_IMAGE_MITIGATION_FONT_DISABLE_POLICY, *PRTL_IMAGE_MITIGATION_FONT_DISABLE_POLICY; // rev typedef struct _RTL_IMAGE_MITIGATION_IMAGE_LOAD_POLICY { RTL_IMAGE_MITIGATION_POLICY BlockRemoteImageLoads; RTL_IMAGE_MITIGATION_POLICY BlockLowLabelImageLoads; RTL_IMAGE_MITIGATION_POLICY PreferSystem32; } RTL_IMAGE_MITIGATION_IMAGE_LOAD_POLICY, *PRTL_IMAGE_MITIGATION_IMAGE_LOAD_POLICY; // rev typedef struct _RTL_IMAGE_MITIGATION_PAYLOAD_RESTRICTION_POLICY { RTL_IMAGE_MITIGATION_POLICY EnableExportAddressFilter; RTL_IMAGE_MITIGATION_POLICY EnableExportAddressFilterPlus; RTL_IMAGE_MITIGATION_POLICY EnableImportAddressFilter; RTL_IMAGE_MITIGATION_POLICY EnableRopStackPivot; RTL_IMAGE_MITIGATION_POLICY EnableRopCallerCheck; RTL_IMAGE_MITIGATION_POLICY EnableRopSimExec; WCHAR EafPlusModuleList[512]; // 19H1 } RTL_IMAGE_MITIGATION_PAYLOAD_RESTRICTION_POLICY, *PRTL_IMAGE_MITIGATION_PAYLOAD_RESTRICTION_POLICY; // rev typedef struct _RTL_IMAGE_MITIGATION_CHILD_PROCESS_POLICY { RTL_IMAGE_MITIGATION_POLICY DisallowChildProcessCreation; } RTL_IMAGE_MITIGATION_CHILD_PROCESS_POLICY, *PRTL_IMAGE_MITIGATION_CHILD_PROCESS_POLICY; // rev typedef struct _RTL_IMAGE_MITIGATION_SEHOP_POLICY { RTL_IMAGE_MITIGATION_POLICY Sehop; } RTL_IMAGE_MITIGATION_SEHOP_POLICY, *PRTL_IMAGE_MITIGATION_SEHOP_POLICY; // rev typedef struct _RTL_IMAGE_MITIGATION_HEAP_POLICY { RTL_IMAGE_MITIGATION_POLICY TerminateOnHeapErrors; } RTL_IMAGE_MITIGATION_HEAP_POLICY, *PRTL_IMAGE_MITIGATION_HEAP_POLICY; typedef enum _RTL_IMAGE_MITIGATION_OPTION_STATE { RtlMitigationOptionStateNotConfigured, RtlMitigationOptionStateOn, RtlMitigationOptionStateOff } RTL_IMAGE_MITIGATION_OPTION_STATE; // rev from PROCESS_MITIGATION_FLAGS #define RTL_IMAGE_MITIGATION_FLAG_RESET 0x1 #define RTL_IMAGE_MITIGATION_FLAG_REMOVE 0x2 #define RTL_IMAGE_MITIGATION_FLAG_OSDEFAULT 0x4 #define RTL_IMAGE_MITIGATION_FLAG_AUDIT 0x8 #if (PHNT_VERSION >= PHNT_REDSTONE3) // rev NTSYSAPI NTSTATUS NTAPI RtlQueryImageMitigationPolicy( _In_opt_ PWSTR ImagePath, // NULL for system-wide defaults _In_ IMAGE_MITIGATION_POLICY Policy, _In_ ULONG Flags, _Inout_ PVOID Buffer, _In_ ULONG BufferSize ); // rev NTSYSAPI NTSTATUS NTAPI RtlSetImageMitigationPolicy( _In_opt_ PWSTR ImagePath, // NULL for system-wide defaults _In_ IMAGE_MITIGATION_POLICY Policy, _In_ ULONG Flags, _Inout_ PVOID Buffer, _In_ ULONG BufferSize ); #endif // session // rev NTSYSAPI ULONG NTAPI RtlGetCurrentServiceSessionId( VOID ); // private NTSYSAPI ULONG NTAPI RtlGetActiveConsoleId( VOID ); #if (PHNT_VERSION >= PHNT_REDSTONE) // private NTSYSAPI ULONGLONG NTAPI RtlGetConsoleSessionForegroundProcessId( VOID ); #endif // Appcontainer // rev NTSYSAPI NTSTATUS NTAPI RtlGetTokenNamedObjectPath( _In_ HANDLE Token, _In_opt_ PSID Sid, _Out_ PUNICODE_STRING ObjectPath // RtlFreeUnicodeString ); // rev NTSYSAPI NTSTATUS NTAPI RtlGetAppContainerNamedObjectPath( _In_opt_ HANDLE Token, _In_opt_ PSID AppContainerSid, _In_ BOOLEAN RelativePath, _Out_ PUNICODE_STRING ObjectPath // RtlFreeUnicodeString ); // rev NTSYSAPI NTSTATUS NTAPI RtlGetAppContainerParent( _In_ PSID AppContainerSid, _Out_ PSID* AppContainerSidParent // RtlFreeSid ); // rev NTSYSAPI NTSTATUS NTAPI RtlCheckSandboxedToken( _In_opt_ HANDLE TokenHandle, _Out_ PBOOLEAN IsSandboxed ); // rev NTSYSAPI NTSTATUS NTAPI RtlCheckTokenCapability( _In_opt_ HANDLE TokenHandle, _In_ PSID CapabilitySidToCheck, _Out_ PBOOLEAN HasCapability ); // rev NTSYSAPI NTSTATUS NTAPI RtlCapabilityCheck( _In_opt_ HANDLE TokenHandle, _In_ PUNICODE_STRING CapabilityName, _Out_ PBOOLEAN HasCapability ); // rev NTSYSAPI NTSTATUS NTAPI RtlCheckTokenMembership( _In_opt_ HANDLE TokenHandle, _In_ PSID SidToCheck, _Out_ PBOOLEAN IsMember ); // rev NTSYSAPI NTSTATUS NTAPI RtlCheckTokenMembershipEx( _In_opt_ HANDLE TokenHandle, _In_ PSID SidToCheck, _In_ ULONG Flags, // CTMF_VALID_FLAGS _Out_ PBOOLEAN IsMember ); // rev NTSYSAPI NTSTATUS NTAPI RtlQueryTokenHostIdAsUlong64( _In_ HANDLE TokenHandle, _Out_ PULONG64 HostId // (WIN://PKGHOSTID) ); // rev NTSYSAPI BOOLEAN NTAPI RtlIsParentOfChildAppContainer( _In_ PSID ParentAppContainerSid, _In_ PSID ChildAppContainerSid ); // rev NTSYSAPI BOOLEAN NTAPI RtlIsCapabilitySid( _In_ PSID Sid ); // rev NTSYSAPI BOOLEAN NTAPI RtlIsPackageSid( _In_ PSID Sid ); // rev NTSYSAPI BOOLEAN NTAPI RtlIsValidProcessTrustLabelSid( _In_ PSID Sid ); NTSYSAPI BOOLEAN NTAPI RtlIsStateSeparationEnabled( VOID ); typedef enum _APPCONTAINER_SID_TYPE { NotAppContainerSidType, ChildAppContainerSidType, ParentAppContainerSidType, InvalidAppContainerSidType, MaxAppContainerSidType } APPCONTAINER_SID_TYPE, *PAPPCONTAINER_SID_TYPE; // rev NTSYSAPI NTSTATUS NTAPI RtlGetAppContainerSidType( _In_ PSID AppContainerSid, _Out_ PAPPCONTAINER_SID_TYPE AppContainerSidType ); NTSYSAPI NTSTATUS NTAPI RtlFlsAlloc( _In_ PFLS_CALLBACK_FUNCTION Callback, _Out_ PULONG FlsIndex ); NTSYSAPI NTSTATUS NTAPI RtlFlsFree( _In_ ULONG FlsIndex ); typedef enum _STATE_LOCATION_TYPE { LocationTypeRegistry, LocationTypeFileSystem, LocationTypeMaximum } STATE_LOCATION_TYPE; // private NTSYSAPI NTSTATUS NTAPI RtlGetPersistedStateLocation( _In_ PCWSTR SourceID, _In_opt_ PCWSTR CustomValue, _In_opt_ PCWSTR DefaultPath, _In_ STATE_LOCATION_TYPE StateLocationType, _Out_writes_bytes_to_opt_(BufferLengthIn, *BufferLengthOut) PWCHAR TargetPath, _In_ ULONG BufferLengthIn, _Out_opt_ PULONG BufferLengthOut ); // msdn NTSYSAPI BOOLEAN NTAPI RtlIsCloudFilesPlaceholder( _In_ ULONG FileAttributes, _In_ ULONG ReparseTag ); // msdn NTSYSAPI BOOLEAN NTAPI RtlIsPartialPlaceholder( _In_ ULONG FileAttributes, _In_ ULONG ReparseTag ); // msdn NTSYSAPI NTSTATUS NTAPI RtlIsPartialPlaceholderFileHandle( _In_ HANDLE FileHandle, _Out_ PBOOLEAN IsPartialPlaceholder ); // msdn NTSYSAPI NTSTATUS NTAPI RtlIsPartialPlaceholderFileInfo( _In_ PVOID InfoBuffer, _In_ FILE_INFORMATION_CLASS InfoClass, _Out_ PBOOLEAN IsPartialPlaceholder ); // rev NTSYSAPI BOOLEAN NTAPI RtlIsNonEmptyDirectoryReparsePointAllowed( _In_ ULONG ReparseTag ); // rev NTSYSAPI NTSTATUS NTAPI RtlAppxIsFileOwnedByTrustedInstaller( _In_ HANDLE FileHandle, _Out_ PBOOLEAN IsFileOwnedByTrustedInstaller ); // rev typedef struct _PS_PKG_CLAIM { ULONGLONG Flags; ULONGLONG Origin; } PS_PKG_CLAIM, *PPS_PKG_CLAIM; NTSYSAPI NTSTATUS NTAPI RtlQueryPackageClaims( _In_ HANDLE TokenHandle, _Out_writes_bytes_to_opt_(*PackageSize, *PackageSize) PWSTR PackageFullName, _Inout_opt_ PSIZE_T PackageSize, _Out_writes_bytes_to_opt_(*AppIdSize, *AppIdSize) PWSTR AppId, _Inout_opt_ PSIZE_T AppIdSize, _Out_opt_ PGUID DynamicId, _Out_opt_ PPS_PKG_CLAIM PkgClaim, _Out_opt_ PULONG64 AttributesPresent ); // Protected policies // rev NTSYSAPI NTSTATUS NTAPI RtlQueryProtectedPolicy( _In_ PGUID PolicyGuid, _Out_ PULONG_PTR PolicyValue ); // rev NTSYSAPI NTSTATUS NTAPI RtlSetProtectedPolicy( _In_ PGUID PolicyGuid, _In_ ULONG_PTR PolicyValue, _Out_ PULONG_PTR OldPolicyValue ); #if (PHNT_VERSION >= PHNT_REDSTONE) // private NTSYSAPI BOOLEAN NTAPI RtlIsMultiSessionSku( VOID ); #endif #if (PHNT_VERSION >= PHNT_REDSTONE) // private NTSYSAPI BOOLEAN NTAPI RtlIsMultiUsersInSessionSku( VOID ); #endif // private typedef enum _RTL_BSD_ITEM_TYPE { RtlBsdItemVersionNumber, RtlBsdItemProductType, RtlBsdItemAabEnabled, RtlBsdItemAabTimeout, RtlBsdItemBootGood, RtlBsdItemBootShutdown, RtlBsdSleepInProgress, RtlBsdPowerTransition, RtlBsdItemBootAttemptCount, RtlBsdItemBootCheckpoint, RtlBsdItemBootId, RtlBsdItemShutdownBootId, RtlBsdItemReportedAbnormalShutdownBootId, RtlBsdItemErrorInfo, RtlBsdItemPowerButtonPressInfo, RtlBsdItemChecksum, RtlBsdItemMax } RTL_BSD_ITEM_TYPE; // private typedef struct _RTL_BSD_ITEM { RTL_BSD_ITEM_TYPE Type; PVOID DataBuffer; ULONG DataLength; } RTL_BSD_ITEM, *PRTL_BSD_ITEM; // ros NTSYSAPI NTSTATUS NTAPI RtlCreateBootStatusDataFile( VOID ); // ros NTSYSAPI NTSTATUS NTAPI RtlLockBootStatusData( _Out_ PHANDLE FileHandle ); // ros NTSYSAPI NTSTATUS NTAPI RtlUnlockBootStatusData( _In_ HANDLE FileHandle ); // ros NTSYSAPI NTSTATUS NTAPI RtlGetSetBootStatusData( _In_ HANDLE FileHandle, _In_ BOOLEAN Read, _In_ RTL_BSD_ITEM_TYPE DataClass, _In_ PVOID Buffer, _In_ ULONG BufferSize, _Out_opt_ PULONG ReturnLength ); // rev NTSYSAPI NTSTATUS NTAPI RtlCheckBootStatusIntegrity( _In_ HANDLE FileHandle, _Out_ PBOOLEAN Verified ); // rev NTSYSAPI NTSTATUS NTAPI RtlCheckPortableOperatingSystem( _Out_ PBOOLEAN IsPortable // VOID ); // rev NTSYSAPI NTSTATUS NTAPI RtlSetPortableOperatingSystem( _In_ BOOLEAN IsPortable ); #if (PHNT_VERSION >= PHNT_THRESHOLD) NTSYSAPI OS_DEPLOYEMENT_STATE_VALUES NTAPI RtlOsDeploymentState( _Reserved_ _In_ ULONG Flags ); #endif #if (PHNT_VERSION >= PHNT_VISTA) NTSYSAPI NTSTATUS NTAPI RtlFindClosestEncodableLength( _In_ ULONGLONG SourceLength, _Out_ PULONGLONG TargetLength ); #endif // Memory cache typedef NTSTATUS (NTAPI *PRTL_SECURE_MEMORY_CACHE_CALLBACK)( _In_ PVOID Address, _In_ SIZE_T Length ); // ros NTSYSAPI NTSTATUS NTAPI RtlRegisterSecureMemoryCacheCallback( _In_ PRTL_SECURE_MEMORY_CACHE_CALLBACK Callback ); NTSYSAPI NTSTATUS NTAPI RtlDeregisterSecureMemoryCacheCallback( _In_ PRTL_SECURE_MEMORY_CACHE_CALLBACK Callback ); // ros NTSYSAPI BOOLEAN NTAPI RtlFlushSecureMemoryCache( _In_ PVOID MemoryCache, _In_opt_ SIZE_T MemoryLength ); #endif