/* * This file is part of the Process Hacker project - https://processhacker.sourceforge.io/ * * You can redistribute this file and/or modify it under the terms of the * Attribution 4.0 International (CC BY 4.0) license. * * You must give appropriate credit, provide a link to the license, and * indicate if changes were made. You may do so in any reasonable manner, but * not in any way that suggests the licensor endorses you or your use. */ #ifndef _NTMMAPI_H #define _NTMMAPI_H #if (PHNT_MODE == PHNT_MODE_KERNEL) // Protection constants #define PAGE_NOACCESS 0x01 #define PAGE_READONLY 0x02 #define PAGE_READWRITE 0x04 #define PAGE_WRITECOPY 0x08 #define PAGE_EXECUTE 0x10 #define PAGE_EXECUTE_READ 0x20 #define PAGE_EXECUTE_READWRITE 0x40 #define PAGE_EXECUTE_WRITECOPY 0x80 #define PAGE_GUARD 0x100 #define PAGE_NOCACHE 0x200 #define PAGE_WRITECOMBINE 0x400 #define PAGE_REVERT_TO_FILE_MAP 0x80000000 #define PAGE_ENCLAVE_THREAD_CONTROL 0x80000000 #define PAGE_TARGETS_NO_UPDATE 0x40000000 #define PAGE_TARGETS_INVALID 0x40000000 #define PAGE_ENCLAVE_UNVALIDATED 0x20000000 // Region and section constants #if (PHNT_MODE != PHNT_MODE_KERNEL) #define MEM_COMMIT 0x1000 #define MEM_RESERVE 0x2000 #define MEM_DECOMMIT 0x4000 #define MEM_RELEASE 0x8000 #define MEM_FREE 0x10000 #define MEM_PRIVATE 0x20000 #define MEM_MAPPED 0x40000 #define MEM_RESET 0x80000 #define MEM_TOP_DOWN 0x100000 #endif #define MEM_WRITE_WATCH 0x200000 #define MEM_PHYSICAL 0x400000 #define MEM_ROTATE 0x800000 #define MEM_DIFFERENT_IMAGE_BASE_OK 0x800000 #if (PHNT_MODE != PHNT_MODE_KERNEL) #define MEM_RESET_UNDO 0x1000000 #endif #define MEM_LARGE_PAGES 0x20000000 #define MEM_4MB_PAGES 0x80000000 #if (PHNT_MODE != PHNT_MODE_KERNEL) #define SEC_FILE 0x800000 #endif #define SEC_IMAGE 0x1000000 #define SEC_PROTECTED_IMAGE 0x2000000 #if (PHNT_MODE != PHNT_MODE_KERNEL) #define SEC_RESERVE 0x4000000 #define SEC_COMMIT 0x8000000 #endif #define SEC_NOCACHE 0x10000000 #define SEC_WRITECOMBINE 0x40000000 #define SEC_LARGE_PAGES 0x80000000 #define SEC_IMAGE_NO_EXECUTE (SEC_IMAGE | SEC_NOCACHE) #define MEM_IMAGE SEC_IMAGE #endif #if (PHNT_MODE != PHNT_MODE_KERNEL) // private typedef enum _MEMORY_INFORMATION_CLASS { MemoryBasicInformation, // MEMORY_BASIC_INFORMATION MemoryWorkingSetInformation, // MEMORY_WORKING_SET_INFORMATION MemoryMappedFilenameInformation, // UNICODE_STRING MemoryRegionInformation, // MEMORY_REGION_INFORMATION MemoryWorkingSetExInformation, // MEMORY_WORKING_SET_EX_INFORMATION MemorySharedCommitInformation, // MEMORY_SHARED_COMMIT_INFORMATION MemoryImageInformation, // MEMORY_IMAGE_INFORMATION MemoryRegionInformationEx, MemoryPrivilegedBasicInformation, MemoryEnclaveImageInformation, // MEMORY_ENCLAVE_IMAGE_INFORMATION // since REDSTONE3 MemoryBasicInformationCapped } MEMORY_INFORMATION_CLASS; #else #define MemoryBasicInformation 0x0 #define MemoryWorkingSetInformation 0x1 #define MemoryMappedFilenameInformation 0x2 #define MemoryRegionInformation 0x3 #define MemoryWorkingSetExInformation 0x4 #define MemorySharedCommitInformation 0x5 #define MemoryImageInformation 0x6 #define MemoryRegionInformationEx 0x7 #define MemoryPrivilegedBasicInformation 0x8 #define MemoryEnclaveImageInformation 0x9 #define MemoryBasicInformationCapped 0xA #endif typedef struct _MEMORY_WORKING_SET_BLOCK { ULONG_PTR Protection : 5; ULONG_PTR ShareCount : 3; ULONG_PTR Shared : 1; ULONG_PTR Node : 3; #ifdef _WIN64 ULONG_PTR VirtualPage : 52; #else ULONG VirtualPage : 20; #endif } MEMORY_WORKING_SET_BLOCK, *PMEMORY_WORKING_SET_BLOCK; typedef struct _MEMORY_WORKING_SET_INFORMATION { ULONG_PTR NumberOfEntries; MEMORY_WORKING_SET_BLOCK WorkingSetInfo[1]; } MEMORY_WORKING_SET_INFORMATION, *PMEMORY_WORKING_SET_INFORMATION; // private typedef struct _MEMORY_REGION_INFORMATION { PVOID AllocationBase; ULONG AllocationProtect; union { ULONG RegionType; struct { ULONG Private : 1; ULONG MappedDataFile : 1; ULONG MappedImage : 1; ULONG MappedPageFile : 1; ULONG MappedPhysical : 1; ULONG DirectMapped : 1; ULONG SoftwareEnclave : 1; // REDSTONE3 ULONG PageSize64K : 1; ULONG PlaceholderReservation : 1; // REDSTONE4 ULONG Reserved : 23; }; }; SIZE_T RegionSize; SIZE_T CommitSize; ULONG_PTR PartitionId; // 19H1 } MEMORY_REGION_INFORMATION, *PMEMORY_REGION_INFORMATION; // private typedef enum _MEMORY_WORKING_SET_EX_LOCATION { MemoryLocationInvalid, MemoryLocationResident, MemoryLocationPagefile, MemoryLocationReserved } MEMORY_WORKING_SET_EX_LOCATION; // private typedef struct _MEMORY_WORKING_SET_EX_BLOCK { union { struct { ULONG_PTR Valid : 1; ULONG_PTR ShareCount : 3; ULONG_PTR Win32Protection : 11; ULONG_PTR Shared : 1; ULONG_PTR Node : 6; ULONG_PTR Locked : 1; ULONG_PTR LargePage : 1; ULONG_PTR Priority : 3; ULONG_PTR Reserved : 3; ULONG_PTR SharedOriginal : 1; ULONG_PTR Bad : 1; ULONG_PTR Win32GraphicsProtection : 4; // 19H1 #ifdef _WIN64 ULONG_PTR ReservedUlong : 28; #endif }; struct { ULONG_PTR Valid : 1; ULONG_PTR Reserved0 : 14; ULONG_PTR Shared : 1; ULONG_PTR Reserved1 : 5; ULONG_PTR PageTable : 1; ULONG_PTR Location : 2; ULONG_PTR Priority : 3; ULONG_PTR ModifiedList : 1; ULONG_PTR Reserved2 : 2; ULONG_PTR SharedOriginal : 1; ULONG_PTR Bad : 1; #ifdef _WIN64 ULONG_PTR ReservedUlong : 32; #endif } Invalid; }; } MEMORY_WORKING_SET_EX_BLOCK, *PMEMORY_WORKING_SET_EX_BLOCK; // private typedef struct _MEMORY_WORKING_SET_EX_INFORMATION { PVOID VirtualAddress; union { MEMORY_WORKING_SET_EX_BLOCK VirtualAttributes; ULONG_PTR Long; } u1; } MEMORY_WORKING_SET_EX_INFORMATION, *PMEMORY_WORKING_SET_EX_INFORMATION; // private typedef struct _MEMORY_SHARED_COMMIT_INFORMATION { SIZE_T CommitSize; } MEMORY_SHARED_COMMIT_INFORMATION, *PMEMORY_SHARED_COMMIT_INFORMATION; // private typedef struct _MEMORY_IMAGE_INFORMATION { PVOID ImageBase; SIZE_T SizeOfImage; union { ULONG ImageFlags; struct { ULONG ImagePartialMap : 1; ULONG ImageNotExecutable : 1; ULONG ImageSigningLevel : 4; // REDSTONE3 ULONG Reserved : 26; }; }; } MEMORY_IMAGE_INFORMATION, *PMEMORY_IMAGE_INFORMATION; // private typedef struct _MEMORY_ENCLAVE_IMAGE_INFORMATION { MEMORY_IMAGE_INFORMATION ImageInfo; UCHAR UniqueID[32]; UCHAR AuthorID[32]; } MEMORY_ENCLAVE_IMAGE_INFORMATION, *PMEMORY_ENCLAVE_IMAGE_INFORMATION; #define MMPFNLIST_ZERO 0 #define MMPFNLIST_FREE 1 #define MMPFNLIST_STANDBY 2 #define MMPFNLIST_MODIFIED 3 #define MMPFNLIST_MODIFIEDNOWRITE 4 #define MMPFNLIST_BAD 5 #define MMPFNLIST_ACTIVE 6 #define MMPFNLIST_TRANSITION 7 //typedef enum _MMLISTS //{ // ZeroedPageList = 0, // FreePageList = 1, // StandbyPageList = 2, // ModifiedPageList = 3, // ModifiedNoWritePageList = 4, // BadPageList = 5, // ActiveAndValid = 6, // TransitionPage = 7 //} MMLISTS; #define MMPFNUSE_PROCESSPRIVATE 0 #define MMPFNUSE_FILE 1 #define MMPFNUSE_PAGEFILEMAPPED 2 #define MMPFNUSE_PAGETABLE 3 #define MMPFNUSE_PAGEDPOOL 4 #define MMPFNUSE_NONPAGEDPOOL 5 #define MMPFNUSE_SYSTEMPTE 6 #define MMPFNUSE_SESSIONPRIVATE 7 #define MMPFNUSE_METAFILE 8 #define MMPFNUSE_AWEPAGE 9 #define MMPFNUSE_DRIVERLOCKPAGE 10 #define MMPFNUSE_KERNELSTACK 11 //typedef enum _MMPFNUSE //{ // ProcessPrivatePage, // MemoryMappedFilePage, // PageFileMappedPage, // PageTablePage, // PagedPoolPage, // NonPagedPoolPage, // SystemPTEPage, // SessionPrivatePage, // MetafilePage, // AWEPage, // DriverLockedPage, // KernelStackPage //} MMPFNUSE; // private typedef struct _MEMORY_FRAME_INFORMATION { ULONGLONG UseDescription : 4; // MMPFNUSE_* ULONGLONG ListDescription : 3; // MMPFNLIST_* ULONGLONG Cold : 1; // 19H1 ULONGLONG Pinned : 1; // 1 - pinned, 0 - not pinned ULONGLONG DontUse : 48; // *_INFORMATION overlay ULONGLONG Priority : 3; // rev ULONGLONG Reserved : 4; // reserved for future expansion } MEMORY_FRAME_INFORMATION; // private typedef struct _FILEOFFSET_INFORMATION { ULONGLONG DontUse : 9; // MEMORY_FRAME_INFORMATION overlay ULONGLONG Offset : 48; // mapped files ULONGLONG Reserved : 7; // reserved for future expansion } FILEOFFSET_INFORMATION; // private typedef struct _PAGEDIR_INFORMATION { ULONGLONG DontUse : 9; // MEMORY_FRAME_INFORMATION overlay ULONGLONG PageDirectoryBase : 48; // private pages ULONGLONG Reserved : 7; // reserved for future expansion } PAGEDIR_INFORMATION; // private typedef struct _UNIQUE_PROCESS_INFORMATION { ULONGLONG DontUse : 9; // MEMORY_FRAME_INFORMATION overlay ULONGLONG UniqueProcessKey : 48; // ProcessId ULONGLONG Reserved : 7; // reserved for future expansion } UNIQUE_PROCESS_INFORMATION, *PUNIQUE_PROCESS_INFORMATION; // private typedef struct _MMPFN_IDENTITY { union { MEMORY_FRAME_INFORMATION e1; // all FILEOFFSET_INFORMATION e2; // mapped files PAGEDIR_INFORMATION e3; // private pages UNIQUE_PROCESS_INFORMATION e4; // owning process } u1; ULONG_PTR PageFrameIndex; // all union { struct { ULONG_PTR Image : 1; ULONG_PTR Mismatch : 1; } e1; struct { ULONG_PTR CombinedPage; } e2; ULONG_PTR FileObject; // mapped files ULONG_PTR UniqueFileObjectKey; ULONG_PTR ProtoPteAddress; ULONG_PTR VirtualAddress; // everything else } u2; } MMPFN_IDENTITY, *PMMPFN_IDENTITY; typedef struct _MMPFN_MEMSNAP_INFORMATION { ULONG_PTR InitialPageFrameIndex; ULONG_PTR Count; } MMPFN_MEMSNAP_INFORMATION, *PMMPFN_MEMSNAP_INFORMATION; typedef enum _SECTION_INFORMATION_CLASS { SectionBasicInformation, // q; SECTION_BASIC_INFORMATION SectionImageInformation, // q; SECTION_IMAGE_INFORMATION SectionRelocationInformation, // name:wow64:whNtQuerySection_SectionRelocationInformation SectionOriginalBaseInformation, // PVOID BaseAddress SectionInternalImageInformation, // SECTION_INTERNAL_IMAGE_INFORMATION // since REDSTONE2 MaxSectionInfoClass } SECTION_INFORMATION_CLASS; typedef struct _SECTION_BASIC_INFORMATION { PVOID BaseAddress; ULONG AllocationAttributes; LARGE_INTEGER MaximumSize; } SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION; // symbols typedef struct _SECTION_IMAGE_INFORMATION { PVOID TransferAddress; ULONG ZeroBits; SIZE_T MaximumStackSize; SIZE_T CommittedStackSize; ULONG SubSystemType; union { struct { USHORT SubSystemMinorVersion; USHORT SubSystemMajorVersion; }; ULONG SubSystemVersion; }; union { struct { USHORT MajorOperatingSystemVersion; USHORT MinorOperatingSystemVersion; }; ULONG OperatingSystemVersion; }; USHORT ImageCharacteristics; USHORT DllCharacteristics; USHORT Machine; BOOLEAN ImageContainsCode; union { UCHAR ImageFlags; struct { UCHAR ComPlusNativeReady : 1; UCHAR ComPlusILOnly : 1; UCHAR ImageDynamicallyRelocated : 1; UCHAR ImageMappedFlat : 1; UCHAR BaseBelow4gb : 1; UCHAR ComPlusPrefer32bit : 1; UCHAR Reserved : 2; }; }; ULONG LoaderFlags; ULONG ImageFileSize; ULONG CheckSum; } SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION; // symbols typedef struct _SECTION_INTERNAL_IMAGE_INFORMATION { SECTION_IMAGE_INFORMATION SectionInformation; union { ULONG ExtendedFlags; struct { ULONG ImageExportSuppressionEnabled : 1; ULONG Reserved : 31; }; }; } SECTION_INTERNAL_IMAGE_INFORMATION, *PSECTION_INTERNAL_IMAGE_INFORMATION; #if (PHNT_MODE != PHNT_MODE_KERNEL) typedef enum _SECTION_INHERIT { ViewShare = 1, ViewUnmap = 2 } SECTION_INHERIT; #endif #define SEC_BASED 0x200000 #define SEC_NO_CHANGE 0x400000 #define SEC_GLOBAL 0x20000000 #define MEM_EXECUTE_OPTION_DISABLE 0x1 #define MEM_EXECUTE_OPTION_ENABLE 0x2 #define MEM_EXECUTE_OPTION_DISABLE_THUNK_EMULATION 0x4 #define MEM_EXECUTE_OPTION_PERMANENT 0x8 #define MEM_EXECUTE_OPTION_EXECUTE_DISPATCH_ENABLE 0x10 #define MEM_EXECUTE_OPTION_IMAGE_DISPATCH_ENABLE 0x20 #define MEM_EXECUTE_OPTION_VALID_FLAGS 0x3f // Virtual memory #if (PHNT_MODE != PHNT_MODE_KERNEL) NTSYSCALLAPI NTSTATUS NTAPI NtAllocateVirtualMemory( _In_ HANDLE ProcessHandle, _Inout_ _At_(*BaseAddress, _Readable_bytes_(*RegionSize) _Writable_bytes_(*RegionSize) _Post_readable_byte_size_(*RegionSize)) PVOID *BaseAddress, _In_ ULONG_PTR ZeroBits, _Inout_ PSIZE_T RegionSize, _In_ ULONG AllocationType, _In_ ULONG Protect ); NTSYSCALLAPI NTSTATUS NTAPI NtFreeVirtualMemory( _In_ HANDLE ProcessHandle, _Inout_ PVOID *BaseAddress, _Inout_ PSIZE_T RegionSize, _In_ ULONG FreeType ); NTSYSCALLAPI NTSTATUS NTAPI NtReadVirtualMemory( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress, _Out_writes_bytes_(BufferSize) PVOID Buffer, _In_ SIZE_T BufferSize, _Out_opt_ PSIZE_T NumberOfBytesRead ); NTSYSCALLAPI NTSTATUS NTAPI NtWriteVirtualMemory( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress, _In_reads_bytes_(BufferSize) PVOID Buffer, _In_ SIZE_T BufferSize, _Out_opt_ PSIZE_T NumberOfBytesWritten ); NTSYSCALLAPI NTSTATUS NTAPI NtProtectVirtualMemory( _In_ HANDLE ProcessHandle, _Inout_ PVOID *BaseAddress, _Inout_ PSIZE_T RegionSize, _In_ ULONG NewProtect, _Out_ PULONG OldProtect ); NTSYSCALLAPI NTSTATUS NTAPI NtQueryVirtualMemory( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress, _In_ MEMORY_INFORMATION_CLASS MemoryInformationClass, _Out_writes_bytes_(MemoryInformationLength) PVOID MemoryInformation, _In_ SIZE_T MemoryInformationLength, _Out_opt_ PSIZE_T ReturnLength ); #endif // begin_private #if (PHNT_MODE != PHNT_MODE_KERNEL) typedef enum _VIRTUAL_MEMORY_INFORMATION_CLASS { VmPrefetchInformation, // ULONG VmPagePriorityInformation, VmCfgCallTargetInformation, // CFG_CALL_TARGET_LIST_INFORMATION // REDSTONE2 VmPageDirtyStateInformation, // REDSTONE3 VmImageHotPatchInformation // 19H1 } VIRTUAL_MEMORY_INFORMATION_CLASS; typedef struct _MEMORY_RANGE_ENTRY { PVOID VirtualAddress; SIZE_T NumberOfBytes; } MEMORY_RANGE_ENTRY, *PMEMORY_RANGE_ENTRY; typedef struct _CFG_CALL_TARGET_LIST_INFORMATION { ULONG NumberOfEntries; ULONG Reserved; PULONG NumberOfEntriesProcessed; PCFG_CALL_TARGET_INFO CallTargetInfo; PVOID Section; // since REDSTONE5 ULONGLONG FileOffset; } CFG_CALL_TARGET_LIST_INFORMATION, *PCFG_CALL_TARGET_LIST_INFORMATION; #endif // end_private #if (PHNT_MODE != PHNT_MODE_KERNEL) #if (PHNT_VERSION >= PHNT_THRESHOLD) NTSYSCALLAPI NTSTATUS NTAPI NtSetInformationVirtualMemory( _In_ HANDLE ProcessHandle, _In_ VIRTUAL_MEMORY_INFORMATION_CLASS VmInformationClass, _In_ ULONG_PTR NumberOfEntries, _In_reads_ (NumberOfEntries) PMEMORY_RANGE_ENTRY VirtualAddresses, _In_reads_bytes_ (VmInformationLength) PVOID VmInformation, _In_ ULONG VmInformationLength ); #endif #define MAP_PROCESS 1 #define MAP_SYSTEM 2 NTSYSCALLAPI NTSTATUS NTAPI NtLockVirtualMemory( _In_ HANDLE ProcessHandle, _Inout_ PVOID *BaseAddress, _Inout_ PSIZE_T RegionSize, _In_ ULONG MapType ); NTSYSCALLAPI NTSTATUS NTAPI NtUnlockVirtualMemory( _In_ HANDLE ProcessHandle, _Inout_ PVOID *BaseAddress, _Inout_ PSIZE_T RegionSize, _In_ ULONG MapType ); #endif // Sections #if (PHNT_MODE != PHNT_MODE_KERNEL) NTSYSCALLAPI NTSTATUS NTAPI NtCreateSection( _Out_ PHANDLE SectionHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_opt_ PLARGE_INTEGER MaximumSize, _In_ ULONG SectionPageProtection, _In_ ULONG AllocationAttributes, _In_opt_ HANDLE FileHandle ); #if (PHNT_VERSION >= PHNT_REDSTONE5) NTSYSCALLAPI NTSTATUS NTAPI NtCreateSectionEx( _Out_ PHANDLE SectionHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_opt_ PLARGE_INTEGER MaximumSize, _In_ ULONG SectionPageProtection, _In_ ULONG AllocationAttributes, _In_opt_ HANDLE FileHandle, _In_ PMEM_EXTENDED_PARAMETER ExtendedParameters, _In_ ULONG ExtendedParameterCount ); #endif NTSYSCALLAPI NTSTATUS NTAPI NtOpenSection( _Out_ PHANDLE SectionHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes ); NTSYSCALLAPI NTSTATUS NTAPI NtMapViewOfSection( _In_ HANDLE SectionHandle, _In_ HANDLE ProcessHandle, _Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID *BaseAddress, _In_ ULONG_PTR ZeroBits, _In_ SIZE_T CommitSize, _Inout_opt_ PLARGE_INTEGER SectionOffset, _Inout_ PSIZE_T ViewSize, _In_ SECTION_INHERIT InheritDisposition, _In_ ULONG AllocationType, _In_ ULONG Win32Protect ); NTSYSCALLAPI NTSTATUS NTAPI NtUnmapViewOfSection( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress ); #if (PHNT_VERSION >= PHNT_WIN8) NTSYSCALLAPI NTSTATUS NTAPI NtUnmapViewOfSectionEx( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress, _In_ ULONG Flags ); #endif NTSYSCALLAPI NTSTATUS NTAPI NtExtendSection( _In_ HANDLE SectionHandle, _Inout_ PLARGE_INTEGER NewSectionSize ); NTSYSCALLAPI NTSTATUS NTAPI NtQuerySection( _In_ HANDLE SectionHandle, _In_ SECTION_INFORMATION_CLASS SectionInformationClass, _Out_writes_bytes_(SectionInformationLength) PVOID SectionInformation, _In_ SIZE_T SectionInformationLength, _Out_opt_ PSIZE_T ReturnLength ); NTSYSCALLAPI NTSTATUS NTAPI NtAreMappedFilesTheSame( _In_ PVOID File1MappedAsAnImage, _In_ PVOID File2MappedAsFile ); #endif // Partitions #ifndef MEMORY_PARTITION_QUERY_ACCESS #define MEMORY_PARTITION_QUERY_ACCESS 0x0001 #define MEMORY_PARTITION_MODIFY_ACCESS 0x0002 #define MEMORY_PARTITION_ALL_ACCESS \ (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \ MEMORY_PARTITION_QUERY_ACCESS | MEMORY_PARTITION_MODIFY_ACCESS) #endif // private typedef enum _MEMORY_PARTITION_INFORMATION_CLASS { SystemMemoryPartitionInformation, // q: MEMORY_PARTITION_CONFIGURATION_INFORMATION SystemMemoryPartitionMoveMemory, // s: MEMORY_PARTITION_TRANSFER_INFORMATION SystemMemoryPartitionAddPagefile, // s: MEMORY_PARTITION_PAGEFILE_INFORMATION SystemMemoryPartitionCombineMemory, // q; s: MEMORY_PARTITION_PAGE_COMBINE_INFORMATION SystemMemoryPartitionInitialAddMemory, // q; s: MEMORY_PARTITION_INITIAL_ADD_INFORMATION SystemMemoryPartitionGetMemoryEvents, // MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION // since REDSTONE2 SystemMemoryPartitionMax } MEMORY_PARTITION_INFORMATION_CLASS; // private typedef struct _MEMORY_PARTITION_CONFIGURATION_INFORMATION { ULONG Flags; ULONG NumaNode; ULONG Channel; ULONG NumberOfNumaNodes; ULONG_PTR ResidentAvailablePages; ULONG_PTR CommittedPages; ULONG_PTR CommitLimit; ULONG_PTR PeakCommitment; ULONG_PTR TotalNumberOfPages; ULONG_PTR AvailablePages; ULONG_PTR ZeroPages; ULONG_PTR FreePages; ULONG_PTR StandbyPages; ULONG_PTR StandbyPageCountByPriority[8]; // since REDSTONE2 ULONG_PTR RepurposedPagesByPriority[8]; ULONG_PTR MaximumCommitLimit; ULONG_PTR DonatedPagesToPartitions; ULONG PartitionId; // since REDSTONE3 } MEMORY_PARTITION_CONFIGURATION_INFORMATION, *PMEMORY_PARTITION_CONFIGURATION_INFORMATION; // private typedef struct _MEMORY_PARTITION_TRANSFER_INFORMATION { ULONG_PTR NumberOfPages; ULONG NumaNode; ULONG Flags; } MEMORY_PARTITION_TRANSFER_INFORMATION, *PMEMORY_PARTITION_TRANSFER_INFORMATION; // private typedef struct _MEMORY_PARTITION_PAGEFILE_INFORMATION { UNICODE_STRING PageFileName; LARGE_INTEGER MinimumSize; LARGE_INTEGER MaximumSize; ULONG Flags; } MEMORY_PARTITION_PAGEFILE_INFORMATION, *PMEMORY_PARTITION_PAGEFILE_INFORMATION; // private typedef struct _MEMORY_PARTITION_PAGE_COMBINE_INFORMATION { HANDLE StopHandle; ULONG Flags; ULONG_PTR TotalNumberOfPages; } MEMORY_PARTITION_PAGE_COMBINE_INFORMATION, *PMEMORY_PARTITION_PAGE_COMBINE_INFORMATION; // private typedef struct _MEMORY_PARTITION_PAGE_RANGE { ULONG_PTR StartPage; ULONG_PTR NumberOfPages; } MEMORY_PARTITION_PAGE_RANGE, *PMEMORY_PARTITION_PAGE_RANGE; // private typedef struct _MEMORY_PARTITION_INITIAL_ADD_INFORMATION { ULONG Flags; ULONG NumberOfRanges; ULONG_PTR NumberOfPagesAdded; MEMORY_PARTITION_PAGE_RANGE PartitionRanges[1]; } MEMORY_PARTITION_INITIAL_ADD_INFORMATION, *PMEMORY_PARTITION_INITIAL_ADD_INFORMATION; // private typedef struct _MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION { union { struct { ULONG CommitEvents : 1; ULONG Spare : 31; }; ULONG AllFlags; } Flags; ULONG HandleAttributes; ULONG DesiredAccess; HANDLE LowCommitCondition; // \KernelObjects\LowCommitCondition HANDLE HighCommitCondition; // \KernelObjects\HighCommitCondition HANDLE MaximumCommitCondition; // \KernelObjects\MaximumCommitCondition } MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION, *PMEMORY_PARTITION_MEMORY_EVENTS_INFORMATION; #if (PHNT_MODE != PHNT_MODE_KERNEL) #if (PHNT_VERSION >= PHNT_THRESHOLD) NTSYSCALLAPI NTSTATUS NTAPI NtCreatePartition( _Out_ PHANDLE PartitionHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ ULONG PreferredNode ); NTSYSCALLAPI NTSTATUS NTAPI NtOpenPartition( _Out_ PHANDLE PartitionHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes ); NTSYSCALLAPI NTSTATUS NTAPI NtManagePartition( _In_ MEMORY_PARTITION_INFORMATION_CLASS PartitionInformationClass, _In_ PVOID PartitionInformation, _In_ ULONG PartitionInformationLength ); #endif #endif // User physical pages #if (PHNT_MODE != PHNT_MODE_KERNEL) NTSYSCALLAPI NTSTATUS NTAPI NtMapUserPhysicalPages( _In_ PVOID VirtualAddress, _In_ ULONG_PTR NumberOfPages, _In_reads_opt_(NumberOfPages) PULONG_PTR UserPfnArray ); NTSYSCALLAPI NTSTATUS NTAPI NtMapUserPhysicalPagesScatter( _In_reads_(NumberOfPages) PVOID *VirtualAddresses, _In_ ULONG_PTR NumberOfPages, _In_reads_opt_(NumberOfPages) PULONG_PTR UserPfnArray ); NTSYSCALLAPI NTSTATUS NTAPI NtAllocateUserPhysicalPages( _In_ HANDLE ProcessHandle, _Inout_ PULONG_PTR NumberOfPages, _Out_writes_(*NumberOfPages) PULONG_PTR UserPfnArray ); NTSYSCALLAPI NTSTATUS NTAPI NtFreeUserPhysicalPages( _In_ HANDLE ProcessHandle, _Inout_ PULONG_PTR NumberOfPages, _In_reads_(*NumberOfPages) PULONG_PTR UserPfnArray ); #endif // Sessions #if (PHNT_MODE != PHNT_MODE_KERNEL) #if (PHNT_VERSION >= PHNT_VISTA) NTSYSCALLAPI NTSTATUS NTAPI NtOpenSession( _Out_ PHANDLE SessionHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes ); #endif #endif // Misc. #if (PHNT_MODE != PHNT_MODE_KERNEL) NTSYSCALLAPI NTSTATUS NTAPI NtGetWriteWatch( _In_ HANDLE ProcessHandle, _In_ ULONG Flags, _In_ PVOID BaseAddress, _In_ SIZE_T RegionSize, _Out_writes_(*EntriesInUserAddressArray) PVOID *UserAddressArray, _Inout_ PULONG_PTR EntriesInUserAddressArray, _Out_ PULONG Granularity ); NTSYSCALLAPI NTSTATUS NTAPI NtResetWriteWatch( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ SIZE_T RegionSize ); NTSYSCALLAPI NTSTATUS NTAPI NtCreatePagingFile( _In_ PUNICODE_STRING PageFileName, _In_ PLARGE_INTEGER MinimumSize, _In_ PLARGE_INTEGER MaximumSize, _In_ ULONG Priority ); NTSYSCALLAPI NTSTATUS NTAPI NtFlushInstructionCache( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress, _In_ SIZE_T Length ); NTSYSCALLAPI NTSTATUS NTAPI NtFlushWriteBuffer( VOID ); #endif // Enclave support NTSYSAPI NTSTATUS NTAPI NtCreateEnclave( _In_ HANDLE ProcessHandle, _Inout_ PVOID* BaseAddress, _In_ ULONG_PTR ZeroBits, _In_ SIZE_T Size, _In_ SIZE_T InitialCommitment, _In_ ULONG EnclaveType, _In_reads_bytes_(EnclaveInformationLength) PVOID EnclaveInformation, _In_ ULONG EnclaveInformationLength, _Out_opt_ PULONG EnclaveError ); NTSYSAPI NTSTATUS NTAPI NtLoadEnclaveData( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_reads_bytes_(BufferSize) PVOID Buffer, _In_ SIZE_T BufferSize, _In_ ULONG Protect, _In_reads_bytes_(PageInformationLength) PVOID PageInformation, _In_ ULONG PageInformationLength, _Out_opt_ PSIZE_T NumberOfBytesWritten, _Out_opt_ PULONG EnclaveError ); NTSYSAPI NTSTATUS NTAPI NtInitializeEnclave( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_reads_bytes_(EnclaveInformationLength) PVOID EnclaveInformation, _In_ ULONG EnclaveInformationLength, _Out_opt_ PULONG EnclaveError ); // rev NTSYSAPI NTSTATUS NTAPI NtTerminateEnclave( _In_ PVOID BaseAddress, _In_ BOOLEAN WaitForThread ); #if (PHNT_MODE != PHNT_MODE_KERNEL) // rev NTSYSAPI NTSTATUS NTAPI NtCallEnclave( _In_ PENCLAVE_ROUTINE Routine, _In_ PVOID Parameter, _In_ BOOLEAN WaitForThread, _Out_opt_ PVOID *ReturnValue ); #endif #endif