ch0ic3/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2024-12-23 11:55:26 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
6672ee3eba
MalwareSourceCode/Win32/Proof of Concepts/herpaderping/ext/submodules/phnt/ntmmapi.h
vxunderground 900263ea6f updates and moves 
n/a
2022-04-11 20:00:13 -05:00

1042 lines
26 KiB
C
Raw Blame History

/*
* This file is part of the Process Hacker project - https://processhacker.sourceforge.io/
*
* You can redistribute this file and/or modify it under the terms of the
* Attribution 4.0 International (CC BY 4.0) license.
*
* You must give appropriate credit, provide a link to the license, and
* indicate if changes were made. You may do so in any reasonable manner, but
* not in any way that suggests the licensor endorses you or your use.
*/
#ifndef _NTMMAPI_H
#define _NTMMAPI_H
#if (PHNT_MODE == PHNT_MODE_KERNEL)
// Protection constants
#define PAGE_NOACCESS 0x01
#define PAGE_READONLY 0x02
#define PAGE_READWRITE 0x04
#define PAGE_WRITECOPY 0x08
#define PAGE_EXECUTE 0x10
#define PAGE_EXECUTE_READ 0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80
#define PAGE_GUARD 0x100
#define PAGE_NOCACHE 0x200
#define PAGE_WRITECOMBINE 0x400
#define PAGE_REVERT_TO_FILE_MAP 0x80000000
#define PAGE_ENCLAVE_THREAD_CONTROL 0x80000000
#define PAGE_TARGETS_NO_UPDATE 0x40000000
#define PAGE_TARGETS_INVALID 0x40000000
#define PAGE_ENCLAVE_UNVALIDATED 0x20000000
// Region and section constants
#if (PHNT_MODE != PHNT_MODE_KERNEL)
#define MEM_COMMIT 0x1000
#define MEM_RESERVE 0x2000
#define MEM_DECOMMIT 0x4000
#define MEM_RELEASE 0x8000
#define MEM_FREE 0x10000
#define MEM_PRIVATE 0x20000
#define MEM_MAPPED 0x40000
#define MEM_RESET 0x80000
#define MEM_TOP_DOWN 0x100000
#endif
#define MEM_WRITE_WATCH 0x200000
#define MEM_PHYSICAL 0x400000
#define MEM_ROTATE 0x800000
#define MEM_DIFFERENT_IMAGE_BASE_OK 0x800000
#if (PHNT_MODE != PHNT_MODE_KERNEL)
#define MEM_RESET_UNDO 0x1000000
#endif
#define MEM_LARGE_PAGES 0x20000000
#define MEM_4MB_PAGES 0x80000000
#if (PHNT_MODE != PHNT_MODE_KERNEL)
#define SEC_FILE 0x800000
#endif
#define SEC_IMAGE 0x1000000
#define SEC_PROTECTED_IMAGE 0x2000000
#if (PHNT_MODE != PHNT_MODE_KERNEL)
#define SEC_RESERVE 0x4000000
#define SEC_COMMIT 0x8000000
#endif
#define SEC_NOCACHE 0x10000000
#define SEC_WRITECOMBINE 0x40000000
#define SEC_LARGE_PAGES 0x80000000
#define SEC_IMAGE_NO_EXECUTE (SEC_IMAGE | SEC_NOCACHE)
#define MEM_IMAGE SEC_IMAGE
#endif
#if (PHNT_MODE != PHNT_MODE_KERNEL)
// private
typedef enum _MEMORY_INFORMATION_CLASS
{
MemoryBasicInformation, // MEMORY_BASIC_INFORMATION
MemoryWorkingSetInformation, // MEMORY_WORKING_SET_INFORMATION
MemoryMappedFilenameInformation, // UNICODE_STRING
MemoryRegionInformation, // MEMORY_REGION_INFORMATION
MemoryWorkingSetExInformation, // MEMORY_WORKING_SET_EX_INFORMATION
MemorySharedCommitInformation, // MEMORY_SHARED_COMMIT_INFORMATION
MemoryImageInformation, // MEMORY_IMAGE_INFORMATION
MemoryRegionInformationEx,
MemoryPrivilegedBasicInformation,
MemoryEnclaveImageInformation, // MEMORY_ENCLAVE_IMAGE_INFORMATION // since REDSTONE3
MemoryBasicInformationCapped
} MEMORY_INFORMATION_CLASS;
#else
#define MemoryBasicInformation 0x0
#define MemoryWorkingSetInformation 0x1
#define MemoryMappedFilenameInformation 0x2
#define MemoryRegionInformation 0x3
#define MemoryWorkingSetExInformation 0x4
#define MemorySharedCommitInformation 0x5
#define MemoryImageInformation 0x6
#define MemoryRegionInformationEx 0x7
#define MemoryPrivilegedBasicInformation 0x8
#define MemoryEnclaveImageInformation 0x9
#define MemoryBasicInformationCapped 0xA
#endif
typedef struct _MEMORY_WORKING_SET_BLOCK
{
ULONG_PTR Protection : 5;
ULONG_PTR ShareCount : 3;
ULONG_PTR Shared : 1;
ULONG_PTR Node : 3;
#ifdef _WIN64
ULONG_PTR VirtualPage : 52;
#else
ULONG VirtualPage : 20;
#endif
} MEMORY_WORKING_SET_BLOCK, *PMEMORY_WORKING_SET_BLOCK;
typedef struct _MEMORY_WORKING_SET_INFORMATION
{
ULONG_PTR NumberOfEntries;
MEMORY_WORKING_SET_BLOCK WorkingSetInfo[1];
} MEMORY_WORKING_SET_INFORMATION, *PMEMORY_WORKING_SET_INFORMATION;
// private
typedef struct _MEMORY_REGION_INFORMATION
{
PVOID AllocationBase;
ULONG AllocationProtect;
union
{
ULONG RegionType;
struct
{
ULONG Private : 1;
ULONG MappedDataFile : 1;
ULONG MappedImage : 1;
ULONG MappedPageFile : 1;
ULONG MappedPhysical : 1;
ULONG DirectMapped : 1;
ULONG SoftwareEnclave : 1; // REDSTONE3
ULONG PageSize64K : 1;
ULONG PlaceholderReservation : 1; // REDSTONE4
ULONG Reserved : 23;
};
};
SIZE_T RegionSize;
SIZE_T CommitSize;
ULONG_PTR PartitionId; // 19H1
} MEMORY_REGION_INFORMATION, *PMEMORY_REGION_INFORMATION;
// private
typedef enum _MEMORY_WORKING_SET_EX_LOCATION
{
MemoryLocationInvalid,
MemoryLocationResident,
MemoryLocationPagefile,
MemoryLocationReserved
} MEMORY_WORKING_SET_EX_LOCATION;
// private
typedef struct _MEMORY_WORKING_SET_EX_BLOCK
{
union
{
struct
{
ULONG_PTR Valid : 1;
ULONG_PTR ShareCount : 3;
ULONG_PTR Win32Protection : 11;
ULONG_PTR Shared : 1;
ULONG_PTR Node : 6;
ULONG_PTR Locked : 1;
ULONG_PTR LargePage : 1;
ULONG_PTR Priority : 3;
ULONG_PTR Reserved : 3;
ULONG_PTR SharedOriginal : 1;
ULONG_PTR Bad : 1;
ULONG_PTR Win32GraphicsProtection : 4; // 19H1
#ifdef _WIN64
ULONG_PTR ReservedUlong : 28;
#endif
};
struct
{
ULONG_PTR Valid : 1;
ULONG_PTR Reserved0 : 14;
ULONG_PTR Shared : 1;
ULONG_PTR Reserved1 : 5;
ULONG_PTR PageTable : 1;
ULONG_PTR Location : 2;
ULONG_PTR Priority : 3;
ULONG_PTR ModifiedList : 1;
ULONG_PTR Reserved2 : 2;
ULONG_PTR SharedOriginal : 1;
ULONG_PTR Bad : 1;
#ifdef _WIN64
ULONG_PTR ReservedUlong : 32;
#endif
} Invalid;
};
} MEMORY_WORKING_SET_EX_BLOCK, *PMEMORY_WORKING_SET_EX_BLOCK;
// private
typedef struct _MEMORY_WORKING_SET_EX_INFORMATION
{
PVOID VirtualAddress;
union
{
MEMORY_WORKING_SET_EX_BLOCK VirtualAttributes;
ULONG_PTR Long;
} u1;
} MEMORY_WORKING_SET_EX_INFORMATION, *PMEMORY_WORKING_SET_EX_INFORMATION;
// private
typedef struct _MEMORY_SHARED_COMMIT_INFORMATION
{
SIZE_T CommitSize;
} MEMORY_SHARED_COMMIT_INFORMATION, *PMEMORY_SHARED_COMMIT_INFORMATION;
// private
typedef struct _MEMORY_IMAGE_INFORMATION
{
PVOID ImageBase;
SIZE_T SizeOfImage;
union
{
ULONG ImageFlags;
struct
{
ULONG ImagePartialMap : 1;
ULONG ImageNotExecutable : 1;
ULONG ImageSigningLevel : 4; // REDSTONE3
ULONG Reserved : 26;
};
};
} MEMORY_IMAGE_INFORMATION, *PMEMORY_IMAGE_INFORMATION;
// private
typedef struct _MEMORY_ENCLAVE_IMAGE_INFORMATION
{
MEMORY_IMAGE_INFORMATION ImageInfo;
UCHAR UniqueID[32];
UCHAR AuthorID[32];
} MEMORY_ENCLAVE_IMAGE_INFORMATION, *PMEMORY_ENCLAVE_IMAGE_INFORMATION;
#define MMPFNLIST_ZERO 0
#define MMPFNLIST_FREE 1
#define MMPFNLIST_STANDBY 2
#define MMPFNLIST_MODIFIED 3
#define MMPFNLIST_MODIFIEDNOWRITE 4
#define MMPFNLIST_BAD 5
#define MMPFNLIST_ACTIVE 6
#define MMPFNLIST_TRANSITION 7
//typedef enum _MMLISTS
//{
// ZeroedPageList = 0,
// FreePageList = 1,
// StandbyPageList = 2,
// ModifiedPageList = 3,
// ModifiedNoWritePageList = 4,
// BadPageList = 5,
// ActiveAndValid = 6,
// TransitionPage = 7
//} MMLISTS;
#define MMPFNUSE_PROCESSPRIVATE 0
#define MMPFNUSE_FILE 1
#define MMPFNUSE_PAGEFILEMAPPED 2
#define MMPFNUSE_PAGETABLE 3
#define MMPFNUSE_PAGEDPOOL 4
#define MMPFNUSE_NONPAGEDPOOL 5
#define MMPFNUSE_SYSTEMPTE 6
#define MMPFNUSE_SESSIONPRIVATE 7
#define MMPFNUSE_METAFILE 8
#define MMPFNUSE_AWEPAGE 9
#define MMPFNUSE_DRIVERLOCKPAGE 10
#define MMPFNUSE_KERNELSTACK 11
//typedef enum _MMPFNUSE
//{
// ProcessPrivatePage,
// MemoryMappedFilePage,
// PageFileMappedPage,
// PageTablePage,
// PagedPoolPage,
// NonPagedPoolPage,
// SystemPTEPage,
// SessionPrivatePage,
// MetafilePage,
// AWEPage,
// DriverLockedPage,
// KernelStackPage
//} MMPFNUSE;
// private
typedef struct _MEMORY_FRAME_INFORMATION
{
ULONGLONG UseDescription : 4; // MMPFNUSE_*
ULONGLONG ListDescription : 3; // MMPFNLIST_*
ULONGLONG Cold : 1; // 19H1
ULONGLONG Pinned : 1; // 1 - pinned, 0 - not pinned
ULONGLONG DontUse : 48; // *_INFORMATION overlay
ULONGLONG Priority : 3; // rev
ULONGLONG Reserved : 4; // reserved for future expansion
} MEMORY_FRAME_INFORMATION;
// private
typedef struct _FILEOFFSET_INFORMATION
{
ULONGLONG DontUse : 9; // MEMORY_FRAME_INFORMATION overlay
ULONGLONG Offset : 48; // mapped files
ULONGLONG Reserved : 7; // reserved for future expansion
} FILEOFFSET_INFORMATION;
// private
typedef struct _PAGEDIR_INFORMATION
{
ULONGLONG DontUse : 9; // MEMORY_FRAME_INFORMATION overlay
ULONGLONG PageDirectoryBase : 48; // private pages
ULONGLONG Reserved : 7; // reserved for future expansion
} PAGEDIR_INFORMATION;
// private
typedef struct _UNIQUE_PROCESS_INFORMATION
{
ULONGLONG DontUse : 9; // MEMORY_FRAME_INFORMATION overlay
ULONGLONG UniqueProcessKey : 48; // ProcessId
ULONGLONG Reserved : 7; // reserved for future expansion
} UNIQUE_PROCESS_INFORMATION, *PUNIQUE_PROCESS_INFORMATION;
// private
typedef struct _MMPFN_IDENTITY
{
union
{
MEMORY_FRAME_INFORMATION e1; // all
FILEOFFSET_INFORMATION e2; // mapped files
PAGEDIR_INFORMATION e3; // private pages
UNIQUE_PROCESS_INFORMATION e4; // owning process
} u1;
ULONG_PTR PageFrameIndex; // all
union
{
struct
{
ULONG_PTR Image : 1;
ULONG_PTR Mismatch : 1;
} e1;
struct
{
ULONG_PTR CombinedPage;
} e2;
ULONG_PTR FileObject; // mapped files
ULONG_PTR UniqueFileObjectKey;
ULONG_PTR ProtoPteAddress;
ULONG_PTR VirtualAddress; // everything else
} u2;
} MMPFN_IDENTITY, *PMMPFN_IDENTITY;
typedef struct _MMPFN_MEMSNAP_INFORMATION
{
ULONG_PTR InitialPageFrameIndex;
ULONG_PTR Count;
} MMPFN_MEMSNAP_INFORMATION, *PMMPFN_MEMSNAP_INFORMATION;
typedef enum _SECTION_INFORMATION_CLASS
{
SectionBasicInformation, // q; SECTION_BASIC_INFORMATION
SectionImageInformation, // q; SECTION_IMAGE_INFORMATION
SectionRelocationInformation, // name:wow64:whNtQuerySection_SectionRelocationInformation
SectionOriginalBaseInformation, // PVOID BaseAddress
SectionInternalImageInformation, // SECTION_INTERNAL_IMAGE_INFORMATION // since REDSTONE2
MaxSectionInfoClass
} SECTION_INFORMATION_CLASS;
typedef struct _SECTION_BASIC_INFORMATION
{
PVOID BaseAddress;
ULONG AllocationAttributes;
LARGE_INTEGER MaximumSize;
} SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;
// symbols
typedef struct _SECTION_IMAGE_INFORMATION
{
PVOID TransferAddress;
ULONG ZeroBits;
SIZE_T MaximumStackSize;
SIZE_T CommittedStackSize;
ULONG SubSystemType;
union
{
struct
{
USHORT SubSystemMinorVersion;
USHORT SubSystemMajorVersion;
};
ULONG SubSystemVersion;
};
union
{
struct
{
USHORT MajorOperatingSystemVersion;
USHORT MinorOperatingSystemVersion;
};
ULONG OperatingSystemVersion;
};
USHORT ImageCharacteristics;
USHORT DllCharacteristics;
USHORT Machine;
BOOLEAN ImageContainsCode;
union
{
UCHAR ImageFlags;
struct
{
UCHAR ComPlusNativeReady : 1;
UCHAR ComPlusILOnly : 1;
UCHAR ImageDynamicallyRelocated : 1;
UCHAR ImageMappedFlat : 1;
UCHAR BaseBelow4gb : 1;
UCHAR ComPlusPrefer32bit : 1;
UCHAR Reserved : 2;
};
};
ULONG LoaderFlags;
ULONG ImageFileSize;
ULONG CheckSum;
} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;
// symbols
typedef struct _SECTION_INTERNAL_IMAGE_INFORMATION
{
SECTION_IMAGE_INFORMATION SectionInformation;
union
{
ULONG ExtendedFlags;
struct
{
ULONG ImageExportSuppressionEnabled : 1;
ULONG Reserved : 31;
};
};
} SECTION_INTERNAL_IMAGE_INFORMATION, *PSECTION_INTERNAL_IMAGE_INFORMATION;
#if (PHNT_MODE != PHNT_MODE_KERNEL)
typedef enum _SECTION_INHERIT
{
ViewShare = 1,
ViewUnmap = 2
} SECTION_INHERIT;
#endif
#define SEC_BASED 0x200000
#define SEC_NO_CHANGE 0x400000
#define SEC_GLOBAL 0x20000000
#define MEM_EXECUTE_OPTION_DISABLE 0x1
#define MEM_EXECUTE_OPTION_ENABLE 0x2
#define MEM_EXECUTE_OPTION_DISABLE_THUNK_EMULATION 0x4
#define MEM_EXECUTE_OPTION_PERMANENT 0x8
#define MEM_EXECUTE_OPTION_EXECUTE_DISPATCH_ENABLE 0x10
#define MEM_EXECUTE_OPTION_IMAGE_DISPATCH_ENABLE 0x20
#define MEM_EXECUTE_OPTION_VALID_FLAGS 0x3f
// Virtual memory
#if (PHNT_MODE != PHNT_MODE_KERNEL)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAllocateVirtualMemory(
_In_ HANDLE ProcessHandle,
_Inout_ _At_(*BaseAddress, _Readable_bytes_(*RegionSize) _Writable_bytes_(*RegionSize) _Post_readable_byte_size_(*RegionSize)) PVOID *BaseAddress,
_In_ ULONG_PTR ZeroBits,
_Inout_ PSIZE_T RegionSize,
_In_ ULONG AllocationType,
_In_ ULONG Protect
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtFreeVirtualMemory(
_In_ HANDLE ProcessHandle,
_Inout_ PVOID *BaseAddress,
_Inout_ PSIZE_T RegionSize,
_In_ ULONG FreeType
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtReadVirtualMemory(
_In_ HANDLE ProcessHandle,
_In_opt_ PVOID BaseAddress,
_Out_writes_bytes_(BufferSize) PVOID Buffer,
_In_ SIZE_T BufferSize,
_Out_opt_ PSIZE_T NumberOfBytesRead
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtWriteVirtualMemory(
_In_ HANDLE ProcessHandle,
_In_opt_ PVOID BaseAddress,
_In_reads_bytes_(BufferSize) PVOID Buffer,
_In_ SIZE_T BufferSize,
_Out_opt_ PSIZE_T NumberOfBytesWritten
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtProtectVirtualMemory(
_In_ HANDLE ProcessHandle,
_Inout_ PVOID *BaseAddress,
_Inout_ PSIZE_T RegionSize,
_In_ ULONG NewProtect,
_Out_ PULONG OldProtect
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryVirtualMemory(
_In_ HANDLE ProcessHandle,
_In_opt_ PVOID BaseAddress,
_In_ MEMORY_INFORMATION_CLASS MemoryInformationClass,
_Out_writes_bytes_(MemoryInformationLength) PVOID MemoryInformation,
_In_ SIZE_T MemoryInformationLength,
_Out_opt_ PSIZE_T ReturnLength
);
#endif
// begin_private
#if (PHNT_MODE != PHNT_MODE_KERNEL)
typedef enum _VIRTUAL_MEMORY_INFORMATION_CLASS
{
VmPrefetchInformation, // ULONG
VmPagePriorityInformation,
VmCfgCallTargetInformation, // CFG_CALL_TARGET_LIST_INFORMATION // REDSTONE2
VmPageDirtyStateInformation, // REDSTONE3
VmImageHotPatchInformation // 19H1
} VIRTUAL_MEMORY_INFORMATION_CLASS;
typedef struct _MEMORY_RANGE_ENTRY
{
PVOID VirtualAddress;
SIZE_T NumberOfBytes;
} MEMORY_RANGE_ENTRY, *PMEMORY_RANGE_ENTRY;
typedef struct _CFG_CALL_TARGET_LIST_INFORMATION
{
ULONG NumberOfEntries;
ULONG Reserved;
PULONG NumberOfEntriesProcessed;
PCFG_CALL_TARGET_INFO CallTargetInfo;
PVOID Section; // since REDSTONE5
ULONGLONG FileOffset;
} CFG_CALL_TARGET_LIST_INFORMATION, *PCFG_CALL_TARGET_LIST_INFORMATION;
#endif
// end_private
#if (PHNT_MODE != PHNT_MODE_KERNEL)
#if (PHNT_VERSION >= PHNT_THRESHOLD)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetInformationVirtualMemory(
_In_ HANDLE ProcessHandle,
_In_ VIRTUAL_MEMORY_INFORMATION_CLASS VmInformationClass,
_In_ ULONG_PTR NumberOfEntries,
_In_reads_ (NumberOfEntries) PMEMORY_RANGE_ENTRY VirtualAddresses,
_In_reads_bytes_ (VmInformationLength) PVOID VmInformation,
_In_ ULONG VmInformationLength
);
#endif
#define MAP_PROCESS 1
#define MAP_SYSTEM 2
NTSYSCALLAPI
NTSTATUS
NTAPI
NtLockVirtualMemory(
_In_ HANDLE ProcessHandle,
_Inout_ PVOID *BaseAddress,
_Inout_ PSIZE_T RegionSize,
_In_ ULONG MapType
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtUnlockVirtualMemory(
_In_ HANDLE ProcessHandle,
_Inout_ PVOID *BaseAddress,
_Inout_ PSIZE_T RegionSize,
_In_ ULONG MapType
);
#endif
// Sections
#if (PHNT_MODE != PHNT_MODE_KERNEL)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateSection(
_Out_ PHANDLE SectionHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_opt_ PLARGE_INTEGER MaximumSize,
_In_ ULONG SectionPageProtection,
_In_ ULONG AllocationAttributes,
_In_opt_ HANDLE FileHandle
);
#if (PHNT_VERSION >= PHNT_REDSTONE5)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateSectionEx(
_Out_ PHANDLE SectionHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_opt_ PLARGE_INTEGER MaximumSize,
_In_ ULONG SectionPageProtection,
_In_ ULONG AllocationAttributes,
_In_opt_ HANDLE FileHandle,
_In_ PMEM_EXTENDED_PARAMETER ExtendedParameters,
_In_ ULONG ExtendedParameterCount
);
#endif
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenSection(
_Out_ PHANDLE SectionHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtMapViewOfSection(
_In_ HANDLE SectionHandle,
_In_ HANDLE ProcessHandle,
_Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID *BaseAddress,
_In_ ULONG_PTR ZeroBits,
_In_ SIZE_T CommitSize,
_Inout_opt_ PLARGE_INTEGER SectionOffset,
_Inout_ PSIZE_T ViewSize,
_In_ SECTION_INHERIT InheritDisposition,
_In_ ULONG AllocationType,
_In_ ULONG Win32Protect
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtUnmapViewOfSection(
_In_ HANDLE ProcessHandle,
_In_opt_ PVOID BaseAddress
);
#if (PHNT_VERSION >= PHNT_WIN8)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtUnmapViewOfSectionEx(
_In_ HANDLE ProcessHandle,
_In_opt_ PVOID BaseAddress,
_In_ ULONG Flags
);
#endif
NTSYSCALLAPI
NTSTATUS
NTAPI
NtExtendSection(
_In_ HANDLE SectionHandle,
_Inout_ PLARGE_INTEGER NewSectionSize
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQuerySection(
_In_ HANDLE SectionHandle,
_In_ SECTION_INFORMATION_CLASS SectionInformationClass,
_Out_writes_bytes_(SectionInformationLength) PVOID SectionInformation,
_In_ SIZE_T SectionInformationLength,
_Out_opt_ PSIZE_T ReturnLength
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAreMappedFilesTheSame(
_In_ PVOID File1MappedAsAnImage,
_In_ PVOID File2MappedAsFile
);
#endif
// Partitions
#ifndef MEMORY_PARTITION_QUERY_ACCESS
#define MEMORY_PARTITION_QUERY_ACCESS 0x0001
#define MEMORY_PARTITION_MODIFY_ACCESS 0x0002
#define MEMORY_PARTITION_ALL_ACCESS \
(STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \
MEMORY_PARTITION_QUERY_ACCESS | MEMORY_PARTITION_MODIFY_ACCESS)
#endif
// private
typedef enum _MEMORY_PARTITION_INFORMATION_CLASS
{
SystemMemoryPartitionInformation, // q: MEMORY_PARTITION_CONFIGURATION_INFORMATION
SystemMemoryPartitionMoveMemory, // s: MEMORY_PARTITION_TRANSFER_INFORMATION
SystemMemoryPartitionAddPagefile, // s: MEMORY_PARTITION_PAGEFILE_INFORMATION
SystemMemoryPartitionCombineMemory, // q; s: MEMORY_PARTITION_PAGE_COMBINE_INFORMATION
SystemMemoryPartitionInitialAddMemory, // q; s: MEMORY_PARTITION_INITIAL_ADD_INFORMATION
SystemMemoryPartitionGetMemoryEvents, // MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION // since REDSTONE2
SystemMemoryPartitionMax
} MEMORY_PARTITION_INFORMATION_CLASS;
// private
typedef struct _MEMORY_PARTITION_CONFIGURATION_INFORMATION
{
ULONG Flags;
ULONG NumaNode;
ULONG Channel;
ULONG NumberOfNumaNodes;
ULONG_PTR ResidentAvailablePages;
ULONG_PTR CommittedPages;
ULONG_PTR CommitLimit;
ULONG_PTR PeakCommitment;
ULONG_PTR TotalNumberOfPages;
ULONG_PTR AvailablePages;
ULONG_PTR ZeroPages;
ULONG_PTR FreePages;
ULONG_PTR StandbyPages;
ULONG_PTR StandbyPageCountByPriority[8]; // since REDSTONE2
ULONG_PTR RepurposedPagesByPriority[8];
ULONG_PTR MaximumCommitLimit;
ULONG_PTR DonatedPagesToPartitions;
ULONG PartitionId; // since REDSTONE3
} MEMORY_PARTITION_CONFIGURATION_INFORMATION, *PMEMORY_PARTITION_CONFIGURATION_INFORMATION;
// private
typedef struct _MEMORY_PARTITION_TRANSFER_INFORMATION
{
ULONG_PTR NumberOfPages;
ULONG NumaNode;
ULONG Flags;
} MEMORY_PARTITION_TRANSFER_INFORMATION, *PMEMORY_PARTITION_TRANSFER_INFORMATION;
// private
typedef struct _MEMORY_PARTITION_PAGEFILE_INFORMATION
{
UNICODE_STRING PageFileName;
LARGE_INTEGER MinimumSize;
LARGE_INTEGER MaximumSize;
ULONG Flags;
} MEMORY_PARTITION_PAGEFILE_INFORMATION, *PMEMORY_PARTITION_PAGEFILE_INFORMATION;
// private
typedef struct _MEMORY_PARTITION_PAGE_COMBINE_INFORMATION
{
HANDLE StopHandle;
ULONG Flags;
ULONG_PTR TotalNumberOfPages;
} MEMORY_PARTITION_PAGE_COMBINE_INFORMATION, *PMEMORY_PARTITION_PAGE_COMBINE_INFORMATION;
// private
typedef struct _MEMORY_PARTITION_PAGE_RANGE
{
ULONG_PTR StartPage;
ULONG_PTR NumberOfPages;
} MEMORY_PARTITION_PAGE_RANGE, *PMEMORY_PARTITION_PAGE_RANGE;
// private
typedef struct _MEMORY_PARTITION_INITIAL_ADD_INFORMATION
{
ULONG Flags;
ULONG NumberOfRanges;
ULONG_PTR NumberOfPagesAdded;
MEMORY_PARTITION_PAGE_RANGE PartitionRanges[1];
} MEMORY_PARTITION_INITIAL_ADD_INFORMATION, *PMEMORY_PARTITION_INITIAL_ADD_INFORMATION;
// private
typedef struct _MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION
{
union
{
struct
{
ULONG CommitEvents : 1;
ULONG Spare : 31;
};
ULONG AllFlags;
} Flags;
ULONG HandleAttributes;
ULONG DesiredAccess;
HANDLE LowCommitCondition; // \KernelObjects\LowCommitCondition
HANDLE HighCommitCondition; // \KernelObjects\HighCommitCondition
HANDLE MaximumCommitCondition; // \KernelObjects\MaximumCommitCondition
} MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION, *PMEMORY_PARTITION_MEMORY_EVENTS_INFORMATION;
#if (PHNT_MODE != PHNT_MODE_KERNEL)
#if (PHNT_VERSION >= PHNT_THRESHOLD)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreatePartition(
_Out_ PHANDLE PartitionHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ ULONG PreferredNode
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenPartition(
_Out_ PHANDLE PartitionHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtManagePartition(
_In_ MEMORY_PARTITION_INFORMATION_CLASS PartitionInformationClass,
_In_ PVOID PartitionInformation,
_In_ ULONG PartitionInformationLength
);
#endif
#endif
// User physical pages
#if (PHNT_MODE != PHNT_MODE_KERNEL)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtMapUserPhysicalPages(
_In_ PVOID VirtualAddress,
_In_ ULONG_PTR NumberOfPages,
_In_reads_opt_(NumberOfPages) PULONG_PTR UserPfnArray
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtMapUserPhysicalPagesScatter(
_In_reads_(NumberOfPages) PVOID *VirtualAddresses,
_In_ ULONG_PTR NumberOfPages,
_In_reads_opt_(NumberOfPages) PULONG_PTR UserPfnArray
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAllocateUserPhysicalPages(
_In_ HANDLE ProcessHandle,
_Inout_ PULONG_PTR NumberOfPages,
_Out_writes_(*NumberOfPages) PULONG_PTR UserPfnArray
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtFreeUserPhysicalPages(
_In_ HANDLE ProcessHandle,
_Inout_ PULONG_PTR NumberOfPages,
_In_reads_(*NumberOfPages) PULONG_PTR UserPfnArray
);
#endif
// Sessions
#if (PHNT_MODE != PHNT_MODE_KERNEL)
#if (PHNT_VERSION >= PHNT_VISTA)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenSession(
_Out_ PHANDLE SessionHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes
);
#endif
#endif
// Misc.
#if (PHNT_MODE != PHNT_MODE_KERNEL)
NTSYSCALLAPI
NTSTATUS
NTAPI
NtGetWriteWatch(
_In_ HANDLE ProcessHandle,
_In_ ULONG Flags,
_In_ PVOID BaseAddress,
_In_ SIZE_T RegionSize,
_Out_writes_(*EntriesInUserAddressArray) PVOID *UserAddressArray,
_Inout_ PULONG_PTR EntriesInUserAddressArray,
_Out_ PULONG Granularity
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtResetWriteWatch(
_In_ HANDLE ProcessHandle,
_In_ PVOID BaseAddress,
_In_ SIZE_T RegionSize
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreatePagingFile(
_In_ PUNICODE_STRING PageFileName,
_In_ PLARGE_INTEGER MinimumSize,
_In_ PLARGE_INTEGER MaximumSize,
_In_ ULONG Priority
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtFlushInstructionCache(
_In_ HANDLE ProcessHandle,
_In_opt_ PVOID BaseAddress,
_In_ SIZE_T Length
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtFlushWriteBuffer(
VOID
);
#endif
// Enclave support
NTSYSAPI
NTSTATUS
NTAPI
NtCreateEnclave(
_In_ HANDLE ProcessHandle,
_Inout_ PVOID* BaseAddress,
_In_ ULONG_PTR ZeroBits,
_In_ SIZE_T Size,
_In_ SIZE_T InitialCommitment,
_In_ ULONG EnclaveType,
_In_reads_bytes_(EnclaveInformationLength) PVOID EnclaveInformation,
_In_ ULONG EnclaveInformationLength,
_Out_opt_ PULONG EnclaveError
);
NTSYSAPI
NTSTATUS
NTAPI
NtLoadEnclaveData(
_In_ HANDLE ProcessHandle,
_In_ PVOID BaseAddress,
_In_reads_bytes_(BufferSize) PVOID Buffer,
_In_ SIZE_T BufferSize,
_In_ ULONG Protect,
_In_reads_bytes_(PageInformationLength) PVOID PageInformation,
_In_ ULONG PageInformationLength,
_Out_opt_ PSIZE_T NumberOfBytesWritten,
_Out_opt_ PULONG EnclaveError
);
NTSYSAPI
NTSTATUS
NTAPI
NtInitializeEnclave(
_In_ HANDLE ProcessHandle,
_In_ PVOID BaseAddress,
_In_reads_bytes_(EnclaveInformationLength) PVOID EnclaveInformation,
_In_ ULONG EnclaveInformationLength,
_Out_opt_ PULONG EnclaveError
);
// rev
NTSYSAPI
NTSTATUS
NTAPI
NtTerminateEnclave(
_In_ PVOID BaseAddress,
_In_ BOOLEAN WaitForThread
);
#if (PHNT_MODE != PHNT_MODE_KERNEL)
// rev
NTSYSAPI
NTSTATUS
NTAPI
NtCallEnclave(
_In_ PENCLAVE_ROUTINE Routine,
_In_ PVOID Parameter,
_In_ BOOLEAN WaitForThread,
_Out_opt_ PVOID *ReturnValue
);
#endif
#endif
Reference in New Issue View Git Blame Copy Permalink