mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-23 11:55:26 +00:00
900263ea6f
n/a
8039 lines
150 KiB
C
8039 lines
150 KiB
C
/*
|
|
* This file is part of the Process Hacker project - https://processhacker.sourceforge.io/
|
|
*
|
|
* You can redistribute this file and/or modify it under the terms of the
|
|
* Attribution 4.0 International (CC BY 4.0) license.
|
|
*
|
|
* You must give appropriate credit, provide a link to the license, and
|
|
* indicate if changes were made. You may do so in any reasonable manner, but
|
|
* not in any way that suggests the licensor endorses you or your use.
|
|
*/
|
|
|
|
#ifndef _NTRTL_H
|
|
#define _NTRTL_H
|
|
|
|
#define RtlOffsetToPointer(Base, Offset) ((PCHAR)(((PCHAR)(Base)) + ((ULONG_PTR)(Offset))))
|
|
#define RtlPointerToOffset(Base, Pointer) ((ULONG)(((PCHAR)(Pointer)) - ((PCHAR)(Base))))
|
|
|
|
// Linked lists
|
|
|
|
FORCEINLINE VOID InitializeListHead(
|
|
_Out_ PLIST_ENTRY ListHead
|
|
)
|
|
{
|
|
ListHead->Flink = ListHead->Blink = ListHead;
|
|
}
|
|
|
|
_Check_return_ FORCEINLINE BOOLEAN IsListEmpty(
|
|
_In_ PLIST_ENTRY ListHead
|
|
)
|
|
{
|
|
return ListHead->Flink == ListHead;
|
|
}
|
|
|
|
FORCEINLINE BOOLEAN RemoveEntryList(
|
|
_In_ PLIST_ENTRY Entry
|
|
)
|
|
{
|
|
PLIST_ENTRY Blink;
|
|
PLIST_ENTRY Flink;
|
|
|
|
Flink = Entry->Flink;
|
|
Blink = Entry->Blink;
|
|
Blink->Flink = Flink;
|
|
Flink->Blink = Blink;
|
|
|
|
return Flink == Blink;
|
|
}
|
|
|
|
FORCEINLINE PLIST_ENTRY RemoveHeadList(
|
|
_Inout_ PLIST_ENTRY ListHead
|
|
)
|
|
{
|
|
PLIST_ENTRY Flink;
|
|
PLIST_ENTRY Entry;
|
|
|
|
Entry = ListHead->Flink;
|
|
Flink = Entry->Flink;
|
|
ListHead->Flink = Flink;
|
|
Flink->Blink = ListHead;
|
|
|
|
return Entry;
|
|
}
|
|
|
|
FORCEINLINE PLIST_ENTRY RemoveTailList(
|
|
_Inout_ PLIST_ENTRY ListHead
|
|
)
|
|
{
|
|
PLIST_ENTRY Blink;
|
|
PLIST_ENTRY Entry;
|
|
|
|
Entry = ListHead->Blink;
|
|
Blink = Entry->Blink;
|
|
ListHead->Blink = Blink;
|
|
Blink->Flink = ListHead;
|
|
|
|
return Entry;
|
|
}
|
|
|
|
FORCEINLINE VOID InsertTailList(
|
|
_Inout_ PLIST_ENTRY ListHead,
|
|
_Inout_ PLIST_ENTRY Entry
|
|
)
|
|
{
|
|
PLIST_ENTRY Blink;
|
|
|
|
Blink = ListHead->Blink;
|
|
Entry->Flink = ListHead;
|
|
Entry->Blink = Blink;
|
|
Blink->Flink = Entry;
|
|
ListHead->Blink = Entry;
|
|
}
|
|
|
|
FORCEINLINE VOID InsertHeadList(
|
|
_Inout_ PLIST_ENTRY ListHead,
|
|
_Inout_ PLIST_ENTRY Entry
|
|
)
|
|
{
|
|
PLIST_ENTRY Flink;
|
|
|
|
Flink = ListHead->Flink;
|
|
Entry->Flink = Flink;
|
|
Entry->Blink = ListHead;
|
|
Flink->Blink = Entry;
|
|
ListHead->Flink = Entry;
|
|
}
|
|
|
|
FORCEINLINE VOID AppendTailList(
|
|
_Inout_ PLIST_ENTRY ListHead,
|
|
_Inout_ PLIST_ENTRY ListToAppend
|
|
)
|
|
{
|
|
PLIST_ENTRY ListEnd = ListHead->Blink;
|
|
|
|
ListHead->Blink->Flink = ListToAppend;
|
|
ListHead->Blink = ListToAppend->Blink;
|
|
ListToAppend->Blink->Flink = ListHead;
|
|
ListToAppend->Blink = ListEnd;
|
|
}
|
|
|
|
FORCEINLINE PSINGLE_LIST_ENTRY PopEntryList(
|
|
_Inout_ PSINGLE_LIST_ENTRY ListHead
|
|
)
|
|
{
|
|
PSINGLE_LIST_ENTRY FirstEntry;
|
|
|
|
FirstEntry = ListHead->Next;
|
|
|
|
if (FirstEntry)
|
|
ListHead->Next = FirstEntry->Next;
|
|
|
|
return FirstEntry;
|
|
}
|
|
|
|
FORCEINLINE VOID PushEntryList(
|
|
_Inout_ PSINGLE_LIST_ENTRY ListHead,
|
|
_Inout_ PSINGLE_LIST_ENTRY Entry
|
|
)
|
|
{
|
|
Entry->Next = ListHead->Next;
|
|
ListHead->Next = Entry;
|
|
}
|
|
|
|
// AVL and splay trees
|
|
|
|
typedef enum _TABLE_SEARCH_RESULT
|
|
{
|
|
TableEmptyTree,
|
|
TableFoundNode,
|
|
TableInsertAsLeft,
|
|
TableInsertAsRight
|
|
} TABLE_SEARCH_RESULT;
|
|
|
|
typedef enum _RTL_GENERIC_COMPARE_RESULTS
|
|
{
|
|
GenericLessThan,
|
|
GenericGreaterThan,
|
|
GenericEqual
|
|
} RTL_GENERIC_COMPARE_RESULTS;
|
|
|
|
typedef RTL_GENERIC_COMPARE_RESULTS (NTAPI *PRTL_AVL_COMPARE_ROUTINE)(
|
|
_In_ struct _RTL_AVL_TABLE *Table,
|
|
_In_ PVOID FirstStruct,
|
|
_In_ PVOID SecondStruct
|
|
);
|
|
|
|
typedef PVOID (NTAPI *PRTL_AVL_ALLOCATE_ROUTINE)(
|
|
_In_ struct _RTL_AVL_TABLE *Table,
|
|
_In_ CLONG ByteSize
|
|
);
|
|
|
|
typedef VOID (NTAPI *PRTL_AVL_FREE_ROUTINE)(
|
|
_In_ struct _RTL_AVL_TABLE *Table,
|
|
_In_ _Post_invalid_ PVOID Buffer
|
|
);
|
|
|
|
typedef NTSTATUS (NTAPI *PRTL_AVL_MATCH_FUNCTION)(
|
|
_In_ struct _RTL_AVL_TABLE *Table,
|
|
_In_ PVOID UserData,
|
|
_In_ PVOID MatchData
|
|
);
|
|
|
|
typedef struct _RTL_BALANCED_LINKS
|
|
{
|
|
struct _RTL_BALANCED_LINKS *Parent;
|
|
struct _RTL_BALANCED_LINKS *LeftChild;
|
|
struct _RTL_BALANCED_LINKS *RightChild;
|
|
CHAR Balance;
|
|
UCHAR Reserved[3];
|
|
} RTL_BALANCED_LINKS, *PRTL_BALANCED_LINKS;
|
|
|
|
typedef struct _RTL_AVL_TABLE
|
|
{
|
|
RTL_BALANCED_LINKS BalancedRoot;
|
|
PVOID OrderedPointer;
|
|
ULONG WhichOrderedElement;
|
|
ULONG NumberGenericTableElements;
|
|
ULONG DepthOfTree;
|
|
PRTL_BALANCED_LINKS RestartKey;
|
|
ULONG DeleteCount;
|
|
PRTL_AVL_COMPARE_ROUTINE CompareRoutine;
|
|
PRTL_AVL_ALLOCATE_ROUTINE AllocateRoutine;
|
|
PRTL_AVL_FREE_ROUTINE FreeRoutine;
|
|
PVOID TableContext;
|
|
} RTL_AVL_TABLE, *PRTL_AVL_TABLE;
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlInitializeGenericTableAvl(
|
|
_Out_ PRTL_AVL_TABLE Table,
|
|
_In_ PRTL_AVL_COMPARE_ROUTINE CompareRoutine,
|
|
_In_ PRTL_AVL_ALLOCATE_ROUTINE AllocateRoutine,
|
|
_In_ PRTL_AVL_FREE_ROUTINE FreeRoutine,
|
|
_In_opt_ PVOID TableContext
|
|
);
|
|
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlInsertElementGenericTableAvl(
|
|
_In_ PRTL_AVL_TABLE Table,
|
|
_In_reads_bytes_(BufferSize) PVOID Buffer,
|
|
_In_ CLONG BufferSize,
|
|
_Out_opt_ PBOOLEAN NewElement
|
|
);
|
|
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlInsertElementGenericTableFullAvl(
|
|
_In_ PRTL_AVL_TABLE Table,
|
|
_In_reads_bytes_(BufferSize) PVOID Buffer,
|
|
_In_ CLONG BufferSize,
|
|
_Out_opt_ PBOOLEAN NewElement,
|
|
_In_ PVOID NodeOrParent,
|
|
_In_ TABLE_SEARCH_RESULT SearchResult
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlDeleteElementGenericTableAvl(
|
|
_In_ PRTL_AVL_TABLE Table,
|
|
_In_ PVOID Buffer
|
|
);
|
|
|
|
_Check_return_
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlLookupElementGenericTableAvl(
|
|
_In_ PRTL_AVL_TABLE Table,
|
|
_In_ PVOID Buffer
|
|
);
|
|
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlLookupElementGenericTableFullAvl(
|
|
_In_ PRTL_AVL_TABLE Table,
|
|
_In_ PVOID Buffer,
|
|
_Out_ PVOID *NodeOrParent,
|
|
_Out_ TABLE_SEARCH_RESULT *SearchResult
|
|
);
|
|
|
|
_Check_return_
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlEnumerateGenericTableAvl(
|
|
_In_ PRTL_AVL_TABLE Table,
|
|
_In_ BOOLEAN Restart
|
|
);
|
|
|
|
_Check_return_
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlEnumerateGenericTableWithoutSplayingAvl(
|
|
_In_ PRTL_AVL_TABLE Table,
|
|
_Inout_ PVOID *RestartKey
|
|
);
|
|
|
|
_Check_return_
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlLookupFirstMatchingElementGenericTableAvl(
|
|
_In_ PRTL_AVL_TABLE Table,
|
|
_In_ PVOID Buffer,
|
|
_Out_ PVOID *RestartKey
|
|
);
|
|
|
|
_Check_return_
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlEnumerateGenericTableLikeADirectory(
|
|
_In_ PRTL_AVL_TABLE Table,
|
|
_In_opt_ PRTL_AVL_MATCH_FUNCTION MatchFunction,
|
|
_In_opt_ PVOID MatchData,
|
|
_In_ ULONG NextFlag,
|
|
_Inout_ PVOID *RestartKey,
|
|
_Inout_ PULONG DeleteCount,
|
|
_In_ PVOID Buffer
|
|
);
|
|
|
|
_Check_return_
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlGetElementGenericTableAvl(
|
|
_In_ PRTL_AVL_TABLE Table,
|
|
_In_ ULONG I
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlNumberGenericTableElementsAvl(
|
|
_In_ PRTL_AVL_TABLE Table
|
|
);
|
|
|
|
_Check_return_
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlIsGenericTableEmptyAvl(
|
|
_In_ PRTL_AVL_TABLE Table
|
|
);
|
|
|
|
typedef struct _RTL_SPLAY_LINKS
|
|
{
|
|
struct _RTL_SPLAY_LINKS *Parent;
|
|
struct _RTL_SPLAY_LINKS *LeftChild;
|
|
struct _RTL_SPLAY_LINKS *RightChild;
|
|
} RTL_SPLAY_LINKS, *PRTL_SPLAY_LINKS;
|
|
|
|
#define RtlInitializeSplayLinks(Links) \
|
|
{ \
|
|
PRTL_SPLAY_LINKS _SplayLinks; \
|
|
_SplayLinks = (PRTL_SPLAY_LINKS)(Links); \
|
|
_SplayLinks->Parent = _SplayLinks; \
|
|
_SplayLinks->LeftChild = NULL; \
|
|
_SplayLinks->RightChild = NULL; \
|
|
}
|
|
|
|
#define RtlParent(Links) ((PRTL_SPLAY_LINKS)(Links)->Parent)
|
|
#define RtlLeftChild(Links) ((PRTL_SPLAY_LINKS)(Links)->LeftChild)
|
|
#define RtlRightChild(Links) ((PRTL_SPLAY_LINKS)(Links)->RightChild)
|
|
#define RtlIsRoot(Links) ((RtlParent(Links) == (PRTL_SPLAY_LINKS)(Links)))
|
|
#define RtlIsLeftChild(Links) ((RtlLeftChild(RtlParent(Links)) == (PRTL_SPLAY_LINKS)(Links)))
|
|
#define RtlIsRightChild(Links) ((RtlRightChild(RtlParent(Links)) == (PRTL_SPLAY_LINKS)(Links)))
|
|
|
|
#define RtlInsertAsLeftChild(ParentLinks, ChildLinks) \
|
|
{ \
|
|
PRTL_SPLAY_LINKS _SplayParent; \
|
|
PRTL_SPLAY_LINKS _SplayChild; \
|
|
_SplayParent = (PRTL_SPLAY_LINKS)(ParentLinks); \
|
|
_SplayChild = (PRTL_SPLAY_LINKS)(ChildLinks); \
|
|
_SplayParent->LeftChild = _SplayChild; \
|
|
_SplayChild->Parent = _SplayParent; \
|
|
}
|
|
|
|
#define RtlInsertAsRightChild(ParentLinks, ChildLinks) \
|
|
{ \
|
|
PRTL_SPLAY_LINKS _SplayParent; \
|
|
PRTL_SPLAY_LINKS _SplayChild; \
|
|
_SplayParent = (PRTL_SPLAY_LINKS)(ParentLinks); \
|
|
_SplayChild = (PRTL_SPLAY_LINKS)(ChildLinks); \
|
|
_SplayParent->RightChild = _SplayChild; \
|
|
_SplayChild->Parent = _SplayParent; \
|
|
}
|
|
|
|
NTSYSAPI
|
|
PRTL_SPLAY_LINKS
|
|
NTAPI
|
|
RtlSplay(
|
|
_Inout_ PRTL_SPLAY_LINKS Links
|
|
);
|
|
|
|
NTSYSAPI
|
|
PRTL_SPLAY_LINKS
|
|
NTAPI
|
|
RtlDelete(
|
|
_In_ PRTL_SPLAY_LINKS Links
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlDeleteNoSplay(
|
|
_In_ PRTL_SPLAY_LINKS Links,
|
|
_Inout_ PRTL_SPLAY_LINKS *Root
|
|
);
|
|
|
|
_Check_return_
|
|
NTSYSAPI
|
|
PRTL_SPLAY_LINKS
|
|
NTAPI
|
|
RtlSubtreeSuccessor(
|
|
_In_ PRTL_SPLAY_LINKS Links
|
|
);
|
|
|
|
_Check_return_
|
|
NTSYSAPI
|
|
PRTL_SPLAY_LINKS
|
|
NTAPI
|
|
RtlSubtreePredecessor(
|
|
_In_ PRTL_SPLAY_LINKS Links
|
|
);
|
|
|
|
_Check_return_
|
|
NTSYSAPI
|
|
PRTL_SPLAY_LINKS
|
|
NTAPI
|
|
RtlRealSuccessor(
|
|
_In_ PRTL_SPLAY_LINKS Links
|
|
);
|
|
|
|
_Check_return_
|
|
NTSYSAPI
|
|
PRTL_SPLAY_LINKS
|
|
NTAPI
|
|
RtlRealPredecessor(
|
|
_In_ PRTL_SPLAY_LINKS Links
|
|
);
|
|
|
|
struct _RTL_GENERIC_TABLE;
|
|
|
|
typedef RTL_GENERIC_COMPARE_RESULTS (NTAPI *PRTL_GENERIC_COMPARE_ROUTINE)(
|
|
_In_ struct _RTL_GENERIC_TABLE *Table,
|
|
_In_ PVOID FirstStruct,
|
|
_In_ PVOID SecondStruct
|
|
);
|
|
|
|
typedef PVOID (NTAPI *PRTL_GENERIC_ALLOCATE_ROUTINE)(
|
|
_In_ struct _RTL_GENERIC_TABLE *Table,
|
|
_In_ CLONG ByteSize
|
|
);
|
|
|
|
typedef VOID (NTAPI *PRTL_GENERIC_FREE_ROUTINE)(
|
|
_In_ struct _RTL_GENERIC_TABLE *Table,
|
|
_In_ _Post_invalid_ PVOID Buffer
|
|
);
|
|
|
|
typedef struct _RTL_GENERIC_TABLE
|
|
{
|
|
PRTL_SPLAY_LINKS TableRoot;
|
|
LIST_ENTRY InsertOrderList;
|
|
PLIST_ENTRY OrderedPointer;
|
|
ULONG WhichOrderedElement;
|
|
ULONG NumberGenericTableElements;
|
|
PRTL_GENERIC_COMPARE_ROUTINE CompareRoutine;
|
|
PRTL_GENERIC_ALLOCATE_ROUTINE AllocateRoutine;
|
|
PRTL_GENERIC_FREE_ROUTINE FreeRoutine;
|
|
PVOID TableContext;
|
|
} RTL_GENERIC_TABLE, *PRTL_GENERIC_TABLE;
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlInitializeGenericTable(
|
|
_Out_ PRTL_GENERIC_TABLE Table,
|
|
_In_ PRTL_GENERIC_COMPARE_ROUTINE CompareRoutine,
|
|
_In_ PRTL_GENERIC_ALLOCATE_ROUTINE AllocateRoutine,
|
|
_In_ PRTL_GENERIC_FREE_ROUTINE FreeRoutine,
|
|
_In_opt_ PVOID TableContext
|
|
);
|
|
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlInsertElementGenericTable(
|
|
_In_ PRTL_GENERIC_TABLE Table,
|
|
_In_reads_bytes_(BufferSize) PVOID Buffer,
|
|
_In_ CLONG BufferSize,
|
|
_Out_opt_ PBOOLEAN NewElement
|
|
);
|
|
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlInsertElementGenericTableFull(
|
|
_In_ PRTL_GENERIC_TABLE Table,
|
|
_In_reads_bytes_(BufferSize) PVOID Buffer,
|
|
_In_ CLONG BufferSize,
|
|
_Out_opt_ PBOOLEAN NewElement,
|
|
_In_ PVOID NodeOrParent,
|
|
_In_ TABLE_SEARCH_RESULT SearchResult
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlDeleteElementGenericTable(
|
|
_In_ PRTL_GENERIC_TABLE Table,
|
|
_In_ PVOID Buffer
|
|
);
|
|
|
|
_Check_return_
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlLookupElementGenericTable(
|
|
_In_ PRTL_GENERIC_TABLE Table,
|
|
_In_ PVOID Buffer
|
|
);
|
|
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlLookupElementGenericTableFull(
|
|
_In_ PRTL_GENERIC_TABLE Table,
|
|
_In_ PVOID Buffer,
|
|
_Out_ PVOID *NodeOrParent,
|
|
_Out_ TABLE_SEARCH_RESULT *SearchResult
|
|
);
|
|
|
|
_Check_return_
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlEnumerateGenericTable(
|
|
_In_ PRTL_GENERIC_TABLE Table,
|
|
_In_ BOOLEAN Restart
|
|
);
|
|
|
|
_Check_return_
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlEnumerateGenericTableWithoutSplaying(
|
|
_In_ PRTL_GENERIC_TABLE Table,
|
|
_Inout_ PVOID *RestartKey
|
|
);
|
|
|
|
_Check_return_
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlGetElementGenericTable(
|
|
_In_ PRTL_GENERIC_TABLE Table,
|
|
_In_ ULONG I
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlNumberGenericTableElements(
|
|
_In_ PRTL_GENERIC_TABLE Table
|
|
);
|
|
|
|
_Check_return_
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlIsGenericTableEmpty(
|
|
_In_ PRTL_GENERIC_TABLE Table
|
|
);
|
|
|
|
// RB trees
|
|
|
|
typedef struct _RTL_RB_TREE
|
|
{
|
|
PRTL_BALANCED_NODE Root;
|
|
PRTL_BALANCED_NODE Min;
|
|
} RTL_RB_TREE, *PRTL_RB_TREE;
|
|
|
|
#if (PHNT_VERSION >= PHNT_WIN8)
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlRbInsertNodeEx(
|
|
_In_ PRTL_RB_TREE Tree,
|
|
_In_opt_ PRTL_BALANCED_NODE Parent,
|
|
_In_ BOOLEAN Right,
|
|
_Out_ PRTL_BALANCED_NODE Node
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlRbRemoveNode(
|
|
_In_ PRTL_RB_TREE Tree,
|
|
_In_ PRTL_BALANCED_NODE Node
|
|
);
|
|
|
|
#endif
|
|
|
|
// Hash tables
|
|
|
|
// begin_ntddk
|
|
|
|
#define RTL_HASH_ALLOCATED_HEADER 0x00000001
|
|
#define RTL_HASH_RESERVED_SIGNATURE 0
|
|
|
|
typedef struct _RTL_DYNAMIC_HASH_TABLE_ENTRY
|
|
{
|
|
LIST_ENTRY Linkage;
|
|
ULONG_PTR Signature;
|
|
} RTL_DYNAMIC_HASH_TABLE_ENTRY, *PRTL_DYNAMIC_HASH_TABLE_ENTRY;
|
|
|
|
#define HASH_ENTRY_KEY(x) ((x)->Signature)
|
|
|
|
typedef struct _RTL_DYNAMIC_HASH_TABLE_CONTEXT
|
|
{
|
|
PLIST_ENTRY ChainHead;
|
|
PLIST_ENTRY PrevLinkage;
|
|
ULONG_PTR Signature;
|
|
} RTL_DYNAMIC_HASH_TABLE_CONTEXT, *PRTL_DYNAMIC_HASH_TABLE_CONTEXT;
|
|
|
|
typedef struct _RTL_DYNAMIC_HASH_TABLE_ENUMERATOR
|
|
{
|
|
RTL_DYNAMIC_HASH_TABLE_ENTRY HashEntry;
|
|
PLIST_ENTRY ChainHead;
|
|
ULONG BucketIndex;
|
|
} RTL_DYNAMIC_HASH_TABLE_ENUMERATOR, *PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR;
|
|
|
|
typedef struct _RTL_DYNAMIC_HASH_TABLE
|
|
{
|
|
// Entries initialized at creation.
|
|
ULONG Flags;
|
|
ULONG Shift;
|
|
|
|
// Entries used in bucket computation.
|
|
ULONG TableSize;
|
|
ULONG Pivot;
|
|
ULONG DivisorMask;
|
|
|
|
// Counters.
|
|
ULONG NumEntries;
|
|
ULONG NonEmptyBuckets;
|
|
ULONG NumEnumerators;
|
|
|
|
// The directory. This field is for internal use only.
|
|
PVOID Directory;
|
|
} RTL_DYNAMIC_HASH_TABLE, *PRTL_DYNAMIC_HASH_TABLE;
|
|
|
|
#if (PHNT_VERSION >= PHNT_WIN7)
|
|
|
|
FORCEINLINE
|
|
VOID
|
|
RtlInitHashTableContext(
|
|
_Inout_ PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context
|
|
)
|
|
{
|
|
Context->ChainHead = NULL;
|
|
Context->PrevLinkage = NULL;
|
|
}
|
|
|
|
FORCEINLINE
|
|
VOID
|
|
RtlInitHashTableContextFromEnumerator(
|
|
_Inout_ PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context,
|
|
_In_ PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator
|
|
)
|
|
{
|
|
Context->ChainHead = Enumerator->ChainHead;
|
|
Context->PrevLinkage = Enumerator->HashEntry.Linkage.Blink;
|
|
}
|
|
|
|
FORCEINLINE
|
|
VOID
|
|
RtlReleaseHashTableContext(
|
|
_Inout_ PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context
|
|
)
|
|
{
|
|
UNREFERENCED_PARAMETER(Context);
|
|
return;
|
|
}
|
|
|
|
FORCEINLINE
|
|
ULONG
|
|
RtlTotalBucketsHashTable(
|
|
_In_ PRTL_DYNAMIC_HASH_TABLE HashTable
|
|
)
|
|
{
|
|
return HashTable->TableSize;
|
|
}
|
|
|
|
FORCEINLINE
|
|
ULONG
|
|
RtlNonEmptyBucketsHashTable(
|
|
_In_ PRTL_DYNAMIC_HASH_TABLE HashTable
|
|
)
|
|
{
|
|
return HashTable->NonEmptyBuckets;
|
|
}
|
|
|
|
FORCEINLINE
|
|
ULONG
|
|
RtlEmptyBucketsHashTable(
|
|
_In_ PRTL_DYNAMIC_HASH_TABLE HashTable
|
|
)
|
|
{
|
|
return HashTable->TableSize - HashTable->NonEmptyBuckets;
|
|
}
|
|
|
|
FORCEINLINE
|
|
ULONG
|
|
RtlTotalEntriesHashTable(
|
|
_In_ PRTL_DYNAMIC_HASH_TABLE HashTable
|
|
)
|
|
{
|
|
return HashTable->NumEntries;
|
|
}
|
|
|
|
FORCEINLINE
|
|
ULONG
|
|
RtlActiveEnumeratorsHashTable(
|
|
_In_ PRTL_DYNAMIC_HASH_TABLE HashTable
|
|
)
|
|
{
|
|
return HashTable->NumEnumerators;
|
|
}
|
|
|
|
_Must_inspect_result_
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlCreateHashTable(
|
|
_Inout_ _When_(*HashTable == NULL, __drv_allocatesMem(Mem)) PRTL_DYNAMIC_HASH_TABLE *HashTable,
|
|
_In_ ULONG Shift,
|
|
_In_ _Reserved_ ULONG Flags
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlDeleteHashTable(
|
|
_In_ PRTL_DYNAMIC_HASH_TABLE HashTable
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlInsertEntryHashTable(
|
|
_In_ PRTL_DYNAMIC_HASH_TABLE HashTable,
|
|
_In_ PRTL_DYNAMIC_HASH_TABLE_ENTRY Entry,
|
|
_In_ ULONG_PTR Signature,
|
|
_Inout_opt_ PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlRemoveEntryHashTable(
|
|
_In_ PRTL_DYNAMIC_HASH_TABLE HashTable,
|
|
_In_ PRTL_DYNAMIC_HASH_TABLE_ENTRY Entry,
|
|
_Inout_opt_ PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context
|
|
);
|
|
|
|
_Must_inspect_result_
|
|
NTSYSAPI
|
|
PRTL_DYNAMIC_HASH_TABLE_ENTRY
|
|
NTAPI
|
|
RtlLookupEntryHashTable(
|
|
_In_ PRTL_DYNAMIC_HASH_TABLE HashTable,
|
|
_In_ ULONG_PTR Signature,
|
|
_Out_opt_ PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context
|
|
);
|
|
|
|
_Must_inspect_result_
|
|
NTSYSAPI
|
|
PRTL_DYNAMIC_HASH_TABLE_ENTRY
|
|
NTAPI
|
|
RtlGetNextEntryHashTable(
|
|
_In_ PRTL_DYNAMIC_HASH_TABLE HashTable,
|
|
_In_ PRTL_DYNAMIC_HASH_TABLE_CONTEXT Context
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlInitEnumerationHashTable(
|
|
_In_ PRTL_DYNAMIC_HASH_TABLE HashTable,
|
|
_Out_ PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator
|
|
);
|
|
|
|
_Must_inspect_result_
|
|
NTSYSAPI
|
|
PRTL_DYNAMIC_HASH_TABLE_ENTRY
|
|
NTAPI
|
|
RtlEnumerateEntryHashTable(
|
|
_In_ PRTL_DYNAMIC_HASH_TABLE HashTable,
|
|
_Inout_ PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlEndEnumerationHashTable(
|
|
_In_ PRTL_DYNAMIC_HASH_TABLE HashTable,
|
|
_Inout_ PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlInitWeakEnumerationHashTable(
|
|
_In_ PRTL_DYNAMIC_HASH_TABLE HashTable,
|
|
_Out_ PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator
|
|
);
|
|
|
|
_Must_inspect_result_
|
|
NTSYSAPI
|
|
PRTL_DYNAMIC_HASH_TABLE_ENTRY
|
|
NTAPI
|
|
RtlWeaklyEnumerateEntryHashTable(
|
|
_In_ PRTL_DYNAMIC_HASH_TABLE HashTable,
|
|
_Inout_ PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlEndWeakEnumerationHashTable(
|
|
_In_ PRTL_DYNAMIC_HASH_TABLE HashTable,
|
|
_Inout_ PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlExpandHashTable(
|
|
_In_ PRTL_DYNAMIC_HASH_TABLE HashTable
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlContractHashTable(
|
|
_In_ PRTL_DYNAMIC_HASH_TABLE HashTable
|
|
);
|
|
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_THRESHOLD)
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlInitStrongEnumerationHashTable(
|
|
_In_ PRTL_DYNAMIC_HASH_TABLE HashTable,
|
|
_Out_ PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator
|
|
);
|
|
|
|
_Must_inspect_result_
|
|
NTSYSAPI
|
|
PRTL_DYNAMIC_HASH_TABLE_ENTRY
|
|
NTAPI
|
|
RtlStronglyEnumerateEntryHashTable(
|
|
_In_ PRTL_DYNAMIC_HASH_TABLE HashTable,
|
|
_Inout_ PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlEndStrongEnumerationHashTable(
|
|
_In_ PRTL_DYNAMIC_HASH_TABLE HashTable,
|
|
_Inout_ PRTL_DYNAMIC_HASH_TABLE_ENUMERATOR Enumerator
|
|
);
|
|
|
|
#endif
|
|
|
|
// end_ntddk
|
|
|
|
// Critical sections
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlInitializeCriticalSection(
|
|
_Out_ PRTL_CRITICAL_SECTION CriticalSection
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlInitializeCriticalSectionAndSpinCount(
|
|
_Inout_ PRTL_CRITICAL_SECTION CriticalSection,
|
|
_In_ ULONG SpinCount
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDeleteCriticalSection(
|
|
_Inout_ PRTL_CRITICAL_SECTION CriticalSection
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlEnterCriticalSection(
|
|
_Inout_ PRTL_CRITICAL_SECTION CriticalSection
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlLeaveCriticalSection(
|
|
_Inout_ PRTL_CRITICAL_SECTION CriticalSection
|
|
);
|
|
|
|
NTSYSAPI
|
|
LOGICAL
|
|
NTAPI
|
|
RtlTryEnterCriticalSection(
|
|
_Inout_ PRTL_CRITICAL_SECTION CriticalSection
|
|
);
|
|
|
|
NTSYSAPI
|
|
LOGICAL
|
|
NTAPI
|
|
RtlIsCriticalSectionLocked(
|
|
_In_ PRTL_CRITICAL_SECTION CriticalSection
|
|
);
|
|
|
|
NTSYSAPI
|
|
LOGICAL
|
|
NTAPI
|
|
RtlIsCriticalSectionLockedByThread(
|
|
_In_ PRTL_CRITICAL_SECTION CriticalSection
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlGetCriticalSectionRecursionCount(
|
|
_In_ PRTL_CRITICAL_SECTION CriticalSection
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlSetCriticalSectionSpinCount(
|
|
_Inout_ PRTL_CRITICAL_SECTION CriticalSection,
|
|
_In_ ULONG SpinCount
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
// private
|
|
NTSYSAPI
|
|
HANDLE
|
|
NTAPI
|
|
RtlQueryCriticalSectionOwner(
|
|
_In_ HANDLE EventHandle
|
|
);
|
|
#endif
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlCheckForOrphanedCriticalSections(
|
|
_In_ HANDLE ThreadHandle
|
|
);
|
|
|
|
// Resources
|
|
|
|
typedef struct _RTL_RESOURCE
|
|
{
|
|
RTL_CRITICAL_SECTION CriticalSection;
|
|
|
|
HANDLE SharedSemaphore;
|
|
volatile ULONG NumberOfWaitingShared;
|
|
HANDLE ExclusiveSemaphore;
|
|
volatile ULONG NumberOfWaitingExclusive;
|
|
|
|
volatile LONG NumberOfActive; // negative: exclusive acquire; zero: not acquired; positive: shared acquire(s)
|
|
HANDLE ExclusiveOwnerThread;
|
|
|
|
ULONG Flags; // RTL_RESOURCE_FLAG_*
|
|
|
|
PRTL_RESOURCE_DEBUG DebugInfo;
|
|
} RTL_RESOURCE, *PRTL_RESOURCE;
|
|
|
|
#define RTL_RESOURCE_FLAG_LONG_TERM ((ULONG)0x00000001)
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlInitializeResource(
|
|
_Out_ PRTL_RESOURCE Resource
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlDeleteResource(
|
|
_Inout_ PRTL_RESOURCE Resource
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlAcquireResourceShared(
|
|
_Inout_ PRTL_RESOURCE Resource,
|
|
_In_ BOOLEAN Wait
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlAcquireResourceExclusive(
|
|
_Inout_ PRTL_RESOURCE Resource,
|
|
_In_ BOOLEAN Wait
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlReleaseResource(
|
|
_Inout_ PRTL_RESOURCE Resource
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlConvertSharedToExclusive(
|
|
_Inout_ PRTL_RESOURCE Resource
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlConvertExclusiveToShared(
|
|
_Inout_ PRTL_RESOURCE Resource
|
|
);
|
|
|
|
// Slim reader-writer locks, condition variables, and barriers
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
|
|
// winbase:InitializeSRWLock
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlInitializeSRWLock(
|
|
_Out_ PRTL_SRWLOCK SRWLock
|
|
);
|
|
|
|
// winbase:AcquireSRWLockExclusive
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlAcquireSRWLockExclusive(
|
|
_Inout_ PRTL_SRWLOCK SRWLock
|
|
);
|
|
|
|
// winbase:AcquireSRWLockShared
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlAcquireSRWLockShared(
|
|
_Inout_ PRTL_SRWLOCK SRWLock
|
|
);
|
|
|
|
// winbase:ReleaseSRWLockExclusive
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlReleaseSRWLockExclusive(
|
|
_Inout_ PRTL_SRWLOCK SRWLock
|
|
);
|
|
|
|
// winbase:ReleaseSRWLockShared
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlReleaseSRWLockShared(
|
|
_Inout_ PRTL_SRWLOCK SRWLock
|
|
);
|
|
|
|
// winbase:TryAcquireSRWLockExclusive
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlTryAcquireSRWLockExclusive(
|
|
_Inout_ PRTL_SRWLOCK SRWLock
|
|
);
|
|
|
|
// winbase:TryAcquireSRWLockShared
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlTryAcquireSRWLockShared(
|
|
_Inout_ PRTL_SRWLOCK SRWLock
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_WIN7)
|
|
// rev
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlAcquireReleaseSRWLockExclusive(
|
|
_Inout_ PRTL_SRWLOCK SRWLock
|
|
);
|
|
#endif
|
|
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
|
|
// winbase:InitializeConditionVariable
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlInitializeConditionVariable(
|
|
_Out_ PRTL_CONDITION_VARIABLE ConditionVariable
|
|
);
|
|
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSleepConditionVariableCS(
|
|
_Inout_ PRTL_CONDITION_VARIABLE ConditionVariable,
|
|
_Inout_ PRTL_CRITICAL_SECTION CriticalSection,
|
|
_In_opt_ PLARGE_INTEGER Timeout
|
|
);
|
|
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSleepConditionVariableSRW(
|
|
_Inout_ PRTL_CONDITION_VARIABLE ConditionVariable,
|
|
_Inout_ PRTL_SRWLOCK SRWLock,
|
|
_In_opt_ PLARGE_INTEGER Timeout,
|
|
_In_ ULONG Flags
|
|
);
|
|
|
|
// winbase:WakeConditionVariable
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlWakeConditionVariable(
|
|
_Inout_ PRTL_CONDITION_VARIABLE ConditionVariable
|
|
);
|
|
|
|
// winbase:WakeAllConditionVariable
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlWakeAllConditionVariable(
|
|
_Inout_ PRTL_CONDITION_VARIABLE ConditionVariable
|
|
);
|
|
|
|
#endif
|
|
|
|
// begin_rev
|
|
#define RTL_BARRIER_FLAGS_SPIN_ONLY 0x00000001 // never block on event - always spin
|
|
#define RTL_BARRIER_FLAGS_BLOCK_ONLY 0x00000002 // always block on event - never spin
|
|
#define RTL_BARRIER_FLAGS_NO_DELETE 0x00000004 // use if barrier will never be deleted
|
|
// end_rev
|
|
|
|
// begin_private
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlInitBarrier(
|
|
_Out_ PRTL_BARRIER Barrier,
|
|
_In_ ULONG TotalThreads,
|
|
_In_ ULONG SpinCount
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDeleteBarrier(
|
|
_In_ PRTL_BARRIER Barrier
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlBarrier(
|
|
_Inout_ PRTL_BARRIER Barrier,
|
|
_In_ ULONG Flags
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlBarrierForDelete(
|
|
_Inout_ PRTL_BARRIER Barrier,
|
|
_In_ ULONG Flags
|
|
);
|
|
|
|
#endif
|
|
|
|
// end_private
|
|
|
|
// Wait on address
|
|
|
|
// begin_rev
|
|
|
|
#if (PHNT_VERSION >= PHNT_WIN8)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlWaitOnAddress(
|
|
_In_ volatile VOID *Address,
|
|
_In_ PVOID CompareAddress,
|
|
_In_ SIZE_T AddressSize,
|
|
_In_opt_ PLARGE_INTEGER Timeout
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlWakeAddressAll(
|
|
_In_ PVOID Address
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlWakeAddressSingle(
|
|
_In_ PVOID Address
|
|
);
|
|
|
|
#endif
|
|
|
|
// end_rev
|
|
|
|
// Strings
|
|
|
|
#ifndef PHNT_NO_INLINE_INIT_STRING
|
|
FORCEINLINE VOID RtlInitString(
|
|
_Out_ PSTRING DestinationString,
|
|
_In_opt_ PCSTR SourceString
|
|
)
|
|
{
|
|
if (SourceString)
|
|
DestinationString->MaximumLength = (DestinationString->Length = (USHORT)strlen(SourceString)) + 1;
|
|
else
|
|
DestinationString->MaximumLength = DestinationString->Length = 0;
|
|
|
|
DestinationString->Buffer = (PCHAR)SourceString;
|
|
}
|
|
#else
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlInitString(
|
|
_Out_ PSTRING DestinationString,
|
|
_In_opt_ PCSTR SourceString
|
|
);
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_THRESHOLD)
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlInitStringEx(
|
|
_Out_ PSTRING DestinationString,
|
|
_In_opt_z_ PCSZ SourceString
|
|
);
|
|
#endif
|
|
|
|
#ifndef PHNT_NO_INLINE_INIT_STRING
|
|
FORCEINLINE VOID RtlInitAnsiString(
|
|
_Out_ PANSI_STRING DestinationString,
|
|
_In_opt_ PCSTR SourceString
|
|
)
|
|
{
|
|
if (SourceString)
|
|
DestinationString->MaximumLength = (DestinationString->Length = (USHORT)strlen(SourceString)) + 1;
|
|
else
|
|
DestinationString->MaximumLength = DestinationString->Length = 0;
|
|
|
|
DestinationString->Buffer = (PCHAR)SourceString;
|
|
}
|
|
#else
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlInitAnsiString(
|
|
_Out_ PANSI_STRING DestinationString,
|
|
_In_opt_ PCSTR SourceString
|
|
);
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_WS03)
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlInitAnsiStringEx(
|
|
_Out_ PANSI_STRING DestinationString,
|
|
_In_opt_z_ PCSZ SourceString
|
|
);
|
|
#endif
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlFreeAnsiString(
|
|
_In_ PANSI_STRING AnsiString
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlFreeOemString(
|
|
_In_ POEM_STRING OemString
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlCopyString(
|
|
_In_ PSTRING DestinationString,
|
|
_In_opt_ PSTRING SourceString
|
|
);
|
|
|
|
NTSYSAPI
|
|
CHAR
|
|
NTAPI
|
|
RtlUpperChar(
|
|
_In_ CHAR Character
|
|
);
|
|
|
|
_Must_inspect_result_
|
|
NTSYSAPI
|
|
LONG
|
|
NTAPI
|
|
RtlCompareString(
|
|
_In_ PSTRING String1,
|
|
_In_ PSTRING String2,
|
|
_In_ BOOLEAN CaseInSensitive
|
|
);
|
|
|
|
_Must_inspect_result_
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlEqualString(
|
|
_In_ PSTRING String1,
|
|
_In_ PSTRING String2,
|
|
_In_ BOOLEAN CaseInSensitive
|
|
);
|
|
|
|
_Must_inspect_result_
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlPrefixString(
|
|
_In_ PSTRING String1,
|
|
_In_ PSTRING String2,
|
|
_In_ BOOLEAN CaseInSensitive
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlAppendStringToString(
|
|
_In_ PSTRING Destination,
|
|
_In_ PSTRING Source
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlAppendAsciizToString(
|
|
_In_ PSTRING Destination,
|
|
_In_opt_ PCSTR Source
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlUpperString(
|
|
_In_ PSTRING DestinationString,
|
|
_In_ PSTRING SourceString
|
|
);
|
|
|
|
FORCEINLINE
|
|
BOOLEAN
|
|
RtlIsNullOrEmptyUnicodeString(
|
|
_In_opt_ PUNICODE_STRING String
|
|
)
|
|
{
|
|
return !String || String->Length == 0;
|
|
}
|
|
|
|
FORCEINLINE
|
|
VOID
|
|
NTAPI
|
|
RtlInitEmptyUnicodeString(
|
|
_Out_ PUNICODE_STRING DestinationString,
|
|
_In_opt_ PWCHAR Buffer,
|
|
_In_ USHORT MaximumLength
|
|
)
|
|
{
|
|
DestinationString->Buffer = Buffer;
|
|
DestinationString->MaximumLength = MaximumLength;
|
|
DestinationString->Length = 0;
|
|
}
|
|
|
|
#ifndef PHNT_NO_INLINE_INIT_STRING
|
|
FORCEINLINE VOID RtlInitUnicodeString(
|
|
_Out_ PUNICODE_STRING DestinationString,
|
|
_In_opt_ PCWSTR SourceString
|
|
)
|
|
{
|
|
if (SourceString)
|
|
DestinationString->MaximumLength = (DestinationString->Length = (USHORT)(wcslen(SourceString) * sizeof(WCHAR))) + sizeof(UNICODE_NULL);
|
|
else
|
|
DestinationString->MaximumLength = DestinationString->Length = 0;
|
|
|
|
DestinationString->Buffer = (PWCH)SourceString;
|
|
}
|
|
#else
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlInitUnicodeString(
|
|
_Out_ PUNICODE_STRING DestinationString,
|
|
_In_opt_ PCWSTR SourceString
|
|
);
|
|
#endif
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlInitUnicodeStringEx(
|
|
_Out_ PUNICODE_STRING DestinationString,
|
|
_In_opt_ PCWSTR SourceString
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlCreateUnicodeString(
|
|
_Out_ PUNICODE_STRING DestinationString,
|
|
_In_ PCWSTR SourceString
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlCreateUnicodeStringFromAsciiz(
|
|
_Out_ PUNICODE_STRING DestinationString,
|
|
_In_ PCSTR SourceString
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlFreeUnicodeString(
|
|
_In_ PUNICODE_STRING UnicodeString
|
|
);
|
|
|
|
#define RTL_DUPLICATE_UNICODE_STRING_NULL_TERMINATE (0x00000001)
|
|
#define RTL_DUPLICATE_UNICODE_STRING_ALLOCATE_NULL_STRING (0x00000002)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDuplicateUnicodeString(
|
|
_In_ ULONG Flags,
|
|
_In_ PUNICODE_STRING StringIn,
|
|
_Out_ PUNICODE_STRING StringOut
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlCopyUnicodeString(
|
|
_In_ PUNICODE_STRING DestinationString,
|
|
_In_ PUNICODE_STRING SourceString
|
|
);
|
|
|
|
NTSYSAPI
|
|
WCHAR
|
|
NTAPI
|
|
RtlUpcaseUnicodeChar(
|
|
_In_ WCHAR SourceCharacter
|
|
);
|
|
|
|
NTSYSAPI
|
|
WCHAR
|
|
NTAPI
|
|
RtlDowncaseUnicodeChar(
|
|
_In_ WCHAR SourceCharacter
|
|
);
|
|
|
|
_Must_inspect_result_
|
|
NTSYSAPI
|
|
LONG
|
|
NTAPI
|
|
RtlCompareUnicodeString(
|
|
_In_ PUNICODE_STRING String1,
|
|
_In_ PUNICODE_STRING String2,
|
|
_In_ BOOLEAN CaseInSensitive
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
_Must_inspect_result_
|
|
NTSYSAPI
|
|
LONG
|
|
NTAPI
|
|
RtlCompareUnicodeStrings(
|
|
_In_reads_(String1Length) PCWCH String1,
|
|
_In_ SIZE_T String1Length,
|
|
_In_reads_(String2Length) PCWCH String2,
|
|
_In_ SIZE_T String2Length,
|
|
_In_ BOOLEAN CaseInSensitive
|
|
);
|
|
#endif
|
|
|
|
_Must_inspect_result_
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlEqualUnicodeString(
|
|
_In_ PUNICODE_STRING String1,
|
|
_In_ PUNICODE_STRING String2,
|
|
_In_ BOOLEAN CaseInSensitive
|
|
);
|
|
|
|
#define HASH_STRING_ALGORITHM_DEFAULT 0
|
|
#define HASH_STRING_ALGORITHM_X65599 1
|
|
#define HASH_STRING_ALGORITHM_INVALID 0xffffffff
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlHashUnicodeString(
|
|
_In_ PUNICODE_STRING String,
|
|
_In_ BOOLEAN CaseInSensitive,
|
|
_In_ ULONG HashAlgorithm,
|
|
_Out_ PULONG HashValue
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlValidateUnicodeString(
|
|
_In_ ULONG Flags,
|
|
_In_ PUNICODE_STRING String
|
|
);
|
|
|
|
_Must_inspect_result_
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlPrefixUnicodeString(
|
|
_In_ PUNICODE_STRING String1,
|
|
_In_ PUNICODE_STRING String2,
|
|
_In_ BOOLEAN CaseInSensitive
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_THRESHOLD)
|
|
_Must_inspect_result_
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlSuffixUnicodeString(
|
|
_In_ PUNICODE_STRING String1,
|
|
_In_ PUNICODE_STRING String2,
|
|
_In_ BOOLEAN CaseInSensitive
|
|
);
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_THRESHOLD)
|
|
_Must_inspect_result_
|
|
NTSYSAPI
|
|
PWCHAR
|
|
NTAPI
|
|
RtlFindUnicodeSubstring(
|
|
_In_ PUNICODE_STRING FullString,
|
|
_In_ PUNICODE_STRING SearchString,
|
|
_In_ BOOLEAN CaseInSensitive
|
|
);
|
|
#endif
|
|
|
|
#define RTL_FIND_CHAR_IN_UNICODE_STRING_START_AT_END 0x00000001
|
|
#define RTL_FIND_CHAR_IN_UNICODE_STRING_COMPLEMENT_CHAR_SET 0x00000002
|
|
#define RTL_FIND_CHAR_IN_UNICODE_STRING_CASE_INSENSITIVE 0x00000004
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlFindCharInUnicodeString(
|
|
_In_ ULONG Flags,
|
|
_In_ PUNICODE_STRING StringToSearch,
|
|
_In_ PUNICODE_STRING CharSet,
|
|
_Out_ PUSHORT NonInclusivePrefixLength
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlAppendUnicodeStringToString(
|
|
_In_ PUNICODE_STRING Destination,
|
|
_In_ PUNICODE_STRING Source
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlAppendUnicodeToString(
|
|
_In_ PUNICODE_STRING Destination,
|
|
_In_opt_ PCWSTR Source
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlUpcaseUnicodeString(
|
|
_Inout_ PUNICODE_STRING DestinationString,
|
|
_In_ PUNICODE_STRING SourceString,
|
|
_In_ BOOLEAN AllocateDestinationString
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDowncaseUnicodeString(
|
|
_Inout_ PUNICODE_STRING DestinationString,
|
|
_In_ PUNICODE_STRING SourceString,
|
|
_In_ BOOLEAN AllocateDestinationString
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlEraseUnicodeString(
|
|
_Inout_ PUNICODE_STRING String
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlAnsiStringToUnicodeString(
|
|
_Inout_ PUNICODE_STRING DestinationString,
|
|
_In_ PANSI_STRING SourceString,
|
|
_In_ BOOLEAN AllocateDestinationString
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlUnicodeStringToAnsiString(
|
|
_Inout_ PANSI_STRING DestinationString,
|
|
_In_ PUNICODE_STRING SourceString,
|
|
_In_ BOOLEAN AllocateDestinationString
|
|
);
|
|
|
|
NTSYSAPI
|
|
WCHAR
|
|
NTAPI
|
|
RtlAnsiCharToUnicodeChar(
|
|
_Inout_ PUCHAR *SourceCharacter
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlUpcaseUnicodeStringToAnsiString(
|
|
_Inout_ PANSI_STRING DestinationString,
|
|
_In_ PUNICODE_STRING SourceString,
|
|
_In_ BOOLEAN AllocateDestinationString
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlOemStringToUnicodeString(
|
|
_Inout_ PUNICODE_STRING DestinationString,
|
|
_In_ POEM_STRING SourceString,
|
|
_In_ BOOLEAN AllocateDestinationString
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlUnicodeStringToOemString(
|
|
_Inout_ POEM_STRING DestinationString,
|
|
_In_ PUNICODE_STRING SourceString,
|
|
_In_ BOOLEAN AllocateDestinationString
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlUpcaseUnicodeStringToOemString(
|
|
_Inout_ POEM_STRING DestinationString,
|
|
_In_ PUNICODE_STRING SourceString,
|
|
_In_ BOOLEAN AllocateDestinationString
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlUnicodeStringToCountedOemString(
|
|
_Inout_ POEM_STRING DestinationString,
|
|
_In_ PUNICODE_STRING SourceString,
|
|
_In_ BOOLEAN AllocateDestinationString
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlUpcaseUnicodeStringToCountedOemString(
|
|
_Inout_ POEM_STRING DestinationString,
|
|
_In_ PUNICODE_STRING SourceString,
|
|
_In_ BOOLEAN AllocateDestinationString
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlMultiByteToUnicodeN(
|
|
_Out_writes_bytes_to_(MaxBytesInUnicodeString, *BytesInUnicodeString) PWCH UnicodeString,
|
|
_In_ ULONG MaxBytesInUnicodeString,
|
|
_Out_opt_ PULONG BytesInUnicodeString,
|
|
_In_reads_bytes_(BytesInMultiByteString) PCSTR MultiByteString,
|
|
_In_ ULONG BytesInMultiByteString
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlMultiByteToUnicodeSize(
|
|
_Out_ PULONG BytesInUnicodeString,
|
|
_In_reads_bytes_(BytesInMultiByteString) PCSTR MultiByteString,
|
|
_In_ ULONG BytesInMultiByteString
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlUnicodeToMultiByteN(
|
|
_Out_writes_bytes_to_(MaxBytesInMultiByteString, *BytesInMultiByteString) PCHAR MultiByteString,
|
|
_In_ ULONG MaxBytesInMultiByteString,
|
|
_Out_opt_ PULONG BytesInMultiByteString,
|
|
_In_reads_bytes_(BytesInUnicodeString) PCWCH UnicodeString,
|
|
_In_ ULONG BytesInUnicodeString
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlUnicodeToMultiByteSize(
|
|
_Out_ PULONG BytesInMultiByteString,
|
|
_In_reads_bytes_(BytesInUnicodeString) PCWCH UnicodeString,
|
|
_In_ ULONG BytesInUnicodeString
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlUpcaseUnicodeToMultiByteN(
|
|
_Out_writes_bytes_to_(MaxBytesInMultiByteString, *BytesInMultiByteString) PCHAR MultiByteString,
|
|
_In_ ULONG MaxBytesInMultiByteString,
|
|
_Out_opt_ PULONG BytesInMultiByteString,
|
|
_In_reads_bytes_(BytesInUnicodeString) PCWCH UnicodeString,
|
|
_In_ ULONG BytesInUnicodeString
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlOemToUnicodeN(
|
|
_Out_writes_bytes_to_(MaxBytesInUnicodeString, *BytesInUnicodeString) PWSTR UnicodeString,
|
|
_In_ ULONG MaxBytesInUnicodeString,
|
|
_Out_opt_ PULONG BytesInUnicodeString,
|
|
_In_reads_bytes_(BytesInOemString) PCCH OemString,
|
|
_In_ ULONG BytesInOemString
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlUnicodeToOemN(
|
|
_Out_writes_bytes_to_(MaxBytesInOemString, *BytesInOemString) PCHAR OemString,
|
|
_In_ ULONG MaxBytesInOemString,
|
|
_Out_opt_ PULONG BytesInOemString,
|
|
_In_reads_bytes_(BytesInUnicodeString) PCWCH UnicodeString,
|
|
_In_ ULONG BytesInUnicodeString
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlUpcaseUnicodeToOemN(
|
|
_Out_writes_bytes_to_(MaxBytesInOemString, *BytesInOemString) PCHAR OemString,
|
|
_In_ ULONG MaxBytesInOemString,
|
|
_Out_opt_ PULONG BytesInOemString,
|
|
_In_reads_bytes_(BytesInUnicodeString) PCWCH UnicodeString,
|
|
_In_ ULONG BytesInUnicodeString
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlConsoleMultiByteToUnicodeN(
|
|
_Out_writes_bytes_to_(MaxBytesInUnicodeString, *BytesInUnicodeString) PWCH UnicodeString,
|
|
_In_ ULONG MaxBytesInUnicodeString,
|
|
_Out_opt_ PULONG BytesInUnicodeString,
|
|
_In_reads_bytes_(BytesInMultiByteString) PCCH MultiByteString,
|
|
_In_ ULONG BytesInMultiByteString,
|
|
_Out_ PULONG pdwSpecialChar
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_WIN7)
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlUTF8ToUnicodeN(
|
|
_Out_writes_bytes_to_(UnicodeStringMaxByteCount, *UnicodeStringActualByteCount) PWSTR UnicodeStringDestination,
|
|
_In_ ULONG UnicodeStringMaxByteCount,
|
|
_Out_ PULONG UnicodeStringActualByteCount,
|
|
_In_reads_bytes_(UTF8StringByteCount) PCCH UTF8StringSource,
|
|
_In_ ULONG UTF8StringByteCount
|
|
);
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_WIN7)
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlUnicodeToUTF8N(
|
|
_Out_writes_bytes_to_(UTF8StringMaxByteCount, *UTF8StringActualByteCount) PCHAR UTF8StringDestination,
|
|
_In_ ULONG UTF8StringMaxByteCount,
|
|
_Out_ PULONG UTF8StringActualByteCount,
|
|
_In_reads_bytes_(UnicodeStringByteCount) PCWCH UnicodeStringSource,
|
|
_In_ ULONG UnicodeStringByteCount
|
|
);
|
|
#endif
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCustomCPToUnicodeN(
|
|
_In_ PCPTABLEINFO CustomCP,
|
|
_Out_writes_bytes_to_(MaxBytesInUnicodeString, *BytesInUnicodeString) PWCH UnicodeString,
|
|
_In_ ULONG MaxBytesInUnicodeString,
|
|
_Out_opt_ PULONG BytesInUnicodeString,
|
|
_In_reads_bytes_(BytesInCustomCPString) PCH CustomCPString,
|
|
_In_ ULONG BytesInCustomCPString
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlUnicodeToCustomCPN(
|
|
_In_ PCPTABLEINFO CustomCP,
|
|
_Out_writes_bytes_to_(MaxBytesInCustomCPString, *BytesInCustomCPString) PCH CustomCPString,
|
|
_In_ ULONG MaxBytesInCustomCPString,
|
|
_Out_opt_ PULONG BytesInCustomCPString,
|
|
_In_reads_bytes_(BytesInUnicodeString) PWCH UnicodeString,
|
|
_In_ ULONG BytesInUnicodeString
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlUpcaseUnicodeToCustomCPN(
|
|
_In_ PCPTABLEINFO CustomCP,
|
|
_Out_writes_bytes_to_(MaxBytesInCustomCPString, *BytesInCustomCPString) PCH CustomCPString,
|
|
_In_ ULONG MaxBytesInCustomCPString,
|
|
_Out_opt_ PULONG BytesInCustomCPString,
|
|
_In_reads_bytes_(BytesInUnicodeString) PWCH UnicodeString,
|
|
_In_ ULONG BytesInUnicodeString
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlInitCodePageTable(
|
|
_In_ PUSHORT TableBase,
|
|
_Out_ PCPTABLEINFO CodePageTable
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlInitNlsTables(
|
|
_In_ PUSHORT AnsiNlsBase,
|
|
_In_ PUSHORT OemNlsBase,
|
|
_In_ PUSHORT LanguageNlsBase,
|
|
_Out_ PNLSTABLEINFO TableInfo // PCPTABLEINFO?
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlResetRtlTranslations(
|
|
_In_ PNLSTABLEINFO TableInfo
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlIsTextUnicode(
|
|
_In_ PVOID Buffer,
|
|
_In_ ULONG Size,
|
|
_Inout_opt_ PULONG Result
|
|
);
|
|
|
|
typedef enum _RTL_NORM_FORM
|
|
{
|
|
NormOther = 0x0,
|
|
NormC = 0x1,
|
|
NormD = 0x2,
|
|
NormKC = 0x5,
|
|
NormKD = 0x6,
|
|
NormIdna = 0xd,
|
|
DisallowUnassigned = 0x100,
|
|
NormCDisallowUnassigned = 0x101,
|
|
NormDDisallowUnassigned = 0x102,
|
|
NormKCDisallowUnassigned = 0x105,
|
|
NormKDDisallowUnassigned = 0x106,
|
|
NormIdnaDisallowUnassigned = 0x10d
|
|
} RTL_NORM_FORM;
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlNormalizeString(
|
|
_In_ ULONG NormForm, // RTL_NORM_FORM
|
|
_In_ PCWSTR SourceString,
|
|
_In_ LONG SourceStringLength,
|
|
_Out_writes_to_(*DestinationStringLength, *DestinationStringLength) PWSTR DestinationString,
|
|
_Inout_ PLONG DestinationStringLength
|
|
);
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlIsNormalizedString(
|
|
_In_ ULONG NormForm, // RTL_NORM_FORM
|
|
_In_ PCWSTR SourceString,
|
|
_In_ LONG SourceStringLength,
|
|
_Out_ PBOOLEAN Normalized
|
|
);
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_WIN7)
|
|
// ntifs:FsRtlIsNameInExpression
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlIsNameInExpression(
|
|
_In_ PUNICODE_STRING Expression,
|
|
_In_ PUNICODE_STRING Name,
|
|
_In_ BOOLEAN IgnoreCase,
|
|
_In_opt_ PWCH UpcaseTable
|
|
);
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_REDSTONE4)
|
|
// rev
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlIsNameInUnUpcasedExpression(
|
|
_In_ PUNICODE_STRING Expression,
|
|
_In_ PUNICODE_STRING Name,
|
|
_In_ BOOLEAN IgnoreCase,
|
|
_In_opt_ PWCH UpcaseTable
|
|
);
|
|
#endif
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlEqualDomainName(
|
|
_In_ PUNICODE_STRING String1,
|
|
_In_ PUNICODE_STRING String2
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlEqualComputerName(
|
|
_In_ PUNICODE_STRING String1,
|
|
_In_ PUNICODE_STRING String2
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDnsHostNameToComputerName(
|
|
_Out_ PUNICODE_STRING ComputerNameString,
|
|
_In_ PUNICODE_STRING DnsHostNameString,
|
|
_In_ BOOLEAN AllocateComputerNameString
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlStringFromGUID(
|
|
_In_ PGUID Guid,
|
|
_Out_ PUNICODE_STRING GuidString
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_WINBLUE)
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlStringFromGUIDEx(
|
|
_In_ PGUID Guid,
|
|
_Inout_ PUNICODE_STRING GuidString,
|
|
_In_ BOOLEAN AllocateGuidString
|
|
);
|
|
|
|
#endif
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlGUIDFromString(
|
|
_In_ PUNICODE_STRING GuidString,
|
|
_Out_ PGUID Guid
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
|
|
NTSYSAPI
|
|
LONG
|
|
NTAPI
|
|
RtlCompareAltitudes(
|
|
_In_ PUNICODE_STRING Altitude1,
|
|
_In_ PUNICODE_STRING Altitude2
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlIdnToAscii(
|
|
_In_ ULONG Flags,
|
|
_In_ PCWSTR SourceString,
|
|
_In_ LONG SourceStringLength,
|
|
_Out_writes_to_(*DestinationStringLength, *DestinationStringLength) PWSTR DestinationString,
|
|
_Inout_ PLONG DestinationStringLength
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlIdnToUnicode(
|
|
_In_ ULONG Flags,
|
|
_In_ PCWSTR SourceString,
|
|
_In_ LONG SourceStringLength,
|
|
_Out_writes_to_(*DestinationStringLength, *DestinationStringLength) PWSTR DestinationString,
|
|
_Inout_ PLONG DestinationStringLength
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlIdnToNameprepUnicode(
|
|
_In_ ULONG Flags,
|
|
_In_ PCWSTR SourceString,
|
|
_In_ LONG SourceStringLength,
|
|
_Out_writes_to_(*DestinationStringLength, *DestinationStringLength) PWSTR DestinationString,
|
|
_Inout_ PLONG DestinationStringLength
|
|
);
|
|
|
|
#endif
|
|
|
|
// Prefix
|
|
|
|
typedef struct _PREFIX_TABLE_ENTRY
|
|
{
|
|
CSHORT NodeTypeCode;
|
|
CSHORT NameLength;
|
|
struct _PREFIX_TABLE_ENTRY *NextPrefixTree;
|
|
RTL_SPLAY_LINKS Links;
|
|
PSTRING Prefix;
|
|
} PREFIX_TABLE_ENTRY, *PPREFIX_TABLE_ENTRY;
|
|
|
|
typedef struct _PREFIX_TABLE
|
|
{
|
|
CSHORT NodeTypeCode;
|
|
CSHORT NameLength;
|
|
PPREFIX_TABLE_ENTRY NextPrefixTree;
|
|
} PREFIX_TABLE, *PPREFIX_TABLE;
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
PfxInitialize(
|
|
_Out_ PPREFIX_TABLE PrefixTable
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
PfxInsertPrefix(
|
|
_In_ PPREFIX_TABLE PrefixTable,
|
|
_In_ PSTRING Prefix,
|
|
_Out_ PPREFIX_TABLE_ENTRY PrefixTableEntry
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
PfxRemovePrefix(
|
|
_In_ PPREFIX_TABLE PrefixTable,
|
|
_In_ PPREFIX_TABLE_ENTRY PrefixTableEntry
|
|
);
|
|
|
|
NTSYSAPI
|
|
PPREFIX_TABLE_ENTRY
|
|
NTAPI
|
|
PfxFindPrefix(
|
|
_In_ PPREFIX_TABLE PrefixTable,
|
|
_In_ PSTRING FullName
|
|
);
|
|
|
|
typedef struct _UNICODE_PREFIX_TABLE_ENTRY
|
|
{
|
|
CSHORT NodeTypeCode;
|
|
CSHORT NameLength;
|
|
struct _UNICODE_PREFIX_TABLE_ENTRY *NextPrefixTree;
|
|
struct _UNICODE_PREFIX_TABLE_ENTRY *CaseMatch;
|
|
RTL_SPLAY_LINKS Links;
|
|
PUNICODE_STRING Prefix;
|
|
} UNICODE_PREFIX_TABLE_ENTRY, *PUNICODE_PREFIX_TABLE_ENTRY;
|
|
|
|
typedef struct _UNICODE_PREFIX_TABLE
|
|
{
|
|
CSHORT NodeTypeCode;
|
|
CSHORT NameLength;
|
|
PUNICODE_PREFIX_TABLE_ENTRY NextPrefixTree;
|
|
PUNICODE_PREFIX_TABLE_ENTRY LastNextEntry;
|
|
} UNICODE_PREFIX_TABLE, *PUNICODE_PREFIX_TABLE;
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlInitializeUnicodePrefix(
|
|
_Out_ PUNICODE_PREFIX_TABLE PrefixTable
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlInsertUnicodePrefix(
|
|
_In_ PUNICODE_PREFIX_TABLE PrefixTable,
|
|
_In_ PUNICODE_STRING Prefix,
|
|
_Out_ PUNICODE_PREFIX_TABLE_ENTRY PrefixTableEntry
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlRemoveUnicodePrefix(
|
|
_In_ PUNICODE_PREFIX_TABLE PrefixTable,
|
|
_In_ PUNICODE_PREFIX_TABLE_ENTRY PrefixTableEntry
|
|
);
|
|
|
|
NTSYSAPI
|
|
PUNICODE_PREFIX_TABLE_ENTRY
|
|
NTAPI
|
|
RtlFindUnicodePrefix(
|
|
_In_ PUNICODE_PREFIX_TABLE PrefixTable,
|
|
_In_ PUNICODE_STRING FullName,
|
|
_In_ ULONG CaseInsensitiveIndex
|
|
);
|
|
|
|
NTSYSAPI
|
|
PUNICODE_PREFIX_TABLE_ENTRY
|
|
NTAPI
|
|
RtlNextUnicodePrefix(
|
|
_In_ PUNICODE_PREFIX_TABLE PrefixTable,
|
|
_In_ BOOLEAN Restart
|
|
);
|
|
|
|
// Compression
|
|
|
|
typedef struct _COMPRESSED_DATA_INFO
|
|
{
|
|
USHORT CompressionFormatAndEngine; // COMPRESSION_FORMAT_* and COMPRESSION_ENGINE_*
|
|
|
|
UCHAR CompressionUnitShift;
|
|
UCHAR ChunkShift;
|
|
UCHAR ClusterShift;
|
|
UCHAR Reserved;
|
|
|
|
USHORT NumberOfChunks;
|
|
|
|
ULONG CompressedChunkSizes[1];
|
|
} COMPRESSED_DATA_INFO, *PCOMPRESSED_DATA_INFO;
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlGetCompressionWorkSpaceSize(
|
|
_In_ USHORT CompressionFormatAndEngine,
|
|
_Out_ PULONG CompressBufferWorkSpaceSize,
|
|
_Out_ PULONG CompressFragmentWorkSpaceSize
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCompressBuffer(
|
|
_In_ USHORT CompressionFormatAndEngine,
|
|
_In_reads_bytes_(UncompressedBufferSize) PUCHAR UncompressedBuffer,
|
|
_In_ ULONG UncompressedBufferSize,
|
|
_Out_writes_bytes_to_(CompressedBufferSize, *FinalCompressedSize) PUCHAR CompressedBuffer,
|
|
_In_ ULONG CompressedBufferSize,
|
|
_In_ ULONG UncompressedChunkSize,
|
|
_Out_ PULONG FinalCompressedSize,
|
|
_In_ PVOID WorkSpace
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDecompressBuffer(
|
|
_In_ USHORT CompressionFormat,
|
|
_Out_writes_bytes_to_(UncompressedBufferSize, *FinalUncompressedSize) PUCHAR UncompressedBuffer,
|
|
_In_ ULONG UncompressedBufferSize,
|
|
_In_reads_bytes_(CompressedBufferSize) PUCHAR CompressedBuffer,
|
|
_In_ ULONG CompressedBufferSize,
|
|
_Out_ PULONG FinalUncompressedSize
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_WIN8)
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDecompressBufferEx(
|
|
_In_ USHORT CompressionFormat,
|
|
_Out_writes_bytes_to_(UncompressedBufferSize, *FinalUncompressedSize) PUCHAR UncompressedBuffer,
|
|
_In_ ULONG UncompressedBufferSize,
|
|
_In_reads_bytes_(CompressedBufferSize) PUCHAR CompressedBuffer,
|
|
_In_ ULONG CompressedBufferSize,
|
|
_Out_ PULONG FinalUncompressedSize,
|
|
_In_ PVOID WorkSpace
|
|
);
|
|
#endif
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDecompressFragment(
|
|
_In_ USHORT CompressionFormat,
|
|
_Out_writes_bytes_to_(UncompressedFragmentSize, *FinalUncompressedSize) PUCHAR UncompressedFragment,
|
|
_In_ ULONG UncompressedFragmentSize,
|
|
_In_reads_bytes_(CompressedBufferSize) PUCHAR CompressedBuffer,
|
|
_In_ ULONG CompressedBufferSize,
|
|
_In_range_(<, CompressedBufferSize) ULONG FragmentOffset,
|
|
_Out_ PULONG FinalUncompressedSize,
|
|
_In_ PVOID WorkSpace
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDescribeChunk(
|
|
_In_ USHORT CompressionFormat,
|
|
_Inout_ PUCHAR *CompressedBuffer,
|
|
_In_ PUCHAR EndOfCompressedBufferPlus1,
|
|
_Out_ PUCHAR *ChunkBuffer,
|
|
_Out_ PULONG ChunkSize
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlReserveChunk(
|
|
_In_ USHORT CompressionFormat,
|
|
_Inout_ PUCHAR *CompressedBuffer,
|
|
_In_ PUCHAR EndOfCompressedBufferPlus1,
|
|
_Out_ PUCHAR *ChunkBuffer,
|
|
_In_ ULONG ChunkSize
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDecompressChunks(
|
|
_Out_writes_bytes_(UncompressedBufferSize) PUCHAR UncompressedBuffer,
|
|
_In_ ULONG UncompressedBufferSize,
|
|
_In_reads_bytes_(CompressedBufferSize) PUCHAR CompressedBuffer,
|
|
_In_ ULONG CompressedBufferSize,
|
|
_In_reads_bytes_(CompressedTailSize) PUCHAR CompressedTail,
|
|
_In_ ULONG CompressedTailSize,
|
|
_In_ PCOMPRESSED_DATA_INFO CompressedDataInfo
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCompressChunks(
|
|
_In_reads_bytes_(UncompressedBufferSize) PUCHAR UncompressedBuffer,
|
|
_In_ ULONG UncompressedBufferSize,
|
|
_Out_writes_bytes_(CompressedBufferSize) PUCHAR CompressedBuffer,
|
|
_In_range_(>=, (UncompressedBufferSize - (UncompressedBufferSize / 16))) ULONG CompressedBufferSize,
|
|
_Inout_updates_bytes_(CompressedDataInfoLength) PCOMPRESSED_DATA_INFO CompressedDataInfo,
|
|
_In_range_(>, sizeof(COMPRESSED_DATA_INFO)) ULONG CompressedDataInfoLength,
|
|
_In_ PVOID WorkSpace
|
|
);
|
|
|
|
// Locale
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlConvertLCIDToString(
|
|
_In_ LCID LcidValue,
|
|
_In_ ULONG Base,
|
|
_In_ ULONG Padding, // string is padded to this width
|
|
_Out_writes_(Size) PWSTR pResultBuf,
|
|
_In_ ULONG Size
|
|
);
|
|
|
|
// private
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlIsValidLocaleName(
|
|
_In_ PCWSTR LocaleName,
|
|
_In_ ULONG Flags
|
|
);
|
|
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlGetParentLocaleName(
|
|
_In_ PCWSTR LocaleName,
|
|
_Inout_ PUNICODE_STRING ParentLocaleName,
|
|
_In_ ULONG Flags,
|
|
_In_ BOOLEAN AllocateDestinationString
|
|
);
|
|
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlLcidToLocaleName(
|
|
_In_ LCID lcid, // sic
|
|
_Inout_ PUNICODE_STRING LocaleName,
|
|
_In_ ULONG Flags,
|
|
_In_ BOOLEAN AllocateDestinationString
|
|
);
|
|
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlLocaleNameToLcid(
|
|
_In_ PCWSTR LocaleName,
|
|
_Out_ PLCID lcid,
|
|
_In_ ULONG Flags
|
|
);
|
|
|
|
// private
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlLCIDToCultureName(
|
|
_In_ LCID Lcid,
|
|
_Inout_ PUNICODE_STRING String
|
|
);
|
|
|
|
// private
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlCultureNameToLCID(
|
|
_In_ PUNICODE_STRING String,
|
|
_Out_ PLCID Lcid
|
|
);
|
|
|
|
// private
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlCleanUpTEBLangLists(
|
|
VOID
|
|
);
|
|
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_WIN7)
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlGetLocaleFileMappingAddress(
|
|
_Out_ PVOID *BaseAddress,
|
|
_Out_ PLCID DefaultLocaleId,
|
|
_Out_ PLARGE_INTEGER DefaultCasingTableSize
|
|
);
|
|
|
|
#endif
|
|
|
|
// PEB
|
|
|
|
NTSYSAPI
|
|
PPEB
|
|
NTAPI
|
|
RtlGetCurrentPeb(
|
|
VOID
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlAcquirePebLock(
|
|
VOID
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlReleasePebLock(
|
|
VOID
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
// private
|
|
NTSYSAPI
|
|
LOGICAL
|
|
NTAPI
|
|
RtlTryAcquirePebLock(
|
|
VOID
|
|
);
|
|
#endif
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlAllocateFromPeb(
|
|
_In_ ULONG Size,
|
|
_Out_ PVOID *Block
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlFreeToPeb(
|
|
_In_ PVOID Block,
|
|
_In_ ULONG Size
|
|
);
|
|
|
|
// Processes
|
|
|
|
#define DOS_MAX_COMPONENT_LENGTH 255
|
|
#define DOS_MAX_PATH_LENGTH (DOS_MAX_COMPONENT_LENGTH + 5)
|
|
|
|
typedef struct _CURDIR
|
|
{
|
|
UNICODE_STRING DosPath;
|
|
HANDLE Handle;
|
|
} CURDIR, *PCURDIR;
|
|
|
|
#define RTL_USER_PROC_CURDIR_CLOSE 0x00000002
|
|
#define RTL_USER_PROC_CURDIR_INHERIT 0x00000003
|
|
|
|
typedef struct _RTL_DRIVE_LETTER_CURDIR
|
|
{
|
|
USHORT Flags;
|
|
USHORT Length;
|
|
ULONG TimeStamp;
|
|
STRING DosPath;
|
|
} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;
|
|
|
|
#define RTL_MAX_DRIVE_LETTERS 32
|
|
#define RTL_DRIVE_LETTER_VALID (USHORT)0x0001
|
|
|
|
typedef struct _RTL_USER_PROCESS_PARAMETERS
|
|
{
|
|
ULONG MaximumLength;
|
|
ULONG Length;
|
|
|
|
ULONG Flags;
|
|
ULONG DebugFlags;
|
|
|
|
HANDLE ConsoleHandle;
|
|
ULONG ConsoleFlags;
|
|
HANDLE StandardInput;
|
|
HANDLE StandardOutput;
|
|
HANDLE StandardError;
|
|
|
|
CURDIR CurrentDirectory;
|
|
UNICODE_STRING DllPath;
|
|
UNICODE_STRING ImagePathName;
|
|
UNICODE_STRING CommandLine;
|
|
PVOID Environment;
|
|
|
|
ULONG StartingX;
|
|
ULONG StartingY;
|
|
ULONG CountX;
|
|
ULONG CountY;
|
|
ULONG CountCharsX;
|
|
ULONG CountCharsY;
|
|
ULONG FillAttribute;
|
|
|
|
ULONG WindowFlags;
|
|
ULONG ShowWindowFlags;
|
|
UNICODE_STRING WindowTitle;
|
|
UNICODE_STRING DesktopInfo;
|
|
UNICODE_STRING ShellInfo;
|
|
UNICODE_STRING RuntimeData;
|
|
RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS];
|
|
|
|
ULONG_PTR EnvironmentSize;
|
|
ULONG_PTR EnvironmentVersion;
|
|
PVOID PackageDependencyData;
|
|
ULONG ProcessGroupId;
|
|
ULONG LoaderThreads;
|
|
|
|
UNICODE_STRING RedirectionDllName; // REDSTONE4
|
|
UNICODE_STRING HeapPartitionName; // 19H1
|
|
ULONG_PTR DefaultThreadpoolCpuSetMasks;
|
|
ULONG DefaultThreadpoolCpuSetMaskCount;
|
|
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
|
|
|
|
#define RTL_USER_PROC_PARAMS_NORMALIZED 0x00000001
|
|
#define RTL_USER_PROC_PROFILE_USER 0x00000002
|
|
#define RTL_USER_PROC_PROFILE_KERNEL 0x00000004
|
|
#define RTL_USER_PROC_PROFILE_SERVER 0x00000008
|
|
#define RTL_USER_PROC_RESERVE_1MB 0x00000020
|
|
#define RTL_USER_PROC_RESERVE_16MB 0x00000040
|
|
#define RTL_USER_PROC_CASE_SENSITIVE 0x00000080
|
|
#define RTL_USER_PROC_DISABLE_HEAP_DECOMMIT 0x00000100
|
|
#define RTL_USER_PROC_DLL_REDIRECTION_LOCAL 0x00001000
|
|
#define RTL_USER_PROC_APP_MANIFEST_PRESENT 0x00002000
|
|
#define RTL_USER_PROC_IMAGE_KEY_MISSING 0x00004000
|
|
#define RTL_USER_PROC_OPTIN_PROCESS 0x00020000
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCreateProcessParameters(
|
|
_Out_ PRTL_USER_PROCESS_PARAMETERS *pProcessParameters,
|
|
_In_ PUNICODE_STRING ImagePathName,
|
|
_In_opt_ PUNICODE_STRING DllPath,
|
|
_In_opt_ PUNICODE_STRING CurrentDirectory,
|
|
_In_opt_ PUNICODE_STRING CommandLine,
|
|
_In_opt_ PVOID Environment,
|
|
_In_opt_ PUNICODE_STRING WindowTitle,
|
|
_In_opt_ PUNICODE_STRING DesktopInfo,
|
|
_In_opt_ PUNICODE_STRING ShellInfo,
|
|
_In_opt_ PUNICODE_STRING RuntimeData
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCreateProcessParametersEx(
|
|
_Out_ PRTL_USER_PROCESS_PARAMETERS *pProcessParameters,
|
|
_In_ PUNICODE_STRING ImagePathName,
|
|
_In_opt_ PUNICODE_STRING DllPath,
|
|
_In_opt_ PUNICODE_STRING CurrentDirectory,
|
|
_In_opt_ PUNICODE_STRING CommandLine,
|
|
_In_opt_ PVOID Environment,
|
|
_In_opt_ PUNICODE_STRING WindowTitle,
|
|
_In_opt_ PUNICODE_STRING DesktopInfo,
|
|
_In_opt_ PUNICODE_STRING ShellInfo,
|
|
_In_opt_ PUNICODE_STRING RuntimeData,
|
|
_In_ ULONG Flags // pass RTL_USER_PROC_PARAMS_NORMALIZED to keep parameters normalized
|
|
);
|
|
#endif
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDestroyProcessParameters(
|
|
_In_ _Post_invalid_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters
|
|
);
|
|
|
|
NTSYSAPI
|
|
PRTL_USER_PROCESS_PARAMETERS
|
|
NTAPI
|
|
RtlNormalizeProcessParams(
|
|
_Inout_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters
|
|
);
|
|
|
|
NTSYSAPI
|
|
PRTL_USER_PROCESS_PARAMETERS
|
|
NTAPI
|
|
RtlDeNormalizeProcessParams(
|
|
_Inout_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters
|
|
);
|
|
|
|
typedef struct _RTL_USER_PROCESS_INFORMATION
|
|
{
|
|
ULONG Length;
|
|
HANDLE ProcessHandle;
|
|
HANDLE ThreadHandle;
|
|
CLIENT_ID ClientId;
|
|
SECTION_IMAGE_INFORMATION ImageInformation;
|
|
} RTL_USER_PROCESS_INFORMATION, *PRTL_USER_PROCESS_INFORMATION;
|
|
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCreateUserProcess(
|
|
_In_ PUNICODE_STRING NtImagePathName,
|
|
_In_ ULONG AttributesDeprecated,
|
|
_In_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters,
|
|
_In_opt_ PSECURITY_DESCRIPTOR ProcessSecurityDescriptor,
|
|
_In_opt_ PSECURITY_DESCRIPTOR ThreadSecurityDescriptor,
|
|
_In_opt_ HANDLE ParentProcess,
|
|
_In_ BOOLEAN InheritHandles,
|
|
_In_opt_ HANDLE DebugPort,
|
|
_In_opt_ HANDLE TokenHandle, // used to be ExceptionPort
|
|
_Out_ PRTL_USER_PROCESS_INFORMATION ProcessInformation
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCreateUserProcessEx(
|
|
_In_ PUNICODE_STRING NtImagePathName,
|
|
_In_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters,
|
|
_In_ BOOLEAN InheritHandles,
|
|
_Reserved_ ULONG Flags,
|
|
_Out_ PRTL_USER_PROCESS_INFORMATION ProcessInformation
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
DECLSPEC_NORETURN
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlExitUserProcess(
|
|
_In_ NTSTATUS ExitStatus
|
|
);
|
|
#else
|
|
|
|
#define RtlExitUserProcess RtlExitUserProcess_R
|
|
|
|
DECLSPEC_NORETURN
|
|
FORCEINLINE VOID RtlExitUserProcess_R(
|
|
_In_ NTSTATUS ExitStatus
|
|
)
|
|
{
|
|
ExitProcess(ExitStatus);
|
|
}
|
|
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
|
|
// begin_rev
|
|
#define RTL_CLONE_PROCESS_FLAGS_CREATE_SUSPENDED 0x00000001
|
|
#define RTL_CLONE_PROCESS_FLAGS_INHERIT_HANDLES 0x00000002
|
|
#define RTL_CLONE_PROCESS_FLAGS_NO_SYNCHRONIZE 0x00000004 // don't update synchronization objects
|
|
// end_rev
|
|
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCloneUserProcess(
|
|
_In_ ULONG ProcessFlags,
|
|
_In_opt_ PSECURITY_DESCRIPTOR ProcessSecurityDescriptor,
|
|
_In_opt_ PSECURITY_DESCRIPTOR ThreadSecurityDescriptor,
|
|
_In_opt_ HANDLE DebugPort,
|
|
_Out_ PRTL_USER_PROCESS_INFORMATION ProcessInformation
|
|
);
|
|
|
|
// private
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlUpdateClonedCriticalSection(
|
|
_Inout_ PRTL_CRITICAL_SECTION CriticalSection
|
|
);
|
|
|
|
// private
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlUpdateClonedSRWLock(
|
|
_Inout_ PRTL_SRWLOCK SRWLock,
|
|
_In_ LOGICAL Shared // TRUE to set to shared acquire
|
|
);
|
|
|
|
// private
|
|
typedef struct _RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION
|
|
{
|
|
HANDLE ReflectionProcessHandle;
|
|
HANDLE ReflectionThreadHandle;
|
|
CLIENT_ID ReflectionClientId;
|
|
} RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION, *PRTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION;
|
|
|
|
#if (PHNT_VERSION >= PHNT_WIN7)
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCreateProcessReflection(
|
|
_In_ HANDLE ProcessHandle,
|
|
_In_ ULONG Flags,
|
|
_In_opt_ PVOID StartRoutine,
|
|
_In_opt_ PVOID StartContext,
|
|
_In_opt_ HANDLE EventHandle,
|
|
_Out_opt_ PRTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION ReflectionInformation
|
|
);
|
|
#endif
|
|
|
|
#endif
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
STDAPIVCALLTYPE
|
|
RtlSetProcessIsCritical(
|
|
_In_ BOOLEAN NewValue,
|
|
_Out_opt_ PBOOLEAN OldValue,
|
|
_In_ BOOLEAN CheckFlag
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
STDAPIVCALLTYPE
|
|
RtlSetThreadIsCritical(
|
|
_In_ BOOLEAN NewValue,
|
|
_Out_opt_ PBOOLEAN OldValue,
|
|
_In_ BOOLEAN CheckFlag
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlValidProcessProtection(
|
|
_In_ PS_PROTECTION ProcessProtection
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlTestProtectedAccess(
|
|
_In_ PS_PROTECTION Source,
|
|
_In_ PS_PROTECTION Target
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_REDSTONE3)
|
|
// rev
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlIsCurrentProcess( // NtCompareObjects(NtCurrentProcess(), ProcessHandle)
|
|
_In_ HANDLE ProcessHandle
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlIsCurrentThread( // NtCompareObjects(NtCurrentThread(), ThreadHandle)
|
|
_In_ HANDLE ThreadHandle
|
|
);
|
|
#endif
|
|
|
|
// Threads
|
|
|
|
typedef NTSTATUS (NTAPI *PUSER_THREAD_START_ROUTINE)(
|
|
_In_ PVOID ThreadParameter
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCreateUserThread(
|
|
_In_ HANDLE Process,
|
|
_In_opt_ PSECURITY_DESCRIPTOR ThreadSecurityDescriptor,
|
|
_In_ BOOLEAN CreateSuspended,
|
|
_In_opt_ ULONG ZeroBits,
|
|
_In_opt_ SIZE_T MaximumStackSize,
|
|
_In_opt_ SIZE_T CommittedStackSize,
|
|
_In_ PUSER_THREAD_START_ROUTINE StartAddress,
|
|
_In_opt_ PVOID Parameter,
|
|
_Out_opt_ PHANDLE Thread,
|
|
_Out_opt_ PCLIENT_ID ClientId
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA) // should be PHNT_WINXP, but is PHNT_VISTA for consistency with RtlExitUserProcess
|
|
DECLSPEC_NORETURN
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlExitUserThread(
|
|
_In_ NTSTATUS ExitStatus
|
|
);
|
|
#else
|
|
|
|
#define RtlExitUserThread RtlExitUserThread_R
|
|
|
|
DECLSPEC_NORETURN
|
|
FORCEINLINE VOID RtlExitUserThread_R(
|
|
_In_ NTSTATUS ExitStatus
|
|
)
|
|
{
|
|
ExitThread(ExitStatus);
|
|
}
|
|
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlIsCurrentThreadAttachExempt(
|
|
VOID
|
|
);
|
|
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCreateUserStack(
|
|
_In_opt_ SIZE_T CommittedStackSize,
|
|
_In_opt_ SIZE_T MaximumStackSize,
|
|
_In_opt_ ULONG_PTR ZeroBits,
|
|
_In_ SIZE_T PageSize,
|
|
_In_ ULONG_PTR ReserveAlignment,
|
|
_Out_ PINITIAL_TEB InitialTeb
|
|
);
|
|
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlFreeUserStack(
|
|
_In_ PVOID AllocationBase
|
|
);
|
|
|
|
#endif
|
|
|
|
// Extended thread context
|
|
|
|
typedef struct _CONTEXT_CHUNK
|
|
{
|
|
LONG Offset; // Offset may be negative.
|
|
ULONG Length;
|
|
} CONTEXT_CHUNK, *PCONTEXT_CHUNK;
|
|
|
|
typedef struct _CONTEXT_EX
|
|
{
|
|
CONTEXT_CHUNK All;
|
|
CONTEXT_CHUNK Legacy;
|
|
CONTEXT_CHUNK XState;
|
|
} CONTEXT_EX, *PCONTEXT_EX;
|
|
|
|
#define CONTEXT_EX_LENGTH ALIGN_UP_BY(sizeof(CONTEXT_EX), PAGE_SIZE)
|
|
#define RTL_CONTEXT_EX_OFFSET(ContextEx, Chunk) ((ContextEx)->Chunk.Offset)
|
|
#define RTL_CONTEXT_EX_LENGTH(ContextEx, Chunk) ((ContextEx)->Chunk.Length)
|
|
#define RTL_CONTEXT_EX_CHUNK(Base, Layout, Chunk) ((PVOID)((PCHAR)(Base) + RTL_CONTEXT_EX_OFFSET(Layout, Chunk)))
|
|
#define RTL_CONTEXT_OFFSET(Context, Chunk) RTL_CONTEXT_EX_OFFSET((PCONTEXT_EX)(Context + 1), Chunk)
|
|
#define RTL_CONTEXT_LENGTH(Context, Chunk) RTL_CONTEXT_EX_LENGTH((PCONTEXT_EX)(Context + 1), Chunk)
|
|
#define RTL_CONTEXT_CHUNK(Context, Chunk) RTL_CONTEXT_EX_CHUNK((PCONTEXT_EX)(Context + 1), (PCONTEXT_EX)(Context + 1), Chunk)
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlInitializeContext(
|
|
_In_ HANDLE Process,
|
|
_Out_ PCONTEXT Context,
|
|
_In_opt_ PVOID Parameter,
|
|
_In_opt_ PVOID InitialPc,
|
|
_In_opt_ PVOID InitialSp
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlInitializeExtendedContext(
|
|
_Out_ PCONTEXT Context,
|
|
_In_ ULONG ContextFlags,
|
|
_Out_ PCONTEXT_EX* ContextEx
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlCopyExtendedContext(
|
|
_Out_ PCONTEXT_EX Destination,
|
|
_In_ ULONG ContextFlags,
|
|
_In_ PCONTEXT_EX Source
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlGetExtendedContextLength(
|
|
_In_ ULONG ContextFlags,
|
|
_Out_ PULONG ContextLength
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG64
|
|
NTAPI
|
|
RtlGetExtendedFeaturesMask(
|
|
_In_ PCONTEXT_EX ContextEx
|
|
);
|
|
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlLocateExtendedFeature(
|
|
_In_ PCONTEXT_EX ContextEx,
|
|
_In_ ULONG FeatureId,
|
|
_Out_opt_ PULONG Length
|
|
);
|
|
|
|
NTSYSAPI
|
|
PCONTEXT
|
|
NTAPI
|
|
RtlLocateLegacyContext(
|
|
_In_ PCONTEXT_EX ContextEx,
|
|
_Out_opt_ PULONG Length
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlSetExtendedFeaturesMask(
|
|
__out PCONTEXT_EX ContextEx,
|
|
_Out_ ULONG64 FeatureMask
|
|
);
|
|
|
|
#ifdef _WIN64
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlWow64GetThreadContext(
|
|
_In_ HANDLE ThreadHandle,
|
|
_Inout_ PWOW64_CONTEXT ThreadContext
|
|
);
|
|
#endif
|
|
|
|
#ifdef _WIN64
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlWow64SetThreadContext(
|
|
_In_ HANDLE ThreadHandle,
|
|
_In_ PWOW64_CONTEXT ThreadContext
|
|
);
|
|
#endif
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlRemoteCall(
|
|
_In_ HANDLE Process,
|
|
_In_ HANDLE Thread,
|
|
_In_ PVOID CallSite,
|
|
_In_ ULONG ArgumentCount,
|
|
_In_opt_ PULONG_PTR Arguments,
|
|
_In_ BOOLEAN PassContext,
|
|
_In_ BOOLEAN AlreadySuspended
|
|
);
|
|
|
|
// Vectored exception handlers
|
|
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlAddVectoredExceptionHandler(
|
|
_In_ ULONG First,
|
|
_In_ PVECTORED_EXCEPTION_HANDLER Handler
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlRemoveVectoredExceptionHandler(
|
|
_In_ PVOID Handle
|
|
);
|
|
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlAddVectoredContinueHandler(
|
|
_In_ ULONG First,
|
|
_In_ PVECTORED_EXCEPTION_HANDLER Handler
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlRemoveVectoredContinueHandler(
|
|
_In_ PVOID Handle
|
|
);
|
|
|
|
// Runtime exception handling
|
|
|
|
typedef ULONG (NTAPI *PRTLP_UNHANDLED_EXCEPTION_FILTER)(
|
|
_In_ PEXCEPTION_POINTERS ExceptionInfo
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlSetUnhandledExceptionFilter(
|
|
_In_ PRTLP_UNHANDLED_EXCEPTION_FILTER UnhandledExceptionFilter
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
LONG
|
|
NTAPI
|
|
RtlUnhandledExceptionFilter(
|
|
_In_ PEXCEPTION_POINTERS ExceptionPointers
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
LONG
|
|
NTAPI
|
|
RtlUnhandledExceptionFilter2(
|
|
_In_ PEXCEPTION_POINTERS ExceptionPointers,
|
|
_In_ ULONG Flags
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
LONG
|
|
NTAPI
|
|
RtlKnownExceptionFilter(
|
|
_In_ PEXCEPTION_POINTERS ExceptionPointers
|
|
);
|
|
|
|
#ifdef _WIN64
|
|
|
|
// private
|
|
typedef enum _FUNCTION_TABLE_TYPE
|
|
{
|
|
RF_SORTED,
|
|
RF_UNSORTED,
|
|
RF_CALLBACK,
|
|
RF_KERNEL_DYNAMIC
|
|
} FUNCTION_TABLE_TYPE;
|
|
|
|
// private
|
|
typedef struct _DYNAMIC_FUNCTION_TABLE
|
|
{
|
|
LIST_ENTRY ListEntry;
|
|
PRUNTIME_FUNCTION FunctionTable;
|
|
LARGE_INTEGER TimeStamp;
|
|
ULONG64 MinimumAddress;
|
|
ULONG64 MaximumAddress;
|
|
ULONG64 BaseAddress;
|
|
PGET_RUNTIME_FUNCTION_CALLBACK Callback;
|
|
PVOID Context;
|
|
PWSTR OutOfProcessCallbackDll;
|
|
FUNCTION_TABLE_TYPE Type;
|
|
ULONG EntryCount;
|
|
RTL_BALANCED_NODE TreeNode;
|
|
} DYNAMIC_FUNCTION_TABLE, *PDYNAMIC_FUNCTION_TABLE;
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
PLIST_ENTRY
|
|
NTAPI
|
|
RtlGetFunctionTableListHead(
|
|
VOID
|
|
);
|
|
|
|
#endif
|
|
|
|
// Images
|
|
|
|
NTSYSAPI
|
|
PIMAGE_NT_HEADERS
|
|
NTAPI
|
|
RtlImageNtHeader(
|
|
_In_ PVOID BaseOfImage
|
|
);
|
|
|
|
#define RTL_IMAGE_NT_HEADER_EX_FLAG_NO_RANGE_CHECK 0x00000001
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlImageNtHeaderEx(
|
|
_In_ ULONG Flags,
|
|
_In_ PVOID BaseOfImage,
|
|
_In_ ULONG64 Size,
|
|
_Out_ PIMAGE_NT_HEADERS *OutHeaders
|
|
);
|
|
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlAddressInSectionTable(
|
|
_In_ PIMAGE_NT_HEADERS NtHeaders,
|
|
_In_ PVOID BaseOfImage,
|
|
_In_ ULONG VirtualAddress
|
|
);
|
|
|
|
NTSYSAPI
|
|
PIMAGE_SECTION_HEADER
|
|
NTAPI
|
|
RtlSectionTableFromVirtualAddress(
|
|
_In_ PIMAGE_NT_HEADERS NtHeaders,
|
|
_In_ PVOID BaseOfImage,
|
|
_In_ ULONG VirtualAddress
|
|
);
|
|
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlImageDirectoryEntryToData(
|
|
_In_ PVOID BaseOfImage,
|
|
_In_ BOOLEAN MappedAsImage,
|
|
_In_ USHORT DirectoryEntry,
|
|
_Out_ PULONG Size
|
|
);
|
|
|
|
NTSYSAPI
|
|
PIMAGE_SECTION_HEADER
|
|
NTAPI
|
|
RtlImageRvaToSection(
|
|
_In_ PIMAGE_NT_HEADERS NtHeaders,
|
|
_In_ PVOID BaseOfImage,
|
|
_In_ ULONG Rva
|
|
);
|
|
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlImageRvaToVa(
|
|
_In_ PIMAGE_NT_HEADERS NtHeaders,
|
|
_In_ PVOID BaseOfImage,
|
|
_In_ ULONG Rva,
|
|
_Inout_opt_ PIMAGE_SECTION_HEADER *LastRvaSection
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_THRESHOLD)
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlFindExportedRoutineByName(
|
|
_In_ PVOID BaseOfImage,
|
|
_In_ PCSTR RoutineName
|
|
);
|
|
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_REDSTONE)
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlGuardCheckLongJumpTarget(
|
|
_In_ PVOID PcValue,
|
|
_In_ BOOL IsFastFail,
|
|
_Out_ PBOOL IsLongJumpTarget
|
|
);
|
|
|
|
#endif
|
|
|
|
// Memory
|
|
|
|
NTSYSAPI
|
|
SIZE_T
|
|
NTAPI
|
|
RtlCompareMemoryUlong(
|
|
_In_ PVOID Source,
|
|
_In_ SIZE_T Length,
|
|
_In_ ULONG Pattern
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlFillMemoryUlong(
|
|
_Out_ PVOID Destination,
|
|
_In_ SIZE_T Length,
|
|
_In_ ULONG Pattern
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlFillMemoryUlonglong(
|
|
_Out_ PVOID Destination,
|
|
_In_ SIZE_T Length,
|
|
_In_ ULONGLONG Pattern
|
|
);
|
|
|
|
// Environment
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCreateEnvironment(
|
|
_In_ BOOLEAN CloneCurrentEnvironment,
|
|
_Out_ PVOID *Environment
|
|
);
|
|
|
|
// begin_rev
|
|
#define RTL_CREATE_ENVIRONMENT_TRANSLATE 0x1 // translate from multi-byte to Unicode
|
|
#define RTL_CREATE_ENVIRONMENT_TRANSLATE_FROM_OEM 0x2 // translate from OEM to Unicode (Translate flag must also be set)
|
|
#define RTL_CREATE_ENVIRONMENT_EMPTY 0x4 // create empty environment block
|
|
// end_rev
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCreateEnvironmentEx(
|
|
_In_ PVOID SourceEnv,
|
|
_Out_ PVOID *Environment,
|
|
_In_ ULONG Flags
|
|
);
|
|
#endif
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDestroyEnvironment(
|
|
_In_ PVOID Environment
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSetCurrentEnvironment(
|
|
_In_ PVOID Environment,
|
|
_Out_opt_ PVOID *PreviousEnvironment
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSetEnvironmentVar(
|
|
_Inout_opt_ PVOID *Environment,
|
|
_In_reads_(NameLength) PCWSTR Name,
|
|
_In_ SIZE_T NameLength,
|
|
_In_reads_(ValueLength) PCWSTR Value,
|
|
_In_ SIZE_T ValueLength
|
|
);
|
|
#endif
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSetEnvironmentVariable(
|
|
_Inout_opt_ PVOID *Environment,
|
|
_In_ PUNICODE_STRING Name,
|
|
_In_opt_ PUNICODE_STRING Value
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlQueryEnvironmentVariable(
|
|
_In_opt_ PVOID Environment,
|
|
_In_reads_(NameLength) PCWSTR Name,
|
|
_In_ SIZE_T NameLength,
|
|
_Out_writes_(ValueLength) PWSTR Value,
|
|
_In_ SIZE_T ValueLength,
|
|
_Out_ PSIZE_T ReturnLength
|
|
);
|
|
#endif
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlQueryEnvironmentVariable_U(
|
|
_In_opt_ PVOID Environment,
|
|
_In_ PUNICODE_STRING Name,
|
|
_Inout_ PUNICODE_STRING Value
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlExpandEnvironmentStrings(
|
|
_In_opt_ PVOID Environment,
|
|
_In_reads_(SrcLength) PCWSTR Src,
|
|
_In_ SIZE_T SrcLength,
|
|
_Out_writes_(DstLength) PWSTR Dst,
|
|
_In_ SIZE_T DstLength,
|
|
_Out_opt_ PSIZE_T ReturnLength
|
|
);
|
|
#endif
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlExpandEnvironmentStrings_U(
|
|
_In_opt_ PVOID Environment,
|
|
_In_ PUNICODE_STRING Source,
|
|
_Inout_ PUNICODE_STRING Destination,
|
|
_Out_opt_ PULONG ReturnedLength
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSetEnvironmentStrings(
|
|
_In_ PCWCHAR NewEnvironment,
|
|
_In_ SIZE_T NewEnvironmentSize
|
|
);
|
|
|
|
// Directory and path support
|
|
|
|
typedef struct _RTLP_CURDIR_REF
|
|
{
|
|
LONG ReferenceCount;
|
|
HANDLE DirectoryHandle;
|
|
} RTLP_CURDIR_REF, *PRTLP_CURDIR_REF;
|
|
|
|
typedef struct _RTL_RELATIVE_NAME_U
|
|
{
|
|
UNICODE_STRING RelativeName;
|
|
HANDLE ContainingDirectory;
|
|
PRTLP_CURDIR_REF CurDirRef;
|
|
} RTL_RELATIVE_NAME_U, *PRTL_RELATIVE_NAME_U;
|
|
|
|
typedef enum _RTL_PATH_TYPE
|
|
{
|
|
RtlPathTypeUnknown,
|
|
RtlPathTypeUncAbsolute,
|
|
RtlPathTypeDriveAbsolute,
|
|
RtlPathTypeDriveRelative,
|
|
RtlPathTypeRooted,
|
|
RtlPathTypeRelative,
|
|
RtlPathTypeLocalDevice,
|
|
RtlPathTypeRootLocalDevice
|
|
} RTL_PATH_TYPE;
|
|
|
|
// Data exports (ntdll.lib/ntdllp.lib)
|
|
|
|
NTSYSAPI PWSTR RtlNtdllName;
|
|
NTSYSAPI UNICODE_STRING RtlDosPathSeperatorsString;
|
|
NTSYSAPI UNICODE_STRING RtlAlternateDosPathSeperatorString;
|
|
NTSYSAPI UNICODE_STRING RtlNtPathSeperatorString;
|
|
|
|
#ifndef PHNT_INLINE_SEPERATOR_STRINGS
|
|
#define RtlNtdllName L"ntdll.dll"
|
|
#define RtlDosPathSeperatorsString ((UNICODE_STRING)RTL_CONSTANT_STRING(L"\\/"))
|
|
#define RtlAlternateDosPathSeperatorString ((UNICODE_STRING)RTL_CONSTANT_STRING(L"/"))
|
|
#define RtlNtPathSeperatorString ((UNICODE_STRING)RTL_CONSTANT_STRING(L"\\"))
|
|
#endif
|
|
|
|
// Path functions
|
|
|
|
NTSYSAPI
|
|
RTL_PATH_TYPE
|
|
NTAPI
|
|
RtlDetermineDosPathNameType_U(
|
|
_In_ PCWSTR DosFileName
|
|
);
|
|
|
|
NTSYSAPI
|
|
RTL_PATH_TYPE
|
|
NTAPI
|
|
RtlDetermineDosPathNameType_Ustr(
|
|
_In_ PCUNICODE_STRING DosFileName
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlIsDosDeviceName_U(
|
|
_In_ PCWSTR DosFileName
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlIsDosDeviceName_Ustr(
|
|
_In_ PUNICODE_STRING DosFileName
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlGetFullPathName_U(
|
|
_In_ PCWSTR FileName,
|
|
_In_ ULONG BufferLength,
|
|
_Out_writes_bytes_(BufferLength) PWSTR Buffer,
|
|
_Out_opt_ PWSTR *FilePart
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_WIN7)
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlGetFullPathName_UEx(
|
|
_In_ PCWSTR FileName,
|
|
_In_ ULONG BufferLength,
|
|
_Out_writes_bytes_(BufferLength) PWSTR Buffer,
|
|
_Out_opt_ PWSTR *FilePart,
|
|
_Out_opt_ ULONG *BytesRequired
|
|
);
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_WS03)
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlGetFullPathName_UstrEx(
|
|
_In_ PUNICODE_STRING FileName,
|
|
_Inout_ PUNICODE_STRING StaticString,
|
|
_Out_opt_ PUNICODE_STRING DynamicString,
|
|
_Out_opt_ PUNICODE_STRING *StringUsed,
|
|
_Out_opt_ SIZE_T *FilePartPrefixCch,
|
|
_Out_opt_ PBOOLEAN NameInvalid,
|
|
_Out_ RTL_PATH_TYPE *InputPathType,
|
|
_Out_opt_ SIZE_T *BytesRequired
|
|
);
|
|
#endif
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlGetCurrentDirectory_U(
|
|
_In_ ULONG BufferLength,
|
|
_Out_writes_bytes_(BufferLength) PWSTR Buffer
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSetCurrentDirectory_U(
|
|
_In_ PUNICODE_STRING PathName
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlGetLongestNtPathLength(
|
|
VOID
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlDosPathNameToNtPathName_U(
|
|
_In_ PCWSTR DosFileName,
|
|
_Out_ PUNICODE_STRING NtFileName,
|
|
_Out_opt_ PWSTR *FilePart,
|
|
_Out_opt_ PRTL_RELATIVE_NAME_U RelativeName
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_WS03)
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDosPathNameToNtPathName_U_WithStatus(
|
|
_In_ PCWSTR DosFileName,
|
|
_Out_ PUNICODE_STRING NtFileName,
|
|
_Out_opt_ PWSTR *FilePart,
|
|
_Out_opt_ PRTL_RELATIVE_NAME_U RelativeName
|
|
);
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_REDSTONE3)
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDosLongPathNameToNtPathName_U_WithStatus(
|
|
_In_ PCWSTR DosFileName,
|
|
_Out_ PUNICODE_STRING NtFileName,
|
|
_Out_opt_ PWSTR *FilePart,
|
|
_Out_opt_ PRTL_RELATIVE_NAME_U RelativeName
|
|
);
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_WS03)
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlDosPathNameToRelativeNtPathName_U(
|
|
_In_ PCWSTR DosFileName,
|
|
_Out_ PUNICODE_STRING NtFileName,
|
|
_Out_opt_ PWSTR *FilePart,
|
|
_Out_opt_ PRTL_RELATIVE_NAME_U RelativeName
|
|
);
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_WS03)
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDosPathNameToRelativeNtPathName_U_WithStatus(
|
|
_In_ PCWSTR DosFileName,
|
|
_Out_ PUNICODE_STRING NtFileName,
|
|
_Out_opt_ PWSTR *FilePart,
|
|
_Out_opt_ PRTL_RELATIVE_NAME_U RelativeName
|
|
);
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_REDSTONE3)
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDosLongPathNameToRelativeNtPathName_U_WithStatus(
|
|
_In_ PCWSTR DosFileName,
|
|
_Out_ PUNICODE_STRING NtFileName,
|
|
_Out_opt_ PWSTR *FilePart,
|
|
_Out_opt_ PRTL_RELATIVE_NAME_U RelativeName
|
|
);
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_WS03)
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlReleaseRelativeName(
|
|
_Inout_ PRTL_RELATIVE_NAME_U RelativeName
|
|
);
|
|
#endif
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlDosSearchPath_U(
|
|
_In_ PCWSTR Path,
|
|
_In_ PCWSTR FileName,
|
|
_In_opt_ PCWSTR Extension,
|
|
_In_ ULONG BufferLength,
|
|
_Out_writes_bytes_(BufferLength) PWSTR Buffer,
|
|
_Out_opt_ PWSTR *FilePart
|
|
);
|
|
|
|
#define RTL_DOS_SEARCH_PATH_FLAG_APPLY_ISOLATION_REDIRECTION 0x00000001
|
|
#define RTL_DOS_SEARCH_PATH_FLAG_DISALLOW_DOT_RELATIVE_PATH_SEARCH 0x00000002
|
|
#define RTL_DOS_SEARCH_PATH_FLAG_APPLY_DEFAULT_EXTENSION_WHEN_NOT_RELATIVE_PATH_EVEN_IF_FILE_HAS_EXTENSION 0x00000004
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDosSearchPath_Ustr(
|
|
_In_ ULONG Flags,
|
|
_In_ PUNICODE_STRING Path,
|
|
_In_ PUNICODE_STRING FileName,
|
|
_In_opt_ PUNICODE_STRING DefaultExtension,
|
|
_Out_opt_ PUNICODE_STRING StaticString,
|
|
_Out_opt_ PUNICODE_STRING DynamicString,
|
|
_Out_opt_ PCUNICODE_STRING *FullFileNameOut,
|
|
_Out_opt_ SIZE_T *FilePartPrefixCch,
|
|
_Out_opt_ SIZE_T *BytesRequired
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlDoesFileExists_U(
|
|
_In_ PCWSTR FileName
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlGetLengthWithoutLastFullDosOrNtPathElement(
|
|
_Reserved_ ULONG Flags,
|
|
_In_ PUNICODE_STRING PathString,
|
|
_Out_ PULONG Length
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlGetLengthWithoutTrailingPathSeperators(
|
|
_Reserved_ ULONG Flags,
|
|
_In_ PUNICODE_STRING PathString,
|
|
_Out_ PULONG Length
|
|
);
|
|
|
|
typedef struct _GENERATE_NAME_CONTEXT
|
|
{
|
|
USHORT Checksum;
|
|
BOOLEAN CheckSumInserted;
|
|
UCHAR NameLength;
|
|
WCHAR NameBuffer[8];
|
|
ULONG ExtensionLength;
|
|
WCHAR ExtensionBuffer[4];
|
|
ULONG LastIndexValue;
|
|
} GENERATE_NAME_CONTEXT, *PGENERATE_NAME_CONTEXT;
|
|
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlGenerate8dot3Name(
|
|
_In_ PUNICODE_STRING Name,
|
|
_In_ BOOLEAN AllowExtendedCharacters,
|
|
_In_ PGENERATE_NAME_CONTEXT Context,
|
|
_Out_ PUNICODE_STRING Name8dot3
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_WIN8)
|
|
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlComputePrivatizedDllName_U(
|
|
_In_ PUNICODE_STRING DllName,
|
|
_Out_ PUNICODE_STRING RealName,
|
|
_Out_ PUNICODE_STRING LocalName
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlGetSearchPath(
|
|
_Out_ PWSTR *SearchPath
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSetSearchPathMode(
|
|
_In_ ULONG Flags
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
PWSTR
|
|
NTAPI
|
|
RtlGetExePath(
|
|
VOID
|
|
);
|
|
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_REDSTONE2)
|
|
|
|
// private
|
|
NTSYSAPI
|
|
PWSTR
|
|
NTAPI
|
|
RtlGetNtSystemRoot(
|
|
VOID
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlAreLongPathsEnabled(
|
|
VOID
|
|
);
|
|
|
|
#endif
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlIsThreadWithinLoaderCallout(
|
|
VOID
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlDllShutdownInProgress(
|
|
VOID
|
|
);
|
|
|
|
// Heaps
|
|
|
|
typedef struct _RTL_HEAP_ENTRY
|
|
{
|
|
SIZE_T Size;
|
|
USHORT Flags;
|
|
USHORT AllocatorBackTraceIndex;
|
|
union
|
|
{
|
|
struct
|
|
{
|
|
SIZE_T Settable;
|
|
ULONG Tag;
|
|
} s1;
|
|
struct
|
|
{
|
|
SIZE_T CommittedSize;
|
|
PVOID FirstBlock;
|
|
} s2;
|
|
} u;
|
|
} RTL_HEAP_ENTRY, *PRTL_HEAP_ENTRY;
|
|
|
|
#define RTL_HEAP_BUSY (USHORT)0x0001
|
|
#define RTL_HEAP_SEGMENT (USHORT)0x0002
|
|
#define RTL_HEAP_SETTABLE_VALUE (USHORT)0x0010
|
|
#define RTL_HEAP_SETTABLE_FLAG1 (USHORT)0x0020
|
|
#define RTL_HEAP_SETTABLE_FLAG2 (USHORT)0x0040
|
|
#define RTL_HEAP_SETTABLE_FLAG3 (USHORT)0x0080
|
|
#define RTL_HEAP_SETTABLE_FLAGS (USHORT)0x00e0
|
|
#define RTL_HEAP_UNCOMMITTED_RANGE (USHORT)0x0100
|
|
#define RTL_HEAP_PROTECTED_ENTRY (USHORT)0x0200
|
|
|
|
typedef struct _RTL_HEAP_TAG
|
|
{
|
|
ULONG NumberOfAllocations;
|
|
ULONG NumberOfFrees;
|
|
SIZE_T BytesAllocated;
|
|
USHORT TagIndex;
|
|
USHORT CreatorBackTraceIndex;
|
|
WCHAR TagName[24];
|
|
} RTL_HEAP_TAG, *PRTL_HEAP_TAG;
|
|
|
|
typedef struct _RTL_HEAP_INFORMATION
|
|
{
|
|
PVOID BaseAddress;
|
|
ULONG Flags;
|
|
USHORT EntryOverhead;
|
|
USHORT CreatorBackTraceIndex;
|
|
SIZE_T BytesAllocated;
|
|
SIZE_T BytesCommitted;
|
|
ULONG NumberOfTags;
|
|
ULONG NumberOfEntries;
|
|
ULONG NumberOfPseudoTags;
|
|
ULONG PseudoTagGranularity;
|
|
ULONG Reserved[5];
|
|
PRTL_HEAP_TAG Tags;
|
|
PRTL_HEAP_ENTRY Entries;
|
|
} RTL_HEAP_INFORMATION, *PRTL_HEAP_INFORMATION;
|
|
|
|
typedef struct _RTL_PROCESS_HEAPS
|
|
{
|
|
ULONG NumberOfHeaps;
|
|
RTL_HEAP_INFORMATION Heaps[1];
|
|
} RTL_PROCESS_HEAPS, *PRTL_PROCESS_HEAPS;
|
|
|
|
typedef NTSTATUS (NTAPI *PRTL_HEAP_COMMIT_ROUTINE)(
|
|
_In_ PVOID Base,
|
|
_Inout_ PVOID *CommitAddress,
|
|
_Inout_ PSIZE_T CommitSize
|
|
);
|
|
|
|
typedef struct _RTL_HEAP_PARAMETERS
|
|
{
|
|
ULONG Length;
|
|
SIZE_T SegmentReserve;
|
|
SIZE_T SegmentCommit;
|
|
SIZE_T DeCommitFreeBlockThreshold;
|
|
SIZE_T DeCommitTotalFreeThreshold;
|
|
SIZE_T MaximumAllocationSize;
|
|
SIZE_T VirtualMemoryThreshold;
|
|
SIZE_T InitialCommit;
|
|
SIZE_T InitialReserve;
|
|
PRTL_HEAP_COMMIT_ROUTINE CommitRoutine;
|
|
SIZE_T Reserved[2];
|
|
} RTL_HEAP_PARAMETERS, *PRTL_HEAP_PARAMETERS;
|
|
|
|
#define HEAP_SETTABLE_USER_VALUE 0x00000100
|
|
#define HEAP_SETTABLE_USER_FLAG1 0x00000200
|
|
#define HEAP_SETTABLE_USER_FLAG2 0x00000400
|
|
#define HEAP_SETTABLE_USER_FLAG3 0x00000800
|
|
#define HEAP_SETTABLE_USER_FLAGS 0x00000e00
|
|
|
|
#define HEAP_CLASS_0 0x00000000 // Process heap
|
|
#define HEAP_CLASS_1 0x00001000 // Private heap
|
|
#define HEAP_CLASS_2 0x00002000 // Kernel heap
|
|
#define HEAP_CLASS_3 0x00003000 // GDI heap
|
|
#define HEAP_CLASS_4 0x00004000 // User heap
|
|
#define HEAP_CLASS_5 0x00005000 // Console heap
|
|
#define HEAP_CLASS_6 0x00006000 // User desktop heap
|
|
#define HEAP_CLASS_7 0x00007000 // CSR shared heap
|
|
#define HEAP_CLASS_8 0x00008000 // CSR port heap
|
|
#define HEAP_CLASS_MASK 0x0000f000
|
|
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlCreateHeap(
|
|
_In_ ULONG Flags,
|
|
_In_opt_ PVOID HeapBase,
|
|
_In_opt_ SIZE_T ReserveSize,
|
|
_In_opt_ SIZE_T CommitSize,
|
|
_In_opt_ PVOID Lock,
|
|
_In_opt_ PRTL_HEAP_PARAMETERS Parameters
|
|
);
|
|
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlDestroyHeap(
|
|
_Frees_ptr_ PVOID HeapHandle
|
|
);
|
|
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlAllocateHeap(
|
|
_In_ PVOID HeapHandle,
|
|
_In_opt_ ULONG Flags,
|
|
_In_ SIZE_T Size
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlFreeHeap(
|
|
_In_ PVOID HeapHandle,
|
|
_In_opt_ ULONG Flags,
|
|
_Frees_ptr_opt_ PVOID BaseAddress
|
|
);
|
|
|
|
NTSYSAPI
|
|
SIZE_T
|
|
NTAPI
|
|
RtlSizeHeap(
|
|
_In_ PVOID HeapHandle,
|
|
_In_ ULONG Flags,
|
|
_In_ PVOID BaseAddress
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlZeroHeap(
|
|
_In_ PVOID HeapHandle,
|
|
_In_ ULONG Flags
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlProtectHeap(
|
|
_In_ PVOID HeapHandle,
|
|
_In_ BOOLEAN MakeReadOnly
|
|
);
|
|
|
|
#define RtlProcessHeap() (NtCurrentPeb()->ProcessHeap)
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlLockHeap(
|
|
_In_ PVOID HeapHandle
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlUnlockHeap(
|
|
_In_ PVOID HeapHandle
|
|
);
|
|
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlReAllocateHeap(
|
|
_In_ PVOID HeapHandle,
|
|
_In_ ULONG Flags,
|
|
_Frees_ptr_opt_ PVOID BaseAddress,
|
|
_In_ SIZE_T Size
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlGetUserInfoHeap(
|
|
_In_ PVOID HeapHandle,
|
|
_In_ ULONG Flags,
|
|
_In_ PVOID BaseAddress,
|
|
_Out_opt_ PVOID *UserValue,
|
|
_Out_opt_ PULONG UserFlags
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlSetUserValueHeap(
|
|
_In_ PVOID HeapHandle,
|
|
_In_ ULONG Flags,
|
|
_In_ PVOID BaseAddress,
|
|
_In_ PVOID UserValue
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlSetUserFlagsHeap(
|
|
_In_ PVOID HeapHandle,
|
|
_In_ ULONG Flags,
|
|
_In_ PVOID BaseAddress,
|
|
_In_ ULONG UserFlagsReset,
|
|
_In_ ULONG UserFlagsSet
|
|
);
|
|
|
|
typedef struct _RTL_HEAP_TAG_INFO
|
|
{
|
|
ULONG NumberOfAllocations;
|
|
ULONG NumberOfFrees;
|
|
SIZE_T BytesAllocated;
|
|
} RTL_HEAP_TAG_INFO, *PRTL_HEAP_TAG_INFO;
|
|
|
|
#define RTL_HEAP_MAKE_TAG HEAP_MAKE_TAG_FLAGS
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlCreateTagHeap(
|
|
_In_ PVOID HeapHandle,
|
|
_In_ ULONG Flags,
|
|
_In_opt_ PWSTR TagPrefix,
|
|
_In_ PWSTR TagNames
|
|
);
|
|
|
|
NTSYSAPI
|
|
PWSTR
|
|
NTAPI
|
|
RtlQueryTagHeap(
|
|
_In_ PVOID HeapHandle,
|
|
_In_ ULONG Flags,
|
|
_In_ USHORT TagIndex,
|
|
_In_ BOOLEAN ResetCounters,
|
|
_Out_opt_ PRTL_HEAP_TAG_INFO TagInfo
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlExtendHeap(
|
|
_In_ PVOID HeapHandle,
|
|
_In_ ULONG Flags,
|
|
_In_ PVOID Base,
|
|
_In_ SIZE_T Size
|
|
);
|
|
|
|
NTSYSAPI
|
|
SIZE_T
|
|
NTAPI
|
|
RtlCompactHeap(
|
|
_In_ PVOID HeapHandle,
|
|
_In_ ULONG Flags
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlValidateHeap(
|
|
_In_ PVOID HeapHandle,
|
|
_In_ ULONG Flags,
|
|
_In_ PVOID BaseAddress
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlValidateProcessHeaps(
|
|
VOID
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlGetProcessHeaps(
|
|
_In_ ULONG NumberOfHeaps,
|
|
_Out_ PVOID *ProcessHeaps
|
|
);
|
|
|
|
typedef NTSTATUS (NTAPI *PRTL_ENUM_HEAPS_ROUTINE)(
|
|
_In_ PVOID HeapHandle,
|
|
_In_ PVOID Parameter
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlEnumProcessHeaps(
|
|
_In_ PRTL_ENUM_HEAPS_ROUTINE EnumRoutine,
|
|
_In_ PVOID Parameter
|
|
);
|
|
|
|
typedef struct _RTL_HEAP_USAGE_ENTRY
|
|
{
|
|
struct _RTL_HEAP_USAGE_ENTRY *Next;
|
|
PVOID Address;
|
|
SIZE_T Size;
|
|
USHORT AllocatorBackTraceIndex;
|
|
USHORT TagIndex;
|
|
} RTL_HEAP_USAGE_ENTRY, *PRTL_HEAP_USAGE_ENTRY;
|
|
|
|
typedef struct _RTL_HEAP_USAGE
|
|
{
|
|
ULONG Length;
|
|
SIZE_T BytesAllocated;
|
|
SIZE_T BytesCommitted;
|
|
SIZE_T BytesReserved;
|
|
SIZE_T BytesReservedMaximum;
|
|
PRTL_HEAP_USAGE_ENTRY Entries;
|
|
PRTL_HEAP_USAGE_ENTRY AddedEntries;
|
|
PRTL_HEAP_USAGE_ENTRY RemovedEntries;
|
|
ULONG_PTR Reserved[8];
|
|
} RTL_HEAP_USAGE, *PRTL_HEAP_USAGE;
|
|
|
|
#define HEAP_USAGE_ALLOCATED_BLOCKS HEAP_REALLOC_IN_PLACE_ONLY
|
|
#define HEAP_USAGE_FREE_BUFFER HEAP_ZERO_MEMORY
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlUsageHeap(
|
|
_In_ PVOID HeapHandle,
|
|
_In_ ULONG Flags,
|
|
_Inout_ PRTL_HEAP_USAGE Usage
|
|
);
|
|
|
|
typedef struct _RTL_HEAP_WALK_ENTRY
|
|
{
|
|
PVOID DataAddress;
|
|
SIZE_T DataSize;
|
|
UCHAR OverheadBytes;
|
|
UCHAR SegmentIndex;
|
|
USHORT Flags;
|
|
union
|
|
{
|
|
struct
|
|
{
|
|
SIZE_T Settable;
|
|
USHORT TagIndex;
|
|
USHORT AllocatorBackTraceIndex;
|
|
ULONG Reserved[2];
|
|
} Block;
|
|
struct
|
|
{
|
|
ULONG CommittedSize;
|
|
ULONG UnCommittedSize;
|
|
PVOID FirstEntry;
|
|
PVOID LastEntry;
|
|
} Segment;
|
|
};
|
|
} RTL_HEAP_WALK_ENTRY, *PRTL_HEAP_WALK_ENTRY;
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlWalkHeap(
|
|
_In_ PVOID HeapHandle,
|
|
_Inout_ PRTL_HEAP_WALK_ENTRY Entry
|
|
);
|
|
|
|
// HEAP_INFORMATION_CLASS
|
|
#define HeapCompatibilityInformation 0x0 // q; s: ULONG
|
|
#define HeapEnableTerminationOnCorruption 0x1 // q; s: NULL
|
|
#define HeapExtendedInformation 0x2 // q; s: HEAP_EXTENDED_INFORMATION
|
|
#define HeapOptimizeResources 0x3 // q; s: HEAP_OPTIMIZE_RESOURCES_INFORMATION
|
|
#define HeapTaggingInformation 0x4
|
|
#define HeapStackDatabase 0x5
|
|
#define HeapMemoryLimit 0x6 // 19H2
|
|
#define HeapDetailedFailureInformation 0x80000001
|
|
#define HeapSetDebuggingInformation 0x80000002 // q; s: HEAP_DEBUGGING_INFORMATION
|
|
|
|
typedef enum _HEAP_COMPATIBILITY_MODE
|
|
{
|
|
HEAP_COMPATIBILITY_STANDARD = 0UL,
|
|
HEAP_COMPATIBILITY_LAL = 1UL,
|
|
HEAP_COMPATIBILITY_LFH = 2UL,
|
|
} HEAP_COMPATIBILITY_MODE;
|
|
|
|
typedef struct _PROCESS_HEAP_INFORMATION
|
|
{
|
|
ULONG_PTR ReserveSize;
|
|
ULONG_PTR CommitSize;
|
|
ULONG NumberOfHeaps;
|
|
ULONG_PTR FirstHeapInformationOffset;
|
|
} PROCESS_HEAP_INFORMATION, *PPROCESS_HEAP_INFORMATION;
|
|
|
|
typedef struct _HEAP_INFORMATION
|
|
{
|
|
ULONG_PTR Address;
|
|
ULONG Mode;
|
|
ULONG_PTR ReserveSize;
|
|
ULONG_PTR CommitSize;
|
|
ULONG_PTR FirstRegionInformationOffset;
|
|
ULONG_PTR NextHeapInformationOffset;
|
|
} HEAP_INFORMATION, *PHEAP_INFORMATION;
|
|
|
|
typedef struct _HEAP_EXTENDED_INFORMATION
|
|
{
|
|
HANDLE Process;
|
|
ULONG_PTR Heap;
|
|
ULONG Level;
|
|
PVOID CallbackRoutine;
|
|
PVOID CallbackContext;
|
|
union
|
|
{
|
|
PROCESS_HEAP_INFORMATION ProcessHeapInformation;
|
|
HEAP_INFORMATION HeapInformation;
|
|
};
|
|
} HEAP_EXTENDED_INFORMATION, *PHEAP_EXTENDED_INFORMATION;
|
|
|
|
// rev
|
|
typedef NTSTATUS (NTAPI *PRTL_HEAP_LEAK_ENUMERATION_ROUTINE)(
|
|
_In_ LONG Reserved,
|
|
_In_ PVOID HeapHandle,
|
|
_In_ PVOID BaseAddress,
|
|
_In_ SIZE_T BlockSize,
|
|
_In_ ULONG StackTraceDepth,
|
|
_In_ PVOID *StackTrace
|
|
);
|
|
|
|
// symbols
|
|
typedef struct _HEAP_DEBUGGING_INFORMATION
|
|
{
|
|
PVOID InterceptorFunction;
|
|
USHORT InterceptorValue;
|
|
ULONG ExtendedOptions;
|
|
ULONG StackTraceDepth;
|
|
SIZE_T MinTotalBlockSize;
|
|
SIZE_T MaxTotalBlockSize;
|
|
PRTL_HEAP_LEAK_ENUMERATION_ROUTINE HeapLeakEnumerationRoutine;
|
|
} HEAP_DEBUGGING_INFORMATION, *PHEAP_DEBUGGING_INFORMATION;
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlQueryHeapInformation(
|
|
_In_ PVOID HeapHandle,
|
|
_In_ HEAP_INFORMATION_CLASS HeapInformationClass,
|
|
_Out_opt_ PVOID HeapInformation,
|
|
_In_opt_ SIZE_T HeapInformationLength,
|
|
_Out_opt_ PSIZE_T ReturnLength
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSetHeapInformation(
|
|
_In_ PVOID HeapHandle,
|
|
_In_ HEAP_INFORMATION_CLASS HeapInformationClass,
|
|
_In_opt_ PVOID HeapInformation,
|
|
_In_opt_ SIZE_T HeapInformationLength
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlMultipleAllocateHeap(
|
|
_In_ PVOID HeapHandle,
|
|
_In_ ULONG Flags,
|
|
_In_ SIZE_T Size,
|
|
_In_ ULONG Count,
|
|
_Out_ PVOID *Array
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlMultipleFreeHeap(
|
|
_In_ PVOID HeapHandle,
|
|
_In_ ULONG Flags,
|
|
_In_ ULONG Count,
|
|
_In_ PVOID *Array
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_WIN7)
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlDetectHeapLeaks(
|
|
VOID
|
|
);
|
|
#endif
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlFlushHeaps(
|
|
VOID
|
|
);
|
|
|
|
// Memory zones
|
|
|
|
// begin_private
|
|
|
|
typedef struct _RTL_MEMORY_ZONE_SEGMENT
|
|
{
|
|
struct _RTL_MEMORY_ZONE_SEGMENT *NextSegment;
|
|
SIZE_T Size;
|
|
PVOID Next;
|
|
PVOID Limit;
|
|
} RTL_MEMORY_ZONE_SEGMENT, *PRTL_MEMORY_ZONE_SEGMENT;
|
|
|
|
typedef struct _RTL_MEMORY_ZONE
|
|
{
|
|
RTL_MEMORY_ZONE_SEGMENT Segment;
|
|
RTL_SRWLOCK Lock;
|
|
ULONG LockCount;
|
|
PRTL_MEMORY_ZONE_SEGMENT FirstSegment;
|
|
} RTL_MEMORY_ZONE, *PRTL_MEMORY_ZONE;
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCreateMemoryZone(
|
|
_Out_ PVOID *MemoryZone,
|
|
_In_ SIZE_T InitialSize,
|
|
_Reserved_ ULONG Flags
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDestroyMemoryZone(
|
|
_In_ _Post_invalid_ PVOID MemoryZone
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlAllocateMemoryZone(
|
|
_In_ PVOID MemoryZone,
|
|
_In_ SIZE_T BlockSize,
|
|
_Out_ PVOID *Block
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlResetMemoryZone(
|
|
_In_ PVOID MemoryZone
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlLockMemoryZone(
|
|
_In_ PVOID MemoryZone
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlUnlockMemoryZone(
|
|
_In_ PVOID MemoryZone
|
|
);
|
|
|
|
#endif
|
|
|
|
// end_private
|
|
|
|
// Memory block lookaside lists
|
|
|
|
// begin_private
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCreateMemoryBlockLookaside(
|
|
_Out_ PVOID *MemoryBlockLookaside,
|
|
_Reserved_ ULONG Flags,
|
|
_In_ ULONG InitialSize,
|
|
_In_ ULONG MinimumBlockSize,
|
|
_In_ ULONG MaximumBlockSize
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDestroyMemoryBlockLookaside(
|
|
_In_ PVOID MemoryBlockLookaside
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlAllocateMemoryBlockLookaside(
|
|
_In_ PVOID MemoryBlockLookaside,
|
|
_In_ ULONG BlockSize,
|
|
_Out_ PVOID *Block
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlFreeMemoryBlockLookaside(
|
|
_In_ PVOID MemoryBlockLookaside,
|
|
_In_ PVOID Block
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlExtendMemoryBlockLookaside(
|
|
_In_ PVOID MemoryBlockLookaside,
|
|
_In_ ULONG Increment
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlResetMemoryBlockLookaside(
|
|
_In_ PVOID MemoryBlockLookaside
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlLockMemoryBlockLookaside(
|
|
_In_ PVOID MemoryBlockLookaside
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlUnlockMemoryBlockLookaside(
|
|
_In_ PVOID MemoryBlockLookaside
|
|
);
|
|
|
|
#endif
|
|
|
|
// end_private
|
|
|
|
// Transactions
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
// private
|
|
NTSYSAPI
|
|
HANDLE
|
|
NTAPI
|
|
RtlGetCurrentTransaction(
|
|
VOID
|
|
);
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
// private
|
|
NTSYSAPI
|
|
LOGICAL
|
|
NTAPI
|
|
RtlSetCurrentTransaction(
|
|
_In_ HANDLE TransactionHandle
|
|
);
|
|
#endif
|
|
|
|
// LUIDs
|
|
|
|
FORCEINLINE BOOLEAN RtlIsEqualLuid( // RtlEqualLuid
|
|
_In_ PLUID L1,
|
|
_In_ PLUID L2
|
|
)
|
|
{
|
|
return L1->LowPart == L2->LowPart &&
|
|
L1->HighPart == L2->HighPart;
|
|
}
|
|
|
|
FORCEINLINE BOOLEAN RtlIsZeroLuid(
|
|
_In_ PLUID L1
|
|
)
|
|
{
|
|
return (L1->LowPart | L1->HighPart) == 0;
|
|
}
|
|
|
|
FORCEINLINE LUID RtlConvertLongToLuid(
|
|
_In_ LONG Long
|
|
)
|
|
{
|
|
LUID tempLuid;
|
|
LARGE_INTEGER tempLi;
|
|
|
|
tempLi.QuadPart = Long;
|
|
tempLuid.LowPart = tempLi.LowPart;
|
|
tempLuid.HighPart = tempLi.HighPart;
|
|
|
|
return tempLuid;
|
|
}
|
|
|
|
FORCEINLINE LUID RtlConvertUlongToLuid(
|
|
_In_ ULONG Ulong
|
|
)
|
|
{
|
|
LUID tempLuid;
|
|
|
|
tempLuid.LowPart = Ulong;
|
|
tempLuid.HighPart = 0;
|
|
|
|
return tempLuid;
|
|
}
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlCopyLuid(
|
|
_Out_ PLUID DestinationLuid,
|
|
_In_ PLUID SourceLuid
|
|
);
|
|
|
|
// ros
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlCopyLuidAndAttributesArray(
|
|
_In_ ULONG Count,
|
|
_In_ PLUID_AND_ATTRIBUTES Src,
|
|
_In_ PLUID_AND_ATTRIBUTES Dest
|
|
);
|
|
|
|
// Byte swap routines.
|
|
|
|
#ifndef PHNT_RTL_BYTESWAP
|
|
#define RtlUshortByteSwap(_x) _byteswap_ushort((USHORT)(_x))
|
|
#define RtlUlongByteSwap(_x) _byteswap_ulong((_x))
|
|
#define RtlUlonglongByteSwap(_x) _byteswap_uint64((_x))
|
|
#else
|
|
NTSYSAPI
|
|
USHORT
|
|
FASTCALL
|
|
RtlUshortByteSwap(
|
|
_In_ USHORT Source
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
FASTCALL
|
|
RtlUlongByteSwap(
|
|
_In_ ULONG Source
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONGLONG
|
|
FASTCALL
|
|
RtlUlonglongByteSwap(
|
|
_In_ ULONGLONG Source
|
|
);
|
|
#endif
|
|
|
|
// Debugging
|
|
|
|
// private
|
|
typedef struct _RTL_PROCESS_VERIFIER_OPTIONS
|
|
{
|
|
ULONG SizeStruct;
|
|
ULONG Option;
|
|
UCHAR OptionData[1];
|
|
} RTL_PROCESS_VERIFIER_OPTIONS, *PRTL_PROCESS_VERIFIER_OPTIONS;
|
|
|
|
// private
|
|
typedef struct _RTL_DEBUG_INFORMATION
|
|
{
|
|
HANDLE SectionHandleClient;
|
|
PVOID ViewBaseClient;
|
|
PVOID ViewBaseTarget;
|
|
ULONG_PTR ViewBaseDelta;
|
|
HANDLE EventPairClient;
|
|
HANDLE EventPairTarget;
|
|
HANDLE TargetProcessId;
|
|
HANDLE TargetThreadHandle;
|
|
ULONG Flags;
|
|
SIZE_T OffsetFree;
|
|
SIZE_T CommitSize;
|
|
SIZE_T ViewSize;
|
|
union
|
|
{
|
|
struct _RTL_PROCESS_MODULES *Modules;
|
|
struct _RTL_PROCESS_MODULE_INFORMATION_EX *ModulesEx;
|
|
};
|
|
struct _RTL_PROCESS_BACKTRACES *BackTraces;
|
|
struct _RTL_PROCESS_HEAPS *Heaps;
|
|
struct _RTL_PROCESS_LOCKS *Locks;
|
|
PVOID SpecificHeap;
|
|
HANDLE TargetProcessHandle;
|
|
PRTL_PROCESS_VERIFIER_OPTIONS VerifierOptions;
|
|
PVOID ProcessHeap;
|
|
HANDLE CriticalSectionHandle;
|
|
HANDLE CriticalSectionOwnerThread;
|
|
PVOID Reserved[4];
|
|
} RTL_DEBUG_INFORMATION, *PRTL_DEBUG_INFORMATION;
|
|
|
|
NTSYSAPI
|
|
PRTL_DEBUG_INFORMATION
|
|
NTAPI
|
|
RtlCreateQueryDebugBuffer(
|
|
_In_opt_ ULONG MaximumCommit,
|
|
_In_ BOOLEAN UseEventPair
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDestroyQueryDebugBuffer(
|
|
_In_ PRTL_DEBUG_INFORMATION Buffer
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
|
|
// private
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlCommitDebugInfo(
|
|
_Inout_ PRTL_DEBUG_INFORMATION Buffer,
|
|
_In_ SIZE_T Size
|
|
);
|
|
|
|
// private
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlDeCommitDebugInfo(
|
|
_Inout_ PRTL_DEBUG_INFORMATION Buffer,
|
|
_In_ PVOID p,
|
|
_In_ SIZE_T Size
|
|
);
|
|
|
|
#endif
|
|
|
|
#define RTL_QUERY_PROCESS_MODULES 0x00000001
|
|
#define RTL_QUERY_PROCESS_BACKTRACES 0x00000002
|
|
#define RTL_QUERY_PROCESS_HEAP_SUMMARY 0x00000004
|
|
#define RTL_QUERY_PROCESS_HEAP_TAGS 0x00000008
|
|
#define RTL_QUERY_PROCESS_HEAP_ENTRIES 0x00000010
|
|
#define RTL_QUERY_PROCESS_LOCKS 0x00000020
|
|
#define RTL_QUERY_PROCESS_MODULES32 0x00000040
|
|
#define RTL_QUERY_PROCESS_VERIFIER_OPTIONS 0x00000080 // rev
|
|
#define RTL_QUERY_PROCESS_MODULESEX 0x00000100 // rev
|
|
#define RTL_QUERY_PROCESS_HEAP_ENTRIES_EX 0x00000200 // ?
|
|
#define RTL_QUERY_PROCESS_CS_OWNER 0x00000400 // rev
|
|
#define RTL_QUERY_PROCESS_NONINVASIVE 0x80000000
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlQueryProcessDebugInformation(
|
|
_In_ HANDLE UniqueProcessId,
|
|
_In_ ULONG Flags,
|
|
_Inout_ PRTL_DEBUG_INFORMATION Buffer
|
|
);
|
|
|
|
// Messages
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlFindMessage(
|
|
_In_ PVOID DllHandle,
|
|
_In_ ULONG MessageTableId,
|
|
_In_ ULONG MessageLanguageId,
|
|
_In_ ULONG MessageId,
|
|
_Out_ PMESSAGE_RESOURCE_ENTRY *MessageEntry
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlFormatMessage(
|
|
_In_ PWSTR MessageFormat,
|
|
_In_ ULONG MaximumWidth,
|
|
_In_ BOOLEAN IgnoreInserts,
|
|
_In_ BOOLEAN ArgumentsAreAnsi,
|
|
_In_ BOOLEAN ArgumentsAreAnArray,
|
|
_In_ va_list *Arguments,
|
|
_Out_writes_bytes_to_(Length, *ReturnLength) PWSTR Buffer,
|
|
_In_ ULONG Length,
|
|
_Out_opt_ PULONG ReturnLength
|
|
);
|
|
|
|
typedef struct _PARSE_MESSAGE_CONTEXT
|
|
{
|
|
ULONG fFlags;
|
|
ULONG cwSavColumn;
|
|
SIZE_T iwSrc;
|
|
SIZE_T iwDst;
|
|
SIZE_T iwDstSpace;
|
|
va_list lpvArgStart;
|
|
} PARSE_MESSAGE_CONTEXT, *PPARSE_MESSAGE_CONTEXT;
|
|
|
|
#define INIT_PARSE_MESSAGE_CONTEXT(ctx) { (ctx)->fFlags = 0; }
|
|
#define TEST_PARSE_MESSAGE_CONTEXT_FLAG(ctx, flag) ((ctx)->fFlags & (flag))
|
|
#define SET_PARSE_MESSAGE_CONTEXT_FLAG(ctx, flag) ((ctx)->fFlags |= (flag))
|
|
#define CLEAR_PARSE_MESSAGE_CONTEXT_FLAG(ctx, flag) ((ctx)->fFlags &= ~(flag))
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlFormatMessageEx(
|
|
_In_ PWSTR MessageFormat,
|
|
_In_ ULONG MaximumWidth,
|
|
_In_ BOOLEAN IgnoreInserts,
|
|
_In_ BOOLEAN ArgumentsAreAnsi,
|
|
_In_ BOOLEAN ArgumentsAreAnArray,
|
|
_In_ va_list *Arguments,
|
|
_Out_writes_bytes_to_(Length, *ReturnLength) PWSTR Buffer,
|
|
_In_ ULONG Length,
|
|
_Out_opt_ PULONG ReturnLength,
|
|
_Out_opt_ PPARSE_MESSAGE_CONTEXT ParseContext
|
|
);
|
|
|
|
// Errors
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlNtStatusToDosError(
|
|
_In_ NTSTATUS Status
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlNtStatusToDosErrorNoTeb(
|
|
_In_ NTSTATUS Status
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlGetLastNtStatus(
|
|
VOID
|
|
);
|
|
|
|
NTSYSAPI
|
|
LONG
|
|
NTAPI
|
|
RtlGetLastWin32Error(
|
|
VOID
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlSetLastWin32ErrorAndNtStatusFromNtStatus(
|
|
_In_ NTSTATUS Status
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlSetLastWin32Error(
|
|
_In_ LONG Win32Error
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlRestoreLastWin32Error(
|
|
_In_ LONG Win32Error
|
|
);
|
|
|
|
#define RTL_ERRORMODE_FAILCRITICALERRORS 0x0010
|
|
#define RTL_ERRORMODE_NOGPFAULTERRORBOX 0x0020
|
|
#define RTL_ERRORMODE_NOOPENFILEERRORBOX 0x0040
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlGetThreadErrorMode(
|
|
VOID
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSetThreadErrorMode(
|
|
_In_ ULONG NewMode,
|
|
_Out_opt_ PULONG OldMode
|
|
);
|
|
|
|
// Windows Error Reporting
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlReportException(
|
|
_In_ PEXCEPTION_RECORD ExceptionRecord,
|
|
_In_ PCONTEXT ContextRecord,
|
|
_In_ ULONG Flags
|
|
);
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_REDSTONE)
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlReportExceptionEx(
|
|
_In_ PEXCEPTION_RECORD ExceptionRecord,
|
|
_In_ PCONTEXT ContextRecord,
|
|
_In_ ULONG Flags,
|
|
_In_ PLARGE_INTEGER Timeout
|
|
);
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlWerpReportException(
|
|
_In_ ULONG ProcessId,
|
|
_In_ HANDLE CrashReportSharedMem,
|
|
_In_ ULONG Flags,
|
|
_Out_ PHANDLE CrashVerticalProcessHandle
|
|
);
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_WIN7)
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlReportSilentProcessExit(
|
|
_In_ HANDLE ProcessHandle,
|
|
_In_ NTSTATUS ExitStatus
|
|
);
|
|
#endif
|
|
|
|
// Vectored Exception Handlers
|
|
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlAddVectoredExceptionHandler(
|
|
_In_ ULONG First,
|
|
_In_ PVECTORED_EXCEPTION_HANDLER Handler
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlRemoveVectoredExceptionHandler(
|
|
_In_ PVOID Handle
|
|
);
|
|
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlAddVectoredContinueHandler(
|
|
_In_ ULONG First,
|
|
_In_ PVECTORED_EXCEPTION_HANDLER Handler
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlRemoveVectoredContinueHandler(
|
|
_In_ PVOID Handle
|
|
);
|
|
|
|
// Random
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlUniform(
|
|
_Inout_ PULONG Seed
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlRandom(
|
|
_Inout_ PULONG Seed
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlRandomEx(
|
|
_Inout_ PULONG Seed
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlComputeImportTableHash(
|
|
_In_ HANDLE FileHandle,
|
|
_Out_writes_bytes_(16) PCHAR Hash,
|
|
_In_ ULONG ImportTableHashRevision // must be 1
|
|
);
|
|
|
|
// Integer conversion
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlIntegerToChar(
|
|
_In_ ULONG Value,
|
|
_In_opt_ ULONG Base,
|
|
_In_ LONG OutputLength, // negative to pad to width
|
|
_Out_ PSTR String
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCharToInteger(
|
|
_In_ PCSTR String,
|
|
_In_opt_ ULONG Base,
|
|
_Out_ PULONG Value
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlLargeIntegerToChar(
|
|
_In_ PLARGE_INTEGER Value,
|
|
_In_opt_ ULONG Base,
|
|
_In_ LONG OutputLength,
|
|
_Out_ PSTR String
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlIntegerToUnicodeString(
|
|
_In_ ULONG Value,
|
|
_In_opt_ ULONG Base,
|
|
_Inout_ PUNICODE_STRING String
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlInt64ToUnicodeString(
|
|
_In_ ULONGLONG Value,
|
|
_In_opt_ ULONG Base,
|
|
_Inout_ PUNICODE_STRING String
|
|
);
|
|
|
|
#ifdef _WIN64
|
|
#define RtlIntPtrToUnicodeString(Value, Base, String) RtlInt64ToUnicodeString(Value, Base, String)
|
|
#else
|
|
#define RtlIntPtrToUnicodeString(Value, Base, String) RtlIntegerToUnicodeString(Value, Base, String)
|
|
#endif
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlUnicodeStringToInteger(
|
|
_In_ PUNICODE_STRING String,
|
|
_In_opt_ ULONG Base,
|
|
_Out_ PULONG Value
|
|
);
|
|
|
|
// IPv4/6 conversion
|
|
|
|
struct in_addr;
|
|
struct in6_addr;
|
|
|
|
NTSYSAPI
|
|
PWSTR
|
|
NTAPI
|
|
RtlIpv4AddressToStringW(
|
|
_In_ const struct in_addr *Address,
|
|
_Out_writes_(16) PWSTR AddressString
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlIpv4AddressToStringExW(
|
|
_In_ const struct in_addr *Address,
|
|
_In_ USHORT Port,
|
|
_Out_writes_to_(*AddressStringLength, *AddressStringLength) PWSTR AddressString,
|
|
_Inout_ PULONG AddressStringLength
|
|
);
|
|
|
|
NTSYSAPI
|
|
PWSTR
|
|
NTAPI
|
|
RtlIpv6AddressToStringW(
|
|
_In_ const struct in6_addr *Address,
|
|
_Out_writes_(46) PWSTR AddressString
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlIpv6AddressToStringExW(
|
|
_In_ const struct in6_addr *Address,
|
|
_In_ ULONG ScopeId,
|
|
_In_ USHORT Port,
|
|
_Out_writes_to_(*AddressStringLength, *AddressStringLength) PWSTR AddressString,
|
|
_Inout_ PULONG AddressStringLength
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlIpv4StringToAddressW(
|
|
_In_ PCWSTR AddressString,
|
|
_In_ BOOLEAN Strict,
|
|
_Out_ LPCWSTR *Terminator,
|
|
_Out_ struct in_addr *Address
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlIpv4StringToAddressExW(
|
|
_In_ PCWSTR AddressString,
|
|
_In_ BOOLEAN Strict,
|
|
_Out_ struct in_addr *Address,
|
|
_Out_ PUSHORT Port
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlIpv6StringToAddressW(
|
|
_In_ PCWSTR AddressString,
|
|
_Out_ PCWSTR *Terminator,
|
|
_Out_ struct in6_addr *Address
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlIpv6StringToAddressExW(
|
|
_In_ PCWSTR AddressString,
|
|
_Out_ struct in6_addr *Address,
|
|
_Out_ PULONG ScopeId,
|
|
_Out_ PUSHORT Port
|
|
);
|
|
|
|
#define RtlIpv4AddressToString RtlIpv4AddressToStringW
|
|
#define RtlIpv4AddressToStringEx RtlIpv4AddressToStringExW
|
|
#define RtlIpv6AddressToString RtlIpv6AddressToStringW
|
|
#define RtlIpv6AddressToStringEx RtlIpv6AddressToStringExW
|
|
#define RtlIpv4StringToAddress RtlIpv4StringToAddressW
|
|
#define RtlIpv4StringToAddressEx RtlIpv4StringToAddressExW
|
|
#define RtlIpv6StringToAddress RtlIpv6StringToAddressW
|
|
#define RtlIpv6StringToAddressEx RtlIpv6StringToAddressExW
|
|
|
|
// Time
|
|
|
|
typedef struct _TIME_FIELDS
|
|
{
|
|
CSHORT Year; // 1601...
|
|
CSHORT Month; // 1..12
|
|
CSHORT Day; // 1..31
|
|
CSHORT Hour; // 0..23
|
|
CSHORT Minute; // 0..59
|
|
CSHORT Second; // 0..59
|
|
CSHORT Milliseconds; // 0..999
|
|
CSHORT Weekday; // 0..6 = Sunday..Saturday
|
|
} TIME_FIELDS, *PTIME_FIELDS;
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlCutoverTimeToSystemTime(
|
|
_In_ PTIME_FIELDS CutoverTime,
|
|
_Out_ PLARGE_INTEGER SystemTime,
|
|
_In_ PLARGE_INTEGER CurrentSystemTime,
|
|
_In_ BOOLEAN ThisYear
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSystemTimeToLocalTime(
|
|
_In_ PLARGE_INTEGER SystemTime,
|
|
_Out_ PLARGE_INTEGER LocalTime
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlLocalTimeToSystemTime(
|
|
_In_ PLARGE_INTEGER LocalTime,
|
|
_Out_ PLARGE_INTEGER SystemTime
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlTimeToElapsedTimeFields(
|
|
_In_ PLARGE_INTEGER Time,
|
|
_Out_ PTIME_FIELDS TimeFields
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlTimeToTimeFields(
|
|
_In_ PLARGE_INTEGER Time,
|
|
_Out_ PTIME_FIELDS TimeFields
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlTimeFieldsToTime(
|
|
_In_ PTIME_FIELDS TimeFields, // Weekday is ignored
|
|
_Out_ PLARGE_INTEGER Time
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlTimeToSecondsSince1980(
|
|
_In_ PLARGE_INTEGER Time,
|
|
_Out_ PULONG ElapsedSeconds
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlSecondsSince1980ToTime(
|
|
_In_ ULONG ElapsedSeconds,
|
|
_Out_ PLARGE_INTEGER Time
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlTimeToSecondsSince1970(
|
|
_In_ PLARGE_INTEGER Time,
|
|
_Out_ PULONG ElapsedSeconds
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlSecondsSince1970ToTime(
|
|
_In_ ULONG ElapsedSeconds,
|
|
_Out_ PLARGE_INTEGER Time
|
|
);
|
|
|
|
// Time zones
|
|
|
|
typedef struct _RTL_TIME_ZONE_INFORMATION
|
|
{
|
|
LONG Bias;
|
|
WCHAR StandardName[32];
|
|
TIME_FIELDS StandardStart;
|
|
LONG StandardBias;
|
|
WCHAR DaylightName[32];
|
|
TIME_FIELDS DaylightStart;
|
|
LONG DaylightBias;
|
|
} RTL_TIME_ZONE_INFORMATION, *PRTL_TIME_ZONE_INFORMATION;
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlQueryTimeZoneInformation(
|
|
_Out_ PRTL_TIME_ZONE_INFORMATION TimeZoneInformation
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSetTimeZoneInformation(
|
|
_In_ PRTL_TIME_ZONE_INFORMATION TimeZoneInformation
|
|
);
|
|
|
|
// Bitmaps
|
|
|
|
typedef struct _RTL_BITMAP
|
|
{
|
|
ULONG SizeOfBitMap;
|
|
PULONG Buffer;
|
|
} RTL_BITMAP, *PRTL_BITMAP;
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlInitializeBitMap(
|
|
_Out_ PRTL_BITMAP BitMapHeader,
|
|
_In_ PULONG BitMapBuffer,
|
|
_In_ ULONG SizeOfBitMap
|
|
);
|
|
|
|
#if (PHNT_MODE == PHNT_MODE_KERNEL || PHNT_VERSION >= PHNT_WIN8)
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlClearBit(
|
|
_In_ PRTL_BITMAP BitMapHeader,
|
|
_In_range_(<, BitMapHeader->SizeOfBitMap) ULONG BitNumber
|
|
);
|
|
#endif
|
|
|
|
#if (PHNT_MODE == PHNT_MODE_KERNEL || PHNT_VERSION >= PHNT_WIN8)
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlSetBit(
|
|
_In_ PRTL_BITMAP BitMapHeader,
|
|
_In_range_(<, BitMapHeader->SizeOfBitMap) ULONG BitNumber
|
|
);
|
|
#endif
|
|
|
|
_Check_return_
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlTestBit(
|
|
_In_ PRTL_BITMAP BitMapHeader,
|
|
_In_range_(<, BitMapHeader->SizeOfBitMap) ULONG BitNumber
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlClearAllBits(
|
|
_In_ PRTL_BITMAP BitMapHeader
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlSetAllBits(
|
|
_In_ PRTL_BITMAP BitMapHeader
|
|
);
|
|
|
|
_Success_(return != -1)
|
|
_Check_return_
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlFindClearBits(
|
|
_In_ PRTL_BITMAP BitMapHeader,
|
|
_In_ ULONG NumberToFind,
|
|
_In_ ULONG HintIndex
|
|
);
|
|
|
|
_Success_(return != -1)
|
|
_Check_return_
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlFindSetBits(
|
|
_In_ PRTL_BITMAP BitMapHeader,
|
|
_In_ ULONG NumberToFind,
|
|
_In_ ULONG HintIndex
|
|
);
|
|
|
|
_Success_(return != -1)
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlFindClearBitsAndSet(
|
|
_In_ PRTL_BITMAP BitMapHeader,
|
|
_In_ ULONG NumberToFind,
|
|
_In_ ULONG HintIndex
|
|
);
|
|
|
|
_Success_(return != -1)
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlFindSetBitsAndClear(
|
|
_In_ PRTL_BITMAP BitMapHeader,
|
|
_In_ ULONG NumberToFind,
|
|
_In_ ULONG HintIndex
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlClearBits(
|
|
_In_ PRTL_BITMAP BitMapHeader,
|
|
_In_range_(0, BitMapHeader->SizeOfBitMap - NumberToClear) ULONG StartingIndex,
|
|
_In_range_(0, BitMapHeader->SizeOfBitMap - StartingIndex) ULONG NumberToClear
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlSetBits(
|
|
_In_ PRTL_BITMAP BitMapHeader,
|
|
_In_range_(0, BitMapHeader->SizeOfBitMap - NumberToSet) ULONG StartingIndex,
|
|
_In_range_(0, BitMapHeader->SizeOfBitMap - StartingIndex) ULONG NumberToSet
|
|
);
|
|
|
|
NTSYSAPI
|
|
CCHAR
|
|
NTAPI
|
|
RtlFindMostSignificantBit(
|
|
_In_ ULONGLONG Set
|
|
);
|
|
|
|
NTSYSAPI
|
|
CCHAR
|
|
NTAPI
|
|
RtlFindLeastSignificantBit(
|
|
_In_ ULONGLONG Set
|
|
);
|
|
|
|
typedef struct _RTL_BITMAP_RUN
|
|
{
|
|
ULONG StartingIndex;
|
|
ULONG NumberOfBits;
|
|
} RTL_BITMAP_RUN, *PRTL_BITMAP_RUN;
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlFindClearRuns(
|
|
_In_ PRTL_BITMAP BitMapHeader,
|
|
_Out_writes_to_(SizeOfRunArray, return) PRTL_BITMAP_RUN RunArray,
|
|
_In_range_(>, 0) ULONG SizeOfRunArray,
|
|
_In_ BOOLEAN LocateLongestRuns
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlFindLongestRunClear(
|
|
_In_ PRTL_BITMAP BitMapHeader,
|
|
_Out_ PULONG StartingIndex
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlFindFirstRunClear(
|
|
_In_ PRTL_BITMAP BitMapHeader,
|
|
_Out_ PULONG StartingIndex
|
|
);
|
|
|
|
_Check_return_
|
|
FORCEINLINE
|
|
BOOLEAN
|
|
RtlCheckBit(
|
|
_In_ PRTL_BITMAP BitMapHeader,
|
|
_In_range_(<, BitMapHeader->SizeOfBitMap) ULONG BitPosition
|
|
)
|
|
{
|
|
#ifdef _WIN64
|
|
return BitTest64((LONG64 const *)BitMapHeader->Buffer, (LONG64)BitPosition);
|
|
#else
|
|
return (((PLONG)BitMapHeader->Buffer)[BitPosition / 32] >> (BitPosition % 32)) & 0x1;
|
|
#endif
|
|
}
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlNumberOfClearBits(
|
|
_In_ PRTL_BITMAP BitMapHeader
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlNumberOfSetBits(
|
|
_In_ PRTL_BITMAP BitMapHeader
|
|
);
|
|
|
|
_Check_return_
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlAreBitsClear(
|
|
_In_ PRTL_BITMAP BitMapHeader,
|
|
_In_ ULONG StartingIndex,
|
|
_In_ ULONG Length
|
|
);
|
|
|
|
_Check_return_
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlAreBitsSet(
|
|
_In_ PRTL_BITMAP BitMapHeader,
|
|
_In_ ULONG StartingIndex,
|
|
_In_ ULONG Length
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlFindNextForwardRunClear(
|
|
_In_ PRTL_BITMAP BitMapHeader,
|
|
_In_ ULONG FromIndex,
|
|
_Out_ PULONG StartingRunIndex
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlFindLastBackwardRunClear(
|
|
_In_ PRTL_BITMAP BitMapHeader,
|
|
_In_ ULONG FromIndex,
|
|
_Out_ PULONG StartingRunIndex
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlNumberOfSetBitsUlongPtr(
|
|
_In_ ULONG_PTR Target
|
|
);
|
|
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_WIN7)
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlInterlockedClearBitRun(
|
|
_In_ PRTL_BITMAP BitMapHeader,
|
|
_In_range_(0, BitMapHeader->SizeOfBitMap - NumberToClear) ULONG StartingIndex,
|
|
_In_range_(0, BitMapHeader->SizeOfBitMap - StartingIndex) ULONG NumberToClear
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlInterlockedSetBitRun(
|
|
_In_ PRTL_BITMAP BitMapHeader,
|
|
_In_range_(0, BitMapHeader->SizeOfBitMap - NumberToSet) ULONG StartingIndex,
|
|
_In_range_(0, BitMapHeader->SizeOfBitMap - StartingIndex) ULONG NumberToSet
|
|
);
|
|
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_WIN8)
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlCopyBitMap(
|
|
_In_ PRTL_BITMAP Source,
|
|
_In_ PRTL_BITMAP Destination,
|
|
_In_range_(0, Destination->SizeOfBitMap - 1) ULONG TargetBit
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlExtractBitMap(
|
|
_In_ PRTL_BITMAP Source,
|
|
_In_ PRTL_BITMAP Destination,
|
|
_In_range_(0, Source->SizeOfBitMap - 1) ULONG TargetBit,
|
|
_In_range_(0, Source->SizeOfBitMap) ULONG NumberOfBits
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlNumberOfClearBitsInRange(
|
|
_In_ PRTL_BITMAP BitMapHeader,
|
|
_In_ ULONG StartingIndex,
|
|
_In_ ULONG Length
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlNumberOfSetBitsInRange(
|
|
_In_ PRTL_BITMAP BitMapHeader,
|
|
_In_ ULONG StartingIndex,
|
|
_In_ ULONG Length
|
|
);
|
|
|
|
#endif
|
|
|
|
|
|
#if (PHNT_VERSION >= PHNT_THRESHOLD)
|
|
|
|
// private
|
|
typedef struct _RTL_BITMAP_EX
|
|
{
|
|
ULONG64 SizeOfBitMap;
|
|
PULONG64 Buffer;
|
|
} RTL_BITMAP_EX, *PRTL_BITMAP_EX;
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlInitializeBitMapEx(
|
|
_Out_ PRTL_BITMAP_EX BitMapHeader,
|
|
_In_ PULONG64 BitMapBuffer,
|
|
_In_ ULONG64 SizeOfBitMap
|
|
);
|
|
|
|
// rev
|
|
_Check_return_
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlTestBitEx(
|
|
_In_ PRTL_BITMAP_EX BitMapHeader,
|
|
_In_range_(<, BitMapHeader->SizeOfBitMap) ULONG64 BitNumber
|
|
);
|
|
|
|
#if (PHNT_MODE == PHNT_MODE_KERNEL)
|
|
// rev
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlClearAllBitsEx(
|
|
_In_ PRTL_BITMAP_EX BitMapHeader
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlClearBitEx(
|
|
_In_ PRTL_BITMAP_EX BitMapHeader,
|
|
_In_range_(<, BitMapHeader->SizeOfBitMap) ULONG64 BitNumber
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlSetBitEx(
|
|
_In_ PRTL_BITMAP_EX BitMapHeader,
|
|
_In_range_(<, BitMapHeader->SizeOfBitMap) ULONG64 BitNumber
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
ULONG64
|
|
NTAPI
|
|
RtlFindSetBitsEx(
|
|
_In_ PRTL_BITMAP_EX BitMapHeader,
|
|
_In_ ULONG64 NumberToFind,
|
|
_In_ ULONG64 HintIndex
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG64
|
|
NTAPI
|
|
RtlFindSetBitsAndClearEx(
|
|
_In_ PRTL_BITMAP_EX BitMapHeader,
|
|
_In_ ULONG64 NumberToFind,
|
|
_In_ ULONG64 HintIndex
|
|
);
|
|
#endif
|
|
|
|
#endif
|
|
|
|
// Handle tables
|
|
|
|
typedef struct _RTL_HANDLE_TABLE_ENTRY
|
|
{
|
|
union
|
|
{
|
|
ULONG Flags; // allocated entries have the low bit set
|
|
struct _RTL_HANDLE_TABLE_ENTRY *NextFree;
|
|
};
|
|
} RTL_HANDLE_TABLE_ENTRY, *PRTL_HANDLE_TABLE_ENTRY;
|
|
|
|
#define RTL_HANDLE_ALLOCATED (USHORT)0x0001
|
|
|
|
typedef struct _RTL_HANDLE_TABLE
|
|
{
|
|
ULONG MaximumNumberOfHandles;
|
|
ULONG SizeOfHandleTableEntry;
|
|
ULONG Reserved[2];
|
|
PRTL_HANDLE_TABLE_ENTRY FreeHandles;
|
|
PRTL_HANDLE_TABLE_ENTRY CommittedHandles;
|
|
PRTL_HANDLE_TABLE_ENTRY UnCommittedHandles;
|
|
PRTL_HANDLE_TABLE_ENTRY MaxReservedHandles;
|
|
} RTL_HANDLE_TABLE, *PRTL_HANDLE_TABLE;
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlInitializeHandleTable(
|
|
_In_ ULONG MaximumNumberOfHandles,
|
|
_In_ ULONG SizeOfHandleTableEntry,
|
|
_Out_ PRTL_HANDLE_TABLE HandleTable
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDestroyHandleTable(
|
|
_Inout_ PRTL_HANDLE_TABLE HandleTable
|
|
);
|
|
|
|
NTSYSAPI
|
|
PRTL_HANDLE_TABLE_ENTRY
|
|
NTAPI
|
|
RtlAllocateHandle(
|
|
_In_ PRTL_HANDLE_TABLE HandleTable,
|
|
_Out_opt_ PULONG HandleIndex
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlFreeHandle(
|
|
_In_ PRTL_HANDLE_TABLE HandleTable,
|
|
_In_ PRTL_HANDLE_TABLE_ENTRY Handle
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlIsValidHandle(
|
|
_In_ PRTL_HANDLE_TABLE HandleTable,
|
|
_In_ PRTL_HANDLE_TABLE_ENTRY Handle
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlIsValidIndexHandle(
|
|
_In_ PRTL_HANDLE_TABLE HandleTable,
|
|
_In_ ULONG HandleIndex,
|
|
_Out_ PRTL_HANDLE_TABLE_ENTRY *Handle
|
|
);
|
|
|
|
// Atom tables
|
|
|
|
#define RTL_ATOM_MAXIMUM_INTEGER_ATOM (RTL_ATOM)0xc000
|
|
#define RTL_ATOM_INVALID_ATOM (RTL_ATOM)0x0000
|
|
#define RTL_ATOM_TABLE_DEFAULT_NUMBER_OF_BUCKETS 37
|
|
#define RTL_ATOM_MAXIMUM_NAME_LENGTH 255
|
|
#define RTL_ATOM_PINNED 0x01
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCreateAtomTable(
|
|
_In_ ULONG NumberOfBuckets,
|
|
_Out_ PVOID *AtomTableHandle
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDestroyAtomTable(
|
|
_In_ _Post_invalid_ PVOID AtomTableHandle
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlEmptyAtomTable(
|
|
_In_ PVOID AtomTableHandle,
|
|
_In_ BOOLEAN IncludePinnedAtoms
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlAddAtomToAtomTable(
|
|
_In_ PVOID AtomTableHandle,
|
|
_In_ PWSTR AtomName,
|
|
_Inout_opt_ PRTL_ATOM Atom
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlLookupAtomInAtomTable(
|
|
_In_ PVOID AtomTableHandle,
|
|
_In_ PWSTR AtomName,
|
|
_Out_opt_ PRTL_ATOM Atom
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDeleteAtomFromAtomTable(
|
|
_In_ PVOID AtomTableHandle,
|
|
_In_ RTL_ATOM Atom
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlPinAtomInAtomTable(
|
|
_In_ PVOID AtomTableHandle,
|
|
_In_ RTL_ATOM Atom
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlQueryAtomInAtomTable(
|
|
_In_ PVOID AtomTableHandle,
|
|
_In_ RTL_ATOM Atom,
|
|
_Out_opt_ PULONG AtomUsage,
|
|
_Out_opt_ PULONG AtomFlags,
|
|
_Inout_updates_bytes_to_opt_(*AtomNameLength, *AtomNameLength) PWSTR AtomName,
|
|
_Inout_opt_ PULONG AtomNameLength
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
// rev
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlGetIntegerAtom(
|
|
_In_ PWSTR AtomName,
|
|
_Out_opt_ PUSHORT IntegerAtom
|
|
);
|
|
#endif
|
|
|
|
// SIDs
|
|
|
|
_Check_return_
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlValidSid(
|
|
_In_ PSID Sid
|
|
);
|
|
|
|
_Check_return_
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlEqualSid(
|
|
_In_ PSID Sid1,
|
|
_In_ PSID Sid2
|
|
);
|
|
|
|
_Check_return_
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlEqualPrefixSid(
|
|
_In_ PSID Sid1,
|
|
_In_ PSID Sid2
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlLengthRequiredSid(
|
|
_In_ ULONG SubAuthorityCount
|
|
);
|
|
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlFreeSid(
|
|
_In_ _Post_invalid_ PSID Sid
|
|
);
|
|
|
|
_Check_return_
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlAllocateAndInitializeSid(
|
|
_In_ PSID_IDENTIFIER_AUTHORITY IdentifierAuthority,
|
|
_In_ UCHAR SubAuthorityCount,
|
|
_In_ ULONG SubAuthority0,
|
|
_In_ ULONG SubAuthority1,
|
|
_In_ ULONG SubAuthority2,
|
|
_In_ ULONG SubAuthority3,
|
|
_In_ ULONG SubAuthority4,
|
|
_In_ ULONG SubAuthority5,
|
|
_In_ ULONG SubAuthority6,
|
|
_In_ ULONG SubAuthority7,
|
|
_Outptr_ PSID *Sid
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlInitializeSid(
|
|
_Out_ PSID Sid,
|
|
_In_ PSID_IDENTIFIER_AUTHORITY IdentifierAuthority,
|
|
_In_ UCHAR SubAuthorityCount
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_THRESHOLD)
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlInitializeSidEx(
|
|
_Out_writes_bytes_(SECURITY_SID_SIZE(SubAuthorityCount)) PSID Sid,
|
|
_In_ PSID_IDENTIFIER_AUTHORITY IdentifierAuthority,
|
|
_In_ UCHAR SubAuthorityCount,
|
|
...
|
|
);
|
|
#endif
|
|
|
|
NTSYSAPI
|
|
PSID_IDENTIFIER_AUTHORITY
|
|
NTAPI
|
|
RtlIdentifierAuthoritySid(
|
|
_In_ PSID Sid
|
|
);
|
|
|
|
NTSYSAPI
|
|
PULONG
|
|
NTAPI
|
|
RtlSubAuthoritySid(
|
|
_In_ PSID Sid,
|
|
_In_ ULONG SubAuthority
|
|
);
|
|
|
|
NTSYSAPI
|
|
PUCHAR
|
|
NTAPI
|
|
RtlSubAuthorityCountSid(
|
|
_In_ PSID Sid
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlLengthSid(
|
|
_In_ PSID Sid
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCopySid(
|
|
_In_ ULONG DestinationSidLength,
|
|
_In_reads_bytes_(DestinationSidLength) PSID DestinationSid,
|
|
_In_ PSID SourceSid
|
|
);
|
|
|
|
// ros
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCopySidAndAttributesArray(
|
|
_In_ ULONG Count,
|
|
_In_ PSID_AND_ATTRIBUTES Src,
|
|
_In_ ULONG SidAreaSize,
|
|
_In_ PSID_AND_ATTRIBUTES Dest,
|
|
_In_ PSID SidArea,
|
|
_Out_ PSID *RemainingSidArea,
|
|
_Out_ PULONG RemainingSidAreaSize
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCreateServiceSid(
|
|
_In_ PUNICODE_STRING ServiceName,
|
|
_Out_writes_bytes_opt_(*ServiceSidLength) PSID ServiceSid,
|
|
_Inout_ PULONG ServiceSidLength
|
|
);
|
|
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSidDominates(
|
|
_In_ PSID Sid1,
|
|
_In_ PSID Sid2,
|
|
_Out_ PBOOLEAN Dominates
|
|
);
|
|
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_WINBLUE)
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSidDominatesForTrust(
|
|
_In_ PSID Sid1,
|
|
_In_ PSID Sid2,
|
|
_Out_ PBOOLEAN DominatesTrust // TokenProcessTrustLevel
|
|
);
|
|
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSidEqualLevel(
|
|
_In_ PSID Sid1,
|
|
_In_ PSID Sid2,
|
|
_Out_ PBOOLEAN EqualLevel
|
|
);
|
|
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSidIsHigherLevel(
|
|
_In_ PSID Sid1,
|
|
_In_ PSID Sid2,
|
|
_Out_ PBOOLEAN HigherLevel
|
|
);
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_WIN7)
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCreateVirtualAccountSid(
|
|
_In_ PUNICODE_STRING Name,
|
|
_In_ ULONG BaseSubAuthority,
|
|
_Out_writes_bytes_(*SidLength) PSID Sid,
|
|
_Inout_ PULONG SidLength
|
|
);
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_WIN7)
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlReplaceSidInSd(
|
|
_Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
_In_ PSID OldSid,
|
|
_In_ PSID NewSid,
|
|
_Out_ ULONG *NumChanges
|
|
);
|
|
#endif
|
|
|
|
#define MAX_UNICODE_STACK_BUFFER_LENGTH 256
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlLengthSidAsUnicodeString(
|
|
_In_ PSID Sid,
|
|
_Out_ PULONG StringLength
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlConvertSidToUnicodeString(
|
|
_Inout_ PUNICODE_STRING UnicodeString,
|
|
_In_ PSID Sid,
|
|
_In_ BOOLEAN AllocateDestinationString
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSidHashInitialize(
|
|
_In_reads_(SidCount) PSID_AND_ATTRIBUTES SidAttr,
|
|
_In_ ULONG SidCount,
|
|
_Out_ PSID_AND_ATTRIBUTES_HASH SidAttrHash
|
|
);
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
// private
|
|
NTSYSAPI
|
|
PSID_AND_ATTRIBUTES
|
|
NTAPI
|
|
RtlSidHashLookup(
|
|
_In_ PSID_AND_ATTRIBUTES_HASH SidAttrHash,
|
|
_In_ PSID Sid
|
|
);
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
// rev
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlIsElevatedRid(
|
|
_In_ PSID_AND_ATTRIBUTES SidAttr
|
|
);
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_REDSTONE2)
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDeriveCapabilitySidsFromName(
|
|
_Inout_ PUNICODE_STRING UnicodeString,
|
|
_Out_ PSID CapabilityGroupSid,
|
|
_Out_ PSID CapabilitySid
|
|
);
|
|
#endif
|
|
|
|
// Security Descriptors
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCreateSecurityDescriptor(
|
|
_Out_ PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
_In_ ULONG Revision
|
|
);
|
|
|
|
_Check_return_
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlValidSecurityDescriptor(
|
|
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlLengthSecurityDescriptor(
|
|
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor
|
|
);
|
|
|
|
_Check_return_
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlValidRelativeSecurityDescriptor(
|
|
_In_reads_bytes_(SecurityDescriptorLength) PSECURITY_DESCRIPTOR SecurityDescriptorInput,
|
|
_In_ ULONG SecurityDescriptorLength,
|
|
_In_ SECURITY_INFORMATION RequiredInformation
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlGetControlSecurityDescriptor(
|
|
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
_Out_ PSECURITY_DESCRIPTOR_CONTROL Control,
|
|
_Out_ PULONG Revision
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSetControlSecurityDescriptor(
|
|
_Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
_In_ SECURITY_DESCRIPTOR_CONTROL ControlBitsOfInterest,
|
|
_In_ SECURITY_DESCRIPTOR_CONTROL ControlBitsToSet
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSetAttributesSecurityDescriptor(
|
|
_Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
_In_ SECURITY_DESCRIPTOR_CONTROL Control,
|
|
_Out_ PULONG Revision
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlGetSecurityDescriptorRMControl(
|
|
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
_Out_ PUCHAR RMControl
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlSetSecurityDescriptorRMControl(
|
|
_Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
_In_opt_ PUCHAR RMControl
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSetDaclSecurityDescriptor(
|
|
_Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
_In_ BOOLEAN DaclPresent,
|
|
_In_opt_ PACL Dacl,
|
|
_In_opt_ BOOLEAN DaclDefaulted
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlGetDaclSecurityDescriptor(
|
|
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
_Out_ PBOOLEAN DaclPresent,
|
|
_Out_ PACL *Dacl,
|
|
_Out_ PBOOLEAN DaclDefaulted
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSetSaclSecurityDescriptor(
|
|
_Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
_In_ BOOLEAN SaclPresent,
|
|
_In_opt_ PACL Sacl,
|
|
_In_opt_ BOOLEAN SaclDefaulted
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlGetSaclSecurityDescriptor(
|
|
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
_Out_ PBOOLEAN SaclPresent,
|
|
_Out_ PACL *Sacl,
|
|
_Out_ PBOOLEAN SaclDefaulted
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlGetSaclSecurityDescriptor(
|
|
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
_Out_ PBOOLEAN SaclPresent,
|
|
_Out_ PACL *Sacl,
|
|
_Out_ PBOOLEAN SaclDefaulted
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSetOwnerSecurityDescriptor(
|
|
_Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
_In_opt_ PSID Owner,
|
|
_In_opt_ BOOLEAN OwnerDefaulted
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlGetOwnerSecurityDescriptor(
|
|
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
_Out_ PSID *Owner,
|
|
_Out_ PBOOLEAN OwnerDefaulted
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSetGroupSecurityDescriptor(
|
|
_Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
_In_opt_ PSID Group,
|
|
_In_opt_ BOOLEAN GroupDefaulted
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlGetGroupSecurityDescriptor(
|
|
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
|
|
_Out_ PSID *Group,
|
|
_Out_ PBOOLEAN GroupDefaulted
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlMakeSelfRelativeSD(
|
|
_In_ PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor,
|
|
_Out_writes_bytes_(*BufferLength) PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor,
|
|
_Inout_ PULONG BufferLength
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlAbsoluteToSelfRelativeSD(
|
|
_In_ PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor,
|
|
_Out_writes_bytes_to_opt_(*BufferLength, *BufferLength) PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor,
|
|
_Inout_ PULONG BufferLength
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSelfRelativeToAbsoluteSD(
|
|
_In_ PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor,
|
|
_Out_writes_bytes_to_opt_(*AbsoluteSecurityDescriptorSize, *AbsoluteSecurityDescriptorSize) PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor,
|
|
_Inout_ PULONG AbsoluteSecurityDescriptorSize,
|
|
_Out_writes_bytes_to_opt_(*DaclSize, *DaclSize) PACL Dacl,
|
|
_Inout_ PULONG DaclSize,
|
|
_Out_writes_bytes_to_opt_(*SaclSize, *SaclSize) PACL Sacl,
|
|
_Inout_ PULONG SaclSize,
|
|
_Out_writes_bytes_to_opt_(*OwnerSize, *OwnerSize) PSID Owner,
|
|
_Inout_ PULONG OwnerSize,
|
|
_Out_writes_bytes_to_opt_(*PrimaryGroupSize, *PrimaryGroupSize) PSID PrimaryGroup,
|
|
_Inout_ PULONG PrimaryGroupSize
|
|
);
|
|
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSelfRelativeToAbsoluteSD2(
|
|
_Inout_ PSECURITY_DESCRIPTOR pSelfRelativeSecurityDescriptor,
|
|
_Inout_ PULONG pBufferSize
|
|
);
|
|
|
|
// Access masks
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlAreAllAccessesGranted(
|
|
_In_ ACCESS_MASK GrantedAccess,
|
|
_In_ ACCESS_MASK DesiredAccess
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlAreAnyAccessesGranted(
|
|
_In_ ACCESS_MASK GrantedAccess,
|
|
_In_ ACCESS_MASK DesiredAccess
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlMapGenericMask(
|
|
_Inout_ PACCESS_MASK AccessMask,
|
|
_In_ PGENERIC_MAPPING GenericMapping
|
|
);
|
|
|
|
// ACLs
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCreateAcl(
|
|
_Out_writes_bytes_(AclLength) PACL Acl,
|
|
_In_ ULONG AclLength,
|
|
_In_ ULONG AclRevision
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlValidAcl(
|
|
_In_ PACL Acl
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlQueryInformationAcl(
|
|
_In_ PACL Acl,
|
|
_Out_writes_bytes_(AclInformationLength) PVOID AclInformation,
|
|
_In_ ULONG AclInformationLength,
|
|
_In_ ACL_INFORMATION_CLASS AclInformationClass
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSetInformationAcl(
|
|
_Inout_ PACL Acl,
|
|
_In_reads_bytes_(AclInformationLength) PVOID AclInformation,
|
|
_In_ ULONG AclInformationLength,
|
|
_In_ ACL_INFORMATION_CLASS AclInformationClass
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlAddAce(
|
|
_Inout_ PACL Acl,
|
|
_In_ ULONG AceRevision,
|
|
_In_ ULONG StartingAceIndex,
|
|
_In_reads_bytes_(AceListLength) PVOID AceList,
|
|
_In_ ULONG AceListLength
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDeleteAce(
|
|
_Inout_ PACL Acl,
|
|
_In_ ULONG AceIndex
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlGetAce(
|
|
_In_ PACL Acl,
|
|
_In_ ULONG AceIndex,
|
|
_Outptr_ PVOID *Ace
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlFirstFreeAce(
|
|
_In_ PACL Acl,
|
|
_Out_ PVOID *FirstFree
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
// private
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlFindAceByType(
|
|
_In_ PACL pAcl,
|
|
_In_ UCHAR AceType,
|
|
_Out_opt_ PULONG pIndex
|
|
);
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
// private
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlOwnerAcesPresent(
|
|
_In_ PACL pAcl
|
|
);
|
|
#endif
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlAddAccessAllowedAce(
|
|
_Inout_ PACL Acl,
|
|
_In_ ULONG AceRevision,
|
|
_In_ ACCESS_MASK AccessMask,
|
|
_In_ PSID Sid
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlAddAccessAllowedAceEx(
|
|
_Inout_ PACL Acl,
|
|
_In_ ULONG AceRevision,
|
|
_In_ ULONG AceFlags,
|
|
_In_ ACCESS_MASK AccessMask,
|
|
_In_ PSID Sid
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlAddAccessDeniedAce(
|
|
_Inout_ PACL Acl,
|
|
_In_ ULONG AceRevision,
|
|
_In_ ACCESS_MASK AccessMask,
|
|
_In_ PSID Sid
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlAddAccessDeniedAceEx(
|
|
_Inout_ PACL Acl,
|
|
_In_ ULONG AceRevision,
|
|
_In_ ULONG AceFlags,
|
|
_In_ ACCESS_MASK AccessMask,
|
|
_In_ PSID Sid
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlAddAuditAccessAce(
|
|
_Inout_ PACL Acl,
|
|
_In_ ULONG AceRevision,
|
|
_In_ ACCESS_MASK AccessMask,
|
|
_In_ PSID Sid,
|
|
_In_ BOOLEAN AuditSuccess,
|
|
_In_ BOOLEAN AuditFailure
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlAddAuditAccessAceEx(
|
|
_Inout_ PACL Acl,
|
|
_In_ ULONG AceRevision,
|
|
_In_ ULONG AceFlags,
|
|
_In_ ACCESS_MASK AccessMask,
|
|
_In_ PSID Sid,
|
|
_In_ BOOLEAN AuditSuccess,
|
|
_In_ BOOLEAN AuditFailure
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlAddAccessAllowedObjectAce(
|
|
_Inout_ PACL Acl,
|
|
_In_ ULONG AceRevision,
|
|
_In_ ULONG AceFlags,
|
|
_In_ ACCESS_MASK AccessMask,
|
|
_In_opt_ PGUID ObjectTypeGuid,
|
|
_In_opt_ PGUID InheritedObjectTypeGuid,
|
|
_In_ PSID Sid
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlAddAccessDeniedObjectAce(
|
|
_Inout_ PACL Acl,
|
|
_In_ ULONG AceRevision,
|
|
_In_ ULONG AceFlags,
|
|
_In_ ACCESS_MASK AccessMask,
|
|
_In_opt_ PGUID ObjectTypeGuid,
|
|
_In_opt_ PGUID InheritedObjectTypeGuid,
|
|
_In_ PSID Sid
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlAddAuditAccessObjectAce(
|
|
_Inout_ PACL Acl,
|
|
_In_ ULONG AceRevision,
|
|
_In_ ULONG AceFlags,
|
|
_In_ ACCESS_MASK AccessMask,
|
|
_In_opt_ PGUID ObjectTypeGuid,
|
|
_In_opt_ PGUID InheritedObjectTypeGuid,
|
|
_In_ PSID Sid,
|
|
_In_ BOOLEAN AuditSuccess,
|
|
_In_ BOOLEAN AuditFailure
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlAddCompoundAce(
|
|
_Inout_ PACL Acl,
|
|
_In_ ULONG AceRevision,
|
|
_In_ UCHAR AceType,
|
|
_In_ ACCESS_MASK AccessMask,
|
|
_In_ PSID ServerSid,
|
|
_In_ PSID ClientSid
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlAddMandatoryAce(
|
|
_Inout_ PACL Acl,
|
|
_In_ ULONG AceRevision,
|
|
_In_ ULONG AceFlags,
|
|
_In_ PSID Sid,
|
|
_In_ UCHAR AceType,
|
|
_In_ ACCESS_MASK AccessMask
|
|
);
|
|
#endif
|
|
|
|
// Named pipes
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDefaultNpAcl(
|
|
_Out_ PACL *Acl
|
|
);
|
|
|
|
// Security objects
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlNewSecurityObject(
|
|
_In_opt_ PSECURITY_DESCRIPTOR ParentDescriptor,
|
|
_In_opt_ PSECURITY_DESCRIPTOR CreatorDescriptor,
|
|
_Out_ PSECURITY_DESCRIPTOR *NewDescriptor,
|
|
_In_ BOOLEAN IsDirectoryObject,
|
|
_In_opt_ HANDLE Token,
|
|
_In_ PGENERIC_MAPPING GenericMapping
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlNewSecurityObjectEx(
|
|
_In_opt_ PSECURITY_DESCRIPTOR ParentDescriptor,
|
|
_In_opt_ PSECURITY_DESCRIPTOR CreatorDescriptor,
|
|
_Out_ PSECURITY_DESCRIPTOR *NewDescriptor,
|
|
_In_opt_ GUID *ObjectType,
|
|
_In_ BOOLEAN IsDirectoryObject,
|
|
_In_ ULONG AutoInheritFlags, // SEF_*
|
|
_In_opt_ HANDLE Token,
|
|
_In_ PGENERIC_MAPPING GenericMapping
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlNewSecurityObjectWithMultipleInheritance(
|
|
_In_opt_ PSECURITY_DESCRIPTOR ParentDescriptor,
|
|
_In_opt_ PSECURITY_DESCRIPTOR CreatorDescriptor,
|
|
_Out_ PSECURITY_DESCRIPTOR *NewDescriptor,
|
|
_In_opt_ GUID **ObjectType,
|
|
_In_ ULONG GuidCount,
|
|
_In_ BOOLEAN IsDirectoryObject,
|
|
_In_ ULONG AutoInheritFlags, // SEF_*
|
|
_In_opt_ HANDLE Token,
|
|
_In_ PGENERIC_MAPPING GenericMapping
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDeleteSecurityObject(
|
|
_Inout_ PSECURITY_DESCRIPTOR *ObjectDescriptor
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlQuerySecurityObject(
|
|
_In_ PSECURITY_DESCRIPTOR ObjectDescriptor,
|
|
_In_ SECURITY_INFORMATION SecurityInformation,
|
|
_Out_opt_ PSECURITY_DESCRIPTOR ResultantDescriptor,
|
|
_In_ ULONG DescriptorLength,
|
|
_Out_ PULONG ReturnLength
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSetSecurityObject(
|
|
_In_ SECURITY_INFORMATION SecurityInformation,
|
|
_In_ PSECURITY_DESCRIPTOR ModificationDescriptor,
|
|
_Inout_ PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
|
|
_In_ PGENERIC_MAPPING GenericMapping,
|
|
_In_opt_ HANDLE Token
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSetSecurityObjectEx(
|
|
_In_ SECURITY_INFORMATION SecurityInformation,
|
|
_In_ PSECURITY_DESCRIPTOR ModificationDescriptor,
|
|
_Inout_ PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
|
|
_In_ ULONG AutoInheritFlags, // SEF_*
|
|
_In_ PGENERIC_MAPPING GenericMapping,
|
|
_In_opt_ HANDLE Token
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlConvertToAutoInheritSecurityObject(
|
|
_In_opt_ PSECURITY_DESCRIPTOR ParentDescriptor,
|
|
_In_ PSECURITY_DESCRIPTOR CurrentSecurityDescriptor,
|
|
_Out_ PSECURITY_DESCRIPTOR *NewSecurityDescriptor,
|
|
_In_opt_ GUID *ObjectType,
|
|
_In_ BOOLEAN IsDirectoryObject,
|
|
_In_ PGENERIC_MAPPING GenericMapping
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlNewInstanceSecurityObject(
|
|
_In_ BOOLEAN ParentDescriptorChanged,
|
|
_In_ BOOLEAN CreatorDescriptorChanged,
|
|
_In_ PLUID OldClientTokenModifiedId,
|
|
_Out_ PLUID NewClientTokenModifiedId,
|
|
_In_opt_ PSECURITY_DESCRIPTOR ParentDescriptor,
|
|
_In_opt_ PSECURITY_DESCRIPTOR CreatorDescriptor,
|
|
_Out_ PSECURITY_DESCRIPTOR *NewDescriptor,
|
|
_In_ BOOLEAN IsDirectoryObject,
|
|
_In_ HANDLE Token,
|
|
_In_ PGENERIC_MAPPING GenericMapping
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCopySecurityDescriptor(
|
|
_In_ PSECURITY_DESCRIPTOR InputSecurityDescriptor,
|
|
_Out_ PSECURITY_DESCRIPTOR *OutputSecurityDescriptor
|
|
);
|
|
|
|
// Misc. security
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlRunEncodeUnicodeString(
|
|
_Inout_ PUCHAR Seed,
|
|
_In_ PUNICODE_STRING String
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlRunDecodeUnicodeString(
|
|
_In_ UCHAR Seed,
|
|
_In_ PUNICODE_STRING String
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlImpersonateSelf(
|
|
_In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlImpersonateSelfEx(
|
|
_In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
|
|
_In_opt_ ACCESS_MASK AdditionalAccess,
|
|
_Out_opt_ PHANDLE ThreadToken
|
|
);
|
|
#endif
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlAdjustPrivilege(
|
|
_In_ ULONG Privilege,
|
|
_In_ BOOLEAN Enable,
|
|
_In_ BOOLEAN Client,
|
|
_Out_ PBOOLEAN WasEnabled
|
|
);
|
|
|
|
#define RTL_ACQUIRE_PRIVILEGE_REVERT 0x00000001
|
|
#define RTL_ACQUIRE_PRIVILEGE_PROCESS 0x00000002
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlAcquirePrivilege(
|
|
_In_ PULONG Privilege,
|
|
_In_ ULONG NumPriv,
|
|
_In_ ULONG Flags,
|
|
_Out_ PVOID *ReturnedState
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlReleasePrivilege(
|
|
_In_ PVOID StatePointer
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlRemovePrivileges(
|
|
_In_ HANDLE TokenHandle,
|
|
_In_ PULONG PrivilegesToKeep,
|
|
_In_ ULONG PrivilegeCount
|
|
);
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_WIN8)
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlIsUntrustedObject(
|
|
_In_opt_ HANDLE Handle,
|
|
_In_opt_ PVOID Object,
|
|
_Out_ PBOOLEAN IsUntrustedObject
|
|
);
|
|
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlQueryValidationRunlevel(
|
|
_In_opt_ PUNICODE_STRING ComponentName
|
|
);
|
|
|
|
#endif
|
|
|
|
// Private namespaces
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
|
|
// begin_private
|
|
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlCreateBoundaryDescriptor(
|
|
_In_ PUNICODE_STRING Name,
|
|
_In_ ULONG Flags
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlDeleteBoundaryDescriptor(
|
|
_In_ PVOID BoundaryDescriptor
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlAddSIDToBoundaryDescriptor(
|
|
_Inout_ PVOID *BoundaryDescriptor,
|
|
_In_ PSID RequiredSid
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_WIN7)
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlAddIntegrityLabelToBoundaryDescriptor(
|
|
_Inout_ PVOID *BoundaryDescriptor,
|
|
_In_ PSID IntegrityLabel
|
|
);
|
|
#endif
|
|
|
|
// end_private
|
|
|
|
#endif
|
|
|
|
// Version
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlGetVersion(
|
|
_Out_ PRTL_OSVERSIONINFOEXW VersionInformation // PRTL_OSVERSIONINFOW
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlVerifyVersionInfo(
|
|
_In_ PRTL_OSVERSIONINFOEXW VersionInformation, // PRTL_OSVERSIONINFOW
|
|
_In_ ULONG TypeMask,
|
|
_In_ ULONGLONG ConditionMask
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlGetNtVersionNumbers(
|
|
_Out_opt_ PULONG NtMajorVersion,
|
|
_Out_opt_ PULONG NtMinorVersion,
|
|
_Out_opt_ PULONG NtBuildNumber
|
|
);
|
|
|
|
// System information
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlGetNtGlobalFlags(
|
|
VOID
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_REDSTONE)
|
|
// rev
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlGetNtProductType(
|
|
_Out_ PNT_PRODUCT_TYPE NtProductType
|
|
);
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_REDSTONE2)
|
|
// private
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlGetSuiteMask(
|
|
VOID
|
|
);
|
|
#endif
|
|
|
|
// Thread pool (old)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlRegisterWait(
|
|
_Out_ PHANDLE WaitHandle,
|
|
_In_ HANDLE Handle,
|
|
_In_ WAITORTIMERCALLBACKFUNC Function,
|
|
_In_ PVOID Context,
|
|
_In_ ULONG Milliseconds,
|
|
_In_ ULONG Flags
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDeregisterWait(
|
|
_In_ HANDLE WaitHandle
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDeregisterWaitEx(
|
|
_In_ HANDLE WaitHandle,
|
|
_In_ HANDLE Event
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlQueueWorkItem(
|
|
_In_ WORKERCALLBACKFUNC Function,
|
|
_In_ PVOID Context,
|
|
_In_ ULONG Flags
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSetIoCompletionCallback(
|
|
_In_ HANDLE FileHandle,
|
|
_In_ APC_CALLBACK_FUNCTION CompletionProc,
|
|
_In_ ULONG Flags
|
|
);
|
|
|
|
typedef NTSTATUS (NTAPI *PRTL_START_POOL_THREAD)(
|
|
_In_ PTHREAD_START_ROUTINE Function,
|
|
_In_ PVOID Parameter,
|
|
_Out_ PHANDLE ThreadHandle
|
|
);
|
|
|
|
typedef NTSTATUS (NTAPI *PRTL_EXIT_POOL_THREAD)(
|
|
_In_ NTSTATUS ExitStatus
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSetThreadPoolStartFunc(
|
|
_In_ PRTL_START_POOL_THREAD StartPoolThread,
|
|
_In_ PRTL_EXIT_POOL_THREAD ExitPoolThread
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlUserThreadStart(
|
|
_In_ PTHREAD_START_ROUTINE Function,
|
|
_In_ PVOID Parameter
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
LdrInitializeThunk(
|
|
_In_ PCONTEXT ContextRecord,
|
|
_In_ PVOID Parameter
|
|
);
|
|
|
|
// Timer support
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCreateTimerQueue(
|
|
_Out_ PHANDLE TimerQueueHandle
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCreateTimer(
|
|
_In_ HANDLE TimerQueueHandle,
|
|
_Out_ PHANDLE Handle,
|
|
_In_ WAITORTIMERCALLBACKFUNC Function,
|
|
_In_opt_ PVOID Context,
|
|
_In_ ULONG DueTime,
|
|
_In_ ULONG Period,
|
|
_In_ ULONG Flags
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlUpdateTimer(
|
|
_In_ HANDLE TimerQueueHandle,
|
|
_In_ HANDLE TimerHandle,
|
|
_In_ ULONG DueTime,
|
|
_In_ ULONG Period
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDeleteTimer(
|
|
_In_ HANDLE TimerQueueHandle,
|
|
_In_ HANDLE TimerToCancel,
|
|
_In_opt_ HANDLE Event
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDeleteTimerQueue(
|
|
_In_ HANDLE TimerQueueHandle
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDeleteTimerQueueEx(
|
|
_In_ HANDLE TimerQueueHandle,
|
|
_In_ HANDLE Event
|
|
);
|
|
|
|
// Registry access
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlFormatCurrentUserKeyPath(
|
|
_Out_ PUNICODE_STRING CurrentUserKeyPath
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlOpenCurrentUser(
|
|
_In_ ACCESS_MASK DesiredAccess,
|
|
_Out_ PHANDLE CurrentUserKey
|
|
);
|
|
|
|
#define RTL_REGISTRY_ABSOLUTE 0
|
|
#define RTL_REGISTRY_SERVICES 1 // \Registry\Machine\System\CurrentControlSet\Services
|
|
#define RTL_REGISTRY_CONTROL 2 // \Registry\Machine\System\CurrentControlSet\Control
|
|
#define RTL_REGISTRY_WINDOWS_NT 3 // \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion
|
|
#define RTL_REGISTRY_DEVICEMAP 4 // \Registry\Machine\Hardware\DeviceMap
|
|
#define RTL_REGISTRY_USER 5 // \Registry\User\CurrentUser
|
|
#define RTL_REGISTRY_MAXIMUM 6
|
|
#define RTL_REGISTRY_HANDLE 0x40000000
|
|
#define RTL_REGISTRY_OPTIONAL 0x80000000
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCreateRegistryKey(
|
|
_In_ ULONG RelativeTo,
|
|
_In_ PWSTR Path
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCheckRegistryKey(
|
|
_In_ ULONG RelativeTo,
|
|
_In_ PWSTR Path
|
|
);
|
|
|
|
typedef NTSTATUS (NTAPI *PRTL_QUERY_REGISTRY_ROUTINE)(
|
|
_In_ PWSTR ValueName,
|
|
_In_ ULONG ValueType,
|
|
_In_ PVOID ValueData,
|
|
_In_ ULONG ValueLength,
|
|
_In_ PVOID Context,
|
|
_In_ PVOID EntryContext
|
|
);
|
|
|
|
typedef struct _RTL_QUERY_REGISTRY_TABLE
|
|
{
|
|
PRTL_QUERY_REGISTRY_ROUTINE QueryRoutine;
|
|
ULONG Flags;
|
|
PWSTR Name;
|
|
PVOID EntryContext;
|
|
ULONG DefaultType;
|
|
PVOID DefaultData;
|
|
ULONG DefaultLength;
|
|
} RTL_QUERY_REGISTRY_TABLE, *PRTL_QUERY_REGISTRY_TABLE;
|
|
|
|
#define RTL_QUERY_REGISTRY_SUBKEY 0x00000001
|
|
#define RTL_QUERY_REGISTRY_TOPKEY 0x00000002
|
|
#define RTL_QUERY_REGISTRY_REQUIRED 0x00000004
|
|
#define RTL_QUERY_REGISTRY_NOVALUE 0x00000008
|
|
#define RTL_QUERY_REGISTRY_NOEXPAND 0x00000010
|
|
#define RTL_QUERY_REGISTRY_DIRECT 0x00000020
|
|
#define RTL_QUERY_REGISTRY_DELETE 0x00000040
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlQueryRegistryValues(
|
|
_In_ ULONG RelativeTo,
|
|
_In_ PCWSTR Path,
|
|
_In_ PRTL_QUERY_REGISTRY_TABLE QueryTable,
|
|
_In_ PVOID Context,
|
|
_In_opt_ PVOID Environment
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlQueryRegistryValuesEx(
|
|
_In_ ULONG RelativeTo,
|
|
_In_ PCWSTR Path,
|
|
_In_ PRTL_QUERY_REGISTRY_TABLE QueryTable,
|
|
_In_ PVOID Context,
|
|
_In_opt_ PVOID Environment
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlWriteRegistryValue(
|
|
_In_ ULONG RelativeTo,
|
|
_In_ PCWSTR Path,
|
|
_In_ PCWSTR ValueName,
|
|
_In_ ULONG ValueType,
|
|
_In_ PVOID ValueData,
|
|
_In_ ULONG ValueLength
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDeleteRegistryValue(
|
|
_In_ ULONG RelativeTo,
|
|
_In_ PCWSTR Path,
|
|
_In_ PCWSTR ValueName
|
|
);
|
|
|
|
// Thread profiling
|
|
|
|
#if (PHNT_VERSION >= PHNT_WIN7)
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlEnableThreadProfiling(
|
|
_In_ HANDLE ThreadHandle,
|
|
_In_ ULONG Flags,
|
|
_In_ ULONG64 HardwareCounters,
|
|
_Out_ PVOID *PerformanceDataHandle
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDisableThreadProfiling(
|
|
_In_ PVOID PerformanceDataHandle
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlQueryThreadProfiling(
|
|
_In_ HANDLE ThreadHandle,
|
|
_Out_ PBOOLEAN Enabled
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlReadThreadProfilingData(
|
|
_In_ HANDLE PerformanceDataHandle,
|
|
_In_ ULONG Flags,
|
|
_Out_ PPERFORMANCE_DATA PerformanceData
|
|
);
|
|
|
|
#endif
|
|
|
|
// WOW64
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlGetNativeSystemInformation(
|
|
_In_ ULONG SystemInformationClass,
|
|
_In_ PVOID NativeSystemInformation,
|
|
_In_ ULONG InformationLength,
|
|
_Out_opt_ PULONG ReturnLength
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlQueueApcWow64Thread(
|
|
_In_ HANDLE ThreadHandle,
|
|
_In_ PPS_APC_ROUTINE ApcRoutine,
|
|
_In_opt_ PVOID ApcArgument1,
|
|
_In_opt_ PVOID ApcArgument2,
|
|
_In_opt_ PVOID ApcArgument3
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlWow64EnableFsRedirection(
|
|
_In_ BOOLEAN Wow64FsEnableRedirection
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlWow64EnableFsRedirectionEx(
|
|
_In_ PVOID Wow64FsEnableRedirection,
|
|
_Out_ PVOID *OldFsRedirectionLevel
|
|
);
|
|
|
|
// Misc.
|
|
|
|
NTSYSAPI
|
|
ULONG32
|
|
NTAPI
|
|
RtlComputeCrc32(
|
|
_In_ ULONG32 PartialCrc,
|
|
_In_ PVOID Buffer,
|
|
_In_ ULONG Length
|
|
);
|
|
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlEncodePointer(
|
|
_In_ PVOID Ptr
|
|
);
|
|
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlDecodePointer(
|
|
_In_ PVOID Ptr
|
|
);
|
|
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlEncodeSystemPointer(
|
|
_In_ PVOID Ptr
|
|
);
|
|
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlDecodeSystemPointer(
|
|
_In_ PVOID Ptr
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_THRESHOLD)
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlEncodeRemotePointer(
|
|
_In_ HANDLE ProcessHandle,
|
|
_In_ PVOID Pointer,
|
|
_Out_ PVOID *EncodedPointer
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDecodeRemotePointer(
|
|
_In_ HANDLE ProcessHandle,
|
|
_In_ PVOID Pointer,
|
|
_Out_ PVOID *DecodedPointer
|
|
);
|
|
#endif
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlIsProcessorFeaturePresent(
|
|
_In_ ULONG ProcessorFeature
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlGetCurrentProcessorNumber(
|
|
VOID
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_THRESHOLD)
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlGetCurrentProcessorNumberEx(
|
|
_Out_ PPROCESSOR_NUMBER ProcessorNumber
|
|
);
|
|
|
|
#endif
|
|
|
|
// Stack support
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlPushFrame(
|
|
_In_ PTEB_ACTIVE_FRAME Frame
|
|
);
|
|
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlPopFrame(
|
|
_In_ PTEB_ACTIVE_FRAME Frame
|
|
);
|
|
|
|
NTSYSAPI
|
|
PTEB_ACTIVE_FRAME
|
|
NTAPI
|
|
RtlGetFrame(
|
|
VOID
|
|
);
|
|
|
|
#define RTL_WALK_USER_MODE_STACK 0x00000001
|
|
#define RTL_WALK_VALID_FLAGS 0x00000001
|
|
#define RTL_STACK_WALKING_MODE_FRAMES_TO_SKIP_SHIFT 0x00000008
|
|
|
|
// private
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlWalkFrameChain(
|
|
_Out_writes_(Count - (Flags >> RTL_STACK_WALKING_MODE_FRAMES_TO_SKIP_SHIFT)) PVOID *Callers,
|
|
_In_ ULONG Count,
|
|
_In_ ULONG Flags
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlGetCallersAddress( // Use the intrinsic _ReturnAddress instead.
|
|
_Out_ PVOID *CallersAddress,
|
|
_Out_ PVOID *CallersCaller
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_WIN7)
|
|
|
|
NTSYSAPI
|
|
ULONG64
|
|
NTAPI
|
|
RtlGetEnabledExtendedFeatures(
|
|
_In_ ULONG64 FeatureMask
|
|
);
|
|
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_REDSTONE4)
|
|
|
|
// msdn
|
|
NTSYSAPI
|
|
ULONG64
|
|
NTAPI
|
|
RtlGetEnabledExtendedAndSupervisorFeatures(
|
|
_In_ ULONG64 FeatureMask
|
|
);
|
|
|
|
// msdn
|
|
_Ret_maybenull_
|
|
_Success_(return != NULL)
|
|
NTSYSAPI
|
|
PVOID
|
|
NTAPI
|
|
RtlLocateSupervisorFeature(
|
|
_In_ PXSAVE_AREA_HEADER XStateHeader,
|
|
_In_range_(XSTATE_AVX, MAXIMUM_XSTATE_FEATURES - 1) ULONG FeatureId,
|
|
_Out_opt_ PULONG Length
|
|
);
|
|
|
|
#endif
|
|
|
|
// private
|
|
typedef union _RTL_ELEVATION_FLAGS
|
|
{
|
|
ULONG Flags;
|
|
struct
|
|
{
|
|
ULONG ElevationEnabled : 1;
|
|
ULONG VirtualizationEnabled : 1;
|
|
ULONG InstallerDetectEnabled : 1;
|
|
ULONG ReservedBits : 29;
|
|
};
|
|
} RTL_ELEVATION_FLAGS, *PRTL_ELEVATION_FLAGS;
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlQueryElevationFlags(
|
|
_Out_ PRTL_ELEVATION_FLAGS Flags
|
|
);
|
|
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlRegisterThreadWithCsrss(
|
|
VOID
|
|
);
|
|
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlLockCurrentThread(
|
|
VOID
|
|
);
|
|
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlUnlockCurrentThread(
|
|
VOID
|
|
);
|
|
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlLockModuleSection(
|
|
_In_ PVOID Address
|
|
);
|
|
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlUnlockModuleSection(
|
|
_In_ PVOID Address
|
|
);
|
|
|
|
#endif
|
|
|
|
// begin_msdn:"Winternl"
|
|
|
|
#define RTL_UNLOAD_EVENT_TRACE_NUMBER 64
|
|
|
|
// private
|
|
typedef struct _RTL_UNLOAD_EVENT_TRACE
|
|
{
|
|
PVOID BaseAddress;
|
|
SIZE_T SizeOfImage;
|
|
ULONG Sequence;
|
|
ULONG TimeDateStamp;
|
|
ULONG CheckSum;
|
|
WCHAR ImageName[32];
|
|
ULONG Version[2];
|
|
} RTL_UNLOAD_EVENT_TRACE, *PRTL_UNLOAD_EVENT_TRACE;
|
|
|
|
typedef struct _RTL_UNLOAD_EVENT_TRACE32
|
|
{
|
|
ULONG BaseAddress;
|
|
ULONG SizeOfImage;
|
|
ULONG Sequence;
|
|
ULONG TimeDateStamp;
|
|
ULONG CheckSum;
|
|
WCHAR ImageName[32];
|
|
ULONG Version[2];
|
|
} RTL_UNLOAD_EVENT_TRACE32, *PRTL_UNLOAD_EVENT_TRACE32;
|
|
|
|
NTSYSAPI
|
|
PRTL_UNLOAD_EVENT_TRACE
|
|
NTAPI
|
|
RtlGetUnloadEventTrace(
|
|
VOID
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
NTSYSAPI
|
|
VOID
|
|
NTAPI
|
|
RtlGetUnloadEventTraceEx(
|
|
_Out_ PULONG *ElementSize,
|
|
_Out_ PULONG *ElementCount,
|
|
_Out_ PVOID *EventTrace // works across all processes
|
|
);
|
|
#endif
|
|
|
|
// end_msdn
|
|
|
|
#if (PHNT_VERSION >= PHNT_WIN7)
|
|
// rev
|
|
NTSYSAPI
|
|
LOGICAL
|
|
NTAPI
|
|
RtlQueryPerformanceCounter(
|
|
_Out_ PLARGE_INTEGER PerformanceCounter
|
|
);
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_WIN7)
|
|
// rev
|
|
NTSYSAPI
|
|
LOGICAL
|
|
NTAPI
|
|
RtlQueryPerformanceFrequency(
|
|
_Out_ PLARGE_INTEGER PerformanceFrequency
|
|
);
|
|
#endif
|
|
|
|
// Image Mitigation
|
|
|
|
// rev
|
|
typedef enum _IMAGE_MITIGATION_POLICY
|
|
{
|
|
ImageDepPolicy, // RTL_IMAGE_MITIGATION_DEP_POLICY
|
|
ImageAslrPolicy, // RTL_IMAGE_MITIGATION_ASLR_POLICY
|
|
ImageDynamicCodePolicy, // RTL_IMAGE_MITIGATION_DYNAMIC_CODE_POLICY
|
|
ImageStrictHandleCheckPolicy, // RTL_IMAGE_MITIGATION_STRICT_HANDLE_CHECK_POLICY
|
|
ImageSystemCallDisablePolicy, // RTL_IMAGE_MITIGATION_SYSTEM_CALL_DISABLE_POLICY
|
|
ImageMitigationOptionsMask,
|
|
ImageExtensionPointDisablePolicy, // RTL_IMAGE_MITIGATION_EXTENSION_POINT_DISABLE_POLICY
|
|
ImageControlFlowGuardPolicy, // RTL_IMAGE_MITIGATION_CONTROL_FLOW_GUARD_POLICY
|
|
ImageSignaturePolicy, // RTL_IMAGE_MITIGATION_BINARY_SIGNATURE_POLICY
|
|
ImageFontDisablePolicy, // RTL_IMAGE_MITIGATION_FONT_DISABLE_POLICY
|
|
ImageImageLoadPolicy, // RTL_IMAGE_MITIGATION_IMAGE_LOAD_POLICY
|
|
ImagePayloadRestrictionPolicy, // RTL_IMAGE_MITIGATION_PAYLOAD_RESTRICTION_POLICY
|
|
ImageChildProcessPolicy, // RTL_IMAGE_MITIGATION_CHILD_PROCESS_POLICY
|
|
ImageSehopPolicy, // RTL_IMAGE_MITIGATION_SEHOP_POLICY
|
|
ImageHeapPolicy, // RTL_IMAGE_MITIGATION_HEAP_POLICY
|
|
MaxImageMitigationPolicy
|
|
} IMAGE_MITIGATION_POLICY;
|
|
|
|
// rev
|
|
typedef union _RTL_IMAGE_MITIGATION_POLICY
|
|
{
|
|
struct
|
|
{
|
|
ULONG64 AuditState : 2;
|
|
ULONG64 AuditFlag : 1;
|
|
ULONG64 EnableAdditionalAuditingOption : 1;
|
|
ULONG64 Reserved : 60;
|
|
};
|
|
struct
|
|
{
|
|
ULONG64 PolicyState : 2;
|
|
ULONG64 AlwaysInherit : 1;
|
|
ULONG64 EnableAdditionalPolicyOption : 1;
|
|
ULONG64 AuditReserved : 60;
|
|
};
|
|
} RTL_IMAGE_MITIGATION_POLICY, *PRTL_IMAGE_MITIGATION_POLICY;
|
|
|
|
// rev
|
|
typedef struct _RTL_IMAGE_MITIGATION_DEP_POLICY
|
|
{
|
|
RTL_IMAGE_MITIGATION_POLICY Dep;
|
|
} RTL_IMAGE_MITIGATION_DEP_POLICY, *PRTL_IMAGE_MITIGATION_DEP_POLICY;
|
|
|
|
// rev
|
|
typedef struct _RTL_IMAGE_MITIGATION_ASLR_POLICY
|
|
{
|
|
RTL_IMAGE_MITIGATION_POLICY ForceRelocateImages;
|
|
RTL_IMAGE_MITIGATION_POLICY BottomUpRandomization;
|
|
RTL_IMAGE_MITIGATION_POLICY HighEntropyRandomization;
|
|
} RTL_IMAGE_MITIGATION_ASLR_POLICY, *PRTL_IMAGE_MITIGATION_ASLR_POLICY;
|
|
|
|
// rev
|
|
typedef struct _RTL_IMAGE_MITIGATION_DYNAMIC_CODE_POLICY
|
|
{
|
|
RTL_IMAGE_MITIGATION_POLICY BlockDynamicCode;
|
|
} RTL_IMAGE_MITIGATION_DYNAMIC_CODE_POLICY, *PRTL_IMAGE_MITIGATION_DYNAMIC_CODE_POLICY;
|
|
|
|
// rev
|
|
typedef struct _RTL_IMAGE_MITIGATION_STRICT_HANDLE_CHECK_POLICY
|
|
{
|
|
RTL_IMAGE_MITIGATION_POLICY StrictHandleChecks;
|
|
} RTL_IMAGE_MITIGATION_STRICT_HANDLE_CHECK_POLICY, *PRTL_IMAGE_MITIGATION_STRICT_HANDLE_CHECK_POLICY;
|
|
|
|
// rev
|
|
typedef struct _RTL_IMAGE_MITIGATION_SYSTEM_CALL_DISABLE_POLICY
|
|
{
|
|
RTL_IMAGE_MITIGATION_POLICY BlockWin32kSystemCalls;
|
|
} RTL_IMAGE_MITIGATION_SYSTEM_CALL_DISABLE_POLICY, *PRTL_IMAGE_MITIGATION_SYSTEM_CALL_DISABLE_POLICY;
|
|
|
|
// rev
|
|
typedef struct _RTL_IMAGE_MITIGATION_EXTENSION_POINT_DISABLE_POLICY
|
|
{
|
|
RTL_IMAGE_MITIGATION_POLICY DisableExtensionPoints;
|
|
} RTL_IMAGE_MITIGATION_EXTENSION_POINT_DISABLE_POLICY, *PRTL_IMAGE_MITIGATION_EXTENSION_POINT_DISABLE_POLICY;
|
|
|
|
// rev
|
|
typedef struct _RTL_IMAGE_MITIGATION_CONTROL_FLOW_GUARD_POLICY
|
|
{
|
|
RTL_IMAGE_MITIGATION_POLICY ControlFlowGuard;
|
|
RTL_IMAGE_MITIGATION_POLICY StrictControlFlowGuard;
|
|
} RTL_IMAGE_MITIGATION_CONTROL_FLOW_GUARD_POLICY, *PRTL_IMAGE_MITIGATION_CONTROL_FLOW_GUARD_POLICY;
|
|
|
|
// rev
|
|
typedef struct _RTL_IMAGE_MITIGATION_BINARY_SIGNATURE_POLICY
|
|
{
|
|
RTL_IMAGE_MITIGATION_POLICY BlockNonMicrosoftSignedBinaries;
|
|
RTL_IMAGE_MITIGATION_POLICY EnforceSigningOnModuleDependencies;
|
|
} RTL_IMAGE_MITIGATION_BINARY_SIGNATURE_POLICY, *PRTL_IMAGE_MITIGATION_BINARY_SIGNATURE_POLICY;
|
|
|
|
// rev
|
|
typedef struct _RTL_IMAGE_MITIGATION_FONT_DISABLE_POLICY
|
|
{
|
|
RTL_IMAGE_MITIGATION_POLICY DisableNonSystemFonts;
|
|
} RTL_IMAGE_MITIGATION_FONT_DISABLE_POLICY, *PRTL_IMAGE_MITIGATION_FONT_DISABLE_POLICY;
|
|
|
|
// rev
|
|
typedef struct _RTL_IMAGE_MITIGATION_IMAGE_LOAD_POLICY
|
|
{
|
|
RTL_IMAGE_MITIGATION_POLICY BlockRemoteImageLoads;
|
|
RTL_IMAGE_MITIGATION_POLICY BlockLowLabelImageLoads;
|
|
RTL_IMAGE_MITIGATION_POLICY PreferSystem32;
|
|
} RTL_IMAGE_MITIGATION_IMAGE_LOAD_POLICY, *PRTL_IMAGE_MITIGATION_IMAGE_LOAD_POLICY;
|
|
|
|
// rev
|
|
typedef struct _RTL_IMAGE_MITIGATION_PAYLOAD_RESTRICTION_POLICY
|
|
{
|
|
RTL_IMAGE_MITIGATION_POLICY EnableExportAddressFilter;
|
|
RTL_IMAGE_MITIGATION_POLICY EnableExportAddressFilterPlus;
|
|
RTL_IMAGE_MITIGATION_POLICY EnableImportAddressFilter;
|
|
RTL_IMAGE_MITIGATION_POLICY EnableRopStackPivot;
|
|
RTL_IMAGE_MITIGATION_POLICY EnableRopCallerCheck;
|
|
RTL_IMAGE_MITIGATION_POLICY EnableRopSimExec;
|
|
WCHAR EafPlusModuleList[512]; // 19H1
|
|
} RTL_IMAGE_MITIGATION_PAYLOAD_RESTRICTION_POLICY, *PRTL_IMAGE_MITIGATION_PAYLOAD_RESTRICTION_POLICY;
|
|
|
|
// rev
|
|
typedef struct _RTL_IMAGE_MITIGATION_CHILD_PROCESS_POLICY
|
|
{
|
|
RTL_IMAGE_MITIGATION_POLICY DisallowChildProcessCreation;
|
|
} RTL_IMAGE_MITIGATION_CHILD_PROCESS_POLICY, *PRTL_IMAGE_MITIGATION_CHILD_PROCESS_POLICY;
|
|
|
|
// rev
|
|
typedef struct _RTL_IMAGE_MITIGATION_SEHOP_POLICY
|
|
{
|
|
RTL_IMAGE_MITIGATION_POLICY Sehop;
|
|
} RTL_IMAGE_MITIGATION_SEHOP_POLICY, *PRTL_IMAGE_MITIGATION_SEHOP_POLICY;
|
|
|
|
// rev
|
|
typedef struct _RTL_IMAGE_MITIGATION_HEAP_POLICY
|
|
{
|
|
RTL_IMAGE_MITIGATION_POLICY TerminateOnHeapErrors;
|
|
} RTL_IMAGE_MITIGATION_HEAP_POLICY, *PRTL_IMAGE_MITIGATION_HEAP_POLICY;
|
|
|
|
typedef enum _RTL_IMAGE_MITIGATION_OPTION_STATE
|
|
{
|
|
RtlMitigationOptionStateNotConfigured,
|
|
RtlMitigationOptionStateOn,
|
|
RtlMitigationOptionStateOff
|
|
} RTL_IMAGE_MITIGATION_OPTION_STATE;
|
|
|
|
// rev from PROCESS_MITIGATION_FLAGS
|
|
#define RTL_IMAGE_MITIGATION_FLAG_RESET 0x1
|
|
#define RTL_IMAGE_MITIGATION_FLAG_REMOVE 0x2
|
|
#define RTL_IMAGE_MITIGATION_FLAG_OSDEFAULT 0x4
|
|
#define RTL_IMAGE_MITIGATION_FLAG_AUDIT 0x8
|
|
|
|
#if (PHNT_VERSION >= PHNT_REDSTONE3)
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlQueryImageMitigationPolicy(
|
|
_In_opt_ PWSTR ImagePath, // NULL for system-wide defaults
|
|
_In_ IMAGE_MITIGATION_POLICY Policy,
|
|
_In_ ULONG Flags,
|
|
_Inout_ PVOID Buffer,
|
|
_In_ ULONG BufferSize
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSetImageMitigationPolicy(
|
|
_In_opt_ PWSTR ImagePath, // NULL for system-wide defaults
|
|
_In_ IMAGE_MITIGATION_POLICY Policy,
|
|
_In_ ULONG Flags,
|
|
_Inout_ PVOID Buffer,
|
|
_In_ ULONG BufferSize
|
|
);
|
|
|
|
#endif
|
|
|
|
// session
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlGetCurrentServiceSessionId(
|
|
VOID
|
|
);
|
|
|
|
// private
|
|
NTSYSAPI
|
|
ULONG
|
|
NTAPI
|
|
RtlGetActiveConsoleId(
|
|
VOID
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_REDSTONE)
|
|
// private
|
|
NTSYSAPI
|
|
ULONGLONG
|
|
NTAPI
|
|
RtlGetConsoleSessionForegroundProcessId(
|
|
VOID
|
|
);
|
|
#endif
|
|
|
|
// Appcontainer
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlGetTokenNamedObjectPath(
|
|
_In_ HANDLE Token,
|
|
_In_opt_ PSID Sid,
|
|
_Out_ PUNICODE_STRING ObjectPath // RtlFreeUnicodeString
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlGetAppContainerNamedObjectPath(
|
|
_In_opt_ HANDLE Token,
|
|
_In_opt_ PSID AppContainerSid,
|
|
_In_ BOOLEAN RelativePath,
|
|
_Out_ PUNICODE_STRING ObjectPath // RtlFreeUnicodeString
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlGetAppContainerParent(
|
|
_In_ PSID AppContainerSid,
|
|
_Out_ PSID* AppContainerSidParent // RtlFreeSid
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCheckSandboxedToken(
|
|
_In_opt_ HANDLE TokenHandle,
|
|
_Out_ PBOOLEAN IsSandboxed
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCheckTokenCapability(
|
|
_In_opt_ HANDLE TokenHandle,
|
|
_In_ PSID CapabilitySidToCheck,
|
|
_Out_ PBOOLEAN HasCapability
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCapabilityCheck(
|
|
_In_opt_ HANDLE TokenHandle,
|
|
_In_ PUNICODE_STRING CapabilityName,
|
|
_Out_ PBOOLEAN HasCapability
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCheckTokenMembership(
|
|
_In_opt_ HANDLE TokenHandle,
|
|
_In_ PSID SidToCheck,
|
|
_Out_ PBOOLEAN IsMember
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCheckTokenMembershipEx(
|
|
_In_opt_ HANDLE TokenHandle,
|
|
_In_ PSID SidToCheck,
|
|
_In_ ULONG Flags, // CTMF_VALID_FLAGS
|
|
_Out_ PBOOLEAN IsMember
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlQueryTokenHostIdAsUlong64(
|
|
_In_ HANDLE TokenHandle,
|
|
_Out_ PULONG64 HostId // (WIN://PKGHOSTID)
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlIsParentOfChildAppContainer(
|
|
_In_ PSID ParentAppContainerSid,
|
|
_In_ PSID ChildAppContainerSid
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlIsCapabilitySid(
|
|
_In_ PSID Sid
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlIsPackageSid(
|
|
_In_ PSID Sid
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlIsValidProcessTrustLabelSid(
|
|
_In_ PSID Sid
|
|
);
|
|
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlIsStateSeparationEnabled(
|
|
VOID
|
|
);
|
|
|
|
typedef enum _APPCONTAINER_SID_TYPE
|
|
{
|
|
NotAppContainerSidType,
|
|
ChildAppContainerSidType,
|
|
ParentAppContainerSidType,
|
|
InvalidAppContainerSidType,
|
|
MaxAppContainerSidType
|
|
} APPCONTAINER_SID_TYPE, *PAPPCONTAINER_SID_TYPE;
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlGetAppContainerSidType(
|
|
_In_ PSID AppContainerSid,
|
|
_Out_ PAPPCONTAINER_SID_TYPE AppContainerSidType
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlFlsAlloc(
|
|
_In_ PFLS_CALLBACK_FUNCTION Callback,
|
|
_Out_ PULONG FlsIndex
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlFlsFree(
|
|
_In_ ULONG FlsIndex
|
|
);
|
|
|
|
typedef enum _STATE_LOCATION_TYPE
|
|
{
|
|
LocationTypeRegistry,
|
|
LocationTypeFileSystem,
|
|
LocationTypeMaximum
|
|
} STATE_LOCATION_TYPE;
|
|
|
|
// private
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlGetPersistedStateLocation(
|
|
_In_ PCWSTR SourceID,
|
|
_In_opt_ PCWSTR CustomValue,
|
|
_In_opt_ PCWSTR DefaultPath,
|
|
_In_ STATE_LOCATION_TYPE StateLocationType,
|
|
_Out_writes_bytes_to_opt_(BufferLengthIn, *BufferLengthOut) PWCHAR TargetPath,
|
|
_In_ ULONG BufferLengthIn,
|
|
_Out_opt_ PULONG BufferLengthOut
|
|
);
|
|
|
|
// msdn
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlIsCloudFilesPlaceholder(
|
|
_In_ ULONG FileAttributes,
|
|
_In_ ULONG ReparseTag
|
|
);
|
|
|
|
// msdn
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlIsPartialPlaceholder(
|
|
_In_ ULONG FileAttributes,
|
|
_In_ ULONG ReparseTag
|
|
);
|
|
|
|
// msdn
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlIsPartialPlaceholderFileHandle(
|
|
_In_ HANDLE FileHandle,
|
|
_Out_ PBOOLEAN IsPartialPlaceholder
|
|
);
|
|
|
|
// msdn
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlIsPartialPlaceholderFileInfo(
|
|
_In_ PVOID InfoBuffer,
|
|
_In_ FILE_INFORMATION_CLASS InfoClass,
|
|
_Out_ PBOOLEAN IsPartialPlaceholder
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlIsNonEmptyDirectoryReparsePointAllowed(
|
|
_In_ ULONG ReparseTag
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlAppxIsFileOwnedByTrustedInstaller(
|
|
_In_ HANDLE FileHandle,
|
|
_Out_ PBOOLEAN IsFileOwnedByTrustedInstaller
|
|
);
|
|
|
|
// rev
|
|
typedef struct _PS_PKG_CLAIM
|
|
{
|
|
ULONGLONG Flags;
|
|
ULONGLONG Origin;
|
|
} PS_PKG_CLAIM, *PPS_PKG_CLAIM;
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlQueryPackageClaims(
|
|
_In_ HANDLE TokenHandle,
|
|
_Out_writes_bytes_to_opt_(*PackageSize, *PackageSize) PWSTR PackageFullName,
|
|
_Inout_opt_ PSIZE_T PackageSize,
|
|
_Out_writes_bytes_to_opt_(*AppIdSize, *AppIdSize) PWSTR AppId,
|
|
_Inout_opt_ PSIZE_T AppIdSize,
|
|
_Out_opt_ PGUID DynamicId,
|
|
_Out_opt_ PPS_PKG_CLAIM PkgClaim,
|
|
_Out_opt_ PULONG64 AttributesPresent
|
|
);
|
|
|
|
// Protected policies
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlQueryProtectedPolicy(
|
|
_In_ PGUID PolicyGuid,
|
|
_Out_ PULONG_PTR PolicyValue
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSetProtectedPolicy(
|
|
_In_ PGUID PolicyGuid,
|
|
_In_ ULONG_PTR PolicyValue,
|
|
_Out_ PULONG_PTR OldPolicyValue
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_REDSTONE)
|
|
// private
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlIsMultiSessionSku(
|
|
VOID
|
|
);
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_REDSTONE)
|
|
// private
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlIsMultiUsersInSessionSku(
|
|
VOID
|
|
);
|
|
#endif
|
|
|
|
// private
|
|
typedef enum _RTL_BSD_ITEM_TYPE
|
|
{
|
|
RtlBsdItemVersionNumber,
|
|
RtlBsdItemProductType,
|
|
RtlBsdItemAabEnabled,
|
|
RtlBsdItemAabTimeout,
|
|
RtlBsdItemBootGood,
|
|
RtlBsdItemBootShutdown,
|
|
RtlBsdSleepInProgress,
|
|
RtlBsdPowerTransition,
|
|
RtlBsdItemBootAttemptCount,
|
|
RtlBsdItemBootCheckpoint,
|
|
RtlBsdItemBootId,
|
|
RtlBsdItemShutdownBootId,
|
|
RtlBsdItemReportedAbnormalShutdownBootId,
|
|
RtlBsdItemErrorInfo,
|
|
RtlBsdItemPowerButtonPressInfo,
|
|
RtlBsdItemChecksum,
|
|
RtlBsdItemMax
|
|
} RTL_BSD_ITEM_TYPE;
|
|
|
|
// private
|
|
typedef struct _RTL_BSD_ITEM
|
|
{
|
|
RTL_BSD_ITEM_TYPE Type;
|
|
PVOID DataBuffer;
|
|
ULONG DataLength;
|
|
} RTL_BSD_ITEM, *PRTL_BSD_ITEM;
|
|
|
|
// ros
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCreateBootStatusDataFile(
|
|
VOID
|
|
);
|
|
|
|
// ros
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlLockBootStatusData(
|
|
_Out_ PHANDLE FileHandle
|
|
);
|
|
|
|
// ros
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlUnlockBootStatusData(
|
|
_In_ HANDLE FileHandle
|
|
);
|
|
|
|
// ros
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlGetSetBootStatusData(
|
|
_In_ HANDLE FileHandle,
|
|
_In_ BOOLEAN Read,
|
|
_In_ RTL_BSD_ITEM_TYPE DataClass,
|
|
_In_ PVOID Buffer,
|
|
_In_ ULONG BufferSize,
|
|
_Out_opt_ PULONG ReturnLength
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCheckBootStatusIntegrity(
|
|
_In_ HANDLE FileHandle,
|
|
_Out_ PBOOLEAN Verified
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlCheckPortableOperatingSystem(
|
|
_Out_ PBOOLEAN IsPortable // VOID
|
|
);
|
|
|
|
// rev
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlSetPortableOperatingSystem(
|
|
_In_ BOOLEAN IsPortable
|
|
);
|
|
|
|
#if (PHNT_VERSION >= PHNT_THRESHOLD)
|
|
|
|
NTSYSAPI
|
|
OS_DEPLOYEMENT_STATE_VALUES
|
|
NTAPI
|
|
RtlOsDeploymentState(
|
|
_Reserved_ _In_ ULONG Flags
|
|
);
|
|
|
|
#endif
|
|
|
|
#if (PHNT_VERSION >= PHNT_VISTA)
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlFindClosestEncodableLength(
|
|
_In_ ULONGLONG SourceLength,
|
|
_Out_ PULONGLONG TargetLength
|
|
);
|
|
|
|
#endif
|
|
|
|
// Memory cache
|
|
|
|
typedef NTSTATUS (NTAPI *PRTL_SECURE_MEMORY_CACHE_CALLBACK)(
|
|
_In_ PVOID Address,
|
|
_In_ SIZE_T Length
|
|
);
|
|
|
|
// ros
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlRegisterSecureMemoryCacheCallback(
|
|
_In_ PRTL_SECURE_MEMORY_CACHE_CALLBACK Callback
|
|
);
|
|
|
|
NTSYSAPI
|
|
NTSTATUS
|
|
NTAPI
|
|
RtlDeregisterSecureMemoryCacheCallback(
|
|
_In_ PRTL_SECURE_MEMORY_CACHE_CALLBACK Callback
|
|
);
|
|
|
|
// ros
|
|
NTSYSAPI
|
|
BOOLEAN
|
|
NTAPI
|
|
RtlFlushSecureMemoryCache(
|
|
_In_ PVOID MemoryCache,
|
|
_In_opt_ SIZE_T MemoryLength
|
|
);
|
|
|
|
#endif
|