/*
 * This file is part of the Process Hacker project - https://processhacker.sourceforge.io/
 *
 * You can redistribute this file and/or modify it under the terms of the
 * Attribution 4.0 International (CC BY 4.0) license.
 *
 * You must give appropriate credit, provide a link to the license, and
 * indicate if changes were made. You may do so in any reasonable manner, but
 * not in any way that suggests the licensor endorses you or your use.
 */

// Include guard for this header.
#if !defined(_PHNT_NTDEF_H)
#define _PHNT_NTDEF_H

// _NTDEF_ is claimed here as well; presumably it is the guard of the SDK's own
// ntdef.h, so that a later include of that header is skipped - confirm against
// the SDK copy in use.
#if !defined(_NTDEF_)
#define _NTDEF_

// Basic NT types that the Win32 headers do not declare. When winnt.h has been
// included (directly or indirectly), include this file and not ntdef.h.

// NOTHING expands to no tokens; it is defined only if nobody defined it first.
#if !defined(NOTHING)
#define NOTHING
#endif

// Basic types

// Overlay of a 64-bit integer and a double. The member names state the
// contract: copy the value through the integer member and leave the double
// member alone.
typedef struct _QUAD
{
    union
    {
        __int64 UseThisFieldToCopy;
        double DoNotUseThisField;
    };
} QUAD;

typedef QUAD *PQUAD;

// Not an NT type; kept because it is useful.
// Two pointer-sized words aligned to MEMORY_ALLOCATION_ALIGNMENT. Both members
// are named as not meant for direct access, so treat the type as opaque storage.
typedef struct DECLSPEC_ALIGN(MEMORY_ALLOCATION_ALIGNMENT) _QUAD_PTR
{
    ULONG_PTR DoNotUseThisField1;
    ULONG_PTR DoNotUseThisField2;
} QUAD_PTR;

typedef QUAD_PTR *PQUAD_PTR;

// Boolean-like value stored in a full ULONG.
typedef ULONG LOGICAL;
typedef LOGICAL *PLOGICAL;

// NTSTATUS is a signed LONG; the SAL annotation marks a return value >= 0 as
// success, which is the same sign test NT_SUCCESS performs.
typedef _Success_(return >= 0) LONG NTSTATUS;
typedef NTSTATUS *PNTSTATUS;

// Cardinal types

// CCHAR is plain char, so its signedness is whatever the compiler chooses;
// convert to an unsigned type before comparing against byte values >= 0x80.
typedef char CCHAR;
typedef short CSHORT;
typedef ULONG CLONG;

typedef CCHAR *PCCHAR;
typedef CSHORT *PCSHORT;
typedef CLONG *PCLONG;

typedef PCSTR PCSZ;

// Specific

typedef UCHAR KIRQL;
typedef KIRQL *PKIRQL;
typedef LONG KPRIORITY;
typedef USHORT RTL_ATOM;
typedef RTL_ATOM *PRTL_ATOM;

typedef LARGE_INTEGER PHYSICAL_ADDRESS;
typedef PHYSICAL_ADDRESS *PPHYSICAL_ADDRESS;

// NT status macros
//
// The classification macros read the top two bits of the status (bits 31..30):
// 1 = informational, 2 = warning, 3 = error.
//
// NT_SUCCESS is only a sign test. Every non-negative status passes, which
// includes informational codes and non-zero success codes such as
// STATUS_PENDING or STATUS_TIMEOUT. Code that must know an operation actually
// completed has to compare against the specific status value, not NT_SUCCESS.
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#define NT_INFORMATION(Status) ((((ULONG)(Status)) >> 30) == 1)
#define NT_WARNING(Status) ((((ULONG)(Status)) >> 30) == 2)
#define NT_ERROR(Status) ((((ULONG)(Status)) >> 30) == 3)

// Facility code: a 12-bit field starting at bit 16.
#define NT_FACILITY_MASK 0xfff
#define NT_FACILITY_SHIFT 16
#define NT_FACILITY(Status) ((((ULONG)(Status)) >> NT_FACILITY_SHIFT) & NT_FACILITY_MASK)

// FACILITY_NTWIN32 is not defined in this file; another header must supply it.
#define NT_NTWIN32(Status) (NT_FACILITY(Status) == FACILITY_NTWIN32)
// Returns the low 16 bits of the status without checking the facility;
// presumably only meaningful when NT_NTWIN32(Status) holds - confirm at call sites.
#define WIN32_FROM_NTSTATUS(Status) (((ULONG)(Status)) & 0xffff)

// Functions

// FASTCALL is empty when _WIN64 is defined and expands to __fastcall otherwise.
#if defined(_WIN64)
#define FASTCALL
#else
#define FASTCALL __fastcall
#endif

// Synchronization enumerations

// Kind of event object. This file fixes only the numeric values; in the NT
// event API a notification event is the manual-reset kind and a
// synchronization event the auto-reset kind (per the OS documentation).
typedef enum _EVENT_TYPE
{
    NotificationEvent = 0,
    SynchronizationEvent = 1
} EVENT_TYPE;

// Kind of timer object; the two enumerators parallel those of EVENT_TYPE.
typedef enum _TIMER_TYPE
{
    NotificationTimer = 0,
    SynchronizationTimer = 1
} TIMER_TYPE;

// How a wait on several objects is satisfied. Values are positional: 0, 1, 2.
typedef enum _WAIT_TYPE
{
    WaitAll = 0,
    WaitAny = 1,
    WaitNotification = 2
} WAIT_TYPE;

// Strings

// Counted 8-bit string. Per the SAL annotation, Buffer covers MaximumLength
// bytes of which the first Length are valid, and Buffer may be NULL (_opt_).
// Nothing in the layout promises a terminating NUL: bound every read by Length
// and never hand Buffer to a NUL-terminated string routine unchecked.
// Both counts are USHORT, so one string describes at most 65535 bytes.
typedef struct _STRING
{
    USHORT Length;
    USHORT MaximumLength;
    _Field_size_bytes_part_opt_(MaximumLength, Length) PCHAR Buffer;
} STRING;

// ANSI_STRING and OEM_STRING are the same type as STRING under other names.
typedef STRING *PSTRING;
typedef STRING ANSI_STRING;
typedef ANSI_STRING *PANSI_STRING;
typedef STRING OEM_STRING;
typedef OEM_STRING *POEM_STRING;

typedef const STRING *PCSTRING;
typedef const ANSI_STRING *PCANSI_STRING;
typedef const OEM_STRING *PCOEM_STRING;

// Counted wide-character string. Length and MaximumLength are byte counts, not
// character counts (the SAL annotation sizes Buffer in bytes): Buffer covers
// MaximumLength bytes, the first Length of which are valid.
// The layout does not promise a terminating NUL, so consumers must bound reads
// by Length; a Length above MaximumLength, or an odd Length, should be treated
// as malformed when the structure comes from an untrusted source.
typedef struct _UNICODE_STRING
{
    USHORT Length;
    USHORT MaximumLength;
    _Field_size_bytes_part_(MaximumLength, Length) PWCH Buffer;
} UNICODE_STRING;

typedef UNICODE_STRING *PUNICODE_STRING;

typedef const UNICODE_STRING *PCUNICODE_STRING;

// Aggregate initializer { Length, MaximumLength, Buffer } for a counted string
// built from a string literal or array `s`.
//   Length        = sizeof(s) minus one element (the terminator is not counted)
//   MaximumLength = sizeof(s)
// `s` must be an array: for a pointer argument sizeof yields the pointer size,
// so the counts no longer describe the buffer. The macro has no check for
// this, and an array larger than 65535 bytes does not fit a USHORT count field.
#define RTL_CONSTANT_STRING(s) { sizeof(s) - sizeof((s)[0]), sizeof(s), s }

// Balanced tree node

// Low bits of ParentValue that do not belong to the parent address.
#define RTL_BALANCED_NODE_RESERVED_PARENT_MASK 3

// Tree node with two child links and a tagged parent word.
// - Children[0]/Children[1] share storage with Left/Right.
// - Red (1 bit) and Balance (2 bits) share storage with ParentValue, so
//   ParentValue is not a clean pointer; read the parent only through
//   RTL_BALANCED_NODE_GET_PARENT_POINTER.
typedef struct _RTL_BALANCED_NODE
{
    union
    {
        struct _RTL_BALANCED_NODE *Children[2];
        struct
        {
            struct _RTL_BALANCED_NODE *Left;
            struct _RTL_BALANCED_NODE *Right;
        };
    };
    union
    {
        UCHAR Red : 1;
        UCHAR Balance : 2;
        ULONG_PTR ParentValue;
    };
} RTL_BALANCED_NODE;

typedef RTL_BALANCED_NODE *PRTL_BALANCED_NODE;

// Clears the reserved low bits of ParentValue and returns the rest as a node
// pointer. The mask is a plain int constant, so its complement widens to
// ULONG_PTR with the high bits set; changing the mask to an unsigned 32-bit
// constant would truncate 64-bit parent addresses.
#define RTL_BALANCED_NODE_GET_PARENT_POINTER(Node) \
    ((PRTL_BALANCED_NODE)((Node)->ParentValue & ~RTL_BALANCED_NODE_RESERVED_PARENT_MASK))

// Portability

// Fixed-width form of a singly linked list entry: Next is a 32-bit integer
// where a pointer would otherwise sit. Presumably it describes memory laid out
// for a 32-bit address space, so the value is not a pointer valid in the
// current process - confirm against the code that reads it.
typedef struct _SINGLE_LIST_ENTRY32
{
    ULONG Next;
} SINGLE_LIST_ENTRY32;

typedef SINGLE_LIST_ENTRY32 *PSINGLE_LIST_ENTRY32;

// Counted string whose Buffer is a 32-bit integer, not a pointer. The Unicode
// and ANSI variants are the same structure under different names.
// NOTE(review): Buffer presumably holds an address from a 32-bit address
// space; it must be validated and read through the appropriate cross-process
// API and never cast to a local pointer - confirm with the callers.
typedef struct _STRING32
{
    USHORT Length;
    USHORT MaximumLength;
    ULONG Buffer;
} STRING32;

typedef STRING32 *PSTRING32;

typedef STRING32 UNICODE_STRING32;
typedef UNICODE_STRING32 *PUNICODE_STRING32;
typedef STRING32 ANSI_STRING32;
typedef ANSI_STRING32 *PANSI_STRING32;

// Counted string whose Buffer is a 64-bit integer, not a pointer. The Unicode
// and ANSI variants are the same structure under different names.
// NOTE(review): Buffer presumably holds an address from a 64-bit address
// space; a 32-bit build cannot represent it as a native pointer - confirm with
// the callers.
typedef struct _STRING64
{
    USHORT Length;
    USHORT MaximumLength;
    ULONGLONG Buffer;
} STRING64;

typedef STRING64 *PSTRING64;

typedef STRING64 UNICODE_STRING64;
typedef UNICODE_STRING64 *PUNICODE_STRING64;
typedef STRING64 ANSI_STRING64;
typedef ANSI_STRING64 *PANSI_STRING64;

// Object attributes
//
// Bit flags for OBJECT_ATTRIBUTES.Attributes. The one-line meanings below
// follow Microsoft's OBJECT_ATTRIBUTES documentation; this file only fixes the
// bit values.
#define OBJ_INHERIT 0x00000002                       // handle is inherited by child processes
#define OBJ_PERMANENT 0x00000010                     // object outlives its last handle
#define OBJ_EXCLUSIVE 0x00000020                     // only one handle may be open
#define OBJ_CASE_INSENSITIVE 0x00000040              // name lookup ignores case
#define OBJ_OPENIF 0x00000080                        // a create opens the object if it already exists
#define OBJ_OPENLINK 0x00000100                      // open the symbolic link itself, not its target
#define OBJ_KERNEL_HANDLE 0x00000200                 // handle is usable from kernel mode only
#define OBJ_FORCE_ACCESS_CHECK 0x00000400            // access checks apply even to kernel-mode opens
#define OBJ_IGNORE_IMPERSONATED_DEVICEMAP 0x00000800 // ignore the impersonated token's device map
#define OBJ_DONT_REPARSE 0x00001000                  // fail if name parsing hits a reparse point or link
// Bitwise OR of every flag above; any other bit is outside the valid set.
#define OBJ_VALID_ATTRIBUTES 0x00001ff2

// Describes the object a native open/create call refers to.
//   Length                    size of this structure in bytes
//   RootDirectory             handle that ObjectName is resolved against, if any
//   ObjectName                counted name of the object
//   Attributes                OBJ_* flags
//   SecurityDescriptor        declared PVOID here; really a PSECURITY_DESCRIPTOR
//   SecurityQualityOfService  declared PVOID here; really a PSECURITY_QUALITY_OF_SERVICE
// The two security members are untyped, so the compiler will not catch a
// pointer of the wrong kind being stored in them.
typedef struct _OBJECT_ATTRIBUTES
{
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor; // PSECURITY_DESCRIPTOR
    PVOID SecurityQualityOfService; // PSECURITY_QUALITY_OF_SERVICE
} OBJECT_ATTRIBUTES;

typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;

typedef const OBJECT_ATTRIBUTES *PCOBJECT_ATTRIBUTES;

// Fills in every member of the OBJECT_ATTRIBUTES that `p` points to:
//   p  target structure    n  ObjectName      a  Attributes (OBJ_* flags)
//   r  RootDirectory       s  SecurityDescriptor
// SecurityQualityOfService is always set to NULL; a caller that needs one must
// assign it after the macro.
// Usage caveats that follow from the expansion:
// - It expands to a bare { ... } block, so `if (c) InitializeObjectAttributes(...); else`
//   does not compile; wrap the call in braces inside if/else.
// - `p` is evaluated six times, so it must have no side effects.
// - n, a, r and s are expanded without parentheses.
#define InitializeObjectAttributes(p, n, a, r, s) { \
    (p)->Length = sizeof(OBJECT_ATTRIBUTES); \
    (p)->RootDirectory = r; \
    (p)->Attributes = a; \
    (p)->ObjectName = n; \
    (p)->SecurityDescriptor = s; \
    (p)->SecurityQualityOfService = NULL; \
    }

// Aggregate initializer in OBJECT_ATTRIBUTES member order: no root directory,
// name `n`, flags `a`, no security descriptor, no quality of service.
#define RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) { sizeof(OBJECT_ATTRIBUTES), NULL, n, a, NULL, NULL }
// Alias of RTL_CONSTANT_OBJECT_ATTRIBUTES.
#define RTL_INIT_OBJECT_ATTRIBUTES(n, a) RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a)

// Separator between the components of an object-manager path.
#define OBJ_NAME_PATH_SEPARATOR ((WCHAR)L'\\')

// Portability

// OBJECT_ATTRIBUTES with every handle and pointer member replaced by a 64-bit
// integer. NOTE(review): presumably used to describe the structure as laid out
// in a 64-bit address space; the integer members are then foreign addresses
// and handle values, not usable as local pointers - confirm with the callers.
typedef struct _OBJECT_ATTRIBUTES64
{
    ULONG Length;
    ULONG64 RootDirectory;
    ULONG64 ObjectName;
    ULONG Attributes;
    ULONG64 SecurityDescriptor;
    ULONG64 SecurityQualityOfService;
} OBJECT_ATTRIBUTES64;

typedef OBJECT_ATTRIBUTES64 *POBJECT_ATTRIBUTES64;

typedef const OBJECT_ATTRIBUTES64 *PCOBJECT_ATTRIBUTES64;

// OBJECT_ATTRIBUTES with every handle and pointer member replaced by a 32-bit
// integer. NOTE(review): presumably the 32-bit address-space layout of the
// structure; the integer members must not be cast to local pointers - confirm
// with the callers.
typedef struct _OBJECT_ATTRIBUTES32
{
    ULONG Length;
    ULONG RootDirectory;
    ULONG ObjectName;
    ULONG Attributes;
    ULONG SecurityDescriptor;
    ULONG SecurityQualityOfService;
} OBJECT_ATTRIBUTES32;

typedef OBJECT_ATTRIBUTES32 *POBJECT_ATTRIBUTES32;

typedef const OBJECT_ATTRIBUTES32 *PCOBJECT_ATTRIBUTES32;

// Product types

// Product type of the running system. Numbering starts at 1, so a
// zero-initialized value matches none of the enumerators.
typedef enum _NT_PRODUCT_TYPE
{
    NtProductWinNt = 1,
    NtProductLanManNt = 2,
    NtProductServer = 3
} NT_PRODUCT_TYPE;

typedef NT_PRODUCT_TYPE *PNT_PRODUCT_TYPE;

// Product suite identifiers, numbered consecutively from 0. MaxSuiteType is
// the count of real entries, not a suite of its own.
typedef enum _SUITE_TYPE
{
    SmallBusiness = 0,
    Enterprise = 1,
    BackOffice = 2,
    CommunicationServer = 3,
    TerminalServer = 4,
    SmallBusinessRestricted = 5,
    EmbeddedNT = 6,
    DataCenter = 7,
    SingleUserTS = 8,
    Personal = 9,
    Blade = 10,
    EmbeddedRestricted = 11,
    SecurityAppliance = 12,
    StorageServer = 13,
    ComputeServer = 14,
    WHServer = 15,
    PhoneNT = 16,
    MaxSuiteType = 17
} SUITE_TYPE;

// Specific

// Process/thread pair. NOTE(review): the members are typed HANDLE, but the
// names suggest they carry process and thread identifiers, not handles that
// can be closed or waited on - confirm against the APIs that fill them.
typedef struct _CLIENT_ID
{
    HANDLE UniqueProcess;
    HANDLE UniqueThread;
} CLIENT_ID;

typedef CLIENT_ID *PCLIENT_ID;

// CLIENT_ID with both members as 32-bit integers.
typedef struct _CLIENT_ID32
{
    ULONG UniqueProcess;
    ULONG UniqueThread;
} CLIENT_ID32;

typedef CLIENT_ID32 *PCLIENT_ID32;

// CLIENT_ID with both members as 64-bit integers.
typedef struct _CLIENT_ID64
{
    ULONGLONG UniqueProcess;
    ULONGLONG UniqueThread;
} CLIENT_ID64;

typedef CLIENT_ID64 *PCLIENT_ID64;

// pshpack4.h and poppack.h bracket the structure so that it is laid out under
// 4-byte packing; the previous packing is restored afterwards.
#include <pshpack4.h>

// 64-bit time value split into a low 32-bit part and two copies of the high
// part. NOTE(review): the duplicated high part presumably lets a reader detect
// a torn read by comparing High1Time with High2Time - confirm against the
// code that reads it.
typedef struct _KSYSTEM_TIME
{
    ULONG LowPart;
    LONG High1Time;
    LONG High2Time;
} KSYSTEM_TIME;

typedef KSYSTEM_TIME *PKSYSTEM_TIME;

#include <poppack.h>

#endif // _NTDEF_

#endif // _PHNT_NTDEF_H