H4CK3R 14

home *** CD-ROM | disk | FTP | other *** search

/ H4CK3R 14 / hacker14.iso / programacao / cwin / c.exe / $INSTDIR / include / ddk / ntifs.h < prev next >

Wrap

C/C++ Source or Header | 2003-12-15 | 122.0 KB | 4,685 lines

/* * ntifs.h * * Windows NT Filesystem Driver Developer Kit * * This file is part of the w32api package. * * Contributors: * Created by Bo BrantΘn <bosse@acc.umu.se> * * THIS SOFTWARE IS NOT COPYRIGHTED * * This source code is offered for use in the public domain. You may * use, modify or distribute it freely. * * This code is distributed in the hope that it will be useful but * WITHOUT ANY WARRANTY. ALL WARRANTIES, EXPRESS OR IMPLIED ARE HEREBY * DISCLAIMED. This includes but is not limited to warranties of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * */ #ifndef _NTIFS_ #define _NTIFS_ #define _GNU_NTIFS_ #if __GNUC__ >=3 #pragma GCC system_header #endif #ifdef __cplusplus extern "C" { #endif #pragma pack(push,4) #include "ntddk.h" #include "ntapi.h" #define VER_PRODUCTBUILD 10000 #ifndef NTSYSAPI #define NTSYSAPI #endif #ifndef NTKERNELAPI #define NTKERNELAPI STDCALL #endif typedef struct _SE_EXPORTS *PSE_EXPORTS; extern PUCHAR *FsRtlLegalAnsiCharacterArray; extern PSE_EXPORTS SeExports; extern PACL SePublicDefaultDacl; extern PACL SeSystemDefaultDacl; #define ACCESS_ALLOWED_ACE_TYPE (0x0) #define ACCESS_DENIED_ACE_TYPE (0x1) #define SYSTEM_AUDIT_ACE_TYPE (0x2) #define SYSTEM_ALARM_ACE_TYPE (0x3) #define ANSI_DOS_STAR ('<') #define ANSI_DOS_QM ('>') #define ANSI_DOS_DOT ('"') #define DOS_STAR (L'<') #define DOS_QM (L'>') #define DOS_DOT (L'"') #define COMPRESSION_FORMAT_NONE (0x0000) #define COMPRESSION_FORMAT_DEFAULT (0x0001) #define COMPRESSION_FORMAT_LZNT1 (0x0002) #define COMPRESSION_ENGINE_STANDARD (0x0000) #define COMPRESSION_ENGINE_MAXIMUM (0x0100) #define COMPRESSION_ENGINE_HIBER (0x0200) #define FILE_ACTION_ADDED 0x00000001 #define FILE_ACTION_REMOVED 0x00000002 #define FILE_ACTION_MODIFIED 0x00000003 #define FILE_ACTION_RENAMED_OLD_NAME 0x00000004 #define FILE_ACTION_RENAMED_NEW_NAME 0x00000005 #define FILE_ACTION_ADDED_STREAM 0x00000006 #define FILE_ACTION_REMOVED_STREAM 0x00000007 #define FILE_ACTION_MODIFIED_STREAM 0x00000008 #define FILE_ACTION_REMOVED_BY_DELETE 0x00000009 #define FILE_ACTION_ID_NOT_TUNNELLED 0x0000000A #define FILE_ACTION_TUNNELLED_ID_COLLISION 0x0000000B #define FILE_EA_TYPE_BINARY 0xfffe #define FILE_EA_TYPE_ASCII 0xfffd #define FILE_EA_TYPE_BITMAP 0xfffb #define FILE_EA_TYPE_METAFILE 0xfffa #define FILE_EA_TYPE_ICON 0xfff9 #define FILE_EA_TYPE_EA 0xffee #define FILE_EA_TYPE_MVMT 0xffdf #define FILE_EA_TYPE_MVST 0xffde #define FILE_EA_TYPE_ASN1 0xffdd #define FILE_EA_TYPE_FAMILY_IDS 0xff01 #define FILE_NEED_EA 0x00000080 #define FILE_NOTIFY_CHANGE_FILE_NAME 0x00000001 #define FILE_NOTIFY_CHANGE_DIR_NAME 0x00000002 #define FILE_NOTIFY_CHANGE_NAME 0x00000003 #define FILE_NOTIFY_CHANGE_ATTRIBUTES 0x00000004 #define FILE_NOTIFY_CHANGE_SIZE 0x00000008 #define FILE_NOTIFY_CHANGE_LAST_WRITE 0x00000010 #define FILE_NOTIFY_CHANGE_LAST_ACCESS 0x00000020 #define FILE_NOTIFY_CHANGE_CREATION 0x00000040 #define FILE_NOTIFY_CHANGE_EA 0x00000080 #define FILE_NOTIFY_CHANGE_SECURITY 0x00000100 #define FILE_NOTIFY_CHANGE_STREAM_NAME 0x00000200 #define FILE_NOTIFY_CHANGE_STREAM_SIZE 0x00000400 #define FILE_NOTIFY_CHANGE_STREAM_WRITE 0x00000800 #define FILE_NOTIFY_VALID_MASK 0x00000fff #define FILE_OPLOCK_BROKEN_TO_LEVEL_2 0x00000007 #define FILE_OPLOCK_BROKEN_TO_NONE 0x00000008 #define FILE_OPBATCH_BREAK_UNDERWAY 0x00000009 #define FILE_CASE_SENSITIVE_SEARCH 0x00000001 #define FILE_CASE_PRESERVED_NAMES 0x00000002 #define FILE_UNICODE_ON_DISK 0x00000004 #define FILE_PERSISTENT_ACLS 0x00000008 #define FILE_FILE_COMPRESSION 0x00000010 #define FILE_VOLUME_QUOTAS 0x00000020 #define FILE_SUPPORTS_SPARSE_FILES 0x00000040 #define FILE_SUPPORTS_REPARSE_POINTS 0x00000080 #define FILE_SUPPORTS_REMOTE_STORAGE 0x00000100 #define FS_LFN_APIS 0x00004000 #define FILE_VOLUME_IS_COMPRESSED 0x00008000 #define FILE_SUPPORTS_OBJECT_IDS 0x00010000 #define FILE_SUPPORTS_ENCRYPTION 0x00020000 #define FILE_NAMED_STREAMS 0x00040000 #define FILE_PIPE_BYTE_STREAM_TYPE 0x00000000 #define FILE_PIPE_MESSAGE_TYPE 0x00000001 #define FILE_PIPE_BYTE_STREAM_MODE 0x00000000 #define FILE_PIPE_MESSAGE_MODE 0x00000001 #define FILE_PIPE_QUEUE_OPERATION 0x00000000 #define FILE_PIPE_COMPLETE_OPERATION 0x00000001 #define FILE_PIPE_INBOUND 0x00000000 #define FILE_PIPE_OUTBOUND 0x00000001 #define FILE_PIPE_FULL_DUPLEX 0x00000002 #define FILE_PIPE_DISCONNECTED_STATE 0x00000001 #define FILE_PIPE_LISTENING_STATE 0x00000002 #define FILE_PIPE_CONNECTED_STATE 0x00000003 #define FILE_PIPE_CLOSING_STATE 0x00000004 #define FILE_PIPE_CLIENT_END 0x00000000 #define FILE_PIPE_SERVER_END 0x00000001 #define FILE_PIPE_READ_DATA 0x00000000 #define FILE_PIPE_WRITE_SPACE 0x00000001 #define FILE_STORAGE_TYPE_SPECIFIED 0x00000041 // FILE_DIRECTORY_FILE | FILE_NON_DIRECTORY_FILE #define FILE_STORAGE_TYPE_DEFAULT (StorageTypeDefault << FILE_STORAGE_TYPE_SHIFT) #define FILE_STORAGE_TYPE_DIRECTORY (StorageTypeDirectory << FILE_STORAGE_TYPE_SHIFT) #define FILE_STORAGE_TYPE_FILE (StorageTypeFile << FILE_STORAGE_TYPE_SHIFT) #define FILE_STORAGE_TYPE_DOCFILE (StorageTypeDocfile << FILE_STORAGE_TYPE_SHIFT) #define FILE_STORAGE_TYPE_JUNCTION_POINT (StorageTypeJunctionPoint << FILE_STORAGE_TYPE_SHIFT) #define FILE_STORAGE_TYPE_CATALOG (StorageTypeCatalog << FILE_STORAGE_TYPE_SHIFT) #define FILE_STORAGE_TYPE_STRUCTURED_STORAGE (StorageTypeStructuredStorage << FILE_STORAGE_TYPE_SHIFT) #define FILE_STORAGE_TYPE_EMBEDDING (StorageTypeEmbedding << FILE_STORAGE_TYPE_SHIFT) #define FILE_STORAGE_TYPE_STREAM (StorageTypeStream << FILE_STORAGE_TYPE_SHIFT) #define FILE_MINIMUM_STORAGE_TYPE FILE_STORAGE_TYPE_DEFAULT #define FILE_MAXIMUM_STORAGE_TYPE FILE_STORAGE_TYPE_STREAM #define FILE_STORAGE_TYPE_MASK 0x000f0000 #define FILE_STORAGE_TYPE_SHIFT 16 #define FILE_VC_QUOTA_NONE 0x00000000 #define FILE_VC_QUOTA_TRACK 0x00000001 #define FILE_VC_QUOTA_ENFORCE 0x00000002 #define FILE_VC_QUOTA_MASK 0x00000003 #define FILE_VC_QUOTAS_LOG_VIOLATIONS 0x00000004 #define FILE_VC_CONTENT_INDEX_DISABLED 0x00000008 #define FILE_VC_LOG_QUOTA_THRESHOLD 0x00000010 #define FILE_VC_LOG_QUOTA_LIMIT 0x00000020 #define FILE_VC_LOG_VOLUME_THRESHOLD 0x00000040 #define FILE_VC_LOG_VOLUME_LIMIT 0x00000080 #define FILE_VC_QUOTAS_INCOMPLETE 0x00000100 #define FILE_VC_QUOTAS_REBUILDING 0x00000200 #define FILE_VC_VALID_MASK 0x000003ff #define FSRTL_FLAG_FILE_MODIFIED (0x01) #define FSRTL_FLAG_FILE_LENGTH_CHANGED (0x02) #define FSRTL_FLAG_LIMIT_MODIFIED_PAGES (0x04) #define FSRTL_FLAG_ACQUIRE_MAIN_RSRC_EX (0x08) #define FSRTL_FLAG_ACQUIRE_MAIN_RSRC_SH (0x10) #define FSRTL_FLAG_USER_MAPPED_FILE (0x20) #define FSRTL_FLAG_EOF_ADVANCE_ACTIVE (0x80) #define FSRTL_FLAG2_DO_MODIFIED_WRITE (0x01) #define FSRTL_FSP_TOP_LEVEL_IRP (0x01) #define FSRTL_CACHE_TOP_LEVEL_IRP (0x02) #define FSRTL_MOD_WRITE_TOP_LEVEL_IRP (0x03) #define FSRTL_FAST_IO_TOP_LEVEL_IRP (0x04) #define FSRTL_MAX_TOP_LEVEL_IRP_FLAG (0x04) #define FSRTL_VOLUME_DISMOUNT 1 #define FSRTL_VOLUME_DISMOUNT_FAILED 2 #define FSRTL_VOLUME_LOCK 3 #define FSRTL_VOLUME_LOCK_FAILED 4 #define FSRTL_VOLUME_UNLOCK 5 #define FSRTL_VOLUME_MOUNT 6 #define FSRTL_WILD_CHARACTER 0x08 #ifdef _X86_ #define HARDWARE_PTE HARDWARE_PTE_X86 #define PHARDWARE_PTE PHARDWARE_PTE_X86 #else #define HARDWARE_PTE ULONG #define PHARDWARE_PTE PULONG #endif #define IO_CHECK_CREATE_PARAMETERS 0x0200 #define IO_ATTACH_DEVICE 0x0400 #define IO_ATTACH_DEVICE_API 0x80000000 #define IO_COMPLETION_QUERY_STATE 0x0001 #define IO_COMPLETION_MODIFY_STATE 0x0002 #define IO_COMPLETION_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3) #define IO_FILE_OBJECT_NON_PAGED_POOL_CHARGE 64 #define IO_FILE_OBJECT_PAGED_POOL_CHARGE 1024 #define IO_TYPE_APC 18 #define IO_TYPE_DPC 19 #define IO_TYPE_DEVICE_QUEUE 20 #define IO_TYPE_EVENT_PAIR 21 #define IO_TYPE_INTERRUPT 22 #define IO_TYPE_PROFILE 23 #define IRP_BEING_VERIFIED 0x10 #define MAILSLOT_CLASS_FIRSTCLASS 1 #define MAILSLOT_CLASS_SECONDCLASS 2 #define MAILSLOT_SIZE_AUTO 0 #define MAP_PROCESS 1L #define MAP_SYSTEM 2L #define MEM_DOS_LIM 0x40000000 #define MEM_IMAGE SEC_IMAGE #define OB_TYPE_TYPE 1 #define OB_TYPE_DIRECTORY 2 #define OB_TYPE_SYMBOLIC_LINK 3 #define OB_TYPE_TOKEN 4 #define OB_TYPE_PROCESS 5 #define OB_TYPE_THREAD 6 #define OB_TYPE_EVENT 7 #define OB_TYPE_EVENT_PAIR 8 #define OB_TYPE_MUTANT 9 #define OB_TYPE_SEMAPHORE 10 #define OB_TYPE_TIMER 11 #define OB_TYPE_PROFILE 12 #define OB_TYPE_WINDOW_STATION 13 #define OB_TYPE_DESKTOP 14 #define OB_TYPE_SECTION 15 #define OB_TYPE_KEY 16 #define OB_TYPE_PORT 17 #define OB_TYPE_ADAPTER 18 #define OB_TYPE_CONTROLLER 19 #define OB_TYPE_DEVICE 20 #define OB_TYPE_DRIVER 21 #define OB_TYPE_IO_COMPLETION 22 #define OB_TYPE_FILE 23 #define PIN_WAIT (1) #define PIN_EXCLUSIVE (2) #define PIN_NO_READ (4) #define PIN_IF_BCB (8) #define PORT_CONNECT 0x0001 #define PORT_ALL_ACCESS (STANDARD_RIGHTS_ALL |\ PORT_CONNECT) #define SEC_BASED 0x00200000 #define SEC_NO_CHANGE 0x00400000 #define SEC_FILE 0x00800000 #define SEC_IMAGE 0x01000000 #define SEC_COMMIT 0x08000000 #define SEC_NOCACHE 0x10000000 #define SECURITY_WORLD_SID_AUTHORITY {0,0,0,0,0,1} #define SECURITY_WORLD_RID (0x00000000L) #define SID_REVISION 1 #define TOKEN_ASSIGN_PRIMARY (0x0001) #define TOKEN_DUPLICATE (0x0002) #define TOKEN_IMPERSONATE (0x0004) #define TOKEN_QUERY (0x0008) #define TOKEN_QUERY_SOURCE (0x0010) #define TOKEN_ADJUST_PRIVILEGES (0x0020) #define TOKEN_ADJUST_GROUPS (0x0040) #define TOKEN_ADJUST_DEFAULT (0x0080) #define TOKEN_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |\ TOKEN_ASSIGN_PRIMARY |\ TOKEN_DUPLICATE |\ TOKEN_IMPERSONATE |\ TOKEN_QUERY |\ TOKEN_QUERY_SOURCE |\ TOKEN_ADJUST_PRIVILEGES |\ TOKEN_ADJUST_GROUPS |\ TOKEN_ADJUST_DEFAULT) #define TOKEN_READ (STANDARD_RIGHTS_READ |\ TOKEN_QUERY) #define TOKEN_WRITE (STANDARD_RIGHTS_WRITE |\ TOKEN_ADJUST_PRIVILEGES |\ TOKEN_ADJUST_GROUPS |\ TOKEN_ADJUST_DEFAULT) #define TOKEN_EXECUTE (STANDARD_RIGHTS_EXECUTE) #define TOKEN_SOURCE_LENGTH 8 #define TOKEN_HAS_TRAVERSE_PRIVILEGE 0x01 #define TOKEN_HAS_BACKUP_PRIVILEGE 0x02 #define TOKEN_HAS_RESTORE_PRIVILEGE 0x04 #define TOKEN_HAS_ADMIN_GROUP 0x08 #define TOKEN_IS_RESTRICTED 0x10 #define VACB_MAPPING_GRANULARITY (0x40000) #define VACB_OFFSET_SHIFT (18) #define FSCTL_REQUEST_OPLOCK_LEVEL_1 CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 0, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_REQUEST_OPLOCK_LEVEL_2 CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 1, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_REQUEST_BATCH_OPLOCK CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 2, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_OPLOCK_BREAK_ACKNOWLEDGE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 3, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_OPBATCH_ACK_CLOSE_PENDING CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 4, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_OPLOCK_BREAK_NOTIFY CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 5, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_LOCK_VOLUME CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 6, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_UNLOCK_VOLUME CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 7, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_DISMOUNT_VOLUME CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 8, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_IS_VOLUME_MOUNTED CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 10, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_IS_PATHNAME_VALID CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 11, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_MARK_VOLUME_DIRTY CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 12, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_QUERY_RETRIEVAL_POINTERS CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 14, METHOD_NEITHER, FILE_ANY_ACCESS) #define FSCTL_GET_COMPRESSION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 15, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_SET_COMPRESSION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 16, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA) #define FSCTL_MARK_AS_SYSTEM_HIVE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 19, METHOD_NEITHER, FILE_ANY_ACCESS) #define FSCTL_OPLOCK_BREAK_ACK_NO_2 CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 20, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_INVALIDATE_VOLUMES CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 21, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_QUERY_FAT_BPB CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 22, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_REQUEST_FILTER_OPLOCK CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 23, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_FILESYSTEM_GET_STATISTICS CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 24, METHOD_BUFFERED, FILE_ANY_ACCESS) #if (VER_PRODUCTBUILD >= 1381) #define FSCTL_GET_NTFS_VOLUME_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 25, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_GET_NTFS_FILE_RECORD CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 26, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_GET_VOLUME_BITMAP CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 27, METHOD_NEITHER, FILE_ANY_ACCESS) #define FSCTL_GET_RETRIEVAL_POINTERS CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 28, METHOD_NEITHER, FILE_ANY_ACCESS) #define FSCTL_MOVE_FILE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 29, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_IS_VOLUME_DIRTY CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 30, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_GET_HFS_INFORMATION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 31, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_ALLOW_EXTENDED_DASD_IO CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 32, METHOD_NEITHER, FILE_ANY_ACCESS) #endif // (VER_PRODUCTBUILD >= 1381) #if (VER_PRODUCTBUILD >= 2195) #define FSCTL_READ_PROPERTY_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 33, METHOD_NEITHER, FILE_ANY_ACCESS) #define FSCTL_WRITE_PROPERTY_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 34, METHOD_NEITHER, FILE_ANY_ACCESS) #define FSCTL_FIND_FILES_BY_SID CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 35, METHOD_NEITHER, FILE_ANY_ACCESS) #define FSCTL_DUMP_PROPERTY_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 37, METHOD_NEITHER, FILE_ANY_ACCESS) #define FSCTL_SET_OBJECT_ID CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 38, METHOD_BUFFERED, FILE_WRITE_DATA) #define FSCTL_GET_OBJECT_ID CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 39, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_DELETE_OBJECT_ID CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 40, METHOD_BUFFERED, FILE_WRITE_DATA) #define FSCTL_SET_REPARSE_POINT CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 41, METHOD_BUFFERED, FILE_WRITE_DATA) #define FSCTL_GET_REPARSE_POINT CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 42, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_DELETE_REPARSE_POINT CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 43, METHOD_BUFFERED, FILE_WRITE_DATA) #define FSCTL_ENUM_USN_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 44, METHOD_NEITHER, FILE_READ_DATA) #define FSCTL_SECURITY_ID_CHECK CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 45, METHOD_NEITHER, FILE_READ_DATA) #define FSCTL_READ_USN_JOURNAL CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 46, METHOD_NEITHER, FILE_READ_DATA) #define FSCTL_SET_OBJECT_ID_EXTENDED CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 47, METHOD_BUFFERED, FILE_WRITE_DATA) #define FSCTL_CREATE_OR_GET_OBJECT_ID CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 48, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_SET_SPARSE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 49, METHOD_BUFFERED, FILE_WRITE_DATA) #define FSCTL_SET_ZERO_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 50, METHOD_BUFFERED, FILE_WRITE_DATA) #define FSCTL_QUERY_ALLOCATED_RANGES CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 51, METHOD_NEITHER, FILE_READ_DATA) #define FSCTL_ENABLE_UPGRADE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 52, METHOD_BUFFERED, FILE_WRITE_DATA) #define FSCTL_SET_ENCRYPTION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 53, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_ENCRYPTION_FSCTL_IO CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 54, METHOD_NEITHER, FILE_ANY_ACCESS) #define FSCTL_WRITE_RAW_ENCRYPTED CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 55, METHOD_NEITHER, FILE_ANY_ACCESS) #define FSCTL_READ_RAW_ENCRYPTED CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 56, METHOD_NEITHER, FILE_ANY_ACCESS) #define FSCTL_CREATE_USN_JOURNAL CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 57, METHOD_NEITHER, FILE_READ_DATA) #define FSCTL_READ_FILE_USN_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 58, METHOD_NEITHER, FILE_READ_DATA) #define FSCTL_WRITE_USN_CLOSE_RECORD CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 59, METHOD_NEITHER, FILE_READ_DATA) #define FSCTL_EXTEND_VOLUME CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 60, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_QUERY_USN_JOURNAL CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 61, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_DELETE_USN_JOURNAL CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 62, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_MARK_HANDLE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 63, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_SIS_COPYFILE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 64, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_SIS_LINK_FILES CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 65, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA) #define FSCTL_HSM_MSG CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 66, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA) #define FSCTL_NSS_CONTROL CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 67, METHOD_BUFFERED, FILE_WRITE_DATA) #define FSCTL_HSM_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 68, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) #define FSCTL_RECALL_FILE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 69, METHOD_NEITHER, FILE_ANY_ACCESS) #define FSCTL_NSS_RCONTROL CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 70, METHOD_BUFFERED, FILE_READ_DATA) #define FSCTL_READ_FROM_PLEX CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 71, METHOD_OUT_DIRECT, FILE_READ_DATA) #define FSCTL_FILE_PREFETCH CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 72, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) #endif // (VER_PRODUCTBUILD >= 2195) #define FSCTL_MAILSLOT_PEEK CTL_CODE(FILE_DEVICE_MAILSLOT, 0, METHOD_NEITHER, FILE_READ_DATA) #define FSCTL_NETWORK_SET_CONFIGURATION_INFO CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 102, METHOD_IN_DIRECT, FILE_ANY_ACCESS) #define FSCTL_NETWORK_GET_CONFIGURATION_INFO CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 103, METHOD_OUT_DIRECT, FILE_ANY_ACCESS) #define FSCTL_NETWORK_GET_CONNECTION_INFO CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 104, METHOD_NEITHER, FILE_ANY_ACCESS) #define FSCTL_NETWORK_ENUMERATE_CONNECTIONS CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 105, METHOD_NEITHER, FILE_ANY_ACCESS) #define FSCTL_NETWORK_DELETE_CONNECTION CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 107, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_NETWORK_GET_STATISTICS CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 116, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_NETWORK_SET_DOMAIN_NAME CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 120, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_NETWORK_REMOTE_BOOT_INIT_SCRT CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 250, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_ASSIGN_EVENT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 0, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_DISCONNECT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 1, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_LISTEN CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_PEEK CTL_CODE(FILE_DEVICE_NAMED_PIPE, 3, METHOD_BUFFERED, FILE_READ_DATA) #define FSCTL_PIPE_QUERY_EVENT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 4, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_TRANSCEIVE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 5, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) #define FSCTL_PIPE_WAIT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 6, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_IMPERSONATE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 7, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_SET_CLIENT_PROCESS CTL_CODE(FILE_DEVICE_NAMED_PIPE, 8, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_QUERY_CLIENT_PROCESS CTL_CODE(FILE_DEVICE_NAMED_PIPE, 9, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_INTERNAL_READ CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2045, METHOD_BUFFERED, FILE_READ_DATA) #define FSCTL_PIPE_INTERNAL_WRITE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2046, METHOD_BUFFERED, FILE_WRITE_DATA) #define FSCTL_PIPE_INTERNAL_TRANSCEIVE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2047, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) #define FSCTL_PIPE_INTERNAL_READ_OVFLOW CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2048, METHOD_BUFFERED, FILE_READ_DATA) #define IOCTL_REDIR_QUERY_PATH CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 99, METHOD_NEITHER, FILE_ANY_ACCESS) typedef PVOID PEJOB; typedef PVOID OPLOCK, *POPLOCK; typedef PVOID PWOW64_PROCESS; typedef struct _CACHE_MANAGER_CALLBACKS *PCACHE_MANAGER_CALLBACKS; typedef struct _EPROCESS_QUOTA_BLOCK *PEPROCESS_QUOTA_BLOCK; typedef struct _FILE_GET_QUOTA_INFORMATION *PFILE_GET_QUOTA_INFORMATION; typedef struct _HANDLE_TABLE *PHANDLE_TABLE; typedef struct _KEVENT_PAIR *PKEVENT_PAIR; typedef struct _KPROCESS *PKPROCESS; typedef struct _KQUEUE *PKQUEUE; typedef struct _KTRAP_FRAME *PKTRAP_FRAME; typedef struct _MAILSLOT_CREATE_PARAMETERS *PMAILSLOT_CREATE_PARAMETERS; typedef struct _MMWSL *PMMWSL; typedef struct _NAMED_PIPE_CREATE_PARAMETERS *PNAMED_PIPE_CREATE_PARAMETERS; typedef struct _OBJECT_DIRECTORY *POBJECT_DIRECTORY; typedef struct _PAGEFAULT_HISTORY *PPAGEFAULT_HISTORY; typedef struct _PS_IMPERSONATION_INFORMATION *PPS_IMPERSONATION_INFORMATION; typedef struct _SECTION_OBJECT *PSECTION_OBJECT; typedef struct _SHARED_CACHE_MAP *PSHARED_CACHE_MAP; typedef struct _TERMINATION_PORT *PTERMINATION_PORT; typedef struct _VACB *PVACB; typedef struct _VAD_HEADER *PVAD_HEADER; typedef struct _NOTIFY_SYNC { ULONG Unknown0; ULONG Unknown1; ULONG Unknown2; USHORT Unknown3; USHORT Unknown4; ULONG Unknown5; ULONG Unknown6; ULONG Unknown7; ULONG Unknown8; ULONG Unknown9; ULONG Unknown10; } NOTIFY_SYNC, * PNOTIFY_SYNC; typedef enum _FAST_IO_POSSIBLE { FastIoIsNotPossible, FastIoIsPossible, FastIoIsQuestionable } FAST_IO_POSSIBLE; typedef enum _FILE_STORAGE_TYPE { StorageTypeDefault = 1, StorageTypeDirectory, StorageTypeFile, StorageTypeJunctionPoint, StorageTypeCatalog, StorageTypeStructuredStorage, StorageTypeEmbedding, StorageTypeStream } FILE_STORAGE_TYPE; typedef enum _IO_COMPLETION_INFORMATION_CLASS { IoCompletionBasicInformation } IO_COMPLETION_INFORMATION_CLASS; typedef enum _OBJECT_INFO_CLASS { ObjectBasicInfo, ObjectNameInfo, ObjectTypeInfo, ObjectAllTypesInfo, ObjectProtectionInfo } OBJECT_INFO_CLASS; typedef struct _HARDWARE_PTE_X86 { ULONG Valid : 1; ULONG Write : 1; ULONG Owner : 1; ULONG WriteThrough : 1; ULONG CacheDisable : 1; ULONG Accessed : 1; ULONG Dirty : 1; ULONG LargePage : 1; ULONG Global : 1; ULONG CopyOnWrite : 1; ULONG Prototype : 1; ULONG reserved : 1; ULONG PageFrameNumber : 20; } HARDWARE_PTE_X86, *PHARDWARE_PTE_X86; typedef struct _KAPC_STATE { LIST_ENTRY ApcListHead[2]; PKPROCESS Process; BOOLEAN KernelApcInProgress; BOOLEAN KernelApcPending; BOOLEAN UserApcPending; } KAPC_STATE, *PKAPC_STATE; typedef struct _KGDTENTRY { USHORT LimitLow; USHORT BaseLow; union { struct { UCHAR BaseMid; UCHAR Flags1; UCHAR Flags2; UCHAR BaseHi; } Bytes; struct { ULONG BaseMid : 8; ULONG Type : 5; ULONG Dpl : 2; ULONG Pres : 1; ULONG LimitHi : 4; ULONG Sys : 1; ULONG Reserved_0 : 1; ULONG Default_Big : 1; ULONG Granularity : 1; ULONG BaseHi : 8; } Bits; } HighWord; } KGDTENTRY, *PKGDTENTRY; typedef struct _KIDTENTRY { USHORT Offset; USHORT Selector; USHORT Access; USHORT ExtendedOffset; } KIDTENTRY, *PKIDTENTRY; #if (VER_PRODUCTBUILD >= 2600) typedef struct _MMSUPPORT_FLAGS { ULONG SessionSpace : 1; ULONG BeingTrimmed : 1; ULONG SessionLeader : 1; ULONG TrimHard : 1; ULONG WorkingSetHard : 1; ULONG AddressSpaceBeingDeleted : 1; ULONG Available : 10; ULONG AllowWorkingSetAdjustment : 8; ULONG MemoryPriority : 8; } MMSUPPORT_FLAGS, *PMMSUPPORT_FLAGS; #else typedef struct _MMSUPPORT_FLAGS { ULONG SessionSpace : 1; ULONG BeingTrimmed : 1; ULONG ProcessInSession : 1; ULONG SessionLeader : 1; ULONG TrimHard : 1; ULONG WorkingSetHard : 1; ULONG WriteWatch : 1; ULONG Filler : 25; } MMSUPPORT_FLAGS, *PMMSUPPORT_FLAGS; #endif #if (VER_PRODUCTBUILD >= 2600) typedef struct _MMSUPPORT { LARGE_INTEGER LastTrimTime; MMSUPPORT_FLAGS Flags; ULONG PageFaultCount; ULONG PeakWorkingSetSize; ULONG WorkingSetSize; ULONG MinimumWorkingSetSize; ULONG MaximumWorkingSetSize; PMMWSL VmWorkingSetList; LIST_ENTRY WorkingSetExpansionLinks; ULONG Claim; ULONG NextEstimationSlot; ULONG NextAgingSlot; ULONG EstimatedAvailable; ULONG GrowthSinceLastEstimate; } MMSUPPORT, *PMMSUPPORT; #else typedef struct _MMSUPPORT { LARGE_INTEGER LastTrimTime; ULONG LastTrimFaultCount; ULONG PageFaultCount; ULONG PeakWorkingSetSize; ULONG WorkingSetSize; ULONG MinimumWorkingSetSize; ULONG MaximumWorkingSetSize; PMMWSL VmWorkingSetList; LIST_ENTRY WorkingSetExpansionLinks; BOOLEAN AllowWorkingSetAdjustment; BOOLEAN AddressSpaceBeingDeleted; UCHAR ForegroundSwitchCount; UCHAR MemoryPriority; #if (VER_PRODUCTBUILD >= 2195) union { ULONG LongFlags; MMSUPPORT_FLAGS Flags; } u; ULONG Claim; ULONG NextEstimationSlot; ULONG NextAgingSlot; ULONG EstimatedAvailable; ULONG GrowthSinceLastEstimate; #endif // (VER_PRODUCTBUILD >= 2195) } MMSUPPORT, *PMMSUPPORT; #endif typedef struct _SE_AUDIT_PROCESS_CREATION_INFO { POBJECT_NAME_INFORMATION ImageFileName; } SE_AUDIT_PROCESS_CREATION_INFO, *PSE_AUDIT_PROCESS_CREATION_INFO; typedef struct _BITMAP_RANGE { LIST_ENTRY Links; LARGE_INTEGER BasePage; ULONG FirstDirtyPage; ULONG LastDirtyPage; ULONG DirtyPages; PULONG Bitmap; } BITMAP_RANGE, *PBITMAP_RANGE; typedef struct _CACHE_UNINITIALIZE_EVENT { struct _CACHE_UNINITIALIZE_EVENT *Next; KEVENT Event; } CACHE_UNINITIALIZE_EVENT, *PCACHE_UNINITIALIZE_EVENT; typedef struct _CC_FILE_SIZES { LARGE_INTEGER AllocationSize; LARGE_INTEGER FileSize; LARGE_INTEGER ValidDataLength; } CC_FILE_SIZES, *PCC_FILE_SIZES; typedef struct _COMPRESSED_DATA_INFO { USHORT CompressionFormatAndEngine; UCHAR CompressionUnitShift; UCHAR ChunkShift; UCHAR ClusterShift; UCHAR Reserved; USHORT NumberOfChunks; ULONG CompressedChunkSizes[ANYSIZE_ARRAY]; } COMPRESSED_DATA_INFO, *PCOMPRESSED_DATA_INFO; typedef struct _DEVICE_MAP { POBJECT_DIRECTORY DosDevicesDirectory; POBJECT_DIRECTORY GlobalDosDevicesDirectory; ULONG ReferenceCount; ULONG DriveMap; UCHAR DriveType[32]; } DEVICE_MAP, *PDEVICE_MAP; #if (VER_PRODUCTBUILD >= 2600) typedef struct _EX_FAST_REF { union { PVOID Object; ULONG RefCnt : 3; ULONG Value; }; } EX_FAST_REF, *PEX_FAST_REF; typedef struct _EX_PUSH_LOCK { union { struct { ULONG Waiting : 1; ULONG Exclusive : 1; ULONG Shared : 30; }; ULONG Value; PVOID Ptr; }; } EX_PUSH_LOCK, *PEX_PUSH_LOCK; typedef struct _EX_RUNDOWN_REF { union { ULONG Count; PVOID Ptr; }; } EX_RUNDOWN_REF, *PEX_RUNDOWN_REF; #endif typedef struct _EPROCESS_QUOTA_ENTRY { ULONG Usage; ULONG Limit; ULONG Peak; ULONG Return; } EPROCESS_QUOTA_ENTRY, *PEPROCESS_QUOTA_ENTRY; typedef struct _EPROCESS_QUOTA_BLOCK { EPROCESS_QUOTA_ENTRY QuotaEntry[3]; LIST_ENTRY QuotaList; ULONG ReferenceCount; ULONG ProcessCount; } EPROCESS_QUOTA_BLOCK, *PEPROCESS_QUOTA_BLOCK; /* * When needing these parameters cast your PIO_STACK_LOCATION to * PEXTENDED_IO_STACK_LOCATION */ #if !defined(_ALPHA_) #include <pshpack4.h> #endif typedef struct _EXTENDED_IO_STACK_LOCATION { /* Included for padding */ UCHAR MajorFunction; UCHAR MinorFunction; UCHAR Flags; UCHAR Control; union { struct { PIO_SECURITY_CONTEXT SecurityContext; ULONG Options; USHORT Reserved; USHORT ShareAccess; PMAILSLOT_CREATE_PARAMETERS Parameters; } CreateMailslot; struct { PIO_SECURITY_CONTEXT SecurityContext; ULONG Options; USHORT Reserved; USHORT ShareAccess; PNAMED_PIPE_CREATE_PARAMETERS Parameters; } CreatePipe; struct { ULONG OutputBufferLength; ULONG InputBufferLength; ULONG FsControlCode; PVOID Type3InputBuffer; } FileSystemControl; struct { PLARGE_INTEGER Length; ULONG Key; LARGE_INTEGER ByteOffset; } LockControl; struct { ULONG Length; ULONG CompletionFilter; } NotifyDirectory; struct { ULONG Length; PUNICODE_STRING FileName; FILE_INFORMATION_CLASS FileInformationClass; ULONG FileIndex; } QueryDirectory; struct { ULONG Length; PVOID EaList; ULONG EaListLength; ULONG EaIndex; } QueryEa; struct { ULONG Length; PSID StartSid; PFILE_GET_QUOTA_INFORMATION SidList; ULONG SidListLength; } QueryQuota; struct { ULONG Length; } SetEa; struct { ULONG Length; } SetQuota; struct { ULONG Length; FS_INFORMATION_CLASS FsInformationClass; } SetVolume; } Parameters; PDEVICE_OBJECT DeviceObject; PFILE_OBJECT FileObject; PIO_COMPLETION_ROUTINE CompletionRoutine; PVOID Context; } EXTENDED_IO_STACK_LOCATION, *PEXTENDED_IO_STACK_LOCATION; #if !defined(_ALPHA_) #include <poppack.h> #endif typedef struct _FILE_ACCESS_INFORMATION { ACCESS_MASK AccessFlags; } FILE_ACCESS_INFORMATION, *PFILE_ACCESS_INFORMATION; typedef struct _FILE_ALLOCATION_INFORMATION { LARGE_INTEGER AllocationSize; } FILE_ALLOCATION_INFORMATION, *PFILE_ALLOCATION_INFORMATION; typedef struct _FILE_BOTH_DIR_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG FileNameLength; ULONG EaSize; CCHAR ShortNameLength; WCHAR ShortName[12]; WCHAR FileName[1]; } FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION; typedef struct _FILE_COMPLETION_INFORMATION { HANDLE Port; ULONG Key; } FILE_COMPLETION_INFORMATION, *PFILE_COMPLETION_INFORMATION; typedef struct _FILE_COMPRESSION_INFORMATION { LARGE_INTEGER CompressedFileSize; USHORT CompressionFormat; UCHAR CompressionUnitShift; UCHAR ChunkShift; UCHAR ClusterShift; UCHAR Reserved[3]; } FILE_COMPRESSION_INFORMATION, *PFILE_COMPRESSION_INFORMATION; typedef struct _FILE_COPY_ON_WRITE_INFORMATION { BOOLEAN ReplaceIfExists; HANDLE RootDirectory; ULONG FileNameLength; WCHAR FileName[1]; } FILE_COPY_ON_WRITE_INFORMATION, *PFILE_COPY_ON_WRITE_INFORMATION; typedef struct _FILE_DIRECTORY_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG FileNameLength; WCHAR FileName[1]; } FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION; typedef struct _FILE_FULL_DIRECTORY_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG FileNameLength; ULONG EaSize; WCHAR FileName[0]; } FILE_FULL_DIRECTORY_INFORMATION, *PFILE_FULL_DIRECTORY_INFORMATION; typedef struct _FILE_BOTH_DIRECTORY_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG FileNameLength; ULONG EaSize; CHAR ShortNameLength; WCHAR ShortName[12]; WCHAR FileName[0]; } FILE_BOTH_DIRECTORY_INFORMATION, *PFILE_BOTH_DIRECTORY_INFORMATION; typedef struct _FILE_EA_INFORMATION { ULONG EaSize; } FILE_EA_INFORMATION, *PFILE_EA_INFORMATION; typedef struct _FILE_FS_ATTRIBUTE_INFORMATION { ULONG FileSystemAttributes; ULONG MaximumComponentNameLength; ULONG FileSystemNameLength; WCHAR FileSystemName[1]; } FILE_FS_ATTRIBUTE_INFORMATION, *PFILE_FS_ATTRIBUTE_INFORMATION; typedef struct _FILE_FS_CONTROL_INFORMATION { LARGE_INTEGER FreeSpaceStartFiltering; LARGE_INTEGER FreeSpaceThreshold; LARGE_INTEGER FreeSpaceStopFiltering; LARGE_INTEGER DefaultQuotaThreshold; LARGE_INTEGER DefaultQuotaLimit; ULONG FileSystemControlFlags; } FILE_FS_CONTROL_INFORMATION, *PFILE_FS_CONTROL_INFORMATION; typedef struct _FILE_FS_FULL_SIZE_INFORMATION { LARGE_INTEGER TotalAllocationUnits; LARGE_INTEGER CallerAvailableAllocationUnits; LARGE_INTEGER ActualAvailableAllocationUnits; ULONG SectorsPerAllocationUnit; ULONG BytesPerSector; } FILE_FS_FULL_SIZE_INFORMATION, *PFILE_FS_FULL_SIZE_INFORMATION; typedef struct _FILE_FS_LABEL_INFORMATION { ULONG VolumeLabelLength; WCHAR VolumeLabel[1]; } FILE_FS_LABEL_INFORMATION, *PFILE_FS_LABEL_INFORMATION; #if (VER_PRODUCTBUILD >= 2195) typedef struct _FILE_FS_OBJECT_ID_INFORMATION { UCHAR ObjectId[16]; UCHAR ExtendedInfo[48]; } FILE_FS_OBJECT_ID_INFORMATION, *PFILE_FS_OBJECT_ID_INFORMATION; #endif // (VER_PRODUCTBUILD >= 2195) typedef struct _FILE_FS_SIZE_INFORMATION { LARGE_INTEGER TotalAllocationUnits; LARGE_INTEGER AvailableAllocationUnits; ULONG SectorsPerAllocationUnit; ULONG BytesPerSector; } FILE_FS_SIZE_INFORMATION, *PFILE_FS_SIZE_INFORMATION; typedef struct _FILE_FS_VOLUME_INFORMATION { LARGE_INTEGER VolumeCreationTime; ULONG VolumeSerialNumber; ULONG VolumeLabelLength; BOOLEAN SupportsObjects; WCHAR VolumeLabel[1]; } FILE_FS_VOLUME_INFORMATION, *PFILE_FS_VOLUME_INFORMATION; typedef struct _FILE_FULL_DIR_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG FileNameLength; ULONG EaSize; WCHAR FileName[1]; } FILE_FULL_DIR_INFORMATION, *PFILE_FULL_DIR_INFORMATION; typedef struct _FILE_GET_EA_INFORMATION { ULONG NextEntryOffset; UCHAR EaNameLength; CHAR EaName[1]; } FILE_GET_EA_INFORMATION, *PFILE_GET_EA_INFORMATION; typedef struct _FILE_GET_QUOTA_INFORMATION { ULONG NextEntryOffset; ULONG SidLength; SID Sid; } FILE_GET_QUOTA_INFORMATION, *PFILE_GET_QUOTA_INFORMATION; typedef struct _FILE_INTERNAL_INFORMATION { LARGE_INTEGER IndexNumber; } FILE_INTERNAL_INFORMATION, *PFILE_INTERNAL_INFORMATION; typedef struct _FILE_LINK_INFORMATION { BOOLEAN ReplaceIfExists; HANDLE RootDirectory; ULONG FileNameLength; WCHAR FileName[1]; } FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION; typedef struct _FILE_LOCK_INFO { LARGE_INTEGER StartingByte; LARGE_INTEGER Length; BOOLEAN ExclusiveLock; ULONG Key; PFILE_OBJECT FileObject; PEPROCESS Process; LARGE_INTEGER EndingByte; } FILE_LOCK_INFO, *PFILE_LOCK_INFO; // raw internal file lock struct returned from FsRtlGetNextFileLock typedef struct _FILE_SHARED_LOCK_ENTRY { PVOID Unknown1; PVOID Unknown2; FILE_LOCK_INFO FileLock; } FILE_SHARED_LOCK_ENTRY, *PFILE_SHARED_LOCK_ENTRY; // raw internal file lock struct returned from FsRtlGetNextFileLock typedef struct _FILE_EXCLUSIVE_LOCK_ENTRY { LIST_ENTRY ListEntry; PVOID Unknown1; PVOID Unknown2; FILE_LOCK_INFO FileLock; } FILE_EXCLUSIVE_LOCK_ENTRY, *PFILE_EXCLUSIVE_LOCK_ENTRY; typedef NTSTATUS (*PCOMPLETE_LOCK_IRP_ROUTINE) ( IN PVOID Context, IN PIRP Irp ); typedef VOID (NTAPI *PUNLOCK_ROUTINE) ( IN PVOID Context, IN PFILE_LOCK_INFO FileLockInfo ); typedef struct _FILE_LOCK { PCOMPLETE_LOCK_IRP_ROUTINE CompleteLockIrpRoutine; PUNLOCK_ROUTINE UnlockRoutine; BOOLEAN FastIoIsQuestionable; BOOLEAN Pad[3]; PVOID LockInformation; FILE_LOCK_INFO LastReturnedLockInfo; PVOID LastReturnedLock; } FILE_LOCK, *PFILE_LOCK; typedef struct _FILE_MAILSLOT_PEEK_BUFFER { ULONG ReadDataAvailable; ULONG NumberOfMessages; ULONG MessageLength; } FILE_MAILSLOT_PEEK_BUFFER, *PFILE_MAILSLOT_PEEK_BUFFER; typedef struct _FILE_MAILSLOT_QUERY_INFORMATION { ULONG MaximumMessageSize; ULONG MailslotQuota; ULONG NextMessageSize; ULONG MessagesAvailable; LARGE_INTEGER ReadTimeout; } FILE_MAILSLOT_QUERY_INFORMATION, *PFILE_MAILSLOT_QUERY_INFORMATION; typedef struct _FILE_MAILSLOT_SET_INFORMATION { LARGE_INTEGER ReadTimeout; } FILE_MAILSLOT_SET_INFORMATION, *PFILE_MAILSLOT_SET_INFORMATION; typedef struct _FILE_MODE_INFORMATION { ULONG Mode; } FILE_MODE_INFORMATION, *PFILE_MODE_INFORMATION; typedef struct _FILE_ALL_INFORMATION { FILE_BASIC_INFORMATION BasicInformation; FILE_STANDARD_INFORMATION StandardInformation; FILE_INTERNAL_INFORMATION InternalInformation; FILE_EA_INFORMATION EaInformation; FILE_ACCESS_INFORMATION AccessInformation; FILE_POSITION_INFORMATION PositionInformation; FILE_MODE_INFORMATION ModeInformation; FILE_ALIGNMENT_INFORMATION AlignmentInformation; FILE_NAME_INFORMATION NameInformation; } FILE_ALL_INFORMATION, *PFILE_ALL_INFORMATION; typedef struct _FILE_NAMES_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; ULONG FileNameLength; WCHAR FileName[1]; } FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION; typedef struct _FILE_OBJECTID_INFORMATION { LONGLONG FileReference; UCHAR ObjectId[16]; union { struct { UCHAR BirthVolumeId[16]; UCHAR BirthObjectId[16]; UCHAR DomainId[16]; } ; UCHAR ExtendedInfo[48]; }; } FILE_OBJECTID_INFORMATION, *PFILE_OBJECTID_INFORMATION; typedef struct _FILE_OLE_CLASSID_INFORMATION { GUID ClassId; } FILE_OLE_CLASSID_INFORMATION, *PFILE_OLE_CLASSID_INFORMATION; typedef struct _FILE_OLE_ALL_INFORMATION { FILE_BASIC_INFORMATION BasicInformation; FILE_STANDARD_INFORMATION StandardInformation; FILE_INTERNAL_INFORMATION InternalInformation; FILE_EA_INFORMATION EaInformation; FILE_ACCESS_INFORMATION AccessInformation; FILE_POSITION_INFORMATION PositionInformation; FILE_MODE_INFORMATION ModeInformation; FILE_ALIGNMENT_INFORMATION AlignmentInformation; USN LastChangeUsn; USN ReplicationUsn; LARGE_INTEGER SecurityChangeTime; FILE_OLE_CLASSID_INFORMATION OleClassIdInformation; FILE_OBJECTID_INFORMATION ObjectIdInformation; FILE_STORAGE_TYPE StorageType; ULONG OleStateBits; ULONG OleId; ULONG NumberOfStreamReferences; ULONG StreamIndex; ULONG SecurityId; BOOLEAN ContentIndexDisable; BOOLEAN InheritContentIndexDisable; FILE_NAME_INFORMATION NameInformation; } FILE_OLE_ALL_INFORMATION, *PFILE_OLE_ALL_INFORMATION; typedef struct _FILE_OLE_DIR_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG FileNameLength; FILE_STORAGE_TYPE StorageType; GUID OleClassId; ULONG OleStateBits; BOOLEAN ContentIndexDisable; BOOLEAN InheritContentIndexDisable; WCHAR FileName[1]; } FILE_OLE_DIR_INFORMATION, *PFILE_OLE_DIR_INFORMATION; typedef struct _FILE_OLE_INFORMATION { LARGE_INTEGER SecurityChangeTime; FILE_OLE_CLASSID_INFORMATION OleClassIdInformation; FILE_OBJECTID_INFORMATION ObjectIdInformation; FILE_STORAGE_TYPE StorageType; ULONG OleStateBits; BOOLEAN ContentIndexDisable; BOOLEAN InheritContentIndexDisable; } FILE_OLE_INFORMATION, *PFILE_OLE_INFORMATION; typedef struct _FILE_OLE_STATE_BITS_INFORMATION { ULONG StateBits; ULONG StateBitsMask; } FILE_OLE_STATE_BITS_INFORMATION, *PFILE_OLE_STATE_BITS_INFORMATION; typedef struct _FILE_PIPE_ASSIGN_EVENT_BUFFER { HANDLE EventHandle; ULONG KeyValue; } FILE_PIPE_ASSIGN_EVENT_BUFFER, *PFILE_PIPE_ASSIGN_EVENT_BUFFER; typedef struct _FILE_PIPE_CLIENT_PROCESS_BUFFER { PVOID ClientSession; PVOID ClientProcess; } FILE_PIPE_CLIENT_PROCESS_BUFFER, *PFILE_PIPE_CLIENT_PROCESS_BUFFER; typedef struct _FILE_PIPE_EVENT_BUFFER { ULONG NamedPipeState; ULONG EntryType; ULONG ByteCount; ULONG KeyValue; ULONG NumberRequests; } FILE_PIPE_EVENT_BUFFER, *PFILE_PIPE_EVENT_BUFFER; typedef struct _FILE_PIPE_INFORMATION { ULONG ReadMode; ULONG CompletionMode; } FILE_PIPE_INFORMATION, *PFILE_PIPE_INFORMATION; typedef struct _FILE_PIPE_LOCAL_INFORMATION { ULONG NamedPipeType; ULONG NamedPipeConfiguration; ULONG MaximumInstances; ULONG CurrentInstances; ULONG InboundQuota; ULONG ReadDataAvailable; ULONG OutboundQuota; ULONG WriteQuotaAvailable; ULONG NamedPipeState; ULONG NamedPipeEnd; } FILE_PIPE_LOCAL_INFORMATION, *PFILE_PIPE_LOCAL_INFORMATION; typedef struct _FILE_PIPE_REMOTE_INFORMATION { LARGE_INTEGER CollectDataTime; ULONG MaximumCollectionCount; } FILE_PIPE_REMOTE_INFORMATION, *PFILE_PIPE_REMOTE_INFORMATION; typedef struct _FILE_PIPE_WAIT_FOR_BUFFER { LARGE_INTEGER Timeout; ULONG NameLength; BOOLEAN TimeoutSpecified; WCHAR Name[1]; } FILE_PIPE_WAIT_FOR_BUFFER, *PFILE_PIPE_WAIT_FOR_BUFFER; typedef struct _FILE_QUOTA_INFORMATION { ULONG NextEntryOffset; ULONG SidLength; LARGE_INTEGER ChangeTime; LARGE_INTEGER QuotaUsed; LARGE_INTEGER QuotaThreshold; LARGE_INTEGER QuotaLimit; SID Sid; } FILE_QUOTA_INFORMATION, *PFILE_QUOTA_INFORMATION; typedef struct _FILE_RENAME_INFORMATION { BOOLEAN ReplaceIfExists; HANDLE RootDirectory; ULONG FileNameLength; WCHAR FileName[1]; } FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION; typedef struct _FILE_STREAM_INFORMATION { ULONG NextEntryOffset; ULONG StreamNameLength; LARGE_INTEGER StreamSize; LARGE_INTEGER StreamAllocationSize; WCHAR StreamName[1]; } FILE_STREAM_INFORMATION, *PFILE_STREAM_INFORMATION; typedef struct _FILE_TRACKING_INFORMATION { HANDLE DestinationFile; ULONG ObjectInformationLength; CHAR ObjectInformation[1]; } FILE_TRACKING_INFORMATION, *PFILE_TRACKING_INFORMATION; typedef struct _FSRTL_COMMON_FCB_HEADER { CSHORT NodeTypeCode; CSHORT NodeByteSize; UCHAR Flags; UCHAR IsFastIoPossible; #if (VER_PRODUCTBUILD >= 1381) UCHAR Flags2; UCHAR Reserved; #endif // (VER_PRODUCTBUILD >= 1381) PERESOURCE Resource; PERESOURCE PagingIoResource; LARGE_INTEGER AllocationSize; LARGE_INTEGER FileSize; LARGE_INTEGER ValidDataLength; } FSRTL_COMMON_FCB_HEADER, *PFSRTL_COMMON_FCB_HEADER; typedef struct _GENERATE_NAME_CONTEXT { USHORT Checksum; BOOLEAN CheckSumInserted; UCHAR NameLength; WCHAR NameBuffer[8]; ULONG ExtensionLength; WCHAR ExtensionBuffer[4]; ULONG LastIndexValue; } GENERATE_NAME_CONTEXT, *PGENERATE_NAME_CONTEXT; typedef struct _HANDLE_TABLE_ENTRY { PVOID Object; ULONG ObjectAttributes; ULONG GrantedAccess; USHORT GrantedAccessIndex; USHORT CreatorBackTraceIndex; ULONG NextFreeTableEntry; } HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY; typedef struct _MAPPING_PAIR { ULONGLONG Vcn; ULONGLONG Lcn; } MAPPING_PAIR, *PMAPPING_PAIR; typedef struct _GET_RETRIEVAL_DESCRIPTOR { ULONG NumberOfPairs; ULONGLONG StartVcn; MAPPING_PAIR Pair[1]; } GET_RETRIEVAL_DESCRIPTOR, *PGET_RETRIEVAL_DESCRIPTOR; typedef struct _IO_CLIENT_EXTENSION { struct _IO_CLIENT_EXTENSION *NextExtension; PVOID ClientIdentificationAddress; } IO_CLIENT_EXTENSION, *PIO_CLIENT_EXTENSION; typedef struct _IO_COMPLETION_BASIC_INFORMATION { LONG Depth; } IO_COMPLETION_BASIC_INFORMATION, *PIO_COMPLETION_BASIC_INFORMATION; typedef struct _KEVENT_PAIR { USHORT Type; USHORT Size; KEVENT Event1; KEVENT Event2; } KEVENT_PAIR, *PKEVENT_PAIR; typedef struct _KQUEUE { DISPATCHER_HEADER Header; LIST_ENTRY EntryListHead; ULONG CurrentCount; ULONG MaximumCount; LIST_ENTRY ThreadListHead; } KQUEUE, *PKQUEUE, *RESTRICTED_POINTER PRKQUEUE; typedef struct _MAILSLOT_CREATE_PARAMETERS { ULONG MailslotQuota; ULONG MaximumMessageSize; LARGE_INTEGER ReadTimeout; BOOLEAN TimeoutSpecified; } MAILSLOT_CREATE_PARAMETERS, *PMAILSLOT_CREATE_PARAMETERS; typedef struct _MBCB { CSHORT NodeTypeCode; CSHORT NodeIsInZone; ULONG PagesToWrite; ULONG DirtyPages; ULONG Reserved; LIST_ENTRY BitmapRanges; LONGLONG ResumeWritePage; BITMAP_RANGE BitmapRange1; BITMAP_RANGE BitmapRange2; BITMAP_RANGE BitmapRange3; } MBCB, *PMBCB; typedef struct _MOVEFILE_DESCRIPTOR { HANDLE FileHandle; ULONG Reserved; LARGE_INTEGER StartVcn; LARGE_INTEGER TargetLcn; ULONG NumVcns; ULONG Reserved1; } MOVEFILE_DESCRIPTOR, *PMOVEFILE_DESCRIPTOR; typedef struct _NAMED_PIPE_CREATE_PARAMETERS { ULONG NamedPipeType; ULONG ReadMode; ULONG CompletionMode; ULONG MaximumInstances; ULONG InboundQuota; ULONG OutboundQuota; LARGE_INTEGER DefaultTimeout; BOOLEAN TimeoutSpecified; } NAMED_PIPE_CREATE_PARAMETERS, *PNAMED_PIPE_CREATE_PARAMETERS; typedef struct _OBJECT_BASIC_INFO { ULONG Attributes; ACCESS_MASK GrantedAccess; ULONG HandleCount; ULONG ReferenceCount; ULONG PagedPoolUsage; ULONG NonPagedPoolUsage; ULONG Reserved[3]; ULONG NameInformationLength; ULONG TypeInformationLength; ULONG SecurityDescriptorLength; LARGE_INTEGER CreateTime; } OBJECT_BASIC_INFO, *POBJECT_BASIC_INFO; typedef struct _OBJECT_HANDLE_ATTRIBUTE_INFO { BOOLEAN Inherit; BOOLEAN ProtectFromClose; } OBJECT_HANDLE_ATTRIBUTE_INFO, *POBJECT_HANDLE_ATTRIBUTE_INFO; typedef struct _OBJECT_NAME_INFO { UNICODE_STRING ObjectName; WCHAR ObjectNameBuffer[1]; } OBJECT_NAME_INFO, *POBJECT_NAME_INFO; typedef struct _OBJECT_PROTECTION_INFO { BOOLEAN Inherit; BOOLEAN ProtectHandle; } OBJECT_PROTECTION_INFO, *POBJECT_PROTECTION_INFO; typedef struct _OBJECT_TYPE_INFO { UNICODE_STRING ObjectTypeName; UCHAR Unknown[0x58]; WCHAR ObjectTypeNameBuffer[1]; } OBJECT_TYPE_INFO, *POBJECT_TYPE_INFO; typedef struct _OBJECT_ALL_TYPES_INFO { ULONG NumberOfObjectTypes; OBJECT_TYPE_INFO ObjectsTypeInfo[1]; } OBJECT_ALL_TYPES_INFO, *POBJECT_ALL_TYPES_INFO; typedef struct _PAGEFAULT_HISTORY { ULONG CurrentIndex; ULONG MaxIndex; KSPIN_LOCK SpinLock; PVOID Reserved; PROCESS_WS_WATCH_INFORMATION WatchInfo[1]; } PAGEFAULT_HISTORY, *PPAGEFAULT_HISTORY; typedef struct _PATHNAME_BUFFER { ULONG PathNameLength; WCHAR Name[1]; } PATHNAME_BUFFER, *PPATHNAME_BUFFER; #if (VER_PRODUCTBUILD >= 2600) typedef struct _PRIVATE_CACHE_MAP_FLAGS { ULONG DontUse : 16; ULONG ReadAheadActive : 1; ULONG ReadAheadEnabled : 1; ULONG Available : 14; } PRIVATE_CACHE_MAP_FLAGS, *PPRIVATE_CACHE_MAP_FLAGS; typedef struct _PRIVATE_CACHE_MAP { union { CSHORT NodeTypeCode; PRIVATE_CACHE_MAP_FLAGS Flags; ULONG UlongFlags; }; ULONG ReadAheadMask; PFILE_OBJECT FileObject; LARGE_INTEGER FileOffset1; LARGE_INTEGER BeyondLastByte1; LARGE_INTEGER FileOffset2; LARGE_INTEGER BeyondLastByte2; LARGE_INTEGER ReadAheadOffset[2]; ULONG ReadAheadLength[2]; KSPIN_LOCK ReadAheadSpinLock; LIST_ENTRY PrivateLinks; } PRIVATE_CACHE_MAP, *PPRIVATE_CACHE_MAP; #endif typedef struct _PS_IMPERSONATION_INFORMATION { PACCESS_TOKEN Token; BOOLEAN CopyOnOpen; BOOLEAN EffectiveOnly; SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; } PS_IMPERSONATION_INFORMATION, *PPS_IMPERSONATION_INFORMATION; typedef struct _PUBLIC_BCB { CSHORT NodeTypeCode; CSHORT NodeByteSize; ULONG MappedLength; LARGE_INTEGER MappedFileOffset; } PUBLIC_BCB, *PPUBLIC_BCB; typedef struct _QUERY_PATH_REQUEST { ULONG PathNameLength; PIO_SECURITY_CONTEXT SecurityContext; WCHAR FilePathName[1]; } QUERY_PATH_REQUEST, *PQUERY_PATH_REQUEST; typedef struct _QUERY_PATH_RESPONSE { ULONG LengthAccepted; } QUERY_PATH_RESPONSE, *PQUERY_PATH_RESPONSE; typedef struct _RETRIEVAL_POINTERS_BUFFER { ULONG ExtentCount; LARGE_INTEGER StartingVcn; struct { LARGE_INTEGER NextVcn; LARGE_INTEGER Lcn; } Extents[1]; } RETRIEVAL_POINTERS_BUFFER, *PRETRIEVAL_POINTERS_BUFFER; typedef struct _RTL_SPLAY_LINKS { struct _RTL_SPLAY_LINKS *Parent; struct _RTL_SPLAY_LINKS *LeftChild; struct _RTL_SPLAY_LINKS *RightChild; } RTL_SPLAY_LINKS, *PRTL_SPLAY_LINKS; typedef struct _SE_EXPORTS { LUID SeCreateTokenPrivilege; LUID SeAssignPrimaryTokenPrivilege; LUID SeLockMemoryPrivilege; LUID SeIncreaseQuotaPrivilege; LUID SeUnsolicitedInputPrivilege; LUID SeTcbPrivilege; LUID SeSecurityPrivilege; LUID SeTakeOwnershipPrivilege; LUID SeLoadDriverPrivilege; LUID SeCreatePagefilePrivilege; LUID SeIncreaseBasePriorityPrivilege; LUID SeSystemProfilePrivilege; LUID SeSystemtimePrivilege; LUID SeProfileSingleProcessPrivilege; LUID SeCreatePermanentPrivilege; LUID SeBackupPrivilege; LUID SeRestorePrivilege; LUID SeShutdownPrivilege; LUID SeDebugPrivilege; LUID SeAuditPrivilege; LUID SeSystemEnvironmentPrivilege; LUID SeChangeNotifyPrivilege; LUID SeRemoteShutdownPrivilege; PSID SeNullSid; PSID SeWorldSid; PSID SeLocalSid; PSID SeCreatorOwnerSid; PSID SeCreatorGroupSid; PSID SeNtAuthoritySid; PSID SeDialupSid; PSID SeNetworkSid; PSID SeBatchSid; PSID SeInteractiveSid; PSID SeLocalSystemSid; PSID SeAliasAdminsSid; PSID SeAliasUsersSid; PSID SeAliasGuestsSid; PSID SeAliasPowerUsersSid; PSID SeAliasAccountOpsSid; PSID SeAliasSystemOpsSid; PSID SeAliasPrintOpsSid; PSID SeAliasBackupOpsSid; PSID SeAuthenticatedUsersSid; PSID SeRestrictedSid; PSID SeAnonymousLogonSid; LUID SeUndockPrivilege; LUID SeSyncAgentPrivilege; LUID SeEnableDelegationPrivilege; } SE_EXPORTS, *PSE_EXPORTS; typedef struct _SECTION_BASIC_INFORMATION { PVOID BaseAddress; ULONG Attributes; LARGE_INTEGER Size; } SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION; typedef struct _SECTION_IMAGE_INFORMATION { PVOID EntryPoint; ULONG Unknown1; ULONG StackReserve; ULONG StackCommit; ULONG Subsystem; USHORT MinorSubsystemVersion; USHORT MajorSubsystemVersion; ULONG Unknown2; ULONG Characteristics; USHORT ImageNumber; BOOLEAN Executable; UCHAR Unknown3; ULONG Unknown4[3]; } SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION; #if (VER_PRODUCTBUILD >= 2600) typedef struct _SHARED_CACHE_MAP { CSHORT NodeTypeCode; CSHORT NodeByteSize; ULONG OpenCount; LARGE_INTEGER FileSize; LIST_ENTRY BcbList; LARGE_INTEGER SectionSize; LARGE_INTEGER ValidDataLength; LARGE_INTEGER ValidDataGoal; PVACB InitialVacbs[4]; PVACB *Vacbs; PFILE_OBJECT FileObject; PVACB ActiveVacb; PVOID NeedToZero; ULONG ActivePage; ULONG NeedToZeroPage; KSPIN_LOCK ActiveVacbSpinLock; ULONG VacbActiveCount; ULONG DirtyPages; LIST_ENTRY SharedCacheMapLinks; ULONG Flags; NTSTATUS Status; PMBCB Mbcb; PVOID Section; PKEVENT CreateEvent; PKEVENT WaitOnActiveCount; ULONG PagesToWrite; LONGLONG BeyondLastFlush; PCACHE_MANAGER_CALLBACKS Callbacks; PVOID LazyWriteContext; LIST_ENTRY PrivateList; PVOID LogHandle; PVOID FlushToLsnRoutine; ULONG DirtyPageThreshold; ULONG LazyWritePassCount; PCACHE_UNINITIALIZE_EVENT UninitializeEvent; PVACB NeedToZeroVacb; KSPIN_LOCK BcbSpinLock; PVOID Reserved; KEVENT Event; EX_PUSH_LOCK VacbPushLock; PRIVATE_CACHE_MAP PrivateCacheMap; } SHARED_CACHE_MAP, *PSHARED_CACHE_MAP; #endif typedef struct _STARTING_VCN_INPUT_BUFFER { LARGE_INTEGER StartingVcn; } STARTING_VCN_INPUT_BUFFER, *PSTARTING_VCN_INPUT_BUFFER; typedef struct _SYSTEM_CACHE_INFORMATION { ULONG CurrentSize; ULONG PeakSize; ULONG PageFaultCount; ULONG MinimumWorkingSet; ULONG MaximumWorkingSet; ULONG Unused[4]; } SYSTEM_CACHE_INFORMATION, *PSYSTEM_CACHE_INFORMATION; typedef struct _TERMINATION_PORT { struct _TERMINATION_PORT* Next; PVOID Port; } TERMINATION_PORT, *PTERMINATION_PORT; typedef struct _SECURITY_CLIENT_CONTEXT { SECURITY_QUALITY_OF_SERVICE SecurityQos; PACCESS_TOKEN ClientToken; BOOLEAN DirectlyAccessClientToken; BOOLEAN DirectAccessEffectiveOnly; BOOLEAN ServerIsRemote; TOKEN_CONTROL ClientTokenControl; } SECURITY_CLIENT_CONTEXT, *PSECURITY_CLIENT_CONTEXT; typedef struct _TUNNEL { FAST_MUTEX Mutex; PRTL_SPLAY_LINKS Cache; LIST_ENTRY TimerQueue; USHORT NumEntries; } TUNNEL, *PTUNNEL; typedef struct _VACB { PVOID BaseAddress; PSHARED_CACHE_MAP SharedCacheMap; union { LARGE_INTEGER FileOffset; USHORT ActiveCount; } Overlay; LIST_ENTRY LruList; } VACB, *PVACB; typedef struct _VAD_HEADER { PVOID StartVPN; PVOID EndVPN; PVAD_HEADER ParentLink; PVAD_HEADER LeftLink; PVAD_HEADER RightLink; ULONG Flags; // LSB = CommitCharge PVOID ControlArea; PVOID FirstProtoPte; PVOID LastPTE; ULONG Unknown; LIST_ENTRY Secured; } VAD_HEADER, *PVAD_HEADER; NTKERNELAPI BOOLEAN NTAPI CcCanIWrite ( IN PFILE_OBJECT FileObject, IN ULONG BytesToWrite, IN BOOLEAN Wait, IN BOOLEAN Retrying ); NTKERNELAPI BOOLEAN NTAPI CcCopyRead ( IN PFILE_OBJECT FileObject, IN PLARGE_INTEGER FileOffset, IN ULONG Length, IN BOOLEAN Wait, OUT PVOID Buffer, OUT PIO_STATUS_BLOCK IoStatus ); NTKERNELAPI BOOLEAN NTAPI CcCopyWrite ( IN PFILE_OBJECT FileObject, IN PLARGE_INTEGER FileOffset, IN ULONG Length, IN BOOLEAN Wait, IN PVOID Buffer ); #define CcCopyWriteWontFlush(FO, FOFF, LEN) ((LEN) <= 0x10000) typedef VOID (NTAPI *PCC_POST_DEFERRED_WRITE) ( IN PVOID Context1, IN PVOID Context2 ); NTKERNELAPI VOID NTAPI CcDeferWrite ( IN PFILE_OBJECT FileObject, IN PCC_POST_DEFERRED_WRITE PostRoutine, IN PVOID Context1, IN PVOID Context2, IN ULONG BytesToWrite, IN BOOLEAN Retrying ); NTKERNELAPI VOID NTAPI CcFastCopyRead ( IN PFILE_OBJECT FileObject, IN ULONG FileOffset, IN ULONG Length, IN ULONG PageCount, OUT PVOID Buffer, OUT PIO_STATUS_BLOCK IoStatus ); NTKERNELAPI VOID NTAPI CcFastCopyWrite ( IN PFILE_OBJECT FileObject, IN ULONG FileOffset, IN ULONG Length, IN PVOID Buffer ); NTKERNELAPI VOID NTAPI CcFlushCache ( IN PSECTION_OBJECT_POINTERS SectionObjectPointer, IN PLARGE_INTEGER FileOffset OPTIONAL, IN ULONG Length, OUT PIO_STATUS_BLOCK IoStatus OPTIONAL ); typedef VOID (*PDIRTY_PAGE_ROUTINE) ( IN PFILE_OBJECT FileObject, IN PLARGE_INTEGER FileOffset, IN ULONG Length, IN PLARGE_INTEGER OldestLsn, IN PLARGE_INTEGER NewestLsn, IN PVOID Context1, IN PVOID Context2 ); NTKERNELAPI LARGE_INTEGER NTAPI CcGetDirtyPages ( IN PVOID LogHandle, IN PDIRTY_PAGE_ROUTINE DirtyPageRoutine, IN PVOID Context1, IN PVOID Context2 ); NTKERNELAPI PFILE_OBJECT NTAPI CcGetFileObjectFromBcb ( IN PVOID Bcb ); NTKERNELAPI PFILE_OBJECT NTAPI CcGetFileObjectFromSectionPtrs ( IN PSECTION_OBJECT_POINTERS SectionObjectPointer ); #define CcGetFileSizePointer(FO) ( \ ((PLARGE_INTEGER)((FO)->SectionObjectPointer->SharedCacheMap) + 1) \ ) #if (VER_PRODUCTBUILD >= 2195) NTKERNELAPI LARGE_INTEGER NTAPI CcGetFlushedValidData ( IN PSECTION_OBJECT_POINTERS SectionObjectPointer, IN BOOLEAN BcbListHeld ); #endif // (VER_PRODUCTBUILD >= 2195) NTKERNELAPI LARGE_INTEGER CcGetLsnForFileObject ( IN PFILE_OBJECT FileObject, OUT PLARGE_INTEGER OldestLsn OPTIONAL ); typedef BOOLEAN (NTAPI *PACQUIRE_FOR_LAZY_WRITE) ( IN PVOID Context, IN BOOLEAN Wait ); typedef VOID (NTAPI *PRELEASE_FROM_LAZY_WRITE) ( IN PVOID Context ); typedef BOOLEAN (NTAPI *PACQUIRE_FOR_READ_AHEAD) ( IN PVOID Context, IN BOOLEAN Wait ); typedef VOID (NTAPI *PRELEASE_FROM_READ_AHEAD) ( IN PVOID Context ); typedef struct _CACHE_MANAGER_CALLBACKS { PACQUIRE_FOR_LAZY_WRITE AcquireForLazyWrite; PRELEASE_FROM_LAZY_WRITE ReleaseFromLazyWrite; PACQUIRE_FOR_READ_AHEAD AcquireForReadAhead; PRELEASE_FROM_READ_AHEAD ReleaseFromReadAhead; } CACHE_MANAGER_CALLBACKS, *PCACHE_MANAGER_CALLBACKS; NTKERNELAPI VOID NTAPI CcInitializeCacheMap ( IN PFILE_OBJECT FileObject, IN PCC_FILE_SIZES FileSizes, IN BOOLEAN PinAccess, IN PCACHE_MANAGER_CALLBACKS Callbacks, IN PVOID LazyWriteContext ); #define CcIsFileCached(FO) ( \ ((FO)->SectionObjectPointer != NULL) && \ (((PSECTION_OBJECT_POINTERS)(FO)->SectionObjectPointer)->SharedCacheMap != NULL) \ ) NTKERNELAPI BOOLEAN NTAPI CcIsThereDirtyData ( IN PVPB Vpb ); NTKERNELAPI BOOLEAN NTAPI CcMapData ( IN PFILE_OBJECT FileObject, IN PLARGE_INTEGER FileOffset, IN ULONG Length, IN BOOLEAN Wait, OUT PVOID *Bcb, OUT PVOID *Buffer ); NTKERNELAPI VOID NTAPI CcMdlRead ( IN PFILE_OBJECT FileObject, IN PLARGE_INTEGER FileOffset, IN ULONG Length, OUT PMDL *MdlChain, OUT PIO_STATUS_BLOCK IoStatus ); NTKERNELAPI VOID NTAPI CcMdlReadComplete ( IN PFILE_OBJECT FileObject, IN PMDL MdlChain ); NTKERNELAPI VOID NTAPI CcMdlWriteComplete ( IN PFILE_OBJECT FileObject, IN PLARGE_INTEGER FileOffset, IN PMDL MdlChain ); NTKERNELAPI BOOLEAN NTAPI CcPinMappedData ( IN PFILE_OBJECT FileObject, IN PLARGE_INTEGER FileOffset, IN ULONG Length, #if (VER_PRODUCTBUILD >= 2195) IN ULONG Flags, #else IN BOOLEAN Wait, #endif IN OUT PVOID *Bcb ); NTKERNELAPI BOOLEAN NTAPI CcPinRead ( IN PFILE_OBJECT FileObject, IN PLARGE_INTEGER FileOffset, IN ULONG Length, #if (VER_PRODUCTBUILD >= 2195) IN ULONG Flags, #else IN BOOLEAN Wait, #endif OUT PVOID *Bcb, OUT PVOID *Buffer ); NTKERNELAPI VOID NTAPI CcPrepareMdlWrite ( IN PFILE_OBJECT FileObject, IN PLARGE_INTEGER FileOffset, IN ULONG Length, OUT PMDL *MdlChain, OUT PIO_STATUS_BLOCK IoStatus ); NTKERNELAPI BOOLEAN NTAPI CcPreparePinWrite ( IN PFILE_OBJECT FileObject, IN PLARGE_INTEGER FileOffset, IN ULONG Length, IN BOOLEAN Zero, #if (VER_PRODUCTBUILD >= 2195) IN ULONG Flags, #else IN BOOLEAN Wait, #endif OUT PVOID *Bcb, OUT PVOID *Buffer ); NTKERNELAPI BOOLEAN NTAPI CcPurgeCacheSection ( IN PSECTION_OBJECT_POINTERS SectionObjectPointer, IN PLARGE_INTEGER FileOffset OPTIONAL, IN ULONG Length, IN BOOLEAN UninitializeCacheMaps ); #define CcReadAhead(FO, FOFF, LEN) ( \ if ((LEN) >= 256) { \ CcScheduleReadAhead((FO), (FOFF), (LEN)); \ } \ ) #if (VER_PRODUCTBUILD >= 2195) NTKERNELAPI PVOID NTAPI CcRemapBcb ( IN PVOID Bcb ); #endif // (VER_PRODUCTBUILD >= 2195) NTKERNELAPI VOID NTAPI CcRepinBcb ( IN PVOID Bcb ); NTKERNELAPI VOID NTAPI CcScheduleReadAhead ( IN PFILE_OBJECT FileObject, IN PLARGE_INTEGER FileOffset, IN ULONG Length ); NTKERNELAPI VOID NTAPI CcSetAdditionalCacheAttributes ( IN PFILE_OBJECT FileObject, IN BOOLEAN DisableReadAhead, IN BOOLEAN DisableWriteBehind ); NTKERNELAPI VOID NTAPI CcSetBcbOwnerPointer ( IN PVOID Bcb, IN PVOID OwnerPointer ); NTKERNELAPI VOID NTAPI CcSetDirtyPageThreshold ( IN PFILE_OBJECT FileObject, IN ULONG DirtyPageThreshold ); NTKERNELAPI VOID NTAPI CcSetDirtyPinnedData ( IN PVOID BcbVoid, IN PLARGE_INTEGER Lsn OPTIONAL ); NTKERNELAPI VOID NTAPI CcSetFileSizes ( IN PFILE_OBJECT FileObject, IN PCC_FILE_SIZES FileSizes ); typedef VOID (NTAPI *PFLUSH_TO_LSN) ( IN PVOID LogHandle, IN PLARGE_INTEGER Lsn ); NTKERNELAPI VOID NTAPI CcSetLogHandleForFile ( IN PFILE_OBJECT FileObject, IN PVOID LogHandle, IN PFLUSH_TO_LSN FlushToLsnRoutine ); NTKERNELAPI VOID NTAPI CcSetReadAheadGranularity ( IN PFILE_OBJECT FileObject, IN ULONG Granularity // default: PAGE_SIZE // allowed: 2^n * PAGE_SIZE ); NTKERNELAPI BOOLEAN NTAPI CcUninitializeCacheMap ( IN PFILE_OBJECT FileObject, IN PLARGE_INTEGER TruncateSize OPTIONAL, IN PCACHE_UNINITIALIZE_EVENT UninitializeCompleteEvent OPTIONAL ); NTKERNELAPI VOID NTAPI CcUnpinData ( IN PVOID Bcb ); NTKERNELAPI VOID NTAPI CcUnpinDataForThread ( IN PVOID Bcb, IN ERESOURCE_THREAD ResourceThreadId ); NTKERNELAPI VOID NTAPI CcUnpinRepinnedBcb ( IN PVOID Bcb, IN BOOLEAN WriteThrough, OUT PIO_STATUS_BLOCK IoStatus ); #if (VER_PRODUCTBUILD >= 2195) NTKERNELAPI NTSTATUS NTAPI CcWaitForCurrentLazyWriterActivity ( VOID ); #endif // (VER_PRODUCTBUILD >= 2195) NTKERNELAPI BOOLEAN NTAPI CcZeroData ( IN PFILE_OBJECT FileObject, IN PLARGE_INTEGER StartOffset, IN PLARGE_INTEGER EndOffset, IN BOOLEAN Wait ); NTKERNELAPI VOID NTAPI ExDisableResourceBoostLite ( IN PERESOURCE Resource ); NTKERNELAPI ULONG NTAPI ExQueryPoolBlockSize ( IN PVOID PoolBlock, OUT PBOOLEAN QuotaCharged ); #define FlagOn(x, f) ((x) & (f)) NTKERNELAPI VOID NTAPI FsRtlAddToTunnelCache ( IN PTUNNEL Cache, IN ULONGLONG DirectoryKey, IN PUNICODE_STRING ShortName, IN PUNICODE_STRING LongName, IN BOOLEAN KeyByShortName, IN ULONG DataLength, IN PVOID Data ); #if (VER_PRODUCTBUILD >= 2195) PFILE_LOCK NTAPI FsRtlAllocateFileLock ( IN PCOMPLETE_LOCK_IRP_ROUTINE CompleteLockIrpRoutine OPTIONAL, IN PUNLOCK_ROUTINE UnlockRoutine OPTIONAL ); #endif // (VER_PRODUCTBUILD >= 2195) NTKERNELAPI PVOID NTAPI FsRtlAllocatePool ( IN POOL_TYPE PoolType, IN ULONG NumberOfBytes ); NTKERNELAPI PVOID NTAPI FsRtlAllocatePoolWithQuota ( IN POOL_TYPE PoolType, IN ULONG NumberOfBytes ); NTKERNELAPI PVOID NTAPI FsRtlAllocatePoolWithQuotaTag ( IN POOL_TYPE PoolType, IN ULONG NumberOfBytes, IN ULONG Tag ); NTKERNELAPI PVOID NTAPI FsRtlAllocatePoolWithTag ( IN POOL_TYPE PoolType, IN ULONG NumberOfBytes, IN ULONG Tag ); NTKERNELAPI BOOLEAN NTAPI FsRtlAreNamesEqual ( IN PUNICODE_STRING Name1, IN PUNICODE_STRING Name2, IN BOOLEAN IgnoreCase, IN PWCHAR UpcaseTable OPTIONAL ); #define FsRtlAreThereCurrentFileLocks(FL) ( \ ((FL)->FastIoIsQuestionable) \ ) /* FsRtlCheckLockForReadAccess: All this really does is pick out the lock parameters from the irp (io stack location?), get IoGetRequestorProcess, and pass values on to FsRtlFastCheckLockForRead. */ NTKERNELAPI BOOLEAN NTAPI FsRtlCheckLockForReadAccess ( IN PFILE_LOCK FileLock, IN PIRP Irp ); /* FsRtlCheckLockForWriteAccess: All this really does is pick out the lock parameters from the irp (io stack location?), get IoGetRequestorProcess, and pass values on to FsRtlFastCheckLockForWrite. */ NTKERNELAPI BOOLEAN NTAPI FsRtlCheckLockForWriteAccess ( IN PFILE_LOCK FileLock, IN PIRP Irp ); typedef VOID NTAPI (*POPLOCK_WAIT_COMPLETE_ROUTINE) ( IN PVOID Context, IN PIRP Irp ); typedef VOID NTAPI (*POPLOCK_FS_PREPOST_IRP) ( IN PVOID Context, IN PIRP Irp ); NTKERNELAPI NTSTATUS NTAPI FsRtlCheckOplock ( IN POPLOCK Oplock, IN PIRP Irp, IN PVOID Context, IN POPLOCK_WAIT_COMPLETE_ROUTINE CompletionRoutine OPTIONAL, IN POPLOCK_FS_PREPOST_IRP PostIrpRoutine OPTIONAL ); NTKERNELAPI BOOLEAN NTAPI FsRtlCopyRead ( IN PFILE_OBJECT FileObject, IN PLARGE_INTEGER FileOffset, IN ULONG Length, IN BOOLEAN Wait, IN ULONG LockKey, OUT PVOID Buffer, OUT PIO_STATUS_BLOCK IoStatus, IN PDEVICE_OBJECT DeviceObject ); NTKERNELAPI BOOLEAN NTAPI FsRtlCopyWrite ( IN PFILE_OBJECT FileObject, IN PLARGE_INTEGER FileOffset, IN ULONG Length, IN BOOLEAN Wait, IN ULONG LockKey, IN PVOID Buffer, OUT PIO_STATUS_BLOCK IoStatus, IN PDEVICE_OBJECT DeviceObject ); NTKERNELAPI BOOLEAN NTAPI FsRtlCurrentBatchOplock ( IN POPLOCK Oplock ); NTKERNELAPI VOID NTAPI FsRtlDeleteKeyFromTunnelCache ( IN PTUNNEL Cache, IN ULONGLONG DirectoryKey ); NTKERNELAPI VOID NTAPI FsRtlDeleteTunnelCache ( IN PTUNNEL Cache ); NTKERNELAPI VOID NTAPI FsRtlDeregisterUncProvider ( IN HANDLE Handle ); NTKERNELAPI BOOLEAN NTAPI FsRtlDoesNameContainWildCards ( IN PUNICODE_STRING Name ); #define FsRtlEnterFileSystem KeEnterCriticalRegion #define FsRtlExitFileSystem KeLeaveCriticalRegion NTKERNELAPI BOOLEAN NTAPI FsRtlFastCheckLockForRead ( IN PFILE_LOCK FileLock, IN PLARGE_INTEGER FileOffset, IN PLARGE_INTEGER Length, IN ULONG Key, IN PFILE_OBJECT FileObject, IN PEPROCESS Process ); NTKERNELAPI BOOLEAN NTAPI FsRtlFastCheckLockForWrite ( IN PFILE_LOCK FileLock, IN PLARGE_INTEGER FileOffset, IN PLARGE_INTEGER Length, IN ULONG Key, IN PFILE_OBJECT FileObject, IN PEPROCESS Process ); #define FsRtlFastLock(A1, A2, A3, A4, A5, A6, A7, A8, A9, A10, A11) ( \ FsRtlPrivateLock(A1, A2, A3, A4, A5, A6, A7, A8, A9, NULL, A10, A11) \ ) NTKERNELAPI NTSTATUS NTAPI FsRtlFastUnlockAll ( IN PFILE_LOCK FileLock, IN PFILE_OBJECT FileObject, IN PEPROCESS Process, IN PVOID Context OPTIONAL ); //ret: STATUS_RANGE_NOT_LOCKED NTKERNELAPI NTSTATUS NTAPI FsRtlFastUnlockAllByKey ( IN PFILE_LOCK FileLock, IN PFILE_OBJECT FileObject, IN PEPROCESS Process, IN ULONG Key, IN PVOID Context OPTIONAL ); //ret: STATUS_RANGE_NOT_LOCKED NTKERNELAPI NTSTATUS NTAPI FsRtlFastUnlockSingle ( IN PFILE_LOCK FileLock, IN PFILE_OBJECT FileObject, IN PLARGE_INTEGER FileOffset, IN PLARGE_INTEGER Length, IN PEPROCESS Process, IN ULONG Key, IN PVOID Context OPTIONAL, IN BOOLEAN AlreadySynchronized ); //ret: STATUS_RANGE_NOT_LOCKED NTKERNELAPI BOOLEAN NTAPI FsRtlFindInTunnelCache ( IN PTUNNEL Cache, IN ULONGLONG DirectoryKey, IN PUNICODE_STRING Name, OUT PUNICODE_STRING ShortName, OUT PUNICODE_STRING LongName, IN OUT PULONG DataLength, OUT PVOID Data ); #if (VER_PRODUCTBUILD >= 2195) NTKERNELAPI VOID NTAPI FsRtlFreeFileLock ( IN PFILE_LOCK FileLock ); #endif // (VER_PRODUCTBUILD >= 2195) NTKERNELAPI NTSTATUS NTAPI FsRtlGetFileSize ( IN PFILE_OBJECT FileObject, IN OUT PLARGE_INTEGER FileSize ); /* FsRtlGetNextFileLock: ret: NULL if no more locks Internals: FsRtlGetNextFileLock uses FileLock->LastReturnedLockInfo and FileLock->LastReturnedLock as storage. LastReturnedLock is a pointer to the 'raw' lock inkl. double linked list, and FsRtlGetNextFileLock needs this to get next lock on subsequent calls with Restart = FALSE. */ NTKERNELAPI PFILE_LOCK_INFO NTAPI FsRtlGetNextFileLock ( IN PFILE_LOCK FileLock, IN BOOLEAN Restart ); NTKERNELAPI VOID NTAPI FsRtlInitializeFileLock ( IN PFILE_LOCK FileLock, IN PCOMPLETE_LOCK_IRP_ROUTINE CompleteLockIrpRoutine OPTIONAL, IN PUNLOCK_ROUTINE UnlockRoutine OPTIONAL ); NTKERNELAPI VOID NTAPI FsRtlInitializeOplock ( IN OUT POPLOCK Oplock ); NTKERNELAPI VOID NTAPI FsRtlInitializeTunnelCache ( IN PTUNNEL Cache ); NTKERNELAPI BOOLEAN NTAPI FsRtlIsNameInExpression ( IN PUNICODE_STRING Expression, IN PUNICODE_STRING Name, IN BOOLEAN IgnoreCase, IN PWCHAR UpcaseTable OPTIONAL ); NTKERNELAPI BOOLEAN NTAPI FsRtlIsNtstatusExpected ( IN NTSTATUS Ntstatus ); #define FsRtlIsUnicodeCharacterWild(C) ( \ (((C) >= 0x40) ? \ FALSE : \ FlagOn((*FsRtlLegalAnsiCharacterArray)[(C)], FSRTL_WILD_CHARACTER )) \ ) NTKERNELAPI BOOLEAN NTAPI FsRtlMdlReadComplete ( IN PFILE_OBJECT FileObject, IN PMDL MdlChain ); NTKERNELAPI BOOLEAN NTAPI FsRtlMdlReadCompleteDev ( IN PFILE_OBJECT FileObject, IN PMDL MdlChain, IN PDEVICE_OBJECT DeviceObject ); NTKERNELAPI BOOLEAN NTAPI FsRtlMdlWriteComplete ( IN PFILE_OBJECT FileObject, IN PLARGE_INTEGER FileOffset, IN PMDL MdlChain ); NTKERNELAPI BOOLEAN NTAPI FsRtlMdlWriteCompleteDev ( IN PFILE_OBJECT FileObject, IN PLARGE_INTEGER FileOffset, IN PMDL MdlChain, IN PDEVICE_OBJECT DeviceObject ); NTKERNELAPI NTSTATUS NTAPI FsRtlNormalizeNtstatus ( IN NTSTATUS Exception, IN NTSTATUS GenericException ); NTKERNELAPI VOID NTAPI FsRtlNotifyChangeDirectory ( IN PNOTIFY_SYNC NotifySync, IN PVOID FsContext, IN PSTRING FullDirectoryName, IN PLIST_ENTRY NotifyList, IN BOOLEAN WatchTree, IN ULONG CompletionFilter, IN PIRP NotifyIrp ); NTKERNELAPI VOID NTAPI FsRtlNotifyCleanup ( IN PNOTIFY_SYNC NotifySync, IN PLIST_ENTRY NotifyList, IN PVOID FsContext ); typedef BOOLEAN (*PCHECK_FOR_TRAVERSE_ACCESS) ( IN PVOID NotifyContext, IN PVOID TargetContext, IN PSECURITY_SUBJECT_CONTEXT SubjectContext ); NTKERNELAPI VOID NTAPI FsRtlNotifyFullChangeDirectory ( IN PNOTIFY_SYNC NotifySync, IN PLIST_ENTRY NotifyList, IN PVOID FsContext, IN PSTRING FullDirectoryName, IN BOOLEAN WatchTree, IN BOOLEAN IgnoreBuffer, IN ULONG CompletionFilter, IN PIRP NotifyIrp, IN PCHECK_FOR_TRAVERSE_ACCESS TraverseCallback OPTIONAL, IN PSECURITY_SUBJECT_CONTEXT SubjectContext OPTIONAL ); NTKERNELAPI VOID NTAPI FsRtlNotifyFullReportChange ( IN PNOTIFY_SYNC NotifySync, IN PLIST_ENTRY NotifyList, IN PSTRING FullTargetName, IN USHORT TargetNameOffset, IN PSTRING StreamName OPTIONAL, IN PSTRING NormalizedParentName OPTIONAL, IN ULONG FilterMatch, IN ULONG Action, IN PVOID TargetContext ); NTKERNELAPI VOID NTAPI FsRtlNotifyInitializeSync ( IN PNOTIFY_SYNC NotifySync ); NTKERNELAPI VOID NTAPI FsRtlNotifyReportChange ( IN PNOTIFY_SYNC NotifySync, IN PLIST_ENTRY NotifyList, IN PSTRING FullTargetName, IN PUSHORT FileNamePartLength, IN ULONG FilterMatch ); NTKERNELAPI VOID NTAPI FsRtlNotifyUninitializeSync ( IN PNOTIFY_SYNC NotifySync ); #if (VER_PRODUCTBUILD >= 2195) NTKERNELAPI NTSTATUS NTAPI FsRtlNotifyVolumeEvent ( IN PFILE_OBJECT FileObject, IN ULONG EventCode ); #endif // (VER_PRODUCTBUILD >= 2195) NTKERNELAPI NTSTATUS NTAPI FsRtlOplockFsctrl ( IN POPLOCK Oplock, IN PIRP Irp, IN ULONG OpenCount ); NTKERNELAPI BOOLEAN NTAPI FsRtlOplockIsFastIoPossible ( IN POPLOCK Oplock ); /* FsRtlPrivateLock: ret: IoStatus->Status: STATUS_PENDING, STATUS_LOCK_NOT_GRANTED Internals: -Calls IoCompleteRequest if Irp -Uses exception handling / ExRaiseStatus with STATUS_INSUFFICIENT_RESOURCES */ NTKERNELAPI BOOLEAN NTAPI FsRtlPrivateLock ( IN PFILE_LOCK FileLock, IN PFILE_OBJECT FileObject, IN PLARGE_INTEGER FileOffset, IN PLARGE_INTEGER Length, IN PEPROCESS Process, IN ULONG Key, IN BOOLEAN FailImmediately, IN BOOLEAN ExclusiveLock, OUT PIO_STATUS_BLOCK IoStatus, IN PIRP Irp OPTIONAL, IN PVOID Context, IN BOOLEAN AlreadySynchronized ); /* FsRtlProcessFileLock: ret: -STATUS_INVALID_DEVICE_REQUEST -STATUS_RANGE_NOT_LOCKED from unlock routines. -STATUS_PENDING, STATUS_LOCK_NOT_GRANTED from FsRtlPrivateLock (redirected IoStatus->Status). Internals: -switch ( Irp->CurrentStackLocation->MinorFunction ) lock: return FsRtlPrivateLock; unlocksingle: return FsRtlFastUnlockSingle; unlockall: return FsRtlFastUnlockAll; unlockallbykey: return FsRtlFastUnlockAllByKey; default: IofCompleteRequest with STATUS_INVALID_DEVICE_REQUEST; return STATUS_INVALID_DEVICE_REQUEST; -'AllwaysZero' is passed thru as 'AllwaysZero' to lock / unlock routines. -'Irp' is passet thru as 'Irp' to FsRtlPrivateLock. */ NTKERNELAPI NTSTATUS NTAPI FsRtlProcessFileLock ( IN PFILE_LOCK FileLock, IN PIRP Irp, IN PVOID Context OPTIONAL ); NTKERNELAPI NTSTATUS NTAPI FsRtlRegisterUncProvider ( IN OUT PHANDLE MupHandle, IN PUNICODE_STRING RedirectorDeviceName, IN BOOLEAN MailslotsSupported ); NTKERNELAPI VOID NTAPI FsRtlUninitializeFileLock ( IN PFILE_LOCK FileLock ); NTKERNELAPI VOID NTAPI FsRtlUninitializeOplock ( IN OUT POPLOCK Oplock ); NTSYSAPI VOID NTAPI HalDisplayString ( IN PCHAR String ); NTSYSAPI VOID NTAPI HalQueryRealTimeClock ( IN OUT PTIME_FIELDS TimeFields ); NTSYSAPI VOID NTAPI HalSetRealTimeClock ( IN PTIME_FIELDS TimeFields ); #define InitializeMessageHeader(m, l, t) { \ (m)->Length = (USHORT)(l); \ (m)->DataLength = (USHORT)(l - sizeof( LPC_MESSAGE )); \ (m)->MessageType = (USHORT)(t); \ (m)->DataInfoOffset = 0; \ } NTKERNELAPI VOID NTAPI IoAcquireVpbSpinLock ( OUT PKIRQL Irql ); NTKERNELAPI NTSTATUS NTAPI IoCheckDesiredAccess ( IN OUT PACCESS_MASK DesiredAccess, IN ACCESS_MASK GrantedAccess ); NTKERNELAPI NTSTATUS NTAPI IoCheckEaBufferValidity ( IN PFILE_FULL_EA_INFORMATION EaBuffer, IN ULONG EaLength, OUT PULONG ErrorOffset ); NTKERNELAPI NTSTATUS NTAPI IoCheckFunctionAccess ( IN ACCESS_MASK GrantedAccess, IN UCHAR MajorFunction, IN UCHAR MinorFunction, IN ULONG IoControlCode, IN PFILE_INFORMATION_CLASS FileInformationClass OPTIONAL, IN PFS_INFORMATION_CLASS FsInformationClass OPTIONAL ); #if (VER_PRODUCTBUILD >= 2195) NTKERNELAPI NTSTATUS NTAPI IoCheckQuotaBufferValidity ( IN PFILE_QUOTA_INFORMATION QuotaBuffer, IN ULONG QuotaLength, OUT PULONG ErrorOffset ); #endif // (VER_PRODUCTBUILD >= 2195) NTKERNELAPI PFILE_OBJECT NTAPI IoCreateStreamFileObject ( IN PFILE_OBJECT FileObject OPTIONAL, IN PDEVICE_OBJECT DeviceObject OPTIONAL ); #if (VER_PRODUCTBUILD >= 2195) NTKERNELAPI PFILE_OBJECT NTAPI IoCreateStreamFileObjectLite ( IN PFILE_OBJECT FileObject OPTIONAL, IN PDEVICE_OBJECT DeviceObject OPTIONAL ); #endif // (VER_PRODUCTBUILD >= 2195) NTKERNELAPI BOOLEAN NTAPI IoFastQueryNetworkAttributes ( IN POBJECT_ATTRIBUTES ObjectAttributes, IN ACCESS_MASK DesiredAccess, IN ULONG OpenOptions, OUT PIO_STATUS_BLOCK IoStatus, OUT PFILE_NETWORK_OPEN_INFORMATION Buffer ); NTKERNELAPI PDEVICE_OBJECT NTAPI IoGetAttachedDevice ( IN PDEVICE_OBJECT DeviceObject ); NTKERNELAPI PDEVICE_OBJECT NTAPI IoGetBaseFileSystemDeviceObject ( IN PFILE_OBJECT FileObject ); NTKERNELAPI PEPROCESS NTAPI IoGetRequestorProcess ( IN PIRP Irp ); #if (VER_PRODUCTBUILD >= 2195) NTKERNELAPI ULONG NTAPI IoGetRequestorProcessId ( IN PIRP Irp ); #endif // (VER_PRODUCTBUILD >= 2195) NTKERNELAPI PIRP NTAPI IoGetTopLevelIrp ( VOID ); #define IoIsFileOpenedExclusively(FileObject) ( \ (BOOLEAN) !( \ (FileObject)->SharedRead || \ (FileObject)->SharedWrite || \ (FileObject)->SharedDelete \ ) \ ) NTKERNELAPI BOOLEAN NTAPI IoIsOperationSynchronous ( IN PIRP Irp ); NTKERNELAPI BOOLEAN NTAPI IoIsSystemThread ( IN PETHREAD Thread ); #if (VER_PRODUCTBUILD >= 2195) NTKERNELAPI BOOLEAN NTAPI IoIsValidNameGraftingBuffer ( IN PIRP Irp, IN PREPARSE_DATA_BUFFER ReparseBuffer ); #endif // (VER_PRODUCTBUILD >= 2195) NTKERNELAPI NTSTATUS NTAPI IoPageRead ( IN PFILE_OBJECT FileObject, IN PMDL Mdl, IN PLARGE_INTEGER Offset, IN PKEVENT Event, OUT PIO_STATUS_BLOCK IoStatusBlock ); NTKERNELAPI NTSTATUS NTAPI IoQueryFileInformation ( IN PFILE_OBJECT FileObject, IN FILE_INFORMATION_CLASS FileInformationClass, IN ULONG Length, OUT PVOID FileInformation, OUT PULONG ReturnedLength ); NTKERNELAPI NTSTATUS NTAPI IoQueryVolumeInformation ( IN PFILE_OBJECT FileObject, IN FS_INFORMATION_CLASS FsInformationClass, IN ULONG Length, OUT PVOID FsInformation, OUT PULONG ReturnedLength ); NTKERNELAPI VOID NTAPI IoRegisterFileSystem ( IN OUT PDEVICE_OBJECT DeviceObject ); #if (VER_PRODUCTBUILD >= 1381) typedef VOID (NTAPI *PDRIVER_FS_NOTIFICATION) ( IN PDEVICE_OBJECT DeviceObject, IN BOOLEAN DriverActive ); NTKERNELAPI NTSTATUS NTAPI IoRegisterFsRegistrationChange ( IN PDRIVER_OBJECT DriverObject, IN PDRIVER_FS_NOTIFICATION DriverNotificationRoutine ); #endif // (VER_PRODUCTBUILD >= 1381) NTKERNELAPI VOID NTAPI IoReleaseVpbSpinLock ( IN KIRQL Irql ); NTKERNELAPI VOID NTAPI IoSetDeviceToVerify ( IN PETHREAD Thread, IN PDEVICE_OBJECT DeviceObject ); NTKERNELAPI NTSTATUS NTAPI IoSetInformation ( IN PFILE_OBJECT FileObject, IN FILE_INFORMATION_CLASS FileInformationClass, IN ULONG Length, IN PVOID FileInformation ); NTKERNELAPI VOID NTAPI IoSetTopLevelIrp ( IN PIRP Irp ); NTKERNELAPI NTSTATUS NTAPI IoSynchronousPageWrite ( IN PFILE_OBJECT FileObject, IN PMDL Mdl, IN PLARGE_INTEGER FileOffset, IN PKEVENT Event, OUT PIO_STATUS_BLOCK IoStatusBlock ); NTKERNELAPI PEPROCESS NTAPI IoThreadToProcess ( IN PETHREAD Thread ); NTKERNELAPI VOID NTAPI IoUnregisterFileSystem ( IN OUT PDEVICE_OBJECT DeviceObject ); #if (VER_PRODUCTBUILD >= 1381) NTKERNELAPI NTSTATUS NTAPI IoUnregisterFsRegistrationChange ( IN PDRIVER_OBJECT DriverObject, IN PDRIVER_FS_NOTIFICATION DriverNotificationRoutine ); #endif // (VER_PRODUCTBUILD >= 1381) NTKERNELAPI NTSTATUS NTAPI IoVerifyVolume ( IN PDEVICE_OBJECT DeviceObject, IN BOOLEAN AllowRawMount ); NTKERNELAPI VOID NTAPI KeAttachProcess ( IN PEPROCESS Process ); NTKERNELAPI VOID NTAPI KeDetachProcess ( VOID ); NTKERNELAPI VOID NTAPI KeInitializeQueue ( IN PRKQUEUE Queue, IN ULONG Count OPTIONAL ); NTKERNELAPI LONG NTAPI KeInsertHeadQueue ( IN PRKQUEUE Queue, IN PLIST_ENTRY Entry ); NTKERNELAPI LONG NTAPI KeInsertQueue ( IN PRKQUEUE Queue, IN PLIST_ENTRY Entry ); NTKERNELAPI VOID NTAPI KeInsertQueueApc ( IN PKAPC Apc, IN PVOID SystemArgument1, IN PVOID SystemArgument2, UCHAR Unknown ); NTKERNELAPI LONG NTAPI KeReadStateQueue ( IN PRKQUEUE Queue ); NTKERNELAPI PLIST_ENTRY NTAPI KeRemoveQueue ( IN PRKQUEUE Queue, IN KPROCESSOR_MODE WaitMode, IN PLARGE_INTEGER Timeout OPTIONAL ); NTKERNELAPI PLIST_ENTRY NTAPI KeRundownQueue ( IN PRKQUEUE Queue ); #if (VER_PRODUCTBUILD >= 2195) NTKERNELAPI VOID NTAPI KeStackAttachProcess ( IN PKPROCESS Process, OUT PKAPC_STATE ApcState ); NTKERNELAPI VOID NTAPI KeUnstackDetachProcess ( IN PKAPC_STATE ApcState ); #endif // (VER_PRODUCTBUILD >= 2195) NTKERNELAPI BOOLEAN NTAPI MmCanFileBeTruncated ( IN PSECTION_OBJECT_POINTERS SectionObjectPointer, IN PLARGE_INTEGER NewFileSize ); NTKERNELAPI BOOLEAN NTAPI MmFlushImageSection ( IN PSECTION_OBJECT_POINTERS SectionObjectPointer, IN MMFLUSH_TYPE FlushType ); NTKERNELAPI BOOLEAN NTAPI MmForceSectionClosed ( IN PSECTION_OBJECT_POINTERS SectionObjectPointer, IN BOOLEAN DelayClose ); #if (VER_PRODUCTBUILD >= 1381) NTKERNELAPI BOOLEAN NTAPI MmIsRecursiveIoFault ( VOID ); #else #define MmIsRecursiveIoFault() ( \ (PsGetCurrentThread()->DisablePageFaultClustering) | \ (PsGetCurrentThread()->ForwardClusterOnly) \ ) #endif NTKERNELAPI NTSTATUS NTAPI MmMapViewOfSection ( IN PVOID SectionObject, IN PEPROCESS Process, IN OUT PVOID *BaseAddress, IN ULONG ZeroBits, IN ULONG CommitSize, IN OUT PLARGE_INTEGER SectionOffset OPTIONAL, IN OUT PULONG ViewSize, IN SECTION_INHERIT InheritDisposition, IN ULONG AllocationType, IN ULONG Protect ); NTKERNELAPI BOOLEAN NTAPI MmSetAddressRangeModified ( IN PVOID Address, IN ULONG Length ); NTKERNELAPI NTSTATUS NTAPI ObCreateObject ( IN KPROCESSOR_MODE ObjectAttributesAccessMode OPTIONAL, IN POBJECT_TYPE ObjectType, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN KPROCESSOR_MODE AccessMode, IN OUT PVOID ParseContext OPTIONAL, IN ULONG ObjectSize, IN ULONG PagedPoolCharge OPTIONAL, IN ULONG NonPagedPoolCharge OPTIONAL, OUT PVOID *Object ); NTKERNELAPI ULONG NTAPI ObGetObjectPointerCount ( IN PVOID Object ); NTKERNELAPI NTSTATUS NTAPI ObInsertObject ( IN PVOID Object, IN PACCESS_STATE PassedAccessState OPTIONAL, IN ACCESS_MASK DesiredAccess, IN ULONG AdditionalReferences, OUT PVOID *ReferencedObject OPTIONAL, OUT PHANDLE Handle ); NTKERNELAPI VOID NTAPI ObMakeTemporaryObject ( IN PVOID Object ); NTKERNELAPI NTSTATUS NTAPI ObOpenObjectByPointer ( IN PVOID Object, IN ULONG HandleAttributes, IN PACCESS_STATE PassedAccessState OPTIONAL, IN ACCESS_MASK DesiredAccess OPTIONAL, IN POBJECT_TYPE ObjectType OPTIONAL, IN KPROCESSOR_MODE AccessMode, OUT PHANDLE Handle ); NTKERNELAPI NTSTATUS NTAPI ObQueryNameString ( IN PVOID Object, OUT POBJECT_NAME_INFORMATION ObjectNameInfo, IN ULONG Length, OUT PULONG ReturnLength ); NTKERNELAPI NTSTATUS NTAPI ObQueryObjectAuditingByHandle ( IN HANDLE Handle, OUT PBOOLEAN GenerateOnClose ); NTKERNELAPI NTSTATUS NTAPI ObReferenceObjectByName ( IN PUNICODE_STRING ObjectName, IN ULONG Attributes, IN PACCESS_STATE PassedAccessState OPTIONAL, IN ACCESS_MASK DesiredAccess OPTIONAL, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, IN OUT PVOID ParseContext OPTIONAL, OUT PVOID *Object ); NTKERNELAPI VOID NTAPI PsChargePoolQuota ( IN PEPROCESS Process, IN POOL_TYPE PoolType, IN ULONG Amount ); #define PsDereferenceImpersonationToken(T) \ {if (ARGUMENT_PRESENT(T)) { \ (ObDereferenceObject((T))); \ } else { \ ; \ } \ } #define PsDereferencePrimaryToken(T) (ObDereferenceObject((T))) NTKERNELAPI ULONGLONG NTAPI PsGetProcessExitTime ( VOID ); NTKERNELAPI BOOLEAN NTAPI PsIsThreadTerminating ( IN PETHREAD Thread ); NTKERNELAPI NTSTATUS NTAPI PsLookupProcessByProcessId ( IN PVOID ProcessId, OUT PEPROCESS *Process ); NTKERNELAPI NTSTATUS NTAPI PsLookupProcessThreadByCid ( IN PCLIENT_ID Cid, OUT PEPROCESS *Process OPTIONAL, OUT PETHREAD *Thread ); NTKERNELAPI NTSTATUS NTAPI PsLookupThreadByThreadId ( IN PVOID UniqueThreadId, OUT PETHREAD *Thread ); NTKERNELAPI PACCESS_TOKEN NTAPI PsReferenceImpersonationToken ( IN PETHREAD Thread, OUT PBOOLEAN CopyOnUse, OUT PBOOLEAN EffectiveOnly, OUT PSECURITY_IMPERSONATION_LEVEL Level ); NTKERNELAPI HANDLE NTAPI PsReferencePrimaryToken ( IN PEPROCESS Process ); NTKERNELAPI VOID NTAPI PsReturnPoolQuota ( IN PEPROCESS Process, IN POOL_TYPE PoolType, IN ULONG Amount ); NTKERNELAPI VOID NTAPI PsRevertToSelf ( VOID ); NTSYSAPI NTSTATUS NTAPI RtlAbsoluteToSelfRelativeSD ( IN PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor, IN OUT PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor, IN PULONG BufferLength ); NTSYSAPI PVOID NTAPI RtlAllocateHeap ( IN HANDLE HeapHandle, IN ULONG Flags, IN ULONG Size ); NTSYSAPI NTSTATUS NTAPI RtlCompressBuffer ( IN USHORT CompressionFormatAndEngine, IN PUCHAR UncompressedBuffer, IN ULONG UncompressedBufferSize, OUT PUCHAR CompressedBuffer, IN ULONG CompressedBufferSize, IN ULONG UncompressedChunkSize, OUT PULONG FinalCompressedSize, IN PVOID WorkSpace ); NTSYSAPI NTSTATUS NTAPI RtlCompressChunks ( IN PUCHAR UncompressedBuffer, IN ULONG UncompressedBufferSize, OUT PUCHAR CompressedBuffer, IN ULONG CompressedBufferSize, IN OUT PCOMPRESSED_DATA_INFO CompressedDataInfo, IN ULONG CompressedDataInfoLength, IN PVOID WorkSpace ); NTSYSAPI NTSTATUS NTAPI RtlConvertSidToUnicodeString ( OUT PUNICODE_STRING DestinationString, IN PSID Sid, IN BOOLEAN AllocateDestinationString ); NTSYSAPI NTSTATUS NTAPI RtlCopySid ( IN ULONG Length, IN PSID Destination, IN PSID Source ); NTSYSAPI NTSTATUS NTAPI RtlDecompressBuffer ( IN USHORT CompressionFormat, OUT PUCHAR UncompressedBuffer, IN ULONG UncompressedBufferSize, IN PUCHAR CompressedBuffer, IN ULONG CompressedBufferSize, OUT PULONG FinalUncompressedSize ); NTSYSAPI NTSTATUS NTAPI RtlDecompressChunks ( OUT PUCHAR UncompressedBuffer, IN ULONG UncompressedBufferSize, IN PUCHAR CompressedBuffer, IN ULONG CompressedBufferSize, IN PUCHAR CompressedTail, IN ULONG CompressedTailSize, IN PCOMPRESSED_DATA_INFO CompressedDataInfo ); NTSYSAPI NTSTATUS NTAPI RtlDecompressFragment ( IN USHORT CompressionFormat, OUT PUCHAR UncompressedFragment, IN ULONG UncompressedFragmentSize, IN PUCHAR CompressedBuffer, IN ULONG CompressedBufferSize, IN ULONG FragmentOffset, OUT PULONG FinalUncompressedSize, IN PVOID WorkSpace ); NTSYSAPI NTSTATUS NTAPI RtlDescribeChunk ( IN USHORT CompressionFormat, IN OUT PUCHAR *CompressedBuffer, IN PUCHAR EndOfCompressedBufferPlus1, OUT PUCHAR *ChunkBuffer, OUT PULONG ChunkSize ); NTSYSAPI BOOLEAN NTAPI RtlEqualSid ( IN PSID Sid1, IN PSID Sid2 ); NTSYSAPI VOID NTAPI RtlFillMemoryUlong ( IN PVOID Destination, IN ULONG Length, IN ULONG Fill ); NTSYSAPI BOOLEAN NTAPI RtlFreeHeap ( IN HANDLE HeapHandle, IN ULONG Flags, IN PVOID P ); NTSYSAPI VOID NTAPI RtlGenerate8dot3Name ( IN PUNICODE_STRING Name, IN BOOLEAN AllowExtendedCharacters, IN OUT PGENERATE_NAME_CONTEXT Context, OUT PUNICODE_STRING Name8dot3 ); NTSYSAPI NTSTATUS NTAPI RtlGetCompressionWorkSpaceSize ( IN USHORT CompressionFormatAndEngine, OUT PULONG CompressBufferWorkSpaceSize, OUT PULONG CompressFragmentWorkSpaceSize ); NTSYSAPI NTSTATUS NTAPI RtlGetDaclSecurityDescriptor ( IN PSECURITY_DESCRIPTOR SecurityDescriptor, OUT PBOOLEAN DaclPresent, OUT PACL *Dacl, OUT PBOOLEAN DaclDefaulted ); NTSYSAPI NTSTATUS NTAPI RtlGetGroupSecurityDescriptor ( IN PSECURITY_DESCRIPTOR SecurityDescriptor, OUT PSID *Group, OUT PBOOLEAN GroupDefaulted ); NTSYSAPI NTSTATUS NTAPI RtlGetOwnerSecurityDescriptor ( IN PSECURITY_DESCRIPTOR SecurityDescriptor, OUT PSID *Owner, OUT PBOOLEAN OwnerDefaulted ); NTSYSAPI NTSTATUS NTAPI RtlInitializeSid ( IN OUT PSID Sid, IN PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, IN UCHAR SubAuthorityCount ); NTSYSAPI BOOLEAN NTAPI RtlIsNameLegalDOS8Dot3 ( IN PUNICODE_STRING UnicodeName, IN PANSI_STRING AnsiName, PBOOLEAN Unknown ); NTSYSAPI ULONG NTAPI RtlLengthRequiredSid ( IN UCHAR SubAuthorityCount ); NTSYSAPI ULONG NTAPI RtlLengthSid ( IN PSID Sid ); NTSYSAPI ULONG NTAPI RtlNtStatusToDosError ( IN NTSTATUS Status ); NTSYSAPI NTSTATUS NTAPI RtlReserveChunk ( IN USHORT CompressionFormat, IN OUT PUCHAR *CompressedBuffer, IN PUCHAR EndOfCompressedBufferPlus1, OUT PUCHAR *ChunkBuffer, IN ULONG ChunkSize ); NTSYSAPI VOID NTAPI RtlSecondsSince1970ToTime ( IN ULONG SecondsSince1970, OUT PLARGE_INTEGER Time ); #if (VER_PRODUCTBUILD >= 2195) NTSYSAPI NTSTATUS NTAPI RtlSelfRelativeToAbsoluteSD ( IN PSECURITY_DESCRIPTOR SelfRelativeSD, OUT PSECURITY_DESCRIPTOR AbsoluteSD, IN PULONG AbsoluteSDSize, IN PACL Dacl, IN PULONG DaclSize, IN PACL Sacl, IN PULONG SaclSize, IN PSID Owner, IN PULONG OwnerSize, IN PSID PrimaryGroup, IN PULONG PrimaryGroupSize ); #endif // (VER_PRODUCTBUILD >= 2195) NTSYSAPI NTSTATUS NTAPI RtlSetGroupSecurityDescriptor ( IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSID Group, IN BOOLEAN GroupDefaulted ); NTSYSAPI NTSTATUS NTAPI RtlSetOwnerSecurityDescriptor ( IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSID Owner, IN BOOLEAN OwnerDefaulted ); NTSYSAPI NTSTATUS NTAPI RtlSetSaclSecurityDescriptor ( IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN BOOLEAN SaclPresent, IN PACL Sacl, IN BOOLEAN SaclDefaulted ); NTSYSAPI PUCHAR NTAPI RtlSubAuthorityCountSid ( IN PSID Sid ); NTSYSAPI PULONG NTAPI RtlSubAuthoritySid ( IN PSID Sid, IN ULONG SubAuthority ); NTSYSAPI BOOLEAN NTAPI RtlValidSid ( IN PSID Sid ); NTKERNELAPI NTSTATUS NTAPI SeAppendPrivileges ( PACCESS_STATE AccessState, PPRIVILEGE_SET Privileges ); NTKERNELAPI BOOLEAN NTAPI SeAuditingFileEvents ( IN BOOLEAN AccessGranted, IN PSECURITY_DESCRIPTOR SecurityDescriptor ); NTKERNELAPI BOOLEAN NTAPI SeAuditingFileOrGlobalEvents ( IN BOOLEAN AccessGranted, IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSECURITY_SUBJECT_CONTEXT SubjectContext ); NTKERNELAPI VOID NTAPI SeCaptureSubjectContext ( OUT PSECURITY_SUBJECT_CONTEXT SubjectContext ); NTKERNELAPI NTSTATUS NTAPI SeCreateAccessState ( OUT PACCESS_STATE AccessState, IN PVOID AuxData, IN ACCESS_MASK AccessMask, IN PGENERIC_MAPPING Mapping ); NTKERNELAPI NTSTATUS NTAPI SeCreateClientSecurity ( IN PETHREAD Thread, IN PSECURITY_QUALITY_OF_SERVICE QualityOfService, IN BOOLEAN RemoteClient, OUT PSECURITY_CLIENT_CONTEXT ClientContext ); #if (VER_PRODUCTBUILD >= 2195) NTKERNELAPI NTSTATUS NTAPI SeCreateClientSecurityFromSubjectContext ( IN PSECURITY_SUBJECT_CONTEXT SubjectContext, IN PSECURITY_QUALITY_OF_SERVICE QualityOfService, IN BOOLEAN ServerIsRemote, OUT PSECURITY_CLIENT_CONTEXT ClientContext ); #endif // (VER_PRODUCTBUILD >= 2195) #define SeDeleteClientSecurity(C) { \ if (SeTokenType((C)->ClientToken) == TokenPrimary) { \ PsDereferencePrimaryToken( (C)->ClientToken ); \ } else { \ PsDereferenceImpersonationToken( (C)->ClientToken ); \ } \ } NTKERNELAPI VOID NTAPI SeDeleteObjectAuditAlarm ( IN PVOID Object, IN HANDLE Handle ); #define SeEnableAccessToExports() SeExports = *(PSE_EXPORTS *)SeExports; NTKERNELAPI VOID NTAPI SeFreePrivileges ( IN PPRIVILEGE_SET Privileges ); NTKERNELAPI VOID NTAPI SeImpersonateClient ( IN PSECURITY_CLIENT_CONTEXT ClientContext, IN PETHREAD ServerThread OPTIONAL ); #if (VER_PRODUCTBUILD >= 2195) NTKERNELAPI NTSTATUS NTAPI SeImpersonateClientEx ( IN PSECURITY_CLIENT_CONTEXT ClientContext, IN PETHREAD ServerThread OPTIONAL ); #endif // (VER_PRODUCTBUILD >= 2195) NTKERNELAPI VOID NTAPI SeLockSubjectContext ( IN PSECURITY_SUBJECT_CONTEXT SubjectContext ); NTKERNELAPI NTSTATUS NTAPI SeMarkLogonSessionForTerminationNotification ( IN PLUID LogonId ); NTKERNELAPI VOID NTAPI SeOpenObjectAuditAlarm ( IN PUNICODE_STRING ObjectTypeName, IN PVOID Object OPTIONAL, IN PUNICODE_STRING AbsoluteObjectName OPTIONAL, IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PACCESS_STATE AccessState, IN BOOLEAN ObjectCreated, IN BOOLEAN AccessGranted, IN KPROCESSOR_MODE AccessMode, OUT PBOOLEAN GenerateOnClose ); NTKERNELAPI VOID NTAPI SeOpenObjectForDeleteAuditAlarm ( IN PUNICODE_STRING ObjectTypeName, IN PVOID Object OPTIONAL, IN PUNICODE_STRING AbsoluteObjectName OPTIONAL, IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN PACCESS_STATE AccessState, IN BOOLEAN ObjectCreated, IN BOOLEAN AccessGranted, IN KPROCESSOR_MODE AccessMode, OUT PBOOLEAN GenerateOnClose ); NTKERNELAPI BOOLEAN NTAPI SePrivilegeCheck ( IN OUT PPRIVILEGE_SET RequiredPrivileges, IN PSECURITY_SUBJECT_CONTEXT SubjectContext, IN KPROCESSOR_MODE AccessMode ); NTKERNELAPI NTSTATUS NTAPI SeQueryAuthenticationIdToken ( IN PACCESS_TOKEN Token, OUT PLUID LogonId ); #if (VER_PRODUCTBUILD >= 2195) NTKERNELAPI NTSTATUS NTAPI SeQueryInformationToken ( IN PACCESS_TOKEN Token, IN TOKEN_INFORMATION_CLASS TokenInformationClass, OUT PVOID *TokenInformation ); #endif // (VER_PRODUCTBUILD >= 2195) NTKERNELAPI NTSTATUS NTAPI SeQuerySecurityDescriptorInfo ( IN PSECURITY_INFORMATION SecurityInformation, OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN OUT PULONG Length, IN PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor ); #if (VER_PRODUCTBUILD >= 2195) NTKERNELAPI NTSTATUS NTAPI SeQuerySessionIdToken ( IN PACCESS_TOKEN Token, IN PULONG SessionId ); #endif // (VER_PRODUCTBUILD >= 2195) #define SeQuerySubjectContextToken( SubjectContext ) \ ( ARGUMENT_PRESENT( \ ((PSECURITY_SUBJECT_CONTEXT) SubjectContext)->ClientToken \ ) ? \ ((PSECURITY_SUBJECT_CONTEXT) SubjectContext)->ClientToken : \ ((PSECURITY_SUBJECT_CONTEXT) SubjectContext)->PrimaryToken ) typedef NTSTATUS (*PSE_LOGON_SESSION_TERMINATED_ROUTINE) ( IN PLUID LogonId ); NTKERNELAPI NTSTATUS NTAPI SeRegisterLogonSessionTerminatedRoutine ( IN PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine ); NTKERNELAPI VOID NTAPI SeReleaseSubjectContext ( IN PSECURITY_SUBJECT_CONTEXT SubjectContext ); NTKERNELAPI VOID NTAPI SeSetAccessStateGenericMapping ( PACCESS_STATE AccessState, PGENERIC_MAPPING GenericMapping ); NTKERNELAPI NTSTATUS NTAPI SeSetSecurityDescriptorInfo ( IN PVOID Object OPTIONAL, IN PSECURITY_INFORMATION SecurityInformation, IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor, IN POOL_TYPE PoolType, IN PGENERIC_MAPPING GenericMapping ); #if (VER_PRODUCTBUILD >= 2195) NTKERNELAPI NTSTATUS NTAPI SeSetSecurityDescriptorInfoEx ( IN PVOID Object OPTIONAL, IN PSECURITY_INFORMATION SecurityInformation, IN PSECURITY_DESCRIPTOR ModificationDescriptor, IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor, IN ULONG AutoInheritFlags, IN POOL_TYPE PoolType, IN PGENERIC_MAPPING GenericMapping ); NTKERNELAPI BOOLEAN NTAPI SeTokenIsAdmin ( IN PACCESS_TOKEN Token ); NTKERNELAPI BOOLEAN NTAPI SeTokenIsRestricted ( IN PACCESS_TOKEN Token ); #endif // (VER_PRODUCTBUILD >= 2195) NTKERNELAPI TOKEN_TYPE NTAPI SeTokenType ( IN PACCESS_TOKEN Token ); NTKERNELAPI VOID NTAPI SeUnlockSubjectContext ( IN PSECURITY_SUBJECT_CONTEXT SubjectContext ); NTKERNELAPI NTSTATUS SeUnregisterLogonSessionTerminatedRoutine ( IN PSE_LOGON_SESSION_TERMINATED_ROUTINE CallbackRoutine ); #if (VER_PRODUCTBUILD >= 2195) NTSYSAPI NTSTATUS NTAPI ZwAdjustPrivilegesToken ( IN HANDLE TokenHandle, IN BOOLEAN DisableAllPrivileges, IN PTOKEN_PRIVILEGES NewState, IN ULONG BufferLength, OUT PTOKEN_PRIVILEGES PreviousState OPTIONAL, OUT PULONG ReturnLength ); #endif // (VER_PRODUCTBUILD >= 2195) NTSYSAPI NTSTATUS NTAPI ZwAlertThread ( IN HANDLE ThreadHandle ); NTSYSAPI NTSTATUS NTAPI ZwAllocateVirtualMemory ( IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress, IN ULONG ZeroBits, IN OUT PULONG RegionSize, IN ULONG AllocationType, IN ULONG Protect ); NTSYSAPI NTSTATUS NTAPI ZwAccessCheckAndAuditAlarm ( IN PUNICODE_STRING SubsystemName, IN PVOID HandleId, IN PUNICODE_STRING ObjectTypeName, IN PUNICODE_STRING ObjectName, IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN ACCESS_MASK DesiredAccess, IN PGENERIC_MAPPING GenericMapping, IN BOOLEAN ObjectCreation, OUT PACCESS_MASK GrantedAccess, OUT PBOOLEAN AccessStatus, OUT PBOOLEAN GenerateOnClose ); #if (VER_PRODUCTBUILD >= 2195) NTSYSAPI NTSTATUS NTAPI ZwCancelIoFile ( IN HANDLE FileHandle, OUT PIO_STATUS_BLOCK IoStatusBlock ); #endif // (VER_PRODUCTBUILD >= 2195) NTSYSAPI NTSTATUS NTAPI ZwClearEvent ( IN HANDLE EventHandle ); NTSYSAPI NTSTATUS NTAPI ZwCloseObjectAuditAlarm ( IN PUNICODE_STRING SubsystemName, IN PVOID HandleId, IN BOOLEAN GenerateOnClose ); NTSYSAPI NTSTATUS NTAPI ZwCreateSection ( OUT PHANDLE SectionHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN PLARGE_INTEGER MaximumSize OPTIONAL, IN ULONG SectionPageProtection, IN ULONG AllocationAttributes, IN HANDLE FileHandle OPTIONAL ); NTSYSAPI NTSTATUS NTAPI ZwCreateSymbolicLinkObject ( OUT PHANDLE SymbolicLinkHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PUNICODE_STRING TargetName ); NTSYSAPI NTSTATUS NTAPI ZwDeleteFile ( IN POBJECT_ATTRIBUTES ObjectAttributes ); NTSYSAPI NTSTATUS NTAPI ZwDeleteValueKey ( IN HANDLE Handle, IN PUNICODE_STRING Name ); NTSYSAPI NTSTATUS NTAPI ZwDeviceIoControlFile ( IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG IoControlCode, IN PVOID InputBuffer OPTIONAL, IN ULONG InputBufferLength, OUT PVOID OutputBuffer OPTIONAL, IN ULONG OutputBufferLength ); NTSYSAPI NTSTATUS NTAPI ZwDisplayString ( IN PUNICODE_STRING String ); NTSYSAPI NTSTATUS NTAPI ZwDuplicateObject ( IN HANDLE SourceProcessHandle, IN HANDLE SourceHandle, IN HANDLE TargetProcessHandle OPTIONAL, OUT PHANDLE TargetHandle OPTIONAL, IN ACCESS_MASK DesiredAccess, IN ULONG HandleAttributes, IN ULONG Options ); NTSYSAPI NTSTATUS NTAPI ZwDuplicateToken ( IN HANDLE ExistingTokenHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN BOOLEAN EffectiveOnly, IN TOKEN_TYPE TokenType, OUT PHANDLE NewTokenHandle ); NTSYSAPI NTSTATUS NTAPI ZwFlushInstructionCache ( IN HANDLE ProcessHandle, IN PVOID BaseAddress OPTIONAL, IN ULONG FlushSize ); #if (VER_PRODUCTBUILD >= 2195) NTSYSAPI NTSTATUS NTAPI ZwFlushVirtualMemory ( IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress, IN OUT PULONG FlushSize, OUT PIO_STATUS_BLOCK IoStatusBlock ); #endif // (VER_PRODUCTBUILD >= 2195) NTSYSAPI NTSTATUS NTAPI ZwFreeVirtualMemory ( IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress, IN OUT PULONG RegionSize, IN ULONG FreeType ); NTSYSAPI NTSTATUS NTAPI ZwFsControlFile ( IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG FsControlCode, IN PVOID InputBuffer OPTIONAL, IN ULONG InputBufferLength, OUT PVOID OutputBuffer OPTIONAL, IN ULONG OutputBufferLength ); #if (VER_PRODUCTBUILD >= 2195) NTSYSAPI NTSTATUS NTAPI ZwInitiatePowerAction ( IN POWER_ACTION SystemAction, IN SYSTEM_POWER_STATE MinSystemState, IN ULONG Flags, IN BOOLEAN Asynchronous ); #endif // (VER_PRODUCTBUILD >= 2195) NTSYSAPI NTSTATUS NTAPI ZwLoadDriver ( // "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\<DriverName>" IN PUNICODE_STRING RegistryPath ); NTSYSAPI NTSTATUS NTAPI ZwLoadKey ( IN POBJECT_ATTRIBUTES KeyObjectAttributes, IN POBJECT_ATTRIBUTES FileObjectAttributes ); NTSYSAPI NTSTATUS NTAPI ZwNotifyChangeKey ( IN HANDLE KeyHandle, IN HANDLE EventHandle OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG NotifyFilter, IN BOOLEAN WatchSubtree, IN PVOID Buffer, IN ULONG BufferLength, IN BOOLEAN Asynchronous ); NTSYSAPI NTSTATUS NTAPI ZwOpenDirectoryObject ( OUT PHANDLE DirectoryHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes ); NTSYSAPI NTSTATUS NTAPI ZwOpenEvent ( OUT PHANDLE EventHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes ); NTSYSAPI NTSTATUS NTAPI ZwOpenProcess ( OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL ); NTSYSAPI NTSTATUS NTAPI ZwOpenProcessToken ( IN HANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, OUT PHANDLE TokenHandle ); NTSYSAPI NTSTATUS NTAPI ZwOpenThread ( OUT PHANDLE ThreadHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId ); NTSYSAPI NTSTATUS NTAPI ZwOpenThreadToken ( IN HANDLE ThreadHandle, IN ACCESS_MASK DesiredAccess, IN BOOLEAN OpenAsSelf, OUT PHANDLE TokenHandle ); #if (VER_PRODUCTBUILD >= 2195) NTSYSAPI NTSTATUS NTAPI ZwPowerInformation ( IN POWER_INFORMATION_LEVEL PowerInformationLevel, IN PVOID InputBuffer OPTIONAL, IN ULONG InputBufferLength, OUT PVOID OutputBuffer OPTIONAL, IN ULONG OutputBufferLength ); #endif // (VER_PRODUCTBUILD >= 2195) NTSYSAPI NTSTATUS NTAPI ZwPulseEvent ( IN HANDLE EventHandle, OUT PULONG PreviousState OPTIONAL ); NTSYSAPI NTSTATUS NTAPI ZwQueryDefaultLocale ( IN BOOLEAN ThreadOrSystem, OUT PLCID Locale ); NTSYSAPI NTSTATUS NTAPI ZwQueryDirectoryFile ( IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, OUT PVOID FileInformation, IN ULONG Length, IN FILE_INFORMATION_CLASS FileInformationClass, IN BOOLEAN ReturnSingleEntry, IN PUNICODE_STRING FileName OPTIONAL, IN BOOLEAN RestartScan ); #if (VER_PRODUCTBUILD >= 2195) NTSYSAPI NTSTATUS NTAPI ZwQueryDirectoryObject ( IN HANDLE DirectoryHandle, OUT PVOID Buffer, IN ULONG Length, IN BOOLEAN ReturnSingleEntry, IN BOOLEAN RestartScan, IN OUT PULONG Context, OUT PULONG ReturnLength OPTIONAL ); NTSYSAPI NTSTATUS NTAPI ZwQueryEaFile ( IN HANDLE FileHandle, OUT PIO_STATUS_BLOCK IoStatusBlock, OUT PVOID Buffer, IN ULONG Length, IN BOOLEAN ReturnSingleEntry, IN PVOID EaList OPTIONAL, IN ULONG EaListLength, IN PULONG EaIndex OPTIONAL, IN BOOLEAN RestartScan ); #endif // (VER_PRODUCTBUILD >= 2195) NTSYSAPI NTSTATUS NTAPI ZwQueryInformationProcess ( IN HANDLE ProcessHandle, IN PROCESSINFOCLASS ProcessInformationClass, OUT PVOID ProcessInformation, IN ULONG ProcessInformationLength, OUT PULONG ReturnLength OPTIONAL ); NTSYSAPI NTSTATUS NTAPI ZwQueryInformationToken ( IN HANDLE TokenHandle, IN TOKEN_INFORMATION_CLASS TokenInformationClass, OUT PVOID TokenInformation, IN ULONG Length, OUT PULONG ResultLength ); NTSYSAPI NTSTATUS NTAPI ZwQueryObject ( IN HANDLE ObjectHandle, IN OBJECT_INFO_CLASS ObjectInformationClass, OUT PVOID ObjectInformation, IN ULONG Length, OUT PULONG ResultLength ); NTSYSAPI NTSTATUS NTAPI ZwQuerySection ( IN HANDLE SectionHandle, IN SECTION_INFORMATION_CLASS SectionInformationClass, OUT PVOID SectionInformation, IN ULONG SectionInformationLength, OUT PULONG ResultLength OPTIONAL ); NTSYSAPI NTSTATUS NTAPI ZwQuerySecurityObject ( IN HANDLE FileHandle, IN SECURITY_INFORMATION SecurityInformation, OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN ULONG Length, OUT PULONG ResultLength ); NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation ( IN SYSTEM_INFORMATION_CLASS SystemInformationClass, OUT PVOID SystemInformation, IN ULONG Length, OUT PULONG ReturnLength ); NTSYSAPI NTSTATUS NTAPI ZwQueryVolumeInformationFile ( IN HANDLE FileHandle, OUT PIO_STATUS_BLOCK IoStatusBlock, OUT PVOID FsInformation, IN ULONG Length, IN FS_INFORMATION_CLASS FsInformationClass ); NTSYSAPI NTSTATUS NTAPI ZwReplaceKey ( IN POBJECT_ATTRIBUTES NewFileObjectAttributes, IN HANDLE KeyHandle, IN POBJECT_ATTRIBUTES OldFileObjectAttributes ); NTSYSAPI NTSTATUS NTAPI ZwResetEvent ( IN HANDLE EventHandle, OUT PULONG PreviousState OPTIONAL ); #if (VER_PRODUCTBUILD >= 2195) NTSYSAPI NTSTATUS NTAPI ZwRestoreKey ( IN HANDLE KeyHandle, IN HANDLE FileHandle, IN ULONG Flags ); #endif // (VER_PRODUCTBUILD >= 2195) NTSYSAPI NTSTATUS NTAPI ZwSaveKey ( IN HANDLE KeyHandle, IN HANDLE FileHandle ); NTSYSAPI NTSTATUS NTAPI ZwSetDefaultLocale ( IN BOOLEAN ThreadOrSystem, IN LCID Locale ); #if (VER_PRODUCTBUILD >= 2195) NTSYSAPI NTSTATUS NTAPI ZwSetDefaultUILanguage ( IN LANGID LanguageId ); NTSYSAPI NTSTATUS NTAPI ZwSetEaFile ( IN HANDLE FileHandle, OUT PIO_STATUS_BLOCK IoStatusBlock, OUT PVOID Buffer, IN ULONG Length ); #endif // (VER_PRODUCTBUILD >= 2195) NTSYSAPI NTSTATUS NTAPI ZwSetEvent ( IN HANDLE EventHandle, OUT PULONG PreviousState OPTIONAL ); NTSYSAPI NTSTATUS NTAPI ZwSetInformationObject ( IN HANDLE ObjectHandle, IN OBJECT_INFO_CLASS ObjectInformationClass, IN PVOID ObjectInformation, IN ULONG ObjectInformationLength ); NTSYSAPI NTSTATUS NTAPI ZwSetInformationProcess ( IN HANDLE ProcessHandle, IN PROCESSINFOCLASS ProcessInformationClass, IN PVOID ProcessInformation, IN ULONG ProcessInformationLength ); #if (VER_PRODUCTBUILD >= 2195) NTSYSAPI NTSTATUS NTAPI ZwSetSecurityObject ( IN HANDLE Handle, IN SECURITY_INFORMATION SecurityInformation, IN PSECURITY_DESCRIPTOR SecurityDescriptor ); #endif // (VER_PRODUCTBUILD >= 2195) NTSYSAPI NTSTATUS NTAPI ZwSetSystemInformation ( IN SYSTEM_INFORMATION_CLASS SystemInformationClass, IN PVOID SystemInformation, IN ULONG Length ); NTSYSAPI NTSTATUS NTAPI ZwSetSystemTime ( IN PLARGE_INTEGER NewTime, OUT PLARGE_INTEGER OldTime OPTIONAL ); #if (VER_PRODUCTBUILD >= 2195) NTSYSAPI NTSTATUS NTAPI ZwSetVolumeInformationFile ( IN HANDLE FileHandle, OUT PIO_STATUS_BLOCK IoStatusBlock, IN PVOID FsInformation, IN ULONG Length, IN FS_INFORMATION_CLASS FsInformationClass ); #endif // (VER_PRODUCTBUILD >= 2195) NTSYSAPI NTSTATUS NTAPI ZwTerminateProcess ( IN HANDLE ProcessHandle OPTIONAL, IN NTSTATUS ExitStatus ); NTSYSAPI NTSTATUS NTAPI ZwUnloadDriver ( // "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\<DriverName>" IN PUNICODE_STRING RegistryPath ); NTSYSAPI NTSTATUS NTAPI ZwUnloadKey ( IN POBJECT_ATTRIBUTES KeyObjectAttributes ); NTSYSAPI NTSTATUS NTAPI ZwWaitForSingleObject ( IN HANDLE Handle, IN BOOLEAN Alertable, IN PLARGE_INTEGER Timeout OPTIONAL ); NTSYSAPI NTSTATUS NTAPI ZwWaitForMultipleObjects ( IN ULONG HandleCount, IN PHANDLE Handles, IN WAIT_TYPE WaitType, IN BOOLEAN Alertable, IN PLARGE_INTEGER Timeout OPTIONAL ); NTSYSAPI NTSTATUS NTAPI ZwYieldExecution ( VOID ); #pragma pack(pop) #ifdef __cplusplus } #endif #endif // _NTIFS_