aboutsummaryrefslogtreecommitdiff
path: root/Application/EfiDSEFix/src/ntdll.h
diff options
context:
space:
mode:
Diffstat (limited to 'Application/EfiDSEFix/src/ntdll.h')
-rw-r--r--Application/EfiDSEFix/src/ntdll.h9918
1 files changed, 9918 insertions, 0 deletions
diff --git a/Application/EfiDSEFix/src/ntdll.h b/Application/EfiDSEFix/src/ntdll.h
new file mode 100644
index 0000000..48da514
--- /dev/null
+++ b/Application/EfiDSEFix/src/ntdll.h
@@ -0,0 +1,9918 @@
+#ifndef _NTDLL_H
+#define _NTDLL_H
+
+#pragma once
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifndef NOMINMAX
+#define NOMINMAX
+#endif
+#ifndef WIN32_LEAN_AND_MEAN
+#define WIN32_LEAN_AND_MEAN
+#endif
+#ifndef WIN32_NO_STATUS
+#define WIN32_NO_STATUS
+#endif
+#include <Windows.h>
+#undef WIN32_NO_STATUS
+#include <intrin.h>
+
+#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
+#define NT_ERROR(Status) ((((ULONG)(Status)) >> 30) == 3)
+
+#define FASTCALL __fastcall
+
+#ifndef _Reserved_
+#define _Reserved_
+#endif
+
+#if defined(__clang__)
+#undef FIELD_OFFSET
+#undef UFIELD_OFFSET
+#define FIELD_OFFSET(type, field) ((LONG)__builtin_offsetof(type, field))
+#define UFIELD_OFFSET(type, field) ((ULONG)__builtin_offsetof(type, field))
+#endif
+
+#define ALIGN_DOWN(length, type) \
+ ((ULONG_PTR)(length) & ~(sizeof(type) - 1))
+
+#define ALIGN_UP(length, type) \
+ (ALIGN_DOWN(((ULONG_PTR)(length) + sizeof(type) - 1), type))
+
+#define MIN(a,b) (((a) < (b)) ? (a) : (b))
+#define MAX(a,b) (((a) > (b)) ? (a) : (b))
+
+typedef _Return_type_success_(return >= 0) LONG NTSTATUS;
+typedef NTSTATUS *PNTSTATUS;
+typedef LONG KPRIORITY, *PKPRIORITY;
+typedef ULONG LOGICAL, *PLOGICAL;
+
+typedef enum _NT_PRODUCT_TYPE
+{
+ NtProductWinNt = 1,
+ NtProductLanManNt,
+ NtProductServer
+} NT_PRODUCT_TYPE, *PNT_PRODUCT_TYPE;
+
+typedef enum _SUITE_TYPE
+{
+ SmallBusiness,
+ Enterprise,
+ BackOffice,
+ CommunicationServer,
+ TerminalServer,
+ SmallBusinessRestricted,
+ EmbeddedNT,
+ DataCenter,
+ SingleUserTS,
+ Personal,
+ Blade,
+ EmbeddedRestricted,
+ SecurityAppliance,
+ StorageServer,
+ ComputeServer,
+ WHServer,
+ PhoneNT,
+ MaxSuiteType
+} SUITE_TYPE;
+
+typedef struct _CLIENT_ID
+{
+ HANDLE UniqueProcess;
+ HANDLE UniqueThread;
+} CLIENT_ID, *PCLIENT_ID;
+
+enum KPROCESSOR_MODE
+{
+ KernelMode,
+ UserMode
+};
+
+typedef enum _KTHREAD_STATE
+{
+ Initialized,
+ Ready,
+ Running,
+ Standby,
+ Terminated,
+ Waiting,
+ Transition,
+ DeferredReady,
+ GateWaitObsolete,
+ WaitingForProcessInSwap,
+ MaximumThreadState
+} KTHREAD_STATE, *PKTHREAD_STATE;
+
+typedef enum _KWAIT_REASON
+{
+ Executive,
+ FreePage,
+ PageIn,
+ PoolAllocation,
+ DelayExecution,
+ Suspended,
+ UserRequest,
+ WrExecutive,
+ WrFreePage,
+ WrPageIn,
+ WrPoolAllocation,
+ WrDelayExecution,
+ WrSuspended,
+ WrUserRequest,
+ WrEventPair,
+ WrQueue,
+ WrLpcReceive,
+ WrLpcReply,
+ WrVirtualMemory,
+ WrPageOut,
+ WrRendezvous,
+ WrKeyedEvent,
+ WrTerminated,
+ WrProcessInSwap,
+ WrCpuRateControl,
+ WrCalloutStack,
+ WrKernel,
+ WrResource,
+ WrPushLock,
+ WrMutex,
+ WrQuantumEnd,
+ WrDispatchInt,
+ WrPreempted,
+ WrYieldExecution,
+ WrFastMutex,
+ WrGuardedMutex,
+ WrRundown,
+ WrAlertByThreadId,
+ WrDeferredPreempt,
+ WrPhysicalFault,
+ MaximumWaitReason
+} KWAIT_REASON;
+
+typedef enum _EVENT_TYPE
+{
+ NotificationEvent,
+ SynchronizationEvent
+} EVENT_TYPE;
+
+typedef enum _TIMER_TYPE
+{
+ NotificationTimer,
+ SynchronizationTimer
+} TIMER_TYPE;
+
+typedef enum _WAIT_TYPE
+{
+ WaitAll,
+ WaitAny,
+ WaitNotification,
+ WaitDequeue
+} WAIT_TYPE;
+
+typedef enum _SECTION_INHERIT {
+ ViewShare = 1,
+ ViewUnmap = 2
+} SECTION_INHERIT;
+
+#define HARDERROR_OVERRIDE_ERRORMODE 0x10000000
+
+typedef enum _HARDERROR_RESPONSE_OPTION
+{
+ OptionAbortRetryIgnore,
+ OptionOk,
+ OptionOkCancel,
+ OptionRetryCancel,
+ OptionYesNo,
+ OptionYesNoCancel,
+ OptionShutdownSystem,
+ OptionOkNoWait,
+ OptionCancelTryContinue
+} HARDERROR_RESPONSE_OPTION, *PHARDERROR_RESPONSE_OPTION;
+
+typedef enum _HARDERROR_RESPONSE
+{
+ ResponseReturnToCaller,
+ ResponseNotHandled,
+ ResponseAbort,
+ ResponseCancel,
+ ResponseIgnore,
+ ResponseNo,
+ ResponseOk,
+ ResponseRetry,
+ ResponseYes,
+ ResponseTryAgain,
+ ResponseContinue
+} HARDERROR_RESPONSE, *PHARDERROR_RESPONSE;
+
+typedef struct _UNICODE_STRING
+{
+ USHORT Length;
+ USHORT MaximumLength;
+ PWSTR Buffer;
+} UNICODE_STRING, *PUNICODE_STRING;
+typedef const UNICODE_STRING *PCUNICODE_STRING;
+
+#define DECLARE_UNICODE_STRING_SIZE(_var, _size) \
+WCHAR _var ## _buffer[_size]; \
+__pragma(warning(push)) \
+__pragma(warning(disable:4221)) __pragma(warning(disable:4204)) \
+UNICODE_STRING _var = { 0, (_size) * sizeof(WCHAR) , _var ## _buffer } \
+__pragma(warning(pop))
+
+#define DECLARE_STATIC_UNICODE_STRING_SIZE(_var, _size) \
+WCHAR _var ## _buffer[_size]; \
+__pragma(warning(push)) \
+__pragma(warning(disable:4221)) __pragma(warning(disable:4204)) \
+static UNICODE_STRING _var = { 0, (_size) * sizeof(WCHAR) , _var ## _buffer } \
+__pragma(warning(pop))
+
+#if defined(__clang__)
+#define RTL_CONSTANT_STRING(s) \
+__pragma(clang diagnostic push) \
+__pragma(clang diagnostic ignored "-Wwritable-strings") \
+{ sizeof(s) - sizeof((s)[0]), sizeof(s), s } \
+__pragma(clang diagnostic pop)
+#else
+#define RTL_CONSTANT_STRING(s) { sizeof(s) - sizeof((s)[0]), sizeof(s), (PWSTR)s }
+#define RTL_CONSTANT_ANSI_STRING(s) { sizeof(s) - sizeof((s)[0]), sizeof(s), (PSTR)s }
+#endif
+
+FORCEINLINE
+VOID
+RtlInitEmptyUnicodeString(
+ _Out_ PUNICODE_STRING UnicodeString,
+ _In_ PWCHAR Buffer,
+ _In_ USHORT BufferSize)
+{
+ UnicodeString->Length = 0;
+ UnicodeString->MaximumLength = BufferSize;
+ UnicodeString->Buffer = Buffer;
+}
+
+typedef struct _STRING
+{
+ USHORT Length;
+ USHORT MaximumLength;
+ PCHAR Buffer;
+} STRING, *PSTRING, ANSI_STRING, *PANSI_STRING, OEM_STRING, *POEM_STRING;
+
+typedef struct _SYSTEM_SESSION_PROCESS_INFORMATION
+{
+ ULONG SessionId;
+ ULONG SizeOfBuf;
+ PVOID Buffer;
+} SYSTEM_SESSION_PROCESS_INFORMATION, *PSYSTEM_SESSION_PROCESS_INFORMATION;
+
+typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION
+{
+ BOOLEAN KernelDebuggerEnabled;
+ BOOLEAN KernelDebuggerNotPresent;
+} SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION;
+
+typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX
+{
+ BOOLEAN DebuggerAllowed;
+ BOOLEAN DebuggerEnabled;
+ BOOLEAN DebuggerPresent;
+} SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION_EX;
+
+typedef struct _LDT_INFORMATION
+{
+ ULONG Start;
+ ULONG Length;
+ LDT_ENTRY LdtEntries[1];
+} PROCESS_LDT_INFORMATION, *PPROCESS_LDT_INFORMATION;
+
+typedef struct _KERNEL_USER_TIMES
+{
+ LARGE_INTEGER CreateTime;
+ LARGE_INTEGER ExitTime;
+ LARGE_INTEGER KernelTime;
+ LARGE_INTEGER UserTime;
+} KERNEL_USER_TIMES, *PKERNEL_USER_TIMES;
+
+typedef struct _SYSTEM_THREAD_INFORMATION
+{
+ LARGE_INTEGER KernelTime;
+ LARGE_INTEGER UserTime;
+ LARGE_INTEGER CreateTime;
+ ULONG WaitTime;
+ PVOID StartAddress;
+ CLIENT_ID ClientId;
+ KPRIORITY Priority;
+ LONG BasePriority;
+ ULONG ContextSwitches;
+ ULONG ThreadState;
+ KWAIT_REASON WaitReason;
+} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;
+
+typedef struct _SYSTEM_PROCESS_INFORMATION
+{
+ ULONG NextEntryOffset;
+ ULONG NumberOfThreads;
+ LARGE_INTEGER WorkingSetPrivateSize; // Since Vista
+ ULONG HardFaultCount; // Since Windows 7
+ ULONG NumberOfThreadsHighWatermark; // Since Windows 7
+ ULONGLONG CycleTime; // Since Windows 7
+ LARGE_INTEGER CreateTime;
+ LARGE_INTEGER UserTime;
+ LARGE_INTEGER KernelTime;
+ UNICODE_STRING ImageName;
+ KPRIORITY BasePriority;
+ HANDLE UniqueProcessId;
+ HANDLE InheritedFromUniqueProcessId;
+ ULONG HandleCount;
+ ULONG SessionId;
+ ULONG_PTR UniqueProcessKey; // Since Vista (requires SystemExtendedProcessInformation)
+ SIZE_T PeakVirtualSize;
+ SIZE_T VirtualSize;
+ ULONG PageFaultCount;
+ SIZE_T PeakWorkingSetSize;
+ SIZE_T WorkingSetSize;
+ SIZE_T QuotaPeakPagedPoolUsage;
+ SIZE_T QuotaPagedPoolUsage;
+ SIZE_T QuotaPeakNonPagedPoolUsage;
+ SIZE_T QuotaNonPagedPoolUsage;
+ SIZE_T PagefileUsage;
+ SIZE_T PeakPagefileUsage;
+ SIZE_T PrivatePageCount;
+ LARGE_INTEGER ReadOperationCount;
+ LARGE_INTEGER WriteOperationCount;
+ LARGE_INTEGER OtherOperationCount;
+ LARGE_INTEGER ReadTransferCount;
+ LARGE_INTEGER WriteTransferCount;
+ LARGE_INTEGER OtherTransferCount;
+ SYSTEM_THREAD_INFORMATION Threads[1]; // SystemProcessInformation
+ // SYSTEM_EXTENDED_THREAD_INFORMATION Threads[1]; // SystemExtendedProcessinformation
+ // SYSTEM_EXTENDED_THREAD_INFORMATION + SYSTEM_PROCESS_INFORMATION_EXTENSION // SystemFullProcessInformation
+} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
+
+typedef struct _PROCESS_SESSION_INFORMATION
+{
+ ULONG SessionId;
+} PROCESS_SESSION_INFORMATION, *PPROCESS_SESSION_INFORMATION;
+
+// File attribute values
+#define FILE_ATTRIBUTE_READONLY 0x00000001
+#define FILE_ATTRIBUTE_HIDDEN 0x00000002
+#define FILE_ATTRIBUTE_SYSTEM 0x00000004
+
+#define FILE_ATTRIBUTE_DIRECTORY 0x00000010
+#define FILE_ATTRIBUTE_ARCHIVE 0x00000020
+#define FILE_ATTRIBUTE_DEVICE 0x00000040
+#define FILE_ATTRIBUTE_NORMAL 0x00000080
+
+#define FILE_ATTRIBUTE_TEMPORARY 0x00000100
+#define FILE_ATTRIBUTE_SPARSE_FILE 0x00000200
+#define FILE_ATTRIBUTE_REPARSE_POINT 0x00000400
+#define FILE_ATTRIBUTE_COMPRESSED 0x00000800
+
+#define FILE_ATTRIBUTE_OFFLINE 0x00001000
+#define FILE_ATTRIBUTE_NOT_CONTENT_INDEXED 0x00002000
+#define FILE_ATTRIBUTE_ENCRYPTED 0x00004000
+
+#define FILE_ATTRIBUTE_INTEGRITY_STREAM 0x00008000
+#define FILE_ATTRIBUTE_VIRTUAL 0x00010000
+#define FILE_ATTRIBUTE_NO_SCRUB_DATA 0x00020000
+
+#define FILE_ATTRIBUTE_EA 0x00040000
+#define FILE_ATTRIBUTE_PINNED 0x00080000
+#define FILE_ATTRIBUTE_UNPINNED 0x00100000
+#define FILE_ATTRIBUTE_RECALL_ON_OPEN 0x00040000
+#define FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS 0x00400000
+
+#if NTDDI_VERSION < NTDDI_WIN8
+#define FILE_ATTRIBUTE_VALID_FLAGS 0x00007fb7
+#define FILE_ATTRIBUTE_VALID_SET_FLAGS 0x000031a7
+#elif NTDDI_VERSION < NTDDI_WIN10_RS2
+#define FILE_ATTRIBUTE_VALID_FLAGS 0x0002ffb7
+#define FILE_ATTRIBUTE_VALID_SET_FLAGS 0x000231a7
+#else
+#define FILE_ATTRIBUTE_VALID_FLAGS 0x005affb7
+#define FILE_ATTRIBUTE_VALID_SET_FLAGS 0x001a31a7
+#endif
+
+// File create disposition values
+#define FILE_SUPERSEDE 0x00000000
+#define FILE_OPEN 0x00000001
+#define FILE_CREATE 0x00000002
+#define FILE_OPEN_IF 0x00000003
+#define FILE_OVERWRITE 0x00000004
+#define FILE_OVERWRITE_IF 0x00000005
+#define FILE_MAXIMUM_DISPOSITION 0x00000005
+
+// File create/open option flags
+#define FILE_DIRECTORY_FILE 0x00000001
+#define FILE_WRITE_THROUGH 0x00000002
+#define FILE_SEQUENTIAL_ONLY 0x00000004
+#define FILE_NO_INTERMEDIATE_BUFFERING 0x00000008
+
+#define FILE_SYNCHRONOUS_IO_ALERT 0x00000010
+#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020
+#define FILE_NON_DIRECTORY_FILE 0x00000040
+#define FILE_CREATE_TREE_CONNECTION 0x00000080
+
+#define FILE_COMPLETE_IF_OPLOCKED 0x00000100
+#define FILE_NO_EA_KNOWLEDGE 0x00000200
+#define FILE_OPEN_FOR_RECOVERY 0x00000400
+#define FILE_RANDOM_ACCESS 0x00000800
+
+#define FILE_DELETE_ON_CLOSE 0x00001000
+#define FILE_OPEN_BY_FILE_ID 0x00002000
+#define FILE_OPEN_FOR_BACKUP_INTENT 0x00004000
+#define FILE_NO_COMPRESSION 0x00008000
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+#define FILE_OPEN_REQUIRING_OPLOCK 0x00010000
+#define FILE_DISALLOW_EXCLUSIVE 0x00020000
+#endif
+#if NTDDI_VERSION >= NTDDI_WIN8
+#define FILE_SESSION_AWARE 0x00040000
+#endif
+
+#define FILE_RESERVE_OPFILTER 0x00100000
+#define FILE_OPEN_REPARSE_POINT 0x00200000
+#define FILE_OPEN_NO_RECALL 0x00400000
+#define FILE_OPEN_FOR_FREE_SPACE_QUERY 0x00800000
+
+#define FILE_VALID_OPTION_FLAGS 0x00ffffff
+#define FILE_VALID_PIPE_OPTION_FLAGS 0x00000032
+#define FILE_VALID_MAILSLOT_OPTION_FLAGS 0x00000032
+#define FILE_VALID_SET_FLAGS 0x00000036
+
+// Named pipe type flags
+#define FILE_PIPE_BYTE_STREAM_TYPE 0x00000000
+#define FILE_PIPE_MESSAGE_TYPE 0x00000001
+#define FILE_PIPE_ACCEPT_REMOTE_CLIENTS 0x00000000
+#define FILE_PIPE_REJECT_REMOTE_CLIENTS 0x00000002
+#define FILE_PIPE_TYPE_VALID_MASK 0x00000003
+
+// Named pipe completion mode flags
+#define FILE_PIPE_QUEUE_OPERATION 0x00000000
+#define FILE_PIPE_COMPLETE_OPERATION 0x00000001
+
+// Named pipe read mode flags
+#define FILE_PIPE_BYTE_STREAM_MODE 0x00000000
+#define FILE_PIPE_MESSAGE_MODE 0x00000001
+
+// NamedPipeConfiguration flags
+#define FILE_PIPE_INBOUND 0x00000000
+#define FILE_PIPE_OUTBOUND 0x00000001
+#define FILE_PIPE_FULL_DUPLEX 0x00000002
+
+// NamedPipeState flags
+#define FILE_PIPE_DISCONNECTED_STATE 0x00000001
+#define FILE_PIPE_LISTENING_STATE 0x00000002
+#define FILE_PIPE_CONNECTED_STATE 0x00000003
+#define FILE_PIPE_CLOSING_STATE 0x00000004
+
+// NamedPipeEnd flags
+#define FILE_PIPE_CLIENT_END 0x00000000
+#define FILE_PIPE_SERVER_END 0x00000001
+
+typedef struct _FILE_BASIC_INFORMATION {
+ LARGE_INTEGER CreationTime;
+ LARGE_INTEGER LastAccessTime;
+ LARGE_INTEGER LastWriteTime;
+ LARGE_INTEGER ChangeTime;
+ ULONG FileAttributes;
+} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION;
+
+typedef struct _FILE_STANDARD_INFORMATION {
+ LARGE_INTEGER AllocationSize;
+ LARGE_INTEGER EndOfFile;
+ ULONG NumberOfLinks;
+ BOOLEAN DeletePending;
+ BOOLEAN Directory;
+} FILE_STANDARD_INFORMATION, *PFILE_STANDARD_INFORMATION;
+
+typedef struct _FILE_POSITION_INFORMATION
+{
+ LARGE_INTEGER CurrentByteOffset;
+} FILE_POSITION_INFORMATION, *PFILE_POSITION_INFORMATION;
+
+// Privileges
+#define SE_MIN_WELL_KNOWN_PRIVILEGE (2L)
+#define SE_CREATE_TOKEN_PRIVILEGE (2L)
+#define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE (3L)
+#define SE_LOCK_MEMORY_PRIVILEGE (4L)
+#define SE_INCREASE_QUOTA_PRIVILEGE (5L)
+#define SE_MACHINE_ACCOUNT_PRIVILEGE (6L)
+#define SE_TCB_PRIVILEGE (7L)
+#define SE_SECURITY_PRIVILEGE (8L)
+#define SE_TAKE_OWNERSHIP_PRIVILEGE (9L)
+#define SE_LOAD_DRIVER_PRIVILEGE (10L)
+#define SE_SYSTEM_PROFILE_PRIVILEGE (11L)
+#define SE_SYSTEMTIME_PRIVILEGE (12L)
+#define SE_PROF_SINGLE_PROCESS_PRIVILEGE (13L)
+#define SE_INC_BASE_PRIORITY_PRIVILEGE (14L)
+#define SE_CREATE_PAGEFILE_PRIVILEGE (15L)
+#define SE_CREATE_PERMANENT_PRIVILEGE (16L)
+#define SE_BACKUP_PRIVILEGE (17L)
+#define SE_RESTORE_PRIVILEGE (18L)
+#define SE_SHUTDOWN_PRIVILEGE (19L)
+#define SE_DEBUG_PRIVILEGE (20L)
+#define SE_AUDIT_PRIVILEGE (21L)
+#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE (22L)
+#define SE_CHANGE_NOTIFY_PRIVILEGE (23L)
+#define SE_REMOTE_SHUTDOWN_PRIVILEGE (24L)
+#define SE_UNDOCK_PRIVILEGE (25L)
+#define SE_SYNC_AGENT_PRIVILEGE (26L)
+#define SE_ENABLE_DELEGATION_PRIVILEGE (27L)
+#define SE_MANAGE_VOLUME_PRIVILEGE (28L)
+#define SE_IMPERSONATE_PRIVILEGE (29L)
+#define SE_CREATE_GLOBAL_PRIVILEGE (30L)
+#define SE_TRUSTED_CREDMAN_ACCESS_PRIVILEGE (31L)
+#define SE_RELABEL_PRIVILEGE (32L)
+#define SE_INC_WORKING_SET_PRIVILEGE (33L)
+#define SE_TIME_ZONE_PRIVILEGE (34L)
+#define SE_CREATE_SYMBOLIC_LINK_PRIVILEGE (35L)
+#define SE_MAX_WELL_KNOWN_PRIVILEGE SE_CREATE_SYMBOLIC_LINK_PRIVILEGE
+
+typedef struct _THREAD_BASIC_INFORMATION
+{
+ NTSTATUS ExitStatus;
+ PVOID TebBaseAddress;
+ CLIENT_ID ClientId;
+ ULONG_PTR AffinityMask;
+ KPRIORITY Priority;
+ LONG BasePriority;
+} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;
+
+typedef struct _MEMORY_REGION_INFORMATION
+{
+ PVOID AllocationBase;
+ ULONG AllocationProtect;
+ union
+ {
+ ULONG RegionType;
+ struct
+ {
+ ULONG Private : 1;
+ ULONG MappedDataFile : 1;
+ ULONG MappedImage : 1;
+ ULONG MappedPageFile : 1;
+ ULONG MappedPhysical : 1;
+ ULONG DirectMapped : 1;
+ ULONG SoftwareEnclave : 1; //REDSTONE3
+ ULONG PageSize64K : 1;
+ ULONG Reserved : 24;
+ } s;
+ } u;
+ SIZE_T RegionSize;
+ SIZE_T CommitSize;
+} MEMORY_REGION_INFORMATION, *PMEMORY_REGION_INFORMATION;
+
+typedef struct _MEMORY_IMAGE_INFORMATION
+{
+ PVOID ImageBase;
+ SIZE_T SizeOfImage;
+ union
+ {
+ ULONG ImageFlags;
+ struct
+ {
+ ULONG ImagePartialMap : 1;
+ ULONG ImageNotExecutable : 1;
+ ULONG ImageSigningLevel : 1; // REDSTONE3
+ ULONG Reserved : 30;
+ } s1;
+ } u1;
+} MEMORY_IMAGE_INFORMATION, *PMEMORY_IMAGE_INFORMATION;
+
+typedef struct _SECTION_BASIC_INFORMATION
+{
+ PVOID BaseAddress;
+ ULONG AllocationAttributes;
+ LARGE_INTEGER MaximumSize;
+} SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;
+
+typedef struct _SECTION_IMAGE_INFORMATION
+{
+ PVOID TransferAddress; // Entry point
+ ULONG ZeroBits;
+ SIZE_T MaximumStackSize;
+ SIZE_T CommittedStackSize;
+ ULONG SubSystemType;
+ union
+ {
+ struct
+ {
+ USHORT SubSystemMinorVersion;
+ USHORT SubSystemMajorVersion;
+ } s1;
+ ULONG SubSystemVersion;
+ } u1;
+ union
+ {
+ struct
+ {
+ USHORT MajorOperatingSystemVersion;
+ USHORT MinorOperatingSystemVersion;
+ } s2;
+ ULONG OperatingSystemVersion;
+ } u2;
+ USHORT ImageCharacteristics;
+ USHORT DllCharacteristics;
+ USHORT Machine;
+ BOOLEAN ImageContainsCode;
+ union
+ {
+ UCHAR ImageFlags;
+ struct
+ {
+ UCHAR ComPlusNativeReady : 1;
+ UCHAR ComPlusILOnly : 1;
+ UCHAR ImageDynamicallyRelocated : 1;
+ UCHAR ImageMappedFlat : 1;
+ UCHAR BaseBelow4gb : 1;
+ UCHAR ComPlusPrefer32bit : 1;
+ UCHAR Reserved : 2;
+ } s3;
+ } u3;
+ ULONG LoaderFlags;
+ ULONG ImageFileSize;
+ ULONG CheckSum;
+} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;
+
+typedef struct _SECTION_INTERNAL_IMAGE_INFORMATION
+{
+ SECTION_IMAGE_INFORMATION SectionInformation;
+ union
+ {
+ ULONG ExtendedFlags;
+ struct
+ {
+ ULONG ImageExportSuppressionEnabled : 1;
+ ULONG Reserved : 31;
+ } s;
+ } u;
+} SECTION_INTERNAL_IMAGE_INFORMATION, *PSECTION_INTERNAL_IMAGE_INFORMATION;
+
+typedef struct _IMAGE_INFO
+{
+ union
+ {
+ ULONG Properties;
+ struct
+ {
+ ULONG ImageAddressingMode : 8; // Code addressing mode
+ ULONG SystemModeImage : 1; // System mode image
+ ULONG ImageMappedToAllPids : 1; // Image mapped into all processes
+ ULONG ExtendedInfoPresent : 1; // IMAGE_INFO_EX available
+ ULONG MachineTypeMismatch : 1; // Architecture type mismatch
+ ULONG ImageSignatureLevel : 4; // Signature level
+ ULONG ImageSignatureType : 3; // Signature type
+ ULONG ImagePartialMap : 1; // Nonzero if entire image is not mapped
+ ULONG Reserved : 12;
+ } s1;
+ } u1;
+ PVOID ImageBase;
+ ULONG ImageSelector;
+ SIZE_T ImageSize;
+ ULONG ImageSectionNumber;
+} IMAGE_INFO, *PIMAGE_INFO;
+
+typedef struct _OBJECT_ATTRIBUTES {
+ ULONG Length;
+ HANDLE RootDirectory;
+ PUNICODE_STRING ObjectName;
+ ULONG Attributes;
+ PVOID SecurityDescriptor;
+ PVOID SecurityQualityOfService;
+} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
+
+#define LDR_GET_DLL_HANDLE_EX_UNCHANGED_REFCOUNT 0x00000001
+#define LDR_GET_DLL_HANDLE_EX_PIN 0x00000002
+
+#define LDR_GET_PROCEDURE_ADDRESS_EX_DONT_RECORD_FORWARDER 0x00000001
+
+#define LDR_LOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001
+#define LDR_LOCK_LOADER_LOCK_FLAG_TRY_ONLY 0x00000002
+
+#define LDR_LOCK_LOADER_LOCK_DISPOSITION_INVALID 0
+#define LDR_LOCK_LOADER_LOCK_DISPOSITION_LOCK_ACQUIRED 1
+#define LDR_LOCK_LOADER_LOCK_DISPOSITION_LOCK_NOT_ACQUIRED 2
+
+#define LDR_UNLOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001
+
+typedef struct _LDR_RESOURCE_INFO
+{
+ ULONG_PTR Type;
+ ULONG_PTR Name;
+ ULONG_PTR Language;
+} LDR_RESOURCE_INFO, *PLDR_RESOURCE_INFO;
+
+typedef struct _LDR_ENUM_RESOURCE_INFO
+{
+ ULONG_PTR Type;
+ ULONG_PTR Name;
+ ULONG_PTR Language;
+ PVOID Data;
+ SIZE_T Size;
+ ULONG_PTR Reserved;
+} LDR_ENUM_RESOURCE_INFO, *PLDR_ENUM_RESOURCE_INFO;
+
+#define LDR_FIND_RESOURCE_LANGUAGE_CAN_FALLBACK 0x00000000
+#define LDR_FIND_RESOURCE_LANGUAGE_EXACT 0x00000004
+#define LDR_FIND_RESOURCE_LANGUAGE_REDIRECT_VERSION 0x00000008
+
+typedef struct _RTL_PROCESS_MODULE_INFORMATION
+{
+ HANDLE Section;
+ PVOID MappedBase;
+ PVOID ImageBase;
+ ULONG ImageSize;
+ ULONG Flags;
+ USHORT LoadOrderIndex;
+ USHORT InitOrderIndex;
+ USHORT LoadCount;
+ USHORT OffsetToFileName;
+ UCHAR FullPathName[256];
+} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
+
+typedef struct _RTL_PROCESS_MODULES
+{
+ ULONG NumberOfModules;
+ RTL_PROCESS_MODULE_INFORMATION Modules[1];
+} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;
+
+typedef struct _RTL_PROCESS_MODULE_INFORMATION_EX
+{
+ USHORT NextOffset;
+ RTL_PROCESS_MODULE_INFORMATION BaseInfo;
+ ULONG ImageChecksum;
+ ULONG TimeDateStamp;
+ PVOID DefaultBase;
+} RTL_PROCESS_MODULE_INFORMATION_EX, *PRTL_PROCESS_MODULE_INFORMATION_EX;
+
+typedef struct _SYSTEM_CODEINTEGRITY_INFORMATION
+{
+ ULONG Length;
+ ULONG CodeIntegrityOptions;
+} SYSTEM_CODEINTEGRITY_INFORMATION, *PSYSTEM_CODEINTEGRITY_INFORMATION;
+
+#define CODEINTEGRITY_OPTION_ENABLED 0x1
+#define CODEINTEGRITY_OPTION_TESTSIGN 0x2
+#define CODEINTEGRITY_OPTION_UMCI_ENABLED 0x4
+#define CODEINTEGRITY_OPTION_UMCI_AUDITMODE_ENABLED 0x8
+#define CODEINTEGRITY_OPTION_UMCI_EXCLUSIONPATHS_ENABLED 0x10
+#define CODEINTEGRITY_OPTION_TEST_BUILD 0x20
+#define CODEINTEGRITY_OPTION_PREPRODUCTION_BUILD 0x40
+#define CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED 0x80
+#define CODEINTEGRITY_OPTION_FLIGHT_BUILD 0x100
+#define CODEINTEGRITY_OPTION_FLIGHTING_ENABLED 0x200
+#define CODEINTEGRITY_OPTION_HVCI_KMCI_ENABLED 0x400
+#define CODEINTEGRITY_OPTION_HVCI_KMCI_AUDITMODE_ENABLED 0x800
+#define CODEINTEGRITY_OPTION_HVCI_KMCI_STRICTMODE_ENABLED 0x1000
+#define CODEINTEGRITY_OPTION_HVCI_IUM_ENABLED 0x2000
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+typedef struct _SYSTEM_BOOT_ENVIRONMENT_INFORMATION
+{
+ GUID BootIdentifier;
+ FIRMWARE_TYPE FirmwareType;
+ ULONGLONG BootFlags;
+} SYSTEM_BOOT_ENVIRONMENT_INFORMATION, *PSYSTEM_BOOT_ENVIRONMENT_INFORMATION;
+#endif
+
+typedef struct _SYSTEM_CODEINTEGRITYPOLICY_INFORMATION
+{
+ ULONG Options;
+ ULONG HVCIOptions;
+ ULONGLONG Version;
+ GUID PolicyGuid;
+} SYSTEM_CODEINTEGRITYPOLICY_INFORMATION, *PSYSTEM_CODEINTEGRITYPOLICY_INFORMATION;
+
+typedef struct _SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION
+{
+ HANDLE ImageFile;
+} SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION, *PSYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION;
+
+typedef struct _SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION
+{
+ union
+ {
+ ULONG Flags;
+ struct
+ {
+ ULONG Locked : 1;
+ ULONG Unlockable : 1;
+ ULONG UnlockApplied : 1;
+ ULONG Reserved : 29;
+ } s1;
+ } u1;
+} SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION, *PSYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION;
+
+typedef
+NTSTATUS
+NTAPI
+RTL_QUERY_REGISTRY_ROUTINE(
+ _In_z_ PWSTR ValueName,
+ _In_ ULONG ValueType,
+ _In_opt_ PVOID ValueData,
+ _In_ ULONG ValueLength,
+ _In_opt_ PVOID Context,
+ _In_opt_ PVOID EntryContext
+ );
+typedef RTL_QUERY_REGISTRY_ROUTINE *PRTL_QUERY_REGISTRY_ROUTINE;
+
+typedef struct _RTL_QUERY_REGISTRY_TABLE
+{
+ PRTL_QUERY_REGISTRY_ROUTINE QueryRoutine;
+ ULONG Flags;
+ PWSTR Name;
+ PVOID EntryContext;
+ ULONG DefaultType;
+ PVOID DefaultData;
+ ULONG DefaultLength;
+} RTL_QUERY_REGISTRY_TABLE, *PRTL_QUERY_REGISTRY_TABLE;
+
+// RtlQueryRegistryValues flags
+#define RTL_QUERY_REGISTRY_SUBKEY 0x00000001
+#define RTL_QUERY_REGISTRY_TOPKEY 0x00000002
+#define RTL_QUERY_REGISTRY_REQUIRED 0x00000004
+#define RTL_QUERY_REGISTRY_NOVALUE 0x00000008
+#define RTL_QUERY_REGISTRY_NOEXPAND 0x00000010
+#define RTL_QUERY_REGISTRY_DIRECT 0x00000020
+#define RTL_QUERY_REGISTRY_DELETE 0x00000040
+#define RTL_QUERY_REGISTRY_NOSTRING 0x00000080
+#define RTL_QUERY_REGISTRY_TYPECHECK 0x00000100
+
+#define RTL_QUERY_REGISTRY_TYPECHECK_SHIFT 24
+#define RTL_QUERY_REGISTRY_TYPECHECK_MASK (0xff << RTL_QUERY_REGISTRY_TYPECHECK_SHIFT)
+
+// RtlWriteRegistryValue RelativeTo values
+#define RTL_REGISTRY_ABSOLUTE 0 // Path is a full path
+#define RTL_REGISTRY_SERVICES 1 // \Registry\Machine\System\CurrentControlSet\Services
+#define RTL_REGISTRY_CONTROL 2 // \Registry\Machine\System\CurrentControlSet\Control
+#define RTL_REGISTRY_WINDOWS_NT 3 // \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion
+#define RTL_REGISTRY_DEVICEMAP 4 // \Registry\Machine\Hardware\DeviceMap
+#define RTL_REGISTRY_USER 5 // \Registry\User\CurrentUser
+#define RTL_REGISTRY_MAXIMUM 6
+#define RTL_REGISTRY_HANDLE 0x40000000 // Low order bits are registry handle
+#define RTL_REGISTRY_OPTIONAL 0x80000000 // Indicates the key node is optional
+
+typedef struct _PROCESS_HANDLE_INFORMATION
+{
+ ULONG HandleCount;
+ ULONG HandleCountHighWatermark;
+} PROCESS_HANDLE_INFORMATION, *PPROCESS_HANDLE_INFORMATION;
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION
+{
+ PROCESS_MITIGATION_POLICY Policy;
+ union
+ {
+ PROCESS_MITIGATION_ASLR_POLICY ASLRPolicy;
+ PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY StrictHandleCheckPolicy;
+ PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY SystemCallDisablePolicy;
+ PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY ExtensionPointDisablePolicy;
+ PROCESS_MITIGATION_DYNAMIC_CODE_POLICY DynamicCodePolicy;
+ PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY ControlFlowGuardPolicy;
+ PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY SignaturePolicy;
+ PROCESS_MITIGATION_FONT_DISABLE_POLICY FontDisablePolicy;
+ PROCESS_MITIGATION_IMAGE_LOAD_POLICY ImageLoadPolicy;
+ PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY SystemCallFilterPolicy;
+ PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY PayloadRestrictionPolicy;
+ PROCESS_MITIGATION_CHILD_PROCESS_POLICY ChildProcessPolicy;
+ };
+} PROCESS_MITIGATION_POLICY_INFORMATION, *PPROCESS_MITIGATION_POLICY_INFORMATION;
+#endif
+
+typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
+{
+ USHORT UniqueProcessId;
+ USHORT CreatorBackTraceIndex;
+ UCHAR ObjectTypeIndex;
+ UCHAR HandleAttributes;
+ USHORT HandleValue;
+ PVOID Object;
+ ULONG GrantedAccess;
+} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
+
+typedef struct _SYSTEM_HANDLE_INFORMATION
+{
+ ULONG NumberOfHandles;
+ SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
+} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
+
+typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX
+{
+ PVOID Object;
+ ULONG_PTR UniqueProcessId;
+ ULONG_PTR HandleValue;
+ ULONG GrantedAccess;
+ USHORT CreatorBackTraceIndex;
+ USHORT ObjectTypeIndex;
+ ULONG HandleAttributes;
+ ULONG Reserved;
+} SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX;
+
+typedef struct _SYSTEM_HANDLE_INFORMATION_EX
+{
+ ULONG_PTR NumberOfHandles;
+ ULONG_PTR Reserved;
+ SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1];
+} SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX;
+
+typedef struct _OBJECT_BASIC_INFORMATION
+{
+ ULONG Attributes;
+ ACCESS_MASK GrantedAccess;
+ ULONG HandleCount;
+ ULONG PointerCount;
+ ULONG PagedPoolCharge;
+ ULONG NonPagedPoolCharge;
+ ULONG Reserved[ 3 ];
+ ULONG NameInfoSize;
+ ULONG TypeInfoSize;
+ ULONG SecurityDescriptorSize;
+ LARGE_INTEGER CreationTime;
+} OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION;
+
+typedef struct _OBJECT_NAME_INFORMATION
+{
+ UNICODE_STRING Name;
+} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;
+
+typedef struct _OBJECT_TYPE_INFORMATION
+{
+ UNICODE_STRING TypeName;
+ ULONG TotalNumberOfObjects;
+ ULONG TotalNumberOfHandles;
+ ULONG TotalPagedPoolUsage;
+ ULONG TotalNonPagedPoolUsage;
+ ULONG TotalNamePoolUsage;
+ ULONG TotalHandleTableUsage;
+ ULONG HighWaterNumberOfObjects;
+ ULONG HighWaterNumberOfHandles;
+ ULONG HighWaterPagedPoolUsage;
+ ULONG HighWaterNonPagedPoolUsage;
+ ULONG HighWaterNamePoolUsage;
+ ULONG HighWaterHandleTableUsage;
+ ULONG InvalidAttributes;
+ GENERIC_MAPPING GenericMapping;
+ ULONG ValidAccessMask;
+ BOOLEAN SecurityRequired;
+ BOOLEAN MaintainHandleCount;
+ UCHAR TypeIndex; // Since Windows 8.1
+ CHAR ReservedByte;
+ ULONG PoolType;
+ ULONG DefaultPagedPoolCharge;
+ ULONG DefaultNonPagedPoolCharge;
+} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;
+
+typedef struct _OBJECT_TYPES_INFORMATION
+{
+ ULONG NumberOfTypes;
+} OBJECT_TYPES_INFORMATION, *POBJECT_TYPES_INFORMATION;
+
+typedef struct _OBJECT_HANDLE_FLAG_INFORMATION
+{
+ BOOLEAN Inherit;
+ BOOLEAN ProtectFromClose;
+} OBJECT_HANDLE_FLAG_INFORMATION, *POBJECT_HANDLE_FLAG_INFORMATION;
+
+typedef struct _DBGKM_EXCEPTION
+{
+ EXCEPTION_RECORD ExceptionRecord;
+ ULONG FirstChance;
+} DBGKM_EXCEPTION, *PDBGKM_EXCEPTION;
+
+typedef struct _DBGKM_CREATE_THREAD
+{
+ ULONG SubSystemKey;
+ PVOID StartAddress;
+} DBGKM_CREATE_THREAD, *PDBGKM_CREATE_THREAD;
+
+typedef struct _DBGKM_CREATE_PROCESS
+{
+ ULONG SubSystemKey;
+ HANDLE FileHandle;
+ PVOID BaseOfImage;
+ ULONG DebugInfoFileOffset;
+ ULONG DebugInfoSize;
+ DBGKM_CREATE_THREAD InitialThread;
+} DBGKM_CREATE_PROCESS, *PDBGKM_CREATE_PROCESS;
+
+typedef struct _DBGKM_EXIT_THREAD
+{
+ NTSTATUS ExitStatus;
+} DBGKM_EXIT_THREAD, *PDBGKM_EXIT_THREAD;
+
+typedef struct _DBGKM_EXIT_PROCESS
+{
+ NTSTATUS ExitStatus;
+} DBGKM_EXIT_PROCESS, *PDBGKM_EXIT_PROCESS;
+
+typedef struct _DBGKM_LOAD_DLL
+{
+ HANDLE FileHandle;
+ PVOID BaseOfDll;
+ ULONG DebugInfoFileOffset;
+ ULONG DebugInfoSize;
+ PVOID NamePointer;
+} DBGKM_LOAD_DLL, *PDBGKM_LOAD_DLL;
+
+typedef struct _DBGKM_UNLOAD_DLL
+{
+ PVOID BaseAddress;
+} DBGKM_UNLOAD_DLL, *PDBGKM_UNLOAD_DLL;
+
+typedef enum _DBG_STATE
+{
+ DbgIdle,
+ DbgReplyPending,
+ DbgCreateThreadStateChange,
+ DbgCreateProcessStateChange,
+ DbgExitThreadStateChange,
+ DbgExitProcessStateChange,
+ DbgExceptionStateChange,
+ DbgBreakpointStateChange,
+ DbgSingleStepStateChange,
+ DbgLoadDllStateChange,
+ DbgUnloadDllStateChange
+} DBG_STATE, *PDBG_STATE;
+
+typedef struct _DBGUI_CREATE_THREAD
+{
+ HANDLE HandleToThread;
+ DBGKM_CREATE_THREAD NewThread;
+} DBGUI_CREATE_THREAD, *PDBGUI_CREATE_THREAD;
+
+typedef struct _DBGUI_CREATE_PROCESS
+{
+ HANDLE HandleToProcess;
+ HANDLE HandleToThread;
+ DBGKM_CREATE_PROCESS NewProcess;
+} DBGUI_CREATE_PROCESS, *PDBGUI_CREATE_PROCESS;
+
+typedef struct _DBGUI_WAIT_STATE_CHANGE
+{
+ DBG_STATE NewState;
+ CLIENT_ID AppClientId;
+ union
+ {
+ DBGKM_EXCEPTION Exception;
+ DBGUI_CREATE_THREAD CreateThread;
+ DBGUI_CREATE_PROCESS CreateProcessInfo;
+ DBGKM_EXIT_THREAD ExitThread;
+ DBGKM_EXIT_PROCESS ExitProcess;
+ DBGKM_LOAD_DLL LoadDll;
+ DBGKM_UNLOAD_DLL UnloadDll;
+ } StateInfo;
+} DBGUI_WAIT_STATE_CHANGE, *PDBGUI_WAIT_STATE_CHANGE;
+
+typedef struct _DBGSS_THREAD_DATA
+{
+ struct _DBGSS_THREAD_DATA *Next;
+ HANDLE ThreadHandle;
+ HANDLE ProcessHandle;
+ ULONG ProcessId;
+ ULONG ThreadId;
+ BOOLEAN HandleMarked;
+} DBGSS_THREAD_DATA, *PDBGSS_THREAD_DATA;
+
+#define DbgSsSetThreadData(d) \
+ NtCurrentTeb()->DbgSsReserved[0] = d
+
+#define DbgSsGetThreadData() \
+ ((PDBGSS_THREAD_DATA)NtCurrentTeb()->DbgSsReserved[0])
+
+typedef USHORT RTL_ATOM, *PRTL_ATOM;
+typedef long SECURITY_STATUS;
+
+typedef struct _RTL_SPLAY_LINKS
+{
+ struct _RTL_SPLAY_LINKS *Parent;
+ struct _RTL_SPLAY_LINKS *LeftChild;
+ struct _RTL_SPLAY_LINKS *RightChild;
+} RTL_SPLAY_LINKS, *PRTL_SPLAY_LINKS;
+
+#define RtlInitializeSplayLinks(Links) \
+{ \
+ PRTL_SPLAY_LINKS _SplayLinks; \
+ _SplayLinks = (PRTL_SPLAY_LINKS)(Links); \
+ _SplayLinks->Parent = _SplayLinks; \
+ _SplayLinks->LeftChild = NULL; \
+ _SplayLinks->RightChild = NULL; \
+}
+
+typedef struct _PREFIX_TABLE_ENTRY
+{
+ SHORT NodeTypeCode;
+ SHORT NameLength;
+ struct _PREFIX_TABLE_ENTRY *NextPrefixTree;
+ RTL_SPLAY_LINKS Links;
+ PANSI_STRING Prefix;
+} PREFIX_TABLE_ENTRY, *PPREFIX_TABLE_ENTRY;
+
+typedef struct _PREFIX_TABLE
+{
+ SHORT NodeTypeCode;
+ SHORT NameLength;
+ PPREFIX_TABLE_ENTRY NextPrefixTree;
+} PREFIX_TABLE, *PPREFIX_TABLE;
+
+typedef struct _RTL_BITMAP
+{
+ ULONG SizeOfBitMap;
+ PULONG Buffer;
+} RTL_BITMAP, *PRTL_BITMAP;
+
+typedef struct _RTL_BITMAP_RUN
+{
+ ULONG StartingIndex;
+ ULONG NumberOfBits;
+} RTL_BITMAP_RUN, *PRTL_BITMAP_RUN;
+
+typedef enum
+{
+ RtlBsdItemVersionNumber = 0x00,
+ RtlBsdItemProductType,
+ RtlBsdItemAabEnabled,
+ RtlBsdItemAabTimeout,
+ RtlBsdItemBootGood,
+ RtlBsdItemBootShutdown,
+ RtlBsdItemMax
+} RTL_BSD_ITEM_TYPE, *PRTL_BSD_ITEM_TYPE;
+
+#define DUPLICATE_CLOSE_SOURCE 0x00000001
+#define DUPLICATE_SAME_ACCESS 0x00000002
+#define DUPLICATE_SAME_ATTRIBUTES 0x00000004
+
+#define RTL_WALK_MAX_STACK_DEPTH 128
+
+// These cannot be ORed together
+#define RTL_WALK_KERNEL_MODE_STACK 0x00000000 // Kernel mode callers only
+#define RTL_WALK_USER_MODE_STACK 0x00000001
+#define RTL_WALK_TRACE_HANDLES 0x00000300
+
+typedef struct _RTL_PROCESS_VERIFIER_OPTIONS
+{
+ ULONG SizeStruct;
+ ULONG Option;
+ UCHAR OptionData[1];
+} RTL_PROCESS_VERIFIER_OPTIONS, *PRTL_PROCESS_VERIFIER_OPTIONS;
+
+typedef struct _RTL_DEBUG_INFORMATION
+{
+ HANDLE SectionHandleClient;
+ PVOID ViewBaseClient;
+ PVOID ViewBaseTarget;
+ ULONG_PTR ViewBaseDelta;
+ HANDLE EventPairClient;
+ HANDLE EventPairTarget;
+ HANDLE TargetProcessId;
+ HANDLE TargetThreadHandle;
+ ULONG Flags;
+ SIZE_T OffsetFree;
+ SIZE_T CommitSize;
+ SIZE_T ViewSize;
+ union
+ {
+ PRTL_PROCESS_MODULES Modules;
+ PRTL_PROCESS_MODULE_INFORMATION_EX ModulesEx;
+ };
+ struct _RTL_PROCESS_BACKTRACES *BackTraces;
+ struct _RTL_PROCESS_HEAPS *Heaps;
+ struct _RTL_PROCESS_LOCKS *Locks;
+ PVOID SpecificHeap;
+ HANDLE TargetProcessHandle;
+ PRTL_PROCESS_VERIFIER_OPTIONS VerifierOptions;
+ PVOID ProcessHeap;
+ HANDLE CriticalSectionHandle;
+ HANDLE CriticalSectionOwnerThread;
+ PVOID Reserved[4];
+} RTL_DEBUG_INFORMATION, *PRTL_DEBUG_INFORMATION;
+
+typedef
+VOID
+(*PPS_APC_ROUTINE)(
+ _In_opt_ PVOID ApcArgument1,
+ _In_opt_ PVOID ApcArgument2,
+ _In_opt_ PVOID ApcArgument3
+ );
+
+typedef struct _RTLP_CURDIR_REF *PRTLP_CURDIR_REF;
+
+typedef struct _RTL_RELATIVE_NAME_U
+{
+ UNICODE_STRING RelativeName;
+ HANDLE ContainingDirectory;
+ PRTLP_CURDIR_REF CurDirRef;
+} RTL_RELATIVE_NAME_U, *PRTL_RELATIVE_NAME_U;
+
+typedef enum _RTL_PATH_TYPE
+{
+ RtlPathTypeUnknown,
+ RtlPathTypeUncAbsolute,
+ RtlPathTypeDriveAbsolute,
+ RtlPathTypeDriveRelative,
+ RtlPathTypeRooted,
+ RtlPathTypeRelative,
+ RtlPathTypeLocalDevice,
+ RtlPathTypeRootLocalDevice,
+} RTL_PATH_TYPE;
+
+#define DOS_MAX_COMPONENT_LENGTH 255
+#define DOS_MAX_PATH_LENGTH (DOS_MAX_COMPONENT_LENGTH + 5)
+#define NT_MAX_PATH_LENGTH ( (sizeof("\\??\\UNC\\") - sizeof(CHAR) ) + DOS_MAX_PATH_LENGTH + 1)
+
+typedef struct _CURDIR
+{
+ UNICODE_STRING DosPath;
+ HANDLE Handle;
+} CURDIR, *PCURDIR;
+
+#define RTL_USER_PROC_CURDIR_CLOSE 0x00000002
+#define RTL_USER_PROC_CURDIR_INHERIT 0x00000003
+
+typedef struct _RTL_DRIVE_LETTER_CURDIR
+{
+ USHORT Flags;
+ USHORT Length;
+ ULONG TimeStamp;
+ UNICODE_STRING DosPath;
+} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;
+
+#define RTL_MAX_DRIVE_LETTERS 32
+#define RTL_DRIVE_LETTER_VALID (USHORT)0x0001
+
+typedef struct _LDR_SERVICE_TAG_RECORD
+{
+ struct _LDR_SERVICE_TAG_RECORD *Next;
+ ULONG ServiceTag;
+} LDR_SERVICE_TAG_RECORD, *PLDR_SERVICE_TAG_RECORD;
+
+typedef struct _LDRP_CSLIST
+{
+ PSINGLE_LIST_ENTRY Tail;
+} LDRP_CSLIST, *PLDRP_CSLIST;
+
+typedef enum _LDR_DDAG_STATE
+{
+ LdrModulesMerged = -5,
+ LdrModulesInitError = -4,
+ LdrModulesSnapError = -3,
+ LdrModulesUnloaded = -2,
+ LdrModulesUnloading = -1,
+ LdrModulesPlaceHolder = 0,
+ LdrModulesMapping = 1,
+ LdrModulesMapped = 2,
+ LdrModulesWaitingForDependencies = 3,
+ LdrModulesSnapping = 4,
+ LdrModulesSnapped = 5,
+ LdrModulesCondensed = 6,
+ LdrModulesReadyToInit = 7,
+ LdrModulesInitializing = 8,
+ LdrModulesReadyToRun = 9
+} LDR_DDAG_STATE;
+
+typedef struct _LDR_DDAG_NODE
+{
+ LIST_ENTRY Modules;
+ PLDR_SERVICE_TAG_RECORD ServiceTagList;
+ ULONG LoadCount;
+ ULONG LoadWhileUnloadingCount;
+ ULONG LowestLink;
+ union
+ {
+ LDRP_CSLIST Dependencies;
+ SINGLE_LIST_ENTRY RemovalLink;
+ };
+ LDRP_CSLIST IncomingDependencies;
+ LDR_DDAG_STATE State;
+ SINGLE_LIST_ENTRY CondenseLink;
+ ULONG PreorderNumber;
+} LDR_DDAG_NODE, *PLDR_DDAG_NODE;
+
+typedef struct _LDR_DEPENDENCY_RECORD
+{
+ SINGLE_LIST_ENTRY DependencyLink;
+ PLDR_DDAG_NODE DependencyNode;
+ SINGLE_LIST_ENTRY IncomingDependencyLink;
+ PLDR_DDAG_NODE IncomingDependencyNode;
+} LDR_DEPENDENCY_RECORD, *PLDR_DEPENDENCY_RECORD;
+
+typedef enum _LDR_DLL_LOAD_REASON
+{
+ LoadReasonStaticDependency,
+ LoadReasonStaticForwarderDependency,
+ LoadReasonDynamicForwarderDependency,
+ LoadReasonDelayloadDependency,
+ LoadReasonDynamicLoad,
+ LoadReasonAsImageLoad,
+ LoadReasonAsDataLoad,
+ LoadReasonEnclavePrimary, // REDSTONE3
+ LoadReasonEnclaveDependency,
+ LoadReasonUnknown = -1
+} LDR_DLL_LOAD_REASON, *PLDR_DLL_LOAD_REASON;
+
+#define LDRP_PACKAGED_BINARY 0x00000001
+#define LDRP_IMAGE_DLL 0x00000004
+#define LDRP_LOAD_IN_PROGRESS 0x00001000
+#define LDRP_ENTRY_PROCESSED 0x00004000
+#define LDRP_DONT_CALL_FOR_THREADS 0x00040000
+#define LDRP_PROCESS_ATTACH_CALLED 0x00080000
+#define LDRP_PROCESS_ATTACH_FAILED 0x00100000
+#define LDRP_IMAGE_NOT_AT_BASE 0x00200000 // Vista and below
+#define LDRP_COR_IMAGE 0x00400000
+#define LDRP_DONT_RELOCATE 0x00800000
+#define LDRP_REDIRECTED 0x10000000
+#define LDRP_COMPAT_DATABASE_PROCESSED 0x80000000
+
+#define LDR_DATA_TABLE_ENTRY_SIZE_WINXP FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, DdagNode)
+#define LDR_DATA_TABLE_ENTRY_SIZE_WIN7 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, BaseNameHashValue)
+#define LDR_DATA_TABLE_ENTRY_SIZE_WIN8 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, ImplicitPathOptions)
+
+#define RTL_BALANCED_NODE_RESERVED_PARENT_MASK 3
+
+typedef struct _RTL_BALANCED_NODE
+{
+ union
+ {
+ struct _RTL_BALANCED_NODE *Children[2];
+ struct
+ {
+ struct _RTL_BALANCED_NODE *Left;
+ struct _RTL_BALANCED_NODE *Right;
+ } s;
+ };
+ union
+ {
+ UCHAR Red : 1;
+ UCHAR Balance : 2;
+ ULONG_PTR ParentValue;
+ } u;
+} RTL_BALANCED_NODE, *PRTL_BALANCED_NODE;
+
+typedef struct _LDR_DATA_TABLE_ENTRY
+{
+ LIST_ENTRY InLoadOrderLinks;
+ LIST_ENTRY InMemoryOrderLinks;
+ union
+ {
+ LIST_ENTRY InInitializationOrderLinks;
+ LIST_ENTRY InProgressLinks;
+ };
+ PVOID DllBase;
+ PVOID EntryPoint;
+ ULONG SizeOfImage;
+ UNICODE_STRING FullDllName;
+ UNICODE_STRING BaseDllName;
+ union
+ {
+ UCHAR FlagGroup[4];
+ ULONG Flags;
+ struct
+ {
+ ULONG PackagedBinary : 1;
+ ULONG MarkedForRemoval : 1;
+ ULONG ImageDll : 1;
+ ULONG LoadNotificationsSent : 1;
+ ULONG TelemetryEntryProcessed : 1;
+ ULONG ProcessStaticImport : 1;
+ ULONG InLegacyLists : 1;
+ ULONG InIndexes : 1;
+ ULONG ShimDll : 1;
+ ULONG InExceptionTable : 1;
+ ULONG ReservedFlags1 : 2;
+ ULONG LoadInProgress : 1;
+ ULONG LoadConfigProcessed : 1;
+ ULONG EntryProcessed : 1;
+ ULONG ProtectDelayLoad : 1;
+ ULONG ReservedFlags3 : 2;
+ ULONG DontCallForThreads : 1;
+ ULONG ProcessAttachCalled : 1;
+ ULONG ProcessAttachFailed : 1;
+ ULONG CorDeferredValidate : 1;
+ ULONG CorImage : 1;
+ ULONG DontRelocate : 1;
+ ULONG CorILOnly : 1;
+ ULONG ReservedFlags5 : 3;
+ ULONG Redirected : 1;
+ ULONG ReservedFlags6 : 2;
+ ULONG CompatDatabaseProcessed : 1;
+ } s;
+ } u;
+ USHORT ObsoleteLoadCount;
+ USHORT TlsIndex;
+ LIST_ENTRY HashLinks;
+ ULONG TimeDateStamp;
+ struct _ACTIVATION_CONTEXT *EntryPointActivationContext;
+ PVOID Lock;
+ PLDR_DDAG_NODE DdagNode;
+ LIST_ENTRY NodeModuleLink;
+ struct _LDRP_LOAD_CONTEXT *LoadContext;
+ PVOID ParentDllBase;
+ PVOID SwitchBackContext;
+ RTL_BALANCED_NODE BaseAddressIndexNode;
+ RTL_BALANCED_NODE MappingInfoIndexNode;
+ ULONG_PTR OriginalBase;
+ LARGE_INTEGER LoadTime;
+ ULONG BaseNameHashValue;
+ LDR_DLL_LOAD_REASON LoadReason;
+ ULONG ImplicitPathOptions;
+ ULONG ReferenceCount;
+ ULONG DependentLoadFlags;
+ UCHAR SigningLevel; // Since Windows 10 RS2
+} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
+
+typedef struct _INITIAL_TEB
+{
+ struct
+ {
+ PVOID OldStackBase;
+ PVOID OldStackLimit;
+ } OldInitialTeb;
+ PVOID StackBase;
+ PVOID StackLimit;
+ PVOID StackAllocationBase;
+} INITIAL_TEB, *PINITIAL_TEB;
+
+typedef struct _IO_STATUS_BLOCK
+{
+ union
+ {
+ NTSTATUS Status;
+ PVOID Pointer;
+ };
+ ULONG_PTR Information;
+} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
+
+typedef
+VOID
+(NTAPI*
+PIO_APC_ROUTINE)(
+ _In_ PVOID ApcContext,
+ _In_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_ ULONG Reserved
+ );
+
+typedef struct _FILE_IO_COMPLETION_INFORMATION
+{
+ PVOID KeyContext;
+ PVOID ApcContext;
+ IO_STATUS_BLOCK IoStatusBlock;
+} FILE_IO_COMPLETION_INFORMATION, *PFILE_IO_COMPLETION_INFORMATION;
+
+typedef struct _FILE_COMPLETION_INFORMATION
+{
+ HANDLE Port;
+ PVOID Key;
+} FILE_COMPLETION_INFORMATION, *PFILE_COMPLETION_INFORMATION;
+
+#ifdef __cplusplus
+typedef enum _PRIORITY_CLASS : UCHAR
+{
+ Undefined,
+ Idle,
+ Normal,
+ High,
+ Realtime,
+ BelowNormal,
+ AboveNormal
+} PRIORITY_CLASS;
+#else
+typedef UCHAR PRIORITY_CLASS;
+#endif
+
+typedef struct _PROCESS_PRIORITY_CLASS
+{
+ BOOLEAN Foreground;
+ PRIORITY_CLASS PriorityClass;
+} PROCESS_PRIORITY_CLASS, *PPROCESS_PRIORITY_CLASS;
+
+typedef struct _PS_ATTRIBUTE {
+ ULONG_PTR Attribute; // PROC_THREAD_ATTRIBUTE_XXX | PROC_THREAD_ATTRIBUTE_XXX modifiers, see ProcThreadAttributeValue macro and Windows Internals 6 (372)
+ SIZE_T Size; // Size of Value or *ValuePtr
+ union {
+ ULONG_PTR Value; // Reserve 8 bytes for data (such as a Handle or a data pointer)
+ PVOID ValuePtr; // data pointer
+ };
+ PSIZE_T ReturnLength; // Either 0 or specifies size of data returned to caller via "ValuePtr"
+} PS_ATTRIBUTE, *PPS_ATTRIBUTE;
+
+typedef struct _PS_ATTRIBUTE_LIST {
+ SIZE_T TotalLength; // sizeof(PS_ATTRIBUTE_LIST) + <attribute count> * sizeof(PS_ATTRIBUTE)
+ PS_ATTRIBUTE Attributes[1]; // Depends on how many attribute entries should be supplied to NtCreateUserProcess
+} PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST;
+
+typedef struct _PS_MEMORY_RESERVE {
+ PVOID ReserveAddress;
+ SIZE_T ReserveSize;
+} PS_MEMORY_RESERVE, *PPS_MEMORY_RESERVE;
+
+#define PS_ATTRIBUTE_NUMBER_MASK 0x0000ffff
+#define PS_ATTRIBUTE_THREAD 0x00010000 // Attribute may be used with thread creation
+#define PS_ATTRIBUTE_INPUT 0x00020000 // Attribute is input only
+#define PS_ATTRIBUTE_ADDITIVE 0x00040000 // Attribute may be "accumulated", e.g. bitmasks, counters, etc.
+
+typedef enum _PS_ATTRIBUTE_NUM
+{
+ PsAttributeParentProcess, // in HANDLE
+ PsAttributeDebugPort, // in HANDLE
+ PsAttributeToken, // in HANDLE
+ PsAttributeClientId, // out PCLIENT_ID
+ PsAttributeTebAddress, // out PTEB
+ PsAttributeImageName, // in PWSTR
+ PsAttributeImageInfo, // out PSECTION_IMAGE_INFORMATION
+ PsAttributeMemoryReserve, // in PPS_MEMORY_RESERVE
+ PsAttributePriorityClass, // in UCHAR
+ PsAttributeErrorMode, // in ULONG
+ PsAttributeStdHandleInfo, // in PPS_STD_HANDLE_INFO
+ PsAttributeHandleList, // in PHANDLE
+ PsAttributeGroupAffinity, // in PGROUP_AFFINITY
+ PsAttributePreferredNode, // in PUSHORT
+ PsAttributeIdealProcessor, // in PPROCESSOR_NUMBER
+ PsAttributeUmsThread, // see MSDN UpdateProceThreadAttributeList (CreateProcessW) - in PUMS_CREATE_THREAD_ATTRIBUTES
+ PsAttributeMitigationOptions, // in UCHAR
+ PsAttributeProtectionLevel, // in ULONG
+ PsAttributeSecureProcess, // since THRESHOLD (Virtual Secure Mode, Device Guard)
+ PsAttributeJobList,
+ PsAttributeChildProcessPolicy, // since THRESHOLD2
+ PsAttributeAllApplicationPackagesPolicy, // since REDSTONE
+ PsAttributeWin32kFilter,
+ PsAttributeSafeOpenPromptOriginClaim,
+ PsAttributeBnoIsolation,
+ PsAttributeDesktopAppPolicy,
+ PsAttributeChpe, // since REDSTONE3
+ PsAttributeMax
+} PS_ATTRIBUTE_NUM;
+
+#define PsAttributeValue(Number, Thread, Input, Additive) \
+ (((Number) & PS_ATTRIBUTE_NUMBER_MASK) | \
+ ((Thread) ? PS_ATTRIBUTE_THREAD : 0) | \
+ ((Input) ? PS_ATTRIBUTE_INPUT : 0) | \
+ ((Additive) ? PS_ATTRIBUTE_ADDITIVE : 0))
+
+#define PS_ATTRIBUTE_PARENT_PROCESS \
+ PsAttributeValue(PsAttributeParentProcess, FALSE, TRUE, TRUE) // 0x60000
+#define PS_ATTRIBUTE_DEBUG_PORT \
+ PsAttributeValue(PsAttributeDebugPort, FALSE, TRUE, TRUE) // 0x60001
+#define PS_ATTRIBUTE_TOKEN \
+ PsAttributeValue(PsAttributeToken, FALSE, TRUE, TRUE) // 0x60002
+#define PS_ATTRIBUTE_CLIENT_ID \
+ PsAttributeValue(PsAttributeClientId, TRUE, FALSE, FALSE) // 0x10003
+#define PS_ATTRIBUTE_TEB_ADDRESS \
+ PsAttributeValue(PsAttributeTebAddress, TRUE, FALSE, FALSE) // 0x10004
+#define PS_ATTRIBUTE_IMAGE_NAME \
+ PsAttributeValue(PsAttributeImageName, FALSE, TRUE, FALSE) // 0x20005
+#define PS_ATTRIBUTE_IMAGE_INFO \
+ PsAttributeValue(PsAttributeImageInfo, FALSE, FALSE, FALSE) // 0x6
+#define PS_ATTRIBUTE_MEMORY_RESERVE \
+ PsAttributeValue(PsAttributeMemoryReserve, FALSE, TRUE, FALSE) // 0x20007
+#define PS_ATTRIBUTE_PRIORITY_CLASS \
+ PsAttributeValue(PsAttributePriorityClass, FALSE, TRUE, FALSE) // 0x20008
+#define PS_ATTRIBUTE_ERROR_MODE \
+ PsAttributeValue(PsAttributeErrorMode, FALSE, TRUE, FALSE) // 0x20009
+#define PS_ATTRIBUTE_STD_HANDLE_INFO \
+ PsAttributeValue(PsAttributeStdHandleInfo, FALSE, TRUE, FALSE) // 0x2000A
+#define PS_ATTRIBUTE_HANDLE_LIST \
+ PsAttributeValue(PsAttributeHandleList, FALSE, TRUE, FALSE) // 0x2000B
+#define PS_ATTRIBUTE_GROUP_AFFINITY \
+ PsAttributeValue(PsAttributeGroupAffinity, TRUE, TRUE, FALSE) // 0x2000C
+#define PS_ATTRIBUTE_PREFERRED_NODE \
+ PsAttributeValue(PsAttributePreferredNode, FALSE, TRUE, FALSE) // 0x2000D
+#define PS_ATTRIBUTE_IDEAL_PROCESSOR \
+ PsAttributeValue(PsAttributeIdealProcessor, TRUE, TRUE, FALSE) // 0x2000E
+#define PS_ATTRIBUTE_MITIGATION_OPTIONS \
+ PsAttributeValue(PsAttributeMitigationOptions, FALSE, TRUE, TRUE) // 0x60010
+#define PS_ATTRIBUTE_PROTECTION_LEVEL \
+ PsAttributeValue(PsAttributeProtectionLevel, FALSE, TRUE, FALSE) // 0x20011
+#define PS_ATTRIBUTE_SECURE_PROCESS \
+ PsAttributeValue(PsAttributeSecureProcess, FALSE, TRUE, FALSE) // 0x20012
+#define PS_ATTRIBUTE_JOB_LIST \
+ PsAttributeValue(PsAttributeJobList, FALSE, TRUE, FALSE) // 0x20013
+#define PS_ATTRIBUTE_CHILD_PROCESS_POLICY \
+ PsAttributeValue(PsAttributeChildProcessPolicy, FALSE, TRUE, FALSE) // 0x20014
+#define PS_ATTRIBUTE_ALL_APPLICATION_PACKAGES_POLICY \
+ PsAttributeValue(PsAttributeAllApplicationPackagesPolicy, FALSE, TRUE, FALSE) // 0x20015
+#define PS_ATTRIBUTE_WIN32K_FILTER \
+ PsAttributeValue(PsAttributeWin32kFilter, FALSE, TRUE, FALSE) // 0x20016
+#define PS_ATTRIBUTE_SAFE_OPEN_PROMPT_ORIGIN_CLAIM \
+ PsAttributeValue(PsAttributeSafeOpenPromptOriginClaim, FALSE, TRUE, FALSE) // 0x20017
+#define PS_ATTRIBUTE_BNO_ISOLATION \
+ PsAttributeValue(PsAttributeBnoIsolation, FALSE, TRUE, FALSE) // 0x20018
+#define PS_ATTRIBUTE_DESKTOP_APP_POLICY \
+ PsAttributeValue(PsAttributeDesktopAppPolicy, FALSE, TRUE, FALSE) // 0x20019
+
+typedef enum _PS_STD_HANDLE_STATE {
+ PsNeverDuplicate,
+ PsRequestDuplicate, // Duplicate standard handles specified by PseudoHandleMask, and only if StdHandleSubsystemType matches the image subsystem
+ PsAlwaysDuplicate, // Always duplicate standard handles
+ PsMaxStdHandleStates
+} PS_STD_HANDLE_STATE;
+
+#define HANDLE_DETACHED_PROCESS ((HANDLE)-1)
+#define HANDLE_CREATE_NEW_CONSOLE ((HANDLE)-2)
+#define HANDLE_CREATE_NO_WINDOW ((HANDLE)-3)
+
+#define PS_STD_INPUT_HANDLE 0x1
+#define PS_STD_OUTPUT_HANDLE 0x2
+#define PS_STD_ERROR_HANDLE 0x4
+
+typedef struct _PS_STD_HANDLE_INFO
+{
+ union
+ {
+ ULONG Flags;
+ struct
+ {
+ ULONG StdHandleState : 2; // PS_STD_HANDLE_STATE
+ ULONG PseudoHandleMask : 3; // PS_STD_*
+ } s;
+ };
+ ULONG StdHandleSubsystemType;
+} PS_STD_HANDLE_INFO, *PPS_STD_HANDLE_INFO;
+
+typedef struct _PS_BNO_ISOLATION_PARAMETERS
+{
+ UNICODE_STRING IsolationPrefix;
+ ULONG HandleCount;
+ PVOID *Handles;
+ BOOLEAN IsolationEnabled;
+} PS_BNO_ISOLATION_PARAMETERS, *PPS_BNO_ISOLATION_PARAMETERS;
+
+typedef enum _PS_MITIGATION_OPTION
+{
+ PS_MITIGATION_OPTION_NX,
+ PS_MITIGATION_OPTION_SEHOP,
+ PS_MITIGATION_OPTION_FORCE_RELOCATE_IMAGES,
+ PS_MITIGATION_OPTION_HEAP_TERMINATE,
+ PS_MITIGATION_OPTION_BOTTOM_UP_ASLR,
+ PS_MITIGATION_OPTION_HIGH_ENTROPY_ASLR,
+ PS_MITIGATION_OPTION_STRICT_HANDLE_CHECKS,
+ PS_MITIGATION_OPTION_WIN32K_SYSTEM_CALL_DISABLE,
+ PS_MITIGATION_OPTION_EXTENSION_POINT_DISABLE,
+ PS_MITIGATION_OPTION_PROHIBIT_DYNAMIC_CODE,
+ PS_MITIGATION_OPTION_CONTROL_FLOW_GUARD,
+ PS_MITIGATION_OPTION_BLOCK_NON_MICROSOFT_BINARIES,
+ PS_MITIGATION_OPTION_FONT_DISABLE,
+ PS_MITIGATION_OPTION_IMAGE_LOAD_NO_REMOTE,
+ PS_MITIGATION_OPTION_IMAGE_LOAD_NO_LOW_LABEL,
+ PS_MITIGATION_OPTION_IMAGE_LOAD_PREFER_SYSTEM32,
+ PS_MITIGATION_OPTION_RETURN_FLOW_GUARD,
+ PS_MITIGATION_OPTION_LOADER_INTEGRITY_CONTINUITY,
+ PS_MITIGATION_OPTION_STRICT_CONTROL_FLOW_GUARD,
+ PS_MITIGATION_OPTION_RESTRICT_SET_THREAD_CONTEXT,
+ PS_MITIGATION_OPTION_ROP_STACKPIVOT, // since REDSTONE3
+ PS_MITIGATION_OPTION_ROP_CALLER_CHECK,
+ PS_MITIGATION_OPTION_ROP_SIMEXEC,
+ PS_MITIGATION_OPTION_EXPORT_ADDRESS_FILTER,
+ PS_MITIGATION_OPTION_EXPORT_ADDRESS_FILTER_PLUS,
+ PS_MITIGATION_OPTION_RESTRICT_CHILD_PROCESS_CREATION,
+ PS_MITIGATION_OPTION_IMPORT_ADDRESS_FILTER,
+ PS_MITIGATION_OPTION_MODULE_TAMPERING_PROTECTION
+} PS_MITIGATION_OPTION;
+
+typedef enum _PS_CREATE_STATE
+{
+ PsCreateInitialState,
+ PsCreateFailOnFileOpen,
+ PsCreateFailOnSectionCreate,
+ PsCreateFailExeFormat,
+ PsCreateFailMachineMismatch,
+ PsCreateFailExeName, // Debugger specified
+ PsCreateSuccess,
+ PsCreateMaximumStates
+} PS_CREATE_STATE;
+
+typedef struct _PS_CREATE_INFO
+{
+ SIZE_T Size;
+ PS_CREATE_STATE State;
+ union
+ {
+ // PsCreateInitialState
+ struct
+ {
+ union
+ {
+ ULONG InitFlags;
+ struct
+ {
+ UCHAR WriteOutputOnExit : 1;
+ UCHAR DetectManifest : 1;
+ UCHAR IFEOSkipDebugger : 1;
+ UCHAR IFEODoNotPropagateKeyState : 1;
+ UCHAR SpareBits1 : 4;
+ UCHAR SpareBits2 : 8;
+ USHORT ProhibitedImageCharacteristics : 16;
+ } s1;
+ } u1;
+ ACCESS_MASK AdditionalFileAccess;
+ } InitState;
+
+ // PsCreateFailOnSectionCreate
+ struct
+ {
+ HANDLE FileHandle;
+ } FailSection;
+
+ // PsCreateFailExeFormat
+ struct
+ {
+ USHORT DllCharacteristics;
+ } ExeFormat;
+
+ // PsCreateFailExeName
+ struct
+ {
+ HANDLE IFEOKey;
+ } ExeName;
+
+ // PsCreateSuccess
+ struct
+ {
+ union
+ {
+ ULONG OutputFlags;
+ struct
+ {
+ UCHAR ProtectedProcess : 1;
+ UCHAR AddressSpaceOverride : 1;
+ UCHAR DevOverrideEnabled : 1; // From Image File Execution Options
+ UCHAR ManifestDetected : 1;
+ UCHAR ProtectedProcessLight : 1;
+ UCHAR SpareBits1 : 3;
+ UCHAR SpareBits2 : 8;
+ USHORT SpareBits3 : 16;
+ } s2;
+ } u2;
+ HANDLE FileHandle;
+ HANDLE SectionHandle;
+ ULONGLONG UserProcessParametersNative;
+ ULONG UserProcessParametersWow64;
+ ULONG CurrentParameterFlags;
+ ULONGLONG PebAddressNative;
+ ULONG PebAddressWow64;
+ ULONGLONG ManifestAddress;
+ ULONG ManifestSize;
+ } SuccessState;
+ };
+} PS_CREATE_INFO, *PPS_CREATE_INFO;
+
+#define PROCESS_CREATE_FLAGS_BREAKAWAY 0x00000001
+#define PROCESS_CREATE_FLAGS_NO_DEBUG_INHERIT 0x00000002
+#define PROCESS_CREATE_FLAGS_INHERIT_HANDLES 0x00000004
+#define PROCESS_CREATE_FLAGS_OVERRIDE_ADDRESS_SPACE 0x00000008
+#define PROCESS_CREATE_FLAGS_LARGE_PAGES 0x00000010
+
+// Only usable with NtCreateUserProcess (Vista+):
+#define PROCESS_CREATE_FLAGS_LARGE_PAGE_SYSTEM_DLL 0x00000020
+#define PROCESS_CREATE_FLAGS_PROTECTED_PROCESS 0x00000040 // Only allowed if the calling process is itself protected
+#define PROCESS_CREATE_FLAGS_CREATE_SESSION 0x00000080
+#define PROCESS_CREATE_FLAGS_INHERIT_FROM_PARENT 0x00000100
+#define PROCESS_CREATE_FLAGS_SUSPENDED 0x00000200
+#define PROCESS_CREATE_FLAGS_EXTENDED_UNKNOWN 0x00000400
+
+typedef enum _MEMORY_RESERVE_TYPE
+{
+ MemoryReserveUserApc,
+ MemoryReserveIoCompletion,
+ MemoryReserveTypeMax
+} MEMORY_RESERVE_TYPE;
+
+typedef struct _PROCESS_HANDLE_TRACING_ENABLE
+{
+ ULONG Flags;
+} PROCESS_HANDLE_TRACING_ENABLE, *PPROCESS_HANDLE_TRACING_ENABLE;
+
+#define PROCESS_HANDLE_TRACING_MAX_SLOTS 0x20000
+
+typedef struct _PROCESS_HANDLE_TRACING_ENABLE_EX
+{
+ ULONG Flags;
+ ULONG TotalSlots;
+} PROCESS_HANDLE_TRACING_ENABLE_EX, *PPROCESS_HANDLE_TRACING_ENABLE_EX;
+
+typedef enum _PROCESSINFOCLASS
+{
+ ProcessBasicInformation, // q: PROCESS_BASIC_INFORMATION, PROCESS_EXTENDED_BASIC_INFORMATION
+ ProcessQuotaLimits, // qs: QUOTA_LIMITS, QUOTA_LIMITS_EX
+ ProcessIoCounters, // q: IO_COUNTERS
+ ProcessVmCounters, // q: VM_COUNTERS, VM_COUNTERS_EX, VM_COUNTERS_EX2
+ ProcessTimes, // q: KERNEL_USER_TIMES
+ ProcessBasePriority, // s: KPRIORITY
+ ProcessRaisePriority, // s: ULONG
+ ProcessDebugPort, // q: HANDLE
+ ProcessExceptionPort, // s: HANDLE
+ ProcessAccessToken, // s: PROCESS_ACCESS_TOKEN
+ ProcessLdtInformation, // qs: PROCESS_LDT_INFORMATION // 10
+ ProcessLdtSize, // s: PROCESS_LDT_SIZE
+ ProcessDefaultHardErrorMode, // qs: ULONG
+ ProcessIoPortHandlers, // (kernel-mode only)
+ ProcessPooledUsageAndLimits, // q: POOLED_USAGE_AND_LIMITS
+ ProcessWorkingSetWatch, // q: PROCESS_WS_WATCH_INFORMATION[]; s: void
+ ProcessUserModeIOPL,
+ ProcessEnableAlignmentFaultFixup, // s: BOOLEAN
+ ProcessPriorityClass, // qs: PROCESS_PRIORITY_CLASS
+ ProcessWx86Information,
+ ProcessHandleCount, // q: ULONG, PROCESS_HANDLE_INFORMATION // 20
+ ProcessAffinityMask, // s: KAFFINITY
+ ProcessPriorityBoost, // qs: ULONG
+ ProcessDeviceMap, // qs: PROCESS_DEVICEMAP_INFORMATION, PROCESS_DEVICEMAP_INFORMATION_EX
+ ProcessSessionInformation, // q: PROCESS_SESSION_INFORMATION
+ ProcessForegroundInformation, // s: PROCESS_FOREGROUND_BACKGROUND
+ ProcessWow64Information, // q: ULONG_PTR
+ ProcessImageFileName, // q: UNICODE_STRING
+ ProcessLUIDDeviceMapsEnabled, // q: ULONG
+ ProcessBreakOnTermination, // qs: ULONG
+ ProcessDebugObjectHandle, // q: HANDLE // 30
+ ProcessDebugFlags, // qs: ULONG
+ ProcessHandleTracing, // q: PROCESS_HANDLE_TRACING_QUERY; s: size 0 disables, otherwise enables
+ ProcessIoPriority, // qs: IO_PRIORITY_HINT
+ ProcessExecuteFlags, // qs: ULONG
+ ProcessResourceManagement,
+ ProcessCookie, // q: ULONG
+ ProcessImageInformation, // q: SECTION_IMAGE_INFORMATION
+ ProcessCycleTime, // q: PROCESS_CYCLE_TIME_INFORMATION // since VISTA
+ ProcessPagePriority, // q: ULONG
+ ProcessInstrumentationCallback, // 40
+ ProcessThreadStackAllocation, // s: PROCESS_STACK_ALLOCATION_INFORMATION, PROCESS_STACK_ALLOCATION_INFORMATION_EX
+ ProcessWorkingSetWatchEx, // q: PROCESS_WS_WATCH_INFORMATION_EX[]
+ ProcessImageFileNameWin32, // q: UNICODE_STRING
+ ProcessImageFileMapping, // q: HANDLE (input)
+ ProcessAffinityUpdateMode, // qs: PROCESS_AFFINITY_UPDATE_MODE
+ ProcessMemoryAllocationMode, // qs: PROCESS_MEMORY_ALLOCATION_MODE
+ ProcessGroupInformation, // q: USHORT[]
+ ProcessTokenVirtualizationEnabled, // s: ULONG
+ ProcessConsoleHostProcess, // q: ULONG_PTR
+ ProcessWindowInformation, // q: PROCESS_WINDOW_INFORMATION // 50
+ ProcessHandleInformation, // q: PROCESS_HANDLE_SNAPSHOT_INFORMATION // since WIN8
+ ProcessMitigationPolicy, // s: PROCESS_MITIGATION_POLICY_INFORMATION
+ ProcessDynamicFunctionTableInformation,
+ ProcessHandleCheckingMode,
+ ProcessKeepAliveCount, // q: PROCESS_KEEPALIVE_COUNT_INFORMATION
+ ProcessRevokeFileHandles, // s: PROCESS_REVOKE_FILE_HANDLES_INFORMATION
+ ProcessWorkingSetControl, // s: PROCESS_WORKING_SET_CONTROL
+ ProcessHandleTable, // since WINBLUE
+ ProcessCheckStackExtentsMode,
+ ProcessCommandLineInformation, // q: UNICODE_STRING // 60
+ ProcessProtectionInformation, // q: PS_PROTECTION
+ ProcessMemoryExhaustion, // PROCESS_MEMORY_EXHAUSTION_INFO // since THRESHOLD
+ ProcessFaultInformation, // PROCESS_FAULT_INFORMATION
+ ProcessTelemetryIdInformation, // PROCESS_TELEMETRY_ID_INFORMATION
+ ProcessCommitReleaseInformation, // PROCESS_COMMIT_RELEASE_INFORMATION
+ ProcessDefaultCpuSetsInformation,
+ ProcessAllowedCpuSetsInformation,
+ ProcessSubsystemProcess,
+ ProcessJobMemoryInformation, // PROCESS_JOB_MEMORY_INFO
+ ProcessInPrivate, // since THRESHOLD2 // 70
+ ProcessRaiseUMExceptionOnInvalidHandleClose,
+ ProcessIumChallengeResponse,
+ ProcessChildProcessInformation, // PROCESS_CHILD_PROCESS_INFORMATION
+ ProcessHighGraphicsPriorityInformation,
+ ProcessSubsystemInformation, // q: SUBSYSTEM_INFORMATION_TYPE // since REDSTONE2
+ ProcessEnergyValues, // PROCESS_ENERGY_VALUES, PROCESS_EXTENDED_ENERGY_VALUES
+ ProcessActivityThrottleState, // PROCESS_ACTIVITY_THROTTLE_STATE
+ ProcessActivityThrottlePolicy, // PROCESS_ACTIVITY_THROTTLE_POLICY
+ ProcessWin32kSyscallFilterInformation,
+ ProcessDisableSystemAllowedCpuSets,
+ ProcessWakeInformation, // PROCESS_WAKE_INFORMATION
+ ProcessEnergyTrackingState, // PROCESS_ENERGY_TRACKING_STATE
+ ProcessManageWritesToExecutableMemory, // MANAGE_WRITES_TO_EXECUTABLE_MEMORY // since REDSTONE3
+ ProcessCaptureTrustletLiveDump,
+ ProcessTelemetryCoverage,
+ ProcessEnclaveInformation,
+ ProcessEnableReadWriteVmLogging, // PROCESS_READWRITEVM_LOGGING_INFORMATION
+ ProcessUptimeInformation, // PROCESS_UPTIME_INFORMATION
+ ProcessImageSection,
+ MaxProcessInfoClass
+} PROCESSINFOCLASS;
+
+typedef enum _SYSTEM_INFORMATION_CLASS
+{
+ SystemBasicInformation, // q: SYSTEM_BASIC_INFORMATION
+ SystemProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION
+ SystemPerformanceInformation, // q: SYSTEM_PERFORMANCE_INFORMATION
+ SystemTimeOfDayInformation, // q: SYSTEM_TIMEOFDAY_INFORMATION
+ SystemPathInformation, // not implemented
+ SystemProcessInformation, // q: SYSTEM_PROCESS_INFORMATION
+ SystemCallCountInformation, // q: SYSTEM_CALL_COUNT_INFORMATION
+ SystemDeviceInformation, // q: SYSTEM_DEVICE_INFORMATION
+ SystemProcessorPerformanceInformation, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION
+ SystemFlagsInformation, // q: SYSTEM_FLAGS_INFORMATION
+ SystemCallTimeInformation, // not implemented // SYSTEM_CALL_TIME_INFORMATION // 10
+ SystemModuleInformation, // q: RTL_PROCESS_MODULES
+ SystemLocksInformation, // q: RTL_PROCESS_LOCKS
+ SystemStackTraceInformation, // q: RTL_PROCESS_BACKTRACES
+ SystemPagedPoolInformation, // not implemented
+ SystemNonPagedPoolInformation, // not implemented
+ SystemHandleInformation, // q: SYSTEM_HANDLE_INFORMATION
+ SystemObjectInformation, // q: SYSTEM_OBJECTTYPE_INFORMATION mixed with SYSTEM_OBJECT_INFORMATION
+ SystemPageFileInformation, // q: SYSTEM_PAGEFILE_INFORMATION
+ SystemVdmInstemulInformation, // q
+ SystemVdmBopInformation, // not implemented // 20
+ SystemFileCacheInformation, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemCache)
+ SystemPoolTagInformation, // q: SYSTEM_POOLTAG_INFORMATION
+ SystemInterruptInformation, // q: SYSTEM_INTERRUPT_INFORMATION
+ SystemDpcBehaviorInformation, // q: SYSTEM_DPC_BEHAVIOR_INFORMATION; s: SYSTEM_DPC_BEHAVIOR_INFORMATION (requires SeLoadDriverPrivilege)
+ SystemFullMemoryInformation, // not implemented
+ SystemLoadGdiDriverInformation, // s (kernel-mode only)
+ SystemUnloadGdiDriverInformation, // s (kernel-mode only)
+ SystemTimeAdjustmentInformation, // q: SYSTEM_QUERY_TIME_ADJUST_INFORMATION; s: SYSTEM_SET_TIME_ADJUST_INFORMATION (requires SeSystemtimePrivilege)
+ SystemSummaryMemoryInformation, // not implemented
+ SystemMirrorMemoryInformation, // s (requires license value "Kernel-MemoryMirroringSupported") (requires SeShutdownPrivilege) // 30
+ SystemPerformanceTraceInformation, // q; s: (type depends on EVENT_TRACE_INFORMATION_CLASS)
+ SystemObsolete0, // not implemented
+ SystemExceptionInformation, // q: SYSTEM_EXCEPTION_INFORMATION
+ SystemCrashDumpStateInformation, // s (requires SeDebugPrivilege)
+ SystemKernelDebuggerInformation, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION
+ SystemContextSwitchInformation, // q: SYSTEM_CONTEXT_SWITCH_INFORMATION
+ SystemRegistryQuotaInformation, // q: SYSTEM_REGISTRY_QUOTA_INFORMATION; s (requires SeIncreaseQuotaPrivilege)
+ SystemExtendServiceTableInformation, // s (requires SeLoadDriverPrivilege) // loads win32k only
+ SystemPrioritySeperation, // s (requires SeTcbPrivilege)
+ SystemVerifierAddDriverInformation, // s (requires SeDebugPrivilege) // 40
+ SystemVerifierRemoveDriverInformation, // s (requires SeDebugPrivilege)
+ SystemProcessorIdleInformation, // q: SYSTEM_PROCESSOR_IDLE_INFORMATION
+ SystemLegacyDriverInformation, // q: SYSTEM_LEGACY_DRIVER_INFORMATION
+ SystemCurrentTimeZoneInformation, // q; s: RTL_TIME_ZONE_INFORMATION
+ SystemLookasideInformation, // q: SYSTEM_LOOKASIDE_INFORMATION
+ SystemTimeSlipNotification, // s (requires SeSystemtimePrivilege)
+ SystemSessionCreate, // not implemented
+ SystemSessionDetach, // not implemented
+ SystemSessionInformation, // not implemented (SYSTEM_SESSION_INFORMATION)
+ SystemRangeStartInformation, // q: SYSTEM_RANGE_START_INFORMATION // 50
+ SystemVerifierInformation, // q: SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege)
+ SystemVerifierThunkExtend, // s (kernel-mode only)
+ SystemSessionProcessInformation, // q: SYSTEM_SESSION_PROCESS_INFORMATION
+ SystemLoadGdiDriverInSystemSpace, // s (kernel-mode only) (same as SystemLoadGdiDriverInformation)
+ SystemNumaProcessorMap, // q
+ SystemPrefetcherInformation, // q: PREFETCHER_INFORMATION; s: PREFETCHER_INFORMATION // PfSnQueryPrefetcherInformation
+ SystemExtendedProcessInformation, // q: SYSTEM_PROCESS_INFORMATION
+ SystemRecommendedSharedDataAlignment, // q
+ SystemComPlusPackage, // q; s
+ SystemNumaAvailableMemory, // 60
+ SystemProcessorPowerInformation, // q: SYSTEM_PROCESSOR_POWER_INFORMATION
+ SystemEmulationBasicInformation, // q
+ SystemEmulationProcessorInformation,
+ SystemExtendedHandleInformation, // q: SYSTEM_HANDLE_INFORMATION_EX
+ SystemLostDelayedWriteInformation, // q: ULONG
+ SystemBigPoolInformation, // q: SYSTEM_BIGPOOL_INFORMATION
+ SystemSessionPoolTagInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION
+ SystemSessionMappedViewInformation, // q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION
+ SystemHotpatchInformation, // q; s: SYSTEM_HOTPATCH_CODE_INFORMATION
+ SystemObjectSecurityMode, // q: ULONG // 70
+ SystemWatchdogTimerHandler, // s (kernel-mode only)
+ SystemWatchdogTimerInformation, // q (kernel-mode only); s (kernel-mode only)
+ SystemLogicalProcessorInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION
+ SystemWow64SharedInformationObsolete, // not implemented
+ SystemRegisterFirmwareTableInformationHandler, // s (kernel-mode only)
+ SystemFirmwareTableInformation, // SYSTEM_FIRMWARE_TABLE_INFORMATION
+ SystemModuleInformationEx, // q: RTL_PROCESS_MODULE_INFORMATION_EX
+ SystemVerifierTriageInformation, // not implemented
+ SystemSuperfetchInformation, // q; s: SUPERFETCH_INFORMATION // PfQuerySuperfetchInformation
+ SystemMemoryListInformation, // q: SYSTEM_MEMORY_LIST_INFORMATION; s: SYSTEM_MEMORY_LIST_COMMAND (requires SeProfileSingleProcessPrivilege) // 80
+ SystemFileCacheInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (same as SystemFileCacheInformation)
+ SystemThreadPriorityClientIdInformation, // s: SYSTEM_THREAD_CID_PRIORITY_INFORMATION (requires SeIncreaseBasePriorityPrivilege)
+ SystemProcessorIdleCycleTimeInformation, // q: SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION[]
+ SystemVerifierCancellationInformation, // not implemented // name:wow64:whNT32QuerySystemVerifierCancellationInformation
+ SystemProcessorPowerInformationEx, // not implemented
+ SystemRefTraceInformation, // q; s: SYSTEM_REF_TRACE_INFORMATION // ObQueryRefTraceInformation
+ SystemSpecialPoolInformation, // q; s (requires SeDebugPrivilege) // MmSpecialPoolTag, then MmSpecialPoolCatchOverruns != 0
+ SystemProcessIdInformation, // q: SYSTEM_PROCESS_ID_INFORMATION
+ SystemErrorPortInformation, // s (requires SeTcbPrivilege)
+ SystemBootEnvironmentInformation, // q: SYSTEM_BOOT_ENVIRONMENT_INFORMATION // 90
+ SystemHypervisorInformation, // q; s (kernel-mode only)
+ SystemVerifierInformationEx, // q; s: SYSTEM_VERIFIER_INFORMATION_EX
+ SystemTimeZoneInformation, // s (requires SeTimeZonePrivilege)
+ SystemImageFileExecutionOptionsInformation, // s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires SeTcbPrivilege)
+ SystemCoverageInformation, // q; s // name:wow64:whNT32QuerySystemCoverageInformation; ExpCovQueryInformation
+ SystemPrefetchPatchInformation, // not implemented
+ SystemVerifierFaultsInformation, // s (requires SeDebugPrivilege)
+ SystemSystemPartitionInformation, // q: SYSTEM_SYSTEM_PARTITION_INFORMATION
+ SystemSystemDiskInformation, // q: SYSTEM_SYSTEM_DISK_INFORMATION
+ SystemProcessorPerformanceDistribution, // q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION // 100
+ SystemNumaProximityNodeInformation, // q
+ SystemDynamicTimeZoneInformation, // q; s (requires SeTimeZonePrivilege)
+ SystemCodeIntegrityInformation, // q: SYSTEM_CODEINTEGRITY_INFORMATION // SeCodeIntegrityQueryInformation
+ SystemProcessorMicrocodeUpdateInformation, // s
+ SystemProcessorBrandString, // q // HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23
+ SystemVirtualAddressInformation, // q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires SeIncreaseQuotaPrivilege) // MmQuerySystemVaInformation
+ SystemLogicalProcessorAndGroupInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX // since WIN7 // KeQueryLogicalProcessorRelationship
+ SystemProcessorCycleTimeInformation, // q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[]
+ SystemStoreInformation, // q; s // SmQueryStoreInformation
+ SystemRegistryAppendString, // s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS // 110
+ SystemAitSamplingValue, // s: ULONG (requires SeProfileSingleProcessPrivilege)
+ SystemVhdBootInformation, // q: SYSTEM_VHD_BOOT_INFORMATION
+ SystemCpuQuotaInformation, // q; s // PsQueryCpuQuotaInformation
+ SystemNativeBasicInformation, // not implemented
+ SystemSpare1, // not implemented
+ SystemLowPriorityIoInformation, // q: SYSTEM_LOW_PRIORITY_IO_INFORMATION
+ SystemTpmBootEntropyInformation, // q: TPM_BOOT_ENTROPY_NT_RESULT // ExQueryTpmBootEntropyInformation
+ SystemVerifierCountersInformation, // q: SYSTEM_VERIFIER_COUNTERS_INFORMATION
+ SystemPagedPoolInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypePagedPool)
+ SystemSystemPtesInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes) // 120
+ SystemNodeDistanceInformation, // q
+ SystemAcpiAuditInformation, // q: SYSTEM_ACPI_AUDIT_INFORMATION // HaliQuerySystemInformation -> HalpAuditQueryResults, info class 26
+ SystemBasicPerformanceInformation, // q: SYSTEM_BASIC_PERFORMANCE_INFORMATION // name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation
+ SystemQueryPerformanceCounterInformation, // q: SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION // since WIN7 SP1
+ SystemSessionBigPoolInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION // since WIN8
+ SystemBootGraphicsInformation, // q; s: SYSTEM_BOOT_GRAPHICS_INFORMATION (kernel-mode only)
+ SystemScrubPhysicalMemoryInformation, // q; s: MEMORY_SCRUB_INFORMATION
+ SystemBadPageInformation,
+ SystemProcessorProfileControlArea, // q; s: SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA
+ SystemCombinePhysicalMemoryInformation, // s: MEMORY_COMBINE_INFORMATION, MEMORY_COMBINE_INFORMATION_EX, MEMORY_COMBINE_INFORMATION_EX2 // 130
+ SystemEntropyInterruptTimingCallback,
+ SystemConsoleInformation, // q: SYSTEM_CONSOLE_INFORMATION
+ SystemPlatformBinaryInformation, // q: SYSTEM_PLATFORM_BINARY_INFORMATION
+ SystemThrottleNotificationInformation,
+ SystemHypervisorProcessorCountInformation, // q: SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION
+ SystemDeviceDataInformation, // q: SYSTEM_DEVICE_DATA_INFORMATION
+ SystemDeviceDataEnumerationInformation,
+ SystemMemoryTopologyInformation, // q: SYSTEM_MEMORY_TOPOLOGY_INFORMATION
+ SystemMemoryChannelInformation, // q: SYSTEM_MEMORY_CHANNEL_INFORMATION
+ SystemBootLogoInformation, // q: SYSTEM_BOOT_LOGO_INFORMATION // 140
+ SystemProcessorPerformanceInformationEx, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX // since WINBLUE
+ SystemSpare0,
+ SystemSecureBootPolicyInformation, // q: SYSTEM_SECUREBOOT_POLICY_INFORMATION
+ SystemPageFileInformationEx, // q: SYSTEM_PAGEFILE_INFORMATION_EX
+ SystemSecureBootInformation, // q: SYSTEM_SECUREBOOT_INFORMATION
+ SystemEntropyInterruptTimingRawInformation,
+ SystemPortableWorkspaceEfiLauncherInformation, // q: SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION
+ SystemFullProcessInformation, // q: SYSTEM_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin)
+ SystemKernelDebuggerInformationEx, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX
+ SystemBootMetadataInformation, // 150
+ SystemSoftRebootInformation,
+ SystemElamCertificateInformation, // s: SYSTEM_ELAM_CERTIFICATE_INFORMATION
+ SystemOfflineDumpConfigInformation,
+ SystemProcessorFeaturesInformation, // q: SYSTEM_PROCESSOR_FEATURES_INFORMATION
+ SystemRegistryReconciliationInformation,
+ SystemEdidInformation,
+ SystemManufacturingInformation, // q: SYSTEM_MANUFACTURING_INFORMATION // since THRESHOLD
+ SystemEnergyEstimationConfigInformation, // q: SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION
+ SystemHypervisorDetailInformation, // q: SYSTEM_HYPERVISOR_DETAIL_INFORMATION
+ SystemProcessorCycleStatsInformation, // q: SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION // 160
+ SystemVmGenerationCountInformation,
+ SystemTrustedPlatformModuleInformation, // q: SYSTEM_TPM_INFORMATION
+ SystemKernelDebuggerFlags,
+ SystemCodeIntegrityPolicyInformation, // q: SYSTEM_CODEINTEGRITYPOLICY_INFORMATION
+ SystemIsolatedUserModeInformation, // q: SYSTEM_ISOLATED_USER_MODE_INFORMATION
+ SystemHardwareSecurityTestInterfaceResultsInformation,
+ SystemSingleModuleInformation, // q: SYSTEM_SINGLE_MODULE_INFORMATION
+ SystemAllowedCpuSetsInformation,
+ SystemVsmProtectionInformation, // q: SYSTEM_VSM_PROTECTION_INFORMATION (previously SystemDmaProtectionInformation)
+ SystemInterruptCpuSetsInformation, // q: SYSTEM_INTERRUPT_CPU_SET_INFORMATION // 170
+ SystemSecureBootPolicyFullInformation, // q: SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION
+ SystemCodeIntegrityPolicyFullInformation,
+ SystemAffinitizedInterruptProcessorInformation,
+ SystemRootSiloInformation, // q: SYSTEM_ROOT_SILO_INFORMATION
+ SystemCpuSetInformation, // q: SYSTEM_CPU_SET_INFORMATION // since THRESHOLD2
+ SystemCpuSetTagInformation, // q: SYSTEM_CPU_SET_TAG_INFORMATION
+ SystemWin32WerStartCallout,
+ SystemSecureKernelProfileInformation, // q: SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION
+ SystemCodeIntegrityPlatformManifestInformation, // q: SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION // since REDSTONE
+ SystemInterruptSteeringInformation, // 180
+ SystemSupportedProcessorArchitectures,
+ SystemMemoryUsageInformation, // q: SYSTEM_MEMORY_USAGE_INFORMATION
+ SystemCodeIntegrityCertificateInformation, // q: SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION
+ SystemPhysicalMemoryInformation, // q: SYSTEM_PHYSICAL_MEMORY_INFORMATION // since REDSTONE2
+ SystemControlFlowTransition,
+ SystemKernelDebuggingAllowed,
+ SystemActivityModerationExeState, // SYSTEM_ACTIVITY_MODERATION_EXE_STATE
+ SystemActivityModerationUserSettings, // SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS
+ SystemCodeIntegrityPoliciesFullInformation,
+ SystemCodeIntegrityUnlockInformation, // SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION // 190
+ SystemIntegrityQuotaInformation,
+ SystemFlushInformation, // q: SYSTEM_FLUSH_INFORMATION
+ SystemProcessorIdleMaskInformation, // since REDSTONE3
+ SystemSecureDumpEncryptionInformation,
+ SystemWriteConstraintInformation, // SYSTEM_WRITE_CONSTRAINT_INFORMATION
+ SystemKernelVaShadowInformation, // SYSTEM_KERNEL_VA_SHADOW_INFORMATION
+ SystemHypervisorSharedPageInformation, // SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION // since REDSTONE4
+ SystemFirmwareBootPerformanceInformation,
+ SystemCodeIntegrityVerificationInformation, // SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION
+ SystemFirmwarePartitionInformation, // 200
+ SystemSpeculationControlInformation, // SYSTEM_SPECULATION_CONTROL_INFORMATION // (CVE-2017-5715) REDSTONE3 and above.
+ SystemDmaGuardPolicyInformation, // SYSTEM_DMA_GUARD_POLICY_INFORMATION
+ SystemEnclaveLaunchControlInformation, // SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION
+ SystemWorkloadAllowedCpuSetsInformation, // SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION // since REDSTONE5
+ SystemCodeIntegrityUnlockModeInformation,
+ SystemLeapSecondInformation, // SYSTEM_LEAP_SECOND_INFORMATION
+ SystemFlags2Information,
+ MaxSystemInfoClass
+} SYSTEM_INFORMATION_CLASS;
+
+typedef enum _OBJECT_INFORMATION_CLASS
+{
+ ObjectBasicInformation, // OBJECT_BASIC_INFORMATION
+ ObjectNameInformation, // OBJECT_NAME_INFORMATION
+ ObjectTypeInformation, // OBJECT_TYPE_INFORMATION
+ ObjectTypesInformation, // OBJECT_TYPES_INFORMATION
+ ObjectHandleFlagInformation, // OBJECT_HANDLE_FLAG_INFORMATION
+ ObjectSessionInformation,
+ ObjectSessionObjectInformation,
+ MaxObjectInfoClass
+} OBJECT_INFORMATION_CLASS;
+
+// Source: http://processhacker.sourceforge.net
+typedef enum _THREADINFOCLASS
+{
+ ThreadBasicInformation, // q: THREAD_BASIC_INFORMATION
+ ThreadTimes, // q: KERNEL_USER_TIMES
+ ThreadPriority, // s: KPRIORITY
+ ThreadBasePriority, // s: LONG
+ ThreadAffinityMask, // s: KAFFINITY
+ ThreadImpersonationToken, // s: HANDLE
+ ThreadDescriptorTableEntry, // q: DESCRIPTOR_TABLE_ENTRY (or WOW64_DESCRIPTOR_TABLE_ENTRY)
+ ThreadEnableAlignmentFaultFixup, // s: BOOLEAN
+ ThreadEventPair,
+ ThreadQuerySetWin32StartAddress, // q: PVOID
+ ThreadZeroTlsCell, // 10
+ ThreadPerformanceCount, // q: LARGE_INTEGER
+ ThreadAmILastThread, // q: ULONG
+ ThreadIdealProcessor, // s: ULONG
+ ThreadPriorityBoost, // qs: ULONG
+ ThreadSetTlsArrayAddress,
+ ThreadIsIoPending, // q: ULONG
+ ThreadHideFromDebugger, // s: void
+ ThreadBreakOnTermination, // qs: ULONG
+ ThreadSwitchLegacyState,
+ ThreadIsTerminated, // q: ULONG // 20
+ ThreadLastSystemCall, // q: THREAD_LAST_SYSCALL_INFORMATION
+ ThreadIoPriority, // qs: IO_PRIORITY_HINT
+ ThreadCycleTime, // q: THREAD_CYCLE_TIME_INFORMATION
+ ThreadPagePriority, // q: ULONG
+ ThreadActualBasePriority,
+ ThreadTebInformation, // q: THREAD_TEB_INFORMATION (requires THREAD_GET_CONTEXT + THREAD_SET_CONTEXT)
+ ThreadCSwitchMon,
+ ThreadCSwitchPmu,
+ ThreadWow64Context, // q: WOW64_CONTEXT
+ ThreadGroupInformation, // q: GROUP_AFFINITY // 30
+ ThreadUmsInformation, // q: THREAD_UMS_INFORMATION
+ ThreadCounterProfiling,
+ ThreadIdealProcessorEx, // q: PROCESSOR_NUMBER
+ ThreadCpuAccountingInformation, // since WIN8
+ ThreadSuspendCount, // since WINBLUE
+ ThreadHeterogeneousCpuPolicy, // q: KHETERO_CPU_POLICY // since THRESHOLD
+ ThreadContainerId, // q: GUID
+ ThreadNameInformation, // qs: THREAD_NAME_INFORMATION
+ ThreadSelectedCpuSets,
+ ThreadSystemThreadInformation, // q: SYSTEM_THREAD_INFORMATION // 40
+ ThreadActualGroupAffinity, // since THRESHOLD2
+ ThreadDynamicCodePolicyInfo,
+ ThreadExplicitCaseSensitivity,
+ ThreadWorkOnBehalfTicket,
+ ThreadSubsystemInformation, // q: SUBSYSTEM_INFORMATION_TYPE // since REDSTONE2
+ ThreadDbgkWerReportActive,
+ ThreadAttachContainer,
+ ThreadManageWritesToExecutableMemory, // MANAGE_WRITES_TO_EXECUTABLE_MEMORY // since REDSTONE3
+ ThreadPowerThrottlingState, // THREAD_POWER_THROTTLING_STATE
+ MaxThreadInfoClass
+} THREADINFOCLASS;
+
+typedef enum _FSINFOCLASS
+{
+ FileFsVolumeInformation = 1, // FILE_FS_VOLUME_INFORMATION
+ FileFsLabelInformation = 2, // FILE_FS_LABEL_INFORMATION
+ FileFsSizeInformation = 3, // FILE_FS_SIZE_INFORMATION
+ FileFsDeviceInformation = 4, // FILE_FS_DEVICE_INFORMATION
+ FileFsAttributeInformation = 5, // FILE_FS_ATTRIBUTE_INFORMATION
+ FileFsControlInformation = 6, // FILE_FS_CONTROL_INFORMATION
+ FileFsFullSizeInformation = 7, // FILE_FS_FULL_SIZE_INFORMATION
+ FileFsObjectIdInformation = 8, // FILE_FS_OBJECTID_INFORMATION
+ FileFsDriverPathInformation = 9, // FILE_FS_DRIVER_PATH_INFORMATION
+ FileFsVolumeFlagsInformation = 10, // FILE_FS_VOLUME_FLAGS_INFORMATION
+ FileFsSectorSizeInformation = 11, // FILE_FS_SECTOR_SIZE_INFORMATION // since WIN8
+ FileFsDataCopyInformation = 12, // FILE_FS_DATA_COPY_INFORMATION
+ FileFsMetadataSizeInformation = 13, // FILE_FS_METADATA_SIZE_INFORMATION // since THRESHOLD
+ FileFsMaximumInformation
+} FS_INFORMATION_CLASS, *PFS_INFORMATION_CLASS;
+
+typedef enum _MEMORY_INFORMATION_CLASS
+{
+ MemoryBasicInformation, // MEMORY_BASIC_INFORMATION
+ MemoryWorkingSetInformation, // MEMORY_WORKING_SET_INFORMATION
+ MemoryMappedFilenameInformation, // UNICODE_STRING
+ MemoryRegionInformation, // MEMORY_REGION_INFORMATION
+ MemoryWorkingSetExInformation, // MEMORY_WORKING_SET_EX_INFORMATION
+ MemorySharedCommitInformation, // MEMORY_SHARED_COMMIT_INFORMATION
+ MemoryImageInformation, // MEMORY_IMAGE_INFORMATION
+ MemoryRegionInformationEx,
+ MemoryPrivilegedBasicInformation
+} MEMORY_INFORMATION_CLASS;
+
+typedef enum _SECTION_INFORMATION_CLASS
+{
+ SectionBasicInformation, // q; SECTION_BASIC_INFORMATION
+ SectionImageInformation, // q; SECTION_IMAGE_INFORMATION
+ SectionRelocationInformation, // name:wow64:whNtQuerySection_SectionRelocationInformation
+ SectionOriginalBaseInformation, // PVOID BaseAddress
+ SectionInternalImageInformation, // SECTION_INTERNAL_IMAGE_INFORMATION // since REDSTONE2
+ MaxSectionInfoClass
+} SECTION_INFORMATION_CLASS;
+
+// Boot condition flags (NtInitializeRegistry)
+#define REG_INIT_BOOT_SM 0x0000
+#define REG_INIT_BOOT_SETUP 0x0001
+#define REG_INIT_BOOT_ACCEPTED_BASE 0x0002
+#define REG_INIT_BOOT_ACCEPTED_MAX (REG_INIT_BOOT_ACCEPTED_BASE + 999)
+
+#define REG_MAX_KEY_VALUE_NAME_LENGTH 32767
+#define REG_MAX_KEY_NAME_LENGTH 512
+
+typedef enum _KEY_INFORMATION_CLASS
+{
+ KeyBasicInformation, // KEY_BASIC_INFORMATION
+ KeyNodeInformation, // KEY_NODE_INFORMATION
+ KeyFullInformation, // KEY_FULL_INFORMATION
+ KeyNameInformation, // KEY_NAME_INFORMATION
+ KeyCachedInformation, // KEY_CACHED_INFORMATION
+ KeyFlagsInformation, // KEY_FLAGS_INFORMATION
+ KeyVirtualizationInformation, // KEY_VIRTUALIZATION_INFORMATION
+ KeyHandleTagsInformation, // KEY_HANDLE_TAGS_INFORMATION
+ KeyTrustInformation, // KEY_TRUST_INFORMATION
+ KeyLayerInformation, // KEY_LAYER_INFORMATION
+ MaxKeyInfoClass
+} KEY_INFORMATION_CLASS;
+
+typedef struct _KEY_BASIC_INFORMATION
+{
+ LARGE_INTEGER LastWriteTime;
+ ULONG TitleIndex;
+ ULONG NameLength;
+ WCHAR Name[1];
+} KEY_BASIC_INFORMATION, *PKEY_BASIC_INFORMATION;
+
+typedef struct _KEY_NODE_INFORMATION
+{
+ LARGE_INTEGER LastWriteTime;
+ ULONG TitleIndex;
+ ULONG ClassOffset;
+ ULONG ClassLength;
+ ULONG NameLength;
+ WCHAR Name[1];
+ // ...
+ // WCHAR Class[1];
+} KEY_NODE_INFORMATION, *PKEY_NODE_INFORMATION;
+
+typedef struct _KEY_FULL_INFORMATION
+{
+ LARGE_INTEGER LastWriteTime;
+ ULONG TitleIndex;
+ ULONG ClassOffset;
+ ULONG ClassLength;
+ ULONG SubKeys;
+ ULONG MaxNameLen;
+ ULONG MaxClassLen;
+ ULONG Values;
+ ULONG MaxValueNameLen;
+ ULONG MaxValueDataLen;
+ WCHAR Class[1];
+} KEY_FULL_INFORMATION, *PKEY_FULL_INFORMATION;
+
+typedef struct _KEY_NAME_INFORMATION
+{
+ ULONG NameLength;
+ WCHAR Name[1];
+} KEY_NAME_INFORMATION, *PKEY_NAME_INFORMATION;
+
+typedef struct _KEY_CACHED_INFORMATION
+{
+ LARGE_INTEGER LastWriteTime;
+ ULONG TitleIndex;
+ ULONG SubKeys;
+ ULONG MaxNameLen;
+ ULONG Values;
+ ULONG MaxValueNameLen;
+ ULONG MaxValueDataLen;
+ ULONG NameLength;
+ WCHAR Name[1];
+} KEY_CACHED_INFORMATION, *PKEY_CACHED_INFORMATION;
+
+typedef struct _KEY_FLAGS_INFORMATION
+{
+ ULONG UserFlags;
+} KEY_FLAGS_INFORMATION, *PKEY_FLAGS_INFORMATION;
+
+typedef struct _KEY_VIRTUALIZATION_INFORMATION
+{
+ ULONG VirtualizationCandidate : 1; // Tells whether the key is part of the virtualization namespace scope (only HKLM\Software for now).
+ ULONG VirtualizationEnabled : 1; // Tells whether virtualization is enabled on this key. Can be 1 only if above flag is 1.
+ ULONG VirtualTarget : 1; // Tells if the key is a virtual key. Can be 1 only if above 2 are 0. Valid only on the virtual store key handles.
+ ULONG VirtualStore : 1; // Tells if the key is a part of the virtual store path. Valid only on the virtual store key handles.
+ ULONG VirtualSource : 1; // Tells if the key has ever been virtualized, can be 1 only if VirtualizationCandidate is 1.
+ ULONG Reserved : 27;
+} KEY_VIRTUALIZATION_INFORMATION, *PKEY_VIRTUALIZATION_INFORMATION;
+
+// private
+typedef struct _KEY_TRUST_INFORMATION
+{
+ ULONG TrustedKey : 1;
+ ULONG Reserved : 31;
+} KEY_TRUST_INFORMATION, *PKEY_TRUST_INFORMATION;
+
+// private
+typedef struct _KEY_LAYER_INFORMATION
+{
+ ULONG IsTombstone;
+ ULONG IsSupersedeLocal;
+ ULONG IsSupersedeTree;
+ ULONG ClassIsInherited;
+ ULONG Reserved;
+} KEY_LAYER_INFORMATION, *PKEY_LAYER_INFORMATION;
+
+typedef enum _KEY_SET_INFORMATION_CLASS
+{
+ KeyWriteTimeInformation, // KEY_WRITE_TIME_INFORMATION
+ KeyWow64FlagsInformation, // KEY_WOW64_FLAGS_INFORMATION
+ KeyControlFlagsInformation, // KEY_CONTROL_FLAGS_INFORMATION
+ KeySetVirtualizationInformation, // KEY_SET_VIRTUALIZATION_INFORMATION
+ KeySetDebugInformation,
+ KeySetHandleTagsInformation, // KEY_HANDLE_TAGS_INFORMATION
+ KeySetLayerInformation, // KEY_SET_LAYER_INFORMATION
+ MaxKeySetInfoClass
+} KEY_SET_INFORMATION_CLASS;
+
+typedef struct _KEY_WRITE_TIME_INFORMATION
+{
+ LARGE_INTEGER LastWriteTime;
+} KEY_WRITE_TIME_INFORMATION, *PKEY_WRITE_TIME_INFORMATION;
+
+typedef struct _KEY_WOW64_FLAGS_INFORMATION
+{
+ ULONG UserFlags;
+} KEY_WOW64_FLAGS_INFORMATION, *PKEY_WOW64_FLAGS_INFORMATION;
+
+typedef struct _KEY_HANDLE_TAGS_INFORMATION
+{
+ ULONG HandleTags;
+} KEY_HANDLE_TAGS_INFORMATION, *PKEY_HANDLE_TAGS_INFORMATION;
+
+typedef struct _KEY_SET_LAYER_INFORMATION
+{
+ ULONG IsTombstone : 1;
+ ULONG IsSupersedeLocal : 1;
+ ULONG IsSupersedeTree : 1;
+ ULONG ClassIsInherited : 1;
+ ULONG Reserved : 28;
+} KEY_SET_LAYER_INFORMATION, *PKEY_SET_LAYER_INFORMATION;
+
+typedef struct _KEY_CONTROL_FLAGS_INFORMATION
+{
+ ULONG ControlFlags;
+} KEY_CONTROL_FLAGS_INFORMATION, *PKEY_CONTROL_FLAGS_INFORMATION;
+
+typedef struct _KEY_SET_VIRTUALIZATION_INFORMATION
+{
+ ULONG VirtualTarget : 1;
+ ULONG VirtualStore : 1;
+ ULONG VirtualSource : 1; // true if key has been virtualized at least once
+ ULONG Reserved : 29;
+} KEY_SET_VIRTUALIZATION_INFORMATION, *PKEY_SET_VIRTUALIZATION_INFORMATION;
+
+typedef enum _KEY_VALUE_INFORMATION_CLASS
+{
+ KeyValueBasicInformation, // KEY_VALUE_BASIC_INFORMATION
+ KeyValueFullInformation, // KEY_VALUE_FULL_INFORMATION
+ KeyValuePartialInformation, // KEY_VALUE_PARTIAL_INFORMATION
+ KeyValueFullInformationAlign64,
+ KeyValuePartialInformationAlign64, // KEY_VALUE_PARTIAL_INFORMATION_ALIGN64
+ KeyValueLayerInformation, // KEY_VALUE_LAYER_INFORMATION
+ MaxKeyValueInfoClass
+} KEY_VALUE_INFORMATION_CLASS;
+
+typedef struct _KEY_VALUE_BASIC_INFORMATION
+{
+ ULONG TitleIndex;
+ ULONG Type;
+ ULONG NameLength;
+ WCHAR Name[1];
+} KEY_VALUE_BASIC_INFORMATION, *PKEY_VALUE_BASIC_INFORMATION;
+
+typedef struct _KEY_VALUE_FULL_INFORMATION
+{
+ ULONG TitleIndex;
+ ULONG Type;
+ ULONG DataOffset;
+ ULONG DataLength;
+ ULONG NameLength;
+ WCHAR Name[1];
+ // ...
+ // UCHAR Data[1];
+} KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION;
+
+typedef struct _KEY_VALUE_PARTIAL_INFORMATION
+{
+ ULONG TitleIndex;
+ ULONG Type;
+ ULONG DataLength;
+ UCHAR Data[1];
+} KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION;
+
+typedef struct _KEY_VALUE_PARTIAL_INFORMATION_ALIGN64
+{
+ ULONG Type;
+ ULONG DataLength;
+ UCHAR Data[1];
+} KEY_VALUE_PARTIAL_INFORMATION_ALIGN64, *PKEY_VALUE_PARTIAL_INFORMATION_ALIGN64;
+
+// private
+typedef struct _KEY_VALUE_LAYER_INFORMATION
+{
+ ULONG IsTombstone;
+ ULONG Reserved;
+} KEY_VALUE_LAYER_INFORMATION, *PKEY_VALUE_LAYER_INFORMATION;
+
+typedef struct _KEY_VALUE_ENTRY
+{
+ PUNICODE_STRING ValueName;
+ ULONG DataLength;
+ ULONG DataOffset;
+ ULONG Type;
+} KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY;
+
+typedef enum _REG_ACTION
+{
+ KeyAdded,
+ KeyRemoved,
+ KeyModified
+} REG_ACTION;
+
+typedef struct _REG_NOTIFY_INFORMATION
+{
+ ULONG NextEntryOffset;
+ REG_ACTION Action;
+ ULONG KeyLength;
+ WCHAR Key[1];
+} REG_NOTIFY_INFORMATION, *PREG_NOTIFY_INFORMATION;
+
+typedef struct _KEY_PID_ARRAY
+{
+ HANDLE PID;
+ UNICODE_STRING KeyName;
+} KEY_PID_ARRAY, *PKEY_PID_ARRAY;
+
+typedef struct _KEY_OPEN_SUBKEYS_INFORMATION
+{
+ ULONG Count;
+ KEY_PID_ARRAY KeyArray[1];
+} KEY_OPEN_SUBKEYS_INFORMATION, *PKEY_OPEN_SUBKEYS_INFORMATION;
+
+typedef enum _SYSDBG_COMMAND
+{
+ SysDbgQueryModuleInformation,
+ SysDbgQueryTraceInformation,
+ SysDbgSetTracepoint,
+ SysDbgSetSpecialCall,
+ SysDbgClearSpecialCalls,
+ SysDbgQuerySpecialCalls,
+ SysDbgBreakPoint,
+ SysDbgQueryVersion,
+ SysDbgReadVirtual,
+ SysDbgWriteVirtual,
+ SysDbgReadPhysical,
+ SysDbgWritePhysical,
+ SysDbgReadControlSpace,
+ SysDbgWriteControlSpace,
+ SysDbgReadIoSpace,
+ SysDbgWriteIoSpace,
+ SysDbgReadMsr,
+ SysDbgWriteMsr,
+ SysDbgReadBusData,
+ SysDbgWriteBusData,
+ SysDbgCheckLowMemory,
+ SysDbgEnableKernelDebugger,
+ SysDbgDisableKernelDebugger,
+ SysDbgGetAutoKdEnable,
+ SysDbgSetAutoKdEnable,
+ SysDbgGetPrintBufferSize,
+ SysDbgSetPrintBufferSize,
+ SysDbgGetKdUmExceptionEnable,
+ SysDbgSetKdUmExceptionEnable,
+ SysDbgGetTriageDump,
+ SysDbgGetKdBlockEnable,
+ SysDbgSetKdBlockEnable,
+ SysDbgRegisterForUmBreakInfo,
+ SysDbgGetUmBreakPid,
+ SysDbgClearUmBreakPid,
+ SysDbgGetUmAttachPid,
+ SysDbgClearUmAttachPid,
+ SysDbgGetLiveKernelDump
+} SYSDBG_COMMAND, *PSYSDBG_COMMAND;
+
+typedef enum _DEBUGOBJECTINFOCLASS
+{
+ DebugObjectFlags = 1,
+ MaxDebugObjectInfoClass
+} DEBUGOBJECTINFOCLASS, *PDEBUGOBJECTINFOCLASS;
+
+// Source: http://processhacker.sourceforge.net
+typedef enum _FILE_INFORMATION_CLASS
+{
+ FileDirectoryInformation = 1, // FILE_DIRECTORY_INFORMATION
+ FileFullDirectoryInformation, // FILE_FULL_DIR_INFORMATION
+ FileBothDirectoryInformation, // FILE_BOTH_DIR_INFORMATION
+ FileBasicInformation, // FILE_BASIC_INFORMATION
+ FileStandardInformation, // FILE_STANDARD_INFORMATION
+ FileInternalInformation, // FILE_INTERNAL_INFORMATION
+ FileEaInformation, // FILE_EA_INFORMATION
+ FileAccessInformation, // FILE_ACCESS_INFORMATION
+ FileNameInformation, // FILE_NAME_INFORMATION
+ FileRenameInformation, // FILE_RENAME_INFORMATION // 10
+ FileLinkInformation, // FILE_LINK_INFORMATION
+ FileNamesInformation, // FILE_NAMES_INFORMATION
+ FileDispositionInformation, // FILE_DISPOSITION_INFORMATION
+ FilePositionInformation, // FILE_POSITION_INFORMATION
+ FileFullEaInformation, // FILE_FULL_EA_INFORMATION
+ FileModeInformation, // FILE_MODE_INFORMATION
+ FileAlignmentInformation, // FILE_ALIGNMENT_INFORMATION
+ FileAllInformation, // FILE_ALL_INFORMATION
+ FileAllocationInformation, // FILE_ALLOCATION_INFORMATION
+ FileEndOfFileInformation, // FILE_END_OF_FILE_INFORMATION // 20
+ FileAlternateNameInformation, // FILE_NAME_INFORMATION
+ FileStreamInformation, // FILE_STREAM_INFORMATION
+ FilePipeInformation, // FILE_PIPE_INFORMATION
+ FilePipeLocalInformation, // FILE_PIPE_LOCAL_INFORMATION
+ FilePipeRemoteInformation, // FILE_PIPE_REMOTE_INFORMATION
+ FileMailslotQueryInformation, // FILE_MAILSLOT_QUERY_INFORMATION
+ FileMailslotSetInformation, // FILE_MAILSLOT_SET_INFORMATION
+ FileCompressionInformation, // FILE_COMPRESSION_INFORMATION
+ FileObjectIdInformation, // FILE_OBJECTID_INFORMATION
+ FileCompletionInformation, // FILE_COMPLETION_INFORMATION // 30
+ FileMoveClusterInformation, // FILE_MOVE_CLUSTER_INFORMATION
+ FileQuotaInformation, // FILE_QUOTA_INFORMATION
+ FileReparsePointInformation, // FILE_REPARSE_POINT_INFORMATION
+ FileNetworkOpenInformation, // FILE_NETWORK_OPEN_INFORMATION
+ FileAttributeTagInformation, // FILE_ATTRIBUTE_TAG_INFORMATION
+ FileTrackingInformation, // FILE_TRACKING_INFORMATION
+ FileIdBothDirectoryInformation, // FILE_ID_BOTH_DIR_INFORMATION
+ FileIdFullDirectoryInformation, // FILE_ID_FULL_DIR_INFORMATION
+ FileValidDataLengthInformation, // FILE_VALID_DATA_LENGTH_INFORMATION
+ FileShortNameInformation, // FILE_NAME_INFORMATION // 40
+ FileIoCompletionNotificationInformation, // FILE_IO_COMPLETION_NOTIFICATION_INFORMATION // since VISTA
+ FileIoStatusBlockRangeInformation, // FILE_IOSTATUSBLOCK_RANGE_INFORMATION
+ FileIoPriorityHintInformation, // FILE_IO_PRIORITY_HINT_INFORMATION
+ FileSfioReserveInformation, // FILE_SFIO_RESERVE_INFORMATION
+ FileSfioVolumeInformation, // FILE_SFIO_VOLUME_INFORMATION
+ FileHardLinkInformation, // FILE_LINKS_INFORMATION
+ FileProcessIdsUsingFileInformation, // FILE_PROCESS_IDS_USING_FILE_INFORMATION
+ FileNormalizedNameInformation, // FILE_NAME_INFORMATION
+ FileNetworkPhysicalNameInformation, // FILE_NETWORK_PHYSICAL_NAME_INFORMATION
+ FileIdGlobalTxDirectoryInformation, // FILE_ID_GLOBAL_TX_DIR_INFORMATION // since WIN7 // 50
+ FileIsRemoteDeviceInformation, // FILE_IS_REMOTE_DEVICE_INFORMATION
+ FileUnusedInformation,
+ FileNumaNodeInformation, // FILE_NUMA_NODE_INFORMATION
+ FileStandardLinkInformation, // FILE_STANDARD_LINK_INFORMATION
+ FileRemoteProtocolInformation, // FILE_REMOTE_PROTOCOL_INFORMATION
+ FileRenameInformationBypassAccessCheck, // (kernel-mode only); FILE_RENAME_INFORMATION // since WIN8
+ FileLinkInformationBypassAccessCheck, // (kernel-mode only); FILE_LINK_INFORMATION
+ FileVolumeNameInformation, // FILE_VOLUME_NAME_INFORMATION
+ FileIdInformation, // FILE_ID_INFORMATION
+ FileIdExtdDirectoryInformation, // FILE_ID_EXTD_DIR_INFORMATION
+ FileReplaceCompletionInformation, // FILE_COMPLETION_INFORMATION // since WINBLUE
+ FileHardLinkFullIdInformation, // FILE_LINK_ENTRY_FULL_ID_INFORMATION
+ FileIdExtdBothDirectoryInformation, // FILE_ID_EXTD_BOTH_DIR_INFORMATION // since THRESHOLD
+ FileDispositionInformationEx, // FILE_DISPOSITION_INFO_EX // since REDSTONE
+ FileRenameInformationEx,
+ FileRenameInformationExBypassAccessCheck,
+ FileDesiredStorageClassInformation, // FILE_DESIRED_STORAGE_CLASS_INFORMATION // since REDSTONE2
+ FileStatInformation, // FILE_STAT_INFORMATION
+ FileMemoryPartitionInformation, // FILE_MEMORY_PARTITION_INFORMATION // since REDSTONE3
+ FileMaximumInformation
+} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;
+
+typedef struct _SYSTEM_BASIC_INFORMATION
+{
+ ULONG Reserved;
+ ULONG TimerResolution;
+ ULONG PageSize;
+ ULONG NumberOfPhysicalPages;
+ ULONG LowestPhysicalPageNumber;
+ ULONG HighestPhysicalPageNumber;
+ ULONG AllocationGranularity;
+ ULONG_PTR MinimumUserModeAddress;
+ ULONG_PTR MaximumUserModeAddress;
+ ULONG_PTR ActiveProcessorsAffinityMask;
+ CCHAR NumberOfProcessors;
+} SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION;
+
+typedef struct _FILE_PIPE_PEEK_BUFFER
+{
+ ULONG NamedPipeState;
+ ULONG ReadDataAvailable;
+ ULONG NumberOfMessages;
+ ULONG MessageLength;
+ CHAR Data[1];
+} FILE_PIPE_PEEK_BUFFER, *PFILE_PIPE_PEEK_BUFFER;
+
+typedef struct _NAMED_PIPE_CREATE_PARAMETERS
+{
+ ULONG NamedPipeType;
+ ULONG ReadMode;
+ ULONG CompletionMode;
+ ULONG MaximumInstances;
+ ULONG InboundQuota;
+ ULONG OutboundQuota;
+ LARGE_INTEGER DefaultTimeout;
+ BOOLEAN TimeoutSpecified;
+} NAMED_PIPE_CREATE_PARAMETERS, *PNAMED_PIPE_CREATE_PARAMETERS;
+
+typedef struct _FILE_NETWORK_OPEN_INFORMATION
+{
+ LARGE_INTEGER CreationTime;
+ LARGE_INTEGER LastAccessTime;
+ LARGE_INTEGER LastWriteTime;
+ LARGE_INTEGER ChangeTime;
+ LARGE_INTEGER AllocationSize;
+ LARGE_INTEGER EndOfFile;
+ ULONG FileAttributes;
+} FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION;
+
+typedef struct _SYSTEM_TIMEOFDAY_INFORMATION
+{
+ LARGE_INTEGER BootTime;
+ LARGE_INTEGER CurrentTime;
+ LARGE_INTEGER TimeZoneBias;
+ ULONG TimeZoneId;
+ ULONG Reserved;
+ ULONGLONG BootTimeBias;
+ ULONGLONG SleepTimeBias;
+} SYSTEM_TIMEOFDAY_INFORMATION, *PSYSTEM_TIMEOFDAY_INFORMATION;
+
+typedef struct _TIME_FIELDS
+{
+ SHORT Year; // range [1601...]
+ SHORT Month; // range [1..12]
+ SHORT Day; // range [1..31]
+ SHORT Hour; // range [0..23]
+ SHORT Minute; // range [0..59]
+ SHORT Second; // range [0..59]
+ SHORT Milliseconds; // range [0..999]
+ SHORT Weekday; // range [0..6] == [Sunday..Saturday]
+} TIME_FIELDS, *PTIME_FIELDS;
+
+typedef struct _SYSTEM_CONSOLE_INFORMATION
+{
+ ULONG DriverLoaded : 1;
+ ULONG Spare : 31;
+} SYSTEM_CONSOLE_INFORMATION, *PSYSTEM_CONSOLE_INFORMATION;
+
+typedef struct _COMPRESSED_DATA_INFO
+{
+ USHORT CompressionFormatAndEngine; // COMPRESSION_FORMAT_* and COMPRESSION_ENGINE_*
+
+ UCHAR CompressionUnitShift;
+ UCHAR ChunkShift;
+ UCHAR ClusterShift;
+ UCHAR Reserved;
+
+ USHORT NumberOfChunks;
+
+ ULONG CompressedChunkSizes[1];
+} COMPRESSED_DATA_INFO, *PCOMPRESSED_DATA_INFO;
+
+typedef struct _KSYSTEM_TIME
+{
+ ULONG LowPart;
+ LONG High1Time;
+ LONG High2Time;
+} KSYSTEM_TIME, *PKSYSTEM_TIME;
+
+typedef struct _PROCESS_ACCESS_TOKEN
+{
+ HANDLE Token; // Needs TOKEN_ASSIGN_PRIMARY access
+ HANDLE Thread; // Handle to initial/only thread; needs THREAD_QUERY_INFORMATION access
+} PROCESS_ACCESS_TOKEN, *PPROCESS_ACCESS_TOKEN;
+
+#ifdef __cplusplus
+typedef enum _PS_PROTECTED_TYPE : UCHAR
+{
+ PsProtectedTypeNone,
+ PsProtectedTypeProtectedLight,
+ PsProtectedTypeProtected,
+ PsProtectedTypeMax
+} PS_PROTECTED_TYPE;
+#else
+typedef UCHAR PS_PROTECTED_TYPE;
+#endif
+
+#ifdef __cplusplus
+typedef enum _PS_PROTECTED_SIGNER : UCHAR
+{
+ PsProtectedSignerNone,
+ PsProtectedSignerAuthenticode,
+ PsProtectedSignerCodeGen,
+ PsProtectedSignerAntimalware,
+ PsProtectedSignerLsa,
+ PsProtectedSignerWindows,
+ PsProtectedSignerWinTcb,
+ PsProtectedSignerWinSystem,
+ PsProtectedSignerApp,
+ PsProtectedSignerMax
+} PS_PROTECTED_SIGNER;
+#else
+typedef UCHAR PS_PROTECTED_SIGNER;
+#endif
+
+typedef struct _PS_PROTECTION
+{
+ union
+ {
+ struct
+ {
+ PS_PROTECTED_TYPE Type : 3;
+ BOOLEAN Audit : 1;
+ PS_PROTECTED_SIGNER Signer : 4;
+ } s;
+ UCHAR Level;
+ };
+} PS_PROTECTION, *PPS_PROTECTION;
+
+#define RTL_CREATE_ENVIRONMENT_TRANSLATE 0x1 // Translate from multi-byte to Unicode
+#define RTL_CREATE_ENVIRONMENT_TRANSLATE_FROM_OEM 0x2 // Translate from OEM to Unicode (Translate flag must also be set)
+#define RTL_CREATE_ENVIRONMENT_EMPTY 0x4 // Create empty environment block
+
+typedef struct _RTL_BUFFER {
+ PUCHAR Buffer;
+ PUCHAR StaticBuffer;
+ SIZE_T Size;
+ SIZE_T StaticSize;
+ SIZE_T ReservedForAllocatedSize; // for future doubling
+ PVOID ReservedForIMalloc; // for future pluggable growth
+} RTL_BUFFER, *PRTL_BUFFER;
+
+typedef struct _RTL_UNICODE_STRING_BUFFER {
+ UNICODE_STRING String;
+ RTL_BUFFER ByteBuffer;
+ UCHAR MinimumStaticBufferForTerminalNul[sizeof(WCHAR)];
+} RTL_UNICODE_STRING_BUFFER, *PRTL_UNICODE_STRING_BUFFER;
+
+typedef struct _RTL_USER_PROCESS_PARAMETERS
+{
+ ULONG MaximumLength;
+ ULONG Length;
+
+ ULONG Flags;
+ ULONG DebugFlags;
+
+ HANDLE ConsoleHandle;
+ ULONG ConsoleFlags;
+ HANDLE StandardInput;
+ HANDLE StandardOutput;
+ HANDLE StandardError;
+
+ CURDIR CurrentDirectory;
+ UNICODE_STRING DllPath;
+ UNICODE_STRING ImagePathName;
+ UNICODE_STRING CommandLine;
+ PWCHAR Environment;
+
+ ULONG StartingX;
+ ULONG StartingY;
+ ULONG CountX;
+ ULONG CountY;
+ ULONG CountCharsX;
+ ULONG CountCharsY;
+ ULONG FillAttribute;
+
+ ULONG WindowFlags;
+ ULONG ShowWindowFlags;
+ UNICODE_STRING WindowTitle;
+ UNICODE_STRING DesktopInfo;
+ UNICODE_STRING ShellInfo;
+ UNICODE_STRING RuntimeData;
+ RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS];
+
+ ULONG_PTR EnvironmentSize;
+ ULONG_PTR EnvironmentVersion;
+ PVOID PackageDependencyData;
+ ULONG ProcessGroupId;
+ ULONG LoaderThreads;
+} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
+
+#define RTL_USER_PROCESS_PARAMETERS_NORMALIZED 0x01
+#define RTL_USER_PROCESS_PARAMETERS_PROFILE_USER 0x02
+#define RTL_USER_PROCESS_PARAMETERS_PROFILE_KERNEL 0x04
+#define RTL_USER_PROCESS_PARAMETERS_PROFILE_SERVER 0x08
+#define RTL_USER_PROCESS_PARAMETERS_RESERVE_1MB 0x20
+#define RTL_USER_PROCESS_PARAMETERS_RESERVE_16MB 0x40
+#define RTL_USER_PROCESS_PARAMETERS_CASE_SENSITIVE 0x80
+#define RTL_USER_PROCESS_PARAMETERS_DISABLE_HEAP_DECOMMIT 0x100
+#define RTL_USER_PROCESS_PARAMETERS_DLL_REDIRECTION_LOCAL 0x1000
+#define RTL_USER_PROCESS_PARAMETERS_APP_MANIFEST_PRESENT 0x2000
+#define RTL_USER_PROCESS_PARAMETERS_IMAGE_KEY_MISSING 0x4000
+#define RTL_USER_PROCESS_PARAMETERS_NX_OPTIN 0x20000
+
+typedef struct _RTL_USER_PROCESS_INFORMATION
+{
+ ULONG Length;
+ HANDLE Process;
+ HANDLE Thread;
+ CLIENT_ID ClientId;
+ SECTION_IMAGE_INFORMATION ImageInformation;
+} RTL_USER_PROCESS_INFORMATION, *PRTL_USER_PROCESS_INFORMATION;
+
+// Handle tag bits for PEB stdio file handles
+#define PEB_STDIO_HANDLE_NATIVE 0
+#define PEB_STDIO_HANDLE_SUBSYS 1
+#define PEB_STDIO_HANDLE_PM 2
+#define PEB_STDIO_HANDLE_RESERVED 3
+
+#define GDI_HANDLE_BUFFER_SIZE32 34
+#define GDI_HANDLE_BUFFER_SIZE64 60
+
+#ifndef _WIN64
+#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32
+#else
+#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE64
+#endif
+
+typedef ULONG GDI_HANDLE_BUFFER32[GDI_HANDLE_BUFFER_SIZE32];
+typedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64];
+typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE];
+
+#define FLS_MAXIMUM_AVAILABLE 128
+#define TLS_MINIMUM_AVAILABLE 64
+#define TLS_EXPANSION_SLOTS 1024
+
+typedef struct _PEB_LDR_DATA
+{
+ ULONG Length;
+ BOOLEAN Initialized;
+ HANDLE SsHandle;
+ LIST_ENTRY InLoadOrderModuleList;
+ LIST_ENTRY InMemoryOrderModuleList;
+ LIST_ENTRY InInitializationOrderModuleList;
+ PVOID EntryInProgress;
+ BOOLEAN ShutdownInProgress;
+ HANDLE ShutdownThreadId;
+} PEB_LDR_DATA, *PPEB_LDR_DATA;
+
+typedef struct _ACTIVATION_CONTEXT_STACK
+{
+ struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* ActiveFrame;
+ LIST_ENTRY FrameListCache;
+ ULONG Flags;
+ ULONG NextCookieSequenceNumber;
+ ULONG StackId;
+} ACTIVATION_CONTEXT_STACK, *PACTIVATION_CONTEXT_STACK;
+
+typedef struct _PEB
+{
+ BOOLEAN InheritedAddressSpace;
+ BOOLEAN ReadImageFileExecOptions;
+ BOOLEAN BeingDebugged;
+ union
+ {
+ BOOLEAN BitField;
+ struct
+ {
+ BOOLEAN ImageUsesLargePages : 1;
+ BOOLEAN IsProtectedProcess : 1;
+ BOOLEAN IsImageDynamicallyRelocated : 1;
+ BOOLEAN SkipPatchingUser32Forwarders : 1;
+ BOOLEAN IsPackagedProcess : 1;
+ BOOLEAN IsAppContainer : 1;
+ BOOLEAN IsProtectedProcessLight : 1;
+ BOOLEAN IsLongPathAwareProcess : 1;
+ } s1;
+ } u1;
+
+ HANDLE Mutant;
+
+ PVOID ImageBaseAddress;
+ PPEB_LDR_DATA Ldr;
+ PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
+ PVOID SubSystemData;
+ PVOID ProcessHeap;
+ PRTL_CRITICAL_SECTION FastPebLock;
+ PVOID AtlThunkSListPtr;
+ PVOID IFEOKey;
+ union
+ {
+ ULONG CrossProcessFlags;
+ struct
+ {
+ ULONG ProcessInJob : 1;
+ ULONG ProcessInitializing : 1;
+ ULONG ProcessUsingVEH : 1;
+ ULONG ProcessUsingVCH : 1;
+ ULONG ProcessUsingFTH : 1;
+ ULONG ProcessPreviouslyThrottled : 1;
+ ULONG ProcessCurrentlyThrottled : 1;
+ ULONG ReservedBits0 : 25;
+ } s2;
+ } u2;
+ union
+ {
+ PVOID KernelCallbackTable;
+ PVOID UserSharedInfoPtr;
+ } u3;
+ ULONG SystemReserved[1];
+ ULONG AtlThunkSListPtr32;
+ PVOID ApiSetMap;
+ ULONG TlsExpansionCounter;
+ PVOID TlsBitmap;
+ ULONG TlsBitmapBits[2];
+
+ PVOID ReadOnlySharedMemoryBase;
+ PVOID SharedData; // HotpatchInformation
+ PVOID *ReadOnlyStaticServerData;
+
+ PVOID AnsiCodePageData; // PCPTABLEINFO
+ PVOID OemCodePageData; // PCPTABLEINFO
+ PVOID UnicodeCaseTableData; // PNLSTABLEINFO
+
+ ULONG NumberOfProcessors;
+ ULONG NtGlobalFlag;
+
+ LARGE_INTEGER CriticalSectionTimeout;
+ SIZE_T HeapSegmentReserve;
+ SIZE_T HeapSegmentCommit;
+ SIZE_T HeapDeCommitTotalFreeThreshold;
+ SIZE_T HeapDeCommitFreeBlockThreshold;
+
+ ULONG NumberOfHeaps;
+ ULONG MaximumNumberOfHeaps;
+ PVOID *ProcessHeaps; // PHEAP
+
+ PVOID GdiSharedHandleTable;
+ PVOID ProcessStarterHelper;
+ ULONG GdiDCAttributeList;
+
+ PRTL_CRITICAL_SECTION LoaderLock;
+
+ ULONG OSMajorVersion;
+ ULONG OSMinorVersion;
+ USHORT OSBuildNumber;
+ USHORT OSCSDVersion;
+ ULONG OSPlatformId;
+ ULONG ImageSubsystem;
+ ULONG ImageSubsystemMajorVersion;
+ ULONG ImageSubsystemMinorVersion;
+ ULONG_PTR ActiveProcessAffinityMask;
+ GDI_HANDLE_BUFFER GdiHandleBuffer;
+ PVOID PostProcessInitRoutine;
+
+ PVOID TlsExpansionBitmap;
+ ULONG TlsExpansionBitmapBits[32];
+
+ ULONG SessionId;
+
+ ULARGE_INTEGER AppCompatFlags;
+ ULARGE_INTEGER AppCompatFlagsUser;
+ PVOID pShimData;
+ PVOID AppCompatInfo; // APPCOMPAT_EXE_DATA
+
+ UNICODE_STRING CSDVersion;
+
+ PVOID ActivationContextData; // ACTIVATION_CONTEXT_DATA
+ PVOID ProcessAssemblyStorageMap; // ASSEMBLY_STORAGE_MAP
+ PVOID SystemDefaultActivationContextData; // ACTIVATION_CONTEXT_DATA
+ PVOID SystemAssemblyStorageMap; // ASSEMBLY_STORAGE_MAP
+
+ SIZE_T MinimumStackCommit;
+
+ PVOID *FlsCallback;
+ LIST_ENTRY FlsListHead;
+ PVOID FlsBitmap;
+ ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)];
+ ULONG FlsHighIndex;
+
+ PVOID WerRegistrationData;
+ PVOID WerShipAssertPtr;
+ PVOID pUnused; // pContextData
+ PVOID pImageHeaderHash;
+ union
+ {
+ ULONG TracingFlags;
+ struct
+ {
+ ULONG HeapTracingEnabled : 1;
+ ULONG CritSecTracingEnabled : 1;
+ ULONG LibLoaderTracingEnabled : 1;
+ ULONG SpareTracingBits : 29;
+ } s3;
+ } u4;
+ ULONGLONG CsrServerReadOnlySharedMemoryBase;
+ PVOID TppWorkerpListLock;
+ LIST_ENTRY TppWorkerpList;
+ PVOID WaitOnAddressHashTable[128];
+ PVOID TelemetryCoverageHeader; // REDSTONE3
+ ULONG CloudFileFlags;
+} PEB, *PPEB;
+
+#define GDI_BATCH_BUFFER_SIZE 310
+
+typedef struct _GDI_TEB_BATCH
+{
+ ULONG Offset;
+ ULONG_PTR HDC;
+ ULONG Buffer[GDI_BATCH_BUFFER_SIZE];
+} GDI_TEB_BATCH, *PGDI_TEB_BATCH;
+
+typedef struct _TEB_ACTIVE_FRAME_CONTEXT
+{
+ ULONG Flags;
+ PSTR FrameName;
+} TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT;
+
+typedef struct _TEB_ACTIVE_FRAME
+{
+ ULONG Flags;
+ struct _TEB_ACTIVE_FRAME *Previous;
+ PTEB_ACTIVE_FRAME_CONTEXT Context;
+} TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME;
+
+typedef struct _TEB
+{
+ NT_TIB NtTib;
+
+ PVOID EnvironmentPointer;
+ CLIENT_ID ClientId;
+ PVOID ActiveRpcHandle;
+ PVOID ThreadLocalStoragePointer;
+ PPEB ProcessEnvironmentBlock;
+
+ ULONG LastErrorValue;
+ ULONG CountOfOwnedCriticalSections;
+ PVOID CsrClientThread;
+ PVOID Win32ThreadInfo;
+ ULONG User32Reserved[26];
+ ULONG UserReserved[5];
+ PVOID WOW32Reserved;
+ LCID CurrentLocale;
+ ULONG FpSoftwareStatusRegister;
+ PVOID ReservedForDebuggerInstrumentation[16];
+#ifdef _WIN64
+ PVOID SystemReserved1[30];
+#else
+ PVOID SystemReserved1[26];
+#endif
+ CHAR PlaceholderCompatibilityMode;
+ CHAR PlaceholderReserved[11];
+ ULONG ProxiedProcessId;
+ ACTIVATION_CONTEXT_STACK ActivationStack;
+
+ UCHAR WorkingOnBehalfTicket[8];
+ NTSTATUS ExceptionCode;
+
+ PACTIVATION_CONTEXT_STACK ActivationContextStackPointer;
+ ULONG_PTR InstrumentationCallbackSp;
+ ULONG_PTR InstrumentationCallbackPreviousPc;
+ ULONG_PTR InstrumentationCallbackPreviousSp;
+#ifdef _WIN64
+ ULONG TxFsContext;
+#endif
+ BOOLEAN InstrumentationCallbackDisabled;
+#ifndef _WIN64
+ UCHAR SpareBytes[23];
+ ULONG TxFsContext;
+#endif
+ GDI_TEB_BATCH GdiTebBatch;
+ CLIENT_ID RealClientId;
+ HANDLE GdiCachedProcessHandle;
+ ULONG GdiClientPID;
+ ULONG GdiClientTID;
+ PVOID GdiThreadLocalInfo;
+ ULONG_PTR Win32ClientInfo[62];
+ PVOID glDispatchTable[233];
+ ULONG_PTR glReserved1[29];
+ PVOID glReserved2;
+ PVOID glSectionInfo;
+ PVOID glSection;
+ PVOID glTable;
+ PVOID glCurrentRC;
+ PVOID glContext;
+
+ NTSTATUS LastStatusValue;
+ UNICODE_STRING StaticUnicodeString;
+ WCHAR StaticUnicodeBuffer[261];
+
+ PVOID DeallocationStack;
+ PVOID TlsSlots[64];
+ LIST_ENTRY TlsLinks;
+
+ PVOID Vdm;
+ PVOID ReservedForNtRpc;
+ PVOID DbgSsReserved[2];
+
+ ULONG HardErrorMode;
+#ifdef _WIN64
+ PVOID Instrumentation[11];
+#else
+ PVOID Instrumentation[9];
+#endif
+ GUID ActivityId;
+
+ PVOID SubProcessTag;
+ PVOID PerflibData;
+ PVOID EtwTraceData;
+ PVOID WinSockData;
+ ULONG GdiBatchCount;
+
+ union
+ {
+ PROCESSOR_NUMBER CurrentIdealProcessor;
+ ULONG IdealProcessorValue;
+ struct
+ {
+ UCHAR ReservedPad0;
+ UCHAR ReservedPad1;
+ UCHAR ReservedPad2;
+ UCHAR IdealProcessor;
+ } s1;
+ } u1;
+
+ ULONG GuaranteedStackBytes;
+ PVOID ReservedForPerf;
+ PVOID ReservedForOle;
+ ULONG WaitingOnLoaderLock;
+ PVOID SavedPriorityState;
+ ULONG_PTR ReservedForCodeCoverage;
+ PVOID ThreadPoolData;
+ PVOID *TlsExpansionSlots;
+#ifdef _WIN64
+ PVOID DeallocationBStore;
+ PVOID BStoreLimit;
+#endif
+ ULONG MuiGeneration;
+ ULONG IsImpersonating;
+ PVOID NlsCache;
+ PVOID pShimData;
+ USHORT HeapVirtualAffinity;
+ USHORT LowFragHeapDataSlot;
+ HANDLE CurrentTransactionHandle;
+ PTEB_ACTIVE_FRAME ActiveFrame;
+ PVOID FlsData;
+
+ PVOID PreferredLanguages;
+ PVOID UserPrefLanguages;
+ PVOID MergedPrefLanguages;
+ ULONG MuiImpersonation;
+
+ union
+ {
+ USHORT CrossTebFlags;
+ USHORT SpareCrossTebBits : 16;
+ } u2;
+ union
+ {
+ USHORT SameTebFlags;
+ struct
+ {
+ USHORT SafeThunkCall : 1;
+ USHORT InDebugPrint : 1;
+ USHORT HasFiberData : 1;
+ USHORT SkipThreadAttach : 1;
+ USHORT WerInShipAssertCode : 1;
+ USHORT RanProcessInit : 1;
+ USHORT ClonedThread : 1;
+ USHORT SuppressDebugMsg : 1;
+ USHORT DisableUserStackWalk : 1;
+ USHORT RtlExceptionAttached : 1;
+ USHORT InitialThread : 1;
+ USHORT SessionAware : 1;
+ USHORT LoadOwner : 1;
+ USHORT LoaderWorker : 1;
+ USHORT SkipLoaderInit : 1;
+ USHORT SpareSameTebBits : 1;
+ } s2;
+ } u3;
+
+ PVOID TxnScopeEnterCallback;
+ PVOID TxnScopeExitCallback;
+ PVOID TxnScopeContext;
+ ULONG LockCount;
+ LONG WowTebOffset;
+ PVOID ResourceRetValue;
+ PVOID ReservedForWdf;
+ ULONGLONG ReservedForCrt;
+ GUID EffectiveContainerId;
+} TEB, *PTEB;
+
+typedef enum _ALTERNATIVE_ARCHITECTURE_TYPE
+{
+ StandardDesign,
+ NEC98x86,
+ EndAlternatives
+} ALTERNATIVE_ARCHITECTURE_TYPE;
+
+#define PROCESSOR_FEATURE_MAX 64
+
+#define MAX_WOW64_SHARED_ENTRIES 16
+
+#define NX_SUPPORT_POLICY_ALWAYSOFF 0
+#define NX_SUPPORT_POLICY_ALWAYSON 1
+#define NX_SUPPORT_POLICY_OPTIN 2
+#define NX_SUPPORT_POLICY_OPTOUT 3
+
+#pragma pack(push, 4)
+typedef struct _KUSER_SHARED_DATA
+{
+ ULONG TickCountLowDeprecated;
+ ULONG TickCountMultiplier;
+
+ volatile KSYSTEM_TIME InterruptTime;
+ volatile KSYSTEM_TIME SystemTime;
+ volatile KSYSTEM_TIME TimeZoneBias;
+
+ USHORT ImageNumberLow;
+ USHORT ImageNumberHigh;
+
+ WCHAR NtSystemRoot[260];
+
+ ULONG MaxStackTraceDepth;
+
+ ULONG CryptoExponent;
+
+ ULONG TimeZoneId;
+ ULONG LargePageMinimum;
+ ULONG AitSamplingValue;
+ ULONG AppCompatFlag;
+ ULONGLONG RNGSeedVersion;
+ ULONG GlobalValidationRunlevel;
+ LONG TimeZoneBiasStamp;
+
+ ULONG NtBuildNumber;
+ NT_PRODUCT_TYPE NtProductType;
+ BOOLEAN ProductTypeIsValid;
+ UCHAR Reserved0[1];
+ USHORT NativeProcessorArchitecture;
+
+ ULONG NtMajorVersion;
+ ULONG NtMinorVersion;
+
+ BOOLEAN ProcessorFeatures[PROCESSOR_FEATURE_MAX];
+
+ ULONG Reserved1;
+ ULONG Reserved3;
+
+ volatile ULONG TimeSlip;
+
+ ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture;
+ ULONG BootId;
+
+ LARGE_INTEGER SystemExpirationDate;
+
+ ULONG SuiteMask;
+
+ BOOLEAN KdDebuggerEnabled;
+ union
+ {
+ UCHAR MitigationPolicies;
+ struct
+ {
+ UCHAR NXSupportPolicy : 2;
+ UCHAR SEHValidationPolicy : 2;
+ UCHAR CurDirDevicesSkippedForDlls : 2;
+ UCHAR Reserved : 2;
+ } s1;
+ } u1;
+ UCHAR Reserved6[2];
+
+ volatile ULONG ActiveConsoleId;
+
+ volatile ULONG DismountCount;
+
+ ULONG ComPlusPackage;
+
+ ULONG LastSystemRITEventTickCount;
+
+ ULONG NumberOfPhysicalPages;
+
+ BOOLEAN SafeBootMode;
+ UCHAR VirtualizationFlags;
+ UCHAR Reserved12[2];
+
+ union
+ {
+ ULONG SharedDataFlags;
+ struct
+ {
+ ULONG DbgErrorPortPresent : 1;
+ ULONG DbgElevationEnabled : 1;
+ ULONG DbgVirtEnabled : 1;
+ ULONG DbgInstallerDetectEnabled : 1;
+ ULONG DbgLkgEnabled : 1;
+ ULONG DbgDynProcessorEnabled : 1;
+ ULONG DbgConsoleBrokerEnabled : 1;
+ ULONG DbgSecureBootEnabled : 1;
+ ULONG DbgMultiSessionSku : 1;
+ ULONG DbgMultiUsersInSessionSku : 1;
+ ULONG DbgStateSeparationEnabled : 1;
+ ULONG SpareBits : 21;
+ } s2;
+ } u2;
+ ULONG DataFlagsPad[1];
+
+ ULONGLONG TestRetInstruction;
+ LONGLONG QpcFrequency;
+ ULONG SystemCall;
+ ULONG SystemCallPad0;
+ ULONGLONG SystemCallPad[2];
+
+ union
+ {
+ volatile KSYSTEM_TIME TickCount;
+ volatile ULONG64 TickCountQuad;
+ ULONG ReservedTickCountOverlay[3];
+ };
+ ULONG TickCountPad[1];
+
+ ULONG Cookie;
+ ULONG CookiePad[1];
+
+ LONGLONG ConsoleSessionForegroundProcessId;
+ ULONGLONG TimeUpdateLock;
+ ULONGLONG BaselineSystemTimeQpc;
+ ULONGLONG BaselineInterruptTimeQpc;
+ ULONGLONG QpcSystemTimeIncrement;
+ ULONGLONG QpcInterruptTimeIncrement;
+ UCHAR QpcSystemTimeIncrementShift;
+ UCHAR QpcInterruptTimeIncrementShift;
+
+ USHORT UnparkedProcessorCount;
+ ULONG EnclaveFeatureMask[4];
+
+ ULONG TelemetryCoverageRound;
+
+ USHORT UserModeGlobalLogger[16];
+ ULONG ImageFileExecutionOptions;
+
+ ULONG LangGenerationCount;
+ ULONGLONG Reserved4;
+ volatile ULONG64 InterruptTimeBias;
+ volatile ULONG64 QpcBias;
+
+ ULONG ActiveProcessorCount;
+ volatile UCHAR ActiveGroupCount;
+ UCHAR Reserved9;
+ union
+ {
+ USHORT QpcData;
+ struct
+ {
+ UCHAR QpcBypassEnabled : 1;
+ UCHAR QpcShift : 1;
+ } s3;
+ } u3;
+
+ LARGE_INTEGER TimeZoneBiasEffectiveStart;
+ LARGE_INTEGER TimeZoneBiasEffectiveEnd;
+ XSTATE_CONFIGURATION XState;
+} KUSER_SHARED_DATA, *PKUSER_SHARED_DATA;
+#pragma pack(pop)
+
+#ifdef __cplusplus
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountMultiplier) == 0x4, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, InterruptTime) == 0x8, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, SystemTime) == 0x14, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBias) == 0x20, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, ImageNumberLow) == 0x2c, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, ImageNumberHigh) == 0x2e, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, NtSystemRoot) == 0x30, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, MaxStackTraceDepth) == 0x238, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, CryptoExponent) == 0x23c, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneId) == 0x240, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, LargePageMinimum) == 0x244, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, NtProductType) == 0x264, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, ProductTypeIsValid) == 0x268, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, NtMajorVersion) == 0x26c, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, NtMinorVersion) == 0x270, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, ProcessorFeatures) == 0x274, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved1) == 0x2b4, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved3) == 0x2b8, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TimeSlip) == 0x2bc, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, AlternativeArchitecture) == 0x2c0, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, SystemExpirationDate) == 0x2c8, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, SuiteMask) == 0x2d0, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, KdDebuggerEnabled) == 0x2d4, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, ActiveConsoleId) == 0x2d8, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, DismountCount) == 0x2dc, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, ComPlusPackage) == 0x2e0, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, LastSystemRITEventTickCount) == 0x2e4, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, NumberOfPhysicalPages) == 0x2e8, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, SafeBootMode) == 0x2ec, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TestRetInstruction) == 0x2f8, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, SystemCallPad) == 0x310, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TickCount) == 0x320, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountQuad) == 0x320, "Offset check");
+static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, XState) == 0x3d8, "Offset check");
+#endif
+
+#if !defined(_KERNEL_MODE) && !defined(KERNELMODE)
+ #define USER_SHARED_DATA 0x7FFE0000
+ #define SharedUserData ((KUSER_SHARED_DATA * const)USER_SHARED_DATA)
+#else
+ #if defined(_M_IX86)
+ #define KI_USER_SHARED_DATA 0xFFDF0000
+ #elif defined (_M_AMD64)
+ #define KI_USER_SHARED_DATA 0xFFFFF78000000000Ui64
+ #elif defined (_M_ARM)
+ #define KI_USER_SHARED_DATA 0xFFFF9000
+ #elif defined(M_ARM64)
+ #define KI_USER_SHARED_DATA 0xFFFFF78000000000Ui64
+ #endif
+ #define SharedUserData ((KUSER_SHARED_DATA * const)KI_USER_SHARED_DATA)
+#endif
+
+typedef struct _PROCESS_BASIC_INFORMATION
+{
+ NTSTATUS ExitStatus;
+ PPEB PebBaseAddress;
+ ULONG_PTR AffinityMask;
+ KPRIORITY BasePriority;
+ HANDLE UniqueProcessId;
+ HANDLE InheritedFromUniqueProcessId;
+} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;
+
+typedef struct _PROCESS_EXTENDED_BASIC_INFORMATION
+{
+ SIZE_T Size; // Set to sizeof structure on input
+ PROCESS_BASIC_INFORMATION BasicInfo;
+ union
+ {
+ ULONG Flags;
+ struct
+ {
+ ULONG IsProtectedProcess : 1;
+ ULONG IsWow64Process : 1;
+ ULONG IsProcessDeleting : 1;
+ ULONG IsCrossSessionCreate : 1;
+ ULONG IsFrozen : 1;
+ ULONG IsBackground : 1;
+ ULONG IsStronglyNamed : 1;
+ ULONG IsSecureProcess : 1;
+ ULONG IsSubsystemProcess : 1;
+ ULONG SpareBits : 23;
+ } s;
+ } u;
+} PROCESS_EXTENDED_BASIC_INFORMATION, *PPROCESS_EXTENDED_BASIC_INFORMATION;
+
+typedef struct _VM_COUNTERS
+{
+ SIZE_T PeakVirtualSize;
+ SIZE_T VirtualSize;
+ ULONG PageFaultCount;
+ SIZE_T PeakWorkingSetSize;
+ SIZE_T WorkingSetSize;
+ SIZE_T QuotaPeakPagedPoolUsage;
+ SIZE_T QuotaPagedPoolUsage;
+ SIZE_T QuotaPeakNonPagedPoolUsage;
+ SIZE_T QuotaNonPagedPoolUsage;
+ SIZE_T PagefileUsage;
+ SIZE_T PeakPagefileUsage;
+} VM_COUNTERS, *PVM_COUNTERS;
+
+typedef struct _VM_COUNTERS_EX
+{
+ SIZE_T PeakVirtualSize;
+ SIZE_T VirtualSize;
+ ULONG PageFaultCount;
+ SIZE_T PeakWorkingSetSize;
+ SIZE_T WorkingSetSize;
+ SIZE_T QuotaPeakPagedPoolUsage;
+ SIZE_T QuotaPagedPoolUsage;
+ SIZE_T QuotaPeakNonPagedPoolUsage;
+ SIZE_T QuotaNonPagedPoolUsage;
+ SIZE_T PagefileUsage;
+ SIZE_T PeakPagefileUsage;
+ SIZE_T PrivateUsage;
+} VM_COUNTERS_EX, *PVM_COUNTERS_EX;
+
+typedef struct _SYSTEM_EXTENDED_THREAD_INFORMATION
+{
+ SYSTEM_THREAD_INFORMATION ThreadInfo;
+ PVOID StackBase;
+ PVOID StackLimit;
+ PVOID Win32StartAddress;
+ PTEB TebBase; // Since Vista
+ ULONG_PTR Reserved2;
+ ULONG_PTR Reserved3;
+ ULONG_PTR Reserved4;
+} SYSTEM_EXTENDED_THREAD_INFORMATION, *PSYSTEM_EXTENDED_THREAD_INFORMATION;
+
+#define PTR_ADD_OFFSET(Pointer, Offset) ((PVOID)((ULONG_PTR)(Pointer) + (ULONG_PTR)(Offset)))
+#define PTR_SUB_OFFSET(Pointer, Offset) ((PVOID)((ULONG_PTR)(Pointer) - (ULONG_PTR)(Offset)))
+#define ALIGN_DOWN_BY(Address, Align) ((ULONG_PTR)(Address) & ~((Align) - 1))
+#define ALIGN_DOWN_POINTER_BY(Pointer, Align) ((PVOID)ALIGN_DOWN_BY(Pointer, Align))
+#define ALIGN_DOWN_POINTER(Pointer, Type) ((PVOID)ALIGN_DOWN(Pointer, Type))
+#define ALIGN_UP_BY(Address, Align) (((ULONG_PTR)(Address) + (Align) - 1) & ~((Align) - 1))
+#define ALIGN_UP_POINTER_BY(Pointer, Align) ((PVOID)ALIGN_UP_BY(Pointer, Align))
+#define ALIGN_UP_POINTER(Pointer, Type) ((PVOID)ALIGN_UP(Pointer, Type))
+
+#define InitializeObjectAttributes( p, n, a, r, s ) { \
+ (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
+ (p)->RootDirectory = r; \
+ (p)->Attributes = a; \
+ (p)->ObjectName = n; \
+ (p)->SecurityDescriptor = s; \
+ (p)->SecurityQualityOfService = NULL; \
+ }
+
+#if defined(__cplusplus)
+#define RTL_CONST_CAST(type) const_cast<type>
+#else
+#define RTL_CONST_CAST(type) (type)
+#endif
+
+#define RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) \
+ { sizeof(OBJECT_ATTRIBUTES), NULL, RTL_CONST_CAST(PUNICODE_STRING)(n), a, NULL, NULL }
+
+#define OBJ_INHERIT 0x00000002L
+#define OBJ_PERMANENT 0x00000010L
+#define OBJ_EXCLUSIVE 0x00000020L
+#define OBJ_CASE_INSENSITIVE 0x00000040L
+#define OBJ_OPENIF 0x00000080L
+#define OBJ_OPENLINK 0x00000100L
+#define OBJ_KERNEL_HANDLE 0x00000200L
+#define OBJ_FORCE_ACCESS_CHECK 0x00000400L
+#define OBJ_IGNORE_IMPERSONATED_DEVICEMAP 0x00000800
+#define OBJ_DONT_REPARSE 0x00001000
+#define OBJ_VALID_ATTRIBUTES 0x00001FF2
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+#define THREAD_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \
+ 0xFFFF)
+#else
+#define THREAD_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \
+ 0x3FF)
+#endif
+
+#define THREAD_CREATE_FLAGS_CREATE_SUSPENDED 0x00000001
+#define THREAD_CREATE_FLAGS_SUPPRESS_DLLMAINS 0x00000002
+#define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004
+#define THREAD_CREATE_FLAGS_HAS_SECURITY_DESCRIPTOR 0x00000010 // ?
+#define THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET 0x00000020 // ?
+#define THREAD_CREATE_FLAGS_INITIAL_THREAD 0x00000080
+
+#define DEBUG_READ_EVENT 0x0001
+#define DEBUG_PROCESS_ASSIGN 0x0002
+#define DEBUG_SET_INFORMATION 0x0004
+#define DEBUG_QUERY_INFORMATION 0x0008
+
+#define DEBUG_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \
+ DEBUG_READ_EVENT | DEBUG_PROCESS_ASSIGN | DEBUG_SET_INFORMATION | \
+ DEBUG_QUERY_INFORMATION)
+
+#define DEBUG_KILL_ON_CLOSE 0x1
+
+#ifndef IO_COMPLETION_QUERY_STATE
+#define IO_COMPLETION_QUERY_STATE 0x0001
+#endif
+#ifndef IO_COMPLETION_MODIFY_STATE
+#define IO_COMPLETION_MODIFY_STATE 0x0002
+#endif
+#ifndef IO_COMPLETION_ALL_ACCESS
+#define IO_COMPLETION_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \
+ IO_COMPLETION_QUERY_STATE | IO_COMPLETION_MODIFY_STATE)
+#endif
+
+#ifndef SEMAPHORE_ALL_ACCESS
+#define SEMAPHORE_QUERY_STATE 0x0001
+#define SEMAPHORE_MODIFY_STATE 0x0002
+
+#define SEMAPHORE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \
+ SEMAPHORE_QUERY_STATE | SEMAPHORE_MODIFY_STATE)
+#endif
+
+#ifndef MUTANT_ALL_ACCESS
+#define MUTANT_QUERY_STATE 0x0001
+
+#define MUTANT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \
+ MUTANT_QUERY_STATE)
+#endif
+
+#ifndef EVENT_ALL_ACCESS
+#define EVENT_QUERY_STATE 0x0001
+#define EVENT_MODIFY_STATE 0x0002
+
+#define EVENT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \
+ EVENT_QUERY_STATE | EVENT_MODIFY_STATE)
+#endif
+
+#define KEYEDEVENT_WAIT 0x0001
+#define KEYEDEVENT_WAKE 0x0002
+#define KEYEDEVENT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \
+ KEYEDEVENT_WAIT | KEYEDEVENT_WAKE)
+
+#define DIRECTORY_QUERY 0x0001
+#define DIRECTORY_TRAVERSE 0x0002
+#define DIRECTORY_CREATE_OBJECT 0x0004
+#define DIRECTORY_CREATE_SUBDIRECTORY 0x0008
+
+#define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \
+ DIRECTORY_QUERY | DIRECTORY_TRAVERSE | \
+ DIRECTORY_CREATE_OBJECT | DIRECTORY_CREATE_SUBDIRECTORY)
+
+#define SYMBOLIC_LINK_QUERY 0x0001
+
+#define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \
+ SYMBOLIC_LINK_QUERY)
+
+#ifndef TOKEN_ALL_ACCESS
+#define TOKEN_ASSIGN_PRIMARY 0x0001
+#define TOKEN_DUPLICATE 0x0002
+#define TOKEN_IMPERSONATE 0x0004
+#define TOKEN_QUERY 0x0008
+#define TOKEN_QUERY_SOURCE 0x0010
+#define TOKEN_ADJUST_PRIVILEGES 0x0020
+#define TOKEN_ADJUST_GROUPS 0x0040
+#define TOKEN_ADJUST_DEFAULT 0x0080
+#define TOKEN_ADJUST_SESSIONID 0x0100
+
+#define TOKEN_ALL_ACCESS_P (STANDARD_RIGHTS_REQUIRED | \
+ TOKEN_ASSIGN_PRIMARY | \
+ TOKEN_DUPLICATE | \
+ TOKEN_IMPERSONATE | \
+ TOKEN_QUERY | \
+ TOKEN_QUERY_SOURCE | \
+ TOKEN_ADJUST_PRIVILEGES | \
+ TOKEN_ADJUST_GROUPS | \
+ TOKEN_ADJUST_DEFAULT)
+
+#define TOKEN_ALL_ACCESS (TOKEN_ALL_ACCESS_P | \
+ TOKEN_ADJUST_SESSIONID)
+#endif
+
+#define WORKER_FACTORY_RELEASE_WORKER 0x0001
+#define WORKER_FACTORY_WAIT 0x0002
+#define WORKER_FACTORY_SET_INFORMATION 0x0004
+#define WORKER_FACTORY_QUERY_INFORMATION 0x0008
+#define WORKER_FACTORY_READY_WORKER 0x0010
+#define WORKER_FACTORY_SHUTDOWN 0x0020
+
+#define WORKER_FACTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \
+ WORKER_FACTORY_RELEASE_WORKER | \
+ WORKER_FACTORY_WAIT | \
+ WORKER_FACTORY_SET_INFORMATION | \
+ WORKER_FACTORY_QUERY_INFORMATION | \
+ WORKER_FACTORY_READY_WORKER | \
+ WORKER_FACTORY_SHUTDOWN)
+
+#define NtCurrentProcess ((HANDLE)(LONG_PTR)-1)
+#define NtCurrentThread ((HANDLE)(LONG_PTR)-2)
+#define NtCurrentPeb() (NtCurrentTeb()->ProcessEnvironmentBlock)
+#define NtCurrentProcessId() (NtCurrentTeb()->ClientId.UniqueProcess)
+#define NtCurrentThreadId() (NtCurrentTeb()->ClientId.UniqueThread)
+#define RtlProcessHeap() (NtCurrentPeb()->ProcessHeap)
+
+typedef struct _RTL_HEAP_ENTRY
+{
+ SIZE_T Size;
+ USHORT Flags;
+ USHORT AllocatorBackTraceIndex;
+ union
+ {
+ struct
+ {
+ SIZE_T Settable;
+ ULONG Tag;
+ } s1;
+ struct
+ {
+ SIZE_T CommittedSize;
+ PVOID FirstBlock;
+ } s2;
+ } u;
+} RTL_HEAP_ENTRY, *PRTL_HEAP_ENTRY;
+
+#define RTL_HEAP_BUSY (USHORT)0x0001
+#define RTL_HEAP_SEGMENT (USHORT)0x0002
+#define RTL_HEAP_SETTABLE_VALUE (USHORT)0x0010
+#define RTL_HEAP_SETTABLE_FLAG1 (USHORT)0x0020
+#define RTL_HEAP_SETTABLE_FLAG2 (USHORT)0x0040
+#define RTL_HEAP_SETTABLE_FLAG3 (USHORT)0x0080
+#define RTL_HEAP_SETTABLE_FLAGS (USHORT)0x00e0
+#define RTL_HEAP_UNCOMMITTED_RANGE (USHORT)0x0100
+#define RTL_HEAP_PROTECTED_ENTRY (USHORT)0x0200
+
+typedef struct _RTL_HEAP_TAG
+{
+ ULONG NumberOfAllocations;
+ ULONG NumberOfFrees;
+ SIZE_T BytesAllocated;
+ USHORT TagIndex;
+ USHORT CreatorBackTraceIndex;
+ WCHAR TagName[24];
+} RTL_HEAP_TAG, *PRTL_HEAP_TAG;
+
+typedef struct _RTL_HEAP_INFORMATION
+{
+ PVOID BaseAddress;
+ ULONG Flags;
+ USHORT EntryOverhead;
+ USHORT CreatorBackTraceIndex;
+ SIZE_T BytesAllocated;
+ SIZE_T BytesCommitted;
+ ULONG NumberOfTags;
+ ULONG NumberOfEntries;
+ ULONG NumberOfPseudoTags;
+ ULONG PseudoTagGranularity;
+ ULONG Reserved[5];
+ PRTL_HEAP_TAG Tags;
+ PRTL_HEAP_ENTRY Entries;
+} RTL_HEAP_INFORMATION, *PRTL_HEAP_INFORMATION;
+
+typedef struct _RTL_PROCESS_HEAPS
+{
+ ULONG NumberOfHeaps;
+ RTL_HEAP_INFORMATION Heaps[1];
+} RTL_PROCESS_HEAPS, *PRTL_PROCESS_HEAPS;
+
+typedef
+NTSTATUS
+(NTAPI*
+PRTL_HEAP_COMMIT_ROUTINE)(
+ _In_ PVOID Base,
+ _Inout_ PVOID *CommitAddress,
+ _Inout_ PSIZE_T CommitSize
+ );
+
+typedef struct _RTL_HEAP_PARAMETERS
+{
+ ULONG Length;
+ SIZE_T SegmentReserve;
+ SIZE_T SegmentCommit;
+ SIZE_T DeCommitFreeBlockThreshold;
+ SIZE_T DeCommitTotalFreeThreshold;
+ SIZE_T MaximumAllocationSize;
+ SIZE_T VirtualMemoryThreshold;
+ SIZE_T InitialCommit;
+ SIZE_T InitialReserve;
+ PRTL_HEAP_COMMIT_ROUTINE CommitRoutine;
+ SIZE_T Reserved[2];
+} RTL_HEAP_PARAMETERS, *PRTL_HEAP_PARAMETERS;
+
+#define HEAP_SETTABLE_USER_VALUE 0x00000100
+#define HEAP_SETTABLE_USER_FLAG1 0x00000200
+#define HEAP_SETTABLE_USER_FLAG2 0x00000400
+#define HEAP_SETTABLE_USER_FLAG3 0x00000800
+#define HEAP_SETTABLE_USER_FLAGS 0x00000e00
+
+#define HEAP_CLASS_0 0x00000000 // Process heap
+#define HEAP_CLASS_1 0x00001000 // Private heap
+#define HEAP_CLASS_2 0x00002000 // Kernel heap
+#define HEAP_CLASS_3 0x00003000 // GDI heap
+#define HEAP_CLASS_4 0x00004000 // User heap
+#define HEAP_CLASS_5 0x00005000 // Console heap
+#define HEAP_CLASS_6 0x00006000 // User desktop heap
+#define HEAP_CLASS_7 0x00007000 // CSR shared heap
+#define HEAP_CLASS_8 0x00008000 // CSR port heap
+#define HEAP_CLASS_MASK 0x0000f000
+
+typedef struct _RTL_HEAP_TAG_INFO
+{
+ ULONG NumberOfAllocations;
+ ULONG NumberOfFrees;
+ SIZE_T BytesAllocated;
+} RTL_HEAP_TAG_INFO, *PRTL_HEAP_TAG_INFO;
+
+#define RTL_HEAP_MAKE_TAG HEAP_MAKE_TAG_FLAGS
+
+typedef struct _RTL_HEAP_WALK_ENTRY
+{
+ PVOID DataAddress;
+ SIZE_T DataSize;
+ UCHAR OverheadBytes;
+ UCHAR SegmentIndex;
+ USHORT Flags;
+ union
+ {
+ struct
+ {
+ SIZE_T Settable;
+ USHORT TagIndex;
+ USHORT AllocatorBackTraceIndex;
+ ULONG Reserved[2];
+ } Block;
+ struct
+ {
+ ULONG CommittedSize;
+ ULONG UnCommittedSize;
+ PVOID FirstEntry;
+ PVOID LastEntry;
+ } Segment;
+ };
+} RTL_HEAP_WALK_ENTRY, *PRTL_HEAP_WALK_ENTRY;
+
+// HEAP_INFORMATION_CLASS. winnt.h is incomplete
+#define HeapCompatibilityInformation 0x0 // q; s: ULONG
+#define HeapEnableTerminationOnCorruption 0x1 // q; s: NULL
+#define HeapExtendedInformation 0x2 // q; s: HEAP_EXTENDED_INFORMATION
+#define HeapOptimizeResources 0x3 // q; s: HEAP_OPTIMIZE_RESOURCES_INFORMATION
+#define HeapTaggingInformation 0x4
+#define HeapStackDatabase 0x5
+#define HeapDetailedFailureInformation 0x80000001
+#define HeapSetDebuggingInformation 0x80000002 // q; s: HEAP_DEBUGGING_INFORMATION
+
+typedef struct _PROCESS_HEAP_INFORMATION
+{
+ ULONG_PTR ReserveSize;
+ ULONG_PTR CommitSize;
+ ULONG NumberOfHeaps;
+ ULONG_PTR FirstHeapInformationOffset;
+} PROCESS_HEAP_INFORMATION, *PPROCESS_HEAP_INFORMATION;
+
+typedef struct _HEAP_INFORMATION
+{
+ ULONG_PTR Address;
+ ULONG Mode;
+ ULONG_PTR ReserveSize;
+ ULONG_PTR CommitSize;
+ ULONG_PTR FirstRegionInformationOffset;
+ ULONG_PTR NextHeapInformationOffset;
+} HEAP_INFORMATION, *PHEAP_INFORMATION;
+
+typedef struct _HEAP_EXTENDED_INFORMATION
+{
+ HANDLE Process;
+ ULONG_PTR Heap;
+ ULONG Level;
+ PVOID CallbackRoutine;
+ PVOID CallbackContext;
+ PROCESS_HEAP_INFORMATION ProcessHeapInformation;
+ HEAP_INFORMATION HeapInformation;
+} HEAP_EXTENDED_INFORMATION, *PHEAP_EXTENDED_INFORMATION;
+
+typedef
+NTSTATUS
+(NTAPI*
+PRTL_HEAP_LEAK_ENUMERATION_ROUTINE)(
+ _In_ LONG Reserved,
+ _In_ PVOID HeapHandle,
+ _In_ PVOID BaseAddress,
+ _In_ SIZE_T BlockSize,
+ _In_ ULONG StackTraceDepth,
+ _In_ PVOID *StackTrace
+ );
+
+typedef struct _HEAP_DEBUGGING_INFORMATION
+{
+ PVOID InterceptorFunction;
+ USHORT InterceptorValue;
+ ULONG ExtendedOptions;
+ ULONG StackTraceDepth;
+ SIZE_T MinTotalBlockSize;
+ SIZE_T MaxTotalBlockSize;
+ PRTL_HEAP_LEAK_ENUMERATION_ROUTINE HeapLeakEnumerationRoutine;
+} HEAP_DEBUGGING_INFORMATION, *PHEAP_DEBUGGING_INFORMATION;
+
+typedef
+NTSTATUS
+(NTAPI*
+PRTL_ENUM_HEAPS_ROUTINE)(
+ _In_ PVOID HeapHandle,
+ _In_ PVOID Parameter
+ );
+
+typedef
+NTSTATUS
+(NTAPI*
+PUSER_THREAD_START_ROUTINE)(
+ _In_ PVOID ThreadParameter
+ );
+
+#define LDR_FORMAT_MESSAGE_FROM_SYSTEM_MESSAGE_TABLE 11
+
+#define RTL_ERRORMODE_NOGPFAULTERRORBOX 0x0020
+#define RTL_ERRORMODE_NOOPENFILEERRORBOX 0x0040
+
+#define RTL_ACQUIRE_PRIVILEGE_REVERT 0x00000001
+#define RTL_ACQUIRE_PRIVILEGE_PROCESS 0x00000002
+
+typedef
+VOID
+(NTAPI*
+PLDR_IMPORT_MODULE_CALLBACK)(
+ _In_ PVOID Parameter,
+ _In_ PSTR ModuleName
+ );
+
+typedef struct _LDR_IMPORT_CALLBACK_INFO
+{
+ PLDR_IMPORT_MODULE_CALLBACK ImportCallbackRoutine;
+ PVOID ImportCallbackParameter;
+} LDR_IMPORT_CALLBACK_INFO, *PLDR_IMPORT_CALLBACK_INFO;
+
+typedef struct _LDR_SECTION_INFO
+{
+ HANDLE SectionHandle;
+ ACCESS_MASK DesiredAccess;
+ POBJECT_ATTRIBUTES ObjectAttributes;
+ ULONG SectionPageProtection;
+ ULONG AllocationAttributes;
+} LDR_SECTION_INFO, *PLDR_SECTION_INFO;
+
+typedef struct _LDR_VERIFY_IMAGE_INFO
+{
+ ULONG Size;
+ ULONG Flags;
+ LDR_IMPORT_CALLBACK_INFO CallbackInfo;
+ LDR_SECTION_INFO SectionInfo;
+ USHORT ImageCharacteristics;
+} LDR_VERIFY_IMAGE_INFO, *PLDR_VERIFY_IMAGE_INFO;
+
+typedef enum _SEMAPHORE_INFORMATION_CLASS
+{
+ SemaphoreBasicInformation
+} SEMAPHORE_INFORMATION_CLASS;
+
+typedef struct _SEMAPHORE_BASIC_INFORMATION
+{
+ LONG CurrentCount;
+ LONG MaximumCount;
+} SEMAPHORE_BASIC_INFORMATION, *PSEMAPHORE_BASIC_INFORMATION;
+
+typedef enum _TIMER_INFORMATION_CLASS
+{
+ TimerBasicInformation
+} TIMER_INFORMATION_CLASS;
+
+typedef struct _TIMER_BASIC_INFORMATION
+{
+ LARGE_INTEGER RemainingTime;
+ BOOLEAN TimerState;
+} TIMER_BASIC_INFORMATION, *PTIMER_BASIC_INFORMATION;
+
+typedef
+VOID
+(NTAPI*
+PTIMER_APC_ROUTINE)(
+ _In_ PVOID TimerContext,
+ _In_ ULONG TimerLowValue,
+ _In_ LONG TimerHighValue
+ );
+
+typedef enum _TIMER_SET_INFORMATION_CLASS
+{
+ TimerSetCoalescableTimer,
+ MaxTimerInfoClass
+} TIMER_SET_INFORMATION_CLASS;
+
+typedef struct _TIMER_SET_COALESCABLE_TIMER_INFO
+{
+ _In_ LARGE_INTEGER DueTime;
+ _In_opt_ PTIMER_APC_ROUTINE TimerApcRoutine;
+ _In_opt_ PVOID TimerContext;
+ _In_opt_ struct _COUNTED_REASON_CONTEXT *WakeContext;
+ _In_opt_ ULONG Period;
+ _In_ ULONG TolerableDelay;
+ _Out_opt_ PBOOLEAN PreviousState;
+} TIMER_SET_COALESCABLE_TIMER_INFO, *PTIMER_SET_COALESCABLE_TIMER_INFO;
+
+typedef struct _TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE
+{
+ ULONG64 Version;
+ UNICODE_STRING Name;
+} TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE;
+
+typedef struct _TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE
+{
+ PVOID pValue;
+ ULONG ValueLength;
+} TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE;
+
+typedef struct _TOKEN_SECURITY_ATTRIBUTE_V1
+{
+ UNICODE_STRING Name;
+ USHORT ValueType;
+ USHORT Reserved;
+ ULONG Flags;
+ ULONG ValueCount;
+ union
+ {
+ PLONG64 pInt64;
+ PULONG64 pUint64;
+ PUNICODE_STRING pString;
+ PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE pFqbn;
+ PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE pOctetString;
+ } Values;
+} TOKEN_SECURITY_ATTRIBUTE_V1, *PTOKEN_SECURITY_ATTRIBUTE_V1;
+
+#define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1 1
+#define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1
+
+typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION
+{
+ USHORT Version;
+ USHORT Reserved;
+ ULONG AttributeCount;
+ union
+ {
+ PTOKEN_SECURITY_ATTRIBUTE_V1 pAttributeV1;
+ } Attribute;
+} TOKEN_SECURITY_ATTRIBUTES_INFORMATION, *PTOKEN_SECURITY_ATTRIBUTES_INFORMATION;
+
+typedef enum _FILTER_BOOT_OPTION_OPERATION
+{
+ FilterBootOptionOperationOpenSystemStore,
+ FilterBootOptionOperationSetElement,
+ FilterBootOptionOperationDeleteElement,
+ FilterBootOptionOperationMax
+} FILTER_BOOT_OPTION_OPERATION;
+
+typedef enum _IO_SESSION_EVENT
+{
+ IoSessionEventIgnore,
+ IoSessionEventCreated,
+ IoSessionEventTerminated,
+ IoSessionEventConnected,
+ IoSessionEventDisconnected,
+ IoSessionEventLogon,
+ IoSessionEventLogoff,
+ IoSessionEventMax
+} IO_SESSION_EVENT;
+
+typedef enum _IO_SESSION_STATE
+{
+ IoSessionStateCreated,
+ IoSessionStateInitialized,
+ IoSessionStateConnected,
+ IoSessionStateDisconnected,
+ IoSessionStateDisconnectedLoggedOn,
+ IoSessionStateLoggedOn,
+ IoSessionStateLoggedOff,
+ IoSessionStateTerminated,
+ IoSessionStateMax
+} IO_SESSION_STATE;
+
+typedef struct _PORT_MESSAGE PORT_MESSAGE, *PPORT_MESSAGE;
+typedef struct _TP_ALPC TP_ALPC, *PTP_ALPC;
+
+typedef
+VOID
+(NTAPI*
+PTP_ALPC_CALLBACK)(
+ _Inout_ PTP_CALLBACK_INSTANCE Instance,
+ _Inout_opt_ PVOID Context,
+ _In_ PTP_ALPC Alpc
+ );
+
+typedef
+VOID
+(NTAPI*
+PTP_ALPC_CALLBACK_EX)(
+ _Inout_ PTP_CALLBACK_INSTANCE Instance,
+ _Inout_opt_ PVOID Context,
+ _In_ PTP_ALPC Alpc,
+ _In_ PVOID ApcContext
+ );
+
+typedef
+VOID
+(NTAPI*
+PTP_IO_CALLBACK)(
+ _Inout_ PTP_CALLBACK_INSTANCE Instance,
+ _Inout_opt_ PVOID Context,
+ _In_ PVOID ApcContext,
+ _In_ PIO_STATUS_BLOCK IoSB,
+ _In_ PTP_IO Io
+ );
+
+typedef enum _IO_COMPLETION_INFORMATION_CLASS
+{
+ IoCompletionBasicInformation
+} IO_COMPLETION_INFORMATION_CLASS;
+
+typedef struct _IO_COMPLETION_BASIC_INFORMATION
+{
+ LONG Depth;
+} IO_COMPLETION_BASIC_INFORMATION, *PIO_COMPLETION_BASIC_INFORMATION;
+
+typedef enum _WORKERFACTORYINFOCLASS
+{
+ WorkerFactoryTimeout,
+ WorkerFactoryRetryTimeout,
+ WorkerFactoryIdleTimeout,
+ WorkerFactoryBindingCount,
+ WorkerFactoryThreadMinimum,
+ WorkerFactoryThreadMaximum,
+ WorkerFactoryPaused,
+ WorkerFactoryBasicInformation,
+ WorkerFactoryAdjustThreadGoal,
+ WorkerFactoryCallbackType,
+ WorkerFactoryStackInformation, // 10
+ WorkerFactoryThreadBasePriority,
+ WorkerFactoryTimeoutWaiters, // since THRESHOLD
+ WorkerFactoryFlags,
+ WorkerFactoryThreadSoftMaximum,
+ MaxWorkerFactoryInfoClass
+} WORKERFACTORYINFOCLASS, *PWORKERFACTORYINFOCLASS;
+
+typedef struct _WORKER_FACTORY_BASIC_INFORMATION
+{
+ LARGE_INTEGER Timeout;
+ LARGE_INTEGER RetryTimeout;
+ LARGE_INTEGER IdleTimeout;
+ BOOLEAN Paused;
+ BOOLEAN TimerSet;
+ BOOLEAN QueuedToExWorker;
+ BOOLEAN MayCreate;
+ BOOLEAN CreateInProgress;
+ BOOLEAN InsertedIntoQueue;
+ BOOLEAN Shutdown;
+ ULONG BindingCount;
+ ULONG ThreadMinimum;
+ ULONG ThreadMaximum;
+ ULONG PendingWorkerCount;
+ ULONG WaitingWorkerCount;
+ ULONG TotalWorkerCount;
+ ULONG ReleaseCount;
+ LONGLONG InfiniteWaitGoal;
+ PVOID StartRoutine;
+ PVOID StartParameter;
+ HANDLE ProcessId;
+ SIZE_T StackReserve;
+ SIZE_T StackCommit;
+ NTSTATUS LastThreadCreationStatus;
+} WORKER_FACTORY_BASIC_INFORMATION, *PWORKER_FACTORY_BASIC_INFORMATION;
+
+typedef struct _BOOT_ENTRY
+{
+ ULONG Version;
+ ULONG Length;
+ ULONG Id;
+ ULONG Attributes;
+ ULONG FriendlyNameOffset;
+ ULONG BootFilePathOffset;
+ ULONG OsOptionsLength;
+ UCHAR OsOptions[1];
+} BOOT_ENTRY, *PBOOT_ENTRY;
+
+typedef struct _BOOT_ENTRY_LIST
+{
+ ULONG NextEntryOffset;
+ BOOT_ENTRY BootEntry;
+} BOOT_ENTRY_LIST, *PBOOT_ENTRY_LIST;
+
+typedef struct _BOOT_OPTIONS
+{
+ ULONG Version;
+ ULONG Length;
+ ULONG Timeout;
+ ULONG CurrentBootEntryId;
+ ULONG NextBootEntryId;
+ WCHAR HeadlessRedirection[1];
+} BOOT_OPTIONS, *PBOOT_OPTIONS;
+
+typedef struct _FILE_PATH
+{
+ ULONG Version;
+ ULONG Length;
+ ULONG Type;
+ UCHAR FilePath[1];
+} FILE_PATH, *PFILE_PATH;
+
+typedef struct _EFI_DRIVER_ENTRY
+{
+ ULONG Version;
+ ULONG Length;
+ ULONG Id;
+ ULONG FriendlyNameOffset;
+ ULONG DriverFilePathOffset;
+} EFI_DRIVER_ENTRY, *PEFI_DRIVER_ENTRY;
+
+typedef struct _EFI_DRIVER_ENTRY_LIST
+{
+ ULONG NextEntryOffset;
+ EFI_DRIVER_ENTRY DriverEntry;
+} EFI_DRIVER_ENTRY_LIST, *PEFI_DRIVER_ENTRY_LIST;
+
+FORCEINLINE
+VOID
+InitializeListHead(
+ _Out_ PLIST_ENTRY ListHead
+ )
+{
+ ListHead->Flink = ListHead->Blink = ListHead;
+}
+
+FORCEINLINE
+BOOLEAN
+IsListEmpty(
+ _In_ PLIST_ENTRY ListHead
+ )
+{
+ return ListHead->Flink == ListHead;
+}
+
+FORCEINLINE
+BOOLEAN
+RemoveEntryList(
+ _In_ PLIST_ENTRY Entry
+ )
+{
+ PLIST_ENTRY Flink = Entry->Flink;
+ PLIST_ENTRY Blink = Entry->Blink;
+ Blink->Flink = Flink;
+ Flink->Blink = Blink;
+
+ return Flink == Blink;
+}
+
+FORCEINLINE
+PLIST_ENTRY
+RemoveHeadList(
+ _Inout_ PLIST_ENTRY ListHead
+ )
+{
+ PLIST_ENTRY Entry = ListHead->Flink;
+ PLIST_ENTRY Flink = Entry->Flink;
+ ListHead->Flink = Flink;
+ Flink->Blink = ListHead;
+
+ return Entry;
+}
+
+FORCEINLINE
+PLIST_ENTRY
+RemoveTailList(
+ _Inout_ PLIST_ENTRY ListHead
+ )
+{
+ PLIST_ENTRY Entry = ListHead->Blink;
+ PLIST_ENTRY Blink = Entry->Blink;
+ ListHead->Blink = Blink;
+ Blink->Flink = ListHead;
+
+ return Entry;
+}
+
+FORCEINLINE
+VOID
+InsertTailList(
+ _Inout_ PLIST_ENTRY ListHead,
+ _Inout_ PLIST_ENTRY Entry
+ )
+{
+ PLIST_ENTRY Blink = ListHead->Blink;
+ Entry->Flink = ListHead;
+ Entry->Blink = Blink;
+ Blink->Flink = Entry;
+ ListHead->Blink = Entry;
+}
+
+FORCEINLINE
+VOID
+InsertHeadList(
+ _Inout_ PLIST_ENTRY ListHead,
+ _Inout_ PLIST_ENTRY Entry
+ )
+{
+ PLIST_ENTRY Flink = ListHead->Flink;
+ Entry->Flink = Flink;
+ Entry->Blink = ListHead;
+ Flink->Blink = Entry;
+ ListHead->Flink = Entry;
+}
+
+FORCEINLINE
+VOID
+AppendTailList(
+ _Inout_ PLIST_ENTRY ListHead,
+ _Inout_ PLIST_ENTRY ListToAppend
+ )
+{
+ PLIST_ENTRY ListEnd = ListHead->Blink;
+
+ ListHead->Blink->Flink = ListToAppend;
+ ListHead->Blink = ListToAppend->Blink;
+ ListToAppend->Blink->Flink = ListHead;
+ ListToAppend->Blink = ListEnd;
+}
+
+FORCEINLINE
+PSINGLE_LIST_ENTRY
+PopEntryList(
+ _Inout_ PSINGLE_LIST_ENTRY ListHead
+ )
+{
+ PSINGLE_LIST_ENTRY FirstEntry = ListHead->Next;
+
+ if (FirstEntry)
+ ListHead->Next = FirstEntry->Next;
+
+ return FirstEntry;
+}
+
+FORCEINLINE
+VOID
+PushEntryList(
+ _Inout_ PSINGLE_LIST_ENTRY ListHead,
+ _Inout_ PSINGLE_LIST_ENTRY Entry
+ )
+{
+ Entry->Next = ListHead->Next;
+ ListHead->Next = Entry;
+}
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateProcess(
+ _Out_ PHANDLE ProcessHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ HANDLE ParentProcess,
+ _In_ BOOLEAN InheritObjectTable,
+ _In_opt_ HANDLE SectionHandle,
+ _In_opt_ HANDLE DebugPort,
+ _In_opt_ HANDLE TokenHandle
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateProcessEx(
+ _Out_ PHANDLE ProcessHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ HANDLE ParentProcess,
+ _In_ ULONG Flags,
+ _In_opt_ HANDLE SectionHandle,
+ _In_opt_ HANDLE DebugPort,
+ _In_opt_ HANDLE TokenHandle,
+ _In_ ULONG JobMemberLevel
+ );
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateUserProcess(
+ _Out_ PHANDLE ProcessHandle,
+ _Out_ PHANDLE ThreadHandle,
+ _In_ ACCESS_MASK ProcessDesiredAccess,
+ _In_ ACCESS_MASK ThreadDesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ProcessObjectAttributes,
+ _In_opt_ POBJECT_ATTRIBUTES ThreadObjectAttributes,
+ _In_ ULONG ProcessFlags,
+ _In_ ULONG ThreadFlags,
+ _In_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters,
+ _Inout_ PPS_CREATE_INFO CreateInfo,
+ _In_ PPS_ATTRIBUTE_LIST AttributeList
+ );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetInformationProcess(
+ _In_ HANDLE ProcessHandle,
+ _In_ PROCESSINFOCLASS ProcessInformationClass,
+ _In_ PVOID ProcessInformation,
+ _In_ ULONG ProcessInformationLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryInformationProcess(
+ _In_ HANDLE ProcessHandle,
+ _In_ PROCESSINFOCLASS ProcessInformationClass,
+ _Out_ PVOID ProcessInformation,
+ _In_ ULONG ProcessInformationLength,
+ _Out_opt_ PULONG ReturnLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryObject(
+ _In_ HANDLE Handle,
+ _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass,
+ _Out_opt_ PVOID ObjectInformation,
+ _In_ ULONG ObjectInformationLength,
+ _Out_opt_ PULONG ReturnLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQuerySystemInformation(
+ _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
+ _Out_writes_bytes_to_opt_(SystemInformationLength, *ReturnLength) PVOID SystemInformation,
+ _In_ ULONG SystemInformationLength,
+ _Out_opt_ PULONG ReturnLength
+ );
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQuerySystemInformationEx(
+ _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
+ _In_reads_bytes_(InputBufferLength) PVOID InputBuffer,
+ _In_ ULONG InputBufferLength,
+ _Out_writes_bytes_opt_(SystemInformationLength) PVOID SystemInformation,
+ _In_ ULONG SystemInformationLength,
+ _Out_opt_ PULONG ReturnLength
+ );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetSystemInformation(
+ _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
+ _In_reads_bytes_opt_(SystemInformationLength) PVOID SystemInformation,
+ _In_ ULONG SystemInformationLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetInformationThread(
+ _In_ HANDLE ThreadHandle,
+ _In_ THREADINFOCLASS ThreadInformationClass,
+ _In_ PVOID ThreadInformation,
+ _In_ ULONG ThreadInformationLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryInformationThread(
+ _In_ HANDLE ThreadHandle,
+ _In_ THREADINFOCLASS ThreadInformationClass,
+ _Out_ PVOID ThreadInformation,
+ _In_ ULONG ThreadInformationLength,
+ _Out_opt_ PULONG ReturnLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtUnmapViewOfSection(
+ _In_ HANDLE ProcessHandle,
+ _In_opt_ PVOID BaseAddress
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtExtendSection(
+ _In_ HANDLE SectionHandle,
+ _Inout_ PLARGE_INTEGER NewSectionSize
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSuspendThread(
+ _In_ HANDLE ThreadHandle,
+ _Out_opt_ PULONG PreviousSuspendCount
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtResumeThread(
+ _In_ HANDLE ThreadHandle,
+ _Out_opt_ PULONG PreviousSuspendCount
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSuspendProcess(
+ _In_ HANDLE ProcessHandle
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtResumeProcess(
+ _In_ HANDLE ProcessHandle
+ );
+
+#if NTDDI_VERSION >= NTDDI_WS03
+NTSYSCALLAPI
+ULONG
+NTAPI
+NtGetCurrentProcessorNumber(
+ );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSignalAndWaitForSingleObject(
+ _In_ HANDLE SignalHandle,
+ _In_ HANDLE WaitHandle,
+ _In_ BOOLEAN Alertable,
+ _In_opt_ PLARGE_INTEGER Timeout
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtWaitForSingleObject(
+ _In_ HANDLE Handle,
+ _In_ BOOLEAN Alertable,
+ _In_opt_ PLARGE_INTEGER Timeout
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtWaitForMultipleObjects(
+ _In_ ULONG Count,
+ _In_reads_(Count) HANDLE Handles[],
+ _In_ WAIT_TYPE WaitType,
+ _In_ BOOLEAN Alertable,
+ _In_opt_ PLARGE_INTEGER Timeout
+ );
+
+#if NTDDI_VERSION >= NTDDI_WS03
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtWaitForMultipleObjects32(
+ _In_ ULONG Count,
+ _In_reads_(Count) HANDLE Handles[],
+ _In_ WAIT_TYPE WaitType,
+ _In_ BOOLEAN Alertable,
+ _In_opt_ PLARGE_INTEGER Timeout
+ );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetSecurityObject(
+ _In_ HANDLE Handle,
+ _In_ SECURITY_INFORMATION SecurityInformation,
+ _In_ PSECURITY_DESCRIPTOR SecurityDescriptor
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQuerySecurityObject(
+ _In_ HANDLE Handle,
+ _In_ SECURITY_INFORMATION SecurityInformation,
+ _Out_writes_bytes_to_(Length,*LengthNeeded) PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _In_ ULONG Length,
+ _Out_ PULONG LengthNeeded
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueueApcThread(
+ _In_ HANDLE ThreadHandle,
+ _In_ PPS_APC_ROUTINE ApcRoutine,
+ _In_opt_ PVOID ApcArgument1,
+ _In_opt_ PVOID ApcArgument2,
+ _In_opt_ PVOID ApcArgument3
+ );
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueueApcThreadEx(
+ _In_ HANDLE ThreadHandle,
+ _In_opt_ HANDLE UserApcReserveHandle,
+ _In_ PPS_APC_ROUTINE ApcRoutine,
+ _In_opt_ PVOID ApcArgument1,
+ _In_opt_ PVOID ApcArgument2,
+ _In_opt_ PVOID ApcArgument3
+ );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtProtectVirtualMemory(
+ _In_ HANDLE ProcessHandle,
+ _Inout_ PVOID *BaseAddress,
+ _Inout_ PSIZE_T RegionSize,
+ _In_ ULONG NewProtect,
+ _Out_ PULONG OldProtect
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtFlushBuffersFile(
+ _In_ HANDLE FileHandle,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtFlushInstructionCache(
+ _In_ HANDLE ProcessHandle,
+ _In_opt_ PVOID BaseAddress,
+ _In_ SIZE_T Length
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtFlushWriteBuffer(
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtFsControlFile(
+ _In_ HANDLE FileHandle,
+ _In_opt_ HANDLE Event,
+ _In_opt_ PIO_APC_ROUTINE ApcRoutine,
+ _In_opt_ PVOID ApcContext,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_ ULONG FsControlCode,
+ _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer,
+ _In_ ULONG InputBufferLength,
+ _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer,
+ _In_ ULONG OutputBufferLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtLockFile(
+ _In_ HANDLE FileHandle,
+ _In_opt_ HANDLE Event,
+ _In_opt_ PIO_APC_ROUTINE ApcRoutine,
+ _In_opt_ PVOID ApcContext,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_ PLARGE_INTEGER ByteOffset,
+ _In_ PLARGE_INTEGER Length,
+ _In_ ULONG Key,
+ _In_ BOOLEAN FailImmediately,
+ _In_ BOOLEAN ExclusiveLock
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtUnlockFile(
+ _In_ HANDLE FileHandle,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_ PLARGE_INTEGER ByteOffset,
+ _In_ PLARGE_INTEGER Length,
+ _In_ ULONG Key
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtFlushVirtualMemory(
+ _In_ HANDLE ProcessHandle,
+ _Inout_ PVOID *BaseAddress,
+ _Inout_ PSIZE_T RegionSize,
+ _Out_ PIO_STATUS_BLOCK IoStatus
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryVirtualMemory(
+ _In_ HANDLE ProcessHandle,
+ _In_ PVOID BaseAddress,
+ _In_ MEMORY_INFORMATION_CLASS MemoryInformationClass,
+ _Out_ PVOID MemoryInformation,
+ _In_ SIZE_T MemoryInformationLength,
+ _Out_opt_ PSIZE_T ReturnLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtLockVirtualMemory(
+ _In_ HANDLE ProcessHandle,
+ _Inout_ PVOID *BaseAddress,
+ _Inout_ PSIZE_T RegionSize,
+ _In_ ULONG MapType
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtUnlockVirtualMemory(
+ _In_ HANDLE ProcessHandle,
+ _Inout_ PVOID *BaseAddress,
+ _Inout_ PSIZE_T RegionSize,
+ _In_ ULONG MapType
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSystemDebugControl(
+ _In_ SYSDBG_COMMAND Command,
+ _Inout_updates_bytes_opt_(InputBufferLength) PVOID InputBuffer,
+ _In_ ULONG InputBufferLength,
+ _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer,
+ _In_ ULONG OutputBufferLength,
+ _Out_opt_ PULONG ReturnLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtYieldExecution(
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtClose(
+ _In_ HANDLE Handle
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryAttributesFile(
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _Out_ PFILE_BASIC_INFORMATION FileInformation
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryFullAttributesFile(
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _Out_ PFILE_NETWORK_OPEN_INFORMATION FileInformation
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryInformationFile(
+ _In_ HANDLE FileHandle,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _Out_writes_bytes_(Length) PVOID FileInformation,
+ _In_ ULONG Length,
+ _In_ FILE_INFORMATION_CLASS FileInformationClass
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetInformationFile(
+ _In_ HANDLE FileHandle,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_reads_bytes_(Length) PVOID FileInformation,
+ _In_ ULONG Length,
+ _In_ FILE_INFORMATION_CLASS FileInformationClass
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetQuotaInformationFile(
+ _In_ HANDLE FileHandle,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_reads_bytes_(Length) PVOID Buffer,
+ _In_ ULONG Length
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetVolumeInformationFile(
+ _In_ HANDLE FileHandle,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_reads_bytes_(Length) PVOID FsInformation,
+ _In_ ULONG Length,
+ _In_ FS_INFORMATION_CLASS FsInformationClass
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateFile(
+ _Out_ PHANDLE FileHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_opt_ PLARGE_INTEGER AllocationSize,
+ _In_ ULONG FileAttributes,
+ _In_ ULONG ShareAccess,
+ _In_ ULONG CreateDisposition,
+ _In_ ULONG CreateOptions,
+ _In_reads_bytes_opt_(EaLength) PVOID EaBuffer,
+ _In_ ULONG EaLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateNamedPipeFile(
+ _Out_ PHANDLE FileHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_ ULONG ShareAccess,
+ _In_ ULONG CreateDisposition,
+ _In_ ULONG CreateOptions,
+ _In_ ULONG NamedPipeType,
+ _In_ ULONG ReadMode,
+ _In_ ULONG CompletionMode,
+ _In_ ULONG MaximumInstances,
+ _In_ ULONG InboundQuota,
+ _In_ ULONG OutboundQuota,
+ _In_opt_ PLARGE_INTEGER DefaultTimeout
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateMailslotFile(
+ _Out_ PHANDLE FileHandle,
+ _In_ ULONG DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_ ULONG CreateOptions,
+ _In_ ULONG MailslotQuota,
+ _In_ ULONG MaximumMessageSize,
+ _In_ PLARGE_INTEGER ReadTimeout
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCancelIoFile(
+ _In_ HANDLE FileHandle,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock
+ );
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCancelIoFileEx(
+ _In_ HANDLE FileHandle,
+ _In_opt_ PIO_STATUS_BLOCK IoRequestToCancel,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCancelSynchronousIoFile(
+ _In_ HANDLE ThreadHandle,
+ _In_opt_ PIO_STATUS_BLOCK IoRequestToCancel,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock
+ );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateSymbolicLinkObject(
+ _Out_ PHANDLE LinkHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ PUNICODE_STRING LinkTarget
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenSymbolicLinkObject(
+ _Out_ PHANDLE LinkHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQuerySymbolicLinkObject(
+ _In_ HANDLE LinkHandle,
+ _Inout_ PUNICODE_STRING LinkTarget,
+ _Out_opt_ PULONG ReturnedLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtGetContextThread(
+ _In_ HANDLE ThreadHandle,
+ _Inout_ PCONTEXT ThreadContext
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetContextThread(
+ _In_ HANDLE ThreadHandle,
+ _In_ PCONTEXT ThreadContext
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenProcess(
+ _Out_ PHANDLE ProcessHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_opt_ PCLIENT_ID ClientId
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtTerminateProcess(
+ _In_opt_ HANDLE ProcessHandle,
+ _In_ NTSTATUS ExitStatus
+ );
+
+#if NTDDI_VERSION >= NTDDI_WS03
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtGetNextProcess(
+ _In_ HANDLE ProcessHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ ULONG HandleAttributes,
+ _In_ ULONG Flags,
+ _Out_ PHANDLE NewProcessHandle
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtGetNextThread(
+ _In_ HANDLE ProcessHandle,
+ _In_ HANDLE ThreadHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ ULONG HandleAttributes,
+ _In_ ULONG Flags,
+ _Out_ PHANDLE NewThreadHandle
+ );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateDebugObject(
+ _Out_ PHANDLE DebugObjectHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ ULONG Flags
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDebugActiveProcess(
+ _In_ HANDLE ProcessHandle,
+ _In_ HANDLE DebugObjectHandle
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtContinue(
+ _In_ PCONTEXT ContextRecord,
+ _In_ BOOLEAN TestAlert
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRaiseException(
+ _In_ PEXCEPTION_RECORD ExceptionRecord,
+ _In_ PCONTEXT ContextRecord,
+ _In_ BOOLEAN FirstChance
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateThread(
+ _Out_ PHANDLE ThreadHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ HANDLE ProcessHandle,
+ _Out_ PCLIENT_ID ClientId,
+ _In_ PCONTEXT ThreadContext,
+ _In_ PINITIAL_TEB InitialTeb,
+ _In_ BOOLEAN CreateSuspended
+ );
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateThreadEx(
+ _Out_ PHANDLE ThreadHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ HANDLE ProcessHandle,
+ _In_ PUSER_THREAD_START_ROUTINE StartRoutine,
+ _In_opt_ PVOID Argument,
+ _In_ ULONG CreateFlags,
+ _In_opt_ SIZE_T ZeroBits,
+ _In_opt_ SIZE_T StackSize,
+ _In_opt_ SIZE_T MaximumStackSize,
+ _In_opt_ PPS_ATTRIBUTE_LIST AttributeList
+ );
+#endif
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAllocateReserveObject(
+ _Out_ PHANDLE MemoryReserveHandle,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ MEMORY_RESERVE_TYPE Type
+ );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRegisterThreadTerminatePort(
+ _In_ HANDLE PortHandle
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRaiseHardError(
+ _In_ NTSTATUS ErrorStatus,
+ _In_ ULONG NumberOfParameters,
+ _In_ ULONG UnicodeStringParameterMask,
+ _In_reads_(NumberOfParameters) PULONG_PTR Parameters,
+ _In_ HARDERROR_RESPONSE_OPTION ResponseOption,
+ _Out_ PHARDERROR_RESPONSE Response
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAllocateVirtualMemory(
+ _In_ HANDLE ProcessHandle,
+ _Inout_ _At_(*BaseAddress, _Readable_bytes_(*RegionSize) _Writable_bytes_(*RegionSize) _Post_readable_byte_size_(*RegionSize)) PVOID *BaseAddress,
+ _In_ ULONG_PTR ZeroBits,
+ _Inout_ PSIZE_T RegionSize,
+ _In_ ULONG AllocationType,
+ _In_ ULONG Protect
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtFreeVirtualMemory(
+ _In_ HANDLE ProcessHandle,
+ _Inout_ PVOID *BaseAddress,
+ _Inout_ PSIZE_T RegionSize,
+ _In_ ULONG FreeType
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtReadVirtualMemory(
+ _In_ HANDLE ProcessHandle,
+ _In_opt_ PVOID BaseAddress,
+ _Out_writes_bytes_(BufferSize) PVOID Buffer,
+ _In_ SIZE_T BufferSize,
+ _Out_opt_ PSIZE_T NumberOfBytesRead
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtWriteVirtualMemory(
+ _In_ HANDLE ProcessHandle,
+ _In_opt_ PVOID BaseAddress,
+ _In_reads_bytes_(BufferSize) CONST VOID *Buffer,
+ _In_ SIZE_T BufferSize,
+ _Out_opt_ PSIZE_T NumberOfBytesWritten
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAllocateUserPhysicalPages(
+ _In_ HANDLE ProcessHandle,
+ _Inout_ PULONG_PTR NumberOfPages,
+ _Out_writes_(*NumberOfPages) PULONG_PTR UserPfnArray
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtMapUserPhysicalPages(
+ _In_ PVOID VirtualAddress,
+ _In_ ULONG_PTR NumberOfPages,
+ _In_reads_opt_(NumberOfPages) PULONG_PTR UserPfnArray
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtMapUserPhysicalPagesScatter(
+ _In_reads_(NumberOfPages) PVOID *VirtualAddresses,
+ _In_ ULONG_PTR NumberOfPages,
+ _In_reads_opt_(NumberOfPages) PULONG_PTR UserPfnArray
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtFreeUserPhysicalPages(
+ _In_ HANDLE ProcessHandle,
+ _Inout_ PULONG_PTR NumberOfPages,
+ _In_reads_(*NumberOfPages) PULONG_PTR UserPfnArray
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQuerySection(
+ _In_ HANDLE SectionHandle,
+ _In_ SECTION_INFORMATION_CLASS SectionInformationClass,
+ _Out_writes_bytes_(SectionInformationLength) PVOID SectionInformation,
+ _In_ SIZE_T SectionInformationLength,
+ _Out_opt_ PSIZE_T ReturnLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAreMappedFilesTheSame(
+ _In_ PVOID File1MappedAsAnImage,
+ _In_ PVOID File2MappedAsFile
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateSection(
+ _Out_ PHANDLE SectionHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_opt_ PLARGE_INTEGER MaximumSize,
+ _In_ ULONG SectionPageProtection,
+ _In_ ULONG AllocationAttributes,
+ _In_opt_ HANDLE FileHandle
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenSection(
+ _Out_ PHANDLE SectionHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtMapViewOfSection(
+ _In_ HANDLE SectionHandle,
+ _In_ HANDLE ProcessHandle,
+ _Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID *BaseAddress,
+ _In_ ULONG_PTR ZeroBits,
+ _In_ SIZE_T CommitSize,
+ _Inout_opt_ PLARGE_INTEGER SectionOffset,
+ _Inout_ PSIZE_T ViewSize,
+ _In_ SECTION_INHERIT InheritDisposition,
+ _In_ ULONG AllocationType,
+ _In_ ULONG Win32Protect
+ );
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenSession(
+ _Out_ PHANDLE SessionHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+ );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtNotifyChangeDirectoryFile(
+ _In_ HANDLE FileHandle,
+ _In_opt_ HANDLE Event,
+ _In_opt_ PIO_APC_ROUTINE ApcRoutine,
+ _In_opt_ PVOID ApcContext,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _Out_ FILE_NOTIFY_INFORMATION Buffer,
+ _In_ ULONG Length,
+ _In_ ULONG CompletionFilter,
+ _In_ BOOLEAN WatchTree
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenFile(
+ _Out_ PHANDLE FileHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_ ULONG ShareAccess,
+ _In_ ULONG OpenOptions
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryDirectoryFile(
+ _In_ HANDLE FileHandle,
+ _In_opt_ HANDLE Event,
+ _In_opt_ PIO_APC_ROUTINE ApcRoutine,
+ _In_opt_ PVOID ApcContext,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _Out_writes_bytes_(Length) PVOID FileInformation,
+ _In_ ULONG Length,
+ _In_ FILE_INFORMATION_CLASS FileInformationClass,
+ _In_ BOOLEAN ReturnSingleEntry,
+ _In_opt_ PUNICODE_STRING FileName,
+ _In_ BOOLEAN RestartScan
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryEaFile(
+ _In_ HANDLE FileHandle,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _Out_writes_bytes_(Length) PVOID Buffer,
+ _In_ ULONG Length,
+ _In_ BOOLEAN ReturnSingleEntry,
+ _In_reads_bytes_opt_(EaListLength) PVOID EaList,
+ _In_ ULONG EaListLength,
+ _In_opt_ PULONG EaIndex,
+ _In_ BOOLEAN RestartScan
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetEaFile(
+ _In_ HANDLE FileHandle,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_reads_bytes_(Length) PVOID Buffer,
+ _In_ ULONG Length
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtLoadDriver(
+ _In_ PUNICODE_STRING DriverServiceName
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtUnloadDriver(
+ _In_ PUNICODE_STRING DriverServiceName
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtReadFile(
+ _In_ HANDLE FileHandle,
+ _In_opt_ HANDLE Event,
+ _In_opt_ PIO_APC_ROUTINE ApcRoutine,
+ _In_opt_ PVOID ApcContext,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _Out_writes_bytes_(Length) PVOID Buffer,
+ _In_ ULONG Length,
+ _In_opt_ PLARGE_INTEGER ByteOffset,
+ _In_opt_ PULONG Key
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtReadFileScatter(
+ _In_ HANDLE FileHandle,
+ _In_opt_ HANDLE Event,
+ _In_opt_ PIO_APC_ROUTINE ApcRoutine,
+ _In_opt_ PVOID ApcContext,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_ PFILE_SEGMENT_ELEMENT SegmentArray,
+ _In_ ULONG Length,
+ _In_opt_ PLARGE_INTEGER ByteOffset,
+ _In_opt_ PULONG Key
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtWriteFileGather(
+ _In_ HANDLE FileHandle,
+ _In_opt_ HANDLE Event,
+ _In_opt_ PIO_APC_ROUTINE ApcRoutine,
+ _In_opt_ PVOID ApcContext,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_ PFILE_SEGMENT_ELEMENT SegmentArray,
+ _In_ ULONG Length,
+ _In_opt_ PLARGE_INTEGER ByteOffset,
+ _In_opt_ PULONG Key
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDeleteFile(
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtWriteFile(
+ _In_ HANDLE FileHandle,
+ _In_opt_ HANDLE Event,
+ _In_opt_ PIO_APC_ROUTINE ApcRoutine,
+ _In_opt_ PVOID ApcContext,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_reads_bytes_(Length) PVOID Buffer,
+ _In_ ULONG Length,
+ _In_opt_ PLARGE_INTEGER ByteOffset,
+ _In_opt_ PULONG Key
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDeviceIoControlFile(
+ _In_ HANDLE FileHandle,
+ _In_opt_ HANDLE Event,
+ _In_opt_ PIO_APC_ROUTINE ApcRoutine,
+ _In_opt_ PVOID ApcContext,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_ ULONG IoControlCode,
+ _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer,
+ _In_ ULONG InputBufferLength,
+ _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer,
+ _In_ ULONG OutputBufferLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetInformationObject(
+ _In_ HANDLE Handle,
+ _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass,
+ _In_reads_bytes_(ObjectInformationLength) PVOID ObjectInformation,
+ _In_ ULONG ObjectInformationLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDuplicateObject(
+ _In_ HANDLE SourceProcessHandle,
+ _In_ HANDLE SourceHandle,
+ _In_opt_ HANDLE TargetProcessHandle,
+ _Out_opt_ PHANDLE TargetHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ ULONG HandleAttributes,
+ _In_ ULONG Options
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtMakePermanentObject(
+ _In_ HANDLE Object
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtMakeTemporaryObject(
+ _In_ HANDLE Handle
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateDirectoryObject(
+ _Out_ PHANDLE DirectoryHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenDirectoryObject(
+ _Out_ PHANDLE DirectoryHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryDirectoryObject(
+ _In_ HANDLE DirectoryHandle,
+ _Out_writes_bytes_opt_(Length) PVOID Buffer,
+ _In_ ULONG Length,
+ _In_ BOOLEAN ReturnSingleEntry,
+ _In_ BOOLEAN RestartScan,
+ _Inout_ PULONG Context,
+ _Out_opt_ PULONG ReturnLength
+ );
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreatePrivateNamespace(
+ _Out_ PHANDLE NamespaceHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ PVOID BoundaryDescriptor
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenPrivateNamespace(
+ _Out_ PHANDLE NamespaceHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ PVOID BoundaryDescriptor
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDeletePrivateNamespace(
+ _In_ HANDLE NamespaceHandle
+ );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenThread(
+ _Out_ PHANDLE ThreadHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_opt_ PCLIENT_ID ClientId
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtTerminateThread(
+ _In_opt_ HANDLE ThreadHandle,
+ _In_ NTSTATUS ExitStatus
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQuerySystemTime(
+ _Out_ PLARGE_INTEGER SystemTime
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetSystemTime(
+ _In_opt_ PLARGE_INTEGER SystemTime,
+ _Out_opt_ PLARGE_INTEGER PreviousTime
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryTimerResolution(
+ _Out_ PULONG MaximumTime,
+ _Out_ PULONG MinimumTime,
+ _Out_ PULONG CurrentTime
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetTimerResolution(
+ _In_ ULONG DesiredTime,
+ _In_ BOOLEAN SetResolution,
+ _Out_ PULONG ActualTime
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryPerformanceCounter(
+ _Out_ PLARGE_INTEGER PerformanceCounter,
+ _Out_opt_ PLARGE_INTEGER PerformanceFrequency
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAllocateLocallyUniqueId(
+ _Out_ PLUID Luid
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetUuidSeed(
+ _In_ PCHAR Seed
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAllocateUuids(
+ _Out_ PULARGE_INTEGER Time,
+ _Out_ PULONG Range,
+ _Out_ PULONG Sequence,
+ _Out_ PCHAR Seed
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateEvent(
+ _Out_ PHANDLE EventHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ EVENT_TYPE EventType,
+ _In_ BOOLEAN InitialState
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenEvent(
+ _Out_ PHANDLE EventHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetEvent(
+ _In_ HANDLE EventHandle,
+ _Out_opt_ PLONG PreviousState
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtResetEvent(
+ _In_ HANDLE EventHandle,
+ _Out_opt_ PLONG PreviousState
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtClearEvent(
+ _In_ HANDLE EventHandle
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryQuotaInformationFile(
+ _In_ HANDLE FileHandle,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _Out_ PVOID Buffer,
+ _In_ ULONG Length,
+ _In_ BOOLEAN ReturnSingleEntry,
+ _In_opt_ PVOID SidList,
+ _In_ ULONG SidListLength,
+ _In_opt_ PSID StartSid,
+ _In_ BOOLEAN RestartScan
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryVolumeInformationFile(
+ _In_ HANDLE FileHandle,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _Out_writes_bytes_(Length) PVOID FsInformation,
+ _In_ ULONG Length,
+ _In_ FS_INFORMATION_CLASS FsInformationClass
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateKey(
+ _Out_ PHANDLE KeyHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _Reserved_ ULONG TitleIndex,
+ _In_opt_ PUNICODE_STRING Class,
+ _In_ ULONG CreateOptions,
+ _Out_opt_ PULONG Disposition
+ );
+
+#if NTDDI_VERSION >= PNTDDI_VISTA
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateKeyTransacted(
+ _Out_ PHANDLE KeyHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _Reserved_ ULONG TitleIndex,
+ _In_opt_ PUNICODE_STRING Class,
+ _In_ ULONG CreateOptions,
+ _In_ HANDLE TransactionHandle,
+ _Out_opt_ PULONG Disposition
+ );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenKey(
+ _Out_ PHANDLE KeyHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+ );
+
+#if NTDDI_VERSION >= PNTDDI_VISTA
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenKeyTransacted(
+ _Out_ PHANDLE KeyHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ HANDLE TransactionHandle
+ );
+#endif
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenKeyEx(
+ _Out_ PHANDLE KeyHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ ULONG OpenOptions
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenKeyTransactedEx(
+ _Out_ PHANDLE KeyHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ ULONG OpenOptions,
+ _In_ HANDLE TransactionHandle
+ );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDeleteKey(
+ _In_ HANDLE KeyHandle
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRenameKey(
+ _In_ HANDLE KeyHandle,
+ _In_ PUNICODE_STRING NewName
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDeleteValueKey(
+ _In_ HANDLE KeyHandle,
+ _In_ PUNICODE_STRING ValueName
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryKey(
+ _In_ HANDLE KeyHandle,
+ _In_ KEY_INFORMATION_CLASS KeyInformationClass,
+ _Out_writes_bytes_to_opt_(Length, *ResultLength) PVOID KeyInformation,
+ _In_ ULONG Length,
+ _Out_ PULONG ResultLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetInformationKey(
+ _In_ HANDLE KeyHandle,
+ _In_ KEY_SET_INFORMATION_CLASS KeySetInformationClass,
+ _In_reads_bytes_(KeySetInformationLength) PVOID KeySetInformation,
+ _In_ ULONG KeySetInformationLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryValueKey(
+ _In_ HANDLE KeyHandle,
+ _In_ PUNICODE_STRING ValueName,
+ _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
+ _Out_writes_bytes_to_opt_(Length, *ResultLength) PVOID KeyValueInformation,
+ _In_ ULONG Length,
+ _Out_ PULONG ResultLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetValueKey(
+ _In_ HANDLE KeyHandle,
+ _In_ PUNICODE_STRING ValueName,
+ _In_opt_ ULONG TitleIndex,
+ _In_ ULONG Type,
+ _In_reads_bytes_opt_(DataSize) PVOID Data,
+ _In_ ULONG DataSize
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryMultipleValueKey(
+ _In_ HANDLE KeyHandle,
+ _Inout_updates_(EntryCount) PKEY_VALUE_ENTRY ValueEntries,
+ _In_ ULONG EntryCount,
+ _Out_writes_bytes_(*BufferLength) PVOID ValueBuffer,
+ _Inout_ PULONG BufferLength,
+ _Out_opt_ PULONG RequiredBufferLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtEnumerateKey(
+ _In_ HANDLE KeyHandle,
+ _In_ ULONG Index,
+ _In_ KEY_INFORMATION_CLASS KeyInformationClass,
+ _Out_writes_bytes_to_opt_(Length, *ResultLength) PVOID KeyInformation,
+ _In_ ULONG Length,
+ _Out_ PULONG ResultLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtEnumerateValueKey(
+ _In_ HANDLE KeyHandle,
+ _In_ ULONG Index,
+ _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
+ _Out_writes_bytes_to_opt_(Length, *ResultLength) PVOID KeyValueInformation,
+ _In_ ULONG Length,
+ _Out_ PULONG ResultLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtFlushKey(
+ _In_ HANDLE KeyHandle
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCompactKeys(
+ _In_ ULONG Count,
+ _In_ PHANDLE KeyArray
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCompressKey(
+ _In_ HANDLE Key
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtLoadKey(
+ _In_ POBJECT_ATTRIBUTES TargetKey,
+ _In_ POBJECT_ATTRIBUTES SourceFile
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtLoadKey2(
+ _In_ POBJECT_ATTRIBUTES TargetKey,
+ _In_ POBJECT_ATTRIBUTES SourceFile,
+ _In_ ULONG Flags
+ );
+
+#if NTDDI_VERSION >= NTDDI_WS03
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtLoadKeyEx(
+ _In_ POBJECT_ATTRIBUTES TargetKey,
+ _In_ POBJECT_ATTRIBUTES SourceFile,
+ _In_ ULONG Flags,
+ _In_opt_ HANDLE TrustClassKey,
+ _In_opt_ HANDLE Event,
+ _In_opt_ ACCESS_MASK DesiredAccess,
+ _Out_opt_ PHANDLE RootHandle,
+ _Out_opt_ PIO_STATUS_BLOCK IoStatus
+ );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtReplaceKey(
+ _In_ POBJECT_ATTRIBUTES NewFile,
+ _In_ HANDLE TargetHandle,
+ _In_ POBJECT_ATTRIBUTES OldFile
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSaveKey(
+ _In_ HANDLE KeyHandle,
+ _In_ HANDLE FileHandle
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSaveKeyEx(
+ _In_ HANDLE KeyHandle,
+ _In_ HANDLE FileHandle,
+ _In_ ULONG Format
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSaveMergedKeys(
+ _In_ HANDLE HighPrecedenceKeyHandle,
+ _In_ HANDLE LowPrecedenceKeyHandle,
+ _In_ HANDLE FileHandle
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRestoreKey(
+ _In_ HANDLE KeyHandle,
+ _In_opt_ HANDLE FileHandle,
+ _In_ ULONG Flags
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtUnloadKey(
+ _In_ POBJECT_ATTRIBUTES TargetKey
+ );
+
+#if NTDDI_VERSION >= NTDDI_WS03
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtUnloadKey2(
+ _In_ POBJECT_ATTRIBUTES TargetKey,
+ _In_ ULONG Flags
+ );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtUnloadKeyEx(
+ _In_ POBJECT_ATTRIBUTES TargetKey,
+ _In_opt_ HANDLE Event
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtNotifyChangeKey(
+ _In_ HANDLE KeyHandle,
+ _In_opt_ HANDLE Event,
+ _In_opt_ PIO_APC_ROUTINE ApcRoutine,
+ _In_opt_ PVOID ApcContext,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_ ULONG CompletionFilter,
+ _In_ BOOLEAN WatchTree,
+ _Out_writes_bytes_opt_(BufferSize) PVOID Buffer,
+ _In_ ULONG BufferSize,
+ _In_ BOOLEAN Asynchronous
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtNotifyChangeMultipleKeys(
+ _In_ HANDLE MasterKeyHandle,
+ _In_opt_ ULONG Count,
+ _In_reads_opt_(Count) OBJECT_ATTRIBUTES SubordinateObjects[],
+ _In_opt_ HANDLE Event,
+ _In_opt_ PIO_APC_ROUTINE ApcRoutine,
+ _In_opt_ PVOID ApcContext,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_ ULONG CompletionFilter,
+ _In_ BOOLEAN WatchTree,
+ _Out_writes_bytes_opt_(BufferSize) PVOID Buffer,
+ _In_ ULONG BufferSize,
+ _In_ BOOLEAN Asynchronous
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryOpenSubKeys(
+ _In_ POBJECT_ATTRIBUTES TargetKey,
+ _Out_ PULONG HandleCount
+ );
+
+#if NTDDI_VERSION >= NTDDI_WS03
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryOpenSubKeysEx(
+ _In_ POBJECT_ATTRIBUTES TargetKey,
+ _In_ ULONG BufferLength,
+ _Out_writes_bytes_(BufferLength) PVOID Buffer,
+ _Out_ PULONG RequiredSize
+ );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtInitializeRegistry(
+ _In_ USHORT BootCondition
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtLockRegistryKey(
+ _In_ HANDLE KeyHandle
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtLockProductActivationKeys(
+ _Inout_opt_ ULONG *pPrivateVer,
+ _Out_opt_ ULONG *pSafeMode
+ );
+
+#if NTDDI_VERSION >= PNTDDI_VISTA
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtFreezeRegistry(
+ _In_ ULONG TimeOutInSeconds
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtThawRegistry(
+ );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDelayExecution(
+ _In_ BOOLEAN Alertable,
+ _In_ PLARGE_INTEGER DelayInterval
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCallbackReturn(
+ _In_reads_bytes_opt_(OutputLength) PVOID OutputBuffer,
+ _In_ ULONG OutputLength,
+ _In_ NTSTATUS Status
+ );
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+NTSYSCALLAPI
+VOID
+NTAPI
+NtFlushProcessWriteBuffers(
+ );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryDebugFilterState(
+ _In_ ULONG ComponentId,
+ _In_ ULONG Level
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetDebugFilterState(
+ _In_ ULONG ComponentId,
+ _In_ ULONG Level,
+ _In_ BOOLEAN State
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRemoveProcessDebug(
+ _In_ HANDLE ProcessHandle,
+ _In_ HANDLE DebugObjectHandle
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtWaitForDebugEvent(
+ _In_ HANDLE DebugObjectHandle,
+ _In_ BOOLEAN Alertable,
+ _In_opt_ PLARGE_INTEGER Timeout,
+ _Out_ PDBGUI_WAIT_STATE_CHANGE WaitStateChange
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDebugContinue(
+ _In_ HANDLE DebugObjectHandle,
+ _In_ PCLIENT_ID ClientId,
+ _In_ NTSTATUS ContinueStatus
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetInformationDebugObject(
+ _In_ HANDLE DebugObjectHandle,
+ _In_ DEBUGOBJECTINFOCLASS DebugObjectInformationClass,
+ _In_ PVOID DebugInformation,
+ _In_ ULONG DebugInformationLength,
+ _Out_opt_ PULONG ReturnLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenProcessToken(
+ _In_ HANDLE ProcessHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _Out_ PHANDLE TokenHandle
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenProcessTokenEx(
+ _In_ HANDLE ProcessHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ ULONG HandleAttributes,
+ _Out_ PHANDLE TokenHandle
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenThreadToken(
+ _In_ HANDLE ThreadHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ BOOLEAN OpenAsSelf,
+ _Out_ PHANDLE TokenHandle
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenThreadTokenEx(
+ _In_ HANDLE ThreadHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ BOOLEAN OpenAsSelf,
+ _In_ ULONG HandleAttributes,
+ _Out_ PHANDLE TokenHandle
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateToken(
+ _Out_ PHANDLE TokenHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ TOKEN_TYPE TokenType,
+ _In_ PLUID AuthenticationId,
+ _In_ PLARGE_INTEGER ExpirationTime,
+ _In_ PTOKEN_USER User,
+ _In_ PTOKEN_GROUPS Groups,
+ _In_ PTOKEN_PRIVILEGES Privileges,
+ _In_opt_ PTOKEN_OWNER Owner,
+ _In_ PTOKEN_PRIMARY_GROUP PrimaryGroup,
+ _In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl,
+ _In_ PTOKEN_SOURCE TokenSource
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDuplicateToken(
+ _In_ HANDLE ExistingTokenHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ BOOLEAN EffectiveOnly,
+ _In_ TOKEN_TYPE TokenType,
+ _Out_ PHANDLE NewTokenHandle
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAdjustPrivilegesToken(
+ _In_ HANDLE TokenHandle,
+ _In_ BOOLEAN DisableAllPrivileges,
+ _In_opt_ PTOKEN_PRIVILEGES NewState,
+ _In_ ULONG BufferLength,
+ _Out_opt_ PTOKEN_PRIVILEGES PreviousState,
+ _Out_ PULONG ReturnLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAdjustGroupsToken(
+ _In_ HANDLE TokenHandle,
+ _In_ BOOLEAN ResetToDefault,
+ _In_opt_ PTOKEN_GROUPS NewState,
+ _In_opt_ ULONG BufferLength,
+ _Out_ PTOKEN_GROUPS PreviousState,
+ _Out_ PULONG ReturnLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtFilterToken(
+ _In_ HANDLE ExistingTokenHandle,
+ _In_ ULONG Flags,
+ _In_opt_ PTOKEN_GROUPS SidsToDisable,
+ _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete,
+ _In_opt_ PTOKEN_GROUPS RestrictedSids,
+ _Out_ PHANDLE NewTokenHandle
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetInformationToken(
+ _In_ HANDLE TokenHandle,
+ _In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
+ _In_ PVOID TokenInformation,
+ _In_ ULONG TokenInformationLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCompareTokens(
+ _In_ HANDLE FirstTokenHandle,
+ _In_ HANDLE SecondTokenHandle,
+ _Out_ PBOOLEAN Equal
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtPrivilegeCheck(
+ _In_ HANDLE ClientToken,
+ _Inout_ PPRIVILEGE_SET RequiredPrivileges,
+ _Out_ PBOOLEAN Result
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtImpersonateAnonymousToken(
+ _In_ HANDLE ThreadHandle
+ );
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQuerySecurityAttributesToken(
+ _In_ HANDLE TokenHandle,
+ _In_reads_opt_(NumberOfAttributes) PUNICODE_STRING Attributes,
+ _In_ ULONG NumberOfAttributes,
+ _Out_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION Buffer,
+ _In_ ULONG Length,
+ _Out_ PULONG ReturnLength
+ );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAccessCheck(
+ _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _In_ HANDLE ClientToken,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ PGENERIC_MAPPING GenericMapping,
+ _Out_ PPRIVILEGE_SET PrivilegeSet,
+ _Inout_ PULONG PrivilegeSetLength,
+ _Out_ PACCESS_MASK GrantedAccess,
+ _Out_ PNTSTATUS AccessStatus
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAccessCheckByType(
+ _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _In_opt_ PSID PrincipalSelfSid,
+ _In_ HANDLE ClientToken,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_TYPE_LIST ObjectTypeList,
+ _In_ ULONG ObjectTypeListLength,
+ _In_ PGENERIC_MAPPING GenericMapping,
+ _Out_ PPRIVILEGE_SET PrivilegeSet,
+ _Inout_ PULONG PrivilegeSetLength,
+ _Out_ PACCESS_MASK GrantedAccess,
+ _Out_ PNTSTATUS AccessStatus
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAccessCheckByTypeResultList(
+ _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _In_opt_ PSID PrincipalSelfSid,
+ _In_ HANDLE ClientToken,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_TYPE_LIST ObjectTypeList,
+ _In_ ULONG ObjectTypeListLength,
+ _In_ PGENERIC_MAPPING GenericMapping,
+ _Out_ PPRIVILEGE_SET PrivilegeSet,
+ _Inout_ PULONG PrivilegeSetLength,
+ _Out_ PACCESS_MASK GrantedAccess,
+ _Out_ PNTSTATUS AccessStatus
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateIoCompletion(
+ _Out_ PHANDLE IoCompletionHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_opt_ ULONG Count
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenIoCompletion(
+ _Out_ PHANDLE IoCompletionHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryIoCompletion(
+ _In_ HANDLE IoCompletionHandle,
+ _In_ IO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass,
+ _Out_writes_bytes_(IoCompletionInformationLength) PVOID IoCompletionInformation,
+ _In_ ULONG IoCompletionInformationLength,
+ _Out_opt_ PULONG ReturnLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetIoCompletion(
+ _In_ HANDLE IoCompletionHandle,
+ _In_opt_ PVOID KeyContext,
+ _In_opt_ PVOID ApcContext,
+ _In_ NTSTATUS IoStatus,
+ _In_ ULONG_PTR IoStatusInformation
+ );
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetIoCompletionEx(
+ _In_ HANDLE IoCompletionHandle,
+ _In_ HANDLE IoCompletionPacketHandle,
+ _In_opt_ PVOID KeyContext,
+ _In_opt_ PVOID ApcContext,
+ _In_ NTSTATUS IoStatus,
+ _In_ ULONG_PTR IoStatusInformation
+ );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRemoveIoCompletion(
+ _In_ HANDLE IoCompletionHandle,
+ _Out_ PVOID *KeyContext,
+ _Out_ PVOID *ApcContext,
+ _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+ _In_opt_ PLARGE_INTEGER Timeout
+ );
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRemoveIoCompletionEx(
+ _In_ HANDLE IoCompletionHandle,
+ _Out_writes_to_(Count, *NumEntriesRemoved) PFILE_IO_COMPLETION_INFORMATION IoCompletionInformation,
+ _In_ ULONG Count,
+ _Out_ PULONG NumEntriesRemoved,
+ _In_opt_ PLARGE_INTEGER Timeout,
+ _In_ BOOLEAN Alertable
+ );
+#endif
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtNotifyChangeSession(
+ _In_ HANDLE SessionHandle,
+ _In_ ULONG ChangeSequenceNumber,
+ _In_ PLARGE_INTEGER ChangeTimeStamp,
+ _In_ IO_SESSION_EVENT Event,
+ _In_ IO_SESSION_STATE NewState,
+ _In_ IO_SESSION_STATE PreviousState,
+ _In_reads_bytes_opt_(PayloadSize) PVOID Payload,
+ _In_ ULONG PayloadSize
+ );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateMutant(
+ _Out_ PHANDLE MutantHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ BOOLEAN InitialOwner
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenMutant(
+ _Out_ PHANDLE MutantHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtReleaseMutant(
+ _In_ HANDLE MutantHandle,
+ _Out_opt_ PLONG PreviousCount
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAlertThread(
+ _In_ HANDLE ThreadHandle
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAlertResumeThread(
+ _In_ HANDLE ThreadHandle,
+ _Out_opt_ PULONG PreviousSuspendCount
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtTestAlert(
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtImpersonateThread(
+ _In_ HANDLE ServerThreadHandle,
+ _In_ HANDLE ClientThreadHandle,
+ _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateSemaphore(
+ _Out_ PHANDLE SemaphoreHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ LONG InitialCount,
+ _In_ LONG MaximumCount
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenSemaphore(
+ _Out_ PHANDLE SemaphoreHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtReleaseSemaphore(
+ _In_ HANDLE SemaphoreHandle,
+ _In_ LONG ReleaseCount,
+ _Out_opt_ PLONG PreviousCount
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQuerySemaphore(
+ _In_ HANDLE SemaphoreHandle,
+ _In_ SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass,
+ _Out_writes_bytes_(SemaphoreInformationLength) PVOID SemaphoreInformation,
+ _In_ ULONG SemaphoreInformationLength,
+ _Out_opt_ PULONG ReturnLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateTimer(
+ _Out_ PHANDLE TimerHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ TIMER_TYPE TimerType
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenTimer(
+ _Out_ PHANDLE TimerHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetTimer(
+ _In_ HANDLE TimerHandle,
+ _In_ PLARGE_INTEGER DueTime,
+ _In_opt_ PTIMER_APC_ROUTINE TimerApcRoutine,
+ _In_opt_ PVOID TimerContext,
+ _In_ BOOLEAN ResumeTimer,
+ _In_opt_ LONG Period,
+ _Out_opt_ PBOOLEAN PreviousState
+ );
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetTimerEx(
+ _In_ HANDLE TimerHandle,
+ _In_ TIMER_SET_INFORMATION_CLASS TimerSetInformationClass,
+ _Inout_updates_bytes_opt_(TimerSetInformationLength) PVOID TimerSetInformation,
+ _In_ ULONG TimerSetInformationLength
+ );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCancelTimer(
+ _In_ HANDLE TimerHandle,
+ _Out_opt_ PBOOLEAN CurrentState
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryTimer(
+ _In_ HANDLE TimerHandle,
+ _In_ TIMER_INFORMATION_CLASS TimerInformationClass,
+ _Out_ PVOID TimerInformation,
+ _In_ ULONG TimerInformationLength,
+ _Out_opt_ PULONG ReturnLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateKeyedEvent(
+ _Out_ PHANDLE KeyedEventHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ ULONG Flags
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenKeyedEvent(
+ _Out_ PHANDLE KeyedEventHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtReleaseKeyedEvent(
+ _In_ HANDLE KeyedEventHandle,
+ _In_ PVOID KeyValue,
+ _In_ BOOLEAN Alertable,
+ _In_opt_ PLARGE_INTEGER Timeout
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtWaitForKeyedEvent(
+ _In_ HANDLE KeyedEventHandle,
+ _In_ PVOID KeyValue,
+ _In_ BOOLEAN Alertable,
+ _In_opt_ PLARGE_INTEGER Timeout
+ );
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtUmsThreadYield(
+ _In_ PVOID SchedulerParam
+ );
+#endif
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateTransactionManager(
+ _Out_ PHANDLE TmHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_opt_ PUNICODE_STRING LogFileName,
+ _In_opt_ ULONG CreateOptions,
+ _In_opt_ ULONG CommitStrength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenTransactionManager(
+ _Out_ PHANDLE TmHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_opt_ PUNICODE_STRING LogFileName,
+ _In_opt_ LPGUID TmIdentity,
+ _In_opt_ ULONG OpenOptions
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRenameTransactionManager(
+ _In_ PUNICODE_STRING LogFileName,
+ _In_ LPGUID ExistingTransactionManagerGuid
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRollforwardTransactionManager(
+ _In_ HANDLE TransactionManagerHandle,
+ _In_opt_ PLARGE_INTEGER TmVirtualClock
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRecoverTransactionManager(
+ _In_ HANDLE TransactionManagerHandle
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryInformationTransactionManager(
+ _In_ HANDLE TransactionManagerHandle,
+ _In_ TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass,
+ _Out_writes_bytes_(TransactionManagerInformationLength) PVOID TransactionManagerInformation,
+ _In_ ULONG TransactionManagerInformationLength,
+ _Out_opt_ PULONG ReturnLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetInformationTransactionManager(
+ _In_ HANDLE TmHandle,
+ _In_ TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass,
+ _In_ PVOID TransactionManagerInformation,
+ _In_ ULONG TransactionManagerInformationLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtEnumerateTransactionObject(
+ _In_opt_ HANDLE RootObjectHandle,
+ _In_ KTMOBJECT_TYPE QueryType,
+ _Inout_updates_bytes_(ObjectCursorLength) PKTMOBJECT_CURSOR ObjectCursor,
+ _In_ ULONG ObjectCursorLength,
+ _Out_ PULONG ReturnLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateTransaction(
+ _Out_ PHANDLE TransactionHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_opt_ LPGUID Uow,
+ _In_opt_ HANDLE TmHandle,
+ _In_opt_ ULONG CreateOptions,
+ _In_opt_ ULONG IsolationLevel,
+ _In_opt_ ULONG IsolationFlags,
+ _In_opt_ PLARGE_INTEGER Timeout,
+ _In_opt_ PUNICODE_STRING Description
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenTransaction(
+ _Out_ PHANDLE TransactionHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ LPGUID Uow,
+ _In_opt_ HANDLE TmHandle
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryInformationTransaction(
+ _In_ HANDLE TransactionHandle,
+ _In_ TRANSACTION_INFORMATION_CLASS TransactionInformationClass,
+ _Out_writes_bytes_(TransactionInformationLength) PVOID TransactionInformation,
+ _In_ ULONG TransactionInformationLength,
+ _Out_opt_ PULONG ReturnLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetInformationTransaction(
+ _In_ HANDLE TransactionHandle,
+ _In_ TRANSACTION_INFORMATION_CLASS TransactionInformationClass,
+ _In_ PVOID TransactionInformation,
+ _In_ ULONG TransactionInformationLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCommitTransaction(
+ _In_ HANDLE TransactionHandle,
+ _In_ BOOLEAN Wait
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRollbackTransaction(
+ _In_ HANDLE TransactionHandle,
+ _In_ BOOLEAN Wait
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateEnlistment(
+ _Out_ PHANDLE EnlistmentHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ HANDLE ResourceManagerHandle,
+ _In_ HANDLE TransactionHandle,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_opt_ ULONG CreateOptions,
+ _In_ NOTIFICATION_MASK NotificationMask,
+ _In_opt_ PVOID EnlistmentKey
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenEnlistment(
+ _Out_ PHANDLE EnlistmentHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ HANDLE ResourceManagerHandle,
+ _In_ LPGUID EnlistmentGuid,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryInformationEnlistment(
+ _In_ HANDLE EnlistmentHandle,
+ _In_ ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass,
+ _Out_writes_bytes_(EnlistmentInformationLength) PVOID EnlistmentInformation,
+ _In_ ULONG EnlistmentInformationLength,
+ _Out_opt_ PULONG ReturnLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetInformationEnlistment(
+ _In_opt_ HANDLE EnlistmentHandle,
+ _In_ ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass,
+ _In_reads_bytes_(EnlistmentInformationLength) PVOID EnlistmentInformation,
+ _In_ ULONG EnlistmentInformationLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRecoverEnlistment(
+ _In_ HANDLE EnlistmentHandle,
+ _In_opt_ PVOID EnlistmentKey
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtPrePrepareEnlistment(
+ _In_ HANDLE EnlistmentHandle,
+ _In_opt_ PLARGE_INTEGER TmVirtualClock
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtPrepareEnlistment(
+ _In_ HANDLE EnlistmentHandle,
+ _In_opt_ PLARGE_INTEGER TmVirtualClock
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCommitEnlistment(
+ _In_ HANDLE EnlistmentHandle,
+ _In_opt_ PLARGE_INTEGER TmVirtualClock
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRollbackEnlistment(
+ _In_ HANDLE EnlistmentHandle,
+ _In_opt_ PLARGE_INTEGER TmVirtualClock
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtPrePrepareComplete(
+ _In_ HANDLE EnlistmentHandle,
+ _In_opt_ PLARGE_INTEGER TmVirtualClock
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtPrepareComplete(
+ _In_ HANDLE EnlistmentHandle,
+ _In_opt_ PLARGE_INTEGER TmVirtualClock
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCommitComplete(
+ _In_ HANDLE EnlistmentHandle,
+ _In_opt_ PLARGE_INTEGER TmVirtualClock
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtReadOnlyEnlistment(
+ _In_ HANDLE EnlistmentHandle,
+ _In_opt_ PLARGE_INTEGER TmVirtualClock
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRollbackComplete(
+ _In_ HANDLE EnlistmentHandle,
+ _In_opt_ PLARGE_INTEGER TmVirtualClock
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSinglePhaseReject(
+ _In_ HANDLE EnlistmentHandle,
+ _In_opt_ PLARGE_INTEGER TmVirtualClock
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateResourceManager(
+ _Out_ PHANDLE ResourceManagerHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ HANDLE TmHandle,
+ _In_opt_ LPGUID ResourceManagerGuid,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_opt_ ULONG CreateOptions,
+ _In_opt_ PUNICODE_STRING Description
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenResourceManager(
+ _Out_ PHANDLE ResourceManagerHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ HANDLE TmHandle,
+ _In_ LPGUID ResourceManagerGuid,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRecoverResourceManager(
+ _In_ HANDLE ResourceManagerHandle
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtGetNotificationResourceManager(
+ _In_ HANDLE ResourceManagerHandle,
+ _Out_ PTRANSACTION_NOTIFICATION TransactionNotification,
+ _In_ ULONG NotificationLength,
+ _In_ PLARGE_INTEGER Timeout,
+ _Out_opt_ PULONG ReturnLength,
+ _In_ ULONG Asynchronous,
+ _In_opt_ ULONG_PTR AsynchronousContext
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryInformationResourceManager(
+ _In_ HANDLE ResourceManagerHandle,
+ _In_ RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass,
+ _Out_writes_bytes_(ResourceManagerInformationLength) PVOID ResourceManagerInformation,
+ _In_ ULONG ResourceManagerInformationLength,
+ _Out_opt_ PULONG ReturnLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetInformationResourceManager(
+ _In_ HANDLE ResourceManagerHandle,
+ _In_ RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass,
+ _In_ PVOID ResourceManagerInformation,
+ _In_ ULONG ResourceManagerInformationLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRegisterProtocolAddressInformation(
+ _In_ HANDLE ResourceManager,
+ _In_ PCRM_PROTOCOL_ID ProtocolId,
+ _In_ ULONG ProtocolInformationSize,
+ _In_ PVOID ProtocolInformation,
+ _In_opt_ ULONG CreateOptions
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtPropagationComplete(
+ _In_ HANDLE ResourceManagerHandle,
+ _In_ ULONG RequestCookie,
+ _In_ ULONG BufferLength,
+ _In_ PVOID Buffer
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtPropagationFailed(
+ _In_ HANDLE ResourceManagerHandle,
+ _In_ ULONG RequestCookie,
+ _In_ NTSTATUS PropStatus
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtFreezeTransactions(
+ _In_ PLARGE_INTEGER FreezeTimeout,
+ _In_ PLARGE_INTEGER ThawTimeout
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtThawTransactions(
+ );
+#endif
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateWorkerFactory(
+ _Out_ PHANDLE WorkerFactoryHandleReturn,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ HANDLE CompletionPortHandle,
+ _In_ HANDLE WorkerProcessHandle,
+ _In_ PUSER_THREAD_START_ROUTINE StartRoutine,
+ _In_opt_ PVOID StartParameter,
+ _In_opt_ ULONG MaxThreadCount,
+ _In_opt_ SIZE_T StackReserve,
+ _In_opt_ SIZE_T StackCommit
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryInformationWorkerFactory(
+ _In_ HANDLE WorkerFactoryHandle,
+ _In_ WORKERFACTORYINFOCLASS WorkerFactoryInformationClass,
+ _Out_ PVOID WorkerFactoryInformation,
+ _In_ ULONG WorkerFactoryInformationLength,
+ _Out_opt_ PULONG ReturnLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetInformationWorkerFactory(
+ _In_ HANDLE WorkerFactoryHandle,
+ _In_ WORKERFACTORYINFOCLASS WorkerFactoryInformationClass,
+ _In_ PVOID WorkerFactoryInformation,
+ _In_ ULONG WorkerFactoryInformationLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtShutdownWorkerFactory(
+ _In_ HANDLE WorkerFactoryHandle,
+ _Inout_ volatile LONG *PendingWorkerCount
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtReleaseWorkerFactoryWorker(
+ _In_ HANDLE WorkerFactoryHandle
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtWorkerFactoryWorkerReady(
+ _In_ HANDLE WorkerFactoryHandle
+ );
+#endif
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+#if NTDDI_VERSION >= NTDDI_WIN8 || defined(_WIN64)
+// Windows 8+ declaration, can be used on Win 7 x64
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtWaitForWorkViaWorkerFactory(
+ _In_ HANDLE WorkerFactoryHandle,
+ _Out_ PFILE_IO_COMPLETION_INFORMATION *MiniPacket,
+ _In_ ULONG NumberOfMiniPackets,
+ _Out_ PULONG NumberOfMiniPacketsReturned,
+ _In_opt_ PHANDLE Handles,
+ _In_ PULONG Flags
+ );
+#else
+// Allow Windows 7 x86 to link (import @8 instead of @20) and run without stack corruption
+// If you're using one of the new shitty Windows versions on x86 you should use the other declaration
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+ZwWaitForWorkViaWorkerFactory(
+ _In_ HANDLE WorkerFactoryHandle,
+ _Out_ PFILE_IO_COMPLETION_INFORMATION MiniPacket
+ );
+
+FORCEINLINE
+NTSTATUS
+NtWaitForWorkViaWorkerFactory(
+ _In_ HANDLE WorkerFactoryHandle,
+ _Out_ PFILE_IO_COMPLETION_INFORMATION MiniPacket,
+ _Reserved_ ULONG Count,
+ _Reserved_ PULONG NumEntriesRemoved,
+ _Reserved_ PLARGE_INTEGER Unknown
+ )
+{
+ UNREFERENCED_PARAMETER(Count);
+ UNREFERENCED_PARAMETER(NumEntriesRemoved);
+ UNREFERENCED_PARAMETER(Unknown);
+
+ return ZwWaitForWorkViaWorkerFactory(WorkerFactoryHandle,
+ MiniPacket);
+}
+#endif
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQuerySystemEnvironmentValue(
+ _In_ PUNICODE_STRING VariableName,
+ _Out_writes_bytes_(ValueLength) PWSTR VariableValue,
+ _In_ USHORT ValueLength,
+ _Out_opt_ PUSHORT ReturnLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetSystemEnvironmentValue(
+ _In_ PUNICODE_STRING VariableName,
+ _In_ PUNICODE_STRING VariableValue
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQuerySystemEnvironmentValueEx(
+ _In_ PUNICODE_STRING VariableName,
+ _In_ LPGUID VendorGuid,
+ _Out_writes_bytes_opt_(*ValueLength) PVOID Value,
+ _Inout_ PULONG ValueLength,
+ _Out_opt_ PULONG Attributes
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetSystemEnvironmentValueEx(
+ _In_ PUNICODE_STRING VariableName,
+ _In_ LPGUID VendorGuid,
+ _In_reads_bytes_opt_(ValueLength) PVOID Value,
+ _In_ ULONG ValueLength,
+ _In_ ULONG Attributes
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtEnumerateSystemEnvironmentValuesEx(
+ _In_ ULONG InformationClass,
+ _Out_ PVOID Buffer,
+ _Inout_ PULONG BufferLength
+ );
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAddBootEntry(
+ _In_ PBOOT_ENTRY BootEntry,
+ _Out_opt_ PULONG Id
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDeleteBootEntry(
+ _In_ ULONG Id
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtModifyBootEntry(
+ _In_ PBOOT_ENTRY BootEntry
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtEnumerateBootEntries(
+ _Out_writes_bytes_opt_(*BufferLength) PVOID Buffer,
+ _Inout_ PULONG BufferLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryBootEntryOrder(
+ _Out_writes_opt_(*Count) PULONG Ids,
+ _Inout_ PULONG Count
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetBootEntryOrder(
+ _In_reads_(Count) PULONG Ids,
+ _In_ ULONG Count
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryBootOptions(
+ _Out_writes_bytes_opt_(*BootOptionsLength) PBOOT_OPTIONS BootOptions,
+ _Inout_ PULONG BootOptionsLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetBootOptions(
+ _In_ PBOOT_OPTIONS BootOptions,
+ _In_ ULONG FieldsToChange
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtTranslateFilePath(
+ _In_ PFILE_PATH InputFilePath,
+ _In_ ULONG OutputType,
+ _Out_writes_bytes_opt_(*OutputFilePathLength) PFILE_PATH OutputFilePath,
+ _Inout_opt_ PULONG OutputFilePathLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAddDriverEntry(
+ _In_ PEFI_DRIVER_ENTRY DriverEntry,
+ _Out_opt_ PULONG Id
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDeleteDriverEntry(
+ _In_ ULONG Id
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtModifyDriverEntry(
+ _In_ PEFI_DRIVER_ENTRY DriverEntry
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtEnumerateDriverEntries(
+ _Out_writes_bytes_opt_(*BufferLength) PVOID Buffer,
+ _Inout_ PULONG BufferLength
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryDriverEntryOrder(
+ _Out_writes_opt_(*Count) PULONG Ids,
+ _Inout_ PULONG Count
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetDriverEntryOrder(
+ _In_reads_(Count) PULONG Ids,
+ _In_ ULONG Count
+ );
+
+#endif
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSerializeBoot(
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtEnableLastKnownGood(
+ );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDisableLastKnownGood(
+ );
+
+#endif
+
+NTSYSAPI
+ULONG
+__cdecl
+DbgPrint(
+ _In_ PCH Format,
+ ...
+ );
+
+NTSYSAPI
+ULONG
+__cdecl
+DbgPrintEx(
+ _In_ ULONG ComponentId,
+ _In_ ULONG Level,
+ _In_ PCSTR Format,
+ ...
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+DbgBreakPoint(
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+DbgUiConnectToDbg(
+ );
+
+NTSYSAPI
+HANDLE
+NTAPI
+DbgUiGetThreadDebugObject(
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+DbgUiSetThreadDebugObject(
+ _In_ HANDLE DebugObject
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+DbgUiWaitStateChange(
+ _Out_ PDBGUI_WAIT_STATE_CHANGE StateChange,
+ _In_opt_ PLARGE_INTEGER Timeout
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+DbgUiContinue(
+ _In_ PCLIENT_ID AppClientId,
+ _In_ NTSTATUS ContinueStatus
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+DbgUiStopDebugging(
+ _In_ HANDLE Process
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+DbgUiDebugActiveProcess(
+ _In_ HANDLE Process
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+DbgUiRemoteBreakin(
+ _In_ PVOID Context
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+DbgUiIssueRemoteBreakin(
+ _In_ HANDLE Process
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+DbgUiConvertStateChangeStructure(
+ _In_ PDBGUI_WAIT_STATE_CHANGE StateChange,
+ _Out_ DEBUG_EVENT *DebugEvent
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrLoadDll(
+ _In_opt_ PCWSTR DllPath,
+ _In_opt_ PULONG DllCharacteristics,
+ _In_ PUNICODE_STRING DllName,
+ _Out_ PVOID *DllHandle
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrGetDllHandle(
+ _In_opt_ PCWSTR DllPath,
+ _In_opt_ PULONG DllCharacteristics,
+ _In_ PUNICODE_STRING DllName,
+ _Out_ PVOID *DllHandle
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrGetDllHandleEx(
+ _In_ ULONG Flags,
+ _In_opt_ PCWSTR DllPath,
+ _In_opt_ PULONG DllCharacteristics,
+ _In_ PUNICODE_STRING DllName,
+ _Out_opt_ PVOID *DllHandle
+ );
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrGetDllHandleByMapping(
+ _In_ PVOID Base,
+ _Out_ PVOID *DllHandle
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrGetDllHandleByName(
+ _In_opt_ PUNICODE_STRING BaseDllName,
+ _In_opt_ PUNICODE_STRING FullDllName,
+ _Out_ PVOID *DllHandle
+ );
+#endif
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrGetProcedureAddress(
+ _In_ PVOID DllHandle,
+ _In_opt_ CONST PANSI_STRING ProcedureName,
+ _In_opt_ ULONG ProcedureNumber,
+ _Out_ PVOID *ProcedureAddress
+ );
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrGetProcedureAddressEx(
+ _In_ PVOID DllHandle,
+ _In_opt_ PANSI_STRING ProcedureName,
+ _In_opt_ ULONG ProcedureNumber,
+ _Out_ PVOID *ProcedureAddress,
+ _In_ ULONG Flags
+ );
+#endif
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrLockLoaderLock(
+ _In_ ULONG Flags,
+ _Out_opt_ ULONG *Disposition,
+ _Out_ PVOID *Cookie
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrUnlockLoaderLock(
+ _In_ ULONG Flags,
+ _Inout_ PVOID Cookie
+ );
+
+NTSYSAPI
+PIMAGE_BASE_RELOCATION
+NTAPI
+LdrProcessRelocationBlock(
+ _In_ ULONG_PTR VA,
+ _In_ ULONG SizeOfBlock,
+ _In_ PUSHORT NextOffset,
+ _In_ LONG_PTR Diff
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrUnloadDll(
+ _In_ PVOID DllHandle
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrDisableThreadCalloutsForDll(
+ _In_ PVOID DllHandle
+ );
+
+#if NTDDI_VERSION >= NTDDI_WS03
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrOpenImageFileOptionsKey(
+ _In_ PUNICODE_STRING SubKey,
+ _In_ BOOLEAN Wow64,
+ _Out_ PHANDLE NewKeyHandle
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrQueryImageFileKeyOption(
+ _In_ HANDLE KeyHandle,
+ _In_ PCWSTR ValueName,
+ _In_ ULONG Type,
+ _Out_ PVOID Buffer,
+ _In_ ULONG BufferSize,
+ _Out_opt_ PULONG ReturnedLength
+ );
+#endif
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrVerifyImageMatchesChecksum(
+ _In_ HANDLE ImageFileHandle,
+ _In_opt_ PLDR_IMPORT_MODULE_CALLBACK ImportCallbackRoutine,
+ _In_ PVOID ImportCallbackParameter,
+ _Out_opt_ PUSHORT ImageCharacteristics
+ );
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrVerifyImageMatchesChecksumEx(
+ _In_ HANDLE ImageFileHandle,
+ _Inout_ PLDR_VERIFY_IMAGE_INFO VerifyInfo
+ );
+#endif
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrAccessResource(
+ _In_ PVOID DllHandle,
+ _In_ CONST PIMAGE_RESOURCE_DATA_ENTRY ResourceDataEntry,
+ _Out_opt_ PVOID *Address,
+ _Out_ PULONG Size
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrFindResourceDirectory_U(
+ _In_ PVOID DllHandle,
+ _In_ CONST LDR_RESOURCE_INFO* ResourceIdPath,
+ _In_ ULONG ResourceIdPathLength,
+ _Out_ PIMAGE_RESOURCE_DIRECTORY *ResourceDirectory
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrFindResource_U(
+ _In_ PVOID DllHandle,
+ _In_ CONST LDR_RESOURCE_INFO* ResourceIdPath,
+ _In_ ULONG ResourceIdPathLength,
+ _Out_ PIMAGE_RESOURCE_DATA_ENTRY *ResourceDataEntry
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrFindResourceEx_U(
+ _In_opt_ ULONG Flags,
+ _In_ PVOID DllHandle,
+ _In_ CONST LDR_RESOURCE_INFO* ResourceIdPath,
+ _In_ ULONG ResourceIdPathLength,
+ _Out_ PIMAGE_RESOURCE_DATA_ENTRY *ResourceDataEntry
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+RtlAssert(
+ _In_ PVOID VoidFailedAssertion,
+ _In_ PVOID VoidFileName,
+ _In_ ULONG LineNumber,
+ _In_opt_ PSTR MutableMessage
+ );
+
+NTSYSAPI
+DECLSPEC_NORETURN
+VOID
+NTAPI
+RtlRaiseStatus(
+ _In_ NTSTATUS Status
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+RtlRaiseException(
+ _In_ PEXCEPTION_RECORD ExceptionRecord
+ );
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlConnectToSm(
+ _In_ PUNICODE_STRING ApiPortName,
+ _In_ HANDLE ApiPortHandle,
+ _In_ DWORD ProcessImageType,
+ _Out_ PHANDLE SmssConnection
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlSendMsgToSm(
+ _In_ HANDLE ApiPortHandle,
+ _In_ PPORT_MESSAGE MessageData
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlRegisterThreadWithCsrss(
+ );
+#endif
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlEnterCriticalSection(
+ _Inout_ PRTL_CRITICAL_SECTION CriticalSection
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlLeaveCriticalSection(
+ _Inout_ PRTL_CRITICAL_SECTION CriticalSection
+ );
+
+#if NTDDI_VERSION >= NTDDI_WS03
+NTSYSAPI
+LOGICAL
+NTAPI
+RtlIsCriticalSectionLocked(
+ _In_ PRTL_CRITICAL_SECTION CriticalSection
+ );
+
+NTSYSAPI
+LOGICAL
+NTAPI
+RtlIsCriticalSectionLockedByThread(
+ _In_ PRTL_CRITICAL_SECTION CriticalSection
+ );
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlGetCriticalSectionRecursionCount(
+ _In_ PRTL_CRITICAL_SECTION CriticalSection
+ );
+#endif
+
+NTSYSAPI
+LOGICAL
+NTAPI
+RtlTryEnterCriticalSection(
+ _Inout_ PRTL_CRITICAL_SECTION CriticalSection
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlInitializeCriticalSection(
+ _Out_ PRTL_CRITICAL_SECTION CriticalSection
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+RtlEnableEarlyCriticalSectionEventCreation(
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlInitializeCriticalSectionAndSpinCount(
+ _Out_ PRTL_CRITICAL_SECTION CriticalSection,
+ _In_ ULONG SpinCount
+ );
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlSetCriticalSectionSpinCount(
+ _Inout_ PRTL_CRITICAL_SECTION CriticalSection,
+ _In_ ULONG SpinCount
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlDeleteCriticalSection(
+ _Inout_ PRTL_CRITICAL_SECTION CriticalSection
+ );
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+NTSYSAPI
+BOOL
+NTAPI
+RtlQueryPerformanceFrequency(
+ _Out_ PLARGE_INTEGER Frequency
+ );
+#else
+FORCEINLINE
+BOOL
+NTAPI
+RtlQueryPerformanceFrequency(
+ _Out_ PLARGE_INTEGER Frequency
+ )
+{
+ LARGE_INTEGER _;
+ return NT_SUCCESS(NtQueryPerformanceCounter(&_,
+ Frequency));
+}
+#endif
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+NTSYSAPI
+BOOL
+NTAPI
+RtlQueryPerformanceCounter(
+ _Out_ PLARGE_INTEGER PerformanceCount
+ );
+#else
+FORCEINLINE
+BOOL
+NTAPI
+RtlQueryPerformanceCounter(
+ _Out_ PLARGE_INTEGER PerformanceCount
+ )
+{
+ return NT_SUCCESS(NtQueryPerformanceCounter(PerformanceCount,
+ NULL));
+}
+#endif
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlGetCompressionWorkSpaceSize(
+ _In_ USHORT CompressionFormatAndEngine,
+ _Out_ PULONG CompressBufferWorkSpaceSize,
+ _Out_ PULONG CompressFragmentWorkSpaceSize
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlCompressBuffer(
+ _In_ USHORT CompressionFormatAndEngine,
+ _In_ PUCHAR UncompressedBuffer,
+ _In_ ULONG UncompressedBufferSize,
+ _Out_ PUCHAR CompressedBuffer,
+ _In_ ULONG CompressedBufferSize,
+ _In_ ULONG UncompressedChunkSize,
+ _Out_ PULONG FinalCompressedSize,
+ _In_ PVOID WorkSpace
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlDecompressBuffer(
+ _In_ USHORT CompressionFormat,
+ _Out_ PUCHAR UncompressedBuffer,
+ _In_ ULONG UncompressedBufferSize,
+ _In_ PUCHAR CompressedBuffer,
+ _In_ ULONG CompressedBufferSize,
+ _Out_ PULONG FinalUncompressedSize
+ );
+
+NTSYSAPI
+PVOID
+NTAPI
+RtlCreateHeap(
+ _In_ ULONG Flags,
+ _In_opt_ PVOID HeapBase,
+ _In_opt_ SIZE_T ReserveSize,
+ _In_opt_ SIZE_T CommitSize,
+ _In_opt_ PVOID Lock,
+ _In_opt_ PRTL_HEAP_PARAMETERS Parameters
+ );
+
+NTSYSAPI
+PVOID
+NTAPI
+RtlDestroyHeap(
+ _Inout_ PVOID HeapHandle
+ );
+
+NTSYSAPI
+PVOID
+NTAPI
+RtlAllocateHeap(
+ _In_ PVOID HeapHandle,
+ _In_opt_ ULONG Flags,
+ _In_ SIZE_T Size
+ );
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlFreeHeap(
+ _In_ PVOID HeapHandle,
+ _In_opt_ ULONG Flags,
+ _Inout_opt_ PVOID BaseAddress
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlWalkHeap(
+ _In_ PVOID HeapHandle,
+ _Inout_ PRTL_HEAP_WALK_ENTRY Entry
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlQueryHeapInformation(
+ _In_ PVOID HeapHandle,
+ _In_ HEAP_INFORMATION_CLASS HeapInformationClass,
+ _Out_opt_ PVOID HeapInformation,
+ _In_opt_ SIZE_T HeapInformationLength,
+ _Out_opt_ PSIZE_T ReturnLength
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlSetHeapInformation(
+ _In_ PVOID HeapHandle,
+ _In_ HEAP_INFORMATION_CLASS HeapInformationClass,
+ _In_opt_ PVOID HeapInformation,
+ _In_opt_ SIZE_T HeapInformationLength
+ );
+
+NTSYSAPI
+SIZE_T
+NTAPI
+RtlSizeHeap(
+ _In_ PVOID HeapHandle,
+ _In_ ULONG Flags,
+ _In_ PVOID BaseAddress
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlZeroHeap(
+ _In_ PVOID HeapHandle,
+ _In_ ULONG Flags
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+RtlProtectHeap(
+ _In_ PVOID HeapHandle,
+ _In_ BOOLEAN MakeReadOnly
+ );
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlLockHeap(
+ _In_ PVOID HeapHandle
+ );
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlUnlockHeap(
+ _In_ PVOID HeapHandle
+ );
+
+NTSYSAPI
+PVOID
+NTAPI
+RtlReAllocateHeap(
+ _In_ PVOID HeapHandle,
+ _In_ ULONG Flags,
+ _Inout_opt_ PVOID BaseAddress,
+ _In_ SIZE_T Size
+ );
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlGetUserInfoHeap(
+ _In_ PVOID HeapHandle,
+ _In_ ULONG Flags,
+ _In_ PVOID BaseAddress,
+ _Out_opt_ PVOID *UserValue,
+ _Out_opt_ PULONG UserFlags
+ );
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlSetUserValueHeap(
+ _In_ PVOID HeapHandle,
+ _In_ ULONG Flags,
+ _In_ PVOID BaseAddress,
+ _In_ PVOID UserValue
+ );
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlSetUserFlagsHeap(
+ _In_ PVOID HeapHandle,
+ _In_ ULONG Flags,
+ _In_ PVOID BaseAddress,
+ _In_ ULONG UserFlagsReset,
+ _In_ ULONG UserFlagsSet
+ );
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlCreateTagHeap(
+ _In_ PVOID HeapHandle,
+ _In_ ULONG Flags,
+ _In_opt_ PWSTR TagPrefix,
+ _In_ PWSTR TagNames
+ );
+
+NTSYSAPI
+PWSTR
+NTAPI
+RtlQueryTagHeap(
+ _In_ PVOID HeapHandle,
+ _In_ ULONG Flags,
+ _In_ USHORT TagIndex,
+ _In_ BOOLEAN ResetCounters,
+ _Out_opt_ PRTL_HEAP_TAG_INFO TagInfo
+ );
+
+NTSYSAPI
+SIZE_T
+NTAPI
+RtlCompactHeap(
+ _In_ PVOID HeapHandle,
+ _In_ ULONG Flags
+ );
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlValidateHeap(
+ _In_ PVOID HeapHandle,
+ _In_ ULONG Flags,
+ _In_ PVOID BaseAddress
+ );
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlValidateProcessHeaps(
+ );
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlGetProcessHeaps(
+ _In_ ULONG NumberOfHeaps,
+ _Out_ PVOID *ProcessHeaps
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlEnumProcessHeaps(
+ _In_ PRTL_ENUM_HEAPS_ROUTINE EnumRoutine,
+ _In_ PVOID Parameter
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+RtlTimeToTimeFields(
+ _In_ PLARGE_INTEGER Time,
+ _Out_ PTIME_FIELDS TimeFields
+ );
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlUniform(
+ _Inout_ PULONG Seed
+ );
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlRandom(
+ _Inout_ PULONG Seed
+ );
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlRandomEx(
+ _Inout_ PULONG Seed
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlFindMessage(
+ _In_ PVOID DllHandle,
+ _In_ ULONG MessageTableId,
+ _In_ ULONG MessageLanguageId,
+ _In_ ULONG MessageId,
+ _Out_ PMESSAGE_RESOURCE_ENTRY *MessageEntry
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlFormatMessage(
+ _In_ PCWSTR MessageFormat,
+ _In_ ULONG MaximumWidth,
+ _In_ BOOLEAN IgnoreInserts,
+ _In_ BOOLEAN ArgumentsAreAnsi,
+ _In_ BOOLEAN ArgumentsAreAnArray,
+ _In_ va_list *Arguments,
+ _Out_ PWSTR Buffer,
+ _In_ ULONG Length,
+ _Out_opt_ PULONG ReturnLength
+ );
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlNtStatusToDosError(
+ _In_ NTSTATUS Status
+ );
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlNtStatusToDosErrorNoTeb(
+ _In_ NTSTATUS Status
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlGetLastNtStatus(
+ );
+
+NTSYSAPI
+LONG
+NTAPI
+RtlGetLastWin32Error(
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+RtlSetLastWin32ErrorAndNtStatusFromNtStatus(
+ _In_ NTSTATUS Status
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+RtlSetLastWin32Error(
+ _In_ LONG Win32Error
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+RtlRestoreLastWin32Error(
+ _In_ LONG Win32Error
+ );
+
+#if NTDDI_VERSION >= NTDDI_WS03
+NTSYSAPI
+ULONG
+NTAPI
+RtlGetThreadErrorMode(
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlSetThreadErrorMode(
+ _In_ ULONG NewMode,
+ _Out_opt_ PULONG OldMode
+ );
+#endif
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlUpcaseUnicodeString(
+ _Out_ PUNICODE_STRING DestinationString,
+ _In_ PCUNICODE_STRING SourceString,
+ _In_ BOOLEAN AllocateDestinationString
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+RtlInitUnicodeString(
+ _Out_ PUNICODE_STRING DestinationString,
+ _In_opt_ PWSTR SourceString
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+RtlInitAnsiString(
+ _Out_ PANSI_STRING DestinationString,
+ _In_opt_ PSTR SourceString
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+RtlCopyUnicodeString(
+ _Out_ PUNICODE_STRING DestinationString,
+ _In_ PCUNICODE_STRING SourceString
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlAppendUnicodeToString(
+ _In_ PUNICODE_STRING Destination,
+ _In_opt_ PCWSTR Source
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlAnsiStringToUnicodeString(
+ _Inout_ PUNICODE_STRING DestinationString,
+ _In_ PANSI_STRING SourceString,
+ _In_ BOOLEAN AllocateDestinationString
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlUnicodeStringToAnsiString(
+ _Inout_ PANSI_STRING DestinationString,
+ _In_ PUNICODE_STRING SourceString,
+ _In_ BOOLEAN AllocateDestinationString
+ );
+
+NTSYSAPI
+CHAR
+NTAPI
+RtlUpperChar(
+ _In_ CHAR Character
+ );
+
+_Must_inspect_result_
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlPrefixString(
+ _In_ PSTRING String1,
+ _In_ PSTRING String2,
+ _In_ BOOLEAN CaseInSensitive
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlAppendStringToString(
+ _In_ PSTRING Destination,
+ _In_ PSTRING Source
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+RtlUpperString(
+ _In_ PSTRING DestinationString,
+ _In_ PSTRING SourceString
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+RtlFreeAnsiString(
+ _Inout_ PANSI_STRING AnsiString
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+RtlFreeUnicodeString(
+ _In_ PUNICODE_STRING UnicodeString
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlUnicodeStringToInteger(
+ _In_ PCUNICODE_STRING String,
+ _In_opt_ ULONG Base,
+ _Out_ PULONG Value
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlDefaultNpAcl(
+ _Out_ PACL *Dacl
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlCreateRegistryKey(
+ _In_ ULONG RelativeTo,
+ _In_ PWSTR Path
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlQueryRegistryValues(
+ _In_ ULONG RelativeTo,
+ _In_ PCWSTR Path,
+ _Inout_ PRTL_QUERY_REGISTRY_TABLE QueryTable,
+ _In_opt_ PVOID Context,
+ _In_opt_ PVOID Environment
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlWriteRegistryValue(
+ _In_ ULONG RelativeTo,
+ _In_ PCWSTR Path,
+ _In_ PCWSTR ValueName,
+ _In_ ULONG ValueType,
+ _In_opt_ PVOID ValueData,
+ _In_ ULONG ValueLength
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlCreateEnvironment(
+ _In_ BOOLEAN CloneCurrentEnvironment,
+ _Out_ PVOID *Environment
+ );
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlCreateEnvironmentEx(
+ _In_ PVOID SourceEnv,
+ _Out_ PVOID *Environment,
+ _In_ ULONG Flags
+ );
+#endif
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlDestroyEnvironment(
+ _In_ PVOID Environment
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlSetCurrentEnvironment(
+ _In_ PVOID Environment,
+ _Out_opt_ PVOID *PreviousEnvironment
+ );
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlSetEnvironmentVar(
+ _In_opt_ PWSTR *Environment,
+ _In_ PWSTR Name,
+ _In_ SIZE_T NameLength,
+ _In_ PWSTR Value,
+ _In_ SIZE_T ValueLength
+ );
+#endif
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlSetEnvironmentVariable(
+ _In_opt_ PVOID *Environment,
+ _In_ PUNICODE_STRING Name,
+ _In_ PUNICODE_STRING Value
+ );
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlQueryEnvironmentVariable(
+ _In_opt_ PVOID Environment,
+ _In_ PWSTR Name,
+ _In_ SIZE_T NameLength,
+ _Out_ PWSTR Value,
+ _In_ SIZE_T ValueLength,
+ _Out_ PSIZE_T ReturnLength
+ );
+#endif
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlQueryEnvironmentVariable_U(
+ _In_opt_ PVOID Environment,
+ _In_ PUNICODE_STRING Name,
+ _Out_ PUNICODE_STRING Value
+ );
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlExpandEnvironmentStrings(
+ _In_opt_ PVOID Environment,
+ _In_ PWSTR Src,
+ _In_ SIZE_T SrcLength,
+ _Out_ PWSTR Dst,
+ _In_ SIZE_T DstLength,
+ _Out_opt_ PSIZE_T ReturnLength
+ );
+#endif
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlExpandEnvironmentStrings_U(
+ _In_opt_ PVOID Environment,
+ _In_ PUNICODE_STRING Source,
+ _Out_ PUNICODE_STRING Destination,
+ _Out_opt_ PULONG ReturnedLength
+ );
+
+#if NTDDI_VERSION >= NTDDI_WS03
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlSetEnvironmentStrings(
+ _In_ PWCHAR NewEnvironment,
+ _In_ SIZE_T NewEnvironmentSize
+ );
+#endif
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlCreateProcessParameters(
+ _Out_ PRTL_USER_PROCESS_PARAMETERS *pProcessParameters,
+ _In_ PUNICODE_STRING ImagePathName,
+ _In_opt_ PUNICODE_STRING DllPath,
+ _In_opt_ PUNICODE_STRING CurrentDirectory,
+ _In_opt_ PUNICODE_STRING CommandLine,
+ _In_opt_ PVOID Environment,
+ _In_opt_ PUNICODE_STRING WindowTitle,
+ _In_opt_ PUNICODE_STRING DesktopInfo,
+ _In_opt_ PUNICODE_STRING ShellInfo,
+ _In_opt_ PUNICODE_STRING RuntimeData
+ );
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlCreateProcessParametersEx(
+ _Out_ PRTL_USER_PROCESS_PARAMETERS *pProcessParameters,
+ _In_ PUNICODE_STRING ImagePathName,
+ _In_opt_ PUNICODE_STRING DllPath,
+ _In_opt_ PUNICODE_STRING CurrentDirectory,
+ _In_opt_ PUNICODE_STRING CommandLine,
+ _In_opt_ PVOID Environment,
+ _In_opt_ PUNICODE_STRING WindowTitle,
+ _In_opt_ PUNICODE_STRING DesktopInfo,
+ _In_opt_ PUNICODE_STRING ShellInfo,
+ _In_opt_ PUNICODE_STRING RuntimeData,
+ _In_ ULONG Flags // Pass RTL_USER_PROCESS_PARAMETERS_NORMALIZED to keep parameters normalized
+ );
+#endif
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlDestroyProcessParameters(
+ _In_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters
+ );
+
+NTSYSAPI
+PRTL_USER_PROCESS_PARAMETERS
+NTAPI
+RtlNormalizeProcessParams(
+ _Inout_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters
+ );
+
+NTSYSAPI
+PRTL_USER_PROCESS_PARAMETERS
+NTAPI
+RtlDeNormalizeProcessParams(
+ _Inout_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlCreateUserProcess(
+ _In_ PUNICODE_STRING NtImagePathName,
+ _In_ ULONG AttributesDeprecated,
+ _In_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters,
+ _In_opt_ PSECURITY_DESCRIPTOR ProcessSecurityDescriptor,
+ _In_opt_ PSECURITY_DESCRIPTOR ThreadSecurityDescriptor,
+ _In_opt_ HANDLE ParentProcess,
+ _In_ BOOLEAN InheritHandles,
+ _In_opt_ HANDLE DebugPort,
+ _In_opt_ HANDLE TokenHandle, // used to be ExceptionPort
+ _Out_ PRTL_USER_PROCESS_INFORMATION ProcessInformation
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlCreateUserThread(
+ _In_ HANDLE Process,
+ _In_opt_ PSECURITY_DESCRIPTOR ThreadSecurityDescriptor,
+ _In_ BOOLEAN CreateSuspended,
+ _In_opt_ ULONG ZeroBits,
+ _In_opt_ SIZE_T MaximumStackSize,
+ _In_opt_ SIZE_T CommittedStackSize,
+ _In_ PUSER_THREAD_START_ROUTINE StartAddress,
+ _In_opt_ PVOID Parameter,
+ _Out_opt_ PHANDLE Thread,
+ _Out_opt_ PCLIENT_ID ClientId
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlExitUserThread(
+ _In_ NTSTATUS ExitStatus
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlDosApplyFileIsolationRedirection_Ustr(
+ _In_ ULONG Flags,
+ _In_ PUNICODE_STRING OriginalName,
+ _In_ PUNICODE_STRING Extension,
+ _Inout_ PUNICODE_STRING StaticString,
+ _Inout_ PUNICODE_STRING DynamicString,
+ _Inout_ PUNICODE_STRING *NewName,
+ _In_ PULONG NewFlags,
+ _In_ PSIZE_T FileNameSize,
+ _In_ PSIZE_T RequiredLength
+ );
+
+NTSYSAPI
+PIMAGE_NT_HEADERS
+NTAPI
+RtlImageNtHeader(
+ _In_ PVOID ImageBase
+ );
+
+#if NTDDI_VERSION >= NTDDI_WS03
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlImageNtHeaderEx(
+ _In_opt_ ULONG Flags,
+ _In_ PVOID Base,
+ _In_ ULONG64 Size,
+ _Out_ PIMAGE_NT_HEADERS *OutHeaders
+ );
+#endif
+
+NTSYSAPI
+PVOID
+NTAPI
+RtlImageDirectoryEntryToData(
+ _In_ PVOID ImageBase,
+ _In_ BOOLEAN MappedAsImage,
+ _In_ USHORT DirectoryEntry,
+ _Out_ PULONG Size
+ );
+
+NTSYSAPI
+PVOID
+NTAPI
+RtlPcToFileHeader(
+ _In_ PVOID PcValue,
+ _Out_ PVOID *BaseOfImage
+ );
+
+NTSYSAPI
+PVOID
+NTAPI
+RtlAddressInSectionTable(
+ _In_ PIMAGE_NT_HEADERS NtHeaders,
+ _In_ PVOID BaseOfImage,
+ _In_ ULONG VirtualAddress
+ );
+
+NTSYSAPI
+PIMAGE_SECTION_HEADER
+NTAPI
+RtlImageRvaToSection(
+ _In_ PIMAGE_NT_HEADERS NtHeaders,
+ _In_ PVOID Base,
+ _In_ ULONG Rva
+ );
+
+NTSYSAPI
+PVOID
+NTAPI
+RtlImageRvaToVa(
+ _In_ PIMAGE_NT_HEADERS NtHeaders,
+ _In_ PVOID Base,
+ _In_ ULONG Rva,
+ _Inout_opt_ PIMAGE_SECTION_HEADER *LastRvaSection
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlQueryProcessHeapInformation(
+ _Inout_ PRTL_DEBUG_INFORMATION Buffer
+ );
+
+NTSYSAPI
+PRTL_DEBUG_INFORMATION
+NTAPI
+RtlCreateQueryDebugBuffer(
+ _In_opt_ ULONG MaximumCommit,
+ _In_ BOOLEAN UseEventPair
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlQueryProcessDebugInformation(
+ _In_ HANDLE UniqueProcessId,
+ _In_ ULONG Flags,
+ _Inout_ PRTL_DEBUG_INFORMATION Buffer
+ );
+
+#ifdef _WIN64
+NTSYSAPI
+VOID
+WINAPI
+RtlRestoreContext(
+ _In_ PCONTEXT ContextRecord,
+ _In_opt_ PEXCEPTION_RECORD ExceptionRecord
+ );
+#endif
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlAdjustPrivilege(
+ _In_ ULONG Privilege,
+ _In_ BOOLEAN Enable,
+ _In_ BOOLEAN Client,
+ _Out_ PBOOLEAN WasEnabled
+ );
+
+#if NTDDI_VERSION >= NTDDI_WS03
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlAcquirePrivilege(
+ _In_ PULONG Privilege,
+ _In_ ULONG NumPriv,
+ _In_ ULONG Flags,
+ _Out_ PVOID *ReturnedState
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+RtlReleasePrivilege(
+ _In_ PVOID StatePointer
+ );
+#endif
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlDosPathNameToNtPathName_U(
+ _In_ PCWSTR DosFileName,
+ _Out_ PUNICODE_STRING NtFileName,
+ _Out_opt_ PWSTR *FilePart,
+ _Reserved_ PVOID Reserved
+ );
+
+#if NTDDI_VERSION >= NTDDI_WS03
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlDosPathNameToRelativeNtPathName_U(
+ _In_ PCWSTR DosFileName,
+ _Out_ PUNICODE_STRING NtFileName,
+ _Out_opt_ PWSTR *FilePart,
+ _Out_opt_ PRTL_RELATIVE_NAME_U RelativeName
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlDosPathNameToRelativeNtPathName_U_WithStatus(
+ _In_ PWSTR DosFileName,
+ _Out_ PUNICODE_STRING NtFileName,
+ _Out_opt_ PWSTR *FilePart,
+ _Out_opt_ PRTL_RELATIVE_NAME_U RelativeName
+ );
+#endif
+
+NTSYSAPI
+RTL_PATH_TYPE
+NTAPI
+RtlDetermineDosPathNameType_U(
+ _In_ PCWSTR Path
+ );
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlIsDosDeviceName_U(
+ _In_ PWSTR DosFileName
+ );
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlGetFullPathName_U(
+ _In_ PWSTR FileName,
+ _In_ ULONG BufferLength,
+ _Out_ PWSTR Buffer,
+ _Out_opt_ PWSTR *FilePart
+ );
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlGetFullPathName_UEx(
+ _In_ PWSTR FileName,
+ _In_ ULONG BufferLength,
+ _Out_writes_bytes_(BufferLength) PWSTR Buffer,
+ _Out_opt_ PWSTR *FilePart,
+ _Out_opt_ RTL_PATH_TYPE *InputPathType
+ );
+#endif
+
+#if NTDDI_VERSION >= NTDDI_WS03
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlGetFullPathName_UstrEx(
+ _In_ PUNICODE_STRING FileName,
+ _In_opt_ PUNICODE_STRING StaticString,
+ _In_opt_ PUNICODE_STRING DynamicString,
+ _Out_opt_ PUNICODE_STRING *StringUsed,
+ _Out_opt_ PSIZE_T FilePartSize,
+ _Out_opt_ PBOOLEAN NameInvalid,
+ _Out_ RTL_PATH_TYPE* PathType,
+ _Out_opt_ PSIZE_T LengthNeeded
+ );
+#endif
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlGetCurrentDirectory_U(
+ _In_ ULONG BufferLength,
+ _Out_writes_bytes_(BufferLength) PWSTR Buffer
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlSetCurrentDirectory_U(
+ _In_ PUNICODE_STRING PathName
+ );
+
+#if NTDDI_VERSION >= NTDDI_WS03
+NTSYSAPI
+VOID
+NTAPI
+RtlReleaseRelativeName(
+ _In_ PRTL_RELATIVE_NAME_U RelativeName
+ );
+#endif
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlNtPathNameToDosPathName(
+ _In_ ULONG Flags,
+ _Inout_ PRTL_UNICODE_STRING_BUFFER Path,
+ _Out_opt_ PULONG Disposition,
+ _Inout_opt_ PWSTR* FilePart
+ );
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+NTSYSAPI
+VOID
+NTAPI
+RtlInitializeSRWLock(
+ _Out_ PRTL_SRWLOCK SRWLock
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+RtlAcquireSRWLockExclusive(
+ _Inout_ PRTL_SRWLOCK SRWLock
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+RtlAcquireSRWLockShared(
+ _Inout_ PRTL_SRWLOCK SRWLock
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+RtlReleaseSRWLockExclusive(
+ _Inout_ PRTL_SRWLOCK SRWLock
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+RtlReleaseSRWLockShared(
+ _Inout_ PRTL_SRWLOCK SRWLock
+ );
+#endif
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlTryAcquireSRWLockExclusive(
+ _Inout_ PRTL_SRWLOCK SRWLock
+ );
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlTryAcquireSRWLockShared(
+ _Inout_ PRTL_SRWLOCK SRWLock
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+RtlAcquireReleaseSRWLockExclusive(
+ _Inout_ PRTL_SRWLOCK SRWLock
+ );
+#endif
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlWalkFrameChain(
+ _Out_ PVOID *Callers,
+ _In_ ULONG Count,
+ _In_ ULONG Flags
+ );
+
+NTSYSAPI
+PPREFIX_TABLE_ENTRY
+NTAPI
+PfxFindPrefix(
+ _In_ PPREFIX_TABLE PrefixTable,
+ _In_ PANSI_STRING FullName
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+PfxInitialize(
+ _Out_ PPREFIX_TABLE PrefixTable
+ );
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+PfxInsertPrefix(
+ _In_ PPREFIX_TABLE PrefixTable,
+ _In_ PANSI_STRING Prefix,
+ _Out_ PPREFIX_TABLE_ENTRY PrefixTableEntry
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+PfxRemovePrefix(
+ _In_ PPREFIX_TABLE PrefixTable,
+ _In_ PPREFIX_TABLE_ENTRY PrefixTableEntry
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlAbsoluteToSelfRelativeSD(
+ _In_ PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor,
+ _Out_ PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor,
+ _Inout_ PULONG BufferLength
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlAddAccessAllowedAce(
+ _Inout_ PACL Acl,
+ _In_ ULONG AceRevision,
+ _In_ ACCESS_MASK AccessMask,
+ _In_ PSID Sid
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlAddAccessAllowedAceEx(
+ _Inout_ PACL Acl,
+ _In_ ULONG AceRevision,
+ _In_ ULONG AceFlags,
+ _In_ ACCESS_MASK AccessMask,
+ _In_ PSID Sid
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlAddAce(
+ _Inout_ PACL Acl,
+ _In_ ULONG AceRevision,
+ _In_ ULONG StartingAceIndex,
+ _In_ PVOID AceList,
+ _In_ ULONG AceListLength
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlAddAtomToAtomTable(
+ _In_ PVOID AtomTableHandle,
+ _In_ PWSTR AtomName,
+ _Inout_opt_ PRTL_ATOM Atom
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlAppendUnicodeStringToString(
+ PUNICODE_STRING Destination,
+ PCUNICODE_STRING Source
+ );
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlAreAllAccessesGranted(
+ _In_ ACCESS_MASK GrantedAccess,
+ _In_ ACCESS_MASK DesiredAccess
+ );
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlAreAnyAccessesGranted(
+ _In_ ACCESS_MASK GrantedAccess,
+ _In_ ACCESS_MASK DesiredAccess
+ );
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlAreBitsClear(
+ _In_ PRTL_BITMAP BitMapHeader,
+ _In_ ULONG StartingIndex,
+ _In_ ULONG Length
+ );
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlAreBitsSet(
+ _In_ PRTL_BITMAP BitMapHeader,
+ _In_ ULONG StartingIndex,
+ _In_ ULONG Length
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+RtlCaptureContext(
+ _Out_ PCONTEXT ContextRecord
+ );
+
+NTSYSAPI
+_Success_(return != 0)
+USHORT
+NTAPI
+RtlCaptureStackBackTrace(
+ _In_ ULONG FramesToSkip,
+ _In_ ULONG FramesToCapture,
+ _Out_writes_to_(FramesToCapture, return) PVOID *BackTrace,
+ _Out_opt_ PULONG BackTraceHash
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+RtlClearAllBits(
+ _In_ PRTL_BITMAP BitMapHeader
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+RtlClearBits(
+ _In_ PRTL_BITMAP BitMapHeader,
+ _In_ ULONG StartingIndex,
+ _In_ ULONG NumberToClear
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlCreateSystemVolumeInformationFolder(
+ _In_ PCUNICODE_STRING VolumeRootPath
+ );
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+NTSYSAPI
+LONG
+NTAPI
+RtlCompareAltitudes(
+ _In_ PCUNICODE_STRING Altitude1,
+ _In_ PCUNICODE_STRING Altitude2
+ );
+#endif
+
+NTSYSAPI
+LONG
+NTAPI
+RtlCompareUnicodeString(
+ _In_ PCUNICODE_STRING String1,
+ _In_ PCUNICODE_STRING String2,
+ _In_ BOOLEAN CaseInSensitive
+ );
+
+NTSYSAPI
+ULONG32
+NTAPI
+RtlComputeCrc32(
+ _In_ ULONG32 PartialCrc,
+ _In_ PVOID Buffer,
+ _In_ ULONG Length
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlConvertSidToUnicodeString(
+ _Inout_ PUNICODE_STRING UnicodeString,
+ _In_ PSID Sid,
+ _In_ BOOLEAN AllocateDestinationString
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+RtlCopyLuid(
+ _Out_ PLUID DestinationLuid,
+ _In_ PLUID SourceLuid
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlAllocateAndInitializeSid(
+ _In_ PSID_IDENTIFIER_AUTHORITY IdentifierAuthority,
+ _In_ UCHAR SubAuthorityCount,
+ _In_ ULONG SubAuthority0,
+ _In_ ULONG SubAuthority1,
+ _In_ ULONG SubAuthority2,
+ _In_ ULONG SubAuthority3,
+ _In_ ULONG SubAuthority4,
+ _In_ ULONG SubAuthority5,
+ _In_ ULONG SubAuthority6,
+ _In_ ULONG SubAuthority7,
+ _Outptr_ PSID *Sid
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlCopySid(
+ _In_ ULONG DestinationSidLength,
+ _Out_ PSID DestinationSid,
+ _In_ PSID SourceSid
+ );
+
+NTSYSAPI
+PVOID
+NTAPI
+RtlFreeSid(
+ _Inout_ PSID Sid
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlCreateAcl(
+ _Out_ PACL Acl,
+ _In_ ULONG AclLength,
+ _In_ ULONG AclRevision
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlCreateAtomTable(
+ _In_ ULONG NumberOfBuckets,
+ _Out_ PVOID *AtomTableHandle
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlDecompressFragment(
+ _In_ USHORT CompressionFormat,
+ _Out_ PUCHAR UncompressedFragment,
+ _In_ ULONG UncompressedFragmentSize,
+ _In_ PUCHAR CompressedBuffer,
+ _In_ ULONG CompressedBufferSize,
+ _In_ ULONG FragmentOffset,
+ _Out_ PULONG FinalUncompressedSize,
+ _In_ PVOID WorkSpace
+ );
+
+NTSYSAPI
+PRTL_SPLAY_LINKS
+NTAPI
+RtlDelete(
+ _In_ PRTL_SPLAY_LINKS Links
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlDeleteAce(
+ _Inout_ PACL Acl,
+ _In_ ULONG AceIndex
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlDeleteAtomFromAtomTable(
+ _In_ PVOID AtomTableHandle,
+ _In_ RTL_ATOM Atom
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+RtlDeleteNoSplay(
+ _In_ PRTL_SPLAY_LINKS Links,
+ _Inout_ PRTL_SPLAY_LINKS *Root
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlDowncaseUnicodeString(
+ _Out_ PUNICODE_STRING DestinationString,
+ _In_ PCUNICODE_STRING SourceString,
+ _In_ BOOLEAN AllocateDestinationString
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlDuplicateUnicodeString(
+ _In_ ULONG Flags,
+ _In_ UNICODE_STRING *StringIn,
+ _Out_ UNICODE_STRING *StringOut
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlEmptyAtomTable(
+ _In_ PVOID AtomTableHandle,
+ _In_ BOOLEAN IncludePinnedAtoms
+ );
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlEqualSid(
+ _In_ PSID Sid1,
+ _In_ PSID Sid2
+ );
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlEqualString(
+ _In_ PANSI_STRING String1,
+ _In_ PANSI_STRING String2,
+ _In_ BOOLEAN CaseInSensitive
+ );
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlEqualUnicodeString(
+ _In_ PCUNICODE_STRING String1,
+ _In_ PCUNICODE_STRING String2,
+ _In_ BOOLEAN CaseInSensitive
+ );
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlFindClearBits(
+ _In_ PRTL_BITMAP BitMapHeader,
+ _In_ ULONG NumberToFind,
+ _In_ ULONG HintIndex
+ );
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlFindClearBitsAndSet(
+ _In_ PRTL_BITMAP BitMapHeader,
+ _In_ ULONG NumberToFind,
+ _In_ ULONG HintIndex
+ );
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlFindClearRuns(
+ _In_ PRTL_BITMAP BitMapHeader,
+ _Out_ PRTL_BITMAP_RUN RunArray,
+ _In_ ULONG SizeOfRunArray,
+ _In_ BOOLEAN LocateLongestRuns
+ );
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlFindLastBackwardRunClear(
+ _In_ PRTL_BITMAP BitMapHeader,
+ _In_ ULONG FromIndex,
+ _In_ PULONG StartingRunIndex
+ );
+
+NTSYSAPI
+CCHAR
+NTAPI
+RtlFindLeastSignificantBit(
+ _In_ ULONGLONG Set
+ );
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlFindLongestRunClear(
+ _In_ PRTL_BITMAP BitMapHeader,
+ _In_ PULONG StartingIndex
+ );
+
+NTSYSAPI
+CCHAR
+NTAPI
+RtlFindMostSignificantBit(
+ _In_ ULONGLONG Set
+ );
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlFindNextForwardRunClear(
+ _In_ PRTL_BITMAP BitMapHeader,
+ _In_ ULONG FromIndex,
+ _In_ PULONG StartingRunIndex
+ );
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlFindSetBits(
+ _In_ PRTL_BITMAP BitMapHeader,
+ _In_ ULONG NumberToFind,
+ _In_ ULONG HintIndex
+ );
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlFindSetBitsAndClear(
+ _In_ PRTL_BITMAP BitMapHeader,
+ _In_ ULONG NumberToFind,
+ _In_ ULONG HintIndex
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+RtlGetCallersAddress(
+ _Out_ PVOID *CallersAddress,
+ _Out_ PVOID *CallersCaller
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlGetDaclSecurityDescriptor(
+ _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _Out_ PBOOLEAN DaclPresent,
+ _Out_ PACL *Dacl,
+ _Out_ PBOOLEAN DaclDefaulted
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlGetGroupSecurityDescriptor(
+ _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _Out_ PSID *Group,
+ _Out_ PBOOLEAN GroupDefaulted
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlGetOwnerSecurityDescriptor(
+ _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _Out_ PSID *Owner,
+ _Out_ PBOOLEAN OwnerDefaulted
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlGetSaclSecurityDescriptor(
+ _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _Out_ PBOOLEAN SaclPresent,
+ _Out_ PACL *Sacl,
+ _Out_ PBOOLEAN SaclDefaulted
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlGetSetBootStatusData(
+ _In_ HANDLE Handle,
+ _In_ BOOLEAN Get,
+ _In_ RTL_BSD_ITEM_TYPE DataItem,
+ _In_ PVOID DataBuffer,
+ _In_ ULONG DataBufferLength,
+ _Out_opt_ PULONG ByteRead
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlCreateBootStatusDataFile(
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlGetVersion(
+ _Out_ PRTL_OSVERSIONINFOW lpVersionInformation
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlGUIDFromString(
+ _In_ PUNICODE_STRING GuidString,
+ _Out_ GUID* Guid
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlHashUnicodeString(
+ _In_ UNICODE_STRING *String,
+ _In_ BOOLEAN CaseInSensitive,
+ _In_ ULONG HashAlgorithm,
+ _Out_ PULONG HashValue
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlInitializeSid(
+ _Out_ PSID Sid,
+ _In_ PSID_IDENTIFIER_AUTHORITY IdentifierAuthority,
+ _In_ UCHAR SubAuthorityCount
+ );
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlLengthRequiredSid(
+ _In_ ULONG SubAuthorityCount
+ );
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlLengthSecurityDescriptor(
+ _In_ PSECURITY_DESCRIPTOR SecurityDescriptor
+ );
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlLengthSid(
+ _In_ PSID Sid
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlLockBootStatusData(
+ _Out_ PHANDLE BootStatusDataHandle
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlLookupAtomInAtomTable(
+ _In_ PVOID AtomTableHandle,
+ _In_ PWSTR AtomName,
+ _Out_opt_ PRTL_ATOM Atom
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlMapSecurityErrorToNtStatus(
+ _In_ SECURITY_STATUS Error
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlMultiByteToUnicodeN(
+ _Out_ PWCH UnicodeString,
+ _In_ ULONG MaxBytesInUnicodeString,
+ _Out_opt_ PULONG BytesInUnicodeString,
+ _In_ PCSTR MultiByteString,
+ _In_ ULONG BytesInMultiByteString
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlMultiByteToUnicodeSize(
+ _Out_ PULONG BytesInUnicodeString,
+ _In_ PCSTR MultiByteString,
+ _In_ ULONG BytesInMultiByteString
+ );
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlNumberOfClearBits(
+ _In_ PRTL_BITMAP BitMapHeader
+ );
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlNumberOfSetBits(
+ _In_ PRTL_BITMAP BitMapHeader
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlQueryAtomInAtomTable(
+ _In_ PVOID AtomTableHandle,
+ _In_ RTL_ATOM Atom,
+ _Out_opt_ PULONG AtomUsage,
+ _Out_opt_ PULONG AtomFlags,
+ _Inout_opt_ PWSTR AtomName,
+ _Inout_opt_ PULONG AtomNameLength
+ );
+
+NTSYSAPI
+PRTL_SPLAY_LINKS
+NTAPI
+RtlRealPredecessor(
+ _In_ PRTL_SPLAY_LINKS Links
+ );
+
+NTSYSAPI
+PRTL_SPLAY_LINKS
+NTAPI
+RtlRealSuccessor(
+ _In_ PRTL_SPLAY_LINKS Links
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+RtlRunDecodeUnicodeString(
+ _In_ UCHAR Seed,
+ _Inout_ PUNICODE_STRING String
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+RtlRunEncodeUnicodeString(
+ _In_opt_ PUCHAR Seed,
+ _Inout_ PUNICODE_STRING String
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlSelfRelativeToAbsoluteSD(
+ _In_ PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor,
+ _Out_ PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor,
+ _Inout_ PULONG AbsoluteSecurityDescriptorSize,
+ _Out_ PACL Dacl,
+ _Inout_ PULONG DaclSize,
+ _Out_ PACL Sacl,
+ _Inout_ PULONG SaclSize,
+ _Out_opt_ PSID Owner,
+ _Inout_ PULONG OwnerSize,
+ _Out_opt_ PSID PrimaryGroup,
+ _Inout_ PULONG PrimaryGroupSize
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlSelfRelativeToAbsoluteSD2(
+ _Inout_ PSECURITY_DESCRIPTOR pSelfRelativeSecurityDescriptor,
+ _Inout_ PULONG pBufferSize
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+RtlSetAllBits(
+ _In_ PRTL_BITMAP BitMapHeader
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+RtlSetBits(
+ _In_ PRTL_BITMAP BitMapHeader,
+ _In_ ULONG StartingIndex,
+ _In_ ULONG NumberToSet
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlSetDaclSecurityDescriptor(
+ _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _In_ BOOLEAN DaclPresent,
+ _In_opt_ PACL Dacl,
+ _In_ BOOLEAN DaclDefaulted
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlSetGroupSecurityDescriptor(
+ _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _In_opt_ PSID Group,
+ _In_opt_ BOOLEAN GroupDefaulted
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlSetOwnerSecurityDescriptor(
+ _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _In_opt_ PSID Owner,
+ _In_ BOOLEAN OwnerDefaulted
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlSetSaclSecurityDescriptor(
+ _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _In_ BOOLEAN SaclPresent,
+ _In_opt_ PACL Sacl,
+ _In_opt_ BOOLEAN SaclDefaulted
+ );
+
+NTSYSAPI
+PRTL_SPLAY_LINKS
+NTAPI
+RtlSplay(
+ _Inout_ PRTL_SPLAY_LINKS Links
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlStringFromGUID(
+ _In_ REFGUID Guid,
+ _Out_ PUNICODE_STRING GuidString
+ );
+
+NTSYSAPI
+PUCHAR
+NTAPI
+RtlSubAuthorityCountSid(
+ _In_ PSID Sid
+ );
+
+NTSYSAPI
+PULONG
+NTAPI
+RtlSubAuthoritySid(
+ _In_ PSID Sid,
+ _In_ ULONG SubAuthority
+ );
+
+NTSYSAPI
+PRTL_SPLAY_LINKS
+NTAPI
+RtlSubtreePredecessor(
+ _In_ PRTL_SPLAY_LINKS Links
+ );
+
+NTSYSAPI
+PRTL_SPLAY_LINKS
+NTAPI
+RtlSubtreeSuccessor(
+ _In_ PRTL_SPLAY_LINKS Links
+ );
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlTestBit(
+ _In_ PRTL_BITMAP BitMapHeader,
+ _In_ ULONG BitNumber
+ );
+#endif
+
+NTSYSAPI
+VOID
+NTAPI
+RtlUnlockBootStatusData(
+ _In_ HANDLE BootStatusDataHandle
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlCreateSecurityDescriptor(
+ _Out_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _In_ ULONG Revision
+ );
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlValidRelativeSecurityDescriptor(
+ _In_ PSECURITY_DESCRIPTOR SecurityDescriptorInput,
+ _In_ ULONG SecurityDescriptorLength,
+ _In_ SECURITY_INFORMATION RequiredInformation
+ );
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlValidSecurityDescriptor(
+ _In_ PSECURITY_DESCRIPTOR SecurityDescriptor
+ );
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlValidSid(
+ _In_ PSID Sid
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlVerifyVersionInfo(
+ _In_ RTL_OSVERSIONINFOEXW VersionInfo,
+ _In_ ULONG TypeMask,
+ _In_ ULONGLONG ConditionMask
+ );
+
+NTSYSAPI
+ULONGLONG
+NTAPI
+VerSetConditionMask(
+ _In_ ULONGLONG ConditionMask,
+ _In_ ULONG TypeMask,
+ _In_ UCHAR Condition
+ );
+
+#if NTDDI_VERSION >= NTDDI_VISTA
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpAllocPool(
+ _Out_ PTP_POOL *PoolReturn,
+ _Reserved_ PVOID Reserved
+ );
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpDisablePoolCallbackChecks(
+ _Inout_ PTP_POOL Pool
+ );
+#endif
+
+NTSYSAPI
+VOID
+NTAPI
+TpReleasePool(
+ _Inout_ PTP_POOL Pool
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+TpSetPoolMaxThreads(
+ _Inout_ PTP_POOL Pool,
+ _In_ LONG MaxThreads
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpSetPoolMinThreads(
+ _Inout_ PTP_POOL Pool,
+ _In_ LONG MinThreads
+ );
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpQueryPoolStackInformation(
+ _In_ PTP_POOL Pool,
+ _Out_ PTP_POOL_STACK_INFORMATION PoolStackInformation
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpSetPoolStackInformation(
+ _Inout_ PTP_POOL Pool,
+ _In_ PTP_POOL_STACK_INFORMATION PoolStackInformation
+ );
+#endif
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpAllocCleanupGroup(
+ _Out_ PTP_CLEANUP_GROUP *CleanupGroupReturn
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+TpReleaseCleanupGroup(
+ _Inout_ PTP_CLEANUP_GROUP CleanupGroup
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+TpReleaseCleanupGroupMembers(
+ _Inout_ PTP_CLEANUP_GROUP CleanupGroup,
+ _In_ LOGICAL CancelPendingCallbacks,
+ _Inout_opt_ PVOID CleanupParameter
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpSimpleTryPost(
+ _In_ PTP_SIMPLE_CALLBACK Callback,
+ _Inout_opt_ PVOID Context,
+ _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpAllocWork(
+ _Out_ PTP_WORK *WorkReturn,
+ _In_ PTP_WORK_CALLBACK Callback,
+ _Inout_opt_ PVOID Context,
+ _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+TpReleaseWork(
+ _Inout_ PTP_WORK Work
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+TpPostWork(
+ _Inout_ PTP_WORK Work
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+TpWaitForWork(
+ _Inout_ PTP_WORK Work,
+ _In_ LOGICAL CancelPendingCallbacks
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpAllocTimer(
+ _Out_ PTP_TIMER *Timer,
+ _In_ PTP_TIMER_CALLBACK Callback,
+ _Inout_opt_ PVOID Context,
+ _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+TpReleaseTimer(
+ _Inout_ PTP_TIMER Timer
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+TpSetTimer(
+ _Inout_ PTP_TIMER Timer,
+ _In_opt_ PLARGE_INTEGER DueTime,
+ _In_ LONG Period,
+ _In_opt_ LONG WindowLength
+ );
+
+NTSYSAPI
+LOGICAL
+NTAPI
+TpIsTimerSet(
+ _In_ PTP_TIMER Timer
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+TpWaitForTimer(
+ _Inout_ PTP_TIMER Timer,
+ _In_ LOGICAL CancelPendingCallbacks
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpAllocWait(
+ _Out_ PTP_WAIT *WaitReturn,
+ _In_ PTP_WAIT_CALLBACK Callback,
+ _Inout_opt_ PVOID Context,
+ _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+TpReleaseWait(
+ _Inout_ PTP_WAIT Wait
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+TpSetWait(
+ _Inout_ PTP_WAIT Wait,
+ _In_opt_ HANDLE Handle,
+ _In_opt_ PLARGE_INTEGER Timeout
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpAllocIoCompletion(
+ _Out_ PTP_IO *IoReturn,
+ _In_ HANDLE File,
+ _In_ PTP_IO_CALLBACK Callback,
+ _Inout_opt_ PVOID Context,
+ _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+TpWaitForIoCompletion(
+ _Inout_ PTP_IO Io,
+ _In_ LOGICAL CancelPendingCallbacks
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpAllocAlpcCompletion(
+ _Out_ PTP_ALPC *AlpcReturn,
+ _In_ HANDLE AlpcPort,
+ _In_ PTP_ALPC_CALLBACK Callback,
+ _Inout_opt_ PVOID Context,
+ _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
+ );
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpAllocAlpcCompletionEx(
+ _Out_ PTP_ALPC *AlpcReturn,
+ _In_ HANDLE AlpcPort,
+ _In_ PTP_ALPC_CALLBACK_EX Callback,
+ _Inout_opt_ PVOID Context,
+ _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
+ );
+#endif
+
+NTSYSAPI
+VOID
+NTAPI
+TpReleaseAlpcCompletion(
+ _Inout_ PTP_ALPC Alpc
+ );
+
+NTSYSAPI
+VOID
+NTAPI
+TpWaitForAlpcCompletion(
+ _Inout_ PTP_ALPC Alpc
+ );
+#endif
+
+#if NTDDI_VERSION >= NTDDI_WIN7
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpAlpcRegisterCompletionList(
+ _Inout_ PTP_ALPC Alpc
+ );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpAlpcUnregisterCompletionList(
+ _Inout_ PTP_ALPC Alpc
+ );
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif // _NTDLL_H
Powered by cgit, Themed by Ted Yin.