#pragma once #define _WINSOCK_DEPRECATED_NO_WARNINGS #include #include #define PROCESSOR_FEATURE_MAX 64 #define InitializeObjectAttributes(p, n, a, r, s) \ { \ (p)->Length = sizeof(OBJECT_ATTRIBUTES); \ (p)->RootDirectory = r; \ (p)->Attributes = a; \ (p)->ObjectName = n; \ (p)->SecurityDescriptor = s; \ (p)->SecurityQualityOfService = NULL; \ } #define OBJ_INHERIT 0x00000002 #define OBJ_PERMANENT 0x00000010 #define OBJ_EXCLUSIVE 0x00000020 #define OBJ_CASE_INSENSITIVE 0x00000040 #define OBJ_OPENIF 0x00000080 #define OBJ_OPENLINK 0x00000100 #define OBJ_KERNEL_HANDLE 0x00000200 #define OBJ_FORCE_ACCESS_CHECK 0x00000400 #define OBJ_VALID_ATTRIBUTES 0x000007f2 #define FILE_SUPERSEDE 0x00000000 #define FILE_OPEN 0x00000001 #define FILE_CREATE 0x00000002 #define FILE_OPEN_IF 0x00000003 #define FILE_OVERWRITE 0x00000004 #define FILE_OVERWRITE_IF 0x00000005 #define FILE_MAXIMUM_DISPOSITION 0x00000005 #define FSCTL_PIPE_ASSIGN_EVENT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 0, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_DISCONNECT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 1, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_LISTEN CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_PEEK CTL_CODE(FILE_DEVICE_NAMED_PIPE, 3, METHOD_BUFFERED, FILE_READ_DATA) #define FSCTL_PIPE_QUERY_EVENT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 4, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_TRANSCEIVE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 5, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) #define FSCTL_PIPE_WAIT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 6, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_IMPERSONATE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 7, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_SET_CLIENT_PROCESS CTL_CODE(FILE_DEVICE_NAMED_PIPE, 8, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_QUERY_CLIENT_PROCESS CTL_CODE(FILE_DEVICE_NAMED_PIPE, 9, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_GET_PIPE_ATTRIBUTE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 10, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_SET_PIPE_ATTRIBUTE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 11, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_GET_CONNECTION_ATTRIBUTE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 12, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_SET_CONNECTION_ATTRIBUTE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 13, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_GET_HANDLE_ATTRIBUTE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 14, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_SET_HANDLE_ATTRIBUTE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 15, METHOD_BUFFERED, FILE_ANY_ACCESS) #define FSCTL_PIPE_FLUSH CTL_CODE(FILE_DEVICE_NAMED_PIPE, 16, METHOD_BUFFERED, FILE_WRITE_DATA) #define FSCTL_PIPE_INTERNAL_READ CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2045, METHOD_BUFFERED, FILE_READ_DATA) #define FSCTL_PIPE_INTERNAL_WRITE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2046, METHOD_BUFFERED, FILE_WRITE_DATA) #define FSCTL_PIPE_INTERNAL_TRANSCEIVE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2047, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA) #define FSCTL_PIPE_INTERNAL_READ_OVFLOW CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2048, METHOD_BUFFERED, FILE_READ_DATA) // Flags for query event #define FILE_PIPE_READ_DATA 0x00000000 #define FILE_PIPE_WRITE_SPACE 0x00000001 #define RTL_CLONE_PROCESS_FLAGS_CREATE_SUSPENDED 0x00000001 #define RTL_CLONE_PROCESS_FLAGS_INHERIT_HANDLES 0x00000002 #define RTL_CLONE_PROCESS_FLAGS_NO_SYNCHRONIZE 0x00000004 #define CERT_PE_IMAGE_DIGEST_ALL_IMPORT_INFO 0x04 typedef struct _LSA_UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } LSA_UNICODE_STRING, * PLSA_UNICODE_STRING, UNICODE_STRING, * PUNICODE_STRING; typedef struct _OBJECT_ATTRIBUTES { ULONG Length; HANDLE RootDirectory; PUNICODE_STRING ObjectName; ULONG Attributes; PVOID SecurityDescriptor; PVOID SecurityQualityOfService; } OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES; typedef struct _LDR_MODULE { LIST_ENTRY InLoadOrderModuleList; LIST_ENTRY InMemoryOrderModuleList; LIST_ENTRY InInitializationOrderModuleList; PVOID BaseAddress; PVOID EntryPoint; ULONG SizeOfImage; UNICODE_STRING FullDllName; UNICODE_STRING BaseDllName; ULONG Flags; SHORT LoadCount; SHORT TlsIndex; LIST_ENTRY HashTableEntry; ULONG TimeDateStamp; } LDR_MODULE, * PLDR_MODULE; typedef struct _PEB_LDR_DATA { ULONG Length; ULONG Initialized; PVOID SsHandle; LIST_ENTRY InLoadOrderModuleList; LIST_ENTRY InMemoryOrderModuleList; LIST_ENTRY InInitializationOrderModuleList; } PEB_LDR_DATA, * PPEB_LDR_DATA; typedef struct _CURDIR { UNICODE_STRING DosPath; PVOID Handle; }CURDIR, * PCURDIR; typedef struct _STRING { USHORT Length; USHORT MaximumLength; PCHAR Buffer; } ANSI_STRING, * PANSI_STRING; typedef struct _RTL_DRIVE_LETTER_CURDIR { WORD Flags; WORD Length; ULONG TimeStamp; ANSI_STRING DosPath; } RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR; typedef struct _RTL_USER_PROCESS_PARAMETERS { ULONG MaximumLength; ULONG Length; ULONG Flags; ULONG DebugFlags; PVOID ConsoleHandle; ULONG ConsoleFlags; PVOID StandardInput; PVOID StandardOutput; PVOID StandardError; CURDIR CurrentDirectory; UNICODE_STRING DllPath; UNICODE_STRING ImagePathName; UNICODE_STRING CommandLine; PVOID Environment; ULONG StartingX; ULONG StartingY; ULONG CountX; ULONG CountY; ULONG CountCharsX; ULONG CountCharsY; ULONG FillAttribute; ULONG WindowFlags; ULONG ShowWindowFlags; UNICODE_STRING WindowTitle; UNICODE_STRING DesktopInfo; UNICODE_STRING ShellInfo; UNICODE_STRING RuntimeData; RTL_DRIVE_LETTER_CURDIR CurrentDirectores[32]; ULONG EnvironmentSize; }RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS; typedef struct _PEB { BOOLEAN InheritedAddressSpace; BOOLEAN ReadImageFileExecOptions; BOOLEAN BeingDebugged; BOOLEAN Spare; HANDLE Mutant; PVOID ImageBase; PPEB_LDR_DATA LoaderData; PRTL_USER_PROCESS_PARAMETERS ProcessParameters; PVOID SubSystemData; PVOID ProcessHeap; PVOID FastPebLock; PVOID FastPebLockRoutine; PVOID FastPebUnlockRoutine; ULONG EnvironmentUpdateCount; PVOID* KernelCallbackTable; PVOID EventLogSection; PVOID EventLog; PVOID FreeList; ULONG TlsExpansionCounter; PVOID TlsBitmap; ULONG TlsBitmapBits[0x2]; PVOID ReadOnlySharedMemoryBase; PVOID ReadOnlySharedMemoryHeap; PVOID* ReadOnlyStaticServerData; PVOID AnsiCodePageData; PVOID OemCodePageData; PVOID UnicodeCaseTableData; ULONG NumberOfProcessors; ULONG NtGlobalFlag; BYTE Spare2[0x4]; LARGE_INTEGER CriticalSectionTimeout; ULONG HeapSegmentReserve; ULONG HeapSegmentCommit; ULONG HeapDeCommitTotalFreeThreshold; ULONG HeapDeCommitFreeBlockThreshold; ULONG NumberOfHeaps; ULONG MaximumNumberOfHeaps; PVOID** ProcessHeaps; PVOID GdiSharedHandleTable; PVOID ProcessStarterHelper; PVOID GdiDCAttributeList; PVOID LoaderLock; ULONG OSMajorVersion; ULONG OSMinorVersion; ULONG OSBuildNumber; ULONG OSPlatformId; ULONG ImageSubSystem; ULONG ImageSubSystemMajorVersion; ULONG ImageSubSystemMinorVersion; ULONG GdiHandleBuffer[0x22]; ULONG PostProcessInitRoutine; ULONG TlsExpansionBitmap; BYTE TlsExpansionBitmapBits[0x80]; ULONG SessionId; } PEB, * PPEB; typedef struct __CLIENT_ID { HANDLE UniqueProcess; HANDLE UniqueThread; }CLIENT_ID, * PCLIENT_ID; typedef PVOID PACTIVATION_CONTEXT; typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME { struct __RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous; PACTIVATION_CONTEXT ActivationContext; ULONG Flags; } RTL_ACTIVATION_CONTEXT_STACK_FRAME, * PRTL_ACTIVATION_CONTEXT_STACK_FRAME; typedef struct _ACTIVATION_CONTEXT_STACK { PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame; LIST_ENTRY FrameListCache; ULONG Flags; ULONG NextCookieSequenceNumber; ULONG StackId; } ACTIVATION_CONTEXT_STACK, * PACTIVATION_CONTEXT_STACK; typedef struct _GDI_TEB_BATCH { ULONG Offset; ULONG HDC; ULONG Buffer[310]; } GDI_TEB_BATCH, * PGDI_TEB_BATCH; typedef struct _TEB_ACTIVE_FRAME_CONTEXT { ULONG Flags; PCHAR FrameName; } TEB_ACTIVE_FRAME_CONTEXT, * PTEB_ACTIVE_FRAME_CONTEXT; typedef struct _TEB_ACTIVE_FRAME { ULONG Flags; struct _TEB_ACTIVE_FRAME* Previous; PTEB_ACTIVE_FRAME_CONTEXT Context; } TEB_ACTIVE_FRAME, * PTEB_ACTIVE_FRAME; typedef struct _TEB { NT_TIB NtTib; PVOID EnvironmentPointer; CLIENT_ID ClientId; PVOID ActiveRpcHandle; PVOID ThreadLocalStoragePointer; PPEB ProcessEnvironmentBlock; ULONG LastErrorValue; ULONG CountOfOwnedCriticalSections; PVOID CsrClientThread; PVOID Win32ThreadInfo; ULONG User32Reserved[26]; ULONG UserReserved[5]; PVOID WOW32Reserved; LCID CurrentLocale; ULONG FpSoftwareStatusRegister; PVOID SystemReserved1[54]; LONG ExceptionCode; #if (NTDDI_VERSION >= NTDDI_LONGHORN) PACTIVATION_CONTEXT_STACK* ActivationContextStackPointer; UCHAR SpareBytes1[0x30 - 3 * sizeof(PVOID)]; ULONG TxFsContext; #elif (NTDDI_VERSION >= NTDDI_WS03) PACTIVATION_CONTEXT_STACK ActivationContextStackPointer; UCHAR SpareBytes1[0x34 - 3 * sizeof(PVOID)]; #else ACTIVATION_CONTEXT_STACK ActivationContextStack; UCHAR SpareBytes1[24]; #endif GDI_TEB_BATCH GdiTebBatch; CLIENT_ID RealClientId; PVOID GdiCachedProcessHandle; ULONG GdiClientPID; ULONG GdiClientTID; PVOID GdiThreadLocalInfo; PSIZE_T Win32ClientInfo[62]; PVOID glDispatchTable[233]; PSIZE_T glReserved1[29]; PVOID glReserved2; PVOID glSectionInfo; PVOID glSection; PVOID glTable; PVOID glCurrentRC; PVOID glContext; NTSTATUS LastStatusValue; UNICODE_STRING StaticUnicodeString; WCHAR StaticUnicodeBuffer[261]; PVOID DeallocationStack; PVOID TlsSlots[64]; LIST_ENTRY TlsLinks; PVOID Vdm; PVOID ReservedForNtRpc; PVOID DbgSsReserved[2]; #if (NTDDI_VERSION >= NTDDI_WS03) ULONG HardErrorMode; #else ULONG HardErrorsAreDisabled; #endif #if (NTDDI_VERSION >= NTDDI_LONGHORN) PVOID Instrumentation[13 - sizeof(GUID) / sizeof(PVOID)]; GUID ActivityId; PVOID SubProcessTag; PVOID EtwLocalData; PVOID EtwTraceData; #elif (NTDDI_VERSION >= NTDDI_WS03) PVOID Instrumentation[14]; PVOID SubProcessTag; PVOID EtwLocalData; #else PVOID Instrumentation[16]; #endif PVOID WinSockData; ULONG GdiBatchCount; #if (NTDDI_VERSION >= NTDDI_LONGHORN) BOOLEAN SpareBool0; BOOLEAN SpareBool1; BOOLEAN SpareBool2; #else BOOLEAN InDbgPrint; BOOLEAN FreeStackOnTermination; BOOLEAN HasFiberData; #endif UCHAR IdealProcessor; #if (NTDDI_VERSION >= NTDDI_WS03) ULONG GuaranteedStackBytes; #else ULONG Spare3; #endif PVOID ReservedForPerf; PVOID ReservedForOle; ULONG WaitingOnLoaderLock; #if (NTDDI_VERSION >= NTDDI_LONGHORN) PVOID SavedPriorityState; ULONG_PTR SoftPatchPtr1; ULONG_PTR ThreadPoolData; #elif (NTDDI_VERSION >= NTDDI_WS03) ULONG_PTR SparePointer1; ULONG_PTR SoftPatchPtr1; ULONG_PTR SoftPatchPtr2; #else Wx86ThreadState Wx86Thread; #endif PVOID* TlsExpansionSlots; #if defined(_WIN64) && !defined(EXPLICIT_32BIT) PVOID DeallocationBStore; PVOID BStoreLimit; #endif ULONG ImpersonationLocale; ULONG IsImpersonating; PVOID NlsCache; PVOID pShimData; ULONG HeapVirtualAffinity; HANDLE CurrentTransactionHandle; PTEB_ACTIVE_FRAME ActiveFrame; #if (NTDDI_VERSION >= NTDDI_WS03) PVOID FlsData; #endif #if (NTDDI_VERSION >= NTDDI_LONGHORN) PVOID PreferredLangauges; PVOID UserPrefLanguages; PVOID MergedPrefLanguages; ULONG MuiImpersonation; union { struct { USHORT SpareCrossTebFlags : 16; }; USHORT CrossTebFlags; }; union { struct { USHORT DbgSafeThunkCall : 1; USHORT DbgInDebugPrint : 1; USHORT DbgHasFiberData : 1; USHORT DbgSkipThreadAttach : 1; USHORT DbgWerInShipAssertCode : 1; USHORT DbgIssuedInitialBp : 1; USHORT DbgClonedThread : 1; USHORT SpareSameTebBits : 9; }; USHORT SameTebFlags; }; PVOID TxnScopeEntercallback; PVOID TxnScopeExitCAllback; PVOID TxnScopeContext; ULONG LockCount; ULONG ProcessRundown; ULONG64 LastSwitchTime; ULONG64 TotalSwitchOutTime; LARGE_INTEGER WaitReasonBitMap; #else BOOLEAN SafeThunkCall; BOOLEAN BooleanSpare[3]; #endif } TEB, * PTEB; typedef struct _KSYSTEM_TIME { ULONG LowPart; LONG High1Time; LONG High2Time; } KSYSTEM_TIME, * PKSYSTEM_TIME; typedef enum _NT_PRODUCT_TYPE { NtProductWinNt = 1, NtProductLanManNt = 2, NtProductServer = 3 } NT_PRODUCT_TYPE; typedef enum _ALTERNATIVE_ARCHITECTURE_TYPE { StandardDesign = 0, NEC98x86 = 1, EndAlternatives = 2 } ALTERNATIVE_ARCHITECTURE_TYPE; typedef enum _SYSTEM_INFORMATION_CLASS { SystemBasicInformation = 0, SystemCpuInformation = 1, SystemPerformanceInformation = 2, SystemTimeOfDayInformation = 3, /* was SystemTimeInformation */ SystemPathInformation = 4, SystemProcessInformation = 5, SystemCallCountInformation = 6, SystemDeviceInformation = 7, SystemProcessorPerformanceInformation = 8, SystemFlagsInformation = 9, SystemCallTimeInformation = 10, SystemModuleInformation = 11, SystemLocksInformation = 12, SystemStackTraceInformation = 13, SystemPagedPoolInformation = 14, SystemNonPagedPoolInformation = 15, SystemHandleInformation = 16, SystemObjectInformation = 17, SystemPageFileInformation = 18, SystemVdmInstemulInformation = 19, SystemVdmBopInformation = 20, SystemFileCacheInformation = 21, SystemPoolTagInformation = 22, SystemInterruptInformation = 23, SystemDpcBehaviorInformation = 24, SystemFullMemoryInformation = 25, SystemNotImplemented6 = 25, SystemLoadGdiDriverInformation = 26, SystemUnloadGdiDriverInformation = 27, SystemTimeAdjustmentInformation = 28, SystemTimeAdjustment = 28, SystemSummaryMemoryInformation = 29, SystemMirrorMemoryInformation = 30, SystemPerformanceTraceInformation = 31, SystemObsolete0 = 32, SystemExceptionInformation = 33, SystemCrashDumpStateInformation = 34, SystemKernelDebuggerInformation = 35, SystemContextSwitchInformation = 36, SystemRegistryQuotaInformation = 37, SystemExtendServiceTableInformation = 38, SystemPrioritySeparation = 39, SystemVerifierAddDriverInformation = 40, SystemVerifierRemoveDriverInformation = 41, SystemProcessorIdleInformation = 42, SystemLegacyDriverInformation = 43, SystemCurrentTimeZoneInformation = 44, SystemLookasideInformation = 45, SystemTimeSlipNotification = 46, SystemSessionCreate = 47, SystemSessionDetach = 48, SystemSessionInformation = 49, SystemRangeStartInformation = 50, SystemVerifierInformation = 51, SystemVerifierThunkExtend = 52, SystemSessionProcessesInformation = 53, SystemLoadGdiDriverInSystemSpace = 54, SystemNumaProcessorMap = 55, SystemPrefetcherInformation = 56, SystemExtendedProcessInformation = 57, SystemRecommendedSharedDataAlignment = 58, SystemComPlusPackage = 59, SystemNumaAvailableMemory = 60, SystemProcessorPowerInformation = 61, SystemEmulationBasicInformation = 62, SystemEmulationProcessorInformation = 63, SystemExtendedHandleInformation = 64, SystemLostDelayedWriteInformation = 65, SystemBigPoolInformation = 66, SystemSessionPoolTagInformation = 67, SystemSessionMappedViewInformation = 68, SystemHotpatchInformation = 69, SystemObjectSecurityMode = 70, SystemWatchdogTimerHandler = 71, SystemWatchdogTimerInformation = 72, SystemLogicalProcessorInformation = 73, SystemWow64SharedInformationObsolete = 74, SystemRegisterFirmwareTableInformationHandler = 75, SystemFirmwareTableInformation = 76, SystemModuleInformationEx = 77, SystemVerifierTriageInformation = 78, SystemSuperfetchInformation = 79, SystemMemoryListInformation = 80, SystemFileCacheInformationEx = 81, SystemThreadPriorityClientIdInformation = 82, SystemProcessorIdleCycleTimeInformation = 83, SystemVerifierCancellationInformation = 84, SystemProcessorPowerInformationEx = 85, SystemRefTraceInformation = 86, SystemSpecialPoolInformation = 87, SystemProcessIdInformation = 88, SystemErrorPortInformation = 89, SystemBootEnvironmentInformation = 90, SystemHypervisorInformation = 91, SystemVerifierInformationEx = 92, SystemTimeZoneInformation = 93, SystemImageFileExecutionOptionsInformation = 94, SystemCoverageInformation = 95, SystemPrefetchPatchInformation = 96, SystemVerifierFaultsInformation = 97, SystemSystemPartitionInformation = 98, SystemSystemDiskInformation = 99, SystemProcessorPerformanceDistribution = 100, SystemNumaProximityNodeInformation = 101, SystemDynamicTimeZoneInformation = 102, SystemCodeIntegrityInformation = 103, SystemProcessorMicrocodeUpdateInformation = 104, SystemProcessorBrandString = 105, SystemVirtualAddressInformation = 106, SystemLogicalProcessorInformationEx = 107, SystemProcessorCycleTimeInformation = 108, SystemStoreInformation = 109, SystemRegistryAppendString = 110, SystemAitSamplingValue = 111, SystemVhdBootInformation = 112, SystemCpuQuotaInformation = 113, SystemNativeBasicInformation = 114, SystemErrorPortTimeouts = 115, SystemLowPriorityIoInformation = 116, SystemTpmBootEntropyInformation = 117, SystemVerifierCountersInformation = 118, SystemPagedPoolInformationEx = 119, SystemSystemPtesInformationEx = 120, SystemNodeDistanceInformation = 121, SystemAcpiAuditInformation = 122, SystemBasicPerformanceInformation = 123, SystemQueryPerformanceCounterInformation = 124, SystemSessionBigPoolInformation = 125, SystemBootGraphicsInformation = 126, SystemScrubPhysicalMemoryInformation = 127, SystemBadPageInformation = 128, SystemProcessorProfileControlArea = 129, SystemCombinePhysicalMemoryInformation = 130, SystemEntropyInterruptTimingInformation = 131, SystemConsoleInformation = 132, SystemPlatformBinaryInformation = 133, SystemPolicyInformation = 134, SystemHypervisorProcessorCountInformation = 135, SystemDeviceDataInformation = 136, SystemDeviceDataEnumerationInformation = 137, SystemMemoryTopologyInformation = 138, SystemMemoryChannelInformation = 139, SystemBootLogoInformation = 140, SystemProcessorPerformanceInformationEx = 141, SystemCriticalProcessErrorLogInformation = 142, SystemSecureBootPolicyInformation = 143, SystemPageFileInformationEx = 144, SystemSecureBootInformation = 145, SystemEntropyInterruptTimingRawInformation = 146, SystemPortableWorkspaceEfiLauncherInformation = 147, SystemFullProcessInformation = 148, SystemKernelDebuggerInformationEx = 149, SystemBootMetadataInformation = 150, SystemSoftRebootInformation = 151, SystemElamCertificateInformation = 152, SystemOfflineDumpConfigInformation = 153, SystemProcessorFeaturesInformation = 154, SystemRegistryReconciliationInformation = 155, SystemEdidInformation = 156, SystemManufacturingInformation = 157, SystemEnergyEstimationConfigInformation = 158, SystemHypervisorDetailInformation = 159, SystemProcessorCycleStatsInformation = 160, SystemVmGenerationCountInformation = 161, SystemTrustedPlatformModuleInformation = 162, SystemKernelDebuggerFlags = 163, SystemCodeIntegrityPolicyInformation = 164, SystemIsolatedUserModeInformation = 165, SystemHardwareSecurityTestInterfaceResultsInformation = 166, SystemSingleModuleInformation = 167, SystemAllowedCpuSetsInformation = 168, SystemVsmProtectionInformation = 169, SystemInterruptCpuSetsInformation = 170, SystemSecureBootPolicyFullInformation = 171, SystemCodeIntegrityPolicyFullInformation = 172, SystemAffinitizedInterruptProcessorInformation = 173, SystemRootSiloInformation = 174, SystemCpuSetInformation = 175, SystemCpuSetTagInformation = 176, SystemWin32WerStartCallout = 177, SystemSecureKernelProfileInformation = 178, SystemCodeIntegrityPlatformManifestInformation = 179, SystemInterruptSteeringInformation = 180, SystemSupportedProcessorArchitectures = 181, SystemMemoryUsageInformation = 182, SystemCodeIntegrityCertificateInformation = 183, SystemPhysicalMemoryInformation = 184, SystemControlFlowTransition = 185, SystemKernelDebuggingAllowed = 186, SystemActivityModerationExeState = 187, SystemActivityModerationUserSettings = 188, SystemCodeIntegrityPoliciesFullInformation = 189, SystemCodeIntegrityUnlockInformation = 190, SystemIntegrityQuotaInformation = 191, SystemFlushInformation = 192, SystemProcessorIdleMaskInformation = 193, SystemSecureDumpEncryptionInformation = 194, SystemWriteConstraintInformation = 195, SystemKernelVaShadowInformation = 196, SystemHypervisorSharedPageInformation = 197, SystemFirmwareBootPerformanceInformation = 198, SystemCodeIntegrityVerificationInformation = 199, SystemFirmwarePartitionInformation = 200, SystemSpeculationControlInformation = 201, SystemDmaGuardPolicyInformation = 202, SystemEnclaveLaunchControlInformation = 203, SystemWorkloadAllowedCpuSetsInformation = 204, SystemCodeIntegrityUnlockModeInformation = 205, SystemLeapSecondInformation = 206, SystemFlags2Information = 207, SystemSecurityModelInformation = 208, SystemCodeIntegritySyntheticCacheInformation = 209, SystemFeatureConfigurationInformation = 210, SystemFeatureConfigurationSectionInformation = 211, SystemFeatureUsageSubscriptionInformation = 212, SystemSecureSpeculationControlInformation = 213, SystemSpacesBootInformation = 214, SystemFwRamdiskInformation = 215, SystemWheaIpmiHardwareInformation = 216, SystemDifSetRuleClassInformation = 217, SystemDifClearRuleClassInformation = 218, SystemDifApplyPluginVerificationOnDriver = 219, SystemDifRemovePluginVerificationOnDriver = 220, SystemShadowStackInformation = 221, SystemBuildVersionInformation = 222, #ifdef __WINESRC__ SystemWineVersionInformation = 1000, #endif } SYSTEM_INFORMATION_CLASS, * PSYSTEM_INFORMATION_CLASS; typedef struct _KUSER_SHARED_DATA { ULONG TickCountLowDeprecated; ULONG TickCountMultiplier; KSYSTEM_TIME InterruptTime; KSYSTEM_TIME SystemTime; KSYSTEM_TIME TimeZoneBias; USHORT ImageNumberLow; USHORT ImageNumberHigh; WCHAR NtSystemRoot[260]; ULONG MaxStackTraceDepth; ULONG CryptoExponent; ULONG TimeZoneId; ULONG LargePageMinimum; ULONG AitSamplingValue; ULONG AppCompatFlag; ULONGLONG RNGSeedVersion; ULONG GlobalValidationRunlevel; LONG TimeZoneBiasStamp; ULONG NtBuildNumber; NT_PRODUCT_TYPE NtProductType; BOOLEAN ProductTypeIsValid; BOOLEAN Reserved0[1]; USHORT NativeProcessorArchitecture; ULONG NtMajorVersion; ULONG NtMinorVersion; BOOLEAN ProcessorFeatures[PROCESSOR_FEATURE_MAX]; ULONG Reserved1; ULONG Reserved3; ULONG TimeSlip; ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture; ULONG BootId; LARGE_INTEGER SystemExpirationDate; ULONG SuiteMask; BOOLEAN KdDebuggerEnabled; union { UCHAR MitigationPolicies; struct { UCHAR NXSupportPolicy : 2; UCHAR SEHValidationPolicy : 2; UCHAR CurDirDevicesSkippedForDlls : 2; UCHAR Reserved : 2; }; }; USHORT CyclesPerYield; ULONG ActiveConsoleId; ULONG DismountCount; ULONG ComPlusPackage; ULONG LastSystemRITEventTickCount; ULONG NumberOfPhysicalPages; BOOLEAN SafeBootMode; UCHAR VirtualizationFlags; UCHAR Reserved12[2]; union { ULONG SharedDataFlags; struct { ULONG DbgErrorPortPresent : 1; ULONG DbgElevationEnabled : 1; ULONG DbgVirtEnabled : 1; ULONG DbgInstallerDetectEnabled : 1; ULONG DbgLkgEnabled : 1; ULONG DbgDynProcessorEnabled : 1; ULONG DbgConsoleBrokerEnabled : 1; ULONG DbgSecureBootEnabled : 1; ULONG DbgMultiSessionSku : 1; ULONG DbgMultiUsersInSessionSku : 1; ULONG DbgStateSeparationEnabled : 1; ULONG SpareBits : 21; } DUMMYSTRUCTNAME2; } DUMMYUNIONNAME2; ULONG DataFlagsPad[1]; ULONGLONG TestRetInstruction; LONGLONG QpcFrequency; ULONG SystemCall; ULONG Reserved2; ULONGLONG SystemCallPad[2]; union { KSYSTEM_TIME TickCount; ULONG64 TickCountQuad; struct { ULONG ReservedTickCountOverlay[3]; ULONG TickCountPad[1]; } DUMMYSTRUCTNAME; } DUMMYUNIONNAME3; ULONG Cookie; ULONG CookiePad[1]; LONGLONG ConsoleSessionForegroundProcessId; ULONGLONG TimeUpdateLock; ULONGLONG BaselineSystemTimeQpc; ULONGLONG BaselineInterruptTimeQpc; ULONGLONG QpcSystemTimeIncrement; ULONGLONG QpcInterruptTimeIncrement; UCHAR QpcSystemTimeIncrementShift; UCHAR QpcInterruptTimeIncrementShift; USHORT UnparkedProcessorCount; ULONG EnclaveFeatureMask[4]; ULONG TelemetryCoverageRound; USHORT UserModeGlobalLogger[16]; ULONG ImageFileExecutionOptions; ULONG LangGenerationCount; ULONGLONG Reserved4; ULONGLONG InterruptTimeBias; ULONGLONG QpcBias; ULONG ActiveProcessorCount; UCHAR ActiveGroupCount; UCHAR Reserved9; union { USHORT QpcData; struct { UCHAR QpcBypassEnabled; UCHAR QpcShift; }; }; LARGE_INTEGER TimeZoneBiasEffectiveStart; LARGE_INTEGER TimeZoneBiasEffectiveEnd; XSTATE_CONFIGURATION XState; KSYSTEM_TIME FeatureConfigurationChangeStamp; ULONG Spare; } KUSER_SHARED_DATA, * PKUSER_SHARED_DATA; typedef struct _SYSTEM_PROCESS_INFORMATION { ULONG NextEntryOffset; ULONG NumberOfThreads; LARGE_INTEGER WorkingSetPrivateSize; ULONG HardFaultCount; ULONG NumberOfThreadsHighWatermark; ULONGLONG CycleTime; LARGE_INTEGER CreateTime; LARGE_INTEGER UserTime; LARGE_INTEGER KernelTime; UNICODE_STRING ImageName; LONG BasePriority; HANDLE UniqueProcessId; HANDLE InheritedFromUniqueProcessId; ULONG HandleCount; ULONG SessionId; ULONG_PTR PageDirectoryBase; SIZE_T PeakVirtualSize; SIZE_T VirtualSize; ULONG PageFaultCount; SIZE_T PeakWorkingSetSize; SIZE_T WorkingSetSize; SIZE_T QuotaPeakPagedPoolUsage; SIZE_T QuotaPagedPoolUsage; SIZE_T QuotaPeakNonPagedPoolUsage; SIZE_T QuotaNonPagedPoolUsage; SIZE_T PagefileUsage; SIZE_T PeakPagefileUsage; SIZE_T PrivatePageCount; LARGE_INTEGER ReadOperationCount; LARGE_INTEGER WriteOperationCount; LARGE_INTEGER OtherOperationCount; LARGE_INTEGER ReadTransferCount; LARGE_INTEGER WriteTransferCount; LARGE_INTEGER OtherTransferCount; } SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION; typedef enum _PROCESSINFOCLASS { ProcessBasicInformation = 0, ProcessDebugPort = 7, ProcessWow64Information = 26, ProcessImageFileName = 27, ProcessBreakOnTermination = 29 } PROCESSINFOCLASS; typedef struct _MSIFILEHASHINFO { ULONG dwFileHashInfoSize; ULONG dwData[4]; } MSIFILEHASHINFO, * PMSIFILEHASHINFO; typedef struct __DATA_SHARE_SCOPE_ENTRY { INT ScopeType; PWCHAR ScopeValue; }DATA_SHARE_SCOPE_ENTRY, * PDATA_SHARE_SCOPE_ENTRY; typedef struct __DATA_SHARE_SCOPE { INT ScopeCount; DATA_SHARE_SCOPE_ENTRY Entries[20]; }DATA_SHARE_SCOPE, * PDATA_SHARE_SCOPE; typedef struct __DATA_SHARE_CTRL { INT SharePermission; INT ShareMode; DATA_SHARE_SCOPE Scope; }DATA_SHARE_CTRL, * PDATA_SHARE_CTRL; #define PS_ATTRIBUTE_NUMBER_MASK 0x0000ffff #define PS_ATTRIBUTE_THREAD 0x00010000 #define PS_ATTRIBUTE_INPUT 0x00020000 #define PS_ATTRIBUTE_ADDITIVE 0x00040000 typedef enum _PS_ATTRIBUTE_NUM { PsAttributeParentProcess, PsAttributeDebugPort, PsAttributeToken, PsAttributeClientId, PsAttributeTebAddress, PsAttributeImageName, PsAttributeImageInfo, PsAttributeMemoryReserve, PsAttributePriorityClass, PsAttributeErrorMode, PsAttributeStdHandleInfo, PsAttributeHandleList, PsAttributeGroupAffinity, PsAttributePreferredNode, PsAttributeIdealProcessor, PsAttributeUmsThread, PsAttributeMitigationOptions, PsAttributeProtectionLevel, PsAttributeSecureProcess, PsAttributeJobList, PsAttributeChildProcessPolicy, PsAttributeAllApplicationPackagesPolicy, PsAttributeWin32kFilter, PsAttributeSafeOpenPromptOriginClaim, PsAttributeBnoIsolation, PsAttributeDesktopAppPolicy, PsAttributeMax } PS_ATTRIBUTE_NUM; #define PsAttributeValue(Number, Thread, Input, Additive) \ (((Number) & PS_ATTRIBUTE_NUMBER_MASK) | \ ((Thread) ? PS_ATTRIBUTE_THREAD : 0) | \ ((Input) ? PS_ATTRIBUTE_INPUT : 0) | \ ((Additive) ? PS_ATTRIBUTE_ADDITIVE : 0)) #define RTL_USER_PROCESS_PARAMETERS_NORMALIZED 0x01 #define PS_ATTRIBUTE_IMAGE_NAME \ PsAttributeValue(PsAttributeImageName, FALSE, TRUE, FALSE) typedef struct _PS_ATTRIBUTE { ULONG_PTR Attribute; SIZE_T Size; union { ULONG_PTR Value; PVOID ValuePtr; }; PSIZE_T ReturnLength; } PS_ATTRIBUTE, * PPS_ATTRIBUTE; typedef struct _PS_ATTRIBUTE_LIST { SIZE_T TotalLength; PS_ATTRIBUTE Attributes[2]; } PS_ATTRIBUTE_LIST, * PPS_ATTRIBUTE_LIST; typedef enum _PS_CREATE_STATE { PsCreateInitialState, PsCreateFailOnFileOpen, PsCreateFailOnSectionCreate, PsCreateFailExeFormat, PsCreateFailMachineMismatch, PsCreateFailExeName, PsCreateSuccess, PsCreateMaximumStates } PS_CREATE_STATE; typedef struct _PS_CREATE_INFO { SIZE_T Size; PS_CREATE_STATE State; union { struct { union { ULONG InitFlags; struct { UCHAR WriteOutputOnExit : 1; UCHAR DetectManifest : 1; UCHAR IFEOSkipDebugger : 1; UCHAR IFEODoNotPropagateKeyState : 1; UCHAR SpareBits1 : 4; UCHAR SpareBits2 : 8; USHORT ProhibitedImageCharacteristics : 16; } s1; } u1; ACCESS_MASK AdditionalFileAccess; } InitState; struct { HANDLE FileHandle; } FailSection; struct { USHORT DllCharacteristics; } ExeFormat; struct { HANDLE IFEOKey; } ExeName; struct { union { ULONG OutputFlags; struct { UCHAR ProtectedProcess : 1; UCHAR AddressSpaceOverride : 1; UCHAR DevOverrideEnabled : 1; UCHAR ManifestDetected : 1; UCHAR ProtectedProcessLight : 1; UCHAR SpareBits1 : 3; UCHAR SpareBits2 : 8; USHORT SpareBits3 : 16; } s2; } u2; HANDLE FileHandle; HANDLE SectionHandle; ULONGLONG UserProcessParametersNative; ULONG UserProcessParametersWow64; ULONG CurrentParameterFlags; ULONGLONG PebAddressNative; ULONG PebAddressWow64; ULONGLONG ManifestAddress; ULONG ManifestSize; } SuccessState; }; } PS_CREATE_INFO, * PPS_CREATE_INFO; typedef struct _PROC_THREAD_ATTRIBUTE { ULONG64 Attribute; ULONG64 Size; ULONG64 Value; }PROC_THREAD_ATTRIBUTE, * PPROC_THREAD_ATTRIBUTE; typedef struct _PROC_THREAD_ATTRIBUTE_LIST { ULONG PresentFlags; ULONG AttributeCount; ULONG LastAttribute; ULONG SpareUlong0; struct _PROC_THREAD_ATTRIBUTE* ExtendedFlagsAttribute; struct _PROC_THREAD_ATTRIBUTE Attributes[1]; }PROC_THREAD_ATTRIBUTE_LIST, * PPROC_THREAD_ATTRIBUTE_LIST; typedef enum _KEY_VALUE_INFORMATION_CLASS { KeyValueBasicInformation, KeyValueFullInformation, KeyValuePartialInformation, KeyValueFullInformationAlign64, KeyValuePartialInformationAlign64, KeyValueLayerInformation, MaxKeyValueInfoClass } KEY_VALUE_INFORMATION_CLASS; typedef struct _KEY_VALUE_PARTIAL_INFORMATION { ULONG TitleIndex; ULONG Type; ULONG DataLength; UCHAR Data[1]; } KEY_VALUE_PARTIAL_INFORMATION, * PKEY_VALUE_PARTIAL_INFORMATION; typedef struct _SYSTEM_PROCESS_ID_INFORMATION { HANDLE ProcessId; UNICODE_STRING ImageName; } SYSTEM_PROCESS_IMAGE_NAME_INFORMATION, * PSYSTEM_PROCESS_IMAGE_NAME_INFORMATION; typedef struct _IO_STATUS_BLOCK { union { NTSTATUS Status; PVOID Pointer; }; ULONG_PTR Information; } IO_STATUS_BLOCK, * PIO_STATUS_BLOCK; typedef enum _FILE_INFORMATION_CLASS { FileDirectoryInformation = 1, FileFullDirectoryInformation, // 2 FileBothDirectoryInformation, // 3 FileBasicInformation, // 4 FileStandardInformation, // 5 FileInternalInformation, // 6 FileEaInformation, // 7 FileAccessInformation, // 8 FileNameInformation, // 9 FileRenameInformation, // 10 FileLinkInformation, // 11 FileNamesInformation, // 12 FileDispositionInformation, // 13 FilePositionInformation, // 14 FileFullEaInformation, // 15 FileModeInformation, // 16 FileAlignmentInformation, // 17 FileAllInformation, // 18 FileAllocationInformation, // 19 FileEndOfFileInformation, // 20 FileAlternateNameInformation, // 21 FileStreamInformation, // 22 FilePipeInformation, // 23 FilePipeLocalInformation, // 24 FilePipeRemoteInformation, // 25 FileMailslotQueryInformation, // 26 FileMailslotSetInformation, // 27 FileCompressionInformation, // 28 FileObjectIdInformation, // 29 FileCompletionInformation, // 30 FileMoveClusterInformation, // 31 FileQuotaInformation, // 32 FileReparsePointInformation, // 33 FileNetworkOpenInformation, // 34 FileAttributeTagInformation, // 35 FileTrackingInformation, // 36 FileIdBothDirectoryInformation, // 37 FileIdFullDirectoryInformation, // 38 FileValidDataLengthInformation, // 39 FileShortNameInformation, // 40 FileIoCompletionNotificationInformation, // 41 FileIoStatusBlockRangeInformation, // 42 FileIoPriorityHintInformation, // 43 FileSfioReserveInformation, // 44 FileSfioVolumeInformation, // 45 FileHardLinkInformation, // 46 FileProcessIdsUsingFileInformation, // 47 FileNormalizedNameInformation, // 48 FileNetworkPhysicalNameInformation, // 49 FileIdGlobalTxDirectoryInformation, // 50 FileIsRemoteDeviceInformation, // 51 FileUnusedInformation, // 52 FileNumaNodeInformation, // 53 FileStandardLinkInformation, // 54 FileRemoteProtocolInformation, // 55 FileRenameInformationBypassAccessCheck, // 56 FileLinkInformationBypassAccessCheck, // 57 FileVolumeNameInformation, // 58 FileIdInformation, // 59 FileIdExtdDirectoryInformation, // 60 FileReplaceCompletionInformation, // 61 FileHardLinkFullIdInformation, // 62 FileIdExtdBothDirectoryInformation, // 63 FileDispositionInformationEx, // 64 FileRenameInformationEx, // 65 FileRenameInformationExBypassAccessCheck, // 66 FileDesiredStorageClassInformation, // 67 FileStatInformation, // 68 FileMemoryPartitionInformation, // 69 FileStatLxInformation, // 70 FileCaseSensitiveInformation, // 71 FileLinkInformationEx, // 72 FileLinkInformationExBypassAccessCheck, // 73 FileStorageReserveIdInformation, // 74 FileCaseSensitiveInformationForceAccessCheck, // 75 FileKnownFolderInformation, // 76 FileMaximumInformation } FILE_INFORMATION_CLASS, * PFILE_INFORMATION_CLASS; typedef struct _RTLP_CURDIR_REF* PRTLP_CURDIR_REF; typedef struct _RTL_RELATIVE_NAME_U { UNICODE_STRING RelativeName; HANDLE ContainingDirectory; PRTLP_CURDIR_REF CurDirRef; } RTL_RELATIVE_NAME_U, * PRTL_RELATIVE_NAME_U; typedef struct _FILE_PROCESS_IDS_USING_FILE_INFORMATION { ULONG NumberOfProcessIdsInList; ULONG_PTR ProcessIdList[1]; } FILE_PROCESS_IDS_USING_FILE_INFORMATION, * PFILE_PROCESS_IDS_USING_FILE_INFORMATION; typedef VOID(NTAPI* PIO_APC_ROUTINE)(PVOID ApcContext, _In_ PIO_STATUS_BLOCK IoStatusBlock, _In_ ULONG Reserved); typedef DWORD(CALLBACK* PRTL_WORK_ITEM_ROUTINE)(LPVOID); typedef struct AMBIGUOUS_STRING { DWORD Length; DWORD MaximumLength; PUCHAR Buffer; }AB_STRING, * PAB_STRING; typedef struct _LDR_DLL_UNLOADED_NOTIFICATION_DATA { ULONG Flags; PUNICODE_STRING FullDllName; PUNICODE_STRING BaseDllName; PVOID DllBase; ULONG SizeOfImage; } LDR_DLL_UNLOADED_NOTIFICATION_DATA, * PLDR_DLL_UNLOADED_NOTIFICATION_DATA; typedef struct _LDR_DLL_LOADED_NOTIFICATION_DATA { ULONG Flags; PUNICODE_STRING FullDllName; PUNICODE_STRING BaseDllName; PVOID DllBase; ULONG SizeOfImage; } LDR_DLL_LOADED_NOTIFICATION_DATA, * PLDR_DLL_LOADED_NOTIFICATION_DATA; typedef union _LDR_DLL_NOTIFICATION_DATA { LDR_DLL_LOADED_NOTIFICATION_DATA Loaded; LDR_DLL_UNLOADED_NOTIFICATION_DATA Unloaded; } LDR_DLL_NOTIFICATION_DATA, * PLDR_DLL_NOTIFICATION_DATA; typedef VOID(CALLBACK* LDR_DLL_NOTIFICATION_FUNCTION)(ULONG, CONST PLDR_DLL_NOTIFICATION_DATA, PVOID); typedef struct RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION { HANDLE ReflectionProcessHandle; HANDLE ReflectionThreadHandle; CLIENT_ID ReflectionClientId; } RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION, * PRTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION;