diff --git a/Veil/Veil.System.ALPC.h b/Veil/Veil.System.ALPC.h
index 11baee5..660743b 100644
--- a/Veil/Veil.System.ALPC.h
+++ b/Veil/Veil.System.ALPC.h
@@ -689,8 +689,8 @@ typedef struct _ALPC_HANDLE_ATTR32
 ULONG Reserved1;
 ULONG Handle;
 ULONG ObjectType; // ObjectTypeCode, not ObjectTypeIndex
- ULONG DesiredAccess;
- ULONG GrantedAccess;
+ ACCESS_MASK DesiredAccess;
+ ACCESS_MASK GrantedAccess;
 } ALPC_HANDLE_ATTR32, * PALPC_HANDLE_ATTR32;
 // private
diff --git a/Veil/Veil.System.ConfigurationManager.h b/Veil/Veil.System.ConfigurationManager.h
index 999568d..78d39e3 100644
--- a/Veil/Veil.System.ConfigurationManager.h
+++ b/Veil/Veil.System.ConfigurationManager.h
@@ -623,7 +623,7 @@ typedef struct _VR_UNLOAD_DIFFERENCING_HIVE_FOR_HOST
 * @param[in, optional] Class A pointer to a UNICODE_STRING structure that specifies the class of the key.
 * @param[in] CreateOptions The options to use when creating the key.
 * @param[out, optional] Disposition A pointer to a variable that receives the disposition value.
- * @return NTSTATUS The status of the operation.
+ * @return NTSTATUS Successful or errant status.
 */
 __kernel_entry __kernel_entry NTSYSCALLAPI
 NTSTATUS
@@ -663,7 +663,7 @@ ZwCreateKey(
 * @param[in] CreateOptions The options to use when creating the key.
 * @param[in] TransactionHandle A handle to the transaction.
 * @param[out, optional] Disposition A pointer to a variable that receives the disposition value.
- * @return NTSTATUS The status of the operation.
+ * @return NTSTATUS Successful or errant status.
 */
 __kernel_entry NTSYSCALLAPI
 NTSTATUS
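Review bot: The context line right after the rewritten `@return` in the `@@ -623` hunk reads `__kernel_entry __kernel_entry NTSYSCALLAPI`, a duplicated annotation that the commit leaves in place, while the sibling `@@ -663` hunk has the single `__kernel_entry NTSYSCALLAPI` form. Repeating the SAL macro is harmless to the compiler, but it reads like a merge artifact and will be copied forward by the next person who clones a declaration. Drop one so the line reads `__kernel_entry NTSYSCALLAPI`. The declaration that this line opens continues outside the hunk.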
@@ -699,7 +699,7 @@ ZwCreateKeyTransacted(
 * @param[out] KeyHandle A pointer to a handle that receives the key handle.
 * @param[in] DesiredAccess The access mask that specifies the desired access rights.
 * @param[in] ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes.
- * @return NTSTATUS The status of the operation.
+ * @return NTSTATUS Successful or errant status.
 * @remarks NtOpenKey ignores the security information in the ObjectAttributes structure.
 */
 __kernel_entry NTSYSCALLAPI
@@ -728,7 +728,7 @@ ZwOpenKey(
 * @param[in] DesiredAccess The access mask that specifies the desired access rights.
 * @param[in] ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes.
 * @param[in] TransactionHandle A handle to the transaction.
- * @return NTSTATUS The status of the operation.
+ * @return NTSTATUS Successful or errant status.
 */
 __kernel_entry NTSYSCALLAPI
 NTSTATUS
@@ -758,7 +758,7 @@ ZwOpenKeyTransacted(
 * @param[in] DesiredAccess The access mask that specifies the desired access rights.
 * @param[in] ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes.
 * @param[in] OpenOptions The options to use when opening the key.
- * @return NTSTATUS The status of the operation.
+ * @return NTSTATUS Successful or errant status.
 */
 __kernel_entry NTSYSCALLAPI
 NTSTATUS
@@ -789,7 +789,7 @@ ZwOpenKeyEx(
 * @param[in] ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes.
 * @param[in] OpenOptions The options to use when opening the key.
 * @param[in] TransactionHandle A handle to the transaction.
- * @return NTSTATUS The status of the operation.
+ * @return NTSTATUS Successful or errant status.
 */
 __kernel_entry NTSYSCALLAPI
 NTSTATUS
@@ -818,7 +818,7 @@ ZwOpenKeyTransactedEx(
 * Deletes a registry key.
 *
 * @param[in] KeyHandle A handle to the key to be deleted.
- * @return NTSTATUS The status of the operation.
+ * @return NTSTATUS Successful or errant status.
 */
 __kernel_entry NTSYSCALLAPI
 NTSTATUS
@@ -840,7 +840,7 @@ ZwDeleteKey(
 *
 * @param[in] KeyHandle A handle to the key to be renamed.
 * @param[in] NewName A pointer to a UNICODE_STRING structure that specifies the new name of the key.
- * @return NTSTATUS The status of the operation.
+ * @return NTSTATUS Successful or errant status.
 */
 __kernel_entry NTSYSCALLAPI
 NTSTATUS
@@ -864,7 +864,7 @@ ZwRenameKey(
 *
 * @param[in] KeyHandle A handle to the key that contains the value to be deleted.
 * @param[in] ValueName A pointer to a UNICODE_STRING structure that specifies the name of the value to be deleted.
- * @return NTSTATUS The status of the operation.
+ * @return NTSTATUS Successful or errant status.
 */
 __kernel_entry NTSYSCALLAPI
 NTSTATUS
@@ -891,7 +891,7 @@ ZwDeleteValueKey(
 * @param[out] KeyInformation A pointer to a buffer that receives the key information.
 * @param[in] Length The size of the buffer.
 * @param[out] ResultLength A pointer to a variable that receives the size of the data returned.
- * @return NTSTATUS The status of the operation.
+ * @return NTSTATUS Successful or errant status.
 */
 __kernel_entry NTSYSCALLAPI
 NTSTATUS
@@ -927,7 +927,7 @@ ZwQueryKey(
 * @param[in] KeySetInformationClass The type of information to be set.
 * @param[in] KeySetInformation A pointer to a buffer that contains the key information.
 * @param[in] KeySetInformationLength The size of the buffer.
- * @return NTSTATUS The status of the operation.
+ * @return NTSTATUS Successful or errant status.
 */
 __kernel_entry NTSYSCALLAPI
 NTSTATUS
@@ -960,7 +960,7 @@ ZwSetInformationKey(
 * @param[out] KeyValueInformation A pointer to a buffer that receives the value information.
 * @param[in] Length The size of the buffer.
 * @param[out] ResultLength A pointer to a variable that receives the size of the data returned.
- * @return NTSTATUS The status of the operation.
+ * @return NTSTATUS Successful or errant status.
 */
 __kernel_entry NTSYSCALLAPI
 NTSTATUS
@@ -1001,7 +1001,7 @@ ZwQueryValueKey(
 * @param[in] Type The type of the value.
 * @param[in] Data A pointer to a buffer that contains the value data.
 * @param[in] DataSize The size of the buffer.
- * @return NTSTATUS The status of the operation.
+ * @return NTSTATUS Successful or errant status.
 */
 __kernel_entry NTSYSCALLAPI
 NTSTATUS
@@ -1037,7 +1037,7 @@ ZwSetValueKey(
 * @param[out] ValueBuffer A pointer to a buffer that receives the value data.
 * @param[in, out] BufferLength A pointer to a variable that specifies the size of the buffer and receives the size of the data returned.
 * @param[out, optional] RequiredBufferLength A pointer to a variable that receives the size of the buffer required to hold the data.
- * @return NTSTATUS The status of the operation.
+ * @return NTSTATUS Successful or errant status.
 */
 __kernel_entry NTSYSCALLAPI
 NTSTATUS
@@ -1073,7 +1073,7 @@ ZwQueryMultipleValueKey(
 * @param[out] KeyInformation A pointer to a buffer that receives the key information.
 * @param[in] Length The size of the buffer.
 * @param[out] ResultLength A pointer to a variable that receives the size of the data returned.
- * @return NTSTATUS The status of the operation.
+ * @return NTSTATUS Successful or errant status.
 */
 __kernel_entry NTSYSCALLAPI
 NTSTATUS
@@ -1113,7 +1113,7 @@ ZwEnumerateKey(
 * @param[out] KeyValueInformation A pointer to a buffer that receives the value information.
 * @param[in] Length The size of the buffer.
 * @param[out] ResultLength A pointer to a variable that receives the size of the data returned.
- * @return NTSTATUS The status of the operation.
+ * @return NTSTATUS Successful or errant status.
 */
 __kernel_entry NTSYSCALLAPI
 NTSTATUS
@@ -1148,7 +1148,7 @@ ZwEnumerateValueKey(
 * Flushes the changes to a registry key.
 *
 * @param[in] KeyHandle A handle to the key to be flushed.
- * @return NTSTATUS The status of the operation.
+ * @return NTSTATUS Successful or errant status.
 */
 __kernel_entry NTSYSCALLAPI
 NTSTATUS
@@ -1170,7 +1170,7 @@ ZwFlushKey(
 *
 * @param[in] Count The number of keys to be compacted.
 * @param[in] KeyArray An array of handles to the keys to be compacted.
- * @return NTSTATUS The status of the operation.
+ * @return NTSTATUS Successful or errant status.
 */
 __kernel_entry NTSYSCALLAPI
 NTSTATUS
@@ -1193,7 +1193,7 @@ ZwCompactKeys(
 * Compresses a registry key.
 *
 * @param[in] KeyHandle A handle to the key to be compressed.
- * @return NTSTATUS The status of the operation.
+ * @return NTSTATUS Successful or errant status.
 */
 __kernel_entry NTSYSCALLAPI
 NTSTATUS
@@ -1215,7 +1215,7 @@ ZwCompressKey(
 *
 * @param[in] TargetKey A pointer to an OBJECT_ATTRIBUTES structure that specifies the target key.
 * @param[in] SourceFile A pointer to an OBJECT_ATTRIBUTES structure that specifies the source file.
- * @return NTSTATUS The status of the operation.
+ * @return NTSTATUS Successful or errant status.
 */
 __kernel_entry NTSYSCALLAPI
 NTSTATUS
@@ -1240,7 +1240,7 @@ ZwLoadKey(
 * @param[in] TargetKey A pointer to an OBJECT_ATTRIBUTES structure that specifies the target key.
 * @param[in] SourceFile A pointer to an OBJECT_ATTRIBUTES structure that specifies the source file.
 * @param[in] Flags The options to use when loading the key.
- * @return NTSTATUS The status of the operation.
+ * @return NTSTATUS Successful or errant status.
 */
 __kernel_entry NTSYSCALLAPI
 NTSTATUS
@@ -1272,7 +1272,7 @@ ZwLoadKey2(
 * @param[in, optional] DesiredAccess The access mask that specifies the desired access rights.
 * @param[out, optional] RootHandle A pointer to a handle that receives the root handle.
 * @param[in, reserved] Reserved Reserved.
- * @return NTSTATUS The status of the operation.
+ * @return NTSTATUS Successful or errant status.
 */
 __kernel_entry NTSYSCALLAPI
 NTSTATUS
@@ -1315,7 +1315,7 @@ ZwLoadKeyEx(
 * @param[in, optional] DesiredAccess The access mask that specifies the desired access rights.
 * @param[out, optional] RootHandle A pointer to a handle that receives the root handle.
 * @param[in, reserved] Reserved Reserved.
- * @return NTSTATUS The status of the operation.
+ * @return NTSTATUS Successful or errant status.
 */
 #if (NTDDI_VERSION >= NTDDI_WIN10_VB)
 __kernel_entry NTSYSCALLAPI
@@ -1354,7 +1354,7 @@ ZwLoadKey3(
 * @param[in] NewFile A pointer to an OBJECT_ATTRIBUTES structure that specifies the new file.
 * @param[in] TargetHandle A handle to the target key.
 * @param[in] OldFile A pointer to an OBJECT_ATTRIBUTES structure that specifies the old file.
- * @return NTSTATUS The status of the operation.
+ * @return NTSTATUS Successful or errant status.
 */
 __kernel_entry NTSYSCALLAPI
 NTSTATUS
diff --git a/Veil/Veil.System.Debug.h b/Veil/Veil.System.Debug.h
index 440e3b6..7e060e8 100644
--- a/Veil/Veil.System.Debug.h
+++ b/Veil/Veil.System.Debug.h
@@ -295,6 +295,21 @@ typedef struct _SYSDBG_LIVEDUMP_SELECTIVE_CONTROL
 #define SYSDBG_LIVEDUMP_CONTROL_VERSION_2 2
 #define SYSDBG_LIVEDUMP_CONTROL_VERSION SYSDBG_LIVEDUMP_CONTROL_VERSION_2
+// private
+typedef struct _SYSDBG_LIVEDUMP_CONTROL_V1
+{
+ ULONG Version;
+ ULONG BugCheckCode;
+ ULONG_PTR BugCheckParam1;
+ ULONG_PTR BugCheckParam2;
+ ULONG_PTR BugCheckParam3;
+ ULONG_PTR BugCheckParam4;
+ HANDLE DumpFileHandle;
+ HANDLE CancelEventHandle;
+ SYSDBG_LIVEDUMP_CONTROL_FLAGS Flags;
+ SYSDBG_LIVEDUMP_CONTROL_ADDPAGES AddPagesControl;
+} SYSDBG_LIVEDUMP_CONTROL_V1, * PSYSDBG_LIVEDUMP_CONTROL_V1;
+
 // private
 typedef struct _SYSDBG_LIVEDUMP_CONTROL
 {
diff --git a/Veil/Veil.System.Define.h b/Veil/Veil.System.Define.h
index 9b02100..3f7cef5 100644
--- a/Veil/Veil.System.Define.h
+++ b/Veil/Veil.System.Define.h
@@ -1062,6 +1062,11 @@ typedef struct _LARGE_INTEGER_128
 LONGLONG QuadPart[2];
 } LARGE_INTEGER_128, * PLARGE_INTEGER_128;
+typedef struct _ULARGE_INTEGER_128
+{
+ ULONGLONG QuadPart[2];
+} ULARGE_INTEGER_128, * PULARGE_INTEGER_128;
+
 VEIL_END()
diff --git a/Veil/Veil.System.Etw.h b/Veil/Veil.System.Etw.h
index d88eb44..fb656f2 100644
--- a/Veil/Veil.System.Etw.h
+++ b/Veil/Veil.System.Etw.h
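Review bot: The new `SYSDBG_LIVEDUMP_CONTROL_V1` carries only the `// private` tag, so a reader must infer from the `_V1` suffix that the kernel selects this layout by the `Version` member; the `#define SYSDBG_LIVEDUMP_CONTROL_VERSION_2 2` two lines above shows the versioning scheme, and the struct should say which value pairs with it, e.g. `// private; layout consumed when Version == 1, superseded by SYSDBG_LIVEDUMP_CONTROL (SYSDBG_LIVEDUMP_CONTROL_VERSION_2)`. Because the members mix `ULONG`, `ULONG_PTR` and `HANDLE`, the size and field offsets differ between 32- and 64-bit builds, and a request whose declared `Version` does not match its real layout is exactly what the kernel's size checks exist to reject; a `C_ASSERT` on `sizeof(SYSDBG_LIVEDUMP_CONTROL_V1)` per architecture would pin this, if the expected sizes are known from the original definition.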
@@ -3359,6 +3359,71 @@ DEFINE_GUID( /* 472496cf-0daf-4f7c-ac2e-3f8457ecc6bb */
 // Spare guids for Perf/System events.
 //
+
+DEFINE_GUID( /* e8908abc-aa84-11d2-9a93-00805f85d7c6 */
+ GlobalLoggerGuid,
+ 0xe8908abc,
+ 0xaa84,
+ 0x11d2,
+ 0x9a, 0x93, 0x00, 0x80, 0x5f, 0x85, 0xd7, 0xc6
+);
+
+DEFINE_GUID( /* 8d40301f-ab4a-11d2-9a93-00805f85d7c6 */
+ GenericMessageGuid,
+ 0x8d40301f,
+ 0xab4a,
+ 0x11d2,
+ 0x9a, 0x93, 0x00, 0x80, 0x5f, 0x85, 0xd7, 0xc6
+);
+
+DEFINE_GUID( /* 398191dc-2da7-11d3-8b98-00805f85d7c6 */
+ TraceErrorGuid,
+ 0x398191dc,
+ 0x2da7,
+ 0x11d3,
+ 0x8b, 0x98, 0x00, 0x80, 0x5f, 0x85, 0xd7, 0xc6
+);
+
+DEFINE_GUID( /* 3d6fa8d2-fe05-11d0-9dda-00c04fd7ba7c */ /* Not used */
+ HardFaultGuid,
+ 0x3d6fa8d2,
+ 0xfe05,
+ 0x11d0,
+ 0x9d, 0xda, 0x00, 0xc0, 0x4f, 0xd7, 0xba, 0x7c
+);
+
+DEFINE_GUID( /* 44608a51-1851-4456-98b2-b300e931ee41 */
+ WmiEventLoggerGuid,
+ 0x44608a51,
+ 0x1851,
+ 0x4456,
+ 0x98, 0xb2, 0xb3, 0x00, 0xe9, 0x31, 0xee, 0x41
+);
+
+DEFINE_GUID( /* 13976D09-A327-438c-950B-7F03192815C7 */
+ DbgPrintGuid,
+ 0x13976d09,
+ 0xa327,
+ 0x438c,
+ 0x95, 0xb, 0x7f, 0x3, 0x19, 0x28, 0x15, 0xc7
+);
+
+DEFINE_GUID( /* D56CA431-61BF-4904-A621-00E0381E4DDE */
+ DriverVerifierGuid,
+ 0xd56ca431,
+ 0x61bf,
+ 0x4904,
+ 0xa6, 0x21, 0x0, 0xe0, 0x38, 0x1e, 0x4d, 0xde
+);
+
+DEFINE_GUID( /* 78d14f17-0105-46d7-bfff-6fbea2f3f358 */
+ ApplicationVerifierGuid,
+ 0x78d14f17,
+ 0x0105,
+ 0x46d7,
+ 0xbf, 0xff, 0x6f, 0xbe, 0xa2, 0xf3, 0xf3, 0x58
+);
+
 DEFINE_GUID( /* 3282fc76-feed-498e-8aa7-e70f459d430e */
 JobGuid,
 0x3282fc76,
@@ -3497,6 +3562,13 @@ DEFINE_GUID( /* E21D2142-DF90-4d93-BBD9-30E63D5A4AD6 */
 0xbb, 0xd9, 0x30, 0xe6, 0x3d, 0x5a, 0x4a, 0xd6
 );
+DEFINE_GUID(
+ UserLoaderGuid, /* b059b83f-d946-4b13-87ca-4292839dc2f2 */
+ 0xb059b83f,
+ 0xd946,
+ 0x4b13, 0x87, 0xca, 0x42, 0x92, 0x83, 0x9d, 0xc2, 0xf2
+);
+
 DEFINE_GUID( /* d3de60b2-a663-45d5-9826-a0a5949d2cb0 */
 LoadMUIDllGuid,
 0xd3de60b2,
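Review bot: The byte lists of the new `DbgPrintGuid` and `DriverVerifierGuid` entries use unpadded hex (`0xb`, `0x3`, `0x0`) under mixed-case comments, and `UserLoaderGuid` in the `@@ -3497` hunk puts the GUID comment after the name and folds the last byte group onto the `0x4b13,` line, while every neighbouring `DEFINE_GUID` block uses two-digit bytes, a leading `/* … */` comment and one byte group per line. The values are equivalent, so this is style only, but a uniform layout is what lets a reader check each byte against the comment at a glance, which matters for identifiers that later gate trace-session access; e.g. `0x95, 0x0b, 0x7f, 0x03, 0x19, 0x28, 0x15, 0xc7` for `DbgPrintGuid`. `HardFaultGuid` is tagged `/* Not used */` without saying by what or why it is still added; one clause there would save the next reader a search.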
@@ -3625,6 +3697,13 @@ DEFINE_GUID( /* 2a6e185b-90de-4fc5-826c-9f44e608a427 */
 0x82, 0x6c, 0x9f, 0x44, 0xe6, 0x08, 0xa4, 0x27
 );
+//DEFINE_GUID( /* 9e814aad-3204-11d2-9a82-006008a86939 */
+// SystemTraceControlGuid,
+// 0x9e814aad,
+// 0x3204,
+// 0x11d2, 0x9a, 0x82, 0x00, 0x60, 0x08, 0xa8, 0x69, 0x39
+// );
+
 DEFINE_GUID( /* 7687a439-f752-45b8-b741-321aec0f8df9 */
 CcGuid,
 0x7687a439,
@@ -3641,7 +3720,22 @@ DEFINE_GUID( /* 00000000-0000-0000-0000-000000000000 */
 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
 );
-///
+DEFINE_GUID( /* 305fc87b-002a-5e26-d297-60223012ca9c */
+ UserDiagnosticGuid,
+ 0x305fc87b,
+ 0x002a,
+ 0x5e26, 0xd2, 0x97, 0x60, 0x22, 0x30, 0x12, 0xca, 0x9c
+);
+
+DEFINE_GUID( /* e46eead8-0c54-4489-9898-8fa79d059e0e */
+ WerSvcTriggerGuid,
+ 0xe46eead8,
+ 0x0c54,
+ 0x4489,
+ 0x98, 0x98, 0x8f, 0xa7, 0x9d, 0x05, 0x9e, 0x0e
+);
+
+//
 // EventTraceGuid is used to identify a event tracing session
 //
 //DEFINE_GUID( /* 68fdd900-4a3e-11d1-84f4-0000f80464e3 */
@@ -4504,7 +4598,7 @@ typedef struct _PERFINFO_PAGE_RANGE_IDENTITY
 ULONG_PTR PageFrameIndex; // Used for DriverLocked/UserPhysical Mdls.
 PVOID VirtualAddress; // Used otherwise.
 };
- ULONG_PTR PageCount; // Number of pages.
+ SIZE_T PageCount; // Number of pages.
 } PERFINFO_PAGE_RANGE_IDENTITY, * PPERFINFO_PAGE_RANGE_IDENTITY;
 #define PERFINFO_MM_KERNELMEMORY_USAGE_TYPE_BITS 5
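Review bot: The commented-out `SystemTraceControlGuid` block in the `@@ -3625` hunk is added without saying why it is disabled, whereas the file's existing disabled `EventTraceGuid` block a few lines further down at least carries a sentence of explanation. If the reason is a clash with the public SDK definition of the same name (evntrace.h), say so above it: `// SystemTraceControlGuid is already defined by the SDK (evntrace.h); kept here for reference only.` Otherwise this is dead code with no way to tell whether it may be re-enabled or must never be. The `ULONG_PTR` to `SIZE_T` change for `PageCount` in `@@ -4504` is width-preserving on every Windows target and needs nothing further.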
@@ -4944,22 +5038,22 @@ typedef struct _PERFINFO_FLT_OPERATION_STATUS
 typedef struct _PERFINFO_MEMORY_INFORMATION
 {
- ULONG_PTR ZeroPageCount;
- ULONG_PTR FreePageCount;
- ULONG_PTR ModifiedPageCount;
- ULONG_PTR ModifiedNoWritePageCount;
- ULONG_PTR BadPageCount;
- ULONG_PTR PageCountByPriority[PERFINFO_PAGE_PRIORITY_LEVELS];
- ULONG_PTR RepurposedPagesByPriority[PERFINFO_PAGE_PRIORITY_LEVELS];
- ULONG_PTR ModifiedPageCountPageFile;
+ SIZE_T ZeroPageCount;
+ SIZE_T FreePageCount;
+ SIZE_T ModifiedPageCount;
+ SIZE_T ModifiedNoWritePageCount;
+ SIZE_T BadPageCount;
+ SIZE_T PageCountByPriority[PERFINFO_PAGE_PRIORITY_LEVELS];
+ SIZE_T RepurposedPagesByPriority[PERFINFO_PAGE_PRIORITY_LEVELS];
+ SIZE_T ModifiedPageCountPageFile;
 } PERFINFO_MEMORY_INFORMATION, * PPERFINFO_MEMORY_INFORMATION;
 typedef struct _PERFINFO_SYSTEM_MEMORY_INFORMATION
 {
- ULONG_PTR PagedPoolCommitPageCount;
- ULONG_PTR NonPagedPoolPageCount;
- ULONG_PTR MdlPageCount;
- ULONG_PTR CommitPageCount;
+ SIZE_T PagedPoolCommitPageCount;
+ SIZE_T NonPagedPoolPageCount;
+ SIZE_T MdlPageCount;
+ SIZE_T CommitPageCount;
 } PERFINFO_SYSTEM_MEMORY_INFORMATION, * PPERFINFO_SYSTEM_MEMORY_INFORMATION;
 //
@@ -4974,18 +5068,18 @@ typedef struct _PERFINFO_WORKINGSET_ENTRY
 ULONG UniqueProcessId;
 ULONG SessionId;
 };
- ULONG_PTR WorkingSetPageCount;
- ULONG_PTR CommitPageCount;
+ SIZE_T WorkingSetPageCount;
+ SIZE_T CommitPageCount;
 union
 {
- ULONG_PTR PagedPoolPageCount; // Used for SessionWs.
- ULONG_PTR VirtualSizeInPages; // Used for ProcessWs.
+ SIZE_T PagedPoolPageCount; // Used for SessionWs.
+ SIZE_T VirtualSizeInPages; // Used for ProcessWs.
 };
- ULONG_PTR PrivateWorkingSetPageCount;
- ULONG_PTR StoreSizeInPages;
- ULONG_PTR StoredPageCount;
- ULONG_PTR CommitDebtInPages;
- ULONG_PTR SharedCommitInPages;
+ SIZE_T PrivateWorkingSetPageCount;
+ SIZE_T StoreSizeInPages;
+ SIZE_T StoredPageCount;
+ SIZE_T CommitDebtInPages;
+ SIZE_T SharedCommitInPages;
 } PERFINFO_WORKINGSET_ENTRY, * PPERFINFO_WORKINGSET_ENTRY;
 typedef struct _PERFINFO_WORKINGSET_INFORMATION
@@ -5719,6 +5813,7 @@ EtwEventWriteString(
 _In_ PCWSTR String
 );
+NTSYSAPI
 ULONG
 NTAPI
 EtwEventWriteEx(
@@ -5762,6 +5857,7 @@ EtwWriteUMSecurityEvent(
 _In_opt_ PEVENT_DATA_DESCRIPTOR UserData
 );
+NTSYSAPI
 ULONG
 NTAPI
 EtwEventWriteNoRegistration(
@@ -5966,8 +6062,394 @@ EtwCheckCoverage(
 _Inout_ PTELEMETRY_COVERAGE_POINT CoveragePoint
 );
 #endif
+#endif // !_KERNEL_MODE
+
+#ifndef _KERNEL_MODE
+//
+// Data consumer apis (deprecated starting with Vista)
+//
+// WMI functionality was moved to ETW.
+//
+
+NTSYSAPI
+ULONG
+NTAPI
+WmiOpenBlock(
+ _In_ LPCGUID Guid,
+ _In_ ACCESS_MASK DesiredAccess,
+ _Out_ PHANDLE DataBlockHandle
+);
+
+NTSYSAPI
+ULONG
+NTAPI
+WmiCloseBlock(
+ _In_ HANDLE DataBlockHandle
+);
+
+NTSYSAPI
+ULONG
+NTAPI
+WmiQueryAllDataA(
+ _In_ HANDLE DataBlockHandle,
+ _Inout_ PULONG BufferLength,
+ _Out_writes_bytes_opt_(*BufferLength) PVOID Buffer
+);
+
+NTSYSAPI
+ULONG
+NTAPI
+WmiQueryAllDataW(
+ _In_ HANDLE DataBlockHandle,
+ _Inout_ PULONG BufferLength,
+ _Out_writes_bytes_opt_(*BufferLength) PVOID Buffer
+);
+
+NTSYSAPI
+ULONG
+NTAPI
+WmiQueryAllDataMultipleA(
+ _In_reads_(HandleCount) PHANDLE HandleList,
+ _In_ ULONG HandleCount,
+ _Inout_ PULONG InOutBufferSize,
+ _Out_writes_bytes_(*InOutBufferSize) PVOID OutBuffer
+);
+
+NTSYSAPI
+ULONG
+NTAPI
+WmiQueryAllDataMultipleW(
+ _In_reads_(HandleCount) PHANDLE HandleList,
+ _In_ ULONG HandleCount,
+ _Inout_ PULONG InOutBufferSize,
+ _Out_writes_bytes_(*InOutBufferSize) PVOID OutBuffer
+);
+
+NTSYSAPI
+ULONG
+NTAPI
+WmiQuerySingleInstanceA(
+ _In_ HANDLE DataBlockHandle,
+ _In_ PCSTR InstanceName,
+ _Inout_ PULONG BufferSize,
+ _Out_writes_bytes_to_opt_(*BufferSize, *BufferSize) PVOID Buffer
+);
+
+NTSYSAPI
+ULONG
+NTAPI
+WmiQuerySingleInstanceW(
+ _In_ HANDLE DataBlockHandle,
+ _In_ PCWSTR InstanceName,
+ _Inout_ PULONG BufferSize,
+ _Out_writes_bytes_to_opt_(*BufferSize, *BufferSize) PVOID Buffer
+);
+
+NTSYSAPI
+ULONG
+NTAPI
+WmiQuerySingleInstanceMultipleW(
+ _In_reads_(HandleCount) PHANDLE HandleList,
+ _In_reads_(HandleCount) PCWSTR* InstanceNames,
+ _In_ ULONG HandleCount,
+ _Inout_ PULONG InOutBufferSize,
+ _Out_writes_bytes_to_opt_(*InOutBufferSize, *InOutBufferSize) PVOID OutBuffer
+);
+
+NTSYSAPI
+ULONG
+NTAPI
+WmiQuerySingleInstanceMultipleA(
+ _In_reads_(HandleCount) PHANDLE HandleList,
+ _In_reads_(HandleCount) PCSTR* InstanceNames,
+ _In_ ULONG HandleCount,
+ _Inout_ PULONG InOutBufferSize,
+ _Out_writes_bytes_to_opt_(*InOutBufferSize, *InOutBufferSize) PVOID OutBuffer
+);
+
+NTSYSAPI
+ULONG
+NTAPI
+WmiSetSingleInstanceA(
+ _In_ HANDLE DataBlockHandle,
+ _In_ PCSTR InstanceName,
+ _In_ ULONG Reserved,
+ _In_ ULONG ValueBufferSize,
+ _In_reads_bytes_(ValueBufferSize) PVOID ValueBuffer
+);
+
+NTSYSAPI
+ULONG
+NTAPI
+WmiSetSingleInstanceW(
+ _In_ HANDLE DataBlockHandle,
+ _In_ PCWSTR InstanceName,
+ _In_ ULONG Reserved,
+ _In_ ULONG ValueBufferSize,
+ _In_reads_bytes_(ValueBufferSize) PVOID ValueBuffer
+);
+
+NTSYSAPI
+ULONG
+NTAPI
+WmiSetSingleItemA(
+ _In_ HANDLE DataBlockHandle,
+ _In_ PCSTR InstanceName,
+ _In_ ULONG DataItemId,
+ _In_ ULONG Reserved,
+ _In_ ULONG ValueBufferSize,
+ _In_reads_bytes_(ValueBufferSize) PVOID ValueBuffer
+);
+
+NTSYSAPI
+ULONG
+NTAPI
+WmiSetSingleItemW(
+ _In_ HANDLE DataBlockHandle,
+ _In_ PCWSTR InstanceName,
+ _In_ ULONG DataItemId,
+ _In_ ULONG Reserved,
+ _In_ ULONG ValueBufferSize,
+ _In_reads_bytes_(ValueBufferSize) PVOID ValueBuffer
+);
+
+
+NTSYSAPI
+ULONG
+NTAPI
+WmiExecuteMethodA(
+ _In_ HANDLE MethodDataBlockHandle,
+ _In_ PCSTR MethodInstanceName,
+ _In_ ULONG MethodId,
+ _In_ ULONG InputBufferSize,
+ _In_reads_bytes_opt_(InputBufferSize) PVOID InputBuffer,
+ _Inout_opt_ PULONG OutputBufferSize,
+ _Out_writes_bytes_opt_(*OutputBufferSize) PVOID OutputBuffer
+);
+
+NTSYSAPI
+ULONG
+NTAPI
+WmiExecuteMethodW(
+ _In_ HANDLE MethodDataBlockHandle,
+ _In_ PCWSTR MethodInstanceName,
+ _In_ ULONG MethodId,
+ _In_ ULONG InputBufferSize,
+ _In_reads_bytes_opt_(InputBufferSize) PVOID InputBuffer,
+ _Inout_opt_ PULONG OutputBufferSize,
+ _Out_writes_bytes_opt_(*OutputBufferSize) PVOID OutputBuffer
+);
+
+// Enable or disable a trace logging guid.
+#define NOTIFICATION_TRACE_FLAG 0x00010000
+// Enable or disable a trace direct callback.
+// The callback is invoked immediately via a seperate thread.
+#define NOTIFICATION_CALLBACK_DIRECT 0x00000004
+// Set this flag (and only this flag) when you want to only check if the
+// caller has permission to receive events for the guid
+#define NOTIFICATION_CHECK_ACCESS 0x00000008
+// Enable lightweight notification.
+#define NOTIFICATION_LIGHTWEIGHT_FLAG 0x00000020
+
+// Event notification callback function prototype
+_Function_class_(NOTIFICATIONCALLBACK)
+typedef void (WINAPI NOTIFICATIONCALLBACK)(
+ _In_ PWNODE_HEADER Wnode,
+ _In_ ULONG_PTR NotificationContext
+ );
+typedef NOTIFICATIONCALLBACK* PNOTIFICATIONCALLBACK;
+
+// {B48D49A1-E777-11d0-A50C-00A0C9062910}
+DEFINE_GUID(GUID_REGISTRATION_CHANGE_NOTIFICATION, 0xb48d49a1, 0xe777, 0x11d0, 0xa5, 0xc, 0x0, 0xa0, 0xc9, 0x6, 0x29, 0x10);
+// {B48D49A2-E777-11d0-A50C-00A0C9062910}
+DEFINE_GUID(GUID_MOF_RESOURCE_ADDED_NOTIFICATION, 0xb48d49a2, 0xe777, 0x11d0, 0xa5, 0xc, 0x0, 0xa0, 0xc9, 0x6, 0x29, 0x10);
+// {B48D49A3-E777-11d0-A50C-00A0C9062910}
+DEFINE_GUID(GUID_MOF_RESOURCE_REMOVED_NOTIFICATION, 0xb48d49a3, 0xe777, 0x11d0, 0xa5, 0xc, 0x0, 0xa0, 0xc9, 0x6, 0x29, 0x10);
+
+NTSYSAPI
+ULONG
+NTAPI
+WmiNotificationRegistrationA(
+ _In_ LPCGUID Guid,
+ _In_ BOOLEAN Enable,
+ _In_ PVOID DeliveryInfo,
+ _In_ ULONG_PTR DeliveryContext,
+ _In_ ULONG Flags
+);
+
+NTSYSAPI
+ULONG
+NTAPI
+WmiNotificationRegistrationW(
+ _In_ LPCGUID Guid,
+ _In_ BOOLEAN Enable,
+ _In_ PVOID DeliveryInfo,
+ _In_ ULONG_PTR DeliveryContext,
+ _In_ ULONG Flags
+);
+
+NTSYSAPI
+ULONG
+NTAPI
+WmiEnumerateGuids(
+ _Out_writes_opt_(*GuidCount) LPGUID GuidList,
+ _Inout_ PULONG GuidCount
+);
+
+typedef struct _MOFRESOURCEINFOA
+{
+ PSTR ImagePath; // Path to image containing MOF resource
+ PSTR ResourceName; // Name of resource in image
+ ULONG ResourceSize; // Number of bytes in resource
+ PUCHAR ResourceBuffer;
+} MOFRESOURCEINFOA, * PMOFRESOURCEINFOA;
+
+#ifdef UNICODE
+typedef struct _MOFRESOURCEINFOA MOFRESOURCEINFO, PMOFRESOURCEINFO;
+#else
+typedef struct _MOFRESOURCEINFOA MOFRESOURCEINFO, PMOFRESOURCEINFO;
+#endif
+
+//
+// When set the guid can be opened and accessed
+#define MOFCI_RESERVED0 0x00000001
+#define MOFCI_RESERVED1 0x00000002
+#define MOFCI_RESERVED2 0x00000004
+
+typedef struct
+{
+ LPWSTR ImagePath; // Path to image containing MOF resource
+ LPWSTR ResourceName; // Name of resource in image
+ ULONG ResourceSize; // Number of bytes in resource
+ PUCHAR ResourceBuffer; // Reserved
+} MOFRESOURCEINFOW, * PMOFRESOURCEINFOW;
+
+NTSYSAPI
+ULONG
+NTAPI
+WmiMofEnumerateResourcesW(
+ _In_ HANDLE MofResourceHandle,
+ _Out_ PULONG MofResourceCount,
+ _Outptr_result_buffer_(*MofResourceCount) PMOFRESOURCEINFOW* MofResourceInfo
+);
+
+NTSYSAPI
+ULONG
+NTAPI
+WmiMofEnumerateResourcesA(
+ _In_ H

ANDLE MofResourceHandle,
+ _Out_ PULONG MofResourceCount,
+ _Outptr_result_buffer_(*MofResourceCount) PMOFRESOURCEINFOA* MofResourceInfo
+);
+
+NTSYSAPI
+ULONG
+NTAPI
+WmiFileHandleToInstanceNameA(
+ _In_ HANDLE DataBlockHandle,
+ _In_ HANDLE FileHandle,
+ _Inout_ PULONG NumberCharacters,
+ _Out_writes_(*NumberCharacters) CHAR* InstanceNames
+);
+
+NTSYSAPI
+ULONG
+NTAPI
+WmiFileHandleToInstanceNameW(
+ _In_ HANDLE DataBlockHandle,
+ _In_ HANDLE FileHandle,
+ _Inout_ PULONG NumberCharacters,
+ _Out_writes_(*NumberCharacters) WCHAR* InstanceNames
+);
+
+NTSYSAPI
+ULONG
+NTAPI
+WmiDevInstToInstanceNameA(
+ _Out_writes_opt_(InstanceNameLength) PSTR InstanceName,
+ _In_ ULONG InstanceNameLength,
+ _In_ PCSTR DevInst,
+ _In_ ULONG InstanceIndex
+);
+
+NTSYSAPI
+ULONG
+NTAPI
+WmiDevInstToInstanceNameW(
+ _Out_writes_opt_(InstanceNameLength) PWSTR InstanceName,
+ _In_ ULONG InstanceNameLength,
+ _In_ PCWSTR DevInst,
+ _In_ ULONG InstanceIndex
+);
+
+typedef struct _WMIGUIDINFORMATION
+{
+ ULONG Size;
+ BOOLEAN IsExpensive;
+ BOOLEAN IsEventOnly;
+} WMIGUIDINFORMATION, * PWMIGUIDINFORMATION;
+
+NTSYSAPI
+ULONG
+NTAPI
+WmiQueryGuidInformation(
+ _In_ HANDLE GuidHandle,
+ _Out_ PWMIGUIDINFORMATION GuidInfo
+);
+
+NTSYSAPI
+ULONG
+NTAPI
+WmiReceiveNotificationsW(
+ _In_ ULONG HandleCount,
+ _In_reads_(HandleCount) PHANDLE HandleList,
+ _In_ NOTIFICATIONCALLBACK Callback,
+ _In_ ULONG_PTR DeliveryContext
+);
+
+NTSYSAPI
+ULONG
+NTAPI
+WmiReceiveNotificationsA(
+ _In_ ULONG HandleCount,
+ _In_reads_(HandleCount) PHANDLE HandleList,
+ _In_ NOTIFICATIONCALLBACK Callback,
+ _In_ ULONG_PTR DeliveryContext
+);
+
+#ifdef UNICODE
+#define WmiQuerySingleInstanceMultiple WmiQuerySingleInstanceMultipleW
+#define WmiSetSingleInstance WmiSetSingleInstanceW
+#define WmiSetSingleItem WmiSetSingleItemW
+#define WmiNotificationRegistration WmiNotificationRegistrationW
+#define WmiMofEnumerateResources WmiMofEnumerateResourcesW
+#define WmiExecuteMethod WmiExecuteMethodW
+#define WmiFileHandleToInstanceName WmiFileHandleToInstanceNameW
+#define WmiDevInstToInstanceName WmiDevInstToInstanceNameW
+#define WmiReceiveNotifications WmiReceiveNotificationsW
+#else
+#define WmiQuerySingleInstanceMultiple WmiQuerySingleInstanceMultipleA
+#define WmiSetSingleInstance WmiSetSingleInstanceA
+#define WmiSetSingleItem WmiSetSingleItemA
+#define WmiNotificationRegistration WmiNotificationRegistrationA
+#define WmiMofEnumerateResources WmiMofEnumerateResourcesA
+#define WmiExecuteMethod WmiExecuteMethodA
+#define WmiFileHandleToInstanceName WmiFileHandleToInstanceNameA
+#define WmiDevInstToInstanceName WmiDevInstToInstanceNameA
+#define WmiReceiveNotifications WmiReceiveNotificationsA
 #endif
+#define WmiInsertTimestamp(WnodeHeader) \
+ GetSystemTimeAsFileTime((PFILETIME)&((PWNODE_HEADER)(WnodeHeader))->TimeStamp)
+
+NTSYSAPI
+VOID
+NTAPI
+WmiFreeBuffer(
+ _In_ PVOID Buffer
+);
+#endif // !_KERNEL_MODE
+
 VEIL_END()
diff --git a/Veil/Veil.System.Executive.h b/Veil/Veil.System.Executive.h
index d89169c..fb2a2e7 100644
--- a/Veil/Veil.System.Executive.h
+++ b/Veil/Veil.System.Executive.h
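Review bot: The generic `MOFRESOURCEINFO` typedefs in this hunk are wrong in both branches of the `#ifdef UNICODE` switch: each reads `typedef struct _MOFRESOURCEINFOA MOFRESOURCEINFO, PMOFRESOURCEINFO;`, so a UNICODE build aliases the ANSI structure and `PMOFRESOURCEINFO` is a second struct alias rather than a pointer (the `*` is missing), and the wide structure is declared later as an untagged `typedef struct { … } MOFRESOURCEINFOW`, so there is no `_MOFRESOURCEINFOW` tag to refer to even if the branch were corrected. Give the wide structure a tag, move it above the switch, and alias the typedef names rather than the tags, as in the fence. Two smaller points in the same hunk: the `WmiQueryAllData`, `WmiQueryAllDataMultiple` and `WmiQuerySingleInstance` A/W pairs get no generic `#define` while every other pair does, and the `WmiInsertTimestamp` macro calls `GetSystemTimeAsFileTime`, a kernel32 export, which presumably makes this otherwise ntdll-only block depend on the Win32 headers — worth a comment or a guard if that is intended. `seperate` in the `NOTIFICATION_CALLBACK_DIRECT` comment should be `separate`.
```c
// … unchanged: MOFRESOURCEINFOA declaration …

typedef struct _MOFRESOURCEINFOW
{
    LPWSTR ImagePath;       // Path to image containing MOF resource
    LPWSTR ResourceName;    // Name of resource in image
    ULONG ResourceSize;     // Number of bytes in resource
    PUCHAR ResourceBuffer;  // Reserved
} MOFRESOURCEINFOW, * PMOFRESOURCEINFOW;

#ifdef UNICODE
typedef MOFRESOURCEINFOW MOFRESOURCEINFO, * PMOFRESOURCEINFO;
#else
typedef MOFRESOURCEINFOA MOFRESOURCEINFO, * PMOFRESOURCEINFO;
#endif

// … unchanged: MOFCI_* flags, WmiMofEnumerateResources* declarations …
```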
@@ -30,6 +30,19 @@ VEIL_BEGIN()
 // Thread execution
 //
+/**
+ * The NtDelayExecution routine suspends the current thread until the specified condition is met.
+ *
+ * @param Alertable The function returns when either the time-out period has elapsed or when the APC function is called.
+ * @param DelayInterval The time interval for which execution is to be suspended, in milliseconds.
+ * - A value of zero causes the thread to relinquish the remainder of its time slice to any other thread that is ready to run.
+ * - If there are no other threads ready to run, the function returns immediately, and the thread continues execution.
+ * - A value of INFINITE indicates that the suspension should not time out.
+ * @return NTSTATUS Successful or errant status. The return value is STATUS_USER_APC when Alertable is TRUE, and the function returned due to one or more I/O completion callback functions.
+ * @remarks Note that a ready thread is not guaranteed to run immediately. Consequently, the thread will not run until some arbitrary time after the sleep interval elapses,
+ * based upon the system "tick" frequency and the load factor from other processes.
+ * @see https://learn.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-sleepex
+ */
 __kernel_entry NTSYSCALLAPI
 NTSTATUS
 NTAPI
@@ -48,9 +61,18 @@ ZwDelayExecution(
 );
 //
-// Environment values
+// Firmware environment values
 //
+
+/**
+ * Retrieves the value of the specified firmware environment variable.
+ *
+ * @param VariableName
+ * @param VariableValue
+ * @return NTSTATUS Successful or errant status.
+ */
+
 __kernel_entry NTSYSCALLAPI
 NTSTATUS
 NTAPI
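Review bot: The new `NtDelayExecution` comment in the `@@ -30` hunk describes Win32 `SleepEx` rather than the native call: `DelayInterval` is documented as milliseconds with `INFINITE` as a sentinel and the `@see` points at `nf-synchapi-sleepex`, but the declaration that follows (its parameter list is outside the hunk) takes a `PLARGE_INTEGER` in 100-nanosecond units, where a negative value is a delay relative to now and a positive value an absolute system time. Documenting the wrong unit is worse than no unit here, because a caller who follows it passes a small positive integer and gets an absolute time in the past that returns at once. Replace the `@param DelayInterval` line and its three bullets with `@param DelayInterval Pointer to a LARGE_INTEGER in 100-nanosecond units; negative values are relative to the current time, positive values are an absolute system time, and a zero relative interval yields the remainder of the time slice.` and drop `INFINITE`, which is a Win32 constant that the kernel32 wrapper translates before the call reaches this level.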
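Review bot: The new comment before `__kernel_entry NTSYSCALLAPI` in the `@@ -48` hunk has two empty `@param` tags (`VariableName`, `VariableValue`) and is followed by an added blank `+` line before the declaration, which no other comment added by this commit does; the declaration it describes continues outside the hunk. Fill the tags and remove the blank line, e.g. `@param VariableName A pointer to a UNICODE_STRING that names the firmware environment variable.` and `@param VariableValue A pointer to a UNICODE_STRING that receives the variable's value.` If the declaration has further parameters — the `@@ -72` context for `ZwQuerySystemEnvironmentValue` shows an `_Out_opt_ PUSHORT ReturnLength` — they need tags as well, or the comment will read as complete when it is not.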
@@ -72,23 +94,6 @@ ZwQuerySystemEnvironmentValue(
 _Out_opt_ PUSHORT ReturnLength
 );
-__kernel_entry NTSYSCALLAPI
-NTSTATUS
-NTAPI
-NtSetSystemEnvironmentValue(
- _In_ PUNICODE_STRING VariableName,
- _In_ PUNICODE_STRING VariableValue
-);
-
-_IRQL_requires_max_(PASSIVE_LEVEL)
-NTSYSAPI
-NTSTATUS
-NTAPI
-ZwSetSystemEnvironmentValue(
- _In_ PUNICODE_STRING VariableName,
- _In_ PUNICODE_STRING VariableValue
-);
-
 #define EFI_VARIABLE_NON_VOLATILE 0x00000001
 #define EFI_VARIABLE_BOOTSERVICE_ACCESS 0x00000002
 #define EFI_VARIABLE_RUNTIME_ACCESS 0x00000004
@@ -144,9 +149,26 @@ ZwSetSystemEnvironmentValueEx(
 _In_ ULONG Attributes
 );
+__kernel_entry NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetSystemEnvironmentValue(
+ _In_ PUNICODE_STRING VariableName,
+ _In_ PUNICODE_STRING VariableValue
+);
+
+_IRQL_requires_max_(PASSIVE_LEVEL)
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwSetSystemEnvironmentValue(
+ _In_ PUNICODE_STRING VariableName,
+ _In_ PUNICODE_STRING VariableValue
+);
+
 typedef enum _SYSTEM_ENVIRONMENT_INFORMATION_CLASS
 {
- SystemEnvironmentNameInformation = 1, // q: VARIABLE_NAME
+ SystemEnvironmentNameInformation = 1, // q: VARIABLE_NAME
 SystemEnvironmentValueInformation = 2, // q: VARIABLE_NAME_AND_VALUE
 MaxSystemEnvironmentInfoClass
 } SYSTEM_ENVIRONMENT_INFORMATION_CLASS;
@@ -553,6 +575,18 @@ typedef struct _EVENT_BASIC_INFORMATION
 LONG EventState;
 } EVENT_BASIC_INFORMATION, * PEVENT_BASIC_INFORMATION;
+/**
+ * The NtCreateEvent routine creates an event object, sets the initial state of the event to the specified value,
+ * and opens a handle to the object with the specified desired access.
+ *
+ * @param EventHandle A pointer to a variable that receives the event object handle.
+ * @param DesiredAccess The access mask that specifies the requested access to the event object.
+ * @param ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes.
+ * @param EventType The type of the event, which can be SynchronizationEvent or a NotificationEvent.
+ * @param InitialState The initial state of the event object.
+ * @return NTSTATUS Successful or errant status.
+ * @see https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-zwcreateevent
+ */
 __kernel_entry NTSYSCALLAPI
 NTSTATUS
 NTAPI
@@ -576,6 +610,14 @@ ZwCreateEvent(
 _In_ BOOLEAN InitialState
 );
+/**
+ * The NtOpenEvent routine opens a handle to an existing event object.
+ *
+ * @param EventHandle A pointer to a variable that receives the event object handle.
+ * @param DesiredAccess The access mask that specifies the requested access to the event object.
+ * @param ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes.
+ * @return NTSTATUS Successful or errant status.
+ */
 __kernel_entry NTSYSCALLAPI
 NTSTATUS
 NTAPI
@@ -595,6 +637,13 @@ ZwOpenEvent(
 _In_ POBJECT_ATTRIBUTES ObjectAttributes
 );
+/**
+ * The NtSetEvent routine sets an event object to the signaled state.
+ *
+ * @param EventHandle A handle to the event object.
+ * @param PreviousState A pointer to a variable that receives the previous state of the event object.
+ * @return NTSTATUS Successful or errant status.
+ */
 __kernel_entry NTSYSCALLAPI
 NTSTATUS
 NTAPI
@@ -612,6 +661,29 @@ ZwSetEvent(
 _Out_opt_ PLONG PreviousState
 );
+#if (NTDDI_VERSION >= NTDDI_WIN11)
+/**
+ * The NtSetEventEx routine sets an event object to the signaled state and optionally acquires a lock.
+ *
+ * @param ThreadId A handle to the thread.
+ * @param Lock A pointer to an RTL_SRWLOCK structure that specifies the lock to acquire.
+ * @return NTSTATUS Successful or errant status.
+ */
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetEventEx(
+ _In_ HANDLE ThreadId,
+ _In_opt_ PRTL_SRWLOCK Lock
+);
+#endif
+
+/**
+ * The NtSetEventBoostPriority routine sets an event object to the signaled state and boosts the priority of threads waiting on the event.
+ *
+ * @param EventHandle A handle to the event object.
+ * @return NTSTATUS Successful or errant status.
+ */
 __kernel_entry NTSYSCALLAPI
 NTSTATUS
 NTAPI
@@ -627,6 +699,12 @@ ZwSetEventBoostPriority(
 _In_ HANDLE EventHandle
 );
+/**
+ * The NtClearEvent routine sets an event object to the not-signaled state.
+ *
+ * @param EventHandle A handle to the event object.
+ * @return NTSTATUS Successful or errant status.
+ */
 __kernel_entry NTSYSCALLAPI
 NTSTATUS
 NTAPI
@@ -642,6 +720,14 @@ ZwClearEvent(
 _In_ HANDLE EventHandle
 );
+/**
+ * The NtResetEvent routine sets an event object to the not-signaled state and optionally returns the previous state.
+ *
+ * @param EventHandle A handle to the event object.
+ * @param PreviousState A pointer to a variable that receives the previous state of the event object.
+ * @return NTSTATUS Successful or errant status.
+ * @see https://learn.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-resetevent
+ */
 __kernel_entry NTSYSCALLAPI
 NTSTATUS
 NTAPI
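Review bot: `NtSetEventEx` in the `@@ -612` hunk is declared with `NTSYSCALLAPI` alone, while every sibling in the same hunk (`NtSetEventBoostPriority`, `NtClearEvent`, `NtResetEvent`) carries `__kernel_entry NTSYSCALLAPI`, and unlike them it gets no `Zw` counterpart; if both are deliberate (for instance because the routine is only reachable from user mode), a one-line comment above the `#if (NTDDI_VERSION >= NTDDI_WIN11)` guard would stop the next reader from "fixing" it. The description `optionally acquires a lock` does not tell a caller what to do with `_In_opt_ PRTL_SRWLOCK Lock`: say whether the lock is expected to be held on entry and whether the routine releases it, or mark the semantics as unconfirmed rather than guessing. `ThreadId` is documented as `A handle to the thread` although its name and the `HANDLE ThreadId` declaration disagree on what it is; pick one and make the doc match.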
@@ -659,6 +745,14 @@ ZwResetEvent( _Out_opt_ PLONG PreviousState ); +/** + * The NtPulseEvent routine sets an event object to the signaled state and then resets it to the not-signaled state after releasing the appropriate number of waiting threads. + * + * @param EventHandle A handle to the event object. + * @param PreviousState A pointer to a variable that receives the previous state of the event object. + * @return NTSTATUS Successful or errant status. + * @see https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-pulseevent + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI @@ -676,6 +770,16 @@ ZwPulseEvent( _Out_opt_ PLONG PreviousState ); +/** + * The NtQueryEvent routine retrieves information about an event object. + * + * @param EventHandle A handle to the event object. + * @param EventInformationClass The type of information to be retrieved. + * @param EventInformation A pointer to a buffer that receives the requested information. + * @param EventInformationLength The size of the buffer pointed to by EventInformation. + * @param ReturnLength A pointer to a variable that receives the size of the data returned in the buffer. + * @return NTSTATUS Successful or errant status. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI @@ -711,7 +815,7 @@ NTAPI NtCreateEventPair( _Out_ PHANDLE EventPairHandle, _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes + _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes ); _IRQL_requires_max_(PASSIVE_LEVEL) @@ -721,7 +825,7 @@ NTAPI ZwCreateEventPair( _Out_ PHANDLE EventPairHandle, _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes + _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes ); __kernel_entry NTSYSCALLAPI @@ -730,7 +834,7 @@ NTAPI NtOpenEventPair( _Out_ PHANDLE EventPairHandle, _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes + _In_ PCOBJECT_ATTRIBUTES ObjectAttributes ); _IRQL_requires_max_(PASSIVE_LEVEL) 
@@ -740,7 +844,7 @@ NTAPI ZwOpenEventPair( _Out_ PHANDLE EventPairHandle, _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes + _In_ PCOBJECT_ATTRIBUTES ObjectAttributes ); __kernel_entry NTSYSCALLAPI @@ -867,7 +971,7 @@ NTAPI NtCreateMutant( _Out_ PHANDLE MutantHandle, _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ BOOLEAN InitialOwner ); @@ -878,7 +982,7 @@ NTAPI ZwCreateMutant( _Out_ PHANDLE MutantHandle, _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ BOOLEAN InitialOwner ); @@ -888,7 +992,7 @@ NTAPI NtOpenMutant( _Out_ PHANDLE MutantHandle, _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes + _In_ PCOBJECT_ATTRIBUTES ObjectAttributes ); _IRQL_requires_max_(PASSIVE_LEVEL) @@ -898,7 +1002,7 @@ NTAPI ZwOpenMutant( _Out_ PHANDLE MutantHandle, _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes + _In_ PCOBJECT_ATTRIBUTES ObjectAttributes ); __kernel_entry NTSYSCALLAPI @@ -966,7 +1070,7 @@ NTAPI NtCreateSemaphore( _Out_ PHANDLE SemaphoreHandle, _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ LONG InitialCount, _In_ LONG MaximumCount ); @@ -978,7 +1082,7 @@ NTAPI ZwCreateSemaphore( _Out_ PHANDLE SemaphoreHandle, _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ LONG InitialCount, _In_ LONG MaximumCount ); @@ -1284,7 +1388,7 @@ NTAPI NtCreateTimer2( _Out_ PHANDLE TimerHandle, _In_opt_ PVOID Reserved1, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ ULONG Attributes, // TIMER_TYPE _In_ ACCESS_MASK DesiredAccess ); 
@@ -1296,7 +1400,7 @@ NTAPI ZwCreateTimer2( _Out_ PHANDLE TimerHandle, _In_opt_ PVOID Reserved1, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ ULONG Attributes, _In_ ACCESS_MASK DesiredAccess ); @@ -1490,7 +1594,7 @@ NTAPI NtCreateKeyedEvent( _Out_ PHANDLE KeyedEventHandle, _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _Reserved_ ULONG Flags ); @@ -1501,7 +1605,7 @@ NTAPI ZwCreateKeyedEvent( _Out_ PHANDLE KeyedEventHandle, _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _Reserved_ ULONG Flags ); @@ -1511,7 +1615,7 @@ NTAPI NtOpenKeyedEvent( _Out_ PHANDLE KeyedEventHandle, _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes + _In_ PCOBJECT_ATTRIBUTES ObjectAttributes ); _IRQL_requires_max_(PASSIVE_LEVEL) @@ -1521,7 +1625,7 @@ NTAPI ZwOpenKeyedEvent( _Out_ PHANDLE KeyedEventHandle, _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes + _In_ PCOBJECT_ATTRIBUTES ObjectAttributes ); __kernel_entry NTSYSCALLAPI @@ -1946,7 +2050,7 @@ NTAPI NtCreateWorkerFactory( _Out_ PHANDLE WorkerFactoryHandleReturn, _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE CompletionPortHandle, _In_ HANDLE WorkerProcessHandle, _In_ PVOID StartRoutine, @@ -1963,7 +2067,7 @@ NTAPI ZwCreateWorkerFactory( _Out_ PHANDLE WorkerFactoryHandleReturn, _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE CompletionPortHandle, _In_ HANDLE WorkerProcessHandle, _In_ PVOID StartRoutine, 
@@ -2124,6 +2228,13 @@ ZwWaitForWorkViaWorkerFactory( // Time // +/** + * The NtQuerySystemTime routine obtains the current system time. + * + * @param SystemTime A pointer to a LARGE_INTEGER structure that receives the system time. This is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). + * @return NTSTATUS Successful or errant status. + * @see https://learn.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntquerysystemtime + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI @@ -2139,6 +2250,15 @@ ZwQuerySystemTime( _Out_ PLARGE_INTEGER SystemTime ); +/** + * The NtSetSystemTime routine sets the current system time and date. The system time is expressed in Coordinated Universal Time (UTC). + * + * @param SystemTime A pointer to a LARGE_INTEGER structure that that contains the new system date and time. + * @param PreviousTime A pointer to a LARGE_INTEGER structure that that contains the previous system time. + * @return NTSTATUS Successful or errant status. + * @remarks The calling process must have the SE_SYSTEMTIME_NAME privilege. + * @see https://learn.microsoft.com/en-us/windows/win32/api/sysinfoapi/nf-sysinfoapi-setsystemtime + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI @@ -2156,6 +2276,14 @@ ZwSetSystemTime( _Out_opt_ PLARGE_INTEGER PreviousTime ); +/** + * The NtQueryTimerResolution routine retrieves the range and current value of the system interrupt timer. + * + * @param MaximumTime The maximum timer resolution, in 100-nanosecond units. + * @param MinimumTime The minimum timer resolution, in 100-nanosecond units. + * @param CurrentTime The current timer resolution, in 100-nanosecond units. + * @return NTSTATUS Successful or errant status. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI 
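Review bot: In the NtSetSystemTime comment (`@@ -2139`) both `@param` lines contain the doubled word "that that", and the `PreviousTime` text says the structure "contains the previous system time" although the Zw context line in the next hunk shows the parameter as `_Out_opt_`, i.e. it receives the value and may be NULL. Suggest `* @param[in] SystemTime A pointer to a LARGE_INTEGER structure that contains the new system date and time.` and `* @param[out, optional] PreviousTime A pointer to a LARGE_INTEGER structure that receives the previous system time; may be NULL.`. The `@remarks` names the Win32 string constant `SE_SYSTEMTIME_NAME`, whereas the rest of this header names privileges directly (`SeIncreaseQuotaPrivilege`, `SeTcbPrivilege` in the SYSTEM_INFORMATION_CLASS comments), so `SeSystemtimePrivilege` would be the consistent spelling.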
@@ -2175,6 +2303,14 @@ ZwQueryTimerResolution( _Out_ PULONG CurrentTime ); +/** + * The NtSetTimerResolution routine sets the system interrupt timer resolution to the specified value. + * + * @param DesiredTime The desired timer resolution, in 100-nanosecond units. + * @param SetResolution If TRUE, the timer resolution is set to the value specified by DesiredTime. If FALSE, the timer resolution is reset to the default value. + * @param ActualTime The actual timer resolution, in 100-nanosecond units. + * @return NTSTATUS Successful or errant status. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI @@ -2439,7 +2575,7 @@ typedef enum _SYSTEM_INFORMATION_CLASS SystemNativeBasicInformation, // q: SYSTEM_BASIC_INFORMATION SystemErrorPortTimeouts, // SYSTEM_ERROR_PORT_TIMEOUTS SystemLowPriorityIoInformation, // q: SYSTEM_LOW_PRIORITY_IO_INFORMATION - SystemTpmBootEntropyInformation, // q: TPM_BOOT_ENTROPY_NT_RESULT // ExQueryTpmBootEntropyInformation + SystemTpmBootEntropyInformation, // q: BOOT_ENTROPY_NT_RESULT // ExQueryBootEntropyInformation SystemVerifierCountersInformation, // q: SYSTEM_VERIFIER_COUNTERS_INFORMATION SystemPagedPoolInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypePagedPool) SystemSystemPtesInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes) // 120 
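Review bot: The comment on `SystemTpmBootEntropyInformation` (`@@ -2439`) now names `BOOT_ENTROPY_NT_RESULT`, yet `TPM_BOOT_ENTROPY_NT_RESULT` (40-byte EntropyData) stays in the header next to the new `BOOT_ENTROPY_NT_RESULT` (ten per-source results plus a 48-byte CNG seed), and nothing says which one a given kernel returns, so a caller sizing its buffer cannot tell from this line. If the switch is version-dependent, record it the way the rest of this enum does, e.g. `// q: BOOT_ENTROPY_NT_RESULT (TPM_BOOT_ENTROPY_NT_RESULT on <earlier builds — TODO confirm>) // ExQueryBootEntropyInformation`. Whichever struct is returned, the payload is raw boot entropy, so a short note that the output is sensitive and should be cleared after use would sit naturally beside the `(requires ...)` annotations used elsewhere in the enum.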
@@ -2464,7 +2600,7 @@ typedef enum _SYSTEM_INFORMATION_CLASS SystemMemoryChannelInformation, // q: SYSTEM_MEMORY_CHANNEL_INFORMATION SystemBootLogoInformation, // q: SYSTEM_BOOT_LOGO_INFORMATION // 140 SystemProcessorPerformanceInformationEx, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX // (EX in: USHORT ProcessorGroup) // since WINBLUE - SystemCriticalProcessErrorLogInformation, + SystemCriticalProcessErrorLogInformation, // CRITICAL_PROCESS_EXCEPTION_DATA SystemSecureBootPolicyInformation, // q: SYSTEM_SECUREBOOT_POLICY_INFORMATION SystemPageFileInformationEx, // q: SYSTEM_PAGEFILE_INFORMATION_EX SystemSecureBootInformation, // q: SYSTEM_SECUREBOOT_INFORMATION @@ -2472,7 +2608,7 @@ typedef enum _SYSTEM_INFORMATION_CLASS SystemPortableWorkspaceEfiLauncherInformation, // q: SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION SystemFullProcessInformation, // q: SYSTEM_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin) SystemKernelDebuggerInformationEx, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX - SystemBootMetadataInformation, // 150 + SystemBootMetadataInformation, // 150 // (requires SeTcbPrivilege) SystemSoftRebootInformation, // q: ULONG SystemElamCertificateInformation, // s: SYSTEM_ELAM_CERTIFICATE_INFORMATION SystemOfflineDumpConfigInformation, // q: OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V2 
@@ -2495,7 +2631,7 @@ typedef enum _SYSTEM_INFORMATION_CLASS SystemInterruptCpuSetsInformation, // q: SYSTEM_INTERRUPT_CPU_SET_INFORMATION // 170 SystemSecureBootPolicyFullInformation, // q: SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION SystemCodeIntegrityPolicyFullInformation, - SystemAffinitizedInterruptProcessorInformation, // (requires SeIncreaseBasePriorityPrivilege) + SystemAffinitizedInterruptProcessorInformation, // q: KAFFINITY_EX // (requires SeIncreaseBasePriorityPrivilege) SystemRootSiloInformation, // q: SYSTEM_ROOT_SILO_INFORMATION SystemCpuSetInformation, // q: SYSTEM_CPU_SET_INFORMATION // since THRESHOLD2 SystemCpuSetTagInformation, // q: SYSTEM_CPU_SET_TAG_INFORMATION @@ -2561,10 +2697,10 @@ typedef enum _SYSTEM_INFORMATION_CLASS SystemPointerAuthInformation, // SYSTEM_POINTER_AUTH_INFORMATION SystemSecureKernelDebuggerInformation, SystemOriginalImageFeatureInformation, // q: in: SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_INPUT, out: SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_OUTPUT // NtQuerySystemInformationEx - SystemMemoryNumaInformation, // SYSTEM_MEMORY_NUMA_INFORMATION_INPUT, SYSTEM_MEMORY_NUMA_INFORMATION_OUTPUT + SystemMemoryNumaInformation, // SYSTEM_MEMORY_NUMA_INFORMATION_INPUT, SYSTEM_MEMORY_NUMA_INFORMATION_OUTPUT SystemMemoryNumaPerformanceInformation, // SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUTSYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUT, SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_OUTPUT // since 24H2 // 240 SystemCodeIntegritySignedPoliciesFullInformation, - SystemSecureSecretsInformation, + SystemSecureCoreInformation, // SystemSecureSecretsInformation SystemTrustedAppsRuntimeInformation, // SYSTEM_TRUSTEDAPPS_RUNTIME_INFORMATION SystemBadPageInformationEx, // SYSTEM_BAD_PAGE_INFORMATION SystemResourceDeadlockTimeout, // ULONG 
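Review bot: Renaming the enumerator `SystemSecureSecretsInformation` to `SystemSecureCoreInformation` (`@@ -2561`) removes the old identifier without keeping it, so any consumer that referenced the previous name stops compiling; enumerators can alias, so `SystemSecureSecretsInformation = SystemSecureCoreInformation, // former name` placed directly after the new entry preserves source compatibility without shifting any later value. While in this hunk, the unchanged `SystemMemoryNumaPerformanceInformation` comment two lines above contains the doubled token `SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUTSYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUT`, which the adjacent whitespace-only edit left in place.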
@@ -2588,6 +2724,29 @@ typedef struct _SYSTEM_BASIC_INFORMATION CCHAR NumberOfProcessors; } SYSTEM_BASIC_INFORMATION, * PSYSTEM_BASIC_INFORMATION; +// SYSTEM_PROCESSOR_INFORMATION // ProcessorFeatureBits (see also SYSTEM_PROCESSOR_FEATURES_INFORMATION) +#define KF_V86_VIS 0x00000001 +#define KF_RDTSC 0x00000002 // Indicates support for the RDTSC instruction. +#define KF_CR4 0x00000004 // Indicates support for the CR4 register. +#define KF_CMOV 0x00000008 +#define KF_GLOBAL_PAGE 0x00000010 // Indicates support for global pages. +#define KF_LARGE_PAGE 0x00000020 // Indicates support for large pages. +#define KF_MTRR 0x00000040 +#define KF_CMPXCHG8B 0x00000080 // Indicates support for the CMPXCHG8B instruction. +#define KF_MMX 0x00000100 +#define KF_WORKING_PTE 0x00000200 +#define KF_PAT 0x00000400 +#define KF_FXSR 0x00000800 +#define KF_FAST_SYSCALL 0x00001000 // Indicates support for fast system calls. +#define KF_XMMI 0x00002000 +#define KF_3DNOW 0x00004000 +#define KF_AMDK6MTRR 0x00008000 +#define KF_XMMI64 0x00010000 +#define KF_DTS 0x00020000 +#define KF_NOEXECUTE 0x20000000 +#define KF_GLOBAL_32BIT_EXECUTE 0x40000000 +#define KF_GLOBAL_32BIT_NOEXECUTE 0x80000000 + typedef struct _SYSTEM_PROCESSOR_INFORMATION { USHORT ProcessorArchitecture; 
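Review bot: The new KF_* constants are unsuffixed literals of mixed type — `0x80000000` is `unsigned int`, the rest are `int` — and the block comment says they also describe SYSTEM_PROCESSOR_FEATURES_INFORMATION, whose KF_BRANCH..KF_XFD values added later in this diff are 64-bit; applied to a 64-bit field, `~KF_GLOBAL_32BIT_NOEXECUTE` is zero-extended and clears bits 32..63 while `~KF_NOEXECUTE` is sign-extended and does not. If the table is meant for both fields, give every value a `ULL` suffix (`#define KF_NOEXECUTE 0x20000000ULL`); if it is only for the ULONG member of SYSTEM_PROCESSOR_INFORMATION, say so in the comment and use a uniform `UL`. The commented entries ("Indicates support for ...") cover only eight of the twenty-one bits; a one-line meaning on the rest, or an explicit "meaning unknown" marker, would keep the table honest.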
@@ -2597,27 +2756,6 @@ typedef struct _SYSTEM_PROCESSOR_INFORMATION ULONG ProcessorFeatureBits; } SYSTEM_PROCESSOR_INFORMATION, * PSYSTEM_PROCESSOR_INFORMATION; -// SYSTEM_PROCESSOR_INFORMATION // ProcessorFeatureBits // ksamd64 -#define KF_RDTSC 0x0000000000000002 -#define KF_CR4 0x0000000000000004 -#define KF_GLOBAL_PAGE 0x0000000000000010 -#define KF_LARGE_PAGE 0x0000000000000020 -#define KF_CMPXCHG8B 0x0000000000000080 -#define KF_FAST_SYSCALL 0x0000000000001000 -#define KF_BRANCH 0x0000000000020000 -#define KF_XSTATE 0x0000000000800000 -#define KF_RDTSCP 0x0000000400000000 -#define KF_CET_SS 0x0000400000000000 -#define KF_XFD 0x0080000000000000 - -#define KF_XSAVEOPT_BIT 0x0F -#define KF_XSTATE_BIT 0x17 -#define KF_RDWRFSGSBASE_BIT 0x1C -#define KF_XSAVES_BIT 0x26 -#define KF_FPU_LEAKAGE_BIT 0x29 -#define KF_CAT_BIT 0x2C -#define KF_XFD_BIT 0x37 - typedef struct _SYSTEM_PERFORMANCE_INFORMATION { LARGE_INTEGER IdleProcessTime; @@ -2695,9 +2833,13 @@ typedef struct _SYSTEM_PERFORMANCE_INFORMATION ULONG SecondLevelTbFills; ULONG SystemCalls; ULONGLONG CcTotalDirtyPages; // since THRESHOLD - ULONGLONG CcDirtyPageThreshold; // since THRESHOLD - LONGLONG ResidentAvailablePages; // since THRESHOLD - ULONGLONG SharedCommittedPages; // since THRESHOLD + ULONGLONG CcDirtyPageThreshold; + LONGLONG ResidentAvailablePages; + ULONGLONG SharedCommittedPages; + ULONGLONG MdlPagesAllocated; // since 24H2 + ULONGLONG PfnDatabaseCommittedPages; + ULONGLONG SystemPageTableCommittedPages; + ULONGLONG ContiguousPagesAllocated; } SYSTEM_PERFORMANCE_INFORMATION, * PSYSTEM_PERFORMANCE_INFORMATION; typedef struct _SYSTEM_TIMEOFDAY_INFORMATION @@ -2732,8 +2874,8 @@ typedef struct _TEB TEB, * PTEB; typedef struct _SYSTEM_EXTENDED_THREAD_INFORMATION { SYSTEM_THREAD_INFORMATION ThreadInfo; - PVOID StackBase; - PVOID StackLimit; + ULONG_PTR StackBase; + ULONG_PTR StackLimit; PVOID Win32StartAddress; PTEB TebBase; // since VISTA ULONG_PTR Reserved2; 
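Review bot: Appending four ULONGLONG members to SYSTEM_PERFORMANCE_INFORMATION (`@@ -2695`) grows `sizeof` by 32 bytes for every caller of this header, including those targeting builds before 24H2; the hunk does not say whether older kernels accept the larger buffer or what `ReturnLength` reports, so code that asserts `ReturnLength == sizeof(SYSTEM_PERFORMANCE_INFORMATION)` may start failing. A comment on the first new member such as `ULONGLONG MdlPagesAllocated; // since 24H2 — struct grew by 32 bytes; behaviour on older kernels not confirmed` would make the break visible to callers. Dropping the `// since THRESHOLD` markers from the three members after CcTotalDirtyPages follows the convention of annotating only the first member of a group, so that part is fine.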
@@ -2871,7 +3013,7 @@ typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO UCHAR HandleAttributes; USHORT HandleValue; PVOID Object; - ULONG GrantedAccess; + ACCESS_MASK GrantedAccess; } SYSTEM_HANDLE_TABLE_ENTRY_INFO, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO; typedef struct _SYSTEM_HANDLE_INFORMATION @@ -2888,7 +3030,7 @@ typedef struct _SYSTEM_OBJECTTYPE_INFORMATION ULONG TypeIndex; ULONG InvalidAttributes; GENERIC_MAPPING GenericMapping; - ULONG ValidAccessMask; + ACCESS_MASK ValidAccessMask; ULONG PoolType; BOOLEAN SecurityRequired; BOOLEAN WaitableObject; 
@@ -3050,6 +3192,265 @@ typedef struct _SYSTEM_SET_TIME_ADJUST_INFORMATION_PRECISE BOOLEAN Enable; } SYSTEM_SET_TIME_ADJUST_INFORMATION_PRECISE, * PSYSTEM_SET_TIME_ADJUST_INFORMATION_PRECISE; +#include +typedef enum _EVENT_TRACE_INFORMATION_CLASS +{ + EventTraceKernelVersionInformation, // EVENT_TRACE_VERSION_INFORMATION + EventTraceGroupMaskInformation, // EVENT_TRACE_GROUPMASK_INFORMATION + EventTracePerformanceInformation, // EVENT_TRACE_PERFORMANCE_INFORMATION + EventTraceTimeProfileInformation, // EVENT_TRACE_TIME_PROFILE_INFORMATION + EventTraceSessionSecurityInformation, // EVENT_TRACE_SESSION_SECURITY_INFORMATION + EventTraceSpinlockInformation, // EVENT_TRACE_SPINLOCK_INFORMATION + EventTraceStackTracingInformation, // EVENT_TRACE_STACK_TRACING_INFORMATION + EventTraceExecutiveResourceInformation, // EVENT_TRACE_EXECUTIVE_RESOURCE_INFORMATION + EventTraceHeapTracingInformation, // EVENT_TRACE_HEAP_TRACING_INFORMATION + EventTraceHeapSummaryTracingInformation, // EVENT_TRACE_HEAP_TRACING_INFORMATION + EventTracePoolTagFilterInformation, // EVENT_TRACE_POOLTAG_FILTER_INFORMATION + EventTracePebsTracingInformation, // EVENT_TRACE_PEBS_TRACING_INFORMATION + EventTraceProfileConfigInformation, // EVENT_TRACE_PROFILE_CONFIG_INFORMATION + EventTraceProfileSourceListInformation, // EVENT_TRACE_PROFILE_LIST_INFORMATION + EventTraceProfileEventListInformation, // EVENT_TRACE_PROFILE_EVENT_INFORMATION + EventTraceProfileCounterListInformation, // EVENT_TRACE_PROFILE_COUNTER_INFORMATION + EventTraceStackCachingInformation, // EVENT_TRACE_STACK_CACHING_INFORMATION + EventTraceObjectTypeFilterInformation, // EVENT_TRACE_OBJECT_TYPE_FILTER_INFORMATION + EventTraceSoftRestartInformation, // EVENT_TRACE_SOFT_RESTART_INFORMATION + EventTraceLastBranchConfigurationInformation, // REDSTONE3 + EventTraceLastBranchEventListInformation, // EVENT_TRACE_PROFILE_EVENT_INFORMATION + EventTraceProfileSourceAddInformation, // EVENT_TRACE_PROFILE_ADD_INFORMATION // REDSTONE4 + 
EventTraceProfileSourceRemoveInformation, // EVENT_TRACE_PROFILE_REMOVE_INFORMATION + EventTraceProcessorTraceConfigurationInformation, + EventTraceProcessorTraceEventListInformation, // EVENT_TRACE_PROFILE_EVENT_INFORMATION + EventTraceCoverageSamplerInformation, // EVENT_TRACE_COVERAGE_SAMPLER_INFORMATION + EventTraceUnifiedStackCachingInformation, // since 21H1 + EventTraceContextRegisterTraceInformation, // TRACE_CONTEXT_REGISTER_INFO // 24H2 + MaxEventTraceInfoClass +} EVENT_TRACE_INFORMATION_CLASS; + +typedef struct _EVENT_TRACE_VERSION_INFORMATION +{ + EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; + ULONG EventTraceKernelVersion; +} EVENT_TRACE_VERSION_INFORMATION, * PEVENT_TRACE_VERSION_INFORMATION; + +typedef struct _EVENT_TRACE_GROUPMASK_INFORMATION +{ + EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; + TRACEHANDLE TraceHandle; + ULONG EventTraceGroupMasks[8]; // PERFINFO_GROUPMASK +} EVENT_TRACE_GROUPMASK_INFORMATION, * PEVENT_TRACE_GROUPMASK_INFORMATION; + +typedef struct _EVENT_TRACE_PERFORMANCE_INFORMATION +{ + EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; + LARGE_INTEGER LogfileBytesWritten; +} EVENT_TRACE_PERFORMANCE_INFORMATION, * PEVENT_TRACE_PERFORMANCE_INFORMATION; + +typedef struct _EVENT_TRACE_TIME_PROFILE_INFORMATION +{ + EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; + ULONG ProfileInterval; +} EVENT_TRACE_TIME_PROFILE_INFORMATION, * PEVENT_TRACE_TIME_PROFILE_INFORMATION; + +typedef struct _EVENT_TRACE_SESSION_SECURITY_INFORMATION +{ + EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; + ULONG SecurityInformation; + TRACEHANDLE TraceHandle; + UCHAR SecurityDescriptor[1]; +} EVENT_TRACE_SESSION_SECURITY_INFORMATION, * PEVENT_TRACE_SESSION_SECURITY_INFORMATION; + +typedef struct _EVENT_TRACE_SPINLOCK_INFORMATION +{ + EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; + ULONG SpinLockSpinThreshold; + ULONG SpinLockAcquireSampleRate; + ULONG SpinLockContentionSampleRate; + ULONG 
SpinLockHoldThreshold; +} EVENT_TRACE_SPINLOCK_INFORMATION, * PEVENT_TRACE_SPINLOCK_INFORMATION; + +typedef struct _EVENT_TRACE_SYSTEM_EVENT_INFORMATION +{ + EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; + TRACEHANDLE TraceHandle; + ULONG HookId[1]; +} EVENT_TRACE_SYSTEM_EVENT_INFORMATION, * PEVENT_TRACE_SYSTEM_EVENT_INFORMATION; + +typedef EVENT_TRACE_SYSTEM_EVENT_INFORMATION EVENT_TRACE_STACK_TRACING_INFORMATION, * PEVENT_TRACE_STACK_TRACING_INFORMATION; +typedef EVENT_TRACE_SYSTEM_EVENT_INFORMATION EVENT_TRACE_PEBS_TRACING_INFORMATION, * PEVENT_TRACE_PEBS_TRACING_INFORMATION; +typedef EVENT_TRACE_SYSTEM_EVENT_INFORMATION EVENT_TRACE_PROFILE_EVENT_INFORMATION, * PEVENT_TRACE_PROFILE_EVENT_INFORMATION; + +typedef struct _EVENT_TRACE_EXECUTIVE_RESOURCE_INFORMATION +{ + EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; + ULONG ReleaseSamplingRate; + ULONG ContentionSamplingRate; + ULONG NumberOfExcessiveTimeouts; +} EVENT_TRACE_EXECUTIVE_RESOURCE_INFORMATION, * PEVENT_TRACE_EXECUTIVE_RESOURCE_INFORMATION; + +typedef struct _EVENT_TRACE_HEAP_TRACING_INFORMATION +{ + EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; + ULONG ProcessId[1]; +} EVENT_TRACE_HEAP_TRACING_INFORMATION, * PEVENT_TRACE_HEAP_TRACING_INFORMATION; + +typedef struct _EVENT_TRACE_TAG_FILTER_INFORMATION +{ + EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; + TRACEHANDLE TraceHandle; + ULONG Filter[1]; +} EVENT_TRACE_TAG_FILTER_INFORMATION, * PEVENT_TRACE_TAG_FILTER_INFORMATION; + +typedef EVENT_TRACE_TAG_FILTER_INFORMATION EVENT_TRACE_POOLTAG_FILTER_INFORMATION, * PEVENT_TRACE_POOLTAG_FILTER_INFORMATION; +typedef EVENT_TRACE_TAG_FILTER_INFORMATION EVENT_TRACE_OBJECT_TYPE_FILTER_INFORMATION, * PEVENT_TRACE_OBJECT_TYPE_FILTER_INFORMATION; + +// ProfileSource +#define ETW_MAX_PROFILING_SOURCES 4 +#define ETW_MAX_PMC_EVENTS 4 +#define ETW_MAX_PMC_COUNTERS 4 + +typedef struct _EVENT_TRACE_PROFILE_COUNTER_INFORMATION +{ + EVENT_TRACE_INFORMATION_CLASS 
EventTraceInformationClass; + TRACEHANDLE TraceHandle; + ULONG ProfileSource[1]; +} EVENT_TRACE_PROFILE_COUNTER_INFORMATION, * PEVENT_TRACE_PROFILE_COUNTER_INFORMATION; + +typedef EVENT_TRACE_PROFILE_COUNTER_INFORMATION EVENT_TRACE_PROFILE_CONFIG_INFORMATION, * PEVENT_TRACE_PROFILE_CONFIG_INFORMATION; + +//typedef struct _PROFILE_SOURCE_INFO +//{ +// ULONG NextEntryOffset; +// ULONG Source; +// ULONG MinInterval; +// ULONG MaxInterval; +// PVOID Reserved; +// WCHAR Description[1]; +//} PROFILE_SOURCE_INFO, *PPROFILE_SOURCE_INFO; + +typedef struct _PROFILE_SOURCE_INFO* PPROFILE_SOURCE_INFO; + +typedef struct _EVENT_TRACE_PROFILE_LIST_INFORMATION +{ + EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; + ULONG Spare; + PPROFILE_SOURCE_INFO Profile[1]; +} EVENT_TRACE_PROFILE_LIST_INFORMATION, * PEVENT_TRACE_PROFILE_LIST_INFORMATION; + +typedef struct _EVENT_TRACE_STACK_CACHING_INFORMATION +{ + EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; + TRACEHANDLE TraceHandle; + BOOLEAN Enabled; + UCHAR Reserved[3]; + ULONG CacheSize; + ULONG BucketCount; +} EVENT_TRACE_STACK_CACHING_INFORMATION, * PEVENT_TRACE_STACK_CACHING_INFORMATION; + +typedef struct _EVENT_TRACE_SOFT_RESTART_INFORMATION +{ + EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; + TRACEHANDLE TraceHandle; + BOOLEAN PersistTraceBuffers; + WCHAR FileName[1]; +} EVENT_TRACE_SOFT_RESTART_INFORMATION, * PEVENT_TRACE_SOFT_RESTART_INFORMATION; + +typedef enum _EVENT_TRACE_PROFILE_ADD_INFORMATION_VERSIONS +{ + EventTraceProfileAddInformationMinVersion = 0x2, + EventTraceProfileAddInformationV2 = 0x2, + EventTraceProfileAddInformationV3 = 0x3, + EventTraceProfileAddInformationMaxVersion = 0x3, +} EVENT_TRACE_PROFILE_ADD_INFORMATION_VERSIONS; + +typedef union _EVENT_TRACE_PROFILE_ADD_INFORMATION_V2 +{ + struct + { + UCHAR PerfEvtEventSelect; + UCHAR PerfEvtUnitSelect; + UCHAR PerfEvtCMask; + UCHAR PerfEvtCInv; + UCHAR PerfEvtAnyThread; + UCHAR PerfEvtEdgeDetect; + } Intel; + struct + { + UCHAR 
PerfEvtEventSelect; + UCHAR PerfEvtUnitSelect; + } Amd; + struct + { + ULONG PerfEvtType; + UCHAR AllowsHalt; + } Arm; +} EVENT_TRACE_PROFILE_ADD_INFORMATION_V2; + +typedef union _EVENT_TRACE_PROFILE_ADD_INFORMATION_V3 +{ + struct + { + UCHAR PerfEvtEventSelect; + UCHAR PerfEvtUnitSelect; + UCHAR PerfEvtCMask; + UCHAR PerfEvtCInv; + UCHAR PerfEvtAnyThread; + UCHAR PerfEvtEdgeDetect; + } Intel; + struct + { + USHORT PerfEvtEventSelect; + UCHAR PerfEvtUnitSelect; + UCHAR PerfEvtCMask; + UCHAR PerfEvtCInv; + UCHAR PerfEvtEdgeDetect; + UCHAR PerfEvtHostGuest; + UCHAR PerfPmuType; + } Amd; + struct + { + ULONG PerfEvtType; + UCHAR AllowsHalt; + } Arm; +} EVENT_TRACE_PROFILE_ADD_INFORMATION_V3; + +typedef struct _EVENT_TRACE_PROFILE_ADD_INFORMATION +{ + EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; + UCHAR Version; + union + { + EVENT_TRACE_PROFILE_ADD_INFORMATION_V2 V2; + EVENT_TRACE_PROFILE_ADD_INFORMATION_V3 V3; + }; + ULONG CpuInfoHierarchy[0x3]; + ULONG InitialInterval; + BOOLEAN Persist; + WCHAR ProfileSourceDescription[0x1]; +} EVENT_TRACE_PROFILE_ADD_INFORMATION, * PEVENT_TRACE_PROFILE_ADD_INFORMATION; + +typedef struct _EVENT_TRACE_PROFILE_REMOVE_INFORMATION +{ + EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; + KPROFILE_SOURCE ProfileSource; + ULONG CpuInfoHierarchy[0x3]; +} EVENT_TRACE_PROFILE_REMOVE_INFORMATION, * PEVENT_TRACE_PROFILE_REMOVE_INFORMATION; + +typedef struct _EVENT_TRACE_COVERAGE_SAMPLER_INFORMATION +{ + EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; + UCHAR CoverageSamplerInformationClass; + UCHAR MajorVersion; + UCHAR MinorVersion; + UCHAR Reserved; + HANDLE SamplerHandle; +} EVENT_TRACE_COVERAGE_SAMPLER_INFORMATION, * PEVENT_TRACE_COVERAGE_SAMPLER_INFORMATION; + +//typedef struct _TRACE_CONTEXT_REGISTER_INFO +//{ +// ETW_CONTEXT_REGISTER_TYPES RegisterTypes; +// ULONG Reserved; +//} TRACE_CONTEXT_REGISTER_INFO, *PTRACE_CONTEXT_REGISTER_INFO; + typedef struct _SYSTEM_EXCEPTION_INFORMATION { ULONG 
AlignmentFixupCount; @@ -3276,9 +3677,9 @@ typedef struct _SYSTEM_PROCESSOR_POWER_INFORMATION typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX { PVOID Object; - ULONG_PTR UniqueProcessId; - ULONG_PTR HandleValue; - ULONG GrantedAccess; + HANDLE UniqueProcessId; + HANDLE HandleValue; + ACCESS_MASK GrantedAccess; USHORT CreatorBackTraceIndex; USHORT ObjectTypeIndex; ULONG HandleAttributes; @@ -3444,14 +3845,14 @@ typedef struct _SYSTEM_FIRMWARE_TABLE_HANDLER // private typedef struct _SYSTEM_MEMORY_LIST_INFORMATION { - ULONG_PTR ZeroPageCount; - ULONG_PTR FreePageCount; - ULONG_PTR ModifiedPageCount; - ULONG_PTR ModifiedNoWritePageCount; - ULONG_PTR BadPageCount; - ULONG_PTR PageCountByPriority[8]; - ULONG_PTR RepurposedPagesByPriority[8]; - ULONG_PTR ModifiedPageCountPageFile; + SIZE_T ZeroPageCount; + SIZE_T FreePageCount; + SIZE_T ModifiedPageCount; + SIZE_T ModifiedNoWritePageCount; + SIZE_T BadPageCount; + SIZE_T PageCountByPriority[8]; + SIZE_T RepurposedPagesByPriority[8]; + SIZE_T ModifiedPageCountPageFile; } SYSTEM_MEMORY_LIST_INFORMATION, * PSYSTEM_MEMORY_LIST_INFORMATION; // private 
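Review bot: The first added line of the EVENT_TRACE block (`@@ -3050`, which starts several lines earlier) is a bare `#include` with no header name — most likely an angle-bracketed name lost in rendering, but as shown it does not compile, and the block depends on `TRACEHANDLE` and `KPROFILE_SOURCE`, neither of which is defined in the visible hunks; please confirm the include target survived in the committed file. Two smaller points in the same hunk: `CpuInfoHierarchy[0x3]` and `ProfileSourceDescription[0x1]` use hex sizes where every other array in the diff is decimal (`EventTraceGroupMasks[8]`, `EntropyData[40]`), and EVENT_TRACE_SESSION_SECURITY_INFORMATION's trailing `SecurityDescriptor[1]` would benefit from a `// variable length; sizeof covers one byte` note since callers must size the buffer themselves.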
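Review bot: Changing `UniqueProcessId` and `HandleValue` in SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX (`@@ -3276`) from ULONG_PTR to HANDLE keeps the layout but turns every existing integer comparison such as `entry->UniqueProcessId == pid` into a pointer/integer mismatch, so callers now need `HandleToULong`-style casts; the non-EX entry in an earlier hunk keeps `USHORT HandleValue`, so the two entry types now expose the same datum under different types. A one-line comment on the field, `HANDLE UniqueProcessId; // process id carried as a handle-sized value; compare via HandleToULong`, would make the intent clear to callers hit by the change.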
@@ -4254,14 +4655,30 @@ typedef struct _SYSTEM_LOW_PRIORITY_IO_INFORMATION } SYSTEM_LOW_PRIORITY_IO_INFORMATION, * PSYSTEM_LOW_PRIORITY_IO_INFORMATION; // symbols -typedef enum _TPM_BOOT_ENTROPY_RESULT_CODE -{ - TpmBootEntropyStructureUninitialized, - TpmBootEntropyDisabledByPolicy, - TpmBootEntropyNoTpmFound, - TpmBootEntropyTpmError, - TpmBootEntropySuccess -} TPM_BOOT_ENTROPY_RESULT_CODE; +typedef enum _BOOT_ENTROPY_SOURCE_RESULT_CODE +{ + BootEntropySourceStructureUninitialized, + BootEntropySourceDisabledByPolicy, + BootEntropySourceNotPresent, + BootEntropySourceError, + BootEntropySourceSuccess +} BOOT_ENTROPY_SOURCE_RESULT_CODE; + +typedef enum _BOOT_ENTROPY_SOURCE_ID +{ + BootEntropySourceNone = 0, + BootEntropySourceSeedfile = 1, + BootEntropySourceExternal = 2, + BootEntropySourceTpm = 3, + BootEntropySourceRdrand = 4, + BootEntropySourceTime = 5, + BootEntropySourceAcpiOem0 = 6, + BootEntropySourceUefi = 7, + BootEntropySourceCng = 8, + BootEntropySourceTcbTpm = 9, + BootEntropySourceTcbRdrand = 10, + BootMaxEntropySources = 10 +} BOOT_ENTROPY_SOURCE_ID, * PBOOT_ENTROPY_SOURCE_ID; // Contents of KeLoaderBlock->Extension->TpmBootEntropyResult (TPM_BOOT_ENTROPY_LDR_RESULT). // EntropyData is truncated to 40 bytes. 
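Review bot: `BootMaxEntropySources = 10` is given the same value as the last real source id, `BootEntropySourceTcbRdrand = 10`, so it cannot serve both as a count and as an exclusive upper bound; if it is meant as a count the value looks one short (ids 0..10 are eleven), and if it means "highest valid id" the name should say so, e.g. `BootMaxEntropySources = 10 // highest SourceId, not a count — TODO confirm`. Replacing `TPM_BOOT_ENTROPY_RESULT_CODE` and its `TpmBootEntropy*` enumerators with the `BootEntropySource*` names drops the old identifiers outright although TPM_BOOT_ENTROPY_NT_RESULT itself is retained; `typedef BOOT_ENTROPY_SOURCE_RESULT_CODE TPM_BOOT_ENTROPY_RESULT_CODE;` plus enumerator aliases would keep existing users compiling.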
@@ -4270,13 +4687,33 @@ typedef enum _TPM_BOOT_ENTROPY_RESULT_CODE typedef struct _TPM_BOOT_ENTROPY_NT_RESULT { ULONGLONG Policy; - TPM_BOOT_ENTROPY_RESULT_CODE ResultCode; + BOOT_ENTROPY_SOURCE_RESULT_CODE ResultCode; NTSTATUS ResultStatus; ULONGLONG Time; ULONG EntropyLength; UCHAR EntropyData[40]; } TPM_BOOT_ENTROPY_NT_RESULT, * PTPM_BOOT_ENTROPY_NT_RESULT; +// private +typedef struct _BOOT_ENTROPY_SOURCE_NT_RESULT +{ + BOOT_ENTROPY_SOURCE_ID SourceId; + ULONG64 Policy; + BOOT_ENTROPY_SOURCE_RESULT_CODE ResultCode; + NTSTATUS ResultStatus; + ULONGLONG Time; + ULONG EntropyLength; + UCHAR EntropyData[64]; +} BOOT_ENTROPY_SOURCE_NT_RESULT, * PBOOT_ENTROPY_SOURCE_NT_RESULT; + +// private +typedef struct _BOOT_ENTROPY_NT_RESULT +{ + ULONG maxEntropySources; + BOOT_ENTROPY_SOURCE_NT_RESULT EntropySourceResult[10]; + UCHAR SeedBytesForCng[48]; +} BOOT_ENTROPY_NT_RESULT, * PBOOT_ENTROPY_NT_RESULT; + // private typedef struct _SYSTEM_VERIFIER_COUNTERS_INFORMATION { @@ -4374,7 +4811,7 @@ typedef struct _SYSTEM_BOOT_GRAPHICS_INFORMATION typedef struct _MEMORY_SCRUB_INFORMATION { HANDLE Handle; - ULONG_PTR PagesScrubbed; + SIZE_T PagesScrubbed; } MEMORY_SCRUB_INFORMATION, * PMEMORY_SCRUB_INFORMATION; // private @@ -4444,7 +4881,7 @@ typedef struct _SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA typedef struct _MEMORY_COMBINE_INFORMATION { HANDLE Handle; - ULONG_PTR PagesCombined; + SIZE_T PagesCombined; } MEMORY_COMBINE_INFORMATION, * PMEMORY_COMBINE_INFORMATION; // rev @@ -4454,7 +4891,7 @@ typedef struct _MEMORY_COMBINE_INFORMATION typedef struct _MEMORY_COMBINE_INFORMATION_EX { HANDLE Handle; - ULONG_PTR PagesCombined; + SIZE_T PagesCombined; ULONG Flags; } MEMORY_COMBINE_INFORMATION_EX, * PMEMORY_COMBINE_INFORMATION_EX; 
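Review bot: `EntropySourceResult[10]` repeats the source count as a literal although the commit introduces `BootMaxEntropySources` for exactly this; `BOOT_ENTROPY_SOURCE_NT_RESULT EntropySourceResult[BootMaxEntropySources];` keeps the two from drifting (and makes the count-versus-highest-id question on that enumerator explicit). The struct carries raw seed material — `EntropyData[64]` per source and `SeedBytesForCng[48]` — which a bare `// private` tag does not convey; a note in the style of the existing `// Contents of KeLoaderBlock->...` comment, e.g. `// Holds raw boot entropy and the CNG seed; treat buffers containing it as sensitive and clear them after use.`, would help callers. The lower-case `maxEntropySources` breaks the header's PascalCase field naming; keep it only if it is the symbol name recovered from debug information, and say so in a trailing comment.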
@@ -4462,7 +4899,7 @@ typedef struct _MEMORY_COMBINE_INFORMATION_EX typedef struct _MEMORY_COMBINE_INFORMATION_EX2 { HANDLE Handle; - ULONG_PTR PagesCombined; + SIZE_T PagesCombined; ULONG Flags; HANDLE ProcessHandle; } MEMORY_COMBINE_INFORMATION_EX2, * PMEMORY_COMBINE_INFORMATION_EX2; @@ -4579,6 +5016,16 @@ typedef struct _SYSTEM_SECUREBOOT_POLICY_INFORMATION ULONG PolicyOptions; } SYSTEM_SECUREBOOT_POLICY_INFORMATION, * PSYSTEM_SECUREBOOT_POLICY_INFORMATION; +// private +typedef struct _CRITICAL_PROCESS_EXCEPTION_DATA +{ + GUID ReportId; + UNICODE_STRING ModuleName; + ULONG ModuleTimestamp; + ULONG ModuleSize; + ULONG_PTR Offset; +} CRITICAL_PROCESS_EXCEPTION_DATA, * PCRITICAL_PROCESS_EXCEPTION_DATA; + // private typedef struct _SYSTEM_PAGEFILE_INFORMATION_EX { @@ -4786,6 +5233,13 @@ typedef struct _OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V1 ULONG OfflineMemoryDumpCapable; } OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V1, * POFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V1; +// SYSTEM_PROCESSOR_FEATURES_INFORMATION // ProcessorFeatureBits +#define KF_BRANCH 0x0000000000020000 +#define KF_XSTATE 0x0000000000800000 +#define KF_RDTSCP 0x0000000400000000 +#define KF_CET_SS 0x0000400000000000 +#define KF_XFD 0x0080000000000000 + // private typedef struct _SYSTEM_PROCESSOR_FEATURES_INFORMATION { @@ -4833,6 +5287,14 @@ typedef struct _SYSTEM_HYPERVISOR_DETAIL_INFORMATION // private typedef struct _SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION { + // + // First index is bucket (see: PoGetFrequencyBucket) selected based on latest frequency percent + // using _KPRCB.PowerState.FrequencyBucketThresholds. + // + // Second index is _KPRCB.PowerState.ArchitecturalEfficiencyClass, accounting for architecture + // dependent KeHeteroSystem and using _KPRCB.PowerState.EarlyBootArchitecturalEfficiencyClass + // instead, when appropriate. + // ULONGLONG Cycles[4][2]; } SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION, * PSYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION; 
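Review bot: The 64-bit KF_* table re-added in `@@ -4786` for SYSTEM_PROCESSOR_FEATURES_INFORMATION restores five of the values removed from the earlier ksamd64 block but not the bit-index macros removed alongside them (KF_XSAVEOPT_BIT, KF_XSTATE_BIT, KF_RDWRFSGSBASE_BIT, KF_XSAVES_BIT, KF_FPU_LEAKAGE_BIT, KF_CAT_BIT, KF_XFD_BIT), so any consumer using those loses compilation with no replacement named in the diff. If the drop is intended, a `// removed: KF_*_BIT bit indices (use the mask values above)` note under this comment, or re-adding them here, would make it deliberate rather than accidental. The five constants are also unsuffixed `long long` literals; `ULL` would match the unsigned field and avoid sign-conversion warnings.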
@@ -4911,6 +5373,19 @@ typedef struct _SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION UCHAR Policy[1]; } SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION, * PSYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION; +// private +typedef struct _KAFFINITY_EX +{ + USHORT Count; + USHORT Size; + ULONG Reserved; + union + { + ULONG_PTR Bitmap[1]; + ULONG_PTR StaticBitmap[32]; + }; +} KAFFINITY_EX, * PKAFFINITY_EX; + // private typedef struct _SYSTEM_ROOT_SILO_INFORMATION { @@ -5555,7 +6030,7 @@ typedef struct _SYSTEM_MEMORY_NUMA_PERFORMANCE_ENTRY BOOLEAN Reserved : 6; }; }; - ULONG_PTR MinTransferSizeInBytes; + SIZE_T MinTransferSizeInBytes; ULONG_PTR EntryValue; } SYSTEM_MEMORY_NUMA_PERFORMANCE_ENTRY, * PSYSTEM_MEMORY_NUMA_PERFORMANCE_ENTRY; @@ -6761,7 +7236,7 @@ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtAddAtom( - _In_reads_bytes_opt_(Length) PWSTR AtomName, + _In_reads_bytes_opt_(Length) PCWSTR AtomName, _In_ ULONG Length, _Out_opt_ PRTL_ATOM Atom ); @@ -6771,7 +7246,7 @@ NTSYSAPI NTSTATUS NTAPI ZwAddAtom( - _In_reads_bytes_opt_(Length) PWSTR AtomName, + _In_reads_bytes_opt_(Length) PCWSTR AtomName, _In_ ULONG Length, _Out_opt_ PRTL_ATOM Atom ); @@ -6784,7 +7259,7 @@ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtAddAtomEx( - _In_reads_bytes_opt_(Length) PWSTR AtomName, + _In_reads_bytes_opt_(Length) PCWSTR AtomName, _In_ ULONG Length, _Out_opt_ PRTL_ATOM Atom, _In_ ULONG Flags @@ -6795,7 +7270,7 @@ NTSYSAPI NTSTATUS NTAPI ZwAddAtomEx( - _In_reads_bytes_opt_(Length) PWSTR AtomName, + _In_reads_bytes_opt_(Length) PCWSTR AtomName, _In_ ULONG Length, _Out_opt_ PRTL_ATOM Atom, _In_ ULONG Flags @@ -6806,7 +7281,7 @@ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtFindAtom( - _In_reads_bytes_opt_(Length) PWSTR AtomName, + _In_reads_bytes_opt_(Length) PCWSTR AtomName, _In_ ULONG Length, _Out_opt_ PRTL_ATOM Atom ); 
@@ -6816,7 +7291,7 @@ NTSYSAPI NTSTATUS NTAPI ZwFindAtom( - _In_reads_bytes_opt_(Length) PWSTR AtomName, + _In_reads_bytes_opt_(Length) PCWSTR AtomName, _In_ ULONG Length, _Out_opt_ PRTL_ATOM Atom ); diff --git a/Veil/Veil.System.IOManager.h b/Veil/Veil.System.IOManager.h index dcab9ba..da5f816 100644 --- a/Veil/Veil.System.IOManager.h +++ b/Veil/Veil.System.IOManager.h @@ -447,11 +447,11 @@ typedef struct _FILE_INTERNAL_INFORMATION { union { - LARGE_INTEGER IndexNumber; + ULARGE_INTEGER IndexNumber; struct { - LONGLONG MftRecordIndex : 48; // rev - LONGLONG SequenceNumber : 16; // rev + ULONGLONG MftRecordIndex : 48; // rev + ULONGLONG SequenceNumber : 16; // rev }; }; } FILE_INTERNAL_INFORMATION, * PFILE_INTERNAL_INFORMATION; @@ -1698,7 +1698,7 @@ NTSTATUS NTAPI NtCreateNamedPipeFile( _Out_ PHANDLE FileHandle, - _In_ ULONG DesiredAccess, + _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ ULONG ShareAccess, @@ -1718,7 +1718,7 @@ NTSTATUS NTAPI ZwCreateNamedPipeFile( _Out_ PHANDLE FileHandle, - _In_ ULONG DesiredAccess, + _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ ULONG ShareAccess, @@ -1738,7 +1738,7 @@ NTSTATUS NTAPI NtCreateMailslotFile( _Out_ PHANDLE FileHandle, - _In_ ULONG DesiredAccess, + _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ ULONG CreateOptions, @@ -1752,7 +1752,7 @@ NTSTATUS NTAPI ZwCreateMailslotFile( _Out_ PHANDLE FileHandle, - _In_ ULONG DesiredAccess, + _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_ ULONG CreateOptions, 
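Review bot: Changing `FILE_INTERNAL_INFORMATION.IndexNumber` to `ULARGE_INTEGER` with unsigned bit-fields in the `@@ -447,11 +447,11 @@` hunk diverges from the public DDK, which declares the member as `LARGE_INTEGER`, so code that reads `IndexNumber.QuadPart` into a `LONGLONG` now gets signed/unsigned mismatch warnings and the struct no longer matches the SDK one-for-one. The unsigned fields are the better choice for extracting `SequenceNumber`, since a signed 16-bit field would sign-extend values of 0x8000 and above; record that reasoning next to the union, e.g. `// unsigned so SequenceNumber/MftRecordIndex never sign-extend (DDK declares IndexNumber as LARGE_INTEGER)`. Bit-field packing is implementation-defined in C, so the `// rev` split into 48/16 bits holds for MSVC's layout and should be labelled as such.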
@@ -2770,6 +2770,21 @@ ZwNotifyChangeDirectoryFileEx( ); #endif // NTDDI_VERSION >= NTDDI_WIN10_RS3 +/** + * @brief Loads a driver. + * + * This function loads a driver specified by the DriverServiceName parameter. + * + * @param DriverServiceName A pointer to a UNICODE_STRING structure that specifies the name of the driver service to load. + * + * @return NTSTATUS The status code returned by the function. Possible values include, but are not limited to: + * - STATUS_SUCCESS: The driver was successfully loaded. + * - STATUS_INVALID_PARAMETER: The DriverServiceName parameter is invalid. + * - STATUS_INSUFFICIENT_RESOURCES: There are insufficient resources to load the driver. + * - STATUS_OBJECT_NAME_NOT_FOUND: The specified driver service name was not found. + * - STATUS_OBJECT_PATH_NOT_FOUND: The path to the driver service was not found. + * - STATUS_OBJECT_NAME_COLLISION: A driver with the same name already exists. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI @@ -2785,6 +2800,20 @@ ZwLoadDriver( _In_ PUNICODE_STRING DriverServiceName ); +/** + * @brief Unloads a driver. + * + * This function unloads a driver specified by the DriverServiceName parameter. + * + * @param DriverServiceName A pointer to a UNICODE_STRING structure that specifies the name of the driver service to unload. + * + * @return NTSTATUS The status code returned by the function. Possible values include, but are not limited to: + * - STATUS_SUCCESS: The driver was successfully unloaded. + * - STATUS_INVALID_PARAMETER: The DriverServiceName parameter is invalid. + * - STATUS_OBJECT_NAME_NOT_FOUND: The specified driver service name was not found. + * - STATUS_OBJECT_PATH_NOT_FOUND: The path to the driver service was not found. + * - STATUS_OBJECT_NAME_COLLISION: A driver with the same name already exists. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI 
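Review bot: The unload comment in the `@@ -2785,6 +2800,20 @@` hunk lists `STATUS_OBJECT_NAME_COLLISION: A driver with the same name already exists`, which is a load-time condition copied from the load comment and cannot come from an unload; drop that bullet. Both new comments also omit the check that decides most real failures: loading and unloading a driver requires SeLoadDriverPrivilege (the header already records this for `FLT_CTL_UNLOAD`), so add `* - STATUS_PRIVILEGE_NOT_HELD: The caller does not hold SeLoadDriverPrivilege.` to both lists. Each comment is placed directly above a `__kernel_entry NTSYSCALLAPI NTSTATUS NTAPI` declaration whose name lies outside the hunk, so confirm they sit above the intended Nt routines rather than the Zw variants.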
@@ -3868,7 +3897,7 @@ typedef struct _FLT_PORT_FULL_EA #define FLT_CTL_UNLOAD CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 2, METHOD_BUFFERED, FILE_WRITE_ACCESS) // in: FLT_LOAD_PARAMETERS // requires SeLoadDriverPrivilege #define FLT_CTL_LINK_HANDLE CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 3, METHOD_BUFFERED, FILE_READ_ACCESS) // in: FLT_LINK // specializes the handle #define FLT_CTL_ATTACH CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 4, METHOD_BUFFERED, FILE_WRITE_ACCESS) // in: FLT_ATTACH -#define FLT_CTL_DETATCH CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 5, METHOD_BUFFERED, FILE_WRITE_ACCESS) // in: FLT_INSTANCE_PARAMETERS +#define FLT_CTL_DETACH CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 5, METHOD_BUFFERED, FILE_WRITE_ACCESS) // in: FLT_INSTANCE_PARAMETERS // IOCTLs for port-specific FltMgrMsg handles (opened using the extended attribute) #define FLT_CTL_SEND_MESSAGE CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 6, METHOD_NEITHER, FILE_WRITE_ACCESS) // in, out: filter-specific 
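Review bot: Renaming the public macro `FLT_CTL_DETATCH` to `FLT_CTL_DETACH` breaks every consumer built against the old spelling, and nothing in the hunk keeps the old name resolving. Adding `#define FLT_CTL_DETATCH FLT_CTL_DETACH // deprecated misspelling, kept for source compatibility` immediately after the new line preserves existing builds while steering users to the corrected name.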
@@ -3963,6 +3992,124 @@ typedef struct _FLT_ATTACH USHORT AltitudeOffset; // to WCHAR[] from this struct } FLT_ATTACH, * PFLT_ATTACH; +// +// Multiple UNC Provider +// + +// rev // FSCTLs for \Device\Mup +#define FSCTL_MUP_GET_UNC_CACHE_INFO CTL_CODE(FILE_DEVICE_MULTI_UNC_PROVIDER, 11, METHOD_BUFFERED, FILE_ANY_ACCESS) // out: MUP_FSCTL_UNC_CACHE_INFORMATION +#define FSCTL_MUP_GET_UNC_PROVIDER_LIST CTL_CODE(FILE_DEVICE_MULTI_UNC_PROVIDER, 12, METHOD_BUFFERED, FILE_ANY_ACCESS) // out: MUP_FSCTL_UNC_PROVIDER_INFORMATION +#define FSCTL_MUP_GET_SURROGATE_PROVIDER_LIST CTL_CODE(FILE_DEVICE_MULTI_UNC_PROVIDER, 13, METHOD_BUFFERED, FILE_ANY_ACCESS) // out: MUP_FSCTL_SURROGATE_PROVIDER_INFORMATION +#define FSCTL_MUP_GET_UNC_HARDENING_CONFIGURATION CTL_CODE(FILE_DEVICE_MULTI_UNC_PROVIDER, 14, METHOD_BUFFERED, FILE_ANY_ACCESS) // out: MUP_FSCTL_UNC_HARDENING_PREFIX_TABLE_ENTRY[] +#define FSCTL_MUP_GET_UNC_HARDENING_CONFIGURATION_FOR_PATH CTL_CODE(FILE_DEVICE_MULTI_UNC_PROVIDER, 15, METHOD_BUFFERED, FILE_ANY_ACCESS) // in: MUP_FSCTL_QUERY_UNC_HARDENING_CONFIGURATION_IN; out: MUP_FSCTL_QUERY_UNC_HARDENING_CONFIGURATION_OUT + +// private +typedef struct _MUP_FSCTL_UNC_CACHE_ENTRY +{ + ULONG TotalLength; + ULONG UncNameOffset; // to WCHAR[] from this struct + USHORT UncNameLength; // in bytes + ULONG ProviderNameOffset; // to WCHAR[] from this struct + USHORT ProviderNameLength; // in bytes + ULONG SurrogateNameOffset; // to WCHAR[] from this struct + USHORT SurrogateNameLength; // in bytes + ULONG ProviderPriority; + ULONG EntryTtl; + WCHAR Strings[ANYSIZE_ARRAY]; +} MUP_FSCTL_UNC_CACHE_ENTRY, * PMUP_FSCTL_UNC_CACHE_ENTRY; + +// private +typedef struct _MUP_FSCTL_UNC_CACHE_INFORMATION +{ + ULONG MaxCacheSize; + ULONG CurrentCacheSize; + ULONG EntryTimeout; + ULONG TotalEntries; + MUP_FSCTL_UNC_CACHE_ENTRY CacheEntry[ANYSIZE_ARRAY]; +} MUP_FSCTL_UNC_CACHE_INFORMATION, * PMUP_FSCTL_UNC_CACHE_INFORMATION; + +// private +typedef struct _MUP_FSCTL_UNC_PROVIDER_ENTRY +{ + ULONG 
TotalLength; + LONG ReferenceCount; + ULONG ProviderPriority; + ULONG ProviderState; + ULONG ProviderId; + USHORT ProviderNameLength; // in bytes + WCHAR ProviderName[ANYSIZE_ARRAY]; +} MUP_FSCTL_UNC_PROVIDER_ENTRY, * PMUP_FSCTL_UNC_PROVIDER_ENTRY; + +// private +typedef struct _MUP_FSCTL_UNC_PROVIDER_INFORMATION +{ + ULONG TotalEntries; + MUP_FSCTL_UNC_PROVIDER_ENTRY ProviderEntry[ANYSIZE_ARRAY]; +} MUP_FSCTL_UNC_PROVIDER_INFORMATION, * PMUP_FSCTL_UNC_PROVIDER_INFORMATION; + +// private +typedef struct _MUP_FSCTL_SURROGATE_PROVIDER_ENTRY +{ + ULONG TotalLength; + LONG ReferenceCount; + ULONG SurrogateType; + ULONG SurrogateState; + ULONG SurrogatePriority; + USHORT SurrogateNameLength; // in bytes + WCHAR SurrogateName[ANYSIZE_ARRAY]; +} MUP_FSCTL_SURROGATE_PROVIDER_ENTRY, * PMUP_FSCTL_SURROGATE_PROVIDER_ENTRY; + +// private +typedef struct _MUP_FSCTL_SURROGATE_PROVIDER_INFORMATION +{ + ULONG TotalEntries; + MUP_FSCTL_SURROGATE_PROVIDER_ENTRY SurrogateEntry[ANYSIZE_ARRAY]; +} MUP_FSCTL_SURROGATE_PROVIDER_INFORMATION, * PMUP_FSCTL_SURROGATE_PROVIDER_INFORMATION; + +// private +typedef struct _MUP_FSCTL_UNC_HARDENING_PREFIX_TABLE_ENTRY +{ + ULONG NextOffset; // from this struct + ULONG PrefixNameOffset; // to WCHAR[] from this struct + USHORT PrefixNameCbLength; // in bytes + union + { + ULONG RequiredHardeningCapabilities; + struct + { + ULONG RequiresMutualAuth : 1; + ULONG RequiresIntegrity : 1; + ULONG RequiresPrivacy : 1; + }; + }; + ULONGLONG OpenCount; +} MUP_FSCTL_UNC_HARDENING_PREFIX_TABLE_ENTRY, * PMUP_FSCTL_UNC_HARDENING_PREFIX_TABLE_ENTRY; + +// private +typedef struct _MUP_FSCTL_QUERY_UNC_HARDENING_CONFIGURATION_IN +{ + ULONG Size; + ULONG UncPathOffset; // to WCHAR[] from this struct + USHORT UncPathCbLength; // in bytes +} MUP_FSCTL_QUERY_UNC_HARDENING_CONFIGURATION_IN, * PMUP_FSCTL_QUERY_UNC_HARDENING_CONFIGURATION_IN; + +// private +typedef struct _MUP_FSCTL_QUERY_UNC_HARDENING_CONFIGURATION_OUT +{ + ULONG Size; + union + { + ULONG 
RequiredHardeningCapabilities; + struct + { + ULONG RequiresMutualAuth : 1; + ULONG RequiresIntegrity : 1; + ULONG RequiresPrivacy : 1; + }; + }; +} MUP_FSCTL_QUERY_UNC_HARDENING_CONFIGURATION_OUT, * PMUP_FSCTL_QUERY_UNC_HARDENING_CONFIGURATION_OUT; + + #ifndef _KERNEL_MODE // // Major Function Codes diff --git a/Veil/Veil.System.Loader.h b/Veil/Veil.System.Loader.h index 79d6af5..48af0ae 100644 --- a/Veil/Veil.System.Loader.h +++ b/Veil/Veil.System.Loader.h @@ -362,7 +362,7 @@ NTSYSAPI NTSTATUS NTAPI LdrLoadDll( - _In_opt_ PWSTR DllPath, + _In_opt_ PCWSTR DllPath, _In_opt_ PULONG DllCharacteristics, _In_ PUNICODE_STRING DllName, _Out_ PVOID* DllHandle @@ -379,7 +379,7 @@ NTSYSAPI NTSTATUS NTAPI LdrGetDllHandle( - _In_opt_ PWSTR DllPath, + _In_opt_ PCWSTR DllPath, _In_opt_ PULONG DllCharacteristics, _In_ PUNICODE_STRING DllName, _Out_ PVOID* DllHandle @@ -393,7 +393,7 @@ NTSTATUS NTAPI LdrGetDllHandleEx( _In_ ULONG Flags, - _In_opt_ PWSTR DllPath, + _In_opt_ PCWSTR DllPath, _In_opt_ PULONG DllCharacteristics, _In_ PUNICODE_STRING DllName, _Out_ PVOID* DllHandle 
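Review bot: The MUP structures in the `@@ -3963,6 +3992,124 @@` hunk (which begins two physical lines earlier) carry offset/length pairs such as `UncNameOffset`/`UncNameLength` and the `NextOffset` chain, but nothing states that a consumer must check each offset plus length against `TotalLength` and the FSCTL output size before following it; since the layout is `// rev`, a version skew would otherwise turn into an out-of-bounds read in the caller. Add a note on `MUP_FSCTL_UNC_CACHE_ENTRY` and `MUP_FSCTL_UNC_HARDENING_PREFIX_TABLE_ENTRY` such as `// validate Offset + Length <= TotalLength and the returned buffer size before dereferencing`, and document how the `NextOffset` list terminates (presumably a zero `NextOffset`; the hunk does not show it, so confirm). `MUP_FSCTL_UNC_HARDENING_PREFIX_TABLE_ENTRY` and `MUP_FSCTL_QUERY_UNC_HARDENING_CONFIGURATION_OUT` also duplicate the same anonymous `RequiresMutualAuth`/`RequiresIntegrity`/`RequiresPrivacy` bit-field union; a shared typedef would keep the two from drifting apart.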
@@ -803,7 +803,39 @@ typedef struct _PS_SYSTEM_DLL_INIT_BLOCK #if (NTDDI_VERSION >= NTDDI_WINTHRESHOLD) NTSYSAPI PS_SYSTEM_DLL_INIT_BLOCK LdrSystemDllInitBlock; #endif -#endif // _KERNEL_MODE + +// rev see also MEMORY_IMAGE_EXTENSION_INFORMATION +typedef struct _RTL_SCPCFG_NTDLL_EXPORTS +{ + PVOID ScpCfgHeader_Nop; + PVOID ScpCfgEnd_Nop; + PVOID ScpCfgHeader; + PVOID ScpCfgEnd; + PVOID ScpCfgHeader_ES; + PVOID ScpCfgEnd_ES; + PVOID ScpCfgHeader_Fptr; + PVOID ScpCfgEnd_Fptr; + PVOID LdrpGuardDispatchIcallNoESFptr; + PVOID __guard_dispatch_icall_fptr; + PVOID LdrpGuardCheckIcallNoESFptr; + PVOID __guard_check_icall_fptr; + PVOID LdrpHandleInvalidUserCallTarget; + struct + { + PVOID NtOpenFile; + PVOID NtCreateSection; + PVOID NtQueryAttributesFile; + PVOID NtOpenSection; + PVOID NtMapViewOfSection; + } LdrpCriticalLoaderFunctions; +} RTL_SCPCFG_NTDLL_EXPORTS, * PRTL_SCPCFG_NTDLL_EXPORTS; + +// rev +#if (NTDDI_VERSION >= NTDDI_WIN11_GE) +NTSYSAPI RTL_SCPCFG_NTDLL_EXPORTS RtlpScpCfgNtdllExports; +#endif + +#endif // !_KERNEL_MODE // // Load as data table @@ -816,7 +848,7 @@ NTSTATUS NTAPI LdrAddLoadAsDataTable( _In_ PVOID Module, - _In_ PWSTR FilePath, + _In_ PCWSTR FilePath, _In_ SIZE_T Size, _In_ HANDLE Handle, _In_opt_ struct _ACTIVATION_CONTEXT* ActCtx @@ -1130,6 +1162,17 @@ LdrResFindResourceDirectory( _In_ ULONG Flags ); +NTSYSAPI +NTSTATUS +NTAPI +LdrpResGetResourceDirectory( + _In_ PVOID DllHandle, + _In_ SIZE_T Size, + _In_ ULONG Flags, + _Out_opt_ PIMAGE_RESOURCE_DIRECTORY* ResourceDirectory, + _Out_ PIMAGE_NT_HEADERS* OutHeaders +); + /** * The LdrResSearchResource function searches for a resource in a DLL. * @@ -1172,7 +1215,7 @@ NTSTATUS NTAPI LdrResGetRCConfig( _In_ PVOID DllHandle, - _In_ SIZE_T Length, + _In_opt_ SIZE_T Length, _Out_writes_bytes_opt_(Length) PVOID Config, _In_ ULONG Flags, _In_ BOOLEAN AlternateResource // LdrLoadAlternateResourceModule 
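Review bot: `RTL_SCPCFG_NTDLL_EXPORTS` in the `@@ -803,7 +803,39 @@` hunk is declared unconditionally while only the `RtlpScpCfgNtdllExports` data symbol is gated on `NTDDI_WIN11_GE`, and the `// rev` layout carries no note of which ntdll build it was recovered from. Because the members mirror guard-dispatch function pointers and the loader's critical function table, a stale layout would be read as the wrong pointers; a comment such as `// rev layout from ntdll <BUILD> — re-verify on each release` (fill in the build) next to the struct makes the version dependency explicit. The `#endif // !_KERNEL_MODE` comment fix in the same hunk correctly matches the `#ifndef` it closes.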
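Review bot: The new `LdrpResGetResourceDirectory` prototype in the `@@ -1130,6 +1162,17 @@` hunk has no comment, while the neighbouring `LdrResSearchResource` carries a Doxygen block and other undocumented entries in this header are at least tagged `// rev` or `// private`; a reader cannot tell what `Size` bounds or whether `OutHeaders` is always written. Add a provenance tag and a short description, e.g. `// rev — Size: byte size of the mapped image at DllHandle (confirm); ResourceDirectory may be omitted, OutHeaders is required`, after verifying the meaning of `Size` rather than stating it from the name.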
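Review bot: `_In_opt_` on the by-value `SIZE_T Length` of `LdrResGetRCConfig` (`@@ -1172,7 +1215,7 @@` hunk) is not meaningful: the `_opt_` SAL suffix says a pointer may be NULL, and an integer passed by value has no null state, so analysers ignore it and readers are misled into thinking the parameter is a pointer. `Config` is already `_Out_writes_bytes_opt_(Length)`, which covers the absent-buffer case; keep `_In_ SIZE_T Length` and, if zero is the intended value when `Config` is NULL, say so with `// Length may be 0 when Config is NULL`.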
@@ -1500,7 +1543,7 @@ NTSYSAPI NTSTATUS NTAPI LdrUpdatePackageSearchPath( - _In_ PWSTR SearchPath + _In_ PCWSTR SearchPath ); // rev @@ -1577,12 +1620,33 @@ NTSTATUS NTAPI LdrLoadEnclaveModule( _In_ PVOID BaseAddress, - _In_opt_ PWSTR DllPath, + _In_opt_ PCWSTR DllPath, _In_ PUNICODE_STRING DllName ); #endif // (NTDDI_VERSION >= NTDDI_WINTHRESHOLD) -#endif // _KERNEL_MODE +/** + * This function forcefully terminates the calling program if it is invoked inside a loader callout. Otherwise, it has no effect. + * + * @remarks This routine does not catch all potential deadlock cases; it is possible for a thread inside a loader callout + * to acquire a lock while some thread outside a loader callout holds the same lock and makes a call into the loader. + * In other words, there can be a lock order inversion between the loader lock and a client lock. + */ +NTSYSAPI +VOID +NTAPI +LdrFastFailInLoaderCallout( + VOID +); + +NTSYSAPI +BOOLEAN +NTAPI +LdrFlushAlternateResourceModules( + VOID +); + +#endif // !_KERNEL_MODE // // Driver Section diff --git a/Veil/Veil.System.MemoryManager.h b/Veil/Veil.System.MemoryManager.h index b179843..36ddfc2 100644 --- a/Veil/Veil.System.MemoryManager.h +++ b/Veil/Veil.System.MemoryManager.h 
@@ -1531,26 +1531,25 @@ typedef struct _MEMORY_PARTITION_CONFIGURATION_INFORMATION ULONG NumaNode; ULONG Channel; ULONG NumberOfNumaNodes; - ULONG_PTR ResidentAvailablePages; - ULONG_PTR CommittedPages; - ULONG_PTR CommitLimit; - ULONG_PTR PeakCommitment; - ULONG_PTR TotalNumberOfPages; - ULONG_PTR AvailablePages; - ULONG_PTR ZeroPages; - ULONG_PTR FreePages; - ULONG_PTR StandbyPages; - ULONG_PTR StandbyPageCountByPriority[8]; // since REDSTONE2 - ULONG_PTR RepurposedPagesByPriority[8]; - ULONG_PTR MaximumCommitLimit; - ULONG_PTR Reserved; // DonatedPagesToPartitions - ULONG PartitionId; // since REDSTONE3 + SIZE_T ResidentAvailablePages; + SIZE_T CommittedPages; + SIZE_T CommitLimit; + SIZE_T PeakCommitment; + SIZE_T TotalNumberOfPages; + SIZE_T AvailablePages; + SIZE_T ZeroPages; + SIZE_T FreePages; + SIZE_T StandbyPages; + SIZE_T StandbyPageCountByPriority[8]; // since REDSTONE2 + SIZE_T RepurposedPagesByPriority[8]; + SIZE_T MaximumCommitLimit; + SIZE_T Reserved; // DonatedPagesToPartitions } MEMORY_PARTITION_CONFIGURATION_INFORMATION, * PMEMORY_PARTITION_CONFIGURATION_INFORMATION; // private typedef struct _MEMORY_PARTITION_TRANSFER_INFORMATION { - ULONG_PTR NumberOfPages; + SIZE_T NumberOfPages; ULONG NumaNode; ULONG Flags; } MEMORY_PARTITION_TRANSFER_INFORMATION, * PMEMORY_PARTITION_TRANSFER_INFORMATION; @@ -1569,7 +1568,7 @@ typedef struct _MEMORY_PARTITION_PAGE_COMBINE_INFORMATION { HANDLE StopHandle; ULONG Flags; - ULONG_PTR TotalNumberOfPages; + SIZE_T TotalNumberOfPages; } MEMORY_PARTITION_PAGE_COMBINE_INFORMATION, * PMEMORY_PARTITION_PAGE_COMBINE_INFORMATION; // private @@ -1584,7 +1583,7 @@ typedef struct _MEMORY_PARTITION_INITIAL_ADD_INFORMATION { ULONG Flags; ULONG NumberOfRanges; - ULONG_PTR NumberOfPagesAdded; + SIZE_T NumberOfPagesAdded; MEMORY_PARTITION_PAGE_RANGE PartitionRanges[1]; } MEMORY_PARTITION_INITIAL_ADD_INFORMATION, * PMEMORY_PARTITION_INITIAL_ADD_INFORMATION; 
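Review bot: The `@@ -1531,26 +1531,25 @@` hunk removes `ULONG PartitionId; // since REDSTONE3` from `MEMORY_PARTITION_CONFIGURATION_INFORMATION` without adding it back — fourteen `-` field lines, thirteen `+` lines, and the header's 26-to-25 line count all show the net loss. Unless the field was dropped on purpose, the struct is now one ULONG short, so callers that size the query buffer with `sizeof(MEMORY_PARTITION_CONFIGURATION_INFORMATION)` pass a smaller length than before and lose the partition id. Restore `ULONG PartitionId; // since REDSTONE3` after `SIZE_T Reserved; // DonatedPagesToPartitions`, or state the intentional removal in the commit.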
@@ -1602,7 +1601,7 @@ typedef struct _MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION } Flags; ULONG HandleAttributes; - ULONG DesiredAccess; + ACCESS_MASK DesiredAccess; HANDLE LowCommitCondition; // \KernelObjects\LowCommitCondition HANDLE HighCommitCondition; // \KernelObjects\HighCommitCondition HANDLE MaximumCommitCondition; // \KernelObjects\MaximumCommitCondition @@ -1616,7 +1615,7 @@ NtCreatePartition( _In_opt_ HANDLE ParentPartitionHandle, _Out_ PHANDLE PartitionHandle, _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ ULONG PreferredNode ); @@ -1628,7 +1627,7 @@ ZwCreatePartition( _In_opt_ HANDLE ParentPartitionHandle, _Out_ PHANDLE PartitionHandle, _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ ULONG PreferredNode ); @@ -1638,7 +1637,7 @@ NTAPI NtOpenPartition( _Out_ PHANDLE PartitionHandle, _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes + _In_ PCOBJECT_ATTRIBUTES ObjectAttributes ); _IRQL_requires_max_(PASSIVE_LEVEL) @@ -1648,7 +1647,7 @@ NTAPI ZwOpenPartition( _Out_ PHANDLE PartitionHandle, _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes + _In_ PCOBJECT_ATTRIBUTES ObjectAttributes ); _Must_inspect_result_ @@ -1685,7 +1684,7 @@ NTSTATUS NTAPI NtMapUserPhysicalPages( _In_ PVOID VirtualAddress, - _In_ ULONG_PTR NumberOfPages, + _In_ SIZE_T NumberOfPages, _In_reads_opt_(NumberOfPages) PULONG_PTR UserPfnArray ); @@ -1695,7 +1694,7 @@ NTSTATUS NTAPI ZwMapUserPhysicalPages( _In_ PVOID VirtualAddress, - _In_ ULONG_PTR NumberOfPages, + _In_ SIZE_T NumberOfPages, _In_reads_opt_(NumberOfPages) PULONG_PTR UserPfnArray ); 
@@ -1704,7 +1703,7 @@ NTSTATUS NTAPI NtMapUserPhysicalPagesScatter( _In_reads_(NumberOfPages) PVOID* VirtualAddresses, - _In_ ULONG_PTR NumberOfPages, + _In_ SIZE_T NumberOfPages, _In_reads_opt_(NumberOfPages) PULONG_PTR UserPfnArray ); @@ -1714,7 +1713,7 @@ NTSTATUS NTAPI ZwMapUserPhysicalPagesScatter( _In_reads_(NumberOfPages) PVOID* VirtualAddresses, - _In_ ULONG_PTR NumberOfPages, + _In_ SIZE_T NumberOfPages, _In_reads_opt_(NumberOfPages) PULONG_PTR UserPfnArray ); @@ -1723,7 +1722,7 @@ NTSTATUS NTAPI NtAllocateUserPhysicalPages( _In_ HANDLE ProcessHandle, - _Inout_ PULONG_PTR NumberOfPages, + _Inout_ PSIZE_T NumberOfPages, _Out_writes_(*NumberOfPages) PULONG_PTR UserPfnArray ); @@ -1733,7 +1732,7 @@ NTSTATUS NTAPI ZwAllocateUserPhysicalPages( _In_ HANDLE ProcessHandle, - _Inout_ PULONG_PTR NumberOfPages, + _Inout_ PSIZE_T NumberOfPages, _Out_writes_(*NumberOfPages) PULONG_PTR UserPfnArray ); @@ -1743,7 +1742,7 @@ NTSTATUS NTAPI NtAllocateUserPhysicalPagesEx( _In_ HANDLE ProcessHandle, - _Inout_ PULONG_PTR NumberOfPages, + _Inout_ PSIZE_T NumberOfPages, _Out_writes_(*NumberOfPages) PULONG_PTR UserPfnArray, _Inout_updates_opt_(ParameterCount) PMEM_EXTENDED_PARAMETER ExtendedParameters, _In_ ULONG ExtendedParameterCount @@ -1755,7 +1754,7 @@ NTSTATUS NTAPI ZwAllocateUserPhysicalPagesEx( _In_ HANDLE ProcessHandle, - _Inout_ PULONG_PTR NumberOfPages, + _Inout_ PSIZE_T NumberOfPages, _Out_writes_(*NumberOfPages) PULONG_PTR UserPfnArray, _Inout_updates_opt_(ParameterCount) PMEM_EXTENDED_PARAMETER ExtendedParameters, _In_ ULONG ExtendedParameterCount @@ -1792,7 +1791,7 @@ NtGetWriteWatch( _In_ PVOID BaseAddress, _In_ SIZE_T RegionSize, _Out_writes_(*EntriesInUserAddressArray) PVOID* UserAddressArray, - _Inout_ PULONG_PTR EntriesInUserAddressArray, + _Inout_ PSIZE_T EntriesInUserAddressArray, _Out_ PULONG Granularity ); 
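Review bot: `NtAllocateUserPhysicalPagesEx` and `ZwAllocateUserPhysicalPagesEx` (`@@ -1743,7 +1742,7 @@` and `@@ -1755,7 +1754,7 @@` hunks) annotate `ExtendedParameters` with `_Inout_updates_opt_(ParameterCount)`, but the count parameter on the next line is `ExtendedParameterCount`; the annotation names a parameter that does not exist, so analysers cannot tie the buffer to its length. This is a context line the commit did not touch, but it sits in both hunks and is cheap to fix: `_Inout_updates_opt_(ExtendedParameterCount) PMEM_EXTENDED_PARAMETER ExtendedParameters,` in both declarations. The closing `);` of each prototype lies past the hunk end.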
@@ -1806,7 +1805,7 @@ ZwGetWriteWatch( _In_ PVOID BaseAddress, _In_ SIZE_T RegionSize, _Out_writes_(*EntriesInUserAddressArray) PVOID* UserAddressArray, - _Inout_ PULONG_PTR EntriesInUserAddressArray, + _Inout_ PSIZE_T EntriesInUserAddressArray, _Out_ PULONG Granularity ); diff --git a/Veil/Veil.System.ObjectManager.h b/Veil/Veil.System.ObjectManager.h index fe375c5..179cc3b 100644 --- a/Veil/Veil.System.ObjectManager.h +++ b/Veil/Veil.System.ObjectManager.h @@ -51,7 +51,7 @@ VEIL_BEGIN() #define SYMBOLIC_LINK_QUERY (0x0001) #define SYMBOLIC_LINK_SET (0x0002) #define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1) -#define SYMBOLIC_LINK_ALL_ACCESS_EX (STANDARD_RIGHTS_REQUIRED | 0xFFFF) +#define SYMBOLIC_LINK_ALL_ACCESS_EX (STANDARD_RIGHTS_REQUIRED | SPECIFIC_RIGHTS_ALL) #endif // !_KERNEL_MODE #ifndef _KERNEL_MODE 
@@ -76,28 +76,37 @@ typedef enum _OBJECT_INFORMATION_CLASS #define ObjectSessionObjectInformation ((_OBJECT_INFORMATION_CLASS)6) #endif // !_KERNEL_MODE +/** + * The OBJECT_BASIC_INFORMATION structure contains basic information about an object. + */ typedef struct _OBJECT_BASIC_INFORMATION { - ULONG Attributes; - ACCESS_MASK GrantedAccess; - ULONG HandleCount; - ULONG PointerCount; - ULONG PagedPoolCharge; - ULONG NonPagedPoolCharge; - ULONG Reserved[3]; - ULONG NameInfoSize; - ULONG TypeInfoSize; - ULONG SecurityDescriptorSize; - LARGE_INTEGER CreationTime; + ULONG Attributes; // The attributes of the object include whether the object is permanent, can be inherited, and other characteristics. + ACCESS_MASK GrantedAccess; // Specifies a mask that represents the granted access when the object was created. + ULONG HandleCount; // The number of handles that are currently open for the object. + ULONG PointerCount; // The number of references to the object from both handles and other references, such as those from the system. + ULONG PagedPoolCharge; // The amount of paged pool memory that the object is using. + ULONG NonPagedPoolCharge; // The amount of non-paged pool memory that the object is using. + ULONG Reserved[3]; // Reserved for future use. + ULONG NameInfoSize; // The size of the name information for the object. + ULONG TypeInfoSize; // The size of the type information for the object. + ULONG SecurityDescriptorSize; // The size of the security descriptor for the object. + LARGE_INTEGER CreationTime; // The time when a symbolic link was created. Not supported for other types of objects. } OBJECT_BASIC_INFORMATION, * POBJECT_BASIC_INFORMATION; #ifndef _KERNEL_MODE +/** + * The OBJECT_NAME_INFORMATION structure contains the name, if there is one, of a given object. + */ typedef struct _OBJECT_NAME_INFORMATION { - UNICODE_STRING Name; + UNICODE_STRING Name; // The object name (when present) includes a NULL-terminator and all path separators "\" in the name. 
} OBJECT_NAME_INFORMATION, * POBJECT_NAME_INFORMATION; #endif // !_KERNEL_MODE +/** + * The OBJECT_NAME_INFORMATION structure contains various statistics and properties about an object type. + */ typedef struct _OBJECT_TYPE_INFORMATION { UNICODE_STRING TypeName; diff --git a/Veil/Veil.System.PowerManager.h b/Veil/Veil.System.PowerManager.h index 325ce5f..4718abd 100644 --- a/Veil/Veil.System.PowerManager.h +++ b/Veil/Veil.System.PowerManager.h 
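Review bot: The comment added above `typedef struct _OBJECT_TYPE_INFORMATION` says `The OBJECT_NAME_INFORMATION structure contains various statistics and properties about an object type.`, naming the wrong structure; it should read `The OBJECT_TYPE_INFORMATION structure contains various statistics and properties about an object type.`. The hunk (`@@ -76,28 +76,37 @@`, starting on the previous physical line) ends at `UNICODE_STRING TypeName;`, so the rest of that struct is outside the view.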
@@ -26,6 +26,107 @@ VEIL_BEGIN() +// POWER_INFORMATION_LEVEL +//#define SystemPowerPolicyAc 0 // SYSTEM_POWER_POLICY // GET: InputBuffer NULL. SET: InputBuffer not NULL. +//#define SystemPowerPolicyDc 1 // SYSTEM_POWER_POLICY +//#define VerifySystemPolicyAc 2 // SYSTEM_POWER_POLICY +//#define VerifySystemPolicyDc 3 // SYSTEM_POWER_POLICY +//#define SystemPowerCapabilities 4 // SYSTEM_POWER_CAPABILITIES +//#define SystemBatteryState 5 // SYSTEM_BATTERY_STATE +//#define SystemPowerStateHandler 6 // POWER_STATE_HANDLER // (kernel-mode only) +//#define ProcessorStateHandler 7 // PROCESSOR_STATE_HANDLER // (kernel-mode only) +//#define SystemPowerPolicyCurrent 8 // SYSTEM_POWER_POLICY +//#define AdministratorPowerPolicy 9 // ADMINISTRATOR_POWER_POLICY +//#define SystemReserveHiberFile 10 // BOOLEAN // (requires SeCreatePagefilePrivilege) // TRUE: hibernation file created. FALSE: hibernation file deleted. +//#define ProcessorInformation 11 // PROCESSOR_POWER_INFORMATION +//#define SystemPowerInformation 12 // SYSTEM_POWER_INFORMATION +//#define ProcessorStateHandler2 13 // PROCESSOR_STATE_HANDLER2 // not implemented +//#define LastWakeTime 14 // ULONGLONG // InterruptTime +//#define LastSleepTime 15 // ULONGLONG // InterruptTime +//#define SystemExecutionState 16 // EXECUTION_STATE // NtSetThreadExecutionState +//#define SystemPowerStateNotifyHandler 17 // POWER_STATE_NOTIFY_HANDLER // (kernel-mode only) +//#define ProcessorPowerPolicyAc 18 // PROCESSOR_POWER_POLICY // not implemented +//#define ProcessorPowerPolicyDc 19 // PROCESSOR_POWER_POLICY // not implemented +//#define VerifyProcessorPowerPolicyAc 20 // PROCESSOR_POWER_POLICY // not implemented +//#define VerifyProcessorPowerPolicyDc 21 // PROCESSOR_POWER_POLICY // not implemented +//#define ProcessorPowerPolicyCurrent 22 // PROCESSOR_POWER_POLICY // not implemented +//#define SystemPowerStateLogging 23 // SYSTEM_POWER_STATE_DISABLE_REASON[] +//#define SystemPowerLoggingEntry 24 // SYSTEM_POWER_LOGGING_ENTRY[] // 
(kernel-mode only) +//#define SetPowerSettingValue 25 // (kernel-mode only) +//#define NotifyUserPowerSetting 26 // not implemented +//#define PowerInformationLevelUnused0 27 // not implemented +//#define SystemMonitorHiberBootPowerOff 28 // NULL (PowerMonitorOff) +//#define SystemVideoState 29 // MONITOR_DISPLAY_STATE +//#define TraceApplicationPowerMessage 30 // (kernel-mode only) +//#define TraceApplicationPowerMessageEnd 31 // (kernel-mode only) +//#define ProcessorPerfStates 32 // (kernel-mode only) +//#define ProcessorIdleStates 33 // PROCESSOR_IDLE_STATES // (kernel-mode only) +//#define ProcessorCap 34 // PROCESSOR_CAP // (kernel-mode only) +//#define SystemWakeSource 35 // out: POWER_WAKE_SOURCE_INFO +//#define SystemHiberFileInformation 36 // out: SYSTEM_HIBERFILE_INFORMATION +//#define TraceServicePowerMessage 37 +//#define ProcessorLoad 38 // in: PROCESSOR_LOAD (sets), in: PPROCESSOR_NUMBER (clears) +//#define PowerShutdownNotification 39 // (kernel-mode only) +//#define MonitorCapabilities 40 // (kernel-mode only) +//#define SessionPowerInit 41 // (kernel-mode only) +//#define SessionDisplayState 42 // (kernel-mode only) +//#define PowerRequestCreate 43 // in: COUNTED_REASON_CONTEXT, out: HANDLE +//#define PowerRequestAction 44 // in: POWER_REQUEST_ACTION +//#define GetPowerRequestList 45 // out: POWER_REQUEST_LIST +//#define ProcessorInformationEx 46 // in: USHORT ProcessorGroup, out: PROCESSOR_POWER_INFORMATION +//#define NotifyUserModeLegacyPowerEvent 47 // (kernel-mode only) +//#define GroupPark 48 // (debug-mode boot only) +//#define ProcessorIdleDomains 49 // (kernel-mode only) +//#define WakeTimerList 50 // out: WAKE_TIMER_INFO[] +//#define SystemHiberFileSize 51 // ULONG +//#define ProcessorIdleStatesHv 52 // (kernel-mode only) +//#define ProcessorPerfStatesHv 53 // (kernel-mode only) +//#define ProcessorPerfCapHv 54 // PROCESSOR_PERF_CAP_HV // (kernel-mode only) +//#define ProcessorSetIdle 55 // (debug-mode boot only) +//#define 
LogicalProcessorIdling 56 // (kernel-mode only) +//#define UserPresence 57 // POWER_USER_PRESENCE // not implemented +//#define PowerSettingNotificationName 58 // in: ? (optional) // out: PWNF_STATE_NAME (RtlSubscribeWnfStateChangeNotification) +//#define GetPowerSettingValue 59 // GUID +//#define IdleResiliency 60 // POWER_IDLE_RESILIENCY +//#define SessionRITState 61 // POWER_SESSION_RIT_STATE +//#define SessionConnectNotification 62 // POWER_SESSION_WINLOGON +//#define SessionPowerCleanup 63 +//#define SessionLockState 64 // POWER_SESSION_WINLOGON +//#define SystemHiberbootState 65 // BOOLEAN // fast startup supported +//#define PlatformInformation 66 // BOOLEAN // connected standby supported +//#define PdcInvocation 67 // (kernel-mode only) +//#define MonitorInvocation 68 // (kernel-mode only) +//#define FirmwareTableInformationRegistered 69 // (kernel-mode only) +//#define SetShutdownSelectedTime 70 // in: NULL +//#define SuspendResumeInvocation 71 // (kernel-mode only) +//#define PlmPowerRequestCreate 72 // in: COUNTED_REASON_CONTEXT, out: HANDLE +//#define ScreenOff 73 // in: NULL (PowerMonitorOff) +//#define CsDeviceNotification 74 // (kernel-mode only) +//#define PlatformRole 75 // POWER_PLATFORM_ROLE +//#define LastResumePerformance 76 // RESUME_PERFORMANCE +//#define DisplayBurst 77 // in: NULL (PowerMonitorOn) +//#define ExitLatencySamplingPercentage 78 // in: NULL (ClearExitLatencySamplingPercentage), in: ULONG (SetExitLatencySamplingPercentage) (max 100) +//#define RegisterSpmPowerSettings 79 // (kernel-mode only) +//#define PlatformIdleStates 80 // (kernel-mode only) +//#define ProcessorIdleVeto 81 // (kernel-mode only) // deprecated +//#define PlatformIdleVeto 82 // (kernel-mode only) // deprecated +//#define SystemBatteryStatePrecise 83 // SYSTEM_BATTERY_STATE +//#define ThermalEvent 84 // THERMAL_EVENT // PowerReportThermalEvent +//#define PowerRequestActionInternal 85 // POWER_REQUEST_ACTION_INTERNAL +//#define BatteryDeviceState 86 +//#define 
PowerInformationInternal 87 // POWER_INFORMATION_LEVEL_INTERNAL // PopPowerInformationInternal +//#define ThermalStandby 88 // NULL // shutdown with thermal standby as reason. +//#define SystemHiberFileType 89 // ULONG // zero ? reduced : full // powercfg.exe /h /type +//#define PhysicalPowerButtonPress 90 // BOOLEAN +//#define QueryPotentialDripsConstraint 91 // (kernel-mode only) +//#define EnergyTrackerCreate 92 +//#define EnergyTrackerQuery 93 +//#define UpdateBlackBoxRecorder 94 +//#define SessionAllowExternalDmaDevices 95 // POWER_SESSION_ALLOW_EXTERNAL_DMA_DEVICES +//#define SendSuspendResumeNotification 96 // since WIN11 +//#define BlackBoxRecorderDirectAccessBuffer 97 +//#define PowerInformationLevelMaximum 98 + typedef struct _PROCESSOR_POWER_INFORMATION { ULONG Number; @@ -210,7 +311,7 @@ typedef struct _DIAGNOSTIC_BUFFER typedef struct _WAKE_TIMER_INFO { SIZE_T OffsetToNext; - ULARGE_INTEGER DueTime; + LARGE_INTEGER DueTime; ULONG Period; DIAGNOSTIC_BUFFER ReasonContext; } WAKE_TIMER_INFO, * PWAKE_TIMER_INFO; 
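Review bot: The `@@ -26,6 +26,107 @@` hunk (starting three physical lines earlier) adds a block of commented-out `//#define` lines for levels 0 through 98 with no explanation of why they are commented out, so a reader cannot tell dead code from deliberate reference material; presumably the `POWER_INFORMATION_LEVEL` enum is already supplied by the SDK headers and these exist only to record the in/out types and requirements. A one-line heading such as `// POWER_INFORMATION_LEVEL (reference only — the enum itself comes from the SDK, so these stay commented out)` would make that explicit. The inline tags like `(requires SeCreatePagefilePrivilege)` and `(kernel-mode only)` are useful; keeping the `(requires ...)` form consistent across the file makes them greppable.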
@@ -465,15 +566,15 @@ typedef enum _POWER_INFORMATION_LEVEL_INTERNAL PowerInternalStandbyNetworkRequest, // POWER_STANDBY_NETWORK_REQUEST (requires PopNetBIServiceSid) PowerInternalDirtyTransitionInformation, // out: BOOLEAN PowerInternalSetBackgroundTaskState, // POWER_SET_BACKGROUND_TASK_STATE - PowerInternalTtmOpenTerminal, - PowerInternalTtmCreateTerminal, // 10 - PowerInternalTtmEvacuateDevices, - PowerInternalTtmCreateTerminalEventQueue, - PowerInternalTtmGetTerminalEvent, - PowerInternalTtmSetDefaultDeviceAssignment, - PowerInternalTtmAssignDevice, - PowerInternalTtmSetDisplayState, - PowerInternalTtmSetDisplayTimeouts, + PowerInternalTtmOpenTerminal, // (requires SeShutdownPrivilege and terminalPowerManagement capability) + PowerInternalTtmCreateTerminal, // (requires SeShutdownPrivilege and terminalPowerManagement capability) // 10 + PowerInternalTtmEvacuateDevices, // (requires SeShutdownPrivilege and terminalPowerManagement capability) + PowerInternalTtmCreateTerminalEventQueue, // (requires SeShutdownPrivilege and terminalPowerManagement capability) + PowerInternalTtmGetTerminalEvent, // (requires SeShutdownPrivilege and terminalPowerManagement capability) + PowerInternalTtmSetDefaultDeviceAssignment, // (requires SeShutdownPrivilege and terminalPowerManagement capability) + PowerInternalTtmAssignDevice, // (requires SeShutdownPrivilege and terminalPowerManagement capability) + PowerInternalTtmSetDisplayState, // (requires SeShutdownPrivilege and terminalPowerManagement capability) + PowerInternalTtmSetDisplayTimeouts, // (requires SeShutdownPrivilege and terminalPowerManagement capability) PowerInternalBootSessionStandbyActivationInformation, // out: POWER_BOOT_SESSION_STANDBY_ACTIVATION_INFO PowerInternalSessionPowerState, // in: POWER_SESSION_POWER_STATE PowerInternalSessionTerminalInput, // 20 
@@ -503,8 +604,8 @@ typedef enum _POWER_INFORMATION_LEVEL_INTERNAL PowerInternalTimeBrokerExpirationReason, PowerInternalNotifyUserShutdownStatus, PowerInternalPowerRequestTerminalCoreWindow, - PowerInternalProcessorIdleVeto, - PowerInternalPlatformIdleVeto, + PowerInternalProcessorIdleVeto, // PROCESSOR_IDLE_VETO + PowerInternalPlatformIdleVeto, // PLATFORM_IDLE_VETO PowerInternalIsLongPowerButtonBugcheckEnabled, PowerInternalAutoChkCausedReboot, // 50 PowerInternalSetWakeAlarmOverride, @@ -534,8 +635,8 @@ typedef enum _POWER_INFORMATION_LEVEL_INTERNAL PowerInternalClassIdleIntervalStats, PowerInternalCpuNodeConcurrencyStats, PowerInternalClassConcurrencyStats, - PowerInternalQueryProcMeasurementCapabilities, - PowerInternalQueryProcMeasurementValues, + PowerInternalQueryProcMeasurementCapabilities, // PPROCESSOR_QUERY_MEASUREMENT_CAPABILITIES + PowerInternalQueryProcMeasurementValues, // PROCESSOR_QUERY_MEASUREMENT_VALUES PowerInternalPrepareForSystemInitiatedReboot, // 80 PowerInternalGetAdaptiveSessionState, PowerInternalSetConsoleLockedState, @@ -671,6 +772,25 @@ typedef struct _POWER_INTERNAL_PROCESSOR_BRANDED_FREQUENCY_OUTPUT ULONG NominalFrequency; // if (Domain) Prcb->PowerState.CheckContext.Domain.NominalFrequency else Prcb->MHz } POWER_INTERNAL_PROCESSOR_BRANDED_FREQUENCY_OUTPUT, * PPOWER_INTERNAL_PROCESSOR_BRANDED_FREQUENCY_OUTPUT; +// rev +typedef struct _PROCESSOR_IDLE_VETO +{ + ULONG Version; + PROCESSOR_NUMBER ProcessorNumber; + ULONG StateIndex; + ULONG VetoReason; + UCHAR Increment; +} PROCESSOR_IDLE_VETO, * PPROCESSOR_IDLE_VETO; + +// rev +typedef struct _PLATFORM_IDLE_VETO +{ + ULONG Version; + ULONG StateIndex; + ULONG VetoReason; + UCHAR Increment; +} PLATFORM_IDLE_VETO, * PPLATFORM_IDLE_VETO; + // rev typedef struct _POWER_INTERNAL_BOOTAPP_DIAGNOSTIC { diff --git a/Veil/Veil.System.Process.h b/Veil/Veil.System.Process.h index b0bb228..915a528 100644 --- a/Veil/Veil.System.Process.h +++ b/Veil/Veil.System.Process.h 
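Review bot: In the `@@ -534,8 +635,8 @@` hunk the comment on `PowerInternalQueryProcMeasurementCapabilities` names a pointer typedef, `// PPROCESSOR_QUERY_MEASUREMENT_CAPABILITIES`, while the sibling line and the rest of the enum annotate the structure type itself (`// PROCESSOR_QUERY_MEASUREMENT_VALUES`); drop the leading `P` so the two read alike. In the `@@ -671,6 +772,25 @@` hunk, `PROCESSOR_IDLE_VETO` and `PLATFORM_IDLE_VETO` each begin with `ULONG Version` but say nothing about the value callers must set; if it is known, add `// expected value: <VERSION>` (fill in) on each, and since both are `// rev` the layouts are worth re-checking against the input sizes the kernel accepts.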
@@ -155,6 +155,7 @@ typedef struct _RTL_CRITICAL_SECTION* PRTL_CRITICAL_SECTION;
 // private
 #define KACF_OLDGETSHORTPATHNAME 0x00000001
 #define KACF_VERSIONLIE_NOT_USED 0x00000002
+#define KACF_GETTEMPPATH_NOT_USED 0x00000004
 #define KACF_GETDISKFREESPACE 0x00000008
 #define KACF_FTMFROMCURRENTAPT 0x00000020
 #define KACF_DISALLOWORBINDINGCHANGES 0x00000040
@@ -177,7 +178,7 @@ typedef struct _RTL_CRITICAL_SECTION* PRTL_CRITICAL_SECTION;
 #define KACF_ALLOWMAXIMIZEDWINDOWGAMMA 0x01000000
 #define KACF_DONOTADDTOCACHE 0x80000000
-// private
+// PEB->ApiSetMap
 typedef struct _API_SET_NAMESPACE
 {
 ULONG Version;
@@ -217,7 +218,7 @@ typedef struct _API_SET_VALUE_ENTRY
 ULONG ValueLength;
 } API_SET_VALUE_ENTRY, * PAPI_SET_VALUE_ENTRY;
-// private
+// PEB->TelemetryCoverageHeader
 typedef struct _TELEMETRY_COVERAGE_HEADER
 {
 UCHAR MajorVersion;
@@ -239,6 +240,97 @@ typedef struct _TELEMETRY_COVERAGE_HEADER ULONG HashTable[ANYSIZE_ARRAY]; } TELEMETRY_COVERAGE_HEADER, * PTELEMETRY_COVERAGE_HEADER; +typedef struct _WER_RECOVERY_INFO +{ + ULONG Length; + PVOID Callback; + PVOID Parameter; + HANDLE Started; + HANDLE Finished; + HANDLE InProgress; + LONG LastError; + BOOL Successful; + ULONG PingInterval; + ULONG Flags; +} WER_RECOVERY_INFO, * PWER_RECOVERY_INFO; + +typedef struct _WER_FILE +{ + USHORT Flags; + WCHAR Path[MAX_PATH]; +} WER_FILE, * PWER_FILE; + +typedef struct _WER_MEMORY +{ + PVOID Address; + ULONG Size; +} WER_MEMORY, * PWER_MEMORY; + +typedef struct _WER_GATHER +{ + PVOID Next; + USHORT Flags; + union + { + WER_FILE File; + WER_MEMORY Memory; + } v; +} WER_GATHER, * PWER_GATHER; + +typedef struct _WER_METADATA +{ + PVOID Next; + WCHAR Key[64]; + WCHAR Value[128]; +} WER_METADATA, * PWER_METADATA; + +typedef struct _WER_RUNTIME_DLL +{ + PVOID Next; + ULONG Length; + PVOID Context; + WCHAR CallbackDllPath[MAX_PATH]; +} WER_RUNTIME_DLL, * PWER_RUNTIME_DLL; + +typedef struct _WER_DUMP_COLLECTION +{ + PVOID Next; + ULONG ProcessId; + ULONG ThreadId; +} WER_DUMP_COLLECTION, * PWER_DUMP_COLLECTION; + +typedef struct _WER_HEAP_MAIN_HEADER +{ + WCHAR Signature[16]; + LIST_ENTRY Links; + HANDLE Mutex; + PVOID FreeHeap; + ULONG FreeCount; +} WER_HEAP_MAIN_HEADER, * PWER_HEAP_MAIN_HEADER; + +#ifndef RESTART_MAX_CMD_LINE +#define RESTART_MAX_CMD_LINE 1024 +#endif + +typedef struct _WER_PEB_HEADER_BLOCK +{ + LONG Length; + WCHAR Signature[16]; + WCHAR AppDataRelativePath[64]; + WCHAR RestartCommandLine[RESTART_MAX_CMD_LINE]; + WER_RECOVERY_INFO RecoveryInfo; + PWER_GATHER Gather; + PWER_METADATA MetaData; + PWER_RUNTIME_DLL RuntimeDll; + PWER_DUMP_COLLECTION DumpCollection; + LONG GatherCount; + LONG MetaDataCount; + LONG DumpCount; + LONG Flags; + WER_HEAP_MAIN_HEADER MainHeader; + PVOID Reserved; +} WER_PEB_HEADER_BLOCK, * PWER_PEB_HEADER_BLOCK; + // symbols typedef struct _RTL_BITMAP* PRTL_BITMAP; 
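Review bot: The WER block is the only addition in this region with no provenance marker, while its neighbours carry `// private`, `// rev` or `// symbols` (the `// symbols` line right after `WER_PEB_HEADER_BLOCK` is visible in the hunk), and since `WER_PEB_HEADER_BLOCK` is what the PEB's `WerRegistrationData` points at, a wrong layout misparses silently; a marker plus a size check in the file's existing style, `STATIC_ASSERT(sizeof(WER_PEB_HEADER_BLOCK) == <expected>)` like the `STATIC_ASSERT(sizeof(GDI_TEB_BATCH32) == 1248)` further down, would let the compiler catch drift. Nothing in this header guarantees that `WER_FILE::Path`, `WER_METADATA::Key`/`Value`, `RestartCommandLine` or `Signature` are NUL-terminated, and `Length`, `GatherCount`, `MetaDataCount` and `DumpCount` come from the target process; the `Gather`/`MetaData`/`RuntimeDll`/`DumpCollection` pointers are likewise addresses in that process, not the reader's. I'd add above `WER_PEB_HEADER_BLOCK`: `// Lives in the owning process; when read remotely, validate Length and the counts and bound every WCHAR array before use.` The `BOOL Successful` in `WER_RECOVERY_INFO` next to `LONG LastError` is fine but unusual for this file, which otherwise uses `BOOLEAN`/`ULONG` — confirm it matches the symbols.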
@@ -310,15 +402,24 @@ typedef struct _PEB PVOID OemCodePageData; // PCPTABLEINFO PVOID UnicodeCaseTableData; // PNLSTABLEINFO + // Information for LdrpInitialize ULONG NumberOfProcessors; ULONG NtGlobalFlag; - ULARGE_INTEGER CriticalSectionTimeout; + // Passed up from MmCreatePeb from Session Manager registry key + LARGE_INTEGER CriticalSectionTimeout; SIZE_T HeapSegmentReserve; SIZE_T HeapSegmentCommit; SIZE_T HeapDeCommitTotalFreeThreshold; SIZE_T HeapDeCommitFreeBlockThreshold; + // + // Where heap manager keeps track of all heaps created for a process + // Fields initialized by MmCreatePeb. ProcessHeaps is initialized + // to point to the first free byte after the PEB and MaximumNumberOfHeaps + // is computed from the page size used to hold the PEB, less the fixed + // size of this data structure. + // ULONG NumberOfHeaps; ULONG MaximumNumberOfHeaps; PVOID* ProcessHeaps; // PHEAP @@ -329,6 +430,10 @@ typedef struct _PEB PRTL_CRITICAL_SECTION LoaderLock; + // + // Following fields filled in by MmCreatePeb from system values and/or + // image header. + // ULONG OSMajorVersion; ULONG OSMinorVersion; USHORT OSBuildNumber; @@ -372,7 +477,7 @@ typedef struct _PEB USHORT UseCaseMapping; USHORT UnusedNlsField; - PVOID WerRegistrationData; + PWER_PEB_HEADER_BLOCK WerRegistrationData; PVOID WerShipAssertPtr; union 
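Review bot: The new comment on `CriticalSectionTimeout` reads `Passed up from MmCreatePeb from Session Manager registry key`, a doubled `from` that leaves the provenance ambiguous; `// Passed up by MmCreatePeb from the Session Manager registry key` says the same thing cleanly. The `ULARGE_INTEGER` → `LARGE_INTEGER` retyping keeps the field width and only changes the signedness of `QuadPart`, so any caller comparing the timeout against an unsigned value now compiles a signed comparison — worth one line in the commit description, since the hunk is otherwise comment-only. The `_PEB` definition starts and ends outside the hunk.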
@@ -631,25 +736,27 @@ STATIC_ASSERT(sizeof(GDI_TEB_BATCH32) == 1248); typedef struct _TEB_ACTIVE_FRAME_CONTEXT { ULONG Flags; - PSTR FrameName; + PCSTR FrameName; } TEB_ACTIVE_FRAME_CONTEXT, * PTEB_ACTIVE_FRAME_CONTEXT; +#define TEB_ACTIVE_FRAME_CONTEXT_FLAG_EXTENDED (0x00000001) + typedef struct _TEB_ACTIVE_FRAME_CONTEXT32 { ULONG Flags; - char * POINTER_32 FrameName; + const char * POINTER_32 FrameName; } TEB_ACTIVE_FRAME_CONTEXT32, * POINTER_32 PTEB_ACTIVE_FRAME_CONTEXT32; typedef struct _TEB_ACTIVE_FRAME_CONTEXT_EX { TEB_ACTIVE_FRAME_CONTEXT BasicContext; - PSTR SourceLocation; + PCSTR SourceLocation; } TEB_ACTIVE_FRAME_CONTEXT_EX, * PTEB_ACTIVE_FRAME_CONTEXT_EX; typedef struct _TEB_ACTIVE_FRAME_CONTEXT_EX32 { TEB_ACTIVE_FRAME_CONTEXT32 BasicContext; - char* POINTER_32 SourceLocation; + const char* POINTER_32 SourceLocation; } TEB_ACTIVE_FRAME_CONTEXT_EX32, * PTEB_ACTIVE_FRAME_CONTEXT_EX32; typedef struct _TEB_ACTIVE_FRAME @@ -693,14 +800,47 @@ typedef struct _FLS_DATA32 #define STATIC_UNICODE_BUFFER_LENGTH 261 #define WIN32_CLIENT_INFO_LENGTH 62 +/** + * Thread Environment Block (TEB) structure. + * + * This structure contains information about the currently executing thread. + */ typedef struct _TEB { + // + // Thread Information Block (TIB) contains the thread's stack, base and limit addresses, the current stack pointer, and the exception list. + // + NT_TIB NtTib; + // + // A pointer to the environment block for the thread. + // + PVOID EnvironmentPointer; + + // + // Client ID for this thread. + // + CLIENT_ID ClientId; + + // + // A handle to an active Remote Procedure Call (RPC) if the thread is currently involved in an RPC operation. + // + PVOID ActiveRpcHandle; + + // + // A pointer to the __declspec(thread) local storage array. + // + PVOID ThreadLocalStoragePointer; + + // + // A pointer to the Process Environment Block (PEB), which contains information about the process. + // + PPEB ProcessEnvironmentBlock; ULONG LastErrorValue; 
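Review bot: `TEB_ACTIVE_FRAME_CONTEXT_FLAG_EXTENDED` is introduced without saying what it flags, and the `Flags` field it belongs to stays uncommented, so a reader cannot tell when the `_EX` layout that immediately follows applies; a field comment such as `ULONG Flags; // TEB_ACTIVE_FRAME_CONTEXT_FLAG_EXTENDED: presumably marks a TEB_ACTIVE_FRAME_CONTEXT_EX carrying SourceLocation — confirm` ties the constant to its structure. In the `_TEB` hunk, the new `EnvironmentPointer` and `ActiveRpcHandle` comments assert semantics that the declarations do not show (both are bare `PVOID` fields with no use in this header), so unless they are lifted from symbols they should be hedged the way the file otherwise does with `// rev` / `// private`. The `_TEB` definition continues past the hunk.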
@@ -1640,7 +1780,7 @@ typedef enum _THREADINFOCLASS
 ThreadImpersonationToken, // s: HANDLE
 ThreadDescriptorTableEntry, // q: DESCRIPTOR_TABLE_ENTRY (or WOW64_DESCRIPTOR_TABLE_ENTRY)
 ThreadEnableAlignmentFaultFixup, // s: BOOLEAN
- ThreadEventPair,
+ ThreadEventPair, // Obsolete
 ThreadQuerySetWin32StartAddress, // q: ULONG_PTR
 ThreadZeroTlsCell, // s: ULONG // TlsIndex // 10
 ThreadPerformanceCount, // q: LARGE_INTEGER
@@ -1655,12 +1795,12 @@ typedef enum _THREADINFOCLASS
 ThreadIsTerminated, // q: ULONG // 20
 ThreadLastSystemCall, // q: THREAD_LAST_SYSCALL_INFORMATION
 ThreadIoPriority, // qs: IO_PRIORITY_HINT (requires SeIncreaseBasePriorityPrivilege)
- ThreadCycleTime, // q: THREAD_CYCLE_TIME_INFORMATION
+ ThreadCycleTime, // q: THREAD_CYCLE_TIME_INFORMATION (requires THREAD_QUERY_LIMITED_INFORMATION)
 ThreadPagePriority, // qs: PAGE_PRIORITY_INFORMATION
 ThreadActualBasePriority, // s: LONG (requires SeIncreaseBasePriorityPrivilege)
 ThreadTebInformation, // q: THREAD_TEB_INFORMATION (requires THREAD_GET_CONTEXT + THREAD_SET_CONTEXT)
 ThreadCSwitchMon, // Obsolete
- ThreadCSwitchPmu,
+ ThreadCSwitchPmu, // Obsolete
 ThreadWow64Context, // qs: WOW64_CONTEXT, ARM_NT_CONTEXT since 20H1
 ThreadGroupInformation, // qs: GROUP_AFFINITY // 30
 ThreadUmsInformation, // q: THREAD_UMS_INFORMATION // Obsolete
@@ -1670,7 +1810,7 @@ typedef enum _THREADINFOCLASS
 ThreadSuspendCount, // q: ULONG // since WINBLUE
 ThreadHeterogeneousCpuPolicy, // q: KHETERO_CPU_POLICY // since THRESHOLD
 ThreadContainerId, // q: GUID
- ThreadNameInformation, // qs: THREAD_NAME_INFORMATION
+ ThreadNameInformation, // qs: THREAD_NAME_INFORMATION (requires THREAD_SET_LIMITED_INFORMATION)
 ThreadSelectedCpuSets,
 ThreadSystemThreadInformation, // q: SYSTEM_THREAD_INFORMATION // 40
 ThreadActualGroupAffinity, // q: GROUP_AFFINITY // since THRESHOLD2
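Review bot: The access note added to `ThreadNameInformation` covers only the set direction, yet the entry is marked `qs:`, so someone picking `DesiredAccess` for a read-only caller of `NtQueryInformationThread` will take `THREAD_SET_LIMITED_INFORMATION` as the requirement. I'd state both directions explicitly: `ThreadNameInformation, // qs: THREAD_NAME_INFORMATION (s: requires THREAD_SET_LIMITED_INFORMATION; q: presumably THREAD_QUERY_LIMITED_INFORMATION — confirm)`. For consistency the `ThreadCycleTime` note, which is a `q:` entry, could use the same `(q: requires ...)` form so the direction is never implicit. The enum starts and ends outside these hunks.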
@@ -1745,7 +1885,19 @@ typedef struct _PROCESS_BASIC_INFORMATION typedef struct _PROCESS_EXTENDED_BASIC_INFORMATION { SIZE_T Size; // set to sizeof structure on input - PROCESS_BASIC_INFORMATION BasicInfo; + union + { + PROCESS_BASIC_INFORMATION BasicInfo; + struct + { + NTSTATUS ExitStatus; + PPEB PebBaseAddress; + KAFFINITY AffinityMask; + KPRIORITY BasePriority; + HANDLE UniqueProcessId; + HANDLE InheritedFromUniqueProcessId; + }; + }; union { ULONG Flags; @@ -2083,9 +2235,9 @@ typedef struct _PROCESS_WINDOW_INFORMATION typedef struct _PROCESS_HANDLE_TABLE_ENTRY_INFO { HANDLE HandleValue; - ULONG_PTR HandleCount; - ULONG_PTR PointerCount; - ULONG GrantedAccess; + SIZE_T HandleCount; + SIZE_T PointerCount; + ACCESS_MASK GrantedAccess; ULONG ObjectTypeIndex; ULONG HandleAttributes; ULONG Reserved; @@ -2093,7 +2245,7 @@ typedef struct _PROCESS_HANDLE_TABLE_ENTRY_INFO typedef struct _PROCESS_HANDLE_SNAPSHOT_INFORMATION { - ULONG_PTR NumberOfHandles; + SIZE_T NumberOfHandles; ULONG_PTR Reserved; PROCESS_HANDLE_TABLE_ENTRY_INFO Handles[1]; } PROCESS_HANDLE_SNAPSHOT_INFORMATION, * PPROCESS_HANDLE_SNAPSHOT_INFORMATION; @@ -2446,7 +2598,8 @@ typedef union _PROCESS_LOGGING_INFORMATION ULONG EnableThreadSuspendResumeLogging : 1; ULONG EnableLocalExecProtectVmLogging : 1; ULONG EnableRemoteExecProtectVmLogging : 1; - ULONG Reserved : 26; + ULONG EnableImpersonationLogging : 1; + ULONG Reserved : 25; }; } PROCESS_LOGGING_INFORMATION, * PPROCESS_LOGGING_INFORMATION; 
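Review bot: The anonymous struct placed beside `BasicInfo` in `PROCESS_EXTENDED_BASIC_INFORMATION` duplicates the six `PROCESS_BASIC_INFORMATION` members by hand, so any later drift between the two (a width change or reordering on one side) silently misaligns the aliased view and everything after the union, including the `Flags` union that follows it. The file already uses `STATIC_ASSERT` for this kind of pinning (`STATIC_ASSERT(sizeof(GDI_TEB_BATCH32) == 1248)`), so at minimum add `STATIC_ASSERT(FIELD_OFFSET(PROCESS_EXTENDED_BASIC_INFORMATION, Flags) == FIELD_OFFSET(PROCESS_EXTENDED_BASIC_INFORMATION, BasicInfo) + sizeof(PROCESS_BASIC_INFORMATION));` — that catches the struct growing, though not a same-size reorder, which a comment on the anonymous struct should warn about: `// Must mirror PROCESS_BASIC_INFORMATION field-for-field.` The `ACCESS_MASK` and `SIZE_T` retypings in `PROCESS_HANDLE_TABLE_ENTRY_INFO` / `PROCESS_HANDLE_SNAPSHOT_INFORMATION` are width-preserving on Windows targets and read fine. The `PROCESS_EXTENDED_BASIC_INFORMATION` definition continues past its hunk.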
@@ -2575,9 +2728,14 @@ typedef struct _THREAD_LAST_SYSCALL_INFORMATION
 ULONG64 WaitTime;
 } THREAD_LAST_SYSCALL_INFORMATION, * PTHREAD_LAST_SYSCALL_INFORMATION;
+/**
+ * The THREAD_CYCLE_TIME_INFORMATION structure contains information about the cycle time of a thread.
+ */
 typedef struct _THREAD_CYCLE_TIME_INFORMATION
 {
+ // The total number of cycles accumulated by the thread.
 ULONGLONG AccumulatedCycles;
+ // The current cycle count of the thread.
 ULONGLONG CurrentCycleCount;
 } THREAD_CYCLE_TIME_INFORMATION, * PTHREAD_CYCLE_TIME_INFORMATION;
@@ -2603,34 +2761,81 @@ typedef struct _THREAD_TEB_INFORMATION } THREAD_TEB_INFORMATION, * PTHREAD_TEB_INFORMATION; // symbols +/** + * The COUNTER_READING structure is used to store individual counter data from a hardware counter. + * + * \remarks https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-hardware_counter_data + */ typedef struct _COUNTER_READING { + // Specifies the type of hardware counter data collected. HARDWARE_COUNTER_TYPE Type; + // An identifier for the specific counter. ULONG Index; + // The initial value of the counter when measurement started. ULONG64 Start; + // The accumulated value of the counter over the measurement period. ULONG64 Total; } COUNTER_READING, * PCOUNTER_READING; -// symbols +#ifndef THREAD_PERFORMANCE_DATA_VERSION +#define THREAD_PERFORMANCE_DATA_VERSION 1 +#endif + +/** + * The THREAD_PERFORMANCE_DATA structure aggregates various performance metrics for a thread. + * + * \remarks https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-performance_data + */ typedef struct _THREAD_PERFORMANCE_DATA { + // The size of the structure. USHORT Size; + // The version of the structure. Must be set to PERFORMANCE_DATA_VERSION. USHORT Version; + // The processor number that identifies where the thread is running. PROCESSOR_NUMBER ProcessorNumber; + // The number of context switches that occurred from the time profiling was enabled. ULONG ContextSwitches; + // The number of array elements in the HwCounters array that contain hardware counter data. ULONG HwCountersCount; + // The number of times that the read operation read the data to ensure a consistent snapshot of the data. ULONG64 UpdateCount; + // A bitmask of KWAIT_REASON that identifies the reasons for the context switches that occurred since the last time the data was read. ULONG64 WaitReasonBitMap; + // A bitmask of hardware counters used to collect counter data. 
ULONG64 HardwareCounters; + // The cycle time of the thread (excludes the time spent interrupted) from the time profiling was enabled. COUNTER_READING CycleTime; + // The COUNTER_READING structure that contains hardware counter data. COUNTER_READING HwCounters[MAX_HW_COUNTERS]; } THREAD_PERFORMANCE_DATA, * PTHREAD_PERFORMANCE_DATA; +#ifndef THREAD_PROFILING_FLAG_DISPATCH +#define THREAD_PROFILING_FLAG_DISPATCH 0x00000001 +#endif + +#ifndef THREAD_PROFILING_FLAG_HARDWARE_COUNTERS +#define THREAD_PROFILING_FLAG_HARDWARE_COUNTERS 0x00000002 +#endif + +/** + * The THREAD_PROFILING_INFORMATION structure contains profiling information and references to performance data. + * + * \remarks https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-readthreadprofilingdata + */ typedef struct _THREAD_PROFILING_INFORMATION { + // To receive hardware performance counter data, set this parameter to a bitmask that identifies the hardware counters to collect. + // You can specify up to 16 performance counters. Each bit relates directly to the zero-based hardware counter index for the hardware + // performance counters that you configured. Set to zero if you are not collecting hardware counter data. + // If you set a bit for a hardware counter that has not been configured, the counter value that is read for that counter is zero. ULONG64 HardwareCounters; + // To receive thread profiling data such as context switch count, set this parameter to THREAD_PROFILING_FLAG_DISPATCH. ULONG Flags; + // Enable or disable thread profiling on the specified thread. ULONG Enable; + // The PERFORMANCE_DATA structure that contains thread profiling and hardware counter data. PTHREAD_PERFORMANCE_DATA PerformanceData; } THREAD_PROFILING_INFORMATION, * PTHREAD_PROFILING_INFORMATION; 
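Review bot: The `Version` comment in `THREAD_PERFORMANCE_DATA` says `Must be set to PERFORMANCE_DATA_VERSION`, but the constant this same hunk defines is `THREAD_PERFORMANCE_DATA_VERSION`, so the text names a macro that does not exist in this header; it should read `// The version of the structure. Must be set to THREAD_PERFORMANCE_DATA_VERSION.`, and for symmetry `Size` deserves `// The size of the structure. Must be set to sizeof(THREAD_PERFORMANCE_DATA).` (whether the native path validates `Size`/`Version` the way the linked win32 `PERFORMANCE_DATA` page describes is not shown here — confirm). The `HwCounters` comment describes an array as `The COUNTER_READING structure`; `// Array of MAX_HW_COUNTERS entries; the first HwCountersCount are populated.` would agree with the `HwCountersCount` comment two lines above. In `THREAD_PROFILING_INFORMATION`, `Enable` is documented as `Enable or disable` without saying which value does which; `// Nonzero enables profiling, zero disables it.` is the obvious reading of a `ULONG` flag but should be stated rather than left to the reader.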
@@ -2691,8 +2896,15 @@ typedef struct _THREAD_UMS_INFORMATION }; } THREAD_UMS_INFORMATION, * PTHREAD_UMS_INFORMATION; +/** + * The THREAD_NAME_INFORMATION structure assigns a description to a thread. + * + * \remarks The handle must have THREAD_SET_LIMITED_INFORMATION access. + * \remarks https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-setthreaddescription + */ typedef struct _THREAD_NAME_INFORMATION { + // A Unicode string that specifies the description of the thread. UNICODE_STRING ThreadName; } THREAD_NAME_INFORMATION, * PTHREAD_NAME_INFORMATION; @@ -2748,13 +2960,26 @@ typedef struct _THREAD_INDEX_INFORMATION #define STARTF_HASSHELLDATA 0x00000400 #endif +/** + * Creates a new process. + * + * @param ProcessHandle A pointer to a handle that receives the process object handle. + * @param DesiredAccess The access rights desired for the process object. + * @param ObjectAttributes Optional. A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the new process. + * @param ParentProcess A handle to the parent process. + * @param InheritObjectTable If TRUE, the new process inherits the object table of the parent process. + * @param SectionHandle Optional. A handle to a section object to be used for the new process. + * @param DebugPort Optional. A handle to a debug port to be used for the new process. + * @param TokenHandle Optional. A handle to an access token to be used for the new process. + * @return NTSTATUS Successful or errant status. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtCreateProcess( _Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE ParentProcess, _In_ BOOLEAN InheritObjectTable, _In_opt_ HANDLE SectionHandle, 
@@ -2769,7 +2994,7 @@ NTAPI ZwCreateProcess( _Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE ParentProcess, _In_ BOOLEAN InheritObjectTable, _In_opt_ HANDLE SectionHandle, @@ -2798,13 +3023,27 @@ ZwCreateProcess( #define PROCESS_CREATE_FLAGS_PARTITION_CREATE_SLAB_IDENTITY 0x00400000 // NtCreateProcessEx & NtCreateUserProcess, requires SeLockMemoryPrivilege // end_rev +/** + * Creates a new process with extended options. + * + * @param ProcessHandle A pointer to a handle that receives the process object handle. + * @param DesiredAccess The access rights desired for the process object. + * @param ObjectAttributes Optional. A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the new process. + * @param ParentProcess A handle to the parent process. + * @param Flags Flags that control the creation of the process. These flags are defined as PROCESS_CREATE_FLAGS_*. + * @param SectionHandle Optional. A handle to a section object to be used for the new process. + * @param DebugPort Optional. A handle to a debug port to be used for the new process. + * @param TokenHandle Optional. A handle to an access token to be used for the new process. + * @param Reserved Reserved for future use. Must be zero. + * @return NTSTATUS Successful or errant status. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtCreateProcessEx( _Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE ParentProcess, _In_ ULONG Flags, // PROCESS_CREATE_FLAGS_* _In_opt_ HANDLE SectionHandle, 
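Review bot: The new `NtCreateProcessEx` documentation says `@param Reserved Reserved for future use. Must be zero.`, yet the same parameter on `ZwCreateProcessEx` in the next hunk is annotated `_Reserved_ ULONG Reserved // JobMemberLevel`, so the header now disagrees with itself about whether the kernel reads the value; either drop `Must be zero` or write `@param Reserved Reserved; the prototype notes it as JobMemberLevel. Pass zero unless you have confirmed the kernel consumes it.` The `Flags` line could also point at the privilege notes sitting directly above the doc block (`PROCESS_CREATE_FLAGS_PARTITION_CREATE_SLAB_IDENTITY ... requires SeLockMemoryPrivilege`), because as written it implies any `PROCESS_CREATE_FLAGS_*` combination is accepted from an unprivileged caller. The `NtCreateProcessEx` prototype continues past the hunk.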
@@ -2820,7 +3059,7 @@ NTAPI ZwCreateProcessEx( _Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE ParentProcess, _In_ ULONG Flags, _In_opt_ HANDLE SectionHandle, @@ -2829,6 +3068,15 @@ ZwCreateProcessEx( _Reserved_ ULONG Reserved // JobMemberLevel ); +/** + * Opens an existing process object. + * + * @param ProcessHandle A pointer to a handle that receives the process object handle. + * @param DesiredAccess The access rights desired for the process object. + * @param ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the new process. + * @param ClientId Optional. A pointer to a CLIENT_ID structure that specifies the client ID of the process to be opened. + * @return NTSTATUS Successful or errant status. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI @@ -2850,6 +3098,13 @@ ZwOpenProcess( _In_opt_ PCLIENT_ID ClientId ); +/** + * Terminates the specified process. + * + * @param ProcessHandle Optional. A handle to the process to be terminated. If this parameter is NULL, the calling process is terminated. + * @param ExitStatus The exit status to be used by the process and the process's termination status. + * @return NTSTATUS Successful or errant status. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI @@ -2867,6 +3122,12 @@ ZwTerminateProcess( _In_ NTSTATUS ExitStatus ); +/** + * Suspends the specified process. + * + * @param ProcessHandle A handle to the process to be suspended. + * @return NTSTATUS Successful or errant status. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI @@ -2882,6 +3143,12 @@ ZwSuspendProcess( _In_ HANDLE ProcessHandle ); +/** + * Resumes the specified process. + * + * @param ProcessHandle A handle to the process to be resumed. + * @return NTSTATUS Successful or errant status. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI 
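Review bot: The `NtOpenProcess` documentation in this hunk says `ObjectAttributes` `specifies the attributes of the new process`, but the routine opens an existing process and creates nothing; `@param ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure. Its ObjectName identifies the process to open when ClientId is NULL.` (the name-or-ClientId rule is my recollection of the NT contract — confirm) would be accurate. The `NtTerminateProcess` text `If this parameter is NULL, the calling process is terminated` is only correct if the prototype really declares `_In_opt_ HANDLE ProcessHandle`; that prototype is outside the hunk, so please check the SAL annotation agrees, since a `_In_` parameter documented as optional invites a NULL-handle call.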
@@ -2979,10 +3246,11 @@ ZwQueryInformationProcess(
 /**
 * Retrieves a handle to the next process in the system.
 *
- * @param ProcessHandle An optional handle to the current process.
+ * @param ProcessHandle An optional handle to the a process. If this parameter is NULL, the function retrieves the first process in the system.
 * @param DesiredAccess The access rights desired for the new process handle.
 * @param HandleAttributes The attributes for the new process handle.
- * @param Flags Flags that modify the behavior of the function.
+ * @param Flags Flags that modify the behavior of the function. This can be a combination of the following flags:
+ * - PROCESS_GET_NEXT_FLAGS_PREVIOUS_PROCESS (0x00000001): Retrieve the previous process in the system.
 * @param NewProcessHandle A pointer to a variable that receives the handle to the next process.
 * @return NTSTATUS Successful or errant status.
 */
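Review bot: The rewritten `ProcessHandle` line reads `An optional handle to the a process`, a leftover from the edit; it should be `@param ProcessHandle An optional handle to a process. If this parameter is NULL, the function retrieves the first process in the system.` The flag bullet hard-codes `0x00000001` beside `PROCESS_GET_NEXT_FLAGS_PREVIOUS_PROCESS`; if that macro is defined in this header (it is not visible in the hunk) the literal duplicates it and will go stale silently, so I'd drop the number from the prose. The `NtGetNextProcess` prototype follows the hunk.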
@@ -3011,14 +3279,15 @@ ZwGetNextProcess(
 #endif
 /**
- * Retrieves a handle to the next thread in the process.
+ * Retrieves a handle to the next thread in the system.
 *
- * @param ProcessHandle An optional handle to the target process.
- * @param ThreadHandle An optional handle to the current thread.
- * @param DesiredAccess The access rights desired for the new thread handle.
- * @param HandleAttributes The attributes for the new thread handle.
- * @param Flags Flags that modify the behavior of the function.
- * @param NewThreadHandle A pointer to a variable that receives the handle to the next thread.
+ * @param ProcessHandle A handle to the process for enumerateration of threads.
+ * @param ThreadHandle An optional handle to a thread. If this parameter is NULL, the function retrieves the first thread in the process.
+ * @param DesiredAccess The access rights desired for the new process handle.
+ * @param HandleAttributes The attributes for the new process handle.
+ * @param Flags Flags that modify the behavior of the function. This can be a combination of the following flags:
+ * - THREAD_GET_NEXT_FLAGS_PREVIOUS_THREAD (0x00000001): Retrieve the previous thread in the process.
+ * @param NewProcessHandle A pointer to a variable that receives the handle to the next process.
 * @return NTSTATUS Successful or errant status.
 */
 __kernel_entry NTSYSCALLAPI
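Review bot: Three of the rewritten `NtGetNextThread` lines now describe a process instead of a thread: `DesiredAccess` and `HandleAttributes` say `new process handle`, and the last parameter is documented as `@param NewProcessHandle ... next process` although the text it replaces (and presumably the prototype, which is outside the hunk) names it `NewThreadHandle`, so Doxygen will report an unknown parameter. Suggested lines: `@param DesiredAccess The access rights desired for the new thread handle.`, `@param HandleAttributes The attributes for the new thread handle.`, `@param NewThreadHandle A pointer to a variable that receives the handle to the next thread.` Also fix `enumerateration` → `enumeration`, and since `ProcessHandle` is now described as required, the summary `next thread in the system` should revert to `in the process`.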
@@ -3086,13 +3355,24 @@ typedef enum _PROCESS_STATE_CHANGE_TYPE } PROCESS_STATE_CHANGE_TYPE, * PPROCESS_STATE_CHANGE_TYPE; #if (NTDDI_VERSION >= NTDDI_WIN10_CO) + +/** + * Creates a state change handle for changing the suspension state of a process. + * + * @param ProcessStateChangeHandle A pointer to a variable that receives the handle. + * @param DesiredAccess The access rights desired for the handle. + * @param ObjectAttributes Optional attributes for the handle. + * @param ProcessHandle A handle to the process. + * @param Reserved Reserved for future use. + * @return NTSTATUS Successful or errant status. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtCreateProcessStateChange( _Out_ PHANDLE ProcessStateChangeHandle, _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE ProcessHandle, _In_opt_ _Reserved_ ULONG64 Reserved ); @@ -3104,7 +3384,7 @@ NTAPI ZwCreateProcessStateChange( _Out_ PHANDLE ProcessStateChangeHandle, _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE ProcessHandle, _In_opt_ _Reserved_ ULONG64 Reserved ); @@ -3158,10 +3438,10 @@ typedef enum _THREAD_STATE_CHANGE_TYPE /** * Creates a state change handle for changing the suspension state of a process. * - * @param ProcessStateChangeHandle A pointer to a variable that receives the handle. + * @param ThreadStateChangeHandle A pointer to a variable that receives the handle. * @param DesiredAccess The access rights desired for the handle. * @param ObjectAttributes Optional attributes for the handle. - * @param ProcessHandle A handle to the process. + * @param ThreadHandle A handle to the thread. * @param Reserved Reserved for future use. * @return NTSTATUS Successful or errant status. */ 
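Review bot: The `NtCreateThreadStateChange` doc hunk corrects the two `@param` names but leaves the unchanged summary `Creates a state change handle for changing the suspension state of a process.`, so the block still reads as a copy of the process variant; change it to `Creates a state change handle for changing the suspension state of a thread.` The new `NtCreateProcessStateChange` block documents `Reserved` only as `Reserved for future use` while its prototype carries `_In_opt_ _Reserved_ ULONG64 Reserved`; adding `Must be zero.` would match the wording this change uses for `NtCreateProcessEx` (the kernel's actual check is not visible here, so keep it as guidance). Neither doc block says which access the `ProcessHandle`/`ThreadHandle` argument needs for the state-change object to be usable; if that is known, it belongs on the `@param` line, since it is the first thing a caller choosing `DesiredAccess` for the target handle will look for.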
@@ -3171,7 +3451,7 @@ NTAPI NtCreateThreadStateChange( _Out_ PHANDLE ThreadStateChangeHandle, _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE ThreadHandle, _In_opt_ ULONG64 Reserved ); @@ -3183,11 +3463,22 @@ NTAPI ZwCreateThreadStateChange( _Out_ PHANDLE ThreadStateChangeHandle, _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE ThreadHandle, _In_opt_ ULONG64 Reserved ); +/** + * Changes the suspension state of a thread. + * + * @param ThreadStateChangeHandle A handle to the thread state change object. + * @param ThreadHandle A handle to the thread. + * @param StateChangeType The type of state change. + * @param ExtendedInformation Optional extended information. + * @param ExtendedInformationLength The length of the extended information. + * @param Reserved Reserved for future use. + * @return NTSTATUS Successful or errant status. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI 
@@ -3218,13 +3509,26 @@ ZwChangeThreadState( // Threads // +/** + * Creates a new thread in the specified process. + * + * @param ThreadHandle A pointer to a handle that receives the thread object handle. + * @param DesiredAccess The access rights desired for the thread object. + * @param ObjectAttributes Optional. A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the new thread. + * @param ProcessHandle A handle to the process in which the thread is to be created. + * @param ClientId A pointer to a CLIENT_ID structure that receives the client ID of the new thread. + * @param ThreadContext A pointer to a CONTEXT structure that specifies the initial context of the new thread. + * @param InitialTeb A pointer to an INITIAL_TEB structure that specifies the initial stack limits of the new thread. + * @param CreateSuspended If TRUE, the thread is created in a suspended state. + * @return NTSTATUS Successful or errant status. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtCreateThread( _Out_ PHANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE ProcessHandle, _Out_ PCLIENT_ID ClientId, _In_ PCONTEXT ThreadContext, @@ -3239,7 +3543,7 @@ NTAPI ZwCreateThread( _Out_ PHANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE ProcessHandle, _Out_ PCLIENT_ID ClientId, _In_ PCONTEXT ThreadContext, 
@@ -3247,6 +3551,15 @@ ZwCreateThread( _In_ BOOLEAN CreateSuspended ); +/** + * Opens an existing thread object. + * + * @param ThreadHandle A pointer to a handle that receives the thread object handle. + * @param DesiredAccess The access rights desired for the thread object. + * @param ObjectAttributes Optional. A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the new thread. + * @param ClientId Optional. A pointer to a CLIENT_ID structure that specifies the client ID of the thread to be opened. + * @return NTSTATUS Successful or errant status. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI @@ -3268,6 +3581,14 @@ ZwOpenThread( _In_opt_ PCLIENT_ID ClientId ); + +/** + * Terminates the specified thread. + * + * @param ThreadHandle Optional. A handle to the thread to be terminated. If this parameter is NULL, the calling thread is terminated. + * @param ExitStatus The exit status to be used by the thread and the thread's termination status. + * @return NTSTATUS Successful or errant status. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI @@ -3285,6 +3606,13 @@ ZwTerminateThread( _In_ NTSTATUS ExitStatus ); +/** + * Suspends the specified thread. + * + * @param ThreadHandle A handle to the thread to be suspended. + * @param PreviousSuspendCount Optional. A pointer to a variable that receives the thread's previous suspend count. + * @return NTSTATUS Successful or errant status. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI @@ -3302,6 +3630,13 @@ ZwSuspendThread( _Out_opt_ PULONG PreviousSuspendCount ); +/** + * Resumes the specified thread. + * + * @param ThreadHandle A handle to the thread to be resumed. + * @param PreviousSuspendCount Optional. A pointer to a variable that receives the thread's previous suspend count. + * @return NTSTATUS Successful or errant status. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI 
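Review bot: `NtOpenThread`'s new `ObjectAttributes` line says it `specifies the attributes of the new thread`, but the routine opens an existing thread; use `@param ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure. Its ObjectName identifies the thread to open when ClientId is NULL.` (name-or-ClientId per my recollection of the NT contract — confirm). The `NtTerminateThread` block is introduced by two blank lines (a `+` blank before `+/**`), unlike every other doc block in the change; drop one. Its sentence `If this parameter is NULL, the calling thread is terminated` also depends on the prototype declaring `_In_opt_ HANDLE ThreadHandle`, which is outside the hunk — please confirm the annotation agrees.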
@@ -3410,6 +3745,16 @@ ZwSetContextThread( _In_ PCONTEXT ThreadContext ); +/** + * Retrieves information about the specified thread. + * + * @param ThreadHandle A handle to the thread. + * @param ThreadInformationClass The type of thread information to be retrieved. + * @param ThreadInformation A pointer to a buffer that receives the thread information. + * @param ThreadInformationLength The size of the buffer pointed to by the ThreadInformation parameter. + * @param ReturnLength An optional pointer to a variable that receives the size of the data returned. + * @return NTSTATUS Successful or errant status. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI @@ -3434,6 +3779,15 @@ ZwQueryInformationThread( ); #pragma warning(suppress: 28252 28253) +/** + * Sets information for the specified thread. + * + * @param ThreadHandle A handle to the thread. + * @param ThreadInformationClass The type of thread information to be set. + * @param ThreadInformation A pointer to a buffer that contains the thread information. + * @param ThreadInformationLength The size of the buffer pointed to by the ThreadInformation parameter. + * @return NTSTATUS Successful or errant status. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI @@ -3459,6 +3813,12 @@ ZwSetInformationThread( _In_ ULONG ThreadInformationLength ); +/** + * Sends an alert to the specified thread. + * + * @param ThreadHandle A handle to the thread to be alerted. + * @return NTSTATUS Successful or errant status. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI @@ -3474,6 +3834,13 @@ ZwAlertThread( _In_ HANDLE ThreadHandle ); +/** + * Resumes a thread that was previously suspended and sends an alert to it. + * + * @param ThreadHandle A handle to the thread to be resumed and alerted. + * @param PreviousSuspendCount An optional pointer to a variable that receives the thread's previous suspend count. + * @return NTSTATUS Successful or errant status. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI 
@@ -3491,6 +3858,11 @@ ZwAlertResumeThread( _Out_opt_ PULONG PreviousSuspendCount ); +/** + * Tests whether the current thread has an alert pending. + * + * @return NTSTATUS Successful or errant status. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI @@ -3506,6 +3878,57 @@ ZwTestAlert( VOID ); +#if (NTDDI_VERSION >= NTDDI_WIN8) +// rev +/** + * Sends an alert to the specified thread. + * + * @param ThreadId The thread ID of the thread to be alerted. + * @return NTSTATUS Successful or errant status. + */ +__kernel_entry NTSYSCALLAPI +NTSTATUS +NTAPI +NtAlertThreadByThreadId( + _In_ HANDLE ThreadId +); + +// rev +_IRQL_requires_max_(PASSIVE_LEVEL) +NTSYSAPI +NTSTATUS +NTAPI +ZwAlertThreadByThreadId( + _In_ HANDLE ThreadId +); + +// rev +/** + * Waits for an alert to be delivered to the specified thread. + * + * @param Address The address to wait for an alert on. + * @param Timeout The timeout value for waiting, or NULL for no timeout. + * @return NTSTATUS Successful or errant status. + */ +__kernel_entry NTSYSCALLAPI +NTSTATUS +NTAPI +NtWaitForAlertByThreadId( + _In_opt_ PVOID Address, + _In_opt_ PLARGE_INTEGER Timeout +); + +// rev +_IRQL_requires_max_(PASSIVE_LEVEL) +NTSYSAPI +NTSTATUS +NTAPI +ZwWaitForAlertByThreadId( + _In_opt_ PVOID Address, + _In_opt_ PLARGE_INTEGER Timeout +); +#endif + __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI @@ -3581,6 +4004,14 @@ ZwContinueEx( // return ZwContinueEx(ContextRecord, (PCONTINUE_ARGUMENT)TestAlert); //} +/** + * Impersonates a client thread. + * + * @param ServerThreadHandle A handle to the server thread. + * @param ClientThreadHandle A handle to the client thread. + * @param SecurityQos A pointer to a SECURITY_QUALITY_OF_SERVICE structure that specifies the impersonation level and context tracking mode. + * @return NTSTATUS Successful or errant status. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI 
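Review bot: The relocated `NtWaitForAlertByThreadId` doc says it `Waits for an alert to be delivered to the specified thread`, but the prototype takes only `Address` and `Timeout` — there is no thread parameter — so the text describes an argument that does not exist; it should say `Waits, on the calling thread, for an alert delivered by NtAlertThreadByThreadId.`, describe `Address` as an opaque key the waiter and the alerting side agree on (my reading of the `// rev` prototypes — confirm), and say whether `Timeout` follows the usual NT relative/absolute `LARGE_INTEGER` convention. Because the block is `// rev`, any return values you document (`STATUS_ALERTED` versus `STATUS_TIMEOUT`) should be marked as observed rather than guaranteed. The closing `#endif` would also be clearer as `#endif // (NTDDI_VERSION >= NTDDI_WIN8)`, matching the `#endif // (NTDDI_VERSION >= NTDDI_WIN10_MN)` form used further down.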
@@ -3600,6 +4031,12 @@ ZwImpersonateThread( _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos ); +/** + * Registers a thread termination port. + * + * @param PortHandle A handle to the port to be registered. + * @return NTSTATUS Successful or errant status. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI @@ -3615,6 +4052,17 @@ ZwRegisterThreadTerminatePort( _In_ HANDLE PortHandle ); +/** + * Sets LDT (Local Descriptor Table) entries. + * + * @param Selector0 The first selector. + * @param Entry0Low The low part of the first entry. + * @param Entry0Hi The high part of the first entry. + * @param Selector1 The second selector. + * @param Entry1Low The low part of the second entry. + * @param Entry1Hi The high part of the second entry. + * @return NTSTATUS Successful or errant status. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI @@ -3647,7 +4095,6 @@ ZwSetLdtEntries( * @param ApcRoutine A pointer to the APC routine to be executed. * @param Parameter Optional. A pointer to a parameter to be passed to the APC routine. * @param ActxContext Optional. A handle to an activation context. - * @return VOID This function does not return a value. */ NTSYSAPI VOID @@ -3665,7 +4112,6 @@ RtlDispatchAPC( * @param ApcArgument1 Optional. A pointer to the first argument to be passed to the APC routine. * @param ApcArgument2 Optional. A pointer to the second argument to be passed to the APC routine. * @param ApcArgument3 Optional. A pointer to the third argument to be passed to the APC routine. - * @return VOID This function does not return a value. */ typedef VOID(NTAPI*PPS_APC_ROUTINE)( _In_opt_ PVOID ApcArgument1, @@ -3738,6 +4184,9 @@ ZwQueueApcThread( _In_opt_ PVOID ApcArgument3 ); +/** + * A special handle value used to queue a user APC (Asynchronous Procedure Call). + */ #define QUEUE_USER_APC_SPECIAL_USER_APC ((HANDLE)0x1) /** 
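Review bot: The `NtSetLdtEntries` documentation added here only restates the parameter names (`The low part of the first entry`) without saying what an entry is; since this call installs segment descriptors from user mode, the `@param` lines should state that `Entry0Low`/`Entry0Hi` are the low and high 32-bit halves of the 8-byte LDT descriptor for `Selector0` (and likewise for `Selector1`), and a `@remarks` should note that the kernel is expected to reject descriptors it does not permit — hedge that as a TODO unless you have verified it, so no reader assumes arbitrary descriptors are accepted. The `QUEUE_USER_APC_SPECIAL_USER_APC` comment (`A special handle value used to queue a user APC`) does not say where the value goes; `// Passed in place of a reserve-object handle to NtQueueApcThreadEx to request a special user APC — presumably; confirm against the prototype.` would be actionable. The `NtSetLdtEntries` prototype and the `NtQueueApcThreadEx` family are outside these hunks.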
@@ -3848,56 +4297,6 @@ ZwQueueApcThreadEx2( ); #endif // (NTDDI_VERSION >= NTDDI_WIN10_MN) -#if (NTDDI_VERSION >= NTDDI_WIN8) -// rev -/** - * Sends an alert to the specified thread. - * - * @param ThreadId The thread ID of the thread to be alerted. - * @return NTSTATUS Successful or errant status. - */ -__kernel_entry NTSYSCALLAPI -NTSTATUS -NTAPI -NtAlertThreadByThreadId( - _In_ HANDLE ThreadId -); - -// rev -_IRQL_requires_max_(PASSIVE_LEVEL) -NTSYSAPI -NTSTATUS -NTAPI -ZwAlertThreadByThreadId( - _In_ HANDLE ThreadId -); - -// rev -/** - * Waits for an alert to be delivered to the specified thread. - * - * @param Address The address to wait for an alert on. - * @param Timeout The timeout value for waiting, or NULL for no timeout. - * @return NTSTATUS Successful or errant status. - */ -__kernel_entry NTSYSCALLAPI -NTSTATUS -NTAPI -NtWaitForAlertByThreadId( - _In_opt_ PVOID Address, - _In_opt_ PLARGE_INTEGER Timeout -); - -// rev -_IRQL_requires_max_(PASSIVE_LEVEL) -NTSYSAPI -NTSTATUS -NTAPI -ZwWaitForAlertByThreadId( - _In_opt_ PVOID Address, - _In_opt_ PLARGE_INTEGER Timeout -); -#endif // // User processes and threads 
@@ -4079,15 +4478,17 @@ typedef struct _PROC_THREAD_ATTRIBUTE ULONG_PTR Value; } PROC_THREAD_ATTRIBUTE, * PPROC_THREAD_ATTRIBUTE; -// private +/** + * The PROC_THREAD_ATTRIBUTE_LIST structure contains the list of attributes for process and thread creation. + */ typedef struct _PROC_THREAD_ATTRIBUTE_LIST { - ULONG PresentFlags; - ULONG AttributeCount; - ULONG LastAttribute; - ULONG SpareUlong0; - PPROC_THREAD_ATTRIBUTE ExtendedFlagsAttribute; - PROC_THREAD_ATTRIBUTE Attributes[1]; + ULONG PresentFlags; // A bitmask of flags that indicate the attributes for process and thread creation. + ULONG AttributeCount; // The number of attributes in the list. + ULONG LastAttribute; // The index of the last attribute in the list. + ULONG SpareUlong0; // Reserved for future use. + PPROC_THREAD_ATTRIBUTE ExtendedFlagsAttribute; // A pointer to the extended flags attribute. + _Field_size_(AttributeCount) PROC_THREAD_ATTRIBUTE Attributes[1]; // An array of attributes. } PROC_THREAD_ATTRIBUTE_LIST, * PPROC_THREAD_ATTRIBUTE_LIST; // private @@ -4543,8 +4944,8 @@ NtCreateUserProcess( _Out_ PHANDLE ThreadHandle, _In_ ACCESS_MASK ProcessDesiredAccess, _In_ ACCESS_MASK ThreadDesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ProcessObjectAttributes, - _In_opt_ POBJECT_ATTRIBUTES ThreadObjectAttributes, + _In_opt_ PCOBJECT_ATTRIBUTES ProcessObjectAttributes, + _In_opt_ PCOBJECT_ATTRIBUTES ThreadObjectAttributes, _In_ ULONG ProcessFlags, // PROCESS_CREATE_FLAGS_* _In_ ULONG ThreadFlags, // THREAD_CREATE_FLAGS_* _In_opt_ PVOID ProcessParameters, // PRTL_USER_PROCESS_PARAMETERS 
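Review bot: The field comments added to PROC_THREAD_ATTRIBUTE_LIST in the @@ -4079 hunk leave AttributeCount and LastAttribute ambiguous: AttributeCount is "the number of attributes in the list" and also the `_Field_size_` of Attributes, while LastAttribute is "the index of the last attribute". If, as the names suggest, AttributeCount is the allocated capacity and LastAttribute the number of slots in use (equivalently the next free index), say so — `ULONG AttributeCount; // Capacity of Attributes[] (allocated slots)` and `ULONG LastAttribute; // Number of attributes in use; also the next free index` — otherwise a reader iterating `Attributes[0..AttributeCount)` will consume uninitialised slots. Confirm the in-use semantics against the Win32 UpdateProcThreadAttribute path before changing the text. Note also that `Attributes[1]` with `_Field_size_(AttributeCount)` is the header's usual idiom rather than a flexible array member, so `sizeof` over-counts by one element when sizing an allocation; that is worth one line in the struct comment.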
@@ -4561,8 +4962,8 @@ ZwCreateUserProcess( _Out_ PHANDLE ThreadHandle, _In_ ACCESS_MASK ProcessDesiredAccess, _In_ ACCESS_MASK ThreadDesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ProcessObjectAttributes, - _In_opt_ POBJECT_ATTRIBUTES ThreadObjectAttributes, + _In_opt_ PCOBJECT_ATTRIBUTES ProcessObjectAttributes, + _In_opt_ PCOBJECT_ATTRIBUTES ThreadObjectAttributes, _In_ ULONG ProcessFlags, // PROCESS_CREATE_FLAGS_* _In_ ULONG ThreadFlags, // THREAD_CREATE_FLAGS_* _In_opt_ PVOID ProcessParameters, // PRTL_USER_PROCESS_PARAMETERS @@ -4612,7 +5013,7 @@ NTAPI NtCreateThreadEx( _Out_ PHANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE ProcessHandle, _In_ PUSER_THREAD_START_ROUTINE StartRoutine, _In_opt_ PVOID Argument, @@ -4630,7 +5031,7 @@ NTAPI ZwCreateThreadEx( _Out_ PHANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE ProcessHandle, _In_ PUSER_THREAD_START_ROUTINE StartRoutine, _In_opt_ PVOID Argument, @@ -4960,13 +5361,21 @@ typedef struct _JOBOBJECT_PAGE_PRIORITY_LIMIT ULONG Priority; } JOBOBJECT_PAGE_PRIORITY_LIMIT, * PJOBOBJECT_PAGE_PRIORITY_LIMIT; +/** + * Creates or opens a job object. + * + * @param JobHandle A handle to the job object. + * @param DesiredAccess The access rights desired for the thread object. + * @param ObjectAttributes Optional. A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the new thread. + * @return NTSTATUS Successful or errant status. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtCreateJobObject( _Out_ PHANDLE JobHandle, _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes + _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes ); _IRQL_requires_max_(PASSIVE_LEVEL) 
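Review bot: The NtCreateJobObject doc comment in the @@ -4960 hunk describes the wrong object: DesiredAccess is "The access rights desired for the thread object" and ObjectAttributes specifies "the attributes of the new thread", which reads as copied from a thread-creation routine. Replace with `@param JobHandle Receives a handle to the new job object.`, `@param DesiredAccess The access rights desired for the job object (JOB_OBJECT_* rights).` and `@param ObjectAttributes Optional. A pointer to an OBJECT_ATTRIBUTES structure that specifies the name, attributes and security descriptor of the job object.` The summary "Creates or opens a job object" should also say when it opens instead of creating (presumably when the name already exists — confirm), because that is the case where another principal may already hold the object.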
@@ -4976,16 +5385,24 @@ NTAPI ZwCreateJobObject( _Out_ PHANDLE JobHandle, _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes + _In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes ); +/** + * Opens an existing job object. + * + * @param JobHandle A handle to the job object. + * @param DesiredAccess The access rights desired for the thread object. + * @param ObjectAttributes Optional. A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the new thread. + * @return NTSTATUS Successful or errant status. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtOpenJobObject( _Out_ PHANDLE JobHandle, _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes + _In_ PCOBJECT_ATTRIBUTES ObjectAttributes ); _IRQL_requires_max_(PASSIVE_LEVEL) @@ -4995,9 +5412,16 @@ NTAPI ZwOpenJobObject( _Out_ PHANDLE JobHandle, _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes + _In_ PCOBJECT_ATTRIBUTES ObjectAttributes ); +/** + * Assigns a process to an existing job object. + * + * @param JobHandle A handle to the job object to which the process will be associated. The handle must have the JOB_OBJECT_ASSIGN_PROCESS access right. + * @param ProcessHandle A handle to the process to associate with the job object. The handle must have the PROCESS_SET_QUOTA and PROCESS_TERMINATE access rights. + * @return NTSTATUS Successful or errant status. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI 
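Review bot: NtOpenJobObject's doc comment in the @@ -4976 hunk carries the same copy-paste as the create routine: DesiredAccess is described as being "for the thread object" and ObjectAttributes as attributes "of the new thread", although this routine opens an existing job and ObjectAttributes is required (`_In_`) rather than optional. Suggest `@param JobHandle Receives a handle to the opened job object.`, `@param DesiredAccess The access rights desired for the job object (JOB_OBJECT_* rights).` and `@param ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that names the job object to open.` The NtAssignProcessToJobObject text in the following hunk, which states the rights each handle needs, is the model to follow.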
@@ -5015,6 +5439,13 @@ ZwAssignProcessToJobObject( _In_ HANDLE ProcessHandle ); +/** + * Terminates all processes associated with the job object. If the job is nested, all processes currently associated with the job and all child jobs in the hierarchy are terminated. + * + * @param JobHandle A handle to the job whose processes will be terminated. The handle must have the JOB_OBJECT_TERMINATE access right. + * @param ExitStatus The exit status to be used by all processes and threads in the job object. + * @return NTSTATUS Successful or errant status. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI @@ -5032,6 +5463,14 @@ ZwTerminateJobObject( _In_ NTSTATUS ExitStatus ); +/** + * Checks if a process is associated with a job object. + * + * @param ProcessHandle A handle to the process to be checked. + * @param JobHandle An optional handle to the job object. If this parameter is NULL, the function checks if the process is associated with any job object. + * @return NTSTATUS Successful or errant status. + * @remarks This function can be used to determine if a process is running within a job object, which can be useful for managing process resources and constraints. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI 
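Review bot: The `@return NTSTATUS Successful or errant status.` on NtIsProcessInJob in the @@ -5032 hunk hides the one thing a caller must know: the routine has no output parameter, so the answer can only be carried in the status value itself. If this matches the Win32 IsProcessInJob wrapper, both answers are success codes (STATUS_PROCESS_IN_JOB and STATUS_PROCESS_NOT_IN_JOB), so `NT_SUCCESS(status)` alone tells the caller nothing; suggest `@return STATUS_PROCESS_IN_JOB if the process is in the job (in any job when JobHandle is NULL), STATUS_PROCESS_NOT_IN_JOB if it is not, or an error status.` Confirm the exact codes before committing the text. The prototype continues outside the hunk.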
@@ -5049,6 +5488,17 @@ ZwIsProcessInJob( _In_opt_ HANDLE JobHandle ); +/** + * Retrieves information about a job object. + * + * @param JobHandle An optional handle to the job object. If this parameter is NULL, the function retrieves information about the job object associated with the calling process. + * @param JobObjectInformationClass The type of job object information to be retrieved. + * @param JobObjectInformation A pointer to a buffer that receives the job object information. + * @param JobObjectInformationLength The size of the buffer pointed to by the JobObjectInformation parameter. + * @param ReturnLength An optional pointer to a variable that receives the size of the data returned. + * @return NTSTATUS Successful or errant status. + * @remarks This function can be used to query various types of information about a job object, such as accounting information, limit information, and process ID list. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI @@ -5072,6 +5522,16 @@ ZwQueryInformationJobObject( _Out_opt_ PULONG ReturnLength ); +/** + * Sets information for a job object. + * + * @param JobHandle A handle to the job object. + * @param JobObjectInformationClass The type of job object information to be set. + * @param JobObjectInformation A pointer to a buffer that contains the job object information. + * @param JobObjectInformationLength The size of the buffer pointed to by the JobObjectInformation parameter. + * @return NTSTATUS Successful or errant status. + * @remarks This function can be used to set various types of information for a job object, such as limit information, UI restrictions, and security limit information. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI 
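Review bot: The NtSetInformationJobObject comment in the @@ -5072 hunk lists what can be set (limits, UI restrictions, security limits) but not the access right the handle needs, whereas the job comments earlier in this commit (NtAssignProcessToJobObject, NtTerminateJobObject) do state them. Consistent with those, add `The handle must have the JOB_OBJECT_SET_ATTRIBUTES access right (JOB_OBJECT_SET_SECURITY_ATTRIBUTES for JobObjectSecurityLimitInformation).` — these are the Win32 SetInformationJobObject requirements, so verify they hold for the native call. For the query routine in the preceding hunk, "If this parameter is NULL, the function retrieves information about the job object associated with the calling process" is only meaningful if JobHandle is annotated `_In_opt_`; the prototype is outside the hunk, so check the annotation agrees with the comment.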
@@ -5102,6 +5562,15 @@ typedef struct _JOB_SET_ARRAY } JOB_SET_ARRAY, * PJOB_SET_ARRAY; #endif // _KERNEL_MODE +/** + * Creates a set of job objects. + * + * @param NumJob The number of job objects in the set. + * @param UserJobSet A pointer to an array of JOB_SET_ARRAY structures that specify the job objects in the set. + * @param Flags Reserved for future use. Must be zero. + * @return NTSTATUS Successful or errant status. + * @remarks This function can be used to create a set of job objects, which can be useful for managing groups of related processes. + */ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI @@ -5163,7 +5632,7 @@ NTSTATUS NTAPI NtAllocateReserveObject( _Out_ PHANDLE MemoryReserveHandle, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ MEMORY_RESERVE_TYPE Type ); @@ -5173,7 +5642,7 @@ NTSTATUS NTAPI ZwAllocateReserveObject( _Out_ PHANDLE MemoryReserveHandle, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ PCOBJECT_ATTRIBUTES ObjectAttributes, _In_ MEMORY_RESERVE_TYPE Type ); diff --git a/Veil/Veil.System.RuntimeLibrary.h b/Veil/Veil.System.RuntimeLibrary.h index d08a94b..43f2447 100644 --- a/Veil/Veil.System.RuntimeLibrary.h +++ b/Veil/Veil.System.RuntimeLibrary.h @@ -150,6 +150,9 @@ RtlFailFast( #define RTL_STATIC_LIST_HEAD(x) LIST_ENTRY x = { &x, &x } +#define RTL_LIST_FOREACH(Entry, ListHead) \ + for ((Entry) = &(ListHead); (Entry) != &(ListHead); (Entry) = (Entry)->Flink) + FORCEINLINE VOID InitializeListHead( @@ -2371,6 +2374,16 @@ RtlAcquireReleaseSRWLockExclusive( _Inout_ PRTL_SRWLOCK SRWLock ); +#if (NTDDI_VERSION >= NTDDI_WIN10) +// rev +NTSYSAPI +BOOLEAN +NTAPI +RtlConvertSRWLockExclusiveToShared( + _Inout_ PRTL_SRWLOCK SRWLock +); +#endif + // winbase:InitializeConditionVariable NTSYSAPI VOID 
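Review bot: RTL_LIST_FOREACH in the @@ -150 hunk of Veil.System.RuntimeLibrary.h never executes its body: it initialises `(Entry)` to `&(ListHead)` and then tests `(Entry) != &(ListHead)`, which is false on the first iteration. The first element of a LIST_ENTRY ring is the head's Flink, so the macro should read `for ((Entry) = (ListHead).Flink; (Entry) != &(ListHead); (Entry) = (Entry)->Flink)`. It also takes the head by object (`&(ListHead)`) whereas the neighbouring helpers such as InitializeListHead take a PLIST_ENTRY, so a caller holding a pointer must write `*head` — a comment saying so, or a pointer-taking variant, would avoid that trap. Finally, Flink is read after the body runs, so the macro is unsafe if the body unlinks Entry; one line in the comment should say so.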
@@ -2479,12 +2492,27 @@ RtlWakeAddressAll( _In_ PVOID Address ); +NTSYSAPI +VOID +NTAPI +RtlWakeAddressAllNoFence( + _In_ PVOID Address +); + NTSYSAPI VOID NTAPI RtlWakeAddressSingle( _In_ PVOID Address ); + +NTSYSAPI +VOID +NTAPI +RtlWakeAddressSingleNoFence( + _In_ PVOID Address +); + #endif // end_rev @@ -3000,6 +3028,53 @@ RtlEraseUnicodeString( _Inout_ PUNICODE_STRING String ); +#if (NTDDI_VERSION >= NTDDI_WIN2K) +_IRQL_requires_max_(PASSIVE_LEVEL) +NTSYSAPI +ULONG +NTAPI +RtlxUnicodeStringToAnsiSize( + _In_ PCUNICODE_STRING UnicodeString +); +#endif + +// +// NTSYSAPI +// ULONG +// NTAPI +// RtlUnicodeStringToAnsiSize( +// PUNICODE_STRING UnicodeString +// ); +// + +#define RtlUnicodeStringToAnsiSize(STRING) ( \ + RtlxUnicodeStringToAnsiSize(STRING) \ +) + + +#if (NTDDI_VERSION >= NTDDI_WIN2K) +_IRQL_requires_max_(PASSIVE_LEVEL) +NTSYSAPI +ULONG +NTAPI +RtlxAnsiStringToUnicodeSize( + _In_ PCANSI_STRING AnsiString +); +#endif + +// +// NTSYSAPI +// ULONG +// NTAPI +// RtlAnsiStringToUnicodeSize( +// PANSI_STRING AnsiString +// ); +// + +#define RtlAnsiStringToUnicodeSize(STRING) ( \ + RtlxAnsiStringToUnicodeSize(STRING) \ +) + _IRQL_requires_max_(PASSIVE_LEVEL) _Must_inspect_result_ NTSYSAPI @@ -4234,7 +4309,7 @@ NTSTATUS NTAPI RtlGetSystemPreferredUILanguages( _In_ ULONG Flags, // MUI_LANGUAGE_NAME - _In_ PCWSTR LocaleName, + _In_opt_ PCWSTR LocaleName, _Out_ PULONG NumberOfLanguages, _Out_writes_opt_(*ReturnLength) PZZWSTR Languages, _Inout_ PULONG ReturnLength @@ -4255,7 +4330,7 @@ NTSTATUS NTAPI RtlGetUserPreferredUILanguages( _In_ ULONG Flags, // MUI_LANGUAGE_NAME - _In_ PCWSTR LocaleName, + _In_opt_ PCWSTR LocaleName, _Out_ PULONG NumberOfLanguages, _Out_writes_opt_(*ReturnLength) PZZWSTR Languages, _Inout_ PULONG ReturnLength 
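Review bot: The @@ -3000 hunk adds two commented-out prototypes (`// NTSYSAPI // ULONG // NTAPI // RtlUnicodeStringToAnsiSize(...)` and the ANSI counterpart) to explain the macros that follow; commented-out code is noise for readers and tooling, and the same information belongs in a comment on the macro itself, e.g. `// RtlUnicodeStringToAnsiSize(PCUNICODE_STRING): byte count needed for the ANSI form; implemented by RtlxUnicodeStringToAnsiSize (whether the NUL terminator is counted is not stated here — confirm).` Whether the returned size includes the terminator is exactly what a caller sizing a buffer needs, and nothing in the hunk says it. The same applies to the RtlAnsiStringToUnicodeSize block.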
@@ -4536,6 +4611,27 @@ RtlCreateProcessParametersEx( _In_ ULONG Flags // pass RTL_USER_PROC_PARAMS_NORMALIZED to keep parameters normalized ); +#if (NTDDI_VERSION >= NTDDI_WIN10_RS4) +// private +NTSYSAPI +NTSTATUS +NTAPI +RtlCreateProcessParametersWithTemplate( + _Out_ PRTL_USER_PROCESS_PARAMETERS* pProcessParameters, + _In_ PUNICODE_STRING ImagePathName, + _In_opt_ PUNICODE_STRING DllPath, + _In_opt_ PUNICODE_STRING CurrentDirectory, + _In_opt_ PUNICODE_STRING CommandLine, + _In_opt_ PVOID Environment, + _In_opt_ PUNICODE_STRING WindowTitle, + _In_opt_ PUNICODE_STRING DesktopInfo, + _In_opt_ PUNICODE_STRING ShellInfo, + _In_opt_ PUNICODE_STRING RuntimeData, + _In_opt_ PUNICODE_STRING RedirectionDllName, + _In_ ULONG Flags // pass RTL_USER_PROC_PARAMS_NORMALIZED to keep parameters normalized +); +#endif + NTSYSAPI NTSTATUS NTAPI @@ -4637,6 +4733,22 @@ RtlCloneUserProcess( _Out_ PRTL_USER_PROCESS_INFORMATION ProcessInformation ); +// rev +NTSYSAPI +NTSTATUS +NTAPI +RtlPrepareForProcessCloning( + VOID +); + +// rev +NTSYSAPI +NTSTATUS +NTAPI +RtlCompleteProcessCloning( + _In_ LOGICAL Completed +); + // private NTSYSAPI VOID @@ -5044,6 +5156,14 @@ RtlRemoteCall( // _KERNEL_MODE begin +/** + * Registers a vectored exception handler. + * + * @param First If this parameter is TRUE, the handler is the first handler in the list. + * @param Handler A pointer to the vectored exception handler to be called. + * @return A handle to the vectored exception handler. + * @see https://docs.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-addvectoredexceptionhandler + */ NTSYSAPI PVOID NTAPI 
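Review bot: RtlCreateProcessParametersWithTemplate in the @@ -4536 hunk declares all its string inputs as `_In_ PUNICODE_STRING` / `_In_opt_ PUNICODE_STRING` while the same commit const-qualifies inputs everywhere else (PCOBJECT_ATTRIBUTES, PCWSTR); unless the routine is known to modify them, `PCUNICODE_STRING` would be consistent. It is marked `// private` but carries no comment at all, so the meaning of `Environment` (presumably a double-NUL-terminated block — confirm) and which template field `RedirectionDllName` feeds are left to the reader; a short comment on each would match the documentation added elsewhere in this change.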
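Review bot: The `@return A handle to the vectored exception handler.` added for RtlAddVectoredExceptionHandler in the @@ -5044 hunk omits the failure case: the linked AddVectoredExceptionHandler page states the function returns NULL on failure, and a caller that later removes the handler by this value must check for it. Suggest `@return A handle to the registered handler, or NULL if registration failed.` The `First` description could also carry its security-relevant consequence — a handler registered first sees every exception before all previously registered handlers — so `@param First If TRUE, the handler is called before all other vectored handlers; otherwise it is called last.` The prototype continues outside the hunk.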
@@ -5052,6 +5172,13 @@ RtlAddVectoredExceptionHandler( _In_ PVECTORED_EXCEPTION_HANDLER Handler ); +/** + * Removes a vectored exception handler. + * + * @param Handle A handle to the vectored exception handler to remove. + * @return The function returns 0 if the handler is removed, or -1 if the handler is not found. + * @see https://docs.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-removevectoredexceptionhandler + */ NTSYSAPI ULONG NTAPI @@ -5059,6 +5186,14 @@ RtlRemoveVectoredExceptionHandler( _In_ PVOID Handle ); +/** + * Registers a vectored continue handler. + * + * @param First If this parameter is TRUE, the handler is the first handler in the list. + * @param Handler A pointer to the vectored exception handler to be called. + * @return A handle to the vectored continue handler. + * @see https://docs.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-addvectoredcontinuehandler + */ NTSYSAPI PVOID NTAPI @@ -5067,6 +5202,13 @@ RtlAddVectoredContinueHandler( _In_ PVECTORED_EXCEPTION_HANDLER Handler ); +/** + * Removes a vectored continue handler. + * + * @param Handle A handle to the vectored continue handler to remove. + * @return The function returns 0 if the handler is removed, or -1 if the handler is not found. + * @see https://docs.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-removevectoredcontinuehandler + */ NTSYSAPI ULONG NTAPI @@ -6323,7 +6465,7 @@ typedef enum _RTL_PATH_TYPE // Data exports (ntdll.lib/ntdllp.lib) -NTSYSAPI PWSTR RtlNtdllName; +NTSYSAPI PCWSTR RtlNtdllName; NTSYSAPI UNICODE_STRING RtlDosPathSeperatorsString; NTSYSAPI UNICODE_STRING RtlAlternateDosPathSeperatorString; NTSYSAPI UNICODE_STRING RtlNtPathSeperatorString; @@ -6667,7 +6809,7 @@ NTSYSAPI VOID NTAPI RtlReleasePath( - _In_ PWSTR Path + _In_ PCWSTR Path ); #endif 
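Review bot: The `@return The function returns 0 if the handler is removed, or -1 if the handler is not found.` added for RtlRemoveVectoredExceptionHandler in the @@ -5052 hunk (and repeated for RtlRemoveVectoredContinueHandler in @@ -5067) cannot be right as written: the declared return type is ULONG, which has no -1, and the linked RemoveVectoredExceptionHandler page documents the opposite convention, nonzero on success and zero on failure. Since the Win32 function is a thin wrapper, the ntdll routine almost certainly follows the same convention; confirm and replace with `@return Nonzero if the handler was removed, zero if Handle was not found.` Documentation that inverts the success test is worse than none, because a caller who trusts it treats every failure as success.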
@@ -7214,8 +7356,8 @@ NTAPI RtlCreateTagHeap( _In_ PVOID HeapHandle, _In_ ULONG Flags, - _In_opt_ PWSTR TagPrefix, - _In_ PWSTR TagNames + _In_opt_ PCWSTR TagPrefix, + _In_ PCWSTR TagNames ); NTSYSAPI @@ -7794,7 +7936,8 @@ NTSYSAPI HANDLE NTAPI RtlGetCurrentTransaction( - VOID + _In_opt_ PCWSTR ExistingFileName, + _In_opt_ PCWSTR NewFileName ); // private @@ -7839,11 +7982,8 @@ RtlConvertLongToLuid( ) { LUID tempLuid; - LARGE_INTEGER tempLi; - - tempLi.QuadPart = Long; - tempLuid.LowPart = tempLi.LowPart; - tempLuid.HighPart = tempLi.HighPart; + tempLuid.LowPart = Long; + tempLuid.HighPart = 0; return tempLuid; } @@ -7870,12 +8010,12 @@ RtlConvertLuidToLonglong( _In_ LUID Luid ) { - LONGLONG tempLuid; + LARGE_INTEGER tempLi; - tempLuid = Luid.LowPart; - tempLuid += ((LONGLONG)(Luid.HighPart) << 32); + tempLi.LowPart = Luid.LowPart; + tempLi.HighPart = Luid.HighPart; - return tempLuid; + return tempLi.QuadPart; } FORCEINLINE @@ -8130,6 +8270,14 @@ typedef struct _MESSAGE_RESOURCE_DATA { #endif // _KERNEL_MODE +// rev +NTSYSAPI +NTSTATUS +NTAPI +RtlDebugPrintTimes( + VOID +); + NTSYSAPI NTSTATUS NTAPI @@ -8154,7 +8302,7 @@ NTSYSAPI NTSTATUS NTAPI RtlFormatMessage( - _In_ PWSTR MessageFormat, + _In_ PCWSTR MessageFormat, _In_ ULONG MaximumWidth, _In_ BOOLEAN IgnoreInserts, _In_ BOOLEAN ArgumentsAreAnsi, @@ -8184,7 +8332,7 @@ NTSYSAPI NTSTATUS NTAPI RtlFormatMessageEx( - _In_ PWSTR MessageFormat, + _In_ PCWSTR MessageFormat, _In_ ULONG MaximumWidth, _In_ BOOLEAN IgnoreInserts, _In_ BOOLEAN ArgumentsAreAnsi, @@ -8204,7 +8352,7 @@ NTAPI RtlGetFileMUIPath( _In_ ULONG Flags, _In_ PCWSTR FilePath, - _Inout_opt_ PWSTR Language, + _Inout_opt_ PCWSTR Language, _Inout_ PULONG LanguageLength, _Out_opt_ PWSTR FileMUIPath, _Inout_ PULONG FileMUIPathLength, @@ -9366,7 +9514,7 @@ NTSTATUS NTAPI RtlAddAtomToAtomTable( _In_ PVOID AtomTableHandle, - _In_ PWSTR AtomName, + _In_ PCWSTR AtomName, _Inout_opt_ PRTL_ATOM Atom ); 
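Review bot: The @@ -7794 hunk changes RtlGetCurrentTransaction from `VOID` to `(_In_opt_ PCWSTR ExistingFileName, _In_opt_ PCWSTR NewFileName)`, which does not fit a routine that returns the current transaction HANDLE and, in every other description of it including the Win32 GetCurrentTransaction, takes no arguments; two file names look like a parameter list pasted from a different function. Unless this is a deliberate reverse-engineered finding — in which case mark it `// rev` and say what the parameters do — revert to `VOID`: every existing caller now fails to compile, and a wrong prototype on an ntdll export is the kind of header drift that later produces calls with garbage arguments.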
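Review bot: The rewrite of RtlConvertLongToLuid in the @@ -7839 hunk changes results for negative input: the removed code assigned the value to a LARGE_INTEGER QuadPart, so a negative LONG sign-extended into HighPart, whereas the new code stores `tempLuid.HighPart = 0`. The deleted form is the one the WDK's ntddk.h uses, and it is what makes `RtlConvertLuidToLonglong(RtlConvertLongToLuid(x)) == x` hold for every x; with the new code the round-trip breaks for x < 0 (the parameter's type is outside the hunk — this matters if it is LONG, as the name suggests). Keep the LARGE_INTEGER version, or write `tempLuid.HighPart = (Long < 0) ? -1 : 0;` with a comment saying why. The RtlConvertLuidToLonglong rewrite in the next hunk is equivalent to what it replaces and is fine.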
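Review bot: In the @@ -8204 hunk RtlGetFileMUIPath's Language parameter becomes `_Inout_opt_ PCWSTR`, which is self-contradictory: `_Inout_` says the callee writes through the pointer, `PCWSTR` says it cannot. If this routine mirrors GetFileMUIPath, the language buffer is genuinely in/out — it receives the language actually used, with LanguageLength (still `_Inout_ PULONG` here) updated to match — so the const qualification is wrong rather than cosmetic and should be reverted to `_Inout_opt_ PWSTR Language`. The other PCWSTR changes in this line's hunks are on `_In_` parameters and look fine.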
@@ -9375,7 +9523,7 @@ NTSTATUS NTAPI RtlLookupAtomInAtomTable( _In_ PVOID AtomTableHandle, - _In_ PWSTR AtomName, + _In_ PCWSTR AtomName, _Out_opt_ PRTL_ATOM Atom ); @@ -10962,7 +11110,7 @@ _IRQL_requires_same_ NTSTATUS NTAPI RTL_QUERY_REGISTRY_ROUTINE( - _In_z_ PWSTR ValueName, + _In_z_ PCWSTR ValueName, _In_ ULONG ValueType, _In_reads_bytes_opt_(ValueLength) PVOID ValueData, _In_ ULONG ValueLength, @@ -11392,6 +11540,11 @@ RtlLocateSupervisorFeature( ); #endif +#define ELEVATION_FLAG_TOKEN_CHECKS 0x00000001 +#define ELEVATION_FLAG_VIRTUALIZATION 0x00000002 +#define ELEVATION_FLAG_SHORTCUT_REDIR 0x00000004 +#define ELEVATION_FLAG_NO_SIGNATURE_CHECK 0x00000008 + // private typedef union _RTL_ELEVATION_FLAGS { @@ -11401,7 +11554,8 @@ typedef union _RTL_ELEVATION_FLAGS ULONG ElevationEnabled : 1; ULONG VirtualizationEnabled : 1; ULONG InstallerDetectEnabled : 1; - ULONG ReservedBits : 29; + ULONG AdminApprovalModeType : 2; + ULONG ReservedBits : 27; }; } RTL_ELEVATION_FLAGS, * PRTL_ELEVATION_FLAGS; @@ -11498,7 +11652,7 @@ RtlGetUnloadEventTrace( ); NTSYSAPI -VOID +PRTL_UNLOAD_EVENT_TRACE NTAPI RtlGetUnloadEventTraceEx( _Out_ PULONG * ElementSize, @@ -11720,7 +11874,7 @@ NTSYSAPI NTSTATUS NTAPI RtlQueryImageMitigationPolicy( - _In_opt_ PWSTR ImagePath, // NULL for system-wide defaults + _In_opt_ PCWSTR ImagePath, // NULL for system-wide defaults _In_ IMAGE_MITIGATION_POLICY Policy, _In_ ULONG Flags, _Inout_ PVOID Buffer, @@ -11732,7 +11886,7 @@ NTSYSAPI NTSTATUS NTAPI RtlSetImageMitigationPolicy( - _In_opt_ PWSTR ImagePath, // NULL for system-wide defaults + _In_opt_ PCWSTR ImagePath, // NULL for system-wide defaults _In_ IMAGE_MITIGATION_POLICY Policy, _In_ ULONG Flags, _Inout_ PVOID Buffer, 
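Review bot: Changing the callback typedef RTL_QUERY_REGISTRY_ROUTINE to take `_In_z_ PCWSTR ValueName` in the @@ -10962 hunk is a source-breaking change, unlike the other PCWSTR edits in this commit: every existing callback written against `PWSTR ValueName` now has an incompatible function-pointer type when stored in an RTL_QUERY_REGISTRY_TABLE, and the WDK's ntddk.h declares the routine with PWSTR, so code that sees both headers diverges. Either keep the typedef as it was, or call the break out in the commit message and keep it out of the kernel-mode build where ntddk.h is the authority. In the @@ -11498 hunk RtlGetUnloadEventTraceEx's return type changes from VOID to PRTL_UNLOAD_EVENT_TRACE without a `// rev` marker; if that comes from reversing rather than the WDK, mark it and add `// the documented contract returns the array via EventTrace; do not rely on the return value` so callers stay portable.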
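Review bot: The four ELEVATION_FLAG_* constants added in the @@ -11392 hunk sit directly above the RTL_ELEVATION_FLAGS bit-field union, but nothing says how the two relate: the union's named bits (ElevationEnabled, VirtualizationEnabled, InstallerDetectEnabled, the new AdminApprovalModeType) do not map one-to-one onto TOKEN_CHECKS / VIRTUALIZATION / SHORTCUT_REDIR / NO_SIGNATURE_CHECK, the first bit of the union is outside the hunk, and the routine that consumes ELEVATION_FLAG_* is not shown. A one-line comment naming that consumer, e.g. `// ELEVATION_FLAG_*: Flags argument of <routine> — not the same bit layout as RTL_ELEVATION_FLAGS (confirm)`, would stop readers from masking one with the other. NO_SIGNATURE_CHECK in particular is a value a security reviewer will want to trace to its consumer.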
@@ -11837,13 +11991,192 @@ RtlIsMultiUsersInSessionSku( // #ifndef _KERNEL_MODE + +// private +typedef enum _SMAPINUMBER +{ + SmNotImplementedApi = 0, + SmSessionCompleteApi = 1, + SmNotImplemented2Api = 2, + SmExecPgmApi = 3, + SmLoadDeferedSubsystemApi = 4, + SmStartCsrApi = 5, + SmStopCsrApi = 6, + SmStartServerSiloApi = 7, + SmMaxApiNumber = 8, +} SMAPINUMBER, * PSMAPINUMBER; + +// private +typedef struct _SMSESSIONCOMPLETE +{ + _In_ ULONG SessionId; + _In_ NTSTATUS CompletionStatus; +} SMSESSIONCOMPLETE, * PSMSESSIONCOMPLETE; + +// private +typedef struct _SMEXECPGM +{ + _In_ RTL_USER_PROCESS_INFORMATION ProcessInformation; + _In_ BOOLEAN DebugFlag; +} SMEXECPGM, * PSMEXECPGM; + +// private +typedef struct _SMLOADDEFERED +{ + _In_ ULONG SubsystemNameLength; + _In_ _Field_size_bytes_(SubsystemNameLength) WCHAR SubsystemName[32]; +} SMLOADDEFERED, * PSMLOADDEFERED; + +// private +typedef struct _SMSTARTCSR +{ + _Inout_ ULONG MuSessionId; + _In_ ULONG InitialCommandLength; + _In_ _Field_size_bytes_(InitialCommandLength) WCHAR InitialCommand[128]; + _Out_ HANDLE InitialCommandProcessId; + _Out_ HANDLE WindowsSubSysProcessId; +} SMSTARTCSR, * PSMSTARTCSR; + +// private +typedef struct _SMSTOPCSR +{ + _In_ ULONG MuSessionId; +} SMSTOPCSR, * PSMSTOPCSR; + +// private +typedef struct _SMSTARTSERVERSILO +{ + _In_ HANDLE JobHandle; + _In_ BOOLEAN CreateSuspended; +} SMSTARTSERVERSILO, * PSMSTARTSERVERSILO; + +// private +typedef struct _SMAPIMSG +{ + PORT_MESSAGE h; + SMAPINUMBER ApiNumber; + NTSTATUS ReturnedStatus; + union + { + union + { + SMSESSIONCOMPLETE SessionComplete; + SMEXECPGM ExecPgm; + SMLOADDEFERED LoadDefered; + SMSTARTCSR StartCsr; + SMSTOPCSR StopCsr; + SMSTARTSERVERSILO StartServerSilo; + }; + } u; +} SMAPIMSG, * PSMAPIMSG; + +// SbApiPort + +// private +typedef enum _SBAPINUMBER +{ + SbCreateSessionApi = 0, + SbTerminateSessionApi = 1, + SbForeignSessionCompleteApi = 2, + SbCreateProcessApi = 3, + SbMaxApiNumber = 4, +} SBAPINUMBER, * PSBAPINUMBER; + 
+// private +typedef struct _SBCONNECTINFO +{ + _In_ ULONG SubsystemImageType; + _In_ WCHAR EmulationSubSystemPortName[120]; +} SBCONNECTINFO, * PSBCONNECTINFO; + +// private +typedef struct _SBCREATESESSION +{ + _In_ ULONG SessionId; + _In_ RTL_USER_PROCESS_INFORMATION ProcessInformation; + _In_opt_ PVOID UserProfile; + _In_ ULONG DebugSession; + _In_ CLIENT_ID DebugUiClientId; +} SBCREATESESSION, * PSBCREATESESSION; + +// private +typedef struct _SBTERMINATESESSION +{ + _In_ ULONG SessionId; + _In_ NTSTATUS TerminationStatus; +} SBTERMINATESESSION, * PSBTERMINATESESSION; + +// private +typedef struct _SBFOREIGNSESSIONCOMPLETE +{ + _In_ ULONG SessionId; + _In_ NTSTATUS TerminationStatus; +} SBFOREIGNSESSIONCOMPLETE, * PSBFOREIGNSESSIONCOMPLETE; + +// dbg/rev +#define SMP_DEBUG_FLAG 0x00000001 +#define SMP_ASYNC_FLAG 0x00000002 +#define SMP_DONT_START 0x00000004 + +// private +typedef struct _SBCREATEPROCESSIN +{ + _In_ PUNICODE_STRING ImageFileName; + _In_ PUNICODE_STRING CurrentDirectory; + _In_ PUNICODE_STRING CommandLine; + _In_opt_ PUNICODE_STRING DefaultLibPath; + _In_ ULONG Flags; // SMP_* + _In_ ULONG DefaultDebugFlags; +} SBCREATEPROCESSIN, * PSBCREATEPROCESSIN; + +// private +typedef struct _SBCREATEPROCESSOUT +{ + _Out_ HANDLE Process; + _Out_ HANDLE Thread; + _Out_ ULONG SubSystemType; + _Out_ CLIENT_ID ClientId; +} SBCREATEPROCESSOUT, * PSBCREATEPROCESSOUT; + +// private +typedef struct _SBCREATEPROCESS +{ + union + { + SBCREATEPROCESSIN i; + SBCREATEPROCESSOUT o; + }; +} SBCREATEPROCESS, * PSBCREATEPROCESS; + +// private +typedef struct _SBAPIMSG +{ + PORT_MESSAGE h; + union + { + SBCONNECTINFO ConnectionRequest; + struct + { + SBAPINUMBER ApiNumber; + NTSTATUS ReturnedStatus; + union + { + SBCREATESESSION CreateSession; + SBTERMINATESESSION TerminateSession; + SBFOREIGNSESSIONCOMPLETE ForeignSessionComplete; + SBCREATEPROCESS CreateProcessA; + }; + }; + } u; +} SBAPIMSG, * PSBAPIMSG; + NTSYSAPI NTSTATUS NTAPI RtlConnectToSm( - _In_ PCUNICODE_STRING 
ApiPortName, - _In_ HANDLE ApiPortHandle, - _In_ DWORD ProcessImageType, + _In_opt_ PCUNICODE_STRING ApiPortName, + _In_opt_ HANDLE ApiPortHandle, + _In_ ULONG ProcessImageType, _Out_ PHANDLE SmssConnection ); @@ -11852,7 +12185,7 @@ NTSTATUS NTAPI RtlSendMsgToSm( _In_ HANDLE ApiPortHandle, - _In_ PPORT_MESSAGE MessageData + _Inout_updates_(MessageData->u1.s1.TotalLength) PPORT_MESSAGE MessageData ); #endif 
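Review bot: In the SMSTARTCSR and SMLOADDEFERED structures added in the @@ -11837 hunk, `InitialCommand[128]` and `SubsystemName[32]` are fixed-size WCHAR arrays annotated `_Field_size_bytes_(InitialCommandLength)` and `_Field_size_bytes_(SubsystemNameLength)`. That annotation tells the analyzer the buffer is as large as the length field claims, which is backwards for a message that arrives over an LPC port: the length is the untrusted part and the array bound is the fixed truth. `_Field_size_bytes_part_(sizeof(InitialCommand), InitialCommandLength)` (and likewise for SubsystemName) expresses that the length must not exceed the array, so a receiver copying InitialCommandLength bytes without a check is flagged rather than silently over-reading the message. RtlConnectToSm at the end of the hunk now allows both ApiPortName and ApiPortHandle to be NULL; a comment stating which wins when both are supplied and what happens when neither is would make the `_In_opt_` change meaningful.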
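Review bot: The annotation `_Inout_updates_(MessageData->u1.s1.TotalLength) PPORT_MESSAGE MessageData` in the @@ -11852 hunk counts in the wrong unit: `_Inout_updates_` is an element count, the element type here is PORT_MESSAGE, and TotalLength is the byte length of the whole message. As written it tells the analyzer the buffer holds TotalLength PORT_MESSAGE structures, so buffer-size diagnostics on code that builds SMAPIMSG or SBAPIMSG messages will be wrong in both directions. Use `_Inout_updates_bytes_(MessageData->u1.s1.TotalLength)`.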
@@ -12215,15 +12548,16 @@ RtlAppxIsFileOwnedByTrustedInstaller( #endif // (NTDDI_VERSION >= NTDDI_WIN8) // Windows Internals book -#define PSM_ACTIVATION_TOKEN_PACKAGED_APPLICATION 0x00000001 -#define PSM_ACTIVATION_TOKEN_SHARED_ENTITY 0x00000002 -#define PSM_ACTIVATION_TOKEN_FULL_TRUST 0x00000004 -#define PSM_ACTIVATION_TOKEN_NATIVE_SERVICE 0x00000008 -#define PSM_ACTIVATION_TOKEN_DEVELOPMENT_APP 0x00000010 -#define PSM_ACTIVATION_TOKEN_BREAKAWAY_INHIBITED 0x00000020 -#define PSM_ACTIVATION_TOKEN_RUNTIME_BROKER 0x00000040 // rev -#define PSM_ACTIVATION_TOKEN_UNIVERSAL_CONSOLE 0x00000200 // rev -#define PSM_ACTIVATION_TOKEN_WIN32ALACARTE_PROCESS 0x00010000 // rev +#define PSM_ACTIVATION_TOKEN_PACKAGED_APPLICATION 0x00000001UL // AppX package format +#define PSM_ACTIVATION_TOKEN_SHARED_ENTITY 0x00000002UL // Shared token, multiple binaries in the same package +#define PSM_ACTIVATION_TOKEN_FULL_TRUST 0x00000004UL // Trusted (Centennial), converted Win32 application +#define PSM_ACTIVATION_TOKEN_NATIVE_SERVICE 0x00000008UL // Packaged service created by SCM +//#define PSM_ACTIVATION_TOKEN_DEVELOPMENT_APP 0x00000010UL +#define PSM_ACTIVATION_TOKEN_MULTIPLE_INSTANCES_ALLOWED 0x00000010UL +#define PSM_ACTIVATION_TOKEN_BREAKAWAY_INHIBITED 0x00000020UL // Cannot create non-packaged child processes +#define PSM_ACTIVATION_TOKEN_RUNTIME_BROKER 0x00000040UL // rev +#define PSM_ACTIVATION_TOKEN_UNIVERSAL_CONSOLE 0x00000200UL // rev +#define PSM_ACTIVATION_TOKEN_WIN32ALACARTE_PROCESS 0x00010000UL // rev #if defined(_KERNEL_MODE) && !defined(_WINDOWS_) // PackageOrigin appmodel.h diff --git a/Veil/Veil.System.UserManagerService.h b/Veil/Veil.System.UserManagerService.h index 30833a9..f98a123 100644 --- a/Veil/Veil.System.UserManagerService.h +++ b/Veil/Veil.System.UserManagerService.h @@ -83,7 +83,7 @@ USERMGRAPI HRESULT WINAPI UMgrQueryUserContextFromSid( - _In_ PWSTR SidString, + _In_ PCWSTR SidString, _Out_ PULONGLONG ContextToken ); 
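Review bot: The @@ -12215 hunk comments out PSM_ACTIVATION_TOKEN_DEVELOPMENT_APP and reuses its value 0x10 as PSM_ACTIVATION_TOKEN_MULTIPLE_INSTANCES_ALLOWED, which silently breaks any consumer that referenced the old name and leaves no record of which meaning is right. If the bit has been re-identified, keep a compatibility alias with a note, `#define PSM_ACTIVATION_TOKEN_DEVELOPMENT_APP PSM_ACTIVATION_TOKEN_MULTIPLE_INSTANCES_ALLOWED // old name, kept for source compatibility`, and cite where the new name comes from — the other flags carry `// rev` or the "Windows Internals book" attribution, this one carries neither. The explanatory trailing comments on the remaining flags are a useful addition.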
@@ -92,7 +92,7 @@ USERMGRAPI HRESULT WINAPI UMgrQueryUserContextFromName( - _In_ PWSTR UserName, + _In_ PCWSTR UserName, _Out_ PULONGLONG ContextToken ); @@ -133,7 +133,7 @@ USERMGRAPI HRESULT WINAPI UMgrQueryUserTokenFromSid( - _In_ PWSTR SidString, + _In_ PCWSTR SidString, _Out_ PHANDLE TokenHandle ); @@ -142,7 +142,7 @@ USERMGRAPI HRESULT WINAPI UMgrQueryUserTokenFromName( - _In_ PWSTR UserName, + _In_ PCWSTR UserName, _Out_ PHANDLE TokenHandle ); diff --git a/Veil/Veil.System.Win32.h b/Veil/Veil.System.Win32.h index 1a68453..9ce4f70 100644 --- a/Veil/Veil.System.Win32.h +++ b/Veil/Veil.System.Win32.h @@ -597,7 +597,7 @@ typedef enum _WINDOWINFOCLASS WindowDefaultInputContext = 9, // q: HIMC } WINDOWINFOCLASS, * PWINDOWINFOCLASS; -NTSYSCALLAPI +__kernel_entry W32KAPI ULONG_PTR NTAPI NtUserQueryWindow( @@ -605,14 +605,14 @@ NtUserQueryWindow( _In_ WINDOWINFOCLASS WindowInfo ); -NTSYSCALLAPI +__kernel_entry W32KAPI NTSTATUS NTAPI NtUserTestForInteractiveUser( _In_ PLUID AuthenticationId ); -NTSYSCALLAPI +__kernel_entry W32KAPI NTSTATUS NTAPI NtUserCheckAccessForIntegrityLevel( @@ -621,7 +621,7 @@ NtUserCheckAccessForIntegrityLevel( _Out_ PBOOLEAN GrantedAccess ); -NTSYSCALLAPI +__kernel_entry W32KAPI NTSTATUS NTAPI NtUserCheckProcessForClipboardAccess( @@ -629,7 +629,7 @@ NtUserCheckProcessForClipboardAccess( _Out_ PULONG GrantedAccess ); -NTSYSCALLAPI +__kernel_entry W32KAPI ULONG NTAPI NtUserInternalGetWindowText( @@ -638,6 +638,14 @@ NtUserInternalGetWindowText( _In_ ULONG cchMaxCount ); +__kernel_entry W32KAPI +HICON +NTAPI +NtUserInternalGetWindowIcon( + _In_ HWND WindowHandle, + _In_ ULONG IconType +); + typedef enum _CONSOLECONTROL { ConsoleSetVDMCursorBounds = 0, // RECT @@ -650,6 +658,8 @@ typedef enum _CONSOLECONTROL ConsoleEndTask = 7, // CONSOLEENDTASK } CONSOLECONTROL; +#define CPI_NEWPROCESSWINDOW 0x0001 + typedef struct _CONSOLE_PROCESS_INFO { ULONG ProcessID; 
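Review bot: NtUserInternalGetWindowIcon in the @@ -638 hunk is added with no `// rev` marker and no description of `IconType`; nothing in the hunk says which values it accepts or who owns the returned HICON (whether the caller must destroy it). If it backs the ICON_BIG / ICON_SMALL / ICON_SMALL2 selection that WM_GETICON uses — plausible from the name, but confirm — a comment `_In_ ULONG IconType // ICON_BIG, ICON_SMALL or ICON_SMALL2 (confirm)` plus a note on ownership of the returned handle would save the next reader a disassembly. The switch from NTSYSCALLAPI to `__kernel_entry W32KAPI` on the NtUser* routines in the surrounding hunks is consistent with the other win32k entry points in this file.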
@@ -694,7 +704,7 @@ typedef struct _CONSOLEENDTASK * @param ConsoleInformationLength The size of the structure pointed to by the ConsoleInformation parameter. * @return Successful or errant status. */ -NTSYSCALLAPI +__kernel_entry W32KAPI NTSTATUS NTAPI NtUserConsoleControl( @@ -715,7 +725,7 @@ NtUserConsoleControl( * @param ConsoleInformationLength The size of the structure pointed to by the ConsoleInformation parameter. * @return Successful or errant status. */ -NTSYSCALLAPI +__kernel_entry W32KAPI NTSTATUS NTAPI ConsoleControl( 
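Review bot: The @@ -715 hunk annotates ConsoleControl with `__kernel_entry W32KAPI`, the same as NtUserConsoleControl in the preceding hunk, yet the name lacks the NtUser prefix that marks the win32k system calls in this file. If ConsoleControl is the user-mode wrapper that forwards to NtUserConsoleControl — which the naming and the identical parameter list suggest, but the hunk cannot confirm — `__kernel_entry` is wrong on it, because that annotation tells SAL the routine is a kernel entry point whose arguments cross the user/kernel boundary. Keep `W32KAPI` without `__kernel_entry` for the wrapper, or add a comment stating that ConsoleControl is itself exported as a syscall stub. The prototype continues outside the hunk.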
@@ -726,6 +736,1119 @@ ConsoleControl(
 #endif
+/**
+ * Opens the specified window station.
+ *
+ * @param ObjectAttributes The name of the window station to be opened. Window station names are case-insensitive. This window station must belong to the current session.
+ * @param DesiredAccess The access to the window station.
+ * @return Successful or errant status.
+ */
+__kernel_entry W32KAPI
+HWINSTA
+NTAPI
+NtUserOpenWindowStation(
+ _In_ OBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ ACCESS_MASK DesiredAccess
+);
+
+__kernel_entry W32KAPI
+HWINSTA
+NTAPI
+NtUserCreateWindowStation(
+ _In_ OBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ HANDLE KeyboardLayoutHandle,
+ _In_opt_ PVOID KeyboardLayoutOffset,
+ _In_opt_ PVOID NlsTableOffset,
+ _In_opt_ PVOID KeyboardDescriptor,
+ _In_opt_ UNICODE_STRING LanguageIdString,
+ _In_opt_ ULONG KeyboardLocale
+);
+
+__kernel_entry W32KAPI
+NTSTATUS
+NTAPI
+NtUserBuildHwndList(
+ _In_opt_ HANDLE DesktopHandle,
+ _In_opt_ HWND StartWindowHandle,
+ _In_opt_ LOGICAL IncludeChildren,
+ _In_opt_ LOGICAL ExcludeImmersive,
+ _In_opt_ ULONG ThreadId,
+ _In_ ULONG HwndListInformationLength,
+ _Out_writes_bytes_(HwndListInformationLength) PVOID HwndListInformation,
+ _Out_ PULONG ReturnLength
+);
+
+__kernel_entry W32KAPI
+NTSTATUS
+NTAPI
+NtUserBuildNameList(
+ _In_ HWINSTA WindowStationHandle, // GetProcessWindowStation
+ _In_ ULONG NameListInformationLength,
+ _Out_writes_bytes_(NameListInformationLength) PVOID NameListInformation,
+ _Out_opt_ PULONG ReturnLength
+);
+
+__kernel_entry W32KAPI
+NTSTATUS
+NTAPI
+NtUserBuildPropList(
+ _In_ HWINSTA WindowStationHandle,
+ _In_ ULONG PropListInformationLength,
+ _Out_writes_bytes_(PropListInformationLength) PVOID PropListInformation,
+ _Out_opt_ PULONG ReturnLength
+);
+
+__kernel_entry W32KAPI
+HWND
+NTAPI
+NtUserGetProcessWindowStation(
+ VOID
+);
+
+__kernel_entry W32KAPI
+LOGICAL
+NTAPI
+NtUserCloseWindowStation(
+ _In_ HWINSTA WindowStationHandle
+);
+
+__kernel_entry W32KAPI
+LOGICAL
+NTAPI
+NtUserSetProcessWindowStation(
+ _In_ HWINSTA WindowStationHandle
+);
+
+NTSYSAPI
+LOGICAL
+NTAPI
+SetWindowStationUser(
+ _In_ HWINSTA WindowStationHandle,
+ _In_ PLUID UserLogonId,
+ _In_ PSID UserSid,
+ _In_ ULONG UserSidLength
+);
+
+__kernel_entry W32KAPI
+LOGICAL
+NTAPI
+NtUserSetWindowStationUser(
+ _In_ HWINSTA WindowStationHandle,
+ _In_ PLUID UserLogonId,
+ _In_ PSID UserSid,
+ _In_ ULONG UserSidLength
+);
+
+__kernel_entry W32KAPI
+HANDLE
+NTAPI
+NtUserOpenDesktop(
+ _In_ PCOBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ ULONG Flags,
+ _In_ ACCESS_MASK DesiredAccess
+);
+
+__kernel_entry W32KAPI
+LOGICAL
+NTAPI
+NtUserSetThreadDesktop(
+ _In_ HDESK DesktopHandle
+);
+
+__kernel_entry W32KAPI
+LOGICAL
+NTAPI
+NtUserSwitchDesktop(
+ _In_ HDESK DesktopHandle,
+ _In_opt_ ULONG Flags,
+ _In_opt_ ULONG FadeTime
+);
+
+__kernel_entry W32KAPI
+LOGICAL
+NTAPI
+NtUserGetIconInfo(
+ _In_ HICON IconOrCursorHandle,
+ _Out_ PICONINFO Iconinfo,
+ _Inout_opt_ PUNICODE_STRING Name,
+ _Inout_opt_ PUNICODE_STRING ResourceId,
+ _Out_opt_ PULONG ColorBits,
+ _In_ LOGICAL IsCursorHandle
+);
+
+__kernel_entry W32KAPI
+LOGICAL
+NTAPI
+NtUserGetIconSize(
+ _In_ HGDIOBJ IconOrCursorHandle,
+ _In_ LOGICAL IsCursorHandle,
+ _Out_ PULONG XX,
+ _Out_ PULONG YY
+);
+
+__kernel_entry W32KAPI
+HWND
+NTAPI
+NtUserGetForegroundWindow(
+ VOID
+);
+
+__kernel_entry W32KAPI
+HWND
+NTAPI
+NtUserSetActiveWindow(
+ _In_ HWND WindowHandle
+);
+
+__kernel_entry W32KAPI
+HWND
+NTAPI
+NtUserSetFocus(
+ _In_ HWND WindowHandle
+);
+
+__kernel_entry W32KAPI
+ULONG_PTR
+NTAPI
+NtUserGetThreadState(
+ _In_ ULONG UserThreadState
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserSetWindowPlacement(
+ _In_ HWND WindowHandle,
+ _Inout_ const WINDOWPLACEMENT* lpwndpl
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserAttachThreadInput(
+ _In_ ULONG IdAttach,
+ _In_ ULONG IdAttachTo,
+ _In_ BOOL Attach
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserBlockInput(
+ _In_ BOOL BlockInput
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+tUserCalculatePopupWindowPosition(
+ _In_ const POINT* anchorPoint,
+ _In_ const SIZE* windowSize,
+ _In_ ULONG flags,
+ _Inout_ RECT* excludeRect,
+ _Inout_ RECT* popupWindowPosition
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserChangeWindowMessageFilterEx(
+ _In_ HWND WindowHandle,
+ _In_ ULONG message,
+ _In_ ULONG action,
+ _Inout_ PCHANGEFILTERSTRUCT pChangeFilterStruct
+);
+
+__kernel_entry W32KAPI
+HWND
+NTAPI
+NtUserChildWindowFromPointEx(
+ _In_ HWND WindowHandle,
+ _In_ POINT pt,
+ _In_ ULONG flags
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserClipCursor(
+ _In_ const RECT* lpRect
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserCloseDesktop(
+ _In_ HDESK hDesktop
+);
+
+__kernel_entry W32KAPI
+LONG
+NTAPI
+NtUserCopyAcceleratorTable(
+ _In_ HACCEL hAccelSrc,
+ _In_ LPACCEL lpAccelDst,
+ _In_ LONG cAccelEntries
+);
+
+__kernel_entry W32KAPI
+HACCEL
+NTAPI
+NtUserCreateAcceleratorTable(
+ _In_ LPACCEL paccel,
+ _In_ LONG cAccel
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserDeleteMenu(
+ _In_ HMENU hMenu,
+ _In_ ULONG uPosition,
+ _In_ ULONG uFlags
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserDestroyMenu(
+ _In_ HMENU hMenu
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserDragDetect(
+ _In_ HWND WindowHandle,
+ _In_ POINT pt
+);
+
+__kernel_entry W32KAPI
+ULONG
+NTAPI
+NtUserDragObject(
+ _In_ HWND WindowHandleParent,
+ _In_ HWND WindowHandleFrom,
+ _In_ ULONG fmt,
+ _In_ ULONG_PTR data,
+ _In_ HCURSOR hcur
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserDrawAnimatedRects(
+ _In_ HWND WindowHandle,
+ _In_ int idAni,
+ _In_ const RECT* lprcFrom,
+ _In_ const RECT* lprcTo
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserEndMenu(
+ VOID
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserEnumDisplayMonitors(
+ _In_ HDC hdc,
+ _In_ LPCRECT lprcClip,
+ _In_ MONITORENUMPROC lpfnEnum,
+ _In_ LPARAM dwData
+);
+
+__kernel_entry W32KAPI
+HRGN
+NTAPI
+NtUserExcludeUpdateRgn(
+ _In_ HDC hDC,
+ _In_ HWND WindowHandle
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserFlashWindowEx(
+ _In_ PFLASHWINFO pfwi
+);
+
+__kernel_entry W32KAPI
+HWND
+NTAPI
+NtUserGetAncestor(
+ _In_ HWND WindowHandle,
+ _In_ ULONG gaFlags
+);
+
+__kernel_entry W32KAPI
+ULONG
+NTAPI
+NtUserGetCaretBlinkTime(
+ VOID
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserGetCaretPos(
+ _In_ LPPOINT lpPoint
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserGetClipCursor(
+ _In_ LPRECT lpRect
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserGetComboBoxInfo(
+ _In_ HWND WindowHandleCombo,
+ _Inout_ PCOMBOBOXINFO pcbi
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserGetCurrentInputMessageSource(
+ _Inout_ INPUT_MESSAGE_SOURCE* InputMessageSource
+);
+
+__kernel_entry W32KAPI
+HCURSOR
+NTAPI
+NtUserGetCursor();
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserGetCursorInfo(
+ _In_ PCURSORINFO pci
+);
+
+__kernel_entry W32KAPI
+HDC
+NTAPI
+NtUserGetDCEx(
+ _In_ HWND WindowHandle,
+ _In_ HRGN hrgnClip,
+ _In_ ULONG flags
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserGetDisplayAutoRotationPreferences(
+ _In_ ORIENTATION_PREFERENCE* pOrientation
+);
+
+__kernel_entry W32KAPI
+ULONG
+NTAPI
+NtUserGetDoubleClickTime();
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserGetGUIThreadInfo(
+ _In_ ULONG idThread,
+ _In_ PGUITHREADINFO pgui
+);
+
+#ifndef GR_GDIOBJECTS
+#define GR_GDIOBJECTS 0
+#endif
+#ifndef GR_USEROBJECTS
+#define GR_USEROBJECTS 1
+#endif
+#ifndef GR_GDIOBJECTS_PEAK
+#define GR_GDIOBJECTS_PEAK 2
+#endif
+#ifndef GR_USEROBJECTS_PEAK
+#define GR_USEROBJECTS_PEAK 4
+#endif
+
+__kernel_entry W32KAPI
+ULONG
+NTAPI
+NtUserGetGuiResources(
+ _In_ HANDLE ProcessHandle,
+ _In_ ULONG uiFlags
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserGetLayeredWindowAttributes(
+ _In_ HWND WindowHandle,
+ _In_ COLORREF* pcrKey,
+ _In_ BYTE* pbAlpha,
+ _In_ ULONG pdwFlags
+);
+
+__kernel_entry W32KAPI
+ULONG
+NTAPI
+NtUserGetListBoxInfo(
+ _In_ HWND WindowHandle
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserGetMenuBarInfo(
+ _In_ HWND WindowHandle,
+ _In_ LONG idObject,
+ _In_ LONG idItem,
+ _In_ PMENUBARINFO pmbi
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserGetMenuItemRect(
+ _In_ HWND WindowHandle,
+ _In_ HMENU hMenu,
+ _In_ ULONG uItem,
+ _In_ LPRECT lprcItem
+);
+
+__kernel_entry W32KAPI
+LONG
+NTAPI
+NtUserGetMouseMovePointsEx(
+ _In_ ULONG cbSize,
+ _In_ LPMOUSEMOVEPOINT lppt,
+ _In_ LPMOUSEMOVEPOINT lpptBuf,
+ _In_ LONG nBufPoints,
+ _In_ ULONG resolution
+);
+
+__kernel_entry W32KAPI
+ULONG
+NTAPI
+NtUserGetRawInputData(
+ _In_ HRAWINPUT hRawInput,
+ _In_ ULONG uiCommand,
+ _In_ LPVOID pData,
+ _In_ PULONG pcbSize,
+ _In_ ULONG cbSizeHeader
+);
+
+__kernel_entry W32KAPI
+ULONG
+NTAPI
+NtUserGetRegisteredRawInputDevices(
+ _In_ PRAWINPUTDEVICE pRawInputDevices,
+ _In_ PULONG puiNumDevices,
+ _In_ ULONG cbSize
+);
+
+__kernel_entry W32KAPI
+HMENU
+NTAPI
+NtUserGetSystemMenu(
+ _In_ HWND WindowHandle,
+ _In_ BOOL bRevert
+);
+
+__kernel_entry W32KAPI
+HDESK
+NTAPI
+NtUserGetThreadDesktop(
+ _In_ ULONG ThreadId
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserGetTitleBarInfo(
+ _In_ HWND WindowHandle,
+ _In_ PTITLEBARINFO pti
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserGetObjectInformation(
+ _In_ HANDLE hObj,
+ _In_ LONG Index,
+ _In_ PVOID vInfo,
+ _In_ ULONG Length,
+ _In_ PULONG LengthNeeded
+);
+
+__kernel_entry W32KAPI
+HDC
+NTAPI
+NtUserGetWindowDC(
+ _In_ HWND WindowHandle
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserGetWindowPlacement(
+ _In_ HWND WindowHandle,
+ _In_opt_ WINDOWPLACEMENT* lpwndpl
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserHiliteMenuItem(
+ _In_ HWND WindowHandle,
+ _In_ HMENU Menu,
+ _In_ ULONG IDHiliteItem,
+ _In_ ULONG Hilite
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserInvalidateRect(
+ _In_ HWND WindowHandle,
+ _In_ const RECT* Rect,
+ _In_ BOOL Erase
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserInvalidateRgn(
+ _In_ HWND WindowHandle,
+ _In_ HRGN hRgn,
+ _In_ BOOL Erase
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserIsTouchWindow(
+ _In_ HWND WindowHandle,
+ _In_ PULONG Flags
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserKillTimer(
+ _In_ HWND WindowHandle,
+ _In_ ULONG_PTR IDEvent
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserLockWorkStation(
+ VOID
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserLogicalToPhysicalPoint(
+ _In_ HWND WindowHandle,
+ _In_ LPPOINT lpPoint
+);
+
+__kernel_entry W32KAPI
+LONG
+NTAPI
+NtUserMenuItemFromPoint(
+ _In_ HWND WindowHandle,
+ _In_ HMENU hMenu,
+ _In_ POINT ptScreen
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserMoveWindow(
+ _In_ HWND WindowHandle,
+ _In_ LONG X,
+ _In_ LONG Y,
+ _In_ LONG nWidth,
+ _In_ LONG nHeight,
+ _In_ BOOL bRepaint
+);
+
+__kernel_entry W32KAPI
+HDESK
+NTAPI
+NtUserOpenInputDesktop(
+ _In_ ULONG Flags,
+ _In_ BOOL Inherit,
+ _In_ ACCESS_MASK DesiredAccess
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserPhysicalToLogicalPoint(
+ _In_ HWND WindowHandle,
+ _In_ LPPOINT lpPoint
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserPrintWindow(
+ _In_ HWND WindowHandle,
+ _In_ HDC hdcBlt,
+ _In_ ULONG nFlags
+);
+
+typedef enum _USERTHREADINFOCLASS USERTHREADINFOCLASS;
+
+__kernel_entry W32KAPI
+NTSTATUS
+NTAPI
+NtUserQueryInformationThread(
+ _In_ HANDLE ThreadHandle,
+ _In_ USERTHREADINFOCLASS ThreadInformationClass,
+ _Out_writes_bytes_(ThreadInformationLength) PVOID ThreadInformation,
+ _In_ ULONG ThreadInformationLength,
+ _Out_opt_ PULONG ReturnLength
+);
+
+__kernel_entry W32KAPI
+NTSTATUS
+NTAPI
+NtUserSetInformationThread(
+ _In_ HANDLE ThreadHandle,
+ _In_ USERTHREADINFOCLASS ThreadInformationClass,
+ _In_reads_bytes_(ThreadInformationLength) PVOID ThreadInformation,
+ _In_ ULONG ThreadInformationLength
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+QuerySendMessage(
+ _Inout_ MSG* pMsg
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserRedrawWindow(
+ _In_ HWND WindowHandle,
+ _In_ const PRECT lprcUpdate,
+ _In_ HRGN hrgnUpdate,
+ _In_ ULONG flags
+);
+
+__kernel_entry W32KAPI
+HWND
+NTAPI
+NtUserRealChildWindowFromPoint(
+ _In_ HWND WindowHandleParent,
+ _In_ POINT ptParentClientCoords
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserRegisterHotKey(
+ _In_ HWND WindowHandle,
+ _In_ LONG id,
+ _In_ ULONG fsModifiers,
+ _In_ ULONG vk
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserRemoveMenu(
+ _In_ HMENU hMenu,
+ _In_ ULONG uPosition,
+ _In_ ULONG uFlags
+);
+
+__kernel_entry W32KAPI
+ULONG
+NTAPI
+NtUserSendInput(
+ _In_ ULONG cInputs,
+ _In_ LPINPUT pInputs,
+ _In_ LONG cbSize
+);
+
+__kernel_entry W32KAPI
+HWND
+NTAPI
+NtUserSetActiveWindow(
+ _In_ HWND WindowHandle
+);
+
+__kernel_entry W32KAPI
+HWND
+NTAPI
+NtUserSetCapture(
+ _In_ HWND WindowHandle
+);
+
+__kernel_entry W32KAPI
+ULONG_PTR
+NTAPI
+NtUserSetTimer(
+ _In_ HWND WindowHandle,
+ _In_ ULONG_PTR nIDEvent,
+ _In_ ULONG uElapse,
+ _In_ TIMERPROC lpTimerFunc,
+ _In_ ULONG uToleranceDelay
+);
+
+__kernel_entry W32KAPI
+WORD
+NTAPI
+NtUserSetClassWord(
+ _In_ HWND WindowHandle,
+ _In_ LONG nIndex,
+ _In_ WORD wNewWord
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserSetCursorPos(
+ _In_ LONG X,
+ _In_ LONG Y
+);
+
+__kernel_entry W32KAPI
+HWND
+NTAPI
+NtUserSetFocus(
+ _In_ HWND WindowHandle
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserSetLayeredWindowAttributes(
+ _In_ HWND WindowHandle,
+ _In_ COLORREF crKey,
+ _In_ BYTE bAlpha,
+ _In_ DWORD dwFlags
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserSetProcessRestrictionExemption(
+ _In_ BOOL EnableExemption
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserSetWindowPos(
+ _In_ HWND WindowHandle,
+ _In_ HWND WindowHandleInsertAfter,
+ _In_ LONG X,
+ _In_ LONG Y,
+ _In_ LONG cx,
+ _In_ LONG cy,
+ _In_ ULONG uFlags
+);
+
+__kernel_entry W32KAPI
+WORD
+NTAPI
+NtUserSetWindowWord(
+ _In_ HWND WindowHandle,
+ _In_ LONG nIndex,
+ _In_ WORD wNewWord
+);
+
+__kernel_entry W32KAPI
+HWND
+NTAPI
+NtUserShellForegroundBoostProcess(
+ _In_ HANDLE ProcessHandle,
+ _In_ HWND WindowHandle
+);
+
+__kernel_entry W32KAPI
+ULONG
+NTAPI
+NtUserSetAdditionalForegroundBoostProcesses(
+ _In_ HWND WindowHandle
+);
+
+__kernel_entry W32KAPI
+ULONG
+NTAPI
+NtUserSetAdditionalPowerThrottlingProcess(
+ _In_ HWND WindowHandle
+);
+
+__kernel_entry W32KAPI
+LONG
+NTAPI
+NtUserShowCursor(
+ _In_ BOOL bShow
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserShowWindow(
+ _In_ HWND WindowHandle,
+ _In_ LONG nCmdShow
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserShowWindowAsync(
+ _In_ HWND WindowHandle,
+ _In_ LONG nCmdShow
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserShutdownBlockReasonQuery(
+ _In_ HWND WindowHandle,
+ _Out_ LPWSTR pwszBuff,
+ _Inout_ PULONG pcchBuff
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserShutdownReasonDestroy(
+ _In_ HWND WindowHandle
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserTrackMouseEvent(
+ _In_ LPTRACKMOUSEEVENT lpEventTrack
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserTrackPopupMenuEx(
+ _In_ HMENU hMenu,
+ _In_ ULONG uFlags,
+ _In_ LONG x,
+ _In_ LONG y,
+ _In_ HWND WindowHandle,
+ _In_ LPTPMPARAMS lptpm
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserUnhookWinEvent(
+ _In_ HWINEVENTHOOK hWinEventHook
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserUnregisterHotKey(
+ _In_ HWND WindowHandle,
+ _In_ LONG id
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserUserHandleGrantAccess(
+ _In_ HANDLE UserHandle,
+ _In_ HANDLE Job,
+ _In_ BOOL Grant
+);
+
+__kernel_entry W32KAPI
+BOOL
+NTAPI
+NtUserValidateRect(
+ _In_ HWND WindowHandle,
+ _In_ const RECT* Rect
+);
+
+__kernel_entry W32KAPI
+HWND
+NTAPI
+NtUserWindowFromDC(
+ _In_ HDC hDC
+);
+
+__kernel_entry W32KAPI
+HWND
+NTAPI
+NtUserWindowFromPhysicalPoint(
+ _In_ POINT Point
+);
+
+__kernel_entry W32KAPI
+HWND
+NTAPI
+NtUserWindowFromPoint(
+ _In_ POINT Point
+);
+
+// Peb!KernelCallbackTable = user32.dll!apfnDispatch
+typedef struct _KERNEL_CALLBACK_TABLE
+{
+ ULONG_PTR __fnCOPYDATA;
+ ULONG_PTR __fnCOPYGLOBALDATA;
+ ULONG_PTR __fnEMPTY1;
+ ULONG_PTR __fnNCDESTROY;
+ ULONG_PTR __fnDWORDOPTINLPMSG;
+ ULONG_PTR __fnINOUTDRAG;
+ ULONG_PTR __fnGETTEXTLENGTHS1;
+ ULONG_PTR __fnINCNTOUTSTRING;
+ ULONG_PTR __fnINCNTOUTSTRINGNULL;
+ ULONG_PTR __fnINLPCOMPAREITEMSTRUCT;
+ ULONG_PTR __fnINLPCREATESTRUCT;
+ ULONG_PTR __fnINLPDELETEITEMSTRUCT;
+ ULONG_PTR __fnINLPDRAWITEMSTRUCT;
+ ULONG_PTR __fnPOPTINLPUINT1;
+ ULONG_PTR __fnPOPTINLPUINT2;
+ ULONG_PTR __fnINLPMDICREATESTRUCT;
+ ULONG_PTR __fnINOUTLPMEASUREITEMSTRUCT;
+ ULONG_PTR __fnINLPWINDOWPOS;
+ ULONG_PTR __fnINOUTLPPOINT51;
+ ULONG_PTR __fnINOUTLPSCROLLINFO;
+ ULONG_PTR __fnINOUTLPRECT;
+ ULONG_PTR __fnINOUTNCCALCSIZE;
+ ULONG_PTR __fnINOUTLPPOINT52;
+ ULONG_PTR __fnINPAINTCLIPBRD;
+ ULONG_PTR __fnINSIZECLIPBRD;
+ ULONG_PTR __fnINDESTROYCLIPBRD;
+ ULONG_PTR __fnINSTRINGNULL1;
+ ULONG_PTR __fnINSTRINGNULL2;
+ ULONG_PTR __fnINDEVICECHANGE;
+ ULONG_PTR __fnPOWERBROADCAST;
+ ULONG_PTR __fnINLPUAHDRAWMENU1;
+ ULONG_PTR __fnOPTOUTLPDWORDOPTOUTLPDWORD1;
+ ULONG_PTR __fnOPTOUTLPDWORDOPTOUTLPDWORD2;
+ ULONG_PTR __fnOUTDWORDINDWORD;
+ ULONG_PTR __fnOUTLPRECT;
+ ULONG_PTR __fnOUTSTRING;
+ ULONG_PTR __fnPOPTINLPUINT3;
+ ULONG_PTR __fnPOUTLPINT;
+ ULONG_PTR __fnSENTDDEMSG;
+ ULONG_PTR __fnINOUTSTYLECHANGE1;
+ ULONG_PTR __fnHkINDWORD;
+ ULONG_PTR __fnHkINLPCBTACTIVATESTRUCT;
+ ULONG_PTR __fnHkINLPCBTCREATESTRUCT;
+ ULONG_PTR __fnHkINLPDEBUGHOOKSTRUCT;
+ ULONG_PTR __fnHkINLPMOUSEHOOKSTRUCTEX1;
+ ULONG_PTR __fnHkINLPKBDLLHOOKSTRUCT;
+ ULONG_PTR __fnHkINLPMSLLHOOKSTRUCT;
+ ULONG_PTR __fnHkINLPMSG;
+ ULONG_PTR __fnHkINLPRECT;
+ ULONG_PTR __fnHkOPTINLPEVENTMSG;
+ ULONG_PTR __xxxClientCallDelegateThread;
+ ULONG_PTR __ClientCallDummyCallback1;
+ ULONG_PTR __ClientCallDummyCallback2;
+ ULONG_PTR __fnSHELLWINDOWMANAGEMENTCALLOUT;
+ ULONG_PTR __fnSHELLWINDOWMANAGEMENTNOTIFY;
+ ULONG_PTR __ClientCallDummyCallback3;
+ ULONG_PTR __xxxClientCallDitThread;
+ ULONG_PTR __xxxClientEnableMMCSS;
+ ULONG_PTR __xxxClientUpdateDpi;
+ ULONG_PTR __xxxClientExpandStringW;
+ ULONG_PTR __ClientCopyDDEIn1;
+ ULONG_PTR __ClientCopyDDEIn2;
+ ULONG_PTR __ClientCopyDDEOut1;
+ ULONG_PTR __ClientCopyDDEOut2;
+ ULONG_PTR __ClientCopyImage;
+ ULONG_PTR __ClientEventCallback;
+ ULONG_PTR __ClientFindMnemChar;
+ ULONG_PTR __ClientFreeDDEHandle;
+ ULONG_PTR __ClientFreeLibrary;
+ ULONG_PTR __ClientGetCharsetInfo;
+ ULONG_PTR __ClientGetDDEFlags;
+ ULONG_PTR __ClientGetDDEHookData;
+ ULONG_PTR __ClientGetListboxString;
+ ULONG_PTR __ClientGetMessageMPH;
+ ULONG_PTR __ClientLoadImage;
+ ULONG_PTR __ClientLoadLibrary;
+ ULONG_PTR __ClientLoadMenu;
+ ULONG_PTR __ClientLoadLocalT1Fonts;
+ ULONG_PTR __ClientPSMTextOut;
+ ULONG_PTR __ClientLpkDrawTextEx;
+ ULONG_PTR __ClientExtTextOutW;
+ ULONG_PTR __ClientGetTextExtentPointW;
+ ULONG_PTR __ClientCharToWchar;
+ ULONG_PTR __ClientAddFontResourceW;
+ ULONG_PTR __ClientThreadSetup;
+ ULONG_PTR __ClientDeliverUserApc;
+ ULONG_PTR __ClientNoMemoryPopup;
+ ULONG_PTR __ClientMonitorEnumProc;
+ ULONG_PTR __ClientCallWinEventProc;
+ ULONG_PTR __ClientWaitMessageExMPH;
+ ULONG_PTR __ClientCallDummyCallback4;
+ ULONG_PTR __ClientCallDummyCallback5;
+ ULONG_PTR __ClientImmLoadLayout;
+ ULONG_PTR __ClientImmProcessKey;
+ ULONG_PTR __fnIMECONTROL;
+ ULONG_PTR __fnINWPARAMDBCSCHAR;
+ ULONG_PTR __fnGETTEXTLENGTHS2;
+ ULONG_PTR __ClientCallDummyCallback6;
+ ULONG_PTR __ClientLoadStringW;
+ ULONG_PTR __ClientLoadOLE;
+ ULONG_PTR __ClientRegisterDragDrop;
+ ULONG_PTR __ClientRevokeDragDrop;
+ ULONG_PTR __fnINOUTMENUGETOBJECT;
+ ULONG_PTR __ClientPrinterThunk;
+ ULONG_PTR __fnOUTLPCOMBOBOXINFO;
+ ULONG_PTR __fnOUTLPSCROLLBARINFO;
+ ULONG_PTR __fnINLPUAHDRAWMENU2;
+ ULONG_PTR __fnINLPUAHDRAWMENUITEM;
+ ULONG_PTR __fnINLPUAHDRAWMENU3;
+ ULONG_PTR __fnINOUTLPUAHMEASUREMENUITEM;
+ ULONG_PTR __fnINLPUAHDRAWMENU4;
+ ULONG_PTR __fnOUTLPTITLEBARINFOEX;
+ ULONG_PTR __fnTOUCH;
+ ULONG_PTR __fnGESTURE;
+ ULONG_PTR __fnPOPTINLPUINT4;
+ ULONG_PTR __fnPOPTINLPUINT5;
+ ULONG_PTR __xxxClientCallDefaultInputHandler;
+ ULONG_PTR __fnEMPTY2;
+ ULONG_PTR __ClientRimDevCallback;
+ ULONG_PTR __xxxClientCallMinTouchHitTestingCallback;
+ ULONG_PTR __ClientCallLocalMouseHooks;
+ ULONG_PTR __xxxClientBroadcastThemeChange;
+ ULONG_PTR __xxxClientCallDevCallbackSimple;
+ ULONG_PTR __xxxClientAllocWindowClassExtraBytes;
+ ULONG_PTR __xxxClientFreeWindowClassExtraBytes;
+ ULONG_PTR __fnGETWINDOWDATA;
+ ULONG_PTR __fnINOUTSTYLECHANGE2;
+ ULONG_PTR __fnHkINLPMOUSEHOOKSTRUCTEX2;
+ ULONG_PTR __xxxClientCallDefWindowProc;
+ ULONG_PTR __fnSHELLSYNCDISPLAYCHANGED;
+ ULONG_PTR __fnHkINLPCHARHOOKSTRUCT;
+ ULONG_PTR __fnINTERCEPTEDWINDOWACTION;
+ ULONG_PTR __xxxTooltipCallback;
+ ULONG_PTR __xxxClientInitPSBInfo;
+ ULONG_PTR __xxxClientDoScrollMenu;
+ ULONG_PTR __xxxClientEndScroll;
+ ULONG_PTR __xxxClientDrawSize;
+ ULONG_PTR __xxxClientDrawScrollBar;
+ ULONG_PTR __xxxClientHitTestScrollBar;
+ ULONG_PTR __xxxClientTrackInit;
+} KERNEL_CALLBACK_TABLE, * PKERNEL_CALLBACK_TABLE;
+
+
 VEIL_END()
diff --git a/Veil/Veil.System.WindowStation.h b/Veil/Veil.System.WindowStation.h
index fe554e7..cf366c6 100644
--- a/Veil/Veil.System.WindowStation.h
+++ b/Veil/Veil.System.WindowStation.h
@@ -859,7 +859,7 @@ NTSYSAPI
 HANDLE
 NTAPI
 WinStationOpenServerW(
- _In_opt_ PWSTR ServerName
+ _In_opt_ PCWSTR ServerName
 );
 // rev
@@ -986,7 +986,7 @@ BOOLEAN
 NTAPI
 LogonIdFromWinStationNameW(
 _In_opt_ HANDLE ServerHandle,
- _In_ PWSTR pWinStationName,
+ _In_ PCWSTR pWinStationName,
 _Out_ PULONG SessionId
 );
@@ -997,9 +997,9 @@ NTAPI
 WinStationSendMessageW(
 _In_opt_ HANDLE ServerHandle,
 _In_ ULONG SessionId,
- _In_ PWSTR Title,
+ _In_ PCWSTR Title,
 _In_ ULONG TitleLength,
- _In_ PWSTR Message,
+ _In_ PCWSTR Message,
 _In_ ULONG MessageLength,
 _In_ ULONG Style,
 _In_ ULONG Timeout,
@@ -1014,7 +1014,7 @@ WinStationConnectW(
 _In_opt_ HANDLE ServerHandle,
 _In_ ULONG SessionId,
 _In_ ULONG TargetSessionId,
- _In_opt_ PWSTR pPassword,
+ _In_opt_ PCWSTR pPassword,
 _In_ BOOLEAN bWait
 );
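Review bot: The declaration `tUserCalculatePopupWindowPosition(` in the large hunk is missing its leading `N`, so the header declares a symbol no module exports and the intended `NtUserCalculatePopupWindowPosition` stays undeclared. `NtUserSetActiveWindow` and `NtUserSetFocus` are each declared twice in the same hunk (once after `NtUserGetForegroundWindow`, again around `NtUserSetCapture`), and `NtUserGetProcessWindowStation` returns `HWND` while the `NtUserCloseWindowStation` and `NtUserSetProcessWindowStation` prototypes beside it take `HWINSTA`, so `HWINSTA` is presumably the intended return type. Several output buffers are annotated `_In_` — `NtUserGetClipCursor`'s `LPRECT lpRect`, `NtUserGetCaretPos`, `NtUserGetCursorInfo`, `NtUserGetLayeredWindowAttributes` (`COLORREF*`, `BYTE*`, and `pdwFlags` as a plain `ULONG`), `NtUserGetObjectInformation`'s `vInfo`/`LengthNeeded`, and `NtUserCopyAcceleratorTable`'s `lpAccelDst` — which discards the static checking callers get from `_Out_`/`_Out_writes_bytes_(Length)` on exactly the parameters where an undersized buffer matters; `NtUserOpenWindowStation` and `NtUserCreateWindowStation` likewise take `OBJECT_ATTRIBUTES` and `UNICODE_STRING` by value where `NtUserOpenDesktop` takes `PCOBJECT_ATTRIBUTES`, which looks like a pointer was intended. `NtUserGetCursor();` and `NtUserGetDoubleClickTime();` use empty parentheses, which in C declare an unprototyped function; the rest of the hunk writes `VOID`.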
@@ -1043,7 +1043,7 @@ BOOLEAN
 NTAPI
 WinStationShadow(
 _In_opt_ HANDLE ServerHandle,
- _In_ PWSTR TargetServerName,
+ _In_ PCWSTR TargetServerName,
 _In_ ULONG TargetSessionId,
 _In_ UCHAR HotKeyVk,
 _In_ USHORT HotkeyModifiers // KBD*
@@ -1245,6 +1245,48 @@ WinStationGetAllUserSessions(
 _Out_ PULONG NumberOfProcesses
 );
+
+// rev
+typedef struct _TS_SESSION_VIRTUAL_ADDRESS
+{
+ USHORT AddressFamily;
+ USHORT AddressLength;
+ BYTE Address[20];
+} TS_SESSION_VIRTUAL_ADDRESS, * PTS_SESSION_VIRTUAL_ADDRESS;
+typedef USHORT ADDRESS_FAMILY;
+
+// rev
+NTSYSAPI
+BOOLEAN
+NTAPI
+WinStationQuerySessionVirtualIP(
+ _In_opt_ HANDLE ServerHandle,
+ _In_ ULONG SessionId,
+ _In_ ADDRESS_FAMILY Family,
+ _Out_ TS_SESSION_VIRTUAL_ADDRESS* SessionVirtualIP
+);
+
+// rev
+NTSYSAPI
+BOOLEAN
+NTAPI
+WinStationGetDeviceId(
+ _In_opt_ HANDLE ServerHandle,
+ _In_ ULONG SessionId,
+ _Out_ PCHAR* Buffer, // CHAR DeviceId[MAX_PATH + 1];
+ _In_ SIZE_T BufferLength
+);
+
+// rev
+NTSYSAPI
+BOOLEAN
+NTAPI
+WinStationGetLoggedOnCount(
+ _Out_ PULONG LoggedOnUserCount,
+ _Out_ PULONG LoggedOnDeviceCount
+);
+
+
 #endif // !_KERNEL_MODE
 VEIL_END()
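Review bot: `WinStationGetDeviceId` in the second hunk declares `_Out_ PCHAR* Buffer` next to `_In_ SIZE_T BufferLength`, and the trailing comment `// CHAR DeviceId[MAX_PATH + 1];` implies the caller supplies the buffer; a pointer-to-pointer output cannot be bounded by a caller-supplied length, so `_Out_writes_(BufferLength) PCHAR Buffer` is presumably what was meant — please confirm against the reversed prototype before anyone sizes a stack buffer by this signature. `typedef USHORT ADDRESS_FAMILY;` duplicates the typedef ws2def.h already provides and sits after the struct that uses the concept; declaring `Family` as `USHORT`, matching the struct's own `AddressFamily` field, would avoid relying on identical-typedef redefinition being accepted in every compiler mode this header targets.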