diff --git a/inc/phnt/ntdbg.h b/inc/phnt/ntdbg.h index deb804e..ff1c060 100644 --- a/inc/phnt/ntdbg.h +++ b/inc/phnt/ntdbg.h @@ -107,7 +107,8 @@ typedef struct _DBGUI_WAIT_STATE_CHANGE typedef enum _DEBUGOBJECTINFOCLASS { - DebugObjectFlags = 1, + DebugObjectUnusedInformation, + DebugObjectKillProcessOnExitInformation, MaxDebugObjectInfoClass } DEBUGOBJECTINFOCLASS, *PDEBUGOBJECTINFOCLASS; diff --git a/inc/phnt/ntexapi.h b/inc/phnt/ntexapi.h index 815ee07..0a429e5 100644 --- a/inc/phnt/ntexapi.h +++ b/inc/phnt/ntexapi.h @@ -1394,13 +1394,13 @@ typedef enum _SYSTEM_INFORMATION_CLASS SystemSecureDumpEncryptionInformation, SystemWriteConstraintInformation, // SYSTEM_WRITE_CONSTRAINT_INFORMATION SystemKernelVaShadowInformation, // SYSTEM_KERNEL_VA_SHADOW_INFORMATION - SystemHypervisorSharedPageInformation, // SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION // REDSTONE4 + SystemHypervisorSharedPageInformation, // SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION // since REDSTONE4 SystemFirmwareBootPerformanceInformation, - SystemCodeIntegrityVerificationInformation, + SystemCodeIntegrityVerificationInformation, // SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION SystemFirmwarePartitionInformation, // 200 SystemSpeculationControlInformation, // SYSTEM_SPECULATION_CONTROL_INFORMATION // (CVE-2017-5715) REDSTONE3 and above. - SystemDmaGuardPolicyInformation, - SystemEnclaveLaunchControlInformation, + SystemDmaGuardPolicyInformation, // SYSTEM_DMA_GUARD_POLICY_INFORMATION + SystemEnclaveLaunchControlInformation, // SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION MaxSystemInfoClass } SYSTEM_INFORMATION_CLASS; @@ -1424,7 +1424,7 @@ typedef struct _SYSTEM_PROCESSOR_INFORMATION USHORT ProcessorArchitecture; USHORT ProcessorLevel; USHORT ProcessorRevision; - USHORT ProcessorCount; + USHORT MaximumProcessors; ULONG ProcessorFeatureBits; } SYSTEM_PROCESSOR_INFORMATION, *PSYSTEM_PROCESSOR_INFORMATION; 
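Review bot: Replacing the `DebugObjectFlags = 1` enumerator with the pair `DebugObjectUnusedInformation, DebugObjectKillProcessOnExitInformation` keeps value 1 for the kill-on-exit class but drops the old name, so any caller still spelling `DebugObjectFlags` stops compiling. A one-line alias preserves source compatibility at no ABI cost: `#define DebugObjectFlags DebugObjectKillProcessOnExitInformation`. The other information-class enums in this patch annotate entries with `// q:`/`// s: TYPE`; the new enumerator would benefit from the same (presumably `// s: ULONG`, to be confirmed against the kernel), and `DebugObjectUnusedInformation` deserves a note that it only occupies slot 0 and is not a usable class.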
@@ -1845,6 +1845,11 @@ typedef enum _EVENT_TRACE_INFORMATION_CLASS EventTraceSoftRestartInformation, // EVENT_TRACE_SOFT_RESTART_INFORMATION EventTraceLastBranchConfigurationInformation, // REDSTONE3 EventTraceLastBranchEventListInformation, + EventTraceProfileSourceAddInformation, // EVENT_TRACE_PROFILE_ADD_INFORMATION // REDSTONE4 + EventTraceProfileSourceRemoveInformation, // EVENT_TRACE_PROFILE_REMOVE_INFORMATION + EventTraceProcessorTraceConfigurationInformation, + EventTraceProcessorTraceEventListInformation, + EventTraceCoverageSamplerInformation, // EVENT_TRACE_COVERAGE_SAMPLER_INFORMATION MaxEventTraceInfoClass } EVENT_TRACE_INFORMATION_CLASS; @@ -1955,6 +1960,36 @@ typedef struct _EVENT_TRACE_SOFT_RESTART_INFORMATION WCHAR FileName[1]; } EVENT_TRACE_SOFT_RESTART_INFORMATION, *PEVENT_TRACE_SOFT_RESTART_INFORMATION; +typedef struct _EVENT_TRACE_PROFILE_ADD_INFORMATION +{ + EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; + BOOLEAN PerfEvtEventSelect; + BOOLEAN PerfEvtUnitSelect; + ULONG PerfEvtType; + ULONG CpuInfoHierarchy[0x3]; + ULONG InitialInterval; + BOOLEAN AllowsHalt; + BOOLEAN Persist; + WCHAR ProfileSourceDescription[0x1]; +} EVENT_TRACE_PROFILE_ADD_INFORMATION, *PEVENT_TRACE_PROFILE_ADD_INFORMATION; + +typedef struct _EVENT_TRACE_PROFILE_REMOVE_INFORMATION +{ + EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; + KPROFILE_SOURCE ProfileSource; + ULONG CpuInfoHierarchy[0x3]; +} EVENT_TRACE_PROFILE_REMOVE_INFORMATION, *PEVENT_TRACE_PROFILE_REMOVE_INFORMATION; + +typedef struct _EVENT_TRACE_COVERAGE_SAMPLER_INFORMATION +{ + EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; + BOOLEAN CoverageSamplerInformationClass; + UCHAR MajorVersion; + UCHAR MinorVersion; + UCHAR Reserved; + HANDLE SamplerHandle; +} EVENT_TRACE_COVERAGE_SAMPLER_INFORMATION, *PEVENT_TRACE_COVERAGE_SAMPLER_INFORMATION; + typedef struct _SYSTEM_EXCEPTION_INFORMATION { ULONG AlignmentFixupCount; 
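Review bot: `EVENT_TRACE_PROFILE_ADD_INFORMATION` ends in a variable-length `WCHAR ProfileSourceDescription[0x1]`, so `sizeof` is never the right length to hand to NtSetSystemInformation, and the struct needs a comment saying how callers size it, e.g. `// variable length: information length is FIELD_OFFSET(EVENT_TRACE_PROFILE_ADD_INFORMATION, ProfileSourceDescription) + (wcslen(desc) + 1) * sizeof(WCHAR)`. Because these three layouts cross the syscall boundary, locking them with `C_ASSERT(sizeof(...))` checks, as ntpebteb.h does elsewhere in this patch, would catch a packing mistake; the two leading BOOLEANs before `PerfEvtType` and the `BOOLEAN AllowsHalt; BOOLEAN Persist;` pair before the WCHAR array are exactly where padding could diverge from what the kernel expects. The `0x3`/`0x1` array bounds read like decompiler output; plain `3` and `1` match the rest of the header.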
@@ -2256,7 +2291,17 @@ typedef struct _SYSTEM_BOOT_ENVIRONMENT_INFORMATION { GUID BootIdentifier; FIRMWARE_TYPE FirmwareType; - ULONGLONG BootFlags; + union + { + ULONGLONG BootFlags; + struct + { + ULONGLONG DbgMenuOsSelection : 1; // REDSTONE4 + ULONGLONG DbgHiberBoot : 1; + ULONGLONG DbgSoftBoot : 1; + ULONGLONG DbgMeasuredLaunch : 1; + }; + }; } SYSTEM_BOOT_ENVIRONMENT_INFORMATION, *PSYSTEM_BOOT_ENVIRONMENT_INFORMATION; // private @@ -2788,6 +2833,7 @@ typedef enum _SYSTEM_PROCESS_CLASSIFICATION SystemProcessClassificationSystem, SystemProcessClassificationSecureSystem, SystemProcessClassificationMemCompression, + SystemProcessClassificationRegistry, // REDSTONE4 SystemProcessClassificationMaximum } SYSTEM_PROCESS_CLASSIFICATION; @@ -3007,6 +3053,7 @@ typedef struct _SYSTEM_MEMORY_USAGE_INFORMATION typedef struct _SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION { HANDLE ImageFile; + ULONG Type; // REDSTONE4 } SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION, *PSYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION; // private @@ -3021,8 +3068,8 @@ typedef struct _SYSTEM_PHYSICAL_MEMORY_INFORMATION typedef enum _SYSTEM_ACTIVITY_MODERATION_STATE { SystemActivityModerationStateSystemManaged, - SystemActivityModerationStateAlwaysThrottled, - SystemActivityModerationStateNeverThrottled, + SystemActivityModerationStateUserManagedAllowThrottling, + SystemActivityModerationStateUserManagedDisableThrottling, MaxSystemActivityModerationState } SYSTEM_ACTIVITY_MODERATION_STATE; @@ -3065,9 +3112,11 @@ typedef struct _SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION ULONG Locked : 1; ULONG Unlockable : 1; ULONG UnlockApplied : 1; - ULONG Reserved : 29; + ULONG UnlockIdValid : 1; // REDSTONE4 + ULONG Reserved : 28; }; }; + UCHAR UnlockId[32]; // REDSTONE4 } SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION, *PSYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION; // private 
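Review bot: Appending `ULONG Type` to SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION grows `sizeof` (to 16 on x64 once the ULONG is padded to the HANDLE's alignment), and callers of NtQuery/SetSystemInformation typically pass `sizeof` as the length, so code built against this header will presumably get a length mismatch on pre-RS4 kernels that still expect the old 8-byte layout — worth confirming and stating. A comment such as `ULONG Type; // REDSTONE4+; on earlier builds pass FIELD_OFFSET(SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION, Type) as the length` would let callers choose by OS version. The meaning of `Type` is also undocumented; if it is unknown, a `// meaning unconfirmed` marker is better than a bare field.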
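Review bot: Adding `UCHAR UnlockId[32]` to SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION changes `sizeof` from 4 to 36 bytes, and the new `UnlockIdValid` bit suggests the kernel fills the array only conditionally, so readers need two things this hunk does not say: treat `UnlockId` as meaningful only when `UnlockIdValid` is set, and pass the old 4-byte length on pre-RS4 kernels if the length is checked strictly. Suggested comment on the array: `UCHAR UnlockId[32]; // REDSTONE4+; valid only when UnlockIdValid is set; callers targeting earlier builds should pass 4 as the length`. A `C_ASSERT(sizeof(SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION) == 36)` would pin the new layout. The 32-byte size matches a SHA-256 digest, which is plausibly what the unlock id is, but the hunk does not establish that, so say so if it goes in a comment. The struct's opening lines are outside this hunk.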
@@ -3098,11 +3147,21 @@ typedef struct _SYSTEM_KERNEL_VA_SHADOW_INFORMATION ULONG KvaShadowUserGlobal : 1; ULONG KvaShadowPcid : 1; ULONG KvaShadowInvpcid : 1; - ULONG Reserved : 28; + ULONG KvaShadowRequired : 1; // REDSTONE4 + ULONG KvaShadowRequiredAvailable : 1; + ULONG Reserved : 26; }; }; } SYSTEM_KERNEL_VA_SHADOW_INFORMATION, *PSYSTEM_KERNEL_VA_SHADOW_INFORMATION; +// private +typedef struct _SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION +{ + HANDLE FileHandle; + ULONG ImageSize; + PVOID Image; +} SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION, *PSYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION; + // private typedef struct _SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION { @@ -3130,6 +3189,18 @@ typedef struct _SYSTEM_SPECULATION_CONTROL_INFORMATION }; } SYSTEM_SPECULATION_CONTROL_INFORMATION, *PSYSTEM_SPECULATION_CONTROL_INFORMATION; +// private +typedef struct _SYSTEM_DMA_GUARD_POLICY_INFORMATION +{ + BOOLEAN DmaGuardPolicyEnabled; +} SYSTEM_DMA_GUARD_POLICY_INFORMATION, *PSYSTEM_DMA_GUARD_POLICY_INFORMATION; + +// private +typedef struct _SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION +{ + UCHAR EnclaveLaunchSigner[32]; +} SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION, *PSYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION; + #if (PHNT_MODE != PHNT_MODE_KERNEL) NTSYSCALLAPI @@ -3284,7 +3355,8 @@ typedef union _SYSDBG_LIVEDUMP_CONTROL_FLAGS ULONG UseDumpStorageStack : 1; ULONG CompressMemoryPagesData : 1; ULONG IncludeUserSpaceMemoryPages : 1; - ULONG Reserved : 29; + ULONG AbortIfMemoryPressure : 1; // REDSTONE4 + ULONG Reserved : 28; }; ULONG AsUlong; } SYSDBG_LIVEDUMP_CONTROL_FLAGS, *PSYSDBG_LIVEDUMP_CONTROL_FLAGS; @@ -3980,12 +4052,15 @@ NtDisplayString( _In_ PUNICODE_STRING String ); +// Boot graphics + #if (PHNT_VERSION >= PHNT_WIN7) +// rev NTSYSCALLAPI NTSTATUS NTAPI NtDrawText( - _In_ PUNICODE_STRING String + _In_ PUNICODE_STRING Text ); #endif diff --git a/inc/phnt/ntioapi.h b/inc/phnt/ntioapi.h index 158e3b0..7bc7ae4 100644 --- a/inc/phnt/ntioapi.h +++ b/inc/phnt/ntioapi.h 
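Review bot: SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION is declared with no indication of which fields the caller supplies and which the kernel fills, and unlike the PROCESSINFOCLASS entries in this patch its enum line in ntexapi.h carries no `q:`/`s:` marker. Per-field comments would make the contract usable, e.g. `HANDLE FileHandle; // in: file to verify`, `ULONG ImageSize; // in: size of the caller-supplied Image buffer`, `PVOID Image; // in: user-mode copy of the image (presumably probed by the kernel — verify)`, explicitly marked as assumptions until checked against the kernel. The new `KvaShadowRequired`/`KvaShadowRequiredAvailable` bits in the same hunk deserve a one-liner that `KvaShadowRequired` is only meaningful when `KvaShadowRequiredAvailable` is set, if that is the convention these paired bits follow. SYSTEM_KERNEL_VA_SHADOW_INFORMATION's opening lines are outside this hunk.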
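Review bot: The two new one-field structs `SYSTEM_DMA_GUARD_POLICY_INFORMATION` and `SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION` appear to expose security policy (DMA guard and enclave launch control, judging by their names) but carry no comment on meaning or direction. Suggested: `BOOLEAN DmaGuardPolicyEnabled; // q: TRUE when the DMA guard policy is in force (REDSTONE4+)` and `UCHAR EnclaveLaunchSigner[32]; // 32-byte signer identity for enclave launch control — presumably a SHA-256 of the launch key; confirm`. Because the first struct is a single BOOLEAN, the information length is 1; callers that habitually round up to a ULONG should be warned in a comment if the kernel checks the length exactly.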
@@ -243,6 +243,8 @@ typedef enum _FILE_INFORMATION_CLASS FileDesiredStorageClassInformation, // FILE_DESIRED_STORAGE_CLASS_INFORMATION // since REDSTONE2 FileStatInformation, // FILE_STAT_INFORMATION FileMemoryPartitionInformation, // FILE_MEMORY_PARTITION_INFORMATION // since REDSTONE3 + FileStatLxInformation, // FILE_STAT_LX_INFORMATION // since REDSTONE4 + FileCaseSensitiveInformation, // FILE_CASE_SENSITIVE_INFORMATION FileMaximumInformation } FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS; @@ -711,6 +713,34 @@ typedef struct _FILE_MEMORY_PARTITION_INFORMATION } Flags; } FILE_MEMORY_PARTITION_INFORMATION, *PFILE_MEMORY_PARTITION_INFORMATION; +// private +typedef struct _FILE_STAT_LX_INFORMATION +{ + LARGE_INTEGER FileId; + LARGE_INTEGER CreationTime; + LARGE_INTEGER LastAccessTime; + LARGE_INTEGER LastWriteTime; + LARGE_INTEGER ChangeTime; + LARGE_INTEGER AllocationSize; + LARGE_INTEGER EndOfFile; + ULONG FileAttributes; + ULONG ReparseTag; + ULONG NumberOfLinks; + ULONG EffectiveAccess; + ULONG LxFlags; + ULONG LxUid; + ULONG LxGid; + ULONG LxMode; + ULONG LxDeviceIdMajor; + ULONG LxDeviceIdMinor; +} FILE_STAT_LX_INFORMATION, *PFILE_STAT_LX_INFORMATION; + +// private +typedef struct _FILE_CASE_SENSITIVE_INFORMATION +{ + ULONG Flags; +} FILE_CASE_SENSITIVE_INFORMATION, *PFILE_CASE_SENSITIVE_INFORMATION; + // NtQueryDirectoryFile types typedef struct _FILE_DIRECTORY_INFORMATION diff --git a/inc/phnt/ntldr.h b/inc/phnt/ntldr.h index 0f2d937..6f5a214 100644 --- a/inc/phnt/ntldr.h +++ b/inc/phnt/ntldr.h @@ -720,6 +720,7 @@ LdrEnumerateLoadedModules( _In_ PVOID Context ); +NTSYSAPI NTSTATUS NTAPI LdrOpenImageFileOptionsKey( @@ -728,6 +729,7 @@ LdrOpenImageFileOptionsKey( _Out_ PHANDLE NewKeyHandle ); +NTSYSAPI NTSTATUS NTAPI LdrQueryImageFileKeyOption( @@ -739,6 +741,7 @@ LdrQueryImageFileKeyOption( _Out_opt_ PULONG ReturnedLength ); +NTSYSAPI NTSTATUS NTAPI LdrQueryImageFileExecutionOptions( 
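Review bot: `FILE_CASE_SENSITIVE_INFORMATION.Flags` has no flag values defined, so callers cannot set or test per-directory case sensitivity without a magic number; the public ntifs.h defines `FILE_CS_FLAG_CASE_SENSITIVE_DIR` (0x00000001) for this field as far as I recall, and mirroring it here (`#define FILE_CS_FLAG_CASE_SENSITIVE_DIR 0x00000001`) would make the struct usable. This also warrants a security caveat in a comment: a directory with the flag set can hold two entries differing only in case, so any user-mode check that compares NT paths case-insensitively before granting access no longer identifies the file the kernel will actually open. `FILE_STAT_LX_INFORMATION.LxFlags` has the same gap (its valid bits are not defined here); at minimum note which of `LxUid`/`LxGid`/`LxMode` are only meaningful when the corresponding `LxFlags` bit is set, if that is the contract.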
diff --git a/inc/phnt/ntmisc.h b/inc/phnt/ntmisc.h index 7ba023d..1d32c9a 100644 --- a/inc/phnt/ntmisc.h +++ b/inc/phnt/ntmisc.h @@ -1,18 +1,6 @@ #ifndef _NTMISC_H #define _NTMISC_H -// Boot graphics - -#if (PHNT_VERSION >= PHNT_WIN7) -// rev -NTSYSCALLAPI -NTSTATUS -NTAPI -NtDrawText( - _In_ PUNICODE_STRING Text - ); -#endif - // Filter manager #define FLT_PORT_CONNECT 0x0001 diff --git a/inc/phnt/ntmmapi.h b/inc/phnt/ntmmapi.h index f9c37b4..aa2a9bf 100644 --- a/inc/phnt/ntmmapi.h +++ b/inc/phnt/ntmmapi.h @@ -75,7 +75,7 @@ typedef enum _MEMORY_INFORMATION_CLASS MemoryImageInformation, // MEMORY_IMAGE_INFORMATION MemoryRegionInformationEx, MemoryPrivilegedBasicInformation, - MemoryEnclaveImageInformation, // since REDSTONE3 + MemoryEnclaveImageInformation, // MEMORY_ENCLAVE_IMAGE_INFORMATION // since REDSTONE3 MemoryBasicInformationCapped } MEMORY_INFORMATION_CLASS; #else @@ -216,12 +216,20 @@ typedef struct _MEMORY_IMAGE_INFORMATION { ULONG ImagePartialMap : 1; ULONG ImageNotExecutable : 1; - ULONG ImageSigningLevel : 1; // REDSTONE3 - ULONG Reserved : 30; + ULONG ImageSigningLevel : 4; // REDSTONE3 + ULONG Reserved : 26; }; }; } MEMORY_IMAGE_INFORMATION, *PMEMORY_IMAGE_INFORMATION; +// private +typedef struct _MEMORY_ENCLAVE_IMAGE_INFORMATION +{ + MEMORY_IMAGE_INFORMATION ImageInfo; + UCHAR UniqueID[32]; + UCHAR AuthorID[32]; +} MEMORY_ENCLAVE_IMAGE_INFORMATION, *PMEMORY_ENCLAVE_IMAGE_INFORMATION; + #define MMPFNLIST_ZERO 0 #define MMPFNLIST_FREE 1 #define MMPFNLIST_STANDBY 2 
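Review bot: Widening `ImageSigningLevel` from 1 to 4 bits is a correction rather than an addition — with `: 1` any reader of this field saw only the low bit of the signing level — and the hunk should say what the 4-bit value is, e.g. `ULONG ImageSigningLevel : 4; // signing level value (presumably SE_SIGNING_LEVEL_*, 0..15), REDSTONE3+`, so that code making trust decisions on it compares against the named levels instead of treating it as a boolean. Any existing `if (info.ImageSigningLevel)` in callers changes meaning (true for every non-zero level, not just bit 0), which is the intended reading but worth a line in the commit message. For the new `MEMORY_ENCLAVE_IMAGE_INFORMATION`, the two 32-byte arrays look like enclave measurement and signer identities, but the header should state that (hedged if unverified) rather than leave `UniqueID`/`AuthorID` bare. MEMORY_IMAGE_INFORMATION's opening lines are outside this hunk.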
@@ -663,7 +671,8 @@ typedef enum _MEMORY_PARTITION_INFORMATION_CLASS SystemMemoryPartitionAddPagefile, // s: MEMORY_PARTITION_PAGEFILE_INFORMATION SystemMemoryPartitionCombineMemory, // q; s: MEMORY_PARTITION_PAGE_COMBINE_INFORMATION SystemMemoryPartitionInitialAddMemory, // q; s: MEMORY_PARTITION_INITIAL_ADD_INFORMATION - SystemMemoryPartitionGetMemoryEvents // MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION // since REDSTONE2 + SystemMemoryPartitionGetMemoryEvents, // MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION // since REDSTONE2 + SystemMemoryPartitionMax } MEMORY_PARTITION_INFORMATION_CLASS; // private diff --git a/inc/phnt/ntpebteb.h b/inc/phnt/ntpebteb.h index 10e458f..577097e 100644 --- a/inc/phnt/ntpebteb.h +++ b/inc/phnt/ntpebteb.h @@ -84,8 +84,8 @@ typedef struct _PEB PVOID SubSystemData; PVOID ProcessHeap; PRTL_CRITICAL_SECTION FastPebLock; - PVOID AtlThunkSListPtr; PVOID IFEOKey; + PSLIST_HEADER AtlThunkSListPtr; union { ULONG CrossProcessFlags; @@ -193,19 +193,24 @@ typedef struct _PEB }; }; ULONGLONG CsrServerReadOnlySharedMemoryBase; - PVOID TppWorkerpListLock; + PRTL_CRITICAL_SECTION TppWorkerpListLock; LIST_ENTRY TppWorkerpList; PVOID WaitOnAddressHashTable[128]; PVOID TelemetryCoverageHeader; // REDSTONE3 ULONG CloudFileFlags; + ULONG CloudFileDiagFlags; // REDSTONE4 + CHAR PlaceholderCompatibilityMode; + CHAR PlaceholderCompatibilityModeReserved[7]; } PEB, *PPEB; #ifdef _WIN64 C_ASSERT(FIELD_OFFSET(PEB, SessionId) == 0x2C0); -C_ASSERT(sizeof(PEB) == 0x7B0); +//C_ASSERT(sizeof(PEB) == 0x7B0); // REDSTONE3 +C_ASSERT(sizeof(PEB) == 0x7B8); // REDSTONE4 #else C_ASSERT(FIELD_OFFSET(PEB, SessionId) == 0x1D4); -C_ASSERT(sizeof(PEB) == 0x468); +//C_ASSERT(sizeof(PEB) == 0x468); // REDSTONE3 +C_ASSERT(sizeof(PEB) == 0x470); #endif #define GDI_BATCH_BUFFER_SIZE 310 diff --git a/inc/phnt/ntpsapi.h b/inc/phnt/ntpsapi.h index 28a083a..7de4443 100644 --- a/inc/phnt/ntpsapi.h +++ b/inc/phnt/ntpsapi.h 
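Review bot: As shown, the first PEB hunk does more than retype `AtlThunkSListPtr`: it moves it after `IFEOKey`, so the two pointer-sized fields swap offsets (by my reading of the public symbols, 0x40/0x48 on x64 and 0x20/0x24 on x86) while `sizeof` is unchanged and none of the C_ASSERTs in this file would notice. The ntdll symbols I am aware of place `AtlThunkSListPtr` before `IFEOKey`, so unless the reordering is intentional this silently turns every read of `Peb->IFEOKey` in a remote process into a read of the ATL thunk list head — please confirm against the RS4 symbols. The fix is to keep the original order (`PSLIST_HEADER AtlThunkSListPtr; PVOID IFEOKey;`) and pin it with `C_ASSERT(FIELD_OFFSET(PEB, IFEOKey) == 0x48);` under `_WIN64` (`== 0x24` otherwise). The PEB definition starts and ends outside this hunk.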
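Review bot: Commenting out the REDSTONE3 size assertions (`//C_ASSERT(sizeof(PEB) == 0x7B0); // REDSTONE3`) leaves dead code in the header while the new trailing fields are added unconditionally, even though this same patch introduces `PHNT_REDSTONE4` in phnt.h for exactly this kind of gating. Either gate both the new fields and the assert on `PHNT_VERSION >= PHNT_REDSTONE4`, or drop the old assert and keep the history in the live line: `C_ASSERT(sizeof(PEB) == 0x7B8); // REDSTONE4 (0x7B0 on REDSTONE3)`, with the x86 line annotated the same way since it currently lacks the `// REDSTONE4` marker its x64 twin has. `PlaceholderCompatibilityMode` and its 7-byte reserved tail are undocumented; a `// REDSTONE4` marker and a note on what the CHAR encodes (cloud-files placeholder mode, if confirmed) would match the annotations on the neighbouring fields.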
@@ -105,7 +105,7 @@ typedef enum _PROCESSINFOCLASS ProcessBasePriority, // s: KPRIORITY ProcessRaisePriority, // s: ULONG ProcessDebugPort, // q: HANDLE - ProcessExceptionPort, // s: HANDLE + ProcessExceptionPort, // s: PROCESS_EXCEPTION_PORT ProcessAccessToken, // s: PROCESS_ACCESS_TOKEN ProcessLdtInformation, // qs: PROCESS_LDT_INFORMATION // 10 ProcessLdtSize, // s: PROCESS_LDT_SIZE @@ -132,12 +132,12 @@ typedef enum _PROCESSINFOCLASS ProcessHandleTracing, // q: PROCESS_HANDLE_TRACING_QUERY; s: size 0 disables, otherwise enables ProcessIoPriority, // qs: IO_PRIORITY_HINT ProcessExecuteFlags, // qs: ULONG - ProcessResourceManagement, + ProcessResourceManagement, // ProcessTlsInformation // PROCESS_TLS_INFORMATION ProcessCookie, // q: ULONG ProcessImageInformation, // q: SECTION_IMAGE_INFORMATION ProcessCycleTime, // q: PROCESS_CYCLE_TIME_INFORMATION // since VISTA - ProcessPagePriority, // q: ULONG - ProcessInstrumentationCallback, // 40 + ProcessPagePriority, // q: PAGE_PRIORITY_INFORMATION + ProcessInstrumentationCallback, // qs: PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION // 40 ProcessThreadStackAllocation, // s: PROCESS_STACK_ALLOCATION_INFORMATION, PROCESS_STACK_ALLOCATION_INFORMATION_EX ProcessWorkingSetWatchEx, // q: PROCESS_WS_WATCH_INFORMATION_EX[] ProcessImageFileNameWin32, // q: UNICODE_STRING @@ -146,7 +146,7 @@ typedef enum _PROCESSINFOCLASS ProcessMemoryAllocationMode, // qs: PROCESS_MEMORY_ALLOCATION_MODE ProcessGroupInformation, // q: USHORT[] ProcessTokenVirtualizationEnabled, // s: ULONG - ProcessConsoleHostProcess, // q: ULONG_PTR + ProcessConsoleHostProcess, // q: ULONG_PTR // ProcessOwnerInformation ProcessWindowInformation, // q: PROCESS_WINDOW_INFORMATION // 50 ProcessHandleInformation, // q: PROCESS_HANDLE_SNAPSHOT_INFORMATION // since WIN8 ProcessMitigationPolicy, // s: PROCESS_MITIGATION_POLICY_INFORMATION 
@@ -187,6 +187,9 @@ typedef enum _PROCESSINFOCLASS ProcessEnableReadWriteVmLogging, // PROCESS_READWRITEVM_LOGGING_INFORMATION ProcessUptimeInformation, // PROCESS_UPTIME_INFORMATION ProcessImageSection, + ProcessDebugAuthInformation, // since REDSTONE4 + ProcessSystemResourceManagement, // PROCESS_SYSTEM_RESOURCE_MANAGEMENT + ProcessSequenceNumber, // q: ULONGLONG MaxProcessInfoClass } PROCESSINFOCLASS; #endif @@ -353,6 +356,15 @@ typedef struct _POOLED_USAGE_AND_LIMITS SIZE_T PagefileLimit; } POOLED_USAGE_AND_LIMITS, *PPOOLED_USAGE_AND_LIMITS; +#define PROCESS_EXCEPTION_PORT_ALL_STATE_BITS 0x00000003 +#define PROCESS_EXCEPTION_PORT_ALL_STATE_FLAGS ((ULONG_PTR)((1UL << PROCESS_EXCEPTION_PORT_ALL_STATE_BITS) - 1)) + +typedef struct _PROCESS_EXCEPTION_PORT +{ + _In_ HANDLE ExceptionPortHandle; // Handle to the exception port. No particular access required. + _Inout_ ULONG StateFlags; // Miscellaneous state flags to be cached along with the exception port in the kernel. +} PROCESS_EXCEPTION_PORT, *PPROCESS_EXCEPTION_PORT; + typedef struct _PROCESS_ACCESS_TOKEN { HANDLE Token; // needs TOKEN_ASSIGN_PRIMARY access @@ -448,6 +460,8 @@ typedef struct _PROCESS_SESSION_INFORMATION ULONG SessionId; } PROCESS_SESSION_INFORMATION, *PPROCESS_SESSION_INFORMATION; +#define PROCESS_HANDLE_EXCEPTIONS_ENABLED 0x00000001 + #define PROCESS_HANDLE_RAISE_EXCEPTION_ON_INVALID_HANDLE_CLOSE_DISABLED 0x00000000 #define PROCESS_HANDLE_RAISE_EXCEPTION_ON_INVALID_HANDLE_CLOSE_ENABLED 0x00000001 
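Review bot: `PROCESS_HANDLE_EXCEPTIONS_ENABLED` is dropped in next to the `PROCESS_HANDLE_RAISE_EXCEPTION_ON_INVALID_HANDLE_CLOSE_*` values with nothing saying which information class consumes it, and its value (0x00000001) coincides with `..._CLOSE_ENABLED`, so a reader cannot tell whether it is an alias, a second flag for the same class, or belongs to a different class. A comment naming the class it is passed with (presumably one of the handle-checking or handle-tracing classes — I cannot confirm from the hunk) would prevent the two from being mixed up, e.g. `#define PROCESS_HANDLE_EXCEPTIONS_ENABLED 0x00000001 // for <class>; distinct from the RAISE_EXCEPTION_ON_INVALID_HANDLE_CLOSE values below`.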
@@ -487,6 +501,42 @@ typedef struct _PROCESS_HANDLE_TRACING_QUERY #endif +// private +typedef struct _THREAD_TLS_INFORMATION +{ + ULONG Flags; + PVOID NewTlsData; + PVOID OldTlsData; + HANDLE ThreadId; +} THREAD_TLS_INFORMATION, *PTHREAD_TLS_INFORMATION; + +// private +typedef enum _PROCESS_TLS_INFORMATION_TYPE +{ + ProcessTlsReplaceIndex, + ProcessTlsReplaceVector, + MaxProcessTlsOperation +} PROCESS_TLS_INFORMATION_TYPE, *PPROCESS_TLS_INFORMATION_TYPE; + +// private +typedef struct _PROCESS_TLS_INFORMATION +{ + ULONG Flags; + ULONG OperationType; + ULONG ThreadDataCount; + ULONG TlsIndex; + ULONG PreviousCount; + THREAD_TLS_INFORMATION ThreadData[1]; +} PROCESS_TLS_INFORMATION, *PPROCESS_TLS_INFORMATION; + +// private +typedef struct _PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION +{ + ULONG Version; + ULONG Reserved; + PVOID Callback; +} PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION, *PPROCESS_INSTRUMENTATION_CALLBACK_INFORMATION; + // private typedef struct _PROCESS_STACK_ALLOCATION_INFORMATION { @@ -757,17 +807,19 @@ typedef struct _MANAGE_WRITES_TO_EXECUTABLE_MEMORY ULONG Spare : 22; } MANAGE_WRITES_TO_EXECUTABLE_MEMORY, *PMANAGE_WRITES_TO_EXECUTABLE_MEMORY; -typedef struct _PROCESS_READWRITEVM_LOGGING_INFORMATION +#define PROCESS_READWRITEVM_LOGGING_ENABLE_READVM 1 +#define PROCESS_READWRITEVM_LOGGING_ENABLE_WRITEVM 2 +#define PROCESS_READWRITEVM_LOGGING_ENABLE_READVM_V 1UL +#define PROCESS_READWRITEVM_LOGGING_ENABLE_WRITEVM_V 2UL + +typedef union _PROCESS_READWRITEVM_LOGGING_INFORMATION { - union + UCHAR Flags; + struct { - BOOLEAN Flags; - struct - { - BOOLEAN EnableReadVmLogging : 1; - BOOLEAN EnableWriteVmLogging : 1; - BOOLEAN Unused : 6; - }; + UCHAR EnableReadVmLogging : 1; + UCHAR EnableWriteVmLogging : 1; + UCHAR Unused : 6; }; } PROCESS_READWRITEVM_LOGGING_INFORMATION, *PPROCESS_READWRITEVM_LOGGING_INFORMATION; 
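Review bot: `PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION.Callback` is a raw code pointer that the kernel, by public accounts, invokes on each return to user mode of the target process, which makes this class both a hooking primitive and something defenders look for, yet neither `Version` nor `Callback` is documented. From public write-ups (not from this hunk, so please verify) `Version` is 0 for native x64 and 1 for x86/WOW64, `Reserved` must be 0, and installing the callback into a process other than the caller requires SeDebugPrivilege; a comment such as `PVOID Callback; // invoked on each kernel->user return of the target; non-self targets require SeDebugPrivilege (verify)` would keep users from misusing the field. `PROCESS_TLS_INFORMATION` types `OperationType` as a bare `ULONG` even though `PROCESS_TLS_INFORMATION_TYPE` is declared just above for that purpose; either use the enum or annotate `ULONG OperationType; // PROCESS_TLS_INFORMATION_TYPE`. The trailing `ThreadData[1]` is variable length and needs a sizing note (`FIELD_OFFSET(PROCESS_TLS_INFORMATION, ThreadData) + ThreadDataCount * sizeof(THREAD_TLS_INFORMATION)`).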
@@ -788,6 +840,16 @@ typedef struct _PROCESS_UPTIME_INFORMATION }; } PROCESS_UPTIME_INFORMATION, *PPROCESS_UPTIME_INFORMATION; +typedef union _PROCESS_SYSTEM_RESOURCE_MANAGEMENT +{ + ULONG Flags; + struct + { + ULONG Foreground : 1; + ULONG Reserved : 31; + }; +} PROCESS_SYSTEM_RESOURCE_MANAGEMENT, *PPROCESS_SYSTEM_RESOURCE_MANAGEMENT; + // end_private #endif @@ -1008,6 +1070,7 @@ NtResumeProcess( #define NtCurrentProcessToken() ((HANDLE)(LONG_PTR)-4) #define NtCurrentThreadToken() ((HANDLE)(LONG_PTR)-5) #define NtCurrentEffectiveToken() ((HANDLE)(LONG_PTR)-6) +#define NtCurrentSilo() ((HANDLE)(LONG_PTR)-1) // Not NT, but useful. #define NtCurrentProcessId() (NtCurrentTeb()->ClientId.UniqueProcess) @@ -1471,7 +1534,8 @@ typedef enum _PS_MITIGATION_OPTION PS_MITIGATION_OPTION_EXPORT_ADDRESS_FILTER_PLUS, PS_MITIGATION_OPTION_RESTRICT_CHILD_PROCESS_CREATION, PS_MITIGATION_OPTION_IMPORT_ADDRESS_FILTER, - PS_MITIGATION_OPTION_MODULE_TAMPERING_PROTECTION + PS_MITIGATION_OPTION_MODULE_TAMPERING_PROTECTION, + PS_MITIGATION_OPTION_RESTRICT_INDIRECT_BRANCH_PREDICTION } PS_MITIGATION_OPTION; // windows-internals-book:"Chapter 5" diff --git a/inc/phnt/ntrtl.h b/inc/phnt/ntrtl.h index 3c480d5..c930b0a 100644 --- a/inc/phnt/ntrtl.h +++ b/inc/phnt/ntrtl.h @@ -3236,6 +3236,15 @@ RtlDoesFileExists_U( _In_ PWSTR FileName ); +#if (PHNT_VERSION >= PHNT_REDSTONE2) +NTSYSAPI +PCWSTR +NTAPI +RtlGetNtSystemRoot( + VOID + ); +#endif + // Heaps typedef struct _RTL_HEAP_ENTRY diff --git a/inc/phnt/phnt.h b/inc/phnt/phnt.h index 924b09b..f341217 100644 --- a/inc/phnt/phnt.h +++ b/inc/phnt/phnt.h @@ -36,6 +36,7 @@ #define PHNT_REDSTONE 102 #define PHNT_REDSTONE2 103 #define PHNT_REDSTONE3 104 +#define PHNT_REDSTONE4 105 #ifndef PHNT_MODE #define PHNT_MODE PHNT_MODE_USER diff --git a/inc/phnt/phnt_ntdef.h b/inc/phnt/phnt_ntdef.h index 36cc781..b3ecedc 100644 --- a/inc/phnt/phnt_ntdef.h +++ b/inc/phnt/phnt_ntdef.h 
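Review bot: `NtCurrentSilo()` expands to `(HANDLE)(LONG_PTR)-1`, the same pseudo-handle as `NtCurrentProcess()`, and nothing in the hunk says the overlap is deliberate (the WDK defines it this way as far as I recall) rather than a copy of the wrong value from the -1..-6 sequence above it. A comment settles that for the next reader: `#define NtCurrentSilo() ((HANDLE)(LONG_PTR)-1) // same value as NtCurrentProcess(); read as "current silo" only by silo-aware APIs`. It is also worth stating which APIs accept it, since passing it where a process handle is expected will silently act on the current process.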
@@ -213,6 +213,8 @@ typedef const OBJECT_ATTRIBUTES *PCOBJECT_ATTRIBUTES; #define RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) { sizeof(OBJECT_ATTRIBUTES), NULL, n, a, NULL, NULL } #define RTL_INIT_OBJECT_ATTRIBUTES(n, a) RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) +#define OBJ_NAME_PATH_SEPARATOR ((WCHAR)L'\\') + // Portability typedef struct _OBJECT_ATTRIBUTES64