Vichingo455/wufuc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update phnt headers

Browse Source
This commit is contained in:
zeffy
2018-05-17 09:46:18 -07:00
parent cd5077ce82
commit 5d20496f3a
11 changed files with 235 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
inc/phnt/ntdbg.h
View File

@@ -107,7 +107,8 @@ typedef struct _DBGUI_WAIT_STATE_CHANGE
typedef enum _DEBUGOBJECTINFOCLASS typedef enum _DEBUGOBJECTINFOCLASS
{ {
DebugObjectFlags = 1, DebugObjectUnusedInformation,
DebugObjectKillProcessOnExitInformation,
MaxDebugObjectInfoClass MaxDebugObjectInfoClass
} DEBUGOBJECTINFOCLASS, *PDEBUGOBJECTINFOCLASS; } DEBUGOBJECTINFOCLASS, *PDEBUGOBJECTINFOCLASS;

99
inc/phnt/ntexapi.h
View File

@@ -1394,13 +1394,13 @@ typedef enum _SYSTEM_INFORMATION_CLASS
SystemSecureDumpEncryptionInformation, SystemSecureDumpEncryptionInformation,
SystemWriteConstraintInformation, // SYSTEM_WRITE_CONSTRAINT_INFORMATION SystemWriteConstraintInformation, // SYSTEM_WRITE_CONSTRAINT_INFORMATION
SystemKernelVaShadowInformation, // SYSTEM_KERNEL_VA_SHADOW_INFORMATION SystemKernelVaShadowInformation, // SYSTEM_KERNEL_VA_SHADOW_INFORMATION
SystemHypervisorSharedPageInformation, // SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION // REDSTONE4 SystemHypervisorSharedPageInformation, // SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION // since REDSTONE4
SystemFirmwareBootPerformanceInformation, SystemFirmwareBootPerformanceInformation,
SystemCodeIntegrityVerificationInformation, SystemCodeIntegrityVerificationInformation, // SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION
SystemFirmwarePartitionInformation, // 200 SystemFirmwarePartitionInformation, // 200
SystemSpeculationControlInformation, // SYSTEM_SPECULATION_CONTROL_INFORMATION // (CVE-2017-5715) REDSTONE3 and above. SystemSpeculationControlInformation, // SYSTEM_SPECULATION_CONTROL_INFORMATION // (CVE-2017-5715) REDSTONE3 and above.
SystemDmaGuardPolicyInformation, SystemDmaGuardPolicyInformation, // SYSTEM_DMA_GUARD_POLICY_INFORMATION
SystemEnclaveLaunchControlInformation, SystemEnclaveLaunchControlInformation, // SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION
MaxSystemInfoClass MaxSystemInfoClass
} SYSTEM_INFORMATION_CLASS; } SYSTEM_INFORMATION_CLASS;
@@ -1424,7 +1424,7 @@ typedef struct _SYSTEM_PROCESSOR_INFORMATION
USHORT ProcessorArchitecture; USHORT ProcessorArchitecture;
USHORT ProcessorLevel; USHORT ProcessorLevel;
USHORT ProcessorRevision; USHORT ProcessorRevision;
USHORT ProcessorCount; USHORT MaximumProcessors;
ULONG ProcessorFeatureBits; ULONG ProcessorFeatureBits;
} SYSTEM_PROCESSOR_INFORMATION, *PSYSTEM_PROCESSOR_INFORMATION; } SYSTEM_PROCESSOR_INFORMATION, *PSYSTEM_PROCESSOR_INFORMATION;
@@ -1845,6 +1845,11 @@ typedef enum _EVENT_TRACE_INFORMATION_CLASS
EventTraceSoftRestartInformation, // EVENT_TRACE_SOFT_RESTART_INFORMATION EventTraceSoftRestartInformation, // EVENT_TRACE_SOFT_RESTART_INFORMATION
EventTraceLastBranchConfigurationInformation, // REDSTONE3 EventTraceLastBranchConfigurationInformation, // REDSTONE3
EventTraceLastBranchEventListInformation, EventTraceLastBranchEventListInformation,
EventTraceProfileSourceAddInformation, // EVENT_TRACE_PROFILE_ADD_INFORMATION // REDSTONE4
EventTraceProfileSourceRemoveInformation, // EVENT_TRACE_PROFILE_REMOVE_INFORMATION
EventTraceProcessorTraceConfigurationInformation,
EventTraceProcessorTraceEventListInformation,
EventTraceCoverageSamplerInformation, // EVENT_TRACE_COVERAGE_SAMPLER_INFORMATION
MaxEventTraceInfoClass MaxEventTraceInfoClass
} EVENT_TRACE_INFORMATION_CLASS; } EVENT_TRACE_INFORMATION_CLASS;
@@ -1955,6 +1960,36 @@ typedef struct _EVENT_TRACE_SOFT_RESTART_INFORMATION
WCHAR FileName[1]; WCHAR FileName[1];
} EVENT_TRACE_SOFT_RESTART_INFORMATION, *PEVENT_TRACE_SOFT_RESTART_INFORMATION; } EVENT_TRACE_SOFT_RESTART_INFORMATION, *PEVENT_TRACE_SOFT_RESTART_INFORMATION;
typedef struct _EVENT_TRACE_PROFILE_ADD_INFORMATION
{
EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass;
BOOLEAN PerfEvtEventSelect;
BOOLEAN PerfEvtUnitSelect;
ULONG PerfEvtType;
ULONG CpuInfoHierarchy[0x3];
ULONG InitialInterval;
BOOLEAN AllowsHalt;
BOOLEAN Persist;
WCHAR ProfileSourceDescription[0x1];
} EVENT_TRACE_PROFILE_ADD_INFORMATION, *PEVENT_TRACE_PROFILE_ADD_INFORMATION;
typedef struct _EVENT_TRACE_PROFILE_REMOVE_INFORMATION
{
EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass;
KPROFILE_SOURCE ProfileSource;
ULONG CpuInfoHierarchy[0x3];
} EVENT_TRACE_PROFILE_REMOVE_INFORMATION, *PEVENT_TRACE_PROFILE_REMOVE_INFORMATION;
typedef struct _EVENT_TRACE_COVERAGE_SAMPLER_INFORMATION
{
EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass;
BOOLEAN CoverageSamplerInformationClass;
UCHAR MajorVersion;
UCHAR MinorVersion;
UCHAR Reserved;
HANDLE SamplerHandle;
} EVENT_TRACE_COVERAGE_SAMPLER_INFORMATION, *PEVENT_TRACE_COVERAGE_SAMPLER_INFORMATION;
typedef struct _SYSTEM_EXCEPTION_INFORMATION typedef struct _SYSTEM_EXCEPTION_INFORMATION
{ {
ULONG AlignmentFixupCount; ULONG AlignmentFixupCount;
@@ -2256,7 +2291,17 @@ typedef struct _SYSTEM_BOOT_ENVIRONMENT_INFORMATION
{ {
GUID BootIdentifier; GUID BootIdentifier;
FIRMWARE_TYPE FirmwareType; FIRMWARE_TYPE FirmwareType;
ULONGLONG BootFlags; union
{
ULONGLONG BootFlags;
struct
{
ULONGLONG DbgMenuOsSelection : 1; // REDSTONE4
ULONGLONG DbgHiberBoot : 1;
ULONGLONG DbgSoftBoot : 1;
ULONGLONG DbgMeasuredLaunch : 1;
};
};
} SYSTEM_BOOT_ENVIRONMENT_INFORMATION, *PSYSTEM_BOOT_ENVIRONMENT_INFORMATION; } SYSTEM_BOOT_ENVIRONMENT_INFORMATION, *PSYSTEM_BOOT_ENVIRONMENT_INFORMATION;
// private // private
@@ -2788,6 +2833,7 @@ typedef enum _SYSTEM_PROCESS_CLASSIFICATION
SystemProcessClassificationSystem, SystemProcessClassificationSystem,
SystemProcessClassificationSecureSystem, SystemProcessClassificationSecureSystem,
SystemProcessClassificationMemCompression, SystemProcessClassificationMemCompression,
SystemProcessClassificationRegistry, // REDSTONE4
SystemProcessClassificationMaximum SystemProcessClassificationMaximum
} SYSTEM_PROCESS_CLASSIFICATION; } SYSTEM_PROCESS_CLASSIFICATION;
@@ -3007,6 +3053,7 @@ typedef struct _SYSTEM_MEMORY_USAGE_INFORMATION
typedef struct _SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION typedef struct _SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION
{ {
HANDLE ImageFile; HANDLE ImageFile;
ULONG Type; // REDSTONE4
} SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION, *PSYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION; } SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION, *PSYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION;
// private // private
@@ -3021,8 +3068,8 @@ typedef struct _SYSTEM_PHYSICAL_MEMORY_INFORMATION
typedef enum _SYSTEM_ACTIVITY_MODERATION_STATE typedef enum _SYSTEM_ACTIVITY_MODERATION_STATE
{ {
SystemActivityModerationStateSystemManaged, SystemActivityModerationStateSystemManaged,
SystemActivityModerationStateAlwaysThrottled, SystemActivityModerationStateUserManagedAllowThrottling,
SystemActivityModerationStateNeverThrottled, SystemActivityModerationStateUserManagedDisableThrottling,
MaxSystemActivityModerationState MaxSystemActivityModerationState
} SYSTEM_ACTIVITY_MODERATION_STATE; } SYSTEM_ACTIVITY_MODERATION_STATE;
@@ -3065,9 +3112,11 @@ typedef struct _SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION
ULONG Locked : 1; ULONG Locked : 1;
ULONG Unlockable : 1; ULONG Unlockable : 1;
ULONG UnlockApplied : 1; ULONG UnlockApplied : 1;
ULONG Reserved : 29; ULONG UnlockIdValid : 1; // REDSTONE4
ULONG Reserved : 28;
}; };
}; };
UCHAR UnlockId[32]; // REDSTONE4
} SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION, *PSYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION; } SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION, *PSYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION;
// private // private
@@ -3098,11 +3147,21 @@ typedef struct _SYSTEM_KERNEL_VA_SHADOW_INFORMATION
ULONG KvaShadowUserGlobal : 1; ULONG KvaShadowUserGlobal : 1;
ULONG KvaShadowPcid : 1; ULONG KvaShadowPcid : 1;
ULONG KvaShadowInvpcid : 1; ULONG KvaShadowInvpcid : 1;
ULONG Reserved : 28; ULONG KvaShadowRequired : 1; // REDSTONE4
ULONG KvaShadowRequiredAvailable : 1;
ULONG Reserved : 26;
}; };
}; };
} SYSTEM_KERNEL_VA_SHADOW_INFORMATION, *PSYSTEM_KERNEL_VA_SHADOW_INFORMATION; } SYSTEM_KERNEL_VA_SHADOW_INFORMATION, *PSYSTEM_KERNEL_VA_SHADOW_INFORMATION;
// private
typedef struct _SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION
{
HANDLE FileHandle;
ULONG ImageSize;
PVOID Image;
} SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION, *PSYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION;
// private // private
typedef struct _SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION typedef struct _SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION
{ {
@@ -3130,6 +3189,18 @@ typedef struct _SYSTEM_SPECULATION_CONTROL_INFORMATION
}; };
} SYSTEM_SPECULATION_CONTROL_INFORMATION, *PSYSTEM_SPECULATION_CONTROL_INFORMATION; } SYSTEM_SPECULATION_CONTROL_INFORMATION, *PSYSTEM_SPECULATION_CONTROL_INFORMATION;
// private
typedef struct _SYSTEM_DMA_GUARD_POLICY_INFORMATION
{
BOOLEAN DmaGuardPolicyEnabled;
} SYSTEM_DMA_GUARD_POLICY_INFORMATION, *PSYSTEM_DMA_GUARD_POLICY_INFORMATION;
// private
typedef struct _SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION
{
UCHAR EnclaveLaunchSigner[32];
} SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION, *PSYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION;
#if (PHNT_MODE != PHNT_MODE_KERNEL) #if (PHNT_MODE != PHNT_MODE_KERNEL)
NTSYSCALLAPI NTSYSCALLAPI
@@ -3284,7 +3355,8 @@ typedef union _SYSDBG_LIVEDUMP_CONTROL_FLAGS
ULONG UseDumpStorageStack : 1; ULONG UseDumpStorageStack : 1;
ULONG CompressMemoryPagesData : 1; ULONG CompressMemoryPagesData : 1;
ULONG IncludeUserSpaceMemoryPages : 1; ULONG IncludeUserSpaceMemoryPages : 1;
ULONG Reserved : 29; ULONG AbortIfMemoryPressure : 1; // REDSTONE4
ULONG Reserved : 28;
}; };
ULONG AsUlong; ULONG AsUlong;
} SYSDBG_LIVEDUMP_CONTROL_FLAGS, *PSYSDBG_LIVEDUMP_CONTROL_FLAGS; } SYSDBG_LIVEDUMP_CONTROL_FLAGS, *PSYSDBG_LIVEDUMP_CONTROL_FLAGS;
@@ -3980,12 +4052,15 @@ NtDisplayString(
_In_ PUNICODE_STRING String _In_ PUNICODE_STRING String
); );
// Boot graphics
#if (PHNT_VERSION >= PHNT_WIN7) #if (PHNT_VERSION >= PHNT_WIN7)
// rev
NTSYSCALLAPI NTSYSCALLAPI
NTSTATUS NTSTATUS
NTAPI NTAPI
NtDrawText( NtDrawText(
_In_ PUNICODE_STRING String _In_ PUNICODE_STRING Text
); );
#endif #endif

30
inc/phnt/ntioapi.h
View File

@@ -243,6 +243,8 @@ typedef enum _FILE_INFORMATION_CLASS
FileDesiredStorageClassInformation, // FILE_DESIRED_STORAGE_CLASS_INFORMATION // since REDSTONE2 FileDesiredStorageClassInformation, // FILE_DESIRED_STORAGE_CLASS_INFORMATION // since REDSTONE2
FileStatInformation, // FILE_STAT_INFORMATION FileStatInformation, // FILE_STAT_INFORMATION
FileMemoryPartitionInformation, // FILE_MEMORY_PARTITION_INFORMATION // since REDSTONE3 FileMemoryPartitionInformation, // FILE_MEMORY_PARTITION_INFORMATION // since REDSTONE3
FileStatLxInformation, // FILE_STAT_LX_INFORMATION // since REDSTONE4
FileCaseSensitiveInformation, // FILE_CASE_SENSITIVE_INFORMATION
FileMaximumInformation FileMaximumInformation
} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS; } FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;
@@ -711,6 +713,34 @@ typedef struct _FILE_MEMORY_PARTITION_INFORMATION
} Flags; } Flags;
} FILE_MEMORY_PARTITION_INFORMATION, *PFILE_MEMORY_PARTITION_INFORMATION; } FILE_MEMORY_PARTITION_INFORMATION, *PFILE_MEMORY_PARTITION_INFORMATION;
// private
typedef struct _FILE_STAT_LX_INFORMATION
{
LARGE_INTEGER FileId;
LARGE_INTEGER CreationTime;
LARGE_INTEGER LastAccessTime;
LARGE_INTEGER LastWriteTime;
LARGE_INTEGER ChangeTime;
LARGE_INTEGER AllocationSize;
LARGE_INTEGER EndOfFile;
ULONG FileAttributes;
ULONG ReparseTag;
ULONG NumberOfLinks;
ULONG EffectiveAccess;
ULONG LxFlags;
ULONG LxUid;
ULONG LxGid;
ULONG LxMode;
ULONG LxDeviceIdMajor;
ULONG LxDeviceIdMinor;
} FILE_STAT_LX_INFORMATION, *PFILE_STAT_LX_INFORMATION;
// private
typedef struct _FILE_CASE_SENSITIVE_INFORMATION
{
ULONG Flags;
} FILE_CASE_SENSITIVE_INFORMATION, *PFILE_CASE_SENSITIVE_INFORMATION;
// NtQueryDirectoryFile types // NtQueryDirectoryFile types
typedef struct _FILE_DIRECTORY_INFORMATION typedef struct _FILE_DIRECTORY_INFORMATION

3
inc/phnt/ntldr.h
View File

@@ -720,6 +720,7 @@ LdrEnumerateLoadedModules(
_In_ PVOID Context _In_ PVOID Context
); );
NTSYSAPI
NTSTATUS NTSTATUS
NTAPI NTAPI
LdrOpenImageFileOptionsKey( LdrOpenImageFileOptionsKey(
@@ -728,6 +729,7 @@ LdrOpenImageFileOptionsKey(
_Out_ PHANDLE NewKeyHandle _Out_ PHANDLE NewKeyHandle
); );
NTSYSAPI
NTSTATUS NTSTATUS
NTAPI NTAPI
LdrQueryImageFileKeyOption( LdrQueryImageFileKeyOption(
@@ -739,6 +741,7 @@ LdrQueryImageFileKeyOption(
_Out_opt_ PULONG ReturnedLength _Out_opt_ PULONG ReturnedLength
); );
NTSYSAPI
NTSTATUS NTSTATUS
NTAPI NTAPI
LdrQueryImageFileExecutionOptions( LdrQueryImageFileExecutionOptions(

12
inc/phnt/ntmisc.h
View File

@@ -1,18 +1,6 @@
#ifndef _NTMISC_H #ifndef _NTMISC_H
#define _NTMISC_H #define _NTMISC_H
// Boot graphics
#if (PHNT_VERSION >= PHNT_WIN7)
// rev
NTSYSCALLAPI
NTSTATUS
NTAPI
NtDrawText(
_In_ PUNICODE_STRING Text
);
#endif
// Filter manager // Filter manager
#define FLT_PORT_CONNECT 0x0001 #define FLT_PORT_CONNECT 0x0001

17
inc/phnt/ntmmapi.h
View File

@@ -75,7 +75,7 @@ typedef enum _MEMORY_INFORMATION_CLASS
MemoryImageInformation, // MEMORY_IMAGE_INFORMATION MemoryImageInformation, // MEMORY_IMAGE_INFORMATION
MemoryRegionInformationEx, MemoryRegionInformationEx,
MemoryPrivilegedBasicInformation, MemoryPrivilegedBasicInformation,
MemoryEnclaveImageInformation, // since REDSTONE3 MemoryEnclaveImageInformation, // MEMORY_ENCLAVE_IMAGE_INFORMATION // since REDSTONE3
MemoryBasicInformationCapped MemoryBasicInformationCapped
} MEMORY_INFORMATION_CLASS; } MEMORY_INFORMATION_CLASS;
#else #else
@@ -216,12 +216,20 @@ typedef struct _MEMORY_IMAGE_INFORMATION
{ {
ULONG ImagePartialMap : 1; ULONG ImagePartialMap : 1;
ULONG ImageNotExecutable : 1; ULONG ImageNotExecutable : 1;
ULONG ImageSigningLevel : 1; // REDSTONE3 ULONG ImageSigningLevel : 4; // REDSTONE3
ULONG Reserved : 30; ULONG Reserved : 26;
}; };
}; };
} MEMORY_IMAGE_INFORMATION, *PMEMORY_IMAGE_INFORMATION; } MEMORY_IMAGE_INFORMATION, *PMEMORY_IMAGE_INFORMATION;
// private
typedef struct _MEMORY_ENCLAVE_IMAGE_INFORMATION
{
MEMORY_IMAGE_INFORMATION ImageInfo;
UCHAR UniqueID[32];
UCHAR AuthorID[32];
} MEMORY_ENCLAVE_IMAGE_INFORMATION, *PMEMORY_ENCLAVE_IMAGE_INFORMATION;
#define MMPFNLIST_ZERO 0 #define MMPFNLIST_ZERO 0
#define MMPFNLIST_FREE 1 #define MMPFNLIST_FREE 1
#define MMPFNLIST_STANDBY 2 #define MMPFNLIST_STANDBY 2
@@ -663,7 +671,8 @@ typedef enum _MEMORY_PARTITION_INFORMATION_CLASS
SystemMemoryPartitionAddPagefile, // s: MEMORY_PARTITION_PAGEFILE_INFORMATION SystemMemoryPartitionAddPagefile, // s: MEMORY_PARTITION_PAGEFILE_INFORMATION
SystemMemoryPartitionCombineMemory, // q; s: MEMORY_PARTITION_PAGE_COMBINE_INFORMATION SystemMemoryPartitionCombineMemory, // q; s: MEMORY_PARTITION_PAGE_COMBINE_INFORMATION
SystemMemoryPartitionInitialAddMemory, // q; s: MEMORY_PARTITION_INITIAL_ADD_INFORMATION SystemMemoryPartitionInitialAddMemory, // q; s: MEMORY_PARTITION_INITIAL_ADD_INFORMATION
SystemMemoryPartitionGetMemoryEvents // MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION // since REDSTONE2 SystemMemoryPartitionGetMemoryEvents, // MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION // since REDSTONE2
SystemMemoryPartitionMax
} MEMORY_PARTITION_INFORMATION_CLASS; } MEMORY_PARTITION_INFORMATION_CLASS;
// private // private

13
inc/phnt/ntpebteb.h
View File

@@ -84,8 +84,8 @@ typedef struct _PEB
PVOID SubSystemData; PVOID SubSystemData;
PVOID ProcessHeap; PVOID ProcessHeap;
PRTL_CRITICAL_SECTION FastPebLock; PRTL_CRITICAL_SECTION FastPebLock;
PVOID AtlThunkSListPtr;
PVOID IFEOKey; PVOID IFEOKey;
PSLIST_HEADER AtlThunkSListPtr;
union union
{ {
ULONG CrossProcessFlags; ULONG CrossProcessFlags;
@@ -193,19 +193,24 @@ typedef struct _PEB
}; };
}; };
ULONGLONG CsrServerReadOnlySharedMemoryBase; ULONGLONG CsrServerReadOnlySharedMemoryBase;
PVOID TppWorkerpListLock; PRTL_CRITICAL_SECTION TppWorkerpListLock;
LIST_ENTRY TppWorkerpList; LIST_ENTRY TppWorkerpList;
PVOID WaitOnAddressHashTable[128]; PVOID WaitOnAddressHashTable[128];
PVOID TelemetryCoverageHeader; // REDSTONE3 PVOID TelemetryCoverageHeader; // REDSTONE3
ULONG CloudFileFlags; ULONG CloudFileFlags;
ULONG CloudFileDiagFlags; // REDSTONE4
CHAR PlaceholderCompatibilityMode;
CHAR PlaceholderCompatibilityModeReserved[7];
} PEB, *PPEB; } PEB, *PPEB;
#ifdef _WIN64 #ifdef _WIN64
C_ASSERT(FIELD_OFFSET(PEB, SessionId) == 0x2C0); C_ASSERT(FIELD_OFFSET(PEB, SessionId) == 0x2C0);
C_ASSERT(sizeof(PEB) == 0x7B0); //C_ASSERT(sizeof(PEB) == 0x7B0); // REDSTONE3
C_ASSERT(sizeof(PEB) == 0x7B8); // REDSTONE4
#else #else
C_ASSERT(FIELD_OFFSET(PEB, SessionId) == 0x1D4); C_ASSERT(FIELD_OFFSET(PEB, SessionId) == 0x1D4);
C_ASSERT(sizeof(PEB) == 0x468); //C_ASSERT(sizeof(PEB) == 0x468); // REDSTONE3
C_ASSERT(sizeof(PEB) == 0x470);
#endif #endif
#define GDI_BATCH_BUFFER_SIZE 310 #define GDI_BATCH_BUFFER_SIZE 310

94
inc/phnt/ntpsapi.h
View File

@@ -105,7 +105,7 @@ typedef enum _PROCESSINFOCLASS
ProcessBasePriority, // s: KPRIORITY ProcessBasePriority, // s: KPRIORITY
ProcessRaisePriority, // s: ULONG ProcessRaisePriority, // s: ULONG
ProcessDebugPort, // q: HANDLE ProcessDebugPort, // q: HANDLE
ProcessExceptionPort, // s: HANDLE ProcessExceptionPort, // s: PROCESS_EXCEPTION_PORT
ProcessAccessToken, // s: PROCESS_ACCESS_TOKEN ProcessAccessToken, // s: PROCESS_ACCESS_TOKEN
ProcessLdtInformation, // qs: PROCESS_LDT_INFORMATION // 10 ProcessLdtInformation, // qs: PROCESS_LDT_INFORMATION // 10
ProcessLdtSize, // s: PROCESS_LDT_SIZE ProcessLdtSize, // s: PROCESS_LDT_SIZE
@@ -132,12 +132,12 @@ typedef enum _PROCESSINFOCLASS
ProcessHandleTracing, // q: PROCESS_HANDLE_TRACING_QUERY; s: size 0 disables, otherwise enables ProcessHandleTracing, // q: PROCESS_HANDLE_TRACING_QUERY; s: size 0 disables, otherwise enables
ProcessIoPriority, // qs: IO_PRIORITY_HINT ProcessIoPriority, // qs: IO_PRIORITY_HINT
ProcessExecuteFlags, // qs: ULONG ProcessExecuteFlags, // qs: ULONG
ProcessResourceManagement, ProcessResourceManagement, // ProcessTlsInformation // PROCESS_TLS_INFORMATION
ProcessCookie, // q: ULONG ProcessCookie, // q: ULONG
ProcessImageInformation, // q: SECTION_IMAGE_INFORMATION ProcessImageInformation, // q: SECTION_IMAGE_INFORMATION
ProcessCycleTime, // q: PROCESS_CYCLE_TIME_INFORMATION // since VISTA ProcessCycleTime, // q: PROCESS_CYCLE_TIME_INFORMATION // since VISTA
ProcessPagePriority, // q: ULONG ProcessPagePriority, // q: PAGE_PRIORITY_INFORMATION
ProcessInstrumentationCallback, // 40 ProcessInstrumentationCallback, // qs: PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION // 40
ProcessThreadStackAllocation, // s: PROCESS_STACK_ALLOCATION_INFORMATION, PROCESS_STACK_ALLOCATION_INFORMATION_EX ProcessThreadStackAllocation, // s: PROCESS_STACK_ALLOCATION_INFORMATION, PROCESS_STACK_ALLOCATION_INFORMATION_EX
ProcessWorkingSetWatchEx, // q: PROCESS_WS_WATCH_INFORMATION_EX[] ProcessWorkingSetWatchEx, // q: PROCESS_WS_WATCH_INFORMATION_EX[]
ProcessImageFileNameWin32, // q: UNICODE_STRING ProcessImageFileNameWin32, // q: UNICODE_STRING
@@ -146,7 +146,7 @@ typedef enum _PROCESSINFOCLASS
ProcessMemoryAllocationMode, // qs: PROCESS_MEMORY_ALLOCATION_MODE ProcessMemoryAllocationMode, // qs: PROCESS_MEMORY_ALLOCATION_MODE
ProcessGroupInformation, // q: USHORT[] ProcessGroupInformation, // q: USHORT[]
ProcessTokenVirtualizationEnabled, // s: ULONG ProcessTokenVirtualizationEnabled, // s: ULONG
ProcessConsoleHostProcess, // q: ULONG_PTR ProcessConsoleHostProcess, // q: ULONG_PTR // ProcessOwnerInformation
ProcessWindowInformation, // q: PROCESS_WINDOW_INFORMATION // 50 ProcessWindowInformation, // q: PROCESS_WINDOW_INFORMATION // 50
ProcessHandleInformation, // q: PROCESS_HANDLE_SNAPSHOT_INFORMATION // since WIN8 ProcessHandleInformation, // q: PROCESS_HANDLE_SNAPSHOT_INFORMATION // since WIN8
ProcessMitigationPolicy, // s: PROCESS_MITIGATION_POLICY_INFORMATION ProcessMitigationPolicy, // s: PROCESS_MITIGATION_POLICY_INFORMATION
@@ -187,6 +187,9 @@ typedef enum _PROCESSINFOCLASS
ProcessEnableReadWriteVmLogging, // PROCESS_READWRITEVM_LOGGING_INFORMATION ProcessEnableReadWriteVmLogging, // PROCESS_READWRITEVM_LOGGING_INFORMATION
ProcessUptimeInformation, // PROCESS_UPTIME_INFORMATION ProcessUptimeInformation, // PROCESS_UPTIME_INFORMATION
ProcessImageSection, ProcessImageSection,
ProcessDebugAuthInformation, // since REDSTONE4
ProcessSystemResourceManagement, // PROCESS_SYSTEM_RESOURCE_MANAGEMENT
ProcessSequenceNumber, // q: ULONGLONG
MaxProcessInfoClass MaxProcessInfoClass
} PROCESSINFOCLASS; } PROCESSINFOCLASS;
#endif #endif
@@ -353,6 +356,15 @@ typedef struct _POOLED_USAGE_AND_LIMITS
SIZE_T PagefileLimit; SIZE_T PagefileLimit;
} POOLED_USAGE_AND_LIMITS, *PPOOLED_USAGE_AND_LIMITS; } POOLED_USAGE_AND_LIMITS, *PPOOLED_USAGE_AND_LIMITS;
#define PROCESS_EXCEPTION_PORT_ALL_STATE_BITS 0x00000003
#define PROCESS_EXCEPTION_PORT_ALL_STATE_FLAGS ((ULONG_PTR)((1UL << PROCESS_EXCEPTION_PORT_ALL_STATE_BITS) - 1))
typedef struct _PROCESS_EXCEPTION_PORT
{
_In_ HANDLE ExceptionPortHandle; // Handle to the exception port. No particular access required.
_Inout_ ULONG StateFlags; // Miscellaneous state flags to be cached along with the exception port in the kernel.
} PROCESS_EXCEPTION_PORT, *PPROCESS_EXCEPTION_PORT;
typedef struct _PROCESS_ACCESS_TOKEN typedef struct _PROCESS_ACCESS_TOKEN
{ {
HANDLE Token; // needs TOKEN_ASSIGN_PRIMARY access HANDLE Token; // needs TOKEN_ASSIGN_PRIMARY access
@@ -448,6 +460,8 @@ typedef struct _PROCESS_SESSION_INFORMATION
ULONG SessionId; ULONG SessionId;
} PROCESS_SESSION_INFORMATION, *PPROCESS_SESSION_INFORMATION; } PROCESS_SESSION_INFORMATION, *PPROCESS_SESSION_INFORMATION;
#define PROCESS_HANDLE_EXCEPTIONS_ENABLED 0x00000001
#define PROCESS_HANDLE_RAISE_EXCEPTION_ON_INVALID_HANDLE_CLOSE_DISABLED 0x00000000 #define PROCESS_HANDLE_RAISE_EXCEPTION_ON_INVALID_HANDLE_CLOSE_DISABLED 0x00000000
#define PROCESS_HANDLE_RAISE_EXCEPTION_ON_INVALID_HANDLE_CLOSE_ENABLED 0x00000001 #define PROCESS_HANDLE_RAISE_EXCEPTION_ON_INVALID_HANDLE_CLOSE_ENABLED 0x00000001
@@ -487,6 +501,42 @@ typedef struct _PROCESS_HANDLE_TRACING_QUERY
#endif #endif
// private
typedef struct _THREAD_TLS_INFORMATION
{
ULONG Flags;
PVOID NewTlsData;
PVOID OldTlsData;
HANDLE ThreadId;
} THREAD_TLS_INFORMATION, *PTHREAD_TLS_INFORMATION;
// private
typedef enum _PROCESS_TLS_INFORMATION_TYPE
{
ProcessTlsReplaceIndex,
ProcessTlsReplaceVector,
MaxProcessTlsOperation
} PROCESS_TLS_INFORMATION_TYPE, *PPROCESS_TLS_INFORMATION_TYPE;
// private
typedef struct _PROCESS_TLS_INFORMATION
{
ULONG Flags;
ULONG OperationType;
ULONG ThreadDataCount;
ULONG TlsIndex;
ULONG PreviousCount;
THREAD_TLS_INFORMATION ThreadData[1];
} PROCESS_TLS_INFORMATION, *PPROCESS_TLS_INFORMATION;
// private
typedef struct _PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION
{
ULONG Version;
ULONG Reserved;
PVOID Callback;
} PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION, *PPROCESS_INSTRUMENTATION_CALLBACK_INFORMATION;
// private // private
typedef struct _PROCESS_STACK_ALLOCATION_INFORMATION typedef struct _PROCESS_STACK_ALLOCATION_INFORMATION
{ {
@@ -757,17 +807,19 @@ typedef struct _MANAGE_WRITES_TO_EXECUTABLE_MEMORY
ULONG Spare : 22; ULONG Spare : 22;
} MANAGE_WRITES_TO_EXECUTABLE_MEMORY, *PMANAGE_WRITES_TO_EXECUTABLE_MEMORY; } MANAGE_WRITES_TO_EXECUTABLE_MEMORY, *PMANAGE_WRITES_TO_EXECUTABLE_MEMORY;
typedef struct _PROCESS_READWRITEVM_LOGGING_INFORMATION #define PROCESS_READWRITEVM_LOGGING_ENABLE_READVM 1
#define PROCESS_READWRITEVM_LOGGING_ENABLE_WRITEVM 2
#define PROCESS_READWRITEVM_LOGGING_ENABLE_READVM_V 1UL
#define PROCESS_READWRITEVM_LOGGING_ENABLE_WRITEVM_V 2UL
typedef union _PROCESS_READWRITEVM_LOGGING_INFORMATION
{ {
union UCHAR Flags;
struct
{ {
BOOLEAN Flags; UCHAR EnableReadVmLogging : 1;
struct UCHAR EnableWriteVmLogging : 1;
{ UCHAR Unused : 6;
BOOLEAN EnableReadVmLogging : 1;
BOOLEAN EnableWriteVmLogging : 1;
BOOLEAN Unused : 6;
};
}; };
} PROCESS_READWRITEVM_LOGGING_INFORMATION, *PPROCESS_READWRITEVM_LOGGING_INFORMATION; } PROCESS_READWRITEVM_LOGGING_INFORMATION, *PPROCESS_READWRITEVM_LOGGING_INFORMATION;
@@ -788,6 +840,16 @@ typedef struct _PROCESS_UPTIME_INFORMATION
}; };
} PROCESS_UPTIME_INFORMATION, *PPROCESS_UPTIME_INFORMATION; } PROCESS_UPTIME_INFORMATION, *PPROCESS_UPTIME_INFORMATION;
typedef union _PROCESS_SYSTEM_RESOURCE_MANAGEMENT
{
ULONG Flags;
struct
{
ULONG Foreground : 1;
ULONG Reserved : 31;
};
} PROCESS_SYSTEM_RESOURCE_MANAGEMENT, *PPROCESS_SYSTEM_RESOURCE_MANAGEMENT;
// end_private // end_private
#endif #endif
@@ -1008,6 +1070,7 @@ NtResumeProcess(
#define NtCurrentProcessToken() ((HANDLE)(LONG_PTR)-4) #define NtCurrentProcessToken() ((HANDLE)(LONG_PTR)-4)
#define NtCurrentThreadToken() ((HANDLE)(LONG_PTR)-5) #define NtCurrentThreadToken() ((HANDLE)(LONG_PTR)-5)
#define NtCurrentEffectiveToken() ((HANDLE)(LONG_PTR)-6) #define NtCurrentEffectiveToken() ((HANDLE)(LONG_PTR)-6)
#define NtCurrentSilo() ((HANDLE)(LONG_PTR)-1)
// Not NT, but useful. // Not NT, but useful.
#define NtCurrentProcessId() (NtCurrentTeb()->ClientId.UniqueProcess) #define NtCurrentProcessId() (NtCurrentTeb()->ClientId.UniqueProcess)
@@ -1471,7 +1534,8 @@ typedef enum _PS_MITIGATION_OPTION
PS_MITIGATION_OPTION_EXPORT_ADDRESS_FILTER_PLUS, PS_MITIGATION_OPTION_EXPORT_ADDRESS_FILTER_PLUS,
PS_MITIGATION_OPTION_RESTRICT_CHILD_PROCESS_CREATION, PS_MITIGATION_OPTION_RESTRICT_CHILD_PROCESS_CREATION,
PS_MITIGATION_OPTION_IMPORT_ADDRESS_FILTER, PS_MITIGATION_OPTION_IMPORT_ADDRESS_FILTER,
PS_MITIGATION_OPTION_MODULE_TAMPERING_PROTECTION PS_MITIGATION_OPTION_MODULE_TAMPERING_PROTECTION,
PS_MITIGATION_OPTION_RESTRICT_INDIRECT_BRANCH_PREDICTION
} PS_MITIGATION_OPTION; } PS_MITIGATION_OPTION;
// windows-internals-book:"Chapter 5" // windows-internals-book:"Chapter 5"

9
inc/phnt/ntrtl.h
View File

@@ -3236,6 +3236,15 @@ RtlDoesFileExists_U(
_In_ PWSTR FileName _In_ PWSTR FileName
); );
#if (PHNT_VERSION >= PHNT_REDSTONE2)
NTSYSAPI
PCWSTR
NTAPI
RtlGetNtSystemRoot(
VOID
);
#endif
// Heaps // Heaps
typedef struct _RTL_HEAP_ENTRY typedef struct _RTL_HEAP_ENTRY

1
inc/phnt/phnt.h
View File

@@ -36,6 +36,7 @@
#define PHNT_REDSTONE 102 #define PHNT_REDSTONE 102
#define PHNT_REDSTONE2 103 #define PHNT_REDSTONE2 103
#define PHNT_REDSTONE3 104 #define PHNT_REDSTONE3 104
#define PHNT_REDSTONE4 105
#ifndef PHNT_MODE #ifndef PHNT_MODE
#define PHNT_MODE PHNT_MODE_USER #define PHNT_MODE PHNT_MODE_USER

2
inc/phnt/phnt_ntdef.h
View File

@@ -213,6 +213,8 @@ typedef const OBJECT_ATTRIBUTES *PCOBJECT_ATTRIBUTES;
#define RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) { sizeof(OBJECT_ATTRIBUTES), NULL, n, a, NULL, NULL } #define RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) { sizeof(OBJECT_ATTRIBUTES), NULL, n, a, NULL, NULL }
#define RTL_INIT_OBJECT_ATTRIBUTES(n, a) RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) #define RTL_INIT_OBJECT_ATTRIBUTES(n, a) RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a)
#define OBJ_NAME_PATH_SEPARATOR ((WCHAR)L'\\')
// Portability // Portability
typedef struct _OBJECT_ATTRIBUTES64 typedef struct _OBJECT_ATTRIBUTES64