Update phnt headers

This commit is contained in:
zeffy
2018-03-02 16:09:06 -08:00
parent 818b2604d8
commit a5f8670ffe
6 changed files with 429 additions and 12 deletions


@@ -1393,6 +1393,14 @@ typedef enum _SYSTEM_INFORMATION_CLASS
SystemProcessorIdleMaskInformation, // since REDSTONE3 SystemProcessorIdleMaskInformation, // since REDSTONE3
SystemSecureDumpEncryptionInformation, SystemSecureDumpEncryptionInformation,
SystemWriteConstraintInformation, // SYSTEM_WRITE_CONSTRAINT_INFORMATION SystemWriteConstraintInformation, // SYSTEM_WRITE_CONSTRAINT_INFORMATION
SystemKernelVaShadowInformation, // SYSTEM_KERNEL_VA_SHADOW_INFORMATION
SystemHypervisorSharedPageInformation, // REDSTONE4
SystemFirmwareBootPerformanceInformation,
SystemCodeIntegrityVerificationInformation,
SystemFirmwarePartitionInformation, // 200
SystemSpeculationControlInformation, // SYSTEM_SPECULATION_CONTROL_INFORMATION // (CVE-2017-5715) REDSTONE3 and above.
SystemDmaGuardPolicyInformation,
SystemEnclaveLaunchControlInformation,
MaxSystemInfoClass MaxSystemInfoClass
} SYSTEM_INFORMATION_CLASS; } SYSTEM_INFORMATION_CLASS;
@@ -3078,6 +3086,44 @@ typedef struct _SYSTEM_WRITE_CONSTRAINT_INFORMATION
ULONG Reserved; ULONG Reserved;
} SYSTEM_WRITE_CONSTRAINT_INFORMATION, *PSYSTEM_WRITE_CONSTRAINT_INFORMATION; } SYSTEM_WRITE_CONSTRAINT_INFORMATION, *PSYSTEM_WRITE_CONSTRAINT_INFORMATION;
// private
typedef struct _SYSTEM_KERNEL_VA_SHADOW_INFORMATION
{
union
{
ULONG Flags;
struct
{
ULONG KvaShadowEnabled : 1;
ULONG KvaShadowUserGlobal : 1;
ULONG KvaShadowPcid : 1;
ULONG KvaShadowInvpcid : 1;
ULONG Reserved : 28;
};
};
} SYSTEM_KERNEL_VA_SHADOW_INFORMATION, *PSYSTEM_KERNEL_VA_SHADOW_INFORMATION;
// private
typedef struct _SYSTEM_SPECULATION_CONTROL_INFORMATION
{
union
{
ULONG Flags;
struct
{
ULONG BpbEnabled : 1;
ULONG BpbDisabledSystemPolicy : 1;
ULONG BpbDisabledNoHardwareSupport : 1;
ULONG SpecCtrlEnumerated : 1;
ULONG SpecCmdEnumerated : 1;
ULONG IbrsPresent : 1;
ULONG StibpPresent : 1;
ULONG SmepPresent : 1;
ULONG Reserved : 24;
};
};
} SYSTEM_SPECULATION_CONTROL_INFORMATION, *PSYSTEM_SPECULATION_CONTROL_INFORMATION;
#if (PHNT_MODE != PHNT_MODE_KERNEL) #if (PHNT_MODE != PHNT_MODE_KERNEL)
NTSYSCALLAPI NTSYSCALLAPI
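Review bot: The new `SystemKernelVaShadowInformation` enum entry records only the struct name, while the neighbouring `SystemSpeculationControlInformation` entry records both the struct and its availability; I would mirror that on the first hunk's line, e.g. `SystemKernelVaShadowInformation, // SYSTEM_KERNEL_VA_SHADOW_INFORMATION // since <first build, confirm>`. As far as I know both of these classes were also shipped to pre-REDSTONE3 kernels with the January 2018 security updates, so the "REDSTONE3 and above" wording on the speculation-control entry may be stricter than reality and should not be used for version gating without checking. A short comment on the two `// private` structs noting that an unpatched kernel fails the query rather than returning zeroed flags (presumably the case, confirm) would help callers that report mitigation status treat a failed query as "unknown" rather than "disabled". The `Flags` overlays are consistent: both bitfield groups sum to exactly 32 bits.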


@@ -5,6 +5,12 @@
// DLLs // DLLs
typedef BOOLEAN (NTAPI *PLDR_INIT_ROUTINE)(
_In_ PVOID DllHandle,
_In_ ULONG Reason,
_In_opt_ PVOID Context
);
// symbols // symbols
typedef struct _LDR_SERVICE_TAG_RECORD typedef struct _LDR_SERVICE_TAG_RECORD
{ {
@@ -98,6 +104,7 @@ typedef enum _LDR_DLL_LOAD_REASON
#define LDR_DATA_TABLE_ENTRY_SIZE_WINXP FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, DdagNode) #define LDR_DATA_TABLE_ENTRY_SIZE_WINXP FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, DdagNode)
#define LDR_DATA_TABLE_ENTRY_SIZE_WIN7 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, BaseNameHashValue) #define LDR_DATA_TABLE_ENTRY_SIZE_WIN7 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, BaseNameHashValue)
#define LDR_DATA_TABLE_ENTRY_SIZE_WIN8 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, ImplicitPathOptions) #define LDR_DATA_TABLE_ENTRY_SIZE_WIN8 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, ImplicitPathOptions)
#define LDR_DATA_TABLE_ENTRY_SIZE sizeof(LDR_DATA_TABLE_ENTRY)
// symbols // symbols
typedef struct _LDR_DATA_TABLE_ENTRY typedef struct _LDR_DATA_TABLE_ENTRY
@@ -110,7 +117,7 @@ typedef struct _LDR_DATA_TABLE_ENTRY
LIST_ENTRY InProgressLinks; LIST_ENTRY InProgressLinks;
}; };
PVOID DllBase; PVOID DllBase;
PVOID EntryPoint; PLDR_INIT_ROUTINE EntryPoint;
ULONG SizeOfImage; ULONG SizeOfImage;
UNICODE_STRING FullDllName; UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName; UNICODE_STRING BaseDllName;
@@ -172,11 +179,9 @@ typedef struct _LDR_DATA_TABLE_ENTRY
UCHAR SigningLevel; // since REDSTONE2 UCHAR SigningLevel; // since REDSTONE2
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY; } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
typedef BOOLEAN (NTAPI *PDLL_INIT_ROUTINE)( #define LDR_IS_DATAFILE(DllHandle) (((ULONG_PTR)(DllHandle)) & (ULONG_PTR)1)
_In_ PVOID DllHandle, #define LDR_IS_IMAGEMAPPING(DllHandle) (((ULONG_PTR)(DllHandle)) & (ULONG_PTR)2)
_In_ ULONG Reason, #define LDR_IS_RESOURCE(DllHandle) (LDR_IS_IMAGEMAPPING(DllHandle) || LDR_IS_DATAFILE(DllHandle))
_In_opt_ PCONTEXT Context
);
NTSYSAPI NTSYSAPI
NTSTATUS NTSTATUS
@@ -583,6 +588,70 @@ LdrAccessResource(
_Out_opt_ ULONG *ResourceLength _Out_opt_ ULONG *ResourceLength
); );
typedef struct _LDR_RESOURCE_INFO
{
ULONG_PTR Type;
ULONG_PTR Name;
ULONG_PTR Language;
} LDR_RESOURCE_INFO, *PLDR_RESOURCE_INFO;
#define RESOURCE_TYPE_LEVEL 0
#define RESOURCE_NAME_LEVEL 1
#define RESOURCE_LANGUAGE_LEVEL 2
#define RESOURCE_DATA_LEVEL 3
NTSYSAPI
NTSTATUS
NTAPI
LdrFindResource_U(
_In_ PVOID BaseAddress,
_In_ PLDR_RESOURCE_INFO ResourceInfo,
_In_ ULONG Level,
_Out_ PIMAGE_RESOURCE_DATA_ENTRY *ResourceDataEntry
);
NTSYSAPI
NTSTATUS
NTAPI
LdrFindResourceDirectory_U(
_In_ PVOID BaseAddress,
_In_ PLDR_RESOURCE_INFO ResourceInfo,
_In_ ULONG Level,
_Out_ PIMAGE_RESOURCE_DIRECTORY *ResourceDirectory
);
// private
typedef struct _LDR_ENUM_RESOURCE_ENTRY
{
union
{
ULONG_PTR NameOrId;
PIMAGE_RESOURCE_DIRECTORY_STRING Name;
struct
{
USHORT Id;
USHORT NameIsPresent;
};
} Path[3];
PVOID Data;
ULONG Size;
ULONG Reserved;
} LDR_ENUM_RESOURCE_ENTRY, *PLDR_ENUM_RESOURCE_ENTRY;
#define NAME_FROM_RESOURCE_ENTRY(RootDirectory, Entry) \
((Entry)->NameIsString ? (ULONG_PTR)PTR_ADD_OFFSET((RootDirectory), (Entry)->NameOffset) : (Entry)->Id)
NTSYSAPI
NTSTATUS
NTAPI
LdrEnumResources(
_In_ PVOID BaseAddress,
_In_ PLDR_RESOURCE_INFO ResourceInfo,
_In_ ULONG Level,
_Inout_ ULONG *ResourceCount,
_Out_writes_to_opt_(*ResourceCount, *ResourceCount) PLDR_ENUM_RESOURCE_ENTRY Resources
);
NTSYSAPI NTSYSAPI
NTSTATUS NTSTATUS
NTAPI NTAPI
@@ -625,4 +694,62 @@ typedef struct _RTL_PROCESS_MODULE_INFORMATION_EX
PVOID DefaultBase; PVOID DefaultBase;
} RTL_PROCESS_MODULE_INFORMATION_EX, *PRTL_PROCESS_MODULE_INFORMATION_EX; } RTL_PROCESS_MODULE_INFORMATION_EX, *PRTL_PROCESS_MODULE_INFORMATION_EX;
#if (PHNT_MODE != PHNT_MODE_KERNEL)
NTSYSAPI
NTSTATUS
NTAPI
LdrQueryProcessModuleInformation(
_In_opt_ PRTL_PROCESS_MODULES ModuleInformation,
_In_opt_ ULONG Size,
_Out_ PULONG ReturnedSize
);
typedef VOID (NTAPI *PLDR_ENUM_CALLBACK)(
_In_ PLDR_DATA_TABLE_ENTRY ModuleInformation,
_In_ PVOID Parameter,
_Out_ BOOLEAN *Stop
);
NTSYSAPI
NTSTATUS
NTAPI
LdrEnumerateLoadedModules(
_In_ BOOLEAN ReservedFlag,
_In_ PLDR_ENUM_CALLBACK EnumProc,
_In_ PVOID Context
);
NTSTATUS
NTAPI
LdrOpenImageFileOptionsKey(
_In_ PUNICODE_STRING SubKey,
_In_ BOOLEAN Wow64,
_Out_ PHANDLE NewKeyHandle
);
NTSTATUS
NTAPI
LdrQueryImageFileKeyOption(
_In_ HANDLE KeyHandle,
_In_ PCWSTR ValueName,
_In_ ULONG Type,
_Out_ PVOID Buffer,
_In_ ULONG BufferSize,
_Out_opt_ PULONG ReturnedLength
);
NTSTATUS
NTAPI
LdrQueryImageFileExecutionOptions(
_In_ PUNICODE_STRING SubKey,
_In_ PCWSTR ValueName,
_In_ ULONG ValueSize,
_Out_ PVOID Buffer,
_In_ ULONG BufferSize,
_Out_opt_ PULONG RetunedLength
);
#endif // (PHNT_MODE != PHNT_MODE_KERNEL)
#endif #endif
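Review bot: `_Out_opt_ PULONG RetunedLength` in the new `LdrQueryImageFileExecutionOptions` prototype is misspelled; it should read `_Out_opt_ PULONG ReturnedLength`, matching the name used by `LdrQueryImageFileKeyOption` just above it. The three image-file-option prototypes (`LdrOpenImageFileOptionsKey`, `LdrQueryImageFileKeyOption`, `LdrQueryImageFileExecutionOptions`) also lack the `NTSYSAPI` prefix that `LdrQueryProcessModuleInformation` and `LdrEnumerateLoadedModules` in the same hunk carry; if that is not deliberate, add it for consistency. `_Out_ PVOID Buffer` paired with a separate `_In_ ULONG BufferSize` loses the size relationship for static analysis; `_Out_writes_bytes_(BufferSize) PVOID Buffer` (or `_Out_writes_bytes_to_(BufferSize, *ReturnedLength)` where a length is returned) lets SAL check the write bound. In the earlier hunk, dropping `PDLL_INIT_ROUTINE` in favour of `PLDR_INIT_ROUTINE` is a source-breaking rename for any consumer still using the old name; a compatibility alias `typedef PLDR_INIT_ROUTINE PDLL_INIT_ROUTINE;` would keep them compiling, and the `Context` change from `PCONTEXT` to `PVOID` deserves a one-line comment explaining why (presumably the loader passes an opaque pointer, but confirm).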


@@ -14,6 +14,46 @@ typedef struct _ACTIVATION_CONTEXT_STACK
ULONG StackId; ULONG StackId;
} ACTIVATION_CONTEXT_STACK, *PACTIVATION_CONTEXT_STACK; } ACTIVATION_CONTEXT_STACK, *PACTIVATION_CONTEXT_STACK;
// private
typedef struct _API_SET_NAMESPACE
{
ULONG Version;
ULONG Size;
ULONG Flags;
ULONG Count;
ULONG EntryOffset;
ULONG HashOffset;
ULONG HashFactor;
} API_SET_NAMESPACE, *PAPI_SET_NAMESPACE;
// private
typedef struct _API_SET_HASH_ENTRY
{
ULONG Hash;
ULONG Index;
} API_SET_HASH_ENTRY, *PAPI_SET_HASH_ENTRY;
// private
typedef struct _API_SET_NAMESPACE_ENTRY
{
ULONG Flags;
ULONG NameOffset;
ULONG NameLength;
ULONG HashedLength;
ULONG ValueOffset;
ULONG ValueCount;
} API_SET_NAMESPACE_ENTRY, *PAPI_SET_NAMESPACE_ENTRY;
// private
typedef struct _API_SET_VALUE_ENTRY
{
ULONG Flags;
ULONG NameOffset;
ULONG NameLength;
ULONG ValueOffset;
ULONG ValueLength;
} API_SET_VALUE_ENTRY, *PAPI_SET_VALUE_ENTRY;
// symbols // symbols
typedef struct _PEB typedef struct _PEB
{ {
@@ -68,7 +108,7 @@ typedef struct _PEB
}; };
ULONG SystemReserved[1]; ULONG SystemReserved[1];
ULONG AtlThunkSListPtr32; ULONG AtlThunkSListPtr32;
PVOID ApiSetMap; PAPI_SET_NAMESPACE ApiSetMap;
ULONG TlsExpansionCounter; ULONG TlsExpansionCounter;
PVOID TlsBitmap; PVOID TlsBitmap;
ULONG TlsBitmapBits[2]; ULONG TlsBitmapBits[2];
@@ -84,7 +124,7 @@ typedef struct _PEB
ULONG NumberOfProcessors; ULONG NumberOfProcessors;
ULONG NtGlobalFlag; ULONG NtGlobalFlag;
LARGE_INTEGER CriticalSectionTimeout; ULARGE_INTEGER CriticalSectionTimeout;
SIZE_T HeapSegmentReserve; SIZE_T HeapSegmentReserve;
SIZE_T HeapSegmentCommit; SIZE_T HeapSegmentCommit;
SIZE_T HeapDeCommitTotalFreeThreshold; SIZE_T HeapDeCommitTotalFreeThreshold;
@@ -160,6 +200,14 @@ typedef struct _PEB
ULONG CloudFileFlags; ULONG CloudFileFlags;
} PEB, *PPEB; } PEB, *PPEB;
#ifdef _WIN64
C_ASSERT(FIELD_OFFSET(PEB, SessionId) == 0x2C0);
C_ASSERT(sizeof(PEB) == 0x7B0);
#else
C_ASSERT(FIELD_OFFSET(PEB, SessionId) == 0x1D4);
C_ASSERT(sizeof(PEB) == 0x468);
#endif
#define GDI_BATCH_BUFFER_SIZE 310 #define GDI_BATCH_BUFFER_SIZE 310
typedef struct _GDI_TEB_BATCH typedef struct _GDI_TEB_BATCH
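Review bot: Typing `PEB.ApiSetMap` as `PAPI_SET_NAMESPACE` asserts one specific map schema; the header/entry/value layout declared here corresponds, as far as I recall, to the version-6 API set schema used by Windows 10, whereas older PEBs point this field at differently laid-out maps. I would say so on the `// private` structs, e.g. `// API set schema v6; check API_SET_NAMESPACE.Version before interpreting Count/EntryOffset`, so code that walks the map from the PEB does not misread an older schema. The new `C_ASSERT` block pins `sizeof(PEB)` and the `SessionId` offset to a particular build without naming it; a comment such as `// layout as of <build> -- update when PEB grows` would make a future assertion failure self-explanatory rather than puzzling.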


@@ -44,7 +44,7 @@
#define GDI_HANDLE_BUFFER_SIZE32 34 #define GDI_HANDLE_BUFFER_SIZE32 34
#define GDI_HANDLE_BUFFER_SIZE64 60 #define GDI_HANDLE_BUFFER_SIZE64 60
#ifndef WIN64 #ifndef _WIN64
#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32 #define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32
#else #else
#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE64 #define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE64
@@ -809,8 +809,12 @@ typedef struct _THREAD_LAST_SYSCALL_INFORMATION
{ {
PVOID FirstArgument; PVOID FirstArgument;
USHORT SystemCallNumber; USHORT SystemCallNumber;
//USHORT Reserved; // since REDSTONE2 #ifdef WIN64
//ULONG64 WaitTime; USHORT Pad[0x3]; // since REDSTONE2
#else
USHORT Pad[0x1]; // since REDSTONE2
#endif
ULONG64 WaitTime;
} THREAD_LAST_SYSCALL_INFORMATION, *PTHREAD_LAST_SYSCALL_INFORMATION; } THREAD_LAST_SYSCALL_INFORMATION, *PTHREAD_LAST_SYSCALL_INFORMATION;
// private // private
@@ -1000,6 +1004,11 @@ NtResumeProcess(
#define ZwCurrentSession() NtCurrentSession() #define ZwCurrentSession() NtCurrentSession()
#define NtCurrentPeb() (NtCurrentTeb()->ProcessEnvironmentBlock) #define NtCurrentPeb() (NtCurrentTeb()->ProcessEnvironmentBlock)
// Windows 8 and above
#define NtCurrentProcessToken() ((HANDLE)(LONG_PTR)-4)
#define NtCurrentThreadToken() ((HANDLE)(LONG_PTR)-5)
#define NtCurrentEffectiveToken() ((HANDLE)(LONG_PTR)-6)
// Not NT, but useful. // Not NT, but useful.
#define NtCurrentProcessId() (NtCurrentTeb()->ClientId.UniqueProcess) #define NtCurrentProcessId() (NtCurrentTeb()->ClientId.UniqueProcess)
#define NtCurrentThreadId() (NtCurrentTeb()->ClientId.UniqueThread) #define NtCurrentThreadId() (NtCurrentTeb()->ClientId.UniqueThread)
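Review bot: The new padding in `THREAD_LAST_SYSCALL_INFORMATION` is guarded by `#ifdef WIN64`, while the first hunk of this same file corrects that spelling to `#ifndef _WIN64`; `WIN64` without the underscore is not a compiler-predefined macro, so a 64-bit build that defines only `_WIN64` selects the `Pad[0x1]` branch. The layout happens to survive because `ULONG64 WaitTime` is 8-byte aligned either way, but the check is still wrong and inconsistent with the fix above: use `#ifdef _WIN64` (the struct opens at the hunk's header context and closes at the typedef line inside the hunk). Decimal `USHORT Pad[3]` / `USHORT Pad[1]` reads more naturally than hex for a tiny array, and a `C_ASSERT` on `FIELD_OFFSET(THREAD_LAST_SYSCALL_INFORMATION, WaitTime)` would guard the intended layout explicitly instead of relying on padding. For the new token pseudo-handles, a comment noting that they are, as far as I know, usable only for query-type access (like the SDK's `GetCurrentProcessToken`) would stop callers passing them where a real handle is required; verify against the SDK documentation.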


@@ -534,6 +534,12 @@ NtUnloadKey(
_In_ POBJECT_ATTRIBUTES TargetKey _In_ POBJECT_ATTRIBUTES TargetKey
); );
//
// NtUnloadKey2 Flags (from winnt.h)
//
//#define REG_FORCE_UNLOAD 1
//#define REG_UNLOAD_LEGAL_FLAGS (REG_FORCE_UNLOAD)
NTSYSCALLAPI NTSYSCALLAPI
NTSTATUS NTSTATUS
NTAPI NTAPI
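Review bot: The `REG_FORCE_UNLOAD` / `REG_UNLOAD_LEGAL_FLAGS` definitions are added commented out, so a translation unit that does not include winnt.h (presumably the kernel-mode configuration) still has no name for the `NtUnloadKey2` flag. A guarded definition serves both cases: `#ifndef REG_FORCE_UNLOAD` / `#define REG_FORCE_UNLOAD 1` / `#endif`, and the same for `REG_UNLOAD_LEGAL_FLAGS`. If leaving them commented is deliberate, say so in the comment, e.g. `// defined in winnt.h; listed here for reference only`.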


@@ -1,6 +1,9 @@
#ifndef _NTRTL_H #ifndef _NTRTL_H
#define _NTRTL_H #define _NTRTL_H
#define RtlOffsetToPointer(Base, Offset) ((PCHAR)(((PCHAR)(Base)) + ((ULONG_PTR)(Offset))))
#define RtlPointerToOffset(Base, Pointer) ((ULONG)(((PCHAR)(Pointer)) - ((PCHAR)(Base))))
// Linked lists // Linked lists
FORCEINLINE VOID InitializeListHead( FORCEINLINE VOID InitializeListHead(
@@ -3209,7 +3212,7 @@ RtlDosSearchPath_U(
#define RTL_DOS_SEARCH_PATH_FLAG_APPLY_ISOLATION_REDIRECTION 0x00000001 #define RTL_DOS_SEARCH_PATH_FLAG_APPLY_ISOLATION_REDIRECTION 0x00000001
#define RTL_DOS_SEARCH_PATH_FLAG_DISALLOW_DOT_RELATIVE_PATH_SEARCH 0x00000002 #define RTL_DOS_SEARCH_PATH_FLAG_DISALLOW_DOT_RELATIVE_PATH_SEARCH 0x00000002
#define RTL_DOS_SEARCH_PATH_FLAG_APPLY_DEFAULT_EXTENSION_WHEN_NOT_RELATIVE_PATH_EVEN_IF_FILE_HAS_EXTENSION 0x00000004) #define RTL_DOS_SEARCH_PATH_FLAG_APPLY_DEFAULT_EXTENSION_WHEN_NOT_RELATIVE_PATH_EVEN_IF_FILE_HAS_EXTENSION 0x00000004
NTSYSAPI NTSYSAPI
NTSTATUS NTSTATUS
@@ -6589,4 +6592,182 @@ RtlCrc64(
#endif #endif
// Image Mitigation
// rev
typedef enum _IMAGE_MITIGATION_POLICY
{
ImageDepPolicy, // RTL_IMAGE_MITIGATION_DEP_POLICY
ImageAslrPolicy, // RTL_IMAGE_MITIGATION_ASLR_POLICY
ImageDynamicCodePolicy, // RTL_IMAGE_MITIGATION_DYNAMIC_CODE_POLICY
ImageStrictHandleCheckPolicy, // RTL_IMAGE_MITIGATION_STRICT_HANDLE_CHECK_POLICY
ImageSystemCallDisablePolicy, // RTL_IMAGE_MITIGATION_SYSTEM_CALL_DISABLE_POLICY
ImageMitigationOptionsMask,
ImageExtensionPointDisablePolicy, // RTL_IMAGE_MITIGATION_EXTENSION_POINT_DISABLE_POLICY
ImageControlFlowGuardPolicy, // RTL_IMAGE_MITIGATION_CONTROL_FLOW_GUARD_POLICY
ImageSignaturePolicy, // RTL_IMAGE_MITIGATION_BINARY_SIGNATURE_POLICY
ImageFontDisablePolicy, // RTL_IMAGE_MITIGATION_FONT_DISABLE_POLICY
ImageImageLoadPolicy, // RTL_IMAGE_MITIGATION_IMAGE_LOAD_POLICY
ImagePayloadRestrictionPolicy, // RTL_IMAGE_MITIGATION_PAYLOAD_RESTRICTION_POLICY
ImageChildProcessPolicy, // RTL_IMAGE_MITIGATION_CHILD_PROCESS_POLICY
ImageSehopPolicy, // RTL_IMAGE_MITIGATION_SEHOP_POLICY
ImageHeapPolicy, // RTL_IMAGE_MITIGATION_HEAP_POLICY
MaxImageMitigationPolicy
} IMAGE_MITIGATION_POLICY;
// rev
typedef union _RTL_IMAGE_MITIGATION_POLICY
{
struct
{
ULONG64 AuditState : 2;
ULONG64 AuditFlag : 1;
ULONG64 EnableAdditionalAuditingOption : 1;
ULONG64 Reserved : 60;
};
struct
{
ULONG64 PolicyState : 2;
ULONG64 AlwaysInherit : 1;
ULONG64 EnableAdditionalPolicyOption : 1;
ULONG64 AuditReserved : 60;
};
} RTL_IMAGE_MITIGATION_POLICY, *PRTL_IMAGE_MITIGATION_POLICY;
// rev
typedef struct _RTL_IMAGE_MITIGATION_DEP_POLICY
{
RTL_IMAGE_MITIGATION_POLICY Dep;
} RTL_IMAGE_MITIGATION_DEP_POLICY, *PRTL_IMAGE_MITIGATION_DEP_POLICY;
// rev
typedef struct _RTL_IMAGE_MITIGATION_ASLR_POLICY
{
RTL_IMAGE_MITIGATION_POLICY ForceRelocateImages;
RTL_IMAGE_MITIGATION_POLICY BottomUpRandomization;
RTL_IMAGE_MITIGATION_POLICY HighEntropyRandomization;
} RTL_IMAGE_MITIGATION_ASLR_POLICY, *PRTL_IMAGE_MITIGATION_ASLR_POLICY;
// rev
typedef struct _RTL_IMAGE_MITIGATION_DYNAMIC_CODE_POLICY
{
RTL_IMAGE_MITIGATION_POLICY BlockDynamicCode;
} RTL_IMAGE_MITIGATION_DYNAMIC_CODE_POLICY, *PRTL_IMAGE_MITIGATION_DYNAMIC_CODE_POLICY;
// rev
typedef struct _RTL_IMAGE_MITIGATION_STRICT_HANDLE_CHECK_POLICY
{
RTL_IMAGE_MITIGATION_POLICY StrictHandleChecks;
} RTL_IMAGE_MITIGATION_STRICT_HANDLE_CHECK_POLICY, *PRTL_IMAGE_MITIGATION_STRICT_HANDLE_CHECK_POLICY;
// rev
typedef struct _RTL_IMAGE_MITIGATION_SYSTEM_CALL_DISABLE_POLICY
{
RTL_IMAGE_MITIGATION_POLICY BlockWin32kSystemCalls;
} RTL_IMAGE_MITIGATION_SYSTEM_CALL_DISABLE_POLICY, *PRTL_IMAGE_MITIGATION_SYSTEM_CALL_DISABLE_POLICY;
// rev
typedef struct _RTL_IMAGE_MITIGATION_EXTENSION_POINT_DISABLE_POLICY
{
RTL_IMAGE_MITIGATION_POLICY DisableExtensionPoints;
} RTL_IMAGE_MITIGATION_EXTENSION_POINT_DISABLE_POLICY, *PRTL_IMAGE_MITIGATION_EXTENSION_POINT_DISABLE_POLICY;
// rev
typedef struct _RTL_IMAGE_MITIGATION_CONTROL_FLOW_GUARD_POLICY
{
RTL_IMAGE_MITIGATION_POLICY ControlFlowGuard;
RTL_IMAGE_MITIGATION_POLICY StrictControlFlowGuard;
} RTL_IMAGE_MITIGATION_CONTROL_FLOW_GUARD_POLICY, *PRTL_IMAGE_MITIGATION_CONTROL_FLOW_GUARD_POLICY;
// rev
typedef struct _RTL_IMAGE_MITIGATION_BINARY_SIGNATURE_POLICY
{
RTL_IMAGE_MITIGATION_POLICY BlockNonMicrosoftSignedBinaries;
RTL_IMAGE_MITIGATION_POLICY EnforceSigningOnModuleDependencies;
} RTL_IMAGE_MITIGATION_BINARY_SIGNATURE_POLICY, *PRTL_IMAGE_MITIGATION_BINARY_SIGNATURE_POLICY;
// rev
typedef struct _RTL_IMAGE_MITIGATION_FONT_DISABLE_POLICY
{
RTL_IMAGE_MITIGATION_POLICY DisableNonSystemFonts;
} RTL_IMAGE_MITIGATION_FONT_DISABLE_POLICY, *PRTL_IMAGE_MITIGATION_FONT_DISABLE_POLICY;
// rev
typedef struct _RTL_IMAGE_MITIGATION_IMAGE_LOAD_POLICY
{
RTL_IMAGE_MITIGATION_POLICY BlockRemoteImageLoads;
RTL_IMAGE_MITIGATION_POLICY BlockLowLabelImageLoads;
RTL_IMAGE_MITIGATION_POLICY PreferSystem32;
} RTL_IMAGE_MITIGATION_IMAGE_LOAD_POLICY, *PRTL_IMAGE_MITIGATION_IMAGE_LOAD_POLICY;
// rev
typedef struct _RTL_IMAGE_MITIGATION_PAYLOAD_RESTRICTION_POLICY
{
RTL_IMAGE_MITIGATION_POLICY EnableExportAddressFilter;
RTL_IMAGE_MITIGATION_POLICY EnableExportAddressFilterPlus;
RTL_IMAGE_MITIGATION_POLICY EnableImportAddressFilter;
RTL_IMAGE_MITIGATION_POLICY EnableRopStackPivot;
RTL_IMAGE_MITIGATION_POLICY EnableRopCallerCheck;
RTL_IMAGE_MITIGATION_POLICY EnableRopSimExec;
} RTL_IMAGE_MITIGATION_PAYLOAD_RESTRICTION_POLICY, *PRTL_IMAGE_MITIGATION_PAYLOAD_RESTRICTION_POLICY;
// rev
typedef struct _RTL_IMAGE_MITIGATION_CHILD_PROCESS_POLICY
{
RTL_IMAGE_MITIGATION_POLICY DisallowChildProcessCreation;
} RTL_IMAGE_MITIGATION_CHILD_PROCESS_POLICY, *PRTL_IMAGE_MITIGATION_CHILD_PROCESS_POLICY;
// rev
typedef struct _RTL_IMAGE_MITIGATION_SEHOP_POLICY
{
RTL_IMAGE_MITIGATION_POLICY Sehop;
} RTL_IMAGE_MITIGATION_SEHOP_POLICY, *PRTL_IMAGE_MITIGATION_SEHOP_POLICY;
// rev
typedef struct _RTL_IMAGE_MITIGATION_HEAP_POLICY
{
RTL_IMAGE_MITIGATION_POLICY TerminateOnHeapErrors;
} RTL_IMAGE_MITIGATION_HEAP_POLICY, *PRTL_IMAGE_MITIGATION_HEAP_POLICY;
typedef enum _RTL_IMAGE_MITIGATION_OPTION_STATE
{
RtlMitigationOptionStateNotConfigured,
RtlMitigationOptionStateOn,
RtlMitigationOptionStateOff
} RTL_IMAGE_MITIGATION_OPTION_STATE;
// rev from PROCESS_MITIGATION_FLAGS
#define RTL_IMAGE_MITIGATION_FLAG_RESET 0x1
#define RTL_IMAGE_MITIGATION_FLAG_REMOVE 0x2
#define RTL_IMAGE_MITIGATION_FLAG_OSDEFAULT 0x4
#define RTL_IMAGE_MITIGATION_FLAG_AUDIT 0x8
#if (PHNT_VERSION >= PHNT_REDSTONE3)
// rev
NTSYSAPI
NTSTATUS
NTAPI
RtlQueryImageMitigationPolicy(
_In_opt_ PWSTR ImagePath, // NULL for system-wide defaults
_In_ IMAGE_MITIGATION_POLICY Policy,
_In_ ULONG Flags,
_Inout_ PVOID Buffer,
_In_ ULONG BufferSize
);
// rev
NTSYSAPI
NTSTATUS
NTAPI
RtlSetImageMitigationPolicy(
_In_opt_ PWSTR ImagePath, // NULL for system-wide defaults
_In_ IMAGE_MITIGATION_POLICY Policy,
_In_ ULONG Flags,
_Inout_ PVOID Buffer,
_In_ ULONG BufferSize
);
#endif
#endif #endif
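Review bot: `_In_opt_ PWSTR ImagePath` on the new `RtlQueryImageMitigationPolicy` and `RtlSetImageMitigationPolicy` prototypes should be `_In_opt_ PCWSTR ImagePath`, since the path is input-only, and `_Inout_ PVOID Buffer` paired with `_In_ ULONG BufferSize` is better expressed as `_Inout_updates_bytes_(BufferSize) PVOID Buffer` so analysis can bound the access. In `RTL_IMAGE_MITIGATION_POLICY` the trailing 60 bits are named `Reserved` in the audit-flavoured struct and `AuditReserved` in the policy-flavoured one, which looks swapped; worth re-checking against the reversed source before anyone keys off those names. A one-line comment that the Set variant changes a persistent per-image (or, with a NULL path, system-wide) mitigation setting that applies to future launches, presumably registry-backed (confirm), would help callers understand the blast radius. `RTL_IMAGE_MITIGATION_OPTION_STATE` is also the only new type in the hunk without the `// rev` tag its neighbours carry.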