0.8

Note: currently only works via manual injection, Rundll32Entry has been removed

- Fixed conflict with UpdatePack7R2 (and WuaCpuFix) by hooking `RegQueryValueExW` and fixing the path to `wuaueng.dll`. (fixes #100)
- Eliminated lots of redundant and unnecessary code.
- Other reliability improvements and bug fixes.
- Removed the error message that displays in the installers when `wuaueng.dll` is below the minimum supported version, and added an internal check that will skip the patching procedure if the version of `wuaueng.dll` is too low. **This means you can now safely install wufuc prior to any updates, and it will automatically start working once it's needed, without any potential side effects.** (fixes #99)
- Added `/UNATTENDED` flag to the batch installer and uninstaller. You can use this to bypass the confirmation for a fully automated installation/uninstallation. To use it, you invoke the batch script from an elevated command prompt, like so: `"wufuc_installer.bat" /UNATTENDED`
- Improved logging framework to allow multiple processes to safely write to the same `.log` file.

.gitignore

@@ -1,3 +1,261 @@
-*.exe
-*.rar
-*.zip
+## Ignore Visual Studio temporary files, build results, and
+## files generated by popular Visual Studio add-ons.
+
+# User-specific files
+*.suo
+*.user
+*.userosscache
+*.sln.docstates
+
+# User-specific files (MonoDevelop/Xamarin Studio)
+*.userprefs
+
+# Build results
+[Dd]ebug/
+[Dd]ebugPublic/
+[Rr]elease/
+[Rr]eleases/
+x64/
+x86/
+bld/
+[Bb]in/
+[Oo]bj/
+[Ll]og/
+
+# Visual Studio 2015 cache/options directory
+.vs/
+# Uncomment if you have tasks that create the project's static files in wwwroot
+#wwwroot/
+
+# MSTest test Results
+[Tt]est[Rr]esult*/
+[Bb]uild[Ll]og.*
+
+# NUNIT
+*.VisualState.xml
+TestResult.xml
+
+# Build Results of an ATL Project
+[Dd]ebugPS/
+[Rr]eleasePS/
+dlldata.c
+
+# DNX
+project.lock.json
+artifacts/
+
+*_i.c
+*_p.c
+*_i.h
+*.ilk
+*.meta
+*.obj
+*.pch
+*.pdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*.log
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.svclog
+*.scc
+
+# Chutzpah Test files
+_Chutzpah*
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opendb
+*.opensdf
+*.sdf
+*.cachefile
+*.VC.db
+*.VC.VC.opendb
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+*.sap
+
+# TFS 2012 Local Workspace
+$tf/
+
+# Guidance Automation Toolkit
+*.gpState
+
+# ReSharper is a .NET coding add-in
+_ReSharper*/
+*.[Rr]e[Ss]harper
+*.DotSettings.user
+
+# JustCode is a .NET coding add-in
+.JustCode
+
+# TeamCity is a build add-in
+_TeamCity*
+
+# DotCover is a Code Coverage Tool
+*.dotCover
+
+# NCrunch
+_NCrunch_*
+.*crunch*.local.xml
+nCrunchTemp_*
+
+# MightyMoose
+*.mm.*
+AutoTest.Net/
+
+# Web workbench (sass)
+.sass-cache/
+
+# Installshield output folder
+[Ee]xpress/
+
+# DocProject is a documentation generator add-in
+DocProject/buildhelp/
+DocProject/Help/*.HxT
+DocProject/Help/*.HxC
+DocProject/Help/*.hhc
+DocProject/Help/*.hhk
+DocProject/Help/*.hhp
+DocProject/Help/Html2
+DocProject/Help/html
+
+# Click-Once directory
+publish/
+
+# Publish Web Output
+*.[Pp]ublish.xml
+*.azurePubxml
+# TODO: Comment the next line if you want to checkin your web deploy settings
+# but database connection strings (with potential passwords) will be unencrypted
+*.pubxml
+*.publishproj
+
+# Microsoft Azure Web App publish settings. Comment the next line if you want to
+# checkin your Azure Web App publish settings, but sensitive information contained
+# in these scripts will be unencrypted
+PublishScripts/
+
+# NuGet Packages
+*.nupkg
+# The packages folder can be ignored because of Package Restore
+**/packages/*
+# except build/, which is used as an MSBuild target.
+!**/packages/build/
+# Uncomment if necessary however generally it will be regenerated when needed
+#!**/packages/repositories.config
+# NuGet v3's project.json files produces more ignoreable files
+*.nuget.props
+*.nuget.targets
+
+# Microsoft Azure Build Output
+csx/
+*.build.csdef
+
+# Microsoft Azure Emulator
+ecf/
+rcf/
+
+# Windows Store app package directories and files
+AppPackages/
+BundleArtifacts/
+Package.StoreAssociation.xml
+_pkginfo.txt
+
+# Visual Studio cache files
+# files ending in .cache can be ignored
+*.[Cc]ache
+# but keep track of directories ending in .cache
+!*.[Cc]ache/
+
+# Others
+ClientBin/
+~$*
+*~
+*.dbmdl
+*.dbproj.schemaview
+*.pfx
+*.publishsettings
+node_modules/
+orleans.codegen.cs
+
+# Since there are multiple workflows, uncomment next line to ignore bower_components
+# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
+#bower_components/
+
+# RIA/Silverlight projects
+Generated_Code/
+
+# Backup & report files from converting an old project file
+# to a newer Visual Studio version. Backup files are not needed,
+# because we have git ;-)
+_UpgradeReport_Files/
+Backup*/
+UpgradeLog*.XML
+UpgradeLog*.htm
+
+# SQL Server files
+*.mdf
+*.ldf
+
+# Business Intelligence projects
+*.rdl.data
+*.bim.layout
+*.bim_*.settings
+
+# Microsoft Fakes
+FakesAssemblies/
+
+# GhostDoc plugin setting file
+*.GhostDoc.xml
+
+# Node.js Tools for Visual Studio
+.ntvs_analysis.dat
+
+# Visual Studio 6 build log
+*.plg
+
+# Visual Studio 6 workspace options file
+*.opt
+
+# Visual Studio LightSwitch build output
+**/*.HTMLClient/GeneratedArtifacts
+**/*.DesktopClient/GeneratedArtifacts
+**/*.DesktopClient/ModelManifest.xml
+**/*.Server/GeneratedArtifacts
+**/*.Server/ModelManifest.xml
+_Pvt_Extensions
+
+# Paket dependency manager
+.paket/paket.exe
+paket-files/
+
+# FAKE - F# Make
+.fake/
+
+# JetBrains Rider
+.idea/
+*.sln.iml
+
+# Advanced Installer
+**/*-cache/
+**/*-SetupFiles/
+**/*.back.aip
+
+# Other
+wufuc_setup_bat/*.dll
+wufuc_setup_bat/*.zip

CONTRIBUTING.md

@@ -0,0 +1,22 @@
+# Contributing guidelines
+
+**English** | [русский](../../wiki/CONTRIBUTING-(русский)) | [Français](../../wiki/CONTRIBUTING-(Français)) | [Deutsch](../../wiki/CONTRIBUTING-(Deutsch)) | [Magyar](../../wiki/CONTRIBUTING-(Magyar)) | [Português Brasileiro](../../wiki/CONTRIBUTING-(Português-Brasileiro)) | [Italiano](../../wiki/CONTRIBUTING-(Italiano))
+
+## Reporting an issue [![](https://isitmaintained.com/badge/resolution/zeffy/wufuc.svg)](https://isitmaintained.com/project/zeffy/wufuc)
+
+#### Before you create an issue, please make sure of the following:
+
+- Are you using at least the [latest stable version](../../releases/latest)?
+- Have you tried restarting your computer?
+
+#### After you've confirmed those things, please create an issue and include the following information:
+
+- Navigate to where you installed wufuc, and attach all the `*.log` files to your issue.
+- What build are you using? Stable release or unstable AppVeyor builds?
+- What is the file version and/or SHA-1 hash of `C:\Windows\System32\wuaueng.dll`?
+- Any other information you feel is relevant to your issue.
+
+## Closure policy
+
+- Issues that don't have the information requested above (when applicable) will be closed immediately and the poster directed to the contributing guidelines.
+- Issues that go a week without a response from original poster are subject to closure at my discretion.

DONATIONS.md

@@ -0,0 +1,6 @@
+# Donations
+
+Thanks for showing an interest in donating to the development of wufuc!
+While any support is very highly appreciated please keep in mind that donating will not guarantee you better support or other perks, just a warm fuzzy feeling knowing you really helped me out. :)
+
+### Sorry, I'm currently in the process of moving to a new donation platform, please check back again in a few days!

LICENSE

@@ -0,0 +1,674 @@
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.  We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors.  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights.  Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received.  You must make sure that they, too, receive
+or can get the source code.  And you must show them these terms so they
+know their rights.
+
+  Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+  For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software.  For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+  Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so.  This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software.  The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable.  Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products.  If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+  Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary.  To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Use with the GNU Affero General Public License.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU Affero General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    {one line to give the program's name and a brief idea of what it does.}
+    Copyright (C) {year}  {name of author}
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+    {project}  Copyright (C) {year}  {fullname}
+    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, your program's commands
+might be different; for a GUI interface, you would use an "about box".
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU GPL, see
+<http://www.gnu.org/licenses/>.
+
+  The GNU General Public License does not permit incorporating your program
+into proprietary programs.  If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.  But first, please read
+<http://www.gnu.org/philosophy/why-not-lgpl.html>.

README.md

@@ -1,100 +1,101 @@
-### [Click here if you are looking for the latest patch files!](https://github.com/zeffy/kb4012218-19/releases)
+# wufuc [![](https://ci.appveyor.com/api/projects/status/0s2unkpokttyslf0?svg=true)](https://ci.appveyor.com/project/zeffy/wufuc) [![](https://isitmaintained.com/badge/resolution/zeffy/wufuc.svg)](https://isitmaintained.com/project/zeffy/wufuc)
 
----
+**English** | [русский](../../wiki/README-(русский)) | [Français](../../wiki/README-(Français)) | [Deutsch](../../wiki/README-(Deutsch)) | [Magyar](../../wiki/README-(Magyar)) | [Português Brasileiro](../../wiki/README-(Português-Brasileiro)) | [Italiano](../../wiki/README-(Italiano))
 
-### [Click here for a list of Windows updates supported by this patch](docs/Supported_Updates.md)
+Disables the "Unsupported Hardware" message in Windows Update, and allows you to continue installing updates on Windows 7 and 8.1 systems with Intel Kaby Lake, AMD Ryzen, or other unsupported processors.
 
----
+## Downloads [![](https://img.shields.io/github/downloads/zeffy/wufuc/total.svg)](../../releases)
+
+- [**Click here for the latest stable version**](../../releases/latest)
+
+- [~~Unstable builds~~](https://ci.appveyor.com/project/zeffy/wufuc) **Discontinued until AppVeyor adds WDK support for Visual Studio 2017 ([appveyor/ci#1554](https://github.com/appveyor/ci/issues/1554))**
 
 ## Preface
 
-After reading [this article on gHacks](https://www.ghacks.net/2017/03/22/kb4012218-kb4012219-windows-update-processor-generation-detection/), I was inspired to look into these new rollup updates that Microsoft released on March 16. Among other things included in these updates, the changelog mentions the following:
+The changelog for Windows updates KB4012218 and KB4012219 included the following:
 
 > Enabled detection of processor generation and hardware support when PC tries to scan or download updates through Windows Update.
 
-Which is essentially a giant middle finger to anyone who dare not "upgrade" to the steaming pile of garbage known as Windows 10.
+These updates marked the implementation of a [policy change](https://blogs.windows.com/windowsexperience/2016/01/15/windows-10-embracing-silicon-innovation/) they announced some time ago, where Microsoft stated that they would not be supporting Windows 7 or 8.1 on next-gen Intel, AMD and Qualcomm processors.
+This was essentially a big middle finger to anyone who decides to not "upgrade" to the steaming pile of :shit: known as Windows 10, especially considering the extended support periods for Windows 7 and 8.1 won't be ending until January 4, 2020 and January 10, 2023 respectively.
 
-There have even been people with Intel and AMD systems from 2015 who have allegedly been locked out of Windows Update because of these updates!
+## Some people with older Intel and AMD processors are also affected!
+
+I've received user reports of the following CPUs all being blocked from receiving updates:
+
+- [Intel Atom Z530](../../issues/7)
+- [Intel Atom D525](../../issues/34)
+- [Intel Core i5-M 560](../../issues/23)
+- [Intel Core i5-4300M](../../issues/24)
+- [Intel Pentium B940](../../issues/63)
+- [AMD FX-8350](../../issues/32)
+- [AMD Turion 64 Mobile Technology ML-34](../../issues/80)
 
 ## Bad Microsoft!
 
-I started by downloading the `.msu` package for my system (in my case, it was `windows6.1-kb4012218-x64_590943c04550a47c1ed02d3a040d325456f03663.msu`)
+If you are interested, you can read my original write up on discovering the CPU check [here](../../tree/old-kb4012218-19).
 
-I extracted it using the command line `expand` tool:
+## Features
 
-```bat
-md "windows6.1-kb4012218-x64"
-expand -f:* ".\windows6.1-kb4012218-x64_590943c04550a47c1ed02d3a040d325456f03663.msu" ".\windows6.1-kb4012218-x64"
-cd ".\windows6.1-kb4012218-x64"
-md "Windows6.1-KB4012218-x64"
-expand -f:* ".\Windows6.1-KB4012218-x64.cab" ".\Windows6.1-KB4012218-x64"
-```
+- Enables Windows Update on PCs with unsupported processors.
+- Written in C, the best programming language. :sunglasses:
+- Completely free (as in freedom) software.
+- Does not modify any system files.
+- Byte pattern-based patching, which means it will usually keep working even after new updates come out.
+- Absolutely zero dependencies.
 
-Great, now there's thousands of files to sort through! Just kidding. Sort of. Maybe. :thinking:
+## How it works
 
-I ended up using PowerShell to sort through and filter out all the binaries that weren't related to Windows Update, like so:
+Basically, inside a system file called `wuaueng.dll` there are two functions responsible for the CPU check: `IsDeviceServiceable(void)` and `IsCPUSupported(void)`. 
+`IsDeviceServiceable` simply calls `IsCPUSupported` once, and then re-uses the result that it receives on subsequent calls.
+My patch takes advantage of this behavior by patching a couple of boolean values and basically making Windows Update think that it has already checked your processor, and the result was that it is indeed supported.
 
-```powershell
-Get-ChildItem -Filter "wu*" -Exclude "*.mui" -Recurse | ForEach-Object { $_.FullName }
-```
+- The installer registers wufuc as a custom Application Verifier provider.
+- When a `svchost.exe` process starts, the Windows PE loader automatically loads wufuc into its virtual address space.
+- After that, wufuc will then check the command line of the process it was loaded into, then install some API hooks when appropriate:
+    * `LoadLibraryExW` hook will automatically patch `wuaueng.dll` as soon as it is loaded.
+    * `RegQueryValueExW` hook is necessary to provide compatibility with attempts by other third-parties at bypassing the CPU check. (see issue [#100](../../issues/100))
+- If wufuc gets loaded by a `svchost.exe` process that isn't related to Windows Update, it goes into a dormant state and no hooks are applied.
 
-That narrowed it down to 14 files, excellent!
+## How to deploy wufuc using Group Policy
 
-Next, I started comparing these binaries with the ones already on my system with [BinDiff] and [Diaphora]. I eventually got to `wuaueng.dll`, which turned up quite a few interesting new functions:
+[There is a tutorial on the Advanced Installer website that explains how to do this](http://www.advancedinstaller.com/user-guide/tutorial-gpo.html).
 
-EA | Name | Basicblock | Instructions | Edges 
--- | ---- | ---------- | ------------ | -----
-`00000600001DCB9C` | ``CWUTelemetryDownloadCanceledEvent::FireAsimovEvent(void)`` | 36 | 446 | 53
-`00000600001D8F98` | ``CWUTelemetryDownloadCanceledEvent::`scalar deleting destructor'(uint)`` | 3 | 15 | 3
-`00000600001D8FD0` | ``CWUTelemetryDownloadEvent::CWUTelemetryDownloadEvent(void)`` | 1 | 58 | 0
-`00000600001DAEDC` | ``CWUTelemetryDownloadEvent::Init(CReporter *,long,long,ushort const *,long,_GUID,_GUID,CReportingOptionalValues &,AsimovDataInAddition *)`` | 6 | 50 | 8
-`00000600001DAFB8` | ``CWUTelemetryDownloadEvent::InitializeMemebersFromOptionalData(tagOptionalData *)`` | 27 | 91 | 40
-`00000600001D9100` | ``CWUTelemetryDownloadEvent::~CWUTelemetryDownloadEvent(void)`` | 2 | 60 | 1
-`00000600001DC2C4` | ``CWUTelemetryDownloadFailedEvent::FireAsimovEvent(void)`` | 36 | 446 | 53
-`00000600001DB114` | ``CWUTelemetryDownloadStartedEvent::FireAsimovEvent(void)`` | 36 | 446 | 53
-`00000600001DB9EC` | ``CWUTelemetryDownloadSucceededEvent::FireAsimovEvent(void)`` | 36 | 446 | 53
-`00000600001D8C48` | ``CWUTelemetryEventFactory::FireTelemetryEvent(CReporter *,long,long,ushort const *,long,_GUID,_GUID,CReportingOptionalValues &,AsimovDataInAddition *)`` | 11 | 76 | 17
-`00000600001D8574` | ``CWUTelemetryEventFactory::GetTelemetryEvent(CReporter *,long,long,ushort const *,long,_GUID,_GUID,CReportingOptionalValues &,AsimovDataInAddition *,CWUTelemetryEvent * *)`` | 77 | 395 | 127
-`00000600001DEE7C` | ``CWUTelemetryInstallCanceledEvent::FireAsimovEvent(void)`` | 34 | 409 | 50
-`00000600001D8DD4` | ``CWUTelemetryInstallEvent::CWUTelemetryInstallEvent(void)`` | 1 | 57 | 0
-`00000600001DD474` | ``CWUTelemetryInstallEvent::Init(CReporter *,long,long,ushort const *,long,_GUID,_GUID,CReportingOptionalValues &,AsimovDataInAddition *)`` | 6 | 50 | 8
-`00000600001DD550` | ``CWUTelemetryInstallEvent::InitializeMemebersFromOptionalData(tagOptionalData *)`` | 23 | 81 | 34
-`00000600001D8EFC` | ``CWUTelemetryInstallEvent::~CWUTelemetryInstallEvent(void)`` | 2 | 66 | 1
-`00000600001DE67C` | ``CWUTelemetryInstallFailedEvent::FireAsimovEvent(void)`` | 34 | 409 | 50
-`00000600001DF67C` | ``CWUTelemetryInstallRebootPendingEvent::FireAsimovEvent(void)`` | 34 | 409 | 50
-`00000600001D8D9C` | ``CWUTelemetryInstallRebootPendingEvent::`scalar deleting destructor'(uint)`` | 3 | 15 | 3
-`00000600001DD67C` | ``CWUTelemetryInstallStartedEvent::FireAsimovEvent(void)`` | 34 | 409 | 50
-`00000600001DDE7C` | ``CWUTelemetryInstallSucceededEvent::FireAsimovEvent(void)`` | 34 | 409 | 50
-`00000600001CAE68` | ``CWUTelemetryScanFailedEvent::FireAsimovEvent(void)`` | 31 | 416 | 46
-`00000600001CA100` | ``CWUTelemetryScanRetryEvent::FireAsimovEvent(void)`` | 9 | 108 | 13
-`00000600001CA588` | ``CWUTelemetryScanSucceededEvent::FireAsimovEvent(void)`` | 47 | 459 | 73
-`00000600001CB790` | ``CWUTelemetryUnsupportedSystemClickSupportEvent::FireAsimovEvent(void)`` | 5 | 22 | 7
-`00000600001CB9B0` | ``CWUTelemetryUnsupportedSystemClickSupportEvent::`scalar deleting destructor'(uint)`` | 3 | 17 | 3
-`00000600001CB7FC` | ``CWUTelemetryUnsupportedSystemDetectionEvent::FireAsimovEvent(void)`` | 5 | 22 | 7
-`00000600001CB970` | ``CWUTelemetryUnsupportedSystemDetectionEvent::`scalar deleting destructor'(uint)`` | 3 | 17 | 3
-`00000600001CB724` | ``CWUTelemetryUnsupportedSystemNotificationDismissEvent::FireAsimovEvent(void)`` | 5 | 22 | 7
-`00000600001CB9F0` | ``CWUTelemetryUnsupportedSystemNotificationDismissEvent::`scalar deleting destructor'(uint)`` | 3 | 17 | 3
-`00000600001CB6B8` | ``CWUTelemetryUnsupportedSystemNotificationShowEvent::FireAsimovEvent(void)`` | 5 | 22 | 7
-`00000600001CBA30` | ``CWUTelemetryUnsupportedSystemNotificationShowEvent::`scalar deleting destructor'(uint)`` | 3 | 17 | 3
-**`0000060000102F08`** | **``IsCPUSupported(void)``** | **20** | **157** | **31**
-**`00000600000AF3C0`** | **``IsDeviceServiceable(void)``** | **7** | **31** | **8**
-`00000600000832CC` | ``TraceLoggingEnableForTelemetry(_TlgProvider_t const *)`` | 16 | 86 | 23
-`0000060000083210` | ``TraceLoggingSetInformation(_TlgProvider_t const *,_EVENT_INFO_CLASS,void *,ulong)`` | 6 | 50 | 8
+## How to use unattended feature in the batch setup scripts
 
-We have found culprits, [`IsDeviceServiceable(void)`](https://gist.github.com/zeffy/e5ec266952932bc905eb0cbc6ed72185) and [`IsCPUSupported(void)`](https://gist.github.com/zeffy/1a8f8984d2bec97ae24af63a76278694)!
+`install_wufuc.bat` and `uninstall_wufuc.bat` both support two command line parameters that can be used alone, or combined to change the behavior of the scripts:
 
-## Solutions
+- `/NORESTART` - Automatically declines rebooting after the setup finishes.
+- `/UNATTENDED` - Skips all prompts for user interaction, and automatically restarts unless `/NORESTART` is also specified.
 
-`IsCPUSupported(void)` is only ever called by `IsDeviceServiceable(void)`, which is called by a few other functions. Luckily, there are a couple easy ways to kill this CPU check.
+These must be used from an elevated command line prompt.
 
-1. Patch `wuaueng.dll` and change `dword_600002EE948` (see [this line](https://gist.github.com/zeffy/e5ec266952932bc905eb0cbc6ed72185#file-isdeviceserviceable-c-L7)) which is at file offset `0x26C948`, from `0x01` to `0x00`. This makes `IsDeviceServiceable(void)` jump over its entire body and return 1 (supported CPU) immediately. This is my preferred method. **Note: this offset is only for the KB4012218-x64, for a list of all the patch offsets [click here](docs/Patch_Offsets.md).**
+## What to do if you get stuck on a black screen with just a cursor after the Windows boot animation
 
-2. Patch `wuaueng.dll` and `nop` out all the instructions highlighted [here](https://gist.github.com/zeffy/e5ec266952932bc905eb0cbc6ed72185#file-isdeviceserviceable-asm-L24-L26) in `IsDeviceServiceable(void)`, this will enable the usage of the `ForceUnsupportedCPU` of type `REG_DWORD` under the registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Test\Scan` (you will most likely have to create this registry key). Set this value to `0x00000001` to force unsupported CPUs, and back to `0x00000000` to change the behaviour back to default. You will probably need to restart your PC or restart the `wuauserv` service in order for changes to apply. **This behaviour is an internal test feature used by Microsoft and could be removed in future updates, so I will not be providing xdelta files for it.**
+This will happen if wufuc somehow manages to crash the `svchost.exe` process that is responsible for displaying the login screen.
+Normally this should **never ever** happen, because wufuc goes dormant in `svchost.exe` processes that are unrelated to Windows Update.
+I have only encountered this during development with very unstable code, or by causing it intentionally.
 
-## Caveats
+However, just in case this does happen to someone, here is how to fix it:
 
-- You have to apply a new patch whenever `wuaueng.dll` gets updated.
-- SFC scan errors will most likely occur as it will believe the integrity of the system has been compromised.
+1. [Boot into Safe Mode with Command Prompt](https://support.microsoft.com/en-us/help/17419/windows-7-advanced-startup-options-safe-mode).
+2. In the command prompt type `regedit` and press enter.
+3. Navigate to the key `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options`
+4. Expand the `Image File Execution Options` tree.
+5. Locate the `svchost.exe` sub key, right-click it and press **Delete**.
+6. Reboot.
+7. You should be able to log in normally again.
+8. **If this happens to you, please report it in the issues tab so I can try to figure out what is causing the crash!**
 
-[BinDiff]: https://www.zynamics.com/software.html
-[Diaphora]: http://diaphora.re
+## Sponsors
+
+### [Advanced Installer](http://www.advancedinstaller.com/)
+
+The installer packages are created with Advanced Installer using an [open source license](http://www.advancedinstaller.com/free-license.html). 
+Advanced Installer's intuitive and friendly user interface allowed me to quickly create a feature complete installer with minimal effort. [Check it out!](http://www.advancedinstaller.com/)
+
+## Special thanks
+
+- Alex Ionescu ([@ionescu007](https://github.com/ionescu007)) for his [_"Hooking Nirvana"_ presentation at REcon 2015](https://www.youtube.com/watch?v=bqU0y4FzvT0) and its corresponding [repository of example code](https://github.com/ionescu007/HookingNirvana).
+- Wen Jia Liu ([@wj32](https://github.com/wj32)) for his awesome program [Process Hacker](https://github.com/processhacker2/processhacker) which has been absolutely instrumental in the development of wufuc, and also for his [`phnt`](https://github.com/processhacker2/processhacker/tree/master/phnt) headers.
+- Duncan Ogilvie ([@mrexodia](https://github.com/mrexodia)) for his [`patternfind.cpp`](https://github.com/x64dbg/x64dbg/blob/development/src/dbg/patternfind.cpp) algorithm from [x64dbg](https://github.com/x64dbg/x64dbg).

appveyor.yml

@@ -0,0 +1,36 @@
+version: 0.8.0.{build}
+skip_commits:
+  files:
+    - '**/*.md'
+    - '**/*.aip'
+image: Visual Studio 2017
+configuration: Release
+platform:
+  - x86
+  - x64
+build:
+  verbosity: minimal
+before_build:
+- cmd: >-
+    set "BUILD_COMMIT_VERSION=%APPVEYOR_BUILD_VERSION%-%APPVEYOR_REPO_COMMIT:~0,8%"
+
+    set "BUILD_VERSION_COMMA=%APPVEYOR_BUILD_VERSION:.=,%"
+
+    set "BUILD_ZIPFILE=%APPVEYOR_BUILD_FOLDER%\%APPVEYOR_PROJECT_NAME%_v%BUILD_COMMIT_VERSION%_%PLATFORM%.zip"
+after_build:
+- cmd: >-
+    copy /Y "wufuc\bin\%CONFIGURATION%\%PLATFORM%\wufuc*.dll" "wufuc_setup_bat\"
+
+    copy /Y "LICENSE" "wufuc_setup_bat\COPYING.txt"
+    
+    cd "%APPVEYOR_BUILD_FOLDER%\wufuc_setup_bat"
+
+    for /R %%i in (*.txt) do unix2dos "%%i"
+    
+    for /R %%i in (*.bat) do unix2dos "%%i"
+    
+    7z a "%BUILD_ZIPFILE%" "..\wufuc_setup_bat"
+    
+    7z rn "%BUILD_ZIPFILE%" "wufuc_setup_bat" "%APPVEYOR_PROJECT_NAME%"
+artifacts:
+  - path: '*.zip'

docs/Patch_Offsets.md

@@ -1,14 +0,0 @@
-Hotfix ID | Architecture | wuaueng.dll version | File offset | Original value | Patched value
---------- | ------------ | ------------------- | ----------- | -------------- | -------------
-KB4012218 | x64 | 7.6.7601.23714 | `0x26C948` | `0x01` | `0x00`
-KB4012218 | x86 | 7.6.7601.23714 | `0x1E4638` | `0x01` | `0x00`
-KB4012219 | x64 | 7.9.9600.18621 | `0x34D3BC` | `0x01` | `0x00`
-KB4012219 | x86 | 7.9.9600.18621 | `0x2BFA50` | `0x01` | `0x00`
-KB4015546 and KB4015549 | x64 | 7.6.7601.23735 | `0x26C948` | `0x01` | `0x00`
-KB4015546 and KB4015549 | x86 | 7.6.7601.23735 | `0x1E4838` | `0x01` | `0x00`
-KB4015547 and KB4015550 | x64 | 7.9.9600.18628 | `0x34D5BC` | `0x01` | `0x00`
-KB4015547 and KB4015550 | x86 | 7.9.9600.18628 | `0x2BFA50` | `0x01` | `0x00`
-KB4015552 | x64 | 7.6.7601.23735 | `0x26C948` | `0x01` | `0x00`
-KB4015552 | x86 | 7.6.7601.23735 | `0x1E4838` | `0x01` | `0x00`
-KB4015553 | x64 | 7.9.9600.18628 | `0x34D5BC` | `0x01` | `0x00`
-KB4015553 | x86 | 7.9.9600.18628 | `0x2BFA50` | `0x01` | `0x00`

docs/Supported_Updates.md

@@ -1,35 +0,0 @@
-Title | Products | Classification | Last Updated | Version | Size
------ | -------- | -------------- | ------------ | ------- | ----
-March, 2017 Preview of Monthly Quality Rollup for Windows 7 ([KB4012218]) | Windows 7 | Updates | 3/16/2017 | n/a | 93.4 MB
-March, 2017 Preview of Monthly Quality Rollup for Windows 7 for x64-based Systems ([KB4012218]) | Windows 7 | Updates | 3/16/2017 | n/a | 153.9 MB
-March, 2017 Preview of Monthly Quality Rollup for Windows Server 2008 R2 x64 Edition ([KB4012218]) | Windows Server 2008 R2 | Updates | 3/16/2017 | n/a | 153.9 MB
-March, 2017 Preview of Monthly Quality Rollup for Windows 8.1 ([KB4012219]) | Windows 8.1 | Updates | 3/16/2017 | n/a | 121.2 MB
-March, 2017 Preview of Monthly Quality Rollup for Windows 8.1 for x64-based Systems ([KB4012219]) | Windows 8.1 | Updates | 3/16/2017 | n/a | 218.0 MB
-March, 2017 Preview of Monthly Quality Rollup for Windows Server 2012 R2 ([KB4012219]) | Windows Server 2012 R2 | Updates | 3/16/2017 | n/a | 218.0 MB
-April, 2017 Security Only Quality Update for Windows 7 ([KB4015546]) | Windows 7 | Security Updates | 4/8/2017 | n/a | 23.2 MB
-April, 2017 Security Only Quality Update for Windows 7 for x64-based Systems ([KB4015546]) | Windows 7 | Security Updates | 4/8/2017 | n/a | 37.5 MB
-April, 2017 Security Only Quality Update for Windows Server 2008 R2 for x64-based Systems ([KB4015546]) | Windows Server 2008 R2 | Security Updates | 4/8/2017 | n/a | 37.5 MB
-April, 2017 Security Only Quality Update for Windows 8.1 for x64-based Systems ([KB4015547]) | Windows 8.1 | Security Updates | 4/8/2017 | n/a | 15.6 MB
-April, 2017 Security Only Quality Update for Windows 8.1 ([KB4015547]) | Windows 8.1 | Security Updates | 4/8/2017 | n/a | 10.1 MB
-April, 2017 Security Only Quality Update for Windows Server 2012 R2 ([KB4015547]) | Windows Server 2012 R2 | Security Updates | 4/8/2017 | n/a | 15.6 MB
-April, 2017 Security Monthly Quality Rollup for Windows 7 for x64-based Systems ([KB4015549]) | Windows 7 | Security Updates | 4/8/2017 | n/a | 159.9 MB
-April, 2017 Security Monthly Quality Rollup for Windows Server 2008 R2 for x64-based Systems ([KB4015549]) | Windows Server 2008 R2 | Security Updates | 4/8/2017 | n/a | 159.9 MB
-April, 2017 Security Monthly Quality Rollup for Windows 7 ([KB4015549]) | Windows 7 | Security Updates | 4/8/2017 | n/a | 97.6 MB
-April, 2017 Security Monthly Quality Rollup for Windows 8.1 for x64-based Systems ([KB4015550]) | Windows 8.1 | Security Updates | 4/10/2017 | n/a | 220.9 MB
-April, 2017 Security Monthly Quality Rollup for Windows Server 2012 R2 ([KB4015550]) | Windows Server 2012 R2 | Security Updates | 4/10/2017 | n/a | 220.9 MB
-April, 2017 Security Monthly Quality Rollup for Windows 8.1 ([KB4015550]) | Windows 8.1 | Security Updates | 4/10/2017 | n/a | 122.4 MB
-April, 2017 Preview of Monthly Quality Rollup for Windows Server 2008 R2 x64 Edition ([KB4015552]) | Windows Server 2008 R2 | Updates | 4/13/2017 | n/a | 160.9 MB
-April, 2017 Preview of Monthly Quality Rollup for Windows 7 for x64-based Systems ([KB4015552]) | Windows 7 | Updates | 4/13/2017 | n/a | 160.9 MB
-April, 2017 Preview of Monthly Quality Rollup for Windows 7 ([KB4015552]) | Windows 7 | Updates | 4/13/2017 | n/a | 98.1 MB
-April, 2017 Preview of Monthly Quality Rollup for Windows Server 2012 R2 ([KB4015553]) | Windows Server 2012 R2 | Updates | 4/13/2017 | n/a | 224.0 MB
-April, 2017 Preview of Monthly Quality Rollup for Windows 8.1 ([KB4015553]) | Windows 8.1 | Updates | 4/13/2017 | n/a | 124.6 MB
-April, 2017 Preview of Monthly Quality Rollup for Windows 8.1 for x64-based Systems ([KB4015553]) | Windows 8.1 | Updates | 4/13/2017 | n/a | 224.0 MB
-
-[KB4012218]: https://www.catalog.update.microsoft.com/search.aspx?q=kb4012218
-[KB4012219]: https://www.catalog.update.microsoft.com/search.aspx?q=kb4012219
-[KB4015546]: https://www.catalog.update.microsoft.com/search.aspx?q=KB4015546
-[KB4015547]: https://www.catalog.update.microsoft.com/search.aspx?q=KB4015547
-[KB4015549]: https://www.catalog.update.microsoft.com/search.aspx?q=KB4015549
-[KB4015550]: https://www.catalog.update.microsoft.com/search.aspx?q=KB4015550
-[KB4015552]: https://www.catalog.update.microsoft.com/search.aspx?q=KB4015552
-[KB4015553]: https://www.catalog.update.microsoft.com/search.aspx?q=KB4015553

patch_scripts/aio/aio-wuaueng.dll-patch.bat

@@ -1,185 +0,0 @@
-@echo off
-
-net session >nul 2>&1 || (
-    echo This batch script requires administrator privileges. Right-click on
-    echo %~nx0 and select "Run as administrator".
-    goto :die
-)
-
-if not exist "%~dp0patches\" (
-    echo Patches folder not found! Make sure you extracted all the files from
-    echo the .zip, and the 'patches' folder is in the same location
-    echo as %~nx0, and try again.
-    goto :die
-)
-
-echo Checking system requirements...
-
-:check_bitness
-if /I "%PROCESSOR_ARCHITECTURE%"=="AMD64" (
-    goto :is_x64
-) else (
-    if /I "%PROCESSOR_ARCHITEW6432%"=="AMD64" (
-        goto :is_x64
-    )
-    if /I "%PROCESSOR_ARCHITECTURE%"=="x86" (
-        set "WINDOWS_BITNESS=x86"
-        set "XDELTA3_EXE=%~dp0xdelta3-3.0.11-i686.exe"
-        goto :find_xdelta
-    )
-)
-goto :unsupported
-
-:is_x64
-set "WINDOWS_BITNESS=x64"
-set "XDELTA3_EXE=%~dp0xdelta3-3.0.11-x86_64.exe"
-
-:find_xdelta
-echo.
-if not exist "%XDELTA3_EXE%" (
-    echo xdelta3 %WINDOWS_BITNESS% not found! Make sure you extracted all the files from
-    echo the .zip. Make sure both of the xdelta3 .exe files are in the same location
-    echo as %~nx0, and try again.
-    goto :die
-)
-
-wmic /output:stdout os get version | findstr "^6\.1\." >nul && (
-    set "WINDOWS_VER=6.1"
-    set "SUPPORTED_HOTFIXES=KB4015552 KB4015549 KB4015546 KB4012218"
-    echo Detected supported operating system: Windows 7 %WINDOWS_BITNESS%
-    goto :check_hotfix
-)
-wmic /output:stdout os get version | findstr "^6\.3\." >nul && (
-    set "WINDOWS_VER=8.1"
-    set "SUPPORTED_HOTFIXES=KB4015553 KB4015550 KB4015547 KB4012219"
-    echo Detected supported operating system: Windows 8.1 %WINDOWS_BITNESS%
-    goto :check_hotfix
-)
-
-:unsupported
-echo Detected that you are using an unsupported version of Windows.
-echo.
-echo This patch only works on the following versions:
-echo.
-echo - Windows 7 (x64 and x86)
-echo - Windows 8.1 (x64 and x86)
-echo - Windows Server 2008 R2
-echo - Windows Server 2012 R2
-goto :die
-
-:check_hotfix
-echo.
-for %%a in (%SUPPORTED_HOTFIXES%) do (
-    wmic /output:stdout qfe get hotfixid | find "%%a" >nul && (
-        set "INSTALLED_HOTFIX=%%a"
-        echo Detected installed supported update: %%a
-        goto :confirmation
-    )
-)
-
-echo Detected that no supported updates are installed! If you
-echo are getting unsupported hardware errors in Windows Update, please
-echo create an issue and post a list of any recently installed
-echo Windows updates that could have introduced it, and I will try
-echo to help you out.
-echo https://github.com/zeffy/kb4012218-19/issues
-goto :die
-
-:confirmation
-echo.
-echo This patch only works on the following versions of Windows:
-echo.
-echo - Windows 7 (x64 and x86)
-echo - Windows 8.1 (x64 and x86)
-echo - Windows Server 2008 R2 (reported as Windows 7 x64)
-echo - Windows Server 2012 R2 (reported as Windows 8.1 x64)
-echo.
-echo If you have another version of Windows, please close this window immediately.
-echo.
-echo By continuing, you acknowledge that you want to modify wuaueng.dll.
-echo.
-echo I take no responsibility if you somehow ruin your PC with this script.
-echo.
-set /p CONTINUE=Enter 'Y' if you understand, and still want to continue: 
-if /I not "%CONTINUE%"=="Y" goto :cancel
-
-:ask
-echo.
-echo Would you like to install the patch or uninstall it?
-echo.
-echo 1. Install
-echo 2. Uninstall
-echo.
-set /p CHOICE=Enter your choice: 
-if "%CHOICE%"=="1" (
-    set "PATCH_TYPE=patch"
-    goto :begin
-)
-if "%CHOICE%"=="2" (
-    set "PATCH_TYPE=unpatch"
-    goto :begin
-)
-echo Invalid choice, please try again...
-goto :ask
-
-:begin
-echo.
-set "DELTA_FILE=%~dp0patches\Windows%WINDOWS_VER%-%INSTALLED_HOTFIX%-%WINDOWS_BITNESS%-%PATCH_TYPE%.xdelta"
-set "SYSTEM32_DIR=%systemroot%\System32"
-set "WUAUENG_DLL=%SYSTEM32_DIR%\wuaueng.dll"
-
-for /f "delims=" %%a in ('wmic os get localdatetime ^| find "."') do set dt=%%a
-set "TIMESTAMP=%dt:~0,4%-%dt:~4,2%-%dt:~6,2%_%dt:~8,2%-%dt:~10,2%-%dt:~12,2%"
-set "BACKUP_FILE=%WUAUENG_DLL%_%TIMESTAMP%_%random%.bak"
-set "ACL_TEMP_FILE=%temp%\wuaueng.dll_acl_%TIMESTAMP%_%random%.txt"
-
-net stop wuauserv
-
-takeown /F "%WUAUENG_DLL%" /A
-icacls "%WUAUENG_DLL%" /save "%ACL_TEMP_FILE%"
-
-rem Administrators group SID
-icacls "%WUAUENG_DLL%" /grant *S-1-5-32-544:F
-move "%WUAUENG_DLL%" "%BACKUP_FILE%"
-
-"%XDELTA3_EXE%" -d -s "%BACKUP_FILE%" "%DELTA_FILE%" "%WUAUENG_DLL%"
-if errorlevel 1 (
-    set "THERE_WAS_AN_ERROR=%errorlevel%"
-    move /Y "%BACKUP_FILE%" "%WUAUENG_DLL%"
-)
-
-rem NT Service\TrustedInstaller SID
-icacls "%WUAUENG_DLL%" /setowner *S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
-icacls "%SYSTEM32_DIR%" /restore "%ACL_TEMP_FILE%"
-
-net start wuauserv
-
-echo.
-if defined THERE_WAS_AN_ERROR (
-    echo There was an error while %PATCH_TYPE%ing. Nothing has been modified. 
-    echo If you didn't screw with the script or anything like that and this
-    echo error was unexpected, please create an issue and include the output
-    echo of this window in your post.
-    echo https://github.com/zeffy/kb4012218-19/issues
-) else (
-    echo Successfully %PATCH_TYPE%ed!
-    echo If you want to revert the changes that have been made for whatever
-    echo reason, you can run this script again and pick the other option.
-    echo.
-    echo You can also manually restore the backup file located at 
-    echo '%BACKUP_FILE%' by renaming it 
-    echo back to wuaueng.dll, changing the owner back to "NT Service\TrustedInstaller", 
-    echo and restoring the original permissions from '%ACL_TEMP_FILE%'.
-)
-
-:die
-echo.
-echo Press any key to close . . .
-pause >nul
-exit
-
-:cancel
-echo.
-echo Canceled by user input, press any key to close . . .
-pause >nul
-exit

phnt/README.md

@@ -0,0 +1,24 @@
+This collection of Native API header files has been maintained since 2009 for the Process Hacker project, and is the most up-to-date set of Native API definitions that I know of. I have gathered these definitions from official Microsoft header files and symbol files, as well as a lot of reverse engineering and guessing. See `phnt.h` for more information.
+
+## Usage
+
+First make sure that your program is using the latest Windows SDK.
+
+These header files are designed to be used by user-mode programs. Instead of `#include <windows.h>`, place
+
+```
+#include <phnt_windows.h>
+#include <phnt.h>
+```
+
+at the top of your program. The first line provides access to the Win32 API as well as the `NTSTATUS` values. The second line provides access to the entire Native API. By default, only definitions present in Windows XP are included into your program. To change this, use one of the following:
+
+```
+#define PHNT_VERSION PHNT_WINXP // Windows XP
+#define PHNT_VERSION PHNT_WS03 // Windows Server 2003
+#define PHNT_VERSION PHNT_VISTA // Windows Vista
+#define PHNT_VERSION PHNT_WIN7 // Windows 7
+#define PHNT_VERSION PHNT_WIN8 // Windows 8
+#define PHNT_VERSION PHNT_WINBLUE // Windows 8.1
+#define PHNT_VERSION PHNT_THRESHOLD // Windows 10
+```

phnt/include/ntdbg.h

@@ -0,0 +1,271 @@
+#ifndef _NTDBG_H
+#define _NTDBG_H
+
+// Definitions
+
+typedef struct _DBGKM_EXCEPTION
+{
+    EXCEPTION_RECORD ExceptionRecord;
+    ULONG FirstChance;
+} DBGKM_EXCEPTION, *PDBGKM_EXCEPTION;
+
+typedef struct _DBGKM_CREATE_THREAD
+{
+    ULONG SubSystemKey;
+    PVOID StartAddress;
+} DBGKM_CREATE_THREAD, *PDBGKM_CREATE_THREAD;
+
+typedef struct _DBGKM_CREATE_PROCESS
+{
+    ULONG SubSystemKey;
+    HANDLE FileHandle;
+    PVOID BaseOfImage;
+    ULONG DebugInfoFileOffset;
+    ULONG DebugInfoSize;
+    DBGKM_CREATE_THREAD InitialThread;
+} DBGKM_CREATE_PROCESS, *PDBGKM_CREATE_PROCESS;
+
+typedef struct _DBGKM_EXIT_THREAD
+{
+    NTSTATUS ExitStatus;
+} DBGKM_EXIT_THREAD, *PDBGKM_EXIT_THREAD;
+
+typedef struct _DBGKM_EXIT_PROCESS
+{
+    NTSTATUS ExitStatus;
+} DBGKM_EXIT_PROCESS, *PDBGKM_EXIT_PROCESS;
+
+typedef struct _DBGKM_LOAD_DLL
+{
+    HANDLE FileHandle;
+    PVOID BaseOfDll;
+    ULONG DebugInfoFileOffset;
+    ULONG DebugInfoSize;
+    PVOID NamePointer;
+} DBGKM_LOAD_DLL, *PDBGKM_LOAD_DLL;
+
+typedef struct _DBGKM_UNLOAD_DLL
+{
+    PVOID BaseAddress;
+} DBGKM_UNLOAD_DLL, *PDBGKM_UNLOAD_DLL;
+
+typedef enum _DBG_STATE
+{
+    DbgIdle,
+    DbgReplyPending,
+    DbgCreateThreadStateChange,
+    DbgCreateProcessStateChange,
+    DbgExitThreadStateChange,
+    DbgExitProcessStateChange,
+    DbgExceptionStateChange,
+    DbgBreakpointStateChange,
+    DbgSingleStepStateChange,
+    DbgLoadDllStateChange,
+    DbgUnloadDllStateChange
+} DBG_STATE, *PDBG_STATE;
+
+typedef struct _DBGUI_CREATE_THREAD
+{
+    HANDLE HandleToThread;
+    DBGKM_CREATE_THREAD NewThread;
+} DBGUI_CREATE_THREAD, *PDBGUI_CREATE_THREAD;
+
+typedef struct _DBGUI_CREATE_PROCESS
+{
+    HANDLE HandleToProcess;
+    HANDLE HandleToThread;
+    DBGKM_CREATE_PROCESS NewProcess;
+} DBGUI_CREATE_PROCESS, *PDBGUI_CREATE_PROCESS;
+
+typedef struct _DBGUI_WAIT_STATE_CHANGE
+{
+    DBG_STATE NewState;
+    CLIENT_ID AppClientId;
+    union
+    {
+        DBGKM_EXCEPTION Exception;
+        DBGUI_CREATE_THREAD CreateThread;
+        DBGUI_CREATE_PROCESS CreateProcessInfo;
+        DBGKM_EXIT_THREAD ExitThread;
+        DBGKM_EXIT_PROCESS ExitProcess;
+        DBGKM_LOAD_DLL LoadDll;
+        DBGKM_UNLOAD_DLL UnloadDll;
+    } StateInfo;
+} DBGUI_WAIT_STATE_CHANGE, *PDBGUI_WAIT_STATE_CHANGE;
+
+// System calls
+
+#define DEBUG_READ_EVENT 0x0001
+#define DEBUG_PROCESS_ASSIGN 0x0002
+#define DEBUG_SET_INFORMATION 0x0004
+#define DEBUG_QUERY_INFORMATION 0x0008
+#define DEBUG_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \
+    DEBUG_READ_EVENT | DEBUG_PROCESS_ASSIGN | DEBUG_SET_INFORMATION | \
+    DEBUG_QUERY_INFORMATION)
+
+#define DEBUG_KILL_ON_CLOSE 0x1
+
+typedef enum _DEBUGOBJECTINFOCLASS
+{
+    DebugObjectFlags = 1,
+    MaxDebugObjectInfoClass
+} DEBUGOBJECTINFOCLASS, *PDEBUGOBJECTINFOCLASS;
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateDebugObject(
+    _Out_ PHANDLE DebugObjectHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _In_ ULONG Flags
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDebugActiveProcess(
+    _In_ HANDLE ProcessHandle,
+    _In_ HANDLE DebugObjectHandle
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDebugContinue(
+    _In_ HANDLE DebugObjectHandle,
+    _In_ PCLIENT_ID ClientId,
+    _In_ NTSTATUS ContinueStatus
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRemoveProcessDebug(
+    _In_ HANDLE ProcessHandle,
+    _In_ HANDLE DebugObjectHandle
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetInformationDebugObject(
+    _In_ HANDLE DebugObjectHandle,
+    _In_ DEBUGOBJECTINFOCLASS DebugObjectInformationClass,
+    _In_ PVOID DebugInformation,
+    _In_ ULONG DebugInformationLength,
+    _Out_opt_ PULONG ReturnLength
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtWaitForDebugEvent(
+    _In_ HANDLE DebugObjectHandle,
+    _In_ BOOLEAN Alertable,
+    _In_opt_ PLARGE_INTEGER Timeout,
+    _Out_ PVOID WaitStateChange
+    );
+
+// Debugging UI
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+DbgUiConnectToDbg(
+    VOID
+    );
+
+NTSYSAPI
+HANDLE
+NTAPI
+DbgUiGetThreadDebugObject(
+    VOID
+    );
+
+NTSYSAPI
+VOID
+NTAPI
+DbgUiSetThreadDebugObject(
+    _In_ HANDLE DebugObject
+    );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+DbgUiWaitStateChange(
+    _Out_ PDBGUI_WAIT_STATE_CHANGE StateChange,
+    _In_opt_ PLARGE_INTEGER Timeout
+    );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+DbgUiContinue(
+    _In_ PCLIENT_ID AppClientId,
+    _In_ NTSTATUS ContinueStatus
+    );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+DbgUiStopDebugging(
+    _In_ HANDLE Process
+    );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+DbgUiDebugActiveProcess(
+    _In_ HANDLE Process
+    );
+
+NTSYSAPI
+VOID
+NTAPI
+DbgUiRemoteBreakin(
+    _In_ PVOID Context
+    );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+DbgUiIssueRemoteBreakin(
+    _In_ HANDLE Process
+    );
+
+struct _DEBUG_EVENT;
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+DbgUiConvertStateChangeStructure(
+    _In_ PDBGUI_WAIT_STATE_CHANGE StateChange,
+    _Out_ struct _DEBUG_EVENT *DebugEvent
+    );
+
+struct _EVENT_FILTER_DESCRIPTOR;
+
+typedef VOID (NTAPI *PENABLECALLBACK)(
+    _In_ LPCGUID SourceId,
+    _In_ ULONG IsEnabled,
+    _In_ UCHAR Level,
+    _In_ ULONGLONG MatchAnyKeyword,
+    _In_ ULONGLONG MatchAllKeyword,
+    _In_opt_ struct _EVENT_FILTER_DESCRIPTOR *FilterData,
+    _Inout_opt_ PVOID CallbackContext
+    );
+
+typedef ULONGLONG REGHANDLE, *PREGHANDLE;
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+EtwEventRegister(
+    _In_ LPCGUID ProviderId,
+    _In_opt_ PENABLECALLBACK EnableCallback,
+    _In_opt_ PVOID CallbackContext,
+    _Out_ PREGHANDLE RegHandle
+    );
+
+#endif

phnt/include/ntgdi.h

@@ -0,0 +1,121 @@
+#ifndef _NTGDI_H
+#define _NTGDI_H
+
+#define GDI_MAX_HANDLE_COUNT 0x4000
+
+#define GDI_HANDLE_INDEX_SHIFT 0
+#define GDI_HANDLE_INDEX_BITS 16
+#define GDI_HANDLE_INDEX_MASK 0xffff
+
+#define GDI_HANDLE_TYPE_SHIFT 16
+#define GDI_HANDLE_TYPE_BITS 5
+#define GDI_HANDLE_TYPE_MASK 0x1f
+
+#define GDI_HANDLE_ALTTYPE_SHIFT 21
+#define GDI_HANDLE_ALTTYPE_BITS 2
+#define GDI_HANDLE_ALTTYPE_MASK 0x3
+
+#define GDI_HANDLE_STOCK_SHIFT 23
+#define GDI_HANDLE_STOCK_BITS 1
+#define GDI_HANDLE_STOCK_MASK 0x1
+
+#define GDI_HANDLE_UNIQUE_SHIFT 24
+#define GDI_HANDLE_UNIQUE_BITS 8
+#define GDI_HANDLE_UNIQUE_MASK 0xff
+
+#define GDI_HANDLE_INDEX(Handle) ((ULONG)(Handle) & GDI_HANDLE_INDEX_MASK)
+#define GDI_HANDLE_TYPE(Handle) (((ULONG)(Handle) >> GDI_HANDLE_TYPE_SHIFT) & GDI_HANDLE_TYPE_MASK)
+#define GDI_HANDLE_ALTTYPE(Handle) (((ULONG)(Handle) >> GDI_HANDLE_ALTTYPE_SHIFT) & GDI_HANDLE_ALTTYPE_MASK)
+#define GDI_HANDLE_STOCK(Handle) (((ULONG)(Handle) >> GDI_HANDLE_STOCK_SHIFT)) & GDI_HANDLE_STOCK_MASK)
+
+#define GDI_MAKE_HANDLE(Index, Unique) ((ULONG)(((ULONG)(Unique) << GDI_HANDLE_INDEX_BITS) | (ULONG)(Index)))
+
+// GDI server-side types
+
+#define GDI_DEF_TYPE 0 // invalid handle
+#define GDI_DC_TYPE 1
+#define GDI_DD_DIRECTDRAW_TYPE 2
+#define GDI_DD_SURFACE_TYPE 3
+#define GDI_RGN_TYPE 4
+#define GDI_SURF_TYPE 5
+#define GDI_CLIENTOBJ_TYPE 6
+#define GDI_PATH_TYPE 7
+#define GDI_PAL_TYPE 8
+#define GDI_ICMLCS_TYPE 9
+#define GDI_LFONT_TYPE 10
+#define GDI_RFONT_TYPE 11
+#define GDI_PFE_TYPE 12
+#define GDI_PFT_TYPE 13
+#define GDI_ICMCXF_TYPE 14
+#define GDI_ICMDLL_TYPE 15
+#define GDI_BRUSH_TYPE 16
+#define GDI_PFF_TYPE 17 // unused
+#define GDI_CACHE_TYPE 18 // unused
+#define GDI_SPACE_TYPE 19
+#define GDI_DBRUSH_TYPE 20 // unused
+#define GDI_META_TYPE 21
+#define GDI_EFSTATE_TYPE 22
+#define GDI_BMFD_TYPE 23 // unused
+#define GDI_VTFD_TYPE 24 // unused
+#define GDI_TTFD_TYPE 25 // unused
+#define GDI_RC_TYPE 26 // unused
+#define GDI_TEMP_TYPE 27 // unused
+#define GDI_DRVOBJ_TYPE 28
+#define GDI_DCIOBJ_TYPE 29 // unused
+#define GDI_SPOOL_TYPE 30
+
+// GDI client-side types
+
+#define GDI_CLIENT_TYPE_FROM_HANDLE(Handle) ((ULONG)(Handle) & ((GDI_HANDLE_ALTTYPE_MASK << GDI_HANDLE_ALTTYPE_SHIFT) | \
+    (GDI_HANDLE_TYPE_MASK << GDI_HANDLE_TYPE_SHIFT)))
+#define GDI_CLIENT_TYPE_FROM_UNIQUE(Unique) GDI_CLIENT_TYPE_FROM_HANDLE((ULONG)(Unique) << 16)
+
+#define GDI_ALTTYPE_1 (1 << GDI_HANDLE_ALTTYPE_SHIFT)
+#define GDI_ALTTYPE_2 (2 << GDI_HANDLE_ALTTYPE_SHIFT)
+#define GDI_ALTTYPE_3 (3 << GDI_HANDLE_ALTTYPE_SHIFT)
+
+#define GDI_CLIENT_BITMAP_TYPE (GDI_SURF_TYPE << GDI_HANDLE_TYPE_SHIFT)
+#define GDI_CLIENT_BRUSH_TYPE (GDI_BRUSH_TYPE << GDI_HANDLE_TYPE_SHIFT)
+#define GDI_CLIENT_CLIENTOBJ_TYPE (GDI_CLIENTOBJ_TYPE << GDI_HANDLE_TYPE_SHIFT)
+#define GDI_CLIENT_DC_TYPE (GDI_DC_TYPE << GDI_HANDLE_TYPE_SHIFT)
+#define GDI_CLIENT_FONT_TYPE (GDI_LFONT_TYPE << GDI_HANDLE_TYPE_SHIFT)
+#define GDI_CLIENT_PALETTE_TYPE (GDI_PAL_TYPE << GDI_HANDLE_TYPE_SHIFT)
+#define GDI_CLIENT_REGION_TYPE (GDI_RGN_TYPE << GDI_HANDLE_TYPE_SHIFT)
+
+#define GDI_CLIENT_ALTDC_TYPE (GDI_CLIENT_DC_TYPE | GDI_ALTTYPE_1)
+#define GDI_CLIENT_DIBSECTION_TYPE (GDI_CLIENT_BITMAP_TYPE | GDI_ALTTYPE_1)
+#define GDI_CLIENT_EXTPEN_TYPE (GDI_CLIENT_BRUSH_TYPE | GDI_ALTTYPE_2)
+#define GDI_CLIENT_METADC16_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_3)
+#define GDI_CLIENT_METAFILE_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_2)
+#define GDI_CLIENT_METAFILE16_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_1)
+#define GDI_CLIENT_PEN_TYPE (GDI_CLIENT_BRUSH_TYPE | GDI_ALTTYPE_1)
+
+typedef struct _GDI_HANDLE_ENTRY
+{
+    union
+    {
+        PVOID Object;
+        PVOID NextFree;
+    };
+    union
+    {
+        struct
+        {
+            USHORT ProcessId;
+            USHORT Lock : 1;
+            USHORT Count : 15;
+        };
+        ULONG Value;
+    } Owner;
+    USHORT Unique;
+    UCHAR Type;
+    UCHAR Flags;
+    PVOID UserPointer;
+} GDI_HANDLE_ENTRY, *PGDI_HANDLE_ENTRY;
+
+typedef struct _GDI_SHARED_MEMORY
+{
+    GDI_HANDLE_ENTRY Handles[GDI_MAX_HANDLE_COUNT];
+} GDI_SHARED_MEMORY, *PGDI_SHARED_MEMORY;
+
+#endif

phnt/include/ntkeapi.h

@@ -0,0 +1,165 @@
+#ifndef _NTKEAPI_H
+#define _NTKEAPI_H
+
+#if (PHNT_MODE != PHNT_MODE_KERNEL)
+#define LOW_PRIORITY 0 // Lowest thread priority level
+#define LOW_REALTIME_PRIORITY 16 // Lowest realtime priority level
+#define HIGH_PRIORITY 31 // Highest thread priority level
+#define MAXIMUM_PRIORITY 32 // Number of thread priority levels
+#endif
+
+typedef enum _KTHREAD_STATE
+{
+    Initialized,
+    Ready,
+    Running,
+    Standby,
+    Terminated,
+    Waiting,
+    Transition,
+    DeferredReady,
+    GateWaitObsolete,
+    WaitingForProcessInSwap,
+    MaximumThreadState
+} KTHREAD_STATE, *PKTHREAD_STATE;
+
+// private
+typedef enum _KHETERO_CPU_POLICY
+{
+    KHeteroCpuPolicyAll,
+    KHeteroCpuPolicyLarge,
+    KHeteroCpuPolicyLargeOrIdle,
+    KHeteroCpuPolicySmall,
+    KHeteroCpuPolicySmallOrIdle,
+    KHeteroCpuPolicyDynamic,
+    KHeteroCpuPolicyStaticMax,
+    KHeteroCpuPolicyBiasedSmall,
+    KHeteroCpuPolicyBiasedLarge,
+    KHeteroCpuPolicyDefault,
+    KHeteroCpuPolicyMax
+} KHETERO_CPU_POLICY, *PKHETERO_CPU_POLICY;
+
+#if (PHNT_MODE != PHNT_MODE_KERNEL)
+
+typedef enum _KWAIT_REASON
+{
+    Executive,
+    FreePage,
+    PageIn,
+    PoolAllocation,
+    DelayExecution,
+    Suspended,
+    UserRequest,
+    WrExecutive,
+    WrFreePage,
+    WrPageIn,
+    WrPoolAllocation,
+    WrDelayExecution,
+    WrSuspended,
+    WrUserRequest,
+    WrEventPair,
+    WrQueue,
+    WrLpcReceive,
+    WrLpcReply,
+    WrVirtualMemory,
+    WrPageOut,
+    WrRendezvous,
+    WrKeyedEvent,
+    WrTerminated,
+    WrProcessInSwap,
+    WrCpuRateControl,
+    WrCalloutStack,
+    WrKernel,
+    WrResource,
+    WrPushLock,
+    WrMutex,
+    WrQuantumEnd,
+    WrDispatchInt,
+    WrPreempted,
+    WrYieldExecution,
+    WrFastMutex,
+    WrGuardedMutex,
+    WrRundown,
+    WrAlertByThreadId,
+    WrDeferredPreempt,
+    MaximumWaitReason
+} KWAIT_REASON, *PKWAIT_REASON;
+
+typedef enum _KPROFILE_SOURCE
+{
+    ProfileTime,
+    ProfileAlignmentFixup,
+    ProfileTotalIssues,
+    ProfilePipelineDry,
+    ProfileLoadInstructions,
+    ProfilePipelineFrozen,
+    ProfileBranchInstructions,
+    ProfileTotalNonissues,
+    ProfileDcacheMisses,
+    ProfileIcacheMisses,
+    ProfileCacheMisses,
+    ProfileBranchMispredictions,
+    ProfileStoreInstructions,
+    ProfileFpInstructions,
+    ProfileIntegerInstructions,
+    Profile2Issue,
+    Profile3Issue,
+    Profile4Issue,
+    ProfileSpecialInstructions,
+    ProfileTotalCycles,
+    ProfileIcacheIssues,
+    ProfileDcacheAccesses,
+    ProfileMemoryBarrierCycles,
+    ProfileLoadLinkedIssues,
+    ProfileMaximum
+} KPROFILE_SOURCE;
+
+#endif
+
+#if (PHNT_MODE != PHNT_MODE_KERNEL)
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCallbackReturn(
+    _In_reads_bytes_opt_(OutputLength) PVOID OutputBuffer,
+    _In_ ULONG OutputLength,
+    _In_ NTSTATUS Status
+    );
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+VOID
+NTAPI
+NtFlushProcessWriteBuffers(
+    VOID
+    );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryDebugFilterState(
+    _In_ ULONG ComponentId,
+    _In_ ULONG Level
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetDebugFilterState(
+    _In_ ULONG ComponentId,
+    _In_ ULONG Level,
+    _In_ BOOLEAN State
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtYieldExecution(
+    VOID
+    );
+
+#endif
+
+#endif

phnt/include/ntldr.h

@@ -0,0 +1,589 @@
+#ifndef _NTLDR_H
+#define _NTLDR_H
+
+#if (PHNT_MODE != PHNT_MODE_KERNEL)
+
+// DLLs
+
+// symbols
+typedef struct _LDR_SERVICE_TAG_RECORD
+{
+    struct _LDR_SERVICE_TAG_RECORD *Next;
+    ULONG ServiceTag;
+} LDR_SERVICE_TAG_RECORD, *PLDR_SERVICE_TAG_RECORD;
+
+// symbols
+typedef struct _LDRP_CSLIST
+{
+    PSINGLE_LIST_ENTRY Tail;
+} LDRP_CSLIST, *PLDRP_CSLIST;
+
+// symbols
+typedef enum _LDR_DDAG_STATE
+{
+    LdrModulesMerged = -5,
+    LdrModulesInitError = -4,
+    LdrModulesSnapError = -3,
+    LdrModulesUnloaded = -2,
+    LdrModulesUnloading = -1,
+    LdrModulesPlaceHolder = 0,
+    LdrModulesMapping = 1,
+    LdrModulesMapped = 2,
+    LdrModulesWaitingForDependencies = 3,
+    LdrModulesSnapping = 4,
+    LdrModulesSnapped = 5,
+    LdrModulesCondensed = 6,
+    LdrModulesReadyToInit = 7,
+    LdrModulesInitializing = 8,
+    LdrModulesReadyToRun = 9
+} LDR_DDAG_STATE;
+
+// symbols
+typedef struct _LDR_DDAG_NODE
+{
+    LIST_ENTRY Modules;
+    PLDR_SERVICE_TAG_RECORD ServiceTagList;
+    ULONG LoadCount;
+    ULONG LoadWhileUnloadingCount;
+    ULONG LowestLink;
+    union
+    {
+        LDRP_CSLIST Dependencies;
+        SINGLE_LIST_ENTRY RemovalLink;
+    };
+    LDRP_CSLIST IncomingDependencies;
+    LDR_DDAG_STATE State;
+    SINGLE_LIST_ENTRY CondenseLink;
+    ULONG PreorderNumber;
+} LDR_DDAG_NODE, *PLDR_DDAG_NODE;
+
+// rev
+typedef struct _LDR_DEPENDENCY_RECORD
+{
+    SINGLE_LIST_ENTRY DependencyLink;
+    PLDR_DDAG_NODE DependencyNode;
+    SINGLE_LIST_ENTRY IncomingDependencyLink;
+    PLDR_DDAG_NODE IncomingDependencyNode;
+} LDR_DEPENDENCY_RECORD, *PLDR_DEPENDENCY_RECORD;
+
+// symbols
+typedef enum _LDR_DLL_LOAD_REASON
+{
+    LoadReasonStaticDependency,
+    LoadReasonStaticForwarderDependency,
+    LoadReasonDynamicForwarderDependency,
+    LoadReasonDelayloadDependency,
+    LoadReasonDynamicLoad,
+    LoadReasonAsImageLoad,
+    LoadReasonAsDataLoad,
+    LoadReasonUnknown = -1
+} LDR_DLL_LOAD_REASON, *PLDR_DLL_LOAD_REASON;
+
+#define LDRP_PACKAGED_BINARY 0x00000001
+#define LDRP_IMAGE_DLL 0x00000004
+#define LDRP_LOAD_IN_PROGRESS 0x00001000
+#define LDRP_ENTRY_PROCESSED 0x00004000
+#define LDRP_DONT_CALL_FOR_THREADS 0x00040000
+#define LDRP_PROCESS_ATTACH_CALLED 0x00080000
+#define LDRP_PROCESS_ATTACH_FAILED 0x00100000
+#define LDRP_IMAGE_NOT_AT_BASE 0x00200000 // Vista and below
+#define LDRP_COR_IMAGE 0x00400000
+#define LDRP_DONT_RELOCATE 0x00800000
+#define LDRP_REDIRECTED 0x10000000
+#define LDRP_COMPAT_DATABASE_PROCESSED 0x80000000
+
+// Use the size of the structure as it was in Windows XP.
+#define LDR_DATA_TABLE_ENTRY_SIZE_WINXP FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, DdagNode)
+#define LDR_DATA_TABLE_ENTRY_SIZE_WIN7 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, BaseNameHashValue)
+#define LDR_DATA_TABLE_ENTRY_SIZE_WIN8 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, ImplicitPathOptions)
+
+// symbols
+typedef struct _LDR_DATA_TABLE_ENTRY
+{
+    LIST_ENTRY InLoadOrderLinks;
+    LIST_ENTRY InMemoryOrderLinks;
+    union
+    {
+        LIST_ENTRY InInitializationOrderLinks;
+        LIST_ENTRY InProgressLinks;
+    };
+    PVOID DllBase;
+    PVOID EntryPoint;
+    ULONG SizeOfImage;
+    UNICODE_STRING FullDllName;
+    UNICODE_STRING BaseDllName;
+    union
+    {
+        UCHAR FlagGroup[4];
+        ULONG Flags;
+        struct
+        {
+            ULONG PackagedBinary : 1;
+            ULONG MarkedForRemoval : 1;
+            ULONG ImageDll : 1;
+            ULONG LoadNotificationsSent : 1;
+            ULONG TelemetryEntryProcessed : 1;
+            ULONG ProcessStaticImport : 1;
+            ULONG InLegacyLists : 1;
+            ULONG InIndexes : 1;
+            ULONG ShimDll : 1;
+            ULONG InExceptionTable : 1;
+            ULONG ReservedFlags1 : 2;
+            ULONG LoadInProgress : 1;
+            ULONG LoadConfigProcessed : 1;
+            ULONG EntryProcessed : 1;
+            ULONG ProtectDelayLoad : 1;
+            ULONG ReservedFlags3 : 2;
+            ULONG DontCallForThreads : 1;
+            ULONG ProcessAttachCalled : 1;
+            ULONG ProcessAttachFailed : 1;
+            ULONG CorDeferredValidate : 1;
+            ULONG CorImage : 1;
+            ULONG DontRelocate : 1;
+            ULONG CorILOnly : 1;
+            ULONG ReservedFlags5 : 3;
+            ULONG Redirected : 1;
+            ULONG ReservedFlags6 : 2;
+            ULONG CompatDatabaseProcessed : 1;
+        };
+    };
+    USHORT ObsoleteLoadCount;
+    USHORT TlsIndex;
+    LIST_ENTRY HashLinks;
+    ULONG TimeDateStamp;
+    struct _ACTIVATION_CONTEXT *EntryPointActivationContext;
+    PVOID Lock;
+    PLDR_DDAG_NODE DdagNode;
+    LIST_ENTRY NodeModuleLink;
+    struct _LDRP_LOAD_CONTEXT *LoadContext;
+    PVOID ParentDllBase;
+    PVOID SwitchBackContext;
+    RTL_BALANCED_NODE BaseAddressIndexNode;
+    RTL_BALANCED_NODE MappingInfoIndexNode;
+    ULONG_PTR OriginalBase;
+    LARGE_INTEGER LoadTime;
+    ULONG BaseNameHashValue;
+    LDR_DLL_LOAD_REASON LoadReason;
+    ULONG ImplicitPathOptions;
+    ULONG ReferenceCount;
+    ULONG DependentLoadFlags;
+    UCHAR SigningLevel; // since REDSTONE2
+} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
+
+typedef BOOLEAN (NTAPI *PDLL_INIT_ROUTINE)(
+    _In_ PVOID DllHandle,
+    _In_ ULONG Reason,
+    _In_opt_ PCONTEXT Context
+    );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrLoadDll(
+    _In_opt_ PWSTR DllPath,
+    _In_opt_ PULONG DllCharacteristics,
+    _In_ PUNICODE_STRING DllName,
+    _Out_ PVOID *DllHandle
+    );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrUnloadDll(
+    _In_ PVOID DllHandle
+    );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrGetDllHandle(
+    _In_opt_ PWSTR DllPath,
+    _In_opt_ PULONG DllCharacteristics,
+    _In_ PUNICODE_STRING DllName,
+    _Out_ PVOID *DllHandle
+    );
+
+#define LDR_GET_DLL_HANDLE_EX_UNCHANGED_REFCOUNT 0x00000001
+#define LDR_GET_DLL_HANDLE_EX_PIN 0x00000002
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrGetDllHandleEx(
+    _In_ ULONG Flags,
+    _In_opt_ PCWSTR DllPath,
+    _In_opt_ PULONG DllCharacteristics,
+    _In_ PUNICODE_STRING DllName,
+    _Out_opt_ PVOID *DllHandle
+    );
+
+#if (PHNT_VERSION >= PHNT_WIN7)
+// rev
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrGetDllHandleByMapping(
+    _In_ PVOID Base,
+    _Out_ PVOID *DllHandle
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_WIN7)
+// rev
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrGetDllHandleByName(
+    _In_opt_ PUNICODE_STRING BaseDllName,
+    _In_opt_ PUNICODE_STRING FullDllName,
+    _Out_ PVOID *DllHandle
+    );
+#endif
+
+#define LDR_ADDREF_DLL_PIN 0x00000001
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrAddRefDll(
+    _In_ ULONG Flags,
+    _In_ PVOID DllHandle
+    );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrGetProcedureAddress(
+    _In_ PVOID DllHandle,
+    _In_opt_ PANSI_STRING ProcedureName,
+    _In_opt_ ULONG ProcedureNumber,
+    _Out_ PVOID *ProcedureAddress
+    );
+
+// rev
+#define LDR_GET_PROCEDURE_ADDRESS_DONT_RECORD_FORWARDER 0x00000001
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+// private
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrGetProcedureAddressEx(
+    _In_ PVOID DllHandle,
+    _In_opt_ PANSI_STRING ProcedureName,
+    _In_opt_ ULONG ProcedureNumber,
+    _Out_ PVOID *ProcedureAddress,
+    _In_ ULONG Flags
+    );
+#endif
+
+#define LDR_LOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001
+#define LDR_LOCK_LOADER_LOCK_FLAG_TRY_ONLY 0x00000002
+
+#define LDR_LOCK_LOADER_LOCK_DISPOSITION_INVALID 0
+#define LDR_LOCK_LOADER_LOCK_DISPOSITION_LOCK_ACQUIRED 1
+#define LDR_LOCK_LOADER_LOCK_DISPOSITION_LOCK_NOT_ACQUIRED 2
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrLockLoaderLock(
+    _In_ ULONG Flags,
+    _Out_opt_ ULONG *Disposition,
+    _Out_ PVOID *Cookie
+    );
+
+#define LDR_UNLOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrUnlockLoaderLock(
+    _In_ ULONG Flags,
+    _Inout_ PVOID Cookie
+    );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrRelocateImage(
+    _In_ PVOID NewBase,
+    _In_ PSTR LoaderName,
+    _In_ NTSTATUS Success,
+    _In_ NTSTATUS Conflict,
+    _In_ NTSTATUS Invalid
+    );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrRelocateImageWithBias(
+    _In_ PVOID NewBase,
+    _In_ LONGLONG Bias,
+    _In_ PSTR LoaderName,
+    _In_ NTSTATUS Success,
+    _In_ NTSTATUS Conflict,
+    _In_ NTSTATUS Invalid
+    );
+
+NTSYSAPI
+PIMAGE_BASE_RELOCATION
+NTAPI
+LdrProcessRelocationBlock(
+    _In_ ULONG_PTR VA,
+    _In_ ULONG SizeOfBlock,
+    _In_ PUSHORT NextOffset,
+    _In_ LONG_PTR Diff
+    );
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+LdrVerifyMappedImageMatchesChecksum(
+    _In_ PVOID BaseAddress,
+    _In_ SIZE_T NumberOfBytes,
+    _In_ ULONG FileLength
+    );
+
+typedef VOID (NTAPI *PLDR_IMPORT_MODULE_CALLBACK)(
+    _In_ PVOID Parameter,
+    _In_ PSTR ModuleName
+    );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrVerifyImageMatchesChecksum(
+    _In_ HANDLE ImageFileHandle,
+    _In_opt_ PLDR_IMPORT_MODULE_CALLBACK ImportCallbackRoutine,
+    _In_ PVOID ImportCallbackParameter,
+    _Out_opt_ PUSHORT ImageCharacteristics
+    );
+
+// private
+typedef struct _LDR_IMPORT_CALLBACK_INFO
+{
+    PLDR_IMPORT_MODULE_CALLBACK ImportCallbackRoutine;
+    PVOID ImportCallbackParameter;
+} LDR_IMPORT_CALLBACK_INFO, *PLDR_IMPORT_CALLBACK_INFO;
+
+// private
+typedef struct _LDR_SECTION_INFO
+{
+    HANDLE SectionHandle;
+    ACCESS_MASK DesiredAccess;
+    POBJECT_ATTRIBUTES ObjA;
+    ULONG SectionPageProtection;
+    ULONG AllocationAttributes;
+} LDR_SECTION_INFO, *PLDR_SECTION_INFO;
+
+// private
+typedef struct _LDR_VERIFY_IMAGE_INFO
+{
+    ULONG Size;
+    ULONG Flags;
+    LDR_IMPORT_CALLBACK_INFO CallbackInfo;
+    LDR_SECTION_INFO SectionInfo;
+    USHORT ImageCharacteristics;
+} LDR_VERIFY_IMAGE_INFO, *PLDR_VERIFY_IMAGE_INFO;
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+// private
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrVerifyImageMatchesChecksumEx(
+    _In_ HANDLE ImageFileHandle,
+    _Inout_ PLDR_VERIFY_IMAGE_INFO VerifyInfo
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+// private
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrQueryModuleServiceTags(
+    _In_ PVOID DllHandle,
+    _Out_writes_(*BufferSize) PULONG ServiceTagBuffer,
+    _Inout_ PULONG BufferSize
+    );
+#endif
+
+// begin_msdn:"DLL Load Notification"
+
+#define LDR_DLL_NOTIFICATION_REASON_LOADED 1
+#define LDR_DLL_NOTIFICATION_REASON_UNLOADED 2
+
+typedef struct _LDR_DLL_LOADED_NOTIFICATION_DATA
+{
+    ULONG Flags;
+    PUNICODE_STRING FullDllName;
+    PUNICODE_STRING BaseDllName;
+    PVOID DllBase;
+    ULONG SizeOfImage;
+} LDR_DLL_LOADED_NOTIFICATION_DATA, *PLDR_DLL_LOADED_NOTIFICATION_DATA;
+
+typedef struct _LDR_DLL_UNLOADED_NOTIFICATION_DATA
+{
+    ULONG Flags;
+    PCUNICODE_STRING FullDllName;
+    PCUNICODE_STRING BaseDllName;
+    PVOID DllBase;
+    ULONG SizeOfImage;
+} LDR_DLL_UNLOADED_NOTIFICATION_DATA, *PLDR_DLL_UNLOADED_NOTIFICATION_DATA;
+
+typedef union _LDR_DLL_NOTIFICATION_DATA
+{
+    LDR_DLL_LOADED_NOTIFICATION_DATA Loaded;
+    LDR_DLL_UNLOADED_NOTIFICATION_DATA Unloaded;
+} LDR_DLL_NOTIFICATION_DATA, *PLDR_DLL_NOTIFICATION_DATA;
+
+typedef VOID (NTAPI *PLDR_DLL_NOTIFICATION_FUNCTION)(
+    _In_ ULONG NotificationReason,
+    _In_ PLDR_DLL_NOTIFICATION_DATA NotificationData,
+    _In_opt_ PVOID Context
+    );
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrRegisterDllNotification(
+    _In_ ULONG Flags,
+    _In_ PLDR_DLL_NOTIFICATION_FUNCTION NotificationFunction,
+    _In_ PVOID Context,
+    _Out_ PVOID *Cookie
+    );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrUnregisterDllNotification(
+    _In_ PVOID Cookie
+    );
+
+#endif
+
+// end_msdn
+
+// private
+typedef struct _PS_MITIGATION_OPTIONS_MAP
+{
+    ULONG_PTR Map[2];
+} PS_MITIGATION_OPTIONS_MAP, *PPS_MITIGATION_OPTIONS_MAP;
+
+// private
+typedef struct _PS_SYSTEM_DLL_INIT_BLOCK
+{
+    ULONG Size;
+    ULONG_PTR SystemDllWowRelocation;
+    ULONG_PTR SystemDllNativeRelocation;
+    ULONG_PTR Wow64SharedInformation[16];
+    ULONG RngData;
+    union
+    {
+        ULONG Flags;
+        struct
+        {
+            ULONG CfgOverride : 1;
+            ULONG Reserved : 31;
+        };
+    };
+    PS_MITIGATION_OPTIONS_MAP MitigationOptionsMap;
+    ULONG_PTR CfgBitMap;
+    ULONG_PTR CfgBitMapSize;
+    ULONG_PTR Wow64CfgBitMap;
+    ULONG_PTR Wow64CfgBitMapSize;
+} PS_SYSTEM_DLL_INIT_BLOCK, *PPS_SYSTEM_DLL_INIT_BLOCK;
+
+#if (PHNT_VERSION >= PHNT_THRESHOLD)
+// rev
+NTSYSAPI
+PPS_SYSTEM_DLL_INIT_BLOCK
+NTAPI
+LdrSystemDllInitBlock(
+    VOID
+    );
+#endif
+
+// Load as data table
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+
+// private
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrAddLoadAsDataTable(
+    _In_ PVOID Module,
+    _In_ PWSTR FilePath,
+    _In_ SIZE_T Size,
+    _In_ HANDLE Handle
+    );
+
+// private
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrRemoveLoadAsDataTable(
+    _In_ PVOID InitModule,
+    _Out_opt_ PVOID *BaseModule,
+    _Out_opt_ PSIZE_T Size,
+    _In_ ULONG Flags
+    );
+
+// private
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrGetFileNameFromLoadAsDataTable(
+    _In_ PVOID Module,
+    _Out_ PVOID *pFileNamePrt
+    );
+
+#endif
+
+NTSYSAPI
+NTSTATUS 
+NTAPI 
+LdrDisableThreadCalloutsForDll(
+    _In_ PVOID DllImageBase
+    );
+    
+#endif // (PHNT_MODE != PHNT_MODE_KERNEL)
+
+// Module information
+
+typedef struct _RTL_PROCESS_MODULE_INFORMATION
+{
+    HANDLE Section;
+    PVOID MappedBase;
+    PVOID ImageBase;
+    ULONG ImageSize;
+    ULONG Flags;
+    USHORT LoadOrderIndex;
+    USHORT InitOrderIndex;
+    USHORT LoadCount;
+    USHORT OffsetToFileName;
+    UCHAR FullPathName[256];
+} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
+
+typedef struct _RTL_PROCESS_MODULES
+{
+    ULONG NumberOfModules;
+    RTL_PROCESS_MODULE_INFORMATION Modules[1];
+} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;
+
+// private
+typedef struct _RTL_PROCESS_MODULE_INFORMATION_EX
+{
+    USHORT NextOffset;
+    RTL_PROCESS_MODULE_INFORMATION BaseInfo;
+    ULONG ImageChecksum;
+    ULONG TimeDateStamp;
+    PVOID DefaultBase;
+} RTL_PROCESS_MODULE_INFORMATION_EX, *PRTL_PROCESS_MODULE_INFORMATION_EX;
+
+#endif

phnt/include/ntlpcapi.h

@@ -0,0 +1,995 @@
+#ifndef _NTLPCAPI_H
+#define _NTLPCAPI_H
+
+// Local Inter-process Communication
+
+#define PORT_CONNECT 0x0001
+#define PORT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1)
+
+typedef struct _PORT_MESSAGE
+{
+    union
+    {
+        struct
+        {
+            CSHORT DataLength;
+            CSHORT TotalLength;
+        } s1;
+        ULONG Length;
+    } u1;
+    union
+    {
+        struct
+        {
+            CSHORT Type;
+            CSHORT DataInfoOffset;
+        } s2;
+        ULONG ZeroInit;
+    } u2;
+    union
+    {
+        CLIENT_ID ClientId;
+        double DoNotUseThisField;
+    };
+    ULONG MessageId;
+    union
+    {
+        SIZE_T ClientViewSize; // only valid for LPC_CONNECTION_REQUEST messages
+        ULONG CallbackId; // only valid for LPC_REQUEST messages
+    };
+} PORT_MESSAGE, *PPORT_MESSAGE;
+
+typedef struct _PORT_DATA_ENTRY
+{
+    PVOID Base;
+    ULONG Size;
+} PORT_DATA_ENTRY, *PPORT_DATA_ENTRY;
+
+typedef struct _PORT_DATA_INFORMATION
+{
+    ULONG CountDataEntries;
+    PORT_DATA_ENTRY DataEntries[1];
+} PORT_DATA_INFORMATION, *PPORT_DATA_INFORMATION;
+
+#define LPC_REQUEST 1
+#define LPC_REPLY 2
+#define LPC_DATAGRAM 3
+#define LPC_LOST_REPLY 4
+#define LPC_PORT_CLOSED 5
+#define LPC_CLIENT_DIED 6
+#define LPC_EXCEPTION 7
+#define LPC_DEBUG_EVENT 8
+#define LPC_ERROR_EVENT 9
+#define LPC_CONNECTION_REQUEST 10
+
+#define LPC_KERNELMODE_MESSAGE (CSHORT)0x8000
+#define LPC_NO_IMPERSONATE (CSHORT)0x4000
+
+#define PORT_VALID_OBJECT_ATTRIBUTES OBJ_CASE_INSENSITIVE
+
+#ifdef _WIN64
+#define PORT_MAXIMUM_MESSAGE_LENGTH 512
+#else
+#define PORT_MAXIMUM_MESSAGE_LENGTH 256
+#endif
+
+#define LPC_MAX_CONNECTION_INFO_SIZE (16 * sizeof(ULONG_PTR))
+
+#define PORT_TOTAL_MAXIMUM_MESSAGE_LENGTH \
+    ((PORT_MAXIMUM_MESSAGE_LENGTH + sizeof(PORT_MESSAGE) + LPC_MAX_CONNECTION_INFO_SIZE + 0xf) & ~0xf)
+
+typedef struct _LPC_CLIENT_DIED_MSG
+{
+    PORT_MESSAGE PortMsg;
+    LARGE_INTEGER CreateTime;
+} LPC_CLIENT_DIED_MSG, *PLPC_CLIENT_DIED_MSG;
+
+typedef struct _PORT_VIEW
+{
+    ULONG Length;
+    HANDLE SectionHandle;
+    ULONG SectionOffset;
+    SIZE_T ViewSize;
+    PVOID ViewBase;
+    PVOID ViewRemoteBase;
+} PORT_VIEW, *PPORT_VIEW;
+
+typedef struct _REMOTE_PORT_VIEW
+{
+    ULONG Length;
+    SIZE_T ViewSize;
+    PVOID ViewBase;
+} REMOTE_PORT_VIEW, *PREMOTE_PORT_VIEW;
+
+// WOW64 definitions
+
+// Except in a small number of special cases, WOW64 programs using the LPC APIs must use the 64-bit versions of the
+// PORT_MESSAGE, PORT_VIEW and REMOTE_PORT_VIEW data structures. Note that we take a different approach than the
+// official NT headers, which produce 64-bit versions in a 32-bit environment when USE_LPC6432 is defined.
+
+typedef struct _PORT_MESSAGE64
+{
+    union
+    {
+        struct
+        {
+            CSHORT DataLength;
+            CSHORT TotalLength;
+        } s1;
+        ULONG Length;
+    } u1;
+    union
+    {
+        struct
+        {
+            CSHORT Type;
+            CSHORT DataInfoOffset;
+        } s2;
+        ULONG ZeroInit;
+    } u2;
+    union
+    {
+        CLIENT_ID64 ClientId;
+        double DoNotUseThisField;
+    };
+    ULONG MessageId;
+    union
+    {
+        ULONGLONG ClientViewSize; // only valid for LPC_CONNECTION_REQUEST messages
+        ULONG CallbackId; // only valid for LPC_REQUEST messages
+    };
+} PORT_MESSAGE64, *PPORT_MESSAGE64;
+
+typedef struct _LPC_CLIENT_DIED_MSG64
+{
+    PORT_MESSAGE64 PortMsg;
+    LARGE_INTEGER CreateTime;
+} LPC_CLIENT_DIED_MSG64, *PLPC_CLIENT_DIED_MSG64;
+
+typedef struct _PORT_VIEW64
+{
+    ULONG Length;
+    ULONGLONG SectionHandle;
+    ULONG SectionOffset;
+    ULONGLONG ViewSize;
+    ULONGLONG ViewBase;
+    ULONGLONG ViewRemoteBase;
+} PORT_VIEW64, *PPORT_VIEW64;
+
+typedef struct _REMOTE_PORT_VIEW64
+{
+    ULONG Length;
+    ULONGLONG ViewSize;
+    ULONGLONG ViewBase;
+} REMOTE_PORT_VIEW64, *PREMOTE_PORT_VIEW64;
+
+// Port creation
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreatePort(
+    _Out_ PHANDLE PortHandle,
+    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _In_ ULONG MaxConnectionInfoLength,
+    _In_ ULONG MaxMessageLength,
+    _In_opt_ ULONG MaxPoolUsage
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateWaitablePort(
+    _Out_ PHANDLE PortHandle,
+    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _In_ ULONG MaxConnectionInfoLength,
+    _In_ ULONG MaxMessageLength,
+    _In_opt_ ULONG MaxPoolUsage
+    );
+
+// Port connection (client)
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtConnectPort(
+    _Out_ PHANDLE PortHandle,
+    _In_ PUNICODE_STRING PortName,
+    _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos,
+    _Inout_opt_ PPORT_VIEW ClientView,
+    _Inout_opt_ PREMOTE_PORT_VIEW ServerView,
+    _Out_opt_ PULONG MaxMessageLength,
+    _Inout_updates_bytes_to_opt_(*ConnectionInformationLength, *ConnectionInformationLength) PVOID ConnectionInformation,
+    _Inout_opt_ PULONG ConnectionInformationLength
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSecureConnectPort(
+    _Out_ PHANDLE PortHandle,
+    _In_ PUNICODE_STRING PortName,
+    _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos,
+    _Inout_opt_ PPORT_VIEW ClientView,
+    _In_opt_ PSID RequiredServerSid,
+    _Inout_opt_ PREMOTE_PORT_VIEW ServerView,
+    _Out_opt_ PULONG MaxMessageLength,
+    _Inout_updates_bytes_to_opt_(*ConnectionInformationLength, *ConnectionInformationLength) PVOID ConnectionInformation,
+    _Inout_opt_ PULONG ConnectionInformationLength
+    );
+
+// Port connection (server)
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtListenPort(
+    _In_ HANDLE PortHandle,
+    _Out_ PPORT_MESSAGE ConnectionRequest
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAcceptConnectPort(
+    _Out_ PHANDLE PortHandle,
+    _In_opt_ PVOID PortContext,
+    _In_ PPORT_MESSAGE ConnectionRequest,
+    _In_ BOOLEAN AcceptConnection,
+    _Inout_opt_ PPORT_VIEW ServerView,
+    _Out_opt_ PREMOTE_PORT_VIEW ClientView
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCompleteConnectPort(
+    _In_ HANDLE PortHandle
+    );
+
+// General
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRequestPort(
+    _In_ HANDLE PortHandle,
+    _In_reads_bytes_(RequestMessage->u1.s1.TotalLength) PPORT_MESSAGE RequestMessage
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRequestWaitReplyPort(
+    _In_ HANDLE PortHandle,
+    _In_reads_bytes_(RequestMessage->u1.s1.TotalLength) PPORT_MESSAGE RequestMessage,
+    _Out_ PPORT_MESSAGE ReplyMessage
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtReplyPort(
+    _In_ HANDLE PortHandle,
+    _In_reads_bytes_(ReplyMessage->u1.s1.TotalLength) PPORT_MESSAGE ReplyMessage
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtReplyWaitReplyPort(
+    _In_ HANDLE PortHandle,
+    _Inout_ PPORT_MESSAGE ReplyMessage
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtReplyWaitReceivePort(
+    _In_ HANDLE PortHandle,
+    _Out_opt_ PVOID *PortContext,
+    _In_reads_bytes_opt_(ReplyMessage->u1.s1.TotalLength) PPORT_MESSAGE ReplyMessage,
+    _Out_ PPORT_MESSAGE ReceiveMessage
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtReplyWaitReceivePortEx(
+    _In_ HANDLE PortHandle,
+    _Out_opt_ PVOID *PortContext,
+    _In_reads_bytes_opt_(ReplyMessage->u1.s1.TotalLength) PPORT_MESSAGE ReplyMessage,
+    _Out_ PPORT_MESSAGE ReceiveMessage,
+    _In_opt_ PLARGE_INTEGER Timeout
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtImpersonateClientOfPort(
+    _In_ HANDLE PortHandle,
+    _In_ PPORT_MESSAGE Message
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtReadRequestData(
+    _In_ HANDLE PortHandle,
+    _In_ PPORT_MESSAGE Message,
+    _In_ ULONG DataEntryIndex,
+    _Out_writes_bytes_to_(BufferSize, *NumberOfBytesRead) PVOID Buffer,
+    _In_ SIZE_T BufferSize,
+    _Out_opt_ PSIZE_T NumberOfBytesRead
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtWriteRequestData(
+    _In_ HANDLE PortHandle,
+    _In_ PPORT_MESSAGE Message,
+    _In_ ULONG DataEntryIndex,
+    _In_reads_bytes_(BufferSize) PVOID Buffer,
+    _In_ SIZE_T BufferSize,
+    _Out_opt_ PSIZE_T NumberOfBytesWritten
+    );
+
+typedef enum _PORT_INFORMATION_CLASS
+{
+    PortBasicInformation,
+    PortDumpInformation
+} PORT_INFORMATION_CLASS;
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryInformationPort(
+    _In_ HANDLE PortHandle,
+    _In_ PORT_INFORMATION_CLASS PortInformationClass,
+    _Out_writes_bytes_to_(Length, *ReturnLength) PVOID PortInformation,
+    _In_ ULONG Length,
+    _Out_opt_ PULONG ReturnLength
+    );
+
+// Asynchronous Local Inter-process Communication
+
+// rev
+typedef HANDLE ALPC_HANDLE, *PALPC_HANDLE;
+
+#define ALPC_PORFLG_ALLOW_LPC_REQUESTS 0x20000 // rev
+#define ALPC_PORFLG_WAITABLE_PORT 0x40000 // dbg
+#define ALPC_PORFLG_SYSTEM_PROCESS 0x100000 // dbg
+
+// symbols
+typedef struct _ALPC_PORT_ATTRIBUTES
+{
+    ULONG Flags;
+    SECURITY_QUALITY_OF_SERVICE SecurityQos;
+    SIZE_T MaxMessageLength;
+    SIZE_T MemoryBandwidth;
+    SIZE_T MaxPoolUsage;
+    SIZE_T MaxSectionSize;
+    SIZE_T MaxViewSize;
+    SIZE_T MaxTotalSectionSize;
+    ULONG DupObjectTypes;
+#ifdef _WIN64
+    ULONG Reserved;
+#endif
+} ALPC_PORT_ATTRIBUTES, *PALPC_PORT_ATTRIBUTES;
+
+// begin_rev
+#define ALPC_MESSAGE_SECURITY_ATTRIBUTE 0x80000000
+#define ALPC_MESSAGE_VIEW_ATTRIBUTE 0x40000000
+#define ALPC_MESSAGE_CONTEXT_ATTRIBUTE 0x20000000
+#define ALPC_MESSAGE_HANDLE_ATTRIBUTE 0x10000000
+// end_rev
+
+// symbols
+typedef struct _ALPC_MESSAGE_ATTRIBUTES
+{
+    ULONG AllocatedAttributes;
+    ULONG ValidAttributes;
+} ALPC_MESSAGE_ATTRIBUTES, *PALPC_MESSAGE_ATTRIBUTES;
+
+// symbols
+typedef struct _ALPC_COMPLETION_LIST_STATE
+{
+    union
+    {
+        struct
+        {
+            ULONG64 Head : 24;
+            ULONG64 Tail : 24;
+            ULONG64 ActiveThreadCount : 16;
+        } s1;
+        ULONG64 Value;
+    } u1;
+} ALPC_COMPLETION_LIST_STATE, *PALPC_COMPLETION_LIST_STATE;
+
+#define ALPC_COMPLETION_LIST_BUFFER_GRANULARITY_MASK 0x3f // dbg
+
+// symbols
+typedef struct DECLSPEC_ALIGN(128) _ALPC_COMPLETION_LIST_HEADER
+{
+    ULONG64 StartMagic;
+
+    ULONG TotalSize;
+    ULONG ListOffset;
+    ULONG ListSize;
+    ULONG BitmapOffset;
+    ULONG BitmapSize;
+    ULONG DataOffset;
+    ULONG DataSize;
+    ULONG AttributeFlags;
+    ULONG AttributeSize;
+
+    DECLSPEC_ALIGN(128) ALPC_COMPLETION_LIST_STATE State;
+    ULONG LastMessageId;
+    ULONG LastCallbackId;
+    DECLSPEC_ALIGN(128) ULONG PostCount;
+    DECLSPEC_ALIGN(128) ULONG ReturnCount;
+    DECLSPEC_ALIGN(128) ULONG LogSequenceNumber;
+    DECLSPEC_ALIGN(128) RTL_SRWLOCK UserLock;
+
+    ULONG64 EndMagic;
+} ALPC_COMPLETION_LIST_HEADER, *PALPC_COMPLETION_LIST_HEADER;
+
+// private
+typedef struct _ALPC_CONTEXT_ATTR
+{
+    PVOID PortContext;
+    PVOID MessageContext;
+    ULONG Sequence;
+    ULONG MessageId;
+    ULONG CallbackId;
+} ALPC_CONTEXT_ATTR, *PALPC_CONTEXT_ATTR;
+
+// begin_rev
+#define ALPC_HANDLEFLG_DUPLICATE_SAME_ACCESS 0x10000
+#define ALPC_HANDLEFLG_DUPLICATE_SAME_ATTRIBUTES 0x20000
+#define ALPC_HANDLEFLG_DUPLICATE_INHERIT 0x80000
+// end_rev
+
+// private
+typedef struct _ALPC_HANDLE_ATTR32
+{
+    ULONG Flags;
+    ULONG Reserved0;
+    ULONG SameAccess;
+    ULONG SameAttributes;
+    ULONG Indirect;
+    ULONG Inherit;
+    ULONG Reserved1;
+    ULONG Handle;
+    ULONG ObjectType; // ObjectTypeCode, not ObjectTypeIndex
+    ULONG DesiredAccess;
+    ULONG GrantedAccess;
+} ALPC_HANDLE_ATTR32, *PALPC_HANDLE_ATTR32;
+
+// private
+typedef struct _ALPC_HANDLE_ATTR
+{
+    ULONG Flags;
+    ULONG Reserved0;
+    ULONG SameAccess;
+    ULONG SameAttributes;
+    ULONG Indirect;
+    ULONG Inherit;
+    ULONG Reserved1;
+    HANDLE Handle;
+    PALPC_HANDLE_ATTR32 HandleAttrArray;
+    ULONG ObjectType; // ObjectTypeCode, not ObjectTypeIndex
+    ULONG HandleCount;
+    ACCESS_MASK DesiredAccess;
+    ACCESS_MASK GrantedAccess;
+} ALPC_HANDLE_ATTR, *PALPC_HANDLE_ATTR;
+
+#define ALPC_SECFLG_CREATE_HANDLE 0x20000 // dbg
+
+// private
+typedef struct _ALPC_SECURITY_ATTR
+{
+    ULONG Flags;
+    PSECURITY_QUALITY_OF_SERVICE QoS;
+    ALPC_HANDLE ContextHandle; // dbg
+} ALPC_SECURITY_ATTR, *PALPC_SECURITY_ATTR;
+
+// begin_rev
+#define ALPC_VIEWFLG_NOT_SECURE 0x40000
+// end_rev
+
+// private
+typedef struct _ALPC_DATA_VIEW_ATTR
+{
+    ULONG Flags;
+    ALPC_HANDLE SectionHandle;
+    PVOID ViewBase; // must be zero on input
+    SIZE_T ViewSize;
+} ALPC_DATA_VIEW_ATTR, *PALPC_DATA_VIEW_ATTR;
+
+// private
+typedef enum _ALPC_PORT_INFORMATION_CLASS
+{
+    AlpcBasicInformation, // q: out ALPC_BASIC_INFORMATION
+    AlpcPortInformation, // s: in ALPC_PORT_ATTRIBUTES
+    AlpcAssociateCompletionPortInformation, // s: in ALPC_PORT_ASSOCIATE_COMPLETION_PORT
+    AlpcConnectedSIDInformation, // q: in SID
+    AlpcServerInformation, // q: inout ALPC_SERVER_INFORMATION
+    AlpcMessageZoneInformation, // s: in ALPC_PORT_MESSAGE_ZONE_INFORMATION
+    AlpcRegisterCompletionListInformation, // s: in ALPC_PORT_COMPLETION_LIST_INFORMATION
+    AlpcUnregisterCompletionListInformation, // s: VOID
+    AlpcAdjustCompletionListConcurrencyCountInformation, // s: in ULONG
+    AlpcRegisterCallbackInformation, // kernel-mode only
+    AlpcCompletionListRundownInformation, // s: VOID
+    AlpcWaitForPortReferences
+} ALPC_PORT_INFORMATION_CLASS;
+
+// private
+typedef struct _ALPC_BASIC_INFORMATION
+{
+    ULONG Flags;
+    ULONG SequenceNo;
+    PVOID PortContext;
+} ALPC_BASIC_INFORMATION, *PALPC_BASIC_INFORMATION;
+
+// private
+typedef struct _ALPC_PORT_ASSOCIATE_COMPLETION_PORT
+{
+    PVOID CompletionKey;
+    HANDLE CompletionPort;
+} ALPC_PORT_ASSOCIATE_COMPLETION_PORT, *PALPC_PORT_ASSOCIATE_COMPLETION_PORT;
+
+// private
+typedef struct _ALPC_SERVER_INFORMATION
+{
+    union
+    {
+        struct
+        {
+            HANDLE ThreadHandle;
+        } In;
+        struct
+        {
+            BOOLEAN ThreadBlocked;
+            HANDLE ConnectedProcessId;
+            UNICODE_STRING ConnectionPortName;
+        } Out;
+    };
+} ALPC_SERVER_INFORMATION, *PALPC_SERVER_INFORMATION;
+
+// private
+typedef struct _ALPC_PORT_MESSAGE_ZONE_INFORMATION
+{
+    PVOID Buffer;
+    ULONG Size;
+} ALPC_PORT_MESSAGE_ZONE_INFORMATION, *PALPC_PORT_MESSAGE_ZONE_INFORMATION;
+
+// private
+typedef struct _ALPC_PORT_COMPLETION_LIST_INFORMATION
+{
+    PVOID Buffer; // PALPC_COMPLETION_LIST_HEADER
+    ULONG Size;
+    ULONG ConcurrencyCount;
+    ULONG AttributeFlags;
+} ALPC_PORT_COMPLETION_LIST_INFORMATION, *PALPC_PORT_COMPLETION_LIST_INFORMATION;
+
+// private
+typedef enum _ALPC_MESSAGE_INFORMATION_CLASS
+{
+    AlpcMessageSidInformation, // q: out SID
+    AlpcMessageTokenModifiedIdInformation,  // q: out LUID
+    AlpcMessageDirectStatusInformation,
+    AlpcMessageHandleInformation, // ALPC_MESSAGE_HANDLE_INFORMATION
+    MaxAlpcMessageInfoClass
+} ALPC_MESSAGE_INFORMATION_CLASS, *PALPC_MESSAGE_INFORMATION_CLASS;
+
+typedef struct _ALPC_MESSAGE_HANDLE_INFORMATION
+{
+    ULONG Index;
+    ULONG Flags;
+    ULONG Handle;
+    ULONG ObjectType;
+    ACCESS_MASK GrantedAccess;
+} ALPC_MESSAGE_HANDLE_INFORMATION, *PALPC_MESSAGE_HANDLE_INFORMATION;
+
+// begin_private
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+
+// System calls
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAlpcCreatePort(
+    _Out_ PHANDLE PortHandle,
+    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _In_opt_ PALPC_PORT_ATTRIBUTES PortAttributes
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAlpcDisconnectPort(
+    _In_ HANDLE PortHandle,
+    _In_ ULONG Flags
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAlpcQueryInformation(
+    _In_opt_ HANDLE PortHandle,
+    _In_ ALPC_PORT_INFORMATION_CLASS PortInformationClass,
+    _Inout_updates_bytes_to_(Length, *ReturnLength) PVOID PortInformation,
+    _In_ ULONG Length,
+    _Out_opt_ PULONG ReturnLength
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAlpcSetInformation(
+    _In_ HANDLE PortHandle,
+    _In_ ALPC_PORT_INFORMATION_CLASS PortInformationClass,
+    _In_reads_bytes_opt_(Length) PVOID PortInformation,
+    _In_ ULONG Length
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAlpcCreatePortSection(
+    _In_ HANDLE PortHandle,
+    _In_ ULONG Flags,
+    _In_opt_ HANDLE SectionHandle,
+    _In_ SIZE_T SectionSize,
+    _Out_ PALPC_HANDLE AlpcSectionHandle,
+    _Out_ PSIZE_T ActualSectionSize
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAlpcDeletePortSection(
+    _In_ HANDLE PortHandle,
+    _Reserved_ ULONG Flags,
+    _In_ ALPC_HANDLE SectionHandle
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAlpcCreateResourceReserve(
+    _In_ HANDLE PortHandle,
+    _Reserved_ ULONG Flags,
+    _In_ SIZE_T MessageSize,
+    _Out_ PALPC_HANDLE ResourceId
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAlpcDeleteResourceReserve(
+    _In_ HANDLE PortHandle,
+    _Reserved_ ULONG Flags,
+    _In_ ALPC_HANDLE ResourceId
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAlpcCreateSectionView(
+    _In_ HANDLE PortHandle,
+    _Reserved_ ULONG Flags,
+    _Inout_ PALPC_DATA_VIEW_ATTR ViewAttributes
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAlpcDeleteSectionView(
+    _In_ HANDLE PortHandle,
+    _Reserved_ ULONG Flags,
+    _In_ PVOID ViewBase
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAlpcCreateSecurityContext(
+    _In_ HANDLE PortHandle,
+    _Reserved_ ULONG Flags,
+    _Inout_ PALPC_SECURITY_ATTR SecurityAttribute
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAlpcDeleteSecurityContext(
+    _In_ HANDLE PortHandle,
+    _Reserved_ ULONG Flags,
+    _In_ ALPC_HANDLE ContextHandle
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAlpcRevokeSecurityContext(
+    _In_ HANDLE PortHandle,
+    _Reserved_ ULONG Flags,
+    _In_ ALPC_HANDLE ContextHandle
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAlpcQueryInformationMessage(
+    _In_ HANDLE PortHandle,
+    _In_ PPORT_MESSAGE PortMessage,
+    _In_ ALPC_MESSAGE_INFORMATION_CLASS MessageInformationClass,
+    _Out_writes_bytes_to_opt_(Length, *ReturnLength) PVOID MessageInformation,
+    _In_ ULONG Length,
+    _Out_opt_ PULONG ReturnLength
+    );
+
+#define ALPC_MSGFLG_REPLY_MESSAGE 0x1
+#define ALPC_MSGFLG_LPC_MODE 0x2 // ?
+#define ALPC_MSGFLG_RELEASE_MESSAGE 0x10000 // dbg
+#define ALPC_MSGFLG_SYNC_REQUEST 0x20000 // dbg
+#define ALPC_MSGFLG_WAIT_USER_MODE 0x100000
+#define ALPC_MSGFLG_WAIT_ALERTABLE 0x200000
+#define ALPC_MSGFLG_WOW64_CALL 0x80000000 // dbg
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAlpcConnectPort(
+    _Out_ PHANDLE PortHandle,
+    _In_ PUNICODE_STRING PortName,
+    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _In_opt_ PALPC_PORT_ATTRIBUTES PortAttributes,
+    _In_ ULONG Flags,
+    _In_opt_ PSID RequiredServerSid,
+    _Inout_updates_bytes_to_opt_(*BufferLength, *BufferLength) PPORT_MESSAGE ConnectionMessage,
+    _Inout_opt_ PULONG BufferLength,
+    _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes,
+    _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES InMessageAttributes,
+    _In_opt_ PLARGE_INTEGER Timeout
+    );
+
+#if (PHNT_VERSION >= PHNT_WIN8)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAlpcConnectPortEx(
+    _Out_ PHANDLE PortHandle,
+    _In_ POBJECT_ATTRIBUTES ConnectionPortObjectAttributes,
+    _In_opt_ POBJECT_ATTRIBUTES ClientPortObjectAttributes,
+    _In_opt_ PALPC_PORT_ATTRIBUTES PortAttributes,
+    _In_ ULONG Flags,
+    _In_opt_ PSECURITY_DESCRIPTOR ServerSecurityRequirements,
+    _Inout_updates_bytes_to_opt_(*BufferLength, *BufferLength) PPORT_MESSAGE ConnectionMessage,
+    _Inout_opt_ PSIZE_T BufferLength,
+    _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes,
+    _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES InMessageAttributes,
+    _In_opt_ PLARGE_INTEGER Timeout
+    );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAlpcAcceptConnectPort(
+    _Out_ PHANDLE PortHandle,
+    _In_ HANDLE ConnectionPortHandle,
+    _In_ ULONG Flags,
+    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _In_opt_ PALPC_PORT_ATTRIBUTES PortAttributes,
+    _In_opt_ PVOID PortContext,
+    _In_reads_bytes_(ConnectionRequest->u1.s1.TotalLength) PPORT_MESSAGE ConnectionRequest,
+    _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES ConnectionMessageAttributes,
+    _In_ BOOLEAN AcceptConnection
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAlpcSendWaitReceivePort(
+    _In_ HANDLE PortHandle,
+    _In_ ULONG Flags,
+    _In_reads_bytes_opt_(SendMessage->u1.s1.TotalLength) PPORT_MESSAGE SendMessage,
+    _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES SendMessageAttributes,
+    _Out_writes_bytes_to_opt_(*BufferLength, *BufferLength) PPORT_MESSAGE ReceiveMessage,
+    _Inout_opt_ PSIZE_T BufferLength,
+    _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES ReceiveMessageAttributes,
+    _In_opt_ PLARGE_INTEGER Timeout
+    );
+
+#define ALPC_CANCELFLG_TRY_CANCEL 0x1 // dbg
+#define ALPC_CANCELFLG_NO_CONTEXT_CHECK 0x8
+#define ALPC_CANCELFLGP_FLUSH 0x10000 // dbg
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAlpcCancelMessage(
+    _In_ HANDLE PortHandle,
+    _In_ ULONG Flags,
+    _In_ PALPC_CONTEXT_ATTR MessageContext
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAlpcImpersonateClientOfPort(
+    _In_ HANDLE PortHandle,
+    _In_ PPORT_MESSAGE Message,
+    _In_ PVOID Flags
+    );
+
+#if (PHNT_VERSION >= PHNT_THRESHOLD)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAlpcImpersonateClientContainerOfPort(
+    _In_ HANDLE PortHandle,
+    _In_ PPORT_MESSAGE Message,
+    _In_ ULONG Flags
+    );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAlpcOpenSenderProcess(
+    _Out_ PHANDLE ProcessHandle,
+    _In_ HANDLE PortHandle,
+    _In_ PPORT_MESSAGE PortMessage,
+    _In_ ULONG Flags,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ POBJECT_ATTRIBUTES ObjectAttributes
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAlpcOpenSenderThread(
+    _Out_ PHANDLE ThreadHandle,
+    _In_ HANDLE PortHandle,
+    _In_ PPORT_MESSAGE PortMessage,
+    _In_ ULONG Flags,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ POBJECT_ATTRIBUTES ObjectAttributes
+    );
+
+// Support functions
+
+NTSYSAPI
+ULONG
+NTAPI
+AlpcMaxAllowedMessageLength(
+    VOID
+    );
+
+NTSYSAPI
+ULONG
+NTAPI
+AlpcGetHeaderSize(
+    _In_ ULONG Flags
+    );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+AlpcInitializeMessageAttribute(
+    _In_ ULONG AttributeFlags,
+    _Out_opt_ PALPC_MESSAGE_ATTRIBUTES Buffer,
+    _In_ ULONG BufferSize,
+    _Out_ PULONG RequiredBufferSize
+    );
+
+NTSYSAPI
+PVOID
+NTAPI
+AlpcGetMessageAttribute(
+    _In_ PALPC_MESSAGE_ATTRIBUTES Buffer,
+    _In_ ULONG AttributeFlag
+    );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+AlpcRegisterCompletionList(
+    _In_ HANDLE PortHandle,
+    _Out_ PALPC_COMPLETION_LIST_HEADER Buffer,
+    _In_ ULONG Size,
+    _In_ ULONG ConcurrencyCount,
+    _In_ ULONG AttributeFlags
+    );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+AlpcUnregisterCompletionList(
+    _In_ HANDLE PortHandle
+    );
+
+#if (PHNT_VERSION >= PHNT_WIN7)
+// rev
+NTSYSAPI
+NTSTATUS
+NTAPI
+AlpcRundownCompletionList(
+    _In_ HANDLE PortHandle
+    );
+#endif
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+AlpcAdjustCompletionListConcurrencyCount(
+    _In_ HANDLE PortHandle,
+    _In_ ULONG ConcurrencyCount
+    );
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+AlpcRegisterCompletionListWorkerThread(
+    _Inout_ PVOID CompletionList
+    );
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+AlpcUnregisterCompletionListWorkerThread(
+    _Inout_ PVOID CompletionList
+    );
+
+NTSYSAPI
+VOID
+NTAPI
+AlpcGetCompletionListLastMessageInformation(
+    _In_ PVOID CompletionList,
+    _Out_ PULONG LastMessageId,
+    _Out_ PULONG LastCallbackId
+    );
+
+NTSYSAPI
+ULONG
+NTAPI
+AlpcGetOutstandingCompletionListMessageCount(
+    _In_ PVOID CompletionList
+    );
+
+NTSYSAPI
+PPORT_MESSAGE
+NTAPI
+AlpcGetMessageFromCompletionList(
+    _In_ PVOID CompletionList,
+    _Out_opt_ PALPC_MESSAGE_ATTRIBUTES *MessageAttributes
+    );
+
+NTSYSAPI
+VOID
+NTAPI
+AlpcFreeCompletionListMessage(
+    _Inout_ PVOID CompletionList,
+    _In_ PPORT_MESSAGE Message
+    );
+
+NTSYSAPI
+PALPC_MESSAGE_ATTRIBUTES
+NTAPI
+AlpcGetCompletionListMessageAttributes(
+    _In_ PVOID CompletionList,
+    _In_ PPORT_MESSAGE Message
+    );
+
+#endif
+
+// end_private
+
+#endif

phnt/include/ntmisc.h

@@ -0,0 +1,77 @@
+#ifndef _NTMISC_H
+#define _NTMISC_H
+
+// Boot graphics
+
+#if (PHNT_VERSION >= PHNT_WIN7)
+// rev
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDrawText(
+    _In_ PUNICODE_STRING Text
+    );
+#endif
+
+// Filter manager
+
+#define FLT_PORT_CONNECT 0x0001
+#define FLT_PORT_ALL_ACCESS (FLT_PORT_CONNECT | STANDARD_RIGHTS_ALL)
+
+// VDM
+
+typedef enum _VDMSERVICECLASS
+{
+    VdmStartExecution,
+    VdmQueueInterrupt,
+    VdmDelayInterrupt,
+    VdmInitialize,
+    VdmFeatures,
+    VdmSetInt21Handler,
+    VdmQueryDir,
+    VdmPrinterDirectIoOpen,
+    VdmPrinterDirectIoClose,
+    VdmPrinterInitialize,
+    VdmSetLdtEntries,
+    VdmSetProcessLdtInfo,
+    VdmAdlibEmulation,
+    VdmPMCliControl,
+    VdmQueryVdmProcess
+} VDMSERVICECLASS, *PVDMSERVICECLASS;
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtVdmControl(
+    _In_ VDMSERVICECLASS Service,
+    _Inout_ PVOID ServiceData
+    );
+
+// WMI/ETW
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtTraceEvent(
+    _In_ HANDLE TraceHandle,
+    _In_ ULONG Flags,
+    _In_ ULONG FieldSize,
+    _In_ PVOID Fields
+    );
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+// private
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtTraceControl(
+    _In_ ULONG FunctionCode,
+    _In_reads_bytes_opt_(InBufferLen) PVOID InBuffer,
+    _In_ ULONG InBufferLen,
+    _Out_writes_bytes_opt_(OutBufferLen) PVOID OutBuffer,
+    _In_ ULONG OutBufferLen,
+    _Out_ PULONG ReturnLength
+    );
+#endif
+
+#endif

phnt/include/ntmmapi.h

@@ -0,0 +1,859 @@
+#ifndef _NTMMAPI_H
+#define _NTMMAPI_H
+
+#if (PHNT_MODE == PHNT_MODE_KERNEL)
+
+// Protection constants
+
+#define PAGE_NOACCESS 0x01
+#define PAGE_READONLY 0x02
+#define PAGE_READWRITE 0x04
+#define PAGE_WRITECOPY 0x08
+#define PAGE_EXECUTE 0x10
+#define PAGE_EXECUTE_READ 0x20
+#define PAGE_EXECUTE_READWRITE 0x40
+#define PAGE_EXECUTE_WRITECOPY 0x80
+#define PAGE_GUARD 0x100
+#define PAGE_NOCACHE 0x200
+#define PAGE_WRITECOMBINE 0x400
+
+#define PAGE_REVERT_TO_FILE_MAP     0x80000000
+#define PAGE_ENCLAVE_THREAD_CONTROL 0x80000000
+#define PAGE_TARGETS_NO_UPDATE      0x40000000
+#define PAGE_TARGETS_INVALID        0x40000000
+#define PAGE_ENCLAVE_UNVALIDATED    0x20000000
+
+// Region and section constants
+
+#define MEM_COMMIT 0x1000
+#define MEM_RESERVE 0x2000
+#define MEM_DECOMMIT 0x4000
+#define MEM_RELEASE 0x8000
+#define MEM_FREE 0x10000
+#define MEM_PRIVATE 0x20000
+#define MEM_MAPPED 0x40000
+#define MEM_RESET 0x80000
+#define MEM_TOP_DOWN 0x100000
+#define MEM_WRITE_WATCH 0x200000
+#define MEM_PHYSICAL 0x400000
+#define MEM_ROTATE 0x800000
+#define MEM_DIFFERENT_IMAGE_BASE_OK 0x800000
+#define MEM_RESET_UNDO 0x1000000
+#define MEM_LARGE_PAGES 0x20000000
+#define MEM_4MB_PAGES 0x80000000
+
+#define SEC_FILE 0x800000
+#define SEC_IMAGE 0x1000000
+#define SEC_PROTECTED_IMAGE 0x2000000
+#define SEC_RESERVE 0x4000000
+#define SEC_COMMIT 0x8000000
+#define SEC_NOCACHE 0x10000000
+#define SEC_WRITECOMBINE 0x40000000
+#define SEC_LARGE_PAGES 0x80000000
+#define SEC_IMAGE_NO_EXECUTE (SEC_IMAGE | SEC_NOCACHE)
+#define MEM_IMAGE SEC_IMAGE
+
+#endif
+
+// private
+typedef enum _MEMORY_INFORMATION_CLASS
+{
+    MemoryBasicInformation, // MEMORY_BASIC_INFORMATION
+    MemoryWorkingSetInformation, // MEMORY_WORKING_SET_INFORMATION
+    MemoryMappedFilenameInformation, // UNICODE_STRING
+    MemoryRegionInformation, // MEMORY_REGION_INFORMATION
+    MemoryWorkingSetExInformation, // MEMORY_WORKING_SET_EX_INFORMATION
+    MemorySharedCommitInformation, // MEMORY_SHARED_COMMIT_INFORMATION
+    MemoryImageInformation, // MEMORY_IMAGE_INFORMATION
+    MemoryRegionInformationEx,
+    MemoryPrivilegedBasicInformation
+} MEMORY_INFORMATION_CLASS;
+
+#if (PHNT_MODE == PHNT_MODE_KERNEL)
+
+typedef struct _MEMORY_BASIC_INFORMATION
+{
+    PVOID BaseAddress;
+    PVOID AllocationBase;
+    ULONG AllocationProtect;
+    SIZE_T RegionSize;
+    ULONG State;
+    ULONG Protect;
+    ULONG Type;
+} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;
+#endif
+
+typedef struct _MEMORY_WORKING_SET_BLOCK
+{
+    ULONG_PTR Protection : 5;
+    ULONG_PTR ShareCount : 3;
+    ULONG_PTR Shared : 1;
+    ULONG_PTR Node : 3;
+#ifdef _WIN64
+    ULONG_PTR VirtualPage : 52;
+#else
+    ULONG VirtualPage : 20;
+#endif
+} MEMORY_WORKING_SET_BLOCK, *PMEMORY_WORKING_SET_BLOCK;
+
+typedef struct _MEMORY_WORKING_SET_INFORMATION
+{
+    ULONG_PTR NumberOfEntries;
+    MEMORY_WORKING_SET_BLOCK WorkingSetInfo[1];
+} MEMORY_WORKING_SET_INFORMATION, *PMEMORY_WORKING_SET_INFORMATION;
+
+// private
+typedef struct _MEMORY_REGION_INFORMATION
+{
+    PVOID AllocationBase;
+    ULONG AllocationProtect;
+    union
+    {
+        ULONG RegionType;
+        struct
+        {
+            ULONG Private : 1;
+            ULONG MappedDataFile : 1;
+            ULONG MappedImage : 1;
+            ULONG MappedPageFile : 1;
+            ULONG MappedPhysical : 1;
+            ULONG DirectMapped : 1;
+            ULONG Reserved : 26;
+        };
+    };
+    SIZE_T RegionSize;
+    SIZE_T CommitSize;
+} MEMORY_REGION_INFORMATION, *PMEMORY_REGION_INFORMATION;
+
+// private
+typedef struct _MEMORY_WORKING_SET_EX_BLOCK
+{
+    union
+    {
+        struct
+        {
+            ULONG_PTR Valid : 1;
+            ULONG_PTR ShareCount : 3;
+            ULONG_PTR Win32Protection : 11;
+            ULONG_PTR Shared : 1;
+            ULONG_PTR Node : 6;
+            ULONG_PTR Locked : 1;
+            ULONG_PTR LargePage : 1;
+            ULONG_PTR Priority : 3;
+            ULONG_PTR Reserved : 3;
+            ULONG_PTR SharedOriginal : 1;
+            ULONG_PTR Bad : 1;
+#ifdef _WIN64
+            ULONG_PTR ReservedUlong : 32;
+#endif
+        };
+        struct
+        {
+            ULONG_PTR Valid : 1;
+            ULONG_PTR Reserved0 : 14;
+            ULONG_PTR Shared : 1;
+            ULONG_PTR Reserved1 : 5;
+            ULONG_PTR PageTable : 1;
+            ULONG_PTR Location : 2;
+            ULONG_PTR Priority : 3;
+            ULONG_PTR ModifiedList : 1;
+            ULONG_PTR Reserved2 : 2;
+            ULONG_PTR SharedOriginal : 1;
+            ULONG_PTR Bad : 1;
+#ifdef _WIN64
+            ULONG_PTR ReservedUlong : 32;
+#endif
+        } Invalid;
+    };
+} MEMORY_WORKING_SET_EX_BLOCK, *PMEMORY_WORKING_SET_EX_BLOCK;
+
+// private
+typedef struct _MEMORY_WORKING_SET_EX_INFORMATION
+{
+    PVOID VirtualAddress;
+    union
+    {
+        MEMORY_WORKING_SET_EX_BLOCK VirtualAttributes;
+        ULONG_PTR Long;
+    } u1;
+} MEMORY_WORKING_SET_EX_INFORMATION, *PMEMORY_WORKING_SET_EX_INFORMATION;
+
+// private
+typedef struct _MEMORY_SHARED_COMMIT_INFORMATION
+{
+    SIZE_T CommitSize;
+} MEMORY_SHARED_COMMIT_INFORMATION, *PMEMORY_SHARED_COMMIT_INFORMATION;
+
+// private
+typedef struct _MEMORY_IMAGE_INFORMATION
+{
+    PVOID ImageBase;
+    SIZE_T SizeOfImage;
+    union
+    {
+        ULONG ImageFlags;
+        struct
+        {
+            ULONG ImagePartialMap : 1;
+            ULONG ImageNotExecutable : 1;
+            ULONG Reserved : 30;
+        };
+    };
+} MEMORY_IMAGE_INFORMATION, *PMEMORY_IMAGE_INFORMATION;
+
+#define MMPFNLIST_ZERO 0
+#define MMPFNLIST_FREE 1
+#define MMPFNLIST_STANDBY 2
+#define MMPFNLIST_MODIFIED 3
+#define MMPFNLIST_MODIFIEDNOWRITE 4
+#define MMPFNLIST_BAD 5
+#define MMPFNLIST_ACTIVE 6
+#define MMPFNLIST_TRANSITION 7
+
+#define MMPFNUSE_PROCESSPRIVATE 0
+#define MMPFNUSE_FILE 1
+#define MMPFNUSE_PAGEFILEMAPPED 2
+#define MMPFNUSE_PAGETABLE 3
+#define MMPFNUSE_PAGEDPOOL 4
+#define MMPFNUSE_NONPAGEDPOOL 5
+#define MMPFNUSE_SYSTEMPTE 6
+#define MMPFNUSE_SESSIONPRIVATE 7
+#define MMPFNUSE_METAFILE 8
+#define MMPFNUSE_AWEPAGE 9
+#define MMPFNUSE_DRIVERLOCKPAGE 10
+#define MMPFNUSE_KERNELSTACK 11
+
+// private
+typedef struct _MEMORY_FRAME_INFORMATION
+{
+    ULONGLONG UseDescription : 4; // MMPFNUSE_*
+    ULONGLONG ListDescription : 3; // MMPFNLIST_*
+    ULONGLONG Reserved0 : 1; // reserved for future expansion
+    ULONGLONG Pinned : 1; // 1 - pinned, 0 - not pinned
+    ULONGLONG DontUse : 48; // *_INFORMATION overlay
+    ULONGLONG Priority : 3; // rev
+    ULONGLONG Reserved : 4; // reserved for future expansion
+} MEMORY_FRAME_INFORMATION;
+
+// private
+typedef struct _FILEOFFSET_INFORMATION
+{
+    ULONGLONG DontUse : 9; // MEMORY_FRAME_INFORMATION overlay
+    ULONGLONG Offset : 48; // mapped files
+    ULONGLONG Reserved : 7; // reserved for future expansion
+} FILEOFFSET_INFORMATION;
+
+// private
+typedef struct _PAGEDIR_INFORMATION
+{
+    ULONGLONG DontUse : 9; // MEMORY_FRAME_INFORMATION overlay
+    ULONGLONG PageDirectoryBase : 48; // private pages
+    ULONGLONG Reserved : 7; // reserved for future expansion
+} PAGEDIR_INFORMATION;
+
+// private
+typedef struct _UNIQUE_PROCESS_INFORMATION
+{
+    ULONGLONG DontUse : 9; // MEMORY_FRAME_INFORMATION overlay
+    ULONGLONG UniqueProcessKey : 48; // ProcessId
+    ULONGLONG Reserved  : 7; // reserved for future expansion
+} UNIQUE_PROCESS_INFORMATION, *PUNIQUE_PROCESS_INFORMATION;
+
+// private
+typedef struct _MMPFN_IDENTITY
+{
+    union
+    {
+        MEMORY_FRAME_INFORMATION e1; // all
+        FILEOFFSET_INFORMATION e2; // mapped files
+        PAGEDIR_INFORMATION e3; // private pages
+        UNIQUE_PROCESS_INFORMATION e4; // owning process
+    } u1;
+    ULONG_PTR PageFrameIndex; // all
+    union
+    {
+        struct
+        {
+            ULONG_PTR Image : 1;
+            ULONG_PTR Mismatch : 1;
+        } e1;
+        struct
+        {
+            ULONG_PTR CombinedPage;
+        } e2;
+        ULONG_PTR FileObject; // mapped files
+        ULONG_PTR UniqueFileObjectKey;
+        ULONG_PTR ProtoPteAddress;
+        ULONG_PTR VirtualAddress;  // everything else
+    } u2;
+} MMPFN_IDENTITY, *PMMPFN_IDENTITY;
+
+typedef struct _MMPFN_MEMSNAP_INFORMATION
+{
+    ULONG_PTR InitialPageFrameIndex;
+    ULONG_PTR Count;
+} MMPFN_MEMSNAP_INFORMATION, *PMMPFN_MEMSNAP_INFORMATION;
+
+typedef enum _SECTION_INFORMATION_CLASS
+{
+    SectionBasicInformation,
+    SectionImageInformation,
+    SectionRelocationInformation, // name:wow64:whNtQuerySection_SectionRelocationInformation
+    SectionOriginalBaseInformation, // PVOID BaseAddress
+    SectionInternalImageInformation, // SECTION_INTERNAL_IMAGE_INFORMATION // since REDSTONE2
+    MaxSectionInfoClass
+} SECTION_INFORMATION_CLASS;
+
+typedef struct _SECTION_BASIC_INFORMATION
+{
+    PVOID BaseAddress;
+    ULONG AllocationAttributes;
+    LARGE_INTEGER MaximumSize;
+} SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;
+
+// symbols
+typedef struct _SECTION_IMAGE_INFORMATION
+{
+    PVOID TransferAddress;
+    ULONG ZeroBits;
+    SIZE_T MaximumStackSize;
+    SIZE_T CommittedStackSize;
+    ULONG SubSystemType;
+    union
+    {
+        struct
+        {
+            USHORT SubSystemMinorVersion;
+            USHORT SubSystemMajorVersion;
+        };
+        ULONG SubSystemVersion;
+    };
+    union
+    {
+        struct
+        {
+            USHORT MajorOperatingSystemVersion;
+            USHORT MinorOperatingSystemVersion;
+        };
+        ULONG OperatingSystemVersion;
+    };
+    USHORT ImageCharacteristics;
+    USHORT DllCharacteristics;
+    USHORT Machine;
+    BOOLEAN ImageContainsCode;
+    union
+    {
+        UCHAR ImageFlags;
+        struct
+        {
+            UCHAR ComPlusNativeReady : 1;
+            UCHAR ComPlusILOnly : 1;
+            UCHAR ImageDynamicallyRelocated : 1;
+            UCHAR ImageMappedFlat : 1;
+            UCHAR BaseBelow4gb : 1;
+            UCHAR ComPlusPrefer32bit : 1;
+            UCHAR Reserved : 2;
+        };
+    };
+    ULONG LoaderFlags;
+    ULONG ImageFileSize;
+    ULONG CheckSum;
+} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;
+
+// symbols
+typedef struct _SECTION_INTERNAL_IMAGE_INFORMATION
+{
+    SECTION_IMAGE_INFORMATION SectionInformation;
+    union
+    {
+        ULONG ExtendedFlags;
+        struct
+        {
+            ULONG ImageReturnFlowGuardEnabled : 1;
+            ULONG ImageReturnFlowGuardStrict : 1;
+            ULONG ImageExportSuppressionEnabled : 1;
+            ULONG Reserved : 29;
+        };
+    };
+} SECTION_INTERNAL_IMAGE_INFORMATION, *PSECTION_INTERNAL_IMAGE_INFORMATION;
+
+#if (PHNT_MODE != PHNT_MODE_KERNEL)
+typedef enum _SECTION_INHERIT
+{
+    ViewShare = 1,
+    ViewUnmap = 2
+} SECTION_INHERIT;
+#endif
+
+#define SEC_BASED 0x200000
+#define SEC_NO_CHANGE 0x400000
+#define SEC_GLOBAL 0x20000000
+
+#define MEM_EXECUTE_OPTION_DISABLE 0x1
+#define MEM_EXECUTE_OPTION_ENABLE 0x2
+#define MEM_EXECUTE_OPTION_DISABLE_THUNK_EMULATION 0x4
+#define MEM_EXECUTE_OPTION_PERMANENT 0x8
+#define MEM_EXECUTE_OPTION_EXECUTE_DISPATCH_ENABLE 0x10
+#define MEM_EXECUTE_OPTION_IMAGE_DISPATCH_ENABLE 0x20
+#define MEM_EXECUTE_OPTION_VALID_FLAGS 0x3f
+
+// Virtual memory
+
+#if (PHNT_MODE != PHNT_MODE_KERNEL)
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAllocateVirtualMemory(
+    _In_ HANDLE ProcessHandle,
+    _Inout_ _At_(*BaseAddress, _Readable_bytes_(*RegionSize) _Writable_bytes_(*RegionSize) _Post_readable_byte_size_(*RegionSize)) PVOID *BaseAddress,
+    _In_ ULONG_PTR ZeroBits,
+    _Inout_ PSIZE_T RegionSize,
+    _In_ ULONG AllocationType,
+    _In_ ULONG Protect
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtFreeVirtualMemory(
+    _In_ HANDLE ProcessHandle,
+    _Inout_ PVOID *BaseAddress,
+    _Inout_ PSIZE_T RegionSize,
+    _In_ ULONG FreeType
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtReadVirtualMemory(
+    _In_ HANDLE ProcessHandle,
+    _In_opt_ PVOID BaseAddress,
+    _Out_writes_bytes_(BufferSize) PVOID Buffer,
+    _In_ SIZE_T BufferSize,
+    _Out_opt_ PSIZE_T NumberOfBytesRead
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtWriteVirtualMemory(
+    _In_ HANDLE ProcessHandle,
+    _In_opt_ PVOID BaseAddress,
+    _In_reads_bytes_(BufferSize) PVOID Buffer,
+    _In_ SIZE_T BufferSize,
+    _Out_opt_ PSIZE_T NumberOfBytesWritten
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtProtectVirtualMemory(
+    _In_ HANDLE ProcessHandle,
+    _Inout_ PVOID *BaseAddress,
+    _Inout_ PSIZE_T RegionSize,
+    _In_ ULONG NewProtect,
+    _Out_ PULONG OldProtect
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryVirtualMemory(
+    _In_ HANDLE ProcessHandle,
+    _In_ PVOID BaseAddress,
+    _In_ MEMORY_INFORMATION_CLASS MemoryInformationClass,
+    _Out_writes_bytes_(MemoryInformationLength) PVOID MemoryInformation,
+    _In_ SIZE_T MemoryInformationLength,
+    _Out_opt_ PSIZE_T ReturnLength
+    );
+
+#endif
+
+// begin_private
+
+typedef enum _VIRTUAL_MEMORY_INFORMATION_CLASS
+{
+    VmPrefetchInformation,
+    VmPagePriorityInformation,
+    VmCfgCallTargetInformation
+} VIRTUAL_MEMORY_INFORMATION_CLASS;
+
+typedef struct _MEMORY_RANGE_ENTRY
+{
+    PVOID VirtualAddress;
+    SIZE_T NumberOfBytes;
+} MEMORY_RANGE_ENTRY, *PMEMORY_RANGE_ENTRY;
+
+// end_private
+
+#if (PHNT_MODE != PHNT_MODE_KERNEL)
+
+#if (PHNT_VERSION >= PHNT_THRESHOLD)
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetInformationVirtualMemory(
+    _In_ HANDLE ProcessHandle,
+    _In_ VIRTUAL_MEMORY_INFORMATION_CLASS VmInformationClass,
+    _In_ ULONG_PTR NumberOfEntries,
+    _In_reads_ (NumberOfEntries) PMEMORY_RANGE_ENTRY VirtualAddresses,
+    _In_reads_bytes_ (VmInformationLength) PVOID VmInformation,
+    _In_ ULONG VmInformationLength
+    );
+
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtLockVirtualMemory(
+    _In_ HANDLE ProcessHandle,
+    _Inout_ PVOID *BaseAddress,
+    _Inout_ PSIZE_T RegionSize,
+    _In_ ULONG MapType
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtUnlockVirtualMemory(
+    _In_ HANDLE ProcessHandle,
+    _Inout_ PVOID *BaseAddress,
+    _Inout_ PSIZE_T RegionSize,
+    _In_ ULONG MapType
+    );
+
+#endif
+
+// Sections
+
+#if (PHNT_MODE != PHNT_MODE_KERNEL)
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateSection(
+    _Out_ PHANDLE SectionHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _In_opt_ PLARGE_INTEGER MaximumSize,
+    _In_ ULONG SectionPageProtection,
+    _In_ ULONG AllocationAttributes,
+    _In_opt_ HANDLE FileHandle
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenSection(
+    _Out_ PHANDLE SectionHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ POBJECT_ATTRIBUTES ObjectAttributes
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtMapViewOfSection(
+    _In_ HANDLE SectionHandle,
+    _In_ HANDLE ProcessHandle,
+    _Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID *BaseAddress,
+    _In_ ULONG_PTR ZeroBits,
+    _In_ SIZE_T CommitSize,
+    _Inout_opt_ PLARGE_INTEGER SectionOffset,
+    _Inout_ PSIZE_T ViewSize,
+    _In_ SECTION_INHERIT InheritDisposition,
+    _In_ ULONG AllocationType,
+    _In_ ULONG Win32Protect
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtUnmapViewOfSection(
+    _In_ HANDLE ProcessHandle,
+    _In_opt_ PVOID BaseAddress
+    );
+
+#if (PHNT_VERSION >= PHNT_WIN8)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtUnmapViewOfSectionEx(
+    _In_ HANDLE ProcessHandle,
+    _In_opt_ PVOID BaseAddress,
+    _In_ ULONG Flags
+    );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtExtendSection(
+    _In_ HANDLE SectionHandle,
+    _Inout_ PLARGE_INTEGER NewSectionSize
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQuerySection(
+    _In_ HANDLE SectionHandle,
+    _In_ SECTION_INFORMATION_CLASS SectionInformationClass,
+    _Out_writes_bytes_(SectionInformationLength) PVOID SectionInformation,
+    _In_ SIZE_T SectionInformationLength,
+    _Out_opt_ PSIZE_T ReturnLength
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAreMappedFilesTheSame(
+    _In_ PVOID File1MappedAsAnImage,
+    _In_ PVOID File2MappedAsFile
+    );
+
+#endif
+
+// Partitions
+
+// private
+typedef enum _MEMORY_PARTITION_INFORMATION_CLASS
+{
+    SystemMemoryPartitionInformation, // q: MEMORY_PARTITION_CONFIGURATION_INFORMATION
+    SystemMemoryPartitionMoveMemory, // s: MEMORY_PARTITION_TRANSFER_INFORMATION
+    SystemMemoryPartitionAddPagefile, // s: MEMORY_PARTITION_PAGEFILE_INFORMATION
+    SystemMemoryPartitionCombineMemory, // q; s: MEMORY_PARTITION_PAGE_COMBINE_INFORMATION
+    SystemMemoryPartitionInitialAddMemory, // q; s: MEMORY_PARTITION_INITIAL_ADD_INFORMATION
+    SystemMemoryPartitionGetMemoryEvents // MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION // since REDSTONE2
+} MEMORY_PARTITION_INFORMATION_CLASS;
+
+// private
+typedef struct _MEMORY_PARTITION_CONFIGURATION_INFORMATION
+{
+    ULONG Flags;
+    ULONG NumaNode;
+    ULONG Channel;
+    ULONG NumberOfNumaNodes;
+    ULONG_PTR ResidentAvailablePages;
+    ULONG_PTR CommittedPages;
+    ULONG_PTR CommitLimit;
+    ULONG_PTR PeakCommitment;
+    ULONG_PTR TotalNumberOfPages;
+    ULONG_PTR AvailablePages;
+    ULONG_PTR ZeroPages;
+    ULONG_PTR FreePages;
+    ULONG_PTR StandbyPages;
+    ULONG StandbyPageCountByPriority[8]; // since REDSTONE2
+    ULONG RepurposedPagesByPriority[8];
+    ULONG MaximumCommitLimit;
+    ULONG DonatedPagesToPartitions;
+} MEMORY_PARTITION_CONFIGURATION_INFORMATION, *PMEMORY_PARTITION_CONFIGURATION_INFORMATION;
+
+// private
+typedef struct _MEMORY_PARTITION_TRANSFER_INFORMATION
+{
+    ULONG_PTR NumberOfPages;
+    ULONG NumaNode;
+    ULONG Flags;
+} MEMORY_PARTITION_TRANSFER_INFORMATION, *PMEMORY_PARTITION_TRANSFER_INFORMATION;
+
+// private
+typedef struct _MEMORY_PARTITION_PAGEFILE_INFORMATION
+{
+    UNICODE_STRING PageFileName;
+    LARGE_INTEGER MinimumSize;
+    LARGE_INTEGER MaximumSize;
+    ULONG Flags;
+} MEMORY_PARTITION_PAGEFILE_INFORMATION, *PMEMORY_PARTITION_PAGEFILE_INFORMATION;
+
+// private
+typedef struct _MEMORY_PARTITION_PAGE_COMBINE_INFORMATION
+{
+    HANDLE StopHandle;
+    ULONG Flags;
+    ULONG_PTR TotalNumberOfPages;
+} MEMORY_PARTITION_PAGE_COMBINE_INFORMATION, *PMEMORY_PARTITION_PAGE_COMBINE_INFORMATION;
+
+// private
+typedef struct _MEMORY_PARTITION_PAGE_RANGE
+{
+    ULONG_PTR StartPage;
+    ULONG_PTR NumberOfPages;
+} MEMORY_PARTITION_PAGE_RANGE, *PMEMORY_PARTITION_PAGE_RANGE;
+
+// private
+typedef struct _MEMORY_PARTITION_INITIAL_ADD_INFORMATION
+{
+    ULONG Flags;
+    ULONG NumberOfRanges;
+    ULONG_PTR NumberOfPagesAdded;
+    MEMORY_PARTITION_PAGE_RANGE PartitionRanges[1];
+} MEMORY_PARTITION_INITIAL_ADD_INFORMATION, *PMEMORY_PARTITION_INITIAL_ADD_INFORMATION;
+
+// private
+typedef struct _MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION
+{
+    union
+    {    
+        struct
+        {
+            ULONG CommitEvents : 1;
+            ULONG Spare : 31;
+        };
+        ULONG AllFlags;
+    };
+} MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION, *PMEMORY_PARTITION_MEMORY_EVENTS_INFORMATION;
+
+#if (PHNT_MODE != PHNT_MODE_KERNEL)
+
+#if (PHNT_VERSION >= PHNT_THRESHOLD)
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreatePartition(
+    _Out_ PHANDLE PartitionHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _In_ ULONG PreferredNode
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenPartition(
+    _Out_ PHANDLE PartitionHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ POBJECT_ATTRIBUTES ObjectAttributes
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtManagePartition(
+    _In_ MEMORY_PARTITION_INFORMATION_CLASS PartitionInformationClass,
+    _In_ PVOID PartitionInformation,
+    _In_ ULONG PartitionInformationLength
+    );
+
+#endif
+
+#endif
+
+// User physical pages
+
+#if (PHNT_MODE != PHNT_MODE_KERNEL)
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtMapUserPhysicalPages(
+    _In_ PVOID VirtualAddress,
+    _In_ ULONG_PTR NumberOfPages,
+    _In_reads_opt_(NumberOfPages) PULONG_PTR UserPfnArray
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtMapUserPhysicalPagesScatter(
+    _In_reads_(NumberOfPages) PVOID *VirtualAddresses,
+    _In_ ULONG_PTR NumberOfPages,
+    _In_reads_opt_(NumberOfPages) PULONG_PTR UserPfnArray
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAllocateUserPhysicalPages(
+    _In_ HANDLE ProcessHandle,
+    _Inout_ PULONG_PTR NumberOfPages,
+    _Out_writes_(*NumberOfPages) PULONG_PTR UserPfnArray
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtFreeUserPhysicalPages(
+    _In_ HANDLE ProcessHandle,
+    _Inout_ PULONG_PTR NumberOfPages,
+    _In_reads_(*NumberOfPages) PULONG_PTR UserPfnArray
+    );
+
+#endif
+
+// Sessions
+
+#if (PHNT_MODE != PHNT_MODE_KERNEL)
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenSession(
+    _Out_ PHANDLE SessionHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ POBJECT_ATTRIBUTES ObjectAttributes
+    );
+#endif
+
+#endif
+
+// Misc.
+
+#if (PHNT_MODE != PHNT_MODE_KERNEL)
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtGetWriteWatch(
+    _In_ HANDLE ProcessHandle,
+    _In_ ULONG Flags,
+    _In_ PVOID BaseAddress,
+    _In_ SIZE_T RegionSize,
+    _Out_writes_(*EntriesInUserAddressArray) PVOID *UserAddressArray,
+    _Inout_ PULONG_PTR EntriesInUserAddressArray,
+    _Out_ PULONG Granularity
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtResetWriteWatch(
+    _In_ HANDLE ProcessHandle,
+    _In_ PVOID BaseAddress,
+    _In_ SIZE_T RegionSize
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreatePagingFile(
+    _In_ PUNICODE_STRING PageFileName,
+    _In_ PLARGE_INTEGER MinimumSize,
+    _In_ PLARGE_INTEGER MaximumSize,
+    _In_ ULONG Priority
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtFlushInstructionCache(
+    _In_ HANDLE ProcessHandle,
+    _In_opt_ PVOID BaseAddress,
+    _In_ SIZE_T Length
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtFlushWriteBuffer(
+    VOID
+    );
+
+#endif
+
+#endif

phnt/include/ntnls.h

@@ -0,0 +1,30 @@
+#ifndef _NTNLS_H
+#define _NTNLS_H
+
+#define MAXIMUM_LEADBYTES 12
+
+typedef struct _CPTABLEINFO
+{
+    USHORT CodePage;
+    USHORT MaximumCharacterSize;
+    USHORT DefaultChar;
+    USHORT UniDefaultChar;
+    USHORT TransDefaultChar;
+    USHORT TransUniDefaultChar;
+    USHORT DBCSCodePage;
+    UCHAR LeadByte[MAXIMUM_LEADBYTES];
+    PUSHORT MultiByteTable;
+    PVOID WideCharTable;
+    PUSHORT DBCSRanges;
+    PUSHORT DBCSOffsets;
+} CPTABLEINFO, *PCPTABLEINFO;
+
+typedef struct _NLSTABLEINFO
+{
+    CPTABLEINFO OemTableInfo;
+    CPTABLEINFO AnsiTableInfo;
+    PUSHORT UpperCaseTable;
+    PUSHORT LowerCaseTable;
+} NLSTABLEINFO, *PNLSTABLEINFO;
+
+#endif

phnt/include/ntobapi.h

@@ -0,0 +1,372 @@
+#ifndef _NTOBAPI_H
+#define _NTOBAPI_H
+
+#if (PHNT_MODE != PHNT_MODE_KERNEL)
+#define OBJECT_TYPE_CREATE 0x0001
+#define OBJECT_TYPE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1)
+#endif
+
+#if (PHNT_MODE != PHNT_MODE_KERNEL)
+#define DIRECTORY_QUERY 0x0001
+#define DIRECTORY_TRAVERSE 0x0002
+#define DIRECTORY_CREATE_OBJECT 0x0004
+#define DIRECTORY_CREATE_SUBDIRECTORY 0x0008
+#define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xf)
+#endif
+
+#if (PHNT_MODE != PHNT_MODE_KERNEL)
+#define SYMBOLIC_LINK_QUERY 0x0001
+#define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1)
+#endif
+
+#define OBJ_PROTECT_CLOSE 0x00000001
+#ifndef OBJ_INHERIT
+#define OBJ_INHERIT 0x00000002
+#endif
+#define OBJ_AUDIT_OBJECT_CLOSE 0x00000004
+
+#if (PHNT_MODE != PHNT_MODE_KERNEL)
+typedef enum _OBJECT_INFORMATION_CLASS
+{
+    ObjectBasicInformation, // OBJECT_BASIC_INFORMATION
+    ObjectNameInformation, // OBJECT_NAME_INFORMATION
+    ObjectTypeInformation, // OBJECT_TYPE_INFORMATION
+    ObjectTypesInformation, // OBJECT_TYPES_INFORMATION
+    ObjectHandleFlagInformation, // OBJECT_HANDLE_FLAG_INFORMATION
+    ObjectSessionInformation,
+    ObjectSessionObjectInformation,
+    MaxObjectInfoClass
+} OBJECT_INFORMATION_CLASS;
+#else
+#define ObjectNameInformation 1
+#define ObjectTypesInformation 3
+#define ObjectHandleFlagInformation 4
+#define ObjectSessionInformation 5
+#endif
+
+typedef struct _OBJECT_BASIC_INFORMATION
+{
+    ULONG Attributes;
+    ACCESS_MASK GrantedAccess;
+    ULONG HandleCount;
+    ULONG PointerCount;
+    ULONG PagedPoolCharge;
+    ULONG NonPagedPoolCharge;
+    ULONG Reserved[3];
+    ULONG NameInfoSize;
+    ULONG TypeInfoSize;
+    ULONG SecurityDescriptorSize;
+    LARGE_INTEGER CreationTime;
+} OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION;
+
+#if (PHNT_MODE != PHNT_MODE_KERNEL)
+typedef struct _OBJECT_NAME_INFORMATION
+{
+    UNICODE_STRING Name;
+} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;
+#endif
+
+typedef struct _OBJECT_TYPE_INFORMATION
+{
+    UNICODE_STRING TypeName;
+    ULONG TotalNumberOfObjects;
+    ULONG TotalNumberOfHandles;
+    ULONG TotalPagedPoolUsage;
+    ULONG TotalNonPagedPoolUsage;
+    ULONG TotalNamePoolUsage;
+    ULONG TotalHandleTableUsage;
+    ULONG HighWaterNumberOfObjects;
+    ULONG HighWaterNumberOfHandles;
+    ULONG HighWaterPagedPoolUsage;
+    ULONG HighWaterNonPagedPoolUsage;
+    ULONG HighWaterNamePoolUsage;
+    ULONG HighWaterHandleTableUsage;
+    ULONG InvalidAttributes;
+    GENERIC_MAPPING GenericMapping;
+    ULONG ValidAccessMask;
+    BOOLEAN SecurityRequired;
+    BOOLEAN MaintainHandleCount;
+    UCHAR TypeIndex; // since WINBLUE
+    CHAR ReservedByte;
+    ULONG PoolType;
+    ULONG DefaultPagedPoolCharge;
+    ULONG DefaultNonPagedPoolCharge;
+} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;
+
+typedef struct _OBJECT_TYPES_INFORMATION
+{
+    ULONG NumberOfTypes;
+} OBJECT_TYPES_INFORMATION, *POBJECT_TYPES_INFORMATION;
+
+typedef struct _OBJECT_HANDLE_FLAG_INFORMATION
+{
+    BOOLEAN Inherit;
+    BOOLEAN ProtectFromClose;
+} OBJECT_HANDLE_FLAG_INFORMATION, *POBJECT_HANDLE_FLAG_INFORMATION;
+
+// Objects, handles
+
+#if (PHNT_MODE != PHNT_MODE_KERNEL)
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryObject(
+    _In_ HANDLE Handle,
+    _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass,
+    _Out_writes_bytes_opt_(ObjectInformationLength) PVOID ObjectInformation,
+    _In_ ULONG ObjectInformationLength,
+    _Out_opt_ PULONG ReturnLength
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetInformationObject(
+    _In_ HANDLE Handle,
+    _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass,
+    _In_reads_bytes_(ObjectInformationLength) PVOID ObjectInformation,
+    _In_ ULONG ObjectInformationLength
+    );
+
+#define DUPLICATE_CLOSE_SOURCE 0x00000001
+#define DUPLICATE_SAME_ACCESS 0x00000002
+#define DUPLICATE_SAME_ATTRIBUTES 0x00000004
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDuplicateObject(
+    _In_ HANDLE SourceProcessHandle,
+    _In_ HANDLE SourceHandle,
+    _In_opt_ HANDLE TargetProcessHandle,
+    _Out_opt_ PHANDLE TargetHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ ULONG HandleAttributes,
+    _In_ ULONG Options
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtMakeTemporaryObject(
+    _In_ HANDLE Handle
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtMakePermanentObject(
+    _In_ HANDLE Handle
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSignalAndWaitForSingleObject(
+    _In_ HANDLE SignalHandle,
+    _In_ HANDLE WaitHandle,
+    _In_ BOOLEAN Alertable,
+    _In_opt_ PLARGE_INTEGER Timeout
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtWaitForSingleObject(
+    _In_ HANDLE Handle,
+    _In_ BOOLEAN Alertable,
+    _In_opt_ PLARGE_INTEGER Timeout
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtWaitForMultipleObjects(
+    _In_ ULONG Count,
+    _In_reads_(Count) HANDLE Handles[],
+    _In_ WAIT_TYPE WaitType,
+    _In_ BOOLEAN Alertable,
+    _In_opt_ PLARGE_INTEGER Timeout
+    );
+
+#if (PHNT_VERSION >= PHNT_WS03)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtWaitForMultipleObjects32(
+    _In_ ULONG Count,
+    _In_reads_(Count) LONG Handles[],
+    _In_ WAIT_TYPE WaitType,
+    _In_ BOOLEAN Alertable,
+    _In_opt_ PLARGE_INTEGER Timeout
+    );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetSecurityObject(
+    _In_ HANDLE Handle,
+    _In_ SECURITY_INFORMATION SecurityInformation,
+    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQuerySecurityObject(
+    _In_ HANDLE Handle,
+    _In_ SECURITY_INFORMATION SecurityInformation,
+    _Out_writes_bytes_opt_(Length) PSECURITY_DESCRIPTOR SecurityDescriptor,
+    _In_ ULONG Length,
+    _Out_ PULONG LengthNeeded
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtClose(
+    _In_ HANDLE Handle
+    );
+
+#if (PHNT_VERSION >= PHNT_THRESHOLD)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCompareObjects(
+    _In_ HANDLE FirstObjectHandle,
+    _In_ HANDLE SecondObjectHandle
+    );
+#endif
+
+#endif
+
+// Directory objects
+
+#if (PHNT_MODE != PHNT_MODE_KERNEL)
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateDirectoryObject(
+    _Out_ PHANDLE DirectoryHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ POBJECT_ATTRIBUTES ObjectAttributes
+    );
+
+#if (PHNT_VERSION >= PHNT_WIN8)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateDirectoryObjectEx(
+    _Out_ PHANDLE DirectoryHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _In_ HANDLE ShadowDirectoryHandle,
+    _In_ ULONG Flags
+    );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenDirectoryObject(
+    _Out_ PHANDLE DirectoryHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ POBJECT_ATTRIBUTES ObjectAttributes
+    );
+
+typedef struct _OBJECT_DIRECTORY_INFORMATION
+{
+    UNICODE_STRING Name;
+    UNICODE_STRING TypeName;
+} OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION;
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryDirectoryObject(
+    _In_ HANDLE DirectoryHandle,
+    _Out_writes_bytes_opt_(Length) PVOID Buffer,
+    _In_ ULONG Length,
+    _In_ BOOLEAN ReturnSingleEntry,
+    _In_ BOOLEAN RestartScan,
+    _Inout_ PULONG Context,
+    _Out_opt_ PULONG ReturnLength
+    );
+
+#endif
+
+// Private namespaces
+
+#if (PHNT_MODE != PHNT_MODE_KERNEL)
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreatePrivateNamespace(
+    _Out_ PHANDLE NamespaceHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _In_ PVOID BoundaryDescriptor
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenPrivateNamespace(
+    _Out_ PHANDLE NamespaceHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _In_ PVOID BoundaryDescriptor
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDeletePrivateNamespace(
+    _In_ HANDLE NamespaceHandle
+    );
+
+#endif
+
+#endif
+
+// Symbolic links
+
+#if (PHNT_MODE != PHNT_MODE_KERNEL)
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateSymbolicLinkObject(
+    _Out_ PHANDLE LinkHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _In_ PUNICODE_STRING LinkTarget
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenSymbolicLinkObject(
+    _Out_ PHANDLE LinkHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ POBJECT_ATTRIBUTES ObjectAttributes
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQuerySymbolicLinkObject(
+    _In_ HANDLE LinkHandle,
+    _Inout_ PUNICODE_STRING LinkTarget,
+    _Out_opt_ PULONG ReturnedLength
+    );
+
+#endif
+
+#endif

phnt/include/ntpebteb.h

@@ -0,0 +1,324 @@
+#ifndef _NTPEBTEB_H
+#define _NTPEBTEB_H
+
+typedef struct _RTL_USER_PROCESS_PARAMETERS *PRTL_USER_PROCESS_PARAMETERS;
+typedef struct _RTL_CRITICAL_SECTION *PRTL_CRITICAL_SECTION;
+
+// symbols
+typedef struct _PEB
+{
+    BOOLEAN InheritedAddressSpace;
+    BOOLEAN ReadImageFileExecOptions;
+    BOOLEAN BeingDebugged;
+    union
+    {
+        BOOLEAN BitField;
+        struct
+        {
+            BOOLEAN ImageUsesLargePages : 1;
+            BOOLEAN IsProtectedProcess : 1;
+            BOOLEAN IsImageDynamicallyRelocated : 1;
+            BOOLEAN SkipPatchingUser32Forwarders : 1;
+            BOOLEAN IsPackagedProcess : 1;
+            BOOLEAN IsAppContainer : 1;
+            BOOLEAN IsProtectedProcessLight : 1;
+            BOOLEAN IsLongPathAwareProcess : 1;
+        };
+    };
+
+    HANDLE Mutant;
+
+    PVOID ImageBaseAddress;
+    PPEB_LDR_DATA Ldr;
+    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
+    PVOID SubSystemData;
+    PVOID ProcessHeap;
+    PRTL_CRITICAL_SECTION FastPebLock;
+    PVOID AtlThunkSListPtr;
+    PVOID IFEOKey;
+    union
+    {
+        ULONG CrossProcessFlags;
+        struct
+        {
+            ULONG ProcessInJob : 1;
+            ULONG ProcessInitializing : 1;
+            ULONG ProcessUsingVEH : 1;
+            ULONG ProcessUsingVCH : 1;
+            ULONG ProcessUsingFTH : 1;
+            ULONG ProcessPreviouslyThrottled : 1;
+            ULONG ProcessCurrentlyThrottled : 1;
+            ULONG ReservedBits0 : 25;
+        };
+    };
+    union
+    {
+        PVOID KernelCallbackTable;
+        PVOID UserSharedInfoPtr;
+    };
+    ULONG SystemReserved[1];
+    ULONG AtlThunkSListPtr32;
+    PVOID ApiSetMap;
+    ULONG TlsExpansionCounter;
+    PVOID TlsBitmap;
+    ULONG TlsBitmapBits[2];
+    PVOID ReadOnlySharedMemoryBase;
+    PVOID HotpatchInformation;
+    PVOID *ReadOnlyStaticServerData;
+    PVOID AnsiCodePageData; // PCPTABLEINFO
+    PVOID OemCodePageData; // PCPTABLEINFO
+    PVOID UnicodeCaseTableData; // PNLSTABLEINFO
+
+    ULONG NumberOfProcessors;
+    ULONG NtGlobalFlag;
+
+    LARGE_INTEGER CriticalSectionTimeout;
+    SIZE_T HeapSegmentReserve;
+    SIZE_T HeapSegmentCommit;
+    SIZE_T HeapDeCommitTotalFreeThreshold;
+    SIZE_T HeapDeCommitFreeBlockThreshold;
+
+    ULONG NumberOfHeaps;
+    ULONG MaximumNumberOfHeaps;
+    PVOID *ProcessHeaps; // PHEAP
+
+    PVOID GdiSharedHandleTable;
+    PVOID ProcessStarterHelper;
+    ULONG GdiDCAttributeList;
+
+    PRTL_CRITICAL_SECTION LoaderLock;
+
+    ULONG OSMajorVersion;
+    ULONG OSMinorVersion;
+    USHORT OSBuildNumber;
+    USHORT OSCSDVersion;
+    ULONG OSPlatformId;
+    ULONG ImageSubsystem;
+    ULONG ImageSubsystemMajorVersion;
+    ULONG ImageSubsystemMinorVersion;
+    ULONG_PTR ActiveProcessAffinityMask;
+    GDI_HANDLE_BUFFER GdiHandleBuffer;
+    PVOID PostProcessInitRoutine;
+
+    PVOID TlsExpansionBitmap;
+    ULONG TlsExpansionBitmapBits[32];
+
+    ULONG SessionId;
+
+    ULARGE_INTEGER AppCompatFlags;
+    ULARGE_INTEGER AppCompatFlagsUser;
+    PVOID pShimData;
+    PVOID AppCompatInfo; // APPCOMPAT_EXE_DATA
+
+    UNICODE_STRING CSDVersion;
+
+    PVOID ActivationContextData; // ACTIVATION_CONTEXT_DATA
+    PVOID ProcessAssemblyStorageMap; // ASSEMBLY_STORAGE_MAP
+    PVOID SystemDefaultActivationContextData; // ACTIVATION_CONTEXT_DATA
+    PVOID SystemAssemblyStorageMap; // ASSEMBLY_STORAGE_MAP
+
+    SIZE_T MinimumStackCommit;
+
+    PVOID *FlsCallback;
+    LIST_ENTRY FlsListHead;
+    PVOID FlsBitmap;
+    ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)];
+    ULONG FlsHighIndex;
+
+    PVOID WerRegistrationData;
+    PVOID WerShipAssertPtr;
+    PVOID pContextData;
+    PVOID pImageHeaderHash;
+    union
+    {
+        ULONG TracingFlags;
+        struct
+        {
+            ULONG HeapTracingEnabled : 1;
+            ULONG CritSecTracingEnabled : 1;
+            ULONG LibLoaderTracingEnabled : 1;
+            ULONG SpareTracingBits : 29;
+        };
+    };
+    ULONGLONG CsrServerReadOnlySharedMemoryBase;
+    PVOID TppWorkerpListLock;
+    LIST_ENTRY TppWorkerpList;
+    PVOID WaitOnAddressHashTable[128];
+} PEB, *PPEB;
+
+#define GDI_BATCH_BUFFER_SIZE 310
+
+typedef struct _GDI_TEB_BATCH
+{
+    ULONG Offset;
+    ULONG_PTR HDC;
+    ULONG Buffer[GDI_BATCH_BUFFER_SIZE];
+} GDI_TEB_BATCH, *PGDI_TEB_BATCH;
+
+typedef struct _TEB_ACTIVE_FRAME_CONTEXT
+{
+    ULONG Flags;
+    PSTR FrameName;
+} TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT;
+
+typedef struct _TEB_ACTIVE_FRAME
+{
+    ULONG Flags;
+    struct _TEB_ACTIVE_FRAME *Previous;
+    PTEB_ACTIVE_FRAME_CONTEXT Context;
+} TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME;
+
+typedef struct _TEB
+{
+    NT_TIB NtTib;
+
+    PVOID EnvironmentPointer;
+    CLIENT_ID ClientId;
+    PVOID ActiveRpcHandle;
+    PVOID ThreadLocalStoragePointer;
+    PPEB ProcessEnvironmentBlock;
+
+    ULONG LastErrorValue;
+    ULONG CountOfOwnedCriticalSections;
+    PVOID CsrClientThread;
+    PVOID Win32ThreadInfo;
+    ULONG User32Reserved[26];
+    ULONG UserReserved[5];
+    PVOID WOW32Reserved;
+    LCID CurrentLocale;
+    ULONG FpSoftwareStatusRegister;
+    PVOID ReservedForDebuggerInstrumentation[16];
+    PVOID SystemReserved1[37];
+    UCHAR WorkingOnBehalfTicket[8];
+    NTSTATUS ExceptionCode;
+
+    PVOID ActivationContextStackPointer;
+    ULONG_PTR InstrumentationCallbackSp;
+    ULONG_PTR InstrumentationCallbackPreviousPc;
+    ULONG_PTR InstrumentationCallbackPreviousSp;
+    ULONG TxFsContext;
+
+    BOOLEAN InstrumentationCallbackDisabled;
+    GDI_TEB_BATCH GdiTebBatch;
+    CLIENT_ID RealClientId;
+    HANDLE GdiCachedProcessHandle;
+    ULONG GdiClientPID;
+    ULONG GdiClientTID;
+    PVOID GdiThreadLocalInfo;
+    ULONG_PTR Win32ClientInfo[62];
+    PVOID glDispatchTable[233];
+    ULONG_PTR glReserved1[29];
+    PVOID glReserved2;
+    PVOID glSectionInfo;
+    PVOID glSection;
+    PVOID glTable;
+    PVOID glCurrentRC;
+    PVOID glContext;
+
+    NTSTATUS LastStatusValue;
+    UNICODE_STRING StaticUnicodeString;
+    WCHAR StaticUnicodeBuffer[261];
+
+    PVOID DeallocationStack;
+    PVOID TlsSlots[64];
+    LIST_ENTRY TlsLinks;
+
+    PVOID Vdm;
+    PVOID ReservedForNtRpc;
+    PVOID DbgSsReserved[2];
+
+    ULONG HardErrorMode;
+#ifdef _WIN64
+    PVOID Instrumentation[11];
+#else
+    PVOID Instrumentation[9];
+#endif
+    GUID ActivityId;
+
+    PVOID SubProcessTag;
+    PVOID PerflibData;
+    PVOID EtwTraceData;
+    PVOID WinSockData;
+    ULONG GdiBatchCount;
+
+    union
+    {
+        PROCESSOR_NUMBER CurrentIdealProcessor;
+        ULONG IdealProcessorValue;
+        struct
+        {
+            UCHAR ReservedPad0;
+            UCHAR ReservedPad1;
+            UCHAR ReservedPad2;
+            UCHAR IdealProcessor;
+        };
+    };
+
+    ULONG GuaranteedStackBytes;
+    PVOID ReservedForPerf;
+    PVOID ReservedForOle;
+    ULONG WaitingOnLoaderLock;
+    PVOID SavedPriorityState;
+    ULONG_PTR ReservedForCodeCoverage;
+    PVOID ThreadPoolData;
+    PVOID *TlsExpansionSlots;
+#ifdef _WIN64
+    PVOID DeallocationBStore;
+    PVOID BStoreLimit;
+#endif
+    ULONG MuiGeneration;
+    ULONG IsImpersonating;
+    PVOID NlsCache;
+    PVOID pShimData;
+    USHORT HeapVirtualAffinity;
+    USHORT LowFragHeapDataSlot;
+    HANDLE CurrentTransactionHandle;
+    PTEB_ACTIVE_FRAME ActiveFrame;
+    PVOID FlsData;
+
+    PVOID PreferredLanguages;
+    PVOID UserPrefLanguages;
+    PVOID MergedPrefLanguages;
+    ULONG MuiImpersonation;
+
+    union
+    {
+        USHORT CrossTebFlags;
+        USHORT SpareCrossTebBits : 16;
+    };
+    union
+    {
+        USHORT SameTebFlags;
+        struct
+        {
+            USHORT SafeThunkCall : 1;
+            USHORT InDebugPrint : 1;
+            USHORT HasFiberData : 1;
+            USHORT SkipThreadAttach : 1;
+            USHORT WerInShipAssertCode : 1;
+            USHORT RanProcessInit : 1;
+            USHORT ClonedThread : 1;
+            USHORT SuppressDebugMsg : 1;
+            USHORT DisableUserStackWalk : 1;
+            USHORT RtlExceptionAttached : 1;
+            USHORT InitialThread : 1;
+            USHORT SessionAware : 1;
+            USHORT LoadOwner : 1;
+            USHORT LoaderWorker : 1;
+            USHORT SkipLoaderInit : 1;
+            USHORT SpareSameTebBits : 1;
+        };
+    };
+
+    PVOID TxnScopeEnterCallback;
+    PVOID TxnScopeExitCallback;
+    PVOID TxnScopeContext;
+    ULONG LockCount;
+    LONG WowTebOffset;
+    PVOID ResourceRetValue;
+    PVOID ReservedForWdf;
+    ULONGLONG ReservedForCrt;
+    GUID EffectiveContainerId;
+} TEB, *PTEB;
+
+#endif

phnt/include/ntpfapi.h

@@ -0,0 +1,261 @@
+#ifndef _NTPFAPI_H
+#define _NTPFAPI_H
+
+// begin_private
+
+// Prefetch
+
+typedef enum _PF_BOOT_PHASE_ID
+{
+    PfKernelInitPhase = 0,
+    PfBootDriverInitPhase = 90,
+    PfSystemDriverInitPhase = 120,
+    PfSessionManagerInitPhase = 150,
+    PfSMRegistryInitPhase = 180,
+    PfVideoInitPhase = 210,
+    PfPostVideoInitPhase = 240,
+    PfBootAcceptedRegistryInitPhase = 270,
+    PfUserShellReadyPhase = 300,
+    PfMaxBootPhaseId = 900
+} PF_BOOT_PHASE_ID;
+
+typedef enum _PF_ENABLE_STATUS
+{
+    PfSvNotSpecified,
+    PfSvEnabled,
+    PfSvDisabled,
+    PfSvMaxEnableStatus
+} PF_ENABLE_STATUS;
+
+typedef struct _PF_TRACE_LIMITS
+{
+    ULONG MaxNumPages;
+    ULONG MaxNumSections;
+    LONGLONG TimerPeriod;
+} PF_TRACE_LIMITS, *PPF_TRACE_LIMITS;
+
+typedef struct _PF_SYSTEM_PREFETCH_PARAMETERS
+{
+    PF_ENABLE_STATUS EnableStatus[2];
+    PF_TRACE_LIMITS TraceLimits[2];
+    ULONG MaxNumActiveTraces;
+    ULONG MaxNumSavedTraces;
+    WCHAR RootDirPath[32];
+    WCHAR HostingApplicationList[128];
+} PF_SYSTEM_PREFETCH_PARAMETERS, *PPF_SYSTEM_PREFETCH_PARAMETERS;
+
+#define PF_BOOT_CONTROL_VERSION 1
+
+typedef struct _PF_BOOT_CONTROL
+{
+    ULONG Version;
+    ULONG DisableBootPrefetching;
+} PF_BOOT_CONTROL, *PPF_BOOT_CONTROL;
+
+typedef enum _PREFETCHER_INFORMATION_CLASS
+{
+    PrefetcherRetrieveTrace = 1, // q: CHAR[]
+    PrefetcherSystemParameters, // q: PF_SYSTEM_PREFETCH_PARAMETERS
+    PrefetcherBootPhase, // s: PF_BOOT_PHASE_ID
+    PrefetcherRetrieveBootLoaderTrace, // q: CHAR[]
+    PrefetcherBootControl // s: PF_BOOT_CONTROL
+} PREFETCHER_INFORMATION_CLASS;
+
+#define PREFETCHER_INFORMATION_VERSION 23 // rev
+#define PREFETCHER_INFORMATION_MAGIC ('kuhC') // rev
+
+typedef struct _PREFETCHER_INFORMATION
+{
+    ULONG Version;
+    ULONG Magic;
+    PREFETCHER_INFORMATION_CLASS PrefetcherInformationClass;
+    PVOID PrefetcherInformation;
+    ULONG PrefetcherInformationLength;
+} PREFETCHER_INFORMATION, *PPREFETCHER_INFORMATION;
+
+// Superfetch
+
+typedef struct _PF_SYSTEM_SUPERFETCH_PARAMETERS
+{
+    ULONG EnabledComponents;
+    ULONG BootID;
+    ULONG SavedSectInfoTracesMax;
+    ULONG SavedPageAccessTracesMax;
+    ULONG ScenarioPrefetchTimeoutStandby;
+    ULONG ScenarioPrefetchTimeoutHibernate;
+} PF_SYSTEM_SUPERFETCH_PARAMETERS, *PPF_SYSTEM_SUPERFETCH_PARAMETERS;
+
+#define PF_PFN_PRIO_REQUEST_VERSION 1
+#define PF_PFN_PRIO_REQUEST_QUERY_MEMORY_LIST 0x1
+#define PF_PFN_PRIO_REQUEST_VALID_FLAGS 0x1
+
+typedef struct _PF_PFN_PRIO_REQUEST
+{
+    ULONG Version;
+    ULONG RequestFlags;
+    ULONG_PTR PfnCount;
+    SYSTEM_MEMORY_LIST_INFORMATION MemInfo;
+    MMPFN_IDENTITY PageData[256];
+} PF_PFN_PRIO_REQUEST, *PPF_PFN_PRIO_REQUEST;
+
+typedef enum _PFS_PRIVATE_PAGE_SOURCE_TYPE
+{
+    PfsPrivateSourceKernel,
+    PfsPrivateSourceSession,
+    PfsPrivateSourceProcess,
+    PfsPrivateSourceMax
+} PFS_PRIVATE_PAGE_SOURCE_TYPE;
+
+typedef struct _PFS_PRIVATE_PAGE_SOURCE
+{
+    PFS_PRIVATE_PAGE_SOURCE_TYPE Type;
+    union
+    {
+        ULONG SessionId;
+        ULONG ProcessId;
+    };
+    ULONG ImagePathHash;
+    ULONG_PTR UniqueProcessHash;
+} PFS_PRIVATE_PAGE_SOURCE, *PPFS_PRIVATE_PAGE_SOURCE;
+
+typedef struct _PF_PRIVSOURCE_INFO
+{
+    PFS_PRIVATE_PAGE_SOURCE DbInfo;
+    PVOID EProcess;
+    SIZE_T WsPrivatePages;
+    SIZE_T TotalPrivatePages;
+    ULONG SessionID;
+    CHAR ImageName[16];
+    union {
+        ULONG_PTR WsSwapPages;                 // process only PF_PRIVSOURCE_QUERY_WS_SWAP_PAGES.
+        ULONG_PTR SessionPagedPoolPages;       // session only.
+        ULONG_PTR StoreSizePages;              // process only PF_PRIVSOURCE_QUERY_STORE_INFO.
+    };
+    ULONG_PTR WsTotalPages;         // process/session only.
+    ULONG DeepFreezeTimeMs;         // process only.
+    ULONG ModernApp : 1;            // process only.
+    ULONG DeepFrozen : 1;           // process only. If set, DeepFreezeTimeMs contains the time at which the freeze occurred
+    ULONG Foreground : 1;           // process only.
+    ULONG PerProcessStore : 1;      // process only.
+    ULONG Spare : 28;
+} PF_PRIVSOURCE_INFO, *PPF_PRIVSOURCE_INFO;
+
+#define PF_PRIVSOURCE_QUERY_REQUEST_VERSION 3
+
+typedef struct _PF_PRIVSOURCE_QUERY_REQUEST
+{
+    ULONG Version;
+    ULONG Flags;
+    ULONG InfoCount;
+    PF_PRIVSOURCE_INFO InfoArray[1];
+} PF_PRIVSOURCE_QUERY_REQUEST, *PPF_PRIVSOURCE_QUERY_REQUEST;
+
+typedef enum _PF_PHASED_SCENARIO_TYPE
+{
+    PfScenarioTypeNone,
+    PfScenarioTypeStandby,
+    PfScenarioTypeHibernate,
+    PfScenarioTypeFUS,
+    PfScenarioTypeMax
+} PF_PHASED_SCENARIO_TYPE;
+
+#define PF_SCENARIO_PHASE_INFO_VERSION 4
+
+typedef struct _PF_SCENARIO_PHASE_INFO
+{
+    ULONG Version;
+    PF_PHASED_SCENARIO_TYPE ScenType;
+    ULONG PhaseId;
+    ULONG SequenceNumber;
+    ULONG Flags;
+    ULONG FUSUserId;
+} PF_SCENARIO_PHASE_INFO, *PPF_SCENARIO_PHASE_INFO;
+
+typedef struct _PF_MEMORY_LIST_NODE
+{
+    ULONGLONG Node : 8;
+    ULONGLONG Spare : 56;
+    ULONGLONG StandbyLowPageCount;
+    ULONGLONG StandbyMediumPageCount;
+    ULONGLONG StandbyHighPageCount;
+    ULONGLONG FreePageCount;
+    ULONGLONG ModifiedPageCount;
+} PF_MEMORY_LIST_NODE, *PPF_MEMORY_LIST_NODE;
+
+#define PF_MEMORY_LIST_INFO_VERSION 1
+
+typedef struct _PF_MEMORY_LIST_INFO
+{
+    ULONG Version;
+    ULONG Size;
+    ULONG NodeCount;
+    PF_MEMORY_LIST_NODE Nodes[1];
+} PF_MEMORY_LIST_INFO, *PPF_MEMORY_LIST_INFO;
+
+typedef struct _PF_PHYSICAL_MEMORY_RANGE
+{
+    ULONG_PTR BasePfn;
+    ULONG_PTR PageCount;
+} PF_PHYSICAL_MEMORY_RANGE, *PPF_PHYSICAL_MEMORY_RANGE;
+
+#define PF_PHYSICAL_MEMORY_RANGE_INFO_VERSION 1
+
+typedef struct _PF_PHYSICAL_MEMORY_RANGE_INFO
+{
+    ULONG Version;
+    ULONG RangeCount;
+    PF_PHYSICAL_MEMORY_RANGE Ranges[1];
+} PF_PHYSICAL_MEMORY_RANGE_INFO, *PPF_PHYSICAL_MEMORY_RANGE_INFO;
+
+// begin_rev
+
+#define PF_REPURPOSED_BY_PREFETCH_INFO_VERSION 1
+
+typedef struct _PF_REPURPOSED_BY_PREFETCH_INFO
+{
+    ULONG Version;
+    ULONG RepurposedByPrefetch;
+} PF_REPURPOSED_BY_PREFETCH_INFO, *PPF_REPURPOSED_BY_PREFETCH_INFO;
+
+// end_rev
+
+typedef enum _SUPERFETCH_INFORMATION_CLASS
+{
+    SuperfetchRetrieveTrace = 1, // q: CHAR[]
+    SuperfetchSystemParameters, // q: PF_SYSTEM_SUPERFETCH_PARAMETERS
+    SuperfetchLogEvent,
+    SuperfetchGenerateTrace,
+    SuperfetchPrefetch,
+    SuperfetchPfnQuery, // q: PF_PFN_PRIO_REQUEST
+    SuperfetchPfnSetPriority,
+    SuperfetchPrivSourceQuery, // q: PF_PRIVSOURCE_QUERY_REQUEST
+    SuperfetchSequenceNumberQuery, // q: ULONG
+    SuperfetchScenarioPhase, // 10
+    SuperfetchWorkerPriority,
+    SuperfetchScenarioQuery, // q: PF_SCENARIO_PHASE_INFO
+    SuperfetchScenarioPrefetch,
+    SuperfetchRobustnessControl,
+    SuperfetchTimeControl,
+    SuperfetchMemoryListQuery, // q: PF_MEMORY_LIST_INFO
+    SuperfetchMemoryRangesQuery, // q: PF_PHYSICAL_MEMORY_RANGE_INFO
+    SuperfetchTracingControl,
+    SuperfetchTrimWhileAgingControl,
+    SuperfetchRepurposedByPrefetch, // q: PF_REPURPOSED_BY_PREFETCH_INFO // rev
+    SuperfetchInformationMax
+} SUPERFETCH_INFORMATION_CLASS;
+
+#define SUPERFETCH_INFORMATION_VERSION 45 // rev
+#define SUPERFETCH_INFORMATION_MAGIC ('kuhC') // rev
+
+typedef struct _SUPERFETCH_INFORMATION
+{
+    _In_ ULONG Version;
+    _In_ ULONG Magic;
+    _In_ SUPERFETCH_INFORMATION_CLASS InfoClass;
+    _Inout_ PVOID Data;
+    _Inout_ ULONG Length;
+} SUPERFETCH_INFORMATION, *PSUPERFETCH_INFORMATION;
+
+// end_private
+
+#endif

phnt/include/ntpnpapi.h

@@ -0,0 +1,159 @@
+#ifndef _NTPNPAPI_H
+#define _NTPNPAPI_H
+
+typedef enum _PLUGPLAY_EVENT_CATEGORY
+{
+    HardwareProfileChangeEvent,
+    TargetDeviceChangeEvent,
+    DeviceClassChangeEvent,
+    CustomDeviceEvent,
+    DeviceInstallEvent,
+    DeviceArrivalEvent,
+    PowerEvent,
+    VetoEvent,
+    BlockedDriverEvent,
+    InvalidIDEvent,
+    MaxPlugEventCategory
+} PLUGPLAY_EVENT_CATEGORY, *PPLUGPLAY_EVENT_CATEGORY;
+
+typedef struct _PLUGPLAY_EVENT_BLOCK
+{
+    GUID EventGuid;
+    PLUGPLAY_EVENT_CATEGORY EventCategory;
+    PULONG Result;
+    ULONG Flags;
+    ULONG TotalSize;
+    PVOID DeviceObject;
+
+    union
+    {
+        struct
+        {
+            GUID ClassGuid;
+            WCHAR SymbolicLinkName[1];
+        } DeviceClass;
+        struct
+        {
+            WCHAR DeviceIds[1];
+        } TargetDevice;
+        struct
+        {
+            WCHAR DeviceId[1];
+        } InstallDevice;
+        struct
+        {
+            PVOID NotificationStructure;
+            WCHAR DeviceIds[1];
+        } CustomNotification;
+        struct
+        {
+            PVOID Notification;
+        } ProfileNotification;
+        struct
+        {
+            ULONG NotificationCode;
+            ULONG NotificationData;
+        } PowerNotification;
+        struct
+        {
+            PNP_VETO_TYPE VetoType;
+            WCHAR DeviceIdVetoNameBuffer[1]; // DeviceId<null>VetoName<null><null>
+        } VetoNotification;
+        struct
+        {
+            GUID BlockedDriverGuid;
+        } BlockedDriverNotification;
+        struct
+        {
+            WCHAR ParentId[1];
+        } InvalidIDNotification;
+    } u;
+} PLUGPLAY_EVENT_BLOCK, *PPLUGPLAY_EVENT_BLOCK;
+
+typedef enum _PLUGPLAY_CONTROL_CLASS
+{
+    PlugPlayControlEnumerateDevice,
+    PlugPlayControlRegisterNewDevice,
+    PlugPlayControlDeregisterDevice,
+    PlugPlayControlInitializeDevice,
+    PlugPlayControlStartDevice,
+    PlugPlayControlUnlockDevice,
+    PlugPlayControlQueryAndRemoveDevice,
+    PlugPlayControlUserResponse,
+    PlugPlayControlGenerateLegacyDevice,
+    PlugPlayControlGetInterfaceDeviceList,
+    PlugPlayControlProperty,
+    PlugPlayControlDeviceClassAssociation,
+    PlugPlayControlGetRelatedDevice,
+    PlugPlayControlGetInterfaceDeviceAlias,
+    PlugPlayControlDeviceStatus,
+    PlugPlayControlGetDeviceDepth,
+    PlugPlayControlQueryDeviceRelations,
+    PlugPlayControlTargetDeviceRelation,
+    PlugPlayControlQueryConflictList,
+    PlugPlayControlRetrieveDock,
+    PlugPlayControlResetDevice,
+    PlugPlayControlHaltDevice,
+    PlugPlayControlGetBlockedDriverList,
+    PlugPlayControlGetDeviceInterfaceEnabled,
+    MaxPlugPlayControl
+} PLUGPLAY_CONTROL_CLASS, *PPLUGPLAY_CONTROL_CLASS;
+
+#if (PHNT_VERSION < PHNT_WIN8)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtGetPlugPlayEvent(
+    _In_ HANDLE EventHandle,
+    _In_opt_ PVOID Context,
+    _Out_writes_bytes_(EventBufferSize) PPLUGPLAY_EVENT_BLOCK EventBlock,
+    _In_ ULONG EventBufferSize
+    );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtPlugPlayControl(
+    _In_ PLUGPLAY_CONTROL_CLASS PnPControlClass,
+    _Inout_updates_bytes_(PnPControlDataLength) PVOID PnPControlData,
+    _In_ ULONG PnPControlDataLength
+    );
+
+#if (PHNT_VERSION >= PHNT_WIN7)
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSerializeBoot(
+    VOID
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtEnableLastKnownGood(
+    VOID
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDisableLastKnownGood(
+    VOID
+    );
+
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtReplacePartitionUnit(
+    _In_ PUNICODE_STRING TargetInstancePath,
+    _In_ PUNICODE_STRING SpareInstancePath,
+    _In_ ULONG Flags
+    );
+#endif
+
+#endif

phnt/include/ntpoapi.h

@@ -0,0 +1,182 @@
+#ifndef _NTPOAPI_H
+#define _NTPOAPI_H
+
+typedef union _POWER_STATE
+{
+    SYSTEM_POWER_STATE SystemState;
+    DEVICE_POWER_STATE DeviceState;
+} POWER_STATE, *PPOWER_STATE;
+
+typedef enum _POWER_STATE_TYPE
+{
+    SystemPowerState = 0,
+    DevicePowerState
+} POWER_STATE_TYPE, *PPOWER_STATE_TYPE;
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+// wdm
+typedef struct _SYSTEM_POWER_STATE_CONTEXT
+{
+    union
+    {
+        struct
+        {
+            ULONG Reserved1 : 8;
+            ULONG TargetSystemState : 4;
+            ULONG EffectiveSystemState : 4;
+            ULONG CurrentSystemState : 4;
+            ULONG IgnoreHibernationPath : 1;
+            ULONG PseudoTransition : 1;
+            ULONG Reserved2 : 10;
+        };
+        ULONG ContextAsUlong;
+    };
+} SYSTEM_POWER_STATE_CONTEXT, *PSYSTEM_POWER_STATE_CONTEXT;
+#endif
+
+#if (PHNT_VERSION >= PHNT_WIN7)
+/** \cond NEVER */ // disable doxygen warning
+// wdm
+typedef struct _COUNTED_REASON_CONTEXT
+{
+    ULONG Version;
+    ULONG Flags;
+    union
+    {
+        struct
+        {
+            UNICODE_STRING ResourceFileName;
+            USHORT ResourceReasonId;
+            ULONG StringCount;
+            PUNICODE_STRING _Field_size_(StringCount) ReasonStrings;
+        };
+        UNICODE_STRING SimpleString;
+    };
+} COUNTED_REASON_CONTEXT, *PCOUNTED_REASON_CONTEXT;
+/** \endcond */
+#endif
+
+typedef enum
+{
+    PowerStateSleeping1 = 0,
+    PowerStateSleeping2 = 1,
+    PowerStateSleeping3 = 2,
+    PowerStateSleeping4 = 3,
+    PowerStateShutdownOff = 4,
+    PowerStateShutdownReset = 5,
+    PowerStateSleeping4Firmware = 6,
+    PowerStateMaximum = 7
+} POWER_STATE_HANDLER_TYPE, *PPOWER_STATE_HANDLER_TYPE;
+
+typedef NTSTATUS (NTAPI *PENTER_STATE_SYSTEM_HANDLER)(
+    _In_ PVOID SystemContext
+    );
+
+typedef NTSTATUS (NTAPI *PENTER_STATE_HANDLER)(
+    _In_ PVOID Context,
+    _In_opt_ PENTER_STATE_SYSTEM_HANDLER SystemHandler,
+    _In_ PVOID SystemContext,
+    _In_ LONG NumberProcessors,
+    _In_ volatile PLONG Number
+    );
+
+typedef struct _POWER_STATE_HANDLER
+{
+    POWER_STATE_HANDLER_TYPE Type;
+    BOOLEAN RtcWake;
+    UCHAR Spare[3];
+    PENTER_STATE_HANDLER Handler;
+    PVOID Context;
+} POWER_STATE_HANDLER, *PPOWER_STATE_HANDLER;
+
+typedef NTSTATUS (NTAPI *PENTER_STATE_NOTIFY_HANDLER)(
+    _In_ POWER_STATE_HANDLER_TYPE State,
+    _In_ PVOID Context,
+    _In_ BOOLEAN Entering
+    );
+
+typedef struct _POWER_STATE_NOTIFY_HANDLER
+{
+    PENTER_STATE_NOTIFY_HANDLER Handler;
+    PVOID Context;
+} POWER_STATE_NOTIFY_HANDLER, *PPOWER_STATE_NOTIFY_HANDLER;
+
+typedef struct _PROCESSOR_POWER_INFORMATION
+{
+    ULONG Number;
+    ULONG MaxMhz;
+    ULONG CurrentMhz;
+    ULONG MhzLimit;
+    ULONG MaxIdleState;
+    ULONG CurrentIdleState;
+} PROCESSOR_POWER_INFORMATION, *PPROCESSOR_POWER_INFORMATION;
+
+typedef struct _SYSTEM_POWER_INFORMATION
+{
+    ULONG MaxIdlenessAllowed;
+    ULONG Idleness;
+    ULONG TimeRemaining;
+    UCHAR CoolingMode;
+} SYSTEM_POWER_INFORMATION, *PSYSTEM_POWER_INFORMATION;
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtPowerInformation(
+    _In_ POWER_INFORMATION_LEVEL InformationLevel,
+    _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer,
+    _In_ ULONG InputBufferLength,
+    _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer,
+    _In_ ULONG OutputBufferLength
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetThreadExecutionState(
+    _In_ EXECUTION_STATE NewFlags, // ES_* flags
+    _Out_ EXECUTION_STATE *PreviousFlags
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRequestWakeupLatency(
+    _In_ LATENCY_TIME latency
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtInitiatePowerAction(
+    _In_ POWER_ACTION SystemAction,
+    _In_ SYSTEM_POWER_STATE LightestSystemState,
+    _In_ ULONG Flags, // POWER_ACTION_* flags
+    _In_ BOOLEAN Asynchronous
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetSystemPowerState(
+    _In_ POWER_ACTION SystemAction,
+    _In_ SYSTEM_POWER_STATE LightestSystemState,
+    _In_ ULONG Flags // POWER_ACTION_* flags
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtGetDevicePowerState(
+    _In_ HANDLE Device,
+    _Out_ PDEVICE_POWER_STATE State
+    );
+
+NTSYSCALLAPI
+BOOLEAN
+NTAPI
+NtIsSystemResumeAutomatic(
+    VOID
+    );
+
+#endif

phnt/include/ntregapi.h

@@ -0,0 +1,637 @@
+#ifndef _NTREGAPI_H
+#define _NTREGAPI_H
+
+// Boot condition flags (NtInitializeRegistry)
+
+#define REG_INIT_BOOT_SM 0x0000
+#define REG_INIT_BOOT_SETUP 0x0001
+#define REG_INIT_BOOT_ACCEPTED_BASE 0x0002
+#define REG_INIT_BOOT_ACCEPTED_MAX REG_INIT_BOOT_ACCEPTED_BASE + 999
+
+#define REG_MAX_KEY_VALUE_NAME_LENGTH 32767
+#define REG_MAX_KEY_NAME_LENGTH 512
+
+typedef enum _KEY_INFORMATION_CLASS
+{
+    KeyBasicInformation, // KEY_BASIC_INFORMATION
+    KeyNodeInformation, // KEY_NODE_INFORMATION
+    KeyFullInformation, // KEY_FULL_INFORMATION
+    KeyNameInformation, // KEY_NAME_INFORMATION
+    KeyCachedInformation, // KEY_CACHED_INFORMATION
+    KeyFlagsInformation, // KEY_FLAGS_INFORMATION
+    KeyVirtualizationInformation, // KEY_VIRTUALIZATION_INFORMATION
+    KeyHandleTagsInformation, // KEY_HANDLE_TAGS_INFORMATION
+    KeyTrustInformation, // KEY_TRUST_INFORMATION
+    KeyLayerInformation, // KEY_LAYER_INFORMATION
+    MaxKeyInfoClass
+} KEY_INFORMATION_CLASS;
+
+typedef struct _KEY_BASIC_INFORMATION
+{
+    LARGE_INTEGER LastWriteTime;
+    ULONG TitleIndex;
+    ULONG NameLength;
+    WCHAR Name[1];
+} KEY_BASIC_INFORMATION, *PKEY_BASIC_INFORMATION;
+
+typedef struct _KEY_NODE_INFORMATION
+{
+    LARGE_INTEGER LastWriteTime;
+    ULONG TitleIndex;
+    ULONG ClassOffset;
+    ULONG ClassLength;
+    ULONG NameLength;
+    WCHAR Name[1];
+    // ...
+    // WCHAR Class[1];
+} KEY_NODE_INFORMATION, *PKEY_NODE_INFORMATION;
+
+typedef struct _KEY_FULL_INFORMATION
+{
+    LARGE_INTEGER LastWriteTime;
+    ULONG TitleIndex;
+    ULONG ClassOffset;
+    ULONG ClassLength;
+    ULONG SubKeys;
+    ULONG MaxNameLen;
+    ULONG MaxClassLen;
+    ULONG Values;
+    ULONG MaxValueNameLen;
+    ULONG MaxValueDataLen;
+    WCHAR Class[1];
+} KEY_FULL_INFORMATION, *PKEY_FULL_INFORMATION;
+
+typedef struct _KEY_NAME_INFORMATION
+{
+    ULONG NameLength;
+    WCHAR Name[1];
+} KEY_NAME_INFORMATION, *PKEY_NAME_INFORMATION;
+
+typedef struct _KEY_CACHED_INFORMATION
+{
+    LARGE_INTEGER LastWriteTime;
+    ULONG TitleIndex;
+    ULONG SubKeys;
+    ULONG MaxNameLen;
+    ULONG Values;
+    ULONG MaxValueNameLen;
+    ULONG MaxValueDataLen;
+    ULONG NameLength;
+    WCHAR Name[1];
+} KEY_CACHED_INFORMATION, *PKEY_CACHED_INFORMATION;
+
+typedef struct _KEY_FLAGS_INFORMATION
+{
+    ULONG UserFlags;
+} KEY_FLAGS_INFORMATION, *PKEY_FLAGS_INFORMATION;
+
+typedef struct _KEY_VIRTUALIZATION_INFORMATION
+{
+    ULONG VirtualizationCandidate : 1; // Tells whether the key is part of the virtualization namespace scope (only HKLM\Software for now).
+    ULONG VirtualizationEnabled : 1; // Tells whether virtualization is enabled on this key. Can be 1 only if above flag is 1.
+    ULONG VirtualTarget : 1; // Tells if the key is a virtual key. Can be 1 only if above 2 are 0. Valid only on the virtual store key handles.
+    ULONG VirtualStore : 1; // Tells if the key is a part of the virtual store path. Valid only on the virtual store key handles.
+    ULONG VirtualSource : 1; // Tells if the key has ever been virtualized, can be 1 only if VirtualizationCandidate is 1.
+    ULONG Reserved : 27;
+} KEY_VIRTUALIZATION_INFORMATION, *PKEY_VIRTUALIZATION_INFORMATION;
+
+// private
+typedef struct _KEY_TRUST_INFORMATION
+{
+    ULONG TrustedKey : 1;
+    ULONG Reserved : 31;
+} KEY_TRUST_INFORMATION, *PKEY_TRUST_INFORMATION;
+
+// private
+typedef struct _KEY_LAYER_INFORMATION
+{
+    ULONG IsTombstone;
+    ULONG IsSupersedeLocal;
+    ULONG IsSupersedeTree;
+    ULONG ClassIsInherited;
+    ULONG Reserved;
+} KEY_LAYER_INFORMATION, *PKEY_LAYER_INFORMATION;
+
+typedef enum _KEY_SET_INFORMATION_CLASS
+{
+    KeyWriteTimeInformation, // KEY_WRITE_TIME_INFORMATION
+    KeyWow64FlagsInformation, // KEY_WOW64_FLAGS_INFORMATION
+    KeyControlFlagsInformation, // KEY_CONTROL_FLAGS_INFORMATION
+    KeySetVirtualizationInformation, // KEY_SET_VIRTUALIZATION_INFORMATION
+    KeySetDebugInformation,
+    KeySetHandleTagsInformation, // KEY_HANDLE_TAGS_INFORMATION
+    MaxKeySetInfoClass
+} KEY_SET_INFORMATION_CLASS;
+
+typedef struct _KEY_WRITE_TIME_INFORMATION
+{
+    LARGE_INTEGER LastWriteTime;
+} KEY_WRITE_TIME_INFORMATION, *PKEY_WRITE_TIME_INFORMATION;
+
+typedef struct _KEY_WOW64_FLAGS_INFORMATION
+{
+    ULONG UserFlags;
+} KEY_WOW64_FLAGS_INFORMATION, *PKEY_WOW64_FLAGS_INFORMATION;
+
+typedef struct _KEY_HANDLE_TAGS_INFORMATION
+{
+    ULONG HandleTags;
+} KEY_HANDLE_TAGS_INFORMATION, *PKEY_HANDLE_TAGS_INFORMATION;
+
+typedef struct _KEY_CONTROL_FLAGS_INFORMATION
+{
+    ULONG ControlFlags;
+} KEY_CONTROL_FLAGS_INFORMATION, *PKEY_CONTROL_FLAGS_INFORMATION;
+
+typedef struct _KEY_SET_VIRTUALIZATION_INFORMATION
+{
+    ULONG VirtualTarget : 1;
+    ULONG VirtualStore : 1;
+    ULONG VirtualSource : 1; // true if key has been virtualized at least once
+    ULONG Reserved : 29;
+} KEY_SET_VIRTUALIZATION_INFORMATION, *PKEY_SET_VIRTUALIZATION_INFORMATION;
+
+typedef enum _KEY_VALUE_INFORMATION_CLASS
+{
+    KeyValueBasicInformation, // KEY_VALUE_BASIC_INFORMATION
+    KeyValueFullInformation, // KEY_VALUE_FULL_INFORMATION
+    KeyValuePartialInformation, // KEY_VALUE_PARTIAL_INFORMATION
+    KeyValueFullInformationAlign64,
+    KeyValuePartialInformationAlign64,  // KEY_VALUE_PARTIAL_INFORMATION_ALIGN64
+    KeyValueLayerInformation, // KEY_VALUE_LAYER_INFORMATION
+    MaxKeyValueInfoClass
+} KEY_VALUE_INFORMATION_CLASS;
+
+typedef struct _KEY_VALUE_BASIC_INFORMATION
+{
+    ULONG TitleIndex;
+    ULONG Type;
+    ULONG NameLength;
+    WCHAR Name[1];
+} KEY_VALUE_BASIC_INFORMATION, *PKEY_VALUE_BASIC_INFORMATION;
+
+typedef struct _KEY_VALUE_FULL_INFORMATION
+{
+    ULONG TitleIndex;
+    ULONG Type;
+    ULONG DataOffset;
+    ULONG DataLength;
+    ULONG NameLength;
+    WCHAR Name[1];
+    // ...
+    // UCHAR Data[1];
+} KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION;
+
+typedef struct _KEY_VALUE_PARTIAL_INFORMATION
+{
+    ULONG TitleIndex;
+    ULONG Type;
+    ULONG DataLength;
+    UCHAR Data[1];
+} KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION;
+
+typedef struct _KEY_VALUE_PARTIAL_INFORMATION_ALIGN64
+{
+    ULONG Type;
+    ULONG DataLength;
+    UCHAR Data[1];
+} KEY_VALUE_PARTIAL_INFORMATION_ALIGN64, *PKEY_VALUE_PARTIAL_INFORMATION_ALIGN64;
+
+// private
+typedef struct _KEY_VALUE_LAYER_INFORMATION
+{
+    ULONG IsTombstone;
+    ULONG Reserved;
+} KEY_VALUE_LAYER_INFORMATION, *PKEY_VALUE_LAYER_INFORMATION;
+
+typedef struct _KEY_VALUE_ENTRY
+{
+    PUNICODE_STRING ValueName;
+    ULONG DataLength;
+    ULONG DataOffset;
+    ULONG Type;
+} KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY;
+
+typedef enum _REG_ACTION
+{
+    KeyAdded,
+    KeyRemoved,
+    KeyModified
+} REG_ACTION;
+
+typedef struct _REG_NOTIFY_INFORMATION
+{
+    ULONG NextEntryOffset;
+    REG_ACTION Action;
+    ULONG KeyLength;
+    WCHAR Key[1];
+} REG_NOTIFY_INFORMATION, *PREG_NOTIFY_INFORMATION;
+
+typedef struct _KEY_PID_ARRAY
+{
+    HANDLE PID;
+    UNICODE_STRING KeyName;
+} KEY_PID_ARRAY, *PKEY_PID_ARRAY;
+
+typedef struct _KEY_OPEN_SUBKEYS_INFORMATION
+{
+    ULONG Count;
+    KEY_PID_ARRAY KeyArray[1];
+} KEY_OPEN_SUBKEYS_INFORMATION, *PKEY_OPEN_SUBKEYS_INFORMATION;
+
+// System calls
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateKey(
+    _Out_ PHANDLE KeyHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _Reserved_ ULONG TitleIndex,
+    _In_opt_ PUNICODE_STRING Class,
+    _In_ ULONG CreateOptions,
+    _Out_opt_ PULONG Disposition
+    );
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateKeyTransacted(
+    _Out_ PHANDLE KeyHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _Reserved_ ULONG TitleIndex,
+    _In_opt_ PUNICODE_STRING Class,
+    _In_ ULONG CreateOptions,
+    _In_ HANDLE TransactionHandle,
+    _Out_opt_ PULONG Disposition
+    );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenKey(
+    _Out_ PHANDLE KeyHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ POBJECT_ATTRIBUTES ObjectAttributes
+    );
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenKeyTransacted(
+    _Out_ PHANDLE KeyHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _In_ HANDLE TransactionHandle
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_WIN7)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenKeyEx(
+    _Out_ PHANDLE KeyHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _In_ ULONG OpenOptions
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_WIN7)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenKeyTransactedEx(
+    _Out_ PHANDLE KeyHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _In_ ULONG OpenOptions,
+    _In_ HANDLE TransactionHandle
+    );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDeleteKey(
+    _In_ HANDLE KeyHandle
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRenameKey(
+    _In_ HANDLE KeyHandle,
+    _In_ PUNICODE_STRING NewName
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDeleteValueKey(
+    _In_ HANDLE KeyHandle,
+    _In_ PUNICODE_STRING ValueName
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryKey(
+    _In_ HANDLE KeyHandle,
+    _In_ KEY_INFORMATION_CLASS KeyInformationClass,
+    _Out_writes_bytes_opt_(Length) PVOID KeyInformation,
+    _In_ ULONG Length,
+    _Out_ PULONG ResultLength
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetInformationKey(
+    _In_ HANDLE KeyHandle,
+    _In_ KEY_SET_INFORMATION_CLASS KeySetInformationClass,
+    _In_reads_bytes_(KeySetInformationLength) PVOID KeySetInformation,
+    _In_ ULONG KeySetInformationLength
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryValueKey(
+    _In_ HANDLE KeyHandle,
+    _In_ PUNICODE_STRING ValueName,
+    _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
+    _Out_writes_bytes_opt_(Length) PVOID KeyValueInformation,
+    _In_ ULONG Length,
+    _Out_ PULONG ResultLength
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetValueKey(
+    _In_ HANDLE KeyHandle,
+    _In_ PUNICODE_STRING ValueName,
+    _In_opt_ ULONG TitleIndex,
+    _In_ ULONG Type,
+    _In_reads_bytes_opt_(DataSize) PVOID Data,
+    _In_ ULONG DataSize
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryMultipleValueKey(
+    _In_ HANDLE KeyHandle,
+    _Inout_updates_(EntryCount) PKEY_VALUE_ENTRY ValueEntries,
+    _In_ ULONG EntryCount,
+    _Out_writes_bytes_(*BufferLength) PVOID ValueBuffer,
+    _Inout_ PULONG BufferLength,
+    _Out_opt_ PULONG RequiredBufferLength
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtEnumerateKey(
+    _In_ HANDLE KeyHandle,
+    _In_ ULONG Index,
+    _In_ KEY_INFORMATION_CLASS KeyInformationClass,
+    _Out_writes_bytes_opt_(Length) PVOID KeyInformation,
+    _In_ ULONG Length,
+    _Out_ PULONG ResultLength
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtEnumerateValueKey(
+    _In_ HANDLE KeyHandle,
+    _In_ ULONG Index,
+    _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
+    _Out_writes_bytes_opt_(Length) PVOID KeyValueInformation,
+    _In_ ULONG Length,
+    _Out_ PULONG ResultLength
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtFlushKey(
+    _In_ HANDLE KeyHandle
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCompactKeys(
+    _In_ ULONG Count,
+    _In_reads_(Count) HANDLE KeyArray[]
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCompressKey(
+    _In_ HANDLE Key
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtLoadKey(
+    _In_ POBJECT_ATTRIBUTES TargetKey,
+    _In_ POBJECT_ATTRIBUTES SourceFile
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtLoadKey2(
+    _In_ POBJECT_ATTRIBUTES TargetKey,
+    _In_ POBJECT_ATTRIBUTES SourceFile,
+    _In_ ULONG Flags
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtLoadKeyEx(
+    _In_ POBJECT_ATTRIBUTES TargetKey,
+    _In_ POBJECT_ATTRIBUTES SourceFile,
+    _In_ ULONG Flags,
+    _In_opt_ HANDLE TrustClassKey,
+    _In_opt_ HANDLE Event,
+    _In_opt_ ACCESS_MASK DesiredAccess,
+    _Out_opt_ PHANDLE RootHandle,
+    _Out_opt_ PIO_STATUS_BLOCK IoStatus
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtReplaceKey(
+    _In_ POBJECT_ATTRIBUTES NewFile,
+    _In_ HANDLE TargetHandle,
+    _In_ POBJECT_ATTRIBUTES OldFile
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSaveKey(
+    _In_ HANDLE KeyHandle,
+    _In_ HANDLE FileHandle
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSaveKeyEx(
+    _In_ HANDLE KeyHandle,
+    _In_ HANDLE FileHandle,
+    _In_ ULONG Format
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSaveMergedKeys(
+    _In_ HANDLE HighPrecedenceKeyHandle,
+    _In_ HANDLE LowPrecedenceKeyHandle,
+    _In_ HANDLE FileHandle
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRestoreKey(
+    _In_ HANDLE KeyHandle,
+    _In_ HANDLE FileHandle,
+    _In_ ULONG Flags
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtUnloadKey(
+    _In_ POBJECT_ATTRIBUTES TargetKey
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtUnloadKey2(
+    _In_ POBJECT_ATTRIBUTES TargetKey,
+    _In_ ULONG Flags
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtUnloadKeyEx(
+    _In_ POBJECT_ATTRIBUTES TargetKey,
+    _In_opt_ HANDLE Event
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtNotifyChangeKey(
+    _In_ HANDLE KeyHandle,
+    _In_opt_ HANDLE Event,
+    _In_opt_ PIO_APC_ROUTINE ApcRoutine,
+    _In_opt_ PVOID ApcContext,
+    _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+    _In_ ULONG CompletionFilter,
+    _In_ BOOLEAN WatchTree,
+    _Out_writes_bytes_opt_(BufferSize) PVOID Buffer,
+    _In_ ULONG BufferSize,
+    _In_ BOOLEAN Asynchronous
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtNotifyChangeMultipleKeys(
+    _In_ HANDLE MasterKeyHandle,
+    _In_opt_ ULONG Count,
+    _In_reads_opt_(Count) OBJECT_ATTRIBUTES SubordinateObjects[],
+    _In_opt_ HANDLE Event,
+    _In_opt_ PIO_APC_ROUTINE ApcRoutine,
+    _In_opt_ PVOID ApcContext,
+    _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+    _In_ ULONG CompletionFilter,
+    _In_ BOOLEAN WatchTree,
+    _Out_writes_bytes_opt_(BufferSize) PVOID Buffer,
+    _In_ ULONG BufferSize,
+    _In_ BOOLEAN Asynchronous
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryOpenSubKeys(
+    _In_ POBJECT_ATTRIBUTES TargetKey,
+    _Out_ PULONG HandleCount
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryOpenSubKeysEx(
+    _In_ POBJECT_ATTRIBUTES TargetKey,
+    _In_ ULONG BufferLength,
+    _Out_writes_bytes_(BufferLength) PVOID Buffer,
+    _Out_ PULONG RequiredSize
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtInitializeRegistry(
+    _In_ USHORT BootCondition
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtLockRegistryKey(
+    _In_ HANDLE KeyHandle
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtLockProductActivationKeys(
+    _Inout_opt_ ULONG *pPrivateVer,
+    _Out_opt_ ULONG *pSafeMode
+    );
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+// private
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtFreezeRegistry(
+    _In_ ULONG TimeOutInSeconds
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+// private
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtThawRegistry(
+    VOID
+    );
+#endif
+
+#endif

phnt/include/ntseapi.h

@@ -0,0 +1,635 @@
+#ifndef _NTSEAPI_H
+#define _NTSEAPI_H
+
+// Privileges
+
+#define SE_MIN_WELL_KNOWN_PRIVILEGE (2L)
+#define SE_CREATE_TOKEN_PRIVILEGE (2L)
+#define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE (3L)
+#define SE_LOCK_MEMORY_PRIVILEGE (4L)
+#define SE_INCREASE_QUOTA_PRIVILEGE (5L)
+
+#define SE_MACHINE_ACCOUNT_PRIVILEGE (6L)
+#define SE_TCB_PRIVILEGE (7L)
+#define SE_SECURITY_PRIVILEGE (8L)
+#define SE_TAKE_OWNERSHIP_PRIVILEGE (9L)
+#define SE_LOAD_DRIVER_PRIVILEGE (10L)
+#define SE_SYSTEM_PROFILE_PRIVILEGE (11L)
+#define SE_SYSTEMTIME_PRIVILEGE (12L)
+#define SE_PROF_SINGLE_PROCESS_PRIVILEGE (13L)
+#define SE_INC_BASE_PRIORITY_PRIVILEGE (14L)
+#define SE_CREATE_PAGEFILE_PRIVILEGE (15L)
+#define SE_CREATE_PERMANENT_PRIVILEGE (16L)
+#define SE_BACKUP_PRIVILEGE (17L)
+#define SE_RESTORE_PRIVILEGE (18L)
+#define SE_SHUTDOWN_PRIVILEGE (19L)
+#define SE_DEBUG_PRIVILEGE (20L)
+#define SE_AUDIT_PRIVILEGE (21L)
+#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE (22L)
+#define SE_CHANGE_NOTIFY_PRIVILEGE (23L)
+#define SE_REMOTE_SHUTDOWN_PRIVILEGE (24L)
+#define SE_UNDOCK_PRIVILEGE (25L)
+#define SE_SYNC_AGENT_PRIVILEGE (26L)
+#define SE_ENABLE_DELEGATION_PRIVILEGE (27L)
+#define SE_MANAGE_VOLUME_PRIVILEGE (28L)
+#define SE_IMPERSONATE_PRIVILEGE (29L)
+#define SE_CREATE_GLOBAL_PRIVILEGE (30L)
+#define SE_TRUSTED_CREDMAN_ACCESS_PRIVILEGE (31L)
+#define SE_RELABEL_PRIVILEGE (32L)
+#define SE_INC_WORKING_SET_PRIVILEGE (33L)
+#define SE_TIME_ZONE_PRIVILEGE (34L)
+#define SE_CREATE_SYMBOLIC_LINK_PRIVILEGE (35L)
+#define SE_MAX_WELL_KNOWN_PRIVILEGE SE_CREATE_SYMBOLIC_LINK_PRIVILEGE
+
+
+// Authz
+
+// begin_rev
+
+// Types
+
+#define TOKEN_SECURITY_ATTRIBUTE_TYPE_INVALID 0x00
+#define TOKEN_SECURITY_ATTRIBUTE_TYPE_INT64 0x01
+#define TOKEN_SECURITY_ATTRIBUTE_TYPE_UINT64 0x02
+#define TOKEN_SECURITY_ATTRIBUTE_TYPE_STRING 0x03
+#define TOKEN_SECURITY_ATTRIBUTE_TYPE_FQBN 0x04
+#define TOKEN_SECURITY_ATTRIBUTE_TYPE_SID 0x05
+#define TOKEN_SECURITY_ATTRIBUTE_TYPE_BOOLEAN 0x06
+#define TOKEN_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING 0x10
+
+// Flags
+
+#define TOKEN_SECURITY_ATTRIBUTE_NON_INHERITABLE 0x0001
+#define TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE 0x0002
+#define TOKEN_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY 0x0004
+#define TOKEN_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT 0x0008
+#define TOKEN_SECURITY_ATTRIBUTE_DISABLED 0x0010
+#define TOKEN_SECURITY_ATTRIBUTE_MANDATORY 0x0020
+
+#define TOKEN_SECURITY_ATTRIBUTE_VALID_FLAGS ( \
+    TOKEN_SECURITY_ATTRIBUTE_NON_INHERITABLE | \
+    TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE | \
+    TOKEN_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY | \
+    TOKEN_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT | \
+    TOKEN_SECURITY_ATTRIBUTE_DISABLED | \
+    TOKEN_SECURITY_ATTRIBUTE_MANDATORY)
+
+#define TOKEN_SECURITY_ATTRIBUTE_CUSTOM_FLAGS 0xffff0000
+
+// end_rev
+
+// private
+typedef struct _TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE
+{
+    ULONG64 Version;
+    UNICODE_STRING Name;
+} TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE;
+
+// private
+typedef struct _TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE
+{
+    PVOID pValue;
+    ULONG ValueLength;
+} TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE;
+
+// private
+typedef struct _TOKEN_SECURITY_ATTRIBUTE_V1
+{
+    UNICODE_STRING Name;
+    USHORT ValueType;
+    USHORT Reserved;
+    ULONG Flags;
+    ULONG ValueCount;
+    union
+    {
+        PLONG64 pInt64;
+        PULONG64 pUint64;
+        PUNICODE_STRING pString;
+        PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE pFqbn;
+        PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE pOctetString;
+    } Values;
+} TOKEN_SECURITY_ATTRIBUTE_V1, *PTOKEN_SECURITY_ATTRIBUTE_V1;
+
+// rev
+#define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1 1
+// rev
+#define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1
+
+// private
+typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION
+{
+    USHORT Version;
+    USHORT Reserved;
+    ULONG AttributeCount;
+    union
+    {
+        PTOKEN_SECURITY_ATTRIBUTE_V1 pAttributeV1;
+    } Attribute;
+} TOKEN_SECURITY_ATTRIBUTES_INFORMATION, *PTOKEN_SECURITY_ATTRIBUTES_INFORMATION;
+
+// Tokens
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateToken(
+    _Out_ PHANDLE TokenHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _In_ TOKEN_TYPE TokenType,
+    _In_ PLUID AuthenticationId,
+    _In_ PLARGE_INTEGER ExpirationTime,
+    _In_ PTOKEN_USER User,
+    _In_ PTOKEN_GROUPS Groups,
+    _In_ PTOKEN_PRIVILEGES Privileges,
+    _In_opt_ PTOKEN_OWNER Owner,
+    _In_ PTOKEN_PRIMARY_GROUP PrimaryGroup,
+    _In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl,
+    _In_ PTOKEN_SOURCE TokenSource
+    );
+
+#if (PHNT_VERSION >= PHNT_WIN8)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateLowBoxToken(
+    _Out_ PHANDLE TokenHandle,
+    _In_ HANDLE ExistingTokenHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _In_ PSID PackageSid,
+    _In_ ULONG CapabilityCount,
+    _In_reads_opt_(CapabilityCount) PSID_AND_ATTRIBUTES Capabilities,
+    _In_ ULONG HandleCount,
+    _In_reads_opt_(HandleCount) HANDLE *Handles
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_WIN8)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateTokenEx(
+    _Out_ PHANDLE TokenHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _In_ TOKEN_TYPE TokenType,
+    _In_ PLUID AuthenticationId,
+    _In_ PLARGE_INTEGER ExpirationTime,
+    _In_ PTOKEN_USER User,
+    _In_ PTOKEN_GROUPS Groups,
+    _In_ PTOKEN_PRIVILEGES Privileges,
+    _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION UserAttributes,
+    _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION DeviceAttributes,
+    _In_opt_ PTOKEN_GROUPS DeviceGroups,
+    _In_opt_ PTOKEN_MANDATORY_POLICY TokenMandatoryPolicy,
+    _In_opt_ PTOKEN_OWNER Owner,
+    _In_ PTOKEN_PRIMARY_GROUP PrimaryGroup,
+    _In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl,
+    _In_ PTOKEN_SOURCE TokenSource
+    );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenProcessToken(
+    _In_ HANDLE ProcessHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _Out_ PHANDLE TokenHandle
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenProcessTokenEx(
+    _In_ HANDLE ProcessHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ ULONG HandleAttributes,
+    _Out_ PHANDLE TokenHandle
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenThreadToken(
+    _In_ HANDLE ThreadHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ BOOLEAN OpenAsSelf,
+    _Out_ PHANDLE TokenHandle
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenThreadTokenEx(
+    _In_ HANDLE ThreadHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ BOOLEAN OpenAsSelf,
+    _In_ ULONG HandleAttributes,
+    _Out_ PHANDLE TokenHandle
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDuplicateToken(
+    _In_ HANDLE ExistingTokenHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _In_ BOOLEAN EffectiveOnly,
+    _In_ TOKEN_TYPE TokenType,
+    _Out_ PHANDLE NewTokenHandle
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryInformationToken(
+    _In_ HANDLE TokenHandle,
+    _In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
+    _Out_writes_bytes_(TokenInformationLength) PVOID TokenInformation,
+    _In_ ULONG TokenInformationLength,
+    _Out_ PULONG ReturnLength
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetInformationToken(
+    _In_ HANDLE TokenHandle,
+    _In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
+    _In_reads_bytes_(TokenInformationLength) PVOID TokenInformation,
+    _In_ ULONG TokenInformationLength
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAdjustPrivilegesToken(
+    _In_ HANDLE TokenHandle,
+    _In_ BOOLEAN DisableAllPrivileges,
+    _In_opt_ PTOKEN_PRIVILEGES NewState,
+    _In_ ULONG BufferLength,
+    _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_PRIVILEGES PreviousState,
+    _Out_ _When_(PreviousState == NULL, _Out_opt_) PULONG ReturnLength
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAdjustGroupsToken(
+    _In_ HANDLE TokenHandle,
+    _In_ BOOLEAN ResetToDefault,
+    _In_opt_ PTOKEN_GROUPS NewState,
+    _In_opt_ ULONG BufferLength,
+    _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_GROUPS PreviousState,
+    _Out_ PULONG ReturnLength
+    );
+
+#if (PHNT_VERSION >= PHNT_WIN8)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAdjustTokenClaimsAndDeviceGroups(
+    _In_ HANDLE TokenHandle,
+    _In_ BOOLEAN UserResetToDefault,
+    _In_ BOOLEAN DeviceResetToDefault,
+    _In_ BOOLEAN DeviceGroupsResetToDefault,
+    _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewUserState,
+    _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewDeviceState,
+    _In_opt_ PTOKEN_GROUPS NewDeviceGroupsState,
+    _In_ ULONG UserBufferLength,
+    _Out_writes_bytes_to_opt_(UserBufferLength, *UserReturnLength) PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousUserState,
+    _In_ ULONG DeviceBufferLength,
+    _Out_writes_bytes_to_opt_(DeviceBufferLength, *DeviceReturnLength) PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousDeviceState,
+    _In_ ULONG DeviceGroupsBufferLength,
+    _Out_writes_bytes_to_opt_(DeviceGroupsBufferLength, *DeviceGroupsReturnBufferLength) PTOKEN_GROUPS PreviousDeviceGroups,
+    _Out_opt_ PULONG UserReturnLength,
+    _Out_opt_ PULONG DeviceReturnLength,
+    _Out_opt_ PULONG DeviceGroupsReturnBufferLength
+    );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtFilterToken(
+    _In_ HANDLE ExistingTokenHandle,
+    _In_ ULONG Flags,
+    _In_opt_ PTOKEN_GROUPS SidsToDisable,
+    _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete,
+    _In_opt_ PTOKEN_GROUPS RestrictedSids,
+    _Out_ PHANDLE NewTokenHandle
+    );
+
+#if (PHNT_VERSION >= PHNT_WIN8)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtFilterTokenEx(
+    _In_ HANDLE ExistingTokenHandle,
+    _In_ ULONG Flags,
+    _In_opt_ PTOKEN_GROUPS SidsToDisable,
+    _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete,
+    _In_opt_ PTOKEN_GROUPS RestrictedSids,
+    _In_ ULONG DisableUserClaimsCount,
+    _In_opt_ PUNICODE_STRING UserClaimsToDisable,
+    _In_ ULONG DisableDeviceClaimsCount,
+    _In_opt_ PUNICODE_STRING DeviceClaimsToDisable,
+    _In_opt_ PTOKEN_GROUPS DeviceGroupsToDisable,
+    _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedUserAttributes,
+    _In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedDeviceAttributes,
+    _In_opt_ PTOKEN_GROUPS RestrictedDeviceGroups,
+    _Out_ PHANDLE NewTokenHandle
+    );
+#endif
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCompareTokens(
+    _In_ HANDLE FirstTokenHandle,
+    _In_ HANDLE SecondTokenHandle,
+    _Out_ PBOOLEAN Equal
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtPrivilegeCheck(
+    _In_ HANDLE ClientToken,
+    _Inout_ PPRIVILEGE_SET RequiredPrivileges,
+    _Out_ PBOOLEAN Result
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtImpersonateAnonymousToken(
+    _In_ HANDLE ThreadHandle
+    );
+
+#if (PHNT_VERSION >= PHNT_WIN7)
+// rev
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQuerySecurityAttributesToken(
+    _In_ HANDLE TokenHandle,
+    _In_reads_opt_(NumberOfAttributes) PUNICODE_STRING Attributes,
+    _In_ ULONG NumberOfAttributes,
+    _Out_writes_bytes_(Length) PVOID Buffer, // PTOKEN_SECURITY_ATTRIBUTES_INFORMATION
+    _In_ ULONG Length,
+    _Out_ PULONG ReturnLength
+    );
+#endif
+
+// Access checking
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAccessCheck(
+    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+    _In_ HANDLE ClientToken,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ PGENERIC_MAPPING GenericMapping,
+    _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
+    _Inout_ PULONG PrivilegeSetLength,
+    _Out_ PACCESS_MASK GrantedAccess,
+    _Out_ PNTSTATUS AccessStatus
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAccessCheckByType(
+    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+    _In_opt_ PSID PrincipalSelfSid,
+    _In_ HANDLE ClientToken,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
+    _In_ ULONG ObjectTypeListLength,
+    _In_ PGENERIC_MAPPING GenericMapping,
+    _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
+    _Inout_ PULONG PrivilegeSetLength,
+    _Out_ PACCESS_MASK GrantedAccess,
+    _Out_ PNTSTATUS AccessStatus
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAccessCheckByTypeResultList(
+    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+    _In_opt_ PSID PrincipalSelfSid,
+    _In_ HANDLE ClientToken,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
+    _In_ ULONG ObjectTypeListLength,
+    _In_ PGENERIC_MAPPING GenericMapping,
+    _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
+    _Inout_ PULONG PrivilegeSetLength,
+    _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
+    _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus
+    );
+
+// Signing
+
+#if (PHNT_VERSION >= PHNT_THRESHOLD)
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetCachedSigningLevel(
+    _In_ ULONG Flags,
+    _In_ SE_SIGNING_LEVEL InputSigningLevel,
+    _In_reads_(SourceFileCount) PHANDLE SourceFiles,
+    _In_ ULONG SourceFileCount,
+    _In_opt_ HANDLE TargetFile
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtGetCachedSigningLevel(
+    _In_ HANDLE File,
+    _Out_ PULONG Flags,
+    _Out_ PSE_SIGNING_LEVEL SigningLevel,
+    _Out_writes_bytes_to_opt_(*ThumbprintSize, *ThumbprintSize) PUCHAR Thumbprint,
+    _Inout_opt_ PULONG ThumbprintSize,
+    _Out_opt_ PULONG ThumbprintAlgorithm
+    );
+
+#endif
+
+// Audit alarm
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAccessCheckAndAuditAlarm(
+    _In_ PUNICODE_STRING SubsystemName,
+    _In_opt_ PVOID HandleId,
+    _In_ PUNICODE_STRING ObjectTypeName,
+    _In_ PUNICODE_STRING ObjectName,
+    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ PGENERIC_MAPPING GenericMapping,
+    _In_ BOOLEAN ObjectCreation,
+    _Out_ PACCESS_MASK GrantedAccess,
+    _Out_ PNTSTATUS AccessStatus,
+    _Out_ PBOOLEAN GenerateOnClose
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAccessCheckByTypeAndAuditAlarm(
+    _In_ PUNICODE_STRING SubsystemName,
+    _In_opt_ PVOID HandleId,
+    _In_ PUNICODE_STRING ObjectTypeName,
+    _In_ PUNICODE_STRING ObjectName,
+    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+    _In_opt_ PSID PrincipalSelfSid,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ AUDIT_EVENT_TYPE AuditType,
+    _In_ ULONG Flags,
+    _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
+    _In_ ULONG ObjectTypeListLength,
+    _In_ PGENERIC_MAPPING GenericMapping,
+    _In_ BOOLEAN ObjectCreation,
+    _Out_ PACCESS_MASK GrantedAccess,
+    _Out_ PNTSTATUS AccessStatus,
+    _Out_ PBOOLEAN GenerateOnClose
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAccessCheckByTypeResultListAndAuditAlarm(
+    _In_ PUNICODE_STRING SubsystemName,
+    _In_opt_ PVOID HandleId,
+    _In_ PUNICODE_STRING ObjectTypeName,
+    _In_ PUNICODE_STRING ObjectName,
+    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+    _In_opt_ PSID PrincipalSelfSid,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ AUDIT_EVENT_TYPE AuditType,
+    _In_ ULONG Flags,
+    _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
+    _In_ ULONG ObjectTypeListLength,
+    _In_ PGENERIC_MAPPING GenericMapping,
+    _In_ BOOLEAN ObjectCreation,
+    _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
+    _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus,
+    _Out_ PBOOLEAN GenerateOnClose
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtAccessCheckByTypeResultListAndAuditAlarmByHandle(
+    _In_ PUNICODE_STRING SubsystemName,
+    _In_opt_ PVOID HandleId,
+    _In_ HANDLE ClientToken,
+    _In_ PUNICODE_STRING ObjectTypeName,
+    _In_ PUNICODE_STRING ObjectName,
+    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+    _In_opt_ PSID PrincipalSelfSid,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ AUDIT_EVENT_TYPE AuditType,
+    _In_ ULONG Flags,
+    _In_reads_opt_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
+    _In_ ULONG ObjectTypeListLength,
+    _In_ PGENERIC_MAPPING GenericMapping,
+    _In_ BOOLEAN ObjectCreation,
+    _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
+    _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus,
+    _Out_ PBOOLEAN GenerateOnClose
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenObjectAuditAlarm(
+    _In_ PUNICODE_STRING SubsystemName,
+    _In_opt_ PVOID HandleId,
+    _In_ PUNICODE_STRING ObjectTypeName,
+    _In_ PUNICODE_STRING ObjectName,
+    _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+    _In_ HANDLE ClientToken,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ ACCESS_MASK GrantedAccess,
+    _In_opt_ PPRIVILEGE_SET Privileges,
+    _In_ BOOLEAN ObjectCreation,
+    _In_ BOOLEAN AccessGranted,
+    _Out_ PBOOLEAN GenerateOnClose
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtPrivilegeObjectAuditAlarm(
+    _In_ PUNICODE_STRING SubsystemName,
+    _In_opt_ PVOID HandleId,
+    _In_ HANDLE ClientToken,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ PPRIVILEGE_SET Privileges,
+    _In_ BOOLEAN AccessGranted
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCloseObjectAuditAlarm(
+    _In_ PUNICODE_STRING SubsystemName,
+    _In_opt_ PVOID HandleId,
+    _In_ BOOLEAN GenerateOnClose
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtDeleteObjectAuditAlarm(
+    _In_ PUNICODE_STRING SubsystemName,
+    _In_opt_ PVOID HandleId,
+    _In_ BOOLEAN GenerateOnClose
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtPrivilegedServiceAuditAlarm(
+    _In_ PUNICODE_STRING SubsystemName,
+    _In_ PUNICODE_STRING ServiceName,
+    _In_ HANDLE ClientToken,
+    _In_ PPRIVILEGE_SET Privileges,
+    _In_ BOOLEAN AccessGranted
+    );
+
+// Misc.
+
+typedef enum _FILTER_BOOT_OPTION_OPERATION
+{
+    FilterBootOptionOperationOpenSystemStore,
+    FilterBootOptionOperationSetElement,
+    FilterBootOptionOperationDeleteElement,
+    FilterBootOptionOperationMax
+} FILTER_BOOT_OPTION_OPERATION;
+
+#if (PHNT_VERSION >= PHNT_THRESHOLD)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtFilterBootOption(
+    _In_ FILTER_BOOT_OPTION_OPERATION FilterOperation,
+    _In_ ULONG ObjectType,
+    _In_ ULONG ElementType,
+    _In_reads_bytes_opt_(DataSize) PVOID Data,
+    _In_ ULONG DataSize
+    );
+#endif
+
+#endif

phnt/include/ntsmss.h

@@ -0,0 +1,22 @@
+#ifndef _NTSMSS_H
+#define _NTSMSS_H
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlConnectToSm(
+    _In_ PUNICODE_STRING ApiPortName,
+    _In_ HANDLE ApiPortHandle,
+    _In_ DWORD ProcessImageType,
+    _Out_ PHANDLE SmssConnection
+    );
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlSendMsgToSm(
+    _In_ HANDLE ApiPortHandle,
+    _In_ PPORT_MESSAGE MessageData
+    );
+
+#endif

phnt/include/nttmapi.h

@@ -0,0 +1,473 @@
+#ifndef _NTTMAPI_H
+#define _NTTMAPI_H
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateTransactionManager(
+    _Out_ PHANDLE TmHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _In_opt_ PUNICODE_STRING LogFileName,
+    _In_opt_ ULONG CreateOptions,
+    _In_opt_ ULONG CommitStrength
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenTransactionManager(
+    _Out_ PHANDLE TmHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _In_opt_ PUNICODE_STRING LogFileName,
+    _In_opt_ LPGUID TmIdentity,
+    _In_opt_ ULONG OpenOptions
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRenameTransactionManager(
+    _In_ PUNICODE_STRING LogFileName,
+    _In_ LPGUID ExistingTransactionManagerGuid
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRollforwardTransactionManager(
+    _In_ HANDLE TransactionManagerHandle,
+    _In_opt_ PLARGE_INTEGER TmVirtualClock
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRecoverTransactionManager(
+    _In_ HANDLE TransactionManagerHandle
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryInformationTransactionManager(
+    _In_ HANDLE TransactionManagerHandle,
+    _In_ TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass,
+    _Out_writes_bytes_(TransactionManagerInformationLength) PVOID TransactionManagerInformation,
+    _In_ ULONG TransactionManagerInformationLength,
+    _Out_opt_ PULONG ReturnLength
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetInformationTransactionManager(
+    _In_opt_ HANDLE TmHandle,
+    _In_ TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass,
+    _In_reads_bytes_(TransactionManagerInformationLength) PVOID TransactionManagerInformation,
+    _In_ ULONG TransactionManagerInformationLength
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtEnumerateTransactionObject(
+    _In_opt_ HANDLE RootObjectHandle,
+    _In_ KTMOBJECT_TYPE QueryType,
+    _Inout_updates_bytes_(ObjectCursorLength) PKTMOBJECT_CURSOR ObjectCursor,
+    _In_ ULONG ObjectCursorLength,
+    _Out_ PULONG ReturnLength
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateTransaction(
+    _Out_ PHANDLE TransactionHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _In_opt_ LPGUID Uow,
+    _In_opt_ HANDLE TmHandle,
+    _In_opt_ ULONG CreateOptions,
+    _In_opt_ ULONG IsolationLevel,
+    _In_opt_ ULONG IsolationFlags,
+    _In_opt_ PLARGE_INTEGER Timeout,
+    _In_opt_ PUNICODE_STRING Description
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenTransaction(
+    _Out_ PHANDLE TransactionHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _In_ LPGUID Uow,
+    _In_opt_ HANDLE TmHandle
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryInformationTransaction(
+    _In_ HANDLE TransactionHandle,
+    _In_ TRANSACTION_INFORMATION_CLASS TransactionInformationClass,
+    _Out_writes_bytes_(TransactionInformationLength) PVOID TransactionInformation,
+    _In_ ULONG TransactionInformationLength,
+    _Out_opt_ PULONG ReturnLength
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetInformationTransaction(
+    _In_ HANDLE TransactionHandle,
+    _In_ TRANSACTION_INFORMATION_CLASS TransactionInformationClass,
+    _In_reads_bytes_(TransactionInformationLength) PVOID TransactionInformation,
+    _In_ ULONG TransactionInformationLength
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCommitTransaction(
+    _In_ HANDLE TransactionHandle,
+    _In_ BOOLEAN Wait
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRollbackTransaction(
+    _In_ HANDLE TransactionHandle,
+    _In_ BOOLEAN Wait
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateEnlistment(
+    _Out_ PHANDLE EnlistmentHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ HANDLE ResourceManagerHandle,
+    _In_ HANDLE TransactionHandle,
+    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _In_opt_ ULONG CreateOptions,
+    _In_ NOTIFICATION_MASK NotificationMask,
+    _In_opt_ PVOID EnlistmentKey
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenEnlistment(
+    _Out_ PHANDLE EnlistmentHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ HANDLE ResourceManagerHandle,
+    _In_ LPGUID EnlistmentGuid,
+    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryInformationEnlistment(
+    _In_ HANDLE EnlistmentHandle,
+    _In_ ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass,
+    _Out_writes_bytes_(EnlistmentInformationLength) PVOID EnlistmentInformation,
+    _In_ ULONG EnlistmentInformationLength,
+    _Out_opt_ PULONG ReturnLength
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetInformationEnlistment(
+    _In_opt_ HANDLE EnlistmentHandle,
+    _In_ ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass,
+    _In_reads_bytes_(EnlistmentInformationLength) PVOID EnlistmentInformation,
+    _In_ ULONG EnlistmentInformationLength
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRecoverEnlistment(
+    _In_ HANDLE EnlistmentHandle,
+    _In_opt_ PVOID EnlistmentKey
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtPrePrepareEnlistment(
+    _In_ HANDLE EnlistmentHandle,
+    _In_opt_ PLARGE_INTEGER TmVirtualClock
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtPrepareEnlistment(
+    _In_ HANDLE EnlistmentHandle,
+    _In_opt_ PLARGE_INTEGER TmVirtualClock
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCommitEnlistment(
+    _In_ HANDLE EnlistmentHandle,
+    _In_opt_ PLARGE_INTEGER TmVirtualClock
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRollbackEnlistment(
+    _In_ HANDLE EnlistmentHandle,
+    _In_opt_ PLARGE_INTEGER TmVirtualClock
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtPrePrepareComplete(
+    _In_ HANDLE EnlistmentHandle,
+    _In_opt_ PLARGE_INTEGER TmVirtualClock
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtPrepareComplete(
+    _In_ HANDLE EnlistmentHandle,
+    _In_opt_ PLARGE_INTEGER TmVirtualClock
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCommitComplete(
+    _In_ HANDLE EnlistmentHandle,
+    _In_opt_ PLARGE_INTEGER TmVirtualClock
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtReadOnlyEnlistment(
+    _In_ HANDLE EnlistmentHandle,
+    _In_opt_ PLARGE_INTEGER TmVirtualClock
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRollbackComplete(
+    _In_ HANDLE EnlistmentHandle,
+    _In_opt_ PLARGE_INTEGER TmVirtualClock
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSinglePhaseReject(
+    _In_ HANDLE EnlistmentHandle,
+    _In_opt_ PLARGE_INTEGER TmVirtualClock
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtCreateResourceManager(
+    _Out_ PHANDLE ResourceManagerHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ HANDLE TmHandle,
+    _In_ LPGUID RmGuid,
+    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _In_opt_ ULONG CreateOptions,
+    _In_opt_ PUNICODE_STRING Description
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtOpenResourceManager(
+    _Out_ PHANDLE ResourceManagerHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ HANDLE TmHandle,
+    _In_opt_ LPGUID ResourceManagerGuid,
+    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRecoverResourceManager(
+    _In_ HANDLE ResourceManagerHandle
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtGetNotificationResourceManager(
+    _In_ HANDLE ResourceManagerHandle,
+    _Out_ PTRANSACTION_NOTIFICATION TransactionNotification,
+    _In_ ULONG NotificationLength,
+    _In_opt_ PLARGE_INTEGER Timeout,
+    _Out_opt_ PULONG ReturnLength,
+    _In_ ULONG Asynchronous,
+    _In_opt_ ULONG_PTR AsynchronousContext
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryInformationResourceManager(
+    _In_ HANDLE ResourceManagerHandle,
+    _In_ RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass,
+    _Out_writes_bytes_(ResourceManagerInformationLength) PVOID ResourceManagerInformation,
+    _In_ ULONG ResourceManagerInformationLength,
+    _Out_opt_ PULONG ReturnLength
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetInformationResourceManager(
+    _In_ HANDLE ResourceManagerHandle,
+    _In_ RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass,
+    _In_reads_bytes_(ResourceManagerInformationLength) PVOID ResourceManagerInformation,
+    _In_ ULONG ResourceManagerInformationLength
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRegisterProtocolAddressInformation(
+    _In_ HANDLE ResourceManager,
+    _In_ PCRM_PROTOCOL_ID ProtocolId,
+    _In_ ULONG ProtocolInformationSize,
+    _In_ PVOID ProtocolInformation,
+    _In_opt_ ULONG CreateOptions
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtPropagationComplete(
+    _In_ HANDLE ResourceManagerHandle,
+    _In_ ULONG RequestCookie,
+    _In_ ULONG BufferLength,
+    _In_ PVOID Buffer
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtPropagationFailed(
+    _In_ HANDLE ResourceManagerHandle,
+    _In_ ULONG RequestCookie,
+    _In_ NTSTATUS PropStatus
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+// private
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtFreezeTransactions(
+    _In_ PLARGE_INTEGER FreezeTimeout,
+    _In_ PLARGE_INTEGER ThawTimeout
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+// private
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtThawTransactions(
+    VOID
+    );
+#endif
+
+#endif

phnt/include/nttp.h

@@ -0,0 +1,430 @@
+#ifndef _NTTP_H
+#define _NTTP_H
+
+// Some types are already defined in winnt.h.
+
+typedef struct _TP_ALPC TP_ALPC, *PTP_ALPC;
+
+// private
+typedef VOID (NTAPI *PTP_ALPC_CALLBACK)(
+    _Inout_ PTP_CALLBACK_INSTANCE Instance,
+    _Inout_opt_ PVOID Context,
+    _In_ PTP_ALPC Alpc
+    );
+
+// rev
+typedef VOID (NTAPI *PTP_ALPC_CALLBACK_EX)(
+    _Inout_ PTP_CALLBACK_INSTANCE Instance,
+    _Inout_opt_ PVOID Context,
+    _In_ PTP_ALPC Alpc,
+    _In_ PVOID ApcContext
+    );
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+
+// private
+_Check_return_
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpAllocPool(
+    _Out_ PTP_POOL *PoolReturn,
+    _Reserved_ PVOID Reserved
+    );
+
+// winbase:CloseThreadpool
+NTSYSAPI
+VOID
+NTAPI
+TpReleasePool(
+    _Inout_ PTP_POOL Pool
+    );
+
+// winbase:SetThreadpoolThreadMaximum
+NTSYSAPI
+VOID
+NTAPI
+TpSetPoolMaxThreads(
+    _Inout_ PTP_POOL Pool,
+    _In_ LONG MaxThreads
+    );
+
+// private
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpSetPoolMinThreads(
+    _Inout_ PTP_POOL Pool,
+    _In_ LONG MinThreads
+    );
+
+#if (PHNT_VERSION >= PHNT_WIN7)
+// rev
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpQueryPoolStackInformation(
+    _In_ PTP_POOL Pool,
+    _Out_ PTP_POOL_STACK_INFORMATION PoolStackInformation
+    );
+#endif
+
+#if (PHNT_VERSION >= PHNT_WIN7)
+// rev
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpSetPoolStackInformation(
+    _Inout_ PTP_POOL Pool,
+    _In_ PTP_POOL_STACK_INFORMATION PoolStackInformation
+    );
+#endif
+
+// private
+_Check_return_
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpAllocCleanupGroup(
+    _Out_ PTP_CLEANUP_GROUP *CleanupGroupReturn
+    );
+
+// winbase:CloseThreadpoolCleanupGroup
+NTSYSAPI
+VOID
+NTAPI
+TpReleaseCleanupGroup(
+    _Inout_ PTP_CLEANUP_GROUP CleanupGroup
+    );
+
+// winbase:CloseThreadpoolCleanupGroupMembers
+NTSYSAPI
+VOID
+NTAPI
+TpReleaseCleanupGroupMembers(
+    _Inout_ PTP_CLEANUP_GROUP CleanupGroup,
+    _In_ LOGICAL CancelPendingCallbacks,
+    _Inout_opt_ PVOID CleanupParameter
+    );
+
+// winbase:SetEventWhenCallbackReturns
+NTSYSAPI
+VOID
+NTAPI
+TpCallbackSetEventOnCompletion(
+    _Inout_ PTP_CALLBACK_INSTANCE Instance,
+    _In_ HANDLE Event
+    );
+
+// winbase:ReleaseSemaphoreWhenCallbackReturns
+NTSYSAPI
+VOID
+NTAPI
+TpCallbackReleaseSemaphoreOnCompletion(
+    _Inout_ PTP_CALLBACK_INSTANCE Instance,
+    _In_ HANDLE Semaphore,
+    _In_ LONG ReleaseCount
+    );
+
+// winbase:ReleaseMutexWhenCallbackReturns
+NTSYSAPI
+VOID
+NTAPI
+TpCallbackReleaseMutexOnCompletion(
+    _Inout_ PTP_CALLBACK_INSTANCE Instance,
+    _In_ HANDLE Mutex
+    );
+
+// winbase:LeaveCriticalSectionWhenCallbackReturns
+NTSYSAPI
+VOID
+NTAPI
+TpCallbackLeaveCriticalSectionOnCompletion(
+    _Inout_ PTP_CALLBACK_INSTANCE Instance,
+    _Inout_ PRTL_CRITICAL_SECTION CriticalSection
+    );
+
+// winbase:FreeLibraryWhenCallbackReturns
+NTSYSAPI
+VOID
+NTAPI
+TpCallbackUnloadDllOnCompletion(
+    _Inout_ PTP_CALLBACK_INSTANCE Instance,
+    _In_ PVOID DllHandle
+    );
+
+// winbase:CallbackMayRunLong
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpCallbackMayRunLong(
+    _Inout_ PTP_CALLBACK_INSTANCE Instance
+    );
+
+// winbase:DisassociateCurrentThreadFromCallback
+NTSYSAPI
+VOID
+NTAPI
+TpDisassociateCallback(
+    _Inout_ PTP_CALLBACK_INSTANCE Instance
+    );
+
+// winbase:TrySubmitThreadpoolCallback
+_Check_return_
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpSimpleTryPost(
+    _In_ PTP_SIMPLE_CALLBACK Callback,
+    _Inout_opt_ PVOID Context,
+    _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
+    );
+
+// private
+_Check_return_
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpAllocWork(
+    _Out_ PTP_WORK *WorkReturn,
+    _In_ PTP_WORK_CALLBACK Callback,
+    _Inout_opt_ PVOID Context,
+    _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
+    );
+
+// winbase:CloseThreadpoolWork
+NTSYSAPI
+VOID
+NTAPI
+TpReleaseWork(
+    _Inout_ PTP_WORK Work
+    );
+
+// winbase:SubmitThreadpoolWork
+NTSYSAPI
+VOID
+NTAPI
+TpPostWork(
+    _Inout_ PTP_WORK Work
+    );
+
+// winbase:WaitForThreadpoolWorkCallbacks
+NTSYSAPI
+VOID
+NTAPI
+TpWaitForWork(
+    _Inout_ PTP_WORK Work,
+    _In_ LOGICAL CancelPendingCallbacks
+    );
+
+// private
+_Check_return_
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpAllocTimer(
+    _Out_ PTP_TIMER *Timer,
+    _In_ PTP_TIMER_CALLBACK Callback,
+    _Inout_opt_ PVOID Context,
+    _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
+    );
+
+// winbase:CloseThreadpoolTimer
+NTSYSAPI
+VOID
+NTAPI
+TpReleaseTimer(
+    _Inout_ PTP_TIMER Timer
+    );
+
+// winbase:SetThreadpoolTimer
+NTSYSAPI
+VOID
+NTAPI
+TpSetTimer(
+    _Inout_ PTP_TIMER Timer,
+    _In_opt_ PLARGE_INTEGER DueTime,
+    _In_ LONG Period,
+    _In_opt_ LONG WindowLength
+    );
+
+// winbase:IsThreadpoolTimerSet
+NTSYSAPI
+LOGICAL
+NTAPI
+TpIsTimerSet(
+    _In_ PTP_TIMER Timer
+    );
+
+// winbase:WaitForThreadpoolTimerCallbacks
+NTSYSAPI
+VOID
+NTAPI
+TpWaitForTimer(
+    _Inout_ PTP_TIMER Timer,
+    _In_ LOGICAL CancelPendingCallbacks
+    );
+
+// private
+_Check_return_
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpAllocWait(
+    _Out_ PTP_WAIT *WaitReturn,
+    _In_ PTP_WAIT_CALLBACK Callback,
+    _Inout_opt_ PVOID Context,
+    _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
+    );
+
+// winbase:CloseThreadpoolWait
+NTSYSAPI
+VOID
+NTAPI
+TpReleaseWait(
+    _Inout_ PTP_WAIT Wait
+    );
+
+// winbase:SetThreadpoolWait
+NTSYSAPI
+VOID
+NTAPI
+TpSetWait(
+    _Inout_ PTP_WAIT Wait,
+    _In_opt_ HANDLE Handle,
+    _In_opt_ PLARGE_INTEGER Timeout
+    );
+
+// winbase:WaitForThreadpoolWaitCallbacks
+NTSYSAPI
+VOID
+NTAPI
+TpWaitForWait(
+    _Inout_ PTP_WAIT Wait,
+    _In_ LOGICAL CancelPendingCallbacks
+    );
+
+// private
+typedef VOID (NTAPI *PTP_IO_CALLBACK)(
+    _Inout_ PTP_CALLBACK_INSTANCE Instance,
+    _Inout_opt_ PVOID Context,
+    _In_ PVOID ApcContext,
+    _In_ PIO_STATUS_BLOCK IoSB,
+    _In_ PTP_IO Io
+    );
+
+// private
+_Check_return_
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpAllocIoCompletion(
+    _Out_ PTP_IO *IoReturn,
+    _In_ HANDLE File,
+    _In_ PTP_IO_CALLBACK Callback,
+    _Inout_opt_ PVOID Context,
+    _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
+    );
+
+// winbase:CloseThreadpoolIo
+NTSYSAPI
+VOID
+NTAPI
+TpReleaseIoCompletion(
+    _Inout_ PTP_IO Io
+    );
+
+// winbase:StartThreadpoolIo
+NTSYSAPI
+VOID
+NTAPI
+TpStartAsyncIoOperation(
+    _Inout_ PTP_IO Io
+    );
+
+// winbase:CancelThreadpoolIo
+NTSYSAPI
+VOID
+NTAPI
+TpCancelAsyncIoOperation(
+    _Inout_ PTP_IO Io
+    );
+
+// winbase:WaitForThreadpoolIoCallbacks
+NTSYSAPI
+VOID
+NTAPI
+TpWaitForIoCompletion(
+    _Inout_ PTP_IO Io,
+    _In_ LOGICAL CancelPendingCallbacks
+    );
+
+// private
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpAllocAlpcCompletion(
+    _Out_ PTP_ALPC *AlpcReturn,
+    _In_ HANDLE AlpcPort,
+    _In_ PTP_ALPC_CALLBACK Callback,
+    _Inout_opt_ PVOID Context,
+    _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
+    );
+
+#if (PHNT_VERSION >= PHNT_WIN7)
+// rev
+NTSYSAPI
+NTSTATUS
+NTAPI
+TpAllocAlpcCompletionEx(
+    _Out_ PTP_ALPC *AlpcReturn,
+    _In_ HANDLE AlpcPort,
+    _In_ PTP_ALPC_CALLBACK_EX Callback,
+    _Inout_opt_ PVOID Context,
+    _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
+    );
+#endif
+
+// private
+NTSYSAPI
+VOID
+NTAPI
+TpReleaseAlpcCompletion(
+    _Inout_ PTP_ALPC Alpc
+    );
+
+// private
+NTSYSAPI
+VOID
+NTAPI
+TpWaitForAlpcCompletion(
+    _Inout_ PTP_ALPC Alpc
+    );
+
+// private
+typedef enum _TP_TRACE_TYPE
+{
+    TpTraceThreadPriority = 1,
+    TpTraceThreadAffinity,
+    MaxTpTraceType
+} TP_TRACE_TYPE;
+
+// private
+NTSYSAPI
+VOID
+NTAPI
+TpCaptureCaller(
+    _In_ TP_TRACE_TYPE Type
+    );
+
+// private
+NTSYSAPI
+VOID
+NTAPI
+TpCheckTerminateWorker(
+    _In_ HANDLE Thread
+    );
+
+#endif
+
+#endif

phnt/include/ntwow64.h

@@ -0,0 +1,567 @@
+#ifndef _NTWOW64_H
+#define _NTWOW64_H
+
+#define WOW64_SYSTEM_DIRECTORY "SysWOW64"
+#define WOW64_SYSTEM_DIRECTORY_U L"SysWOW64"
+#define WOW64_X86_TAG " (x86)"
+#define WOW64_X86_TAG_U L" (x86)"
+
+// In USER_SHARED_DATA
+typedef enum _WOW64_SHARED_INFORMATION
+{
+    SharedNtdll32LdrInitializeThunk,
+    SharedNtdll32KiUserExceptionDispatcher,
+    SharedNtdll32KiUserApcDispatcher,
+    SharedNtdll32KiUserCallbackDispatcher,
+    SharedNtdll32ExpInterlockedPopEntrySListFault,
+    SharedNtdll32ExpInterlockedPopEntrySListResume,
+    SharedNtdll32ExpInterlockedPopEntrySListEnd,
+    SharedNtdll32RtlUserThreadStart,
+    SharedNtdll32pQueryProcessDebugInformationRemote,
+    SharedNtdll32BaseAddress,
+    SharedNtdll32LdrSystemDllInitBlock,
+    Wow64SharedPageEntriesCount
+} WOW64_SHARED_INFORMATION;
+
+// 32-bit definitions
+
+#define WOW64_POINTER(Type) ULONG
+
+typedef struct _RTL_BALANCED_NODE32
+{
+    union
+    {
+        WOW64_POINTER(struct _RTL_BALANCED_NODE *) Children[2];
+        struct
+        {
+            WOW64_POINTER(struct _RTL_BALANCED_NODE *) Left;
+            WOW64_POINTER(struct _RTL_BALANCED_NODE *) Right;
+        };
+    };
+    union
+    {
+        WOW64_POINTER(UCHAR) Red : 1;
+        WOW64_POINTER(UCHAR) Balance : 2;
+        WOW64_POINTER(ULONG_PTR) ParentValue;
+    };
+} RTL_BALANCED_NODE32, *PRTL_BALANCED_NODE32;
+
+typedef struct _RTL_RB_TREE32
+{
+    WOW64_POINTER(PRTL_BALANCED_NODE) Root;
+    WOW64_POINTER(PRTL_BALANCED_NODE) Min;
+} RTL_RB_TREE32, *PRTL_RB_TREE32;
+
+typedef struct _PEB_LDR_DATA32
+{
+    ULONG Length;
+    BOOLEAN Initialized;
+    WOW64_POINTER(HANDLE) SsHandle;
+    LIST_ENTRY32 InLoadOrderModuleList;
+    LIST_ENTRY32 InMemoryOrderModuleList;
+    LIST_ENTRY32 InInitializationOrderModuleList;
+    WOW64_POINTER(PVOID) EntryInProgress;
+    BOOLEAN ShutdownInProgress;
+    WOW64_POINTER(HANDLE) ShutdownThreadId;
+} PEB_LDR_DATA32, *PPEB_LDR_DATA32;
+
+typedef struct _LDR_SERVICE_TAG_RECORD32
+{
+    WOW64_POINTER(struct _LDR_SERVICE_TAG_RECORD *) Next;
+    ULONG ServiceTag;
+} LDR_SERVICE_TAG_RECORD32, *PLDR_SERVICE_TAG_RECORD32;
+
+typedef struct _LDRP_CSLIST32
+{
+    WOW64_POINTER(PSINGLE_LIST_ENTRY) Tail;
+} LDRP_CSLIST32, *PLDRP_CSLIST32;
+
+typedef struct _LDR_DDAG_NODE32
+{
+    LIST_ENTRY32 Modules;
+    WOW64_POINTER(PLDR_SERVICE_TAG_RECORD) ServiceTagList;
+    ULONG LoadCount;
+    ULONG LoadWhileUnloadingCount;
+    ULONG LowestLink;
+    union
+    {
+        LDRP_CSLIST32 Dependencies;
+        SINGLE_LIST_ENTRY32 RemovalLink;
+    };
+    LDRP_CSLIST32 IncomingDependencies;
+    LDR_DDAG_STATE State;
+    SINGLE_LIST_ENTRY32 CondenseLink;
+    ULONG PreorderNumber;
+} LDR_DDAG_NODE32, *PLDR_DDAG_NODE32;
+
+#define LDR_DATA_TABLE_ENTRY_SIZE_WINXP_32 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY32, DdagNode)
+#define LDR_DATA_TABLE_ENTRY_SIZE_WIN7_32 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY32, BaseNameHashValue)
+#define LDR_DATA_TABLE_ENTRY_SIZE_WIN8_32 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY32, ImplicitPathOptions)
+
+typedef struct _LDR_DATA_TABLE_ENTRY32
+{
+    LIST_ENTRY32 InLoadOrderLinks;
+    LIST_ENTRY32 InMemoryOrderLinks;
+    union
+    {
+        LIST_ENTRY32 InInitializationOrderLinks;
+        LIST_ENTRY32 InProgressLinks;
+    };
+    WOW64_POINTER(PVOID) DllBase;
+    WOW64_POINTER(PVOID) EntryPoint;
+    ULONG SizeOfImage;
+    UNICODE_STRING32 FullDllName;
+    UNICODE_STRING32 BaseDllName;
+    union
+    {
+        UCHAR FlagGroup[4];
+        ULONG Flags;
+        struct
+        {
+            ULONG PackagedBinary : 1;
+            ULONG MarkedForRemoval : 1;
+            ULONG ImageDll : 1;
+            ULONG LoadNotificationsSent : 1;
+            ULONG TelemetryEntryProcessed : 1;
+            ULONG ProcessStaticImport : 1;
+            ULONG InLegacyLists : 1;
+            ULONG InIndexes : 1;
+            ULONG ShimDll : 1;
+            ULONG InExceptionTable : 1;
+            ULONG ReservedFlags1 : 2;
+            ULONG LoadInProgress : 1;
+            ULONG LoadConfigProcessed : 1;
+            ULONG EntryProcessed : 1;
+            ULONG ProtectDelayLoad : 1;
+            ULONG ReservedFlags3 : 2;
+            ULONG DontCallForThreads : 1;
+            ULONG ProcessAttachCalled : 1;
+            ULONG ProcessAttachFailed : 1;
+            ULONG CorDeferredValidate : 1;
+            ULONG CorImage : 1;
+            ULONG DontRelocate : 1;
+            ULONG CorILOnly : 1;
+            ULONG ReservedFlags5 : 3;
+            ULONG Redirected : 1;
+            ULONG ReservedFlags6 : 2;
+            ULONG CompatDatabaseProcessed : 1;
+        };
+    };
+    USHORT ObsoleteLoadCount;
+    USHORT TlsIndex;
+    LIST_ENTRY32 HashLinks;
+    ULONG TimeDateStamp;
+    WOW64_POINTER(struct _ACTIVATION_CONTEXT *) EntryPointActivationContext;
+    WOW64_POINTER(PVOID) Lock;
+    WOW64_POINTER(PLDR_DDAG_NODE) DdagNode;
+    LIST_ENTRY32 NodeModuleLink;
+    WOW64_POINTER(struct _LDRP_LOAD_CONTEXT *) LoadContext;
+    WOW64_POINTER(PVOID) ParentDllBase;
+    WOW64_POINTER(PVOID) SwitchBackContext;
+    RTL_BALANCED_NODE32 BaseAddressIndexNode;
+    RTL_BALANCED_NODE32 MappingInfoIndexNode;
+    WOW64_POINTER(ULONG_PTR) OriginalBase;
+    LARGE_INTEGER LoadTime;
+    ULONG BaseNameHashValue;
+    LDR_DLL_LOAD_REASON LoadReason;
+    ULONG ImplicitPathOptions;
+    ULONG ReferenceCount;
+    ULONG DependentLoadFlags;
+} LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32;
+
+typedef struct _CURDIR32
+{
+    UNICODE_STRING32 DosPath;
+    WOW64_POINTER(HANDLE) Handle;
+} CURDIR32, *PCURDIR32;
+
+typedef struct _RTL_DRIVE_LETTER_CURDIR32
+{
+    USHORT Flags;
+    USHORT Length;
+    ULONG TimeStamp;
+    STRING32 DosPath;
+} RTL_DRIVE_LETTER_CURDIR32, *PRTL_DRIVE_LETTER_CURDIR32;
+
+typedef struct _RTL_USER_PROCESS_PARAMETERS32
+{
+    ULONG MaximumLength;
+    ULONG Length;
+
+    ULONG Flags;
+    ULONG DebugFlags;
+
+    WOW64_POINTER(HANDLE) ConsoleHandle;
+    ULONG ConsoleFlags;
+    WOW64_POINTER(HANDLE) StandardInput;
+    WOW64_POINTER(HANDLE) StandardOutput;
+    WOW64_POINTER(HANDLE) StandardError;
+
+    CURDIR32 CurrentDirectory;
+    UNICODE_STRING32 DllPath;
+    UNICODE_STRING32 ImagePathName;
+    UNICODE_STRING32 CommandLine;
+    WOW64_POINTER(PVOID) Environment;
+
+    ULONG StartingX;
+    ULONG StartingY;
+    ULONG CountX;
+    ULONG CountY;
+    ULONG CountCharsX;
+    ULONG CountCharsY;
+    ULONG FillAttribute;
+
+    ULONG WindowFlags;
+    ULONG ShowWindowFlags;
+    UNICODE_STRING32 WindowTitle;
+    UNICODE_STRING32 DesktopInfo;
+    UNICODE_STRING32 ShellInfo;
+    UNICODE_STRING32 RuntimeData;
+    RTL_DRIVE_LETTER_CURDIR32 CurrentDirectories[RTL_MAX_DRIVE_LETTERS];
+
+    WOW64_POINTER(ULONG_PTR) EnvironmentSize;
+    WOW64_POINTER(ULONG_PTR) EnvironmentVersion;
+    WOW64_POINTER(PVOID) PackageDependencyData;
+    ULONG ProcessGroupId;
+    ULONG LoaderThreads;
+} RTL_USER_PROCESS_PARAMETERS32, *PRTL_USER_PROCESS_PARAMETERS32;
+
+typedef struct _PEB32
+{
+    BOOLEAN InheritedAddressSpace;
+    BOOLEAN ReadImageFileExecOptions;
+    BOOLEAN BeingDebugged;
+    union
+    {
+        BOOLEAN BitField;
+        struct
+        {
+            BOOLEAN ImageUsesLargePages : 1;
+            BOOLEAN IsProtectedProcess : 1;
+            BOOLEAN IsImageDynamicallyRelocated : 1;
+            BOOLEAN SkipPatchingUser32Forwarders : 1;
+            BOOLEAN IsPackagedProcess : 1;
+            BOOLEAN IsAppContainer : 1;
+            BOOLEAN IsProtectedProcessLight : 1;
+            BOOLEAN IsLongPathAwareProcess : 1;
+        };
+    };
+    WOW64_POINTER(HANDLE) Mutant;
+
+    WOW64_POINTER(PVOID) ImageBaseAddress;
+    WOW64_POINTER(PPEB_LDR_DATA) Ldr;
+    WOW64_POINTER(PRTL_USER_PROCESS_PARAMETERS) ProcessParameters;
+    WOW64_POINTER(PVOID) SubSystemData;
+    WOW64_POINTER(PVOID) ProcessHeap;
+    WOW64_POINTER(PRTL_CRITICAL_SECTION) FastPebLock;
+    WOW64_POINTER(PVOID) AtlThunkSListPtr;
+    WOW64_POINTER(PVOID) IFEOKey;
+    union
+    {
+        ULONG CrossProcessFlags;
+        struct
+        {
+            ULONG ProcessInJob : 1;
+            ULONG ProcessInitializing : 1;
+            ULONG ProcessUsingVEH : 1;
+            ULONG ProcessUsingVCH : 1;
+            ULONG ProcessUsingFTH : 1;
+            ULONG ReservedBits0 : 27;
+        };
+    };
+    union
+    {
+        WOW64_POINTER(PVOID) KernelCallbackTable;
+        WOW64_POINTER(PVOID) UserSharedInfoPtr;
+    };
+    ULONG SystemReserved[1];
+    ULONG AtlThunkSListPtr32;
+    WOW64_POINTER(PVOID) ApiSetMap;
+    ULONG TlsExpansionCounter;
+    WOW64_POINTER(PVOID) TlsBitmap;
+    ULONG TlsBitmapBits[2];
+    WOW64_POINTER(PVOID) ReadOnlySharedMemoryBase;
+    WOW64_POINTER(PVOID) HotpatchInformation;
+    WOW64_POINTER(PVOID *) ReadOnlyStaticServerData;
+    WOW64_POINTER(PVOID) AnsiCodePageData;
+    WOW64_POINTER(PVOID) OemCodePageData;
+    WOW64_POINTER(PVOID) UnicodeCaseTableData;
+
+    ULONG NumberOfProcessors;
+    ULONG NtGlobalFlag;
+
+    LARGE_INTEGER CriticalSectionTimeout;
+    WOW64_POINTER(SIZE_T) HeapSegmentReserve;
+    WOW64_POINTER(SIZE_T) HeapSegmentCommit;
+    WOW64_POINTER(SIZE_T) HeapDeCommitTotalFreeThreshold;
+    WOW64_POINTER(SIZE_T) HeapDeCommitFreeBlockThreshold;
+
+    ULONG NumberOfHeaps;
+    ULONG MaximumNumberOfHeaps;
+    WOW64_POINTER(PVOID *) ProcessHeaps;
+
+    WOW64_POINTER(PVOID) GdiSharedHandleTable;
+    WOW64_POINTER(PVOID) ProcessStarterHelper;
+    ULONG GdiDCAttributeList;
+
+    WOW64_POINTER(PRTL_CRITICAL_SECTION) LoaderLock;
+
+    ULONG OSMajorVersion;
+    ULONG OSMinorVersion;
+    USHORT OSBuildNumber;
+    USHORT OSCSDVersion;
+    ULONG OSPlatformId;
+    ULONG ImageSubsystem;
+    ULONG ImageSubsystemMajorVersion;
+    ULONG ImageSubsystemMinorVersion;
+    WOW64_POINTER(ULONG_PTR) ActiveProcessAffinityMask;
+    GDI_HANDLE_BUFFER32 GdiHandleBuffer;
+    WOW64_POINTER(PVOID) PostProcessInitRoutine;
+
+    WOW64_POINTER(PVOID) TlsExpansionBitmap;
+    ULONG TlsExpansionBitmapBits[32];
+
+    ULONG SessionId;
+
+    ULARGE_INTEGER AppCompatFlags;
+    ULARGE_INTEGER AppCompatFlagsUser;
+    WOW64_POINTER(PVOID) pShimData;
+    WOW64_POINTER(PVOID) AppCompatInfo;
+
+    UNICODE_STRING32 CSDVersion;
+
+    WOW64_POINTER(PVOID) ActivationContextData;
+    WOW64_POINTER(PVOID) ProcessAssemblyStorageMap;
+    WOW64_POINTER(PVOID) SystemDefaultActivationContextData;
+    WOW64_POINTER(PVOID) SystemAssemblyStorageMap;
+
+    WOW64_POINTER(SIZE_T) MinimumStackCommit;
+
+    WOW64_POINTER(PVOID *) FlsCallback;
+    LIST_ENTRY32 FlsListHead;
+    WOW64_POINTER(PVOID) FlsBitmap;
+    ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)];
+    ULONG FlsHighIndex;
+
+    WOW64_POINTER(PVOID) WerRegistrationData;
+    WOW64_POINTER(PVOID) WerShipAssertPtr;
+    WOW64_POINTER(PVOID) pContextData;
+    WOW64_POINTER(PVOID) pImageHeaderHash;
+    union
+    {
+        ULONG TracingFlags;
+        struct
+        {
+            ULONG HeapTracingEnabled : 1;
+            ULONG CritSecTracingEnabled : 1;
+            ULONG LibLoaderTracingEnabled : 1;
+            ULONG SpareTracingBits : 29;
+        };
+    };
+    ULONGLONG CsrServerReadOnlySharedMemoryBase;
+    WOW64_POINTER(PVOID) TppWorkerpListLock;
+    LIST_ENTRY32 TppWorkerpList;
+    WOW64_POINTER(PVOID) WaitOnAddressHashTable[128];
+} PEB32, *PPEB32;
+
+C_ASSERT(FIELD_OFFSET(PEB32, IFEOKey) == 0x024);
+C_ASSERT(FIELD_OFFSET(PEB32, UnicodeCaseTableData) == 0x060);
+C_ASSERT(FIELD_OFFSET(PEB32, SystemAssemblyStorageMap) == 0x204);
+C_ASSERT(FIELD_OFFSET(PEB32, pImageHeaderHash) == 0x23c);
+C_ASSERT(FIELD_OFFSET(PEB32, WaitOnAddressHashTable) == 0x25c);
+C_ASSERT(sizeof(PEB32) == 0x460);
+
+#define GDI_BATCH_BUFFER_SIZE 310
+
+typedef struct _GDI_TEB_BATCH32
+{
+    ULONG Offset;
+    WOW64_POINTER(ULONG_PTR) HDC;
+    ULONG Buffer[GDI_BATCH_BUFFER_SIZE];
+} GDI_TEB_BATCH32, *PGDI_TEB_BATCH32;
+
+typedef struct _TEB32
+{
+    NT_TIB32 NtTib;
+
+    WOW64_POINTER(PVOID) EnvironmentPointer;
+    CLIENT_ID32 ClientId;
+    WOW64_POINTER(PVOID) ActiveRpcHandle;
+    WOW64_POINTER(PVOID) ThreadLocalStoragePointer;
+    WOW64_POINTER(PPEB) ProcessEnvironmentBlock;
+
+    ULONG LastErrorValue;
+    ULONG CountOfOwnedCriticalSections;
+    WOW64_POINTER(PVOID) CsrClientThread;
+    WOW64_POINTER(PVOID) Win32ThreadInfo;
+    ULONG User32Reserved[26];
+    ULONG UserReserved[5];
+    WOW64_POINTER(PVOID) WOW32Reserved;
+    LCID CurrentLocale;
+    ULONG FpSoftwareStatusRegister;
+    WOW64_POINTER(PVOID) ReservedForDebuggerInstrumentation[16];
+    WOW64_POINTER(PVOID) SystemReserved1[36];
+    UCHAR WorkingOnBehalfTicket[8];
+    NTSTATUS ExceptionCode;
+
+    WOW64_POINTER(PVOID) ActivationContextStackPointer;
+    WOW64_POINTER(ULONG_PTR) InstrumentationCallbackSp;
+    WOW64_POINTER(ULONG_PTR) InstrumentationCallbackPreviousPc;
+    WOW64_POINTER(ULONG_PTR) InstrumentationCallbackPreviousSp;
+    BOOLEAN InstrumentationCallbackDisabled;
+    UCHAR SpareBytes[23];
+    ULONG TxFsContext;
+
+    GDI_TEB_BATCH32 GdiTebBatch;
+    CLIENT_ID32 RealClientId;
+    WOW64_POINTER(HANDLE) GdiCachedProcessHandle;
+    ULONG GdiClientPID;
+    ULONG GdiClientTID;
+    WOW64_POINTER(PVOID) GdiThreadLocalInfo;
+    WOW64_POINTER(ULONG_PTR) Win32ClientInfo[62];
+    WOW64_POINTER(PVOID) glDispatchTable[233];
+    WOW64_POINTER(ULONG_PTR) glReserved1[29];
+    WOW64_POINTER(PVOID) glReserved2;
+    WOW64_POINTER(PVOID) glSectionInfo;
+    WOW64_POINTER(PVOID) glSection;
+    WOW64_POINTER(PVOID) glTable;
+    WOW64_POINTER(PVOID) glCurrentRC;
+    WOW64_POINTER(PVOID) glContext;
+
+    NTSTATUS LastStatusValue;
+    UNICODE_STRING32 StaticUnicodeString;
+    WCHAR StaticUnicodeBuffer[261];
+
+    WOW64_POINTER(PVOID) DeallocationStack;
+    WOW64_POINTER(PVOID) TlsSlots[64];
+    LIST_ENTRY32 TlsLinks;
+
+    WOW64_POINTER(PVOID) Vdm;
+    WOW64_POINTER(PVOID) ReservedForNtRpc;
+    WOW64_POINTER(PVOID) DbgSsReserved[2];
+
+    ULONG HardErrorMode;
+    WOW64_POINTER(PVOID) Instrumentation[9];
+    GUID ActivityId;
+
+    WOW64_POINTER(PVOID) SubProcessTag;
+    WOW64_POINTER(PVOID) PerflibData;
+    WOW64_POINTER(PVOID) EtwTraceData;
+    WOW64_POINTER(PVOID) WinSockData;
+    ULONG GdiBatchCount;
+
+    union
+    {
+        PROCESSOR_NUMBER CurrentIdealProcessor;
+        ULONG IdealProcessorValue;
+        struct
+        {
+            UCHAR ReservedPad0;
+            UCHAR ReservedPad1;
+            UCHAR ReservedPad2;
+            UCHAR IdealProcessor;
+        };
+    };
+
+    ULONG GuaranteedStackBytes;
+    WOW64_POINTER(PVOID) ReservedForPerf;
+    WOW64_POINTER(PVOID) ReservedForOle;
+    ULONG WaitingOnLoaderLock;
+    WOW64_POINTER(PVOID) SavedPriorityState;
+    WOW64_POINTER(ULONG_PTR) ReservedForCodeCoverage;
+    WOW64_POINTER(PVOID) ThreadPoolData;
+    WOW64_POINTER(PVOID *) TlsExpansionSlots;
+
+    ULONG MuiGeneration;
+    ULONG IsImpersonating;
+    WOW64_POINTER(PVOID) NlsCache;
+    WOW64_POINTER(PVOID) pShimData;
+    USHORT HeapVirtualAffinity;
+    USHORT LowFragHeapDataSlot;
+    WOW64_POINTER(HANDLE) CurrentTransactionHandle;
+    WOW64_POINTER(PTEB_ACTIVE_FRAME) ActiveFrame;
+    WOW64_POINTER(PVOID) FlsData;
+
+    WOW64_POINTER(PVOID) PreferredLanguages;
+    WOW64_POINTER(PVOID) UserPrefLanguages;
+    WOW64_POINTER(PVOID) MergedPrefLanguages;
+    ULONG MuiImpersonation;
+
+    union
+    {
+        USHORT CrossTebFlags;
+        USHORT SpareCrossTebBits : 16;
+    };
+    union
+    {
+        USHORT SameTebFlags;
+        struct
+        {
+            USHORT SafeThunkCall : 1;
+            USHORT InDebugPrint : 1;
+            USHORT HasFiberData : 1;
+            USHORT SkipThreadAttach : 1;
+            USHORT WerInShipAssertCode : 1;
+            USHORT RanProcessInit : 1;
+            USHORT ClonedThread : 1;
+            USHORT SuppressDebugMsg : 1;
+            USHORT DisableUserStackWalk : 1;
+            USHORT RtlExceptionAttached : 1;
+            USHORT InitialThread : 1;
+            USHORT SessionAware : 1;
+            USHORT LoadOwner : 1;
+            USHORT LoaderWorker : 1;
+            USHORT SpareSameTebBits : 2;
+        };
+    };
+
+    WOW64_POINTER(PVOID) TxnScopeEnterCallback;
+    WOW64_POINTER(PVOID) TxnScopeExitCallback;
+    WOW64_POINTER(PVOID) TxnScopeContext;
+    ULONG LockCount;
+    LONG WowTebOffset;
+    WOW64_POINTER(PVOID) ResourceRetValue;
+    WOW64_POINTER(PVOID) ReservedForWdf;
+    ULONGLONG ReservedForCrt;
+    GUID EffectiveContainerId;
+} TEB32, *PTEB32;
+
+C_ASSERT(FIELD_OFFSET(TEB32, ProcessEnvironmentBlock) == 0x030);
+C_ASSERT(FIELD_OFFSET(TEB32, ExceptionCode) == 0x1a4);
+C_ASSERT(FIELD_OFFSET(TEB32, TxFsContext) == 0x1d0);
+C_ASSERT(FIELD_OFFSET(TEB32, glContext) == 0xbf0);
+C_ASSERT(FIELD_OFFSET(TEB32, StaticUnicodeBuffer) == 0xc00);
+C_ASSERT(FIELD_OFFSET(TEB32, TlsLinks) == 0xf10);
+C_ASSERT(FIELD_OFFSET(TEB32, DbgSsReserved) == 0xf20);
+C_ASSERT(FIELD_OFFSET(TEB32, ActivityId) == 0xf50);
+C_ASSERT(FIELD_OFFSET(TEB32, GdiBatchCount) == 0xf70);
+C_ASSERT(FIELD_OFFSET(TEB32, TlsExpansionSlots) == 0xf94);
+C_ASSERT(FIELD_OFFSET(TEB32, FlsData) == 0xfb4);
+C_ASSERT(FIELD_OFFSET(TEB32, MuiImpersonation) == 0xfc4);
+C_ASSERT(FIELD_OFFSET(TEB32, ReservedForCrt) == 0xfe8);
+C_ASSERT(FIELD_OFFSET(TEB32, EffectiveContainerId) == 0xff0);
+C_ASSERT(sizeof(TEB32) == 0x1000);
+
+// Conversion
+
+FORCEINLINE VOID UStr32ToUStr(
+    _Out_ PUNICODE_STRING Destination,
+    _In_ PUNICODE_STRING32 Source
+    )
+{
+    Destination->Length = Source->Length;
+    Destination->MaximumLength = Source->MaximumLength;
+    Destination->Buffer = (PWCH)UlongToPtr(Source->Buffer);
+}
+
+FORCEINLINE VOID UStrToUStr32(
+    _Out_ PUNICODE_STRING32 Destination,
+    _In_ PUNICODE_STRING Source
+    )
+{
+    Destination->Length = Source->Length;
+    Destination->MaximumLength = Source->MaximumLength;
+    Destination->Buffer = PtrToUlong(Source->Buffer);
+}
+
+#endif

phnt/include/ntxcapi.h

@@ -0,0 +1,44 @@
+#ifndef _NTXCAPI_H
+#define _NTXCAPI_H
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlDispatchException(
+    _In_ PEXCEPTION_RECORD ExceptionRecord,
+    _In_ PCONTEXT ContextRecord
+    );
+
+NTSYSAPI
+DECLSPEC_NORETURN
+VOID
+NTAPI
+RtlRaiseStatus(
+    _In_ NTSTATUS Status
+    );
+
+NTSYSAPI
+VOID
+NTAPI
+RtlRaiseException(
+    _In_ PEXCEPTION_RECORD ExceptionRecord
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtContinue(
+    _In_ PCONTEXT ContextRecord,
+    _In_ BOOLEAN TestAlert
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRaiseException(
+    _In_ PEXCEPTION_RECORD ExceptionRecord,
+    _In_ PCONTEXT ContextRecord,
+    _In_ BOOLEAN FirstChance
+    );
+
+#endif

phnt/include/phnt.h

@@ -0,0 +1,102 @@
+#ifndef _PHNT_H
+#define _PHNT_H
+
+// This header file provides access to NT APIs.
+
+// Definitions are annotated to indicate their source. If a definition is not annotated, it has been
+// retrieved from an official Microsoft source (NT headers, DDK headers, winnt.h).
+
+// * "winbase" indicates that a definition has been reconstructed from a Win32-ized NT definition in
+//   winbase.h.
+// * "rev" indicates that a definition has been reverse-engineered.
+// * "dbg" indicates that a definition has been obtained from a debug message or assertion in a
+//   checked build of the kernel or file.
+
+// Reliability:
+// 1. No annotation.
+// 2. dbg.
+// 3. symbols, private. Types may be incorrect.
+// 4. winbase. Names and types may be incorrect.
+// 5. rev.
+
+// Mode
+#define PHNT_MODE_KERNEL 0
+#define PHNT_MODE_USER 1
+
+// Version
+#define PHNT_WIN2K 50
+#define PHNT_WINXP 51
+#define PHNT_WS03 52
+#define PHNT_VISTA 60
+#define PHNT_WIN7 61
+#define PHNT_WIN8 62
+#define PHNT_WINBLUE 63
+#define PHNT_THRESHOLD 100
+#define PHNT_THRESHOLD2 101
+#define PHNT_REDSTONE 102
+#define PHNT_REDSTONE2 103
+
+#ifndef PHNT_MODE
+#define PHNT_MODE PHNT_MODE_USER
+#endif
+
+#ifndef PHNT_VERSION
+#define PHNT_VERSION PHNT_WIN7
+#endif
+
+// Options
+
+//#define PHNT_NO_INLINE_INIT_STRING
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if (PHNT_MODE != PHNT_MODE_KERNEL)
+#include <phnt_ntdef.h>
+#include <ntnls.h>
+#include <ntkeapi.h>
+#endif
+
+#include <ntldr.h>
+#include <ntexapi.h>
+
+#include <ntmmapi.h>
+#include <ntobapi.h>
+#include <ntpsapi.h>
+
+#if (PHNT_MODE != PHNT_MODE_KERNEL)
+#include <cfg.h>
+#include <ntdbg.h>
+#include <ntioapi.h>
+#include <ntlpcapi.h>
+#include <ntpfapi.h>
+#include <ntpnpapi.h>
+#include <ntpoapi.h>
+#include <ntregapi.h>
+#include <ntrtl.h>
+#endif
+
+#if (PHNT_MODE != PHNT_MODE_KERNEL)
+
+#include <ntseapi.h>
+#include <nttmapi.h>
+#include <nttp.h>
+#include <ntxcapi.h>
+
+#include <ntwow64.h>
+
+#include <ntlsa.h>
+#include <ntsam.h>
+
+#include <ntmisc.h>
+
+#include <ntzwapi.h>
+
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif

phnt/include/phnt_ntdef.h

@@ -0,0 +1,306 @@
+#ifndef _PHNT_NTDEF_H
+#define _PHNT_NTDEF_H
+
+#ifndef _NTDEF_
+#define _NTDEF_
+
+// This header file provides basic NT types not included in Win32. If you have included winnt.h
+// (perhaps indirectly), you must use this file instead of ntdef.h.
+
+#ifndef NOTHING
+#define NOTHING
+#endif
+
+// Basic types
+
+typedef struct _QUAD
+{
+    union
+    {
+        __int64 UseThisFieldToCopy;
+        double DoNotUseThisField;
+    };
+} QUAD, *PQUAD;
+
+// This isn't in NT, but it's useful.
+typedef struct DECLSPEC_ALIGN(MEMORY_ALLOCATION_ALIGNMENT) _QUAD_PTR
+{
+    ULONG_PTR DoNotUseThisField1;
+    ULONG_PTR DoNotUseThisField2;
+} QUAD_PTR, *PQUAD_PTR;
+
+typedef ULONG LOGICAL;
+typedef ULONG *PLOGICAL;
+
+typedef _Success_(return >= 0) LONG NTSTATUS;
+typedef NTSTATUS *PNTSTATUS;
+
+// Cardinal types
+
+typedef char CCHAR;
+typedef short CSHORT;
+typedef ULONG CLONG;
+
+typedef CCHAR *PCCHAR;
+typedef CSHORT *PCSHORT;
+typedef CLONG *PCLONG;
+
+typedef PCSTR PCSZ;
+
+// Specific
+
+typedef UCHAR KIRQL, *PKIRQL;
+typedef LONG KPRIORITY;
+typedef USHORT RTL_ATOM, *PRTL_ATOM;
+
+typedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS;
+
+// NT status macros
+
+#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
+#define NT_INFORMATION(Status) ((((ULONG)(Status)) >> 30) == 1)
+#define NT_WARNING(Status) ((((ULONG)(Status)) >> 30) == 2)
+#define NT_ERROR(Status) ((((ULONG)(Status)) >> 30) == 3)
+
+#define NT_FACILITY_MASK 0xfff
+#define NT_FACILITY_SHIFT 16
+#define NT_FACILITY(Status) ((((ULONG)(Status)) >> NT_FACILITY_SHIFT) & NT_FACILITY_MASK)
+
+#define NT_NTWIN32(Status) (NT_FACILITY(Status) == FACILITY_NTWIN32)
+#define WIN32_FROM_NTSTATUS(Status) (((ULONG)(Status)) & 0xffff)
+
+// Functions
+
+#ifndef _WIN64
+#define FASTCALL __fastcall
+#else
+#define FASTCALL
+#endif
+
+// Synchronization enumerations
+
+typedef enum _EVENT_TYPE
+{
+    NotificationEvent,
+    SynchronizationEvent
+} EVENT_TYPE;
+
+typedef enum _TIMER_TYPE
+{
+    NotificationTimer,
+    SynchronizationTimer
+} TIMER_TYPE;
+
+typedef enum _WAIT_TYPE
+{
+    WaitAll,
+    WaitAny,
+    WaitNotification
+} WAIT_TYPE;
+
+// Strings
+
+typedef struct _STRING
+{
+    USHORT Length;
+    USHORT MaximumLength;
+    _Field_size_bytes_part_opt_(MaximumLength, Length) PCHAR Buffer;
+} STRING, *PSTRING, ANSI_STRING, *PANSI_STRING, OEM_STRING, *POEM_STRING;
+
+typedef const STRING *PCSTRING;
+typedef const ANSI_STRING *PCANSI_STRING;
+typedef const OEM_STRING *PCOEM_STRING;
+
+typedef struct _UNICODE_STRING
+{
+    USHORT Length;
+    USHORT MaximumLength;
+    _Field_size_bytes_part_(MaximumLength, Length) PWCH Buffer;
+} UNICODE_STRING, *PUNICODE_STRING;
+
+typedef const UNICODE_STRING *PCUNICODE_STRING;
+
+#define RTL_CONSTANT_STRING(s) { sizeof(s) - sizeof((s)[0]), sizeof(s), s }
+
+// Balanced tree node
+
+#define RTL_BALANCED_NODE_RESERVED_PARENT_MASK 3
+
+typedef struct _RTL_BALANCED_NODE
+{
+    union
+    {
+        struct _RTL_BALANCED_NODE *Children[2];
+        struct
+        {
+            struct _RTL_BALANCED_NODE *Left;
+            struct _RTL_BALANCED_NODE *Right;
+        };
+    };
+    union
+    {
+        UCHAR Red : 1;
+        UCHAR Balance : 2;
+        ULONG_PTR ParentValue;
+    };
+} RTL_BALANCED_NODE, *PRTL_BALANCED_NODE;
+
+#define RTL_BALANCED_NODE_GET_PARENT_POINTER(Node) \
+    ((PRTL_BALANCED_NODE)((Node)->ParentValue & ~RTL_BALANCED_NODE_RESERVED_PARENT_MASK))
+
+// Portability
+
+typedef struct _SINGLE_LIST_ENTRY32
+{
+    ULONG Next;
+} SINGLE_LIST_ENTRY32, *PSINGLE_LIST_ENTRY32;
+
+typedef struct _STRING32
+{
+    USHORT Length;
+    USHORT MaximumLength;
+    ULONG Buffer;
+} STRING32, *PSTRING32;
+
+typedef STRING32 UNICODE_STRING32, *PUNICODE_STRING32;
+typedef STRING32 ANSI_STRING32, *PANSI_STRING32;
+
+typedef struct _STRING64
+{
+    USHORT Length;
+    USHORT MaximumLength;
+    ULONGLONG Buffer;
+} STRING64, *PSTRING64;
+
+typedef STRING64 UNICODE_STRING64, *PUNICODE_STRING64;
+typedef STRING64 ANSI_STRING64, *PANSI_STRING64;
+
+// Object attributes
+
+#define OBJ_INHERIT 0x00000002
+#define OBJ_PERMANENT 0x00000010
+#define OBJ_EXCLUSIVE 0x00000020
+#define OBJ_CASE_INSENSITIVE 0x00000040
+#define OBJ_OPENIF 0x00000080
+#define OBJ_OPENLINK 0x00000100
+#define OBJ_KERNEL_HANDLE 0x00000200
+#define OBJ_FORCE_ACCESS_CHECK 0x00000400
+#define OBJ_IGNORE_IMPERSONATED_DEVICEMAP 0x00000800
+#define OBJ_DONT_REPARSE 0x00001000
+#define OBJ_VALID_ATTRIBUTES 0x00001ff2
+
+typedef struct _OBJECT_ATTRIBUTES
+{
+    ULONG Length;
+    HANDLE RootDirectory;
+    PUNICODE_STRING ObjectName;
+    ULONG Attributes;
+    PVOID SecurityDescriptor; // PSECURITY_DESCRIPTOR;
+    PVOID SecurityQualityOfService; // PSECURITY_QUALITY_OF_SERVICE
+} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
+
+typedef const OBJECT_ATTRIBUTES *PCOBJECT_ATTRIBUTES;
+
+#define InitializeObjectAttributes(p, n, a, r, s) { \
+    (p)->Length = sizeof(OBJECT_ATTRIBUTES); \
+    (p)->RootDirectory = r; \
+    (p)->Attributes = a; \
+    (p)->ObjectName = n; \
+    (p)->SecurityDescriptor = s; \
+    (p)->SecurityQualityOfService = NULL; \
+    }
+
+#define RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) { sizeof(OBJECT_ATTRIBUTES), NULL, n, a, NULL, NULL }
+#define RTL_INIT_OBJECT_ATTRIBUTES(n, a) RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a)
+
+// Portability
+
+typedef struct _OBJECT_ATTRIBUTES64
+{
+    ULONG Length;
+    ULONG64 RootDirectory;
+    ULONG64 ObjectName;
+    ULONG Attributes;
+    ULONG64 SecurityDescriptor;
+    ULONG64 SecurityQualityOfService;
+} OBJECT_ATTRIBUTES64, *POBJECT_ATTRIBUTES64;
+
+typedef const OBJECT_ATTRIBUTES64 *PCOBJECT_ATTRIBUTES64;
+
+typedef struct _OBJECT_ATTRIBUTES32
+{
+    ULONG Length;
+    ULONG RootDirectory;
+    ULONG ObjectName;
+    ULONG Attributes;
+    ULONG SecurityDescriptor;
+    ULONG SecurityQualityOfService;
+} OBJECT_ATTRIBUTES32, *POBJECT_ATTRIBUTES32;
+
+typedef const OBJECT_ATTRIBUTES32 *PCOBJECT_ATTRIBUTES32;
+
+// Product types
+
+typedef enum _NT_PRODUCT_TYPE
+{
+    NtProductWinNt = 1,
+    NtProductLanManNt,
+    NtProductServer
+} NT_PRODUCT_TYPE, *PNT_PRODUCT_TYPE;
+
+typedef enum _SUITE_TYPE
+{
+    SmallBusiness,
+    Enterprise,
+    BackOffice,
+    CommunicationServer,
+    TerminalServer,
+    SmallBusinessRestricted,
+    EmbeddedNT,
+    DataCenter,
+    SingleUserTS,
+    Personal,
+    Blade,
+    EmbeddedRestricted,
+    SecurityAppliance,
+    StorageServer,
+    ComputeServer,
+    WHServer,
+    PhoneNT,
+    MaxSuiteType
+} SUITE_TYPE;
+
+// Specific
+
+typedef struct _CLIENT_ID
+{
+    HANDLE UniqueProcess;
+    HANDLE UniqueThread;
+} CLIENT_ID, *PCLIENT_ID;
+
+typedef struct _CLIENT_ID32
+{
+    ULONG UniqueProcess;
+    ULONG UniqueThread;
+} CLIENT_ID32, *PCLIENT_ID32;
+
+typedef struct _CLIENT_ID64
+{
+    ULONGLONG UniqueProcess;
+    ULONGLONG UniqueThread;
+} CLIENT_ID64, *PCLIENT_ID64;
+
+#include <pshpack4.h>
+
+typedef struct _KSYSTEM_TIME
+{
+    ULONG LowPart;
+    LONG High1Time;
+    LONG High2Time;
+} KSYSTEM_TIME, *PKSYSTEM_TIME;
+
+#include <poppack.h>
+
+#endif
+
+#endif

phnt/include/phnt_windows.h

@@ -0,0 +1,53 @@
+#ifndef _PHNT_WINDOWS_H
+#define _PHNT_WINDOWS_H
+
+// This header file provides access to Win32, plus NTSTATUS values and some access mask values.
+
+#define WIN32_LEAN_AND_MEAN
+#define WIN32_NO_STATUS
+#include <windows.h>
+#undef WIN32_NO_STATUS
+#include <ntstatus.h>
+#include <winioctl.h>
+
+typedef double DOUBLE;
+typedef GUID *PGUID;
+
+// Desktop access rights
+#define DESKTOP_ALL_ACCESS \
+    (DESKTOP_CREATEMENU | DESKTOP_CREATEWINDOW | DESKTOP_ENUMERATE | \
+    DESKTOP_HOOKCONTROL | DESKTOP_JOURNALPLAYBACK | DESKTOP_JOURNALRECORD | \
+    DESKTOP_READOBJECTS | DESKTOP_SWITCHDESKTOP | DESKTOP_WRITEOBJECTS | \
+    STANDARD_RIGHTS_REQUIRED)
+#define DESKTOP_GENERIC_READ \
+    (DESKTOP_ENUMERATE | DESKTOP_READOBJECTS | STANDARD_RIGHTS_READ)
+#define DESKTOP_GENERIC_WRITE \
+    (DESKTOP_CREATEMENU | DESKTOP_CREATEWINDOW | DESKTOP_HOOKCONTROL | \
+    DESKTOP_JOURNALPLAYBACK | DESKTOP_JOURNALRECORD | DESKTOP_WRITEOBJECTS | \
+    STANDARD_RIGHTS_WRITE)
+#define DESKTOP_GENERIC_EXECUTE \
+    (DESKTOP_SWITCHDESKTOP | STANDARD_RIGHTS_EXECUTE)
+
+// Window station access rights
+#define WINSTA_GENERIC_READ \
+    (WINSTA_ENUMDESKTOPS | WINSTA_ENUMERATE | WINSTA_READATTRIBUTES | \
+    WINSTA_READSCREEN | STANDARD_RIGHTS_READ)
+#define WINSTA_GENERIC_WRITE \
+    (WINSTA_ACCESSCLIPBOARD | WINSTA_CREATEDESKTOP | WINSTA_WRITEATTRIBUTES | \
+    STANDARD_RIGHTS_WRITE)
+#define WINSTA_GENERIC_EXECUTE \
+    (WINSTA_ACCESSGLOBALATOMS | WINSTA_EXITWINDOWS | STANDARD_RIGHTS_EXECUTE)
+
+// WMI access rights
+#define WMIGUID_GENERIC_READ \
+    (WMIGUID_QUERY | WMIGUID_NOTIFICATION | WMIGUID_READ_DESCRIPTION | \
+    STANDARD_RIGHTS_READ)
+#define WMIGUID_GENERIC_WRITE \
+    (WMIGUID_SET | TRACELOG_CREATE_REALTIME | TRACELOG_CREATE_ONDISK | \
+    STANDARD_RIGHTS_WRITE)
+#define WMIGUID_GENERIC_EXECUTE \
+    (WMIGUID_EXECUTE | TRACELOG_GUID_ENABLE | TRACELOG_LOG_EVENT | \
+    TRACELOG_ACCESS_REALTIME | TRACELOG_REGISTER_GUIDS | \
+    STANDARD_RIGHTS_EXECUTE)
+
+#endif

phnt/include/subprocesstag.h

@@ -0,0 +1,96 @@
+#ifndef _SUBPROCESSTAG_H
+#define _SUBPROCESSTAG_H
+
+// Subprocess tag information
+
+typedef enum _TAG_INFO_LEVEL
+{
+    eTagInfoLevelNameFromTag = 1, // TAG_INFO_NAME_FROM_TAG
+    eTagInfoLevelNamesReferencingModule, // TAG_INFO_NAMES_REFERENCING_MODULE
+    eTagInfoLevelNameTagMapping, // TAG_INFO_NAME_TAG_MAPPING
+    eTagInfoLevelMax
+} TAG_INFO_LEVEL;
+
+typedef enum _TAG_TYPE
+{
+    eTagTypeService = 1,
+    eTagTypeMax
+} TAG_TYPE;
+
+typedef struct _TAG_INFO_NAME_FROM_TAG_IN_PARAMS
+{
+    DWORD dwPid;
+    DWORD dwTag;
+} TAG_INFO_NAME_FROM_TAG_IN_PARAMS, *PTAG_INFO_NAME_FROM_TAG_IN_PARAMS;
+
+typedef struct _TAG_INFO_NAME_FROM_TAG_OUT_PARAMS
+{
+    DWORD eTagType;
+    LPWSTR pszName;
+} TAG_INFO_NAME_FROM_TAG_OUT_PARAMS, *PTAG_INFO_NAME_FROM_TAG_OUT_PARAMS;
+
+typedef struct _TAG_INFO_NAME_FROM_TAG
+{
+    TAG_INFO_NAME_FROM_TAG_IN_PARAMS InParams;
+    TAG_INFO_NAME_FROM_TAG_OUT_PARAMS OutParams;
+} TAG_INFO_NAME_FROM_TAG, *PTAG_INFO_NAME_FROM_TAG;
+
+typedef struct _TAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS
+{
+    DWORD dwPid;
+    LPWSTR pszModule;
+} TAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS, *PTAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS;
+
+typedef struct _TAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS
+{
+    DWORD eTagType;
+    LPWSTR pmszNames;
+} TAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS, *PTAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS;
+
+typedef struct _TAG_INFO_NAMES_REFERENCING_MODULE
+{
+    TAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS InParams;
+    TAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS OutParams;
+} TAG_INFO_NAMES_REFERENCING_MODULE, *PTAG_INFO_NAMES_REFERENCING_MODULE;
+
+typedef struct _TAG_INFO_NAME_TAG_MAPPING_IN_PARAMS
+{
+    DWORD dwPid;
+} TAG_INFO_NAME_TAG_MAPPING_IN_PARAMS, *PTAG_INFO_NAME_TAG_MAPPING_IN_PARAMS;
+
+typedef struct _TAG_INFO_NAME_TAG_MAPPING_ELEMENT
+{
+    DWORD eTagType;
+    DWORD dwTag;
+    LPWSTR pszName;
+    LPWSTR pszGroupName;
+} TAG_INFO_NAME_TAG_MAPPING_ELEMENT, *PTAG_INFO_NAME_TAG_MAPPING_ELEMENT;
+
+typedef struct _TAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS
+{
+    DWORD cElements;
+    PTAG_INFO_NAME_TAG_MAPPING_ELEMENT pNameTagMappingElements;
+} TAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS, *PTAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS;
+
+typedef struct _TAG_INFO_NAME_TAG_MAPPING
+{
+    TAG_INFO_NAME_TAG_MAPPING_IN_PARAMS InParams;
+    PTAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS pOutParams;
+} TAG_INFO_NAME_TAG_MAPPING, *PTAG_INFO_NAME_TAG_MAPPING;
+
+_Must_inspect_result_
+DWORD
+WINAPI
+I_QueryTagInformation(
+    _In_opt_ LPCWSTR pszMachineName,
+    _In_ TAG_INFO_LEVEL eInfoLevel,
+    _Inout_ PVOID pTagInfo
+    );
+
+typedef DWORD (WINAPI *PQUERY_TAG_INFORMATION)(
+    _In_opt_ LPCWSTR pszMachineName,
+    _In_ TAG_INFO_LEVEL eInfoLevel,
+    _Inout_ PVOID pTagInfo
+    );
+
+#endif

phnt/include/winsta.h

@@ -0,0 +1,748 @@
+#ifndef _WINSTA_H
+#define _WINSTA_H
+
+// begin_msdn:http://msdn.microsoft.com/en-us/library/cc248779%28PROT.10%29.aspx
+
+// Access rights
+
+#define WINSTATION_QUERY 0x00000001 // WinStationQueryInformation
+#define WINSTATION_SET 0x00000002 // WinStationSetInformation
+#define WINSTATION_RESET 0x00000004 // WinStationReset
+#define WINSTATION_VIRTUAL 0x00000008 //read/write direct data
+#define WINSTATION_SHADOW 0x00000010 // WinStationShadow
+#define WINSTATION_LOGON 0x00000020 // logon to WinStation
+#define WINSTATION_LOGOFF 0x00000040 // WinStationLogoff
+#define WINSTATION_MSG 0x00000080 // WinStationMsg
+#define WINSTATION_CONNECT 0x00000100 // WinStationConnect
+#define WINSTATION_DISCONNECT 0x00000200 // WinStationDisconnect
+#define WINSTATION_GUEST_ACCESS WINSTATION_LOGON
+
+#define WINSTATION_CURRENT_GUEST_ACCESS (WINSTATION_VIRTUAL | WINSTATION_LOGOFF)
+#define WINSTATION_USER_ACCESS (WINSTATION_GUEST_ACCESS | WINSTATION_QUERY | WINSTATION_CONNECT)
+#define WINSTATION_CURRENT_USER_ACCESS \
+    (WINSTATION_SET | WINSTATION_RESET | WINSTATION_VIRTUAL | \
+    WINSTATION_LOGOFF | WINSTATION_DISCONNECT)
+#define WINSTATION_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | WINSTATION_QUERY | \
+    WINSTATION_SET | WINSTATION_RESET | WINSTATION_VIRTUAL | \
+    WINSTATION_SHADOW | WINSTATION_LOGON | WINSTATION_MSG | \
+    WINSTATION_CONNECT | WINSTATION_DISCONNECT)
+
+#define WDPREFIX_LENGTH 12
+#define STACK_ADDRESS_LENGTH 128
+#define MAX_BR_NAME 65
+#define DIRECTORY_LENGTH 256
+#define INITIALPROGRAM_LENGTH 256
+#define USERNAME_LENGTH 20
+#define DOMAIN_LENGTH 17
+#define PASSWORD_LENGTH 14
+#define NASISPECIFICNAME_LENGTH 14
+#define NASIUSERNAME_LENGTH 47
+#define NASIPASSWORD_LENGTH 24
+#define NASISESSIONNAME_LENGTH 16
+#define NASIFILESERVER_LENGTH 47
+
+#define CLIENTDATANAME_LENGTH 7
+#define CLIENTNAME_LENGTH 20
+#define CLIENTADDRESS_LENGTH 30
+#define IMEFILENAME_LENGTH 32
+#define DIRECTORY_LENGTH 256
+#define CLIENTLICENSE_LENGTH 32
+#define CLIENTMODEM_LENGTH 40
+#define CLIENT_PRODUCT_ID_LENGTH 32
+#define MAX_COUNTER_EXTENSIONS 2
+#define WINSTATIONNAME_LENGTH 32
+
+#define TERMSRV_TOTAL_SESSIONS 1
+#define TERMSRV_DISC_SESSIONS 2
+#define TERMSRV_RECON_SESSIONS 3
+#define TERMSRV_CURRENT_ACTIVE_SESSIONS 4
+#define TERMSRV_CURRENT_DISC_SESSIONS 5
+#define TERMSRV_PENDING_SESSIONS 6
+#define TERMSRV_SUCC_TOTAL_LOGONS 7
+#define TERMSRV_SUCC_LOCAL_LOGONS 8
+#define TERMSRV_SUCC_REMOTE_LOGONS 9
+#define TERMSRV_SUCC_SESSION0_LOGONS 10
+#define TERMSRV_CURRENT_TERMINATING_SESSIONS 11
+#define TERMSRV_CURRENT_LOGGEDON_SESSIONS 12
+
+typedef RTL_TIME_ZONE_INFORMATION TS_TIME_ZONE_INFORMATION, *PTS_TIME_ZONE_INFORMATION;
+
+typedef WCHAR WINSTATIONNAME[WINSTATIONNAME_LENGTH + 1];
+
+// Variable length data descriptor (not needed)
+typedef struct _VARDATA_WIRE
+{
+    USHORT Size;
+    USHORT Offset;
+} VARDATA_WIRE, *PVARDATA_WIRE;
+
+typedef enum _WINSTATIONSTATECLASS
+{
+    State_Active = 0,
+    State_Connected = 1,
+    State_ConnectQuery = 2,
+    State_Shadow = 3,
+    State_Disconnected = 4,
+    State_Idle = 5,
+    State_Listen = 6,
+    State_Reset = 7,
+    State_Down = 8,
+    State_Init = 9
+} WINSTATIONSTATECLASS;
+
+typedef struct _SESSIONIDW
+{
+    union
+    {
+        ULONG SessionId;
+        ULONG LogonId;
+    };
+    WINSTATIONNAME WinStationName;
+    WINSTATIONSTATECLASS State;
+} SESSIONIDW, *PSESSIONIDW;
+
+// private
+typedef enum _WINSTATIONINFOCLASS
+{
+    WinStationCreateData,
+    WinStationConfiguration,
+    WinStationPdParams,
+    WinStationWd,
+    WinStationPd,
+    WinStationPrinter,
+    WinStationClient,
+    WinStationModules,
+    WinStationInformation,
+    WinStationTrace,
+    WinStationBeep,
+    WinStationEncryptionOff,
+    WinStationEncryptionPerm,
+    WinStationNtSecurity,
+    WinStationUserToken,
+    WinStationUnused1,
+    WinStationVideoData,
+    WinStationInitialProgram,
+    WinStationCd,
+    WinStationSystemTrace,
+    WinStationVirtualData,
+    WinStationClientData,
+    WinStationSecureDesktopEnter,
+    WinStationSecureDesktopExit,
+    WinStationLoadBalanceSessionTarget,
+    WinStationLoadIndicator,
+    WinStationShadowInfo,
+    WinStationDigProductId,
+    WinStationLockedState,
+    WinStationRemoteAddress,
+    WinStationIdleTime,
+    WinStationLastReconnectType,
+    WinStationDisallowAutoReconnect,
+    WinStationMprNotifyInfo,
+    WinStationExecSrvSystemPipe,
+    WinStationSmartCardAutoLogon,
+    WinStationIsAdminLoggedOn,
+    WinStationReconnectedFromId,
+    WinStationEffectsPolicy,
+    WinStationType,
+    WinStationInformationEx,
+    WinStationValidationInfo
+} WINSTATIONINFOCLASS;
+
+// WinStationCreateData
+typedef struct _WINSTATIONCREATE
+{
+    ULONG fEnableWinStation : 1;
+    ULONG MaxInstanceCount;
+} WINSTATIONCREATE, *PWINSTATIONCREATE;
+
+// WinStationClient
+typedef struct _WINSTATIONCLIENT
+{
+    ULONG fTextOnly : 1;
+    ULONG fDisableCtrlAltDel : 1;
+    ULONG fMouse : 1;
+    ULONG fDoubleClickDetect : 1;
+    ULONG fINetClient : 1;
+    ULONG fPromptForPassword : 1;
+    ULONG fMaximizeShell : 1;
+    ULONG fEnableWindowsKey : 1;
+    ULONG fRemoteConsoleAudio : 1;
+    ULONG fPasswordIsScPin : 1;
+    ULONG fNoAudioPlayback : 1;
+    ULONG fUsingSavedCreds : 1;
+    WCHAR ClientName[CLIENTNAME_LENGTH + 1];
+    WCHAR Domain[DOMAIN_LENGTH + 1];
+    WCHAR UserName[USERNAME_LENGTH + 1];
+    WCHAR Password[PASSWORD_LENGTH + 1];
+    WCHAR WorkDirectory[DIRECTORY_LENGTH + 1];
+    WCHAR InitialProgram[INITIALPROGRAM_LENGTH + 1];
+    ULONG SerialNumber;
+    BYTE EncryptionLevel;
+    ULONG ClientAddressFamily;
+    WCHAR ClientAddress[CLIENTADDRESS_LENGTH + 1];
+    USHORT HRes;
+    USHORT VRes;
+    USHORT ColorDepth;
+    USHORT ProtocolType;
+    ULONG KeyboardLayout;
+    ULONG KeyboardType;
+    ULONG KeyboardSubType;
+    ULONG KeyboardFunctionKey;
+    WCHAR ImeFileName[IMEFILENAME_LENGTH + 1];
+    WCHAR ClientDirectory[DIRECTORY_LENGTH + 1];
+    WCHAR ClientLicense[CLIENTLICENSE_LENGTH + 1];
+    WCHAR ClientModem[CLIENTMODEM_LENGTH + 1];
+    ULONG ClientBuildNumber;
+    ULONG ClientHardwareId;
+    USHORT ClientProductId;
+    USHORT OutBufCountHost;
+    USHORT OutBufCountClient;
+    USHORT OutBufLength;
+    WCHAR AudioDriverName[9];
+    TS_TIME_ZONE_INFORMATION ClientTimeZone;
+    ULONG ClientSessionId;
+    WCHAR ClientDigProductId[CLIENT_PRODUCT_ID_LENGTH];
+    ULONG PerformanceFlags;
+    ULONG ActiveInputLocale;
+} WINSTATIONCLIENT, *PWINSTATIONCLIENT;
+
+typedef struct _TSHARE_COUNTERS
+{
+    ULONG Reserved;
+} TSHARE_COUNTERS, *PTSHARE_COUNTERS;
+
+typedef struct _PROTOCOLCOUNTERS
+{
+    ULONG WdBytes;
+    ULONG WdFrames;
+    ULONG WaitForOutBuf;
+    ULONG Frames;
+    ULONG Bytes;
+    ULONG CompressedBytes;
+    ULONG CompressFlushes;
+    ULONG Errors;
+    ULONG Timeouts;
+    ULONG AsyncFramingError;
+    ULONG AsyncOverrunError;
+    ULONG AsyncOverflowError;
+    ULONG AsyncParityError;
+    ULONG TdErrors;
+    USHORT ProtocolType;
+    USHORT Length;
+    union
+    {
+        TSHARE_COUNTERS TShareCounters;
+        ULONG Reserved[100];
+    } Specific;
+} PROTOCOLCOUNTERS, *PPROTOCOLCOUNTERS;
+
+typedef struct _THINWIRECACHE
+{
+    ULONG CacheReads;
+    ULONG CacheHits;
+} THINWIRECACHE, *PTHINWIRECACHE;
+
+#define MAX_THINWIRECACHE 4
+
+typedef struct _RESERVED_CACHE
+{
+    THINWIRECACHE ThinWireCache[MAX_THINWIRECACHE];
+} RESERVED_CACHE, *PRESERVED_CACHE;
+
+typedef struct _TSHARE_CACHE
+{
+    ULONG Reserved;
+} TSHARE_CACHE, *PTSHARE_CACHE;
+
+typedef struct CACHE_STATISTICS
+{
+    USHORT ProtocolType;
+    USHORT Length;
+    union
+    {
+        RESERVED_CACHE ReservedCacheStats;
+        TSHARE_CACHE TShareCacheStats;
+        ULONG Reserved[20];
+    } Specific;
+} CACHE_STATISTICS, *PCACHE_STATISTICS;
+
+typedef struct _PROTOCOLSTATUS
+{
+    PROTOCOLCOUNTERS Output;
+    PROTOCOLCOUNTERS Input;
+    CACHE_STATISTICS Cache;
+    ULONG AsyncSignal;
+    ULONG AsyncSignalMask;
+} PROTOCOLSTATUS, *PPROTOCOLSTATUS;
+
+// WinStationInformation
+typedef struct _WINSTATIONINFORMATION
+{
+    WINSTATIONSTATECLASS ConnectState;
+    WINSTATIONNAME WinStationName;
+    ULONG LogonId;
+    LARGE_INTEGER ConnectTime;
+    LARGE_INTEGER DisconnectTime;
+    LARGE_INTEGER LastInputTime;
+    LARGE_INTEGER LogonTime;
+    PROTOCOLSTATUS Status;
+    WCHAR Domain[DOMAIN_LENGTH + 1];
+    WCHAR UserName[USERNAME_LENGTH + 1];
+    LARGE_INTEGER CurrentTime;
+} WINSTATIONINFORMATION, *PWINSTATIONINFORMATION;
+
+// WinStationUserToken
+typedef struct _WINSTATIONUSERTOKEN
+{
+    HANDLE ProcessId;
+    HANDLE ThreadId;
+    HANDLE UserToken;
+} WINSTATIONUSERTOKEN, *PWINSTATIONUSERTOKEN;
+
+// WinStationVideoData
+typedef struct _WINSTATIONVIDEODATA
+{
+    USHORT HResolution;
+    USHORT VResolution;
+    USHORT fColorDepth;
+} WINSTATIONVIDEODATA, *PWINSTATIONVIDEODATA;
+
+// WinStationDigProductId
+typedef struct _WINSTATIONPRODID
+{
+    WCHAR DigProductId[CLIENT_PRODUCT_ID_LENGTH];
+    WCHAR ClientDigProductId[CLIENT_PRODUCT_ID_LENGTH];
+    WCHAR OuterMostDigProductId[CLIENT_PRODUCT_ID_LENGTH];
+    ULONG CurrentSessionId;
+    ULONG ClientSessionId;
+    ULONG OuterMostSessionId;
+} WINSTATIONPRODID, *PWINSTATIONPRODID;
+
+// WinStationRemoteAddress
+typedef struct _WINSTATIONREMOTEADDRESS
+{
+    USHORT sin_family;
+    union
+    {
+        struct
+        {
+            USHORT sin_port;
+            ULONG sin_addr;
+            UCHAR sin_zero[8];
+        } ipv4;
+        struct
+        {
+            USHORT sin6_port;
+            ULONG sin6_flowinfo;
+            USHORT sin6_addr[8];
+            ULONG sin6_scope_id;
+        } ipv6;
+    };
+} WINSTATIONREMOTEADDRESS, *PWINSTATIONREMOTEADDRESS;
+
+// WinStationInformationEx
+
+// private
+typedef struct _WINSTATIONINFORMATIONEX_LEVEL1
+{
+    ULONG SessionId;
+    WINSTATIONSTATECLASS SessionState;
+    LONG SessionFlags;
+    WINSTATIONNAME WinStationName;
+    WCHAR UserName[USERNAME_LENGTH + 1];
+    WCHAR DomainName[DOMAIN_LENGTH + 1];
+    LARGE_INTEGER LogonTime;
+    LARGE_INTEGER ConnectTime;
+    LARGE_INTEGER DisconnectTime;
+    LARGE_INTEGER LastInputTime;
+    LARGE_INTEGER CurrentTime;
+    PROTOCOLSTATUS ProtocolStatus;
+} WINSTATIONINFORMATIONEX_LEVEL1, *PWINSTATIONINFORMATIONEX_LEVEL1;
+
+// private
+typedef struct _WINSTATIONINFORMATIONEX_LEVEL2
+{
+    ULONG SessionId;
+    WINSTATIONSTATECLASS SessionState;
+    LONG SessionFlags;
+    WINSTATIONNAME WinStationName;
+    WCHAR SamCompatibleUserName[USERNAME_LENGTH + 1];
+    WCHAR SamCompatibleDomainName[DOMAIN_LENGTH + 1];
+    LARGE_INTEGER LogonTime;
+    LARGE_INTEGER ConnectTime;
+    LARGE_INTEGER DisconnectTime;
+    LARGE_INTEGER LastInputTime;
+    LARGE_INTEGER CurrentTime;
+    PROTOCOLSTATUS ProtocolStatus;
+    WCHAR UserName[257];
+    WCHAR DomainName[256];
+} WINSTATIONINFORMATIONEX_LEVEL2, *PWINSTATIONINFORMATIONEX_LEVEL2;
+
+// private
+typedef union _WINSTATIONINFORMATIONEX_LEVEL
+{
+    WINSTATIONINFORMATIONEX_LEVEL1 WinStationInfoExLevel1;
+    WINSTATIONINFORMATIONEX_LEVEL2 WinStationInfoExLevel2;
+} WINSTATIONINFORMATIONEX_LEVEL, *PWINSTATIONINFORMATIONEX_LEVEL;
+
+// private
+typedef struct _WINSTATIONINFORMATIONEX
+{
+    ULONG Level;
+    WINSTATIONINFORMATIONEX_LEVEL Data;
+} WINSTATIONINFORMATIONEX, *PWINSTATIONINFORMATIONEX;
+
+#define TS_PROCESS_INFO_MAGIC_NT4 0x23495452
+
+typedef struct _TS_PROCESS_INFORMATION_NT4
+{
+    ULONG MagicNumber;
+    ULONG LogonId;
+    PVOID ProcessSid;
+    ULONG Pad;
+} TS_PROCESS_INFORMATION_NT4, *PTS_PROCESS_INFORMATION_NT4;
+
+#define SIZEOF_TS4_SYSTEM_THREAD_INFORMATION 64
+#define SIZEOF_TS4_SYSTEM_PROCESS_INFORMATION 136
+
+typedef struct _TS_SYS_PROCESS_INFORMATION
+{
+    ULONG NextEntryOffset;
+    ULONG NumberOfThreads;
+    LARGE_INTEGER SpareLi1;
+    LARGE_INTEGER SpareLi2;
+    LARGE_INTEGER SpareLi3;
+    LARGE_INTEGER CreateTime;
+    LARGE_INTEGER UserTime;
+    LARGE_INTEGER KernelTime;
+    UNICODE_STRING ImageName;
+    LONG BasePriority;
+    ULONG UniqueProcessId;
+    ULONG InheritedFromUniqueProcessId;
+    ULONG HandleCount;
+    ULONG SessionId;
+    ULONG SpareUl3;
+    SIZE_T PeakVirtualSize;
+    SIZE_T VirtualSize;
+    ULONG PageFaultCount;
+    ULONG PeakWorkingSetSize;
+    ULONG WorkingSetSize;
+    SIZE_T QuotaPeakPagedPoolUsage;
+    SIZE_T QuotaPagedPoolUsage;
+    SIZE_T QuotaPeakNonPagedPoolUsage;
+    SIZE_T QuotaNonPagedPoolUsage;
+    SIZE_T PagefileUsage;
+    SIZE_T PeakPagefileUsage;
+    SIZE_T PrivatePageCount;
+} TS_SYS_PROCESS_INFORMATION, *PTS_SYS_PROCESS_INFORMATION;
+
+typedef struct _TS_ALL_PROCESSES_INFO
+{
+    PTS_SYS_PROCESS_INFORMATION pTsProcessInfo;
+    ULONG SizeOfSid;
+    PSID pSid;
+} TS_ALL_PROCESSES_INFO, *PTS_ALL_PROCESSES_INFO;
+
+typedef struct _TS_COUNTER_HEADER
+{
+    DWORD dwCounterID;
+    BOOLEAN bResult;
+} TS_COUNTER_HEADER, *PTS_COUNTER_HEADER;
+
+typedef struct _TS_COUNTER
+{
+    TS_COUNTER_HEADER CounterHead;
+    DWORD dwValue;
+    LARGE_INTEGER StartTime;
+} TS_COUNTER, *PTS_COUNTER;
+
+// Flags for WinStationShutdownSystem
+#define WSD_LOGOFF 0x1
+#define WSD_SHUTDOWN 0x2
+#define WSD_REBOOT 0x4
+#define WSD_POWEROFF 0x8
+
+// Flags for WinStationWaitSystemEvent
+#define WEVENT_NONE 0x0
+#define WEVENT_CREATE 0x1
+#define WEVENT_DELETE 0x2
+#define WEVENT_RENAME 0x4
+#define WEVENT_CONNECT 0x8
+#define WEVENT_DISCONNECT 0x10
+#define WEVENT_LOGON 0x20
+#define WEVENT_LOGOFF 0x40
+#define WEVENT_STATECHANGE 0x80
+#define WEVENT_LICENSE 0x100
+#define WEVENT_ALL 0x7fffffff
+#define WEVENT_FLUSH 0x80000000
+
+// Hotkey modifiers for WinStationShadow
+#define KBDSHIFT 0x1
+#define KBDCTRL 0x2
+#define KBDALT 0x4
+
+// begin_rev
+// Flags for WinStationRegisterConsoleNotification
+#define WNOTIFY_ALL_SESSIONS 0x1
+// end_rev
+
+// In the functions below, memory returned can be freed using LocalFree. NULL can be specified for
+// server handles to indicate the local server. -1 can be specified for session IDs to indicate the
+// current session ID.
+
+#define LOGONID_CURRENT (-1)
+#define SERVERNAME_CURRENT (NULL)
+
+// rev
+BOOLEAN
+WINAPI
+WinStationFreeMemory(
+    _In_ PVOID Buffer
+    );
+
+// rev
+HANDLE
+WINAPI
+WinStationOpenServerW(
+    _In_ PWSTR ServerName
+    );
+
+// rev
+BOOLEAN
+WINAPI
+WinStationCloseServer(
+    _In_ HANDLE hServer
+    );
+
+// rev
+BOOLEAN
+WINAPI
+WinStationServerPing(
+    _In_opt_ HANDLE hServer
+    );
+
+// rev
+BOOLEAN
+WINAPI
+WinStationGetTermSrvCountersValue(
+    _In_opt_ HANDLE hServer,
+    _In_ ULONG Count,
+    _Inout_ PTS_COUNTER Counters // set counter IDs before calling
+    );
+
+BOOLEAN
+WINAPI
+WinStationShutdownSystem(
+    _In_opt_ HANDLE hServer,
+    _In_ ULONG ShutdownFlags // WSD_*
+    );
+
+// rev
+BOOLEAN
+WINAPI
+WinStationWaitSystemEvent(
+    _In_opt_ HANDLE hServer,
+    _In_ ULONG EventMask, // WEVENT_*
+    _Out_ PULONG EventFlags
+    );
+
+// rev
+BOOLEAN
+WINAPI
+WinStationRegisterConsoleNotification(
+    _In_opt_ HANDLE hServer,
+    _In_ HWND WindowHandle,
+    _In_ ULONG Flags
+    );
+
+// rev
+BOOLEAN
+WINAPI
+WinStationUnRegisterConsoleNotification(
+    _In_opt_ HANDLE hServer,
+    _In_ HWND WindowHandle
+    );
+
+// Sessions
+
+// rev
+BOOLEAN
+WINAPI
+WinStationEnumerateW(
+    _In_opt_ HANDLE hServer,
+    _Out_ PSESSIONIDW *SessionIds,
+    _Out_ PULONG Count
+    );
+
+BOOLEAN
+WINAPI
+WinStationQueryInformationW(
+    _In_opt_ HANDLE hServer,
+    _In_ ULONG SessionId,
+    _In_ WINSTATIONINFOCLASS WinStationInformationClass,
+    _Out_writes_bytes_(WinStationInformationLength) PVOID pWinStationInformation,
+    _In_ ULONG WinStationInformationLength,
+    _Out_ PULONG pReturnLength
+    );
+
+// rev
+BOOLEAN
+WINAPI
+WinStationSetInformationW(
+    _In_opt_ HANDLE hServer,
+    _In_ ULONG SessionId,
+    _In_ WINSTATIONINFOCLASS WinStationInformationClass,
+    _In_reads_bytes_(WinStationInformationLength) PVOID pWinStationInformation,
+    _In_ ULONG WinStationInformationLength
+    );
+
+BOOLEAN
+WINAPI
+WinStationNameFromLogonIdW(
+    _In_opt_ HANDLE hServer,
+    _In_ ULONG SessionId,
+    _Out_writes_(WINSTATIONNAME_LENGTH + 1) PWSTR pWinStationName
+    );
+
+// rev
+BOOLEAN
+WINAPI
+WinStationSendMessageW(
+    _In_opt_ HANDLE hServer,
+    _In_ ULONG SessionId,
+    _In_ PWSTR Title,
+    _In_ ULONG TitleLength,
+    _In_ PWSTR Message,
+    _In_ ULONG MessageLength,
+    _In_ ULONG Style,
+    _In_ ULONG Timeout,
+    _Out_ PULONG Response,
+    _In_ BOOLEAN DoNotWait
+    );
+
+BOOLEAN
+WINAPI
+WinStationConnectW(
+    _In_opt_ HANDLE hServer,
+    _In_ ULONG SessionId,
+    _In_ ULONG TargetSessionId,
+    _In_opt_ PWSTR pPassword,
+    _In_ BOOLEAN bWait
+    );
+
+BOOLEAN
+WINAPI
+WinStationDisconnect(
+    _In_opt_ HANDLE hServer,
+    _In_ ULONG SessionId,
+    _In_ BOOLEAN bWait
+    );
+
+// rev
+BOOLEAN
+WINAPI
+WinStationReset(
+    _In_opt_ HANDLE hServer,
+    _In_ ULONG SessionId,
+    _In_ BOOLEAN bWait
+    );
+
+// rev
+BOOLEAN
+WINAPI
+WinStationShadow(
+    _In_opt_ HANDLE hServer,
+    _In_ PWSTR TargetServerName,
+    _In_ ULONG TargetSessionId,
+    _In_ UCHAR HotKeyVk,
+    _In_ USHORT HotkeyModifiers // KBD*
+    );
+
+// rev
+BOOLEAN
+WINAPI
+WinStationShadowStop(
+    _In_opt_ HANDLE hServer,
+    _In_ ULONG SessionId,
+    _In_ BOOLEAN bWait // ignored
+    );
+
+// Processes
+
+// rev
+BOOLEAN
+WINAPI
+WinStationEnumerateProcesses(
+    _In_opt_ HANDLE hServer,
+    _Out_ PVOID *Processes
+    );
+
+// rev
+BOOLEAN
+WINAPI
+WinStationGetAllProcesses(
+    _In_opt_ HANDLE hServer,
+    _In_ ULONG Level,
+    _Out_ PULONG NumberOfProcesses,
+    _Out_ PTS_ALL_PROCESSES_INFO *Processes
+    );
+
+// rev
+BOOLEAN
+WINAPI
+WinStationFreeGAPMemory(
+    _In_ ULONG Level,
+    _In_ PTS_ALL_PROCESSES_INFO Processes,
+    _In_ ULONG NumberOfProcesses
+    );
+
+// rev
+BOOLEAN
+WINAPI
+WinStationTerminateProcess(
+    _In_opt_ HANDLE hServer,
+    _In_ ULONG ProcessId,
+    _In_ ULONG ExitCode
+    );
+
+BOOLEAN
+WINAPI
+WinStationGetProcessSid(
+    _In_opt_ HANDLE hServer,
+    _In_ ULONG ProcessId,
+    _In_ FILETIME ProcessStartTime,
+    _Out_ PVOID pProcessUserSid,
+    _Inout_ PULONG dwSidSize
+    );
+
+// Services isolation
+
+#if (PHNT_VERSION >= PHNT_VISTA)
+
+// rev
+BOOLEAN
+WINAPI
+WinStationSwitchToServicesSession(
+    VOID
+    );
+
+// rev
+BOOLEAN
+WINAPI
+WinStationRevertFromServicesSession(
+    VOID
+    );
+
+#endif
+
+// Misc.
+
+BOOLEAN
+WINAPI
+_WinStationWaitForConnect(
+    VOID
+    );
+
+// end_msdn
+
+#endif

phnt/zw_options.txt

@@ -0,0 +1,5 @@
+base=include
+in=ntdbg.h;ntexapi.h;ntgdi.h;ntioapi.h;ntkeapi.h;ntldr.h;ntlpcapi.h;ntmisc.h;ntmmapi.h;ntnls.h;ntobapi.h;ntpebteb.h;ntpfapi.h;ntpnpapi.h;ntpoapi.h;ntpsapi.h;ntregapi.h;ntrtl.h;ntsam.h;ntseapi.h;nttmapi.h;nttp.h;ntwow64.h;ntxcapi.h
+out=ntzwapi.h
+header=#ifndef _NTZWAPI_H\r\n#define _NTZWAPI_H\r\n\r\n// This file was automatically generated. Do not edit.\r\n\r\n
+footer=#endif\r\n

wufuc.sln

@@ -0,0 +1,74 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 15
+VisualStudioVersion = 15.0.26730.16
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "wufuc", "wufuc\wufuc.vcxproj", "{00F96695-CE41-4C2F-A344-6219DFB4F887}"
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{8C2147FF-2B83-479B-813E-5ACB86F43042}"
+	ProjectSection(SolutionItems) = preProject
+		.gitignore = .gitignore
+		appveyor.yml = appveyor.yml
+	EndProjectSection
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "wufuc_setup_bat", "wufuc_setup_bat", "{97E33D3C-9AA1-4B84-803A-1A6AE2C6F361}"
+	ProjectSection(SolutionItems) = preProject
+		wufuc_setup_bat\install_wufuc.bat = wufuc_setup_bat\install_wufuc.bat
+		wufuc_setup_bat\uninstall_wufuc.bat = wufuc_setup_bat\uninstall_wufuc.bat
+	EndProjectSection
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Documentation", "Documentation", "{65210B26-9B74-4B7E-B777-7A2EE4162595}"
+	ProjectSection(SolutionItems) = preProject
+		CONTRIBUTING.md = CONTRIBUTING.md
+		DONATIONS.md = DONATIONS.md
+		LICENSE = LICENSE
+		README.md = README.md
+	EndProjectSection
+EndProject
+Project("{840C416C-B8F3-42BC-B0DD-F6BB14C9F8CB}") = "wufuc_setup", "wufuc_setup\wufuc_setup.aiproj", "{8F75FC4A-22FF-4CDA-8A09-3BC547E7C29B}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		DefaultBuild|x64 = DefaultBuild|x64
+		DefaultBuild|x86 = DefaultBuild|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{00F96695-CE41-4C2F-A344-6219DFB4F887}.Debug|x64.ActiveCfg = Debug|x64
+		{00F96695-CE41-4C2F-A344-6219DFB4F887}.Debug|x64.Build.0 = Debug|x64
+		{00F96695-CE41-4C2F-A344-6219DFB4F887}.Debug|x86.ActiveCfg = Debug|Win32
+		{00F96695-CE41-4C2F-A344-6219DFB4F887}.Debug|x86.Build.0 = Debug|Win32
+		{00F96695-CE41-4C2F-A344-6219DFB4F887}.DefaultBuild|x64.ActiveCfg = Debug|x64
+		{00F96695-CE41-4C2F-A344-6219DFB4F887}.DefaultBuild|x64.Build.0 = Debug|x64
+		{00F96695-CE41-4C2F-A344-6219DFB4F887}.DefaultBuild|x86.ActiveCfg = Debug|Win32
+		{00F96695-CE41-4C2F-A344-6219DFB4F887}.DefaultBuild|x86.Build.0 = Debug|Win32
+		{00F96695-CE41-4C2F-A344-6219DFB4F887}.Release|x64.ActiveCfg = Release|x64
+		{00F96695-CE41-4C2F-A344-6219DFB4F887}.Release|x64.Build.0 = Release|x64
+		{00F96695-CE41-4C2F-A344-6219DFB4F887}.Release|x86.ActiveCfg = Release|Win32
+		{00F96695-CE41-4C2F-A344-6219DFB4F887}.Release|x86.Build.0 = Release|Win32
+		{8F75FC4A-22FF-4CDA-8A09-3BC547E7C29B}.Debug|x64.ActiveCfg = All
+		{8F75FC4A-22FF-4CDA-8A09-3BC547E7C29B}.Debug|x64.Build.0 = All
+		{8F75FC4A-22FF-4CDA-8A09-3BC547E7C29B}.Debug|x86.ActiveCfg = All
+		{8F75FC4A-22FF-4CDA-8A09-3BC547E7C29B}.Debug|x86.Build.0 = All
+		{8F75FC4A-22FF-4CDA-8A09-3BC547E7C29B}.DefaultBuild|x64.ActiveCfg = All
+		{8F75FC4A-22FF-4CDA-8A09-3BC547E7C29B}.DefaultBuild|x64.Build.0 = All
+		{8F75FC4A-22FF-4CDA-8A09-3BC547E7C29B}.DefaultBuild|x86.ActiveCfg = All
+		{8F75FC4A-22FF-4CDA-8A09-3BC547E7C29B}.DefaultBuild|x86.Build.0 = All
+		{8F75FC4A-22FF-4CDA-8A09-3BC547E7C29B}.Release|x64.ActiveCfg = All
+		{8F75FC4A-22FF-4CDA-8A09-3BC547E7C29B}.Release|x64.Build.0 = All
+		{8F75FC4A-22FF-4CDA-8A09-3BC547E7C29B}.Release|x86.ActiveCfg = All
+		{8F75FC4A-22FF-4CDA-8A09-3BC547E7C29B}.Release|x86.Build.0 = All
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(NestedProjects) = preSolution
+		{65210B26-9B74-4B7E-B777-7A2EE4162595} = {8C2147FF-2B83-479B-813E-5ACB86F43042}
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {5070ABC4-3344-4D6E-B744-E3508B10A327}
+	EndGlobalSection
+EndGlobal

wufuc/appverifier.h

@@ -0,0 +1,45 @@
+#pragma once
+
+#include <phnt_windows.h>
+
+#define DLL_PROCESS_VERIFIER 4
+
+typedef VOID(NTAPI *RTL_VERIFIER_DLL_LOAD_CALLBACK)(PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved);
+typedef VOID(NTAPI *RTL_VERIFIER_DLL_UNLOAD_CALLBACK)(PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved);
+typedef VOID(NTAPI *RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK)(PVOID AllocationBase, SIZE_T AllocationSize);
+
+typedef struct tagRTL_VERIFIER_THUNK_DESCRIPTOR
+{
+        PCHAR ThunkName;
+        PVOID ThunkOldAddress;
+        PVOID ThunkNewAddress;
+} RTL_VERIFIER_THUNK_DESCRIPTOR, *PRTL_VERIFIER_THUNK_DESCRIPTOR;
+
+typedef struct tagRTL_VERIFIER_DLL_DESCRIPTOR
+{
+        PWCHAR DllName;
+        DWORD DllFlags;
+        PVOID DllAddress;
+        PRTL_VERIFIER_THUNK_DESCRIPTOR DllThunks;
+} RTL_VERIFIER_DLL_DESCRIPTOR, *PRTL_VERIFIER_DLL_DESCRIPTOR;
+
+typedef struct tagRTL_VERIFIER_PROVIDER_DESCRIPTOR
+{
+        DWORD Length;
+        PRTL_VERIFIER_DLL_DESCRIPTOR ProviderDlls;
+        RTL_VERIFIER_DLL_LOAD_CALLBACK ProviderDllLoadCallback;
+        RTL_VERIFIER_DLL_UNLOAD_CALLBACK ProviderDllUnloadCallback;
+        PWSTR VerifierImage;
+        DWORD VerifierFlags;
+        DWORD VerifierDebug;
+        PVOID RtlpGetStackTraceAddress;
+        PVOID RtlpDebugPageHeapCreate;
+        PVOID RtlpDebugPageHeapDestroy;
+        RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK ProviderNtdllHeapFreeCallback;
+} RTL_VERIFIER_PROVIDER_DESCRIPTOR, *PRTL_VERIFIER_PROVIDER_DESCRIPTOR;
+
+typedef LSTATUS(WINAPI *LPFN_REGQUERYVALUEEXW)(HKEY, LPCWSTR, LPDWORD, LPDWORD, LPBYTE, LPDWORD);
+typedef HMODULE(WINAPI *LPFN_LOADLIBRARYEXW)(LPCWSTR, HANDLE, DWORD);
+
+extern LPFN_REGQUERYVALUEEXW *g_plpfnRegQueryValueExW;
+extern LPFN_LOADLIBRARYEXW *g_plpfnLoadLibraryExW;

wufuc/callbacks.c

@@ -0,0 +1,15 @@
+#include "callbacks.h"
+
+#include "tracing.h"
+
+#include <phnt_windows.h>
+
+VOID NTAPI VerifierDllLoadCallback(PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved)
+{
+        trace(L"dll load %ls, DllBase=%p, DllSize=%Iu", DllName, DllBase, DllSize);
+}
+
+VOID NTAPI VerifierDllUnloadCallback(PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved)
+{
+        trace(L"dll unload %ls, DllBase=%p, DllSize=%Iu", DllName, DllBase, DllSize);
+}

wufuc/callbacks.h

@@ -0,0 +1,6 @@
+#pragma once
+
+#include <phnt_windows.h>
+
+VOID NTAPI VerifierDllLoadCallback(PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved);
+VOID NTAPI VerifierDllUnloadCallback(PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved);

wufuc/dllmain.c

@@ -0,0 +1,68 @@
+#include "appverifier.h"
+#include "hooks.h"
+#include "callbacks.h"
+#include "helpers.h"
+
+#include <stdbool.h>
+
+#include <phnt_windows.h>
+#include <phnt.h>
+
+RTL_VERIFIER_THUNK_DESCRIPTOR g_vfThunkDescriptors[] = {
+        { "RegQueryValueExW", NULL, (PVOID)&RegQueryValueExW_Hook },
+        { "LoadLibraryExW", NULL, (PVOID)&LoadLibraryExW_Hook },
+        { 0 } };
+
+RTL_VERIFIER_DLL_DESCRIPTOR g_vfDllDescriptors[2];
+
+RTL_VERIFIER_PROVIDER_DESCRIPTOR g_vfProviderDescriptor = {
+        sizeof(RTL_VERIFIER_PROVIDER_DESCRIPTOR),
+        g_vfDllDescriptors/*,
+        (RTL_VERIFIER_DLL_LOAD_CALLBACK)&VerifierDllLoadCallback,
+        (RTL_VERIFIER_DLL_UNLOAD_CALLBACK)&VerifierDllUnloadCallback*/ };
+
+LPFN_REGQUERYVALUEEXW *g_plpfnRegQueryValueExW;
+LPFN_LOADLIBRARYEXW *g_plpfnLoadLibraryExW;
+
+BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
+{
+        switch ( ul_reason_for_call ) {
+        case DLL_PROCESS_ATTACH:
+                LdrDisableThreadCalloutsForDll((PVOID)hModule);
+                break;
+        case DLL_PROCESS_DETACH:
+                break;
+        case DLL_PROCESS_VERIFIER:
+                if ( verify_win7() || verify_win81() ) {
+                        UNICODE_STRING ImagePath;
+                        RtlInitUnicodeString(&ImagePath, NULL);
+
+                        RTL_QUERY_REGISTRY_TABLE QueryTable[2];
+                        RtlSecureZeroMemory(&QueryTable, sizeof(QueryTable));
+                        QueryTable[0].Name = L"ImagePath";
+                        QueryTable[0].Flags = RTL_QUERY_REGISTRY_DIRECT;
+                        QueryTable[0].EntryContext = &ImagePath;
+
+                        if ( RtlQueryRegistryValues(RTL_REGISTRY_SERVICES, L"wuauserv", QueryTable, NULL, NULL) == STATUS_SUCCESS
+                                && !RtlCompareUnicodeString(&NtCurrentPeb()->ProcessParameters->CommandLine, &ImagePath, TRUE) ) {
+
+                                if ( verify_win7() )
+                                        g_vfDllDescriptors[0].DllName = L"kernel32.dll";
+                                else if ( verify_win81() )
+                                        g_vfDllDescriptors[0].DllName = L"kernelbase.dll";
+
+                                g_vfDllDescriptors[0].DllThunks = g_vfThunkDescriptors;
+
+                                g_plpfnRegQueryValueExW = (LPFN_REGQUERYVALUEEXW *)&g_vfThunkDescriptors[0].ThunkOldAddress;
+                                g_plpfnLoadLibraryExW = (LPFN_LOADLIBRARYEXW *)&g_vfThunkDescriptors[1].ThunkOldAddress;
+                        }
+                        RtlFreeUnicodeString(&ImagePath);
+                }
+                *(PRTL_VERIFIER_PROVIDER_DESCRIPTOR *)lpReserved = &g_vfProviderDescriptor;
+                break;
+        default:
+                break;
+        }
+
+        return TRUE;
+}

wufuc/exports.def

@@ -0,0 +1,4 @@
+LIBRARY
+EXPORTS
+        RUNDLL32_LegacyUnloadW @1
+        RUNDLL32_DeleteFileW @2

wufuc/helpers.c

@@ -0,0 +1,104 @@
+#include "helpers.h"
+
+#include <stdint.h>
+#include <stdbool.h>
+
+#include <phnt_windows.h>
+#include <phnt.h>
+
+bool verify_winver(
+        DWORD dwMajorVersion,
+        DWORD dwMinorVersion,
+        DWORD dwBuildNumber,
+        WORD wServicePackMajor,
+        WORD wServicePackMinor,
+        BYTE MajorVersionCondition,
+        BYTE MinorVersionCondition,
+        BYTE BuildNumberCondition,
+        BYTE ServicePackMajorCondition,
+        BYTE ServicePackMinorCondition
+)
+{
+        RTL_OSVERSIONINFOEXW osvi = { 0 };
+        osvi.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOEXW);
+
+        osvi.dwMajorVersion = dwMajorVersion;
+        osvi.dwMinorVersion = dwMinorVersion;
+        osvi.dwBuildNumber = dwBuildNumber;
+        osvi.wServicePackMajor = wServicePackMajor;
+        osvi.wServicePackMinor = wServicePackMinor;
+
+        ULONGLONG ConditionMask = 0;
+        ULONG TypeMask = 0;
+        if ( MajorVersionCondition ) {
+                TypeMask |= VER_MAJORVERSION;
+                VER_SET_CONDITION(ConditionMask, VER_MAJORVERSION, MajorVersionCondition);
+        }
+        if ( MinorVersionCondition ) {
+                TypeMask |= VER_MINORVERSION;
+                VER_SET_CONDITION(ConditionMask, VER_MINORVERSION, MinorVersionCondition);
+        }
+        if ( BuildNumberCondition ) {
+                TypeMask |= VER_BUILDNUMBER;
+                VER_SET_CONDITION(ConditionMask, VER_BUILDNUMBER, BuildNumberCondition);
+        }
+        if ( ServicePackMajorCondition ) {
+                TypeMask |= VER_SERVICEPACKMAJOR;
+                VER_SET_CONDITION(ConditionMask, VER_SERVICEPACKMAJOR, ServicePackMajorCondition);
+        }
+        if ( ServicePackMinorCondition ) {
+                TypeMask |= VER_SERVICEPACKMINOR;
+                VER_SET_CONDITION(ConditionMask, VER_SERVICEPACKMINOR, ServicePackMinorCondition);
+        }
+        return RtlVerifyVersionInfo(&osvi, TypeMask, ConditionMask) == STATUS_SUCCESS;
+}
+
+bool verify_win7(void)
+{
+        static bool a, b;
+        if ( !a ) {
+                b = verify_winver(6, 1, 0, 0, 0, VER_EQUAL, VER_EQUAL, 0, 0, 0);
+                a = true;
+        }
+        return b;
+}
+
+bool verify_win81(void)
+{
+        static bool a, b;
+        if ( !a ) {
+                b = verify_winver(6, 3, 0, 0, 0, VER_EQUAL, VER_EQUAL, 0, 0, 0);
+                a = true;
+        }
+        return b;
+}
+
+wchar_t *find_fname(wchar_t *pPath)
+{
+        wchar_t *pwc = wcsrchr(pPath, L'\\');
+        if ( pwc && *(++pwc) )
+                return pwc;
+
+        return pPath;
+}
+
+bool file_exists(const wchar_t *path)
+{
+        return GetFileAttributesW(path) != INVALID_FILE_ATTRIBUTES;
+}
+
+int compare_versions(
+        WORD wMajorA, WORD wMinorA, WORD wBuildA, WORD wRevisionA,
+        WORD wMajorB, WORD wMinorB, WORD wBuildB, WORD wRevisionB
+)
+{
+        if ( wMajorA < wMajorB ) return -1;
+        if ( wMajorA > wMajorB ) return 1;
+        if ( wMinorA < wMinorB ) return -1;
+        if ( wMinorA > wMinorB ) return 1;
+        if ( wBuildA < wBuildB ) return -1;
+        if ( wBuildA > wBuildB ) return 1;
+        if ( wRevisionA < wRevisionB ) return -1;
+        if ( wRevisionA > wRevisionB ) return 1;
+        return 0;
+}

wufuc/helpers.h

@@ -0,0 +1,26 @@
+#pragma once
+
+#include <stdbool.h>
+
+#include <phnt_windows.h>
+
+bool verify_winver(
+        DWORD dwMajorVersion,
+        DWORD dwMinorVersion,
+        DWORD dwBuildNumber,
+        WORD wServicePackMajor,
+        WORD wServicePackMinor,
+        BYTE MajorVersionCondition,
+        BYTE MinorVersionCondition,
+        BYTE BuildNumberCondition,
+        BYTE ServicePackMajorCondition,
+        BYTE ServicePackMinorCondition
+);
+bool verify_win7(void);
+bool verify_win81(void);
+
+wchar_t *find_fname(wchar_t *pPath);
+bool file_exists(const wchar_t *path);
+int compare_versions(
+        WORD wMajorA, WORD wMinorA, WORD wBuildA, WORD wRevisionA,
+        WORD wMajorB, WORD wMinorB, WORD wBuildB, WORD wRevisionB);

wufuc/hooks.c

@@ -0,0 +1,156 @@
+#include "hooks.h"
+
+#include "appverifier.h"
+#include "patchwua.h"
+#include "helpers.h"
+#include "tracing.h"
+#include "rtl_malloc.h"
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <stdint.h>
+
+#include <phnt_windows.h>
+#include <phnt.h>
+#include <Psapi.h>
+
+
+LSTATUS WINAPI RegQueryValueExW_Hook(HKEY hKey, LPCWSTR lpValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData)
+{
+        LSTATUS result;
+
+        if ( (lpData && lpcbData)
+                && (lpValueName && !_wcsicmp(lpValueName, L"ServiceDll")) ) {
+
+                // store original lpData buffer size
+                DWORD cbData = *lpcbData;
+
+                // this way the dll path is guaranteed to be null-terminated
+                result = RegGetValueW(hKey, NULL, lpValueName, RRF_RT_REG_EXPAND_SZ | RRF_NOEXPAND, lpType, lpData, lpcbData);
+
+                NTSTATUS Status;
+                ULONG ResultLength;
+                if ( result != ERROR_SUCCESS 
+                        || (Status = NtQueryKey((HANDLE)hKey, KeyNameInformation, NULL, 0, &ResultLength),
+                        Status != STATUS_BUFFER_OVERFLOW && Status != STATUS_BUFFER_TOO_SMALL) )
+                        goto L_ret;
+
+                PKEY_NAME_INFORMATION pkni = rtl_malloc(ResultLength);
+
+                if ( NtQueryKey((HANDLE)hKey, KeyNameInformation, (PVOID)pkni, ResultLength, &ResultLength) != STATUS_SUCCESS )
+                        goto L_free_pkni;
+
+                size_t BufferCount = pkni->NameLength / sizeof(wchar_t);
+
+                // change key name to lower-case because there is no case-insensitive version of _snwscanf_s
+                for ( size_t i = 0; i < BufferCount; i++ )
+                        pkni->Name[i] = towlower(pkni->Name[i]);
+
+                int current, pos;
+                if ( _snwscanf_s(pkni->Name, BufferCount, 
+                        L"\\registry\\machine\\system\\controlset%03d\\services\\wuauserv\\parameters%n", &current, &pos) == 1 
+                        && pos == BufferCount ) {
+
+                        wchar_t drive[_MAX_DRIVE], dir[_MAX_DIR], fname[_MAX_FNAME], ext[_MAX_EXT];
+                        _wsplitpath_s((wchar_t *)lpData,
+                                drive, _countof(drive),
+                                dir, _countof(dir),
+                                fname, _countof(fname),
+                                ext, _countof(ext));
+
+                        if ( !_wcsicmp(ext, L".dll")
+                                && (!_wcsicmp(fname, L"wuaueng2") // UpdatePack7R2
+                                || !_wcsicmp(fname, L"WuaCpuFix64") // WuaCpuFix
+                                || !_wcsicmp(fname, L"WuaCpuFix")) ) {
+
+                                wchar_t *tmp = rtl_malloc(cbData);
+
+                                size_t MaxCount = cbData / sizeof(wchar_t);
+                                _wmakepath_s(tmp, MaxCount, drive, dir, L"wuaueng", ext);
+                                DWORD nSize = ExpandEnvironmentStringsW(tmp, NULL, 0);
+
+                                wchar_t *lpDst = rtl_calloc(nSize, sizeof(wchar_t));
+                                ExpandEnvironmentStringsW(tmp, lpDst, nSize);
+
+                                rtl_free(tmp);
+
+                                if ( file_exists(lpDst) ) {
+                                        _wmakepath_s((wchar_t *)lpData, MaxCount, drive, dir, L"wuaueng", ext);
+                                        *lpcbData = (DWORD)((wcslen((wchar_t *)lpData) + 1) * sizeof(wchar_t));
+                                        trace(L"Fixed wuauserv %ls path: %ls", lpValueName, lpDst);
+                                }
+                                rtl_free(lpDst);
+                        }
+                }
+L_free_pkni:
+                rtl_free(pkni);
+        } else {
+                // handle normally
+                result = (*g_plpfnRegQueryValueExW)(hKey, lpValueName, lpReserved, lpType, lpData, lpcbData);
+        }
+L_ret:
+        return result;
+}
+
+HMODULE WINAPI LoadLibraryExW_Hook(LPCWSTR lpFileName, HANDLE hFile, DWORD dwFlags)
+{
+        HMODULE result = (*g_plpfnLoadLibraryExW)(lpFileName, hFile, dwFlags);
+        if ( !result ) {
+                trace(L"Failed to load library: %ls (error code=%08X)", lpFileName, GetLastError());
+                goto L_ret;
+        }
+
+        trace(L"Loaded library: %ls", lpFileName);
+        DWORD dwLen = GetFileVersionInfoSizeW(lpFileName, NULL);
+        if ( !dwLen )
+                goto L_ret;
+        
+        LPVOID pBlock = rtl_malloc(dwLen);
+
+        PLANGANDCODEPAGE ptl;
+        UINT cb;
+        if ( !GetFileVersionInfoW(lpFileName, 0, dwLen, pBlock)
+                || !VerQueryValueW(pBlock, L"\\VarFileInfo\\Translation", (LPVOID *)&ptl, &cb) )
+                goto L_free_pBlock;
+
+        wchar_t lpSubBlock[38];
+        for ( size_t i = 0; i < (cb / sizeof(LANGANDCODEPAGE)); i++ ) {
+                swprintf_s(lpSubBlock, _countof(lpSubBlock),
+                        L"\\StringFileInfo\\%04x%04x\\InternalName", 
+                        ptl[i].wLanguage, 
+                        ptl[i].wCodePage);
+                
+                wchar_t *lpszInternalName;
+                UINT uLen;
+                if ( VerQueryValueW(pBlock, lpSubBlock, (LPVOID *)&lpszInternalName, &uLen)
+                        && !_wcsicmp(lpszInternalName, L"wuaueng.dll") ) {
+
+                        VS_FIXEDFILEINFO *pffi;
+                        VerQueryValueW(pBlock, L"\\", (LPVOID *)&pffi, &uLen);
+                        WORD wMajor = HIWORD(pffi->dwProductVersionMS);
+                        WORD wMinor = LOWORD(pffi->dwProductVersionMS);
+                        WORD wBuild = HIWORD(pffi->dwProductVersionLS);
+                        WORD wRevision = LOWORD(pffi->dwProductVersionLS);
+
+                        wchar_t path[MAX_PATH];
+                        GetModuleFileNameW(result, path, _countof(path));
+                        wchar_t *fname = find_fname(path);
+
+                        if ( (verify_win7() && compare_versions(wMajor, wMinor, wBuild, wRevision, 7, 6, 7601, 23714) != -1)
+                                || (verify_win81() && compare_versions(wMajor, wMinor, wBuild, wRevision, 7, 9, 9600, 18621) != -1) ) {
+
+                                trace(L"%ls version: %d.%d.%d.%d", fname, wMajor, wMinor, wBuild, wRevision);
+                                MODULEINFO modinfo;
+                                if ( GetModuleInformation(GetCurrentProcess(), result, &modinfo, sizeof(MODULEINFO)) ) {
+                                        if ( !patch_wua(modinfo.lpBaseOfDll, modinfo.SizeOfImage, fname) )
+                                                trace(L"Failed to patch %ls!", fname);
+                                } else trace(L"Failed to get module information for %ls (%p) (couldn't patch)", fname, result);
+                        } else trace(L"Unsupported %ls version: %d.%d.%d.%d (patching skipped)", fname, wMajor, wMinor, wBuild, wRevision);
+                        break;
+                }
+        }
+L_free_pBlock:
+        rtl_free(pBlock);
+L_ret:
+        return result;
+}

wufuc/hooks.h

@@ -0,0 +1,12 @@
+#pragma once
+
+#include <phnt_windows.h>
+
+typedef struct tagLANGANDCODEPAGE
+{
+        WORD wLanguage;
+        WORD wCodePage;
+} LANGANDCODEPAGE, *PLANGANDCODEPAGE;
+
+LSTATUS WINAPI RegQueryValueExW_Hook(HKEY hKey, LPCWSTR lpValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData);
+HMODULE WINAPI LoadLibraryExW_Hook(LPCWSTR lpFileName, HANDLE hFile, DWORD dwFlags);

wufuc/patchwua.c

@@ -0,0 +1,78 @@
+#include "patchwua.h"
+
+#include "helpers.h"
+#include "patternfind.h"
+#include "tracing.h"
+
+#include <stdint.h>
+#include <stdbool.h>
+
+#include <phnt_windows.h>
+#include <phnt.h>
+
+#ifdef _M_AMD64
+static const PatchSet X64PatchSet = { "FFF3 4883EC?? 33DB 391D???????? 7508 8B05????????", 0xA, 0x12 };
+#elif defined(_M_IX86)
+static const PatchSet Win7X86PatchSet = { "833D????????00 743E E8???????? A3????????", 0x2, 0xF };
+static const PatchSet Win81X86PatchSet = { "8BFF 51 833D????????00 7507 A1????????", 0x5, 0xD };
+#endif
+
+bool calculate_pointers(uintptr_t lpfn, const PatchSet *ps, LPBOOL *ppba, LPBOOL *ppbb)
+{
+#ifdef _M_AMD64
+        *ppba = (LPBOOL)(lpfn + ps->Offset1 + sizeof(uint32_t) + *(uint32_t *)(lpfn + ps->Offset1));
+        *ppbb = (LPBOOL)(lpfn + ps->Offset2 + sizeof(uint32_t) + *(uint32_t *)(lpfn + ps->Offset2));
+        return true;
+#elif defined(_M_IX86)
+        *ppba = (LPBOOL)(*(uintptr_t *)(lpfn + ps->Offset1));
+        *ppbb = (LPBOOL)(*(uintptr_t *)(lpfn + ps->Offset2));
+        return true;
+#endif
+        return false;
+}
+
+bool patch_wua(void *lpBaseOfDll, size_t SizeOfImage, wchar_t *fname)
+{
+        bool result = false;
+
+        const PatchSet *pps;
+#ifdef _M_AMD64
+        pps = &X64PatchSet;
+#elif defined(_M_IX86)
+        if ( verify_win7() )
+                pps = &Win7X86PatchSet;
+        else if ( verify_win81() )
+                pps = &Win81X86PatchSet;
+        else 
+                goto L_ret;
+#endif
+        unsigned char *ptr = patternfind(lpBaseOfDll, SizeOfImage, pps->Pattern);
+        if ( !ptr ) {
+                trace(L"No pattern match! (couldn't patch)");
+                goto L_ret;
+        }
+
+        LPBOOL pba, pbb;
+        if ( calculate_pointers((uintptr_t)ptr, pps, &pba, &pbb) ) {
+                DWORD flOldProtect;
+                if ( *pba == TRUE ) {
+                        if ( VirtualProtect(pba, sizeof(BOOL), PAGE_READWRITE, &flOldProtect) ) {
+                                *pba = FALSE;
+                                trace(L"Patched value #1 at %ls!%p: %08X", fname, pba, *pba);
+                                if ( !VirtualProtect(pba, sizeof(BOOL), flOldProtect, &flOldProtect) )
+                                        trace(L"Failed to restore memory region permissions at %ls!%p (error code=%08X)", fname, pba, GetLastError());
+                        } else trace(L"Failed to change memory region permissions at %ls!%p (error code=%08X)", fname, pba, GetLastError());
+                }
+                if ( *pbb == FALSE ) {
+                        if ( VirtualProtect(pbb, sizeof(BOOL), PAGE_READWRITE, &flOldProtect) ) {
+                                *pbb = TRUE;
+                                trace(L"Patched value #2 at %ls!%p: %08X", fname, pbb, *pbb);
+                                if ( !VirtualProtect(pbb, sizeof(BOOL), flOldProtect, &flOldProtect) )
+                                        trace(L"Failed to restore memory region permissions at %ls!%p: (error code=%08X)", fname, pbb, GetLastError());
+                        } else trace(L"Failed to change memory region permissions at %ls!%p (error code=%08X)", fname, pbb, GetLastError());
+                }
+                result = !*pba && *pbb;
+        }
+L_ret:
+        return result;
+}

wufuc/patchwua.h

@@ -0,0 +1,15 @@
+#pragma once
+
+#include <stdbool.h>
+
+#include <phnt_windows.h>
+
+typedef struct tagPatchSet
+{
+        const char *Pattern;
+        const size_t Offset1;
+        const size_t Offset2;
+} PatchSet;
+
+bool calculate_pointers(uintptr_t lpfn, const PatchSet *ps, LPBOOL *ppba, LPBOOL *ppbb);
+bool patch_wua(void *lpBaseOfDll, size_t SizeOfImage, wchar_t *fname);

wufuc/patternfind.c

@@ -0,0 +1,179 @@
+#include "patternfind.h"
+
+#include "rtl_malloc.h"
+
+#include <stddef.h>
+#include <stdbool.h>
+#include <string.h>
+
+static inline bool isHex(char ch)
+{
+        return (ch >= '0' && ch <= '9') || (ch >= 'A' && ch <= 'F') || (ch >= 'a' && ch <= 'f');
+}
+
+static inline int hexchtoint(char ch)
+{
+        if ( ch >= '0' && ch <= '9' )
+                return ch - '0';
+        else if ( ch >= 'A' && ch <= 'F' )
+                return ch - 'A' + 10;
+        else if ( ch >= 'a' && ch <= 'f' )
+                return ch - 'a' + 10;
+        return -1;
+}
+
+static inline size_t formathexpattern(const char *patterntext, char *formattext, size_t formattextsize)
+{
+        size_t len = strlen(patterntext);
+        size_t result = 0;
+        for ( size_t i = 0; i < len; i++ ) {
+                if ( patterntext[i] == '?' || hexchtoint(patterntext[i]) != -1 ) {
+                        if ( formattext && result + 1 < formattextsize )
+                                formattext[result] = patterntext[i];
+
+                        result++;
+                }
+        }
+        if ( result % 2 ) { //not a multiple of 2
+                if ( formattext && result + 1 < formattextsize )
+                        formattext[result] = '?';
+
+                result++;
+        }
+        if ( formattext ) {
+                if ( result <= formattextsize )
+                        formattext[result] = '\0';
+                else
+                        formattext[0] = '\0';
+        }
+        return result;
+}
+
+bool patterntransform(const char *patterntext, PatternByte *pattern, size_t patternsize)
+{
+        memset(pattern, 0, patternsize * sizeof(PatternByte));
+        size_t len = formathexpattern(patterntext, NULL, 0);
+
+        if ( !len || len / 2 > patternsize )
+                return false;
+
+        size_t size = len + 1;
+        char *formattext = rtl_malloc(size);
+        formathexpattern(patterntext, formattext, size);
+        PatternByte newByte;
+
+        for ( size_t i = 0, j = 0, k = 0; i < len && k <= patternsize; i++ ) {
+                if ( formattext[i] == '?' ) { //wildcard
+                        newByte.nibble[j].wildcard = true; //match anything
+                } else { //hex
+                        newByte.nibble[j].wildcard = false;
+                        newByte.nibble[j].data = hexchtoint(formattext[i]) & 0xF;
+                }
+
+                j++;
+                if ( j == 2 ) { //two nibbles = one byte
+                        j = 0;
+                        pattern[k++] = newByte;
+                }
+        }
+        return true;
+}
+
+static inline bool patternmatchbyte(unsigned char byte, const PatternByte pbyte)
+{
+        int matched = 0;
+
+        unsigned char n1 = (byte >> 4) & 0xF;
+        if ( pbyte.nibble[0].wildcard )
+                matched++;
+        else if ( pbyte.nibble[0].data == n1 )
+                matched++;
+
+        unsigned char n2 = byte & 0xF;
+        if ( pbyte.nibble[1].wildcard )
+                matched++;
+        else if ( pbyte.nibble[1].data == n2 )
+                matched++;
+
+        return (matched == 2);
+}
+
+unsigned char *patternfind(unsigned char *data, size_t datasize, const char *pattern)
+{
+        size_t searchpatternsize = formathexpattern(pattern, NULL, 0) / 2;
+        PatternByte *searchpattern = rtl_calloc(searchpatternsize, sizeof(PatternByte));
+
+        unsigned char *result = NULL;
+        if ( patterntransform(pattern, searchpattern, searchpatternsize) )
+                result = patternfind3(data, datasize, searchpattern, searchpatternsize);
+        
+        rtl_free(searchpattern);
+        return result;
+}
+
+unsigned char *patternfind2(unsigned char *data, size_t datasize, unsigned char *pattern, size_t patternsize)
+{
+        if ( patternsize > datasize )
+                patternsize = datasize;
+        for ( size_t i = 0, pos = 0; i < datasize; i++ ) {
+                if ( data[i] == pattern[pos] ) {
+                        pos++;
+                        if ( pos == patternsize )
+                                return &data[i - patternsize + 1];
+                } else if ( pos > 0 ) {
+                        i -= pos;
+                        pos = 0; //reset current pattern position
+                }
+        }
+        return NULL;
+}
+
+static inline void patternwritebyte(unsigned char *byte, const PatternByte pbyte)
+{
+        unsigned char n1 = (*byte >> 4) & 0xF;
+        unsigned char n2 = *byte & 0xF;
+        if ( !pbyte.nibble[0].wildcard )
+                n1 = pbyte.nibble[0].data;
+        if ( !pbyte.nibble[1].wildcard )
+                n2 = pbyte.nibble[1].data;
+        *byte = ((n1 << 4) & 0xF0) | (n2 & 0xF);
+}
+
+void patternwrite(unsigned char *data, size_t datasize, const char *pattern)
+{
+        size_t writepatternsize = formathexpattern(pattern, NULL, 0) / 2;
+        PatternByte *writepattern = rtl_calloc(writepatternsize, sizeof(PatternByte));
+
+        if ( patterntransform(pattern, writepattern, writepatternsize) ) {
+                if ( writepatternsize > datasize )
+                        writepatternsize = datasize;
+                for ( size_t i = 0; i < writepatternsize; i++ )
+                        patternwritebyte(&data[i], writepattern[i]);
+        }
+
+        rtl_free(writepattern);
+}
+
+bool patternsnr(unsigned char *data, size_t datasize, const char *searchpattern, const char *replacepattern)
+{
+        unsigned char *found = patternfind(data, datasize, searchpattern);
+        if ( !found )
+                return false;
+        patternwrite(found, datasize - (found - data), replacepattern);
+        return true;
+}
+
+unsigned char *patternfind3(unsigned char *data, size_t datasize, const PatternByte *pattern, size_t searchpatternsize)
+{
+        for ( size_t i = 0, pos = 0; i < datasize; i++ ) { //search for the pattern
+                if ( patternmatchbyte(data[i], pattern[pos]) ) { //check if our pattern matches the current byte
+                        pos++;
+                        if ( pos == searchpatternsize ) //everything matched
+                                return &data[i - searchpatternsize + 1];
+                } else if ( pos > 0 ) { //fix by Computer_Angel
+                        i -= pos;
+                        pos = 0; //reset current pattern position
+                }
+        }
+        return NULL;
+}

wufuc/patternfind.h

@@ -0,0 +1,58 @@
+#pragma once
+
+#include <stddef.h>
+#include <stdbool.h>
+
+typedef struct tagPatternByte
+{
+        struct PatternNibble
+        {
+                unsigned char data;
+                bool wildcard;
+        } nibble[2];
+} PatternByte;
+
+//returns: pointer to data when found, NULL when not found
+unsigned char *patternfind(
+        unsigned char *data, //data
+        size_t datasize, //size of data
+        const char *pattern //pattern to search
+);
+
+//returns: pointer to data when found, NULL when not found
+unsigned char *patternfind2(
+        unsigned char *data, //data
+        size_t datasize, //size of data
+        unsigned char *pattern, //bytes to search
+        size_t patternsize //size of bytes to search
+);
+
+//returns: nothing
+void patternwrite(
+        unsigned char *data, //data
+        size_t datasize, //size of data
+        const char *pattern //pattern to write
+);
+
+//returns: true on success, false on failure
+bool patternsnr(
+        unsigned char *data, //data
+        size_t datasize, //size of data
+        const char *searchpattern, //pattern to search
+        const char *replacepattern //pattern to write
+);
+
+//returns: true on success, false on failure
+bool patterntransform(
+        const char *patterntext, //pattern string
+        PatternByte *pattern, //pattern to feed to patternfind
+        size_t patternsize //size of pattern
+);
+
+//returns: pointer to data when found, NULL when not found
+unsigned char *patternfind3(
+        unsigned char *data, //data
+        size_t datasize, //size of data
+        const PatternByte *pattern, //pattern to search
+        size_t searchpatternsize //size of pattern to search
+);

wufuc/rtl_malloc.c

@@ -0,0 +1,70 @@
+#include "rtl_malloc.h"
+
+#include <phnt_windows.h>
+#include <phnt.h>
+
+void *rtl_malloc(size_t size)
+{
+        return RtlAllocateHeap(RtlProcessHeap(), 0, size);
+}
+
+void rtl_free(void *memblock)
+{
+        RtlFreeHeap(RtlProcessHeap(), 0, memblock);
+}
+
+void *rtl_calloc(size_t num, size_t size)
+{
+        return RtlAllocateHeap(RtlProcessHeap(), HEAP_ZERO_MEMORY, num * size);
+}
+
+void *rtl_realloc(void *memblock, size_t size)
+{
+        if ( !memblock )
+                return rtl_malloc(size);
+
+        if ( !size ) {
+                rtl_free(memblock);
+                return NULL;
+        }
+
+        return RtlReAllocateHeap(RtlProcessHeap(), 0, memblock, size);
+}
+
+void *_rtl_recalloc(void *memblock, size_t num, size_t size)
+{
+        if ( !memblock )
+                return rtl_calloc(num, size);
+
+        if ( !num || !size ) {
+                rtl_free(memblock);
+                return NULL;
+        }
+
+        return RtlReAllocateHeap(RtlProcessHeap(), HEAP_ZERO_MEMORY, memblock, num * size);
+}
+
+
+void *_rtl_expand(void *memblock, size_t size)
+{
+        return RtlReAllocateHeap(RtlProcessHeap(), HEAP_REALLOC_IN_PLACE_ONLY, memblock, size);
+}
+
+size_t _rtl_msize(void *memblock)
+{
+        return RtlSizeHeap(RtlProcessHeap(), 0, memblock);
+}
+
+int _rtl_heapchk(void)
+{
+        if ( !RtlValidateHeap(RtlProcessHeap(), 0, NULL) )
+                return -1;
+        return 0;
+}
+
+int _rtl_heapmin(void)
+{
+        if ( !RtlCompactHeap(RtlProcessHeap(), 0) )
+                return -1;
+        return 0;
+}

wufuc/rtl_malloc.h

@@ -0,0 +1,21 @@
+#pragma once
+
+#include <stddef.h>
+
+void *rtl_malloc(size_t size);
+
+void rtl_free(void *memblock);
+
+void *rtl_calloc(size_t num, size_t size);
+
+void *rtl_realloc(void *memblock, size_t size);
+
+void *_rtl_recalloc(void *memblock, size_t num, size_t size);
+
+void *_rtl_expand(void *memblock, size_t size);
+
+size_t _rtl_msize(void *memblock);
+
+int _rtl_heapchk(void);
+
+int _rtl_heapmin(void);

wufuc/rundll32.c

@@ -0,0 +1,26 @@
+#include <phnt_windows.h>
+#include <shellapi.h>
+
+void CALLBACK RUNDLL32_DeleteFileW(HWND hwnd, HINSTANCE hinst, LPWSTR lpszCmdLine, int nCmdShow)
+{
+        int argc;
+        wchar_t **argv = CommandLineToArgvW(lpszCmdLine, &argc);
+
+        if ( argv ) {
+                if ( !DeleteFileW(argv[0]) 
+                        && GetLastError() == ERROR_ACCESS_DENIED )
+                        MoveFileExW(argv[0], NULL, MOVEFILE_DELAY_UNTIL_REBOOT);
+
+                LocalFree((HLOCAL)argv);
+        }
+
+}
+
+void CALLBACK RUNDLL32_LegacyUnloadW(HWND hwnd, HINSTANCE hinst, LPWSTR lpszCmdLine, int nCmdShow)
+{
+        HANDLE Event = OpenEventW(EVENT_MODIFY_STATE, FALSE, L"Global\\wufuc_UnloadEvent");
+        if ( Event ) {
+                SetEvent(Event);
+                CloseHandle(Event);
+        }
+}

wufuc/tracing.c

@@ -0,0 +1,63 @@
+#include "tracing.h"
+
+#include "helpers.h"
+#include "rtl_malloc.h"
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <stdint.h>
+
+#include <phnt_windows.h>
+#include <phnt.h>
+
+void trace_sysinfo(void)
+{
+        RTL_OSVERSIONINFOW osvi = { 0 };
+        osvi.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW);
+        NTSTATUS status = RtlGetVersion(&osvi);
+        if ( NT_SUCCESS(status) ) {
+                trace(L"Windows version: %d.%d.%d (%Iu-bit)",
+                        osvi.dwMajorVersion,
+                        osvi.dwMinorVersion,
+                        osvi.dwBuildNumber,
+                        sizeof(uintptr_t) * 8);
+        } else trace(L"Failed to get Windows version (status=%08X)", status);
+        
+        int CPUInfo[4];
+        __cpuidex(CPUInfo, 0x80000000, 0);
+        if ( CPUInfo[0] < 0x80000004 ) {
+                trace(L"This processor does not support the brand identification feature.");
+                return;
+        }
+        char brand[0x31];
+        uint32_t *u32ptr = (uint32_t *)&brand;
+        for ( int func = 0x80000002; func <= 0x80000004; func++ ) {
+                __cpuidex(CPUInfo, func, 0);
+                for ( int i = 0; i < 4; i++ )
+                        *(u32ptr++) = CPUInfo[i];
+        }
+        size_t c = 0;
+        do {
+                if ( !isspace(brand[c]) )
+                        break;
+                c++;
+        } while ( c < _countof(brand) );
+        trace(L"Processor: %hs", &brand[c]);
+}
+
+void trace_(const wchar_t *const format, ...)
+{
+        static int shown_sysinfo = 0;
+        if ( !shown_sysinfo ) {
+                shown_sysinfo = 1;
+                trace_sysinfo();
+        }
+        va_list argptr;
+        va_start(argptr, format);
+        int count = _vscwprintf(format, argptr) + 1;
+        wchar_t *buffer = rtl_calloc(count, sizeof(wchar_t));
+        vswprintf_s(buffer, count, format, argptr);
+        va_end(argptr);
+        OutputDebugStringW(buffer);
+        rtl_free(buffer);
+}

wufuc/tracing.h

@@ -0,0 +1,14 @@
+#pragma once
+
+#include <phnt_windows.h>
+
+extern IMAGE_DOS_HEADER __ImageBase;
+#define HMODULE_THISCOMPONENT ((HMODULE)&__ImageBase);
+
+void trace_(const wchar_t *const format, ...);
+
+#define STRINGIZEW_(x) L#x
+#define STRINGIZEW(x) STRINGIZEW_(x)
+
+#define LINEWSTR STRINGIZEW(__LINE__)
+#define trace(format, ...) trace_(__FILEW__ L":" LINEWSTR L"(" __FUNCTIONW__ L"): " format L"\n", ##__VA_ARGS__)

wufuc/wufuc.rch

@@ -0,0 +1,17 @@
+#ifndef WUFUC_RCH_INCLUDED
+#define WUFUC_RCH_INCLUDED
+#pragma once
+#ifndef BUILD_COMMIT_VERSION
+#define BUILD_COMMIT_VERSION 0.8.0.0
+#endif
+#ifndef BUILD_VERSION_COMMA
+#define BUILD_VERSION_COMMA 0,8,0,0
+#endif
+#define STRINGIZE_(x) #x
+#define STRINGIZE(x) STRINGIZE_(x)
+#ifdef X64
+#define WUFUC_DLL "wufuc64.dll"
+#elif defined(X86)
+#define WUFUC_DLL "wufuc32.dll"
+#endif
+#endif

wufuc/wufuc.vcxproj

@@ -0,0 +1,252 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="appverifier.h" />
+    <ClInclude Include="callbacks.h" />
+    <ClInclude Include="helpers.h" />
+    <ClInclude Include="hooks.h" />
+    <ClInclude Include="rtl_malloc.h" />
+    <ClInclude Include="tracing.h" />
+    <ClInclude Include="patchwua.h" />
+    <ClInclude Include="patternfind.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="callbacks.c" />
+    <ClCompile Include="dllmain.c" />
+    <ClCompile Include="helpers.c" />
+    <ClCompile Include="hooks.c" />
+    <ClCompile Include="rtl_malloc.c" />
+    <ClCompile Include="rundll32.c" />
+    <ClCompile Include="tracing.c" />
+    <ClCompile Include="patchwua.c" />
+    <ClCompile Include="patternfind.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="exports.def" />
+    <None Include="wufuc.rch">
+      <FileType>Document</FileType>
+    </None>
+  </ItemGroup>
+  <ItemGroup>
+    <ResourceCompile Include="wufuc.rc" />
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <VCProjectVersion>15.0</VCProjectVersion>
+    <ProjectGuid>{00F96695-CE41-4C2F-A344-6219DFB4F887}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>wufuc</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0.15063.0</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v141</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v141</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v141</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v141</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>$(ProjectDir)bin\$(Configuration)\$(PlatformShortName)\</OutDir>
+    <IntDir>$(ProjectDir)$(BaseIntermediateOutputPath)$(Configuration)\$(PlatformShortName)\</IntDir>
+    <TargetName>$(ProjectName)$(PlatformArchitecture)</TargetName>
+    <GenerateManifest>false</GenerateManifest>
+    <IncludePath>$(SolutionDir)phnt\include;$(IncludePath)</IncludePath>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>$(ProjectDir)bin\$(Configuration)\$(PlatformShortName)\</OutDir>
+    <IntDir>$(ProjectDir)$(BaseIntermediateOutputPath)$(Configuration)\$(PlatformShortName)\</IntDir>
+    <TargetName>$(ProjectName)$(PlatformArchitecture)</TargetName>
+    <GenerateManifest>false</GenerateManifest>
+    <IncludePath>$(SolutionDir)phnt\include;$(IncludePath)</IncludePath>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>$(ProjectDir)bin\$(Configuration)\$(PlatformShortName)\</OutDir>
+    <IntDir>$(ProjectDir)$(BaseIntermediateOutputPath)$(Configuration)\$(PlatformShortName)\</IntDir>
+    <TargetName>$(ProjectName)$(PlatformArchitecture)</TargetName>
+    <GenerateManifest>false</GenerateManifest>
+    <IncludePath>$(SolutionDir)phnt\include;$(IncludePath)</IncludePath>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>$(ProjectDir)bin\$(Configuration)\$(PlatformShortName)\</OutDir>
+    <IntDir>$(ProjectDir)$(BaseIntermediateOutputPath)$(Configuration)\$(PlatformShortName)\</IntDir>
+    <TargetName>$(ProjectName)$(PlatformArchitecture)</TargetName>
+    <GenerateManifest>false</GenerateManifest>
+    <IncludePath>$(SolutionDir)phnt\include;$(IncludePath)</IncludePath>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;WUFUC_EXPORTS;_NO_CRT_STDIO_INLINE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <CompileAs>CompileAsC</CompileAs>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <ModuleDefinitionFile>exports.def</ModuleDefinitionFile>
+      <EntryPointSymbol>DllMain</EntryPointSymbol>
+      <AdditionalDependencies>ntdll.lib;ntdllp.lib;version.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>
+      </AdditionalLibraryDirectories>
+      <IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
+    </Link>
+    <PreBuildEvent />
+    <ResourceCompile>
+      <PreprocessorDefinitions>X86;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ResourceCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>_DEBUG;_WINDOWS;_USRDLL;WUFUC_EXPORTS;_NO_CRT_STDIO_INLINE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <CompileAs>CompileAsC</CompileAs>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <AdditionalDependencies>ntdll.lib;ntdllp.lib;version.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <ModuleDefinitionFile>exports.def</ModuleDefinitionFile>
+      <EntryPointSymbol>DllMain</EntryPointSymbol>
+      <AdditionalLibraryDirectories>
+      </AdditionalLibraryDirectories>
+      <IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
+    </Link>
+    <PreBuildEvent />
+    <ResourceCompile>
+      <PreprocessorDefinitions>X64;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ResourceCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Full</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WUFUC_EXPORTS;_NO_CRT_STDIO_INLINE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <CompileAs>CompileAsC</CompileAs>
+      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+    </ClCompile>
+    <ResourceCompile Condition="'$(APPVEYOR)'=='True'">
+      <PreprocessorDefinitions>BUILD_COMMIT_VERSION=$(BUILD_COMMIT_VERSION);BUILD_VERSION_COMMA=$(BUILD_VERSION_COMMA);$(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ResourceCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <ModuleDefinitionFile>exports.def</ModuleDefinitionFile>
+      <EntryPointSymbol>DllMain</EntryPointSymbol>
+      <AdditionalDependencies>ntdll.lib;ntdllp.lib;version.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>
+      </AdditionalLibraryDirectories>
+      <IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
+    </Link>
+    <PostBuildEvent>
+      <Command>
+      </Command>
+    </PostBuildEvent>
+    <PreBuildEvent />
+    <ResourceCompile>
+      <PreprocessorDefinitions>X86;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ResourceCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Full</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>NDEBUG;_WINDOWS;_USRDLL;WUFUC_EXPORTS;_NO_CRT_STDIO_INLINE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <CompileAs>CompileAsC</CompileAs>
+      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+    </ClCompile>
+    <ResourceCompile Condition="'$(APPVEYOR)'=='True'">
+      <PreprocessorDefinitions>BUILD_COMMIT_VERSION=$(BUILD_COMMIT_VERSION);BUILD_VERSION_COMMA=$(BUILD_VERSION_COMMA);$(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ResourceCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <AdditionalDependencies>ntdll.lib;ntdllp.lib;version.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <ModuleDefinitionFile>exports.def</ModuleDefinitionFile>
+      <EntryPointSymbol>DllMain</EntryPointSymbol>
+      <AdditionalLibraryDirectories>
+      </AdditionalLibraryDirectories>
+      <IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
+    </Link>
+    <PostBuildEvent>
+      <Command>
+      </Command>
+    </PostBuildEvent>
+    <PreBuildEvent />
+    <ResourceCompile>
+      <PreprocessorDefinitions>X64;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ResourceCompile>
+  </ItemDefinitionGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>

wufuc/wufuc.vcxproj.filters

@@ -0,0 +1,85 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{629a1242-73f5-4282-a218-7b8d7d761cc6}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{e54f7242-67a6-4c85-bf48-0f7a6095b613}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{acf0da3d-e3e4-4fc8-aaf8-8d0558e6414c}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="patchwua.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="patternfind.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="callbacks.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="helpers.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="hooks.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="tracing.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="appverifier.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="rtl_malloc.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="patchwua.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="patternfind.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="callbacks.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="dllmain.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="helpers.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="hooks.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="tracing.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="rtl_malloc.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="rundll32.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ResourceCompile Include="wufuc.rc">
+      <Filter>Resource Files</Filter>
+    </ResourceCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="wufuc.rch">
+      <Filter>Resource Files</Filter>
+    </None>
+    <None Include="exports.def">
+      <Filter>Source Files</Filter>
+    </None>
+  </ItemGroup>
+</Project>

wufuc_setup/LICENSE.rtf

@@ -0,0 +1,125 @@
+{\rtf1\ansi\ansicpg1252\deff0{\fonttbl{\f0\fnil\fcharset0 Arial;}{\f1\fnil Arial;}{\f2\fnil\fcharset0 Courier New;}}
+{\colortbl ;\red0\green0\blue255;}
+{\*\generator Msftedit 5.41.21.2512;}\viewkind4\uc1\pard\sa180\lang9\b\fs22 GNU GENERAL PUBLIC LICENSE\par
+\b0\fs20 Version 3, 29 June 2007\par
+Copyright \'a9 2007 Free Software Foundation, Inc. {\field{\*\fldinst{HYPERLINK "http://fsf.org/"}}{\fldrslt{\ul\cf1 http://fsf.org/}}}\f0\fs20\par
+Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.\par
+\b\fs22 Preamble\par
+\b0\fs20 The GNU General Public License is a free, copyleft license for software and other kinds of works.\par
+The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users. We, the Free Software Foundation, use the GNU General Public License for most of our software; it applies also to any other work released this way by its authors. You can apply it to your programs, too.\par
+When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things.\par
+To protect your rights, we need to prevent others from denying you these rights or asking you to surrender the rights. Therefore, you have certain responsibilities if you distribute copies of the software, or if you modify it: responsibilities to respect the freedom of others.\par
+For example, if you distribute copies of such a program, whether gratis or for a fee, you must pass on to the recipients the same freedoms that you received. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.\par
+Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License giving you legal permission to copy, distribute and/or modify it.\par
+For the developers' and authors' protection, the GPL clearly explains that there is no warranty for this free software. For both users' and authors' sake, the GPL requires that modified versions be marked as changed, so that their problems will not be attributed erroneously to authors of previous versions.\par
+Some devices are designed to deny users access to install or run modified versions of the software inside them, although the manufacturer can do so. This is fundamentally incompatible with the aim of protecting users' freedom to change the software. The systematic pattern of such abuse occurs in the area of products for individuals to use, which is precisely where it is most unacceptable. Therefore, we have designed this version of the GPL to prohibit the practice for those products. If such problems arise substantially in other domains, we stand ready to extend this provision to those domains in future versions of the GPL, as needed to protect the freedom of users.\par
+Finally, every program is threatened constantly by software patents. States should not allow patents to restrict development and use of software on general-purpose computers, but in those that do, we wish to avoid the special danger that patents applied to a free program could make it effectively proprietary. To prevent this, the GPL assures that patents cannot be used to render the program non-free.\par
+The precise terms and conditions for copying, distribution and modification follow.\par
+\b\fs22 TERMS AND CONDITIONS\par
+\fs20 0. Definitions.\par
+\b0\f1\ldblquote\f0 This License\f1\rdblquote\f0  refers to version 3 of the GNU General Public License.\par
+\f1\ldblquote\f0 Copyright\f1\rdblquote\f0  also means copyright-like laws that apply to other kinds of works, such as semiconductor masks.\par
+\f1\ldblquote\f0 The Program\f1\rdblquote\f0  refers to any copyrightable work licensed under this License. Each licensee is addressed as \f1\ldblquote\f0 you\f1\rdblquote\f0 . \f1\ldblquote\f0 Licensees\f1\rdblquote\f0  and \f1\ldblquote\f0 recipients\f1\rdblquote\f0  may be individuals or organizations.\par
+To \f1\ldblquote\f0 modify\f1\rdblquote\f0  a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a \f1\ldblquote\f0 modified version\f1\rdblquote\f0  of the earlier work or a work \f1\ldblquote\f0 based on\f1\rdblquote\f0  the earlier work.\par
+A \f1\ldblquote\f0 covered work\f1\rdblquote\f0  means either the unmodified Program or a work based on the Program.\par
+To \f1\ldblquote\f0 propagate\f1\rdblquote\f0  a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well.\par
+To \f1\ldblquote\f0 convey\f1\rdblquote\f0  a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying.\par
+An interactive user interface displays \f1\ldblquote\f0 Appropriate Legal Notices\f1\rdblquote\f0  to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion.\par
+\b 1. Source Code.\par
+\b0 The \f1\ldblquote\f0 source code\f1\rdblquote\f0  for a work means the preferred form of the work for making modifications to it. \f1\ldblquote\f0 Object code\f1\rdblquote\f0  means any non-source form of a work.\par
+A \f1\ldblquote\f0 Standard Interface\f1\rdblquote\f0  means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language.\par
+The \f1\ldblquote\f0 System Libraries\f1\rdblquote\f0  of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A \f1\ldblquote\f0 Major Component\f1\rdblquote\f0 , in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it.\par
+The \f1\ldblquote\f0 Corresponding Source\f1\rdblquote\f0  for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work.\par
+The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source.\par
+The Corresponding Source for a work in source code form is that same work.\par
+\b 2. Basic Permissions.\par
+\b0 All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program. The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law.\par
+You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you.\par
+Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary.\par
+\b 3. Protecting Users' Legal Rights From Anti-Circumvention Law.\par
+\b0 No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention of such measures.\par
+When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures.\par
+\b 4. Conveying Verbatim Copies.\par
+\b0 You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program.\par
+You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee.\par
+\b 5. Conveying Modified Source Versions.\par
+\b0 You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions:\par
+\pard\fi-360\li360\tx360\f1\bullet\f0\tab a) The work must carry prominent notices stating that you modified it, and giving a relevant date.\par
+\f1\bullet\f0\tab b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to \f1\ldblquote\f0 keep intact all notices\f1\rdblquote\f0 .\par
+\f1\bullet\f0\tab c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it.\par
+\pard\fi-360\li360\sa180\tx360\f1\bullet\f0\tab d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so.\par
+\pard\sa180 A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an \f1\ldblquote\f0 aggregate\f1\rdblquote\f0  if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate.\par
+\b 6. Conveying Non-Source Forms.\par
+\b0 You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways:\par
+\pard\fi-360\li360\tx360\f1\bullet\f0\tab a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange.\par
+\f1\bullet\f0\tab b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge.\par
+\f1\bullet\f0\tab c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b.\par
+\f1\bullet\f0\tab d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements.\par
+\pard\fi-360\li360\sa180\tx360\f1\bullet\f0\tab e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d.\par
+\pard\sa180 A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work.\par
+A \f1\ldblquote\f0 User Product\f1\rdblquote\f0  is either (1) a \f1\ldblquote\f0 consumer product\f1\rdblquote\f0 , which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, \f1\ldblquote\f0 normally used\f1\rdblquote\f0  refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product.\par
+\f1\ldblquote\f0 Installation Information\f1\rdblquote\f0  for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made.\par
+If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM).\par
+The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network.\par
+Corresponding Source conveyed, and Installation Information provided, in accord with this section must be in a format that is publicly documented (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying.\par
+\b 7. Additional Terms.\par
+\b0\f1\ldblquote\f0 Additional permissions\f1\rdblquote\f0  are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions.\par
+When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission.\par
+Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms:\par
+\pard\fi-360\li360\tx360\f1\bullet\f0\tab a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or\par
+\f1\bullet\f0\tab b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or\par
+\f1\bullet\f0\tab c) Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or\par
+\f1\bullet\f0\tab d) Limiting the use for publicity purposes of names of licensors or authors of the material; or\par
+\f1\bullet\f0\tab e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or\par
+\pard\fi-360\li360\sa180\tx360\f1\bullet\f0\tab f) Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors.\par
+\pard\sa180 All other non-permissive additional terms are considered \f1\ldblquote\f0 further restrictions\f1\rdblquote\f0  within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying.\par
+If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms.\par
+Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way.\par
+\b 8. Termination.\par
+\b0 You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11).\par
+However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation.\par
+Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice.\par
+Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10.\par
+\b 9. Acceptance Not Required for Having Copies.\par
+\b0 You are not required to accept this License in order to receive or run a copy of the Program. Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so.\par
+\b 10. Automatic Licensing of Downstream Recipients.\par
+\b0 Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License.\par
+An \f1\ldblquote\f0 entity transaction\f1\rdblquote\f0  is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts.\par
+You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it.\par
+\b 11. Patents.\par
+\b0 A \f1\ldblquote\f0 contributor\f1\rdblquote\f0  is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. The work thus licensed is called the contributor's \f1\ldblquote\f0 contributor version\f1\rdblquote\f0 .\par
+A contributor's \f1\ldblquote\f0 essential patent claims\f1\rdblquote\f0  are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, \f1\ldblquote\f0 control\f1\rdblquote\f0  includes the right to grant patent sublicenses in a manner consistent with the requirements of this License.\par
+Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version.\par
+In the following three paragraphs, a \f1\ldblquote\f0 patent license\f1\rdblquote\f0  is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To \f1\ldblquote\f0 grant\f1\rdblquote\f0  such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party.\par
+If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent license to downstream recipients. \f1\ldblquote\f0 Knowingly relying\f1\rdblquote\f0  means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid.\par
+If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it.\par
+A patent license is \f1\ldblquote\f0 discriminatory\f1\rdblquote\f0  if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007.\par
+Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law.\par
+\b 12. No Surrender of Others' Freedom.\par
+\b0 If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program.\par
+\b 13. Use with the GNU Affero General Public License.\par
+\b0 Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such.\par
+\b 14. Revised Versions of this License.\par
+\b0 The Free Software Foundation may publish revised and/or new versions of the GNU General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.\par
+Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU General Public License \f1\ldblquote\f0 or any later version\f1\rdblquote\f0  applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU General Public License, you may choose any version ever published by the Free Software Foundation.\par
+If the Program specifies that a proxy can decide which future versions of the GNU General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program.\par
+Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version.\par
+\b 15. Disclaimer of Warranty.\par
+\b0 THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM \f1\ldblquote\f0 AS IS\f1\rdblquote\f0  WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.\par
+\b 16. Limitation of Liability.\par
+\b0 IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.\par
+\b 17. Interpretation of Sections 15 and 16.\par
+\b0 If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee.\par
+END OF TERMS AND CONDITIONS\par
+\b\fs22 How to Apply These Terms to Your New Programs\par
+\b0\fs20 If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.\par
+To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively state the exclusion of warranty; and each file should have at least the \f1\ldblquote\f0 copyright\f1\rdblquote\f0  line and a pointer to where the full notice is found.\par
+\f2\fs18     <one line to give the program's name and a brief idea of what it does.>\line     Copyright (C) <year>  <name of author>\line\line     This program is free software: you can redistribute it and/or modify\line     it under the terms of the GNU General Public License as published by\line     the Free Software Foundation, either version 3 of the License, or\line     (at your option) any later version.\line\line     This program is distributed in the hope that it will be useful,\line     but WITHOUT ANY WARRANTY; without even the implied warranty of\line     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\line     GNU General Public License for more details.\line\line     You should have received a copy of the GNU General Public License\line     along with this program.  If not, see {\field{\*\fldinst{HYPERLINK "http://www.gnu.org/licenses/"}}{\fldrslt{\ul\cf1 http://www.gnu.org/licenses/}}}\f2\fs18 .\fs20\par
+\f0 Also add information on how to contact you by electronic and paper mail.\par
+If the program does terminal interaction, make it output a short notice like this when it starts in an interactive mode:\par
+\f2\fs18     <program>  Copyright (C) <year>  <name of author>\line     This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.\line     This is free software, and you are welcome to redistribute it\line     under certain conditions; type `show c' for details.\fs20\par
+\f0 The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, your program's commands might be different; for a GUI interface, you would use an \f1\ldblquote\f0 about box\f1\rdblquote\f0 .\par
+You should also get your employer (if you work as a programmer) or school, if any, to sign a \f1\ldblquote\f0 copyright disclaimer\f1\rdblquote\f0  for the program, if necessary. For more information on this, and how to apply and follow the GNU GPL, see {\field{\*\fldinst{HYPERLINK "http://www.gnu.org/licenses/"}}{\fldrslt{\ul\cf1 http://www.gnu.org/licenses/}}}\f0\fs20 .\par
+The GNU General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. But first, please read {\field{\*\fldinst{HYPERLINK "http://www.gnu.org/philosophy/why-not-lgpl.html"}}{\fldrslt{\ul\cf1 http://www.gnu.org/philosophy/why-not-lgpl.html}}}\f0\fs20 .\par
+}
+

wufuc_setup/wufuc_setup.aip

@@ -0,0 +1,227 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<DOCUMENT Type="Advanced Installer" CreateVersion="14.3" version="14.3" Modules="enterprise" RootPath="." Language="en" Id="{C0F6BB2D-9CA9-48FA-A0A3-1ED9F2CBB431}">
+  <COMPONENT cid="caphyon.advinst.msicomp.ProjectOptionsComponent">
+    <ROW Name="HiddenItems" Value="AutorunComponent;MultipleInstancesComponent;AppXProductDetailsComponent;AppXDependenciesComponent;AppXAppDetailsComponent;AppXVisualAssetsComponent;AppXCapabilitiesComponent;AppXAppDeclarationsComponent;AppXUriRulesComponent;MsiJavaComponent;AnalyticsComponent;ActSyncAppComponent;UserAccountsComponent;MsiClassComponent;WebApplicationsComponent;MsiOdbcDataSrcComponent;SqlConnectionComponent;SharePointSlnComponent;SilverlightSlnComponent"/>
+  </COMPONENT>
+  <COMPONENT cid="caphyon.advinst.msicomp.MsiPropsComponent">
+    <ROW Property="AI_BITMAP_DISPLAY_MODE" Value="0"/>
+    <ROW Property="AI_ThemeStyle" Value="default" MultiBuildValue="X64Build:classic#X86Build:classic" MsiKey="AI_ThemeStyle"/>
+    <ROW Property="ALLUSERS" Value="1"/>
+    <ROW Property="ARPCOMMENTS" Value="Enables Windows Update on PCs with unsupported processors." ValueLocId="*"/>
+    <ROW Property="ARPHELPLINK" Value="https://github.com/zeffy/wufuc/issues"/>
+    <ROW Property="ARPNOMODIFY" MultiBuildValue="X64Build:1#X86Build:1"/>
+    <ROW Property="ARPPRODUCTICON" Value="msiexec.exe" Type="8"/>
+    <ROW Property="ARPURLINFOABOUT" Value="https://github.com/zeffy/wufuc"/>
+    <ROW Property="ARPURLUPDATEINFO" Value="https://github.com/zeffy/wufuc/releases/latest"/>
+    <ROW Property="AiPreventAutoPin" Value="System.AppUserModel.ExcludeFromShowInNewInstall"/>
+    <ROW Property="Manufacturer" Value="zeffy"/>
+    <ROW Property="ProductCode" Value="1027:{FD01A904-C4EE-41DE-98B5-05B56C9BF124} 1028:{C5BD132C-74D9-4F29-BDA3-E53F362BB93A} 1031:{349419A7-D1E6-4F7F-805A-8BB89DB52B8F} 1033:{8AB4032C-3333-484D-837F-63254ECC61D0} 1035:{614B36A2-4EFA-4179-8B9B-C10BCDCD6EE4} 1036:{3F5C9C51-FDB6-4CC7-BD3B-397B1ADF2612} 1038:{341EB700-1ED1-4091-B3FE-328250ECD40C} 1040:{54BF6CB0-507E-4A56-AE57-C9AA7621218E} 1041:{6EA5EDBE-382E-4FE4-BA64-35C4ECD92FA5} 1042:{BDB9EA6E-AE2D-4D99-9415-1243A1B18C61} 1043:{18FEFE80-7F0A-4273-984F-A1B6DB8A4534} 1045:{A2F4A8DF-0D97-4058-A0A8-DF66ADBF011F} 1046:{4C402CCA-E316-4594-8ED3-2394F78C3F6D} 1049:{70E459BE-48F3-4EC4-8CB7-3B85D345D7D7} 1060:{04C38485-4F74-41EE-8D73-C9A319C20842} 2052:{1193C110-CAA6-4FE4-B944-6F255FE21029} 2070:{B2F1ED11-46DD-4C28-A4FE-4B4E7B76A24D} 3082:{96DB5834-B739-4E90-82B5-B7F802280000} " Type="16"/>
+    <ROW Property="ProductLanguage" Value="1033"/>
+    <ROW Property="ProductName" Value="wufuc"/>
+    <ROW Property="ProductVersion" Value="0.8.0.0" Type="32" TargetFile="wufuc64.dll"/>
+    <ROW Property="REBOOT" MultiBuildValue="X64Build:Force#X86Build:Force"/>
+    <ROW Property="SecureCustomProperties" Value="OLDPRODUCTS;AI_NEWERPRODUCTFOUND"/>
+    <ROW Property="UpgradeCode" Value="{4C52972C-251E-4D1B-AD09-EAA765719DCC}"/>
+    <ROW Property="WindowsType9X" MultiBuildValue="X64Build:Windows 9x/ME#X86Build:Windows 9x/ME" ValueLocId="-"/>
+    <ROW Property="WindowsType9XDisplay" MultiBuildValue="X64Build:Windows 9x/ME#X86Build:Windows 9x/ME" ValueLocId="-"/>
+    <ROW Property="WindowsTypeNT" MultiBuildValue="X64Build:Windows 9x/ME/NT/2000/XP/Vista/Windows 7/Windows 8 x86/Windows 8.1 x86/Windows 10 x86#X86Build:Windows XP SP3 x86, Windows Server 2003 SP2 x86, Windows Vista x86, Windows Server 2008 x86, Windows 8 x86, Windows 10 x86" ValueLocId="-"/>
+    <ROW Property="WindowsTypeNT40" MultiBuildValue="X64Build:Windows NT 4.0#X86Build:Windows NT 4.0" ValueLocId="-"/>
+    <ROW Property="WindowsTypeNT40Display" MultiBuildValue="X64Build:Windows NT 4.0#X86Build:Windows NT 4.0" ValueLocId="-"/>
+    <ROW Property="WindowsTypeNT50" MultiBuildValue="X64Build:Windows 2000#X86Build:Windows 2000" ValueLocId="-"/>
+    <ROW Property="WindowsTypeNT50Display" MultiBuildValue="X64Build:Windows 2000#X86Build:Windows 2000" ValueLocId="-"/>
+    <ROW Property="WindowsTypeNT5X" MultiBuildValue="X64Build:Windows XP/2003 RTM, Windows XP/2003 SP1, Windows XP SP2 x86#X86Build:Windows XP/2003 RTM, Windows XP/2003 SP1, Windows XP SP2 x86" ValueLocId="-"/>
+    <ROW Property="WindowsTypeNT5XDisplay" MultiBuildValue="X64Build:Windows XP/2003 RTM, Windows XP/2003 SP1, Windows XP SP2 x86#X86Build:Windows XP/2003 RTM, Windows XP/2003 SP1, Windows XP SP2 x86" ValueLocId="-"/>
+    <ROW Property="WindowsTypeNT64" MultiBuildValue="X64Build:Windows XP SP2 x64, Windows Server 2003 SP2 x64, Windows Vista x64, Windows Server 2008 x64, Windows 8 x64, Windows Server 2012 x64, Windows 10 x64, Windows Server 2016 x64#X86Build:Windows XP/Vista/Windows 7/Windows 8 x64/Windows 8.1 x64/Windows 10 x64" ValueLocId="-"/>
+    <ROW Property="WindowsTypeNT64Display" MultiBuildValue="X64Build:Windows XP SP2 x64, Windows Server 2003 SP2 x64, Windows Vista x64, Windows Server 2008 x64, Windows 8 x64, Windows Server 2012 x64, Windows 10 x64, Windows Server 2016 x64#X86Build:64-bit Windows versions" ValueLocId="-"/>
+    <ROW Property="WindowsTypeNTDisplay" MultiBuildValue="X64Build:32-bit Windows versions#X86Build:Windows XP SP3 x86, Windows Server 2003 SP2 x86, Windows Vista x86, Windows Server 2008 x86, Windows 8 x86, Windows 10 x86" ValueLocId="-"/>
+    <ROW Property="wufucDllName" Value="wufuc64.dll" MultiBuildValue="X86Build:wufuc32.dll"/>
+  </COMPONENT>
+  <COMPONENT cid="caphyon.advinst.msicomp.MsiDirsComponent">
+    <ROW Directory="APPDIR" Directory_Parent="TARGETDIR" DefaultDir="APPDIR:." IsPseudoRoot="1"/>
+    <ROW Directory="SHORTCUTDIR" Directory_Parent="TARGETDIR" DefaultDir="SHORTC~1|SHORTCUTDIR" IsPseudoRoot="1"/>
+    <ROW Directory="System64Folder" Directory_Parent="TARGETDIR" DefaultDir="SYSTEM~1|System64Folder" IsPseudoRoot="1"/>
+    <ROW Directory="SystemFolder" Directory_Parent="TARGETDIR" DefaultDir="SYSTEM~2|SystemFolder" IsPseudoRoot="1"/>
+    <ROW Directory="TARGETDIR" DefaultDir="SourceDir"/>
+  </COMPONENT>
+  <COMPONENT cid="caphyon.advinst.msicomp.MsiCompsComponent">
+    <ROW Component="CurrentVersion" ComponentId="{DBB12D6F-60DF-4FBB-AD3F-398843286B56}" Directory_="APPDIR" Attributes="4" KeyPath="CurrentVersion"/>
+    <ROW Component="GlobalFlag" ComponentId="{1BE26048-5DDD-4F0A-9112-7B6E880E82E8}" Directory_="APPDIR" Attributes="4" KeyPath="GlobalFlag"/>
+    <ROW Component="ImageFileExecutionOptions" ComponentId="{7FE0B423-B807-4450-B02C-1F6CD6C008DD}" Directory_="APPDIR" Attributes="4" KeyPath="ImageFileExecutionOptions"/>
+    <ROW Component="Microsoft" ComponentId="{685BF691-61C5-4F14-BE63-BAED91C0D26B}" Directory_="APPDIR" Attributes="4" KeyPath="Microsoft"/>
+    <ROW Component="ProductInformation" ComponentId="{B4E6A1C3-F836-4CB2-8D69-0F625143144A}" Directory_="APPDIR" Attributes="4" KeyPath="Version"/>
+    <ROW Component="SHORTCUTDIR" ComponentId="{25D9B1DD-C44A-4B99-B442-55881698C64B}" Directory_="SHORTCUTDIR" Attributes="0"/>
+    <ROW Component="VerifierDlls" ComponentId="{9F6C7248-62C9-4339-ACB7-393498AF35A3}" Directory_="APPDIR" Attributes="4" KeyPath="VerifierDlls"/>
+    <ROW Component="WindowsNT" ComponentId="{7C8BB4E4-521E-4B54-8CE9-453E0B5D1AE2}" Directory_="APPDIR" Attributes="4" KeyPath="WindowsNT"/>
+    <ROW Component="wufuc32.dll" ComponentId="{024CB7C2-90B5-417E-BD99-E54E8922A305}" Directory_="SystemFolder" Attributes="8" KeyPath="wufuc32.dll"/>
+    <ROW Component="wufuc64.dll" ComponentId="{B2F45E1F-1485-466E-930F-EA69BA935428}" Directory_="System64Folder" Attributes="264" KeyPath="wufuc64.dll"/>
+  </COMPONENT>
+  <COMPONENT cid="caphyon.advinst.msicomp.MsiFeatsComponent">
+    <ROW Feature="MainFeature" Title="MainFeature" Description="Description" Display="3" Level="1" Directory_="APPDIR" Attributes="0" Components="CurrentVersion GlobalFlag ImageFileExecutionOptions Microsoft ProductInformation SHORTCUTDIR VerifierDlls WindowsNT"/>
+    <ROW Feature="X64Feature" Feature_Parent="MainFeature" Title="X64Feature" Description="Description" Display="0" Level="1" Directory_="APPDIR" Attributes="16" Components="wufuc64.dll" Builds="X64Build"/>
+    <ROW Feature="X86Feature" Feature_Parent="MainFeature" Title="X86Feature" Description="Description" Display="0" Level="1" Directory_="APPDIR" Attributes="16" Components="wufuc32.dll" Builds="X86Build"/>
+    <ATTRIBUTE name="CurrentFeature" value="X64Feature"/>
+  </COMPONENT>
+  <COMPONENT cid="caphyon.advinst.msicomp.MsiFilesComponent">
+    <ROW File="wufuc32.dll" Component_="wufuc32.dll" FileName="wufuc32.dll" Attributes="512" SourcePath="..\wufuc\bin\Release\x86\wufuc32.dll" SelfReg="false"/>
+    <ROW File="wufuc64.dll" Component_="wufuc64.dll" FileName="wufuc64.dll" Attributes="512" SourcePath="..\wufuc\bin\Release\x64\wufuc64.dll" SelfReg="false" NextFile="wufuc32.dll"/>
+  </COMPONENT>
+  <COMPONENT cid="caphyon.advinst.custcomp.MsiShortcutPropertyComponent">
+    <ROW MsiShortcutProperty="Uninstall1" Shortcut_="Uninstall" PropertyKey="[AiPreventAutoPin]" PropVariantValue="1"/>
+  </COMPONENT>
+  <COMPONENT cid="caphyon.advinst.msicomp.BuildComponent">
+    <ROW BuildKey="X64Build" BuildName="x64" BuildOrder="1" BuildType="1" PackageFileName="wufuc_setup_x64" Languages="en;zh;zh_TW;nl;fi;fr;de;hu;it;ja;ko;pl;pt;pt_BR;ru;sl;ca;es" LangOpt="1" InstallationType="4" UseLargeSchema="true" Unicode="true" MsiPackageType="x64"/>
+    <ROW BuildKey="X86Build" BuildName="x86" BuildOrder="2" BuildType="1" PackageFileName="wufuc_setup_x86" Languages="en;zh;zh_TW;nl;fi;fr;de;hu;it;ja;ko;pl;pt;pt_BR;ru;sl;ca;es" LangOpt="1" InstallationType="4" UseLargeSchema="true" Unicode="true"/>
+  </COMPONENT>
+  <COMPONENT cid="caphyon.advinst.msicomp.DictionaryComponent">
+    <ROW Path="&lt;AI_DICTS&gt;ui.ail"/>
+    <ROW Path="&lt;AI_DICTS&gt;ui_en.ail"/>
+    <ROW Path="&lt;AI_DICTS&gt;ui_zh.ail"/>
+    <ROW Path="&lt;AI_DICTS&gt;ui_zh_TW.ail"/>
+    <ROW Path="&lt;AI_DICTS&gt;ui_nl.ail"/>
+    <ROW Path="&lt;AI_DICTS&gt;ui_fi.ail"/>
+    <ROW Path="&lt;AI_DICTS&gt;ui_fr.ail"/>
+    <ROW Path="&lt;AI_DICTS&gt;ui_de.ail"/>
+    <ROW Path="&lt;AI_DICTS&gt;ui_hu.ail"/>
+    <ROW Path="&lt;AI_DICTS&gt;ui_it.ail"/>
+    <ROW Path="&lt;AI_DICTS&gt;ui_ja.ail"/>
+    <ROW Path="&lt;AI_DICTS&gt;ui_ko.ail"/>
+    <ROW Path="&lt;AI_DICTS&gt;ui_pl.ail"/>
+    <ROW Path="&lt;AI_DICTS&gt;ui_pt.ail"/>
+    <ROW Path="&lt;AI_DICTS&gt;ui_pt_BR.ail"/>
+    <ROW Path="&lt;AI_DICTS&gt;ui_ru.ail"/>
+    <ROW Path="&lt;AI_DICTS&gt;ui_sl.ail"/>
+    <ROW Path="&lt;AI_DICTS&gt;ui_ca.ail"/>
+    <ROW Path="&lt;AI_DICTS&gt;ui_es.ail"/>
+  </COMPONENT>
+  <COMPONENT cid="caphyon.advinst.msicomp.FragmentComponent">
+    <ROW Fragment="CommonUI.aip" Path="&lt;AI_FRAGS&gt;CommonUI.aip"/>
+    <ROW Fragment="MaintenanceTypeDlg.aip" Path="&lt;AI_THEMES&gt;classic\fragments\MaintenanceTypeDlg.aip"/>
+    <ROW Fragment="MaintenanceWelcomeDlg.aip" Path="&lt;AI_THEMES&gt;classic\fragments\MaintenanceWelcomeDlg.aip"/>
+    <ROW Fragment="SequenceDialogs.aip" Path="&lt;AI_THEMES&gt;classic\fragments\SequenceDialogs.aip"/>
+    <ROW Fragment="Sequences.aip" Path="&lt;AI_FRAGS&gt;Sequences.aip"/>
+    <ROW Fragment="StaticUIStrings.aip" Path="&lt;AI_FRAGS&gt;StaticUIStrings.aip"/>
+    <ROW Fragment="UI.aip" Path="&lt;AI_THEMES&gt;classic\fragments\UI.aip"/>
+    <ROW Fragment="Validation.aip" Path="&lt;AI_FRAGS&gt;Validation.aip"/>
+    <ROW Fragment="VerifyRemoveDlg.aip" Path="&lt;AI_THEMES&gt;classic\fragments\VerifyRemoveDlg.aip"/>
+    <ROW Fragment="VerifyRepairDlg.aip" Path="&lt;AI_THEMES&gt;classic\fragments\VerifyRepairDlg.aip"/>
+    <ROW Fragment="WelcomeDlg.aip" Path="&lt;AI_THEMES&gt;classic\fragments\WelcomeDlg.aip"/>
+  </COMPONENT>
+  <COMPONENT cid="caphyon.advinst.msicomp.MsiBinaryComponent">
+    <ROW Name="ShortcutFlags.dll" SourcePath="&lt;AI_CUSTACTS&gt;ShortcutFlags.dll"/>
+    <ROW Name="aicustact.dll" SourcePath="&lt;AI_CUSTACTS&gt;aicustact.dll"/>
+    <ROW Name="viewer.exe" SourcePath="&lt;AI_CUSTACTS&gt;viewer.exe"/>
+    <ROW Name="viewer.exe_1" SourcePath="&lt;AI_CUSTACTS64&gt;viewer.exe"/>
+  </COMPONENT>
+  <COMPONENT cid="caphyon.advinst.msicomp.MsiControlEventComponent">
+    <ROW Dialog_="WelcomeDlg" Control_="Next" Event="NewDialog" Argument="VerifyReadyDlg" Condition="AI_INSTALL" Ordering="1"/>
+    <ROW Dialog_="MaintenanceWelcomeDlg" Control_="Next" Event="NewDialog" Argument="MaintenanceTypeDlg" Condition="AI_MAINT" Ordering="99"/>
+    <ROW Dialog_="VerifyReadyDlg" Control_="Install" Event="EndDialog" Argument="Return" Condition="AI_MAINT" Ordering="198"/>
+    <ROW Dialog_="VerifyReadyDlg" Control_="Back" Event="NewDialog" Argument="CustomizeDlg" Condition="AI_MAINT" Ordering="202"/>
+    <ROW Dialog_="VerifyReadyDlg" Control_="Install" Event="EndDialog" Argument="Return" Condition="AI_INSTALL" Ordering="197"/>
+    <ROW Dialog_="VerifyReadyDlg" Control_="Back" Event="NewDialog" Argument="WelcomeDlg" Condition="AI_INSTALL" Ordering="201"/>
+    <ROW Dialog_="CustomizeDlg" Control_="Next" Event="NewDialog" Argument="VerifyReadyDlg" Condition="AI_MAINT" Ordering="101"/>
+    <ROW Dialog_="CustomizeDlg" Control_="Back" Event="NewDialog" Argument="MaintenanceTypeDlg" Condition="AI_MAINT" Ordering="1"/>
+    <ROW Dialog_="MaintenanceTypeDlg" Control_="ChangeButton" Event="NewDialog" Argument="CustomizeDlg" Condition="AI_MAINT" Ordering="501"/>
+    <ROW Dialog_="MaintenanceTypeDlg" Control_="Back" Event="NewDialog" Argument="MaintenanceWelcomeDlg" Condition="AI_MAINT" Ordering="1"/>
+    <ROW Dialog_="MaintenanceTypeDlg" Control_="RemoveButton" Event="NewDialog" Argument="VerifyRemoveDlg" Condition="AI_MAINT AND InstallMode=&quot;Remove&quot;" Ordering="601"/>
+    <ROW Dialog_="VerifyRemoveDlg" Control_="Back" Event="NewDialog" Argument="MaintenanceTypeDlg" Condition="AI_MAINT AND InstallMode=&quot;Remove&quot;" Ordering="1"/>
+    <ROW Dialog_="MaintenanceTypeDlg" Control_="RepairButton" Event="NewDialog" Argument="VerifyRepairDlg" Condition="AI_MAINT AND InstallMode=&quot;Repair&quot;" Ordering="601"/>
+    <ROW Dialog_="VerifyRepairDlg" Control_="Back" Event="NewDialog" Argument="MaintenanceTypeDlg" Condition="AI_MAINT AND InstallMode=&quot;Repair&quot;" Ordering="1"/>
+    <ROW Dialog_="VerifyRepairDlg" Control_="Repair" Event="EndDialog" Argument="Return" Condition="AI_MAINT AND InstallMode=&quot;Repair&quot;" Ordering="399" Options="1"/>
+    <ROW Dialog_="VerifyRemoveDlg" Control_="Remove" Event="EndDialog" Argument="Return" Condition="AI_MAINT AND InstallMode=&quot;Remove&quot;" Ordering="299" Options="1"/>
+    <ROW Dialog_="PatchWelcomeDlg" Control_="Next" Event="NewDialog" Argument="VerifyReadyDlg" Condition="AI_PATCH" Ordering="201"/>
+    <ROW Dialog_="ResumeDlg" Control_="Install" Event="EndDialog" Argument="Return" Condition="AI_RESUME" Ordering="299"/>
+    <ROW Dialog_="VerifyReadyDlg" Control_="Install" Event="EndDialog" Argument="Return" Condition="AI_PATCH" Ordering="199"/>
+    <ROW Dialog_="VerifyReadyDlg" Control_="Back" Event="NewDialog" Argument="PatchWelcomeDlg" Condition="AI_PATCH" Ordering="203"/>
+  </COMPONENT>
+  <COMPONENT cid="caphyon.advinst.msicomp.MsiCreateFolderComponent">
+    <ROW Directory_="SHORTCUTDIR" Component_="SHORTCUTDIR" ManualDelete="false"/>
+  </COMPONENT>
+  <COMPONENT cid="caphyon.advinst.msicomp.MsiCustActComponent">
+    <ROW Action="AI_ApplyShortcutFlags" Type="3073" Source="ShortcutFlags.dll" Target="UpdateShortcutFlags" WithoutSeq="true"/>
+    <ROW Action="AI_DOWNGRADE" Type="19" Target="4010"/>
+    <ROW Action="AI_DpiContentScale" Type="1" Source="aicustact.dll" Target="DpiContentScale"/>
+    <ROW Action="AI_EnableDebugLog" Type="321" Source="aicustact.dll" Target="EnableDebugLog"/>
+    <ROW Action="AI_InstallModeCheck" Type="1" Source="aicustact.dll" Target="UpdateInstallMode" WithoutSeq="true"/>
+    <ROW Action="AI_PREPARE_UPGRADE" Type="65" Source="aicustact.dll" Target="PrepareUpgrade"/>
+    <ROW Action="AI_PinShortcuts" Type="1" Source="ShortcutFlags.dll" Target="PinShortcuts"/>
+    <ROW Action="AI_PinToStartScreen" Type="1025" Source="ShortcutFlags.dll" Target="PinToStartScreen" WithoutSeq="true"/>
+    <ROW Action="AI_PinToTaskbar" Type="1025" Source="ShortcutFlags.dll" Target="PinToTaskbar" WithoutSeq="true"/>
+    <ROW Action="AI_PrepareShortcutFlags" Type="1" Source="ShortcutFlags.dll" Target="PrepareActionData"/>
+    <ROW Action="AI_RESTORE_LOCATION" Type="65" Source="aicustact.dll" Target="RestoreLocation"/>
+    <ROW Action="AI_ResolveKnownFolders" Type="1" Source="aicustact.dll" Target="AI_ResolveKnownFolders"/>
+    <ROW Action="AI_SHOW_LOG" Type="65" Source="aicustact.dll" Target="LaunchLogFile" WithoutSeq="true"/>
+    <ROW Action="AI_STORE_LOCATION" Type="51" Source="ARPINSTALLLOCATION" Target="[APPDIR]"/>
+    <ROW Action="AI_SelectAutoPinOption" Type="51" Source="AiPreventAutoPin" Target="System.AppUserModel.StartPinOption"/>
+    <ROW Action="AI_UnpinFromStartScreen" Type="1025" Source="ShortcutFlags.dll" Target="UnpinFromStartScreen" WithoutSeq="true"/>
+    <ROW Action="AI_UnpinFromTaskbar" Type="1025" Source="ShortcutFlags.dll" Target="UnpinFromTaskbar" WithoutSeq="true"/>
+    <ROW Action="AI_UnpinShortcuts" Type="1" Source="ShortcutFlags.dll" Target="UnpinShortcuts"/>
+    <ROW Action="LaunchSfcScan32" Type="3138" Source="viewer.exe" Target="/RunAsAdmin /HideWindow &quot;[SystemFolder]sfc.exe&quot; /SCANFILE=&quot;[SystemFolder]wuaueng.dll&quot;" Options="1"/>
+    <ROW Action="LaunchSfcScan64" Type="3138" Source="viewer.exe_1" Target="/RunAsAdmin /HideWindow &quot;[System64Folder]sfc.exe&quot; /SCANFILE=&quot;[System64Folder]wuaueng.dll&quot;" Options="1"/>
+    <ROW Action="SET_APPDIR" Type="307" Source="APPDIR" Target="[ProgramFilesFolder][Manufacturer]\[ProductName]" MultiBuildTarget="X64Build:[ProgramFiles64Folder]\[ProductName]#X86Build:[ProgramFilesFolder]\[ProductName]"/>
+    <ROW Action="SET_SHORTCUTDIR" Type="307" Source="SHORTCUTDIR" Target="[ProgramMenuFolder][ProductName]"/>
+    <ROW Action="SET_TARGETDIR_TO_APPDIR" Type="51" Source="TARGETDIR" Target="[APPDIR]"/>
+  </COMPONENT>
+  <COMPONENT cid="caphyon.advinst.msicomp.MsiIconsComponent">
+    <ROW Name="SystemFoldermsiexec.exe" SourcePath="&lt;AI_RES&gt;uninstall.ico" Index="0"/>
+    <ROW Name="msiexec.exe" SourcePath="..\..\..\..\..\..\Windows\System32\msiexec.exe" Index="0"/>
+  </COMPONENT>
+  <COMPONENT cid="caphyon.advinst.msicomp.MsiIniFileComponent">
+    <ROW IniFile="URL" FileName="Homepage.url" DirProperty="SHORTCUTDIR" Section="InternetShortcut" Key="URL" Value="https://github.com/zeffy/wufuc" Action="0" Component_="GlobalFlag"/>
+    <ROW IniFile="URL_1" FileName="Donate.url" DirProperty="SHORTCUTDIR" Section="InternetShortcut" Key="URL" Value="https://github.com/zeffy/wufuc/blob/master/DONATIONS.md" Action="0" Component_="GlobalFlag"/>
+    <ROW IniFile="URL_2" FileName="Readme.url" DirProperty="SHORTCUTDIR" Section="InternetShortcut" Key="URL" Value="https://github.com/zeffy/wufuc/blob/master/README.md" Action="0" Component_="GlobalFlag"/>
+    <ROW IniFile="WorkingDirectory" FileName="Homepage.url" DirProperty="SHORTCUTDIR" Section="InternetShortcut" Key="WorkingDirectory" Value="[SHORTCUTDIR]" Action="0" Component_="GlobalFlag"/>
+    <ROW IniFile="WorkingDirectory_1" FileName="Donate.url" DirProperty="SHORTCUTDIR" Section="InternetShortcut" Key="WorkingDirectory" Value="[SHORTCUTDIR]" Action="0" Component_="GlobalFlag"/>
+    <ROW IniFile="WorkingDirectory_2" FileName="Readme.url" DirProperty="SHORTCUTDIR" Section="InternetShortcut" Key="WorkingDirectory" Value="[SHORTCUTDIR]" Action="0" Component_="GlobalFlag"/>
+  </COMPONENT>
+  <COMPONENT cid="caphyon.advinst.msicomp.MsiInstExSeqComponent">
+    <ROW Action="AI_DOWNGRADE" Condition="AI_NEWERPRODUCTFOUND AND (UILevel &lt;&gt; 5)" Sequence="210"/>
+    <ROW Action="AI_RESTORE_LOCATION" Condition="APPDIR=&quot;&quot;" Sequence="749"/>
+    <ROW Action="AI_STORE_LOCATION" Condition="(Not Installed) OR REINSTALL" Sequence="1501"/>
+    <ROW Action="AI_PREPARE_UPGRADE" Condition="AI_UPGRADE=&quot;No&quot; AND (Not Installed)" Sequence="1399"/>
+    <ROW Action="AI_ResolveKnownFolders" Sequence="52"/>
+    <ROW Action="AI_EnableDebugLog" Sequence="51"/>
+    <ROW Action="AI_SelectAutoPinOption" Condition="VersionNT &gt; 601" Sequence="1401"/>
+    <ROW Action="AI_PrepareShortcutFlags" Condition="(VersionNT &gt; 501) AND ((NOT Installed) OR (Installed AND (REMOVE&lt;&gt;&quot;ALL&quot;) AND (AI_INSTALL_MODE&lt;&gt;&quot;Remove&quot;)))" Sequence="4501"/>
+    <ROW Action="AI_PinShortcuts" Condition="(VersionNT &gt; 600) AND ((NOT Installed) OR (Installed AND (REMOVE&lt;&gt;&quot;ALL&quot;) AND (AI_INSTALL_MODE&lt;&gt;&quot;Remove&quot;)))" Sequence="6499"/>
+    <ROW Action="AI_UnpinShortcuts" Condition="(VersionNT &gt; 600) AND (REMOVE = &quot;ALL&quot;)" Sequence="3199"/>
+    <ROW Action="LaunchSfcScan64" Condition="( NOT Installed ) AND ( (VersionNT64) AND (Not Installed) )" Sequence="1601"/>
+    <ROW Action="LaunchSfcScan32" Condition="( NOT Installed ) AND ( (NOT VersionNT64) AND (Not Installed) )" Sequence="1602"/>
+  </COMPONENT>
+  <COMPONENT cid="caphyon.advinst.msicomp.MsiInstallUISequenceComponent">
+    <ROW Action="AI_RESTORE_LOCATION" Condition="APPDIR=&quot;&quot;" Sequence="749"/>
+    <ROW Action="AI_ResolveKnownFolders" Sequence="53"/>
+    <ROW Action="AI_DpiContentScale" Sequence="52"/>
+    <ROW Action="AI_EnableDebugLog" Sequence="51"/>
+  </COMPONENT>
+  <COMPONENT cid="caphyon.advinst.msicomp.MsiLaunchConditionsComponent">
+    <ROW Condition="( Version9X OR ( NOT VersionNT64 ) OR ( VersionNT64 AND ((VersionNT64 &lt;&gt; 502) OR (ServicePackLevel &lt;&gt; 2) OR (MsiNTProductType &lt;&gt; 1)) AND ((VersionNT64 &lt;&gt; 502) OR (ServicePackLevel &lt;&gt; 2) OR (MsiNTProductType = 1)) AND ((VersionNT64 &lt;&gt; 600) OR (MsiNTProductType &lt;&gt; 1)) AND ((VersionNT64 &lt;&gt; 600) OR (MsiNTProductType = 1)) AND ((VersionNT64 &lt;&gt; 602) OR (MsiNTProductType &lt;&gt; 1)) AND ((VersionNT64 &lt;&gt; 602) OR (MsiNTProductType = 1)) AND ((VersionNT64 &lt;&gt; 1000) OR (MsiNTProductType &lt;&gt; 1)) AND ((VersionNT64 &lt;&gt; 1000) OR (ServicePackLevel &lt;&gt; 0) OR (MsiNTProductType = 1)) ) )" Description="[ProductName] cannot be installed on the following Windows versions: [WindowsTypeNT64Display]." DescriptionLocId="AI.LaunchCondition.NoSpecificNT64" IsPredefined="true" Builds="X64Build"/>
+    <ROW Condition="( Version9X OR (VersionNT AND (NOT VersionNT64)) )" Description="[ProductName] cannot be installed on [WindowsTypeNT64Display]." DescriptionLocId="AI.LaunchCondition.NoNT64" IsPredefined="true" Builds="X86Build"/>
+    <ROW Condition="( Version9X OR VersionNT64 )" Description="[ProductName] cannot be installed on [WindowsTypeNTDisplay]." DescriptionLocId="AI.LaunchCondition.NoNT" IsPredefined="true" Builds="X64Build"/>
+    <ROW Condition="( Version9X OR VersionNT64 OR ( VersionNT AND ((VersionNT &lt;&gt; 501) OR (ServicePackLevel &lt;&gt; 3)) AND ((VersionNT &lt;&gt; 502) OR (ServicePackLevel &lt;&gt; 2)) AND ((VersionNT &lt;&gt; 600) OR (MsiNTProductType &lt;&gt; 1)) AND ((VersionNT &lt;&gt; 600) OR (MsiNTProductType = 1)) AND (VersionNT &lt;&gt; 602) AND (VersionNT &lt;&gt; 1000) ) )" Description="[ProductName] cannot be installed on the following Windows versions: [WindowsTypeNTDisplay]." DescriptionLocId="AI.LaunchCondition.NoSpecificNT" IsPredefined="true" Builds="X86Build"/>
+    <ROW Condition="(VersionNT &lt;&gt; 400)" Description="[ProductName] cannot be installed on [WindowsTypeNT40Display]." DescriptionLocId="AI.LaunchCondition.NoNT40" IsPredefined="true" Builds="X64Build;X86Build"/>
+    <ROW Condition="(VersionNT &lt;&gt; 500)" Description="[ProductName] cannot be installed on [WindowsTypeNT50Display]." DescriptionLocId="AI.LaunchCondition.NoNT50" IsPredefined="true" Builds="X64Build;X86Build"/>
+    <ROW Condition="(VersionNT64 OR ((VersionNT &lt;&gt; 501) OR (ServicePackLevel = 3))) AND ((VersionNT &lt;&gt; 502) OR (ServicePackLevel = 2))" Description="[ProductName] cannot be installed on [WindowsTypeNT5XDisplay]." DescriptionLocId="AI.LaunchCondition.NoNT5X" IsPredefined="true" Builds="X64Build;X86Build"/>
+    <ROW Condition="VersionNT" Description="[ProductName] cannot be installed on [WindowsType9XDisplay]." DescriptionLocId="AI.LaunchCondition.No9X" IsPredefined="true" Builds="X64Build;X86Build"/>
+  </COMPONENT>
+  <COMPONENT cid="caphyon.advinst.msicomp.MsiRegsComponent">
+    <ROW Registry="CurrentVersion" Root="2" Key="Software\Microsoft\Windows NT\CurrentVersion" Name="+" Component_="CurrentVersion"/>
+    <ROW Registry="GlobalFlag" Root="2" Key="Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe" Name="GlobalFlag" Value="#256" Component_="GlobalFlag"/>
+    <ROW Registry="ImageFileExecutionOptions" Root="2" Key="Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" Name="+" Component_="ImageFileExecutionOptions"/>
+    <ROW Registry="Microsoft" Root="2" Key="Software\Microsoft" Name="+" Component_="Microsoft"/>
+    <ROW Registry="Path" Root="-1" Key="Software\[Manufacturer]\[ProductName]" Name="Path" Value="[APPDIR]" Component_="ProductInformation"/>
+    <ROW Registry="VerifierDlls" Root="2" Key="Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe" Name="VerifierDlls" Value="[wufucDllName]" Component_="VerifierDlls"/>
+    <ROW Registry="Version" Root="-1" Key="Software\[Manufacturer]\[ProductName]" Name="Version" Value="[ProductVersion]" Component_="ProductInformation"/>
+    <ROW Registry="WindowsNT" Root="2" Key="Software\Microsoft\Windows NT" Name="+" Component_="WindowsNT"/>
+  </COMPONENT>
+  <COMPONENT cid="caphyon.advinst.msicomp.MsiShortsComponent">
+    <ROW Shortcut="Uninstall" Directory_="SHORTCUTDIR" Name="UNINST~1|Uninstall" Component_="wufuc64.dll" Target="[SystemFolder]msiexec.exe" Arguments="/x [ProductCode]" Hotkey="0" Icon_="SystemFoldermsiexec.exe" IconIndex="0" ShowCmd="1" CustomFlags="1"/>
+  </COMPONENT>
+  <COMPONENT cid="caphyon.advinst.msicomp.MsiThemeComponent">
+    <ATTRIBUTE name="UsedTheme" value="classic"/>
+  </COMPONENT>
+  <COMPONENT cid="caphyon.advinst.msicomp.MsiUpgradeComponent">
+    <ROW UpgradeCode="[|UpgradeCode]" VersionMin="0.0.1" VersionMax="[|ProductVersion]" Attributes="257" ActionProperty="OLDPRODUCTS"/>
+    <ROW UpgradeCode="[|UpgradeCode]" VersionMin="[|ProductVersion]" Attributes="2" ActionProperty="AI_NEWERPRODUCTFOUND"/>
+  </COMPONENT>
+</DOCUMENT>

wufuc_setup/wufuc_setup.aiproj

@@ -0,0 +1,26 @@
+<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup>
+    <Configuration Condition=" '$(Configuration)' == '' ">All</Configuration>
+    <SchemaVersion>2.0</SchemaVersion>
+    <ProjectGuid>8f75fc4a-22ff-4cda-8a09-3bc547e7c29b</ProjectGuid>
+    <OutputType>msi</OutputType>
+    <ProjectHome>.</ProjectHome>
+    <StartupFile>wufuc_setup.aip</StartupFile>
+    <SearchPath>
+    </SearchPath>
+    <WorkingDirectory>.</WorkingDirectory>
+    <IsWindowsApplication>True</IsWindowsApplication>
+    <AssemblyName>wufuc_setup</AssemblyName>
+    <Name>wufuc_setup</Name>
+    <RootNamespace>wufuc_setup</RootNamespace>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)' == 'x64' " />
+  <PropertyGroup Condition=" '$(Configuration)' == 'x86' " />
+  <PropertyGroup Condition=" '$(Configuration)' == 'All' " />
+  <ItemGroup>
+    <Compile Include="wufuc_setup.aip">
+      <SubType>Code</SubType>
+    </Compile>
+  </ItemGroup>
+  <Import Project="$(MSBuildExtensionsPath32)\Caphyon\Advanced Installer\AdvInstExtTasks.Targets" />
+</Project>