d4d9f3a6938568af46c19c569462d950e3601efc
[reactos.git] / reactos / drivers / filesystems / reiserfs / inc / gplntifs.h
1 /*
2 This is a free version of the file ntifs.h, release 58.
3 The purpose of this include file is to build file system and
4 file system filter drivers for Windows.
5 Copyright (C) 1999-2015 Bo Brantén.
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17
18 The GNU General Public License is also available from:
19 http://www.gnu.org/copyleft/gpl.html
20
21 Windows and Windows NT are either registered trademarks or trademarks of
22 Microsoft Corporation in the United States and/or other countries.
23
24 DISCLAIMER: I do not encourage anyone to use this include file to build
25 drivers used in production. Some of the information in this file may not
26 be available in other publications intended for similar use. Some of the
27 information in this file may have different names than in other
28 publications even though they describe the same thing.
29
30 NOTE: This file should be used with the Microsoft® Windows® Driver
31 Development Kit (DDK) while the file wdkundoc.h is a subset of this
32 file that should be used with the Microsoft Windows Driver Kit (WDK).
33
34 Please send comments, corrections and contributions to bosse@acc.umu.se.
35
36 The most recent version of this file is available from:
37 http://www.acc.umu.se/~bosse/ntifs.h
38
39 The most recent version of the file wdkundoc.h is available from:
40 http://www.acc.umu.se/~bosse/wdkundoc.h
41
42 Thanks to:
43 Andrey Shedel, Luigi Mori, Louis Joubert, Itai Shaham, David Welch,
44 Emanuele Aliberti, Anton Altaparmakov, Dan Partelly, Mamaich, Yossi
45 Yaffe, Gunnar André Dalsnes, Vadim V Vorobev, Ashot Oganesyan K,
46 Oleg Nikityenko, Matt Wu, Tomas Olsson, Raaf, Anthony Choi, Alexey
47 Logachyov, Marc-Antoine Ruel, Vyacheslav I. Levtchenko, Yuri Polyakov,
48 Bruno Milot, Alex Vlasov, Dan Fulger, Petr Semerad, Sobame La Garompa,
49 Jérôme Hodé and Darja Isaksson.
50
51 Revision history:
52
53 58. 2015-06-11
54 Added:
55 Externals:
56 PsInitialSystemProcess
57 HalPrivateDispatchTable
58 KeLoaderBlock
59 KeI386MachineType
60 KiBugCheckData
61 InitSafeBootMode
62 KiEnableTimerWatchdog
63 KdComPortInUse
64 KdEnteredDebugger
65 MmBadPointer
66 NlsLeadByteInfo
67 NlsOemLeadByteInfo
68 NlsMbCodePageTag
69 NlsMbOemCodePageTag
70 NlsAnsiCodePage
71 NlsOemCodePage
72 IoStatisticsLock
73 IoReadOperationCount
74 IoWriteOperationCount
75 IoReadTransferCount
76 IoWriteTransferCount
77 KeDcacheFlushCount
78 KeIcacheFlushCount
79 CcFastMdlReadWait
80 CcFastReadNotPossible
81 CcFastReadWait
82 IoAdapterObjectType
83 IoDeviceObjectType
84 MmSectionObjectType
85 PsProcessType
86 PsThreadType
87 ExDesktopObjectType
88 ExWindowStationObjectType
89 IoDeviceHandlerObjectType
90 LpcPortObjectType
91 PsJobType
92 SeTokenObjectType
93 TmEnlistmentObjectType
94 TmResourceManagerObjectType
95 TmTransactionManagerObjectType
96 TmTransactionObjectType
97 CmKeyObjectType
98 IoDeviceHandlerObjectSize
99 POGOBuffer
100 psMUITest
101 PsUILanguageComitted
102
103 57. 2015-03-23
104 Corrected:
105 ObGetObjectPointerCount
106 Added:
107 Function prototypes:
108 FsRtlTeardownPerFileContexts
109 FsRtlTeardownPerStreamContexts
110
111 56. 2008-07-31
112 Corrected:
113 FSCTL_SET_SPARSE
114 FSRTL_COMMON_FCB_HEADER
115 Added:
116 Defines:
117 FSRTL_XXX
118 IO_REPARSE_TAG_XXX
119 Data types:
120 FSRTL_ADVANCED_FCB_HEADER
121 Function prototypes:
122 FsRtlSetupAdvancedHeader
123
124 55. 2006-05-15
125 Corrected:
126 TOKEN_OBJECT
127 Added:
128 Data types:
129 SEP_AUDIT_POLICY_VISTA
130 SID_AND_ATTRIBUTES_HASH
131
132 54. 2006-05-14
133 Corrected:
134 EXTENDED_IO_STACK_LOCATION
135
136 53. 2005-11-06
137 Added:
138 Function prototypes:
139 RtlRandom
140 RtlRandomEx
141 RtlSecondsSince1980ToTime
142 RtlTimeToSecondsSince1980
143
144 52. 2005-11-05
145 Corrected:
146 OBJECT_NAME
147 TOKEN_OBJECT
148
149 51. 2005-10-16
150 Corrected:
151 ETHREAD
152 GDI_TEB_BATCH
153 MMADDRESS_NODE
154 TEB
155
156 50. 2005-10-15
157 Added:
158 Data types:
159 READ_LIST
160 Function prototypes:
161 IoAttachDeviceToDeviceStackSafe
162 IoCheckQuerySetFileInformation
163 IoCheckQuerySetVolumeInformation
164 IoCreateFileSpecifyDeviceObjectHint
165 IoCreateStreamFileObjectEx
166 IoEnumerateDeviceObjectList
167 IoGetDeviceAttachmentBaseRef
168 IoGetDiskDeviceObject
169 IoGetLowerDeviceObject
170 IoIsFileOriginRemote
171 IoQueryFileDosDeviceName
172 IoQueueThreadIrp
173 IoSetFileOrigin
174 KeAcquireQueuedSpinLock
175 KeInitializeMutant
176 KeReadStateMutant
177 KeReleaseMutant
178 KeReleaseQueuedSpinLock
179 KeSetIdealProcessorThread
180 KeSetKernelStackSwapEnable
181 KeTryToAcquireQueuedSpinLock
182 MmPrefetchPages
183 ObDereferenceSecurityDescriptor
184 ObLogSecurityDescriptor
185 ObReferenceSecurityDescriptor
186 PoQueueShutdownWorkItem
187 RtlxUnicodeStringToAnsiSize
188 SeAuditHardLinkCreation
189 SeAuditingHardLinkEvents
190 SeFilterToken
191
192 49. 2005-10-09
193 Corrected:
194 EPROCESS
195 KTHREAD
196 MMSUPPORT_FLAGS
197 MMSUPPORT
198 OBJECT_HEADER
199 OBJECT_TYPE_INITIALIZER
200 OBJECT_TYPE
201 TEB
202 KeInsertQueueApc
203 Added:
204 Defines:
205 OB_FLAG_XXX
206 OB_SECURITY_CHARGE
207 Data types:
208 ACTIVATION_CONTEXT_STACK
209 GDI_TEB_BATCH
210 HANDLE_INFO
211 KGUARDED_MUTEX
212 MMADDRESS_NODE
213 MM_AVL_TABLE
214 OBJECT_CREATE_INFORMATION
215 OBJECT_CREATOR_INFO
216 OBJECT_DIRECTORY
217 OBJECT_DIRECTORY_ITEM
218 OBJECT_HANDLE_DB
219 OBJECT_HANDLE_DB_LIST
220 OBJECT_HEADER_FLAGS
221 OBJECT_NAME
222 OBJECT_QUOTA_CHARGES
223 OBJECT_QUOTA_INFO
224 QUOTA_BLOCK
225 RTL_ACTIVATION_CONTEXT_STACK_FRAME
226 TEB_ACTIVE_FRAME
227 TEB_ACTIVE_FRAME_CONTEXT
228 Wx86ThreadState
229 Function prototypes:
230 FsRtlAcquireFileExclusive
231 FsRtlBalanceReads
232 FsRtlDissectDbcs
233 FsRtlDoesDbcsContainWildCards
234 FsRtlIsDbcsInExpression
235 FsRtlIsFatDbcsLegal
236 FsRtlIsHpfsDbcsLegal
237 FsRtlIsPagingFile
238 FsRtlIsTotalDeviceFailure
239 FsRtlMdlReadDev
240 FsRtlPostPagingFileStackOverflow
241 FsRtlPostStackOverflow
242 FsRtlPrepareMdlWriteDev
243 FsRtlReleaseFile
244
245 48. 2005-04-16
246 Added:
247 Data types:
248 THREAD_BASIC_INFORMATION
249 Function prototypes:
250 ZwQueryInformationThread
251
252 47. 2005-03-08
253 Corrected:
254 SYSTEM_PROCESSES_INFORMATION
255 TOKEN_OBJECT
256 KeInsertQueueApc
257
258 46. 2004-06-08
259 Added:
260 Data types:
261 TOKEN_OBJECT
262
263 45. 2004-06-06
264 Corrected:
265 SERVICE_DESCRIPTOR_TABLE
266 Added:
267 Defines:
268 TOKEN_SESSION_NOT_REFERENCED
269 TOKEN_SANDBOX_INERT
270 TOKEN_HAS_IMPERSONATE_PRIVILEGE
271 Function prototypes:
272 FsRtlDissectName
273 RtlOemStringToCountedUnicodeSize
274 RtlOemStringToUnicodeSize
275 RtlOemStringToUnicodeString
276 RtlUnicodeStringToOemSize
277 RtlUnicodeStringToOemString
278 RtlxOemStringToUnicodeSize
279 RtlxUnicodeStringToOemSize
280
281 44. 2003-05-06
282 Added:
283 Function prototypes:
284 InbvAcquireDisplayOwnership
285 InbvCheckDisplayOwnership
286 InbvDisplayString
287 InbvEnableBootDriver
288 InbvEnableDisplayString
289 InbvInstallDisplayStringFilter
290 InbvIsBootDriverInstalled
291 InbvNotifyDisplayOwnershipLost
292 InbvResetDisplay
293 InbvSetScrollRegion
294 InbvSetTextColor
295 InbvSolidColorFill
296
297 43. 2003-04-07
298 Added:
299 Data types:
300 MCB
301 Function prototypes:
302 FsRtlAddMcbEntry
303 FsRtlInitializeMcb
304 FsRtlLookupLastMcbEntry
305 FsRtlLookupMcbEntry
306 FsRtlNotifyFilterChangeDirectory
307 FsRtlNotifyFilterReportChange
308 FsRtlNumberOfRunsInMcb
309 FsRtlRemoveMcbEntry
310 FsRtlTruncateMcb
311 FsRtlUninitializeMcb
312
313 42. 2003-03-30
314 Corrected:
315 SYSTEM_CACHE_INFORMATION
316 SYSTEM_INFORMATION_CLASS
317 Added:
318 Data types:
319 SYSTEM_XXX_INFORMATION
320 THREAD_STATE
321
322 41. 2003-01-03
323 Corrected:
324 CcMapData
325 PsDereferenceImpersonationToken
326 PsDereferencePrimaryToken
327 PsGetProcessExitTime
328 PsReferencePrimaryToken
329 Added:
330 Defines:
331 MAP_XXX
332 Function prototypes:
333 CcMdlWriteAbort
334 PsAssignImpersonationToken
335 PsChargeProcessNonPagedPoolQuota
336 PsChargeProcessPagedPoolQuota
337 PsChargeProcessPoolQuota
338 PsDisableImpersonation
339 PsImpersonateClient
340 PsIsSystemThread
341 PsRestoreImpersonation
342 SeDeleteAccessState
343 ZwOpenProcessTokenEx
344 ZwOpenThreadTokenEx
345
346 40. 2002-10-02
347 Corrected:
348 HANDLE_TABLE_ENTRY
349 Added:
350 Defines:
351 FSRTL_FLAG_ADVANCED_HEADER
352 FSRTL_FLAG2_SUPPORTS_FILTER_CONTEXTS
353 FSRTL_FLAG2_PURGE_WHEN_MAPPED
354 Data types:
355 FILE_ID_BOTH_DIR_INFORMATION
356 FILE_ID_FULL_DIR_INFORMATION
357
358 39. 2002-08-04
359 Added:
360 Data types:
361 LARGE_MCB
362 Function prototypes:
363 FsRtlAddLargeMcbEntry
364 FsRtlGetNextLargeMcbEntry
365 FsRtlInitializeLargeMcb
366 FsRtlLookupLargeMcbEntry
367 FsRtlLookupLastLargeMcbEntry
368 FsRtlLookupLastLargeMcbEntryAndIndex
369 FsRtlNumberOfRunsInLargeMcb
370 FsRtlRemoveLargeMcbEntry
371 FsRtlResetLargeMcb
372 FsRtlSplitLargeMcb
373 FsRtlTruncateLargeMcb
374 FsRtlUninitializeLargeMcb
375
376 38. 2002-06-30
377 Added:
378 Defines:
379 FILE_READ_ONLY_VOLUME
380 Function prototypes:
381 FsRtlAllocateResource
382 FsRtlIncrementCcFastReadNotPossible
383 FsRtlIncrementCcFastReadNoWait
384 FsRtlIncrementCcFastReadResourceMiss
385 FsRtlIncrementCcFastReadWait
386 KeIsAttachedProcess
387 KeIsExecutingDpc
388 KeRevertToUserAffinityThread
389 KeUpdateSystemTime
390 PsGetCurrentProcessSessionId
391 PsGetCurrentThreadPreviousMode
392 PsGetCurrentThreadStackBase
393 PsGetCurrentThreadStackLimit
394 RtlGetNtGlobalFlags
395
396 37. 2002-05-18
397 Uppdated for Windows XP:
398 EPROCESS
399 ETHREAD
400 KPROCESS
401 KTHREAD
402 MMSUPPORT_FLAGS
403 MMSUPPORT
404 PRIVATE_CACHE_MAP_FLAGS
405 PRIVATE_CACHE_MAP
406 SHARED_CACHE_MAP
407 Corrected:
408 VACB
409 Added:
410 Data types:
411 EPROCESS_QUOTA_ENTRY
412 EPROCESS_QUOTA_BLOCK
413 EX_FAST_REF
414 EX_PUSH_LOCK
415 EX_RUNDOWN_REF
416 PAGEFAULT_HISTORY
417 SE_AUDIT_PROCESS_CREATION_INFO
418 SECTION_OBJECT
419 TERMINATION_PORT
420
421 36. 2002-05-14
422 Corrected:
423 FILE_FS_FULL_SIZE_INFORMATION
424
425 35. 2002-03-23
426 Added:
427 Defines:
428 COMPRESSION_XXX
429 Data types:
430 COMPRESSED_DATA_INFO
431 OBJECT_HEADER
432 VAD_HEADER
433 Function prototypes:
434 CcWaitForCurrentLazyWriterActivity
435 FsRtlCheckOplock
436 FsRtlCurrentBatchOplock
437 FsRtlDeregisterUncProvider
438 FsRtlInitializeOplock
439 FsRtlOplockFsctrl
440 FsRtlOplockIsFastIoPossible
441 FsRtlRegisterUncProvider
442 FsRtlUninitializeOplock
443 RtlCompressBuffer
444 RtlCompressChunks
445 RtlDecompressBuffer
446 RtlDecompressChunks
447 RtlDecompressFragment
448 RtlDescribeChunk
449 RtlGetCompressionWorkSpaceSize
450 RtlReserveChunk
451
452 34. 2002-02-14
453 Corrected:
454 HARDWARE_PTE
455 Changed the use of _WIN32_WINNT to VER_PRODUCTBUILD since _WIN32_WINNT
456 is incorrectly defined in the Windows 2000 build environment included
457 in the Windows XP DDK.
458
459 33. 2002-01-20
460 Added:
461 Function prototypes:
462 PsDereferenceImpersonationToken
463 PsDereferencePrimaryToken
464
465 32. 2002-01-18
466 Corrected:
467 ObReferenceObjectByName
468 FILE_FS_OBJECT_ID_INFORMATION
469 FILE_OBJECTID_INFORMATION
470 Added:
471 Externals:
472 IoDriverObjectType
473 SeExports
474 Defines:
475 FILE_ACTION_XXX
476 FSCTL_XXX
477 IO_FILE_OBJECT_XXX
478 IRP_BEING_VERIFIED
479 TOKEN_XXX
480 Data types:
481 DEVICE_MAP
482 FILE_TRACKING_INFORMATION
483 SE_EXPORTS
484 Function prototypes:
485 SeEnableAccessToExports
486
487 31. 2001-12-23
488 Corrected:
489 QueryQuota in EXTENDED_IO_STACK_LOCATION
490 FILE_LOCK
491 CcPinMappedData
492 CcPinRead
493 CcPreparePinWrite
494 FsRtlFastUnlockAll
495 FsRtlFastUnlockAllByKey
496 FsRtlFastUnlockSingle
497 FsRtlInitializeFileLock
498 FsRtlPrivateLock
499 FsRtlProcessFileLock
500 MmForceSectionClosed
501 MmIsRecursiveIoFault
502 SeImpersonateClient
503 SeImpersonateClientEx
504 Added:
505 Defines:
506 More FSRTL_FLAG_XXX
507 PIN_XXX
508 VACB_XXX
509 Data types:
510 REPARSE_DATA_BUFFER
511 Function prototypes:
512 CcCopyWriteWontFlush
513 CcGetFileSizePointer
514 CcGetFlushedValidData
515 CcIsFileCached
516 CcRemapBcb
517 ExDisableResourceBoostLite
518 ExQueryPoolBlockSize
519 FsRtlAllocateFileLock
520 FsRtlAreThereCurrentFileLocks
521 FsRtlFastLock
522 FsRtlFreeFileLock
523 IoCheckDesiredAccess
524 IoCheckEaBufferValidity
525 IoCheckFunctionAccess
526 IoCheckQuotaBufferValidity
527 IoCreateStreamFileObjectLite
528 IoFastQueryNetworkAttributes
529 IoGetRequestorProcessId
530 IoIsFileOpenedExclusively
531 IoIsSystemThread
532 IoIsValidNameGraftingBuffer
533 IoSynchronousPageWrite
534 IoThreadToProcess
535 KeInitializeQueue
536 KeInsertHeadQueue
537 KeInsertQueue
538 KeReadStateQueue
539 KeRemoveQueue
540 KeRundownQueue
541 MmSetAddressRangeModified
542 ObGetObjectPointerCount
543 ObMakeTemporaryObject
544 ObQueryObjectAuditingByHandle
545 PsChargePoolQuota
546 PsReturnPoolQuota
547 SeAppendPrivileges
548 SeAuditingFileEvents
549 SeAuditingFileOrGlobalEvents
550 SeCreateClientSecurity
551 SeCreateClientSecurityFromSubjectContext
552 SeDeleteClientSecurity
553 SeDeleteObjectAuditAlarm
554 SeFreePrivileges
555 SeLockSubjectContext
556 SeOpenObjectAuditAlarm
557 SeOpenObjectForDeleteAuditAlarm
558 SePrivilegeCheck
559 SeQueryAuthenticationIdToken
560 SeQuerySecurityDescriptorInfo
561 SeQuerySessionIdToken
562 SeSetAccessStateGenericMapping
563 SeSetSecurityDescriptorInfo
564 SeSetSecurityDescriptorInfoEx
565 SeTokenIsAdmin
566 SeTokenIsRestricted
567 SeTokenType
568 SeUnlockSubjectContext
569
570 30. 2001-10-24
571 Corrected:
572 KINTERRUPT
573 OBJECT_TYPE
574 Added:
575 Defines:
576 More FSCTL_XXX
577 Data types:
578 BITMAP_RANGE
579 CreateMailslot in EXTENDED_IO_STACK_LOCATION
580 CreatePipe in EXTENDED_IO_STACK_LOCATION
581 QueryQuota in EXTENDED_IO_STACK_LOCATION
582 MAILSLOT_CREATE_PARAMETERS
583 MBCB
584 NAMED_PIPE_CREATE_PARAMETERS
585 PRIVATE_CACHE_MAP_FLAGS
586 PRIVATE_CACHE_MAP
587 SECURITY_CLIENT_CONTEXT
588 SHARED_CACHE_MAP
589 VACB
590 Function prototypes:
591 HalQueryRealTimeClock
592 HalSetRealTimeClock
593 PsGetProcessExitTime
594 PsIsThreadTerminating
595 PsLookupProcessThreadByCid
596 PsLookupThreadByThreadId
597 SeQueryAuthenticationIdToken
598 Externals:
599 KeServiceDescriptorTable
600 SePublicDefaultDacl
601 SeSystemDefaultDacl
602
603 29. 2001-10-06
604 Added:
605 Defines:
606 FSRTL_VOLUME_XXX
607 Function prototypes:
608 FsRtlNotifyChangeDirectory
609 FsRtlNotifyReportChange
610 FsRtlNotifyVolumeEvent
611
612 28. 2001-09-16
613 Added:
614 Function prototypes:
615 FsRtlNotifyInitializeSync
616 FsRtlNotifyUninitializeSync
617 SeImpersonateClientEx
618 SeReleaseSubjectContext
619
620 27. 2001-08-25
621 Corrected:
622 KPROCESS
623 FILE_LOCK_ANCHOR
624 FsRtlNormalizeNtstatus
625 RtlSecondsSince1970ToTime
626 RtlTimeToSecondsSince1970
627 SeQueryInformationToken
628 Added:
629 Defines:
630 FS_LFN_APIS
631 Data types:
632 FILE_LOCK_ENTRY
633 FILE_SHARED_LOCK_ENTRY
634 FILE_EXCLUSIVE_LOCK_ENTRY
635 Function prototypes:
636 FsRtlCheckLockForReadAccess
637 FsRtlCheckLockForWriteAccess
638 FsRtlFastUnlockAll
639 FsRtlFastUnlockAllByKey
640 FsRtlFastUnlockSingle
641 FsRtlGetFileSize
642 FsRtlGetNextFileLock
643 FsRtlInitializeFileLock
644 FsRtlPrivateLock
645 FsRtlProcessFileLock
646 FsRtlUninitializeFileLock
647 IoUnregisterFsRegistrationChange
648 PsLookupProcessByProcessId
649 SeQuerySubjectContextToken
650
651 26. 2001-04-28
652 Added:
653 Defines:
654 FSCTL_XXX
655 Data types:
656 RTL_SPLAY_LINKS
657 TUNNEL
658 Function prototypes:
659 FsRtlAddToTunnelCache
660 FsRtlDeleteKeyFromTunnelCache
661 FsRtlDeleteTunnelCache
662 FsRtlFindInTunnelCache
663 FsRtlInitializeTunnelCache
664 IoSetDeviceToVerify
665 KeInitializeApc
666 KeInsertQueueApc
667 SeQueryInformationToken
668
669 25. 2001-04-05
670 Corrected:
671 RtlImageNtHeader
672 LPC_XXX
673 OBJECT_BASIC_INFO
674 Added:
675 Defines:
676 SID_REVISION
677 Data types:
678 DIRECTORY_BASIC_INFORMATION
679 KINTERRUPT
680 OBJECT_HANDLE_ATTRIBUTE_INFO
681 PROCESS_PRIORITY_CLASS
682 SECTION_BASIC_INFORMATION
683 SECTION_IMAGE_INFORMATION
684 SECTION_INFORMATION_CLASS
685 Function prototypes:
686 RtlSecondsSince1970ToTime
687 RtlTimeToSecondsSince1970
688 ZwAdjustPrivilegesToken
689 ZwAlertThread
690 ZwAccessCheckAndAuditAlarm
691 ZwClearEvent
692 ZwCloseObjectAuditAlarm
693 ZwCreateSection
694 ZwCreateSymbolicLinkObject
695 ZwDuplicateToken
696 ZwFlushInstructionCache
697 ZwFlushVirtualMemory
698 ZwInitiatePowerAction
699 ZwLoadKey
700 ZwNotifyChangeKey
701 ZwOpenThread
702 ZwPowerInformation
703 ZwPulseEvent
704 ZwQueryDefaultLocale
705 ZwQueryDefaultUILanguage
706 ZwQueryInformationProcess
707 ZwQueryInstallUILanguage
708 ZwQuerySection
709 ZwReplaceKey
710 ZwResetEvent
711 ZwRestoreKey
712 ZwSaveKey
713 ZwSetDefaultLocale
714 ZwSetDefaultUILanguage
715 ZwSetEvent
716 ZwSetInformationObject
717 ZwSetInformationProcess
718 ZwSetSecurityObject
719 ZwSetSystemTime
720 ZwTerminateProcess
721 ZwUnloadKey
722 ZwWaitForSingleObject
723 ZwWaitForMultipleObjects
724 ZwYieldExecution
725 Removed functions that is not exported in kernel mode:
726 CcZeroEndOfLastPage
727 RtlAllocateAndInitializeSid
728 ZwAcceptConnectPort
729 ZwCompleteConnectPort
730 ZwCreatePort
731 ZwCreateProcess
732 ZwCreateThread
733 ZwFlushBuffersFile
734 ZwGetContextThread
735 ZwImpersonateClientOfPort
736 ZwListenPort
737 ZwLockFile
738 ZwNotifyChangeDirectoryFile
739 ZwQueryInformationPort
740 ZwReadRequestData
741 ZwReplyPort
742 ZwReplyWaitReceivePort
743 ZwReplyWaitReplyPort
744 ZwRequestPort
745 ZwUnlockFile
746 ZwWriteRequestData
747
748 24. 2001-03-08
749 Corrected:
750 EPROCESS
751 ETHREAD
752 FAST_IO_POSSIBLE
753 QueryEa in EXTENDED_IO_STACK_LOCATION
754 Added:
755 Defines:
756 Some more flags for FileSystemAttributes
757 Data types:
758 EXCEPTION_REGISTRATION_RECORD
759 FILE_FS_FULL_SIZE_INFORMATION
760 FILE_FS_OBJECT_ID_INFORMATION
761 HANDLE_TABLE_ENTRY
762 IO_CLIENT_EXTENSION
763 PS_IMPERSONATION_INFORMATION
764 SetEa and SetQuota in EXTENDED_IO_STACK_LOCATION
765 Function prototypes:
766 IoPageRead
767 KeStackAttachProcess
768 KeUnstackDetachProcess
769 MmMapViewOfSection
770 RtlSelfRelativeToAbsoluteSD
771 SeCreateAccessState
772
773 23. 2001-01-29
774 Corrected:
775 FSCTL_GET_VOLUME_INFORMATION
776 FSCTL_READ_MFT_RECORD
777 HARDWARE_PTE
778 EPROCESS
779 ETHREAD
780 KAPC_STATE
781 KPROCESS
782 KTHREAD
783 MMSUPPORT
784 Added:
785 Data types:
786 KGDTENTRY
787 KIDTENTRY
788 MMSUPPORT_FLAGS
789
790 22. 2000-12-23
791 Corrected:
792 EPROCESS
793 KPROCESS
794 Added:
795 Data types:
796 HARDWARE_PTE
797 MMSUPPORT
798
799 21. 2000-12-12
800 Added:
801 Defines:
802 IO_TYPE_XXX
803 OB_TYPE_XXX
804 THREAD_STATE_XXX
805 Data types:
806 EPROCESS
807 ETHREAD
808 KAPC_STATE
809 KEVENT_PAIR
810 KPROCESS
811 KTHREAD
812 KQUEUE
813 SERVICE_DESCRIPTOR_TABLE
814 TEB
815
816 20. 2000-12-03
817 Added:
818 Data types:
819 OBJECT_TYPE
820 Function prototypes:
821 ObCreateObject
822 ObInsertObject
823 ObReferenceObjectByName
824
825 19. 2000-11-25
826 Removed a name from credits since the person want to be anonymous.
827
828 18. 2000-10-13
829 Corrected:
830 PsReferenceImpersonationToken
831 Added:
832 Defines:
833 FILE_PIPE_XXX
834 LPC_XXX
835 MAILSLOT_XXX
836 PORT_XXX
837 FSCTL_GET_VOLUME_INFORMATION
838 FSCTL_READ_MFT_RECORD
839 FSCTL_MAILSLOT_PEEK
840 FSCTL_PIPE_XXX
841 Data types:
842 PORT_INFORMATION_CLASS
843 BITMAP_DESCRIPTOR
844 FILE_MAILSLOT_XXX
845 FILE_PIPE_XXX
846 MAPPING_PAIR
847 GET_RETRIEVAL_DESCRIPTOR
848 LPC_XXX
849 MOVEFILE_DESCRIPTOR
850 Function prototypes:
851 InitializeMessageHeader
852 MmForceSectionClosed
853 ZwAcceptConnectPort
854 ZwCompleteConnectPort
855 ZwConnectPort
856 ZwCreateEvent
857 ZwCreatePort
858 ZwImpersonateClientOfPort
859 ZwListenPort
860 ZwQueryInformationPort
861 ZwReadRequestData
862 ZwReplyPort
863 ZwReplyWaitReceivePort
864 ZwReplyWaitReplyPort
865 ZwRequestPort
866 ZwRequestWaitReplyPort
867 ZwWriteRequestData
868
869 17. 2000-05-21
870 Added:
871 Function prototypes:
872 PsRevertToSelf
873 SeCreateClientSecurity
874 SeImpersonateClient
875 ZwDuplicateObject
876
877 16. 2000-03-28
878 Added:
879 Defines:
880 FILE_STORAGE_TYPE_XXX
881 FILE_VC_XXX
882 IO_CHECK_CREATE_PARAMETERS
883 IO_ATTACH_DEVICE
884 IO_ATTACH_DEVICE_API
885 IO_COMPLETION_XXX
886 Data types:
887 IO_COMPLETION_INFORMATION_CLASS
888 OBJECT_INFO_CLASS
889 SYSTEM_INFORMATION_CLASS
890 FILE_LOCK_ANCHOR
891 IO_COMPLETION_BASIC_INFORMATION
892 OBJECT_BASIC_INFO
893 OBJECT_NAME_INFO
894 OBJECT_PROTECTION_INFO
895 OBJECT_TYPE_INFO
896 OBJECT_ALL_TYPES_INFO
897 SYSTEM_CACHE_INFORMATION
898 Function prototypes:
899 FsRtlAllocatePool
900 FsRtlAllocatePoolWithQuota
901 FsRtlAllocatePoolWithQuotaTag
902 FsRtlAllocatePoolWithTag
903 FsRtlAreNamesEqual
904 FsRtlFastCheckLockForRead
905 FsRtlFastCheckLockForWrite
906 FsRtlMdlReadComplete
907 FsRtlMdlWriteComplete
908 FsRtlNormalizeNtstatus
909 RtlAllocateHeap
910 RtlCreateHeap
911 RtlDestroyHeap
912 RtlFreeHeap
913 RtlImageNtHeader
914 ZwQueryObject
915 ZwQuerySystemInformation
916 ZwSetSystemInformation
917
918 15. 2000-03-15
919 Corrected:
920 Renamed IoQueryFileVolumeInformation to IoQueryVolumeInformation
921 Comment on:
922 CcZeroEndOfLastPage
923
924 14. 2000-03-12
925 Corrected:
926 IoCreateFile
927 Added:
928 #if (_WIN32_WINNT < 0x0500)/#endif around stuff that is included in
929 the Windows 2000 DDK but is missing in the Windows NT 4.0 DDK.
930 ZwOpenEvent
931
932 13. 2000-02-08
933 Corrected:
934 PsReferenceImpersonationToken
935 Comment on:
936 RtlAllocateAndInitializeSid
937
938 12. 1999-10-18
939 Corrected:
940 FILE_COMPRESSION_INFORMATION
941 Added:
942 Defines:
943 ACCESS_ALLOWED_ACE_TYPE
944 ACCESS_DENIED_ACE_TYPE
945 SYSTEM_AUDIT_ACE_TYPE
946 SYSTEM_ALARM_ACE_TYPE
947 ANSI_DOS_STAR/QM/DOT
948 DOS_STAR/QM/DOT
949 FILE_EA_TYPE_XXX
950 FILE_NEED_EA
951 FILE_OPBATCH_BREAK_UNDERWAY
952 SECURITY_WORLD_SID_AUTHORITY
953 SECURITY_WORLD_RID
954 Data types:
955 POBJECT
956 FILE_STORAGE_TYPE
957 FILE_COMPLETION_INFORMATION
958 FILE_COPY_ON_WRITE_INFORMATION
959 FILE_FS_CONTROL_INFORMATION
960 FILE_GET_EA_INFORMATION
961 FILE_GET_QUOTA_INFORMATION
962 FILE_OBJECTID_INFORMATION
963 FILE_OLE_CLASSID_INFORMATION
964 FILE_OLE_ALL_INFORMATION
965 FILE_OLE_DIR_INFORMATION
966 FILE_OLE_INFORMATION
967 FILE_OLE_STATE_BITS_INFORMATION
968 FILE_QUOTA_INFORMATION
969 Function prototypes:
970 HalDisplayString
971 HalMakeBeep
972 IoGetRequestorProcess
973 ObQueryNameString
974 ProbeForWrite
975 RtlAbsoluteToSelfRelativeSD
976 RtlGetDaclSecurityDescriptor
977 RtlGetGroupSecurityDescriptor
978 RtlGetOwnerSecurityDescriptor
979 RtlInitializeSid
980 RtlSetGroupSecurityDescriptor
981 RtlSetOwnerSecurityDescriptor
982 RtlSetSaclSecurityDescriptor
983 ZwDeleteValueKey
984 ZwDisplayString
985 ZwQueryDirectoryObject
986
987 11. 1999-10-13
988 Corrected:
989 ZwOpenProcessToken
990 ZwOpenThreadToken
991 Added:
992 Function prototypes:
993 RtlAllocateAndInitializeSid
994 RtlCopySid
995 RtlEqualSid
996 RtlFillMemoryUlong
997 RtlIsNameLegalDOS8Dot3
998 RtlLengthRequiredSid
999 RtlLengthSid
1000 RtlNtStatusToDosError
1001 RtlSubAuthorityCountSid
1002 RtlSubAuthoritySid
1003 RtlValidSid
1004
1005 10. 1999-07-15
1006 Corrected:
1007 RtlConvertSidToUnicodeString
1008 Added:
1009 Externals:
1010 FsRtlLegalAnsiCharacterArray
1011 NtBuildNumber
1012 Defines:
1013 FSRTL_WILD_CHARACTER
1014 FlagOn
1015 FsRtlIsUnicodeCharacterWild
1016 Structures:
1017 FILE_ACCESS_INFORMATION
1018 FILE_MODE_INFORMATION
1019 GENERATE_NAME_CONTEXT
1020 Function prototypes:
1021 FsRtlDoesNameContainWildCards
1022 FsRtlIsNameInExpression
1023 IoSetInformation
1024 RtlGenerate8dot3Name
1025 ZwQuerySecurityObject
1026
1027 9. 1999-07-12
1028 Corrected:
1029 EXTENDED_IO_STACK_LOCATION
1030 QueryDirectory in EXTENDED_IO_STACK_LOCATION
1031 ZwCreateThread
1032 Added:
1033 Structures:
1034 INITIAL_TEB
1035 Function prototypes:
1036 ZwQuerySymbolicLinkObject
1037
1038 8. 1999-06-07
1039 Corrected:
1040 ZwOpenProcessToken
1041 ZwOpenThreadToken
1042 Added:
1043 Defines:
1044 FILE_OPLOCK_BROKEN_TO_LEVEL_2
1045 FILE_OPLOCK_BROKEN_TO_NONE
1046 FILE_CASE_SENSITIVE_SEARCH
1047 FILE_CASE_PRESERVED_NAMES
1048 FILE_UNICODE_ON_DISK
1049 FILE_PERSISTENT_ACLS
1050 FILE_FILE_COMPRESSION
1051 FILE_VOLUME_IS_COMPRESSED
1052 FSRTL_FLAG_ACQUIRE_MAIN_RSRC_EX
1053 FSRTL_FLAG_ACQUIRE_MAIN_RSRC_SH
1054 IOCTL_REDIR_QUERY_PATH
1055 Structures:
1056 FILE_FS_LABEL_INFORMATION
1057 PATHNAME_BUFFER
1058 In IO_STACK_LOCATION:
1059 FileSystemControl
1060 LockControl
1061 SetVolume
1062 Function prototypes:
1063 FsRtlCopyRead
1064 FsRtlCopyWrite
1065 IoVerifyVolume
1066
1067 7. 1999-06-05
1068 Added:
1069 defines for TOKEN_XXX
1070 SID_NAME_USE
1071 TOKEN_INFORMATION_CLASS
1072 TOKEN_TYPE
1073 FILE_FS_ATTRIBUTE_INFORMATION
1074 FILE_FS_SIZE_INFORMATION
1075 SID_IDENTIFIER_AUTHORITY
1076 SID
1077 SID_AND_ATTRIBUTES
1078 TOKEN_CONTROL
1079 TOKEN_DEFAULT_DACL
1080 TOKEN_GROUPS
1081 TOKEN_OWNER
1082 TOKEN_PRIMARY_GROUP
1083 TOKEN_PRIVILEGES
1084 TOKEN_SOURCE
1085 TOKEN_STATISTICS
1086 TOKEN_USER
1087 IoCreateFile
1088 IoGetAttachedDevice
1089 IoGetBaseFileSystemDeviceObject
1090 PsReferenceImpersonationToken
1091 PsReferencePrimaryToken
1092 RtlConvertSidToUnicodeString
1093 SeCaptureSubjectContext
1094 SeMarkLogonSessionForTerminationNotification
1095 SeRegisterLogonSessionTerminatedRoutine
1096 SeUnregisterLogonSessionTerminatedRoutine
1097 ZwOpenProcessToken
1098 ZwOpenThreadToken
1099 ZwQueryInformationToken
1100
1101 6. 1999-05-10
1102 Corrected declarations of Zw functions.
1103 Added:
1104 ZwCancelIoFile
1105 ZwDeleteFile
1106 ZwFlushBuffersFile
1107 ZwFsControlFile
1108 ZwLockFile
1109 ZwNotifyChangeDirectoryFile
1110 ZwOpenFile
1111 ZwQueryEaFile
1112 ZwSetEaFile
1113 ZwSetVolumeInformationFile
1114 ZwUnlockFile
1115
1116 5. 1999-05-09
1117 Added:
1118 defines for FILE_ACTION_XXX and FILE_NOTIFY_XXX
1119 FILE_FS_VOLUME_INFORMATION
1120 RETRIEVAL_POINTERS_BUFFER
1121 STARTING_VCN_INPUT_BUFFER
1122 FsRtlNotifyFullReportChange
1123
1124 4. 1999-04-11
1125 Corrected:
1126 ZwCreateThread
1127 Added:
1128 define _GNU_NTIFS_
1129
1130 3. 1999-03-30
1131 Added:
1132 defines for MAP_XXX, MEM_XXX and SEC_XXX
1133 FILE_BOTH_DIR_INFORMATION
1134 FILE_DIRECTORY_INFORMATION
1135 FILE_FULL_DIR_INFORMATION
1136 FILE_NAMES_INFORMATION
1137 FILE_NOTIFY_INFORMATION
1138 FsRtlNotifyCleanup
1139 KeAttachProcess
1140 KeDetachProcess
1141 MmCreateSection
1142 ZwCreateProcess
1143 ZwCreateThread
1144 ZwDeviceIoControlFile
1145 ZwGetContextThread
1146 ZwLoadDriver
1147 ZwOpenDirectoryObject
1148 ZwOpenProcess
1149 ZwOpenSymbolicLinkObject
1150 ZwQueryDirectoryFile
1151 ZwUnloadDriver
1152
1153 2. 1999-03-15
1154 Added:
1155 FILE_COMPRESSION_INFORMATION
1156 FILE_STREAM_INFORMATION
1157 FILE_LINK_INFORMATION
1158 FILE_RENAME_INFORMATION
1159 EXTENDED_IO_STACK_LOCATION
1160 IoQueryFileInformation
1161 IoQueryFileVolumeInformation
1162 ZwQueryVolumeInformationFile
1163 Moved include of ntddk.h to inside extern "C" block.
1164
1165 1. 1999-03-11
1166 Initial release.
1167 */
1168
1169 #ifndef _NTIFS_
1170 #define _NTIFS_
1171 #define _GNU_NTIFS_
1172
1173 #ifdef __cplusplus
1174 extern "C" {
1175 #endif
1176
1177 #include <ntddk.h>
1178 #include <ntverp.h>
1179
1180 // Available in Windows NT 3.1 and later versions.
1181 // Documented in the WDK.
1182 extern PEPROCESS PsInitialSystemProcess;
1183
1184 // Available in Windows NT 3.5 and later versions.
1185 typedef struct _HAL_PRIVATE_DISPATCH *PHAL_PRIVATE_DISPATCH;
1186 extern PHAL_PRIVATE_DISPATCH HalPrivateDispatchTable;
1187
1188 // Available in Windows NT 3.5 and later versions.
1189 typedef struct _LOADER_PARAMETER_BLOCK *PLOADER_PARAMETER_BLOCK;
1190 extern PLOADER_PARAMETER_BLOCK KeLoaderBlock;
1191
1192 // Available in Windows NT 3.5 and later versions.
1193 typedef struct _SERVICE_DESCRIPTOR_TABLE *PSERVICE_DESCRIPTOR_TABLE;
1194 extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
1195
1196 // Available in Windows NT 3.5 and later versions.
1197 extern PSHORT NtBuildNumber;
1198 extern PULONG KeI386MachineType;
1199
1200 // Available in Windows NT 4.0 and later versions.
1201 extern ULONG KiBugCheckData[5];
1202
1203 // Available in Windows 2000 and later versions.
1204 extern PULONG InitSafeBootMode;
1205
1206 // Available from Windows 2000 untill Windows Server 2003.
1207 extern PULONG KiEnableTimerWatchdog;
1208
1209 // Available in Windows NT 3.5 and later versions.
1210 //
1211 // Set by the kernel debugger on the target system to the address of the
1212 // serial port used to communicate with the host.
1213 //
1214 extern PUCHAR *KdComPortInUse;
1215
1216 // Available in Windows 2000 and later versions.
1217 extern PULONG KdEnteredDebugger;
1218
1219 // Available in Windows Vista and later versions.
1220 // Documented in the WDK.
1221 extern PVOID MmBadPointer;
1222
1223 // Available in Windows NT 3.5 and later versions.
1224 // Documented in the WDK.
1225 extern PUCHAR *FsRtlLegalAnsiCharacterArray;
1226
1227 // Available in Windows NT 3.5 and later versions.
1228 extern PUSHORT *NlsLeadByteInfo;
1229 extern PUSHORT *NlsOemLeadByteInfo;
1230 extern PBOOLEAN NlsMbCodePageTag;
1231 extern PBOOLEAN NlsMbOemCodePageTag;
1232
1233 // Available in Windows NT 4.0 and later versions.
1234 extern PUSHORT NlsAnsiCodePage;
1235
1236 // Available in Windows 2000 and later versions.
1237 extern PUSHORT NlsOemCodePage;
1238
1239 // Available in Windows NT 3.5 and later versions.
1240 // SeExports is documented in the WDK.
1241 typedef struct _SE_EXPORTS *PSE_EXPORTS;
1242 extern PSE_EXPORTS SeExports;
1243 extern PACL SePublicDefaultDacl;
1244 extern PACL SeSystemDefaultDacl;
1245
1246 // Available in Windows NT 3.5 and later versions.
1247 // Documented in the WDK.
1248 extern KSPIN_LOCK IoStatisticsLock;
1249 extern ULONG IoReadOperationCount;
1250 extern ULONG IoWriteOperationCount;
1251 extern LARGE_INTEGER IoReadTransferCount;
1252 extern LARGE_INTEGER IoWriteTransferCount;
1253
1254 // Available from Windows NT 3.5 untill Windows XP.
1255 extern ULONG KeDcacheFlushCount;
1256 extern ULONG KeIcacheFlushCount;
1257
1258 // Available in Windows NT 4.0 and later versions.
1259 // Documented in the WDK.
1260 extern ULONG CcFastMdlReadWait;
1261 // Available from Windows NT 4.0 untill Windows Server 2003.
1262 extern ULONG CcFastReadNotPossible;
1263 extern ULONG CcFastReadWait;
1264
1265 // The ExEventObjectType, ExSemaphoreObjectType and IoFileObjectType is
1266 // documented in the DDK and the WDK.
1267 //
1268 // The CmKeyObjectType, SeTokenObjectType, PsProcessType, PsThreadType,
1269 // TmEnlistmentObjectType, TmResourceManagerObjectType,
1270 // TmTransactionManagerObjectType and TmTransactionObjectType
1271 // is documented in the WDK.
1272 //
1273 // Available in Windows NT 3.5 and later versions.
1274 extern POBJECT_TYPE *IoAdapterObjectType;
1275 extern POBJECT_TYPE *IoDeviceObjectType;
1276 extern POBJECT_TYPE *IoDriverObjectType;
1277 extern POBJECT_TYPE *MmSectionObjectType;
1278 extern POBJECT_TYPE *PsProcessType;
1279 extern POBJECT_TYPE *PsThreadType;
1280 // Available in Windows NT 4.0 and later versions.
1281 extern POBJECT_TYPE *ExDesktopObjectType;
1282 extern POBJECT_TYPE *ExWindowStationObjectType;
1283 extern POBJECT_TYPE *IoDeviceHandlerObjectType;
1284 // Available in Windows 2000 and later versions.
1285 extern POBJECT_TYPE *LpcPortObjectType;
1286 extern POBJECT_TYPE *PsJobType;
1287 // Available in Windows XP and later versions.
1288 extern POBJECT_TYPE *SeTokenObjectType;
1289 // Available in Windows Vista and later versions.
1290 extern POBJECT_TYPE *TmEnlistmentObjectType;
1291 extern POBJECT_TYPE *TmResourceManagerObjectType;
1292 extern POBJECT_TYPE *TmTransactionManagerObjectType;
1293 extern POBJECT_TYPE *TmTransactionObjectType;
1294 // Available in Windows 7 and later versions.
1295 extern POBJECT_TYPE *CmKeyObjectType;
1296
1297 // Available in Windows NT 4.0 and later versions.
1298 extern PULONG IoDeviceHandlerObjectSize;
1299
1300 // Available in Windows Vista and later versions.
1301 extern PVOID POGOBuffer;
1302 extern PVOID psMUITest;
1303 extern PVOID PsUILanguageComitted;
1304
1305 #define ACCESS_ALLOWED_ACE_TYPE (0x0)
1306 #define ACCESS_DENIED_ACE_TYPE (0x1)
1307 #define SYSTEM_AUDIT_ACE_TYPE (0x2)
1308 #define SYSTEM_ALARM_ACE_TYPE (0x3)
1309
1310 #define ANSI_DOS_STAR ('<')
1311 #define ANSI_DOS_QM ('>')
1312 #define ANSI_DOS_DOT ('"')
1313
1314 #define DOS_STAR (L'<')
1315 #define DOS_QM (L'>')
1316 #define DOS_DOT (L'"')
1317
1318 #define COMPRESSION_FORMAT_NONE (0x0000)
1319 #define COMPRESSION_FORMAT_DEFAULT (0x0001)
1320 #define COMPRESSION_FORMAT_LZNT1 (0x0002)
1321 #define COMPRESSION_ENGINE_STANDARD (0x0000)
1322 #define COMPRESSION_ENGINE_MAXIMUM (0x0100)
1323 #define COMPRESSION_ENGINE_HIBER (0x0200)
1324
1325 #define FILE_ACTION_ADDED 0x00000001
1326 #define FILE_ACTION_REMOVED 0x00000002
1327 #define FILE_ACTION_MODIFIED 0x00000003
1328 #define FILE_ACTION_RENAMED_OLD_NAME 0x00000004
1329 #define FILE_ACTION_RENAMED_NEW_NAME 0x00000005
1330 #define FILE_ACTION_ADDED_STREAM 0x00000006
1331 #define FILE_ACTION_REMOVED_STREAM 0x00000007
1332 #define FILE_ACTION_MODIFIED_STREAM 0x00000008
1333 #define FILE_ACTION_REMOVED_BY_DELETE 0x00000009
1334 #define FILE_ACTION_ID_NOT_TUNNELLED 0x0000000A
1335 #define FILE_ACTION_TUNNELLED_ID_COLLISION 0x0000000B
1336
1337 #define FILE_EA_TYPE_BINARY 0xfffe
1338 #define FILE_EA_TYPE_ASCII 0xfffd
1339 #define FILE_EA_TYPE_BITMAP 0xfffb
1340 #define FILE_EA_TYPE_METAFILE 0xfffa
1341 #define FILE_EA_TYPE_ICON 0xfff9
1342 #define FILE_EA_TYPE_EA 0xffee
1343 #define FILE_EA_TYPE_MVMT 0xffdf
1344 #define FILE_EA_TYPE_MVST 0xffde
1345 #define FILE_EA_TYPE_ASN1 0xffdd
1346 #define FILE_EA_TYPE_FAMILY_IDS 0xff01
1347
1348 #define FILE_NEED_EA 0x00000080
1349
1350 #define FILE_NOTIFY_CHANGE_FILE_NAME 0x00000001
1351 #define FILE_NOTIFY_CHANGE_DIR_NAME 0x00000002
1352 #define FILE_NOTIFY_CHANGE_NAME 0x00000003
1353 #define FILE_NOTIFY_CHANGE_ATTRIBUTES 0x00000004
1354 #define FILE_NOTIFY_CHANGE_SIZE 0x00000008
1355 #define FILE_NOTIFY_CHANGE_LAST_WRITE 0x00000010
1356 #define FILE_NOTIFY_CHANGE_LAST_ACCESS 0x00000020
1357 #define FILE_NOTIFY_CHANGE_CREATION 0x00000040
1358 #define FILE_NOTIFY_CHANGE_EA 0x00000080
1359 #define FILE_NOTIFY_CHANGE_SECURITY 0x00000100
1360 #define FILE_NOTIFY_CHANGE_STREAM_NAME 0x00000200
1361 #define FILE_NOTIFY_CHANGE_STREAM_SIZE 0x00000400
1362 #define FILE_NOTIFY_CHANGE_STREAM_WRITE 0x00000800
1363 #define FILE_NOTIFY_VALID_MASK 0x00000fff
1364
1365 #define FILE_OPLOCK_BROKEN_TO_LEVEL_2 0x00000007
1366 #define FILE_OPLOCK_BROKEN_TO_NONE 0x00000008
1367
1368 #define FILE_OPBATCH_BREAK_UNDERWAY 0x00000009
1369
1370 #define FILE_CASE_SENSITIVE_SEARCH 0x00000001
1371 #define FILE_CASE_PRESERVED_NAMES 0x00000002
1372 #define FILE_UNICODE_ON_DISK 0x00000004
1373 #define FILE_PERSISTENT_ACLS 0x00000008
1374 #define FILE_FILE_COMPRESSION 0x00000010
1375 #define FILE_VOLUME_QUOTAS 0x00000020
1376 #define FILE_SUPPORTS_SPARSE_FILES 0x00000040
1377 #define FILE_SUPPORTS_REPARSE_POINTS 0x00000080
1378 #define FILE_SUPPORTS_REMOTE_STORAGE 0x00000100
1379 #define FS_LFN_APIS 0x00004000
1380 #define FILE_VOLUME_IS_COMPRESSED 0x00008000
1381 #define FILE_SUPPORTS_OBJECT_IDS 0x00010000
1382 #define FILE_SUPPORTS_ENCRYPTION 0x00020000
1383 #define FILE_NAMED_STREAMS 0x00040000
1384 #define FILE_READ_ONLY_VOLUME 0x00080000
1385
1386 #define FILE_PIPE_BYTE_STREAM_TYPE 0x00000000
1387 #define FILE_PIPE_MESSAGE_TYPE 0x00000001
1388
1389 #define FILE_PIPE_BYTE_STREAM_MODE 0x00000000
1390 #define FILE_PIPE_MESSAGE_MODE 0x00000001
1391
1392 #define FILE_PIPE_QUEUE_OPERATION 0x00000000
1393 #define FILE_PIPE_COMPLETE_OPERATION 0x00000001
1394
1395 #define FILE_PIPE_INBOUND 0x00000000
1396 #define FILE_PIPE_OUTBOUND 0x00000001
1397 #define FILE_PIPE_FULL_DUPLEX 0x00000002
1398
1399 #define FILE_PIPE_DISCONNECTED_STATE 0x00000001
1400 #define FILE_PIPE_LISTENING_STATE 0x00000002
1401 #define FILE_PIPE_CONNECTED_STATE 0x00000003
1402 #define FILE_PIPE_CLOSING_STATE 0x00000004
1403
1404 #define FILE_PIPE_CLIENT_END 0x00000000
1405 #define FILE_PIPE_SERVER_END 0x00000001
1406
1407 #define FILE_PIPE_READ_DATA 0x00000000
1408 #define FILE_PIPE_WRITE_SPACE 0x00000001
1409
1410 #define FILE_STORAGE_TYPE_SPECIFIED 0x00000041 // FILE_DIRECTORY_FILE | FILE_NON_DIRECTORY_FILE
1411 #define FILE_STORAGE_TYPE_DEFAULT (StorageTypeDefault << FILE_STORAGE_TYPE_SHIFT)
1412 #define FILE_STORAGE_TYPE_DIRECTORY (StorageTypeDirectory << FILE_STORAGE_TYPE_SHIFT)
1413 #define FILE_STORAGE_TYPE_FILE (StorageTypeFile << FILE_STORAGE_TYPE_SHIFT)
1414 #define FILE_STORAGE_TYPE_DOCFILE (StorageTypeDocfile << FILE_STORAGE_TYPE_SHIFT)
1415 #define FILE_STORAGE_TYPE_JUNCTION_POINT (StorageTypeJunctionPoint << FILE_STORAGE_TYPE_SHIFT)
1416 #define FILE_STORAGE_TYPE_CATALOG (StorageTypeCatalog << FILE_STORAGE_TYPE_SHIFT)
1417 #define FILE_STORAGE_TYPE_STRUCTURED_STORAGE (StorageTypeStructuredStorage << FILE_STORAGE_TYPE_SHIFT)
1418 #define FILE_STORAGE_TYPE_EMBEDDING (StorageTypeEmbedding << FILE_STORAGE_TYPE_SHIFT)
1419 #define FILE_STORAGE_TYPE_STREAM (StorageTypeStream << FILE_STORAGE_TYPE_SHIFT)
1420 #define FILE_MINIMUM_STORAGE_TYPE FILE_STORAGE_TYPE_DEFAULT
1421 #define FILE_MAXIMUM_STORAGE_TYPE FILE_STORAGE_TYPE_STREAM
1422 #define FILE_STORAGE_TYPE_MASK 0x000f0000
1423 #define FILE_STORAGE_TYPE_SHIFT 16
1424
1425 #define FILE_VC_QUOTA_NONE 0x00000000
1426 #define FILE_VC_QUOTA_TRACK 0x00000001
1427 #define FILE_VC_QUOTA_ENFORCE 0x00000002
1428 #define FILE_VC_QUOTA_MASK 0x00000003
1429
1430 #define FILE_VC_QUOTAS_LOG_VIOLATIONS 0x00000004
1431 #define FILE_VC_CONTENT_INDEX_DISABLED 0x00000008
1432
1433 #define FILE_VC_LOG_QUOTA_THRESHOLD 0x00000010
1434 #define FILE_VC_LOG_QUOTA_LIMIT 0x00000020
1435 #define FILE_VC_LOG_VOLUME_THRESHOLD 0x00000040
1436 #define FILE_VC_LOG_VOLUME_LIMIT 0x00000080
1437
1438 #define FILE_VC_QUOTAS_INCOMPLETE 0x00000100
1439 #define FILE_VC_QUOTAS_REBUILDING 0x00000200
1440
1441 #define FILE_VC_VALID_MASK 0x000003ff
1442
1443 #define FSRTL_FCB_HEADER_V0 (0x00)
1444 #define FSRTL_FCB_HEADER_V1 (0x01)
1445
1446 #define FSRTL_FLAG_FILE_MODIFIED (0x01)
1447 #define FSRTL_FLAG_FILE_LENGTH_CHANGED (0x02)
1448 #define FSRTL_FLAG_LIMIT_MODIFIED_PAGES (0x04)
1449 #define FSRTL_FLAG_ACQUIRE_MAIN_RSRC_EX (0x08)
1450 #define FSRTL_FLAG_ACQUIRE_MAIN_RSRC_SH (0x10)
1451 #define FSRTL_FLAG_USER_MAPPED_FILE (0x20)
1452 #define FSRTL_FLAG_ADVANCED_HEADER (0x40)
1453 #define FSRTL_FLAG_EOF_ADVANCE_ACTIVE (0x80)
1454
1455 #define FSRTL_FLAG2_DO_MODIFIED_WRITE (0x01)
1456 #define FSRTL_FLAG2_SUPPORTS_FILTER_CONTEXTS (0x02)
1457 #define FSRTL_FLAG2_PURGE_WHEN_MAPPED (0x04)
1458 #define FSRTL_FLAG2_IS_PAGING_FILE (0x08)
1459
1460 #define FSRTL_FSP_TOP_LEVEL_IRP (0x01)
1461 #define FSRTL_CACHE_TOP_LEVEL_IRP (0x02)
1462 #define FSRTL_MOD_WRITE_TOP_LEVEL_IRP (0x03)
1463 #define FSRTL_FAST_IO_TOP_LEVEL_IRP (0x04)
1464 #define FSRTL_MAX_TOP_LEVEL_IRP_FLAG (0x04)
1465
1466 #define FSRTL_VOLUME_DISMOUNT 1
1467 #define FSRTL_VOLUME_DISMOUNT_FAILED 2
1468 #define FSRTL_VOLUME_LOCK 3
1469 #define FSRTL_VOLUME_LOCK_FAILED 4
1470 #define FSRTL_VOLUME_UNLOCK 5
1471 #define FSRTL_VOLUME_MOUNT 6
1472
1473 #define FSRTL_WILD_CHARACTER 0x08
1474
1475 #ifdef _X86_
1476 #define HARDWARE_PTE HARDWARE_PTE_X86
1477 #define PHARDWARE_PTE PHARDWARE_PTE_X86
1478 #else
1479 #define HARDWARE_PTE ULONG
1480 #define PHARDWARE_PTE PULONG
1481 #endif
1482
1483 #define IO_CHECK_CREATE_PARAMETERS 0x0200
1484 #define IO_ATTACH_DEVICE 0x0400
1485
1486 #define IO_ATTACH_DEVICE_API 0x80000000
1487
1488 #define IO_COMPLETION_QUERY_STATE 0x0001
1489 #define IO_COMPLETION_MODIFY_STATE 0x0002
1490 #define IO_COMPLETION_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3)
1491
1492 #define IO_FILE_OBJECT_NON_PAGED_POOL_CHARGE 64
1493 #define IO_FILE_OBJECT_PAGED_POOL_CHARGE 1024
1494
1495 #define IO_REPARSE_TAG_RESERVED_ZERO (0)
1496 #define IO_REPARSE_TAG_RESERVED_ONE (1)
1497
1498 #define IO_TYPE_APC 18
1499 #define IO_TYPE_DPC 19
1500 #define IO_TYPE_DEVICE_QUEUE 20
1501 #define IO_TYPE_EVENT_PAIR 21
1502 #define IO_TYPE_INTERRUPT 22
1503 #define IO_TYPE_PROFILE 23
1504
1505 #define IRP_BEING_VERIFIED 0x10
1506
1507 #define MAILSLOT_CLASS_FIRSTCLASS 1
1508 #define MAILSLOT_CLASS_SECONDCLASS 2
1509
1510 #define MAILSLOT_SIZE_AUTO 0
1511
1512 #define MAP_PROCESS 1L
1513 #define MAP_SYSTEM 2L
1514
1515 #define MEM_DOS_LIM 0x40000000
1516 #define MEM_IMAGE SEC_IMAGE
1517
1518 #define OB_FLAG_CREATE_INFO 0x01 /* Object header has OBJECT_CREATE_INFO */
1519 #define OB_FLAG_KERNEL_MODE 0x02 /* Created by kernel */
1520 #define OB_FLAG_CREATOR_INFO 0x04 /* Object header has OBJECT_CREATOR_INFO */
1521 #define OB_FLAG_EXCLUSIVE 0x08 /* OBJ_EXCLUSIVE */
1522 #define OB_FLAG_PERMAMENT 0x10 /* OBJ_PERMAMENT */
1523 #define OB_FLAG_SECURITY 0x20 /* Object header has SecurityDescriptor != NULL */
1524 #define OB_FLAG_SINGLE_PROCESS 0x40 /* absent HandleDBList */
1525
1526 #define OB_SECURITY_CHARGE 0x00000800
1527
1528 #define OB_TYPE_TYPE 1
1529 #define OB_TYPE_DIRECTORY 2
1530 #define OB_TYPE_SYMBOLIC_LINK 3
1531 #define OB_TYPE_TOKEN 4
1532 #define OB_TYPE_PROCESS 5
1533 #define OB_TYPE_THREAD 6
1534 #define OB_TYPE_EVENT 7
1535 #define OB_TYPE_EVENT_PAIR 8
1536 #define OB_TYPE_MUTANT 9
1537 #define OB_TYPE_SEMAPHORE 10
1538 #define OB_TYPE_TIMER 11
1539 #define OB_TYPE_PROFILE 12
1540 #define OB_TYPE_WINDOW_STATION 13
1541 #define OB_TYPE_DESKTOP 14
1542 #define OB_TYPE_SECTION 15
1543 #define OB_TYPE_KEY 16
1544 #define OB_TYPE_PORT 17
1545 #define OB_TYPE_ADAPTER 18
1546 #define OB_TYPE_CONTROLLER 19
1547 #define OB_TYPE_DEVICE 20
1548 #define OB_TYPE_DRIVER 21
1549 #define OB_TYPE_IO_COMPLETION 22
1550 #define OB_TYPE_FILE 23
1551
1552 #define PIN_WAIT (1)
1553 #define PIN_EXCLUSIVE (2)
1554 #define PIN_NO_READ (4)
1555 #define PIN_IF_BCB (8)
1556
1557 #define MAP_WAIT (1)
1558 #define MAP_NO_READ (16)
1559
1560 #define PORT_CONNECT 0x0001
1561 #define PORT_ALL_ACCESS (STANDARD_RIGHTS_ALL |\
1562 PORT_CONNECT)
1563
1564 #define SEC_BASED 0x00200000
1565 #define SEC_NO_CHANGE 0x00400000
1566 #define SEC_FILE 0x00800000
1567 #define SEC_IMAGE 0x01000000
1568 #define SEC_COMMIT 0x08000000
1569 #define SEC_NOCACHE 0x10000000
1570
1571 #define SECURITY_WORLD_SID_AUTHORITY {0,0,0,0,0,1}
1572 #define SECURITY_WORLD_RID (0x00000000L)
1573
1574 #define SID_REVISION 1
1575
1576 #define THREAD_STATE_INITIALIZED 0
1577 #define THREAD_STATE_READY 1
1578 #define THREAD_STATE_RUNNING 2
1579 #define THREAD_STATE_STANDBY 3
1580 #define THREAD_STATE_TERMINATED 4
1581 #define THREAD_STATE_WAIT 5
1582 #define THREAD_STATE_TRANSITION 6
1583 #define THREAD_STATE_UNKNOWN 7
1584
1585 #define TOKEN_ASSIGN_PRIMARY (0x0001)
1586 #define TOKEN_DUPLICATE (0x0002)
1587 #define TOKEN_IMPERSONATE (0x0004)
1588 #define TOKEN_QUERY (0x0008)
1589 #define TOKEN_QUERY_SOURCE (0x0010)
1590 #define TOKEN_ADJUST_PRIVILEGES (0x0020)
1591 #define TOKEN_ADJUST_GROUPS (0x0040)
1592 #define TOKEN_ADJUST_DEFAULT (0x0080)
1593
1594 #define TOKEN_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |\
1595 TOKEN_ASSIGN_PRIMARY |\
1596 TOKEN_DUPLICATE |\
1597 TOKEN_IMPERSONATE |\
1598 TOKEN_QUERY |\
1599 TOKEN_QUERY_SOURCE |\
1600 TOKEN_ADJUST_PRIVILEGES |\
1601 TOKEN_ADJUST_GROUPS |\
1602 TOKEN_ADJUST_DEFAULT)
1603
1604 #define TOKEN_READ (STANDARD_RIGHTS_READ |\
1605 TOKEN_QUERY)
1606
1607 #define TOKEN_WRITE (STANDARD_RIGHTS_WRITE |\
1608 TOKEN_ADJUST_PRIVILEGES |\
1609 TOKEN_ADJUST_GROUPS |\
1610 TOKEN_ADJUST_DEFAULT)
1611
1612 #define TOKEN_EXECUTE (STANDARD_RIGHTS_EXECUTE)
1613
1614 #define TOKEN_SOURCE_LENGTH 8
1615
1616 #define TOKEN_HAS_TRAVERSE_PRIVILEGE 0x01
1617 #define TOKEN_HAS_BACKUP_PRIVILEGE 0x02
1618 #define TOKEN_HAS_RESTORE_PRIVILEGE 0x04
1619 #define TOKEN_HAS_ADMIN_GROUP 0x08
1620 #define TOKEN_IS_RESTRICTED 0x10
1621 #define TOKEN_SESSION_NOT_REFERENCED 0x20
1622 #define TOKEN_SANDBOX_INERT 0x40
1623 #define TOKEN_HAS_IMPERSONATE_PRIVILEGE 0x80
1624
1625 #define VACB_MAPPING_GRANULARITY (0x40000)
1626 #define VACB_OFFSET_SHIFT (18)
1627
1628 #define FSCTL_REQUEST_OPLOCK_LEVEL_1 CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 0, METHOD_BUFFERED, FILE_ANY_ACCESS)
1629 #define FSCTL_REQUEST_OPLOCK_LEVEL_2 CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 1, METHOD_BUFFERED, FILE_ANY_ACCESS)
1630 #define FSCTL_REQUEST_BATCH_OPLOCK CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 2, METHOD_BUFFERED, FILE_ANY_ACCESS)
1631 #define FSCTL_OPLOCK_BREAK_ACKNOWLEDGE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 3, METHOD_BUFFERED, FILE_ANY_ACCESS)
1632 #define FSCTL_OPBATCH_ACK_CLOSE_PENDING CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 4, METHOD_BUFFERED, FILE_ANY_ACCESS)
1633 #define FSCTL_OPLOCK_BREAK_NOTIFY CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 5, METHOD_BUFFERED, FILE_ANY_ACCESS)
1634 #define FSCTL_LOCK_VOLUME CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 6, METHOD_BUFFERED, FILE_ANY_ACCESS)
1635 #define FSCTL_UNLOCK_VOLUME CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 7, METHOD_BUFFERED, FILE_ANY_ACCESS)
1636 #define FSCTL_DISMOUNT_VOLUME CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 8, METHOD_BUFFERED, FILE_ANY_ACCESS)
1637
1638 #define FSCTL_IS_VOLUME_MOUNTED CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 10, METHOD_BUFFERED, FILE_ANY_ACCESS)
1639 #define FSCTL_IS_PATHNAME_VALID CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 11, METHOD_BUFFERED, FILE_ANY_ACCESS)
1640 #define FSCTL_MARK_VOLUME_DIRTY CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 12, METHOD_BUFFERED, FILE_ANY_ACCESS)
1641
1642 #define FSCTL_QUERY_RETRIEVAL_POINTERS CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 14, METHOD_NEITHER, FILE_ANY_ACCESS)
1643 #define FSCTL_GET_COMPRESSION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 15, METHOD_BUFFERED, FILE_ANY_ACCESS)
1644 #define FSCTL_SET_COMPRESSION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 16, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)
1645
1646
1647 #define FSCTL_MARK_AS_SYSTEM_HIVE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 19, METHOD_NEITHER, FILE_ANY_ACCESS)
1648 #define FSCTL_OPLOCK_BREAK_ACK_NO_2 CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 20, METHOD_BUFFERED, FILE_ANY_ACCESS)
1649 #define FSCTL_INVALIDATE_VOLUMES CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 21, METHOD_BUFFERED, FILE_ANY_ACCESS)
1650 #define FSCTL_QUERY_FAT_BPB CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 22, METHOD_BUFFERED, FILE_ANY_ACCESS)
1651 #define FSCTL_REQUEST_FILTER_OPLOCK CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 23, METHOD_BUFFERED, FILE_ANY_ACCESS)
1652 #define FSCTL_FILESYSTEM_GET_STATISTICS CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 24, METHOD_BUFFERED, FILE_ANY_ACCESS)
1653
1654 #if (VER_PRODUCTBUILD >= 1381)
1655
1656 #define FSCTL_GET_NTFS_VOLUME_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 25, METHOD_BUFFERED, FILE_ANY_ACCESS)
1657 #define FSCTL_GET_NTFS_FILE_RECORD CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 26, METHOD_BUFFERED, FILE_ANY_ACCESS)
1658 #define FSCTL_GET_VOLUME_BITMAP CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 27, METHOD_NEITHER, FILE_ANY_ACCESS)
1659 #define FSCTL_GET_RETRIEVAL_POINTERS CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 28, METHOD_NEITHER, FILE_ANY_ACCESS)
1660 #define FSCTL_MOVE_FILE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 29, METHOD_BUFFERED, FILE_ANY_ACCESS)
1661 #define FSCTL_IS_VOLUME_DIRTY CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 30, METHOD_BUFFERED, FILE_ANY_ACCESS)
1662 #define FSCTL_GET_HFS_INFORMATION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 31, METHOD_BUFFERED, FILE_ANY_ACCESS)
1663 #define FSCTL_ALLOW_EXTENDED_DASD_IO CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 32, METHOD_NEITHER, FILE_ANY_ACCESS)
1664
1665 #endif // (VER_PRODUCTBUILD >= 1381)
1666
1667 #if (VER_PRODUCTBUILD >= 2195)
1668
1669 #define FSCTL_READ_PROPERTY_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 33, METHOD_NEITHER, FILE_ANY_ACCESS)
1670 #define FSCTL_WRITE_PROPERTY_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 34, METHOD_NEITHER, FILE_ANY_ACCESS)
1671 #define FSCTL_FIND_FILES_BY_SID CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 35, METHOD_NEITHER, FILE_ANY_ACCESS)
1672
1673 #define FSCTL_DUMP_PROPERTY_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 37, METHOD_NEITHER, FILE_ANY_ACCESS)
1674 #define FSCTL_SET_OBJECT_ID CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 38, METHOD_BUFFERED, FILE_WRITE_DATA)
1675 #define FSCTL_GET_OBJECT_ID CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 39, METHOD_BUFFERED, FILE_ANY_ACCESS)
1676 #define FSCTL_DELETE_OBJECT_ID CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 40, METHOD_BUFFERED, FILE_WRITE_DATA)
1677 #define FSCTL_SET_REPARSE_POINT CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 41, METHOD_BUFFERED, FILE_WRITE_DATA)
1678 #define FSCTL_GET_REPARSE_POINT CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 42, METHOD_BUFFERED, FILE_ANY_ACCESS)
1679 #define FSCTL_DELETE_REPARSE_POINT CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 43, METHOD_BUFFERED, FILE_WRITE_DATA)
1680 #define FSCTL_ENUM_USN_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 44, METHOD_NEITHER, FILE_READ_DATA)
1681 #define FSCTL_SECURITY_ID_CHECK CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 45, METHOD_NEITHER, FILE_READ_DATA)
1682 #define FSCTL_READ_USN_JOURNAL CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 46, METHOD_NEITHER, FILE_READ_DATA)
1683 #define FSCTL_SET_OBJECT_ID_EXTENDED CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 47, METHOD_BUFFERED, FILE_WRITE_DATA)
1684 #define FSCTL_CREATE_OR_GET_OBJECT_ID CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 48, METHOD_BUFFERED, FILE_ANY_ACCESS)
1685 #define FSCTL_SET_SPARSE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 49, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
1686 #define FSCTL_SET_ZERO_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 50, METHOD_BUFFERED, FILE_WRITE_DATA)
1687 #define FSCTL_QUERY_ALLOCATED_RANGES CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 51, METHOD_NEITHER, FILE_READ_DATA)
1688 #define FSCTL_ENABLE_UPGRADE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 52, METHOD_BUFFERED, FILE_WRITE_DATA)
1689 #define FSCTL_SET_ENCRYPTION CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 53, METHOD_BUFFERED, FILE_ANY_ACCESS)
1690 #define FSCTL_ENCRYPTION_FSCTL_IO CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 54, METHOD_NEITHER, FILE_ANY_ACCESS)
1691 #define FSCTL_WRITE_RAW_ENCRYPTED CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 55, METHOD_NEITHER, FILE_ANY_ACCESS)
1692 #define FSCTL_READ_RAW_ENCRYPTED CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 56, METHOD_NEITHER, FILE_ANY_ACCESS)
1693 #define FSCTL_CREATE_USN_JOURNAL CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 57, METHOD_NEITHER, FILE_READ_DATA)
1694 #define FSCTL_READ_FILE_USN_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 58, METHOD_NEITHER, FILE_READ_DATA)
1695 #define FSCTL_WRITE_USN_CLOSE_RECORD CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 59, METHOD_NEITHER, FILE_READ_DATA)
1696 #define FSCTL_EXTEND_VOLUME CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 60, METHOD_BUFFERED, FILE_ANY_ACCESS)
1697 #define FSCTL_QUERY_USN_JOURNAL CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 61, METHOD_BUFFERED, FILE_ANY_ACCESS)
1698 #define FSCTL_DELETE_USN_JOURNAL CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 62, METHOD_BUFFERED, FILE_ANY_ACCESS)
1699 #define FSCTL_MARK_HANDLE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 63, METHOD_BUFFERED, FILE_ANY_ACCESS)
1700 #define FSCTL_SIS_COPYFILE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 64, METHOD_BUFFERED, FILE_ANY_ACCESS)
1701 #define FSCTL_SIS_LINK_FILES CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 65, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)
1702 #define FSCTL_HSM_MSG CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 66, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)
1703 #define FSCTL_NSS_CONTROL CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 67, METHOD_BUFFERED, FILE_WRITE_DATA)
1704 #define FSCTL_HSM_DATA CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 68, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA)
1705 #define FSCTL_RECALL_FILE CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 69, METHOD_NEITHER, FILE_ANY_ACCESS)
1706 #define FSCTL_NSS_RCONTROL CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 70, METHOD_BUFFERED, FILE_READ_DATA)
1707 #define FSCTL_READ_FROM_PLEX CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 71, METHOD_OUT_DIRECT, FILE_READ_DATA)
1708 #define FSCTL_FILE_PREFETCH CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 72, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
1709
1710 #endif // (VER_PRODUCTBUILD >= 2195)
1711
1712 #define FSCTL_MAILSLOT_PEEK CTL_CODE(FILE_DEVICE_MAILSLOT, 0, METHOD_NEITHER, FILE_READ_DATA)
1713
1714 #define FSCTL_NETWORK_SET_CONFIGURATION_INFO CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 102, METHOD_IN_DIRECT, FILE_ANY_ACCESS)
1715 #define FSCTL_NETWORK_GET_CONFIGURATION_INFO CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 103, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
1716 #define FSCTL_NETWORK_GET_CONNECTION_INFO CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 104, METHOD_NEITHER, FILE_ANY_ACCESS)
1717 #define FSCTL_NETWORK_ENUMERATE_CONNECTIONS CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 105, METHOD_NEITHER, FILE_ANY_ACCESS)
1718 #define FSCTL_NETWORK_DELETE_CONNECTION CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 107, METHOD_BUFFERED, FILE_ANY_ACCESS)
1719 #define FSCTL_NETWORK_GET_STATISTICS CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 116, METHOD_BUFFERED, FILE_ANY_ACCESS)
1720 #define FSCTL_NETWORK_SET_DOMAIN_NAME CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 120, METHOD_BUFFERED, FILE_ANY_ACCESS)
1721 #define FSCTL_NETWORK_REMOTE_BOOT_INIT_SCRT CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 250, METHOD_BUFFERED, FILE_ANY_ACCESS)
1722
1723 #define FSCTL_PIPE_ASSIGN_EVENT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 0, METHOD_BUFFERED, FILE_ANY_ACCESS)
1724 #define FSCTL_PIPE_DISCONNECT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 1, METHOD_BUFFERED, FILE_ANY_ACCESS)
1725 #define FSCTL_PIPE_LISTEN CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2, METHOD_BUFFERED, FILE_ANY_ACCESS)
1726 #define FSCTL_PIPE_PEEK CTL_CODE(FILE_DEVICE_NAMED_PIPE, 3, METHOD_BUFFERED, FILE_READ_DATA)
1727 #define FSCTL_PIPE_QUERY_EVENT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 4, METHOD_BUFFERED, FILE_ANY_ACCESS)
1728 #define FSCTL_PIPE_TRANSCEIVE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 5, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA)
1729 #define FSCTL_PIPE_WAIT CTL_CODE(FILE_DEVICE_NAMED_PIPE, 6, METHOD_BUFFERED, FILE_ANY_ACCESS)
1730 #define FSCTL_PIPE_IMPERSONATE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 7, METHOD_BUFFERED, FILE_ANY_ACCESS)
1731 #define FSCTL_PIPE_SET_CLIENT_PROCESS CTL_CODE(FILE_DEVICE_NAMED_PIPE, 8, METHOD_BUFFERED, FILE_ANY_ACCESS)
1732 #define FSCTL_PIPE_QUERY_CLIENT_PROCESS CTL_CODE(FILE_DEVICE_NAMED_PIPE, 9, METHOD_BUFFERED, FILE_ANY_ACCESS)
1733 #define FSCTL_PIPE_INTERNAL_READ CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2045, METHOD_BUFFERED, FILE_READ_DATA)
1734 #define FSCTL_PIPE_INTERNAL_WRITE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2046, METHOD_BUFFERED, FILE_WRITE_DATA)
1735 #define FSCTL_PIPE_INTERNAL_TRANSCEIVE CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2047, METHOD_NEITHER, FILE_READ_DATA | FILE_WRITE_DATA)
1736 #define FSCTL_PIPE_INTERNAL_READ_OVFLOW CTL_CODE(FILE_DEVICE_NAMED_PIPE, 2048, METHOD_BUFFERED, FILE_READ_DATA)
1737
1738 #define IOCTL_REDIR_QUERY_PATH CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 99, METHOD_NEITHER, FILE_ANY_ACCESS)
1739
1740 typedef PVOID PEJOB;
1741 typedef PVOID PNOTIFY_SYNC;
1742 typedef PVOID OPLOCK, *POPLOCK;
1743 typedef PVOID PWOW64_PROCESS;
1744
1745 typedef ULONG LBN;
1746 typedef LBN *PLBN;
1747
1748 typedef ULONG VBN;
1749 typedef VBN *PVBN;
1750
1751 typedef struct _CACHE_MANAGER_CALLBACKS *PCACHE_MANAGER_CALLBACKS;
1752 typedef struct _EPROCESS_QUOTA_BLOCK *PEPROCESS_QUOTA_BLOCK;
1753 typedef struct _FILE_GET_QUOTA_INFORMATION *PFILE_GET_QUOTA_INFORMATION;
1754 typedef struct _HANDLE_TABLE *PHANDLE_TABLE;
1755 typedef struct _KEVENT_PAIR *PKEVENT_PAIR;
1756 typedef struct _KPROCESS *PKPROCESS;
1757 typedef struct _KQUEUE *PKQUEUE;
1758 typedef struct _KTRAP_FRAME *PKTRAP_FRAME;
1759 typedef struct _LPC_MESSAGE *PLPC_MESSAGE;
1760 typedef struct _MAILSLOT_CREATE_PARAMETERS *PMAILSLOT_CREATE_PARAMETERS;
1761 typedef struct _MMWSL *PMMWSL;
1762 typedef struct _NAMED_PIPE_CREATE_PARAMETERS *PNAMED_PIPE_CREATE_PARAMETERS;
1763 typedef struct _OBJECT_DIRECTORY *POBJECT_DIRECTORY;
1764 typedef struct _PAGEFAULT_HISTORY *PPAGEFAULT_HISTORY;
1765 typedef struct _PEB *PPEB;
1766 typedef struct _PS_IMPERSONATION_INFORMATION *PPS_IMPERSONATION_INFORMATION;
1767 typedef struct _SECTION_OBJECT *PSECTION_OBJECT;
1768 typedef struct _SERVICE_DESCRIPTOR_TABLE *PSERVICE_DESCRIPTOR_TABLE;
1769 typedef struct _SHARED_CACHE_MAP *PSHARED_CACHE_MAP;
1770 typedef struct _TERMINATION_PORT *PTERMINATION_PORT;
1771 typedef struct _VACB *PVACB;
1772 typedef struct _VAD_HEADER *PVAD_HEADER;
1773
1774 #if (VER_PRODUCTBUILD < 2195)
1775 typedef ULONG SIZE_T, *PSIZE_T;
1776 #endif
1777
1778 typedef enum _FAST_IO_POSSIBLE {
1779 FastIoIsNotPossible,
1780 FastIoIsPossible,
1781 FastIoIsQuestionable
1782 } FAST_IO_POSSIBLE;
1783
1784 typedef enum _FILE_STORAGE_TYPE {
1785 StorageTypeDefault = 1,
1786 StorageTypeDirectory,
1787 StorageTypeFile,
1788 StorageTypeJunctionPoint,
1789 StorageTypeCatalog,
1790 StorageTypeStructuredStorage,
1791 StorageTypeEmbedding,
1792 StorageTypeStream
1793 } FILE_STORAGE_TYPE;
1794
1795 typedef enum _IO_COMPLETION_INFORMATION_CLASS {
1796 IoCompletionBasicInformation
1797 } IO_COMPLETION_INFORMATION_CLASS;
1798
1799 #if (VER_PRODUCTBUILD == 2195)
1800
1801 typedef enum _KSPIN_LOCK_QUEUE_NUMBER {
1802 LockQueueDispatcherLock,
1803 LockQueueContextSwapLock,
1804 LockQueuePfnLock,
1805 LockQueueSystemSpaceLock,
1806 LockQueueVacbLock,
1807 LockQueueMasterLock,
1808 LockQueueNonPagedPoolLock,
1809 LockQueueIoCancelLock,
1810 LockQueueWorkQueueLock,
1811 LockQueueIoVpbLock,
1812 LockQueueIoDatabaseLock,
1813 LockQueueIoCompletionLock,
1814 LockQueueNtfsStructLock,
1815 LockQueueAfdWorkQueueLock,
1816 LockQueueBcbLock,
1817 LockQueueMaximumLock
1818 } KSPIN_LOCK_QUEUE_NUMBER;
1819
1820 #endif // (VER_PRODUCTBUILD == 2195)
1821
1822 typedef enum _LPC_TYPE {
1823 LPC_NEW_MESSAGE,
1824 LPC_REQUEST,
1825 LPC_REPLY,
1826 LPC_DATAGRAM,
1827 LPC_LOST_REPLY,
1828 LPC_PORT_CLOSED,
1829 LPC_CLIENT_DIED,
1830 LPC_EXCEPTION,
1831 LPC_DEBUG_EVENT,
1832 LPC_ERROR_EVENT,
1833 LPC_CONNECTION_REQUEST
1834 } LPC_TYPE;
1835
1836 typedef enum _MMFLUSH_TYPE {
1837 MmFlushForDelete,
1838 MmFlushForWrite
1839 } MMFLUSH_TYPE;
1840
1841 typedef enum _OBJECT_INFO_CLASS {
1842 ObjectBasicInfo,
1843 ObjectNameInfo,
1844 ObjectTypeInfo,
1845 ObjectAllTypesInfo,
1846 ObjectProtectionInfo
1847 } OBJECT_INFO_CLASS;
1848
1849 typedef enum _PORT_INFORMATION_CLASS {
1850 PortNoInformation
1851 } PORT_INFORMATION_CLASS;
1852
1853 typedef enum _SECTION_INFORMATION_CLASS {
1854 SectionBasicInformation,
1855 SectionImageInformation
1856 } SECTION_INFORMATION_CLASS;
1857
1858 typedef enum _SID_NAME_USE {
1859 SidTypeUser = 1,
1860 SidTypeGroup,
1861 SidTypeDomain,
1862 SidTypeAlias,
1863 SidTypeWellKnownGroup,
1864 SidTypeDeletedAccount,
1865 SidTypeInvalid,
1866 SidTypeUnknown
1867 } SID_NAME_USE;
1868
1869 typedef enum _SYSTEM_INFORMATION_CLASS {
1870 SystemBasicInformation,
1871 SystemProcessorInformation,
1872 SystemPerformanceInformation,
1873 SystemTimeOfDayInformation,
1874 SystemNotImplemented1,
1875 SystemProcessesAndThreadsInformation,
1876 SystemCallCounts,
1877 SystemConfigurationInformation,
1878 SystemProcessorTimes,
1879 SystemGlobalFlag,
1880 SystemNotImplemented2,
1881 SystemModuleInformation,
1882 SystemLockInformation,
1883 SystemNotImplemented3,
1884 SystemNotImplemented4,
1885 SystemNotImplemented5,
1886 SystemHandleInformation,
1887 SystemObjectInformation,
1888 SystemPagefileInformation,
1889 SystemInstructionEmulationCounts,
1890 SystemInvalidInfoClass1,
1891 SystemCacheInformation,
1892 SystemPoolTagInformation,
1893 SystemProcessorStatistics,
1894 SystemDpcInformation,
1895 SystemNotImplemented6,
1896 SystemLoadImage,
1897 SystemUnloadImage,
1898 SystemTimeAdjustment,
1899 SystemNotImplemented7,
1900 SystemNotImplemented8,
1901 SystemNotImplemented9,
1902 SystemCrashDumpInformation,
1903 SystemExceptionInformation,
1904 SystemCrashDumpStateInformation,
1905 SystemKernelDebuggerInformation,
1906 SystemContextSwitchInformation,
1907 SystemRegistryQuotaInformation,
1908 SystemLoadAndCallImage,
1909 SystemPrioritySeparation,
1910 SystemNotImplemented10,
1911 SystemNotImplemented11,
1912 SystemInvalidInfoClass2,
1913 SystemInvalidInfoClass3,
1914 SystemTimeZoneInformation,
1915 SystemLookasideInformation,
1916 SystemSetTimeSlipEvent,
1917 SystemCreateSession,
1918 SystemDeleteSession,
1919 SystemInvalidInfoClass4,
1920 SystemRangeStartInformation,
1921 SystemVerifierInformation,
1922 SystemAddVerifier,
1923 SystemSessionProcessesInformation
1924 } SYSTEM_INFORMATION_CLASS;
1925
1926 typedef enum _THREAD_STATE {
1927 StateInitialized,
1928 StateReady,
1929 StateRunning,
1930 StateStandby,
1931 StateTerminated,
1932 StateWait,
1933 StateTransition,
1934 StateUnknown
1935 } THREAD_STATE;
1936
1937 typedef enum _TOKEN_INFORMATION_CLASS {
1938 TokenUser = 1,
1939 TokenGroups,
1940 TokenPrivileges,
1941 TokenOwner,
1942 TokenPrimaryGroup,
1943 TokenDefaultDacl,
1944 TokenSource,
1945 TokenType,
1946 TokenImpersonationLevel,
1947 TokenStatistics,
1948 TokenRestrictedSids
1949 } TOKEN_INFORMATION_CLASS;
1950
1951 typedef enum _TOKEN_TYPE {
1952 TokenPrimary = 1,
1953 TokenImpersonation
1954 } TOKEN_TYPE;
1955
1956 typedef struct _HARDWARE_PTE_X86 {
1957 ULONG Valid : 1;
1958 ULONG Write : 1;
1959 ULONG Owner : 1;
1960 ULONG WriteThrough : 1;
1961 ULONG CacheDisable : 1;
1962 ULONG Accessed : 1;
1963 ULONG Dirty : 1;
1964 ULONG LargePage : 1;
1965 ULONG Global : 1;
1966 ULONG CopyOnWrite : 1;
1967 ULONG Prototype : 1;
1968 ULONG reserved : 1;
1969 ULONG PageFrameNumber : 20;
1970 } HARDWARE_PTE_X86, *PHARDWARE_PTE_X86;
1971
1972 typedef struct _KAPC_STATE {
1973 LIST_ENTRY ApcListHead[2];
1974 PKPROCESS Process;
1975 BOOLEAN KernelApcInProgress;
1976 BOOLEAN KernelApcPending;
1977 BOOLEAN UserApcPending;
1978 } KAPC_STATE, *PKAPC_STATE;
1979
1980 typedef struct _KGDTENTRY {
1981 USHORT LimitLow;
1982 USHORT BaseLow;
1983 union {
1984 struct {
1985 UCHAR BaseMid;
1986 UCHAR Flags1;
1987 UCHAR Flags2;
1988 UCHAR BaseHi;
1989 } Bytes;
1990 struct {
1991 ULONG BaseMid : 8;
1992 ULONG Type : 5;
1993 ULONG Dpl : 2;
1994 ULONG Pres : 1;
1995 ULONG LimitHi : 4;
1996 ULONG Sys : 1;
1997 ULONG Reserved_0 : 1;
1998 ULONG Default_Big : 1;
1999 ULONG Granularity : 1;
2000 ULONG BaseHi : 8;
2001 } Bits;
2002 } HighWord;
2003 } KGDTENTRY, *PKGDTENTRY;
2004
2005 typedef struct _KIDTENTRY {
2006 USHORT Offset;
2007 USHORT Selector;
2008 USHORT Access;
2009 USHORT ExtendedOffset;
2010 } KIDTENTRY, *PKIDTENTRY;
2011
2012 #if (VER_PRODUCTBUILD >= 2600)
2013
2014 typedef struct _KPROCESS {
2015 DISPATCHER_HEADER Header;
2016 LIST_ENTRY ProfileListHead;
2017 ULONG DirectoryTableBase[2];
2018 KGDTENTRY LdtDescriptor;
2019 KIDTENTRY Int21Descriptor;
2020 USHORT IopmOffset;
2021 UCHAR Iopl;
2022 UCHAR Unused;
2023 ULONG ActiveProcessors;
2024 ULONG KernelTime;
2025 ULONG UserTime;
2026 LIST_ENTRY ReadyListHead;
2027 SINGLE_LIST_ENTRY SwapListEntry;
2028 PVOID VdmTrapcHandler;
2029 LIST_ENTRY ThreadListHead;
2030 KSPIN_LOCK ProcessLock;
2031 KAFFINITY Affinity;
2032 USHORT StackCount;
2033 CHAR BasePriority;
2034 CHAR ThreadQuantum;
2035 BOOLEAN AutoAlignment;
2036 UCHAR State;
2037 UCHAR ThreadSeed;
2038 BOOLEAN DisableBoost;
2039 UCHAR PowerState;
2040 BOOLEAN DisableQuantum;
2041 UCHAR IdealNode;
2042 UCHAR Spare;
2043 } KPROCESS, *PKPROCESS;
2044
2045 #else
2046
2047 typedef struct _KPROCESS {
2048 DISPATCHER_HEADER Header;
2049 LIST_ENTRY ProfileListHead;
2050 ULONG DirectoryTableBase[2];
2051 KGDTENTRY LdtDescriptor;
2052 KIDTENTRY Int21Descriptor;
2053 USHORT IopmOffset;
2054 UCHAR Iopl;
2055 UCHAR VdmFlag;
2056 ULONG ActiveProcessors;
2057 ULONG KernelTime;
2058 ULONG UserTime;
2059 LIST_ENTRY ReadyListHead;
2060 SINGLE_LIST_ENTRY SwapListEntry;
2061 PVOID Reserved1;
2062 LIST_ENTRY ThreadListHead;
2063 KSPIN_LOCK ProcessLock;
2064 KAFFINITY Affinity;
2065 USHORT StackCount;
2066 UCHAR BasePriority;
2067 UCHAR ThreadQuantum;
2068 BOOLEAN AutoAlignment;
2069 UCHAR State;
2070 UCHAR ThreadSeed;
2071 BOOLEAN DisableBoost;
2072 #if (VER_PRODUCTBUILD >= 2195)
2073 UCHAR PowerState;
2074 BOOLEAN DisableQuantum;
2075 UCHAR IdealNode;
2076 UCHAR Spare;
2077 #endif // (VER_PRODUCTBUILD >= 2195)
2078 } KPROCESS, *PKPROCESS;
2079
2080 #endif
2081
2082 #if (VER_PRODUCTBUILD >= 3790)
2083
2084 typedef struct _KTHREAD {
2085 DISPATCHER_HEADER Header;
2086 LIST_ENTRY MutantListHead; // 0x10
2087 PVOID InitialStack; // 0x18
2088 PVOID StackLimit; // 0x1c
2089 PVOID KernelStack; // 0x20
2090 ULONG ThreadLock; // 0x24
2091 ULONG ContextSwitches; // 0x28
2092 UCHAR State; // 0x2c
2093 UCHAR NpxState; // 0x2d
2094 UCHAR WaitIrql; // 0x2e
2095 CHAR WaitMode; // 0x2f
2096 struct _TEB *Teb; // 0x30
2097 KAPC_STATE ApcState; // 0x34
2098 KSPIN_LOCK ApcQueueLock; // 0x4c
2099 NTSTATUS WaitStatus; // 0x50
2100 PKWAIT_BLOCK WaitBlockList; // 0x54
2101 BOOLEAN Alertable; // 0x58
2102 UCHAR WaitNext; // 0x59
2103 UCHAR WaitReason; // 0x5a
2104 CHAR Priority; // 0x5b
2105 BOOLEAN EnableStackSwap; // 0x5c
2106 BOOLEAN SwapBusy; // 0x5d
2107 UCHAR Alerted[2]; // 0x5e
2108 union {
2109 LIST_ENTRY WaitListEntry; // 0x60
2110 SINGLE_LIST_ENTRY SwapListEntry; // 0x60
2111 };
2112 PKQUEUE Queue; // 0x68
2113 ULONG WaitTime; // 0x6c
2114 union {
2115 struct {
2116 USHORT KernelApcDisable; // 0x70
2117 USHORT SpecialApcDisable; // 0x72
2118 };
2119 USHORT CombinedApcDisable; // 0x70
2120 };
2121 KTIMER Timer; // 0x78
2122 KWAIT_BLOCK WaitBlock[4]; // 0xa0
2123 LIST_ENTRY QueueListEntry; // 0x100
2124 UCHAR ApcStateIndex; // 0x108
2125 BOOLEAN ApcQueueable; // 0x109
2126 BOOLEAN Preempted; // 0x10a
2127 BOOLEAN ProcessReadyQueue; // 0x10b
2128 BOOLEAN KernelStackResident; // 0x10c
2129 CHAR Saturation; // 0x10d
2130 UCHAR IdealProcessor; // 0x10e
2131 UCHAR NextProcessor; // 0x10f
2132 CHAR BasePriority; // 0x110
2133 UCHAR Spare4; // 0x111
2134 CHAR PriorityDecrement; // 0x112
2135 CHAR Quantum; // 0x113
2136 BOOLEAN SystemAffinityActive; // 0x114
2137 CHAR PreviousMode; // 0x115
2138 UCHAR ResourceIndex; // 0x116
2139 BOOLEAN DisableBoost; // 0x117
2140 ULONG UserAffinity; // 0x118
2141 PKPROCESS Process; // 0x11c
2142 ULONG Affinity; // 0x120
2143 PSERVICE_DESCRIPTOR_TABLE ServiceTable; // 0x124
2144 PKAPC_STATE ApcStatePointer[2]; // 0x128
2145 KAPC_STATE SavedApcState; // 0x130
2146 PVOID CallbackStack; // 0x148
2147 PVOID Win32Thread; // 0x14c
2148 PKTRAP_FRAME TrapFrame; // 0x150
2149 ULONG KernelTime; // 0x154
2150 ULONG UserTime; // 0x158
2151 PVOID StackBase; // 0x15c
2152 KAPC SuspendApc; // 0x160
2153 KSEMAPHORE SuspendSemaphore; // 0x190
2154 PVOID TlsArray; // 0x1a4
2155 PVOID LegoData; // 0x1a8
2156 LIST_ENTRY ThreadListEntry; // 0x1ac
2157 BOOLEAN LargeStack; // 0x1b4
2158 UCHAR PowerState; // 0x1b5
2159 UCHAR NpxIrql; // 0x1b6
2160 UCHAR Spare5; // 0x1b7
2161 BOOLEAN AutoAlignment; // 0x1b8
2162 UCHAR Iopl; // 0x1b9
2163 CHAR FreezeCount; // 0x1ba
2164 CHAR SuspendCount; // 0x1bb
2165 UCHAR Spare0[1]; // 0x1bc
2166 UCHAR UserIdealProcessor; // 0x1bd
2167 UCHAR DeferredProcessor; // 0x1be
2168 UCHAR AdjustReason; // 0x1bf
2169 CHAR AdjustIncrement; // 0x1c0
2170 UCHAR Spare2[3]; // 0x1c1
2171 } KTHREAD, *PKTHREAD;
2172
2173 #elif (VER_PRODUCTBUILD >= 2600)
2174
2175 typedef struct _KTHREAD {
2176 DISPATCHER_HEADER Header;
2177 LIST_ENTRY MutantListHead;
2178 PVOID InitialStack;
2179 PVOID StackLimit;
2180 struct _TEB *Teb;
2181 PVOID TlsArray;
2182 PVOID KernelStack;
2183 BOOLEAN DebugActive;
2184 UCHAR State;
2185 UCHAR Alerted[2];
2186 UCHAR Iopl;
2187 UCHAR NpxState;
2188 CHAR Saturation;
2189 CHAR Priority;
2190 KAPC_STATE ApcState;
2191 ULONG ContextSwitches;
2192 UCHAR IdleSwapBlock;
2193 UCHAR Spare0[3];
2194 NTSTATUS WaitStatus;
2195 UCHAR WaitIrql;
2196 CHAR WaitMode;
2197 UCHAR WaitNext;
2198 UCHAR WaitReason;
2199 PKWAIT_BLOCK WaitBlockList;
2200 union {
2201 LIST_ENTRY WaitListEntry;
2202 SINGLE_LIST_ENTRY SwapListEntry;
2203 };
2204 ULONG WaitTime;
2205 CHAR BasePriority;
2206 UCHAR DecrementCount;
2207 CHAR PriorityDecrement;
2208 CHAR Quantum;
2209 KWAIT_BLOCK WaitBlock[4];
2210 PVOID LegoData;
2211 ULONG KernelApcDisable;
2212 ULONG UserAffinity;
2213 BOOLEAN SystemAffinityActive;
2214 UCHAR PowerState;
2215 UCHAR NpxIrql;
2216 UCHAR InitialNode;
2217 PSERVICE_DESCRIPTOR_TABLE ServiceTable;
2218 PKQUEUE Queue;
2219 KSPIN_LOCK ApcQueueLock;
2220 KTIMER Timer;
2221 LIST_ENTRY QueueListEntry;
2222 ULONG SoftAffinity;
2223 ULONG Affinity;
2224 BOOLEAN Preempted;
2225 BOOLEAN ProcessReadyQueue;
2226 BOOLEAN KernelStackResident;
2227 UCHAR NextProcessor;
2228 PVOID CallbackStack;
2229 PVOID Win32Thread;
2230 PKTRAP_FRAME TrapFrame;
2231 PKAPC_STATE ApcStatePointer[2];
2232 CHAR PreviousMode;
2233 BOOLEAN EnableStackSwap;
2234 BOOLEAN LargeStack;
2235 UCHAR ResourceIndex;
2236 ULONG KernelTime;
2237 ULONG UserTime;
2238 KAPC_STATE SavedApcState;
2239 BOOLEAN Alertable;
2240 UCHAR ApcStateIndex;
2241 BOOLEAN ApcQueueable;
2242 BOOLEAN AutoAlignment;
2243 PVOID StackBase;
2244 KAPC SuspendApc;
2245 KSEMAPHORE SuspendSemaphore;
2246 LIST_ENTRY ThreadListEntry;
2247 CHAR FreezeCount;
2248 CHAR SuspendCount;
2249 UCHAR IdealProcessor;
2250 BOOLEAN DisableBoost;
2251 } KTHREAD, *PKTHREAD;
2252
2253 #else
2254
2255 typedef struct _KTHREAD {
2256 DISPATCHER_HEADER Header;
2257 LIST_ENTRY MutantListHead;
2258 PVOID InitialStack;
2259 PVOID StackLimit;
2260 struct _TEB *Teb;
2261 PVOID TlsArray;
2262 PVOID KernelStack;
2263 BOOLEAN DebugActive;
2264 UCHAR State;
2265 USHORT Alerted;
2266 UCHAR Iopl;
2267 UCHAR NpxState;
2268 UCHAR Saturation;
2269 UCHAR Priority;
2270 KAPC_STATE ApcState;
2271 ULONG ContextSwitches;
2272 NTSTATUS WaitStatus;
2273 UCHAR WaitIrql;
2274 UCHAR WaitMode;
2275 UCHAR WaitNext;
2276 UCHAR WaitReason;
2277 PKWAIT_BLOCK WaitBlockList;
2278 LIST_ENTRY WaitListEntry;
2279 ULONG WaitTime;
2280 UCHAR BasePriority;
2281 UCHAR DecrementCount;
2282 UCHAR PriorityDecrement;
2283 UCHAR Quantum;
2284 KWAIT_BLOCK WaitBlock[4];
2285 ULONG LegoData;
2286 ULONG KernelApcDisable;
2287 ULONG UserAffinity;
2288 BOOLEAN SystemAffinityActive;
2289 #if (VER_PRODUCTBUILD < 2195)
2290 UCHAR Pad[3];
2291 #else // (VER_PRODUCTBUILD >= 2195)
2292 UCHAR PowerState;
2293 UCHAR NpxIrql;
2294 UCHAR Pad[1];
2295 #endif // (VER_PRODUCTBUILD >= 2195)
2296 PSERVICE_DESCRIPTOR_TABLE ServiceDescriptorTable;
2297 PKQUEUE Queue;
2298 KSPIN_LOCK ApcQueueLock;
2299 KTIMER Timer;
2300 LIST_ENTRY QueueListEntry;
2301 ULONG Affinity;
2302 BOOLEAN Preempted;
2303 BOOLEAN ProcessReadyQueue;
2304 BOOLEAN KernelStackResident;
2305 UCHAR NextProcessor;
2306 PVOID CallbackStack;
2307 PVOID Win32Thread;
2308 PKTRAP_FRAME TrapFrame;
2309 PKAPC_STATE ApcStatePointer[2];
2310 #if (VER_PRODUCTBUILD >= 2195)
2311 UCHAR PreviousMode;
2312 #endif // (VER_PRODUCTBUILD >= 2195)
2313 BOOLEAN EnableStackSwap;
2314 BOOLEAN LargeStack;
2315 UCHAR ResourceIndex;
2316 #if (VER_PRODUCTBUILD < 2195)
2317 UCHAR PreviousMode;
2318 #endif // (VER_PRODUCTBUILD < 2195)
2319 ULONG KernelTime;
2320 ULONG UserTime;
2321 KAPC_STATE SavedApcState;
2322 BOOLEAN Alertable;
2323 UCHAR ApcStateIndex;
2324 BOOLEAN ApcQueueable;
2325 BOOLEAN AutoAlignment;
2326 PVOID StackBase;
2327 KAPC SuspendApc;
2328 KSEMAPHORE SuspendSemaphore;
2329 LIST_ENTRY ThreadListEntry;
2330 UCHAR FreezeCount;
2331 UCHAR SuspendCount;
2332 UCHAR IdealProcessor;
2333 BOOLEAN DisableBoost;
2334 } KTHREAD, *PKTHREAD;
2335
2336 #endif
2337
2338 #if (VER_PRODUCTBUILD >= 3790)
2339
2340 typedef struct _MMSUPPORT_FLAGS {
2341 ULONG SessionSpace : 1;
2342 ULONG BeingTrimmed : 1;
2343 ULONG SessionLeader : 1;
2344 ULONG TrimHard : 1;
2345 ULONG MaximumWorkingSetHard : 1;
2346 ULONG ForceTrim : 1;
2347 ULONG MinimumWorkingSetHard : 1;
2348 ULONG Available0 : 1;
2349 ULONG MemoryPriority : 8;
2350 ULONG GrowWsleHash : 1;
2351 ULONG AcquiredUnsafe : 1;
2352 ULONG Available : 14;
2353 } MMSUPPORT_FLAGS, *PMMSUPPORT_FLAGS;
2354
2355 #elif (VER_PRODUCTBUILD >= 2600)
2356
2357 typedef struct _MMSUPPORT_FLAGS {
2358 ULONG SessionSpace : 1;
2359 ULONG BeingTrimmed : 1;
2360 ULONG SessionLeader : 1;
2361 ULONG TrimHard : 1;
2362 ULONG WorkingSetHard : 1;
2363 ULONG AddressSpaceBeingDeleted : 1;
2364 ULONG Available : 10;
2365 ULONG AllowWorkingSetAdjustment : 8;
2366 ULONG MemoryPriority : 8;
2367 } MMSUPPORT_FLAGS, *PMMSUPPORT_FLAGS;
2368
2369 #else
2370
2371 typedef struct _MMSUPPORT_FLAGS {
2372 ULONG SessionSpace : 1;
2373 ULONG BeingTrimmed : 1;
2374 ULONG ProcessInSession : 1;
2375 ULONG SessionLeader : 1;
2376 ULONG TrimHard : 1;
2377 ULONG WorkingSetHard : 1;
2378 ULONG WriteWatch : 1;
2379 ULONG Filler : 25;
2380 } MMSUPPORT_FLAGS, *PMMSUPPORT_FLAGS;
2381
2382 #endif
2383
2384 #if (VER_PRODUCTBUILD >= 3790)
2385 /*
2386 typedef struct _KGUARDED_MUTEX {
2387 LONG Count;
2388 PKTHREAD Owner; // 0x4
2389 ULONG Contention; // 0x8
2390 KEVENT Event; // 0xc
2391 union {
2392 struct {
2393 USHORT KernelApcDisable; // 0x1c
2394 USHORT SpecialApcDisable; // 0x1e
2395 };
2396 USHORT CombinedApcDisable; // 0x1c
2397 };
2398 } KGUARDED_MUTEX, *PKGUARDED_MUTEX;
2399 */
2400 typedef struct _MMSUPPORT {
2401 LIST_ENTRY WorkingSetExpansionLinks;
2402 LARGE_INTEGER LastTrimTime; // 0x8
2403 MMSUPPORT_FLAGS Flags; // 0x10
2404 ULONG PageFaultCount; // 0x14
2405 ULONG PeakWorkingSetSize; // 0x18
2406 ULONG GrowthSinceLastEstimate; // 0x1c
2407 ULONG MinimumWorkingSetSize; // 0x20
2408 ULONG MaximumWorkingSetSize; // 0x24
2409 PMMWSL VmWorkingSetList; // 0x28
2410 ULONG Claim; // 0x2c
2411 ULONG NextEstimationSlot; // 0x30
2412 ULONG NextAgingSlot; // 0x34
2413 ULONG EstimatedAvailable; // 0x38
2414 ULONG WorkingSetSize; //0x3c
2415 KGUARDED_MUTEX Mutex; // 0x40
2416 } MMSUPPORT, *PMMSUPPORT;
2417
2418 #elif (VER_PRODUCTBUILD >= 2600)
2419
2420 typedef struct _MMSUPPORT {
2421 LARGE_INTEGER LastTrimTime;
2422 MMSUPPORT_FLAGS Flags;
2423 ULONG PageFaultCount;
2424 ULONG PeakWorkingSetSize;
2425 ULONG WorkingSetSize;
2426 ULONG MinimumWorkingSetSize;
2427 ULONG MaximumWorkingSetSize;
2428 PMMWSL VmWorkingSetList;
2429 LIST_ENTRY WorkingSetExpansionLinks;
2430 ULONG Claim;
2431 ULONG NextEstimationSlot;
2432 ULONG NextAgingSlot;
2433 ULONG EstimatedAvailable;
2434 ULONG GrowthSinceLastEstimate;
2435 } MMSUPPORT, *PMMSUPPORT;
2436
2437 #else
2438
2439 typedef struct _MMSUPPORT {
2440 LARGE_INTEGER LastTrimTime;
2441 ULONG LastTrimFaultCount;
2442 ULONG PageFaultCount;
2443 ULONG PeakWorkingSetSize;
2444 ULONG WorkingSetSize;
2445 ULONG MinimumWorkingSetSize;
2446 ULONG MaximumWorkingSetSize;
2447 PMMWSL VmWorkingSetList;
2448 LIST_ENTRY WorkingSetExpansionLinks;
2449 BOOLEAN AllowWorkingSetAdjustment;
2450 BOOLEAN AddressSpaceBeingDeleted;
2451 UCHAR ForegroundSwitchCount;
2452 UCHAR MemoryPriority;
2453 #if (VER_PRODUCTBUILD >= 2195)
2454 union {
2455 ULONG LongFlags;
2456 MMSUPPORT_FLAGS Flags;
2457 } u;
2458 ULONG Claim;
2459 ULONG NextEstimationSlot;
2460 ULONG NextAgingSlot;
2461 ULONG EstimatedAvailable;
2462 ULONG GrowthSinceLastEstimate;
2463 #endif // (VER_PRODUCTBUILD >= 2195)
2464 } MMSUPPORT, *PMMSUPPORT;
2465
2466 #endif
2467
2468 typedef struct _SE_AUDIT_PROCESS_CREATION_INFO {
2469 POBJECT_NAME_INFORMATION ImageFileName;
2470 } SE_AUDIT_PROCESS_CREATION_INFO, *PSE_AUDIT_PROCESS_CREATION_INFO;
2471
2472 typedef struct _SID_IDENTIFIER_AUTHORITY {
2473 UCHAR Value[6];
2474 } SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY;
2475
2476 typedef struct _SID {
2477 UCHAR Revision;
2478 UCHAR SubAuthorityCount;
2479 SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
2480 ULONG SubAuthority[1];
2481 } SID, *PREAL_SID;
2482
2483 typedef struct _BITMAP_DESCRIPTOR {
2484 ULONGLONG StartLcn;
2485 ULONGLONG ClustersToEndOfVol;
2486 UCHAR Map[1];
2487 } BITMAP_DESCRIPTOR, *PBITMAP_DESCRIPTOR;
2488
2489 typedef struct _BITMAP_RANGE {
2490 LIST_ENTRY Links;
2491 LARGE_INTEGER BasePage;
2492 ULONG FirstDirtyPage;
2493 ULONG LastDirtyPage;
2494 ULONG DirtyPages;
2495 PULONG Bitmap;
2496 } BITMAP_RANGE, *PBITMAP_RANGE;
2497
2498 typedef struct _CACHE_UNINITIALIZE_EVENT {
2499 struct _CACHE_UNINITIALIZE_EVENT *Next;
2500 KEVENT Event;
2501 } CACHE_UNINITIALIZE_EVENT, *PCACHE_UNINITIALIZE_EVENT;
2502
2503 typedef struct _CC_FILE_SIZES {
2504 LARGE_INTEGER AllocationSize;
2505 LARGE_INTEGER FileSize;
2506 LARGE_INTEGER ValidDataLength;
2507 } CC_FILE_SIZES, *PCC_FILE_SIZES;
2508
2509 typedef struct _COMPRESSED_DATA_INFO {
2510 USHORT CompressionFormatAndEngine;
2511 UCHAR CompressionUnitShift;
2512 UCHAR ChunkShift;
2513 UCHAR ClusterShift;
2514 UCHAR Reserved;
2515 USHORT NumberOfChunks;
2516 ULONG CompressedChunkSizes[ANYSIZE_ARRAY];
2517 } COMPRESSED_DATA_INFO, *PCOMPRESSED_DATA_INFO;
2518
2519 typedef struct _DEVICE_MAP {
2520 POBJECT_DIRECTORY DosDevicesDirectory;
2521 POBJECT_DIRECTORY GlobalDosDevicesDirectory;
2522 ULONG ReferenceCount;
2523 ULONG DriveMap;
2524 UCHAR DriveType[32];
2525 } DEVICE_MAP, *PDEVICE_MAP;
2526
2527 typedef struct _DIRECTORY_BASIC_INFORMATION {
2528 UNICODE_STRING ObjectName;
2529 UNICODE_STRING ObjectTypeName;
2530 } DIRECTORY_BASIC_INFORMATION, *PDIRECTORY_BASIC_INFORMATION;
2531
2532 #if (VER_PRODUCTBUILD >= 2600)
2533
2534 typedef struct _EX_FAST_REF {
2535 union {
2536 PVOID Object;
2537 ULONG RefCnt : 3;
2538 ULONG Value;
2539 };
2540 } EX_FAST_REF, *PEX_FAST_REF;
2541
2542 typedef struct _EX_PUSH_LOCK {
2543 union {
2544 struct {
2545 ULONG Waiting : 1;
2546 ULONG Exclusive : 1;
2547 ULONG Shared : 30;
2548 };
2549 ULONG Value;
2550 PVOID Ptr;
2551 };
2552 } EX_PUSH_LOCK, *PEX_PUSH_LOCK;
2553
2554 #endif // (VER_PRODUCTBUILD >= 2600)
2555
2556 #if (VER_PRODUCTBUILD == 2600)
2557
2558 typedef struct _EX_RUNDOWN_REF {
2559 union {
2560 ULONG Count;
2561 PVOID Ptr;
2562 };
2563 } EX_RUNDOWN_REF, *PEX_RUNDOWN_REF;
2564
2565 #endif // (VER_PRODUCTBUILD == 2600)
2566
2567 #if (VER_PRODUCTBUILD >= 3790)
2568
2569 typedef struct _MM_ADDRESS_NODE {
2570 union {
2571 ULONG Balance : 2;
2572 struct _MM_ADDRESS_NODE *Parent; // lower 2 bits of Parent are Balance and must be zeroed to obtain Parent
2573 };
2574 struct _MM_ADDRESS_NODE *LeftChild;
2575 struct _MM_ADDRESS_NODE *RightChild;
2576 ULONG_PTR StartingVpn;
2577 ULONG_PTR EndingVpn;
2578 } MMADDRESS_NODE, *PMMADDRESS_NODE;
2579
2580 typedef struct _MM_AVL_TABLE {
2581 MMADDRESS_NODE BalancedRoot; // Vadroot; incorrectly represents the NULL pages (EndingVpn should be 0xf, etc.)
2582 ULONG DepthOfTree : 5; // 0x14
2583 ULONG Unused : 3;
2584 ULONG NumberGenericTableElements : 24; // total number of nodes
2585 PVOID NodeHint; // 0x18 (0x270 in _EPROCESS)
2586 PVOID NodeFreeHint; // 0x1c
2587 } MM_AVL_TABLE, *PMM_AVL_TABLE;
2588
2589 typedef struct _EPROCESS {
2590 KPROCESS Pcb; // +0x000
2591 EX_PUSH_LOCK ProcessLock; // +0x06c
2592 LARGE_INTEGER CreateTime; // +0x070
2593 LARGE_INTEGER ExitTime; // +0x078
2594 EX_RUNDOWN_REF RundownProtect; // +0x080
2595 ULONG UniqueProcessId; // +0x084
2596 LIST_ENTRY ActiveProcessLinks; // +0x088
2597 ULONG QuotaUsage[3]; // +0x090
2598 ULONG QuotaPeak[3]; // +0x09c
2599 ULONG CommitCharge; // +0x0a8
2600 ULONG PeakVirtualSize; // +0x0ac
2601 ULONG VirtualSize; // +0x0b0
2602 LIST_ENTRY SessionProcessLinks; // +0x0b4
2603 PVOID DebugPort; // +0x0bc
2604 PVOID ExceptionPort; // +0x0c0
2605 PHANDLE_TABLE ObjectTable; // +0x0c4
2606 EX_FAST_REF Token; // +0x0c8
2607 ULONG WorkingSetPage; // +0x0cc
2608 KGUARDED_MUTEX AddressCreationLock; // +0x0d0
2609 ULONG HyperSpaceLock; // +0x0f0
2610 PETHREAD ForkInProgress; // +0x0f4
2611 ULONG HardwareTrigger; // +0x0f8
2612 PMM_AVL_TABLE PhysicalVadRoot; // +0x0fc
2613 PVOID CloneRoot; // +0x100
2614 ULONG NumberOfPrivatePages; // +0x104
2615 ULONG NumberOfLockedPages; // +0x108
2616 PVOID Win32Process; // +0x10c
2617 PEJOB Job; // +0x110
2618 PVOID SectionObject; // +0x114
2619 PVOID SectionBaseAddress; // +0x118
2620 PEPROCESS_QUOTA_BLOCK QuotaBlock; // +0x11c
2621 PPAGEFAULT_HISTORY WorkingSetWatch; // +0x120
2622 PVOID Win32WindowStation; // +0x124
2623 ULONG InheritedFromUniqueProcessId; // +0x128
2624 PVOID LdtInformation; // +0x12c
2625 PVOID VadFreeHint; // +0x130
2626 PVOID VdmObjects; // +0x134
2627 PVOID DeviceMap; // +0x138
2628 PVOID Spare0[3]; // +0x13c
2629 union {
2630 HARDWARE_PTE PageDirectoryPte; // +0x148
2631 UINT64 Filler; // +0x148
2632 };
2633 PVOID Session; // +0x150
2634 UCHAR ImageFileName[16]; // +0x154
2635 LIST_ENTRY JobLinks; // +0x164
2636 PVOID LockedPagesList; // +0x16c
2637 LIST_ENTRY ThreadListHead; // +0x170
2638 PVOID SecurityPort; // +0x178
2639 PVOID PaeTop; // +0x17c
2640 ULONG ActiveThreads; // +0x180
2641 ULONG GrantedAccess; // +0x184
2642 ULONG DefaultHardErrorProcessing; // +0x188
2643 SHORT LastThreadExitStatus; // +0x18c
2644 PPEB Peb; // +0x190
2645 EX_FAST_REF PrefetchTrace; // +0x194
2646 LARGE_INTEGER ReadOperationCount; // +0x198
2647 LARGE_INTEGER WriteOperationCount; // +0x1a0
2648 LARGE_INTEGER OtherOperationCount; // +0x1a8
2649 LARGE_INTEGER ReadTransferCount; // +0x1b0
2650 LARGE_INTEGER WriteTransferCount; // +0x1b8
2651 LARGE_INTEGER OtherTransferCount; // +0x1c0
2652 ULONG CommitChargeLimit; // +0x1c8
2653 ULONG CommitChargePeak; // +0x1cc
2654 PVOID AweInfo; // +0x1d0
2655 SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo; // +0x1d4
2656 MMSUPPORT Vm; // +0x1d8
2657 LIST_ENTRY MmProcessLinks; // +0x238
2658 ULONG ModifiedPageCount; // +0x240
2659 ULONG JobStatus; // +0x244
2660 union {
2661 ULONG Flags; // 0x248
2662 struct {
2663 ULONG CreateReported : 1;
2664 ULONG NoDebugInherit : 1;
2665 ULONG ProcessExiting : 1;
2666 ULONG ProcessDelete : 1;
2667 ULONG Wow64SplitPages : 1;
2668 ULONG VmDeleted : 1;
2669 ULONG OutswapEnabled : 1;
2670 ULONG Outswapped : 1;
2671 ULONG ForkFailed : 1;
2672 ULONG Wow64VaSpace4Gb : 1;
2673 ULONG AddressSpaceInitialized : 2;
2674 ULONG SetTimerResolution : 1;
2675 ULONG BreakOnTermination : 1;
2676 ULONG SessionCreationUnderway : 1;
2677 ULONG WriteWatch : 1;
2678 ULONG ProcessInSession : 1;
2679 ULONG OverrideAddressSpace : 1;
2680 ULONG HasAddressSpace : 1;
2681 ULONG LaunchPrefetched : 1;
2682 ULONG InjectInpageErrors : 1;
2683 ULONG VmTopDown : 1;
2684 ULONG ImageNotifyDone : 1;
2685 ULONG PdeUpdateNeeded : 1;
2686 ULONG VdmAllowed : 1;
2687 ULONG Unused : 7;
2688 };
2689 };
2690 NTSTATUS ExitStatus; // +0x24c
2691 USHORT NextPageColor; // +0x250
2692 union {
2693 struct {
2694 UCHAR SubSystemMinorVersion; // +0x252
2695 UCHAR SubSystemMajorVersion; // +0x253
2696 };
2697 USHORT SubSystemVersion; // +0x252
2698 };
2699 UCHAR PriorityClass; // +0x254
2700 MM_AVL_TABLE VadRoot; // +0x258
2701 } EPROCESS, *PEPROCESS; // 0x278 in total
2702
2703 #elif (VER_PRODUCTBUILD >= 2600)
2704
2705 typedef struct _EPROCESS {
2706 KPROCESS Pcb;
2707 EX_PUSH_LOCK ProcessLock;
2708 LARGE_INTEGER CreateTime;
2709 LARGE_INTEGER ExitTime;
2710 EX_RUNDOWN_REF RundownProtect;
2711 ULONG UniqueProcessId;
2712 LIST_ENTRY ActiveProcessLinks;
2713 ULONG QuotaUsage[3];
2714 ULONG QuotaPeak[3];
2715 ULONG CommitCharge;
2716 ULONG PeakVirtualSize;
2717 ULONG VirtualSize;
2718 LIST_ENTRY SessionProcessLinks;
2719 PVOID DebugPort;
2720 PVOID ExceptionPort;
2721 PHANDLE_TABLE ObjectTable;
2722 EX_FAST_REF Token;
2723 FAST_MUTEX WorkingSetLock;
2724 ULONG WorkingSetPage;
2725 FAST_MUTEX AddressCreationLock;
2726 KSPIN_LOCK HyperSpaceLock;
2727 PETHREAD ForkInProgress;
2728 ULONG HardwareTrigger;
2729 PVOID VadRoot;
2730 PVOID VadHint;
2731 PVOID CloneRoot;
2732 ULONG NumberOfPrivatePages;
2733 ULONG NumberOfLockedPages;
2734 PVOID Win32Process;
2735 PEJOB Job;
2736 PSECTION_OBJECT SectionObject;
2737 PVOID SectionBaseAddress;
2738 PEPROCESS_QUOTA_BLOCK QuotaBlock;
2739 PPAGEFAULT_HISTORY WorkingSetWatch;
2740 PVOID Win32WindowStation;
2741 PVOID InheritedFromUniqueProcessId;
2742 PVOID LdtInformation;
2743 PVOID VadFreeHint;
2744 PVOID VdmObjects;
2745 PDEVICE_MAP DeviceMap;
2746 LIST_ENTRY PhysicalVadList;
2747 union {
2748 HARDWARE_PTE PageDirectoryPte;
2749 ULONGLONG Filler;
2750 };
2751 PVOID Session;
2752 UCHAR ImageFileName[16];
2753 LIST_ENTRY JobLinks;
2754 PVOID LockedPageList;
2755 LIST_ENTRY ThreadListHead;
2756 PVOID SecurityPort;
2757 PVOID PaeTop;
2758 ULONG ActiveThreads;
2759 ULONG GrantedAccess;
2760 ULONG DefaultHardErrorProcessing;
2761 NTSTATUS LastThreadExitStatus;
2762 PPEB Peb;
2763 EX_FAST_REF PrefetchTrace;
2764 LARGE_INTEGER ReadOperationCount;
2765 LARGE_INTEGER WriteOperationCount;
2766 LARGE_INTEGER OtherOperationCount;
2767 LARGE_INTEGER ReadTransferCount;
2768 LARGE_INTEGER WriteTransferCount;
2769 LARGE_INTEGER OtherTransferCount;
2770 ULONG CommitChargeLimit;
2771 ULONG CommitChargePeek;
2772 PVOID AweInfo;
2773 SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo;
2774 MMSUPPORT Vm;
2775 ULONG LastFaultCount;
2776 ULONG ModifiedPageCount;
2777 ULONG NumberOfVads;
2778 ULONG JobStatus;
2779 union {
2780 ULONG Flags;
2781 struct {
2782 ULONG CreateReported : 1;
2783 ULONG NoDebugInherit : 1;
2784 ULONG ProcessExiting : 1;
2785 ULONG ProcessDelete : 1;
2786 ULONG Wow64SplitPages : 1;
2787 ULONG VmDeleted : 1;
2788 ULONG OutswapEnabled : 1;
2789 ULONG Outswapped : 1;
2790 ULONG ForkFailed : 1;
2791 ULONG HasPhysicalVad : 1;
2792 ULONG AddressSpaceInitialized : 2;
2793 ULONG SetTimerResolution : 1;
2794 ULONG BreakOnTermination : 1;
2795 ULONG SessionCreationUnderway : 1;
2796 ULONG WriteWatch : 1;
2797 ULONG ProcessInSession : 1;
2798 ULONG OverrideAddressSpace : 1;
2799 ULONG HasAddressSpace : 1;
2800 ULONG LaunchPrefetched : 1;
2801 ULONG InjectInpageErrors : 1;
2802 ULONG Unused : 11;
2803 };
2804 };
2805 NTSTATUS ExitStatus;
2806 USHORT NextPageColor;
2807 union {
2808 struct {
2809 UCHAR SubSystemMinorVersion;
2810 UCHAR SubSystemMajorVersion;
2811 };
2812 USHORT SubSystemVersion;
2813 };
2814 UCHAR PriorityClass;
2815 BOOLEAN WorkingSetAcquiredUnsafe;
2816 } EPROCESS, *PEPROCESS;
2817
2818 #else
2819
2820 typedef struct _EPROCESS {
2821 KPROCESS Pcb;
2822 NTSTATUS ExitStatus;
2823 KEVENT LockEvent;
2824 ULONG LockCount;
2825 LARGE_INTEGER CreateTime;
2826 LARGE_INTEGER ExitTime;
2827 PKTHREAD LockOwner;
2828 ULONG UniqueProcessId;
2829 LIST_ENTRY ActiveProcessLinks;
2830 ULONGLONG QuotaPeakPoolUsage;
2831 ULONGLONG QuotaPoolUsage;
2832 ULONG PagefileUsage;
2833 ULONG CommitCharge;
2834 ULONG PeakPagefileUsage;
2835 ULONG PeakVirtualSize;
2836 ULONGLONG VirtualSize;
2837 MMSUPPORT Vm;
2838 #if (VER_PRODUCTBUILD < 2195)
2839 ULONG LastProtoPteFault;
2840 #else // (VER_PRODUCTBUILD >= 2195)
2841 LIST_ENTRY SessionProcessLinks;
2842 #endif // (VER_PRODUCTBUILD >= 2195)
2843 ULONG DebugPort;
2844 ULONG ExceptionPort;
2845 PHANDLE_TABLE ObjectTable;
2846 PACCESS_TOKEN Token;
2847 FAST_MUTEX WorkingSetLock;
2848 ULONG WorkingSetPage;
2849 BOOLEAN ProcessOutswapEnabled;
2850 BOOLEAN ProcessOutswapped;
2851 BOOLEAN AddressSpaceInitialized;
2852 BOOLEAN AddressSpaceDeleted;
2853 FAST_MUTEX AddressCreationLock;
2854 KSPIN_LOCK HyperSpaceLock;
2855 PETHREAD ForkInProgress;
2856 USHORT VmOperation;
2857 BOOLEAN ForkWasSuccessful;
2858 UCHAR MmAgressiveWsTrimMask;
2859 PKEVENT VmOperationEvent;
2860 #if (VER_PRODUCTBUILD < 2195)
2861 HARDWARE_PTE PageDirectoryPte;
2862 #else // (VER_PRODUCTBUILD >= 2195)
2863 PVOID PaeTop;
2864 #endif // (VER_PRODUCTBUILD >= 2195)
2865 ULONG LastFaultCount;
2866 ULONG ModifiedPageCount;
2867 PVOID VadRoot;
2868 PVOID VadHint;
2869 ULONG CloneRoot;
2870 ULONG NumberOfPrivatePages;
2871 ULONG NumberOfLockedPages;
2872 USHORT NextPageColor;
2873 BOOLEAN ExitProcessCalled;
2874 BOOLEAN CreateProcessReported;
2875 HANDLE SectionHandle;
2876 PPEB Peb;
2877 PVOID SectionBaseAddress;
2878 PEPROCESS_QUOTA_BLOCK QuotaBlock;
2879 NTSTATUS LastThreadExitStatus;
2880 PPROCESS_WS_WATCH_INFORMATION WorkingSetWatch;
2881 HANDLE Win32WindowStation;
2882 HANDLE InheritedFromUniqueProcessId;
2883 ACCESS_MASK GrantedAccess;
2884 ULONG DefaultHardErrorProcessing;
2885 PVOID LdtInformation;
2886 PVOID VadFreeHint;
2887 PVOID VdmObjects;
2888 #if (VER_PRODUCTBUILD < 2195)
2889 KMUTANT ProcessMutant;
2890 #else // (VER_PRODUCTBUILD >= 2195)
2891 PDEVICE_MAP DeviceMap;
2892 ULONG SessionId;
2893 LIST_ENTRY PhysicalVadList;
2894 HARDWARE_PTE PageDirectoryPte;
2895 ULONG Filler;
2896 ULONG PaePageDirectoryPage;
2897 #endif // (VER_PRODUCTBUILD >= 2195)
2898 UCHAR ImageFileName[16];
2899 ULONG VmTrimFaultValue;
2900 UCHAR SetTimerResolution;
2901 UCHAR PriorityClass;
2902 union {
2903 struct {
2904 UCHAR SubSystemMinorVersion;
2905 UCHAR SubSystemMajorVersion;
2906 };
2907 USHORT SubSystemVersion;
2908 };
2909 PVOID Win32Process;
2910 #if (VER_PRODUCTBUILD >= 2195)
2911 PEJOB Job;
2912 ULONG JobStatus;
2913 LIST_ENTRY JobLinks;
2914 PVOID LockedPageList;
2915 PVOID SecurityPort;
2916 PWOW64_PROCESS Wow64Process;
2917 LARGE_INTEGER ReadOperationCount;
2918 LARGE_INTEGER WriteOperationCount;
2919 LARGE_INTEGER OtherOperationCount;
2920 LARGE_INTEGER ReadTransferCount;
2921 LARGE_INTEGER WriteTransferCount;
2922 LARGE_INTEGER OtherTransferCount;
2923 ULONG CommitChargeLimit;
2924 ULONG CommitChargePeek;
2925 LIST_ENTRY ThreadListHead;
2926 PRTL_BITMAP VadPhysicalPagesBitMap;
2927 ULONG VadPhysicalPages;
2928 ULONG AweLock;
2929 #endif // (VER_PRODUCTBUILD >= 2195)
2930 } EPROCESS, *PEPROCESS;
2931
2932 #endif
2933
2934 #if (VER_PRODUCTBUILD >= 2600)
2935
2936 typedef struct _ETHREAD {
2937 KTHREAD Tcb;
2938 union {
2939 LARGE_INTEGER CreateTime;
2940 struct {
2941 ULONG NestedFaultCount : 2;
2942 ULONG ApcNeeded : 1;
2943 };
2944 };
2945 union {
2946 LARGE_INTEGER ExitTime;
2947 LIST_ENTRY LpcReplyChain;
2948 LIST_ENTRY KeyedWaitChain;
2949 };
2950 union {
2951 NTSTATUS ExitStatus;
2952 PVOID OfsChain;
2953 };
2954 LIST_ENTRY PostBlockList;
2955 union {
2956 PTERMINATION_PORT TerminationPort;
2957 PETHREAD ReaperLink;
2958 PVOID KeyedWaitValue;
2959 };
2960 KSPIN_LOCK ActiveTimerListLock;
2961 LIST_ENTRY ActiveTimerListHead;
2962 CLIENT_ID Cid;
2963 union {
2964 KSEMAPHORE LpcReplySemaphore;
2965 KSEMAPHORE KeyedWaitSemaphore;
2966 };
2967 union {
2968 PLPC_MESSAGE LpcReplyMessage;
2969 PVOID LpcWaitingOnPort;
2970 };
2971 PPS_IMPERSONATION_INFORMATION ImpersonationInfo;
2972 LIST_ENTRY IrpList;
2973 ULONG TopLevelIrp;
2974 PDEVICE_OBJECT DeviceToVerify;
2975 PEPROCESS ThreadsProcess;
2976 PKSTART_ROUTINE StartAddress;
2977 union {
2978 PVOID Win32StartAddress;
2979 ULONG LpcReceivedMessageId;
2980 };
2981 LIST_ENTRY ThreadListEntry;
2982 EX_RUNDOWN_REF RundownProtect;
2983 EX_PUSH_LOCK ThreadLock;
2984 ULONG LpcReplyMessageId;
2985 ULONG ReadClusterSize;
2986 ACCESS_MASK GrantedAccess;
2987 union {
2988 ULONG CrossThreadFlags;
2989 struct {
2990 ULONG Terminated : 1;
2991 ULONG DeadThread : 1;
2992 ULONG HideFromDebugger : 1;
2993 ULONG ActiveImpersonationInfo : 1;
2994 ULONG SystemThread : 1;
2995 ULONG HardErrorsAreDisabled : 1;
2996 ULONG BreakOnTermination : 1;
2997 ULONG SkipCreationMsg : 1;
2998 ULONG SkipTerminationMsg : 1;
2999 };
3000 };
3001 union {
3002 ULONG SameThreadPassiveFlags;
3003 struct {
3004 ULONG ActiveExWorker : 1;
3005 ULONG ExWorkerCanWaitUser : 1;
3006 ULONG MemoryMaker : 1;
3007 ULONG KeyedEventInUse : 1;
3008 };
3009 };
3010 union {
3011 ULONG SameThreadApcFlags;
3012 struct {
3013 BOOLEAN LpcReceivedMsgIdValid : 1;
3014 BOOLEAN LpcExitThreadCalled : 1;
3015 BOOLEAN AddressSpaceOwner : 1;
3016 };
3017 };
3018 BOOLEAN ForwardClusterOnly;
3019 BOOLEAN DisablePageFaultClustering;
3020 } ETHREAD, *PETHREAD;
3021
3022 #else
3023
3024 typedef struct _ETHREAD {
3025 KTHREAD Tcb;
3026 LARGE_INTEGER CreateTime;
3027 union {
3028 LARGE_INTEGER ExitTime;
3029 LIST_ENTRY LpcReplyChain;
3030 };
3031 union {
3032 NTSTATUS ExitStatus;
3033 PVOID OfsChain;
3034 };
3035 LIST_ENTRY PostBlockList;
3036 LIST_ENTRY TerminationPortList;
3037 KSPIN_LOCK ActiveTimerListLock;
3038 LIST_ENTRY ActiveTimerListHead;
3039 CLIENT_ID Cid;
3040 KSEMAPHORE LpcReplySemaphore;
3041 PLPC_MESSAGE LpcReplyMessage;
3042 ULONG LpcReplyMessageId;
3043 ULONG PerformanceCountLow;
3044 PPS_IMPERSONATION_INFORMATION ImpersonationInfo;
3045 LIST_ENTRY IrpList;
3046 PVOID TopLevelIrp;
3047 PDEVICE_OBJECT DeviceToVerify;
3048 ULONG ReadClusterSize;
3049 BOOLEAN ForwardClusterOnly;
3050 BOOLEAN DisablePageFaultClustering;
3051 BOOLEAN DeadThread;
3052 #if (VER_PRODUCTBUILD >= 2195)
3053 BOOLEAN HideFromDebugger;
3054 #endif // (VER_PRODUCTBUILD >= 2195)
3055 #if (VER_PRODUCTBUILD < 2195)
3056 BOOLEAN HasTerminated;
3057 #else // (VER_PRODUCTBUILD >= 2195)
3058 ULONG HasTerminated;
3059 #endif // (VER_PRODUCTBUILD >= 2195)
3060 #if (VER_PRODUCTBUILD < 2195)
3061 PKEVENT_PAIR EventPair;
3062 #endif // (VER_PRODUCTBUILD < 2195)
3063 ACCESS_MASK GrantedAccess;
3064 PEPROCESS ThreadsProcess;
3065 PKSTART_ROUTINE StartAddress;
3066 union {
3067 PVOID Win32StartAddress;
3068 ULONG LpcReceivedMessageId;
3069 };
3070 BOOLEAN LpcExitThreadCalled;
3071 BOOLEAN HardErrorsAreDisabled;
3072 BOOLEAN LpcReceivedMsgIdValid;
3073 BOOLEAN ActiveImpersonationInfo;
3074 ULONG PerformanceCountHigh;
3075 #if (VER_PRODUCTBUILD >= 2195)
3076 LIST_ENTRY ThreadListEntry;
3077 #endif // (VER_PRODUCTBUILD >= 2195)
3078 } ETHREAD, *PETHREAD;
3079
3080 #endif
3081
3082 typedef struct _EPROCESS_QUOTA_ENTRY {
3083 ULONG Usage;
3084 ULONG Limit;
3085 ULONG Peak;
3086 ULONG Return;
3087 } EPROCESS_QUOTA_ENTRY, *PEPROCESS_QUOTA_ENTRY;
3088
3089 typedef struct _EPROCESS_QUOTA_BLOCK {
3090 EPROCESS_QUOTA_ENTRY QuotaEntry[3];
3091 LIST_ENTRY QuotaList;
3092 ULONG ReferenceCount;
3093 ULONG ProcessCount;
3094 } EPROCESS_QUOTA_BLOCK, *PEPROCESS_QUOTA_BLOCK;
3095
3096 typedef struct _EXCEPTION_REGISTRATION_RECORD {
3097 struct _EXCEPTION_REGISTRATION_RECORD *Next;
3098 PVOID Handler;
3099 } EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD;
3100
3101 /*
3102 * When needing these parameters cast your PIO_STACK_LOCATION to
3103 * PEXTENDED_IO_STACK_LOCATION
3104 */
3105 #if !defined(_ALPHA_) && !defined(_AMD64_) && !defined(_IA64_)
3106 #include <pshpack4.h>
3107 #endif
3108 typedef struct _EXTENDED_IO_STACK_LOCATION {
3109
3110 /* Included for padding */
3111 UCHAR MajorFunction;
3112 UCHAR MinorFunction;
3113 UCHAR Flags;
3114 UCHAR Control;
3115
3116 union {
3117
3118 struct {
3119 PIO_SECURITY_CONTEXT SecurityContext;
3120 ULONG Options;
3121 USHORT Reserved;
3122 USHORT ShareAccess;
3123 PMAILSLOT_CREATE_PARAMETERS Parameters;
3124 } CreateMailslot;
3125
3126 struct {
3127 PIO_SECURITY_CONTEXT SecurityContext;
3128 ULONG Options;
3129 USHORT Reserved;
3130 USHORT ShareAccess;
3131 PNAMED_PIPE_CREATE_PARAMETERS Parameters;
3132 } CreatePipe;
3133
3134 struct {
3135 ULONG OutputBufferLength;
3136 ULONG InputBufferLength;
3137 ULONG FsControlCode;
3138 PVOID Type3InputBuffer;
3139 } FileSystemControl;
3140
3141 struct {
3142 PLARGE_INTEGER Length;
3143 ULONG Key;
3144 LARGE_INTEGER ByteOffset;
3145 } LockControl;
3146
3147 struct {
3148 ULONG Length;
3149 ULONG CompletionFilter;
3150 } NotifyDirectory;
3151
3152 struct {
3153 ULONG Length;
3154 PUNICODE_STRING FileName;
3155 FILE_INFORMATION_CLASS FileInformationClass;
3156 ULONG FileIndex;
3157 } QueryDirectory;
3158
3159 struct {
3160 ULONG Length;
3161 PVOID EaList;
3162 ULONG EaListLength;
3163 ULONG EaIndex;
3164 } QueryEa;
3165
3166 struct {
3167 ULONG Length;
3168 PSID StartSid;
3169 PFILE_GET_QUOTA_INFORMATION SidList;
3170 ULONG SidListLength;
3171 } QueryQuota;
3172
3173 struct {
3174 ULONG Length;
3175 } SetEa;
3176
3177 struct {
3178 ULONG Length;
3179 } SetQuota;
3180
3181 struct {
3182 ULONG Length;
3183 FS_INFORMATION_CLASS FsInformationClass;
3184 } SetVolume;
3185
3186 } Parameters;
3187
3188 } EXTENDED_IO_STACK_LOCATION, *PEXTENDED_IO_STACK_LOCATION;
3189 #if !defined(_ALPHA_) && !defined(_AMD64_) && !defined(_IA64_)
3190 #include <poppack.h>
3191 #endif
3192
3193 typedef struct _FILE_ACCESS_INFORMATION {
3194 ACCESS_MASK AccessFlags;
3195 } FILE_ACCESS_INFORMATION, *PFILE_ACCESS_INFORMATION;
3196
3197 typedef struct _FILE_ALLOCATION_INFORMATION {
3198 LARGE_INTEGER AllocationSize;
3199 } FILE_ALLOCATION_INFORMATION, *PFILE_ALLOCATION_INFORMATION;
3200
3201 typedef struct _FILE_BOTH_DIR_INFORMATION {
3202 ULONG NextEntryOffset;
3203 ULONG FileIndex;
3204 LARGE_INTEGER CreationTime;
3205 LARGE_INTEGER LastAccessTime;
3206 LARGE_INTEGER LastWriteTime;
3207 LARGE_INTEGER ChangeTime;
3208 LARGE_INTEGER EndOfFile;
3209 LARGE_INTEGER AllocationSize;
3210 ULONG FileAttributes;
3211 ULONG FileNameLength;
3212 ULONG EaSize;
3213 CCHAR ShortNameLength;
3214 WCHAR ShortName[12];
3215 WCHAR FileName[1];
3216 } FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION;
3217
3218 typedef struct _FILE_COMPLETION_INFORMATION {
3219 HANDLE Port;
3220 ULONG Key;
3221 } FILE_COMPLETION_INFORMATION, *PFILE_COMPLETION_INFORMATION;
3222
3223 typedef struct _FILE_COMPRESSION_INFORMATION {
3224 LARGE_INTEGER CompressedFileSize;
3225 USHORT CompressionFormat;
3226 UCHAR CompressionUnitShift;
3227 UCHAR ChunkShift;
3228 UCHAR ClusterShift;
3229 UCHAR Reserved[3];
3230 } FILE_COMPRESSION_INFORMATION, *PFILE_COMPRESSION_INFORMATION;
3231
3232 typedef struct _FILE_COPY_ON_WRITE_INFORMATION {
3233 BOOLEAN ReplaceIfExists;
3234 HANDLE RootDirectory;
3235 ULONG FileNameLength;
3236 WCHAR FileName[1];
3237 } FILE_COPY_ON_WRITE_INFORMATION, *PFILE_COPY_ON_WRITE_INFORMATION;
3238
3239 typedef struct _FILE_DIRECTORY_INFORMATION {
3240 ULONG NextEntryOffset;
3241 ULONG FileIndex;
3242 LARGE_INTEGER CreationTime;
3243 LARGE_INTEGER LastAccessTime;
3244 LARGE_INTEGER LastWriteTime;
3245 LARGE_INTEGER ChangeTime;
3246 LARGE_INTEGER EndOfFile;
3247 LARGE_INTEGER AllocationSize;
3248 ULONG FileAttributes;
3249 ULONG FileNameLength;
3250 WCHAR FileName[1];
3251 } FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION;
3252
3253 typedef struct _FILE_EA_INFORMATION {
3254 ULONG EaSize;
3255 } FILE_EA_INFORMATION, *PFILE_EA_INFORMATION;
3256
3257 typedef struct _FILE_FS_ATTRIBUTE_INFORMATION {
3258 ULONG FileSystemAttributes;
3259 ULONG MaximumComponentNameLength;
3260 ULONG FileSystemNameLength;
3261 WCHAR FileSystemName[1];
3262 } FILE_FS_ATTRIBUTE_INFORMATION, *PFILE_FS_ATTRIBUTE_INFORMATION;
3263
3264 typedef struct _FILE_FS_CONTROL_INFORMATION {
3265 LARGE_INTEGER FreeSpaceStartFiltering;
3266 LARGE_INTEGER FreeSpaceThreshold;
3267 LARGE_INTEGER FreeSpaceStopFiltering;
3268 LARGE_INTEGER DefaultQuotaThreshold;
3269 LARGE_INTEGER DefaultQuotaLimit;
3270 ULONG FileSystemControlFlags;
3271 } FILE_FS_CONTROL_INFORMATION, *PFILE_FS_CONTROL_INFORMATION;
3272
3273 typedef struct _FILE_FS_FULL_SIZE_INFORMATION {
3274 LARGE_INTEGER TotalAllocationUnits;
3275 LARGE_INTEGER CallerAvailableAllocationUnits;
3276 LARGE_INTEGER ActualAvailableAllocationUnits;
3277 ULONG SectorsPerAllocationUnit;
3278 ULONG BytesPerSector;
3279 } FILE_FS_FULL_SIZE_INFORMATION, *PFILE_FS_FULL_SIZE_INFORMATION;
3280
3281 typedef struct _FILE_FS_LABEL_INFORMATION {
3282 ULONG VolumeLabelLength;
3283 WCHAR VolumeLabel[1];
3284 } FILE_FS_LABEL_INFORMATION, *PFILE_FS_LABEL_INFORMATION;
3285
3286 #if (VER_PRODUCTBUILD >= 2195)
3287
3288 typedef struct _FILE_FS_OBJECT_ID_INFORMATION {
3289 UCHAR ObjectId[16];
3290 UCHAR ExtendedInfo[48];
3291 } FILE_FS_OBJECT_ID_INFORMATION, *PFILE_FS_OBJECT_ID_INFORMATION;
3292
3293 #endif // (VER_PRODUCTBUILD >= 2195)
3294
3295 typedef struct _FILE_FS_SIZE_INFORMATION {
3296 LARGE_INTEGER TotalAllocationUnits;
3297 LARGE_INTEGER AvailableAllocationUnits;
3298 ULONG SectorsPerAllocationUnit;
3299 ULONG BytesPerSector;
3300 } FILE_FS_SIZE_INFORMATION, *PFILE_FS_SIZE_INFORMATION;
3301
3302 typedef struct _FILE_FS_VOLUME_INFORMATION {
3303 LARGE_INTEGER VolumeCreationTime;
3304 ULONG VolumeSerialNumber;
3305 ULONG VolumeLabelLength;
3306 BOOLEAN SupportsObjects;
3307 WCHAR VolumeLabel[1];
3308 } FILE_FS_VOLUME_INFORMATION, *PFILE_FS_VOLUME_INFORMATION;
3309
3310 typedef struct _FILE_FULL_DIR_INFORMATION {
3311 ULONG NextEntryOffset;
3312 ULONG FileIndex;
3313 LARGE_INTEGER CreationTime;
3314 LARGE_INTEGER LastAccessTime;
3315 LARGE_INTEGER LastWriteTime;
3316 LARGE_INTEGER ChangeTime;
3317 LARGE_INTEGER EndOfFile;
3318 LARGE_INTEGER AllocationSize;
3319 ULONG FileAttributes;
3320 ULONG FileNameLength;
3321 ULONG EaSize;
3322 WCHAR FileName[1];
3323 } FILE_FULL_DIR_INFORMATION, *PFILE_FULL_DIR_INFORMATION;
3324
3325 typedef struct _FILE_GET_EA_INFORMATION {
3326 ULONG NextEntryOffset;
3327 UCHAR EaNameLength;
3328 CHAR EaName[1];
3329 } FILE_GET_EA_INFORMATION, *PFILE_GET_EA_INFORMATION;
3330
3331 typedef struct _FILE_GET_QUOTA_INFORMATION {
3332 ULONG NextEntryOffset;
3333 ULONG SidLength;
3334 SID Sid;
3335 } FILE_GET_QUOTA_INFORMATION, *PFILE_GET_QUOTA_INFORMATION;
3336
3337 typedef struct _FILE_ID_BOTH_DIR_INFORMATION {
3338 ULONG NextEntryOffset;
3339 ULONG FileIndex;
3340 LARGE_INTEGER CreationTime;
3341 LARGE_INTEGER LastAccessTime;
3342 LARGE_INTEGER LastWriteTime;
3343 LARGE_INTEGER ChangeTime;
3344 LARGE_INTEGER EndOfFile;
3345 LARGE_INTEGER AllocationSize;
3346 ULONG FileAttributes;
3347 ULONG FileNameLength;
3348 ULONG EaSize;
3349 CCHAR ShortNameLength;
3350 WCHAR ShortName[12];
3351 LARGE_INTEGER FileId;
3352 WCHAR FileName[1];
3353 } FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION;
3354
3355 typedef struct _FILE_ID_FULL_DIR_INFORMATION {
3356 ULONG NextEntryOffset;
3357 ULONG FileIndex;
3358 LARGE_INTEGER CreationTime;
3359 LARGE_INTEGER LastAccessTime;
3360 LARGE_INTEGER LastWriteTime;
3361 LARGE_INTEGER ChangeTime;
3362 LARGE_INTEGER EndOfFile;
3363 LARGE_INTEGER AllocationSize;
3364 ULONG FileAttributes;
3365 ULONG FileNameLength;
3366 ULONG EaSize;
3367 LARGE_INTEGER FileId;
3368 WCHAR FileName[1];
3369 } FILE_ID_FULL_DIR_INFORMATION, *PFILE_ID_FULL_DIR_INFORMATION;
3370
3371 typedef struct _FILE_INTERNAL_INFORMATION {
3372 LARGE_INTEGER IndexNumber;
3373 } FILE_INTERNAL_INFORMATION, *PFILE_INTERNAL_INFORMATION;
3374
3375 typedef struct _FILE_LINK_INFORMATION {
3376 BOOLEAN ReplaceIfExists;
3377 HANDLE RootDirectory;
3378 ULONG FileNameLength;
3379 WCHAR FileName[1];
3380 } FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION;
3381
3382 typedef struct _FILE_LOCK_INFO {
3383 LARGE_INTEGER StartingByte;
3384 LARGE_INTEGER Length;
3385 BOOLEAN ExclusiveLock;
3386 ULONG Key;
3387 PFILE_OBJECT FileObject;
3388 PEPROCESS Process;
3389 LARGE_INTEGER EndingByte;
3390 } FILE_LOCK_INFO, *PFILE_LOCK_INFO;
3391
3392 // raw internal file lock struct returned from FsRtlGetNextFileLock
3393 typedef struct _FILE_SHARED_LOCK_ENTRY {
3394 PVOID Unknown1;
3395 PVOID Unknown2;
3396 FILE_LOCK_INFO FileLock;
3397 } FILE_SHARED_LOCK_ENTRY, *PFILE_SHARED_LOCK_ENTRY;
3398
3399 // raw internal file lock struct returned from FsRtlGetNextFileLock
3400 typedef struct _FILE_EXCLUSIVE_LOCK_ENTRY {
3401 LIST_ENTRY ListEntry;
3402 PVOID Unknown1;
3403 PVOID Unknown2;
3404 FILE_LOCK_INFO FileLock;
3405 } FILE_EXCLUSIVE_LOCK_ENTRY, *PFILE_EXCLUSIVE_LOCK_ENTRY;
3406
3407 typedef NTSTATUS (*PCOMPLETE_LOCK_IRP_ROUTINE) (
3408 IN PVOID Context,
3409 IN PIRP Irp
3410 );
3411
3412 typedef VOID (*PUNLOCK_ROUTINE) (
3413 IN PVOID Context,
3414 IN PFILE_LOCK_INFO FileLockInfo
3415 );
3416
3417 typedef struct _FILE_LOCK {
3418 PCOMPLETE_LOCK_IRP_ROUTINE CompleteLockIrpRoutine;
3419 PUNLOCK_ROUTINE UnlockRoutine;
3420 BOOLEAN FastIoIsQuestionable;
3421 BOOLEAN Pad[3];
3422 PVOID LockInformation;
3423 FILE_LOCK_INFO LastReturnedLockInfo;
3424 PVOID LastReturnedLock;
3425 } FILE_LOCK, *PFILE_LOCK;
3426
3427 typedef struct _FILE_MAILSLOT_PEEK_BUFFER {
3428 ULONG ReadDataAvailable;
3429 ULONG NumberOfMessages;
3430 ULONG MessageLength;
3431 } FILE_MAILSLOT_PEEK_BUFFER, *PFILE_MAILSLOT_PEEK_BUFFER;
3432
3433 typedef struct _FILE_MAILSLOT_QUERY_INFORMATION {
3434 ULONG MaximumMessageSize;
3435 ULONG MailslotQuota;
3436 ULONG NextMessageSize;
3437 ULONG MessagesAvailable;
3438 LARGE_INTEGER ReadTimeout;
3439 } FILE_MAILSLOT_QUERY_INFORMATION, *PFILE_MAILSLOT_QUERY_INFORMATION;
3440
3441 typedef struct _FILE_MAILSLOT_SET_INFORMATION {
3442 PLARGE_INTEGER ReadTimeout;
3443 } FILE_MAILSLOT_SET_INFORMATION, *PFILE_MAILSLOT_SET_INFORMATION;
3444
3445 typedef struct _FILE_MODE_INFORMATION {
3446 ULONG Mode;
3447 } FILE_MODE_INFORMATION, *PFILE_MODE_INFORMATION;
3448
3449 // This structure is included in the Windows 2000 DDK but is missing in the
3450 // Windows NT 4.0 DDK
3451 #if (VER_PRODUCTBUILD < 2195)
3452 typedef struct _FILE_NAME_INFORMATION {
3453 ULONG FileNameLength;
3454 WCHAR FileName[1];
3455 } FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;
3456 #endif // (VER_PRODUCTBUILD < 2195)
3457
3458 typedef struct _FILE_ALL_INFORMATION {
3459 FILE_BASIC_INFORMATION BasicInformation;
3460 FILE_STANDARD_INFORMATION StandardInformation;
3461 FILE_INTERNAL_INFORMATION InternalInformation;
3462 FILE_EA_INFORMATION EaInformation;
3463 FILE_ACCESS_INFORMATION AccessInformation;
3464 FILE_POSITION_INFORMATION PositionInformation;
3465 FILE_MODE_INFORMATION ModeInformation;
3466 FILE_ALIGNMENT_INFORMATION AlignmentInformation;
3467 FILE_NAME_INFORMATION NameInformation;
3468 } FILE_ALL_INFORMATION, *PFILE_ALL_INFORMATION;
3469
3470 typedef struct _FILE_NAMES_INFORMATION {
3471 ULONG NextEntryOffset;
3472 ULONG FileIndex;
3473 ULONG FileNameLength;
3474 WCHAR FileName[1];
3475 } FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION;
3476
3477 typedef struct _FILE_NOTIFY_INFORMATION {
3478 ULONG NextEntryOffset;
3479 ULONG Action;
3480 ULONG FileNameLength;
3481 WCHAR FileName[1];
3482 } FILE_NOTIFY_INFORMATION, *PFILE_NOTIFY_INFORMATION;
3483
3484 typedef struct _FILE_OBJECTID_INFORMATION {
3485 LONGLONG FileReference;
3486 UCHAR ObjectId[16];
3487 union {
3488 struct {
3489 UCHAR BirthVolumeId[16];
3490 UCHAR BirthObjectId[16];
3491 UCHAR DomainId[16];
3492 } ;
3493 UCHAR ExtendedInfo[48];
3494 };
3495 } FILE_OBJECTID_INFORMATION, *PFILE_OBJECTID_INFORMATION;
3496
3497 typedef struct _FILE_OLE_CLASSID_INFORMATION {
3498 GUID ClassId;
3499 } FILE_OLE_CLASSID_INFORMATION, *PFILE_OLE_CLASSID_INFORMATION;
3500
3501 typedef struct _FILE_OLE_ALL_INFORMATION {
3502 FILE_BASIC_INFORMATION BasicInformation;
3503 FILE_STANDARD_INFORMATION StandardInformation;
3504 FILE_INTERNAL_INFORMATION InternalInformation;
3505 FILE_EA_INFORMATION EaInformation;
3506 FILE_ACCESS_INFORMATION AccessInformation;
3507 FILE_POSITION_INFORMATION PositionInformation;
3508 FILE_MODE_INFORMATION ModeInformation;
3509 FILE_ALIGNMENT_INFORMATION AlignmentInformation;
3510 USN LastChangeUsn;
3511 USN ReplicationUsn;
3512 LARGE_INTEGER SecurityChangeTime;
3513 FILE_OLE_CLASSID_INFORMATION OleClassIdInformation;
3514 FILE_OBJECTID_INFORMATION ObjectIdInformation;
3515 FILE_STORAGE_TYPE StorageType;
3516 ULONG OleStateBits;
3517 ULONG OleId;
3518 ULONG NumberOfStreamReferences;
3519 ULONG StreamIndex;
3520 ULONG SecurityId;
3521 BOOLEAN ContentIndexDisable;
3522 BOOLEAN InheritContentIndexDisable;
3523 FILE_NAME_INFORMATION NameInformation;
3524 } FILE_OLE_ALL_INFORMATION, *PFILE_OLE_ALL_INFORMATION;
3525
3526 typedef struct _FILE_OLE_DIR_INFORMATION {
3527 ULONG NextEntryOffset;
3528 ULONG FileIndex;
3529 LARGE_INTEGER CreationTime;
3530 LARGE_INTEGER LastAccessTime;
3531 LARGE_INTEGER LastWriteTime;
3532 LARGE_INTEGER ChangeTime;
3533 LARGE_INTEGER EndOfFile;
3534 LARGE_INTEGER AllocationSize;
3535 ULONG FileAttributes;
3536 ULONG FileNameLength;
3537 FILE_STORAGE_TYPE StorageType;
3538 GUID OleClassId;
3539 ULONG OleStateBits;
3540 BOOLEAN ContentIndexDisable;
3541 BOOLEAN InheritContentIndexDisable;
3542 WCHAR FileName[1];
3543 } FILE_OLE_DIR_INFORMATION, *PFILE_OLE_DIR_INFORMATION;
3544
3545 typedef struct _FILE_OLE_INFORMATION {
3546 LARGE_INTEGER SecurityChangeTime;
3547 FILE_OLE_CLASSID_INFORMATION OleClassIdInformation;
3548 FILE_OBJECTID_INFORMATION ObjectIdInformation;
3549 FILE_STORAGE_TYPE StorageType;
3550 ULONG OleStateBits;
3551 BOOLEAN ContentIndexDisable;
3552 BOOLEAN InheritContentIndexDisable;
3553 } FILE_OLE_INFORMATION, *PFILE_OLE_INFORMATION;
3554
3555 typedef struct _FILE_OLE_STATE_BITS_INFORMATION {
3556 ULONG StateBits;
3557 ULONG StateBitsMask;
3558 } FILE_OLE_STATE_BITS_INFORMATION, *PFILE_OLE_STATE_BITS_INFORMATION;
3559
3560 typedef struct _FILE_PIPE_ASSIGN_EVENT_BUFFER {
3561 HANDLE EventHandle;
3562 ULONG KeyValue;
3563 } FILE_PIPE_ASSIGN_EVENT_BUFFER, *PFILE_PIPE_ASSIGN_EVENT_BUFFER;
3564
3565 typedef struct _FILE_PIPE_CLIENT_PROCESS_BUFFER {
3566 PVOID ClientSession;
3567 PVOID ClientProcess;
3568 } FILE_PIPE_CLIENT_PROCESS_BUFFER, *PFILE_PIPE_CLIENT_PROCESS_BUFFER;
3569
3570 typedef struct _FILE_PIPE_EVENT_BUFFER {
3571 ULONG NamedPipeState;
3572 ULONG EntryType;
3573 ULONG ByteCount;
3574 ULONG KeyValue;
3575 ULONG NumberRequests;
3576 } FILE_PIPE_EVENT_BUFFER, *PFILE_PIPE_EVENT_BUFFER;
3577
3578 typedef struct _FILE_PIPE_INFORMATION {
3579 ULONG ReadMode;
3580 ULONG CompletionMode;
3581 } FILE_PIPE_INFORMATION, *PFILE_PIPE_INFORMATION;
3582
3583 typedef struct _FILE_PIPE_LOCAL_INFORMATION {
3584 ULONG NamedPipeType;
3585 ULONG NamedPipeConfiguration;
3586 ULONG MaximumInstances;
3587 ULONG CurrentInstances;
3588 ULONG InboundQuota;
3589 ULONG ReadDataAvailable;
3590 ULONG OutboundQuota;
3591 ULONG WriteQuotaAvailable;
3592 ULONG NamedPipeState;
3593 ULONG NamedPipeEnd;
3594 } FILE_PIPE_LOCAL_INFORMATION, *PFILE_PIPE_LOCAL_INFORMATION;
3595
3596 typedef struct _FILE_PIPE_PEEK_BUFFER {
3597 ULONG NamedPipeState;
3598 ULONG ReadDataAvailable;
3599 ULONG NumberOfMessages;
3600 ULONG MessageLength;
3601 CHAR Data[1];
3602 } FILE_PIPE_PEEK_BUFFER, *PFILE_PIPE_PEEK_BUFFER;
3603
3604 typedef struct _FILE_PIPE_REMOTE_INFORMATION {
3605 LARGE_INTEGER CollectDataTime;
3606 ULONG MaximumCollectionCount;
3607 } FILE_PIPE_REMOTE_INFORMATION, *PFILE_PIPE_REMOTE_INFORMATION;
3608
3609 typedef struct _FILE_PIPE_WAIT_FOR_BUFFER {
3610 LARGE_INTEGER Timeout;
3611 ULONG NameLength;
3612 BOOLEAN TimeoutSpecified;
3613 WCHAR Name[1];
3614 } FILE_PIPE_WAIT_FOR_BUFFER, *PFILE_PIPE_WAIT_FOR_BUFFER;
3615
3616 typedef struct _FILE_QUOTA_INFORMATION {
3617 ULONG NextEntryOffset;
3618 ULONG SidLength;
3619 LARGE_INTEGER ChangeTime;
3620 LARGE_INTEGER QuotaUsed;
3621 LARGE_INTEGER QuotaThreshold;
3622 LARGE_INTEGER QuotaLimit;
3623 SID Sid;
3624 } FILE_QUOTA_INFORMATION, *PFILE_QUOTA_INFORMATION;
3625
3626 typedef struct _FILE_RENAME_INFORMATION {
3627 BOOLEAN ReplaceIfExists;
3628 HANDLE RootDirectory;
3629 ULONG FileNameLength;
3630 WCHAR FileName[1];
3631 } FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION;
3632
3633 typedef struct _FILE_STREAM_INFORMATION {
3634 ULONG NextEntryOffset;
3635 ULONG StreamNameLength;
3636 LARGE_INTEGER StreamSize;
3637 LARGE_INTEGER StreamAllocationSize;
3638 WCHAR StreamName[1];
3639 } FILE_STREAM_INFORMATION, *PFILE_STREAM_INFORMATION;
3640
3641 typedef struct _FILE_TRACKING_INFORMATION {
3642 HANDLE DestinationFile;
3643 ULONG ObjectInformationLength;
3644 CHAR ObjectInformation[1];
3645 } FILE_TRACKING_INFORMATION, *PFILE_TRACKING_INFORMATION;
3646
3647 typedef struct _FSRTL_COMMON_FCB_HEADER {
3648 CSHORT NodeTypeCode;
3649 CSHORT NodeByteSize;
3650 UCHAR Flags;
3651 UCHAR IsFastIoPossible;
3652 #if (VER_PRODUCTBUILD >= 1381)
3653 UCHAR Flags2;
3654 UCHAR Reserved : 4;
3655 UCHAR Version : 4;
3656 #endif // (VER_PRODUCTBUILD >= 1381)
3657 PERESOURCE Resource;
3658 PERESOURCE PagingIoResource;
3659 LARGE_INTEGER AllocationSize;
3660 LARGE_INTEGER FileSize;
3661 LARGE_INTEGER ValidDataLength;
3662 } FSRTL_COMMON_FCB_HEADER, *PFSRTL_COMMON_FCB_HEADER;
3663
3664 #if (VER_PRODUCTBUILD >= 2600)
3665
3666 #ifdef __cplusplus
3667 typedef struct _FSRTL_ADVANCED_FCB_HEADER:FSRTL_COMMON_FCB_HEADER {
3668 #else // __cplusplus
3669 typedef struct _FSRTL_ADVANCED_FCB_HEADER {
3670 FSRTL_COMMON_FCB_HEADER;
3671 #endif // __cplusplus
3672 PFAST_MUTEX FastMutex;
3673 LIST_ENTRY FilterContexts;
3674 EX_PUSH_LOCK PushLock;
3675 PVOID *FileContextSupportPointer;
3676 } FSRTL_ADVANCED_FCB_HEADER, *PFSRTL_ADVANCED_FCB_HEADER;
3677
3678 #endif // (VER_PRODUCTBUILD >= 2600)
3679
3680 typedef struct _GENERATE_NAME_CONTEXT {
3681 USHORT Checksum;
3682 BOOLEAN CheckSumInserted;
3683 UCHAR NameLength;
3684 WCHAR NameBuffer[8];
3685 ULONG ExtensionLength;
3686 WCHAR ExtensionBuffer[4];
3687 ULONG LastIndexValue;
3688 } GENERATE_NAME_CONTEXT, *PGENERATE_NAME_CONTEXT;
3689
3690 typedef struct _HANDLE_INFO { // Information about open handles
3691 union {
3692 PEPROCESS Process; // Pointer to PEPROCESS owning the Handle
3693 ULONG Count; // Count of HANDLE_INFO structures following this structure
3694 } HandleInfo;
3695 USHORT HandleCount;
3696 } HANDLE_INFO, *PHANDLE_INFO;
3697
3698 typedef struct _HANDLE_TABLE_ENTRY_INFO {
3699 ULONG AuditMask;
3700 } HANDLE_TABLE_ENTRY_INFO, *PHANDLE_TABLE_ENTRY_INFO;
3701
3702 typedef struct _HANDLE_TABLE_ENTRY {
3703 union {
3704 PVOID Object;
3705 ULONG ObAttributes;
3706 PHANDLE_TABLE_ENTRY_INFO InfoTable;
3707 ULONG Value;
3708 };
3709 union {
3710 ULONG GrantedAccess;
3711 USHORT GrantedAccessIndex;
3712 LONG NextFreeTableEntry;
3713 };
3714 USHORT CreatorBackTraceIndex;
3715 } HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;
3716
3717 typedef struct _MAPPING_PAIR {
3718 ULONGLONG Vcn;
3719 ULONGLONG Lcn;
3720 } MAPPING_PAIR, *PMAPPING_PAIR;
3721
3722 typedef struct _GET_RETRIEVAL_DESCRIPTOR {
3723 ULONG NumberOfPairs;
3724 ULONGLONG StartVcn;
3725 MAPPING_PAIR Pair[1];
3726 } GET_RETRIEVAL_DESCRIPTOR, *PGET_RETRIEVAL_DESCRIPTOR;
3727
3728 typedef struct _INITIAL_TEB {
3729 ULONG Unknown_1;
3730 ULONG Unknown_2;
3731 PVOID StackTop;
3732 PVOID StackBase;
3733 PVOID Unknown_3;
3734 } INITIAL_TEB, *PINITIAL_TEB;
3735
3736 typedef struct _IO_CLIENT_EXTENSION {
3737 struct _IO_CLIENT_EXTENSION *NextExtension;
3738 PVOID ClientIdentificationAddress;
3739 } IO_CLIENT_EXTENSION, *PIO_CLIENT_EXTENSION;
3740
3741 typedef struct _IO_COMPLETION_BASIC_INFORMATION {
3742 LONG Depth;
3743 } IO_COMPLETION_BASIC_INFORMATION, *PIO_COMPLETION_BASIC_INFORMATION;
3744
3745 typedef struct _KEVENT_PAIR {
3746 USHORT Type;
3747 USHORT Size;
3748 KEVENT Event1;
3749 KEVENT Event2;
3750 } KEVENT_PAIR, *PKEVENT_PAIR;
3751
3752 typedef struct _KINTERRUPT {
3753 CSHORT Type;
3754 CSHORT Size;
3755 LIST_ENTRY InterruptListEntry;
3756 PKSERVICE_ROUTINE ServiceRoutine;
3757 PVOID ServiceContext;
3758 KSPIN_LOCK SpinLock;
3759 ULONG TickCount;
3760 PKSPIN_LOCK ActualLock;
3761 PVOID DispatchAddress;
3762 ULONG Vector;
3763 KIRQL Irql;
3764 KIRQL SynchronizeIrql;
3765 BOOLEAN FloatingSave;
3766 BOOLEAN Connected;
3767 CHAR Number;
3768 UCHAR ShareVector;
3769 KINTERRUPT_MODE Mode;
3770 ULONG ServiceCount;
3771 ULONG DispatchCount;
3772 ULONG DispatchCode[106];
3773 } KINTERRUPT, *PKINTERRUPT;
3774
3775 typedef struct _KQUEUE {
3776 DISPATCHER_HEADER Header;
3777 LIST_ENTRY EntryListHead;
3778 ULONG CurrentCount;
3779 ULONG MaximumCount;
3780 LIST_ENTRY ThreadListHead;
3781 } KQUEUE, *PKQUEUE, *RESTRICTED_POINTER PRKQUEUE;
3782
3783 typedef struct _LARGE_MCB {
3784 PFAST_MUTEX FastMutex;
3785 ULONG MaximumPairCount;
3786 ULONG PairCount;
3787 POOL_TYPE PoolType;
3788 PVOID Mapping;
3789 } LARGE_MCB, *PLARGE_MCB;
3790
3791 typedef struct _LPC_MESSAGE {
3792 USHORT DataSize;
3793 USHORT MessageSize;
3794 USHORT MessageType;
3795 USHORT VirtualRangesOffset;
3796 CLIENT_ID ClientId;
3797 ULONG MessageId;
3798 ULONG SectionSize;
3799 UCHAR Data[1];
3800 } LPC_MESSAGE, *PLPC_MESSAGE;
3801
3802 typedef struct _LPC_SECTION_READ {
3803 ULONG Length;
3804 ULONG ViewSize;
3805 PVOID ViewBase;
3806 } LPC_SECTION_READ, *PLPC_SECTION_READ;
3807
3808 typedef struct _LPC_SECTION_WRITE {
3809 ULONG Length;
3810 HANDLE SectionHandle;
3811 ULONG SectionOffset;
3812 ULONG ViewSize;
3813 PVOID ViewBase;
3814 PVOID TargetViewBase;
3815 } LPC_SECTION_WRITE, *PLPC_SECTION_WRITE;
3816
3817 typedef struct _MAILSLOT_CREATE_PARAMETERS {
3818 ULONG MailslotQuota;
3819 ULONG MaximumMessageSize;
3820 LARGE_INTEGER ReadTimeout;
3821 BOOLEAN TimeoutSpecified;
3822 } MAILSLOT_CREATE_PARAMETERS, *PMAILSLOT_CREATE_PARAMETERS;
3823
3824 typedef struct _MBCB {
3825 CSHORT NodeTypeCode;
3826 CSHORT NodeIsInZone;
3827 ULONG PagesToWrite;
3828 ULONG DirtyPages;
3829 ULONG Reserved;
3830 LIST_ENTRY BitmapRanges;
3831 LONGLONG ResumeWritePage;
3832 BITMAP_RANGE BitmapRange1;
3833 BITMAP_RANGE BitmapRange2;
3834 BITMAP_RANGE BitmapRange3;
3835 } MBCB, *PMBCB;
3836
3837 typedef struct _MCB {
3838 LARGE_MCB LargeMcb;
3839 } MCB, *PMCB;
3840
3841 typedef struct _MOVEFILE_DESCRIPTOR {
3842 HANDLE FileHandle;
3843 ULONG Reserved;
3844 LARGE_INTEGER StartVcn;
3845 LARGE_INTEGER TargetLcn;
3846 ULONG NumVcns;
3847 ULONG Reserved1;
3848 } MOVEFILE_DESCRIPTOR, *PMOVEFILE_DESCRIPTOR;
3849
3850 typedef struct _NAMED_PIPE_CREATE_PARAMETERS {
3851 ULONG NamedPipeType;
3852 ULONG ReadMode;
3853 ULONG CompletionMode;
3854 ULONG MaximumInstances;
3855 ULONG InboundQuota;
3856 ULONG OutboundQuota;
3857 LARGE_INTEGER DefaultTimeout;
3858 BOOLEAN TimeoutSpecified;
3859 } NAMED_PIPE_CREATE_PARAMETERS, *PNAMED_PIPE_CREATE_PARAMETERS;
3860
3861 typedef struct _QUOTA_BLOCK {
3862 KSPIN_LOCK QuotaLock;
3863 ULONG ReferenceCount; // Number of processes using this block
3864 ULONG PeakNonPagedPoolUsage;
3865 ULONG PeakPagedPoolUsage;
3866 ULONG NonPagedpoolUsage;
3867 ULONG PagedPoolUsage;
3868 ULONG NonPagedPoolLimit;
3869 ULONG PagedPoolLimit;
3870 ULONG PeakPagefileUsage;
3871 ULONG PagefileUsage;
3872 ULONG PageFileLimit;
3873 } QUOTA_BLOCK, *PQUOTA_BLOCK;
3874
3875 typedef struct _OBJECT_BASIC_INFO {
3876 ULONG Attributes;
3877 ACCESS_MASK GrantedAccess;
3878 ULONG HandleCount;
3879 ULONG ReferenceCount;
3880 ULONG PagedPoolUsage;
3881 ULONG NonPagedPoolUsage;
3882 ULONG Reserved[3];
3883 ULONG NameInformationLength;
3884 ULONG TypeInformationLength;
3885 ULONG SecurityDescriptorLength;
3886 LARGE_INTEGER CreateTime;
3887 } OBJECT_BASIC_INFO, *POBJECT_BASIC_INFO;
3888
3889 typedef struct _OBJECT_CREATE_INFORMATION {
3890 ULONG Attributes;
3891 HANDLE RootDirectory; // 0x4
3892 PVOID ParseContext; // 0x8
3893 KPROCESSOR_MODE ProbeMode; // 0xc
3894 ULONG PagedPoolCharge; // 0x10
3895 ULONG NonPagedPoolCharge; // 0x14
3896 ULONG SecurityDescriptorCharge; // 0x18
3897 PSECURITY_DESCRIPTOR SecurityDescriptor; // 0x1c
3898 PSECURITY_QUALITY_OF_SERVICE SecurityQos; // 0x20
3899 SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService; // 0x24
3900 } OBJECT_CREATE_INFORMATION, *POBJECT_CREATE_INFORMATION;
3901
3902 typedef struct _OBJECT_CREATOR_INFO {
3903 LIST_ENTRY Creator;
3904 ULONG UniqueProcessId; // Creator's Process ID
3905 ULONG Reserved; // Alignment
3906 } OBJECT_CREATOR_INFO, *POBJECT_CREATOR_INFO;
3907
3908 typedef struct _OBJECT_DIRECTORY_ITEM {
3909 struct _OBJECT_DIRECTORY_ITEM *Next;
3910 PVOID Object;
3911 } OBJECT_DIRECTORY_ITEM, *POBJECT_DIRECTORY_ITEM;
3912
3913 typedef struct _OBJECT_DIRECTORY {
3914 POBJECT_DIRECTORY_ITEM HashEntries[0x25];
3915 POBJECT_DIRECTORY_ITEM LastHashAccess;
3916 ULONG LastHashResult;
3917 } OBJECT_DIRECTORY, *POBJECT_DIRECTORY;
3918
3919 typedef struct _OBJECT_HANDLE_ATTRIBUTE_INFO {
3920 BOOLEAN Inherit;
3921 BOOLEAN ProtectFromClose;
3922</