1 /* $Id: zw.h,v 1.17 1999/07/22 21:29:46 ekohl Exp $
3 * COPYRIGHT: See COPYING in the top level directory
4 * PROJECT: ReactOS kernel
5 * PURPOSE: System call definitions
6 * FILE: include/ddk/zw.h
8 * ??/??/??: First few functions (David Welch)
9 * ??/??/??: Complete implementation by Ariadne
10 * 13/07/98: Reorganised things a bit (David Welch)
11 * 04/08/98: Added some documentation (Ariadne)
12 * 14/08/98: Added type TIME and change variable type from [1] to [0]
13 * 14/09/98: Added for each Nt call a corresponding Zw Call
19 #if defined(WIN32_LEAN_AND_MEAN) && !defined(TOKEN_INFORMATION_CLASS_DEFINED)
21 typedef enum _TOKEN_INFORMATION_CLASS
{
30 TokenImpersonationLevel
,
32 } TOKEN_INFORMATION_CLASS
;
34 typedef struct _SID_AND_ATTRIBUTES
{
37 } SID_AND_ATTRIBUTES
;
39 typedef SID_AND_ATTRIBUTES SID_AND_ATTRIBUTES_ARRAY
[ANYSIZE_ARRAY
];
40 typedef SID_AND_ATTRIBUTES_ARRAY
*PSID_AND_ATTRIBUTES_ARRAY
;
42 typedef struct _TOKEN_DEFAULT_DACL
{
44 } TOKEN_DEFAULT_DACL
, *PTOKEN_DEFAULT_DACL
;
46 typedef struct _TOKEN_GROUPS
{
48 SID_AND_ATTRIBUTES Groups
[ANYSIZE_ARRAY
];
49 } TOKEN_GROUPS
, *PTOKEN_GROUPS
, *LPTOKEN_GROUPS
;
51 typedef struct _TOKEN_OWNER
{
53 } TOKEN_OWNER
, *PTOKEN_OWNER
;
55 typedef struct _TOKEN_PRIMARY_GROUP
{
57 } TOKEN_PRIMARY_GROUP
, *PTOKEN_PRIMARY_GROUP
;
59 typedef struct _TOKEN_PRIVILEGES
{
61 LUID_AND_ATTRIBUTES Privileges
[ANYSIZE_ARRAY
];
62 } TOKEN_PRIVILEGES
, *PTOKEN_PRIVILEGES
, *LPTOKEN_PRIVILEGES
;
64 typedef struct _TOKEN_USER
{
65 SID_AND_ATTRIBUTES User
;
66 } TOKEN_USER
, *PTOKEN_USER
;
71 #define SECURITY_INFORMATION ULONG
75 * FUNCTION: Checks a clients access rights to a object
77 * SecurityDescriptor = Security information against which the access is checked
78 * ClientToken = Represents a client
82 * ReturnLength = Bytes written
84 * AccessStatus = Indicates if the ClientToken allows the requested access
85 * REMARKS: The arguments map to the win32 AccessCheck
92 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
93 IN HANDLE ClientToken
,
94 IN ACCESS_MASK DesiredAcces
,
95 IN PGENERIC_MAPPING GenericMapping
,
96 OUT PPRIVILEGE_SET PrivilegeSet
,
97 OUT PULONG ReturnLength
,
98 OUT PULONG GrantedAccess
,
99 OUT PBOOLEAN AccessStatus
104 IN PSECURITY_DESCRIPTOR SecurityDescriptor
,
105 IN HANDLE ClientToken
,
106 IN ACCESS_MASK DesiredAcces
,
107 IN PGENERIC_MAPPING GenericMapping
,
108 OUT PPRIVILEGE_SET PrivilegeSet
,
109 OUT PULONG ReturnLength
,
110 OUT PULONG GrantedAccess
,
111 OUT PBOOLEAN AccessStatus
115 * FUNCTION: Checks a clients access rights to a object and issues a audit a alarm. ( it logs the access )
117 SubsystemName = Specifies the name of the subsystem, can be "WIN32" or "DEBUG"
126 * REMARKS: The arguments map to the win32 AccessCheck
132 NtAccessCheckAndAuditAlarm(
133 IN PUNICODE_STRING SubsystemName
,
134 IN PHANDLE ObjectHandle
,
135 IN POBJECT_ATTRIBUTES ObjectAttributes
,
136 IN ACCESS_MASK DesiredAccess
,
137 IN PGENERIC_MAPPING GenericMapping
,
138 IN BOOLEAN ObjectCreation
,
139 OUT PULONG GrantedAccess
,
140 OUT PBOOLEAN AccessStatus
,
141 OUT PBOOLEAN GenerateOnClose
146 ZwAccessCheckAndAuditAlarm(
147 IN PUNICODE_STRING SubsystemName
,
148 IN PHANDLE ObjectHandle
,
149 IN POBJECT_ATTRIBUTES ObjectAttributes
,
150 IN ACCESS_MASK DesiredAccess
,
151 IN PGENERIC_MAPPING GenericMapping
,
152 IN BOOLEAN ObjectCreation
,
153 OUT PULONG GrantedAccess
,
154 OUT PBOOLEAN AccessStatus
,
155 OUT PBOOLEAN GenerateOnClose
159 * FUNCTION: Adds an atom to the global atom table
161 * Atom (OUT) = Caller supplies storage for the resulting atom.
162 * AtomString = The string to add to the atom table.
163 * REMARKS: The arguments map to the win32 add GlobalAddAtom.
170 IN PUNICODE_STRING AtomString
178 IN PUNICODE_STRING AtomString
183 * FUNCTION: Adjusts the groups in an access token
185 TokenHandle = Specifies the access token
186 * ResetToDefault = If true the NewState parameter is ignored and the groups are set to
187 their default state, if false the groups specified in
190 BufferLength = Specifies the size of the buffer for the PreviousState.
192 ReturnLength = Bytes written in PreviousState buffer.
193 * REMARKS: The arguments map to the win32 AdjustTokenGroups
200 IN HANDLE TokenHandle
,
201 IN BOOLEAN ResetToDefault
,
202 IN PTOKEN_GROUPS NewState
,
203 IN ULONG BufferLength
,
204 OUT PTOKEN_GROUPS PreviousState OPTIONAL
,
205 OUT PULONG ReturnLength
211 IN HANDLE TokenHandle
,
212 IN BOOLEAN ResetToDefault
,
213 IN PTOKEN_GROUPS NewState
,
214 IN ULONG BufferLength
,
215 OUT PTOKEN_GROUPS PreviousState
,
216 OUT PULONG ReturnLength
224 * TokenHandle = Handle to the access token
225 * DisableAllPrivileges = The resulting suspend count.
231 * The arguments map to the win32 AdjustTokenPrivileges
237 NtAdjustPrivilegesToken(
238 IN HANDLE TokenHandle
,
239 IN BOOLEAN DisableAllPrivileges
,
240 IN PTOKEN_PRIVILEGES NewState
,
241 IN ULONG BufferLength
,
242 OUT PTOKEN_PRIVILEGES PreviousState
,
243 OUT PULONG ReturnLength
248 ZwAdjustPrivilegesToken(
249 IN HANDLE TokenHandle
,
250 IN BOOLEAN DisableAllPrivileges
,
251 IN PTOKEN_PRIVILEGES NewState
,
252 IN ULONG BufferLength
,
253 OUT PTOKEN_PRIVILEGES PreviousState
,
254 OUT PULONG ReturnLength
259 * FUNCTION: Decrements a thread's suspend count and places it in an alerted
262 * ThreadHandle = Handle to the thread that should be resumed
263 * SuspendCount = The resulting suspend count.
265 * A thread is resumed if its suspend count is 0
271 IN HANDLE ThreadHandle
,
272 OUT PULONG SuspendCount
278 IN HANDLE ThreadHandle
,
279 OUT PULONG SuspendCount
283 * FUNCTION: Puts the thread in a alerted state
285 * ThreadHandle = Handle to the thread that should be alerted
291 IN HANDLE ThreadHandle
297 IN HANDLE ThreadHandle
302 * FUNCTION: Allocates a locally unique id
304 * LocallyUniqueId = Locally unique number
309 NtAllocateLocallyUniqueId(
310 OUT LUID
*LocallyUniqueId
315 ZwAllocateLocallyUniqueId(
316 OUT LUID
*LocallyUniqueId
323 PULONG Version
, // ???
331 PULONG Version
, // ???
337 * FUNCTION: Allocates a block of virtual memory in the process address space
339 * ProcessHandle = The handle of the process which owns the virtual memory
340 * BaseAddress = A pointer to the virtual memory allocated. If you supply a non zero
341 * value the system will try to allocate the memory at the address supplied. It rounds
342 * it down to a multiple if the page size.
343 * ZeroBits = (OPTIONAL) You can specify the number of high order bits that must be zero, ensuring that
344 * the memory will be allocated at a address below a certain value.
345 * RegionSize = The number of bytes to allocate
346 * AllocationType = Indicates the type of virtual memory you like to allocated,
347 * can be one of the values : MEM_COMMIT, MEM_RESERVE, MEM_RESET, MEM_TOP_DOWN
348 * Protect = Indicates the protection type of the pages allocated, can be a combination of
349 * PAGE_READONLY, PAGE_READWRITE, PAGE_EXECUTE_READ,
350 * PAGE_EXECUTE_READWRITE, PAGE_GUARD, PAGE_NOACCESS, PAGE_NOACCESS
352 * This function maps to the win32 VirtualAllocEx. Virtual memory is process based so the
353 * protocol starts with a ProcessHandle. I splitted the functionality of obtaining the actual address and specifying
354 * the start address in two parameters ( BaseAddress and StartAddress ) The NumberOfBytesAllocated specify the range
355 * and the AllocationType and ProctectionType map to the other two parameters.
360 NtAllocateVirtualMemory(
361 IN HANDLE ProcessHandle
,
362 IN OUT PVOID
*BaseAddress
,
364 IN OUT PULONG RegionSize
,
365 IN ULONG AllocationType
,
369 NTSTATUS STDCALL
ZwAllocateVirtualMemory(IN HANDLE ProcessHandle
,
370 IN OUT PVOID
*BaseAddress
,
372 IN OUT PULONG RegionSize
,
373 IN ULONG AllocationType
,
377 * FUNCTION: Returns from a callback into user mode
381 //FIXME: this function might need 3 parameters
395 * FUNCTION: Cancels a IO request
397 * FileHandle = Handle to the file
401 * This function maps to the win32 CancelIo.
407 IN HANDLE FileHandle
,
408 OUT PIO_STATUS_BLOCK IoStatusBlock
414 IN HANDLE FileHandle
,
415 OUT PIO_STATUS_BLOCK IoStatusBlock
418 * FUNCTION: Cancels a timer
420 * TimerHandle = Handle to the timer
421 * CurrentState = Specifies the state of the timer when cancelled.
423 * The arguments to this function map to the function CancelWaitableTimer.
429 IN HANDLE TimerHandle
,
430 OUT PBOOLEAN CurrentState OPTIONAL
436 IN HANDLE TimerHandle
,
437 OUT ULONG ElapsedTime
440 * FUNCTION: Sets the status of the event back to non-signaled
442 * EventHandle = Handle to the event
444 * This function maps to win32 function ResetEvent.
451 IN HANDLE EventHandle
457 IN HANDLE EventHandle
461 * FUNCTION: Closes an object handle
463 * Handle = Handle to the object
465 * This function maps to the win32 function CloseHandle.
482 * FUNCTION: Generates an audit message when a handle to an object is dereferenced
485 HandleId = Handle to the object
488 * This function maps to the win32 function ObjectCloseAuditAlarm.
496 NtCloseObjectAuditAlarm(
497 IN PUNICODE_STRING SubsystemName
,
499 IN BOOLEAN GenerateOnClose
504 ZwCloseObjectAuditAlarm(
505 IN PUNICODE_STRING SubsystemName
,
507 IN BOOLEAN GenerateOnClose
513 * FUNCTION: Continues a thread with the specified context
515 * Context = Specifies the processor context
516 * IrqLevel = Specifies the Interupt Request Level to continue with. Can
517 * be PASSIVE_LEVEL or APC_LEVEL
519 * NtContinue can be used to continue after an exception or apc.
522 //FIXME This function might need another parameter
531 NTSTATUS STDCALL
ZwContinue(IN PCONTEXT Context
, IN CINT IrqLevel
);
535 * FUNCTION: Creates a directory object
537 * DirectoryHandle (OUT) = Caller supplied storage for the resulting handle
538 * DesiredAccess = Specifies access to the directory
539 * ObjectAttribute = Initialized attributes for the object
540 * REMARKS: This function maps to the win32 CreateDirectory. A directory is like a file so it needs a
541 * handle, a access mask and a OBJECT_ATTRIBUTES structure to map the path name and the SECURITY_ATTRIBUTES.
547 NtCreateDirectoryObject(
548 OUT PHANDLE DirectoryHandle
,
549 IN ACCESS_MASK DesiredAccess
,
550 IN POBJECT_ATTRIBUTES ObjectAttributes
555 ZwCreateDirectoryObject(
556 OUT PHANDLE DirectoryHandle
,
557 IN ACCESS_MASK DesiredAccess
,
558 IN POBJECT_ATTRIBUTES ObjectAttributes
562 * FUNCTION: Creates an event object
564 * EventHandle (OUT) = Caller supplied storage for the resulting handle
565 * DesiredAccess = Specifies access to the event
566 * ObjectAttribute = Initialized attributes for the object
567 * ManualReset = manual-reset or auto-reset if true you have to reset the state of the event manually
568 * using NtResetEvent/NtClearEvent. if false the system will reset the event to a non-signalled state
569 * automatically after the system has rescheduled a thread waiting on the event.
570 * InitialState = specifies the initial state of the event to be signaled ( TRUE ) or non-signalled (FALSE).
571 * REMARKS: This function maps to the win32 CreateEvent. Demanding a out variable of type HANDLE,
572 * a access mask and a OBJECT_ATTRIBUTES structure mapping to the SECURITY_ATTRIBUTES. ManualReset and InitialState are
573 * both parameters aswell ( possibly the order is reversed ).
580 OUT PHANDLE EventHandle
,
581 IN ACCESS_MASK DesiredAccess
,
582 IN POBJECT_ATTRIBUTES ObjectAttributes
,
583 IN BOOLEAN ManualReset
,
584 IN BOOLEAN InitialState
590 OUT PHANDLE EventHandle
,
591 IN ACCESS_MASK DesiredAccess
,
592 IN POBJECT_ATTRIBUTES ObjectAttributes
,
593 IN BOOLEAN ManualReset
,
594 IN BOOLEAN InitialState
598 * FUNCTION: Creates an eventpair object
600 * EventPairHandle (OUT) = Caller supplied storage for the resulting handle
601 * DesiredAccess = Specifies access to the event
602 * ObjectAttribute = Initialized attributes for the object
608 OUT PHANDLE EventPairHandle
,
609 IN ACCESS_MASK DesiredAccess
,
610 IN POBJECT_ATTRIBUTES ObjectAttributes
616 OUT PHANDLE EventPairHandle
,
617 IN ACCESS_MASK DesiredAccess
,
618 IN POBJECT_ATTRIBUTES ObjectAttributes
623 * FUNCTION: Creates or opens a file, directory or device object.
625 * FileHandle (OUT) = Caller supplied storage for the resulting handle
626 * DesiredAccess = Specifies the allowed or desired access to the file can
627 * be a combination of DELETE | FILE_READ_DATA ..
628 * ObjectAttribute = Initialized attributes for the object, contains the rootdirectory and the filename
629 * IoStatusBlock (OUT) = Caller supplied storage for the resulting status information, indicating if the
630 * the file is created and opened or allready existed and is just opened.
631 * FileAttributes = file attributes can be a combination of FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN ...
632 * ShareAccess = can be a combination of the following: FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE
633 * CreateDisposition = specifies what the behavior of the system if the file allready exists.
634 * CreateOptions = specifies the behavior of the system on file creation.
635 * EaBuffer (OPTIONAL) = Extended Attributes buffer, applies only to files and directories.
636 * EaLength = Extended Attributes buffer size, applies only to files and directories.
637 * REMARKS: This function maps to the win32 CreateFile.
644 OUT PHANDLE FileHandle
,
645 IN ACCESS_MASK DesiredAccess
,
646 IN POBJECT_ATTRIBUTES ObjectAttributes
,
647 OUT PIO_STATUS_BLOCK IoStatusBlock
,
648 IN PLARGE_INTEGER AllocationSize OPTIONAL
,
649 IN ULONG FileAttributes
,
650 IN ULONG ShareAccess
,
651 IN ULONG CreateDisposition
,
652 IN ULONG CreateOptions
,
653 IN PVOID EaBuffer OPTIONAL
,
660 OUT PHANDLE FileHandle
,
661 IN ACCESS_MASK DesiredAccess
,
662 IN POBJECT_ATTRIBUTES ObjectAttributes
,
663 OUT PIO_STATUS_BLOCK IoStatusBlock
,
664 IN PLARGE_INTEGER AllocationSize OPTIONAL
,
665 IN ULONG FileAttributes
,
666 IN ULONG ShareAccess
,
667 IN ULONG CreateDisposition
,
668 IN ULONG CreateOptions
,
669 IN PVOID EaBuffer OPTIONAL
,
674 * FUNCTION: Creates or opens a file, directory or device object.
676 * CompletionPort (OUT) = Caller supplied storage for the resulting handle
677 * DesiredAccess = Specifies the allowed or desired access to the port
679 * NumberOfConcurrentThreads =
680 * REMARKS: This function maps to the win32 CreateIoCompletionPort
687 NtCreateIoCompletion(
688 OUT PHANDLE CompletionPort
,
689 IN ACCESS_MASK DesiredAccess
,
690 OUT PIO_STATUS_BLOCK IoStatusBlock
,
691 IN ULONG NumberOfConcurrentThreads
696 ZwCreateIoCompletion(
697 OUT PHANDLE CompletionPort
,
698 IN ACCESS_MASK DesiredAccess
,
699 OUT PIO_STATUS_BLOCK IoStatusBlock
,
700 IN ULONG NumberOfConcurrentThreads
705 * FUNCTION: Creates a mail slot file
707 * MailSlotFileHandle (OUT) = Caller supplied storage for the resulting handle
708 * DesiredAccess = Specifies the allowed or desired access to the file
709 * ObjectAttributes = Contains the name of the mailslotfile.
716 * REMARKS: This funciton maps to the win32 function CreateMailSlot
723 NtCreateMailslotFile(
724 OUT PHANDLE MailSlotFileHandle
,
725 IN ACCESS_MASK DesiredAccess
,
726 IN POBJECT_ATTRIBUTES ObjectAttributes
,
727 OUT PIO_STATUS_BLOCK IoStatusBlock
,
728 IN ULONG FileAttributes
,
729 IN ULONG ShareAccess
,
730 IN ULONG MaxMessageSize
,
731 IN PLARGE_INTEGER TimeOut
736 ZwCreateMailslotFile(
737 OUT PHANDLE MailSlotFileHandle
,
738 IN ACCESS_MASK DesiredAccess
,
739 IN POBJECT_ATTRIBUTES ObjectAttributes
,
740 OUT PIO_STATUS_BLOCK IoStatusBlock
,
741 IN ULONG FileAttributes
,
742 IN ULONG ShareAccess
,
743 IN ULONG MaxMessageSize
,
744 IN PLARGE_INTEGER TimeOut
748 * FUNCTION: Creates or opens a mutex
750 * MutantHandle (OUT) = Caller supplied storage for the resulting handle
751 * DesiredAccess = Specifies the allowed or desired access to the port
752 * ObjectAttributes = Contains the name of the mutex.
753 * InitialOwner = If true the calling thread acquires ownership
755 * REMARKS: This funciton maps to the win32 function CreateMutex
762 OUT PHANDLE MutantHandle
,
763 IN ACCESS_MASK DesiredAccess
,
764 IN POBJECT_ATTRIBUTES ObjectAttributes
,
765 IN BOOLEAN InitialOwner
771 OUT PHANDLE MutantHandle
,
772 IN ACCESS_MASK DesiredAccess
,
773 IN POBJECT_ATTRIBUTES ObjectAttributes
,
774 IN BOOLEAN InitialOwner
778 * FUNCTION: Creates a named pipe
780 * NamedPipeFileHandle (OUT) = Caller supplied storage for the resulting handle
781 * DesiredAccess = Specifies the allowed or desired access to the mutex
782 * ObjectAttributes = Contains the name of the mutex.
794 * REMARKS: This funciton maps to the win32 function CreateNamedPipe
801 NtCreateNamedPipeFile(
802 OUT PHANDLE NamedPipeFileHandle
,
803 IN ACCESS_MASK DesiredAccess
,
804 IN POBJECT_ATTRIBUTES ObjectAttributes
,
805 OUT PIO_STATUS_BLOCK IoStatusBlock
,
806 IN ULONG FileAttributes
,
807 IN ULONG ShareAccess
,
812 IN ULONG MaxInstances
,
813 IN ULONG InBufferSize
,
814 IN ULONG OutBufferSize
,
815 IN PLARGE_INTEGER TimeOut
820 ZwCreateNamedPipeFile(
821 OUT PHANDLE NamedPipeFileHandle
,
822 IN ACCESS_MASK DesiredAccess
,
823 IN POBJECT_ATTRIBUTES ObjectAttributes
,
824 OUT PIO_STATUS_BLOCK IoStatusBlock
,
825 IN ULONG FileAttributes
,
826 IN ULONG ShareAccess
,
831 IN ULONG MaxInstances
,
832 IN ULONG InBufferSize
,
833 IN ULONG OutBufferSize
,
834 IN PLARGE_INTEGER TimeOut
839 * FUNCTION: Creates a paging file.
841 * PageFileName = Name of the pagefile
842 * MinimumSize = Specifies the minimum size
843 * MaximumSize = Specifies the maximum size
844 * ActualSize(OUT) = Specifies the actual size
851 IN PUNICODE_STRING PageFileName
,
854 OUT PULONG ActualSize
860 IN PUNICODE_STRING PageFileName
,
863 OUT PULONG ActualSize
867 * FUNCTION: Creates a process.
869 * ProcessHandle (OUT) = Caller supplied storage for the resulting handle
870 * DesiredAccess = Specifies the allowed or desired access to the process can
871 * be a combinate of STANDARD_RIGHTS_REQUIRED| ..
872 * ObjectAttribute = Initialized attributes for the object, contains the rootdirectory and the filename
873 * ParentProcess = Handle to the parent process.
874 * InheritObjectTable = Specifies to inherit the objects of the parent process if true.
875 * SectionHandle = Handle to a section object to back the image file
876 * DebugPort = Handle to a DebugPort if NULL the system default debug port will be used.
877 * ExceptionPort = Handle to a exception port.
879 * This function maps to the win32 CreateProcess.
885 OUT PHANDLE ProcessHandle
,
886 IN ACCESS_MASK DesiredAccess
,
887 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
,
888 IN HANDLE ParentProcess
,
889 IN BOOLEAN InheritObjectTable
,
890 IN HANDLE SectionHandle OPTIONAL
,
891 IN HANDLE DebugPort OPTIONAL
,
892 IN HANDLE ExceptionPort OPTIONAL
898 OUT PHANDLE ProcessHandle
,
899 IN ACCESS_MASK DesiredAccess
,
900 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
,
901 IN HANDLE ParentProcess
,
902 IN BOOLEAN InheritObjectTable
,
903 IN HANDLE SectionHandle OPTIONAL
,
904 IN HANDLE DebugPort OPTIONAL
,
905 IN HANDLE ExceptionPort OPTIONAL
909 * FUNCTION: Creates a profile
911 * ProfileHandle (OUT) = Caller supplied storage for the resulting handle
912 * ObjectAttribute = Initialized attributes for the object
913 * ImageBase = Start address of executable image
914 * ImageSize = Size of the image
915 * Granularity = Bucket size
916 * Buffer = Caller supplies buffer for profiling info
917 * ProfilingSize = Buffer size
918 * ClockSource = Specify 0 / FALSE ??
919 * ProcessorMask = A value of -1 indicates disables per processor profiling,
920 otherwise bit set for the processor to profile.
922 * This function maps to the win32 CreateProcess.
929 OUT PHANDLE ProfileHandle
,
930 IN POBJECT_ATTRIBUTES ObjectAttributes
,
933 IN ULONG Granularity
,
935 IN ULONG ProfilingSize
,
936 IN ULONG ClockSource
,
937 IN ULONG ProcessorMask
943 OUT PHANDLE ProfileHandle
,
944 IN POBJECT_ATTRIBUTES ObjectAttributes
,
947 IN ULONG Granularity
,
949 IN ULONG ProfilingSize
,
950 IN ULONG ClockSource
,
951 IN ULONG ProcessorMask
955 * FUNCTION: Creates a section object.
957 * SectionHandle (OUT) = Caller supplied storage for the resulting handle
958 * DesiredAccess = Specifies the desired access to the section can be a combination of STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | SECTION_MAP_WRITE |
959 * SECTION_MAP_READ | SECTION_MAP_EXECUTE.
960 * ObjectAttribute = Initialized attributes for the object can be used to create a named section
961 * MaxiumSize = Maximizes the size of the memory section. Must be non-NULL for a page-file backed section.
962 * If value specified for a mapped file and the file is not large enough, file will be extended.
963 * SectionPageProtection = Can be a combination of PAGE_READONLY | PAGE_READWRITE | PAGE_WRITEONLY | PAGE_WRITECOPY.
964 * AllocationAttributes = can be a combination of SEC_IMAGE | SEC_RESERVE
965 * FileHanlde = Handle to a file to create a section mapped to a file instead of a memory backed section.
972 OUT PHANDLE SectionHandle
,
973 IN ACCESS_MASK DesiredAccess
,
974 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
,
975 IN PLARGE_INTEGER MaximumSize OPTIONAL
,
976 IN ULONG SectionPageProtection OPTIONAL
,
977 IN ULONG AllocationAttributes
,
978 IN HANDLE FileHandle OPTIONAL
984 OUT PHANDLE SectionHandle
,
985 IN ACCESS_MASK DesiredAccess
,
986 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
,
987 IN PLARGE_INTEGER MaximumSize OPTIONAL
,
988 IN ULONG SectionPageProtection OPTIONAL
,
989 IN ULONG AllocationAttributes
,
990 IN HANDLE FileHandle OPTIONAL
994 * FUNCTION: Creates a semaphore object for interprocess synchronization.
996 * SemaphoreHandle (OUT) = Caller supplied storage for the resulting handle
997 * DesiredAccess = Specifies the allowed or desired access to the semaphore.
998 * ObjectAttribute = Initialized attributes for the object.
999 * InitialCount = Not necessary zero, might be smaller than zero.
1000 * MaximumCount = Maxiumum count the semaphore can reach.
1003 * The semaphore is set to signaled when its count is greater than zero, and non-signaled when its count is zero.
1006 //FIXME: should a semaphore's initial count allowed to be smaller than zero ??
1010 OUT PHANDLE SemaphoreHandle
,
1011 IN ACCESS_MASK DesiredAccess
,
1012 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
,
1013 IN ULONG InitialCount
,
1014 IN ULONG MaximumCount
1020 OUT PHANDLE SemaphoreHandle
,
1021 IN ACCESS_MASK DesiredAccess
,
1022 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
,
1023 IN ULONG InitialCount
,
1024 IN ULONG MaximumCount
1028 * FUNCTION: Creates a symbolic link object
1030 * SymbolicLinkHandle (OUT) = Caller supplied storage for the resulting handle
1031 * DesiredAccess = Specifies the allowed or desired access to the thread.
1032 * ObjectAttributes = Initialized attributes for the object.
1033 * Name = Target name of the symbolic link
1038 NtCreateSymbolicLinkObject(
1039 OUT PHANDLE SymbolicLinkHandle
,
1040 IN ACCESS_MASK DesiredAccess
,
1041 IN POBJECT_ATTRIBUTES ObjectAttributes
,
1042 IN PUNICODE_STRING Name
1047 ZwCreateSymbolicLinkObject(
1048 OUT PHANDLE SymbolicLinkHandle
,
1049 IN ACCESS_MASK DesiredAccess
,
1050 IN POBJECT_ATTRIBUTES ObjectAttributes
,
1051 IN PUNICODE_STRING Name
1055 * FUNCTION: Creates a user mode thread
1057 * ThreadHandle (OUT) = Caller supplied storage for the resulting handle
1058 * DesiredAccess = Specifies the allowed or desired access to the thread.
1059 * ObjectAttributes = Initialized attributes for the object.
1060 * ProcessHandle = Handle to the threads parent process.
1061 * ClientId (OUT) = Caller supplies storage for returned process id and thread id.
1062 * ThreadContext = Initial processor context for the thread.
1063 * InitialTeb = Initial user mode stack context for the thread.
1064 * CreateSuspended = Specifies if the thread is ready for scheduling
1066 * This function maps to the win32 function CreateThread.
1072 OUT PHANDLE ThreadHandle
,
1073 IN ACCESS_MASK DesiredAccess
,
1074 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
,
1075 IN HANDLE ProcessHandle
,
1076 OUT PCLIENT_ID ClientId
,
1077 IN PCONTEXT ThreadContext
,
1078 IN PINITIAL_TEB InitialTeb
,
1079 IN BOOLEAN CreateSuspended
1085 OUT PHANDLE ThreadHandle
,
1086 IN ACCESS_MASK DesiredAccess
,
1087 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
,
1088 IN HANDLE ProcessHandle
,
1089 OUT PCLIENT_ID ClientId
,
1090 IN PCONTEXT ThreadContext
,
1091 IN PINITIAL_TEB InitialTeb
,
1092 IN BOOLEAN CreateSuspended
1095 * FUNCTION: Creates a waitable timer.
1097 * TimerHandle (OUT) = Caller supplied storage for the resulting handle
1098 * DesiredAccess = Specifies the allowed or desired access to the timer.
1099 * ObjectAttributes = Initialized attributes for the object.
1100 * TimerType = Specifies if the timer should be reset manually.
1102 * This function maps to the win32 CreateWaitableTimer. lpTimerAttributes and lpTimerName map to
1103 * corresponding fields in OBJECT_ATTRIBUTES structure.
1110 OUT PHANDLE TimerHandle
,
1111 IN ACCESS_MASK DesiredAccess
,
1112 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
,
1119 OUT PHANDLE TimerHandle
,
1120 IN ACCESS_MASK DesiredAccess
,
1121 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
,
1126 * FUNCTION: Creates a token.
1128 * TokenHandle (OUT) = Caller supplied storage for the resulting handle
1129 * DesiredAccess = Specifies the allowed or desired access to the process can
1130 * be a combinate of STANDARD_RIGHTS_REQUIRED| ..
1131 * ObjectAttribute = Initialized attributes for the object, contains the rootdirectory and the filename
1133 * AuthenticationId =
1139 * TokenPrimaryGroup =
1140 * TokenDefaultDacl =
1143 * This function does not map to a win32 function
1150 OUT PHANDLE TokenHandle
,
1151 IN ACCESS_MASK DesiredAccess
,
1152 IN POBJECT_ATTRIBUTES ObjectAttributes
,
1153 IN TOKEN_TYPE TokenType
,
1154 IN PLUID AuthenticationId
,
1155 IN PLARGE_INTEGER ExpirationTime
,
1156 IN PTOKEN_USER TokenUser
,
1157 IN PTOKEN_GROUPS TokenGroups
,
1158 IN PTOKEN_PRIVILEGES TokenPrivileges
,
1159 IN PTOKEN_OWNER TokenOwner
,
1160 IN PTOKEN_PRIMARY_GROUP TokenPrimaryGroup
,
1161 IN PTOKEN_DEFAULT_DACL TokenDefaultDacl
,
1162 IN PTOKEN_SOURCE TokenSource
1168 OUT PHANDLE TokenHandle
,
1169 IN ACCESS_MASK DesiredAccess
,
1170 IN POBJECT_ATTRIBUTES ObjectAttributes
,
1171 IN TOKEN_TYPE TokenType
,
1172 IN PLUID AuthenticationId
,
1173 IN PLARGE_INTEGER ExpirationTime
,
1174 IN PTOKEN_USER TokenUser
,
1175 IN PTOKEN_GROUPS TokenGroups
,
1176 IN PTOKEN_PRIVILEGES TokenPrivileges
,
1177 IN PTOKEN_OWNER TokenOwner
,
1178 IN PTOKEN_PRIMARY_GROUP TokenPrimaryGroup
,
1179 IN PTOKEN_DEFAULT_DACL TokenDefaultDacl
,
1180 IN PTOKEN_SOURCE TokenSource
1184 * FUNCTION: Returns the callers thread TEB.
1185 * RETURNS: The resulting teb.
1193 * FUNCTION: Delays the execution of the calling thread.
1195 * Alertable = If TRUE the thread is alertable during is wait period
1196 * Interval = Specifies the interval to wait.
1202 IN BOOLEAN Alertable
,
1209 IN BOOLEAN Alertable
,
1215 * FUNCTION: Deletes an atom from the global atom table
1217 * Atom = Identifies the atom to delete
1219 * The function maps to the win32 GlobalDeleteAtom
1235 * FUNCTION: Deletes a file or a directory
1237 * ObjectAttributes = Name of the file which should be deleted
1239 * This system call is functionally equivalent to NtSetInformationFile
1240 * setting the disposition information.
1241 * The function maps to the win32 DeleteFile.
1247 IN POBJECT_ATTRIBUTES ObjectAttributes
1253 IN POBJECT_ATTRIBUTES ObjectAttributes
1257 * FUNCTION: Deletes a registry key
1259 * KeyHandle = Handle of the key
1274 * FUNCTION: Generates a audit message when an object is deleted
1276 * SubsystemName = Spefies the name of the subsystem can be 'WIN32' or 'DEBUG'
1277 * HandleId= Handle to an audit object
1278 * GenerateOnClose = Value returned by NtAccessCheckAndAuditAlarm
1279 * REMARKS: This function maps to the win32 ObjectCloseAuditAlarm
1285 NtDeleteObjectAuditAlarm (
1286 IN PUNICODE_STRING SubsystemName
,
1288 IN BOOLEAN GenerateOnClose
1293 ZwDeleteObjectAuditAlarm (
1294 IN PUNICODE_STRING SubsystemName
,
1296 IN BOOLEAN GenerateOnClose
1301 * FUNCTION: Deletes a value from a registry key
1303 * KeyHandle = Handle of the key
1304 * ValueName = Name of the value to delete
1311 IN HANDLE KeyHandle
,
1312 IN PUNICODE_STRING ValueName
1318 IN HANDLE KeyHandle
,
1319 IN PUNICODE_STRING ValueName
1322 * FUNCTION: Sends IOCTL to the io sub system
1324 * DeviceHandle = Points to the handle that is created by NtCreateFile
1325 * Event = Event to synchronize on STATUS_PENDING
1326 * ApcRoutine = Asynchroneous procedure callback
1327 * ApcContext = Callback context.
1328 * IoStatusBlock = Caller should supply storage for extra information..
1329 * IoControlCode = Contains the IO Control command. This is an
1330 * index to the structures in InputBuffer and OutputBuffer.
1331 * InputBuffer = Caller should supply storage for input buffer if IOTL expects one.
1332 * InputBufferSize = Size of the input bufffer
1333 * OutputBuffer = Caller should supply storage for output buffer if IOTL expects one.
1334 * OutputBufferSize = Size of the input bufffer
1340 NtDeviceIoControlFile(
1341 IN HANDLE DeviceHandle
,
1342 IN HANDLE Event OPTIONAL
,
1343 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL
,
1344 IN PVOID UserApcContext OPTIONAL
,
1345 OUT PIO_STATUS_BLOCK IoStatusBlock
,
1346 IN ULONG IoControlCode
,
1347 IN PVOID InputBuffer
,
1348 IN ULONG InputBufferSize
,
1349 OUT PVOID OutputBuffer
,
1350 IN ULONG OutputBufferSize
1355 ZwDeviceIoControlFile(
1356 IN HANDLE DeviceHandle
,
1357 IN HANDLE Event OPTIONAL
,
1358 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL
,
1359 IN PVOID UserApcContext OPTIONAL
,
1360 OUT PIO_STATUS_BLOCK IoStatusBlock
,
1361 IN ULONG IoControlCode
,
1362 IN PVOID InputBuffer
,
1363 IN ULONG InputBufferSize
,
1364 OUT PVOID OutputBuffer
,
1365 IN ULONG OutputBufferSize
1368 * FUNCTION: Displays a string on the blue screen
1370 * DisplayString = The string to display
1377 IN PUNICODE_STRING DisplayString
1383 IN PUNICODE_STRING DisplayString
1387 * FUNCTION: Copies a handle from one process space to another
1389 * SourceProcessHandle = The source process owning the handle. The source process should have opened
1390 * the SourceHandle with PROCESS_DUP_HANDLE access.
1391 * SourceHandle = The handle to the object.
1392 * TargetProcessHandle = The destination process owning the handle
1393 * TargetHandle (OUT) = Caller should supply storage for the duplicated handle.
1394 * DesiredAccess = The desired access to the handle.
1395 * InheritHandle = Indicates wheter the new handle will be inheritable or not.
1396 * Options = Specifies special actions upon duplicating the handle. Can be
1397 * one of the values DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS.
1398 * DUPLICATE_CLOSE_SOURCE specifies that the source handle should be
1399 * closed after duplicating. DUPLICATE_SAME_ACCESS specifies to ignore
1400 * the DesiredAccess paramter and just grant the same access to the new
1403 * REMARKS: This function maps to the win32 DuplicateHandle.
1409 IN HANDLE SourceProcessHandle
,
1410 IN PHANDLE SourceHandle
,
1411 IN HANDLE TargetProcessHandle
,
1412 OUT PHANDLE TargetHandle
,
1413 IN ACCESS_MASK DesiredAccess
,
1414 IN BOOLEAN InheritHandle
,
1421 IN HANDLE SourceProcessHandle
,
1422 IN PHANDLE SourceHandle
,
1423 IN HANDLE TargetProcessHandle
,
1424 OUT PHANDLE TargetHandle
,
1425 IN ACCESS_MASK DesiredAccess
,
1426 IN BOOLEAN InheritHandle
,
1433 IN HANDLE ExistingToken
,
1434 IN ACCESS_MASK DesiredAccess
,
1435 IN POBJECT_ATTRIBUTES ObjectAttributes
,
1436 IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
,
1437 IN TOKEN_TYPE TokenType
,
1438 OUT PHANDLE NewToken
1444 IN HANDLE ExistingToken
,
1445 IN ACCESS_MASK DesiredAccess
,
1446 IN POBJECT_ATTRIBUTES ObjectAttributes
,
1447 IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
,
1448 IN TOKEN_TYPE TokenType
,
1449 OUT PHANDLE NewToken
1452 * FUNCTION: Returns information about the subkeys of an open key
1454 * KeyHandle = Handle of the key whose subkeys are to enumerated
1455 * Index = zero based index of the subkey for which information is
1457 * KeyInformationClass = Type of information returned
1458 * KeyInformation (OUT) = Caller allocated buffer for the information
1460 * Length = Length in bytes of the KeyInformation buffer
1461 * ResultLength (OUT) = Caller allocated storage which holds
1462 * the number of bytes of information retrieved
1469 IN HANDLE KeyHandle
,
1471 IN KEY_INFORMATION_CLASS KeyInformationClass
,
1472 OUT PVOID KeyInformation
,
1474 OUT PULONG ResultLength
1480 IN HANDLE KeyHandle
,
1482 IN KEY_INFORMATION_CLASS KeyInformationClass
,
1483 OUT PVOID KeyInformation
,
1485 OUT PULONG ResultLength
1488 * FUNCTION: Returns information about the value entries of an open key
1490 * KeyHandle = Handle of the key whose value entries are to enumerated
1491 * Index = zero based index of the subkey for which information is
1493 * KeyInformationClass = Type of information returned
1494 * KeyInformation (OUT) = Caller allocated buffer for the information
1496 * Length = Length in bytes of the KeyInformation buffer
1497 * ResultLength (OUT) = Caller allocated storage which holds
1498 * the number of bytes of information retrieved
1504 NtEnumerateValueKey(
1505 IN HANDLE KeyHandle
,
1507 IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass
,
1508 OUT PVOID KeyValueInformation
,
1510 OUT PULONG ResultLength
1515 ZwEnumerateValueKey(
1516 IN HANDLE KeyHandle
,
1518 IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass
,
1519 OUT PVOID KeyValueInformation
,
1521 OUT PULONG ResultLength
1524 * FUNCTION: Extends a section
1526 * SectionHandle = Handle to the section
1527 * NewMaximumSize = Adjusted size
1533 IN HANDLE SectionHandle
,
1534 IN ULONG NewMaximumSize
1539 IN HANDLE SectionHandle
,
1540 IN ULONG NewMaximumSize
1544 * FUNCTION: Finds a atom
1546 * Atom = Caller supplies storage for the resulting atom
1547 * AtomString = String to search for.
1550 * This funciton maps to the win32 GlobalFindAtom
1556 IN PUNICODE_STRING AtomString
1563 IN PUNICODE_STRING AtomString
1566 * FUNCTION: Flushes chached file data to disk
1568 * FileHandle = Points to the file
1569 * IoStatusBlock = Caller must supply storage to receive the result of the flush
1570 * buffers operation. The information field is set to number of bytes
1574 * This funciton maps to the win32 FlushFileBuffers
1579 IN HANDLE FileHandle
,
1580 OUT PIO_STATUS_BLOCK IoStatusBlock
1586 IN HANDLE FileHandle
,
1587 OUT PIO_STATUS_BLOCK IoStatusBlock
1590 * FUNCTION: Flushes a the processors instruction cache
1592 * ProcessHandle = Points to the process owning the cache
1593 * BaseAddress = // might this be a image address ????
1594 * NumberOfBytesToFlush =
1597 * This funciton is used by debuggers
1601 NtFlushInstructionCache(
1602 IN HANDLE ProcessHandle
,
1603 IN PVOID BaseAddress
,
1604 IN UINT NumberOfBytesToFlush
1608 ZwFlushInstructionCache(
1609 IN HANDLE ProcessHandle
,
1610 IN PVOID BaseAddress
,
1611 IN UINT NumberOfBytesToFlush
1614 * FUNCTION: Flushes a registry key to disk
1616 * KeyHandle = Points to the registry key handle
1619 * This funciton maps to the win32 RegFlushKey.
1634 * FUNCTION: Flushes virtual memory to file
1636 * ProcessHandle = Points to the process that allocated the virtual memory
1637 * BaseAddress = Points to the memory address
1638 * NumberOfBytesToFlush = Limits the range to flush,
1639 * NumberOfBytesFlushed = Actual number of bytes flushed
1642 * Check return status on STATUS_NOT_MAPPED_DATA
1646 NtFlushVirtualMemory(
1647 IN HANDLE ProcessHandle
,
1648 IN PVOID BaseAddress
,
1649 IN ULONG NumberOfBytesToFlush
,
1650 OUT PULONG NumberOfBytesFlushed OPTIONAL
1654 ZwFlushVirtualMemory(
1655 IN HANDLE ProcessHandle
,
1656 IN PVOID BaseAddress
,
1657 IN ULONG NumberOfBytesToFlush
,
1658 OUT PULONG NumberOfBytesFlushed OPTIONAL
1662 * FUNCTION: Flushes the dirty pages to file
1664 * FIXME: Not sure this does (how is the file specified)
1666 NTSTATUS STDCALL
NtFlushWriteBuffer(VOID
);
1667 NTSTATUS STDCALL
ZwFlushWriteBuffer(VOID
);
1670 * FUNCTION: Frees a range of virtual memory
1672 * ProcessHandle = Points to the process that allocated the virtual
1674 * BaseAddress = Points to the memory address, rounded down to a
1675 * multiple of the pagesize
1676 * RegionSize = Limits the range to free, rounded up to a multiple of
1678 * FreeType = Can be one of the values: MEM_DECOMMIT, or MEM_RELEASE
1681 NTSTATUS STDCALL
NtFreeVirtualMemory(IN HANDLE ProcessHandle
,
1682 IN PVOID
*BaseAddress
,
1683 IN PULONG RegionSize
,
1685 NTSTATUS STDCALL
ZwFreeVirtualMemory(IN HANDLE ProcessHandle
,
1686 IN PVOID
*BaseAddress
,
1687 IN PULONG RegionSize
,
1691 * FUNCTION: Sends FSCTL to the filesystem
1693 * DeviceHandle = Points to the handle that is created by NtCreateFile
1694 * Event = Event to synchronize on STATUS_PENDING
1697 * IoStatusBlock = Caller should supply storage for
1698 * IoControlCode = Contains the File System Control command. This is an
1699 * index to the structures in InputBuffer and OutputBuffer.
1700 * FSCTL_GET_RETRIEVAL_POINTERS MAPPING_PAIR
1701 * FSCTL_GET_RETRIEVAL_POINTERS GET_RETRIEVAL_DESCRIPTOR
1702 * FSCTL_GET_VOLUME_BITMAP BITMAP_DESCRIPTOR
1703 * FSCTL_MOVE_FILE MOVEFILE_DESCRIPTOR
1705 * InputBuffer = Caller should supply storage for input buffer if FCTL expects one.
1706 * InputBufferSize = Size of the input bufffer
1707 * OutputBuffer = Caller should supply storage for output buffer if FCTL expects one.
1708 * OutputBufferSize = Size of the input bufffer
1709 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PENDING | STATUS_ACCESS_DENIED | STATUS_INSUFFICIENT_RESOURCES |
1710 * STATUS_INVALID_PARAMETER | STATUS_INVALID_DEVICE_REQUEST ]
1715 IN HANDLE DeviceHandle
,
1716 IN HANDLE Event OPTIONAL
,
1717 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
1718 IN PVOID ApcContext OPTIONAL
,
1719 OUT PIO_STATUS_BLOCK IoStatusBlock
,
1720 IN ULONG IoControlCode
,
1721 IN PVOID InputBuffer
,
1722 IN ULONG InputBufferSize
,
1723 OUT PVOID OutputBuffer
,
1724 IN ULONG OutputBufferSize
1730 IN HANDLE DeviceHandle
,
1731 IN HANDLE Event OPTIONAL
,
1732 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
1733 IN PVOID ApcContext OPTIONAL
,
1734 OUT PIO_STATUS_BLOCK IoStatusBlock
,
1735 IN ULONG IoControlCode
,
1736 IN PVOID InputBuffer
,
1737 IN ULONG InputBufferSize
,
1738 OUT PVOID OutputBuffer
,
1739 IN ULONG OutputBufferSize
1743 * FUNCTION: Retrieves the processor context of a thread
1745 * ThreadHandle = Handle to a thread
1746 * Context (OUT) = Caller allocated storage for the processor context
1753 IN HANDLE ThreadHandle
,
1754 OUT PCONTEXT Context
1760 IN HANDLE ThreadHandle
,
1761 OUT PCONTEXT Context
1764 * FUNCTION: Retrieves the uptime of the system
1766 * UpTime = Number of clock ticks since boot.
1782 * FUNCTION: Sets a thread to impersonate another
1784 * ThreadHandle = Server thread that will impersonate a client.
1785 ThreadToImpersonate = Client thread that will be impersonated
1786 SecurityQualityOfService = Specifies the impersonation level.
1792 NtImpersonateThread(
1793 IN HANDLE ThreadHandle
,
1794 IN HANDLE ThreadToImpersonate
,
1795 IN PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService
1800 ZwImpersonateThread(
1801 IN HANDLE ThreadHandle
,
1802 IN HANDLE ThreadToImpersonate
,
1803 IN PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService
1807 * FUNCTION: Initializes the registry.
1809 * SetUpBoot = This parameter is true for a setup boot.
1814 NtInitializeRegistry(
1819 ZwInitializeRegistry(
1824 * FUNCTION: Loads a driver.
1826 * DriverServiceName = Name of the driver to load
1832 IN PUNICODE_STRING DriverServiceName
1838 IN PUNICODE_STRING DriverServiceName
1843 * FUNCTION: Loads a registry key.
1845 * KeyHandle = Handle to the registry key
1846 ObjectAttributes = ???
1848 This procedure maps to the win32 procedure RegLoadKey
1855 OBJECT_ATTRIBUTES ObjectAttributes
1861 OBJECT_ATTRIBUTES ObjectAttributes
1864 * FUNCTION: Locks a range of bytes in a file.
1866 * FileHandle = Handle to the file
1867 * Event = Should be null if apc is specified.
1868 * ApcRoutine = Asynchroneous Procedure Callback
1869 * ApcContext = Argument to the callback
1870 * IoStatusBlock (OUT) = Caller should supply storage for a structure containing
1871 * the completion status and information about the requested lock operation.
1872 * ByteOffset = Offset
1873 * Length = Number of bytes to lock.
1874 * Key = Special value to give other threads the possibility to unlock the file
1875 by supplying the key in a call to NtUnlockFile.
1876 * FailImmediatedly = If false the request will block untill the lock is obtained.
1877 * ExclusiveLock = Specifies whether a exclusive or a shared lock is obtained.
1879 This procedure maps to the win32 procedure LockFileEx. STATUS_PENDING is returned if the lock could
1880 not be obtained immediately, the device queue is busy and the IRP is queued.
1881 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PENDING | STATUS_ACCESS_DENIED | STATUS_INSUFFICIENT_RESOURCES |
1882 STATUS_INVALID_PARAMETER | STATUS_INVALID_DEVICE_REQUEST | STATUS_LOCK_NOT_GRANTED ]
1888 IN HANDLE FileHandle
,
1889 IN HANDLE Event OPTIONAL
,
1890 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
1891 IN PVOID ApcContext OPTIONAL
,
1892 OUT PIO_STATUS_BLOCK IoStatusBlock
,
1893 IN PLARGE_INTEGER ByteOffset
,
1894 IN PLARGE_INTEGER Length
,
1896 IN BOOLEAN FailImmediatedly
,
1897 IN BOOLEAN ExclusiveLock
1903 IN HANDLE FileHandle
,
1904 IN HANDLE Event OPTIONAL
,
1905 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
1906 IN PVOID ApcContext OPTIONAL
,
1907 OUT PIO_STATUS_BLOCK IoStatusBlock
,
1908 IN PLARGE_INTEGER ByteOffset
,
1909 IN PLARGE_INTEGER Length
,
1911 IN BOOLEAN FailImmediatedly
,
1912 IN BOOLEAN ExclusiveLock
1915 * FUNCTION: Locks a range of virtual memory.
1917 * ProcessHandle = Handle to the process
1918 * BaseAddress = Lower boundary of the range of bytes to lock.
1919 * NumberOfBytesLock = Offset to the upper boundary.
1920 * NumberOfBytesLocked (OUT) = Number of bytes actually locked.
1922 This procedure maps to the win32 procedure VirtualLock
1923 * RETURNS: Status [STATUS_SUCCESS | STATUS_WAS_LOCKED ]
1927 NtLockVirtualMemory(
1928 HANDLE ProcessHandle
,
1930 ULONG NumberOfBytesToLock
,
1931 PULONG NumberOfBytesLocked
1935 ZwLockVirtualMemory(
1936 HANDLE ProcessHandle
,
1938 ULONG NumberOfBytesToLock
,
1939 PULONG NumberOfBytesLocked
1942 * FUNCTION: Makes temporary object that will be removed at next boot.
1944 * Handle = Handle to object
1950 NtMakeTemporaryObject(
1956 ZwMakeTemporaryObject(
1960 * FUNCTION: Maps a view of a section into the virtual address space of a
1963 * SectionHandle = Handle of the section
1964 * ProcessHandle = Handle of the process
1965 * BaseAddress = Desired base address (or NULL) on entry
1966 * Actual base address of the view on exit
1967 * ZeroBits = Number of high order address bits that must be zero
1968 * CommitSize = Size in bytes of the initially committed section of
1970 * SectionOffset = Offset in bytes from the beginning of the section
1971 * to the beginning of the view
1972 * ViewSize = Desired length of map (or zero to map all) on entry
1973 * Actual length mapped on exit
1974 * InheritDisposition = Specified how the view is to be shared with
1976 * AllocateType = Type of allocation for the pages
1977 * Protect = Protection for the committed region of the view
1983 IN HANDLE SectionHandle
,
1984 IN HANDLE ProcessHandle
,
1985 IN OUT PVOID
*BaseAddress
,
1987 IN ULONG CommitSize
,
1988 IN OUT PLARGE_INTEGER SectionOffset OPTIONAL
,
1989 IN OUT PULONG ViewSize
,
1990 IN SECTION_INHERIT InheritDisposition
,
1991 IN ULONG AllocationType
,
1992 IN ULONG AccessProtection
1998 IN HANDLE SectionHandle
,
1999 IN HANDLE ProcessHandle
,
2000 IN OUT PVOID
*BaseAddress
,
2002 IN ULONG CommitSize
,
2003 IN OUT PLARGE_INTEGER SectionOffset OPTIONAL
,
2004 IN OUT PULONG ViewSize
,
2005 IN SECTION_INHERIT InheritDisposition
,
2006 IN ULONG AllocationType
,
2007 IN ULONG AccessProtection
2011 * FUNCTION: Installs a notify for the change of a directory's contents
2013 * FileHandle = Handle to the directory
2015 * ApcRoutine = Start address
2016 * ApcContext = Delimits the range of virtual memory
2017 * for which the new access protection holds
2018 * IoStatusBlock = The new access proctection for the pages
2019 * Buffer = Caller supplies storage for resulting information --> FILE_NOTIFY_INFORMATION
2020 * BufferSize = Size of the buffer
2021 CompletionFilter = Can be one of the following values:
2022 FILE_NOTIFY_CHANGE_FILE_NAME
2023 FILE_NOTIFY_CHANGE_DIR_NAME
2024 FILE_NOTIFY_CHANGE_NAME ( FILE_NOTIFY_CHANGE_FILE_NAME | FILE_NOTIFY_CHANGE_DIR_NAME )
2025 FILE_NOTIFY_CHANGE_ATTRIBUTES
2026 FILE_NOTIFY_CHANGE_SIZE
2027 FILE_NOTIFY_CHANGE_LAST_WRITE
2028 FILE_NOTIFY_CHANGE_LAST_ACCESS
2029 FILE_NOTIFY_CHANGE_CREATION ( change of creation timestamp )
2030 FILE_NOTIFY_CHANGE_EA
2031 FILE_NOTIFY_CHANGE_SECURITY
2032 FILE_NOTIFY_CHANGE_STREAM_NAME
2033 FILE_NOTIFY_CHANGE_STREAM_SIZE
2034 FILE_NOTIFY_CHANGE_STREAM_WRITE
2035 WatchTree = If true the notify will be installed recursively on the targetdirectory and all subdirectories.
2038 * The function maps to the win32 FindFirstChangeNotification, FindNextChangeNotification
2043 NtNotifyChangeDirectoryFile(
2044 IN HANDLE FileHandle
,
2045 IN HANDLE Event OPTIONAL
,
2046 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
2047 IN PVOID ApcContext OPTIONAL
,
2048 OUT PIO_STATUS_BLOCK IoStatusBlock
,
2050 IN ULONG BufferSize
,
2051 IN ULONG CompletionFilter
,
2052 IN BOOLEAN WatchTree
2057 ZwNotifyChangeDirectoryFile(
2058 IN HANDLE FileHandle
,
2059 IN HANDLE Event OPTIONAL
,
2060 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
2061 IN PVOID ApcContext OPTIONAL
,
2062 OUT PIO_STATUS_BLOCK IoStatusBlock
,
2064 IN ULONG BufferSize
,
2065 IN ULONG CompletionFilter
,
2066 IN BOOLEAN WatchTree
2070 * FUNCTION: Installs a notfication callback on registry changes
2072 KeyHandle = Handle to the registry key
2073 Event = Event that should be signalled on modification of the key
2074 ApcRoutine = Routine that should be called on modification of the key
2075 ApcContext = Argument to the ApcRoutine
2077 CompletionFilter = Specifies the kind of notification the caller likes to receive.
2078 Can be a combination of the following values:
2080 REG_NOTIFY_CHANGE_NAME
2081 REG_NOTIFY_CHANGE_ATTRIBUTES
2082 REG_NOTIFY_CHANGE_LAST_SET
2083 REG_NOTIFY_CHANGE_SECURITY
2086 Asynchroneous = If TRUE the changes are reported by signalling an event if false
2087 the function will not return before a change occurs.
2088 ChangeBuffer = Will return the old value
2089 Length = Size of the change buffer
2090 WatchSubtree = Indicates if the caller likes to receive a notification of changes in
2092 * REMARKS: If the key is closed the event is signalled aswell.
2099 IN HANDLE KeyHandle
,
2101 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
2102 IN PVOID ApcContext OPTIONAL
,
2103 OUT PIO_STATUS_BLOCK IoStatusBlock
,
2104 IN ULONG CompletionFilter
,
2105 IN BOOLEAN Asynchroneous
,
2106 OUT PVOID ChangeBuffer
,
2108 IN BOOLEAN WatchSubtree
2114 IN HANDLE KeyHandle
,
2116 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
2117 IN PVOID ApcContext OPTIONAL
,
2118 OUT PIO_STATUS_BLOCK IoStatusBlock
,
2119 IN ULONG CompletionFilter
,
2120 IN BOOLEAN Asynchroneous
,
2121 OUT PVOID ChangeBuffer
,
2123 IN BOOLEAN WatchSubtree
2127 * FUNCTION: Opens an existing directory object
2129 * FileHandle (OUT) = Caller supplied storage for the resulting handle
2130 * DesiredAccess = Requested access to the directory
2131 * ObjectAttributes = Initialized attributes for the object
2137 NtOpenDirectoryObject(
2138 OUT PHANDLE FileHandle
,
2139 IN ACCESS_MASK DesiredAccess
,
2140 IN POBJECT_ATTRIBUTES ObjectAttributes
2144 ZwOpenDirectoryObject(
2145 OUT PHANDLE FileHandle
,
2146 IN ACCESS_MASK DesiredAccess
,
2147 IN POBJECT_ATTRIBUTES ObjectAttributes
2151 * FUNCTION: Opens an existing event
2153 * EventHandle (OUT) = Caller supplied storage for the resulting handle
2154 * DesiredAccess = Requested access to the event
2155 * ObjectAttributes = Initialized attributes for the object
2161 OUT PHANDLE EventHandle
,
2162 IN ACCESS_MASK DesiredAccess
,
2163 IN POBJECT_ATTRIBUTES ObjectAttributes
2169 OUT PHANDLE EventHandle
,
2170 IN ACCESS_MASK DesiredAccess
,
2171 IN POBJECT_ATTRIBUTES ObjectAttributes
2175 * FUNCTION: Opens an existing event pair
2177 * EventHandle (OUT) = Caller supplied storage for the resulting handle
2178 * DesiredAccess = Requested access to the event
2179 * ObjectAttributes = Initialized attributes for the object
2186 OUT PHANDLE EventPairHandle
,
2187 IN ACCESS_MASK DesiredAccess
,
2188 IN POBJECT_ATTRIBUTES ObjectAttributes
2194 OUT PHANDLE EventPairHandle
,
2195 IN ACCESS_MASK DesiredAccess
,
2196 IN POBJECT_ATTRIBUTES ObjectAttributes
2199 * FUNCTION: Opens an existing file
2201 * FileHandle (OUT) = Caller supplied storage for the resulting handle
2202 * DesiredAccess = Requested access to the file
2203 * ObjectAttributes = Initialized attributes for the object
2212 OUT PHANDLE FileHandle
,
2213 IN ACCESS_MASK DesiredAccess
,
2214 IN POBJECT_ATTRIBUTES ObjectAttributes
,
2215 OUT PIO_STATUS_BLOCK IoStatusBlock
,
2216 IN ULONG ShareAccess
,
2217 IN ULONG OpenOptions
2223 OUT PHANDLE FileHandle
,
2224 IN ACCESS_MASK DesiredAccess
,
2225 IN POBJECT_ATTRIBUTES ObjectAttributes
,
2226 OUT PIO_STATUS_BLOCK IoStatusBlock
,
2227 IN ULONG ShareAccess
,
2228 IN ULONG OpenOptions
2232 * FUNCTION: Opens an existing io completion object
2234 * CompletionPort (OUT) = Caller supplied storage for the resulting handle
2235 * DesiredAccess = Requested access to the io completion object
2236 * ObjectAttributes = Initialized attributes for the object
2243 OUT PHANDLE CompetionPort
,
2244 IN ACCESS_MASK DesiredAccess
,
2245 IN POBJECT_ATTRIBUTES ObjectAttributes
2251 OUT PHANDLE CompetionPort
,
2252 IN ACCESS_MASK DesiredAccess
,
2253 IN POBJECT_ATTRIBUTES ObjectAttributes
2257 * FUNCTION: Opens an existing key in the registry
2259 * KeyHandle (OUT) = Caller supplied storage for the resulting handle
2260 * DesiredAccess = Requested access to the key
2261 * ObjectAttributes = Initialized attributes for the object
2267 OUT PHANDLE KeyHandle
,
2268 IN ACCESS_MASK DesiredAccess
,
2269 IN POBJECT_ATTRIBUTES ObjectAttributes
2275 OUT PHANDLE KeyHandle
,
2276 IN ACCESS_MASK DesiredAccess
,
2277 IN POBJECT_ATTRIBUTES ObjectAttributes
2280 * FUNCTION: Opens an existing key in the registry
2282 * MutantHandle (OUT) = Caller supplied storage for the resulting handle
2283 * DesiredAccess = Requested access to the mutant
2284 * ObjectAttribute = Initialized attributes for the object
2290 OUT PHANDLE MutantHandle
,
2291 IN ACCESS_MASK DesiredAccess
,
2292 IN POBJECT_ATTRIBUTES ObjectAttributes
2297 OUT PHANDLE MutantHandle
,
2298 IN ACCESS_MASK DesiredAccess
,
2299 IN POBJECT_ATTRIBUTES ObjectAttributes
2304 NtOpenObjectAuditAlarm(
2305 IN PUNICODE_STRING SubsystemName
,
2307 IN POBJECT_ATTRIBUTES ObjectAttributes
,
2308 IN HANDLE ClientToken
,
2309 IN ULONG DesiredAccess
,
2310 IN ULONG GrantedAccess
,
2311 IN PPRIVILEGE_SET Privileges
,
2312 IN BOOLEAN ObjectCreation
,
2313 IN BOOLEAN AccessGranted
,
2314 OUT PBOOLEAN GenerateOnClose
2319 ZwOpenObjectAuditAlarm(
2320 IN PUNICODE_STRING SubsystemName
,
2322 IN POBJECT_ATTRIBUTES ObjectAttributes
,
2323 IN HANDLE ClientToken
,
2324 IN ULONG DesiredAccess
,
2325 IN ULONG GrantedAccess
,
2326 IN PPRIVILEGE_SET Privileges
,
2327 IN BOOLEAN ObjectCreation
,
2328 IN BOOLEAN AccessGranted
,
2329 OUT PBOOLEAN GenerateOnClose
2332 * FUNCTION: Opens an existing process
2334 * ProcessHandle (OUT) = Caller supplied storage for the resulting handle
2335 * DesiredAccess = Requested access to the process
2336 * ObjectAttribute = Initialized attributes for the object
2337 * ClientId = Identifies the process id to open
2343 OUT PHANDLE ProcessHandle
,
2344 IN ACCESS_MASK DesiredAccess
,
2345 IN POBJECT_ATTRIBUTES ObjectAttributes
,
2346 IN PCLIENT_ID ClientId
2351 OUT PHANDLE ProcessHandle
,
2352 IN ACCESS_MASK DesiredAccess
,
2353 IN POBJECT_ATTRIBUTES ObjectAttributes
,
2354 IN PCLIENT_ID ClientId
2357 * FUNCTION: Opens an existing process
2359 * ProcessHandle = Handle of the process of which owns the token
2360 * DesiredAccess = Requested access to the token
2361 * TokenHandle (OUT) = Caller supplies storage for the resulting token.
2363 This function maps to the win32
2370 IN HANDLE ProcessHandle
,
2371 IN ACCESS_MASK DesiredAccess
,
2372 OUT PHANDLE TokenHandle
2378 IN HANDLE ProcessHandle
,
2379 IN ACCESS_MASK DesiredAccess
,
2380 OUT PHANDLE TokenHandle
2384 * FUNCTION: Opens an existing section object
2386 * KeyHandle (OUT) = Caller supplied storage for the resulting handle
2387 * DesiredAccess = Requested access to the key
2388 * ObjectAttribute = Initialized attributes for the object
2395 OUT PHANDLE SectionHandle
,
2396 IN ACCESS_MASK DesiredAccess
,
2397 IN POBJECT_ATTRIBUTES ObjectAttributes
2402 OUT PHANDLE SectionHandle
,
2403 IN ACCESS_MASK DesiredAccess
,
2404 IN POBJECT_ATTRIBUTES ObjectAttributes
2407 * FUNCTION: Opens an existing semaphore
2409 * SemaphoreHandle (OUT) = Caller supplied storage for the resulting handle
2410 * DesiredAccess = Requested access to the semaphore
2411 * ObjectAttribute = Initialized attributes for the object
2417 IN HANDLE SemaphoreHandle
,
2418 IN ACCESS_MASK DesiredAcces
,
2419 IN POBJECT_ATTRIBUTES ObjectAttributes
2424 IN HANDLE SemaphoreHandle
,
2425 IN ACCESS_MASK DesiredAcces
,
2426 IN POBJECT_ATTRIBUTES ObjectAttributes
2429 * FUNCTION: Opens an existing symbolic link
2431 * SymbolicLinkHandle (OUT) = Caller supplied storage for the resulting handle
2432 * DesiredAccess = Requested access to the symbolic link
2433 * ObjectAttribute = Initialized attributes for the object
2438 NtOpenSymbolicLinkObject(
2439 OUT PHANDLE SymbolicLinkHandle
,
2440 IN ACCESS_MASK DesiredAccess
,
2441 IN POBJECT_ATTRIBUTES ObjectAttributes
2445 ZwOpenSymbolicLinkObject(
2446 OUT PHANDLE SymbolicLinkHandle
,
2447 IN ACCESS_MASK DesiredAccess
,
2448 IN POBJECT_ATTRIBUTES ObjectAttributes
2451 * FUNCTION: Opens an existing thread
2453 * ThreadHandle (OUT) = Caller supplied storage for the resulting handle
2454 * DesiredAccess = Requested access to the thread
2455 * ObjectAttribute = Initialized attributes for the object
2456 * ClientId = Identifies the thread to open.
2462 OUT PHANDLE ThreadHandle
,
2463 IN ACCESS_MASK DesiredAccess
,
2464 IN POBJECT_ATTRIBUTES ObjectAttributes
,
2465 IN PCLIENT_ID ClientId
2470 OUT PHANDLE ThreadHandle
,
2471 IN ACCESS_MASK DesiredAccess
,
2472 IN POBJECT_ATTRIBUTES ObjectAttributes
,
2473 IN PCLIENT_ID ClientId
2479 IN HANDLE ThreadHandle
,
2480 IN ACCESS_MASK DesiredAccess
,
2481 IN BOOLEAN OpenAsSelf
,
2482 OUT PHANDLE TokenHandle
2488 IN HANDLE ThreadHandle
,
2489 IN ACCESS_MASK DesiredAccess
,
2490 IN BOOLEAN OpenAsSelf
,
2491 OUT PHANDLE TokenHandle
2494 * FUNCTION: Opens an existing timer
2496 * TimerHandle (OUT) = Caller supplied storage for the resulting handle
2497 * DesiredAccess = Requested access to the timer
2498 * ObjectAttribute = Initialized attributes for the object
2504 OUT PHANDLE TimerHandle
,
2505 IN ACCESS_MASK DesiredAccess
,
2506 IN POBJECT_ATTRIBUTES ObjectAttributes
2511 OUT PHANDLE TimerHandle
,
2512 IN ACCESS_MASK DesiredAccess
,
2513 IN POBJECT_ATTRIBUTES ObjectAttributes
2517 * FUNCTION: Checks an access token for specific privileges
2519 * ClientToken = Handle to a access token structure
2520 * RequiredPrivileges = Specifies the requested privileges.
2521 * Result = Caller supplies storage for the result. If PRIVILEGE_SET_ALL_NECESSARY is
2522 set in the Control member of PRIVILEGES_SET Result
2523 will only be TRUE if all privileges are present in the access token.
2530 IN HANDLE ClientToken
,
2531 IN PPRIVILEGE_SET RequiredPrivileges
,
2537 IN HANDLE ClientToken
,
2538 IN PPRIVILEGE_SET RequiredPrivileges
,
2544 NtPrivilegedServiceAuditAlarm(
2545 IN PUNICODE_STRING SubsystemName
,
2546 IN PUNICODE_STRING ServiceName
,
2547 IN HANDLE ClientToken
,
2548 IN PPRIVILEGE_SET Privileges
,
2549 IN BOOLEAN AccessGranted
2554 ZwPrivilegedServiceAuditAlarm(
2555 IN PUNICODE_STRING SubsystemName
,
2556 IN PUNICODE_STRING ServiceName
,
2557 IN HANDLE ClientToken
,
2558 IN PPRIVILEGE_SET Privileges
,
2559 IN BOOLEAN AccessGranted
2564 NtPrivilegeObjectAuditAlarm(
2565 IN PUNICODE_STRING SubsystemName
,
2567 IN HANDLE ClientToken
,
2568 IN ULONG DesiredAccess
,
2569 IN PPRIVILEGE_SET Privileges
,
2570 IN BOOLEAN AccessGranted
2575 ZwPrivilegeObjectAuditAlarm(
2576 IN PUNICODE_STRING SubsystemName
,
2578 IN HANDLE ClientToken
,
2579 IN ULONG DesiredAccess
,
2580 IN PPRIVILEGE_SET Privileges
,
2581 IN BOOLEAN AccessGranted
2585 * FUNCTION: Entry point for native applications
2587 * Argument = Arguments passed to the application by the system [ at boot time ]
2589 * Native applications should use this function instead of a main. Calling proces should terminate itself.
2592 void NtProcessStartup(
2593 IN PSTARTUP_ARGUMENT Argument
2597 * FUNCTION: Set the access protection of a range of virtual memory
2599 * ProcessHandle = Handle to process owning the virtual address space
2600 * BaseAddress = Start address
2601 * NumberOfBytesToProtect = Delimits the range of virtual memory
2602 * for which the new access protection holds
2603 * NewAccessProtection = The new access proctection for the pages
2604 * OldAccessProtection = Caller should supply storage for the old
2608 * The function maps to the win32 VirtualProtectEx
2613 NtProtectVirtualMemory(
2614 IN HANDLE ProcessHandle
,
2615 IN PVOID BaseAddress
,
2616 IN ULONG NumberOfBytesToProtect
,
2617 IN ULONG NewAccessProtection
,
2618 OUT PULONG OldAccessProtection
2622 ZwProtectVirtualMemory(
2623 IN HANDLE ProcessHandle
,
2624 IN PVOID BaseAddress
,
2625 IN ULONG NumberOfBytesToProtect
,
2626 IN ULONG NewAccessProtection
,
2627 OUT PULONG OldAccessProtection
2632 * FUNCTION: Signals an event and resets it afterwards.
2634 * EventHandle = Handle to the event
2635 * PulseCount = Number of times the action is repeated
2641 IN HANDLE EventHandle
,
2642 IN PULONG PulseCount OPTIONAL
2648 IN HANDLE EventHandle
,
2649 IN PULONG PulseCount OPTIONAL
2653 * FUNCTION: Queries the attributes of a file
2655 * FileHandle = Handle to the file
2656 * Buffer = Caller supplies storage for the attributes
2662 NtQueryAttributesFile(
2663 IN HANDLE FileHandle
,
2669 ZwQueryAttributesFile(
2670 IN HANDLE FileHandle
,
2676 * FUNCTION: Queries a directory file.
2678 * FileHandle = Handle to a directory file
2679 * EventHandle = Handle to the event signaled on completion
2680 * ApcRoutine = Asynchroneous procedure callback, called on completion
2681 * ApcContext = Argument to the apc.
2682 * IoStatusBlock = Caller supplies storage for extended status information.
2683 * FileInformation = Caller supplies storage for the resulting information.
2685 * FileNameInformation FILE_NAMES_INFORMATION
2686 * FileDirectoryInformation FILE_DIRECTORY_INFORMATION
2687 * FileFullDirectoryInformation FILE_FULL_DIRECTORY_INFORMATION
2688 * FileBothDirectoryInformation FILE_BOTH_DIR_INFORMATION
2690 * Length = Size of the storage supplied
2691 * FileInformationClass = Indicates the type of information requested.
2692 * ReturnSingleEntry = Specify true if caller only requests the first directory found.
2693 * FileName = Initial directory name to query, that may contain wild cards.
2694 * RestartScan = Number of times the action should be repeated
2695 * RETURNS: Status [ STATUS_SUCCESS, STATUS_ACCESS_DENIED, STATUS_INSUFFICIENT_RESOURCES,
2696 * STATUS_INVALID_PARAMETER, STATUS_INVALID_DEVICE_REQUEST, STATUS_BUFFER_OVERFLOW,
2697 * STATUS_INVALID_INFO_CLASS, STATUS_NO_SUCH_FILE, STATUS_NO_MORE_FILES ]
2702 NtQueryDirectoryFile(
2703 IN HANDLE FileHandle
,
2704 IN HANDLE Event OPTIONAL
,
2705 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
2706 IN PVOID ApcContext OPTIONAL
,
2707 OUT PIO_STATUS_BLOCK IoStatusBlock
,
2708 OUT PVOID FileInformation
,
2710 IN FILE_INFORMATION_CLASS FileInformationClass
,
2711 IN BOOLEAN ReturnSingleEntry
,
2712 IN PUNICODE_STRING FileName OPTIONAL
,
2713 IN BOOLEAN RestartScan
2718 ZwQueryDirectoryFile(
2719 IN HANDLE FileHandle
,
2720 IN HANDLE Event OPTIONAL
,
2721 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
2722 IN PVOID ApcContext OPTIONAL
,
2723 OUT PIO_STATUS_BLOCK IoStatusBlock
,
2724 OUT PVOID FileInformation
,
2726 IN FILE_INFORMATION_CLASS FileInformationClass
,
2727 IN BOOLEAN ReturnSingleEntry
,
2728 IN PUNICODE_STRING FileName OPTIONAL
,
2729 IN BOOLEAN RestartScan
2733 * FUNCTION: Query information about the content of a directory object
2735 DirObjInformation = Buffer must be large enough to hold the name strings too
2736 GetNextIndex = If TRUE :return the index of the next object in this directory in ObjectIndex
2737 If FALSE: return the number of objects in this directory in ObjectIndex
2738 IgnoreInputIndex= If TRUE: ignore input value of ObjectIndex always start at index 0
2739 If FALSE use input value of ObjectIndex
2740 ObjectIndex = zero based index of object in the directory depends on GetNextIndex and IgnoreInputIndex
2741 DataWritten = Actual size of the ObjectIndex ???
2746 NtQueryDirectoryObject(
2747 IN HANDLE DirObjHandle
,
2748 OUT POBJDIR_INFORMATION DirObjInformation
,
2749 IN ULONG BufferLength
,
2750 IN BOOLEAN GetNextIndex
,
2751 IN BOOLEAN IgnoreInputIndex
,
2752 IN OUT PULONG ObjectIndex
,
2753 OUT PULONG DataWritten OPTIONAL
2758 ZwQueryDirectoryObject(
2759 IN HANDLE DirObjHandle
,
2760 OUT POBJDIR_INFORMATION DirObjInformation
,
2761 IN ULONG BufferLength
,
2762 IN BOOLEAN GetNextIndex
,
2763 IN BOOLEAN IgnoreInputIndex
,
2764 IN OUT PULONG ObjectIndex
,
2765 OUT PULONG DataWritten OPTIONAL
2769 * FUNCTION: Queries the extended attributes of a file
2771 * FileHandle = Handle to the event
2772 * IoStatusBlock = Number of times the action is repeated
2786 IN HANDLE FileHandle
,
2787 OUT PIO_STATUS_BLOCK IoStatusBlock
,
2790 IN BOOLEAN ReturnSingleEntry
,
2791 IN PVOID EaList OPTIONAL
,
2792 IN ULONG EaListLength
,
2793 IN PULONG EaIndex OPTIONAL
,
2794 IN BOOLEAN RestartScan
2800 IN HANDLE FileHandle
,
2801 OUT PIO_STATUS_BLOCK IoStatusBlock
,
2804 IN BOOLEAN ReturnSingleEntry
,
2805 IN PVOID EaList OPTIONAL
,
2806 IN ULONG EaListLength
,
2807 IN PULONG EaIndex OPTIONAL
,
2808 IN BOOLEAN RestartScan
2811 * FUNCTION: Queries an event
2813 * EventHandle = Handle to the event
2814 * EventInformationClass = Index of the information structure
2816 EventBasicInformation EVENT_BASIC_INFORMATION
2818 * EventInformation = Caller supplies storage for the information structure
2819 * EventInformationLength = Size of the information structure
2820 * ReturnLength = Data written
2828 IN HANDLE EventHandle
,
2829 IN CINT EventInformationClass
,
2830 OUT PVOID EventInformation
,
2831 IN ULONG EventInformationLength
,
2832 OUT PULONG ReturnLength
2838 IN HANDLE EventHandle
,
2839 IN CINT EventInformationClass
,
2840 OUT PVOID EventInformation
,
2841 IN ULONG EventInformationLength
,
2842 OUT PULONG ReturnLength
2846 NtQueryFullAttributesFile(
2847 IN HANDLE FileHandle
,
2852 ZwQueryFullAttributesFile(
2853 IN HANDLE FileHandle
,
2859 NtQueryInformationAtom(
2860 IN HANDLE AtomHandle
,
2861 IN CINT AtomInformationClass
,
2862 OUT PVOID AtomInformation
,
2863 IN ULONG AtomInformationLength
,
2864 OUT PULONG ReturnLength
2868 NtQueryInformationAtom(
2869 IN HANDLE AtomHandle
,
2870 IN CINT AtomInformationClass
,
2871 OUT PVOID AtomInformation
,
2872 IN ULONG AtomInformationLength
,
2873 OUT PULONG ReturnLength
2879 * FUNCTION: Queries the information of a file object.
2881 * FileHandle = Handle to the file object
2882 * IoStatusBlock = Caller supplies storage for extended information
2883 * on the current operation.
2884 * FileInformation = Storage for the new file information
2885 * Lenght = Size of the storage for the file information.
2886 * FileInformationClass = Indicates which file information is queried
2888 FileDirectoryInformation FILE_DIRECTORY_INFORMATION
2889 FileFullDirectoryInformation FILE_FULL_DIRECTORY_INFORMATION
2890 FileBothDirectoryInformation FILE_BOTH_DIRECTORY_INFORMATION
2891 FileBasicInformation FILE_BASIC_INFORMATION
2892 FileStandardInformation FILE_STANDARD_INFORMATION
2893 FileInternalInformation FILE_INTERNAL_INFORMATION
2894 FileEaInformation FILE_EA_INFORMATION
2895 FileAccessInformation FILE_ACCESS_INFORMATION
2896 FileNameInformation FILE_NAME_INFORMATION
2897 FileRenameInformation FILE_RENAME_INFORMATION
2899 FileNamesInformation FILE_NAMES_INFORMATION
2900 FileDispositionInformation FILE_DISPOSITION_INFORMATION
2901 FilePositionInformation FILE_POSITION_INFORMATION
2902 FileFullEaInformation FILE_FULL_EA_INFORMATION
2903 FileModeInformation FILE_MODE_INFORMATION
2904 FileAlignmentInformation FILE_ALIGNMENT_INFORMATION
2905 FileAllInformation FILE_ALL_INFORMATION
2907 FileEndOfFileInformation FILE_END_OF_FILE_INFORMATION
2908 FileAlternateNameInformation
2909 FileStreamInformation FILE_STREAM_INFORMATION
2911 FilePipeLocalInformation
2912 FilePipeRemoteInformation
2913 FileMailslotQueryInformation
2914 FileMailslotSetInformation
2915 FileCompressionInformation FILE_COMPRESSION_INFORMATION
2916 FileCopyOnWriteInformation
2917 FileCompletionInformation IO_COMPLETION_CONTEXT
2918 FileMoveClusterInformation
2919 FileOleClassIdInformation
2920 FileOleStateBitsInformation
2921 FileNetworkOpenInformation FILE_NETWORK_OPEN_INFORMATION
2922 FileObjectIdInformation
2923 FileOleAllInformation
2924 FileOleDirectoryInformation
2925 FileContentIndexInformation
2926 FileInheritContentIndexInformation
2928 FileMaximumInformation
2931 * This procedure maps to the win32 GetShortPathName, GetLongPathName,
2932 GetFullPathName, GetFileType, GetFileSize, GetFileTime functions.
2935 NTSTATUS STDCALL
NtQueryInformationFile(IN HANDLE FileHandle
,
2936 OUT PIO_STATUS_BLOCK IoStatusBlock
,
2937 OUT PVOID FileInformation
,
2939 IN FILE_INFORMATION_CLASS FileInformationClass
);
2941 NTSTATUS STDCALL
ZwQueryInformationFile(HANDLE FileHandle
,
2942 PIO_STATUS_BLOCK IoStatusBlock
,
2943 PVOID FileInformation
,
2945 FILE_INFORMATION_CLASS FileInformationClass
);
2948 * FUNCTION: Queries the information of a process object.
2950 * ProcessHandle = Handle to the process object
2951 * ProcessInformation = Index to a certain information structure
2953 ProcessBasicInformation PROCESS_BASIC_INFORMATION
2954 ProcessQuotaLimits QUOTA_LIMITS
2955 ProcessIoCounters IO_COUNTERS
2956 ProcessVmCounters VM_COUNTERS
2957 ProcessTimes KERNEL_USER_TIMES
2958 ProcessBasePriority KPRIORITY
2959 ProcessRaisePriority KPRIORITY
2960 ProcessDebugPort HANDLE
2961 ProcessExceptionPort HANDLE
2962 ProcessAccessToken PROCESS_ACCESS_TOKEN
2963 ProcessLdtInformation LDT_ENTRY ??
2964 ProcessLdtSize ULONG
2965 ProcessDefaultHardErrorMode ULONG
2966 ProcessIoPortHandlers // kernel mode only
2967 ProcessPooledUsageAndLimits POOLED_USAGE_AND_LIMITS
2968 ProcessWorkingSetWatch PROCESS_WS_WATCH_INFORMATION
2969 ProcessUserModeIOPL (I/O Privilege Level)
2970 ProcessEnableAlignmentFaultFixup BOOLEAN
2971 ProcessPriorityClass ULONG
2972 ProcessWx86Information ULONG
2973 ProcessHandleCount ULONG
2974 ProcessAffinityMask ULONG
2975 ProcessPooledQuotaLimits QUOTA_LIMITS
2978 * ProcessInformation = Caller supplies storage for the process information structure
2979 * ProcessInformationLength = Size of the process information structure
2980 * ReturnLength = Actual number of bytes written
2983 * This procedure maps to the win32 GetProcessTimes, GetProcessVersion,
2984 GetProcessWorkingSetSize, GetProcessPriorityBoost, GetProcessAffinityMask, GetPriorityClass,
2985 GetProcessShutdownParameters functions.
2994 NtQueryInformationProcess(
2995 IN HANDLE ProcessHandle
,
2996 IN CINT ProcessInformationClass
,
2997 OUT PVOID ProcessInformation
,
2998 IN ULONG ProcessInformationLength
,
2999 OUT PULONG ReturnLength
3004 ZwQueryInformationProcess(
3005 IN HANDLE ProcessHandle
,
3006 IN CINT ProcessInformationClass
,
3007 OUT PVOID ProcessInformation
,
3008 IN ULONG ProcessInformationLength
,
3009 OUT PULONG ReturnLength
3015 * FUNCTION: Queries the information of a thread object.
3017 * ThreadHandle = Handle to the thread object
3018 * ThreadInformationClass = Index to a certain information structure
3020 ThreadBasicInformation THREAD_BASIC_INFORMATION
3021 ThreadTimes KERNEL_USER_TIMES
3022 ThreadPriority KPRIORITY
3023 ThreadBasePriority KPRIORITY
3024 ThreadAffinityMask KAFFINITY
3025 ThreadImpersonationToken
3026 ThreadDescriptorTableEntry
3027 ThreadEnableAlignmentFaultFixup
3029 ThreadQuerySetWin32StartAddress
3031 ThreadPerformanceCount
3032 ThreadAmILastThread BOOLEAN
3033 ThreadIdealProcessor ULONG
3034 ThreadPriorityBoost ULONG
3038 * ThreadInformation = Caller supplies torage for the thread information
3039 * ThreadInformationLength = Size of the thread information structure
3040 * ReturnLength = Actual number of bytes written
3043 * This procedure maps to the win32 GetThreadTimes, GetThreadPriority,
3044 GetThreadPriorityBoost functions.
3051 NtQueryInformationThread(
3052 IN HANDLE ThreadHandle
,
3053 IN THREADINFOCLASS ThreadInformationClass
,
3054 OUT PVOID ThreadInformation
,
3055 IN ULONG ThreadInformationLength
,
3056 OUT PULONG ReturnLength
3061 NtQueryInformationToken(
3062 IN HANDLE TokenHandle
,
3063 IN TOKEN_INFORMATION_CLASS TokenInformationClass
,
3064 OUT PVOID TokenInformation
,
3065 IN ULONG TokenInformationLength
,
3066 OUT PULONG ReturnLength
3071 ZwQueryInformationToken(
3072 IN HANDLE TokenHandle
,
3073 IN TOKEN_INFORMATION_CLASS TokenInformationClass
,
3074 OUT PVOID TokenInformation
,
3075 IN ULONG TokenInformationLength
,
3076 OUT PULONG ReturnLength
3080 * FUNCTION: Query the interval and the clocksource for profiling
3088 NtQueryIntervalProfile(
3089 OUT PULONG Interval
,
3090 OUT PULONG ClockSource
3095 ZwQueryIntervalProfile(
3096 OUT PULONG Interval
,
3097 OUT PULONG ClockSource
3104 NtQueryIoCompletion(
3105 IN HANDLE CompletionPort
,
3106 IN ULONG CompletionKey
,
3107 OUT PIO_STATUS_BLOCK IoStatusBlock
,
3108 OUT PULONG NumberOfBytesTransferred
3112 ZwQueryIoCompletion(
3113 IN HANDLE CompletionPort
,
3114 IN ULONG CompletionKey
,
3115 OUT PIO_STATUS_BLOCK IoStatusBlock
,
3116 OUT PULONG NumberOfBytesTransferred
3121 * FUNCTION: Queries the information of a registry key object.
3123 KeyHandle = Handle to a registry key
3124 KeyInformationClass = Index to a certain information structure
3125 KeyInformation = Caller supplies storage for resulting information
3126 Length = Size of the supplied storage
3127 ResultLength = Bytes written
3132 IN HANDLE KeyHandle
,
3133 IN KEY_INFORMATION_CLASS KeyInformationClass
,
3134 OUT PVOID KeyInformation
,
3136 OUT PULONG ResultLength
3142 IN HANDLE KeyHandle
,
3143 IN KEY_INFORMATION_CLASS KeyInformationClass
,
3144 OUT PVOID KeyInformation
,
3146 OUT PULONG ResultLength
3154 NtQueryMultipleValueKey(
3156 PVALENT ListOfValuesToQuery
,
3157 ULONG NumberOfItems
,
3158 PVOID MultipleValueInformation
,
3165 ZwQueryMultipleValueKey(
3167 PVALENT ListOfValuesToQuery
,
3168 ULONG NumberOfItems
,
3169 PVOID MultipleValueInformation
,
3175 * FUNCTION: Queries the information of a mutant object.
3177 MutantHandle = Handle to a mutant
3178 MutantInformationClass = Index to a certain information structure
3179 MutantInformation = Caller supplies storage for resulting information
3180 Length = Size of the supplied storage
3181 ResultLength = Bytes written
3186 IN HANDLE MutantHandle
,
3187 IN CINT MutantInformationClass
,
3188 OUT PVOID MutantInformation
,
3190 OUT PULONG ResultLength
3196 IN HANDLE MutantHandle
,
3197 IN CINT MutantInformationClass
,
3198 OUT PVOID MutantInformation
,
3200 OUT PULONG ResultLength
3203 * FUNCTION: Queries the information of a object.
3205 ObjectHandle = Handle to a object
3206 ObjectInformationClass = Index to a certain information structure
3208 ObjectBasicInformation
3209 ObjectTypeInformation OBJECT_TYPE_INFORMATION
3210 ObjectNameInformation OBJECT_NAME_INFORMATION
3211 ObjectDataInformation OBJECT_DATA_INFORMATION
3213 ObjectInformation = Caller supplies storage for resulting information
3214 Length = Size of the supplied storage
3215 ResultLength = Bytes written
3221 IN HANDLE ObjectHandle
,
3222 IN CINT ObjectInformationClass
,
3223 OUT PVOID ObjectInformation
,
3225 OUT PULONG ResultLength
3230 IN HANDLE ObjectHandle
,
3231 IN CINT ObjectInformationClass
,
3232 OUT PVOID ObjectInformation
,
3234 OUT PULONG ResultLength
3238 * FUNCTION: Queries the system ( high-resolution ) performance counter.
3240 * Counter = Performance counter
3241 * Frequency = Performance frequency
3243 This procedure queries a tick count faster than 10ms ( The resolution for Intel®-based CPUs is about 0.8 microseconds.)
3244 This procedure maps to the win32 QueryPerformanceCounter, QueryPerformanceFrequency
3250 NtQueryPerformanceCounter(
3251 IN PLARGE_INTEGER Counter
,
3252 IN PLARGE_INTEGER Frequency
3257 ZwQueryPerformanceCounter(
3258 IN PLARGE_INTEGER Counter
,
3259 IN PLARGE_INTEGER Frequency
3262 * FUNCTION: Queries the information of a section object.
3264 * SectionHandle = Handle to the section link object
3265 * SectionInformationClass = Index to a certain information structure
3266 * SectionInformation (OUT)= Caller supplies storage for resulting information
3267 * Length = Size of the supplied storage
3268 * ResultLength = Data written
3275 IN HANDLE SectionHandle
,
3276 IN CINT SectionInformationClass
,
3277 OUT PVOID SectionInformation
,
3279 OUT PULONG ResultLength
3284 IN HANDLE SectionHandle
,
3285 IN CINT SectionInformationClass
,
3286 OUT PVOID SectionInformation
,
3288 OUT PULONG ResultLength
3293 NtQuerySecurityObject(
3295 IN CINT SecurityObjectInformationClass
,
3296 OUT PVOID SecurityObjectInformation
,
3298 OUT PULONG ReturnLength
3303 ZwQuerySecurityObject(
3305 IN CINT SecurityObjectInformationClass
,
3306 OUT PVOID SecurityObjectInformation
,
3308 OUT PULONG ReturnLength
3313 * FUNCTION: Queries the information of a semaphore.
3315 * SemaphoreHandle = Handle to the semaphore object
3316 * SemaphoreInformationClass = Index to a certain information structure
3318 SemaphoreBasicInformation SEMAPHORE_BASIC_INFORMATION
3320 * SemaphoreInformation = Caller supplies storage for the semaphore information structure
3321 * Length = Size of the infomation structure
3327 HANDLE SemaphoreHandle
,
3328 CINT SemaphoreInformationClass
,
3329 OUT PVOID SemaphoreInformation
,
3336 HANDLE SemaphoreHandle
,
3337 CINT SemaphoreInformationClass
,
3338 OUT PVOID SemaphoreInformation
,
3344 * FUNCTION: Queries the information of a symbolic link object.
3346 * SymbolicLinkHandle = Handle to the symbolic link object
3347 * LinkTarget = resolved name of link
3348 * DataWritten = size of the LinkName.
3354 NtQuerySymbolicLinkObject(
3355 IN HANDLE SymLinkObjHandle
,
3356 OUT PUNICODE_STRING LinkTarget
,
3357 OUT PULONG DataWritten OPTIONAL
3362 ZwQuerySymbolicLinkObject(
3363 IN HANDLE SymLinkObjHandle
,
3364 OUT PUNICODE_STRING LinkName
,
3365 OUT PULONG DataWritten OPTIONAL
3370 * FUNCTION: Queries a system environment variable.
3372 * Name = Name of the variable
3373 * Value (OUT) = value of the variable
3374 * Length = size of the buffer
3375 * ReturnLength = data written
3381 NtQuerySystemEnvironmentValue(
3382 IN PUNICODE_STRING Name
,
3389 ZwQuerySystemEnvironmentValue(
3390 IN PUNICODE_STRING Name
,
3398 * FUNCTION: Queries the system information.
3400 * SystemInformationClass = Index to a certain information structure
3402 SystemTimeAdjustmentInformation SYSTEM_TIME_ADJUSTMENT
3403 SystemCacheInformation SYSTEM_CACHE_INFORMATION
3404 SystemConfigurationInformation CONFIGURATION_INFORMATION
3406 * SystemInformation = caller supplies storage for the information structure
3407 * Length = size of the structure
3408 ResultLength = Data written
3414 NtQuerySystemInformation(
3415 IN CINT SystemInformationClass
,
3416 OUT PVOID SystemInformation
,
3418 OUT PULONG ResultLength
3422 ZwQuerySystemInformation(
3423 IN CINT SystemInformationClass
,
3424 OUT PVOID SystemInformation
,
3426 OUT PULONG ResultLength
3430 * FUNCTION: Retrieves the system time
3432 * CurrentTime (OUT) = Caller should supply storage for the resulting time.
3440 OUT TIME
*CurrentTime
3446 OUT TIME
*CurrentTime
3450 * FUNCTION: Queries information about a timer
3452 * TimerHandle = Handle to the timer
3453 TimerValueInformationClass = Index to a certain information structure
3454 TimerValueInformation = Caller supplies storage for the information structure
3455 Length = Size of the information structure
3456 ResultLength = Data written
3463 IN HANDLE TimerHandle
,
3464 IN CINT TimerInformationClass
,
3465 OUT PVOID TimerInformation
,
3467 OUT PULONG ResultLength
3472 IN HANDLE TimerHandle
,
3473 IN CINT TimerInformationClass
,
3474 OUT PVOID TimerInformation
,
3476 OUT PULONG ResultLength
3480 * FUNCTION: Queries the timer resolution
3482 * MinimumResolution (OUT) = Caller should supply storage for the resulting time.
3483 Maximum Resolution (OUT) = Caller should supply storage for the resulting time.
3484 ActualResolution (OUT) = Caller should supply storage for the resulting time.
3492 NtQueryTimerResolution (
3493 OUT PULONG MinimumResolution
,
3494 OUT PULONG MaximumResolution
,
3495 OUT PULONG ActualResolution
3500 ZwQueryTimerResolution (
3501 OUT PULONG MinimumResolution
,
3502 OUT PULONG MaximumResolution
,
3503 OUT PULONG ActualResolution
3507 * FUNCTION: Queries a registry key value
3509 * KeyHandle = Handle to the registry key
3510 ValueName = Name of the value in the registry key
3511 KeyValueInformationClass = Index to a certain information structure
3513 KeyValueBasicInformation = KEY_VALUE_BASIC_INFORMATION
3514 KeyValueFullInformation = KEY_FULL_INFORMATION
3515 KeyValuePartialInformation = KEY_VALUE_PARTIAL_INFORMATION
3517 KeyValueInformation = Caller supplies storage for the information structure
3518 Length = Size of the information structure
3519 ResultLength = Data written
3526 IN HANDLE KeyHandle
,
3527 IN PUNICODE_STRING ValueName
,
3528 IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass
,
3529 OUT PVOID KeyValueInformation
,
3531 OUT PULONG ResultLength
3537 IN HANDLE KeyHandle
,
3538 IN PUNICODE_STRING ValueName
,
3539 IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass
,
3540 OUT PVOID KeyValueInformation
,
3542 OUT PULONG ResultLength
3549 * FUNCTION: Queries the virtual memory information.
3551 ProcessHandle = Process owning the virtual address space
3552 BaseAddress = Points to the page where the information is queried for.
3553 * VirtualMemoryInformationClass = Index to a certain information structure
3555 MemoryBasicInformation MEMORY_BASIC_INFORMATION
3557 * VirtualMemoryInformation = caller supplies storage for the information structure
3558 * Length = size of the structure
3559 ResultLength = Data written
3566 NtQueryVirtualMemory(
3567 IN HANDLE ProcessHandle
,
3569 IN IN CINT VirtualMemoryInformationClass
,
3570 OUT PVOID VirtualMemoryInformation
,
3572 OUT PULONG ResultLength
3576 ZwQueryVirtualMemory(
3577 IN HANDLE ProcessHandle
,
3579 IN IN CINT VirtualMemoryInformationClass
,
3580 OUT PVOID VirtualMemoryInformation
,
3582 OUT PULONG ResultLength
3586 * FUNCTION: Queries the volume information
3588 * FileHandle = Handle to a file object on the target volume
3589 ReturnLength = DataWritten
3590 FsInformation = Caller should supply storage for the information structure.
3591 Length = Size of the information structure
3592 FsInformationClass = Index to a information structure
3594 FileFsVolumeInformation FILE_FS_VOLUME_INFORMATION
3595 FileFsLabelInformation FILE_FS_LABEL_INFORMATION
3596 FileFsSizeInformation FILE_FS_SIZE_INFORMATION
3597 FileFsDeviceInformation FILE_FS_DEVICE_INFORMATION
3598 FileFsAttributeInformation FILE_FS_ATTRIBUTE_INFORMATION
3599 FileFsControlInformation
3600 FileFsQuotaQueryInformation --
3601 FileFsQuotaSetInformation --
3602 FileFsMaximumInformation
3604 * RETURNS: Status [ STATUS_SUCCESS | STATUS_INSUFFICIENT_RESOURCES | STATUS_INVALID_PARAMETER |
3605 STATUS_INVALID_DEVICE_REQUEST | STATUS_BUFFER_OVERFLOW ]
3610 NtQueryVolumeInformationFile(
3611 IN HANDLE FileHandle
,
3612 OUT PIO_STATUS_BLOCK IoStatusBlock
,
3613 OUT PVOID FsInformation
,
3615 IN FS_INFORMATION_CLASS FsInformationClass
3620 ZwQueryVolumeInformationFile(
3621 IN HANDLE FileHandle
,
3622 OUT PIO_STATUS_BLOCK IoStatusBlock
,
3623 OUT PVOID FsInformation
,
3625 IN FS_INFORMATION_CLASS FsInformationClass
3628 // FIXME: Should I specify if the apc is user or kernel mode somewhere ??
3630 * FUNCTION: Queues a (user) apc to a thread.
3632 ThreadHandle = Thread to which the apc is queued.
3633 ApcRoutine = Points to the apc routine
3634 NormalContext = Argument to Apc Routine
3635 * SystemArgument1 = Argument of the Apc Routine
3636 SystemArgument2 = Argument of the Apc Routine
3637 * REMARK: If the apc is queued against a thread of a different process than the calling thread
3638 the apc routine should be specified in the address space of the queued thread's process.
3645 HANDLE ThreadHandle
,
3646 PKNORMAL_ROUTINE ApcRoutine
,
3647 PVOID NormalContext
,
3648 PVOID SystemArgument1
,
3649 PVOID SystemArgument2
);
3654 HANDLE ThreadHandle
,
3655 PKNORMAL_ROUTINE ApcRoutine
,
3656 PVOID NormalContext
,
3657 PVOID SystemArgument1
,
3658 PVOID SystemArgument2
);
3660 * FUNCTION: Raises an exception
3662 ExceptionRecord = Structure specifying the exception
3663 Context = Context in which the excpetion is raised
3673 IN PEXCEPTION_RECORD ExceptionRecord
,
3674 IN PCONTEXT Context
,
3675 IN BOOL IsDebugger OPTIONAL
3681 IN PEXCEPTION_RECORD ExceptionRecord
,
3682 IN PCONTEXT Context
,
3683 IN BOOL IsDebugger OPTIONAL
3688 * FUNCTION: Read a file
3690 FileHandle = Handle of a file to read
3691 Event = This event is signalled when the read operation completes
3692 * UserApcRoutine = Call back , if supplied Event should be NULL
3693 UserApcContext = Argument to the callback
3694 IoStatusBlock = Caller should supply storage for additional status information
3695 Buffer = Caller should supply storage to receive the information
3696 BufferLength = Size of the buffer
3697 ByteOffset = Offset to start reading the file
3698 Key = If a range is lock a matching key will allow the read to continue.
3707 IN HANDLE FileHandle
,
3708 IN HANDLE Event OPTIONAL
,
3709 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL
,
3710 IN PVOID UserApcContext OPTIONAL
,
3711 OUT PIO_STATUS_BLOCK IoStatusBlock
,
3713 IN ULONG BufferLength
,
3714 IN PLARGE_INTEGER ByteOffset OPTIONAL
,
3715 IN PULONG Key OPTIONAL
3721 IN HANDLE FileHandle
,
3722 IN HANDLE Event OPTIONAL
,
3723 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL
,
3724 IN PVOID UserApcContext OPTIONAL
,
3725 OUT PIO_STATUS_BLOCK IoStatusBlock
,
3727 IN ULONG BufferLength
,
3728 IN PLARGE_INTEGER ByteOffset OPTIONAL
,
3729 IN PULONG Key OPTIONAL
3732 * FUNCTION: Read a file using scattered io
3734 FileHandle = Handle of a file to read
3735 Event = This event is signalled when the read operation completes
3736 * UserApcRoutine = Call back , if supplied Event should be NULL
3737 UserApcContext = Argument to the callback
3738 IoStatusBlock = Caller should supply storage for additional status information
3739 BufferDescription = Caller should supply storage to receive the information
3740 BufferLength = Size of the buffer
3741 ByteOffset = Offset to start reading the file
3742 Key = Key = If a range is lock a matching key will allow the read to continue.
3749 IN HANDLE FileHandle
,
3750 IN HANDLE Event OPTIONAL
,
3751 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL
,
3752 IN PVOID UserApcContext OPTIONAL
,
3753 OUT PIO_STATUS_BLOCK UserIoStatusBlock
,
3754 IN FILE_SEGMENT_ELEMENT BufferDescription
[],
3755 IN ULONG BufferLength
,
3756 IN PLARGE_INTEGER ByteOffset
,
3757 IN PULONG Key OPTIONAL
3763 IN HANDLE FileHandle
,
3764 IN HANDLE Event OPTIONAL
,
3765 IN PIO_APC_ROUTINE UserApcRoutine OPTIONAL
,
3766 IN PVOID UserApcContext OPTIONAL
,
3767 OUT PIO_STATUS_BLOCK UserIoStatusBlock
,
3768 IN FILE_SEGMENT_ELEMENT BufferDescription
[],
3769 IN ULONG BufferLength
,
3770 IN PLARGE_INTEGER ByteOffset
,
3771 IN PULONG Key OPTIONAL
3774 * FUNCTION: Copies a range of virtual memory to a buffer
3776 * ProcessHandle = Specifies the process owning the virtual address space
3777 * BaseAddress = Points to the address of virtual memory to start the read
3778 * Buffer = Caller supplies storage to copy the virtual memory to.
3779 * NumberOfBytesToRead = Limits the range to read
3780 * NumberOfBytesRead = The actual number of bytes read.
3786 NtReadVirtualMemory(
3787 IN HANDLE ProcessHandle
,
3788 IN PVOID BaseAddress
,
3790 IN ULONG NumberOfBytesToRead
,
3791 OUT PULONG NumberOfBytesRead
3795 ZwReadVirtualMemory(
3796 IN HANDLE ProcessHandle
,
3797 IN PVOID BaseAddress
,
3799 IN ULONG NumberOfBytesToRead
,
3800 OUT PULONG NumberOfBytesRead
3805 * FUNCTION: Debugger can register for thread termination
3807 * TerminationPort = Port on which the debugger likes to be notified.
3813 NtRegisterThreadTerminatePort(
3814 HANDLE TerminationPort
3818 ZwRegisterThreadTerminatePort(
3819 HANDLE TerminationPort
3822 * FUNCTION: Releases a mutant
3824 * MutantHandle = Handle to the mutant
3831 IN HANDLE MutantHandle
,
3832 IN PULONG ReleaseCount OPTIONAL
3838 IN HANDLE MutantHandle
,
3839 IN PULONG ReleaseCount OPTIONAL
3842 * FUNCTION: Releases a semaphore
3844 * SemaphoreHandle = Handle to the semaphore object
3845 * ReleaseCount = Number to decrease the semaphore count
3846 * PreviousCount = Previous semaphore count
3852 IN HANDLE SemaphoreHandle
,
3853 IN ULONG ReleaseCount
,
3854 IN PULONG PreviousCount
3860 IN HANDLE SemaphoreHandle
,
3861 IN ULONG ReleaseCount
,
3862 IN PULONG PreviousCount
3865 * FUNCTION: Removes an io completion
3867 * CompletionPort (OUT) = Caller supplied storage for the resulting handle
3868 * CompletionKey = Requested access to the key
3869 * IoStatusBlock = Caller provides storage for extended status information
3870 * CompletionStatus = Current status of the io operation.
3871 * WaitTime = Time to wait if ..
3876 NtRemoveIoCompletion(
3877 IN HANDLE CompletionPort
,
3878 OUT PULONG CompletionKey
,
3879 OUT PIO_STATUS_BLOCK IoStatusBlock
,
3880 OUT PULONG CompletionStatus
,
3881 IN PLARGE_INTEGER WaitTime
3886 ZwRemoveIoCompletion(
3887 IN HANDLE CompletionPort
,
3888 OUT PULONG CompletionKey
,
3889 OUT PIO_STATUS_BLOCK IoStatusBlock
,
3890 OUT PULONG CompletionStatus
,
3891 IN PLARGE_INTEGER WaitTime
3894 * FUNCTION: Replaces one registry key with another
3896 * ObjectAttributes = Specifies the attributes of the key
3897 * Key = Handle to the key
3898 * ReplacedObjectAttributes = The function returns the old object attributes
3904 IN POBJECT_ATTRIBUTES ObjectAttributes
,
3906 IN POBJECT_ATTRIBUTES ReplacedObjectAttributes
3911 IN POBJECT_ATTRIBUTES ObjectAttributes
,
3913 IN POBJECT_ATTRIBUTES ReplacedObjectAttributes
3917 * FUNCTION: Resets a event to a non signaled state
3919 * EventHandle = Handle to the event that should be reset
3920 * NumberOfWaitingThreads = The number of threads released.
3927 PULONG NumberOfWaitingThreads OPTIONAL
3933 PULONG NumberOfWaitingThreads OPTIONAL
3952 * FUNCTION: Decrements a thread's resume count
3954 * ThreadHandle = Handle to the thread that should be resumed
3955 * ResumeCount = The resulting resume count.
3957 * A thread is resumed if its suspend count is 0. This procedure maps to
3958 * the win32 ResumeThread function. ( documentation about the the suspend count can be found here aswell )
3964 IN HANDLE ThreadHandle
,
3965 OUT PULONG SuspendCount
3970 IN HANDLE ThreadHandle
,
3971 OUT PULONG SuspendCount
3974 * FUNCTION: Writes the content of a registry key to ascii file
3976 * KeyHandle = Handle to the key
3977 * FileHandle = Handle of the file
3979 This function maps to the Win32 RegSaveKey.
3986 IN HANDLE KeyHandle
,
3987 IN HANDLE FileHandle
3992 IN HANDLE KeyHandle
,
3993 IN HANDLE FileHandle
3996 * FUNCTION: Sets the context of a specified thread.
3998 * ThreadHandle = Handle to the thread
3999 * Context = The processor context.
4006 IN HANDLE ThreadHandle
,
4012 IN HANDLE ThreadHandle
,
4017 * FUNCTION: Sets the default hard error port
4019 * PortHandle = Handle to the port
4020 * NOTE: The hard error port is used for first change exception handling
4025 NtSetDefaultHardErrorPort(
4026 IN HANDLE PortHandle
4030 ZwSetDefaultHardErrorPort(
4031 IN HANDLE PortHandle
4034 * FUNCTION: Sets the extended attributes of a file.
4036 * FileHandle = Handle to the file
4037 * IoStatusBlock = Storage for a resulting status and information
4038 * on the current operation.
4039 * EaBuffer = Extended Attributes buffer.
4040 * EaBufferSize = Size of the extended attributes buffer
4046 IN HANDLE FileHandle
,
4047 IN PIO_STATUS_BLOCK IoStatusBlock
,
4054 IN HANDLE FileHandle
,
4055 IN PIO_STATUS_BLOCK IoStatusBlock
,
4060 //FIXME: should I return the event state ?
4063 * FUNCTION: Sets the event to a signalled state.
4065 * EventHandle = Handle to the event
4066 * NumberOfThreadsReleased = The number of threads released
4068 * This procedure maps to the win32 SetEvent function.
4075 IN HANDLE EventHandle
,
4076 PULONG NumberOfThreadsReleased
4082 IN HANDLE EventHandle
,
4083 PULONG NumberOfThreadsReleased
4087 * FUNCTION: Sets the high part of an event pair
4089 EventPair = Handle to the event pair
4096 IN HANDLE EventPairHandle
4102 IN HANDLE EventPairHandle
4105 * FUNCTION: Sets the high part of an event pair and wait for the low part
4107 EventPair = Handle to the event pair
4112 NtSetHighWaitLowEventPair(
4113 IN HANDLE EventPairHandle
4117 ZwSetHighWaitLowEventPair(
4118 IN HANDLE EventPairHandle
4122 * FUNCTION: Sets the information of a file object.
4124 * FileHandle = Handle to the file object
4125 * IoStatusBlock = Caller supplies storage for extended information
4126 * on the current operation.
4127 * FileInformation = Storage for the new file information
4128 * Lenght = Size of the new file information.
4129 * FileInformationClass = Indicates to a certain information structure
4131 FileNameInformation FILE_NAME_INFORMATION
4132 FileRenameInformation FILE_RENAME_INFORMATION
4133 FileStreamInformation FILE_STREAM_INFORMATION
4134 * FileCompletionInformation IO_COMPLETION_CONTEXT
4137 * This procedure maps to the win32 SetEndOfFile, SetFileAttributes,
4138 * SetNamedPipeHandleState, SetMailslotInfo functions.
4145 NtSetInformationFile(
4146 IN HANDLE FileHandle
,
4147 IN PIO_STATUS_BLOCK IoStatusBlock
,
4148 IN PVOID FileInformation
,
4150 IN FILE_INFORMATION_CLASS FileInformationClass
4154 ZwSetInformationFile(
4155 IN HANDLE FileHandle
,
4156 IN PIO_STATUS_BLOCK IoStatusBlock
,
4157 IN PVOID FileInformation
,
4159 IN FILE_INFORMATION_CLASS FileInformationClass
4165 * FUNCTION: Sets the information of a registry key.
4167 * KeyHandle = Handle to the registry key
4168 * KeyInformationClass = Index to the a certain information structure.
4169 Can be one of the following values:
4171 * KeyWriteTimeInformation KEY_WRITE_TIME_INFORMATION
4173 KeyInformation = Storage for the new information
4174 * KeyInformationLength = Size of the information strucure
4180 NtSetInformationKey(
4181 IN HANDLE KeyHandle
,
4182 IN CINT KeyInformationClass
,
4183 IN PVOID KeyInformation
,
4184 IN ULONG KeyInformationLength
4189 ZwSetInformationKey(
4190 IN HANDLE KeyHandle
,
4191 IN CINT KeyInformationClass
,
4192 IN PVOID KeyInformation
,
4193 IN ULONG KeyInformationLength
4196 * FUNCTION: Changes a set of object specific parameters
4199 * ObjectInformationClass = Index to the set of parameters to change.
4202 ObjectBasicInformation
4203 ObjectTypeInformation OBJECT_TYPE_INFORMATION
4204 ObjectAllInformation
4205 ObjectDataInformation OBJECT_DATA_INFORMATION
4206 ObjectNameInformation OBJECT_NAME_INFORMATION
4209 * ObjectInformation = Caller supplies storage for parameters to set.
4210 * Length = Size of the storage supplied
4215 NtSetInformationObject(
4216 IN HANDLE ObjectHandle
,
4217 IN CINT ObjectInformationClass
,
4218 IN PVOID ObjectInformation
,
4224 ZwSetInformationObject(
4225 IN HANDLE ObjectHandle
,
4226 IN CINT ObjectInformationClass
,
4227 IN PVOID ObjectInformation
,
4232 * FUNCTION: Changes a set of process specific parameters
4234 * ProcessHandle = Handle to the process
4235 * ProcessInformationClass = Index to a information structure.
4237 * ProcessBasicInformation PROCESS_BASIC_INFORMATION
4238 * ProcessQuotaLimits QUOTA_LIMITS
4239 * ProcessBasePriority KPRIORITY
4240 * ProcessRaisePriority KPRIORITY
4241 * ProcessDebugPort HANDLE
4242 * ProcessExceptionPort HANDLE
4243 * ProcessAccessToken PROCESS_ACCESS_TOKEN
4244 * ProcessDefaultHardErrorMode ULONG
4245 * ProcessPriorityClass ULONG
4246 * ProcessAffinityMask KAFFINITY //??
4248 * ProcessInformation = Caller supplies storage for information to set.
4249 * ProcessInformationLength = Size of the information structure
4254 NtSetInformationProcess(
4255 IN HANDLE ProcessHandle
,
4256 IN CINT ProcessInformationClass
,
4257 IN PVOID ProcessInformation
,
4258 IN ULONG ProcessInformationLength
4262 ZwSetInformationProcess(
4263 IN HANDLE ProcessHandle
,
4264 IN CINT ProcessInformationClass
,
4265 IN PVOID ProcessInformation
,
4266 IN ULONG ProcessInformationLength
4269 * FUNCTION: Changes a set of thread specific parameters
4271 * ThreadHandle = Handle to the thread
4272 * ThreadInformationClass = Index to the set of parameters to change.
4273 * Can be one of the following values:
4275 * ThreadBasicInformation THREAD_BASIC_INFORMATION
4276 * ThreadPriority KPRIORITY //???
4277 * ThreadBasePriority KPRIORITY
4278 * ThreadAffinityMask KAFFINITY //??
4279 * ThreadImpersonationToken ACCESS_TOKEN
4280 * ThreadIdealProcessor ULONG
4281 * ThreadPriorityBoost ULONG
4283 * ThreadInformation = Caller supplies storage for parameters to set.
4284 * ThreadInformationLength = Size of the storage supplied
4289 NtSetInformationThread(
4290 IN HANDLE ThreadHandle
,
4291 IN THREADINFOCLASS ThreadInformationClass
,
4292 IN PVOID ThreadInformation
,
4293 IN ULONG ThreadInformationLength
4297 ZwSetInformationThread(
4298 IN HANDLE ThreadHandle
,
4299 IN THREADINFOCLASS ThreadInformationClass
,
4300 IN PVOID ThreadInformation
,
4301 IN ULONG ThreadInformationLength
4305 * FUNCTION: Changes a set of token specific parameters
4307 * TokenHandle = Handle to the token
4308 * TokenInformationClass = Index to a certain information structure.
4309 * Can be one of the following values:
4311 TokenUser TOKEN_USER
4312 TokenGroups TOKEN_GROUPS
4313 TokenPrivileges TOKEN_PRIVILEGES
4314 TokenOwner TOKEN_OWNER
4315 TokenPrimaryGroup TOKEN_PRIMARY_GROUP
4316 TokenDefaultDacl TOKEN_DEFAULT_DACL
4317 TokenSource TOKEN_SOURCE
4318 TokenType TOKEN_TYPE
4319 TokenImpersonationLevel TOKEN_IMPERSONATION_LEVEL
4320 TokenStatistics TOKEN_STATISTICS
4322 * TokenInformation = Caller supplies storage for information structure.
4323 * TokenInformationLength = Size of the information structure
4329 NtSetInformationToken(
4330 IN HANDLE TokenHandle
,
4331 IN TOKEN_INFORMATION_CLASS TokenInformationClass
,
4332 OUT PVOID TokenInformation
,
4333 IN ULONG TokenInformationLength
4338 ZwSetInformationToken(
4339 IN HANDLE TokenHandle
,
4340 IN TOKEN_INFORMATION_CLASS TokenInformationClass
,
4341 OUT PVOID TokenInformation
,
4342 IN ULONG TokenInformationLength
4347 * FUNCTION: Sets an io completion
4352 * NumberOfBytesToTransfer =
4353 * NumberOfBytesTransferred =
4359 IN HANDLE CompletionPort
,
4360 IN ULONG CompletionKey
,
4361 OUT PIO_STATUS_BLOCK IoStatusBlock
,
4362 IN ULONG NumberOfBytesToTransfer
,
4363 OUT PULONG NumberOfBytesTransferred
4368 IN HANDLE CompletionPort
,
4369 IN ULONG CompletionKey
,
4370 OUT PIO_STATUS_BLOCK IoStatusBlock
,
4371 IN ULONG NumberOfBytesToTransfer
,
4372 OUT PULONG NumberOfBytesTransferred
4376 * FUNCTION: Set properties for profiling
4386 NtSetIntervalProfile(
4393 ZwSetIntervalProfile(
4400 * FUNCTION: Sets the low part of an event pair
4402 EventPair = Handle to the event pair
4417 * FUNCTION: Sets the low part of an event pair and wait for the high part
4419 EventPair = Handle to the event pair
4424 NtSetLowWaitHighEventPair(
4429 ZwSetLowWaitHighEventPair(
4435 NtSetSecurityObject(
4437 IN SECURITY_INFORMATION SecurityInformation
,
4438 IN PSECURITY_DESCRIPTOR SecurityDescriptor
4443 ZwSetSecurityObject(
4445 IN SECURITY_INFORMATION SecurityInformation
,
4446 IN PSECURITY_DESCRIPTOR SecurityDescriptor
4451 * FUNCTION: Sets a system environment variable
4453 * ValueName = Name of the environment variable
4454 * Value = Value of the environment variable
4459 NtSetSystemEnvironmentValue(
4460 IN PUNICODE_STRING VariableName
,
4461 IN PUNICODE_STRING Value
4465 ZwSetSystemEnvironmentValue(
4466 IN PUNICODE_STRING VariableName
,
4467 IN PUNICODE_STRING Value
4470 * FUNCTION: Sets system parameters
4472 * SystemInformationClass = Index to a particular set of system parameters
4473 * Can be one of the following values:
4475 * SystemTimeAdjustmentInformation SYSTEM_TIME_ADJUSTMENT
4477 * SystemInformation = Structure containing the parameters.
4478 * SystemInformationLength = Size of the structure.
4483 NtSetSystemInformation(
4484 IN CINT SystemInformationClass
,
4485 IN PVOID SystemInformation
,
4486 IN ULONG SystemInformationLength
4491 ZwSetSystemInformation(
4492 IN CINT SystemInformationClass
,
4493 IN PVOID SystemInformation
,
4494 IN ULONG SystemInformationLength
4498 * FUNCTION: Sets the system time
4500 * SystemTime = Old System time
4501 * NewSystemTime = New System time
4507 IN PLARGE_INTEGER SystemTime
,
4508 IN PLARGE_INTEGER NewSystemTime OPTIONAL
4513 IN PLARGE_INTEGER SystemTime
,
4514 IN PLARGE_INTEGER NewSystemTime OPTIONAL
4517 * FUNCTION: Sets the characteristics of a timer
4519 * TimerHandle = Handle to the timer
4520 * DueTime = Time before the timer becomes signalled for the first time.
4521 * TimerApcRoutine = Completion routine can be called on time completion
4522 * TimerContext = Argument to the completion routine
4523 * Resume = Specifies if the timer should repeated after completing one cycle
4524 * Period = Cycle of the timer
4525 * REMARKS: This routine maps to the win32 SetWaitableTimer.
4531 IN HANDLE TimerHandle
,
4532 IN PLARGE_INTEGER DueTime
,
4533 IN PTIMERAPCROUTINE TimerApcRoutine
,
4534 IN PVOID TimerContext
,
4536 IN ULONG Period OPTIONAL
,
4537 OUT PBOOLEAN PreviousState OPTIONAL
4542 IN HANDLE TimerHandle
,
4543 IN PLARGE_INTEGER DueTime
,
4544 IN PTIMERAPCROUTINE TimerApcRoutine
,
4545 IN PVOID TimerContext
,
4547 IN ULONG Period OPTIONAL
,
4548 OUT PBOOLEAN PreviousState OPTIONAL
4551 * FUNCTION: Sets the frequency of the system timer
4553 * RequestedResolution =
4555 * ActualResolution =
4560 NtSetTimerResolution(
4561 IN ULONG RequestedResolution
,
4563 OUT PULONG ActualResolution
4567 ZwSetTimerResolution(
4568 IN ULONG RequestedResolution
,
4570 OUT PULONG ActualResolution
4573 * FUNCTION: Sets the value of a registry key
4575 * KeyHandle = Handle to a registry key
4576 * ValueName = Name of the value entry to change
4577 * TitleIndex = pointer to a structure containing the new volume information
4578 * Type = Type of the registry key. Can be one of the values:
4579 * REG_BINARY Unspecified binary data
4580 * REG_DWORD A 32 bit value
4581 * REG_DWORD_LITTLE_ENDIAN Same as REG_DWORD
4582 * REG_DWORD_BIG_ENDIAN A 32 bit value whose least significant byte is at the highest address
4583 * REG_EXPAND_SZ A zero terminated wide character string with unexpanded environment variables ( "%PATH%" )
4584 * REG_LINK A zero terminated wide character string referring to a symbolic link.
4585 * REG_MULTI_SZ A series of zero-terminated strings including a additional trailing zero
4586 * REG_NONE Unspecified type
4587 * REG_SZ A wide character string ( zero terminated )
4588 * REG_RESOURCE_LIST ??
4589 * REG_RESOURCE_REQUIREMENTS_LIST ??
4590 * REG_FULL_RESOURCE_DESCRIPTOR ??
4591 * Data = Contains the data for the registry key.
4592 * DataSize = size of the data.
4598 IN HANDLE KeyHandle
,
4599 IN PUNICODE_STRING ValueName
,
4600 IN ULONG TitleIndex OPTIONAL
,
4608 IN HANDLE KeyHandle
,
4609 IN PUNICODE_STRING ValueName
,
4610 IN ULONG TitleIndex OPTIONAL
,
4616 * FUNCTION: Sets the volume information of a file.
4618 * FileHandle = Handle to the file
4619 * VolumeInformationClass = specifies the particular volume information to set
4620 * VolumeInformation = pointer to a structure containing the new volume information
4621 * Length = size of the structure.
4626 NtSetVolumeInformationFile(
4627 IN HANDLE FileHandle
,
4628 IN CINT VolumeInformationClass
,
4629 PVOID VolumeInformation
,
4635 ZwSetVolumeInformationFile(
4636 IN HANDLE FileHandle
,
4637 IN CINT VolumeInformationClass
,
4638 PVOID VolumeInformation
,
4641 /* --- PROFILING --- */
4644 * FUNCTION: Starts profiling
4646 * ProfileHandle = Handle to the profile
4654 HANDLE ProfileHandle
4660 HANDLE ProfileHandle
4664 * FUNCTION: Stops profiling
4666 * ProfileHandle = Handle to the profile
4673 HANDLE ProfileHandle
4679 HANDLE ProfileHandle
4682 /* --- PROCESS MANAGEMENT --- */
4684 //--NtSystemDebugControl
4686 * FUNCTION: Terminates the execution of a process.
4688 * ThreadHandle = Handle to the process
4689 * ExitStatus = The exit status of the process to terminate with.
4691 Native applications should kill themselves using this function.
4697 IN HANDLE ProcessHandle
,
4698 IN NTSTATUS ExitStatus
4703 IN HANDLE ProcessHandle
,
4704 IN NTSTATUS ExitStatus
4707 /* --- DEVICE DRIVER CONTROL --- */
4710 * FUNCTION: Unloads a driver.
4712 * DriverServiceName = Name of the driver to unload
4718 IN PUNICODE_STRING DriverServiceName
4723 IN PUNICODE_STRING DriverServiceName
4726 /* --- VIRTUAL MEMORY MANAGEMENT --- */
4729 * FUNCTION: Writes a range of virtual memory
4731 * ProcessHandle = The handle to the process owning the address space.
4732 * BaseAddress = The points to the address to write to
4733 * Buffer = Pointer to the buffer to write
4734 * NumberOfBytesToWrite = Offset to the upper boundary to write
4735 * NumberOfBytesWritten = Total bytes written
4737 * This function maps to the win32 WriteProcessMemory
4742 NtWriteVirtualMemory(
4743 IN HANDLE ProcessHandle
,
4744 IN PVOID BaseAddress
,
4746 IN ULONG NumberOfBytesToWrite
,
4747 OUT PULONG NumberOfBytesWritten
4752 ZwWriteVirtualMemory(
4753 IN HANDLE ProcessHandle
,
4754 IN PVOID BaseAddress
,
4756 IN ULONG NumberOfBytesToWrite
,
4757 OUT PULONG NumberOfBytesWritten
4761 * FUNCTION: Unlocks a range of virtual memory.
4763 * ProcessHandle = Handle to the process
4764 * BaseAddress = Lower boundary of the range of bytes to unlock.
4765 * NumberOfBytesToUnlock = Offset to the upper boundary to unlock.
4766 * NumberOfBytesUnlocked (OUT) = Number of bytes actually unlocked.
4768 This procedure maps to the win32 procedure VirtualUnlock
4769 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PAGE_WAS_ULOCKED ]
4773 NtUnlockVirtualMemory(
4774 IN HANDLE ProcessHandle
,
4775 IN PVOID BaseAddress
,
4776 IN ULONG NumberOfBytesToUnlock
,
4777 OUT PULONG NumberOfBytesUnlocked OPTIONAL
4782 ZwUnlockVirtualMemory(
4783 IN HANDLE ProcessHandle
,
4784 IN PVOID BaseAddress
,
4785 IN ULONG NumberOfBytesToUnlock
,
4786 OUT PULONG NumberOfBytesUnlocked OPTIONAL
4789 * FUNCTION: Unmaps a piece of virtual memory backed by a file.
4791 * ProcessHandle = Handle to the process
4792 * BaseAddress = The address where the mapping begins
4794 This procedure maps to the win32 UnMapViewOfFile
4799 NtUnmapViewOfSection(
4800 IN HANDLE ProcessHandle
,
4801 IN PVOID BaseAddress
4805 ZwUnmapViewOfSection(
4806 IN HANDLE ProcessHandle
,
4807 IN PVOID BaseAddress
4810 /* --- OBJECT SYNCHRONIZATION --- */
4813 * FUNCTION: Signals an event and wait for it to be signaled again.
4815 * EventHandle = Handle to the event that should be signaled
4816 * Alertable = True if the wait is alertable
4817 * Time = The time to wait
4818 * NumberOfWaitingThreads = Number of waiting threads
4824 NtSignalAndWaitForSingleObject(
4825 IN HANDLE EventHandle
,
4826 IN BOOLEAN Alertable
,
4827 IN PLARGE_INTEGER Time
,
4828 PULONG NumberOfWaitingThreads OPTIONAL
4833 ZwSignalAndWaitForSingleObject(
4834 IN HANDLE EventHandle
,
4835 IN BOOLEAN Alertable
,
4836 IN PLARGE_INTEGER Time
,
4837 PULONG NumberOfWaitingThreads OPTIONAL
4841 * FUNCTION: Waits for multiple objects to become signalled.
4843 * Count = The number of objects
4844 * Object = The array of object handles
4845 * WaitType = Can be one of the values UserMode or KernelMode
4846 * Alertable = If true the wait is alertable.
4847 * Time = The maximum wait time.
4849 * This function maps to the win32 WaitForMultipleObjectEx.
4854 NtWaitForMultipleObjects (
4858 IN BOOLEAN Alertable
,
4859 IN PLARGE_INTEGER Time
4864 ZwWaitForMultipleObjects (
4868 IN BOOLEAN Alertable
,
4869 IN PLARGE_INTEGER Time
4872 * FUNCTION: Waits for an object to become signalled.
4874 * Object = The object handle
4875 * Alertable = If true the wait is alertable.
4876 * Time = The maximum wait time.
4878 * This function maps to the win32 WaitForSingleObjectEx.
4883 NtWaitForSingleObject (
4885 IN BOOLEAN Alertable
,
4886 IN PLARGE_INTEGER Time
4891 ZwWaitForSingleObject (
4893 IN BOOLEAN Alertable
,
4894 IN PLARGE_INTEGER Time
4897 /* --- EVENT PAIR OBJECT --- */
4900 * FUNCTION: Waits for the high part of an eventpair to become signalled
4902 * EventPairHandle = Handle to the event pair.
4908 NtWaitHighEventPair(
4909 IN HANDLE EventPairHandle
4914 ZwWaitHighEventPair(
4915 IN HANDLE EventPairHandle
4922 IN HANDLE EventPairHandle
4928 IN HANDLE EventPairHandle
4931 /* --- FILE MANAGEMENT --- */
4934 * FUNCTION: Unlocks a range of bytes in a file.
4936 * FileHandle = Handle to the file
4937 * IoStatusBlock = Caller should supply storage for a structure containing
4938 * the completion status and information about the requested unlock operation.
4939 The information field is set to the number of bytes unlocked.
4940 * ByteOffset = Offset to start the range of bytes to unlock
4941 * Length = Number of bytes to unlock.
4942 * Key = Special value to enable other threads to unlock a file than the
4943 thread that locked the file. The key supplied must match with the one obtained
4944 in a previous call to NtLockFile.
4946 This procedure maps to the win32 procedure UnlockFileEx. STATUS_PENDING is returned if the lock could
4947 not be obtained immediately, the device queue is busy and the IRP is queued.
4948 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PENDING | STATUS_ACCESS_DENIED | STATUS_INSUFFICIENT_RESOURCES |
4949 STATUS_INVALID_PARAMETER | STATUS_INVALID_DEVICE_REQUEST | STATUS_RANGE_NOT_LOCKED ]
4954 IN HANDLE FileHandle
,
4955 OUT PIO_STATUS_BLOCK IoStatusBlock
,
4956 IN PLARGE_INTEGER ByteOffset
,
4957 IN PLARGE_INTEGER Lenght
,
4958 OUT PULONG Key OPTIONAL
4963 IN HANDLE FileHandle
,
4964 OUT PIO_STATUS_BLOCK IoStatusBlock
,
4965 IN PLARGE_INTEGER ByteOffset
,
4966 IN PLARGE_INTEGER Lenght
,
4967 OUT PULONG Key OPTIONAL
4971 * FUNCTION: Writes data to a file
4973 * FileHandle = The handle a file ( from NtCreateFile )
4974 * Event = Specifies a event that will become signalled when the write operation completes.
4975 * ApcRoutine = Asynchroneous Procedure Callback [ Should not be used by device drivers ]
4976 * ApcContext = Argument to the Apc Routine
4977 * IoStatusBlock = Caller should supply storage for a structure containing the completion status and information about the requested write operation.
4978 * Buffer = Caller should supply storage for a buffer that will contain the information to be written to file.
4979 * Length = Size in bytest of the buffer
4980 * ByteOffset = Points to a file offset. If a combination of Length and BytesOfSet is past the end-of-file mark the file will be enlarged.
4981 * BytesOffset is ignored if the file is created with FILE_APPEND_DATA in the DesiredAccess. BytesOffset is also ignored if
4982 * the file is created with CreateOptions flags FILE_SYNCHRONOUS_IO_ALERT or FILE_SYNCHRONOUS_IO_NONALERT set, in that case a offset
4983 * should be created by specifying FILE_USE_FILE_POINTER_POSITION.
4986 * This function maps to the win32 WriteFile.
4987 * Callers to NtWriteFile should run at IRQL PASSIVE_LEVEL.
4988 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PENDING | STATUS_ACCESS_DENIED | STATUS_INSUFFICIENT_RESOURCES
4989 STATUS_INVALID_PARAMETER | STATUS_INVALID_DEVICE_REQUEST | STATUS_FILE_LOCK_CONFLICT ]
4994 IN HANDLE FileHandle
,
4995 IN HANDLE Event OPTIONAL
,
4996 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
4997 IN PVOID ApcContext OPTIONAL
,
4998 OUT PIO_STATUS_BLOCK IoStatusBlock
,
5001 IN PLARGE_INTEGER ByteOffset
,
5002 IN PULONG Key OPTIONAL
5008 IN HANDLE FileHandle
,
5009 IN HANDLE Event OPTIONAL
,
5010 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
5011 IN PVOID ApcContext OPTIONAL
,
5012 OUT PIO_STATUS_BLOCK IoStatusBlock
,
5015 IN PLARGE_INTEGER ByteOffset
,
5016 IN PULONG Key OPTIONAL
5020 * FUNCTION: Writes a file
5022 * FileHandle = The handle of the file
5024 * ApcRoutine = Asynchroneous Procedure Callback [ Should not be used by device drivers ]
5025 * ApcContext = Argument to the Apc Routine
5026 * IoStatusBlock = Caller should supply storage for a structure containing the completion status and information about the requested write operation.
5027 * BufferDescription = Caller should supply storage for a buffer that will contain the information to be written to file.
5028 * BufferLength = Size in bytest of the buffer
5029 * ByteOffset = Points to a file offset. If a combination of Length and BytesOfSet is past the end-of-file mark the file will be enlarged.
5030 * BytesOffset is ignored if the file is created with FILE_APPEND_DATA in the DesiredAccess. BytesOffset is also ignored if
5031 * the file is created with CreateOptions flags FILE_SYNCHRONOUS_IO_ALERT or FILE_SYNCHRONOUS_IO_NONALERT set, in that case a offset
5032 * should be created by specifying FILE_USE_FILE_POINTER_POSITION. Use FILE_WRITE_TO_END_OF_FILE to write to the EOF.
5033 * Key = If a matching key [ a key provided at NtLockFile ] is provided the write operation will continue even if a byte range is locked.
5035 * This function maps to the win32 WriteFile.
5036 * Callers to NtWriteFile should run at IRQL PASSIVE_LEVEL.
5037 * RETURNS: Status [ STATUS_SUCCESS | STATUS_PENDING | STATUS_ACCESS_DENIED | STATUS_INSUFFICIENT_RESOURCES
5038 STATUS_INVALID_PARAMETER | STATUS_INVALID_DEVICE_REQUEST | STATUS_FILE_LOCK_CONFLICT ]
5044 IN HANDLE FileHandle
,
5045 IN HANDLE Event OPTIONAL
,
5046 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
5047 IN PVOID ApcContext OPTIONAL
,
5048 OUT PIO_STATUS_BLOCK IoStatusBlock
,
5049 IN FILE_SEGMENT_ELEMENT BufferDescription
[],
5050 IN ULONG BufferLength
,
5051 IN PLARGE_INTEGER ByteOffset
,
5052 IN PULONG Key OPTIONAL
5058 IN HANDLE FileHandle
,
5059 IN HANDLE Event OPTIONAL
,
5060 IN PIO_APC_ROUTINE ApcRoutine OPTIONAL
,
5061 IN PVOID ApcContext OPTIONAL
,
5062 OUT PIO_STATUS_BLOCK IoStatusBlock
,
5063 IN FILE_SEGMENT_ELEMENT BufferDescription
[],
5064 IN ULONG BufferLength
,
5065 IN PLARGE_INTEGER ByteOffset
,
5066 IN PULONG Key OPTIONAL
5070 /* --- THREAD MANAGEMENT --- */
5073 * FUNCTION: Increments a thread's resume count
5075 * ThreadHandle = Handle to the thread that should be resumed
5076 * PreviousSuspendCount = The resulting/previous suspend count.
5078 * A thread will be suspended if its suspend count is greater than 0. This procedure maps to
5079 * the win32 SuspendThread function. ( documentation about the the suspend count can be found here aswell )
5080 * The suspend count is not increased if it is greater than MAXIMUM_SUSPEND_COUNT.
5086 IN HANDLE ThreadHandle
,
5087 IN PULONG PreviousSuspendCount
5093 IN HANDLE ThreadHandle
,
5094 IN PULONG PreviousSuspendCount
5098 * FUNCTION: Terminates the execution of a thread.
5100 * ThreadHandle = Handle to the thread
5101 * ExitStatus = The exit status of the thread to terminate with.
5107 IN HANDLE ThreadHandle
,
5108 IN NTSTATUS ExitStatus
5113 IN HANDLE ThreadHandle
,
5114 IN NTSTATUS ExitStatus
5117 * FUNCTION: Tests to see if there are any pending alerts for the calling thread
5132 * FUNCTION: Yields the callers thread.
5149 * --- Local Procedure Call Facility
5150 * These prototypes are unknown as yet
5151 * (stack sizes by Peter-Michael Hager)
5154 NTSTATUS STDCALL
NtAcceptConnectPort(VOID
);
5155 NTSTATUS STDCALL
NtCompleteConnectPort(VOID
);
5156 //NTSTATUS STDCALL NtConnectPort(VOID);
5157 NTSTATUS STDCALL
NtConnectPort(PHANDLE Handle
,
5158 POBJECT_ATTRIBUTES ObjectAttributes
);
5159 //NTSTATUS STDCALL NtCreatePort(VOID);
5160 NTSTATUS STDCALL
NtCreatePort(PHANDLE PortHandle
,
5161 ACCESS_MASK DesiredAccess
,
5162 POBJECT_ATTRIBUTES ObjectAttributes
);
5163 NTSTATUS STDCALL
NtImpersonateClientOfPort(VOID
);
5164 //NTSTATUS STDCALL NtListenPort(VOID);
5165 NTSTATUS STDCALL
NtListenPort(HANDLE PortHandle
,
5166 PLARGE_INTEGER Timeout
,
5167 PPORT_MSG_DATA Msg
);
5168 NTSTATUS STDCALL
NtQueryInformationPort(VOID
);
5169 NTSTATUS STDCALL
NtReplyPort(VOID
);
5170 NTSTATUS STDCALL
NtReplyWaitReceivePort(VOID
);
5171 NTSTATUS STDCALL
NtReplyWaitReplyPort(VOID
);
5172 //NTSTATUS STDCALL NtRequestPort(VOID);
5173 NTSTATUS STDCALL
NtRequestPort(HANDLE PortHandle
,
5177 PHANDLE ReplyPortHandle
);
5178 NTSTATUS STDCALL
NtRequestWaitReplyPort(VOID
);
5179 NTSTATUS STDCALL
NtReadRequestData(VOID
);
5180 NTSTATUS STDCALL
NtWriteRequestData(VOID
);
5184 NtAcceptConnectPort ( /* @24 */
5185 IN HANDLE PortHandle
,
5186 OUT PHANDLE ConnectedPort
,
5194 NtCompleteConnectPort ( /* @4 */
5195 IN HANDLE PortHandle
5199 NtConnectPort ( /* @32 */
5200 OUT PHANDLE PortHandle
,
5201 IN PUNICODE_STRING PortName
,
5207 IN UINT Flags
/* ??? */
5211 NtCreatePort ( /* @20 */
5212 OUT PHANDLE PortHandle
,
5213 IN POBJECT_ATTRIBUTES PortAttributes OPTIONAL
,
5214 IN ACCESS_MASK GrantedAccess
,
5220 NtImpersonateClientOfPort ( /* @8 */
5221 IN HANDLE PortHandle
,
5222 IN PCLIENT_ID ClientId
5226 NtListenPort ( /* @8 */
5227 IN HANDLE PortHAndle
,
5228 IN DWORD QueueSize
/* guess */
5232 NtQueryInformationPort ( /* @20 */
5233 IN HANDLE PortHandle
,
5234 IN CINT PortInformationClass
, /* guess */
5235 OUT PVOID PortInformation
, /* guess */
5236 IN ULONG PortInformationLength
, /* guess */
5237 OUT PULONG ReturnLength
/* guess */
5241 NtReplyPort ( /* @8 */
5242 IN HANDLE PortHandle
,
5243 IN PLPC_REPLY LpcReply
/* guess */
5247 NtReplyWaitReceivePort ( /* @16 */
5248 IN HANDLE PortHandle
,
5249 IN PLPC_REPLY LpcReply
, /* guess */
5250 OUT PLPC_MESSAGE LpcMessage
, /* guess */
5251 OUT PULONG MessageLength
/* guess */
5255 NtReplyWaitReplyPort ( /* @8 */
5256 IN HANDLE PortHandle
,
5257 IN OUT PLPC_REPLY LpcReply
/* guess */
5261 NtRequestPort ( /* @8 */
5262 IN HANDLE PortHandle
,
5263 IN PLPC_MESSAGE LpcMessage
/* guess */
5267 NtRequestWaitReplyPort ( /* @12 */
5268 IN HANDLE PortHandle
,
5269 IN OUT PLPC_REPLY LpcReply
, /* guess */
5270 IN TIME
* TimeToWait
/* guess */
5274 NtReadRequestData ( /* @24 */
5284 NtWriteRequestData ( /* @24 */
5292 #endif /* ndef PROTO_LPC */
5294 /* --- REGISTRY --- */
5296 //FIXME: NtUnloadKey needs more arguments
5298 * FUNCTION: Unloads a registry key.
5300 * KeyHandle = Handle to the registry key
5302 This procedure maps to the win32 procedure RegUnloadKey
5322 /* --- PLUG AND PLAY --- */
5332 NtGetPlugPlayEvent (
5336 /* --- NATIONAL LANGUAGE SUPPORT (NLS) --- */
5340 NtQueryDefaultLocale (
5346 NtSetDefaultLocale (
5350 /* --- POWER MANAGEMENT --- */
5354 NtSetSystemPowerState (
5358 /* --- DEBUG SUBSYSTEM --- */
5362 NtSystemDebugControl (
5367 /* --- VIRTUAL DOS MACHINE (VDM) --- */
5383 /* --- CHANNELS --- */
5405 NtReplyWaitSendChannel (
5411 NtSendWaitReplyChannel (
5417 NtSetContextChannel (
5421 /* --- MISCELLANEA --- */
5423 //NTSTATUS STDCALL NtSetLdtEntries(VOID);
5433 * FUNCTION: Shuts the system down
5435 * Action: Specifies the type of shutdown, it can be one of the following values:
5436 ShutdownNoReboot, ShutdownReboot, ShutdownPowerOff
5442 IN SHUTDOWN_ACTION Action
5448 IN SHUTDOWN_ACTION Action
5453 NtQueryOleDirectoryFile (
5464 #endif /* __DDK_ZW_H */