From 2dab418d62087575c12d89349f78fa897a0f114c Mon Sep 17 00:00:00 2001 
From: Ratin Gao Date: Fri, 13 Sep 2024 03:01:51 +0800 Subject: [PATCH] Refactor - Part 2 --- .../Include/KNSoft/NDK/Extension/Extension.h | 63 +++ .../KNSoft/NDK/Extension/MSToolChain.h | 70 ---- Source/Include/KNSoft/NDK/NDK.h | 2 +- Source/Include/KNSoft/NDK/NT/Bcd.h | 109 +++++- Source/Include/KNSoft/NDK/NT/Cm/Reg.h | 368 ++++++++++++++++-- Source/Include/KNSoft/NDK/NT/Cm/RegInfo.h | 204 +++++++++- Source/Include/KNSoft/NDK/NT/Cm/VReg.h | 26 +- Source/Include/KNSoft/NDK/NT/Etw.h | 2 +- Source/Include/KNSoft/NDK/NT/Ex/Misc.h | 2 +- Source/Include/KNSoft/NDK/NT/Ex/SharedData.h | 2 +- Source/Include/KNSoft/NDK/NT/Ex/SysInfo.h | 18 +- .../Include/KNSoft/NDK/NT/Extension/Runtime.h | 22 +- Source/Include/KNSoft/NDK/NT/Io/Misc.h | 140 +++++++ Source/Include/KNSoft/NDK/NT/Lpc/Alpc.h | 18 +- Source/Include/KNSoft/NDK/NT/Lpc/Port.h | 6 +- Source/Include/KNSoft/NDK/NT/MinDef.h | 7 +- Source/Include/KNSoft/NDK/NT/Mm/Info.h | 151 +++++++ Source/Include/KNSoft/NDK/NT/Po/Misc.h | 102 ++++- Source/Include/KNSoft/NDK/NT/Ps/PsApi.h | 102 ++++- Source/Include/KNSoft/NDK/NT/Ps/PsInfo.h | 4 +- Source/Include/KNSoft/NDK/NT/Rtl/BootStatus.h | 1 + Source/Include/KNSoft/NDK/NT/Rtl/Misc.h | 2 +- .../NDK/NT/Rtl/Process/EnvironmentBlock.h | 1 + .../KNSoft/NDK/NT/Rtl/Process/Process.h | 5 + Source/Include/KNSoft/NDK/NT/Se/Misc.h | 42 +- Source/Include/KNSoft/NDK/NT/Sxs.h | 2 +- Source/Include/KNSoft/NDK/NT/ZwApi.h | 33 +- .../Include/KNSoft/NDK/Win32/Def/CommCtrl.h | 2 + Source/KNSoft.NDK/KNSoft.NDK.vcxproj | 9 +- Source/KNSoft.NDK/KNSoft.NDK.vcxproj.filters | 13 +- .../KNSoft.NDK/WinAPI/KNSoft.NDK.Kernel32.xml | 5 + Source/KNSoft.NDK/WinAPI/KNSoft.NDK.Ntdll.xml | 6 + ....NDK.WinAPI.xml => KNSoft.NDK.SecHost.xml} | 7 - .../Test/Extension/{MSToolChain.c => MSVC.c} | 2 +- Source/Test/Test.vcxproj | 4 +- Source/Test/Test.vcxproj.filters | 2 +- 36 files changed, 1323 insertions(+), 231 deletions(-) delete mode 100644 Source/Include/KNSoft/NDK/Extension/MSToolChain.h create mode 100644 
Source/KNSoft.NDK/WinAPI/KNSoft.NDK.Kernel32.xml create mode 100644 Source/KNSoft.NDK/WinAPI/KNSoft.NDK.Ntdll.xml rename Source/KNSoft.NDK/WinAPI/{KNSoft.NDK.WinAPI.xml => KNSoft.NDK.SecHost.xml} (91%) rename Source/Test/Extension/{MSToolChain.c => MSVC.c} (83%) diff --git a/Source/Include/KNSoft/NDK/Extension/Extension.h b/Source/Include/KNSoft/NDK/Extension/Extension.h index ba52911..c1bb7c4 100644 --- a/Source/Include/KNSoft/NDK/Extension/Extension.h +++ b/Source/Include/KNSoft/NDK/Extension/Extension.h 
@@ -71,3 +71,66 @@ } varName #pragma endregion + +#pragma region MSVC and WinSDK + +#if _WIN64 +#define IS_WIN64 TRUE +#else +#define IS_WIN64 FALSE +#endif + +/* Patch C_ASSERT to avoid confusion amount static_assert, _Static_assert, _STATIC_ASSERT and C_ASSERT */ + +#undef C_ASSERT +#define C_ASSERT(expr) static_assert((expr), #expr) + +#define __A2U8(quote) u8##quote +#define _A2U8(quote) __A2U8(quote) + +#define __A2W(quote) L##quote +#define _A2W(quote) __A2W(quote) + +#if _WIN64 +#define MSVC_VARDNAME(x) x +#define MSVC_INCLUDE_VAR(x) __pragma(comment(linker, "/include:"#x)) +#else +#define MSVC_VARDNAME(x) _##x +#define MSVC_INCLUDE_VAR(x) __pragma(comment(linker, "/include:_"#x)) +#endif + +/* + * Initializer support + * See also: + * https://devblogs.microsoft.com/cppblog/new-compiler-warnings-for-dynamic-initialization/ + * https://learn.microsoft.com/en-us/cpp/c-runtime-library/crt-initialization + * + * ** FIXME: Not support C++ yet ** + */ + +#ifndef __cplusplus + +// Section 'section-name' is reserved for C++ dynamic initialization. +#pragma warning(error: 5247 5248) + +typedef int(__cdecl* _PIFV)(void); + +#pragma section(".CRT$XINDK", long, read) + +#define MSVC_INITIALIZER(x)\ +int __cdecl x(void);\ +__declspec(allocate(".CRT$XINDK")) _PIFV _KNSoft_NDK_Initializer_User_##x = &x;\ +MSVC_INCLUDE_VAR(_KNSoft_NDK_Initializer_User_##x)\ +int __cdecl x(void) + +#endif + +#pragma endregion + +#pragma region MSBuild + +#define MSB_LIB_PATH(LibName) (MSB_PLATFORMTARGET"/"MSB_CONFIGURATION"/"##LibName) + +/* Other MSB_* are defined in Directory.Build.props */ + +#pragma endregion diff --git a/Source/Include/KNSoft/NDK/Extension/MSToolChain.h b/Source/Include/KNSoft/NDK/Extension/MSToolChain.h deleted file mode 100644 index 3cab340..0000000 --- a/Source/Include/KNSoft/NDK/Extension/MSToolChain.h +++ /dev/null 
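Review bot: `MSVC_INITIALIZER` has no comment stating its return contract, which matters because the macro places a pointer to `x` in `.CRT$XINDK`, so `x` runs during CRT start-up before `main`. The CRT initialization page linked in the block comment treats the `.CRT$XI*` entries as C initializers whose non-zero return stops start-up, so I would add above the macro `/* x runs during CRT init, before main; return 0 on success, non-zero aborts start-up */`. Separately, `MSB_LIB_PATH` joins a string literal to `LibName` with `##`, which does not form a valid token and is only tolerated by the traditional MSVC preprocessor. Assuming `LibName` is always passed as a string literal, plain adjacency works without it: `(MSB_PLATFORMTARGET"/"MSB_CONFIGURATION"/"LibName)`.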
@@ -1,70 +0,0 @@ -#pragma once - -#ifdef _KNSOFT_NDK_NO_EXTENSION_MSTOOLCHAIN -#pragma message("KNSoft.NDK: MSToolChain.h is included but _KNSOFT_NDK_NO_EXTENSION_MSTOOLCHAIN is defined.") -#endif - -#include "../NT/MinDef.h" - -#pragma region MSVC and WinSDK - -#if _WIN64 -#define IS_WIN64 TRUE -#else -#define IS_WIN64 FALSE -#endif - -/* Patch C_ASSERT to avoid confusion amount static_assert, _Static_assert, _STATIC_ASSERT and C_ASSERT */ - -#undef C_ASSERT -#define C_ASSERT(expr) static_assert((expr), #expr) - -#define __A2U8(quote) u8##quote -#define _A2U8(quote) __A2U8(quote) - -#define __A2W(quote) L##quote -#define _A2W(quote) __A2W(quote) - -#if _WIN64 -#define MSVC_VARDNAME(x) x -#define MSVC_INCLUDE_VAR(x) __pragma(comment(linker, "/include:"#x)) -#else -#define MSVC_VARDNAME(x) _##x -#define MSVC_INCLUDE_VAR(x) __pragma(comment(linker, "/include:_"#x)) -#endif - -/* - * Initializer support - * See also: - * https://devblogs.microsoft.com/cppblog/new-compiler-warnings-for-dynamic-initialization/ - * https://learn.microsoft.com/en-us/cpp/c-runtime-library/crt-initialization - * - * ** FIXME: Not support C++ yet ** - */ - -#ifndef __cplusplus - -// Section 'section-name' is reserved for C++ dynamic initialization. -#pragma warning(error: 5247 5248) - -typedef int(__cdecl* _PIFV)(void); - -#pragma section(".CRT$XINDK", long, read) - -#define MSVC_INITIALIZER(x)\ -int __cdecl x(void);\ -__declspec(allocate(".CRT$XINDK")) _PIFV _KNSoft_NDK_Initializer_User_##x = &x;\ -MSVC_INCLUDE_VAR(_KNSoft_NDK_Initializer_User_##x)\ -int __cdecl x(void) - -#endif - -#pragma endregion - -#pragma region MSBuild - -#define MSB_LIB_PATH(LibName) (MSB_PLATFORMTARGET"/"MSB_CONFIGURATION"/"##LibName) - -/* Other MSB_* are defined in Directory.Build.props */ - -#pragma endregion diff --git a/Source/Include/KNSoft/NDK/NDK.h b/Source/Include/KNSoft/NDK/NDK.h index f858d1f..3684883 100644 --- a/Source/Include/KNSoft/NDK/NDK.h +++ b/Source/Include/KNSoft/NDK/NDK.h 
@@ -12,6 +12,7 @@ #include #include "Win32/Def/WinUser.h" +#include "Win32/Def/CommCtrl.h" /* APIs */ @@ -31,5 +32,4 @@ #ifndef _KNSOFT_NDK_NO_EXTENSION #include "Extension/Extension.h" -#include "Extension/MSToolChain.h" #endif diff --git a/Source/Include/KNSoft/NDK/NT/Bcd.h b/Source/Include/KNSoft/NDK/NT/Bcd.h index 47691cf..6bc5a68 100644 --- a/Source/Include/KNSoft/NDK/NT/Bcd.h +++ b/Source/Include/KNSoft/NDK/NT/Bcd.h @@ -94,6 +94,13 @@ typedef VOID(NTAPI* BCD_MESSAGE_CALLBACK)( _In_ PWSTR Message ); +/** + * Sets the logging level and callback routine for BCD messages. + * + * @param BcdLoggingLevel The logging level to set. + * @param BcdMessageCallbackRoutine The callback routine for BCD messages. + * @return NTSTATUS Successful or errant status. + */ NTSYSAPI NTSTATUS NTAPI @@ -102,6 +109,9 @@ BcdSetLogging( _In_ BCD_MESSAGE_CALLBACK BcdMessageCallbackRoutine ); +/** + * Initializes the BCD synchronization mutant. + */ NTSYSAPI VOID NTAPI @@ -109,6 +119,12 @@ BcdInitializeBcdSyncMutant( VOID ); +/** + * Retrieves the file name for the BCD. + * + * @param BcdSystemStorePath The pointer to receive the system store path. + * @return NTSTATUS Successful or errant status. + */ NTSYSAPI NTSTATUS NTAPI @@ -116,6 +132,12 @@ BcdGetSystemStorePath( _Out_ PWSTR* BcdSystemStorePath // RtlFreeHeap(RtlProcessHeap(), 0, BcdSystemStorePath); ); +/** + * Sets the device for the system BCD store. + * + * @param SystemPartition The system partition to set. + * @return NTSTATUS Successful or errant status. + */ NTSYSAPI NTSTATUS NTAPI @@ -123,6 +145,12 @@ BcdSetSystemStoreDevice( _In_ UNICODE_STRING SystemPartition ); +/** + * Opens the BCD system store. + * + * @param BcdStoreHandle The handle to receive the system store. + * @return NTSTATUS Successful or errant status. + */ NTSYSAPI NTSTATUS NTAPI 
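Review bot: The new doc block for `BcdGetSystemStorePath` does not say who owns the returned string; the only hint is the trailing parameter comment `// RtlFreeHeap(RtlProcessHeap(), 0, BcdSystemStorePath);` visible as context in the next hunk. A caller reading only the doc block will leak the buffer or free it with the wrong allocator. Going by that trailing comment, I would add `@remarks The caller releases *BcdSystemStorePath with RtlFreeHeap(RtlProcessHeap(), 0, ...).` to the block. The summary also says "file name for the BCD" while the parameter text says "system store path"; one term throughout would read better.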
@@ -130,6 +158,13 @@ BcdOpenSystemStore( _Out_ PHANDLE BcdStoreHandle ); +/** + * Opens a BCD store from a file. + * + * @param BcdFilePath The file path of the BCD store. + * @param BcdStoreHandle The handle to receive the BCD store. + * @return NTSTATUS Successful or errant status. + */ NTSYSAPI NTSTATUS NTAPI @@ -138,6 +173,13 @@ BcdOpenStoreFromFile( _Out_ PHANDLE BcdStoreHandle ); +/** + * Creates a BCD store. + * + * @param BcdFilePath The file path to create the BCD store. + * @param BcdStoreHandle The handle to receive the BCD store. + * @return NTSTATUS Successful or errant status. + */ NTSYSAPI NTSTATUS NTAPI @@ -146,6 +188,12 @@ BcdCreateStore( _Out_ PHANDLE BcdStoreHandle ); +/** + * Exports the BCD store to a file. + * + * @param BcdFilePath The file path to export the BCD store. + * @return NTSTATUS Successful or errant status. + */ NTSYSAPI NTSTATUS NTAPI @@ -153,7 +201,15 @@ BcdExportStore( _In_ UNICODE_STRING BcdFilePath ); -#if (PHNT_VERSION > PHNT_WIN11) +#if (NTDDI_VERSION > NTDDI_WIN11_ZN) +/** + * Exports the BCD store to a file with additional flags. + * + * @param BcdStoreHandle The handle to the BCD store. + * @param Flags The flags for exporting the store. + * @param BcdFilePath The file path to export the BCD store. + * @return NTSTATUS Successful or errant status. + */ NTSYSAPI NTSTATUS NTAPI @@ -164,6 +220,12 @@ BcdExportStoreEx( ); #endif +/** + * Imports a BCD store from a file. + * + * @param BcdFilePath The file path to import the BCD store. + * @return NTSTATUS Successful or errant status. + */ NTSYSAPI NTSTATUS NTAPI @@ -177,6 +239,13 @@ typedef enum _BCD_IMPORT_FLAGS BCD_IMPORT_DELETE_FIRMWARE_OBJECTS } BCD_IMPORT_FLAGS; +/** + * Imports a BCD store from a file with additional flags. + * + * @param BcdFilePath The file path to import the BCD store. + * @param BcdImportFlags The flags for importing the store. + * @return NTSTATUS Successful or errant status. + */ NTSYSAPI NTSTATUS NTAPI 
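Review bot: The rewritten guard `#if (NTDDI_VERSION > NTDDI_WIN11_ZN)` around `BcdExportStoreEx` evaluates true whenever `NTDDI_WIN11_ZN` is not defined, because an undefined identifier in `#if` is replaced by 0. If this header can be compiled against an SDK that predates that constant (the page does not show whether the NDK defines it itself), the prototype is exposed for every target version. `#if defined(NTDDI_WIN11_ZN) && (NTDDI_VERSION > NTDDI_WIN11_ZN)` closes that gap. It is also not visible here that the new comparison selects the same builds as the old `PHNT_VERSION > PHNT_WIN11`, so a short comment naming the first build that exports the function would let a reader check it.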
@@ -185,6 +254,13 @@ BcdImportStoreWithFlags( _In_ BCD_IMPORT_FLAGS BcdImportFlags ); +/** + * Deletes object references in the BCD store. + * + * @param BcdStoreHandle The handle to the BCD store. + * @param Identifier The identifier of the object to delete references for. + * @return NTSTATUS Successful or errant status. + */ NTSYSAPI NTSTATUS NTAPI @@ -193,6 +269,11 @@ BcdDeleteObjectReferences( _In_ PGUID Identifier ); +/** + * Deletes the system store for BCD. + * + * @return NTSTATUS Successful or errant status. + */ NTSYSAPI NTSTATUS NTAPI @@ -207,6 +288,14 @@ typedef enum _BCD_OPEN_FLAGS BCD_OPEN_SYNC_FIRMWARE_ENTRIES } BCD_OPEN_FLAGS; +/** + * Opens a BCD store with additional flags. + * + * @param BcdFilePath The file path of the BCD store. + * @param BcdOpenFlags The flags for opening the store. + * @param BcdStoreHandle The handle to receive the BCD store. + * @return NTSTATUS Successful or errant status. + */ NTSYSAPI NTSTATUS NTAPI @@ -216,6 +305,12 @@ BcdOpenStore( _Out_ PHANDLE BcdStoreHandle ); +/** + * Closes a BCD store. + * + * @param BcdStoreHandle The handle to the BCD store. + * @return NTSTATUS Successful or errant status. + */ NTSYSAPI NTSTATUS NTAPI @@ -223,6 +318,12 @@ BcdCloseStore( _In_ HANDLE BcdStoreHandle ); +/** + * Flushes a BCD store. + * + * @param BcdStoreHandle The handle to the BCD store. + * @return NTSTATUS Successful or errant status. + */ NTSYSAPI NTSTATUS NTAPI @@ -230,6 +331,12 @@ BcdFlushStore( _In_ HANDLE BcdStoreHandle ); +/** + * Forcibly unloads a BCD store. + * + * @param BcdStoreHandle The handle to the BCD store. + * @return NTSTATUS Successful or errant status. + */ NTSYSAPI NTSTATUS NTAPI diff --git a/Source/Include/KNSoft/NDK/NT/Cm/Reg.h b/Source/Include/KNSoft/NDK/NT/Cm/Reg.h index a21c7d0..641af6d 100644 --- a/Source/Include/KNSoft/NDK/NT/Cm/Reg.h +++ b/Source/Include/KNSoft/NDK/NT/Cm/Reg.h 
@@ -13,6 +13,12 @@ EXTERN_C_START #define REG_INIT_BOOT_ACCEPTED_BASE 0x0002 #define REG_INIT_BOOT_ACCEPTED_MAX REG_INIT_BOOT_ACCEPTED_BASE + 999 +/** + * Initializes the registry. + * + * @param BootCondition Condition for the boot. + * @return NTSTATUS Successful or errant status. + */ NTSYSCALLAPI NTSTATUS NTAPI @@ -54,6 +60,18 @@ typedef struct DECLSPEC_ALIGN(8) _CM_EXTENDED_PARAMETER }; } CM_EXTENDED_PARAMETER, *PCM_EXTENDED_PARAMETER; +/** + * Creates a new registry key routine or opens an existing one. + * + * @param[out] KeyHandle A pointer to a handle that receives the key handle. + * @param[in] DesiredAccess The access mask that specifies the desired access rights. + * @param[in] ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes. + * @param[in] TitleIndex Reserved. + * @param[in, optional] Class A pointer to a UNICODE_STRING structure that specifies the class of the key. + * @param[in] CreateOptions The options to use when creating the key. + * @param[out, optional] Disposition A pointer to a variable that receives the disposition value. + * @return NTSTATUS The status of the operation. + */ NTSYSCALLAPI NTSTATUS NTAPI 
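Review bot: The direction tags in the new Reg.h comments use `@param[in, optional]` and `@param[out, optional]` (here on `Class` and `Disposition`, again in the NtCreateKeyTransacted, NtLoadKeyEx and NtLoadKey3 blocks, where `[in, reserved]` also appears), and Doxygen only recognizes `in`, `out` and `in,out` as directions. I would write `@param[in] Class Optional. A pointer to ...` and keep optionality in the text, since the SAL annotation already carries it. The NtCreateKey summary also has a stray word: "Creates a new registry key routine or opens an existing one" should read `Creates a new registry key or opens an existing one.` Later blocks in this file (NtSaveKey onward) drop the direction tags and use a different `@return` sentence, so picking one form for the whole header would help.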
@@ -67,6 +85,19 @@ NtCreateKey( _Out_opt_ PULONG Disposition ); +/** + * Creates a new registry key or opens an existing one, and it associates the key with a transaction. + * + * @param[out] KeyHandle A pointer to a handle that receives the key handle. + * @param[in] DesiredAccess The access mask that specifies the desired access rights. + * @param[in] ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes. + * @param[in] TitleIndex Reserved. + * @param[in, optional] Class A pointer to a UNICODE_STRING structure that specifies the class of the key. + * @param[in] CreateOptions The options to use when creating the key. + * @param[in] TransactionHandle A handle to the transaction. + * @param[out, optional] Disposition A pointer to a variable that receives the disposition value. + * @return NTSTATUS The status of the operation. + */ NTSYSCALLAPI NTSTATUS NTAPI @@ -81,6 +112,15 @@ NtCreateKeyTransacted( _Out_opt_ PULONG Disposition ); +/** + * Opens an existing registry key. + * + * @param[out] KeyHandle A pointer to a handle that receives the key handle. + * @param[in] DesiredAccess The access mask that specifies the desired access rights. + * @param[in] ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes. + * @return NTSTATUS The status of the operation. + * @remarks NtOpenKey ignores the security information in the ObjectAttributes structure. + */ NTSYSCALLAPI NTSTATUS NTAPI 
@@ -90,6 +130,15 @@ NtOpenKey( _In_ POBJECT_ATTRIBUTES ObjectAttributes ); +/** + * Opens an existing registry key and associates the key with a transaction. + * + * @param[out] KeyHandle A pointer to a handle that receives the key handle. + * @param[in] DesiredAccess The access mask that specifies the desired access rights. + * @param[in] ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes. + * @param[in] TransactionHandle A handle to the transaction. + * @return NTSTATUS The status of the operation. + */ NTSYSCALLAPI NTSTATUS NTAPI @@ -100,6 +149,15 @@ NtOpenKeyTransacted( _In_ HANDLE TransactionHandle ); +/** + * Opens an existing registry key with extended options. + * + * @param[out] KeyHandle A pointer to a handle that receives the key handle. + * @param[in] DesiredAccess The access mask that specifies the desired access rights. + * @param[in] ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes. + * @param[in] OpenOptions The options to use when opening the key. + * @return NTSTATUS The status of the operation. + */ NTSYSCALLAPI NTSTATUS NTAPI @@ -110,6 +168,16 @@ NtOpenKeyEx( _In_ ULONG OpenOptions ); +/** + * Opens an existing registry key in a transaction with extended options. + * + * @param[out] KeyHandle A pointer to a handle that receives the key handle. + * @param[in] DesiredAccess The access mask that specifies the desired access rights. + * @param[in] ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes. + * @param[in] OpenOptions The options to use when opening the key. + * @param[in] TransactionHandle A handle to the transaction. + * @return NTSTATUS The status of the operation. + */ NTSYSCALLAPI NTSTATUS NTAPI 
@@ -121,6 +189,12 @@ NtOpenKeyTransactedEx( _In_ HANDLE TransactionHandle ); +/** + * Deletes a registry key. + * + * @param[in] KeyHandle A handle to the key to be deleted. + * @return NTSTATUS The status of the operation. + */ NTSYSCALLAPI NTSTATUS NTAPI @@ -128,6 +202,13 @@ NtDeleteKey( _In_ HANDLE KeyHandle ); +/** + * Renames a registry key. + * + * @param[in] KeyHandle A handle to the key to be renamed. + * @param[in] NewName A pointer to a UNICODE_STRING structure that specifies the new name of the key. + * @return NTSTATUS The status of the operation. + */ NTSYSCALLAPI NTSTATUS NTAPI @@ -136,6 +217,13 @@ NtRenameKey( _In_ PUNICODE_STRING NewName ); +/** + * Deletes a value from a registry key. + * + * @param[in] KeyHandle A handle to the key that contains the value to be deleted. + * @param[in] ValueName A pointer to a UNICODE_STRING structure that specifies the name of the value to be deleted. + * @return NTSTATUS The status of the operation. + */ NTSYSCALLAPI NTSTATUS NTAPI @@ -144,18 +232,12 @@ NtDeleteValueKey( _In_ PUNICODE_STRING ValueName ); -NTSYSCALLAPI -NTSTATUS -NTAPI -NtSetValueKey( - _In_ HANDLE KeyHandle, - _In_ PUNICODE_STRING ValueName, - _In_opt_ ULONG TitleIndex, - _In_ ULONG Type, - _In_reads_bytes_opt_(DataSize) PVOID Data, - _In_ ULONG DataSize - ); - +/** + * Flushes the changes to a registry key. + * + * @param[in] KeyHandle A handle to the key to be flushed. + * @return NTSTATUS The status of the operation. + */ NTSYSCALLAPI NTSTATUS NTAPI @@ -163,6 +245,13 @@ NtFlushKey( _In_ HANDLE KeyHandle ); +/** + * Compacts the specified registry keys. + * + * @param[in] Count The number of keys to be compacted. + * @param[in] KeyArray An array of handles to the keys to be compacted. + * @return NTSTATUS The status of the operation. + */ NTSYSCALLAPI NTSTATUS NTAPI 
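Review bot: The hunk at `@@ -144,18 +232,12 @@` deletes the whole `NtSetValueKey` prototype from Reg.h while adding the NtFlushKey comment, and nothing in the visible part of this patch declares it again. If the declaration moved (RegInfo.h gains about 200 lines, most of them outside this view), that is fine, but otherwise every includer that writes registry values stops compiling or falls back to an implicit declaration in C. Worth confirming where it went and leaving a pointer at the old location, for example `/* NtSetValueKey is declared in <header it moved to> */`.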
@@ -171,6 +260,12 @@ NtCompactKeys( _In_reads_(Count) HANDLE KeyArray[] ); +/** + * Compresses a registry key. + * + * @param[in] KeyHandle A handle to the key to be compressed. + * @return NTSTATUS The status of the operation. + */ NTSYSCALLAPI NTSTATUS NTAPI @@ -178,6 +273,13 @@ NtCompressKey( _In_ HANDLE KeyHandle ); +/** + * Loads a registry key from a file. + * + * @param[in] TargetKey A pointer to an OBJECT_ATTRIBUTES structure that specifies the target key. + * @param[in] SourceFile A pointer to an OBJECT_ATTRIBUTES structure that specifies the source file. + * @return NTSTATUS The status of the operation. + */ NTSYSCALLAPI NTSTATUS NTAPI @@ -186,6 +288,14 @@ NtLoadKey( _In_ POBJECT_ATTRIBUTES SourceFile ); +/** + * Loads a registry key from a file with additional options. + * + * @param[in] TargetKey A pointer to an OBJECT_ATTRIBUTES structure that specifies the target key. + * @param[in] SourceFile A pointer to an OBJECT_ATTRIBUTES structure that specifies the source file. + * @param[in] Flags The options to use when loading the key. + * @return NTSTATUS The status of the operation. + */ NTSYSCALLAPI NTSTATUS NTAPI @@ -195,6 +305,19 @@ NtLoadKey2( _In_ ULONG Flags ); +/** + * Loads a registry key from a file with extended options. + * + * @param[in] TargetKey A pointer to an OBJECT_ATTRIBUTES structure that specifies the target key. + * @param[in] SourceFile A pointer to an OBJECT_ATTRIBUTES structure that specifies the source file. + * @param[in] Flags The options to use when loading the key. + * @param[in, optional] TrustClassKey A handle to the trust class key. + * @param[in, optional] Event A handle to an event. + * @param[in, optional] DesiredAccess The access mask that specifies the desired access rights. + * @param[out, optional] RootHandle A pointer to a handle that receives the root handle. + * @param[in, reserved] Reserved Reserved. + * @return NTSTATUS The status of the operation. + */ NTSYSCALLAPI NTSTATUS NTAPI 
@@ -202,7 +325,7 @@ NtLoadKeyEx( _In_ POBJECT_ATTRIBUTES TargetKey, _In_ POBJECT_ATTRIBUTES SourceFile, _In_ ULONG Flags, - _In_opt_ HANDLE TrustClassKey, // this and below were added on Win10 + _In_opt_ HANDLE TrustClassKey, _In_opt_ HANDLE Event, _In_opt_ ACCESS_MASK DesiredAccess, _Out_opt_ PHANDLE RootHandle, @@ -211,6 +334,19 @@ NtLoadKeyEx( // rev by tyranid #if (NTDDI_VERSION >= NTDDI_WIN10_MN) +/** + * Loads a registry key from a file with extended parameters. + * + * @param[in] TargetKey A pointer to an OBJECT_ATTRIBUTES structure that specifies the target key. + * @param[in] SourceFile A pointer to an OBJECT_ATTRIBUTES structure that specifies the source file. + * @param[in] Flags The options to use when loading the key. + * @param[in] ExtendedParameters A pointer to an array of extended parameters. + * @param[in] ExtendedParameterCount The number of extended parameters. + * @param[in, optional] DesiredAccess The access mask that specifies the desired access rights. + * @param[out, optional] RootHandle A pointer to a handle that receives the root handle. + * @param[in, reserved] Reserved Reserved. + * @return NTSTATUS The status of the operation. + */ NTSYSCALLAPI NTSTATUS NTAPI @@ -226,6 +362,14 @@ NtLoadKey3( ); #endif +/** + * Replaces a registry key. + * + * @param[in] NewFile A pointer to an OBJECT_ATTRIBUTES structure that specifies the new file. + * @param[in] TargetHandle A handle to the target key. + * @param[in] OldFile A pointer to an OBJECT_ATTRIBUTES structure that specifies the old file. + * @return NTSTATUS The status of the operation. + */ NTSYSCALLAPI NTSTATUS NTAPI @@ -235,6 +379,13 @@ NtReplaceKey( _In_ POBJECT_ATTRIBUTES OldFile ); +/** + * Saves the specified registry key to a file. + * + * @param KeyHandle Handle to the registry key. + * @param FileHandle Handle to the file where the key will be saved. + * @return NTSTATUS Successful or errant status. + */ NTSYSCALLAPI NTSTATUS NTAPI 
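Review bot: Removing the trailing comment `// this and below were added on Win10` from `TrustClassKey` drops the only statement of which `NtLoadKeyEx` parameters are version-dependent, and the doc block added for the function in the preceding hunk does not carry it. A caller targeting an older system can no longer tell from the header that the last five parameters may not be honoured there. I would keep the fact in the doc block: `@remarks TrustClassKey and the parameters after it were added in Windows 10.`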
@@ -243,6 +394,14 @@ NtSaveKey( _In_ HANDLE FileHandle ); +/** + * Saves the specified registry key to a file with a specified format. + * + * @param KeyHandle Handle to the registry key. + * @param FileHandle Handle to the file where the key will be saved. + * @param Format Format in which the key will be saved. + * @return NTSTATUS Successful or errant status. + */ NTSYSCALLAPI NTSTATUS NTAPI @@ -252,6 +411,14 @@ NtSaveKeyEx( _In_ ULONG Format ); +/** + * Merges two registry keys and saves the result to a file. + * + * @param HighPrecedenceKeyHandle Handle to the high precedence registry key. + * @param LowPrecedenceKeyHandle Handle to the low precedence registry key. + * @param FileHandle Handle to the file where the merged key will be saved. + * @return NTSTATUS Successful or errant status. + */ NTSYSCALLAPI NTSTATUS NTAPI @@ -261,6 +428,14 @@ NtSaveMergedKeys( _In_ HANDLE FileHandle ); +/** + * Restores a registry key from a file. + * + * @param KeyHandle Handle to the registry key. + * @param FileHandle Handle to the file from which the key will be restored. + * @param Flags Flags for the restore operation. + * @return NTSTATUS Successful or errant status. + */ NTSYSCALLAPI NTSTATUS NTAPI @@ -270,6 +445,12 @@ NtRestoreKey( _In_ ULONG Flags ); +/** + * Unloads a registry key. + * + * @param TargetKey Pointer to the object attributes of the target key. + * @return NTSTATUS Successful or errant status. + */ NTSYSCALLAPI NTSTATUS NTAPI 
@@ -277,12 +458,14 @@ NtUnloadKey( _In_ POBJECT_ATTRIBUTES TargetKey ); -// -// NtUnloadKey2 Flags (from winnt.h) -// -//#define REG_FORCE_UNLOAD 1 -//#define REG_UNLOAD_LEGAL_FLAGS (REG_FORCE_UNLOAD) - +/** + * Unloads a registry key with additional flags. + * + * @param TargetKey Pointer to the object attributes of the target key. + * @param Flags Flags for the unload operation. + * @return NTSTATUS Successful or errant status. + * @remarks Valid flags are REG_FORCE_UNLOAD and REG_UNLOAD_LEGAL_FLAGS. + */ NTSYSCALLAPI NTSTATUS NTAPI @@ -291,6 +474,13 @@ NtUnloadKey2( _In_ ULONG Flags ); +/** + * Unloads a registry key and optionally signals an event. + * + * @param TargetKey Pointer to the object attributes of the target key. + * @param Event Optional handle to an event to be signaled. + * @return NTSTATUS Successful or errant status. + */ NTSYSCALLAPI NTSTATUS NTAPI @@ -299,6 +489,21 @@ NtUnloadKeyEx( _In_opt_ HANDLE Event ); +/** + * Notifies of changes to a registry key. + * + * @param KeyHandle Handle to the registry key. + * @param Event Optional handle to an event to be signaled. + * @param ApcRoutine Optional APC routine to be called. + * @param ApcContext Optional context for the APC routine. + * @param IoStatusBlock Pointer to an IO status block. + * @param CompletionFilter Filter for the types of changes to notify. + * @param WatchTree Whether to watch the entire tree. + * @param Buffer Optional buffer for change data. + * @param BufferSize Size of the buffer. + * @param Asynchronous Whether the operation is asynchronous. + * @return NTSTATUS Successful or errant status. + */ NTSYSCALLAPI NTSTATUS NTAPI 
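Review bot: The new `@remarks Valid flags are REG_FORCE_UNLOAD and REG_UNLOAD_LEGAL_FLAGS.` on `NtUnloadKey2` lists the mask as if it were a second flag. The lines this hunk removes show `REG_UNLOAD_LEGAL_FLAGS` defined as `(REG_FORCE_UNLOAD)`, that is, the set of accepted bits rather than a value to pass on its own. Suggested wording: `@remarks The only bit in REG_UNLOAD_LEGAL_FLAGS is REG_FORCE_UNLOAD (both from winnt.h).` That also keeps the "from winnt.h" provenance the removed comment had.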
@@ -315,6 +520,23 @@ NtNotifyChangeKey( _In_ BOOLEAN Asynchronous ); +/** + * Requests notification when a registry key or any of its subkeys changes. + * + * @param MasterKeyHandle A handle to an open key. The handle must be opened with the KEY_NOTIFY access right. + * @param Count The number of subkeys under the key specified by the MasterKeyHandle parameter. + * @param SubordinateObjects Pointer to an array of OBJECT_ATTRIBUTES structures, one for each subkey. This array can contain one OBJECT_ATTRIBUTES structure. + * @param Event A handle to an event created by the caller. If Event is not NULL, the caller waits until the operation succeeds, at which time the event is signaled. + * @param ApcRoutine A pointer to an asynchronous procedure call (APC) function supplied by the caller. If ApcRoutine is not NULL, the specified APC function executes after the operation completes. + * @param ApcContext A pointer to a context supplied by the caller for its APC function. This value is passed to the APC function when it is executed. The Asynchronous parameter must be TRUE. If ApcContext is specified, the Event parameter must be NULL. + * @param IoStatusBlock A pointer to an IO_STATUS_BLOCK structure that contains the final status and information about the operation. For successful calls that return data, the number of bytes written to the Buffer parameter is supplied in the Information member of the IO_STATUS_BLOCK structure. + * @param CompletionFilter A bitmap of operations that trigger notification. This parameter can be one or more of the following flags. REG_NOTIFY_CHANGE_NAME, REG_NOTIFY_CHANGE_ATTRIBUTES, REG_NOTIFY_CHANGE_LAST_SET, REG_NOTIFY_CHANGE_SECURITY. + * @param WatchTree If this parameter is TRUE, the caller is notified about changes to all subkeys of the specified key. If this parameter is FALSE, the caller is notified only about changes to the specified key. + * @param Buffer Reserved for system use. This parameter must be NULL. 
+ * @param BufferSize Reserved for system use. This parameter must be zero. + * @param Asynchronous Whether the operation is asynchronous. + * @return NTSTATUS Successful or errant status. + */ NTSYSCALLAPI NTSTATUS NTAPI @@ -333,6 +555,13 @@ NtNotifyChangeMultipleKeys( _In_ BOOLEAN Asynchronous ); +/** + * Queries the number of open subkeys of a registry key. + * + * @param TargetKey Pointer to the object attributes of the target key. + * @param HandleCount Pointer to a variable to receive the handle count. + * @return NTSTATUS Successful or errant status. + */ NTSYSCALLAPI NTSTATUS NTAPI @@ -341,6 +570,16 @@ NtQueryOpenSubKeys( _Out_ PULONG HandleCount ); +/** + * Queries the open subkeys of a registry key with additional information. + * + * @param TargetKey Pointer to the object attributes of the target key. + * @param BufferLength Length of the buffer. + * @param Buffer Optional buffer to receive the subkey information. + * @param RequiredSize Pointer to a variable to receive the required size. + * @return NTSTATUS Successful or errant status. + * @remarks Returns an array of KEY_OPEN_SUBKEYS_INFORMATION structures. + */ NTSYSCALLAPI NTSTATUS NTAPI @@ -351,6 +590,12 @@ NtQueryOpenSubKeysEx( _Out_ PULONG RequiredSize ); +/** + * Locks the registry key and prevents changes from being written to disk. + * + * @param KeyHandle Handle to the registry key. + * @return NTSTATUS Successful or errant status. + */ NTSYSCALLAPI NTSTATUS NTAPI @@ -358,6 +603,13 @@ NtLockRegistryKey( _In_ HANDLE KeyHandle ); +/** + * Locks the product activation keys. + * + * @param pPrivateVer Optional pointer to a private version variable. + * @param pSafeMode Optional pointer to a safe mode variable. + * @return NTSTATUS Successful or errant status. + */ NTSYSCALLAPI NTSTATUS NTAPI 
@@ -366,6 +618,12 @@ NtLockProductActivationKeys( _Out_opt_ ULONG *pSafeMode ); +/** + * Freezes the registry and prevents changes from being flushed to disk. + * + * @param TimeOutInSeconds Timeout in seconds. + * @return NTSTATUS Successful or errant status. + */ NTSYSCALLAPI NTSTATUS NTAPI @@ -373,6 +631,11 @@ NtFreezeRegistry( _In_ ULONG TimeOutInSeconds ); +/** + * Thaws the registry and enables flushing changes to disk. + * + * @return NTSTATUS Successful or errant status. + */ NTSYSCALLAPI NTSTATUS NTAPI 
@@ -381,34 +644,65 @@ NtThawRegistry( ); #if (NTDDI_VERSION >= NTDDI_WIN10_RS1) -NTSTATUS NtCreateRegistryTransaction( + +/** + * Creates a registry transaction. + * + * @param RegistryTransactionHandle Pointer to a variable to receive the handle. + * @param DesiredAccess Desired access mask. + * @param ObjAttributes Optional pointer to object attributes. + * @param CreateOptions Reserved for future use. + * @return NTSTATUS Successful or errant status. + */ +NTSTATUS +NTAPI +NtCreateRegistryTransaction( _Out_ HANDLE *RegistryTransactionHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjAttributes, - _Reserved_ ULONG CreateOptions - ); -#endif + _Reserved_ ULONG CreateOptions); -#if (NTDDI_VERSION >= NTDDI_WIN10_RS1) -NTSTATUS NtOpenRegistryTransaction( +/** + * Opens a registry transaction. + * + * @param RegistryTransactionHandle Pointer to a variable to receive the handle. + * @param DesiredAccess Desired access mask. + * @param ObjAttributes Pointer to object attributes. + * @return NTSTATUS Successful or errant status. + */ +NTSTATUS +NTAPI +NtOpenRegistryTransaction( _Out_ HANDLE *RegistryTransactionHandle, _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjAttributes - ); -#endif + _In_ POBJECT_ATTRIBUTES ObjAttributes); -#if (NTDDI_VERSION >= NTDDI_WIN10_RS1) -NTSTATUS NtCommitRegistryTransaction( +/** + * Commits a registry transaction. + * + * @param RegistryTransactionHandle Handle to the registry transaction. + * @param Flags Reserved for future use. + * @return NTSTATUS Successful or errant status. + */ +NTSTATUS +NTAPI +NtCommitRegistryTransaction( _In_ HANDLE RegistryTransactionHandle, - _Reserved_ ULONG Flags - ); -#endif + _Reserved_ ULONG Flags); -#if (NTDDI_VERSION >= NTDDI_WIN10_RS1) -NTSTATUS NtRollbackRegistryTransaction( +/** + * Rolls back a registry transaction. + * + * @param RegistryTransactionHandle Handle to the registry transaction. + * @param Flags Reserved for future use. 
+ * @return NTSTATUS Successful or errant status. + */ +NTSTATUS +NTAPI +NtRollbackRegistryTransaction( _In_ HANDLE RegistryTransactionHandle, - _Reserved_ ULONG Flags - ); + _Reserved_ ULONG Flags); + #endif EXTERN_C_END diff --git a/Source/Include/KNSoft/NDK/NT/Cm/RegInfo.h b/Source/Include/KNSoft/NDK/NT/Cm/RegInfo.h index 6a4f76d..2ae52f3 100644 --- a/Source/Include/KNSoft/NDK/NT/Cm/RegInfo.h +++ b/Source/Include/KNSoft/NDK/NT/Cm/RegInfo.h 
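Review bot: The four registry-transaction prototypes (`NtCreateRegistryTransaction`, `NtOpenRegistryTransaction`, `NtCommitRegistryTransaction`, `NtRollbackRegistryTransaction`) gain `NTAPI` here but still lack `NTSYSCALLAPI`, unlike every other declaration visible in this file. Adding the calling convention is the important half, since without it a 32-bit build would presumably call these with the wrong convention; the missing linkage macro is a consistency gap, so each should start with `NTSYSCALLAPI` on its own line above `NTSTATUS`. They also close with `);` on the last parameter line, where the rest of the header puts the closing parenthesis on a separate line.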
@@ -89,22 +89,61 @@ typedef struct _KEY_FLAGS_INFORMATION ULONG ControlFlags; // REG_KEY_* } KEY_FLAGS_INFORMATION, *PKEY_FLAGS_INFORMATION; +/** + * The KEY_VIRTUALIZATION_INFORMATION structure contains information about the virtualization state of a key. + * + * The flags include: + * - VirtualizationCandidate: The key is part of the virtualization namespace scope (only HKLM\Software for now). + * - VirtualizationEnabled: Virtualization is enabled on this key. Can be 1 only if VirtualizationCandidate is 1. + * - VirtualTarget: The key is a virtual key. Can be 1 only if VirtualizationCandidate and VirtualizationEnabled are 0. Valid only on the virtual store key handles. + * - VirtualStore: The key is a part of the virtual store path. Valid only on the virtual store key handles. + * - VirtualSource: The key has ever been virtualized, can be 1 only if VirtualizationCandidate is 1. + * - Reserved: Reserved bits. + */ typedef struct _KEY_VIRTUALIZATION_INFORMATION { - ULONG VirtualizationCandidate : 1; // Tells whether the key is part of the virtualization namespace scope (only HKLM\Software for now). - ULONG VirtualizationEnabled : 1; // Tells whether virtualization is enabled on this key. Can be 1 only if above flag is 1. - ULONG VirtualTarget : 1; // Tells if the key is a virtual key. Can be 1 only if above 2 are 0. Valid only on the virtual store key handles. - ULONG VirtualStore : 1; // Tells if the key is a part of the virtual store path. Valid only on the virtual store key handles. - ULONG VirtualSource : 1; // Tells if the key has ever been virtualized, can be 1 only if VirtualizationCandidate is 1. + ULONG VirtualizationCandidate : 1; + ULONG VirtualizationEnabled : 1; + ULONG VirtualTarget : 1; + ULONG VirtualStore : 1; + ULONG VirtualSource : 1; ULONG Reserved : 27; } KEY_VIRTUALIZATION_INFORMATION, *PKEY_VIRTUALIZATION_INFORMATION; +// private +/** + * The KEY_TRUST_INFORMATION structure contains information about the trust status of a key. 
+ * + * The flags include: + * - TrustedKey: Indicates whether the key is trusted. When set, this flag signifies that the key is considered + * to be secure and reliable. + * - Reserved: Reserved bits. + */ typedef struct _KEY_TRUST_INFORMATION { ULONG TrustedKey : 1; ULONG Reserved : 31; } KEY_TRUST_INFORMATION, *PKEY_TRUST_INFORMATION; +// private +/** + * The KEY_LAYER_INFORMATION structure contains information about a key layer. + * + * The flags include: + * - IsTombstone: Indicates whether the key layer is a tombstone. A tombstone is a marker that indicates + * that the key has been deleted but not yet purged from the registry. It is used to maintain the + * integrity of the registry and ensure that deleted keys are not immediately reused. + * - IsSupersedeLocal: Indicates whether the key layer supersedes the local key. When set, this flag + * indicates that the key layer should replace the local key's information, effectively overriding + * any local changes or settings. + * - IsSupersedeTree: Indicates whether the key layer supersedes the entire key tree. When set, this flag + * indicates that the key layer should replace the entire subtree of keys, overriding any changes or + * settings in the subtree. + * - ClassIsInherited: Indicates whether the key layer's class is inherited. When set, this flag indicates + * that the class information of the key layer is inherited from its parent key, rather than being + * explicitly defined. + * - Reserved: Reserved bits. + */ typedef struct _KEY_LAYER_INFORMATION { ULONG IsTombstone : 1; 
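Review bot: The new comment on `KEY_TRUST_INFORMATION` says `TrustedKey` "signifies that the key is considered to be secure and reliable", but the structure is marked `// private` and nothing in the patch shows where that meaning comes from. A caller could take this as grounds for a trust decision, so unless the semantics are confirmed the line should be hedged, for example `- TrustedKey: Meaning not documented; do not base security decisions on it.`. The tombstone and supersede explanations on `KEY_LAYER_INFORMATION`, and the identical block on `KEY_SET_LAYER_INFORMATION` in the next hunk, also read as inferred from the field names and deserve the same treatment. The body of `KEY_LAYER_INFORMATION` continues outside the hunk.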
@@ -126,21 +165,59 @@ typedef enum _KEY_SET_INFORMATION_CLASS MaxKeySetInfoClass } KEY_SET_INFORMATION_CLASS; +/** + * Structure representing the last write time of a registry key. + * + * The values include: + * - LastWriteTime: Contains the timestamp of the last write operation performed on a registry key. + */ typedef struct _KEY_WRITE_TIME_INFORMATION { LARGE_INTEGER LastWriteTime; } KEY_WRITE_TIME_INFORMATION, *PKEY_WRITE_TIME_INFORMATION; +/** + * The KEY_WOW64_FLAGS_INFORMATION structure contains information about the WOW64 flags for a key. + * + * The fields include: + * - UserFlags: A set of user-defined flags associated with the key. These flags are used to store + * additional information about the key in the context of WOW64 (Windows 32-bit on Windows 64-bit). + */ typedef struct _KEY_WOW64_FLAGS_INFORMATION { ULONG UserFlags; } KEY_WOW64_FLAGS_INFORMATION, *PKEY_WOW64_FLAGS_INFORMATION; +/** + * The KEY_HANDLE_TAGS_INFORMATION structure contains information about the handle tags for a key. + * + * The fields include: + * - HandleTags: A set of tags associated with the key handle. These tags are used to store additional + * metadata or state information about the key handle. + */ typedef struct _KEY_HANDLE_TAGS_INFORMATION { ULONG HandleTags; } KEY_HANDLE_TAGS_INFORMATION, *PKEY_HANDLE_TAGS_INFORMATION; +/** + * The KEY_SET_LAYER_INFORMATION structure contains information about a key layer. + * + * The flags include: + * - IsTombstone: Indicates whether the key layer is a tombstone. A tombstone is a marker that indicates + * that the key has been deleted but not yet purged from the registry. It is used to maintain the + * integrity of the registry and ensure that deleted keys are not immediately reused. + * - IsSupersedeLocal: Indicates whether the key layer supersedes the local key. When set, this flag + * indicates that the key layer should replace the local key's information, effectively overriding + * any local changes or settings. 
+ * - IsSupersedeTree: Indicates whether the key layer supersedes the entire key tree. When set, this flag + * indicates that the key layer should replace the entire subtree of keys, overriding any changes or + * settings in the subtree. + * - ClassIsInherited: Indicates whether the key layer's class is inherited. When set, this flag indicates + * that the class information of the key layer is inherited from its parent key, rather than being + * explicitly defined. + * - Reserved: Reserved bits. + */ typedef struct _KEY_SET_LAYER_INFORMATION { ULONG IsTombstone : 1; @@ -150,6 +227,13 @@ typedef struct _KEY_SET_LAYER_INFORMATION ULONG Reserved : 28; } KEY_SET_LAYER_INFORMATION, *PKEY_SET_LAYER_INFORMATION; +/** + * The KEY_CONTROL_FLAGS_INFORMATION structure contains control flags for a key. + * + * The fields include: + * - ControlFlags: A set of control flags associated with the key. These flags are used to store + * additional control information about the key, which can affect its behavior or state. + */ typedef struct _KEY_CONTROL_FLAGS_INFORMATION { ULONG ControlFlags; 
@@ -250,18 +334,16 @@ typedef struct _KEY_OPEN_SUBKEYS_INFORMATION _Field_size_(Count) KEY_PID_ARRAY KeyArray[ANYSIZE_ARRAY]; } KEY_OPEN_SUBKEYS_INFORMATION, *PKEY_OPEN_SUBKEYS_INFORMATION; -NTSYSCALLAPI -NTSTATUS -NTAPI -NtQueryMultipleValueKey( - _In_ HANDLE KeyHandle, - _Inout_updates_(EntryCount) PKEY_VALUE_ENTRY ValueEntries, - _In_ ULONG EntryCount, - _Out_writes_bytes_(*BufferLength) PVOID ValueBuffer, - _Inout_ PULONG BufferLength, - _Out_opt_ PULONG RequiredBufferLength - ); - +/** + * Queries information about a registry key. + * + * @param[in] KeyHandle A handle to the key to be queried. + * @param[in] KeyInformationClass The type of information to be queried. + * @param[out] KeyInformation A pointer to a buffer that receives the key information. + * @param[in] Length The size of the buffer. + * @param[out] ResultLength A pointer to a variable that receives the size of the data returned. + * @return NTSTATUS The status of the operation. + */ NTSYSCALLAPI NTSTATUS NTAPI @@ -273,6 +355,15 @@ NtQueryKey( _Out_ PULONG ResultLength ); +/** + * Sets information for a registry key. + * + * @param[in] KeyHandle A handle to the key to be modified. + * @param[in] KeySetInformationClass The type of information to be set. + * @param[in] KeySetInformation A pointer to a buffer that contains the key information. + * @param[in] KeySetInformationLength The size of the buffer. + * @return NTSTATUS The status of the operation. + */ NTSYSCALLAPI NTSTATUS NTAPI 
@@ -283,6 +374,17 @@ NtSetInformationKey( _In_ ULONG KeySetInformationLength ); +/** + * Queries the value of a registry key. + * + * @param[in] KeyHandle A handle to the key to be queried. + * @param[in] ValueName A pointer to a UNICODE_STRING structure that specifies the name of the value to be queried. + * @param[in] KeyValueInformationClass The type of information to be queried. + * @param[out] KeyValueInformation A pointer to a buffer that receives the value information. + * @param[in] Length The size of the buffer. + * @param[out] ResultLength A pointer to a variable that receives the size of the data returned. + * @return NTSTATUS The status of the operation. + */ NTSYSCALLAPI NTSTATUS NTAPI 
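Review bot: The new `NtQueryValueKey` comment describes `Length` and `ResultLength` only as "the size", with no units and no word on the short-buffer case, which is the part callers get wrong. I would add to the block: `Length and *ResultLength are byte counts; on STATUS_BUFFER_OVERFLOW or STATUS_BUFFER_TOO_SMALL, *ResultLength receives the size required.` and `The data is returned as stored; a REG_SZ value is not guaranteed to be NUL-terminated, so bound every read by the returned length.` The same wording applies to the `NtQueryKey`, `NtEnumerateKey` and `NtEnumerateValueKey` comments added in the neighbouring hunks. The prototype itself lies outside the hunk.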
@@ -295,6 +397,63 @@ NtQueryValueKey( _Out_ PULONG ResultLength ); +/** + * Sets the value of a registry key. + * + * @param[in] KeyHandle A handle to the key to be modified. + * @param[in] ValueName A pointer to a UNICODE_STRING structure that specifies the name of the value to be set. + * @param[in, optional] TitleIndex Reserved. + * @param[in] Type The type of the value. + * @param[in] Data A pointer to a buffer that contains the value data. + * @param[in] DataSize The size of the buffer. + * @return NTSTATUS The status of the operation. + */ +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetValueKey( + _In_ HANDLE KeyHandle, + _In_ PUNICODE_STRING ValueName, + _In_opt_ ULONG TitleIndex, + _In_ ULONG Type, + _In_reads_bytes_opt_(DataSize) PVOID Data, + _In_ ULONG DataSize + ); + +/** + * Queries multiple values of a registry key. + * + * @param[in] KeyHandle A handle to the key to be queried. + * @param[in, out] ValueEntries A pointer to an array of KEY_VALUE_ENTRY structures that specify the values to be queried. + * @param[in] EntryCount The number of entries in the array. + * @param[out] ValueBuffer A pointer to a buffer that receives the value data. + * @param[in, out] BufferLength A pointer to a variable that specifies the size of the buffer and receives the size of the data returned. + * @param[out, optional] RequiredBufferLength A pointer to a variable that receives the size of the buffer required to hold the data. + * @return NTSTATUS The status of the operation. + */ +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryMultipleValueKey( + _In_ HANDLE KeyHandle, + _Inout_updates_(EntryCount) PKEY_VALUE_ENTRY ValueEntries, + _In_ ULONG EntryCount, + _Out_writes_bytes_(*BufferLength) PVOID ValueBuffer, + _Inout_ PULONG BufferLength, + _Out_opt_ PULONG RequiredBufferLength + ); + +/** + * Enumerates the subkeys of a registry key. + * + * @param[in] KeyHandle A handle to the key to be enumerated. + * @param[in] Index The index of the subkey to be enumerated. 
+ * @param[in] KeyInformationClass The type of information to be queried. + * @param[out] KeyInformation A pointer to a buffer that receives the key information. + * @param[in] Length The size of the buffer. + * @param[out] ResultLength A pointer to a variable that receives the size of the data returned. + * @return NTSTATUS The status of the operation. + */ NTSYSCALLAPI NTSTATUS NTAPI @@ -307,6 +466,17 @@ NtEnumerateKey( _Out_ PULONG ResultLength ); +/** + * Enumerates the values of a registry key. + * + * @param[in] KeyHandle A handle to the key to be enumerated. + * @param[in] Index The index of the value to be enumerated. + * @param[in] KeyValueInformationClass The type of information to be queried. + * @param[out] KeyValueInformation A pointer to a buffer that receives the value information. + * @param[in] Length The size of the buffer. + * @param[out] ResultLength A pointer to a variable that receives the size of the data returned. + * @return NTSTATUS The status of the operation. + */ NTSYSCALLAPI NTSTATUS NTAPI diff --git a/Source/Include/KNSoft/NDK/NT/Cm/VReg.h b/Source/Include/KNSoft/NDK/NT/Cm/VReg.h index 45f1f03..a48bc18 100644 --- a/Source/Include/KNSoft/NDK/NT/Cm/VReg.h +++ b/Source/Include/KNSoft/NDK/NT/Cm/VReg.h @@ -6,7 +6,9 @@ EXTERN_C_START /* phnt */ -// Differencing registry & virtualization // since REDSTONE +// +// Virtualization // since REDSTONE +// // rev #define VR_DEVICE_NAME L"\\Device\\VRegDriver" @@ -40,9 +42,9 @@ typedef struct _VR_LOAD_DIFFERENCING_HIVE ULONG NextLayerIsHost; ULONG Flags; // VR_FLAG_* ULONG LoadFlags; // NtLoadKeyEx flags - WORD KeyPathLength; - WORD HivePathLength; - WORD NextLayerKeyPathLength; + USHORT KeyPathLength; + USHORT HivePathLength; + USHORT NextLayerKeyPathLength; HANDLE FileAccessToken; // since 20H1 WCHAR Strings[ANYSIZE_ARRAY]; // ... 
@@ -55,8 +57,8 @@ typedef struct _VR_LOAD_DIFFERENCING_HIVE typedef struct _VR_CREATE_NAMESPACE_NODE { HANDLE Job; - WORD ContainerPathLength; - WORD HostPathLength; + USHORT ContainerPathLength; + USHORT HostPathLength; ULONG Flags; ACCESS_MASK AccessMask; // since 20H1 WCHAR Strings[ANYSIZE_ARRAY]; @@ -77,8 +79,8 @@ typedef struct _VR_MODIFY_FLAGS typedef struct _NAMESPACE_NODE_DATA { ACCESS_MASK AccessMask; - WORD ContainerPathLength; - WORD HostPathLength; + USHORT ContainerPathLength; + USHORT HostPathLength; ULONG Flags; WCHAR Strings[ANYSIZE_ARRAY]; // ... @@ -123,9 +125,9 @@ typedef struct _VR_LOAD_DIFFERENCING_HIVE_FOR_HOST { ULONG LoadFlags; // NtLoadKeyEx flags ULONG Flags; // VR_FLAG_* // since REDSTONE2 - WORD KeyPathLength; - WORD HivePathLength; - WORD NextLayerKeyPathLength; + USHORT KeyPathLength; + USHORT HivePathLength; + USHORT NextLayerKeyPathLength; HANDLE FileAccessToken; // since 20H1 WCHAR Strings[ANYSIZE_ARRAY]; // ... @@ -138,7 +140,7 @@ typedef struct _VR_LOAD_DIFFERENCING_HIVE_FOR_HOST typedef struct _VR_UNLOAD_DIFFERENCING_HIVE_FOR_HOST { ULONG Reserved; - WORD TargetKeyPathLength; + USHORT TargetKeyPathLength; WCHAR TargetKeyPath[ANYSIZE_ARRAY]; } VR_UNLOAD_DIFFERENCING_HIVE_FOR_HOST, *PVR_UNLOAD_DIFFERENCING_HIVE_FOR_HOST; diff --git a/Source/Include/KNSoft/NDK/NT/Etw.h b/Source/Include/KNSoft/NDK/NT/Etw.h index 278f844..360d360 100644 --- a/Source/Include/KNSoft/NDK/NT/Etw.h +++ b/Source/Include/KNSoft/NDK/NT/Etw.h @@ -1694,7 +1694,7 @@ PerfIsGroupOnInGroupMask( // // Data structure used for WMI Kernel Events // -// **NB** the hardware events are described in software traceing, if they +// **NB** the hardware events are described in software tracing, if they // change in layout please update sdktools\trace\tracefmt\default.tmf diff --git a/Source/Include/KNSoft/NDK/NT/Ex/Misc.h b/Source/Include/KNSoft/NDK/NT/Ex/Misc.h index 743d97f..062c69d 100644 --- a/Source/Include/KNSoft/NDK/NT/Ex/Misc.h 
+++ b/Source/Include/KNSoft/NDK/NT/Ex/Misc.h @@ -118,7 +118,7 @@ NtSetDefaultHardErrorPort( #define FLG_DISABLE_DBGPRINT 0x08000000 // k #define FLG_CRITSEC_EVENT_CREATION 0x10000000 // u -#define FLG_STOP_ON_UNHANDLED_EXCEPTION 0x20000000 // u,64 +#define FLG_LDR_TOP_DOWN 0x20000000 // u,64 #define FLG_ENABLE_HANDLE_EXCEPTIONS 0x40000000 // k #define FLG_DISABLE_PROTDLLS 0x80000000 // u diff --git a/Source/Include/KNSoft/NDK/NT/Ex/SharedData.h b/Source/Include/KNSoft/NDK/NT/Ex/SharedData.h index 000106d..ef950db 100644 --- a/Source/Include/KNSoft/NDK/NT/Ex/SharedData.h +++ b/Source/Include/KNSoft/NDK/NT/Ex/SharedData.h @@ -327,7 +327,7 @@ typedef struct _KUSER_SHARED_DATA // // This field indicates the status of the 64-bit COM+ package on the - // system. It indicates whether the Itermediate Language (IL) COM+ + // system. It indicates whether the Intermediate Language (IL) COM+ // images need to use the 64-bit COM+ runtime or the 32-bit COM+ runtime. // ULONG ComPlusPackage; diff --git a/Source/Include/KNSoft/NDK/NT/Ex/SysInfo.h b/Source/Include/KNSoft/NDK/NT/Ex/SysInfo.h index b0a2132..731e018 100644 --- a/Source/Include/KNSoft/NDK/NT/Ex/SysInfo.h +++ b/Source/Include/KNSoft/NDK/NT/Ex/SysInfo.h @@ -288,7 +288,7 @@ typedef struct _SYSTEM_PROCESSOR_INFORMATION ULONG ProcessorFeatureBits; } SYSTEM_PROCESSOR_INFORMATION, *PSYSTEM_PROCESSOR_INFORMATION; -// ProcessorFeatureBits // ksamd64 +// SYSTEM_PROCESSOR_INFORMATION // ProcessorFeatureBits // ksamd64 #define KF_RDTSC 0x0000000000000002 #define KF_CR4 0x0000000000000004 #define KF_GLOBAL_PAGE 0x0000000000000010 
@@ -1300,6 +1300,14 @@ typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT UCHAR PercentFrequency; } SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT, *PSYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT; +// private (Windows 8.1 and above) +typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION +{ + ULONG ProcessorNumber; + ULONG StateCount; + _Field_size_(StateCount) SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT States[1]; +} SYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION, *PSYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION; + // private (Windows 7 and Windows 8) typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8 { @@ -1307,13 +1315,13 @@ typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8 UCHAR PercentFrequency; } SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8, *PSYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8; -// private -typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION +// private (Windows 7 and Windows 8) +typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION_WIN8 { ULONG ProcessorNumber; ULONG StateCount; - _Field_size_(StateCount) SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT States[1]; -} SYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION, *PSYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION; + _Field_size_(StateCount) SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8 States[1]; +} SYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION_WIN8, *PSYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION_WIN8; // private typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION diff --git a/Source/Include/KNSoft/NDK/NT/Extension/Runtime.h b/Source/Include/KNSoft/NDK/NT/Extension/Runtime.h index 87b8e53..f182975 100644 --- a/Source/Include/KNSoft/NDK/NT/Extension/Runtime.h +++ b/Source/Include/KNSoft/NDK/NT/Extension/Runtime.h @@ -3,6 +3,10 @@ #include "../MinDef.h" #include "../Rtl/Process/Process.h" +#if _MSC_FULL_VER >= 193933428 +#define FIELD_TYPE(type, field) __typeof__(((type*)NULL)->field) +#endif + #pragma region TEB Fast Access #if defined(_M_X64) 
@@ -91,7 +95,11 @@ FORCEINLINE ULONG NtGetLastError(VOID) { - return (ULONG)ReadTeb(LastErrorValue); + ULONG Error; + + Error = (ULONG)ReadTeb(LastErrorValue); + _Analysis_assume_(Error > 0); + return Error; } #define NtSetLastError(Error) WriteTeb(LastErrorValue, Error) @@ -139,8 +147,6 @@ NtGetLastStatus(VOID) #pragma endregion -#pragma region Context - #if defined(_M_IX86) #define CONTEXT_PC Eip #elif defined(_M_X64) @@ -149,6 +155,14 @@ NtGetLastStatus(VOID) #define CONTEXT_PC Pc #endif -#pragma endregion +typedef +_Function_class_(RUNDLL32_ENTRY_FN) +VOID +CALLBACK +RUNDLL32_ENTRY_FN( + _In_ HWND hWnd, + _In_ HINSTANCE hInst, + _In_ LPSTR lpszCmdLine, + _In_ int nCmdShow); #define CPU_CACHE_LINE_SIZE 64 diff --git a/Source/Include/KNSoft/NDK/NT/Io/Misc.h b/Source/Include/KNSoft/NDK/NT/Io/Misc.h index c685ad1..7ca001b 100644 --- a/Source/Include/KNSoft/NDK/NT/Io/Misc.h +++ b/Source/Include/KNSoft/NDK/NT/Io/Misc.h 
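Review bot: `_Analysis_assume_(Error > 0)` in `NtGetLastError` tells the static analyzer that the last-error value is never zero, yet the function returns whatever `ReadTeb(LastErrorValue)` holds, and zero is the ordinary success value. Because the function is `FORCEINLINE`, the assumption reaches every caller, so the analyzer stops examining the `Error == 0` path and can hide real findings there. I would drop the annotation and keep the original `return (ULONG)ReadTeb(LastErrorValue);`, placing any such assumption at call sites that have just observed a failure.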
@@ -306,4 +306,144 @@ typedef enum _BUS_DATA_TYPE MaximumBusDataType } BUS_DATA_TYPE, *PBUS_DATA_TYPE; +// Filter manager + +// rev +#define FLT_SYMLINK_NAME L"\\Global??\\FltMgr" +#define FLT_MSG_SYMLINK_NAME L"\\Global??\\FltMgrMsg" +#define FLT_DEVICE_NAME L"\\FileSystem\\Filters\\FltMgr" +#define FLT_MSG_DEVICE_NAME L"\\FileSystem\\Filters\\FltMgrMsg" + +// private +typedef struct _FLT_CONNECT_CONTEXT +{ + PUNICODE_STRING PortName; + PUNICODE_STRING64 PortName64; + USHORT SizeOfContext; + UCHAR Padding[6]; // unused + _Field_size_bytes_(SizeOfContext) UCHAR Context[ANYSIZE_ARRAY]; +} FLT_CONNECT_CONTEXT, *PFLT_CONNECT_CONTEXT; + +// rev +#define FLT_PORT_EA_NAME "FLTPORT" +#define FLT_PORT_CONTEXT_MAX 0xFFE8 + +// combined FILE_FULL_EA_INFORMATION and FLT_CONNECT_CONTEXT +typedef struct _FLT_PORT_FULL_EA +{ + ULONG NextEntryOffset; // 0 + UCHAR Flags; // 0 + UCHAR EaNameLength; // sizeof(FLT_PORT_EA_NAME) - sizeof(ANSI_NULL) + USHORT EaValueLength; // RTL_SIZEOF_THROUGH_FIELD(FLT_CONNECT_CONTEXT, Padding) + SizeOfContext + CHAR EaName[8]; // FLTPORT\0 + FLT_CONNECT_CONTEXT EaValue; +} FLT_PORT_FULL_EA, *PFLT_PORT_FULL_EA; + +#define FLT_PORT_FULL_EA_SIZE \ + (sizeof(FILE_FULL_EA_INFORMATION) + (sizeof(FLT_PORT_EA_NAME) - sizeof(ANSI_NULL))) +#define FLT_PORT_FULL_EA_VALUE_SIZE \ + RTL_SIZEOF_THROUGH_FIELD(FLT_CONNECT_CONTEXT, Padding) + +// begin_rev + +// IOCTLs for unlinked FltMgr handles +#define FLT_CTL_LOAD CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 1, METHOD_BUFFERED, FILE_WRITE_ACCESS) // in: FLT_LOAD_PARAMETERS // requires SeLoadDriverPrivilege +#define FLT_CTL_UNLOAD CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 2, METHOD_BUFFERED, FILE_WRITE_ACCESS) // in: FLT_LOAD_PARAMETERS // requires SeLoadDriverPrivilege +#define FLT_CTL_LINK_HANDLE CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 3, METHOD_BUFFERED, FILE_READ_ACCESS) // in: FLT_LINK // specializes the handle +#define FLT_CTL_ATTACH CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 4, METHOD_BUFFERED, FILE_WRITE_ACCESS) // in: 
FLT_ATTACH +#define FLT_CTL_DETATCH CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 5, METHOD_BUFFERED, FILE_WRITE_ACCESS) // in: FLT_INSTANCE_PARAMETERS + +// IOCTLs for port-specific FltMgrMsg handles (opened using the extended attribute) +#define FLT_CTL_SEND_MESSAGE CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 6, METHOD_NEITHER, FILE_WRITE_ACCESS) // in, out: filter-specific +#define FLT_CTL_GET_MESSAGE CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 7, METHOD_NEITHER, FILE_READ_ACCESS) // out: filter-specific +#define FLT_CTL_REPLY_MESSAGE CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 8, METHOD_NEITHER, FILE_WRITE_ACCESS) // in: filter-specific + +// IOCTLs for linked FltMgr handles; depend on previously used FLT_LINK_TYPE +// +// Find first/next: +// FILTER - enumerates nested instances; in: INSTANCE_INFORMATION_CLASS +// FILTER_VOLUME - enumerates nested instances; in: INSTANCE_INFORMATION_CLASS +// FILTER_MANAGER - enumerates all filters; in: FILTER_INFORMATION_CLASS +// FILTER_MANAGER_VOLUME - enumerates all volumes; in: FILTER_VOLUME_INFORMATION_CLASS +// +// Get information: +// FILTER - queries filter; in: FILTER_INFORMATION_CLASS +// FILTER_INSTANCE - queries instance; in: INSTANCE_INFORMATION_CLASS +// +#define FLT_CTL_FIND_FIRST CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 9, METHOD_BUFFERED, FILE_READ_ACCESS) // in: *_INFORMATION_CLASS, out: *_INFORMATION (from fltUserStructures.h) +#define FLT_CTL_FIND_NEXT CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 10, METHOD_BUFFERED, FILE_READ_ACCESS) // in: *_INFORMATION_CLASS, out: *_INFORMATION (from fltUserStructures.h) +#define FLT_CTL_GET_INFORMATION CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 11, METHOD_BUFFERED, FILE_READ_ACCESS) // in: *_INFORMATION_CLASS, out: *_INFORMATION (from fltUserStructures.h) + +// end_rev + +// private +typedef struct _FLT_LOAD_PARAMETERS +{ + USHORT FilterNameSize; + _Field_size_bytes_(FilterNameSize) WCHAR FilterName[ANYSIZE_ARRAY]; +} FLT_LOAD_PARAMETERS, *PFLT_LOAD_PARAMETERS; + +// private +typedef enum 
_FLT_LINK_TYPE +{ + FILTER = 0, // FLT_FILTER_PARAMETERS + FILTER_INSTANCE = 1, // FLT_INSTANCE_PARAMETERS + FILTER_VOLUME = 2, // FLT_VOLUME_PARAMETERS + FILTER_MANAGER = 3, // nothing + FILTER_MANAGER_VOLUME = 4, // nothing +} FLT_LINK_TYPE, *PFLT_LINK_TYPE; + +// private +typedef struct _FLT_LINK +{ + FLT_LINK_TYPE Type; + ULONG ParametersOffset; // from this struct +} FLT_LINK, *PFLT_LINK; + +// rev +typedef struct _FLT_FILTER_PARAMETERS +{ + USHORT FilterNameSize; + USHORT FilterNameOffset; // to WCHAR[] from this struct +} FLT_FILTER_PARAMETERS, *PFLT_FILTER_PARAMETERS; + +// private +typedef struct _FLT_INSTANCE_PARAMETERS +{ + USHORT FilterNameSize; + USHORT FilterNameOffset; // to WCHAR[] from this struct + USHORT VolumeNameSize; + USHORT VolumeNameOffset; // to WCHAR[] from this struct + USHORT InstanceNameSize; + USHORT InstanceNameOffset; // to WCHAR[] from this struct +} FLT_INSTANCE_PARAMETERS, *PFLT_INSTANCE_PARAMETERS; + +// rev +typedef struct _FLT_VOLUME_PARAMETERS +{ + USHORT VolumeNameSize; + USHORT VolumeNameOffset; // to WCHAR[] from this struct +} FLT_VOLUME_PARAMETERS, *PFLT_VOLUME_PARAMETERS; + +// private +typedef enum _ATTACH_TYPE +{ + AltitudeBased = 0, + InstanceNameBased = 1, +} ATTACH_TYPE, *PATTACH_TYPE; + +// private +typedef struct _FLT_ATTACH +{ + USHORT FilterNameSize; + USHORT FilterNameOffset; // to WCHAR[] from this struct + USHORT VolumeNameSize; + USHORT VolumeNameOffset; // to WCHAR[] from this struct + ATTACH_TYPE Type; + USHORT InstanceNameSize; + USHORT InstanceNameOffset; // to WCHAR[] from this struct + USHORT AltitudeSize; + USHORT AltitudeOffset; // to WCHAR[] from this struct +} FLT_ATTACH, *PFLT_ATTACH; + EXTERN_C_END diff --git a/Source/Include/KNSoft/NDK/NT/Lpc/Alpc.h b/Source/Include/KNSoft/NDK/NT/Lpc/Alpc.h index 50f883b..982d7a0 100644 --- a/Source/Include/KNSoft/NDK/NT/Lpc/Alpc.h +++ b/Source/Include/KNSoft/NDK/NT/Lpc/Alpc.h 
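Review bot: `FLT_PORT_FULL_EA.EaValueLength` is a `USHORT` documented as `RTL_SIZEOF_THROUGH_FIELD(FLT_CONNECT_CONTEXT, Padding) + SizeOfContext`, and with `FLT_PORT_CONTEXT_MAX` at 0xFFE8 that sum reaches 0x10000 when the two pointers in `FLT_CONNECT_CONTEXT` are 8 bytes each, which would wrap to 0. Please state next to `FLT_PORT_CONTEXT_MAX` whether the bound is inclusive and for which pointer width it holds, e.g. `// rev; upper bound for SizeOfContext on 64-bit, exclusive? (TODO confirm)`. `EaName[8]` also hard-codes the length of `FLT_PORT_EA_NAME`; a `C_ASSERT(sizeof(FLT_PORT_EA_NAME) == RTL_FIELD_SIZE(FLT_PORT_FULL_EA, EaName));` after the struct would catch drift. The `*Offset`/`*Size` pairs in `FLT_ATTACH` and the `*_PARAMETERS` structs carry no note that offset plus size must stay inside the buffer, which any code building or parsing them should check.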
@@ -57,10 +57,10 @@ typedef struct _ALPC_PORT_ATTRIBUTES #endif } ALPC_PORT_ATTRIBUTES, *PALPC_PORT_ATTRIBUTES; -#define ALPC_MESSAGE_SECURITY_ATTRIBUTE 0x80000000 -#define ALPC_MESSAGE_VIEW_ATTRIBUTE 0x40000000 -#define ALPC_MESSAGE_CONTEXT_ATTRIBUTE 0x20000000 #define ALPC_MESSAGE_HANDLE_ATTRIBUTE 0x10000000 +#define ALPC_MESSAGE_CONTEXT_ATTRIBUTE 0x20000000 +#define ALPC_MESSAGE_VIEW_ATTRIBUTE 0x40000000 +#define ALPC_MESSAGE_SECURITY_ATTRIBUTE 0x80000000 typedef struct _ALPC_MESSAGE_ATTRIBUTES { @@ -164,7 +164,9 @@ typedef struct _ALPC_SECURITY_ATTR ALPC_HANDLE ContextHandle; // dbg } ALPC_SECURITY_ATTR, *PALPC_SECURITY_ATTR; -#define ALPC_VIEWFLG_NOT_SECURE 0x40000 +#define ALPC_VIEWFLG_UNMAP_EXISTING 0x10000 +#define ALPC_VIEWFLG_AUTO_RELEASE 0x20000 +#define ALPC_VIEWFLG_NOT_SECURE 0x40000 typedef struct _ALPC_DATA_VIEW_ATTR { @@ -521,16 +523,16 @@ ULONG NTAPI AlpcMaxAllowedMessageLength(VOID); +#define ALPC_ATTRFLG_ALLOCATEDATTR 0x20000000 +#define ALPC_ATTRFLG_VALIDATTR 0x40000000 +#define ALPC_ATTRFLG_KEEPRUNNINGATTR 0x60000000 + NTSYSAPI ULONG NTAPI AlpcGetHeaderSize( _In_ ULONG Flags); -#define ALPC_ATTRFLG_ALLOCATEDATTR 0x20000000 -#define ALPC_ATTRFLG_VALIDATTR 0x40000000 -#define ALPC_ATTRFLG_KEEPRUNNINGATTR 0x60000000 - NTSYSAPI NTSTATUS NTAPI diff --git a/Source/Include/KNSoft/NDK/NT/Lpc/Port.h b/Source/Include/KNSoft/NDK/NT/Lpc/Port.h index 58c1a83..0751a45 100644 --- a/Source/Include/KNSoft/NDK/NT/Lpc/Port.h +++ b/Source/Include/KNSoft/NDK/NT/Lpc/Port.h @@ -32,10 +32,10 @@ typedef struct _PORT_DATA_INFORMATION #define LPC_DEBUG_EVENT 8 #define LPC_ERROR_EVENT 9 #define LPC_CONNECTION_REQUEST 10 -#define LPC_CONTINUATION_REQUIRED 0x2000 -#define LPC_KERNELMODE_MESSAGE (CSHORT)0x8000 -#define LPC_NO_IMPERSONATE (CSHORT)0x4000 +#define LPC_CONTINUATION_REQUIRED 0x2000 +#define LPC_NO_IMPERSONATE 0x4000 +#define LPC_KERNELMODE_MESSAGE 0x8000 #define PORT_VALID_OBJECT_ATTRIBUTES OBJ_CASE_INSENSITIVE 
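Review bot: In the Port.h hunk `LPC_KERNELMODE_MESSAGE` and `LPC_NO_IMPERSONATE` lose their `(CSHORT)` casts, which changes type and, for 0x8000, value, unlike the reordering the rest of the hunk does. `(CSHORT)0x8000` is a negative short, so it compared equal to a sign-extended `CSHORT` field with the top bit set; plain `0x8000` is the int 32768, and an equality test such as `Type == (LPC_CONNECTION_REQUEST | LPC_KERNELMODE_MESSAGE)` would no longer match if the message type field is a `CSHORT`, as the old cast suggests. Going by its name, this bit is what marks a message as coming from kernel mode, so I would keep the cast, `#define LPC_KERNELMODE_MESSAGE (CSHORT)0x8000`, or confirm that every user only masks with `&`.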
diff --git a/Source/Include/KNSoft/NDK/NT/MinDef.h b/Source/Include/KNSoft/NDK/NT/MinDef.h index 54b7478..c2af119 100644 --- a/Source/Include/KNSoft/NDK/NT/MinDef.h +++ b/Source/Include/KNSoft/NDK/NT/MinDef.h @@ -9,6 +9,7 @@ #define DBG 1 #endif +/* FIXME: Not sure */ #define NTDDI_WIN10_GE NTDDI_WIN11_ZN #pragma region Define architecture @@ -550,12 +551,6 @@ struct _SINGLE_LIST_ENTRY64 #define BitScanForwardSizeT BitScanForward #endif -/* KNSoft.NDK */ - -#if _MSC_FULL_VER >= 193933428 -#define FIELD_TYPE(type, field) __typeof__(((type*)NULL)->field) -#endif - #pragma endregion #pragma endregion diff --git a/Source/Include/KNSoft/NDK/NT/Mm/Info.h b/Source/Include/KNSoft/NDK/NT/Mm/Info.h index 7a4f3fc..dde5ff8 100644 --- a/Source/Include/KNSoft/NDK/NT/Mm/Info.h +++ b/Source/Include/KNSoft/NDK/NT/Mm/Info.h 
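Review bot: The added `/* FIXME: Not sure */` above `#define NTDDI_WIN10_GE NTDDI_WIN11_ZN` does not say what is uncertain, and this macro presumably feeds `NTDDI_VERSION` guards elsewhere. A wrong alias would expose or hide declarations for the wrong OS release, so the comment should name the doubt, e.g. `/* FIXME: confirm against sdkddkver.h which release NTDDI_WIN10_GE should alias; NTDDI_WIN11_ZN is a guess */`.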
@@ -24,9 +24,44 @@ typedef enum _MEMORY_INFORMATION_CLASS MemoryPhysicalContiguityInformation, // MEMORY_PHYSICAL_CONTIGUITY_INFORMATION // since 20H1 MemoryBadInformation, // since WIN11 MemoryBadInformationAllProcesses, // since 22H1 + MemoryImageExtensionInformation, // MEMORY_IMAGE_EXTENSION_INFORMATION // since 24H2 MaxMemoryInfoClass } MEMORY_INFORMATION_CLASS; +// MEMORY_WORKING_SET_BLOCK->Protection +#define MEMORY_BLOCK_NOT_ACCESSED 0 +#define MEMORY_BLOCK_READONLY 1 +#define MEMORY_BLOCK_EXECUTABLE 2 +#define MEMORY_BLOCK_EXECUTABLE_READONLY 3 +#define MEMORY_BLOCK_READWRITE 4 +#define MEMORY_BLOCK_COPYONWRITE 5 +#define MEMORY_BLOCK_EXECUTABLE_READWRITE 6 +#define MEMORY_BLOCK_EXECUTABLE_COPYONWRITE 7 +#define MEMORY_BLOCK_NOT_ACCESSED_2 8 +#define MEMORY_BLOCK_NON_CACHEABLE_READONLY 9 +#define MEMORY_BLOCK_NON_CACHEABLE_EXECUTABLE 10 +#define MEMORY_BLOCK_NON_CACHEABLE_EXECUTABLE_READONLY 11 +#define MEMORY_BLOCK_NON_CACHEABLE_READWRITE 12 +#define MEMORY_BLOCK_NON_CACHEABLE_COPYONWRITE 13 +#define MEMORY_BLOCK_NON_CACHEABLE_EXECUTABLE_READWRITE 14 +#define MEMORY_BLOCK_NON_CACHEABLE_EXECUTABLE_COPYONWRITE 15 +#define MEMORY_BLOCK_NOT_ACCESSED_3 16 +#define MEMORY_BLOCK_GUARD_READONLY 17 +#define MEMORY_BLOCK_GUARD_EXECUTABLE 18 +#define MEMORY_BLOCK_GUARD_EXECUTABLE_READONLY 19 +#define MEMORY_BLOCK_GUARD_READWRITE 20 +#define MEMORY_BLOCK_GUARD_COPYONWRITE 21 +#define MEMORY_BLOCK_GUARD_EXECUTABLE_READWRITE 22 +#define MEMORY_BLOCK_GUARD_EXECUTABLE_COPYONWRITE 23 +#define MEMORY_BLOCK_NOT_ACCESSED_4 24 +#define MEMORY_BLOCK_NON_CACHEABLE_GUARD_READONLY 25 +#define MEMORY_BLOCK_NON_CACHEABLE_GUARD_EXECUTABLE 26 +#define MEMORY_BLOCK_NON_CACHEABLE_GUARD_EXECUTABLE_READONLY 27 +#define MEMORY_BLOCK_NON_CACHEABLE_GUARD_READWRITE 28 +#define MEMORY_BLOCK_NON_CACHEABLE_GUARD_COPYONWRITE 29 +#define MEMORY_BLOCK_NON_CACHEABLE_GUARD_EXECUTABLE_READWRITE 30 +#define MEMORY_BLOCK_NON_CACHEABLE_GUARD_EXECUTABLE_COPYONWRITE 31 + typedef struct 
_MEMORY_WORKING_SET_BLOCK { ULONG_PTR Protection : 5; 
@@ -208,6 +243,122 @@ typedef struct _MEMORY_PHYSICAL_CONTIGUITY_INFORMATION PMEMORY_PHYSICAL_CONTIGUITY_UNIT_INFORMATION ContiguityUnitInformation; } MEMORY_PHYSICAL_CONTIGUITY_INFORMATION, *PMEMORY_PHYSICAL_CONTIGUITY_INFORMATION; +// private +typedef struct _RTL_SCP_CFG_ARM64_HEADER +{ + ULONG EcInvalidCallHandlerRva; + ULONG EcCfgCheckRva; + ULONG EcCfgCheckESRva; + ULONG EcCallCheckRva; + ULONG CpuInitializationCompleteLoadRva; + ULONG LdrpValidateEcCallTargetInitRva; + ULONG SyscallFfsSizeRva; + ULONG SyscallFfsBaseRva; +} RTL_SCP_CFG_ARM64_HEADER, *PRTL_SCP_CFG_ARM64_HEADER; + +// private +typedef enum _RTL_SCP_CFG_PAGE_TYPE +{ + RtlScpCfgPageTypeNop, + RtlScpCfgPageTypeDefault, + RtlScpCfgPageTypeExportSuppression, + RtlScpCfgPageTypeFptr, + RtlScpCfgPageTypeMax, + RtlScpCfgPageTypeNone +} RTL_SCP_CFG_PAGE_TYPE; + +// private +typedef struct _RTL_SCP_CFG_COMMON_HEADER +{ + ULONG CfgDispatchRva; + ULONG CfgDispatchESRva; + ULONG CfgCheckRva; + ULONG CfgCheckESRva; + ULONG InvalidCallHandlerRva; + ULONG FnTableRva; +} RTL_SCP_CFG_COMMON_HEADER, *PRTL_SCP_CFG_COMMON_HEADER; + +// private +typedef struct _RTL_SCP_CFG_HEADER +{ + RTL_SCP_CFG_COMMON_HEADER Common; +} RTL_SCP_CFG_HEADER, *PRTL_SCP_CFG_HEADER; + +// private +typedef struct _RTL_SCP_CFG_REGION_BOUNDS +{ + PVOID StartAddress; + PVOID EndAddress; +} RTL_SCP_CFG_REGION_BOUNDS, *PRTL_SCP_CFG_REGION_BOUNDS; + +// private +typedef struct _RTL_SCP_CFG_NTDLL_EXPORTS +{ + RTL_SCP_CFG_REGION_BOUNDS ScpRegions[4]; + PVOID CfgDispatchFptr; + PVOID CfgDispatchESFptr; + PVOID CfgCheckFptr; + PVOID CfgCheckESFptr; + PVOID IllegalCallHandler; +} RTL_SCP_CFG_NTDLL_EXPORTS, *PRTL_SCP_CFG_NTDLL_EXPORTS; + +// private +typedef struct _RTL_SCP_CFG_NTDLL_EXPORTS_ARM64EC +{ + PVOID EcInvalidCallHandler; + PVOID EcCfgCheckFptr; + PVOID EcCfgCheckESFptr; + PVOID EcCallCheckFptr; + PVOID CpuInitializationComplete; + PVOID LdrpValidateEcCallTargetInit; + struct + { + PVOID SyscallFfsSize; + union + { + PVOID Ptr; + ULONG 
Value; + }; + }; + PVOID SyscallFfsBase; +} RTL_SCP_CFG_NTDLL_EXPORTS_ARM64EC, *PRTL_SCP_CFG_NTDLL_EXPORTS_ARM64EC; + +// private +typedef struct _RTL_RETPOLINE_ROUTINES +{ + ULONG SwitchtableJump[16]; + ULONG CfgIndirectRax; + ULONG NonCfgIndirectRax; + ULONG ImportR10; + ULONG JumpHpat; +} RTL_RETPOLINE_ROUTINES, *PRTL_RETPOLINE_ROUTINES; + +// private +typedef struct _RTL_KSCP_ROUTINES +{ + ULONG UnwindDataOffset; + RTL_RETPOLINE_ROUTINES RetpolineRoutines; + ULONG CfgDispatchSmep; + ULONG CfgDispatchNoSmep; +} RTL_KSCP_ROUTINES, *PRTL_KSCP_ROUTINES; + +// private +typedef enum _MEMORY_IMAGE_EXTENSION_TYPE +{ + MemoryImageExtensionCfgScp, + MemoryImageExtensionCfgEmulatedScp, + MemoryImageExtensionTypeMax, +} MEMORY_IMAGE_EXTENSION_TYPE; + +// private +typedef struct _MEMORY_IMAGE_EXTENSION_INFORMATION +{ + MEMORY_IMAGE_EXTENSION_TYPE ExtensionType; + ULONG Flags; + PVOID ExtensionImageBaseRva; + SIZE_T ExtensionSize; +} MEMORY_IMAGE_EXTENSION_INFORMATION, *PMEMORY_IMAGE_EXTENSION_INFORMATION; + NTSYSCALLAPI NTSTATUS NTAPI diff --git a/Source/Include/KNSoft/NDK/NT/Po/Misc.h b/Source/Include/KNSoft/NDK/NT/Po/Misc.h index 6f20105..fa5fa5f 100644 --- a/Source/Include/KNSoft/NDK/NT/Po/Misc.h +++ b/Source/Include/KNSoft/NDK/NT/Po/Misc.h @@ -205,7 +205,7 @@ typedef struct _SYSTEM_HIBERFILE_INFORMATION PO_REASON_STATE_S4 | \ PO_REASON_STATE_S4FIRM) -typedef struct _SYSTEM_POWER_LOGGING_ENTRY +typedef struct _SYSTEM_POWER_LOGGING_ENTRY { ULONG Reason; ULONG States; @@ -226,7 +226,7 @@ typedef enum _POWER_STATE_DISABLED_TYPE #define POWER_STATE_DISABLED_TYPE_MAX 8 _Struct_size_bytes_(sizeof(SYSTEM_POWER_STATE_DISABLE_REASON) + PowerReasonLength) -typedef struct _SYSTEM_POWER_STATE_DISABLE_REASON +typedef struct _SYSTEM_POWER_STATE_DISABLE_REASON { BOOLEAN AffectedState[POWER_STATE_DISABLED_TYPE_MAX]; ULONG PowerReasonCode; 
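Review bot: `RTL_SCP_CFG_NTDLL_EXPORTS_ARM64EC` declares an anonymous struct holding `PVOID SyscallFfsSize` plus an anonymous `Ptr`/`Value` union, which gives nine pointer-sized slots, while `RTL_SCP_CFG_ARM64_HEADER` in the same hunk lists eight RVAs with matching names. If `SyscallFfsSize` is meant to be the union itself, `union { PVOID Ptr; ULONG Value; } SyscallFfsSize;`, then `SyscallFfsBase` currently sits one pointer too far and code reading this layout would pick up the wrong address; please confirm against the source these definitions were taken from. Separately, `MEMORY_IMAGE_EXTENSION_INFORMATION.ExtensionImageBaseRva` is typed `PVOID` but named as an RVA, and a one-line comment saying which it is would keep it from being dereferenced directly.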
@@ -380,7 +380,7 @@ typedef struct PROCESSOR_IDLE_TIMES } PROCESSOR_IDLE_TIMES, *PPROCESSOR_IDLE_TIMES; _Function_class_(PROCESSOR_IDLE_HANDLER) -typedef NTSTATUS (FASTCALL PROCESSOR_IDLE_HANDLER)( +typedef NTSTATUS(FASTCALL PROCESSOR_IDLE_HANDLER)( _In_ ULONG_PTR Context, _Inout_ PPROCESSOR_IDLE_TIMES IdleTimes ); @@ -588,11 +588,11 @@ typedef enum _POWER_STATE_HANDLER_TYPE PowerStateMaximum = 7 } POWER_STATE_HANDLER_TYPE, *PPOWER_STATE_HANDLER_TYPE; -typedef NTSTATUS (NTAPI *PENTER_STATE_SYSTEM_HANDLER)( +typedef NTSTATUS(NTAPI *PENTER_STATE_SYSTEM_HANDLER)( _In_ PVOID SystemContext ); -typedef NTSTATUS (NTAPI *PENTER_STATE_HANDLER)( +typedef NTSTATUS(NTAPI *PENTER_STATE_HANDLER)( _In_ PVOID Context, _In_opt_ PENTER_STATE_SYSTEM_HANDLER SystemHandler, _In_ PVOID SystemContext, @@ -609,7 +609,7 @@ typedef struct _POWER_STATE_HANDLER PVOID Context; } POWER_STATE_HANDLER, *PPOWER_STATE_HANDLER; -typedef NTSTATUS (NTAPI *PENTER_STATE_NOTIFY_HANDLER)( +typedef NTSTATUS(NTAPI *PENTER_STATE_NOTIFY_HANDLER)( _In_ POWER_STATE_HANDLER_TYPE State, _In_ PVOID Context, _In_ BOOLEAN Entering @@ -841,6 +841,8 @@ typedef struct _POWER_INTERNAL_PROCESSOR_BRANDED_FREQENCY_INPUT PROCESSOR_NUMBER ProcessorNumber; // ULONG_MAX } POWER_INTERNAL_PROCESSOR_BRANDED_FREQENCY_INPUT, *PPOWER_INTERNAL_PROCESSOR_BRANDED_FREQENCY_INPUT; +#define POWER_INTERNAL_PROCESSOR_BRANDED_FREQENCY_VERSION 1 + // rev typedef struct _POWER_INTERNAL_PROCESSOR_BRANDED_FREQENCY_OUTPUT { 
@@ -857,6 +859,16 @@ typedef struct _POWER_INTERNAL_BOOTAPP_DIAGNOSTIC #if !defined(_KERNEL_MODE) +/** + * The NtPowerInformation routine sets or retrieves system power information. + * + * @param InformationLevel Specifies the requested information level, which indicates the specific power information to be set or retrieved. + * @param InputBuffer Optional pointer to a caller-allocated input buffer. + * @param InputBufferLength Size, in bytes, of the buffer at InputBuffer. + * @param OutputBuffer Optional pointer to an output buffer. The type depends on the InformationLevel requested. + * @param OutputBufferLength Size, in bytes, of the output buffer. + * @return Successful or errant status. + */ NTSYSCALLAPI NTSTATUS NTAPI 
@@ -865,19 +877,47 @@ NtPowerInformation( _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, _In_ ULONG InputBufferLength, _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer, - _In_ ULONG OutputBufferLength - ); - + _In_ ULONG OutputBufferLength); #endif +/** + * Enables an application to inform the system that it is in use, + * thereby preventing the system from entering sleep or turning off the display while the application is running. + * + * @param NewFlags New execution state flags. + * @param PreviousFlags Pointer to receive the previous execution state flags. + * @return Successful or errant status. + */ NTSYSCALLAPI NTSTATUS NTAPI NtSetThreadExecutionState( _In_ EXECUTION_STATE NewFlags, // ES_* flags - _Out_ EXECUTION_STATE *PreviousFlags - ); + _Out_ EXECUTION_STATE *PreviousFlags); + +#if (NTDDI_VERSION < NTDDI_WIN7) +/** + * Requests the system resume latency. + * + * @param latency The desired latency time. + * @return Successful or errant status. + */ +NTSYSCALLAPI +NTSTATUS +NTAPI +NtRequestWakeupLatency( + _In_ LATENCY_TIME latency); +#endif +/** + * Initiates a power action of the current system. + * + * @param SystemAction The system power action. + * @param LightestSystemState The lightest system power state. + * @param Flags Flags for the power action. + * @param Asynchronous Whether the action is asynchronous. + * @return Successful or errant status. + */ NTSYSCALLAPI NTSTATUS NTAPI 
@@ -885,9 +925,17 @@ NtInitiatePowerAction( _In_ POWER_ACTION SystemAction, _In_ SYSTEM_POWER_STATE LightestSystemState, _In_ ULONG Flags, // POWER_ACTION_* flags - _In_ BOOLEAN Asynchronous - ); - + _In_ BOOLEAN Asynchronous); + +/** + * Initiates a power action of the current system. Depending on the Flags parameter, the function either + * suspends operation immediately or requests permission from all applications and device drivers before doing so. + * + * @param SystemAction The system power action. + * @param LightestSystemState The lightest system power state. + * @param Flags Flags for the power action. + * @return Successful or errant status. + */ NTSYSCALLAPI NTSTATUS NTAPI 
@@ -895,21 +943,33 @@ NtSetSystemPowerState( _In_ POWER_ACTION SystemAction, _In_ SYSTEM_POWER_STATE LightestSystemState, _In_ ULONG Flags // POWER_ACTION_* flags - ); - +); + +/** + * Retrieves the current power state of the specified device. This function cannot be used to query the power state of a display device. + * + * @param Device A handle to an object on the device, such as a file or socket, or a handle to the device itself. + * @param State A pointer to the variable that receives the power state. + * @return Successful or errant status. + * @remarks An application can use NtGetDevicePowerState to determine whether a device is in the working state or a low-power state. + * If the device is in a low-power state, accessing the device may cause it to either queue or fail any I/O requests, or transition the device into the working state. + * The exact behavior depends on the implementation of the device. + */ NTSYSCALLAPI NTSTATUS NTAPI NtGetDevicePowerState( _In_ HANDLE Device, - _Out_ PDEVICE_POWER_STATE State - ); + _Out_ PDEVICE_POWER_STATE State); +/** + * Checks if the system resume is automatic. + * + * @return BOOLEAN TRUE if the system resume is automatic, FALSE otherwise. + */ NTSYSCALLAPI BOOLEAN NTAPI -NtIsSystemResumeAutomatic( - VOID - ); +NtIsSystemResumeAutomatic(VOID); EXTERN_C_END diff --git a/Source/Include/KNSoft/NDK/NT/Ps/PsApi.h b/Source/Include/KNSoft/NDK/NT/Ps/PsApi.h index d8768be..f382004 100644 --- a/Source/Include/KNSoft/NDK/NT/Ps/PsApi.h +++ b/Source/Include/KNSoft/NDK/NT/Ps/PsApi.h @@ -309,7 +309,7 @@ NtCreateProcessStateChange( _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE ProcessHandle, - _In_opt_ ULONG64 Reserved + _In_opt_ _Reserved_ ULONG64 Reserved ); NTSYSCALLAPI 
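Review bot: `NtSetSystemPowerState` now closes with `);` at column 0 on a line of its own, while the other prototypes reformatted in this file fold the parenthesis onto the last parameter (`_Out_ PDEVICE_POWER_STATE State);`). The other headers in the commit keep the indented `);`. The trailing `// POWER_ACTION_* flags` comment is what prevents the fold here. Either keep the previous indented `);` or move the remark into the doc block as `@param Flags POWER_ACTION_* flags.` so the line can end in `Flags);`. The prototype starts above this hunk.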
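Review bot: `_In_opt_ _Reserved_ ULONG64 Reserved` in `NtCreateProcessStateChange` stacks two annotations, and `_In_opt_` adds nothing on a by-value integer. `_Reserved_` alone already tells the analyser and the caller that the argument must be zero or NULL, so I would write `_Reserved_ ULONG64 Reserved`. The same applies to `ExtendedInformation`, `ExtendedInformationLength` and `Reserved` in the `NtChangeProcessState` hunk that follows. It also applies to the matching `ZwChangeProcessState` and `ZwCreateProcessStateChange` hunks in ZwApi.h. The prototype begins above this hunk.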
@@ -319,9 +319,9 @@ NtChangeProcessState( _In_ HANDLE ProcessStateChangeHandle, _In_ HANDLE ProcessHandle, _In_ PROCESS_STATE_CHANGE_TYPE StateChangeType, - _In_opt_ PVOID ExtendedInformation, - _In_opt_ SIZE_T ExtendedInformationLength, - _In_opt_ ULONG64 Reserved + _In_opt_ _Reserved_ PVOID ExtendedInformation, + _In_opt_ _Reserved_ SIZE_T ExtendedInformationLength, + _In_opt_ _Reserved_ ULONG64 Reserved ); #endif @@ -1276,6 +1276,36 @@ NtAllocateReserveObject( // Process snapshotting #if (NTDDI_VERSION >= NTDDI_WINBLUE) + +// Capture/creation flags. +typedef enum _PSSNT_CAPTURE_FLAGS +{ + PSSNT_CAPTURE_NONE = 0x00000000, + PSSNT_CAPTURE_VA_CLONE = 0x00000001, + PSSNT_CAPTURE_RESERVED_00000002 = 0x00000002, + PSSNT_CAPTURE_HANDLES = 0x00000004, + PSSNT_CAPTURE_HANDLE_NAME_INFORMATION = 0x00000008, + PSSNT_CAPTURE_HANDLE_BASIC_INFORMATION = 0x00000010, + PSSNT_CAPTURE_HANDLE_TYPE_SPECIFIC_INFORMATION = 0x00000020, + PSSNT_CAPTURE_HANDLE_TRACE = 0x00000040, + PSSNT_CAPTURE_THREADS = 0x00000080, + PSSNT_CAPTURE_THREAD_CONTEXT = 0x00000100, + PSSNT_CAPTURE_THREAD_CONTEXT_EXTENDED = 0x00000200, + PSSNT_CAPTURE_RESERVED_00000400 = 0x00000400, + PSSNT_CAPTURE_VA_SPACE = 0x00000800, + PSSNT_CAPTURE_VA_SPACE_SECTION_INFORMATION = 0x00001000, + PSSNT_CAPTURE_IPT_TRACE = 0x00002000, + PSSNT_CAPTURE_RESERVED_00004000 = 0x00004000, + + PSSNT_CREATE_BREAKAWAY_OPTIONAL = 0x04000000, + PSSNT_CREATE_BREAKAWAY = 0x08000000, + PSSNT_CREATE_FORCE_BREAKAWAY = 0x10000000, + PSSNT_CREATE_USE_VM_ALLOCATIONS = 0x20000000, + PSSNT_CREATE_MEASURE_PERFORMANCE = 0x40000000, + PSSNT_CREATE_RELEASE_SECTION = 0x80000000 +} PSSNT_CAPTURE_FLAGS; +DEFINE_ENUM_FLAG_OPERATORS(PSSNT_CAPTURE_FLAGS); + // rev NTSYSCALLAPI NTSTATUS 
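Review bot: `PSSNT_CREATE_RELEASE_SECTION = 0x80000000` does not fit in `int`, which is the type of an enumeration constant in C before C23. MSVC appears to accept it, but the value is then negative, so a `PSSNT_CAPTURE_FLAGS` widened to a 64-bit integer sign-extends, and other compilers in pedantic mode will warn or reject it. If the header is meant to be consumed outside MSVC, keep the parameter as `ULONG` and use the enum only for naming, or mark the constant with `// does not fit in int; relies on the compiler's enum handling`. `DEFINE_ENUM_FLAG_OPERATORS(PSSNT_CAPTURE_FLAGS);` also leaves a stray `;` at file scope when the macro expands to nothing in C.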
@@ -1283,9 +1313,69 @@ NTAPI PssNtCaptureSnapshot( _Out_ PHANDLE SnapshotHandle, _In_ HANDLE ProcessHandle, - _In_ ULONG CaptureFlags, - _In_ ULONG ThreadContextFlags + _In_ PSSNT_CAPTURE_FLAGS CaptureFlags, + _In_opt_ ULONG ThreadContextFlags ); + +typedef enum _PSSNT_DUPLICATE_FLAGS +{ + PSSNT_DUPLICATE_NONE = 0x00, + PSSNT_DUPLICATE_CLOSE_SOURCE = 0x01 +} PSSNT_DUPLICATE_FLAGS; +DEFINE_ENUM_FLAG_OPERATORS(PSSNT_DUPLICATE_FLAGS); + +// rev +NTSYSAPI +NTSTATUS +NTAPI +PssNtDuplicateSnapshot( + _In_ HANDLE SourceProcessHandle, + _In_ HANDLE SnapshotHandle, + _In_ HANDLE TargetProcessHandle, + _Out_ PHANDLE TargetSnapshotHandle, + _In_opt_ PSSNT_DUPLICATE_FLAGS Flags + ); + +// rev +NTSYSAPI +NTSTATUS +NTAPI +PssNtFreeSnapshot( + _In_ HANDLE SnapshotHandle + ); + +// rev +NTSYSAPI +NTSTATUS +NTAPI +PssNtFreeRemoteSnapshot( + _In_ HANDLE ProcessHandle, + _In_ HANDLE SnapshotHandle + ); + +typedef enum _PSSNT_QUERY_INFORMATION_CLASS +{ + PSSNT_QUERY_PROCESS_INFORMATION = 0, // PSS_PROCESS_INFORMATION + PSSNT_QUERY_VA_CLONE_INFORMATION = 1, // PSS_VA_CLONE_INFORMATION + PSSNT_QUERY_AUXILIARY_PAGES_INFORMATION = 2, // PSS_AUXILIARY_PAGES_INFORMATION + PSSNT_QUERY_VA_SPACE_INFORMATION = 3, // PSS_VA_SPACE_INFORMATION + PSSNT_QUERY_HANDLE_INFORMATION = 4, // PSS_HANDLE_INFORMATION + PSSNT_QUERY_THREAD_INFORMATION = 5, // PSS_THREAD_INFORMATION + PSSNT_QUERY_HANDLE_TRACE_INFORMATION = 6, // PSS_HANDLE_TRACE_INFORMATION + PSSNT_QUERY_PERFORMANCE_COUNTERS = 7 // PSS_PERFORMANCE_COUNTERS +} PSSNT_QUERY_INFORMATION_CLASS; + +// rev +NTSYSAPI +NTSTATUS +NTAPI +PssNtQuerySnapshot( + _In_ HANDLE SnapshotHandle, + _In_ PSSNT_QUERY_INFORMATION_CLASS InformationClass, + _Out_writes_bytes_(BufferLength) PVOID Buffer, + _In_ ULONG BufferLength + ); + #endif // rev diff --git a/Source/Include/KNSoft/NDK/NT/Ps/PsInfo.h b/Source/Include/KNSoft/NDK/NT/Ps/PsInfo.h index 418196a..35ebf55 100644 --- a/Source/Include/KNSoft/NDK/NT/Ps/PsInfo.h +++ b/Source/Include/KNSoft/NDK/NT/Ps/PsInfo.h 
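Review bot: The four added prototypes (`PssNtDuplicateSnapshot`, `PssNtFreeSnapshot`, `PssNtFreeRemoteSnapshot`, `PssNtQuerySnapshot`) are declared `NTSYSAPI`, while `PssNtCaptureSnapshot`, whose declaration starts above this hunk, keeps `NTSYSCALLAPI`. One family of exports should use one linkage macro; if these are ordinary library exports rather than system calls, the capture prototype should become `NTSYSAPI` too. `_In_opt_` on the by-value `ThreadContextFlags` and `Flags` parameters carries no information and can be plain `_In_`. Unlike the Po/Misc.h prototypes documented in this commit, none of these says which free routine pairs with a handle returned by `PssNtDuplicateSnapshot`. A short comment on handle ownership would help callers avoid leaking snapshot handles.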
@@ -229,8 +229,8 @@ typedef struct _PROCESS_EXTENDED_BASIC_INFORMATION { ULONG IsProcessDeleting : 1; ULONG IsCrossSessionCreate : 1; ULONG IsFrozen : 1; - ULONG IsBackground : 1; - ULONG IsStronglyNamed : 1; + ULONG IsBackground : 1; // WIN://BGKD + ULONG IsStronglyNamed : 1; // WIN://SYSAPPID ULONG IsSecureProcess : 1; ULONG IsSubsystemProcess : 1; ULONG IsTrustedApp : 1; diff --git a/Source/Include/KNSoft/NDK/NT/Rtl/BootStatus.h b/Source/Include/KNSoft/NDK/NT/Rtl/BootStatus.h index 013a919..42a9c67 100644 --- a/Source/Include/KNSoft/NDK/NT/Rtl/BootStatus.h +++ b/Source/Include/KNSoft/NDK/NT/Rtl/BootStatus.h @@ -26,6 +26,7 @@ typedef enum _RTL_BSD_ITEM_TYPE RtlBsdItemChecksum, // q: s: UCHAR RtlBsdPowerTransitionExtension, RtlBsdItemFeatureConfigurationState, // q; s: ULONG + RtlBsdItemRevocationListInfo, // 24H2 RtlBsdItemMax } RTL_BSD_ITEM_TYPE; diff --git a/Source/Include/KNSoft/NDK/NT/Rtl/Misc.h b/Source/Include/KNSoft/NDK/NT/Rtl/Misc.h index 08dcaca..af957c1 100644 --- a/Source/Include/KNSoft/NDK/NT/Rtl/Misc.h +++ b/Source/Include/KNSoft/NDK/NT/Rtl/Misc.h @@ -204,7 +204,7 @@ RtlGetActiveConsoleId(VOID); #if (NTDDI_VERSION >= NTDDI_WIN10_RS1) NTSYSAPI -ULONGLONG +LONGLONG NTAPI RtlGetConsoleSessionForegroundProcessId(VOID); #endif diff --git a/Source/Include/KNSoft/NDK/NT/Rtl/Process/EnvironmentBlock.h b/Source/Include/KNSoft/NDK/NT/Rtl/Process/EnvironmentBlock.h index bd6aee2..2b2cf37 100644 --- a/Source/Include/KNSoft/NDK/NT/Rtl/Process/EnvironmentBlock.h +++ b/Source/Include/KNSoft/NDK/NT/Rtl/Process/EnvironmentBlock.h @@ -191,6 +191,7 @@ typedef struct _PEB PVOID KernelCallbackTable; PVOID UserSharedInfoPtr; }; + ULONG SystemReserved; ULONG AtlThunkSListPtr32; PAPI_SET_NAMESPACE ApiSetMap; diff --git a/Source/Include/KNSoft/NDK/NT/Rtl/Process/Process.h b/Source/Include/KNSoft/NDK/NT/Rtl/Process/Process.h index f200ce7..05a44cf 100644 --- a/Source/Include/KNSoft/NDK/NT/Rtl/Process/Process.h +++ b/Source/Include/KNSoft/NDK/NT/Rtl/Process/Process.h 
@@ -567,6 +567,11 @@ BOOLEAN NTAPI RtlIsThreadWithinLoaderCallout(VOID); +/** + * Gets a value indicating whether the process is currently in the shutdown phase. + * + * @return TRUE if a shutdown of the current dll process is in progress; otherwise, FALSE. + */ NTSYSAPI BOOLEAN NTAPI diff --git a/Source/Include/KNSoft/NDK/NT/Se/Misc.h b/Source/Include/KNSoft/NDK/NT/Se/Misc.h index e64fcab..7f3c758 100644 --- a/Source/Include/KNSoft/NDK/NT/Se/Misc.h +++ b/Source/Include/KNSoft/NDK/NT/Se/Misc.h @@ -268,7 +268,11 @@ typedef enum _TOKEN_INFORMATION_CLASS #define TOKEN_SECURITY_ATTRIBUTE_TYPE_INVALID 0x00 #define TOKEN_SECURITY_ATTRIBUTE_TYPE_INT64 0x01 #define TOKEN_SECURITY_ATTRIBUTE_TYPE_UINT64 0x02 +// Case insensitive attribute value string by default. +// Unless the flag TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE +// is set indicating otherwise. #define TOKEN_SECURITY_ATTRIBUTE_TYPE_STRING 0x03 +// Fully-qualified binary name. #define TOKEN_SECURITY_ATTRIBUTE_TYPE_FQBN 0x04 #define TOKEN_SECURITY_ATTRIBUTE_TYPE_SID 0x05 #define TOKEN_SECURITY_ATTRIBUTE_TYPE_BOOLEAN 0x06 
@@ -276,12 +280,22 @@ typedef enum _TOKEN_INFORMATION_CLASS // Flags +// Attribute must not be inherited across process spawns. #define TOKEN_SECURITY_ATTRIBUTE_NON_INHERITABLE 0x0001 +// Attribute value is compared in a case sensitive way. It is valid with string value +// or composite type containing string value. For other types of value, this flag +// will be ignored. Currently, it is valid with the two types: +// TOKEN_SECURITY_ATTRIBUTE_TYPE_STRING and TOKEN_SECURITY_ATTRIBUTE_TYPE_FQBN. #define TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE 0x0002 +// Attribute is considered only for Deny Aces. #define TOKEN_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY 0x0004 +// Attribute is disabled by default. #define TOKEN_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT 0x0008 +// Attribute is disabled. #define TOKEN_SECURITY_ATTRIBUTE_DISABLED 0x0010 +// Attribute is mandatory. #define TOKEN_SECURITY_ATTRIBUTE_MANDATORY 0x0020 +// Attribute is ignored. #define TOKEN_SECURITY_ATTRIBUTE_COMPARE_IGNORE 0x0040 #define TOKEN_SECURITY_ATTRIBUTE_VALID_FLAGS ( \ @@ -292,22 +306,24 @@ typedef enum _TOKEN_INFORMATION_CLASS TOKEN_SECURITY_ATTRIBUTE_DISABLED | \ TOKEN_SECURITY_ATTRIBUTE_MANDATORY) +// Reserve upper 16 bits for custom flags. These should be preserved but not +// validated as they do not affect security in any way. #define TOKEN_SECURITY_ATTRIBUTE_CUSTOM_FLAGS 0xffff0000 // end_rev -// private +// private // CLAIM_SECURITY_ATTRIBUTE_FQBN_VALUE typedef struct _TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE { ULONG64 Version; UNICODE_STRING Name; } TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE; -// private +// private // CLAIM_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE typedef struct _TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE { - PVOID pValue; - ULONG ValueLength; + PVOID Value; // Pointer is BYTE aligned. + ULONG ValueLength; // In bytes } TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE; // private 
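Review bot: Renaming `pValue` to `Value` in `TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE` breaks every consumer that names the field, and the commit message ("Refactor - Part 2") does not mention it. The layout is unchanged, so the old spelling can be kept at no cost, e.g. `union { PVOID Value; PVOID pValue; };`, or the rename can be called out in the release notes. Separately, the new comment `// Attribute is ignored.` on `TOKEN_SECURITY_ATTRIBUTE_COMPARE_IGNORE` in the previous hunk reads as if the attribute were dropped altogether. Going by the flag name, `// Attribute is ignored during comparison.` seems closer, to be confirmed.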
@@ -328,6 +344,24 @@ typedef struct _TOKEN_SECURITY_ATTRIBUTE_V1 } Values; } TOKEN_SECURITY_ATTRIBUTE_V1, *PTOKEN_SECURITY_ATTRIBUTE_V1; +// private +typedef struct _TOKEN_SECURITY_ATTRIBUTE_RELATIVE_V1 +{ + UNICODE_STRING Name; + USHORT ValueType; + USHORT Reserved; + ULONG Flags; + ULONG ValueCount; + union + { + ULONG pInt64[ANYSIZE_ARRAY]; + ULONG pUint64[ANYSIZE_ARRAY]; + ULONG ppString[ANYSIZE_ARRAY]; + ULONG pFqbn[ANYSIZE_ARRAY]; + ULONG pOctetString[ANYSIZE_ARRAY]; + } Values; +} TOKEN_SECURITY_ATTRIBUTE_RELATIVE_V1, *PTOKEN_SECURITY_ATTRIBUTE_RELATIVE_V1; + // rev #define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1 1 // rev diff --git a/Source/Include/KNSoft/NDK/NT/Sxs.h b/Source/Include/KNSoft/NDK/NT/Sxs.h index b29ff81..b311fa7 100644 --- a/Source/Include/KNSoft/NDK/NT/Sxs.h +++ b/Source/Include/KNSoft/NDK/NT/Sxs.h @@ -414,7 +414,7 @@ typedef struct _COMPATIBILITY_CONTEXT_ELEMENT_LEGACY // ACTIVATION_CONTEXT_COMPATIBILITY_INFORMATION from winnt.h before 19H1 typedef struct _ACTIVATION_CONTEXT_COMPATIBILITY_INFORMATION_LEGACY { - DWORD ElementCount; + ULONG ElementCount; COMPATIBILITY_CONTEXT_ELEMENT_LEGACY Elements[ANYSIZE_ARRAY]; } ACTIVATION_CONTEXT_COMPATIBILITY_INFORMATION_LEGACY, *PACTIVATION_CONTEXT_COMPATIBILITY_INFORMATION_LEGACY; diff --git a/Source/Include/KNSoft/NDK/NT/ZwApi.h b/Source/Include/KNSoft/NDK/NT/ZwApi.h index 5e9f5b0..2de5ab5 100644 --- a/Source/Include/KNSoft/NDK/NT/ZwApi.h +++ b/Source/Include/KNSoft/NDK/NT/ZwApi.h @@ -682,9 +682,9 @@ ZwChangeProcessState( _In_ HANDLE ProcessStateChangeHandle, _In_ HANDLE ProcessHandle, _In_ PROCESS_STATE_CHANGE_TYPE StateChangeType, - _In_opt_ PVOID ExtendedInformation, - _In_opt_ SIZE_T ExtendedInformationLength, - _In_opt_ ULONG64 Reserved + _In_opt_ _Reserved_ PVOID ExtendedInformation, + _In_opt_ _Reserved_ SIZE_T ExtendedInformationLength, + _In_opt_ _Reserved_ ULONG64 Reserved ); NTSYSCALLAPI 
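Review bot: `TOKEN_SECURITY_ATTRIBUTE_RELATIVE_V1` declares `UNICODE_STRING Name`, which embeds a pointer, while every member of its `Values` union is a `ULONG`, the self-relative form. The public counterpart in winnt.h, `CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1`, stores the name as a `DWORD` offset, so this field looks carried over from the absolute `TOKEN_SECURITY_ATTRIBUTE_V1` above. If that is the case, every field after it sits at the wrong offset and a parser built on this header would read `ValueType`, `Flags` and `ValueCount` from the wrong bytes. Please verify and, if it is an offset, use `ULONG Name;`. A comment such as `// ULONG members are offsets; validate each against the buffer length before use` would also help consumers.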
@@ -971,6 +971,7 @@ NTSTATUS NTAPI ZwCreateIRTimer( _Out_ PHANDLE TimerHandle, + _In_ PVOID Reserved, _In_ ACCESS_MASK DesiredAccess ); @@ -1167,7 +1168,7 @@ ZwCreateProcessStateChange( _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE ProcessHandle, - _In_opt_ ULONG64 Reserved + _In_opt_ _Reserved_ ULONG64 Reserved ); NTSYSCALLAPI @@ -1322,7 +1323,7 @@ ZwCreateTimer2( _Out_ PHANDLE TimerHandle, _In_opt_ PVOID Reserved1, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ ULONG Attributes, + _In_ ULONG Attributes, // TIMER_TYPE _In_ ACCESS_MASK DesiredAccess ); @@ -1653,7 +1654,7 @@ ZwEnumerateKey( _In_ HANDLE KeyHandle, _In_ ULONG Index, _In_ KEY_INFORMATION_CLASS KeyInformationClass, - _Out_writes_bytes_opt_(Length) PVOID KeyInformation, + _Out_writes_bytes_to_opt_(Length, *ResultLength) PVOID KeyInformation, _In_ ULONG Length, _Out_ PULONG ResultLength ); @@ -1685,7 +1686,7 @@ ZwEnumerateValueKey( _In_ HANDLE KeyHandle, _In_ ULONG Index, _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, - _Out_writes_bytes_opt_(Length) PVOID KeyValueInformation, + _Out_writes_bytes_to_opt_(Length, *ResultLength) PVOID KeyValueInformation, _In_ ULONG Length, _Out_ PULONG ResultLength ); @@ -3139,7 +3140,7 @@ NTAPI ZwQueryKey( _In_ HANDLE KeyHandle, _In_ KEY_INFORMATION_CLASS KeyInformationClass, - _Out_writes_bytes_opt_(Length) PVOID KeyInformation, + _Out_writes_bytes_to_opt_(Length, *ResultLength) PVOID KeyInformation, _In_ ULONG Length, _Out_ PULONG ResultLength ); @@ -3266,7 +3267,7 @@ NTAPI ZwQuerySecurityObject( _In_ HANDLE Handle, _In_ SECURITY_INFORMATION SecurityInformation, - _Out_writes_bytes_opt_(Length) PSECURITY_DESCRIPTOR SecurityDescriptor, + _Out_writes_bytes_to_opt_(Length, *LengthNeeded) PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ULONG Length, _Out_ PULONG LengthNeeded ); 
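Review bot: The parameter added to `ZwCreateIRTimer` is named `Reserved` but annotated `_In_`, which tells the analyser and callers that a valid non-NULL pointer is required. Elsewhere in this commit reserved arguments carry `_Reserved_`, and `ZwCreateTimer2` two hunks down declares its equivalent as `_In_opt_ PVOID Reserved1`. Unless a value really is required here, `_Reserved_ PVOID Reserved,` is the consistent spelling. Inserting it before `DesiredAccess` also changes the argument order for existing callers, so it deserves a line in the commit description. The declaration begins above this hunk.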
@@ -3368,7 +3369,7 @@ ZwQueryValueKey( _In_ HANDLE KeyHandle, _In_ PUNICODE_STRING ValueName, _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, - _Out_writes_bytes_opt_(Length) PVOID KeyValueInformation, + _Out_writes_bytes_to_opt_(Length, *ResultLength) PVOID KeyValueInformation, _In_ ULONG Length, _Out_ PULONG ResultLength ); @@ -3911,6 +3912,18 @@ ZwSetCachedSigningLevel( _In_opt_ HANDLE TargetFile ); +NTSYSCALLAPI +NTSTATUS +NTAPI +ZwSetCachedSigningLevel2( + _In_ ULONG Flags, + _In_ SE_SIGNING_LEVEL InputSigningLevel, + _In_reads_(SourceFileCount) PHANDLE SourceFiles, + _In_ ULONG SourceFileCount, + _In_opt_ HANDLE TargetFile, + _In_opt_ SE_SET_FILE_CACHE_INFORMATION* CacheInformation + ); + NTSYSCALLAPI NTSTATUS NTAPI diff --git a/Source/Include/KNSoft/NDK/Win32/Def/CommCtrl.h b/Source/Include/KNSoft/NDK/Win32/Def/CommCtrl.h index 613be3c..76126bc 100644 --- a/Source/Include/KNSoft/NDK/Win32/Def/CommCtrl.h +++ b/Source/Include/KNSoft/NDK/Win32/Def/CommCtrl.h @@ -2,7 +2,9 @@ #include +#ifdef _USE_COMMCTL60 #pragma comment(linker, "\"/manifestdependency:type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*'\"") +#endif #pragma region Patches C26454 warning diff --git a/Source/KNSoft.NDK/KNSoft.NDK.vcxproj b/Source/KNSoft.NDK/KNSoft.NDK.vcxproj index b431f52..7c2a933 100644 --- a/Source/KNSoft.NDK/KNSoft.NDK.vcxproj +++ b/Source/KNSoft.NDK/KNSoft.NDK.vcxproj @@ -120,7 +120,6 @@ - @@ -152,7 +151,7 @@ - + @@ -251,9 +250,13 @@ - + + + + + diff --git a/Source/KNSoft.NDK/KNSoft.NDK.vcxproj.filters b/Source/KNSoft.NDK/KNSoft.NDK.vcxproj.filters index 167de93..0122b86 100644 --- a/Source/KNSoft.NDK/KNSoft.NDK.vcxproj.filters +++ b/Source/KNSoft.NDK/KNSoft.NDK.vcxproj.filters @@ -85,9 +85,6 @@ Extension - - Extension - Extension @@ -430,7 +427,7 @@ NT\Io - + NT\Io @@ -459,11 +456,17 @@ - + Win32\API Win32\API + + Win32\API + + + Win32\API + \ No newline at end of file 
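Review bot: Wrapping the `/manifestdependency` pragma in `#ifdef _USE_COMMCTL60` in CommCtrl.h turns what was an unconditional effect of including the header into an opt-in. Nothing visible in this commit defines or documents the macro. Projects that relied on the header to request Common Controls 6.0 will now build without the manifest dependency and get no diagnostic. The name also starts with an underscore followed by an uppercase letter, which C reserves for the implementation. I would use a project-prefixed name (for example `KNSOFT_NDK_USE_COMMCTL60`) and add a comment above the guard, `// Define before including this header to request the Common Controls 6.0 manifest dependency`.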
diff --git a/Source/KNSoft.NDK/WinAPI/KNSoft.NDK.Kernel32.xml b/Source/KNSoft.NDK/WinAPI/KNSoft.NDK.Kernel32.xml new file mode 100644 index 0000000..226c5f4 --- /dev/null +++ b/Source/KNSoft.NDK/WinAPI/KNSoft.NDK.Kernel32.xml @@ -0,0 +1,5 @@ + + + + + \ No newline at end of file diff --git a/Source/KNSoft.NDK/WinAPI/KNSoft.NDK.Ntdll.xml b/Source/KNSoft.NDK/WinAPI/KNSoft.NDK.Ntdll.xml new file mode 100644 index 0000000..9fba2cb --- /dev/null +++ b/Source/KNSoft.NDK/WinAPI/KNSoft.NDK.Ntdll.xml @@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file diff --git a/Source/KNSoft.NDK/WinAPI/KNSoft.NDK.WinAPI.xml b/Source/KNSoft.NDK/WinAPI/KNSoft.NDK.SecHost.xml similarity index 91% rename from Source/KNSoft.NDK/WinAPI/KNSoft.NDK.WinAPI.xml rename to Source/KNSoft.NDK/WinAPI/KNSoft.NDK.SecHost.xml index 33adc51..9626134 100644 --- a/Source/KNSoft.NDK/WinAPI/KNSoft.NDK.WinAPI.xml +++ b/Source/KNSoft.NDK/WinAPI/KNSoft.NDK.SecHost.xml @@ -1,11 +1,4 @@ - - - - - - - diff --git a/Source/Test/Extension/MSToolChain.c b/Source/Test/Extension/MSVC.c similarity index 83% rename from Source/Test/Extension/MSToolChain.c rename to Source/Test/Extension/MSVC.c index 5930b03..a446c25 100644 --- a/Source/Test/Extension/MSToolChain.c +++ b/Source/Test/Extension/MSVC.c @@ -1,5 +1,5 @@ /* - * Test for the MSToolChain.h + * Test for the MSVC Specification */ #include "../Test.h" diff --git a/Source/Test/Test.vcxproj b/Source/Test/Test.vcxproj index ba8e093..aca6d30 100644 --- a/Source/Test/Test.vcxproj +++ b/Source/Test/Test.vcxproj @@ -31,7 +31,7 @@ Win32Proj {e4bbf3a5-9277-48a9-94e6-3f15f740655d} Test - 10.0.22621.0 + 10.0 @@ -182,7 +182,7 @@ - + diff --git a/Source/Test/Test.vcxproj.filters b/Source/Test/Test.vcxproj.filters index 14e97b8..5c9b2cf 100644 --- a/Source/Test/Test.vcxproj.filters +++ b/Source/Test/Test.vcxproj.filters @@ -10,7 +10,7 @@ NT - + Extension