📄 ntdef.inc
/*
 * Int64ShraMod32 - arithmetic (sign-propagating) right shift of a 64-bit
 * value, written as MSVC inline assembly for 32-bit x86.
 *
 * Value      - signed 64-bit operand, read as two dwords: the low half at
 *              [Value] and the high half at [Value+4].
 * ShiftCount - shift distance; it is loaded into ECX and only CL is used.
 *
 * The __asm block leaves the result in EDX:EAX; there is no C return
 * statement in the body.
 *
 * NOTE(review): SHRD and SAR on 32-bit operands use only the low 5 bits of
 * CL, so this sequence does not form a correct 64-bit shift for counts of
 * 32 or more. Callers presumably must keep ShiftCount in 0..31, as the
 * "Mod32" suffix suggests - confirm against the callers.
 */
__inline LONGLONG
NTAPI
Int64ShraMod32 (
LONGLONG Value,
ULONG ShiftCount
)
{
__asm {
mov ecx, ShiftCount
mov eax, dword ptr [Value]
mov edx, dword ptr [Value+4]
shrd eax, edx, cl /* low dword receives the bits shifted out of the high dword */
sar edx, cl /* high dword keeps its sign bit */
}
}
/*
 * Int64ShrlMod32 - logical (zero-filling) right shift of a 64-bit value,
 * written as MSVC inline assembly for 32-bit x86.
 *
 * Value      - unsigned 64-bit operand, read as two dwords: the low half at
 *              [Value] and the high half at [Value+4].
 * ShiftCount - shift distance; it is loaded into ECX and only CL is used.
 *
 * The __asm block leaves the result in EDX:EAX; there is no C return
 * statement in the body.
 *
 * NOTE(review): SHRD and SHR on 32-bit operands use only the low 5 bits of
 * CL, so this sequence does not form a correct 64-bit shift for counts of
 * 32 or more. Callers presumably must keep ShiftCount in 0..31, as the
 * "Mod32" suffix suggests - confirm against the callers.
 */
__inline ULONGLONG
NTAPI
Int64ShrlMod32 (
ULONGLONG Value,
ULONG ShiftCount
)
{
__asm {
mov ecx, ShiftCount
mov eax, dword ptr [Value]
mov edx, dword ptr [Value+4]
shrd eax, edx, cl /* low dword receives the bits shifted out of the high dword */
shr edx, cl /* high dword is zero-filled from the top */
}
}
#elif defined(_M_IA64)
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; IA64 has native 64-bit operations that are just as fast as their 32-bit
; counterparts. Therefore, the int64 data type is used directly to form
; shifts of 0..31 and multiplies of 32 bits times 32 bits to form a 64-bit
; product.
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
#define Int32x32To64(a, b) ((LONGLONG)((LONG)(a)) * (LONGLONG)((LONG)(b)))
#define UInt32x32To64(a, b) ((ULONGLONG)((ULONG)(a)) * (ULONGLONG)((ULONG)(b)))
#define Int64ShllMod32(a, b) ((ULONGLONG)(a) << (b))
#define Int64ShraMod32(a, b) ((LONGLONG)(a) >> (b))
#define Int64ShrlMod32(a, b) ((ULONGLONG)(a) >> (b))
#endif
^
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; Event type
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; EVENT_TYPE - MASM equates standing in for the C enum _EVENT_TYPE.
; Per the Windows DDK documentation:
;   NotificationEvent    - manual-reset: stays signaled until explicitly
;                          reset, so every waiter is released.
;   SynchronizationEvent - auto-reset: releasing one waiter clears it.
; Choosing the wrong kind for a lock-like event lets several waiters through
; at once, so the value passed at event creation deserves a review.
NotificationEvent           EQU 0
SynchronizationEvent        EQU 1
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; Timer type
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; TIMER_TYPE - MASM equates standing in for the C enum _TIMER_TYPE.
; Per the Windows DDK documentation, a notification timer stays signaled
; once it expires, while a synchronization timer resets after satisfying
; one wait.
NotificationTimer           EQU 0
SynchronizationTimer        EQU 1
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; Wait type
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; WAIT_TYPE - MASM equates standing in for the C enum _WAIT_TYPE.
; Per the Windows DDK documentation, WaitAll is satisfied only when every
; object in a multi-object wait is signaled; WaitAny is satisfied by any one.
WaitAll                     EQU 0
WaitAny                     EQU 1
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; Pointer to an Asciiz string
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; PSZ / PCSZ - pointer to a zero-terminated byte string.
; Both names are declared as the same plain byte pointer, so the read-only
; intent of the C "PCSZ" type is not expressed in this declaration.
PSZ                         TYPEDEF PTR BYTE
PCSZ                        TYPEDEF PTR BYTE
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; Counted String
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; _STRING - counted 8-bit string descriptor (the C type STRING).
;
; The length member is spelled _Length here; presumably it was renamed from
; the C field "Length" because LENGTH is a MASM operator.
; NOTE(review): as with other NT counted strings, both counts are taken to
; be in bytes and Buffer is not assumed to be zero-terminated, so consumers
; should bound every access by _Length and check _Length <= MaximumLength.
; Buffer is declared as a DWORD, i.e. a 32-bit pointer value.
_STRING STRUCT
    _Length                 WORD    ?
    MaximumLength           WORD    ?
    Buffer                  DWORD   ?       ; PCHAR
_STRING ENDS
PSTRING                     TYPEDEF PTR _STRING

; ANSI_STRING and OEM_STRING are text aliases of _STRING; the pointer types
; all refer to the same structure.
;   C original: typedef STRING ANSI_STRING;  typedef PSTRING PANSI_STRING;
ANSI_STRING                 equ <_STRING>
PANSI_STRING                TYPEDEF PTR _STRING
;   C original: typedef STRING OEM_STRING;   typedef PSTRING POEM_STRING;
OEM_STRING                  equ <_STRING>
POEM_STRING                 TYPEDEF PTR _STRING
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; CONST Counted String
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; CSTRING - counted string descriptor whose buffer is a CONST char * in the
; C original. The layout matches _STRING field for field; the read-only
; intent lives only in the comment, because Buffer is a plain DWORD here.
CSTRING STRUCT
    _Length                 WORD    ?
    MaximumLength           WORD    ?
    Buffer                  DWORD   ?       ; CONST char *
CSTRING ENDS
PCSTRING                    TYPEDEF PTR CSTRING

; Terminator value for 8-bit strings.
ANSI_NULL                   EQU 0
comment ^
typedef STRING CANSI_STRING;
typedef PSTRING PCANSI_STRING;
^
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; Unicode strings are counted 16-bit character strings. If they are
; NULL terminated, Length does not include trailing NULL.
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; UNICODE_STRING - counted string of 16-bit characters.
; Defined only when no earlier include has already declared the name.
;
; Points to keep in mind when reading or filling this structure:
;   * _Length and MaximumLength count BYTES, not characters.
;   * Both are 16-bit fields, so a byte count computed in a wider register
;     has to be range-checked before it is stored here.
;   * The text is not guaranteed to be NULL-terminated; when it is, _Length
;     excludes the terminator. Bound every access by _Length.
IFNDEF UNICODE_STRING
UNICODE_STRING STRUCT
    _Length                 WORD    ?       ; string length in bytes
    MaximumLength           WORD    ?       ; Buffer length in bytes
    Buffer                  PWSTR   ?       ; pointer to the characters
UNICODE_STRING ENDS
PUNICODE_STRING             TYPEDEF PTR UNICODE_STRING
ENDIF

; Terminator value for 16-bit strings.
UNICODE_NULL                EQU 0
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; Boolean
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; BOOLEAN is one byte wide. Code that stores it through a 32-bit register
; should write only the low byte so neighbouring fields are left untouched.
BOOLEAN                     TYPEDEF BYTE
PBOOLEAN                    TYPEDEF PTR BYTE
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; Doubly linked list structure. Can be used as either a list head, or
; as link words.
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; LIST_ENTRY - forward and backward links of a doubly linked list.
; Both links are stored as DWORDs, so this layout is for 32-bit pointers.
;
; Unlinking writes through both Flink and Blink. Code that removes an entry
; should first confirm that the neighbours point back at it
; (Flink->Blink == entry and Blink->Flink == entry); otherwise a corrupted
; link turns the unlink into a write at an address of the corruptor's choice.
LIST_ENTRY STRUCT
    Flink                   DWORD   ?       ; PTR LIST_ENTRY (next)
    Blink                   DWORD   ?       ; PTR LIST_ENTRY (previous)
LIST_ENTRY ENDS
PLIST_ENTRY                 TYPEDEF PTR LIST_ENTRY
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; Singly linked list structure. Can be used as either a list head, or
; as link words.
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; SINGLE_LIST_ENTRY - the single forward link of a singly linked list.
; The link is stored as a DWORD, so this layout is for 32-bit pointers.
SINGLE_LIST_ENTRY STRUCT
    Next                    DWORD   ?       ; PTR SINGLE_LIST_ENTRY
SINGLE_LIST_ENTRY ENDS
PSINGLE_LIST_ENTRY          TYPEDEF PTR SINGLE_LIST_ENTRY
; Fixed-width list links, needed for portable debugger support.
; The link width is explicit (32 or 64 bits) instead of following the
; assembling machine's pointer size.
; NOTE(review): the links presumably hold addresses in the debugged target,
; so a tool should validate them before using them to read target memory.
LIST_ENTRY32 STRUCT
    Flink                   DWORD   ?
    Blink                   DWORD   ?
LIST_ENTRY32 ENDS
PLIST_ENTRY32               TYPEDEF PTR LIST_ENTRY32

LIST_ENTRY64 STRUCT
    Flink                   QWORD   ?
    Blink                   QWORD   ?
LIST_ENTRY64 ENDS
PLIST_ENTRY64               TYPEDEF PTR LIST_ENTRY64
comment ^
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; These macros are used to walk lists on a target system
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
#define CONTAINING_RECORD32(address, type, field) ( \
(ULONG_PTR)(address) - \
(ULONG_PTR)(&((type *)0)->field))
#define CONTAINING_RECORD64(address, type, field) ( \
(ULONGLONG)(address) - \
(ULONGLONG)(&((type *)0)->field))
^
; STRING32 - counted string descriptor with an explicit 32-bit Buffer field.
; UNICODE_STRING32 and ANSI_STRING32 are text aliases of the same layout, so
; the assembler cannot tell an 8-bit string from a 16-bit one through these
; names; the caller has to track which kind it holds.
STRING32 STRUCT
    _Length                 WORD    ?
    MaximumLength           WORD    ?
    Buffer                  DWORD   ?
STRING32 ENDS
PSTRING32                   TYPEDEF PTR STRING32

UNICODE_STRING32            equ <STRING32>
PUNICODE_STRING32           TYPEDEF PTR UNICODE_STRING32

ANSI_STRING32               equ <STRING32>
PANSI_STRING32              TYPEDEF PTR ANSI_STRING32
comment ^
typedef struct _STRING64 {
USHORT Length;
USHORT MaximumLength;
ULONGLONG Buffer;
} STRING64;
typedef STRING64 *PSTRING64;
typedef STRING64 UNICODE_STRING64;
typedef UNICODE_STRING64 *PUNICODE_STRING64;
typedef STRING64 ANSI_STRING64;
typedef ANSI_STRING64 *PANSI_STRING64;
^
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; Valid values for the Attributes field
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; Flag bits for OBJECT_ATTRIBUTES.Attributes (meanings per the Windows DDK
; documentation):
;   OBJ_INHERIT          - the handle is inherited by child processes
;   OBJ_PERMANENT        - the object outlives its last handle
;   OBJ_EXCLUSIVE        - only one handle to the object may be open
;   OBJ_CASE_INSENSITIVE - name lookup ignores case
;   OBJ_OPENIF           - open the object if it already exists
;   OBJ_OPENLINK         - open the symbolic link itself, not its target
;   OBJ_KERNEL_HANDLE    - the handle is usable from kernel mode only
;
; Review points for kernel-mode callers:
;   * A handle opened without OBJ_KERNEL_HANDLE goes into the current
;     process's handle table, where user-mode code in that process can use
;     or close it.
;   * OBJ_VALID_ATTRIBUTES is the OR of the seven flags above (3F2h). Later
;     revisions of ntdef.h add OBJ_FORCE_ACCESS_CHECK (00000400h); it is not
;     defined here and falls outside this mask.
OBJ_INHERIT                 EQU 00000002h
OBJ_PERMANENT               EQU 00000010h
OBJ_EXCLUSIVE               EQU 00000020h
OBJ_CASE_INSENSITIVE        EQU 00000040h
OBJ_OPENIF                  EQU 00000080h
OBJ_OPENLINK                EQU 00000100h
OBJ_KERNEL_HANDLE           EQU 00000200h
OBJ_VALID_ATTRIBUTES        EQU 000003F2h
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; Object Attributes structure
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; OBJECT_ATTRIBUTES - names an object and says how it is to be opened or
; created.
; The stated size of 18h holds when HANDLE, PUNICODE_STRING and PVOID are
; each four bytes; those types are declared outside this section.
;
; Every field should be written before the structure is handed to a system
; service: stale stack contents in Attributes, SecurityDescriptor or
; SecurityQualityOfService would otherwise be read as flags or pointers.
OBJECT_ATTRIBUTES STRUCT                        ; sizeof = 18h
    _Length                     DWORD           ?   ; C name "Length"; set to sizeof OBJECT_ATTRIBUTES
    RootDirectory               HANDLE          ?   ; root directory handle for a relative ObjectName
    ObjectName                  PUNICODE_STRING ?
    Attributes                  DWORD           ?   ; OBJ_xxx flag bits
    SecurityDescriptor          PVOID           ?   ; points to a SECURITY_DESCRIPTOR
    SecurityQualityOfService    PVOID           ?   ; points to a SECURITY_QUALITY_OF_SERVICE
OBJECT_ATTRIBUTES ENDS
POBJECT_ATTRIBUTES              TYPEDEF PTR OBJECT_ATTRIBUTES
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; VOID
; InitializeObjectAttributes(
; OUT POBJECT_ATTRIBUTES p,
; IN PUNICODE_STRING n,
; IN ULONG a,
; IN HANDLE r,
; IN PSECURITY_DESCRIPTOR s
; )
;
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;#define InitializeObjectAttributes( p, n, a, r, s ) { \
; (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
; (p)->RootDirectory = r; \
; (p)->Attributes = a; \
; (p)->ObjectName = n; \
; (p)->SecurityDescriptor = s; \
; (p)->SecurityQualityOfService = NULL; \
; }
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; +
; The following $IsXxx macros are not part of the original ntdef.h
; $IsImm(Operand) - assembly-time predicate (macro function).
; Expands to -1 when OPATTR reports Operand as an immediate value
; (OPATTR bit 2), and to 0 otherwise.
$IsImm MACRO Operand:REQ
    IF ((OPATTR (Operand)) AND 04h) NE 0
        EXITM <-1>                          ;; immediate
    ENDIF
    EXITM <0>                               ;; anything else
ENDM
; $IsMem(Operand) - assembly-time predicate (macro function).
; Expands to -1 when OPATTR reports Operand as a memory variable or as
; having a relocatable data label (OPATTR bit 1), and to 0 otherwise.
$IsMem MACRO Operand:REQ
    IF ((OPATTR (Operand)) AND 02h) NE 0
        EXITM <-1>                          ;; true
    ENDIF
    EXITM <0>                               ;; false
ENDM
; $IsReg(Operand) - assembly-time predicate (macro function).
; Expands to -1 when OPATTR reports Operand as a register value
; (OPATTR bit 4), and to 0 otherwise.
$IsReg MACRO Operand:REQ
    IF ((OPATTR (Operand)) AND 10h) NE 0
        EXITM <-1>                          ;; register
    ENDIF
    EXITM <0>                               ;; anything else
ENDM
; $IsStack(Operand) - assembly-time predicate (macro function).
; Expands to -1 when OPATTR reports Operand as relative to SS
; (OPATTR bit 6), and to 0 otherwise.
$IsStack MACRO Operand:REQ
    IF ((OPATTR (Operand)) AND 40h) NE 0
        EXITM <-1>                          ;; SS-relative
    ENDIF
    EXITM <0>                               ;; anything else
ENDM
; $IsAddr2(Operand) - assembly-time predicate (macro function).
; Expands to -1 when the TEXT of Operand is at least six characters long and
; its first five characters are "addr " (compared without regard to case),
; and to 0 otherwise.
; The test is purely textual: the operand itself is not evaluated, and a
; different separator after "addr" (a tab, for instance) does not match.
$IsAddr2 MACRO Operand:REQ
    ;; The length test comes first so @SubStr is only asked for characters
    ;; that exist.
    IF @SizeStr(<Operand>) GE 6
        IFIDNI <addr >, @SubStr(<Operand>, 1 , 5)
            EXITM <-1>
        ENDIF
    ENDIF
    EXITM <0>
ENDM
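; $IsOffset2(Operand) - assembly-time predicate (macro function).
; Expands to -1 when the TEXT of Operand is longer than seven characters and
; its first seven characters are "offset " (compared without regard to
; case), and to 0 otherwise.
; The test is purely textual: the operand itself is not evaluated, and a
; different separator after "offset" (a tab, for instance) does not match.
;
; The two "echo *************" lines that used to sit in the body were
; leftover debugging output; they printed to the build log on every
; expansion and have been removed. The result of the macro is unchanged.
$IsOffset2 MACRO Operand:REQ
    ;; The length test comes first so @SubStr is only asked for characters
    ;; that exist.
    IF @SizeStr(<Operand>) GT 7
        IFIDNI <offset >, @SubStr(<Operand>, 1 , 7)
            EXITM <-1>
        ENDIF
    ENDIF
    EXITM <0>
ENDM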
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
InitializeObjectAttributes MACRO p:REQ, n:REQ, a:REQ, r:REQ, s:REQ
;; ECX is used to hold a pointer to OBJECT_ATTRIBUTES
;; EAX is used if stack variable passed
;; p - Pointer to the OBJECT_ATTRIBUTES structure to initialize
;; n - ObjectName
;; a - Attributes
;; r - RootDirectory
;; s - SecurityDescriptor
;; Be very carefull with this macro !!!
;; It can contain some hidden bugs !!!
;; In ambiguous cases fill OBJECT_ATTRIBUTES structure manually
local adr, reax, reax, line
reax = 0
recx = 0
IF $IsAddr2(p)
adr SUBSTR <p>, 6
IF $IsStack(adr) ;; is relative to SS
lea ecx, adr
ELSE
mov ecx, offset adr
ENDIF
recx = 1 ;; no more ecx
ELSEIF (OPATTR (p)) AND 00010000y
;; is a register value
IFDIFI <p>, <ecx> ;; not ecx
mov ecx, p
ENDIF
ELSEIF (OPATTR (p)) AND 00000010y
;; is a memory variable or has a relocatable data label (offset)
mov ecx, p
ELSEIF (OPATTR (p)) AND 01000000y ;; ELSEIF $IsStack(p)
;; relative to SS
mov ecx, p
recx = 1 ;; no more ecx
ELSE
line TEXTEQU %@Line
.ERR
% ECHO @FileCur(line) : ERROR! Pointer to OBJECT_ATTRIBUTES structure improperly specified.
ENDIF
PUSHCONTEXT ASSUMES
assume ecx:ptr OBJECT_ATTRIBUTES
mov [ecx]._Length, sizeof OBJECT_ATTRIBUTES
;; RootDirectory - Specifies a handle to the root object directory for the path name specified in the ObjectName parameter.
;; If ObjectName parameter is a fully-qualified object name, RootDirectory is NULL.
IF (OPATTR (r)) AND 00000010y
;; is a memory variable or has a relocatable data label
push r
pop [ecx].RootDirectory
ELSEIF (OPATTR (r)) AND 00010000y
;; is a register value
IFDIFI <r>, <ecx>
mov [ecx].RootDirectory, r
ELSE
line TEXTEQU %@Line
.ERR
% ECHO @FileCur(line) : ERROR! ECX register value overwritten by InitializeObjectAttributes macro.
ENDIF
ELSEIF (OPATTR (r)) AND 01000000y ;; ELSEIF $IsStack(r)
;; relative to SS
push r
pop [ecx].RootDirectory
ELSEIF (OPATTR (r)) AND 00000100y ;; ELSEIF $IsImm(r)
;; Is an immediate value
IF r EQ 0
and [ecx].RootDirectory, 0 ;; NULL
ELSE
mov [ecx].RootDirectory, r
ENDIF
ELSE
line TEXTEQU %@Line
.ERR
% ECHO @FileCur(line) : ERROR! RootDirectory improperly specified.
ENDIF
;; Attributes - Specifies one or more flags:
IF (OPATTR (a)) AND 00000010y
;; is a memory variable or has a relocatable data label
push a
pop [ecx].Attributes
ELSEIF (OPATTR (a)) AND 00010000y
;; is a register value
IFDIFI <a>, <ecx> ;; not ecx
mov [ecx].Attributes, a
ELSE