zwfunc.h

驱动类 rootkit HOOK注册表读取

/* $Id: zwfunc.h,v 1.9 2002/01/11 06:59:37 Tim Exp $ */

/*
 * Module:	zwfunc.h
 * Abstract:	typedefs for the system service ZwXxx functions
 * Author:	Tim Robbins
 *
 * The author permits the redistribution and use of this software in source
 * and binary forms, with or without modification. This software is provided
 * "as is", and you use it at your own risk.
 */

#ifndef ZWFUNC_H
#define ZWFUNC_H

//#include <ntddk.h>

/*
 * Exported and documented Zw class functions. These typedefs are based
 * on the prototypes found in NTDDK.H from Windows 2000 SP1 DDK.
 *
 * NTSYSAPI and NTAPI macros have been removed because they cannot be used
 * in a typedef.
 */

typedef NTSTATUS (*T_ZwCreateFile) (
	OUT PHANDLE FileHandle,
	IN ACCESS_MASK DesiredAccess,
	IN POBJECT_ATTRIBUTES ObjectAttributes,
	OUT PIO_STATUS_BLOCK IoStatusBlock,
	IN PLARGE_INTEGER AllocationSize OPTIONAL,
	IN ULONG FileAttributes,
	IN ULONG ShareAccess,
	IN ULONG CreateDisposition,
	IN ULONG CreateOptions,
	IN PVOID EaBuffer OPTIONAL,
	IN ULONG EaLength
);

typedef NTSTATUS (*T_ZwOpenFile) (
	OUT PHANDLE FileHandle,
	IN ACCESS_MASK DesiredAccess,
	IN POBJECT_ATTRIBUTES ObjectAttributes,
	OUT PIO_STATUS_BLOCK IoStatusBlock,
	IN ULONG ShareAccess,
	IN ULONG OpenOptions
);

typedef NTSTATUS (*T_ZwQueryInformationFile) (
	IN HANDLE FileHandle,
	OUT PIO_STATUS_BLOCK IoStatusBlock,
	OUT PVOID FileInformation,
	IN ULONG Length,
	IN FILE_INFORMATION_CLASS FileInformationClass
);

typedef NTSTATUS (*T_ZwSetInformationFile) (
	IN HANDLE FileHandle,
	OUT PIO_STATUS_BLOCK IoStatusBlock,
	IN PVOID FileInformation,
	IN ULONG Length,
	IN FILE_INFORMATION_CLASS FileInformationClass
);

typedef NTSTATUS (*T_ZwReadFile) (
	IN HANDLE FileHandle,
	IN HANDLE Event OPTIONAL,
	IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
	IN PVOID ApcContext OPTIONAL,
	OUT PIO_STATUS_BLOCK IoStatusBlock,
	OUT PVOID Buffer,
	IN ULONG Length,
	IN PLARGE_INTEGER ByteOffset OPTIONAL,
	IN PULONG Key OPTIONAL
);

typedef NTSTATUS (*T_ZwWriteFile) (
	IN HANDLE FileHandle,
	IN HANDLE Event OPTIONAL,
	IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
	IN PVOID ApcContext OPTIONAL,
	OUT PIO_STATUS_BLOCK IoStatusBlock,
	IN PVOID Buffer,
	IN ULONG Length,
	IN PLARGE_INTEGER ByteOffset OPTIONAL,
	IN PULONG Key OPTIONAL
);

typedef NTSTATUS (*T_ZwClose) (
	IN HANDLE Handle
);

typedef NTSTATUS (*T_ZwCreateDirectoryObject) (
	OUT PHANDLE DirectoryHandle,
	IN ACCESS_MASK DesiredAccess,
	IN POBJECT_ATTRIBUTES ObjectAttributes
);

typedef NTSTATUS (*T_ZwMakeTemporaryObject) (
	IN HANDLE Handle
);

typedef NTSTATUS (*T_ZwOpenSection) (
	OUT PHANDLE SectionHandle,
	IN ACCESS_MASK DesiredAccess,
	IN POBJECT_ATTRIBUTES ObjectAttributes
);

typedef NTSTATUS (*T_ZwMapViewOfSection) (
	IN HANDLE SectionHandle,
	IN HANDLE ProcessHandle,
	IN OUT PVOID *BaseAddress,
	IN ULONG ZeroBits,
	IN ULONG CommitSize,
	IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
	IN OUT PSIZE_T ViewSize,
	IN SECTION_INHERIT InheritDisposition,
	IN ULONG AllocationType,
	IN ULONG Protect
);

typedef NTSTATUS (*T_ZwUnmapViewOfSection) (
	IN HANDLE ProcessHandle,
	IN PVOID BaseAddress
);

typedef NTSTATUS (*T_ZwSetInformationThread) (
	IN HANDLE ThreadHandle,
	IN THREADINFOCLASS ThreadInformationClass,
	IN PVOID ThreadInformation,
	IN ULONG ThreadInformationLength
);

typedef NTSTATUS (*T_ZwCreateKey) (
	OUT PHANDLE KeyHandle,
	IN ACCESS_MASK DesiredAccess,
	IN POBJECT_ATTRIBUTES ObjectAttributes,
	IN ULONG TitleIndex,
	IN PUNICODE_STRING Class OPTIONAL,
	IN ULONG CreateOptions,
	OUT PULONG Disposition OPTIONAL
);

typedef NTSTATUS (*T_ZwOpenKey) (
	OUT PHANDLE KeyHandle,
	IN ACCESS_MASK DesiredAccess,
	IN POBJECT_ATTRIBUTES ObjectAttributes
);

typedef NTSTATUS (*T_ZwDeleteKey) (
	IN HANDLE KeyHandle
);

typedef NTSTATUS (*T_ZwEnumerateKey) (
	IN HANDLE KeyHandle,
	IN ULONG Index,
	IN KEY_INFORMATION_CLASS KeyInformationClass,
	OUT PVOID KeyInformation,
	IN ULONG Length,
	OUT PULONG ResultLength
);

typedef NTSTATUS (*T_ZwEnumerateValueKey) (
	IN HANDLE KeyHandle,
	IN ULONG Index,
	IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
	OUT PVOID KeyValueInformation,
	IN ULONG Length,
	OUT PULONG ResultLength
);

typedef NTSTATUS (*T_ZwFlushKey) (
	IN HANDLE KeyHandle
);

typedef NTSTATUS (*T_ZwQueryKey) (
	IN HANDLE KeyHandle,
	IN KEY_INFORMATION_CLASS KeyInformationClass,
	OUT PVOID KeyInformation,
	IN ULONG Length,
	OUT PULONG ResultLength
);

typedef NTSTATUS (*T_ZwQueryValueKey) (
	IN HANDLE KeyHandle,
	IN PUNICODE_STRING ValueName,
	IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
	OUT PVOID KeyValueInformation,
	IN ULONG Length,
	OUT PULONG ResultLength
);

typedef NTSTATUS (*T_ZwSetValueKey) (
	IN HANDLE KeyHandle,
	IN PUNICODE_STRING ValueName,
	IN ULONG TitleIndex OPTIONAL,
	IN ULONG Type,
	IN PVOID Data,
	IN ULONG DataSize
);

typedef NTSTATUS (*T_ZwOpenSymbolicLinkObject) (
	OUT PHANDLE LinkHandle,
	IN ACCESS_MASK DesiredAccess,
	IN POBJECT_ATTRIBUTES ObjectAttributes
);

typedef NTSTATUS (*T_ZwQuerySymbolicLinkObject) (
	IN HANDLE LinkHandle,
	IN OUT PUNICODE_STRING LinkTarget,
	OUT PULONG ReturnedLength OPTIONAL
);

typedef NTSTATUS (*T_ZwCreateTimer) (
	OUT PHANDLE TimerHandle,
	IN ACCESS_MASK DesiredAccess,
	IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
	IN TIMER_TYPE TimerType
);

typedef NTSTATUS (*T_ZwOpenTimer) (
	OUT PHANDLE TimerHandle,
	IN ACCESS_MASK DesiredAccess,
	IN POBJECT_ATTRIBUTES ObjectAttributes
);

typedef NTSTATUS (*T_ZwCancelTimer) (
	IN HANDLE TimerHandle,
	OUT PBOOLEAN CurrentState OPTIONAL
);

typedef NTSTATUS (*T_ZwSetTimer) (
	IN HANDLE TimerHandle,
	IN PLARGE_INTEGER DueTime,
	IN PTIMER_APC_ROUTINE TimerApcRoutine OPTIONAL,
	IN PVOID TimerContext OPTIONAL,
	IN BOOLEAN WakeTimer,
	IN LONG Period OPTIONAL,
	OUT PBOOLEAN PreviousState OPTIONAL
);

/* Undocumented, see comment in blocknt.h */
typedef NTSTATUS (*T_ZwQueryDirectoryFile) (
	IN HANDLE FileHandle,
	IN HANDLE Event OPTIONAL,
	IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
	IN PVOID ApcContext OPTIONAL,
	OUT PIO_STATUS_BLOCK IoStatusBlock,
	OUT PVOID FileInformation,
	IN ULONG Length,
	IN FILE_INFORMATION_CLASS FileInformationClass,
	IN BOOLEAN ReturnSingleEntry,
	IN PUNICODE_STRING FileName OPTIONAL,
	IN BOOLEAN RestartScan
);

/* Undocumented, see comment in blocknt.h */
/*typedef NTSTATUS (*T_ZwQuerySystemInformation) (
	IN SYSTEMINFOCLASS SystemInfoClass,
	OUT PVOID SystemInfoBuffer,
	IN ULONG SystemInfoBufferSize,
	OUT PULONG BytesReturned OPTIONAL
);
*/
#endif