📄 ntdll.h
字号:
#define REG_CREATED_NEW_KEY (0x00000001L) // New Registry Key created
#define REG_OPENED_EXISTING_KEY (0x00000002L) // Existing Key opened
//
// Key restore flags
//
#define REG_WHOLE_HIVE_VOLATILE (0x00000001L) // Restore whole hive volatile
#define REG_REFRESH_HIVE (0x00000002L) // Unwind changes to last flush
#define REG_NO_LAZY_FLUSH (0x00000004L) // Never lazy flush this hive
//
// Predefined Value Types.
//
#define REG_NONE ( 0 ) // No value type
#define REG_SZ ( 1 ) // Unicode nul terminated string
#define REG_EXPAND_SZ ( 2 ) // Unicode nul terminated string
// (with environment variable references)
#define REG_BINARY ( 3 ) // Free form binary
#define REG_DWORD ( 4 ) // 32-bit number
#define REG_DWORD_LITTLE_ENDIAN ( 4 ) // 32-bit number (same as REG_DWORD)
#define REG_DWORD_BIG_ENDIAN ( 5 ) // 32-bit number
#define REG_LINK ( 6 ) // Symbolic Link (unicode)
#define REG_MULTI_SZ ( 7 ) // Multiple Unicode strings
#define REG_RESOURCE_LIST ( 8 ) // Resource list in the resource map
#define REG_FULL_RESOURCE_DESCRIPTOR ( 9 ) // Resource list in the hardware description
#define REG_RESOURCE_REQUIREMENTS_LIST ( 10 )
//
// Key query structures
//
typedef struct _KEY_BASIC_INFORMATION {
LARGE_INTEGER LastWriteTime;
ULONG TitleIndex;
ULONG NameLength;
WCHAR Name[1]; // Variable length string
} KEY_BASIC_INFORMATION, *PKEY_BASIC_INFORMATION;
typedef struct _KEY_NODE_INFORMATION {
LARGE_INTEGER LastWriteTime;
ULONG TitleIndex;
ULONG ClassOffset;
ULONG ClassLength;
ULONG NameLength;
WCHAR Name[1]; // Variable length string
// Class[1]; // Variable length string not declared
} KEY_NODE_INFORMATION, *PKEY_NODE_INFORMATION;
typedef struct _KEY_FULL_INFORMATION {
LARGE_INTEGER LastWriteTime;
ULONG TitleIndex;
ULONG ClassOffset;
ULONG ClassLength;
ULONG SubKeys;
ULONG MaxNameLen;
ULONG MaxClassLen;
ULONG Values;
ULONG MaxValueNameLen;
ULONG MaxValueDataLen;
WCHAR Class[1]; // Variable length
} KEY_FULL_INFORMATION, *PKEY_FULL_INFORMATION;
typedef enum _KEY_INFORMATION_CLASS {
KeyBasicInformation,
KeyNodeInformation,
KeyFullInformation
} KEY_INFORMATION_CLASS;
typedef struct _KEY_WRITE_TIME_INFORMATION {
LARGE_INTEGER LastWriteTime;
} KEY_WRITE_TIME_INFORMATION, *PKEY_WRITE_TIME_INFORMATION;
typedef enum _KEY_SET_INFORMATION_CLASS {
KeyWriteTimeInformation
} KEY_SET_INFORMATION_CLASS;
//
// Value entry query structures
//
typedef struct _KEY_VALUE_BASIC_INFORMATION {
ULONG TitleIndex;
ULONG Type;
ULONG NameLength;
WCHAR Name[1]; // Variable size
} KEY_VALUE_BASIC_INFORMATION, *PKEY_VALUE_BASIC_INFORMATION;
typedef struct _KEY_VALUE_FULL_INFORMATION {
ULONG TitleIndex;
ULONG Type;
ULONG DataOffset;
ULONG DataLength;
ULONG NameLength;
WCHAR Name[1]; // Variable size
// Data[1]; // Variable size data not declared
} KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION;
typedef struct _KEY_VALUE_PARTIAL_INFORMATION {
ULONG TitleIndex;
ULONG Type;
ULONG DataLength;
UCHAR Data[1]; // Variable size
} KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION;
typedef struct _KEY_VALUE_ENTRY {
PUNICODE_STRING ValueName;
ULONG DataLength;
ULONG DataOffset;
ULONG Type;
} KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY;
typedef enum _KEY_VALUE_INFORMATION_CLASS {
KeyValueBasicInformation,
KeyValueFullInformation,
KeyValuePartialInformation
} KEY_VALUE_INFORMATION_CLASS;
NTSYSAPI
NTSTATUS
NTAPI
NtLoadKey(
IN POBJECT_ATTRIBUTES KeyToLoad,
IN POBJECT_ATTRIBUTES FileToLoad
);
NTSYSAPI
NTSTATUS
NTAPI
NtUnloadKey(
IN POBJECT_ATTRIBUTES KeyToUnLoad
);
NTSYSAPI
NTSTATUS
NTAPI
NtOpenKey(
OUT PHANDLE KeyHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes
);
NTSYSAPI
NTSTATUS
NTAPI
NtCreateKey(
OUT PHANDLE KeyHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN ULONG TitleIndex,
IN PUNICODE_STRING Class OPTIONAL,
IN ULONG CreateOptions,
OUT PULONG Disposition OPTIONAL
);
NTSYSAPI
NTSTATUS
NTAPI
NtSetValueKey(
IN HANDLE KeyHandle,
IN PUNICODE_STRING ValueName,
IN ULONG TitleIndex OPTIONAL,
IN ULONG Type,
IN PVOID Data,
IN ULONG DataSize
);
NTSYSAPI
NTSTATUS
NTAPI
NtEnumerateKey(
IN HANDLE KeyHandle,
IN ULONG Index,
IN KEY_INFORMATION_CLASS KeyInformationClass,
OUT PVOID KeyInformation,
IN ULONG Length,
OUT PULONG ResultLength
);
NTSYSAPI
NTSTATUS
NTAPI
NtEnumerateValueKey(
IN HANDLE KeyHandle,
IN ULONG Index,
IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
OUT PVOID KeyValueInformation,
IN ULONG Length,
OUT PULONG ResultLength
);
NTSYSAPI
NTSTATUS
NTAPI
NtFlushKey(
IN HANDLE KeyHandle
);
NTSYSAPI
NTSTATUS
NTAPI
NtQueryKey(
IN HANDLE KeyHandle,
IN KEY_INFORMATION_CLASS KeyInformationClass,
OUT PVOID KeyInformation,
IN ULONG Length,
OUT PULONG ResultLength
);
NTSYSAPI
NTSTATUS
NTAPI
NtQueryValueKey(
IN HANDLE KeyHandle,
IN PUNICODE_STRING ValueName,
IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
OUT PVOID KeyValueInformation,
IN ULONG Length,
OUT PULONG ResultLength
);
//
// These must be converted to LUIDs before use.
//
#define SE_MIN_WELL_KNOWN_PRIVILEGE (2L)
#define SE_CREATE_TOKEN_PRIVILEGE (2L)
#define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE (3L)
#define SE_LOCK_MEMORY_PRIVILEGE (4L)
#define SE_INCREASE_QUOTA_PRIVILEGE (5L)
//
// Unsolicited Input is obsolete and unused.
//
#define SE_UNSOLICITED_INPUT_PRIVILEGE (6L)
#define SE_MACHINE_ACCOUNT_PRIVILEGE (6L)
#define SE_TCB_PRIVILEGE (7L)
#define SE_SECURITY_PRIVILEGE (8L)
#define SE_TAKE_OWNERSHIP_PRIVILEGE (9L)
#define SE_LOAD_DRIVER_PRIVILEGE (10L)
#define SE_SYSTEM_PROFILE_PRIVILEGE (11L)
#define SE_SYSTEMTIME_PRIVILEGE (12L)
#define SE_PROF_SINGLE_PROCESS_PRIVILEGE (13L)
#define SE_INC_BASE_PRIORITY_PRIVILEGE (14L)
#define SE_CREATE_PAGEFILE_PRIVILEGE (15L)
#define SE_CREATE_PERMANENT_PRIVILEGE (16L)
#define SE_BACKUP_PRIVILEGE (17L)
#define SE_RESTORE_PRIVILEGE (18L)
#define SE_SHUTDOWN_PRIVILEGE (19L)
#define SE_DEBUG_PRIVILEGE (20L)
#define SE_AUDIT_PRIVILEGE (21L)
#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE (22L)
#define SE_CHANGE_NOTIFY_PRIVILEGE (23L)
#define SE_REMOTE_SHUTDOWN_PRIVILEGE (24L)
#define SE_MAX_WELL_KNOWN_PRIVILEGE (SE_REMOTE_SHUTDOWN_PRIVILEGE)
NTSYSAPI
NTSTATUS
NTAPI
RtlAdjustPrivilege(
IN ULONG Privilege,
IN BOOLEAN Enable,
IN BOOLEAN CurrentThread,
OUT PBOOLEAN Enabled
);
typedef struct _PRELATIVE_NAME{
UNICODE_STRING Name;
HANDLE CurrentDir;
} PRELATIVE_NAME, *PPRELATIVE_NAME;
NTSYSAPI
NTSTATUS
NTAPI
RtlDosPathNameToNtPathName_U(
IN PCWSTR DosPathName,
OUT PUNICODE_STRING NtPathName,
OUT PWSTR* FilePathInNtPathName OPTIONAL,
OUT PRELATIVE_NAME* RelativeName OPTIONAL
);
/**********************************************************************/
NTSYSAPI
NTSTATUS
NTAPI
NtShutdownSystem(
IN HANDLE KeyHandle
);
NTSYSAPI
NTSTATUS
NTAPI
NtWaitForSingleObject(
IN HANDLE ObjectHandle,
IN BOOLEAN Alertable,
IN PLARGE_INTEGER Timeout OPTIONAL
);
typedef enum _WAIT_TYPE
{
WaitAll,
WaitAny
} WAIT_TYPE;
NTSYSAPI
NTSTATUS
NTAPI
NtWaitForMultipleObjects(
IN ULONG NumberOfHandles,
IN PHANDLE ArrayOfHandles,
IN WAIT_TYPE WaitType,
IN BOOLEAN Alertable,
IN PLARGE_INTEGER Timeout OPTIONAL
);
typedef struct _PROCESS_PARAMETRS
{
ULONG AllocationSize;
ULONG ActualSize;
ULONG Flags;
ULONG Unknown1;
HANDLE InputHandle;
HANDLE OutputHandle;
HANDLE ErrorHandle;
UNICODE_STRING Unknown3; //??????????????????????
UNICODE_STRING CurrentDirectory;
HANDLE CurrentDir;
//UNICODE_STRING Unknown3;
UNICODE_STRING SearchPath; //?????????????????????
UNICODE_STRING ApplicationName;
//UNICODE_STRING SearchPath; //?????????????????????
UNICODE_STRING CommandLine;
PVOID EnvironmentBlock;
ULONG Unknown[9];
UNICODE_STRING Unknown4;
UNICODE_STRING Unknown5;
UNICODE_STRING Unknown6;
UNICODE_STRING Unknown7;
} PROCESS_PARAMETRS, *PPROCESS_PARAMETRS;
typedef struct _PROCESS_ENVIRONMENT_BLOCK
{
WORD unknown0;
WORD unknown1; // 0x02 徉轵, 1 - 禧 镱⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -