#ifndef __NT_OS_KERNEL_UNDOCUMENT__
 #define __NT_OS_KERNEL_UNDOCUMENT__

extern "C"
{

#include "ntddk.h"


#include "KTypes.h"

//#define __WIN2K

// Untyped pointer to an object body. Nothing live in this part of the file
// uses it; the commented-out ObQueryNameString prototype further down did.
typedef PVOID           POBJECT;

// The build number, accessible via the NtBuildNumber variable that is
// exported from the kernel, is a 32-bit value where the high nibble is
// either 'C', for Checked Build, or 'F', for Free Build, and the rest is
// the actual base build number of NT (1381, or 0x565, for NT 4.0 and any
// Service Packs). 
//
// NOTE(review): ntddk.h (included above) may already declare NtBuildNumber;
// if it does so with a different pointer type, this redeclaration will not
// compile on that DDK. Read the value through whichever type the DDK in use
// declares, and mask off the build-type nibble before comparing builds.

extern PULONG   NtBuildNumber;

#ifndef __KE_SERVICE_DESCRIPTOR_TABLE
 #define __KE_SERVICE_DESCRIPTOR_TABLE
//
// Definition for system call service table
//
// One system service descriptor. The layout parallels SSD further down
// (table pointer, one ULONG slot, entry count, parameter table). The second
// slot is named LowCall here, dwFirstServiceIndex in SSD and bUnknown in
// KeAddSystemServiceTable; no comment in this file establishes what it
// holds, so treat it as unknown rather than as a "first call number".
//
typedef struct _SRVTABLE {
        PVOID           *ServiceTable;  // Service handler address per entry
                                        // (an SSTAT, see below).
        ULONG           LowCall;        // Meaning not established in this file.
        ULONG           HiCall;         // Presumably the entry count, like
                                        // SSD.dwSystemServiceTableNumEntries - confirm.
        PVOID           *ArgTable;      // Parallels SSD.lpSystemServiceTableParameterTable
                                        // (an SSTPT, see below).
} SRVTABLE, *PSRVTABLE;

//
// Pointer to the image of the system service table
//
// NOTE(review): declared as a pointer to a single SRVTABLE, while SSDT below
// describes the same table as an array of four descriptors; presumably this
// points at element 0 - confirm.
//
extern PSRVTABLE KeServiceDescriptorTable;

//
// Macro for easy hook/unhook. On X86 implementations of Zw* functions, the DWORD
// following the first byte is the system call number, so we reach into the Zw function
// passed as a parameter, and pull the number out. This makes system call hooking
// dependent ONLY on the Zw* function implementation not changing.
//
// NOTE(review): the number pulled out of the stub is used as an index without
// any check against HiCall (or LowCall). Anything that is not a Zw* stub of
// exactly this encoding - a different build, a target other than x86 or the
// _ALPHA_ case, or simply a wrong function pointer - produces an arbitrary
// index and an out-of-bounds access on ServiceTable. Validate the function
// and the resulting index before using the macro.
//
#if defined(_ALPHA_)
#define SYSCALL(_function)  KeServiceDescriptorTable->ServiceTable[ (*(PULONG)_function)  & 0x0000FFFF ]
#else
#define SYSCALL(_function)  KeServiceDescriptorTable->ServiceTable[ *(PULONG)((PUCHAR)_function+1)]
#endif

#endif //__KE_SERVICE_DESCRIPTOR_TABLE

typedef VOID *SSTAT[];  // SSTAT is an array of pointers to the
                        //  service handler addresses of each 
                        // service entry in the SST.
typedef unsigned char SSTPT[];   // SSTPT is an array of bytes containing 
                        // the size of the parameter stack in 
                        // bytes for each service entry in the SST.

// Both array types above are declared without a bound, so sizeof cannot be
// applied to them and the entry count has to come from the descriptor
// (dwSystemServiceTableNumEntries). Access elements through the pointer
// typedefs as (*lpTable)[i].
typedef SSTAT *LPSSTAT; // LPSSTAT is a pointer to an SSTAT.
typedef SSTPT *LPSSTPT; // LPSSTPT is a pointer to an SSTPT.

//
// One system service descriptor, in the same four-slot layout as SRVTABLE
// above (address table, one ULONG, entry count, parameter table).
//
typedef struct SystemServiceDescriptor
{
  LPSSTAT lpSystemServiceTableAddressTable;   // Pointer to the 
                                              // Address Table ( SSTAT ) structure of the SST.
  ULONG   dwFirstServiceIndex;                // ( ? ) Always set to FALSE.
                                              // NOTE(review): this slot is
                                              // LowCall in SRVTABLE and bUnknown
                                              // in KeAddSystemServiceTable; the
                                              // "first index" reading is a guess
                                              // this file does not substantiate.
  ULONG   dwSystemServiceTableNumEntries;     // Number of entries
                                              //  in the SST.
  LPSSTPT lpSystemServiceTableParameterTable; // Pointer to 
                                              // the Parameter Table
                                              // ( SSTPT ) structure 
                                              // of the SST.
} SSD, *LPSSD;

//
// The complete table: four descriptors. The dwTableID argument of
// KeAddSystemServiceTable is an index into this array.
//
typedef struct SystemServiceDescriptorTable
{
  SSD   SystemServiceDescriptors[4];   // The array of 4 SSDs.
} SSDT, *LPSSDT;

//
// Definition for KeAddSystemServiceTable call
//
// Installs an SST as descriptor dwTableID of the SSDT. The first four
// arguments are the four SSD slots in order, so bUnknown corresponds to the
// slot named dwFirstServiceIndex in SSD and LowCall in SRVTABLE. The file
// does not say under which conditions the BOOLEAN result is FALSE, so
// callers must check it rather than assume the table was installed.
//
NTSYSAPI
BOOLEAN
NTAPI
KeAddSystemServiceTable(          
    LPSSTAT  lpAddressTable,   // Pointer to the SSTAT
                               // structure of the SST.
    BOOLEAN  bUnknown,         // Unknown. Always set
                               // to FALSE. If you have
                               // any information
                               // regarding this please
                               // let me know.
    ULONG    dwNumEntries,     // Number of entries in the SST.
    LPSSTPT  lpParameterTable, // Pointer to the SSTPT
                               // structure of the SST.
    ULONG    dwTableID         // Index of the SSD to
                               // add the SST to.
    );

//
// Definition for ZwDeleteValueKey call
//
// hKey is an open registry key handle and UniNameKey the name of the value
// under that key to delete. The file does not state which access rights the
// handle needs; open it with rights that permit modifying values, and check
// the NTSTATUS - a missing value or insufficient access comes back as a
// failure status, not an exception.
//
NTSYSAPI
NTSTATUS
NTAPI
ZwDeleteValueKey(
    IN HANDLE hKey,
    IN PUNICODE_STRING UniNameKey
    );

//
// For displaying messages to the Blue Screen
//
// Text is a counted string; nothing here validates it, so the caller is
// responsible for Buffer and Length being consistent. Like
// KeAddSystemServiceTable above, this prototype omits the IN annotation the
// other Zw* declarations in the file carry.
//
NTSYSAPI
NTSTATUS
NTAPI
ZwDisplayString(
    PUNICODE_STRING Text
    );


//
// Directory control structure
//
//typedef struct _QUERY_DIRECTORY
//{
//  ULONG Length;
//  PUNICODE_STRING FileName;
//  FILE_INFORMATION_CLASS FileInformationClass;
//  ULONG FileIndex;
//} QUERY_DIRECTORY, *PQUERY_DIRECTORY;

/*
typedef struct _FILE_NAMES_INFORMATION
{
  ULONG NextEntryOffset;
  ULONG FileIndex;
  ULONG FileNameLength;
  WCHAR FileName[ANYSIZE_ARRAY];
} FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION;

#define SIZE_OF_FILE_NAMES_INFORMATION (sizeof(FILE_NAMES_INFORMATION)-sizeof(WCHAR)*ANYSIZE_ARRAY)

typedef struct tag_FQD_CommonBlock
{
  ULONG   NextEntryOffset;
  ULONG   FileIndex;
  TIME    CreationTime;
  TIME    LastAccessTime;
  TIME    LastWriteTime;
  TIME    ChangeTime;
  LARGE_INTEGER EndOfFile;
  LARGE_INTEGER AllocationSize;
  ULONG   FileAttributes;
  ULONG   FileNameLength;
} FQD_CommonBlock, *PFQD_CommonBlock;

typedef struct _FILE_QUERY_DIRECTORY
{
  ULONG   NextEntryOffset;
  ULONG   FileIndex;
  TIME    CreationTime;
  TIME    LastAccessTime;
  TIME    LastWriteTime;
  TIME    ChangeTime;
  LARGE_INTEGER EndOfFile;
  LARGE_INTEGER AllocationSize;
  ULONG   FileAttributes;
  ULONG   FileNameLength;

  union
  {
    struct
    {
      WCHAR  FileName[ANYSIZE_ARRAY];
    } Class1;
    struct
    {
      ULONG  Unknown2;
      WCHAR  FileName[ANYSIZE_ARRAY];
    } Class2;
    struct
    {
      ULONG  Unknown2;
      USHORT AlternateFileNameLength;
      WCHAR  AlternateFileName[12];
      WCHAR  FileName[ANYSIZE_ARRAY];
    } Class3;
  };
} FILE_QUERY_DIRECTORY, *PFILE_QUERY_DIRECTORY;

#define SIZE_OF_FQD_CLASS1 (sizeof(FQD_CommonBlock))
#define SIZE_OF_FQD_CLASS2 (sizeof(FQD_CommonBlock) + sizeof(FILE_QUERY_DIRECTORY.Class2) - sizeof(WCHAR)*ANYSIZE_ARRAY)
#define SIZE_OF_FQD_CLASS3 (sizeof(FQD_CommonBlock) + sizeof(FILE_QUERY_DIRECTORY.Class3) - sizeof(WCHAR)*ANYSIZE_ARRAY)
*/

#pragma pack(push)
#pragma pack(4)
//
// Directory control structure
//
// Three of the four fields match what ZwQueryDirectoryFile (below) takes as
// BufferLength, SearchTemplate and DirectoryInfoClass, so this is presumably
// the per-request parameter block a directory-control handler sees - confirm
// against the IRP stack layout before relying on field offsets. Declared
// under the enclosing #pragma pack(4).
//
typedef struct tag_QUERY_DIRECTORY
{
  ULONG Length;
  PUNICODE_STRING FileName;
  FILE_INFORMATION_CLASS FileInformationClass;
  ULONG FileIndex;
} QUERY_DIRECTORY, *PQUERY_DIRECTORY;


//
// The two leading ULONGs every directory-information record below starts
// with. NextEntryOffset chains the records inside one query buffer; code
// that walks or rewrites that chain must check each offset stays within the
// buffer length before following it, since nothing in these layouts does.
//
typedef struct tag_FQD_SmallCommonBlock
{
  ULONG   NextEntryOffset;
  ULONG   FileIndex;
} FQD_SmallCommonBlock, *PFQD_SmallCommonBlock;

//
// Fixed-size timestamp / size / attribute part shared by the records that
// carry it. Declared under #pragma pack(4), so the 8-byte LARGE_INTEGER
// members (and TIME, if KTypes.h defines it as 8 bytes) sit on 4-byte
// boundaries rather than their natural alignment.
//
typedef struct tag_FQD_FILE_ATTR
{
  TIME    CreationTime;
  TIME    LastAccessTime;
  TIME    LastWriteTime;
  TIME    ChangeTime;
  LARGE_INTEGER EndOfFile;
  LARGE_INTEGER AllocationSize;
  ULONG   FileAttributes;
} FQD_FILE_ATTR, *PFQD_FILE_ATTR;

//
// Full fixed-size prefix of FILE_DIRECTORY_INFORMATION,
// FILE_FULL_DIR_INFORMATION and FILE_BOTH_DIR_INFORMATION below;
// FILE_NAMES_INFORMATION carries only SmallCommonBlock. This replaces the
// flat tag_FQD_CommonBlock kept in the comment block above (same tag, so
// only one of the two can be live).
//
typedef struct tag_FQD_CommonBlock
{
  FQD_SmallCommonBlock SmallCommonBlock;
  FQD_FILE_ATTR        FileAttr;
  ULONG                FileNameLength;
} FQD_CommonBlock, *PFQD_CommonBlock;

//
// Record layout for the names-only directory query class. FileName is sized
// by FileNameLength and continues past the end of the struct, so a record
// is only complete if FileNameLength also fits inside the query buffer.
//
typedef struct _FILE_NAMES_INFORMATION
{
  FQD_SmallCommonBlock SmallCommonBlock;
  ULONG FileNameLength;
  WCHAR FileName[ANYSIZE_ARRAY];
} FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION;

// NOTE(review): with ANYSIZE_ARRAY == 1 and pack(4) the layout is 4+4+4+2 = 14
// bytes padded to a sizeof of 16, so this macro evaluates to 14: it keeps the
// tail padding and is 2 more than the offset of FileName (12). If the intended
// meaning is "bytes before the name", FIELD_OFFSET(FILE_NAMES_INFORMATION,
// FileName) is the exact form. The other SIZE_OF_* macros in this section are
// built the same way and deserve the same check.
#define SIZE_OF_FILE_NAMES_INFORMATION (sizeof(FILE_NAMES_INFORMATION)-sizeof(WCHAR)*ANYSIZE_ARRAY)

//
// Record for the basic directory query class: the full common prefix
// followed directly by the name, which is sized by CommonBlock.FileNameLength
// and continues past the end of the struct.
//
typedef struct _FILE_DIRECTORY_INFORMATION
{
  FQD_CommonBlock CommonBlock;

  WCHAR  FileName[ANYSIZE_ARRAY];
} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION;

// NOTE(review): sizeof includes whatever tail padding pack(4) adds after the
// one-element FileName, so this is not necessarily the offset of FileName;
// FIELD_OFFSET(FILE_DIRECTORY_INFORMATION, FileName) is exact if that is what
// callers mean by it.
#define SIZE_OF_FILE_DIRECTORY_INFORMATION (sizeof(FILE_DIRECTORY_INFORMATION)-sizeof(WCHAR)*ANYSIZE_ARRAY)

//
// Record for the full directory query class: the common prefix, the
// extended-attribute size, then the name (sized by CommonBlock.FileNameLength,
// continuing past the end of the struct).
//
typedef struct _FILE_FULL_DIR_INFORMATION
{
  FQD_CommonBlock CommonBlock;

  ULONG  EaSize;
  WCHAR  FileName[ANYSIZE_ARRAY];
} FILE_FULL_DIR_INFORMATION, *PFILE_FULL_DIR_INFORMATION;

// NOTE(review): sizeof includes whatever tail padding pack(4) adds after the
// one-element FileName, so this can exceed the offset of FileName;
// FIELD_OFFSET(FILE_FULL_DIR_INFORMATION, FileName) is exact if that is the
// intended value.
#define SIZE_OF_FILE_FULL_DIR_INFORMATION (sizeof(FILE_FULL_DIR_INFORMATION)-sizeof(WCHAR)*ANYSIZE_ARRAY)

//
// Record for the "both names" directory query class: common prefix, EA size,
// the fixed 12-character short name with its length, then the long name
// (sized by CommonBlock.FileNameLength, continuing past the struct).
//
typedef struct _FILE_BOTH_DIR_INFORMATION
{
  FQD_CommonBlock CommonBlock;

  ULONG  EaSize;
  USHORT ShortFileNameLength;
//  CCHAR  ShortFileNameLength;
// NOTE(review): as USHORT or as the commented-out CCHAR, ShortFileName lands
// at the same offset (a CCHAR is followed by one pad byte before the WCHAR
// array), but the USHORT form also reads that pad byte into the length. If
// the kernel fills a one-byte length here, mask to the low byte or switch
// the declaration back to CCHAR.
  WCHAR  ShortFileName[12];
  WCHAR  FileName[ANYSIZE_ARRAY];
} FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION;
#pragma pack(pop)

// Defined after pack(pop), which is harmless: packing affected the struct at
// its definition, and sizeof reflects that. For this layout (assuming an
// 8-byte TIME) the result coincides with the offset of FileName because the
// fixed part is already a multiple of 4.
#define SIZE_OF_FILE_BOTH_DIR_INFORMATION (sizeof(FILE_BOTH_DIR_INFORMATION)-sizeof(WCHAR)*ANYSIZE_ARRAY)


//
// Definition for ZwOpenFile call
//
// FileHandle receives the opened handle only on a successful NTSTATUS; do
// not use it after a failing status. ObjectAttributes must be fully
// initialised by the caller, and IoStatusBlock receives the completion
// information for the open.
//
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenFile(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG ShareAccess,
    IN ULONG OpenOptions
    );

//
// Definition for ZwQueryDirectoryFile call
//
// Parameter names are this file's own (ByOne / SearchTemplate / Reset). On
// success Buffer holds a chain of records in the layout selected by
// DirectoryInfoClass (the *_INFORMATION structs above), linked through
// NextEntryOffset. Code that walks or rewrites that chain must keep every
// offset and every FileNameLength inside BufferLength - nothing in the
// prototype enforces that. EventHandle, the APC arguments and SearchTemplate
// are OPTIONAL as annotated.
//
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryDirectoryFile(
    IN HANDLE DirectoryFileHandle,
    IN HANDLE EventHandle OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID Buffer,
    IN ULONG BufferLength,
    IN FILE_INFORMATION_CLASS DirectoryInfoClass,
    IN BOOLEAN ByOne,
    IN PUNICODE_STRING SearchTemplate OPTIONAL,
    IN BOOLEAN Reset
    );

//
// Definition for ZwQueryObject call
//
// Information classes for ZwQueryObject. Each maps to a struct below:
// BaseObjectInfo -> BASE_OBJECT_INFO, NameObjectInfo -> NAME_OBJECT_INFO,
// TypeObjectInfo -> TYPE_OBJECT_INFO, HandleObjectInfo -> HANDLE_OBJECT_INFO;
// UnknownObjectInfo (3) has no layout in this file. The 0x200 lengths in the
// per-value comments appear to be the author's working buffer sizes rather
// than a defined minimum; size retries from LengthReturned where possible.
//
typedef enum _OBJECTINFOCLASS
{
  BaseObjectInfo = 0,
  NameObjectInfo,           // ObjectInformationLength = 0x200;
  TypeObjectInfo,           // ObjectInformationLength = 0x200;
  UnknownObjectInfo,        //
  HandleObjectInfo          // ObjectInformationLength = 0x200;
} OBJECTINFOCLASS;

//
// Definition for ZwQueryObject call
//
// Fills ObjectInformation (ObjectInformationLength bytes) with the structure
// selected by ObjectInformationClass. LengthReturned, when supplied,
// presumably receives the size the call needed or used, which is the value
// to retry with after a too-small buffer - confirm against the status
// returned in that case.
//
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryObject(
    IN HANDLE ObjectHandle,
    IN OBJECTINFOCLASS ObjectInformationClass,
    OUT PVOID ObjectInformation,
    IN ULONG ObjectInformationLength,
    OUT PULONG LengthReturned OPTIONAL
    );

//
// Layout returned for BaseObjectInfo. The trailing Unknown[10] is the part
// of the record the author did not identify; do not interpret those ULONGs.
//
typedef struct _BASE_OBJECT_INFO
{
  ULONG HandleAttributes;
  ACCESS_MASK GrantedAccess;
  ULONG HandleCount;
  ULONG ReferenceCount;
  ULONG Unknown[10];
} BASE_OBJECT_INFO, *PBASE_OBJECT_INFO;

//
// Layout returned for NameObjectInfo. Name.Buffer presumably points at
// storage that follows this header inside the same caller-supplied buffer
// (hence the 0x200 length noted on the enum) - confirm before copying the
// struct anywhere on its own.
//
typedef struct _NAME_OBJECT_INFO
{
  UNICODE_STRING Name;
} NAME_OBJECT_INFO, *PNAME_OBJECT_INFO;

//
// Layout returned for TypeObjectInfo. Unknown1 and Unknown2 are fields the
// author did not identify and only serve to place the named members;
// Type.Buffer presumably points into the same caller-supplied buffer, as
// for NAME_OBJECT_INFO - confirm.
//
typedef struct _TYPE_OBJECT_INFO
{
  UNICODE_STRING Type;
  ULONG InstanceCount;
  ULONG HandleCount;
  ULONG Unknown1[11];
  GENERIC_MAPPING GenericMapping;
  ACCESS_MASK MaximumAllowed;
  ULONG Unknown2[4];
} TYPE_OBJECT_INFO, *PTYPE_OBJECT_INFO;

//
// Layout for HandleObjectInfo: the two per-handle flags. The struct is only
// two bytes even though the enum comment above mentions a 0x200 buffer.
//
typedef struct _HANDLE_OBJECT_INFO
{
  BOOLEAN Inherit;
  BOOLEAN ProtectFromClose;
} HANDLE_OBJECT_INFO, *PHANDLE_OBJECT_INFO;

//
// Undocumented export: resolves the object named by ObjectPath, restricted
// to ObjectType, checks DesiredAccess for AccessMode and returns the object
// body in *ObjectPtr. Presumably the object comes back referenced and must
// be released with ObDereferenceObject when no longer needed - confirm.
// ParseContext is passed through to the type's parse routine and may be NULL.
//
NTSYSAPI
NTSTATUS
NTAPI
ObReferenceObjectByName(
    IN PUNICODE_STRING ObjectPath,
    IN ULONG Attributes,
    IN PACCESS_STATE PassedAccessState OPTIONAL,
    IN ACCESS_MASK DesiredAccess OPTIONAL,
    IN POBJECT_TYPE ObjectType,
    IN KPROCESSOR_MODE AccessMode,
    IN OUT PVOID ParseContext OPTIONAL,
    OUT PVOID *ObjectPtr
    );  

//
// Checks that [Address, Address + Length) is writable user-mode memory with
// the given Alignment. It returns VOID, so a failed probe cannot be reported
// through a return value; the DDK probe routines raise an exception instead,
// so call this inside __try/__except. NOTE(review): ntddk.h may already
// declare ProbeForWrite; a redeclaration with differing types will not
// compile on that DDK.
//
NTSYSAPI
VOID
NTAPI
ProbeForWrite(
    IN PVOID Address, 
    IN ULONG Length,  
    IN ULONG Alignment
    ); 

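//
// Returns the processor mode (UserMode or KernelMode) the current thread
// came from before entering the kernel - i.e. whether the caller's buffers
// are user-mode and must be probed before use. The parameter list is an
// explicit VOID so this is a real prototype when the header is compiled as
// C as well as C++ (in C an empty "()" means "unspecified parameters").
//
NTSYSAPI
KPROCESSOR_MODE
NTAPI
KeGetPreviousMode(
    VOID
    );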

//
// Definition for ObQueryNameString call
//
//NTSYSAPI
//NTSTATUS
//NTAPI
//ObQueryNameString(
//    POBJECT Object,
//    PUNICODE_STRING Name,
//    ULONG MaximumLength,
//    PULONG ActualLength
//    );

//
// Live declaration of ObQueryNameString (the older one above is commented
// out). NOTE(review): the first parameter is typed PDEVICE_OBJECT here,
// narrower than the POBJECT of the commented-out variant, although that
// variant suggests the routine accepts any object body; callers holding
// other objects will have to cast. ObjectNameInfo points to a buffer of
// MaximumLength bytes that receives an OBJECT_NAME_INFORMATION header plus,
// presumably, the name characters it refers to; LengthReturned is the size
// to retry with when the buffer was too small - confirm against the status
// returned in that case.
//
NTSYSAPI
NTSTATUS
NTAPI
ObQueryNameString(
    IN PDEVICE_OBJECT DeviceObject,
    OUT POBJECT_NAME_INFORMATION ObjectNameInfo,
    IN ULONG MaximumLength,
    OUT PULONG LengthReturned
    );


//
// Name and type of an object as a pair of counted strings. No consumer is
// visible in this part of the file; the string buffers presumably live
// outside the struct, as with NAME_OBJECT_INFO - confirm before copying.
//
typedef struct _OBJECT_NAMETYPE_INFO 
{               
  UNICODE_STRING ObjectName;
  UNICODE_STRING ObjectType;
} OBJECT_NAMETYPE_INFO, *POBJECT_NAMETYPE_INFO;   

//
// Selector for enumerating an object directory. By analogy with the ByOne
// flag of ZwQueryDirectoryFile, ObjectArray presumably returns many entries
// per call and ObjectByOne a single one; the query routine that takes this
// enum is not declared in this part of the file, so confirm the values
// against it.
//
typedef enum _DIRECTORYINFOCLASS 
{
  ObjectArray,
  ObjectByOne
} DIRECTORYINFOCLASS, *PDIRECTORYINFOCLASS;
