//NTSYSAPI
//NTSTATUS
//NTAPI
//ZwQueryDirectoryObject (
// IN HANDLE DirectoryHandle,
// OUT PVOID Buffer,
// IN ULONG Length,
// IN BOOLEAN ReturnSingleEntry,
// IN BOOLEAN RestartScan,
// IN OUT PULONG Context,
// OUT PULONG ReturnLength OPTIONAL
// );
//NtQueryDirectoryObject
// Function-pointer type for invoking NtQueryDirectoryObject through a pointer
// (how that pointer is obtained is not shown in this header).
// NOTE(review): parameters 4 and 5 are typed DIRECTORYINFOCLASS / BOOLEAN First
// here, while the commented-out ZwQueryDirectoryObject prototype above lists
// BOOLEAN ReturnSingleEntry / BOOLEAN RestartScan in those positions; confirm
// which form matches the target build before relying on the parameter names.
// ObjectInfoBufferLength is presumably the only bound on writes into
// ObjectInfoBuffer, so it must be the true size of that buffer.
typedef NTSTATUS (__stdcall *NTQUERYDIRECTORYOBJECT)(HANDLE DirectoryObjectHandle, PVOID ObjectInfoBuffer, ULONG ObjectInfoBufferLength, DIRECTORYINFOCLASS DirectoryInformationClass, BOOLEAN First, PULONG ObjectIndex, PULONG LengthReturned);
// Opens an object-manager directory object and returns a handle to it.
//   DirectoryHandle  - receives the opened handle
//   DesiredAccess    - access mask requested on the directory
//   ObjectAttributes - name and attributes of the directory to open
// NOTE(review): per the WDK guidance on Zw routines, a kernel-mode call runs
// with previous mode KernelMode, so parameter probing and access checks are
// not applied. Names that originate from user mode need validation by the
// caller, and OBJ_KERNEL_HANDLE keeps the handle out of the current process's
// handle table - confirm against callers.
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenDirectoryObject (
OUT PHANDLE DirectoryHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes
);
// Opens an object-manager symbolic link object and returns a handle to it.
//   SymbolicLinkHandle - receives the opened handle
//   DesiredAccess      - access mask requested on the link
//   ObjectAttributes   - name and attributes of the link to open
// NOTE(review): as a Zw routine called from kernel mode this bypasses access
// checks; a link name taken from a user-mode request should be validated by
// the caller, and the handle closed on every path - confirm against callers.
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenSymbolicLinkObject (
OUT PHANDLE SymbolicLinkHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes
);
// Reads the target string of an opened symbolic link object.
//   LinkHandle     - handle to the symbolic link
//   LinkTarget     - in/out: caller-supplied UNICODE_STRING that receives the
//                    target
//   ReturnedLength - optional; receives a length value from the routine
// NOTE(review): per the WDK documentation the caller must initialise
// LinkTarget->Buffer and LinkTarget->MaximumLength before the call, and a
// too-small buffer is reported through the status code with the needed size
// in ReturnedLength; the result is counted, not guaranteed NUL-terminated -
// confirm for the target build.
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySymbolicLinkObject (
IN HANDLE LinkHandle,
IN OUT PUNICODE_STRING LinkTarget,
OUT PULONG ReturnedLength OPTIONAL
);
// Looks up the thread object for a thread id.
//   ulThreadId - id of the thread to find
//   ppEThread  - receives the thread object pointer on success
// Per the WDK documentation, a successful lookup returns a referenced object;
// the caller releases it with ObDereferenceObject, otherwise the object leaks.
// NOTE(review): the id is declared ULONG here, whereas the WDK prototype takes
// a HANDLE; the two have the same width only on 32-bit builds.
NTSYSAPI
NTSTATUS
NTAPI
PsLookupThreadByThreadId (
IN ULONG ulThreadId,
OUT PETHREAD* ppEThread
);
// Looks up the process object for a process id.
//   ulProcessId - id of the process to find
//   ppEProcess  - receives the process object pointer on success
// Per the WDK documentation, a successful lookup returns a referenced object;
// the caller releases it with ObDereferenceObject, otherwise the object leaks.
// NOTE(review): the id is declared ULONG here, whereas the WDK prototype takes
// a HANDLE; the two have the same width only on 32-bit builds.
NTSYSAPI
NTSTATUS
NTAPI
PsLookupProcessByProcessId (
IN ULONG ulProcessId,
OUT PEPROCESS* ppEProcess
);
#ifndef __WIN2K
// File-name record: a length field followed by the name characters.
// FileName is declared with a single element as a variable-length tail.
// NOTE(review): presumably FileNameLength is a byte count and the name is not
// NUL-terminated - confirm. Readers should bound every access by
// FileNameLength and by the size of the buffer that holds the record, never
// by sizeof(FILE_NAME_INFORMATION).
typedef struct _FILE_NAME_INFORMATION
{
ULONG FileNameLength;
WCHAR FileName[1];
} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;
// Kernel-mode file create/open routine; declared here only when __WIN2K is
// not defined.
//   FileHandle            - receives the opened handle
//   DesiredAccess         - access mask requested on the file
//   ObjectAttributes      - path and attributes of the file
//   IoStatusBlock         - receives the completion status
//   AllocationSize        - optional initial allocation size
//   FileAttributes / ShareAccess / Disposition / CreateOptions - create flags
//   EaBuffer / EaLength   - optional extended-attribute buffer and its length
//   CreateFileType        - kind of object being created
//   ExtraCreateParameters - optional, depends on CreateFileType
//   Options               - I/O manager option flags
// NOTE(review): when the path or attributes come from a user-mode request, the
// WDK documents IO_FORCE_ACCESS_CHECK in Options so that access checks are
// performed despite the kernel-mode caller - confirm how callers set Options.
NTSYSAPI
NTSTATUS
NTAPI
IoCreateFile(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PLARGE_INTEGER AllocationSize OPTIONAL,
IN ULONG FileAttributes,
IN ULONG ShareAccess,
IN ULONG Disposition,
IN ULONG CreateOptions,
IN PVOID EaBuffer OPTIONAL,
IN ULONG EaLength,
IN CREATE_FILE_TYPE CreateFileType,
IN PVOID ExtraCreateParameters OPTIONAL,
IN ULONG Options
) ;
#endif //__WIN2K
// Local definitions of Win32-style type names used by the structure layouts
// in this header.
typedef void* HINSTANCE;
typedef unsigned char BYTE;
typedef unsigned short WORD;
// Opaque pointer: the impersonation-info layout is not described in this header.
typedef void* PPS_IMPERSONATION_INFO;
// Two-ULONG placeholder for the top-level-IRP slot embedded in ETHREAD; the
// field names show that the meaning of both members is unknown to the author.
typedef struct _TOP_LEVEL_IRP
{
ULONG ulUnknown0;
ULONG ulUnknown1;
} TOP_LEVEL_IRP, *PTOP_LEVEL_IRP;
// APC state block embedded in KTHREAD (ApcState and SavedApcState).
// The trailing comments are expected byte offsets; Process at 0x10 followed by
// a byte at 0x14 implies 4-byte pointers.
// NOTE(review): the layout is tied to one OS build and is not checked at
// compile time; consider C_ASSERT(sizeof(KAPC_STATE) == 0x18).
typedef struct _KAPC_STATE //Size: 0x18
{
LIST_ENTRY ApcListHead[2]; //0x00
struct _EPROCESS* Process; //0x10
BYTE KernelApcInProgress; //0x14
BYTE KernelApcPending; //0x15
BYTE UserApcPending; //0x16
BYTE Reserved; //0x17
} KAPC_STATE, *PKAPC_STATE;
// Pair of KAPC_STATE pointers embedded in KTHREAD as ApcStatePointer.
// Offsets 0x00 and 0x04 with a total size of 0x8 imply 4-byte pointers.
typedef struct APC_STATE_POINTER //size : 0x8
{
PKAPC_STATE SavedApcState; //0x00
PKAPC_STATE ApcState; //0x04
} APC_STATE_POINTER;
// Process Environment Block layout as assumed by this header. The trailing
// /*nnn*/ comments are the expected byte offsets and the stated size is 0x1D8;
// Mutant at 0x004 followed by ImageBaseAddress at 0x008 implies 4-byte
// handles and pointers. Many pointer-valued slots are declared as plain ULONG.
// NOTE(review): the offsets are fixed to one OS build and are not checked at
// compile time; on any other build, access through this struct reads or
// writes unrelated memory. Consider C_ASSERT(sizeof(PEB) == 0x1D8) and gating
// use on the running OS version.
// NOTE(review): the PEB is process (user-mode) memory, so kernel code should
// treat every value read from it as untrusted input and guard the access -
// confirm how callers reach this structure.
typedef struct _PEB
{ // Size: 0x1D8
UCHAR InheritedAddressSpace; /*000*/
UCHAR ReadImageFileExecOptions; /*001*/
UCHAR BeingDebugged; /*002*/
UCHAR SpareBool; // Allocation size /*003*/
HANDLE Mutant; /*004*/
HINSTANCE ImageBaseAddress; // Instance /*008*/
VOID *Ldr; // Module list? /*00C*/
VOID *ProcessParameters; /*010*/
ULONG SubSystemData; /*014*/
HANDLE ProcessHeap; /*018*/
KSPIN_LOCK FastPebLock; /*01C*/
ULONG FastPebLockRoutine; /*020*/
ULONG FastPebUnlockRoutine; /*024*/
ULONG EnvironmentUpdateCount; /*028*/
ULONG KernelCallbackTable; /*02C*/
LARGE_INTEGER SystemReserved; /*030*/
ULONG FreeList; /*038*/
ULONG TlsExpansionCounter; /*03C*/
ULONG TlsBitmap; /*040*/
// NOTE(review): offset 0x044 is not 8-byte aligned. If LARGE_INTEGER carries
// 8-byte alignment under the packing in effect, the compiler pads this member
// to 0x048 and every later member no longer matches its offset comment -
// confirm the packing or verify the offsets at compile time.
LARGE_INTEGER TlsBitmapBits; /*044*/
ULONG ReadOnlySharedMemoryBase; /*04C*/
ULONG ReadOnlySharedMemoryHeap; /*050*/
ULONG ReadOnlyStaticServerData; /*054*/
ULONG AnsiCodePageData; /*058*/
ULONG OemCodePageData; /*05C*/
ULONG UnicodeCaseTableData; /*060*/
ULONG NumberOfProcessors; /*064*/
LARGE_INTEGER NtGlobalFlag; // Address of a local copy /*068*/
LARGE_INTEGER CriticalSectionTimeout; /*070*/
ULONG HeapSegmentReserve; /*078*/
ULONG HeapSegmentCommit; /*07C*/
ULONG HeapDeCommitTotalFreeThreshold; /*080*/
ULONG HeapDeCommitFreeBlockThreshold; /*084*/
ULONG NumberOfHeaps; /*088*/
ULONG MaximumNumberOfHeaps; /*08C*/
ULONG ProcessHeaps; /*090*/
ULONG GdiSharedHandleTable; /*094*/
ULONG ProcessStarterHelper; /*098*/
ULONG GdiDCAttributeList; /*09C*/
KSPIN_LOCK LoaderLock; /*0A0*/
ULONG OSMajorVersion; /*0A4*/
ULONG OSMinorVersion; /*0A8*/
USHORT OSBuildNumber; /*0AC*/
USHORT OSCSDVersion; /*0AE*/
ULONG OSPlatformId; /*0B0*/
ULONG ImageSubsystem; /*0B4*/
ULONG ImageSubsystemMajorVersion; /*0B8*/
ULONG ImageSubsystemMinorVersion; /*0BC*/
ULONG ImageProcessAffinityMask; /*0C0*/
ULONG GdiHandleBuffer[0x22]; /*0C4*/
ULONG PostProcessInitRoutine; /*14C*/
ULONG TlsExpansionBitmap; /*150*/
UCHAR TlsExpansionBitmapBits[0x80]; /*154*/
ULONG SessionId; /*1D4*/
} PEB, *PPEB;
// Thread Environment Block layout as assumed by this header. The trailing
// /*nnn*/ comments are the expected byte offsets and the stated size is 0xF88.
// Several regions are carried as opaque UCHAR arrays sized only to keep the
// later offsets in place, and pointer-valued slots are mostly plain ULONG.
// NOTE(review): the offsets are fixed to one OS build and are not checked at
// compile time; consider C_ASSERT(sizeof(TEB) == 0xF88) and gating use on the
// running OS version.
// NOTE(review): the TEB is user-mode memory, so kernel code should treat
// values read from it (including ProcessEnvironmentBlock) as untrusted and
// guard the access - confirm how callers reach this structure.
typedef struct _TEB
{ // Size: 0xF88
NT_TIB NtTib; /*000*/
VOID* EnvironmentPointer; /*01C*/
CLIENT_ID ClientId; /*020*/
HANDLE ActiveRpcHandle; /*028*/
VOID* ThreadLocalStoragePointer; /*02C*/
PEB* ProcessEnvironmentBlock; // PEB /*030*/
ULONG LastErrorValue; /*034*/
ULONG CountOfOwnedCriticalSections; /*038*/
ULONG CsrClientThread; /*03C*/
ULONG Win32ThreadInfo; /*040*/
UCHAR Win32ClientInfo[0x7C]; /*044*/
ULONG WOW32Reserved; /*0C0*/
ULONG CurrentLocale; /*0C4*/
ULONG FpSoftwareStatusRegister; /*0C8*/
UCHAR SystemReserved1[0xD8]; /*0CC*/
ULONG Spare1; /*1A4*/
ULONG ExceptionCode; /*1A8*/
UCHAR SpareBytes1[0x28]; /*1AC*/
UCHAR SystemReserved2[0x28]; /*1D4*/
UCHAR GdiTebBatch[0x4E0]; /*1FC*/
ULONG gdiRgn; /*6DC*/
ULONG gdiPen; /*6E0*/
ULONG gdiBrush; /*6E4*/
CLIENT_ID RealClientId; /*6E8*/
ULONG GdiCachedProcessHandle; /*6F0*/
ULONG GdiClientPID; /*6F4*/
ULONG GdiClientTID; /*6F8*/
ULONG GdiThreadLocalInfo; /*6FC*/
UCHAR UserReserved[0x14]; /*700*/
UCHAR glDispatchTable[0x460]; /*714*/
UCHAR glReserved1[0x68]; /*B74*/
ULONG glReserved2; /*BDC*/
ULONG glSectionInfo; /*BE0*/
ULONG glSection; /*BE4*/
ULONG glTable; /*BE8*/
ULONG glCurrentRC; /*BEC*/
ULONG glContext; /*BF0*/
ULONG LastStatusValue; /*BF4*/
LARGE_INTEGER StaticUnicodeString; /*BF8*/
UCHAR StaticUnicodeBuffer[0x20C]; /*C00*/
ULONG DeallocationStack; /*E0C*/
UCHAR TlsSlots[0x100]; /*E10*/
LARGE_INTEGER TlsLinks; /*F10*/
ULONG Vdm; /*F18*/
ULONG ReservedForNtRpc; /*F1C*/
LARGE_INTEGER DbgSsReserved; /*F20*/
ULONG HardErrorsAreDisabled; /*F28*/
UCHAR Instrumentation[0x40]; /*F2C*/
ULONG WinSockData; /*F6C*/
ULONG GdiBatchCount; /*F70*/
ULONG Spare2; /*F74*/
ULONG Spare3; /*F78*/
ULONG Spare4; /*F7C*/
ULONG ReservedForOle; /*F80*/
ULONG WaitingOnLoaderLock; /*F84*/
} TEB, *PTEB;
// Kernel thread control block layout as assumed by this header. The trailing
// comments are the expected byte offsets (hex) and the stated size is 0x1B0;
// Teb at 0x20 followed by TlsArray at 0x24 implies 4-byte pointers. Several
// pointer-valued slots (stacks, ServiceTable, Queue, TrapFrame) are declared
// as plain ULONG.
// NOTE(review): this is an undocumented, build-specific layout with no
// compile-time check. On a build where it differs, reads return unrelated
// kernel data and writes corrupt the thread object. Consider
// C_ASSERT(sizeof(KTHREAD) == 0x1B0) and refusing to run on unverified OS
// versions.
typedef struct _KTHREAD // Size: 0x1B0
{
DISPATCHER_HEADER Header; //00
LIST_ENTRY MutantListHead; //10
ULONG InitialStack; //18
ULONG StackLimit; //1c
TEB* Teb; //20
VOID* TlsArray; //24
ULONG KernelStack; //28
BYTE DebugActive; //2c
BYTE State; //2d
WORD Alerted; //2e
BYTE Iopl; //30
BYTE NpxState; //31
BYTE Saturation; //32
BYTE Priority; //33
KAPC_STATE ApcState; //34
ULONG ContextSwitches; //4c
ULONG WaitStatus; //50
BYTE WaitIrql; //54
BYTE WaitMode; //55
BYTE WaitNext; //56
BYTE WaitReason; //57
ULONG WaitBlockList; //58
LIST_ENTRY WaitListEntry; //5c
ULONG WaitTime; //64
BYTE BasePriority; //68
BYTE DecrementCount; //69
BYTE PriorityDecrement; //6a
BYTE Quantum; //6b
KWAIT_BLOCK WaitBlock [4]; //6c
ULONG LegoData; //cc
ULONG KernelApcDisable; //d0
ULONG UserAffinity; //d4
BYTE SystemAffinityActive;//d8
BYTE Pad [3]; //d9
ULONG ServiceTable; //dc
ULONG Queue; //e0
ULONG ApcQueueLock; //e4
KTIMER Timer; //e8
LIST_ENTRY QueueListEntry; //110
ULONG Affinity; //118
BYTE Preempted; //11c
BYTE ProcessReadyQueue; //11d
BYTE KernelStackResident;//11e
BYTE NextProcessor; //11f
ULONG CallbackStack; //120
// NOTE(review): declared as TEB* here; confirm the intended pointee type.
TEB* Win32Thread; //124
ULONG TrapFrame; //128
APC_STATE_POINTER ApcStatePointer; //12c
BYTE EnableStackSwap; //134
BYTE LargeStack; //135
BYTE ResourceIndex; //136
BYTE PreviousMode; //137
ULONG KernelTime; //138
ULONG UserTime; //13c
KAPC_STATE SavedApcState; //140
BYTE Alertable; //158
BYTE ApcStateIndex; //159
BYTE ApcQueueable; //15a
BYTE AutoAlignment; //15b
ULONG StackBase; //15c
KAPC SuspendApc; //160
KSEMAPHORE SuspendSemaphore; //190
LIST_ENTRY ThreadListEntry; //1a4
BYTE FreezeCount; //1ac
BYTE SuspendCount; //1ad
BYTE IdealProcessor; //1ae
BYTE DisableBoost; //1af
} KTHREAD, * PKTHREAD;
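// Executive thread object layout as assumed by this header (stated size
// 0x240). The trailing comments are the expected byte offsets (hex), with
// 4-byte pointers.
//
// LpcReplySemaphore is declared as an embedded KSEMAPHORE. The offsets place
// it at 0x1e8 and the next member at 0x1fc, a 0x14-byte slot, which is the
// size KTHREAD.SuspendSemaphore occupies (0x190..0x1a4). A pointer-typed
// member would take only 4 bytes, so every later member (ImpersonationInfo,
// GrantedAccess, ThreadsProcess, StartAddress, ...) would sit 0x10 below its
// documented offset and be read from the wrong kernel memory. Code that
// treated the member as a pointer must take its address instead.
//
// NOTE(review): this is an undocumented, build-specific layout with no
// compile-time check; consider C_ASSERT(sizeof(ETHREAD) == 0x240) and refusing
// to run on unverified OS versions.
typedef struct _ETHREAD //size 0x240
{
    KTHREAD Tcb; //0
    TIME CreateTime; //1b0
    union
    {
        LARGE_INTEGER ExitTime; //1b8
        LARGE_INTEGER LpcReplyChain;
    };
    union
    {
        ULONG ExitStatus; //1c0
        ULONG OfsChain;
    };
    LIST_ENTRY PostBlockList; //1c4
    LIST_ENTRY TerminationPortList;//1cc
    KSPIN_LOCK ActiveTimerListLock;//1d4
    LIST_ENTRY ActiveTimerListHead;//1d8
    CLIENT_ID Cid; //1e0
    KSEMAPHORE LpcReplySemaphore; //1e8 (0x14 bytes, ends at 0x1fc)
    ULONG LpcReplyMessage; //1fc
    ULONG LpcReplyMessageId; //200
    ULONG PerformanceCountLow;//204
    PPS_IMPERSONATION_INFO ImpersonationInfo;//208
    LIST_ENTRY IrpList; //20c
    TOP_LEVEL_IRP TopLevelIrp; //214
    ULONG ReadClusterSize; //21c
    UCHAR ForwardClusterOnly; //220
    UCHAR DisablePageFaultClustering;//221
    UCHAR DeadThread; //222
    UCHAR HasTerminated; //223
    ULONG EventPair; //224
    ACCESS_MASK GrantedAccess; //228
    ULONG ThreadsProcess; //22c
    ULONG StartAddress; //230
    union
    {
        ULONG Win32StartAddress; //234
        ULONG LpcReceivedMessageId;
    };
    UCHAR LpcExitThreadCalled;//238
    UCHAR HardErrorsAreDisabled;//239
    UCHAR LpcReceivedMsgIdValid;//23a
    UCHAR ActiveImpersonationInfo;//23b
    ULONG PerformanceCountHigh;//23c
} ETHREAD, *PETHREAD;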
// Sends a file-system control code to the file system behind FileHandle.
//   FileHandle                       - handle to the target file or volume
//   Event / ApcRoutine / ApcContext  - optional completion notification
//   IoStatusBlock                    - receives the completion status
//   FsControlCode                    - control code to issue
//   InputBuffer / InputBufferLength  - optional request data and its size
//   OutputBuffer / OutputBufferLength - optional result buffer and its size
// NOTE(review): called from kernel mode, a Zw routine does not probe the
// buffers or check access. Lengths must match the real buffer sizes, and
// user-supplied buffers or control codes need validation by the caller -
// confirm against callers.
NTSYSAPI
NTSTATUS
NTAPI
ZwFsControlFile (
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG FsControlCode,
IN PVOID InputBuffer OPTIONAL,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer OPTIONAL,
IN ULONG OutputBufferLength
);
//#define ZwNotifyChangeDirectoryFile NtNotifyChangeDirectoryFile
// Requests change notifications for a directory.
//   FileHandle                      - handle to the directory
//   Event / ApcRoutine / ApcContext - optional completion notification
//   IoStatusBlock                   - receives the completion status
//   Buffer / Length                 - receives the change records; Length is
//                                     the buffer size
//   CompletionFilter                - which kinds of change to report
//   WatchTree                       - whether to include subdirectories
// NOTE(review): this is declared under its Nt name. Per the WDK guidance on Nt
// versus Zw routines, a kernel-mode call to the Nt entry point keeps the
// thread's current previous mode, so kernel buffers and handles are rejected
// when that mode is UserMode - confirm how callers invoke it.
NTSYSAPI
NTSTATUS
NTAPI
NtNotifyChangeDirectoryFile (
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID Buffer,
IN ULONG Length,
IN ULONG CompletionFilter,
IN BOOLEAN WatchTree
);
// Returns a device object pointer for the given file object.
//   FileObject - file object to query
// NOTE(review): presumably this is the lowest file-system device for the
// file's volume, returned without an added reference - confirm. FileObject
// must be a valid, referenced file object for the duration of the call.
NTSYSAPI
PDEVICE_OBJECT
NTAPI
IoGetBaseFileSystemDeviceObject (
IN PFILE_OBJECT FileObject
);
// Enumerates entries of an opened directory into a caller-supplied buffer.
//   DirectoryFileHandle - handle to the directory
//   EventHandle / ApcRoutine / ApcContext - optional completion notification
//   IoStatusBlock       - receives the completion status
//   Buffer / BufferLength - receives the entries; BufferLength is the buffer
//                           size
//   DirectoryInfoClass  - which record format to return
//   ByOne               - return a single entry per call
//   SearchTemplate      - optional name filter
//   Reset               - restart the enumeration from the beginning
// NOTE(review): the returned records are variable-length; consumers should
// bound each record and its name by the bytes actually returned rather than
// by BufferLength - confirm against the parsing code.
// NOTE(review): this is declared under its Nt name; a kernel-mode call to the
// Nt entry point keeps the thread's current previous mode, so kernel buffers
// are rejected when that mode is UserMode - confirm how callers invoke it.
NTSYSAPI
NTSTATUS
NTAPI
NtQueryDirectoryFile(
IN HANDLE DirectoryFileHandle,
IN HANDLE EventHandle, // optional //
IN PIO_APC_ROUTINE ApcRoutine, // optional //
IN PVOID ApcContext, // optional //
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID Buffer,
IN ULONG BufferLength,
IN FILE_INFORMATION_CLASS DirectoryInfoClass,
IN BOOLEAN ByOne,
IN PUNICODE_STRING SearchTemplate, // optional //
IN BOOLEAN Reset
);
//#undef IoCallDriver
//NTSYSAPI
//NTSTATUS
//NTAPI
//IoCallDriver(
// IN PDEVICE_OBJECT DeviceObject,
// IN OUT PIRP Irp
// );
// Singly linked node used by DIRECTORY's hash buckets: a Next pointer and an
// untyped Object pointer.
// NOTE(review): presumably Object points at the object named by the entry -
// confirm. Any walk of this chain reads live kernel data and needs whatever
// lock protects the directory.
typedef struct _DIR_ITEM
{
struct _DIR_ITEM* Next;
PVOID Object;
} DIR_ITEM, *PDIR_ITEM;
// Directory body as assumed by this header: 37 hash-bucket heads followed by
// the last-lookup bookkeeping. The 94h/98h offset comments match 37 four-byte
// pointers (37 * 4 = 0x94), so the layout assumes 4-byte pointers.
// NOTE(review): this is an undocumented, build-specific layout with no
// compile-time check; verify it against the running OS version before
// dereferencing through it.
typedef struct _DIRECTORY
{
PDIR_ITEM HashEntries[37];
PDIR_ITEM LastHashAccess; //94h
ULONG LastHashResult; //98h
} DIRECTORY, *PDIRECTORY;
typedef struct _OBJECT_NAME
{
PDIRECTORY Directory; // 滂疱牝铕