rk_driver.h

能够在windows 2000以上操作系统下隐藏特定的进程

	IN SEMAPHORE_INFO_CLASS SemaphoreInfoClass,
	OUT PVOID Buffer,
	IN ULONG BufferSize,
	OUT PULONG BytesReturned
);

NTSTATUS
NTAPI
ZwQuerySemaphore(
	IN HANDLE hSemaphore,
	IN SEMAPHORE_INFO_CLASS SemaphoreInfoClass,
	OUT PVOID Buffer,
	IN ULONG BufferSize,
	OUT PULONG BytesReturned
);

NTSYSAPI
NTSTATUS
NTAPI
NtReleaseSemaphore(
	IN HANDLE hSemaphore,
	IN ULONG ReleaseCount,
	OUT PULONG PreviousCount
);

NTSTATUS
NTAPI
ZwReleaseSemaphore(
	IN HANDLE hSemaphore,
	IN ULONG ReleaseCount,
	OUT PULONG PreviousCount
);


NTSYSAPI
NTSTATUS
NTAPI
NtWaitForSingleObject(
	IN HANDLE hObject,
	IN BOOLEAN bAlertable,
	IN PLARGE_INTEGER Timeout
);

NTSYSAPI
NTSTATUS
NTAPI
ZwWaitForSingleObject(
	IN HANDLE hObject,
	IN BOOLEAN bAlertable,
	IN PLARGE_INTEGER Timeout
);

NTSYSAPI
NTSTATUS
NTAPI
NtSignalAndWaitForSingleObject(
	IN HANDLE hSignalObject,
	IN HANDLE hWaitObject,
	IN BOOLEAN bAlertable,
	IN PLARGE_INTEGER Timeout
);

NTSYSAPI
NTSTATUS
NTAPI
ZwSignalAndWaitForSingleObject(
	IN HANDLE hSignalObject,
	IN HANDLE hWaitObject,
	IN BOOLEAN bAlertable,
	IN PLARGE_INTEGER Timeout
);


NTSYSAPI
NTSTATUS
NTAPI
NtWaitForMultipleObjects(
	IN ULONG nWaitObjectHandles,
	IN PHANDLE WaitObjectHandlesArray,
	IN WAIT_TYPE WaitType,
	IN BOOLEAN bAlertable,
	IN PLARGE_INTEGER Timeout
);

NTSYSAPI
NTSTATUS
NTAPI
ZwWaitForMultipleObjects(
	IN ULONG nWaitObjectHandles,
	IN PHANDLE WaitObjectHandlesArray,
	IN WAIT_TYPE WaitType,
	IN BOOLEAN bAlertable,
	IN PLARGE_INTEGER Timeout
);

/* ______________________________________________
 . Timer
 . ______________________________________________ */

NTSYSAPI
NTSTATUS
NTAPI
NtCreateTimer(
	OUT PHANDLE phTimer,
	IN ACCESS_MASK AccessMask,
	IN POBJECT_ATTRIBUTES ObjectAttributes,
	IN TIMER_TYPE TimerType
);

NTSTATUS
NTAPI
ZwCreateTimer(
	OUT PHANDLE phTimer,
	IN ACCESS_MASK AccessMask,
	IN POBJECT_ATTRIBUTES ObjectAttributes,
	IN TIMER_TYPE TimerType
);

NTSYSAPI
NTSTATUS
NTAPI
NtOpenTimer(
	OUT PHANDLE phTimer,
	IN ACCESS_MASK AccessMask,
	IN POBJECT_ATTRIBUTES ObjectAttributes
);

NTSTATUS
NTAPI
ZwOpenTimer(
	OUT PHANDLE phTimer,
	IN ACCESS_MASK AccessMask,
	IN POBJECT_ATTRIBUTES ObjectAttributes
);

NTSYSAPI
NTSTATUS
NTAPI
NtQueryTimer(
	IN HANDLE hTimer,
	IN TIMER_INFO_CLASS InfoClass,
	OUT PVOID TimerInfoBuffer,
	IN ULONG TimerInfoBufferSize,
	OUT PULONG BytesCopied
);

NTSTATUS
NTAPI
ZwQueryTimer(
	IN HANDLE hTimer,
	IN TIMER_INFO_CLASS InfoClass,
	OUT PVOID TimerInfoBuffer,
	IN ULONG TimerInfoBufferSize,
	OUT PULONG BytesCopied
);


typedef VOID
(NTAPI *PTIMERAPCROUTINE)(
   PVOID lpArgToCompletionRoutine,
   ULONG dwTimerLowValue,
   ULONG dwTimerHighValue);


NTSYSAPI
NTSTATUS
NTAPI
NtSetTimer(
	IN HANDLE hTimer,
	IN PLARGE_INTEGER pDueTime,
	IN PTIMERAPCROUTINE pfnCompletionRoutine OPTIONAL,
	IN ULONG pfnCompletionRoutineArg,
	IN BOOLEAN bResume,
	IN LONG Period,
	OUT PBOOLEAN bTimerState
);


NTSTATUS
NTAPI
ZwSetTimer(
	IN HANDLE hTimer,
	IN PLARGE_INTEGER pDueTime,
	IN PTIMERAPCROUTINE pfnCompletionRoutine OPTIONAL,
	IN ULONG pfnCompletionRoutineArg,
	IN BOOLEAN bResume,
	IN LONG Period,
	OUT PBOOLEAN bTimerState
);

NTSYSAPI
NTSTATUS
NTAPI
NtCancelTimer(
	IN HANDLE hTimer,
	OUT PBOOLEAN pbState
);


NTSTATUS
NTAPI
ZwCancelTimer(
	IN HANDLE hTimer,
	OUT PBOOLEAN pbState
);

NTSYSAPI
NTSTATUS
NTAPI
NtDelayExecution(
	IN ULONG bAlertable,
	IN PLARGE_INTEGER pDuration
);

NTSTATUS
NTAPI
ZwDelayExecution(
	IN ULONG bAlertable,
	IN PLARGE_INTEGER pDuration
);

NTSYSAPI
NTSTATUS
NTAPI
NtQueryTimerResolution(
	OUT PULONG MaxResolution,
	OUT PULONG MinResolution,
	OUT PULONG SystemResolution
);

NTSTATUS
NTAPI
ZwQueryTimerResolution(
	OUT PULONG MaxResolution,
	OUT PULONG MinResolution,
	OUT PULONG SystemResolution
);

NTSYSAPI
NTSTATUS
NTAPI
NtSetTimerResolution(
	IN ULONG NewResolution,
	IN BOOLEAN bSet,
	OUT PULONG pResolutionSet
);

NTSTATUS
NTAPI
ZwSetTimerResolution(
	IN ULONG NewResolution,
	IN BOOLEAN bSet,
	OUT PULONG pResolutionSet
);

/* _____________________________________________
 . NT Performance Timers
 . -alter behavior to hide system activity such
 . as CPU usage.  hide l0phtcrack
 . _____________________________________________ */

NTSYSAPI
NTSTATUS
NTAPI
NtQueryPerformanceCounter(
	OUT PLARGE_INTEGER pPerformanceCount,
	OUT PLARGE_INTEGER pFrequency
);

NTSTATUS
NTAPI
ZwQueryPerformanceCounter(
	OUT PLARGE_INTEGER pPerformanceCount,
	OUT PLARGE_INTEGER pFrequency
);

NTSYSAPI
NTSTATUS
NTAPI
NtQuerySystemTime(
	OUT PLARGE_INTEGER pSystemTime
);

NTSTATUS
NTAPI
ZwQuerySystemTime(
	OUT PLARGE_INTEGER pSystemTime
);


NTSYSAPI
NTSTATUS
NTAPI
NtSetSystemTime(
	IN PLARGE_INTEGER pSystemTime,
	OUT PLARGE_INTEGER pOldsystemTime OPTIONAL
);

NTSTATUS
NTAPI
ZwSetSystemTime(
	IN PLARGE_INTEGER pSystemTime,
	OUT PLARGE_INTEGER pOldsystemTime OPTIONAL
);

NTSYSAPI
ULONG
NTAPI
NtGetTickCount(
);

ULONG
NTAPI
ZwGetTickCount(
);






/* LUID */
NTSYSAPI
NTSTATUS
NTAPI
NtAllocateLocallyUniqueId(
	OUT PLUID pLuid
);

NTSYSAPI
NTSTATUS
NTAPI
ZwAllocateLocallyUniqueId(
	OUT PLUID pLuid
);

/* display data on boot-up screen */
NTSYSAPI
NTSTATUS
NTAPI
NtDisplayString(
	IN PUNICODE_STRING pString
);

NTSYSAPI
NTSTATUS
NTAPI
ZwDisplayString(
	IN PUNICODE_STRING pString
);


/* __________________________________________________________________________
 . Internationalization
 . __________________________________________________________________________ */
NTSYSAPI
NTSTATUS
NTAPI
NtQueryDefaultUILanguage(
	OUT PUSHORT DefaultUILanguage
);

typedef 
NTSTATUS 
(NTAPI *PFNNTQUERYDEFAULTUILANGUAGE)(	
	OUT PUSHORT DefaultUILanguage
);


NTSYSAPI
NTSTATUS
NTAPI
ZwQueryDefaultUILanguage(
	OUT PUSHORT DefaultUILanguage
);

NTSYSAPI
NTSTATUS
NTAPI
NtQueryInstallUILanguage(
	OUT PUSHORT InstallUILanguage
);

typedef 
NTSTATUS 
(NTAPI *PFNNTQUERYINSTALLUILANGUAGE)(	
	OUT PUSHORT InstallUILanguage
);


NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInstallUILanguage(
	OUT PUSHORT InstallUILanguage
);


NTSYSAPI
NTSTATUS
NTAPI
NtSetDefaultUILanguage(
	IN USHORT DefaultUILanguage
);

typedef 
NTSTATUS 
(NTAPI *PFNNTSETDEFAULTUILANGUAGE)(	
	IN USHORT DefaultUILanguage
);

NTSYSAPI
NTSTATUS
NTAPI
ZwSetDefaultUILanguage(
	IN USHORT DefaultUILanguage
);

/* _______________________________________________________________________
 . Error Handling
 . _______________________________________________________________________ */
NTSYSAPI
NTSTATUS
NTAPI
NtRaiseHardError(
	NTSTATUS NtStatus,
	ULONG nParameters,
	ULONG ParametersMask,
	PVOID *ParameterList,
	ULONG Unknown1,
	PULONG Unknown2
);

NTSYSAPI
NTSTATUS
NTAPI
ZwRaiseHardError(
	NTSTATUS NtStatus,
	ULONG nParameters,
	ULONG ParametersMask,
	PVOID *ParameterList,
	ULONG Unknown1,
	PULONG Unknown2
);


/**********************************************************************************
 * Display strings to the boot-up-screen.  Kinda cool.  Can only use during boot-up,
 * else you will BSOD.
 **********************************************************************************/
NTSYSAPI
NTSTATUS
NTAPI ZwDisplayString( PUNICODE_STRING Text );

/**********************************************************************************
 * Extra shit.
 **********************************************************************************/

/*
 * Driver Related Types
 * --------------------------------------------------------
 */
typedef struct _INTERNAL_REQUEST {
    LIST_ENTRY     ListElement;
    PIRP           Irp;
    NDIS_REQUEST   Request;
} INTERNAL_REQUEST, *PINTERNAL_REQUEST;

/* this can be whatever we want, hail the void pointer! */
typedef struct _DEVICE_EXTENSION {
    PDEVICE_OBJECT DeviceObject;
    NDIS_HANDLE    NdisProtocolHandle;
    NDIS_HANDLE	   AdapterObject;
	UINT           Medium;
	NDIS_STRING    AdapterName;
    PWSTR          BindString;
    PWSTR          ExportString;
} DEVICE_EXTENSION, *PDEVICE_EXTENSION;

typedef struct _OPEN_INSTANCE {
    PDEVICE_EXTENSION   DeviceExtension;
    NDIS_HANDLE			AdapterHandle;  /* returned from ndisOpenAdapter */
    
	NDIS_HANDLE         mPacketPoolH;    
    NDIS_HANDLE			mBufferPoolH;

	NDIS_STATUS         mStatus; /* for async status */
	UINT                mMedium;
	NDIS_EVENT			Event;
	NDIS_STATUS			Status;
} OPEN_INSTANCE, *POPEN_INSTANCE;

typedef struct _PACKET_RESERVED {
    LIST_ENTRY     ListElement;
    PIRP           Irp;
	PVOID		   pBuffer; /* used for buffers built in kernel mode */
	ULONG		   bufferLen;
	PVOID		   pHeaderBufferP;
	ULONG		   pHeaderBufferLen;
    PMDL           pMdl;
}  PACKET_RESERVED, *PPACKET_RESERVED;

/* 
 * Prototypes
 * ---------------------------------------------------------------------
 */
VOID		OnUnload(IN PDRIVER_OBJECT DriverObject );
VOID        testCreateProcess(void); /* only testing, do not use */
NTSTATUS    OnStubDispatch( IN PDEVICE_OBJECT theDeviceObjectP, IN PIRP theIrpP );

/*
 * Global symbols
 */
extern KIRQL gIrqL;
extern POPEN_INSTANCE gOpenInstance;
extern KSPIN_LOCK	GlobalArraySpinLock;

extern PDEVICE_OBJECT	   gKbdHookDevice; /* hook keyboard class driver */
extern PDEVICE_OBJECT      kbdDevice;

extern PDEVICE_OBJECT		gUserDevice; 
extern PDRIVER_OBJECT		gDriverObject;

extern KEVENT		command_signal_event;
extern KEVENT		exec_signal_event;
extern KSPIN_LOCK		WorkItemSpinLock;

#endif