📄 ntddk.pas
字号:
const
MDL_MAPPED_TO_SYSTEM_VA = $0001;
MDL_PAGES_LOCKED = $0002;
MDL_SOURCE_IS_NONPAGED_POOL = $0004;
MDL_ALLOCATED_FIXED_SIZE = $0008;
MDL_PARTIAL = $0010;
MDL_PARTIAL_HAS_BEEN_MAPPED = $0020;
MDL_IO_PAGE_READ = $0040;
MDL_WRITE_OPERATION = $0080;
MDL_PARENT_MAPPED_SYSTEM_VA = $0100;
MDL_LOCK_HELD = $0200;
MDL_PHYSICAL_VIEW = $0400;
MDL_IO_SPACE = $0800;
MDL_NETWORK_HEADER = $1000;
MDL_MAPPING_CAN_FAIL = $2000;
MDL_ALLOCATED_MUST_SUCCEED = $4000;
const
SystemBasicInformation = 00;
SystemProcessorInformation = 01;
SystemPerformanceInformation = 02;
SystemTimeOfDayInformation = 03;
SystemNotImplemented1 = 04;
SystemProcessesAndThreadsInformation = 05;
SystemCallCounts = 06;
SystemConfigurationInformation = 07;
SystemProcessorTimes = 08;
SystemGlobalFlag = 09;
SystemNotImplemented2 = 10;
SystemModuleInformation = 11;
SystemLockInformation = 12;
SystemNotImplemented3 = 13;
SystemNotImplemented4 = 14;
SystemNotImplemented5 = 15;
SystemHandleInformation = 16;
SystemObjectInformation = 17;
SystemPagefileInformation = 18;
SystemInstructionEmulationCounts = 19;
SystemInvalidInfoClass1 = 20;
SystemCacheInformation = 21;
SystemPoolTagInformation = 22;
SystemProcessorStatistics = 23;
SystemDpcInformation = 24;
SystemNotImplemented6 = 25;
SystemLoadImage = 26;
SystemUnloadImage = 27;
SystemTimeAdjustment = 28;
SystemNotImplemented7 = 29;
SystemNotImplemented8 = 30;
SystemNotImplemented9 = 31;
SystemCrashDumpInformation = 32;
SystemExceptionInformation = 33;
SystemCrashDumpStateInformation = 34;
SystemKernelDebuggerInformation = 35;
SystemContextSwitchInformation = 36;
SystemRegistryQuotaInformation = 37;
SystemLoadAndCallImage = 38;
SystemPrioritySeparation = 39;
SystemNotImplemented10 = 40;
SystemNotImplemented11 = 41;
SystemInvalidInfoClass2 = 42;
SystemInvalidInfoClass3 = 43;
SystemTimeZoneInformation = 44;
SystemLookasideInformation = 45;
SystemSetTimeSlipEvent = 46;
SystemCreateSession = 47;
SystemDeleteSession = 48;
SystemInvalidInfoClass4 = 49;
SystemRangeStartInformation = 50;
SystemVerifierInformation = 51;
SystemAddVerifier = 52;
SystemSessionProcessesInformation = 53;
type
{
_SYSTEM_INFORMATION_CLASS = (
SystemBasicInformation,
SystemProcessorInformation,
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemNotImplemented1,
SystemProcessesAndThreadsInformation,
SystemCallCounts,
SystemConfigurationInformation,
SystemProcessorTimes,
SystemGlobalFlag,
SystemNotImplemented2,
SystemModuleInformation,
SystemLockInformation,
SystemNotImplemented3,
SystemNotImplemented4,
SystemNotImplemented5,
SystemHandleInformation,
SystemObjectInformation,
SystemPagefileInformation,
SystemInstructionEmulationCounts,
SystemInvalidInfoClass1,
SystemCacheInformation,
SystemPoolTagInformation,
SystemProcessorStatistics,
SystemDpcInformation,
SystemNotImplemented6,
SystemLoadImage,
SystemUnloadImage,
SystemTimeAdjustment,
SystemNotImplemented7,
SystemNotImplemented8,
SystemNotImplemented9,
SystemCrashDumpInformation,
SystemExceptionInformation,
SystemCrashDumpStateInformation,
SystemKernelDebuggerInformation,
SystemContextSwitchInformation,
SystemRegistryQuotaInformation,
SystemLoadAndCallImage,
SystemPrioritySeparation,
SystemNotImplemented10,
SystemNotImplemented11,
SystemInvalidInfoClass2,
SystemInvalidInfoClass3,
SystemTimeZoneInformation,
SystemLookasideInformation,
SystemSetTimeSlipEvent,
SystemCreateSession,
SystemDeleteSession,
SystemInvalidInfoClass4,
SystemRangeStartInformation,
SystemVerifierInformation,
SystemAddVerifier,
SystemSessionProcessesInformation);
SYSTEM_INFORMATION_CLASS = _SYSTEM_INFORMATION_CLASS;
TSystemInformationClass = SYSTEM_INFORMATION_CLASS;
}
SYSTEM_INFORMATION_CLASS = ULONG;
const
OBJ_INHERIT = $00000002;
OBJ_PERMANENT = $00000010;
OBJ_EXCLUSIVE = $00000020;
OBJ_CASE_INSENSITIVE = $00000040;
OBJ_OPENIF = $00000080;
OBJ_OPENLINK = $00000100;
OBJ_KERNEL_HANDLE = $00000200;
OBJ_VALID_ATTRIBUTES = $000003F2;
const
IoReadAccess = 0;
IoWriteAccess = 1;
IoModifyAccess = 2;
type
LOCK_OPERATION = BYTE;
type
PMODULE_INFO = ^MODULE_INFO;
MODULE_INFO = packed record // Information Class 11
Reserved: Array[0..1] of ULONG;
Base: PVOID;
Size: ULONG;
Flags: ULONG;
Index: USHORT;
Unknown: USHORT;
LoadCount: USHORT;
ModuleNameOffset: USHORT;
ImageName: Array[0..255] of CHAR;
end;
PMODULE_LIST = ^MODULE_LIST;
MODULE_LIST = packed record
dwModules: ULONG;
Modules: Array[0..0] of MODULE_INFO;
end;
type
ACCESS_MASK = DWORD;
PACCESS_MASK = ^ACCESS_MASK;
PLARGE_INTEGER = ^_LARGE_INTEGER;
_LARGE_INTEGER = record
LowPart: ULONG;
HighPart: ULONG;
end;
LARGE_INTEGER = _LARGE_INTEGER;
//==== SP!
function KeServiceDescriptorTable(): PServiceDescriptorEntry; external NtKernel name 'KeServiceDescriptorTable';
procedure KeInitializeSpinLock(SpinLock: PKSPIN_LOCK); stdcall; external NtKernel name 'KeInitializeSpinLock';
function KeWaitForSingleObject(SObject:Pointer; WaitReason:TKWaitReason; WaitMode:TKProcessorMode; Alertable:LongBool; Timeout:PLargeInteger):NTSTATUS; stdcall; external NtKernel name 'KeWaitForSingleObject';
procedure KeInitializeMutex(Mutex:PKMutex;Level:Cardinal); stdcall; external NtKernel name 'KeInitializeMutex';
function KeReleaseMutex(Mutex:PKMutex;Wait:LongBool):LONG; stdcall; external NtKernel name 'KeReleaseMutex';
//==== cdecl;
function DbgPrint(Format:PChar): NTSTATUS; cdecl; varargs; external NtKernel name 'DbgPrint';
function _snprintf(buffer: PChar; nsize: Integer; const fmt: PChar): Integer; cdecl; varargs; external NtKernel name '_snprintf';
function _strnicmp(const s1, s2: PChar; n: Integer): Integer; cdecl; external NtKernel name '_strnicmp';
function _stricmp(const s1, s2: PChar): Integer; cdecl; external NtKernel name '_stricmp';
function memset(s: PVOID; c, n: Integer): PVOID; cdecl; external NtKernel name 'memset';
function memcpy(s, d: PVOID; n: Integer): PVOID; cdecl; external NtKernel name 'memcpy';
function strcat(s1: PChar; const s2: PChar): PVOID; cdecl; external NtKernel name 'strcat';
function strcpy(dest: PChar; const src: PChar): PVOID; cdecl; external NtKernel name 'strcpy';
//==== fastcall
function fast_InterlockedExchange(Target: PLONG; Value: LONG): LONG; stdcall;
//function fast_KfAcquireSpinLock(SpinLock: PKSPIN_LOCK): KIRQL; stdcall;
//procedure fast_KfReleaseSpinLock(SpinLock: PKSPIN_LOCK; NewIrql: KIRQL); stdcall;
//function fast_KeAcquireSpinLockRaiseToSynch(SpinLock: PKSPIN_LOCK): KIRQL; stdcall;
//==== Unicode
function RtlAnsiStringToUnicodeString(DestinationString: PUnicodeString; SourceString: PAnsiString; AllocateDestinationString: BOOLEAN): NTSTATUS; stdcall; external NtKernel name 'RtlAnsiStringToUnicodeString';
procedure RtlInitAnsiString(DestinationString: PAnsiString; SourceString: PCHAR); stdcall; external NtKernel name 'RtlInitAnsiString';
procedure RtlInitUnicodeString(DestinationString: PUnicodeString; SourceString: PWideChar); stdcall; external NtKernel name 'RtlInitUnicodeString';
procedure RtlFreeUnicodeString(DestinationString: PUnicodeString); stdcall; external NtKernel name 'RtlFreeUnicodeString';
//==== MM Memory
function MmIsAddressValid(VirtualAddress: PVOID): Boolean; stdcall; external NtKernel name 'MmIsAddressValid';
function IoAllocateMdl(VirtualAddress: Pointer; Length: ULONG; SecondaryBuffer, ChargeQuota: Boolean; lpIRP: Pointer): Pointer; stdcall; external NtKernel name 'IoAllocateMdl';
procedure IoFreeMdl(Mdl: PMDL); stdcall; external NtKernel name 'IoFreeMdl';
function MmCreateMdl(MemoryDescriptorList: PMDL; Base: Pointer; Length: Integer): PMDL; stdcall; external NtKernel name 'MmCreateMdl';
procedure MmUnlockPages(MemoryDescriptorList: PMDL); stdcall; external NtKernel name 'MmUnlockPages';
procedure MmBuildMdlForNonPagedPool(MemoryDescriptorList: PMDL); stdcall; external NtKernel name 'MmBuildMdlForNonPagedPool';
procedure MmProbeAndLockPages(MemoryDescriptorList: Pointer; AccessMode: KPROCESSOR_MODE; Operation: LOCK_OPERATION); stdcall; external NtKernel name 'MmProbeAndLockPages';
function MmMapLockedPages(MemoryDescriptorList: PMDL; AccessMode: KPROCESSOR_MODE): Pointer; stdcall; external NtKernel name 'MmMapLockedPages';
procedure MmUnmapLockedPages(BaseAddress: Pointer; MemoryDescriptorList: PMDL); stdcall; external NtKernel name 'MmUnmapLockedPages';
{
function MmAllocateNonCachedMemory (NumberOfBytes: SIZE_T): pointer; stdcall;
function krnlMmGetPhysicalAddress(BaseAddress: PVOID): PHYSICAL_ADDRESS;
procedure MmFreeNonCachedMemory(BaseAddress: PVOID; NumberOfBytes: SIZE_T); stdcall;
}
//==== Memory Manager
function ExAllocatePool(PoolType: TPoolType; NumberOfBytes: Cardinal):Pointer; stdcall; external NtKernel name 'ExAllocatePool';
procedure ExFreePool(P: Pointer); stdcall; external NtKernel name 'ExFreePool';
const
PoolWithTag = $206B6444;
function ExAllocatePoolWithTag(PoolType:TPoolType; NumberOfBytes: Cardinal; Tag: ULONG): Pointer; stdcall; external NtKernel name 'ExAllocatePoolWithTag';
procedure ExFreePoolWithTag(P: Pointer; Tag: ULONG); stdcall; external NtKernel name 'ExFreePoolWithTag';
function ExAllocatePoolWithQuota(PoolType:TPoolType;NumberOfBytes:Cardinal):Pointer; stdcall; external NtKernel name 'ExAllocatePoolWithQuota';
//====
function IoCreateDevice(DriverObject:PDriverObject;DeviceExtensionSize:Cardinal;DeviceName:PUnicodeString;DeviceType:TDeviceType;DeviceCharacteristics:Cardinal;Reserved:Boolean;var DeviceObject:PDeviceObject):NTSTATUS; stdcall; external NtKernel name 'IoCreateDevice';
procedure IoCompleteRequest(Irp:PIrp;PriorityBoost:Integer); stdcall; external NtKernel name 'IoCompleteRequest';
procedure IoDeleteDevice(DeviceObject:PDeviceObject); stdcall; external NtKernel name 'IoDeleteDevice';
function IoCreateSymbolicLink(SymbolicLinkName,DeviceName:PUnicodeString):NTSTATUS; stdcall; external NtKernel name 'IoCreateSymbolicLink';
function IoDeleteSymbolicLink(SymbolicLinkName:PUnicodeString):NTSTATUS; stdcall; external NtKernel name 'IoDeleteSymbolicLink';
procedure ProbeForRead(Address:Pointer;Length:Cardinal;Alignment:Cardinal); stdcall; external NtKernel name 'ProbeForRead';
//====
function ZwOpenProcess(ProcessHandle:PHandle;DesiredAccess:TAccessMask;ObjectAttributes:PObjectAttributes;ClientId:PClientId):NTSTATUS; stdcall; external NtKernel name 'ZwOpenProcess';
function ZwQuerySystemInformation(SystemInformationClass: SYSTEM_INFORMATION_CLASS; SystemInformation: PVOID; SystemInformationLength: ULONG; lpReturnLength: PULONG): NTSTATUS; stdcall; external NtKernel name 'ZwQuerySystemInformation';
type
_FILE_POSITION_INFORMATION = record
CurrentByteOffset: LARGE_INTEGER;
end;
FILE_POSITION_INFORMATION = _FILE_POSITION_INFORMATION;
PFILE_POSITION_INFORMATION = ^FILE_POSITION_INFORMATION;
function ZwSetInformationFile(FileHandle: THandle; IoStatusBlock: PIO_STATUS_BLOCK; FileInformation: PVOID; FileInformationLength: ULONG; FileInformationClass: FILE_INFORMATION_CLASS): NTSTATUS; stdcall; external NtKernel name 'ZwSetInformationFile';
const
FILE_READ_DATA = $0001; // file & pipe
FILE_LIST_DIRECTORY = $0001; // directory
FILE_WRITE_DATA = $0002; // file & pipe
FILE_ADD_FILE = $0002; // directory
FILE_READ_EA = $0008; // file & directory
FILE_WRITE_EA = $0010; // file & directory
FILE_EXECUTE = $0020; // file
FILE_SHARE_READ = $00000001;
FILE_SHARE_WRITE = $00000002;
FILE_SHARE_DELETE = $00000004;
const
FILE_SUPERSEDE = $00000000;
FILE_OPEN = $00000001;
FILE_CREATE = $00000002;
FILE_OPEN_IF = $00000003;
FILE_OVERWRITE = $00000004;
FILE_OVERWRITE_IF = $00000005;
FILE_MAXIMUM_DISPOSITION = $00000005;
const
FILE_SYNCHRONOUS_IO_ALERT = $00000010;
FILE_SYNCHRONOUS_IO_NONALERT = $00000020;
FILE_NON_DIRECTORY_FILE = $00000040;
FILE_CREATE_TREE_CONNECTION = $00000080;
function ZwCreateFile(FileHandle: PHANDLE; DesiredAccess: ACCESS_MASK; ObjectAttributes: POBJECT_ATTRIBUTES;
IoStatusBlock: PIO_STATUS_BLOCK; AllocationSize: PLARGE_INTEGER; FileAttributes: ULONG; ShareAccess: ULONG;
CreateDisposition: ULONG; CreateOptions: ULONG; EaBuffer: PVOID; EaLength: ULONG): NTSTATUS; stdcall;
external NtKernel name 'ZwCreateFile';
function ZwOpenFile(FileHandle: PHANDLE; DesiredAccess: ACCESS_MASK; ObjectAttributes: POBJECT_ATTRIBUTES;
IoStatusBlock: PIO_STATUS_BLOCK; ShareAccess: ULONG; OpenOptions: ULONG): NTSTATUS; stdcall;
external NtKernel name 'ZwOpenFile';
type
_FILE_STANDARD_INFORMATION = packed record
AllocationSize: LARGE_INTEGER;
EndOfFile: LARGE_INTEGER;
NumberOfLinks: ULONG;
DeletePending: ByteBool;
Directory: ByteBool;
end;
FILE_STANDARD_INFORMATION = _FILE_STANDARD_INFORMATION;
function ZwQueryInformationFile(FileHandle: THandle; IoStatusBlock: PIO_STATUS_BLOCK; FileInformation: PVOID;
FileInformationLength: ULONG; FileInformationClass: FILE_INFORMATION_CLASS): NTSTATUS; stdcall;
external NtKernel name 'ZwQueryInformationFile';
type
PIO_APC_ROUTINE = procedure(ApcContext: PVOID; IoStatusBlock: PIO_STATUS_BLOCK; Reserved: ULONG); stdcall;
function ZwReadFile(FileHandle: THandle; Event: THandle; ApcRoutine: PIO_APC_ROUTINE; ApcContext: PVOID; IoStatusBlock: PIO_STATUS_BLOCK;
Buffer: PVOID; Length: ULONG; ByteOffset: PLARGE_INTEGER; Key: PULONG): NTSTATUS; stdcall;
external NtKernel name 'ZwReadFile';
function ZwClose(Handle: THandle): NTSTATUS; stdcall;
external NtKernel name 'ZwClose';
function ZwCreateSection(SectionHandle: PHANDLE; DesiredAccess: ACCESS_MASK; ObjectAttributes: POBJECT_ATTRIBUTES;
MaximumSize: PLARGE_INTEGER; SectionPageProtection: ULONG; AllocationAttributes: ULONG; FileHandle: THandle
): NTSTATUS; stdcall; external NtKernel name 'ZwCreateSection';
function ZwOpenSection(SectionHandle: PHANDLE; DesiredAccess: ACCESS_MASK;
ObjectAttributes: POBJECT_ATTRIBUTES): NTSTATUS; stdcall; external NtKernel name 'ZwOpenSection';
const
ViewShare = 1;
ViewUnmap = 2;
type
SECTION_INHERIT = ULONG;
function ZwMapViewOfSection(SectionHandle: THandle; ProcessHandle: THandle; BaseAddress: PPVOID; ZeroBits: ULONG;
CommitSize: ULONG; SectionOffset: PLARGE_INTEGER; ViewSize: PULONG; InheritDisposition: SECTION_INHERIT;
AllocationType: ULONG; Protect: ULONG
): NTSTATUS; stdcall; external NtKernel name 'ZwMapViewOfSection';
function ZwUnmapViewOfSection(ProcessHandle: THandle; BaseAddress: PVOID
): NTSTATUS; stdcall; external NtKernel name 'ZwUnmapViewOfSection';
implementation
//==== fastcall
function InterlockedExchange(Target:PLONG; Value:LONG):LONG; register; external NtKernel name 'InterlockedExchange';
function fast_InterlockedExchange(Target: PLONG; Value: LONG): LONG; stdcall;
asm
mov ecx, Target
mov edx, Value
call InterlockedExchange
end;
{
function KfAcquireSpinLock(SpinLock:PKSPIN_LOCK): KIRQL; register; external NtHal name 'KfAcquireSpinLock';
function fast_KfAcquireSpinLock(SpinLock:PKSPIN_LOCK): KIRQL; stdcall;//assembler;
asm
mov ecx, SpinLock
call KfAcquireSpinLock
end;
procedure KfReleaseSpinLock(SpinLock:PKSPIN_LOCK; NewIrql:KIRQL); register; external NtHal name 'KfReleaseSpinLock';
procedure fast_KfReleaseSpinLock(SpinLock:PKSPIN_LOCK; NewIrql:KIRQL); stdcall;
asm
mov ecx, SpinLock
mov dl, NewIrql
call KfReleaseSpinLock
end;
function KeAcquireSpinLockRaiseToSynch(SpinLock: PKSPIN_LOCK): KIRQL; register; external NtHal name 'KeAcquireSpinLockRaiseToSynch';
function fast_KeAcquireSpinLockRaiseToSynch(SpinLock: PKSPIN_LOCK): KIRQL; stdcall;//assembler;
asm
mov ecx, SpinLock
call KeAcquireSpinLockRaiseToSynch
end;
}
end.
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -