/*
User notes.
==========

This file contains the prototypes and related data structures for the system
service layer. NTDDK.H must be included before including this header file.

All the system services in the system service layer are callable both from user
mode and from kernel mode (only at IRQL = PASSIVE_LEVEL). From user mode call the
Ntxx variant of a service; from kernel mode call the Zwxx variant. The reason is
that NTDLL.DLL (linked to user-mode applications) exports the functions in Ntxx
form, whereas NTOSKRNL.EXE (linked to kernel mode) exports them in Zwxx form.

Security caveat: a Zwxx call issued from kernel mode is treated by the kernel as
a kernel-originated request, so the probing of user buffers and the handle and
privilege checks that protect an Ntxx call from user mode are not applied. A
driver must therefore validate (ProbeForRead/ProbeForWrite, length checks,
handle ownership) anything it received from a user-mode client before passing
it on to a Zwxx service; otherwise the driver becomes a privilege-escalation
primitive for that client.
*/

/*
The header file is written assuming that all the Zwxx variants are exported by
NTOSKRNL.EXE. However, not all the variants are exported by NTOSKRNL, and the
set of exported variants changes between versions. Hence if you get a linking
error while using one of these variants from a kernel-mode driver, you need to
write an INT 2E wrapper for it.

Find out the system service id and the number of parameter bytes for the given
service using a kernel-mode debugger such as SoftICE (use the NTCALLS command)
and write a wrapper as follows. Caveats: the service id and the parameter byte
count are specific to one NT version/service pack, and a wrong id silently
invokes a different service with your argument block, so guard the wrapper with
a check of NtBuildNumber (declared below) and fail closed on unknown builds. The
wrapper is 32-bit x86 only: it hard-codes the INT 2E gate and stack layout.

_declspec(naked) NTSTATUS NTAPI Zwxx(param list)
{
	_asm {
		mov eax, serviceid
		lea edx, [esp+4]
		int 2eh
		ret parameterbytestopopoff
	}
}
*/

/*
If you plan to use this file from user mode application, make sure that you
include "undocnt.h" as follows.

#define _X86_
#include <ntddk.h>
#include "undocnt.h"

You cannot have both windows.h and ntddk.h included from the same C file, since
that results in data-type redefinitions.

If you want to use both system services and the Win32 API, put the code that
uses Win32 APIs in some other C file.

If you are using this file from a kernel-mode driver, there is no need to
include the "#define _X86_" statement.
*/

/*
This header file is written assuming that the NTDDK.H file from the Windows NT 4.0
DDK is used. If you have a later version of the DDK, such as the Windows 2000 DDK,
it is possible that some of the previously undocumented calls, or some of the data
structures, are now documented by Microsoft. In that case you may get redefinition
errors, and you should modify UNDOCNT.H to suit your setup.

This file is compiled using Visual C++ 4.2
*/


#ifndef _UNDOCNT_H
#define _UNDOCNT_H
#pragma pack(1)
/*
 * One entry of the system service descriptor table (SSDT) that NTOSKRNL
 * exports as KeServiceDescriptorTable (declared below). The fields are
 * 4-byte pointers/integers under #pragma pack(1), i.e. this layout assumes
 * 32-bit x86 and no padding. Field roles are inferred from the names and
 * from the INT 2E wrapper note at the top of the file -- confirm before use.
 *
 * Security note: overwriting ServiceTableBase entries ("SSDT hooking") is the
 * classic rootkit technique; on 64-bit Windows the table is not exported and
 * Kernel Patch Protection bugchecks the machine when it is modified.
 */
typedef struct ServiceDescriptorEntry {
	unsigned int *ServiceTableBase;        /* presumably the array of service routine addresses, indexed by service id */
	unsigned int *ServiceCounterTableBase; //Used only in checked build
	unsigned int NumberOfServices;         /* number of valid entries in the table */
	unsigned char *ParamTableBase;         /* presumably the per-service argument byte count (what the stub pops) */
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;

/*
 * Symbols imported from NTOSKRNL.EXE that the NT4 DDK headers do not declare.
 *
 * Review notes:
 *  - KeAddSystemServiceTable, KeAttachProcess and KeDetachProcess are written
 *    with an implicit `int` return type (dropped in C99), and only the first
 *    carries an explicit calling convention. The others match the kernel's
 *    __stdcall exports only if the build's default convention is __stdcall
 *    (the DDK build environment) -- TODO confirm before using these from a
 *    plain VC++ project; a mismatch is a link error at best and a corrupted
 *    stack at worst. Make the return types and `_stdcall` explicit when this
 *    header is next touched.
 *  - KeAddSystemServiceTable presumably registers an additional service table
 *    (new system call numbers reachable from user mode). Any service routine
 *    added that way is entered directly on behalf of user mode and must probe
 *    and validate every argument itself.
 *  - KeAttachProcess/KeDetachProcess switch the current thread into another
 *    process's address space; user addresses read there are untrusted.
 *  - NtBuildNumber is the running kernel's build; use it to gate anything in
 *    this header that depends on a specific NT version.
 */
__declspec(dllimport) _stdcall KeAddSystemServiceTable(PVOID, PVOID, PVOID, PVOID, PVOID);
__declspec(dllimport)  ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
__declspec(dllimport) void *PsInitialSystemProcess;
__declspec(dllimport) ULONG NtBuildNumber;
__declspec(dllimport) KeAttachProcess(void *);
__declspec(dllimport) KeDetachProcess();

/* trace(Message): debug-only DbgPrint. Message is a parenthesised printf-style
 * argument list, e.g. trace(("IOCTL %x\n", code)); in a non-_DBG build the
 * call expands to nothing. The first element of Message is a format string:
 * keep it a literal and never put client-supplied text there. DbgPrint output
 * is visible to any attached kernel debugger, so do not trace secrets. */
#ifdef _DBG
#define trace(Message) DbgPrint Message
#else
#define trace(Message)
#endif

/* Dispatch routine that MYDRIVERENTRY (below) installs for IRP_MJ_CREATE,
 * IRP_MJ_CLOSE and IRP_MJ_DEVICE_CONTROL. The driver must define it.
 * Because the macro also creates \DosDevices\<name>, this routine is the only
 * gate between user mode and whatever the driver does with the undocumented
 * services in this file: validate the IOCTL code, the buffer lengths and any
 * pointers embedded in the request before acting on them. */
NTSTATUS
DriverDispatch(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    );

/* Unload routine that MYDRIVERENTRY installs; the driver must define it and
 * should tear down the symbolic link and device object the macro created. */
VOID
DriverUnload(
    IN PDRIVER_OBJECT DriverObject
    );

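/*
 * MYDRIVERENTRY(DriverName, DeviceId, DriverSpecificInit)
 *
 * Boilerplate body for DriverEntry: creates the device object
 * \Device\<DriverName> and the user-visible link \DosDevices\<DriverName>,
 * runs DriverSpecificInit, and installs DriverDispatch / DriverUnload.
 * Every path ends in a `return`, so the macro must be the last thing in
 * DriverEntry; because it declares locals it must also come before any other
 * statement (C89 rules). It assumes the enclosing function's PDRIVER_OBJECT
 * parameter is named DriverObject.
 *
 *   DriverName         - wide string literal (e.g. L"mydrv"); it is joined to
 *                        the L"\\Device\\" / L"\\DosDevices\\" prefixes by
 *                        adjacent-literal concatenation.
 *   DeviceId           - FILE_DEVICE_* type passed to IoCreateDevice.
 *   DriverSpecificInit - expression yielding an NTSTATUS, evaluated once after
 *                        the device and link exist; on failure both are torn
 *                        down again and its status is returned.
 *
 * Fix vs. the original: the `##` token-paste operators were removed. Pasting
 * a string literal onto another literal, or a `,` onto an identifier, does not
 * form a valid preprocessing token in ISO C (MSVC happened to tolerate it);
 * plain juxtaposition yields the intended text on every compiler.
 *
 * Security note: the device is created with no explicit security descriptor
 * and without FILE_DEVICE_SECURE_OPEN (which the NT4 DDK this file targets
 * does not define), and the \DosDevices link makes it reachable from user
 * mode. Whoever can open it can send IRP_MJ_DEVICE_CONTROL requests, so
 * DriverDispatch must treat every IOCTL code, buffer and length as untrusted,
 * and the default DACL of the chosen device type should be reviewed.
 */
#define MYDRIVERENTRY(DriverName, DeviceId, DriverSpecificInit) \
PDEVICE_OBJECT         deviceObject        = NULL; \
NTSTATUS               ntStatus; \
WCHAR                  deviceNameBuffer[]  = L"\\Device\\" DriverName; \
UNICODE_STRING         deviceNameUnicodeString; \
WCHAR                  deviceLinkBuffer[]  = L"\\DosDevices\\" DriverName; \
UNICODE_STRING         deviceLinkUnicodeString; \
\
RtlInitUnicodeString (&deviceNameUnicodeString, deviceNameBuffer); \
ntStatus = IoCreateDevice (DriverObject, \
                           0, \
                           &deviceNameUnicodeString, \
                           DeviceId, \
                           0, \
                           FALSE, \
                           &deviceObject); \
if (!NT_SUCCESS(ntStatus)) { \
    return ntStatus; \
} \
\
RtlInitUnicodeString (&deviceLinkUnicodeString, deviceLinkBuffer); \
ntStatus = IoCreateSymbolicLink (&deviceLinkUnicodeString, \
                                 &deviceNameUnicodeString); \
if (!NT_SUCCESS(ntStatus)) { \
    IoDeleteDevice (deviceObject); \
    return ntStatus; \
} \
\
ntStatus = (DriverSpecificInit); \
if (!NT_SUCCESS(ntStatus)) { \
    IoDeleteSymbolicLink (&deviceLinkUnicodeString); \
    IoDeleteDevice (deviceObject); \
    return ntStatus; \
} \
\
DriverObject->MajorFunction[IRP_MJ_CREATE]         = \
DriverObject->MajorFunction[IRP_MJ_CLOSE]          = \
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DriverDispatch; \
DriverObject->DriverUnload                         = DriverUnload; \
return STATUS_SUCCESS;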

/* Undocumented x86 GDT helpers exported by NTOSKRNL (kernel mode only).
 * Roles inferred from the names -- confirm against the kernel:
 *   KeI386AllocateGdtSelectors - fills pSelectorArray with NumberOfSelectors
 *                                unused selectors.
 *   KeI386ReleaseGdtSelectors  - returns those selectors to the pool.
 *   KeI386SetGdtSelector       - copies the descriptor at pDescriptor into the
 *                                GDT slot addressed by Selector.
 * Security note: a GDT descriptor defines a segment's base, limit, type and
 * privilege level. The descriptor bytes must come from the driver itself,
 * never from a user-mode client, or the client gets to shape ring-0 segments. */
NTSYSAPI 
NTSTATUS 
NTAPI 
KeI386AllocateGdtSelectors(
	PUSHORT pSelectorArray, 
	ULONG NumberOfSelectors
);

NTSYSAPI 
NTSTATUS 
NTAPI 
KeI386ReleaseGdtSelectors(
	PUSHORT pSelectorArray, 
	ULONG NumberOfSelectors
);

NTSYSAPI 
NTSTATUS 
NTAPI 
KeI386SetGdtSelector(
	ULONG Selector, 
	PVOID pDescriptor
);

/* Time-zone conversion between 64-bit system (UTC) and local time values held
 * in LARGE_INTEGERs; direction is given by the name. */
NTSYSAPI 
NTSTATUS 
NTAPI 
RtlLocalTimeToSystemTime(PLARGE_INTEGER LocalTime, 
						 PLARGE_INTEGER SystemTime
);

NTSYSAPI 
NTSTATUS 
NTAPI 
RtlSystemTimeToLocalTime(PLARGE_INTEGER SystemTime, 
						 PLARGE_INTEGER LocalTime
);

/* Virtual Address Descriptor: one node of a process's VAD tree describing
 * the range [StartingAddress, EndingAddress] and linked to its parent and
 * two children. This is the layout the original author observed on NT4; the
 * field set and offsets are version-specific, so gate any code that walks the
 * tree on NtBuildNumber. Flags' bit meanings are not known from this file. */
typedef struct vad {
	void *StartingAddress;
	void *EndingAddress;
	struct vad *ParentLink;
	struct vad *LeftLink;
	struct vad *RightLink;
	ULONG Flags;
}VAD, *PVAD;

/* Maximum size in bytes of the inline payload of one LPC message
 * (0x130 = 304); it sizes LPCMESSAGE.MessageData below. Larger transfers go
 * through a shared section ("big LPC", see LPCSECTIONINFO). */
#define MAX_MESSAGE_DATA                0x130

/* Types of LPC messages (LPCMESSAGE.MessageType). LPC_LOST_REPLY through
 * LPC_CONNECTION_REQUEST presumably describe port events generated by the
 * kernel -- but a peer can put any value in a message header, so a server
 * must not infer kernel origin from MessageType alone. */
#define UNUSED_MSG_TYPE                 0x00
#define LPC_REQUEST                     0x01
#define LPC_REPLY                       0x02
#define LPC_DATAGRAM                    0x03
#define LPC_LOST_REPLY                  0x04
#define LPC_PORT_CLOSED                 0x05
#define LPC_CLIENT_DIED                 0x06
#define LPC_EXCEPTION                   0x07
#define LPC_DEBUG_EVENT                 0x08
#define LPC_ERROR_EVENT                 0x09
#define LPC_CONNECTION_REQUEST  0x0A

/* Wire format of an LPC message (1-byte packed by the #pragma pack(1) above):
 * a 24-byte header followed by up to MAX_MESSAGE_DATA bytes of payload.
 * Security note for servers: ActualMessageLength, TotalMessageLength,
 * MessageType and the payload arrive from the peer; range-check the lengths
 * against MAX_MESSAGE_DATA (and against the size of the buffer you actually
 * passed) before indexing MessageData. ClientProcessId/ClientThreadId are
 * presumably filled in by the kernel rather than the client -- confirm before
 * using them for authorization; NtImpersonateClientOfPort (below) is the
 * supported way to act with the client's identity. */
typedef struct LpcMessage {
	/* LPC Message Header */
	USHORT  ActualMessageLength;   /* bytes of MessageData in use */
	USHORT  TotalMessageLength;    /* header + data length, presumably */
	ULONG MessageType;             /* one of the LPC_* values above */
	ULONG ClientProcessId;
	ULONG ClientThreadId;
	ULONG MessageId;
	ULONG SharedSectionSize;       /* non-zero when data travels in a shared section */

	/* LPC Message Data, taken care of maximum message */
	CCHAR  MessageData[MAX_MESSAGE_DATA];
} LPCMESSAGE, *PLPCMESSAGE;

/* Structures required for big LPC through a shared section.
 * LPCSECTIONINFO is supplied by the client to NtConnectPort: a section handle
 * and size, and (on return) where the section is mapped on each side. Base
 * addresses are ULONG, so this layout is 32-bit only. Param1's meaning is not
 * known from this file.
 * Security note: both sides map the same memory, so a server must copy data
 * out of the section before validating it -- the client can rewrite it after
 * the check (TOCTOU) otherwise. */
typedef struct Unknown1 {
	ULONG Length;              /* presumably sizeof(LPCSECTIONINFO); confirm */
	HANDLE SectionHandle;
	ULONG Param1;
	ULONG SectionSize;
	ULONG ClientBaseAddress;
	ULONG ServerBaseAddress;
} LPCSECTIONINFO, *PLPCSECTIONINFO;

/* Server-side view of a big-LPC shared section (filled in by the connect /
 * accept services): its size and the address at which the server sees it.
 * ServerBaseAddress is a ULONG, so this is 32-bit only. Treat the mapped
 * memory as untrusted and volatile; see the LPCSECTIONINFO note above. */
typedef struct Unknown2 {
	ULONG Length;              /* presumably sizeof(LPCSECTIONMAPINFO); confirm */
	ULONG SectionSize;
	ULONG ServerBaseAddress;
} LPCSECTIONMAPINFO, *PLPCSECTIONMAPINFO;
#pragma pack()

/* Undocumented LPC API (NT4 / Windows 2000 era local procedure call).
 * NtCreatePort / ZwCreatePort: create the named server connection port
 * described by ObjectAttributes and return its handle. MaxConnectInfoLength
 * bounds the connect-time data a client may send and MaxDataLength the
 * payload of one message (both only validated, per the note that follows);
 * Unknown is unused.
 * Security note: the port name lives in the object namespace and is
 * discoverable; restrict it through the ObjectAttributes security descriptor
 * and authorize every client in NtAcceptConnectPort. */
NTSYSAPI
NTSTATUS
NTAPI
NtCreatePort(
	PHANDLE PortHandle, 
	POBJECT_ATTRIBUTES ObjectAttributes,
	ULONG MaxConnectInfoLength, 
	ULONG MaxDataLength, 
	ULONG Unknown
);

NTSYSAPI
NTSTATUS
NTAPI
ZwCreatePort(
	PHANDLE PortHandle, 
	POBJECT_ATTRIBUTES ObjectAttributes,
	ULONG MaxConnectInfoLength, 
	ULONG MaxDataLength, 
	ULONG Unknown
);

/*
 * Notes on NtCreatePort (above): MaxConnectInfoLength and MaxDataLength are
 * only used for validation; Unknown is unused.
 *
 * NtConnectPort / ZwConnectPort: connect to the server port named PortName
 * and return the client's communication port handle.
 *   Unknown    - must not be NULL (original note); meaning not known here.
 *   Unknown1   - PLPCSECTIONINFO describing the client's shared section
 *                ("big LPC"); Unknown2 receives the server's view of it.
 *   Unknown3   - may be NULL.
 *   ConnectInfo / pConnectInfoLength - buffer handed to the server with the
 *                connection request; presumably in/out, carrying the server's
 *                reply data and its length on return -- confirm.
 * Security note: ConnectInfo is the first thing an untrusted client sends a
 * server; the server must bound it by its MaxConnectInfoLength before reading.
 */
NTSYSAPI
NTSTATUS
NTAPI
NtConnectPort(
	PHANDLE PortHandle, 
	PUNICODE_STRING PortName, 
	PULONG Unknown, /* Can not be NULL */
	PLPCSECTIONINFO Unknown1, /* Used in Big LPC */
	PLPCSECTIONMAPINFO Unknown2, /* Used in Big LPC */
	PVOID Unknown3, /* Can be NULL */
	PVOID ConnectInfo,
	PULONG pConnectInfoLength
);

NTSYSAPI
NTSTATUS
NTAPI
ZwConnectPort(
	PHANDLE PortHandle, 
	PUNICODE_STRING PortName, 
	PULONG Unknown, /* Can not be NULL */
	PLPCSECTIONINFO Unknown1, /* Used in Big LPC */
	PLPCSECTIONMAPINFO Unknown2, /* Used in Big LPC */
	PVOID Unknown3, /* Can be NULL */
	PVOID ConnectInfo,
	PULONG pConnectInfoLength
);

/* NtReplyWaitReceivePort / Zw...: send the reply in pLpcMessageOut and block
 * until the next message arrives in pLpcMessageIn (the server's main loop
 * call). Unlike the other port services the first parameter is a PHANDLE, as
 * recorded by the original author -- confirm; Unknown's meaning is not known.
 * Security note: pLpcMessageIn is peer-controlled; check MessageType and the
 * length fields against MAX_MESSAGE_DATA before touching MessageData. */
NTSYSAPI
NTSTATUS
NTAPI
NtReplyWaitReceivePort(
	PHANDLE PortHandle, 
	PULONG Unknown ,
	PLPCMESSAGE pLpcMessageOut, 
	PLPCMESSAGE pLpcMessageIn
);

NTSYSAPI
NTSTATUS
NTAPI
ZwReplyWaitReceivePort(
	PHANDLE PortHandle, 
	PULONG Unknown ,
	PLPCMESSAGE pLpcMessageOut, 
	PLPCMESSAGE pLpcMessageIn
);

/* NtAcceptConnectPort / Zw...: answer the pending LPC_CONNECTION_REQUEST in
 * pLpcMessage and return the server-side communication port in PortHandle.
 * Per the original notes Unknown and Unknown3 are passed as 0 and Unknown1 as
 * 1 (presumably "accept"; whether 0 rejects is an inference -- confirm).
 * pSectionMapInfo describes the shared section for big-LPC transfers.
 * This is where a server decides whether to trust the connecting client (its
 * ids are in the message header), so do any authorization here, before
 * NtCompleteConnectPort. */
NTSYSAPI
NTSTATUS
NTAPI
NtAcceptConnectPort(
	PHANDLE PortHandle, 
	ULONG Unknown, // Pass 0
	PLPCMESSAGE pLpcMessage, 
	ULONG Unknown1, // 1 
	ULONG Unknown3, // 0
	PLPCSECTIONMAPINFO pSectionMapInfo
);

NTSYSAPI
NTSTATUS
NTAPI
ZwAcceptConnectPort(
	PHANDLE PortHandle, 
	ULONG Unknown, // Pass 0
	PLPCMESSAGE pLpcMessage, 
	ULONG Unknown1, // 1 
	ULONG Unknown3, // 0
	PLPCSECTIONMAPINFO pSectionMapInfo
);

/* Message-passing services on a connected port (Nt and Zw forms identical):
 *   NtCompleteConnectPort  - finish a connection accepted with
 *                            NtAcceptConnectPort.
 *   NtRequestWaitReplyPort - send pLpcMessageIn and block until the reply
 *                            lands in pLpcMessageOut (synchronous call).
 *   NtListenPort           - block until a connection request arrives in
 *                            pLpcMessage.
 *   NtRequestPort          - send pLpcMessage without waiting for a reply.
 *   NtReplyPort            - send pLpcMessage as the reply to an earlier
 *                            request.
 * Roles are inferred from the names and parameter order -- confirm.
 * Every PLPCMESSAGE the kernel fills in originates with the peer: validate
 * the header lengths and MessageType before using MessageData. */
NTSYSAPI
NTSTATUS
NTAPI
NtCompleteConnectPort(
	HANDLE PortHandle
);

NTSYSAPI
NTSTATUS
NTAPI
ZwCompleteConnectPort(
	HANDLE PortHandle
);

NTSYSAPI
NTSTATUS
NTAPI
NtRequestWaitReplyPort(
	HANDLE PortHandle, 
	PLPCMESSAGE pLpcMessageIn,
	PLPCMESSAGE pLpcMessageOut
);

NTSYSAPI
NTSTATUS
NTAPI
ZwRequestWaitReplyPort(
	HANDLE PortHandle, 
	PLPCMESSAGE pLpcMessageIn,
	PLPCMESSAGE pLpcMessageOut
);

NTSYSAPI
NTSTATUS
NTAPI
NtListenPort(
	HANDLE PortHandle, 
	PLPCMESSAGE pLpcMessage
);

NTSYSAPI
NTSTATUS
NTAPI
ZwListenPort(
	HANDLE PortHandle, 
	PLPCMESSAGE pLpcMessage
);

NTSYSAPI
NTSTATUS
NTAPI
NtRequestPort(
	HANDLE PortHandle, 
	PLPCMESSAGE pLpcMessage
);

NTSYSAPI
NTSTATUS
NTAPI
ZwRequestPort(
	HANDLE PortHandle, 
	PLPCMESSAGE pLpcMessage
);

NTSYSAPI
NTSTATUS
NTAPI
NtReplyPort(
	HANDLE PortHandle, 
	PLPCMESSAGE pLpcMessage
);

NTSYSAPI
NTSTATUS
NTAPI
ZwReplyPort(
	HANDLE PortHandle, 
	PLPCMESSAGE pLpcMessage
);


/* NtRegisterThreadTerminatePort: ask the kernel to notify PortHandle when the
 * calling thread terminates. NtSetDefaultHardErrorPort: make PortHandle the
 * system-wide destination for hard-error (LPC_ERROR_EVENT) messages.
 * Semantics inferred from the names -- confirm. The latter changes global
 * behaviour and is presumably privileged; do not expose either through a
 * driver's IOCTL interface to arbitrary callers. */
NTSYSAPI
NTSTATUS
NTAPI
NtRegisterThreadTerminatePort(
	HANDLE PortHandle
);

NTSYSAPI
NTSTATUS
NTAPI
ZwRegisterThreadTerminatePort(
	HANDLE PortHandle
);

NTSYSAPI
NTSTATUS
NTAPI
NtSetDefaultHardErrorPort(
	HANDLE PortHandle
);

NTSYSAPI
NTSTATUS
NTAPI
ZwSetDefaultHardErrorPort(
	HANDLE PortHandle
);


/* This system service does not seem to return any information about the port:
 * per the original author it resolves the handle with ObReferenceObjectByHandle,
 * dereferences the object again and returns STATUS_SUCCESS, so Buffer and
 * BytesReturned are left untouched -- do not rely on their contents. */
NTSYSAPI
NTSTATUS
NTAPI
NtQueryInformationPort(
	HANDLE PortHandle, 
	ULONG InfoClass,
	PVOID Buffer,
	ULONG BufferSize,
	PULONG BytesReturned
);

NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationPort(
	HANDLE PortHandle, 
	ULONG InfoClass,
	PVOID Buffer,
	ULONG BufferSize,
	PULONG BytesReturned
);

/* NtReplyWaitReplyPort / Zw...: send pLpcMessage as a reply and block until
 * the next reply arrives in the same buffer (inferred from the name; confirm).
 * As with every receive, validate the header before reading MessageData. */
NTSYSAPI
NTSTATUS
NTAPI
NtReplyWaitReplyPort(
	HANDLE PortHandle, 
	PLPCMESSAGE pLpcMessage
);

NTSYSAPI
NTSTATUS
NTAPI
ZwReplyWaitReplyPort(
	HANDLE PortHandle, 
	PLPCMESSAGE pLpcMessage
);

/* NtImpersonateClientOfPort / Zw...: switch the calling (server) thread to
 * the security context of the client that sent pLpcMessage. This is the
 * supported way for a server to perform access checks on the client's behalf.
 * The impersonation persists until the thread reverts it (the revert call is
 * not declared in this file), so revert on every exit path, including error
 * paths, or the server keeps doing its own work with the client's token.
 * Which impersonation level the server obtains presumably depends on what the
 * client permitted at connect time -- confirm. */
NTSYSAPI
NTSTATUS
NTAPI
NtImpersonateClientOfPort(
	HANDLE PortHandle, 
	PLPCMESSAGE pLpcMessage
);

NTSYSAPI
NTSTATUS
NTAPI
ZwImpersonateClientOfPort(
	HANDLE PortHandle, 
	PLPCMESSAGE pLpcMessage
);

//Windows 2000 only: same parameters as NtCreatePort, but the resulting port
//object is presumably waitable (can be passed to the wait services) -- confirm.
//Gate use on NtBuildNumber; on NT4 the service id does not exist and an INT 2E
//wrapper with a guessed id would call some other service.
NTSYSAPI
NTSTATUS
NTAPI
NtCreateWaitablePort(
	PHANDLE PortHandle, 
	POBJECT_ATTRIBUTES ObjectAttributes,
	ULONG MaxConnectInfoLength, 
	ULONG MaxDataLength, 
	ULONG Unknown
);

NTSYSAPI
NTSTATUS
NTAPI
ZwCreateWaitablePort(
	PHANDLE PortHandle, 
	POBJECT_ATTRIBUTES ObjectAttributes,
	ULONG MaxConnectInfoLength, 
	ULONG MaxDataLength, 
	ULONG Unknown
);


/* Global atom table services. An ATOM is a 16-bit value identifying one
 * entry in the table (presumably the same values Win32 GlobalAddAtom returns
 * -- confirm). */
typedef USHORT ATOM;
typedef PUSHORT PATOM;

/* Information classes for NtQueryInformationAtom: SingleAtom returns an
 * ATOMINFOSINGLE for the given atom, AllAtoms an ATOMINFOALL listing every
 * atom; MaxAtomInfoClass is the first invalid value. */
typedef enum _ATOM_INFO_CLASS {
	SingleAtom,
	AllAtoms,
	MaxAtomInfoClass,
} ATOM_INFO_CLASS;

/* Result of NtQueryInformationAtom(SingleAtom). AtomString is a trailing
 * variable-length array ([1] is the pre-C99 idiom): size the buffer for the
 * 6-byte header plus the string, and bound every read of AtomString by
 * BytesCopied, not by AtomStringLength alone. Whether AtomStringLength counts
 * bytes or WCHARs, and whether the string is NUL-terminated, is not known
 * from this file -- confirm. Unknown's meaning is not known. */
typedef struct AtomInfoSingle {
	USHORT ReferenceCount;
	USHORT Unknown;
	USHORT AtomStringLength;
	WCHAR AtomString[1];
} ATOMINFOSINGLE, *PATOMINFOSINGLE;

/* Result of NtQueryInformationAtom(AllAtoms): the total entry count followed
 * by a trailing variable-length array of atom values ([1] idiom). The table
 * can change between the query and a second call, so bound reads by
 * BytesCopied and treat TotalNumberOfEntriesInGlobalAtomTable as advisory. */
typedef struct AtomInfoAll {
	ULONG TotalNumberOfEntriesInGlobalAtomTable;
	ATOM AtomValues[1];
} ATOMINFOALL, *PATOMINFOALL;


/* NtAddAtom / ZwAddAtom: add pString to the global atom table and return its
 * ATOM in pAtom. The NT 5.0 (Windows 2000) form takes an explicit
 * StringLength (units not known from this file -- confirm); the NT4 form takes
 * only the pointer, so it presumably expects a NUL-terminated string and will
 * read until it finds one. Build with -DNT50 to match the running kernel: the
 * two prototypes push a different number of stack bytes into a stdcall
 * (NTAPI) service, so the wrong one corrupts the call. The Zw declarations
 * here lack NTSYSAPI, unlike the Nt ones. */
#ifdef NT50
NTSYSAPI
NTSTATUS
NTAPI
NtAddAtom(
	IN PWCHAR pString,
	IN ULONG StringLength,
	OUT PATOM pAtom
);


NTSTATUS
NTAPI
ZwAddAtom(
	IN PWCHAR pString,
	IN ULONG StringLength,
	OUT PATOM pAtom
);

#else
NTSYSAPI
NTSTATUS
NTAPI
NtAddAtom(
	IN PWCHAR pString,
	OUT PATOM pAtom
);

NTSTATUS
NTAPI
ZwAddAtom(
	IN PWCHAR pString,
	OUT PATOM pAtom
);

#endif

/* NtQueryInformationAtom / Zw...: copy information about Atom (or, for
 * AllAtoms, about the whole table) into AtomInfoBuffer, which is
 * AtomInfoBufferLength bytes long; BytesCopied receives the number written.
 * Both result layouts end in a variable-length array, so callers should check
 * BytesCopied (and presumably retry with a larger buffer on a
 * buffer-too-small status -- the exact status is not known from this file). */
NTSYSAPI
NTSTATUS
NTAPI
NtQueryInformationAtom(
	IN ATOM Atom,
	IN ATOM_INFO_CLASS AtomInfoClass,
	OUT PVOID AtomInfoBuffer,
	IN ULONG AtomInfoBufferLength,
	OUT PULONG BytesCopied
);


NTSTATUS
NTAPI
ZwQueryInformationAtom(
	IN ATOM Atom,
	IN ATOM_INFO_CLASS AtomInfoClass,
	OUT PVOID AtomInfoBuffer,
	IN ULONG AtomInfoBufferLength,
	OUT PULONG BytesCopied
);


/* NtFindAtom / ZwFindAtom: look up pString in the global atom table without
 * adding it and return the ATOM in pAtom. Same NT4 / NT 5.0 prototype split
 * as NtAddAtom: the NT50 form takes StringLength, the NT4 form presumably
 * expects a NUL-terminated string. Select the right one with -DNT50. */
#ifdef NT50
NTSYSAPI
NTSTATUS
NTAPI
NtFindAtom(
	IN PWCHAR pString,
	IN ULONG StringLength,
	OUT PATOM pAtom
);


NTSTATUS
NTAPI
ZwFindAtom(
	IN PWCHAR pString,
	IN ULONG StringLength,
	OUT PATOM pAtom
);

#else
NTSYSAPI
NTSTATUS
NTAPI
NtFindAtom(
	IN PWCHAR pString,
	OUT PATOM pAtom
);


NTSTATUS
NTAPI
ZwFindAtom(
	IN PWCHAR pString,
	OUT PATOM pAtom
);

#endif

/* NtDeleteAtom / ZwDeleteAtom: drop one reference to Atom in the global atom
 * table (ATOMINFOSINGLE carries a ReferenceCount, so the entry presumably
 * disappears only when the count reaches zero -- confirm). */
NTSYSAPI
NTSTATUS
NTAPI
NtDeleteAtom(
	IN ATOM Atom
);


NTSTATUS
NTAPI
ZwDeleteAtom(
	IN ATOM Atom
);

/* NtLoadDriver / ZwLoadDriver: load the kernel driver described by the
 * registry key named in DriverRegistryEntry; NtUnloadDriver / ZwUnloadDriver
 * unload it. From user mode these require the load-driver privilege. A driver
 * that calls the Zw form on behalf of a user-mode client executes the request
 * as the kernel, so the registry path must never be taken from client input:
 * that would let any user load arbitrary code into ring 0. */
NTSYSAPI
NTSTATUS
NTAPI
NtLoadDriver(
	IN PUNICODE_STRING DriverRegistryEntry
);

NTSYSAPI
NTSTATUS
NTAPI
ZwLoadDriver(
	IN PUNICODE_STRING DriverRegistryEntry
);


NTSYSAPI
NTSTATUS
NTAPI
NtUnloadDriver(
	IN PUNICODE_STRING DriverRegistryEntry
);

NTSYSAPI
NTSTATUS
NTAPI
ZwUnloadDriver(
	IN PUNICODE_STRING DriverRegistryEntry
);

/* NtClose / ZwClose: close Handle. In a driver, only close handles the driver
 * itself opened; a handle value supplied by a user-mode client must not be
 * passed to ZwClose, since the call then runs with kernel-mode trust and the
 * client could close handles that are not its own. */
NTSYSAPI
NTSTATUS
NTAPI
NtClose(
    IN HANDLE Handle
    );

NTSYSAPI
NTSTATUS
NTAPI
ZwClose(
    IN HANDLE Handle
    );


#define DUPLICATE_SAME_ACCESS	0x00000002
