ntdll.h

以插入explorer.exe进程的方式自启动。 默认端口2121 支持多种命令

	ULONG	uActiveCount;
	ULONG	uContentionCount;
	DWORD	dwUnknown3;
	DWORD	dwUnknown4;
	ULONG	uNumberOfSharedWaiters;
	ULONG	uNumberOfExclusiveWaiters;
} SYSTEM_LOCK, *PSYSTEM_LOCK;

typedef struct _SYSTEM_LOCK_INFORMATION
{
	ULONG		uCount;
	SYSTEM_LOCK	aSL[];
} SYSTEM_LOCK_INFORMATION, *PSYSTEM_LOCK_INFORMATION;

typedef struct _SYSTEM_HANDLE
{
	ULONG		uIdProcess;
	UCHAR		ObjectType;    // OB_TYPE_* (OB_TYPE_TYPE, etc.)
	UCHAR		Flags;         // HANDLE_FLAG_* (HANDLE_FLAG_INHERIT, etc.)
	USHORT		Handle;
	POBJECT		pObject;
	ACCESS_MASK	GrantedAccess;
} SYSTEM_HANDLE, *PSYSTEM_HANDLE;

typedef struct _SYSTEM_HANDLE_INFORMATION
{
	ULONG			uCount;
	SYSTEM_HANDLE	aSH[];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

typedef struct _SYSTEM_OBJECTTYPE_INFORMATION
{
	ULONG			NextEntryOffset;	// absolute offset
	ULONG			ObjectCount;
	ULONG			HandleCount;
	ULONG			TypeIndex;			// OB_TYPE_* (OB_TYPE_TYPE, etc.)
	ULONG			InvalidAttributes;	// OBJ_* (OBJ_INHERIT, etc.)
	GENERIC_MAPPING	GenericMapping;
	ACCESS_MASK		ValidAccessMask;
	POOL_TYPE		PoolType;
	BOOLEAN			SecurityRequired;
	BOOLEAN			WaitableObject;
	UNICODE_STRING	TypeName;
} SYSTEM_OBJECTTYPE_INFORMATION, *PSYSTEM_OBJECTTYPE_INFORMATION;

// follows after SYSTEM_OBJECTTYPE_INFORMATION.TypeName
typedef struct _SYSTEM_OBJECT_INFORMATION
{
	ULONG					NextEntryOffset;		// absolute offset
	POBJECT					Object;
	ULONG					CreatorProcessId;
	USHORT					CreatorBackTraceIndex;
	USHORT					Flags;					// see "Native API Reference" page 24
	LONG					PointerCount;
	LONG					HandleCount;
	ULONG					PagedPoolCharge;
	ULONG					NonPagedPoolCharge;
	ULONG					ExclusiveProcessId;
	PSECURITY_DESCRIPTOR	SecurityDescriptor;
	UNICODE_STRING			ObjectName;
} SYSTEM_OBJECT_INFORMATION, *PSYSTEM_OBJECT_INFORMATION;

typedef struct _SYSTEM_PAGE_FILE_INFORMATION
{
	ULONG			NextEntryOffset;	// relative offset
	ULONG			CurrentSize;		// pages
	ULONG			TotalUsed;			// pages
	ULONG			PeakUsed;			// pages
	UNICODE_STRING	FileName;
} SYSTEM_PAGE_FILE_INFORMATION, *PSYSTEM_PAGE_FILE_INFORMATION;

typedef struct _SYSTEM_VDM_INSTEMUL_INFO
{
	BOOL	fExVdmSegmentNotPresent;
	ULONG	uOpcode0FV86;
	ULONG	uOpcodeESPrefixV86;
	ULONG	uOpcodeCSPrefixV86;
	ULONG	uOpcodeSSPrefixV86;
	ULONG	uOpcodeDSPrefixV86;
	ULONG	uOpcodeFSPrefixV86;
	ULONG	uOpcodeGSPrefixV86;
	ULONG	uOpcodeOPER32PrefixV86;
	ULONG	uOpcodeADDR32PrefixV86;
	ULONG	uOpcodeINSBV86;
	ULONG	uOpcodeINSWV86;
	ULONG	uOpcodeOUTSBV86;
	ULONG	uOpcodeOUTSWV86;
	ULONG	uOpcodePUSHFV86;
	ULONG	uOpcodePOPFV86;
	ULONG	uOpcodeINTnnV86;
	ULONG	uOpcodeINTOV86;
	ULONG	uOpcodeIRETV86;
	ULONG	uOpcodeINBimmV86;
	ULONG	uOpcodeINWimmV86;
	ULONG	uOpcodeOUTBimmV86;
	ULONG	uOpcodeOUTWimmV86;
	ULONG	uOpcodeINBV86;
	ULONG	uOpcodeINWV86;
	ULONG	uOpcodeOUTBV86;
	ULONG	uOpcodeOUTWV86;
	ULONG	uOpcodeLOCKPrefixV86;
	ULONG	uOpcodeREPNEPrefixV86;
	ULONG	uOpcodeREPPrefixV86;
	ULONG	uOpcodeHLTV86;
	ULONG	uOpcodeCLIV86;
	ULONG	uOpcodeSTIV86;
	ULONG	uVdmBopCount;
} SYSTEM_VDM_INSTEMUL_INFO, *PSYSTEM_VDM_INSTEMUL_INFO;

typedef struct _SYSTEM_CACHE_INFORMATION
{
    ULONG uFileCache;           // bytes
	ULONG uFileCachePeak;       // bytes
    ULONG PageFaultCount;
    ULONG MinimumWorkingSet;
    ULONG MaximumWorkingSet;
    ULONG TransitionSharedPages;
    ULONG TransitionSharedPagesPeak;
    ULONG Reserved[2];
} SYSTEM_CACHE_INFORMATION, *PSYSTEM_CACHE_INFORMATION;

typedef struct _SYSTEM_POOL_ENTRY
{
	BOOLEAN	Allocated;
	BOOLEAN	Spare0;
	USHORT	AllocatorBackTraceIndex;
	ULONG	Size;
	union
	{
		UCHAR	Tag[4];
		ULONG	TagUlong;
		PVOID	ProcessChargedQuota;
	};
} SYSTEM_POOL_ENTRY, *PSYSTEM_POOL_ENTRY;

typedef struct _SYSTEM_POOL_INFORMATION
{
	ULONG				TotalSize;
	PVOID				FirstEntry;
	USHORT				EntryOverhead;
	BOOLEAN				PoolTagPresent;
	BOOLEAN				Spare0;
	ULONG				NumberOfEntries;
	SYSTEM_POOL_ENTRY	Entries[1];
} SYSTEM_POOL_INFORMATION, *PSYSTEM_POOL_INFORMATION;

typedef struct _SYSTEM_POOL_TAG
{
	union
	{
		UCHAR	Tag[4];
		ULONG	TagUlong;
    };
	ULONG	PagedPoolAllocs;
	ULONG	PagedPoolFrees;
	ULONG	PagedPoolUsage;
	ULONG	NonPagedPoolAllocs;
	ULONG	NonPagedPoolFrees;
	ULONG	NonPagedPoolUsage;
} SYSTEM_POOL_TAG, *PSYSTEM_POOL_TAG;

typedef struct _SYSTEM_POOL_TAG_INFORMATION
{
	ULONG			uCount;
	SYSTEM_POOL_TAG	aSPT[];
} SYSTEM_POOL_TAG_INFORMATION, *PSYSTEM_POOL_TAG_INFORMATION;

typedef struct _SYSTEM_INTERRUPT_INFORMATION
{
	ULONG	ContextSwitches;
	ULONG	DpcCount;
	ULONG	DpcRate;
	ULONG	TimeIncrement;
	ULONG	DpcBypassCount;
	ULONG	ApcBypassCount;
} SYSTEM_INTERRUPT_INFORMATION, *PSYSTEM_INTERRUPT_INFORMATION;

typedef struct _SYSTEM_DPC_INFORMATION
{
	DWORD	dwUnknown1;
	ULONG	MaximumDpcQueueDepth;
	ULONG	MinimumDpcRate;
	ULONG	AdjustDpcThreshold;
	ULONG	IdealDpcRate;
} SYSTEM_DPC_INFORMATION, *PSYSTEM_DPC_INFORMATION;

typedef struct _SYSTEM_MEMORY_INFO
{
	PUCHAR	StringOffset;
	USHORT	ValidCount;
	USHORT	TransitionCount;
	USHORT	ModifiedCount;
	USHORT	PageTableCount;
} SYSTEM_MEMORY_INFO, *PSYSTEM_MEMORY_INFO;

typedef struct _SYSTEM_MEMORY_INFORMATION
{
	ULONG				InfoSize;
	ULONG				StringStart;
	SYSTEM_MEMORY_INFO	Memory[1];
} SYSTEM_MEMORY_INFORMATION, *PSYSTEM_MEMORY_INFORMATION;

typedef struct _SYSTEM_LOAD_DRIVER
{
	UNICODE_STRING			DriverName;			// input
	PVOID					BaseAddress;		// output
	PVOID					SectionPointer;		// output
	PVOID					EntryPoint;			// output
	PIMAGE_EXPORT_DIRECTORY	ExportDirectory;	// output
} SYSTEM_LOAD_DRIVER, *PSYSTEM_LOAD_DRIVER;

typedef struct _SYSTEM_UNLOAD_DRIVER
{
	PVOID	SectionPointer;
} SYSTEM_UNLOAD_DRIVER, *PSYSTEM_UNLOAD_DRIVER;

typedef struct _SYSTEM_QUERY_TIME_ADJUSTMENT
{
	ULONG	TimeAdjustment;
	ULONG	MaximumIncrement;
	BOOLEAN	TimeSynchronization;
} SYSTEM_QUERY_TIME_ADJUSTMENT, *PSYSTEM_QUERY_TIME_ADJUSTMENT;

typedef struct _SYSTEM_SET_TIME_ADJUSTMENT
{
	ULONG	TimeAdjustment;
	BOOLEAN	TimeSynchronization;
} SYSTEM_SET_TIME_ADJUSTMENT, *PSYSTEM_SET_TIME_ADJUSTMENT;

typedef struct _SYSTEM_CRASH_DUMP_INFORMATION
{
	HANDLE	CrashDumpSectionHandle;
} SYSTEM_CRASH_DUMP_INFORMATION, *PSYSTEM_CRASH_DUMP_INFORMATION;

typedef struct _SYSTEM_CRASH_DUMP_INFORMATION_2000
{
	HANDLE	CrashDumpSectionHandle;
	HANDLE	Unknown;				// Windows 2000 only
} SYSTEM_CRASH_DUMP_INFORMATION_2000, *PSYSTEM_CRASH_DUMP_INFORMATION_2000;

typedef struct _SYSTEM_EXCEPTION_INFORMATION
{
	ULONG	AlignmentFixupCount;
	ULONG	ExceptionDispatchCount;
	ULONG	FloatingEmulationCount;
	ULONG	ByteWordEmulationCount;
} SYSTEM_EXCEPTION_INFORMATION, *PSYSTEM_EXCEPTION_INFORMATION;

typedef struct _SYSTEM_CRASH_DUMP_STATE_INFORMATION
{
	ULONG	ValidCrashDump;
} SYSTEM_CRASH_DUMP_STATE_INFORMATION, *PSYSTEM_CRASH_DUMP_STATE_INFORMATION;

typedef struct _SYSTEM_CRASH_DUMP_STATE_INFORMATION_2000
{
	ULONG	ValidCrashDump;
	ULONG	Unknown;		// Windows 2000 only
} SYSTEM_CRASH_DUMP_STATE_INFORMATION_2000, *PSYSTEM_CRASH_DUMP_STATE_INFORMATION_2000;

typedef struct _SYSTEM_DEBUGGER_INFORMATION
{
	BOOLEAN	KernelDebuggerEnabled;
	BOOLEAN	KernelDebuggerNotPresent;
} SYSTEM_DEBUGGER_INFORMATION, *PSYSTEM_DEBUGGER_INFORMATION;

typedef struct _SYSTEM_CONTEXT_SWITCH_INFORMATION
{
	ULONG	ContextSwitches;
	ULONG	FindAny;
	ULONG	FindLast;
	ULONG	FindIdeal;
	ULONG	IdleAny;
	ULONG	IdleCurrent;
	ULONG	IdleLast;
	ULONG	IdleIdeal;
	ULONG	PreemptAny;
	ULONG	PreemptCurrent;
	ULONG	PreemptLast;
	ULONG	SwitchToIdle;
} SYSTEM_CONTEXT_SWITCH_INFORMATION, *PSYSTEM_CONTEXT_SWITCH_INFORMATION;

typedef struct _SYSTEM_REGISTRY_QUOTA_INFORMATION
{
	ULONG	RegistryQuotaAllowed;	// bytes
	ULONG	RegistryQuotaUsed;		// bytes
	ULONG	PagedPoolSize;			// bytes
} SYSTEM_REGISTRY_QUOTA_INFORMATION, *PSYSTEM_REGISTRY_QUOTA_INFORMATION;

typedef struct _SYSTEM_ADD_DRIVER
{
	UNICODE_STRING	ModuleName;
} SYSTEM_ADD_DRIVER, *PSYSTEM_ADD_DRIVER;

typedef struct _SYSTEM_PRIORITY_SEPARATION_INFORMATION
{
	ULONG	PrioritySeparation;		// 0..2
} SYSTEM_PRIORITY_SEPARATION_INFORMATION, *PSYSTEM_PRIORITY_SEPARATION_INFORMATION;

#define MAX_BUS_NAME	24

typedef enum _PLUGPLAY_BUS_CLASS
{
	SystemBus,
	PlugPlayVirtualBus,
	MaxPlugPlayBusClass
} PLUGPLAY_BUS_CLASS, *PPLUGPLAY_BUS_CLASS;

typedef enum _PLUGPLAY_VIRTUAL_BUS_TYPE
{
	Root,
	MaxPlugPlayVirtualBusType
} PLUGPLAY_VIRTUAL_BUS_TYPE, *PPLUGPLAY_VIRTUAL_BUS_TYPE;

typedef enum _INTERFACE_TYPE
{
	InterfaceTypeUndefined = -1,
	Internal,
	Isa,
	Eisa,
	MicroChannel,
	TurboChannel,
	PCIBus,
	VMEBus,
	NuBus,
	PCMCIABus,
	CBus,
	MPIBus,
	MPSABus,
	ProcessorInternal,
	InternalPowerBus,
	PNPISABus,
	PNPBus,
	MaximumInterfaceType
}INTERFACE_TYPE, *PINTERFACE_TYPE;

typedef struct _PLUGPLAY_BUS_TYPE
{
	PLUGPLAY_BUS_CLASS	BusClass;
	union
	{
		INTERFACE_TYPE				SystemBusType;
		PLUGPLAY_VIRTUAL_BUS_TYPE	PlugPlayVirtualBusType;
    };
} PLUGPLAY_BUS_TYPE, *PPLUGPLAY_BUS_TYPE;

typedef struct _PLUGPLAY_BUS_INSTANCE
{
	PLUGPLAY_BUS_TYPE	BusType;
	ULONG				BusNumber;
	WCHAR				BusName[MAX_BUS_NAME];
} PLUGPLAY_BUS_INSTANCE, *PPLUGPLAY_BUS_INSTANCE;

typedef struct _SYSTEM_PLUGPLAY_BUS_INFORMATION
{
	ULONG					BusCount;
	PLUGPLAY_BUS_INSTANCE	BusInstance[1];
} SYSTEM_PLUGPLAY_BUS_INFORMATION, *PSYSTEM_PLUGPLAY_BUS_INFORMATION;

typedef enum _SYSTEM_DOCK_STATE
{
	SystemDockStateUnknown,
	SystemUndocked,
	SystemDocked
} SYSTEM_DOCK_STATE, *PSYSTEM_DOCK_STATE;

typedef struct _SYSTEM_DOCK_INFORMATION
{
	SYSTEM_DOCK_STATE	DockState;
	INTERFACE_TYPE		DeviceBusType;
	ULONG				DeviceBusNumber;
	ULONG				SlotNumber;
} SYSTEM_DOCK_INFORMATION, *PSYSTEM_DOCK_INFORMATION;

typedef struct _SYSTEM_POWER_INFORMATION	// not for SystemPowerInfo !
{
	BOOLEAN			SystemSuspendSupported;
	BOOLEAN			SystemHibernateSupported;
	BOOLEAN			ResumeTimerSupportsSuspend;
	BOOLEAN			ResumeTimerSupportsHibernate;
	BOOLEAN			LidSupported;
	BOOLEAN			TurboSettingSupported;
	BOOLEAN			TurboMode;
	BOOLEAN			SystemAcOrDc;
	BOOLEAN			PowerDownDisabled;
	LARGE_INTEGER	SpindownDrives;
} SYSTEM_POWER_INFORMATION, *PSYSTEM_POWER_INFORMATION;

typedef struct _SYSTEM_PROCESSOR_SPEED_INFORMATION	// not for SystemProcessorSpeedInformation !
{
	ULONG	MaximumProcessorSpeed;
	ULONG	CurrentAvailableSpeed;
	ULONG	ConfiguredSpeedLimit;
	BOOLEAN	PowerLimit;
	BOOLEAN	ThermalLimit;
	BOOLEAN	TurboLimit;
} SYSTEM_PROCESSOR_SPEED_INFORMATION, *PSYSTEM_PROCESSOR_SPEED_INFORMATION;

typedef struct _SYSTEM_TIME_ZONE_INFORMATION
{
	LONG		Bias;
	WCHAR		StandardName[32];
	TIME_FIELDS	StandardDate;
	LONG		StandardBias;
	WCHAR		DaylightName[32];
	TIME_FIELDS	DaylightDate;
	LONG		DaylightBias;
} SYSTEM_TIME_ZONE_INFORMATION, *PSYSTEM_TIME_ZONE_INFORMATION;

typedef struct _SYSTEM_LOOKASIDE
{
	USHORT		Depth;
	USHORT		MaximumDepth;
	ULONG		TotalAllocates;
	ULONG		AllocateMisses;
	ULONG		TotalFrees;
	ULONG		FreeMisses;
	POOL_TYPE	Type;
	ULONG		Tag;
	ULONG		Size;
} SYSTEM_LOOKASIDE, *PSYSTEM_LOOKASIDE;

typedef struct _SYSTEM_LOOKASIDE_INFORMATION
{
	SYSTEM_LOOKASIDE	asl[];
} SYSTEM_LOOKASIDE_INFORMATION, *PSYSTEM_LOOKASIDE_INFORMATION;

typedef struct _SYSTEM_SET_TIME_SLIP_EVENT
{
	HANDLE	TimeSlipEvent;
} SYSTEM_SET_TIME_SLIP_EVENT, *PSYSTEM_SET_TIME_SLIP_EVENT;

typedef struct _SYSTEM_CREATE_SESSION
{
	ULONG	Session;
} SYSTEM_CREATE_SESSION, *PSYSTEM_CREATE_SESSION;

typedef struct _SYSTEM_DELETE_SESSION
{
	ULONG	Session;
} SYSTEM_DELETE_SESSION, *PSYSTEM_DELETE_SESSION;

typedef struct _SYSTEM_RANGE_START_INFORMATION
{
	PVOID	SystemRangeStart;
} SYSTEM_RANGE_START_INFORMATION, *PSYSTEM_RANGE_START_INFORMATION;

NTSYSAPI
NTSTATUS
NTAPI
NtQuerySystemInformation(
	IN SYSTEMINFOCLASS	SystemInformationClass,
	OUT PVOID			pSystemInformation,
	IN ULONG			uSystemInformationLength,
    OUT PULONG			puReturnLength OPTIONAL
	);

NTSYSAPI
NTSTATUS
NTAPI