#pragma once #include #include #ifndef NTSTATUS typedef long NTSTATUS; #endif // https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/sysinfo/handle_table_entry.htm?ts=0,80 typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO { USHORT UniqueProcessId; USHORT CreatorBackTraceIndex; UCHAR ObjectTypeIndex; UCHAR HandleAttributes; USHORT HandleValue; PVOID Object; ULONG GrantedAccess; } SYSTEM_HANDLE_TABLE_ENTRY_INFO; typedef SYSTEM_HANDLE_TABLE_ENTRY_INFO* PSYSTEM_HANDLE_TABLE_ENTRY_INFO; typedef struct _SYSTEM_HANDLE_INFORMATION { ULONG NumberOfHandles; SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[]; } SYSTEM_HANDLE_INFORMATION; typedef SYSTEM_HANDLE_INFORMATION* PSYSTEM_HANDLE_INFORMATION; typedef enum _SYSTEM_INFORMATION_CLASS // this is an incomplete definition { SystemBasicInformation = 0, // 3.10 and higher SystemProcessorInformation = 1, // 3.10 and higher SystemPerformanceInformation = 2, // 3.10 and higher SystemTimeOfDayInformation = 3, // 3.10 and higher SystemPathInformation = 4, // 3.10 and higher SystemProcessInformation = 5, // 3.10 and higher SystemCallCountInformation = 6, // 3.10 and higher SystemDeviceInformation = 7, // 3.10 and higher SystemProcessorPerformanceInformation = 8, // 3.10 and higher SystemFlagsInformation = 9, // 3.10 and higher SystemCallTimeInformation = 10, // 3.10 and higher SystemModuleInformation = 11, // 3.10 and higher SystemLocksInformation = 12, // 3.10 and higher SystemStackTraceInformation = 13, // 3.10 and higher SystemPagedPoolInformation = 14, // 3.10 and higher SystemNonPagedPoolInformation = 15, // 3.10 and higher SystemHandleInformation = 16, // 3.10 and higher SystemObjectInformation = 17, // 3.10 and higher SystemPageFileInformation = 18, // 3.10 and higher SystemVdmInstemulInformation = 19, // 3.10 and higher SystemVdmBopInformation = 20, // 3.10 and higher SystemFileCacheInformation = 21, // 3.10 and higher SystemPoolTagInformation = 22, // 3.50 and higher SystemInterruptInformation = 23, // 3.51 and higher SystemExceptionInformation = 33, // 3.50 and higher SystemRegistryQuotaInformation = 37, // 3.51 and higher SystemLookasideInformation = 45, // 4.0 and higher SystemBigPoolInformation = 66, // 5.2 and higher SystemCodeIntegrityInformation = 103, // 6.0 and higher SystemQueryPerformanceCounterInformation = 124, // 6.1 and higher SystemPolicyInformation = 134, // 6.2 and higher, was known as SystemThrottleNotificationInformation in 6.2 SystemKernelVaShadowInformation = 196, // 1803 and higher SystemSpeculationControlInformation = 201, // 1803 and higher SystemDmaGuardPolicyInformation = 202, // 1803 and higher SystemEnclaveLaunchControlInformation = 203 // 1803 and higher } SYSTEM_INFORMATION_CLASS; // Definitions taken from https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ps/psquery/class.htm typedef enum _THREADINFOCLASS { ThreadBasicInformation = 0x0, // All versions ThreadTimes = 0x1, // All versions ThreadPriority = 0x2, // All versions ThreadBasePriority = 0x3, // All versions ThreadAffinityMask = 0x4, // All versions ThreadImpersonationToken = 0x5, // All versions ThreadDescriptorTableEntry = 0x6, // All versions ThreadEnableAlignmentFaultFixup = 0x7, // All versions ThreadEventPair = 0x8, // 3.10 to 4.0 ThreadEventPair_Reuseable = 0x8, // 5.0 and higher ThreadQuerySetWin32StartAddress = 0x9, // All versions ThreadZeroTlsCell = 0x0A, // All versions minus 3.10 where it was 0xB ThreadPerformanceCount = 0x0B, // 3.51 and higher ThreadAmILastThread = 0x0C, // 3.51 and higher ThreadIdealProcessor = 0x0D, // 4.0 and higher ThreadPriorityBoost = 0x0E, // 4.0 and higher ThreadSetTlsArrayAddress = 0x0F, // 4.0 and higher ThreadIsIoPending = 0x10, // 5.0 and higher ThreadHideFromDebugger = 0x11, // 5.0 and higher ThreadBreakOnTermination = 0x12, // 5.2 and higher ThreadSwitchLegacyState = 0x13, // 5.2 and higher from Windows Server 2003 SP1 ThreadIsTerminated = 0x14, // 5.2 and higher from Windows Server 2003 SP1 ThreadLastSystemCall = 0x15, // 6.0 and higher ThreadIoPriority = 0x16, // 6.0 and higher ThreadCycleTime = 0x17, // 6.0 and higher ThreadPagePriority = 0x18, // 6.0 and higher ThreadActualBasePriority = 0x19, // 6.0 and higher ThreadTebInformation = 0x1A, // 6.0 and higher ThreadCSwitchMon = 0x1B, // 6.0 and higher ThreadCSwitchPmu = 0x1C, // 6.1 and higher ThreadWow64Context = 0x1D, // 6.1 and higher ThreadGroupInformation = 0x1E, // 6.1 and higher ThreadUmsInformation = 0x1F, // 6.1 and higher ThreadCounterProfiling = 0x20, // 6.1 and higher ThreadIdealProcessorEx = 0x21, // 6.1 and higher ThreadCpuAccountingInformation = 0x22, // 6.2 and higher ThreadSuspendCount = 0x23, // 6.3 and higher ThreadHeterogeneousCpuPolicy = 0x24, // 10.0 and higher ThreadContainerId = 0x25, // 10.0 and higher ThreadNameInformation = 0x26, // 10.0 and higher ThreadSelectedCpuSets = 0x27, // 10.0 and higher ThreadSystemThreadInformation = 0x28, // 10.0 and higher ThreadActualGroupAffinity = 0x29 // 10.0 and higher } THREADINFOCLASS; typedef NTSTATUS(__stdcall* fNtQuerySystemInformation)( SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength ); typedef NTSTATUS(__stdcall* fNtCallbackReturn)( PVOID Result, ULONG ResultLength, NTSTATUS CallbackStateus ); typedef NTSTATUS(__stdcall* fNtUserConsoleControl)( DWORD ConsoleCtrl, PVOID ConsoleCtrlInfo, ULONG ConsoleCtrlInfoLength ); typedef NTSTATUS(__stdcall* fNtUserMessageCall)( HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, ULONG_PTR ResultInfo, DWORD dwType, BOOL bAscii ); typedef PVOID(__stdcall* fRtlAllocateHeap)( PVOID HeapHandle, ULONG Flags, SIZE_T Size ); typedef VOID(__stdcall* fRtlGetNtVersionNumbers)( DWORD* MajorVersion, DWORD* MinorVersion, DWORD* BuildNumber ); #define TYPE_WINDOW 1 typedef PVOID(__stdcall* fHMValidateHandle)(HANDLE hHandle, DWORD dwType); // // Taken from ntdef.h // // Unicode strings are counted 16-bit character strings. If they are // NULL terminated, Length does not include trailing NULL. typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; #ifdef MIDL_PASS [size_is(MaximumLength / 2), length_is((Length) / 2)] USHORT* Buffer; #else // MIDL_PASS _Field_size_bytes_part_opt_(MaximumLength, Length) PWCH Buffer; #endif // MIDL_PASS } UNICODE_STRING, *PUNICODE_STRING; typedef struct _OBJECT_ATTRIBUTES { ULONG Length; HANDLE RootDirectory; PUNICODE_STRING ObjectName; ULONG Attributes; PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; // // Taken from wdm.h // typedef struct _IO_STATUS_BLOCK { union { NTSTATUS Status; PVOID Pointer; }; ULONG_PTR Information; } IO_STATUS_BLOCK, * PIO_STATUS_BLOCK; typedef NTSTATUS(__stdcall* fNtCreateFile)( PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength ); typedef NTSTATUS(__stdcall* fNtDeviceIoControlFile)( HANDLE FileHandle, HANDLE Event, PVOID ApcRoutine, // PIO_APC_ROUTINE is just a pointer to a function PVOID ApcContext, PIO_STATUS_BLOCK IoStatusBlock, ULONG IoControlCode, PVOID InputBuffer, ULONG InputBufferLength, PVOID OutputBuffer, ULONG OutputBufferLength ); typedef NTSTATUS(__stdcall* fNtCreateIoCompletion)( PHANDLE IoCompletionHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, ULONG NumberOfConcurrentThreads ); typedef NTSTATUS(__stdcall* fNtSetIoCompletion)( HANDLE IoCompletionHandle, ULONG CompletionKey, PIO_STATUS_BLOCK IoStatusBlock, NTSTATUS CompletionStatus, ULONG NumberOfBytesTransferred );