uLib  User mode C/C++ extended API library for Win32 programmers.
NtFunc.cpp
1 //~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2 // Project: uLib - User mode utility library.
3 // Module: Dynalinks to NtDll functions, and user mode APIs based on them.
4 // Author: Copyright (c) Love Nystrom
5 // License: NNOSL (BSD descendant, see NNOSL.txt in the base directory).
6 //~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
7 
8 #include <uLib/Debug.h>
9 #ifndef NO_NDK_FILES
10 // _INIT_FP_ initializes the function pointers in NtFunc.h to NULL.
12 // It also removes the 'extern' linkage during compilation of this module.
13 // The 'extern' linkage is used whenever a user includes NtFunc.h.
14 #define _INIT_FP_ 1
15 #include <uLib/NtFunc.h>
17 #include <uLib/MemFunc.h>
18 #include <uLib/StrFunc.h>
19 
20 //==---------------------------------------------------------------------------
21 
23  OUT POBJECT_ATTRIBUTES pObj,
24  HANDLE BaseObj, PUNICODE_STRING ObjName, ULONG Attributes,
25  PSECURITY_DESCRIPTOR SecurityDesc, PSECURITY_QUALITY_OF_SERVICE SecurityQoS
26  )
27 {
 // Fills the caller-supplied OBJECT_ATTRIBUTES from the remaining arguments.
 // Returns false, leaving *pObj untouched, when pObj is NULL or is rejected by
 // IsBadWritePtr; returns true once every field has been stored.
 // The pointers are stored as given (nothing is copied), so ObjName,
 // SecurityDesc and SecurityQoS have to outlive every use of *pObj.
 // NOTE(review): the declaration line is absent from this listing; the name is
 // presumably _InitializeObjectAttributes, which is called further down with
 // this argument order - confirm against NtFunc.h.
 // NOTE(review): IsBadWritePtr is documented by Microsoft as obsolete. It probes
 // by touching the memory, can consume a guard page, and its answer can be stale
 // as soon as another thread changes the mapping. Only the NULL test is a
 // dependable part of this check.
28  bool ok = ((pObj != NULL) && !IsBadWritePtr( pObj, sizeof(OBJECT_ATTRIBUTES) ));
29  if (ok)
30  {
31  pObj->Length = sizeof(OBJECT_ATTRIBUTES);
32  pObj->RootDirectory = BaseObj;
33  pObj->Attributes = Attributes;
34  pObj->ObjectName = ObjName;
35  pObj->SecurityDescriptor = SecurityDesc;
36  pObj->SecurityQualityOfService = SecurityQoS;
37  }
38  return ok;
39 }
40 
41 //==---------------------------------------------------------------------------
42 
43 // Allocate and initialize a packed OBJECT_ATTRIBUTES struct.
44 
46  HANDLE BaseObj, PCWSTR ObjName, ULONG Attributes,
47  PSECURITY_DESCRIPTOR SecurityDesc,
48  PSECURITY_QUALITY_OF_SERVICE SecurityQoS
49  )
50 {
 // Allocates one malloc block holding the attributes, the UNICODE_STRING and a
 // copy of ObjName, then wires them together with _InitializeObjectAttributes.
 // Returns the block, or NULL with the last error set to ERROR_OUTOFMEMORY.
 // The block comes from malloc, so the caller presumably releases it with
 // free() - confirm against the header.
 // SecurityDesc and SecurityQoS are stored by pointer and are not copied.
 // NOTE(review): _ASSERTE is a CRT debug macro and is normally compiled out of
 // release builds, so a NULL ObjName would reach wcslen unchecked there.
51  _ASSERTE( ObjName && *ObjName );
52 
53  UINT ccName = (UINT) wcslen( ObjName ); // Excl terminator
54  UINT cbName = ccName * WCHAR_SIZE;
55  UINT cbStruct = cbName + sizeof(PACKED_OBJ_ATTRIBUTES);
56  // cbStruct incl ObjName terminator, since dimof(NameBuf) == 1.
57 
58  PACKED_OBJ_ATTRIBUTES* poa = (PACKED_OBJ_ATTRIBUTES*) malloc( cbStruct );
59  if ( !poa ) SetLastError( ERROR_OUTOFMEMORY );
60  else
61  {
 // The copy is bounded by the allocation, which was sized from the same string.
63  wcscpy( poa->NameBuf, ObjName );
65  poa->uName.Buffer = poa->NameBuf;
 // NOTE(review): cbName is a UINT while UNICODE_STRING lengths are 16-bit (see
 // the USHORT cast below). A name of 32767 characters or more wraps the stored
 // lengths although the buffer holds the whole string; rejecting such names
 // before allocating would keep the two in step.
66  poa->uName.Length = cbName;
67  poa->uName.MaximumLength = USHORT( cbName + WCHAR_SIZE ); // Incl _NUL
68 
 // The return value (false when the pointer check inside fails) is ignored here.
69  _InitializeObjectAttributes( (OBJECT_ATTRIBUTES*)poa,
70  BaseObj, &poa->uName, Attributes, SecurityDesc, SecurityQoS
71  );
72  }
73  return poa;
74 }
75 
76 //==---------------------------------------------------------------------------
77 
78 // Get the PEB address of hProcess.
79 
80 PPEB GetPEBAddress( HANDLE hProcess )
81 {
 // Queries ProcessBasicInformation for hProcess and returns its PebBaseAddress.
 // Returns NULL when the query fails; the NTSTATUS is then converted into the
 // thread's last error and traced.
 // The returned value is an address inside hProcess. It is only meaningful to
 // read it locally when hProcess is the calling process; GetProcPEB copies the
 // structure across with _NtReadVirtualMemory for that reason.
82  PROCESS_BASIC_INFORMATION pbi;
83  PPEB ppeb = NULL;
84  ULONG size = 0; // Receives the returned length; not examined afterwards
85  IF_DEBUG( memset( &pbi, 0, sizeof(pbi) ));
86 
 // NOTE(review): listing lines 87-88 are absent from this rendering, so whatever
 // introduces the block below (presumably a guard) cannot be seen here -
 // confirm against the source file.
89  {
90  NTSTATUS status = _NtQueryInformationProcess(
91  hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), &size
92  );
93  if (NT_SUCCESS( status )) ppeb = pbi.PebBaseAddress;
94  else
95  {
96  SetLastErrorFromNtStatus( status );
97  TRACE( DP_ERROR, _F("NtQueryInformationProcess: %s\n"), SysErrorMsg() );
98  }
99  }
100  return ppeb;
101 }
102 
103 // Get the PEB of hProcess ==--------------------------------------------------
104 // Copy the data, since it may be in another process' address space.
105 
bool GetProcPEB( HANDLE hProcess, PPEB pPeb OUT )
{
    // The PEB address belongs to hProcess, so it is never dereferenced here;
    // the structure is copied into the caller's buffer instead.
    PPEB remotePeb = GetPEBAddress( hProcess );
    if (remotePeb == NULL) return false; // GetPEBAddress has set the last error

    SIZE_T cbPeb = sizeof(PEB);
    NTSTATUS rc = _NtReadVirtualMemory( hProcess, remotePeb, pPeb, cbPeb, &cbPeb );
    if (NT_SUCCESS( rc )) return true;

    // Failed read: publish the status as the thread's last error and trace it.
    SetLastErrorFromNtStatus( rc );
    TRACE( DP_ERROR, _F("NtReadVirtualMemory: %s\n"), SysErrorMsg() );
    return false;
}
123 
124 //== Light-weight module enumeration ==----------------------------------------
125 
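// Walk the load-order module list of hProcess and call Action once per entry.
//
// Each entry is copied out of the target with _NtReadVirtualMemory into a
// local LDR_MODULE before Action sees it. Enumeration stops when the walk
// returns to the list head, when an entry has a NULL BaseAddress, when Action
// returns false, when a read fails, or when the safety cap is reached.
//
// Returns the number of entries handed to Action. Returns 0 with the last
// error set when Action is NULL, the scratch entry cannot be allocated, or
// the loader data cannot be read.
//
// Everything read from the target's PEB and loader data is chosen by the
// target process. The pointers inside the LDR_MODULE passed to Action
// (including the UNICODE_STRING buffers) are addresses in the target and must
// not be dereferenced locally.
UINT EnumProcModules( HANDLE hProcess, PFnEnumModuleAction Action, PVOID Context )
{
    // A well-formed list is circular and ends at its head. A damaged or
    // deliberately crafted list may never get there, so the walk is bounded.
    const UINT maxModules = 0x10000;
    UINT nrModules = 0;

    if (!Action)
    {
        SetLastError( ERROR_INVALID_PARAMETER );
        return 0;
    }

    PLDR_MODULE plm = (PLDR_MODULE) mem_Alloc( sizeof(LDR_MODULE) ); // Not on stack!
    if (!plm)
    {
        SetLastError( ERROR_OUTOFMEMORY );
        return 0;
    }

    PEB peb; IF_DEBUG( memset( &peb, 0, sizeof(peb) ));
    PEB_LDR_DATA ld; IF_DEBUG( memset( &ld, 0, sizeof(ld) ));

    if (GetProcPEB( hProcess, &peb ))
    {
        SIZE_T size = sizeof(PEB_LDR_DATA);
        NTSTATUS status = _NtReadVirtualMemory( hProcess, peb.Ldr, &ld, size, &size );
        if (!NT_SUCCESS( status ))
        {
            SetLastErrorFromNtStatus( status );
            // %lu expects unsigned long; SIZE_T is wider on 64-bit builds.
            TRACE( DP_ERROR, _F("NtReadVirtualMemory (%lu of %lu): %s\n"),
                (ULONG) size, (ULONG) sizeof(PEB_LDR_DATA), SysErrorMsg()
                );
        }
        else
        {
            // Address of the list head inside the target. It is computed by
            // pointer arithmetic only and compared against, never read through:
            // the earlier test 'entry->Flink == first' dereferenced a target
            // address in this process, which is only valid for the own process.
            PLIST_ENTRY head = (PLIST_ENTRY)(
                (PBYTE) peb.Ldr + FIELD_OFFSET( PEB_LDR_DATA, InLoadOrderModuleList )
                );
            PLIST_ENTRY entry = ld.InLoadOrderModuleList.Flink;

            while (entry != head && nrModules < maxModules
                && NT_SUCCESS( _NtReadVirtualMemory( hProcess, entry, plm, sizeof(LDR_MODULE), &size )))
            {
                if (plm->BaseAddress == NULL) break; // Blank entry (assume it's an end marker)
                nrModules++;

                if (!Action( hProcess, plm, Context )) break;

                entry = plm->InLoadOrderLinks.Flink;
            }
        }
    }
    mem_Free( plm );
    return nrModules;
}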
166 
167 //==---------------------------------------------------------------------------
168 
170  HANDLE hProc, PUNICODE_STRING pProcStr, WSTR wzBuf, UINT ccBuf )
171 {
 // Copies the characters of a UNICODE_STRING whose Buffer lives in hProc into
 // wzBuf and NUL-terminates the result. The UNICODE_STRING header itself is
 // read locally; only pProcStr->Buffer is treated as an address in hProc.
 // Returns true when the read succeeded. On a failed read wzBuf[0] is set to 0.
 // When pProcStr is NULL or its Length is 0, false is returned and wzBuf is
 // not written at all.
 // NOTE(review): the declaration line is absent from this listing; the name
 // CopyProcUStringBuf is taken from the calls elsewhere in this file.
 // NOTE(review): out-of-bounds write. cbStr is capped at ccBuf * WCHAR_SIZE, so
 // when pProcStr->Length is at least that large the read fills all ccBuf
 // elements and the terminator store lands on wzBuf[ccBuf], one element past
 // the buffer. Length comes from loader data copied out of the target process
 // by the callers in this file, so the target controls it. Cap the read at
 // (ccBuf - 1) * WCHAR_SIZE after rejecting ccBuf == 0.
173  #define __USENTDLL 0 // Should we use _NtReadVirtualMemory..?
174 
176  BOOL ok = false;
177  // Check if there is anything to actually copy..
178  if (pProcStr && pProcStr->Length)
179  {
180  SIZE_T ccStr = pProcStr->Length / WCHAR_SIZE; // Not used below
181  SIZE_T cbStr = min_<ULONG>( pProcStr->Length, ccBuf * WCHAR_SIZE );
182 
183  #if !__USENTDLL
184  ok = ReadProcessMemory( hProc, pProcStr->Buffer, wzBuf, cbStr, &cbStr );
185  #else
187  NTSTATUS status = _NtReadVirtualMemory(
188  hProc, pProcStr->Buffer, wzBuf, cbStr, &cbStr
189  );
190  ok = NT_SUCCESS( status );
191  #endif
192 
 // cbStr now holds the byte count actually read; the terminator goes right
 // after the last character copied.
193  if (ok && cbStr) wzBuf[ cbStr / WCHAR_SIZE ] = 0; //ccStr
194  else
195  {
196  wzBuf[0] = 0;
197  #if !__USENTDLL
198  TRACE( DP_ERROR, _F("ReadProcessMemory: %s\n"), SysErrorMsg() );
199  #else
200  SetLastErrorFromNtStatus( status );
201  TRACE( DP_ERROR, _F("NtReadVirtualMemory: %s\n"), SysErrorMsg() );
202  #endif
203  }
204  }
205  return bool_cast( ok );
206  #undef __USENTDLL
207 }
208 
209 //== Get the LDR_DATA for a given DLL in hProcess ==---------------------------
210 
struct cdd_Data // private : "check dll data"
{
    WCSTR       Name;   // Base name being searched for
    size_t      ccName; // Length of Name in characters
    PLDR_MODULE Result; // Caller's buffer; receives a copy of the matching entry
};
219 
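// EnumProcModules callback: looks for the module named in the cdd_Data context.
// Ctx points at a cdd_Data. On a match the entry is copied into pd->Result and
// false is returned so that the enumeration stops; otherwise true is returned.
// The comparison ignores case and covers the first pd->ccName characters.
// NOTE(review): a module whose base name merely starts with the wanted name
// still matches, as before - confirm that prefix matching is intended.
static bool __stdcall find_LdrDll( HANDLE hProc, const PLDR_MODULE pMod, PVOID Ctx )
{
    cdd_Data* pd = (cdd_Data*) Ctx;

    WCHAR wzName[ MAX_PATH ];
    // One element is held back: CopyProcUStringBuf stores its terminator at the
    // index equal to the number of characters copied, which can reach the
    // capacity it was given. BaseDllName.Length is supplied by the target.
    if (!CopyProcUStringBuf( hProc, &pMod->BaseDllName, wzName, dimof(wzName) - 1 ))
        return true; // Name unreadable, keep enumerating

    // A module name shorter than the wanted name can never be the wanted module.
    // Comparing only the shorter length used to accept it on a partial match.
    SIZE_T ccName = pMod->BaseDllName.Length / WCHAR_SIZE;
    if (ccName < pd->ccName) return true;

    if (_wcsnicmp( wzName, pd->Name, pd->ccName ) != 0) return true;

    memcpy( pd->Result, pMod, sizeof(LDR_MODULE) );
    return false; // Found, stop the enumeration
}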
238 
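// Replace a UNICODE_STRING whose Buffer is an address in hProc by a local copy.
// On any failure the string is emptied, so no target-process pointer is left
// behind for a later FreeLdrModBuffers to release.
static void localize_UStr( HANDLE hProc, PUNICODE_STRING pu )
{
    WCHAR wzName[ MAX_PATH ];
    PWSTR copy = NULL;

    // One element is held back for the terminator CopyProcUStringBuf appends.
    if (CopyProcUStringBuf( hProc, pu, wzName, dimof(wzName) - 1 ))
        copy = (PWSTR) newWStr( wzName );

    pu->Buffer = copy;
    if (copy)
    {
        // The copy may be shorter than the original (truncated to the local
        // buffer), so the lengths are restated from what was actually kept.
        // Assumes newWStr allocates the string plus its terminator - confirm.
        pu->Length = (USHORT)( wcslen( copy ) * WCHAR_SIZE );
        pu->MaximumLength = (USHORT)( pu->Length + WCHAR_SIZE );
    }
    else pu->Length = pu->MaximumLength = 0;
}

// Find the loader entry of the module named DllBaseName in hProcess and copy
// it into *pData. A NULL hProcess means the calling process.
//
// Returns sizeof(LDR_MODULE) when the module was found, else 0. Invalid
// arguments set the last error to ERROR_INVALID_PARAMETER.
//
// With Localize set, BaseDllName and FullDllName are re-pointed at local
// copies that the caller releases with FreeLdrModBuffers. Without it, both
// Buffer members remain addresses in hProcess: they must not be dereferenced
// locally, and the entry must not be passed to FreeLdrModBuffers.
UINT GetProcDllData( HANDLE hProcess, WCSTR DllBaseName, PLDR_MODULE pData, bool Localize )
{
    UINT cbData = 0; // ret.val

    // NOTE(review): IsBadWritePtr is documented by Microsoft as obsolete; only
    // the NULL tests are dependable. It is kept so that callers see no change.
    if (!DllBaseName || !*DllBaseName || !pData || IsBadWritePtr( pData, sizeof(LDR_MODULE) ))
    {
        SetLastError( ERROR_INVALID_PARAMETER );
        return cbData;
    }

    // The name is measured only after validation. Measuring it first, as the
    // previous version did, dereferenced a NULL DllBaseName.
    cdd_Data cdd = {0,0,0};
    cdd.Name = DllBaseName;
    cdd.ccName = wcslen( DllBaseName );
    cdd.Result = pData;
    cdd.Result->SizeOfImage = 0; // "Not found"

    if (!hProcess) hProcess = NtCurrentProcess();
    EnumProcModules( hProcess, find_LdrDll, &cdd );

    if (cdd.Result->SizeOfImage) // if DllBaseName found
    {
        cbData = sizeof(LDR_MODULE);
        if (Localize)
        {
            // Preliminary: Read the module unicode strings and duplicate to this proc.
            localize_UStr( hProcess, &pData->BaseDllName );
            localize_UStr( hProcess, &pData->FullDllName );
        }
    }
    return cbData;
}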
276 
// Release the character buffer of a UNICODE_STRING and mark the string empty.
// Buffer takes whatever deleteWStr hands back.
static void _freeUStrBuf( PUNICODE_STRING pu )
{
    PWSTR released = (PWSTR) deleteWStr( pu->Buffer );
    pu->Buffer = released;
    pu->MaximumLength = 0;
    pu->Length = 0;
}
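// Release the name buffers of an LDR_MODULE that GetProcDllData filled in with
// Localize set. A NULL pMod is ignored.
// Only pass entries whose name buffers were allocated locally: an entry
// obtained without Localize still carries addresses that belong to the target
// process, and handing those to the local allocator would corrupt the heap.
void FreeLdrModBuffers( PLDR_MODULE pMod ) // Preliminary
{
    if (!pMod) return;
    _freeUStrBuf( &pMod->BaseDllName );
    _freeUStrBuf( &pMod->FullDllName );
}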
287 
288 //==---------------------------------------------------------------------------
289 #ifndef NO_WINTERNAL // UNICODE_STRING
290 
291 // TODO: Re-test GetProcPathname() since the string length limiter changed.
292 // TODO: Change ccPathName to USHORT or WORD..
293 
294 bool GetProcPathname( DWORD procId, OUT TSTR PathName, UINT ccPathName )
295 {
 // Looks up the image path of process procId via ProcessImageFileNameWin32 and
 // copies it, truncated to ccPathName characters, into PathName.
 // Returns true when the query succeeded; a failed query sets the last error
 // from the NTSTATUS. A procId of 0, or a failed OpenProcess, returns false.
 // The process is opened with PROCESS_QUERY_LIMITED_INFORMATION only.
296  bool ok = false;
297  if (procId)
298  {
 // NOTE(review): listing lines 299-300 are absent from this rendering, so
 // whatever introduces the block below cannot be seen here - confirm against
 // the source file.
301  {
302  ACCESS_MASK procAcc = PROCESS_QUERY_LIMITED_INFORMATION;
303  HANDLE hProc = OpenProcess( procAcc, false, procId );
304  if (hProc)
305  {
306  ULONG cbBuf, cbRtn;
 // NOTE(review): puStr is used without a NULL check; an allocation failure
 // would hand a NULL buffer with an unset cbBuf to the query - verify what
 // mem_AllocUniStr guarantees.
307  PUNICODE_STRING puStr = mem_AllocUniStr( MAX_PATH, &cbBuf );
308  NTSTATUS rc = _NtQueryInformationProcess(
309  hProc, ProcessImageFileNameWin32, puStr, cbBuf, &cbRtn
310  );
311  ok = NT_SUCCESS( rc );
312  if (!ok) SetLastErrorFromNtStatus( rc );
313  else
314  {
315  short ccStr = puStr->Length / WCHAR_SIZE; // W/o the NUL terminator
 // NOTE(review): with ccPathName == 0 the expression ccPathName - 1 wraps
 // before it is narrowed to short; rejecting a zero-sized buffer up front
 // would make the clamp unambiguous.
316  if (UINT(ccStr+1) > ccPathName) ccStr = ccPathName - 1;
317  #ifdef _UNICODE
318  wcsncpyz( PathName, puStr->Buffer, ccStr+1 );
319  #else
 // NOTE(review): the source length is -1, so the whole string is converted
 // and puStr->Buffer has to be NUL-terminated. If the result does not fit in
 // ccStr+1 bytes the call fails; its return value is ignored, so ok stays
 // true while PathName may be left without a terminator.
320  WideCharToMultiByte(
321  CP_ACP, 0, puStr->Buffer, -1, PathName, ccStr+1, NULL, NULL
322  );
323  #endif
324  }
325  mem_Free( puStr );
326  CloseHandle( hProc );
327  }
328  }
329  }
330  return ok;
331 }
332 
333 #endif//ndef NO_WINTERNAL
334 //==---------------------------------------------------------------------------
335 
336 bool InitNtFunc() // Dynalink NTDLL functions we can call in user mode.
337 {
338  // Approximately 800 functions included.
339  // Note: NTDLL is always at the same address in each process.
340 
341  bool ok = true; // Assume all is hunky dory
342  bool missApi = false;
343 
344  if (!_NtQueryInformationProcess) // Use this one as "initialized" flag.
345  {
346  HMODULE hNtDll = GetModuleHandle( _T("NTDLL.DLL") );
347  if (!hNtDll) ok = false; // Eh? No NTDLL? What platform is this?
348  else
349  {
350  //== Kernel Functions =============================================
351  INIT_NTFUNC( NtGetCurrentProcessorNumber );
352  // ExecutionControl
353  INIT_NTFUNC( NtYieldExecution );
354  INIT_NTFUNC( NtDelayExecution );
355  INIT_NTFUNC( NtRaiseException );
356  INIT_NTFUNC( NtContinue );
357  INIT_NTFUNC( NtW32Call );
358  // KernelTime
359  INIT_NTFUNC( NtGetTickCount );
360  INIT_NTFUNC( NtQuerySystemTime );
361  INIT_NTFUNC( NtSetSystemTime );
362  INIT_NTFUNC( NtQueryPerformanceCounter );
363  INIT_NTFUNC( NtQueryTimerResolution );
364  INIT_NTFUNC( NtSetTimerResolution );
365  // ThreadContext
366  INIT_NTFUNC( NtGetContextThread );
367  INIT_NTFUNC( NtSetContextThread );
368  // Profiling
369  INIT_NTFUNC( NtCreateProfile );
370  INIT_NTFUNC( NtCreateProfileEx );
371  INIT_NTFUNC( NtStartProfile );
372  INIT_NTFUNC( NtStopProfile );
373  INIT_NTFUNC( NtQueryIntervalProfile );
374  INIT_NTFUNC( NtSetIntervalProfile );
375  // APC
376  INIT_NTFUNC( NtQueueApcThread );
377  INIT_NTFUNC( NtCallbackReturn );
378  INIT_NTFUNC( NtTestAlert );
379  // Banana Benders & Raisin Wrinklers
380  INIT_NTFUNC( NtSetLdtEntries );
381  INIT_NTFUNC( NtVdmControl );
382  //== Kernel Debugger Functions ====================================
383  INIT_NTFUNC( NtQueryDebugFilterState );
384  INIT_NTFUNC( NtSetDebugFilterState );
385  INIT_NTFUNC( NtSystemDebugControl );
386  //== User-Mode Kernel Debugging Functions =========================
387  INIT_NTFUNC( NtDebugActiveProcess );
388  INIT_NTFUNC( NtCreateDebugObject );
389  INIT_NTFUNC( NtDebugContinue );
390  INIT_NTFUNC( NtWaitForDebugEvent );
391  INIT_NTFUNC( NtRemoveProcessDebug );
392  INIT_NTFUNC( NtSetInformationDebugObject );
393  // Migrated from "User-Mode NT Library Functions"
394  INIT_NTFUNC( DbgUiConnectToDbg );
395  INIT_NTFUNC( DbgUiDebugActiveProcess );
396  INIT_NTFUNC( DbgUiStopDebugging );
397  INIT_NTFUNC( DbgBreakPointWithStatus );
398  INIT_NTFUNC( DbgUiContinue );
399  INIT_NTFUNC( DbgUiWaitStateChange );
400  INIT_NTFUNC( DbgUiConvertStateChangeStructure );
401  INIT_NTFUNC( DbgUiRemoteBreakin );
402  INIT_NTFUNC( DbgUiIssueRemoteBreakin );
403  INIT_NTFUNC( DbgUiGetThreadDebugObject );
404  //== Process Manager Functions ====================================
405  INIT_NTFUNC( NtQueryInformationProcess );
406  INIT_NTFUNC( NtQueryInformationThread );
407  INIT_NTFUNC( NtQueryInformationJobObject );
408  // Process
409  INIT_NTFUNC( NtCreateProcess );
410  INIT_NTFUNC( NtCreateProcessEx );
411  INIT_NTFUNC( NtOpenProcess );
412  // Thread
413  INIT_NTFUNC( NtCreateThread );
414  INIT_NTFUNC( NtOpenThread );
415  INIT_NTFUNC( NtAlertThread );
416  INIT_NTFUNC( NtAlertResumeThread );
417  INIT_NTFUNC( NtCurrentTeb );
418  INIT_NTFUNC( NtImpersonateThread );
419  // Job
420  INIT_NTFUNC( NtCreateJobObject );
421  INIT_NTFUNC( NtOpenJobObject );
422  INIT_NTFUNC( NtCreateJobSet );
423  INIT_NTFUNC( NtAssignProcessToJobObject );
424  INIT_NTFUNC( NtIsProcessInJob );
425  // Misc Ps
426  INIT_NTFUNC( NtApphelpCacheControl );
427  //== Object Manager Functions =====================================
428  INIT_NTFUNC( NtClose );
429  INIT_NTFUNC( NtDuplicateObject );
430  INIT_NTFUNC( NtMakePermanentObject );
431  INIT_NTFUNC( NtMakeTemporaryObject );
432  INIT_NTFUNC( NtQueryObject );
433  INIT_NTFUNC( NtSetInformationObject );
434  // Security
435  INIT_NTFUNC( NtQuerySecurityObject );
436  INIT_NTFUNC( NtSetSecurityObject );
437  // Wait
438  INIT_NTFUNC( NtWaitForSingleObject );
439  INIT_NTFUNC( NtSignalAndWaitForSingleObject );
440  INIT_NTFUNC( NtWaitForMultipleObjects );
441  INIT_NTFUNC( NtWaitForMultipleObjects32 );
442  // Directory
443  INIT_NTFUNC( NtCreateDirectoryObject );
444  INIT_NTFUNC( NtOpenDirectoryObject );
445  INIT_NTFUNC( NtQueryDirectoryObject );
446  // SymLink
447  INIT_NTFUNC( NtCreateSymbolicLinkObject );
448  INIT_NTFUNC( NtOpenSymbolicLinkObject );
449  INIT_NTFUNC( NtQuerySymbolicLinkObject );
450  // Audit
451  INIT_NTFUNC( NtCloseObjectAuditAlarm );
452  INIT_NTFUNC( NtDeleteObjectAuditAlarm );
453  //== Executive Functions ==========================================
454  // SystemInfo
455  INIT_NTFUNC( NtQuerySystemInformation );
456  INIT_NTFUNC( NtSetSystemInformation );
457  // Environment
458  INIT_NTFUNC( NtEnumerateSystemEnvironmentValuesEx );
459  INIT_NTFUNC( NtQuerySystemEnvironmentValue );
460  INIT_NTFUNC( NtQuerySystemEnvironmentValueEx );
461  INIT_NTFUNC( NtSetSystemEnvironmentValue );
462  INIT_NTFUNC( NtSetSystemEnvironmentValueEx );
463  // Language/Locale
464  INIT_NTFUNC( NtQueryDefaultUILanguage );
465  INIT_NTFUNC( NtQueryInstallUILanguage );
466  INIT_NTFUNC( NtSetDefaultUILanguage );
467  INIT_NTFUNC( NtQueryDefaultLocale );
468  INIT_NTFUNC( NtSetDefaultLocale );
469  // Atom
470  INIT_NTFUNC( NtAddAtom );
471  INIT_NTFUNC( NtDeleteAtom );
472  INIT_NTFUNC( NtFindAtom );
473  INIT_NTFUNC( NtQueryInformationAtom );
474  // Timer
475  INIT_NTFUNC( NtCreateTimer );
476  INIT_NTFUNC( NtOpenTimer );
477  INIT_NTFUNC( NtQueryTimer );
478  INIT_NTFUNC( NtSetTimer );
479  INIT_NTFUNC( NtCancelTimer );
480  // Event
481  INIT_NTFUNC( NtCreateEvent );
482  INIT_NTFUNC( NtOpenEvent );
483  INIT_NTFUNC( NtQueryEvent );
484  INIT_NTFUNC( NtSetEvent );
485  INIT_NTFUNC( NtResetEvent );
486  INIT_NTFUNC( NtClearEvent );
487  INIT_NTFUNC( NtPulseEvent );
488  // KeyedEvent
489  INIT_NTFUNC( NtCreateKeyedEvent );
490  INIT_NTFUNC( NtOpenKeyedEvent );
491  INIT_NTFUNC( NtWaitForKeyedEvent );
492  INIT_NTFUNC( NtReleaseKeyedEvent );
493  // EventPair
494  INIT_NTFUNC( NtCreateEventPair );
495  INIT_NTFUNC( NtOpenEventPair );
496  INIT_NTFUNC( NtSetHighEventPair );
497  INIT_NTFUNC( NtSetLowEventPair );
498  INIT_NTFUNC( NtSetHighWaitLowEventPair );
499  INIT_NTFUNC( NtSetLowWaitHighEventPair );
500  INIT_NTFUNC( NtWaitHighEventPair );
501  INIT_NTFUNC( NtWaitLowEventPair );
502  // Mutant
503  INIT_NTFUNC( NtCreateMutant );
504  INIT_NTFUNC( NtOpenMutant );
505  INIT_NTFUNC( NtQueryMutant );
506  INIT_NTFUNC( NtReleaseMutant );
507  // Semaphore
508  INIT_NTFUNC( NtCreateSemaphore );
509  INIT_NTFUNC( NtOpenSemaphore );
510  INIT_NTFUNC( NtQuerySemaphore );
511  INIT_NTFUNC( NtReleaseSemaphore );
512  // Misc Executive
513  INIT_NTFUNC( NtDisplayString );
514  INIT_NTFUNC( NtRaiseHardError );
515  INIT_NTFUNC( NtSetDefaultHardErrorPort );
516  INIT_NTFUNC( NtShutdownSystem );
517  INIT_NTFUNC( NtSetEventBoostPriority );
518  INIT_NTFUNC( NtSetUuidSeed );
519  INIT_NTFUNC( NtTraceEvent );
520  //== Input/Output Manager Functions =================================
521  // File
522  INIT_NTFUNC( NtCreateFile );
523  INIT_NTFUNC( NtOpenFile );
524  INIT_NTFUNC( NtDeleteFile );
525  INIT_NTFUNC( NtLockFile );
526  INIT_NTFUNC( NtUnlockFile );
527  INIT_NTFUNC( NtReadFile );
528  INIT_NTFUNC( NtReadFileScatter );
529  INIT_NTFUNC( NtWriteFile );
530  INIT_NTFUNC( NtWriteFileGather );
531  INIT_NTFUNC( NtCancelIoFile );
532  INIT_NTFUNC( NtFlushBuffersFile );
533  INIT_NTFUNC( NtFlushWriteBuffer ); // NOP on x86
534  INIT_NTFUNC( NtQueryInformationFile );
535  INIT_NTFUNC( NtSetInformationFile );
536  INIT_NTFUNC( NtQueryEaFile );
537  INIT_NTFUNC( NtSetEaFile );
538  INIT_NTFUNC( NtQueryAttributesFile );
539  INIT_NTFUNC( NtQueryFullAttributesFile );
540  // Mailslot
541  INIT_NTFUNC( NtCreateMailslotFile );
542  // Pipe
543  INIT_NTFUNC( NtCreateNamedPipeFile );
544  // Directory/Volume
545  INIT_NTFUNC( NtQueryDirectoryFile );
546  INIT_NTFUNC( NtNotifyChangeDirectoryFile );
547  INIT_NTFUNC( NtQueryVolumeInformationFile );
548  INIT_NTFUNC( NtSetVolumeInformationFile );
549  INIT_NTFUNC( NtQueryQuotaInformationFile );
550  INIT_NTFUNC( NtSetQuotaInformationFile );
551  // I/O Completion
552  INIT_NTFUNC( NtCreateIoCompletion );
553  INIT_NTFUNC( NtOpenIoCompletion );
554  INIT_NTFUNC( NtQueryIoCompletion );
555  INIT_NTFUNC( NtSetIoCompletion );
556  INIT_NTFUNC( NtRemoveIoCompletion );
557  // I/O Control
558  INIT_NTFUNC( NtDeviceIoControlFile );
559  INIT_NTFUNC( NtFsControlFile );
560  // Driver
561  INIT_NTFUNC( NtLoadDriver );
562  INIT_NTFUNC( NtUnloadDriver );
563  // DriverEntry (EFI)
564  INIT_NTFUNC( NtAddDriverEntry );
565  INIT_NTFUNC( NtDeleteDriverEntry );
566  INIT_NTFUNC( NtModifyDriverEntry );
567  INIT_NTFUNC( NtEnumerateDriverEntries );
568  INIT_NTFUNC( NtQueryDriverEntryOrder );
569  INIT_NTFUNC( NtSetDriverEntryOrder );
570  // Boot (EFI)
571  INIT_NTFUNC( NtQueryBootOptions );
572  INIT_NTFUNC( NtSetBootOptions );
573  INIT_NTFUNC( NtAddBootEntry );
574  INIT_NTFUNC( NtDeleteBootEntry );
575  INIT_NTFUNC( NtModifyBootEntry );
576  INIT_NTFUNC( NtEnumerateBootEntries );
577  INIT_NTFUNC( NtQueryBootEntryOrder );
578  INIT_NTFUNC( NtSetBootEntryOrder );
579  // Misc (EFI)
580  INIT_NTFUNC( NtTranslateFilePath );
581  //== Loader Functions ===============================================
582  // <- User-Mode NT Library Functions
583  INIT_NTFUNC( LdrDisableThreadCalloutsForDll );
584  INIT_NTFUNC( LdrLoadDll );
585  INIT_NTFUNC( LdrUnloadDll );
586  INIT_NTFUNC( LdrAddRefDll );
587  INIT_NTFUNC( LdrGetDllHandle );
588  INIT_NTFUNC( LdrGetDllHandleEx );
589  INIT_NTFUNC( LdrFindEntryForAddress );
590  INIT_NTFUNC( LdrQueryImageFileExecutionOptions );
591  INIT_NTFUNC( LdrQueryProcessModuleInformation );
592  INIT_NTFUNC( LdrQueryImageFileKeyOption );
593  INIT_NTFUNC( LdrOpenImageFileOptionsKey );
594  INIT_NTFUNC( LdrSetDllManifestProber );
595  INIT_NTFUNC( LdrShutdownProcess );
596  INIT_NTFUNC( LdrShutdownThread );
597  INIT_NTFUNC( LdrVerifyImageMatchesChecksum );
598  INIT_NTFUNC( LdrProcessRelocationBlock );
599  INIT_NTFUNC( LdrInitializeThunk );
600  // Resource Functions
601  INIT_NTFUNC( LdrFindResource_U );
602  INIT_NTFUNC( LdrFindResourceDirectory_U );
603  INIT_NTFUNC( LdrEnumResources );
604  INIT_NTFUNC( LdrAccessResource );
605  INIT_NTFUNC( LdrLoadAlternateResourceModule );
606  INIT_NTFUNC( LdrUnloadAlternateResourceModule );
607  // Misc. Functions
608  INIT_NTFUNC( LdrEnumerateLoadedModules );
609  INIT_NTFUNC( LdrGetProcedureAddress );
610  INIT_NTFUNC( LdrLockLoaderLock );
611  INIT_NTFUNC( LdrUnlockLoaderLock );
612  INIT_NTFUNC( LdrVerifyMappedImageMatchesChecksum );
613  INIT_NTFUNC( LdrRelocateImage );
614  INIT_NTFUNC( LdrProcessRelocationBlockLongLong );
615  //== User-Mode NT Library Functions =================================
616  // User-Mode Kernel Debugging Functions ->
617  // Loader Functions ->
618  //== Memory Manager Functions =======================================
619  // PhysicalPages
620  INIT_NTFUNC( NtAllocateUserPhysicalPages );
621  INIT_NTFUNC( NtFreeUserPhysicalPages );
622  INIT_NTFUNC( NtMapUserPhysicalPages );
623  INIT_NTFUNC( NtMapUserPhysicalPagesScatter );
624  // VirtualMemory
625  INIT_NTFUNC( NtAllocateVirtualMemory );
626  INIT_NTFUNC( NtFreeVirtualMemory );
627  INIT_NTFUNC( NtQueryVirtualMemory );
628  INIT_NTFUNC( NtReadVirtualMemory );
629  INIT_NTFUNC( NtWriteVirtualMemory );
630  INIT_NTFUNC( NtLockVirtualMemory );
631  INIT_NTFUNC( NtUnlockVirtualMemory );
632  INIT_NTFUNC( NtFlushVirtualMemory );
633  INIT_NTFUNC( NtProtectVirtualMemory );
634  // Section
635  INIT_NTFUNC( NtCreateSection );
636  INIT_NTFUNC( NtOpenSection );
637  INIT_NTFUNC( NtQuerySection );
638  INIT_NTFUNC( NtExtendSection );
639  INIT_NTFUNC( NtMapViewOfSection );
640  INIT_NTFUNC( NtUnmapViewOfSection );
641  // WriteWatch
642  INIT_NTFUNC( NtGetWriteWatch );
643  INIT_NTFUNC( NtResetWriteWatch );
644  // Misc
645  INIT_NTFUNC( NtCreatePagingFile );
646  INIT_NTFUNC( NtAreMappedFilesTheSame );
647  INIT_NTFUNC( NtFlushInstructionCache );
648  //= Security Subsystem Functions ====================================
649  // Token
650  INIT_NTFUNC( NtOpenProcessToken );
651  INIT_NTFUNC( NtOpenProcessTokenEx );
652  INIT_NTFUNC( NtOpenThreadToken );
653  INIT_NTFUNC( NtOpenThreadTokenEx );
654  INIT_NTFUNC( NtCreateToken );
655  INIT_NTFUNC( NtDuplicateToken );
656  INIT_NTFUNC( NtCompareTokens );
657  INIT_NTFUNC( NtPrivilegeCheck );
658  INIT_NTFUNC( NtAdjustPrivilegesToken );
659  INIT_NTFUNC( NtAdjustGroupsToken );
660  INIT_NTFUNC( NtQueryInformationToken );
661  INIT_NTFUNC( NtSetInformationToken );
662  INIT_NTFUNC( NtImpersonateAnonymousToken );
663  // LUID
664  INIT_NTFUNC( NtAllocateLocallyUniqueId );
665  INIT_NTFUNC( NtAllocateUuids );
666  // AccessCheck
667  INIT_NTFUNC( NtAccessCheck );
668  INIT_NTFUNC( NtAccessCheckByType );
669  INIT_NTFUNC( NtAccessCheckByTypeResultList );
670  INIT_NTFUNC( NtAccessCheckAndAuditAlarm );
671  // AuditAlarm
672  INIT_NTFUNC( NtOpenObjectAuditAlarm );
673  INIT_NTFUNC( NtPrivilegedServiceAuditAlarm );
674  INIT_NTFUNC( NtPrivilegeObjectAuditAlarm );
675  //== Runtime Library Functions ======================================
676  // Exception and Error Functions
677  INIT_NTFUNC( RtlAddVectoredExceptionHandler );
678  INIT_NTFUNC( RtlAssert );
679  INIT_NTFUNC( RtlSetUnhandledExceptionFilter );
680  INIT_NTFUNC( RtlUnhandledExceptionFilter );
681  INIT_NTFUNC( RtlEncodePointer );
682  INIT_NTFUNC( RtlDecodePointer );
683  INIT_NTFUNC( RtlEncodeSystemPointer );
684  INIT_NTFUNC( RtlDecodeSystemPointer );
685  INIT_NTFUNC( RtlGetLastNtStatus );
686  INIT_NTFUNC( RtlGetLastWin32Error );
687  INIT_NTFUNC( RtlSetLastWin32Error );
688  INIT_NTFUNC( RtlSetLastWin32ErrorAndNtStatusFromNtStatus );
689  INIT_NTFUNC( RtlSetThreadErrorMode );
690  INIT_NTFUNC( RtlGetThreadErrorMode );
691  INIT_NTFUNC( RtlCaptureContext );
692  INIT_NTFUNC( RtlDispatchException );
693  INIT_NTFUNC( RtlNtStatusToDosError );
694  INIT_NTFUNC( RtlNtStatusToDosErrorNoTeb );
695  INIT_NTFUNC( RtlMapSecurityErrorToNtStatus );
696  INIT_NTFUNC( RtlRaiseException );
697  INIT_NTFUNC( RtlRaiseStatus ); //DECLSPEC_NORETURN
698  INIT_NTFUNC( RtlUnwind );
699  // Tracing Functions
700  INIT_NTFUNC( RtlWalkFrameChain );
701  INIT_NTFUNC( RtlLogStackBackTrace );
702  // Heap Functions
703  INIT_NTFUNC( RtlAllocateHeap );
704  INIT_NTFUNC( RtlCreateHeap );
705  INIT_NTFUNC( RtlCreateTagHeap );
706  INIT_NTFUNC( RtlCompactHeap );
707  INIT_NTFUNC( RtlDebugCreateHeap );
708  INIT_NTFUNC( RtlDestroyHeap );
709  INIT_NTFUNC( RtlExtendHeap );
710  INIT_NTFUNC( RtlFreeHeap );
711  INIT_NTFUNC( RtlGetProcessHeaps );
712  INIT_NTFUNC( RtlGetUserInfoHeap );
713  INIT_NTFUNC( RtlProtectHeap );
714  INIT_NTFUNC( RtlQueryHeapInformation );
715  INIT_NTFUNC( RtlQueryTagHeap );
716  INIT_NTFUNC( RtlReAllocateHeap );
717  INIT_NTFUNC( RtlSetHeapInformation );
718  INIT_NTFUNC( RtlLockHeap );
719  INIT_NTFUNC( RtlMultipleAllocateHeap );
720  INIT_NTFUNC( RtlMultipleFreeHeap );
721  INIT_NTFUNC( RtlUsageHeap );
722  INIT_NTFUNC( RtlUnlockHeap );
723  INIT_NTFUNC( RtlSetUserValueHeap );
724  INIT_NTFUNC( RtlSetUserFlagsHeap );
725  INIT_NTFUNC( RtlValidateHeap );
726  INIT_NTFUNC( RtlWalkHeap );
727  INIT_NTFUNC( RtlSizeHeap );
728  // Security Functions
729  INIT_NTFUNC( RtlAbsoluteToSelfRelativeSD );
730  INIT_NTFUNC( RtlAddAccessAllowedAce );
731  INIT_NTFUNC( RtlAddAccessAllowedAceEx );
732  INIT_NTFUNC( RtlAddAccessAllowedObjectAce );
733  INIT_NTFUNC( RtlAddAccessDeniedAce );
734  INIT_NTFUNC( RtlAddAccessDeniedAceEx );
735  INIT_NTFUNC( RtlAddAccessDeniedObjectAce );
736  INIT_NTFUNC( RtlAddAce );
737  INIT_NTFUNC( RtlAddAuditAccessAce );
738  INIT_NTFUNC( RtlAcquirePrivilege );
739  INIT_NTFUNC( RtlAddAuditAccessAceEx );
740  INIT_NTFUNC( RtlAddAuditAccessObjectAce );
741  INIT_NTFUNC( RtlAddMandatoryAce );
742  INIT_NTFUNC( RtlAdjustPrivilege );
743  INIT_NTFUNC( RtlAllocateAndInitializeSid );
744  INIT_NTFUNC( RtlAreAllAccessesGranted );
745  INIT_NTFUNC( RtlAreAnyAccessesGranted );
746  INIT_NTFUNC( RtlCopyLuid );
747  INIT_NTFUNC( RtlCopyLuidAndAttributesArray );
748  INIT_NTFUNC( RtlCopySidAndAttributesArray );
749  INIT_NTFUNC( RtlConvertSidToUnicodeString );
750  INIT_NTFUNC( RtlCopySid );
751  INIT_NTFUNC( RtlCreateAcl );
752  INIT_NTFUNC( RtlCreateSecurityDescriptor );
753  INIT_NTFUNC( RtlCreateSecurityDescriptorRelative );
754  INIT_NTFUNC( RtlCopySecurityDescriptor );
755  INIT_NTFUNC( RtlDeleteAce );
756  INIT_NTFUNC( RtlEqualPrefixSid );
757  INIT_NTFUNC( RtlEqualSid );
758  INIT_NTFUNC( RtlFirstFreeAce );
759  INIT_NTFUNC( RtlFreeSid );
760  INIT_NTFUNC( RtlGetAce );
761  INIT_NTFUNC( RtlGetControlSecurityDescriptor );
762  INIT_NTFUNC( RtlGetDaclSecurityDescriptor );
763  INIT_NTFUNC( RtlGetSaclSecurityDescriptor );
764  INIT_NTFUNC( RtlGetGroupSecurityDescriptor );
765  INIT_NTFUNC( RtlGetOwnerSecurityDescriptor );
766  INIT_NTFUNC( RtlGetSecurityDescriptorRMControl );
767  INIT_NTFUNC( RtlIdentifierAuthoritySid );
768  INIT_NTFUNC( RtlImpersonateSelf );
769  INIT_NTFUNC( RtlInitializeSid );
770  INIT_NTFUNC( RtlLengthRequiredSid );
771  INIT_NTFUNC( RtlLengthSecurityDescriptor );
772  INIT_NTFUNC( RtlLengthSid );
773  INIT_NTFUNC( RtlMakeSelfRelativeSD );
774  INIT_NTFUNC( RtlMapGenericMask );
775  INIT_NTFUNC( RtlQueryInformationAcl );
776  INIT_NTFUNC( RtlReleasePrivilege );
777  INIT_NTFUNC( RtlSelfRelativeToAbsoluteSD );
778  INIT_NTFUNC( RtlSelfRelativeToAbsoluteSD2 );
779  INIT_NTFUNC( RtlSetAttributesSecurityDescriptor );
780  INIT_NTFUNC( RtlSetControlSecurityDescriptor );
781  INIT_NTFUNC( RtlSetDaclSecurityDescriptor );
782  INIT_NTFUNC( RtlSetGroupSecurityDescriptor );
783  INIT_NTFUNC( RtlSetInformationAcl );
784  INIT_NTFUNC( RtlSetOwnerSecurityDescriptor );
785  INIT_NTFUNC( RtlSetSaclSecurityDescriptor );
786  INIT_NTFUNC( RtlSetSecurityDescriptorRMControl );
787  INIT_NTFUNC( RtlSubAuthorityCountSid );
788  INIT_NTFUNC( RtlSubAuthoritySid );
789  INIT_NTFUNC( RtlValidRelativeSecurityDescriptor );
790  INIT_NTFUNC( RtlValidSecurityDescriptor );
791  INIT_NTFUNC( RtlValidSid );
792  INIT_NTFUNC( RtlValidAcl );
793  INIT_NTFUNC( RtlDeleteSecurityObject );
794  INIT_NTFUNC( RtlNewSecurityObject );
795  INIT_NTFUNC( RtlQuerySecurityObject );
796  INIT_NTFUNC( RtlSetSecurityObject );
797  // Single-Character Functions
798  INIT_NTFUNC( RtlLargeIntegerToChar );
799  INIT_NTFUNC( RtlUpperChar );
800  INIT_NTFUNC( RtlUpcaseUnicodeChar );
801  INIT_NTFUNC( RtlDowncaseUnicodeChar );
802  INIT_NTFUNC( RtlIntegerToChar );
803  INIT_NTFUNC( RtlIntegerToUnicode );
804  INIT_NTFUNC( RtlIntegerToUnicodeString );
805  INIT_NTFUNC( RtlCharToInteger );
806  // Unicode->Ansi String Functions
807  INIT_NTFUNC( RtlxUnicodeStringToAnsiSize );
808  INIT_NTFUNC( RtlUnicodeStringToAnsiString );
809  // Unicode->OEM String Functions
810  INIT_NTFUNC( RtlUpcaseUnicodeStringToOemString );
811  INIT_NTFUNC( RtlUpcaseUnicodeStringToCountedOemString );
812  INIT_NTFUNC( RtlUnicodeStringToOemString );
813  INIT_NTFUNC( RtlUpcaseUnicodeToOemN );
814  INIT_NTFUNC( RtlxUnicodeStringToOemSize );
815  INIT_NTFUNC( RtlUnicodeToOemN );
816  // Unicode->MultiByte String Functions
817  INIT_NTFUNC( RtlUnicodeToMultiByteN );
818  INIT_NTFUNC( RtlUpcaseUnicodeToMultiByteN );
819  INIT_NTFUNC( RtlUnicodeToMultiByteSize );
820  INIT_NTFUNC( RtlxOemStringToUnicodeSize );
821  // OEM to Unicode Functions
822  INIT_NTFUNC( RtlOemStringToUnicodeString );
823  INIT_NTFUNC( RtlOemToUnicodeN );
824  // Ansi->Unicode String Functions
825  INIT_NTFUNC( RtlAnsiCharToUnicodeChar );
826  INIT_NTFUNC( RtlAnsiStringToUnicodeString );
827  INIT_NTFUNC( RtlxAnsiStringToUnicodeSize );
828  INIT_NTFUNC( RtlCreateUnicodeStringFromAsciiz );
829  // Unicode String Functions
830  INIT_NTFUNC( RtlAppendUnicodeToString );
831  INIT_NTFUNC( RtlAppendUnicodeStringToString );
832  INIT_NTFUNC( RtlCompareUnicodeString );
833  INIT_NTFUNC( RtlCopyUnicodeString );
834  INIT_NTFUNC( RtlCreateUnicodeString );
835  INIT_NTFUNC( RtlDowncaseUnicodeString );
836  INIT_NTFUNC( RtlDuplicateUnicodeString );
837  // Memory Functions
838  INIT_NTFUNC( RtlFillMemoryUlong );
839  INIT_NTFUNC( RtlFillMemoryUlonglong );
840  INIT_NTFUNC( RtlCopyMappedMemory );
841  INIT_NTFUNC( RtlCompareMemoryUlong );
842  INIT_NTFUNC( RtlEqualUnicodeString );
843  INIT_NTFUNC( RtlFindCharInUnicodeString );
844  INIT_NTFUNC( RtlFreeUnicodeString );
845  INIT_NTFUNC( RtlEraseUnicodeString );
846  INIT_NTFUNC( RtlHashUnicodeString );
847  INIT_NTFUNC( RtlInitUnicodeString );
848  INIT_NTFUNC( RtlInitUnicodeStringEx );
849  INIT_NTFUNC( RtlIsTextUnicode );
850  INIT_NTFUNC( RtlPrefixString );
851  INIT_NTFUNC( RtlPrefixUnicodeString );
852  INIT_NTFUNC( RtlUpperString );
853  INIT_NTFUNC( RtlCompareString );
854  INIT_NTFUNC( RtlCopyString );
855  INIT_NTFUNC( RtlEqualString );
856  INIT_NTFUNC( RtlAppendStringToString );
857  INIT_NTFUNC( RtlUpcaseUnicodeString );
858  INIT_NTFUNC( RtlUnicodeStringToInteger );
859  INIT_NTFUNC( RtlValidateUnicodeString );
860  // Ansi String Functions
861  INIT_NTFUNC( RtlFreeAnsiString );
862  INIT_NTFUNC( RtlInitAnsiString );
863  INIT_NTFUNC( RtlInitAnsiStringEx );
864  // OEM String Functions
865  INIT_NTFUNC( RtlFreeOemString );
866  // MultiByte->Unicode String Functions
867  INIT_NTFUNC( RtlMultiByteToUnicodeN );
868  INIT_NTFUNC( RtlMultiByteToUnicodeSize );
869  // Atom Functions
870  INIT_NTFUNC( RtlAddAtomToAtomTable );
871  INIT_NTFUNC( RtlCreateAtomTable );
872  INIT_NTFUNC( RtlDeleteAtomFromAtomTable );
873  INIT_NTFUNC( RtlDestroyAtomTable );
874  INIT_NTFUNC( RtlQueryAtomInAtomTable );
875  INIT_NTFUNC( RtlPinAtomInAtomTable );
876  INIT_NTFUNC( RtlLookupAtomInAtomTable );
877  // Process Management Functions
878  INIT_NTFUNC( RtlGetCurrentPeb );
879  INIT_NTFUNC( RtlAcquirePebLock );
880  INIT_NTFUNC( RtlReleasePebLock );
881  INIT_NTFUNC( RtlCreateProcessParameters );
882  INIT_NTFUNC( RtlCreateUserProcess );
883  INIT_NTFUNC( RtlCreateUserThread );
884  INIT_NTFUNC( RtlDeNormalizeProcessParams );
885  INIT_NTFUNC( RtlDestroyProcessParameters );
886  INIT_NTFUNC( RtlExitUserThread );
887  INIT_NTFUNC( RtlInitializeContext );
888  #ifdef _M_AMD64
889  INIT_NTFUNC( RtlWow64GetThreadContext );
890  INIT_NTFUNC( RtlWow64SetThreadContext );
891  #endif
892  INIT_NTFUNC( RtlIsThreadWithinLoaderCallout );
893  INIT_NTFUNC( RtlNormalizeProcessParams );
894  INIT_NTFUNC( RtlRemoteCall );
895  INIT_NTFUNC( RtlSetProcessIsCritical ); // __cdecl
896  INIT_NTFUNC( RtlSetThreadIsCritical ); // __cdecl
897  INIT_NTFUNC( RtlGetCurrentProcessorNumber );
898  // Thread Pool Functions
899  INIT_NTFUNC( RtlSetThreadPoolStartFunc );
900  INIT_NTFUNC( RtlDeregisterWaitEx );
901  INIT_NTFUNC( RtlDeregisterWait );
902  INIT_NTFUNC( RtlQueueWorkItem );
903  INIT_NTFUNC( RtlSetIoCompletionCallback );
904  INIT_NTFUNC( RtlRegisterWait );
905  // Environment/Path Functions
906  INIT_NTFUNC( RtlCreateEnvironment );
907  INIT_NTFUNC( RtlComputePrivatizedDllName_U );
908  INIT_NTFUNC( RtlDestroyEnvironment );
909  INIT_NTFUNC( RtlDoesFileExists_U );
910  INIT_NTFUNC( RtlDetermineDosPathNameType_U );
911  INIT_NTFUNC( RtlDosSearchPath_U );
912  INIT_NTFUNC( RtlDosSearchPath_Ustr );
913  INIT_NTFUNC( RtlDosPathNameToNtPathName_U );
914  INIT_NTFUNC( RtlDosPathNameToRelativeNtPathName_U );
915  INIT_NTFUNC( RtlExpandEnvironmentStrings_U );
916  INIT_NTFUNC( RtlGetCurrentDirectory_U );
917  INIT_NTFUNC( RtlGetFullPathName_U );
918  #if (NTDDI_VERSION >= NTDDI_WIN7)
919  INIT_NTFUNC( RtlGetFullPathName_UEx );
920  #endif
921  INIT_NTFUNC( RtlGetFullPathName_UstrEx );
922  INIT_NTFUNC( RtlGetLengthWithoutTrailingPathSeperators );
923  INIT_NTFUNC( RtlGetLongestNtPathLength );
924  INIT_NTFUNC( RtlIsDosDeviceName_U );
925  INIT_NTFUNC( RtlIsDosDeviceName_Ustr );
926  INIT_NTFUNC( RtlIsNameLegalDOS8Dot3 );
927  INIT_NTFUNC( RtlQueryEnvironmentVariable_U );
928  INIT_NTFUNC( RtlReleaseRelativeName );
929  INIT_NTFUNC( RtlSetCurrentDirectory_U );
930  INIT_NTFUNC( RtlSetEnvironmentVariable );
931  // Critical Section/Resource Functions
932  INIT_NTFUNC( RtlDeleteCriticalSection );
933  INIT_NTFUNC( RtlEnterCriticalSection );
934  INIT_NTFUNC( RtlInitializeCriticalSection );
935  INIT_NTFUNC( RtlInitializeCriticalSectionAndSpinCount );
936  INIT_NTFUNC( RtlLeaveCriticalSection );
937  INIT_NTFUNC( RtlTryEnterCriticalSection );
938  INIT_NTFUNC( RtlpUnWaitCriticalSection );
939  INIT_NTFUNC( RtlpWaitForCriticalSection );
940  INIT_NTFUNC( RtlAcquireResourceExclusive );
941  INIT_NTFUNC( RtlAcquireResourceShared );
942  INIT_NTFUNC( RtlConvertExclusiveToShared );
943  INIT_NTFUNC( RtlConvertSharedToExclusive );
944  INIT_NTFUNC( RtlDeleteResource );
945  INIT_NTFUNC( RtlDumpResource );
946  INIT_NTFUNC( RtlInitializeResource );
947  INIT_NTFUNC( RtlReleaseResource );
948  // Compression Functions
949  INIT_NTFUNC( RtlCompressBuffer );
950  INIT_NTFUNC( RtlDecompressBuffer );
951  INIT_NTFUNC( RtlGetCompressionWorkSpaceSize );
952  // Frame Functions
953  INIT_NTFUNC( RtlPopFrame );
954  INIT_NTFUNC( RtlPushFrame );
955  INIT_NTFUNC( RtlGetFrame );
956  // Debug Info Functions
957  INIT_NTFUNC( RtlCreateQueryDebugBuffer );
958  INIT_NTFUNC( RtlDestroyQueryDebugBuffer );
959  INIT_NTFUNC( RtlQueryProcessDebugInformation );
960  // Bitmap Functions
961  INIT_NTFUNC( RtlAreBitsClear );
962  INIT_NTFUNC( RtlAreBitsSet );
963  INIT_NTFUNC( RtlClearAllBits );
964  INIT_NTFUNC( RtlClearBits );
965  INIT_NTFUNC( RtlFindClearBits );
966  INIT_NTFUNC( RtlFindClearBitsAndSet );
967  INIT_NTFUNC( RtlFindFirstRunClear );
968  INIT_NTFUNC( RtlFindClearRuns );
969  INIT_NTFUNC( RtlFindLastBackwardRunClear );
970  INIT_NTFUNC( RtlFindLeastSignificantBit );
971  INIT_NTFUNC( RtlFindMostSignificantBit );
972  INIT_NTFUNC( RtlFindNextForwardRunClear );
973  INIT_NTFUNC( RtlFindNextForwardRunSet );
974  INIT_NTFUNC( RtlFindSetBits );
975  INIT_NTFUNC( RtlFindSetBitsAndClear );
976  INIT_NTFUNC( RtlInitializeBitMap );
977  INIT_NTFUNC( RtlNumberOfClearBits );
978  INIT_NTFUNC( RtlNumberOfSetBits );
979  INIT_NTFUNC( RtlSetBit );
980  INIT_NTFUNC( RtlSetBits );
981  INIT_NTFUNC( RtlSetAllBits );
982  INIT_NTFUNC( RtlTestBit );
983  // Timer Functions
984  INIT_NTFUNC( RtlCreateTimer );
985  INIT_NTFUNC( RtlCreateTimerQueue );
986  INIT_NTFUNC( RtlDeleteTimer );
987  INIT_NTFUNC( RtlUpdateTimer );
988  INIT_NTFUNC( RtlDeleteTimerQueueEx );
989  INIT_NTFUNC( RtlDeleteTimerQueue );
990  // SList functions
991  INIT_NTFUNC( InterlockedPushListSList );
992  // Range List functions
993  INIT_NTFUNC( RtlInitializeRangeList );
994  INIT_NTFUNC( RtlFreeRangeList );
995  INIT_NTFUNC( RtlAddRange );
996  // Debug Functions
997  INIT_NTFUNC( DbgPrint ); // __cdecl
998  INIT_NTFUNC( DbgPrintEx ); // __cdecl
999  INIT_NTFUNC( DbgPrompt );
1000  #ifndef DbgBreakPoint
1001  INIT_NTFUNC( DbgBreakPoint );
1002  #endif
1003  INIT_NTFUNC( DbgLoadImageSymbols );
1004  INIT_NTFUNC( DbgUnLoadImageSymbols );
1005  INIT_NTFUNC( DbgCommandString );
1006  // Handle Table Functions
1007  INIT_NTFUNC( RtlAllocateHandle );
1008  INIT_NTFUNC( RtlDestroyHandleTable );
1009  INIT_NTFUNC( RtlFreeHandle );
1010  INIT_NTFUNC( RtlInitializeHandleTable );
1011  INIT_NTFUNC( RtlIsValidHandle );
1012  INIT_NTFUNC( RtlIsValidIndexHandle );
1013  // PE Functions
1014  INIT_NTFUNC( RtlFindMessage );
1015  INIT_NTFUNC( RtlGetNtGlobalFlags );
1016  INIT_NTFUNC( RtlImageDirectoryEntryToData );
1017  INIT_NTFUNC( RtlImageRvaToVa );
1018  INIT_NTFUNC( RtlImageNtHeader );
1019  INIT_NTFUNC( RtlImageNtHeaderEx );
1020  INIT_NTFUNC( RtlImageRvaToSection );
1021  INIT_NTFUNC( LdrRelocateImageWithBias );
1022  // Activation Context Functions
1023  INIT_NTFUNC( RtlActivateActivationContextEx );
1024  INIT_NTFUNC( RtlActivateActivationContext );
1025  INIT_NTFUNC( RtlAddRefActivationContext );
1026  INIT_NTFUNC( RtlActivateActivationContextUnsafeFast );
1027  INIT_NTFUNC( RtlAllocateActivationContextStack );
1028  INIT_NTFUNC( RtlCreateActivationContext );
1029  INIT_NTFUNC( RtlGetActiveActivationContext );
1030  INIT_NTFUNC( RtlReleaseActivationContext );
1031  INIT_NTFUNC( RtlDeactivateActivationContext );
1032  INIT_NTFUNC( RtlFreeActivationContextStack );
1033  INIT_NTFUNC( RtlFreeThreadActivationContextStack );
1034  INIT_NTFUNC( RtlDeactivateActivationContextUnsafeFast );
1035  INIT_NTFUNC( RtlDosApplyFileIsolationRedirection_Ustr );
1036  INIT_NTFUNC( RtlFindActivationContextSectionString );
1037  INIT_NTFUNC( RtlQueryInformationActivationContext );
1038  INIT_NTFUNC( RtlQueryInformationActiveActivationContext );
1039  INIT_NTFUNC( RtlZombifyActivationContext );
1040  // WOW64 Functions
1041  INIT_NTFUNC( RtlWow64EnableFsRedirection );
1042  INIT_NTFUNC( RtlWow64EnableFsRedirectionEx );
1043  // Registry Functions
1044  INIT_NTFUNC( RtlCheckRegistryKey );
1045  INIT_NTFUNC( RtlCreateRegistryKey );
1046  INIT_NTFUNC( RtlFormatCurrentUserKeyPath );
1047  INIT_NTFUNC( RtlOpenCurrentUser );
1048  INIT_NTFUNC( RtlQueryRegistryValues );
1049  INIT_NTFUNC( RtlWriteRegistryValue );
1050  INIT_NTFUNC( RtlpNtCreateKey );
1051  INIT_NTFUNC( RtlpNtEnumerateSubKey );
1052  INIT_NTFUNC( RtlpNtMakeTemporaryKey );
1053  INIT_NTFUNC( RtlpNtOpenKey );
1054  INIT_NTFUNC( RtlpNtQueryValueKey );
1055  INIT_NTFUNC( RtlpNtSetValueKey );
1056  INIT_NTFUNC( NtRenameKey ); // Public (winternl.h), not NDK
1057  // NLS Functions
1058  INIT_NTFUNC( RtlGetDefaultCodePage );
1059  INIT_NTFUNC( RtlInitNlsTables );
1060  INIT_NTFUNC( RtlInitCodePageTable );
1061  INIT_NTFUNC( RtlResetRtlTranslations );
1062  #if !defined(NO_RTL_INLINES)
1063  #if !(defined(_AMD64_) || defined(_IA64_))
1064  INIT_NTFUNC( RtlExtendedLargeIntegerDivide );
1065  #endif // !(defined(_AMD64_) || defined(_IA64_))
1066  #endif // !defined(NO_RTL_INLINES)
1067  INIT_NTFUNC( RtlUniform );
1068  INIT_NTFUNC( RtlRandom );
1069  INIT_NTFUNC( RtlComputeCrc32 );
1070  // Network Functions
1071  INIT_NTFUNC( RtlIpv4AddressToStringA );
1072  INIT_NTFUNC( RtlIpv4AddressToStringW );
1073  INIT_NTFUNC( RtlIpv4AddressToStringExA );
1074  INIT_NTFUNC( RtlIpv4AddressToStringExW );
1075  INIT_NTFUNC( RtlIpv4StringToAddressA );
1076  INIT_NTFUNC( RtlIpv4StringToAddressW );
1077  INIT_NTFUNC( RtlIpv4StringToAddressExA );
1078  INIT_NTFUNC( RtlIpv4StringToAddressExW );
1079  INIT_NTFUNC( RtlIpv6AddressToStringA );
1080  INIT_NTFUNC( RtlIpv6AddressToStringW );
1081  INIT_NTFUNC( RtlIpv6AddressToStringExA );
1082  INIT_NTFUNC( RtlIpv6AddressToStringExW );
1083  INIT_NTFUNC( RtlIpv6StringToAddressA );
1084  INIT_NTFUNC( RtlIpv6StringToAddressW );
1085  INIT_NTFUNC( RtlIpv6StringToAddressExA );
1086  INIT_NTFUNC( RtlIpv6StringToAddressExW );
1087  // Time Functions
1088  INIT_NTFUNC( RtlQueryTimeZoneInformation );
1089  INIT_NTFUNC( RtlSecondsSince1970ToTime );
1090  INIT_NTFUNC( RtlSetTimeZoneInformation );
1091  INIT_NTFUNC( RtlTimeFieldsToTime );
1092  INIT_NTFUNC( RtlTimeToSecondsSince1970 );
1093  INIT_NTFUNC( RtlTimeToTimeFields );
1094  INIT_NTFUNC( RtlSystemTimeToLocalTime );
1095  // Version Functions
1096  INIT_NTFUNC( RtlVerifyVersionInfo );
1097  INIT_NTFUNC( RtlGetVersion );
1098  INIT_NTFUNC( RtlGetNtProductType );
1099  // Secure Memory Functions
1100  INIT_NTFUNC( RtlRegisterSecureMemoryCacheCallback );
1101  INIT_NTFUNC( RtlFlushSecureMemoryCache );
1102  // Boot Status Data Functions
1103  INIT_NTFUNC( RtlCreateBootStatusDataFile );
1104  INIT_NTFUNC( RtlGetSetBootStatusData );
1105  INIT_NTFUNC( RtlLockBootStatusData );
1106  INIT_NTFUNC( RtlUnlockBootStatusData );
1107  INIT_NTFUNC( RtlGUIDFromString );
1108  INIT_NTFUNC( RtlStringFromGUID );
1109  INIT_NTFUNC( RtlComputeImportTableHash );
1110  // MemoryStream functions
1111  INIT_NTFUNC( RtlInitMemoryStream );
1112  INIT_NTFUNC( RtlInitOutOfProcessMemoryStream );
1113  INIT_NTFUNC( RtlFinalReleaseOutOfProcessMemoryStream );
1114  INIT_NTFUNC( RtlQueryInterfaceMemoryStream );
1115  INIT_NTFUNC( RtlAddRefMemoryStream );
1116  INIT_NTFUNC( RtlReleaseMemoryStream );
1117  INIT_NTFUNC( RtlReadMemoryStream );
1118  INIT_NTFUNC( RtlReadOutOfProcessMemoryStream );
1119  INIT_NTFUNC( RtlSeekMemoryStream );
1120  INIT_NTFUNC( RtlCopyMemoryStreamTo );
1121  INIT_NTFUNC( RtlCopyOutOfProcessMemoryStreamTo );
1122  INIT_NTFUNC( RtlStatMemoryStream );
1123  // Dummy functions
1124  INIT_NTFUNC( RtlWriteMemoryStream );
1125  INIT_NTFUNC( RtlSetMemoryStreamSize );
1126  INIT_NTFUNC( RtlCommitMemoryStream );
1127  INIT_NTFUNC( RtlRevertMemoryStream );
1128  INIT_NTFUNC( RtlLockMemoryStreamRegion );
1129  INIT_NTFUNC( RtlUnlockMemoryStreamRegion );
1130  INIT_NTFUNC( RtlCloneMemoryStream );
1131  INIT_NTFUNC( RtlFindActivationContextSectionGuid );
1132  // RTL Splay Tree Functions
1133  INIT_NTFUNC( RtlSplay );
1134  INIT_NTFUNC( RtlDelete );
1135  INIT_NTFUNC( RtlDeleteNoSplay );
1136  INIT_NTFUNC( RtlSubtreeSuccessor );
1137  INIT_NTFUNC( RtlSubtreePredecessor );
1138  INIT_NTFUNC( RtlRealSuccessor );
1139  INIT_NTFUNC( RtlRealPredecessor );
1140  // RTL AVL Tree Functions
1141  INIT_NTFUNC( RtlInitializeGenericTableAvl );
1142  INIT_NTFUNC( RtlInsertElementGenericTableAvl );
1143  INIT_NTFUNC( RtlInsertElementGenericTableFullAvl );
1144  INIT_NTFUNC( RtlDeleteElementGenericTableAvl );
1145  INIT_NTFUNC( RtlLookupElementGenericTableAvl );
1146  INIT_NTFUNC( RtlLookupElementGenericTableFullAvl );
1147  INIT_NTFUNC( RtlEnumerateGenericTableAvl );
1148  INIT_NTFUNC( RtlEnumerateGenericTableWithoutSplayingAvl );
1149  INIT_NTFUNC( RtlLookupFirstMatchingElementGenericTableAvl );
1150  INIT_NTFUNC( RtlEnumerateGenericTableLikeADirectory );
1151  INIT_NTFUNC( RtlGetElementGenericTableAvl );
1152  INIT_NTFUNC( RtlNumberGenericTableElementsAvl );
1153  INIT_NTFUNC( RtlIsGenericTableEmptyAvl );
1154  // RTL Generic Table Functions
1155  #ifndef RTL_USE_AVL_TABLES
1156  INIT_NTFUNC( RtlInitializeGenericTable );
1157  INIT_NTFUNC( RtlInsertElementGenericTable );
1158  INIT_NTFUNC( RtlInsertElementGenericTableFull );
1159  INIT_NTFUNC( RtlDeleteElementGenericTable );
1160  INIT_NTFUNC( RtlLookupElementGenericTable );
1161  INIT_NTFUNC( RtlLookupElementGenericTableFull );
1162  INIT_NTFUNC( RtlEnumerateGenericTable );
1163  INIT_NTFUNC( RtlEnumerateGenericTableWithoutSplaying );
1164  INIT_NTFUNC( RtlGetElementGenericTable );
1165  INIT_NTFUNC( RtlNumberGenericTableElements );
1166  INIT_NTFUNC( RtlIsGenericTableEmpty );
1167  #endif//RTL_USE_AVL_TABLES
1168  //===================================================================
1169  }
1170  }
1171  return (ok && !missApi);
1172 } // InitNtFunc()
1173 
1174 #undef INIT_NTFUNC
1175 #undef _INIT_FP_
1176 #endif // ndef NO_NDK_FILES
1177 // EOF