/************************************************************************ * * * winternl.h -- This module defines the internal NT APIs and data * * structures that are intended for the use only by internal core * * Windows components. These APIs and data structures may change * * at any time. * * * * These APIs and data structures are subject to changes from one * * Windows release to another Windows release. To maintain the * * compatiblity of your application, avoid using these APIs and * * data structures. * * * * The appropriate mechanism for accessing the functions defined in * * this header is to use LoadLibrary() for ntdll.dll and * * GetProcAddress() for the particular function. By using this * * approach, your application will be more resilient to changes * * for these functions between Windows releases. If a function * * prototype does change, then GetProcAddress() for that function * * might detect the change and fail the function call, which your * * application will be able to detect. GetProcAddress() may not * * be able to detect all signature changes, thus avoid using these * * internal functions. Instead, your application should use the * * appropriate Win32 function that provides equivalent or similiar * * functionality. * * * * Copyright (c) Microsoft Corp. All rights reserved. * * * ************************************************************************/ #ifndef _WINTERNL_ #define _WINTERNL_ #if (_WIN32_WINNT >= 0x0500) #include #ifdef __cplusplus extern "C" { #endif // // The PEB and TEB structures are subject to changes between Windows // releases, thus the fields offsets may change as well as the Reserved // fields. The Reserved fields are reserved for use only by the Windows // operating systems. Do not assume a maximum size for the structures. // // // Instead of using the BeingDebugged field, use the Win32 APIs // IsDebuggerPresent, CheckRemoteDebuggerPresent // Instead of using the SessionId field, use the Win32 APIs // GetCurrentProcessId and ProcessIdToSessionId // Sample x86 assembly code that gets the SessionId (subject to change // between Windows releases, use the Win32 APIs to make your application // resilient to changes) // mov eax,fs:[00000018] // mov eax,[eax+0x30] // mov eax,[eax+0x1d4] // typedef struct _PEB { BYTE Reserved1[2]; BYTE BeingDebugged; BYTE Reserved2[229]; PVOID Reserved3[59]; ULONG SessionId; } PEB, *PPEB; // // Instead of using the Tls fields, use the Win32 TLS APIs // TlsAlloc, TlsGetValue, TlsSetValue, TlsFree // // Instead of using the ReservedForOle field, use the COM API // CoGetContextToken // typedef struct _TEB { BYTE Reserved1[1952]; PVOID Reserved2[412]; PVOID TlsSlots[64]; BYTE Reserved3[8]; PVOID Reserved4[26]; PVOID ReservedForOle; // Windows 2000 only PVOID Reserved5[4]; PVOID TlsExpansionSlots; } TEB; typedef TEB *PTEB; // // These data structures and type definitions are needed for compilation and // use of the internal Windows APIs defined in this header. // typedef LONG NTSTATUS; typedef CONST char *PCSZ; typedef struct _STRING { USHORT Length; USHORT MaximumLength; PCHAR Buffer; } STRING; typedef STRING *PSTRING; typedef STRING ANSI_STRING; typedef PSTRING PANSI_STRING; typedef PSTRING PCANSI_STRING; typedef STRING OEM_STRING; typedef PSTRING POEM_STRING; typedef CONST STRING* PCOEM_STRING; typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING; typedef UNICODE_STRING *PUNICODE_STRING; typedef const UNICODE_STRING *PCUNICODE_STRING; typedef struct _OBJECT_ATTRIBUTES { ULONG Length; HANDLE RootDirectory; PUNICODE_STRING ObjectName; ULONG Attributes; PVOID SecurityDescriptor; PVOID SecurityQualityOfService; } OBJECT_ATTRIBUTES; typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES; typedef struct _IO_STATUS_BLOCK { union { NTSTATUS Status; PVOID Pointer; }; ULONG_PTR Information; } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; typedef VOID (NTAPI *PIO_APC_ROUTINE) ( IN PVOID ApcContext, IN PIO_STATUS_BLOCK IoStatusBlock, IN ULONG Reserved ); #if defined(_M_IA64) typedef struct _FRAME_POINTERS { ULONGLONG MemoryStackFp; ULONGLONG BackingStoreFp; } FRAME_POINTERS, *PFRAME_POINTERS; #define UNWIND_HISTORY_TABLE_SIZE 12 typedef struct _RUNTIME_FUNCTION { ULONG BeginAddress; ULONG EndAddress; ULONG UnwindInfoAddress; } RUNTIME_FUNCTION, *PRUNTIME_FUNCTION; typedef struct _UNWIND_HISTORY_TABLE_ENTRY { ULONG64 ImageBase; ULONG64 Gp; PRUNTIME_FUNCTION FunctionEntry; } UNWIND_HISTORY_TABLE_ENTRY, *PUNWIND_HISTORY_TABLE_ENTRY; typedef struct _UNWIND_HISTORY_TABLE { ULONG Count; UCHAR Search; ULONG64 LowAddress; ULONG64 HighAddress; UNWIND_HISTORY_TABLE_ENTRY Entry[UNWIND_HISTORY_TABLE_SIZE]; } UNWIND_HISTORY_TABLE, *PUNWIND_HISTORY_TABLE; #endif // _M_IA64 typedef struct _PROCESS_BASIC_INFORMATION { PVOID Reserved1; PPEB PebBaseAddress; PVOID Reserved2[2]; ULONG_PTR UniqueProcessId; PVOID Reserved3; } PROCESS_BASIC_INFORMATION; typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION; typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION { LARGE_INTEGER IdleTime; LARGE_INTEGER KernelTime; LARGE_INTEGER UserTime; LARGE_INTEGER Reserved1[2]; ULONG Reserved2; } SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION, *PSYSTEM_PROCESSOR_PERFORMANCE_INFORMATION; typedef struct _SYSTEM_PROCESS_INFORMATION { ULONG NextEntryOffset; BYTE Reserved1[52]; PVOID Reserved2[3]; HANDLE UniqueProcessId; PVOID Reserved3; ULONG HandleCount; BYTE Reserved4[4]; PVOID Reserved5[11]; SIZE_T PeakPagefileUsage; SIZE_T PrivatePageCount; LARGE_INTEGER Reserved6[6]; } SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION; typedef struct _SYSTEM_REGISTRY_QUOTA_INFORMATION { ULONG RegistryQuotaAllowed; ULONG RegistryQuotaUsed; PVOID Reserved1; } SYSTEM_REGISTRY_QUOTA_INFORMATION, *PSYSTEM_REGISTRY_QUOTA_INFORMATION; typedef struct _SYSTEM_BASIC_INFORMATION { BYTE Reserved1[24]; PVOID Reserved2[4]; CCHAR NumberOfProcessors; } SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION; typedef struct _SYSTEM_TIMEOFDAY_INFORMATION { BYTE Reserved1[48]; } SYSTEM_TIMEOFDAY_INFORMATION, *PSYSTEM_TIMEOFDAY_INFORMATION; typedef struct _SYSTEM_PERFORMANCE_INFORMATION { BYTE Reserved1[312]; } SYSTEM_PERFORMANCE_INFORMATION, *PSYSTEM_PERFORMANCE_INFORMATION; typedef struct _SYSTEM_EXCEPTION_INFORMATION { BYTE Reserved1[16]; } SYSTEM_EXCEPTION_INFORMATION, *PSYSTEM_EXCEPTION_INFORMATION; typedef struct _SYSTEM_LOOKASIDE_INFORMATION { BYTE Reserved1[32]; } SYSTEM_LOOKASIDE_INFORMATION, *PSYSTEM_LOOKASIDE_INFORMATION; typedef struct _SYSTEM_INTERRUPT_INFORMATION { BYTE Reserved1[24]; } SYSTEM_INTERRUPT_INFORMATION, *PSYSTEM_INTERRUPT_INFORMATION; typedef enum _FILE_INFORMATION_CLASS { FileDirectoryInformation = 1 } FILE_INFORMATION_CLASS; typedef enum _PROCESSINFOCLASS { ProcessBasicInformation = 0, ProcessWow64Information = 26 } PROCESSINFOCLASS; typedef enum _THREADINFOCLASS { ThreadIsIoPending = 16 } THREADINFOCLASS; typedef enum _SYSTEM_INFORMATION_CLASS { SystemBasicInformation = 0, SystemPerformanceInformation = 2, SystemTimeOfDayInformation = 3, SystemProcessInformation = 5, SystemProcessorPerformanceInformation = 8, SystemInterruptInformation = 23, SystemExceptionInformation = 33, SystemRegistryQuotaInformation = 37, SystemLookasideInformation = 45 } SYSTEM_INFORMATION_CLASS; #if (_WIN32_WINNT >= 0x0501) // // use the WTS API instead // WTSGetActiveConsoleSessionId // The active console id is cached as a volatile ULONG in a constant // memory location. This x86 memory location is subject to changes between // Windows releases. Use the WTS API to make your application resilient to // changes. // #define INTERNAL_TS_ACTIVE_CONSOLE_ID ( *((volatile ULONG*)(0x7ffe02d8)) ) #endif // (_WIN32_WINNT >= 0x0501) // // These functions are intended for use by internal core Windows components // since these functions may change between Windows releases. // #define RtlFillMemory(Destination,Length,Fill) memset((Destination),(Fill),(Length)) #define RtlZeroMemory(Destination,Length) memset((Destination),0,(Length)) #define RtlMoveMemory(Destination,Source,Length) memmove((Destination),(Source),(Length)) // // use the Win32 API instead // CloseHandle // NTSTATUS NtClose ( IN HANDLE Handle ); // // use the Win32 API instead // CreateFile // NTSTATUS NtCreateFile ( OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN PLARGE_INTEGER AllocationSize OPTIONAL, IN ULONG FileAttributes, IN ULONG ShareAccess, IN ULONG CreateDisposition, IN ULONG CreateOptions, IN PVOID EaBuffer OPTIONAL, IN ULONG EaLength ); // // use the Win32 API instead // CreateFile // NTSTATUS NtOpenFile ( OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG ShareAccess, IN ULONG OpenOptions ); // // use the Win32 API instead // DeviceIoControl // NTSTATUS NtDeviceIoControlFile ( IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG IoControlCode, IN PVOID InputBuffer OPTIONAL, IN ULONG InputBufferLength, OUT PVOID OutputBuffer OPTIONAL, IN ULONG OutputBufferLength ); // // use the Win32 API instead // WaitForSingleObjectEx // NTSTATUS NtWaitForSingleObject ( IN HANDLE Handle, IN BOOLEAN Alertable, IN PLARGE_INTEGER Timeout OPTIONAL ); // // use the Win32 API instead // CheckNameLegalDOS8Dot3 // BOOLEAN RtlIsNameLegalDOS8Dot3 ( IN PUNICODE_STRING Name, IN OUT POEM_STRING OemName OPTIONAL, IN OUT PBOOLEAN NameContainsSpaces OPTIONAL ); // // This function might be needed for some of the internal Windows functions, // defined in this header file. // ULONG RtlNtStatusToDosError ( NTSTATUS Status ); // // use the Win32 APIs instead // GetProcessHandleCount // GetProcessId // NTSTATUS NtQueryInformationProcess ( IN HANDLE ProcessHandle, IN PROCESSINFOCLASS ProcessInformationClass, OUT PVOID ProcessInformation, IN ULONG ProcessInformationLength, OUT PULONG ReturnLength OPTIONAL ); // // use the Win32 API instead // GetThreadIOPendingFlag // NTSTATUS NtQueryInformationThread ( IN HANDLE ThreadHandle, IN THREADINFOCLASS ThreadInformationClass, OUT PVOID ThreadInformation, IN ULONG ThreadInformationLength, OUT PULONG ReturnLength OPTIONAL ); // // use the Win32 APIs instead // GetSystemRegistryQuota // GetSystemTimes // use the CryptoAPIs instead for generating random data // CryptGenRandom // NTSTATUS NtQuerySystemInformation ( IN SYSTEM_INFORMATION_CLASS SystemInformationClass, OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength OPTIONAL ); // // use the Win32 API instead // GetSystemTimeAsFileTime // NTSTATUS NtQuerySystemTime ( OUT PLARGE_INTEGER SystemTime ); // // use the Win32 API instead // LocalFileTimeToFileTime // NTSTATUS RtlLocalTimeToSystemTime ( IN PLARGE_INTEGER LocalTime, OUT PLARGE_INTEGER SystemTime ); // // use the Win32 API instead // SystemTimeToFileTime to convert to FILETIME structures // copy the resulting FILETIME structures to ULARGE_INTEGER structures // perform the calculation // BOOLEAN RtlTimeToSecondsSince1970 ( PLARGE_INTEGER Time, PULONG ElapsedSeconds ); // // These APIs might be need for some of the internal Windows functions, // defined in this header file. // VOID RtlFreeAnsiString ( PANSI_STRING AnsiString ); VOID RtlFreeUnicodeString ( PUNICODE_STRING UnicodeString ); VOID RtlFreeOemString( POEM_STRING OemString ); VOID RtlInitString ( PSTRING DestinationString, PCSZ SourceString ); VOID RtlInitAnsiString ( PANSI_STRING DestinationString, PCSZ SourceString ); VOID RtlInitUnicodeString ( PUNICODE_STRING DestinationString, PCWSTR SourceString ); NTSTATUS RtlAnsiStringToUnicodeString ( PUNICODE_STRING DestinationString, PCANSI_STRING SourceString, BOOLEAN AllocateDestinationString ); NTSTATUS RtlUnicodeStringToAnsiString ( PANSI_STRING DestinationString, PCUNICODE_STRING SourceString, BOOLEAN AllocateDestinationString ); NTSTATUS RtlUnicodeStringToOemString( POEM_STRING DestinationString, PCUNICODE_STRING SourceString, BOOLEAN AllocateDestinationString ); // // Use the Win32 API instead // WideCharToMultiByte // set CodePage to CP_ACP // set cbMultiByte to 0 // NTSTATUS RtlUnicodeToMultiByteSize( PULONG BytesInMultiByteString, IN PWSTR UnicodeString, ULONG BytesInUnicodeString ); // // Use the C runtime function instead // strtol // NTSTATUS RtlCharToInteger ( PCSZ String, ULONG Base, PULONG Value ); // // use the Win32 API instead // ConvertSidToStringSid // NTSTATUS RtlConvertSidToUnicodeString ( PUNICODE_STRING UnicodeString, PSID Sid, BOOLEAN AllocateDestinationString ); // // use the CryptoAPIs instead // CryptGenRandom // ULONG RtlUniform ( PULONG Seed ); // // Use the default built-in system exception handling instead of these // functions // VOID RtlUnwind ( IN PVOID TargetFrame OPTIONAL, IN PVOID TargetIp OPTIONAL, IN PEXCEPTION_RECORD ExceptionRecord OPTIONAL, IN PVOID ReturnValue ); #if defined(_M_IA64) VOID RtlUnwind2 ( IN FRAME_POINTERS TargetFrame OPTIONAL, IN PVOID TargetIp OPTIONAL, IN PEXCEPTION_RECORD ExceptionRecord OPTIONAL, IN PVOID ReturnValue, IN PCONTEXT ContextRecord ); VOID RtlUnwindEx ( IN FRAME_POINTERS TargetFrame OPTIONAL, IN PVOID TargetIp OPTIONAL, IN PEXCEPTION_RECORD ExceptionRecord OPTIONAL, IN PVOID ReturnValue, IN PCONTEXT ContextRecord, IN PUNWIND_HISTORY_TABLE HistoryTable OPTIONAL ); #endif // _M_IA64 #define LOGONID_CURRENT ((ULONG)-1) #define SERVERNAME_CURRENT ((HANDLE)NULL) typedef enum _WINSTATIONINFOCLASS { WinStationInformation = 8 } WINSTATIONINFOCLASS; typedef struct _WINSTATIONINFORMATIONW { BYTE Reserved2[70]; ULONG LogonId; BYTE Reserved3[1140]; } WINSTATIONINFORMATIONW, * PWINSTATIONINFORMATIONW; // // this function is implemented in winsta.dll (you need to loadlibrary to call this function) // this internal function retrives the LogonId (also called SessionId) for the current process // You should avoid using this function as it can change. you can retrieve the same information // Using public api WTSQuerySessionInformation. Pass WTSSessionId as the WTSInfoClass parameter // typedef BOOLEAN (WINAPI * PWINSTATIONQUERYINFORMATIONW)( HANDLE, ULONG, WINSTATIONINFOCLASS, PVOID, ULONG, PULONG ); #ifdef __cplusplus } #endif #endif // (_WIN32_WINNT >= 0x0500) #endif // _WINTERNL_