/*++

Copyright (c) 2001 Microsoft Corporation

Module Name:

    apimap.c

Abstract:

    A table containing API categorization to help in logging.

Author:

    03-May-2001 KenCoope

Revision History:

--*/
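//
// API Categories
//
// One row per logging category, ended by a row whose first member is NULL.
// Each row gives the category's display name, a second member that is 0 for
// every row here, and a WH*_INDEX constant.
//
// NOTE(review): the row order matches the order in which the APICAT_*
// constants appear in Wow64ApiCategoryMappings (Executive, Io, Kernel, ...).
// Presumably APICAT_* values are indices into this array - confirm against the
// header that declares them. If so, inserting or reordering rows without
// updating those constants silently mislabels every logged call, so keep the
// two in lock-step.
//
// NOTE(review): WH*_INDEX presumably selects the thunk table the category
// belongs to (whnt32 / whbase / whcon / whwin32) - confirm against
// API_CATEGORY's declaration.
//
API_CATEGORY Wow64ApiCategories[] =
{
    { "ExecutiveFunctions", 0, WHNT32_INDEX },
    { "IoFunctions", 0, WHNT32_INDEX },
    { "KernelFunctions", 0, WHNT32_INDEX },
    { "LpcFunctions", 0, WHNT32_INDEX },
    { "MemoryFunctions", 0, WHNT32_INDEX },
    { "ObjectFunctions", 0, WHNT32_INDEX },
    { "PnpFunctions", 0, WHNT32_INDEX },
    { "PowerFunctions", 0, WHNT32_INDEX },
    { "ProcessFunctions", 0, WHNT32_INDEX },
    { "RegistryFunctions", 0, WHNT32_INDEX },
    { "SecurityFunctions", 0, WHNT32_INDEX },
    { "ExceptionFunctions", 0, WHNT32_INDEX },
    { "NtWow64CsrFunctions", 0, WHNT32_INDEX },
    { "BaseWow64CsrFunctions", 0, WHBASE_INDEX },

    // Catch-all categories. No row of the static mapping table in this file
    // names them; presumably they receive APIs that have no explicit mapping.
    { "UnclassifiedNtosKrnlFunctions", 0, WHNT32_INDEX },
    { "UnclassifiedConsoleFunctions", 0, WHCON_INDEX },
    { "UnclassifiedWin32Functions", 0, WHWIN32_INDEX },
    { "UnclassifiedBaseFunctions", 0, WHBASE_INDEX },

    // null terminating entry (members not listed are zero-initialized)
    { NULL, 0 }
};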
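//
// API Category Mappings
//
// Starts out as (ULONG)(-1), the all-ones ULONG value.
//
// NOTE(review): presumably a "not computed yet" sentinel for the index of the
// first unused slot in Wow64ApiCategoryMappings - confirm against the code
// that reads it. Whatever consumes this value should treat the sentinel
// explicitly and range-check against MAX_API_MAPPINGS before using it as an
// array index.
//
ULONG ApiCategoryMappingNextFree = (ULONG)(-1);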
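//
// Static map from NT system service name to logging category.
//
// Each row gives the service name, an APICAT_* category constant, and a third
// member that is 0 for every row here. The list ends with a row whose name is
// NULL.
//
// The array is declared with MAX_API_MAPPINGS elements, so every element after
// the initializers below is zero-filled.
//
// NOTE(review): together with ApiCategoryMappingNextFree this suggests rows
// are appended at run time. That code is not in this listing; it should
// refuse to write at or beyond MAX_API_MAPPINGS - 1 so that a NULL-named
// terminator always remains - confirm.
//
// Rows are grouped by the NT header that declares the service, not by how
// privileged or sensitive the call is: NtLoadDriver is filed under Io,
// NtSystemDebugControl under Executive, NtWriteVirtualMemory under Memory.
// A log filter on "SecurityFunctions" alone therefore does not cover every
// security-relevant service.
//
API_CATEGORY_MAPPING Wow64ApiCategoryMappings[MAX_API_MAPPINGS] =
{
    // NT Executive APIs (ntexapi.h)
    { "NtDelayExecution", APICAT_EXECUTIVE, 0 },
    { "NtQuerySystemEnvironmentValue", APICAT_EXECUTIVE, 0 },
    { "NtSetSystemEnvironmentValue", APICAT_EXECUTIVE, 0 },
    { "NtQuerySystemEnvironmentValueEx", APICAT_EXECUTIVE, 0 },
    { "NtSetSystemEnvironmentValueEx", APICAT_EXECUTIVE, 0 },
    { "NtEnumerateSystemEnvironmentValuesEx", APICAT_EXECUTIVE, 0 },
    { "NtAddBootEntry", APICAT_EXECUTIVE, 0 },
    { "NtDeleteBootEntry", APICAT_EXECUTIVE, 0 },
    { "NtModifyBootEntry", APICAT_EXECUTIVE, 0 },
    { "NtEnumerateBootEntries", APICAT_EXECUTIVE, 0 },
    { "NtQueryBootEntryOrder", APICAT_EXECUTIVE, 0 },
    { "NtSetBootEntryOrder", APICAT_EXECUTIVE, 0 },
    { "NtQueryBootOptions", APICAT_EXECUTIVE, 0 },
    { "NtSetBootOptions", APICAT_EXECUTIVE, 0 },
    { "NtTranslateFilePath", APICAT_EXECUTIVE, 0 },
    { "NtClearEvent", APICAT_EXECUTIVE, 0 },
    { "NtCreateEvent", APICAT_EXECUTIVE, 0 },
    { "NtOpenEvent", APICAT_EXECUTIVE, 0 },
    { "NtPulseEvent", APICAT_EXECUTIVE, 0 },
    { "NtQueryEvent", APICAT_EXECUTIVE, 0 },
    { "NtResetEvent", APICAT_EXECUTIVE, 0 },
    { "NtSetEvent", APICAT_EXECUTIVE, 0 },
    { "NtSetEventBoostPriority", APICAT_EXECUTIVE, 0 },
    { "NtCreateEventPair", APICAT_EXECUTIVE, 0 },
    { "NtOpenEventPair", APICAT_EXECUTIVE, 0 },
    { "NtWaitLowEventPair", APICAT_EXECUTIVE, 0 },
    { "NtWaitHighEventPair", APICAT_EXECUTIVE, 0 },
    { "NtSetLowWaitHighEventPair", APICAT_EXECUTIVE, 0 },
    { "NtSetHighWaitLowEventPair", APICAT_EXECUTIVE, 0 },
    { "NtSetLowEventPair", APICAT_EXECUTIVE, 0 },
    { "NtSetHighEventPair", APICAT_EXECUTIVE, 0 },
    { "NtCreateMutant", APICAT_EXECUTIVE, 0 },
    { "NtOpenMutant", APICAT_EXECUTIVE, 0 },
    { "NtQueryMutant", APICAT_EXECUTIVE, 0 },
    { "NtReleaseMutant", APICAT_EXECUTIVE, 0 },
    { "NtCreateSemaphore", APICAT_EXECUTIVE, 0 },
    { "NtOpenSemaphore", APICAT_EXECUTIVE, 0 },
    { "NtQuerySemaphore", APICAT_EXECUTIVE, 0 },
    { "NtReleaseSemaphore", APICAT_EXECUTIVE, 0 },
    { "NtCreateTimer", APICAT_EXECUTIVE, 0 },
    { "NtOpenTimer", APICAT_EXECUTIVE, 0 },
    { "NtCancelTimer", APICAT_EXECUTIVE, 0 },
    { "NtQueryTimer", APICAT_EXECUTIVE, 0 },
    { "NtSetTimer", APICAT_EXECUTIVE, 0 },
    { "NtQuerySystemTime", APICAT_EXECUTIVE, 0 },
    { "NtSetSystemTime", APICAT_EXECUTIVE, 0 },
    { "NtQueryTimerResolution", APICAT_EXECUTIVE, 0 },
    { "NtSetTimerResolution", APICAT_EXECUTIVE, 0 },
    { "NtAllocateLocallyUniqueId", APICAT_EXECUTIVE, 0 },
    { "NtSetUuidSeed", APICAT_EXECUTIVE, 0 },
    { "NtAllocateUuids", APICAT_EXECUTIVE, 0 },
    { "NtCreateProfile", APICAT_EXECUTIVE, 0 },
    { "NtStartProfile", APICAT_EXECUTIVE, 0 },
    { "NtStopProfile", APICAT_EXECUTIVE, 0 },
    { "NtSetIntervalProfile", APICAT_EXECUTIVE, 0 },
    { "NtQueryIntervalProfile", APICAT_EXECUTIVE, 0 },
    { "NtQueryPerformanceCounter", APICAT_EXECUTIVE, 0 },
    { "NtCreateKeyedEvent", APICAT_EXECUTIVE, 0 },
    { "NtOpenKeyedEvent", APICAT_EXECUTIVE, 0 },
    { "NtReleaseKeyedEvent", APICAT_EXECUTIVE, 0 },
    { "NtWaitForKeyedEvent", APICAT_EXECUTIVE, 0 },
    // The five Nap* rows below were already disabled in the original listing.
    // { "NapClearData", APICAT_EXECUTIVE, 0 },
    // { "NapRetrieveData", APICAT_EXECUTIVE, 0 },
    // { "NapGetApiCount", APICAT_EXECUTIVE, 0 },
    // { "NapPause", APICAT_EXECUTIVE, 0 },
    // { "NapResume", APICAT_EXECUTIVE, 0 },
    { "NtQuerySystemInformation", APICAT_EXECUTIVE, 0 },
    { "NtSetSystemInformation", APICAT_EXECUTIVE, 0 },
    { "NtSystemDebugControl", APICAT_EXECUTIVE, 0 },
    { "NtRaiseHardError", APICAT_EXECUTIVE, 0 },
    { "NtGetTickCount", APICAT_EXECUTIVE, 0 },
    { "NtQueryDefaultLocale", APICAT_EXECUTIVE, 0 },
    { "NtSetDefaultLocale", APICAT_EXECUTIVE, 0 },
    { "NtQueryInstallUILanguage", APICAT_EXECUTIVE, 0 },
    { "NtQueryDefaultUILanguage", APICAT_EXECUTIVE, 0 },
    { "NtSetDefaultUILanguage", APICAT_EXECUTIVE, 0 },
    { "NtSetDefaultHardErrorPort", APICAT_EXECUTIVE, 0 },
    { "NtShutdownSystem", APICAT_EXECUTIVE, 0 },
    { "NtDisplayString", APICAT_EXECUTIVE, 0 },
    { "NtAddAtom", APICAT_EXECUTIVE, 0 },
    { "NtFindAtom", APICAT_EXECUTIVE, 0 },
    { "NtDeleteAtom", APICAT_EXECUTIVE, 0 },
    { "NtQueryInformationAtom", APICAT_EXECUTIVE, 0 },

    // NT Io APIs (ntioapi.h)
    { "NtCancelIoFile", APICAT_IO, 0 },
    { "NtCreateNamedPipeFile", APICAT_IO, 0 },
    { "NtCreateMailslotFile", APICAT_IO, 0 },
    { "NtDeleteFile", APICAT_IO, 0 },
    { "NtFlushBuffersFile", APICAT_IO, 0 },
    { "NtNotifyChangeDirectoryFile", APICAT_IO, 0 },
    { "NtQueryAttributesFile", APICAT_IO, 0 },
    { "NtQueryFullAttributesFile", APICAT_IO, 0 },
    { "NtQueryEaFile", APICAT_IO, 0 },
    { "NtCreateFile", APICAT_IO, 0 },
    { "NtDeviceIoControlFile", APICAT_IO, 0 },
    { "NtFsControlFile", APICAT_IO, 0 },
    { "NtLockFile", APICAT_IO, 0 },
    { "NtOpenFile", APICAT_IO, 0 },
    { "NtQueryDirectoryFile", APICAT_IO, 0 },
    { "NtQueryInformationFile", APICAT_IO, 0 },
    { "NtQueryQuotaInformationFile", APICAT_IO, 0 },
    { "NtQueryVolumeInformationFile", APICAT_IO, 0 },
    { "NtReadFile", APICAT_IO, 0 },
    { "NtSetInformationFile", APICAT_IO, 0 },
    { "NtSetQuotaInformationFile", APICAT_IO, 0 },
    { "NtSetVolumeInformationFile", APICAT_IO, 0 },
    { "NtWriteFile", APICAT_IO, 0 },
    { "NtUnlockFile", APICAT_IO, 0 },
    { "NtReadFile64", APICAT_IO, 0 },
    { "NtReadFileScatter", APICAT_IO, 0 },
    { "NtSetEaFile", APICAT_IO, 0 },
    { "NtWriteFile64", APICAT_IO, 0 },
    { "NtWriteFileGather", APICAT_IO, 0 },
    { "NtLoadDriver", APICAT_IO, 0 },
    { "NtUnloadDriver", APICAT_IO, 0 },
    { "NtCreateIoCompletion", APICAT_IO, 0 },
    { "NtOpenIoCompletion", APICAT_IO, 0 },
    { "NtQueryIoCompletion", APICAT_IO, 0 },
    { "NtSetIoCompletion", APICAT_IO, 0 },
    { "NtRemoveIoCompletion", APICAT_IO, 0 },

    // NT Kernel APIs (ntkeapi.h)
    { "NtCallbackReturn", APICAT_KERNEL, 0 },
    { "NtQueryDebugFilterState", APICAT_KERNEL, 0 },
    { "NtSetDebugFilterState", APICAT_KERNEL, 0 },
    { "NtW32Call", APICAT_KERNEL, 0 },
    { "NtYieldExecution", APICAT_KERNEL, 0 },

    // NT LPC APIs (ntlpcapi.h)
    { "NtCreatePort", APICAT_LPC, 0 },
    { "NtCreateWaitablePort", APICAT_LPC, 0 },
    { "NtConnectPort", APICAT_LPC, 0 },
    { "NtSecureConnectPort", APICAT_LPC, 0 },
    { "NtListenPort", APICAT_LPC, 0 },
    { "NtAcceptConnectPort", APICAT_LPC, 0 },
    { "NtCompleteConnectPort", APICAT_LPC, 0 },
    { "NtRequestPort", APICAT_LPC, 0 },
    { "NtRequestWaitReplyPort", APICAT_LPC, 0 },
    { "NtReplyPort", APICAT_LPC, 0 },
    { "NtReplyWaitReplyPort", APICAT_LPC, 0 },
    { "NtReplyWaitReceivePort", APICAT_LPC, 0 },
    { "NtReplyWaitReceivePortEx", APICAT_LPC, 0 },
    { "NtImpersonateClientOfPort", APICAT_LPC, 0 },
    { "NtReadRequestData", APICAT_LPC, 0 },
    { "NtWriteRequestData", APICAT_LPC, 0 },
    { "NtQueryInformationPort", APICAT_LPC, 0 },

    // NT Memory APIs (ntmmapi.h)
    { "NtCreateSection", APICAT_MEMORY, 0 },
    { "NtOpenSection", APICAT_MEMORY, 0 },
    { "NtMapViewOfSection", APICAT_MEMORY, 0 },
    { "NtUnmapViewOfSection", APICAT_MEMORY, 0 },
    { "NtExtendSection", APICAT_MEMORY, 0 },
    { "NtAreMappedFilesTheSame", APICAT_MEMORY, 0 },
    { "NtAllocateVirtualMemory", APICAT_MEMORY, 0 },
    { "NtFreeVirtualMemory", APICAT_MEMORY, 0 },
    { "NtReadVirtualMemory", APICAT_MEMORY, 0 },
    { "NtWriteVirtualMemory", APICAT_MEMORY, 0 },
    { "NtFlushVirtualMemory", APICAT_MEMORY, 0 },
    { "NtLockVirtualMemory", APICAT_MEMORY, 0 },
    { "NtUnlockVirtualMemory", APICAT_MEMORY, 0 },
    { "NtProtectVirtualMemory", APICAT_MEMORY, 0 },
    { "NtQueryVirtualMemory", APICAT_MEMORY, 0 },
    { "NtQuerySection", APICAT_MEMORY, 0 },
    { "NtMapUserPhysicalPages", APICAT_MEMORY, 0 },
    { "NtMapUserPhysicalPagesScatter", APICAT_MEMORY, 0 },
    { "NtAllocateUserPhysicalPages", APICAT_MEMORY, 0 },
    { "NtFreeUserPhysicalPages", APICAT_MEMORY, 0 },
    { "NtGetWriteWatch", APICAT_MEMORY, 0 },
    { "NtResetWriteWatch", APICAT_MEMORY, 0 },
    { "NtCreatePagingFile", APICAT_MEMORY, 0 },
    { "NtFlushInstructionCache", APICAT_MEMORY, 0 },
    { "NtFlushWriteBuffer", APICAT_MEMORY, 0 },

    // NT Object Manager APIs (ntobapi.h)
    { "NtQueryObject", APICAT_OBJECT, 0 },
    { "NtSetInformationObject", APICAT_OBJECT, 0 },
    { "NtDuplicateObject", APICAT_OBJECT, 0 },
    { "NtMakeTemporaryObject", APICAT_OBJECT, 0 },
    { "NtMakePermanentObject", APICAT_OBJECT, 0 },
    { "NtSignalAndWaitForSingleObject", APICAT_OBJECT, 0 },
    { "NtWaitForSingleObject", APICAT_OBJECT, 0 },
    { "NtWaitForMultipleObjects", APICAT_OBJECT, 0 },
    { "NtSetSecurityObject", APICAT_OBJECT, 0 },
    { "NtQuerySecurityObject", APICAT_OBJECT, 0 },
    { "NtClose", APICAT_OBJECT, 0 },
    { "NtCreateDirectoryObject", APICAT_OBJECT, 0 },
    { "NtOpenDirectoryObject", APICAT_OBJECT, 0 },
    { "NtQueryDirectoryObject", APICAT_OBJECT, 0 },
    { "NtCreateSymbolicLinkObject", APICAT_OBJECT, 0 },
    { "NtOpenSymbolicLinkObject", APICAT_OBJECT, 0 },
    { "NtQuerySymbolicLinkObject", APICAT_OBJECT, 0 },

    // NT PnP APIs (ntpnpapi.h)
    { "NtGetPlugPlayEvent", APICAT_PNP, 0 },
    { "NtPlugPlayControl", APICAT_PNP, 0 },

    // NT Power APIs (ntpoapi.h)
    { "NtPowerInformation", APICAT_POWER, 0 },
    { "NtSetThreadExecutionState", APICAT_POWER, 0 },
    { "NtRequestWakeupLatency", APICAT_POWER, 0 },
    { "NtInitiatePowerAction", APICAT_POWER, 0 },
    { "NtSetSystemPowerState", APICAT_POWER, 0 },
    { "NtGetDevicePowerState", APICAT_POWER, 0 },
    { "NtCancelDeviceWakeupRequest", APICAT_POWER, 0 },
    { "NtIsSystemResumeAutomatic", APICAT_POWER, 0 },
    { "NtRequestDeviceWakeup", APICAT_POWER, 0 },

    // NT Process APIs (ntpsapi.h)
    { "NtCreateProcess", APICAT_PROCESS, 0 },
    { "NtCreateProcessEx", APICAT_PROCESS, 0 },
    { "NtOpenProcess", APICAT_PROCESS, 0 },
    { "NtTerminateProcess", APICAT_PROCESS, 0 },
    { "NtQueryInformationProcess", APICAT_PROCESS, 0 },
    { "NtSetInformationProcess", APICAT_PROCESS, 0 },
    { "NtCreateThread", APICAT_PROCESS, 0 },
    { "NtOpenThread", APICAT_PROCESS, 0 },
    { "NtTerminateThread", APICAT_PROCESS, 0 },
    { "NtSuspendThread", APICAT_PROCESS, 0 },
    { "NtResumeThread", APICAT_PROCESS, 0 },
    { "NtSuspendProcess", APICAT_PROCESS, 0 },
    { "NtResumeProcess", APICAT_PROCESS, 0 },
    { "NtGetContextThread", APICAT_PROCESS, 0 },
    { "NtSetContextThread", APICAT_PROCESS, 0 },
    { "NtQueryInformationThread", APICAT_PROCESS, 0 },
    { "NtSetInformationThread", APICAT_PROCESS, 0 },
    { "NtAlertThread", APICAT_PROCESS, 0 },
    { "NtAlertResumeThread", APICAT_PROCESS, 0 },
    { "NtImpersonateThread", APICAT_PROCESS, 0 },
    { "NtTestAlert", APICAT_PROCESS, 0 },
    { "NtRegisterThreadTerminatePort", APICAT_PROCESS, 0 },
    { "NtSetLdtEntries", APICAT_PROCESS, 0 },
    { "NtQueueApcThread", APICAT_PROCESS, 0 },
    { "NtCreateJobObject", APICAT_PROCESS, 0 },
    { "NtOpenJobObject", APICAT_PROCESS, 0 },
    { "NtAssignProcessToJobObject", APICAT_PROCESS, 0 },
    { "NtTerminateJobObject", APICAT_PROCESS, 0 },
    { "NtIsProcessInJob", APICAT_PROCESS, 0 },
    { "NtCreateJobSet", APICAT_PROCESS, 0 },
    { "NtQueryInformationJobObject", APICAT_PROCESS, 0 },
    { "NtSetInformationJobObject", APICAT_PROCESS, 0 },

    // NT Registry APIs (ntregapi.h)
    { "NtCreateKey", APICAT_REGISTRY, 0 },
    { "NtDeleteKey", APICAT_REGISTRY, 0 },
    { "NtDeleteValueKey", APICAT_REGISTRY, 0 },
    { "NtEnumerateKey", APICAT_REGISTRY, 0 },
    { "NtEnumerateValueKey", APICAT_REGISTRY, 0 },
    { "NtFlushKey", APICAT_REGISTRY, 0 },
    { "NtInitializeRegistry", APICAT_REGISTRY, 0 },
    { "NtNotifyChangeKey", APICAT_REGISTRY, 0 },
    { "NtNotifyChangeMultipleKeys", APICAT_REGISTRY, 0 },
    { "NtLoadKey", APICAT_REGISTRY, 0 },
    { "NtLoadKey2", APICAT_REGISTRY, 0 },
    { "NtOpenKey", APICAT_REGISTRY, 0 },
    { "NtQueryKey", APICAT_REGISTRY, 0 },
    { "NtQueryValueKey", APICAT_REGISTRY, 0 },
    { "NtQueryMultipleValueKey", APICAT_REGISTRY, 0 },
    { "NtReplaceKey", APICAT_REGISTRY, 0 },
    { "NtRenameKey", APICAT_REGISTRY, 0 },
    { "NtCompactKeys", APICAT_REGISTRY, 0 },
    { "NtCompressKey", APICAT_REGISTRY, 0 },
    { "NtRestoreKey", APICAT_REGISTRY, 0 },
    { "NtSaveKey", APICAT_REGISTRY, 0 },
    { "NtSaveKeyEx", APICAT_REGISTRY, 0 },
    { "NtSaveMergedKeys", APICAT_REGISTRY, 0 },
    { "NtSetValueKey", APICAT_REGISTRY, 0 },
    { "NtUnloadKey", APICAT_REGISTRY, 0 },
    { "NtUnloadKeyEx", APICAT_REGISTRY, 0 },
    { "NtSetInformationKey", APICAT_REGISTRY, 0 },
    { "NtQueryOpenSubKeys", APICAT_REGISTRY, 0 },
    { "NtLockRegistryKey", APICAT_REGISTRY, 0 },
    { "NtLockProductActivationKeys", APICAT_REGISTRY, 0 },

    // NT Security APIs (ntseapi.h)
    { "NtAccessCheck", APICAT_SECURITY, 0 },
    { "NtAccessCheckByType", APICAT_SECURITY, 0 },
    { "NtAccessCheckByTypeResultList", APICAT_SECURITY, 0 },
    { "NtCreateToken", APICAT_SECURITY, 0 },
    { "NtCompareTokens", APICAT_SECURITY, 0 },
    { "NtOpenThreadToken", APICAT_SECURITY, 0 },
    { "NtOpenThreadTokenEx", APICAT_SECURITY, 0 },
    { "NtOpenProcessToken", APICAT_SECURITY, 0 },
    { "NtOpenProcessTokenEx", APICAT_SECURITY, 0 },
    { "NtOpenJobObjectToken", APICAT_SECURITY, 0 },
    { "NtDuplicateToken", APICAT_SECURITY, 0 },
    { "NtFilterToken", APICAT_SECURITY, 0 },
    { "NtImpersonateAnonymousToken", APICAT_SECURITY, 0 },
    { "NtQueryInformationToken", APICAT_SECURITY, 0 },
    { "NtSetInformationToken", APICAT_SECURITY, 0 },
    { "NtAdjustPrivilegesToken", APICAT_SECURITY, 0 },
    { "NtAdjustGroupsToken", APICAT_SECURITY, 0 },
    { "NtPrivilegeCheck", APICAT_SECURITY, 0 },
    { "NtAccessCheckAndAuditAlarm", APICAT_SECURITY, 0 },
    { "NtAccessCheckByTypeAndAuditAlarm", APICAT_SECURITY, 0 },
    { "NtAccessCheckByTypeResultListAndAuditAlarm", APICAT_SECURITY, 0 },
    { "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", APICAT_SECURITY, 0 },
    { "NtOpenObjectAuditAlarm", APICAT_SECURITY, 0 },
    { "NtPrivilegeObjectAuditAlarm", APICAT_SECURITY, 0 },
    { "NtCloseObjectAuditAlarm", APICAT_SECURITY, 0 },
    { "NtDeleteObjectAuditAlarm", APICAT_SECURITY, 0 },
    { "NtPrivilegedServiceAuditAlarm", APICAT_SECURITY, 0 },

    // NT Exception APIs (ntxcapi.h)
    { "NtContinue", APICAT_XCEPT, 0 },
    { "NtRaiseException", APICAT_XCEPT, 0 },

    // NT WOW64 CSR APIs
    { "NtWow64CsrClientConnectToServer", APICAT_NTWOW64, 0 },
    { "NtWow64CsrNewThread", APICAT_NTWOW64, 0 },
    { "NtWow64CsrIdentifyAlertableThread", APICAT_NTWOW64, 0 },
    { "NtWow64CsrClientCallServer", APICAT_NTWOW64, 0 },
    { "NtWow64CsrAllocateCaptureBuffer", APICAT_NTWOW64, 0 },
    { "NtWow64CsrFreeCaptureBuffer", APICAT_NTWOW64, 0 },
    { "NtWow64CsrAllocateMessagePointer", APICAT_NTWOW64, 0 },
    { "NtWow64CsrCaptureMessageBuffer", APICAT_NTWOW64, 0 },
    { "NtWow64CsrCaptureMessageString", APICAT_NTWOW64, 0 },
    { "NtWow64CsrSetPriorityClass", APICAT_NTWOW64, 0 },
    { "NtWow64CsrGetProcessId", APICAT_NTWOW64, 0 },
    { "NtWow64DebuggerCall", APICAT_NTWOW64, 0 },

    // BASE WOW64 CSR APIs
    { "NtWow64CsrBasepSoundSentryNotification", APICAT_BASEWOW64, 0 },
    { "NtWow64CsrBasepRefreshIniFileMapping", APICAT_BASEWOW64, 0 },
    { "NtWow64CsrBasepDefineDosDevice", APICAT_BASEWOW64, 0 },
    { "NtWow64CsrBasepGetTempFile", APICAT_BASEWOW64, 0 },
    { "NtWow64CsrBasepCreateProcess", APICAT_BASEWOW64, 0 },
    { "NtWow64CsrBasepExitProcess", APICAT_BASEWOW64, 0 },
    { "NtWow64CsrBasepSetProcessShutdownParam", APICAT_BASEWOW64, 0 },
    { "NtWow64CsrBasepGetProcessShutdownParam", APICAT_BASEWOW64, 0 },
    { "NtWow64CsrBasepSetTermsrvAppInstallMode", APICAT_BASEWOW64, 0 },
    { "NtWow64CsrBasepSetClientTimeZoneInformation", APICAT_BASEWOW64, 0 },
    { "NtWow64CsrBasepCreateThread", APICAT_BASEWOW64, 0 },
    { "NtWow64CsrBaseClientConnectToServer", APICAT_BASEWOW64, 0 },
    { "NtWow64CsrBasepNlsSetUserInfo", APICAT_BASEWOW64, 0 },
    { "NtWow64CsrBasepNlsSetMultipleUserInfo", APICAT_BASEWOW64, 0 },
    { "NtWow64CsrBasepNlsCreateSection", APICAT_BASEWOW64, 0 },
    { "NtWow64CsrBasepCreateActCtx", APICAT_BASEWOW64, 0 },
    { "NtWow64CsrBasepNlsUpdateCacheCount", APICAT_BASEWOW64, 0 },
    { "NtWow64CsrBasepNlsGetUserInfo", APICAT_BASEWOW64, 0 },

    // null terminating entry
    { NULL, 0, 0 }
};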