forked from harryanon/r0ak
-
Notifications
You must be signed in to change notification settings - Fork 9
/
Copy pathnt.h
116 lines (95 loc) · 2.49 KB
/
nt.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
/*++
Copyright (c) Alex Ionescu. All rights reserved.
Module Name:
nt.h
Abstract:
This header defines internal NT data structures and routines used by r0ak
Author:
Alex Ionescu (@aionescu) 21-Jul-2018 - First public version
Environment:
User mode only.
--*/
#include <winternl.h>
NTSYSAPI
NTSTATUS
NTAPI
RtlAdjustPrivilege (
_In_ ULONG Privilege,
_In_ BOOLEAN NewValue,
_In_ BOOLEAN ForThread,
_Out_ PBOOLEAN OldValue
);
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenSection (
_Out_ PHANDLE SectionHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes
);
typedef struct _WORK_QUEUE_ITEM
{
LIST_ENTRY List;
PVOID WorkerRoutine;
PVOID Parameter;
} WORK_QUEUE_ITEM, *PWORK_QUEUE_ITEM;
typedef struct _RTL_BALANCED_LINKS
{
struct _RTL_BALANCED_LINKS *Parent;
struct _RTL_BALANCED_LINKS *LeftChild;
struct _RTL_BALANCED_LINKS *RightChild;
CHAR Balance;
UCHAR Reserved[3];
} RTL_BALANCED_LINKS;
typedef RTL_BALANCED_LINKS *PRTL_BALANCED_LINKS;
typedef struct _RTL_AVL_TABLE
{
RTL_BALANCED_LINKS BalancedRoot;
PVOID OrderedPointer;
ULONG WhichOrderedElement;
ULONG NumberGenericTableElements;
ULONG DepthOfTree;
PRTL_BALANCED_LINKS RestartKey;
ULONG DeleteCount;
PVOID CompareRoutine;
PVOID AllocateRoutine;
PVOID FreeRoutine;
PVOID TableContext;
} RTL_AVL_TABLE;
typedef RTL_AVL_TABLE *PRTL_AVL_TABLE;
typedef struct tagXSGLOBALS
{
PVOID NetworkFontsTableLock;
PRTL_AVL_TABLE NetworkFontsTable;
PVOID TrustedFontsTableLock;
PRTL_AVL_TABLE TrustedFontsTable;
} XSGLOBALS, *PXSGLOBALS;
#pragma warning(push)
#pragma warning(disable:4214)
#pragma warning(disable:4201)
typedef struct _SYSTEM_BIGPOOL_ENTRY
{
union
{
PVOID VirtualAddress;
ULONG_PTR NonPaged : 1;
};
ULONGLONG SizeInBytes;
union
{
UCHAR Tag[4];
ULONG TagUlong;
};
} SYSTEM_BIGPOOL_ENTRY, *PSYSTEM_BIGPOOL_ENTRY;
#pragma warning(pop)
typedef struct _SYSTEM_BIGPOOL_INFORMATION
{
ULONG Count;
SYSTEM_BIGPOOL_ENTRY AllocatedInfo[ANYSIZE_ARRAY];
} SYSTEM_BIGPOOL_INFORMATION, *PSYSTEM_BIGPOOL_INFORMATION;
#define SE_DEBUG_PRIVILEGE 20
#define SystemBigPoolInformation (SYSTEM_INFORMATION_CLASS)66
#define SystemHardwareSecurityTestInterfaceResultsInformation (SYSTEM_INFORMATION_CLASS)166
#define PERF_WORKER_THREAD 0x48000000
#define EVENT_TRACE_GROUP_THREAD 0x0500
#define PERFINFO_LOG_TYPE_WORKER_THREAD_ITEM_END (EVENT_TRACE_GROUP_THREAD | 0x41)