diff --git a/VERSION b/VERSION
index 98f88a0..1894308 100644
--- a/VERSION
+++ b/VERSION
@@ -1,3 +1,5 @@
+2024-09-28:
+https://github.com/winsiderss/systeminformer/commit/6a372fc5167e3c27230dee84644817c5e54ef5ed
2024-07-18:
https://github.com/winsiderss/systeminformer/commit/c2e84fb8ac3bd33ce63c5d55f9e5fb6720d382e0
diff --git a/Veil.Test/Veil.Project.props b/Veil.Test/Veil.Project.props
index 98bae2b..f1d0206 100644
--- a/Veil.Test/Veil.Project.props
+++ b/Veil.Test/Veil.Project.props
@@ -3,8 +3,8 @@
- $(SolutionDir)Output\Binaries\$(Configuration)\$(PlatformShortName)\
- $(SolutionDir)Output\Objects\$(MSBuildProjectName)\$(Configuration)\$(PlatformShortName)\
+ $(SolutionDir)Output\Binaries\$(Configuration)\$(PlatformShortName)\
+ $(SolutionDir)Output\Objects\$(MSBuildProjectName)\$(Configuration)\$(PlatformShortName)\
@@ -22,4 +22,8 @@
+
+ false
+ false
+
\ No newline at end of file
diff --git a/Veil/Veil.System.ALPC.h b/Veil/Veil.System.ALPC.h
index 35b12f6..11baee5 100644
--- a/Veil/Veil.System.ALPC.h
+++ b/Veil/Veil.System.ALPC.h
@@ -84,10 +84,10 @@ typedef struct _PORT_DATA_INFORMATION
#define LPC_DEBUG_EVENT 8
#define LPC_ERROR_EVENT 9
#define LPC_CONNECTION_REQUEST 10
-#define LPC_CONTINUATION_REQUIRED 0x2000
-#define LPC_KERNELMODE_MESSAGE (CSHORT)0x8000
-#define LPC_NO_IMPERSONATE (CSHORT)0x4000
+#define LPC_CONTINUATION_REQUIRED 0x2000
+#define LPC_NO_IMPERSONATE 0x4000
+#define LPC_KERNELMODE_MESSAGE 0x8000
#define PORT_VALID_OBJECT_ATTRIBUTES OBJ_CASE_INSENSITIVE
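Review bot: Dropping the `(CSHORT)` cast from `LPC_KERNELMODE_MESSAGE` and `LPC_NO_IMPERSONATE` changes each constant from a signed 16-bit value to a plain `int`, which alters equality comparisons: a `CSHORT` message-type field holding the 0x8000 bit promotes to -32768 and no longer equals `0x8000`, whereas it did equal `(CSHORT)0x8000`. Bitwise tests such as `Type & LPC_KERNELMODE_MESSAGE` keep working, so the change is only observable where `==` is used; any in-tree callers should be checked, which I cannot see from this hunk. A short comment on the new lines would make the intended usage explicit, e.g. `// message-type flag bits: test with &, not ==`.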
@@ -605,10 +605,10 @@ typedef struct _ALPC_PORT_ATTRIBUTES
} ALPC_PORT_ATTRIBUTES, * PALPC_PORT_ATTRIBUTES;
// begin_rev
-#define ALPC_MESSAGE_SECURITY_ATTRIBUTE 0x80000000
-#define ALPC_MESSAGE_VIEW_ATTRIBUTE 0x40000000
-#define ALPC_MESSAGE_CONTEXT_ATTRIBUTE 0x20000000
#define ALPC_MESSAGE_HANDLE_ATTRIBUTE 0x10000000
+#define ALPC_MESSAGE_CONTEXT_ATTRIBUTE 0x20000000
+#define ALPC_MESSAGE_VIEW_ATTRIBUTE 0x40000000
+#define ALPC_MESSAGE_SECURITY_ATTRIBUTE 0x80000000
// end_rev
// symbols
@@ -711,8 +711,9 @@ typedef struct _ALPC_HANDLE_ATTR
ACCESS_MASK GrantedAccess;
} ALPC_HANDLE_ATTR, * PALPC_HANDLE_ATTR;
-#define ALPC_SECFLG_CREATE_HANDLE 0x20000 // dbg
-#define ALPC_SECFLG_NOSECTIONHANDLE 0x40000
+#define ALPC_SECFLG_CREATE_HANDLE 0x20000 // dbg
+#define ALPC_SECFLG_NOSECTIONHANDLE 0x40000
+
// private
typedef struct _ALPC_SECURITY_ATTR
{
@@ -722,7 +723,9 @@ typedef struct _ALPC_SECURITY_ATTR
} ALPC_SECURITY_ATTR, * PALPC_SECURITY_ATTR;
// begin_rev
-#define ALPC_VIEWFLG_NOT_SECURE 0x40000
+#define ALPC_VIEWFLG_UNMAP_EXISTING 0x10000
+#define ALPC_VIEWFLG_AUTO_RELEASE 0x20000
+#define ALPC_VIEWFLG_NOT_SECURE 0x40000
// end_rev
// private
@@ -1381,6 +1384,10 @@ AlpcMaxAllowedMessageLength(
VOID
);
+#define ALPC_ATTRFLG_ALLOCATEDATTR 0x20000000
+#define ALPC_ATTRFLG_VALIDATTR 0x40000000
+#define ALPC_ATTRFLG_KEEPRUNNINGATTR 0x60000000
+
NTSYSAPI
ULONG
NTAPI
@@ -1388,10 +1395,6 @@ AlpcGetHeaderSize(
_In_ ULONG Flags
);
-#define ALPC_ATTRFLG_ALLOCATEDATTR 0x20000000
-#define ALPC_ATTRFLG_VALIDATTR 0x40000000
-#define ALPC_ATTRFLG_KEEPRUNNINGATTR 0x60000000
-
NTSYSAPI
NTSTATUS
NTAPI
diff --git a/Veil/Veil.System.ConfigurationManager.h b/Veil/Veil.System.ConfigurationManager.h
index a7a1bca..999568d 100644
--- a/Veil/Veil.System.ConfigurationManager.h
+++ b/Veil/Veil.System.ConfigurationManager.h
@@ -1,4 +1,4 @@
-/*
+ /*
* PROJECT: Veil
* FILE: Veil.System.ConfigurationManager.h
* PURPOSE: This file is part of Veil.
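Review bot: The rewritten first line `+ /*` introduces a leading space before the opening comment marker, so the file header no longer starts at column 0 and is misaligned with the ` * PROJECT:` lines that follow; this looks accidental rather than intended. Restore `/*` at column 0 as in the removed line.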
@@ -125,17 +125,36 @@ typedef struct _KEY_FLAGS_INFORMATION
} KEY_FLAGS_INFORMATION, * PKEY_FLAGS_INFORMATION;
#ifndef _KERNEL_MODE
+/**
+ * The KEY_VIRTUALIZATION_INFORMATION structure contains information about the virtualization state of a key.
+ *
+ * The flags include:
+ * - VirtualizationCandidate: The key is part of the virtualization namespace scope (only HKLM\Software for now).
+ * - VirtualizationEnabled: Virtualization is enabled on this key. Can be 1 only if VirtualizationCandidate is 1.
+ * - VirtualTarget: The key is a virtual key. Can be 1 only if VirtualizationCandidate and VirtualizationEnabled are 0. Valid only on the virtual store key handles.
+ * - VirtualStore: The key is a part of the virtual store path. Valid only on the virtual store key handles.
+ * - VirtualSource: The key has ever been virtualized, can be 1 only if VirtualizationCandidate is 1.
+ * - Reserved: Reserved bits.
+ */
typedef struct _KEY_VIRTUALIZATION_INFORMATION
{
- ULONG VirtualizationCandidate : 1; // Tells whether the key is part of the virtualization namespace scope (only HKLM\Software for now).
- ULONG VirtualizationEnabled : 1; // Tells whether virtualization is enabled on this key. Can be 1 only if above flag is 1.
- ULONG VirtualTarget : 1; // Tells if the key is a virtual key. Can be 1 only if above 2 are 0. Valid only on the virtual store key handles.
- ULONG VirtualStore : 1; // Tells if the key is a part of the virtual store path. Valid only on the virtual store key handles.
- ULONG VirtualSource : 1; // Tells if the key has ever been virtualized, can be 1 only if VirtualizationCandidate is 1.
+ ULONG VirtualizationCandidate : 1;
+ ULONG VirtualizationEnabled : 1;
+ ULONG VirtualTarget : 1;
+ ULONG VirtualStore : 1;
+ ULONG VirtualSource : 1;
ULONG Reserved : 27;
} KEY_VIRTUALIZATION_INFORMATION, * PKEY_VIRTUALIZATION_INFORMATION;
// private
+/**
+ * The KEY_TRUST_INFORMATION structure contains information about the trust status of a key.
+ *
+ * The flags include:
+ * - TrustedKey: Indicates whether the key is trusted. When set, this flag signifies that the key is considered
+ * to be secure and reliable.
+ * - Reserved: Reserved bits.
+ */
typedef struct _KEY_TRUST_INFORMATION
{
ULONG TrustedKey : 1;
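Review bot: The new KEY_TRUST_INFORMATION block states that TrustedKey means the key is "considered to be secure and reliable", which restates the field name rather than its semantics and is not backed by anything in the header; the same applies to the tombstone wording in the KEY_LAYER_INFORMATION and KEY_SET_LAYER_INFORMATION hunks that follow ("ensure that deleted keys are not immediately reused", with the second block a verbatim copy of the first) and to the "user-defined flags" description of UserFlags in KEY_WOW64_FLAGS_INFORMATION. Reverse-engineered headers are read as authoritative, so meanings that are not verified should be hedged or trimmed, e.g. `- TrustedKey: Set when the key is treated as trusted by the configuration manager; exact criteria undocumented.` Moving the per-field comments of KEY_VIRTUALIZATION_INFORMATION into one header block is reasonable, but keep each description limited to what the original inline comments stated.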
@@ -143,6 +162,24 @@ typedef struct _KEY_TRUST_INFORMATION
} KEY_TRUST_INFORMATION, * PKEY_TRUST_INFORMATION;
// private
+/**
+ * The KEY_LAYER_INFORMATION structure contains information about a key layer.
+ *
+ * The flags include:
+ * - IsTombstone: Indicates whether the key layer is a tombstone. A tombstone is a marker that indicates
+ * that the key has been deleted but not yet purged from the registry. It is used to maintain the
+ * integrity of the registry and ensure that deleted keys are not immediately reused.
+ * - IsSupersedeLocal: Indicates whether the key layer supersedes the local key. When set, this flag
+ * indicates that the key layer should replace the local key's information, effectively overriding
+ * any local changes or settings.
+ * - IsSupersedeTree: Indicates whether the key layer supersedes the entire key tree. When set, this flag
+ * indicates that the key layer should replace the entire subtree of keys, overriding any changes or
+ * settings in the subtree.
+ * - ClassIsInherited: Indicates whether the key layer's class is inherited. When set, this flag indicates
+ * that the class information of the key layer is inherited from its parent key, rather than being
+ * explicitly defined.
+ * - Reserved: Reserved bits.
+ */
typedef struct _KEY_LAYER_INFORMATION
{
ULONG IsTombstone : 1;
@@ -164,21 +201,59 @@ typedef enum _KEY_SET_INFORMATION_CLASS
MaxKeySetInfoClass
} KEY_SET_INFORMATION_CLASS;
+/**
+ * Structure representing the last write time of a registry key.
+ *
+ * The values include:
+ * - LastWriteTime: Contains the timestamp of the last write operation performed on a registry key.
+ */
typedef struct _KEY_WRITE_TIME_INFORMATION
{
LARGE_INTEGER LastWriteTime;
} KEY_WRITE_TIME_INFORMATION, * PKEY_WRITE_TIME_INFORMATION;
+/**
+ * The KEY_WOW64_FLAGS_INFORMATION structure contains information about the WOW64 flags for a key.
+ *
+ * The fields include:
+ * - UserFlags: A set of user-defined flags associated with the key. These flags are used to store
+ * additional information about the key in the context of WOW64 (Windows 32-bit on Windows 64-bit).
+ */
typedef struct _KEY_WOW64_FLAGS_INFORMATION
{
ULONG UserFlags;
} KEY_WOW64_FLAGS_INFORMATION, * PKEY_WOW64_FLAGS_INFORMATION;
+/**
+ * The KEY_HANDLE_TAGS_INFORMATION structure contains information about the handle tags for a key.
+ *
+ * The fields include:
+ * - HandleTags: A set of tags associated with the key handle. These tags are used to store additional
+ * metadata or state information about the key handle.
+ */
typedef struct _KEY_HANDLE_TAGS_INFORMATION
{
ULONG HandleTags;
} KEY_HANDLE_TAGS_INFORMATION, * PKEY_HANDLE_TAGS_INFORMATION;
+/**
+ * The KEY_SET_LAYER_INFORMATION structure contains information about a key layer.
+ *
+ * The flags include:
+ * - IsTombstone: Indicates whether the key layer is a tombstone. A tombstone is a marker that indicates
+ * that the key has been deleted but not yet purged from the registry. It is used to maintain the
+ * integrity of the registry and ensure that deleted keys are not immediately reused.
+ * - IsSupersedeLocal: Indicates whether the key layer supersedes the local key. When set, this flag
+ * indicates that the key layer should replace the local key's information, effectively overriding
+ * any local changes or settings.
+ * - IsSupersedeTree: Indicates whether the key layer supersedes the entire key tree. When set, this flag
+ * indicates that the key layer should replace the entire subtree of keys, overriding any changes or
+ * settings in the subtree.
+ * - ClassIsInherited: Indicates whether the key layer's class is inherited. When set, this flag indicates
+ * that the class information of the key layer is inherited from its parent key, rather than being
+ * explicitly defined.
+ * - Reserved: Reserved bits.
+ */
typedef struct _KEY_SET_LAYER_INFORMATION
{
ULONG IsTombstone : 1;
@@ -188,6 +263,13 @@ typedef struct _KEY_SET_LAYER_INFORMATION
ULONG Reserved : 28;
} KEY_SET_LAYER_INFORMATION, * PKEY_SET_LAYER_INFORMATION;
+/**
+ * The KEY_CONTROL_FLAGS_INFORMATION structure contains control flags for a key.
+ *
+ * The fields include:
+ * - ControlFlags: A set of control flags associated with the key. These flags are used to store
+ * additional control information about the key, which can affect its behavior or state.
+ */
typedef struct _KEY_CONTROL_FLAGS_INFORMATION
{
ULONG ControlFlags;
@@ -324,7 +406,9 @@ typedef struct _KEY_OPEN_SUBKEYS_INFORMATION
KEY_PID_ARRAY KeyArray[1];
} KEY_OPEN_SUBKEYS_INFORMATION, * PKEY_OPEN_SUBKEYS_INFORMATION;
+//
// Differencing registry & virtualization // since REDSTONE
+//
// rev
#define VR_DEVICE_NAME L"\\Device\\VRegDriver"
@@ -358,9 +442,9 @@ typedef struct _VR_LOAD_DIFFERENCING_HIVE
ULONG NextLayerIsHost;
ULONG Flags; // VR_FLAG_*
ULONG LoadFlags; // NtLoadKeyEx flags
- WORD KeyPathLength;
- WORD HivePathLength;
- WORD NextLayerKeyPathLength;
+ USHORT KeyPathLength;
+ USHORT HivePathLength;
+ USHORT NextLayerKeyPathLength;
HANDLE FileAccessToken; // since 20H1
WCHAR Strings[ANYSIZE_ARRAY];
// ...
@@ -373,8 +457,8 @@ typedef struct _VR_LOAD_DIFFERENCING_HIVE
typedef struct _VR_CREATE_NAMESPACE_NODE
{
HANDLE Job;
- WORD ContainerPathLength;
- WORD HostPathLength;
+ USHORT ContainerPathLength;
+ USHORT HostPathLength;
ULONG Flags;
ACCESS_MASK AccessMask; // since 20H1
WCHAR Strings[ANYSIZE_ARRAY];
@@ -395,8 +479,8 @@ typedef struct _VR_MODIFY_FLAGS
typedef struct _NAMESPACE_NODE_DATA
{
ACCESS_MASK AccessMask;
- WORD ContainerPathLength;
- WORD HostPathLength;
+ USHORT ContainerPathLength;
+ USHORT HostPathLength;
ULONG Flags;
WCHAR Strings[ANYSIZE_ARRAY];
// ...
@@ -441,9 +525,9 @@ typedef struct _VR_LOAD_DIFFERENCING_HIVE_FOR_HOST
{
ULONG LoadFlags; // NtLoadKeyEx flags
ULONG Flags; // VR_FLAG_* // since REDSTONE2
- WORD KeyPathLength;
- WORD HivePathLength;
- WORD NextLayerKeyPathLength;
+ USHORT KeyPathLength;
+ USHORT HivePathLength;
+ USHORT NextLayerKeyPathLength;
HANDLE FileAccessToken; // since 20H1
WCHAR Strings[ANYSIZE_ARRAY];
// ...
@@ -456,12 +540,91 @@ typedef struct _VR_LOAD_DIFFERENCING_HIVE_FOR_HOST
typedef struct _VR_UNLOAD_DIFFERENCING_HIVE_FOR_HOST
{
ULONG Reserved;
- WORD TargetKeyPathLength;
+ USHORT TargetKeyPathLength;
WCHAR TargetKeyPath[ANYSIZE_ARRAY];
} VR_UNLOAD_DIFFERENCING_HIVE_FOR_HOST, * PVR_UNLOAD_DIFFERENCING_HIVE_FOR_HOST;
+//
+// Key Open/Create Options
+//
+#define REG_OPTION_RESERVED (0x00000000L) // Parameter is reserved.
+#define REG_OPTION_NON_VOLATILE (0x00000000L) // Key is preserved when system is rebooted.
+#define REG_OPTION_VOLATILE (0x00000001L) // Key is not preserved when system is rebooted
+#define REG_OPTION_CREATE_LINK (0x00000002L) // Created key is a symbolic link
+#define REG_OPTION_BACKUP_RESTORE (0x00000004L) // open for backup or restore special access rules privilege required
+#define REG_OPTION_OPEN_LINK (0x00000008L) // Open symbolic link
+#define REG_OPTION_DONT_VIRTUALIZE (0x00000010L) // Disable Open/Read/Write virtualization for this open and the resulting handle.
+
+#ifndef REG_LEGAL_OPTION
+#define REG_LEGAL_OPTION \
+ (REG_OPTION_RESERVED | REG_OPTION_NON_VOLATILE |\
+ REG_OPTION_VOLATILE | REG_OPTION_CREATE_LINK |\
+ REG_OPTION_BACKUP_RESTORE | REG_OPTION_OPEN_LINK |\
+ REG_OPTION_DONT_VIRTUALIZE)
+#endif
+
+#ifndef REG_OPEN_LEGAL_OPTION
+#define REG_OPEN_LEGAL_OPTION \
+ (REG_OPTION_RESERVED | REG_OPTION_BACKUP_RESTORE | \
+ REG_OPTION_OPEN_LINK | REG_OPTION_DONT_VIRTUALIZE)
+#endif
+
+//
+// Key creation/open disposition
+//
+#define REG_CREATED_NEW_KEY (0x00000001L) // New Registry Key created
+#define REG_OPENED_EXISTING_KEY (0x00000002L) // Existing Key opened
+
+//
+// hive format to be used by Reg(Nt)SaveKeyEx
+//
+#define REG_STANDARD_FORMAT 1
+#define REG_LATEST_FORMAT 2
+#define REG_NO_COMPRESSION 4
+
+//
+// Key restore & hive load flags
+//
+#define REG_WHOLE_HIVE_VOLATILE (0x00000001L) // Restore whole hive volatile
+#define REG_REFRESH_HIVE (0x00000002L) // Unwind changes to last flush
+#define REG_NO_LAZY_FLUSH (0x00000004L) // Never lazy flush this hive
+#define REG_FORCE_RESTORE (0x00000008L) // Force the restore process even when we have open handles on subkeys
+#define REG_APP_HIVE (0x00000010L) // Loads the hive visible to the calling process
+#define REG_PROCESS_PRIVATE (0x00000020L) // Hive cannot be mounted by any other process while in use
+#define REG_START_JOURNAL (0x00000040L) // Starts Hive Journal
+#define REG_HIVE_EXACT_FILE_GROWTH (0x00000080L) // Grow hive file in exact 4k increments
+#define REG_HIVE_NO_RM (0x00000100L) // No RM is started for this hive (no transactions)
+#define REG_HIVE_SINGLE_LOG (0x00000200L) // Legacy single logging is used for this hive
+#define REG_BOOT_HIVE (0x00000400L) // This hive might be used by the OS loader
+#define REG_LOAD_HIVE_OPEN_HANDLE (0x00000800L) // Load the hive and return a handle to its root kcb
+#define REG_FLUSH_HIVE_FILE_GROWTH (0x00001000L) // Flush changes to primary hive file size as part of all flushes
+#define REG_OPEN_READ_ONLY (0x00002000L) // Open a hive's files in read-only mode
+#define REG_IMMUTABLE (0x00004000L) // Load the hive, but don't allow any modification of it
+#define REG_NO_IMPERSONATION_FALLBACK (0x00008000L) // Do not fall back to impersonating the caller if hive file access fails
+#define REG_APP_HIVE_OPEN_READ_ONLY (REG_OPEN_READ_ONLY) // Open an app hive's files in read-only mode (if the hive was not previously loaded)
+
+//
+// Unload Flags
+//
+#define REG_FORCE_UNLOAD 1
+#define REG_UNLOAD_LEGAL_FLAGS (REG_FORCE_UNLOAD)
+
+//
// System calls
+//
+/**
+ * Creates a new registry key routine or opens an existing one.
+ *
+ * @param[out] KeyHandle A pointer to a handle that receives the key handle.
+ * @param[in] DesiredAccess The access mask that specifies the desired access rights.
+ * @param[in] ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes.
+ * @param[in] TitleIndex Reserved.
+ * @param[in, optional] Class A pointer to a UNICODE_STRING structure that specifies the class of the key.
+ * @param[in] CreateOptions The options to use when creating the key.
+ * @param[out, optional] Disposition A pointer to a variable that receives the disposition value.
+ * @return NTSTATUS The status of the operation.
+ */
__kernel_entry __kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
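Review bot: The new REG_OPTION_*, REG_CREATED_NEW_KEY, REG_*_FORMAT, hive load/restore and REG_FORCE_UNLOAD macros are added without a guard while only REG_LEGAL_OPTION and REG_OPEN_LEGAL_OPTION get `#ifndef`; the comment this diff removes further down (`// NtUnloadKey2 Flags (from winnt.h)`) shows these names also come from winnt.h, so a user-mode translation unit that includes both headers will get a redefinition diagnostic for any macro whose replacement list is not spelled identically there. Wrap the whole group in one guard, e.g. `#ifndef REG_OPTION_RESERVED` … `#endif`, or guard each definition the way the two masks are. Separately, the ZwCreateKey summary reads `Creates a new registry key routine or opens an existing one.`; "routine" is a stray word and the line should read `Creates a new registry key or opens an existing one.` The duplicated `__kernel_entry __kernel_entry` on the declaration line is pre-existing context, not part of this change, but is worth cleaning up while touching the block.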
@@ -489,6 +652,19 @@ ZwCreateKey(
_Out_opt_ PULONG Disposition
);
+/**
+ * Creates a new registry key or opens an existing one, and it associates the key with a transaction.
+ *
+ * @param[out] KeyHandle A pointer to a handle that receives the key handle.
+ * @param[in] DesiredAccess The access mask that specifies the desired access rights.
+ * @param[in] ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes.
+ * @param[in] TitleIndex Reserved.
+ * @param[in, optional] Class A pointer to a UNICODE_STRING structure that specifies the class of the key.
+ * @param[in] CreateOptions The options to use when creating the key.
+ * @param[in] TransactionHandle A handle to the transaction.
+ * @param[out, optional] Disposition A pointer to a variable that receives the disposition value.
+ * @return NTSTATUS The status of the operation.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -517,6 +693,15 @@ ZwCreateKeyTransacted(
_Out_opt_ PULONG Disposition
);
+/**
+ * Opens an existing registry key.
+ *
+ * @param[out] KeyHandle A pointer to a handle that receives the key handle.
+ * @param[in] DesiredAccess The access mask that specifies the desired access rights.
+ * @param[in] ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes.
+ * @return NTSTATUS The status of the operation.
+ * @remarks NtOpenKey ignores the security information in the ObjectAttributes structure.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -536,6 +721,15 @@ ZwOpenKey(
_In_ POBJECT_ATTRIBUTES ObjectAttributes
);
+/**
+ * Opens an existing registry key and associates the key with a transaction.
+ *
+ * @param[out] KeyHandle A pointer to a handle that receives the key handle.
+ * @param[in] DesiredAccess The access mask that specifies the desired access rights.
+ * @param[in] ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes.
+ * @param[in] TransactionHandle A handle to the transaction.
+ * @return NTSTATUS The status of the operation.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -557,6 +751,15 @@ ZwOpenKeyTransacted(
_In_ HANDLE TransactionHandle
);
+/**
+ * Opens an existing registry key with extended options.
+ *
+ * @param[out] KeyHandle A pointer to a handle that receives the key handle.
+ * @param[in] DesiredAccess The access mask that specifies the desired access rights.
+ * @param[in] ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes.
+ * @param[in] OpenOptions The options to use when opening the key.
+ * @return NTSTATUS The status of the operation.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -578,6 +781,16 @@ ZwOpenKeyEx(
_In_ ULONG OpenOptions
);
+/**
+ * Opens an existing registry key in a transaction with extended options.
+ *
+ * @param[out] KeyHandle A pointer to a handle that receives the key handle.
+ * @param[in] DesiredAccess The access mask that specifies the desired access rights.
+ * @param[in] ObjectAttributes A pointer to an OBJECT_ATTRIBUTES structure that specifies the object attributes.
+ * @param[in] OpenOptions The options to use when opening the key.
+ * @param[in] TransactionHandle A handle to the transaction.
+ * @return NTSTATUS The status of the operation.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -601,6 +814,12 @@ ZwOpenKeyTransactedEx(
_In_ HANDLE TransactionHandle
);
+/**
+ * Deletes a registry key.
+ *
+ * @param[in] KeyHandle A handle to the key to be deleted.
+ * @return NTSTATUS The status of the operation.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -616,6 +835,13 @@ ZwDeleteKey(
_In_ HANDLE KeyHandle
);
+/**
+ * Renames a registry key.
+ *
+ * @param[in] KeyHandle A handle to the key to be renamed.
+ * @param[in] NewName A pointer to a UNICODE_STRING structure that specifies the new name of the key.
+ * @return NTSTATUS The status of the operation.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -633,6 +859,13 @@ ZwRenameKey(
_In_ PUNICODE_STRING NewName
);
+/**
+ * Deletes a value from a registry key.
+ *
+ * @param[in] KeyHandle A handle to the key that contains the value to be deleted.
+ * @param[in] ValueName A pointer to a UNICODE_STRING structure that specifies the name of the value to be deleted.
+ * @return NTSTATUS The status of the operation.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -650,6 +883,16 @@ ZwDeleteValueKey(
_In_ PUNICODE_STRING ValueName
);
+/**
+ * Queries information about a registry key.
+ *
+ * @param[in] KeyHandle A handle to the key to be queried.
+ * @param[in] KeyInformationClass The type of information to be queried.
+ * @param[out] KeyInformation A pointer to a buffer that receives the key information.
+ * @param[in] Length The size of the buffer.
+ * @param[out] ResultLength A pointer to a variable that receives the size of the data returned.
+ * @return NTSTATUS The status of the operation.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -677,6 +920,15 @@ ZwQueryKey(
_Out_ PULONG ResultLength
);
+/**
+ * Sets information for a registry key.
+ *
+ * @param[in] KeyHandle A handle to the key to be modified.
+ * @param[in] KeySetInformationClass The type of information to be set.
+ * @param[in] KeySetInformation A pointer to a buffer that contains the key information.
+ * @param[in] KeySetInformationLength The size of the buffer.
+ * @return NTSTATUS The status of the operation.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -699,6 +951,17 @@ ZwSetInformationKey(
_In_ ULONG KeySetInformationLength
);
+/**
+ * Queries the value of a registry key.
+ *
+ * @param[in] KeyHandle A handle to the key to be queried.
+ * @param[in] ValueName A pointer to a UNICODE_STRING structure that specifies the name of the value to be queried.
+ * @param[in] KeyValueInformationClass The type of information to be queried.
+ * @param[out] KeyValueInformation A pointer to a buffer that receives the value information.
+ * @param[in] Length The size of the buffer.
+ * @param[out] ResultLength A pointer to a variable that receives the size of the data returned.
+ * @return NTSTATUS The status of the operation.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -729,6 +992,17 @@ ZwQueryValueKey(
_Out_ PULONG ResultLength
);
+/**
+ * Sets the value of a registry key.
+ *
+ * @param[in] KeyHandle A handle to the key to be modified.
+ * @param[in] ValueName A pointer to a UNICODE_STRING structure that specifies the name of the value to be set.
+ * @param[in, optional] TitleIndex Reserved.
+ * @param[in] Type The type of the value.
+ * @param[in] Data A pointer to a buffer that contains the value data.
+ * @param[in] DataSize The size of the buffer.
+ * @return NTSTATUS The status of the operation.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -754,6 +1028,17 @@ ZwSetValueKey(
_In_ ULONG DataSize
);
+/**
+ * Queries multiple values of a registry key.
+ *
+ * @param[in] KeyHandle A handle to the key to be queried.
+ * @param[in, out] ValueEntries A pointer to an array of KEY_VALUE_ENTRY structures that specify the values to be queried.
+ * @param[in] EntryCount The number of entries in the array.
+ * @param[out] ValueBuffer A pointer to a buffer that receives the value data.
+ * @param[in, out] BufferLength A pointer to a variable that specifies the size of the buffer and receives the size of the data returned.
+ * @param[out, optional] RequiredBufferLength A pointer to a variable that receives the size of the buffer required to hold the data.
+ * @return NTSTATUS The status of the operation.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -779,6 +1064,17 @@ ZwQueryMultipleValueKey(
_Out_opt_ PULONG RequiredBufferLength
);
+/**
+ * Enumerates the subkeys of a registry key.
+ *
+ * @param[in] KeyHandle A handle to the key to be enumerated.
+ * @param[in] Index The index of the subkey to be enumerated.
+ * @param[in] KeyInformationClass The type of information to be queried.
+ * @param[out] KeyInformation A pointer to a buffer that receives the key information.
+ * @param[in] Length The size of the buffer.
+ * @param[out] ResultLength A pointer to a variable that receives the size of the data returned.
+ * @return NTSTATUS The status of the operation.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -808,6 +1104,17 @@ ZwEnumerateKey(
_Out_ PULONG ResultLength
);
+/**
+ * Enumerates the values of a registry key.
+ *
+ * @param[in] KeyHandle A handle to the key to be enumerated.
+ * @param[in] Index The index of the value to be enumerated.
+ * @param[in] KeyValueInformationClass The type of information to be queried.
+ * @param[out] KeyValueInformation A pointer to a buffer that receives the value information.
+ * @param[in] Length The size of the buffer.
+ * @param[out] ResultLength A pointer to a variable that receives the size of the data returned.
+ * @return NTSTATUS The status of the operation.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -837,6 +1144,12 @@ ZwEnumerateValueKey(
_Out_ PULONG ResultLength
);
+/**
+ * Flushes the changes to a registry key.
+ *
+ * @param[in] KeyHandle A handle to the key to be flushed.
+ * @return NTSTATUS The status of the operation.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -852,6 +1165,13 @@ ZwFlushKey(
_In_ HANDLE KeyHandle
);
+/**
+ * Compacts the specified registry keys.
+ *
+ * @param[in] Count The number of keys to be compacted.
+ * @param[in] KeyArray An array of handles to the keys to be compacted.
+ * @return NTSTATUS The status of the operation.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -869,6 +1189,12 @@ ZwCompactKeys(
_In_reads_(Count) HANDLE* KeyArray
);
+/**
+ * Compresses a registry key.
+ *
+ * @param[in] KeyHandle A handle to the key to be compressed.
+ * @return NTSTATUS The status of the operation.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -884,6 +1210,13 @@ ZwCompressKey(
_In_ HANDLE KeyHandle
);
+/**
+ * Loads a registry key from a file.
+ *
+ * @param[in] TargetKey A pointer to an OBJECT_ATTRIBUTES structure that specifies the target key.
+ * @param[in] SourceFile A pointer to an OBJECT_ATTRIBUTES structure that specifies the source file.
+ * @return NTSTATUS The status of the operation.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -901,6 +1234,14 @@ ZwLoadKey(
_In_ POBJECT_ATTRIBUTES SourceFile
);
+/**
+ * Loads a registry key from a file with additional options.
+ *
+ * @param[in] TargetKey A pointer to an OBJECT_ATTRIBUTES structure that specifies the target key.
+ * @param[in] SourceFile A pointer to an OBJECT_ATTRIBUTES structure that specifies the source file.
+ * @param[in] Flags The options to use when loading the key.
+ * @return NTSTATUS The status of the operation.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -920,6 +1261,19 @@ ZwLoadKey2(
_In_ ULONG Flags
);
+/**
+ * Loads a registry key from a file with extended options.
+ *
+ * @param[in] TargetKey A pointer to an OBJECT_ATTRIBUTES structure that specifies the target key.
+ * @param[in] SourceFile A pointer to an OBJECT_ATTRIBUTES structure that specifies the source file.
+ * @param[in] Flags The options to use when loading the key.
+ * @param[in, optional] TrustClassKey A handle to the trust class key.
+ * @param[in, optional] Event A handle to an event.
+ * @param[in, optional] DesiredAccess The access mask that specifies the desired access rights.
+ * @param[out, optional] RootHandle A pointer to a handle that receives the root handle.
+ * @param[in, reserved] Reserved Reserved.
+ * @return NTSTATUS The status of the operation.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -950,6 +1304,19 @@ ZwLoadKeyEx(
);
// rev by tyranid
+/**
+ * Loads a registry key from a file with extended parameters.
+ *
+ * @param[in] TargetKey A pointer to an OBJECT_ATTRIBUTES structure that specifies the target key.
+ * @param[in] SourceFile A pointer to an OBJECT_ATTRIBUTES structure that specifies the source file.
+ * @param[in] Flags The options to use when loading the key.
+ * @param[in] ExtendedParameters A pointer to an array of extended parameters.
+ * @param[in] ExtendedParameterCount The number of extended parameters.
+ * @param[in, optional] DesiredAccess The access mask that specifies the desired access rights.
+ * @param[out, optional] RootHandle A pointer to a handle that receives the root handle.
+ * @param[in, reserved] Reserved Reserved.
+ * @return NTSTATUS The status of the operation.
+ */
#if (NTDDI_VERSION >= NTDDI_WIN10_VB)
__kernel_entry NTSYSCALLAPI
NTSTATUS
@@ -981,6 +1348,14 @@ ZwLoadKey3(
);
#endif // NTDDI_VERSION >= NTDDI_WIN10_VB
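Review bot: The doxygen block for ZwLoadKey3 is inserted above the `#if (NTDDI_VERSION >= NTDDI_WIN10_VB)` line and below the `// rev by tyranid` attribution, so the comment is present even when the declaration is compiled out and the attribution is separated from the declaration it refers to. Move the block inside the `#if`, directly above `__kernel_entry NTSYSCALLAPI`, and keep `// rev by tyranid` adjacent to it, matching how the other documented declarations in this file sit immediately above their prototype.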
+/**
+ * Replaces a registry key.
+ *
+ * @param[in] NewFile A pointer to an OBJECT_ATTRIBUTES structure that specifies the new file.
+ * @param[in] TargetHandle A handle to the target key.
+ * @param[in] OldFile A pointer to an OBJECT_ATTRIBUTES structure that specifies the old file.
+ * @return NTSTATUS The status of the operation.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -1000,6 +1375,13 @@ ZwReplaceKey(
_In_ POBJECT_ATTRIBUTES OldFile
);
+/**
+ * Saves the specified registry key to a file.
+ *
+ * @param KeyHandle Handle to the registry key.
+ * @param FileHandle Handle to the file where the key will be saved.
+ * @return NTSTATUS Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -1017,6 +1399,14 @@ ZwSaveKey(
_In_ HANDLE FileHandle
);
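Review bot: From ZwSaveKey onward the new doc blocks drop the `[in]`/`[out]` direction tags and change the return wording to `Successful or errant status`, while every block from ZwCreateKey through ZwReplaceKey uses `@param[in]`/`@param[out]` and `The status of the operation.`; the same inconsistency appears in the ZwSaveKeyEx, ZwSaveMergedKeys, ZwRestoreKey, ZwUnloadKey, ZwUnloadKey2, ZwUnloadKeyEx and ZwNotifyChangeKey hunks that follow. Pick one convention for the file; the SAL annotations already on the parameters (`_In_ HANDLE KeyHandle`) make the tagged form easy to keep accurate, e.g. `@param[in] KeyHandle Handle to the registry key.` and `@return NTSTATUS The status of the operation.`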
+/**
+ * Saves the specified registry key to a file with a specified format.
+ *
+ * @param KeyHandle Handle to the registry key.
+ * @param FileHandle Handle to the file where the key will be saved.
+ * @param Format Format in which the key will be saved.
+ * @return NTSTATUS Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -1036,6 +1426,14 @@ ZwSaveKeyEx(
_In_ ULONG Format
);
+/**
+ * Merges two registry keys and saves the result to a file.
+ *
+ * @param HighPrecedenceKeyHandle Handle to the high precedence registry key.
+ * @param LowPrecedenceKeyHandle Handle to the low precedence registry key.
+ * @param FileHandle Handle to the file where the merged key will be saved.
+ * @return NTSTATUS Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -1055,6 +1453,14 @@ ZwSaveMergedKeys(
_In_ HANDLE FileHandle
);
+/**
+ * Restores a registry key from a file.
+ *
+ * @param KeyHandle Handle to the registry key.
+ * @param FileHandle Handle to the file from which the key will be restored.
+ * @param Flags Flags for the restore operation.
+ * @return NTSTATUS Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -1074,6 +1480,12 @@ ZwRestoreKey(
_In_ ULONG Flags
);
+/**
+ * Unloads a registry key.
+ *
+ * @param TargetKey Pointer to the object attributes of the target key.
+ * @return NTSTATUS Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -1089,12 +1501,14 @@ ZwUnloadKey(
_In_ POBJECT_ATTRIBUTES TargetKey
);
-//
-// NtUnloadKey2 Flags (from winnt.h)
-//
-//#define REG_FORCE_UNLOAD 1
-//#define REG_UNLOAD_LEGAL_FLAGS (REG_FORCE_UNLOAD)
-
+/**
+ * Unloads a registry key with additional flags.
+ *
+ * @param TargetKey Pointer to the object attributes of the target key.
+ * @param Flags Flags for the unload operation.
+ * @return NTSTATUS Successful or errant status.
+ * @remarks Valid flags are REG_FORCE_UNLOAD and REG_UNLOAD_LEGAL_FLAGS. (from winnt.h)
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -1112,6 +1526,13 @@ ZwUnloadKey2(
_In_ ULONG Flags
);
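Review bot: The new `@remarks` line says valid flags are `REG_FORCE_UNLOAD and REG_UNLOAD_LEGAL_FLAGS`, but as defined earlier in this diff `REG_UNLOAD_LEGAL_FLAGS` is `(REG_FORCE_UNLOAD)`, the mask of accepted bits, not a flag a caller sets. Suggest `@remarks Flags must be a subset of REG_UNLOAD_LEGAL_FLAGS; the only defined flag is REG_FORCE_UNLOAD.` ZwUnloadKey2's parameter list continues outside the hunk.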
+/**
+ * Unloads a registry key and optionally signals an event.
+ *
+ * @param TargetKey Pointer to the object attributes of the target key.
+ * @param Event Optional handle to an event to be signaled.
+ * @return NTSTATUS Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -1129,6 +1550,21 @@ ZwUnloadKeyEx(
_In_opt_ HANDLE Event
);
+/**
+ * Notifies of changes to a registry key.
+ *
+ * @param KeyHandle Handle to the registry key.
+ * @param Event Optional handle to an event to be signaled.
+ * @param ApcRoutine Optional APC routine to be called.
+ * @param ApcContext Optional context for the APC routine.
+ * @param IoStatusBlock Pointer to an IO status block.
+ * @param CompletionFilter Filter for the types of changes to notify.
+ * @param WatchTree Whether to watch the entire tree.
+ * @param Buffer Optional buffer for change data.
+ * @param BufferSize Size of the buffer.
+ * @param Asynchronous Whether the operation is asynchronous.
+ * @return NTSTATUS Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
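Review bot: The Buffer and BufferSize descriptions for ZwNotifyChangeKey ("Optional buffer for change data", "Size of the buffer") disagree with the ZwNotifyChangeMultipleKeys comment in the next hunk, which documents the same two parameters as reserved and required to be NULL and zero. If both routines share that contract the text here should say so; if ZwNotifyChangeKey does return change data, the comment should state the buffer format and that IoStatusBlock.Information carries the byte count, otherwise callers will guess. `@param Asynchronous Whether the operation is asynchronous.` would also benefit from the wait semantics — presumably a FALSE value blocks until a change is reported while TRUE returns immediately and completes via Event/ApcRoutine — but that is inferred, so confirm before wording it. The ZwNotifyChangeKey signature continues outside the hunk.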
@@ -1162,6 +1598,23 @@ ZwNotifyChangeKey(
_In_ BOOLEAN Asynchronous
);
+/**
+ * Requests notification when a registry key or any of its subkeys changes.
+ *
+ * @param MasterKeyHandle A handle to an open key. The handle must be opened with the KEY_NOTIFY access right.
+ * @param Count The number of subkeys under the key specified by the MasterKeyHandle parameter.
+ * @param SubordinateObjects Pointer to an array of OBJECT_ATTRIBUTES structures, one for each subkey. This array can contain one OBJECT_ATTRIBUTES structure.
+ * @param Event A handle to an event created by the caller. If Event is not NULL, the caller waits until the operation succeeds, at which time the event is signaled.
+ * @param ApcRoutine A pointer to an asynchronous procedure call (APC) function supplied by the caller. If ApcRoutine is not NULL, the specified APC function executes after the operation completes.
+ * @param ApcContext A pointer to a context supplied by the caller for its APC function. This value is passed to the APC function when it is executed. The Asynchronous parameter must be TRUE. If ApcContext is specified, the Event parameter must be NULL.
+ * @param IoStatusBlock A pointer to an IO_STATUS_BLOCK structure that contains the final status and information about the operation. For successful calls that return data, the number of bytes written to the Buffer parameter is supplied in the Information member of the IO_STATUS_BLOCK structure.
+ * @param CompletionFilter A bitmap of operations that trigger notification. This parameter can be one or more of the following flags. REG_NOTIFY_CHANGE_NAME, REG_NOTIFY_CHANGE_ATTRIBUTES, REG_NOTIFY_CHANGE_LAST_SET, REG_NOTIFY_CHANGE_SECURITY.
+ * @param WatchTree If this parameter is TRUE, the caller is notified about changes to all subkeys of the specified key. If this parameter is FALSE, the caller is notified only about changes to the specified key.
+ * @param Buffer Reserved for system use. This parameter must be NULL.
+ * @param BufferSize Reserved for system use. This parameter must be zero.
+ * @param Asynchronous Whether the operation is asynchronous.
+ * @return NTSTATUS Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
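Review bot: The IoStatusBlock description says the number of bytes written to Buffer is returned in the Information member, while Buffer and BufferSize are documented two lines later as reserved and required to be NULL/zero, so the comment contradicts itself. Suggest trimming it to `@param IoStatusBlock A pointer to an IO_STATUS_BLOCK structure that receives the final status of the operation.` The Count text ("the number of subkeys under the key") and the SubordinateObjects note ("this array can contain one OBJECT_ATTRIBUTES structure") should likewise be reconciled: if only a single subordinate is accepted, state that Count must be 1 rather than leaving the reader to infer it. The ZwNotifyChangeMultipleKeys signature continues past the hunk.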
@@ -1199,6 +1652,13 @@ ZwNotifyChangeMultipleKeys(
_In_ BOOLEAN Asynchronous
);
+/**
+ * Queries the number of open subkeys of a registry key.
+ *
+ * @param TargetKey Pointer to the object attributes of the target key.
+ * @param HandleCount Pointer to a variable to receive the handle count.
+ * @return NTSTATUS Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -1216,6 +1676,16 @@ ZwQueryOpenSubKeys(
_Out_ PULONG HandleCount
);
+/**
+ * Queries the open subkeys of a registry key with additional information.
+ *
+ * @param TargetKey Pointer to the object attributes of the target key.
+ * @param BufferLength Length of the buffer.
+ * @param Buffer Optional buffer to receive the subkey information.
+ * @param RequiredSize Pointer to a variable to receive the required size.
+ * @return NTSTATUS Successful or errant status.
+ * @remarks Returns an array of KEY_OPEN_SUBKEYS_INFORMATION structures.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
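Review bot: The @remarks for ZwQueryOpenSubKeysEx says Buffer receives "an array of KEY_OPEN_SUBKEYS_INFORMATION structures"; as far as I recall that type is a single header whose Count field is followed by the per-handle entries, so the buffer holds one structure containing an array — please check the type definition before keeping the wording. The comment should also say that BufferLength is in bytes and that RequiredSize is populated when the buffer is too small, so callers size the retry from it rather than reading a partially filled buffer, e.g. `@param RequiredSize Receives the number of bytes needed; consult it when the call fails because Buffer is too small.` The signature continues outside the hunk.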
@@ -1237,6 +1707,12 @@ ZwQueryOpenSubKeysEx(
_Out_ PULONG RequiredSize
);
+/**
+ * Initializes the registry.
+ *
+ * @param BootCondition Condition for the boot.
+ * @return NTSTATUS Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -1252,6 +1728,12 @@ ZwInitializeRegistry(
_In_ USHORT BootCondition
);
+/**
+ * Locks the registry key and prevents changes from being written to disk.
+ *
+ * @param KeyHandle Handle to the registry key.
+ * @return NTSTATUS Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -1267,6 +1749,13 @@ ZwLockRegistryKey(
_In_ HANDLE KeyHandle
);
+/**
+ * Locks the product activation keys.
+ *
+ * @param pPrivateVer Optional pointer to a private version variable.
+ * @param pSafeMode Optional pointer to a safe mode variable.
+ * @return NTSTATUS Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -1284,7 +1773,12 @@ ZwLockProductActivationKeys(
_Out_opt_ ULONG* pSafeMode
);
-// private
+/**
+ * Freezes the registry and prevents changes from being flushed to disk.
+ *
+ * @param TimeOutInSeconds Timeout in seconds.
+ * @return NTSTATUS Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
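Review bot: Replacing the `// private` marker with the Doxygen block drops the provenance tag this header family uses to flag undocumented APIs (the same commit keeps `// private` and `// rev` on the new FLT_* types in Veil.System.IOManager.h), and the next hunk does the same for ZwThawRegistry. Keep the tag on its own line above the comment, or fold it into the block as `* @remarks Private, undocumented API.` The TimeOutInSeconds description could also say what happens when the timeout elapses — presumably the freeze is lifted automatically — but confirm that before wording it. The ZwFreezeRegistry signature continues past the hunk.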
@@ -1301,7 +1795,11 @@ ZwFreezeRegistry(
_In_ ULONG TimeOutInSeconds
);
-// private
+/**
+ * Thaws the registry and enables flushing changes to disk.
+ *
+ * @return NTSTATUS Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -1319,6 +1817,15 @@ ZwThawRegistry(
);
#if (NTDDI_VERSION >= NTDDI_WIN10_TH2)
+/**
+ * Creates a registry transaction.
+ *
+ * @param RegistryTransactionHandle Pointer to a variable to receive the handle.
+ * @param DesiredAccess Desired access mask.
+ * @param ObjAttributes Optional pointer to object attributes.
+ * @param CreateOptions Reserved for future use.
+ * @return NTSTATUS Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -1341,6 +1848,14 @@ ZwCreateRegistryTransaction(
_In_opt_ ULONG CreateOptions
);
+/**
+ * Opens a registry transaction.
+ *
+ * @param RegistryTransactionHandle Pointer to a variable to receive the handle.
+ * @param DesiredAccess Desired access mask.
+ * @param ObjAttributes Pointer to object attributes.
+ * @return NTSTATUS Successful or errant status.
+ */
_Must_inspect_result_
_IRQL_requires_max_(PASSIVE_LEVEL)
__kernel_entry NTSYSCALLAPI
@@ -1362,6 +1877,13 @@ ZwOpenRegistryTransaction(
_In_ POBJECT_ATTRIBUTES ObjAttributes
);
+/**
+ * Commits a registry transaction.
+ *
+ * @param RegistryTransactionHandle Handle to the registry transaction.
+ * @param Flags Reserved for future use.
+ * @return NTSTATUS Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -1379,6 +1901,13 @@ ZwCommitRegistryTransaction(
_In_ ULONG Flags
);
+/**
+ * Rolls back a registry transaction.
+ *
+ * @param RegistryTransactionHandle Handle to the registry transaction.
+ * @param Flags Reserved for future use.
+ * @return NTSTATUS Successful or errant status.
+ */
_IRQL_requires_max_(PASSIVE_LEVEL)
__kernel_entry NTSYSCALLAPI
NTSTATUS
diff --git a/Veil/Veil.System.Etw.h b/Veil/Veil.System.Etw.h
index ce44438..d88eb44 100644
--- a/Veil/Veil.System.Etw.h
+++ b/Veil/Veil.System.Etw.h
@@ -1727,7 +1727,7 @@ PerfIsGroupOnInGroupMask(
//
// Data structure used for WMI Kernel Events
//
-// **NB** the hardware events are described in software traceing, if they
+// **NB** the hardware events are described in software tracing, if they
// change in layout please update sdktools\trace\tracefmt\default.tmf
diff --git a/Veil/Veil.System.Executive.h b/Veil/Veil.System.Executive.h
index 7d8ac91..d89169c 100644
--- a/Veil/Veil.System.Executive.h
+++ b/Veil/Veil.System.Executive.h
@@ -2597,7 +2597,7 @@ typedef struct _SYSTEM_PROCESSOR_INFORMATION
ULONG ProcessorFeatureBits;
} SYSTEM_PROCESSOR_INFORMATION, * PSYSTEM_PROCESSOR_INFORMATION;
-// ProcessorFeatureBits // ksamd64
+// SYSTEM_PROCESSOR_INFORMATION // ProcessorFeatureBits // ksamd64
#define KF_RDTSC 0x0000000000000002
#define KF_CR4 0x0000000000000004
#define KF_GLOBAL_PAGE 0x0000000000000010
@@ -3659,6 +3659,14 @@ typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT
UCHAR PercentFrequency;
} SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT, * PSYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT;
+// private (Windows 8.1 and above)
+typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION
+{
+ ULONG ProcessorNumber;
+ ULONG StateCount;
+ _Field_size_(StateCount) SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT States[1];
+} SYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION, * PSYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION;
+
// private (Windows 7 and Windows 8)
typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8
{
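Review bot: Introducing SYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION with SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT as the element type, and renaming the previous definition to ..._WIN8 in the next hunk, silently changes the layout behind an existing identifier: code that already uses the unsuffixed name to walk a Windows 7/8 buffer will now step with a different element size and read the wrong bytes, or past the end of the entry. A comment on the new struct should state which OS versions return this layout and direct older-OS consumers to the suffixed type, e.g. `// private (Windows 8.1 and above); Windows 7/8 buffers use SYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION_WIN8`. The `States[1]` placeholder with `_Field_size_(StateCount)` also means sizeof() already includes one element, so offset arithmetic over a returned buffer should be driven by StateCount and bounded by the buffer length rather than by sizeof.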
@@ -3666,13 +3674,13 @@ typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8
UCHAR PercentFrequency;
} SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8, * PSYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8;
-// private
-typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION
+// private (Windows 7 and Windows 8)
+typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION_WIN8
{
ULONG ProcessorNumber;
ULONG StateCount;
- SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT States[1];
-} SYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION, * PSYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION;
+ _Field_size_(StateCount) SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8 States[1];
+} SYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION_WIN8, * PSYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION_WIN8;
// private
typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION
@@ -6010,7 +6018,7 @@ typedef struct _KUSER_SHARED_DATA {
//
// This field indicates the status of the 64-bit COM+ package on the
- // system. It indicates whether the Itermediate Language (IL) COM+
+ // system. It indicates whether the Intermediate Language (IL) COM+
// images need to use the 64-bit COM+ runtime or the 32-bit COM+ runtime.
//
@@ -6457,8 +6465,13 @@ STATIC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, XState) == 0x3d8);
#if (NTDDI_VERSION < NTDDI_WIN10_FE)
STATIC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, FeatureConfigurationChangeStamp) == 0x710);
STATIC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, UserPointerAuthMask) == 0x720);
+#if defined(_ARM64_)
+STATIC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, XStateArm64) == 0x728);
+#else
+STATIC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, Reserved10) == 0x728);
+#endif
#if !defined(WINDOWS_IGNORE_PACKING_MISMATCH)
-STATIC_ASSERT(sizeof(KUSER_SHARED_DATA) == 0x728);
+STATIC_ASSERT(sizeof(KUSER_SHARED_DATA) == 0xa70);
#endif
#else
STATIC_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, FeatureConfigurationChangeStamp) == 0x720);
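Review bot: In the `NTDDI_VERSION < NTDDI_WIN10_FE` branch the new asserts place XStateArm64/Reserved10 at 0x728 while the size assert jumps from 0x728 to 0xa70, so the pre-FE structure now carries a 0x348-byte tail that nothing in the hunk explains; the KUSER_SHARED_DATA body is outside the hunk, so I cannot check which member accounts for it. A comment next to the size assert naming that member and the header the value was taken from would make the check auditable, e.g. `// 0x728 header + XStateArm64/Reserved10 tail — see the KUSER_SHARED_DATA definition above`. If the tail only exists with newer SDK headers, the `#if !defined(WINDOWS_IGNORE_PACKING_MISMATCH)` guard should also say which configuration 0xa70 was validated against.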
@@ -6905,7 +6918,7 @@ ZwQueryInformationAtom(
#define FLG_DISABLE_DBGPRINT 0x08000000 // k
#define FLG_CRITSEC_EVENT_CREATION 0x10000000 // u
-#define FLG_STOP_ON_UNHANDLED_EXCEPTION 0x20000000 // u,64
+#define FLG_LDR_TOP_DOWN 0x20000000 // u,64
#define FLG_ENABLE_HANDLE_EXCEPTIONS 0x40000000 // k
#define FLG_DISABLE_PROTDLLS 0x80000000 // u
diff --git a/Veil/Veil.System.IOManager.h b/Veil/Veil.System.IOManager.h
index 16237f4..dcab9ba 100644
--- a/Veil/Veil.System.IOManager.h
+++ b/Veil/Veil.System.IOManager.h
@@ -298,6 +298,14 @@ typedef struct _EXTENDED_CREATE_INFORMATION_32
#endif // !_KERNEL_MODE
+// Sharing mode
+
+#define FILE_SHARE_NONE 0x00000000
+#define FILE_SHARE_READ 0x00000001
+#define FILE_SHARE_WRITE 0x00000002
+#define FILE_SHARE_DELETE 0x00000004
+#define FILE_SHARE_VALID_FLAGS 0x00000007
+
// Win32 pipe instance limit (0xff)
#define FILE_PIPE_UNLIMITED_INSTANCES 0xffffffff
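Review bot: The FILE_SHARE_* macros are defined unconditionally just after the `#endif // !_KERNEL_MODE` line, so they are also visible in kernel builds, where the WDK headers already define FILE_SHARE_READ/WRITE/DELETE and FILE_SHARE_VALID_FLAGS; identical token sequences redefine silently, but any spelling difference in the SDK (a cast, a different literal form) becomes a macro-redefinition warning. Wrapping the group in `#ifndef FILE_SHARE_READ` … `#endif` avoids that, with FILE_SHARE_NONE left outside the guard if it is the one name not expected from the SDK.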
@@ -848,14 +856,6 @@ typedef struct _FILE_REMOTE_PROTOCOL_INFORMATION
// Protocol specific information
-#if (NTDDI_VERSION < NTDDI_WIN8)
- struct
- {
- ULONG Reserved[16];
- } ProtocolSpecificReserved;
-#endif
-
-#if (NTDDI_VERSION >= NTDDI_WIN8)
union
{
struct
@@ -867,21 +867,15 @@ typedef struct _FILE_REMOTE_PROTOCOL_INFORMATION
struct
{
ULONG Capabilities;
-#if (NTDDI_VERSION >= NTDDI_WIN10_FE)
- ULONG ShareFlags;
-#else
- ULONG CachingFlags;
-#endif
-#if (NTDDI_VERSION >= NTDDI_WIN10_RS5)
- UCHAR ShareType;
+ ULONG ShareFlags; // previoulsly CachingFlags before 21H1
+ UCHAR ShareType; // RS5
UCHAR Reserved0[3];
ULONG Reserved1;
-#endif
} Share;
} Smb2;
ULONG Reserved[16];
} ProtocolSpecific;
-#endif
+
} FILE_REMOTE_PROTOCOL_INFORMATION, * PFILE_REMOTE_PROTOCOL_INFORMATION;
#define CHECKSUM_ENFORCEMENT_OFF 0x00000001
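Review bot: Removing the NTDDI_VERSION gating makes ShareType, Reserved0 and Reserved1 always part of FILE_REMOTE_PROTOCOL_INFORMATION, yet the new comments say they only exist from RS5 and that ShareFlags only means "share flags" from 21H1, so a reader must consult the structure's version field before trusting them — that field is above the hunk, so I cannot quote it. A comment on the Share struct stating that these members are unset unless the reported structure version is at least the RS5/21H1 level would carry that contract instead of leaving it in the old #if lines. The new ShareFlags comment also has a typo: `ULONG ShareFlags; // previously CachingFlags before 21H1`.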
@@ -3828,6 +3822,381 @@ typedef struct _MOUNTMGR_VOLUME_PATHS
(s)->Length == 98 && \
(s)->Buffer[1] == '?')
+
+// Filter manager
+
+// rev
+#define FLT_SYMLINK_NAME L"\\Global??\\FltMgr"
+#define FLT_MSG_SYMLINK_NAME L"\\Global??\\FltMgrMsg"
+#define FLT_DEVICE_NAME L"\\FileSystem\\Filters\\FltMgr"
+#define FLT_MSG_DEVICE_NAME L"\\FileSystem\\Filters\\FltMgrMsg"
+
+// private
+typedef struct _FLT_CONNECT_CONTEXT
+{
+ PUNICODE_STRING PortName;
+ PUNICODE_STRING64 PortName64;
+ USHORT SizeOfContext;
+ UCHAR Padding[6]; // unused
+ _Field_size_bytes_(SizeOfContext) UCHAR Context[ANYSIZE_ARRAY];
+} FLT_CONNECT_CONTEXT, * PFLT_CONNECT_CONTEXT;
+
+// rev
+#define FLT_PORT_EA_NAME "FLTPORT"
+#define FLT_PORT_CONTEXT_MAX 0xFFE8
+
+// combined FILE_FULL_EA_INFORMATION and FLT_CONNECT_CONTEXT
+typedef struct _FLT_PORT_FULL_EA
+{
+ ULONG NextEntryOffset; // 0
+ UCHAR Flags; // 0
+ UCHAR EaNameLength; // sizeof(FLT_PORT_EA_NAME) - sizeof(ANSI_NULL)
+ USHORT EaValueLength; // RTL_SIZEOF_THROUGH_FIELD(FLT_CONNECT_CONTEXT, Padding) + SizeOfContext
+ CHAR EaName[8]; // FLTPORT\0
+ FLT_CONNECT_CONTEXT EaValue;
+} FLT_PORT_FULL_EA, * PFLT_PORT_FULL_EA;
+
+#define FLT_PORT_FULL_EA_SIZE \
+ (sizeof(FILE_FULL_EA_INFORMATION) + (sizeof(FLT_PORT_EA_NAME) - sizeof(ANSI_NULL)))
+#define FLT_PORT_FULL_EA_VALUE_SIZE \
+ RTL_SIZEOF_THROUGH_FIELD(FLT_CONNECT_CONTEXT, Padding)
+
+// begin_rev
+
+// IOCTLs for unlinked FltMgr handles
+#define FLT_CTL_LOAD CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 1, METHOD_BUFFERED, FILE_WRITE_ACCESS) // in: FLT_LOAD_PARAMETERS // requires SeLoadDriverPrivilege
+#define FLT_CTL_UNLOAD CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 2, METHOD_BUFFERED, FILE_WRITE_ACCESS) // in: FLT_LOAD_PARAMETERS // requires SeLoadDriverPrivilege
+#define FLT_CTL_LINK_HANDLE CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 3, METHOD_BUFFERED, FILE_READ_ACCESS) // in: FLT_LINK // specializes the handle
+#define FLT_CTL_ATTACH CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 4, METHOD_BUFFERED, FILE_WRITE_ACCESS) // in: FLT_ATTACH
+#define FLT_CTL_DETATCH CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 5, METHOD_BUFFERED, FILE_WRITE_ACCESS) // in: FLT_INSTANCE_PARAMETERS
+
+// IOCTLs for port-specific FltMgrMsg handles (opened using the extended attribute)
+#define FLT_CTL_SEND_MESSAGE CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 6, METHOD_NEITHER, FILE_WRITE_ACCESS) // in, out: filter-specific
+#define FLT_CTL_GET_MESSAGE CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 7, METHOD_NEITHER, FILE_READ_ACCESS) // out: filter-specific
+#define FLT_CTL_REPLY_MESSAGE CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 8, METHOD_NEITHER, FILE_WRITE_ACCESS) // in: filter-specific
+
+// IOCTLs for linked FltMgr handles; depend on previously used FLT_LINK_TYPE
+//
+// Find first/next:
+// FILTER - enumerates nested instances; in: INSTANCE_INFORMATION_CLASS
+// FILTER_VOLUME - enumerates nested instances; in: INSTANCE_INFORMATION_CLASS
+// FILTER_MANAGER - enumerates all filters; in: FILTER_INFORMATION_CLASS
+// FILTER_MANAGER_VOLUME - enumerates all volumes; in: FILTER_VOLUME_INFORMATION_CLASS
+//
+// Get information:
+// FILTER - queries filter; in: FILTER_INFORMATION_CLASS
+// FILTER_INSTANCE - queries instance; in: INSTANCE_INFORMATION_CLASS
+//
+#define FLT_CTL_FIND_FIRST CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 9, METHOD_BUFFERED, FILE_READ_ACCESS) // in: *_INFORMATION_CLASS, out: *_INFORMATION (from fltUserStructures.h)
+#define FLT_CTL_FIND_NEXT CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 10, METHOD_BUFFERED, FILE_READ_ACCESS) // in: *_INFORMATION_CLASS, out: *_INFORMATION (from fltUserStructures.h)
+#define FLT_CTL_GET_INFORMATION CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 11, METHOD_BUFFERED, FILE_READ_ACCESS) // in: *_INFORMATION_CLASS, out: *_INFORMATION (from fltUserStructures.h)
+
+// end_rev
+
+// private
+typedef struct _FLT_LOAD_PARAMETERS
+{
+ USHORT FilterNameSize;
+ _Field_size_bytes_(FilterNameSize) WCHAR FilterName[ANYSIZE_ARRAY];
+} FLT_LOAD_PARAMETERS, * PFLT_LOAD_PARAMETERS;
+
+// private
+typedef enum _FLT_LINK_TYPE
+{
+ FILTER = 0, // FLT_FILTER_PARAMETERS
+ FILTER_INSTANCE = 1, // FLT_INSTANCE_PARAMETERS
+ FILTER_VOLUME = 2, // FLT_VOLUME_PARAMETERS
+ FILTER_MANAGER = 3, // nothing
+ FILTER_MANAGER_VOLUME = 4, // nothing
+} FLT_LINK_TYPE, * PFLT_LINK_TYPE;
+
+// private
+typedef struct _FLT_LINK
+{
+ FLT_LINK_TYPE Type;
+ ULONG ParametersOffset; // from this struct
+} FLT_LINK, * PFLT_LINK;
+
+// rev
+typedef struct _FLT_FILTER_PARAMETERS
+{
+ USHORT FilterNameSize;
+ USHORT FilterNameOffset; // to WCHAR[] from this struct
+} FLT_FILTER_PARAMETERS, * PFLT_FILTER_PARAMETERS;
+
+// private
+typedef struct _FLT_INSTANCE_PARAMETERS
+{
+ USHORT FilterNameSize;
+ USHORT FilterNameOffset; // to WCHAR[] from this struct
+ USHORT VolumeNameSize;
+ USHORT VolumeNameOffset; // to WCHAR[] from this struct
+ USHORT InstanceNameSize;
+ USHORT InstanceNameOffset; // to WCHAR[] from this struct
+} FLT_INSTANCE_PARAMETERS, * PFLT_INSTANCE_PARAMETERS;
+
+// rev
+typedef struct _FLT_VOLUME_PARAMETERS
+{
+ USHORT VolumeNameSize;
+ USHORT VolumeNameOffset; // to WCHAR[] from this struct
+} FLT_VOLUME_PARAMETERS, * PFLT_VOLUME_PARAMETERS;
+
+// private
+typedef enum _ATTACH_TYPE
+{
+ AltitudeBased = 0,
+ InstanceNameBased = 1,
+} ATTACH_TYPE, * PATTACH_TYPE;
+
+// private
+typedef struct _FLT_ATTACH
+{
+ USHORT FilterNameSize;
+ USHORT FilterNameOffset; // to WCHAR[] from this struct
+ USHORT VolumeNameSize;
+ USHORT VolumeNameOffset; // to WCHAR[] from this struct
+ ATTACH_TYPE Type;
+ USHORT InstanceNameSize;
+ USHORT InstanceNameOffset; // to WCHAR[] from this struct
+ USHORT AltitudeSize;
+ USHORT AltitudeOffset; // to WCHAR[] from this struct
+} FLT_ATTACH, * PFLT_ATTACH;
+
+#ifndef _KERNEL_MODE
+//
+// Major Function Codes
+//
+#define IRP_MJ_CREATE 0x00
+#define IRP_MJ_CREATE_NAMED_PIPE 0x01
+#define IRP_MJ_CLOSE 0x02
+#define IRP_MJ_READ 0x03
+#define IRP_MJ_WRITE 0x04
+#define IRP_MJ_QUERY_INFORMATION 0x05
+#define IRP_MJ_SET_INFORMATION 0x06
+#define IRP_MJ_QUERY_EA 0x07
+#define IRP_MJ_SET_EA 0x08
+#define IRP_MJ_FLUSH_BUFFERS 0x09
+#define IRP_MJ_QUERY_VOLUME_INFORMATION 0x0a
+#define IRP_MJ_SET_VOLUME_INFORMATION 0x0b
+#define IRP_MJ_DIRECTORY_CONTROL 0x0c
+#define IRP_MJ_FILE_SYSTEM_CONTROL 0x0d
+#define IRP_MJ_DEVICE_CONTROL 0x0e
+#define IRP_MJ_INTERNAL_DEVICE_CONTROL 0x0f
+#define IRP_MJ_SHUTDOWN 0x10
+#define IRP_MJ_LOCK_CONTROL 0x11
+#define IRP_MJ_CLEANUP 0x12
+#define IRP_MJ_CREATE_MAILSLOT 0x13
+#define IRP_MJ_QUERY_SECURITY 0x14
+#define IRP_MJ_SET_SECURITY 0x15
+#define IRP_MJ_POWER 0x16
+#define IRP_MJ_SYSTEM_CONTROL 0x17
+#define IRP_MJ_DEVICE_CHANGE 0x18
+#define IRP_MJ_QUERY_QUOTA 0x19
+#define IRP_MJ_SET_QUOTA 0x1a
+#define IRP_MJ_PNP 0x1b
+#define IRP_MJ_PNP_POWER IRP_MJ_PNP // Obsolete....
+#define IRP_MJ_MAXIMUM_FUNCTION 0x1b
+#define IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION ((UCHAR)-1)
+#define IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION ((UCHAR)-2)
+#define IRP_MJ_ACQUIRE_FOR_MOD_WRITE ((UCHAR)-3)
+#define IRP_MJ_RELEASE_FOR_MOD_WRITE ((UCHAR)-4)
+#define IRP_MJ_ACQUIRE_FOR_CC_FLUSH ((UCHAR)-5)
+#define IRP_MJ_RELEASE_FOR_CC_FLUSH ((UCHAR)-6)
+#define IRP_MJ_QUERY_OPEN ((UCHAR)-7)
+#define IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE ((UCHAR)-13)
+#define IRP_MJ_NETWORK_QUERY_OPEN ((UCHAR)-14)
+#define IRP_MJ_MDL_READ ((UCHAR)-15)
+#define IRP_MJ_MDL_READ_COMPLETE ((UCHAR)-16)
+#define IRP_MJ_PREPARE_MDL_WRITE ((UCHAR)-17)
+#define IRP_MJ_MDL_WRITE_COMPLETE ((UCHAR)-18)
+#define IRP_MJ_VOLUME_MOUNT ((UCHAR)-19)
+#define IRP_MJ_VOLUME_DISMOUNT ((UCHAR)-20)
+#define FLT_INTERNAL_OPERATION_COUNT 22
+//
+// Minor Function Codes
+//
+#define IRP_MN_SCSI_CLASS 0x01
+// PNP minor function codes
+#define IRP_MN_START_DEVICE 0x00
+#define IRP_MN_QUERY_REMOVE_DEVICE 0x01
+#define IRP_MN_REMOVE_DEVICE 0x02
+#define IRP_MN_CANCEL_REMOVE_DEVICE 0x03
+#define IRP_MN_STOP_DEVICE 0x04
+#define IRP_MN_QUERY_STOP_DEVICE 0x05
+#define IRP_MN_CANCEL_STOP_DEVICE 0x06
+#define IRP_MN_QUERY_DEVICE_RELATIONS 0x07
+#define IRP_MN_QUERY_INTERFACE 0x08
+#define IRP_MN_QUERY_CAPABILITIES 0x09
+#define IRP_MN_QUERY_RESOURCES 0x0A
+#define IRP_MN_QUERY_RESOURCE_REQUIREMENTS 0x0B
+#define IRP_MN_QUERY_DEVICE_TEXT 0x0C
+#define IRP_MN_FILTER_RESOURCE_REQUIREMENTS 0x0D
+#define IRP_MN_READ_CONFIG 0x0F
+#define IRP_MN_WRITE_CONFIG 0x10
+#define IRP_MN_EJECT 0x11
+#define IRP_MN_SET_LOCK 0x12
+#define IRP_MN_QUERY_ID 0x13
+#define IRP_MN_QUERY_PNP_DEVICE_STATE 0x14
+#define IRP_MN_QUERY_BUS_INFORMATION 0x15
+#define IRP_MN_DEVICE_USAGE_NOTIFICATION 0x16
+#define IRP_MN_SURPRISE_REMOVAL 0x17
+#define IRP_MN_DEVICE_ENUMERATED 0x19
+
+// POWER minor function codes
+#define IRP_MN_WAIT_WAKE 0x00
+#define IRP_MN_POWER_SEQUENCE 0x01
+#define IRP_MN_SET_POWER 0x02
+#define IRP_MN_QUERY_POWER 0x03
+// WMI minor function codes under IRP_MJ_SYSTEM_CONTROL
+#define IRP_MN_QUERY_ALL_DATA 0x00
+#define IRP_MN_QUERY_SINGLE_INSTANCE 0x01
+#define IRP_MN_CHANGE_SINGLE_INSTANCE 0x02
+#define IRP_MN_CHANGE_SINGLE_ITEM 0x03
+#define IRP_MN_ENABLE_EVENTS 0x04
+#define IRP_MN_DISABLE_EVENTS 0x05
+#define IRP_MN_ENABLE_COLLECTION 0x06
+#define IRP_MN_DISABLE_COLLECTION 0x07
+#define IRP_MN_REGINFO 0x08
+#define IRP_MN_EXECUTE_METHOD 0x09
+// Minor code 0x0a is reserved
+#define IRP_MN_REGINFO_EX 0x0b
+// Minor code 0x0c is reserved
+// Minor code 0x0d is reserved
+//
+// Filter Manager Callback Data Flags
+//
+#define FLTFL_CALLBACK_DATA_REISSUE_MASK 0x0000FFFF
+#define FLTFL_CALLBACK_DATA_IRP_OPERATION 0x00000001 // Set for Irp operations
+#define FLTFL_CALLBACK_DATA_FAST_IO_OPERATION 0x00000002 // Set for Fast Io operations
+#define FLTFL_CALLBACK_DATA_FS_FILTER_OPERATION 0x00000004 // Set for Fs Filter operations
+#define FLTFL_CALLBACK_DATA_SYSTEM_BUFFER 0x00000008 // Set if the buffer passed in for the i/o was a system buffer
+#define FLTFL_CALLBACK_DATA_GENERATED_IO 0x00010000 // Set if this is I/O generated by a mini-filter
+#define FLTFL_CALLBACK_DATA_REISSUED_IO 0x00020000 // Set if this I/O was reissued
+#define FLTFL_CALLBACK_DATA_DRAINING_IO 0x00040000 // set if this operation is being drained. If set,
+#define FLTFL_CALLBACK_DATA_POST_OPERATION 0x00080000 // Set if this is a POST operation
+#define FLTFL_CALLBACK_DATA_NEW_SYSTEM_BUFFER 0x00100000
+#define FLTFL_CALLBACK_DATA_DIRTY 0x80000000 // Set by caller if parameters were changed
+//
+// IRP Flags
+//
+#define IRP_NOCACHE 0x00000001
+#define IRP_PAGING_IO 0x00000002
+#define IRP_MOUNT_COMPLETION 0x00000002
+#define IRP_SYNCHRONOUS_API 0x00000004
+#define IRP_ASSOCIATED_IRP 0x00000008
+#define IRP_BUFFERED_IO 0x00000010
+#define IRP_DEALLOCATE_BUFFER 0x00000020
+#define IRP_INPUT_OPERATION 0x00000040
+#define IRP_SYNCHRONOUS_PAGING_IO 0x00000040
+#define IRP_CREATE_OPERATION 0x00000080
+#define IRP_READ_OPERATION 0x00000100
+#define IRP_WRITE_OPERATION 0x00000200
+#define IRP_CLOSE_OPERATION 0x00000400
+#define IRP_DEFER_IO_COMPLETION 0x00000800
+#define IRP_OB_QUERY_NAME 0x00001000
+#define IRP_HOLD_DEVICE_QUEUE 0x00002000
+#define IRP_UM_DRIVER_INITIATED_IO 0x00400000
+//
+// File Object Flags
+//
+#define FO_FILE_OPEN 0x00000001
+#define FO_SYNCHRONOUS_IO 0x00000002
+#define FO_ALERTABLE_IO 0x00000004
+#define FO_NO_INTERMEDIATE_BUFFERING 0x00000008
+#define FO_WRITE_THROUGH 0x00000010
+#define FO_SEQUENTIAL_ONLY 0x00000020
+#define FO_CACHE_SUPPORTED 0x00000040
+#define FO_NAMED_PIPE 0x00000080
+#define FO_STREAM_FILE 0x00000100
+#define FO_MAILSLOT 0x00000200
+#define FO_GENERATE_AUDIT_ON_CLOSE 0x00000400
+#define FO_QUEUE_IRP_TO_THREAD FO_GENERATE_AUDIT_ON_CLOSE
+#define FO_DIRECT_DEVICE_OPEN 0x00000800
+#define FO_FILE_MODIFIED 0x00001000
+#define FO_FILE_SIZE_CHANGED 0x00002000
+#define FO_CLEANUP_COMPLETE 0x00004000
+#define FO_TEMPORARY_FILE 0x00008000
+#define FO_DELETE_ON_CLOSE 0x00010000
+#define FO_OPENED_CASE_SENSITIVE 0x00020000
+#define FO_HANDLE_CREATED 0x00040000
+#define FO_FILE_FAST_IO_READ 0x00080000
+#define FO_RANDOM_ACCESS 0x00100000
+#define FO_FILE_OPEN_CANCELLED 0x00200000
+#define FO_VOLUME_OPEN 0x00400000
+#define FO_BYPASS_IO_ENABLED 0x00800000 //when set BYPASS IO is enabled on this handle
+#define FO_REMOTE_ORIGIN 0x01000000
+#define FO_DISALLOW_EXCLUSIVE 0x02000000
+#define FO_SKIP_COMPLETION_PORT FO_DISALLOW_EXCLUSIVE
+#define FO_SKIP_SET_EVENT 0x04000000
+#define FO_SKIP_SET_FAST_IO 0x08000000
+#define FO_INDIRECT_WAIT_OBJECT 0x10000000
+#define FO_SECTION_MINSTORE_TREATMENT 0x20000000
+//
+// Define stack location (IO_STACK_LOCATION) flags
+//
+#define SL_PENDING_RETURNED 0x01
+#define SL_ERROR_RETURNED 0x02
+#define SL_INVOKE_ON_CANCEL 0x20
+#define SL_INVOKE_ON_SUCCESS 0x40
+#define SL_INVOKE_ON_ERROR 0x80
+// Create / Create Named Pipe (IRP_MJ_CREATE/IRP_MJ_CREATE_NAMED_PIPE)
+#define SL_FORCE_ACCESS_CHECK 0x01
+#define SL_OPEN_PAGING_FILE 0x02
+#define SL_OPEN_TARGET_DIRECTORY 0x04
+#define SL_STOP_ON_SYMLINK 0x08
+#define SL_IGNORE_READONLY_ATTRIBUTE 0x40
+#define SL_CASE_SENSITIVE 0x80
+// Read / Write (IRP_MJ_READ/IRP_MJ_WRITE)
+#define SL_KEY_SPECIFIED 0x01
+#define SL_OVERRIDE_VERIFY_VOLUME 0x02
+#define SL_WRITE_THROUGH 0x04
+#define SL_FT_SEQUENTIAL_WRITE 0x08
+#define SL_FORCE_DIRECT_WRITE 0x10
+#define SL_REALTIME_STREAM 0x20 // valid only with optical media
+#define SL_PERSISTENT_MEMORY_FIXED_MAPPING 0x20 // valid only with persistent memory device and IRP_MJ_WRITE
+#define SL_BYPASS_IO 0x40
+// IRP_MJ_FLUSH_BUFFERS
+#define SL_FORCE_ASYNCHRONOUS 0x01
+// Device I/O Control
+#define SL_READ_ACCESS_GRANTED 0x01
+#define SL_WRITE_ACCESS_GRANTED 0x04 // Gap for SL_OVERRIDE_VERIFY_VOLUME
+// Lock (IRP_MJ_LOCK_CONTROL)
+#define SL_FAIL_IMMEDIATELY 0x01
+#define SL_EXCLUSIVE_LOCK 0x02
+// QueryDirectory / QueryEa / QueryQuota (IRP_MJ_DIRECTORY_CONTROL/IRP_MJ_QUERY_EA/IRP_MJ_QUERY_QUOTA))
+#define SL_RESTART_SCAN 0x01
+#define SL_RETURN_SINGLE_ENTRY 0x02
+#define SL_INDEX_SPECIFIED 0x04
+#define SL_RETURN_ON_DISK_ENTRIES_ONLY 0x08
+#define SL_NO_CURSOR_UPDATE 0x10
+#define SL_QUERY_DIRECTORY_MASK 0x1b
+// NotifyDirectory (IRP_MJ_DIRECTORY_CONTROL)
+#define SL_WATCH_TREE 0x01
+// FileSystemControl (IRP_MJ_FILE_SYSTEM_CONTROL)
+#define SL_ALLOW_RAW_MOUNT 0x01
+// SetInformationFile (IRP_MJ_SET_INFORMATION) / QueryInformationFile
+#define SL_BYPASS_ACCESS_CHECK 0x01
+#define SL_INFO_FORCE_ACCESS_CHECK 0x01
+#define SL_INFO_IGNORE_READONLY_ATTRIBUTE 0x40 // same value as IO_IGNORE_READONLY_ATTRIBUTE
+//
+// Device Object (DO) flags
+//
+#define DO_VERIFY_VOLUME 0x00000002
+#define DO_BUFFERED_IO 0x00000004
+#define DO_EXCLUSIVE 0x00000008
+#define DO_DIRECT_IO 0x00000010
+#define DO_MAP_IO_BUFFER 0x00000020
+#define DO_DEVICE_INITIALIZING 0x00000080
+#define DO_SHUTDOWN_REGISTERED 0x00000800
+#define DO_BUS_ENUMERATED_DEVICE 0x00001000
+#define DO_POWER_PAGABLE 0x00002000
+#define DO_POWER_INRUSH 0x00004000
+#define DO_DEVICE_TO_BE_RESET 0x04000000
+#define DO_DAX_VOLUME 0x10000000
+#endif // !_KERNEL_MODE
+
+
// KSecDD FS control definitions
#define KSEC_DEVICE_NAME L"\\Device\\KSecDD"
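Review bot: The new public macro FLT_CTL_DETATCH is misspelled; since the FLT_CTL_* names are introduced by this commit, renaming it now to `#define FLT_CTL_DETACH CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 5, METHOD_BUFFERED, FILE_WRITE_ACCESS) // in: FLT_INSTANCE_PARAMETERS` avoids carrying an alias later. The comment on FLTFL_CALLBACK_DATA_DRAINING_IO ends mid-sentence ("If set,"), apparently truncated when copied from the WDK header; either finish it or cut it at `// set if this operation is being drained`. The FLT_*_PARAMETERS and FLT_ATTACH structs describe names by USHORT offset/size pairs relative to the struct, and a one-line comment that each offset+size must lie within the caller-supplied buffer would help anyone building or parsing these inputs, as the hunk states no bounds for them.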
@@ -4021,6 +4390,20 @@ typedef struct _OPLOCK_KEY_CONTEXT {
#endif /*NTDDI_VERSION >= NTDDI_WIN8 */
+// WIN11
+#define SUPPORTED_FS_FEATURES_VALID_MASK_V3 (SUPPORTED_FS_FEATURES_OFFLOAD_READ | \
+ SUPPORTED_FS_FEATURES_OFFLOAD_WRITE | \
+ SUPPORTED_FS_FEATURES_QUERY_OPEN | \
+ SUPPORTED_FS_FEATURES_BYPASS_IO)
+// WIN10-RS2
+#define SUPPORTED_FS_FEATURES_VALID_MASK_V2 (SUPPORTED_FS_FEATURES_OFFLOAD_READ | \
+ SUPPORTED_FS_FEATURES_OFFLOAD_WRITE | \
+ SUPPORTED_FS_FEATURES_QUERY_OPEN)
+// WIN8
+#define SUPPORTED_FS_FEATURES_VALID_MASK_V1 (SUPPORTED_FS_FEATURES_OFFLOAD_READ | \
+ SUPPORTED_FS_FEATURES_OFFLOAD_WRITE)
+
+
#endif // !_KERNEL_MODE
diff --git a/Veil/Veil.System.Loader.h b/Veil/Veil.System.Loader.h
index 2cbdd4a..79d6af5 100644
--- a/Veil/Veil.System.Loader.h
+++ b/Veil/Veil.System.Loader.h
@@ -1074,6 +1074,129 @@ LdrUnloadDataFile(
#endif // if _KERNEL_MODE
+
+#if (NTDDI_VERSION >= NTDDI_WIN8)
+/**
+ * The LdrResFindResource function finds a resource in a DLL.
+ *
+ * @param DllHandle A handle to the DLL.
+ * @param Type The type of the resource.
+ * @param Name The name of the resource.
+ * @param Language The language of the resource.
+ * @param ResourceBuffer An optional pointer to receive the resource buffer.
+ * @param ResourceLength An optional pointer to receive the resource length.
+ * @param CultureName An optional buffer to receive the culture name.
+ * @param CultureNameLength An optional pointer to receive the length of the culture name.
+ * @param Flags Flags for the resource search.
+ * @return NTSTATUS Successful or errant status.
+ */
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrResFindResource(
+ _In_ PVOID DllHandle,
+ _In_ ULONG_PTR Type,
+ _In_ ULONG_PTR Name,
+ _In_ ULONG_PTR Language,
+ _Out_opt_ PVOID* ResourceBuffer,
+ _Out_opt_ PULONG ResourceLength,
+ _Out_writes_bytes_opt_(CultureNameLength) PVOID CultureName, // WCHAR buffer[6]
+ _Out_opt_ PULONG CultureNameLength,
+ _In_ ULONG Flags
+);
+
+/**
+ * The LdrResFindResourceDirectory function finds a resource directory in a DLL.
+ *
+ * @param DllHandle A handle to the DLL.
+ * @param Type The type of the resource.
+ * @param Name The name of the resource.
+ * @param ResourceDirectory An optional pointer to receive the resource directory.
+ * @param CultureName An optional buffer to receive the culture name.
+ * @param CultureNameLength An optional pointer to receive the length of the culture name.
+ * @param Flags Flags for the resource search.
+ * @return NTSTATUS Successful or errant status.
+ */
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrResFindResourceDirectory(
+ _In_ PVOID DllHandle,
+ _In_ ULONG_PTR Type,
+ _In_ ULONG_PTR Name,
+ _Out_opt_ PIMAGE_RESOURCE_DIRECTORY* ResourceDirectory,
+ _Out_writes_bytes_opt_(CultureNameLength) PVOID CultureName, // WCHAR buffer[6]
+ _Out_opt_ PULONG CultureNameLength,
+ _In_ ULONG Flags
+);
+
+/**
+* The LdrResSearchResource function searches for a resource in a DLL.
+*
+* @param DllHandle A handle to the DLL.
+* @param ResourceInfo A pointer to the resource information.
+* @param Level The level of the resource.
+* @param Flags Flags for the resource search.
+* @param ResourceBuffer An optional pointer to receive the resource buffer.
+* @param ResourceLength An optional pointer to receive the resource length.
+* @param CultureName An optional buffer to receive the culture name.
+* @param CultureNameLength An optional pointer to receive the length of the culture name.
+* @return NTSTATUS Successful or errant status.
+*/
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrResSearchResource(
+ _In_ PVOID DllHandle,
+ _In_ PLDR_RESOURCE_INFO ResourceInfo,
+ _In_ ULONG Level,
+ _In_ ULONG Flags,
+ _Out_opt_ PVOID* ResourceBuffer,
+ _Out_opt_ PSIZE_T ResourceLength,
+ _Out_writes_bytes_opt_(CultureNameLength) PVOID CultureName, // WCHAR buffer[6]
+ _Out_opt_ PULONG CultureNameLength
+);
+
+/**
+ * The LdrResGetRCConfig function retrieves the RC configuration for a DLL.
+ *
+ * @param DllHandle A handle to the DLL.
+ * @param Length The length of the configuration buffer.
+ * @param Config A buffer to receive the configuration.
+ * @param Flags Flags for the operation.
+ * @param AlternateResource Indicates if an alternate resource should be loaded.
+ * @return NTSTATUS Successful or errant status.
+ */
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrResGetRCConfig(
+ _In_ PVOID DllHandle,
+ _In_ SIZE_T Length,
+ _Out_writes_bytes_opt_(Length) PVOID Config,
+ _In_ ULONG Flags,
+ _In_ BOOLEAN AlternateResource // LdrLoadAlternateResourceModule
+);
+
+/**
+ * The LdrResRelease function releases a resource in a DLL.
+ *
+ * @param DllHandle A handle to the DLL.
+ * @param CultureNameOrId An optional culture name or ID.
+ * @param Flags Flags for the operation.
+ * @return NTSTATUS Successful or errant status.
+ */
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrResRelease(
+ _In_ PVOID DllHandle,
+ _In_opt_ ULONG_PTR CultureNameOrId, // MAKEINTRESOURCE
+ _In_ ULONG Flags
+);
+#endif // (NTDDI_VERSION >= NTDDI_WIN8)
+
+
//
// Module information
//
@@ -1325,15 +1448,41 @@ NTAPI
LdrSetImplicitPathOptions(
_In_ ULONG ImplicitPathOptions
);
+#endif
-// rev
+#if (NTDDI_VERSION >= NTDDI_THRESHOLD)
+/**
+ * The LdrControlFlowGuardEnforced function checks if Control Flow Guard is enforced.
+ *
+ * @return BOOLEAN TRUE if Control Flow Guard is enforced, FALSE otherwise.
+ */
NTSYSAPI
BOOLEAN
NTAPI
LdrControlFlowGuardEnforced(
VOID
);
+
+inline
+BOOLEAN
+NTAPI
+_VEIL_IMPL_LdrControlFlowGuardEnforced(
+ VOID
+)
+{
+ return LdrSystemDllInitBlock.CfgBitMap && (LdrSystemDllInitBlock.Flags & 1) == 0;
+}
+
+#if defined _M_IX86
+
+_VEIL_DEFINE_IAT_RAW_SYMBOL(LdrControlFlowGuardEnforced@0, _VEIL_IMPL_LdrControlFlowGuardEnforced);
+
+#elif defined _M_X64 || defined _M_ARM || defined _M_ARM64
+
+_VEIL_DEFINE_IAT_SYMBOL(LdrControlFlowGuardEnforced, _VEIL_IMPL_LdrControlFlowGuardEnforced);
+
#endif
+#endif // (NTDDI_VERSION >= NTDDI_THRESHOLD)
#if (NTDDI_VERSION >= NTDDI_WIN10_19H1)
// rev
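Review bot: `_VEIL_IMPL_LdrControlFlowGuardEnforced` tests `(LdrSystemDllInitBlock.Flags & 1) == 0` with a bare literal, so the meaning of bit 0 cannot be recovered from the header, and the doc comment above `LdrControlFlowGuardEnforced` only says it "checks if Control Flow Guard is enforced". Give the bit a name next to the `LdrSystemDllInitBlock` definition (e.g. `#define <CFG_FLAG_NAME_PLACEHOLDER> 0x1`, with the real name taken from that structure's documentation) and use it here, and add one sentence to the doc comment stating the actual condition: returns TRUE only when `CfgBitMap` is non-NULL and that flag bit is clear. The `LdrSystemDllInitBlock` definition is outside this hunk, so the bit's meaning cannot be confirmed from here.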
diff --git a/Veil/Veil.System.MemoryManager.h b/Veil/Veil.System.MemoryManager.h
index 706b3cd..b179843 100644
--- a/Veil/Veil.System.MemoryManager.h
+++ b/Veil/Veil.System.MemoryManager.h
@@ -120,6 +120,7 @@ typedef enum _MEMORY_INFORMATION_CLASS
MemoryPhysicalContiguityInformation, // MEMORY_PHYSICAL_CONTIGUITY_INFORMATION // since 20H1
MemoryBadInformation, // since WIN11
MemoryBadInformationAllProcesses, // since 22H1
+ MemoryImageExtensionInformation, // MEMORY_IMAGE_EXTENSION_INFORMATION // since 24H2
MaxMemoryInfoClass
} MEMORY_INFORMATION_CLASS;
#else
@@ -137,8 +138,43 @@ typedef enum _MEMORY_INFORMATION_CLASS
#define MemoryPhysicalContiguityInformation ((_MEMORY_INFORMATION_CLASS)0xB)
#define MemoryBadInformation ((_MEMORY_INFORMATION_CLASS)0xC)
#define MemoryBadInformationAllProcesses ((_MEMORY_INFORMATION_CLASS)0xD)
+#define MemoryImageExtensionInformation ((_MEMORY_INFORMATION_CLASS)0xE)
#endif // !_KERNEL_MODE
+// MEMORY_WORKING_SET_BLOCK->Protection
+#define MEMORY_BLOCK_NOT_ACCESSED 0
+#define MEMORY_BLOCK_READONLY 1
+#define MEMORY_BLOCK_EXECUTABLE 2
+#define MEMORY_BLOCK_EXECUTABLE_READONLY 3
+#define MEMORY_BLOCK_READWRITE 4
+#define MEMORY_BLOCK_COPYONWRITE 5
+#define MEMORY_BLOCK_EXECUTABLE_READWRITE 6
+#define MEMORY_BLOCK_EXECUTABLE_COPYONWRITE 7
+#define MEMORY_BLOCK_NOT_ACCESSED_2 8
+#define MEMORY_BLOCK_NON_CACHEABLE_READONLY 9
+#define MEMORY_BLOCK_NON_CACHEABLE_EXECUTABLE 10
+#define MEMORY_BLOCK_NON_CACHEABLE_EXECUTABLE_READONLY 11
+#define MEMORY_BLOCK_NON_CACHEABLE_READWRITE 12
+#define MEMORY_BLOCK_NON_CACHEABLE_COPYONWRITE 13
+#define MEMORY_BLOCK_NON_CACHEABLE_EXECUTABLE_READWRITE 14
+#define MEMORY_BLOCK_NON_CACHEABLE_EXECUTABLE_COPYONWRITE 15
+#define MEMORY_BLOCK_NOT_ACCESSED_3 16
+#define MEMORY_BLOCK_GUARD_READONLY 17
+#define MEMORY_BLOCK_GUARD_EXECUTABLE 18
+#define MEMORY_BLOCK_GUARD_EXECUTABLE_READONLY 19
+#define MEMORY_BLOCK_GUARD_READWRITE 20
+#define MEMORY_BLOCK_GUARD_COPYONWRITE 21
+#define MEMORY_BLOCK_GUARD_EXECUTABLE_READWRITE 22
+#define MEMORY_BLOCK_GUARD_EXECUTABLE_COPYONWRITE 23
+#define MEMORY_BLOCK_NOT_ACCESSED_4 24
+#define MEMORY_BLOCK_NON_CACHEABLE_GUARD_READONLY 25
+#define MEMORY_BLOCK_NON_CACHEABLE_GUARD_EXECUTABLE 26
+#define MEMORY_BLOCK_NON_CACHEABLE_GUARD_EXECUTABLE_READONLY 27
+#define MEMORY_BLOCK_NON_CACHEABLE_GUARD_READWRITE 28
+#define MEMORY_BLOCK_NON_CACHEABLE_GUARD_COPYONWRITE 29
+#define MEMORY_BLOCK_NON_CACHEABLE_GUARD_EXECUTABLE_READWRITE 30
+#define MEMORY_BLOCK_NON_CACHEABLE_GUARD_EXECUTABLE_COPYONWRITE 31
+
typedef struct _MEMORY_WORKING_SET_BLOCK
{
ULONG_PTR Protection : 5;
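Review bot: The `MEMORY_BLOCK_*` table is a 5-bit encoding, but nothing in the hunk says so, and the `_2`/`_3`/`_4` suffixes on the NOT_ACCESSED entries read as arbitrary. From the values, the low three bits are the protection (0 = not accessed), 8 is the non-cacheable modifier and 16 the guard modifier (24 both), so `MEMORY_BLOCK_NOT_ACCESSED_2/_3/_4` are the "not accessed" code under each modifier combination. A comment on the `// MEMORY_WORKING_SET_BLOCK->Protection` line such as `// 5-bit value: bits 0-2 protection (0 = not accessed), bit 3 (0x8) non-cacheable, bit 4 (0x10) guard` would let a reader decode a raw `Protection` value without scanning the table.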
@@ -320,6 +356,122 @@ typedef struct _MEMORY_PHYSICAL_CONTIGUITY_INFORMATION
PMEMORY_PHYSICAL_CONTIGUITY_UNIT_INFORMATION ContiguityUnitInformation;
} MEMORY_PHYSICAL_CONTIGUITY_INFORMATION, * PMEMORY_PHYSICAL_CONTIGUITY_INFORMATION;
+// private
+typedef struct _RTL_SCP_CFG_ARM64_HEADER
+{
+ ULONG EcInvalidCallHandlerRva;
+ ULONG EcCfgCheckRva;
+ ULONG EcCfgCheckESRva;
+ ULONG EcCallCheckRva;
+ ULONG CpuInitializationCompleteLoadRva;
+ ULONG LdrpValidateEcCallTargetInitRva;
+ ULONG SyscallFfsSizeRva;
+ ULONG SyscallFfsBaseRva;
+} RTL_SCP_CFG_ARM64_HEADER, * PRTL_SCP_CFG_ARM64_HEADER;
+
+// private
+typedef enum _RTL_SCP_CFG_PAGE_TYPE
+{
+ RtlScpCfgPageTypeNop,
+ RtlScpCfgPageTypeDefault,
+ RtlScpCfgPageTypeExportSuppression,
+ RtlScpCfgPageTypeFptr,
+ RtlScpCfgPageTypeMax,
+ RtlScpCfgPageTypeNone
+} RTL_SCP_CFG_PAGE_TYPE;
+
+// private
+typedef struct _RTL_SCP_CFG_COMMON_HEADER
+{
+ ULONG CfgDispatchRva;
+ ULONG CfgDispatchESRva;
+ ULONG CfgCheckRva;
+ ULONG CfgCheckESRva;
+ ULONG InvalidCallHandlerRva;
+ ULONG FnTableRva;
+} RTL_SCP_CFG_COMMON_HEADER, * PRTL_SCP_CFG_COMMON_HEADER;
+
+// private
+typedef struct _RTL_SCP_CFG_HEADER
+{
+ RTL_SCP_CFG_COMMON_HEADER Common;
+} RTL_SCP_CFG_HEADER, * PRTL_SCP_CFG_HEADER;
+
+// private
+typedef struct _RTL_SCP_CFG_REGION_BOUNDS
+{
+ PVOID StartAddress;
+ PVOID EndAddress;
+} RTL_SCP_CFG_REGION_BOUNDS, * PRTL_SCP_CFG_REGION_BOUNDS;
+
+// private
+typedef struct _RTL_SCP_CFG_NTDLL_EXPORTS
+{
+ RTL_SCP_CFG_REGION_BOUNDS ScpRegions[4];
+ PVOID CfgDispatchFptr;
+ PVOID CfgDispatchESFptr;
+ PVOID CfgCheckFptr;
+ PVOID CfgCheckESFptr;
+ PVOID IllegalCallHandler;
+} RTL_SCP_CFG_NTDLL_EXPORTS, * PRTL_SCP_CFG_NTDLL_EXPORTS;
+
+// private
+typedef struct _RTL_SCP_CFG_NTDLL_EXPORTS_ARM64EC
+{
+ PVOID EcInvalidCallHandler;
+ PVOID EcCfgCheckFptr;
+ PVOID EcCfgCheckESFptr;
+ PVOID EcCallCheckFptr;
+ PVOID CpuInitializationComplete;
+ PVOID LdrpValidateEcCallTargetInit;
+ struct
+ {
+ PVOID SyscallFfsSize;
+ union
+ {
+ PVOID Ptr;
+ ULONG Value;
+ };
+ };
+ PVOID SyscallFfsBase;
+} RTL_SCP_CFG_NTDLL_EXPORTS_ARM64EC, * PRTL_SCP_CFG_NTDLL_EXPORTS_ARM64EC;
+
+// private
+typedef struct _RTL_RETPOLINE_ROUTINES
+{
+ ULONG SwitchtableJump[16];
+ ULONG CfgIndirectRax;
+ ULONG NonCfgIndirectRax;
+ ULONG ImportR10;
+ ULONG JumpHpat;
+} RTL_RETPOLINE_ROUTINES, * PRTL_RETPOLINE_ROUTINES;
+
+// private
+typedef struct _RTL_KSCP_ROUTINES
+{
+ ULONG UnwindDataOffset;
+ RTL_RETPOLINE_ROUTINES RetpolineRoutines;
+ ULONG CfgDispatchSmep;
+ ULONG CfgDispatchNoSmep;
+} RTL_KSCP_ROUTINES, * PRTL_KSCP_ROUTINES;
+
+// private
+typedef enum _MEMORY_IMAGE_EXTENSION_TYPE
+{
+ MemoryImageExtensionCfgScp,
+ MemoryImageExtensionCfgEmulatedScp,
+ MemoryImageExtensionTypeMax,
+} MEMORY_IMAGE_EXTENSION_TYPE;
+
+// private
+typedef struct _MEMORY_IMAGE_EXTENSION_INFORMATION
+{
+ MEMORY_IMAGE_EXTENSION_TYPE ExtensionType;
+ ULONG Flags;
+ PVOID ExtensionImageBaseRva;
+ SIZE_T ExtensionSize;
+} MEMORY_IMAGE_EXTENSION_INFORMATION, * PMEMORY_IMAGE_EXTENSION_INFORMATION;
+
typedef enum _MMLISTS
{
ZeroedPageList = 0,
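Review bot: `MEMORY_IMAGE_EXTENSION_INFORMATION.ExtensionImageBaseRva` is declared `PVOID` although its name says RVA and every other `*Rva` member added in this hunk (`RTL_SCP_CFG_ARM64_HEADER`, `RTL_SCP_CFG_COMMON_HEADER`) is `ULONG`, so either the type or the name looks wrong. If the kernel really returns a pointer-sized value there, a comment saying what it holds (an RVA widened to pointer size, or an absolute address) would spare the next reader a debugger session; if it is a 32-bit RVA, `ULONG` would match the sibling headers. The nested anonymous struct/union around `SyscallFfsSize` in `RTL_SCP_CFG_NTDLL_EXPORTS_ARM64EC` likewise has no comment explaining why `Ptr`/`Value` overlay a second pointer-sized slot, and since every type here is marked `// private` there is no public reference to check against, so a one-line note on the layout's provenance is worthwhile.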
@@ -332,6 +484,15 @@ typedef enum _MMLISTS
TransitionPage = 7
} MMLISTS;
+#define MMPFNLIST_ZERO 0
+#define MMPFNLIST_FREE 1
+#define MMPFNLIST_STANDBY 2
+#define MMPFNLIST_MODIFIED 3
+#define MMPFNLIST_MODIFIEDNOWRITE 4
+#define MMPFNLIST_BAD 5
+#define MMPFNLIST_ACTIVE 6
+#define MMPFNLIST_TRANSITION 7
+
typedef enum _MMPFNUSE
{
ProcessPrivatePage,
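Review bot: The new `MMPFNLIST_*` macros duplicate the values of the `MMLISTS` enumerators (`ZeroedPageList = 0` … `TransitionPage = 7`) with nothing tying the two together, so a future edit to one will silently desynchronise the other; the same applies to the `MMPFNUSE_*` macros added in the next hunk against `MMPFNUSE`. A compile-time check next to each macro group, e.g. `C_ASSERT(MMPFNLIST_TRANSITION == TransitionPage);` and `C_ASSERT(MMPFNUSE_KERNELSTACK == KernelStackPage);`, pins them together at no runtime cost, or failing that a comment on each group stating which enumerator it mirrors. The `MMPFNUSE` enumerators between `ProcessPrivatePage` and `KernelStackPage` are outside the visible hunk, so the 0–11 mapping of the middle entries is assumed from declaration order.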
@@ -348,6 +509,19 @@ typedef enum _MMPFNUSE
KernelStackPage
} MMPFNUSE;
+#define MMPFNUSE_PROCESSPRIVATE 0
+#define MMPFNUSE_FILE 1
+#define MMPFNUSE_PAGEFILEMAPPED 2
+#define MMPFNUSE_PAGETABLE 3
+#define MMPFNUSE_PAGEDPOOL 4
+#define MMPFNUSE_NONPAGEDPOOL 5
+#define MMPFNUSE_SYSTEMPTE 6
+#define MMPFNUSE_SESSIONPRIVATE 7
+#define MMPFNUSE_METAFILE 8
+#define MMPFNUSE_AWEPAGE 9
+#define MMPFNUSE_DRIVERLOCKPAGE 10
+#define MMPFNUSE_KERNELSTACK 11
+
// private
typedef struct _MEMORY_FRAME_INFORMATION
{
diff --git a/Veil/Veil.System.PowerManager.h b/Veil/Veil.System.PowerManager.h
index 9143bae..325ce5f 100644
--- a/Veil/Veil.System.PowerManager.h
+++ b/Veil/Veil.System.PowerManager.h
@@ -656,17 +656,20 @@ typedef struct _POWER_INTERNAL_HOST_ENERGY_SAVER_STATE
BOOLEAN EsEnabledOnHost;
} POWER_INTERNAL_HOST_ENERGY_SAVER_STATE, * PPOWER_INTERNAL_HOST_ENERGY_SAVER_STATE;
-typedef struct _POWER_INTERNAL_PROCESSOR_BRANDED_FREQENCY_INPUT
+typedef struct _POWER_INTERNAL_PROCESSOR_BRANDED_FREQUENCY_INPUT
{
POWER_INFORMATION_LEVEL_INTERNAL InternalType;
PROCESSOR_NUMBER ProcessorNumber; // ULONG_MAX
-} POWER_INTERNAL_PROCESSOR_BRANDED_FREQENCY_INPUT, * PPOWER_INTERNAL_PROCESSOR_BRANDED_FREQENCY_INPUT;
+} POWER_INTERNAL_PROCESSOR_BRANDED_FREQUENCY_INPUT, * PPOWER_INTERNAL_PROCESSOR_BRANDED_FREQUENCY_INPUT;
-typedef struct _POWER_INTERNAL_PROCESSOR_BRANDED_FREQENCY_OUTPUT
+#define POWER_INTERNAL_PROCESSOR_BRANDED_FREQUENCY_VERSION 1
+
+// rev
+typedef struct _POWER_INTERNAL_PROCESSOR_BRANDED_FREQUENCY_OUTPUT
{
ULONG Version;
ULONG NominalFrequency; // if (Domain) Prcb->PowerState.CheckContext.Domain.NominalFrequency else Prcb->MHz
-} POWER_INTERNAL_PROCESSOR_BRANDED_FREQENCY_OUTPUT, * PPOWER_INTERNAL_PROCESSOR_BRANDED_FREQENCY_OUTPUT;
+} POWER_INTERNAL_PROCESSOR_BRANDED_FREQUENCY_OUTPUT, * PPOWER_INTERNAL_PROCESSOR_BRANDED_FREQUENCY_OUTPUT;
// rev
typedef struct _POWER_INTERNAL_BOOTAPP_DIAGNOSTIC
@@ -675,6 +678,16 @@ typedef struct _POWER_INTERNAL_BOOTAPP_DIAGNOSTIC
ULONG BootAppFailureStatus; // bcdedit last status
} POWER_INTERNAL_BOOTAPP_DIAGNOSTIC, * PPOWER_INTERNAL_BOOTAPP_DIAGNOSTIC;
+/**
+ * The NtPowerInformation routine sets or retrieves system power information.
+ *
+ * @param InformationLevel Specifies the requested information level, which indicates the specific power information to be set or retrieved.
+ * @param InputBuffer Optional pointer to a caller-allocated input buffer.
+ * @param InputBufferLength Size, in bytes, of the buffer at InputBuffer.
+ * @param OutputBuffer Optional pointer to an output buffer. The type depends on the InformationLevel requested.
+ * @param OutputBufferLength Size, in bytes, of the output buffer.
+ * @return Successful or errant status.
+ */
_IRQL_requires_max_(APC_LEVEL)
__kernel_entry NTSYSCALLAPI
NTSTATUS
@@ -699,6 +712,14 @@ ZwPowerInformation(
_In_ ULONG OutputBufferLength
);
+/**
+ * Enables an application to inform the system that it is in use,
+ * thereby preventing the system from entering sleep or turning off the display while the application is running.
+ *
+ * @param NewFlags New execution state flags.
+ * @param PreviousFlags Pointer to receive the previous execution state flags.
+ * @return Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -716,6 +737,36 @@ ZwSetThreadExecutionState(
_Out_ EXECUTION_STATE* PreviousFlags
);
+/**
+ * Requests the system resume latency.
+ *
+ * @param latency The desired latency time.
+ * @return Successful or errant status.
+ */
+__kernel_entry NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtRequestWakeupLatency(
+ _In_ LATENCY_TIME latency
+);
+
+_IRQL_requires_max_(PASSIVE_LEVEL)
+NTSYSAPI
+NTSTATUS
+NTAPI
+ZwRequestWakeupLatency(
+ _In_ LATENCY_TIME latency
+);
+
+/**
+ * Initiates a power action of the current system.
+ *
+ * @param SystemAction The system power action.
+ * @param LightestSystemState The lightest system power state.
+ * @param Flags Flags for the power action.
+ * @param Asynchronous Whether the action is asynchronous.
+ * @return Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
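Review bot: The parameter of the new `NtRequestWakeupLatency`/`ZwRequestWakeupLatency` is spelled `latency`, the only lower-case parameter name in this file, where every other declaration uses PascalCase (`Flags`, `Asynchronous`, `State`); `_In_ LATENCY_TIME Latency` keeps the convention. The `Zw` variant also carries no documentation comment while the `Nt` one does, which differs from the other pairs in this file. The `Nt` summary `Requests the system resume latency.` reads like a query; `Requests a maximum system resume (wake-up) latency.` describes what the `LATENCY_TIME` argument is for.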
@@ -737,6 +788,15 @@ ZwInitiatePowerAction(
_In_ BOOLEAN Asynchronous
);
+/**
+ * Initiates a power action of the current system. Depending on the Flags parameter, the function either
+ * suspends operation immediately or requests permission from all applications and device drivers before doing so.
+ *
+ * @param SystemAction The system power action.
+ * @param LightestSystemState The lightest system power state.
+ * @param Flags Flags for the power action.
+ * @return Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
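Review bot: The new comment's first sentence, `Initiates a power action of the current system.`, is the same text as the `NtInitiatePowerAction` comment in the previous hunk, although the hunk header places this block after `ZwInitiatePowerAction` and the next hunk shows `ZwSetSystemPowerState`, so this appears to document `NtSetSystemPowerState`; the declaration itself starts after the hunk. `Sets the system power state.` as the opening sentence, keeping the second sentence about the `Flags` behaviour, would describe the function rather than its neighbour. The `@param Flags` line could also name the `POWER_ACTION_*` constants, since the Zw hunk below carries that hint inline on the parameter.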
@@ -756,6 +816,16 @@ ZwSetSystemPowerState(
_In_ ULONG Flags // POWER_ACTION_* flags
);
+/**
+ * Retrieves the current power state of the specified device. This function cannot be used to query the power state of a display device.
+ *
+ * @param Device A handle to an object on the device, such as a file or socket, or a handle to the device itself.
+ * @param State A pointer to the variable that receives the power state.
+ * @return Successful or errant status.
+ * @remarks An application can use NtGetDevicePowerState to determine whether a device is in the working state or a low-power state.
+ * If the device is in a low-power state, accessing the device may cause it to either queue or fail any I/O requests, or transition the device into the working state.
+ * The exact behavior depends on the implementation of the device.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -773,6 +843,11 @@ ZwGetDevicePowerState(
_Out_ PDEVICE_POWER_STATE State
);
+/**
+ * Checks if the system resume is automatic.
+ *
+ * @return BOOLEAN TRUE if the system resume is automatic, FALSE otherwise.
+ */
__kernel_entry NTSYSCALLAPI
BOOLEAN
NTAPI
diff --git a/Veil/Veil.System.Process.h b/Veil/Veil.System.Process.h
index ff2888d..7a9e6b1 100644
--- a/Veil/Veil.System.Process.h
+++ b/Veil/Veil.System.Process.h
@@ -27,45 +27,63 @@
VEIL_BEGIN()
-#ifdef _KERNEL_MODE
-#define PROCESS_TERMINATE 0x0001
-#define PROCESS_CREATE_THREAD 0x0002
-#define PROCESS_SET_SESSIONID 0x0004
-#define PROCESS_VM_OPERATION 0x0008
-#define PROCESS_VM_READ 0x0010
-#define PROCESS_VM_WRITE 0x0020
-#define PROCESS_CREATE_PROCESS 0x0080
-#define PROCESS_SET_QUOTA 0x0100
-#define PROCESS_SET_INFORMATION 0x0200
-#define PROCESS_QUERY_INFORMATION 0x0400
-#define PROCESS_SET_PORT 0x0800
-#define PROCESS_SUSPEND_RESUME 0x0800
-#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
-#else
-#ifndef PROCESS_SET_PORT
-#define PROCESS_SET_PORT 0x0800
-#endif
-#endif
+//
+// Process Specific Access Rights
+//
-#ifdef _KERNEL_MODE
-#define THREAD_QUERY_INFORMATION 0x0040
-#define THREAD_SET_THREAD_TOKEN 0x0080
-#define THREAD_IMPERSONATE 0x0100
-#define THREAD_DIRECT_IMPERSONATION 0x0200
-#else
-#ifndef THREAD_ALERT
-#define THREAD_ALERT 0x0004
-#endif
-#endif
+#define PROCESS_TERMINATE (0x0001)
+#define PROCESS_CREATE_THREAD (0x0002)
+#define PROCESS_SET_SESSIONID (0x0004)
+#define PROCESS_VM_OPERATION (0x0008)
+#define PROCESS_VM_READ (0x0010)
+#define PROCESS_VM_WRITE (0x0020)
+#define PROCESS_DUP_HANDLE (0x0040)
+#define PROCESS_CREATE_PROCESS (0x0080)
+#define PROCESS_SET_QUOTA (0x0100)
+#define PROCESS_SET_INFORMATION (0x0200)
+#define PROCESS_QUERY_INFORMATION (0x0400)
+#define PROCESS_SUSPEND_RESUME (0x0800)
+#define PROCESS_SET_PORT (0x0800)
+#define PROCESS_QUERY_LIMITED_INFORMATION (0x1000)
+#define PROCESS_SET_LIMITED_INFORMATION (0x2000)
+#define PROCESS_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF)
-#ifdef _KERNEL_MODE
-#define JOB_OBJECT_ASSIGN_PROCESS 0x0001
-#define JOB_OBJECT_SET_ATTRIBUTES 0x0002
-#define JOB_OBJECT_QUERY 0x0004
-#define JOB_OBJECT_TERMINATE 0x0008
-#define JOB_OBJECT_SET_SECURITY_ATTRIBUTES 0x0010
-#define JOB_OBJECT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3F)
-#endif
+//
+// Thread Specific Access Rights
+//
+
+#define THREAD_TERMINATE (0x0001)
+#define THREAD_SUSPEND_RESUME (0x0002)
+#define THREAD_ALERT (0x0004)
+#define THREAD_GET_CONTEXT (0x0008)
+#define THREAD_SET_CONTEXT (0x0010)
+#define THREAD_SET_INFORMATION (0x0020)
+#define THREAD_QUERY_INFORMATION (0x0040)
+#define THREAD_SET_THREAD_TOKEN (0x0080)
+#define THREAD_IMPERSONATE (0x0100)
+#define THREAD_DIRECT_IMPERSONATION (0x0200)
+#define THREAD_SET_LIMITED_INFORMATION (0x0400)
+#define THREAD_QUERY_LIMITED_INFORMATION (0x0800)
+#define THREAD_RESUME (0x1000)
+#define THREAD_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF)
+
+
+//
+// Job Object Specific Access Rights
+//
+
+#define JOB_OBJECT_ASSIGN_PROCESS (0x0001)
+#define JOB_OBJECT_SET_ATTRIBUTES (0x0002)
+#define JOB_OBJECT_QUERY (0x0004)
+#define JOB_OBJECT_TERMINATE (0x0008)
+#define JOB_OBJECT_SET_SECURITY_ATTRIBUTES (0x0010)
+#define JOB_OBJECT_IMPERSONATE (0x0020)
+#define JOB_OBJECT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3F )
+
+//
+// PEB
+// Process information structures
+//
#define GDI_HANDLE_BUFFER_SIZE32 34
#define GDI_HANDLE_BUFFER_SIZE64 60
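Review bot: The access-right macros are now defined unconditionally, but the removed block only defined them under `_KERNEL_MODE` (and `PROCESS_SET_PORT`/`THREAD_ALERT` behind `#ifndef`) because user-mode builds already get `PROCESS_*`, `THREAD_*` and `JOB_OBJECT_*` from the Windows SDK; unless the SDK's replacement text is token-for-token identical to what is added here, every user-mode translation unit that includes both will get macro-redefinition diagnostics. Wrapping each group in `#ifndef PROCESS_TERMINATE` / `#ifndef THREAD_TERMINATE` / `#ifndef JOB_OBJECT_ASSIGN_PROCESS` (or restoring the `_KERNEL_MODE` condition) avoids that while still providing the values for kernel-mode consumers. Two details deserve a comment either way: `PROCESS_SUSPEND_RESUME` and `PROCESS_SET_PORT` deliberately share `0x0800`, and `PROCESS_ALL_ACCESS`/`THREAD_ALL_ACCESS` are fixed at the `0xFFFF` mask, which as far as I recall the SDK makes conditional on the target version. The stray space in `0x3F )` for `JOB_OBJECT_ALL_ACCESS` is cosmetic.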
@@ -91,7 +109,6 @@ typedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64];
#define TLS_EXPANSION_SLOTS 1024
#endif
-// symbols
typedef struct _PEB_LDR_DATA
{
ULONG Length;
@@ -1164,7 +1181,7 @@ Wow64CurrentNativeTeb(
}
else {
//
- // Called while runnign under WoW Host, so calculate the position of the
+ // Called while running under WoW Host, so calculate the position of the
// host teb relative to the current (guest) teb.
//
@@ -1544,12 +1561,12 @@ typedef enum _PROCESSINFOCLASS
ProcessApplyStateChange,
ProcessEnableOptionalXStateFeatures, // s: ULONG64 // optional XState feature bitmask
ProcessAltPrefetchParam, // qs: OVERRIDE_PREFETCH_PARAMETER // App Launch Prefetch (ALPF) // since 22H1
- ProcessAssignCpuPartitions,
+ ProcessAssignCpuPartitions, // HANDLE
ProcessPriorityClassEx, // s: PROCESS_PRIORITY_CLASS_EX
ProcessMembershipInformation, // q: PROCESS_MEMBERSHIP_INFORMATION
ProcessEffectiveIoPriority, // q: IO_PRIORITY_HINT // 110
ProcessEffectivePagePriority, // q: ULONG
- ProcessSchedulerSharedData, // since 24H2
+ ProcessSchedulerSharedData, // SCHEDULER_SHARED_DATA_SLOT_INFORMATION // since 24H2
ProcessSlistRollbackInformation,
ProcessNetworkIoCounters, // q: PROCESS_NETWORK_COUNTERS
ProcessFindFirstThreadByTebValue, // PROCESS_TEB_VALUE_INFORMATION
@@ -1729,8 +1746,8 @@ typedef struct _PROCESS_EXTENDED_BASIC_INFORMATION
ULONG IsProcessDeleting : 1;
ULONG IsCrossSessionCreate : 1;
ULONG IsFrozen : 1;
- ULONG IsBackground : 1;
- ULONG IsStronglyNamed : 1;
+ ULONG IsBackground : 1; // WIN://BGKD
+ ULONG IsStronglyNamed : 1; // WIN://SYSAPPID
ULONG IsSecureProcess : 1;
ULONG IsSubsystemProcess : 1;
ULONG IsTrustedApp : 1; // since 24H2
@@ -2890,6 +2907,10 @@ ZwResumeProcess(
#define ZwCurrentProcessId() NtCurrentProcessId()
#define NtCurrentThreadId() (NtCurrentTeb()->ClientId.UniqueThread)
#define ZwCurrentThreadId() NtCurrentThreadId()
+#define NtCurrentSessionId() RtlGetActiveConsoleId()
+#define ZwCurrentSessionId() NtCurrentSessionId()
+#define NtCurrentLogonId() (NtCurrentPeb()->LogonId)
+#define ZwCurrentLogonId() NtCurrentLogonId()
#else // ifdef _KERNEL_MODE
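Review bot: The user-mode `NtCurrentSessionId()` is mapped to `RtlGetActiveConsoleId()`, which returns the id of the session currently attached to the physical console rather than the session the calling process belongs to, while the kernel-mode definition in the next hunk uses `PsGetCurrentProcessSessionId()`; the two macros therefore disagree exactly in the case that matters (a session-0 service while a user is logged on at the console), and session ids are routinely used for isolation decisions. The process's own session id is available from the PEB, so `#define NtCurrentSessionId() (NtCurrentPeb()->SessionId)` would match the kernel-mode meaning and the style of the `NtCurrentLogonId()` definition beside it. If the console session really is what is wanted, the macro name should say so.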
@@ -2897,6 +2918,8 @@ ZwResumeProcess(
#define ZwCurrentProcessId() NtCurrentProcessId()
#define NtCurrentThreadId() PsGetCurrentThreadId()
#define ZwCurrentThreadId() NtCurrentThreadId()
+#define NtCurrentSessionId() PsGetCurrentProcessSessionId()
+#define ZwCurrentSessionId() NtCurrentSessionId()
#endif // _KERNEL_MODE
@@ -2907,6 +2930,16 @@ ZwResumeProcess(
#define NtCurrentSilo() ( (HANDLE)(LONG_PTR) -1 )
+/**
+ * Retrieves information about the specified process.
+ *
+ * @param ProcessHandle A handle to the process.
+ * @param ProcessInformationClass The type of process information to be retrieved.
+ * @param ProcessInformation A pointer to a buffer that receives the process information.
+ * @param ProcessInformationLength The size of the buffer pointed to by the ProcessInformation parameter.
+ * @param ReturnLength An optional pointer to a variable that receives the size of the data returned.
+ * @return NTSTATUS Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -2933,6 +2966,16 @@ ZwQueryInformationProcess(
#if (NTDDI_VERSION >= NTDDI_WS03)
#define PROCESS_GET_NEXT_FLAGS_PREVIOUS_PROCESS 0x00000001
+/**
+ * Retrieves a handle to the next process in the system.
+ *
+ * @param ProcessHandle An optional handle to the current process.
+ * @param DesiredAccess The access rights desired for the new process handle.
+ * @param HandleAttributes The attributes for the new process handle.
+ * @param Flags Flags that modify the behavior of the function.
+ * @param NewProcessHandle A pointer to a variable that receives the handle to the next process.
+ * @return NTSTATUS Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -2957,6 +3000,17 @@ ZwGetNextProcess(
);
#endif
+/**
+ * Retrieves a handle to the next thread in the process.
+ *
+ * @param ProcessHandle An optional handle to the target process.
+ * @param ThreadHandle An optional handle to the current thread.
+ * @param DesiredAccess The access rights desired for the new thread handle.
+ * @param HandleAttributes The attributes for the new thread handle.
+ * @param Flags Flags that modify the behavior of the function.
+ * @param NewThreadHandle A pointer to a variable that receives the handle to the next thread.
+ * @return NTSTATUS Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -2982,6 +3036,15 @@ ZwGetNextThread(
_Out_ PHANDLE NewThreadHandle
);
+/**
+ * Sets information for the specified process.
+ *
+ * @param ProcessHandle A handle to the process.
+ * @param ProcessInformationClass The type of process information to be set.
+ * @param ProcessInformation A pointer to a buffer that contains the process information.
+ * @param ProcessInformationLength The size of the buffer pointed to by the ProcessInformation parameter.
+ * @return NTSTATUS Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -3021,7 +3084,7 @@ NtCreateProcessStateChange(
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ HANDLE ProcessHandle,
- _In_opt_ ULONG64 Reserved
+ _In_opt_ _Reserved_ ULONG64 Reserved
);
_IRQL_requires_max_(PASSIVE_LEVEL)
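Review bot: `_In_opt_ _Reserved_ ULONG64 Reserved` stacks two annotations that say different things: as far as I know `_Reserved_` already includes `_In_` and additionally asserts the argument must be 0/NULL, so `_In_opt_` in front of it is redundant at best, and on the `PVOID ExtendedInformation` parameter changed the same way in the `NtChangeProcessState` hunk below it reads as "may be NULL" next to "must be NULL". `_Reserved_` alone on the genuinely reserved parameters here, in the `ZwCreateProcessStateChange` hunk and in the `NtChangeProcessState` hunk is the cleaner form. If `ExtendedInformation` is in fact accepted today (its name and the surviving `_In_opt_` suggest it may be), it should keep `_In_reads_bytes_opt_(ExtendedInformationLength)` rather than gain `_Reserved_`.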
@@ -3033,9 +3096,21 @@ ZwCreateProcessStateChange(
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ HANDLE ProcessHandle,
- _In_opt_ ULONG64 Reserved
+ _In_opt_ _Reserved_ ULONG64 Reserved
);
+
+/**
+ * Changes the suspension state of a process.
+ *
+ * @param ProcessStateChangeHandle A handle to the process state change object.
+ * @param ProcessHandle A handle to the process.
+ * @param StateChangeType The type of state change.
+ * @param ExtendedInformation Optional extended information.
+ * @param ExtendedInformationLength The length of the extended information.
+ * @param Reserved Reserved for future use.
+ * @return NTSTATUS Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -3043,9 +3118,9 @@ NtChangeProcessState(
_In_ HANDLE ProcessStateChangeHandle,
_In_ HANDLE ProcessHandle,
_In_ PROCESS_STATE_CHANGE_TYPE StateChangeType,
- _In_opt_ PVOID ExtendedInformation,
- _In_opt_ SIZE_T ExtendedInformationLength,
- _In_opt_ ULONG64 Reserved
+ _In_opt_ _Reserved_ PVOID ExtendedInformation,
+ _In_opt_ _Reserved_ SIZE_T ExtendedInformationLength,
+ _In_opt_ _Reserved_ ULONG64 Reserved
);
_IRQL_requires_max_(PASSIVE_LEVEL)
@@ -3070,6 +3145,16 @@ typedef enum _THREAD_STATE_CHANGE_TYPE
} THREAD_STATE_CHANGE_TYPE, * PTHREAD_STATE_CHANGE_TYPE;
#if (NTDDI_VERSION >= NTDDI_WIN10_CO)
+/**
+ * Creates a state change handle for changing the suspension state of a process.
+ *
+ * @param ProcessStateChangeHandle A pointer to a variable that receives the handle.
+ * @param DesiredAccess The access rights desired for the handle.
+ * @param ObjectAttributes Optional attributes for the handle.
+ * @param ProcessHandle A handle to the process.
+ * @param Reserved Reserved for future use.
+ * @return NTSTATUS Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
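Review bot: This comment documents a `ProcessStateChangeHandle`/`ProcessHandle` pair and says `suspension state of a process`, but it sits after `THREAD_STATE_CHANGE_TYPE` and the `NtCreateProcessStateChange` comment was added in an earlier hunk, so the declaration following it (outside the hunk) is most likely `NtCreateThreadStateChange`; the text looks copied from the process variant. If so, the summary and parameters should read `Creates a state change handle for changing the suspension state of a thread.` with `@param ThreadStateChangeHandle` and `@param ThreadHandle`. Please verify against the declaration that starts after this hunk.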
@@ -3224,6 +3309,11 @@ ZwResumeThread(
_Out_opt_ PULONG PreviousSuspendCount
);
+/**
+ * Retrieves the number of the current processor.
+ *
+ * @return ULONG The number of the current processor.
+ */
__kernel_entry NTSYSCALLAPI
ULONG
NTAPI
@@ -3240,6 +3330,12 @@ ZwGetCurrentProcessorNumber(
);
#if (NTDDI_VERSION >= NTDDI_WIN10)
+/**
+ * Retrieves the number of the current processor.
+ *
+ * @param ProcessorNumber An optional pointer to a PROCESSOR_NUMBER structure that receives the processor number.
+ * @return NTSTATUS Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -3256,6 +3352,13 @@ ZwGetCurrentProcessorNumberEx(
);
#endif // NTDDI_VERSION >= NTDDI_WIN10
+/**
+ * Retrieves the context of the specified thread.
+ *
+ * @param ThreadHandle A handle to the thread.
+ * @param ThreadContext A pointer to a CONTEXT structure that receives the thread context.
+ * @return NTSTATUS Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -3273,6 +3376,13 @@ ZwGetContextThread(
_Inout_ PCONTEXT ThreadContext
);
+/**
+ * Sets the context of the specified thread.
+ *
+ * @param ThreadHandle A handle to the thread.
+ * @param ThreadContext A pointer to a CONTEXT structure that specifies the thread context.
+ * @return NTSTATUS Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -3520,12 +3630,44 @@ ZwSetLdtEntries(
_In_ ULONG Entry1Hi
);
+#ifndef _KERNEL_MODE
+/**
+ * Dispatches the Asynchronous Procedure Call (APC) from the NtQueueApc* functions to the specified routine.
+ *
+ * @param ApcRoutine A pointer to the APC routine to be executed.
+ * @param Parameter Optional. A pointer to a parameter to be passed to the APC routine.
+ * @param ActxContext Optional. A handle to an activation context.
+ * @return VOID This function does not return a value.
+ */
+NTSYSAPI
+VOID
+NTAPI
+RtlDispatchAPC(
+ _In_ PAPCFUNC ApcRoutine,
+ _In_opt_ PVOID Parameter,
+ _In_opt_ HANDLE ActxContext
+);
+#endif
+
+/**
+ * A pointer to a function that serves as an APC routine.
+ *
+ * @param ApcArgument1 Optional. A pointer to the first argument to be passed to the APC routine.
+ * @param ApcArgument2 Optional. A pointer to the second argument to be passed to the APC routine.
+ * @param ApcArgument3 Optional. A pointer to the third argument to be passed to the APC routine.
+ * @return VOID This function does not return a value.
+ */
typedef VOID(NTAPI*PPS_APC_ROUTINE)(
_In_opt_ PVOID ApcArgument1,
_In_opt_ PVOID ApcArgument2,
_In_opt_ PVOID ApcArgument3
);
-
+/**
+ * Encodes an APC routine pointer for use in a WOW64 environment.
+ *
+ * @param ApcRoutine The APC routine pointer to be encoded.
+ * @return PVOID The encoded APC routine pointer.
+ */
inline
PVOID Wow64EncodeApcRoutine(_In_ PVOID ApcRoutine)
{
@@ -3535,6 +3677,12 @@ PVOID Wow64EncodeApcRoutine(_In_ PVOID ApcRoutine)
return ApcRoutine;
}
+/**
+ * Decodes an APC routine pointer that was encoded for use in a WOW64 environment.
+ *
+ * @param ApcRoutine The encoded APC routine pointer to be decoded.
+ * @return PVOID The decoded APC routine pointer.
+ */
inline
PVOID Wow64DecodeApcRoutine(_In_ PVOID ApcRoutine)
{
@@ -3545,12 +3693,24 @@ PVOID Wow64DecodeApcRoutine(_In_ PVOID ApcRoutine)
return DecodedApcRoutine;
}
+/**
+ * Queues an APC (Asynchronous Procedure Call) to a thread.
+ *
+ * @param ThreadHandle Handle to the thread to which the APC is to be queued.
+ * @param ApcRoutine A pointer to the RtlDispatchAPC function or custom APC routine to be executed.
+ * @param ApcArgument1 Optional first argument to be passed to the APC routine.
+ * @param ApcArgument2 Optional second argument to be passed to the APC routine.
+ * @param ApcArgument3 Optional third argument to be passed to the APC routine.
+ * @return NTSTATUS Successful or errant status.
+ * @remarks The APC will be executed in the context of the specified thread when the thread enters an alertable wait state or when any
+ * process calls the NtTestAlert, NtAlertThread, NtAlertResumeThread or NtAlertThreadByThreadId functions.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueueApcThread(
_In_ HANDLE ThreadHandle,
- _In_ PPS_APC_ROUTINE ApcRoutine,
+ _In_ PPS_APC_ROUTINE ApcRoutine, // RtlDispatchAPC
_In_opt_ PVOID ApcArgument1,
_In_opt_ PVOID ApcArgument2,
_In_opt_ PVOID ApcArgument3
@@ -3568,16 +3728,28 @@ ZwQueueApcThread(
_In_opt_ PVOID ApcArgument3
);
-#if (NTDDI_VERSION >= ntddi_WIN7)
#define QUEUE_USER_APC_SPECIAL_USER_APC ((HANDLE)0x1)
+/**
+ * Queues an APC (Asynchronous Procedure Call) to a thread.
+ *
+ * @param ThreadHandle Handle to the thread to which the APC is to be queued.
+ * @param ReserveHandle Optional handle to a reserve object. This can be QUEUE_USER_APC_SPECIAL_USER_APC or a handle returned by NtAllocateReserveObject.
+ * @param ApcRoutine A pointer to the RtlDispatchAPC function or custom APC routine to be executed.
+ * @param ApcArgument1 Optional first argument to be passed to the APC routine.
+ * @param ApcArgument2 Optional second argument to be passed to the APC routine.
+ * @param ApcArgument3 Optional third argument to be passed to the APC routine.
+ * @return NTSTATUS Successful or errant status.
+ * @remarks The APC will be executed in the context of the specified thread after the thread enters an alertable wait state or immediately
+ * when QUEUE_USER_APC_SPECIAL_USER_APC is used or NtTestAlert, NtAlertThread, NtAlertResumeThread or NtAlertThreadByThreadId are called.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueueApcThreadEx(
_In_ HANDLE ThreadHandle,
- _In_opt_ HANDLE ReserveHandle, // NtAllocateReserveObject // SPECIAL_USER_APC
- _In_ PPS_APC_ROUTINE ApcRoutine,
+ _In_opt_ HANDLE ReserveHandle, // NtAllocateReserveObject // QUEUE_USER_APC_SPECIAL_USER_APC
+ _In_ PPS_APC_ROUTINE ApcRoutine, // RtlDispatchAPC
_In_opt_ PVOID ApcArgument1,
_In_opt_ PVOID ApcArgument2,
_In_opt_ PVOID ApcArgument3
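Review bot: The removed guard `#if (NTDDI_VERSION >= ntddi_WIN7)` used a misspelled macro, and an undefined identifier evaluates to 0 inside `#if`, so `NtQueueApcThreadEx`/`ZwQueueApcThreadEx` and `QUEUE_USER_APC_SPECIAL_USER_APC` were previously compiled out of every build; the commit fixes that by dropping the guard altogether (its matching `-#endif` is in the next hunk) rather than correcting it. Every other versioned declaration in this file keeps an `NTDDI_VERSION` condition, so `#if (NTDDI_VERSION >= NTDDI_WIN7)` around this block would be the consistent fix and keeps the header honest about when the call exists. `NtQueueApcThreadEx`'s parameter list continues past the end of the hunk.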
@@ -3595,9 +3767,19 @@ ZwQueueApcThreadEx(
_In_opt_ PVOID ApcArgument2,
_In_opt_ PVOID ApcArgument3
);
-#endif
-#if (NTDDI_VERSION >= NTDDI_WIN10_CO)
+
+#if (NTDDI_VERSION >= NTDDI_WIN10_MN)
+/**
+ * The APC_CALLBACK_DATA_CONTEXT structure is used to pass information to the APC callback routine.
+ */
+typedef struct _APC_CALLBACK_DATA_CONTEXT
+{
+ ULONG_PTR Parameter;
+ PCONTEXT ContextRecord;
+ ULONG_PTR Reserved0;
+ ULONG_PTR Reserved1;
+} APC_CALLBACK_DATA_CONTEXT, * PAPC_CALLBACK_DATA_CONTEXT;
#if defined(_KERNEL_MODE) && !defined(_WINDOWS_)
typedef enum _QUEUE_USER_APC_FLAGS
@@ -3613,6 +3795,21 @@ typedef enum _QUEUE_USER_APC_FLAGS
} QUEUE_USER_APC_FLAGS;
#endif // !_KERNEL_MODE
+/**
+ * Queues an Asynchronous Procedure Call (APC) to a specified thread.
+ *
+ * @param ThreadHandle A handle to the thread to which the APC is to be queued.
+ * @param ReserveHandle An optional handle to a reserve object. This can be obtained using NtAllocateReserveObject.
+ * @param ApcFlags Flags that control the behavior of the APC. These flags are defined in QUEUE_USER_APC_FLAGS.
+ * @param ApcRoutine A pointer to the RtlDispatchAPC function or custom APC routine to be executed.
+ * @param ApcArgument1 An optional argument to be passed to the APC routine.
+ * @param ApcArgument2 An optional argument to be passed to the APC routine.
+ * @param ApcArgument3 An optional argument to be passed to the APC routine.
+ * @return NTSTATUS Successful or errant status.
+ * @remarks The APC will be executed in the context of the specified thread when the thread enters an alertable wait state or immediately
+ * when QUEUE_USER_APC_SPECIAL_USER_APC is used or any process calls the NtTestAlert, NtAlertThread,
+ * NtAlertResumeThread or NtAlertThreadByThreadId functions.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
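Review bot: The `@remarks` says the APC runs immediately `when QUEUE_USER_APC_SPECIAL_USER_APC is used`, but that value is the `ReserveHandle` sentinel documented for `NtQueueApcThreadEx`; for the `Ex2` variant described here the special-APC request is carried in `ApcFlags`, which the `@param ApcFlags` line itself says are `QUEUE_USER_APC_FLAGS` values. The remark should name the flag from that enumeration instead (the enumeration body is outside this hunk, so I cannot quote the exact enumerator), and `@param ReserveHandle` could state whether the sentinel handle is still honoured on `Ex2`. The declaration starts after the hunk.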
@@ -3620,7 +3817,7 @@ NtQueueApcThreadEx2(
_In_ HANDLE ThreadHandle,
_In_opt_ HANDLE ReserveHandle, // NtAllocateReserveObject
_In_ ULONG ApcFlags, // QUEUE_USER_APC_FLAGS
- _In_ PPS_APC_ROUTINE ApcRoutine,
+ _In_ PPS_APC_ROUTINE ApcRoutine, // RtlDispatchAPC
_In_opt_ PVOID ApcArgument1,
_In_opt_ PVOID ApcArgument2,
_In_opt_ PVOID ApcArgument3
@@ -3639,10 +3836,16 @@ ZwQueueApcThreadEx2(
_In_opt_ PVOID ApcArgument2,
_In_opt_ PVOID ApcArgument3
);
-#endif // (NTDDI_VERSION >= NTDDI_WIN10_CO)
+#endif // (NTDDI_VERSION >= NTDDI_WIN10_MN)
#if (NTDDI_VERSION >= NTDDI_WIN8)
// rev
+/**
+ * Sends an alert to the specified thread.
+ *
+ * @param ThreadId The thread ID of the thread to be alerted.
+ * @return NTSTATUS Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -3660,11 +3863,18 @@ ZwAlertThreadByThreadId(
);
// rev
+/**
+ * Waits for an alert to be delivered to the specified thread.
+ *
+ * @param Address The address to wait for an alert on.
+ * @param Timeout The timeout value for waiting, or NULL for no timeout.
+ * @return NTSTATUS Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtWaitForAlertByThreadId(
- _In_ PVOID Address,
+ _In_opt_ PVOID Address,
_In_opt_ PLARGE_INTEGER Timeout
);
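Review bot: The new `@param Address` line does not reflect the annotation change on the same declaration from `_In_` to `_In_opt_`: the comment should say that Address may be NULL, e.g. `@param Address Optional. The address to wait on, or NULL.`. The summary says "the specified thread", but the prototype carries no thread identifier, so presumably it is the calling thread that waits; `Waits until the calling thread is alerted (see NtAlertThreadByThreadId).` would be more accurate. `@param Timeout ... NULL for no timeout` is ambiguous between "do not wait" and "wait indefinitely"; the usual NT meaning of a NULL timeout is an infinite wait, so state that if it is what is intended. The same `_In_opt_` change is made to ZwWaitForAlertByThreadId in the next hunk, which has no comment at all.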
@@ -3674,7 +3884,7 @@ NTSYSAPI
NTSTATUS
NTAPI
ZwWaitForAlertByThreadId(
- _In_ PVOID Address,
+ _In_opt_ PVOID Address,
_In_opt_ PLARGE_INTEGER Timeout
);
#endif
@@ -4299,6 +4509,22 @@ typedef struct _PS_CREATE_INFO
// end_private
+/**
+ * Creates a new process and primary thread.
+ *
+ * @param ProcessHandle A pointer to a handle that receives the process object handle.
+ * @param ThreadHandle A pointer to a handle that receives the thread object handle.
+ * @param ProcessDesiredAccess The access rights desired for the process object.
+ * @param ThreadDesiredAccess The access rights desired for the thread object.
+ * @param ProcessObjectAttributes Optional. A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the new process.
+ * @param ThreadObjectAttributes Optional. A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the new thread.
+ * @param ProcessFlags Flags that control the creation of the process. These flags are defined as PROCESS_CREATE_FLAGS_*.
+ * @param ThreadFlags Flags that control the creation of the thread. These flags are defined as THREAD_CREATE_FLAGS_*.
+ * @param ProcessParameters Optional. A pointer to a RTL_USER_PROCESS_PARAMETERS structure that specifies the parameters for the new process.
+ * @param CreateInfo A pointer to a PS_CREATE_INFO structure that specifies additional information for the process creation.
+ * @param AttributeList Optional. A pointer to a list of attributes for the process and thread.
+ * @return NTSTATUS Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -4344,10 +4570,32 @@ ZwCreateUserProcess(
#define THREAD_CREATE_FLAGS_BYPASS_PROCESS_FREEZE 0x00000040 // NtCreateThreadEx only, since 19H1
// end_rev
+/**
+ * A pointer to a user-defined function that serves as the starting routine for a new thread.
+ *
+ * @param ThreadParameter A pointer to a variable to be passed to the thread.
+ * @return NTSTATUS Successful or errant status.
+ */
typedef NTSTATUS(NTAPI* PUSER_THREAD_START_ROUTINE)(
_In_ PVOID ThreadParameter
);
+/**
+ * Creates a new thread in the specified process.
+ *
+ * @param ThreadHandle A pointer to a handle that receives the thread object handle.
+ * @param DesiredAccess The access rights desired for the thread object.
+ * @param ObjectAttributes Optional. A pointer to an OBJECT_ATTRIBUTES structure that specifies the attributes of the new thread.
+ * @param ProcessHandle A handle to the process in which the thread is to be created.
+ * @param StartRoutine A pointer to the application-defined function to be executed by the thread.
+ * @param Argument Optional. A pointer to a variable to be passed to the thread.
+ * @param CreateFlags Flags that control the creation of the thread. These flags are defined as THREAD_CREATE_FLAGS_*.
+ * @param ZeroBits The number of zero bits in the starting address of the thread's stack.
+ * @param StackSize The initial size of the thread's stack, in bytes.
+ * @param MaximumStackSize The maximum size of the thread's stack, in bytes.
+ * @param AttributeList Optional. A pointer to a list of attributes for the thread.
+ * @return NTSTATUS Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -4892,6 +5140,14 @@ typedef enum _MEMORY_RESERVE_TYPE
MemoryReserveTypeMax
} MEMORY_RESERVE_TYPE;
+/**
+ * Allocates a memory reserve object.
+ *
+ * @param MemoryReserveHandle Pointer to a variable that receives the memory reserve object handle.
+ * @param ObjectAttributes Pointer to an object attributes structure.
+ * @param Type The type of memory reserve.
+ * @return NTSTATUS Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
@@ -4911,27 +5167,166 @@ ZwAllocateReserveObject(
_In_ MEMORY_RESERVE_TYPE Type
);
+//
// Process snapshotting
+//
#ifndef _KERNEL_MODE
+
+// Capture/creation flags.
+typedef enum _PSSNT_CAPTURE_FLAGS
+{
+ PSSNT_CAPTURE_NONE = 0x00000000,
+ PSSNT_CAPTURE_VA_CLONE = 0x00000001,
+ PSSNT_CAPTURE_RESERVED_00000002 = 0x00000002,
+ PSSNT_CAPTURE_HANDLES = 0x00000004,
+ PSSNT_CAPTURE_HANDLE_NAME_INFORMATION = 0x00000008,
+ PSSNT_CAPTURE_HANDLE_BASIC_INFORMATION = 0x00000010,
+ PSSNT_CAPTURE_HANDLE_TYPE_SPECIFIC_INFORMATION = 0x00000020,
+ PSSNT_CAPTURE_HANDLE_TRACE = 0x00000040,
+ PSSNT_CAPTURE_THREADS = 0x00000080,
+ PSSNT_CAPTURE_THREAD_CONTEXT = 0x00000100,
+ PSSNT_CAPTURE_THREAD_CONTEXT_EXTENDED = 0x00000200,
+ PSSNT_CAPTURE_RESERVED_00000400 = 0x00000400,
+ PSSNT_CAPTURE_VA_SPACE = 0x00000800,
+ PSSNT_CAPTURE_VA_SPACE_SECTION_INFORMATION = 0x00001000,
+ PSSNT_CAPTURE_IPT_TRACE = 0x00002000,
+ PSSNT_CAPTURE_RESERVED_00004000 = 0x00004000,
+
+ PSSNT_CREATE_BREAKAWAY_OPTIONAL = 0x04000000,
+ PSSNT_CREATE_BREAKAWAY = 0x08000000,
+ PSSNT_CREATE_FORCE_BREAKAWAY = 0x10000000,
+ PSSNT_CREATE_USE_VM_ALLOCATIONS = 0x20000000,
+ PSSNT_CREATE_MEASURE_PERFORMANCE = 0x40000000,
+ PSSNT_CREATE_RELEASE_SECTION = 0x80000000
+} PSSNT_CAPTURE_FLAGS;
+DEFINE_ENUM_FLAG_OPERATORS(PSSNT_CAPTURE_FLAGS);
+
+typedef enum _PSSNT_DUPLICATE_FLAGS
+{
+ PSSNT_DUPLICATE_NONE = 0x00,
+ PSSNT_DUPLICATE_CLOSE_SOURCE = 0x01
+} PSSNT_DUPLICATE_FLAGS;
+DEFINE_ENUM_FLAG_OPERATORS(PSSNT_DUPLICATE_FLAGS);
+
+typedef enum _PSSNT_QUERY_INFORMATION_CLASS
+{
+ PSSNT_QUERY_PROCESS_INFORMATION = 0, // PSS_PROCESS_INFORMATION
+ PSSNT_QUERY_VA_CLONE_INFORMATION = 1, // PSS_VA_CLONE_INFORMATION
+ PSSNT_QUERY_AUXILIARY_PAGES_INFORMATION = 2, // PSS_AUXILIARY_PAGES_INFORMATION
+ PSSNT_QUERY_VA_SPACE_INFORMATION = 3, // PSS_VA_SPACE_INFORMATION
+ PSSNT_QUERY_HANDLE_INFORMATION = 4, // PSS_HANDLE_INFORMATION
+ PSSNT_QUERY_THREAD_INFORMATION = 5, // PSS_THREAD_INFORMATION
+ PSSNT_QUERY_HANDLE_TRACE_INFORMATION = 6, // PSS_HANDLE_TRACE_INFORMATION
+ PSSNT_QUERY_PERFORMANCE_COUNTERS = 7 // PSS_PERFORMANCE_COUNTERS
+} PSSNT_QUERY_INFORMATION_CLASS;
+
+#define PSSNT_SIGNATURE_PSSD 'PSSD' // 0x50535344
+
#if (NTDDI_VERSION >= NTDDI_WINBLUE)
// rev
-NTSYSCALLAPI
+/**
+ * Captures a snapshot of the specified process.
+ *
+ * @param SnapshotHandle Pointer to a variable that receives the snapshot handle.
+ * @param ProcessHandle Handle to the process.
+ * @param CaptureFlags Flags indicating what to capture.
+ * @param ThreadContextFlags Optional flags for capturing thread context.
+ * @return NTSTATUS Successful or errant status.
+ */
+NTSYSAPI
NTSTATUS
NTAPI
PssNtCaptureSnapshot(
_Out_ PHANDLE SnapshotHandle,
+ _In_ HANDLE ProcessHandle, _In_ PSSNT_CAPTURE_FLAGS CaptureFlags,
+ _In_opt_ ULONG ThreadContextFlags
+);
+
+// rev
+/**
+ * Duplicates a process snapshot from one process to another.
+ *
+ * @param SourceProcessHandle Handle to the source process.
+ * @param SnapshotHandle Handle to the snapshot to duplicate.
+ * @param TargetProcessHandle Handle to the target process.
+ * @param TargetSnapshotHandle Pointer to a variable that receives the duplicated snapshot handle.
+ * @param Flags Optional flags for duplication.
+ * @return NTSTATUS Successful or errant status.
+ */
+NTSYSAPI
+NTSTATUS
+NTAPI
+PssNtDuplicateSnapshot(
+ _In_ HANDLE SourceProcessHandle,
+ _In_ HANDLE SnapshotHandle,
+ _In_ HANDLE TargetProcessHandle,
+ _Out_ PHANDLE TargetSnapshotHandle,
+ _In_opt_ PSSNT_DUPLICATE_FLAGS Flags
+);
+
+// rev
+/**
+ * Frees a remote process snapshot.
+ *
+ * @param ProcessHandle A handle to the process that contains the snapshot. The handle must have PROCESS_VM_READ, PROCESS_VM_OPERATION, and PROCESS_DUP_HANDLE rights.
+ * @param SnapshotHandle Handle to the snapshot to free.
+ * @return NTSTATUS Successful or errant status.
+ */
+NTSYSAPI
+NTSTATUS
+NTAPI
+PssNtFreeSnapshot(
+ _In_ HANDLE SnapshotHandle
+);
+
+// rev
+/**
+ * Frees a snapshot.
+ *
+ * @param SnapshotHandle Handle to the snapshot to free.
+ * @return NTSTATUS Successful or errant status.
+ */
+NTSYSAPI
+NTSTATUS
+NTAPI
+PssNtFreeRemoteSnapshot(
_In_ HANDLE ProcessHandle,
- _In_ ULONG CaptureFlags,
- _In_ ULONG ThreadContextFlags
+ _In_ HANDLE SnapshotHandle
+);
+
+// rev
+/**
+ * Queries information from a the specified snapshot.
+ *
+ * @param SnapshotHandle Handle to the snapshot.
+ * @param InformationClass The information class to query.
+ * @param Buffer Pointer to a buffer that receives the queried information.
+ * @param BufferLength Length of the buffer.
+ * @return NTSTATUS Successful or errant status.
+ */
+NTSYSAPI
+NTSTATUS
+NTAPI
+PssNtQuerySnapshot(
+ _In_ HANDLE SnapshotHandle,
+ _In_ PSSNT_QUERY_INFORMATION_CLASS InformationClass,
+ _Out_writes_bytes_(BufferLength) PVOID Buffer,
+ _In_ ULONG BufferLength
);
#endif
#endif // !_KERNEL_MODE
// rev
+/**
+ * Flag indicating the type of bulk information to query.
+ */
#define MEMORY_BULK_INFORMATION_FLAG_BASIC 0x00000001
// rev
+/**
+ * The NTPSS_MEMORY_BULK_INFORMATION structure is used to query basic memory information in bulk for a process.
+ */
typedef struct _NTPSS_MEMORY_BULK_INFORMATION
{
ULONG QueryFlags;
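Review bot: The doc comments on PssNtFreeSnapshot and PssNtFreeRemoteSnapshot are swapped: the block above `PssNtFreeSnapshot(_In_ HANDLE SnapshotHandle)` is titled "Frees a remote process snapshot" and documents a ProcessHandle the function does not take, while `PssNtFreeRemoteSnapshot(ProcessHandle, SnapshotHandle)` is titled "Frees a snapshot" and lists only SnapshotHandle; exchanging the two comment blocks (keeping the PROCESS_VM_READ/PROCESS_VM_OPERATION/PROCESS_DUP_HANDLE remark with the remote variant) fixes both. In PssNtCaptureSnapshot, `_In_ HANDLE ProcessHandle, _In_ PSSNT_CAPTURE_FLAGS CaptureFlags,` puts two parameters on one line where every other prototype uses one per line; if that is not a rendering artifact, split it. The PssNtQuerySnapshot summary reads "from a the specified snapshot"; drop the "a". `_In_opt_` on the by-value parameters ThreadContextFlags and Flags has no SAL meaning (it expresses that a pointer may be NULL); `_In_` is the usual annotation for flag words. Finally, PSSNT_CREATE_RELEASE_SECTION = 0x80000000 does not fit in an int, which ISO C does not permit for an enumerator although MSVC accepts it and the SDK's PSS_CAPTURE_FLAGS does the same, so it only matters if this header is meant to build under strict-conformance settings.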
@@ -4942,6 +5337,16 @@ typedef struct _NTPSS_MEMORY_BULK_INFORMATION
#if (NTDDI_VERSION >= NTDDI_WIN10_VB)
// rev
+/**
+ * Captures virtual address space bulk information for a process.
+ *
+ * @param ProcessHandle Handle to the process.
+ * @param BaseAddress Optional base address to start the capture.
+ * @param BulkInformation Pointer to the memory bulk information structure.
+ * @param BulkInformationLength Length of the memory bulk information structure.
+ * @param ReturnLength Optional pointer to a variable that receives the length of the captured information.
+ * @return NTSTATUS Successful or errant status.
+ */
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
diff --git a/Veil/Veil.System.RuntimeLibrary.h b/Veil/Veil.System.RuntimeLibrary.h
index 120bd1b..d08a94b 100644
--- a/Veil/Veil.System.RuntimeLibrary.h
+++ b/Veil/Veil.System.RuntimeLibrary.h
@@ -4425,7 +4425,7 @@ typedef struct _RTL_USER_PROCESS_PARAMETERS
UNICODE_STRING RedirectionDllName; // REDSTONE4
UNICODE_STRING HeapPartitionName; // 19H1
- ULONG_PTR DefaultThreadpoolCpuSetMasks;
+ PULONGLONG DefaultThreadpoolCpuSetMasks;
ULONG DefaultThreadpoolCpuSetMaskCount;
ULONG DefaultThreadpoolThreadMaximum;
ULONG HeapMemoryTypeMask; // WIN11
@@ -5432,7 +5432,7 @@ RtlQueryInformationActiveActivationContext(
//
extern IMAGE_DOS_HEADER __ImageBase;
-#define RtlCurrentImageBase() ((PVOID)&__ImageBase)
+#define RtlCurrentImageBase() ((PIMAGE_DOS_HEADER)&__ImageBase)
NTSYSAPI
PIMAGE_NT_HEADERS
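Review bot: Changing RtlCurrentImageBase() from `(PVOID)&__ImageBase` to `(PIMAGE_DOS_HEADER)&__ImageBase` is not fully source-compatible: callers that assigned the result to a pointer type other than PVOID or PIMAGE_DOS_HEADER (an HMODULE, say) previously compiled silently in C and now get an incompatible-pointer-type warning, or an error in C++. Since the macro is a public helper, a one-line comment next to the definition, e.g. `// Address of the current image's IMAGE_DOS_HEADER; cast to PVOID/HMODULE where a module handle is expected.`, would make the new contract explicit.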
@@ -6392,7 +6392,6 @@ RtlGetFullPathName_Ustr(
_Out_ RTL_PATH_TYPE* InputPathType
);
-#if (NTDDI_VERSION >= NTDDI_WS03)
NTSYSAPI
NTSTATUS
NTAPI
@@ -6406,7 +6405,6 @@ RtlGetFullPathName_UstrEx(
_Out_ RTL_PATH_TYPE* InputPathType,
_Out_opt_ SIZE_T* BytesRequired
);
-#endif
NTSYSAPI
ULONG
@@ -6468,7 +6466,6 @@ RtlDosPathNameToNtPathName_U(
_Out_opt_ PRTL_RELATIVE_NAME_U RelativeName
);
-#if (NTDDI_VERSION >= NTDDI_WS03)
NTSYSAPI
NTSTATUS
NTAPI
@@ -6478,7 +6475,6 @@ RtlDosPathNameToNtPathName_U_WithStatus(
_Out_opt_ PWSTR* FilePart,
_Out_opt_ PRTL_RELATIVE_NAME_U RelativeName
);
-#endif
#if (NTDDI_VERSION >= NTDDI_WIN10_RS3)
// rev
@@ -6493,7 +6489,6 @@ RtlDosLongPathNameToNtPathName_U_WithStatus(
);
#endif
-#if (NTDDI_VERSION >= NTDDI_WS03)
NTSYSAPI
BOOLEAN
NTAPI
@@ -6503,9 +6498,7 @@ RtlDosPathNameToRelativeNtPathName_U(
_Out_opt_ PWSTR* FilePart,
_Out_opt_ PRTL_RELATIVE_NAME_U RelativeName
);
-#endif
-#if (NTDDI_VERSION >= NTDDI_WS03)
NTSYSAPI
NTSTATUS
NTAPI
@@ -6515,7 +6508,6 @@ RtlDosPathNameToRelativeNtPathName_U_WithStatus(
_Out_opt_ PWSTR* FilePart,
_Out_opt_ PRTL_RELATIVE_NAME_U RelativeName
);
-#endif
#if (NTDDI_VERSION >= NTDDI_WIN10_RS3)
// rev
@@ -6530,14 +6522,12 @@ RtlDosLongPathNameToRelativeNtPathName_U_WithStatus(
);
#endif
-#if (NTDDI_VERSION >= NTDDI_WS03)
NTSYSAPI
VOID
NTAPI
RtlReleaseRelativeName(
_Inout_ PRTL_RELATIVE_NAME_U RelativeName
);
-#endif
NTSYSAPI
ULONG
@@ -8508,6 +8498,61 @@ RtlLargeIntegerToChar(
_Out_ PSTR String
);
+
+#define RtlLargeIntegerGreaterThan(X,Y) ( \
+ (((X).HighPart == (Y).HighPart) && ((X).LowPart > (Y).LowPart)) || \
+ ((X).HighPart > (Y).HighPart) \
+)
+
+#define RtlLargeIntegerGreaterThanOrEqualTo(X,Y) ( \
+ (((X).HighPart == (Y).HighPart) && ((X).LowPart >= (Y).LowPart)) || \
+ ((X).HighPart > (Y).HighPart) \
+)
+
+#define RtlLargeIntegerEqualTo(X,Y) ( \
+ !(((X).LowPart ^ (Y).LowPart) | ((X).HighPart ^ (Y).HighPart)) \
+)
+
+#define RtlLargeIntegerNotEqualTo(X,Y) ( \
+ (((X).LowPart ^ (Y).LowPart) | ((X).HighPart ^ (Y).HighPart)) \
+)
+
+#define RtlLargeIntegerLessThan(X,Y) ( \
+ (((X).HighPart == (Y).HighPart) && ((X).LowPart < (Y).LowPart)) || \
+ ((X).HighPart < (Y).HighPart) \
+)
+
+#define RtlLargeIntegerLessThanOrEqualTo(X,Y) ( \
+ (((X).HighPart == (Y).HighPart) && ((X).LowPart <= (Y).LowPart)) || \
+ ((X).HighPart < (Y).HighPart) \
+)
+
+#define RtlLargeIntegerGreaterThanZero(X) ( \
+ (((X).HighPart == 0) && ((X).LowPart > 0)) || \
+ ((X).HighPart > 0 ) \
+)
+
+#define RtlLargeIntegerGreaterOrEqualToZero(X) ( \
+ (X).HighPart >= 0 \
+)
+
+#define RtlLargeIntegerEqualToZero(X) ( \
+ !((X).LowPart | (X).HighPart) \
+)
+
+#define RtlLargeIntegerNotEqualToZero(X) ( \
+ ((X).LowPart | (X).HighPart) \
+)
+
+#define RtlLargeIntegerLessThanZero(X) ( \
+ ((X).HighPart < 0) \
+)
+
+#define RtlLargeIntegerLessOrEqualToZero(X) ( \
+ ((X).HighPart < 0) || !((X).LowPart | (X).HighPart) \
+)
+
+
_IRQL_requires_max_(PASSIVE_LEVEL)
_At_(String->MaximumLength, _Const_)
NTSYSAPI
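Review bot: The twelve RtlLargeInteger* macros evaluate their arguments more than once (each `(X)` and `(Y)` appears two to four times in the expansion), so a call such as `RtlLargeIntegerEqualTo(*p++, y)` is a double-evaluation bug, and nothing in the block says so. A short header above the group, e.g. `// LARGE_INTEGER comparison helpers. Arguments are evaluated more than once; pass side-effect-free lvalues. New code can compare QuadPart directly.`, would cover all of them. The comparisons assume the LARGE_INTEGER layout (signed HighPart, unsigned LowPart); the zero-relative macros such as RtlLargeIntegerGreaterOrEqualToZero degenerate to constants if applied to ULARGE_INTEGER, which is harmless but worth stating in that header. Minor style: `((X).HighPart > 0 )` in RtlLargeIntegerGreaterThanZero has a stray space before the closing parenthesis, and the two blank lines at the end of the hunk before `_IRQL_requires_max_` exceed the single blank line used elsewhere.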
@@ -12371,6 +12416,7 @@ typedef enum _RTL_BSD_ITEM_TYPE
RtlBsdItemChecksum, // q: s: UCHAR
RtlBsdPowerTransitionExtension,
RtlBsdItemFeatureConfigurationState, // q; s: ULONG
+ RtlBsdItemRevocationListInfo, // 24H2
RtlBsdItemMax
} RTL_BSD_ITEM_TYPE;
diff --git a/Veil/Veil.System.Security.h b/Veil/Veil.System.Security.h
index 1d096ca..919a671 100644
--- a/Veil/Veil.System.Security.h
+++ b/Veil/Veil.System.Security.h
@@ -89,7 +89,11 @@ VEIL_BEGIN()
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_INVALID 0x00
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_INT64 0x01
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_UINT64 0x02
+// Case insensitive attribute value string by default.
+// Unless the flag TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE
+// is set indicating otherwise.
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_STRING 0x03
+// Fully-qualified binary name.
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_FQBN 0x04
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_SID 0x05
#define TOKEN_SECURITY_ATTRIBUTE_TYPE_BOOLEAN 0x06
@@ -97,13 +101,18 @@ VEIL_BEGIN()
// Flags
+// Fully-qualified binary name.
#define TOKEN_SECURITY_ATTRIBUTE_NON_INHERITABLE 0x0001
+// Attribute value is compared in a case sensitive way. It is valid with string value
+// or composite type containing string value. For other types of value, this flag
+// will be ignored. Currently, it is valid with the two types:
+// TOKEN_SECURITY_ATTRIBUTE_TYPE_STRING and TOKEN_SECURITY_ATTRIBUTE_TYPE_FQBN.
#define TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE 0x0002
-#define TOKEN_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY 0x0004
-#define TOKEN_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT 0x0008
-#define TOKEN_SECURITY_ATTRIBUTE_DISABLED 0x0010
-#define TOKEN_SECURITY_ATTRIBUTE_MANDATORY 0x0020
-#define TOKEN_SECURITY_ATTRIBUTE_COMPARE_IGNORE 0x0040
+#define TOKEN_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY 0x0004 // Attribute is considered only for Deny Aces.
+#define TOKEN_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT 0x0008 // Attribute is disabled by default.
+#define TOKEN_SECURITY_ATTRIBUTE_DISABLED 0x0010 // Attribute is disabled.
+#define TOKEN_SECURITY_ATTRIBUTE_MANDATORY 0x0020 // Attribute is mandatory.
+#define TOKEN_SECURITY_ATTRIBUTE_COMPARE_IGNORE 0x0040 // Attribute is ignored.
#define TOKEN_SECURITY_ATTRIBUTE_VALID_FLAGS ( \
TOKEN_SECURITY_ATTRIBUTE_NON_INHERITABLE | \
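Review bot: The comment `// Fully-qualified binary name.` added above TOKEN_SECURITY_ATTRIBUTE_NON_INHERITABLE describes the FQBN value type (already commented in the previous hunk), not this flag; it reads like a copy-paste slip. Replace it with the flag's meaning, e.g. `// Attribute must not be inherited across process spawns.`, which is how the SDK documents the corresponding CLAIM_SECURITY_ATTRIBUTE_NON_INHERITABLE bit. The hunk also mixes two comment placements, block comments above CASE_SENSITIVE and trailing comments on USE_FOR_DENY_ONLY through COMPARE_IGNORE; one style for the group reads better. The TOKEN_SECURITY_ATTRIBUTE_VALID_FLAGS definition that starts at the bottom continues outside the hunk.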
@@ -113,22 +122,24 @@ VEIL_BEGIN()
TOKEN_SECURITY_ATTRIBUTE_DISABLED | \
TOKEN_SECURITY_ATTRIBUTE_MANDATORY)
+// Reserve upper 16 bits for custom flags. These should be preserved but not
+// validated as they do not affect security in any way.
#define TOKEN_SECURITY_ATTRIBUTE_CUSTOM_FLAGS 0xffff0000
// end_rev
-// private
+// private // CLAIM_SECURITY_ATTRIBUTE_FQBN_VALUE
typedef struct _TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE
{
ULONG64 Version;
UNICODE_STRING Name;
} TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE, * PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE;
-// private
+// private // CLAIM_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE
typedef struct _TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE
{
- PVOID pValue;
- ULONG ValueLength;
+ PVOID Value; // Pointer is BYTE aligned.
+ ULONG ValueLength; // In bytes
} TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE, * PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE;
// private
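Review bot: Renaming the TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE member from pValue to Value is a source-breaking change for any consumer that already accesses `.pValue`, and the rest of this hunk is comment-only, so the rename is easy to miss; it deserves a mention in the commit message or a short transition note in the header. The new `// private // CLAIM_SECURITY_ATTRIBUTE_FQBN_VALUE` style cross-references are helpful; the octet-string struct could say which SDK member names it follows after the rename, e.g. `// private // CLAIM_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE (member names differ)`, if they do.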
@@ -149,6 +160,24 @@ typedef struct _TOKEN_SECURITY_ATTRIBUTE_V1
} Values;
} TOKEN_SECURITY_ATTRIBUTE_V1, * PTOKEN_SECURITY_ATTRIBUTE_V1;
+// private
+typedef struct _TOKEN_SECURITY_ATTRIBUTE_RELATIVE_V1
+{
+ UNICODE_STRING Name;
+ USHORT ValueType;
+ USHORT Reserved;
+ ULONG Flags;
+ ULONG ValueCount;
+ union
+ {
+ ULONG pInt64[ANYSIZE_ARRAY];
+ ULONG pUint64[ANYSIZE_ARRAY];
+ ULONG ppString[ANYSIZE_ARRAY];
+ ULONG pFqbn[ANYSIZE_ARRAY];
+ ULONG pOctetString[ANYSIZE_ARRAY];
+ } Values;
+} TOKEN_SECURITY_ATTRIBUTE_RELATIVE_V1, * PTOKEN_SECURITY_ATTRIBUTE_RELATIVE_V1;
+
// rev
#define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1 1
// rev
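Review bot: TOKEN_SECURITY_ATTRIBUTE_RELATIVE_V1 declares the Values union members as ULONG arrays, but nothing in the new block says what those ULONGs hold; given the RELATIVE suffix they are presumably byte offsets from the start of the structure, mirroring the SDK's CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1, but that should be confirmed and written down, e.g. above the union: `// Offsets, in bytes from the start of this structure, to ValueCount values of the type given by ValueType.`. The p/pp prefixes inherited from the pointer-based V1 layout are misleading on offsets, so if the names are not fixed by an external layout a comment is the minimum. A reader also cannot tell from this hunk how Name, a UNICODE_STRING with an embedded Buffer pointer, is represented in a relative layout; state whether Buffer is an offset too or the field is only valid in-process.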
diff --git a/Veil/Veil.System.SxS.h b/Veil/Veil.System.SxS.h
index b77a1f0..19ab28a 100644
--- a/Veil/Veil.System.SxS.h
+++ b/Veil/Veil.System.SxS.h
@@ -454,7 +454,7 @@ typedef struct _COMPATIBILITY_CONTEXT_ELEMENT_LEGACY
// ACTIVATION_CONTEXT_COMPATIBILITY_INFORMATION from winnt.h before 19H1
typedef struct _ACTIVATION_CONTEXT_COMPATIBILITY_INFORMATION_LEGACY
{
- DWORD ElementCount;
+ ULONG ElementCount;
COMPATIBILITY_CONTEXT_ELEMENT_LEGACY Elements[ANYSIZE_ARRAY];
} ACTIVATION_CONTEXT_COMPATIBILITY_INFORMATION_LEGACY, * PACTIVATION_CONTEXT_COMPATIBILITY_INFORMATION_LEGACY;
diff --git a/Veil/Veil.System.Win32.h b/Veil/Veil.System.Win32.h
index 6b60f44..1a68453 100644
--- a/Veil/Veil.System.Win32.h
+++ b/Veil/Veil.System.Win32.h
@@ -583,6 +583,150 @@ typedef struct _GDI_SHARED_MEMORY
} GDI_SHARED_MEMORY, * PGDI_SHARED_MEMORY;
+typedef enum _WINDOWINFOCLASS
+{
+ WindowProcess = 0, // q: ULONG (Process ID)
+ WindowRealProcess = 1, // q: ULONG (Process ID)
+ WindowThread = 2, // q: ULONG (Thread ID)
+ WindowActiveWindow = 3, // q: HWND
+ WindowFocusWindow = 4, // q: HWND
+ WindowIsHung = 5, // q: BOOLEAN
+ WindowClientBase = 6, // q: PVOID
+ WindowIsForegroundThread = 7, // q: BOOLEAN
+ WindowDefaultImeWindow = 8, // q: HWND
+ WindowDefaultInputContext = 9, // q: HIMC
+} WINDOWINFOCLASS, * PWINDOWINFOCLASS;
+
+NTSYSCALLAPI
+ULONG_PTR
+NTAPI
+NtUserQueryWindow(
+ _In_ HWND WindowHandle,
+ _In_ WINDOWINFOCLASS WindowInfo
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtUserTestForInteractiveUser(
+ _In_ PLUID AuthenticationId
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtUserCheckAccessForIntegrityLevel(
+ _In_ ULONG ProcessIdFirst,
+ _In_ ULONG ProcessIdSecond,
+ _Out_ PBOOLEAN GrantedAccess
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtUserCheckProcessForClipboardAccess(
+ _In_ ULONG ProcessId,
+ _Out_ PULONG GrantedAccess
+);
+
+NTSYSCALLAPI
+ULONG
+NTAPI
+NtUserInternalGetWindowText(
+ _In_ HWND WindowHandle,
+ _Out_writes_to_(cchMaxCount, return +1) LPWSTR pString,
+ _In_ ULONG cchMaxCount
+);
+
+typedef enum _CONSOLECONTROL
+{
+ ConsoleSetVDMCursorBounds = 0, // RECT
+ ConsoleNotifyConsoleApplication = 1, // CONSOLE_PROCESS_INFO
+ ConsoleFullscreenSwitch = 2,
+ ConsoleSetCaretInfo = 3, // CONSOLE_CARET_INFO
+ ConsoleSetReserveKeys = 4,
+ ConsoleSetForeground = 5, // CONSOLESETFOREGROUND
+ ConsoleSetWindowOwner = 6, // CONSOLEWINDOWOWNER
+ ConsoleEndTask = 7, // CONSOLEENDTASK
+} CONSOLECONTROL;
+
+typedef struct _CONSOLE_PROCESS_INFO
+{
+ ULONG ProcessID;
+ ULONG Flags;
+} CONSOLE_PROCESS_INFO, * PCONSOLE_PROCESS_INFO;
+
+typedef struct _CONSOLE_CARET_INFO
+{
+ HWND WindowHandle;
+ RECT Rect;
+} CONSOLE_CARET_INFO, * PCONSOLE_CARET_INFO;
+
+typedef struct _CONSOLESETFOREGROUND
+{
+ HANDLE ProcessHandle;
+ BOOL Foreground;
+} CONSOLESETFOREGROUND, * PCONSOLESETFOREGROUND;
+
+typedef struct _CONSOLEWINDOWOWNER
+{
+ HWND WindowHandle;
+ ULONG ProcessId;
+ ULONG ThreadId;
+} CONSOLEWINDOWOWNER, * PCONSOLEWINDOWOWNER;
+
+typedef struct _CONSOLEENDTASK
+{
+ HANDLE ProcessId;
+ HWND WindowHandle;
+ ULONG ConsoleEventCode;
+ ULONG ConsoleFlags;
+} CONSOLEENDTASK, * PCONSOLEENDTASK;
+
+/**
+ * Performs special kernel operations for console host applications. (win32u.dll)
+ *
+ * This includes reparenting the console window, allowing the console to pass foreground rights
+ * on to launched console subsystem applications and terminating attached processes.
+ *
+ * @param Command One of the CONSOLECONTROL values indicating which console control function should be executed.
+ * @param ConsoleInformation A pointer to one of the structures specifying additional data for the requested console control function.
+ * @param ConsoleInformationLength The size of the structure pointed to by the ConsoleInformation parameter.
+ * @return Successful or errant status.
+ */
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtUserConsoleControl(
+ _In_ CONSOLECONTROL Command,
+ _In_reads_bytes_(ConsoleInformationLength) PVOID ConsoleInformation,
+ _In_ ULONG ConsoleInformationLength
+);
+
+#ifndef _KERNEL_MODE
+/**
+ * Performs special kernel operations for console host applications. (user32.dll)
+ *
+ * This includes reparenting the console window, allowing the console to pass foreground rights
+ * on to launched console subsystem applications and terminating attached processes.
+ *
+ * @param Command One of the CONSOLECONTROL values indicating which console control function should be executed.
+ * @param ConsoleInformation A pointer to one of the structures specifying additional data for the requested console control function.
+ * @param ConsoleInformationLength The size of the structure pointed to by the ConsoleInformation parameter.
+ * @return Successful or errant status.
+ */
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+ConsoleControl(
+ _In_ CONSOLECONTROL Command,
+ _In_reads_bytes_(ConsoleInformationLength) PVOID ConsoleInformation,
+ _In_ ULONG ConsoleInformationLength
+);
+#endif
+
+
+
VEIL_END()
#pragma pop_macro("UNICODE")
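Review bot: The new NtUser* prototypes from NtUserQueryWindow through NtUserInternalGetWindowText carry neither the `// rev` marker used for reverse-engineered declarations elsewhere in these headers nor any comment, unlike NtUserConsoleControl at the end of the same hunk; a `// rev` plus a one-line summary per function would suffice, since the WINDOWINFOCLASS comments already say what each query yields. NtUserInternalGetWindowText names its parameters `pString` and `cchMaxCount`, Hungarian-style, while the surrounding prototypes use `WindowHandle`-style names. ConsoleControl is documented as the user32.dll entry point yet is declared NTSYSCALLAPI exactly like the win32u.dll syscall; if the macro only controls import linkage that may be intentional, but it is worth a comment. The hunk also adds three blank lines before VEIL_END() where the file otherwise uses one.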
diff --git a/Veil/Veil.System.WindowStation.h b/Veil/Veil.System.WindowStation.h
index 03fc4c8..fe554e7 100644
--- a/Veil/Veil.System.WindowStation.h
+++ b/Veil/Veil.System.WindowStation.h
@@ -961,6 +961,16 @@ WinStationSetInformationW(
_In_ ULONG WinStationInformationLength
);
+// rev
+NTSYSAPI
+BOOLEAN
+NTAPI
+WinStationQueryCurrentSessionInformation(
+ _In_ WINSTATIONINFOCLASS WinStationInformationClass,
+ _In_reads_bytes_(WinStationInformationLength) PVOID pWinStationInformation,
+ _In_ ULONG WinStationInformationLength
+);
+
NTSYSAPI
BOOLEAN
NTAPI
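Review bot: WinStationQueryCurrentSessionInformation annotates its buffer as `_In_reads_bytes_(WinStationInformationLength) PVOID pWinStationInformation`, which marks it as input only; for a Query routine the buffer is presumably written by the callee, in which case `_Out_writes_bytes_(WinStationInformationLength)` is the right annotation, and the `_In_reads_bytes_` form looks copied from the WinStationSetInformationW prototype just above. Confirm the direction against the implementation before changing it; if the buffer is in/out, `_Inout_updates_bytes_` exists for that. The name pWinStationInformation also carries a pointer prefix that the neighbouring declarations do not use.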
@@ -1194,6 +1204,46 @@ WinStationIsSessionRemoteable(
_Out_ PBOOLEAN IsRemote
);
+// rev
+NTSYSAPI
+BOOLEAN
+NTAPI
+WinStationSetAutologonPassword(
+ _In_ PCSTR KeyName,
+ _In_ PCSTR Password
+);
+
+typedef enum _SessionType
+{
+ SESSIONTYPE_UNKNOWN = 0,
+ SESSIONTYPE_SERVICES,
+ SESSIONTYPE_LISTENER,
+ SESSIONTYPE_REGULARDESKTOP,
+ SESSIONTYPE_ALTERNATESHELL,
+ SESSIONTYPE_REMOTEAPP,
+ SESSIONTYPE_MEDIACENTEREXT
+} SESSIONTYPE;
+
+// rev
+typedef struct _TS_USER_SESSION
+{
+ ULONG Version;
+ ULONG SessionId;
+ ULONG Unknown;
+ SESSIONTYPE State;
+ ULONG field5;
+} TS_USER_SESSION, * PTS_USER_SESSION;
+
+// rev
+NTSYSAPI
+BOOLEAN
+NTAPI
+WinStationGetAllUserSessions(
+ _In_opt_ HANDLE ServerHandle,
+ _In_ PSID Sid,
+ _Out_ PVOID* Processes, // LocalFree
+ _Out_ PULONG NumberOfProcesses
+);
#endif // !_KERNEL_MODE