#ifndef _PH_PHNATIVE_H #define _PH_PHNATIVE_H #ifdef __cplusplus extern "C" { #endif /** The PID of the idle process. */ #define SYSTEM_IDLE_PROCESS_ID ((HANDLE)0) /** The PID of the system process. */ #define SYSTEM_PROCESS_ID ((HANDLE)4) #define SYSTEM_IDLE_PROCESS_NAME (L"System Idle Process") // General object-related function types typedef NTSTATUS (NTAPI *PPH_OPEN_OBJECT)( _Out_ PHANDLE Handle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ PVOID Context ); typedef NTSTATUS (NTAPI *PPH_GET_OBJECT_SECURITY)( _Out_ PSECURITY_DESCRIPTOR *SecurityDescriptor, _In_ SECURITY_INFORMATION SecurityInformation, _In_opt_ PVOID Context ); typedef NTSTATUS (NTAPI *PPH_SET_OBJECT_SECURITY)( _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ SECURITY_INFORMATION SecurityInformation, _In_opt_ PVOID Context ); typedef struct _PH_TOKEN_ATTRIBUTES { HANDLE TokenHandle; struct { ULONG Elevated : 1; ULONG ElevationType : 2; ULONG ReservedBits : 29; }; ULONG Reserved; } PH_TOKEN_ATTRIBUTES, *PPH_TOKEN_ATTRIBUTES; PHLIBAPI PH_TOKEN_ATTRIBUTES NTAPI PhGetOwnTokenAttributes( VOID ); PHLIBAPI NTSTATUS NTAPI PhOpenProcess( _Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _In_ HANDLE ProcessId ); PHLIBAPI NTSTATUS NTAPI PhOpenProcessPublic( _Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _In_ HANDLE ProcessId ); PHLIBAPI NTSTATUS NTAPI PhOpenThread( _Out_ PHANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _In_ HANDLE ThreadId ); PHLIBAPI NTSTATUS NTAPI PhOpenThreadPublic( _Out_ PHANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _In_ HANDLE ThreadId ); PHLIBAPI NTSTATUS NTAPI PhOpenThreadProcess( _In_ HANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE ProcessHandle ); PHLIBAPI NTSTATUS NTAPI PhOpenProcessToken( _In_ HANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE TokenHandle ); PHLIBAPI NTSTATUS NTAPI PhGetObjectSecurity( _In_ HANDLE Handle, _In_ SECURITY_INFORMATION SecurityInformation, _Out_ PSECURITY_DESCRIPTOR *SecurityDescriptor ); PHLIBAPI NTSTATUS NTAPI PhSetObjectSecurity( _In_ HANDLE Handle, _In_ SECURITY_INFORMATION SecurityInformation, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor ); PHLIBAPI NTSTATUS NTAPI PhTerminateProcess( _In_ HANDLE ProcessHandle, _In_ NTSTATUS ExitStatus ); PHLIBAPI NTSTATUS NTAPI PhTerminateProcessPublic( _In_ HANDLE ProcessHandle, _In_ NTSTATUS ExitStatus ); PHLIBAPI NTSTATUS NTAPI PhGetProcessImageFileName( _In_ HANDLE ProcessHandle, _Out_ PPH_STRING *FileName ); PHLIBAPI NTSTATUS NTAPI PhGetProcessImageFileNameWin32( _In_ HANDLE ProcessHandle, _Out_ PPH_STRING *FileName ); /** Specifies a PEB string. */ typedef enum _PH_PEB_OFFSET { PhpoCurrentDirectory, PhpoDllPath, PhpoImagePathName, PhpoCommandLine, PhpoWindowTitle, PhpoDesktopInfo, PhpoShellInfo, PhpoRuntimeData, PhpoTypeMask = 0xffff, PhpoWow64 = 0x10000 } PH_PEB_OFFSET; PHLIBAPI NTSTATUS NTAPI PhGetProcessPebString( _In_ HANDLE ProcessHandle, _In_ PH_PEB_OFFSET Offset, _Out_ PPH_STRING *String ); PHLIBAPI NTSTATUS NTAPI PhGetProcessCommandLine( _In_ HANDLE ProcessHandle, _Out_ PPH_STRING *CommandLine ); PHLIBAPI NTSTATUS NTAPI PhGetProcessWindowTitle( _In_ HANDLE ProcessHandle, _Out_ PULONG WindowFlags, _Out_ PPH_STRING *WindowTitle ); #define PH_PROCESS_DEP_ENABLED 0x1 #define PH_PROCESS_DEP_ATL_THUNK_EMULATION_DISABLED 0x2 #define PH_PROCESS_DEP_PERMANENT 0x4 PHLIBAPI NTSTATUS NTAPI PhGetProcessDepStatus( _In_ HANDLE ProcessHandle, _Out_ PULONG DepStatus ); #define PH_GET_PROCESS_ENVIRONMENT_WOW64 0x1 // retrieve the WOW64 environment PHLIBAPI NTSTATUS NTAPI PhGetProcessEnvironment( _In_ HANDLE ProcessHandle, _In_ ULONG Flags, _Out_ PVOID *Environment, _Out_ PULONG EnvironmentLength ); typedef struct _PH_ENVIRONMENT_VARIABLE { PH_STRINGREF Name; PH_STRINGREF Value; } PH_ENVIRONMENT_VARIABLE, *PPH_ENVIRONMENT_VARIABLE; PHLIBAPI BOOLEAN NTAPI PhEnumProcessEnvironmentVariables( _In_ PVOID Environment, _In_ ULONG EnvironmentLength, _Inout_ PULONG EnumerationKey, _Out_ PPH_ENVIRONMENT_VARIABLE Variable ); PHLIBAPI NTSTATUS NTAPI PhGetProcessMappedFileName( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _Out_ PPH_STRING *FileName ); PHLIBAPI NTSTATUS NTAPI PhGetProcessWorkingSetInformation( _In_ HANDLE ProcessHandle, _Out_ PMEMORY_WORKING_SET_INFORMATION *WorkingSetInformation ); typedef struct _PH_PROCESS_WS_COUNTERS { SIZE_T NumberOfPages; SIZE_T NumberOfPrivatePages; SIZE_T NumberOfSharedPages; SIZE_T NumberOfShareablePages; } PH_PROCESS_WS_COUNTERS, *PPH_PROCESS_WS_COUNTERS; PHLIBAPI NTSTATUS NTAPI PhGetProcessWsCounters( _In_ HANDLE ProcessHandle, _Out_ PPH_PROCESS_WS_COUNTERS WsCounters ); PHLIBAPI NTSTATUS NTAPI PhInjectDllProcess( _In_ HANDLE ProcessHandle, _In_ PWSTR FileName, _In_opt_ PLARGE_INTEGER Timeout ); PHLIBAPI NTSTATUS NTAPI PhUnloadDllProcess( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_opt_ PLARGE_INTEGER Timeout ); PHLIBAPI NTSTATUS NTAPI PhSetEnvironmentVariableRemote( _In_ HANDLE ProcessHandle, _In_ PPH_STRINGREF Name, _In_opt_ PPH_STRINGREF Value, _In_opt_ PLARGE_INTEGER Timeout ); PHLIBAPI NTSTATUS NTAPI PhGetJobProcessIdList( _In_ HANDLE JobHandle, _Out_ PJOBOBJECT_BASIC_PROCESS_ID_LIST *ProcessIdList ); PHLIBAPI NTSTATUS NTAPI PhQueryTokenVariableSize( _In_ HANDLE TokenHandle, _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, _Out_ PVOID *Buffer ); PHLIBAPI NTSTATUS NTAPI PhGetTokenUser( _In_ HANDLE TokenHandle, _Out_ PTOKEN_USER *User ); PHLIBAPI NTSTATUS NTAPI PhGetTokenOwner( _In_ HANDLE TokenHandle, _Out_ PTOKEN_OWNER *Owner ); PHLIBAPI NTSTATUS NTAPI PhGetTokenPrimaryGroup( _In_ HANDLE TokenHandle, _Out_ PTOKEN_PRIMARY_GROUP *PrimaryGroup ); PHLIBAPI NTSTATUS NTAPI PhGetTokenGroups( _In_ HANDLE TokenHandle, _Out_ PTOKEN_GROUPS *Groups ); PHLIBAPI NTSTATUS NTAPI PhGetTokenPrivileges( _In_ HANDLE TokenHandle, _Out_ PTOKEN_PRIVILEGES *Privileges ); PHLIBAPI NTSTATUS NTAPI PhSetTokenSessionId( _In_ HANDLE TokenHandle, _In_ ULONG SessionId ); PHLIBAPI BOOLEAN NTAPI PhSetTokenPrivilege( _In_ HANDLE TokenHandle, _In_opt_ PWSTR PrivilegeName, _In_opt_ PLUID PrivilegeLuid, _In_ ULONG Attributes ); PHLIBAPI BOOLEAN NTAPI PhSetTokenPrivilege2( _In_ HANDLE TokenHandle, _In_ LONG Privilege, _In_ ULONG Attributes ); PHLIBAPI NTSTATUS NTAPI PhSetTokenIsVirtualizationEnabled( _In_ HANDLE TokenHandle, _In_ BOOLEAN IsVirtualizationEnabled ); PHLIBAPI NTSTATUS NTAPI PhGetTokenIntegrityLevel( _In_ HANDLE TokenHandle, _Out_opt_ PMANDATORY_LEVEL IntegrityLevel, _Out_opt_ PWSTR *IntegrityString ); PHLIBAPI NTSTATUS NTAPI PhGetFileSize( _In_ HANDLE FileHandle, _Out_ PLARGE_INTEGER Size ); PHLIBAPI NTSTATUS NTAPI PhSetFileSize( _In_ HANDLE FileHandle, _In_ PLARGE_INTEGER Size ); PHLIBAPI NTSTATUS NTAPI PhGetTransactionManagerBasicInformation( _In_ HANDLE TransactionManagerHandle, _Out_ PTRANSACTIONMANAGER_BASIC_INFORMATION BasicInformation ); PHLIBAPI NTSTATUS NTAPI PhGetTransactionManagerLogFileName( _In_ HANDLE TransactionManagerHandle, _Out_ PPH_STRING *LogFileName ); PHLIBAPI NTSTATUS NTAPI PhGetTransactionBasicInformation( _In_ HANDLE TransactionHandle, _Out_ PTRANSACTION_BASIC_INFORMATION BasicInformation ); PHLIBAPI NTSTATUS NTAPI PhGetTransactionPropertiesInformation( _In_ HANDLE TransactionHandle, _Out_opt_ PLARGE_INTEGER Timeout, _Out_opt_ TRANSACTION_OUTCOME *Outcome, _Out_opt_ PPH_STRING *Description ); PHLIBAPI NTSTATUS NTAPI PhGetResourceManagerBasicInformation( _In_ HANDLE ResourceManagerHandle, _Out_opt_ PGUID Guid, _Out_opt_ PPH_STRING *Description ); PHLIBAPI NTSTATUS NTAPI PhGetEnlistmentBasicInformation( _In_ HANDLE EnlistmentHandle, _Out_ PENLISTMENT_BASIC_INFORMATION BasicInformation ); PHLIBAPI NTSTATUS NTAPI PhOpenDriverByBaseAddress( _Out_ PHANDLE DriverHandle, _In_ PVOID BaseAddress ); PHLIBAPI NTSTATUS NTAPI PhGetDriverName( _In_ HANDLE DriverHandle, _Out_ PPH_STRING *Name ); PHLIBAPI NTSTATUS NTAPI PhGetDriverServiceKeyName( _In_ HANDLE DriverHandle, _Out_ PPH_STRING *ServiceKeyName ); PHLIBAPI NTSTATUS NTAPI PhUnloadDriver( _In_opt_ PVOID BaseAddress, _In_opt_ PWSTR Name ); #define PH_ENUM_PROCESS_MODULES_LIMIT 0x800 /** * A callback function passed to PhEnumProcessModules() and called for each process module. * * \param Module A structure providing information about the module. * \param Context A user-defined value passed to PhEnumProcessModules(). * * \return TRUE to continue the enumeration, FALSE to stop. */ typedef BOOLEAN (NTAPI *PPH_ENUM_PROCESS_MODULES_CALLBACK)( _In_ PLDR_DATA_TABLE_ENTRY Module, _In_opt_ PVOID Context ); #define PH_ENUM_PROCESS_MODULES_DONT_RESOLVE_WOW64_FS 0x1 #define PH_ENUM_PROCESS_MODULES_TRY_MAPPED_FILE_NAME 0x2 typedef struct _PH_ENUM_PROCESS_MODULES_PARAMETERS { PPH_ENUM_PROCESS_MODULES_CALLBACK Callback; PVOID Context; ULONG Flags; } PH_ENUM_PROCESS_MODULES_PARAMETERS, *PPH_ENUM_PROCESS_MODULES_PARAMETERS; PHLIBAPI NTSTATUS NTAPI PhEnumProcessModules( _In_ HANDLE ProcessHandle, _In_ PPH_ENUM_PROCESS_MODULES_CALLBACK Callback, _In_opt_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhEnumProcessModulesEx( _In_ HANDLE ProcessHandle, _In_ PPH_ENUM_PROCESS_MODULES_PARAMETERS Parameters ); PHLIBAPI NTSTATUS NTAPI PhSetProcessModuleLoadCount( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ ULONG LoadCount ); PHLIBAPI NTSTATUS NTAPI PhEnumProcessModules32( _In_ HANDLE ProcessHandle, _In_ PPH_ENUM_PROCESS_MODULES_CALLBACK Callback, _In_opt_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhEnumProcessModules32Ex( _In_ HANDLE ProcessHandle, _In_ PPH_ENUM_PROCESS_MODULES_PARAMETERS Parameters ); PHLIBAPI NTSTATUS NTAPI PhSetProcessModuleLoadCount32( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ ULONG LoadCount ); PHLIBAPI NTSTATUS NTAPI PhGetProcedureAddressRemote( _In_ HANDLE ProcessHandle, _In_ PWSTR FileName, _In_opt_ PSTR ProcedureName, _In_opt_ ULONG ProcedureNumber, _Out_ PVOID *ProcedureAddress, _Out_opt_ PVOID *DllBase ); PHLIBAPI NTSTATUS NTAPI PhEnumKernelModules( _Out_ PRTL_PROCESS_MODULES *Modules ); PHLIBAPI NTSTATUS NTAPI PhEnumKernelModulesEx( _Out_ PRTL_PROCESS_MODULE_INFORMATION_EX *Modules ); PHLIBAPI PPH_STRING NTAPI PhGetKernelFileName( VOID ); /** * Gets a pointer to the first process information structure in a buffer returned by * PhEnumProcesses(). * * \param Processes A pointer to a buffer returned by PhEnumProcesses(). */ #define PH_FIRST_PROCESS(Processes) ((PSYSTEM_PROCESS_INFORMATION)(Processes)) /** * Gets a pointer to the process information structure after a given structure. * * \param Process A pointer to a process information structure. * * \return A pointer to the next process information structure, or NULL if there are no more. */ #define PH_NEXT_PROCESS(Process) ( \ ((PSYSTEM_PROCESS_INFORMATION)(Process))->NextEntryOffset ? \ (PSYSTEM_PROCESS_INFORMATION)((PCHAR)(Process) + \ ((PSYSTEM_PROCESS_INFORMATION)(Process))->NextEntryOffset) : \ NULL \ ) PHLIBAPI NTSTATUS NTAPI PhEnumProcesses( _Out_ PVOID *Processes ); PHLIBAPI NTSTATUS NTAPI PhEnumProcessesEx( _Out_ PVOID *Processes, _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass ); PHLIBAPI NTSTATUS NTAPI PhEnumProcessesForSession( _Out_ PVOID *Processes, _In_ ULONG SessionId ); PHLIBAPI PSYSTEM_PROCESS_INFORMATION NTAPI PhFindProcessInformation( _In_ PVOID Processes, _In_ HANDLE ProcessId ); PHLIBAPI PSYSTEM_PROCESS_INFORMATION NTAPI PhFindProcessInformationByImageName( _In_ PVOID Processes, _In_ PPH_STRINGREF ImageName ); PHLIBAPI NTSTATUS NTAPI PhEnumHandles( _Out_ PSYSTEM_HANDLE_INFORMATION *Handles ); PHLIBAPI NTSTATUS NTAPI PhEnumHandlesEx( _Out_ PSYSTEM_HANDLE_INFORMATION_EX *Handles ); #define PH_FIRST_PAGEFILE(Pagefiles) ( \ /* The size of a pagefile can never be 0. A TotalSize of 0 * is used to indicate that there are no pagefiles. */ ((PSYSTEM_PAGEFILE_INFORMATION)(Pagefiles))->TotalSize ? \ (PSYSTEM_PAGEFILE_INFORMATION)(Pagefiles) : \ NULL \ ) #define PH_NEXT_PAGEFILE(Pagefile) ( \ ((PSYSTEM_PAGEFILE_INFORMATION)(Pagefile))->NextEntryOffset ? \ (PSYSTEM_PAGEFILE_INFORMATION)((PCHAR)(Pagefile) + \ ((PSYSTEM_PAGEFILE_INFORMATION)(Pagefile))->NextEntryOffset) : \ NULL \ ) PHLIBAPI NTSTATUS NTAPI PhEnumPagefiles( _Out_ PVOID *Pagefiles ); PHLIBAPI NTSTATUS NTAPI PhGetProcessImageFileNameByProcessId( _In_ HANDLE ProcessId, _Out_ PPH_STRING *FileName ); PHLIBAPI NTSTATUS NTAPI PhGetProcessIsDotNet( _In_ HANDLE ProcessId, _Out_ PBOOLEAN IsDotNet ); #define PH_CLR_USE_SECTION_CHECK 0x1 #define PH_CLR_NO_WOW64_CHECK 0x2 #define PH_CLR_KNOWN_IS_WOW64 0x4 #define PH_CLR_VERSION_1_0 0x1 #define PH_CLR_VERSION_1_1 0x2 #define PH_CLR_VERSION_2_0 0x4 #define PH_CLR_VERSION_4_ABOVE 0x8 #define PH_CLR_VERSION_MASK 0xf #define PH_CLR_MSCORLIB_PRESENT 0x10000 #define PH_CLR_JIT_PRESENT 0x20000 #define PH_CLR_PROCESS_IS_WOW64 0x100000 PHLIBAPI NTSTATUS NTAPI PhGetProcessIsDotNetEx( _In_ HANDLE ProcessId, _In_opt_ HANDLE ProcessHandle, _In_ ULONG InFlags, _Out_opt_ PBOOLEAN IsDotNet, _Out_opt_ PULONG Flags ); /** * A callback function passed to PhEnumDirectoryObjects() and called for each directory object. * * \param Name The name of the object. * \param TypeName The name of the object's type. * \param Context A user-defined value passed to PhEnumDirectoryObjects(). * * \return TRUE to continue the enumeration, FALSE to stop. */ typedef BOOLEAN (NTAPI *PPH_ENUM_DIRECTORY_OBJECTS)( _In_ PPH_STRINGREF Name, _In_ PPH_STRINGREF TypeName, _In_opt_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhEnumDirectoryObjects( _In_ HANDLE DirectoryHandle, _In_ PPH_ENUM_DIRECTORY_OBJECTS Callback, _In_opt_ PVOID Context ); typedef BOOLEAN (NTAPI *PPH_ENUM_DIRECTORY_FILE)( _In_ PFILE_DIRECTORY_INFORMATION Information, _In_opt_ PVOID Context ); PHLIBAPI NTSTATUS NTAPI PhEnumDirectoryFile( _In_ HANDLE FileHandle, _In_opt_ PUNICODE_STRING SearchPattern, _In_ PPH_ENUM_DIRECTORY_FILE Callback, _In_opt_ PVOID Context ); #define PH_FIRST_STREAM(Streams) ((PFILE_STREAM_INFORMATION)(Streams)) #define PH_NEXT_STREAM(Stream) ( \ ((PFILE_STREAM_INFORMATION)(Stream))->NextEntryOffset ? \ (PFILE_STREAM_INFORMATION)((PCHAR)(Stream) + \ ((PFILE_STREAM_INFORMATION)(Stream))->NextEntryOffset) : \ NULL \ ) PHLIBAPI NTSTATUS NTAPI PhEnumFileStreams( _In_ HANDLE FileHandle, _Out_ PVOID *Streams ); PHLIBAPI VOID NTAPI PhUpdateMupDevicePrefixes( VOID ); PHLIBAPI VOID NTAPI PhUpdateDosDevicePrefixes( VOID ); PHLIBAPI PPH_STRING NTAPI PhResolveDevicePrefix( _In_ PPH_STRING Name ); PHLIBAPI PPH_STRING NTAPI PhGetFileName( _In_ PPH_STRING FileName ); #define PH_MODULE_TYPE_MODULE 1 #define PH_MODULE_TYPE_MAPPED_FILE 2 #define PH_MODULE_TYPE_WOW64_MODULE 3 #define PH_MODULE_TYPE_KERNEL_MODULE 4 #define PH_MODULE_TYPE_MAPPED_IMAGE 5 typedef struct _PH_MODULE_INFO { ULONG Type; PVOID BaseAddress; ULONG Size; PVOID EntryPoint; ULONG Flags; PPH_STRING Name; PPH_STRING FileName; USHORT LoadOrderIndex; // -1 if N/A USHORT LoadCount; // -1 if N/A USHORT LoadReason; // -1 if N/A USHORT Reserved; LARGE_INTEGER LoadTime; // 0 if N/A } PH_MODULE_INFO, *PPH_MODULE_INFO; /** * A callback function passed to PhEnumGenericModules() and called for each process module. * * \param Module A structure providing information about the module. * \param Context A user-defined value passed to PhEnumGenericModules(). * * \return TRUE to continue the enumeration, FALSE to stop. */ typedef BOOLEAN (NTAPI *PPH_ENUM_GENERIC_MODULES_CALLBACK)( _In_ PPH_MODULE_INFO Module, _In_opt_ PVOID Context ); #define PH_ENUM_GENERIC_MAPPED_FILES 0x1 #define PH_ENUM_GENERIC_MAPPED_IMAGES 0x2 PHLIBAPI NTSTATUS NTAPI PhEnumGenericModules( _In_ HANDLE ProcessId, _In_opt_ HANDLE ProcessHandle, _In_ ULONG Flags, _In_ PPH_ENUM_GENERIC_MODULES_CALLBACK Callback, _In_opt_ PVOID Context ); #define PH_KEY_PREDEFINE(Number) ((HANDLE)(LONG_PTR)(-3 - (Number) * 2)) #define PH_KEY_IS_PREDEFINED(Predefine) (((LONG_PTR)(Predefine) < 0) && ((LONG_PTR)(Predefine) & 0x1)) #define PH_KEY_PREDEFINE_TO_NUMBER(Predefine) (ULONG)(((-(LONG_PTR)(Predefine) - 3) >> 1)) #define PH_KEY_LOCAL_MACHINE PH_KEY_PREDEFINE(0) // \Registry\Machine #define PH_KEY_USERS PH_KEY_PREDEFINE(1) // \Registry\User #define PH_KEY_CLASSES_ROOT PH_KEY_PREDEFINE(2) // \Registry\Machine\Software\Classes #define PH_KEY_CURRENT_USER PH_KEY_PREDEFINE(3) // \Registry\User\ #define PH_KEY_CURRENT_USER_NUMBER 3 #define PH_KEY_MAXIMUM_PREDEFINE 4 PHLIBAPI NTSTATUS NTAPI PhCreateKey( _Out_ PHANDLE KeyHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ HANDLE RootDirectory, _In_ PPH_STRINGREF ObjectName, _In_ ULONG Attributes, _In_ ULONG CreateOptions, _Out_opt_ PULONG Disposition ); PHLIBAPI NTSTATUS NTAPI PhOpenKey( _Out_ PHANDLE KeyHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ HANDLE RootDirectory, _In_ PPH_STRINGREF ObjectName, _In_ ULONG Attributes ); PHLIBAPI NTSTATUS NTAPI PhQueryKey( _In_ HANDLE KeyHandle, _In_ KEY_INFORMATION_CLASS KeyInformationClass, _Out_ PVOID *Buffer ); PHLIBAPI NTSTATUS NTAPI PhQueryValueKey( _In_ HANDLE KeyHandle, _In_opt_ PPH_STRINGREF ValueName, _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, _Out_ PVOID *Buffer ); PHLIBAPI NTSTATUS NTAPI PhCreateFileWin32( _Out_ PHANDLE FileHandle, _In_ PWSTR FileName, _In_ ACCESS_MASK DesiredAccess, _In_opt_ ULONG FileAttributes, _In_ ULONG ShareAccess, _In_ ULONG CreateDisposition, _In_ ULONG CreateOptions ); PHLIBAPI NTSTATUS NTAPI PhCreateFileWin32Ex( _Out_ PHANDLE FileHandle, _In_ PWSTR FileName, _In_ ACCESS_MASK DesiredAccess, _In_opt_ ULONG FileAttributes, _In_ ULONG ShareAccess, _In_ ULONG CreateDisposition, _In_ ULONG CreateOptions, _Out_opt_ PULONG CreateStatus ); PHLIBAPI NTSTATUS NTAPI PhQueryFullAttributesFileWin32( _In_ PWSTR FileName, _Out_ PFILE_NETWORK_OPEN_INFORMATION FileInformation ); PHLIBAPI NTSTATUS NTAPI PhDeleteFileWin32( _In_ PWSTR FileName ); PHLIBAPI NTSTATUS NTAPI PhListenNamedPipe( _In_ HANDLE FileHandle, _In_opt_ HANDLE Event, _In_opt_ PIO_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcContext, _Out_ PIO_STATUS_BLOCK IoStatusBlock ); PHLIBAPI NTSTATUS NTAPI PhDisconnectNamedPipe( _In_ HANDLE FileHandle ); PHLIBAPI NTSTATUS NTAPI PhPeekNamedPipe( _In_ HANDLE FileHandle, _Out_writes_bytes_opt_(Length) PVOID Buffer, _In_ ULONG Length, _Out_opt_ PULONG NumberOfBytesRead, _Out_opt_ PULONG NumberOfBytesAvailable, _Out_opt_ PULONG NumberOfBytesLeftInMessage ); PHLIBAPI NTSTATUS NTAPI PhTransceiveNamedPipe( _In_ HANDLE FileHandle, _In_opt_ HANDLE Event, _In_opt_ PIO_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcContext, _Out_ PIO_STATUS_BLOCK IoStatusBlock, _In_reads_bytes_(InputBufferLength) PVOID InputBuffer, _In_ ULONG InputBufferLength, _Out_writes_bytes_(OutputBufferLength) PVOID OutputBuffer, _In_ ULONG OutputBufferLength ); PHLIBAPI NTSTATUS NTAPI PhWaitForNamedPipe( _In_opt_ PUNICODE_STRING FileSystemName, _In_ PUNICODE_STRING Name, _In_opt_ PLARGE_INTEGER Timeout, _In_ BOOLEAN UseDefaultTimeout ); PHLIBAPI NTSTATUS NTAPI PhImpersonateClientOfNamedPipe( _In_ HANDLE FileHandle ); #ifdef __cplusplus } #endif #endif