08/03/99 10:56: this is just a rough collection of undocumented stuff. will be replaced with something decent soon....
///////////////// UNDOCUMENTED FUNCTIONS IN NT 4.00 /////////////////
// Kernel-mode (ntoskrnl) exports that the NT 4.0 DDK headers do not declare.
// The prototypes were recovered by hand; parameter names are descriptive only.
NTKERNELAPI void Ke386CallBios(ULONG a,ULONG b);   // argument meaning not recorded here
// NOTE(review): despite the name, the argument is an EPROCESS pointer, not a
// numeric process id (compare PsLookupProcessByProcessId below, which takes the
// id and yields the pointer). KeDetachProcess presumably undoes the attach.
NTKERNELAPI void KeAttachProcess(struct _EPROCESS* ProcessID);
NTKERNELAPI void KeDetachProcess(void);
// Resolves a numeric process id to its EPROCESS; *pul receives the pointer on
// success. Presumably the object comes back referenced and must be
// dereferenced by the caller — verify against the DDK before relying on it.
NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(ULONG ulProcId,struct _EPROCESS ** pul);
// ObOpenObjectByName@28 NTSTATUS ObOpenObjectByName( IN POBJECT_ATTRIBUTES ObjectAttributes, IN POBJECT_TYPE ObjectType OPTIONAL, ULONG, IN KPROCESSOR_MODE AccessMode, IN ACCESS_MASK DesiredAccess, IN PACCESS_STATE PassedAccessState, PVOID *Object );
// Pointer to the object-manager type descriptor for device objects; exported by
// the kernel (note the extra level of indirection: POBJECT_TYPE*, not POBJECT_TYPE).
// Presumably the ObjectType argument to ObOpenObjectByName above would be *IoDeviceObjectType.
extern POBJECT_TYPE* IoDeviceObjectType;
// Apparently turns an already-mapped range into a banked section whose bank
// switches are reported to pfBankedRoutine. The ReadWrite semantics were not
// fully understood by the author ("????" below) — treat that line as unverified.
NTKERNELAPI ULONG MmSetBankedSection(
    ULONG ProcessId,                          // use -1 as current
    PVOID LinearAddress,                      // not the physical, but the already mapped address
    ULONG Length,                             // length based of LinearAddress to make banked
    UCHAR ReadWrite,                          // TRUE=RW, FALSE=two independent banks ????
    PBANKED_SECTION_ROUTINE pfBankedRoutine,  // VOID Routine(ULONG ReadBank,ULONG WriteBank,PVOID Context)
    PVOID Context);
// Queries information about the object behind Handle. Up to Length bytes of
// ObjectInformation are filled in the layout selected by ObjectInformationClass;
// ReturnLength, when supplied, presumably receives the size needed or written.
NTSYSAPI NTSTATUS NTAPI ZwQueryObject(
    IN HANDLE Handle,
    IN OBJECT_INFORMATION_CLASS ObjectInformationClass,
    OUT PVOID ObjectInformation,
    IN ULONG Length,
    OUT PULONG ReturnLength OPTIONAL );
// Generic system-information query, dispatched on SystemInfoClass. A buffer
// that is too small is answered with STATUS_INFO_LENGTH_MISMATCH (see the
// retry loop in GetThreadList below, which uses class 5 for the process list).
NTKERNELAPI NTSTATUS ZwQuerySystemInformation(
    ULONG SystemInfoClass,
    PVOID ReturnBuffer,
    ULONG ReturnBufferSize,
    PULONG ReturnedLength);
/* has 0x2d services
   service 0x05: process/thread list (used by GetThreadList below)
   service 0x09: get NtGlobalFlag
       status=ZwQuerySystemInformation(0x09,p,4,&ReturnedLength);
   service 0x16: read pool tag stats
       typedef struct _POOL_ENTRY {
           ULONG tag;
           ULONG NP_Allocs,NP_Frees,NP_Used;
           ULONG P_Allocs,P_Frees,P_Used;
       }POOL_ENTRY,*PPOOL_ENTRY;
       typedef struct _POOL {
           ULONG count;
           POOL_ENTRY pe[1];
       }POOL,*PPOOL;
       status=ZwQuerySystemInformation(0x09,(PPOOL)p,0x10000,&ReturnedLength);
       NOTE(review): the example passes 0x09 although it illustrates service
       0x16 — looks like a copy/paste slip; confirm before using.
*/
// One entry returned by ZwQueryDirectoryObject: the object's name and type name.
// StringData is a flexible trailing array, so each record is variable length;
// presumably the two UNICODE_STRING buffers point into it — verify with a dump.
typedef struct _OBJECT_DIRECTORY_INFORMATION {
    UNICODE_STRING DirectoryName;
    UNICODE_STRING Type;
    WCHAR StringData[];
} OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION;
// Enumerates an object-manager directory opened as DirectoryHandle into
// QueryBuffer (OBJECT_DIRECTORY_INFORMATION records, QueryBufferLength bytes).
// The two BOOLEAN flags take the values noted beside them; Context presumably
// carries the enumeration position between QUERY_FIRST / QUERY_NEXT calls.
NTSYSAPI NTSTATUS NTAPI ZwQueryDirectoryObject(
    IN HANDLE DirectoryHandle,
    IN OUT POBJECT_DIRECTORY_INFORMATION QueryBuffer,
    IN ULONG QueryBufferLength,
    IN BOOLEAN ReadOneOrMoreBuffer,   //#define OBJECT_DIRECTORY_READ_BUFFER 0 // #define OBJECT_DIRECTORY_READ_ONE 1
    IN BOOLEAN QueryType,             // #define OBJECT_DIRECTORY_QUERY_NEXT 0 // #define OBJECT_DIRECTORY_QUERY_FIRST 1
    OUT PULONG Context OPTIONAL,
    OUT PULONG ReturnedLength OPTIONAL );
//////////// The code ///////////////

// Per-thread record as returned by NtQuerySystemInformation class 5, laid out
// by hand for this NT build (presumably NT 4.0 — confirm before use elsewhere).
// dwUnknown* fields are uninterpreted padding. Element type of _PROCESSINFO::ti.
typedef struct _tagThreadInfo {
    FILETIME ftCreationTime;
    DWORD dwUnknown1;
    DWORD dwStartAddress;
    DWORD dwOwningPID;
    DWORD dwThreadID;
    DWORD dwCurrentPriority;
    DWORD dwBasePriority;
    DWORD dwContextSwitches;
    DWORD dwThreadState;
    DWORD dwWaitReason;
    DWORD dwUnknown2[ 5 ];
} THREADINFO, *PTHREADINFO;

#pragma warning( disable:4200 ) // Zero sized array
// Per-process record of the same query. Records are variable length and are
// walked by dwOffset (byte distance to the next record, 0 for the last one);
// dwThreadCount THREADINFO entries follow in ti — see GetThreadList().
// Note the typedef name is _PROCESSINFO; there is no plain PROCESSINFO.
typedef struct _tagProcessInfo {
    DWORD dwOffset;                 // bytes to the next record, 0 == last record
    DWORD dwThreadCount;            // number of entries in ti[]
    DWORD dwUnknown1[ 6 ];
    FILETIME ftCreationTime;
    DWORD dwUnknown2[ 5 ];
    WCHAR* pszProcessName;
    DWORD dwBasePriority;
    DWORD dwProcessID;
    DWORD dwParentProcessID;
    DWORD dwHandleCount;
    DWORD dwUnknown3;
    DWORD dwUnknown4;
    DWORD dwVirtualBytesPeak;
    DWORD dwVirtualBytes;
    DWORD dwPageFaults;
    DWORD dwWorkingSetPeak;
    DWORD dwWorkingSet;
    DWORD dwUnknown5;
    DWORD dwPagedPool;
    DWORD dwUnknown6;
    DWORD dwNonPagedPool;
    DWORD dwPageFileBytesPeak;
    DWORD dwPrivateBytes;
    DWORD dwPageFileBytes;
    DWORD dwUnknown7[ 4 ];
    THREADINFO ti[ 0 ];             // MSVC zero-sized trailing array (C99 spelling: ti[])
} _PROCESSINFO, *PPROCESSINFO;
#pragma warning( default:4200 )
// ntdll!NtQuerySystemInformation, resolved lazily by GetThreadList() via
// GetProcAddress. The fourth parameter is declared ULONG here although the
// ZwQuerySystemInformation prototype above has PULONG ReturnedLength; the only
// caller passes 0 (no length returned), which is ABI-equivalent to NULL.
long ( __stdcall *NtQuerySystemInformation )( ULONG, PVOID, ULONG, ULONG ) = NULL;
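/*
 * Copies the THREADINFO records of process dwProcessId into pThreadList.
 *
 * pThreadList  receives up to dwSize records (may be NULL only when dwSize == 0).
 * dwSize       capacity of pThreadList, in records.
 * dwProcessId  process whose threads are wanted.
 *
 * Returns the process's total thread count — which may exceed dwSize, so a
 * caller can size its buffer and call again — or 0 when the process was not
 * found or the query could not be made (ntdll export missing, allocation
 * failure, error status from the kernel).
 *
 * The list is fetched with SystemInformationClass 5 and walked record by
 * record through dwOffset; dwOffset == 0 marks the last record.
 */
DWORD GetThreadList( PTHREADINFO pThreadList, DWORD dwSize, DWORD dwProcessId )
{
    DWORD dwCount = 0;
    DWORD cInfoSize = 0x2000;
    PBYTE pbyInfo = NULL;
    long status;

    if ( !NtQuerySystemInformation ) {
        NtQuerySystemInformation = ( long ( __stdcall * )( ULONG, PVOID, ULONG, ULONG ) )
            GetProcAddress( GetModuleHandle( "ntdll.dll" ), "NtQuerySystemInformation" );
        if ( !NtQuerySystemInformation )
            return 0;   /* export not found: calling a NULL pointer is not an option */
    }
    if ( !pThreadList && dwSize )
        return 0;       /* nowhere to copy into */

    pbyInfo = ( PBYTE ) malloc( cInfoSize );
    if ( !pbyInfo )
        return 0;

    /* Grow the buffer until the whole list fits. realloc goes through a
     * temporary so the original block is neither leaked nor dereferenced
     * when the reallocation fails. */
    while ( ( status = NtQuerySystemInformation( 5, pbyInfo, cInfoSize, 0 ) ) == STATUS_INFO_LENGTH_MISMATCH ) {
        PBYTE pbyNew;
        cInfoSize += 0x2000;
        pbyNew = ( PBYTE ) realloc( pbyInfo, cInfoSize );
        if ( !pbyNew ) {
            free( pbyInfo );
            return 0;
        }
        pbyInfo = pbyNew;
    }
    if ( status < 0 ) {   /* NT_SUCCESS(): a negative NTSTATUS is an error — don't parse garbage */
        free( pbyInfo );
        return 0;
    }

    {
        DWORD dwPos = 0;   /* byte offset of the current record inside pbyInfo */
        for ( ;; ) {
            PPROCESSINFO pProcessInfo = ( PPROCESSINFO ) ( pbyInfo + dwPos );
            if ( pProcessInfo->dwProcessID == dwProcessId ) {
                /* Report the full count, copy only what fits. */
                DWORD dwCopy = pProcessInfo->dwThreadCount < dwSize ? pProcessInfo->dwThreadCount : dwSize;
                dwCount = pProcessInfo->dwThreadCount;
                for ( DWORD i = 0; i < dwCopy; ++i )
                    pThreadList[ i ] = pProcessInfo->ti[ i ];
                break;
            }
            if ( pProcessInfo->dwOffset == 0 )
                break;   /* last record, process not present */
            /* Defensive: a malformed offset must not walk us past the buffer. */
            if ( pProcessInfo->dwOffset > cInfoSize - sizeof *pProcessInfo - dwPos )
                break;
            dwPos += pProcessInfo->dwOffset;
        }
    }

    free( pbyInfo );
    return dwCount;
}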
> NtCreateProcess NTSYSAPI NTSTATUS NTAPI ZwCreateProcess( OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN HANDLE ParentProcess, IN BOOLEAN InheritObjectTable, IN HANDLE SectionHandle OPTIONAL, IN HANDLE DebugPort OPTIONAL, IN HANDLE ExceptionPort OPTIONAL ); > NtCreateThread NTSYSAPI NTSTATUS NTAPI ZwCreateThread( OUT PHANDLE ThreadHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN HANDLE ProcessHandle, OUT PCLIENT_ID ClientId, IN PCONTEXT ThreadContext, IN PINITIAL_TEB InitialTeb, IN BOOLEAN CreateSuspended ); > NtTerminateProcess NTSYSAPI NTSTATUS NTAPI ZwTerminateProcess( IN HANDLE ProcessHandle OPTIONAL, IN NTSTATUS ExitStatus ); > NtTerminateThread NTSYSAPI NTSTATUS NTAPI ZwTerminateThread( IN HANDLE ThreadHandle OPTIONAL, IN NTSTATUS ExitStatus );
> NtLoadDriver NTSYSAPI NTSTATUS NTAPI NtLoadDriver( IN PUNICODE_STRING DriverServiceName );
> NtUnloadDriver NTSYSAPI NTSTATUS NTAPI NtUnloadDriver( IN PUNICODE_STRING DriverServiceName ); > LdrLoadDll NTSTATUS NTAPI LdrLoadDll( IN PWSTR DllPath OPTIONAL, IN PULONG DllCharacteristics OPTIONAL, IN PUNICODE_STRING DllName, OUT PVOID *DllHandle ); > LdrUnloadDll NTSTATUS NTAPI LdrUnloadDll( IN PVOID DllHandle );
> NtShutdownSystem NTSYSAPI NTSTATUS NTAPI ZwShutdownSystem( IN SHUTDOWN_ACTION Action ); > NtSuspendThread NTSYSAPI NTSTATUS NTAPI ZwSuspendThread( IN HANDLE ThreadHandle, OUT PULONG PreviousSuspendCount OPTIONAL ); > LdrShutdownProcess VOID NTAPI LdrShutdownProcess( VOID );
> LdrShutdownThread VOID NTAPI LdrShutdownThread( VOID );
(c) 1999 Klaus P. Gerlicher
Last revised: August 03, 1999.