Windows NT/2000 Native API Reference

Introduction. Chapter 1. System Information and Control. ZwQuerySystemInformation. ZwSetSystemInformation. SYSTEM_INFORMATION_CLASS. SystemBasicInformation. SystemProcessorInformation. SystemPerformanceInformation. SystemTimeOfDayInformation. SystemProcessesAndThreadsInformation. SystemCallCounts. SystemConfigurationInformation. SystemProcessorTimes. SystemGlobalFlag. SystemModuleInformation. SystemLockInformation. SystemHandleInformation. SystemObjectInformation. SystemPagefileInformation. SystemInstructionEmulationCounts. SystemCacheInformation. SystemPoolTagInformation. SystemProcessorStatistics. SystemDpcInformation. SystemLoadImage. SystemUnloadImage. SystemTimeAdjustment. SystemCrashDumpInformation. SystemExceptionInformation. SystemCrashDumpStateInformation. SystemKernelDebuggerInformation. SystemContextSwitchInformation. SystemRegistryQuotaInformation. SystemLoadAndCallImage. SystemPrioritySeparation. SystemTimeZoneInformation. SystemLookasideInformation. SystemSetTimeSlipEvent. SystemCreateSession. SystemDeleteSession. SystemRangeStartInformation. SystemVerifierInformation. SystemAddVerifier. SystemSessionProcessesInformation. SystemPoolBlocksInformation. SystemMemoryUsageInformation. Example 1.1: A Partial ToolHelp Library Implementation. Example 1.2: Listing Open Handles of a Process. ZwQuerySystemEnvironmentValue. ZwSetSystemEnvironmentValue. ZwSystemDebugControl. Example 1.3: Setting an Internal Breakpoint. Example 1.4: Getting Trace Information. 2. Objects, Object Directories, and Symbolic Links. Object Attributes. ZwQueryObject. ZwSetInformationObject. OBJECT_INFORMATION_CLASS. ObjectBasicInformation. ObjectNameInformation. ObjectTypeInformation. ObjectAllTypesInformation. ObjectHandleInformation. ZwDuplicateObject. ZwMakeTemporaryObject. ZwClose. Example 2.1: Listing Open Handles of a Process. ZwQuerySecurityObject. ZwSetSecurityObject. ZwCreateDirectoryObject. ZwOpenDirectoryObject. ZwQueryDirectoryObject. ZwCreateSymbolicLinkObject. ZwOpenSymbolicLinkObject. ZwQuerySymbolicLinkObject. 3. Virtual Memory. ZwAllocateVirtualMemory. ZwFreeVirtualMemory. ZwQueryVirtualMemory. MEMORY_INFORMATION_CLASS. MemoryBasicInformation. MemoryWorkingSetList. MemorySectionName. ZwLockVirtualMemory. ZwUnlockVirtualMemory . ZwReadVirtualMemory. ZwWriteVirtualMemory. ZwProtectVirtualMemory. ZwFlushVirtualMemory. ZwAllocateUserPhysicalPages. ZwFreeUserPhysicalPages. ZwMapUserPhysicalPages. ZwMapUserPhysicalPagesScatter. ZwGetWriteWatch. ZwResetWriteWatch. 4. Sections. ZwCreateSection. ZwOpenSection. ZwQuerySection. SECTION_INFORMATION_CLASS. SectionBasicInformation. SectionImageInformation. ZwExtendSection. ZwMapViewOfSection. ZwUnmapViewOfSection. ZwAreMappedFilesTheSame. ZwCreateThread. ZwOpenThread. ZwTerminateThread. ZwQueryInformationThread. ZwSetInformationThread. THREADINFOCLASS. ThreadBasicInformation. ThreadPriority. ThreadBasePriority. ThreadAffinityMask. ThreadImpersonationToken. ThreadEnableAlignmentFaultFixup. ThreadEventPair. ThreadQuerySetWin32StartAddress. ThreadZeroTlsCell. ThreadPerformanceCount. ThreadAmILastThread. ThreadIdealProcessor. ThreadPriorityBoost. ThreadSetTlsArrayAddress. ThreadIsIoPending. ThreadHideFromDebugger. SuspendThread. ZwResumeThread. ZwGetContextThread. ZwSetContextThread. ZwQueueApcThread. ZwTestAlert. ZwAlertThread. ZwAlertResumeThread. ZwRegisterThreadTerminatePort. ZwImpersonateThread. ZwImpersonateAnonymousToken. 6. Processes. ZwCreateProcess. ZwOpenProcess. ZwTerminateProcess. ZwQueryInformationProcess. ZwSetInformationProcess. PROCESSINFOCLASS. ProcessBasicInformation. ProcessQuotaLimits. ProcessIoCounters. ProcessVmCounters. ProcessTimes. ProcessBasePriority. ProcessRaisePriority. ProcessDebugPort. ProcessExceptionPort. ProcessAccessToken. ProcessDefaultHardErrorMode. ProcessPooledUsageAndLimits. ProcessWorkingSetWatch. ProcessUserModeIOPL. ProcessEnableAlignmentFaultFixup. ProcessPriorityClass. ProcessWx86Information. ProcessHandleCount. ProcessAffinityMask. ProcessPriorityBoost. ProcessDeviceMap. ProcessSessionInformation. ProcessForegroundInformation. ProcessWow64Information. RtlCreateProcessParameters. RtlDestroyProcessParameters. PROCESS_PARAMETERS. RtlCreateQueryDebugBuffer. RtlQueryProcessDebugInformation. RtlDestroyQueryDebugBuffer. DEBUG_BUFFER. Debug_module_information. debug_heap_information. Debug_lock_information. Example 6.1: Forking a Win32 Process. Example 6.2: Creating a Win32 Process. Example 6.3: Using RtlQueryProcessDebugInformation to Extend ToolHelp. Library Implementation. 7. Jobs. ZwCreateJobObject. ZwOpenJobObject. ZwTerminateJobObject. ZwAssignProcessToJobObject. ZwQueryInformationJobObject. ZwSetInformationJobObject. JOBOBJECTINFOCLASS. JobObjectBasicAccountingInformation. JobObjectBasicLimitInformation. JobObjectBasicProcessIdList. JobObjectBasicUIRestrictions. JobObjectSecurityLimitInformation. JobObjectEndOfJobTimeInformation. JobObjectAssociateCompletionPortInformation. JobObjectBasicAndIoAccountingInformation. JobObjectExtendedLimitInformation. 8. Tokens. ZwCreateToken. ZwOpenProcessToken. ZwOpenThreadToken. ZwDuplicateToken. ZwFilterToken. ZwAdjustPrivilegesToken. ZwAdjustGroupsToken. ZwQueryInformationToken. ZwSetInformationToken. TOKEN_INFORMATION_CLASS. TokenUser. TokenGroups and TokenRestrictedSids. TokenPrivileges. TokenOwner. TokenPrimaryGroup. TokenDefaultDacl. TokenSource. TokenType. TokenImpersonationLevel. TokenStatistics. TokenSessionId. Example 8.1: Creating Command Window for the SYSTEM User. 9. Synchronization. ZwWaitForSingleObject. ZwSignalAndWaitForSingleObject. ZwWaitForMultipleObjects. ZwCreateTimer. ZwOpenTimer. ZwCancelTimer. ZwSetTimer. ZwQueryTimer. TIMER_INFORMATION_CLASS. TimerBasicInformation. ZwCreateEvent. ZwOpenEvent. ZwSetEvent. ZwPulseEvent. ZwResetEvent. ZwClearEvent. ZwQueryEvent. EVENT_INFORMATION_CLASS. EventBasicInformation. ZwCreateSemaphore. ZwOpenSemaphore. ZwReleaseSemaphore. ZwQuerySemaphore. SEMAPHORE_INFORMATION_CLASS. SemaphoreBasicInformation. ZwCreateMutant. ZwOpenMutant. ZwReleaseMutant. ZwQueryMutant. MUTANT_INFORMATION_CLASS. MutantBasicInformation. ZwCreateIoCompletion. ZwOpenIoCompletion. ZwSetIoCompletion. ZwRemoveIoCompletion. ZwQueryIoCompletion. IO_COMPLETION_INFORMATION_CLASS. IoCompletionBasicInformation. ZwCreateEventPair. ZwOpenEventPair. ZwWaitLowEventPair. ZwWaitHighEventPair. ZwSetLowWaitHighEventPair. ZwSetHighWaitLowEventPair. ZwSetLowEventPair. ZwSetHighEventPair. 10. Time. ZwQuerySystemTime. ZwSetSystemTime. ZwQueryPerformanceCounter. ZwSetTimerResolution. ZwQueryTimerResolution. ZwDelayExecution. ZwYieldExecution. ZwGetTickCount. 11. Execution Profiling. KPROFILE_SOURCE. ZwCreateProfile. ZwSetIntervalProfile. ZwQueryIntervalProfile. ZwStartProfile. ZwStopProfile. Example 11.1: Profiling the Kernel. 12. Ports (Local Procedure Calls). PORT_MESSAGE. PORT_SECTION_WRITE. PORT_SECTION_READ. ZwCreatePort. ZwCreateWaitablePort. ZwConnectPort. ZwSecureConnectPort. ZwListenPort. ZwAcceptConnectPort. ZwCompleteConnectPort. ZwRequestPort. ZwRequestWaitReplyPort. ZwReplyPort. ZwReplyWaitReplyPort. ZwReplyWaitReceivePort. ZwReplyWaitReceivePortEx. ZwReadRequestData. ZwWriteRequestData. ZwQueryInformationPort. PORT_INFORMATION_CLASS. PortBasicInformation. ZwImpersonateClientOfPort. Example 12.1: Connecting to a amed Port. 13. Files. ZwCreateFile. ZwOpenFile. ZwDeleteFile. ZwFlushBuffersFile. ZwCancelIoFile. ZwReadFile. ZwWriteFile. ZwReadFileScatter. ZwWriteFileGather. ZwLockFile. ZwUnlockFile. ZwDeviceIoControlFile. ZwFsControlFile. ZwNotifyChangeDirectoryFile. FILE_NOTIFY_INFORMATION. ZwQueryEaFile. ZwSetEaFile. FILE_FULL_EA_INFORMATION. FILE_GET_EA_INFORMATION. ZwCreateNamedPipeFile. ZwCreateMailslotFile. ZwQueryVolumeInformationFile. ZwSetVolumeInformationFile. FS_INFORMATION_CLASS. FileFsVolumeInformation. FileFsLabelInformation. FileFsSizeInformation. FileFsDeviceInformation. FileFsAttributeInformation. FileFsControlInformation. FileFsFullSizeInformation. FileFsObjectIdInformation. ZwQueryQuotaInformationFile. ZwSetQuotaInformationFile. FILE_USER_QUOTA_INFORMATION. FILE_QUOTA_LIST_INFORMATION. ZwQueryAttributesFile. ZwQueryFullAttributesFile. ZwQueryInformationFile. ZwSetInformationFile. ZwQueryDirectoryFile. ZwQueryOleDirectoryFile. FILE_INFORMATION_CLASS. FileDirectoryInformation. FileFullDirectoryInformation. FileBothDirectoryInformation. FileBasicInformation. FileStandardInformation. FileInternalInformation. FileEaInformation. FileAccessInformation. FileNameInformation. FileRenameInformation and FileLinkInformation. FileNamesInformation. FileDispositionInformation. FilePositionInformation. FileModeInformation. FileAlignmentInformation. FileAllInformation. FileAllocationInformation. FileEndOfFileInformation. FileStreamInformation. FilePipeInformation. FilePipeLocalInformation. FilePipeRemoteInformation. FileMailslotQueryInformation. FileMailslotSetInformation. FileCompressionInformation. FileObjectIdInformation. FileCompletionInformation. FileMoveClusterInformation. FileQuotaInformation. FileReparsePointInformation. FileNetworkOpenInformation. FileAttributeTagInformation. Example 13.1: Opening a ile by File Identifier. 14. Registry Keys. ZwCreateKey. ZwOpenKey. ZwDeleteKey. ZwFlushKey. ZwSaveKey. ZwSaveMergedKeys. ZwRestoreKey. ZwLoadKey. ZwLoadKey2. ZwUnloadKey. ZwQueryOpenSubKeys. ZwReplaceKey. ZwSetInformationKey. KEY_SET_INFORMATION_CLASS. KeyLastWriteTimeInformation. ZwQueryKey. ZwEnumerateKey. KEY_INFORMATION_CLASS. KeyBasicInformation. KeyNodeInformation. KeyFullInformation. KeyNameInformation. ZwNotifyChangeKey. ZwNotifyChangeMultipleKeys. ZwDeleteValueKey. ZwSetValueKey. ZwQueryValueKey. ZwEnumerateValueKey. KEY_VALUE_INFORMATION_CLASS. KeyValueBasicInformation. KeyValueFullInformation and KeyValueFullInformationAlign64. KeyValuePartialInformation. ZwQueryMultipleValueKey KEY_VALUE_ENTRY. ZwInitializeRegistry. 15. Security and Auditing. ZwPrivilegeCheck. ZwPrivilegeObjectAuditAlarm. ZwPrivilegedServiceAuditAlarm. ZwAccessCheck. ZwAccessCheckAndAuditAlarm. ZwAccessCheckByType. ZwAccessCheckByTypeAndAuditAlarm. ZwAccessCheckByTypeResultList. ZwAccessCheckByTypeResultListAndAuditAlarm. ZwAccessCheckByTypeResultListAndAuditAlarmByHandle. ZwOpenObjectAuditAlarm. ZwCloseObjectAuditAlarm. ZwDeleteObjectAuditAlarm. 16. Plug and Play and Power Management. ZwRequestWakeupLatency. ZwRequestDeviceWakeup. ZwCancelDeviceWakeupRequest. ZwIsSystemResumeAutomatic. ZwSetThreadExecutionState. ZwGetDevicePowerState. ZwSetSystemPowerState. ZwInitiatePowerAction. ZwPowerInformation. POWER_INFORMATION_LEVEL. SystemPowerPolicyAc, SystemPowerPolicyDc, SystemPowerPolicyCurrent. SystemPowerCapabilities. SystemBatteryState. SystemPowerStateHandler. ProcessorStateHandler. AdministratorPowerPolicy. ProcessorInformation. SystemPowerInformation. ZwPlugPlayControl. ZwGetPlugPlayEvent. 17.Miscellany. ZwRaiseException. ZwContinue. ZwW32Call. ZwCallbackReturn. ZwSetLowWaitHighThread. ZwSetHighWaitLowThread. ZwLoadDriver. ZwUnloadDriver. ZwFlushInstructionCache. ZwFlushWriteBuffer. ZwQueryDefaultLocale. ZwSetDefaultLocale. ZwQueryDefaultUILanguage. ZwSetDefaultUILanguage. ZwQueryInstallUILanguage. ZwAllocateLocallyUniqueId. ZwAllocateUuids. ZwSetUuidSeed. ZwRaiseHardError. ZwSetDefaultHardErrorPort. ZwDisplayString. ZwCreatePagingFile. ZwAddAtom. ZwFindAtom. ZwDeleteAtom. ZwQueryInformationAtom. ATOM_INFORMATION_CLASS. AtomBasicInformation. AtomListInformation. ZwSetLdtEntries. ZwVdmControl. Unimplemented System Services. Appendix A: Calling System Services from Kernel Mode. Example A.1: Re-Implementing NtQueryEvent. Example A.2: Dynamically Binding to ntdll.dll. Appendix B: Intel Platform-Specific Entry Points to Kernel Mode. KiTrap03. KiTrap04. KiGetTickCount. KiCallbackReturn. KiSetLowWaitHighThread. KiDebugService. KiSystemService. Appendix C: Exceptions and Debugging. Example C.1: Pseudocode for KiDispatchException. Example C.2: Pseudocode for KiUserExceptionDispatcher. The Kernel Debugger. Example C.3: Pseudocode for DebugService. User Mode Debuggers. DEBUG_MESSAGE. Debug Message outing. Value Added by the Routing Process. OutputDebugString. Tracing Calls to Routines Exported by DLLs. Example C.4: A Trace Utility. Appendix D: NTFS On-Disk Structure. NTFS_RECORD_HEADER. FILE_RECORD_HEADER. ATTRIBUTE. RESIDENT_ATTRIBUTE. NONRESIDENT_ATTRIBUTE. AttributeStandardInformation. AttributeAttributeList. AttributeFileName. AttributeObjectId. AttributeSecurityDescriptor. AttributeVolumeName. AttributeVolumeInformation. AttributeData. AttributeIndexRoot. AttributeIndexAllocation. DIRECTORY_INDEX. DIRECTORY_ENTRY. AttributeBitmap. AttributeReparsePoint. AttributeEAInformation. AttributeEA. AttributePropertySet. AttributeLoggedUtilityStream. Special Files. Opening Special Files. Recovering Data from Deleted Files. Example D.1: Recovering Data from a File. Example D.2: Decompressing Recovered Data. Index.