avatar

NTDLL单元

unit ntdll;

interface

uses Windows;

type
PLARGE_INTEGER = ^LARGE_INTEGER;

//————————————————————-
type
NTSTATUS = Longint;

const
STATUS_SUCCESS           = NTSTATUS(0);

STATUS_NO_MORE_DATA      = NTSTATUS($8000001a);
STATUS_NO_MORE_FILES     = NTSTATUS($80000006);
STATUS_INVALID_PARAMETER = NTSTATUS($C000000D);

function RtlNtStatusToDosError( const Status : NTSTATUS ) : DWORD; stdcall;

//————————————————————-
// Counted String
type
TNtAnsiString = packed record
Length        : Word;
MaximumLength : Word;
Buffer        : PChar;
end;
PNtAnsiString = ^TNtAnsiString;
ANSI_STRING = TNtAnsiString;

TNtUnicodeString = packed record
Length        : Word;
MaximumLength : Word;
Buffer        : PWideChar;
end;
UNICODE_STRING = TNtUnicodeString;
PNtUnicodeString = ^TNtUnicodeString;

procedure RtlInitString( DestinationString : PNtAnsiString; SourceString : PChar ); stdcall;
procedure RtlInitAnsiString( DestinationString : PNtAnsiString; SourceString : PChar ); stdcall;
procedure RtlCopyString( DestinationString : PNtAnsiString; SourceString : PNtAnsiString ); stdcall;
function  RtlUpperChar ( Character : Char ) : Char; stdcall;
function  RtlCompareString( String1, String2 : PNtAnsiString; CaseInSensitive : Boolean ) : LongInt; stdcall;
function  RtlEqualString( String1, String2 : PNtAnsiString; CaseInSensitive : Boolean ) : Boolean; stdcall;
procedure RtlUpperString( DestinationString : PNtAnsiString; SourceString : PNtAnsiString ); stdcall;
procedure RtlFreeAnsiString( NtAnsiString : PNtAnsiString ); stdcall;

//————————————————————-
// NLS String functions
procedure RtlInitUnicodeString( DestinationString : PNtAnsiString; SourceString : PWideChar ); stdcall;
function  RtlAnsiStringToUnicodeString( DestinationString : PNtUnicodeString; SourceString : PNtAnsiString; AllocateDestinationString : Boolean ) : NTSTATUS; stdcall;
function  RtlUnicodeStringToAnsiString( DestinationString : PNtAnsiString; SourceString : PNtUnicodeString; AllocateDestinationString : Boolean ) : NTSTATUS; stdcall;
function  RtlCompareUnicodeString( String1, String2 : PNtUnicodeString; CaseInSensitive : Boolean ) : LongInt; stdcall;
function  RtlEqualCompareUnicodeString( String1, String2 : PNtUnicodeString; CaseInSensitive : Boolean ) : Boolean; stdcall;
function  RtlPrefixUnicodeString( String1, String2 : PNtUnicodeString; CaseInSensitive : Boolean ) : Boolean; stdcall;
function  RtlUpcaseUnicodeString( DestinationString : PNtUnicodeString; SourceString : PNtUnicodeString; AllocateDestinationString : Boolean ) : NTSTATUS; stdcall;
procedure RtlCopyUnicodeString( DestinationString : PNtUnicodeString; SourceString : PNtUnicodeString ); stdcall;
function  RtlAppendUnicodeStringToString( DestinationString : PNtUnicodeString; SourceString : PNtUnicodeString ): NTSTATUS; stdcall;
function  RtlAppendUnicodeToString( DestinationString : PNtUnicodeString; SourceString : PWideChar ): NTSTATUS; stdcall;
function  RtlUpcaseUnicodeChar( SourceCharacter : WideChar ) : WideChar; stdcall;
procedure RtlFreeUnicodeString( UnicodeString : PNtUnicodeString ); stdcall;
function  RtlxAnsiStringToUnicodeSize( NtAnsiString : PNtAnsiString ) : DWORD; stdcall;
function  RtlAnsiStringToUnicodeSize( NtAnsiString : PNtAnsiString ) : DWORD; stdcall;

1
2
3
//=============================================================
// The following are definitions for documented and undocumented native APIs
// and structures.

type

TNtObjectAttributes = packed record
Length                   : ULONG; // = SizeOf(OBJECT_ATTRIBUTES)

// Optionally specifies a handle to a directory obtained by a preceding call to NtCreateFile.
// If this value is NULL, the ObjectName member must be a fully qualified file specification
// that includes the full path to the target file.
// If this value is nonNULL, the ObjectName member specifies a file name relative to this directory.
RootDirectory            : THandle;

ObjectName               : PNtUnicodeString;

Attributes               : ULONG;
SecurityDescriptor       : Pointer; // Points to type SECURITY_DESCRIPTOR
SecurityQualityOfService : Pointer; // Points to type SECURITY_QUALITY_OF_SERVICE
end;
OBJECT_ATTRIBUTES = TNtObjectAttributes;
PNtObjectAttributes = ^TNtObjectAttributes;

// TNtObjectAttributes.Attributes
const
OBJ_INHERIT          = $00000002;
OBJ_PERMANENT        = $00000010;
OBJ_EXCLUSIVE        = $00000020;
OBJ_CASE_INSENSITIVE = $00000040;
OBJ_OPENIF           = $00000080;
OBJ_OPENLINK         = $00000100;
OBJ_VALID_ATTRIBUTES = $000001F2;

//————————————————————-
type
TIoStatusBlock = packed record
Status      : NTSTATUS;
Information : ULONG;
end;
IO_STATUS_BLOCK = TIoStatusBlock;
PIoStatusBlock = ^TIoStatusBlock;

// TIoStatusBlock.Information value
// Define the I/O status information return values for NtCreateFile/NtOpenFile
const
FILE_SUPERSEDED     = $00000000;
FILE_OPENED         = $00000001;
FILE_CREATED        = $00000002;
FILE_OVERWRITTEN    = $00000003;
FILE_EXISTS         = $00000004;
FILE_DOES_NOT_EXIST = $00000005;

//————————————————————-
// Define the file attributes values
//
// Note:  0×00000008 is reserved for use for the old DOS VOLID (volume ID)
//        and is therefore not considered valid in NT.
//
// Note:  0×00000010 is reserved for use for the old DOS SUBDIRECTORY flag
//        and is therefore not considered valid in NT.  This flag has
//        been disassociated with file attributes since the other flags are
//        protected with READ_ and WRITE_ATTRIBUTES access to the file.
//
// Note:  Note also that the order of these flags is set to allow both the
//        FAT and the Pinball File Systems to directly set the attributes
//        flags in attributes words without having to pick each flag out
//        individually.  The order of these flags should not be changed!
//
const
FILE_ATTRIBUTE_READONLY            = $00000001;
FILE_ATTRIBUTE_HIDDEN              = $00000002;
FILE_ATTRIBUTE_SYSTEM              = $00000004;
//OLD DOS VOLID                        $00000008
FILE_ATTRIBUTE_DIRECTORY           = $00000010;
FILE_ATTRIBUTE_ARCHIVE             = $00000020;
FILE_ATTRIBUTE_DEVICE              = $00000040;
FILE_ATTRIBUTE_NORMAL              = $00000080;

FILE_ATTRIBUTE_TEMPORARY           = $00000100;
FILE_ATTRIBUTE_SPARSE_FILE         = $00000200;
FILE_ATTRIBUTE_REPARSE_POINT       = $00000400;
FILE_ATTRIBUTE_COMPRESSED          = $00000800;

FILE_ATTRIBUTE_OFFLINE             = $00001000;
FILE_ATTRIBUTE_NOT_CONTENT_INDEXED = $00002000;
FILE_ATTRIBUTE_ENCRYPTED           = $00004000;

FILE_ATTRIBUTE_VALID_FLAGS     = $00007fb7;
FILE_ATTRIBUTE_VALID_SET_FLAGS = $000031a7;
//————————————————————-

const
FILE_READ_DATA        = $0001; // file & pipe
FILE_LIST_DIRECTORY   = $0001; // directory

FILE_WRITE_DATA       = $0002; // file & pipe
FILE_ADD_FILE         = $0002; // directory

FILE_APPEND_DATA          = $0004; // file
FILE_ADD_SUBDIRECTORY     = $0004; // directory
FILE_CREATE_PIPE_INSTANCE = $0004; // named pipe

FILE_READ_EA              = $0008; // file & directory
FILE_WRITE_EA             = $0010; // file & directory

FILE_EXECUTE              = $0020; // file
FILE_TRAVERSE             = $0020; // directory

FILE_DELETE_CHILD         = $0040; // directory
FILE_READ_ATTRIBUTES      = $0080; // all
FILE_WRITE_ATTRIBUTES     = $0100; // all

FILE_ALL_ACCESS      = STANDARD_RIGHTS_REQUIRED or SYNCHRONIZE or $01FF;
FILE_GENERIC_READ    = STANDARD_RIGHTS_READ or FILE_READ_DATA or FILE_READ_ATTRIBUTES or FILE_READ_EA or SYNCHRONIZE;
FILE_GENERIC_WRITE   = STANDARD_RIGHTS_WRITE or FILE_WRITE_DATA or FILE_WRITE_ATTRIBUTES or FILE_WRITE_EA or FILE_APPEND_DATA or SYNCHRONIZE;
FILE_GENERIC_EXECUTE = STANDARD_RIGHTS_EXECUTE or FILE_READ_ATTRIBUTES or FILE_EXECUTE or SYNCHRONIZE;

//————————————————————-
// Define the create disposition values
FILE_SUPERSEDE           = $00000000;
FILE_OPEN                = $00000001;
FILE_CREATE              = $00000002;
FILE_OPEN_IF             = $00000003;
FILE_OVERWRITE           = $00000004;
FILE_OVERWRITE_IF        = $00000005;
FILE_MAXIMUM_DISPOSITION = $00000005;

//————————————————————-
// Define the create/open option flags
const
FILE_DIRECTORY_FILE              = $00000001;
FILE_WRITE_THROUGH               = $00000002;
FILE_SEQUENTIAL_ONLY             = $00000004;
FILE_NO_INTERMEDIATE_BUFFERING   = $00000008;

FILE_SYNCHRONOUS_IO_ALERT        = $00000010;
FILE_SYNCHRONOUS_IO_NONALERT     = $00000020;
FILE_NON_DIRECTORY_FILE          = $00000040;
FILE_CREATE_TREE_CONNECTION      = $00000080;

FILE_COMPLETE_IF_OPLOCKED        = $00000100;
FILE_NO_EA_KNOWLEDGE             = $00000200;
FILE_OPEN_FOR_RECOVERY           = $00000400;
FILE_RANDOM_ACCESS               = $00000800;

FILE_DELETE_ON_CLOSE             = $00001000;
FILE_OPEN_BY_FILE_ID             = $00002000;
FILE_OPEN_FOR_BACKUP_INTENT      = $00004000;
FILE_NO_COMPRESSION              = $00008000;

FILE_RESERVE_OPFILTER            = $00100000;
FILE_OPEN_REPARSE_POINT          = $00200000;
FILE_OPEN_NO_RECALL              = $00400000;
FILE_OPEN_FOR_FREE_SPACE_QUERY   = $00800000;

FILE_COPY_STRUCTURED_STORAGE     = $00000041;
FILE_STRUCTURED_STORAGE          = $00000441;

FILE_VALID_OPTION_FLAGS          = $00ffffff;
FILE_VALID_PIPE_OPTION_FLAGS     = $00000032;
FILE_VALID_MAILSLOT_OPTION_FLAGS = $00000032;
FILE_VALID_SET_FLAGS             = $00000036;

//————————————————————-
// Object Manager Object Type Specific Access Rights.
const
OBJECT_TYPE_CREATE     = $0001;
OBJECT_TYPE_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED or $1;

// Object Manager Directory Specific Access Rights.
DIRECTORY_QUERY               = $0001;
DIRECTORY_TRAVERSE            = $0002;
DIRECTORY_CREATE_OBJECT       = $0004;
DIRECTORY_CREATE_SUBDIRECTORY = $0008;
DIRECTORY_ALL_ACCESS          = STANDARD_RIGHTS_REQUIRED or $F;

// Object Manager Symbolic Link Specific Access Rights.
SYMBOLIC_LINK_QUERY      = $0001;
SYMBOLIC_LINK_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED or $1;

type
TNtObjectNameInformation = packed record
Name : UNICODE_STRING;
end;
OBJECT_NAME_INFORMATION = TNtObjectNameInformation;
PNtObjectNameInformation = ^TNtObjectNameInformation;

const
DUPLICATE_CLOSE_SOURCE    = $00000001;
DUPLICATE_SAME_ACCESS     = $00000002;
DUPLICATE_SAME_ATTRIBUTES = $00000004;

//————————————————————-
// Section Information Structures.
type
TSectionInherit = (ViewNone,ViewShare,ViewUnmap);
SECTION_INHERIT = TSectionInherit;

// Section Access Rights.
const
SECTION_QUERY       = $0001;
SECTION_MAP_WRITE   = $0002;
SECTION_MAP_READ    = $0004;
SECTION_MAP_EXECUTE = $0008;
SECTION_EXTEND_SIZE = $0010;

SECTION_ALL_ACCESS  = STANDARD_RIGHTS_REQUIRED or SECTION_QUERY or SECTION_MAP_WRITE or SECTION_MAP_READ or SECTION_MAP_EXECUTE or SECTION_EXTEND_SIZE;
SEGMENT_ALL_ACCESS  = SECTION_ALL_ACCESS;

PAGE_NOACCESS          = $01;
PAGE_READONLY          = $02;
PAGE_READWRITE         = $04;
PAGE_WRITECOPY         = $08;
PAGE_EXECUTE           = $10;
PAGE_EXECUTE_READ      = $20;
PAGE_EXECUTE_READWRITE = $40;
PAGE_EXECUTE_WRITECOPY = $80;
PAGE_GUARD             = $100;
PAGE_NOCACHE           = $200;
PAGE_WRITECOMBINE      = $400;

MEM_COMMIT             = $1000;
MEM_RESERVE            = $2000;
MEM_DECOMMIT           = $4000;
MEM_RELEASE            = $8000;
MEM_FREE               = $10000;
MEM_PRIVATE            = $20000;
MEM_MAPPED             = $40000;
MEM_RESET              = $80000;
MEM_TOP_DOWN           = $100000;
MEM_LARGE_PAGES        = $20000000;
MEM_4MB_PAGES          = $80000000;
SEC_RESERVE            = $4000000;
PROCESS_DUP_HANDLE     = $0040;
PROCESS_ALL_ACCESS     = STANDARD_RIGHTS_REQUIRED or SYNCHRONIZE or $FFF;
//————————————————————-
// Process Information Classes
type
TProcessInfoClass = (ProcessBasicInformation,ProcessQuotaLimits,
ProcessIoCounters,ProcessVmCounters,
ProcessTimes,ProcessBasePriority,ProcessRaisePriority,
ProcessDebugPort,ProcessExceptionPort,
ProcessAccessToken,ProcessLdtInformation,
ProcessLdtSize,ProcessDefaultHardErrorMode,
ProcessIoPortHandlers,ProcessPooledUsageAndLimits,
ProcessWorkingSetWatch,ProcessUserModeIOPL,
ProcessEnableAlignmentFaultFixup,ProcessPriorityClass,
ProcessWx86Information,ProcessHandleCount,
ProcessAffinityMask,ProcessPriorityBoost,
ProcessDeviceMap,ProcessSessionInformation,
ProcessForegroundInformation,ProcessWow64Information,
MaxProcessInfoClass);
PROCESSINFOCLASS =  TProcessInfoClass;

// Thread Information Classes
TThreadInfoClass = (ThreadBasicInformation,ThreadTimes,ThreadPriority,
ThreadBasePriority,ThreadAffinityMask,
ThreadImpersonationToken,ThreadDescriptorTableEntry,
ThreadEnableAlignmentFaultFixup,ThreadEventPair_Reusable,
ThreadQuerySetWin32StartAddress,ThreadZeroTlsCell,
ThreadPerformanceCount,ThreadAmILastThread,
ThreadIdealProcessor,ThreadPriorityBoost,
ThreadSetTlsArrayAddress,ThreadIsIoPending,
ThreadHideFromDebugger,MaxThreadInfoClass);
THREADINFOCLASS = TThreadInfoClass;

//————————————————————-
type
TFileInformationClass = (__FileInformationNone,FileDirectoryInformation,
FileFullDirectoryInformation,FileBothDirectoryInformation,
FileBasicInformation,FileStandardInformation,
FileInternalInformation,FileEaInformation,
FileAccessInformation,FileNameInformation,
FileRenameInformation,FileLinkInformation,
FileNamesInformation,FileDispositionInformation,
FilePositionInformation,FileFullEaInformation,
FileModeInformation,FileAlignmentInformation,
FileAllInformation,FileAllocationInformation,
FileEndOfFileInformation,FileAlternateNameInformation,
FileStreamInformation,FilePipeInformation,
FilePipeLocalInformation,FilePipeRemoteInformation,
FileMailslotQueryInformation,FileMailslotSetInformation,
FileCompressionInformation,FileCopyOnWriteInformation,
FileCompletionInformation,FileMoveClusterInformation,
FileOleClassIdInformation,FileOleStateBitsInformation,
FileNetworkOpenInformation,FileObjectIdInformation,
FileOleAllInformation,FileOleDirectoryInformation,
FileContentIndexInformation,FileInheritContentIndexInformation,
FileOleInformation,FileMaximumInformation
);
FILE_INFORMATION_CLASS = TFileInformationClass;
PFileInformationClass = ^TFileInformationClass;

// Define the various structures which are returned on query operations
type
TFileBasicInformation = record
CreationTime   : LARGE_INTEGER;
LastAccessTime : LARGE_INTEGER;
LastWriteTime  : LARGE_INTEGER;
ChangeTime     : LARGE_INTEGER;
FileAttributes : ULONG;
end;
FILE_BASIC_INFORMATION = TFileBasicInformation;
PFileBasicInformation = ^TFileBasicInformation;

TFileStandardInformation = packed record
AllocationSize : LARGE_INTEGER;
EndOfFile      : LARGE_INTEGER;
NumberOfLinks  : ULONG;
DeletePending  : Boolean;
Directory      : Boolean;
end;
FILE_STANDARD_INFORMATION = TFileStandardInformation;
PFileStandardInformation = ^TFileStandardInformation;

TFilePositionInformation = record
CurrentByteOffset : LARGE_INTEGER;
end;
FILE_POSITION_INFORMATION = TFilePositionInformation;
PFilePositionInformation = ^TFilePositionInformation;

TFileAlignmentInformation = record
AlignmentRequirement : ULONG;
end;
FILE_ALIGNMENT_INFORMATION = TFileAlignmentInformation;
PFileAlignmentInformation = ^TFileAlignmentInformation;

TFileNameInformation = packed record
FileNameLength : ULONG;
FileName       : Array[0..0] of WideChar;
end;
FILE_NAME_INFORMATION = TFileNameInformation;
PFileNameInformation = ^TFileNameInformation;

TFileNetworkOpenInformation = record
CreationTime   : LARGE_INTEGER;
LastAccessTime : LARGE_INTEGER;
LastWriteTime  : LARGE_INTEGER;
ChangeTime     : LARGE_INTEGER;
AllocationSize : LARGE_INTEGER;
EndOfFile      : LARGE_INTEGER;
FileAttributes : ULONG;
end;
FILE_NETWORK_OPEN_INFORMATION = TFileNetworkOpenInformation;
PFileNetworkOpenInformation = ^TFileNetworkOpenInformation;

TFileAttributeTagInformation = packed record
FileAttributes : ULONG;
ReparseTag : ULONG;
end;
FILE_ATTRIBUTE_TAG_INFORMATION = TFileAttributeTagInformation;
PFileAttributeTagInformation = ^TFileAttributeTagInformation;

TFileDispositionInformation = packed record
DeleteFile : Boolean;
end;
FILE_DISPOSITION_INFORMATION = TFileDispositionInformation;
PFileDispositionInformation = ^TFileDispositionInformation;

TFileEndOfFileInformation = record
EndOfFile : LARGE_INTEGER;
end;
FILE_END_OF_FILE_INFORMATION = TFileEndOfFileInformation;
PFileEndOfFileInformation = ^TFileEndOfFileInformation;

TFileFullEAIinformation = packed record
NextEntryOffset : ULONG;
Flags           : Byte;
EaNameLength    : Byte;
EaValueLength   : Word;
EaName          : Array[0..0] of Char;
end;
FILE_FULL_EA_INFORMATION = TFileFullEAIinformation;
PFileFullEAIinformation = ^TFileFullEAIinformation;

type
TFileDirectoryInformation = packed record
NextEntryOffset : ULONG;
FileIndex       : ULONG;
CreationTime    : LARGE_INTEGER;
LastAccessTime  : LARGE_INTEGER;
LastWriteTime   : LARGE_INTEGER;
ChangeTime      : LARGE_INTEGER;
EndOfFile       : LARGE_INTEGER;
AllocationSize  : LARGE_INTEGER;
FileAttributes  : ULONG;
FileNameLength  : ULONG;
FileName : Array[0..0] of WideChar;
end;
FILE_DIRECTORY_INFORMATION = TFileDirectoryInformation;
PFileDirectoryInformation = ^TFileDirectoryInformation;

type
TIoApcRoutine = procedure ( ApcContext : Pointer; IoStatusBlock : PIoStatusBlock; Reserved : ULONG ); stdcall;

//————————————————————-
// NtCreateFile either causes a new file or directory to be created,
// or it opens an existing file, device, directory, or volume,
// giving the caller a handle for the file object.
// This handle can be used by subsequent calls to manipulate data
// within the file or the file object’s state or attributes.
// For example, a driver might call this routine during initialization
//     to open a file of microcode for its device.
function NtCreateFile(
// Points to a variable that receives the file handle if the call is successful.
var FileHandle      : THandle;

// Specifies the type of access that the caller requires to the file or directory.
const DesiredAccess : ACCESS_MASK;

// Pointer to a structure that a caller initializes with InitializeObjectAttributes
var ObjectAttributes    : TNtObjectAttributes;

// Points to a variable that receives the final completion status
// and information about the requested operation.
var IoStatusBlock   : TIoStatusBlock;

// Optionally specifies the initial allocation size in bytes for the file.
// A nonzero value has no effect unless the file is being created, overwritten,
// or superseded.
AllocationSize      : PLARGE_INTEGER;

// Explicitly specified attributes are applied only when the file is created,
// superseded, or, in some cases, overwritten.
const FileAttributes: ULONG;

// Specifies the type of share access that the caller would like to the file.
// Device and intermediate drivers usually set ShareAccess to zero, which gives
// the caller exclusive access to the open file.
const ShareAccess       : ULONG;

// Specifies what to do, depending on whether the file already exists
const CreateDisposition : ULONG;

// Specifies the options to be applied when creating or opening the file
const CreateOptions     : ULONG;

// For device and intermediate drivers, this parameter must be a NULL pointer
EaBuffer          : Pointer;

// For device and intermediate drivers, this parameter must be zero
EaLength          : ULONG

) : NTSTATUS; stdcall;

//————————————————————-
// NtOpenFile opens an existing file, device, directory, or volume,
// and returns a handle for the file object
function NtOpenFile(
// Points to a variable that receives the file handle if the call is successful.
var FileHandle : THandle;

// Specifies the type of access that the caller requires to the file or directory.
const     DesiredAccess : ACCESS_MASK;

// Pointer to a structure that a caller initializes with InitializeObjectAttributes
var ObjectAttributes : TNtObjectAttributes;

// Points to a variable that receives the final completion status
// and information about the requested operation.
var IoStatusBlock : TIoStatusBlock;

// Specifies the type of share access that the caller would like to the file.
// Device and intermediate drivers usually set ShareAccess to zero, which gives
// the caller exclusive access to the open file.
const ShareAccess : ULONG;

// Specifies the options to be applied when opening the file
const OpenOptions : ULONG
) : NTSTATUS; stdcall;

//————————————————————-
// NtQueryInformationFile returns various kinds of information about a given file object
function NtQueryInformationFile(
const FileHandle : THandle;

// Points to a variable that receives the final completion status and information about the operation.
var IoStatusBlock : TIoStatusBlock;

// Points to a caller-allocated buffer or variable that receives the desired information about the file.
// The contents of FileInformation are defined by the FileInformationClass parameter.
FileInformation : Pointer;

// Specifies the size in bytes of FileInformation, which the caller should set according to the given FileInformationClass.
Length : ULONG;

// Specifies the type of information to be returned about the file.
FileInformationClass : TFileInformationClass
) : NTSTATUS; stdcall;

//————————————————————-
// NtSetInformationFile changes various kinds of information about a given file object.
function NtSetInformationFile(
FileHandle : THandle;

// Points to a variable that receives the final completion status and information about the operation.
var IoStatusBlock : TIoStatusBlock;

// Points to a buffer or variable containing the information to be set for the file.
// The contents of FileInformation are defined by the FileInformationClass parameter.
// Setting any member of the structure in this buffer or variable to zero tells NtSetInformationFile
// to leave the current information about the file for that member unchanged.
FileInformation : Pointer;

// Specifies the size in bytes of FileInformation, which the caller should set according to the given FileInformationClass.
Length : ULONG;

// Specifies the type of information to be reset for file.
FileInformationClass: TFileInformationClass
) : NTSTATUS; stdcall;

//————————————————————-
// Data can be read from an opened file using NtReadFile
function NtReadFile(
FileHandle : THandle;

// Specifies an optional handle for an event to be set to the signaled
// state after the read operation completes.
// Device and intermediate drivers should set this parameter to NULL.
Event : THandle;

// Device and intermediate drivers should set this pointer to NULL.
ApcRoutine : TIoApcRoutine;

// Device and intermediate drivers should set this pointer to NULL.
ApcContext:Pointer;

// Points to a variable that receives the final completion status and information about the operation.
var IoStatusBlock : TIoStatusBlock;

// Pointer to a caller-allocated buffer that receives the data read from the file.
Buffer : Pointer;

// Specifies the size in bytes of the given Buffer.
// A successful call to ZwReadFile returns the given number of bytes from the file,
// unless this routine reaches the end of file first.
Length : ULONG;

// Pointer to a variable that specifies the starting byte offset in the file
// where the read operation will begin.
// If an attempt is made to read beyond the end of the file, NtReadFile returns an error.
ByteOffset : PLARGE_INTEGER;

// Device and intermediate drivers should set this pointer to NULL.
Key : PDWORD
) : NTSTATUS; stdcall;

//————————————————————-
// Data can be written to an open file using NtWriteFile.
function NtWriteFile(
FileHandle : THandle;

// Specifies an optional handle for an event to be set to the signaled
// state after operation completes.
// Device and intermediate drivers should set this parameter to NULL.
Event : THandle;

// Device and intermediate drivers should set this pointer to NULL.
ApcRoutine : TIoApcRoutine;

// Device and intermediate drivers should set this pointer to NULL.
ApcContext:Pointer;

// Points to a variable that receives the final completion status and information about the operation.
var IoStatusBlock : TIoStatusBlock;

// Pointer to a caller-allocated buffer containing the data to be written to the file.
Buffer : Pointer;

// Specifies the size in bytes of the given Buffer.
// A successful call to NtWriteFile transfers the given number of bytes to the file.
// If necessary, the length of the file is extended.
Length : ULONG;

// Pointer to a variable that specifies the starting byte offset in the file
// where the read operation will begin.
// If an attempt is made to read beyond the end of the file, NtReadFile returns an error.
ByteOffset : PLARGE_INTEGER;

// Device and intermediate drivers should set this pointer to NULL.
Key : PDWORD
) : NTSTATUS; stdcall;

//————————————————————-
// NtClose closes object handles.
// A named object is not actually deleted until all of its valid handles are closed
// and no referenced pointers remain.
function NtClose( Handle : THandle ) : NTSTATUS; stdcall;

//————————————————————-
// NtCreateDirectoryObject creates or opens a directory object, which is a container for other objects.
function NtCreateDirectoryObject(
// Points to a variable that receives the directory object handle if the call is successful.
var DirectoryHandle : THandle;

// Specifies the type of access that the caller requires to the directory object.
// This value is compared with the granted access on an existing directory object.
const DesiredAccess : ACCESS_MASK;

// Points to a structure that specifies the object’s attributes,
// which has already been initialized with InitializeObjectAttributes.
var ObjectAttributes : TNtObjectAttributes
) : NTSTATUS; stdcall;

//————————————————————-
// NtOpenDirectoryObject opens a directory object, which is a container for other objects.
function NtOpenDirectoryObject(
// Points to a variable that receives the directory object handle if the call is successful.
var DirectoryHandle : THandle;

// Specifies the type of access that the caller requires to the directory object.
// This value is compared with the granted access on an existing directory object.
const DesiredAccess : ACCESS_MASK;

// Points to a structure that specifies the object’s attributes,
// which has already been initialized with InitializeObjectAttributes.
var ObjectAttributes : TNtObjectAttributes
) : NTSTATUS; stdcall;

//————————————————————-
// warning: reconstruction
//
// NtQueryDirectoryObject returns various kinds of information about a given directory object
type
TDirectoryInformationClass = TFileInformationClass; // !!!! It is wrong

TDirectoryInformationType1 = packed record
ObjectName     : TNtUnicodeString;
ObjectTypeName : TNtUnicodeString;
end;

function NtQueryDirectoryObject(
const FileHandle : THandle;

// Points to a caller-allocated buffer or variable that receives the desired information about the directory.
// The contents of FileInformation are defined by the FileInformationClass parameter.
DirectoryInformation : Pointer;

// Specifies the size in bytes of DirectoryInformation,
// which the caller should set according to the given DirectoryInformationClass.
const Length : ULONG;

// Specifies the type of information to be returned about the file.
DirectoryInformationClass : TDirectoryInformationClass; // ??? = 1

// False for first call
RestartScan : Boolean;

var dwIndex : DWORD;

var cbBytesReturned : DWORD

) : NTSTATUS; stdcall;

//————————————————————-
function NtQueryDirectoryFile(
const FileHandle : THandle;

// Specifies an optional handle for an event to be set to the signaled
// state after operation completes.
// Device and intermediate drivers should set this parameter to NULL.
const Event : THandle;

// set this pointer to NULL.
ApcRoutine : TIoApcRoutine;

// set this pointer to NULL.
ApcContext : Pointer;

// Points to a variable that receives the final completion status and information about the operation.
var IoStatusBlock : TIoStatusBlock;

// Points to a caller-allocated buffer or variable that receives the desired information about file from directory.
// The contents of FileInformation are defined by the FileInformationClass parameter.
FileInformation : Pointer;

// Specifies the size in bytes of FileInformation, which the caller should set according to the given FileInformationClass.
Length : ULONG;

// Specifies the type of information to be returned about the file.
FileInformationClass: TFileInformationClass;

ReturnSingleEntry : Boolean;

FileName : PNtUnicodeString;

// False for first call
RestartScan : Boolean
) : NTSTATUS; stdcall;

//————————————————————-
// NtMakeTemporaryObject changes the attributes of an object to make it temporary.
function NtMakeTemporaryObject( Handle : THandle ) : NTSTATUS; stdcall;

//————————————————————-
// NtOpenSection opens a handle for an existing section object.
function NtOpenSection(
// Points to a variable that will receive the section object handle if this call is successful.
out SectionHandle : THandle;

// Specifies a mask representing the requested access to the object.
const DesiredAccess : ACCESS_MASK;

// Points to the initialized object attributes of the section to be opened.
ObjectAttributes : TNtObjectAttributes
) : NTSTATUS; stdcall;

//————————————————————-
// NtMapViewOfSection maps a view of a section into the virtual address space of a subject process.
function NtMapViewOfSection(
// Is the handle returned by a successful call to NtOpenSection.
SectionHandle : THandle;

// Is the handle of an opened process object, representing the process for which the view should be mapped.
ProcessHandle : THandle;

// Points to a variable that will receive the base address of the view.
// If the initial value of this argument is nonNULL,
// the view is allocated starting at the specified virtual address
// rounded down to the next 64-kilobyte address boundary.
var BaseAddress : Pointer;

// Specifies the number of high-order address bits that must be zero
// in the base address of the section view.
// The value of this argument must be less than 21 and is used only
// when the operating system determines where to allocate the view, as when BaseAddress is NULL.
ZeroBits : ULONG;

// Specifies the size, in bytes, of the initially committed region of the view.
// CommitSize is only meaningful for page-file backed sections.
// For mapped sections, both data and image are always committed at section creation time.
// This parameter is ignored for mapped files. This value is rounded up to the next host-page-size boundary.
CommitSize : ULONG;

// Points to the offset, in bytes, from the beginning of the section to the view.
// If this pointer is nonNULL, the given value is rounded down to the next allocation granularity size boundary.
SectionOffset : PLARGE_INTEGER;

// Points to a variable that will receive the actual size, in bytes, of the view.
// If the value of this parameter is zero, a view of the section will be mapped starting
// at the specified section offset and continuing to the end of the section.
// Otherwise, the initial value of this argument specifies the size of the view,
// in bytes, and is rounded up to the next host page-size boundary.
ViewSize : DWORD;

// Specifies how the view is to be shared by a child process
// created with a create process operation.
// Device and intermediate drivers should set this parameter to ViewNone.
InheritDisposition : SECTION_INHERIT;

// A set of flags that describes the type of allocation to be performed for the specified region of pages.
AllocationType : ULONG;

// Specifies the protection for the region of initially committed pages.
// Device and intermediate drivers should set this value to PAGE_READWRITE.
Protect : ULONG
) : NTSTATUS; stdcall;

//————————————————————-
// NtUnmapViewOfSection unmaps a view of a section from the virtual address space of a subject process.
function NtUnmapViewOfSection(
// Specifies an open handle of the process that was passed in a preceding call to NtMapViewOfSection.
const ProcessHandle : THandle;

// Points to the base virtual address of the view that is to be unmapped.
// This value can be any virtual address within the view.
const BaseAddress : Pointer
) : NTSTATUS; stdcall;

//————————————————————-
// NtSetInformationThread can be called to set the priority of a thread for which the caller has a handle.
function NtSetInformationThread(
// Is the open handle for a thread.
ThreadHandle : THandle;

// Is one of the system-defined values ThreadPriority or ThreadBasePriority.
ThreadInformationClass : THREADINFOCLASS;

// Points to a variable specifying the information to be set.
// If ThreadInformationClass is ThreadPriority, this value must be > LOW_PRIORITY and <= HIGH_PRIORITY.
// If ThreadInformationClass is ThreadBasePriority, this value must fall within the system’s
// valid base priority range and the original priority class for the given thread:
// that is, if a thread’s priority class is variable, that thread’s base priority cannot be reset to a real-time priority value and vice versa.
ThreadInformation : Pointer;

// Is the size in bytes of ThreadInformation, which must be at least sizeof(KPRIORITY).
ThreadInformationLength : ULONG
) : NTSTATUS; stdcall;

{function NtCreateKey(
out KeyHandle : THandle;
const DesiredAccess : ACCESS_MASK;
ObjectAttributes : TNtObjectAttributes;
TitleIndex:ULONG;
ObjectClass : PNtUnicodeString;
CreateOptions:ULONG;
Disposition:PULONG
) : NTSTATUS; stdcall;

function NtOpenKey(
out KeyHandle : THandle;
DesiredAccess : ACCESS_MASK;
ObjectAttributes : PNtObjectAttributes
) : NTSTATUS; stdcall;

function NtDeleteKey( KeyHandle : THandle ) : NTSTATUS; stdcall;

function NtEnumerateKey(
KeyHandle : THandle;
Index:ULONG;
KeyInformationClass : KEY_INFORMATION_CLASS;
KeyInformation : Pointer;
Length : ULONG;
ResultLength : PDWORD
) : NTSTATUS; stdcall;

function NtEnumerateValueKey(
KeyHandle : THandle;
Index : ULONG;
KeyValueInformationClass : KEY_VALUE_INFORMATION_CLASS;
KeyValueInformation : Pointer;
Length:ULONG;
ResultLength : PULONG
) : NTSTATUS; stdcall;

function NtFlushKey( KeyHandle : THandle ) : NTSTATUS; stdcall;

function NtQueryKey(
KeyHandle : THandle;
KeyInformationClass : KEY_INFORMATION_CLASS;
KeyInformation:Pointer;
Length : ULONG;
ResultLength : PDWORD
) : NTSTATUS; stdcall;

function NtQueryValueKey(
KeyHandle : THandle;
ValueName : PUNICODE_STRING;
KeyValueInformationClass : KEY_VALUE_INFORMATION_CLASS;
KeyValueInformation : Pointer;
Length : ULONG;
ResultLength : PDWORD
) : NTSTATUS; stdcall;

function NtSetValueKey(
KeyHandle : THandle;
ValueName : PUNICODE_STRING;
TitleIndex : ULONG;
Type : ULONG;
Data : Pointer;
DataSize : ULONG
) : NTSTATUS; stdcall;
}

//————————————————————-
// NtOpenSymbolicLinkObject returns a handle to an existing symbolic link.
function NtOpenSymbolicLinkObject(
// Points to a returned handle for the symbolic link object specified in ObjectAttributes if the call was successful.
var LinkHandle : THandle;

// Specifies the type of access that the caller requires to the key.
// This is most commonly GENERIC_READ access such that the returned handle can be used with NtQuerySymbolicLinkObject.
const DesiredAccess : ACCESS_MASK;

// Points to the initialized object attributes for the symbolic link being opened.
// An ObjectName string for the symbolic link must be specified.
ObjectAttributes : TNtObjectAttributes
) : NTSTATUS; stdcall;

//————————————————————-
// NtQuerySymbolicLinkObject returns a Unicode string containing the target of the symbolic link.
function NtQuerySymbolicLinkObject(
// Specifies a valid handle to an open symbolic link object obtained by calling ZwOpenSymbolicLinkObject.
LinkHandle : THandle;

// Points to an initialized Unicode string that contains the target of the symbolic link,
// specified by LinkHandle, if the call was successful.
LinkTarget : TNtUnicodeString;

// Optionally, points to a unsigned long integer that on input contains the maximum number of bytes
// to copy into the Unicode string at LinkTarget.
// On output, the unsigned long integer contains the length of the Unicode string
// naming the target of the symbolic link.
ReturnedLength : PDWORD
) : NTSTATUS; stdcall;

function NtQuerySystemInformation(
SystemInfoClass : DWORD;
SystemInformation : Pointer;
SystemInformationLength : Cardinal;
var ReturnLength : Cardinal
): NTSTATUS; stdcall;

{
function NtCreateTimer(
out TimerHandle : THandle;
const DesiredAccess : ACCESS_MASK;
ObjectAttributes : TNtObjectAttributes;
const TimerType : TIMER_TYPE
) : NTSTATUS; stdcall;

function NtOpenTimer(
out TimerHandle : THandle;
const DesiredAccess : ACCESS_MASK;
ObjectAttributes : TNtObjectAttributes
) : NTSTATUS; stdcall;

function NtCancelTimer(
TimerHandle : THandle;
CurrentState : PBoolean
) : NTSTATUS; stdcall;

function NtSetTimer(
TimerHandle : THandle;
DueTime : PLARGE_INTEGER;
TimerApcRoutine : PTIMER_APC_ROUTINE;
TimerContext : Pointer;
WakeTimer : Boolean;
Period : DWORD;
PreviousState : PBoolean
) : NTSTATUS; stdcall;
}

//————————————————————-
procedure InitializeObjectAttributes(
InitializedAttributes : PNtObjectAttributes;
pObjectName : PNtUnicodeString;
const uAttributes : ULONG;
const hRootDirectory : THandle;
pSecurityDescriptor : PSECURITY_DESCRIPTOR
);

//————————————————————-
var
NLS_MB_CODE_PAGE_TAG : Boolean; // TRUE -> Multibyte CP, FALSE -> Singlebyte
//NLS_MB_OEM_CODE_PAGE_TAG : Boolean; // TRUE -> Multibyte CP, FALSE -> Singlebyte

//=============================================================
implementation

const
DLL = ‘ntdll.dll’;

var
AnsiCPInfo: TCPInfo;

function  RtlNtStatusToDosError; external DLL name ‘RtlNtStatusToDosError’;

procedure RtlInitString; external DLL name ‘RtlInitString’;
procedure RtlInitAnsiString;     external DLL name ‘RtlInitAnsiString’;
procedure RtlCopyString;     external DLL name ‘RtlCopyString’;
function  RtlUpperChar;     external DLL name ‘RtlUpperChar’;
function  RtlCompareString;     external DLL name ‘RtlCompareString’;
function  RtlEqualString;     external DLL name ‘RtlEqualString’;
procedure RtlUpperString;     external DLL name ‘RtlUpperString’;
procedure RtlFreeAnsiString;     external DLL name ‘RtlFreeAnsiString’;

procedure RtlInitUnicodeString;     external DLL name ‘RtlInitUnicodeString’;
function  RtlAnsiStringToUnicodeString;     external DLL name ‘RtlAnsiStringToUnicodeString’;
function  RtlUnicodeStringToAnsiString;     external DLL name ‘RtlUnicodeStringToAnsiString’;
function  RtlCompareUnicodeString;     external DLL name ‘RtlCompareUnicodeString’;
function  RtlEqualCompareUnicodeString;     external DLL name ‘RtlEqualCompareUnicodeString’;
function  RtlPrefixUnicodeString;     external DLL name ‘RtlPrefixUnicodeString’;
function  RtlUpcaseUnicodeString;     external DLL name ‘RtlUpcaseUnicodeString’;
procedure RtlCopyUnicodeString;     external DLL name ‘RtlCopyUnicodeString’;
function  RtlAppendUnicodeStringToString;     external DLL name ‘RtlAppendUnicodeStringToString’;
function  RtlAppendUnicodeToString;     external DLL name ‘RtlAppendUnicodeToString’;
function  RtlUpcaseUnicodeChar;     external DLL name ‘RtlUpcaseUnicodeChar’;
procedure RtlFreeUnicodeString;     external DLL name ‘RtlFreeUnicodeString’;
function  RtlxAnsiStringToUnicodeSize;     external DLL name ‘RtlxAnsiStringToUnicodeSize’;

function NtCreateFile;     external DLL name ‘NtCreateFile’;
function NtOpenFile;     external DLL name ‘NtOpenFile’;
function NtQueryInformationFile;     external DLL name ‘NtQueryInformationFile’;
function NtSetInformationFile;     external DLL name ‘NtSetInformationFile’;
function NtWriteFile;     external DLL name ‘NtWriteFile’;
function NtReadFile;     external DLL name ‘NtReadFile’;
function NtClose;     external DLL name ‘NtClose’;
function NtCreateDirectoryObject;     external DLL name ‘NtCreateDirectoryObject’;
function NtOpenDirectoryObject;     external DLL name ‘NtOpenDirectoryObject’;
function NtQueryDirectoryObject;     external DLL name ‘NtQueryDirectoryObject’;
function NtQueryDirectoryFile; external DLL name ‘NtQueryDirectoryFile’;
function NtMakeTemporaryObject;     external DLL name ‘NtMakeTemporaryObject’;
function NtOpenSection;     external DLL name ‘NtOpenSection’;
function NtMapViewOfSection;     external DLL name ‘NtMapViewOfSection’;
function NtUnmapViewOfSection;     external DLL name ‘NtUnmapViewOfSection’;
function NtOpenSymbolicLinkObject;     external DLL name ‘NtOpenSymbolicLinkObject’;
function NtQuerySymbolicLinkObject;     external DLL name ‘NtQuerySymbolicLinkObject’;
function NtQuerySystemInformation;     external DLL name ‘NtQuerySystemInformation’;
function NtSetInformationThread;     external DLL name ‘NtSetInformationThread’;

//————————————————————-
function RtlAnsiStringToUnicodeSize(  NtAnsiString : PNtAnsiString ) : DWORD; stdcall;
begin
if NtAnsiString=nil then Result := 0
else if NLS_MB_CODE_PAGE_TAG then Result := RtlxAnsiStringToUnicodeSize(NtAnsiString)
else Result := (NtAnsiString^.Length+1)*AnsiCPInfo.MaxCharSize;
end;
//————————————————————-
procedure InitializeObjectAttributes(
InitializedAttributes : PNtObjectAttributes;
pObjectName : PNtUnicodeString;
const uAttributes : ULONG;
const hRootDirectory : THandle;
pSecurityDescriptor : PSECURITY_DESCRIPTOR
);
begin
with InitializedAttributes^ do
begin
Length := SizeOf(TNtObjectAttributes);
ObjectName := pObjectName;
Attributes := uAttributes;
RootDirectory := hRootDirectory;
SecurityDescriptor := pSecurityDescriptor;
SecurityQualityOfService := nil;
end;
end;

//=============================================================
initialization
Windows.GetCPInfo(CP_ACP,AnsiCPInfo);
with AnsiCPInfo do NLS_MB_CODE_PAGE_TAG := MaxCharSize<>1;
end.

Comments ( 0 ) Trackbacks ( 0 ) Leave a Reply
  1. No comments yet.

    目前尚无任何评论.

    コメントはまだありません。

  2.                    
  1. No trackbacks yet.

    目前尚无任何 trackbacks 和 pingbacks.

    トラックバックはまだありません。

  • ☆*:.。. o(≧▽≦)o .。.:*☆
  • _(:з」∠)_
  • ♪(´ε` )
  • ψ(`∇´)ψ
  • (-_-#)
  • (=´∀`)人(´∀`=)
  • \(//∇//)\
  • ♪(*^^)o∀*∀o(^^*)♪
  • (((o(*゚▽゚*)o)))
  • (´・_・`)
  • σ(^_^;)
  • ( *`ω´)
  • (ノ`Д´)ノ
  • (( _ _ ))..zzzZZ
  • ( ̄▽ ̄)
  • ヽ(`Д´#)ノ
  • ((((;゚Д゚)))))))
  • (>_<)
  • (T_T)
  • ( T_T)\(^-^ )
  • ε=ε=ε=ε=ε=ε=┌(; ̄◇ ̄)┘