Windows NT/2000 Native API Reference

Gary Nebbett first started working with operating systems when he joined the MultiMIRTOS development team at Standard Telecommunication Laboratories immediately after graduating from London University in 1982. (MultiMIRTOS was a real-time embedded operating system for the Intel 8086 processor.) An interest in operating systems having been awakened, Gary tried to develop tools to trace system calls, reconstruct deleted files, and capture network traffic whenever he subsequently encountered an operating system (such as, VMS, UNIX, or NT). Gary lives in Basel, Switzerland. In his free time he enjoys squash, cross-country skiing, walking in the Alps, mountain biking in the Black Forest, and tackling the occasional cryptic crossword. He has seldom been known to decline the offer of another glass of port (preferably accompanied by some more Stilton).

Introduction.


Chapter 1. System Information and Control.


ZwQuerySystemInformation. ZwSetSystemInformation. SYSTEM_INFORMATION_CLASS. SystemBasicInformation. SystemProcessorInformation. SystemPerformanceInformation. SystemTimeOfDayInformation. SystemProcessesAndThreadsInformation. SystemCallCounts. SystemConfigurationInformation. SystemProcessorTimes. SystemGlobalFlag. SystemModuleInformation. SystemLockInformation. SystemHandleInformation. SystemObjectInformation. SystemPagefileInformation. SystemInstructionEmulationCounts. SystemCacheInformation. SystemPoolTagInformation. SystemProcessorStatistics. SystemDpcInformation. SystemLoadImage. SystemUnloadImage. SystemTimeAdjustment. SystemCrashDumpInformation. SystemExceptionInformation. SystemCrashDumpStateInformation. SystemKernelDebuggerInformation. SystemContextSwitchInformation. SystemRegistryQuotaInformation. SystemLoadAndCallImage. SystemPrioritySeparation. SystemTimeZoneInformation. SystemLookasideInformation. SystemSetTimeSlipEvent. SystemCreateSession. SystemDeleteSession. SystemRangeStartInformation. SystemVerifierInformation. SystemAddVerifier. SystemSessionProcessesInformation. SystemPoolBlocksInformation. SystemMemoryUsageInformation. Example 1.1: A Partial ToolHelp Library Implementation. Example 1.2: Listing Open Handles of a Process. ZwQuerySystemEnvironmentValue. ZwSetSystemEnvironmentValue. ZwSystemDebugControl. Example 1.3: Setting an Internal Breakpoint. Example 1.4: Getting Trace Information.



2. Objects, Object Directories, and Symbolic Links.


Object Attributes. ZwQueryObject. ZwSetInformationObject. OBJECT_INFORMATION_CLASS. ObjectBasicInformation. ObjectNameInformation. ObjectTypeInformation. ObjectAllTypesInformation. ObjectHandleInformation. ZwDuplicateObject. ZwMakeTemporaryObject. ZwClose. Example 2.1: Listing Open Handles of a Process. ZwQuerySecurityObject. ZwSetSecurityObject. ZwCreateDirectoryObject. ZwOpenDirectoryObject. ZwQueryDirectoryObject. ZwCreateSymbolicLinkObject. ZwOpenSymbolicLinkObject. ZwQuerySymbolicLinkObject.



3. Virtual Memory.


ZwAllocateVirtualMemory. ZwFreeVirtualMemory. ZwQueryVirtualMemory. MEMORY_INFORMATION_CLASS. MemoryBasicInformation. MemoryWorkingSetList. MemorySectionName. ZwLockVirtualMemory. ZwUnlockVirtualMemory . ZwReadVirtualMemory. ZwWriteVirtualMemory. ZwProtectVirtualMemory. ZwFlushVirtualMemory. ZwAllocateUserPhysicalPages. ZwFreeUserPhysicalPages. ZwMapUserPhysicalPages. ZwMapUserPhysicalPagesScatter. ZwGetWriteWatch. ZwResetWriteWatch.



4. Sections.


ZwCreateSection. ZwOpenSection. ZwQuerySection. SECTION_INFORMATION_CLASS. SectionBasicInformation. SectionImageInformation. ZwExtendSection. ZwMapViewOfSection. ZwUnmapViewOfSection. ZwAreMappedFilesTheSame. <@CHAPTER = 5. Threads.



ZwCreateThread. ZwOpenThread. ZwTerminateThread. ZwQueryInformationThread. ZwSetInformationThread. THREADINFOCLASS. ThreadBasicInformation. ThreadPriority. ThreadBasePriority. ThreadAffinityMask. ThreadImpersonationToken. ThreadEnableAlignmentFaultFixup. ThreadEventPair. ThreadQuerySetWin32StartAddress. ThreadZeroTlsCell. ThreadPerformanceCount. ThreadAmILastThread. ThreadIdealProcessor. ThreadPriorityBoost. ThreadSetTlsArrayAddress. ThreadIsIoPending. ThreadHideFromDebugger. SuspendThread. ZwResumeThread. ZwGetContextThread. ZwSetContextThread. ZwQueueApcThread. ZwTestAlert. ZwAlertThread. ZwAlertResumeThread. ZwRegisterThreadTerminatePort. ZwImpersonateThread. ZwImpersonateAnonymousToken.



6. Processes.


ZwCreateProcess. ZwOpenProcess. ZwTerminateProcess. ZwQueryInformationProcess. ZwSetInformationProcess. PROCESSINFOCLASS. ProcessBasicInformation. ProcessQuotaLimits. ProcessIoCounters. ProcessVmCounters. ProcessTimes. ProcessBasePriority. ProcessRaisePriority. ProcessDebugPort. ProcessExceptionPort. ProcessAccessToken. ProcessDefaultHardErrorMode. ProcessPooledUsageAndLimits. ProcessWorkingSetWatch. ProcessUserModeIOPL. ProcessEnableAlignmentFaultFixup. ProcessPriorityClass. ProcessWx86Information. ProcessHandleCount. ProcessAffinityMask. ProcessPriorityBoost. ProcessDeviceMap. ProcessSessionInformation. ProcessForegroundInformation. ProcessWow64Information. RtlCreateProcessParameters. RtlDestroyProcessParameters. PROCESS_PARAMETERS. RtlCreateQueryDebugBuffer. RtlQueryProcessDebugInformation. RtlDestroyQueryDebugBuffer. DEBUG_BUFFER. Debug_module_information. debug_heap_information. Debug_lock_information. Example 6.1: Forking a Win32 Process. Example 6.2: Creating a Win32 Process. Example 6.3: Using RtlQueryProcessDebugInformation to Extend ToolHelp. Library Implementation.



7. Jobs.


ZwCreateJobObject. ZwOpenJobObject. ZwTerminateJobObject. ZwAssignProcessToJobObject. ZwQueryInformationJobObject. ZwSetInformationJobObject. JOBOBJECTINFOCLASS. JobObjectBasicAccountingInformation. JobObjectBasicLimitInformation. JobObjectBasicProcessIdList. JobObjectBasicUIRestrictions. JobObjectSecurityLimitInformation. JobObjectEndOfJobTimeInformation. JobObjectAssociateCompletionPortInformation. JobObjectBasicAndIoAccountingInformation. JobObjectExtendedLimitInformation.



8. Tokens.


ZwCreateToken. ZwOpenProcessToken. ZwOpenThreadToken. ZwDuplicateToken. ZwFilterToken. ZwAdjustPrivilegesToken. ZwAdjustGroupsToken. ZwQueryInformationToken. ZwSetInformationToken. TOKEN_INFORMATION_CLASS. TokenUser. TokenGroups and TokenRestrictedSids. TokenPrivileges. TokenOwner. TokenPrimaryGroup. TokenDefaultDacl. TokenSource. TokenType. TokenImpersonationLevel. TokenStatistics. TokenSessionId. Example 8.1: Creating Command Window for the SYSTEM User.



9. Synchronization.


ZwWaitForSingleObject. ZwSignalAndWaitForSingleObject. ZwWaitForMultipleObjects. ZwCreateTimer. ZwOpenTimer. ZwCancelTimer. ZwSetTimer. ZwQueryTimer. TIMER_INFORMATION_CLASS. TimerBasicInformation. ZwCreateEvent. ZwOpenEvent. ZwSetEvent. ZwPulseEvent. ZwResetEvent. ZwClearEvent. ZwQueryEvent. EVENT_INFORMATION_CLASS. EventBasicInformation. ZwCreateSemaphore. ZwOpenSemaphore. ZwReleaseSemaphore. ZwQuerySemaphore. SEMAPHORE_INFORMATION_CLASS. SemaphoreBasicInformation. ZwCreateMutant. ZwOpenMutant. ZwReleaseMutant. ZwQueryMutant. MUTANT_INFORMATION_CLASS. MutantBasicInformation. ZwCreateIoCompletion. ZwOpenIoCompletion. ZwSetIoCompletion. ZwRemoveIoCompletion. ZwQueryIoCompletion. IO_COMPLETION_INFORMATION_CLASS. IoCompletionBasicInformation. ZwCreateEventPair. ZwOpenEventPair. ZwWaitLowEventPair. ZwWaitHighEventPair. ZwSetLowWaitHighEventPair. ZwSetHighWaitLowEventPair. ZwSetLowEventPair. ZwSetHighEventPair.



10. Time.


ZwQuerySystemTime. ZwSetSystemTime. ZwQueryPerformanceCounter. ZwSetTimerResolution. ZwQueryTimerResolution. ZwDelayExecution. ZwYieldExecution. ZwGetTickCount.



11. Execution Profiling.


KPROFILE_SOURCE. ZwCreateProfile. ZwSetIntervalProfile. ZwQueryIntervalProfile. ZwStartProfile. ZwStopProfile. Example 11.1: Profiling the Kernel.



12. Ports (Local Procedure Calls).


PORT_MESSAGE. PORT_SECTION_WRITE. PORT_SECTION_READ. ZwCreatePort. ZwCreateWaitablePort. ZwConnectPort. ZwSecureConnectPort. ZwListenPort. ZwAcceptConnectPort. ZwCompleteConnectPort. ZwRequestPort. ZwRequestWaitReplyPort. ZwReplyPort. ZwReplyWaitReplyPort. ZwReplyWaitReceivePort. ZwReplyWaitReceivePortEx. ZwReadRequestData. ZwWriteRequestData. ZwQueryInformationPort. PORT_INFORMATION_CLASS. PortBasicInformation. ZwImpersonateClientOfPort. Example 12.1: Connecting to a amed Port.



13. Files.


ZwCreateFile. ZwOpenFile. ZwDeleteFile. ZwFlushBuffersFile. ZwCancelIoFile. ZwReadFile. ZwWriteFile. ZwReadFileScatter. ZwWriteFileGather. ZwLockFile. ZwUnlockFile. ZwDeviceIoControlFile. ZwFsControlFile. ZwNotifyChangeDirectoryFile. FILE_NOTIFY_INFORMATION. ZwQueryEaFile. ZwSetEaFile. FILE_FULL_EA_INFORMATION. FILE_GET_EA_INFORMATION. ZwCreateNamedPipeFile. ZwCreateMailslotFile. ZwQueryVolumeInformationFile. ZwSetVolumeInformationFile. FS_INFORMATION_CLASS. FileFsVolumeInformation. FileFsLabelInformation. FileFsSizeInformation. FileFsDeviceInformation. FileFsAttributeInformation. FileFsControlInformation. FileFsFullSizeInformation. FileFsObjectIdInformation. ZwQueryQuotaInformationFile. ZwSetQuotaInformationFile. FILE_USER_QUOTA_INFORMATION. FILE_QUOTA_LIST_INFORMATION. ZwQueryAttributesFile. ZwQueryFullAttributesFile. ZwQueryInformationFile. ZwSetInformationFile. ZwQueryDirectoryFile. ZwQueryOleDirectoryFile. FILE_INFORMATION_CLASS. FileDirectoryInformation. FileFullDirectoryInformation. FileBothDirectoryInformation. FileBasicInformation. FileStandardInformation. FileInternalInformation. FileEaInformation. FileAccessInformation. FileNameInformation. FileRenameInformation and FileLinkInformation. FileNamesInformation. FileDispositionInformation. FilePositionInformation. FileModeInformation. FileAlignmentInformation. FileAllInformation. FileAllocationInformation. FileEndOfFileInformation. FileStreamInformation. FilePipeInformation. FilePipeLocalInformation. FilePipeRemoteInformation. FileMailslotQueryInformation. FileMailslotSetInformation. FileCompressionInformation. FileObjectIdInformation. FileCompletionInformation. FileMoveClusterInformation. FileQuotaInformation. FileReparsePointInformation. FileNetworkOpenInformation. FileAttributeTagInformation. Example 13.1: Opening a ile by File Identifier.



14. Registry Keys.


ZwCreateKey. ZwOpenKey. ZwDeleteKey. ZwFlushKey. ZwSaveKey. ZwSaveMergedKeys. ZwRestoreKey. ZwLoadKey. ZwLoadKey2. ZwUnloadKey. ZwQueryOpenSubKeys. ZwReplaceKey. ZwSetInformationKey. KEY_SET_INFORMATION_CLASS. KeyLastWriteTimeInformation. ZwQueryKey. ZwEnumerateKey. KEY_INFORMATION_CLASS. KeyBasicInformation. KeyNodeInformation. KeyFullInformation. KeyNameInformation. ZwNotifyChangeKey. ZwNotifyChangeMultipleKeys. ZwDeleteValueKey. ZwSetValueKey. ZwQueryValueKey. ZwEnumerateValueKey. KEY_VALUE_INFORMATION_CLASS. KeyValueBasicInformation. KeyValueFullInformation and KeyValueFullInformationAlign64. KeyValuePartialInformation. ZwQueryMultipleValueKey KEY_VALUE_ENTRY. ZwInitializeRegistry.



15. Security and Auditing.


ZwPrivilegeCheck. ZwPrivilegeObjectAuditAlarm. ZwPrivilegedServiceAuditAlarm. ZwAccessCheck. ZwAccessCheckAndAuditAlarm. ZwAccessCheckByType. ZwAccessCheckByTypeAndAuditAlarm. ZwAccessCheckByTypeResultList. ZwAccessCheckByTypeResultListAndAuditAlarm. ZwAccessCheckByTypeResultListAndAuditAlarmByHandle. ZwOpenObjectAuditAlarm. ZwCloseObjectAuditAlarm. ZwDeleteObjectAuditAlarm.



16. Plug and Play and Power Management.


ZwRequestWakeupLatency. ZwRequestDeviceWakeup. ZwCancelDeviceWakeupRequest. ZwIsSystemResumeAutomatic. ZwSetThreadExecutionState. ZwGetDevicePowerState. ZwSetSystemPowerState. ZwInitiatePowerAction. ZwPowerInformation. POWER_INFORMATION_LEVEL. SystemPowerPolicyAc, SystemPowerPolicyDc, SystemPowerPolicyCurrent. SystemPowerCapabilities. SystemBatteryState. SystemPowerStateHandler. ProcessorStateHandler. AdministratorPowerPolicy. ProcessorInformation. SystemPowerInformation. ZwPlugPlayControl. ZwGetPlugPlayEvent.



17.Miscellany.


ZwRaiseException. ZwContinue. ZwW32Call. ZwCallbackReturn. ZwSetLowWaitHighThread. ZwSetHighWaitLowThread. ZwLoadDriver. ZwUnloadDriver. ZwFlushInstructionCache. ZwFlushWriteBuffer. ZwQueryDefaultLocale. ZwSetDefaultLocale. ZwQueryDefaultUILanguage. ZwSetDefaultUILanguage. ZwQueryInstallUILanguage. ZwAllocateLocallyUniqueId. ZwAllocateUuids. ZwSetUuidSeed. ZwRaiseHardError. ZwSetDefaultHardErrorPort. ZwDisplayString. ZwCreatePagingFile. ZwAddAtom. ZwFindAtom. ZwDeleteAtom. ZwQueryInformationAtom. ATOM_INFORMATION_CLASS. AtomBasicInformation. AtomListInformation. ZwSetLdtEntries. ZwVdmControl. Unimplemented System Services.



Appendix A: Calling System Services from Kernel Mode.


Example A.1: Re-Implementing NtQueryEvent. Example A.2: Dynamically Binding to ntdll.dll.



Appendix B: Intel Platform-Specific Entry Points to Kernel Mode.


KiTrap03. KiTrap04. KiGetTickCount. KiCallbackReturn. KiSetLowWaitHighThread. KiDebugService. KiSystemService.



Appendix C: Exceptions and Debugging.


Example C.1: Pseudocode for KiDispatchException. Example C.2: Pseudocode for KiUserExceptionDispatcher. The Kernel Debugger. Example C.3: Pseudocode for DebugService. User Mode Debuggers. DEBUG_MESSAGE. Debug Message outing. Value Added by the Routing Process. OutputDebugString. Tracing Calls to Routines Exported by DLLs. Example C.4: A Trace Utility.



Appendix D: NTFS On-Disk Structure.


NTFS_RECORD_HEADER. FILE_RECORD_HEADER. ATTRIBUTE. RESIDENT_ATTRIBUTE. NONRESIDENT_ATTRIBUTE. AttributeStandardInformation. AttributeAttributeList. AttributeFileName. AttributeObjectId. AttributeSecurityDescriptor. AttributeVolumeName. AttributeVolumeInformation. AttributeData. AttributeIndexRoot. AttributeIndexAllocation. DIRECTORY_INDEX. DIRECTORY_ENTRY. AttributeBitmap. AttributeReparsePoint. AttributeEAInformation. AttributeEA. AttributePropertySet. AttributeLoggedUtilityStream. Special Files. Opening Special Files. Recovering Data from Deleted Files. Example D.1: Recovering Data from a File. Example D.2: Decompressing Recovered Data.



Index.