Process Hacker
ntmmapi.h
Go to the documentation of this file.
1 #ifndef _NTMMAPI_H
2 #define _NTMMAPI_H
3 
4 // private
6 {
7  MemoryBasicInformation, // MEMORY_BASIC_INFORMATION
8  MemoryWorkingSetInformation, // MEMORY_WORKING_SET_INFORMATION
9  MemoryMappedFilenameInformation, // UNICODE_STRING
10  MemoryRegionInformation, // MEMORY_REGION_INFORMATION
11  MemoryWorkingSetExInformation, // MEMORY_WORKING_SET_EX_INFORMATION
12  MemorySharedCommitInformation // MEMORY_SHARED_COMMIT_INFORMATION
14 
16 {
17  ULONG_PTR Protection : 5;
18  ULONG_PTR ShareCount : 3;
19  ULONG_PTR Shared : 1;
20  ULONG_PTR Node : 3;
21 #ifdef _WIN64
22  ULONG_PTR VirtualPage : 52;
23 #else
24  ULONG VirtualPage : 20;
25 #endif
27 
29 {
30  ULONG_PTR NumberOfEntries;
33 
34 // private
36 {
39  ULONG RegionType;
40  SIZE_T RegionSize;
42 
43 // private
45 {
46  union
47  {
48  struct
49  {
50  ULONG_PTR Valid : 1;
51  ULONG_PTR ShareCount : 3;
52  ULONG_PTR Win32Protection : 11;
53  ULONG_PTR Shared : 1;
54  ULONG_PTR Node : 6;
55  ULONG_PTR Locked : 1;
56  ULONG_PTR LargePage : 1;
57  ULONG_PTR Priority : 3;
58  ULONG_PTR Reserved : 3;
59  ULONG_PTR SharedOriginal : 1;
60  ULONG_PTR Bad : 1;
61 #ifdef _WIN64
62  ULONG_PTR ReservedUlong : 32;
63 #endif
64  };
65  struct
66  {
67  ULONG_PTR Valid : 1;
68  ULONG_PTR Reserved0 : 14;
69  ULONG_PTR Shared : 1;
70  ULONG_PTR Reserved1 : 5;
71  ULONG_PTR PageTable : 1;
72  ULONG_PTR Location : 2;
73  ULONG_PTR Priority : 3;
74  ULONG_PTR ModifiedList : 1;
75  ULONG_PTR Reserved2 : 2;
76  ULONG_PTR SharedOriginal : 1;
77  ULONG_PTR Bad : 1;
78 #ifdef _WIN64
79  ULONG_PTR ReservedUlong : 32;
80 #endif
81  } Invalid;
82  };
84 
85 // private
87 {
89  union
90  {
92  ULONG_PTR Long;
93  } u1;
95 
96 // private
98 {
99  SIZE_T CommitSize;
101 
102 #define MMPFNLIST_ZERO 0
103 #define MMPFNLIST_FREE 1
104 #define MMPFNLIST_STANDBY 2
105 #define MMPFNLIST_MODIFIED 3
106 #define MMPFNLIST_MODIFIEDNOWRITE 4
107 #define MMPFNLIST_BAD 5
108 #define MMPFNLIST_ACTIVE 6
109 #define MMPFNLIST_TRANSITION 7
110 
111 #define MMPFNUSE_PROCESSPRIVATE 0
112 #define MMPFNUSE_FILE 1
113 #define MMPFNUSE_PAGEFILEMAPPED 2
114 #define MMPFNUSE_PAGETABLE 3
115 #define MMPFNUSE_PAGEDPOOL 4
116 #define MMPFNUSE_NONPAGEDPOOL 5
117 #define MMPFNUSE_SYSTEMPTE 6
118 #define MMPFNUSE_SESSIONPRIVATE 7
119 #define MMPFNUSE_METAFILE 8
120 #define MMPFNUSE_AWEPAGE 9
121 #define MMPFNUSE_DRIVERLOCKPAGE 10
122 
124 {
125  ULONGLONG UseDescription : 4; // MMPFNUSE_*
126  ULONGLONG ListDescription : 3; // MMPFNLIST_*
127  ULONGLONG Reserved0 : 1; // reserved for future expansion
128  ULONGLONG Pinned : 1; // 1 - pinned, 0 - not pinned
129  ULONGLONG DontUse : 48; // *_INFORMATION overlay
130  ULONGLONG Priority : 3; // rev
131  ULONGLONG Reserved : 4; // reserved for future expansion
133 
135 {
136  ULONGLONG DontUse : 9; // MEMORY_FRAME_INFORMATION overlay
137  ULONGLONG Offset : 48; // mapped files
138  ULONGLONG Reserved : 7; // reserved for future expansion
140 
141 typedef struct _PAGEDIR_INFORMATION
142 {
143  ULONGLONG DontUse : 9; // MEMORY_FRAME_INFORMATION overlay
144  ULONGLONG PageDirectoryBase : 48; // private pages
145  ULONGLONG Reserved : 7; // reserved for future expansion
147 
148 typedef struct _MMPFN_IDENTITY
149 {
150  union
151  {
153  FILEOFFSET_INFORMATION e2; // mapped files
154  PAGEDIR_INFORMATION e3; // private pages
155  } u1;
156  ULONG_PTR PageFrameIndex; // all
157  union
158  {
159  PVOID FileObject; // mapped files
160  PVOID VirtualAddress; // everything else
161  } u2;
163 
165 {
167  ULONG_PTR Count;
169 
171 {
174  SectionRelocationInformation, // name:wow64:whNtQuerySection_SectionRelocationInformation
177 
179 {
180  PVOID BaseAddress;
182  LARGE_INTEGER MaximumSize;
184 
185 // symbols
187 {
189  ULONG ZeroBits;
193  union
194  {
195  struct
196  {
199  };
201  };
202  ULONG GpValue;
205  USHORT Machine;
207  union
208  {
209  UCHAR ImageFlags;
210  struct
211  {
213  UCHAR ComPlusILOnly : 1;
215  UCHAR ImageMappedFlat : 1;
216  UCHAR BaseBelow4gb : 1;
217  UCHAR Reserved : 3;
218  };
219  };
220  ULONG LoaderFlags;
222  ULONG CheckSum;
224 
225 typedef enum _SECTION_INHERIT
226 {
230 
231 #define SEC_BASED 0x200000
232 #define SEC_NO_CHANGE 0x400000
233 #define SEC_GLOBAL 0x20000000
234 
235 #define MEM_EXECUTE_OPTION_DISABLE 0x1
236 #define MEM_EXECUTE_OPTION_ENABLE 0x2
237 #define MEM_EXECUTE_OPTION_DISABLE_THUNK_EMULATION 0x4
238 #define MEM_EXECUTE_OPTION_PERMANENT 0x8
239 #define MEM_EXECUTE_OPTION_EXECUTE_DISPATCH_ENABLE 0x10
240 #define MEM_EXECUTE_OPTION_IMAGE_DISPATCH_ENABLE 0x20
241 #define MEM_EXECUTE_OPTION_VALID_FLAGS 0x3f
242 
243 // Virtual memory
244 
245 NTSYSCALLAPI
246 NTSTATUS
247 NTAPI
249  _In_ HANDLE ProcessHandle,
250  _Inout_ _At_(*BaseAddress, _Readable_bytes_(*RegionSize) _Writable_bytes_(*RegionSize) _Post_readable_byte_size_(*RegionSize)) PVOID *BaseAddress,
251  _In_ ULONG_PTR ZeroBits,
252  _Inout_ PSIZE_T RegionSize,
253  _In_ ULONG AllocationType,
254  _In_ ULONG Protect
255  );
256 
257 NTSYSCALLAPI
258 NTSTATUS
259 NTAPI
261  _In_ HANDLE ProcessHandle,
262  _Inout_ PVOID *BaseAddress,
263  _Inout_ PSIZE_T RegionSize,
264  _In_ ULONG FreeType
265  );
266 
267 NTSYSCALLAPI
268 NTSTATUS
269 NTAPI
271  _In_ HANDLE ProcessHandle,
272  _In_opt_ PVOID BaseAddress,
273  _Out_writes_bytes_(BufferSize) PVOID Buffer,
274  _In_ SIZE_T BufferSize,
275  _Out_opt_ PSIZE_T NumberOfBytesRead
276  );
277 
278 NTSYSCALLAPI
279 NTSTATUS
280 NTAPI
282  _In_ HANDLE ProcessHandle,
283  _In_opt_ PVOID BaseAddress,
284  _In_reads_bytes_(BufferSize) PVOID Buffer,
285  _In_ SIZE_T BufferSize,
286  _Out_opt_ PSIZE_T NumberOfBytesWritten
287  );
288 
289 NTSYSCALLAPI
290 NTSTATUS
291 NTAPI
293  _In_ HANDLE ProcessHandle,
294  _Inout_ PVOID *BaseAddress,
295  _Inout_ PSIZE_T RegionSize,
296  _In_ ULONG NewProtect,
297  _Out_ PULONG OldProtect
298  );
299 
300 NTSYSCALLAPI
301 NTSTATUS
302 NTAPI
304  _In_ HANDLE ProcessHandle,
305  _In_ PVOID BaseAddress,
306  _In_ MEMORY_INFORMATION_CLASS MemoryInformationClass,
307  _Out_writes_bytes_(MemoryInformationLength) PVOID MemoryInformation,
308  _In_ SIZE_T MemoryInformationLength,
309  _Out_opt_ PSIZE_T ReturnLength
310  );
311 
312 // begin_private
313 
315 {
320 
321 typedef struct _MEMORY_RANGE_ENTRY
322 {
326 
327 // end_private
328 
329 #if (PHNT_VERSION >= PHNT_THRESHOLD)
330 
331 NTSYSCALLAPI
332 NTSTATUS
333 NTAPI
335  _In_ HANDLE ProcessHandle,
336  _In_ VIRTUAL_MEMORY_INFORMATION_CLASS VmInformationClass,
337  _In_ ULONG_PTR NumberOfEntries,
338  _In_reads_ (NumberOfEntries) PMEMORY_RANGE_ENTRY VirtualAddresses,
339  _In_reads_bytes_ (VmInformationLength) PVOID VmInformation,
340  _In_ ULONG VmInformationLength
341  );
342 
343 #endif
344 
345 NTSYSCALLAPI
346 NTSTATUS
347 NTAPI
349  _In_ HANDLE ProcessHandle,
350  _Inout_ PVOID *BaseAddress,
351  _Inout_ PSIZE_T RegionSize,
352  _In_ ULONG MapType
353  );
354 
355 NTSYSCALLAPI
356 NTSTATUS
357 NTAPI
359  _In_ HANDLE ProcessHandle,
360  _Inout_ PVOID *BaseAddress,
361  _Inout_ PSIZE_T RegionSize,
362  _In_ ULONG MapType
363  );
364 
365 // Sections
366 
367 NTSYSCALLAPI
368 NTSTATUS
369 NTAPI
371  _Out_ PHANDLE SectionHandle,
372  _In_ ACCESS_MASK DesiredAccess,
373  _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
374  _In_opt_ PLARGE_INTEGER MaximumSize,
375  _In_ ULONG SectionPageProtection,
376  _In_ ULONG AllocationAttributes,
377  _In_opt_ HANDLE FileHandle
378  );
379 
380 NTSYSCALLAPI
381 NTSTATUS
382 NTAPI
384  _Out_ PHANDLE SectionHandle,
385  _In_ ACCESS_MASK DesiredAccess,
386  _In_ POBJECT_ATTRIBUTES ObjectAttributes
387  );
388 
389 NTSYSCALLAPI
390 NTSTATUS
391 NTAPI
393  _In_ HANDLE SectionHandle,
394  _In_ HANDLE ProcessHandle,
395  _Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID *BaseAddress,
396  _In_ ULONG_PTR ZeroBits,
397  _In_ SIZE_T CommitSize,
398  _Inout_opt_ PLARGE_INTEGER SectionOffset,
399  _Inout_ PSIZE_T ViewSize,
400  _In_ SECTION_INHERIT InheritDisposition,
401  _In_ ULONG AllocationType,
402  _In_ ULONG Win32Protect
403  );
404 
405 NTSYSCALLAPI
406 NTSTATUS
407 NTAPI
409  _In_ HANDLE ProcessHandle,
410  _In_opt_ PVOID BaseAddress
411  );
412 
413 #if (PHNT_VERSION >= PHNT_WIN8)
414 NTSYSCALLAPI
415 NTSTATUS
416 NTAPI
418  _In_ HANDLE ProcessHandle,
419  _In_opt_ PVOID BaseAddress,
420  _In_ ULONG Flags
421  );
422 #endif
423 
424 NTSYSCALLAPI
425 NTSTATUS
426 NTAPI
428  _In_ HANDLE SectionHandle,
429  _Inout_ PLARGE_INTEGER NewSectionSize
430  );
431 
432 NTSYSCALLAPI
433 NTSTATUS
434 NTAPI
436  _In_ HANDLE SectionHandle,
437  _In_ SECTION_INFORMATION_CLASS SectionInformationClass,
438  _Out_writes_bytes_(SectionInformationLength) PVOID SectionInformation,
439  _In_ SIZE_T SectionInformationLength,
440  _Out_opt_ PSIZE_T ReturnLength
441  );
442 
443 NTSYSCALLAPI
444 NTSTATUS
445 NTAPI
447  _In_ PVOID File1MappedAsAnImage,
448  _In_ PVOID File2MappedAsFile
449  );
450 
451 // Partitions
452 
453 // private
455 {
461 
462 #if (PHNT_VERSION >= PHNT_THRESHOLD)
463 
464 NTSYSCALLAPI
465 NTSTATUS
466 NTAPI
468  _Out_ PHANDLE PartitionHandle,
469  _In_ ACCESS_MASK DesiredAccess,
470  _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
471  _In_ ULONG PreferredNode
472  );
473 
474 NTSYSCALLAPI
475 NTSTATUS
476 NTAPI
478  _Out_ PHANDLE PartitionHandle,
479  _In_ ACCESS_MASK DesiredAccess,
480  _In_ POBJECT_ATTRIBUTES ObjectAttributes
481  );
482 
483 NTSYSCALLAPI
484 NTSTATUS
485 NTAPI
487  _In_ MEMORY_PARTITION_INFORMATION_CLASS PartitionInformationClass,
488  _In_ PVOID PartitionInformation,
489  _In_ ULONG PartitionInformationLength
490  );
491 
492 #endif
493 
494 // User physical pages
495 
496 NTSYSCALLAPI
497 NTSTATUS
498 NTAPI
500  _In_ PVOID VirtualAddress,
501  _In_ ULONG_PTR NumberOfPages,
502  _In_reads_opt_(NumberOfPages) PULONG_PTR UserPfnArray
503  );
504 
505 NTSYSCALLAPI
506 NTSTATUS
507 NTAPI
509  _In_reads_(NumberOfPages) PVOID *VirtualAddresses,
510  _In_ ULONG_PTR NumberOfPages,
511  _In_reads_opt_(NumberOfPages) PULONG_PTR UserPfnArray
512  );
513 
514 NTSYSCALLAPI
515 NTSTATUS
516 NTAPI
518  _In_ HANDLE ProcessHandle,
519  _Inout_ PULONG_PTR NumberOfPages,
520  _Out_writes_(*NumberOfPages) PULONG_PTR UserPfnArray
521  );
522 
523 NTSYSCALLAPI
524 NTSTATUS
525 NTAPI
527  _In_ HANDLE ProcessHandle,
528  _Inout_ PULONG_PTR NumberOfPages,
529  _In_reads_(*NumberOfPages) PULONG_PTR UserPfnArray
530  );
531 
532 // Sessions
533 
534 #if (PHNT_VERSION >= PHNT_VISTA)
535 NTSYSCALLAPI
536 NTSTATUS
537 NTAPI
539  _Out_ PHANDLE SessionHandle,
540  _In_ ACCESS_MASK DesiredAccess,
541  _In_ POBJECT_ATTRIBUTES ObjectAttributes
542  );
543 #endif
544 
545 // Misc.
546 
547 NTSYSCALLAPI
548 NTSTATUS
549 NTAPI
551  _In_ HANDLE ProcessHandle,
552  _In_ ULONG Flags,
553  _In_ PVOID BaseAddress,
554  _In_ SIZE_T RegionSize,
555  _Out_writes_(*EntriesInUserAddressArray) PVOID *UserAddressArray,
556  _Inout_ PULONG_PTR EntriesInUserAddressArray,
557  _Out_ PULONG Granularity
558  );
559 
560 NTSYSCALLAPI
561 NTSTATUS
562 NTAPI
564  _In_ HANDLE ProcessHandle,
565  _In_ PVOID BaseAddress,
566  _In_ SIZE_T RegionSize
567  );
568 
569 NTSYSCALLAPI
570 NTSTATUS
571 NTAPI
573  _In_ PUNICODE_STRING PageFileName,
574  _In_ PLARGE_INTEGER MinimumSize,
575  _In_ PLARGE_INTEGER MaximumSize,
576  _In_ ULONG Priority
577  );
578 
579 NTSYSCALLAPI
580 NTSTATUS
581 NTAPI
583  _In_ HANDLE ProcessHandle,
584  _In_opt_ PVOID BaseAddress,
585  _In_ SIZE_T Length
586  );
587 
588 NTSYSCALLAPI
589 NTSTATUS
590 NTAPI
592  VOID
593  );
594 
595 #endif