// Filter manager
// Access rights for filter manager (FltMgr) communication port objects.
// FLT_PORT_CONNECT is the only port-specific right defined here; FLT_PORT_ALL_ACCESS
// ORs it with STANDARD_RIGHTS_ALL (defined in the Windows SDK headers, not in this
// file), so a handle opened with ALL_ACCESS also carries the generic standard rights.
// Least privilege: request FLT_PORT_CONNECT alone when connecting is all that is needed.
#define FLT_PORT_CONNECT 0x0001
#define FLT_PORT_ALL_ACCESS (FLT_PORT_CONNECT | STANDARD_RIGHTS_ALL)
// VDM
// Service classes accepted by NtVdmControl (declared below).
// No explicit values are given, so the enumerators take 0 (VdmStartExecution) and
// increment in declaration order; inserting or reordering an entry changes the ABI
// value of every entry after it. Treat this list as append-only.
typedef enum _VDMSERVICECLASS
{
    VdmStartExecution,
    VdmQueueInterrupt,
    VdmDelayInterrupt,
    VdmInitialize,
    VdmFeatures,
    VdmSetInt21Handler,
    VdmQueryDir,
    VdmPrinterDirectIoOpen,
    VdmPrinterDirectIoClose,
    VdmPrinterInitialize,
    VdmSetLdtEntries,
    VdmSetProcessLdtInfo,
    VdmAdlibEmulation,
    VdmPMCliControl,
    VdmQueryVdmProcess,
    VdmPreInitialize
} VDMSERVICECLASS, *PVDMSERVICECLASS;
/**
 * NtVdmControl - system call dispatching a VDM (virtual DOS machine) service.
 *
 * @param Service      Which VDM operation to perform (see VDMSERVICECLASS).
 * @param ServiceData  Untyped _Inout_ buffer. There is no length parameter, so
 *                     the buffer's expected layout and size are implied solely by
 *                     Service and are not described in this header — confirm the
 *                     per-service structure elsewhere before passing a buffer.
 * @return NTSTATUS.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtVdmControl(
    _In_ VDMSERVICECLASS Service,
    _Inout_ PVOID ServiceData
    );
// WMI/ETW
/**
 * NtTraceEvent - system call used to write an ETW event.
 *
 * @param TraceHandle  Handle the event is written against.
 * @param Flags        Event flags; their meaning is not defined in this header.
 * @param FieldSize    Presumably the size in bytes of the data at Fields — the
 *                     annotation on Fields is a bare _In_ PVOID, so the pairing is
 *                     not expressed in SAL; keep the two consistent (verify against
 *                     the caller).
 * @param Fields       Pointer to the event data.
 * @return NTSTATUS.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtTraceEvent(
    _In_ HANDLE TraceHandle,
    _In_ ULONG Flags,
    _In_ ULONG FieldSize,
    _In_ PVOID Fields
    );
// Information classes for NtTraceControl (declared below).
// Values are explicit and must match the kernel's numbering exactly, so do not
// renumber; 8-10 are intentionally absent. Per-entry comments name the buffer type
// where known ("in" / "out" / "inout" presumably refer to InputBuffer and
// TraceInformation respectively — confirm against the corresponding structures).
typedef enum _TRACE_CONTROL_INFORMATION_CLASS
{
    TraceControlStartLogger = 1, // inout WMI_LOGGER_INFORMATION
    TraceControlStopLogger = 2, // inout WMI_LOGGER_INFORMATION
    TraceControlQueryLogger = 3, // inout WMI_LOGGER_INFORMATION
    TraceControlUpdateLogger = 4, // inout WMI_LOGGER_INFORMATION
    TraceControlFlushLogger = 5, // inout WMI_LOGGER_INFORMATION
    TraceControlIncrementLoggerFile = 6, // inout WMI_LOGGER_INFORMATION
    TraceControlUnknown = 7,
    // 8-10 unused
    TraceControlRealtimeConnect = 11,
    TraceControlActivityIdCreate = 12,
    TraceControlWdiDispatchControl = 13,
    TraceControlRealtimeDisconnectConsumerByHandle = 14, // in HANDLE
    TraceControlRegisterGuidsCode = 15,
    TraceControlReceiveNotification = 16,
    TraceControlSendDataBlock = 17, // ETW_ENABLE_NOTIFICATION_PACKET
    TraceControlSendReplyDataBlock = 18,
    TraceControlReceiveReplyDataBlock = 19,
    TraceControlWdiUpdateSem = 20,
    TraceControlEnumTraceGuidList = 21, // out GUID[]
    TraceControlGetTraceGuidInfo = 22, // in GUID, out TRACE_GUID_INFO
    TraceControlEnumerateTraceGuids = 23,
    TraceControlRegisterSecurityProv = 24,
    TraceControlQueryReferenceTime = 25,
    TraceControlTrackProviderBinary = 26, // in HANDLE
    TraceControlAddNotificationEvent = 27,
    TraceControlUpdateDisallowList = 28,
    TraceControlSetEnableAllKeywordsCode = 29,
    TraceControlSetProviderTraitsCode = 30,
    TraceControlUseDescriptorTypeCode = 31,
    TraceControlEnumTraceGroupList = 32,
    TraceControlGetTraceGroupInfo = 33,
    TraceControlTraceSetDisallowList = 34,
    TraceControlSetCompressionSettings = 35,
    TraceControlGetCompressionSettings = 36,
    TraceControlUpdatePeriodicCaptureState = 37,
    TraceControlGetPrivateSessionTraceHandle = 38,
    TraceControlRegisterPrivateSession = 39,
    TraceControlQuerySessionDemuxObject = 40,
    TraceControlSetProviderBinaryTracking = 41,
    TraceControlMaxLoggers = 42, // out ULONG
    TraceControlMaxPmcCounter = 43, // out ULONG
    TraceControlQueryUsedProcessorCount = 44, // ULONG // since WIN11
    TraceControlGetPmcOwnership = 45,
} TRACE_CONTROL_INFORMATION_CLASS;
#if (NTDDI_VERSION >= NTDDI_VISTA)
// private (undocumented) system call; only declared for NTDDI_VISTA and later.
/**
 * NtTraceControl - ETW control operation selected by TraceInformationClass.
 *
 * @param TraceInformationClass  Operation to perform (TRACE_CONTROL_INFORMATION_CLASS).
 * @param InputBuffer            Optional input, InputBufferLength bytes; the SAL
 *                               annotation pairs the two, so the length passed must
 *                               not exceed the buffer actually provided.
 * @param InputBufferLength      Size of InputBuffer in bytes.
 * @param TraceInformation       Optional output buffer of TraceInformationLength bytes.
 * @param TraceInformationLength Size of TraceInformation in bytes.
 * @param ReturnLength           _Out_ ULONG; presumably the number of bytes written to
 *                               (or required for) TraceInformation — verify per class.
 * @return NTSTATUS.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtTraceControl(
    _In_ TRACE_CONTROL_INFORMATION_CLASS TraceInformationClass,
    _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer,
    _In_ ULONG InputBufferLength,
    _Out_writes_bytes_opt_(TraceInformationLength) PVOID TraceInformation,
    _In_ ULONG TraceInformationLength,
    _Out_ PULONG ReturnLength
    );
#endif