ceee/testing/utils/nt_internals.h


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206

// Copyright (c) 2010 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// NT internal data structures and functions that rely upon them.
#ifndef CEEE_TESTING_UTILS_NT_INTERNALS_H_
#define CEEE_TESTING_UTILS_NT_INTERNALS_H_

#include <windows.h>

namespace nt_internals {

// The structures, constants and function declarations in here are gleaned
// from various sources, primarily from Microsoft symbol information for
// system DLLs, kernel modules and executables, as well as from MSDN help.
// For more information on the Windows NT native API, see e.g.
// the "Windows NT/2000 Native API Reference" by Gary Nebbett,
// ISBN 9781578701995.
typedef LONG NTSTATUS;
typedef DWORD KPRIORITY;
typedef WORD UWORD;

struct CLIENT_ID {
  PVOID UniqueProcess;
  PVOID UniqueThread;
};

struct THREAD_BASIC_INFO {
  NTSTATUS                ExitStatus;
  PVOID                   TebBaseAddress;
  CLIENT_ID               ClientId;
  KAFFINITY               AffinityMask;
  KPRIORITY               Priority;
  KPRIORITY               BasePriority;
};

enum THREADINFOCLASS {
  ThreadBasicInformation,
};

// NtQueryInformationProcess is documented in winternl.h, but we link
// dynamically to it because we might as well.
typedef NTSTATUS (WINAPI *NtQueryInformationThreadFunc)(
                  IN HANDLE ThreadHandle,
                  IN THREADINFOCLASS ThreadInformationClass,
                  OUT PVOID ThreadInformation,
                  IN ULONG ThreadInformationLength,
                  OUT PULONG ReturnLength OPTIONAL);
extern NtQueryInformationThreadFunc NtQueryInformationThread;

typedef struct _PROCESS_BASIC_INFORMATION {
  NTSTATUS          ExitStatus;
  PVOID             PebBaseAddress;
  ULONG             AffinityMask;
  ULONG             BasePriority;
  ULONG_PTR         UniqueProcessId;
  ULONG_PTR         InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION;

enum PROCESSINFOCLASS {
  ProcessBasicInformation
};

typedef NTSTATUS (WINAPI *NtQueryInformationProcessFunc)(
                  IN HANDLE ProcessHandle,
                  IN PROCESSINFOCLASS ProcessInformationClass,
                  OUT PVOID ProcessInformation,
                  IN ULONG ProcessInformationLength,
                  OUT PULONG ReturnLength OPTIONAL);
extern NtQueryInformationProcessFunc NtQueryInformationProcess;

// NtQueryObject is also documented in winternl.h, but we link
// dynamically to it because we might as well.
typedef struct _PUBLIC_OBJECT_BASIC_INFORMATION {
  ULONG       Attributes;
  ACCESS_MASK GrantedAccess;
  ULONG       HandleCount;
  ULONG       PointerCount;
  ULONG       Reserved[10];    // reserved for internal use
} PUBLIC_OBJECT_BASIC_INFORMATION;

enum OBJECT_INFORMATION_CLASS {
  ObjectBasicInformation = 0,
  ObjectTypeInformation  = 2,
};

typedef NTSTATUS (WINAPI *NtQueryObjectFunc)(
                  IN HANDLE Handle,
                  IN OBJECT_INFORMATION_CLASS ObjectInformationClass,
                  OUT PVOID ObjectInformation,
                  IN ULONG ObjectInformationLength,
                  OUT PULONG ReturnLength);
extern NtQueryObjectFunc NtQueryObject;

// @returns the TIB/TEB address for "thread".
extern PNT_TIB GetThreadTIB(HANDLE thread);

// Debug-related structure declarations.
typedef struct _RTL_PROCESS_BACKTRACE_INFORMATION {
  PVOID SymbolicBackTrace;
  ULONG TraceCount;
  USHORT Index;
  USHORT Depth;
  PVOID BackTrace[32];
} RTL_PROCESS_BACKTRACE_INFORMATION, *PRTL_PROCESS_BACKTRACE_INFORMATION;

typedef struct _RTL_PROCESS_BACKTRACES {
  ULONG CommittedMemory;
  ULONG ReservedMemory;
  ULONG NumberOfBackTraceLookups;
  ULONG NumberOfBackTraces;
  RTL_PROCESS_BACKTRACE_INFORMATION BackTraces[1];
} RTL_PROCESS_BACKTRACES, *PRTL_PROCESS_BACKTRACES;

typedef struct _RTL_PROCESS_MODULE_INFORMATION {
  ULONG Section;
  PVOID MappedBase;
  PVOID ImageBase;
  ULONG ImageSize;
  ULONG Flags;
  USHORT LoadOrderIndex;
  USHORT InitOrderIndex;
  USHORT LoadCount;
  USHORT OffsetToFileName;
  CHAR FullPathName[256];
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;

typedef struct _RTL_PROCESS_MODULES {
  ULONG NumberOfModules;
  RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;

typedef struct _RTL_PROCESS_MODULE_INFORMATION_EX {
  ULONG NextOffset;
  RTL_PROCESS_MODULE_INFORMATION BaseInfo;
  ULONG ImageCheckSum;
  ULONG TimeDateStamp;
  PVOID DefaultBase;
} RTL_PROCESS_MODULE_INFORMATION_EX, *PRTL_PROCESS_MODULE_INFORMATION_EX;

typedef struct _RTL_DEBUG_INFORMATION {
  HANDLE SectionHandleClient;
  PVOID ViewBaseClient;
  PVOID ViewBaseTarget;
  ULONG ViewBaseDelta;
  HANDLE EventPairClient;
  PVOID EventPairTarget;
  HANDLE TargetProcessId;
  HANDLE TargetThreadHandle;
  ULONG Flags;
  ULONG OffsetFree;
  ULONG CommitSize;
  ULONG ViewSize;
  union {
    PRTL_PROCESS_MODULES Modules;
    PRTL_PROCESS_MODULE_INFORMATION_EX ModulesEx;
  };
  PRTL_PROCESS_BACKTRACES BackTraces;
  void * /*PRTL_PROCESS_HEAPS*/ Heaps;
  void * /*PRTL_PROCESS_LOCKS*/ Locks;
  HANDLE SpecificHeap;
  HANDLE TargetProcessHandle;
  void * /*RTL_PROCESS_VERIFIER_OPTIONS*/ VerifierOptions;
  HANDLE ProcessHeap;
  HANDLE CriticalSectionHandle;
  HANDLE CriticalSectionOwnerThread;
  PVOID Reserved[4];
} RTL_DEBUG_INFORMATION, *PRTL_DEBUG_INFORMATION;

// RtlQueryProcessDebugInformation.DebugInfoClassMask constants
#define PDI_MODULES 0x01
#define PDI_BACKTRACE 0x02
#define PDI_HEAPS 0x04
#define PDI_HEAP_TAGS 0x08
#define PDI_HEAP_BLOCKS 0x10
#define PDI_LOCKS 0x20

typedef NTSTATUS (NTAPI *RtlQueryProcessBackTraceInformationFunc)(
      PRTL_DEBUG_INFORMATION debug_info);
typedef PRTL_DEBUG_INFORMATION (NTAPI *RtlCreateQueryDebugBufferFunc)(
      IN ULONG size, IN BOOLEAN event_pair);
typedef NTSTATUS (NTAPI *RtlQueryProcessDebugInformationFunc)(
      IN ULONG ProcessId, IN ULONG DebugInfoClassMask,
      IN OUT PRTL_DEBUG_INFORMATION DebugBuffer);
typedef NTSTATUS (NTAPI *RtlDestroyQueryDebugBufferFunc)(
      IN PRTL_DEBUG_INFORMATION DebugBuffer);

typedef ULONG (NTAPI *RtlGetNtGlobalFlagsFunc)();
typedef ULONG (NTAPI *RtlNtStatusToDosErrorFunc)(NTSTATUS nt_status);

// Debug-related runtime functions.
extern RtlQueryProcessBackTraceInformationFunc
    RtlQueryProcessBackTraceInformation;
extern RtlCreateQueryDebugBufferFunc
    RtlCreateQueryDebugBuffer;
extern RtlQueryProcessDebugInformationFunc
    RtlQueryProcessDebugInformation;
extern RtlDestroyQueryDebugBufferFunc
    RtlDestroyQueryDebugBuffer;

extern RtlGetNtGlobalFlagsFunc RtlGetNtGlobalFlags;
extern RtlNtStatusToDosErrorFunc RtlNtStatusToDosError;

}  // namespace nt_internals

#endif  // CEEE_TESTING_UTILS_NT_INTERNALS_H_