turborex 0.1.1

Files changed (74) hide show
  1. checksums.yaml +7 -0
  2. data/LICENSE +674 -0
  3. data/README.md +38 -0
  4. data/README.rdoc +19 -0
  5. data/examples/alpc_client.rb +15 -0
  6. data/examples/alpc_server.rb +14 -0
  7. data/examples/com_client.rb +19 -0
  8. data/examples/com_finder.rb +39 -0
  9. data/examples/create_instance.rb +15 -0
  10. data/examples/cstruct.rb +19 -0
  11. data/examples/find_com_client_calls.rb +16 -0
  12. data/examples/find_rpc_security_callback.rb +12 -0
  13. data/examples/rpc_finder.rb +117 -0
  14. data/examples/scan_exports.rb +5 -0
  15. data/examples/scan_imports.rb +5 -0
  16. data/examples/tinysdk.rb +17 -0
  17. data/lib/turborex.rb +21 -0
  18. data/lib/turborex/cstruct.rb +565 -0
  19. data/lib/turborex/cstruct/struct_helper.rb +7 -0
  20. data/lib/turborex/exception.rb +65 -0
  21. data/lib/turborex/fuzzer.rb +204 -0
  22. data/lib/turborex/fuzzer/containers.rb +115 -0
  23. data/lib/turborex/fuzzer/coverage.rb +67 -0
  24. data/lib/turborex/fuzzer/mutators.rb +25 -0
  25. data/lib/turborex/fuzzer/seed.rb +30 -0
  26. data/lib/turborex/monkey.rb +11 -0
  27. data/lib/turborex/msrpc.rb +14 -0
  28. data/lib/turborex/msrpc/decompiler.rb +244 -0
  29. data/lib/turborex/msrpc/midl.rb +747 -0
  30. data/lib/turborex/msrpc/ndrtype.rb +167 -0
  31. data/lib/turborex/msrpc/rpcbase.rb +777 -0
  32. data/lib/turborex/msrpc/rpcfinder.rb +1426 -0
  33. data/lib/turborex/msrpc/utils.rb +70 -0
  34. data/lib/turborex/pefile.rb +8 -0
  35. data/lib/turborex/pefile/pe.rb +61 -0
  36. data/lib/turborex/pefile/scanner.rb +82 -0
  37. data/lib/turborex/utils.rb +321 -0
  38. data/lib/turborex/windows.rb +402 -0
  39. data/lib/turborex/windows/alpc.rb +844 -0
  40. data/lib/turborex/windows/com.rb +266 -0
  41. data/lib/turborex/windows/com/client.rb +84 -0
  42. data/lib/turborex/windows/com/com_finder.rb +330 -0
  43. data/lib/turborex/windows/com/com_registry.rb +100 -0
  44. data/lib/turborex/windows/com/interface.rb +522 -0
  45. data/lib/turborex/windows/com/utils.rb +210 -0
  46. data/lib/turborex/windows/constants.rb +82 -0
  47. data/lib/turborex/windows/process.rb +56 -0
  48. data/lib/turborex/windows/security.rb +12 -0
  49. data/lib/turborex/windows/security/ace.rb +76 -0
  50. data/lib/turborex/windows/security/acl.rb +25 -0
  51. data/lib/turborex/windows/security/security_descriptor.rb +118 -0
  52. data/lib/turborex/windows/tinysdk.rb +89 -0
  53. data/lib/turborex/windows/utils.rb +138 -0
  54. data/resources/headers/alpc/ntdef.h +72 -0
  55. data/resources/headers/alpc/ntlpcapi.h +1014 -0
  56. data/resources/headers/rpc/common.h +162 -0
  57. data/resources/headers/rpc/guiddef.h +191 -0
  58. data/resources/headers/rpc/internal_ndrtypes.h +262 -0
  59. data/resources/headers/rpc/rpc.h +10 -0
  60. data/resources/headers/rpc/rpcdce.h +266 -0
  61. data/resources/headers/rpc/rpcdcep.h +187 -0
  62. data/resources/headers/rpc/rpcndr.h +39 -0
  63. data/resources/headers/rpc/v4_x64/rpcinternals.h +154 -0
  64. data/resources/headers/rpc/wintype.h +517 -0
  65. data/resources/headers/tinysdk/tinysdk.h +5 -0
  66. data/resources/headers/tinysdk/tinysdk/comdef.h +645 -0
  67. data/resources/headers/tinysdk/tinysdk/dbghelp.h +118 -0
  68. data/resources/headers/tinysdk/tinysdk/guiddef.h +194 -0
  69. data/resources/headers/tinysdk/tinysdk/memoryapi.h +12 -0
  70. data/resources/headers/tinysdk/tinysdk/poppack.h +12 -0
  71. data/resources/headers/tinysdk/tinysdk/pshpack4.h +13 -0
  72. data/resources/headers/tinysdk/tinysdk/winnt.h +1059 -0
  73. data/resources/headers/tinysdk/tinysdk/wintype.h +326 -0
  74. metadata +290 -0
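--- a/data/lib/turborex/windows/security/security_descriptor.rb
+++ b/data/lib/turborex/windows/security/security_descriptor.rb
@@ -0,0 +1,118 @@
+module TurboRex
+class Windows < Metasm::WinOS
+module Security
+class SecurityDescriptor
+attr_reader :revision
+attr_reader :sbzl
+attr_reader :control
+attr_reader :owner
+attr_reader :group
+attr_reader :sacl
+attr_reader :dacl
+
+def initialize(revision, control, owner, group, sacl, dacl, sbzl=0)
+@revision = revision
+@sbzl = sbzl
+@control = control
+@owner = owner
+@group = group
+@sacl = sacl
+@dacl = dacl
+end
+
+# Very few robustness checks, may result in memory-corruption.
+def self.from_raw(raw)
+apiproxy_klass = TurboRex::Windows::Win32API
+sd = apiproxy_klass.alloc_c_ary('BYTE', raw.bytesize)
+sd.str = raw
+
+# Get security descriptor control and revision
+pcontrol = apiproxy_klass.alloc_c_ptr('SECURITY_DESCRIPTOR_CONTROL')
+prevision = apiproxy_klass.alloc_c_ptr('DWORD')
+if apiproxy_klass.getsecuritydescriptorcontrol(sd, pcontrol, prevision) == 0
+raise_api_call_failure('GetSecurityDescriptorControl')
+end
+control = pcontrol[0]
+revision = prevision[0]
+
+# Get owner sid
+ppsid = apiproxy_klass.alloc_c_ptr('PSID')
+pownder_default = apiproxy_klass.alloc_c_ptr('BOOL')
+if apiproxy_klass.getsecuritydescriptorowner(sd, ppsid, pownder_default) == 0
+raise_api_call_failure('GetSecurityDescriptorOwner')
+end
+
+ppszsid = apiproxy_klass.alloc_c_ptr('LPSTR')
+if apiproxy_klass.convertsidtostringsida(ppsid[0], ppszsid) == 0
+raise_api_call_failure('ConvertSidToStringSidA')
+end
+sz_owner_sid = apiproxy_klass.memory_read_strz(ppszsid[0])
+
+# Get group sid
+if apiproxy_klass.getsecuritydescriptorgroup(sd, ppsid, pownder_default) == 0
+raise_api_call_failure('GetSecurityDescriptorGroup')
+end
+
+ppszsid = apiproxy_klass.alloc_c_ptr('LPSTR')
+if apiproxy_klass.convertsidtostringsida(ppsid[0], ppszsid) == 0
+raise_api_call_failure('ConvertSidToStringSidA')
+end
+sz_group_sid = apiproxy_klass.memory_read_strz(ppszsid[0])
+
+# TODO: parse SACL
+
+
+# Get DACL
+ppacl = apiproxy_klass.alloc_c_ptr('PACL')
+dacl_present = apiproxy_klass.alloc_c_ptr('BOOL')
+pdacl_default = apiproxy_klass.alloc_c_ptr('BOOL')
+if apiproxy_klass.getsecuritydescriptordacl(sd, dacl_present, ppacl, pdacl_default) == 0
+raise_api_call_failure('GetSecurityDescriptorDacl')
+end
+
+acl_revision_info = apiproxy_klass.alloc_c_struct('ACL_REVISION_INFORMATION')
+if apiproxy_klass.getaclinformation(ppacl[0], acl_revision_info, acl_revision_info.sizeof, apiproxy_klass::ACLREVISIONINFORMATION) == 0
+raise_api_call_failure('GetAclInformation')
+end
+acl_revision = acl_revision_info.AclRevision
+
+acl_size_info = apiproxy_klass.alloc_c_struct('ACL_SIZE_INFORMATION')
+if apiproxy_klass.getaclinformation(ppacl[0], acl_size_info, acl_size_info.sizeof, apiproxy_klass::ACLSIZEINFORMATION) == 0
+raise_api_call_failure('GetAclInformation')
+end
+ace_count = acl_size_info.AceCount
+
+ppace = apiproxy_klass.alloc_c_ptr('LPVOID')
+aces = []
+ace_count.times do |i|
+if apiproxy_klass.getace(ppacl[0], i, ppace) == 0
+raise_api_call_failure('GetACE')
+end
+
+# parse ace
+aces << parse_ace_from_ptr(ppace[0])
+end
+
+dacl = ACL::DACL.new(acl_revision, ace_count, aces)
+
+new(revision, control, sz_owner_sid, sz_group_sid, nil, dacl)
+end
+
+
+def self.raise_api_call_failure(api_name)
+raise "Unable to call #{api_name}. GetLastError returns: #{TurboRex::Windows::Win32API.getlasterror}"
+end
+
+def self.parse_ace_from_ptr(ptr)
+ace_header = TurboRex::Windows::Win32API.alloc_c_struct('ACE_HEADER')
+raw_header = TurboRex::Windows::Utils.read_memory(ptr, ace_header.sizeof)
+ace_header.str = raw_header
+size = ace_header.AceSize
+
+raw_ace = TurboRex::Windows::Utils.read_memory(ptr, size)
+ACE.from_raw(raw_ace)
+end
+end
+end
+end
+end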
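Review bot: A missing or NULL DACL is not handled in from_raw: `dacl_present` and `pdacl_default` are allocated for the GetSecurityDescriptorDacl call but never read, and `ppacl[0]` is passed straight to GetAclInformation, so a descriptor with no DACL (the state that grants everyone full access, which is exactly what an audit of a descriptor should surface) raises "Unable to call GetAclInformation" instead of yielding an object. A guard before the ACL_REVISION_INFORMATION query, `return new(revision, control, sz_owner_sid, sz_group_sid, nil, nil) if dacl_present[0] == 0 || ppacl[0] == 0`, would represent that state as `dacl == nil` and let callers distinguish it from a parse failure. The two ConvertSidToStringSidA results are never released; the Win32 contract is that the caller frees them with LocalFree, so each from_raw call leaks two allocations (whether the proxy exposes a `localfree` wrapper is not visible here). parse_ace_from_ptr also assigns `ace_header.str = raw_header` without checking for the nil that Utils.read_memory returns on a failed read, which turns a short read into an opaque error further down.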
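--- a/data/lib/turborex/windows/tinysdk.rb
+++ b/data/lib/turborex/windows/tinysdk.rb
@@ -0,0 +1,89 @@
+require 'singleton'
+
+module TurboRex
+class Windows < Metasm::WinOS
+def self.tinysdk
+TurboRex::Windows::TinySDK.instance
+end
+
+class TinySDK
+DEFAULT_LOAD_FILE = TurboRex.root + '/resources/headers/tinysdk/tinysdk.h'
+
+include Singleton
+
+attr_reader :include_path
+attr_reader :loaded_files
+attr_reader :np
+
+def initialize
+@loaded = false
+@loaded_files = []
+set_include_path
+end
+
+def load(opts = {})
+return true if loaded?
+load!(opts)
+end
+
+def load!(opts)
+opts[:cpu] ||= ::Metasm::Ia32
+
+opts[:visual_studio] = true
+opts[:data_model] = 'llp64' if opts[:cpu] == Metasm::X86_64
+opts[:predefined] = true
+
+@np = TurboRex::CStruct::NativeParser.new(nil, opts)
+@cp = @np.parser
+
+if opts[:files]
+opts[:files].each {|f| @cp.parse_file(f)}
+@loaded_files = opts[:files]
+else
+@cp.parse_file(DEFAULT_LOAD_FILE)
+@loaded_files << DEFAULT_LOAD_FILE
+end
+
+true
+end
+
+def loaded?
+@loaded
+end
+
+## https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/using-ntstatus-values
+def self.nt_success?(ntstatus)
+(0..0x3FFFFFFF).include?(ntstatus) || (0x40000000..0x7FFFFFFF).include?(ntstatus) || ntstatus.nil?
+end
+
+def self.nt_information?(ntstatus)
+(0x40000000..0x7FFFFFFF).include?(ntstatus)
+end
+
+def self.nt_warning?(ntstatus)
+(0x80000000..0xBFFFFFFF).include?(ntstatus)
+end
+
+def self.nt_error?(ntstatus)
+(0xC0000000..0xFFFFFFFF).include?(ntstatus)
+end
+
+def self.format_hex_ntstatus(integer, opts = {})
+integer = 0 unless integer
+unpacked = [integer].pack('V').unpack('V')[0]
+if opts[:hex_str]
+'0x' + unpacked.to_s(16).upcase
+else
+unpacked
+end
+end
+
+private
+
+def set_include_path
+root = TurboRex.root + '/resources/headers'
+@include_path = TurboRex::Utils.get_all_subdir(root)
+end
+end
+end
+end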
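Review bot: `load!` never sets `@loaded`, so `loaded?` stays false after a successful parse and every later `load` call re-parses the headers into a fresh NativeParser, silently replacing the `@np`/`@cp` that callers may already hold; add `@loaded = true` just before the trailing `true` in `load!`. `load!` also writes `:visual_studio`, `:data_model` and `:predefined` into the caller's `opts` hash and stores `opts[:files]` by reference in `@loaded_files`, so a caller that reuses or mutates its hash or array changes the singleton's state; `opts = opts.dup` and `@loaded_files = opts[:files].dup` keep those side effects internal. In `nt_success?` the `|| ntstatus.nil?` clause makes a missing status count as success, which is surprising for a predicate named this way and deserves a comment stating why, and none of the `nt_*?` range checks accept the negative signed form of a status, so callers holding a signed 32-bit value must pass it through `format_hex_ntstatus` first — worth stating in the `##` comment above them.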
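--- a/data/lib/turborex/windows/utils.rb
+++ b/data/lib/turborex/windows/utils.rb
@@ -0,0 +1,138 @@
+require 'turborex/cstruct'
+module TurboRex
+class Windows < Metasm::WinOS
+module Utils
+include ::Win32 if ::OS.windows?
+include TurboRex::CStruct
+
+def get_version(path)
+structmgr = define_structs do
+struct tagVS_FIXEDFILEINFO {
+DWORD dwSignature;
+DWORD dwStrucVersion;
+DWORD dwFileVersionMS;
+DWORD dwFileVersionLS;
+DWORD dwProductVersionMS;
+DWORD dwProductVersionLS;
+DWORD dwFileFlagsMask;
+DWORD dwFileFlags;
+DWORD dwFileOS;
+DWORD dwFileType;
+DWORD dwFileSubtype;
+DWORD dwFileDateMS;
+DWORD dwFileDateLS;
+};
+end
+
+fGetFileVersionInfoSize = API.new('GetFileVersionInfoSize', 'PP', 'L', 'version')
+lpdwHandle = 0
+lptstrFilename = path
+buf_len = fGetFileVersionInfoSize.call(lptstrFilename, lpdwHandle)
+
+fGetFileVersionInfo = API.new('GetFileVersionInfo', 'PLLP', 'I', 'version')
+buf = 0.chr * buf_len
+res = fGetFileVersionInfo.call(lptstrFilename, 0, buf_len, buf)
+
+if res == 1
+fVerQueryValueW = API.new('VerQueryValue', 'PPPP', 'I', 'version')
+fileInfo = 0.chr * 8
+size = 0.chr * 4
+lpSubBlock = '\\'
+res = fVerQueryValueW.call(buf, lpSubBlock, fileInfo, size)
+
+if res == 1
+fReadProcessMemory = API.new('ReadProcessMemory', 'LPPPP', 'I', 'kernel32')
+size_i = size.unpack('V')[0]
+buf = 0.chr * size_i
+i1 = 0.chr * 8
+fReadProcessMemory.call(-1, fileInfo.unpack('Q<')[0], buf, size_i, i1)
+moduleVersion = structmgr['tagVS_FIXEDFILEINFO'].from_str buf
+return [moduleVersion['dwFileVersionMS'].value, moduleVersion['dwFileVersionLS'].value]
+end
+end
+end
+
+def self.multibyte_to_widechar(str)
+fMultiByteToWideChar = API.new('MultiByteToWideChar', 'ILSIPI', 'I', 'kernel32')
+code_page = 65001 # CP_UTF8
+flag = 0
+ilength = fMultiByteToWideChar.call(code_page, flag, str, -1, 0, 0)
+return false if ilength == 0
+
+buf = 0.chr * ilength * 2
+res = fMultiByteToWideChar.call(code_page, flag, str, -1, buf, ilength)
+return false if res == 0
+buf
+end
+
+def self.read_memory(base, size, handle = -1)
+fReadProcessMemory = API.new('ReadProcessMemory', 'LPPPP', 'I', 'kernel32')
+i1 = 0.chr * 8
+buf = 0.chr * size
+if fReadProcessMemory.call(handle, base, buf, size, i1) == 1
+buf
+else
+nil
+end
+end
+
+def self.is_wow64?
+fIsWow64Process = API.new('IsWow64Process', 'PP', 'I', 'kernel32')
+wow64 = 0.chr
+raise "Failed to call IsWow64Process" if fIsWow64Process.call(-1, wow64) == 0
+
+wow64.unpack('C').first == 1
+end
+
+def self.process_arch(pid=nil, handle=-1)
+case Metasm::WinOS::Process.new(pid, handle).addrsz / 8
+when 4
+'x86'
+when 8
+'x64'
+end
+end
+
+def self.process_arch_x64?(pid=nil, handle=-1)
+Metasm::WinOS::Process.new(pid, handle).addrsz / 8 == 8
+end
+
+def self.find_import_func(func, filenames, stop_when_found = false)
+found = []
+filenames.each do |f|
+dfile = ::Metasm::PE.decode_file_header f
+dfile.decode_imports
+imports = dfile.imports
+next if not imports
+imports.each do |import_dict|
+import_dict.imports.each do |import_desc|
+if import_desc.name == func
+return f if stop_when_found
+found << f
+end
+end
+end
+end
+
+found
+end
+
+def self.find_export_func(func, filenames, stop_when_found = false)
+found = []
+filenames.each do |f|
+dfile = ::Metasm::PE.decode_file_header f
+dfile.decode_exports
+export = dfile.export
+next if !export
+next if !export.exports
+export.exports.each do |exp|
+if exp.name == func && !exp.forwarder_lib
+return f if stop_when_found
+found << f
+end
+end
+end
+end
+end
+end
+end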
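Review bot: find_export_func never returns `found`: its last expression is the `filenames.each` block, which evaluates to `filenames`, so when `stop_when_found` is false the caller gets back the full input list rather than the files that actually export `func`; add `found` as the final line of the method, exactly as find_import_func does. In get_version the GetFileVersionInfoSize result is not checked, so on failure `buf_len` is 0, `buf` is an empty string and GetFileVersionInfo is still called with it; `return nil if buf_len == 0` after the size call closes that path, and the ignored ReadProcessMemory return value a few lines later means `structmgr['tagVS_FIXEDFILEINFO'].from_str buf` can decode an all-zero buffer as a valid version. get_version is also the only instance method in a module whose other helpers are `self.` methods, which leaves it unreachable without `include`-ing Utils and looks unintended. find_import_func/find_export_func decode every file with no rescue, so one malformed PE in `filenames` aborts the whole scan instead of being skipped; if that is deliberate, a one-line comment saying so would help.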
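--- a/data/resources/headers/alpc/ntdef.h
+++ b/data/resources/headers/alpc/ntdef.h
@@ -0,0 +1,72 @@
+#include <tinysdk/wintype.h>
+#include <tinysdk/winnt.h>
+
+#define _Out_
+#define _In_opt_
+#define _Inout_
+#define _Out_opt_
+#define _In_
+#define _Inout_opt_
+#define _Reserved_
+
+typedef struct _OBJECT_ATTRIBUTES {
+ULONG Length;
+HANDLE RootDirectory;
+PUNICODE_STRING ObjectName;
+ULONG Attributes;
+PVOID SecurityDescriptor;
+PVOID SecurityQualityOfService;
+} OBJECT_ATTRIBUTES;
+typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;
+
+typedef short CSHORT;
+#if !defined(_M_IX86)
+typedef __int64 LONGLONG;
+typedef unsigned __int64 ULONGLONG;
+#else
+typedef double LONGLONG;
+typedef double ULONGLONG;
+#endif
+
+/*
+typedef union _LARGE_INTEGER {
+struct {
+DWORD LowPart;
+LONG HighPart;
+} DUMMYSTRUCTNAME;
+struct {
+DWORD LowPart;
+LONG HighPart;
+} u;
+LONGLONG QuadPart;
+} LARGE_INTEGER, *PLARGE_INTEGER;
+*/
+
+typedef struct _CLIENT_ID
+{
+HANDLE UniqueProcess;
+HANDLE UniqueThread;
+} CLIENT_ID, *PCLIENT_ID;
+
+typedef struct _CLIENT_ID32
+{
+ULONG UniqueProcess;
+ULONG UniqueThread;
+} CLIENT_ID32, *PCLIENT_ID32;
+
+typedef struct _CLIENT_ID64
+{
+ULONGLONG UniqueProcess;
+ULONGLONG UniqueThread;
+} CLIENT_ID64, *PCLIENT_ID64;
+
+// from thread
+typedef struct _RTL_SRWLOCK {
+PVOID Ptr;
+} RTL_SRWLOCK, *PRTL_SRWLOCK;
+typedef RTL_SRWLOCK SRWLOCK, *PSRWLOCK;
+
+void RtlInitUnicodeString(
+PUNICODE_STRING DestinationString,
+PCWSTR SourceString
+);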
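Review bot: The 32-bit fallback `typedef double LONGLONG;` / `typedef double ULONGLONG;` in the `#else` branch gives every field declared with these types (CLIENT_ID64 here, and the 64-bit port structures in ntlpcapi.h) floating-point semantics in the C parser: the size is right, but any value read through them is reinterpreted as a double rather than an integer, which matters for a tool that decodes process and thread ids out of these structures. If the parser accepts it, `typedef long long LONGLONG;` and `typedef unsigned long long ULONGLONG;` keep both the size and integer semantics; if it does not, a comment on the `#else` branch saying that only sizeof is relied upon would stop a reader from trusting the values. The header also has no include guard, unlike ntlpcapi.h which defines `_NTLPCAPI_H`, so including it from two places redefines OBJECT_ATTRIBUTES and CLIENT_ID; `#ifndef _NTDEF_H` / `#define _NTDEF_H` around the body would match the sibling header.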
@@ -0,0 +1,1014 @@
1
+ #include <ntdef.h>
2
+
3
+ //from ProcessHacker
4
+ #define NT_WIN2K 50
5
+ #define NT_WINXP 51
6
+ #define NT_WS03 52
7
+ #define NT_VISTA 60
8
+ #define NT_WIN7 61
9
+ #define NT_WIN8 62
10
+ #define NT_WINBLUE 63
11
+ #define NT_THRESHOLD 100
12
+ #ifndef _NTLPCAPI_H
13
+ #define _NTLPCAPI_H
14
+
15
+ // Local Inter-process Communication
16
+
17
+ #define PORT_CONNECT 0x0001
18
+ #define PORT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1)
19
+ #define DECLSPEC_ALIGN(x) __declspec(align(x))
20
+
21
+ typedef struct _PORT_MESSAGE
22
+ {
23
+ union
24
+ {
25
+ struct
26
+ {
27
+ CSHORT DataLength;
28
+ CSHORT TotalLength;
29
+ } s1;
30
+ ULONG Length;
31
+ } u1;
32
+ union
33
+ {
34
+ struct
35
+ {
36
+ CSHORT Type;
37
+ CSHORT DataInfoOffset;
38
+ } s2;
39
+ ULONG ZeroInit;
40
+ } u2;
41
+ union
42
+ {
43
+ CLIENT_ID ClientId;
44
+ double DoNotUseThisField;
45
+ };
46
+ ULONG MessageId;
47
+ union
48
+ {
49
+ SIZE_T ClientViewSize; // only valid for LPC_CONNECTION_REQUEST messages
50
+ ULONG CallbackId; // only valid for LPC_REQUEST messages
51
+ };
52
+ } PORT_MESSAGE, *PPORT_MESSAGE;
53
+
54
+ typedef struct _PORT_DATA_ENTRY
55
+ {
56
+ PVOID Base;
57
+ ULONG Size;
58
+ } PORT_DATA_ENTRY, *PPORT_DATA_ENTRY;
59
+
60
+ typedef struct _PORT_DATA_INFORMATION
61
+ {
62
+ ULONG CountDataEntries;
63
+ PORT_DATA_ENTRY DataEntries[1];
64
+ } PORT_DATA_INFORMATION, *PPORT_DATA_INFORMATION;
65
+
66
+ #define LPC_REQUEST 1
67
+ #define LPC_REPLY 2
68
+ #define LPC_DATAGRAM 3
69
+ #define LPC_LOST_REPLY 4
70
+ #define LPC_PORT_CLOSED 5
71
+ #define LPC_CLIENT_DIED 6
72
+ #define LPC_EXCEPTION 7
73
+ #define LPC_DEBUG_EVENT 8
74
+ #define LPC_ERROR_EVENT 9
75
+ #define LPC_CONNECTION_REQUEST 10
76
+
77
+ #define LPC_KERNELMODE_MESSAGE (CSHORT)0x8000
78
+ #define LPC_NO_IMPERSONATE (CSHORT)0x4000
79
+
80
+ #define PORT_VALID_OBJECT_ATTRIBUTES OBJ_CASE_INSENSITIVE
81
+
82
+ #ifdef _WIN64
83
+ #define PORT_MAXIMUM_MESSAGE_LENGTH 512
84
+ #else
85
+ #define PORT_MAXIMUM_MESSAGE_LENGTH 256
86
+ #endif
87
+
88
+ #define LPC_MAX_CONNECTION_INFO_SIZE (16 * sizeof(ULONG_PTR))
89
+
90
+ #define PORT_TOTAL_MAXIMUM_MESSAGE_LENGTH \
91
+ ((PORT_MAXIMUM_MESSAGE_LENGTH + sizeof(PORT_MESSAGE) + LPC_MAX_CONNECTION_INFO_SIZE + 0xf) & ~0xf)
92
+
93
+ typedef struct _LPC_CLIENT_DIED_MSG
94
+ {
95
+ PORT_MESSAGE PortMsg;
96
+ LARGE_INTEGER CreateTime;
97
+ } LPC_CLIENT_DIED_MSG, *PLPC_CLIENT_DIED_MSG;
98
+
99
+ typedef struct _PORT_VIEW
100
+ {
101
+ ULONG Length;
102
+ HANDLE SectionHandle;
103
+ ULONG SectionOffset;
104
+ SIZE_T ViewSize;
105
+ PVOID ViewBase;
106
+ PVOID ViewRemoteBase;
107
+ } PORT_VIEW, *PPORT_VIEW;
108
+
109
+ typedef struct _REMOTE_PORT_VIEW
110
+ {
111
+ ULONG Length;
112
+ SIZE_T ViewSize;
113
+ PVOID ViewBase;
114
+ } REMOTE_PORT_VIEW, *PREMOTE_PORT_VIEW;
115
+
116
+ // WOW64 definitions
117
+
118
+ // Except in a small number of special cases, WOW64 programs using the LPC APIs must use the 64-bit versions of the
119
+ // PORT_MESSAGE, PORT_VIEW and REMOTE_PORT_VIEW data structures. Note that we take a different approach than the
120
+ // official NT headers, which produce 64-bit versions in a 32-bit environment when USE_LPC6432 is defined.
121
+
122
+ typedef struct _PORT_MESSAGE64
123
+ {
124
+ union
125
+ {
126
+ struct
127
+ {
128
+ CSHORT DataLength;
129
+ CSHORT TotalLength;
130
+ } s1;
131
+ ULONG Length;
132
+ } u1;
133
+ union
134
+ {
135
+ struct
136
+ {
137
+ CSHORT Type;
138
+ CSHORT DataInfoOffset;
139
+ } s2;
140
+ ULONG ZeroInit;
141
+ } u2;
142
+ union
143
+ {
144
+ CLIENT_ID64 ClientId;
145
+ double DoNotUseThisField;
146
+ };
147
+ ULONG MessageId;
148
+ union
149
+ {
150
+ ULONGLONG ClientViewSize; // only valid for LPC_CONNECTION_REQUEST messages
151
+ ULONG CallbackId; // only valid for LPC_REQUEST messages
152
+ };
153
+ } PORT_MESSAGE64, *PPORT_MESSAGE64;
154
+
155
+ typedef struct _LPC_CLIENT_DIED_MSG64
156
+ {
157
+ PORT_MESSAGE64 PortMsg;
158
+ LARGE_INTEGER CreateTime;
159
+ } LPC_CLIENT_DIED_MSG64, *PLPC_CLIENT_DIED_MSG64;
160
+
161
+ typedef struct _PORT_VIEW64
162
+ {
163
+ ULONG Length;
164
+ ULONGLONG SectionHandle;
165
+ ULONG SectionOffset;
166
+ ULONGLONG ViewSize;
167
+ ULONGLONG ViewBase;
168
+ ULONGLONG ViewRemoteBase;
169
+ } PORT_VIEW64, *PPORT_VIEW64;
170
+
171
+ typedef struct _REMOTE_PORT_VIEW64
172
+ {
173
+ ULONG Length;
174
+ ULONGLONG ViewSize;
175
+ ULONGLONG ViewBase;
176
+ } REMOTE_PORT_VIEW64, *PREMOTE_PORT_VIEW64;
177
+
178
+ // Port creation
179
+
180
+ NTSYSCALLAPI
181
+ NTSTATUS
182
+ NTAPI
183
+ NtCreatePort(
184
+ _Out_ PHANDLE PortHandle,
185
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
186
+ _In_ ULONG MaxConnectionInfoLength,
187
+ _In_ ULONG MaxMessageLength,
188
+ _In_opt_ ULONG MaxPoolUsage
189
+ );
190
+
191
+ NTSYSCALLAPI
192
+ NTSTATUS
193
+ NTAPI
194
+ NtCreateWaitablePort(
195
+ _Out_ PHANDLE PortHandle,
196
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
197
+ _In_ ULONG MaxConnectionInfoLength,
198
+ _In_ ULONG MaxMessageLength,
199
+ _In_opt_ ULONG MaxPoolUsage
200
+ );
201
+
202
+ // Port connection (client)
203
+
204
+ NTSYSCALLAPI
205
+ NTSTATUS
206
+ NTAPI
207
+ NtConnectPort(
208
+ _Out_ PHANDLE PortHandle,
209
+ _In_ PUNICODE_STRING PortName,
210
+ _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos,
211
+ _Inout_opt_ PPORT_VIEW ClientView,
212
+ _Inout_opt_ PREMOTE_PORT_VIEW ServerView,
213
+ _Out_opt_ PULONG MaxMessageLength,
214
+ PVOID ConnectionInformation,
215
+ _Inout_opt_ PULONG ConnectionInformationLength
216
+ );
217
+
218
+ NTSYSCALLAPI
219
+ NTSTATUS
220
+ NTAPI
221
+ NtSecureConnectPort(
222
+ _Out_ PHANDLE PortHandle,
223
+ _In_ PUNICODE_STRING PortName,
224
+ _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos,
225
+ _Inout_opt_ PPORT_VIEW ClientView,
226
+ _In_opt_ PSID RequiredServerSid,
227
+ _Inout_opt_ PREMOTE_PORT_VIEW ServerView,
228
+ _Out_opt_ PULONG MaxMessageLength,
229
+ PVOID ConnectionInformation,
230
+ _Inout_opt_ PULONG ConnectionInformationLength
231
+ );
232
+
233
+ // Port connection (server)
234
+
235
+ NTSYSCALLAPI
236
+ NTSTATUS
237
+ NTAPI
238
+ NtListenPort(
239
+ _In_ HANDLE PortHandle,
240
+ _Out_ PPORT_MESSAGE ConnectionRequest
241
+ );
242
+
243
+ NTSYSCALLAPI
244
+ NTSTATUS
245
+ NTAPI
246
+ NtAcceptConnectPort(
247
+ _Out_ PHANDLE PortHandle,
248
+ _In_opt_ PVOID PortContext,
249
+ _In_ PPORT_MESSAGE ConnectionRequest,
250
+ _In_ BOOLEAN AcceptConnection,
251
+ _Inout_opt_ PPORT_VIEW ServerView,
252
+ _Out_opt_ PREMOTE_PORT_VIEW ClientView
253
+ );
254
+
255
+ NTSYSCALLAPI
256
+ NTSTATUS
257
+ NTAPI
258
+ NtCompleteConnectPort(
259
+ _In_ HANDLE PortHandle
260
+ );
261
+
262
+ // General
263
+
264
+ NTSYSCALLAPI
265
+ NTSTATUS
266
+ NTAPI
267
+ NtRequestPort(
268
+ _In_ HANDLE PortHandle,
269
+ PPORT_MESSAGE RequestMessage
270
+ );
271
+
272
+ NTSYSCALLAPI
273
+ NTSTATUS
274
+ NTAPI
275
+ NtRequestWaitReplyPort(
276
+ _In_ HANDLE PortHandle,
277
+ PPORT_MESSAGE RequestMessage,
278
+ _Out_ PPORT_MESSAGE ReplyMessage
279
+ );
280
+
281
+ NTSYSCALLAPI
282
+ NTSTATUS
283
+ NTAPI
284
+ NtReplyPort(
285
+ _In_ HANDLE PortHandle,
286
+ PPORT_MESSAGE ReplyMessage
287
+ );
288
+
289
+ NTSYSCALLAPI
290
+ NTSTATUS
291
+ NTAPI
292
+ NtReplyWaitReplyPort(
293
+ _In_ HANDLE PortHandle,
294
+ _Inout_ PPORT_MESSAGE ReplyMessage
295
+ );
296
+
297
+ NTSYSCALLAPI
298
+ NTSTATUS
299
+ NTAPI
300
+ NtReplyWaitReceivePort(
301
+ _In_ HANDLE PortHandle,
302
+ _Out_opt_ PVOID *PortContext,
303
+ PPORT_MESSAGE ReplyMessage,
304
+ _Out_ PPORT_MESSAGE ReceiveMessage
305
+ );
306
+
307
+ NTSYSCALLAPI
308
+ NTSTATUS
309
+ NTAPI
310
+ NtReplyWaitReceivePortEx(
311
+ _In_ HANDLE PortHandle,
312
+ _Out_opt_ PVOID *PortContext,
313
+ PPORT_MESSAGE ReplyMessage,
314
+ _Out_ PPORT_MESSAGE ReceiveMessage,
315
+ _In_opt_ PLARGE_INTEGER Timeout
316
+ );
317
+
318
+ NTSYSCALLAPI
319
+ NTSTATUS
320
+ NTAPI
321
+ NtImpersonateClientOfPort(
322
+ _In_ HANDLE PortHandle,
323
+ _In_ PPORT_MESSAGE Message
324
+ );
325
+
326
+ NTSYSCALLAPI
327
+ NTSTATUS
328
+ NTAPI
329
+ NtReadRequestData(
330
+ _In_ HANDLE PortHandle,
331
+ _In_ PPORT_MESSAGE Message,
332
+ _In_ ULONG DataEntryIndex,
333
+ PVOID Buffer,
334
+ _In_ SIZE_T BufferSize,
335
+ _Out_opt_ PSIZE_T NumberOfBytesRead
336
+ );
337
+
338
+ NTSYSCALLAPI
339
+ NTSTATUS
340
+ NTAPI
341
+ NtWriteRequestData(
342
+ _In_ HANDLE PortHandle,
343
+ _In_ PPORT_MESSAGE Message,
344
+ _In_ ULONG DataEntryIndex,
345
+ PVOID Buffer,
346
+ _In_ SIZE_T BufferSize,
347
+ _Out_opt_ PSIZE_T NumberOfBytesWritten
348
+ );
349
+
350
+ typedef enum _PORT_INFORMATION_CLASS
351
+ {
352
+ PortBasicInformation,
353
+ PortDumpInformation
354
+ } PORT_INFORMATION_CLASS;
355
+
356
+ NTSYSCALLAPI
357
+ NTSTATUS
358
+ NTAPI
359
+ NtQueryInformationPort(
360
+ _In_ HANDLE PortHandle,
361
+ _In_ PORT_INFORMATION_CLASS PortInformationClass,
362
+ PVOID PortInformation,
363
+ _In_ ULONG Length,
364
+ _Out_opt_ PULONG ReturnLength
365
+ );
366
+
367
+ // Asynchronous Local Inter-process Communication
368
+
369
+ // rev
370
+ typedef HANDLE ALPC_HANDLE, *PALPC_HANDLE;
371
+
372
+ #define ALPC_PORFLG_ALLOW_LPC_REQUESTS 0x20000 // rev
373
+ #define ALPC_PORFLG_WAITABLE_PORT 0x40000 // dbg
374
+ #define ALPC_PORFLG_SYSTEM_PROCESS 0x100000 // dbg
375
+
376
+ // symbols
377
+ typedef struct _ALPC_PORT_ATTRIBUTES
378
+ {
379
+ ULONG Flags;
380
+ SECURITY_QUALITY_OF_SERVICE SecurityQos;
381
+ SIZE_T MaxMessageLength;
382
+ SIZE_T MemoryBandwidth;
383
+ SIZE_T MaxPoolUsage;
384
+ SIZE_T MaxSectionSize;
385
+ SIZE_T MaxViewSize;
386
+ SIZE_T MaxTotalSectionSize;
387
+ ULONG DupObjectTypes;
388
+ #ifdef _WIN64
389
+ ULONG Reserved;
390
+ #endif
391
+ } ALPC_PORT_ATTRIBUTES, *PALPC_PORT_ATTRIBUTES;
392
+
393
+ // begin_rev
394
+ #define ALPC_MESSAGE_SECURITY_ATTRIBUTE 0x80000000
395
+ #define ALPC_MESSAGE_VIEW_ATTRIBUTE 0x40000000
396
+ #define ALPC_MESSAGE_CONTEXT_ATTRIBUTE 0x20000000
397
+ // from PythonForWindows
398
+ #define ALPC_MESSAGE_HANDLE_ATTRIBUTE 0x10000000
399
+ #define ALPC_MESSAGE_TOKEN_ATTRIBUTE 0x8000000
400
+ #define ALPC_MESSAGE_DIRECT_ATTRIBUTE 0x4000000
401
+ #define ALPC_MESSAGE_WORK_ON_BEHALF_ATTRIBUTE 0x2000000
402
+ // end_rev
403
+
404
+ // symbols
405
+ typedef struct _ALPC_MESSAGE_ATTRIBUTES
406
+ {
407
+ ULONG AllocatedAttributes;
408
+ ULONG ValidAttributes;
409
+ } ALPC_MESSAGE_ATTRIBUTES, *PALPC_MESSAGE_ATTRIBUTES;
410
+
411
+ // symbols
412
+ typedef struct _ALPC_COMPLETION_LIST_STATE
413
+ {
414
+ union
415
+ {
416
+ struct
417
+ {
418
+ ULONG64 Head : 24;
419
+ ULONG64 Tail : 24;
420
+ ULONG64 ActiveThreadCount : 16;
421
+ } s1;
422
+ ULONG64 Value;
423
+ } u1;
424
+ } ALPC_COMPLETION_LIST_STATE, *PALPC_COMPLETION_LIST_STATE;
425
+
426
+ #define ALPC_COMPLETION_LIST_BUFFER_GRANULARITY_MASK 0x3f // dbg
427
+
428
+ // symbols
429
+ typedef struct DECLSPEC_ALIGN(128) _ALPC_COMPLETION_LIST_HEADER
430
+ {
431
+ ULONG64 StartMagic;
432
+
433
+ ULONG TotalSize;
434
+ ULONG ListOffset;
435
+ ULONG ListSize;
436
+ ULONG BitmapOffset;
437
+ ULONG BitmapSize;
438
+ ULONG DataOffset;
439
+ ULONG DataSize;
440
+ ULONG AttributeFlags;
441
+ ULONG AttributeSize;
442
+
443
+ DECLSPEC_ALIGN(128) ALPC_COMPLETION_LIST_STATE State;
444
+ ULONG LastMessageId;
445
+ ULONG LastCallbackId;
446
+ DECLSPEC_ALIGN(128) ULONG PostCount;
447
+ DECLSPEC_ALIGN(128) ULONG ReturnCount;
448
+ DECLSPEC_ALIGN(128) ULONG LogSequenceNumber;
449
+ DECLSPEC_ALIGN(128) RTL_SRWLOCK UserLock;
450
+
451
+ ULONG64 EndMagic;
452
+ } ALPC_COMPLETION_LIST_HEADER, *PALPC_COMPLETION_LIST_HEADER;
453
+
454
+ // private
455
+ typedef struct _ALPC_CONTEXT_ATTR
456
+ {
457
+ PVOID PortContext;
458
+ PVOID MessageContext;
459
+ ULONG Sequence;
460
+ ULONG MessageId;
461
+ ULONG CallbackId;
462
+ } ALPC_CONTEXT_ATTR, *PALPC_CONTEXT_ATTR;
463
+
464
+ // begin_rev
465
+ #define ALPC_HANDLEFLG_DUPLICATE_SAME_ACCESS 0x10000
466
+ #define ALPC_HANDLEFLG_DUPLICATE_SAME_ATTRIBUTES 0x20000
467
+ #define ALPC_HANDLEFLG_DUPLICATE_INHERIT 0x80000
468
+ // end_rev
469
+
470
+ // private
471
+ typedef struct _ALPC_HANDLE_ATTR32
472
+ {
473
+ ULONG Flags;
474
+ ULONG Reserved0;
475
+ ULONG SameAccess;
476
+ ULONG SameAttributes;
477
+ ULONG Indirect;
478
+ ULONG Inherit;
479
+ ULONG Reserved1;
480
+ ULONG Handle;
481
+ ULONG ObjectType; // ObjectTypeCode, not ObjectTypeIndex
482
+ ULONG DesiredAccess;
483
+ ULONG GrantedAccess;
484
+ } ALPC_HANDLE_ATTR32, *PALPC_HANDLE_ATTR32;
485
+
486
+ // private
487
+ typedef struct _ALPC_HANDLE_ATTR
488
+ {
489
+ ULONG Flags;
490
+ ULONG Reserved0;
491
+ ULONG SameAccess;
492
+ ULONG SameAttributes;
493
+ ULONG Indirect;
494
+ ULONG Inherit;
495
+ ULONG Reserved1;
496
+ HANDLE Handle;
497
+ PALPC_HANDLE_ATTR32 HandleAttrArray;
498
+ ULONG ObjectType; // ObjectTypeCode, not ObjectTypeIndex
499
+ ULONG HandleCount;
500
+ ACCESS_MASK DesiredAccess;
501
+ ACCESS_MASK GrantedAccess;
502
+ } ALPC_HANDLE_ATTR, *PALPC_HANDLE_ATTR;
503
+
504
+ #define ALPC_SECFLG_CREATE_HANDLE 0x20000 // dbg
505
+ #define ALPC_SECFLG_NOSECTIONHANDLE 0x40000
506
+ // private
507
+ typedef struct _ALPC_SECURITY_ATTR
508
+ {
509
+ ULONG Flags;
510
+ PSECURITY_QUALITY_OF_SERVICE QoS;
511
+ ALPC_HANDLE ContextHandle; // dbg
512
+ } ALPC_SECURITY_ATTR, *PALPC_SECURITY_ATTR;
513
+
514
+ // begin_rev
515
+ #define ALPC_VIEWFLG_NOT_SECURE 0x40000
516
+ // end_rev
517
+
518
+ // private
519
+ typedef struct _ALPC_DATA_VIEW_ATTR
520
+ {
521
+ ULONG Flags;
522
+ ALPC_HANDLE SectionHandle;
523
+ PVOID ViewBase; // must be zero on input
524
+ SIZE_T ViewSize;
525
+ } ALPC_DATA_VIEW_ATTR, *PALPC_DATA_VIEW_ATTR;
526
+
527
+ // private
528
+ typedef enum _ALPC_PORT_INFORMATION_CLASS
529
+ {
530
+ AlpcBasicInformation, // q: out ALPC_BASIC_INFORMATION
531
+ AlpcPortInformation, // s: in ALPC_PORT_ATTRIBUTES
532
+ AlpcAssociateCompletionPortInformation, // s: in ALPC_PORT_ASSOCIATE_COMPLETION_PORT
533
+ AlpcConnectedSIDInformation, // q: in SID
534
+ AlpcServerInformation, // q: inout ALPC_SERVER_INFORMATION
535
+ AlpcMessageZoneInformation, // s: in ALPC_PORT_MESSAGE_ZONE_INFORMATION
536
+ AlpcRegisterCompletionListInformation, // s: in ALPC_PORT_COMPLETION_LIST_INFORMATION
537
+ AlpcUnregisterCompletionListInformation, // s: VOID
538
+ AlpcAdjustCompletionListConcurrencyCountInformation, // s: in ULONG
539
+ AlpcRegisterCallbackInformation, // kernel-mode only
540
+ AlpcCompletionListRundownInformation, // s: VOID
541
+ AlpcWaitForPortReferences
542
+ } ALPC_PORT_INFORMATION_CLASS;
543
+
544
+ // private
545
+ typedef struct _ALPC_BASIC_INFORMATION
546
+ {
547
+ ULONG Flags;
548
+ ULONG SequenceNo;
549
+ PVOID PortContext;
550
+ } ALPC_BASIC_INFORMATION, *PALPC_BASIC_INFORMATION;
551
+
552
+ // private
553
+ typedef struct _ALPC_PORT_ASSOCIATE_COMPLETION_PORT
554
+ {
555
+ PVOID CompletionKey;
556
+ HANDLE CompletionPort;
557
+ } ALPC_PORT_ASSOCIATE_COMPLETION_PORT, *PALPC_PORT_ASSOCIATE_COMPLETION_PORT;
558
+
559
+ // private
560
+ typedef struct _ALPC_SERVER_INFORMATION
561
+ {
562
+ union
563
+ {
564
+ struct
565
+ {
566
+ HANDLE ThreadHandle;
567
+ } In;
568
+ struct
569
+ {
570
+ BOOLEAN ThreadBlocked;
571
+ HANDLE ConnectedProcessId;
572
+ UNICODE_STRING ConnectionPortName;
573
+ } Out;
574
+ };
575
+ } ALPC_SERVER_INFORMATION, *PALPC_SERVER_INFORMATION;
576
+
577
+ // private
578
+ typedef struct _ALPC_PORT_MESSAGE_ZONE_INFORMATION
579
+ {
580
+ PVOID Buffer;
581
+ ULONG Size;
582
+ } ALPC_PORT_MESSAGE_ZONE_INFORMATION, *PALPC_PORT_MESSAGE_ZONE_INFORMATION;
583
+
584
+ // private
585
+ typedef struct _ALPC_PORT_COMPLETION_LIST_INFORMATION
586
+ {
587
+ PVOID Buffer; // PALPC_COMPLETION_LIST_HEADER
588
+ ULONG Size;
589
+ ULONG ConcurrencyCount;
590
+ ULONG AttributeFlags;
591
+ } ALPC_PORT_COMPLETION_LIST_INFORMATION, *PALPC_PORT_COMPLETION_LIST_INFORMATION;
592
+
593
+ // private
594
+ typedef enum _ALPC_MESSAGE_INFORMATION_CLASS
595
+ {
596
+ AlpcMessageSidInformation, // q: out SID
597
+ AlpcMessageTokenModifiedIdInformation, // q: out LUID
598
+ AlpcMessageDirectStatusInformation,
599
+ AlpcMessageHandleInformation, // ALPC_MESSAGE_HANDLE_INFORMATION
600
+ MaxAlpcMessageInfoClass
601
+ } ALPC_MESSAGE_INFORMATION_CLASS, *PALPC_MESSAGE_INFORMATION_CLASS;
602
+
603
+ typedef struct _ALPC_MESSAGE_HANDLE_INFORMATION
604
+ {
605
+ ULONG Index;
606
+ ULONG Flags;
607
+ ULONG Handle;
608
+ ULONG ObjectType;
609
+ ACCESS_MASK GrantedAccess;
610
+ } ALPC_MESSAGE_HANDLE_INFORMATION, *PALPC_MESSAGE_HANDLE_INFORMATION;
611
+
612
+ // begin_private
613
+
614
+ #if (NT_VERSION >= NT_VISTA)
615
+
616
+ // System calls
617
+
618
+ NTSYSCALLAPI
619
+ NTSTATUS
620
+ NTAPI
621
+ NtAlpcCreatePort(
622
+ _Out_ PHANDLE PortHandle,
623
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
624
+ _In_opt_ PALPC_PORT_ATTRIBUTES PortAttributes
625
+ );
626
+
627
+ NTSYSCALLAPI
628
+ NTSTATUS
629
+ NTAPI
630
+ NtAlpcDisconnectPort(
631
+ _In_ HANDLE PortHandle,
632
+ _In_ ULONG Flags
633
+ );
634
+
635
+ NTSYSCALLAPI
636
+ NTSTATUS
637
+ NTAPI
638
+ NtAlpcQueryInformation(
639
+ _In_opt_ HANDLE PortHandle,
640
+ _In_ ALPC_PORT_INFORMATION_CLASS PortInformationClass,
641
+ PVOID PortInformation,
642
+ _In_ ULONG Length,
643
+ _Out_opt_ PULONG ReturnLength
644
+ );
645
+
646
+ NTSYSCALLAPI
647
+ NTSTATUS
648
+ NTAPI
649
+ NtAlpcSetInformation(
650
+ _In_ HANDLE PortHandle,
651
+ _In_ ALPC_PORT_INFORMATION_CLASS PortInformationClass,
652
+ PVOID PortInformation,
653
+ _In_ ULONG Length
654
+ );
655
+
656
+ NTSYSCALLAPI
657
+ NTSTATUS
658
+ NTAPI
659
+ NtAlpcCreatePortSection(
660
+ _In_ HANDLE PortHandle,
661
+ _In_ ULONG Flags,
662
+ _In_opt_ HANDLE SectionHandle,
663
+ _In_ SIZE_T SectionSize,
664
+ _Out_ PALPC_HANDLE AlpcSectionHandle,
665
+ _Out_ PSIZE_T ActualSectionSize
666
+ );
667
+
668
+ NTSYSCALLAPI
669
+ NTSTATUS
670
+ NTAPI
671
+ NtAlpcDeletePortSection(
672
+ _In_ HANDLE PortHandle,
673
+ _Reserved_ ULONG Flags,
674
+ _In_ ALPC_HANDLE SectionHandle
675
+ );
676
+
677
+ NTSYSCALLAPI
678
+ NTSTATUS
679
+ NTAPI
680
+ NtAlpcCreateResourceReserve(
681
+ _In_ HANDLE PortHandle,
682
+ _Reserved_ ULONG Flags,
683
+ _In_ SIZE_T MessageSize,
684
+ _Out_ PALPC_HANDLE ResourceId
685
+ );
686
+
687
+ NTSYSCALLAPI
688
+ NTSTATUS
689
+ NTAPI
690
+ NtAlpcDeleteResourceReserve(
691
+ _In_ HANDLE PortHandle,
692
+ _Reserved_ ULONG Flags,
693
+ _In_ ALPC_HANDLE ResourceId
694
+ );
695
+
696
+ NTSYSCALLAPI
697
+ NTSTATUS
698
+ NTAPI
699
+ NtAlpcCreateSectionView(
700
+ _In_ HANDLE PortHandle,
701
+ _Reserved_ ULONG Flags,
702
+ _Inout_ PALPC_DATA_VIEW_ATTR ViewAttributes
703
+ );
704
+
705
+ NTSYSCALLAPI
706
+ NTSTATUS
707
+ NTAPI
708
+ NtAlpcDeleteSectionView(
709
+ _In_ HANDLE PortHandle,
710
+ _Reserved_ ULONG Flags,
711
+ _In_ PVOID ViewBase
712
+ );
713
+
714
+ NTSYSCALLAPI
715
+ NTSTATUS
716
+ NTAPI
717
+ NtAlpcCreateSecurityContext(
718
+ _In_ HANDLE PortHandle,
719
+ _Reserved_ ULONG Flags,
720
+ _Inout_ PALPC_SECURITY_ATTR SecurityAttribute
721
+ );
722
+
723
+ NTSYSCALLAPI
724
+ NTSTATUS
725
+ NTAPI
726
+ NtAlpcDeleteSecurityContext(
727
+ _In_ HANDLE PortHandle,
728
+ _Reserved_ ULONG Flags,
729
+ _In_ ALPC_HANDLE ContextHandle
730
+ );
731
+
732
+ NTSYSCALLAPI
733
+ NTSTATUS
734
+ NTAPI
735
+ NtAlpcRevokeSecurityContext(
736
+ _In_ HANDLE PortHandle,
737
+ _Reserved_ ULONG Flags,
738
+ _In_ ALPC_HANDLE ContextHandle
739
+ );
740
+
741
+ NTSYSCALLAPI
742
+ NTSTATUS
743
+ NTAPI
744
+ NtAlpcQueryInformationMessage(
745
+ _In_ HANDLE PortHandle,
746
+ _In_ PPORT_MESSAGE PortMessage,
747
+ _In_ ALPC_MESSAGE_INFORMATION_CLASS MessageInformationClass,
748
+ _Inout_ PVOID MessageInformation,
749
+ _In_ ULONG Length,
750
+ _Out_opt_ PULONG ReturnLength
751
+ );
752
+
753
+ #define ALPC_MSGFLG_REPLY_MESSAGE 0x1
754
+ #define ALPC_MSGFLG_LPC_MODE 0x2 // ?
755
+ #define ALPC_MSGFLG_RELEASE_MESSAGE 0x10000 // dbg
756
+ #define ALPC_MSGFLG_SYNC_REQUEST 0x20000 // dbg
757
+ #define ALPC_MSGFLG_WAIT_USER_MODE 0x100000
758
+ #define ALPC_MSGFLG_WAIT_ALERTABLE 0x200000
759
+ #define ALPC_MSGFLG_WOW64_CALL 0x80000000 // dbg
760
+
761
+ NTSYSCALLAPI
762
+ NTSTATUS
763
+ NTAPI
764
+ NtAlpcConnectPort(
765
+ _Out_ PHANDLE PortHandle,
766
+ _In_ PUNICODE_STRING PortName,
767
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
768
+ _In_opt_ PALPC_PORT_ATTRIBUTES PortAttributes,
769
+ _In_ ULONG Flags,
770
+ _In_opt_ PSID RequiredServerSid,
771
+ PPORT_MESSAGE ConnectionMessage,
772
+ _Inout_opt_ PULONG BufferLength,
773
+ _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes,
774
+ _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES InMessageAttributes,
775
+ _In_opt_ PLARGE_INTEGER Timeout
776
+ );
777
+
778
+ #if (NT_VERSION >= NT_WIN8)
779
+ NTSYSCALLAPI
780
+ NTSTATUS
781
+ NTAPI
782
+ NtAlpcConnectPortEx(
783
+ _Out_ PHANDLE PortHandle,
784
+ _In_ POBJECT_ATTRIBUTES ConnectionPortObjectAttributes,
785
+ _In_opt_ POBJECT_ATTRIBUTES ClientPortObjectAttributes,
786
+ _In_opt_ PALPC_PORT_ATTRIBUTES PortAttributes,
787
+ _In_ ULONG Flags,
788
+ _In_opt_ PSECURITY_DESCRIPTOR ServerSecurityRequirements,
789
+ PPORT_MESSAGE ConnectionMessage,
790
+ _Inout_opt_ PSIZE_T BufferLength,
791
+ _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes,
792
+ _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES InMessageAttributes,
793
+ _In_opt_ PLARGE_INTEGER Timeout
794
+ );
795
+ #endif
796
+
797
+ NTSYSCALLAPI
798
+ NTSTATUS
799
+ NTAPI
800
+ NtAlpcAcceptConnectPort(
801
+ _Out_ PHANDLE PortHandle,
802
+ _In_ HANDLE ConnectionPortHandle,
803
+ _In_ ULONG Flags,
804
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
805
+ _In_opt_ PALPC_PORT_ATTRIBUTES PortAttributes,
806
+ _In_opt_ PVOID PortContext,
807
+ PPORT_MESSAGE ConnectionRequest,
808
+ _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES ConnectionMessageAttributes,
809
+ _In_ BOOLEAN AcceptConnection
810
+ );
811
+
812
+ NTSYSCALLAPI
813
+ NTSTATUS
814
+ NTAPI
815
+ NtAlpcSendWaitReceivePort(
816
+ _In_ HANDLE PortHandle,
817
+ _In_ ULONG Flags,
818
+ PPORT_MESSAGE SendMessage,
819
+ _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES SendMessageAttributes,
820
+ PPORT_MESSAGE ReceiveMessage,
821
+ _Inout_opt_ PSIZE_T BufferLength,
822
+ _Inout_opt_ PALPC_MESSAGE_ATTRIBUTES ReceiveMessageAttributes,
823
+ _In_opt_ PLARGE_INTEGER Timeout
824
+ );
825
+
826
+ #define ALPC_CANCELFLG_TRY_CANCEL 0x1 // dbg
827
+ #define ALPC_CANCELFLG_NO_CONTEXT_CHECK 0x8
828
+ #define ALPC_CANCELFLGP_FLUSH 0x10000 // dbg
829
+
830
+ NTSYSCALLAPI
831
+ NTSTATUS
832
+ NTAPI
833
+ NtAlpcCancelMessage(
834
+ _In_ HANDLE PortHandle,
835
+ _In_ ULONG Flags,
836
+ _In_ PALPC_CONTEXT_ATTR MessageContext
837
+ );
838
+
839
+ NTSYSCALLAPI
840
+ NTSTATUS
841
+ NTAPI
842
+ NtAlpcImpersonateClientOfPort(
843
+ _In_ HANDLE PortHandle,
844
+ _In_ PPORT_MESSAGE Message,
845
+ _In_ PVOID Flags
846
+ );
847
+
848
+ #if (NT_VERSION >= NT_THRESHOLD)
849
+ NTSYSCALLAPI
850
+ NTSTATUS
851
+ NTAPI
852
+ NtAlpcImpersonateClientContainerOfPort(
853
+ _In_ HANDLE PortHandle,
854
+ _In_ PPORT_MESSAGE Message,
855
+ _In_ ULONG Flags
856
+ );
857
+ #endif
858
+
859
+ NTSYSCALLAPI
860
+ NTSTATUS
861
+ NTAPI
862
+ NtAlpcOpenSenderProcess(
863
+ _Out_ PHANDLE ProcessHandle,
864
+ _In_ HANDLE PortHandle,
865
+ _In_ PPORT_MESSAGE PortMessage,
866
+ _In_ ULONG Flags,
867
+ _In_ ACCESS_MASK DesiredAccess,
868
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
869
+ );
870
+
871
+ NTSYSCALLAPI
872
+ NTSTATUS
873
+ NTAPI
874
+ NtAlpcOpenSenderThread(
875
+ _Out_ PHANDLE ThreadHandle,
876
+ _In_ HANDLE PortHandle,
877
+ _In_ PPORT_MESSAGE PortMessage,
878
+ _In_ ULONG Flags,
879
+ _In_ ACCESS_MASK DesiredAccess,
880
+ _In_ POBJECT_ATTRIBUTES ObjectAttributes
881
+ );
882
+
883
+ // Support functions
884
+
885
+ NTSYSAPI
886
+ ULONG
887
+ NTAPI
888
+ AlpcMaxAllowedMessageLength(
889
+ VOID
890
+ );
891
+
892
+ NTSYSAPI
893
+ ULONG
894
+ NTAPI
895
+ AlpcGetHeaderSize(
896
+ _In_ ULONG Flags
897
+ );
898
+
899
+ #define ALPC_ATTRFLG_ALLOCATEDATTR 0x20000000
900
+ #define ALPC_ATTRFLG_VALIDATTR 0x40000000
901
+ #define ALPC_ATTRFLG_KEEPRUNNINGATTR 0x60000000
902
+
903
+ NTSYSAPI
904
+ NTSTATUS
905
+ NTAPI
906
+ AlpcInitializeMessageAttribute(
907
+ _In_ ULONG AttributeFlags,
908
+ _Out_opt_ PALPC_MESSAGE_ATTRIBUTES Buffer,
909
+ _In_ ULONG BufferSize,
910
+ _Out_ PULONG RequiredBufferSize
911
+ );
912
+
913
+ NTSYSAPI
914
+ PVOID
915
+ NTAPI
916
+ AlpcGetMessageAttribute(
917
+ _In_ PALPC_MESSAGE_ATTRIBUTES Buffer,
918
+ _In_ ULONG AttributeFlag
919
+ );
920
+
921
+ NTSYSAPI
922
+ NTSTATUS
923
+ NTAPI
924
+ AlpcRegisterCompletionList(
925
+ _In_ HANDLE PortHandle,
926
+ _Out_ PALPC_COMPLETION_LIST_HEADER Buffer,
927
+ _In_ ULONG Size,
928
+ _In_ ULONG ConcurrencyCount,
929
+ _In_ ULONG AttributeFlags
930
+ );
931
+
932
+ NTSYSAPI
933
+ NTSTATUS
934
+ NTAPI
935
+ AlpcUnregisterCompletionList(
936
+ _In_ HANDLE PortHandle
937
+ );
938
+
939
+ #if (NT_VERSION >= NT_WIN7)
940
+ // rev
941
+ NTSYSAPI
942
+ NTSTATUS
943
+ NTAPI
944
+ AlpcRundownCompletionList(
945
+ _In_ HANDLE PortHandle
946
+ );
947
+ #endif
948
+
949
+ NTSYSAPI
950
+ NTSTATUS
951
+ NTAPI
952
+ AlpcAdjustCompletionListConcurrencyCount(
953
+ _In_ HANDLE PortHandle,
954
+ _In_ ULONG ConcurrencyCount
955
+ );
956
+
957
+ NTSYSAPI
958
+ BOOLEAN
959
+ NTAPI
960
+ AlpcRegisterCompletionListWorkerThread(
961
+ _Inout_ PVOID CompletionList
962
+ );
963
+
964
+ NTSYSAPI
965
+ BOOLEAN
966
+ NTAPI
967
+ AlpcUnregisterCompletionListWorkerThread(
968
+ _Inout_ PVOID CompletionList
969
+ );
970
+
971
+ NTSYSAPI
972
+ VOID
973
+ NTAPI
974
+ AlpcGetCompletionListLastMessageInformation(
975
+ _In_ PVOID CompletionList,
976
+ _Out_ PULONG LastMessageId,
977
+ _Out_ PULONG LastCallbackId
978
+ );
979
+
980
+ NTSYSAPI
981
+ ULONG
982
+ NTAPI
983
+ AlpcGetOutstandingCompletionListMessageCount(
984
+ _In_ PVOID CompletionList
985
+ );
986
+
987
+ NTSYSAPI
988
+ PPORT_MESSAGE
989
+ NTAPI
990
+ AlpcGetMessageFromCompletionList(
991
+ _In_ PVOID CompletionList,
992
+ _Out_opt_ PALPC_MESSAGE_ATTRIBUTES *MessageAttributes
993
+ );
994
+
995
+ NTSYSAPI
996
+ VOID
997
+ NTAPI
998
+ AlpcFreeCompletionListMessage(
999
+ _Inout_ PVOID CompletionList,
1000
+ _In_ PPORT_MESSAGE Message
1001
+ );
1002
+
1003
+ NTSYSAPI
1004
+ PALPC_MESSAGE_ATTRIBUTES
1005
+ NTAPI
1006
+ AlpcGetCompletionListMessageAttributes(
1007
+ _In_ PVOID CompletionList,
1008
+ _In_ PPORT_MESSAGE Message
1009
+ );
1010
+ #endif
1011
+
1012
+ // end_private
1013
+
1014
+ #endif