Process Hacker Forums

I observed that _some_ (a fairly good percentage) of the symbols shown by Peview don't match the symbol usage in IDA Pro. For instance, for Win10's 64bit version of kernelbase.dll (may not be the most recent version of kernelbase.dll), Peview shows a symbol: 63011, FUNCTION, 0x92470, PlgBlt, Functio...

the definition of _PROCESS_LOGGING_INFORMATION in ntpsapi.h is as follows: typedef struct _PROCESS_LOGGING_INFORMATION { ULONG Flags; struct { ULONG EnableReadVmLogging : 1; ULONG EnableWriteVmLogging : 1; ULONG EnableProcessSuspendResumeLogging : 1; ULONG EnableThreadSuspendResumeLogging : 1; ULONG...

ntregapi.h shows the definition of _KEY_VALUE_LAYER_INFORMATION to be: typedef struct _KEY_VALUE_LAYER_INFORMATION { ULONG IsTombstone; ULONG Reserved; } KEY_VALUE_LAYER_INFORMATION, *PKEY_VALUE_LAYER_INFORMATION; but the definition in wdm.h shows it to be : typedef struct _KEY_VALUE_LAYER_INFORMATI...

Thank you for the information dmex.

the definition of PROCESS_MITIGATION_POLICY_INFORMATION does not include the PROCESS_MITIGATION_DEP_POLICY policy nor the PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY and PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY. Is there some reason for PROCESS_MITIGATION_DEP_POLICY to not be included or was it s...

in ntexapi.h the structures _SYSTEM_QUERY_TIME_ADJUST_INFORMATION_PRECISE and _SYSTEM_SET_TIME_ADJUST_INFORMATION_PRECISE are defined but, it is not clear what API uses them. from a bit of research, I am _guessing_ that they are used by NtQuerySystemInformation and NtSetSystemInformation respectivel...

In wdm.h this enumeration goes by the name _PARTITION_INFORMATION_CLASS and declares two (2) elements not present in ntmmapi.h in wdm.h, the definition is as follows: typedef enum _PARTITION_INFORMATION_CLASS { SystemMemoryPartitionInformation = 0, SystemMemoryPartitionDedicatedMemoryInformation = 9...

NtManagePartition number of parameters declared in ntmmapi.h does not match the number of parameters in the wdm.h defintion. in wdm.h, the prototype is as follows: _Must_inspect_result_ __kernel_entry NTSYSCALLAPI NTSTATUS NTAPI NtManagePartition ( _In_ HANDLE TargetHandle, _In_opt_ HANDLE SourceHan...

dmex wrote: ↑12 Sep 2021 12:31

Yes? That was fixed a few months ago:
https://github.com/processhacker/phnt/p ... a59dbecadd

Sorry. I'm using the source I downloaded sometime in May (I believe)

In ntpebteb.h, the field "BOOLEAN UnalignedLoadStoreExceptions" in the definition of the TEB structure appears as applicable to both, the 32bit and 64bit TEB. I believe that field applies only to the 64bit definition. see Geoff Chappell's definition of the TEB at https://www.geoffchappell....

That makes sense. Thank you dmex.

ntrtl.h declares _RTL_IMAGE_MITIGATION_OPTION_STATE but, I have not been able to find an API that uses that enumeration.

What API, if any, uses it ?

Thank you for your help.

in ntrtl.h, the declaration PRTL_FEATURE_CONFIGURATION_CHANGE_NOTIFICAION is missing the "T" in "NOTIFICATION".

ntrtl.h shows RtlGetSearchPath returns a BOOLEAN.

RtlGetSearchPath returns an NTSTATUS

ntrtl.h shows RtlGetExePath as a function that takes no parameters and returns a pointer to a wide string.

Disassembly (of Win10 21H1) shows RtlGetExePath takes two parameters and returns an NTSTATUS.

Comments welcome.

nttp.h indicates that TpSetWaitEx is available in Win 7, TpSetWaitEx is available starting in Win8

nttp.h indicates that TpSetTimerEx is available in Win 7, that API is available starting in Win 8

ntrtl.h indicates that RtlGetSuiteMask is available starting with REDSTONE2, the ntddk.h indicates it is available since the first REDSTONE.

ntrtl.h shows RtlGetNtProductType as being available starting with REDSTONE.

That function is available in Windows 7 SP1 (I don't know if it is available or not before SP1)

In RtlRunDecodeUnicodeString, the disposition of the second parameter (the string to be decoded) is "_inout_". The current definition in ntrtl.h shows it as just "_in_"