Process Hacker Forums

dmex wrote: ↑29 Aug 2021 15:41

440bx wrote: ↑29 Aug 2021 04:04

Windows 7 SP1

There's no typedef for service packs.

I mentioned SP1 because I don't know if it is or isn't available in the original Win 7. It may or may not be, I don't know at this time, either way, it is available before Win 8.

dmex wrote: ↑29 Aug 2021 15:46

XP

thank you dmex.

dmex wrote: ↑29 Aug 2021 16:07

* You should use a single thread for all these comments. I can't keep track of 30 different thread conversations.

I apologize. I was trying not to create a large number of posts for the same issue for a number of definitions.

I will create separate posts for those from now on.

ntrtl.h indicates that RtlComputePrivatizedDllName_U is available starting with Win8.

RtlComputePrivatizedDllName_U is available in Windows 7 SP1

RtlCopyExtendedContext is defined in ntrtl.h as returning a ULONG. More precisely, it returns an NTSTATUS.

The definition of RtlCopyContext seems to be missing in ntrtl.h RtlCopyContext is used by kernel32 to implement the documented CopyContext which is just a thin wrapper around RtlCopyContext that converts the returned NTSTATUS into a BOOL. Therefore, the prototype of RtlCopyContext is: NTSTATUS RtlCo...

I've checked the ntdll exports of some versions of Windows and cannot find them as being exported by any of them.

What version of Windows has ntdll export these two functions ?

Thank you.

The following functions and their related data structures defined in ntrtl.h are kernel mode only functions RtlInitializeUnicodePrefix RtlInsertUnicodePrefix RtlRemoveUnicodePrefix RtlFindUnicodePrefix RtlNextUnicodePrefix RtlDecompressBufferEx2 RtlDecompressFragmentEx RtlDescribeChunk RtlReserveChu...

Just FYI,

the second parameter of RtlCopyUnicodeString is optional (and const). This is missing in the ntrtl.h definition

Just FYI,

In ntrtl.h the disposition of the parameter is "_In_", it should be "_Inout_" (see wdm.h)

Just FYI, in ntrtl.h RtlUpperString it is defined as : NTSYSAPI VOID NTAPI RtlUpperString( _In_ PSTRING DestinationString, _In_ PSTRING SourceString ); in ntddk.h it is defined as : NTSYSAPI VOID NTAPI RtlUpperString( _Inout_ PSTRING DestinationString, _In_ const STRING * SourceString ); which shows...

in ntpsapi.h JOB_OBJECT_ALL_ACCESS is defined as #define JOB_OBJECT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1f) but, in winnt.h it is defined as : #define JOB_OBJECT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \ 0x3F ) The winnt.h definition makes more sense because 0x1f leav...

Just FYI,
NtRequestWakeupLatency is only available prior to Win 7. There is no indication of this fact in ntpoapi.h

The Enclave support functions in ntmmapi.h are not "marked" as requiring THRESHOLD or above.

The definition of NtCreatePartition in ntmmapi.h is : NTSYSCALLAPI NTSTATUS NTAPI NtCreatePartition( _Out_ PHANDLE PartitionHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ ULONG PreferredNode ); but Geoff Chappell shows the definition of that function, in 1...

Path[0] is the resource type. Path[1] is the resource name. Path[2] is the resource language. This resembles the PE format where any of these 3 can be a directory or a resource. That makes sense. I got my definition of that structure from the ReactOS source where Type, Name and Language are not in ...

dmex wrote: ↑26 Aug 2021 07:29

19H1 and above export the function:

Thank you dmex.

LdrSetImplicitPathOptions was added starting with Win 8.1. The definition in ntldr.h does not show its dependence on that version (or above)

A disassembly of ntdll shows that LdrControlFlowGuardEnforced exists but, it does not show it as exported. Geoff Chappell who is quite good at documenting the differences between the versions of ntdll does not show that function as ever being exported. Is that function really exported by some versio...

We're using this in production. The type is correct and you can assert the addresses; Honestly, I don't know what to say. I've carefully inspected the ntdll disassembly for Win7 and Win10 and, I don't see a function there, just a variable in a writeable data segment (value 50h or 80h depending on b...