Process Hacker Discussion Forum

Search found 66 matches

by 440bx
25 Aug 2021 19:14
Forum: General Discussion
Topic: _LDR_ENUM_RESOURCE_ENTRY definition
Replies: 4
Views: 3465

Re: _LDR_ENUM_RESOURCE_ENTRY definition

The symbols don't have any type field? This is how it's defined in ntldr.h // private typedef struct _LDR_ENUM_RESOURCE_ENTRY { union { ULONG_PTR NameOrId; PIMAGE_RESOURCE_DIRECTORY_STRING Name; struct { USHORT Id; USHORT NameIsPresent; }; } Path[3]; PVOID Data; ULONG Size; ULONG Reserved; } LDR_EN...
by 440bx
25 Aug 2021 06:31
Forum: General Discussion
Topic: LdrResolveDelayLoadedAPI
Replies: 1
Views: 2736

LdrResolveDelayLoadedAPI

Just FYI,

LdrResolveDelayLoadedAPI became available in Win8 (it does not exist in Win7.)

Usually, the PH headers indicate with a conditional those APIs that require Win8 or above.
by 440bx
25 Aug 2021 06:08
Forum: General Discussion
Topic: _LDR_ENUM_RESOURCE_ENTRY definition
Replies: 4
Views: 3465

_LDR_ENUM_RESOURCE_ENTRY definition

The definition of _LDR_ENUM_RESOURCE_ENTRY in ntldr.h seems to be missing the first field which is the resource Type (a ULONG_PTR that identifies an RT_ICON, RT_MENU, etc). The resource Type is then followed by the union which does appear in the definition.
by 440bx
25 Aug 2021 04:03
Forum: General Discussion
Topic: LdrSystemDllInitBlock definition
Replies: 2
Views: 3174

LdrSystemDllInitBlock definition

LdrSystemDllInitBlock is defined in ntldr.h as a function that returns a PPS_SYSTEM_DLL_INIT_BLOCK but, LdrSystemDllInitBlock is not a function, it's just an exported ntdll variable and its value does not seem to point to a PS_SYSTEM_DLL_INIT_BLOCK. Any comments are welcome. PS: the variable exists ...
by 440bx
24 Aug 2021 22:48
Forum: General Discussion
Topic: RtlCopyUnicodeString definition
Replies: 12
Views: 4561

LdrGetDllHandleEx DllHandle parameter disposition

The definition in PH shows LdrGetDllHandleEx's last parameter (DllHandle) to be optional "_Out_opt_". ReactOS shows it as required. Testing shows that passing nil as DllHandle (with all other parameters being equal to a previous successful call) causes an NTSTATUS "STATUS_INVALID_PARAM...
by 440bx
24 Aug 2021 19:00
Forum: General Discussion
Topic: _DIRECTORY_NOTIFY_INFORMATION_CLASS definition
Replies: 1
Views: 2782

_DIRECTORY_NOTIFY_INFORMATION_CLASS definition

The definition of _DIRECTORY_NOTIFY_INFORMATION_CLASS in ntioapi.h differs from the definition found in wdm.h. In PH's definition the first element of the enumeration starts at zero (no starting value is specified) whereas in the wdm.h definition, the first element is specified as having the value 1....
by 440bx
24 Aug 2021 17:27
Forum: General Discussion
Topic: PROFILE_SOURCE_INFO in ntexapi.h commented out
Replies: 2
Views: 3112

Re: PROFILE_SOURCE_INFO in ntexapi.h commented out

The type can be found in evntrace.h from the Windows SDK. It's commented out in PH because we use that header and it generates build errors but other people/projects using the PHNT headers might require that type. Thank you dmex. I can't believe I missed its definition in evntrace.h. I probably ne...
by 440bx
23 Aug 2021 23:37
Forum: General Discussion
Topic: PROFILE_SOURCE_INFO in ntexapi.h commented out
Replies: 2
Views: 3112

PROFILE_SOURCE_INFO in ntexapi.h commented out

The definition of PROFILE_SOURCE_INFO appears in ntexapi.h but it is commented out. I'm wondering the reason why it is commented out. Is it because it's incorrect or some other reason? Is there a definition of that structure available somewhere? I've seen a number of definitions of it for C# but, ...
by 440bx
23 Aug 2021 23:22
Forum: General Discussion
Topic: DbgUiRemoteBreakin prototype
Replies: 2
Views: 3120

Re: DbgUiRemoteBreakin prototype

The symbols are correct. If you're using IDA to disassemble these functions then beware that they're using the NDK sdk which is also used by ReactOS and that SDK has the wrong types for a lot of internal functions on Windows 10, so IDA ends up showing the wrong disassembly for this function. When y...
by 440bx
22 Aug 2021 23:58
Forum: General Discussion
Topic: DbgUiRemoteBreakin prototype
Replies: 2
Views: 3120

DbgUiRemoteBreakin prototype

The process hacker prototype for this function shows it takes one parameter (a pointer) however, the definition in ReactOS shows it as taking no parameters. A disassembly of the function shows it takes no parameters even though the PDB symbols say it takes one. I am inclined to believe that ReactOS'...
by 440bx
19 Aug 2021 18:20
Forum: General Discussion
Topic: PF_PRIVSOURCE_QUERY_STORE_INFO definition
Replies: 2
Views: 2880

Re: PF_PRIVSOURCE_QUERY_STORE_INFO definition

dmex wrote: 19 Aug 2021 06:57
440bx wrote: 18 Aug 2021 21:36
Are those two structures (I presume) defined somewhere I missed?
Those types are from pdb leaks that haven't been included.
Thank you. That settles that. :)
by 440bx
18 Aug 2021 21:36
Forum: General Discussion
Topic: PF_PRIVSOURCE_QUERY_STORE_INFO definition
Replies: 2
Views: 2880

PF_PRIVSOURCE_QUERY_STORE_INFO definition

In ntpfapi.h PF_PRIVSOURCE_QUERY_STORE_INFO and PF_PRIVSOURCE_QUERY_WS_SWAP_PAGES appear in a comment but they are not defined in that .h file. I searched the net, the process hacker source code and the Windows .h files in search of their definition but was unsuccessful. Are those two structures (I ...
by 440bx
17 Aug 2021 11:34
Forum: General Discussion
Topic: LdrRegisterDllNotification prototype
Replies: 4
Views: 2897

Re: LdrRegisterDllNotification prototype

Honestly, I'm not sure the last time I downloaded PH's source but, 3 months sounds about right.
by 440bx
17 Aug 2021 01:34
Forum: General Discussion
Topic: LdrQueryProcessModuleInformation prototype
Replies: 2
Views: 2515

Re: LdrQueryProcessModuleInformation prototype

After your reply, I did a little bit of testing to see how that API behaves. Whenever the specified buffer size is zero then the remaining parameters are optional, IOW, you can pass (NULL, 0, NULL) and it will be happy with that. However, if the size is not zero then the buffer is required and, if i...
by 440bx
17 Aug 2021 01:13
Forum: General Discussion
Topic: LdrShutdownProcess prototype
Replies: 2
Views: 2398

Re: LdrShutdownProcess prototype

Good to hear that. I'm probably not using the latest .h files.
by 440bx
17 Aug 2021 01:11
Forum: General Discussion
Topic: LdrRegisterDllNotification prototype
Replies: 4
Views: 2897

Re: LdrRegisterDllNotification prototype

The definition in ntldr.h shows it as required. It shows _In_opt_ for me which means optional? Maybe I am looking at an older version of the .h file. The version I have shows: NTSYSAPI NTSTATUS NTAPI LdrRegisterDllNotification( _In_ ULONG Flags, _In_ PLDR_DLL_NOTIFICATION_FUNCTION NotificationFunct...
by 440bx
14 Aug 2021 16:27
Forum: General Discussion
Topic: LdrShutdownProcess prototype
Replies: 2
Views: 2398

LdrShutdownProcess prototype

The prototype of LdrShutdownProcess in ntldr.h and in ReactOS shows this API as returning an NTSTATUS. Inspection of the assembly code (disassembly of ntdll) shows that LdrShutdownProcess returns nothing (void). The prototype found at ntinternals http://undocumented.ntinternals.net/index.html?page=U...
by 440bx
14 Aug 2021 12:16
Forum: General Discussion
Topic: LdrRegisterDllNotification prototype
Replies: 4
Views: 2897

LdrRegisterDllNotification prototype

In LdrRegisterDllNotification, the third parameter is optional. The definition in ntldr.h shows it as required.

That function is now documented at: https://docs.microsoft.com/en-us/window ... tification
by 440bx
14 Aug 2021 12:04
Forum: General Discussion
Topic: LdrQueryProcessModuleInformation prototype
Replies: 2
Views: 2515

LdrQueryProcessModuleInformation prototype

The prototype for LdrQueryProcessModuleInformation (in ntldr.h) shows the first and second parameter to be optional, they are not. Also, the third parameter is shown as not being optional but, that one, is optional. The definition found in ReactOS https://doxygen.reactos.org/d7/d55/ldrapi_8c_source....
by 440bx
12 Aug 2021 18:13
Forum: General Discussion
Topic: RtlSetDaclSecurityDescriptor prototype
Replies: 2
Views: 2543

Re: RtlSetDaclSecurityDescriptor prototype

dmex wrote: 11 Aug 2021 15:42
Thanks, fixed :thumbup:
My pleasure :)