Process Hacker Discussion Forum

 
440bx
Member
Posts: 65
Joined: 02 Jul 2021 23:33

LdrGetDllHandleEx DllHandle parameter disposition

24 Aug 2021 22:48

The definition in PH shows LdrGetDllHandleEx's last parameter (DllHandle) to be optional "_Out_opt_". ReactOS shows it as required. Testing shows that passing nil as DllHandle (with all other parameters being equal to a previous successful call) causes an NTSTATUS "STATUS_INVALID_PARAMETER", thus indicating the parameter is not optional.

The ReactOS definition seems correct.

Comments welcome.
 
440bx
Member
Posts: 65
Joined: 02 Jul 2021 23:33

NtCreatePartition definition

26 Aug 2021 09:41

The definition of NtCreatePartition in ntmmapi.h is :
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreatePartition(
    _Out_ PHANDLE PartitionHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ ULONG PreferredNode
    );


but Geoff Chappell shows the definition of that function, in 1511 or higher, to be :


NTSTATUS 
NtCreatePartition (
    HANDLE ParentPartitionHandle, 
    HANDLE *PartitionHandle, 
    ULONG DesiredAccess, 
    POBJECT_ATTRIBUTES ObjectAttributes);

and
NTSTATUS 
NtCreatePartition (
    HANDLE ParentPartitionHandle, 
    HANDLE *PartitionHandle, 
    ULONG DesiredAccess, 
    POBJECT_ATTRIBUTES ObjectAttributes, 
    ULONG Node);
for the initial release.



Both of the definitions he gives are different than the one in ntmmapi.h. In both, the first parameter is a ParentPartitionHandle, and there is reason to believe his definitions are correct because he states
"it is declared in the ZWAPI.H file from an Enterprise edition of the Windows Driver Kit (WDK) for the 1511 release of Windows 10."
which leads one to believe he's seen the MS definitions.

The link to Geoff Chappell's page is : https://www.geoffchappell.com/studies/w ... create.htm

Also, there is a similar situation with the NtManagePartition. His definition doesn't match PH's and there is reason to believe his is correct.

The link to that page is : https://www.geoffchappell.com/studies/w ... manage.htm

Comments welcome.
 
440bx
Member
Posts: 65
Joined: 02 Jul 2021 23:33

Enclave support functions in ntmmapi.h

26 Aug 2021 21:45

The Enclave support functions in ntmmapi.h are not "marked" as requiring THRESHOLD or above.
 
440bx
Member
Posts: 65
Joined: 02 Jul 2021 23:33

NtRequestWakeupLatency definition

27 Aug 2021 03:34

Just FYI,
NtRequestWakeupLatency is only available prior to Win 7. There is no indication of this fact in ntpoapi.h
 
440bx
Member
Posts: 65
Joined: 02 Jul 2021 23:33

JOB OBJECT access rights

27 Aug 2021 04:47

In ntpsapi.h, JOB_OBJECT_ALL_ACCESS is defined as
#define JOB_OBJECT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1f)
but, in winnt.h it is defined as :
#define JOB_OBJECT_ALL_ACCESS       (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \
                                        0x3F )
The winnt.h definition makes more sense because 0x1f leaves some access rights out, which means it cannot be "all access".

Comments welcome.
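
Added example, not part of the original post or of the Process Hacker headers: it compares the two JOB_OBJECT_ALL_ACCESS values quoted above and names the job-specific right that the 0x1f variant leaves out. The bit values are those of winnt.h; the EX_ names and both helper functions are hypothetical, defined locally so the code builds without the Windows SDK.

```c
#include <stdint.h>
#include <stdio.h>

/* Values as in winnt.h, renamed with an EX_ prefix (assumption of this
   example) so it builds without the Windows SDK. */
#define EX_STANDARD_RIGHTS_REQUIRED 0x000F0000u
#define EX_SYNCHRONIZE              0x00100000u
#define EX_JOB_ALL_ACCESS_1F (EX_STANDARD_RIGHTS_REQUIRED | EX_SYNCHRONIZE | 0x1Fu)
#define EX_JOB_ALL_ACCESS_3F (EX_STANDARD_RIGHTS_REQUIRED | EX_SYNCHRONIZE | 0x3Fu)

/* Job-object specific rights from winnt.h (low 16 bits of the mask). */
static const struct { uint32_t bit; const char *name; } job_rights[] = {
    { 0x0001u, "JOB_OBJECT_ASSIGN_PROCESS" },
    { 0x0002u, "JOB_OBJECT_SET_ATTRIBUTES" },
    { 0x0004u, "JOB_OBJECT_QUERY" },
    { 0x0008u, "JOB_OBJECT_TERMINATE" },
    { 0x0010u, "JOB_OBJECT_SET_SECURITY_ATTRIBUTES" },
    { 0x0020u, "JOB_OBJECT_IMPERSONATE" },
};

/* Bits requested in 'wanted' that 'granted' does not contain. */
uint32_t missing_rights(uint32_t granted, uint32_t wanted)
{
    return wanted & ~granted;
}

/* Writes the names of the job-specific rights set in 'mask' to 'out',
   joined by '|'. Returns the specific bits that have no name above. */
uint32_t describe_job_rights(uint32_t mask, char *out, size_t cap)
{
    uint32_t unknown = mask & 0xFFFFu;
    size_t used = 0;
    if (cap > 0) out[0] = '\0';
    for (size_t i = 0; i < sizeof job_rights / sizeof job_rights[0]; i++) {
        if (!(mask & job_rights[i].bit)) continue;
        unknown &= ~job_rights[i].bit;
        if (used >= cap) continue;              /* output already full */
        int n = snprintf(out + used, cap - used, "%s%s",
                         used ? "|" : "", job_rights[i].name);
        used = (n < 0 || (size_t)n >= cap - used) ? cap : used + (size_t)n;
    }
    return unknown;
}

int main(void)
{
    char names[128];
    uint32_t gap = missing_rights(EX_JOB_ALL_ACCESS_1F, EX_JOB_ALL_ACCESS_3F);
    describe_job_rights(gap, names, sizeof names);
    printf("0x%06X lacks 0x%02X (%s)\n", (unsigned)EX_JOB_ALL_ACCESS_1F, (unsigned)gap, names);
    return 0;
}
```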
 
440bx
Member
Posts: 65
Joined: 02 Jul 2021 23:33

RtlUpperString definition

28 Aug 2021 03:50

Just FYI,

In ntrtl.h, RtlUpperString is defined as :
NTSYSAPI
VOID
NTAPI
RtlUpperString(
    _In_ PSTRING DestinationString,
    _In_ PSTRING SourceString
    );

in ntddk.h it is defined as :

NTSYSAPI
VOID
NTAPI
RtlUpperString(
    _Inout_ PSTRING DestinationString,
    _In_ const STRING * SourceString
    );
which shows the first parameter is "Inout" not just "in" and the second parameter is "const".
 
440bx
Member
Posts: 65
Joined: 02 Jul 2021 23:33

RtlFreeUnicodeString definition

28 Aug 2021 04:21

Just FYI,

In ntrtl.h the disposition of the parameter is "_In_", it should be "_Inout_" (see wdm.h)
 
440bx
Member
Posts: 65
Joined: 02 Jul 2021 23:33

RtlCopyUnicodeString definition

28 Aug 2021 04:27

Just FYI,

the second parameter of RtlCopyUnicodeString is optional (and const). This is missing in the ntrtl.h definition
 
440bx
Member
Posts: 65
Joined: 02 Jul 2021 23:33

RtlCopyContext prototype

29 Aug 2021 02:11

The definition of RtlCopyContext seems to be missing in ntrtl.h

RtlCopyContext is used by kernel32 to implement the documented CopyContext which is just a thin wrapper around RtlCopyContext that converts the returned NTSTATUS into a BOOL. Therefore, the prototype of RtlCopyContext is:
NTSTATUS RtlCopyContext(
_inout_  PCONTEXT Destination,
_in_  DWORD    ContextFlags,
_out_  PCONTEXT Source
);
 
440bx
Member
Posts: 65
Joined: 02 Jul 2021 23:33

RtlRunDecodeUnicodeString definition

30 Aug 2021 01:29

In RtlRunDecodeUnicodeString, the disposition of the second parameter (the string to be decoded) is "_inout_". The current definition in ntrtl.h shows it as just "_in_"
 
440bx
Member
Posts: 65
Joined: 02 Jul 2021 23:33

RtlGetSuiteMask

30 Aug 2021 02:27

ntrtl.h indicates that RtlGetSuiteMask is available starting with REDSTONE2; ntddk.h indicates it is available since the first REDSTONE.
 
440bx
Member
Posts: 65
Joined: 02 Jul 2021 23:33

TpSetWaitEx availability

31 Aug 2021 05:11

nttp.h indicates that TpSetWaitEx is available in Win 7; TpSetWaitEx is available starting in Win8.
 
dmex
Admin
Posts: 1695
Joined: 17 Jan 2011 05:43

Re: RtlCopyUnicodeString definition

20 Oct 2021 01:00

These were fixed.