LdrGetDllHandleEx DllHandle parameter disposition

Posted: 24 Aug 2021 22:48
by 440bx
The definition in PH shows LdrGetDllHandleEx's last parameter (DllHandle) to be optional ("_Out_opt_"). ReactOS shows it as required. Testing shows that passing nil as DllHandle (with all other parameters equal to those of a previous successful call) causes an NTSTATUS of "STATUS_INVALID_PARAMETER", thus indicating the parameter is not optional.

The ReactOS definition seems correct.

Comments welcome.

NtCreatePartition definition

Posted: 26 Aug 2021 09:41
by 440bx
The definition of NtCreatePartition in ntmmapi.h is :
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreatePartition(
    _Out_ PHANDLE PartitionHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ ULONG PreferredNode
    );

but Geoff Chappell shows the definition of that function, in 1511 or higher, to be:

NTSTATUS
NtCreatePartition (
    HANDLE ParentPartitionHandle,
    HANDLE *PartitionHandle,
    ULONG DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes);

and

NTSTATUS
NtCreatePartition (
    HANDLE ParentPartitionHandle,
    HANDLE *PartitionHandle,
    ULONG DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    ULONG Node);

for the initial release.

Both of the definitions he gives are different from the one in ntmmapi.h. In both, the first parameter is a ParentPartitionHandle, and there is reason to believe his definitions are correct because he states that
"it is declared in the ZWAPI.H file from an Enterprise edition of the Windows Driver Kit (WDK) for the 1511 release of Windows 10."
which leads one to believe he's seen the MS definitions.

The link to Geoff Chappell's page is : https://www.geoffchappell.com/studies/w ... create.htm

Also, there is a similar situation with NtManagePartition. His definition doesn't match PH's, and there is reason to believe his is correct.

The link to that page is : https://www.geoffchappell.com/studies/w ... manage.htm

Comments welcome.

Enclave support functions in ntmmapi.h

Posted: 26 Aug 2021 21:45
by 440bx
The Enclave support functions in ntmmapi.h are not "marked" as requiring THRESHOLD or above.

NtRequestWakeupLatency definition

Posted: 27 Aug 2021 03:34
by 440bx
Just FYI,
NtRequestWakeupLatency is only available prior to Win 7. There is no indication of this fact in ntpoapi.h.

JOB OBJECT access rights

Posted: 27 Aug 2021 04:47
by 440bx
In ntpsapi.h JOB_OBJECT_ALL_ACCESS is defined as
#define JOB_OBJECT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1f)
but, in winnt.h it is defined as :
#define JOB_OBJECT_ALL_ACCESS       (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \
                                        0x3F )
The winnt.h definition makes more sense because 0x1f leaves some access rights out, which means it cannot be "all access".

Comments welcome.
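As an added illustration (not part of the post or of either header), portable C that spells out the job-specific rights from winnt.h, computes which of them 0x1F omits, and shows the consequence on the subset check the kernel applies to a handle's granted mask on every use: a job handle opened with the narrower "all access" mask will fail any operation that needs the missing right. The constant values are those in winnt.h; the helper names missing_rights, handle_grants and name_job_rights are mine.

```c
#include <stdio.h>
#include <stddef.h>

/* Standard and job-specific access bits, values as in winnt.h. */
#define STANDARD_RIGHTS_REQUIRED    0x000F0000u
#define SYNCHRONIZE                 0x00100000u

#define JOB_OBJECT_ASSIGN_PROCESS           0x0001u
#define JOB_OBJECT_SET_ATTRIBUTES           0x0002u
#define JOB_OBJECT_QUERY                    0x0004u
#define JOB_OBJECT_TERMINATE                0x0008u
#define JOB_OBJECT_SET_SECURITY_ATTRIBUTES  0x0010u
#define JOB_OBJECT_IMPERSONATE              0x0020u

/* The two competing definitions quoted in the post. */
#define JOB_OBJECT_ALL_ACCESS_WINNT (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3Fu)
#define JOB_OBJECT_ALL_ACCESS_PHNT  (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1Fu)

static const struct { unsigned bit; const char *name; } job_rights[] = {
    { JOB_OBJECT_ASSIGN_PROCESS,          "JOB_OBJECT_ASSIGN_PROCESS" },
    { JOB_OBJECT_SET_ATTRIBUTES,          "JOB_OBJECT_SET_ATTRIBUTES" },
    { JOB_OBJECT_QUERY,                   "JOB_OBJECT_QUERY" },
    { JOB_OBJECT_TERMINATE,               "JOB_OBJECT_TERMINATE" },
    { JOB_OBJECT_SET_SECURITY_ATTRIBUTES, "JOB_OBJECT_SET_SECURITY_ATTRIBUTES" },
    { JOB_OBJECT_IMPERSONATE,             "JOB_OBJECT_IMPERSONATE" },
};

/* Bits present in `full` that `narrow` does not grant. */
unsigned missing_rights(unsigned narrow, unsigned full)
{
    return full & ~narrow;
}

/* Handle access check: every bit desired now must already be in the mask the
   handle was granted when it was opened; the kernel does not re-run the DACL. */
int handle_grants(unsigned granted, unsigned desired)
{
    return (granted & desired) == desired;
}

/* Write the names of the job-specific bits set in `mask` to `buf`; returns how many. */
int name_job_rights(unsigned mask, char *buf, size_t buflen)
{
    int count = 0;
    size_t used = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof job_rights / sizeof job_rights[0]; i++) {
        if (mask & job_rights[i].bit) {
            int n = snprintf(buf + used, buflen - used, "%s%s",
                             count ? " | " : "", job_rights[i].name);
            if (n < 0 || (size_t)n >= buflen - used)
                break;
            used += (size_t)n;
            count++;
        }
    }
    return count;
}

int main(void)
{
    char names[256];
    unsigned missing = missing_rights(JOB_OBJECT_ALL_ACCESS_PHNT, JOB_OBJECT_ALL_ACCESS_WINNT);

    name_job_rights(missing, names, sizeof names);
    printf("0x1F leaves out 0x%04X: %s\n", missing, names);
    printf("handle opened with the 0x1F mask passes a check for JOB_OBJECT_IMPERSONATE: %s\n",
           handle_grants(JOB_OBJECT_ALL_ACCESS_PHNT, JOB_OBJECT_IMPERSONATE) ? "yes" : "no");
    return 0;
}
```

The point of handle_grants is that access is decided at open time and then enforced as a pure bit-subset test, so a header constant that silently drops a bit produces handles that look fully privileged but are refused the dropped operation.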

RtlUpperString definition

Posted: 28 Aug 2021 03:50
by 440bx
Just FYI,

In ntrtl.h RtlUpperString is defined as:
NTSYSAPI
VOID
NTAPI
RtlUpperString(
    _In_ PSTRING DestinationString,
    _In_ PSTRING SourceString
    );

In ntddk.h it is defined as:

NTSYSAPI
VOID
NTAPI
RtlUpperString(
    _Inout_ PSTRING DestinationString,
    _In_ const STRING * SourceString
    );
which shows that the first parameter is "_Inout_", not just "_In_", and that the second parameter is "const".

RtlFreeUnicodeString definition

Posted: 28 Aug 2021 04:21
by 440bx
Just FYI,

In ntrtl.h the disposition of the parameter is "_In_"; it should be "_Inout_" (see wdm.h).

RtlCopyUnicodeString definition

Posted: 28 Aug 2021 04:27
by 440bx
Just FYI,

The second parameter of RtlCopyUnicodeString is optional (and const). This is missing from the ntrtl.h definition.

RtlCopyContext prototype

Posted: 29 Aug 2021 02:11
by 440bx
The definition of RtlCopyContext seems to be missing in ntrtl.h

RtlCopyContext is used by kernel32 to implement the documented CopyContext, which is just a thin wrapper around RtlCopyContext that converts the returned NTSTATUS into a BOOL. Therefore, the prototype of RtlCopyContext is:
NTSTATUS RtlCopyContext(
    _Inout_ PCONTEXT Destination,
    _In_ DWORD ContextFlags,
    _Out_ PCONTEXT Source
    );

RtlRunDecodeUnicodeString definition

Posted: 30 Aug 2021 01:29
by 440bx
In RtlRunDecodeUnicodeString, the disposition of the second parameter (the string to be decoded) is "_Inout_". The current definition in ntrtl.h shows it as just "_In_".

RtlGetSuiteMask

Posted: 30 Aug 2021 02:27
by 440bx
ntrtl.h indicates that RtlGetSuiteMask is available starting with REDSTONE2; ntddk.h indicates it has been available since the first REDSTONE.

TpSetWaitEx availability

Posted: 31 Aug 2021 05:11
by 440bx
nttp.h indicates that TpSetWaitEx is available in Win 7; TpSetWaitEx is available starting in Win 8.

Re: RtlCopyUnicodeString definition

Posted: 20 Oct 2021 01:00
by dmex
These were fixed.