diff --git a/phlib/mapldr.c b/phlib/mapldr.c index 10a0c19dcc86..55967cb0e9a2 100644 --- a/phlib/mapldr.c +++ b/phlib/mapldr.c @@ -687,13 +687,13 @@ NTSTATUS PhLoadResource( PVOID resourceBuffer = NULL; ULONG resourceLength; - resourceInfo.Type = (ULONG_PTR)Type; - resourceInfo.Name = (ULONG_PTR)Name; + resourceInfo.Type = Type; + resourceInfo.Name = Name; resourceInfo.Language = MAKELANGID(LANG_NEUTRAL, SUBLANG_NEUTRAL); __try { - status = LdrFindResource_U(DllBase, &resourceInfo, RESOURCE_DATA_LEVEL, &resourceData); + status = LdrFindResource_U(DllBase, resourceInfo.ResourceIdPath, LDR_RESOURCE_INFO_LENGTH_THROUGH_LANGUAGE, &resourceData); } __except (EXCEPTION_EXECUTE_HANDLER) { @@ -1188,7 +1188,7 @@ NTSTATUS PhGetLoaderEntryImageNtHeaders( NTSTATUS PhGetLoaderEntryImageEntryPoint( _In_ PVOID BaseAddress, _In_ PIMAGE_NT_HEADERS ImageNtHeader, - _Out_ PLDR_INIT_ROUTINE *ImageEntryPoint + _Out_ PDLL_INIT_ROUTINE *ImageEntryPoint ) { if (ImageNtHeader->OptionalHeader.AddressOfEntryPoint == 0) @@ -2642,7 +2642,7 @@ NTSTATUS PhLoaderEntryUnloadDll( { NTSTATUS status; PIMAGE_NT_HEADERS imageNtHeaders; - PLDR_INIT_ROUTINE imageEntryRoutine; + PDLL_INIT_ROUTINE imageEntryRoutine; status = PhGetLoaderEntryImageNtHeaders( BaseAddress, @@ -2718,7 +2718,7 @@ NTSTATUS PhLoadPluginImage( NTSTATUS status; PVOID imageBaseAddress; PIMAGE_NT_HEADERS imageNtHeaders; - PLDR_INIT_ROUTINE imageEntryRoutine; + PDLL_INIT_ROUTINE imageEntryRoutine; #if defined(PH_NATIVE_PLUGIN_IMAGE_LOAD) UNICODE_STRING imageFileName; diff --git a/phnt/include/ntldr.h b/phnt/include/ntldr.h index ddeab66fe884..9c84e1b8b713 100644 --- a/phnt/include/ntldr.h +++ b/phnt/include/ntldr.h 
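Review bot: The context line `resourceInfo.Language = MAKELANGID(LANG_NEUTRAL, SUBLANG_NEUTRAL);` now assigns an integer to a `PCWSTR`, because the commit redefines `LDR_RESOURCE_INFO` as a union whose `Type`/`Name`/`Language` members are `PCWSTR` (ntldr.h hunk at -852); the line is untouched here but its type changed underneath it. Write the language through the array view, `resourceInfo.ResourceIdPath[LdrResourceIdLanguage] = MAKELANGID(LANG_NEUTRAL, SUBLANG_NEUTRAL);`, or cast via `MAKEINTRESOURCEW`, so the intent (a LANGID, not a string) stays explicit. `resourceInfo.Type = Type;` and `resourceInfo.Name = Name;` are likewise only clean if PhLoadResource's `Type`/`Name` parameters are `PCWSTR`; their declarations are outside the hunk, as is the rest of the function body.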
@@ -8,31 +8,34 @@ #define _NTLDR_H typedef struct _ACTIVATION_CONTEXT *PACTIVATION_CONTEXT; -typedef struct _LDRP_LOAD_CONTEXT *PLDRP_LOAD_CONTEXT; // // DLLs // -typedef _Function_class_(LDR_INIT_ROUTINE) -BOOLEAN NTAPI LDR_INIT_ROUTINE( +// private +typedef _Function_class_(DLL_INIT_ROUTINE) +BOOLEAN NTAPI DLL_INIT_ROUTINE( _In_ PVOID DllHandle, _In_ ULONG Reason, - _In_opt_ PVOID Context + _In_opt_ PVOID Context // PCONTEXT ); -typedef LDR_INIT_ROUTINE* PLDR_INIT_ROUTINE; +typedef DLL_INIT_ROUTINE* PDLL_INIT_ROUTINE; +// private typedef struct _LDR_SERVICE_TAG_RECORD { - struct _LDR_SERVICE_TAG_RECORD *Next; + struct _LDR_SERVICE_TAG_RECORD* Next; ULONG ServiceTag; } LDR_SERVICE_TAG_RECORD, *PLDR_SERVICE_TAG_RECORD; +// private typedef struct _LDRP_CSLIST { PSINGLE_LIST_ENTRY Tail; } LDRP_CSLIST, *PLDRP_CSLIST; +// private typedef enum _LDR_DDAG_STATE { LdrModulesMerged = -5, @@ -52,17 +55,18 @@ typedef enum _LDR_DDAG_STATE LdrModulesReadyToRun = 9 } LDR_DDAG_STATE; +// private typedef struct _LDR_DDAG_NODE { LIST_ENTRY Modules; PLDR_SERVICE_TAG_RECORD ServiceTagList; ULONG LoadCount; - ULONG LoadWhileUnloadingCount; - ULONG LowestLink; + ULONG LoadWhileUnloadingCount; // ReferenceCount before THRESHOLD + ULONG LowestLink; // DependencyCount before THRESHOLD union { LDRP_CSLIST Dependencies; - SINGLE_LIST_ENTRY RemovalLink; + SINGLE_LIST_ENTRY RemovalLink; // before THRESHOLD }; LDRP_CSLIST IncomingDependencies; LDR_DDAG_STATE State; 
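Review bot: `LDR_INIT_ROUTINE`/`PLDR_INIT_ROUTINE` are renamed to `DLL_INIT_ROUTINE`/`PDLL_INIT_ROUTINE` with no compatibility alias, so any consumer of this public header that still spells the old name stops compiling; the in-tree callers in mapldr.c are updated in this commit, but phnt is also consumed outside the tree. A one-line alias after the new typedef, `typedef DLL_INIT_ROUTINE LDR_INIT_ROUTINE; typedef LDR_INIT_ROUTINE* PLDR_INIT_ROUTINE; // legacy name`, keeps old code building. The same applies to the flag macro `LDRP_COR_DEFERRED_VALIDATE`, which the hunk at -115 replaces with `LDRP_SCP_IN_EXCEPTION_TABLE` (an alias `#define LDRP_COR_DEFERRED_VALIDATE LDRP_SCP_IN_EXCEPTION_TABLE` would do), and to the `CorDeferredValidate` bitfield renamed at -164, which cannot be aliased and deserves at least a mention in the commit description.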
@@ -70,38 +74,109 @@ typedef struct _LDR_DDAG_NODE ULONG PreorderNumber; } LDR_DDAG_NODE, *PLDR_DDAG_NODE; -// rev -typedef struct _LDR_DEPENDENCY_RECORD +// private +typedef struct _LDRP_DEPENDENCY { - SINGLE_LIST_ENTRY DependencyLink; - PLDR_DDAG_NODE DependencyNode; - SINGLE_LIST_ENTRY IncomingDependencyLink; - PLDR_DDAG_NODE IncomingDependencyNode; -} LDR_DEPENDENCY_RECORD, *PLDR_DEPENDENCY_RECORD; + SINGLE_LIST_ENTRY Link; + PLDR_DDAG_NODE ChildNode; + SINGLE_LIST_ENTRY BackLink; + union + { + PLDR_DDAG_NODE ParentNode; + struct + { + ULONG ForwarderLink : 1; + ULONG SpareFlags : 2; + }; + }; +} LDRP_DEPENDENCY, *PLDRP_DEPENDENCY; +// private typedef enum _LDR_DLL_LOAD_REASON { - LoadReasonStaticDependency, - LoadReasonStaticForwarderDependency, - LoadReasonDynamicForwarderDependency, - LoadReasonDelayloadDependency, - LoadReasonDynamicLoad, - LoadReasonAsImageLoad, - LoadReasonAsDataLoad, - LoadReasonEnclavePrimary, // since REDSTONE3 - LoadReasonEnclaveDependency, - LoadReasonPatchImage, // since WIN11 - LoadReasonUnknown = -1 + LoadReasonUnknown = -1, + LoadReasonStaticDependency = 0, + LoadReasonStaticForwarderDependency = 1, + LoadReasonDynamicForwarderDependency = 2, + LoadReasonDelayloadDependency = 3, + LoadReasonDynamicLoad = 4, + LoadReasonAsImageLoad = 5, + LoadReasonAsDataLoad = 6, + LoadReasonEnclavePrimary = 7, // since REDSTONE3 + LoadReasonEnclaveDependency = 8, + LoadReasonPatchImage = 9, // since WIN11 } LDR_DLL_LOAD_REASON, *PLDR_DLL_LOAD_REASON; +// private +typedef enum _RTLP_SEARCH_PATH_ELEMENT +{ + RtlpSearchPathDllDir = 0, + RtlpSearchPathAppDir = 1, + RtlpSearchPathSystemDirs = 2, + RtlpSearchPathEnvPath = 3, + RtlpSearchPathCurDir = 4, + RtlpSearchPathDllLoadDir = 5, + RtlpSearchPathUserDirs = 6, + RtlpSearchPathSystem32 = 7, + RtlpSearchPathPackageDirs = 8, + MaxBasepSearchPath = 9, +} RTLP_SEARCH_PATH_ELEMENT; + +// private +typedef struct _LDRP_PATH_ELEMENTS +{ + RTLP_SEARCH_PATH_ELEMENT ElementType[6]; + PWSTR ElementPointers[6]; 
+ USHORT ElementCount; +} LDRP_PATH_ELEMENTS, *PLDRP_PATH_ELEMENTS; + +// private +typedef struct _LDRP_DLL_PATH +{ + PWSTR DllPath; + PWSTR DllPathCurDirCheckSafe; + PWSTR PackageDirectories; + ULONG DllPathOptions; + PWSTR RootDllName; + LDRP_PATH_ELEMENTS PathElements; + ULONG DllPathSize; + BOOLEAN NeedsToBeReleased; +} LDRP_DLL_PATH, *PLDRP_DLL_PATH; + +// private +typedef struct _LDRP_LOAD_CONTEXT +{ + UNICODE_STRING ModuleName; + PLDRP_DLL_PATH DllPath; + ULONG LoadFlags; + LDR_DLL_LOAD_REASON LoadReason; + PNTSTATUS LoadStatus; + struct _LDR_DATA_TABLE_ENTRY* ParentModule; + struct _LDR_DATA_TABLE_ENTRY* Module; + LIST_ENTRY WorkLink; + struct _LDR_DATA_TABLE_ENTRY* PendingModule; + struct _LDR_DATA_TABLE_ENTRY** ImportArray; + ULONG ImportCount; + ULONG UnmappedChildCount; + PVOID IATBase; + SIZE_T IATSize; + ULONG ImportIndex; + ULONG ThunkIndex; + PIMAGE_IMPORT_DESCRIPTOR ImportDescriptors; + ULONG IATProtection; + PVOID GuardCheckICall; + PVOID* GuardCheckICallFptr; +} LDRP_LOAD_CONTEXT, *PLDRP_LOAD_CONTEXT; + +// private typedef enum _LDR_HOT_PATCH_STATE { - LdrHotPatchBaseImage, - LdrHotPatchNotApplied, - LdrHotPatchAppliedReverse, - LdrHotPatchAppliedForward, - LdrHotPatchFailedToPatch, - LdrHotPatchStateMax, + LdrHotPatchBaseImage = 0, + LdrHotPatchNotApplied = 1, + LdrHotPatchAppliedReverse = 2, + LdrHotPatchAppliedForward = 3, + LdrHotPatchFailedToPatch = 4, + LdrHotPatchStateMax = 5, } LDR_HOT_PATCH_STATE, *PLDR_HOT_PATCH_STATE; // LDR_DATA_TABLE_ENTRY->Flags 
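Review bot: In `LDRP_DEPENDENCY` the anonymous union overlays `ParentNode` with the `ForwarderLink`/`SpareFlags` bitfields, which reads as a tagged pointer carrying flags in its low bits, but nothing says so; a reader who dereferences `ParentNode` directly gets a misaligned pointer whenever a flag is set. If that is the layout, a comment on the union such as `// ParentNode with flags in its low bits; mask them off before dereferencing (rev, confirm)` saves the next maintainer a crash. Separately, `LDRP_PATH_ELEMENTS` sizes both arrays at 6 while `RTLP_SEARCH_PATH_ELEMENT` enumerates 9 values ending in `MaxBasepSearchPath`; if 6 is the observed layout, a comment saying so pre-empts the obvious question.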
@@ -115,19 +190,22 @@ typedef enum _LDR_HOT_PATCH_STATE #define LDRP_IN_INDEXES 0x00000080 #define LDRP_SHIM_DLL 0x00000100 #define LDRP_IN_EXCEPTION_TABLE 0x00000200 +#define LDRP_VERIFIER_PROVIDER 0x00000400 // reserved before WIN11 24H2 +#define LDRP_SHIM_ENGINE_CALLOUT_SENT 0x00000800 // reserved before WIN11 24H2 #define LDRP_LOAD_IN_PROGRESS 0x00001000 -#define LDRP_LOAD_CONFIG_PROCESSED 0x00002000 +#define LDRP_LOAD_CONFIG_PROCESSED 0x00002000 // reserved before THRESHOLD #define LDRP_ENTRY_PROCESSED 0x00004000 -#define LDRP_PROTECT_DELAY_LOAD 0x00008000 +#define LDRP_PROTECT_DELAY_LOAD 0x00008000 // reserved before WINBLUE +#define LDRP_AUX_IAT_COPY_PRIVATE 0x00010000 // reserved before WIN11 24H2 #define LDRP_DONT_CALL_FOR_THREADS 0x00040000 #define LDRP_PROCESS_ATTACH_CALLED 0x00080000 #define LDRP_PROCESS_ATTACH_FAILED 0x00100000 -#define LDRP_COR_DEFERRED_VALIDATE 0x00200000 +#define LDRP_SCP_IN_EXCEPTION_TABLE 0x00200000 // LDRP_COR_DEFERRED_VALIDATE before WIN11 24H2 #define LDRP_COR_IMAGE 0x00400000 #define LDRP_DONT_RELOCATE 0x00800000 #define LDRP_COR_IL_ONLY 0x01000000 -#define LDRP_CHPE_IMAGE 0x02000000 -#define LDRP_CHPE_EMULATOR_IMAGE 0x04000000 +#define LDRP_CHPE_IMAGE 0x02000000 // reserved before REDSTONE4 +#define LDRP_CHPE_EMULATOR_IMAGE 0x04000000 // reserved before WIN11 #define LDRP_REDIRECTED 0x10000000 #define LDRP_COMPAT_DATABASE_PROCESSED 0x80000000 @@ -144,7 +222,7 @@ typedef struct _LDR_DATA_TABLE_ENTRY LIST_ENTRY InMemoryOrderLinks; LIST_ENTRY InInitializationOrderLinks; PVOID DllBase; - PLDR_INIT_ROUTINE EntryPoint; + PDLL_INIT_ROUTINE EntryPoint; ULONG SizeOfImage; UNICODE_STRING FullDllName; UNICODE_STRING BaseDllName; 
@@ -164,21 +242,23 @@ typedef struct _LDR_DATA_TABLE_ENTRY ULONG InIndexes : 1; ULONG ShimDll : 1; ULONG InExceptionTable : 1; - ULONG ReservedFlags1 : 2; + ULONG VerifierProvider : 1; // since WIN11 24H2 + ULONG ShimEngineCalloutSent : 1; // since WIN11 24H2 ULONG LoadInProgress : 1; - ULONG LoadConfigProcessed : 1; + ULONG LoadConfigProcessed : 1; // since THRESHOLD ULONG EntryProcessed : 1; - ULONG ProtectDelayLoad : 1; - ULONG ReservedFlags3 : 2; + ULONG ProtectDelayLoad : 1; // since WINBLUE + ULONG AuxIatCopyPrivate : 1; // since WIN11 24H2 + ULONG ReservedFlags3 : 1; ULONG DontCallForThreads : 1; ULONG ProcessAttachCalled : 1; ULONG ProcessAttachFailed : 1; - ULONG CorDeferredValidate : 1; + ULONG ScpInExceptionTable : 1; // CorDeferredValidate before WIN11 24H2 ULONG CorImage : 1; ULONG DontRelocate : 1; ULONG CorILOnly : 1; - ULONG ChpeImage : 1; - ULONG ChpeEmulatorImage : 1; + ULONG ChpeImage : 1; // since REDSTONE4 + ULONG ChpeEmulatorImage : 1; // since WIN11 ULONG ReservedFlags5 : 1; ULONG Redirected : 1; ULONG ReservedFlags6 : 2; @@ -201,12 +281,12 @@ typedef struct _LDR_DATA_TABLE_ENTRY PVOID OriginalBase; LARGE_INTEGER LoadTime; ULONG BaseNameHashValue; - LDR_DLL_LOAD_REASON LoadReason; // since WIN8 - ULONG ImplicitPathOptions; - ULONG ReferenceCount; // since WIN10 - ULONG DependentLoadFlags; + LDR_DLL_LOAD_REASON LoadReason; + ULONG ImplicitPathOptions; // since WINBLUE + ULONG ReferenceCount; // since THRESHOLD + ULONG DependentLoadFlags; // since REDSTONE UCHAR SigningLevel; // since REDSTONE2 - ULONG CheckSum; // since 22H1 + ULONG CheckSum; // since WIN11 PVOID ActivePatchImageBase; LDR_HOT_PATCH_STATE HotPatchState; } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY; @@ -221,6 +301,7 @@ typedef struct _LDR_DATA_TABLE_ENTRY #if (PHNT_MODE != PHNT_MODE_KERNEL) +// private NTSYSAPI NTSTATUS NTAPI 
@@ -228,9 +309,10 @@ LdrLoadDll( _In_opt_ PCWSTR DllPath, _In_opt_ PULONG DllCharacteristics, _In_ PCUNICODE_STRING DllName, - _Out_ PVOID *DllHandle + _Out_ PVOID* DllHandle ); +// private NTSYSAPI NTSTATUS NTAPI @@ -238,6 +320,7 @@ LdrUnloadDll( _In_ PVOID DllHandle ); +// private NTSYSAPI NTSTATUS NTAPI 
@@ -245,94 +328,101 @@ LdrGetDllHandle( _In_opt_ PCWSTR DllPath, _In_opt_ PULONG DllCharacteristics, _In_ PCUNICODE_STRING DllName, - _Out_ PVOID *DllHandle + _Out_ PVOID* DllHandle ); +// private #define LDR_GET_DLL_HANDLE_EX_UNCHANGED_REFCOUNT 0x00000001 #define LDR_GET_DLL_HANDLE_EX_PIN 0x00000002 +// private NTSYSAPI NTSTATUS NTAPI LdrGetDllHandleEx( - _In_ ULONG Flags, + _In_ ULONG Flags, // LDR_GET_DLL_HANDLE_EX_* _In_opt_ PCWSTR DllPath, _In_opt_ PULONG DllCharacteristics, _In_ PCUNICODE_STRING DllName, - _Out_ PVOID *DllHandle + _Out_ PVOID* DllHandle ); #if (PHNT_VERSION >= PHNT_WINDOWS_7) -// rev + +// private NTSYSAPI NTSTATUS NTAPI LdrGetDllHandleByMapping( - _In_ PVOID BaseAddress, - _Out_ PVOID *DllHandle + _In_ PVOID MappedBase, + _Out_ PVOID* DllHandle ); -#endif -#if (PHNT_VERSION >= PHNT_WINDOWS_7) -// rev +// private NTSYSAPI NTSTATUS NTAPI LdrGetDllHandleByName( _In_opt_ PCUNICODE_STRING BaseDllName, _In_opt_ PCUNICODE_STRING FullDllName, - _Out_ PVOID *DllHandle + _Out_ PVOID* DllHandle ); -#endif + +#endif // (PHNT_VERSION >= PHNT_WINDOWS_7) #if (PHNT_VERSION >= PHNT_WINDOWS_8) -// rev + +// private NTSYSAPI NTSTATUS NTAPI LdrGetDllFullName( - _In_ PVOID DllHandle, - _Out_ PUNICODE_STRING FullDllName + _In_opt_ PVOID DllHandle, + _Out_ PUNICODE_STRING FileName ); -// rev +// private NTSYSAPI NTSTATUS NTAPI LdrGetDllPath( - _In_ PCWSTR DllName, - _In_ ULONG Flags, // LOAD_LIBRARY_SEARCH_* + _In_ PCWSTR RootDllName, + _In_ ULONG DllSearchOptions, // LOAD_LIBRARY_SEARCH_* _Out_ PWSTR* DllPath, - _Out_ PWSTR* SearchPaths + _Out_ PWSTR* PackageDirectories ); -// rev +// private NTSYSAPI NTSTATUS NTAPI LdrGetDllDirectory( - _Out_ PUNICODE_STRING DllDirectory + _Out_ PUNICODE_STRING Path ); -// rev +// private NTSYSAPI NTSTATUS NTAPI LdrSetDllDirectory( - _In_ PCUNICODE_STRING DllDirectory + _In_ PCUNICODE_STRING Path ); -#endif +#endif // (PHNT_VERSION >= PHNT_WINDOWS_8) + +// private #define LDR_ADDREF_DLL_PIN 0x00000001 +// private NTSYSAPI 
NTSTATUS NTAPI LdrAddRefDll( - _In_ ULONG Flags, + _In_ ULONG Flags, // LDR_ADDREF_DLL_* _In_ PVOID DllHandle ); +// private NTSYSAPI NTSTATUS NTAPI @@ -340,13 +430,14 @@ LdrGetProcedureAddress( _In_ PVOID DllHandle, _In_opt_ PCANSI_STRING ProcedureName, _In_opt_ ULONG ProcedureNumber, - _Out_ PVOID *ProcedureAddress + _Out_ PVOID* ProcedureAddress ); // rev #define LDR_GET_PROCEDURE_ADDRESS_DONT_RECORD_FORWARDER 0x00000001 #if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) + // private NTSYSAPI NTSTATUS @@ -355,22 +446,24 @@ LdrGetProcedureAddressEx( _In_ PVOID DllHandle, _In_opt_ PCANSI_STRING ProcedureName, _In_opt_ ULONG ProcedureNumber, - _Out_ PVOID *ProcedureAddress, - _In_ ULONG Flags + _Out_ PVOID* ProcedureAddress, + _In_ ULONG Flags // LDR_GET_PROCEDURE_ADDRESS_* ); -#endif +// private NTSYSAPI NTSTATUS NTAPI LdrGetKnownDllSectionHandle( _In_ PCWSTR DllName, - _In_ BOOLEAN KnownDlls32, - _Out_ PHANDLE Section + _In_ BOOLEAN SearchKnownDlls32, + _Out_ PHANDLE SectionHandle ); -#if (PHNT_VERSION >= PHNT_WINDOWS_10) -// rev +#endif // (PHNT_VERSION >= PHNT_WINDOWS_VISTA) + +#if (PHNT_VERSION >= PHNT_WINDOWS_8) +// private NTSYSAPI NTSTATUS NTAPI 
@@ -378,61 +471,46 @@ LdrGetProcedureAddressForCaller( _In_ PVOID DllHandle, _In_opt_ PCANSI_STRING ProcedureName, _In_opt_ ULONG ProcedureNumber, - _Out_ PVOID *ProcedureAddress, - _In_ ULONG Flags, - _In_ PVOID *Callback + _Out_ PVOID* ProcedureAddress, + _In_ ULONG Flags, // LDR_GET_PROCEDURE_ADDRESS_* + _In_ PVOID CallerAddress ); #endif +// private #define LDR_LOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001 #define LDR_LOCK_LOADER_LOCK_FLAG_TRY_ONLY 0x00000002 +// private #define LDR_LOCK_LOADER_LOCK_DISPOSITION_INVALID 0 #define LDR_LOCK_LOADER_LOCK_DISPOSITION_LOCK_ACQUIRED 1 #define LDR_LOCK_LOADER_LOCK_DISPOSITION_LOCK_NOT_ACQUIRED 2 +// private NTSYSAPI NTSTATUS NTAPI LdrLockLoaderLock( - _In_ ULONG Flags, - _Out_opt_ ULONG *Disposition, - _Out_opt_ PVOID *Cookie + _In_ ULONG Flags, // LDR_LOCK_LOADER_LOCK_FLAG_* + _Out_opt_ PULONG Disposition, + _Out_ PVOID* Cookie ); +// private #define LDR_UNLOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001 +// private NTSYSAPI NTSTATUS NTAPI LdrUnlockLoaderLock( - _In_ ULONG Flags, - _In_opt_ PVOID Cookie - ); - -NTSYSAPI -NTSTATUS -NTAPI -LdrRelocateImage( - _In_ PVOID NewBase, - _In_opt_ PCSTR LoaderName, - _In_ NTSTATUS Success, - _In_ NTSTATUS Conflict, - _In_ NTSTATUS Invalid - ); - -NTSYSAPI -NTSTATUS -NTAPI -LdrRelocateImageWithBias( - _In_ PVOID NewBase, - _In_opt_ LONGLONG Bias, - _In_opt_ PCSTR LoaderName, - _In_ NTSTATUS Success, - _In_ NTSTATUS Conflict, - _In_ NTSTATUS Invalid + _In_ ULONG Flags, // LDR_UNLOCK_LOADER_LOCK_FLAG_* + _In_ PVOID CookieIn ); +// private +_Must_inspect_result_ +_Maybenull_ NTSYSAPI PIMAGE_BASE_RELOCATION NTAPI 
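Review bot: `LdrGetProcedureAddressForCaller`'s last parameter changes from `_In_ PVOID *Callback` to `_In_ PVOID CallerAddress`; because `PVOID*` converts to `PVOID` implicitly in C, an existing caller that passes the address of a callback variable keeps compiling without a warning and now passes the wrong value, so callers should be grepped rather than left to the compiler. `LdrLockLoaderLock`'s `Cookie` goes from `_Out_opt_` to `_Out_` and `LdrUnlockLoaderLock`'s from `_In_opt_` to `_In_`; dropping optionality is a contract change for callers that passed NULL, and a short `// NULL cookie not accepted (rev)` comment would record the basis for it.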
@@ -444,27 +522,22 @@ LdrProcessRelocationBlock( ); #if (PHNT_VERSION >= PHNT_WINDOWS_8) +// private +_Must_inspect_result_ +_Maybenull_ NTSYSAPI PIMAGE_BASE_RELOCATION NTAPI LdrProcessRelocationBlockEx( - _In_ ULONG Machine, // IMAGE_FILE_MACHINE_AMD64|IMAGE_FILE_MACHINE_ARM|IMAGE_FILE_MACHINE_THUMB|IMAGE_FILE_MACHINE_ARMNT + _In_ USHORT ImageMachine, // IMAGE_FILE_MACHINE_AMD64|IMAGE_FILE_MACHINE_ARM|IMAGE_FILE_MACHINE_THUMB|IMAGE_FILE_MACHINE_ARMNT _In_ ULONG_PTR VA, _In_ ULONG SizeOfBlock, - _In_ PUSHORT NextOffset, + _In_ PUSHORT RelocationPtr, _In_ LONG_PTR Diff ); #endif -NTSYSAPI -BOOLEAN -NTAPI -LdrVerifyMappedImageMatchesChecksum( - _In_ PVOID BaseAddress, - _In_ SIZE_T NumberOfBytes, - _In_ ULONG FileLength - ); - +// private typedef _Function_class_(LDR_IMPORT_MODULE_CALLBACK) VOID NTAPI LDR_IMPORT_MODULE_CALLBACK( _In_ PVOID Parameter, @@ -472,6 +545,7 @@ VOID NTAPI LDR_IMPORT_MODULE_CALLBACK( ); typedef LDR_IMPORT_MODULE_CALLBACK* PLDR_IMPORT_MODULE_CALLBACK; +// private NTSYSAPI NTSTATUS NTAPI @@ -499,11 +573,16 @@ typedef struct _LDR_SECTION_INFO ULONG AllocationAttributes; } LDR_SECTION_INFO, *PLDR_SECTION_INFO; +// rev +#define LDR_VERIFY_IMAGE_FLAG_USE_CALLBACK 0x01 +#define LDR_VERIFY_IMAGE_FLAG_USE_SECTION_INFO 0x02 +#define LDR_VERIFY_IMAGE_FLAG_RETURN_IMAGE_CHARACTERISTICS 0x04 + // private typedef struct _LDR_VERIFY_IMAGE_INFO { ULONG Size; - ULONG Flags; + ULONG Flags; // LDR_VERIFY_IMAGE_FLAG_* LDR_IMPORT_CALLBACK_INFO CallbackInfo; LDR_SECTION_INFO SectionInfo; USHORT ImageCharacteristics; @@ -527,10 +606,10 @@ NTSTATUS NTAPI LdrQueryModuleServiceTags( _In_ PVOID DllHandle, - _Out_writes_(*BufferSize) PULONG ServiceTagBuffer, + _Out_writes_to_(*BufferSize, *BufferSize) PULONG ServiceTagBuffer, _Inout_ PULONG BufferSize ); -#endif +#endif // (PHNT_VERSION >= PHNT_WINDOWS_VISTA) // begin_msdn:"DLL Load Notification" 
@@ -589,7 +668,7 @@ LdrRegisterDllNotification( _In_ ULONG Flags, _In_ PLDR_DLL_NOTIFICATION_FUNCTION NotificationFunction, _In_opt_ PVOID Context, - _Out_ PVOID *Cookie + _Out_ PVOID* Cookie ); /** @@ -605,18 +684,21 @@ NTAPI LdrUnregisterDllNotification( _In_ PVOID Cookie ); -#endif +#endif // (PHNT_VERSION >= PHNT_WINDOWS_VISTA) // end_msdn -// rev +#if (PHNT_VERSION >= PHNT_WINDOWS_8) +// private NTSYSAPI -PUNICODE_STRING +VOID NTAPI LdrStandardizeSystemPath( - _In_ PCUNICODE_STRING SystemPath + _In_ PCUNICODE_STRING DllFullPath ); +#endif +// private typedef struct _LDR_FAILURE_DATA { NTSTATUS Status; @@ -624,7 +706,8 @@ typedef struct _LDR_FAILURE_DATA WCHAR AdditionalInfo[0x20]; } LDR_FAILURE_DATA, *PLDR_FAILURE_DATA; -#if (PHNT_VERSION >= PHNT_WINDOWS_8_1) +#if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) +// private NTSYSAPI PLDR_FAILURE_DATA NTAPI @@ -797,10 +880,10 @@ NTSTATUS NTAPI LdrAddLoadAsDataTable( _In_ PVOID Module, - _In_ PCWSTR FilePath, + _In_opt_ PCWSTR FilePath, _In_ SIZE_T Size, _In_ HANDLE Handle, - _In_opt_ PACTIVATION_CONTEXT ActCtx + _In_opt_ PACTIVATION_CONTEXT AssociatedActCtx ); // private @@ -809,7 +892,7 @@ NTSTATUS NTAPI LdrRemoveLoadAsDataTable( _In_ PVOID InitModule, - _Out_opt_ PVOID *BaseModule, + _Out_ PVOID* BaseModule, _Out_opt_ PSIZE_T Size, _In_ ULONG Flags ); 
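Review bot: The guard around `LdrGetFailureData` is lowered from `PHNT_WINDOWS_8_1` to `PHNT_WINDOWS_VISTA` without a comment giving the version in which the export first appeared; if it is absent from an older ntdll, a binary that imports it statically fails at process start instead of at compile time, which is the failure mode these guards exist to prevent. A `// since <version>` note like the ones used on struct fields elsewhere in this header would make the gate auditable. `LdrStandardizeSystemPath` also changes its return type from `PUNICODE_STRING` to `VOID`; callers using the old return value now fail to compile, which is the right outcome, but the change is worth a line in the commit description.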
@@ -820,29 +903,31 @@ NTSTATUS NTAPI LdrGetFileNameFromLoadAsDataTable( _In_ PVOID Module, - _Out_ PVOID *pFileNamePrt + _Out_ PWSTR* FilePath ); #endif // (PHNT_VERSION >= PHNT_WINDOWS_VISTA) +// private NTSYSAPI NTSTATUS NTAPI LdrDisableThreadCalloutsForDll( - _In_ PVOID DllImageBase + _In_ PVOID DllHandle ); // // Resources // +// private /** * The LdrAccessResource function returns a pointer to the first byte of the specified resource in memory. * * @param DllHandle A handle to the DLL. * @param ResourceDataEntry The resource information block. - * @param ResourceBuffer The pointer to the specified resource in memory. - * @param ResourceLength The size, in bytes, of the specified resource. + * @param Address The pointer to the specified resource in memory. + * @param Size The size, in bytes, of the specified resource. * @return NTSTATUS Successful or errant status. * @sa https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadresource */ 
@@ -852,28 +937,51 @@ NTAPI LdrAccessResource( _In_ PVOID DllHandle, _In_ PIMAGE_RESOURCE_DATA_ENTRY ResourceDataEntry, - _Out_opt_ PVOID *ResourceBuffer, - _Out_opt_ ULONG *ResourceLength + _Out_opt_ PVOID* Address, + _Out_opt_ PULONG Size ); -typedef struct _LDR_RESOURCE_INFO +// N.B. Internally, resource-searching functions like LdrFindResource_U +// use an unnamed array of ULONG_PTR values to identify a resource, +// where elements form a path and have different meaning at each index. +// We introduce a union to help interpreting them. (diversenok) + +// rev // LdrpMUIEtwOutput +typedef enum _LDR_RESOURCE_INFO_INDEX { - ULONG_PTR Type; - ULONG_PTR Name; - ULONG_PTR Language; + LdrResourceIdType = 0, + LdrResourceIdName = 1, + LdrResourceIdLanguage = 2, + LdrResourceIdItem = 3, + LdrResourceIdCount = 4 +} LDR_RESOURCE_INFO_INDEX; + +// rev // The number of elements required when using a given field, for ResourceIdPathLength +#define LDR_RESOURCE_INFO_LENGTH_THROUGH_TYPE (LdrResourceIdType + 1) +#define LDR_RESOURCE_INFO_LENGTH_THROUGH_NAME (LdrResourceIdName + 1) +#define LDR_RESOURCE_INFO_LENGTH_THROUGH_LANGUAGE (LdrResourceIdLanguage + 1) +#define LDR_RESOURCE_INFO_LENGTH_THROUGH_ITEM (LdrResourceIdItem + 1) + +// rev // A union for unpacking the ResourceIdPath array +typedef union _LDR_RESOURCE_INFO +{ + ULONG_PTR ResourceIdPath[LdrResourceIdCount]; + struct + { + PCWSTR Type; // RT_* + PCWSTR Name; // string or MAKEINTRESOURCE + PCWSTR Language; // string or LANGID + ULONG_PTR Item; // e.g., MessageId + }; } LDR_RESOURCE_INFO, *PLDR_RESOURCE_INFO; -#define RESOURCE_TYPE_LEVEL 0 -#define RESOURCE_NAME_LEVEL 1 -#define RESOURCE_LANGUAGE_LEVEL 2 -#define RESOURCE_DATA_LEVEL 3 - +// private /** * The LdrFindResource_U function determines the location of a resource in a DLL. * * @param DllHandle A handle to the DLL. - * @param ResourceInfo The type and name of the resource. - * @param Level The level of resource information. 
+ * @param ResourceIdPath The path to the specified resource. + * @param ResourceIdPathLength The number of elements in the path. * @param ResourceDataEntry The resource information block. * @return NTSTATUS Successful or errant status. * @sa https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-findresourceexw 
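Review bot: The new `LDR_RESOURCE_INFO` union relies on the anonymous struct's four members lining up exactly with `ResourceIdPath[LdrResourceIdCount]`, but nothing enforces it; a `C_ASSERT(sizeof(LDR_RESOURCE_INFO) == LdrResourceIdCount * sizeof(ULONG_PTR));` after the typedef (if winnt.h's `C_ASSERT` is in scope here) turns a future field addition into a compile error rather than a silently wrong path length. The `// string or LANGID` comment on `Language` should also say how a LANGID is stored in a `PCWSTR`, e.g. `// string, or a LANGID via MAKEINTRESOURCE`, since the former `ULONG_PTR` field accepted the integer directly and callers now need the cast.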
@@ -883,44 +991,55 @@ NTSTATUS NTAPI LdrFindResource_U( _In_ PVOID DllHandle, - _In_ PLDR_RESOURCE_INFO ResourceInfo, - _In_ ULONG Level, - _Out_ PIMAGE_RESOURCE_DATA_ENTRY *ResourceDataEntry + _In_reads_(ResourceIdPathLength) PULONG_PTR ResourceIdPath, // PLDR_RESOURCE_INFO + _In_ ULONG ResourceIdPathLength, + _Out_ PIMAGE_RESOURCE_DATA_ENTRY* ResourceDataEntry ); +// private +#define LDR_FIND_RESOURCE_DATA 0x00000000 +#define LDR_FIND_RESOURCE_DIRECTORY 0x00000002 +#define LDR_FIND_RESOURCE_LANGUAGE_CAN_FALLBACK 0x00000000 +#define LDR_FIND_RESOURCE_LANGUAGE_EXACT 0x00000004 +#define LDR_FIND_RESOURCE_LANGUAGE_REDIRECT_VERSION 0x00000008 + +// private NTSYSAPI NTSTATUS NTAPI LdrFindResourceEx_U( - _In_ ULONG Flags, + _In_ ULONG Flags, // LDR_FIND_RESOURCE_* _In_ PVOID DllHandle, - _In_ PLDR_RESOURCE_INFO ResourceInfo, - _In_ ULONG Level, - _Out_ PIMAGE_RESOURCE_DATA_ENTRY *ResourceDataEntry + _In_reads_(ResourceIdPathLength) PULONG_PTR ResourceIdPath, // PLDR_RESOURCE_INFO + _In_ ULONG ResourceIdPathLength, + _Out_ PIMAGE_RESOURCE_DATA_ENTRY* ResourceDataEntry ); +// private NTSYSAPI NTSTATUS NTAPI LdrFindResourceDirectory_U( _In_ PVOID DllHandle, - _In_ PLDR_RESOURCE_INFO ResourceInfo, - _In_ ULONG Level, - _Out_ PIMAGE_RESOURCE_DIRECTORY *ResourceDirectory + _In_reads_(ResourceIdPathLength) PULONG_PTR ResourceIdPath, // PLDR_RESOURCE_INFO + _In_ ULONG ResourceIdPathLength, + _Out_ PIMAGE_RESOURCE_DIRECTORY* ResourceDirectory ); -#if (PHNT_VERSION >= PHNT_WINDOWS_8) +#if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) + +// private /** * The LdrResFindResource function finds a resource in a DLL. * - * @param DllHandle A handle to the DLL. - * @param Type The type of the resource. - * @param Name The name of the resource. + * @param Module A handle to the DLL. + * @param ResourceType The type of the resource. + * @param ResourceName The name of the resource. * @param Language The language of the resource. 
- * @param ResourceBuffer An optional pointer to receive the resource buffer. - * @param ResourceLength An optional pointer to receive the resource length. - * @param CultureName An optional buffer to receive the culture name. - * @param CultureNameLength An optional pointer to receive the length of the culture name. + * @param Resource An optional pointer to receive the resource buffer. + * @param Size An optional pointer to receive the resource length. + * @param FoundLanguage An optional buffer to receive the culture name. + * @param FoundLanguageLength An optional pointer to receive the length of the culture name. * @param Flags Flags for the resource search. * @return NTSTATUS Successful or errant status. */ 
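Review bot: `LDR_FIND_RESOURCE_DATA` and `LDR_FIND_RESOURCE_LANGUAGE_CAN_FALLBACK` are both defined as `0x00000000`, so they are defaults rather than flags; `if (Flags & LDR_FIND_RESOURCE_DATA)` is always false, and each pair (`DATA`/`DIRECTORY`, `CAN_FALLBACK`/`EXACT`) is a two-way selection of a single bit. A comment on the zero-valued names, `// default (no bit); in effect when LDR_FIND_RESOURCE_DIRECTORY is clear` and likewise for `LANGUAGE_CAN_FALLBACK` versus `LANGUAGE_EXACT`, stops them being tested with `&`. The `#if` guard for `LdrResFindResource` also drops from `PHNT_WINDOWS_8` to `PHNT_WINDOWS_VISTA`; if that rests on observed exports, a `// since` note would record it.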
@@ -928,26 +1047,27 @@ NTSYSAPI NTSTATUS NTAPI LdrResFindResource( - _In_ PVOID DllHandle, - _In_ ULONG_PTR Type, - _In_ ULONG_PTR Name, - _In_ ULONG_PTR Language, - _Out_opt_ PVOID* ResourceBuffer, - _Out_opt_ PULONG ResourceLength, - _Out_writes_bytes_opt_(CultureNameLength) PVOID CultureName, // WCHAR buffer[6] - _Out_opt_ PULONG CultureNameLength, + _In_ PVOID Module, + _In_ PCWSTR ResourceType, + _In_ PCWSTR ResourceName, + _In_ PCWSTR Language, + _Out_opt_ PVOID* Resource, + _Out_opt_ PULONG Size, + _Out_writes_bytes_opt_(*FoundLanguageLength) PWCHAR FoundLanguage, // WCHAR buffer[6] + _Out_opt_ PULONG FoundLanguageLength, _In_ ULONG Flags ); +// private /** * The LdrResFindResourceDirectory function finds a resource directory in a DLL. * * @param DllHandle A handle to the DLL. - * @param Type The type of the resource. - * @param Name The name of the resource. + * @param ResourceType The type of the resource. + * @param ResourceName The name of the resource. * @param ResourceDirectory An optional pointer to receive the resource directory. - * @param CultureName An optional buffer to receive the culture name. - * @param CultureNameLength An optional pointer to receive the length of the culture name. + * @param FoundLanguage An optional buffer to receive the culture name. + * @param FoundLanguageLength An optional pointer to receive the length of the culture name. * @param Flags Flags for the resource search. * @return NTSTATUS Successful or errant status. */ 
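Review bot: `_Out_writes_bytes_opt_(*FoundLanguageLength) PWCHAR FoundLanguage` sizes the buffer by dereferencing `FoundLanguageLength`, which is annotated `_Out_opt_`, so its pre-call value is unspecified to the analyzer and the pointer may be NULL; SAL evaluates the size expression on entry, so the annotation does not describe a checkable contract. Either the length is an input as well and should be `_Inout_opt_ PULONG FoundLanguageLength`, or, if the `// WCHAR buffer[6]` comment is the real requirement, a fixed size `_Out_writes_bytes_opt_(6 * sizeof(WCHAR))` states it. The same pattern appears on `LdrResFindResourceDirectory` and `LdrResSearchResource` in the hunk at -955.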
@@ -955,79 +1075,150 @@ NTSYSAPI NTSTATUS NTAPI LdrResFindResourceDirectory( - _In_ PVOID DllHandle, - _In_ ULONG_PTR Type, - _In_ ULONG_PTR Name, + _In_ PVOID Module, + _In_ PCWSTR ResourceType, + _In_ PCWSTR ResourceName, _Out_opt_ PIMAGE_RESOURCE_DIRECTORY* ResourceDirectory, - _Out_writes_bytes_opt_(CultureNameLength) PVOID CultureName, // WCHAR buffer[6] - _Out_opt_ PULONG CultureNameLength, + _Out_writes_bytes_opt_(*FoundLanguageLength) PWCHAR FoundLanguage, // WCHAR buffer[6] + _Out_opt_ PULONG FoundLanguageLength, _In_ ULONG Flags ); +#endif // (PHNT_VERSION >= PHNT_WINDOWS_VISTA) + +// rev +#define LDR_GET_RESOURCE_DIRECTORY_RANGE_CHECKS 0x1000 + +#if (PHNT_VERSION >= PHNT_WINDOWS_7) +// private NTSYSAPI NTSTATUS NTAPI LdrpResGetResourceDirectory( - _In_ PVOID DllHandle, - _In_ SIZE_T Size, - _In_ ULONG Flags, - _Out_opt_ PIMAGE_RESOURCE_DIRECTORY* ResourceDirectory, - _Out_ PIMAGE_NT_HEADERS* OutHeaders + _In_ PVOID ModuleBase, + _In_ SIZE_T MappingSize, + _In_ ULONG Flags, // LDR_GET_RESOURCE_DIRECTORY_* + _Out_ PIMAGE_RESOURCE_DIRECTORY* TopResourceDirectory, + _Out_ PIMAGE_NT_HEADERS* NtHeaders ); +#endif +#if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) +// private /** * The LdrResSearchResource function searches for a resource in a DLL. * -* @param DllHandle A handle to the DLL. -* @param ResourceInfo A pointer to the resource information. -* @param Level The level of the resource. +* @param File A handle to the DLL. +* @param InitResIds A pointer to the resource information. +* @param InitResIdCount The level of the resource. * @param Flags Flags for the resource search. -* @param ResourceBuffer An optional pointer to receive the resource buffer. -* @param ResourceLength An optional pointer to receive the resource length. -* @param CultureName An optional buffer to receive the culture name. -* @param CultureNameLength An optional pointer to receive the length of the culture name. +* @param Resource An optional pointer to receive the resource buffer. 
+* @param Size An optional pointer to receive the resource length. +* @param FoundLanguage An optional buffer to receive the culture name. +* @param FoundLanguageLength An optional pointer to receive the length of the culture name. * @return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI LdrResSearchResource( - _In_ PVOID DllHandle, - _In_ PLDR_RESOURCE_INFO ResourceInfo, - _In_ ULONG Level, + _In_ PVOID File, + _In_reads_(InitResIdCount) PULONG_PTR InitResIds, // PLDR_RESOURCE_INFO + _In_ ULONG InitResIdCount, _In_ ULONG Flags, - _Out_opt_ PVOID* ResourceBuffer, - _Out_opt_ PSIZE_T ResourceLength, - _Out_writes_bytes_opt_(CultureNameLength) PVOID CultureName, // WCHAR buffer[6] - _Out_opt_ PULONG CultureNameLength + _Out_opt_ PVOID* Resource, + _Out_opt_ PSIZE_T Size, + _Out_writes_bytes_opt_(*FoundLanguageLength) PWCHAR FoundLanguage, // WCHAR buffer[6] + _Out_opt_ PULONG FoundLanguageLength ); +#endif + +// rev +#define RC_CONFIG_SIGNATURE 0xFECDFECD + +// private +typedef struct _RC_CONFIG +{ + ULONG Signature; + ULONG Length; + ULONG RCConfigVersion; + ULONG FilePathType; + ULONG FileType; + ULONG SystemAttributes; + ULONG UltimateFallbackLocation; + ULONG ServiceCheckSum[4]; + ULONG Checksum[4]; + ULONG Reserved1; + ULONG Reserved2; + ULONG MUIFileNameOffset; // to WCHAR[] + ULONG MUIFileNameLength; + ULONG MUIFilePathOffset; // to WCHAR[] + ULONG MUIFilePathLength; + ULONG MainResNameTypesOffset; // to WCHAR[] + ULONG MainResNameTypesLength; + ULONG MainResIDTypesOffset; // to ULONG[] + ULONG MainResIDTypesLength; + ULONG MUIResNameTypesOffset; // to WCHAR[] + ULONG MUIResNameTypesLength; + ULONG MUIResIDTypesOffset; // to ULONG[] + ULONG MUIResIDTypesLength; + ULONG LanguageOffset; // to WCHAR[] + ULONG LanguageLength; + ULONG UltimateFallbackLanguageOffset; // to WCHAR[] + ULONG UltimateFallbackLanguageLength; +} RC_CONFIG, *PRC_CONFIG; + +// rev +#define LDR_GET_RC_CONFIG_DONT_QUERY_MAPPING_SIZE 0x2000 + +#if (PHNT_VERSION >= 
PHNT_WINDOWS_7) +// private /** * The LdrResGetRCConfig function retrieves the RC configuration for a DLL. * - * @param DllHandle A handle to the DLL. - * @param Length The length of the configuration buffer. - * @param Config A buffer to receive the configuration. + * @param ModuleBase A handle to the DLL. + * @param InitMappingSize The size of the mapping, when known. + * @param RcConfig A variable that receives a pointer to the configuration. * @param Flags Flags for the operation. - * @param AlternateResource Indicates if an alternate resource should be loaded. + * @param IsCaching Indicates if an alternate resource should be loaded. * @return NTSTATUS Successful or errant status. */ NTSYSAPI NTSTATUS NTAPI LdrResGetRCConfig( - _In_ PVOID DllHandle, - _In_opt_ SIZE_T Length, - _Out_writes_bytes_opt_(Length) PVOID Config, - _In_ ULONG Flags, - _In_ BOOLEAN AlternateResource // LdrLoadAlternateResourceModule + _In_ PVOID ModuleBase, + _In_opt_ SIZE_T InitMappingSize, + _Out_opt_ PRC_CONFIG* RcConfig, + _In_ ULONG Flags, // LDR_GET_RC_CONFIG_* + _In_ BOOLEAN IsCaching // LdrLoadAlternateResourceModule + ); + +// rev +#define LDR_RC_CONFIG_NOT_IN_MUI 0x20000 +#define LDR_RC_CONFIG_NOT_IN_MAIN 0x40000 + +// private +NTSYSAPI +NTSTATUS +NTAPI +LdrRscIsTypeExist( + _In_ PRC_CONFIG Config, + _In_ PCWSTR ResType, + _Reserved_ ULONG Flags, + _Inout_ PULONG RetFlags // LDR_RC_CONFIG_* ); +#endif // (PHNT_VERSION >= PHNT_WINDOWS_7) + +#if (PHNT_VERSION >= PHNT_WINDOWS_VISTA) +// private /** * The LdrResRelease function releases a resource in a DLL. * - * @param DllHandle A handle to the DLL. - * @param CultureNameOrId An optional culture name or ID. + * @param File A handle to the DLL. + * @param Language An optional culture name or ID. * @param Flags Flags for the operation. * @return NTSTATUS Successful or errant status. */ 
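Review bot: `RC_CONFIG` carries many `*Offset`/`*Length` pairs whose comments say what they point to but not what the offsets are relative to, and the structure is read out of an image's resource section, i.e. data the loader cannot trust; the declaration should record the base (presumably the start of the structure — confirm) and that offset plus length must be checked against `Length` before use, e.g. `// offsets are relative to the start of RC_CONFIG; validate offset + length <= Length before use (rev)`. `LdrResGetRCConfig`'s `_Out_opt_ PRC_CONFIG* RcConfig` returns a pointer with no statement of ownership or lifetime — whether it points into the mapped module or into memory the caller must release, and how — so the `@param RcConfig` text should say, or say that it is unknown. `LdrRscIsTypeExist` pairs `_Reserved_ ULONG Flags` with `_Inout_ PULONG RetFlags // LDR_RC_CONFIG_*`; a note on whether the caller must initialise `*RetFlags` would complete the contract.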
@@ -1035,11 +1226,11 @@ NTSYSAPI NTSTATUS NTAPI LdrResRelease( - _In_ PVOID DllHandle, - _In_opt_ ULONG_PTR CultureNameOrId, // MAKEINTRESOURCE + _In_ PVOID File, + _In_opt_ PWSTR Language, // MAKEINTRESOURCE _In_ ULONG Flags ); -#endif // (PHNT_VERSION >= PHNT_WINDOWS_8) +#endif // private typedef struct _LDR_ENUM_RESOURCE_ENTRY 
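Review bot: `LdrResRelease` takes `_In_opt_ PWSTR Language` while every other resource routine in this commit (`LdrResFindResource`, `LdrResFindResourceDirectory`, the `LDR_RESOURCE_INFO` members) uses `PCWSTR` for the same kind of argument; an input the function does not modify should be `_In_opt_ PCWSTR Language, // string or LANGID via MAKEINTRESOURCE`, which also keeps the `// MAKEINTRESOURCE` comment meaningful now that the parameter is no longer `ULONG_PTR`. Adding `const` to an input parameter is source-compatible for callers.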
@@ -1075,79 +1266,93 @@ LdrNameOrIdFromResourceEntry(
 return (ULONG_PTR)Entry->Id;
 }
+// private
 NTSYSAPI
 NTSTATUS
 NTAPI
 LdrEnumResources(
 _In_ PVOID DllHandle,
- _In_ PLDR_RESOURCE_INFO ResourceInfo,
- _In_ ULONG Level,
- _Inout_ ULONG *ResourceCount,
- _Out_writes_to_opt_(*ResourceCount, *ResourceCount) PLDR_ENUM_RESOURCE_ENTRY Resources
+ _In_reads_(ResourceIdPathLength) PULONG_PTR ResourceIdPath, // PLDR_RESOURCE_INFO
+ _In_ ULONG ResourceIdPathLength,
+ _Inout_ PULONG NumberOfResources,
+ _Out_writes_to_opt_(*NumberOfResources, *NumberOfResources) PLDR_ENUM_RESOURCE_ENTRY Resources
 );
+// private
 NTSYSAPI
 NTSTATUS
 NTAPI
 LdrFindEntryForAddress(
- _In_ PVOID DllHandle,
- _Out_ PLDR_DATA_TABLE_ENTRY *Entry
+ _In_ PVOID Address,
+ _Out_ PLDR_DATA_TABLE_ENTRY* TableEntry
 );
-// rev
+// private
 /**
 * Returns a handle to the language-specific dynamic-link library (DLL) resource module associated with a DLL that is already loaded for the calling process.
 *
- * \param DllHandle A handle to the DLL module to search for a MUI resource. If the language-specific DLL for the MUI is available, loads the specified module into the address space of the calling process and returns a handle to the module.
- * \param BaseAddress The base address of the mapped view.
- * \param Size The size of the mapped view.
- * \param Flags Reserved
+ * \param Module A handle to the DLL module to search for a MUI resource. If the language-specific DLL for the MUI is available, loads the specified module into the address space of the calling process and returns a handle to the module.
+ * \param ReturnAlternateModule The base address of the mapped view.
+ * \param AlternateViewSize The size of the mapped view.
+ * \param Flags Flags for the operation.
 * \return Successful or errant status.
 */
 NTSYSAPI
 NTSTATUS
 NTAPI
 LdrLoadAlternateResourceModule(
- _In_ PVOID DllHandle,
- _Out_ PVOID *BaseAddress,
- _Out_opt_ SIZE_T *Size,
+ _In_ PVOID Module,
+ _Out_ PVOID* ReturnAlternateModule,
+ _Out_opt_ PSIZE_T AlternateViewSize,
 _In_ ULONG Flags
 );
-// rev
+#if (PHNT_VERSION >= PHNT_WINDOWS_VISTA)
+// private
 NTSYSAPI
 NTSTATUS
 NTAPI
 LdrLoadAlternateResourceModuleEx(
- _In_ PVOID DllHandle,
- _In_ LANGID LanguageId,
- _Out_ PVOID *BaseAddress,
- _Out_opt_ SIZE_T *Size,
+ _In_ PVOID Module,
+ _In_ LANGID LangId,
+ _Out_ PVOID* ReturnAlternateModule,
+ _Out_opt_ PSIZE_T AlternateViewSize,
 _In_ ULONG Flags
 );
+#endif
-// rev
+// private
 /**
 * Frees the language-specific dynamic-link library (DLL) resource module previously loaded by LdrLoadAlternateResourceModule function.
 *
- * @param DllHandle The base address of the mapped view.
+ * @param Module The base address of the mapped view.
 * @return Successful or errant status.
 */
 NTSYSAPI
 BOOLEAN
 NTAPI
 LdrUnloadAlternateResourceModule(
- _In_ PVOID DllHandle
+ _In_ PVOID Module
 );
-// rev
+#if (PHNT_VERSION >= PHNT_WINDOWS_VISTA)
+// private
 NTSYSAPI
 BOOLEAN
 NTAPI
 LdrUnloadAlternateResourceModuleEx(
- _In_ PVOID DllHandle,
+ _In_ PVOID Module,
+ _In_ LANGID LangId
+ );
+
+// private
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrSetMUICacheType(
 _In_ ULONG Flags
 );
+#endif
 #endif // (PHNT_MODE != PHNT_MODE_KERNEL)
@@ -1155,6 +1360,7 @@ LdrUnloadAlternateResourceModuleEx(
 // Module information
 //
+// private
 typedef struct _RTL_PROCESS_MODULE_INFORMATION
 {
 PVOID Section;
@@ -1169,6 +1375,7 @@ typedef struct _RTL_PROCESS_MODULE_INFORMATION
 UCHAR FullPathName[256];
 } RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
+// private
 typedef struct _RTL_PROCESS_MODULES
 {
 ULONG NumberOfModules;
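Review bot: `LdrUnloadAlternateResourceModuleEx` changes its second parameter from `_In_ ULONG Flags` to `_In_ LANGID LangId` while keeping the same arity, so an existing caller that passes a flags value still compiles (at most a ULONG-to-USHORT narrowing warning) and silently hands its flags to ntdll as a language ID. Because the meaning of the declaration changed and not just its names, give it a doc block like its neighbours, e.g. `* @param LangId The language ID of the alternate resource module to unload, as passed to LdrLoadAlternateResourceModuleEx.`, so the new contract is visible at the call site. The same hunk replaces `LdrEnumResources`'s `PLDR_RESOURCE_INFO ResourceInfo` and `Level` with `PULONG_PTR ResourceIdPath` and `ResourceIdPathLength`; callers that previously passed `&resourceInfo` now need the array view of that structure, which the trailing `// PLDR_RESOURCE_INFO` comment should spell out rather than just name the old type. `LdrSetMUICacheType` is added with only `_In_ ULONG Flags` and no hint of the accepted values; a `// rev` line naming the flag family (or stating it is unknown) would stop readers guessing.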
@@ -1203,77 +1410,88 @@ typedef struct _RTL_PROCESS_MODULE_INFORMATION_EX
 #if (PHNT_MODE != PHNT_MODE_KERNEL)
+// private
 NTSYSAPI
 NTSTATUS
 NTAPI
 LdrQueryProcessModuleInformation(
- _In_opt_ PRTL_PROCESS_MODULES ModuleInformation,
- _In_opt_ ULONG Size,
- _Out_ PULONG ReturnedSize
+ _Out_writes_bytes_to_(ModuleInformationLength, *ReturnLength) PRTL_PROCESS_MODULES ModuleInformation,
+ _In_ ULONG ModuleInformationLength,
+ _Out_ PULONG ReturnLength
 );
-typedef _Function_class_(LDR_ENUM_CALLBACK)
-VOID NTAPI LDR_ENUM_CALLBACK(
- _In_ PLDR_DATA_TABLE_ENTRY ModuleInformation,
- _In_ PVOID Parameter,
- _Out_ BOOLEAN* Stop
+// private
+typedef _Function_class_(LDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION)
+VOID NTAPI LDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION(
+ _In_ PLDR_DATA_TABLE_ENTRY DataTableEntry,
+ _In_ PVOID Context,
+ _Inout_ PBOOLEAN StopEnumeration
 );
-typedef LDR_ENUM_CALLBACK* PLDR_ENUM_CALLBACK;
+typedef LDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION* PLDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION;
+// private
 NTSYSAPI
 NTSTATUS
 NTAPI
 LdrEnumerateLoadedModules(
- _In_ BOOLEAN ReservedFlag,
- _In_ PLDR_ENUM_CALLBACK EnumProc,
+ _Reserved_ ULONG Flags,
+ _In_ PLDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION CallbackFunction,
 _In_ PVOID Context
 );
+#if (PHNT_VERSION >= PHNT_WINDOWS_VISTA)
+// private
 NTSYSAPI
 NTSTATUS
 NTAPI
 LdrOpenImageFileOptionsKey(
- _In_ PCUNICODE_STRING SubKey,
- _In_ BOOLEAN Wow64,
- _Out_ PHANDLE NewKeyHandle
+ _In_ PCUNICODE_STRING ImagePathName,
+ _In_ BOOLEAN Wow64Path,
+ _Out_ PHANDLE KeyHandle
 );
+// private
 NTSYSAPI
 NTSTATUS
 NTAPI
 LdrQueryImageFileKeyOption(
 _In_ HANDLE KeyHandle,
- _In_ PCWSTR ValueName,
+ _In_ PCWSTR OptionName,
 _In_ ULONG Type,
- _Out_ PVOID Buffer,
+ _Out_writes_bytes_to_(BufferSize, *ResultSize) PVOID Buffer,
 _In_ ULONG BufferSize,
- _Out_opt_ PULONG ReturnedLength
+ _Out_opt_ PULONG ResultSize
 );
+#endif // (PHNT_VERSION >= PHNT_WINDOWS_VISTA)
+// private
 NTSYSAPI
 NTSTATUS
 NTAPI
 LdrQueryImageFileExecutionOptions(
- _In_ PCUNICODE_STRING SubKey,
- _In_ PCWSTR ValueName,
- _In_ ULONG ValueSize,
- _Out_ PVOID Buffer,
+ _In_ PCUNICODE_STRING ImagePathName,
+ _In_ PCWSTR OptionName,
+ _In_ ULONG Type,
+ _Out_writes_bytes_to_(BufferSize, *ResultSize) PVOID Buffer,
 _In_ ULONG BufferSize,
- _Out_opt_ PULONG ReturnedLength
+ _Out_opt_ PULONG ResultSize
 );
+#if (PHNT_VERSION >= PHNT_WINDOWS_VISTA)
+// private
 NTSYSAPI
 NTSTATUS
 NTAPI
 LdrQueryImageFileExecutionOptionsEx(
- _In_ PCUNICODE_STRING SubKey,
- _In_ PCWSTR ValueName,
+ _In_ PCUNICODE_STRING ImagePathName,
+ _In_ PCWSTR OptionName,
 _In_ ULONG Type,
- _Out_ PVOID Buffer,
+ _Out_writes_bytes_to_(BufferSize, *ResultSize) PVOID Buffer,
 _In_ ULONG BufferSize,
- _Out_opt_ PULONG ReturnedLength,
- _In_ BOOLEAN Wow64
+ _Out_opt_ PULONG ResultSize,
+ _In_ BOOLEAN Wow64Path
 );
+#endif
 // private
 typedef struct _DELAYLOAD_PROC_DESCRIPTOR
@@ -1307,7 +1525,7 @@ PVOID NTAPI DELAYLOAD_FAILURE_DLL_CALLBACK(
 );
 typedef DELAYLOAD_FAILURE_DLL_CALLBACK* PDELAYLOAD_FAILURE_DLL_CALLBACK;
-// rev
+// private
 typedef _Function_class_(DELAYLOAD_FAILURE_SYSTEM_ROUTINE)
 PVOID NTAPI DELAYLOAD_FAILURE_SYSTEM_ROUTINE(
 _In_ PCSTR DllName,
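Review bot: `LdrQueryProcessModuleInformation` loses the `_In_opt_` on `ModuleInformation` and `Size`: the new `_Out_writes_bytes_to_(ModuleInformationLength, *ReturnLength)` makes the buffer mandatory, so the usual NT pattern of passing NULL/0 to learn the required size through `ReturnLength` now trips SAL, whereas `_Out_writes_bytes_to_opt_` would preserve it. I cannot tell from the hunk whether ntdll still accepts the NULL probe; if it does, use the `_opt_` form, and if it does not, a one-line comment saying a buffer is required would save callers a round trip. In the same hunk `LdrQueryImageFileExecutionOptions`'s third parameter is renamed from `ValueSize` to `Type` with the same ULONG type, so existing callers compile unchanged with a different meaning; that deserves a mention in the commit description, and a trailing `// REG_*` on the `Type` lines would make the expected values explicit. The enclosing `#if (PHNT_MODE != PHNT_MODE_KERNEL)` region starts in the previous line of this hunk and ends outside it.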
@@ -1315,14 +1533,14 @@ PVOID NTAPI DELAYLOAD_FAILURE_SYSTEM_ROUTINE(
 );
 typedef DELAYLOAD_FAILURE_SYSTEM_ROUTINE* PDELAYLOAD_FAILURE_SYSTEM_ROUTINE;
-#if (PHNT_VERSION >= PHNT_WINDOWS_10)
-// rev from QueryOptionalDelayLoadedAPI
+#if (PHNT_VERSION >= PHNT_WINDOWS_8)
+// private
 /**
 * Determines whether the specified function in a delay-loaded DLL is available on the system.
 *
- * @param ParentModuleBase A handle to the calling module. (NtCurrentImageBase)
- * @param DllName The file name of the delay-loaded DLL that exports the specified function. This parameter is case-insensitive.
- * @param ProcedureName The address of a delay-load failure callback function for the specified DLL and process.
+ * @param ImportModuleBase A handle to the calling module. (NtCurrentImageBase)
+ * @param ExportDllName The file name of the delay-loaded DLL that exports the specified function. This parameter is case-insensitive.
+ * @param ExportProcName The address of a delay-load failure callback function for the specified DLL and process.
 * @param Flags Reserved; must be 0.
 * @return NTSTATUS Successful or errant status.
 * @remarks https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi2/nf-libloaderapi2-queryoptionaldelayloadedapi
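Review bot: The renamed `@param ExportProcName` line keeps the wrong description it inherited from `ProcedureName` — "The address of a delay-load failure callback function for the specified DLL and process" describes a hook, not this `PCSTR` argument. The linked QueryOptionalDelayLoadedAPI reference documents the third argument as the name of the exported function being queried, so the line should read `* @param ExportProcName The name of the function exported by ExportDllName whose availability is being queried.`. The version gate also moves from PHNT_WINDOWS_10 to PHNT_WINDOWS_8 and the `// rev from QueryOptionalDelayLoadedAPI` provenance is replaced by a bare `// private`; nothing in the hunk substantiates the earlier availability, so keeping the provenance line (or a short note on where the Windows 8 export was verified) would help the next reader.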
@@ -1331,24 +1549,22 @@ NTSYSAPI
 NTSTATUS
 NTAPI
 LdrQueryOptionalDelayLoadedAPI(
- _In_ PVOID ParentModuleBase,
- _In_ PCSTR DllName,
- _In_ PCSTR ProcedureName,
+ _In_ PVOID ImportModuleBase,
+ _In_ PCSTR ExportDllName,
+ _In_ PCSTR ExportProcName,
 _Reserved_ ULONG Flags
 );
-#endif
-#if (PHNT_VERSION >= PHNT_WINDOWS_8)
-// rev from ResolveDelayLoadedAPI
+// private
 /**
 * Locates the target function of the specified import and replaces the function pointer in the import thunk with the target of the function implementation.
 *
- * @param ParentModuleBase The address of the base of the module importing a delay-loaded function. (NtCurrentImageBase)
+ * @param ImportModuleBase The address of the base of the module importing a delay-loaded function. (NtCurrentImageBase)
 * @param DelayloadDescriptor The address of the image delay import directory for the module to be loaded.
 * @param FailureDllHook The address of a delay-load failure callback function for the specified DLL and process.
 * @param FailureSystemHook The address of a delay-load failure callback function for the specified DLL and process.
 * @param ThunkAddress The thunk data for the target function. Used to find the specific name table entry of the function.
- * @param Flags Reserved; must be 0.
+ * @param Flags Flags for the operation.
 * @return The address of the import, or the failure stub for it.
 * @remarks https://learn.microsoft.com/en-us/windows/win32/devnotes/resolvedelayloadedapi
 */
@@ -1356,15 +1572,15 @@ NTSYSAPI
 PVOID
 NTAPI
 LdrResolveDelayLoadedAPI(
- _In_ PVOID ParentModuleBase,
+ _In_ PVOID ImportModuleBase,
 _In_ PCIMAGE_DELAYLOAD_DESCRIPTOR DelayloadDescriptor,
 _In_opt_ PDELAYLOAD_FAILURE_DLL_CALLBACK FailureDllHook,
 _In_opt_ PDELAYLOAD_FAILURE_SYSTEM_ROUTINE FailureSystemHook, // kernel32.DelayLoadFailureHook
- _Out_ PIMAGE_THUNK_DATA ThunkAddress,
- _Reserved_ ULONG Flags
+ _Inout_ PIMAGE_THUNK_DATA ThunkAddress,
+ _In_ ULONG Flags
 );
-// rev from ResolveDelayLoadsFromDll
+// private
 /**
 * Forwards the work in resolving delay-loaded imports from the parent binary to a target binary.
 *
@@ -1378,12 +1594,12 @@ NTSYSAPI
 NTSTATUS
 NTAPI
 LdrResolveDelayLoadsFromDll(
- _In_ PVOID ParentModuleBase,
- _In_ PCSTR TargetDllName,
+ _In_ PVOID ImportModuleBase,
+ _In_ PCSTR ExportDllName,
 _Reserved_ ULONG Flags
 );
-// rev from SetDefaultDllDirectories
+// private
 /**
 * Specifies a default set of directories to search when the calling process loads a DLL.
 *
@@ -1395,10 +1611,20 @@ NTSYSAPI
 NTSTATUS
 NTAPI
 LdrSetDefaultDllDirectories(
- _In_ ULONG DirectoryFlags
+ _In_ ULONG DirectoryFlags // LOAD_LIBRARY_SEARCH_*
 );
+#endif // (PHNT_VERSION >= PHNT_WINDOWS_8)
-// rev from AddDllDirectory
+// private
+typedef struct _RTLP_DLL_DIRECTORY
+{
+ LIST_ENTRY Link;
+ USHORT Length;
+ _Field_size_bytes_(Length) WCHAR Path[ANYSIZE_ARRAY];
+} RTLP_DLL_DIRECTORY, *PRTLP_DLL_DIRECTORY;
+
+#if (PHNT_VERSION >= PHNT_WINDOWS_8)
+// private
 /**
 * Adds a directory to the process DLL search path.
 *
@@ -1412,10 +1638,10 @@ NTSTATUS
 NTAPI
 LdrAddDllDirectory(
 _In_ PCUNICODE_STRING NewDirectory,
- _Out_ PDLL_DIRECTORY_COOKIE Cookie
+ _Out_ PRTLP_DLL_DIRECTORY* Cookie
 );
-// rev from RemoveDllDirectory
+// private
 /**
 * Removes a directory that was added to the process DLL search path by using LdrAddDllDirectory.
 *
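Review bot: `LdrAddDllDirectory` now returns the cookie as `PRTLP_DLL_DIRECTORY*` instead of the public opaque `PDLL_DIRECTORY_COOKIE`, which exposes a private loader structure (`Link`, `Length`, flexible `Path`) that callers can start dereferencing and whose layout this header cannot guarantee across builds. Any caller that stores the result in a `DLL_DIRECTORY_COOKIE` from the Win32 API, or passes one obtained from `AddDllDirectory`, now needs a cast or fails to compile, so this is a source-incompatible change worth a line in the description. I would keep the opaque type in the prototype and document the relationship in a comment, e.g. `_Out_ PDLL_DIRECTORY_COOKIE Cookie // rev: points to RTLP_DLL_DIRECTORY`, leaving the struct for readers who need it. The `_Field_size_bytes_(Length)` on `Path` asserts `Length` is a byte count; confirm it is not a character count, since a mismatch would mislead anyone walking the list. The doc block that this hunk opens for `LdrRemoveDllDirectory` continues outside the hunk.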
@@ -1427,11 +1653,11 @@ NTSYSAPI
 NTSTATUS
 NTAPI
 LdrRemoveDllDirectory(
- _In_ DLL_DIRECTORY_COOKIE Cookie
+ _In_ PRTLP_DLL_DIRECTORY Cookie
 );
-#endif
+#endif // (PHNT_VERSION >= PHNT_WINDOWS_8)
-// rev
+// private
 _Analysis_noreturn_
 DECLSPEC_NORETURN
 NTSYSAPI
@@ -1441,7 +1667,7 @@ LdrShutdownProcess(
 VOID
 );
-// rev
+// private
 _Analysis_noreturn_
 DECLSPEC_NORETURN
 NTSYSAPI
@@ -1452,12 +1678,13 @@ LdrShutdownThread(
 );
 #if (PHNT_VERSION >= PHNT_WINDOWS_8_1)
-// rev
+// private
 NTSYSAPI
 NTSTATUS
 NTAPI
 LdrSetImplicitPathOptions(
- _In_ ULONG ImplicitPathOptions
+ _In_ PVOID ModuleBase,
+ _In_ ULONG SearchOptions
 );
 #endif
@@ -1476,7 +1703,7 @@ LdrControlFlowGuardEnforced(
 );
 #endif
-#if (PHNT_VERSION >= PHNT_WINDOWS_10_19H1)
+#if (PHNT_VERSION >= PHNT_WINDOWS_10_RS5)
 // rev
 NTSYSAPI
 BOOLEAN
@@ -1486,7 +1713,7 @@ LdrIsModuleSxsRedirected(
 );
 #endif
-#if (PHNT_VERSION >= PHNT_WINDOWS_10)
+#if (PHNT_VERSION >= PHNT_WINDOWS_10_RS2)
 // rev
 NTSYSAPI
 NTSTATUS
@@ -1518,7 +1745,7 @@ typedef struct _LDR_SOFTWARE_ENCLAVE
 PLDR_DATA_TABLE_ENTRY BCryptPrimitivesModule;
 } LDR_SOFTWARE_ENCLAVE, *PLDR_SOFTWARE_ENCLAVE;
-#if (PHNT_VERSION >= PHNT_WINDOWS_10)
+#if (PHNT_VERSION >= PHNT_WINDOWS_10_RS3)
 // rev from CreateEnclave
 /**
@@ -1629,8 +1856,10 @@ LdrLoadEnclaveModule(
 _In_ PCUNICODE_STRING DllName
 );
-#endif // (PHNT_VERSION >= PHNT_WINDOWS_10)
+#endif // (PHNT_VERSION >= PHNT_WINDOWS_10_RS3)
+#if (PHNT_VERSION >= PHNT_WINDOWS_10)
+// private
 /**
 * This function forcefully terminates the calling program if it is invoked inside a loader callout. Otherwise, it has no effect.
 *
@@ -1645,7 +1874,9 @@ NTAPI
 LdrFastFailInLoaderCallout(
 VOID
 );
+#endif
+// private
 NTSYSAPI
 BOOLEAN
 NTAPI
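Review bot: `LdrSetImplicitPathOptions` gains a leading `_In_ PVOID ModuleBase` and renames its flags to `SearchOptions`, but neither new line says which values are accepted, while the same commit annotates `LdrSetDefaultDllDirectories` with `// LOAD_LIBRARY_SEARCH_*`. If the options are the same family, add the same trailing comment, `_In_ ULONG SearchOptions // LOAD_LIBRARY_SEARCH_*`, and a short doc block stating that the options apply to the given module rather than to the process; if they are a different set, say so, since I cannot tell from the hunk. Existing single-argument callers break at compile time, which is the right outcome for a changed contract but still worth noting in the description. The `LdrFastFailInLoaderCallout` hunk at the end of this line closes its new `#if (PHNT_VERSION >= PHNT_WINDOWS_10)` with a bare `+#endif`; the other gates in this commit carry the condition as a comment, so `#endif // (PHNT_VERSION >= PHNT_WINDOWS_10)` would keep the file uniform.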
@@ -1653,40 +1884,71 @@ LdrFlushAlternateResourceModules(
 VOID
 );
-// rev
-NTSYSAPI
-NTSTATUS
-NTAPI
-LdrDllRedirectionCallback(
- _In_ ULONG Flags,
- _In_ PCWSTR DllName,
- _In_opt_ PCWSTR DllPath,
- _Inout_opt_ PULONG DllCharacteristics,
- _In_ PVOID CallbackData,
- _Out_ PCWSTR *EffectiveDllPath
+// private
+typedef _Function_class_(LDR_MANIFEST_PROBER_ROUTINE)
+NTSTATUS NTAPI LDR_MANIFEST_PROBER_ROUTINE(
+ _In_ PVOID DllHandle,
+ _In_ PCWSTR FullDllName,
+ _Out_ PACTIVATION_CONTEXT* ActCtx
+);
+typedef LDR_MANIFEST_PROBER_ROUTINE* PLDR_MANIFEST_PROBER_ROUTINE;
+
+// private
+typedef _Function_class_(LDR_CREATE_ACT_CTX_LANGUAGE)
+NTSTATUS NTAPI LDR_CREATE_ACT_CTX_LANGUAGE(
+ _In_ PACTIVATION_CONTEXT ActCtxIn,
+ _In_ LANGID LangId,
+ _Out_ PACTIVATION_CONTEXT* ActCtxOut
 );
+typedef LDR_CREATE_ACT_CTX_LANGUAGE* PLDR_CREATE_ACT_CTX_LANGUAGE;
-// rev
+// private
+typedef _Function_class_(LDR_RELEASE_ACT_CTX)
+NTSTATUS NTAPI LDR_RELEASE_ACT_CTX(
+ _In_ PACTIVATION_CONTEXT ActCtx
+ );
+typedef LDR_RELEASE_ACT_CTX* PLDR_RELEASE_ACT_CTX;
+
+// private
 NTSYSAPI
 VOID
 NTAPI
 LdrSetDllManifestProber(
- _In_ PVOID Routine
+ _In_ PLDR_MANIFEST_PROBER_ROUTINE ManifestProberRoutine,
+ _In_ PLDR_CREATE_ACT_CTX_LANGUAGE CreateActCtxLanguage,
+ _In_ PLDR_RELEASE_ACT_CTX ReleaseActCtx
 );
 #if (PHNT_VERSION >= PHNT_WINDOWS_10)
+// private
 NTSYSAPI BOOLEAN LdrpChildNtdll; // DATA export
 #endif
 // rev
+#define LDR_GET_MAPPING_SIZE_VALIDATE_ONLY 0x20000 // Check if the provided size is larger than the real mapping size
+
+#if (PHNT_VERSION >= PHNT_WINDOWS_7)
+// private
 NTSYSAPI
 VOID
 NTAPI
 LdrpResGetMappingSize(
- _In_ PVOID BaseAddress,
- _Out_ PSIZE_T Size,
- _In_ ULONG Flags,
- _In_ BOOLEAN GetFileSizeFromLoadAsDataTable
+ _In_ PVOID ModuleBase,
+ _When_(Flags & LDR_GET_MAPPING_SIZE_VALIDATE_ONLY, _In_)
+ _When_(!(Flags & LDR_GET_MAPPING_SIZE_VALIDATE_ONLY), _Out_)
+ PSIZE_T MappingSize,
+ _In_ ULONG Flags, // LDR_GET_MAPPING_SIZE_*
+ _In_ BOOLEAN IsMUI
+ );
+#endif
+
+// private
+NTSYSAPI
+NTSTATUS
+NTAPI
+LdrInitShimEngineDynamic(
+ _In_ PVOID ShimEngineModule,
+ _In_ PCUNICODE_STRING ShimDllList
 );
 #endif // (PHNT_MODE != PHNT_MODE_KERNEL)
diff --git a/phnt/include/ntrtl.h b/phnt/include/ntrtl.h
index f5bcda2b7ac0..ffb67411dbac 100644
--- a/phnt/include/ntrtl.h
+++ b/phnt/include/ntrtl.h
@@ -9434,12 +9434,13 @@ RtlUserThreadStart(
 _In_ PVOID Parameter
 );
+// private
 NTSYSAPI
 VOID
 NTAPI
 LdrInitializeThunk(
 _In_ PCONTEXT ContextRecord,
- _In_ PVOID Parameter
+ _In_ PVOID NtdllBaseAddress
 );
 //
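Review bot: In the new `LDR_MANIFEST_PROBER_ROUTINE` typedef the closing `+);` sits at column 0, while the sibling `LDR_CREATE_ACT_CTX_LANGUAGE` and `LDR_RELEASE_ACT_CTX` typedefs and the rest of the file indent it; indent it to match. `LdrpResGetMappingSize` returns VOID and, when `LDR_GET_MAPPING_SIZE_VALIDATE_ONLY` is set, takes `MappingSize` as `_In_`, so the declaration offers callers no channel for the outcome of the "check if the provided size is larger than the real mapping size" that the define's comment advertises; presumably the loader raises or fails fast on a mismatch, and the comment should say how the result surfaces once that is confirmed against the implementation. `LdrSetDllManifestProber` goes from a single `PVOID Routine` to three typed callbacks, which is the right direction for a function that installs code the loader will call, but every existing caller passing one routine now breaks, so say so in the description. The new `LdrInitShimEngineDynamic` is declared with only `// private` and no version gate or doc line; a one-line comment on what `ShimDllList` holds (a list of shim DLL names, by the parameter name, but the separator is not visible here) would stop readers guessing.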