include/ntapi/nt_memory.h


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199

#ifndef _NT_MEMORY_H_
#define _NT_MEMORY_H_

#include "nt_abi.h"
#include "nt_object.h"

typedef enum _nt_memory_info_class {
	NT_MEMORY_BASIC_INFORMATION,
	NT_MEMORY_WORKING_SET_LIST,
	NT_MEMORY_SECTION_NAME,
	NT_MEMORY_BASIC_VLM_INFORMATION
} nt_memory_info_class;

/* memory allocation granularity: same on all supported systems */
#define NT_ALLOCATION_GRANULARITY	(0x10000)

/* memory (de)allocation types */
#define NT_MEM_PAGE_GUARD       	0x00000100 /* protect */
#define NT_MEM_COMMIT			0x00001000 /* commit */
#define NT_MEM_RESERVE			0x00002000 /* reserve only */
#define NT_MEM_DECOMMIT			0x00004000 /* decommit but maintain reservavion */
#define NT_MEM_RELEASE			0x00008000 /* decommit and cancel reservation */
#define NT_MEM_RESET			0x00080000 /* make obsolete */
#define NT_MEM_TOP_DOWN			0x00100000 /* allocate at highest possible address using a slow and possibly buggy algorithm */
#define NT_MEM_WRITE_WATCH		0x00200000 /* track writes */
#define NT_MEM_PHYSICAL			0x00400000 /* physical view */
#define NT_MEM_RESET_UNDO AVOID		0x01000000 /* only after a successful NT_MEM_RESET */
#define NT_MEM_LARGE_PAGES		0x20000000 /* use large-page support */
#define NT_MEM_FREE			0x00010000 /* informational only: nt_memory_basic_information.state */
#define NT_MEM_IMAGE			0x01000000 /* informational only: nt_memory_basic_information.type */
#define NT_MEM_MAPPED			0x00040000 /* informational only: nt_memory_basic_information.type */
#define NT_MEM_PRIVATE			0x00020000 /* informational only: nt_memory_basic_information.type */


/* memory page access bits */
#define NT_PAGE_NOACCESS		(uint32_t)0x01
#define NT_PAGE_READONLY		(uint32_t)0x02
#define NT_PAGE_READWRITE		(uint32_t)0x04
#define NT_PAGE_WRITECOPY		(uint32_t)0x08
#define NT_PAGE_EXECUTE			(uint32_t)0x10
#define NT_PAGE_EXECUTE_READ		(uint32_t)0x20
#define NT_PAGE_EXECUTE_READWRITE	(uint32_t)0x40
#define NT_PAGE_EXECUTE_WRITECOPY	(uint32_t)0x80


/* working set list entries: basic attributes */
#define NT_WSLE_PAGE_NOT_ACCESSED		0x0000
#define NT_WSLE_PAGE_READONLY			0x0001
#define NT_WSLE_PAGE_EXECUTE			0x0002
#define NT_WSLE_PAGE_EXECUTE_READ		0x0003
#define NT_WSLE_PAGE_READWRITE			0x0004
#define NT_WSLE_PAGE_WRITECOPY			0x0005
#define NT_WSLE_PAGE_EXECUTE_READWRITE		0x0006
#define NT_WSLE_PAGE_EXECUTE_WRITECOPY		0x0007

/* working set list entries: extended attributes */
#define NT_WSLE_PAGE_NO_CACHE			0x0008
#define NT_WSLE_PAGE_GUARD_PAGE			0x0010
#define NT_WSLE_PAGE_SHARE_COUNT_MASK		0x00E0
#define NT_WSLE_PAGE_SHAREABLE			0x0100

/* ntapi_zw_lock_virtual_memory lock types */
#define NT_LOCK_VM_IN_WSL			0x0001
#define NT_LOCK_VM_IN_RAM			0x0002


typedef struct _nt_memory_basic_information {
	void *		base_address;
	void *		allocation_base;
	uint32_t	allocation_protect;
	size_t		region_size;
	uint32_t	state;
	uint32_t	protect;
	uint32_t	type;
} nt_memory_basic_information;


typedef struct _nt_memory_working_set_list {
	uintptr_t	number_of_pages;
	uintptr_t	nt_working_set_list_entry[];
} nt_memory_working_set_list;


typedef struct _nt_memory_section_name {
	nt_unicode_string	section_name;
	wchar16_t		section_name_buffer[];
} nt_memory_section_name, nt_mem_sec_name;


typedef int32_t __stdcall ntapi_zw_allocate_virtual_memory(
	__in		void *		hprocess,
	__in_out	void **		base_address,
	__in		uint32_t	zero_bits,
	__in_out	size_t *	allocation_size,
	__in		uint32_t	allocation_type,
	__in		uint32_t	protect);


typedef int32_t __stdcall ntapi_zw_free_virtual_memory(
	__in		void *		hprocess,
	__in_out	void **		base_address,
	__in_out	size_t *	free_size,
	__in		uint32_t	deallocation_type);


typedef int32_t __stdcall ntapi_zw_query_virtual_memory(
	__in	void *			hprocess,
	__in	void *			base_address,
	__in	nt_memory_info_class	mem_info_class,
	__out	void *			mem_info,
	__in	size_t			mem_info_length,
	__out	size_t *		returned_length	__optional);


typedef int32_t __stdcall ntapi_zw_protect_virtual_memory(
	__in	void *		hprocess,
	__in	void **		base_address,
	__in	size_t *	protect_size,
	__in	uint32_t	protect_type_new,
	__out	uint32_t *	protect_type_old);


typedef int32_t __stdcall ntapi_zw_read_virtual_memory(
	__in	void *		hprocess,
	__in	void *		base_address,
	__out	char *		buffer,
	__in	size_t		buffer_length,
	__out	size_t *	bytes_written);


typedef int32_t __stdcall ntapi_zw_write_virtual_memory(
	__in	void *		hprocess,
	__in	void *		base_address,
	__in	char *		buffer,
	__in	size_t		buffer_length,
	__out	size_t *	bytes_written);


typedef int32_t __stdcall ntapi_zw_lock_virtual_memory(
	__in		void *		hprocess,
	__in_out	void **		base_address,
	__in_out	size_t *	lock_size,
	__in		uint32_t	lock_type);


typedef int32_t __stdcall ntapi_zw_unlock_virtual_memory(
	__in		void *		hprocess,
	__in_out	void **		base_address,
	__in_out	size_t *	lock_size,
	__in		uint32_t	lock_type);


typedef int32_t __stdcall ntapi_zw_flush_virtual_memory(
	__in		void *			hprocess,
	__in_out	void **			base_address,
	__in_out	size_t *		flush_size,
	__in		nt_io_status_block *	flush_type);


typedef int32_t __stdcall ntapi_zw_allocate_user_physical_pages(
	__in		void *		hprocess,
	__in_out	uintptr_t *	number_of_pages,
	__out		uintptr_t *	arr_page_frame_numbers);


typedef int32_t __stdcall ntapi_zw_free_user_physical_pages(
	__in		void *		hprocess,
	__in_out	uintptr_t *	number_of_pages,
	__in		uintptr_t *	arr_page_frame_numbers);


typedef int32_t __stdcall ntapi_zw_map_user_physical_pages(
	__in		void *		base_address,
	__in_out	uintptr_t *	number_of_pages,
	__in		uintptr_t *	arr_page_frame_numbers);


typedef int32_t __stdcall ntapi_zw_map_user_physical_pages_scatter(
	__in		void **		virtual_addresses,
	__in_out	uintptr_t *	number_of_pages,
	__in		uintptr_t *	arr_page_options);


typedef uint32_t __stdcall ntapi_zw_get_write_watch(
	__in		void *		hprocess,
	__in		uint32_t	flags,
	__in		void *		base_address,
	__in		size_t		region_size,
	__out		uintptr_t *	buffer,
	__in_out	uintptr_t *	buffer_entries,
	__out		uintptr_t *	granularity);


typedef uint32_t __stdcall ntapi_zw_reset_write_watch(
	__in		void *		hprocess,
	__in		void *		base_address,
	__in		size_t		region_size);

#endif