#ifndef _NT_MEMORY_H_
#define _NT_MEMORY_H_
#include "nt_abi.h"
#include "nt_object.h"
/*
 * Information classes passed as mem_info_class to
 * ntapi_zw_query_virtual_memory. The numeric values are spelled out
 * because they are handed to the system as-is; the record each class
 * yields is presumably the like-named structure in this header
 * (nt_memory_basic_information, nt_memory_working_set_list,
 * nt_memory_section_name) -- confirm before relying on it.
 */
typedef enum _nt_memory_info_class {
	NT_MEMORY_BASIC_INFORMATION     = 0,
	NT_MEMORY_WORKING_SET_LIST      = 1,
	NT_MEMORY_SECTION_NAME          = 2,
	NT_MEMORY_BASIC_VLM_INFORMATION = 3
} nt_memory_info_class;
/*
 * Allocation granularity in bytes (0x10000 = 64 KiB); the same value
 * on all supported systems.
 */
#define NT_ALLOCATION_GRANULARITY	(0x00010000)
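/*
 * memory (de)allocation types
 *
 * The trailing note on each macro states its role. The last four
 * (NT_MEM_FREE, NT_MEM_IMAGE, NT_MEM_MAPPED, NT_MEM_PRIVATE) are values
 * reported in nt_memory_basic_information, not request flags.
 * NT_MEM_RESET_UNDO and NT_MEM_IMAGE share the value 0x01000000, so the
 * two can only be told apart by where the value appears.
 *
 * NT_MEM_RESET_UNDO previously carried a stray AVOID token in its
 * replacement list, which made every use of the macro a compile error;
 * the word now lives in the comment, where it was presumably meant to be.
 */
#define NT_MEM_PAGE_GUARD	(0x00000100)	/* protect */
#define NT_MEM_COMMIT		(0x00001000)	/* commit */
#define NT_MEM_RESERVE		(0x00002000)	/* reserve only */
#define NT_MEM_DECOMMIT		(0x00004000)	/* decommit but maintain reservation */
#define NT_MEM_RELEASE		(0x00008000)	/* decommit and cancel reservation */
#define NT_MEM_RESET		(0x00080000)	/* make obsolete */
#define NT_MEM_TOP_DOWN		(0x00100000)	/* allocate at highest possible address using a slow and possibly buggy algorithm */
#define NT_MEM_WRITE_WATCH	(0x00200000)	/* track writes */
#define NT_MEM_PHYSICAL		(0x00400000)	/* physical view */
#define NT_MEM_RESET_UNDO	(0x01000000)	/* AVOID; only after a successful NT_MEM_RESET */
#define NT_MEM_LARGE_PAGES	(0x20000000)	/* use large-page support */
#define NT_MEM_FREE		(0x00010000)	/* informational only: nt_memory_basic_information.state */
#define NT_MEM_IMAGE		(0x01000000)	/* informational only: nt_memory_basic_information.type */
#define NT_MEM_MAPPED		(0x00040000)	/* informational only: nt_memory_basic_information.type */
#define NT_MEM_PRIVATE		(0x00020000)	/* informational only: nt_memory_basic_information.type */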
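/*
 * memory page access bits
 *
 * Each expansion is wrapped in parentheses so that the cast cannot be
 * split from its operand by the surrounding expression (for example,
 * `sizeof NT_PAGE_NOACCESS` did not compile with the bare cast).
 *
 * NT_PAGE_EXECUTE_READWRITE and NT_PAGE_EXECUTE_WRITECOPY describe pages
 * that are writable and executable at the same time; code that needs to
 * generate executable memory should normally write under
 * NT_PAGE_READWRITE and then switch to NT_PAGE_EXECUTE_READ, and any
 * request for the combined values deserves a second look in review.
 */
#define NT_PAGE_NOACCESS		((uint32_t)0x01)
#define NT_PAGE_READONLY		((uint32_t)0x02)
#define NT_PAGE_READWRITE		((uint32_t)0x04)
#define NT_PAGE_WRITECOPY		((uint32_t)0x08)
#define NT_PAGE_EXECUTE			((uint32_t)0x10)
#define NT_PAGE_EXECUTE_READ		((uint32_t)0x20)
#define NT_PAGE_EXECUTE_READWRITE	((uint32_t)0x40)
#define NT_PAGE_EXECUTE_WRITECOPY	((uint32_t)0x80)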
/*
 * working set list entries: basic attributes
 *
 * These are the consecutive values 0 through 7, i.e. one three-bit
 * field rather than independent flags (NT_WSLE_PAGE_EXECUTE_READ is 3,
 * not a separate bit).
 */
#define NT_WSLE_PAGE_NOT_ACCESSED	(0x0000)
#define NT_WSLE_PAGE_READONLY		(0x0001)
#define NT_WSLE_PAGE_EXECUTE		(0x0002)
#define NT_WSLE_PAGE_EXECUTE_READ	(0x0003)
#define NT_WSLE_PAGE_READWRITE		(0x0004)
#define NT_WSLE_PAGE_WRITECOPY		(0x0005)
#define NT_WSLE_PAGE_EXECUTE_READWRITE	(0x0006)
#define NT_WSLE_PAGE_EXECUTE_WRITECOPY	(0x0007)

/*
 * working set list entries: extended attributes
 *
 * Single bits above the basic field, plus a three-bit share-count mask
 * (0x00E0 covers bits 5 to 7).
 */
#define NT_WSLE_PAGE_NO_CACHE		(0x0008)
#define NT_WSLE_PAGE_GUARD_PAGE		(0x0010)
#define NT_WSLE_PAGE_SHARE_COUNT_MASK	(0x00E0)
#define NT_WSLE_PAGE_SHAREABLE		(0x0100)
/* values for the lock_type argument of ntapi_zw_lock_virtual_memory */
#define NT_LOCK_VM_IN_WSL	(0x0001)
#define NT_LOCK_VM_IN_RAM	(0x0002)
/*
 * Description of one region of virtual memory; presumably the record
 * written for the NT_MEMORY_BASIC_INFORMATION query class (confirm).
 * Member order and types define the binary layout shared with the
 * system, so members must not be reordered or resized.
 */
typedef struct _nt_memory_basic_information {
void * base_address;
void * allocation_base;
uint32_t allocation_protect; /* presumably the NT_PAGE_* bits requested at allocation time; confirm */
size_t region_size;
uint32_t state; /* NT_MEM_FREE is noted in this header as a value of this field */
uint32_t protect; /* presumably the current NT_PAGE_* bits of the region; confirm */
uint32_t type; /* NT_MEM_IMAGE, NT_MEM_MAPPED or NT_MEM_PRIVATE, per the notes on those macros */
} nt_memory_basic_information;
/*
 * Variable-length working set listing: a count followed by a flexible
 * array of entries. sizeof() covers only the count, so the caller must
 * size the buffer for the entries itself.
 * NOTE(review): number_of_pages presumably gives the number of valid
 * entries; a consumer should check it against the length of the buffer
 * it supplied before indexing the array.
 */
typedef struct _nt_memory_working_set_list {
uintptr_t number_of_pages;
uintptr_t nt_working_set_list_entry[]; /* presumably encoded with the NT_WSLE_PAGE_* values; confirm */
} nt_memory_working_set_list;
/*
 * Section name record: a string descriptor followed in the same buffer
 * by a flexible array of 16-bit characters. Also available under the
 * shorter alias nt_mem_sec_name.
 * NOTE(review): section_name presumably points into section_name_buffer
 * and the text is not necessarily NUL-terminated; use the length stored
 * in the descriptor rather than scanning for a terminator -- confirm.
 */
typedef struct _nt_memory_section_name {
nt_unicode_string section_name;
wchar16_t section_name_buffer[];
} nt_memory_section_name, nt_mem_sec_name;
/*
 * Function type for the allocate-virtual-memory service (by its name,
 * the native ZwAllocateVirtualMemory; confirm).
 * base_address and allocation_size are annotated __in_out: the caller
 * passes a request through them and must read the values back after
 * the call. allocation_type presumably takes NT_MEM_* flags and protect
 * the NT_PAGE_* bits defined in this header.
 * The int32_t result is presumably an NT status code; check it before
 * touching *base_address. Requests for NT_PAGE_EXECUTE_READWRITE yield
 * memory that is writable and executable at once and are worth
 * auditing.
 */
typedef int32_t __stdcall ntapi_zw_allocate_virtual_memory(
__in void * hprocess,
__in_out void ** base_address,
__in uint32_t zero_bits,
__in_out size_t * allocation_size,
__in uint32_t allocation_type,
__in uint32_t protect);
/*
 * Function type for the free-virtual-memory service (by its name, the
 * native ZwFreeVirtualMemory; confirm).
 * base_address and free_size are annotated __in_out. deallocation_type
 * presumably takes NT_MEM_DECOMMIT or NT_MEM_RELEASE, the two macros
 * this header describes as decommitting.
 * After a successful release the caller should drop every pointer into
 * the region so that it cannot be used after it has been freed.
 */
typedef int32_t __stdcall ntapi_zw_free_virtual_memory(
__in void * hprocess,
__in_out void ** base_address,
__in_out size_t * free_size,
__in uint32_t deallocation_type);
/*
 * Function type for the query-virtual-memory service (by its name, the
 * native ZwQueryVirtualMemory; confirm).
 * mem_info_class selects the record kind and mem_info receives it.
 * mem_info_length must be the real size in bytes of the buffer behind
 * mem_info; for the variable-length records in this header that
 * includes the trailing array. returned_length is marked __optional.
 */
typedef int32_t __stdcall ntapi_zw_query_virtual_memory(
__in void * hprocess,
__in void * base_address,
__in nt_memory_info_class mem_info_class,
__out void * mem_info,
__in size_t mem_info_length,
__out size_t * returned_length __optional);
/*
 * Function type for the protect-virtual-memory service (by its name,
 * the native ZwProtectVirtualMemory; confirm).
 * protect_type_new presumably takes NT_PAGE_* bits and the previous
 * protection is written to protect_type_old.
 * NOTE(review): base_address and protect_size are passed by pointer but
 * annotated __in here, whereas the sibling allocate/free/lock types
 * mark the same pair __in_out; presumably the call updates them too --
 * confirm and treat them as modified after the call.
 * A transition to a writable-and-executable protection is worth
 * auditing wherever this type is used.
 */
typedef int32_t __stdcall ntapi_zw_protect_virtual_memory(
__in void * hprocess,
__in void ** base_address,
__in size_t * protect_size,
__in uint32_t protect_type_new,
__out uint32_t * protect_type_old);
/*
 * Function type for the read-virtual-memory service (by its name, the
 * native ZwReadVirtualMemory; confirm).
 * Data is delivered into buffer; buffer_length must not exceed the
 * storage actually behind buffer.
 * NOTE(review): the count parameter is named bytes_written although
 * this is the read direction; presumably it reports the number of bytes
 * copied into buffer. Callers should use that count, not
 * buffer_length, when consuming the data.
 */
typedef int32_t __stdcall ntapi_zw_read_virtual_memory(
__in void * hprocess,
__in void * base_address,
__out char * buffer,
__in size_t buffer_length,
__out size_t * bytes_written);
/*
 * Function type for the write-virtual-memory service (by its name, the
 * native ZwWriteVirtualMemory; confirm).
 * buffer is annotated __in but is not const-qualified, so constant data
 * needs a cast at the call site. bytes_written receives a count,
 * presumably the number of bytes actually stored; compare it with
 * buffer_length to detect a short write.
 * hprocess presumably may name a process other than the caller's;
 * writes into another process are a sensitive operation and worth
 * logging where this type is used.
 */
typedef int32_t __stdcall ntapi_zw_write_virtual_memory(
__in void * hprocess,
__in void * base_address,
__in char * buffer,
__in size_t buffer_length,
__out size_t * bytes_written);
/*
 * Function type for the lock-virtual-memory service (by its name, the
 * native ZwLockVirtualMemory; confirm).
 * base_address and lock_size are annotated __in_out; lock_type takes
 * the NT_LOCK_VM_* values defined in this header.
 */
typedef int32_t __stdcall ntapi_zw_lock_virtual_memory(
__in void * hprocess,
__in_out void ** base_address,
__in_out size_t * lock_size,
__in uint32_t lock_type);
/*
 * Function type for the unlock-virtual-memory service (by its name, the
 * native ZwUnlockVirtualMemory; confirm). Same parameter list as
 * ntapi_zw_lock_virtual_memory; lock_type presumably takes the same
 * NT_LOCK_VM_* values.
 */
typedef int32_t __stdcall ntapi_zw_unlock_virtual_memory(
__in void * hprocess,
__in_out void ** base_address,
__in_out size_t * lock_size,
__in uint32_t lock_type);
/*
 * Function type for the flush-virtual-memory service (by its name, the
 * native ZwFlushVirtualMemory; confirm).
 * base_address and flush_size are annotated __in_out.
 * NOTE(review): the last parameter is named flush_type and annotated
 * __in, but its type is a pointer to nt_io_status_block, which looks
 * like a result record rather than a mode selector -- confirm the
 * intended name and direction.
 */
typedef int32_t __stdcall ntapi_zw_flush_virtual_memory(
__in void * hprocess,
__in_out void ** base_address,
__in_out size_t * flush_size,
__in nt_io_status_block * flush_type);
/*
 * Function type for the allocate-user-physical-pages service (by its
 * name, the native ZwAllocateUserPhysicalPages; confirm).
 * number_of_pages is annotated __in_out and arr_page_frame_numbers is
 * an output array; presumably the array must hold at least the
 * requested number of entries and the count is updated to what was
 * granted -- confirm, and size the array from the value passed in.
 */
typedef int32_t __stdcall ntapi_zw_allocate_user_physical_pages(
__in void * hprocess,
__in_out uintptr_t * number_of_pages,
__out uintptr_t * arr_page_frame_numbers);
/*
 * Function type for the free-user-physical-pages service (by its name,
 * the native ZwFreeUserPhysicalPages; confirm).
 * arr_page_frame_numbers is an input array here; number_of_pages is
 * annotated __in_out, so read it back after the call.
 */
typedef int32_t __stdcall ntapi_zw_free_user_physical_pages(
__in void * hprocess,
__in_out uintptr_t * number_of_pages,
__in uintptr_t * arr_page_frame_numbers);
/*
 * Function type for the map-user-physical-pages service (by its name,
 * the native ZwMapUserPhysicalPages; confirm).
 * Unlike the allocate/free types above it takes no process handle: the
 * first parameter is the base address itself.
 */
typedef int32_t __stdcall ntapi_zw_map_user_physical_pages(
__in void * base_address,
__in_out uintptr_t * number_of_pages,
__in uintptr_t * arr_page_frame_numbers);
/*
 * Function type for the scatter variant of map-user-physical-pages (by
 * its name, the native ZwMapUserPhysicalPagesScatter; confirm).
 * Takes an array of virtual addresses instead of a single base address.
 * NOTE(review): the third parameter is named arr_page_options here but
 * arr_page_frame_numbers in the non-scatter type; confirm what the
 * entries mean before filling the array.
 */
typedef int32_t __stdcall ntapi_zw_map_user_physical_pages_scatter(
__in void ** virtual_addresses,
__in_out uintptr_t * number_of_pages,
__in uintptr_t * arr_page_options);
/*
 * Function type for the get-write-watch service (by its name, the
 * native ZwGetWriteWatch; confirm); presumably meaningful only for
 * regions allocated with NT_MEM_WRITE_WATCH ("track writes").
 * buffer is an output array and buffer_entries is annotated __in_out:
 * presumably the capacity on entry and the number of entries filled on
 * return, so iterate over the returned count only.
 * NOTE(review): this type returns uint32_t while the other service
 * types in this header return int32_t; confirm how failure is tested.
 */
typedef uint32_t __stdcall ntapi_zw_get_write_watch(
__in void * hprocess,
__in uint32_t flags,
__in void * base_address,
__in size_t region_size,
__out uintptr_t * buffer,
__in_out uintptr_t * buffer_entries,
__out uintptr_t * granularity);
/*
 * Function type for the reset-write-watch service (by its name, the
 * native ZwResetWriteWatch; confirm).
 * NOTE(review): returns uint32_t, like ntapi_zw_get_write_watch and
 * unlike the int32_t service types in this header.
 */
typedef uint32_t __stdcall ntapi_zw_reset_write_watch(
__in void * hprocess,
__in void * base_address,
__in size_t region_size);
#endif