using System; using System.IO; using System.Runtime.InteropServices; using static Vanara.PInvoke.Kernel32; namespace Vanara.PInvoke { public static partial class NtDll { ///

Callback routine to commit pages from the heap.

/// Base address for the block of caller-allocated memory being used for the heap. /// Pointer to a variable that will receive the base address of the committed region of pages. /// Pointer to a variable that will receive the actual size, in bytes, of the allocated region of pages. /// Result of commit. [UnmanagedFunctionPointer(CallingConvention.Winapi, SetLastError = false)] public delegate NTStatus PRTL_HEAP_COMMIT_ROUTINE([In] IntPtr Base, ref IntPtr CommitAddress, ref SizeT CommitSize); ///

Specifies the options to apply when the driver creates or opens the file.

[PInvokeData("ntifs.h", MSDNShortId = "c40b99be-5627-44f3-9853-c3ae31a8035c")] public enum NtFileCreateOptions { ///

/// The file is a directory. Compatible CreateOptions flags are FILE_SYNCHRONOUS_IO_ALERT, FILE_SYNCHRONOUS_IO_NONALERT, /// FILE_WRITE_THROUGH, FILE_OPEN_FOR_BACKUP_INTENT, and FILE_OPEN_BY_FILE_ID. The CreateDisposition parameter must be set to /// FILE_CREATE, FILE_OPEN, or FILE_OPEN_IF. ///

FILE_DIRECTORY_FILE = 0x00000001, ///

/// System services, file-system drivers, and drivers that write data to the file must actually transfer the data to the file /// before any requested write operation is considered complete. ///

FILE_WRITE_THROUGH = 0x00000002, ///

/// All access to the file will be sequential. ///

FILE_SEQUENTIAL_ONLY = 0x00000004, ///

/// The file cannot be cached or buffered in a driver's internal buffers. This flag is incompatible with the DesiredAccess /// parameter's FILE_APPEND_DATA flag. ///

FILE_NO_INTERMEDIATE_BUFFERING = 0x00000008, ///

/// All operations on the file are performed synchronously. Any wait on behalf of the caller is subject to premature termination /// from alerts. This flag also causes the I/O system to maintain the file-position pointer. If this flag is set, the /// SYNCHRONIZE flag must be set in the DesiredAccess parameter. ///

FILE_SYNCHRONOUS_IO_ALERT = 0x00000010, ///

/// All operations on the file are performed synchronously. Waits in the system that synchronize I/O queuing and completion are /// not subject to alerts. This flag also causes the I/O system to maintain the file-position context. If this flag is set, the /// SYNCHRONIZE flag must be set in the DesiredAccess parameter. ///

FILE_SYNCHRONOUS_IO_NONALERT = 0x00000020, ///

/// The file is a directory. The file object to open can represent a data file; a logical, virtual, or physical device; or a volume. ///

FILE_NON_DIRECTORY_FILE = 0x00000040, ///

/// Create a tree connection for this file in order to open it over the network. This flag is not used by device and /// intermediate drivers. ///

FILE_CREATE_TREE_CONNECTION = 0x00000080, ///

/// Complete this operation immediately with an alternate success code of STATUS_OPLOCK_BREAK_IN_PROGRESS if the target file is /// oplocked, rather than blocking the caller's thread. If the file is oplocked, another caller already has access to the file. /// This flag is not used by device and intermediate drivers. ///

FILE_COMPLETE_IF_OPLOCKED = 0x00000100, ///

/// If the extended attributes (EAs) for an existing file being opened indicate that the caller must understand EAs to properly /// interpret the file, NtCreateFile should return an error. This flag is irrelevant for device and intermediate drivers. ///

FILE_NO_EA_KNOWLEDGE = 0x00000200, ///

formerly known as FILE_OPEN_FOR_RECOVERY

FILE_OPEN_REMOTE_INSTANCE = 0x00000400, ///

/// Access to the file can be random, so no sequential read-ahead operations should be performed by file-system drivers or by /// the system. ///

FILE_RANDOM_ACCESS = 0x00000800, ///

/// The system deletes the file when the last handle to the file is passed to NtClose. If this flag is set, the DELETE flag must /// be set in the DesiredAccess parameter. ///

FILE_DELETE_ON_CLOSE = 0x00001000, ///

/// The file name that is specified by the ObjectAttributes parameter includes a binary 8-byte or 16-byte file reference number /// or object ID for the file, depending on the file system as shown below. Optionally, a device name followed by a backslash /// character may proceed these binary values. For example, a device name will have the following format. This number is /// assigned by and specific to the particular file system. ///

FILE_OPEN_BY_FILE_ID = 0x00002000, ///

/// The file is being opened for backup intent. Therefore, the system should check for certain access rights and grant the /// caller the appropriate access to the file—before checking the DesiredAccess parameter against the file's security /// descriptor. This flag not used by device and intermediate drivers. ///

FILE_OPEN_FOR_BACKUP_INTENT = 0x00004000, ///

/// When a new file is created, the file MUST NOT be compressed, even if it is on a compressed volume. The flag MUST be ignored /// when opening an existing file. ///

FILE_NO_COMPRESSION = 0x00008000, ///

/// The file is being opened and an opportunistic lock (oplock) on the file is being requested as a single atomic operation. The /// file system checks for oplocks before it performs the create operation, and will fail the create with a return code of /// STATUS_CANNOT_BREAK_OPLOCK if the result would be to break an existing oplock. ///

FILE_OPEN_REQUIRING_OPLOCK = 0x00010000, ///

/// This flag allows an application to request a Filter opportunistic lock (oplock) to prevent other applications from getting /// share violations. If there are already open handles, the create request will fail with STATUS_OPLOCK_NOT_GRANTED. For more /// information, see the following Remarks section. ///

FILE_RESERVE_OPFILTER = 0x00100000, ///

/// Open a file with a reparse point and bypass normal reparse point processing for the file. For more information, see the /// following Remarks section. ///

FILE_OPEN_REPARSE_POINT = 0x00200000, ///

/// In a hierarchical storage management environment, this option requests that the file SHOULD NOT be recalled from tertiary /// storage such as tape. A file recall can take up to several minutes in a hierarchical storage management environment. The /// clients can specify this option to avoid such delays. ///

FILE_OPEN_NO_RECALL = 0x00400000, ///

Open file to query for free space. The client SHOULD set this to 0 and the server MUST ignore it.

FILE_OPEN_FOR_FREE_SPACE_QUERY = 0x00800000, ///

Undocumented.

FILE_VALID_OPTION_FLAGS = 0x00ffffff, ///

Undocumented.

FILE_VALID_PIPE_OPTION_FLAGS = 0x00000032, ///

Undocumented.

FILE_VALID_MAILSLOT_OPTION_FLAGS = 0x00000032, ///

Undocumented.

FILE_VALID_SET_FLAGS = 0x00000036, } ///

Specifies the action to perform if the file does or does not exist.

[PInvokeData("ntifs.h", MSDNShortId = "c40b99be-5627-44f3-9853-c3ae31a8035c")] public enum NtFileMode { ///

Replaces the file if it exists. Creates the file if it doesn't exist.

FILE_SUPERSEDE = 0x00000000, ///

Opens the file if it exists. Returns an error if it doesn't exist.

FILE_OPEN = 0x00000001, ///

Returns an error if the file exists. Creates the file if it doesn't exist.

FILE_CREATE = 0x00000002, ///

Opens the file if it exists. Creates the file if it doesn't exist.

FILE_OPEN_IF = 0x00000003, ///

Open the file, and overwrite it if it exists. Returns an error if it doesn't exist.

FILE_OVERWRITE = 0x00000004, ///

Open the file, and overwrite it if it exists. Creates the file if it doesn't exist.

FILE_OVERWRITE_IF = 0x00000005, ///

Undocumented.

FILE_MAXIMUM_DISPOSITION = 0x00000005 } ///

/// /// The NtAllocateVirtualMemory routine reserves, commits, or both, a region of pages within the user-mode virtual address /// space of a specified process. /// ///

/// /// /// A handle for the process for which the mapping should be done. Use the NtCurrentProcess macro, defined in Ntddk.h, to /// specify the current process. /// /// /// /// /// A pointer to a variable that will receive the base address of the allocated region of pages. If the initial value of this /// parameter is non- NULL, the region is allocated starting at the specified virtual address rounded down to the next host /// page size address boundary. If the initial value of this parameter is NULL, the operating system will determine where to /// allocate the region. /// /// /// /// /// The number of high-order address bits that must be zero in the base address of the section view. Used only when the operating /// system determines where to allocate the region, as when BaseAddress is NULL. Note that when ZeroBits is larger than 32, /// it becomes a bitmask. /// /// /// /// /// A pointer to a variable that will receive the actual size, in bytes, of the allocated region of pages. The initial value of this /// parameter specifies the size, in bytes, of the region and is rounded up to the next host page size boundary. *RegionSize cannot /// be zero on input. /// /// /// /// A bitmask containing flags that specify the type of allocation to be performed. The following table describes these flags. /// /// /// Flag /// Meaning /// /// /// MEM_COMMIT /// The specified region of pages is to be committed. One of MEM_COMMIT, MEM_RESET, or MEM_RESERVE must be set. /// /// /// MEM_PHYSICAL /// /// Allocate physical memory. This flag is solely for use with Address Windowing Extensions (AWE) memory. If MEM_PHYSICAL is set, /// MEM_RESERVE must also be set. No other flags may be set. If MEM_PHYSICAL is set, Protect must be set to PAGE_READWRITE. /// /// /// /// MEM_RESERVE /// The specified region of pages is to be reserved. One of MEM_COMMIT, MEM_RESET, or MEM_RESERVE must be set. /// /// /// MEM_RESET /// /// Reset the state of the specified region so that if the pages are in paging file, they are discarded and pages of zeros are /// brought in. If the pages are in memory and modified, they are marked as not modified so that they will not be written out to the /// paging file. The contents are zeroed. The Protect parameter is not used, but it must be set to a valid value. One of MEM_COMMIT, /// MEM_RESET, or MEM_RESERVE must be set. If MEM_RESET is set, no other flag may be set. /// /// /// /// MEM_TOP_DOWN /// The specified region should be created at the highest virtual address possible based on ZeroBits. /// /// /// MEM_WRITE_WATCH /// The specified region should be created at the highest virtual address possible based on ZeroBits. /// /// /// /// /// /// A bitmask containing page protection flags that specify the protection desired for the committed region of pages. The following /// table describes these flags. /// /// /// /// Flag /// Meaning /// /// /// PAGE_NOACCESS /// /// No access to the committed region of pages is allowed. An attempt to read, write, or execute the committed region results in an /// access violation exception, called a general protection (GP) fault. /// /// /// /// PAGE_READONLY /// /// Read-only and execute access to the committed region of pages is allowed. An attempt to write the committed region results in an /// access violation. /// /// /// /// PAGE_READWRITE /// /// Read, write, and execute access to the committed region of pages is allowed. If write access to the underlying section is /// allowed, then a single copy of the pages is shared. Otherwise the pages are shared read only/copy on write. /// /// /// /// PAGE_EXECUTE /// /// Execute access to the committed region of pages is allowed. An attempt to read or write to the committed region results in an /// access violation. /// /// /// /// PAGE_EXECUTE_READ /// /// Execute and read access to the committed region of pages are allowed. An attempt to write to the committed region results in an /// access violation. /// /// /// /// PAGE_GUARD /// /// Pages in the region become guard pages. Any attempt to read from or write to a guard page causes the system to raise a /// STATUS_GUARD_PAGE exception. Guard pages thus act as a one-shot access alarm. This flag is a page protection modifier, valid /// only when used with one of the page protection flags other than PAGE_NOACCESS. When an access attempt leads the system to turn /// off guard page status, the underlying page protection takes over. If a guard page exception occurs during a system service, the /// service typically returns a failure status indicator. /// /// /// /// PAGE_NOCACHE /// The region of pages should be allocated as noncacheable. PAGE_NOCACHE is not allowed for sections. /// /// /// PAGE_WRITECOMBINE /// /// Enables write combining, that is, coalescing writes from cache to main memory, where the hardware supports it. This flag is used /// primarily for frame buffer memory so that writes to the same cache line are combined where possible before being written to the /// device. This can greatly reduce writes across the bus to (for example) video memory. If the hardware does not support write /// combining, the flag is ignored. This flag is a page protection modifier, valid only when used with one of the page protection /// flags other than PAGE_NOACCESS. /// /// /// /// /// /// /// ZwAllocateVirtualMemory returns either STATUS_SUCCESS or an error status code. Possible error status codes include the following: /// /// /// /// ZwAllocateVirtualMemory can perform the following operations: /// /// Kernel-mode drivers can use ZwAllocateVirtualMemory to reserve a range of application-accessible virtual addresses in the /// specified process and then make additional calls to ZwAllocateVirtualMemory to commit individual pages from the reserved /// range. This enables a process to reserve a range of its virtual address space without consuming physical storage until it is needed. /// /// Each page in the process's virtual address space is in one of the three states described in the following table. /// /// /// State /// Meaning /// /// /// FREE /// /// The page is not committed or reserved and is not accessible to the process. ZwAllocateVirtualMemory can reserve, or /// simultaneously reserve and commit, a free page. /// /// /// /// RESERVED /// /// The range of addresses cannot be used by other allocation functions, but the page is not accessible to the process and has no /// physical storage associated with it. ZwAllocateVirtualMemory can commit a reserved page, but it cannot reserve it a second time. /// ZwFreeVirtualMemory can release a reserved page, making it a free page. /// /// /// /// COMMITTED /// /// Physical storage is allocated for the page, and access is controlled by a protection code. The system initializes and loads each /// committed page into physical memory only at the first attempt to read or write to that page. When the process terminates, the /// system releases the storage for committed pages. ZwAllocateVirtualMemory can commit an already committed page. This means that /// you can commit a range of pages, regardless of whether they have already been committed, and the function will not fail. /// ZwFreeVirtualMemory can decommit a committed page, releasing the page's storage, or it can simultaneously decommit and release a /// committed page. /// /// /// /// Memory allocated by calling ZwAllocateVirtualMemory must be freed by calling ZwFreeVirtualMemory. /// For more information about memory management, see Memory Management for Windows Drivers. /// /// For calls from kernel-mode drivers, the NtXxx and ZwXxx versions of a Windows Native System Services routine can /// behave differently in the way that they handle and interpret input parameters. For more information about the relationship /// between the NtXxx and ZwXxx versions of a routine, see Using Nt and Zw Versions of the Native System Services Routines. /// /// // https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntifs/nf-ntifs-ntallocatevirtualmemory __kernel_entry // NTSYSCALLAPI NTSTATUS NtAllocateVirtualMemory( HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, // ULONG AllocationType, ULONG Protect ); [DllImport(Lib.NtDll, SetLastError = false, ExactSpelling = true)] [PInvokeData("ntifs.h", MSDNShortId = "bb82c90d-9bd3-4a23-b171-06a3208e424b")] public static extern NTStatus NtAllocateVirtualMemory(HPROCESS ProcessHandle, ref IntPtr BaseAddress, SizeT ZeroBits, ref SizeT RegionSize, MEM_ALLOCATION_TYPE AllocationType, MEM_PROTECTION Protect); ///

/// The NtCreateFile routine creates a new file or opens an existing file. ///

/// /// A pointer to a HANDLE variable that receives a handle to the file. /// /// /// /// Specifies an ACCESS_MASK value that determines the requested access to the object. In addition to the access rights that are /// defined for all types of objects, the caller can specify any of the following access rights, which are specific to files. /// /// /// /// ACCESS_MASK flag /// Allows caller to do this /// /// /// FILE_READ_DATA /// Read data from the file. /// /// /// FILE_READ_ATTRIBUTES /// Read the attributes of the file. (For more information, see the description of the FileAttributes parameter.) /// /// /// FILE_READ_EA /// Read the extended attributes (EAs) of the file. This flag is irrelevant for device and intermediate drivers. /// /// /// FILE_WRITE_DATA /// Write data to the file. /// /// /// FILE_WRITE_ATTRIBUTES /// Write the attributes of the file. (For more information, see the description of the FileAttributes parameter.) /// /// /// FILE_WRITE_EA /// Change the extended attributes (EAs) of the file. This flag is irrelevant for device and intermediate drivers. /// /// /// FILE_APPEND_DATA /// Append data to the file. /// /// /// FILE_EXECUTE /// Use system paging I/O to read data from the file into memory. This flag is irrelevant for device and intermediate drivers. /// /// /// /// Note Do not specify FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, or FILE_EXECUTE when you create or open a directory. /// /// The caller can only specify a generic access right, GENERIC_ /// XXX /// , for a file, not a directory. Generic access rights correspond to specific access rights as shown in the following table. /// /// /// Generic access right /// Set of specific access rights /// /// /// GENERIC_READ /// STANDARD_RIGHTS_READ, FILE_READ_DATA, FILE_READ_ATTRIBUTES, FILE_READ_EA, and SYNCHRONIZE. /// /// /// GENERIC_WRITE /// STANDARD_RIGHTS_WRITE, FILE_WRITE_DATA, FILE_WRITE_ATTRIBUTES, FILE_WRITE_EA, FILE_APPEND_DATA, and SYNCHRONIZE. /// /// /// GENERIC_EXECUTE /// /// STANDARD_RIGHTS_EXECUTE, FILE_EXECUTE, FILE_READ_ATTRIBUTES, and SYNCHRONIZE. This value is irrelevant for device and /// intermediate drivers. /// /// /// /// GENERIC_ALL /// FILE_ALL_ACCESS. /// /// /// /// For example, if you specify GENERIC_READ for a file object, the routine maps this value to the FILE_GENERIC_READ bitmask of /// specific access rights. In the preceding table, the specific access rights that are listed for GENERIC_READ correspond to the /// access flags that are contained in the FILE_GENERIC_READ bitmask. If the file is actually a directory, the caller can also /// specify the following generic access rights. /// /// /// /// DesiredAccess flag /// Allows caller to do this /// /// /// FILE_LIST_DIRECTORY /// List the files in the directory. /// /// /// FILE_TRAVERSE /// Traverse the directory, in other words, include the directory in the path of a file. /// /// /// For more information about access rights, see ACCESS_MASK. /// /// /// /// A pointer to an OBJECT_ATTRIBUTES structure that specifies the object name and other attributes. Use InitializeObjectAttributes /// to initialize this structure. If the caller is not running in a system thread context, it must set the OBJ_KERNEL_HANDLE /// attribute when it calls InitializeObjectAttributes. /// /// /// /// /// A pointer to an IO_STATUS_BLOCK structure that receives the final completion status and other information about the requested /// operation. In particular, the Information member receives one of the following values: /// /// /// /// FILE_CREATED /// /// /// FILE_OPENED /// /// /// FILE_OVERWRITTEN /// /// /// FILE_SUPERSEDED /// /// /// FILE_EXISTS /// /// /// FILE_DOES_NOT_EXIST /// /// /// /// /// /// A pointer to a LARGE_INTEGER that contains the initial allocation size, in bytes, for a file that is created or overwritten. If /// AllocationSize is NULL, no allocation size is specified. If no file is created or overwritten, AllocationSize is ignored. /// /// /// /// /// Specifies one or more FILE_ATTRIBUTE_XXX flags, which represent the file attributes to set if you create or overwrite a file. /// The caller usually specifies FILE_ATTRIBUTE_NORMAL, which sets the default attributes. For a list of valid /// FILE_ATTRIBUTE_XXXflags, see the CreateFile routine in the Microsoft Windows SDK documentation. If no file is created or /// overwritten, FileAttributes is ignored. /// /// /// /// Type of share access, which is specified as zero or any combination of the following flags. /// /// /// ShareAccess flag /// Allows other threads to do this /// /// /// FILE_SHARE_READ /// Read the file /// /// /// FILE_SHARE_WRITE /// Write the file /// /// /// FILE_SHARE_DELETE /// Delete the file /// /// /// Device and intermediate drivers usually set ShareAccess to zero, which gives the caller exclusive access to the open file. /// /// /// /// Specifies the action to perform if the file does or does not exist. CreateDisposition can be one of the values in the following table. /// /// /// /// CreateDisposition value /// Action if file exists /// Action if file does not exist /// /// /// FILE_SUPERSEDE /// Replace the file. /// Create the file. /// /// /// FILE_CREATE /// Return an error. /// Create the file. /// /// /// FILE_OPEN /// Open the file. /// Return an error. /// /// /// FILE_OPEN_IF /// Open the file. /// Create the file. /// /// /// FILE_OVERWRITE /// Open the file, and overwrite it. /// Return an error. /// /// /// FILE_OVERWRITE_IF /// Open the file, and overwrite it. /// Create the file. /// /// /// /// /// /// Specifies the options to apply when the driver creates or opens the file. Use one or more of the flags in the following table. /// /// /// /// CreateOptions flag /// Meaning /// /// /// FILE_DIRECTORY_FILE /// /// The file is a directory. Compatible CreateOptions flags are FILE_SYNCHRONOUS_IO_ALERT, FILE_SYNCHRONOUS_IO_NONALERT, /// FILE_WRITE_THROUGH, FILE_OPEN_FOR_BACKUP_INTENT, and FILE_OPEN_BY_FILE_ID. The CreateDisposition parameter must be set to /// FILE_CREATE, FILE_OPEN, or FILE_OPEN_IF. /// /// /// /// FILE_NON_DIRECTORY_FILE /// /// The file is a directory. The file object to open can represent a data file; a logical, virtual, or physical device; or a volume. /// /// /// /// FILE_WRITE_THROUGH /// /// System services, file-system drivers, and drivers that write data to the file must actually transfer the data to the file before /// any requested write operation is considered complete. /// /// /// /// FILE_SEQUENTIAL_ONLY /// All access to the file will be sequential. /// /// /// FILE_RANDOM_ACCESS /// /// Access to the file can be random, so no sequential read-ahead operations should be performed by file-system drivers or by the system. /// /// /// /// FILE_NO_INTERMEDIATE_BUFFERING /// /// The file cannot be cached or buffered in a driver's internal buffers. This flag is incompatible with the DesiredAccess /// parameter's FILE_APPEND_DATA flag. /// /// /// /// FILE_SYNCHRONOUS_IO_ALERT /// /// All operations on the file are performed synchronously. Any wait on behalf of the caller is subject to premature termination /// from alerts. This flag also causes the I/O system to maintain the file-position pointer. If this flag is set, the SYNCHRONIZE /// flag must be set in the DesiredAccess parameter. /// /// /// /// FILE_SYNCHRONOUS_IO_NONALERT /// /// All operations on the file are performed synchronously. Waits in the system that synchronize I/O queuing and completion are not /// subject to alerts. This flag also causes the I/O system to maintain the file-position context. If this flag is set, the /// SYNCHRONIZE flag must be set in the DesiredAccess parameter. /// /// /// /// FILE_CREATE_TREE_CONNECTION /// /// Create a tree connection for this file in order to open it over the network. This flag is not used by device and intermediate drivers. /// /// /// /// FILE_COMPLETE_IF_OPLOCKED /// /// Complete this operation immediately with an alternate success code of STATUS_OPLOCK_BREAK_IN_PROGRESS if the target file is /// oplocked, rather than blocking the caller's thread. If the file is oplocked, another caller already has access to the file. This /// flag is not used by device and intermediate drivers. /// /// /// /// FILE_NO_EA_KNOWLEDGE /// /// If the extended attributes (EAs) for an existing file being opened indicate that the caller must understand EAs to properly /// interpret the file, NtCreateFile should return an error. This flag is irrelevant for device and intermediate drivers. /// /// /// /// FILE_OPEN_REPARSE_POINT /// /// Open a file with a reparse point and bypass normal reparse point processing for the file. For more information, see the /// following Remarks section. /// /// /// /// FILE_DELETE_ON_CLOSE /// /// The system deletes the file when the last handle to the file is passed to NtClose. If this flag is set, the DELETE flag must be /// set in the DesiredAccess parameter. /// /// /// /// FILE_OPEN_BY_FILE_ID /// /// The file name that is specified by the ObjectAttributes parameter includes a binary 8-byte or 16-byte file reference number or /// object ID for the file, depending on the file system as shown below. Optionally, a device name followed by a backslash character /// may proceed these binary values. For example, a device name will have the following format. This number is assigned by and /// specific to the particular file system. /// /// /// /// FILE_OPEN_FOR_BACKUP_INTENT /// /// The file is being opened for backup intent. Therefore, the system should check for certain access rights and grant the caller /// the appropriate access to the file—before checking the DesiredAccess parameter against the file's security descriptor. This flag /// not used by device and intermediate drivers. /// /// /// /// FILE_RESERVE_OPFILTER /// /// This flag allows an application to request a Filter opportunistic lock (oplock) to prevent other applications from getting share /// violations. If there are already open handles, the create request will fail with STATUS_OPLOCK_NOT_GRANTED. For more /// information, see the following Remarks section. /// /// /// /// FILE_OPEN_REQUIRING_OPLOCK /// /// The file is being opened and an opportunistic lock (oplock) on the file is being requested as a single atomic operation. The /// file system checks for oplocks before it performs the create operation, and will fail the create with a return code of /// STATUS_CANNOT_BREAK_OPLOCK if the result would be to break an existing oplock. /// /// /// /// FILE_SESSION_AWARE /// The client opening the file or device is session aware and per session access is validated if necessary. /// /// /// /// /// For device and intermediate drivers, this parameter must be a NULL pointer. /// /// /// For device and intermediate drivers, this parameter must be zero. /// /// /// NtCreateFile returns STATUS_SUCCESS on success or an appropriate NTSTATUS error code on failure. In the latter case, the caller /// can determine the cause of the failure by checking the IoStatusBlock parameter. /// /// NoteNtCreateFile might return STATUS_FILE_LOCK_CONFLICT as the return value or in the Status member of the /// IO_STATUS_BLOCK structure that is pointed to by the IoStatusBlock parameter. This would occur only if the NTFS log file /// is full, and an error occurs while NtCreateFile tries to handle this situation. /// /// /// /// /// NtCreateFile supplies a handle that the caller can use to manipulate a file's data, or the file object's state and /// attributes. For more information, see Using Files in a Driver. /// /// Once the handle pointed to by FileHandle is no longer in use, the driver must call NtClose to close it. /// /// If the caller is not running in a system thread context, it must ensure that any handles it creates are private handles. /// Otherwise, the handle can be accessed by the process in whose context the driver is running. For more information, see Object Handles. /// /// There are two alternate ways to specify the name of the file to be created or opened with NtCreateFile: /// Setting certain flags in the DesiredAccess parameter results in the following effects: /// /// The ShareAccess parameter determines whether separate threads can access the same file, possibly simultaneously. Provided that /// both callers have the appropriate access privileges, the file can be successfully opened and shared. If the original caller of /// NtCreateFile does not specify FILE_SHARE_READ, FILE_SHARE_WRITE, or FILE_SHARE_DELETE, no other caller can open the /// file—that is, the original caller is granted exclusive access. /// /// /// To successfully open a shared file, the DesiredAccess flags must be compatible with the DesiredAccess and ShareAccess flags of /// all the previous open operations that have not yet been released through . That is, the DesiredAccess specified to /// NtCreateFile for a given file must not conflict with the accesses that other openers of the file have disallowed. /// /// /// The CreateDisposition value FILE_SUPERSEDE requires that the caller have DELETE access to a existing file object. If so, a /// successful call to NtCreateFile with FILE_SUPERSEDE on an existing file effectively deletes that file, and then recreates /// it. This implies that, if the file has already been opened by another thread, it opened the file by specifying a ShareAccess /// parameter with the FILE_SHARE_DELETE flag set. Note that this type of disposition is consistent with the POSIX style of /// overwriting files. /// /// /// The CreateDisposition values FILE_OVERWRITE_IF and FILE_SUPERSEDE are similar. If NtCreateFile is called with a existing /// file and either of these CreateDisposition values, the file will be replaced. /// /// Overwriting a file is semantically equivalent to a supersede operation, except for the following: /// /// The FILE_DIRECTORY_FILE CreateOptions value specifies that the file to be created or opened is a directory. When a directory /// file is created, the file system creates an appropriate structure on the disk to represent an empty directory for that /// particular file system's on-disk structure. If this option was specified and the given file to be opened is not a directory /// file, or if the caller specified an inconsistent CreateOptions or CreateDisposition value, the call to NtCreateFile will fail. /// /// /// The FILE_NO_INTERMEDIATE_BUFFERING CreateOptions flag prevents the file system from performing any intermediate buffering on /// behalf of the caller. Specifying this flag places the following restrictions on the caller's parameters to other /// ZwXxxFile routines. /// /// /// The FILE_SYNCHRONOUS_IO_ALERT and FILE_SYNCHRONOUS_IO_NONALERT CreateOptions flags, which are mutually exclusive as their names /// suggest, specify that all I/O operations on the file will be synchronous—as long as they occur through the file object referred /// to by the returned FileHandle. All I/O on such a file is serialized across all threads using the returned handle. If either of /// these CreateOptions flags is set, the SYNCHRONIZE DesiredAccess flag must also be set—to compel the I/O manager to use the file /// object as a synchronization object. In these cases, the I/O manager keeps track of the current file-position offset, which you /// can pass to NtReadFile and NtWriteFile. Call NtQueryInformationFile or NtSetInformationFile to get /// or set this position. /// /// /// If the CreateOptions FILE_OPEN_REPARSE_POINT flag is specified and NtCreateFile attempts to open a file with a reparse /// point, normal reparse point processing occurs for the file. If, on the other hand, the FILE_OPEN_REPARSE_POINT flag is /// specified, normal reparse processing does occur and NtCreateFile attempts to directly open the reparse point file. In /// either case, if the open operation was successful, NtCreateFile returns STATUS_SUCCESS; otherwise, the routine returns an /// NTSTATUS error code. NtCreateFile never returns STATUS_REPARSE. /// /// /// The CreateOptions FILE_OPEN_REQUIRING_OPLOCK flag eliminates the time between when you open the file and request an oplock that /// could potentially allow a third party to open the file and get a sharing violation. An application can use the /// FILE_OPEN_REQUIRING_OPLOCK flag on NtCreateFile and then request any oplock. This ensures that an oplock owner will be /// notified of any subsequent open request that causes a sharing violation. /// /// /// In Windows 7, if other handles exist on the file when an application uses the FILE_OPEN_REQUIRING_OPLOCK flag, the create /// operation will fail with STATUS_OPLOCK_NOT_GRANTED. This restriction no longer exists starting with Windows 8. /// /// /// If this create operation would break an oplock that already exists on the file, then setting the FILE_OPEN_REQUIRING_OPLOCK flag /// will cause the create operation to fail with STATUS_CANNOT_BREAK_OPLOCK. The existing oplock will not be broken by this create operation. /// /// /// An application that uses the FILE_OPEN_REQUIRING_OPLOCK flag must request an oplock after this call succeeds, or all subsequent /// attempts to open the file will be blocked without the benefit of normal oplock processing. Similarly, if this call succeeds but /// the subsequent oplock request fails, an application that uses this flag must close its handle after it detects that the oplock /// request has failed. /// /// /// The CreateOptions flag FILE_RESERVE_OPFILTER allows an application to request a Level 1, Batch, or Filter oplock to prevent /// other applications from getting share violations. However, FILE_RESERVE_OPFILTER is only practically useful for Filter oplocks. /// To use it, you must complete the following steps: /// /// /// Step three makes this practical only for Filter oplocks. The handle opened in step 3 can have a DesiredAccess that contains a /// maximum of FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES | FILE_READ_DATA | FILE_READ_EA | FILE_EXECUTE | SYNCHRONIZE | /// READ_CONTROL and still not break a Filter oplock. However, any DesiredAccess greater than FILE_READ_ATTRIBUTES | /// FILE_WRITE_ATTRIBUTES | SYNCHRONIZE will break a Level 1 or Batch oplock and make the FILE_RESERVE_OPFILTER flag useless for /// those oplock types. /// /// NTFS is the only Microsoft file system that implements FILE_RESERVE_OPFILTER. /// Callers of NtCreateFile must be running at IRQL = PASSIVE_LEVEL and with special kernel APCs enabled. /// /// For calls from kernel-mode drivers, the NtXxx and ZwXxx versions of a Windows Native System Services routine can /// behave differently in the way that they handle and interpret input parameters. For more information about the relationship /// between the NtXxx and ZwXxx versions of a routine, see Using Nt and Zw Versions of the Native System Services Routines. /// /// // https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntifs/nf-ntifs-ntcreatefile __kernel_entry NTSYSCALLAPI // NTSTATUS NtCreateFile( PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK // IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG // CreateOptions, PVOID EaBuffer, ULONG EaLength ); [DllImport(Lib.NtDll, SetLastError = false, CharSet = CharSet.Auto)] [PInvokeData("ntifs.h", MSDNShortId = "c40b99be-5627-44f3-9853-c3ae31a8035c")] // public static extern __kernel_entry NTSYSCALLAPI NTSTATUS NtCreateFile(ref IntPtr FileHandle, ACCESS_MASK DesiredAccess, // POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, uint FileAttributes, uint // ShareAccess, uint CreateDisposition, uint CreateOptions, IntPtr EaBuffer, uint EaLength); public static extern NTStatus NtCreateFile(out SafeHFILE FileHandle, ACCESS_MASK DesiredAccess, in OBJECT_ATTRIBUTES ObjectAttributes, out IO_STATUS_BLOCK IoStatusBlock, in long AllocationSize, FileFlagsAndAttributes FileAttributes, FileShare ShareAccess, NtFileMode CreateDisposition, NtFileCreateOptions CreateOptions, [In, Optional] IntPtr EaBuffer, uint EaLength); ///

/// The NtCreateFile routine creates a new file or opens an existing file. ///

/// /// A pointer to a HANDLE variable that receives a handle to the file. /// /// /// /// Specifies an ACCESS_MASK value that determines the requested access to the object. In addition to the access rights that are /// defined for all types of objects, the caller can specify any of the following access rights, which are specific to files. /// /// /// /// ACCESS_MASK flag /// Allows caller to do this /// /// /// FILE_READ_DATA /// Read data from the file. /// /// /// FILE_READ_ATTRIBUTES /// Read the attributes of the file. (For more information, see the description of the FileAttributes parameter.) /// /// /// FILE_READ_EA /// Read the extended attributes (EAs) of the file. This flag is irrelevant for device and intermediate drivers. /// /// /// FILE_WRITE_DATA /// Write data to the file. /// /// /// FILE_WRITE_ATTRIBUTES /// Write the attributes of the file. (For more information, see the description of the FileAttributes parameter.) /// /// /// FILE_WRITE_EA /// Change the extended attributes (EAs) of the file. This flag is irrelevant for device and intermediate drivers. /// /// /// FILE_APPEND_DATA /// Append data to the file. /// /// /// FILE_EXECUTE /// Use system paging I/O to read data from the file into memory. This flag is irrelevant for device and intermediate drivers. /// /// /// /// Note Do not specify FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, or FILE_EXECUTE when you create or open a directory. /// /// The caller can only specify a generic access right, GENERIC_ /// XXX /// , for a file, not a directory. Generic access rights correspond to specific access rights as shown in the following table. /// /// /// Generic access right /// Set of specific access rights /// /// /// GENERIC_READ /// STANDARD_RIGHTS_READ, FILE_READ_DATA, FILE_READ_ATTRIBUTES, FILE_READ_EA, and SYNCHRONIZE. /// /// /// GENERIC_WRITE /// STANDARD_RIGHTS_WRITE, FILE_WRITE_DATA, FILE_WRITE_ATTRIBUTES, FILE_WRITE_EA, FILE_APPEND_DATA, and SYNCHRONIZE. /// /// /// GENERIC_EXECUTE /// /// STANDARD_RIGHTS_EXECUTE, FILE_EXECUTE, FILE_READ_ATTRIBUTES, and SYNCHRONIZE. This value is irrelevant for device and /// intermediate drivers. /// /// /// /// GENERIC_ALL /// FILE_ALL_ACCESS. /// /// /// /// For example, if you specify GENERIC_READ for a file object, the routine maps this value to the FILE_GENERIC_READ bitmask of /// specific access rights. In the preceding table, the specific access rights that are listed for GENERIC_READ correspond to the /// access flags that are contained in the FILE_GENERIC_READ bitmask. If the file is actually a directory, the caller can also /// specify the following generic access rights. /// /// /// /// DesiredAccess flag /// Allows caller to do this /// /// /// FILE_LIST_DIRECTORY /// List the files in the directory. /// /// /// FILE_TRAVERSE /// Traverse the directory, in other words, include the directory in the path of a file. /// /// /// For more information about access rights, see ACCESS_MASK. /// /// /// /// A pointer to an OBJECT_ATTRIBUTES structure that specifies the object name and other attributes. Use InitializeObjectAttributes /// to initialize this structure. If the caller is not running in a system thread context, it must set the OBJ_KERNEL_HANDLE /// attribute when it calls InitializeObjectAttributes. /// /// /// /// /// A pointer to an IO_STATUS_BLOCK structure that receives the final completion status and other information about the requested /// operation. In particular, the Information member receives one of the following values: /// /// /// /// FILE_CREATED /// /// /// FILE_OPENED /// /// /// FILE_OVERWRITTEN /// /// /// FILE_SUPERSEDED /// /// /// FILE_EXISTS /// /// /// FILE_DOES_NOT_EXIST /// /// /// /// /// /// A pointer to a LARGE_INTEGER that contains the initial allocation size, in bytes, for a file that is created or overwritten. If /// AllocationSize is NULL, no allocation size is specified. If no file is created or overwritten, AllocationSize is ignored. /// /// /// /// /// Specifies one or more FILE_ATTRIBUTE_XXX flags, which represent the file attributes to set if you create or overwrite a file. /// The caller usually specifies FILE_ATTRIBUTE_NORMAL, which sets the default attributes. For a list of valid /// FILE_ATTRIBUTE_XXXflags, see the CreateFile routine in the Microsoft Windows SDK documentation. If no file is created or /// overwritten, FileAttributes is ignored. /// /// /// /// Type of share access, which is specified as zero or any combination of the following flags. /// /// /// ShareAccess flag /// Allows other threads to do this /// /// /// FILE_SHARE_READ /// Read the file /// /// /// FILE_SHARE_WRITE /// Write the file /// /// /// FILE_SHARE_DELETE /// Delete the file /// /// /// Device and intermediate drivers usually set ShareAccess to zero, which gives the caller exclusive access to the open file. /// /// /// /// Specifies the action to perform if the file does or does not exist. CreateDisposition can be one of the values in the following table. /// /// /// /// CreateDisposition value /// Action if file exists /// Action if file does not exist /// /// /// FILE_SUPERSEDE /// Replace the file. /// Create the file. /// /// /// FILE_CREATE /// Return an error. /// Create the file. /// /// /// FILE_OPEN /// Open the file. /// Return an error. /// /// /// FILE_OPEN_IF /// Open the file. /// Create the file. /// /// /// FILE_OVERWRITE /// Open the file, and overwrite it. /// Return an error. /// /// /// FILE_OVERWRITE_IF /// Open the file, and overwrite it. /// Create the file. /// /// /// /// /// /// Specifies the options to apply when the driver creates or opens the file. Use one or more of the flags in the following table. /// /// /// /// CreateOptions flag /// Meaning /// /// /// FILE_DIRECTORY_FILE /// /// The file is a directory. Compatible CreateOptions flags are FILE_SYNCHRONOUS_IO_ALERT, FILE_SYNCHRONOUS_IO_NONALERT, /// FILE_WRITE_THROUGH, FILE_OPEN_FOR_BACKUP_INTENT, and FILE_OPEN_BY_FILE_ID. The CreateDisposition parameter must be set to /// FILE_CREATE, FILE_OPEN, or FILE_OPEN_IF. /// /// /// /// FILE_NON_DIRECTORY_FILE /// /// The file is a directory. The file object to open can represent a data file; a logical, virtual, or physical device; or a volume. /// /// /// /// FILE_WRITE_THROUGH /// /// System services, file-system drivers, and drivers that write data to the file must actually transfer the data to the file before /// any requested write operation is considered complete. /// /// /// /// FILE_SEQUENTIAL_ONLY /// All access to the file will be sequential. /// /// /// FILE_RANDOM_ACCESS /// /// Access to the file can be random, so no sequential read-ahead operations should be performed by file-system drivers or by the system. /// /// /// /// FILE_NO_INTERMEDIATE_BUFFERING /// /// The file cannot be cached or buffered in a driver's internal buffers. This flag is incompatible with the DesiredAccess /// parameter's FILE_APPEND_DATA flag. /// /// /// /// FILE_SYNCHRONOUS_IO_ALERT /// /// All operations on the file are performed synchronously. Any wait on behalf of the caller is subject to premature termination /// from alerts. This flag also causes the I/O system to maintain the file-position pointer. If this flag is set, the SYNCHRONIZE /// flag must be set in the DesiredAccess parameter. /// /// /// /// FILE_SYNCHRONOUS_IO_NONALERT /// /// All operations on the file are performed synchronously. Waits in the system that synchronize I/O queuing and completion are not /// subject to alerts. This flag also causes the I/O system to maintain the file-position context. If this flag is set, the /// SYNCHRONIZE flag must be set in the DesiredAccess parameter. /// /// /// /// FILE_CREATE_TREE_CONNECTION /// /// Create a tree connection for this file in order to open it over the network. This flag is not used by device and intermediate drivers. /// /// /// /// FILE_COMPLETE_IF_OPLOCKED /// /// Complete this operation immediately with an alternate success code of STATUS_OPLOCK_BREAK_IN_PROGRESS if the target file is /// oplocked, rather than blocking the caller's thread. If the file is oplocked, another caller already has access to the file. This /// flag is not used by device and intermediate drivers. /// /// /// /// FILE_NO_EA_KNOWLEDGE /// /// If the extended attributes (EAs) for an existing file being opened indicate that the caller must understand EAs to properly /// interpret the file, NtCreateFile should return an error. This flag is irrelevant for device and intermediate drivers. /// /// /// /// FILE_OPEN_REPARSE_POINT /// /// Open a file with a reparse point and bypass normal reparse point processing for the file. For more information, see the /// following Remarks section. /// /// /// /// FILE_DELETE_ON_CLOSE /// /// The system deletes the file when the last handle to the file is passed to NtClose. If this flag is set, the DELETE flag must be /// set in the DesiredAccess parameter. /// /// /// /// FILE_OPEN_BY_FILE_ID /// /// The file name that is specified by the ObjectAttributes parameter includes a binary 8-byte or 16-byte file reference number or /// object ID for the file, depending on the file system as shown below. Optionally, a device name followed by a backslash character /// may proceed these binary values. For example, a device name will have the following format. This number is assigned by and /// specific to the particular file system. /// /// /// /// FILE_OPEN_FOR_BACKUP_INTENT /// /// The file is being opened for backup intent. Therefore, the system should check for certain access rights and grant the caller /// the appropriate access to the file—before checking the DesiredAccess parameter against the file's security descriptor. This flag /// not used by device and intermediate drivers. /// /// /// /// FILE_RESERVE_OPFILTER /// /// This flag allows an application to request a Filter opportunistic lock (oplock) to prevent other applications from getting share /// violations. If there are already open handles, the create request will fail with STATUS_OPLOCK_NOT_GRANTED. For more /// information, see the following Remarks section. /// /// /// /// FILE_OPEN_REQUIRING_OPLOCK /// /// The file is being opened and an opportunistic lock (oplock) on the file is being requested as a single atomic operation. The /// file system checks for oplocks before it performs the create operation, and will fail the create with a return code of /// STATUS_CANNOT_BREAK_OPLOCK if the result would be to break an existing oplock. /// /// /// /// FILE_SESSION_AWARE /// The client opening the file or device is session aware and per session access is validated if necessary. /// /// /// /// /// For device and intermediate drivers, this parameter must be a NULL pointer. /// /// /// For device and intermediate drivers, this parameter must be zero. /// /// /// NtCreateFile returns STATUS_SUCCESS on success or an appropriate NTSTATUS error code on failure. In the latter case, the caller /// can determine the cause of the failure by checking the IoStatusBlock parameter. /// /// NoteNtCreateFile might return STATUS_FILE_LOCK_CONFLICT as the return value or in the Status member of the /// IO_STATUS_BLOCK structure that is pointed to by the IoStatusBlock parameter. This would occur only if the NTFS log file /// is full, and an error occurs while NtCreateFile tries to handle this situation. /// /// /// /// /// NtCreateFile supplies a handle that the caller can use to manipulate a file's data, or the file object's state and /// attributes. For more information, see Using Files in a Driver. /// /// Once the handle pointed to by FileHandle is no longer in use, the driver must call NtClose to close it. /// /// If the caller is not running in a system thread context, it must ensure that any handles it creates are private handles. /// Otherwise, the handle can be accessed by the process in whose context the driver is running. For more information, see Object Handles. /// /// There are two alternate ways to specify the name of the file to be created or opened with NtCreateFile: /// Setting certain flags in the DesiredAccess parameter results in the following effects: /// /// The ShareAccess parameter determines whether separate threads can access the same file, possibly simultaneously. Provided that /// both callers have the appropriate access privileges, the file can be successfully opened and shared. If the original caller of /// NtCreateFile does not specify FILE_SHARE_READ, FILE_SHARE_WRITE, or FILE_SHARE_DELETE, no other caller can open the /// file—that is, the original caller is granted exclusive access. /// /// /// To successfully open a shared file, the DesiredAccess flags must be compatible with the DesiredAccess and ShareAccess flags of /// all the previous open operations that have not yet been released through . That is, the DesiredAccess specified to /// NtCreateFile for a given file must not conflict with the accesses that other openers of the file have disallowed. /// /// /// The CreateDisposition value FILE_SUPERSEDE requires that the caller have DELETE access to a existing file object. If so, a /// successful call to NtCreateFile with FILE_SUPERSEDE on an existing file effectively deletes that file, and then recreates /// it. This implies that, if the file has already been opened by another thread, it opened the file by specifying a ShareAccess /// parameter with the FILE_SHARE_DELETE flag set. Note that this type of disposition is consistent with the POSIX style of /// overwriting files. /// /// /// The CreateDisposition values FILE_OVERWRITE_IF and FILE_SUPERSEDE are similar. If NtCreateFile is called with a existing /// file and either of these CreateDisposition values, the file will be replaced. /// /// Overwriting a file is semantically equivalent to a supersede operation, except for the following: /// /// The FILE_DIRECTORY_FILE CreateOptions value specifies that the file to be created or opened is a directory. When a directory /// file is created, the file system creates an appropriate structure on the disk to represent an empty directory for that /// particular file system's on-disk structure. If this option was specified and the given file to be opened is not a directory /// file, or if the caller specified an inconsistent CreateOptions or CreateDisposition value, the call to NtCreateFile will fail. /// /// /// The FILE_NO_INTERMEDIATE_BUFFERING CreateOptions flag prevents the file system from performing any intermediate buffering on /// behalf of the caller. Specifying this flag places the following restrictions on the caller's parameters to other /// ZwXxxFile routines. /// /// /// The FILE_SYNCHRONOUS_IO_ALERT and FILE_SYNCHRONOUS_IO_NONALERT CreateOptions flags, which are mutually exclusive as their names /// suggest, specify that all I/O operations on the file will be synchronous—as long as they occur through the file object referred /// to by the returned FileHandle. All I/O on such a file is serialized across all threads using the returned handle. If either of /// these CreateOptions flags is set, the SYNCHRONIZE DesiredAccess flag must also be set—to compel the I/O manager to use the file /// object as a synchronization object. In these cases, the I/O manager keeps track of the current file-position offset, which you /// can pass to NtReadFile and NtWriteFile. Call NtQueryInformationFile or NtSetInformationFile to get /// or set this position. /// /// /// If the CreateOptions FILE_OPEN_REPARSE_POINT flag is specified and NtCreateFile attempts to open a file with a reparse /// point, normal reparse point processing occurs for the file. If, on the other hand, the FILE_OPEN_REPARSE_POINT flag is /// specified, normal reparse processing does occur and NtCreateFile attempts to directly open the reparse point file. In /// either case, if the open operation was successful, NtCreateFile returns STATUS_SUCCESS; otherwise, the routine returns an /// NTSTATUS error code. NtCreateFile never returns STATUS_REPARSE. /// /// /// The CreateOptions FILE_OPEN_REQUIRING_OPLOCK flag eliminates the time between when you open the file and request an oplock that /// could potentially allow a third party to open the file and get a sharing violation. An application can use the /// FILE_OPEN_REQUIRING_OPLOCK flag on NtCreateFile and then request any oplock. This ensures that an oplock owner will be /// notified of any subsequent open request that causes a sharing violation. /// /// /// In Windows 7, if other handles exist on the file when an application uses the FILE_OPEN_REQUIRING_OPLOCK flag, the create /// operation will fail with STATUS_OPLOCK_NOT_GRANTED. This restriction no longer exists starting with Windows 8. /// /// /// If this create operation would break an oplock that already exists on the file, then setting the FILE_OPEN_REQUIRING_OPLOCK flag /// will cause the create operation to fail with STATUS_CANNOT_BREAK_OPLOCK. The existing oplock will not be broken by this create operation. /// /// /// An application that uses the FILE_OPEN_REQUIRING_OPLOCK flag must request an oplock after this call succeeds, or all subsequent /// attempts to open the file will be blocked without the benefit of normal oplock processing. Similarly, if this call succeeds but /// the subsequent oplock request fails, an application that uses this flag must close its handle after it detects that the oplock /// request has failed. /// /// /// The CreateOptions flag FILE_RESERVE_OPFILTER allows an application to request a Level 1, Batch, or Filter oplock to prevent /// other applications from getting share violations. However, FILE_RESERVE_OPFILTER is only practically useful for Filter oplocks. /// To use it, you must complete the following steps: /// /// /// Step three makes this practical only for Filter oplocks. The handle opened in step 3 can have a DesiredAccess that contains a /// maximum of FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES | FILE_READ_DATA | FILE_READ_EA | FILE_EXECUTE | SYNCHRONIZE | /// READ_CONTROL and still not break a Filter oplock. However, any DesiredAccess greater than FILE_READ_ATTRIBUTES | /// FILE_WRITE_ATTRIBUTES | SYNCHRONIZE will break a Level 1 or Batch oplock and make the FILE_RESERVE_OPFILTER flag useless for /// those oplock types. /// /// NTFS is the only Microsoft file system that implements FILE_RESERVE_OPFILTER. /// Callers of NtCreateFile must be running at IRQL = PASSIVE_LEVEL and with special kernel APCs enabled. /// /// For calls from kernel-mode drivers, the NtXxx and ZwXxx versions of a Windows Native System Services routine can /// behave differently in the way that they handle and interpret input parameters. For more information about the relationship /// between the NtXxx and ZwXxx versions of a routine, see Using Nt and Zw Versions of the Native System Services Routines. /// /// // https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntifs/nf-ntifs-ntcreatefile __kernel_entry NTSYSCALLAPI // NTSTATUS NtCreateFile( PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK // IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG // CreateOptions, PVOID EaBuffer, ULONG EaLength ); [DllImport(Lib.NtDll, SetLastError = false, CharSet = CharSet.Auto)] [PInvokeData("ntifs.h", MSDNShortId = "c40b99be-5627-44f3-9853-c3ae31a8035c")] // public static extern __kernel_entry NTSYSCALLAPI NTSTATUS NtCreateFile(ref IntPtr FileHandle, ACCESS_MASK DesiredAccess, // POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, uint FileAttributes, uint // ShareAccess, uint CreateDisposition, uint CreateOptions, IntPtr EaBuffer, uint EaLength); public static extern NTStatus NtCreateFile(out SafeHFILE FileHandle, ACCESS_MASK DesiredAccess, in OBJECT_ATTRIBUTES ObjectAttributes, out IO_STATUS_BLOCK IoStatusBlock, [In, Optional] IntPtr AllocationSize, FileFlagsAndAttributes FileAttributes, FileShare ShareAccess, NtFileMode CreateDisposition, NtFileCreateOptions CreateOptions, [In, Optional] IntPtr EaBuffer, uint EaLength); ///

/// The NtCreateSection routine creates a section object. ///

/// /// Pointer to a HANDLE variable that receives a handle to the section object. /// /// /// /// Specifies an ACCESS_MASK value that determines the requested access to the object. In addition to the access rights that are /// defined for all types of objects (see ACCESS_MASK), the caller can specify any of the following access rights, which are /// specific to section objects: /// /// /// /// DesiredAccess flag /// Allows caller to do this /// /// /// SECTION_EXTEND_SIZE /// Dynamically extend the size of the section. /// /// /// SECTION_MAP_EXECUTE /// Execute views of the section. /// /// /// SECTION_MAP_READ /// Read views of the section. /// /// /// SECTION_MAP_WRITE /// Write views of the section. /// /// /// SECTION_QUERY /// Query the section object for information about the section. Drivers should set this flag. /// /// /// SECTION_ALL_ACCESS /// All of the previous flags combined with STANDARD_RIGHTS_REQUIRED. /// /// /// /// /// /// Pointer to an OBJECT_ATTRIBUTES structure that specifies the object name and other attributes. Use InitializeObjectAttributes to /// initialize this structure. If the caller is not running in a system thread context, it must set the OBJ_KERNEL_HANDLE attribute /// when it calls InitializeObjectAttributes. /// /// /// /// /// Specifies the maximum size, in bytes, of the section. NtCreateSection rounds this value up to the nearest multiple of /// PAGE_SIZE. If the section is backed by the paging file, MaximumSize specifies the actual size of the section. If the section is /// backed by an ordinary file, MaximumSize specifies the maximum size that the file can be extended or mapped to. /// /// /// /// /// Specifies the protection to place on each page in the section. Use one of the following four values: PAGE_READONLY, /// PAGE_READWRITE, PAGE_EXECUTE, or PAGE_WRITECOPY. For a description of these values, see CreateFileMapping. /// /// /// /// /// Specifies a bitmask of SEC_XXX flags that determines the allocation attributes of the section. For a description of these flags, /// see CreateFileMapping. /// /// /// /// /// Optionally specifies a handle for an open file object. If the value of FileHandle is NULL, the section is backed by the /// paging file. Otherwise, the section is backed by the specified file. /// /// /// /// /// NtCreateSection returns STATUS_SUCCESS on success, or the appropriate NTSTATUS error code on failure. Possible error /// status codes include the following: /// /// /// /// Return code /// Description /// /// /// STATUS_FILE_LOCK_CONFLICT /// The file specified by the FileHandle parameter is locked. /// /// /// STATUS_INVALID_FILE_FOR_SECTION /// The file specified by FileHandle does not support sections. /// /// /// STATUS_INVALID_PAGE_PROTECTION /// The value specified for the SectionPageProtection parameter is invalid. /// /// /// STATUS_MAPPED_FILE_SIZE_ZERO /// The size of the file specified by FileHandle is zero, and MaximumSize is zero. /// /// /// STATUS_SECTION_TOO_BIG /// /// The value of MaximumSize is too big. This occurs when either MaximumSize is greater than the system-defined maximum for /// sections, or if MaximumSize is greater than the specified file and the section is not writable. /// /// /// /// /// /// Once the handle pointed to by SectionHandle is no longer in use, the driver must call NtClose to close it. /// /// If the caller is not running in a system thread context, it must ensure that any handles it creates are private handles. /// Otherwise, the handle can be accessed by the process in whose context the driver is running. For more information, see Object Handles. /// /// For more information about setting up mapped sections and views of memory, see Sections and Views. /// /// For calls from kernel-mode drivers, the NtXxx and ZwXxx versions of a Windows Native System Services routine can /// behave differently in the way that they handle and interpret input parameters. For more information about the relationship /// between the NtXxx and ZwXxx versions of a routine, see Using Nt and Zw Versions of the Native System Services Routines. /// /// // https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntifs/nf-ntifs-ntcreatesection __kernel_entry NTSYSCALLAPI // NTSTATUS NtCreateSection( PHANDLE SectionHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PLARGE_INTEGER // MaximumSize, ULONG SectionPageProtection, ULONG AllocationAttributes, HANDLE FileHandle ); [DllImport(Lib.NtDll, SetLastError = false, CharSet = CharSet.Auto)] [PInvokeData("ntifs.h", MSDNShortId = "805d7eff-19be-47a1-acc9-1b97e5493031")] public static extern NTStatus NtCreateSection(out SafeSectionHandle SectionHandle, ACCESS_MASK DesiredAccess, in OBJECT_ATTRIBUTES ObjectAttributes, in long MaximumSize, MEM_PROTECTION SectionPageProtection, SEC_ALLOC AllocationAttributes, [Optional] HFILE FileHandle); ///

/// The NtCreateSection routine creates a section object. ///

/// /// Pointer to a HANDLE variable that receives a handle to the section object. /// /// /// /// Specifies an ACCESS_MASK value that determines the requested access to the object. In addition to the access rights that are /// defined for all types of objects (see ACCESS_MASK), the caller can specify any of the following access rights, which are /// specific to section objects: /// /// /// /// DesiredAccess flag /// Allows caller to do this /// /// /// SECTION_EXTEND_SIZE /// Dynamically extend the size of the section. /// /// /// SECTION_MAP_EXECUTE /// Execute views of the section. /// /// /// SECTION_MAP_READ /// Read views of the section. /// /// /// SECTION_MAP_WRITE /// Write views of the section. /// /// /// SECTION_QUERY /// Query the section object for information about the section. Drivers should set this flag. /// /// /// SECTION_ALL_ACCESS /// All of the previous flags combined with STANDARD_RIGHTS_REQUIRED. /// /// /// /// /// /// Pointer to an OBJECT_ATTRIBUTES structure that specifies the object name and other attributes. Use InitializeObjectAttributes to /// initialize this structure. If the caller is not running in a system thread context, it must set the OBJ_KERNEL_HANDLE attribute /// when it calls InitializeObjectAttributes. /// /// /// /// /// Specifies the maximum size, in bytes, of the section. NtCreateSection rounds this value up to the nearest multiple of /// PAGE_SIZE. If the section is backed by the paging file, MaximumSize specifies the actual size of the section. If the section is /// backed by an ordinary file, MaximumSize specifies the maximum size that the file can be extended or mapped to. /// /// /// /// /// Specifies the protection to place on each page in the section. Use one of the following four values: PAGE_READONLY, /// PAGE_READWRITE, PAGE_EXECUTE, or PAGE_WRITECOPY. For a description of these values, see CreateFileMapping. /// /// /// /// /// Specifies a bitmask of SEC_XXX flags that determines the allocation attributes of the section. For a description of these flags, /// see CreateFileMapping. /// /// /// /// /// Optionally specifies a handle for an open file object. If the value of FileHandle is NULL, the section is backed by the /// paging file. Otherwise, the section is backed by the specified file. /// /// /// /// /// NtCreateSection returns STATUS_SUCCESS on success, or the appropriate NTSTATUS error code on failure. Possible error /// status codes include the following: /// /// /// /// Return code /// Description /// /// /// STATUS_FILE_LOCK_CONFLICT /// The file specified by the FileHandle parameter is locked. /// /// /// STATUS_INVALID_FILE_FOR_SECTION /// The file specified by FileHandle does not support sections. /// /// /// STATUS_INVALID_PAGE_PROTECTION /// The value specified for the SectionPageProtection parameter is invalid. /// /// /// STATUS_MAPPED_FILE_SIZE_ZERO /// The size of the file specified by FileHandle is zero, and MaximumSize is zero. /// /// /// STATUS_SECTION_TOO_BIG /// /// The value of MaximumSize is too big. This occurs when either MaximumSize is greater than the system-defined maximum for /// sections, or if MaximumSize is greater than the specified file and the section is not writable. /// /// /// /// /// /// Once the handle pointed to by SectionHandle is no longer in use, the driver must call NtClose to close it. /// /// If the caller is not running in a system thread context, it must ensure that any handles it creates are private handles. /// Otherwise, the handle can be accessed by the process in whose context the driver is running. For more information, see Object Handles. /// /// For more information about setting up mapped sections and views of memory, see Sections and Views. /// /// For calls from kernel-mode drivers, the NtXxx and ZwXxx versions of a Windows Native System Services routine can /// behave differently in the way that they handle and interpret input parameters. For more information about the relationship /// between the NtXxx and ZwXxx versions of a routine, see Using Nt and Zw Versions of the Native System Services Routines. /// /// // https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntifs/nf-ntifs-ntcreatesection __kernel_entry NTSYSCALLAPI // NTSTATUS NtCreateSection( PHANDLE SectionHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PLARGE_INTEGER // MaximumSize, ULONG SectionPageProtection, ULONG AllocationAttributes, HANDLE FileHandle ); [DllImport(Lib.NtDll, SetLastError = false, CharSet = CharSet.Auto)] [PInvokeData("ntifs.h", MSDNShortId = "805d7eff-19be-47a1-acc9-1b97e5493031")] public static extern NTStatus NtCreateSection(out SafeSectionHandle SectionHandle, ACCESS_MASK DesiredAccess, [In, Optional] IntPtr ObjectAttributes, [In, Optional] IntPtr MaximumSize, MEM_PROTECTION SectionPageProtection, SEC_ALLOC AllocationAttributes, [Optional] HFILE FileHandle); ///

The RtlAllocateHeap routine allocates a block of memory from a heap.

/// /// [in] Handle for a private heap from which the memory will be allocated. This parameter is a handle returned from a successful /// call to RtlCreateHeap . /// /// /// /// [in, optional] Controllable aspects of heap allocation. Specifying any of these values will override the corresponding value /// specified when the heap was created with RtlCreateHeap. This parameter can be one or more of the following values. /// /// /// /// Flag /// Meaning /// /// /// HEAP_GENERATE_EXCEPTIONS /// /// The system will raise an exception to indicate a function failure, such as an out-of-memory condition, instead of returning NULL. /// /// /// /// HEAP_NO_SERIALIZE /// Mutual exclusion will not be used while RtlAllocateHeap is accessing the heap. /// /// /// HEAP_ZERO_MEMORY /// The allocated memory will be initialized to zero. Otherwise, the memory is not initialized to zero. /// /// /// /// /// [in] Number of bytes to be allocated. If the heap, specified by the HeapHandle parameter, is a nongrowable heap, Size must be /// less than or equal to the heap's virtual memory threshold. (For more information, see the VirtualMemoryThreshold member /// of the Parameters parameter to RtlCreateHeap.) /// /// /// If the call to RtlAllocateHeap succeeds, the return value is a pointer to the newly-allocated block. The return value is /// NULL if the allocation failed. /// /// /// RtlAllocateHeap allocates a block of memory of the specified size from the specified heap. /// To free a block of memory allocated by RtlAllocateHeap, call RtlFreeHeap. /// /// Memory allocated by RtlAllocateHeap is not movable. Since the memory is not movable, it is possible for the heap to /// become fragmented. /// /// /// Serialization ensures mutual exclusion when two or more threads attempt to simultaneously allocate or free blocks from the same /// heap. There is a small performance cost to serialization, but it must be used whenever multiple threads allocate and free memory /// from the same heap. Setting the HEAP_NO_SERIALIZE value eliminates mutual exclusion on the heap. Without serialization, two or /// more threads that use the same heap handle might attempt to allocate or free memory simultaneously, likely causing corruption in /// the heap. The HEAP_NO_SERIALIZE value can, therefore, be safely used only in the following situations: /// /// /// /// /// The process has only one thread. /// /// /// /// /// The process has multiple threads, but only one thread calls the heap functions for a specific heap. /// /// /// /// /// The process has multiple threads, and the application provides its own mechanism for mutual exclusion to a specific heap. /// /// /// /// /// Note /// /// To guard against an access violation, use structured exception handling to protect any code that writes to or reads from a heap. /// For more information about structured exception handling with memory accesses, see Handling Exceptions. /// /// /// // https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-rtlallocateheap NTSYSAPI PVOID RtlAllocateHeap( // PVOID HeapHandle, ULONG Flags, SIZE_T Size ); [DllImport(Lib.NtDll, SetLastError = false, ExactSpelling = true)] [PInvokeData("ntifs.h", MSDNShortId = "NF:ntifs.RtlAllocateHeap")] public static extern IntPtr RtlAllocateHeap(IntPtr HeapHandle, [In, Optional] HeapFlags Flags, SizeT Size); ///

/// The RtlCreateHeap routine creates a heap object that can be used by the calling process. This routine reserves space in /// the virtual address space of the process and allocates physical storage for a specified initial portion of this block. ///

/// /// /// [in] Flags specifying optional attributes of the heap. These options affect subsequent access to the new heap through calls to /// the heap functions (RtlAllocateHeap and RtlFreeHeap). /// /// Callers should set this parameter to zero if no optional attributes are requested. /// This parameter can be one or more of the following values. /// HEAP_GENERATE_EXCEPTIONS /// /// Specifies that the system will indicate a heap failure by raising an exception, such as STATUS_NO_MEMORY, instead of returning NULL. /// /// HEAP_GROWABLE /// Specifies that the heap is growable. Must be specified if HeapBase is NULL. /// HEAP_NO_SERIALIZE /// /// Specifies that mutual exclusion will not be used when the heap functions allocate and free memory from this heap. The default, /// when HEAP_NO_SERIALIZE is not specified, is to serialize access to the heap. Serialization of heap access allows two or more /// threads to simultaneously allocate and free memory from the same heap. /// /// /// /// [in, optional] Specifies one of two actions: /// /// If HeapBase is a non- NULL value, it specifies the base address for a block of caller-allocated memory to use for the heap. /// /// /// If HeapBase is NULL, RtlCreateHeap allocates system memory for the heap from the process's virtual address space. /// /// /// /// /// [in, optional] If ReserveSize is a nonzero value, it specifies the initial amount of memory, in bytes, to reserve for the heap. /// RtlCreateHeap rounds ReserveSize up to the next page boundary, and then reserves a block of that size for the heap. /// /// /// This parameter is optional and can be zero. The following table summarizes the interaction of the ReserveSize and CommitSize parameters. /// /// /// /// Values /// Result /// /// /// ReserveSize zero, CommitSize zero /// 64 pages are initially reserved for the heap. One page is initially committed. /// /// /// ReserveSize zero, CommitSize nonzero /// /// RtlCreateHeap sets ReserveSize to be equal to CommitSize, and then rounds ReserveSize up to the nearest multiple of (PAGE_SIZE * 16). /// /// /// /// ReserveSize nonzero, CommitSize zero /// One page is initially committed for the heap. /// /// /// ReserveSize nonzero, CommitSize nonzero /// If CommitSize is greater than ReserveSize, RtlCreateHeap reduces CommitSize to ReserveSize. /// /// /// /// /// /// [in, optional] If CommitSize is a nonzero value, it specifies the initial amount of memory, in bytes, to commit for the heap. /// RtlCreateHeap rounds CommitSize up to the next page boundary, and then commits a block of that size in the process's /// virtual address space for the heap. /// /// This parameter is optional and can be zero. /// /// /// [in, optional] Pointer to an opaque ERESOURCE structure to be used as a resource lock. This parameter is optional and can be /// NULL. When provided by the caller, the structure must be allocated from nonpaged pool and initialized by calling /// ExInitializeResourceLite or ExReinitializeResourceLite. If the HEAP_NO_SERIALIZE flag is set, this parameter must be NULL. /// /// /// [in, optional] Pointer to a RTL_HEAP_PARAMETERS structure that contains parameters to be applied when creating the heap. This /// parameter is optional and can be NULL. /// /// RtlCreateHeap returns a handle to be used in accessing the created heap. /// /// /// RtlCreateHeap creates a private heap object from which the calling process can allocate memory blocks by calling /// RtlAllocateHeap. The initial commit size determines the number of pages that are initially allocated for the heap. The initial /// reserve size determines the number of pages that are initially reserved for the heap. Pages that are reserved but uncommitted /// create a block in the process's virtual address space into which the heap can expand. /// /// /// If allocation requests made by RtlAllocateHeap exceed the heap's initial commit size, the system commits additional pages of /// physical storage for the heap, up to the heap's maximum size. If the heap is nongrowable, its maximum size is limited to its /// initial reserve size. /// /// /// If the heap is growable, its size is limited only by available memory. If requests by RtlAllocateHeap exceed the current size of /// committed pages, the system calls ZwAllocateVirtualMemory to obtain the memory needed, assuming that the physical storage is available. /// /// /// In addition, if the heap is nongrowable, an absolute limitation arises: the maximum size of a memory block in the heap is /// 0x7F000 bytes. The virtual memory threshold of the heap is equal to the maximum heap block size or the value of the /// VirtualMemoryThreshold member of the Parameters structure, whichever is less. The heap also may need to pad the request /// size for metadata and alignment purposes so requests to allocate blocks within 4096 Bytes (1 Page) of the /// VirtualMemoryThreshold may fail even if the maximum size of the heap is large enough to contain the block. (For more /// information about VirtualMemoryThreshold, see the members of the Parameters parameter to RtlCreateHeap.) /// /// /// If the heap is growable, requests to allocate blocks larger than the heap's virtual memory threshold do not automatically fail; /// the system calls ZwAllocateVirtualMemory to obtain the memory needed for such large blocks. /// /// The memory of a private heap object is accessible only to the process that created it. /// /// The system uses memory from the private heap to store heap support structures, so not all of the specified heap size is /// available to the process. For example, if RtlAllocateHeap requests 64 kilobytes (K) from a heap with a maximum size of 64K, the /// request may fail because of system overhead. /// /// /// If HEAP_NO_SERIALIZE is not specified (the simple default), the heap will serialize access within the calling process. /// Serialization ensures mutual exclusion when two or more threads attempt to simultaneously allocate or free blocks from the same /// heap. There is a small performance cost to serialization, but it must be used whenever multiple threads allocate and free memory /// from the same heap. /// /// /// Setting HEAP_NO_SERIALIZE eliminates mutual exclusion on the heap. Without serialization, two or more threads that use the same /// heap handle might attempt to allocate or free memory simultaneously, likely causing corruption in the heap. Therefore, /// HEAP_NO_SERIALIZE can safely be used only in the following situations: /// /// /// /// The process has only one thread. /// /// /// The process has multiple threads, but only one thread calls the heap functions for a specific heap. /// /// /// The process has multiple threads, and the application provides its own mechanism for mutual exclusion to a specific heap. /// /// /// Note /// /// To guard against an access violation, use structured exception handling to protect any code that writes to or reads from a heap. /// For more information about structured exception handling with memory accesses, see Handling Exceptions. /// /// // https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-rtlcreateheap NTSYSAPI PVOID RtlCreateHeap( ULONG // Flags, PVOID HeapBase, SIZE_T ReserveSize, SIZE_T CommitSize, PVOID Lock, PRTL_HEAP_PARAMETERS Parameters ); [DllImport(Lib.NtDll, SetLastError = false, ExactSpelling = true)] [PInvokeData("ntifs.h", MSDNShortId = "NF:ntifs.RtlCreateHeap")] public static extern IntPtr RtlCreateHeap(HeapFlags Flags, [In, Optional] IntPtr HeapBase, [In, Optional] SizeT ReserveSize, [In, Optional] SizeT CommitSize, [In, Optional] IntPtr Lock, [In, Optional] IntPtr Parameters); ///

/// The RtlDestroyHeap routine destroys the specified heap object. RtlDestroyHeap decommits and releases all the pages /// of a private heap object, and it invalidates the handle to the heap. ///

/// [in] Handle for the heap to be destroyed. This parameter is a heap handle returned by RtlCreateHeap. /// /// If the call to RtlDestroyHeap succeeds, the return value is a NULL pointer. /// If the call to RtlDestroyHeap fails, the return value is a handle for the heap. /// /// /// Processes can call RtlDestroyHeap without first calling RtlFreeHeap to free memory that was allocated from the heap. /// // https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-rtldestroyheap NTSYSAPI PVOID RtlDestroyHeap( PVOID // HeapHandle ); [DllImport(Lib.NtDll, SetLastError = false, ExactSpelling = true)] [PInvokeData("ntifs.h", MSDNShortId = "NF:ntifs.RtlDestroyHeap")] public static extern IntPtr RtlDestroyHeap(IntPtr HeapHandle); ///

Frees a memory block that was allocated from a heap by RtlAllocateHeap.

/// A handle for the heap whose memory block is to be freed. This parameter is a handle returned by RtlCreateHeap. /// /// /// A set of flags that controls aspects of freeing a memory block. Specifying the following value overrides the corresponding value /// that was specified in the Flags parameter when the heap was created by RtlCreateHeap. /// /// /// /// Flag /// Meaning /// /// /// HEAP_NO_SERIALIZE /// Mutual exclusion will not be used when RtlFreeHeap is accessing the heap. /// /// /// /// A pointer to the memory block to free. This pointer is returned by RtlAllocateHeap. /// /// Returns TRUE if the block was freed successfully; FALSE otherwise. /// /// Note /// Starting with Windows 8 the return value is typed as LOGICAL, which has a different size than BOOLEAN. /// /// // https://docs.microsoft.com/en-us/windows/win32/devnotes/rtlfreeheap BOOLEAN RtlFreeHeap( _In_ PVOID HeapHandle, _In_opt_ ULONG // Flags, _In_ PVOID HeapBase ); [DllImport(Lib.NtDll, SetLastError = false, ExactSpelling = true)] [PInvokeData("ntifs.h")] [return: MarshalAs(UnmanagedType.U1)] public static extern bool RtlFreeHeap([In] IntPtr HeapHandle, [In, Optional] HeapFlags Flags, [In] IntPtr HeapBase); ///

Contains parameters to be applied when creating the heap.

[StructLayout(LayoutKind.Sequential)] public struct RTL_HEAP_PARAMETERS { ///

Size, in bytes, of the RTL_HEAP_PARAMETERS structure.

public uint Length; ///

Segment reserve size, in bytes. If this value is not specified, 1 MB is used.

public SizeT SegmentReserve; ///

Segment reserve size, in bytes. If this value is not specified, 1 MB is used.

public SizeT SegmentCommit; ///

Decommit free block threshold, in bytes. If this value is not specified, PAGE_SIZE is used.

public SizeT DeCommitFreeBlockThreshold; ///

Decommit total free threshold, in bytes. If this value is not specified, 65536 is used.

public SizeT DeCommitTotalFreeThreshold; ///

/// Size, in bytes, of the largest block of memory that can be allocated from the heap. If this value is not specified, the /// difference between the highest and lowest addresses, less one page, is used. ///

public SizeT MaximumAllocationSize; ///

/// Virtual memory threshold, in bytes. If this value is not specified, or if it is greater than the maximum heap block size, /// the maximum heap block size of 0x7F000 is used. ///

public SizeT VirtualMemoryThreshold; ///

/// Initial amount of memory, in bytes, to commit for the heap. /// Must be less than or equal to InitialReserve. /// /// If HeapBase and CommitRoutine are non-NULL, this parameter, which overrides the value of CommitSize, must be a nonzero /// value; otherwise it is ignored. /// ///

public SizeT InitialCommit; ///

/// Initial amount of memory, in bytes, to reserve for the heap. /// /// If HeapBase and CommitRoutine are non-NULL, this parameter, which overrides the value of ReserveSize, must be a nonzero /// value; otherwise it is ignored. /// ///

public SizeT InitialReserve; ///

/// Callback routine to commit pages from the heap. If this parameter is non-NULL, the heap must be nongrowable. /// If HeapBase is NULL, CommitRoutine must also be NULL. ///

[MarshalAs(UnmanagedType.FunctionPtr)] public PRTL_HEAP_COMMIT_ROUTINE CommitRoutine; ///

Reserved for system use. Drivers must set this parameter to zero.

private SizeT Reserved1; ///

Reserved for system use. Drivers must set this parameter to zero.

private SizeT Reserved2; } /* IoGetAttachedDeviceReference IoGetConfigurationInformation IoSetStartIoAttributes IoSizeOfIrp macro IoStartNextPacket IoStartNextPacketByKey IoStartPacket IoStartTimer IoStopTimer IoWriteErrorLogEntry KeGetProcessorIndexFromNumber KeGetProcessorNumberFromIndex KeSetKernelStackSwapEnable KeStallExecutionProcessor MEMORY_BASIC_INFORMATION structure NtClose NtCreateSectionEx NtDeviceIoControlFile NtDuplicateToken NtFlushBuffersFileEx NtFreeVirtualMemory NtFsControlFile NtLockFile NtOpenFile NtOpenProcessToken NtOpenProcessTokenEx NtOpenThreadToken NtOpenThreadTokenEx NtPrivilegeCheck NtQueryDirectoryFile NtQueryDirectoryFileEx NtQueryInformationFile NtQueryInformationToken NtQueryObject NtQueryQuotaInformationFile NtQuerySecurityObject NtQueryVirtualMemory NtQueryVolumeInformationFile NtReadFile NtSetInformationFile NtSetInformationThread NtSetInformationToken NtSetQuotaInformationFile NtSetSecurityObject NtUnlockFile NtWriteFile PoCallDriver PoClearPowerRequest PoCreatePowerRequest PoDeletePowerRequest PoEndDeviceBusy PoQueryWatchdogTime PoRegisterDeviceForIdleDetection PoRegisterPowerSettingCallback PoRegisterSystemState PoSetDeviceBusyEx PoSetPowerRequest PoSetPowerState PoStartDeviceBusy PoStartNextPowerIrp PoUnregisterPowerSettingCallback PoUnregisterSystemState PsGetCurrentThread PsIsSystemThread RtlInitStringEx RtlUnicodeToUTF8N RtlUTF8ToUnicodeN SeFreePrivileges ZwAllocateVirtualMemory ZwCreateEvent ZwDeleteFile ZwDeviceIoControlFile ZwDuplicateObject ZwDuplicateToken ZwFlushBuffersFile ZwFlushBuffersFileEx ZwFlushVirtualMemory ZwFreeVirtualMemory ZwFsControlFile ZwLockFile ZwNotifyChangeKey ZwOpenDirectoryObject ZwOpenProcessTokenEx ZwOpenThreadTokenEx ZwQueryDirectoryFile ZwQueryDirectoryFileEx ZwQueryEaFile ZwQueryInformationToken ZwQueryObject ZwQueryQuotaInformationFile ZwQuerySecurityObject ZwQueryVirtualMemory ZwQueryVolumeInformationFile ZwSetEaFile ZwSetEvent ZwSetInformationToken ZwSetInformationVirtualMemory ZwSetQuotaInformationFile ZwSetSecurityObject ZwSetVolumeInformationFile ZwUnlockFile ZwWaitForSingleObject ACCESS_ALLOWED_ACE structure ACCESS_DENIED_ACE structure ACE_HEADER structure ATOMIC_CREATE_ECP_CONTEXT structure BOOT_AREA_INFO structure CcCanIWrite function CcCoherencyFlushAndPurgeCache function CcCopyRead function CcCopyReadEx function CcCopyWrite function CcCopyWriteEx function CcCopyWriteWontFlush function CcDeferWrite function CcFastCopyRead function CcFastCopyWrite function CcFlushCache function CcGetDirtyPages function CcGetFileObjectFromBcb function CcGetFileObjectFromSectionPtrs function CcGetFileObjectFromSectionPtrsRef function CcGetFlushedValidData function CcInitializeCacheMap function CcIsThereDirtyData function CcIsThereDirtyDataEx function CcMapData function CcMdlReadComplete function CcMdlWriteAbort function CcMdlWriteComplete function CcPinMappedData function CcPinRead function CcPrepareMdlWrite function CcPreparePinWrite function CcPurgeCacheSection function CcRemapBcb function CcRepinBcb function CcScheduleReadAhead function CcScheduleReadAheadEx function CcSetAdditionalCacheAttributes function CcSetAdditionalCacheAttributesEx function CcSetBcbOwnerPointer function CcSetDirtyPageThreshold function CcSetDirtyPinnedData function CcSetFileSizes function CcSetLogHandleForFile function CcSetReadAheadGranularity function CcUninitializeCacheMap function CcUnpinData function CcUnpinDataForThread function CcUnpinRepinnedBcb function CcWaitForCurrentLazyWriterActivity function CcZeroData function CREATE_REDIRECTION_ECP_CONTEXT structure CSV_CONTROL_OP enumeration CSV_DOWN_LEVEL_FILE_TYPE enumeration CSV_DOWN_LEVEL_OPEN_ECP_CONTEXT structure CSV_QUERY_FILE_REVISION_ECP_CONTEXT structure CSV_QUERY_FILE_REVISION_ECP_CONTEXT_FILE_ID_128 structure CSV_SET_HANDLE_PROPERTIES_ECP_CONTEXT structure DRIVER_FS_NOTIFICATION callback function ECP_OPEN_PARAMETERS structure ENCRYPTION_KEY_CTRL_INPUT structure ExAdjustLookasideDepth function ExDisableResourceBoostLite function ExQueryPoolBlockSize function FILE_ALLOCATION_INFORMATION structure FILE_BOTH_DIR_INFORMATION structure FILE_CASE_SENSITIVE_INFORMATION structure FILE_COMPLETION_INFORMATION structure FILE_COMPRESSION_INFORMATION structure FILE_DESIRED_STORAGE_CLASS_INFORMATION structure FILE_DIRECTORY_INFORMATION structure FILE_FS_ATTRIBUTE_INFORMATION structure FILE_FS_CONTROL_INFORMATION structure FILE_FS_DRIVER_PATH_INFORMATION structure FILE_FS_PERSISTENT_VOLUME_INFORMATION structure FILE_FULL_DIR_INFORMATION structure FILE_GET_EA_INFORMATION structure FILE_GET_QUOTA_INFORMATION structure FILE_ID_BOTH_DIR_INFORMATION structure FILE_ID_EXTD_BOTH_DIR_INFORMATION structure FILE_ID_EXTD_DIR_INFORMATION structure FILE_ID_FULL_DIR_INFORMATION structure FILE_ID_GLOBAL_TX_DIR_INFORMATION structure FILE_ID_INFORMATION structure FILE_INTERNAL_INFORMATION structure FILE_KNOWN_FOLDER_INFORMATION structure FILE_KNOWN_FOLDER_TYPE enumeration FILE_LEVEL_TRIM structure FILE_LEVEL_TRIM_OUTPUT structure FILE_LEVEL_TRIM_RANGE structure FILE_LINK_ENTRY_INFORMATION structure FILE_LINK_INFORMATION structure FILE_LINKS_INFORMATION structure FILE_MAILSLOT_QUERY_INFORMATION structure FILE_MAILSLOT_SET_INFORMATION structure FILE_NAMES_INFORMATION structure FILE_NETWORK_PHYSICAL_NAME_INFORMATION structure FILE_NOTIFY_INFORMATION structure FILE_OBJECTID_INFORMATION structure FILE_PIPE_INFORMATION structure FILE_PIPE_LOCAL_INFORMATION structure FILE_PIPE_REMOTE_INFORMATION structure FILE_PROVIDER_EXTERNAL_INFO_V0 structure FILE_PROVIDER_EXTERNAL_INFO_V1 structure FILE_QUOTA_INFORMATION structure FILE_REMOTE_PROTOCOL_INFORMATION structure FILE_RENAME_INFORMATION structure FILE_REPARSE_POINT_INFORMATION structure FILE_STANDARD_LINK_INFORMATION structure FILE_STAT_INFORMATION structure FILE_STAT_LX_INFORMATION structure FILE_STORAGE_RESERVE_ID_INFORMATION structure FILE_STORAGE_TIER_CLASS enumeration FILE_STREAM_INFORMATION structure FILE_TIMESTAMPS structure FILE_ZERO_DATA_INFORMATION structure FILE_ZERO_DATA_INFORMATION_EX structure FS_BPIO_INFLAGS enumeration FS_BPIO_INFO structure FS_BPIO_INPUT structure FS_BPIO_OPERATIONS enumeration FS_BPIO_OUTFLAGS enumeration FS_BPIO_OUTPUT structure FS_BPIO_RESULTS structure FS_FILTER_CALLBACK_DATA structure FS_FILTER_CALLBACKS structure FS_FILTER_SECTION_SYNC_OUTPUT structure FSCTL_MANAGE_BYPASS_IO IOCTL FSCTL_MARK_HANDLE IOCTL FSCTL_OFFLOAD_READ_INPUT structure FSCTL_OFFLOAD_READ_OUTPUT structure FSCTL_OFFLOAD_WRITE_INPUT structure FSCTL_OFFLOAD_WRITE_OUTPUT structure FSCTL_QUERY_VOLUME_NUMA_INFO_OUTPUT structure FSRTL_ADVANCED_FCB_HEADER structure FSRTL_CHANGE_BACKING_TYPE enumeration FSRTL_COMMON_FCB_HEADER structure FSRTL_PER_FILE_CONTEXT structure FSRTL_PER_FILEOBJECT_CONTEXT structure FSRTL_PER_STREAM_CONTEXT structure FsRtlAcknowledgeEcp function FsRtlAcquireFileExclusive function FsRtlAddBaseMcbEntryEx function FsRtlAddLargeMcbEntry function FsRtlAddMcbEntry function FsRtlAddToTunnelCache function FsRtlAllocateAePushLock function FsRtlAllocateExtraCreateParameter function FsRtlAllocateExtraCreateParameterFromLookasideList function FsRtlAllocateExtraCreateParameterList function FsRtlAllocateFileLock function FsRtlAllocatePoolWithQuotaTag macro FsRtlAllocatePoolWithTag macro FsRtlAllocateResource function FsRtlAreNamesEqual function FsRtlAreThereCurrentFileLocks macro FsRtlAreThereCurrentOrInProgressFileLocks function FsRtlAreThereWaitingFileLocks function FsRtlAreVolumeStartupApplicationsComplete function FsRtlBalanceReads function FsRtlCancellableWaitForMultipleObjects function FsRtlCancellableWaitForSingleObject function FsRtlChangeBackingFileObject function FsRtlCheckLockForOplockRequest function FsRtlCheckLockForReadAccess function FsRtlCheckLockForWriteAccess function FsRtlCheckOplock function FsRtlCheckOplockEx function FsRtlCheckOplockEx2 function FsRtlCheckUpperOplock function FsRtlCompleteRequest macro FsRtlCopyRead function FsRtlCopyWrite function FsRtlCreateSectionForDataScan function FsRtlCurrentBatchOplock function FsRtlCurrentOplock function FsRtlCurrentOplockH function FsRtlDeleteExtraCreateParameterLookasideList function FsRtlDeleteKeyFromTunnelCache function FsRtlDeleteTunnelCache function FsRtlDeregisterUncProvider function FsRtlDissectDbcs function FsRtlDissectName function FsRtlDoesDbcsContainWildCards function FsRtlDoesNameContainWildCards function FsRtlFastCheckLockForRead function FsRtlFastCheckLockForWrite function FsRtlFastLock macro FsRtlFastUnlockAll function FsRtlFastUnlockAllByKey function FsRtlFastUnlockSingle function FsRtlFindExtraCreateParameter function FsRtlFindInTunnelCache function FsRtlFreeAePushLock function FsRtlFreeExtraCreateParameter function FsRtlFreeExtraCreateParameterList function FsRtlFreeFileLock function FsRtlGetBypassIoOpenCount macro FsRtlGetBypassIoOpenCountPtr macro FsRtlGetEcpListFromIrp function FsRtlGetFileSize function FsRtlGetNextExtraCreateParameter function FsRtlGetNextFileLock function FsRtlGetNextLargeMcbEntry function FsRtlGetNextMcbEntry function FsRtlGetPerStreamContextPointer macro FsRtlGetSectorSizeInformation function FsRtlGetSupportedFeatures function FsRtlIncrementCcFastMdlReadWait function FsRtlIncrementCcFastReadNotPossible function FsRtlIncrementCcFastReadNoWait function FsRtlIncrementCcFastReadResourceMiss function FsRtlIncrementCcFastReadWait function FsRtlInitExtraCreateParameterLookasideList function FsRtlInitializeBaseMcb function FsRtlInitializeBaseMcbEx function FsRtlInitializeExtraCreateParameter function FsRtlInitializeExtraCreateParameterList function FsRtlInitializeFileLock function FsRtlInitializeLargeMcb function FsRtlInitializeMcb function FsRtlInitializeOplock function FsRtlInitializeTunnelCache function FsRtlInitPerStreamContext macro FsRtlInsertExtraCreateParameter function FsRtlInsertPerFileContext function FsRtlInsertPerFileObjectContext function FsRtlInsertPerStreamContext function FsRtlIsAnsiCharacterLegal macro FsRtlIsAnsiCharacterLegalFat macro FsRtlIsAnsiCharacterLegalHpfs macro FsRtlIsAnsiCharacterLegalNtfs macro FsRtlIsAnsiCharacterLegalNtfsStream macro FsRtlIsAnsiCharacterWild macro FsRtlIsDaxVolume function FsRtlIsDbcsInExpression function FsRtlIsEcpAcknowledged function FsRtlIsEcpFromUserMode function FsRtlIsFatDbcsLegal function FsRtlIsHpfsDbcsLegal function FsRtlIsLeadDbcsCharacter macro FsRtlIsNameInExpression function FsRtlIsNameInUnUpcasedExpression function FsRtlIsNtstatusExpected function FsRtlIsPagingFile function FsRtlIssueDeviceIoControl function FsRtlIsSystemPagingFile function FsRtlIsTotalDeviceFailure function FsRtlIsUnicodeCharacterWild macro FsRtlLogCcFlushError function FsRtlLookupBaseMcbEntry function FsRtlLookupLargeMcbEntry function FsRtlLookupLastLargeMcbEntry function FsRtlLookupLastLargeMcbEntryAndIndex function FsRtlLookupLastMcbEntry function FsRtlLookupMcbEntry function FsRtlLookupPerFileContext function FsRtlLookupPerFileObjectContext function FsRtlLookupPerStreamContext macro FsRtlLookupPerStreamContextInternal function FsRtlMdlReadCompleteDev function FsRtlMdlReadDev function FsRtlMdlReadEx function FsRtlMdlWriteCompleteDev function FsRtlMupGetProviderIdFromName function FsRtlMupGetProviderInfoFromFileObject function FsRtlNormalizeNtstatus function FsRtlNotifyCleanup function FsRtlNotifyCleanupAll function FsRtlNotifyFilterChangeDirectory function FsRtlNotifyFilterReportChange function FsRtlNotifyFullChangeDirectory function FsRtlNotifyFullReportChange function FsRtlNotifyInitializeSync function FsRtlNotifyUninitializeSync function FsRtlNotifyVolumeEvent function FsRtlNotifyVolumeEventEx function FsRtlNumberOfRunsInLargeMcb function FsRtlNumberOfRunsInMcb function FsRtlOplockBreakH function FsRtlOplockBreakToNone function FsRtlOplockBreakToNoneEx function FsRtlOplockFsctrl function FsRtlOplockFsctrlEx function FsRtlOplockIsFastIoPossible function FsRtlOplockIsSharedRequest function FsRtlOplockKeysEqual function FsRtlPostPagingFileStackOverflow function FsRtlPostStackOverflow function FsRtlPrepareMdlWriteDev function FsRtlPrepareMdlWriteEx function FsRtlPrepareToReuseEcp function FsRtlPrivateLock function FsRtlProcessFileLock function FsRtlQueryCachedVdl function FsRtlQueryKernelEaFile function FsRtlRegisterFileSystemFilterCallbacks function FsRtlRegisterUncProvider function FsRtlRegisterUncProviderEx function FsRtlReleaseFile function FsRtlRemoveBaseMcbEntry function FsRtlRemoveDotsFromPath function FsRtlRemoveExtraCreateParameter function FsRtlRemoveLargeMcbEntry function FsRtlRemoveMcbEntry function FsRtlRemovePerFileContext function FsRtlRemovePerFileObjectContext function FsRtlRemovePerStreamContext function FsRtlResetLargeMcb function FsRtlSetEcpListIntoIrp function FsRtlSetKernelEaFile function FsRtlSetupAdvancedHeader function FsRtlSetupAdvancedHeaderEx macro FsRtlSetupAdvancedHeaderEx2 macro FsRtlSplitLargeMcb function FsRtlSupportsPerFileContexts macro FsRtlTeardownPerFileContexts function FsRtlTeardownPerStreamContexts function FsRtlTestAnsiCharacter macro FsRtlTruncateLargeMcb function FsRtlTruncateMcb function FsRtlUninitializeBaseMcb function FsRtlUninitializeFileLock function FsRtlUninitializeLargeMcb function FsRtlUninitializeMcb function FsRtlUninitializeOplock function FsRtlUpperOplockFsctrl function FsRtlValidateReparsePointBuffer function GetSecurityUserInfo function IO_DEVICE_HINT_ECP_CONTEXT structure IO_PRIORITY_INFO structure IO_STOP_ON_SYMLINK_FILTER_ECP_v0 structure IoAcquireVpbSpinLock function IoCheckDesiredAccess function IoCheckEaBufferValidity function IoCheckFunctionAccess function IoCheckQuerySetFileInformation function IoCheckQuerySetVolumeInformation function IoCheckQuotaBufferValidity function IoCreateStreamFileObject function IoCreateStreamFileObjectEx function IoCreateStreamFileObjectEx2 function IoCreateStreamFileObjectLite function IOCTL_REDIR_QUERY_PATH IOCTL IOCTL_REDIR_QUERY_PATH_EX IOCTL IOCTL_VOLSNAP_FLUSH_AND_HOLD_WRITES IOCTL IoEnumerateDeviceObjectList function IoEnumerateRegisteredFiltersList function IoFastQueryNetworkAttributes function IoGetAttachedDevice function IoGetBaseFileSystemDeviceObject function IoGetDeviceAttachmentBaseRef function IoGetDeviceToVerify function IoGetDiskDeviceObject function IoGetLowerDeviceObject function IoGetRequestorProcess function IoGetRequestorProcessId function IoGetRequestorSessionId function IoGetTopLevelIrp function IoInitializePriorityInfo function IoIsFileOpenedExclusively macro IoIsOperationSynchronous function IoIsSystemThread function IoIsValidNameGraftingBuffer function IoPageRead function IoQueryFileDosDeviceName function IoQueryFileInformation function IoQueryVolumeInformation function IoQueueThreadIrp function IoRegisterFileSystem function IoRegisterFsRegistrationChange function IoRegisterFsRegistrationChangeEx function IoRegisterFsRegistrationChangeMountAware function IoReleaseVpbSpinLock function IoReplaceFileObjectName function IoSetDeviceToVerify function IoSetInformation function IoSetTopLevelIrp function IoSynchronousPageWrite function IoThreadToProcess function IoUnregisterFileSystem function IoUnregisterFsRegistrationChange function IoVerifyVolume function IsReparseTagMicrosoft macro IsReparseTagNameSurrogate macro IsReparseTagValid macro KeAttachProcess function KeDetachProcess function KeInitializeMutant function KeInitializeQueue function KeInsertHeadQueue function KeInsertQueue function KeQueryPerformanceCounter function KeReadStateMutant function KeReadStateQueue function KeReleaseMutant function KeReleaseQueuedSpinLock function KeRemoveQueue function KeRundownQueue function KeSetIdealProcessorThread function KeStackAttachProcess function KeTryToAcquireQueuedSpinLock function KeUnstackDetachProcess function MapSecurityError function MARK_HANDLE_INFO structure MARK_HANDLE_INFO32 structure MEMORY_INFORMATION_CLASS enumeration MmCanFileBeTruncated function MmDoesFileHaveUserWritableReferences function MmFlushImageSection function MmForceSectionClosed function MmForceSectionClosedEx function MmGetMaximumFileSectionSize function MmIsRecursiveIoFault function MmPrefetchPages function MmSetAddressRangeModified function NETWORK_APP_INSTANCE_EA structure NETWORK_APP_INSTANCE_ECP_CONTEXT structure NETWORK_OPEN_ECP_CONTEXT structure NETWORK_OPEN_ECP_CONTEXT_V0 structure NETWORK_OPEN_INTEGRITY_QUALIFIER enumeration NETWORK_OPEN_LOCATION_QUALIFIER enumeration NFS_OPEN_ECP_CONTEXT structure NtQueryInformationByName function ObInsertObject function ObIsKernelHandle function OBJECT_INFORMATION_CLASS enumeration ObMakeTemporaryObject function ObOpenObjectByPointer function ObQueryNameString function ObQueryObjectAuditingByHandle function OPEN_REPARSE_LIST structure OPEN_REPARSE_LIST_ENTRY structure OPLOCK_NOTIFY_PARAMS structure OPLOCK_NOTIFY_REASON enumeration PFSRTL_EXTRA_CREATE_PARAMETER_CLEANUP_CALLBACK callback function PREFETCH_OPEN_ECP_CONTEXT structure PsChargePoolQuota function PsDereferenceImpersonationToken function PsDereferencePrimaryToken function PsGetProcessExitTime function PsImpersonateClient function PsIsDiskCountersEnabled function PsIsThreadTerminating function PsLookupProcessByProcessId function PsLookupThreadByThreadId function PsReferenceImpersonationToken function PsReferencePrimaryToken function PsReturnPoolQuota function PsRevertToSelf function PsUpdateDiskCounters function PUBLIC_OBJECT_BASIC_INFORMATION structure PUBLIC_OBJECT_TYPE_INFORMATION structure QUERY_FILE_LAYOUT_INPUT structure QUERY_FILE_LAYOUT_OUTPUT structure QUERY_ON_CREATE_EA_INFORMATION structure QUERY_ON_CREATE_ECP_CONTEXT structure QUERY_ON_CREATE_FILE_LX_INFORMATION structure QUERY_ON_CREATE_FILE_STAT_INFORMATION structure QUERY_PATH_REQUEST structure QUERY_PATH_REQUEST_EX structure QUERY_PATH_RESPONSE structure REFS_SMR_VOLUME_GC_ACTION enumeration REFS_SMR_VOLUME_GC_METHOD enumeration REFS_SMR_VOLUME_GC_PARAMETERS structure REFS_SMR_VOLUME_GC_STATE enumeration REFS_SMR_VOLUME_INFO_OUTPUT structure REPARSE_DATA_BUFFER structure REPARSE_DATA_BUFFER_EX structure REPARSE_GUID_DATA_BUFFER structure RKF_BYPASS_ECP_CONTEXT structure RTL_MEMORY_TYPE enumeration RTL_SEGMENT_HEAP_MEMORY_SOURCE structure RTL_SEGMENT_HEAP_PARAMETERS structure RtlAbsoluteToSelfRelativeSD function RtlAddAccessAllowedAce function RtlAddAccessAllowedAceEx function RtlAddAce function RtlAllocateAndInitializeSid function RtlAllocateHeap function RtlAppendStringToString function RtlCaptureContext function RtlCaptureStackBackTrace function RtlCompareMemoryUlong function RtlCompressBuffer function RtlCompressChunks function RtlConvertSidToUnicodeString function RtlCopyLuid function RtlCopySid function RtlCreateAcl function RtlCreateHeap function RtlCreateSecurityDescriptorRelative function RtlCreateSystemVolumeInformationFolder function RtlCreateUnicodeString function RtlCustomCPToUnicodeN function RtlDecompressBuffer function RtlDecompressBufferEx function RtlDecompressBufferEx2 function RtlDecompressChunks function RtlDecompressFragment function RtlDecompressFragmentEx function RtlDeleteAce function RtlDescribeChunk function RtlDestroyHeap function RtlDowncaseUnicodeString function RtlEqualPrefixSid function RtlEqualSid function RtlFillMemoryUlong function RtlFillMemoryUlonglong macro RtlFindUnicodePrefix function RtlFreeHeap function RtlFreeOemString function RtlFreeSid function RtlGenerate8dot3Name function RtlGetAce function RtlGetCompressionWorkSpaceSize function RtlGetDaclSecurityDescriptor function RtlGetGroupSecurityDescriptor function RtlGetOwnerSecurityDescriptor function RtlGetSaclSecurityDescriptor function RtlIdentifierAuthoritySid function RtlInitCodePageTable function RtlInitializeSid function RtlInitializeSidEx function RtlInitializeUnicodePrefix function RtlInitUTF8StringEx function RtlInsertUnicodePrefix function RtlIsCloudFilesPlaceholder function RtlIsNameLegalDOS8Dot3 function RtlIsPartialPlaceholder function RtlIsPartialPlaceholderFileHandle function RtlIsPartialPlaceholderFileInfo function RtlIsValidOemCharacter function RtlLengthRequiredSid function RtlLengthSid function RtlMultiByteToUnicodeN function RtlMultiByteToUnicodeSize function RtlNextUnicodePrefix function RtlNtStatusToDosError function RtlNtStatusToDosErrorNoTeb function RtlOemStringToCountedUnicodeSize macro RtlOemStringToCountedUnicodeString function RtlOemStringToUnicodeSize macro RtlOemStringToUnicodeString function RtlOemToUnicodeN function RtlQueryPackageIdentity function RtlQueryPackageIdentityEx function RtlQueryProcessPlaceholderCompatibilityMode function RtlQueryThreadPlaceholderCompatibilityMode function RtlRandom function RtlRandomEx function RtlRemoveUnicodePrefix function RtlReserveChunk function RtlSecondsSince1970ToTime function RtlSecondsSince1980ToTime function RtlSelfRelativeToAbsoluteSD function RtlSetGroupSecurityDescriptor function RtlSetOwnerSecurityDescriptor function RtlSetProcessPlaceholderCompatibilityMode function RtlSetThreadPlaceholderCompatibilityMode function RtlSubAuthorityCountSid function RtlSubAuthoritySid function RtlTimeToSecondsSince1970 function RtlTimeToSecondsSince1980 function RtlUnicodeStringToCountedOemString function RtlUnicodeStringToOemSize macro RtlUnicodeStringToOemString function RtlUnicodeStringToUTF8String function RtlUnicodeToCustomCPN function RtlUnicodeToMultiByteN function RtlUnicodeToMultiByteSize function RtlUnicodeToOemN function RtlUpcaseUnicodeStringToCountedOemString function RtlUpcaseUnicodeStringToOemString function RtlUpcaseUnicodeToCustomCPN function RtlUpcaseUnicodeToMultiByteN function RtlUpcaseUnicodeToOemN function RtlUTF8StringToUnicodeString function RtlValidSid function RtlxOemStringToUnicodeSize function RtlxUnicodeStringToOemSize function SE_EXPORTS structure SE_SID union SE_TOKEN_USER structure SeAppendPrivileges function SeAuditHardLinkCreation function SeAuditingFileEvents function SeAuditingFileOrGlobalEvents function SeAuditingHardLinkEvents function SeCaptureSubjectContext function SecLookupAccountName function SecLookupAccountSid function SecLookupWellKnownSid function SecMakeSPN function SecMakeSPNEx function SecMakeSPNEx2 function SeCreateClientSecurity function SeCreateClientSecurityFromSubjectContext function SECURITY_DESCRIPTOR structure SeDeleteClientSecurity function SeDeleteObjectAuditAlarm function SeFilterToken function SeImpersonateClient function SeImpersonateClientEx function SeLengthSid macro SeLockSubjectContext function SeMarkLogonSessionForTerminationNotification function SeOpenObjectAuditAlarm function SeOpenObjectForDeleteAuditAlarm function SePrivilegeCheck function SeQueryAuthenticationIdToken function SeQueryInformationToken function SeQuerySecurityDescriptorInfo function SeQuerySessionIdToken function SeQuerySubjectContextToken macro SeRegisterLogonSessionTerminatedRoutine function SeReleaseSubjectContext function SeSetAccessStateGenericMapping function SeSetSecurityDescriptorInfo function SeSetSecurityDescriptorInfoEx function SeSetSessionIdToken function SET_DAX_ALLOC_ALIGNMENT_HINT_INPUT structure SeTokenGetNoChildProcessRestricted function SeTokenIsAdmin function SeTokenIsNoChildProcessRestrictionEnforced function SeTokenIsRestricted function SeTokenSetNoChildProcessRestricted function SeTokenType function SeUnlockSubjectContext function SeUnregisterLogonSessionTerminatedRoutine function SID structure SID_AND_ATTRIBUTES structure SID_IDENTIFIER_AUTHORITY structure SID_NAME_USE enumeration SRV_INSTANCE_TYPE enumeration SRV_OPEN_ECP_CONTEXT structure STORAGE_RESERVE_ID enumeration SYSTEM_ALARM_ACE structure SYSTEM_AUDIT_ACE structure SYSTEM_PROCESS_TRUST_LABEL_ACE structure SYSTEM_RESOURCE_ATTRIBUTE_ACE structure SYSTEM_SCOPED_POLICY_ID_ACE structure TOKEN_CONTROL structure TOKEN_DEFAULT_DACL structure TOKEN_GROUPS structure TOKEN_GROUPS_AND_PRIVILEGES structure TOKEN_INFORMATION_CLASS enumeration TOKEN_ORIGIN structure TOKEN_OWNER structure TOKEN_PRIMARY_GROUP structure TOKEN_PRIVILEGES structure TOKEN_SOURCE structure TOKEN_STATISTICS structure TOKEN_TYPE enumeration TOKEN_USER structure TUNNEL structure VIRTUAL_STORAGE_BEHAVIOR_CODE enumeration VIRTUAL_STORAGE_SET_BEHAVIOR_INPUT structure VIRTUALIZATION_INSTANCE_INFO_INPUT_EX structure WIM_PROVIDER_ADD_OVERLAY_INPUT structure WIM_PROVIDER_EXTERNAL_INFO structure WIM_PROVIDER_OVERLAY_ENTRY structure WIM_PROVIDER_REMOVE_OVERLAY_INPUT structure WIM_PROVIDER_SUSPEND_OVERLAY_INPUT structure WIM_PROVIDER_UPDATE_OVERLAY_INPUT structure WOF_EXTERNAL_FILE_ID structure WOF_EXTERNAL_INFO structure WOF_VERSION_INFO structure */ } }