using System; using System.Runtime.InteropServices; using System.Text; namespace Vanara.PInvoke { public static partial class Kernel32 { ///

Adds a dynamic function table to the dynamic function table list.

/// /// A pointer to an array of function entries. For a definition of the PRUNTIME_FUNCTION type, see WinNT.h. For more information on runtime /// function entries, see the calling convention documentation for the processor. /// /// The number of entries in the FunctionTable array. /// The base address to use when computing full virtual addresses from relative virtual addresses of function table entries. /// /// The target global pointer. This is part of the Intel IPF calling convention. It is a pointer to a data area in an image. /// This parameter does not exist on x64. /// /// If the function succeeds, the return value is TRUE. Otherwise, the return value is FALSE. // BOOLEAN WINAPI RtlAddFunctionTable( _In_ PRUNTIME_FUNCTION FunctionTable, _In_ DWORD EntryCount, _In_ DWORD64 BaseAddress, _In_ ULONGLONG TargetGp); // https://msdn.microsoft.com/en-us/library/windows/desktop/ms680588(v=vs.85).aspx [DllImport(Lib.Kernel32, SetLastError = false, ExactSpelling = true)] [PInvokeData("WinNT.h", MSDNShortId = "ms680588")] [return: MarshalAs(UnmanagedType.U1)] public static extern bool RtlAddFunctionTable(IntPtr FunctionTable, uint EntryCount, ulong BaseAddress, ulong TargetGp); ///

Retrieves a context record in the context of the caller.

/// A pointer to a CONTEXT structure. /// This function does not return a value. // VOID WINAPI RtlCaptureContext( _Out_ PCONTEXT ContextRecord); https://msdn.microsoft.com/en-us/library/windows/desktop/ms680591(v=vs.85).aspx [DllImport(Lib.Kernel32, SetLastError = false, ExactSpelling = true)] [PInvokeData("WinNT.h", MSDNShortId = "ms680591")] public static extern void RtlCaptureContext(ref CONTEXT ContextRecord); ///

Removes a dynamic function table from the dynamic function table list.

A pointer to an array of function entries that were previously passed to RtlAddFunctionTable or an identifier previously passed to RtlInstallFunctionTableCallback. For a definition of the PRUNTIME_FUNCTION type, see WinNT.h.If the function succeeds, the return value is TRUE. Otherwise, the return value is FALSE. // BOOLEAN WINAPI RtlDeleteFunctionTable( _In_ PRUNTIME_FUNCTION FunctionTable); // https://msdn.microsoft.com/en-us/library/windows/desktop/ms680593(v=vs.85).aspx [DllImport(Lib.Kernel32, SetLastError = false, ExactSpelling = true)] [PInvokeData("WinNT.h", MSDNShortId = "ms680593")] [return: MarshalAs(UnmanagedType.U1)] public static extern bool RtlDeleteFunctionTable(IntPtr FunctionTable); ///

Adds a dynamic function table to the dynamic function table list.

The identifier for the dynamic function table callback. The two low-order bits must be set. For example, BaseAddress|0x3.The base address of the region of memory managed by the callback function.The size of the region of memory managed by the callback function, in bytes.A pointer to the callback function that is called to retrieve the function table entries for the functions in the specified region of memory. For a definition of the PGET_RUNTIME_FUNCTION_CALLBACK type, see WinNT.h.A pointer to the user-defined data to be passed to the callback function.An optional pointer to a string that specifies the path of a DLL that provides function table entries that are outside the process.When a debugger unwinds to a function in the range of addresses managed by the callback function, it loads this DLL and calls the OUT_OF_PROCESS_FUNCTION_TABLE_CALLBACK_EXPORT_NAME function, whose type is POUT_OF_PROCESS_FUNCTION_TABLE_CALLBACK. For more information, see the definitions of these items in WinNT.h.If the function succeeds, the return value is TRUE. If the function fails, the return value is FALSE. // BOOLEAN WINAPI RtlInstallFunctionTableCallback( _In_ DWORD64 TableIdentifier, _In_ DWORD64 BaseAddress, _In_ DWORD Length, _In_ PGET_RUNTIME_FUNCTION_CALLBACK Callback, _In_ PVOID Context, _In_ PCWSTR OutOfProcessCallbackDll); // https://msdn.microsoft.com/en-us/library/windows/desktop/ms680595(v=vs.85).aspx [DllImport(Lib.Kernel32, SetLastError = false, ExactSpelling = true, CharSet = CharSet.Unicode)] [PInvokeData("WinNT.h", MSDNShortId = "ms680595")] [return: MarshalAs(UnmanagedType.U1)] public static extern bool RtlInstallFunctionTableCallback(ulong TableIdentifier, ulong BaseAddress, uint Length, PGET_RUNTIME_FUNCTION_CALLBACK Callback, IntPtr Context, [Optional] string OutOfProcessCallbackDll); ///

Retrieves the function table entries for the functions in the specified region of memory.

/// The control address. /// A pointer to the user-defined data to be passed from the function call. /// [UnmanagedFunctionPointer(CallingConvention.Winapi)] [PInvokeData("WinNT.h")] public delegate IntPtr PGET_RUNTIME_FUNCTION_CALLBACK(uint ControlPc, IntPtr Context); ///

Searches the active function tables for an entry that corresponds to the specified PC value.

/// The virtual address of an instruction bundle within the function. /// The base address of module to which the function belongs. /// /// The global pointer value of the module. /// This parameter has a different declaration on x64 and ARM systems. For more information, see x64 Definition and ARM Definition. /// /// /// If there is no entry in the function table for the specified PC, the function returns NULL. Otherwise, the function returns the address of the /// function table entry that corresponds to the specified PC. /// // PVOID WINAPI RtlLookupFunctionEntry( _In_ ULONGLONG ControlPc, _Out_ PULONGLONG ImageBase, _Out_ PULONGLONG TargetGp); // https://msdn.microsoft.com/en-us/library/windows/desktop/ms680597(v=vs.85).aspx [DllImport(Lib.Kernel32, SetLastError = false, ExactSpelling = true)] [PInvokeData("WinNT.h", MSDNShortId = "ms680597")] public static extern IntPtr RtlLookupFunctionEntry(ulong ControlPc, out ulong ImageBase, out ulong TargetGp); ///

Moves a block of memory from one location to another.

/// A pointer to the starting address of the move destination. /// A pointer to the starting address of the block of memory to be moved. /// The size of the block of memory to move, in bytes. /// This function has no return value. // void MoveMemory( _In_ PVOID Destination, _In_ const VOID *Source, _In_ SIZE_T Length); // https://msdn.microsoft.com/en-us/library/windows/desktop/aa366788(v=vs.85).aspx [DllImport(Lib.Kernel32, SetLastError = false, EntryPoint = "RtlMoveMemory")] [PInvokeData("WinBase.h", MSDNShortId = "aa366788")] public static extern void MoveMemory(IntPtr Destination, IntPtr Source, SizeT Length); ///

Retrieves the base address of the image that contains the specified PC value.

/// /// The PC value. The function searches all modules mapped into the address space of the calling process for a module that contains this value. /// /// /// The base address of the image containing the PC value. This value must be added to any relative addresses in the headers to locate the image. /// /// /// If the PC value is found, the function returns the base address of the image that contains the PC value. /// If no image contains the PC value, the function returns NULL. /// // PVOID WINAPI RtlPcToFileHeader( _In_ PVOID PcValue, _Out_ PVOID *BaseOfImage); // https://msdn.microsoft.com/en-us/library/windows/desktop/ms680603(v=vs.85).aspx [DllImport(Lib.Kernel32, SetLastError = false, ExactSpelling = true)] [PInvokeData("WinNT.h", MSDNShortId = "ms680603")] public static extern IntPtr RtlPcToFileHeader(IntPtr PcValue, out IntPtr BaseOfImage); ///

Restores the context of the caller to the specified context record.

/// A pointer to a CONTEXT structure. /// /// A pointer to an EXCEPTION_RECORD structure. This parameter is optional and should typically be NULL. /// /// An exception record is used primarily with long jump and C++ catch-throw support. If the ExceptionCode member is STATUS_LONGJUMP, the /// ExceptionInformation member contains a pointer to a jump buffer. RtlRestoreContext will copy the non-volatile state from the jump /// buffer in to the context record before the context record is restored. /// /// /// If the ExceptionCode member is STATUS_UNWIND_CONSOLIDATE, the ExceptionInformation member contains a pointer to a callback function, /// such as a catch handler. RtlRestoreContext consolidates the call frames between its frame and the frame specified in the context record before /// calling the callback function. This hides frames from any exception handling that might occur in the callback function. The difference between this /// and a typical unwind is that the data on the stack is still present, so frame data such as a throw object is still available. The callback function /// returns a new program counter to update in the context record, which is then used in a normal restore context. /// /// /// This function does not return a value. // VOID WINAPI RtlRestoreContext( _In_ PCONTEXT ContextRecord, _In_ PEXCEPTION_RECORD ExceptionRecord); https://msdn.microsoft.com/en-us/library/windows/desktop/ms680605(v=vs.85).aspx [DllImport(Lib.Kernel32, SetLastError = false, ExactSpelling = true)] [PInvokeData("WinNT.h", MSDNShortId = "ms680605")] public static extern void RtlRestoreContext(ref CONTEXT ContextRecord, ref EXCEPTION_RECORD ExceptionRecord); ///

Initiates an unwind of procedure call frames.

/// /// A pointer to the call frame that is the target of the unwind. If this parameter is NULL, the function performs an exit unwind. /// /// The continuation address of the unwind. This parameter is ignored if TargetFrame is NULL. /// A pointer to an EXCEPTION_RECORD structure. /// A value to be placed in the integer function return register before continuing execution. /// A pointer to a CONTEXT structure that stores context during the unwind operation. /// /// A pointer to the unwind history table. This structure is processor specific. For definitions of this structure, see Winternl.h. /// /// This function does not return a value. // void WINAPI RtlUnwindEx( _In_opt_ PVOID TargetFrame, _In_opt_ PVOID TargetIp, _In_opt_ PEXCEPTION_RECORD ExceptionRecord, _In_ PVOID ReturnValue, _In_ // PCONTEXT OriginalContext, _In_opt_ PUNWIND_HISTORY_TABLE HistoryTable); https://msdn.microsoft.com/en-us/library/windows/desktop/ms680615(v=vs.85).aspx [DllImport(Lib.Kernel32, SetLastError = false, ExactSpelling = true)] [PInvokeData("WinNT.h", MSDNShortId = "ms680615")] public static extern void RtlUnwindEx(IntPtr TargetFrame, IntPtr TargetIp, ref EXCEPTION_RECORD ExceptionRecord, IntPtr ReturnValue, ref CONTEXT OriginalContext, IntPtr HistoryTable); /* public static extern void RtlCaptureStackBackTrace(); public static extern void RtlCompareMemory(); public static extern void RtlCopyMemory(); public static extern void RtlFillMemory(); ///

Retrieves the invocation context of the function that precedes the specified function context.

/// /// The handler type. This parameter can be one of the following values. /// This parameter is only present on x64. /// /// /// /// Value /// Meaning /// /// /// UNW_FLAG_NHANDLER0x0 /// The function has no handler. /// /// /// UNW_FLAG_EHANDLER0x1 /// The function has an exception handler that should be called. /// /// /// UNW_FLAG_UHANDLER0x2 /// The function has a termination handler that should be called when unwinding an exception. /// /// /// UNW_FLAG_CHAININFO0x4 /// The FunctionEntry member is the contents of a previous function table entry. /// /// /// /// /// The base address of the module to which the function belongs. /// The virtual address where control left the specified function. /// /// The address of the function table entry for the specified function. To obtain the function table entry, call the RtlLookupFunctionEntry function. /// /// A pointer to a CONTEXT structure that represents the context of the previous frame. /// /// /// The location of the PC. If this parameter is 0, the PC is in the prologue, epilogue, or a null frame region of the function. If this parameter is 1, /// the PC is in the body of the function. /// /// This parameter is not present on x64. /// /// /// /// A pointer to a FRAME_POINTERS structure that receives the establisher frame pointer value. The real frame pointer is defined only if /// InFunction is 1. /// /// This parameter is of type PULONG64 on x64. /// /// An optional pointer to a context pointers structure. /// This function returns a pointer to an EXCEPTION_ROUTINE callback function. // PEXCEPTION_ROUTINE WINAPI RtlVirtualUnwind( _In_ HandlerType, _In_ ImageBase, _In_ ControlPC, _In_ FunctionEntry, _Inout_ ContextRecord, _Out_ InFunction, _Out_ EstablisherFrame, _Inout_opt_ ContextPointers); // https://msdn.microsoft.com/en-us/library/windows/desktop/ms680617(v=vs.85).aspx [DllImport(Lib.Kernel32, SetLastError = false, EntryPoint = "RtlVirtualUnwind")] [PInvokeData("WinNT.h", MSDNShortId = "ms680617")] public static extern EXCEPTION_ROUTINE RtlVirtualUnwindX64(UNW_FLAGS HandlerType, UIntPtr ImageBase, UIntPtr ControlPC, IntPtr FunctionEntry, ref CONTEXT ContextRecord, out IntPtr HandlerData, out ulong EstablisherFrame, IntPtr ContextPointers); ///

The handler type.

[Flags] public enum UNW_FLAGS : uint { ///

The function has no handler.

UNW_FLAG_NHANDLER = 0x0, ///

The function has an exception handler that should be called.

UNW_FLAG_EHANDLER = 0x1, ///

The function has a termination handler that should be called when unwinding an exception.

UNW_FLAG_UHANDLER = 0x2, ///

The FunctionEntry member is the contents of a previous function table entry.

UNW_FLAG_CHAININFO = 0x4, ///

Undocumented.

UNW_FLAG_NO_EPILOGUE = 0x80000000, } public delegate EXCEPTION_DISPOSITION EXCEPTION_ROUTINE(ref EXCEPTION_RECORD ExceptionRecord, IntPtr EstablisherFrame, ref CONTEXT ContextRecord, IntPtr DispatcherContext); */ ///

The RtlZeroMemory routine fills a block of memory with zeros, given a pointer to the block and the length, in bytes, to be filled.

/// A pointer to the memory block to be filled with zeros. /// The number of bytes to fill with zeros. // https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-rtlzeromemory [DllImport(Lib.Kernel32, SetLastError = false, ExactSpelling = true)] [PInvokeData("WinNT.h")] public static extern void RtlZeroMemory(IntPtr Destination, SizeT Length); } }