Process Hacker
ntldr.h
1 #ifndef _NTLDR_H
2 #define _NTLDR_H
3 
4 #if (PHNT_MODE != PHNT_MODE_KERNEL)
5 
6 // DLLs
7 
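// symbols
// One node of a singly linked list of service tags; LDR_DDAG_NODE.ServiceTagList
// points at the first record.
typedef struct _LDR_SERVICE_TAG_RECORD
{
    struct _LDR_SERVICE_TAG_RECORD *Next; // following record; presumably NULL at the tail (confirm)
    ULONG ServiceTag;
} LDR_SERVICE_TAG_RECORD, *PLDR_SERVICE_TAG_RECORD;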
14 
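// symbols
// List header that stores only a pointer to the tail entry.
// NOTE(review): the name suggests a circular singly linked list reached through
// its tail; confirm before writing a walker, and bound any walk so a corrupted
// list cannot loop forever.
typedef struct _LDRP_CSLIST
{
    PSINGLE_LIST_ENTRY Tail;
} LDRP_CSLIST, *PLDRP_CSLIST;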
20 
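// symbols
// State value stored in LDR_DDAG_NODE.State.
// Non-negative values run from 0 (placeholder) to 9 (ready to run); the
// negative values name unload, error and merge conditions. Code that reads the
// state from another process or from a dump should treat any value outside
// -5..9 as invalid rather than index a table with it.
typedef enum _LDR_DDAG_STATE
{
    LdrModulesMerged = -5,
    LdrModulesInitError = -4,
    LdrModulesSnapError = -3,
    LdrModulesUnloaded = -2,
    LdrModulesUnloading = -1,
    LdrModulesPlaceHolder = 0,
    LdrModulesMapping = 1,
    LdrModulesMapped = 2,
    LdrModulesWaitingForDependencies = 3,
    LdrModulesSnapping = 4,
    LdrModulesSnapped = 5,
    LdrModulesCondensed = 6,
    LdrModulesReadyToInit = 7,
    LdrModulesInitializing = 8,
    LdrModulesReadyToRun = 9
} LDR_DDAG_STATE;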
40 
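// symbols
// Dependency-graph node referenced by LDR_DATA_TABLE_ENTRY.DdagNode.
// NOTE(review): everything here sits in memory the owning process can write.
// A reader working on another process or on a dump should validate each
// pointer and cap list traversal instead of trusting the counts.
typedef struct _LDR_DDAG_NODE
{
    LIST_ENTRY Modules;                     // list head; presumably linked through LDR_DATA_TABLE_ENTRY.NodeModuleLink (confirm)
    PLDR_SERVICE_TAG_RECORD ServiceTagList; // first service tag record, if any
    ULONG LoadCount;
    ULONG ReferenceCount;
    ULONG DependencyCount;
    union
    {
        // The two members share storage; which one is live presumably depends
        // on State (confirm).
        LDRP_CSLIST Dependencies;
        SINGLE_LIST_ENTRY RemovalLink;
    };
    LDRP_CSLIST IncomingDependencies;
    LDR_DDAG_STATE State;
    SINGLE_LIST_ENTRY CondenseLink;
    ULONG PreorderNumber;
    ULONG LowestLink;
} LDR_DDAG_NODE, *PLDR_DDAG_NODE;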
60 
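// rev
// Edge record holding two list links and the node each link leads to.
// NOTE(review): the "rev" tag presumably marks a layout that was reconstructed
// rather than taken from symbols; treat the offsets as build-specific until
// checked against the target build.
typedef struct _LDR_DEPENDENCY_RECORD
{
    SINGLE_LIST_ENTRY DependencyLink;
    PLDR_DDAG_NODE DependencyNode;
    SINGLE_LIST_ENTRY IncomingDependencyLink;
    PLDR_DDAG_NODE IncomingDependencyNode;
} LDR_DEPENDENCY_RECORD, *PLDR_DEPENDENCY_RECORD;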
69 
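// symbols
// Value stored in LDR_DATA_TABLE_ENTRY.LoadReason. Enumerators count up from 0
// in declaration order; LoadReasonUnknown is the explicit -1 sentinel.
// For module inventory and triage the value separates static imports from
// dynamic and as-data loads, but it is read from process-writable memory and
// is a hint, not evidence.
typedef enum _LDR_DLL_LOAD_REASON
{
    LoadReasonStaticDependency,
    LoadReasonStaticForwarderDependency,
    LoadReasonDynamicForwarderDependency,
    LoadReasonDelayloadDependency,
    LoadReasonDynamicLoad,
    LoadReasonAsImageLoad,
    LoadReasonAsDataLoad,
    LoadReasonUnknown = -1
} LDR_DLL_LOAD_REASON, *PLDR_DLL_LOAD_REASON;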
82 
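// Masks for LDR_DATA_TABLE_ENTRY.Flags. Each value matches the position of the
// same-named member of the bit-field overlay in that structure, assuming the
// compiler allocates bit-fields from the least significant bit.
#define LDRP_PACKAGED_BINARY 0x00000001
#define LDRP_IMAGE_DLL 0x00000004
#define LDRP_LOAD_IN_PROGRESS 0x00001000
#define LDRP_ENTRY_PROCESSED 0x00004000
#define LDRP_DONT_CALL_FOR_THREADS 0x00040000
#define LDRP_PROCESS_ATTACH_CALLED 0x00080000
#define LDRP_PROCESS_ATTACH_FAILED 0x00100000
// Bit 21 is version dependent: the overlay names it CorDeferredValidate, so
// check the OS version before interpreting it.
#define LDRP_IMAGE_NOT_AT_BASE 0x00200000 // Vista and below
#define LDRP_COR_IMAGE 0x00400000
#define LDRP_DONT_RELOCATE 0x00800000
#define LDRP_REDIRECTED 0x10000000
#define LDRP_COMPAT_DATABASE_PROCESSED 0x80000000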
95 
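// Size of LDR_DATA_TABLE_ENTRY as of the named Windows release, expressed as
// the offset of the first member that follows that release's layout.
// When copying an entry out of another process or a dump, read only the number
// of bytes that matches the target OS and do not touch members at or beyond
// that offset; on an older target they are unrelated memory.
#define LDR_DATA_TABLE_ENTRY_SIZE_WINXP FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, DdagNode)
#define LDR_DATA_TABLE_ENTRY_SIZE_WIN7 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, BaseNameHashValue)
#define LDR_DATA_TABLE_ENTRY_SIZE_WIN8 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, ImplicitPathOptions)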
100 
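// symbols
// The loader's per-module record. The leading LIST_ENTRY members place the
// record on the loader's module lists, DllBase/SizeOfImage give the mapped
// range, and FullDllName/BaseDllName hold the recorded names.
//
// NOTE(review): this header section is user-mode only, and the record lives in
// memory the described process can write. Tools that read it for module
// inventory or detection should cross-check DllBase, SizeOfImage and the name
// strings against an independent view of the mapping, validate every
// UNICODE_STRING length and buffer pointer before copying, and bound list walks.
//
// Members from DdagNode onward are not present on every release; consult the
// LDR_DATA_TABLE_ENTRY_SIZE_* macros before reading them.
typedef struct _LDR_DATA_TABLE_ENTRY
{
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    union
    {
        LIST_ENTRY InInitializationOrderLinks;
        LIST_ENTRY InProgressLinks;
    };
    PVOID DllBase;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    union
    {
        // Three views of the same 32 bits: bytes, whole word, named bits.
        UCHAR FlagGroup[4];
        ULONG Flags; // test with the LDRP_* masks
        struct
        {
            ULONG PackagedBinary : 1;          // bit 0, LDRP_PACKAGED_BINARY
            ULONG MarkedForRemoval : 1;
            ULONG ImageDll : 1;                // bit 2, LDRP_IMAGE_DLL
            ULONG LoadNotificationsSent : 1;
            ULONG TelemetryEntryProcessed : 1;
            ULONG ProcessStaticImport : 1;
            ULONG InLegacyLists : 1;
            ULONG InIndexes : 1;
            ULONG ShimDll : 1;
            ULONG InExceptionTable : 1;
            ULONG ReservedFlags1 : 2;
            ULONG LoadInProgress : 1;          // bit 12, LDRP_LOAD_IN_PROGRESS
            ULONG LoadConfigProcessed : 1;
            ULONG EntryProcessed : 1;          // bit 14, LDRP_ENTRY_PROCESSED
            ULONG ProtectDelayLoad : 1;
            ULONG ReservedFlags3 : 2;
            ULONG DontCallForThreads : 1;      // bit 18, LDRP_DONT_CALL_FOR_THREADS
            ULONG ProcessAttachCalled : 1;     // bit 19, LDRP_PROCESS_ATTACH_CALLED
            ULONG ProcessAttachFailed : 1;     // bit 20, LDRP_PROCESS_ATTACH_FAILED
            ULONG CorDeferredValidate : 1;     // bit 21; same bit as LDRP_IMAGE_NOT_AT_BASE (Vista and below)
            ULONG CorImage : 1;                // bit 22, LDRP_COR_IMAGE
            ULONG DontRelocate : 1;            // bit 23, LDRP_DONT_RELOCATE
            ULONG CorILOnly : 1;
            ULONG ReservedFlags5 : 3;
            ULONG Redirected : 1;              // bit 28, LDRP_REDIRECTED
            ULONG ReservedFlags6 : 2;
            ULONG CompatDatabaseProcessed : 1; // bit 31, LDRP_COMPAT_DATABASE_PROCESSED
        };
    };
    USHORT ObsoleteLoadCount;
    USHORT TlsIndex;
    LIST_ENTRY HashLinks;
    ULONG TimeDateStamp;
    struct _ACTIVATION_CONTEXT *EntryPointActivationContext;
    PVOID Lock;
    PLDR_DDAG_NODE DdagNode;              // LDR_DATA_TABLE_ENTRY_SIZE_WINXP ends here
    LIST_ENTRY NodeModuleLink;
    struct _LDRP_LOAD_CONTEXT *LoadContext;
    PVOID ParentDllBase;
    PVOID SwitchBackContext;
    RTL_BALANCED_NODE BaseAddressIndexNode;
    RTL_BALANCED_NODE MappingInfoIndexNode;
    ULONG_PTR OriginalBase;
    LARGE_INTEGER LoadTime;
    ULONG BaseNameHashValue;              // LDR_DATA_TABLE_ENTRY_SIZE_WIN7 ends here
    LDR_DLL_LOAD_REASON LoadReason;
    ULONG ImplicitPathOptions;            // LDR_DATA_TABLE_ENTRY_SIZE_WIN8 ends here
    ULONG ReferenceCount;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;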
171 
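// Signature of a DLL initialization routine: receives the module handle, a
// reason code and an optional context record, and returns a BOOLEAN.
// NOTE(review): presumably this is the type of LDR_DATA_TABLE_ENTRY.EntryPoint;
// that member is declared PVOID here, so confirm before casting.
typedef BOOLEAN (NTAPI *PDLL_INIT_ROUTINE)(
    _In_ PVOID DllHandle,
    _In_ ULONG Reason,
    _In_opt_ PCONTEXT Context
    );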
177 
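// Loads the module named by DllName and returns its handle in *DllHandle.
// DllPath and DllCharacteristics are optional.
// NOTE(review): with DllPath omitted the loader presumably falls back to a
// default search path. Callers that load by bare file name inherit whatever
// that path contains; pass a fully qualified DllName when the module must come
// from one specific location. *DllHandle is meaningful only on success.
NTSYSAPI
NTSTATUS
NTAPI
LdrLoadDll(
    _In_opt_ PWSTR DllPath,
    _In_opt_ PULONG DllCharacteristics,
    _In_ PUNICODE_STRING DllName,
    _Out_ PVOID *DllHandle
    );

// Releases a module handle.
// NOTE(review): presumably drops one reference and unmaps at zero; no pointer
// into the module may be used after the final unload.
NTSYSAPI
NTSTATUS
NTAPI
LdrUnloadDll(
    _In_ PVOID DllHandle
    );

// Looks up a module by name and returns its handle in *DllHandle.
NTSYSAPI
NTSTATUS
NTAPI
LdrGetDllHandle(
    _In_opt_ PWSTR DllPath,
    _In_opt_ PULONG DllCharacteristics,
    _In_ PUNICODE_STRING DllName,
    _Out_ PVOID *DllHandle
    );

// Flags for LdrGetDllHandleEx.
// NOTE(review): going by the names, UNCHANGED_REFCOUNT returns the handle
// without taking a reference, so the module can be unloaded by another thread
// while the handle is still in use, and PIN keeps the module loaded. Confirm.
#define LDR_GET_DLL_HANDLE_EX_UNCHANGED_REFCOUNT 0x00000001
#define LDR_GET_DLL_HANDLE_EX_PIN 0x00000002

// Flag-taking form of LdrGetDllHandle. DllHandle is optional here, so the call
// can be used only to test for presence (or, presumably, to pin).
NTSYSAPI
NTSTATUS
NTAPI
LdrGetDllHandleEx(
    _In_ ULONG Flags,
    _In_opt_ PCWSTR DllPath,
    _In_opt_ PULONG DllCharacteristics,
    _In_ PUNICODE_STRING DllName,
    _Out_opt_ PVOID *DllHandle
    );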
218 
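#if (PHNT_VERSION >= PHNT_WIN7)
// rev
// Returns in *DllHandle the module handle that corresponds to the mapping at
// Base. Declared for Windows 7 and later only.
NTSYSAPI
NTSTATUS
NTAPI
LdrGetDllHandleByMapping(
    _In_ PVOID Base,
    _Out_ PVOID *DllHandle
    );
#endif

#if (PHNT_VERSION >= PHNT_WIN7)
// rev
// Looks up a module by base name and/or full name. Both names are annotated
// optional; presumably at least one must be supplied (confirm).
NTSYSAPI
NTSTATUS
NTAPI
LdrGetDllHandleByName(
    _In_opt_ PUNICODE_STRING BaseDllName,
    _In_opt_ PUNICODE_STRING FullDllName,
    _Out_ PVOID *DllHandle
    );
#endif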
241 
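// Flag for LdrAddRefDll; by its name it pins the module instead of adding one
// counted reference (confirm).
#define LDR_ADDREF_DLL_PIN 0x00000001

// Adds a reference to (or pins) an already loaded module.
NTSYSAPI
NTSTATUS
NTAPI
LdrAddRefDll(
    _In_ ULONG Flags,
    _In_ PVOID DllHandle
    );

// Resolves an export of DllHandle and returns its address in
// *ProcedureAddress. ProcedureName is optional.
// NOTE(review): presumably the export is selected by name when ProcedureName
// is given and by ProcedureNumber (ordinal) otherwise. Check the returned
// NTSTATUS before calling through *ProcedureAddress; on failure its content is
// not established by this declaration.
NTSYSAPI
NTSTATUS
NTAPI
LdrGetProcedureAddress(
    _In_ PVOID DllHandle,
    _In_opt_ PANSI_STRING ProcedureName,
    _In_opt_ ULONG ProcedureNumber,
    _Out_ PVOID *ProcedureAddress
    );

// rev
// Flag for LdrGetProcedureAddressEx.
#define LDR_GET_PROCEDURE_ADDRESS_DONT_RECORD_FORWARDER 0x00000001

#if (PHNT_VERSION >= PHNT_VISTA)
// private
// LdrGetProcedureAddress with an additional Flags argument. Declared for Vista
// and later only.
NTSYSAPI
NTSTATUS
NTAPI
LdrGetProcedureAddressEx(
    _In_ PVOID DllHandle,
    _In_opt_ PANSI_STRING ProcedureName,
    _In_opt_ ULONG ProcedureNumber,
    _Out_ PVOID *ProcedureAddress,
    _In_ ULONG Flags
    );
#endif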
278 
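// Flags for LdrLockLoaderLock.
#define LDR_LOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001
#define LDR_LOCK_LOADER_LOCK_FLAG_TRY_ONLY 0x00000002

// Values written to *Disposition by LdrLockLoaderLock.
#define LDR_LOCK_LOADER_LOCK_DISPOSITION_INVALID 0
#define LDR_LOCK_LOADER_LOCK_DISPOSITION_LOCK_ACQUIRED 1
#define LDR_LOCK_LOADER_LOCK_DISPOSITION_LOCK_NOT_ACQUIRED 2

// Acquires the loader lock and returns a Cookie to hand back to
// LdrUnlockLoaderLock.
// NOTE(review): Disposition is optional, but with TRY_ONLY the call can
// presumably return without holding the lock. A TRY_ONLY caller should pass
// Disposition and proceed only on DISPOSITION_LOCK_ACQUIRED. Keep the locked
// region short and release the lock on every exit path.
NTSYSAPI
NTSTATUS
NTAPI
LdrLockLoaderLock(
    _In_ ULONG Flags,
    _Out_opt_ ULONG *Disposition,
    _Out_ PVOID *Cookie
    );

// Flag for LdrUnlockLoaderLock.
#define LDR_UNLOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001

// Releases the loader lock; Cookie is the value produced by the matching
// LdrLockLoaderLock call.
NTSYSAPI
NTSTATUS
NTAPI
LdrUnlockLoaderLock(
    _In_ ULONG Flags,
    _Inout_ PVOID Cookie
    );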
304 
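// Applies base relocations to the image mapped at NewBase.
// NOTE(review): Success, Conflict and Invalid are presumably the status values
// the routine returns for the corresponding outcome; confirm. Relocation data
// comes from the image file, so treat an Invalid result as a hard failure for
// files of unknown origin.
NTSYSAPI
NTSTATUS
NTAPI
LdrRelocateImage(
    _In_ PVOID NewBase,
    _In_ PSTR LoaderName,
    _In_ NTSTATUS Success,
    _In_ NTSTATUS Conflict,
    _In_ NTSTATUS Invalid
    );

// LdrRelocateImage with an extra Bias argument.
NTSYSAPI
NTSTATUS
NTAPI
LdrRelocateImageWithBias(
    _In_ PVOID NewBase,
    _In_ LONGLONG Bias,
    _In_ PSTR LoaderName,
    _In_ NTSTATUS Success,
    _In_ NTSTATUS Conflict,
    _In_ NTSTATUS Invalid
    );

// Processes one relocation block and returns a PIMAGE_BASE_RELOCATION,
// presumably the next block (confirm).
// NOTE(review): VA, SizeOfBlock and NextOffset are taken as given. A caller
// parsing an untrusted image must check beforehand that the block and every
// target it names lie inside the mapped image.
NTSYSAPI
PIMAGE_BASE_RELOCATION
NTAPI
LdrProcessRelocationBlock(
    _In_ ULONG_PTR VA,
    _In_ ULONG SizeOfBlock,
    _In_ PUSHORT NextOffset,
    _In_ LONG_PTR Diff
    );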
337 
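// Reports whether the mapped image at BaseAddress matches its checksum.
// NOTE(review): a PE header checksum is not a cryptographic digest. A match
// detects accidental corruption only and says nothing about who produced the
// file; use signature verification when authenticity matters.
NTSYSAPI
BOOLEAN
NTAPI
LdrVerifyMappedImageMatchesChecksum(
    _In_ PVOID BaseAddress,
    _In_ SIZE_T NumberOfBytes,
    _In_ ULONG FileLength
    );

// Callback invoked with a caller-supplied Parameter and a module name.
// ModuleName originates from the image being examined; bound-check it before
// copying or logging.
typedef VOID (NTAPI *PLDR_IMPORT_MODULE_CALLBACK)(
    _In_ PVOID Parameter,
    _In_ PSTR ModuleName
    );

// File-handle form of the checksum test, with an optional import callback and
// optional output of the image characteristics.
// NOTE(review): ImportCallbackParameter is annotated _In_ although the routine
// it accompanies is optional; presumably it is ignored when no callback is
// given (confirm). The caveat about checksums versus signatures stated for
// LdrVerifyMappedImageMatchesChecksum applies here as well.
NTSYSAPI
NTSTATUS
NTAPI
LdrVerifyImageMatchesChecksum(
    _In_ HANDLE ImageFileHandle,
    _In_opt_ PLDR_IMPORT_MODULE_CALLBACK ImportCallbackRoutine,
    _In_ PVOID ImportCallbackParameter,
    _Out_opt_ PUSHORT ImageCharacteristics
    );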
361 
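// private
// Import callback and the parameter passed to it; embedded in
// LDR_VERIFY_IMAGE_INFO.
typedef struct _LDR_IMPORT_CALLBACK_INFO
{
    PLDR_IMPORT_MODULE_CALLBACK ImportCallbackRoutine;
    PVOID ImportCallbackParameter;
} LDR_IMPORT_CALLBACK_INFO, *PLDR_IMPORT_CALLBACK_INFO;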
368 
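// private
// Section handle together with section-creation style parameters; embedded in
// LDR_VERIFY_IMAGE_INFO.
// NOTE(review): whether SectionHandle is an input or is produced by the call
// is not visible here. If the call does return a handle, the caller owns it
// and must close it (confirm).
typedef struct _LDR_SECTION_INFO
{
    HANDLE SectionHandle;
    ACCESS_MASK DesiredAccess;
    POBJECT_ATTRIBUTES ObjA;
    ULONG SectionPageProtection;
    ULONG AllocationAttributes;
} LDR_SECTION_INFO, *PLDR_SECTION_INFO;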
378 
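// private
// In/out argument block for LdrVerifyImageMatchesChecksumEx.
// NOTE(review): Size is presumably the byte size of this structure and must be
// set by the caller; zero-initialize the whole block first so no stale stack
// data is passed in (confirm the Size contract).
typedef struct _LDR_VERIFY_IMAGE_INFO
{
    ULONG Size;
    ULONG Flags;
    LDR_IMPORT_CALLBACK_INFO CallbackInfo;
    LDR_SECTION_INFO SectionInfo;
    USHORT ImageCharacteristics;
} LDR_VERIFY_IMAGE_INFO, *PLDR_VERIFY_IMAGE_INFO;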
388 
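#if (PHNT_VERSION >= PHNT_VISTA)
// private
// Checksum test driven by an LDR_VERIFY_IMAGE_INFO block, which is both read
// and written. Declared for Vista and later only.
// A PE checksum match is not an authenticity check.
NTSYSAPI
NTSTATUS
NTAPI
LdrVerifyImageMatchesChecksumEx(
    _In_ HANDLE ImageFileHandle,
    _Inout_ PLDR_VERIFY_IMAGE_INFO VerifyInfo
    );
#endif

#if (PHNT_VERSION >= PHNT_VISTA)
// private
// Copies the service tags of a module into ServiceTagBuffer.
// Per the annotation, *BufferSize on entry is the capacity of ServiceTagBuffer
// in ULONG elements, and the value is updated by the call. Initialize
// *BufferSize to the true capacity before every call; reusing a value left by
// an earlier call can overstate the buffer.
NTSYSAPI
NTSTATUS
NTAPI
LdrQueryModuleServiceTags(
    _In_ PVOID DllHandle,
    _Out_writes_(*BufferSize) PULONG ServiceTagBuffer,
    _Inout_ PULONG BufferSize
    );
#endif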
411 
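// begin_msdn:"DLL Load Notification"

// NotificationReason values passed to a PLDR_DLL_NOTIFICATION_FUNCTION; the
// reason selects which member of LDR_DLL_NOTIFICATION_DATA is valid.
#define LDR_DLL_NOTIFICATION_REASON_LOADED 1
#define LDR_DLL_NOTIFICATION_REASON_UNLOADED 2

// Payload for LDR_DLL_NOTIFICATION_REASON_LOADED.
// NOTE(review): the name pointers presumably stay valid only for the duration
// of the callback; copy the strings if they are needed afterwards.
typedef struct _LDR_DLL_LOADED_NOTIFICATION_DATA
{
    ULONG Flags;
    PUNICODE_STRING FullDllName;
    PUNICODE_STRING BaseDllName;
    PVOID DllBase;
    ULONG SizeOfImage;
} LDR_DLL_LOADED_NOTIFICATION_DATA, *PLDR_DLL_LOADED_NOTIFICATION_DATA;

// Payload for LDR_DLL_NOTIFICATION_REASON_UNLOADED. Same members as the loaded
// form, except that the name pointers are const-qualified.
typedef struct _LDR_DLL_UNLOADED_NOTIFICATION_DATA
{
    ULONG Flags;
    PCUNICODE_STRING FullDllName;
    PCUNICODE_STRING BaseDllName;
    PVOID DllBase;
    ULONG SizeOfImage;
} LDR_DLL_UNLOADED_NOTIFICATION_DATA, *PLDR_DLL_UNLOADED_NOTIFICATION_DATA;

// Overlay of the two payloads; read the member that matches NotificationReason.
typedef union _LDR_DLL_NOTIFICATION_DATA
{
    LDR_DLL_LOADED_NOTIFICATION_DATA Loaded;
    LDR_DLL_UNLOADED_NOTIFICATION_DATA Unloaded;
} LDR_DLL_NOTIFICATION_DATA, *PLDR_DLL_NOTIFICATION_DATA;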
440 
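// Callback type for DLL load/unload notifications.
// NOTE(review): the callback presumably runs while the loader is in the middle
// of the load or unload, so it should do minimal work and must not load or
// unload modules itself (confirm against the MSDN topic named above).
typedef VOID (NTAPI *PLDR_DLL_NOTIFICATION_FUNCTION)(
    _In_ ULONG NotificationReason,
    _In_ PLDR_DLL_NOTIFICATION_DATA NotificationData,
    _In_opt_ PVOID Context
    );

#if (PHNT_VERSION >= PHNT_VISTA)

// Registers NotificationFunction and returns a Cookie for later
// unregistration. Declared for Vista and later only.
// For monitoring use: the registration lives inside the monitored process, so
// other code in that process can interfere with it. Treat these notifications
// as a convenience signal and keep an out-of-process source of module-load
// events as the record of truth.
NTSYSAPI
NTSTATUS
NTAPI
LdrRegisterDllNotification(
    _In_ ULONG Flags,
    _In_ PLDR_DLL_NOTIFICATION_FUNCTION NotificationFunction,
    _In_ PVOID Context,
    _Out_ PVOID *Cookie
    );

// Removes a registration. Call it before the code or Context behind the
// callback is freed or unloaded, so that no stale callback pointer remains
// registered.
NTSYSAPI
NTSTATUS
NTAPI
LdrUnregisterDllNotification(
    _In_ PVOID Cookie
    );

#endif

// end_msdn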
469 
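// Load as data table
// Bookkeeping for modules mapped as data. Declared for Vista and later only.
// NOTE(review): a module mapped as data is file content, not a loaded image;
// parsers that walk it should bound every offset by the recorded Size.

#if (PHNT_VERSION >= PHNT_VISTA)

// private
// Records a data-mapped module with its file path, size and handle.
NTSYSAPI
NTSTATUS
NTAPI
LdrAddLoadAsDataTable(
    _In_ PVOID Module,
    _In_ PWSTR FilePath,
    _In_ SIZE_T Size,
    _In_ HANDLE Handle
    );

// private
// Removes a record; optionally returns the base module and its size.
NTSYSAPI
NTSTATUS
NTAPI
LdrRemoveLoadAsDataTable(
    _In_ PVOID InitModule,
    _Out_opt_ PVOID *BaseModule,
    _Out_opt_ PSIZE_T Size,
    _In_ ULONG Flags
    );

// private
// Returns the file name recorded for Module through pFileNamePrt.
// NOTE(review): ownership and lifetime of the returned pointer are not visible
// here; presumably it refers to loader-owned storage and must not be freed or
// kept past removal of the record (confirm).
NTSYSAPI
NTSTATUS
NTAPI
LdrGetFileNameFromLoadAsDataTable(
    _In_ PVOID Module,
    _Out_ PVOID *pFileNamePrt
    );

#endif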
506 
507 #endif // (PHNT_MODE != PHNT_MODE_KERNEL)
508 
509 // Module information
510 
512 {
513  HANDLE Section;
514  PVOID MappedBase;
515  PVOID ImageBase;
516  ULONG ImageSize;
517  ULONG Flags;
520  USHORT LoadCount;
522  UCHAR FullPathName[256];
524 
525 typedef struct _RTL_PROCESS_MODULES
526 {
530 
531 // private
533 {
534  USHORT NextOffset;
538  PVOID DefaultBase;
540 
541 #endif