ntinternals scraper output & script

// SCRAPED FROM: $api_index
// BY: Capt. Micro
// SCRIPT: End of file

/*
    ATOM_BASIC_INFORMATION (STRUCT)
    UsageCount
     Internal Atom counter state. This value increments at every NtAddAtom call for current Atom, and it's decremented on every NtDeleteAtom function call.
    Flags
     (?), Only lowest bit is used.
    NameLength
     Size of Name array, in bytes.
    Name[1]
     Atom name.
*/
typedef struct _ATOM_BASIC_INFORMATION {
    USHORT UsageCount;
    USHORT Flags;
    USHORT NameLength;
    WCHAR Name[1];
} ATOM_BASIC_INFORMATION, *PATOM_BASIC_INFORMATION;

/*
    ATOM_INFORMATION_CLASS (ENUM)
*/
typedef enum _ATOM_INFORMATION_CLASS {
    AtomBasicInformation,
    AtomTableInformation
} ATOM_INFORMATION_CLASS, *PATOM_INFORMATION_CLASS;

/*
    ATOM_TABLE_INFORMATION (STRUCT)
    NumberOfAtoms
     Number of members in Atoms array.
    Atoms[1]
     Array of Global Atoms.
*/
typedef struct _ATOM_TABLE_INFORMATION {
    ULONG NumberOfAtoms;
    RTL_ATOM Atoms[1];
} ATOM_TABLE_INFORMATION, *PATOM_TABLE_INFORMATION;

/*
    DbgPrint (FUNCTION)
    INFO-0
     Function works like a normal C printf routine, but result is streamed to debug output.
*/
typedef NTSTATUS (NTAPI *_DbgPrint)( IN LPCSTR Format, ... );

/*
    DBG_STATE (ENUM)
*/
typedef enum _DBG_STATE {
    DbgIdle,
    DbgReplyPending,
    DbgCreateThreadStateChange,
    DbgCreateProcessStateChange,
    DbgExitThreadStateChange,
    DbgExitProcessStateChange,
    DbgExceptionStateChange,
    DbgBreakpointStateChange,
    DbgSingleStepStateChange,
    DbgLoadDllStateChange,
    DbgUnloadDllStateChange
} DBG_STATE, *PDBG_STATE;

/*
    EVENT_BASIC_INFORMATION (STRUCT)
    INFO-0
     This structure is used with EventBasicInformation information class as a result of call NtQueryEvent.
    EventType
     Type of Event Object. Can be SynchronizationEvent or NotificationEvent. See EVENT_TYPE for details.
    EventState
     Current state of Event Object.
*/
typedef struct _EVENT_BASIC_INFORMATION {
    EVENT_TYPE EventType;
    LONG EventState;
} EVENT_BASIC_INFORMATION, *PEVENT_BASIC_INFORMATION;

/*
    EVENT_INFORMATION_CLASS (ENUM)
*/
typedef enum _EVENT_INFORMATION_CLASS {
    EventBasicInformation
} EVENT_INFORMATION_CLASS, *PEVENT_INFORMATION_CLASS;

/*
    EVENT_TYPE (ENUM)
*/
typedef enum _EVENT_TYPE {
    NotificationEvent,
    SynchronizationEvent
} EVENT_TYPE, *PEVENT_TYPE;

/*
    FILE_BASIC_INFORMATION (STRUCT)
    CreationTime
     Time of file creation, in 100-ns units.
    LastAccessTime
     Time of last open operation, in 100-ns units.
    LastWriteTime
     Time of last write operation, in 100-ns units.
    ChangeTime
     Time of any last change, in 100-ns units.
    FileAttributes
     File attributes. See NtCreateFile for possibilities.
*/
typedef struct _FILE_BASIC_INFORMATION {
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    ULONG FileAttributes;
} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION;

/*
    FILE_BOTH_DIR_INFORMATION (STRUCT)
    NextEntryOffset
     Offset (in bytes) of next FILE_BOTH_DIR_INFORMATION structure placed in result buffer. If there's no more entries, NextEntryOffset is set to zero.
    FileIndex
     File index value, or zero, if directory indexing is not avaiable.
    CreationTime
     Time of object creation;
    LastAccessTime
     Last access time. Means time when last open operation was performed.
    LastWriteTime
     Time of last write data.
    ChangeTime
     Time of last change.
    EndOfFile
     Specify length of file, in bytes.
    AllocationSize
     Specify real size of file on device. It must be equal or greater to EndOfFile member.
    FileAttributes
     Attributes of file.
    FileNameLength
     Length of FileName array, in bytes.
    EaSize
     Size of Extended Attributes associated with file. See also FILE_EA_INFORMATION structure.
    ShortNameLength
     Length ShortName array, in bytes.
    ShortName[12]
     Alternate file name, in UNICODE format. Empty string means:
         Primary name is compatible with 8DOT3 (MS DOS) standart, and there's no reason to set the same name twice;
         File system don't improve short names;
    FileName[1]
     UNICODE string specifing file name.
*/
typedef struct _FILE_BOTH_DIR_INFORMATION {
    ULONG NextEntryOffset;
    ULONG FileIndex;
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    LARGE_INTEGER EndOfFile;
    LARGE_INTEGER AllocationSize;
    ULONG FileAttributes;
    ULONG FileNameLength;
    ULONG EaSize;
    BYTE ShortNameLength;
    WCHAR ShortName[12];
    WCHAR FileName[1];
} FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION;

/*
    FILE_DIRECTORY_INFORMATION (STRUCT)
    NextEntryOffset
     Offset (in bytes) of next FILE_DIRECTORY_INFORMATION structure placed in result buffer. If there's no more entries, NextEntryOffset is set to zero.
    FileIndex
     File index value, or zero, if directory indexing is not avaiable.
    CreationTime
     Time of object creation;
    LastAccessTime
     Last access time. Means time when last open operation was performed.
    LastWriteTime
     Time of last write data.
    ChangeTime
     Time of last change.
    EndOfFile
     Specify length of file, in bytes.
    AllocationSize
     Specify real size of file on device. It must be equal or greater to EndOfFile member.
    FileAttributes
     Attributes of file.
    FileNameLength
     Length of FileName array, in bytes.
    FileName[1]
     UNICODE string specifing file name.
*/
typedef struct _FILE_DIRECTORY_INFORMATION {
    ULONG NextEntryOffset;
    ULONG FileIndex;
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    LARGE_INTEGER EndOfFile;
    LARGE_INTEGER AllocationSize;
    ULONG FileAttributes;
    ULONG FileNameLength;
    WCHAR FileName[1];
} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION;

/*
    FILE_FS_ATTRIBUTE_INFORMATION (STRUCT)
    INFO-0
     FILE_FS_ATTRIBUTE_INFORMATION is output buffer in a call to NtQueryVolumeInformationFile function with FileFsAttributeInformation information class.
    MaximumComponentNameLength
     Maximum length of file name on specified device.
    FileSystemNameLength
     Length of FileSystemName array, in bytes.
    FileSystemName[1]
     Name of File System on specified device (ex. "NTFS").
*/
typedef struct _FILE_FS_ATTRIBUTE_INFORMATION {
    ULONG FileSystemAttributes;
    LONG MaximumComponentNameLength;
    ULONG FileSystemNameLength;
    WCHAR FileSystemName[1];
} FILE_FS_ATTRIBUTE_INFORMATION, *PFILE_FS_ATTRIBUTE_INFORMATION;

/*
    FILE_FS_CONTROL_INFORMATION (STRUCT)
    INFO-0
     Structure FILE_FS_CONTROL_INFORMATION is user as input and output buffers in calls to NtQueryVolumeInformationFile and NtSetVolumeInformationFile with information class set to FileFsControlInformation.
    INFO-1
     FreeSpaceStartFiltering
    INFO-2
     FreeSpaceThreshold
    INFO-3
     FreeSpaceStopFiltering
    INFO-4
     DefaultQuotaThreshold
    INFO-5
     DefaultQuotaLimit
    INFO-6
     FileSystemControlFlags
*/
typedef struct _FILE_FS_CONTROL_INFORMATION {
    LARGE_INTEGER FreeSpaceStartFiltering;
    LARGE_INTEGER FreeSpaceThreshold;
    LARGE_INTEGER FreeSpaceStopFiltering;
    LARGE_INTEGER DefaultQuotaThreshold;
    LARGE_INTEGER DefaultQuotaLimit;
    ULONG FileSystemControlFlags;
} FILE_FS_CONTROL_INFORMATION, *PFILE_FS_CONTROL_INFORMATION;

/*
    FILE_FS_DEVICE_INFORMATION (STRUCT)
    DeviceType
     Numeric device types are defined in &lt;ntddk.h&gt; as FILE_DEVICE_* precompiler definitions.
    Characteristics
     Or-ed bit mask of device characteristic. Can be one of:
        FILE_REMOVABLE_MEDIA
        FILE_READ_ONLY_DEVICE
*/
typedef struct _FILE_FS_DEVICE_INFORMATION {
    DEVICE_TYPE DeviceType;
    ULONG Characteristics;
} FILE_FS_DEVICE_INFORMATION, *PFILE_FS_DEVICE_INFORMATION;

/*
    FILE_FS_LABEL_INFORMATION (STRUCT)
    VolumeLabelLength
     Length of VolumeLabel array, in bytes.
    VolumeLabel[1]
     Label for specified volume.
*/
typedef struct _FILE_FS_LABEL_INFORMATION {
    ULONG VolumeLabelLength;
    WCHAR VolumeLabel[1];
} FILE_FS_LABEL_INFORMATION, *PFILE_FS_LABEL_INFORMATION;

/*
    FILE_FS_SIZE_INFORMATION (STRUCT)
    INFO-0
     Structure provides detailed information about volume physical size. Is returned in call to NtQueryVolumeInformationFile with FileFsSizeInformation information class.
    INFO-1
     TotalAllocationUnits
    INFO-2
     AvailableAllocationUnits
    INFO-3
     SectorsPerAllocationUnit
    INFO-4
     BytesPerSector
*/
typedef struct _FILE_FS_SIZE_INFORMATION {
    LARGE_INTEGER TotalAllocationUnits;
    LARGE_INTEGER AvailableAllocationUnits;
    ULONG SectorsPerAllocationUnit;
    ULONG BytesPerSector;
} FILE_FS_SIZE_INFORMATION, *PFILE_FS_SIZE_INFORMATION;

/*
    FILE_FS_VOLUME_INFORMATION (STRUCT)
    VolumeCreationTime
     It means time of last Volume Formating Process.
    VolumeSerialNumber
     Serial number of volume, associated in Volume Formating Process.
    VolumeLabelLength
     Length of VolumeLabel array, in bytes.
    SupportsObjects
     If TRUE, Object Files can be stored on specified volume.
    VolumeLabel[1]
     Name of volume. Can be set with FileFsLabelInformation.
*/
typedef struct _FILE_FS_VOLUME_INFORMATION {
    LARGE_INTEGER VolumeCreationTime;
    ULONG VolumeSerialNumber;
    ULONG VolumeLabelLength;
    BOOLEAN SupportsObjects;
    WCHAR VolumeLabel[1];
} FILE_FS_VOLUME_INFORMATION, *PFILE_FS_VOLUME_INFORMATION;

/*
    FILE_FULL_DIR_INFORMATION (STRUCT)
    NextEntryOffset
     Offset (in bytes) of next FILE_FULL_DIR_INFORMATION structure placed in result buffer. If there's no more entries, NextEntryOffset is set to zero.
    FileIndex
     File index value, or zero, if directory indexing is not avaiable.
    CreationTime
     Time of object creation;
    LastAccessTime
     Last access time. Means time when last open operation was performed.
    LastWriteTime
     Time of last write data.
    ChangeTime
     Time of last change.
    EndOfFile
     Specify length of file, in bytes.
    AllocationSize
     Specify real size of file on device. It must be equal or greater to EndOfFile member.
    FileAttributes
     Attributes of file.
    FileNameLength
     Length of FileName array, in bytes.
    EaSize
     Size of Extended Attributes associated with file. See also FILE_EA_INFORMATION structure.
    FileName[1]
     UNICODE string specifing file name.
*/
typedef struct _FILE_FULL_DIR_INFORMATION {
    ULONG NextEntryOffset;
    ULONG FileIndex;
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    LARGE_INTEGER EndOfFile;
    LARGE_INTEGER AllocationSize;
    ULONG FileAttributes;
    ULONG FileNameLength;
    ULONG EaSize;
    WCHAR FileName[1];
} FILE_FULL_DIR_INFORMATION, *PFILE_FULL_DIR_INFORMATION;

/*
    FILE_FULL_EA_INFORMATION (STRUCT)
    INFO-0
     Structure FILE_FULL_EA_INFORMATION is also defined in Win2000 DDK.
*/
typedef struct _FILE_FULL_EA_INFORMATION {
    ULONG NextEntryOffset;
    BYTE Flags;
    BYTE EaNameLength;
    USHORT EaValueLength;
    CHAR EaName[1];
} FILE_FULL_EA_INFORMATION, *PFILE_FULL_EA_INFORMATION;

/*
    FILE_GET_EA_INFORMATION (STRUCT)
    INFO-0
     Structure FILE_GET_EA_INFORMATION is used in a call to NtQueryEaFile function. See FILE_FULL_EA_INFORMATION for detailed information about EA.
    NextEntryOffset
     Relative offset for next FILE_GET_EA_INFORMATION structure in buffer.
    EaNameLength
     Length of EA name, in bytes (without leading zero).
    EaName[1]
     ASCIIZ name of EA, case insensitive.
*/
typedef struct _FILE_GET_EA_INFORMATION {
    ULONG NextEntryOffset;
    BYTE EaNameLength;
    CHAR EaName[1];
} FILE_GET_EA_INFORMATION, *PFILE_GET_EA_INFORMATION;

/*
    FILE_INFORMATION_CLASS (ENUM)
*/
typedef enum _FILE_INFORMATION_CLASS {
    FileDirectoryInformation=1,
    FileFullDirectoryInformation,
    FileBothDirectoryInformation,
    FileBasicInformation,
    FileStandardInformation,
    FileInternalInformation,
    FileEaInformation,
    FileAccessInformation,
    FileNameInformation,
    FileRenameInformation,
    FileLinkInformation,
    FileNamesInformation,
    FileDispositionInformation,
    FilePositionInformation,
    FileFullEaInformation,
    FileModeInformation,
    FileAlignmentInformation,
    FileAllInformation,
    FileAllocationInformation,
    FileEndOfFileInformation,
    FileAlternateNameInformation,
    FileStreamInformation,
    FilePipeInformation,
    FilePipeLocalInformation,
    FilePipeRemoteInformation,
    FileMailslotQueryInformation,
    FileMailslotSetInformation,
    FileCompressionInformation,
    FileCopyOnWriteInformation,
    FileCompletionInformation,
    FileMoveClusterInformation,
    FileQuotaInformation,
    FileReparsePointInformation,
    FileNetworkOpenInformation,
    FileObjectIdInformation,
    FileTrackingInformation,
    FileOleDirectoryInformation,
    FileContentIndexInformation,
    FileInheritContentIndexInformation,
    FileOleInformation,
    FileMaximumInformation
} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;

/*
    FILE_INTERNAL_INFORMATION (STRUCT)
    IndexNumber
     File indentifier, unique for file's device.
*/
typedef struct _FILE_INTERNAL_INFORMATION {
    LARGE_INTEGER IndexNumber;
} FILE_INTERNAL_INFORMATION, *PFILE_INTERNAL_INFORMATION;

/*
    FILE_LINK_INFORMATION (STRUCT)
    ReplaceIfExists
     If set, and destination object already exists, it will be replaced with newly created link.
    RootDirectory
     HANDLE to File Object specyfing directory where link should be placed. Can be NULL if FileName parameter contains full path.
    FileNameLength
     Length of FileName array, in bytes.
    FileName[1]
     UNICODE string specyfing name of link and optionally with path (see description of RootDirectory).
*/
typedef struct _FILE_LINK_INFORMATION {
    BOOLEAN ReplaceIfExists;
    HANDLE RootDirectory;
    ULONG FileNameLength;
    WCHAR FileName[1];
} FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION;

/*
    FILE_NAMES_INFORMATION (STRUCT)
    NextEntryOffset
     Offset (in bytes) of next FILE_NAMES_INFORMATION entry, or zero if last.
    FileIndex
     Index of file, or zero if Directory Indexing is disabled.
    FileNameLength
     Length of FileName array, in bytes.
    FileName[1]
     Name of file, in UNICODE format.
*/
typedef struct _FILE_NAMES_INFORMATION {
    ULONG NextEntryOffset;
    ULONG FileIndex;
    ULONG FileNameLength;
    WCHAR FileName[1];
} FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION;

/*
    FILE_NAME_INFORMATION (STRUCT)
    FileNameLength
     Length of FileName, in bytes.
    FileName[1]
     UNICODE name of file. If caller query about FileNameInformation, FileName additionally contains path to file, and begins with '/' (full path to file relative to device).
*/
typedef struct _FILE_NAME_INFORMATION {
    ULONG FileNameLength;
    WCHAR FileName[1];
} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;

/*
    FILE_NETWORK_OPEN_INFORMATION (STRUCT)
    CreationTime
     Indicates time of file creation.
    LastAccessTime
     Time of last open file.
    LastWriteTime
     Time of last write operation.
    ChangeTime
     Time of any last change.
    AllocationSize
     Number of bytes that file use on storage, equal or greater to EndOfFile.
    EndOfFile
     Length of file, in bytes.
    FileAttributes
     File attributes.
*/
typedef struct _FILE_NETWORK_OPEN_INFORMATION {
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    LARGE_INTEGER AllocationSize;
    LARGE_INTEGER EndOfFile;
    ULONG FileAttributes;
    ULONG Unknown;
} FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION;

/*
    FILE_NOTIFY_INFORMATION (STRUCT)
    INFO-0
     Only some of notification reasons can be readed from Action member. In most cases is contains FILE_ACTION_MODIFIED value, and user must check sort of notitication manually.
*/
typedef struct _FILE_NOTIFY_INFORMATION {
    ULONG NextEntryOffset;
    ULONG Action;
    ULONG FileNameLength;
    WCHAR FileName[1];
} FILE_NOTIFY_INFORMATION, *PFILE_NOTIFY_INFORMATION;

/*
    FILE_RENAME_INFORMATION (STRUCT)
    ReplaceIfExists
     If set, and file with the same name as destination exist, it will be replaced. If no, STATUS_OBJECT_NAME_COLLISION is returned.
    RootDirectory
     Optional HANDLE to parent directory for destination file.
    FileNameLength
     Length of FileName array, in bytes.
    FileName[1]
     UNICODE string specifing destination file name. If RootDirectory is NULL, it must contains full system path, or only destination file name for in-place rename operation.
*/
typedef struct _FILE_RENAME_INFORMATION {
    BOOLEAN ReplaceIfExists;
    HANDLE RootDirectory;
    ULONG FileNameLength;
    WCHAR FileName[1];
} FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION;

/*
    FS_INFORMATION_CLASS (ENUM)
*/
typedef enum _FS_INFORMATION_CLASS {
    FileFsVolumeInformation=1,
    FileFsLabelInformation,
    FileFsSizeInformation,
    FileFsDeviceInformation,
    FileFsAttributeInformation,
    FileFsControlInformation,
    FileFsFullSizeInformation,
    FileFsObjectIdInformation,
    FileFsMaximumInformation
} FS_INFORMATION_CLASS, *PFS_INFORMATION_CLASS;

/*
    HARDERROR_MSG (STRUCT)
    INFO-0
     Structure HARDERROR_MSG is send to LPC server in a result of call NtRaiseHardError. Most of stucture's members are  the same as parameters specified in this call.
    LpcMessageHeader
     Message header - see LPC_MESSAGE description.
    ErrorStatus
     Error code.
    ErrorTime
     Time when error was signaled.
    ResponseOption
     See HARDERROR_RESPONSE_OPTION for possible values.
    Response
     See HARDERROR_RESPONSE for possible values.
    NumberOfParameters
     Number of parameters in Parameters array. Maximum parameters number is defined as:
    UnicodeStringParameterMask
     Pointer to UNICODE_STRING in port's client address space
    Parameters[MAXIMUM_HARDERROR_PARAMETERS]
     Array of DWORD parameters.
*/
typedef struct _HARDERROR_MSG {
    LPC_MESSAGE LpcMessageHeader;
    NTSTATUS ErrorStatus;
    LARGE_INTEGER ErrorTime;
    HARDERROR_RESPONSE_OPTION ResponseOption;
    HARDERROR_RESPONSE Response;
    ULONG NumberOfParameters;
    PVOID UnicodeStringParameterMask;
    ULONG Parameters[MAXIMUM_HARDERROR_PARAMETERS];
} HARDERROR_MSG, *PHARDERROR_MSG;

/*
    HARDERROR_RESPONSE (ENUM)
*/
typedef enum _HARDERROR_RESPONSE {
    ResponseReturnToCaller,
    ResponseNotHandled,
    ResponseAbort,
    ResponseCancel,
    ResponseIgnore,
    ResponseNo,
    ResponseOk,
    ResponseRetry,
    ResponseYes
} HARDERROR_RESPONSE, *PHARDERROR_RESPONSE;

/*
    HARDERROR_RESPONSE_OPTION (ENUM)
*/
typedef enum _HARDERROR_RESPONSE_OPTION {
    OptionAbortRetryIgnore,
    OptionOk,
    OptionOkCancel,
    OptionRetryCancel,
    OptionYesNo,
    OptionYesNoCancel,
    OptionShutdownSystem
} HARDERROR_RESPONSE_OPTION, *PHARDERROR_RESPONSE_OPTION;

/*
    INITIAL_TEB (STRUCT)
    StackBase
     DIV CLASS="reg">
    StackLimit
     DIV CLASS="reg">
    StackCommit
     DIV CLASS="reg">
    StackCommitMax
     DIV CLASS="reg">
    StackReserved
     DIV CLASS="reg">
*/
typedef struct _INITIAL_TEB {
    PVOID StackBase;
    PVOID StackLimit;
    PVOID StackCommit;
    PVOID StackCommitMax;
    PVOID StackReserved;
} INITIAL_TEB, *PINITIAL_TEB;

/*
    IO_COMPLETION_BASIC_INFORMATION (STRUCT)
    Depth
     Number of currently pending file operations for specified IO Completion Object.
*/
typedef struct _IO_COMPLETION_BASIC_INFORMATION {
    ULONG Depth;
} IO_COMPLETION_BASIC_INFORMATION, *PIO_COMPLETION_BASIC_INFORMATION;

/*
    IO_COMPLETION_INFORMATION_CLASS (ENUM)
*/
typedef enum _IO_COMPLETION_INFORMATION_CLASS {
    IoCompletionBasicInformation
} IO_COMPLETION_INFORMATION_CLASS, *PIO_COMPLETION_INFORMATION_CLASS;

/*
    KEY_MULTIPLE_VALUE_INFORMATION (STRUCT)
    ValueName
     Pointer to UNICODE_STRING structure containing value name. If specified value not exist, function fails.
    DataLength
     Length of value's data, in bytes.
    DataOffset
     Offset in output buffer (declared in NtQueryMultipleValueKey) to value's data.
    Type
     Type of queried value.
*/
typedef struct _KEY_MULTIPLE_VALUE_INFORMATION {
    PUNICODE_STRING ValueName;
    ULONG DataLength;
    ULONG DataOffset;
    ULONG Type;
} KEY_MULTIPLE_VALUE_INFORMATION, *PKEY_MULTIPLE_VALUE_INFORMATION;

/*
    KiUserApcDispatcher (FUNCTION)
    KiUserApcDispatcher isn't standard ntdll function. It's used by kernel to process APC queue for calling thread.
     Five paraters I defined only for compatibility with ntdll.lib export (_KiUserApcDispatcher@20). Function first execute  code placed after call, and next calls NtContinue with CONTEXT specified at 4 parameter position (Warning: Not pointer to CONTEXT, but CONTEXT body must be stored on stack).
*/
typedef VOID (NTAPI *_KiUserApcDispatcher)( IN PVOID Unused1, IN PVOID Unused2, IN PVOID Unused3, IN PVOID ContextStart, IN PVOID ContextBody );

/*
    KPROFILE_SOURCE (ENUM)
*/
typedef enum _KPROFILE_SOURCE {
    ProfileTime,
    ProfileAlignmentFixup,
    ProfileTotalIssues,
    ProfilePipelineDry,
    ProfileLoadInstructions,
    ProfilePipelineFrozen,
    ProfileBranchInstructions,
    ProfileTotalNonissues,
    ProfileDcacheMisses,
    ProfileIcacheMisses,
    ProfileCacheMisses,
    ProfileBranchMispredictions,
    ProfileStoreInstructions,
    ProfileFpInstructions,
    ProfileIntegerInstructions,
    Profile2Issue,
    Profile3Issue,
    Profile4Issue,
    ProfileSpecialInstructions,
    ProfileTotalCycles,
    ProfileIcacheIssues,
    ProfileDcacheAccesses,
    ProfileMemoryBarrierCycles,
    ProfileLoadLinkedIssues,
    ProfileMaximum
} KPROFILE_SOURCE, *PKPROFILE_SOURCE;

/*
    LdrGetDllHandle (FUNCTION)
    ModuleFileName
     Path to file + Dll name, in NT directory format.
    pHModule
     Pointer to received HMODULE. See LdrLoadDll for more info.
*/
typedef NTSTATUS (NTAPI *_LdrGetDllHandle)( IN PWORD pwPath OPTIONAL, IN PVOID Unused OPTIONAL, IN PUNICODE_STRING ModuleFileName, OUT PHANDLE pHModule );

/*
    LdrGetProcedureAddress (FUNCTION)
    FunctionName
     Is optional, but you must declare one of FunctionName or Oridinal. In Microsoft concept, you should use both parameters,
*/
typedef NTSTATUS (NTAPI *_LdrGetProcedureAddress)( IN HMODULE ModuleHandle, IN PANSI_STRING FunctionName OPTIONAL, IN WORD Oridinal OPTIONAL, OUT PVOID *FunctionAddress );

/*
    LdrLoadDll (FUNCTION)
    Flags
     See WINAPI LoadLibraryEx for possibbilitied flags.
    ModuleHandle
     Address of MZ header in virtual memory of caller's process.
*/
typedef NTSTATUS (NTAPI *_LdrLoadDll)( IN PWCHAR PathToFile OPTIONAL, IN ULONG Flags OPTIONAL, IN PUNICODE_STRING ModuleFileName, OUT PHANDLE ModuleHandle );

/*
    LdrQueryProcessModuleInformation (FUNCTION)
    INFO-0
     Use for enumerate modules loaded with current process.
    BufferSize
     Required minimum size is sizeof(SYSTEM_MODULE_INFORMATION) (4 bytes).
*/
typedef NTSTATUS (NTAPI *_LdrQueryProcessModuleInformation)( OUT PSYSTEM_MODULE_INFORMATION SystemModuleInformationBuffer, IN ULONG BufferSize, OUT PULONG RequiredSize OPTIONAL );

/*
    LdrShutdownProcess (FUNCTION)
    INFO-0
     Kernel32.dll use this after call to NtTerminateProcess.
*/
typedef VOID (NTAPI *_LdrShutdownProcess)();

/*
    LdrShutdownThread (FUNCTION)
    INFO-0
*/
typedef VOID (NTAPI *_LdrShutdownThread)();

/*
    LdrUnloadDll (FUNCTION)
    ModuleHandle
     In fact, ModuleHandle is virtual address of loaded module, not a typical HANDLE to object.
*/
typedef NTSTATUS (NTAPI *_LdrUnloadDll)( IN HANDLE ModuleHandle );

/*
    LDR_MODULE (STRUCT)
    InLoadOrderModuleList
     ointers to previous and next LDR_MODULE in load order.
    InMemoryOrderModuleList
     ointers to previous and next LDR_MODULE in memory placement order.
    InInitializationOrderModuleList
     ointers to previous and next LDR_MODULE in initialization order.
    BaseAddress
     odule base address known also as HMODULE.
    EntryPoint
     odule entry point (address of initialization procedure).
    SizeOfImage
     um of all image's sections placed in memory. Rounded up to 4Kb (page size).
    FullDllName
     ath and name of module.
    BaseDllName
     odule name only.
    INFO-8
     Flags
    INFO-9
     LoadCount
    INFO-10
     TlsIndex
    HashTableEntry
     B>LIST_ENTRY contains pointer to LdrpHashTable. Both prev and next values are the same.
    INFO-12
     TimeDateStamp
*/
typedef struct _LDR_MODULE {
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    PVOID BaseAddress;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    SHORT LoadCount;
    SHORT TlsIndex;
    LIST_ENTRY HashTableEntry;
    ULONG TimeDateStamp;
} LDR_MODULE, *PLDR_MODULE;

/*
    LPC_MESSAGE (STRUCT)
    DataLength
     Length of additional data in message. Maximum length of data is 0x130 bytes.
    Length
     Length of message, including header. Maximum value is 0x148 bytes length.
    MessageType
     Type of message. This field is filled by system in message transfer process. Can be one of following:
        LPC_REQUEST
        LPC_REPLY
    INFO-4
     DataInfoOffset
    ClientId
     Port's client unique identifier.
    MessageId
     System set this field to actual value of incremental message counter.
    INFO-7
     CallbackId
*/
typedef struct _LPC_MESSAGE {
    USHORT DataLength;
    USHORT Length;
    USHORT MessageType;
    USHORT DataInfoOffset;
    CLIENT_ID ClientId;
    ULONG MessageId;
    ULONG CallbackId;
} LPC_MESSAGE, *PLPC_MESSAGE;

/*
    LPC_SECTION_MEMORY (STRUCT)
    INFO-0
*/
typedef struct _LPC_SECTION_MEMORY {
    ULONG Length;
    ULONG ViewSize;
    PVOID ViewBase;
} LPC_SECTION_MEMORY, *PLPC_SECTION_MEMORY;

/*
    LPC_SECTION_OWNER_MEMORY (STRUCT)
    INFO-0
     This structure is used by LPC connection functions by Section Object creator side (whatever it is client of port or server). See LPC_SECTION_MEMORY for more information.
    Length
     Length of structure.
    SectionHandle
     HANDLE to SectionObject mapped on both sides of LPC connection.
    INFO-3
     OffsetInSection
    ViewSize
     Receives size of mapped window.
    ViewBase
     Receives base address of mapped window.
    OtherSideViewBase
     Receives base address of mapped window for other LPC connection side.
*/
typedef struct _LPC_SECTION_OWNER_MEMORY {
    ULONG Length;
    HANDLE SectionHandle;
    ULONG OffsetInSection;
    ULONG ViewSize;
    PVOID ViewBase;
    PVOID OtherSideViewBase;
} LPC_SECTION_OWNER_MEMORY, *PLPC_SECTION_OWNER_MEMORY;

/*
    LPC_TERMINATION_MESSAGE (STRUCT)
    INFO-0
     LPC_TERMINATION_MESSAGE is send to LPC server process when thread is terminating. Thread must be registered for inform server process by call NtRegisterThreadTerminatePort.
    INFO-1
     This message type is also send when LPC client close connection to server's port.
    Header
     Header.MessageType is LPC_CLIENT_DIED when thread terminate.
    INFO-3
     See LPC_MESSAGE for details.
    CreationTime
     Time of thread creation or time of connection begin.
*/
typedef struct _LPC_TERMINATION_MESSAGE {
    LPC_MESSAGE_HEADER Header;
    LARGE_INTEGER CreationTime;
} LPC_TERMINATION_MESSAGE, *PLPC_TERMINATION_MESSAGE;

/*
    MEMORY_BASIC_INFORMATION (STRUCT)
    BaseAddress
     Address of queried memory page.
    AllocationBase
     Base address of allocation. It's different (typically less) to BaseAddress when user allocate more then one page length memory block, and change attributes of a part of allocated block.
    AllocationProtect
     Access type on memory allocation. Can be one or combination of following attributes:
    INFO-3
        PAGE_NOACCESS   PAGE_READONLY   PAGE_READWRITE  PAGE_WRITECOPY  PAGE_EXECUTE    PAGE_EXECUTE_READ   PAGE_EXECUTE_READWRITE  PAGE_EXECUTE_WRITECOPY  PAGE_GUARD  PAGE_NOCACHE    PAGE_WRITECOMBINE
    RegionSize
     Size of queried region, in bytes.
    State
     State of memory block. Can be one of:
    INFO-6
        MEM_RESERVE MEM_COMMIT  MEM_FREE
    Protect
     Current protection of queried memory block. Can be one or combination of values listed for AllocationProtect member.
    Type
     Type of queried memory block. Can be one of:
    INFO-9
        MEM_PRIVATE - Queried block was allocated by call NtAllocateVirtualMemory,  MEM_MAPPED - Queried block is memory mapped Section Object, SEC_IMAGE - Queried block is Section Object representing executable image file in memory.
*/
typedef struct _MEMORY_BASIC_INFORMATION {
    PVOID BaseAddress;
    PVOID AllocationBase;
    ULONG AllocationProtect;
    ULONG RegionSize;
    ULONG State;
    ULONG Protect;
    ULONG Type;
} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;

/*
    MEMORY_INFORMATION_CLASS (ENUM)
*/
typedef enum _MEMORY_INFORMATION_CLASS {
    MemoryBasicInformation
} MEMORY_INFORMATION_CLASS, *PMEMORY_INFORMATION_CLASS;

/*
    MUTANT_BASIC_INFORMATION (STRUCT)
    INFO-0
     Use MUTANT_BASIC_INFORMATION as a buffer in NtQueryMutant call.
    INFO-1
     <HR WIDTH="40%">
    CurrentCount
     f CurrentCount is less than zero, mutant is signaled.
    OwnedByCaller
     t's TRUE if mutant is signaled by caller's thread.
    AbandonedState
     s set when thread terminates without call NtReleaseMutant.
*/
typedef struct _MUTANT_BASIC_INFORMATION {
    LONG CurrentCount;
    BOOLEAN OwnedByCaller;
    BOOLEAN AbandonedState;
} MUTANT_BASIC_INFORMATION, *PMUTANT_BASIC_INFORMATION;

/*
    NtAcceptConnectPort (FUNCTION)
    INFO-0
     This function returns HANDLE to newly created Port Object. All other LPC functions for currently accepted connection should use this HANDLE, not a base named port HANDLE created with NtCreatePort.
*/
typedef NTSTATUS (NTAPI *_NtAcceptConnectPort)( OUT PHANDLE ServerPortHandle, IN HANDLE AlternativeReceivePortHandle OPTIONAL, IN PLPC_MESSAGE ConnectionReply, IN BOOLEAN AcceptConnection, IN OUT PLPC_SECTION_OWNER_MEMORY ServerSharedMemory OPTIONAL, OUT PLPC_SECTION_MEMORY ClientSharedMemory OPTIONAL );

/*
    NtAccessCheck (FUNCTION)
    SecurityDescriptor
     Pointer to SECURITY_DESCRIPTOR structure.
    ClientToken
     HANDLE to client's Token Object opened with TOKEN_QUERY access.
    DesiredAccess
     ACCESS_MASK required by client.
    GenericMapping
     Pointer to GENERIC_MAPPING structure. Caller can take it in a call to NtQueryObject.
    RequiredPrivilegesBuffer
     Function fills this buffer with structure PRIVILEGE_SET contains required privileges.
    BufferLength
     Pointer to ULONG value. On input this value means size of RequiredPrivilegesBuffer buffer. If buffer was to small, required buffer size is avaiable on output.
    GrantedAccess
     Pointer to ACCESS_MASK value receiving granted access for object.
    AccessStatus
     Result of access check, in typical NTSTATUS format.
*/
typedef NTSTATUS (NTAPI *_NtAccessCheck)( IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN HANDLE ClientToken, IN ACCESS_MASK DesiredAccess, IN PGENERIC_MAPPING GenericMapping OPTIONAL, OUT PPRIVILEGE_SET RequiredPrivilegesBuffer, IN OUT PULONG BufferLength, OUT PACCESS_MASK GrantedAccess, OUT PNTSTATUS AccessStatus );

/*
    NtAccessCheckAndAuditAlarm (FUNCTION)
    ObjectHandle
     Can be any valid HANDLE to object, or NULL.
    SecurityDescriptor
     Pointer to "Absolute" SECURITY_DESCRIPTOR structure.
    GenericMapping
     Pointer to GENERIC_MAPPING structure valid for object specified above as ObjectHandle parameter.
    GrantedAccess
     Pointer to ACCESS_MASK value (?).
    AccessStatus
     Pointer to NTSTATUS value (?).
    GenerateOnClose
     Pointer to BOOLEAN value (?).
*/
typedef NTSTATUS (NTAPI *_NtAccessCheckAndAuditAlarm)( IN PUNICODE_STRING SubsystemName OPTIONAL, IN HANDLE ObjectHandle OPTIONAL, IN PUNICODE_STRING ObjectTypeName OPTIONAL, IN PUNICODE_STRING ObjectName OPTIONAL, IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN ACCESS_MASK DesiredAccess, IN PGENERIC_MAPPING GenericMapping, IN BOOLEAN ObjectCreation, OUT PULONG GrantedAccess, OUT PULONG AccessStatus, OUT PBOOLEAN GenerateOnClose );

/*
    NtAddAtom (FUNCTION)
    AtomName
     UNICODE Atom name.
    Atom
     Result of call - pointer to RTL_ATOM.
*/
typedef NTSTATUS (NTAPI *_NtAddAtom)( IN PWCHAR AtomName, OUT PRTL_ATOM Atom );

/*
    NtAdjustGroupsToken (FUNCTION)
    TokenHandle
     HANDLE to Token Object opened with TOKEN_ADJUST_GROUPS access.
    ResetToDefault
     If set, groups are reset to token's defaults. In this case all other parameters are ignored.
    TokenGroups
     Pointer to TOKEN_GROUPS structure containing groups to modify.
    PreviousGroupsLength
     Specifies length of PreviousGroups buffer, in bytes.
    PreviousGroups
     Optionally pointer to TOKEN_GROUPS buffer receiving information about modified groups before modification begins.
    RequiredLength
     If PreviousGroups parameter is specified, and PreviousGroupsLength is to small, this value receives required length of buffer, in bytes.
*/
typedef NTSTATUS (NTAPI *_NtAdjustGroupsToken)( IN HANDLE TokenHandle, IN BOOLEAN ResetToDefault, IN PTOKEN_GROUPS TokenGroups, IN ULONG PreviousGroupsLength, OUT PTOKEN_GROUPS PreviousGroups OPTIONAL, OUT PULONG RequiredLength OPTIONAL );

/*
    NtAdjustPrivilegesToken (FUNCTION)
    TokenHandle
     HANDLE to Token Object opened with TOKEN_ADJUST_PRIVILEGES access. If PreviousPrivileges parameter is non-NULL, also TOKEN_QUERY access is required.
    DisableAllPrivileges
     If set, all accessable privileges are disabled, and rest of parameters below are ignored.
    TokenPrivileges
     Pointer to TOKEN_PRIVILEGES structure containing array of privileges to adjust.
    PreviousPrivilegesLength
     Length of PreviousPrivileges buffer, in bytes.
    PreviousPrivileges
     Optionally pointer to TOKEN_PRIVILEGES structure filled by function with previous state of privileges specified by TokenPrivileges array.
    RequiredLength
     If PreviousPrivileges buffer was to small, this parameter point to required size.
*/
typedef NTSTATUS (NTAPI *_NtAdjustPrivilegesToken)( IN HANDLE TokenHandle, IN BOOLEAN DisableAllPrivileges, IN PTOKEN_PRIVILEGES TokenPrivileges, IN ULONG PreviousPrivilegesLength, OUT PTOKEN_PRIVILEGES PreviousPrivileges OPTIONAL, OUT PULONG RequiredLength OPTIONAL );

/*
    NtAlertResumeThread (FUNCTION)
    ThreadHandle
     andle to thread object.
    SuspendCount
     eturns number of suspend request for thread ThreadHandle before call NtAlertResumeThread. If this number is 0,
    INFO-2
     Difference between AlertResumeThread and ResumeThread it's the first one sets Thread Object to alerted state (so before thread will continue execution, all APC will be executed).
*/
typedef NTSTATUS (NTAPI *_NtAlertResumeThread)( IN HANDLE ThreadHandle, OUT PULONG SuspendCount );

/*
    NtAlertThread (FUNCTION)
    ThreadHandle
     andle to opened Thread Object.
    INFO-1
     <HR WIDTH="40%">
    INFO-2
     NtAlertThread puts specified thread in alerted state.
*/
typedef NTSTATUS (NTAPI *_NtAlertThread)( IN HANDLE ThreadHandle );

/*
    NtAllocateLocallyUniqueId (FUNCTION)
    LocallyUniqueId
     Pointer to LUID structure receiving new locally unique identifier.
*/
typedef NTSTATUS (NTAPI *_NtAllocateLocallyUniqueId)( OUT PLUID LocallyUniqueId );

/*
    NtAllocateUuids (FUNCTION)
    Time
     Returns current time.
*/
typedef NTSTATUS (NTAPI *_NtAllocateUuids)( OUT PLARGE_INTEGER Time, OUT PULONG Range, OUT PULONG Sequence );

/*
    NtAllocateVirtualMemory (FUNCTION)
    ProcessHandle
     andle to Process Object opened with PROCESS_VM_OPERATION access.
    *BaseAddress
     f not zero, system tries to allocate virtual memory block on this virtual address. If BaseAddress is zero, system use first free virtual location.
    AllocationType
     an be MEM_RESERVE or MEM_COMMIT.
    Protect
     ne or combination of PAGE_*** attributes.
*/
typedef NTSTATUS (NTAPI *_NtAllocateVirtualMemory)( IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress, IN ULONG ZeroBits, IN OUT PULONG RegionSize, IN ULONG AllocationType, IN ULONG Protect );

/*
    NtCallbackReturn (FUNCTION)
    Result
     Pointer to user's allocated buffer with custom data.
    ResultLength
     Length of Result buffer, in bytes.
    Status
     Callback execution status code.
*/
typedef NTSTATUS (NTAPI *_NtCallbackReturn)( IN PVOID Result OPTIONAL, IN ULONG ResultLength, IN NTSTATUS Status );

/*
    NtCancelIoFile (FUNCTION)
    FileHandle
     HANDLE to File Object.
    IoStatusBlock
     IO result of call.
*/
typedef NTSTATUS (NTAPI *_NtCancelIoFile)( IN HANDLE FileHandle, OUT PIO_STATUS_BLOCK IoStatusBlock );

/*
    NtCancelTimer (FUNCTION)
    TimerHandle
     HANDLE to Timer Object opened with TIMER_MODIFY_STATE access.
    CurrentState
     Pointer to BOOLEAN value, that received state of timer before function call.
*/
typedef NTSTATUS (NTAPI *_NtCancelTimer)( IN HANDLE TimerHandle, OUT PBOOLEAN CurrentState OPTIONAL );

/*
    NtClearEvent (FUNCTION)
    INFO-0
     There're no functional difference between NtClearEvent and NtResetEvent, but the first works faster (see NtResetEvent).
*/
typedef NTSTATUS (NTAPI *_NtClearEvent)( IN HANDLE EventHandle );

/*
    NtClose (FUNCTION)
    ObjectHandle
     Handle to open object.
*/
typedef NTSTATUS (NTAPI *_NtClose)( IN HANDLE ObjectHandle );

/*
    NtCloseObjectAuditAlarm (FUNCTION)
    SubsystemName
     This string is sent to Event Log as the first parameter.
    ObjectHandle
     HANDLE to object, or NULL value.
    GenerateOnClose
     If set, event is generated.
*/
typedef NTSTATUS (NTAPI *_NtCloseObjectAuditAlarm)( IN PUNICODE_STRING SubsystemName, IN HANDLE ObjectHandle OPTIONAL, IN BOOLEAN GenerateOnClose );

/*
    NtCompactKeys (FUNCTION)
    INFO-0
     Function NtCompactKeys compacts (reduces size) of specified key(s). On Windows NT the same functionality was given by use NtSaveKey and NtRestoreKey
    NrOfKeys
     Number of enries in KeysArray array.
    KeysArray[]
     Array containing handles for previously opened keys.
    Supported on system versions:
     Win 2000,Win XP/2003
*/
typedef NTSTATUS (NTAPI *_NtCompactKeys)( IN ULONG NrOfKeys, IN HANDLE KeysArray[] );

/*
    NtCompleteConnectPort (FUNCTION)
    INFO-0
     Return from NtConnectPort on client's side is synchronised with return from this call. Both sides of LPC connection are ready for sending and receiving LPC messages.
*/
typedef NTSTATUS (NTAPI *_NtCompleteConnectPort)( IN HANDLE PortHandle );

/*
    NtCompressKey (FUNCTION)
    INFO-0
     This function compress data associated with specified Key and all his sub-keys. Compressed key require smaller space in registry file, but whole functionality used with compressed key works slower.
    Key
     HANDLE of previously opened key object (with write access).
    Supported on system versions:
     Win 2000,Win XP/2003
*/
typedef NTSTATUS (NTAPI *_NtCompressKey)( IN HANDLE Key );

/*
    NtConnectPort (FUNCTION)
    INFO-0
     NtConnectPort is used by client process for establish LPC connection with Named Port's owner.
    ClientPortHandle
     Result of call - HANDLE to Port Object.
    ServerPortName
     Name of port to connect to.
    INFO-3
     SecurityQos
    ClientSharedMemory
     Used when calling process created Section Object for shared memory. See NtAcceptConnectPort for details.
    ServerSharedMemory
     Used when calling process didn't create Section Object. See NtAcceptConnectPort for details.
    MaximumMessageLength
     Maximum communication message length. This value is calculated by server on port creation process (see NtCreatePort).
    ConnectionInfo
     Pointer to RAW buffer containing information from client. That information is received by server through LPC_MESSAGE with MessageType field set to LPC_CONNECTION_REQUEST.
    ConnectionInfoLength
     Size of ConnectionInfo buffer, in bytes.
*/
typedef NTSTATUS (NTAPI *_NtConnectPort)( OUT PHANDLE ClientPortHandle, IN PUNICODE_STRING ServerPortName, IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, IN OUT PLPC_SECTION_OWNER_MEMORY ClientSharedMemory OPTIONAL, OUT PLPC_SECTION_MEMORY ServerSharedMemory OPTIONAL, OUT PULONG MaximumMessageLength OPTIONAL, IN ConnectionInfo OPTIONAL, IN PULONG ConnectionInfoLength OPTIONAL );

/*
    NtContinue (FUNCTION)
    You can use NtContinue after processing exception for continue executing thread.
     System uses NtContinue also in APC processing.
*/
typedef NTSTATUS (NTAPI *_NtContinue)( IN PCONTEXT ThreadContext, IN BOOLEAN RaiseAlert );

/*
    NtCreateDirectoryObject (FUNCTION)
    DirectoryHandle
     ointer to newly created Directory Object after function call.
    DesiredAccess
     s defined in &lt;ntddk.h&gt; can be one of following:
       #define DIRECTORY_QUERY                 (0x0001)
        #define DIRECTORY_TRAVERSE              (0x0002)
    ObjectAttributes
     ointer to object attributes. Structure must contain valid object name.
*/
typedef NTSTATUS (NTAPI *_NtCreateDirectoryObject)( OUT PHANDLE DirectoryHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes );

/*
    NtCreateEvent (FUNCTION)
    EventHandle
     Result of call - HANDLE to newly created Event Object.
    DesiredAccess
     Assess rights associated with created event. Can be one of following values from &lt;winnt.h&gt;:
        EVENT_QUERY_STATE
        EVENT_MODIFY_STATE
    ObjectAttributes
     Optional name of Event Object for multiprocess use.
    EventType
     See EVENT_TYPE for details.
    InitialState
     State of event immediatelly after creation.
*/
typedef NTSTATUS (NTAPI *_NtCreateEvent)( OUT PHANDLE EventHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN EVENT_TYPE EventType, IN BOOLEAN InitialState );

/*
    NtCreateEventPair (FUNCTION)
    EventPairHandle
     esult handle to EventPair object.
    DesiredAccess
     s defined as:
    INFO-2
     #define EVENT_PAIR_ALL_ACCESS ( STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE )
*/
typedef NTSTATUS (NTAPI *_NtCreateEventPair)( OUT PHANDLE EventPairHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL );

/*
    NtCreateFile (FUNCTION)
    INFO-0
     (Avaiable also in 2000 DDK.)
    FileHandle
     Result of call - HANDLE to File Object.
    DesiredAccess
     Access mask based on definitions in schema FILE_* from &lt;WinNT.h&gt;.
    ObjectAttributes
     Name of file to create (or open), optionally path in name string. You can also define root directory, security descriptor and attributes OBJ_CASE_INSENSITIVE and OBJ_INHERIT.
    IoStatusBlock
     Pointer to IO_STATUS_BLOCK structure, that receive final status of function call. Can be one of:
    AllocationSize
     File size after creation.
    FileAttributes
     Attributes for newly created file, as follows:
    INFO-7
        FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_HIDDEN   FILE_ATTRIBUTE_SYSTEM   FILE_ATTRIBUTE_ARCHIVE  FILE_ATTRIBUTE_NORMAL   FILE_ATTRIBUTE_TEMPORARY    FILE_ATTRIBUTE_OFFLINE  FILE_ATTRIBUTE_NOT_CONTENT_INDEXED
    ShareAccess
     Specifies share method for opened object. Can be set to zero or any combination of flags:
    INFO-9
        FILE_SHARE_READ     FILE_SHARE_WRITE    FILE_SHARE_DELETE
    CreateDisposition
     Specifies disposition how to create or open object and can be one of:
    INFO-11
        FILE_SUPERSEDE - If file exists, deletes it before creation of new one.     FILE_OPEN - Fails, if file not exists.  FILE_CREATE - Fails, if file exists.    FILE_OPEN_IF - If file exists, opens it. If not, creates new one and then open it.  FILE_OVERWRITE - If file not exists, create and open it. If exists, open them and reset content.    FILE_OVERWRITE_IF - As FILE_OVERWRITE, but fails if file not exists.
    CreateOptions
     Creation options.
    EaBuffer
     Buffer for Extended Attributes contains one or more of FILE_FULL_EA_INFORMATION structures.
    EaLength
     Length of EaBuffer.
*/
typedef NTSTATUS (NTAPI *_NtCreateFile)( OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN PLARGE_INTEGER AllocationSize OPTIONAL, IN ULONG FileAttributes, IN ULONG ShareAccess, IN ULONG CreateDisposition, IN ULONG CreateOptions, IN PVOID EaBuffer OPTIONAL, IN ULONG EaLength );

/*
    NtCreateIoCompletion (FUNCTION)
    IoCompletionHandle
     Result of call - HANDLE to newly created IO Completion Object.
    DesiredAccess
     Access mask for created HANDLE. Can be combination of:
        IO_COMPLETION_QUERY_STATE
        IO_COMPLETION_MODIFY_STATE
    ObjectAttributes
     Optionally contains object name, in Objects Namespace.
    NumberOfConcurrentThreads
     Number of threads accessing File Object associated with IO Completion. If Zero, system reserves memory for number of threads equal to current nymber of processes.
*/
typedef NTSTATUS (NTAPI *_NtCreateIoCompletion)( OUT PHANDLE IoCompletionHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN ULONG NumberOfConcurrentThreads );

/*
    NtCreateKey (FUNCTION)
    INFO-0
     See ZwCreateKey in NT DDK or 2000 DDK for detailed description.
*/
typedef NTSTATUS (NTAPI *_NtCreateKey)( OUT PHANDLE pKeyHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN ULONG TitleIndex, IN PUNICODE_STRING Class OPTIONAL, IN ULONG CreateOptions, OUT PULONG Disposition OPTIONAL );

/*
    NtCreateKeyedEvent (FUNCTION)
    INFO-0
     Synchronization object called KeyedEvent is avaiable in Windows XP+ systems. It's usefull when both (or more) threads have to wait for each other.
    KeyedEventHandle
     HANDLE to newly created KeyedEvent object.
    DesiredAccess
     The same values as for Event objects (typically EVENT_ALL_ACCESS).
    ObjectAttributes
     Optionally name of object.
    Reserved
     Have to be zero. Reserved for future use.
    Supported on system versions:
     Win XP/2003
*/
typedef NTSTATUS (NTAPI *_NtCreateKeyedEvent)( OUT PHANDLE KeyedEventHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN ULONG Reserved );

/*
    NtCreateMailslotFile (FUNCTION)
    MailslotFileHandle
     Result of call - HANDLE to Mailslot File Object.
    DesiredAccess
     Access rights associated with opened handle.
    ObjectAttributes
     Pointer to OBJECT_ATTRIBUTES structure contains valid object name. Name must be in format "//??/MAILSLOT/..." where "..." means unique name of Mailslot.
    IoStatusBlock
     IO result of call.
    CreateOptions
     Can be combination of:
        FILE_WRITE_THROUGH
        FILE_SYNCHRONOUS_IO_ALERT
    MaxMessageSize
     Maximum message size, or MAILSLOT_SIZE_AUTO for automatic message size.
    ReadTimeOut
     Timeout value, or -1 for infinite waiting.
*/
typedef NTSTATUS (NTAPI *_NtCreateMailslotFile)( OUT PHANDLE MailslotFileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG CreateOptions, IN ULONG MailslotQuota, IN ULONG MaxMessageSize, IN PLARGE_INTEGER ReadTimeOut );

/*
    NtCreateMutant (FUNCTION)
    MutantHandle
     esult of function call - handle to newly created Mutant object.
    DesiredAccess
     n most cases there's MUTANT_ALL_ACCESS. See &lt;WinNT.h&gt; or &lt;WinBase.h&gt; for other information about Mutant objects access rights.
    ObjectAttributes
     ay be used to creation named Mutant objects. Named Mutant can be used by more then one process.
    InitialOwner
     f TRUE, Mutant is created with non-signaled state. Caller should call NtReleaseMutant after program initialization.
    <HR WIDTH="40%">
     Mutant object live in object namespace as long as at least one handle is still open. To destroy Mutant, just call NtClose with MutantHandle.
*/
typedef NTSTATUS (NTAPI *_NtCreateMutant)( OUT PHANDLE MutantHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN BOOLEAN InitialOwner );

/*
    NtCreateNamedPipeFile (FUNCTION)
    NamedPipeFileHandle
     Result of call - pointer to HANDLE to Named Pipe.
    DesiredAccess
     Access rights for object's handle. Can be one or combination of:FILE_READ_DATAFILE_WRITE_DATAFILE_CREATE_PIPE_INSTANCEFILE_READ_ATTRIBUTESFILE_WRITE_ATTRIBUTESSYNCHRONIZEREAD_CONTROLWRITE_OWNERWRITE_DACACCESS_SYSTEM_SECURITY
    ObjectAttributes
     Pointer to OBJECT_ATTRIBUTES structure contains name of named pipe. Name must begin with "/??/PIPE/" string, that is Symbolic Link to NamedPipe device object.
    IoStatusBlock
     IO result of call.
    ShareAccess
     Can be combination of following:FILE_SHARE_READFILE_SHARE_WRITEFILE_SHARE_DELETE
    CreateDisposition
     Use FILE_CREATE, FILE_OPEN or FILE_OPEN_IF.
    CreateOptions
     See description of NtCreateFile for possible creation flags.
    WriteModeMessage
     If set, writing to created pipe are processed in Message Mode. If not, all writes are in Byte Mode.
    ReadModeMessage
     The same functionality as WriteModeMessage parameter, but for reading data.
    NonBlocking
     If set, all operations on created pipe are asynchronous.
    MaxInstances
     Maximum number of open handles for Named Pipe, or FILE_PIPE_UNLIMITED_INSTANCES constant.
    InBufferSize
     Input buffer size, in bytes.
    OutBufferSize
     Output buffer size, in bytes.
    DefaultTimeOut
     Pointer to LARGE_INTEGER value specifing pipe's time out, in 100-ns units. Negative value means relative time.
*/
typedef NTSTATUS (NTAPI *_NtCreateNamedPipeFile)( OUT PHANDLE NamedPipeFileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG ShareAccess, IN ULONG CreateDisposition, IN ULONG CreateOptions, IN BOOLEAN WriteModeMessage, IN BOOLEAN ReadModeMessage, IN BOOLEAN NonBlocking, IN ULONG MaxInstances, IN ULONG InBufferSize, IN ULONG OutBufferSize, IN PLARGE_INTEGER DefaultTimeOut );

/*
    NtCreatePagingFile (FUNCTION)
    PageFileName
     System path to newly created paged file.
    MiniumSize
     Minimum size of paged file, in bytes. This value must be multiply of page size (0x1000 bytes on x86), and must be greater then 2MB (0x02000000 bytes).
    MaxiumSize
     Maximum size of paged file, in bytes. Also this value must be multiply of page size. Minimal value accepted is 5MB (0x05000000 bytes).
    ActualSize
     Optional (and currently unused) parameter.
*/
typedef NTSTATUS (NTAPI *_NtCreatePagingFile)( IN PUNICODE_STRING PageFileName, IN PLARGE_INTEGER MiniumSize, IN PLARGE_INTEGER MaxiumSize, OUT PLARGE_INTEGER ActualSize OPTIONAL );

/*
    NtCreatePort (FUNCTION)
    PortHandle
     Result of call - HANDLE to Port Object.
    ObjectAttributes
     Typically contains name and SECURITY_DESCRIPTOR for newly created named port.
    INFO-2
     MaxConnectInfoLength
    MaxDataLength
     Maximum size of message.
    INFO-4
     Reserved
*/
typedef NTSTATUS (NTAPI *_NtCreatePort)( OUT PHANDLE PortHandle, IN POBJECT_ATTRIBUTES ObjectAttributes, IN ULONG MaxConnectInfoLength, IN ULONG MaxDataLength, IN OUT PULONG Reserved OPTIONAL );

/*
        NtCreateProcess (FUNCTION)
    INFO-0
*/
typedef NTSTATUS (NTAPI *_NtCreateProcess)( OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN HANDLE ParentProcess, IN BOOLEAN InheritObjectTable, IN HANDLE SectionHandle OPTIONAL, IN HANDLE DebugPort OPTIONAL, IN HANDLE ExceptionPort OPTIONAL );

/*
    NtCreateProfile (FUNCTION)
    ProfileHandle
     Result of call - HANDLE to Profile Object.
    Process
     HANDLE to Process Object to profile. Not required if profiled code is placed in Kernel address space (above 0x80000000).
    ImageBase
     Start address of profiling.
    ImageSize
     Size of profiled memory block.
    Buffer
     Caller's allocated buffer for data.
    BufferSize
     Size of buffer, in bytes.
    ProfileSource
     Identifier of performance counter. See KPROFILE_SOURCE enumeration type for possible values.
    Affinity
     Processor affinity mask. It defines processors to ask about performance counter.
*/
typedef NTSTATUS (NTAPI *_NtCreateProfile)( OUT PHANDLE ProfileHandle, IN HANDLE Process OPTIONAL, IN PVOID ImageBase, IN ULONG ImageSize, IN ULONG BucketSize, IN PVOID Buffer, IN ULONG BufferSize, IN KPROFILE_SOURCE ProfileSource, IN KAFFINITY Affinity );

/*
    NtCreateSection (FUNCTION)
    SectionHandle
     Result of call - HANDLE to Section Object.
    DesiredAccess
     Access mask. Can be combination of:
        SECTION_QUERY
        SECTION_MAP_WRITE
    ObjectAttributes
     Pointer to OBJECT_ATTRIBUTES structure contains section name, in Object Namespace format.
    MaximumSize
     Optionally define maximum size of section. Must be defined when caller create section based on system PageFile.
    PageAttributess
     Can be one or combination of:
        PAGE_NOACCESS
        PAGE_READONLY
    SectionAttributes
     Can be one or combination of:
        SEC_FILE
        SEC_IMAGE
    FileHandle
     Optionally HANDLE to File Object opened with proper access.
*/
typedef NTSTATUS (NTAPI *_NtCreateSection)( OUT PHANDLE SectionHandle, IN ULONG DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN PLARGE_INTEGER MaximumSize OPTIONAL, IN ULONG PageAttributess, IN ULONG SectionAttributes, IN HANDLE FileHandle OPTIONAL );

/*
    NtCreateSemaphore (FUNCTION)
    SemaphoreHandle
     Result of call - pointer to HANDLE to Semaphore Object.
    DesiredAccess
     Access rights to Semaphore Object. Can be one of:
        SEMAPHORE_QUERY_STATE
        SEMAPHORE_MODIFY_STATE
    ObjectAttributes
     Optional pointer to OBJECT_ATTRIBUTES structure containing semaphore's name.
    InitialCount
     Initial state of semaphore. Typically the same as MaximumCount.
    MaximumCount
     Maximum releases number.
*/
typedef NTSTATUS (NTAPI *_NtCreateSemaphore)( OUT PHANDLE SemaphoreHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN ULONG InitialCount, IN ULONG MaximumCount );

/*
    NtCreateSymbolicLinkObject  (FUNCTION)
    pHandle
     Handle to SymbolicLinkObject.
    INFO-1

    ObjectAttributes
     Name of SymbolicLinkObject.
    DestinationName
     Name or path to destination object in Object Namespace.
*/
typedef NTSTATUS NTAPI NtCreateSymbolicLinkObject )( OUT PHANDLE pHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PUNICODE_STRING DestinationName );

/*
    NtCreateThread (FUNCTION)
    ThreadHandle
     DIV CLASS="reg">Caller supplied storage for the resulting handle.
    DesiredAccess
     DIV CLASS="reg">Specifies the allowed or desired access to the thread.
    ObjectAttributes
     DIV CLASS="reg">Initialized attributes for the object.
    ProcessHandle
     DIV CLASS="reg">Handle to the threads parent process.
    ClientId
     DIV CLASS="reg">Caller supplies storage for returned process id and thread id.
    ThreadContext
     DIV CLASS="reg">Initial processor context for the thread.
    InitialTeb
     DIV CLASS="reg">Initial user mode stack context for the thread.
    CreateSuspended
     DIV CLASS="reg">Specifies if the thread is ready for scheduling. See NtContinue for more information.
*/
typedef NTSTATUS (NTAPI *_NtCreateThread)( OUT PHANDLE ThreadHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN HANDLE ProcessHandle, OUT PCLIENT_ID ClientId, IN PCONTEXT ThreadContext, IN PINITIAL_TEB InitialTeb, IN BOOLEAN CreateSuspended );

/*
    NtCreateTimer (FUNCTION)
    TimerHandle
     Result of call - HANDLE to Timer Object.
    DesiredAccess
     Access mask for TimerHandle. Can be set of (from &lt;WinNT.h&gt;):
    ObjectAttributes
     Optional name of Timer Object.
    TimerType
     Can be NotificationTimer or SynchronizationTimer (enumerated type definition from &lt;ntdef.h&gt;).
*/
typedef NTSTATUS (NTAPI *_NtCreateTimer)( OUT PHANDLE TimerHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN TIMER_TYPE TimerType );

/*
    NtCreateToken (FUNCTION)
    TokenHandle
     Result of call - pointer to HANDLE to Token Object.
    DesiredAccess
     Can be one or more of following:
        TOKEN_ASSIGN_PRIMARY
        TOKEN_DUPLICATE
    ObjectAttributes
     Pointer to OBJECT_ATTRIBUTES structure.
    TokenType
     (?), see TOKEN_TYPE enumeration type.
    AuthenticationId
     (?), see NtAllocateLocallyUniqueId security function.
    ExpirationTime
     (?), pointer to LARGE_INTEGER value contains time in 100-ns format.
    TokenUser
     (?), see TOKEN_USER structure.
    TokenGroups
     (?), see TOKEN_GROUPS structure.
    TokenPrivileges
     (?), see TOKEN_PRIVILEGES structure.
    TokenOwner
     (?), see TOKEN_OWNER structure.
    TokenPrimaryGroup
     (?), see TOKEN_PRIMARY_GROUP structure.
    TokenDefaultDacl
     (?), see TOKEN_DEFAULT_DACL structure.
    TokenSource
     (?), see TOKEN_SOURCE structure.
*/
typedef NTSTATUS (NTAPI *_NtCreateToken)( OUT PHANDLE TokenHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN TOKEN_TYPE TokenType, IN PLUID AuthenticationId, IN PLARGE_INTEGER ExpirationTime, IN PTOKEN_USER TokenUser, IN PTOKEN_GROUPS TokenGroups, IN PTOKEN_PRIVILEGES TokenPrivileges, IN PTOKEN_OWNER TokenOwner, IN PTOKEN_PRIMARY_GROUP TokenPrimaryGroup, IN PTOKEN_DEFAULT_DACL TokenDefaultDacl, IN PTOKEN_SOURCE TokenSource );

/*
    NtCurrentTeb (FUNCTION)
    INFO-0
     NtCurrentTeb isn't typical NT CALL realised via INT 2E, becouse TEB is accessable at address fs:[0018h].
    INFO-1
     Microsoft declare NtCurrentTeb as __cdecl, but ntdll.dll export it as __stdcall (it don't have metter, becouse function don't have any parameters), so you cannot use ntdll.dll export. In this case the better way is write NtCurrentTeb manually, declaring it as __cdecl.
*/
typedef PTEB (NTAPI *_NtCurrentTeb)( );

/*
    NtDelayExecution (FUNCTION)
    Alertable
     If set, execution can break in a result of NtAlertThread call.
    DelayInterval
     Delay in 100-ns units. Negative value means delay relative to current.
*/
typedef NTSTATUS (NTAPI *_NtDelayExecution)( IN BOOLEAN Alertable, IN PLARGE_INTEGER DelayInterval );

/*
    NtDeleteAtom (FUNCTION)
    Atom
     Atom identifier.
*/
typedef NTSTATUS (NTAPI *_NtDeleteAtom)( IN RTL_ATOM Atom );

/*
    NtDeleteFile (FUNCTION)
    It's very interesting NT System Call... Normally, file deletion is realised as FileDispositionInformation class in a call to NtSetInformationFile. When you use NtDeleteFile, file will be deleted immediatly after call (system isn't waiting for close last HANDLE to file).
     <HR WIDTH="40%">
    ObjectAttributes
     ou can manipulate ObjectName and RootDirectory members.
*/
typedef NTSTATUS (NTAPI *_NtDeleteFile)( IN POBJECT_ATTRIBUTES ObjectAttributes );

/*
    NtDeleteKey (FUNCTION)
    INFO-0
     See ZwDeleteKey in NT DDK or 2000 DDK for detailed description.
*/
typedef NTSTATUS (NTAPI *_NtDeleteKey)( IN HANDLE KeyHandle );

/*
    NtDeleteObjectAuditAlarm (FUNCTION)
    SubsystemName
     This string is passed as a parameter to event message.
    ObjectHandle
     HANDLE to any object.
    GenerateOnClose
     If set, event is generated.
*/
typedef NTSTATUS (NTAPI *_NtDeleteObjectAuditAlarm)( IN PUNICODE_STRING SubsystemName, IN HANDLE ObjectHandle OPTIONAL, IN BOOLEAN GenerateOnClose );

/*
    NtDeleteValueKey (FUNCTION)
    INFO-0
*/
typedef NTSTATUS (NTAPI *_NtDeleteValueKey)( IN HANDLE KeyHandle, IN PUNICODE_STRING ValueName );

/*
    NtDeviceIoControlFile (FUNCTION)
    FileHandle
     HANDLE to Device Object opened as a file.
    Event
     Optional HANDLE to Event Object signalled on the end of processing request.
    ApcRoutine
     Optional pointer to user's APC Routine called on the end of processing request.
    ApcContext
     User's parameter to ApcRoutine.
    IoStatusBlock
     IO result of call.
    IoControlCode
     IO Control code [IOCTL_*].
    InputBuffer
     User's allocated buffer with input data.
    InputBufferLength
     Length of InputBuffer, in bytes.
    OutputBuffer
     User's allocated buffer for result data.
    OutputBufferLength
     Length of OutputBuffer, in bytes.
*/
typedef NTSTATUS (NTAPI *_NtDeviceIoControlFile)( IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG IoControlCode, IN PVOID InputBuffer OPTIONAL, IN ULONG InputBufferLength, OUT PVOID OutputBuffer OPTIONAL, IN ULONG OutputBufferLength );

/*
    NtDisplayString (FUNCTION)
    String
     Pointer to UNICODE_STRING contains string to display. Some basic control characters are implemented (like CR, LF).
*/
typedef NTSTATUS (NTAPI *_NtDisplayString)( IN PUNICODE_STRING String );

/*
    NtDuplicateObject (FUNCTION)
    INFO-0
     See Microsoft SDK for description of DuplicateHandle Win32 API.
*/
typedef NTSTATUS (NTAPI *_NtDuplicateObject)( IN HANDLE SourceProcessHandle, IN PHANDLE SourceHandle, IN HANDLE TargetProcessHandle, OUT PHANDLE TargetHandle, IN ACCESS_MASK DesiredAccess OPTIONAL, IN BOOLEAN InheritHandle, IN ULONG Options );

/*
    NtDuplicateToken (FUNCTION)
    ExistingToken
     HANDLE to Token Object opened with TOKEN_DUPLICATE access.
    DesiredAccess
     Access mask for newly created token. Can be combination of:
        TOKEN_ASSIGN_PRIMARY
        TOKEN_DUPLICATE
    ObjectAttributes
     Optionally pointer to OBJECT_ATTRIBUTES structure, containing token's name.
    ImpersonationLevel
     Level of impersonation for new token.
    TokenType
     Type of new token.
    NewToken
     Result of call - pointer to HANDLE to new Token Object.
*/
typedef NTSTATUS (NTAPI *_NtDuplicateToken)( IN HANDLE ExistingToken, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, IN TOKEN_TYPE TokenType, OUT PHANDLE NewToken );

/*
    NtEnumerateKey (FUNCTION)
    INFO-0
     See ZwEnumerateKey in NT DDK or 2000 DDK for detailed description.
*/
typedef NTSTATUS (NTAPI *_NtEnumerateKey)( IN HANDLE KeyHandle, IN ULONG Index, IN KEY_INFORMATION_CLASS KeyInformationClass, OUT PVOID KeyInformation, IN ULONG Length, OUT PULONG ResultLength );

/*
    NtEnumerateValueKey (FUNCTION)
    INFO-0
     See ZwEnumerateValueKey in NT DDK or 2000 DDK for detailed description.
*/
typedef NTSTATUS (NTAPI *_NtEnumerateValueKey)( IN HANDLE KeyHandle, IN ULONG Index, IN KEY_VALUE_INFORMATION_CLASS KeyValueInformation, OUT PVOID KeyValueInformation, IN ULONG Length, OUT PULONG ResultLength );

/*
    NtExtendSection (FUNCTION)
    SectionHandle
     Must be open with SECTION_EXTEND_SIZE attribute.
*/
typedef NTSTATUS (NTAPI *_NtExtendSection)( IN HANDLE SectionHandle, IN PLARGE_INTEGER NewSectionSize );

/*
    NtFindAtom (FUNCTION)
    AtomName
     Atom's name, in UNICODE format.
    Atom
     Result of call - Pointer to Atom's identifier.
*/
typedef NTSTATUS (NTAPI *_NtFindAtom)( IN PWCHAR AtomName, OUT PRTL_ATOM Atom OPTIONAL );

/*
    NtFlushBuffersFile (FUNCTION)
    FileHandle
     HANDLE to File Object.
    IoStatusBlock
     IO result of call.
*/
typedef NTSTATUS (NTAPI *_NtFlushBuffersFile)( IN HANDLE FileHandle, OUT PIO_STATUS_BLOCK IoStatusBlock );

/*
    NtFlushInstructionCache (FUNCTION)
    ProcessHandle
     HANDLE to Process Object.
    BaseAddress
     Starting memory address to flush.
    NumberOfBytesToFlush
     Length of flushed memory block.
*/
typedef NTSTATUS (NTAPI *_NtFlushInstructionCache)( IN HANDLE ProcessHandle, IN PVOID BaseAddress, IN ULONG NumberOfBytesToFlush );

/*
    NtFlushKey (FUNCTION)
    INFO-0
     See ZwFlushKey in NT DDK or 2000 DDK for detailed description.
*/
typedef NTSTATUS (NTAPI *_NtFlushKey)( IN HANDLE KeyHandle );

/*
    NtFlushVirtualMemory (FUNCTION)
    INFO-0
     WARNING: Two (or more) memory pages mapped in different calls of NtMapViewOfSection cannot be flushed in one function call, even if both has the same SECTION as a source.
*/
typedef NTSTATUS (NTAPI *_NtFlushVirtualMemory)( IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress, IN OUT PULONG NumberOfBytesToFlush, OUT PIO_STATUS_BLOCK IoStatusBlock );

/*
    NtFlushWriteBuffer (FUNCTION)
    INFO-0
     It test IRQ Level, and call HAL export named KeFlushWriteBuffer.
    INFO-1
     KeFlushWriteBuffer as first asm code has ret, so it returns immediatelly.
    INFO-2
     Next NtFlushWriteBuffer clear eax (set result of call to STATUS_SUCCESS) and returns to User-Mode.
*/
typedef NTSTATUS (NTAPI *_NtFlushWriteBuffer)( );

/*
    NtFreeVirtualMemory (FUNCTION)
    RegionSize
     f you put pointer to NULL value as RegionSize, system will free all region, and put size of it in result.
    FreeType
     an be one of the values:  MEM_DECOMMIT, or MEM_RELEASE.
*/
typedef NTSTATUS (NTAPI *_NtFreeVirtualMemory)( IN HANDLE ProcessHandle, IN PVOID *BaseAddress, IN OUT PULONG RegionSize, IN ULONG FreeType );

/*
    NtFsControlFile (FUNCTION)
    FileHandle
     HANDLE to File System Device Object opened as a file.
    Event
     Optional HANDLE to Event Object.
    ApcRoutine
     Optional pointer to user's APC Routine.
    ApcContext
     Parameter for ApcRoutine.
    IoStatusBlock
     IO result of call.
    FsControlCode
     Control Code typically defined as FSCTL_*.
    InputBuffer
     User's allocated buffer contains input data.
    InputBufferLength
     Length of InputBuffer, in bytes.
    OutputBuffer
     User's allocated buffer for results of call.
    OutputBufferLength
     Length of OutputBuffer, in bytes.
*/
typedef NTSTATUS (NTAPI *_NtFsControlFile)( IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG FsControlCode, IN PVOID InputBuffer OPTIONAL, IN ULONG InputBufferLength, OUT PVOID OutputBuffer OPTIONAL, IN ULONG OutputBufferLength );

/*
    NtGetContextThread (FUNCTION)
    pContext
     ee &lt;ntddk.h&gt; for information about CONTEXT structure usage.
*/
typedef NTSTATUS (NTAPI *_NtGetContextThread)( IN HANDLE ThreadHandle, OUT PCONTEXT pContext );

/*
    NtGetTickCount (FUNCTION)
    INFO-0
     Function NtGetTickCount returns system Timer's ticks counter. This counter is also avaiable in KUSER_SHARED_DATA structure as TickCountLow member.
    INFO-1
     Calling NtSetTimerResolution doesn't effect in counter's update resolution.
*/
typedef ULONG (NTAPI *_NtGetTickCount)( );

/*
    NtImpersonateClientOfPort (FUNCTION)
    INFO-0
     NtImpersonateClientOfPort is called by LPC server process to get security context of client. That means: client's Token Object is assiciated with calling server thread (like NtSetInformationThread with ThreadImpersonationToken information class).
    PortHandle
     HANDLE to Port Object opened with NtAcceptConnectPort call.
    Request
     Pointer to LPC_MESSAGE structure contains reason of impersonation.
*/
typedef NTSTATUS (NTAPI *_NtImpersonateClientOfPort)( IN HANDLE PortHandle, IN PLPC_MESSAGE Request );

/*
    NtImpersonateThread (FUNCTION)
    ThreadHandle
     HANDLE to source Thread Object.
    ThreadToImpersonate
     HANDLE to destination Thread Object opened with THREAD_IMPERSONATE access.
    SecurityQualityOfService
     Pointer to SECURITY_QUALITY_OF_SERVICE structure filled by user.
*/
typedef NTSTATUS (NTAPI *_NtImpersonateThread)( IN HANDLE ThreadHandle, IN HANDLE ThreadToImpersonate, IN PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService );

/*
    NtListenPort (FUNCTION)
    INFO-0
     Server process should create new thread starting from execution of NtAcceptConnectPort. Main thread should call NtListenPort again to make possible for other processes to connect to port.
*/
typedef NTSTATUS (NTAPI *_NtListenPort)( IN HANDLE PortHandle, OUT PLPC_MESSAGE ConnectionRequest );

/*
    NtLoadDriver (FUNCTION)
    DriverServiceName
     Registry path in system format. Path must begin with "//registry//machine//SYSTEM//CurrentControlSet//Services//..." where "..." is driver symbolic name.
*/
typedef NTSTATUS (NTAPI *_NtLoadDriver)( IN PUNICODE_STRING DriverServiceName );

/*
    NtLoadKey (FUNCTION)
    DestinationKeyName
     Pointer to OBJECT_ATTRIBUTES structure contains destination key name and HANDLE to root key. Root can be /REGISTRY/machine or /REGISTRY/user. All other keys are invalid.
    HiveFileName
     Pointer to OBJECT_ATTRIBUTES structure contains Hive file path and name.
*/
typedef NTSTATUS (NTAPI *_NtLoadKey)( IN POBJECT_ATTRIBUTES DestinationKeyName, IN POBJECT_ATTRIBUTES HiveFileName );

/*
    NtLoadKey2 (FUNCTION)
    DestinationKeyName
     Pointer to OBJECT_ATTRIBUTES structure contains name of loaded key and virtual parent key ("machine" or "user").
    HiveFileName
     Pointer to OBJECT_ATTRIBUTES structure specifing Hive file.
    Flags
     (?) Only values 0x0000 and 0x0004 are valid. If caller set Flags to 0x0000, function works as NtLoadKey.
*/
typedef NTSTATUS (NTAPI *_NtLoadKey2)( IN POBJECT_ATTRIBUTES DestinationKeyName, IN POBJECT_ATTRIBUTES HiveFileName, IN ULONG Flags );

/*
    NtLockFile (FUNCTION)
    FileHandle
     HANDLE to File Object opened with FILE_READ_DATA access.
    LockGrantedEvent
     Optional HANDLE to Event Object, whitch is signaled when lock is created (typically used with ReturnImmediately parameter set to TRUE).
    ApcRoutine
     APC routine executed when lock is granted.
    ApcContext
     Optional parameter for ApcRoutine.
    IoStatusBlock
     IO result of call.
    ByteOffset
     Offset (in bytes) to begin of file region to lock.
    Length
     Length of region to lock, in bytes.
    Key
     Pointer to user's defined 4-bytes key associated with this lock. It can be used in multi-thread process to allow reading or writing data only for one specified thread, whitch known Key value.
    ReturnImmediately
     If TRUE, function returns immediately. Caller is informed about lock creation by LockGrantedEvent or by executing ApcRoutine.
    ExclusiveLock
     If set, all read and write operation are denied for other processes. If not, only write operation is denied.
*/
typedef NTSTATUS (NTAPI *_NtLockFile)( IN HANDLE FileHandle, IN HANDLE LockGrantedEvent OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, IN PLARGE_INTEGER ByteOffset, IN PLARGE_INTEGER Length, IN PULONG Key, IN BOOLEAN ReturnImmediately, IN BOOLEAN ExclusiveLock );

/*
    NtLockVirtualMemory (FUNCTION)
    LockOption
     an be one or both of following values:
        #define VM_LOCK_1       0x0001  // This is used, when calling KERNEL32.DLL VirtualLock routine
        #define VM_LOCK_2       0x0002  // This require SE_LOCK_MEMORY_NAME privilege
*/
typedef NTSTATUS (NTAPI *_NtLockVirtualMemory)( IN HANDLE ProcessHandle, IN PVOID *BaseAddress, IN OUT PULONG NumberOfBytesToLock, IN ULONG LockOption );

/*
    NtMakeTemporaryObject (FUNCTION)
    (Also avaiable in Win2000 DDK)
     Function clears object's PERMANENT flag, so it's live as long as the latest HANDLE is closed.
    ObjectHandle
     HANDLE to object to make temporary.
*/
typedef NTSTATUS (NTAPI *_NtMakeTemporaryObject)( IN HANDLE ObjectHandle );

/*
    NtMapViewOfSection (FUNCTION)
    SectionHandle
     HANDLE to Section Object opened with one or more from SECTION_MAP_EXECUTE, SECTION_MAP_READ, SECTION_MAP_WRITE attributes.
    ProcessHandle
     HANDLE to Process Object opened with PROCESS_VM_OPERATION access.
    *BaseAddress
     Pointer to variable receiving virtual address of mapped memory. If this value is not NULL, system tries to allocate memory from specified value.
    ZeroBits
     Indicates how many high bits must not be set in BaseAddress.
    CommitSize
     Size of initially commited memory, in bytes.
    SectionOffset
     Pointer to begin of mapped block in section. This value must be rounded up to X64K block size (0x10000 on X86).
    ViewSize
     Pointer to size of mapped block, in bytes. This value is rounded up to page size (0x1000 on x86).
    InheritDisposition
     How to child processes inherid maped section. See description of enumeration type SECTION_INHERIT.
    AllocationType
     Can be one of:MEM_COMMIT MEM_RESERVE
    Protect
     Page protection. Can be one of:PAGE_NOACCESS         PAGE_READONLY         PAGE_READWRITE        PAGE_WRITECOPY        PAGE_EXECUTE          PAGE_EXECUTE_READ     PAGE_EXECUTE_READWRITEPAGE_EXECUTE_WRITECOPYPAGE_GUARD            PAGE_NOCACHE          PAGE_WRITECOMBINE
    Supported on system versions:
     NT 4.0,Win 2000,Win XP/2003
*/
typedef NTSTATUS (NTAPI *_NtMapViewOfSection)( IN HANDLE SectionHandle, IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress OPTIONAL, IN ULONG ZeroBits OPTIONAL, IN ULONG CommitSize, IN OUT PLARGE_INTEGER SectionOffset OPTIONAL, IN OUT PULONG ViewSize, IN InheritDisposition, IN ULONG AllocationType OPTIONAL, IN ULONG Protect );

/*
    NtNotifyChangeDirectoryFile (FUNCTION)
    FileHandle
     HANDLE to File Object opened with SYNCHRONIZE access and FILE_DIRECTORY_FILE option set.
    Event
     HANDLE to Event Object. Event can be created as NotificationEvent or SynchronizationEvent, but second one is better in this situation.
    ApcRoutine
     Address of user's APC routine, queued when change complete.
    ApcContext
     Optional parameter for ApcRoutine.
    IoStatusBlock
     IO result of call. Status member in IoStatusBlock can result STATUS_NOTIFY_ENUM_DIR when Buffer was to small.
    Buffer
     User's allocated buffer for change informations. It contains one or more of FILE_NOTIFY_INFORMATION structures.
    BufferSize
     Size of Buffer, in bytes.
    CompletionFilter
     Mask specifing what sort of changes should be monitored. Can be combination of:
    FILE_NOTIFY_CHANGE_FILE_NAME
     FILE_NOTIFY_CHANGE_DIR_NAME
    WatchTree
     If set, all subdirectiories of specified directory will be also monitored.
*/
typedef NTSTATUS (NTAPI *_NtNotifyChangeDirectoryFile)( IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, OUT PVOID Buffer, IN ULONG BufferSize, IN ULONG CompletionFilter, IN BOOLEAN WatchTree );

/*
    NtNotifyChangeKey (FUNCTION)
    INFO-0
*/
typedef NTSTATUS (NTAPI *_NtNotifyChangeKey)( IN HANDLE KeyHandle, IN HANDLE EventHandle, IN PIO_APC_ROUTINE ApcRoutine, IN PVOID ApcRoutineContext, IN PIO_STATUS_BLOCK IoStatusBlock, IN ULONG NotifyFilter, IN BOOLEAN WatchSubtree, OUT PVOID RegChangesDataBuffer, IN ULONG RegChangesDataBufferLength, IN BOOLEAN Asynchronous );

/*
    NtOpenDirectoryObject (FUNCTION)
    DirectoryObjectHandle
     ointer to HANDLE value representing opened Directory Object.
    DesiredAccess
     ccess mask. See NtCreateDirectoryObject for possible values.
    ObjectAttributes
     ust contains valid Directory Object name.
*/
typedef NTSTATUS (NTAPI *_NtOpenDirectoryObject)( OUT PHANDLE DirectoryObjectHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes );

/*
    NtOpenEvent (FUNCTION)
    INFO-0
     Only named events can be opened by this function call.
*/
typedef NTSTATUS (NTAPI *_NtOpenEvent)( OUT PHANDLE EventHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes );

/*
    NtOpenEventPair (FUNCTION)
    DesiredAccess
     ee NtCreateEventPair for definitions of EventPair possibble access rights.
*/
typedef NTSTATUS (NTAPI *_NtOpenEventPair)( OUT PHANDLE EventPairHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes );

/*
    NtOpenFile (FUNCTION)
    INFO-0
     (Also avaiable in 2000 DDK.)
    FileHandle
     Result of call.
    DesiredAccess
     Access mask to opened file object.
    ObjectAttributes
     File name, path etc. See NtCreateFile for more information.
    IoStatusBlock
     Completion status of call.
    ShareAccess
     Sharing option defined as FILE_SHARE_*.
    OpenOptions
     Open options.
*/
typedef NTSTATUS (NTAPI *_NtOpenFile)( OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG ShareAccess, IN ULONG OpenOptions );

/*
    NtOpenIoCompletion (FUNCTION)
    IoCompletionHandle
     Result of call - pointer to HANDLE value.
    DesiredAccess
     Can be one or combination of:
        IO_COMPLETION_QUERY_STATE
        IO_COMPLETION_MODIFY_STATE
    ObjectAttributes
     Pointer to OBJECT_ATTRIBUTES structure containing valid IO Completion name.
*/
typedef NTSTATUS (NTAPI *_NtOpenIoCompletion)( OUT PHANDLE IoCompletionHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes );

/*
    NtOpenKey (FUNCTION)
    INFO-0
     See ZwOpenKey in NT DDK or 2000 DDK for detailed description.
*/
typedef NTSTATUS (NTAPI *_NtOpenKey)( OUT PHANDLE pKeyHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes );

/*
    NtOpenKeyedEvent (FUNCTION)
    INFO-0
     Function NtOpenKeyedEvent is used for open previously created KeyedEvent with associated name.
    KeyedEventHandle
     Result of call - HANDLE to opened KeyedEvent object.
    DesiredAccess
     Access to object, the same values as for Event object.
    ObjectAttributes
     Name of KeyedEvent to open.
    Supported on system versions:
     Win XP/2003
*/
typedef NTSTATUS (NTAPI *_NtOpenKeyedEvent)( OUT PHANDLE KeyedEventHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL );

/*
    NtOpenMutant (FUNCTION)
    DesiredAccess
     ee &lt;WinNT.h&gt; or &lt;WinBase.h&gt; for possible Mutant access rights.
    ObjectAttributes
     ame of Mutant object to open.
*/
typedef NTSTATUS (NTAPI *_NtOpenMutant)( OUT PHANDLE MutantHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes );

/*
    NtOpenObjectAuditAlarm (FUNCTION)
    ObjectHandle
     Can be any valid HANDLE to object, or NULL.
    SecurityDescriptor
     Pointer to SECURITY_DESCRIPTOR structure, or NULL.
    ClientToken
     HANDLE to Token Object previously opened with TOKEN_QUERY access.
    Privileges
     Optionally pointer to PRIVILEGE_SET structure filled by user with valid privileges.
    GenerateOnClose
     Optionally pointer to BOOLEAN value.
*/
typedef NTSTATUS (NTAPI *_NtOpenObjectAuditAlarm)( IN PUNICODE_STRING SubsystemName OPTIONAL, IN PHANDLE ObjectHandle OPTIONAL, IN PUNICODE_STRING ObjectTypeName OPTIONAL, IN PUNICODE_STRING ObjectName OPTIONAL, IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL, IN HANDLE ClientToken, IN ACCESS_MASK DesiredAccess, IN ACCESS_MASK GrantedAccess, IN PPRIVILEGE_SET Privileges OPTIONAL, IN BOOLEAN ObjectCreation, IN BOOLEAN AccessGranted, OUT PBOOLEAN GenerateOnClose OPTIONAL );

/*
    NtOpenProcess (FUNCTION)
    AccessMask
     PROCESS_TERMINATE
    ObjectAttributes
     or standard processes, all fields of ObjectAttributes should be NULL.
    ClientId
     rocess id and thread id must be fill with valid values.
*/
typedef NTSTATUS (NTAPI *_NtOpenProcess)( OUT PHANDLE ProcessHandle, IN ACCESS_MASK AccessMask, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId );

/*
    NtOpenProcessToken (FUNCTION)
    INFO-0
     See also PROCESS_INFORMATION_CLASS with ProcessAccessToken information class.
*/
typedef NTSTATUS (NTAPI *_NtOpenProcessToken)( IN HANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, OUT PHANDLE TokenHandle );

/*
    NtOpenSection (FUNCTION)
    INFO-0
*/
typedef NTSTATUS (NTAPI *_NtOpenSection)( OUT PHANDLE SectionHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes );

/*
    NtOpenSemaphore (FUNCTION)
    SemaphoreHandle
     Result of call - pointer to HANDLE to Semaphore Object.
    DesiredAccess
     Access rights, descripted in NtCreateSemaphore.
    ObjectAttributes
     Pointer to OBJECT_ATTRIBUTES structure containing semaphore's name.
*/
typedef NTSTATUS (NTAPI *_NtOpenSemaphore)( OUT PHANDLE SemaphoreHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes );

/*
    NtOpenSymbolicLinkObject (FUNCTION)
    INFO-0
*/
typedef NTSTATUS (NTAPI *_NtOpenSymbolicLinkObject)( OUT PHANDLE pHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes );

/*
    NtOpenThread (FUNCTION)
    ThreadHandle
     ointer to received handle to thread object.
    AccessMask
     ccess mask. See WinNT.h for details.
    ObjectAttributes
     ttributes of thread to open. For standard threads there are empty.
    ClientId
     ointer to CLIENT_ID structure. Only UniqueThread member is required (difference to NtOpenProcess).
*/
typedef NTSTATUS (NTAPI *_NtOpenThread)( OUT PHANDLE ThreadHandle, IN ACCESS_MASK AccessMask, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId );

/*
    NtOpenThreadToken (FUNCTION)
    Usually Win32 threads don't have associated Tokens. If you want to associate Token for Thread Object, use
     NtSetInformationThread with ThreadImpersonationToken information class.
*/
typedef NTSTATUS (NTAPI *_NtOpenThreadToken)( IN HANDLE ThreadHandle, IN ACCESS_MASK DesiredAccess, IN BOOLEAN OpenAsSelf, OUT PHANDLE TokenHandle );

/*
    NtOpenTimer (FUNCTION)
    TimerHandle
     Result of call - HANDLE to Timer Object.
    DesiredAccess
     Access mask for TimerHandle. See NtCreateTimer for possible values.
    ObjectAttributes
     Name of Timer Object.
*/
typedef NTSTATUS (NTAPI *_NtOpenTimer)( OUT PHANDLE TimerHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes );

/*
    NtPrivilegeCheck (FUNCTION)
    TokenHandle
     HANDLE to Token Object opened with TOKEN_QUERY access.
    RequiredPrivileges
     Pointer to PRIVILEGE_SET structure contains definitions of privileges to check.
    Result
     Result of call - pointer to BOOLEAN value containing TRUE is all asked privileges are enabled.
*/
typedef NTSTATUS (NTAPI *_NtPrivilegeCheck)( IN HANDLE TokenHandle, IN PPRIVILEGE_SET RequiredPrivileges, IN PBOOLEAN Result );

/*
    NtPrivilegedServiceAuditAlarm (FUNCTION)
    ClientToken
     HANDLE to Token Object opened with TOKEN_QUERY access.
    ClientPrivileges
     Pointer to PRIVILEGE_SET structure contains valid data.
*/
typedef NTSTATUS (NTAPI *_NtPrivilegedServiceAuditAlarm)( IN PUNICODE_STRING SubsystemName OPTIONAL, IN PUNICODE_STRING ServiceName OPTIONAL, IN HANDLE ClientToken, IN PPRIVILEGE_SET ClientPrivileges, IN BOOLEAN AccessGranted );

/*
    NtPrivilegeObjectAuditAlarm (FUNCTION)
    ObjectHandle
     This can be any value.
    ClientToken
     HANDLE to Token Object opened with TOKEN_QUERY access.
    ClientPrivileges
     Pointer to PRIVILEGE_SET structure filled with valid data.
*/
typedef NTSTATUS (NTAPI *_NtPrivilegeObjectAuditAlarm)( IN PUNICODE_STRING SubsystemName OPTIONAL, IN HANDLE ObjectHandle OPTIONAL, IN HANDLE ClientToken, IN ULONG DesiredAccess, IN PPRIVILEGE_SET ClientPrivileges, IN BOOLEAN AccessGranted );

/*
    NtProtectVirtualMemory (FUNCTION)
    ProcessHandle
     andle to Process Object opened with PROCESS_VM_OPERATION access.
    *BaseAddress
     ointer to base address to protect. Protection will change on all page containing specified address. On output, BaseAddress will point to page start address.
    NumberOfBytesToProtect
     ointer to size of region to protect. On output will be round to page size (4KB).
    NewAccessProtection
     ne or some of PAGE_... attributess.
    OldAccessProtection
     eceive previous protection.
*/
typedef NTSTATUS (NTAPI *_NtProtectVirtualMemory)( IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress, IN OUT PULONG NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection );

/*
    NtPulseEvent (FUNCTION)
    INFO-0
     Function sets event to signaled state, releases all (or one - dependly of EVENT_TYPE) waiting threads, and resets event to non-signaled state. If they're no waiting threads, NtPulseEvent just clear event state.
*/
typedef NTSTATUS (NTAPI *_NtPulseEvent)( IN HANDLE EventHandle, OUT PLONG PreviousState OPTIONAL );

/*
    NtQueryAttributesFile (FUNCTION)
    INFO-0
     Use of NtQueryAttributesFile is the easiest and the best way to check if file exist. NtOpenFile isn't good for this, becouse it modifies last access time for opened file. See NtQueryDirectoryFile for details.
*/
typedef NTSTATUS (NTAPI *_NtQueryAttributesFile)( IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PFILE_BASIC_INFORMATION FileAttributes );

/*
    NtQueryDefaultLocale (FUNCTION)
    UserProfile
     If set, function returns UserMode default locale. If not, result is system locale.
    DefaultLocaleId
     Pointer to LCID value receiving current locale.
*/
typedef NTSTATUS (NTAPI *_NtQueryDefaultLocale)( IN BOOLEAN UserProfile, OUT PLCID DefaultLocaleId );

/*
    NtQueryDirectoryFile (FUNCTION)
    FileHandle
     HANDLE to File Object opened with FILE_DIRECTORY_FILE option and FILE_LIST_DIRECTORY access.
    Event
     Optional HANDLE to Event Object signaled after query complete.
    ApcRoutine
     Optinal pointer to user's APC routine queued after query complete.
    ApcContext
     Parameter for ApcRoutine.
    IoStatusBlock
     Pointer to IO_STATUS_BLOCK structure. After enumeration complete, Information member of this structure contains number of bytes writed into FileInformation buffer. Status member contains IO result of call, and can be one of:
        STATUS_SUCCESS - Enumeration has results in FileInformation buffer.
        STATUS_NO_MORE_FILES - FileInformation buffer is empty, and next call isn't needed.
    FileInformation
     User's allocated buffer for output data.
    Length
     Length of FileInformation buffer, in bytes.
    FileInformationClass
     Information class. Can be one of:
        FileDirectoryInformation
        FileFullDirectoryInformation
    ReturnSingleEntry
     If set, only one entry is returned.
    FileMask
     If specified, only information about files matches this wildchar mask will be returned.
    RestartScan
     Used with ReturnSingleEntry parameter. If set, NtQueryDirectoryFile continue enumeration after last enumerated element in previous call. If no, returns the first entry in directory.
*/
typedef NTSTATUS (NTAPI *_NtQueryDirectoryFile)( IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, OUT PVOID FileInformation, IN ULONG Length, IN FILE_INFORMATION_CLASS FileInformationClass, IN BOOLEAN ReturnSingleEntry, IN PUNICODE_STRING FileMask OPTIONAL, IN BOOLEAN RestartScan );

/*
    NtQueryDirectoryObject (FUNCTION)
    DirectoryObjectHandle
     andle to Directory Object opened with DIRECTORY_QUERY access.
    DirObjInformation
     ointer to OBJDIR_INFORMATION structure. Warning: structure has variable length dependly to length of object name.
    BufferLength
     ength of DirObjInformation buffer.
    GetNextIndex
     ecide of ObjectIndex parameter usage on output.
    IgnoreInputIndex
     ecide how to use ObjectIndex on function input.
    ObjectIndex
     ointer to ULONG value described above.
    DataWritten
     ointer to ULONG value receiving required / written buffer size. This parameter is optional.
*/
typedef NTSTATUS (NTAPI *_NtQueryDirectoryObject)( IN HANDLE DirectoryObjectHandle, OUT POBJDIR_INFORMATION DirObjInformation, IN ULONG BufferLength, IN BOOLEAN GetNextIndex, IN BOOLEAN IgnoreInputIndex, IN OUT PULONG ObjectIndex, OUT PULONG DataWritten OPTIONAL );

/*
    NtQueryEaFile (FUNCTION)
    INFO-0
     NtQueryEaFile is used to read EA from NTFS file. For more information about EA see FILE_FULL_EA_INFORMATION.
    FileHandle
     HANDLE to File Object opened with FILE_READ_EA access.
    IoStatusBlock
     IO result of call.
    Buffer
     Caller's allocated buffer for output data. See FILE_FULL_EA_INFORMATION for detailed description of fields avaiable in buffer.
    Length
     Length of buffer, in bytes.
    ReturnSingleEntry
     If set, only one entry is returned.
    EaList
     Optional list of FILE_GET_EA_INFORMATION structures containing names of EA.
    EaListLength
     Length of EaList, in bytes.
    EaIndex
     Pointer to ULONG value contains 1-based index of queried attribute.
    RestartScan
     If set, result is the first quered EA.
*/
typedef NTSTATUS (NTAPI *_NtQueryEaFile)( IN HANDLE FileHandle, OUT PIO_STATUS_BLOCK IoStatusBlock, OUT PVOID Buffer, IN ULONG Length, IN BOOLEAN ReturnSingleEntry, IN PVOID EaList OPTIONAL, IN ULONG EaListLength, IN PULONG EaIndex OPTIONAL, IN BOOLEAN RestartScan );

/*
    NtQueryEvent (FUNCTION)
    INFO-0
     Currently there're only one information class for use with Event Object. See EVENT_INFORMATION_CLASS for details.
*/
typedef NTSTATUS (NTAPI *_NtQueryEvent)( IN HANDLE EventHandle, IN EVENT_INFORMATION_CLASS EventInformationClass, OUT PVOID EventInformation, IN ULONG EventInformationLength, OUT PULONG ReturnLength OPTIONAL );

/*
    NtQueryFullAttributesFile (FUNCTION)
    ObjectAttributes
     Path and name of File Object to query.
    Attributes
     Pointer to FILE_NETWORK_OPEN_INFORMATION structure.
*/
typedef NTSTATUS (NTAPI *_NtQueryFullAttributesFile)( IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PVOID Attributes );

/*
    NtQueryInformationAtom (FUNCTION)
    Atom
     Atom to query. If AtomInformationClass parameter is AtomTableInformation, Atom parameter is not used.
    AtomInformationClass
     See ATOM_INFORMATION_CLASS enumeration type for details.
    AtomInformation
     Result of call - pointer to user's allocated buffer for data.
    AtomInformationLength
     Size of AtomInformation buffer, in bytes.
    ReturnLength
     Pointer to ULONG value contains required AtomInformation buffer size.
*/
typedef NTSTATUS (NTAPI *_NtQueryInformationAtom)( IN RTL_ATOM Atom, IN ATOM_INFORMATION_CLASS AtomInformationClass, OUT PVOID AtomInformation, IN ULONG AtomInformationLength, OUT PULONG ReturnLength OPTIONAL );

/*
    NtQueryInformationFile (FUNCTION)
    INFO-0
*/
typedef NTSTATUS (NTAPI *_NtQueryInformationFile)( IN HANDLE FileHandle, OUT PIO_STATUS_BLOCK IoStatusBlock, OUT PVOID FileInformation, IN ULONG Length, IN FILE_INFORMATION_CLASS FileInformationClass );

/*
    NtQueryInformationPort (FUNCTION)
    INFO-0
     Currently (on WinNT 4.0 SP6) there are no information classes for Port Object.
    INFO-1
     PortHandle
    INFO-2
     PortInformationClass
    INFO-3
     PortInformation
    INFO-4
     Length
    INFO-5
     ResultLength
*/
typedef NTSTATUS (NTAPI *_NtQueryInformationPort)( IN HANDLE PortHandle, IN PORT_INFORMATION_CLASS PortInformationClass, OUT PVOID PortInformation, IN ULONG Length, OUT PULONG ResultLength OPTIONAL );

/*
    NtQueryInformationProcess (FUNCTION)
    ProcessHandle
     andle to process opened with PROCESS_QUERY_INFORMATION access.
    ProcessInformationClass
     ee PROCESS_INFORMATION_CLASS.
    ProcessInformation
     uffer for results.
    ProcessInformationLength
     ength of buffer. See PROCESS_INFORMATION_CLASS for additional information.
    ReturnLength
     umber of bytes needed, if ProcessInformationLength was too small.
*/
typedef NTSTATUS (NTAPI *_NtQueryInformationProcess)( IN HANDLE ProcessHandle, IN PROCESS_INFORMATION_CLASS ProcessInformationClass, OUT PVOID ProcessInformation, IN ULONG ProcessInformationLength, OUT PULONG ReturnLength );

/*
    NtQueryInformationThread (FUNCTION)
    ThreadHandle
     andle to Thread Object opened with THREAD_QUERY_INFORMATION access.
    ThreadInformationClass
     nformation class defined in THREAD_INFORMATION_CLASS enumerated type.
    ThreadInformation
     aller's allocated buffer for results.
    ThreadInformationLength
     ength of buffer, in bytes.
    ReturnLength
     ptional pointer to required buffer length.
    INFO-5
     <HR WIDTH="40%">
    INFO-6
     See THREAD_INFORMATION_CLASS for more information.
*/
typedef NTSTATUS (NTAPI *_NtQueryInformationThread)( IN HANDLE ThreadHandle, IN THREAD_INFORMATION_CLASS ThreadInformationClass, OUT PVOID ThreadInformation, IN ULONG ThreadInformationLength, OUT PULONG ReturnLength OPTIONAL );

/*
    NtQueryInformationToken (FUNCTION)
    TokenHandle
     HANDLE to Token Object opened with TOKEN_QUERY access.
    TokenInformationClass
     Information class descripted in TOKEN_INFORMATION_CLASS topic.
    TokenInformation
     User's allocated buffer for output data. Format of output buffer depends on TokenInformationClass parameter.
    TokenInformationLength
     Length of TokenInformation buffer, in bytes.
    ReturnLength
     If output buffer is to small, value under this parameter receives required length.
*/
typedef NTSTATUS (NTAPI *_NtQueryInformationToken)( IN HANDLE TokenHandle, IN TOKEN_INFORMATION_CLASS TokenInformationClass, OUT PVOID TokenInformation, IN ULONG TokenInformationLength, OUT PULONG ReturnLength );

/*
    NtQueryIntervalProfile (FUNCTION)
    ProfileSource
     Performance counter identifier defined in KPROFILE_SOURCE enumeration type.
    Interval
     Pointer to ULONG value receiving current interval, in ms. If received value is zero, counter specified in ProfileSource parameter is hardware counter (performacne counter build in CPU).
*/
typedef NTSTATUS (NTAPI *_NtQueryIntervalProfile)( IN KPROFILE_SOURCE ProfileSource, OUT PULONG Interval );

/*
    NtQueryIoCompletion (FUNCTION)
    IoCompletionHandle
     HANDLE to IO Completion Object opened with IO_COMPLETION_QUERY_STATE access.
    InformationClass
     See IO_COMPLETION_INFORMATION_CLASS for possible values.
    IoCompletionInformation
     User's allocated buffer for result data.
    InformationBufferLength
     Length of IoCompletionInformation buffer, in bytes.
    RequiredLength
     Optionally receives required length of buffer.
*/
typedef NTSTATUS (NTAPI *_NtQueryIoCompletion)( IN HANDLE IoCompletionHandle, IN IO_COMPLETION_INFORMATION_CLASS InformationClass, OUT PVOID IoCompletionInformation, IN ULONG InformationBufferLength, OUT PULONG RequiredLength OPTIONAL );

/*
    NtQueryKey (FUNCTION)
    INFO-0
     See ZwQueryKey in NT DDK or 2000 DDK for detailed description.
*/
typedef NTSTATUS (NTAPI *_NtQueryKey)( IN HANDLE KeyHandle, IN KEY_INFORMATION_CLASS KeyInformationClass, OUT PVOID KeyInformation, IN ULONG Length, OUT PULONG ResultLength );

/*
    NtQueryMultipleValueKey (FUNCTION)
    KeyHandle
     HANDLE to Key Object opened with KEY_READ access.
    ValuesList
     Array of KEY_MULTIPLE_VALUE_INFORMATION structures contains names of values to query.
    NumberOfValues
     Number of members in ValueList array.
    DataBuffer
     User's allocated buffer receiving queried value's data.
    BufferLength
     Pointer to value specifing length of DataBuffer, in bytes.
    RequiredLength
     Optionally pointer to value receiving required DataBuffer length, in bytes.
*/
typedef NTSTATUS (NTAPI *_NtQueryMultipleValueKey)( IN HANDLE KeyHandle, IN OUT PKEY_MULTIPLE_VALUE_INFORMATION ValuesList, IN ULONG NumberOfValues, OUT PVOID DataBuffer, IN OUT ULONG BufferLength, OUT PULONG RequiredLength OPTIONAL );

/*
    NtQueryMutant (FUNCTION)
    MutantHandle
     andle to Mutant object.
    MutantInformationClass
     s defined as enum:
    INFO-2
        } MUTANT_INFORMATION_CLASS, *PMUTANT_INFORMATION_CLASS;
    MutantInformation
     uffer for result. As long as only one information type is defined, set MutantInformation as a pointer to MUTANT_BASIC_INFORMATION structure.
    MutantInformationLength
     ize of buffer.
    ResultLength
     umber of bytes written to buffer.
*/
typedef NTSTATUS (NTAPI *_NtQueryMutant)( IN HANDLE MutantHandle, IN MUTANT_INFORMATION_CLASS MutantInformationClass, OUT PVOID MutantInformation, IN ULONG MutantInformationLength, OUT PULONG ResultLength OPTIONAL );

/*
    NtQueryObject (FUNCTION)
    INFO-0
     Function NtQueryObject retrives some informations about any or all objects opened by calling process. It can be used with any type of object.
    ObjectHandle
     HANDLE to object.
    ObjectInformationClass
     Kind of information to retrive. See OBJECT_INFORMATION_CLASS for possible values list.
    ObjectInformation
     Output buffer allocated by caller.
    Length
     Length of ObjectInformation buffer, in bytes.
    ResultLength
     Pointer to ULONG value that contains required size of ObjectInformation buffer after function call.
*/
typedef NTSTATUS (NTAPI *_NtQueryObject)( IN HANDLE ObjectHandle, IN OBJECT_INFORMATION_CLASS ObjectInformationClass, OUT PVOID ObjectInformation, IN ULONG Length, OUT PULONG ResultLength );

/*
    NtQueryOleDirectoryFile (FUNCTION)
    INFO-0
     All function's parameters are descripted in NtQueryDirectoryFile section.
*/
typedef NTSTATUS (NTAPI *_NtQueryOleDirectoryFile)( IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, OUT PVOID FileInformation, IN ULONG Length, IN FILE_INFORMATION_CLASS FileInformationClass, IN BOOLEAN ReturnSingleEntry, IN PUNICODE_STRING FileMask OPTIONAL, IN BOOLEAN RestartScan );

/*
    NtQueryPerformanceCounter (FUNCTION)
    INFO-0
     Another method of uptime calculation :
    INFO-1
     UpTime = PerformanceCounter / PerformanceFrequency;
*/
typedef NTSTATUS (NTAPI *_NtQueryPerformanceCounter)( OUT PLARGE_INTEGER PerformanceCounter, OUT PLARGE_INTEGER PerformanceFrequency OPTIONAL );

/*
    NtQuerySection (FUNCTION)
    InformationClass
     Use one of following:
    INFO-1
     SectionImageInformation Are avaiable only for file-based sections.
*/
typedef NTSTATUS (NTAPI *_NtQuerySection)( IN HANDLE SectionHandle, IN SECTION_INFORMATION_CLASS InformationClass, OUT PVOID InformationBuffer, IN ULONG InformationBufferSize, OUT PULONG ResultLength OPTIONAL );

/*
    NtQuerySecurityObject (FUNCTION)
    ObjectHandle
     HANDLE to any object opened with READ_CONTROL access.
    SecurityInformationClass
     Can be combination of:
        OWNER_SECURITY_INFORMATION
        GROUP_SECURITY_INFORMATION
    DescriptorBuffer
     Result of call - pointer to SECURITY_DESCRIPTOR structure.
    DescriptorBufferLength
     Size of buffer, in bytes.
    RequiredLength
     Pointer to value receiving required length of buffer.
*/
typedef NTSTATUS (NTAPI *_NtQuerySecurityObject)( IN HANDLE ObjectHandle, IN SECURITY_INFORMATION SecurityInformationClass, OUT PSECURITY_DESCRIPTOR DescriptorBuffer, IN ULONG DescriptorBufferLength, OUT PULONG RequiredLength );

/*
    NtQuerySemaphore (FUNCTION)
    SemaphoreHandle
     HANDLE to Semaphore Object opened with SEMAPHORE_QUERY_STATE access.
    SemaphoreInformationClass
     Information class descripted in SEMAPHORE_INFORMATION_CLASS section.
    SemaphoreInformation
     Pointer to user's allocated buffer for result data.
    SemaphoreInformationLength
     Size of SemaphoreInformation buffer, in bytes.
    ReturnLength
     Optionally returns required buffer size.
*/
typedef NTSTATUS (NTAPI *_NtQuerySemaphore)( IN HANDLE SemaphoreHandle, IN SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass, OUT PVOID SemaphoreInformation, IN ULONG SemaphoreInformationLength, OUT PULONG ReturnLength OPTIONAL );

/*
    NtQuerySymbolicLinkObject (FUNCTION)
    pLinkName
     Received path to destination object.
*/
typedef NTSTATUS (NTAPI *_NtQuerySymbolicLinkObject)( IN HANDLE SymbolicLinkHandle, OUT PUNICODE_STRING pLinkName, OUT PULONG pDataWritten OPTIONAL );

/*
    NtQuerySystemEnvironmentValue (FUNCTION)
    INFO-0
     Seems not works on NT 4.0 SP6. Control Panel applet query and set System Environment values by Rtl...Environment functions or directly by registry.
*/
typedef NTSTATUS (NTAPI *_NtQuerySystemEnvironmentValue)( IN PUNICODE_STRING VariableName, OUT PWCHAR Value, IN ULONG ValueBufferLength, OUT PULONG RequiredLength OPTIONAL );

/*
    NtQuerySystemInformation (FUNCTION)
    SystemInformationClass
     Information class (see SYSTEM_INFORMATION_CLASS).
    SystemInformation
     User-allocated buffer for results. Sometimes this parameter can be NULL (OPTIONAL), if you check required buffer size (see below).
    SystemInformationLength
     Length of SystemInformation buffer (in bytes).
    ReturnLength
     Required length of SystemInformation buffer.
*/
typedef NTSTATUS (NTAPI *_NtQuerySystemInformation)( IN SYSTEM_INFORMATION_CLASS SystemInformationClass, OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength OPTIONAL );

/*
    NtQuerySystemTime (FUNCTION)
    SystemTime
     Pointer to LARGE_INTEGER value receiving current time.
*/
typedef NTSTATUS (NTAPI *_NtQuerySystemTime)( OUT PLARGE_INTEGER SystemTime );

/*
    NtQueryTimer (FUNCTION)
    TimerHandle
     HANDLE to Timer Object opened with TIMER_QUERY_STATE access.
    TimerInformationClass
     Information class. See TIMER_INFORMATION_CLASS for details.
    TimerInformation
     User's allocated buffer for result data.
    TimerInformationLength
     Length of TimerInformation buffer, in bytes.
    ReturnLength
     Optional pointer to value received used/required length of TimerInformation buffer.
*/
typedef NTSTATUS (NTAPI *_NtQueryTimer)( IN HANDLE TimerHandle, IN TIMER_INFORMATION_CLASS TimerInformationClass, OUT PVOID TimerInformation, IN ULONG TimerInformationLength, OUT PULONG ReturnLength OPTIONAL );

/*
    NtQueryTimerResolution (FUNCTION)
    MinimumResolution
     Means highest possible delay (in 100-ns units) between timer events.
    MaximumResolution
     Means lowest possible delay (in 100-ns units) between timer events.
    CurrentResolution
     Current timer resolution, in 100-ns units.
*/
typedef NTSTATUS (NTAPI *_NtQueryTimerResolution)( OUT PULONG MinimumResolution, OUT PULONG MaximumResolution, OUT PULONG CurrentResolution );

/*
    NtQueryValueKey (FUNCTION)
    INFO-0
     See ZwQueryValueKey in NT DDK or 2000 DDK for detailed description.
*/
typedef NTSTATUS (NTAPI *_NtQueryValueKey)( IN HANDLE KeyHandle, IN PUNICODE_STRING ValueName, IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, OUT PVOID KeyValueInformation, IN ULONG Length, OUT PULONG ResultLength );

/*
    NtQueryVirtualMemory (FUNCTION)
    ProcessHandle
     HANDLE to process containing queried address in process'es address space.
    BaseAddress
     Virtual address to query.
    MemoryInformationClass
     Information class defined in MEMORY_INFORMATION_CLASS enumeration type. Currently only one class is supported.
    Buffer
     As long as only MemoryBasicInformation is supported, this value points to structure MEMORY_BASIC_INFORMATION, defined in &lt;WINNT.h&gt; and described in MS SDK.
    Length
     Length of Buffer, in bytes.
    ResultLength
     Optionally pointer to ULONG value receiving required size of Buffer, in bytes.
*/
typedef NTSTATUS (NTAPI *_NtQueryVirtualMemory)( IN HANDLE ProcessHandle, IN PVOID BaseAddress, IN MEMORY_INFORMATION_CLASS MemoryInformationClass, OUT PVOID Buffer, IN ULONG Length, OUT PULONG ResultLength OPTIONAL );

/*
    NtQueryVolumeInformationFile (FUNCTION)
    INFO-0
     NtQueryVolumeInformationFile gives information about volume (device) containing file specified as FileHandle parameter.
*/
typedef NTSTATUS (NTAPI *_NtQueryVolumeInformationFile)( IN HANDLE FileHandle, OUT PIO_STATUS_BLOCK IoStatusBlock, OUT PVOID FileSystemInformation, IN ULONG Length, IN FS_INFORMATION_CLASS FileSystemInformationClass );

/*
    NtQueueApcThread (FUNCTION)
    ThreadHandle
     pen handle to any Thread Object, including caller's thread.
    ApcRoutine
     ntry point to user APC routine.
    ApcRoutineContext
     ser defined parameter for ApcRoutine.
    INFO-5
     <HR WIDTH="40%">
    INFO-6
     Function adds user defined routine to thread's APC queue. This routine will be executed when thread will be signaled. You can manually empty APC queue by calling NtTestAlert.
*/
typedef NTSTATUS (NTAPI *_NtQueueApcThread)( IN HANDLE ThreadHandle, IN PIO_APC_ROUTINE ApcRoutine, IN PVOID ApcRoutineContext OPTIONAL, IN PIO_STATUS_BLOCK ApcStatusBlock OPTIONAL, IN ULONG ApcReserved OPTIONAL );

/*
    NtRaiseException (FUNCTION)
    ExceptionRecord
     Pointer to EXCEPTION_RECORD structure containing typical information about error.
    ThreadContext
     Pointer to CONTEXT structure.
    HandleException
     If not set, calling process is killed. If set, system tries to execute actually enabled Exception Handler procedure with parameters specified aa ExceptionRecord and ThreadContext.
*/
typedef NTSTATUS (NTAPI *_NtRaiseException)( IN PEXCEPTION_RECORD ExceptionRecord, IN PCONTEXT ThreadContext, IN BOOLEAN HandleException );

/*
    NtRaiseHardError (FUNCTION)
    INFO-0
     NtRaiseHardError is easy way to display message in GUI without loading Win32 API libraries.
*/
typedef NTSTATUS (NTAPI *_NtRaiseHardError)( IN NTSTATUS ErrorStatus, IN ULONG NumberOfParameters, IN PUNICODE_STRING UnicodeStringParameterMask OPTIONAL, IN PVOID *Parameters, IN HARDERROR_RESPONSE_OPTION ResponseOption, OUT PHARDERROR_RESPONSE Response );

/*
    NtReadFile (FUNCTION)
    INFO-0
     (Also descripted in Win2000 DDK)
    FileHandle
     HANDLE to File Object opened with FILE_READ_DATA access.
    Event
     Optional HANDLE to Event Object signaled when reading is done.
    ApcRoutine
     User defined APC routine queued for execute after reading is done.
    ApcContext
     User parameter to ApcRoutine.
    IoStatusBlock
     Pointer to IO_STATUS structure received IO status of file reading.
    Buffer
     User-allocated buffer for readed data.
    Length
     Length of Buffer, in bytes.
    ByteOffset
     Offset from begining of file, in bytes.
*/
typedef NTSTATUS (NTAPI *_NtReadFile)( IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, OUT PVOID Buffer, IN ULONG Length, IN PLARGE_INTEGER ByteOffset OPTIONAL, IN PULONG Key OPTIONAL );

/*
    NtReadFileScatter (FUNCTION)
    FileHandle
     HANDLE to File Object opened with FILE_READ_DATA access and with FILE_NO_INTERMEDIATE_BUFFERING open option.
    Event
     HANDLE to Event Object signaled when reading is complete. This parameter is optional, but caller should use one of notification way, becouse function always use asynchronous reading method.
    ApcRoutine
     Optional pointer to user's APC Routine.
    ApcContext
     User's parameter for ApcRoutine.
    IoStatusBlock
     IO result of call.
    SegmentArray
     Array of FILE_SEGMENT_ELEMENT unions. Any element point to allocated memory page address. Last element of array must be NULL.
    Length
     Number of bytes to read.
    ByteOffset
     Pointer to LARGE_INTEGER value indicates reading start position.
    Key
     Optional pointer to user's key, used when file is locked (see NtLockFile).
*/
typedef NTSTATUS (NTAPI *_NtReadFileScatter)( IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, IN FILE_SEGMENT_ELEMENT SegmentArray, IN ULONG Length, IN PLARGE_INTEGER ByteOffset, IN PULONG Key OPTIONAL );

/*
    NtReadRequestData (FUNCTION)
    PortHandle
     HANDLE to Port Object opened in a result of call NtAcceptConnectPort.
    INFO-1
     Request
    INFO-2
     DataIndex
    INFO-3
     Buffer
    INFO-4
     Length
    INFO-5
     ResultLength
*/
typedef NTSTATUS (NTAPI *_NtReadRequestData)( IN HANDLE PortHandle, IN PLPC_MESSAGE Request, IN ULONG DataIndex, OUT PVOID Buffer, IN ULONG Length, OUT PULONG ResultLength OPTIONAL );

/*
    NtReadVirtualMemory (FUNCTION)
    INFO-0
     NtReadVirtualMemory is similar to API ReadProcessMemory, described in MS SDK.
*/
typedef NTSTATUS (NTAPI *_NtReadVirtualMemory)( IN HANDLE ProcessHandle, IN PVOID BaseAddress, OUT PVOID Buffer, IN ULONG NumberOfBytesToRead, OUT PULONG NumberOfBytesReaded OPTIONAL );

/*
    NtRegisterThreadTerminatePort (FUNCTION)
    Typically, NtRegisterThreadTerminatePort is used in CsrNewThread function, called before thread execution begins, but in thread context.
     Function associate PortHandle with thread, and sends LPC_TERMINATION_MESSAGE to specified port immediatelly after call NtTerminateThread.
*/
typedef NTSTATUS (NTAPI *_NtRegisterThreadTerminatePort)( IN HANDLE PortHandle );

/*
    NtReleaseKeyedEvent (FUNCTION)
    INFO-0
     This function is used for signal KeyedEvent object with value specified as Key parameter. If there are no other thread (or threads) waiting for the same KeyedEvent with the same Key value, waiting is performed up to NtWaitForKeyedEvent called by any other thread.
    KeyedEventHandle
     HANDLE to KeyedEvent object.
    Key
     Value used as KEY. Note that this value has to have lowest bit cleared (must divide by two).
    Alertable
     If set, waiting can be broken by alerting thread.
    Timeout
     Optional pointer for timeout value.
    Supported on system versions:
     Win XP/2003
*/
typedef NTSTATUS (NTAPI *_NtReleaseKeyedEvent)( IN HANDLE KeyedEventHandle, IN PVOID Key, IN BOOLEAN Alertable, IN PLARGE_INTEGER Timeout OPTIONAL );

/*
    NtReleaseMutant (FUNCTION)
    PreviousCount
     nternal mutant counter state before call NtReleaseMutant.
*/
typedef NTSTATUS (NTAPI *_NtReleaseMutant)( IN HANDLE MutantHandle, OUT PLONG PreviousCount OPTIONAL );

/*
    NtReleaseSemaphore (FUNCTION)
    SemaphoreHandle
     HANDLE to Semaphore Object opened with SEMAPHORE_MODIFY_STATE access.
    ReleaseCount
     Number of increments, typically set to 1.
    PreviousCount
     Optional pointer to ULONG value receiving semaphore's counter state before call.
*/
typedef NTSTATUS (NTAPI *_NtReleaseSemaphore)( IN HANDLE SemaphoreHandle, IN ULONG ReleaseCount, OUT PULONG PreviousCount OPTIONAL );

/*
    NtRemoveIoCompletion (FUNCTION)
    IoCompletionHandle
     HANDLE to previously created or opened Io Completion object.
    CompletionKey
     Receives completion Key informing about File object who finishes I/O.
    CompletionValue
     Value of ApcContext file operation parameter. CompletionValue informs about operation finished.
    IoStatusBlock
     Io status of finished operation.
    Timeout
     Optionally pointer to time out value.
    Supported on system versions:
     NT 4.0,Win 2000,Win XP/2003
*/
typedef NTSTATUS (NTAPI *_NtRemoveIoCompletion)( IN HANDLE IoCompletionHandle, OUT PULONG CompletionKey, OUT PULONG CompletionValue, OUT PIO_STATUS_BLOCK IoStatusBlock, IN PLARGE_INTEGER Timeout OPTIONAL );

/*
    NtReplaceKey (FUNCTION)
    NewHiveFileName
     Pointer to OBJECT_ATTRIBUTES structure containing name of third file (file with new contents).
    KeyHandle
     HANDLE to Key Object. Backuped and replaced are all keys from hive whith contains key specified by KeyHandle parameter.
    BackupHiveFileName
     Pointer to OBJECT_ATTRIBUTES structure containing name of first file (new hive file).
*/
typedef NTSTATUS (NTAPI *_NtReplaceKey)( IN POBJECT_ATTRIBUTES NewHiveFileName, IN HANDLE KeyHandle, IN POBJECT_ATTRIBUTES BackupHiveFileName );

/*
    NtReplyPort (FUNCTION)
    INFO-0
     NtReplyPort can be used by both sides of LPC connection.
    PortHandle
     HANDLE to Port Object.
    Reply
     Pointer to LPC_MESSAGE structure.
*/
typedef NTSTATUS (NTAPI *_NtReplyPort)( IN HANDLE PortHandle, IN PLPC_MESSAGE Reply );

/*
    NtReplyWaitReceivePort (FUNCTION)
    INFO-0
*/
typedef NTSTATUS (NTAPI *_NtReplyWaitReceivePort)( IN HANDLE PortHandle, OUT PHANDLE ReceivePortHandle OPTIONAL, IN PLPC_MESSAGE Reply OPTIONAL, OUT PLPC_MESSAGE IncomingRequest );

/*
    NtReplyWaitReplyPort (FUNCTION)
    INFO-0
     NtReplyWaitReplyPort sends REPLY and waits for other side REPLY.
    PortHandle
     HANDLE to Port Object.
    Reply
     There's a pointer to LPC_MESSAGE structure. On input, should be filled with REPLY data by user. On output it contains REPLY from other side.
*/
typedef NTSTATUS (NTAPI *_NtReplyWaitReplyPort)( IN HANDLE PortHandle, IN OUT PLPC_MESSAGE Reply );

/*
    NtRequestPort (FUNCTION)
    INFO-0
     NtRequestPort sends request message to other side of LPC connection.
    PortHandle
     HANDLE to Port Object.
    Request
     Pointer to LPC_MESSAGE struct contains request data.
*/
typedef NTSTATUS (NTAPI *_NtRequestPort)( IN HANDLE PortHandle, IN PLPC_MESSAGE Request );

/*
    NtRequestWaitReplyPort (FUNCTION)
    INFO-0
     NtRequestWaitReplyPort is used typically by client side in LPC connection.
    PortHandle
     HANDLE to Port Object.
    Request
     Pointer to LPC_MESSAGE buffer contains request data.
    IncomingReply
     Pointer to LPC_MESSAGE buffer filled on return with reply from other side.
*/
typedef NTSTATUS (NTAPI *_NtRequestWaitReplyPort)( IN HANDLE PortHandle, IN PLPC_MESSAGE Request, OUT PLPC_MESSAGE IncomingReply );

/*
    NtResetEvent (FUNCTION)
    EventHandle
     HANDLE to Event Object opened with EVENT_MODIFY_STATE access.
    PreviousState
     Optional pointer to state of event before function call.
    INFO-2
     Difference between NtResetEvent and NtClearEvent is the first one can return state of event before call.
*/
typedef NTSTATUS (NTAPI *_NtResetEvent)( IN HANDLE EventHandle, OUT PLONG PreviousState OPTIONAL );

/*
    NtRestoreKey (FUNCTION)
    KeyHandle
     All keys and values stored in file represented by FileHandle will be childern of KeyHandle.
    FileHandle
     See NtSaveKey for more information about FileHandle.
    RestoreOption
     See RegRestoreKey in SDK
*/
typedef NTSTATUS (NTAPI *_NtRestoreKey)( IN HANDLE KeyHandle, IN HANDLE FileHandle, IN ULONG RestoreOption );

/*
    NtResumeThread (FUNCTION)
    INFO-0
     See AlertResumeThread.
*/
typedef NTSTATUS (NTAPI *_NtResumeThread)( IN HANDLE ThreadHandle, OUT PULONG SuspendCount OPTIONAL );

/*
    NtSaveKey (FUNCTION)
    INFO-0
     KeyHandle
    FileHandle
     HANDLE to any file created with write access.
    Before use FileHandle in other registry function without closing it, call NtFlushKey with KeyHandle
     as param.
*/
typedef NTSTATUS (NTAPI *_NtSaveKey)( IN HANDLE KeyHandle, IN HANDLE FileHandle );

/*
    NtSetContextThread (FUNCTION)
    ThreadHandle
     andle to Thread Object opened with THREAD_SET_CONTEXT access flag.
    Context
     ontext to set to thread.
*/
typedef NTSTATUS (NTAPI *_NtSetContextThread)( IN HANDLE ThreadHandle, IN PCONTEXT Context );

/*
    NtSetDefaultHardErrorPort (FUNCTION)
    PortHandle
     HANDLE to named Port Object.
*/
typedef NTSTATUS (NTAPI *_NtSetDefaultHardErrorPort)( IN HANDLE PortHandle );

/*
    NtSetDefaultLocale (FUNCTION)
    UserProfile
     If set, function sets UserMode locale. If not, KernelMode locale is modified.
    DefaultLocaleId
     Locale to set.
*/
typedef NTSTATUS (NTAPI *_NtSetDefaultLocale)( IN BOOLEAN UserProfile, IN LCID DefaultLocaleId );

/*
    NtSetEaFile (FUNCTION)
    INFO-0
     See NtQueryEaFile for information about EA.
    FileHandle
     HANDLE to File Object opened with FILE_SET_EA access.
    IoStatusBlock
     IO result of call.
    EaBuffer
     User's allocated input buffer containing one or more FILE_FULL_EA_INFORMATION structures.
    EaBufferSize
     Size of EaBuffer, in bytes.
*/
typedef NTSTATUS (NTAPI *_NtSetEaFile)( IN HANDLE FileHandle, OUT PIO_STATUS_BLOCK IoStatusBlock, IN PVOID EaBuffer, IN ULONG EaBufferSize );

/*
    NtSetEvent (FUNCTION)
    EventHandle
     HANDLE to Event Object opened with EVENT_MODIFY_STATE access.
    PreviousState
     State of Event Object before function call.
*/
typedef NTSTATUS (NTAPI *_NtSetEvent)( IN HANDLE EventHandle, OUT PLONG PreviousState OPTIONAL );

/*
    NtSetEventBoostPriority (FUNCTION)
    INFO-0
     Function NtSetEventPriorityBoost was added in Windows XP system. Has the same functionality as NtSetEvent, but thread that is waiting on specified Event will be executed immediatelly after context switch, regardless of waiting thread's priority.
    EventHandle
     HANDLE to previously created or opened Event object. Note that Event has to be created with EVENT_TYPE set to SynchronizationEvent (automatic reset), in other cases function will return with error.
    Supported on system versions:
     Win XP/2003
*/
typedef NTSTATUS (NTAPI *_NtSetEventBoostPriority)( IN HANDLE EventHandle );

/*
    NtSetHighEventPair (FUNCTION)
    INFO-0
     Function sets HIGH event state to signalled.
*/
typedef NTSTATUS (NTAPI *_NtSetHighEventPair)( IN HANDLE EventPairHandle );

/*
    NtSetHighWaitLowEventPair (FUNCTION)
    INFO-0
     Function signals HIGH event and waits unlit LOW event will be signaled.
*/
typedef NTSTATUS (NTAPI *_NtSetHighWaitLowEventPair)( IN HANDLE EventPairHandle );

/*
    NtSetHighWaitLowThread (FUNCTION)
    INFO-1
     <HR WIDTH="40%">
    INFO-2
     See also SetInformationThread with ThreadEventPair information class.
*/
typedef NTSTATUS (NTAPI *_NtSetHighWaitLowThread)( );

/*
    NtSetInformationFile (FUNCTION)
    INFO-0
     (Description of this function is also avaiable in Win2000 DDK)
    FileHandle
     HANDLE to File Object.
    IoStatusBlock
     IO result of call.
    FileInformation
     User's allocated buffer contains data to set to.
    Length
     Length of FileInformation buffer, in bytes.
    FileInformationClass
     See FILE_INFORMATION_CLASS for possible information classes and required contents of FileInformation buffer.
*/
typedef NTSTATUS (NTAPI *_NtSetInformationFile)( IN HANDLE FileHandle, OUT PIO_STATUS_BLOCK IoStatusBlock, IN PVOID FileInformation, IN ULONG Length, IN FILE_INFORMATION_CLASS FileInformationClass );

/*
    NtSetInformationKey (FUNCTION)
    InformationClass
     See &lt;ntddk.h&gt; for possible values. Currently only KEY_WRITE_TIME_INFORMATION is supported.
    KeyInformationData
     See &lt;ntddk.h&gt; for detailed structure KEY_WRITE_TIME_INFORMATION.
*/
typedef NTSTATUS (NTAPI *_NtSetInformationKey)( IN HANDLE KeyHandle, IN KEY_SET_INFORMATION_CLASS InformationClass, IN PVOID KeyInformationData, IN ULONG DataLength );

/*
    NtSetInformationObject (FUNCTION)
    ObjectHandle
     pen handle to any NT object.
    ObjectInformationClass
     ee NtQueryObject for detailed description of possible information classes.
    ObjectInformation
     uffor with data to set.
    Length
     ength of ObjectInformation buffer, in bytes.
    INFO-4
     <HR WIDTH="40%">
    INFO-5
     Currently only one class in allowed in set mode: ObjectDataInformation. See description of OBJECT_DATA_INFORMATION structure.
*/
typedef NTSTATUS (NTAPI *_NtSetInformationObject)( IN HANDLE ObjectHandle, IN OBJECT_INFORMATION_CLASS ObjectInformationClass, IN PVOID ObjectInformation, IN ULONG Length );

/*
    NtSetInformationProcess (FUNCTION)
    ProcessHandle
     andle to process opened with PROCESS_SET_INFORMATION access.
    ProcessInformationClass
     ee PROCESS_INFORMATION_CLASS for more information.
*/
typedef NTSTATUS (NTAPI *_NtSetInformationProcess)( IN HANDLE ProcessHandle, IN PROCESS_INFORMATION_CLASS ProcessInformationClass, IN PVOID ProcessInformation, IN ULONG ProcessInformationLength );

/*
    NtSetInformationThread (FUNCTION)
    ThreadHandle
     andle to Thread Object opened with THREAD_SET_INFORMATION access.
    ThreadInformationClass
     nformation class to set to. See THREAD_INFORMATION_CLASS for detailed description of use.
    ThreadInformation
     ointer to value to set.
    ThreadInformationLength
     ength of value to set.
    INFO-4
     <HR WIDTH="40%">
    INFO-5
     See THREAD_INFORMATION_CLASS for more information.
*/
typedef NTSTATUS (NTAPI *_NtSetInformationThread)( IN HANDLE ThreadHandle, IN THREAD_INFORMATION_CLASS ThreadInformationClass, IN PVOID ThreadInformation, IN ULONG ThreadInformationLength );

/*
    NtSetInformationToken (FUNCTION)
    TokenHandle
     HANDLE to Token Object opened with TOKEN_ADJUST_DEFAULT access.
    TokenInformationClass
     Information class descripted in TOKEN_INFORMATION_CLASS topic.
    TokenInformation
     User's allocated buffer containing data to set to.
    TokenInformationLength
     Length of TokenInformation buffer, in bytes.
*/
typedef NTSTATUS (NTAPI *_NtSetInformationToken)( IN HANDLE TokenHandle, IN TOKEN_INFORMATION_CLASS TokenInformationClass, OUT PVOID TokenInformation, IN ULONG TokenInformationLength );

/*
    NtSetIntervalProfile (FUNCTION)
    Interval
     New interval, in ms.
    Source
     Performance counter's identifier, defined in KPROFILE_SOURCE enumeration type.
*/
typedef NTSTATUS (NTAPI *_NtSetIntervalProfile)( IN ULONG Interval, IN KPROFILE_SOURCE Source );

/*
    NtSetIoCompletion (FUNCTION)
    IoCompletionHandle
     HANDLE to IO Completion Object opened with IO_COMPLETION_MODIFY_STATE access.
    CompletionKey
     User's defined key received by NtRemoveIoCompletion function.
    IoStatusBlock
     IO result of call.
    CompletionStatus
     IO operation status.
    NumberOfBytesTransfered
     Number of bytes transfered in manually finished IO operation.
*/
typedef NTSTATUS (NTAPI *_NtSetIoCompletion)( IN HANDLE IoCompletionHandle, IN ULONG CompletionKey, OUT PIO_STATUS_BLOCK IoStatusBlock, IN NTSTATUS CompletionStatus, IN ULONG NumberOfBytesTransfered );

/*
    NtSetLowEventPair (FUNCTION)
    INFO-0
     Function sets LOW event for EventPairHandle object.
*/
typedef NTSTATUS (NTAPI *_NtSetLowEventPair)( IN HANDLE EventPairHandle );

/*
    NtSetLowWaitHighEventPair (FUNCTION)
    INFO-0
     Function set signalled state to LOW event and wait until HIGH event will be signaled.
*/
typedef NTSTATUS (NTAPI *_NtSetLowWaitHighEventPair)( IN HANDLE EventPairHandle );

/*
    NtSetLowWaitHighThread (FUNCTION)
    INFO-0
     See also NtSetInformationThread with ThreadEventPair information class.
*/
typedef NTSTATUS (NTAPI *_NtSetLowWaitHighThread)( );

/*
    NtSetSecurityObject (FUNCTION)
    ObjectHandle
     HANDLE to object of any type. Must be opened with WRITE_DAC or WRITE_OWNER access dependly to SecurityInformationClass parameter.
    SecurityInformationClass
     See NtQuerySecurityObject for possible values.
    DescriptorBuffer
     Pointer to user's allocated SECURITY_DESCRIPTOR to set.
*/
typedef NTSTATUS (NTAPI *_NtSetSecurityObject)( IN HANDLE ObjectHandle, IN SECURITY_INFORMATION SecurityInformationClass, IN PSECURITY_DESCRIPTOR DescriptorBuffer );

/*
    NtSetSystemEnvironmentValue (FUNCTION)
    INFO-0
     Seems not works on NT 4.0 SP6...
*/
typedef NTSTATUS (NTAPI *_NtSetSystemEnvironmentValue)( IN PUNICODE_STRING VariableName, IN PUNICODE_STRING Value );

/*
    NtSetSystemInformation (FUNCTION)
    SystemInformationClass
     Information class described in SYSTEM_INFORMATION_CLASS.
    SystemInformation
     Pointer to data buffer to set.
    SystemInformationLength
     Length of information in SystemInformation buffer, in bytes.
*/
typedef NTSTATUS (NTAPI *_NtSetSystemInformation)( IN SYSTEM_INFORMATION_CLASS SystemInformationClass, IN PVOID SystemInformation, IN ULONG SystemInformationLength );

/*
    NtSetSystemTime (FUNCTION)
    SystemTime
     Pointer to LARGE_INTEGER contains UTC time to set.
    PreviousTime
     Optionally receives time before change.
*/
typedef NTSTATUS (NTAPI *_NtSetSystemTime)( IN PLARGE_INTEGER SystemTime, OUT PLARGE_INTEGER PreviousTime OPTIONAL );

/*
    NtSetTimer (FUNCTION)
    typedef void (*PTIMER_APC_ROUTINE)(
                IN PVOID TimerContext,
*/
typedef NTSTATUS (NTAPI *_NtSetTimer)( IN HANDLE TimerHandle, IN PLARGE_INTEGER DueTime, IN PTIMER_APC_ROUTINE TimerApcRoutine OPTIONAL, IN PVOID TimerContext OPTIONAL, IN BOOLEAN ResumeTimer, IN LONG Period OPTIONAL, OUT PBOOLEAN PreviousState OPTIONAL );

/*
    NtSetTimerResolution (FUNCTION)
    DesiredResolution
     Resolution to set. To receive minimum and maximum resolution values, call NtQueryTimerResolution.
    SetResolution
     If set, system Timer's resolution is set to DesiredResolution value. If no, parameter DesiredResolution is ignored.
    CurrentResolution
     Pointer to ULONG value receiving current timer's resolution, in 100-ns units.
*/
typedef NTSTATUS (NTAPI *_NtSetTimerResolution)( IN ULONG DesiredResolution, IN BOOLEAN SetResolution, OUT PULONG CurrentResolution );

/*
    NtSetValueKey (FUNCTION)
    INFO-0
     See ZwSetValueKey in NT DDK or 2000 DDK for detailed description.
*/
typedef NTSTATUS (NTAPI *_NtSetValueKey)( IN HANDLE KeyHandle, IN PUNICODE_STRING ValueName, IN ULONG TitleIndex OPTIONAL, IN ULONG Type, IN PVOID Data, IN ULONG DataSize );

/*
    NtSetVolumeInformationFile (FUNCTION)
    INFO-0
     NtSetVolumeInformationFile sets information to volume (device) containing file specified in FileHandle parameter.
*/
typedef NTSTATUS (NTAPI *_NtSetVolumeInformationFile)( IN HANDLE FileHandle, OUT PIO_STATUS_BLOCK IoStatusBlock, IN PVOID FileSystemInformation, IN ULONG Length, IN FS_INFORMATION_CLASS FileSystemInformationClass );

/*
    NtShutdownSystem (FUNCTION)
    Action
     Type of shudown defined in SHUTDOWN_ACTION enumeration type.
*/
typedef NTSTATUS (NTAPI *_NtShutdownSystem)( IN SHUTDOWN_ACTION Action );

/*
    NtSignalAndWaitForSingleObject (FUNCTION)
    ObjectToSignal
     HANDLE to object to signal. Possible object's types are:
        Event Object
        Semaphore Object
    WaitableObject
     HANDLE to object to wait for. Can be any waitable object.
    Alertable
     If set, APC Routine can break waiting.
    Time
     Optionally pointer to LARGE_INTEGER value specifing time (absolute or relative) when function time outs (in 100-ns units). Negative value means relative time.
*/
typedef NTSTATUS (NTAPI *_NtSignalAndWaitForSingleObject)( IN HANDLE ObjectToSignal, IN HANDLE WaitableObject, IN BOOLEAN Alertable, IN PLARGE_INTEGER Time OPTIONAL );

/*
    NtStartProfile (FUNCTION)
    ProfileHandle
     HANDLE to Profile Object.
*/
typedef NTSTATUS (NTAPI *_NtStartProfile)( IN HANDLE ProfileHandle );

/*
    NtStopProfile (FUNCTION)
    ProfileHandle
     HANDLE to Profile Object, previously started with NtStartProfile function call.
*/
typedef NTSTATUS (NTAPI *_NtStopProfile)( IN HANDLE ProfileHandle );

/*
    NtSuspendThread (FUNCTION)
    PreviousSuspendCount
     uspend count for ThreadHandle thread before function call.
*/
typedef NTSTATUS (NTAPI *_NtSuspendThread)( IN HANDLE ThreadHandle, OUT PULONG PreviousSuspendCount OPTIONAL );

/*
    NtSystemDebugControl (FUNCTION)
    Command
     Command request for system. Command's codes are avaiable in enumeration type SYSDBG_COMMAND.
    InputBuffer
     User's allocated buffer with input data.
    InputBufferLength
     Length of InputBuffer, in bytes.
    OutputBuffer
     User's allocated buffer for output data.
    OutputBufferLength
     Length of OutputBuffer, in bytes.
    ReturnLength
     Pointer to ULONG value receiving required size of OutputBuffer.
*/
typedef NTSTATUS (NTAPI *_NtSystemDebugControl)( IN SYSDBG_COMMAND Command, IN PVOID InputBuffer OPTIONAL, IN ULONG InputBufferLength, OUT PVOID OutputBuffer OPTIONAL, IN ULONG OutputBufferLength, OUT PULONG ReturnLength OPTIONAL );

/*
    NtTerminateProcess (FUNCTION)
    ProcessHandle
     If not specified, caller process is killed.
*/
typedef NTSTATUS (NTAPI *_NtTerminateProcess)( IN HANDLE ProcessHandle OPTIONAL, IN NTSTATUS ExitStatus );

/*
    NtTerminateThread (FUNCTION)
    ThreadHandle
     pen handle to thread object.
    ExitStatus
     esult of thread, as NTSTATUS.
*/
typedef NTSTATUS (NTAPI *_NtTerminateThread)( IN HANDLE ThreadHandle, IN NTSTATUS ExitStatus );

/*
    NtTestAlert (FUNCTION)
    INFO-0
     You can use NtTestAlert to empty APC queue for current thread. If APC queue was empty before call, NtTestAlert has no efect.
    INFO-1
     NtTestAlert is typical ntcall kernel routine, accessable via int 2Eh. It check thread APC queue, and call KiUserApcDispatcher.
*/
typedef NTSTATUS (NTAPI *_NtTestAlert)( );

/*
    NtUnloadDriver (FUNCTION)
    INFO-0
*/
typedef NTSTATUS (NTAPI *_NtUnloadDriver)( IN PUNICODE_STRING DriverServiceName );

/*
    NtUnloadKey (FUNCTION)
    DestinationKeyName
     Pointer to OBJECT_ATTRIBUTES structure contains path and name of Hive root key.
*/
typedef NTSTATUS (NTAPI *_NtUnloadKey)( IN POBJECT_ATTRIBUTES DestinationKeyName );

/*
    NtUnlockFile (FUNCTION)
    FileHandle
     HANDLE to File Object with locked region.
    IoStatusBlock
     IO result of function call.
    ByteOffset
     Offset in file where unlock region begins.
    Length
     Length of region to unlock.
    Key
     Pointer to 4-bytes key associated with lock. See NtLockFile for additional information about locking by key usage.
*/
typedef NTSTATUS (NTAPI *_NtUnlockFile)( IN HANDLE FileHandle, OUT PIO_STATUS_BLOCK IoStatusBlock, IN PLARGE_INTEGER ByteOffset, IN PLARGE_INTEGER Length, IN PULONG Key );

/*
    NtUnlockVirtualMemory (FUNCTION)
    INFO-0
     See NtLockVirtualMemory for more information about parameters and usage.
*/
typedef NTSTATUS (NTAPI *_NtUnlockVirtualMemory)( IN HANDLE ProcessHandle, IN PVOID *BaseAddress, IN OUT PULONG NumberOfBytesToUnlock, IN ULONG LockType );

/*
    NtUnmapViewOfSection (FUNCTION)
    INFO-0
*/
typedef NTSTATUS (NTAPI *_NtUnmapViewOfSection)( IN HANDLE ProcessHandle, IN PVOID BaseAddress );

/*
    NtWaitForKeyedEvent (FUNCTION)
    INFO-0
     Function with similar functionality as NtReleaseKeyedEvent. In my opinion it is not needed and exists only for future vision of KeyedEvent objects or just as a mistake.
    KeyedEventHandle
     HANDLE for previously opened KeyedEvent object.
    Key
     Value to wait for, must have lowest bit clear.
    Alertable
     If set, waiting can be broken by alerting thread.
    Timeout
     Optinally pointer for timing out value.
    Supported on system versions:
     Win XP/2003
*/
typedef NTSTATUS (NTAPI *_NtWaitForKeyedEvent)( IN HANDLE KeyedEventHandle, IN PVOID Key, IN BOOLEAN Alertable, IN PLARGE_INTEGER Timeout OPTIONAL );

/*
    NtWaitForMultipleObjects (FUNCTION)
    INFO-0
     NtWaitForMultipleObjects is used typically to response for notyfications. For synchronization purposes you should use NtWaitForSingleObject.
*/
typedef NTSTATUS (NTAPI *_NtWaitForMultipleObjects)( IN ULONG ObjectCount, IN PHANDLE ObjectsArray, IN OBJECT_WAIT_TYPE WaitType, IN BOOLEAN Alertable, IN PLARGE_INTEGER TimeOut OPTIONAL );

/*
    NtWaitForSingleObject (FUNCTION)
    ObjectHandle
     HANDLE to alertable object.
    Alertable
     If set, calling thread is signaled, so all queued APC routines are executed.
    TimeOut
     Time-out interval, in microseconds. NULL means infinite.
*/
typedef NTSTATUS (NTAPI *_NtWaitForSingleObject)( IN HANDLE ObjectHandle, IN BOOLEAN Alertable, IN PLARGE_INTEGER TimeOut OPTIONAL );

/*
    NtWaitHighEventPair (FUNCTION)
    INFO-0
     ait until HIGH event of EventPairHandle will be signaled.
*/
typedef NTSTATUS (NTAPI *_NtWaitHighEventPair)( IN HANDLE EventPairHandle );

/*
    NtWaitLowEventPair (FUNCTION)
    INFO-0
     unction waits, until LOW event will be signaled.
*/
typedef NTSTATUS (NTAPI *_NtWaitLowEventPair)( IN HANDLE EventPairHandle );

/*
    NtWriteFile (FUNCTION)
    INFO-0
     (Also descripted in Win 2000 DDK)
    FileHandle
     HANDLE to File Object opened with FILE_WRITE_DATA access.
    Event
     HANDLE to Event Object signaled when write finished.
    ApcRoutine
     User APC routine executed after writing is complete.
    ApcContext
     Parameter to ApcRoutine.
    IoStatusBlock
     IO result of call.
    Buffer
     Buffer with data to write.
    Length
     Length of Buffer, in bytes.
    ByteOffset
     Offset from begining of file, where write starts.
*/
typedef NTSTATUS (NTAPI *_NtWriteFile)( IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, IN PVOID Buffer, IN ULONG Length, IN PLARGE_INTEGER ByteOffset OPTIONAL, IN PULONG Key OPTIONAL );

/*
    NtWriteFileGather (FUNCTION)
    FileHandle
     HANDLE to File Object opened with FILE_WRITE_DATA access and FILE_NO_INTERMEDIATE_BUFFERING open option.
    Event
     HANDLE to Event Object signaled when writing will finish. Function always use asynchronous writing operation, so caller should define Event or ApcRoutine parameter.
    ApcRoutine
     Pointer to user's APC Routine.
    ApcContext
     Parameter for ApcRoutine.
    IoStatusBlock
     IO result of call.
    SegmentArray
     Array of FILE_SEGMENT_ELEMENT elements pointing to memory pages to write. Last array element must be NULL.
    Length
     Number of bytes to write.
    ByteOffset
     Pointer to LARGE_INTEGER value indicates starting position for write.
    Key
     Pointer to user's defined key, used when file is locked (see NtLockFile).
*/
typedef NTSTATUS (NTAPI *_NtWriteFileGather)( IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, IN FILE_SEGMENT_ELEMENT SegmentArray, IN ULONG Length, IN PLARGE_INTEGER ByteOffset, IN PULONG Key OPTIONAL );

/*
    NtWriteRequestData (FUNCTION)
    PortHandle
     HANDLE to Port Object opened in a result of call NtAcceptConnectPort.
    INFO-1
     Request
    INFO-2
     DataIndex
    INFO-3
     Buffer
    INFO-4
     Length
    INFO-5
     ResultLength
*/
typedef NTSTATUS (NTAPI *_NtWriteRequestData)( IN HANDLE PortHandle, IN PLPC_MESSAGE Request, IN ULONG DataIndex, IN PVOID Buffer, IN ULONG Length, OUT PULONG ResultLength OPTIONAL );

/*
    NtWriteVirtualMemory (FUNCTION)
    INFO-0
     NtWriteVirtualMemory is similar to WINAPI WriteProcessMemory. See Ms SDK for detailed description of parameters.
*/
typedef NTSTATUS (NTAPI *_NtWriteVirtualMemory)( IN HANDLE ProcessHandle, IN PVOID BaseAddress, IN PVOID Buffer, IN ULONG NumberOfBytesToWrite, OUT PULONG NumberOfBytesWritten OPTIONAL );

/*
    NtYieldExecution (FUNCTION)
    INFO-0
     This function stop executing of calling thread, and switch to any other currently running thread.
*/
typedef NTSTATUS (NTAPI *_NtYieldExecution)( );

/*
    OBJDIR_INFORMATION (STRUCT)
    Structure is used with NtQueryDirectoryObject function. Contains information of named object placed in object directory space.
     <HR WIDTH="40%">
    ObjectName
     ame of object.
    ObjectTypeName
     ame of object type.
    Data[1]
     ariable length data buffer.
*/
typedef struct _OBJDIR_INFORMATION {
    UNICODE_STRING ObjectName;
    UNICODE_STRING ObjectTypeName;
    BYTE Data[1];
} OBJDIR_INFORMATION, *POBJDIR_INFORMATION;

/*
    OBJECT_BASIC_INFORMATION (STRUCT)
    INFO-0
     Structure OBJECT_BASIC_INFORMATION is returned in a result of call NtQueryObject with ObjectBasicInformation information class.
    INFO-1
     Attributes
    INFO-2
     DesiredAccess
    INFO-3
     HandleCount
    INFO-4
     ReferenceCount
    INFO-5
     PagedPoolUsage
    INFO-6
     NonPagedPoolUsage
    INFO-7
     Reserved[3]
    INFO-8
     NameInformationLength
    INFO-9
     TypeInformationLength
    INFO-10
     SecurityDescriptorLength
    INFO-11
     CreationTime
    Supported on system versions:
     NT 4.0,Win 2000,Win XP/2003
*/
typedef struct _OBJECT_BASIC_INFORMATION {
    ULONG Attributes;
    ACCESS_MASK DesiredAccess;
    ULONG HandleCount;
    ULONG ReferenceCount;
    ULONG PagedPoolUsage;
    ULONG NonPagedPoolUsage;
    ULONG Reserved[3];
    ULONG NameInformationLength;
    ULONG TypeInformationLength;
    ULONG SecurityDescriptorLength;
    LARGE_INTEGER CreationTime;
} OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION;

/*
    OBJECT_INFORMATION_CLASS (ENUM)
*/
typedef enum _OBJECT_INFORMATION_CLASS {
    ObjectBasicInformation,
    ObjectNameInformation,
    ObjectTypeInformation,
    ObjectAllInformation,
    ObjectDataInformation
} OBJECT_INFORMATION_CLASS, *POBJECT_INFORMATION_CLASS;

/*
    OBJECT_NAME_INFORMATION (STRUCT)
    INFO-0
     Structure OBJECT_NAME_INFORMATION is used as a result of call NtQueryObject with ObjectNameInformation information class.
    Name
     Name of object or NULL if object don't have associated name.
    NameBuffer[0]
     Buffer with UNICODE name of object.
    Supported on system versions:
     NT 4.0,Win 2000,Win XP/2003
*/
typedef struct _OBJECT_NAME_INFORMATION {
    UNICODE_STRING Name;
    WCHAR NameBuffer[0];
} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;

/*
    OBJECT_WAIT_TYPE (ENUM)
*/
typedef enum _OBJECT_WAIT_TYPE {
    WaitAllObject,
    WaitAnyObject
} OBJECT_WAIT_TYPE, *POBJECT_WAIT_TYPE;

/*
    Other NT Object Functions (FUNCTION)
    TITLE>Other NT Object Functions</TITLE>


     Undocumented functions of NTDLL
    INFO-2

    INFO-3
     Other functions, described in other section of this help file. You can use it with all NT Object types.
    INFO-4
     Security
        NtQuerySecurityObject
        NtSetSecurityObject
    INFO-6

    INFO-7
     <HR WIDTH="0" SIZE="0" NOSHADE CLASS="page
*/
typedef t Functions</TITLE>      Undocumented functions of NTDLL Other functions, described in other section of this help file. You can use it with all NT Object types. Security   NtQuerySecurityObject   NtSetSecurityObject <HR WIDTH="0" SIZE="0"

/*
    PEB (STRUCT)
    INFO-0
     InheritedAddressSpace
    INFO-1
     ReadImageFileExecOptions
    INFO-2
     BeingDebugged
    INFO-3
     Spare
    INFO-4
     Mutant
    ImageBaseAddress
     Address of executable image in process' memory.
    LoaderData
     Pointer to PEB_LDR_DATA structure contains information filled by Loader.
    ProcessParameters
     Pointer to RTL_USER_PROCESS_PARAMETERS structure.
    INFO-8
     SubSystemData
    ProcessHeap
     Address of process' first heap allocated by Loader.
    FastPebLock
     Parameter for PEBLOCKROUTINE (see below).
    FastPebLockRoutine
     Address of fast-locking routine for PEB. Definition of routine is:
    FastPebUnlockRoutine
     PEB fast-unlock routine.
    EnvironmentUpdateCount
     Counter of process environment updates.
    INFO-14
     KernelCallbackTable
    INFO-15
     EventLogSection
    INFO-16
     EventLog
    INFO-17
     FreeList
    INFO-18
     TlsExpansionCounter
    INFO-19
     TlsBitmap
    INFO-20
     TlsBitmapBits[0x2]
    INFO-21
     ReadOnlySharedMemoryBase
    INFO-22
     ReadOnlySharedMemoryHeap
    INFO-23
     ReadOnlyStaticServerData
    INFO-24
     AnsiCodePageData
    INFO-25
     OemCodePageData
    INFO-26
     UnicodeCaseTableData
    INFO-27
     NumberOfProcessors
    INFO-28
     NtGlobalFlag
    INFO-29
     Spare2[0x4]
    INFO-30
     CriticalSectionTimeout
    INFO-31
     HeapSegmentReserve
    INFO-32
     HeapSegmentCommit
    INFO-33
     HeapDeCommitTotalFreeThreshold
    INFO-34
     HeapDeCommitFreeBlockThreshold
    INFO-35
     NumberOfHeaps
    INFO-36
     MaximumNumberOfHeaps
    INFO-37
     *ProcessHeaps
    INFO-38
     GdiSharedHandleTable
    INFO-39
     ProcessStarterHelper
    INFO-40
     GdiDCAttributeList
    INFO-41
     LoaderLock
    INFO-42
     OSMajorVersion
    INFO-43
     OSMinorVersion
    INFO-44
     OSBuildNumber
    INFO-45
     OSPlatformId
    INFO-46
     ImageSubSystem
    INFO-47
     ImageSubSystemMajorVersion
    INFO-48
     ImageSubSystemMinorVersion
    INFO-49
     GdiHandleBuffer[0x22]
    INFO-50
     PostProcessInitRoutine
    INFO-51
     TlsExpansionBitmap
    INFO-52
     TlsExpansionBitmapBits[0x80]
    INFO-53
     SessionId
*/
typedef struct _PEB {
    BOOLEAN InheritedAddressSpace;
    BOOLEAN ReadImageFileExecOptions;
    BOOLEAN BeingDebugged;
    BOOLEAN Spare;
    HANDLE Mutant;
    PVOID ImageBaseAddress;
    PPEB_LDR_DATA LoaderData;
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
    PVOID SubSystemData;
    PVOID ProcessHeap;
    PVOID FastPebLock;
    PPEBLOCKROUTINE FastPebLockRoutine;
    PPEBLOCKROUTINE FastPebUnlockRoutine;
    ULONG EnvironmentUpdateCount;
    PPVOID KernelCallbackTable;
    PVOID EventLogSection;
    PVOID EventLog;
    PPEB_FREE_BLOCK FreeList;
    ULONG TlsExpansionCounter;
    PVOID TlsBitmap;
    ULONG TlsBitmapBits[0x2];
    PVOID ReadOnlySharedMemoryBase;
    PVOID ReadOnlySharedMemoryHeap;
    PPVOID ReadOnlyStaticServerData;
    PVOID AnsiCodePageData;
    PVOID OemCodePageData;
    PVOID UnicodeCaseTableData;
    ULONG NumberOfProcessors;
    ULONG NtGlobalFlag;
    BYTE Spare2[0x4];
    LARGE_INTEGER CriticalSectionTimeout;
    ULONG HeapSegmentReserve;
    ULONG HeapSegmentCommit;
    ULONG HeapDeCommitTotalFreeThreshold;
    ULONG HeapDeCommitFreeBlockThreshold;
    ULONG NumberOfHeaps;
    ULONG MaximumNumberOfHeaps;
    PPVOID *ProcessHeaps;
    PVOID GdiSharedHandleTable;
    PVOID ProcessStarterHelper;
    PVOID GdiDCAttributeList;
    PVOID LoaderLock;
    ULONG OSMajorVersion;
    ULONG OSMinorVersion;
    ULONG OSBuildNumber;
    ULONG OSPlatformId;
    ULONG ImageSubSystem;
    ULONG ImageSubSystemMajorVersion;
    ULONG ImageSubSystemMinorVersion;
    ULONG GdiHandleBuffer[0x22];
    ULONG PostProcessInitRoutine;
    ULONG TlsExpansionBitmap;
    BYTE TlsExpansionBitmapBits[0x80];
    ULONG SessionId;
} PEB, *PPEB;

/*
    PEB_FREE_BLOCK (STRUCT)
    *Next
     Pointer to next free block.
    Size
     Size of block, in bytes.
*/
typedef struct _PEB_FREE_BLOCK {
    PEB_FREE_BLOCK *Next;
    ULONG Size;
} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;

/*
    PEB_LDR_DATA (STRUCT)
    Length
     ize of structure, used by ntdll.dll as structure version ID.
    Initialized
     f set, loader data section for current process is initialized.
    InLoadOrderModuleList
     oubly linked list containing pointers to LDR_MODULE structure for previous and next module in load order.
    InMemoryOrderModuleList
     s above, but in memory placement order.
    InInitializationOrderModuleList
     s InLoadOrderModuleList, but in initialization order.
*/
typedef struct _PEB_LDR_DATA {
    ULONG Length;
    BOOLEAN Initialized;
    PVOID SsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

/*
    POOLED_USAGE_AND_LIMITS (STRUCT)
    INFO-0
     PeakPagedPoolUsage
    INFO-1
     PagedPoolUsage
    INFO-2
     PagedPoolLimit
    INFO-3
     PeakNonPagedPoolUsage
    INFO-4
     NonPagedPoolUsage
    INFO-5
     NonPagedPoolLimit
    INFO-6
     PeakPagefileUsage
    INFO-7
     PagefileUsage
    INFO-8
     PagefileLimit
    Supported on system versions:
     NT 4.0,Win 2000,Win XP/2003
*/
typedef struct _POOLED_USAGE_AND_LIMITS {
    ULONG PeakPagedPoolUsage;
    ULONG PagedPoolUsage;
    ULONG PagedPoolLimit;
    ULONG PeakNonPagedPoolUsage;
    ULONG NonPagedPoolUsage;
    ULONG NonPagedPoolLimit;
    ULONG PeakPagefileUsage;
    ULONG PagefileUsage;
    ULONG PagefileLimit;
} POOLED_USAGE_AND_LIMITS, *PPOOLED_USAGE_AND_LIMITS;

/*
    PORT_INFORMATION_CLASS (ENUM)
*/
typedef enum _PORT_INFORMATION_CLASS {
    PortNoInformation
} PORT_INFORMATION_CLASS, *PPORT_INFORMATION_CLASS;

/*
    PROCESS_ACCESS_TOKEN (STRUCT)
    INFO-0
     Token
    INFO-1
     Thread
    Supported on system versions:
     NT 4.0,Win 2000,Win XP/2003
*/
typedef struct _PROCESS_ACCESS_TOKEN {
    HANDLE Token;
    HANDLE Thread;
} PROCESS_ACCESS_TOKEN, *PPROCESS_ACCESS_TOKEN;

/*
    PROCESS_INFORMATION_CLASS (ENUM)
*/
typedef enum _PROCESS_INFORMATION_CLASS {
    ProcessBasicInformation,
    ProcessQuotaLimits,
    ProcessIoCounters,
    ProcessVmCounters,
    ProcessTimes,
    ProcessBasePriority,
    ProcessRaisePriority,
    ProcessDebugPort,
    ProcessExceptionPort,
    ProcessAccessToken,
    ProcessLdtInformation,
    ProcessLdtSize,
    ProcessDefaultHardErrorMode,
    ProcessIoPortHandlers,
    ProcessPooledUsageAndLimits,
    ProcessWorkingSetWatch,
    ProcessUserModeIOPL,
    ProcessEnableAlignmentFaultFixup,
    ProcessPriorityClass,
    ProcessWx86Information,
    ProcessHandleCount,
    ProcessAffinityMask,
    ProcessPriorityBoost,
    MaxProcessInfoClass
} PROCESS_INFORMATION_CLASS, *PPROCESS_INFORMATION_CLASS;

/*
    PROCESS_WS_WATCH_INFORMATION (STRUCT)
    INFO-0
     FaultingPc
    INFO-1
     FaultingVa
    Supported on system versions:
     NT 4.0,Win 2000,Win XP/2003
*/
typedef struct _PROCESS_WS_WATCH_INFORMATION {
    PVOID FaultingPc;
    PVOID FaultingVa;
} PROCESS_WS_WATCH_INFORMATION, *PPROCESS_WS_WATCH_INFORMATION;

/*
    RtlAllocateHeap (FUNCTION)
    INFO-0
     B><HR WIDTH="40%">
    INFO-1
     unction maps Win32 API HeapCreate, see Ms SDK.
*/
typedef PVOID (NTAPI *_RtlAllocateHeap)( IN PVOID HeapHandle, IN ULONG Flags, IN ULONG Size );

/*
    RtlCaptureStackBackTrace (FUNCTION)
    INFO-0
     Function RtlCaptureStackBackTrace is usefull for debugging and analysing problems by making complete trace of calling functions by processing stack.
    FramesToSkip
     How many stack entries should be skiped.
    FramesToCapture
     Length of BackTrace buffer array.
    BackTrace
     Array of caller's addresses.
    BackTraceHash
     Unknown...
    Supported on system versions:
     NT 4.0,Win 2000,Win XP/2003
*/
typedef USHORT (NTAPI *_RtlCaptureStackBackTrace)( IN ULONG FramesToSkip, IN ULONG FramesToCapture, OUT PVOID *BackTrace, OUT PULONG BackTraceHash );

/*
    RtlCompactHeap (FUNCTION)
    HeapHandle
     eap address.
    Flags
     ee RtlCreateHeap for more information.
*/
typedef ULONG (NTAPI *_RtlCompactHeap)( IN HANDLE HeapHandle, IN ULONG Flags );

/*
    RtlCompressBuffer (FUNCTION)
    CompressionFormat
     Only lower 2 bytes are supported. Higher byte means Compression Engine. Lower byte means Compressing Format.
    Compression format (0-15). Bits 4-7 are unused.
     In NT 4.0 sp6 only LZNT1 is supported.
    #define COMPRESSION_FORMAT_NONE     (0x0000)        // [result:STATUS_INVALID_PARAMETER]
     #define COMPRESSION_FORMAT_DEFAULT (0x0001)        // [result:STATUS_INVALID_PARAMETER]
    Compression engine.
     It's level of compression. Higher level means better results, but longer time used for compression process.
    #define COMPRESSION_ENGINE_STANDARD (0x0000)        // Standart compression
     #define COMPRESSION_ENGINE_MAXIMUM (0x0100)        // Maximum (slowest but better)

     Unknown
    pDestinationSize
     Size of data after compression.
    WorkspaceBuffer
     See RtlGetCompressionWorkSpaceSize for more information.
*/
typedef NTSTATUS (NTAPI *_RtlCompressBuffer)( IN ULONG CompressionFormat, IN PVOID SourceBuffer, IN ULONG SourceBufferLength, OUT PVOID DestinationBuffer, IN ULONG DestinationBufferLength, IN ULONG Unknown, OUT PULONG pDestinationSize, IN PVOID WorkspaceBuffer );

/*
    RtlCreateEnvironment (FUNCTION)
    Inherit
     f set, newly created environment are similar to caller's environment.
    *Environment
     B>RtlCreateEnvironment allocate memory in caller's address space, and fills it with new environment block. Environment is pointer to this block.
*/
typedef NTSTATUS (NTAPI *_RtlCreateEnvironment)( IN BOOLEAN Inherit, OUT PVOID *Environment );

/*
    RtlCreateHeap (FUNCTION)
    Flags
     lags are defined in &lt;WinNT.h&gt;. Can be one of following:
    Base
     ase address, where heap should be created. If memory was previously allocated at this address, heap is created at the nearest possibble virtual address.
    Reserve
     ow much bytes should be reserved. See NtAllocateVirtualMemory.
    Commit
     ow meny bytes should be commited. If Reserve is greater than zero, Commit must be less or equal to Reserve.
    Lock
     f set, heap will be locked. See RtlLockHeap / RtlUnlockHeap.
    RtlHeapParams
     ointer to RTL_HEAP_DEFINITION structure. On NT 4.0 all bytes of this (except length field) are set to zero.
*/
typedef PVOID (NTAPI *_RtlCreateHeap)( IN ULONG Flags, IN PVOID Base OPTIONAL, IN ULONG Reserve OPTIONAL, IN ULONG Commit, IN BOOLEAN Lock OPTIONAL, IN PRTL_HEAP_DEFINITION RtlHeapParams OPTIONAL );

/*
    RtlCreateUserProcess (FUNCTION)
    ImagePath
     ull path to executable image, in NT format (ex: "/??/C:/WinNT/SYSTEM32/cmd.exe").
    ObjectAttributes
     sed in File object creation. Valid are OBJ_INHERIT and OBJ_CASE_INSENSITIVE.
    ProcessParameters
     ormalized RTL_USER_PROCESS_PARAMETERS structure pointer. See RtlCreateProcessParameters for more information.
    ParentProcess
     andle to object Process, opened with PROCESS_CREATE_PROCESS access.
    ProcessInformation
     ointer to user-allocated structure RTL_USER_PROCESS_INFORMATION.
*/
typedef NTSTATUS (NTAPI *_RtlCreateUserProcess)( IN PUNICODE_STRING ImagePath, IN ULONG ObjectAttributes, IN OUT PRTL_USER_PROCESS_PARAMETERS ProcessParameters, IN PSECURITY_DESCRIPTOR ProcessSecurityDescriptor OPTIONAL, IN PSECURITY_DESCRIPTOR ThreadSecurityDescriptor OPTIONAL, IN HANDLE ParentProcess, IN BOOLEAN InheritHandles, IN HANDLE DebugPort OPTIONAL, IN HANDLE ExceptionPort OPTIONAL, OUT PRTL_USER_PROCESS_INFORMATION ProcessInformation );

/*
    RtlCreateUserThread (FUNCTION)
    StackZeroBits
     ow many older bits must be clear while allocating thread stack. See INITIAL_TEB.
    StartAddress
     hread start routine address.
*/
typedef NTSTATUS (NTAPI *_RtlCreateUserThread)( IN HANDLE ProcessHandle, IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL, IN BOOLEAN CreateSuspended, IN ULONG StackZeroBits, IN OUT PULONG StackReserved, IN OUT PULONG StackCommit, IN PVOID StartAddress, IN PVOID StartParameter OPTIONAL, OUT PHANDLE ThreadHandle, OUT PCLIENT_ID ClientID );

/*
    RtlDecompressBuffer (FUNCTION)
    CompressionFormat
     See RtlCompressBuffer for possible compression formats. Compression engine is not used
*/
typedef NTSTATUS (NTAPI *_RtlDecompressBuffer)( IN ULONG CompressionFormat, OUT PVOID DestinationBuffer, IN ULONG DestinationBufferLength, IN PVOID SourceBuffer, IN ULONG SourceBufferLength, OUT PULONG pDestinationSize );

/*
    RtlDestroyEnvironment (FUNCTION)
    Environment
     ointer to allocated environment block.
*/
typedef VOID (NTAPI *_RtlDestroyEnvironment)( IN PVOID Environment );

/*
    RtlDestroyHeap (FUNCTION)
    HeapHandle
     DIV CLASS="reg">Pointer to heap memory block.
*/
typedef NTSTATUS (NTAPI *_RtlDestroyHeap)( IN PVOID HeapHandle );

/*
    RtlEnumProcessHeaps (FUNCTION)
    INFO-0
     PHEAP_ENUMERATION_ROUTINE is defined as follows:
    typedef NTSTATUS
     (*PHEAP_ENUMERATION_ROUTINE)(
    INFO-2
     <HR WIDTH="40%">
    HeapEnumerationRoutine
     ser function address.
    Param
     ser defined parameter, will be placed as UserParam in every HeapEnumerationRoutine calls.
*/
typedef NTSTATUS (NTAPI *_RtlEnumProcessHeaps)( IN PHEAP_ENUMERATION_ROUTINE HeapEnumerationRoutine, IN PVOID Param OPTIONAL );

/*
    RtlExpandEnvironmentStrings_U (FUNCTION)
    Environment
     ointer to environment block.
    SourceString
     ointer to UNICODE_STRING structure with text. If text contains any environment variable name separated with '%' character, variable name is replaced by value of this variable.
    DestinationString
     esult of above operation. At input only MaximumLength of UNICODE_STRING structure must be valid.
    DestinationBufferLength
     f you don't know, how long should be result buffer, use value at DestinationBufferLength pointer.
*/
typedef NTSTATUS (NTAPI *_RtlExpandEnvironmentStrings_U)( IN PVOID Environment OPTIONAL, IN PUNICODE_STRING SourceString, OUT PUNICODE_STRING DestinationString, OUT PULONG DestinationBufferLength OPTIONAL );

/*
    RtlFormatCurrentUserKeyPath (FUNCTION)
    INFO-0
*/
typedef NTSTATUS (NTAPI *_RtlFormatCurrentUserKeyPath)( OUT PUNICODE_STRING RegistryPath );

/*
    RtlFreeHeap (FUNCTION)
    INFO-0
     Maps directly to Win32 API HeapFree from Kernel32.dll.
*/
typedef BOOLEAN (NTAPI *_RtlFreeHeap)( IN PVOID HeapHandle, IN ULONG Flags OPTIONAL, IN PVOID MemoryPointer );

/*
    RtlGetCallersAddress (FUNCTION)
    INFO-0
     Routine RtlGetCallersAddress is usefull in program debugging or exceptions control. It returns address of calling instruction.
    CallersAddress
     Returns address in body of function that call RtlGetCallersAddress.
    CallersCaller
     Returns address in function's calling function that call RtlGetCallersAddress body.
    Supported on system versions:
     NT 4.0,Win 2000,Win XP/2003
*/
typedef PVOID (NTAPI *_RtlGetCallersAddress)( OUT PVOID *CallersAddress, OUT PVOID *CallersCaller );

/*
    RtlGetCompressionWorkSpaceSize (FUNCTION)
    CompressionFormat
     See RtlCompressBuffer for valid CompressionFormat flags.
    pNeededBufferSize
     You must allocate temporary compression buffer for system internal use in compression process.
    pUnknown
     -?, propably PageSize (0x4000).
*/
typedef NTSTATUS (NTAPI *_RtlGetCompressionWorkSpaceSize)( IN ULONG CompressionFormat, OUT PULONG pNeededBufferSize, OUT PULONG pUnknown );

/*
    RtlGetProcessHeaps (FUNCTION)
    MaxNumberOfHeaps
     DIV CLASS="reg">Size of HeapArray.
    Return value:
     DIV CLASS="reg">Number of process heaps.
*/
typedef ULONG (NTAPI *_RtlGetProcessHeaps)( IN ULONG MaxNumberOfHeaps, OUT PVOID *HeapArray );

/*
    RtlImageNtHeader (FUNCTION)
    ModuleAddress
     Is module base address in process virtual memory, known as HMODULE.
    Return value
     Is pointer to IMAGE_NT_HEADERS structure.
*/
typedef PIMAGE_NT_HEADERS (NTAPI *_RtlImageNtHeader)( IN PVOID ModuleAddress );

/*
    RtlImageRvaToVa (FUNCTION)
    Return value
     It's pointer to vitrual memory in caller's address space.
    INFO-1
     See ImageRvaToVa in &lt;Dbghelp.h&gt; for detailed description of use.
*/
typedef PVOID (NTAPI *_RtlImageRvaToVa)( IN PIMAGE_NT_HEADERS NtHeaders, IN PVOID ModuleBase, IN ULONG Rva, IN OUT PIMAGE_SECTION_HEADER pLastSection OPTIONAL );

/*
    RtlInitializeContext (FUNCTION)
    INFO-0
     Initialise CONTEXT structure for use with NtCreateThread.
*/
typedef PVOID (NTAPI *_RtlInitializeContext)( IN HANDLE ProcessHandle, OUT PCONTEXT ThreadContext, IN PVOID ThreadStartParam OPTIONAL, IN PTHREAD_START_ROUTINE ThreadStartAddress, IN PINITIAL_TEB InitialTeb );

/*
    RtlLockHeap (FUNCTION)
    HeapHandle
     eap address.
    INFO-1
     <HR WIDTH="40%">
    INFO-2
     Function protect locks virtual memory. See NtLockVirtualMemory for additional information.
*/
typedef BOOLEAN (NTAPI *_RtlLockHeap)( IN PVOID HeapHandle );

/*
    RtlProtectHeap (FUNCTION)
    HeapHandle
     ddress of heap.
    Protect
     f set, memory is protected to PAGE_READONLY. If zero, protect with PAGE_READWRITE.
    Return value
     esult is address of protected or unprotected heap.
*/
typedef PVOID (NTAPI *_RtlProtectHeap)( IN PVOID HeapHandle, IN BOOLEAN Protect );

/*
    RtlQueryEnvironmentVariable_U (FUNCTION)
    Environment
     ointer to environment block. If NULL, current environment is used.
*/
typedef NTSTATUS (NTAPI *_RtlQueryEnvironmentVariable_U)( IN PVOID Environment OPTIONAL, IN PUNICODE_STRING VariableName, OUT PUNICODE_STRING VariableValue );

/*
    RtlReAllocateHeap (FUNCTION)
    INFO-0
     Kernel32.dll HeapReAlloc maps directly to RtlReAllocateHeap. All parameters are descripted in Ms SDK.
*/
typedef PVOID (NTAPI *_RtlReAllocateHeap)( IN PVOID HeapHandle, IN ULONG Flags, IN PVOID MemoryPointer, IN ULONG Size );

/*
    RtlSetCurrentEnvironment (FUNCTION)
    NewEnvironment
     ointer to newly created environment block.
    OldEnvironment
     eturn pointer to previous environment block. You should release it by call RtlDestroyEnvironment.
*/
typedef VOID (NTAPI *_RtlSetCurrentEnvironment)( IN PVOID NewEnvironment, OUT PVOID *OldEnvironment OPTIONAL );

/*
    RtlSetEnvironmentVariable (FUNCTION)
    *Environment
     f Environment is NULL, current environment block is used.
*/
typedef NTSTATUS (NTAPI *_RtlSetEnvironmentVariable)( IN OUT PVOID *Environment OPTIONAL, IN PUNICODE_STRING VariableName, IN PUNICODE_STRING VariableValue );

/*
    RtlSizeHeap (FUNCTION)
    INFO-0
     Kernel32.dll HeapSize maps directly to RtlSizeHeap. See Ms SDK for definition.
*/
typedef ULONG (NTAPI *_RtlSizeHeap)( IN PVOID HeapHandle, IN ULONG Flags, IN PVOID MemoryPointer );

/*
    RtlTimeFieldsToTime (FUNCTION)
    TimeFields
     Pointer to TIME_FIELDS structure containing time to convert.
    Time
     Pointer to LARGE_INTEGER receiving converted time.
*/
typedef BOOLEAN (NTAPI *_RtlTimeFieldsToTime)( IN PTIME_FIELDS TimeFields, OUT PLARGE_INTEGER Time );

/*
    RtlTimeToTimeFields (FUNCTION)
    Time
     Pointer to LARGE_INTEGER contains time to convert.
    TimeFields
     Result of call - pointer to TIME_FIELDS structure.
*/
typedef VOID (NTAPI *_RtlTimeToTimeFields)( IN PLARGE_INTEGER Time, OUT PTIME_FIELDS TimeFields );

/*
    RtlUnlockHeap (FUNCTION)
    HeapHandle
     ddress of heap.
    INFO-1
     See RtlLockHeap for details.
*/
typedef BOOLEAN (NTAPI *_RtlUnlockHeap)( IN PVOID HeapHandle );

/*
    RtlValidateHeap (FUNCTION)
    HeapHandle
     ddress of heap to validate.
    Flags
     ee RtlCreateHeap.
    AddressToValidate
     f specified, only one block is validated. If not, all blocks from heap are validated.
*/
typedef BOOLEAN (NTAPI *_RtlValidateHeap)( IN PVOID HeapHandle, IN ULONG Flags, IN PVOID AddressToValidate OPTIONAL );

/*
    RtlValidateProcessHeaps (FUNCTION)
    INFO-0
     Function validate all heaps associated with calling process. See RtlValidateHeap for more information.
*/
typedef BOOLEAN (NTAPI *_RtlValidateProcessHeaps)( );

/*
    RtlWalkHeap (FUNCTION)
    HeapHandle
     ddress of heap.
    ProcessHeapEntry
     ointer to PROCESS_HEAP_ENTRY structure defined in &lt;WinNT.h&gt;.
    Return value
     epeat calls to RtlWalkHeap until result is STATUS_NO_MORE_ENTRIES.
*/
typedef NTSTATUS (NTAPI *_RtlWalkHeap)( IN PVOID HeapHandle, IN OUT LPPROCESS_HEAP_ENTRY ProcessHeapEntry );

/*
    RTL_DRIVE_LETTER_CURDIR (STRUCT)
    INFO-1
     Flags
    INFO-2
     Length
    INFO-3
     TimeStamp
    INFO-4
     DosPath
*/
typedef struct _RTL_DRIVE_LETTER_CURDIR {
    USHORT Flags;
    USHORT Length;
    ULONG TimeStamp;
    UNICODE_STRING DosPath;
} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;

/*
    RTL_HEAP_DEFINITION (STRUCT)
    INFO-0
*/
typedef struct _RTL_HEAP_DEFINITION {
    ULONG Length;
    ULONG Unknown1;
    ULONG Unknown2;
    ULONG Unknown3;
    ULONG Unknown4;
    ULONG Unknown5;
    ULONG Unknown6;
    ULONG Unknown7;
    ULONG Unknown8;
    ULONG Unknown9;
    ULONG Unknown10;
    ULONG Unknown11;
    ULONG Unknown12;
} RTL_HEAP_DEFINITION, *PRTL_HEAP_DEFINITION;

/*
    RTL_USER_PROCESS_INFORMATION (STRUCT)
    Size
     ize of structure, in bytes.
    ProcessHandle
     I>HANDLE to newly created Process object.
    ThreadHandle
     I>HANDLE to Thread object representing main thread in process.
    ClientId
     nique Id of process and thread.
    ImageInformation
     ome information from PE header. Created in result of call NtQuerySection with SectionImageInformation class.
*/
typedef struct _RTL_USER_PROCESS_INFORMATION {
    ULONG Size;
    HANDLE ProcessHandle;
    HANDLE ThreadHandle;
    CLIENT_ID ClientId;
    SECTION_IMAGE_INFORMATION ImageInformation;
} RTL_USER_PROCESS_INFORMATION, *PRTL_USER_PROCESS_INFORMATION;

/*
    RTL_USER_PROCESS_PARAMETERS (STRUCT)
    MaximumLength
     hould be set before call RtlCreateProcessParameters.
    Length
     ength of valid structure.
    Flags
     urrently only one flag is known:
    INFO-3
     DebugFlags
    ConsoleHandle
     B>HWND to console window associated with process (if any).
    INFO-5
     ConsoleFlags
    INFO-6
     StdInputHandle
    INFO-7
     StdOutputHandle
    INFO-8
     StdErrorHandle
    CurrentDirectoryPath
     pecified in DOS-like symbolic link path, ex: "C:/WinNT/SYSTEM32"
    CurrentDirectoryHandle
     andle to FILE object.
    DllPath
     OS-like paths separated by ';' where system shoult search for DLL files.
    ImagePathName
     ull path in DOS-like format to process'es file image.
    CommandLine
     ommand line.
    Environment
     ointer to environment block (see RtlCreateEnvironment).
    INFO-15
     StartingPositionLeft
    INFO-16
     StartingPositionTop
    INFO-17
     Width
    INFO-18
     Height
    INFO-19
     CharWidth
    INFO-20
     CharHeight
    INFO-21
     ConsoleTextAttributes
    INFO-22
     WindowFlags
    INFO-23
     ShowWindowFlags
    INFO-24
     WindowTitle
    DesktopName
     ame of WindowStation and Desktop objects, where process is assigned.
    INFO-26
     ShellInfo
    INFO-27
     RuntimeData
    INFO-29
     <HR WIDTH="40%">
    INFO-30
     RTL_USER_PROCESS_PARAMETERS is located at address 0x20000 (for all processes created by call WIN32 API CreateProcess).
*/
typedef struct _RTL_USER_PROCESS_PARAMETERS {
    ULONG MaximumLength;
    ULONG Length;
    ULONG Flags;
    ULONG DebugFlags;
    PVOID ConsoleHandle;
    ULONG ConsoleFlags;
    HANDLE StdInputHandle;
    HANDLE StdOutputHandle;
    HANDLE StdErrorHandle;
    UNICODE_STRING CurrentDirectoryPath;
    HANDLE CurrentDirectoryHandle;
    UNICODE_STRING DllPath;
    UNICODE_STRING ImagePathName;
    UNICODE_STRING CommandLine;
    PVOID Environment;
    ULONG StartingPositionLeft;
    ULONG StartingPositionTop;
    ULONG Width;
    ULONG Height;
    ULONG CharWidth;
    ULONG CharHeight;
    ULONG ConsoleTextAttributes;
    ULONG WindowFlags;
    ULONG ShowWindowFlags;
    UNICODE_STRING WindowTitle;
    UNICODE_STRING DesktopName;
    UNICODE_STRING ShellInfo;
    UNICODE_STRING RuntimeData;
    RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20];
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

/*
    SECTION_BASIC_INFORMATION (STRUCT)
    Unknown
     (?), always set to zero.
    SectionAttributes
     Can be one or combination of:
    INFO-2
        SEC_RESERVE SEC_IMAGE   SEC_FILE
    SectionSize
     Size of section, in bytes. This value equals to section's size declared in a call to NtCreateSection or NtExtendSection.
*/
typedef struct _SECTION_BASIC_INFORMATION {
    ULONG Unknown;
    ULONG SectionAttributes;
    LARGE_INTEGER SectionSize;
} SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;

/*
    SECTION_IMAGE_INFORMATION (STRUCT)
    EntryPoint
     Image's entry point.
    StackZeroBits
     Number of bits from left side of stack address must be set to zero. It means maximum stack's address in process memory.
    StackReserved
     Total size of stack, in bytes.
    StackCommit
     Initially commited stack's block size.
    ImageSubsystem
     One of IMAGE_SUBSYSTEM_* descripted in Microsoft SDK and avaiable in &lt;winnt.h&gt; header file.
    SubSystemVersionLow
     Minor version number of subsystem.
    SubSystemVersionHigh
     Major version number of subsystem.
    Unknown1
     (?)
    ImageCharacteristics
     DLL Characteristics.
    ImageMachineType
     One of IMAGE_FILE_MACHINE_*.
    Unknown2[3]
     (?)
*/
typedef struct _SECTION_IMAGE_INFORMATION {
    PVOID EntryPoint;
    ULONG StackZeroBits;
    ULONG StackReserved;
    ULONG StackCommit;
    ULONG ImageSubsystem;
    WORD SubSystemVersionLow;
    WORD SubSystemVersionHigh;
    ULONG Unknown1;
    ULONG ImageCharacteristics;
    ULONG ImageMachineType;
    ULONG Unknown2[3];
} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;

/*
    SECTION_INFORMATION_CLASS (ENUM)
*/
typedef enum _SECTION_INFORMATION_CLASS {
    SectionBasicInformation,
    SectionImageInformation
} SECTION_INFORMATION_CLASS, *PSECTION_INFORMATION_CLASS;

/*
    SECTION_INHERIT (ENUM)
*/
typedef enum _SECTION_INHERIT {
    ViewShare=1,
    ViewUnmap=2
} SECTION_INHERIT, *PSECTION_INHERIT;

/*
    SEMAPHORE_BASIC_INFORMATION (STRUCT)
    CurrentCount
     Current state of semaphore's counter.
    MaximumCount
     Maximum counter position, defined with call to NtCreateSemaphore.
*/
typedef struct _SEMAPHORE_BASIC_INFORMATION {
    ULONG CurrentCount;
    ULONG MaximumCount;
} SEMAPHORE_BASIC_INFORMATION, *PSEMAPHORE_BASIC_INFORMATION;

/*
    SEMAPHORE_INFORMATION_CLASS (ENUM)
*/
typedef enum _SEMAPHORE_INFORMATION_CLASS {
    SemaphoreBasicInformation
} SEMAPHORE_INFORMATION_CLASS, *PSEMAPHORE_INFORMATION_CLASS;

/*
    SHUTDOWN_ACTION (ENUM)
*/
typedef enum _SHUTDOWN_ACTION {
    ShutdownNoReboot,
    ShutdownReboot,
    ShutdownPowerOff
} SHUTDOWN_ACTION, *PSHUTDOWN_ACTION;

/*
    SYSDBG_COMMAND (ENUM)
*/
typedef enum _SYSDBG_COMMAND {
    SysDbgQueryModuleInformation=1,
    SysDbgQueryTraceInformation,
    SysDbgSetTracepoint,
    SysDbgSetSpecialCall,
    SysDbgClearSpecialCalls,
    SysDbgQuerySpecialCalls
} SYSDBG_COMMAND, *PSYSDBG_COMMAND;

/*
    SYSTEM_INFORMATION_CLASS (ENUM)
*/
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation,
    SystemProcessorInformation,
    SystemPerformanceInformation,
    SystemTimeOfDayInformation,
    SystemPathInformation,
    SystemProcessInformation,
    SystemCallCountInformation,
    SystemDeviceInformation,
    SystemProcessorPerformanceInformation,
    SystemFlagsInformation,
    SystemCallTimeInformation,
    SystemModuleInformation,
    SystemLocksInformation,
    SystemStackTraceInformation,
    SystemPagedPoolInformation,
    SystemNonPagedPoolInformation,
    SystemHandleInformation,
    SystemObjectInformation,
    SystemPageFileInformation,
    SystemVdmInstemulInformation,
    SystemVdmBopInformation,
    SystemFileCacheInformation,
    SystemPoolTagInformation,
    SystemInterruptInformation,
    SystemDpcBehaviorInformation,
    SystemFullMemoryInformation,
    SystemLoadGdiDriverInformation,
    SystemUnloadGdiDriverInformation,
    SystemTimeAdjustmentInformation,
    SystemSummaryMemoryInformation,
    SystemNextEventIdInformation,
    SystemEventIdsInformation,
    SystemCrashDumpInformation,
    SystemExceptionInformation,
    SystemCrashDumpStateInformation,
    SystemKernelDebuggerInformation,
    SystemContextSwitchInformation,
    SystemRegistryQuotaInformation,
    SystemExtendServiceTableInformation,
    SystemPrioritySeperation,
    SystemPlugPlayBusInformation,
    SystemDockInformation,
    SystemPowerInformation,
    SystemProcessorSpeedInformation,
    SystemCurrentTimeZoneInformation,
    SystemLookasideInformation
} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;

/*
    SYSTEM_MODULE (STRUCT)
    Reserved1
     DIV CLASS="reg">Reserved (always 0xBAADF00D).
    Reserved2
     DIV CLASS="reg">Reserved (always 0).
    Address
     DIV CLASS="reg">Module address in virtual address space.
    ImageSize
     DIV CLASS="reg">Size of module in virtual address space.
    Id
     DIV CLASS="reg">0-based counter of results.
    Rank
     DIV CLASS="reg">The same as Id (in global enumeration with NtQuerySystemInformation), or unknown.
    w018
     DIV CLASS="reg">In process module enumeration with LdrQueryProcessModuleInformation always 0xFFFF, in other - unknown.
    NameOffset
     DIV CLASS="reg">Offset in Name table to first char of module name.
    Name
     DIV CLASS="reg">Path to module.
*/
typedef struct _SYSTEM_MODULE {
    ULONG Reserved1;
    ULONG Reserved2;
    PVOID ImageBaseAddress;
    ULONG ImageSize;
    ULONG Flags;
    WORD Id;
    WORD Rank;
    WORD w018;
    WORD NameOffset;
    BYTE Name[MAXIMUM_FILENAME_LENGTH];
} SYSTEM_MODULE, *PSYSTEM_MODULE;

/*
    SYSTEM_MODULE_INFORMATION (STRUCT)
    See SYSTEM_MODULE for details.
     See NtQuerySystemInformation with SystemModuleInformation class for global module enumeration.
*/
typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG ModulesCount;
    SYSTEM_MODULE Modules[0];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

/*
    SYSTEM_PAGEFILE_INFORMATION (STRUCT)
    NextEntryOffset
     Offset to next SYSTEM_PAGEFILE_INFORMATION structure or zero, if it's last one.
    TotalSize
     Size of paged file, in pages (Size of page depend on machine type, for x86 one page is 0x1000 (4096) bytes).
    TotalInUse
     Number of currently used pages in paged file.
    PeakUsage
     Maximum number of pages used in this boot session.
    PageFileName
     System path to paged file.
*/
typedef struct _SYSTEM_PAGEFILE_INFORMATION {
    ULONG NextEntryOffset;
    ULONG TotalSize;
    ULONG TotalInUse;
    ULONG PeakUsage;
    UNICODE_STRING PageFileName;
} SYSTEM_PAGEFILE_INFORMATION, *PSYSTEM_PAGEFILE_INFORMATION;

/*
    SYSTEM_PROCESS_INFORMATION (STRUCT)
    NextEntryOffset
     Offset from begining of output buffer to next process entry. On last entry contains zero.
    NumberOfThreads
     Number of process'es threads. Also number of members in Threads array descripted below.
    Reserved[3]
     Reserved.
    CreateTime
     Process creation time, in 100-ns units.
    UserTime
     Effective time in User Mode.
    KernelTime
     Effective time in Kernel Mode.
    ImageName
     Process name, based on executable file name.
    BasePriority
     Process base priority.
    ProcessId
     Unique identifier of process.
    InheritedFromProcessId
     Creator's identifier.
    HandleCount
     Nr of open HANDLEs.
    Reserved2[2]
     Reserved.
    PrivatePageCount
     Number of memory pages assigned to process.
    VirtualMemoryCounters
     Memory performance counters.
    IoCounters
     IO performance counters.
    Threads[0]
     Array of SYSTEM_THREAD structures descripting process's threads.
*/
typedef struct _SYSTEM_PROCESS_INFORMATION {
    ULONG NextEntryOffset;
    ULONG NumberOfThreads;
    LARGE_INTEGER Reserved[3];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ImageName;
    KPRIORITY BasePriority;
    HANDLE ProcessId;
    HANDLE InheritedFromProcessId;
    ULONG HandleCount;
    ULONG Reserved2[2];
    ULONG PrivatePageCount;
    VM_COUNTERS VirtualMemoryCounters;
    IO_COUNTERS IoCounters;
    SYSTEM_THREAD Threads[0];
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

/*
    SYSTEM_REGISTRY_QUOTA_INFORMATION (STRUCT)
    RegistryQuotaAllowed
     llowed size of all currently loaded hives.
    RegistryQuotaUsed
     ize of all currently loaded hives.
    PagedPoolSize
     aged Pool size. RegistryQuotaAllowed shouldn't be grater then 80 percent of PagedPoolSize.
    INFO-3
     <HR WIDTH="40%">
    Remember that registry size is always sum of all loaded hives. So if you call NtSaveKey, size of registry will have the highest point at the end of saving.
     SYSTEM_REGISTRY_QUOTA_INFORMATION don't need restart of system to change registry quota.
*/
typedef struct _SYSTEM_REGISTRY_QUOTA_INFORMATION {
    ULONG RegistryQuotaAllowed;
    ULONG RegistryQuotaUsed;
    ULONG PagedPoolSize;
} SYSTEM_REGISTRY_QUOTA_INFORMATION, *PSYSTEM_REGISTRY_QUOTA_INFORMATION;

/*
    SYSTEM_THREAD (STRUCT)
    KernelTime
       Sum of thread's execution time in KernelMode, in native format.
    UserTime
      Sum of thread's execution time in UserMode, in native format.
    CreateTime
      Time of thread creation, in native format.
    WaitTime
       Sum of thread's waiting time, in native format.
    StartAddress
       Thread start address.
    ClientId
       Process and thread identyficators.
    Priority
       Thread prioryty.
    BasePriority
       Thread base prioryty.
    ContextSwitchCount
       Number of context switches executed by thread.
    State
       Current thread's state.
    WaitReason
       Reason for waiting (if any).
*/
typedef struct _SYSTEM_THREAD {
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientId;
    KPRIORITY Priority;
    LONG BasePriority;
    ULONG ContextSwitchCount;
    ULONG State;
    KWAIT_REASON WaitReason;
} SYSTEM_THREAD, *PSYSTEM_THREAD;

/*
    TEB (STRUCT)
    Tib
     Structure NT_TIB is avaiable in &lt;WinNT.h&gt; header file.
    INFO-1
     EnvironmentPointer
    INFO-2
     Cid
    INFO-3
     ActiveRpcInfo
    INFO-4
     ThreadLocalStoragePointer
    Peb
     Pointer to PEB structure contains Process Environment Block.
    INFO-6
     LastErrorValue
    INFO-7
     CountOfOwnedCriticalSections
    INFO-8
     CsrClientThread
    INFO-9
     Win32ThreadInfo
    INFO-10
     Win32ClientInfo[0x1F]
    INFO-11
     WOW32Reserved
    INFO-12
     CurrentLocale
    INFO-13
     FpSoftwareStatusRegister
    INFO-14
     SystemReserved1[0x36]
    INFO-15
     Spare1
    INFO-16
     ExceptionCode
    INFO-17
     SpareBytes1[0x28]
    INFO-18
     SystemReserved2[0xA]
    INFO-19
     GdiRgn
    INFO-20
     GdiPen
    INFO-21
     GdiBrush
    INFO-22
     RealClientId
    INFO-23
     GdiCachedProcessHandle
    INFO-24
     GdiClientPID
    INFO-25
     GdiClientTID
    INFO-26
     GdiThreadLocaleInfo
    INFO-27
     UserReserved[5]
    INFO-28
     GlDispatchTable[0x118]
    INFO-29
     GlReserved1[0x1A]
    INFO-30
     GlReserved2
    INFO-31
     GlSectionInfo
    INFO-32
     GlSection
    INFO-33
     GlTable
    INFO-34
     GlCurrentRC
    INFO-35
     GlContext
    INFO-36
     LastStatusValue
    INFO-37
     StaticUnicodeString
    INFO-38
     StaticUnicodeBuffer[0x105]
    INFO-39
     DeallocationStack
    INFO-40
     TlsSlots[0x40]
    INFO-41
     TlsLinks
    INFO-42
     Vdm
    INFO-43
     ReservedForNtRpc
    INFO-44
     DbgSsReserved[0x2]
    INFO-45
     HardErrorDisabled
    INFO-46
     Instrumentation[0x10]
    INFO-47
     WinSockData
    INFO-48
     GdiBatchCount
    INFO-49
     Spare2
    INFO-50
     Spare3
    INFO-51
     Spare4
    INFO-52
     ReservedForOle
    INFO-53
     WaitingOnLoaderLock
    INFO-54
     StackCommit
    INFO-55
     StackCommitMax
    INFO-56
     StackReserved
*/
typedef struct _TEB {
    NT_TIB Tib;
    PVOID EnvironmentPointer;
    CLIENT_ID Cid;
    PVOID ActiveRpcInfo;
    PVOID ThreadLocalStoragePointer;
    PPEB Peb;
    ULONG LastErrorValue;
    ULONG CountOfOwnedCriticalSections;
    PVOID CsrClientThread;
    PVOID Win32ThreadInfo;
    ULONG Win32ClientInfo[0x1F];
    PVOID WOW32Reserved;
    ULONG CurrentLocale;
    ULONG FpSoftwareStatusRegister;
    PVOID SystemReserved1[0x36];
    PVOID Spare1;
    ULONG ExceptionCode;
    ULONG SpareBytes1[0x28];
    PVOID SystemReserved2[0xA];
    ULONG GdiRgn;
    ULONG GdiPen;
    ULONG GdiBrush;
    CLIENT_ID RealClientId;
    PVOID GdiCachedProcessHandle;
    ULONG GdiClientPID;
    ULONG GdiClientTID;
    PVOID GdiThreadLocaleInfo;
    PVOID UserReserved[5];
    PVOID GlDispatchTable[0x118];
    ULONG GlReserved1[0x1A];
    PVOID GlReserved2;
    PVOID GlSectionInfo;
    PVOID GlSection;
    PVOID GlTable;
    PVOID GlCurrentRC;
    PVOID GlContext;
    NTSTATUS LastStatusValue;
    UNICODE_STRING StaticUnicodeString;
    WCHAR StaticUnicodeBuffer[0x105];
    PVOID DeallocationStack;
    PVOID TlsSlots[0x40];
    LIST_ENTRY TlsLinks;
    PVOID Vdm;
    PVOID ReservedForNtRpc;
    PVOID DbgSsReserved[0x2];
    ULONG HardErrorDisabled;
    PVOID Instrumentation[0x10];
    PVOID WinSockData;
    ULONG GdiBatchCount;
    ULONG Spare2;
    ULONG Spare3;
    ULONG Spare4;
    PVOID ReservedForOle;
    ULONG WaitingOnLoaderLock;
    PVOID StackCommit;
    PVOID StackCommitMax;
    PVOID StackReserved;
} TEB, *PTEB;

/*
    THREAD_BASIC_INFORMATION (STRUCT)
    INFO-0
     Structure is used with ThreadBasicInformation information class in NtQueryInformationThread call.
*/
typedef struct _THREAD_BASIC_INFORMATION {
    NTSTATUS ExitStatus;
    PVOID TebBaseAddress;
    CLIENT_ID ClientId;
    KAFFINITY AffinityMask;
    KPRIORITY Priority;
    KPRIORITY BasePriority;
} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;

/*
    THREAD_INFORMATION_CLASS (ENUM)
*/
typedef enum _THREAD_INFORMATION_CLASS {
    ThreadBasicInformation,
    ThreadTimes,
    ThreadPriority,
    ThreadBasePriority,
    ThreadAffinityMask,
    ThreadImpersonationToken,
    ThreadDescriptorTableEntry,
    ThreadEnableAlignmentFaultFixup,
    ThreadEventPair,
    ThreadQuerySetWin32StartAddress,
    ThreadZeroTlsCell,
    ThreadPerformanceCount,
    ThreadAmILastThread,
    ThreadIdealProcessor,
    ThreadPriorityBoost,
    ThreadSetTlsArrayAddress,
    ThreadIsIoPending,
    ThreadHideFromDebugger
} THREAD_INFORMATION_CLASS, *PTHREAD_INFORMATION_CLASS;

/*
    THREAD_TIMES_INFORMATION (STRUCT)
    CreationTime
     ime of thread creation.
    ExitTime
     ime of thread termination.
    KernelTime
     ime that thread spent in KernelMode.
    UserTime
     ime that thread spent in UserMode.
    INFO-4
     <HR WIDTH="40%">
    INFO-5
     Structure is used with ThreadTimes information class in NtQueryInformationThread call.
*/
typedef struct _THREAD_TIMES_INFORMATION {
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER ExitTime;
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
} THREAD_TIMES_INFORMATION, *PTHREAD_TIMES_INFORMATION;

/*
    TIMER_BASIC_INFORMATION (STRUCT)
    RemainingTime
     Contains time (in 100ns units) to next timer signal (negative value), or time after last signalization.
    TimerState
     If TRUE, timer is signaled.
*/
typedef struct _TIMER_BASIC_INFORMATION {
    LARGE_INTEGER RemainingTime;
    BOOLEAN TimerState;
} TIMER_BASIC_INFORMATION, *PTIMER_BASIC_INFORMATION;

/*
    TIMER_INFORMATION_CLASS (ENUM)
*/
typedef enum _TIMER_INFORMATION_CLASS {
    TimerBasicInformation
} TIMER_INFORMATION_CLASS, *PTIMER_INFORMATION_CLASS;

/*
    TIME_FIELDS (STRUCT)
    Year
     Year, in range 1601 - 65535.
    Month
     Month, in range 1 - 12.
    Day
     Day, in range 1 - 31, dependly on Month member.
    Hour
     Hour, in range 0 - 23.
    Minute
     Minute, in range 0 - 59.
    Second
     Second, in range 0 - 59.
    Milliseconds
     Milliseconds, in range 0 - 1000.
    Weekday
     Day of week, in range 0 - 6, where 0 means "Sunday", 1 means "Monday" etc.
*/
typedef struct _TIME_FIELDS {
    USHORT Year;
    USHORT Month;
    USHORT Day;
    USHORT Hour;
    USHORT Minute;
    USHORT Second;
    USHORT Milliseconds;
    USHORT Weekday;
} TIME_FIELDS, *PTIME_FIELDS;

/*
<?php
//PHP NTINTERNALS SCRAPER
$dump_file = "O:/NTAPI.h";
$use_dll_import = FALSE; //Remove NTSYSAPI from function typedefs?
//Iterate through api index
$api_base   = "http://undocumented.ntinternals.net";
$api_index  = "$api_base/aindex.html";
$page = strip_tags(file_get_contents($api_index), '<a>');
$indexstart = strpos($page, '<A HREF="/title.html">About</a>');
$indexstart = $indexstart + strlen('<A HREF="/title.html">About</a>');
$indexend = strpos($page, 'Autogenerated by mkindex.awk', $indexstart);
$index = ltrim(rtrim(substr($page, $indexstart, $indexend - $indexstart)));
$index = str_replace('<A HREF="', '', $index);
$index = str_replace('">', ':', $index);
$index = str_replace('</a>', '', $index);
//Format now => URL:NAME\n
$limit_apis = 999;
echo "Dumping APIs to $dump_file\n";
file_put_contents($dump_file, "// SCRAPED FROM: $api_index\n// BY: Capt. Micro\n// SCRIPT: End of file\n\n");
$indexexp = explode("\n", $index);
foreach ($indexexp as $key => $line) {
    if ((int)$key > $limit_apis) break;
    $lineexp = explode(":", $line);
    if ($lineexp[1] == "Index") continue;
    echo "[$key] Scraping API " . $lineexp[1] . "... ";
    $apidata = get_api($api_base . str_replace(" ", "%20", $lineexp[0]), 0);
    if ($apidata != FALSE)
        file_put_contents($dump_file,
        $apidata[0]."\n".$apidata[1]."\n\n",
        FILE_APPEND);
    echo " DONE\n";
}
file_put_conents($dump_file, "\n\n\n".file_get_conents(__FILE__), FILE_APPEND);
$namesearch = array('<TITLE>','</TITLE>');
$codesearch = array('<PRE CLASS="FnDefinition">','</PRE>');
$docssearch = array('<PRE>','</PRE>');
function get_api($url, $dbgout) {
    global $namesearch, $codesearch, $docssearch, $use_dll_import;
    //Setup page
    $file = file_get_contents($url);
    if ($file == FALSE) return FALSE;
    $page = str_replace("\r", "", $file);
    $page = str_replace("&nbsp;", "", $file);
    $page = str_replace("<H6>", "\n\n", $page);
    $page = preg_replace("/<.H6>./", "\n", $page);
    while (strpos($page, "\n\n\n") != FALSE) $page = str_replace("\n\n\n", "\n\n", $page);
    $page = strip_tags($page, '<title><pre><hr>');

    $startname = strpos($page, $namesearch[0]) + strlen($namesearch[0]);
    $endname = strpos($page, $namesearch[1], $startname);
    $name = substr($page, $startname, $endname-$startname);

    $is_struct = FALSE;
    $startcode = strpos($page, $codesearch[0]) + strlen($codesearch[0]);
    $endcode = strpos($page, $codesearch[1], $startcode);
    $code = substr($page, $startcode, $endcode-$startcode);
    if (strpos($code, "typedef") != FALSE) $is_struct = TRUE;
    if ($is_struct == FALSE) { //FUNCTION
        $code = str_replace("\n", " ", $code);
        if (!$use_dll_import) $code = str_replace("NTSYSAPI", "", $code);
    } else { //STRUCTURE / ENUM

    }
    $code = str_replace("\n\n", "\n", rtrim(ltrim($code)));
    while (strpos($code, "\n\n") != FALSE) $code = str_replace("\n\n","\n",$code);
    while (strpos($code, "  ") != FALSE) $code = str_replace("  "," ",$code);

    $startdocs = strpos($page, $docssearch[0]) + strlen($docssearch[0]);
    $enddocs = strpos($page, $docssearch[1], $startdocs);
    if ($startdocs == strlen($docssearch[0])) { //Other docs format
        $startdocs = strpos($page, '<HR WIDTH="40%">') + strlen('<HR WIDTH="40%">');
        if ($startdocs == 16) $startdocs = strpos($page, '</PRE>', $endcode) + strlen('</PRE>');
        $enddocs = strpos($page, '<HR WIDTH="40%">', $startdocs);
        if ($enddocs == FALSE) $enddocs = strpos($page, 'Documented by:', $startdocs);
    }
    $docs = array();
    if (strpos($code,"enum")==FALSE) { //NO ENUMS!
        echo "[DOCS] ";
        $predocs = rtrim(ltrim(substr($page, $startdocs, $enddocs-$startdocs)));
        $predocs = str_replace("\n\n\n\n","\n\n\n",$predocs);
        $predocs = str_replace("\n\n\n","\n\n",$predocs);
        $predocs = explode("\n\n", $predocs);
        foreach ($predocs as $key => $val) {
            if (strpos($val, "???") == FALSE) {
                $tmp = explode("\n", "$val\n");
                if (strlen($tmp[1])==0) $docs["INFO-$key"] = $tmp[0];
                else $docs[$tmp[0]] = $tmp[1];
            }
        }
    }

    $type = "FUNCTION";
    if ($is_struct) {
        $type = "STRUCT";
        if (strpos($code, "enum") != FALSE) $type = "ENUM";
    }
    echo "[$type]";
    $comments = "/"."*\n    $name ($type)\n";
    foreach ($docs as $key => $val) {
        $comments .= "    $key\n     $val\n";
    }
    $comments = rtrim($comments) . "\n*"."/";
    if ($dbgout) echo "$comments\n";

    $typedef = "";
    if ($is_struct == FALSE) { //FUNCTION
        $func = str_replace("(", ")(", $code);
        $typeexp = explode(" ", $func, 4);
        $lastkey = -666;
        foreach ($typeexp as $key => $val) {
            if ($lastkey == -666) $typeexp[$key] = "typedef " . $val;
            if (strpos($val, ")(") != FALSE) {
                $typeexp[$key] = "*_" . $val;
                $typeexp[$lastkey] = "(" . $typeexp[$lastkey];
            }
            $lastkey = $key;
        }
        $typedef = implode(" ", $typeexp);
    } else { //STRUCTURE / ENUM
        $typedef = str_replace("\n ", "\n    ", $code);
    }
    if ($dbgout) echo "$typedef\n";
    return array($comments,$typedef);
}
?>
*/