wdkundoc.h

/*
    This is the file wdkundoc.h, release 3.
    The purpose of this include file is to provide information that is
    undocumented in the Microsoft Windows Driver Kit (WDK).
    Copyright (C) 1999-2015 Bo Brantén.
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

    The GNU General Public License is also available from:
    http://www.gnu.org/copyleft/gpl.html

    Windows and Windows NT are either registered trademarks or trademarks of
    Microsoft Corporation in the United States and/or other countries.

    DISCLAIMER: I do not encourage anyone to use this include file to build
    drivers used in production. Some of the information in this file may not
    be available in other publications intended for similar use. Some of the
    information in this file may have different names than in other
    publications even though they describe the same thing.

    NOTE: This file should be used with the Microsoft Windows Driver Kit (WDK)
    while the free version of the file ntifs.h should be used with the
    Microsoft® Windows® Driver Development Kit (DDK).

    Please send comments, corrections and contributions to bosse@acc.umu.se.

    The most recent version of this file is available from:
    http://www.acc.umu.se/~bosse/wdkundoc.h

    The most recent free version of the file ntifs.h is available from:
    http://www.acc.umu.se/~bosse/ntifs.h

    Include ntddk.h or ntifs.h before this file:
    #include <ntddk.h>
    #include "wdkundoc.h"
    or
    #include <ntifs.h>
    #include "wdkundoc.h"

    Revision history:

    3. 2015-06-11
        Added:
          Externals:
            KiEnableTimerWatchdog
            KdComPortInUse
            NlsLeadByteInfo
            NlsOemLeadByteInfo
            NlsMbCodePageTag
            NlsMbOemCodePageTag
            NlsAnsiCodePage
            NlsOemCodePage
            KeDcacheFlushCount
            KeIcacheFlushCount
            CcFastReadNotPossible
            CcFastReadWait
            POGOBuffer
            psMUITest
            PsUILanguageComitted

    2. 2015-06-05
        Corrected:
          FsRtlNotifyReportChange
          HalDisplayString
          InbvDisplayString
          InbvInstallDisplayStringFilter
          InbvNotifyDisplayOwnershipLost
          InbvSetTextColor
          KeInitializeApc
          MmMapViewOfSection
          ObCreateObject
          RtlImageNtHeader
          RtlSetSaclSecurityDescriptor
          SeCreateAccessState
          ZwAccessCheckAndAuditAlarm
          ZwAdjustPrivilegesToken
          ZwConnectPort
          ZwOpenThread
          ZwResetEvent
        Added:
          Data types:
            AUX_ACCESS_DATA
            KAPC_ENVIRONMENT
            X86BIOS_REGISTERS
          Function prototypes:
            ExSystemExceptionFilter
            HalAdjustResourceList
            HalAllProcessorsStarted
            HalConvertDeviceIdtToIrql
            HalDisableInterrupt
            HalEnableInterrupt
            HalQueryMaximumProcessorCount
            HalRegisterErrataCallbacks
            KdPollBreakIn
            KeEnterKernelDebugger
            KeGetPreviousMode
            KeGetXSaveFeatureFlags
            KePollFreezeExecution
            KiCoprocessorError
            KiDispatchInterrupt
            NtThawTransactions
            PoUserShutdownInitiated
            PsEnterPriorityRegion
            PsGetCurrentProcessWin32Process
            PsGetCurrentThreadProcess
            PsGetCurrentThreadProcessId
            PsGetCurrentThreadTeb
            PsGetCurrentThreadWin32Thread
            PsLeavePriorityRegion
            TmThawTransactions
            TmInitSystemPhase2
            TmInitSystem
            x86BiosAllocateBuffer
            x86BiosCall
            x86BiosFreeBuffer
            x86BiosReadMemory
            x86BiosWriteMemory

    1. 2015-03-26
       Initial release based on the free version of the file ntifs.h.
*/

#ifndef _GNU_NTIFS_
#ifndef _GNU_WDK_UNDOC_
#define _GNU_WDK_UNDOC_

#ifdef __cplusplus
extern "C" {
#endif


// Available in Windows NT 3.5 and later versions.
typedef struct _HAL_PRIVATE_DISPATCH *PHAL_PRIVATE_DISPATCH;
extern PHAL_PRIVATE_DISPATCH HalPrivateDispatchTable;

// Available in Windows NT 3.5 and later versions.
typedef struct _LOADER_PARAMETER_BLOCK *PLOADER_PARAMETER_BLOCK;
extern PLOADER_PARAMETER_BLOCK KeLoaderBlock;

// Available in Windows NT 3.5 and later versions.
typedef struct _SERVICE_DESCRIPTOR_TABLE *PSERVICE_DESCRIPTOR_TABLE;
extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;

// Available in Windows NT 3.5 and later versions.
extern PSHORT NtBuildNumber;
extern PULONG KeI386MachineType;

// Available in Windows NT 4.0 and later versions.
extern ULONG KiBugCheckData[5];

// Available in Windows 2000 and later versions.
extern PULONG InitSafeBootMode;

// Available from Windows 2000 untill Windows Server 2003.
extern PULONG KiEnableTimerWatchdog;

// Available in Windows NT 3.5 and later versions.
//
// Set by the kernel debugger on the target system to the address of the
// serial port used to communicate with the host.
//
extern PUCHAR *KdComPortInUse;

// Available in Windows 2000 and later versions.
extern PULONG KdEnteredDebugger;

// Available in Windows NT 3.5 and later versions.
extern PUSHORT *NlsLeadByteInfo;
extern PUSHORT *NlsOemLeadByteInfo;
extern PBOOLEAN NlsMbCodePageTag;
extern PBOOLEAN NlsMbOemCodePageTag;

// Available in Windows NT 4.0 and later versions.
extern PUSHORT NlsAnsiCodePage;

// Available in Windows 2000 and later versions.
extern PUSHORT NlsOemCodePage;

// Available in Windows NT 3.5 and later versions.
extern PACL SePublicDefaultDacl;
extern PACL SeSystemDefaultDacl;

// Available from Windows NT 3.5 untill Windows XP.
extern ULONG KeDcacheFlushCount;
extern ULONG KeIcacheFlushCount;

// Available from Windows NT 4.0 untill Windows Server 2003.
extern ULONG CcFastReadNotPossible;
extern ULONG CcFastReadWait;

// The ExEventObjectType, ExSemaphoreObjectType and IoFileObjectType is
// documented in the DDK and the WDK.
//
// The CmKeyObjectType, SeTokenObjectType, PsProcessType, PsThreadType,
// TmEnlistmentObjectType, TmResourceManagerObjectType,
// TmTransactionManagerObjectType and TmTransactionObjectType
// is documented in the WDK.
//
// Available in Windows NT 3.5 and later versions.
extern POBJECT_TYPE *IoAdapterObjectType;
extern POBJECT_TYPE *IoDeviceObjectType;
extern POBJECT_TYPE *IoDriverObjectType;
extern POBJECT_TYPE *MmSectionObjectType;
// Available in Windows NT 4.0 and later versions.
extern POBJECT_TYPE *ExDesktopObjectType;
extern POBJECT_TYPE *ExWindowStationObjectType;
extern POBJECT_TYPE *IoDeviceHandlerObjectType;
// Available in Windows 2000 and later versions.
extern POBJECT_TYPE *LpcPortObjectType;
extern POBJECT_TYPE *PsJobType;

// Available in Windows NT 4.0 and later versions.
extern PULONG IoDeviceHandlerObjectSize;

// Available in Windows Vista and later versions.
extern PVOID POGOBuffer;
extern PVOID psMUITest;
extern PVOID PsUILanguageComitted;

#define FILE_ACTION_ADDED                   0x00000001
#define FILE_ACTION_REMOVED                 0x00000002
#define FILE_ACTION_MODIFIED                0x00000003
#define FILE_ACTION_RENAMED_OLD_NAME        0x00000004
#define FILE_ACTION_RENAMED_NEW_NAME        0x00000005
#define FILE_ACTION_ADDED_STREAM            0x00000006
#define FILE_ACTION_REMOVED_STREAM          0x00000007
#define FILE_ACTION_MODIFIED_STREAM         0x00000008
#define FILE_ACTION_REMOVED_BY_DELETE       0x00000009
#define FILE_ACTION_ID_NOT_TUNNELLED        0x0000000A
#define FILE_ACTION_TUNNELLED_ID_COLLISION  0x0000000B

#define FILE_EA_TYPE_BINARY             0xfffe
#define FILE_EA_TYPE_ASCII              0xfffd
#define FILE_EA_TYPE_BITMAP             0xfffb
#define FILE_EA_TYPE_METAFILE           0xfffa
#define FILE_EA_TYPE_ICON               0xfff9
#define FILE_EA_TYPE_EA                 0xffee
#define FILE_EA_TYPE_MVMT               0xffdf
#define FILE_EA_TYPE_MVST               0xffde
#define FILE_EA_TYPE_ASN1               0xffdd
#define FILE_EA_TYPE_FAMILY_IDS         0xff01

#define FILE_NEED_EA                    0x00000080

#define FILE_NOTIFY_CHANGE_FILE_NAME    0x00000001
#define FILE_NOTIFY_CHANGE_DIR_NAME     0x00000002
#define FILE_NOTIFY_CHANGE_NAME         0x00000003
#define FILE_NOTIFY_CHANGE_ATTRIBUTES   0x00000004
#define FILE_NOTIFY_CHANGE_SIZE         0x00000008
#define FILE_NOTIFY_CHANGE_LAST_WRITE   0x00000010
#define FILE_NOTIFY_CHANGE_LAST_ACCESS  0x00000020
#define FILE_NOTIFY_CHANGE_CREATION     0x00000040
#define FILE_NOTIFY_CHANGE_EA           0x00000080
#define FILE_NOTIFY_CHANGE_SECURITY     0x00000100
#define FILE_NOTIFY_CHANGE_STREAM_NAME  0x00000200
#define FILE_NOTIFY_CHANGE_STREAM_SIZE  0x00000400
#define FILE_NOTIFY_CHANGE_STREAM_WRITE 0x00000800
#define FILE_NOTIFY_VALID_MASK          0x00000fff

#define FILE_OPLOCK_BROKEN_TO_LEVEL_2   0x00000007
#define FILE_OPLOCK_BROKEN_TO_NONE      0x00000008

#define FILE_OPBATCH_BREAK_UNDERWAY     0x00000009

#define FILE_CASE_SENSITIVE_SEARCH      0x00000001
#define FILE_CASE_PRESERVED_NAMES       0x00000002
#define FILE_UNICODE_ON_DISK            0x00000004
#define FILE_PERSISTENT_ACLS            0x00000008
#define FILE_FILE_COMPRESSION           0x00000010
#define FILE_VOLUME_QUOTAS              0x00000020
#define FILE_SUPPORTS_SPARSE_FILES      0x00000040
#define FILE_SUPPORTS_REPARSE_POINTS    0x00000080
#define FILE_SUPPORTS_REMOTE_STORAGE    0x00000100
#define FS_LFN_APIS                     0x00004000
#define FILE_VOLUME_IS_COMPRESSED       0x00008000
#define FILE_SUPPORTS_OBJECT_IDS        0x00010000
#define FILE_SUPPORTS_ENCRYPTION        0x00020000
#define FILE_NAMED_STREAMS              0x00040000
#define FILE_READ_ONLY_VOLUME           0x00080000

#define FILE_PIPE_BYTE_STREAM_TYPE      0x00000000
#define FILE_PIPE_MESSAGE_TYPE          0x00000001

#define FILE_PIPE_BYTE_STREAM_MODE      0x00000000
#define FILE_PIPE_MESSAGE_MODE          0x00000001

#define FILE_PIPE_QUEUE_OPERATION       0x00000000
#define FILE_PIPE_COMPLETE_OPERATION    0x00000001

#define FILE_PIPE_INBOUND               0x00000000
#define FILE_PIPE_OUTBOUND              0x00000001
#define FILE_PIPE_FULL_DUPLEX           0x00000002

#define FILE_PIPE_DISCONNECTED_STATE    0x00000001
#define FILE_PIPE_LISTENING_STATE       0x00000002
#define FILE_PIPE_CONNECTED_STATE       0x00000003
#define FILE_PIPE_CLOSING_STATE         0x00000004

#define FILE_PIPE_CLIENT_END            0x00000000
#define FILE_PIPE_SERVER_END            0x00000001

#define FILE_PIPE_READ_DATA             0x00000000
#define FILE_PIPE_WRITE_SPACE           0x00000001

#define FILE_STORAGE_TYPE_SPECIFIED             0x00000041  // FILE_DIRECTORY_FILE | FILE_NON_DIRECTORY_FILE
#define FILE_STORAGE_TYPE_DEFAULT               (StorageTypeDefault << FILE_STORAGE_TYPE_SHIFT)
#define FILE_STORAGE_TYPE_DIRECTORY             (StorageTypeDirectory << FILE_STORAGE_TYPE_SHIFT)
#define FILE_STORAGE_TYPE_FILE                  (StorageTypeFile << FILE_STORAGE_TYPE_SHIFT)
#define FILE_STORAGE_TYPE_DOCFILE               (StorageTypeDocfile << FILE_STORAGE_TYPE_SHIFT)
#define FILE_STORAGE_TYPE_JUNCTION_POINT        (StorageTypeJunctionPoint << FILE_STORAGE_TYPE_SHIFT)
#define FILE_STORAGE_TYPE_CATALOG               (StorageTypeCatalog << FILE_STORAGE_TYPE_SHIFT)
#define FILE_STORAGE_TYPE_STRUCTURED_STORAGE    (StorageTypeStructuredStorage << FILE_STORAGE_TYPE_SHIFT)
#define FILE_STORAGE_TYPE_EMBEDDING             (StorageTypeEmbedding << FILE_STORAGE_TYPE_SHIFT)
#define FILE_STORAGE_TYPE_STREAM                (StorageTypeStream << FILE_STORAGE_TYPE_SHIFT)
#define FILE_MINIMUM_STORAGE_TYPE               FILE_STORAGE_TYPE_DEFAULT
#define FILE_MAXIMUM_STORAGE_TYPE               FILE_STORAGE_TYPE_STREAM
#define FILE_STORAGE_TYPE_MASK                  0x000f0000
#define FILE_STORAGE_TYPE_SHIFT                 16

#define FILE_VC_QUOTA_NONE              0x00000000
#define FILE_VC_QUOTA_TRACK             0x00000001
#define FILE_VC_QUOTA_ENFORCE           0x00000002
#define FILE_VC_QUOTA_MASK              0x00000003

#define FILE_VC_QUOTAS_LOG_VIOLATIONS   0x00000004
#define FILE_VC_CONTENT_INDEX_DISABLED  0x00000008

#define FILE_VC_LOG_QUOTA_THRESHOLD     0x00000010
#define FILE_VC_LOG_QUOTA_LIMIT         0x00000020
#define FILE_VC_LOG_VOLUME_THRESHOLD    0x00000040
#define FILE_VC_LOG_VOLUME_LIMIT        0x00000080

#define FILE_VC_QUOTAS_INCOMPLETE       0x00000100
#define FILE_VC_QUOTAS_REBUILDING       0x00000200

#define FILE_VC_VALID_MASK              0x000003ff

#define FSRTL_FCB_HEADER_V0             (0x00)
#define FSRTL_FCB_HEADER_V1             (0x01)

#define FSRTL_FLAG_FILE_MODIFIED        (0x01)
#define FSRTL_FLAG_FILE_LENGTH_CHANGED  (0x02)
#define FSRTL_FLAG_LIMIT_MODIFIED_PAGES (0x04)
#define FSRTL_FLAG_ACQUIRE_MAIN_RSRC_EX (0x08)
#define FSRTL_FLAG_ACQUIRE_MAIN_RSRC_SH (0x10)
#define FSRTL_FLAG_USER_MAPPED_FILE     (0x20)
#define FSRTL_FLAG_ADVANCED_HEADER      (0x40)
#define FSRTL_FLAG_EOF_ADVANCE_ACTIVE   (0x80)

#define FSRTL_FLAG2_DO_MODIFIED_WRITE           (0x01)
#define FSRTL_FLAG2_SUPPORTS_FILTER_CONTEXTS    (0x02)
#define FSRTL_FLAG2_PURGE_WHEN_MAPPED           (0x04)
#define FSRTL_FLAG2_IS_PAGING_FILE              (0x08)

#define FSRTL_VOLUME_DISMOUNT           1
#define FSRTL_VOLUME_DISMOUNT_FAILED    2
#define FSRTL_VOLUME_LOCK               3
#define FSRTL_VOLUME_LOCK_FAILED        4
#define FSRTL_VOLUME_UNLOCK             5
#define FSRTL_VOLUME_MOUNT              6

#define FSRTL_WILD_CHARACTER            0x08

#ifdef _X86_
#define HARDWARE_PTE    HARDWARE_PTE_X86
#define PHARDWARE_PTE   PHARDWARE_PTE_X86
#else

#define HARDWARE_PTE    ULONG
#define PHARDWARE_PTE   PULONG
#endif


#define IO_CHECK_CREATE_PARAMETERS      0x0200
#define IO_ATTACH_DEVICE                0x0400

#define IO_ATTACH_DEVICE_API            0x80000000

#define IO_COMPLETION_QUERY_STATE       0x0001
#define IO_COMPLETION_MODIFY_STATE      0x0002
#define IO_COMPLETION_ALL_ACCESS        (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3)

#define IO_FILE_OBJECT_NON_PAGED_POOL_CHARGE    64
#define IO_FILE_OBJECT_PAGED_POOL_CHARGE        1024

#define IO_REPARSE_TAG_RESERVED_ZERO    (0)
#define IO_REPARSE_TAG_RESERVED_ONE     (1)

#define IO_TYPE_APC                     18
#define IO_TYPE_DPC                     19
#define IO_TYPE_DEVICE_QUEUE            20
#define IO_TYPE_EVENT_PAIR              21
#define IO_TYPE_INTERRUPT               22
#define IO_TYPE_PROFILE                 23

#define IRP_BEING_VERIFIED              0x10

#define MAILSLOT_CLASS_FIRSTCLASS       1
#define MAILSLOT_CLASS_SECONDCLASS      2

#define MAILSLOT_SIZE_AUTO              0

#define MAP_PROCESS                     1L
#define MAP_SYSTEM                      2L

#define MEM_DOS_LIM                     0x40000000
#define MEM_IMAGE                       SEC_IMAGE

#define OB_FLAG_CREATE_INFO     0x01 /* Object header has OBJECT_CREATE_INFO */
#define OB_FLAG_KERNEL_MODE     0x02 /* Created by kernel */
#define OB_FLAG_CREATOR_INFO    0x04 /* Object header has OBJECT_CREATOR_INFO */
#define OB_FLAG_EXCLUSIVE       0x08 /* OBJ_EXCLUSIVE */
#define OB_FLAG_PERMAMENT       0x10 /* OBJ_PERMAMENT */
#define OB_FLAG_SECURITY        0x20 /* Object header has SecurityDescriptor != NULL */
#define OB_FLAG_SINGLE_PROCESS  0x40 /* absent HandleDBList */

#define OB_SECURITY_CHARGE      0x00000800

#define OB_TYPE_TYPE                    1
#define OB_TYPE_DIRECTORY               2
#define OB_TYPE_SYMBOLIC_LINK           3
#define OB_TYPE_TOKEN                   4
#define OB_TYPE_PROCESS                 5
#define OB_TYPE_THREAD                  6
#define OB_TYPE_EVENT                   7
#define OB_TYPE_EVENT_PAIR              8
#define OB_TYPE_MUTANT                  9
#define OB_TYPE_SEMAPHORE               10
#define OB_TYPE_TIMER                   11
#define OB_TYPE_PROFILE                 12
#define OB_TYPE_WINDOW_STATION          13
#define OB_TYPE_DESKTOP                 14
#define OB_TYPE_SECTION                 15
#define OB_TYPE_KEY                     16
#define OB_TYPE_PORT                    17
#define OB_TYPE_ADAPTER                 18
#define OB_TYPE_CONTROLLER              19
#define OB_TYPE_DEVICE                  20
#define OB_TYPE_DRIVER                  21
#define OB_TYPE_IO_COMPLETION           22
#define OB_TYPE_FILE                    23

#define PIN_WAIT                        (1)
#define PIN_EXCLUSIVE                   (2)
#define PIN_NO_READ                     (4)
#define PIN_IF_BCB                      (8)

#define MAP_WAIT                        (1)
#define MAP_NO_READ                     (16)

#define PORT_CONNECT                    0x0001
#define PORT_ALL_ACCESS                 (STANDARD_RIGHTS_ALL |\
                                         PORT_CONNECT)

#define SEC_BASED                       0x00200000
#define SEC_NO_CHANGE                   0x00400000
#define SEC_FILE                        0x00800000
#define SEC_IMAGE                       0x01000000
#define SEC_NOCACHE                     0x10000000

#define SECURITY_WORLD_SID_AUTHORITY    {0,0,0,0,0,1}
#define SECURITY_WORLD_RID              (0x00000000L)

#define THREAD_STATE_INITIALIZED        0
#define THREAD_STATE_READY              1
#define THREAD_STATE_RUNNING            2
#define THREAD_STATE_STANDBY            3
#define THREAD_STATE_TERMINATED         4
#define THREAD_STATE_WAIT               5
#define THREAD_STATE_TRANSITION         6
#define THREAD_STATE_UNKNOWN            7

#define TOKEN_ASSIGN_PRIMARY            (0x0001)
#define TOKEN_DUPLICATE                 (0x0002)
#define TOKEN_IMPERSONATE               (0x0004)
#define TOKEN_QUERY                     (0x0008)
#define TOKEN_QUERY_SOURCE              (0x0010)
#define TOKEN_ADJUST_PRIVILEGES         (0x0020)
#define TOKEN_ADJUST_GROUPS             (0x0040)
#define TOKEN_ADJUST_DEFAULT            (0x0080)

#define TOKEN_READ       (STANDARD_RIGHTS_READ     |\
                          TOKEN_QUERY)

#define TOKEN_WRITE      (STANDARD_RIGHTS_WRITE    |\
                          TOKEN_ADJUST_PRIVILEGES  |\
                          TOKEN_ADJUST_GROUPS      |\
                          TOKEN_ADJUST_DEFAULT)

#define TOKEN_EXECUTE    (STANDARD_RIGHTS_EXECUTE)

#define TOKEN_SOURCE_LENGTH 8

#define TOKEN_HAS_ADMIN_GROUP           0x08

#define FSCTL_NETWORK_SET_CONFIGURATION_INFO    CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 102, METHOD_IN_DIRECT, FILE_ANY_ACCESS)
#define FSCTL_NETWORK_GET_CONFIGURATION_INFO    CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 103, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
#define FSCTL_NETWORK_GET_CONNECTION_INFO       CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 104, METHOD_NEITHER, FILE_ANY_ACCESS)
#define FSCTL_NETWORK_ENUMERATE_CONNECTIONS     CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 105, METHOD_NEITHER, FILE_ANY_ACCESS)
#define FSCTL_NETWORK_DELETE_CONNECTION         CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 107, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_NETWORK_GET_STATISTICS            CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 116, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_NETWORK_SET_DOMAIN_NAME           CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 120, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define FSCTL_NETWORK_REMOTE_BOOT_INIT_SCRT     CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 250, METHOD_BUFFERED, FILE_ANY_ACCESS)

typedef PVOID PEJOB;
typedef PVOID PNOTIFY_SYNC;
typedef PVOID OPLOCK, *POPLOCK;
typedef PVOID PWOW64_PROCESS;

typedef ULONG LBN;
typedef LBN *PLBN;

typedef ULONG VBN;
typedef VBN *PVBN;

typedef struct _CACHE_MANAGER_CALLBACKS         *PCACHE_MANAGER_CALLBACKS;
typedef struct _CACHE_UNINITIALIZE_EVENT        *PCACHE_UNINITIALIZE_EVENT;
typedef struct _EPROCESS_QUOTA_BLOCK            *PEPROCESS_QUOTA_BLOCK;
typedef struct _FILE_GET_QUOTA_INFORMATION      *PFILE_GET_QUOTA_INFORMATION;
typedef struct _HANDLE_TABLE                    *PHANDLE_TABLE;
typedef struct _IMAGE_NT_HEADERS                *PIMAGE_NT_HEADERS;
typedef struct _KEVENT_PAIR                     *PKEVENT_PAIR;
typedef struct _KPROCESS                        *PKPROCESS;
typedef struct _KQUEUE                          *PKQUEUE;
typedef struct _KTRAP_FRAME                     *PKTRAP_FRAME;
typedef struct _LPC_MESSAGE                     *PLPC_MESSAGE;
typedef struct _MAILSLOT_CREATE_PARAMETERS      *PMAILSLOT_CREATE_PARAMETERS;
typedef struct _MMWSL                           *PMMWSL;
typedef struct _NAMED_PIPE_CREATE_PARAMETERS    *PNAMED_PIPE_CREATE_PARAMETERS;
typedef struct _OBJECT_DIRECTORY                *POBJECT_DIRECTORY;
typedef struct _PAGEFAULT_HISTORY               *PPAGEFAULT_HISTORY;
typedef struct _PEB                             *PPEB;
typedef struct _PS_IMPERSONATION_INFORMATION    *PPS_IMPERSONATION_INFORMATION;
typedef struct _SECTION_OBJECT                  *PSECTION_OBJECT;
typedef struct _SERVICE_DESCRIPTOR_TABLE        *PSERVICE_DESCRIPTOR_TABLE;
typedef struct _SHARED_CACHE_MAP                *PSHARED_CACHE_MAP;
typedef struct _SID_AND_ATTRIBUTES              *PSID_AND_ATTRIBUTES;
typedef struct _TERMINATION_PORT                *PTERMINATION_PORT;
typedef struct _TOKEN_PRIVILEGES                *PTOKEN_PRIVILEGES;
typedef struct _VACB                            *PVACB;
typedef struct _VAD_HEADER                      *PVAD_HEADER;

#if (NTDDI_VERSION < NTDDI_WIN2K)
typedef ULONG SIZE_T, *PSIZE_T;
#endif // (NTDDI_VERSION < NTDDI_WIN2K)

typedef enum _FILE_STORAGE_TYPE {
    StorageTypeDefault = 1,
    StorageTypeDirectory,
    StorageTypeFile,
    StorageTypeJunctionPoint,
    StorageTypeCatalog,
    StorageTypeStructuredStorage,
    StorageTypeEmbedding,
    StorageTypeStream
} FILE_STORAGE_TYPE;

typedef enum _IO_COMPLETION_INFORMATION_CLASS {
    IoCompletionBasicInformation
} IO_COMPLETION_INFORMATION_CLASS;

typedef enum _KAPC_ENVIRONMENT {
    OriginalApcEnvironment,
    AttachedApcEnvironment,
    CurrentApcEnvironment
} KAPC_ENVIRONMENT;

typedef enum _LPC_TYPE {
    LPC_NEW_MESSAGE,
    LPC_REQUEST,
    LPC_REPLY,
    LPC_DATAGRAM,
    LPC_LOST_REPLY,
    LPC_PORT_CLOSED,
    LPC_CLIENT_DIED,
    LPC_EXCEPTION,
    LPC_DEBUG_EVENT,
    LPC_ERROR_EVENT,
    LPC_CONNECTION_REQUEST
} LPC_TYPE;

typedef enum _OBJECT_INFO_CLASS {
    ObjectBasicInfo,
    ObjectNameInfo,
    ObjectTypeInfo,
    ObjectAllTypesInfo,
    ObjectProtectionInfo
} OBJECT_INFO_CLASS;

typedef enum _PORT_INFORMATION_CLASS {
    PortNoInformation
} PORT_INFORMATION_CLASS;

typedef enum _SECTION_INFORMATION_CLASS {
    SectionBasicInformation,
    SectionImageInformation
} SECTION_INFORMATION_CLASS;

typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation,
    SystemProcessorInformation,
    SystemPerformanceInformation,
    SystemTimeOfDayInformation,
    SystemNotImplemented1,
    SystemProcessesAndThreadsInformation,
    SystemCallCounts,
    SystemConfigurationInformation,
    SystemProcessorTimes,
    SystemGlobalFlag,
    SystemNotImplemented2,
    SystemModuleInformation,
    SystemLockInformation,
    SystemNotImplemented3,
    SystemNotImplemented4,
    SystemNotImplemented5,
    SystemHandleInformation,
    SystemObjectInformation,
    SystemPagefileInformation,
    SystemInstructionEmulationCounts,
    SystemInvalidInfoClass1,
    SystemCacheInformation,
    SystemPoolTagInformation,
    SystemProcessorStatistics,
    SystemDpcInformation,
    SystemNotImplemented6,
    SystemLoadImage,
    SystemUnloadImage,
    SystemTimeAdjustment,
    SystemNotImplemented7,
    SystemNotImplemented8,
    SystemNotImplemented9,
    SystemCrashDumpInformation,
    SystemExceptionInformation,
    SystemCrashDumpStateInformation,
    SystemKernelDebuggerInformation,
    SystemContextSwitchInformation,
    SystemRegistryQuotaInformation,
    SystemLoadAndCallImage,
    SystemPrioritySeparation,
    SystemNotImplemented10,
    SystemNotImplemented11,
    SystemInvalidInfoClass2,
    SystemInvalidInfoClass3,
    SystemTimeZoneInformation,
    SystemLookasideInformation,
    SystemSetTimeSlipEvent,
    SystemCreateSession,
    SystemDeleteSession,
    SystemInvalidInfoClass4,
    SystemRangeStartInformation,
    SystemVerifierInformation,
    SystemAddVerifier,
    SystemSessionProcessesInformation
} SYSTEM_INFORMATION_CLASS;

typedef enum _THREAD_STATE {
    StateInitialized,
    StateReady,
    StateRunning,
    StateStandby,
    StateTerminated,
    StateWait,
    StateTransition,
    StateUnknown
} THREAD_STATE;

#ifndef _NTIFS_

typedef enum _TOKEN_TYPE {
    TokenPrimary = 1,
    TokenImpersonation
} TOKEN_TYPE;

#endif // _NTIFS_

typedef struct _AUX_ACCESS_DATA {
    PPRIVILEGE_SET  PrivilegesUsed;
    GENERIC_MAPPING GenericMapping;
    ACCESS_MASK     AccessesToAudit;
} AUX_ACCESS_DATA, *PAUX_ACCESS_DATA;

typedef struct _HARDWARE_PTE_X86 {
    ULONG Valid             : 1;
    ULONG Write             : 1;
    ULONG Owner             : 1;
    ULONG WriteThrough      : 1;
    ULONG CacheDisable      : 1;
    ULONG Accessed          : 1;
    ULONG Dirty             : 1;
    ULONG LargePage         : 1;
    ULONG Global            : 1;
    ULONG CopyOnWrite       : 1;
    ULONG Prototype         : 1;
    ULONG reserved          : 1;
    ULONG PageFrameNumber   : 20;
} HARDWARE_PTE_X86, *PHARDWARE_PTE_X86;

#ifndef _NTIFS_

typedef struct _KAPC_STATE {
    LIST_ENTRY  ApcListHead[2];
    PKPROCESS   Process;
    BOOLEAN     KernelApcInProgress;
    BOOLEAN     KernelApcPending;
    BOOLEAN     UserApcPending;
} KAPC_STATE, *PKAPC_STATE;

#endif // _NTIFS_

typedef struct _KGDTENTRY {
    USHORT LimitLow;
    USHORT BaseLow;
    union {
        struct {
            UCHAR BaseMid;
            UCHAR Flags1;
            UCHAR Flags2;
            UCHAR BaseHi;
        } Bytes;
        struct {
            ULONG BaseMid       : 8;
            ULONG Type          : 5;
            ULONG Dpl           : 2;
            ULONG Pres          : 1;
            ULONG LimitHi       : 4;
            ULONG Sys           : 1;
            ULONG Reserved_0    : 1;
            ULONG Default_Big   : 1;
            ULONG Granularity   : 1;
            ULONG BaseHi        : 8;
        } Bits;
    } HighWord;
} KGDTENTRY, *PKGDTENTRY;

typedef struct _KIDTENTRY {
    USHORT Offset;
    USHORT Selector;
    USHORT Access;
    USHORT ExtendedOffset;
} KIDTENTRY, *PKIDTENTRY;

#if (NTDDI_VERSION >= NTDDI_WINXP)

typedef struct _KPROCESS {
    DISPATCHER_HEADER   Header;
    LIST_ENTRY          ProfileListHead;
    ULONG               DirectoryTableBase[2];
    KGDTENTRY           LdtDescriptor;
    KIDTENTRY           Int21Descriptor;
    USHORT              IopmOffset;
    UCHAR               Iopl;
    UCHAR               Unused;
    ULONG               ActiveProcessors;
    ULONG               KernelTime;
    ULONG               UserTime;
    LIST_ENTRY          ReadyListHead;  
    SINGLE_LIST_ENTRY   SwapListEntry;
    PVOID               VdmTrapcHandler;
    LIST_ENTRY          ThreadListHead;
    KSPIN_LOCK          ProcessLock;
    KAFFINITY           Affinity;
    USHORT              StackCount;
    CHAR                BasePriority;
    CHAR                ThreadQuantum;
    BOOLEAN             AutoAlignment;
    UCHAR               State;
    UCHAR               ThreadSeed;
    BOOLEAN             DisableBoost;
    UCHAR               PowerState;
    BOOLEAN             DisableQuantum;
    UCHAR               IdealNode;
    UCHAR               Spare;
} KPROCESS, *PKPROCESS;

#else


typedef struct _KPROCESS {
    DISPATCHER_HEADER   Header;
    LIST_ENTRY          ProfileListHead;
    ULONG               DirectoryTableBase[2];
    KGDTENTRY           LdtDescriptor;
    KIDTENTRY           Int21Descriptor;
    USHORT              IopmOffset;
    UCHAR               Iopl;
    UCHAR               VdmFlag;
    ULONG               ActiveProcessors;
    ULONG               KernelTime;
    ULONG               UserTime;
    LIST_ENTRY          ReadyListHead;  
    SINGLE_LIST_ENTRY   SwapListEntry;
    PVOID               Reserved1;
    LIST_ENTRY          ThreadListHead;
    KSPIN_LOCK          ProcessLock;
    KAFFINITY           Affinity;
    USHORT              StackCount;
    UCHAR               BasePriority;
    UCHAR               ThreadQuantum;
    BOOLEAN             AutoAlignment;
    UCHAR               State;
    UCHAR               ThreadSeed;
    BOOLEAN             DisableBoost;
#if (NTDDI_VERSION >= NTDDI_WIN2K)
    UCHAR               PowerState;
    BOOLEAN             DisableQuantum;
    UCHAR               IdealNode;
    UCHAR               Spare;
#endif // (NTDDI_VERSION >= NTDDI_WIN2K)
} KPROCESS, *PKPROCESS;

#endif


#if (NTDDI_VERSION >= NTDDI_WS03)

typedef struct _KTHREAD {
    DISPATCHER_HEADER           Header;
    LIST_ENTRY                  MutantListHead; // 0x10
    PVOID                       InitialStack; // 0x18
    PVOID                       StackLimit; // 0x1c
    PVOID                       KernelStack; // 0x20
    ULONG                       ThreadLock; // 0x24
    ULONG                       ContextSwitches; // 0x28
    UCHAR                       State; // 0x2c
    UCHAR                       NpxState; // 0x2d
    UCHAR                       WaitIrql; // 0x2e
    CHAR                        WaitMode; // 0x2f
    struct _TEB                 *Teb; // 0x30
    KAPC_STATE                  ApcState; // 0x34
    KSPIN_LOCK                  ApcQueueLock; // 0x4c
    NTSTATUS                    WaitStatus; // 0x50
    PKWAIT_BLOCK                WaitBlockList; // 0x54
    BOOLEAN                     Alertable; // 0x58
    UCHAR                       WaitNext; // 0x59
    UCHAR                       WaitReason; // 0x5a
    CHAR                        Priority; // 0x5b
    BOOLEAN                     EnableStackSwap; // 0x5c
    BOOLEAN                     SwapBusy; // 0x5d
    UCHAR                       Alerted[2]; // 0x5e
    union {
        LIST_ENTRY              WaitListEntry; // 0x60
        SINGLE_LIST_ENTRY       SwapListEntry; // 0x60
    };
    PKQUEUE                     Queue; // 0x68
    ULONG                       WaitTime; // 0x6c
    union {
        struct {
            USHORT              KernelApcDisable; // 0x70
            USHORT              SpecialApcDisable; // 0x72
        };
        USHORT                  CombinedApcDisable; // 0x70
    };
    KTIMER                      Timer; // 0x78
    KWAIT_BLOCK                 WaitBlock[4]; // 0xa0
    LIST_ENTRY                  QueueListEntry; // 0x100
    UCHAR                       ApcStateIndex; // 0x108
    BOOLEAN                     ApcQueueable; // 0x109
    BOOLEAN                     Preempted; // 0x10a
    BOOLEAN                     ProcessReadyQueue; // 0x10b
    BOOLEAN                     KernelStackResident; // 0x10c
    CHAR                        Saturation; // 0x10d
    UCHAR                       IdealProcessor; // 0x10e
    UCHAR                       NextProcessor; // 0x10f
    CHAR                        BasePriority; // 0x110
    UCHAR                       Spare4; // 0x111
    CHAR                        PriorityDecrement; // 0x112
    CHAR                        Quantum; // 0x113
    BOOLEAN                     SystemAffinityActive; // 0x114
    CHAR                        PreviousMode; // 0x115
    UCHAR                       ResourceIndex; // 0x116
    BOOLEAN                     DisableBoost; // 0x117
    ULONG                       UserAffinity; // 0x118
    PKPROCESS                   Process; // 0x11c
    ULONG                       Affinity; // 0x120
    PSERVICE_DESCRIPTOR_TABLE   ServiceTable; // 0x124
    PKAPC_STATE                 ApcStatePointer[2]; // 0x128
    KAPC_STATE                  SavedApcState; // 0x130
    PVOID                       CallbackStack; // 0x148
    PVOID                       Win32Thread; // 0x14c
    PKTRAP_FRAME                TrapFrame; // 0x150
    ULONG                       KernelTime; // 0x154
    ULONG                       UserTime; // 0x158
    PVOID                       StackBase; // 0x15c
    KAPC                        SuspendApc; // 0x160
    KSEMAPHORE                  SuspendSemaphore; // 0x190
    PVOID                       TlsArray; // 0x1a4
    PVOID                       LegoData; // 0x1a8
    LIST_ENTRY                  ThreadListEntry; // 0x1ac
    BOOLEAN                     LargeStack; // 0x1b4
    UCHAR                       PowerState; // 0x1b5
    UCHAR                       NpxIrql; // 0x1b6
    UCHAR                       Spare5; // 0x1b7
    BOOLEAN                     AutoAlignment; // 0x1b8
    UCHAR                       Iopl; // 0x1b9
    CHAR                        FreezeCount; // 0x1ba
    CHAR                        SuspendCount; // 0x1bb
    UCHAR                       Spare0[1]; // 0x1bc
    UCHAR                       UserIdealProcessor; // 0x1bd
    UCHAR                       DeferredProcessor; // 0x1be
    UCHAR                       AdjustReason; // 0x1bf
    CHAR                        AdjustIncrement; // 0x1c0
    UCHAR                       Spare2[3]; // 0x1c1
} KTHREAD, *PKTHREAD;

#elif (NTDDI_VERSION >= NTDDI_WINXP)

typedef struct _KTHREAD {
    DISPATCHER_HEADER           Header;
    LIST_ENTRY                  MutantListHead;
    PVOID                       InitialStack;
    PVOID                       StackLimit;
    struct _TEB                 *Teb;
    PVOID                       TlsArray;
    PVOID                       KernelStack;
    BOOLEAN                     DebugActive;
    UCHAR                       State;
    UCHAR                       Alerted[2];
    UCHAR                       Iopl;
    UCHAR                       NpxState;
    CHAR                        Saturation;
    CHAR                        Priority;
    KAPC_STATE                  ApcState;
    ULONG                       ContextSwitches;
    UCHAR                       IdleSwapBlock;
    UCHAR                       Spare0[3];
    NTSTATUS                    WaitStatus;
    UCHAR                       WaitIrql;
    CHAR                        WaitMode;
    UCHAR                       WaitNext;
    UCHAR                       WaitReason;
    PKWAIT_BLOCK                WaitBlockList;
    union {
        LIST_ENTRY              WaitListEntry;
        SINGLE_LIST_ENTRY       SwapListEntry;
    };
    ULONG                       WaitTime;
    CHAR                        BasePriority;
    UCHAR                       DecrementCount;
    CHAR                        PriorityDecrement;
    CHAR                        Quantum;
    KWAIT_BLOCK                 WaitBlock[4];
    PVOID                       LegoData;
    ULONG                       KernelApcDisable;
    ULONG                       UserAffinity;
    BOOLEAN                     SystemAffinityActive;
    UCHAR                       PowerState;
    UCHAR                       NpxIrql;
    UCHAR                       InitialNode;
    PSERVICE_DESCRIPTOR_TABLE   ServiceTable;
    PKQUEUE                     Queue;
    KSPIN_LOCK                  ApcQueueLock;
    KTIMER                      Timer;
    LIST_ENTRY                  QueueListEntry;
    ULONG                       SoftAffinity;
    ULONG                       Affinity;
    BOOLEAN                     Preempted;
    BOOLEAN                     ProcessReadyQueue;
    BOOLEAN                     KernelStackResident;
    UCHAR                       NextProcessor;
    PVOID                       CallbackStack;
    PVOID                       Win32Thread;
    PKTRAP_FRAME                TrapFrame;
    PKAPC_STATE                 ApcStatePointer[2];
    CHAR                        PreviousMode;
    BOOLEAN                     EnableStackSwap;
    BOOLEAN                     LargeStack;
    UCHAR                       ResourceIndex;
    ULONG                       KernelTime;
    ULONG                       UserTime;
    KAPC_STATE                  SavedApcState;
    BOOLEAN                     Alertable;
    UCHAR                       ApcStateIndex;
    BOOLEAN                     ApcQueueable;
    BOOLEAN                     AutoAlignment;
    PVOID                       StackBase;
    KAPC                        SuspendApc;
    KSEMAPHORE                  SuspendSemaphore;
    LIST_ENTRY                  ThreadListEntry;
    CHAR                        FreezeCount;
    CHAR                        SuspendCount;
    UCHAR                       IdealProcessor;
    BOOLEAN                     DisableBoost;
} KTHREAD, *PKTHREAD;

#else


typedef struct _KTHREAD {
    DISPATCHER_HEADER           Header;
    LIST_ENTRY                  MutantListHead;
    PVOID                       InitialStack;
    PVOID                       StackLimit;
    struct _TEB                 *Teb;
    PVOID                       TlsArray;
    PVOID                       KernelStack;
    BOOLEAN                     DebugActive;
    UCHAR                       State;
    USHORT                      Alerted;
    UCHAR                       Iopl;
    UCHAR                       NpxState;
    UCHAR                       Saturation;
    UCHAR                       Priority;
    KAPC_STATE                  ApcState;
    ULONG                       ContextSwitches;
    NTSTATUS                    WaitStatus;
    UCHAR                       WaitIrql;
    UCHAR                       WaitMode;
    UCHAR                       WaitNext;
    UCHAR                       WaitReason;
    PKWAIT_BLOCK                WaitBlockList;
    LIST_ENTRY                  WaitListEntry;
    ULONG                       WaitTime;
    UCHAR                       BasePriority;
    UCHAR                       DecrementCount;
    UCHAR                       PriorityDecrement;
    UCHAR                       Quantum;
    KWAIT_BLOCK                 WaitBlock[4];
    ULONG                       LegoData;
    ULONG                       KernelApcDisable;
    ULONG                       UserAffinity;
    BOOLEAN                     SystemAffinityActive;
#if (NTDDI_VERSION >= NTDDI_WIN2K)
    UCHAR                       PowerState;
    UCHAR                       NpxIrql;
    UCHAR                       Pad[1];
#else // (NTDDI_VERSION < NTDDI_WIN2K)
    UCHAR                       Pad[3];
#endif // (NTDDI_VERSION < NTDDI_WIN2K)
    PSERVICE_DESCRIPTOR_TABLE   ServiceDescriptorTable;
    PKQUEUE                     Queue;
    KSPIN_LOCK                  ApcQueueLock;
    KTIMER                      Timer;
    LIST_ENTRY                  QueueListEntry;
    ULONG                       Affinity;
    BOOLEAN                     Preempted;
    BOOLEAN                     ProcessReadyQueue;
    BOOLEAN                     KernelStackResident;
    UCHAR                       NextProcessor;
    PVOID                       CallbackStack;
    PVOID                       Win32Thread;
    PKTRAP_FRAME                TrapFrame;
    PKAPC_STATE                 ApcStatePointer[2];
#if (NTDDI_VERSION >= NTDDI_WIN2K)
    UCHAR                       PreviousMode;
#endif // (NTDDI_VERSION >= NTDDI_WIN2K)
    BOOLEAN                     EnableStackSwap;
    BOOLEAN                     LargeStack;
    UCHAR                       ResourceIndex;
#if (NTDDI_VERSION < NTDDI_WIN2K)
    UCHAR                       PreviousMode;
#endif // (NTDDI_VERSION < NTDDI_WIN2K)
    ULONG                       KernelTime;
    ULONG                       UserTime;
    KAPC_STATE                  SavedApcState;
    BOOLEAN                     Alertable;
    UCHAR                       ApcStateIndex;
    BOOLEAN                     ApcQueueable;
    BOOLEAN                     AutoAlignment;
    PVOID                       StackBase;
    KAPC                        SuspendApc;
    KSEMAPHORE                  SuspendSemaphore;
    LIST_ENTRY                  ThreadListEntry;
    UCHAR                       FreezeCount;
    UCHAR                       SuspendCount;
    UCHAR                       IdealProcessor;
    BOOLEAN                     DisableBoost;
} KTHREAD, *PKTHREAD;

#endif


#if (NTDDI_VERSION >= NTDDI_WS03)

typedef struct _MMSUPPORT_FLAGS {
    ULONG SessionSpace              : 1;
    ULONG BeingTrimmed              : 1;
    ULONG SessionLeader             : 1;
    ULONG TrimHard                  : 1;
    ULONG MaximumWorkingSetHard     : 1;
    ULONG ForceTrim                 : 1;
    ULONG MinimumWorkingSetHard     : 1;
    ULONG Available0                : 1;
    ULONG MemoryPriority            : 8;
    ULONG GrowWsleHash              : 1;
    ULONG AcquiredUnsafe            : 1;
    ULONG Available                 : 14;
} MMSUPPORT_FLAGS, *PMMSUPPORT_FLAGS;

#elif (NTDDI_VERSION >= NTDDI_WINXP)

typedef struct _MMSUPPORT_FLAGS {
    ULONG SessionSpace              : 1;
    ULONG BeingTrimmed              : 1;
    ULONG SessionLeader             : 1;
    ULONG TrimHard                  : 1;
    ULONG WorkingSetHard            : 1;
    ULONG AddressSpaceBeingDeleted  : 1;
    ULONG Available                 : 10;
    ULONG AllowWorkingSetAdjustment : 8;
    ULONG MemoryPriority            : 8;
} MMSUPPORT_FLAGS, *PMMSUPPORT_FLAGS;

#else


typedef struct _MMSUPPORT_FLAGS {
    ULONG SessionSpace      : 1;
    ULONG BeingTrimmed      : 1;
    ULONG ProcessInSession  : 1;
    ULONG SessionLeader     : 1;
    ULONG TrimHard          : 1;
    ULONG WorkingSetHard    : 1;
    ULONG WriteWatch        : 1;
    ULONG Filler            : 25;
} MMSUPPORT_FLAGS, *PMMSUPPORT_FLAGS;

#endif


#if (NTDDI_VERSION >= NTDDI_WS03)

typedef struct _MMSUPPORT {
    LIST_ENTRY      WorkingSetExpansionLinks;
    LARGE_INTEGER   LastTrimTime; // 0x8
    MMSUPPORT_FLAGS Flags; // 0x10
    ULONG           PageFaultCount; // 0x14
    ULONG           PeakWorkingSetSize; // 0x18
    ULONG           GrowthSinceLastEstimate; // 0x1c
    ULONG           MinimumWorkingSetSize; // 0x20
    ULONG           MaximumWorkingSetSize; // 0x24
    PMMWSL          VmWorkingSetList; // 0x28 
    ULONG           Claim; // 0x2c
    ULONG           NextEstimationSlot; // 0x30
    ULONG           NextAgingSlot; // 0x34
    ULONG           EstimatedAvailable; // 0x38
    ULONG           WorkingSetSize;  //0x3c
    KGUARDED_MUTEX  Mutex; // 0x40
} MMSUPPORT, *PMMSUPPORT;

#elif (NTDDI_VERSION >= NTDDI_WINXP)

typedef struct _MMSUPPORT {
    LARGE_INTEGER   LastTrimTime;
    MMSUPPORT_FLAGS Flags;
    ULONG           PageFaultCount;
    ULONG           PeakWorkingSetSize;
    ULONG           WorkingSetSize;
    ULONG           MinimumWorkingSetSize;
    ULONG           MaximumWorkingSetSize;
    PMMWSL          VmWorkingSetList;
    LIST_ENTRY      WorkingSetExpansionLinks;
    ULONG           Claim;
    ULONG           NextEstimationSlot;
    ULONG           NextAgingSlot;
    ULONG           EstimatedAvailable;
    ULONG           GrowthSinceLastEstimate;
} MMSUPPORT, *PMMSUPPORT;

#else


typedef struct _MMSUPPORT {
    LARGE_INTEGER   LastTrimTime;
    ULONG           LastTrimFaultCount;
    ULONG           PageFaultCount;
    ULONG           PeakWorkingSetSize;
    ULONG           WorkingSetSize;
    ULONG           MinimumWorkingSetSize;
    ULONG           MaximumWorkingSetSize;
    PMMWSL          VmWorkingSetList;
    LIST_ENTRY      WorkingSetExpansionLinks;
    BOOLEAN         AllowWorkingSetAdjustment;
    BOOLEAN         AddressSpaceBeingDeleted;
    UCHAR           ForegroundSwitchCount;
    UCHAR           MemoryPriority;
#if (NTDDI_VERSION >= NTDDI_WIN2K)
    union {
        ULONG           LongFlags;
        MMSUPPORT_FLAGS Flags;
    } u;
    ULONG           Claim;
    ULONG           NextEstimationSlot;
    ULONG           NextAgingSlot;
    ULONG           EstimatedAvailable;
    ULONG           GrowthSinceLastEstimate;
#endif // (NTDDI_VERSION >= NTDDI_WIN2K)
} MMSUPPORT, *PMMSUPPORT;

#endif


typedef struct _SE_AUDIT_PROCESS_CREATION_INFO {
    POBJECT_NAME_INFORMATION ImageFileName;
} SE_AUDIT_PROCESS_CREATION_INFO, *PSE_AUDIT_PROCESS_CREATION_INFO;

typedef struct _BITMAP_DESCRIPTOR {
    ULONGLONG   StartLcn;
    ULONGLONG   ClustersToEndOfVol;
    UCHAR       Map[1];
} BITMAP_DESCRIPTOR, *PBITMAP_DESCRIPTOR;

typedef struct _BITMAP_RANGE {
    LIST_ENTRY      Links;
    LARGE_INTEGER   BasePage;
    ULONG           FirstDirtyPage;
    ULONG           LastDirtyPage;
    ULONG           DirtyPages;
    PULONG          Bitmap;
} BITMAP_RANGE, *PBITMAP_RANGE;

typedef struct _DEVICE_MAP {
    POBJECT_DIRECTORY   DosDevicesDirectory;
    POBJECT_DIRECTORY   GlobalDosDevicesDirectory;
    ULONG               ReferenceCount;
    ULONG               DriveMap;
    UCHAR               DriveType[32];
} DEVICE_MAP, *PDEVICE_MAP;

typedef struct _DIRECTORY_BASIC_INFORMATION {
    UNICODE_STRING ObjectName;
    UNICODE_STRING ObjectTypeName;
} DIRECTORY_BASIC_INFORMATION, *PDIRECTORY_BASIC_INFORMATION;

#if (NTDDI_VERSION >= NTDDI_WINXP)

typedef struct _EX_FAST_REF {
    union {
        PVOID Object;
        ULONG RefCnt : 3;
        ULONG Value;
    };
} EX_FAST_REF, *PEX_FAST_REF;

#ifndef _NTIFS_

typedef struct _EX_PUSH_LOCK {
    union {
        struct {
            ULONG   Waiting     : 1;
            ULONG   Exclusive   : 1;
            ULONG   Shared      : 30;
        };
        ULONG   Value;
        PVOID   Ptr;
    };
} EX_PUSH_LOCK, *PEX_PUSH_LOCK;

#endif // _NTIFS_

#endif // (NTDDI_VERSION >= NTDDI_WINXP)

#if (NTDDI_VERSION >= NTDDI_WS03)

typedef struct _MM_ADDRESS_NODE {
    union {
        ULONG                   Balance : 2;
        struct _MM_ADDRESS_NODE *Parent; // lower 2 bits of Parent are Balance and must be zeroed to obtain Parent
    };
    struct _MM_ADDRESS_NODE     *LeftChild;
    struct _MM_ADDRESS_NODE     *RightChild;
    ULONG_PTR                   StartingVpn;
    ULONG_PTR                   EndingVpn;
} MMADDRESS_NODE, *PMMADDRESS_NODE;

typedef struct _MM_AVL_TABLE {
    MMADDRESS_NODE  BalancedRoot; // Vadroot; incorrectly represents the NULL pages (EndingVpn should be 0xf, etc.)
    ULONG           DepthOfTree : 5; // 0x14
    ULONG           Unused : 3;
    ULONG           NumberGenericTableElements : 24; // total number of nodes
    PVOID           NodeHint; // 0x18 (0x270 in _EPROCESS)
    PVOID           NodeFreeHint; // 0x1c
} MM_AVL_TABLE, *PMM_AVL_TABLE;

typedef struct _EPROCESS {
    KPROCESS                        Pcb; // +0x000
    EX_PUSH_LOCK                    ProcessLock; // +0x06c
    LARGE_INTEGER                   CreateTime; // +0x070
    LARGE_INTEGER                   ExitTime; // +0x078
    EX_RUNDOWN_REF                  RundownProtect; // +0x080
    ULONG                           UniqueProcessId; // +0x084
    LIST_ENTRY                      ActiveProcessLinks; // +0x088
    ULONG                           QuotaUsage[3]; // +0x090
    ULONG                           QuotaPeak[3]; // +0x09c
    ULONG                           CommitCharge; // +0x0a8
    ULONG                           PeakVirtualSize; // +0x0ac
    ULONG                           VirtualSize; // +0x0b0
    LIST_ENTRY                      SessionProcessLinks; // +0x0b4
    PVOID                           DebugPort; // +0x0bc
    PVOID                           ExceptionPort; // +0x0c0
    PHANDLE_TABLE                   ObjectTable; // +0x0c4
    EX_FAST_REF                     Token; // +0x0c8
    ULONG                           WorkingSetPage; // +0x0cc
    KGUARDED_MUTEX                  AddressCreationLock; // +0x0d0
    ULONG                           HyperSpaceLock; // +0x0f0
    PETHREAD                        ForkInProgress; // +0x0f4
    ULONG                           HardwareTrigger; // +0x0f8
    PMM_AVL_TABLE                   PhysicalVadRoot; // +0x0fc
    PVOID                           CloneRoot; // +0x100
    ULONG                           NumberOfPrivatePages; // +0x104
    ULONG                           NumberOfLockedPages; // +0x108
    PVOID                           Win32Process; // +0x10c
    PEJOB                           Job; // +0x110
    PVOID                           SectionObject; // +0x114
    PVOID                           SectionBaseAddress; // +0x118
    PEPROCESS_QUOTA_BLOCK           QuotaBlock; // +0x11c
    PPAGEFAULT_HISTORY              WorkingSetWatch; // +0x120
    PVOID                           Win32WindowStation; // +0x124
    ULONG                           InheritedFromUniqueProcessId; // +0x128
    PVOID                           LdtInformation; // +0x12c
    PVOID                           VadFreeHint; // +0x130
    PVOID                           VdmObjects; // +0x134
    PVOID                           DeviceMap; // +0x138
    PVOID                           Spare0[3]; // +0x13c
    union {
        HARDWARE_PTE                PageDirectoryPte; // +0x148
        UINT64                      Filler; // +0x148
    };
    PVOID                           Session; // +0x150
    UCHAR                           ImageFileName[16]; // +0x154
    LIST_ENTRY                      JobLinks; // +0x164
    PVOID                           LockedPagesList; // +0x16c
    LIST_ENTRY                      ThreadListHead; // +0x170
    PVOID                           SecurityPort; // +0x178
    PVOID                           PaeTop; // +0x17c
    ULONG                           ActiveThreads; // +0x180
    ULONG                           GrantedAccess; // +0x184
    ULONG                           DefaultHardErrorProcessing; // +0x188
    SHORT                           LastThreadExitStatus; // +0x18c
    PPEB                            Peb; // +0x190
    EX_FAST_REF                     PrefetchTrace; // +0x194
    LARGE_INTEGER                   ReadOperationCount; // +0x198
    LARGE_INTEGER                   WriteOperationCount; // +0x1a0
    LARGE_INTEGER                   OtherOperationCount; // +0x1a8
    LARGE_INTEGER                   ReadTransferCount; // +0x1b0
    LARGE_INTEGER                   WriteTransferCount; // +0x1b8
    LARGE_INTEGER                   OtherTransferCount; // +0x1c0
    ULONG                           CommitChargeLimit; // +0x1c8
    ULONG                           CommitChargePeak; // +0x1cc
    PVOID                           AweInfo; // +0x1d0
    SE_AUDIT_PROCESS_CREATION_INFO  SeAuditProcessCreationInfo; // +0x1d4
    MMSUPPORT                       Vm; // +0x1d8
    LIST_ENTRY                      MmProcessLinks; // +0x238
    ULONG                           ModifiedPageCount; // +0x240
    ULONG                           JobStatus; // +0x244
    union {
        ULONG                       Flags; // 0x248
        struct {
            ULONG                   CreateReported              : 1;
            ULONG                   NoDebugInherit              : 1;
            ULONG                   ProcessExiting              : 1;
            ULONG                   ProcessDelete               : 1;
            ULONG                   Wow64SplitPages             : 1;
            ULONG                   VmDeleted                   : 1;
            ULONG                   OutswapEnabled              : 1;
            ULONG                   Outswapped                  : 1;
            ULONG                   ForkFailed                  : 1;
            ULONG                   Wow64VaSpace4Gb             : 1;
            ULONG                   AddressSpaceInitialized     : 2;
            ULONG                   SetTimerResolution          : 1;
            ULONG                   BreakOnTermination          : 1;
            ULONG                   SessionCreationUnderway     : 1;
            ULONG                   WriteWatch                  : 1;
            ULONG                   ProcessInSession            : 1;
            ULONG                   OverrideAddressSpace        : 1;
            ULONG                   HasAddressSpace             : 1;
            ULONG                   LaunchPrefetched            : 1;
            ULONG                   InjectInpageErrors          : 1;
            ULONG                   VmTopDown                   : 1;
            ULONG                   ImageNotifyDone             : 1;
            ULONG                   PdeUpdateNeeded             : 1;
            ULONG                   VdmAllowed                  : 1;
            ULONG                   Unused                      : 7;
        };
    };
    NTSTATUS                        ExitStatus; // +0x24c
    USHORT                          NextPageColor; // +0x250
    union {
        struct {
            UCHAR                   SubSystemMinorVersion; // +0x252
            UCHAR                   SubSystemMajorVersion; // +0x253
        };
        USHORT                      SubSystemVersion; // +0x252
    };
    UCHAR                           PriorityClass; // +0x254
    MM_AVL_TABLE                    VadRoot; // +0x258
} REAL_EPROCESS, *PREAL_EPROCESS; // 0x278 in total

#elif (NTDDI_VERSION >= NTDDI_WINXP)

typedef struct _EPROCESS {
    KPROCESS                        Pcb;
    EX_PUSH_LOCK                    ProcessLock;
    LARGE_INTEGER                   CreateTime;
    LARGE_INTEGER                   ExitTime;
    EX_RUNDOWN_REF                  RundownProtect;
    ULONG                           UniqueProcessId;
    LIST_ENTRY                      ActiveProcessLinks;
    ULONG                           QuotaUsage[3];
    ULONG                           QuotaPeak[3];
    ULONG                           CommitCharge;
    ULONG                           PeakVirtualSize;
    ULONG                           VirtualSize;
    LIST_ENTRY                      SessionProcessLinks;
    PVOID                           DebugPort;
    PVOID                           ExceptionPort;
    PHANDLE_TABLE                   ObjectTable;
    EX_FAST_REF                     Token;
    FAST_MUTEX                      WorkingSetLock;
    ULONG                           WorkingSetPage;
    FAST_MUTEX                      AddressCreationLock;
    KSPIN_LOCK                      HyperSpaceLock;
    PETHREAD                        ForkInProgress;
    ULONG                           HardwareTrigger;
    PVOID                           VadRoot;
    PVOID                           VadHint;
    PVOID                           CloneRoot;
    ULONG                           NumberOfPrivatePages;
    ULONG                           NumberOfLockedPages;
    PVOID                           Win32Process;
    PEJOB                           Job;
    PSECTION_OBJECT                 SectionObject;
    PVOID                           SectionBaseAddress;
    PEPROCESS_QUOTA_BLOCK           QuotaBlock;
    PPAGEFAULT_HISTORY              WorkingSetWatch;
    PVOID                           Win32WindowStation;
    PVOID                           InheritedFromUniqueProcessId;
    PVOID                           LdtInformation;
    PVOID                           VadFreeHint;
    PVOID                           VdmObjects;
    PDEVICE_MAP                     DeviceMap;
    LIST_ENTRY                      PhysicalVadList;
    union {
        HARDWARE_PTE                PageDirectoryPte;
        ULONGLONG                   Filler;
    };
    PVOID                           Session;
    UCHAR                           ImageFileName[16];
    LIST_ENTRY                      JobLinks;
    PVOID                           LockedPageList;
    LIST_ENTRY                      ThreadListHead;
    PVOID                           SecurityPort;
    PVOID                           PaeTop;
    ULONG                           ActiveThreads;
    ULONG                           GrantedAccess;
    ULONG                           DefaultHardErrorProcessing;
    NTSTATUS                        LastThreadExitStatus;
    PPEB                            Peb;
    EX_FAST_REF                     PrefetchTrace;
    LARGE_INTEGER                   ReadOperationCount;
    LARGE_INTEGER                   WriteOperationCount;
    LARGE_INTEGER                   OtherOperationCount;
    LARGE_INTEGER                   ReadTransferCount;
    LARGE_INTEGER                   WriteTransferCount;
    LARGE_INTEGER                   OtherTransferCount;
    ULONG                           CommitChargeLimit;
    ULONG                           CommitChargePeek;
    PVOID                           AweInfo;
    SE_AUDIT_PROCESS_CREATION_INFO  SeAuditProcessCreationInfo;
    MMSUPPORT                       Vm;
    ULONG                           LastFaultCount;
    ULONG                           ModifiedPageCount;
    ULONG                           NumberOfVads;
    ULONG                           JobStatus;
    union {
        ULONG                       Flags;
        struct {
            ULONG                   CreateReported              : 1;
            ULONG                   NoDebugInherit              : 1;
            ULONG                   ProcessExiting              : 1;
            ULONG                   ProcessDelete               : 1;
            ULONG                   Wow64SplitPages             : 1;
            ULONG                   VmDeleted                   : 1;
            ULONG                   OutswapEnabled              : 1;
            ULONG                   Outswapped                  : 1;
            ULONG                   ForkFailed                  : 1;
            ULONG                   HasPhysicalVad              : 1;
            ULONG                   AddressSpaceInitialized     : 2;
            ULONG                   SetTimerResolution          : 1;
            ULONG                   BreakOnTermination          : 1;
            ULONG                   SessionCreationUnderway     : 1;
            ULONG                   WriteWatch                  : 1;
            ULONG                   ProcessInSession            : 1;
            ULONG                   OverrideAddressSpace        : 1;
            ULONG                   HasAddressSpace             : 1;
            ULONG                   LaunchPrefetched            : 1;
            ULONG                   InjectInpageErrors          : 1;
            ULONG                   Unused                      : 11;
        };
    };
    NTSTATUS                        ExitStatus;
    USHORT                          NextPageColor;
    union {
        struct {
            UCHAR                   SubSystemMinorVersion;
            UCHAR                   SubSystemMajorVersion;
        };
        USHORT                      SubSystemVersion;
    };
    UCHAR                           PriorityClass;
    BOOLEAN                         WorkingSetAcquiredUnsafe;
} REAL_EPROCESS, *PREAL_EPROCESS;

#else


typedef struct _EPROCESS {
    KPROCESS                        Pcb;
    NTSTATUS                        ExitStatus;
    KEVENT                          LockEvent;
    ULONG                           LockCount;
    LARGE_INTEGER                   CreateTime;
    LARGE_INTEGER                   ExitTime;
    PKTHREAD                        LockOwner;
    ULONG                           UniqueProcessId;
    LIST_ENTRY                      ActiveProcessLinks;
    ULONGLONG                       QuotaPeakPoolUsage;
    ULONGLONG                       QuotaPoolUsage;
    ULONG                           PagefileUsage;
    ULONG                           CommitCharge;
    ULONG                           PeakPagefileUsage;
    ULONG                           PeakVirtualSize;
    ULONGLONG                       VirtualSize;
    MMSUPPORT                       Vm;
#if (NTDDI_VERSION >= NTDDI_WIN2K)
    LIST_ENTRY                      SessionProcessLinks;
#else // (NTDDI_VERSION < NTDDI_WIN2K)
    ULONG                           LastProtoPteFault;
#endif // (NTDDI_VERSION < NTDDI_WIN2K)
    ULONG                           DebugPort;
    ULONG                           ExceptionPort;
    PHANDLE_TABLE                   ObjectTable;
    PACCESS_TOKEN                   Token;
    FAST_MUTEX                      WorkingSetLock;
    ULONG                           WorkingSetPage;
    BOOLEAN                         ProcessOutswapEnabled;
    BOOLEAN                         ProcessOutswapped;
    BOOLEAN                         AddressSpaceInitialized;
    BOOLEAN                         AddressSpaceDeleted;
    FAST_MUTEX                      AddressCreationLock;
    KSPIN_LOCK                      HyperSpaceLock;
    PETHREAD                        ForkInProgress;
    USHORT                          VmOperation;
    BOOLEAN                         ForkWasSuccessful;
    UCHAR                           MmAgressiveWsTrimMask;
    PKEVENT                         VmOperationEvent;
#if (NTDDI_VERSION >= NTDDI_WIN2K)
    PVOID                           PaeTop;
#else // (NTDDI_VERSION < NTDDI_WIN2K)
    HARDWARE_PTE                    PageDirectoryPte;
#endif // (NTDDI_VERSION < NTDDI_WIN2K)
    ULONG                           LastFaultCount;
    ULONG                           ModifiedPageCount;
    PVOID                           VadRoot;
    PVOID                           VadHint;
    ULONG                           CloneRoot;
    ULONG                           NumberOfPrivatePages;
    ULONG                           NumberOfLockedPages;
    USHORT                          NextPageColor;
    BOOLEAN                         ExitProcessCalled;
    BOOLEAN                         CreateProcessReported;
    HANDLE                          SectionHandle;
    PPEB                            Peb;
    PVOID                           SectionBaseAddress;
    PEPROCESS_QUOTA_BLOCK           QuotaBlock;
    NTSTATUS                        LastThreadExitStatus;
    PPROCESS_WS_WATCH_INFORMATION   WorkingSetWatch;
    HANDLE                          Win32WindowStation;
    HANDLE                          InheritedFromUniqueProcessId;
    ACCESS_MASK                     GrantedAccess;
    ULONG                           DefaultHardErrorProcessing;
    PVOID                           LdtInformation;
    PVOID                           VadFreeHint;
    PVOID                           VdmObjects;
#if (NTDDI_VERSION >= NTDDI_WIN2K)
    PDEVICE_MAP                     DeviceMap;
    ULONG                           SessionId;
    LIST_ENTRY                      PhysicalVadList;
    HARDWARE_PTE                    PageDirectoryPte;
    ULONG                           Filler;
    ULONG                           PaePageDirectoryPage;
#else // (NTDDI_VERSION < NTDDI_WIN2K)
    KMUTANT                         ProcessMutant;
#endif // (NTDDI_VERSION < NTDDI_WIN2K)
    UCHAR                           ImageFileName[16];
    ULONG                           VmTrimFaultValue;
    UCHAR                           SetTimerResolution;
    UCHAR                           PriorityClass;
    union {
        struct {
            UCHAR                   SubSystemMinorVersion;
            UCHAR                   SubSystemMajorVersion;
        };
        USHORT                      SubSystemVersion;
    };
    PVOID                           Win32Process;
#if (NTDDI_VERSION >= NTDDI_WIN2K)
    PEJOB                           Job;
    ULONG                           JobStatus;
    LIST_ENTRY                      JobLinks;
    PVOID                           LockedPageList;
    PVOID                           SecurityPort;
    PWOW64_PROCESS                  Wow64Process;
    LARGE_INTEGER                   ReadOperationCount;
    LARGE_INTEGER                   WriteOperationCount;
    LARGE_INTEGER                   OtherOperationCount;
    LARGE_INTEGER                   ReadTransferCount;
    LARGE_INTEGER                   WriteTransferCount;
    LARGE_INTEGER                   OtherTransferCount;
    ULONG                           CommitChargeLimit;
    ULONG                           CommitChargePeek;
    LIST_ENTRY                      ThreadListHead;
    PRTL_BITMAP                     VadPhysicalPagesBitMap;
    ULONG                           VadPhysicalPages;
    ULONG                           AweLock;
#endif // (NTDDI_VERSION >= NTDDI_WIN2K)
} REAL_EPROCESS, *PREAL_EPROCESS;

#endif


#if (NTDDI_VERSION >= NTDDI_WINXP)

typedef struct _ETHREAD {
    KTHREAD                         Tcb;
    union {
        LARGE_INTEGER               CreateTime;
        struct {
            ULONG                   NestedFaultCount    : 2;
            ULONG                   ApcNeeded           : 1;
        };
    };
    union {
        LARGE_INTEGER               ExitTime;
        LIST_ENTRY                  LpcReplyChain;
        LIST_ENTRY                  KeyedWaitChain;
    };
    union {
        NTSTATUS                    ExitStatus;
        PVOID                       OfsChain;
    };
    LIST_ENTRY                      PostBlockList;
    union {
        PTERMINATION_PORT           TerminationPort;
        PETHREAD                    ReaperLink;
        PVOID                       KeyedWaitValue;
    };
    KSPIN_LOCK                      ActiveTimerListLock;
    LIST_ENTRY                      ActiveTimerListHead;
    CLIENT_ID                       Cid;
    union {
        KSEMAPHORE                  LpcReplySemaphore;
        KSEMAPHORE                  KeyedWaitSemaphore;
    };
    union {
        PLPC_MESSAGE                LpcReplyMessage;
        PVOID                       LpcWaitingOnPort;
    };
    PPS_IMPERSONATION_INFORMATION   ImpersonationInfo;
    LIST_ENTRY                      IrpList;
    ULONG                           TopLevelIrp;
    PDEVICE_OBJECT                  DeviceToVerify;
    PEPROCESS                       ThreadsProcess;
    PKSTART_ROUTINE                 StartAddress;
    union {
        PVOID                       Win32StartAddress;
        ULONG                       LpcReceivedMessageId;
    };
    LIST_ENTRY                      ThreadListEntry;
    EX_RUNDOWN_REF                  RundownProtect;
    EX_PUSH_LOCK                    ThreadLock;
    ULONG                           LpcReplyMessageId;
    ULONG                           ReadClusterSize;
    ACCESS_MASK                     GrantedAccess;
    union {
        ULONG                       CrossThreadFlags;
        struct {
            ULONG                   Terminated              : 1;
            ULONG                   DeadThread              : 1;
            ULONG                   HideFromDebugger        : 1;
            ULONG                   ActiveImpersonationInfo : 1;
            ULONG                   SystemThread            : 1;
            ULONG                   HardErrorsAreDisabled   : 1;
            ULONG                   BreakOnTermination      : 1;
            ULONG                   SkipCreationMsg         : 1;
            ULONG                   SkipTerminationMsg      : 1;
        };
    };
    union {
        ULONG                       SameThreadPassiveFlags;
        struct {
            ULONG                   ActiveExWorker          : 1;
            ULONG                   ExWorkerCanWaitUser     : 1;
            ULONG                   MemoryMaker             : 1;
            ULONG                   KeyedEventInUse         : 1;
        };
    };
    union {
        ULONG                       SameThreadApcFlags;
        struct {
            BOOLEAN                 LpcReceivedMsgIdValid   : 1;
            BOOLEAN                 LpcExitThreadCalled     : 1;
            BOOLEAN                 AddressSpaceOwner       : 1;
        };
    };
    BOOLEAN                         ForwardClusterOnly;
    BOOLEAN                         DisablePageFaultClustering;
} REAL_ETHREAD, *PREAL_ETHREAD;

#else


typedef struct _ETHREAD {
    KTHREAD                         Tcb;
    LARGE_INTEGER                   CreateTime;
    union {
        LARGE_INTEGER               ExitTime;
        LIST_ENTRY                  LpcReplyChain;
    };
    union {
        NTSTATUS                    ExitStatus;
        PVOID                       OfsChain;
    };
    LIST_ENTRY                      PostBlockList;
    LIST_ENTRY                      TerminationPortList;
    KSPIN_LOCK                      ActiveTimerListLock;
    LIST_ENTRY                      ActiveTimerListHead;
    CLIENT_ID                       Cid;
    KSEMAPHORE                      LpcReplySemaphore;
    PLPC_MESSAGE                    LpcReplyMessage;
    ULONG                           LpcReplyMessageId;
    ULONG                           PerformanceCountLow;
    PPS_IMPERSONATION_INFORMATION   ImpersonationInfo;
    LIST_ENTRY                      IrpList;
    PVOID                           TopLevelIrp;
    PDEVICE_OBJECT                  DeviceToVerify;
    ULONG                           ReadClusterSize;
    BOOLEAN                         ForwardClusterOnly;
    BOOLEAN                         DisablePageFaultClustering;
    BOOLEAN                         DeadThread;
#if (NTDDI_VERSION >= NTDDI_WIN2K)
    BOOLEAN                         HideFromDebugger;
    ULONG                           HasTerminated;
#else // (NTDDI_VERSION < NTDDI_WIN2K)
    BOOLEAN                         HasTerminated;
    PKEVENT_PAIR                    EventPair;
#endif // (NTDDI_VERSION < NTDDI_WIN2K)
    ACCESS_MASK                     GrantedAccess;
    PEPROCESS                       ThreadsProcess;
    PKSTART_ROUTINE                 StartAddress;
    union {
        PVOID                       Win32StartAddress;
        ULONG                       LpcReceivedMessageId;
    };
    BOOLEAN                         LpcExitThreadCalled;
    BOOLEAN                         HardErrorsAreDisabled;
    BOOLEAN                         LpcReceivedMsgIdValid;
    BOOLEAN                         ActiveImpersonationInfo;
    ULONG                           PerformanceCountHigh;
#if (NTDDI_VERSION >= NTDDI_WIN2K)
    LIST_ENTRY                      ThreadListEntry;
#endif // (NTDDI_VERSION >= NTDDI_WIN2K)
} REAL_ETHREAD, *PREAL_ETHREAD;

#endif


typedef struct _EPROCESS_QUOTA_ENTRY {
    ULONG Usage;
    ULONG Limit;
    ULONG Peak;
    ULONG Return;
} EPROCESS_QUOTA_ENTRY, *PEPROCESS_QUOTA_ENTRY;

typedef struct _EPROCESS_QUOTA_BLOCK {
    EPROCESS_QUOTA_ENTRY    QuotaEntry[3];
    LIST_ENTRY              QuotaList;
    ULONG                   ReferenceCount;
    ULONG                   ProcessCount;
} EPROCESS_QUOTA_BLOCK, *PEPROCESS_QUOTA_BLOCK;

typedef struct _EXCEPTION_REGISTRATION_RECORD {
   struct _EXCEPTION_REGISTRATION_RECORD    *Next;
   PVOID                                    Handler;
} EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD;

/*
 * When needing these parameters cast your PIO_STACK_LOCATION to
 * PEXTENDED_IO_STACK_LOCATION
 */
#if !defined(_ALPHA_) && !defined(_AMD64_) && !defined(_IA64_)
#include <pshpack4.h>
#endif

typedef struct _EXTENDED_IO_STACK_LOCATION {

    /* Included for padding */
    UCHAR MajorFunction;
    UCHAR MinorFunction;
    UCHAR Flags;
    UCHAR Control;

    union {

       struct {
          PIO_SECURITY_CONTEXT              SecurityContext;
          ULONG                             Options;
          USHORT                            Reserved;
          USHORT                            ShareAccess;
          PMAILSLOT_CREATE_PARAMETERS       Parameters;
       } CreateMailslot;

        struct {
            PIO_SECURITY_CONTEXT            SecurityContext;
            ULONG                           Options;
            USHORT                          Reserved;
            USHORT                          ShareAccess;
            PNAMED_PIPE_CREATE_PARAMETERS   Parameters;
        } CreatePipe;

        struct {
            ULONG                           OutputBufferLength;
            ULONG                           InputBufferLength;
            ULONG                           FsControlCode;
            PVOID                           Type3InputBuffer;
        } FileSystemControl;

        struct {
            PLARGE_INTEGER                  Length;
            ULONG                           Key;
            LARGE_INTEGER                   ByteOffset;
        } LockControl;

        struct {
            ULONG                           Length;
            ULONG                           CompletionFilter;
        } NotifyDirectory;

        struct {
            ULONG                           Length;
            PUNICODE_STRING                 FileName;
            FILE_INFORMATION_CLASS          FileInformationClass;
            ULONG                           FileIndex;
        } QueryDirectory;

        struct {
            ULONG                           Length;
            PVOID                           EaList;
            ULONG                           EaListLength;
            ULONG                           EaIndex;
        } QueryEa;

        struct {
            ULONG                           Length;
            PSID                            StartSid;
            PFILE_GET_QUOTA_INFORMATION     SidList;
            ULONG                           SidListLength;
        } QueryQuota;

        struct {
            ULONG                           Length;
        } SetEa;

        struct {
            ULONG                           Length;
        } SetQuota;

        struct {
            ULONG                           Length;
            FS_INFORMATION_CLASS            FsInformationClass;
        } SetVolume;

    } Parameters;

} EXTENDED_IO_STACK_LOCATION, *PEXTENDED_IO_STACK_LOCATION;
#if !defined(_ALPHA_) && !defined(_AMD64_) && !defined(_IA64_)
#include <poppack.h>
#endif


typedef struct _FILE_COPY_ON_WRITE_INFORMATION {
    BOOLEAN ReplaceIfExists;
    HANDLE  RootDirectory;
    ULONG   FileNameLength;
    WCHAR   FileName[1];
} FILE_COPY_ON_WRITE_INFORMATION, *PFILE_COPY_ON_WRITE_INFORMATION;

#if (NTDDI_VERSION >= NTDDI_WIN2K)

typedef struct _FILE_FS_OBJECT_ID_INFORMATION {
    UCHAR ObjectId[16];
    UCHAR ExtendedInfo[48];
} FILE_FS_OBJECT_ID_INFORMATION, *PFILE_FS_OBJECT_ID_INFORMATION;

#endif // (NTDDI_VERSION >= NTDDI_WIN2K)

#ifndef _NTIFS_

typedef struct _FILE_LOCK_INFO {
    LARGE_INTEGER   StartingByte;
    LARGE_INTEGER   Length;
    BOOLEAN         ExclusiveLock;
    ULONG           Key;
    PFILE_OBJECT    FileObject;
    PEPROCESS       Process;
    LARGE_INTEGER   EndingByte;
} FILE_LOCK_INFO, *PFILE_LOCK_INFO;

#endif // _NTIFS_

// raw internal file lock struct returned from FsRtlGetNextFileLock
typedef struct _FILE_SHARED_LOCK_ENTRY {
    PVOID           Unknown1;
    PVOID           Unknown2;
    FILE_LOCK_INFO  FileLock;
} FILE_SHARED_LOCK_ENTRY, *PFILE_SHARED_LOCK_ENTRY;

// raw internal file lock struct returned from FsRtlGetNextFileLock
typedef struct _FILE_EXCLUSIVE_LOCK_ENTRY {
    LIST_ENTRY      ListEntry;
    PVOID           Unknown1;
    PVOID           Unknown2;
    FILE_LOCK_INFO  FileLock;
} FILE_EXCLUSIVE_LOCK_ENTRY, *PFILE_EXCLUSIVE_LOCK_ENTRY;

typedef struct _FILE_MAILSLOT_PEEK_BUFFER {
    ULONG ReadDataAvailable;
    ULONG NumberOfMessages;
    ULONG MessageLength;
} FILE_MAILSLOT_PEEK_BUFFER, *PFILE_MAILSLOT_PEEK_BUFFER;

typedef struct _FILE_OLE_CLASSID_INFORMATION {
    GUID ClassId;
} FILE_OLE_CLASSID_INFORMATION, *PFILE_OLE_CLASSID_INFORMATION;

#ifdef _NTIFS_

typedef struct _FILE_OLE_ALL_INFORMATION {
    FILE_BASIC_INFORMATION          BasicInformation;
    FILE_STANDARD_INFORMATION       StandardInformation;
    FILE_INTERNAL_INFORMATION       InternalInformation;
    FILE_EA_INFORMATION             EaInformation;
    FILE_ACCESS_INFORMATION         AccessInformation;
    FILE_POSITION_INFORMATION       PositionInformation;
    FILE_MODE_INFORMATION           ModeInformation;
    FILE_ALIGNMENT_INFORMATION      AlignmentInformation;
    USN                             LastChangeUsn;
    USN                             ReplicationUsn;
    LARGE_INTEGER                   SecurityChangeTime;
    FILE_OLE_CLASSID_INFORMATION    OleClassIdInformation;
    FILE_OBJECTID_INFORMATION       ObjectIdInformation;
    FILE_STORAGE_TYPE               StorageType;
    ULONG                           OleStateBits;
    ULONG                           OleId;
    ULONG                           NumberOfStreamReferences;
    ULONG                           StreamIndex;
    ULONG                           SecurityId;
    BOOLEAN                         ContentIndexDisable;
    BOOLEAN                         InheritContentIndexDisable;
    FILE_NAME_INFORMATION           NameInformation;
} FILE_OLE_ALL_INFORMATION, *PFILE_OLE_ALL_INFORMATION;

#endif // _NTIFS_

typedef struct _FILE_OLE_DIR_INFORMATION {
    ULONG               NextEntryOffset;
    ULONG               FileIndex;
    LARGE_INTEGER       CreationTime;
    LARGE_INTEGER       LastAccessTime;
    LARGE_INTEGER       LastWriteTime;
    LARGE_INTEGER       ChangeTime;
    LARGE_INTEGER       EndOfFile;
    LARGE_INTEGER       AllocationSize;
    ULONG               FileAttributes;
    ULONG               FileNameLength;
    FILE_STORAGE_TYPE   StorageType;
    GUID                OleClassId;
    ULONG               OleStateBits;
    BOOLEAN             ContentIndexDisable;
    BOOLEAN             InheritContentIndexDisable;
    WCHAR               FileName[1];
} FILE_OLE_DIR_INFORMATION, *PFILE_OLE_DIR_INFORMATION;

#ifdef _NTIFS_

typedef struct _FILE_OLE_INFORMATION {
    LARGE_INTEGER                   SecurityChangeTime;
    FILE_OLE_CLASSID_INFORMATION    OleClassIdInformation;
    FILE_OBJECTID_INFORMATION       ObjectIdInformation;
    FILE_STORAGE_TYPE               StorageType;
    ULONG                           OleStateBits;
    BOOLEAN                         ContentIndexDisable;
    BOOLEAN                         InheritContentIndexDisable;
} FILE_OLE_INFORMATION, *PFILE_OLE_INFORMATION;

#endif // _NTIFS_

typedef struct _FILE_OLE_STATE_BITS_INFORMATION {
    ULONG StateBits;
    ULONG StateBitsMask;
} FILE_OLE_STATE_BITS_INFORMATION, *PFILE_OLE_STATE_BITS_INFORMATION;

typedef struct _HANDLE_INFO {       // Information about open handles
    union {
        PEPROCESS   Process;        // Pointer to PEPROCESS owning the Handle
        ULONG       Count;          // Count of HANDLE_INFO structures following this structure
    } HandleInfo;
    USHORT          HandleCount;
} HANDLE_INFO, *PHANDLE_INFO;

typedef struct _HANDLE_TABLE_ENTRY_INFO {
    ULONG AuditMask;
} HANDLE_TABLE_ENTRY_INFO, *PHANDLE_TABLE_ENTRY_INFO;

typedef struct _HANDLE_TABLE_ENTRY {
    union {
        PVOID                       Object;
        ULONG                       ObAttributes;
        PHANDLE_TABLE_ENTRY_INFO    InfoTable;
        ULONG                       Value;
    };
    union {
        ULONG                       GrantedAccess;
        USHORT                      GrantedAccessIndex;
        LONG                        NextFreeTableEntry;
    };
    USHORT                          CreatorBackTraceIndex;
} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;

typedef struct _MAPPING_PAIR {
    ULONGLONG Vcn;
    ULONGLONG Lcn;
} MAPPING_PAIR, *PMAPPING_PAIR;

typedef struct _GET_RETRIEVAL_DESCRIPTOR {
    ULONG           NumberOfPairs;
    ULONGLONG       StartVcn;
    MAPPING_PAIR    Pair[1];
} GET_RETRIEVAL_DESCRIPTOR, *PGET_RETRIEVAL_DESCRIPTOR;

typedef struct _INITIAL_TEB {
    ULONG Unknown_1;
    ULONG Unknown_2;
    PVOID StackTop;
    PVOID StackBase;
    PVOID Unknown_3;
} INITIAL_TEB, *PINITIAL_TEB;

typedef struct _IO_CLIENT_EXTENSION {
    struct _IO_CLIENT_EXTENSION *NextExtension;
    PVOID                       ClientIdentificationAddress;
} IO_CLIENT_EXTENSION, *PIO_CLIENT_EXTENSION;

typedef struct _IO_COMPLETION_BASIC_INFORMATION {
    LONG Depth;
} IO_COMPLETION_BASIC_INFORMATION, *PIO_COMPLETION_BASIC_INFORMATION;

typedef struct _KEVENT_PAIR {
    USHORT Type;
    USHORT Size;
    KEVENT Event1;
    KEVENT Event2;
} KEVENT_PAIR, *PKEVENT_PAIR;

typedef struct _KINTERRUPT {
    CSHORT              Type;
    CSHORT              Size;
    LIST_ENTRY          InterruptListEntry;
    PKSERVICE_ROUTINE   ServiceRoutine;
    PVOID               ServiceContext;
    KSPIN_LOCK          SpinLock;
    ULONG               TickCount;
    PKSPIN_LOCK         ActualLock;
    PVOID               DispatchAddress;
    ULONG               Vector;
    KIRQL               Irql;
    KIRQL               SynchronizeIrql;
    BOOLEAN             FloatingSave;
    BOOLEAN             Connected;
    CHAR                Number;
    UCHAR               ShareVector;
    KINTERRUPT_MODE     Mode;
    ULONG               ServiceCount;
    ULONG               DispatchCount;
    ULONG               DispatchCode[106];
} KINTERRUPT, *PKINTERRUPT;

#ifndef _NTIFS_

typedef struct _LARGE_MCB {
    PFAST_MUTEX FastMutex;
    ULONG       MaximumPairCount;
    ULONG       PairCount;
    POOL_TYPE   PoolType;
    PVOID       Mapping;
} LARGE_MCB, *PLARGE_MCB;

typedef struct _MCB {
    LARGE_MCB LargeMcb;
} MCB, *PMCB;

#endif // _NTIFS_

typedef struct _LPC_MESSAGE {
    USHORT      DataSize;
    USHORT      MessageSize;
    USHORT      MessageType;
    USHORT      VirtualRangesOffset;
    CLIENT_ID   ClientId;
    ULONG       MessageId;
    ULONG       SectionSize;
    UCHAR       Data[1];
} LPC_MESSAGE, *PLPC_MESSAGE;

typedef struct _LPC_SECTION_READ {
    ULONG Length;
    ULONG ViewSize;
    PVOID ViewBase;
} LPC_SECTION_READ, *PLPC_SECTION_READ;

typedef struct _LPC_SECTION_WRITE {
    ULONG   Length;
    HANDLE  SectionHandle;
    ULONG   SectionOffset;
    ULONG   ViewSize;
    PVOID   ViewBase;
    PVOID   TargetViewBase;
} LPC_SECTION_WRITE, *PLPC_SECTION_WRITE;

typedef struct _MAILSLOT_CREATE_PARAMETERS {
    ULONG           MailslotQuota;
    ULONG           MaximumMessageSize;
    LARGE_INTEGER   ReadTimeout;
    BOOLEAN         TimeoutSpecified;
} MAILSLOT_CREATE_PARAMETERS, *PMAILSLOT_CREATE_PARAMETERS;

typedef struct _MBCB {
    CSHORT          NodeTypeCode;
    CSHORT          NodeIsInZone;
    ULONG           PagesToWrite;
    ULONG           DirtyPages;
    ULONG           Reserved;
    LIST_ENTRY      BitmapRanges;
    LONGLONG        ResumeWritePage;
    BITMAP_RANGE    BitmapRange1;
    BITMAP_RANGE    BitmapRange2;
    BITMAP_RANGE    BitmapRange3;
} MBCB, *PMBCB;

typedef struct _MOVEFILE_DESCRIPTOR {
     HANDLE         FileHandle; 
     ULONG          Reserved;   
     LARGE_INTEGER  StartVcn; 
     LARGE_INTEGER  TargetLcn;
     ULONG          NumVcns; 
     ULONG          Reserved1;  
} MOVEFILE_DESCRIPTOR, *PMOVEFILE_DESCRIPTOR;

typedef struct _NAMED_PIPE_CREATE_PARAMETERS {
    ULONG           NamedPipeType;
    ULONG           ReadMode;
    ULONG           CompletionMode;
    ULONG           MaximumInstances;
    ULONG           InboundQuota;
    ULONG           OutboundQuota;
    LARGE_INTEGER   DefaultTimeout;
    BOOLEAN         TimeoutSpecified;
} NAMED_PIPE_CREATE_PARAMETERS, *PNAMED_PIPE_CREATE_PARAMETERS;

typedef struct _QUOTA_BLOCK {
    KSPIN_LOCK  QuotaLock;
    ULONG       ReferenceCount; // Number of processes using this block
    ULONG       PeakNonPagedPoolUsage;
    ULONG       PeakPagedPoolUsage;
    ULONG       NonPagedpoolUsage;
    ULONG       PagedPoolUsage;
    ULONG       NonPagedPoolLimit;
    ULONG       PagedPoolLimit;
    ULONG       PeakPagefileUsage;
    ULONG       PagefileUsage;
    ULONG       PageFileLimit;
} QUOTA_BLOCK, *PQUOTA_BLOCK;

typedef struct _OBJECT_BASIC_INFO {
    ULONG           Attributes;
    ACCESS_MASK     GrantedAccess;
    ULONG           HandleCount;
    ULONG           ReferenceCount;
    ULONG           PagedPoolUsage;
    ULONG           NonPagedPoolUsage;
    ULONG           Reserved[3];
    ULONG           NameInformationLength;
    ULONG           TypeInformationLength;
    ULONG           SecurityDescriptorLength;
    LARGE_INTEGER   CreateTime;
} OBJECT_BASIC_INFO, *POBJECT_BASIC_INFO;

typedef struct _OBJECT_CREATE_INFORMATION {
    ULONG                           Attributes;
    HANDLE                          RootDirectory; // 0x4
    PVOID                           ParseContext; // 0x8
    KPROCESSOR_MODE                 ProbeMode; // 0xc
    ULONG                           PagedPoolCharge; // 0x10
    ULONG                           NonPagedPoolCharge; // 0x14
    ULONG                           SecurityDescriptorCharge; // 0x18
    PSECURITY_DESCRIPTOR            SecurityDescriptor; // 0x1c
    PSECURITY_QUALITY_OF_SERVICE    SecurityQos; // 0x20
    SECURITY_QUALITY_OF_SERVICE     SecurityQualityOfService; // 0x24
} OBJECT_CREATE_INFORMATION, *POBJECT_CREATE_INFORMATION;

typedef struct _OBJECT_CREATOR_INFO {
    LIST_ENTRY  Creator;
    ULONG       UniqueProcessId; // Creator's Process ID
    ULONG       Reserved; // Alignment
} OBJECT_CREATOR_INFO, *POBJECT_CREATOR_INFO;

typedef struct _OBJECT_DIRECTORY_ITEM {
    struct _OBJECT_DIRECTORY_ITEM   *Next;
    PVOID                           Object;
} OBJECT_DIRECTORY_ITEM, *POBJECT_DIRECTORY_ITEM;

typedef struct _OBJECT_DIRECTORY {
    POBJECT_DIRECTORY_ITEM  HashEntries[0x25];
    POBJECT_DIRECTORY_ITEM  LastHashAccess;
    ULONG                   LastHashResult;
} OBJECT_DIRECTORY, *POBJECT_DIRECTORY;

typedef struct _OBJECT_HANDLE_ATTRIBUTE_INFO {
    BOOLEAN Inherit;
    BOOLEAN ProtectFromClose;
} OBJECT_HANDLE_ATTRIBUTE_INFO, *POBJECT_HANDLE_ATTRIBUTE_INFO;

typedef struct _OBJECT_HANDLE_DB {
    union {
        struct _EPROCESS                *Process;
        struct _OBJECT_HANDLE_DB_LIST   *HandleDBList;
    };
    ULONG                               HandleCount;
} OBJECT_HANDLE_DB, *POBJECT_HANDLE_DB;

typedef struct _OBJECT_HANDLE_DB_LIST {
    ULONG               Count;
    OBJECT_HANDLE_DB    Entries[1];
} OBJECT_HANDLE_DB_LIST, *POBJECT_HANDLE_DB_LIST;

typedef struct _OBJECT_HEADER_FLAGS {
    ULONG NameInfoOffset     : 8;
    ULONG HandleInfoOffset   : 8;
    ULONG QuotaInfoOffset    : 8;
    ULONG QuotaBlock         : 1;   // QuotaBlock/ObjectInfo
    ULONG KernelMode         : 1;   // UserMode/KernelMode
    ULONG CreatorInfo        : 1;
    ULONG Exclusive          : 1;
    ULONG Permanent          : 1;
    ULONG SecurityDescriptor : 1;
    ULONG HandleInfo         : 1;
    ULONG Reserved           : 1;
} OBJECT_HEADER_FLAGS, *POBJECT_HEADER_FLAGS;

typedef struct _OBJECT_HEADER {
    ULONG                           ReferenceCount;
    union {
        ULONG                       HandleCount;
        PSINGLE_LIST_ENTRY          NextToFree;
    }; // 0x4
    POBJECT_TYPE                    ObjectType; // 0x8
    OBJECT_HEADER_FLAGS             Flags; // 0xc
    union {
        POBJECT_CREATE_INFORMATION  ObjectCreateInfo;
        PQUOTA_BLOCK                QuotaBlock;
    }; // 0x10
    PSECURITY_DESCRIPTOR            SecurityDescriptor; // 0x14
    QUAD                            Body; // 0x18
} OBJECT_HEADER, *POBJECT_HEADER;

typedef struct _OBJECT_NAME {
    POBJECT_DIRECTORY   Directory; 
    UNICODE_STRING      ObjectName;
    ULONG               Reserved;
} OBJECT_NAME, *POBJECT_NAME;

typedef struct _OBJECT_NAME_INFO {
    UNICODE_STRING  ObjectName;
    WCHAR           ObjectNameBuffer[1];
} OBJECT_NAME_INFO, *POBJECT_NAME_INFO;

typedef struct _OBJECT_PROTECTION_INFO {
    BOOLEAN Inherit;
    BOOLEAN ProtectHandle;
} OBJECT_PROTECTION_INFO, *POBJECT_PROTECTION_INFO;

typedef struct _OBJECT_QUOTA_CHARGES {
    ULONG PagedPoolCharge;
    ULONG NonPagedPoolCharge;
    ULONG SecurityCharge;
    ULONG Reserved;
} OBJECT_QUOTA_CHARGES, *POBJECT_QUOTA_CHARGES;

typedef struct _OBJECT_QUOTA_INFO {
    ULONG       PagedPoolQuota;
    ULONG       NonPagedPoolQuota;
    ULONG       QuotaInformationSize;
    PEPROCESS   Process; // Owning process
} OBJECT_QUOTA_INFO, *POBJECT_QUOTA_INFO;

typedef struct _OBJECT_TYPE_INITIALIZER {
    USHORT          Length;
    BOOLEAN         UseDefaultObject;
    BOOLEAN         Reserved1;
    ULONG           InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ACCESS_MASK     ValidAccessMask;
    BOOLEAN         SecurityRequired;
    BOOLEAN         MaintainHandleCount;  /* OBJECT_HANDLE_DB */
    BOOLEAN         MaintainTypeList;     /* OBJECT_CREATOR_INFO */
    UCHAR           Reserved2;
    BOOLEAN         PagedPool;
    ULONG           DefaultPagedPoolCharge;
    ULONG           DefaultNonPagedPoolCharge;
    PVOID           DumpProcedure;
    PVOID           OpenProcedure;
    PVOID           CloseProcedure;
    PVOID           DeleteProcedure;
    PVOID           ParseProcedure;
    PVOID           SecurityProcedure;    /* SeDefaultObjectMethod */
    PVOID           QueryNameProcedure;
    PVOID           OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;

typedef struct _OBJECT_TYPE {
    ERESOURCE               Lock;
    LIST_ENTRY              ObjectListHead; /* OBJECT_CREATOR_INFO */
    UNICODE_STRING          ObjectTypeName;
    union {
        PVOID               DefaultObject;  /* ObpDefaultObject */
        ULONG               Code; /* File: 5C, WaitablePort: A0 */
    };
    ULONG                   ObjectTypeIndex; /* OB_TYPE_INDEX_* */
    ULONG                   ObjectCount;
    ULONG                   HandleCount;
    ULONG                   PeakObjectCount;
    ULONG                   PeakHandleCount;
    OBJECT_TYPE_INITIALIZER TypeInfo;
    ULONG                   ObjectTypeTag;   /* OB_TYPE_TAG_* */
} OBJECT_TYPE, *POBJECT_TYPE;

typedef struct _OBJECT_TYPE_INFO {
    UNICODE_STRING  ObjectTypeName;
    UCHAR           Unknown[0x58];
    WCHAR           ObjectTypeNameBuffer[1];
} OBJECT_TYPE_INFO, *POBJECT_TYPE_INFO;

typedef struct _OBJECT_ALL_TYPES_INFO {
    ULONG               NumberOfObjectTypes;
    OBJECT_TYPE_INFO    ObjectsTypeInfo[1];
} OBJECT_ALL_TYPES_INFO, *POBJECT_ALL_TYPES_INFO;

typedef struct _PAGEFAULT_HISTORY {
    ULONG                           CurrentIndex;
    ULONG                           MaxIndex;
    KSPIN_LOCK                      SpinLock;
    PVOID                           Reserved;
    PROCESS_WS_WATCH_INFORMATION    WatchInfo[1];
} PAGEFAULT_HISTORY, *PPAGEFAULT_HISTORY;

#if (NTDDI_VERSION >= NTDDI_WINXP)

typedef struct _PRIVATE_CACHE_MAP_FLAGS {
    ULONG DontUse           : 16;
    ULONG ReadAheadActive   : 1;
    ULONG ReadAheadEnabled  : 1;
    ULONG Available         : 14;
} PRIVATE_CACHE_MAP_FLAGS, *PPRIVATE_CACHE_MAP_FLAGS;

typedef struct _PRIVATE_CACHE_MAP {
    union {
        CSHORT                  NodeTypeCode;
        PRIVATE_CACHE_MAP_FLAGS Flags;
        ULONG                   UlongFlags;
    };
    ULONG                       ReadAheadMask;
    PFILE_OBJECT                FileObject;
    LARGE_INTEGER               FileOffset1;
    LARGE_INTEGER               BeyondLastByte1;
    LARGE_INTEGER               FileOffset2;
    LARGE_INTEGER               BeyondLastByte2;
    LARGE_INTEGER               ReadAheadOffset[2];
    ULONG                       ReadAheadLength[2];
    KSPIN_LOCK                  ReadAheadSpinLock;
    LIST_ENTRY                  PrivateLinks;
} PRIVATE_CACHE_MAP, *PPRIVATE_CACHE_MAP;

#endif // (NTDDI_VERSION >= NTDDI_WINXP)

typedef struct _PROCESS_PRIORITY_CLASS {
    BOOLEAN Foreground;
    UCHAR   PriorityClass;
} PROCESS_PRIORITY_CLASS, *PPROCESS_PRIORITY_CLASS;

typedef struct _PS_IMPERSONATION_INFORMATION {
    PACCESS_TOKEN                   Token;
    BOOLEAN                         CopyOnOpen;
    BOOLEAN                         EffectiveOnly;
    SECURITY_IMPERSONATION_LEVEL    ImpersonationLevel;
} PS_IMPERSONATION_INFORMATION, *PPS_IMPERSONATION_INFORMATION;

typedef struct _SECTION_BASIC_INFORMATION {
    PVOID           BaseAddress;
    ULONG           Attributes;
    LARGE_INTEGER   Size;
} SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;

typedef struct _SECTION_IMAGE_INFORMATION {
    PVOID   EntryPoint;
    ULONG   Unknown1;
    ULONG   StackReserve;
    ULONG   StackCommit;
    ULONG   Subsystem;
    USHORT  MinorSubsystemVersion;
    USHORT  MajorSubsystemVersion;
    ULONG   Unknown2;
    ULONG   Characteristics;
    USHORT  ImageNumber;
    BOOLEAN Executable;
    UCHAR   Unknown3;
    ULONG   Unknown4[3];
} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;

typedef struct _SECTION_OBJECT {
    PVOID                   StartingVa;
    PVOID                   EndingVa;
    struct _SECTION_OBJECT  *Parent;
    struct _SECTION_OBJECT  *LeftChild;
    struct _SECTION_OBJECT  *RightChild;
    PVOID                   Segment;
} SECTION_OBJECT, *PSECTION_OBJECT;

typedef struct _SEP_AUDIT_POLICY {
    // _SEP_AUDIT_POLICY_CATEGORIES
    ULONGLONG System                    : 4;
    ULONGLONG Logon                     : 4;
    ULONGLONG ObjectAccess              : 4;
    ULONGLONG PrivilegeUse              : 4;
    ULONGLONG DetailedTracking          : 4;
    ULONGLONG PolicyChange              : 4;
    ULONGLONG AccountManagement         : 4;
    ULONGLONG DirectoryServiceAccess    : 4;
    ULONGLONG AccountLogon              : 4;
    // _SEP_AUDIT_POLICY_OVERLAY
    ULONGLONG SetBit                    : 1;
} SEP_AUDIT_POLICY, *PSEP_AUDIT_POLICY;

/* size 0x1C */
typedef struct _SEP_AUDIT_POLICY_VISTA {
    UCHAR   PerUserPolicy[25];  /* +0x000 */
    UCHAR   PolicySetStatus;    /* +0x019 */
    USHORT  Alignment;          /* +0x01A */
} SEP_AUDIT_POLICY_VISTA, *PSEP_AUDIT_POLICY_VISTA;

typedef struct _SERVICE_DESCRIPTOR_TABLE {
    /*
     * Table containing cServices elements of pointers to service handler
     * functions, indexed by service ID.
     */
    PVOID   *ServiceTable;
    /*
     * Table that counts how many times each service is used. This table
     * is only updated in checked builds.
     */
    PULONG  CounterTable;
    /*
     * Number of services contained in this table.
     */
    ULONG   TableSize;
    /*
     * Table containing the number of bytes of parameters the handler
     * function takes.
     */
    PUCHAR  ArgumentTable;
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;

#if (NTDDI_VERSION >= NTDDI_WINXP)

typedef struct _SHARED_CACHE_MAP {
    CSHORT                      NodeTypeCode;
    CSHORT                      NodeByteSize;
    ULONG                       OpenCount;
    LARGE_INTEGER               FileSize;
    LIST_ENTRY                  BcbList;
    LARGE_INTEGER               SectionSize;
    LARGE_INTEGER               ValidDataLength;
    LARGE_INTEGER               ValidDataGoal;
    PVACB                       InitialVacbs[4];
    PVACB                       *Vacbs;
    PFILE_OBJECT                FileObject;
    PVACB                       ActiveVacb;
    PVOID                       NeedToZero;
    ULONG                       ActivePage;
    ULONG                       NeedToZeroPage;
    KSPIN_LOCK                  ActiveVacbSpinLock;
    ULONG                       VacbActiveCount;
    ULONG                       DirtyPages;
    LIST_ENTRY                  SharedCacheMapLinks;
    ULONG                       Flags;
    NTSTATUS                    Status;
    PMBCB                       Mbcb;
    PVOID                       Section;
    PKEVENT                     CreateEvent;
    PKEVENT                     WaitOnActiveCount;
    ULONG                       PagesToWrite;
    LONGLONG                    BeyondLastFlush;
    PCACHE_MANAGER_CALLBACKS    Callbacks;
    PVOID                       LazyWriteContext;
    LIST_ENTRY                  PrivateList;
    PVOID                       LogHandle;
    PVOID                       FlushToLsnRoutine;
    ULONG                       DirtyPageThreshold;
    ULONG                       LazyWritePassCount;
    PCACHE_UNINITIALIZE_EVENT   UninitializeEvent;
    PVACB                       NeedToZeroVacb;
    KSPIN_LOCK                  BcbSpinLock;
    PVOID                       Reserved;
    KEVENT                      Event;
    EX_PUSH_LOCK                VacbPushLock;
    PRIVATE_CACHE_MAP           PrivateCacheMap;
} SHARED_CACHE_MAP, *PSHARED_CACHE_MAP;

#endif // (NTDDI_VERSION >= NTDDI_WINXP)

#ifndef _NTIFS_

typedef struct _SID_AND_ATTRIBUTES {
    PSID    Sid;
    ULONG   Attributes;
} SID_AND_ATTRIBUTES, *PSID_AND_ATTRIBUTES;

typedef struct _SID_AND_ATTRIBUTES_HASH {
    ULONG               SidCount;   /* +0x000 */
    PSID_AND_ATTRIBUTES SidAttr;    /* +0x004 */
    ULONG               Hash[32];   /* +0x008 */
} SID_AND_ATTRIBUTES_HASH, *PSID_AND_ATTRIBUTES_HASH;

#endif // _NTIFS_

// SystemBasicInformation
typedef struct _SYSTEM_BASIC_INFORMATION {
    ULONG Unknown;
    ULONG MaximumIncrement;
    ULONG PhysicalPageSize;
    ULONG NumberOfPhysicalPages;
    ULONG LowestPhysicalPage;
    ULONG HighestPhysicalPage;
    ULONG AllocationGranularity;
    ULONG LowestUserAddress;
    ULONG HighestUserAddress;
    ULONG ActiveProcessors;
    UCHAR NumberProcessors;
} SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION;

// SystemProcessorInformation
typedef struct _SYSTEM_PROCESSOR_INFORMATION {
    USHORT  ProcessorArchitecture;
    USHORT  ProcessorLevel;
    USHORT  ProcessorRevision;
    USHORT  Unknown;
    ULONG   FeatureBits;
} SYSTEM_PROCESSOR_INFORMATION, *PSYSTEM_PROCESSOR_INFORMATION;

// SystemPerformanceInformation
typedef struct _SYSTEM_PERFORMANCE_INFORMATION {
    LARGE_INTEGER   IdleTime;
    LARGE_INTEGER   ReadTransferCount;
    LARGE_INTEGER   WriteTransferCount;
    LARGE_INTEGER   OtherTransferCount;
    ULONG           ReadOperationCount;
    ULONG           WriteOperationCount;
    ULONG           OtherOperationCount;
    ULONG           AvailablePages;
    ULONG           TotalCommittedPages;
    ULONG           TotalCommitLimit;
    ULONG           PeakCommitment;
    ULONG           PageFaults;
    ULONG           WriteCopyFaults;
    ULONG           TransistionFaults;
    ULONG           Reserved1;
    ULONG           DemandZeroFaults;
    ULONG           PagesRead;
    ULONG           PageReadIos;
    ULONG           Reserved2[2];
    ULONG           PagefilePagesWritten;
    ULONG           PagefilePageWriteIos;
    ULONG           MappedFilePagesWritten;
    ULONG           MappedFilePageWriteIos;
    ULONG           PagedPoolUsage;
    ULONG           NonPagedPoolUsage;
    ULONG           PagedPoolAllocs;
    ULONG           PagedPoolFrees;
    ULONG           NonPagedPoolAllocs;
    ULONG           NonPagedPoolFrees;
    ULONG           TotalFreeSystemPtes;
    ULONG           SystemCodePage;
    ULONG           TotalSystemDriverPages;
    ULONG           TotalSystemCodePages;
    ULONG           SmallNonPagedLookasideListAllocateHits;
    ULONG           SmallPagedLookasideListAllocateHits;
    ULONG           Reserved3;
    ULONG           MmSystemCachePage;
    ULONG           PagedPoolPage;
    ULONG           SystemDriverPage;
    ULONG           FastReadNoWait;
    ULONG           FastReadWait;
    ULONG           FastReadResourceMiss;
    ULONG           FastReadNotPossible;
    ULONG           FastMdlReadNoWait;
    ULONG           FastMdlReadWait;
    ULONG           FastMdlReadResourceMiss;
    ULONG           FastMdlReadNotPossible;
    ULONG           MapDataNoWait;
    ULONG           MapDataWait;
    ULONG           MapDataNoWaitMiss;
    ULONG           MapDataWaitMiss;
    ULONG           PinMappedDataCount;
    ULONG           PinReadNoWait;
    ULONG           PinReadWait;
    ULONG           PinReadNoWaitMiss;
    ULONG           PinReadWaitMiss;
    ULONG           CopyReadNoWait;
    ULONG           CopyReadWait;
    ULONG           CopyReadNoWaitMiss;
    ULONG           CopyReadWaitMiss;
    ULONG           MdlReadNoWait;
    ULONG           MdlReadWait;
    ULONG           MdlReadNoWaitMiss;
    ULONG           MdlReadWaitMiss;
    ULONG           ReadAheadIos;
    ULONG           LazyWriteIos;
    ULONG           LazyWritePages;
    ULONG           DataFlushes;
    ULONG           DataPages;
    ULONG           ContextSwitches;
    ULONG           FirstLevelTbFills;
    ULONG           SecondLevelTbFills;
    ULONG           SystemCalls;
} SYSTEM_PERFORMANCE_INFORMATION, *PSYSTEM_PERFORMANCE_INFORMATION;

// SystemTimeOfDayInformation
typedef struct _SYSTEM_TIME_OF_DAY_INFORMATION {
    LARGE_INTEGER   BootTime;
    LARGE_INTEGER   CurrentTime;
    LARGE_INTEGER   TimeZoneBias;
    ULONG           CurrentTimeZoneId;
} SYSTEM_TIME_OF_DAY_INFORMATION, *PSYSTEM_TIME_OF_DAY_INFORMATION;

typedef struct _SYSTEM_THREADS_INFORMATION {
    LARGE_INTEGER   KernelTime;
    LARGE_INTEGER   UserTime;
    LARGE_INTEGER   CreateTime;
    ULONG           WaitTime;
    PVOID           StartAddress;
    CLIENT_ID       ClientId;
    KPRIORITY       Priority;
    KPRIORITY       BasePriority;
    ULONG           ContextSwitchCount;
    THREAD_STATE    State;
    KWAIT_REASON    WaitReason;
} SYSTEM_THREADS_INFORMATION, *PSYSTEM_THREADS_INFORMATION;

// SystemProcessesAndThreadsInformation
typedef struct _SYSTEM_PROCESSES_INFORMATION {
    ULONG                       NextEntryDelta;
    ULONG                       ThreadCount;
    ULONG                       Reserved1[6];
    LARGE_INTEGER               CreateTime;
    LARGE_INTEGER               UserTime;
    LARGE_INTEGER               KernelTime;
    UNICODE_STRING              ProcessName;
    KPRIORITY                   BasePriority;
    ULONG                       ProcessId;
    ULONG                       InheritedFromProcessId;
    ULONG                       HandleCount;
    ULONG                       SessionId;
    ULONG                       Reserved2;
    VM_COUNTERS                 VmCounters;
#if (NTDDI_VERSION >= NTDDI_WIN2K)
    IO_COUNTERS                 IoCounters;
#endif // (NTDDI_VERSION >= NTDDI_WIN2K)
    SYSTEM_THREADS_INFORMATION  Threads[1];
} SYSTEM_PROCESSES_INFORMATION, *PSYSTEM_PROCESSES_INFORMATION;

// SystemCallCounts
typedef struct _SYSTEM_CALL_COUNTS {
    ULONG Size;
    ULONG NumberOfDescriptorTables;
    ULONG NumberOfRoutinesInTable[1];
    // On checked build this is followed by a ULONG CallCounts[1] variable length array.
} SYSTEM_CALL_COUNTS, *PSYSTEM_CALL_COUNTS;

// SystemConfigurationInformation
typedef struct _SYSTEM_CONFIGURATION_INFORMATION {
    ULONG DiskCount;
    ULONG FloppyCount;
    ULONG CdRomCount;
    ULONG TapeCount;
    ULONG SerialCount;
    ULONG ParallelCount;
} SYSTEM_CONFIGURATION_INFORMATION, *PSYSTEM_CONFIGURATION_INFORMATION;

// SystemProcessorTimes
typedef struct _SYSTEM_PROCESSOR_TIMES {
    LARGE_INTEGER   IdleTime;
    LARGE_INTEGER   KernelTime;
    LARGE_INTEGER   UserTime;
    LARGE_INTEGER   DpcTime;
    LARGE_INTEGER   InterruptTime;
    ULONG           InterruptCount;
} SYSTEM_PROCESSOR_TIMES, *PSYSTEM_PROCESSOR_TIMES;

// SystemGlobalFlag
typedef struct _SYSTEM_GLOBAL_FLAG {
    ULONG GlobalFlag;
} SYSTEM_GLOBAL_FLAG, *PSYSTEM_GLOBAL_FLAG;

// SystemModuleInformation
typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG   Reserved[2];
    PVOID   Base;
    ULONG   Size;
    ULONG   Flags;
    USHORT  Index;
    USHORT  Unknown;
    USHORT  LoadCount;
    USHORT  ModuleNameOffset;
    CHAR    ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

// SystemLockInformation
typedef struct _SYSTEM_LOCK_INFORMATION {
    PVOID   Address;
    USHORT  Type;
    USHORT  Reserved1;
    ULONG   ExclusiveOwnerThreadId;
    ULONG   ActiveCount;
    ULONG   ContentionCount;
    ULONG   Reserved2[2];
    ULONG   NumberOfSharedWaiters;
    ULONG   NumberOfExclusiveWaiters;
} SYSTEM_LOCK_INFORMATION, *PSYSTEM_LOCK_INFORMATION;

// SystemHandleInformation
typedef struct _SYSTEM_HANDLE_INFORMATION {
    ULONG       ProcessId;
    UCHAR       ObjectTypeNumber;
    UCHAR       Flags;
    USHORT      Handle;
    PVOID       Object;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

// SystemObjectInformation
typedef struct _SYSTEM_OBJECT_TYPE_INFORMATION {
    ULONG           NextEntryOffset;
    ULONG           ObjectCount;
    ULONG           HandleCount;
    ULONG           TypeNumber;
    ULONG           InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ACCESS_MASK     ValidAccessMask;
    POOL_TYPE       PoolType;
    UCHAR           Unknown;
    UNICODE_STRING  Name;
} SYSTEM_OBJECT_TYPE_INFORMATION, *PSYSTEM_OBJECT_TYPE_INFORMATION;

typedef struct _SYSTEM_OBJECT_INFORMATION {
    ULONG                   NextEntryOffset;
    PVOID                   Object;
    ULONG                   CreatorProcessId;
    USHORT                  Unknown;
    USHORT                  Flags;
    ULONG                   PointerCount;
    ULONG                   HandleCount;
    ULONG                   PagedPoolUsage;
    ULONG                   NonPagedPoolUsage;
    ULONG                   ExclusiveProcessId;
    PSECURITY_DESCRIPTOR    SecurityDescriptor;
    UNICODE_STRING          Name;
} SYSTEM_OBJECT_INFORMATION, *PSYSTEM_OBJECT_INFORMATION;

// SystemPagefileInformation
typedef struct _SYSTEM_PAGEFILE_INFORMATION {
    ULONG           NextEntryOffset;
    ULONG           CurrentSize;
    ULONG           TotalUsed;
    ULONG           PeakUsed;
    UNICODE_STRING  FileName;
} SYSTEM_PAGEFILE_INFORMATION, *PSYSTEM_PAGEFILE_INFORMATION;

// SystemInstructionEmulationCounts
typedef struct _SYSTEM_INSTRUCTION_EMULATION_COUNTS {
    ULONG GenericInvalidOpcode;
    ULONG TwoByteOpcode;
    ULONG ESprefix;
    ULONG CSprefix;
    ULONG SSprefix;
    ULONG DSprefix;
    ULONG FSPrefix;
    ULONG GSprefix;
    ULONG OPER32prefix;
    ULONG ADDR32prefix;
    ULONG INSB;
    ULONG INSW;
    ULONG OUTSB;
    ULONG OUTSW;
    ULONG PUSHFD;
    ULONG POPFD;
    ULONG INTnn;
    ULONG INTO;
    ULONG IRETD;
    ULONG FloatingPointOpcode;
    ULONG INBimm;
    ULONG INWimm;
    ULONG OUTBimm;
    ULONG OUTWimm;
    ULONG INB;
    ULONG INW;
    ULONG OUTB;
    ULONG OUTW;
    ULONG LOCKprefix;
    ULONG REPNEprefix;
    ULONG REPprefix;
    ULONG CLI;
    ULONG STI;
    ULONG HLT;
} SYSTEM_INSTRUCTION_EMULATION_COUNTS, *PSYSTEM_INSTRUCTION_EMULATION_COUNTS;

// SystemCacheInformation
typedef struct _SYSTEM_CACHE_INFORMATION {
    ULONG SystemCacheWsSize;
    ULONG SystemCacheWsPeakSize;
    ULONG SystemCacheWsFaults;
    ULONG SystemCacheWsMinimum;
    ULONG SystemCacheWsMaximum;
    ULONG TransitionSharedPages;
    ULONG TransitionSharedPagesPeak;
    ULONG Reserved[2];
} SYSTEM_CACHE_INFORMATION, *PSYSTEM_CACHE_INFORMATION;

// SystemPoolTagInformation
typedef struct _SYSTEM_POOL_TAG_INFORMATION {
    CHAR    Tag[4];
    ULONG   PagedPoolAllocs;
    ULONG   PagedPoolFrees;
    ULONG   PagedPoolUsage;
    ULONG   NonPagedPoolAllocs;
    ULONG   NonPagedPoolFrees;
    ULONG   NonPagedPoolUsage;
} SYSTEM_POOL_TAG_INFORMATION, *PSYSTEM_POOL_TAG_INFORMATION;

// SystemProcessorStatistics
typedef struct _SYSTEM_PROCESSOR_STATISTICS {
    ULONG ContextSwitches;
    ULONG DpcCount;
    ULONG DpcRequestRate;
    ULONG TimeIncrement;
    ULONG DpcBypassCount;
    ULONG ApcBypassCount;
} SYSTEM_PROCESSOR_STATISTICS, *PSYSTEM_PROCESSOR_STATISTICS;

// SystemDpcInformation
typedef struct _SYSTEM_DPC_INFORMATION {
    ULONG Reserved;
    ULONG MaximumDpcQueueDepth;
    ULONG MinimumDpcRate;
    ULONG AdjustDpcThreshold;
    ULONG IdealDpcRate;
} SYSTEM_DPC_INFORMATION, *PSYSTEM_DPC_INFORMATION;

// SystemLoadImage
typedef struct _SYSTEM_LOAD_IMAGE {
    UNICODE_STRING  ModuleName;
    PVOID           ModuleBase;
    PVOID           Unknown;
    PVOID           EntryPoint;
    PVOID           ExportDirectory;
} SYSTEM_LOAD_IMAGE, *PSYSTEM_LOAD_IMAGE;

// SystemUnloadImage
typedef struct _SYSTEM_UNLOAD_IMAGE {
    PVOID ModuleBase;
} SYSTEM_UNLOAD_IMAGE, *PSYSTEM_UNLOAD_IMAGE;

// SystemTimeAdjustment
typedef struct _SYSTEM_QUERY_TIME_ADJUSTMENT {
    ULONG   TimeAdjustment;
    ULONG   MaximumIncrement;
    BOOLEAN TimeSynchronization;
} SYSTEM_QUERY_TIME_ADJUSTMENT, *PSYSTEM_QUERY_TIME_ADJUSTMENT;

// SystemTimeAdjustment
typedef struct _SYSTEM_SET_TIME_ADJUSTMENT {
    ULONG   TimeAdjustment;
    BOOLEAN TimeSynchronization;
} SYSTEM_SET_TIME_ADJUSTMENT, *PSYSTEM_SET_TIME_ADJUSTMENT;

// SystemCrashDumpInformation
typedef struct _SYSTEM_CRASH_DUMP_INFORMATION {
    HANDLE CrashDumpSectionHandle;
#if (NTDDI_VERSION >= NTDDI_WIN2K)
    HANDLE Unknown;
#endif // (NTDDI_VERSION >= NTDDI_WIN2K)
} SYSTEM_CRASH_DUMP_INFORMATION, *PSYSTEM_CRASH_DUMP_INFORMATION;

// SystemExceptionInformation
typedef struct _SYSTEM_EXCEPTION_INFORMATION {
    ULONG AlignmentFixupCount;
    ULONG ExceptionDispatchCount;
    ULONG FloatingEmulationCount;
    ULONG Reserved;
} SYSTEM_EXCEPTION_INFORMATION, *PSYSTEM_EXCEPTION_INFORMATION;

// SystemCrashDumpStateInformation
typedef struct _SYSTEM_CRASH_DUMP_STATE_INFORMATION {
    ULONG ValidCrashDump;
#if (NTDDI_VERSION >= NTDDI_WIN2K)
    ULONG Unknown;
#endif // (NTDDI_VERSION >= NTDDI_WIN2K)
} SYSTEM_CRASH_DUMP_STATE_INFORMATION, *PSYSTEM_CRASH_DUMP_STATE_INFORMATION;

// SystemKernelDebuggerInformation
typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION {
    BOOLEAN DebuggerEnabled;
    BOOLEAN DebuggerNotPresent;
} SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION;

// SystemContextSwitchInformation
typedef struct _SYSTEM_CONTEXT_SWITCH_INFORMATION {
    ULONG ContextSwitches;
    ULONG ContextSwitchCounters[11];
} SYSTEM_CONTEXT_SWITCH_INFORMATION, *PSYSTEM_CONTEXT_SWITCH_INFORMATION;

// SystemRegistryQuotaInformation
typedef struct _SYSTEM_REGISTRY_QUOTA_INFORMATION {
    ULONG RegistryQuota;
    ULONG RegistryQuotaInUse;
    ULONG PagedPoolSize;
} SYSTEM_REGISTRY_QUOTA_INFORMATION, *PSYSTEM_REGISTRY_QUOTA_INFORMATION;

// SystemLoadAndCallImage
typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE {
    UNICODE_STRING ModuleName;
} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;

// SystemPrioritySeparation
typedef struct _SYSTEM_PRIORITY_SEPARATION {
    ULONG PrioritySeparation;
} SYSTEM_PRIORITY_SEPARATION, *PSYSTEM_PRIORITY_SEPARATION;

// SystemTimeZoneInformation
typedef struct _SYSTEM_TIME_ZONE_INFORMATION {
    LONG        Bias;
    WCHAR       StandardName[32];
    TIME_FIELDS StandardDate;
    LONG        StandardBias;
    WCHAR       DaylightName[32];
    TIME_FIELDS DaylightDate;
    LONG        DaylightBias;
} SYSTEM_TIME_ZONE_INFORMATION, *PSYSTEM_TIME_ZONE_INFORMATION;

// SystemLookasideInformation
typedef struct _SYSTEM_LOOKASIDE_INFORMATION {
    USHORT      Depth;
    USHORT      MaximumDepth;
    ULONG       TotalAllocates;
    ULONG       AllocateMisses;
    ULONG       TotalFrees;
    ULONG       FreeMisses;
    POOL_TYPE   Type;
    ULONG       Tag;
    ULONG       Size;
} SYSTEM_LOOKASIDE_INFORMATION, *PSYSTEM_LOOKASIDE_INFORMATION;

// SystemSetTimeSlipEvent
typedef struct _SYSTEM_SET_TIME_SLIP_EVENT {
    HANDLE TimeSlipEvent;
} SYSTEM_SET_TIME_SLIP_EVENT, *PSYSTEM_SET_TIME_SLIP_EVENT;

// SystemCreateSession
typedef struct _SYSTEM_CREATE_SESSION {
    ULONG Session;
} SYSTEM_CREATE_SESSION, *PSYSTEM_CREATE_SESSION;

// SystemDeleteSession
typedef struct _SYSTEM_DELETE_SESSION {
    ULONG Session;
} SYSTEM_DELETE_SESSION, *PSYSTEM_DELETE_SESSION;

// SystemRangeStartInformation
typedef struct _SYSTEM_RANGE_START_INFORMATION {
    PVOID SystemRangeStart;
} SYSTEM_RANGE_START_INFORMATION, *PSYSTEM_RANGE_START_INFORMATION;

// SystemSessionProcessesInformation
typedef struct _SYSTEM_SESSION_PROCESS_INFORMATION {
    ULONG SessionId;
    ULONG BufferSize;
    PVOID Buffer;
} SYSTEM_SESSION_PROCESS_INFORMATION, *PSYSTEM_SESSION_PROCESS_INFORMATION;

typedef struct _GDI_TEB_BATCH {
    ULONG Offset;
    ULONG HDC;
    ULONG Buffer[(NTDDI_VERSION >= NTDDI_WIN2K) ? 0x133 : 0x136];
} GDI_TEB_BATCH, *PGDI_TEB_BATCH;

#if (NTDDI_VERSION >= NTDDI_WINXP)

typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME {
    struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous;
    struct _ACTIVATION_CONTEXT*                 ActivationContext; // 0x4
    ULONG                                       Flags; // 0x8
} RTL_ACTIVATION_CONTEXT_STACK_FRAME, *PRTL_ACTIVATION_CONTEXT_STACK_FRAME;

typedef struct _ACTIVATION_CONTEXT_STACK {
    ULONG                               Flags;
    ULONG                               NextCookieSequenceNumber;
    PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame; // 0x8
    LIST_ENTRY                          FrameListCache; // 0xc
} ACTIVATION_CONTEXT_STACK, *PACTIVATION_CONTEXT_STACK;

#endif // (NTDDI_VERSION >= NTDDI_WINXP)

typedef struct _Wx86ThreadState {
    PULONG  CallBx86Eip;
    PVOID   DeallocationCpu;
    UCHAR   UseKnownWx86Dll; // 0x8
    UCHAR   OleStubInvoked; // 0x9
} Wx86ThreadState, *PWx86ThreadState;

typedef struct _TEB_ACTIVE_FRAME_CONTEXT {
    ULONG Flags;
    PCHAR FrameName;
} TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT;

typedef struct _TEB_ACTIVE_FRAME {
    ULONG                       Flags;
    struct _TEB_ACTIVE_FRAME    *Previous;
    PTEB_ACTIVE_FRAME_CONTEXT   Context;
} TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME;

typedef struct _TEB // from Reactos, Native API; checked and corrected for 2003 and nt 4.0
                    // should also work on XP and 2000
                    // the reactos version was probably from NT 3.51 SP3
{
   NT_TIB Tib;                         /* 00h */
   PVOID EnvironmentPointer;           /* 1Ch */
   CLIENT_ID Cid;                      /* 20h */
   HANDLE RpcHandle;                   /* 28h */
   PVOID *ThreadLocalStorage;          /* 2Ch */
   PPEB Peb;                           /* 30h */
   ULONG LastErrorValue;               /* 34h */
   ULONG CountOfOwnedCriticalSections; /* 38h */
   PVOID CsrClientThread;              /* 3Ch */
   struct _W32THREAD* Win32ThreadInfo; /* 40h */    
   ULONG User32Reserved[26];           /* 44h */
   ULONG UserReserved[5];              /* ACh */
   PVOID WOW32Reserved;                /* C0h */
   LCID CurrentLocale;                 /* C4h */
   ULONG FpSoftwareStatusRegister;     /* C8h */
   PVOID SystemReserved1[0x36];        /* CCh */
#if (NTDDI_VERSION < NTDDI_WIN2K)
   PVOID Spare1;                       /* 1A4h */
#endif // (NTDDI_VERSION < NTDDI_WIN2K)
   LONG ExceptionCode;                 /* 1A4h */
#if (NTDDI_VERSION >= NTDDI_WINXP)
   ACTIVATION_CONTEXT_STACK 
        ActivationContextStack;        /* 1A8h */
   UCHAR SpareBytes1[24];              /* 1BCh */
#elif (NTDDI_VERSION >= NTDDI_WIN2K)
   UCHAR SpareBytes1[0x2c];            /* 1A8h */
#else // (NTDDI_VERSION < NTDDI_WIN2K)
   ULONG SpareBytes1[0x14];            /* 1ACh */
#endif // (NTDDI_VERSION < NTDDI_WIN2K)
   GDI_TEB_BATCH GdiTebBatch;          /* 1D4h */ /* 1FC for nt 4.0 */
   ULONG gdiRgn;                       /* 6A8h */ /* 6DCh for nt 4.0 */
   ULONG gdiPen;                       /* 6ACh */
   ULONG gdiBrush;                     /* 6B0h */
   CLIENT_ID RealClientId;             /* 6B4h */ /* 6E8h for nt 4.0 */
   PVOID GdiCachedProcessHandle;       /* 6BCh */
   ULONG GdiClientPID;                 /* 6C0h */
   ULONG GdiClientTID;                 /* 6C4h */
   PVOID GdiThreadLocaleInfo;          /* 6C8h */
#if (NTDDI_VERSION >= NTDDI_WIN2K)
   PVOID Win32ClientInfo[0x3e];        /* 6CCh */
   PVOID glDispatchTable[0xe9];        /* 7C4h */
   ULONG glReserved1[0x1d];            /* B68h */
#else // (NTDDI_VERSION < NTDDI_WIN2K)
   PVOID Win32ClientInfo[5];           /* 700h */
   PVOID glDispatchTable[0x118];       /* 714h */
   ULONG glReserved1[0x1a];            /* B74h */   
#endif // (NTDDI_VERSION < NTDDI_WIN2K)
   PVOID glReserved2;                  /* BDCh */
   PVOID glSectionInfo;                /* BE0h */
   PVOID glSection;                    /* BE4h */
   PVOID glTable;                      /* BE8h */
   PVOID glCurrentRC;                  /* BECh */
   PVOID glContext;                    /* BF0h */
   NTSTATUS LastStatusValue;           /* BF4h */
   UNICODE_STRING StaticUnicodeString; /* BF8h */
   WCHAR StaticUnicodeBuffer[0x105];   /* C00h */
   PVOID DeallocationStack;            /* E0Ch */
   PVOID TlsSlots[0x40];               /* E10h */
   LIST_ENTRY TlsLinks;                /* F10h */
   PVOID Vdm;                          /* F18h */
   PVOID ReservedForNtRpc;             /* F1Ch */
   PVOID DbgSsReserved[0x2];           /* F20h */
   ULONG HardErrorDisabled;            /* F28h */
   PVOID Instrumentation[0x10];        /* F2Ch */
   PVOID WinSockData;                  /* F6Ch */
   ULONG GdiBatchCount;                /* F70h */
   BOOLEAN InDbgPrint;                 /* F74h */
   BOOLEAN FreeStackOnTermination;     /* F75h */
   BOOLEAN HasFiberData;               /* F76h */
   UCHAR IdealProcessor;               /* F77h */
   ULONG Spare3;                       /* F78h */
   ULONG ReservedForPerf;              /* F7Ch */
   PVOID ReservedForOle;               /* F80h */
   ULONG WaitingOnLoaderLock;          /* F84h */
#if (NTDDI_VERSION >= NTDDI_WIN2K)
   Wx86ThreadState Wx86Thread;         /* F88h */
   PVOID* TlsExpansionSlots;           /* F94h */
   ULONG ImpersonationLocale;          /* F98h */
   ULONG IsImpersonating;              /* F9Ch */
   PVOID NlsCache;                     /* FA0h */
   PVOID pShimData;                    /* FA4h */
   ULONG HeapVirtualAffinity;          /* FA8h */
   PVOID CurrentTransactionHandle;     /* FACh */
   PTEB_ACTIVE_FRAME ActiveFrame;      /* FB0h*/
   PVOID FlsSlots;                     /* FB4h */
#endif // (NTDDI_VERSION >= NTDDI_WIN2K)
} TEB, *PTEB;

typedef struct _TERMINATION_PORT {
    struct _TERMINATION_PORT*   Next;
    PVOID                       Port;
} TERMINATION_PORT, *PTERMINATION_PORT;

typedef struct _THREAD_BASIC_INFORMATION {
    NTSTATUS    ExitStatus;
    PVOID       TebBaseAddress;
    ULONG       UniqueProcessId;
    ULONG       UniqueThreadId;
    KAFFINITY   AffinityMask;
    KPRIORITY   BasePriority;
    ULONG       DiffProcessPriority;
} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;

#ifndef _NTIFS_

typedef struct _TOKEN_SOURCE {
    CCHAR   SourceName[TOKEN_SOURCE_LENGTH];
    LUID    SourceIdentifier;
} TOKEN_SOURCE, *PTOKEN_SOURCE;

#endif // _NTIFS_

/* XP SP2 has same TOKEN_OBJECT structure as Windows Server 2003 (stucture K23 in union). */
#include <pshpack1.h>
typedef union
{
  struct
   {
    TOKEN_SOURCE TokenSource;     /* 0x0: CHAR SourceName[8] = "*SYSTEM*" | "User32  " + LUID SourceIdentifier = 0x10, *SYSTEM* id == 0 */
    LUID TokenId;         /* 0x10: */
    LUID AuthenticationId;    /* 0x18: */
    LARGE_INTEGER ExpirationTime; /* 0x20: -1 no expired. *SYSTEM* has expired? */
    LUID ModifiedId;          /* 0x28: */
    ULONG UserAndGroupCount;      /* 0x30: 3 */
    ULONG PrivilegeCount;     /* 0x34: 14 */
    ULONG VariableLength;     /* 0x38: 0x37C */
    ULONG DynamicCharged;     /* 0x3C: 0x1F4 */
    ULONG DynamicAvailable;   /* 0x40: 0x1A4 */
    ULONG DefaultOwnerIndex;      /* 0x44: 1 */
    PSID_AND_ATTRIBUTES UserAndGroups;/* 0x48: TOKEN_USER Owners [UserAndGroupCount] DefaultOwnerIndex */
    PSID  PrimaryGroup;       /* 0x4C: */
    PLUID_AND_ATTRIBUTES Privileges;/* 0x50: */
    PULONG DynamicPart;       /* 0x54: */
    PACL   DefaultDacl;       /* 0x58: */
    TOKEN_TYPE TokenType;     /* 0x5C: TokenPrimary | TokenImpersonation */
    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;/* 0x60: 0 */
    UCHAR   TokenFlags;       /* 0x64: 1 */
    BOOLEAN TokenInUse;       /* 0x65: 1 */
    USHORT  Alignment;        /* 0x66: 0 */
    PVOID   ProxyData;        /* 0x68: 0 */
    PVOID   AuditData;        /* 0x6C: 0 */
    ULONG VariablePart;       /* 0x70: */
   } NT;
  struct
   {
    TOKEN_SOURCE TokenSource;     /* 0x0: CHAR SourceName[8] = "*SYSTEM*" | "User32  " + LUID SourceIdentifier = 0x10 */
    LUID TokenId;         /* 0x10: */
    LUID AuthenticationId;    /* 0x18: */
    LUID ParentTokenId;       /* 0x20: 0 */
    LARGE_INTEGER ExpirationTime; /* 0x28: -1 no expired */
    LUID ModifiedId;          /* 0x30: */
    ULONG SessionId;          /* 0x38: 0 */
    ULONG UserAndGroupCount;      /* 0x3C: 9 */
    ULONG RestrictedSidCount;     /*+0x40: 0 */
    ULONG PrivilegeCount;     /* 0x44: 11 */
    ULONG VariableLength;     /* 0x48: 0x1F0 */
    ULONG DynamicCharged;     /* 0x4C: 0x1F4 */
    ULONG DynamicAvailable;   /* 0x50: 0x1A4 */
    ULONG DefaultOwnerIndex;      /* 0x54: 3 */
    PSID_AND_ATTRIBUTES UserAndGroups; /* 0x58: TOKEN_USER Owners [UserAndGroupCount] DefaultOwnerIndex */
    PSID_AND_ATTRIBUTES RestrictedSids;/* 0x5C: 0 */
    PSID  PrimaryGroup;       /* 0x60: */
    PLUID_AND_ATTRIBUTES Privileges;/* 0x64: */
    PULONG DynamicPart;       /* 0x68: */
    PACL   DefaultDacl;       /* 0x6C: */
    TOKEN_TYPE TokenType;     /* 0x70: TokenPrimary | TokenImpersonation */
    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;/* 0x74: 0 */
    UCHAR   TokenFlags;       /* 0x78: 9 */
    BOOLEAN TokenInUse;       /* 0x79: 1 */
    USHORT  Alignment;        /* 0x7A: 0 */
    PVOID   ProxyData;        /* 0x7C: 0 */
    PVOID   AuditData;        /* 0x80: 0 */
    ULONG VariablePart;           /* 0x84: */
   } K2;
  struct
   {
    TOKEN_SOURCE TokenSource;     /* 0x0: CHAR SourceName[8] = "*SYSTEM*" | "User32  " + LUID SourceIdentifier = 0x10 */
    LUID TokenId;         /* 0x10: 0x6F68 */
    LUID AuthenticationId;    /* 0x18: */
    LUID ParentTokenId;       /* 0x20: 0 */
    LARGE_INTEGER ExpirationTime; /* 0x28: -1 no expired */
    PERESOURCE TokenLock;     /*+0x30: 0x8xxxxxxxx */
    LUID ModifiedId;          /* 0x34: */
    ULONG SessionId;          /* 0x3C: 0x6F6A */
    ULONG UserAndGroupCount;      /* 0x40: 4 */
    ULONG RestrictedSidCount;     /*+0x44: 0 */
    ULONG VariableLength;     /* 0x48: 0x160 */
    ULONG DynamicCharged;     /* 0x4C: 0x164 */
    ULONG DynamicAvailable;   /* 0x50: 0x1F4 */
    ULONG PrivilegeCount;     /* 0x54: 0 */
    ULONG DefaultOwnerIndex;      /* 0x58: 1 */
    PSID_AND_ATTRIBUTES UserAndGroups; /* 0x5C: TOKEN_USER Owners [UserAndGroupCount] DefaultOwnerIndex */
    PSID_AND_ATTRIBUTES RestrictedSids;/* 0x60: 0 */
    PSID  PrimaryGroup;       /* 0x64: */
    PLUID_AND_ATTRIBUTES Privileges;/* 0x68: */
    PULONG DynamicPart;       /* 0x6C: */
    PACL   DefaultDacl;       /* 0x70: */
    TOKEN_TYPE TokenType;     /* 0x74: TokenPrimary | TokenImpersonation */
    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;/* 0x78: 0 */
    UCHAR   TokenFlags;       /* 0x7C: 9 */
    BOOLEAN TokenInUse;       /* 0x7D: 1 */
    USHORT  Alignment;        /* 0x7E: 4BB4 */
    PVOID   ProxyData;        /* 0x80: 0 */
    PVOID   AuditData;        /* 0x84: 0 */
    ULONG VariablePart;       /* 0x88: */
   } XP;
  struct
   {
    TOKEN_SOURCE TokenSource;     /* 0x0: CHAR SourceName[8] = "*SYSTEM*" | "User32  " + LUID SourceIdentifier = 0x10 */
    LUID TokenId;         /* 0x10: 0x6F68 */
    LUID AuthenticationId;    /* 0x18: */
    LUID ParentTokenId;       /* 0x20: 0 */
    LARGE_INTEGER ExpirationTime; /* 0x28: -1 no expired */
    PERESOURCE TokenLock;     /*+0x30: 0x8xxxxxxxx */
    ULONG Padding64;          /*+0x34: 0xXxxxxxxxx */
    SEP_AUDIT_POLICY AuditPolicy; /*+0x38: */
    LUID ModifiedId;          /*+0x040: 0x6F6A */
    ULONG SessionId;          /*+0x048: */
    ULONG UserAndGroupCount;      /* 0x4C: 4 */
    ULONG RestrictedSidCount;     /*+0x50: 0 */
    ULONG VariableLength;     /* 0x54: 0x18 */
    ULONG DynamicCharged;     /* 0x58: 0x17C */
    ULONG DynamicAvailable;   /* 0x5C: 0x1F4 */
    ULONG PrivilegeCount;     /* 0x60: 0 */
    ULONG DefaultOwnerIndex;      /* 0x64: 1 */
    PSID_AND_ATTRIBUTES UserAndGroups; /* 0x68: TOKEN_USER Owners [UserAndGroupCount] DefaultOwnerIndex */
    PSID_AND_ATTRIBUTES RestrictedSids;/* 0x6C: 0 */
    PSID  PrimaryGroup;       /* 0x70: */
    PLUID_AND_ATTRIBUTES Privileges;/* 0x74: */
    PULONG DynamicPart;       /* 0x78: */
    PACL   DefaultDacl;       /* 0x7C: */
    TOKEN_TYPE TokenType;     /* 0x80: TokenPrimary | TokenImpersonation */
    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;/* 0x84: 0 */
    UCHAR   TokenFlags;       /* 0x88: 9 */
    BOOLEAN TokenInUse;       /* 0x89: 1 */
    USHORT  Alignment;        /* 0x8A: 4BB4 */
    PVOID   ProxyData;        /* 0x8C: 0x8xxxxxxxx */
    PVOID   AuditData;        /* 0x90: 0 */
    ULONG VariablePart;       /* 0x94: */
   } K23;
  struct
   {
    TOKEN_SOURCE TokenSource;       /* +0x0: CHAR SourceName[8] = "*SYSTEM*" | "User32  " + LUID SourceIdentifier = 0x10 */
    LUID     TokenId;       /* +0x10: 0x6F68 */
    LUID     AuthenticationId;  /* +0x18: */
    LUID     ParentTokenId;     /* +0x20: 0 */
    LARGE_INTEGER ExpirationTime;   /* +0x28: -1 no expired */
    PERESOURCE   TokenLock;     /* +0x30: 0x8xxxxxxxx */
    ULONG    Padding64;     /* +0x34: 0xXxxxxxxxx */
    SEP_AUDIT_POLICY AuditPolicy;   /* +0x38: */
    LUID     ModifiedId;        /* +0x040: 0x6F6A */
    ULONG    SessionId;     /* +0x048: */
    ULONG    UserAndGroupCount; /* +0x04c: 4 */
    ULONG    RestrictedSidCount;    /* +0x050: 0 */
    ULONG    PrivilegeCount;    /* +0x054: 0x18 */
    ULONG    VariableLength;    /* +0x058: 0x17C */
    ULONG    DynamicCharged;    /* +0x05c: 0x1F4 */
    ULONG    DynamicAvailable;  /* +0x060: 0 */
    ULONG    DefaultOwnerIndex; /* +0x064: 1 */
    PSID_AND_ATTRIBUTES UserAndGroups;  /* +0x68: TOKEN_USER Owners [UserAndGroupCount] DefaultOwnerIndex */
    PSID_AND_ATTRIBUTES RestrictedSids; /* +0x6C: 0 */
    PSID     PrimaryGroup;      /* +0x70: */
    PLUID_AND_ATTRIBUTES Privileges;    /* +0x74: */
    PULONG   DynamicPart;       /* +0x78: */
    PACL     DefaultDacl;       /* +0x7C: */
    TOKEN_TYPE   TokenType;     /* +0x80: TokenPrimary | TokenImpersonation */
    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;/* +0x84: 0 */
    UCHAR    TokenFlags;        /* +0x88: 9 */
    BOOLEAN  TokenInUse;        /* +0x89: 1 */
    USHORT   Alignment;     /* +0x8A: 4BB4 */
    PVOID    ProxyData;     /* +0x8C: 0x8xxxxxxxx */
    PVOID    AuditData;     /* +0x90: 0 */
    PVOID    LogonSession;      /* +0x94: */
    LUID     OriginatingLogonSession;/* +0x98: */
    ULONG    VariablePart;      /* +0xa0: */
   } K23SP1;
  struct
   {
    TOKEN_SOURCE TokenSource;       /* +0x000 */
    LUID     TokenId;       /* +0x010 */
    LUID     AuthenticationId;  /* +0x018 */
    LUID     ParentTokenId;     /* +0x020 */
    LARGE_INTEGER ExpirationTime;   /* +0x028 */
    PERESOURCE   TokenLock;     /* +0x030 */
    LUID     ModifiedId;        /* +0x034 */
    SEP_AUDIT_POLICY_VISTA AuditPolicy; /* +0x03c */
    ULONG    SessionId;     /* +0x058 */
    ULONG    UserAndGroupCount; /* +0x05c */
    ULONG    RestrictedSidCount;    /* +0x060 */
    ULONG    PrivilegeCount;    /* +0x064 */
    ULONG    VariableLength;    /* +0x068 */
    ULONG    DynamicCharged;    /* +0x06c */
    ULONG    DynamicAvailable;  /* +0x070 */
    ULONG    DefaultOwnerIndex; /* +0x074 */
    PSID_AND_ATTRIBUTES UserAndGroups;  /* +0x078 */
    PSID_AND_ATTRIBUTES RestrictedSids; /* +0x07c */
    PSID     PrimaryGroup;      /* +0x080 */
    PLUID_AND_ATTRIBUTES Privileges;    /* +0x084 */
    PULONG   DynamicPart;       /* +0x088 */
    PACL     DefaultDacl;       /* +0x08c */
    TOKEN_TYPE   TokenType;     /* +0x090 */
    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;/* +0x094 */
    ULONG    TokenFlags;        /* +0x098 */
    BOOLEAN  TokenInUse;        /* +0x09c */
    BOOLEAN  WriterPresent;     /* +0x09d */
    USHORT   Alignment;     /* +0x09e */
    ULONG    IntegrityLevelIndex;   /* +0x0a0 */
    ULONG    DesktopIntegrityLevelIndex;/* +0x0a4 */
    ULONG    MandatoryPolicy;   /* +0x0a8 */
    PVOID    ProxyData;     /* +0x0ac */
    PVOID    AuditData;     /* +0x0b0 */
    PVOID    LogonSession;      /* +0x0b4 */
    LUID     OriginatingLogonSession;/* +0x0b8 */
    SID_AND_ATTRIBUTES_HASH SidHash;    /* +0x0c0 */
    SID_AND_ATTRIBUTES_HASH RestrictedSidHash;/* +0x148 */
    ULONG    VariablePart;      /* +0x1d0 */
   } VISTA;
  struct
   {
    TOKEN_SOURCE TokenSource;       /* +0x000 */
    LUID     TokenId;       /* +0x010 */
    LUID     AuthenticationId;  /* +0x018 */
    LUID     ParentTokenId;     /* +0x020 */
    LARGE_INTEGER ExpirationTime;   /* +0x028 */
    PERESOURCE   TokenLock;     /* +0x030 */
    SEP_AUDIT_POLICY AuditPolicy;   /* +0x038 */
    LUID     ModifiedId;        /* +0x040 */
    ULONG    SessionId;     /* +0x048 */
    ULONG    UserAndGroupCount; /* +0x04c */
    ULONG    RestrictedSidCount;    /* +0x050 */
    ULONG    PrivilegeCount;    /* +0x054 */
    ULONG    VariableLength;    /* +0x058 */
    ULONG    DynamicCharged;    /* +0x05c */
    ULONG    DynamicAvailable;  /* +0x060 */
    ULONG    DefaultOwnerIndex; /* +0x064 */
    PSID_AND_ATTRIBUTES UserAndGroups;  /* +0x068 */
    PSID_AND_ATTRIBUTES RestrictedSids; /* +0x070 */
    PSID     PrimaryGroup;      /* +0x078 */
    PLUID_AND_ATTRIBUTES Privileges;    /* +0x080 */
    PULONG   DynamicPart;       /* +0x088 */
    PACL     DefaultDacl;       /* +0x090 */
    TOKEN_TYPE   TokenType;     /* +0x098 */
    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; /* +0x09c */
    UCHAR    TokenFlags;        /* +0x0a0 */
    BOOLEAN  TokenInUse;        /* +0x0a1 */
    UCHAR    Padding64 [6];     /* +0x0a2 */
    PVOID    ProxyData;     /* +0x0a8 */
    PVOID    AuditData;     /* +0x0b0 */
    PVOID    LogonSession;      /* +0x0b8 */
    LUID     OriginatingLogonSession;/* +0x0c0 */
    ULONG    VariablePart;      /* +0x0c8 */
   } XP64; /* equial 2K3SP1x64 */
  /* VariablePart */
} TOKEN_OBJECT, *PTOKEN_OBJECT;
#include <poppack.h>

typedef struct _VACB {
    PVOID               BaseAddress;
    PSHARED_CACHE_MAP   SharedCacheMap;
    union {
        LARGE_INTEGER   FileOffset;
        USHORT          ActiveCount;
    } Overlay;
    LIST_ENTRY          LruList;
} VACB, *PVACB;

typedef struct _VAD_HEADER {
    PVOID       StartVPN;
    PVOID       EndVPN;
    PVAD_HEADER ParentLink;
    PVAD_HEADER LeftLink;
    PVAD_HEADER RightLink;
    ULONG       Flags;          // LSB = CommitCharge
    PVOID       ControlArea;
    PVOID       FirstProtoPte;
    PVOID       LastPTE;
    ULONG       Unknown;
    LIST_ENTRY  Secured;
} VAD_HEADER, *PVAD_HEADER;

typedef struct _X86BIOS_REGISTERS {
    ULONG   Eax;
    ULONG   Ecx;
    ULONG   Edx;
    ULONG   Ebx;
    ULONG   Ebp;
    ULONG   Esi;
    ULONG   Edi;
    USHORT  SegDs;
    USHORT  SegEs;
} X86BIOS_REGISTERS, *PX86BIOS_REGISTERS;

NTKERNELAPI
LARGE_INTEGER
CcGetLsnForFileObject (
    IN PFILE_OBJECT     FileObject,
    OUT PLARGE_INTEGER  OldestLsn OPTIONAL
);

NTKERNELAPI
INT
ExSystemExceptionFilter (
    VOID
);

NTKERNELAPI
PVOID
FsRtlAllocatePool (
    IN POOL_TYPE    PoolType,
    IN ULONG        NumberOfBytes
);

NTKERNELAPI
PVOID
FsRtlAllocatePoolWithQuota (
    IN POOL_TYPE    PoolType,
    IN ULONG        NumberOfBytes
);

#ifdef FsRtlAllocatePoolWithQuotaTag
#undef FsRtlAllocatePoolWithQuotaTag
#endif


NTKERNELAPI
PVOID
FsRtlAllocatePoolWithQuotaTag (
    IN POOL_TYPE    PoolType,
    IN ULONG        NumberOfBytes,
    IN ULONG        Tag
);

#ifdef FsRtlAllocatePoolWithTag
#undef FsRtlAllocatePoolWithTag
#endif


NTKERNELAPI
PVOID
FsRtlAllocatePoolWithTag (
    IN POOL_TYPE    PoolType,
    IN ULONG        NumberOfBytes,
    IN ULONG        Tag
);

NTKERNELAPI
VOID
FsRtlNotifyChangeDirectory (
    IN PNOTIFY_SYNC NotifySync,
    IN PVOID        FsContext,
    IN PSTRING      FullDirectoryName,
    IN PLIST_ENTRY  NotifyList,
    IN BOOLEAN      WatchTree,
    IN ULONG        CompletionFilter,
    IN PIRP         NotifyIrp
);

NTKERNELAPI
VOID
FsRtlNotifyReportChange (
    IN PNOTIFY_SYNC NotifySync,
    IN PLIST_ENTRY  NotifyList,
    IN PSTRING      FullTargetName,
    IN PSTRING      TargetName,
    IN ULONG        FilterMatch
);

NTSYSAPI
NTSTATUS
NTAPI
HalAdjustResourceList (
    IN OUT PIO_RESOURCE_REQUIREMENTS_LIST *pResourceList
);

NTSYSAPI
BOOLEAN
NTAPI
HalAllProcessorsStarted (
    VOID
);

#if (NTDDI_VERSION >= NTDDI_VISTA)

NTSYSAPI
KIRQL
NTAPI
HalConvertDeviceIdtToIrql (
    IN ULONG Vector
);

NTSYSAPI
NTSTATUS
NTAPI
HalDisableInterrupt (
    IN ULONG Unknown
);

#endif // (NTDDI_VERSION >= NTDDI_VISTA)

//
// If using HalDisplayString during boot on Windows 2000 or later
// you must first call InbvEnableDisplayString.
//
NTSYSAPI
VOID
NTAPI
HalDisplayString (
    IN PUCHAR String
);

#if (NTDDI_VERSION >= NTDDI_VISTA)

NTSYSAPI
NTSTATUS
NTAPI
HalEnableInterrupt (
    IN ULONG Unknown
);

NTSYSAPI
ULONG
NTAPI
HalQueryMaximumProcessorCount (
    VOID
);

#endif // (NTDDI_VERSION >= NTDDI_VISTA)

NTSYSAPI
BOOLEAN
NTAPI
HalQueryRealTimeClock (
    OUT PTIME_FIELDS TimeFields
);

#if (NTDDI_VERSION >= NTDDI_VISTA)

NTSYSAPI
NTSTATUS
NTAPI
HalRegisterErrataCallbacks (
    VOID
);

#endif // (NTDDI_VERSION >= NTDDI_VISTA)

NTSYSAPI
BOOLEAN
NTAPI
HalSetRealTimeClock (
    IN PTIME_FIELDS TimeFields
);

#if (NTDDI_VERSION >= NTDDI_WIN2K)

NTKERNELAPI
VOID
InbvAcquireDisplayOwnership (
    VOID
);

NTKERNELAPI
BOOLEAN
InbvCheckDisplayOwnership (
    VOID
);

NTKERNELAPI
BOOLEAN
InbvDisplayString (
    IN PUCHAR String
);

NTKERNELAPI
VOID
InbvEnableBootDriver (
    IN BOOLEAN Enable
);

NTKERNELAPI
BOOLEAN
InbvEnableDisplayString (
    IN BOOLEAN Enable
);

typedef
VOID
(*INBV_DISPLAY_STRING_FILTER) (
    PUCHAR *String
);

NTKERNELAPI
VOID
InbvInstallDisplayStringFilter (
    IN INBV_DISPLAY_STRING_FILTER DisplayStringFilter
);

NTKERNELAPI
BOOLEAN
InbvIsBootDriverInstalled (
    VOID
);

typedef
BOOLEAN
(*INBV_RESET_DISPLAY_PARAMETERS) (
    ULONG Cols,
    ULONG Rows
);

NTKERNELAPI
VOID
InbvNotifyDisplayOwnershipLost (
    IN INBV_RESET_DISPLAY_PARAMETERS ResetDisplayParameters
);

NTKERNELAPI
BOOLEAN
InbvResetDisplay (
    VOID
);

NTKERNELAPI
VOID
InbvSetScrollRegion (
    IN ULONG Left,
    IN ULONG Top,
    IN ULONG Width,
    IN ULONG Height
);

NTKERNELAPI
ULONG
InbvSetTextColor (
    IN ULONG Color
);

NTKERNELAPI
VOID
InbvSolidColorFill (
    IN ULONG Left,
    IN ULONG Top,
    IN ULONG Width,
    IN ULONG Height,
    IN ULONG Color
);

#endif // (NTDDI_VERSION >= NTDDI_WIN2K)

NTKERNELAPI
BOOLEAN
KdPollBreakIn (
    VOID
);

NTKERNELAPI
VOID
KeEnterKernelDebugger (
    VOID
);

NTKERNELAPI
KPROCESSOR_MODE
KeGetPreviousMode (
    VOID
);

#if (NTDDI_VERSION >= NTDDI_WIN7)

NTKERNELAPI
ULONG
KeGetXSaveFeatureFlags (
    VOID
);

#endif // (NTDDI_VERSION >= NTDDI_WIN7)

NTKERNELAPI
VOID
KeInitializeApc (
    IN PKAPC                Apc,
    IN PKTHREAD             Thread,
    IN KAPC_ENVIRONMENT     Environment,
    IN PKKERNEL_ROUTINE     KernelRoutine,
    IN PKRUNDOWN_ROUTINE    RundownRoutine OPTIONAL,
    IN PKNORMAL_ROUTINE     NormalRoutine OPTIONAL,
    IN KPROCESSOR_MODE      ProcessorMode OPTIONAL,
    IN PVOID                NormalContext OPTIONAL
);

NTKERNELAPI
BOOLEAN
KeInsertQueueApc (
    IN PKAPC        Apc,
    IN PVOID        SystemArgument1,
    IN PVOID        SystemArgument2,
    IN KPRIORITY    Increment
);

#if (NTDDI_VERSION >= NTDDI_WINXP)

NTKERNELAPI
BOOLEAN
KeIsAttachedProcess (
    VOID
);

#endif // (NTDDI_VERSION >= NTDDI_WINXP)

NTKERNELAPI
BOOLEAN
KeIsExecutingDpc (
    VOID
);

#if (NTDDI_VERSION >= NTDDI_WIN7)

NTKERNELAPI
NTSTATUS
KePollFreezeExecution (
    VOID
);

#endif // (NTDDI_VERSION >= NTDDI_WIN7)

NTKERNELAPI
NTSTATUS
KeUpdateSystemTime (
    VOID
);

NTKERNELAPI
VOID
KiCoprocessorError (
    VOID
);

NTKERNELAPI
VOID
KiDispatchInterrupt (
    VOID
);

NTKERNELAPI
NTSTATUS
MmCreateSection (
    OUT PVOID               *SectionObject,
    IN ACCESS_MASK          DesiredAccess,
    IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
    IN PLARGE_INTEGER       MaximumSize,
    IN ULONG                SectionPageProtection,
    IN ULONG                AllocationAttributes,
    IN HANDLE               FileHandle OPTIONAL,
    IN PFILE_OBJECT         FileObject OPTIONAL
);

NTKERNELAPI
NTSTATUS
MmMapViewOfSection (
    IN PVOID                SectionObject,
    IN PEPROCESS            Process,
    IN OUT PVOID            *BaseAddress,
    IN ULONG_PTR            ZeroBits,
    IN ULONG                CommitSize,
    IN OUT PLARGE_INTEGER   SectionOffset,
    IN OUT PULONG           ViewSize,
    IN SECTION_INHERIT      InheritDisposition,
    IN ULONG                AllocationType,
    IN ULONG                Protect
);

#if (NTDDI_VERSION >= NTDDI_VISTA)

NTSYSAPI
NTSTATUS
NTAPI
NtThawTransactions (
    VOID
);

#endif // (NTDDI_VERSION >= NTDDI_VISTA)

NTKERNELAPI
NTSTATUS
ObCreateObject (
    IN KPROCESSOR_MODE      ProbeMode,
    IN POBJECT_TYPE         ObjectType,
    IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
    IN KPROCESSOR_MODE      OwnershipMode,
    IN OUT PVOID            ParseContext OPTIONAL,
    IN ULONG                ObjectBodySize,
    IN ULONG                PagedPoolCharge,
    IN ULONG                NonPagedPoolCharge,
    OUT PVOID               *Object
);

#if (NTDDI_VERSION >= NTDDI_WINXP)

NTKERNELAPI
VOID
ObDereferenceSecurityDescriptor (
    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN ULONG                Count
);

#endif // (NTDDI_VERSION >= NTDDI_WINXP)

#if (NTDDI_VERSION <= NTDDI_WIN2K)

NTKERNELAPI
ULONG
ObGetObjectPointerCount (
    IN PVOID Object
);

#endif // (NTDDI_VERSION <= NTDDI_WIN2K)

#if (NTDDI_VERSION >= NTDDI_WINXP)

NTKERNELAPI
NTSTATUS
ObLogSecurityDescriptor (
    IN PSECURITY_DESCRIPTOR     InputSecurityDescriptor,
    OUT PSECURITY_DESCRIPTOR    *OutputSecurityDescriptor,
    IN ULONG                    RefBias
);

#endif // (NTDDI_VERSION >= NTDDI_WINXP)

NTKERNELAPI
NTSTATUS
ObReferenceObjectByName (
    IN PUNICODE_STRING  ObjectName,
    IN ULONG            Attributes,
    IN PACCESS_STATE    PassedAccessState OPTIONAL,
    IN ACCESS_MASK      DesiredAccess OPTIONAL,
    IN POBJECT_TYPE     ObjectType,
    IN KPROCESSOR_MODE  AccessMode,
    IN OUT PVOID        ParseContext OPTIONAL,
    OUT PVOID           *Object
);

#if (NTDDI_VERSION >= NTDDI_WINXP)

NTKERNELAPI
VOID
ObReferenceSecurityDescriptor (
    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN ULONG                Count
);

#endif // (NTDDI_VERSION >= NTDDI_XP)

#if (NTDDI_VERSION >= NTDDI_VISTA)

NTKERNELAPI
NTSTATUS
PoUserShutdownInitiated (
    VOID
);

#endif // (NTDDI_VERSION >= NTDDI_VISTA)

#if (NTDDI_VERSION >= NTDDI_XP)

NTKERNELAPI
NTSTATUS
PsChargeProcessNonPagedPoolQuota (
    IN PEPROCESS Process,
    IN ULONG_PTR Amount
);

NTKERNELAPI
NTSTATUS
PsChargeProcessPagedPoolQuota (
    IN PEPROCESS Process,
    IN ULONG_PTR Amount
);

#endif // (NTDDI_VERSION >= NTDDI_XP)

#if (NTDDI_VERSION >= NTDDI_VISTA)

NTKERNELAPI
NTSTATUS
PsEnterPriorityRegion (
    VOID
);

#endif // (NTDDI_VERSION >= NTDDI_VISTA)

NTKERNELAPI
ULONG
PsGetCurrentProcessSessionId (
    VOID
);

#if (NTDDI_VERSION >= NTDDI_WS03)

NTKERNELAPI
PVOID
PsGetCurrentProcessWin32Process (
    VOID
);

#endif // (NTDDI_VERSION >= NTDDI_WS03)

NTKERNELAPI
KPROCESSOR_MODE
PsGetCurrentThreadPreviousMode (
    VOID
);

#if (NTDDI_VERSION >= NTDDI_WS03)

NTKERNELAPI
PEPROCESS
PsGetCurrentThreadProcess (
    VOID
);

NTKERNELAPI
ULONG
PsGetCurrentThreadProcessId (
    VOID
);

#endif // (NTDDI_VERSION >= NTDDI_WS03)

NTKERNELAPI
PVOID
PsGetCurrentThreadStackBase (
    VOID
);

NTKERNELAPI
PVOID
PsGetCurrentThreadStackLimit (
    VOID
);

#if (NTDDI_VERSION >= NTDDI_WS03)

NTKERNELAPI
PTEB
PsGetCurrentThreadTeb (
    VOID
);

NTKERNELAPI
PVOID
PsGetCurrentThreadWin32Thread (
    VOID
);

#endif // (NTDDI_VERSION >= NTDDI_WS03)

#if (NTDDI_VERSION >= NTDDI_VISTA)

NTKERNELAPI
NTSTATUS
PsLeavePriorityRegion (
    VOID
);

#endif // (NTDDI_VERSION >= NTDDI_VISTA)

NTKERNELAPI
NTSTATUS
PsLookupProcessThreadByCid (
    IN PCLIENT_ID   Cid,
    OUT PEPROCESS   *Process OPTIONAL,
    OUT PETHREAD    *Thread
);

#if (NTDDI_VERSION >= NTDDI_WIN2K)

NTSYSAPI
ULONG
NTAPI
RtlGetNtGlobalFlags (
    VOID
);

#endif // (NTDDI_VERSION >= NTDDI_WIN2K)

NTSYSAPI
PIMAGE_NT_HEADERS
NTAPI
RtlImageNtHeader (
    IN PVOID BaseAddress
);

NTSYSAPI
NTSTATUS
NTAPI
RtlSetSaclSecurityDescriptor (
    IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN BOOLEAN                  SaclPresent,
    IN PACL                     Sacl OPTIONAL,
    IN BOOLEAN                  SaclDefaulted OPTIONAL
);

NTKERNELAPI
NTSTATUS
SeCreateAccessState (
    OUT PACCESS_STATE   AccessState,
    IN PAUX_ACCESS_DATA AuxData,
    IN ACCESS_MASK      AccessMask,
    IN PGENERIC_MAPPING GenericMapping
);

NTKERNELAPI
VOID
SeDeleteAccessState (
    IN PACCESS_STATE AccessState
);

#if (NTDDI_VERSION >= NTDDI_VISTA)

NTSYSAPI
NTSTATUS
NTAPI
TmThawTransactions (
    VOID
);

NTSYSAPI
NTSTATUS
NTAPI
TmInitSystemPhase2 (
    VOID
);

NTSYSAPI
NTSTATUS
NTAPI
TmInitSystem (
    VOID
);

NTSYSAPI
NTSTATUS
NTAPI
x86BiosAllocateBuffer (
    ULONG   *Size,
    USHORT  *Segment,
    USHORT  *Offset
);

NTSYSAPI
BOOLEAN
NTAPI
x86BiosCall (
    ULONG               InterruptNumber,
    X86BIOS_REGISTERS   *Registers
);

NTSYSAPI
NTSTATUS
NTAPI
x86BiosFreeBuffer (
    USHORT  Segment,
    USHORT  Offset
);

NTSYSAPI
NTSTATUS
NTAPI
x86BiosReadMemory (
    USHORT  Segment,
    USHORT  Offset,
    PVOID   Buffer,
    ULONG   Size
);

NTSYSAPI
NTSTATUS
NTAPI
x86BiosWriteMemory (
    USHORT  Segment,
    USHORT  Offset,
    PVOID   Buffer,
    ULONG   Size
);

#endif // (NTDDI_VERSION >= NTDDI_VISTA)

#if (NTDDI_VERSION >= NTDDI_WIN2K)

NTSYSAPI
NTSTATUS
NTAPI
ZwAdjustPrivilegesToken (
    IN HANDLE                   TokenHandle,
    IN BOOLEAN                  DisableAllPrivileges,
    IN PTOKEN_PRIVILEGES        NewState OPTIONAL,
    IN ULONG                    BufferLength OPTIONAL,
    OUT PTOKEN_PRIVILEGES       PreviousState OPTIONAL,
    OUT PULONG                  ReturnLength
);

#endif // (NTDDI_VERSION >= NTDDI_WIN2K)

NTSYSAPI
NTSTATUS
NTAPI
ZwAlertThread (
    IN HANDLE ThreadHandle
);

NTSYSAPI
NTSTATUS
NTAPI
ZwAccessCheckAndAuditAlarm (
    IN PUNICODE_STRING      SubsystemName,
    IN PVOID                HandleId,
    IN PUNICODE_STRING      ObjectTypeName,
    IN PUNICODE_STRING      ObjectName,
    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN ACCESS_MASK          DesiredAccess,
    IN PGENERIC_MAPPING     GenericMapping,
    IN BOOLEAN              ObjectCreation,
    OUT PACCESS_MASK        GrantedAccess,
    OUT PNTSTATUS           AccessStatus,
    OUT PBOOLEAN            GenerateOnClose
);

#if (NTDDI_VERSION >= NTDDI_WIN2K)

NTSYSAPI
NTSTATUS
NTAPI
ZwCancelIoFile (
    IN HANDLE               FileHandle,
    OUT PIO_STATUS_BLOCK    IoStatusBlock
);

#endif // (NTDDI_VERSION >= NTDDI_WIN2K)

NTSYSAPI
NTSTATUS
NTAPI
ZwClearEvent (
    IN HANDLE EventHandle
);

NTSYSAPI
NTSTATUS
NTAPI
ZwConnectPort (
    OUT PHANDLE                     ClientPortHandle,
    IN PUNICODE_STRING              ServerPortName,
    IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
    IN OUT PLPC_SECTION_WRITE       ClientSharedMemory OPTIONAL,
    IN OUT PLPC_SECTION_READ        ServerSharedMemory OPTIONAL,
    OUT PULONG                      MaximumMessageLength OPTIONAL,
    IN OUT PVOID                    ConnectionInformation OPTIONAL,
    IN OUT PULONG                   ConnectionInformationLength OPTIONAL
);

NTSYSAPI
NTSTATUS
NTAPI
ZwCloseObjectAuditAlarm (
    IN PUNICODE_STRING  SubsystemName,
    IN PVOID            HandleId,
    IN BOOLEAN          GenerateOnClose
);

NTSYSAPI
NTSTATUS
NTAPI
ZwCreateSymbolicLinkObject (
    OUT PHANDLE             SymbolicLinkHandle,
    IN ACCESS_MASK          DesiredAccess,
    IN POBJECT_ATTRIBUTES   ObjectAttributes,
    IN PUNICODE_STRING      TargetName
);

NTSYSAPI
NTSTATUS
NTAPI
ZwFlushInstructionCache (
    IN HANDLE   ProcessHandle,
    IN PVOID    BaseAddress OPTIONAL,
    IN ULONG    FlushSize
);

#if (NTDDI_VERSION >= NTDDI_WIN2K)

NTSYSAPI
NTSTATUS
NTAPI
ZwInitiatePowerAction (
    IN POWER_ACTION         SystemAction,
    IN SYSTEM_POWER_STATE   MinSystemState,
    IN ULONG                Flags,
    IN BOOLEAN              Asynchronous
);

#endif // (NTDDI_VERSION >= NTDDI_WIN2K)

NTSYSAPI
NTSTATUS
NTAPI
ZwLoadKey (
    IN POBJECT_ATTRIBUTES KeyObjectAttributes,
    IN POBJECT_ATTRIBUTES FileObjectAttributes
);

NTSYSAPI
NTSTATUS
NTAPI
ZwOpenProcessToken (
    IN HANDLE       ProcessHandle,
    IN ACCESS_MASK  DesiredAccess,
    OUT PHANDLE     TokenHandle
);

NTSYSAPI
NTSTATUS
NTAPI
ZwOpenThread (
    OUT PHANDLE             ThreadHandle,
    IN ACCESS_MASK          DesiredAccess,
    IN POBJECT_ATTRIBUTES   ObjectAttributes,
    IN PCLIENT_ID           ClientId OPTIONAL
);

NTSYSAPI
NTSTATUS
NTAPI
ZwOpenThreadToken (
    IN HANDLE       ThreadHandle,
    IN ACCESS_MASK  DesiredAccess,
    IN BOOLEAN      OpenAsSelf,
    OUT PHANDLE     TokenHandle
);

NTSYSAPI
NTSTATUS
NTAPI
ZwPulseEvent (
    IN HANDLE   EventHandle,
    OUT PULONG  PreviousState OPTIONAL
);

NTSYSAPI
NTSTATUS
NTAPI
ZwQueryDefaultLocale (
    IN BOOLEAN  ThreadOrSystem,
    OUT PLCID   Locale
);

#if (NTDDI_VERSION >= NTDDI_WIN2K)

NTSYSAPI
NTSTATUS
NTAPI
ZwQueryDefaultUILanguage (
    OUT LANGID *LanguageId
);

NTSYSAPI
NTSTATUS
NTAPI
ZwQueryDirectoryObject (
    IN HANDLE       DirectoryHandle,
    OUT PVOID       Buffer,
    IN ULONG        Length,
    IN BOOLEAN      ReturnSingleEntry,
    IN BOOLEAN      RestartScan,
    IN OUT PULONG   Context,
    OUT PULONG      ReturnLength OPTIONAL
);

#endif // (NTDDI_VERSION >= NTDDI_WIN2K)

NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationProcess (
    IN HANDLE           ProcessHandle,
    IN PROCESSINFOCLASS ProcessInformationClass,
    OUT PVOID           ProcessInformation,
    IN ULONG            ProcessInformationLength,
    OUT PULONG          ReturnLength OPTIONAL
);

#if (NTDDI_VERSION >= NTDDI_WINXP)

NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationThread (
    IN HANDLE           ThreadHandle,
    IN THREADINFOCLASS  ThreadInformationClass,
    OUT PVOID           ThreadInformation,
    IN ULONG            ThreadInformationLength,
    OUT PULONG          ReturnLength OPTIONAL
);

#endif // (NTDDI_VERSION >= NTDDI_WINXP)

#if (NTDDI_VERSION >= NTDDI_WIN2K)

NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInstallUILanguage (
    OUT LANGID *LanguageId
);

#endif // (NTDDI_VERSION >= NTDDI_WIN2K)

NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySection (
    IN HANDLE                       SectionHandle,
    IN SECTION_INFORMATION_CLASS    SectionInformationClass,
    OUT PVOID                       SectionInformation,
    IN ULONG                        SectionInformationLength,
    OUT PULONG                      ReturnLength OPTIONAL
);

NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation (
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID                   SystemInformation,
    IN ULONG                    SystemInformationLength,
    OUT PULONG                  ReturnLength OPTIONAL
);

NTSYSAPI
NTSTATUS
NTAPI
ZwReplaceKey (
    IN POBJECT_ATTRIBUTES   NewFileObjectAttributes,
    IN HANDLE               KeyHandle,
    IN POBJECT_ATTRIBUTES   OldFileObjectAttributes
);

NTSYSAPI
NTSTATUS
NTAPI
ZwRequestWaitReplyPort (
    IN HANDLE           PortHandle,
    IN PLPC_MESSAGE     Request,
    OUT PLPC_MESSAGE    Reply
);

NTSYSAPI
NTSTATUS
NTAPI
ZwResetEvent (
    IN HANDLE   EventHandle,
    OUT PLONG   PreviousState OPTIONAL
);

#if (NTDDI_VERSION >= NTDDI_WIN2K)

NTSYSAPI
NTSTATUS
NTAPI
ZwRestoreKey (
    IN HANDLE   KeyHandle,
    IN HANDLE   FileHandle,
    IN ULONG    Flags
);

#endif // (NTDDI_VERSION >= NTDDI_WIN2K)

NTSYSAPI
NTSTATUS
NTAPI
ZwSaveKey (
    IN HANDLE KeyHandle,
    IN HANDLE FileHandle
);

NTSYSAPI
NTSTATUS
NTAPI
ZwSetDefaultLocale (
    IN BOOLEAN  ThreadOrSystem,
    IN LCID     Locale
);

#if (NTDDI_VERSION >= NTDDI_WIN2K)

NTSYSAPI
NTSTATUS
NTAPI
ZwSetDefaultUILanguage (
    IN LANGID LanguageId
);

#endif // (NTDDI_VERSION >= NTDDI_WIN2K)

NTSYSAPI
NTSTATUS
NTAPI
ZwSetInformationObject (
    IN HANDLE               ObjectHandle,
    IN OBJECT_INFO_CLASS    ObjectInformationClass,
    IN PVOID                ObjectInformation,
    IN ULONG                ObjectInformationLength
);

NTSYSAPI
NTSTATUS
NTAPI
ZwSetInformationProcess (
    IN HANDLE           ProcessHandle,
    IN PROCESSINFOCLASS ProcessInformationClass,
    IN PVOID            ProcessInformation,
    IN ULONG            ProcessInformationLength
);

NTSYSAPI
NTSTATUS
NTAPI
ZwSetSystemInformation (
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    IN PVOID                    SystemInformation,
    IN ULONG                    SystemInformationLength
);

NTSYSAPI
NTSTATUS
NTAPI
ZwSetSystemTime (
    IN PLARGE_INTEGER   NewTime,
    OUT PLARGE_INTEGER  OldTime OPTIONAL
);

NTSYSAPI
NTSTATUS
NTAPI
ZwUnloadKey (
    IN POBJECT_ATTRIBUTES KeyObjectAttributes
);

NTSYSAPI
NTSTATUS
NTAPI
ZwWaitForMultipleObjects (
    IN ULONG            HandleCount,
    IN HANDLE           Handles[],
    IN WAIT_TYPE        WaitType,
    IN BOOLEAN          Alertable,
    IN PLARGE_INTEGER   Timeout OPTIONAL
);

NTSYSAPI
NTSTATUS
NTAPI
ZwYieldExecution (
    VOID
);

#ifdef __cplusplus
}
#endif


#endif // _GNU_WDK_UNDOC_

#endif // _GNU_NTIFS_

Generated by GNU Enscript 1.6.5.90.