(****************************************************************************** Here are some API (and Native API) functions for which I could not find the declarations anywhere. Through RE and trial&error I found the meaning of some parameters and so on. Enjoy ... Also some others are from different sources (e.g. books and code snippets). There are also some code snippets among the stuff. These are useful "macros" for use with the functions found here. And sometimes even beyond this ... ;) Consider this as educational material only. No guarantees! Find this document at: http://assarbad.net/stuff/!export/apis_revealed.txt Author: Assarbad AT gmx DOT info It's PUBLIC DOMAIN! THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
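******************************************************************************)

// Classifies a DOS-style path string. The result is presumably one of the
// path type constants declared directly below (the source only calls them
// "related").
function RtlDetermineDosPathNameType_U(
  wcsPathNameType: PWideChar
): DWORD; stdcall; external 'ntdll.dll';

const
  // Related path type constants
  // NOTE(review): code that accepts caller-supplied paths should handle every
  // class explicitly (in particular UNC_*, DEVICE_PATH and the RELATIVE_*
  // values) instead of assuming an absolute drive path.
  INVALID_PATH        = 0;
  UNC_PATH            = 1;
  ABSOLUTE_DRIVE_PATH = 2;
  RELATIVE_DRIVE_PATH = 3;
  ABSOLUTE_PATH       = 4;
  RELATIVE_PATH       = 5;
  DEVICE_PATH         = 6;
  UNC_DOT_PATH        = 7;

// Converts a DOS path name into an NT path name, returned in NtName.
// Returns False on failure; NtName must not be used in that case.
// NOTE(review): NtName.Buffer is presumably allocated by the callee; release
// it with RtlFreeUnicodeString once the name is no longer needed - confirm.
// NOTE(review): publicly available headers describe the 4th argument as an
// optional pointer to a relative-name / current-directory structure that is
// larger than UNICODE_STRING. Declared as "var ...: UNICODE_STRING" the callee
// may write past the caller's variable, and nil cannot be passed. Verify the
// layout before relying on this parameter.
function RtlDosPathNameToNtPathName_U(
  DosName: PWideChar;
  var NtName: UNICODE_STRING;
  var DosFilePath: PWideChar;
  var NtFilePath: UNICODE_STRING
): Boolean; stdcall; external 'ntdll.dll';

// Allocates Size bytes from the heap identified by HeapHandle.
// Check the result for nil before use. The block is not guaranteed to be
// zero-filled unless the zero-memory flag (HEAP_ZERO_MEMORY) is passed.
// Size is declared as ULONG, which matches the pointer width on 32-bit only.
function RtlAllocateHeap( // HeapAlloc() redirects here
  HeapHandle: Pointer;
  Flags,
  Size: ULONG
): Pointer; stdcall; external 'ntdll.dll';

// Returns a block obtained from RtlAllocateHeap to the same heap.
// Fixed: the result type was written as ");Boolean;", which is not a valid
// function heading; it is now "): Boolean;".
// Free each block exactly once and only on the heap it was allocated from.
function RtlFreeHeap( // HeapFree() redirects here
  HeapHandle: Pointer;
  Flags: ULONG;
  MemoryPointer: Pointer
): Boolean; stdcall; external 'ntdll.dll';

type
  // One entry of the list returned by SfcGetFiles.
  TSfcList = record
    wcsFileNameInDllCache: PWideChar; // Name of the file in DllCache
    wcsFilePath: PWideChar;           // Path of the protected file
    wcsWhatEverInfFile: PWideChar;    // Name of some INF file ... unknown meaning
  end;
  // Declared with bounds 0..0 but used as an open-ended array: the real
  // element count comes from SfcGetFiles (lpNumEntries), not from the type.
  TSfcListArray = array[0..0] of TSfcList;
  PSfcListArray = ^TSfcListArray;

// Retrieves the list of protected files and the number of entries in it.
// NOTE(review): ownership of the returned list is not established here; do
// not free or modify it without confirming who owns the memory.
function SfcGetFiles(
  var lpNamelist: PSfcListArray;
  var lpNumEntries: DWORD
): DWORD; stdcall; external 'sfcfiles.dll'; // Result might be NTSTATUS :-/

(* Use: Call and then iterate through the array with wide strings NumEntries times.
   Index only entries 0 .. lpNumEntries-1, with range checking disabled for
   that loop because the array type is declared with a single element.
   Check lpNamelist and each PWideChar field for nil before dereferencing; the
   meaning of the return value is unconfirmed (see the remark above).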
*)

// NOTE(review), applies to every "out X: P..." parameter below:
// "out" makes Delphi pass the ADDRESS of the caller's variable. When that
// variable is itself a pointer type (PIO_STATUS_BLOCK, PHANDLE,
// PFILE_BASIC_INFORMATION, Pointer), the native routine receives the address
// of a pointer-sized slot. If the routine expects the address of the
// structure or buffer itself, as the P-prefixed type names suggest, it will
// write the whole structure over that slot and whatever follows it in memory.
// Confirm each declaration against its call sites before use.

// Sends a file-system control code (FsControlCode) to the file behind
// FileHandle, with an input and an output buffer.
// NOTE(review): "out OutputBuffer: Pointer" falls under the note above; the
// callee presumably writes up to OutputBufferLength bytes at the address it
// is given, so the destination must really be that large.
function NtFsControlFile(
  FileHandle, Event: THandle;
  ApcRoutine: PIO_APC_ROUTINE;
  ApcContext: Pointer;
  out IoStatusBlock: PIO_STATUS_BLOCK;
  FsControlCode: ULONG;
  InputBuffer: Pointer;
  InputBufferLength: ULONG;
  out OutputBuffer: Pointer;
  OutputBufferLength: ULONG
): NTSTATUS; stdcall; external 'ntdll.dll';

// Sets file information of the class FileInformationClass from the buffer
// FileInformation (FileInformationLength bytes).
// FileInformationLength must match the real size of the buffer passed.
function NtSetInformationFile(
  FileHandle: THandle;
  out IoStatusBlock: PIO_STATUS_BLOCK;
  FileInformation: Pointer;
  FileInformationLength: ULONG;
  FileInformationClass: DWORD
): NTSTATUS; stdcall; external 'ntdll.dll';

// Queries basic attributes of the object named by ObjectAttributes, without
// taking a handle parameter.
// NOTE(review): "out FileInformation: PFILE_BASIC_INFORMATION" falls under
// the note at the top of this group.
function NtQueryAttributesFile(
  ObjectAttributes: POBJECT_ATTRIBUTES;
  out FileInformation: PFILE_BASIC_INFORMATION
): NTSTATUS; stdcall; external 'ntdll.dll';

// Creates or opens the file named by ObjectAttributes and returns a handle.
// NOTE(review): with "out FileHandle: PHANDLE" the handle value presumably
// ends up stored in the caller's PHANDLE variable itself, not in memory it
// points to - confirm. Always test the NTSTATUS result before using the
// handle, and release the handle with NtClose.
// NOTE(review): names in ObjectAttributes are presumably NT-namespace paths
// (see RtlDosPathNameToNtPathName_U); validate caller-supplied names before
// they reach this call.
function NtCreateFile(
  out FileHandle: PHANDLE;
  DesiredAccess: ACCESS_MASK;
  ObjectAttributes: POBJECT_ATTRIBUTES;
  out IoStatusBlock: PIO_STATUS_BLOCK;
  AllocationSize: PLARGE_INTEGER;
  FileAttributes, ShareAccess, CreateDisposition, CreateOptions: ULONG;
  EaBuffer: Pointer;
  EaLength: ULONG
): NTSTATUS; stdcall; external 'ntdll.dll';

// Deletes the file named by ObjectAttributes; no file handle is involved.
function NtDeleteFile(
  ObjectAttributes: POBJECT_ATTRIBUTES
): NTSTATUS; stdcall; external 'ntdll.dll';

// Releases the buffer of a UNICODE_STRING.
// NOTE(review): presumably valid only for strings whose buffer was allocated
// by an Rtl routine (e.g. the NtName result of RtlDosPathNameToNtPathName_U).
// Do not call it on a string set up with RtlInitUnicodeString - confirm.
procedure RtlFreeUnicodeString(
  var wcsString: UNICODE_STRING
); stdcall; external 'ntdll.dll';

// Closes a handle. Call it for every handle obtained through NtCreateFile.
function NtClose(
  Handle: THandle
): NTSTATUS; stdcall; external 'ntdll.dll';

// Initialises DestinationString from the zero-terminated SourceString.
// NOTE(review): publicly available headers declare this routine without a
// return value; the NTSTATUS declared here may be whatever happens to be in
// EAX, so do not base decisions on it - confirm.
// NOTE(review): the routine presumably stores the SourceString pointer rather
// than copying the text, so SourceString must outlive DestinationString.
function RtlInitUnicodeString(
  var DestinationString: UNICODE_STRING;
  const SourceString: PWideChar
): NTSTATUS; stdcall; external 'ntdll.dll';

// Tests whether usPrefix is a prefix of usContainingString; ignore_case
// selects a case-insensitive comparison.
// NOTE(review): a plain prefix match is not a directory containment check.
// If this is used to confine paths, compare canonical names and make sure the
// prefix ends on a path separator.
function RtlPrefixUnicodeString(
  const usPrefix: UNICODE_STRING;
  const usContainingString: UNICODE_STRING;
  ignore_case: Boolean): Boolean; stdcall; external 'ntdll.dll';

// Returns the process heap pointer read from the PEB, without calling an
// API function. The result is left in EAX.
// Relies on the record types _TEB and _PEB, which are declared outside this
// listing, and on FS-relative TEB access, i.e. 32-bit x86 code only.
function NtMyGetProcessHeap: Pointer; assembler;
asm
  // EAX := Peb field of the TEB, addressed through the FS segment
  mov EAX, _TEB[FS:0].Peb
  // EAX := ProcessHeap field of the PEB
  mov EAX, [EAX]._PEB.ProcessHeap
end;