Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update the prototype of NtCreateIRTimer #2105

Merged
merged 3 commits into from
Jun 29, 2024
Merged

Update the prototype of NtCreateIRTimer #2105

merged 3 commits into from
Jun 29, 2024
+1 −0

Conversation

elnx
Copy link
Contributor

@elnx elnx commented Jun 20, 2024

According to my reverse engineering results, the pseudocode
of NtCreateIRTimer syscall is as follows:

NTSTATUS NtCreateIRTimer(PHANDLE TimerHandle, LPVOID Reserved, ACCESS_MASK DesiredAccess) {
  return NtCreateTimer2(TimerHandle, Reserved, 0, 2, DesiredAccess);
}

@elnx
Update the prototype of NtCreateIRTimer
d08ab84 
According to my reverse engineering results, the pseudocode 
 of NtCreateIRTimer syscall is as follows:

NTSTATUS NtCreateIRTimer(PHANDLE TimerHandle, LPVOID Reserved, ACCESS_MASK DesiredAccess)
{
  return NtCreateTimer2(TimerHandle, Reserved, 0, 2, DesiredAccess);
}
@elnx elnx requested review from dmex and jxy-s as code owners June 20, 2024 09:07
@dmex

This comment was marked as off-topic.

Sign in to view
@elnx

This comment was marked as off-topic.

Sign in to view
dmex
dmex requested changes Jun 26, 2024
View reviewed changes
phnt/include/ntexapi.h Outdated
@@ -721,6 +721,7 @@ NTSTATUS
NTAPI
NtCreateIRTimer(
_Out_ PHANDLE TimerHandle,
_In_ LPVOID Reserved,
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • LPVOID needs to be PVOID
  • PVOID Reserved would be HANDLE IRTimerHandle on Windows 10 and 11?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to my reverse engineering, the semantics of this parameter is different between Windows 10 and Windows 11:
On Windows 10, it should be zero, or NtCreateTimer2 will return 0xc00000f0.
On Windows 11, NtCreateTimer2 adds some compartion for Attributes parameter, so this Reserved could be a user mode pointer.
(not 100% sure... anyway, keep it as PVOID may be OK?)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll dig deeper into this when I have time... sorry for the inconvenience this hastily-made PR has caused you.

@dmex dmex merged commit c9e9c70 into winsiderss:master Jun 29, 2024
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dmex dmex dmex approved these changes

@jxy-s jxy-s Awaiting requested review from jxy-s jxy-s is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@elnx @dmex