12.13.2006

Windows NTSTATUS List - from http://source.winehq.org/source/dlls/ntdll/error.c

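/*
 * NTSTATUS -> Win32 error translation for the contiguous status range
 * 0x00000102 .. 0x00000121 (32 slots, one per status value).
 *
 * The table name carries the first status value of the range and the array
 * bound is the number of consecutive values covered, so the slot for a
 * status is presumably (status - 0x00000102); the lookup routine is not part
 * of this listing -- confirm against it.
 *
 * ERROR_MR_MID_NOT_FOUND appears to be the filler for statuses that have no
 * dedicated Win32 code; every slot whose comment carries no STATUS_ name
 * uses it.  The translation is therefore lossy: code that logs or branches
 * on the result should keep the original NTSTATUS next to the Win32 value.
 *
 * The listing this was taken from had page line numbers fused into the
 * initializer lines; they are stripped here so the initializer is valid C.
 */
static const DWORD table_00000102[32] =
{
    ERROR_TIMEOUT, /* 00000102 (STATUS_TIMEOUT) */
    ERROR_IO_PENDING, /* 00000103 (STATUS_PENDING) */
    ERROR_MR_MID_NOT_FOUND, /* 00000104 (STATUS_REPARSE) */
    ERROR_MORE_DATA, /* 00000105 (STATUS_MORE_ENTRIES) */
    ERROR_NOT_ALL_ASSIGNED, /* 00000106 (STATUS_NOT_ALL_ASSIGNED) */
    ERROR_SOME_NOT_MAPPED, /* 00000107 (STATUS_SOME_NOT_MAPPED) */
    ERROR_MR_MID_NOT_FOUND, /* 00000108 (STATUS_OPLOCK_BREAK_IN_PROGRESS) */
    ERROR_MR_MID_NOT_FOUND, /* 00000109 (STATUS_VOLUME_MOUNTED) */
    ERROR_MR_MID_NOT_FOUND, /* 0000010a (STATUS_RXACT_COMMITTED) */
    ERROR_MR_MID_NOT_FOUND, /* 0000010b (STATUS_NOTIFY_CLEANUP) */
    ERROR_NOTIFY_ENUM_DIR, /* 0000010c (STATUS_NOTIFY_ENUM_DIR) */
    ERROR_NO_QUOTAS_FOR_ACCOUNT, /* 0000010d (STATUS_NO_QUOTAS_FOR_ACCOUNT) */
    ERROR_MR_MID_NOT_FOUND, /* 0000010e (STATUS_PRIMARY_TRANSPORT_CONNECT_FAILED) */
    ERROR_MR_MID_NOT_FOUND, /* 0000010f */
    ERROR_MR_MID_NOT_FOUND, /* 00000110 (STATUS_PAGE_FAULT_TRANSITION) */
    ERROR_MR_MID_NOT_FOUND, /* 00000111 (STATUS_PAGE_FAULT_DEMAND_ZERO) */
    ERROR_MR_MID_NOT_FOUND, /* 00000112 (STATUS_PAGE_FAULT_COPY_ON_WRITE) */
    ERROR_MR_MID_NOT_FOUND, /* 00000113 (STATUS_PAGE_FAULT_GUARD_PAGE) */
    ERROR_MR_MID_NOT_FOUND, /* 00000114 (STATUS_PAGE_FAULT_PAGING_FILE) */
    ERROR_MR_MID_NOT_FOUND, /* 00000115 (STATUS_CACHE_PAGE_LOCKED) */
    ERROR_MR_MID_NOT_FOUND, /* 00000116 (STATUS_CRASH_DUMP) */
    ERROR_MR_MID_NOT_FOUND, /* 00000117 (STATUS_BUFFER_ALL_ZEROS) */
    ERROR_MR_MID_NOT_FOUND, /* 00000118 (STATUS_REPARSE_OBJECT) */
    ERROR_MR_MID_NOT_FOUND, /* 00000119 (STATUS_RESOURCE_REQUIREMENTS_CHANGED) */
    ERROR_MR_MID_NOT_FOUND, /* 0000011a */
    ERROR_MR_MID_NOT_FOUND, /* 0000011b */
    ERROR_MR_MID_NOT_FOUND, /* 0000011c */
    ERROR_MR_MID_NOT_FOUND, /* 0000011d */
    ERROR_MR_MID_NOT_FOUND, /* 0000011e */
    ERROR_MR_MID_NOT_FOUND, /* 0000011f */
    ERROR_MR_MID_NOT_FOUND, /* 00000120 (STATUS_TRANSLATION_COMPLETE) */
    ERROR_DS_MEMBERSHIP_EVALUATED_LOCALLY /* 00000121 (STATUS_DS_MEMBERSHIP_EVALUATED_LOCALLY) */
};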
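/*
 * NTSTATUS -> Win32 error translation for the informational range
 * 0x40000002 .. 0x4000000d (12 slots, one per status value).
 *
 * Slot order follows the status value; the slot for a status is presumably
 * (status - 0x40000002) -- the lookup routine is not shown here, confirm
 * against it.  ERROR_MR_MID_NOT_FOUND appears to be the filler for statuses
 * without a dedicated Win32 code.
 *
 * Page line numbers that were fused into the listing are stripped so the
 * initializer is valid C.
 */
static const DWORD table_40000002[12] =
{
    ERROR_INVALID_PARAMETER, /* 40000002 (STATUS_WORKING_SET_LIMIT_RANGE) */
    ERROR_MR_MID_NOT_FOUND, /* 40000003 (STATUS_IMAGE_NOT_AT_BASE) */
    ERROR_MR_MID_NOT_FOUND, /* 40000004 (STATUS_RXACT_STATE_CREATED) */
    ERROR_MR_MID_NOT_FOUND, /* 40000005 (STATUS_SEGMENT_NOTIFICATION) */
    ERROR_LOCAL_USER_SESSION_KEY, /* 40000006 (STATUS_LOCAL_USER_SESSION_KEY) */
    ERROR_MR_MID_NOT_FOUND, /* 40000007 (STATUS_BAD_CURRENT_DIRECTORY) */
    ERROR_MORE_WRITES, /* 40000008 (STATUS_SERIAL_MORE_WRITES) */
    ERROR_REGISTRY_RECOVERED, /* 40000009 (STATUS_REGISTRY_RECOVERED) */
    ERROR_MR_MID_NOT_FOUND, /* 4000000a (STATUS_FT_READ_RECOVERY_FROM_BACKUP) */
    ERROR_MR_MID_NOT_FOUND, /* 4000000b (STATUS_FT_WRITE_RECOVERY) */
    ERROR_COUNTER_TIMEOUT, /* 4000000c (STATUS_SERIAL_COUNTER_TIMEOUT) */
    ERROR_NULL_LM_PASSWORD /* 4000000d (STATUS_NULL_LM_PASSWORD) */
};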
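/*
 * Single-slot translation table for NTSTATUS 0x40000370
 * (STATUS_DS_SHUTTING_DOWN), which maps to ERROR_DS_SHUTTING_DOWN.
 * Page line numbers fused into the listing are stripped so this is valid C.
 */
static const DWORD table_40000370[1] =
{
    ERROR_DS_SHUTTING_DOWN /* 40000370 (STATUS_DS_SHUTTING_DOWN) */
};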
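/*
 * Single-slot translation table for NTSTATUS 0x40020056
 * (RPC_NT_UUID_LOCAL_ONLY), which maps to RPC_S_UUID_LOCAL_ONLY.
 * Page line numbers fused into the listing are stripped so this is valid C.
 */
static const DWORD table_40020056[1] =
{
    RPC_S_UUID_LOCAL_ONLY /* 40020056 (RPC_NT_UUID_LOCAL_ONLY) */
};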
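/*
 * Single-slot translation table for NTSTATUS 0x400200af
 * (RPC_NT_SEND_INCOMPLETE), which maps to RPC_S_SEND_INCOMPLETE.
 * Page line numbers fused into the listing are stripped so this is valid C.
 */
static const DWORD table_400200af[1] =
{
    RPC_S_SEND_INCOMPLETE /* 400200af (RPC_NT_SEND_INCOMPLETE) */
};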
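/*
 * NTSTATUS -> Win32 error translation for the warning range
 * 0x80000001 .. 0x80000027 (39 slots, one per status value).
 *
 * Slot order follows the status value; the slot for a status is presumably
 * (status - 0x80000001) -- the lookup routine is not shown here, confirm
 * against it.
 *
 * Three slots hold the STATUS_ symbol itself rather than an ERROR_ code
 * (STATUS_GUARD_PAGE_VIOLATION, STATUS_BREAKPOINT, STATUS_SINGLE_STEP), so
 * for those the translated value is the NTSTATUS constant unchanged.
 * ERROR_MR_MID_NOT_FOUND appears to be the filler for statuses without a
 * dedicated Win32 code.  Several distinct statuses share one Win32 code
 * (for example both device power-off and off-line become ERROR_NOT_READY),
 * so keep the original NTSTATUS when the exact cause matters.
 *
 * Page line numbers fused into the listing are stripped so the initializer
 * is valid C.
 */
static const DWORD table_80000001[39] =
{
    STATUS_GUARD_PAGE_VIOLATION, /* 80000001 (STATUS_GUARD_PAGE_VIOLATION) */
    ERROR_NOACCESS, /* 80000002 (STATUS_DATATYPE_MISALIGNMENT) */
    STATUS_BREAKPOINT, /* 80000003 (STATUS_BREAKPOINT) */
    STATUS_SINGLE_STEP, /* 80000004 (STATUS_SINGLE_STEP) */
    ERROR_MORE_DATA, /* 80000005 (STATUS_BUFFER_OVERFLOW) */
    ERROR_NO_MORE_FILES, /* 80000006 (STATUS_NO_MORE_FILES) */
    ERROR_MR_MID_NOT_FOUND, /* 80000007 (STATUS_WAKE_SYSTEM_DEBUGGER) */
    ERROR_MR_MID_NOT_FOUND, /* 80000008 */
    ERROR_MR_MID_NOT_FOUND, /* 80000009 */
    ERROR_MR_MID_NOT_FOUND, /* 8000000a (STATUS_HANDLES_CLOSED) */
    ERROR_NO_INHERITANCE, /* 8000000b (STATUS_NO_INHERITANCE) */
    ERROR_MR_MID_NOT_FOUND, /* 8000000c (STATUS_GUID_SUBSTITUTION_MADE) */
    ERROR_PARTIAL_COPY, /* 8000000d (STATUS_PARTIAL_COPY) */
    ERROR_OUT_OF_PAPER, /* 8000000e (STATUS_DEVICE_PAPER_EMPTY) */
    ERROR_NOT_READY, /* 8000000f (STATUS_DEVICE_POWERED_OFF) */
    ERROR_NOT_READY, /* 80000010 (STATUS_DEVICE_OFF_LINE) */
    ERROR_BUSY, /* 80000011 (STATUS_DEVICE_BUSY) */
    ERROR_NO_MORE_ITEMS, /* 80000012 (STATUS_NO_MORE_EAS) */
    ERROR_INVALID_EA_NAME, /* 80000013 (STATUS_INVALID_EA_NAME) */
    ERROR_EA_LIST_INCONSISTENT, /* 80000014 (STATUS_EA_LIST_INCONSISTENT) */
    ERROR_EA_LIST_INCONSISTENT, /* 80000015 (STATUS_INVALID_EA_FLAG) */
    ERROR_MEDIA_CHANGED, /* 80000016 (STATUS_VERIFY_REQUIRED) */
    ERROR_MR_MID_NOT_FOUND, /* 80000017 (STATUS_EXTRANEOUS_INFORMATION) */
    ERROR_MR_MID_NOT_FOUND, /* 80000018 (STATUS_RXACT_COMMIT_NECESSARY) */
    ERROR_MR_MID_NOT_FOUND, /* 80000019 */
    ERROR_NO_MORE_ITEMS, /* 8000001a (STATUS_NO_MORE_ENTRIES) */
    ERROR_FILEMARK_DETECTED, /* 8000001b (STATUS_FILEMARK_DETECTED) */
    ERROR_MEDIA_CHANGED, /* 8000001c (STATUS_MEDIA_CHANGED) */
    ERROR_BUS_RESET, /* 8000001d (STATUS_BUS_RESET) */
    ERROR_END_OF_MEDIA, /* 8000001e (STATUS_END_OF_MEDIA) */
    ERROR_BEGINNING_OF_MEDIA, /* 8000001f (STATUS_BEGINNING_OF_MEDIA) */
    ERROR_MR_MID_NOT_FOUND, /* 80000020 (STATUS_MEDIA_CHECK) */
    ERROR_SETMARK_DETECTED, /* 80000021 (STATUS_SETMARK_DETECTED) */
    ERROR_NO_DATA_DETECTED, /* 80000022 (STATUS_NO_DATA_DETECTED) */
    ERROR_MR_MID_NOT_FOUND, /* 80000023 (STATUS_REDIRECTOR_HAS_OPEN_HANDLES) */
    ERROR_MR_MID_NOT_FOUND, /* 80000024 (STATUS_SERVER_HAS_OPEN_HANDLES) */
    ERROR_ACTIVE_CONNECTIONS, /* 80000025 (STATUS_ALREADY_DISCONNECTED) */
    ERROR_MR_MID_NOT_FOUND, /* 80000026 (STATUS_LONGJUMP) */
    ERROR_CLEANER_CARTRIDGE_INSTALLED /* 80000027 (STATUS_CLEANER_CARTRIDGE_INSTALLED) */
};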
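/*
 * NTSTATUS -> Win32 error translation for 0x80000288 .. 0x80000289
 * (2 slots): STATUS_DEVICE_REQUIRES_CLEANING and STATUS_DEVICE_DOOR_OPEN,
 * each mapped to the ERROR_ code of the same name.
 * Page line numbers fused into the listing are stripped so this is valid C.
 */
static const DWORD table_80000288[2] =
{
    ERROR_DEVICE_REQUIRES_CLEANING, /* 80000288 (STATUS_DEVICE_REQUIRES_CLEANING) */
    ERROR_DEVICE_DOOR_OPEN /* 80000289 (STATUS_DEVICE_DOOR_OPEN) */
};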
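/*
 * Win32 error translation for the security-package (SEC_E_*) codes
 * 0x80090300 .. 0x80090347 (72 slots, one per code value).
 *
 * Slot order follows the code value; the slot for a code is presumably
 * (code - 0x80090300) -- the lookup routine is not shown here, confirm
 * against it.  ERROR_MR_MID_NOT_FOUND appears to be the filler for codes
 * without a dedicated Win32 code.
 *
 * Security-relevant losses in this mapping, all visible in the slots below:
 *   - SEC_E_MESSAGE_ALTERED and SEC_E_OUT_OF_SEQUENCE both become
 *     ERROR_ACCESS_DENIED, so an integrity failure and a sequencing failure
 *     look like an ordinary permission error after translation.
 *   - SEC_E_CERT_EXPIRED becomes ERROR_PASSWORD_EXPIRED, which names a
 *     different kind of credential than the one that actually failed.
 *   - SEC_E_TIME_SKEW and every SEC_E_KDC_* code become
 *     ERROR_MR_MID_NOT_FOUND and cannot be told apart afterwards.
 * Authentication logging and detection logic should therefore record the
 * original SEC_E_ value, not only the translated Win32 code.
 *
 * Page line numbers fused into the listing are stripped so the initializer
 * is valid C.
 */
static const DWORD table_80090300[72] =
{
    ERROR_NO_SYSTEM_RESOURCES, /* 80090300 (SEC_E_INSUFFICIENT_MEMORY) */
    ERROR_INVALID_HANDLE, /* 80090301 (SEC_E_INVALID_HANDLE) */
    ERROR_INVALID_FUNCTION, /* 80090302 (SEC_E_UNSUPPORTED_FUNCTION) */
    ERROR_BAD_NETPATH, /* 80090303 (SEC_E_TARGET_UNKNOWN) */
    ERROR_INTERNAL_ERROR, /* 80090304 (SEC_E_INTERNAL_ERROR) */
    ERROR_NO_SUCH_PACKAGE, /* 80090305 (SEC_E_SECPKG_NOT_FOUND) */
    ERROR_NOT_OWNER, /* 80090306 (SEC_E_NOT_OWNER) */
    ERROR_NO_SUCH_PACKAGE, /* 80090307 (SEC_E_CANNOT_INSTALL) */
    ERROR_INVALID_PARAMETER, /* 80090308 (SEC_E_INVALID_TOKEN) */
    ERROR_INVALID_PARAMETER, /* 80090309 (SEC_E_CANNOT_PACK) */
    ERROR_NOT_SUPPORTED, /* 8009030a (SEC_E_QOP_NOT_SUPPORTED) */
    ERROR_CANNOT_IMPERSONATE, /* 8009030b (SEC_E_NO_IMPERSONATION) */
    ERROR_LOGON_FAILURE, /* 8009030c (SEC_E_LOGON_DENIED) */
    ERROR_INVALID_PARAMETER, /* 8009030d (SEC_E_UNKNOWN_CREDENTIALS) */
    ERROR_NO_SUCH_LOGON_SESSION, /* 8009030e (SEC_E_NO_CREDENTIALS) */
    ERROR_ACCESS_DENIED, /* 8009030f (SEC_E_MESSAGE_ALTERED) */
    ERROR_ACCESS_DENIED, /* 80090310 (SEC_E_OUT_OF_SEQUENCE) */
    ERROR_NO_LOGON_SERVERS, /* 80090311 (SEC_E_NO_AUTHENTICATING_AUTHORITY) */
    ERROR_MR_MID_NOT_FOUND, /* 80090312 */
    ERROR_MR_MID_NOT_FOUND, /* 80090313 */
    ERROR_MR_MID_NOT_FOUND, /* 80090314 */
    ERROR_MR_MID_NOT_FOUND, /* 80090315 */
    ERROR_NO_SUCH_PACKAGE, /* 80090316 (SEC_E_BAD_PKGID) */
    ERROR_CONTEXT_EXPIRED, /* 80090317 (SEC_E_CONTEXT_EXPIRED) */
    ERROR_INVALID_USER_BUFFER, /* 80090318 (SEC_E_INCOMPLETE_MESSAGE) */
    ERROR_MR_MID_NOT_FOUND, /* 80090319 */
    ERROR_MR_MID_NOT_FOUND, /* 8009031a */
    ERROR_MR_MID_NOT_FOUND, /* 8009031b */
    ERROR_MR_MID_NOT_FOUND, /* 8009031c */
    ERROR_MR_MID_NOT_FOUND, /* 8009031d */
    ERROR_MR_MID_NOT_FOUND, /* 8009031e */
    ERROR_MR_MID_NOT_FOUND, /* 8009031f */
    ERROR_INVALID_PARAMETER, /* 80090320 (SEC_E_INCOMPLETE_CREDENTIALS) */
    ERROR_INSUFFICIENT_BUFFER, /* 80090321 (SEC_E_BUFFER_TOO_SMALL) */
    ERROR_WRONG_TARGET_NAME, /* 80090322 (SEC_E_WRONG_PRINCIPAL) */
    ERROR_MR_MID_NOT_FOUND, /* 80090323 */
    ERROR_MR_MID_NOT_FOUND, /* 80090324 (SEC_E_TIME_SKEW) */
    ERROR_TRUST_FAILURE, /* 80090325 (SEC_E_UNTRUSTED_ROOT) */
    ERROR_INVALID_PARAMETER, /* 80090326 (SEC_E_ILLEGAL_MESSAGE) */
    ERROR_INVALID_PARAMETER, /* 80090327 (SEC_E_CERT_UNKNOWN) */
    ERROR_PASSWORD_EXPIRED, /* 80090328 (SEC_E_CERT_EXPIRED) */
    ERROR_ENCRYPTION_FAILED, /* 80090329 (SEC_E_ENCRYPT_FAILURE) */
    ERROR_MR_MID_NOT_FOUND, /* 8009032a */
    ERROR_MR_MID_NOT_FOUND, /* 8009032b */
    ERROR_MR_MID_NOT_FOUND, /* 8009032c */
    ERROR_MR_MID_NOT_FOUND, /* 8009032d */
    ERROR_MR_MID_NOT_FOUND, /* 8009032e */
    ERROR_MR_MID_NOT_FOUND, /* 8009032f */
    ERROR_DECRYPTION_FAILED, /* 80090330 (SEC_E_DECRYPT_FAILURE) */
    ERROR_INVALID_FUNCTION, /* 80090331 (SEC_E_ALGORITHM_MISMATCH) */
    ERROR_MR_MID_NOT_FOUND, /* 80090332 (SEC_E_SECURITY_QOS_FAILED) */
    ERROR_MR_MID_NOT_FOUND, /* 80090333 (SEC_E_UNFINISHED_CONTEXT_DELETED) */
    ERROR_MR_MID_NOT_FOUND, /* 80090334 (SEC_E_NO_TGT_REPLY) */
    ERROR_MR_MID_NOT_FOUND, /* 80090335 (SEC_E_NO_IP_ADDRESSES) */
    ERROR_MR_MID_NOT_FOUND, /* 80090336 (SEC_E_WRONG_CREDENTIAL_HANDLE) */
    ERROR_MR_MID_NOT_FOUND, /* 80090337 (SEC_E_CRYPTO_SYSTEM_INVALID) */
    ERROR_MR_MID_NOT_FOUND, /* 80090338 (SEC_E_MAX_REFERRALS_EXCEEDED) */
    ERROR_MR_MID_NOT_FOUND, /* 80090339 (SEC_E_MUST_BE_KDC) */
    ERROR_MR_MID_NOT_FOUND, /* 8009033a (SEC_E_STRONG_CRYPTO_NOT_SUPPORTED) */
    ERROR_MR_MID_NOT_FOUND, /* 8009033b (SEC_E_TOO_MANY_PRINCIPALS) */
    ERROR_MR_MID_NOT_FOUND, /* 8009033c (SEC_E_NO_PA_DATA) */
    ERROR_MR_MID_NOT_FOUND, /* 8009033d (SEC_E_PKINIT_NAME_MISMATCH) */
    ERROR_MR_MID_NOT_FOUND, /* 8009033e (SEC_E_SMARTCARD_LOGON_REQUIRED) */
    ERROR_MR_MID_NOT_FOUND, /* 8009033f (SEC_E_SHUTDOWN_IN_PROGRESS) */
    ERROR_MR_MID_NOT_FOUND, /* 80090340 (SEC_E_KDC_INVALID_REQUEST) */
    ERROR_MR_MID_NOT_FOUND, /* 80090341 (SEC_E_KDC_UNABLE_TO_REFER) */
    ERROR_MR_MID_NOT_FOUND, /* 80090342 (SEC_E_KDC_UNKNOWN_ETYPE) */
    ERROR_MR_MID_NOT_FOUND, /* 80090343 (SEC_E_UNSUPPORTED_PREAUTH) */
    ERROR_MR_MID_NOT_FOUND, /* 80090344 */
    ERROR_MR_MID_NOT_FOUND, /* 80090345 (SEC_E_DELEGATION_REQUIRED) */
    ERROR_MR_MID_NOT_FOUND, /* 80090346 (SEC_E_BAD_BINDINGS) */
    ERROR_CANNOT_IMPERSONATE /* 80090347 (SEC_E_MULTIPLE_ACCOUNTS) */
};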
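/*
 * Win32 error translation for the certificate-revocation (CRYPT_E_*) codes
 * 0x80092010 .. 0x80092013 (4 slots, one per code value).
 *
 * CRYPT_E_REVOKED, CRYPT_E_NO_REVOCATION_CHECK and CRYPT_E_REVOCATION_OFFLINE
 * all become ERROR_MUTUAL_AUTH_FAILED, so after translation a certificate
 * that is known to be revoked cannot be distinguished from one whose
 * revocation status could not be checked.  Code that decides whether to
 * fail closed on revocation errors, and any audit log of such failures,
 * needs the original CRYPT_E_ value.
 *
 * Page line numbers fused into the listing are stripped so the initializer
 * is valid C.
 */
static const DWORD table_80092010[4] =
{
    ERROR_MUTUAL_AUTH_FAILED, /* 80092010 (CRYPT_E_REVOKED) */
    ERROR_MR_MID_NOT_FOUND, /* 80092011 (CRYPT_E_NO_REVOCATION_DLL) */
    ERROR_MUTUAL_AUTH_FAILED, /* 80092012 (CRYPT_E_NO_REVOCATION_CHECK) */
    ERROR_MUTUAL_AUTH_FAILED /* 80092013 (CRYPT_E_REVOCATION_OFFLINE) */
};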
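/*
 * Single-slot translation table for 0x80096004 (TRUST_E_CERT_SIGNATURE),
 * which maps to ERROR_MUTUAL_AUTH_FAILED.  That is the same Win32 code the
 * revocation errors in table_80092010 map to, so a bad certificate signature
 * is not distinguishable from a revocation failure after translation; keep
 * the original code where the difference matters.
 * Page line numbers fused into the listing are stripped so this is valid C.
 */
static const DWORD table_80096004[1] =
{
    ERROR_MUTUAL_AUTH_FAILED /* 80096004 (TRUST_E_CERT_SIGNATURE) */
};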
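/*
 * NTSTATUS -> Win32 error translation for the cluster range
 * 0x80130001 .. 0x80130005 (5 slots, one per status value).  Each
 * STATUS_CLUSTER_* value maps to the ERROR_CLUSTER_* code of the same name.
 * The slot for a status is presumably (status - 0x80130001); the lookup
 * routine is not shown here -- confirm against it.
 * Page line numbers fused into the listing are stripped so this is valid C.
 */
static const DWORD table_80130001[5] =
{
    ERROR_CLUSTER_NODE_ALREADY_UP, /* 80130001 (STATUS_CLUSTER_NODE_ALREADY_UP) */
    ERROR_CLUSTER_NODE_ALREADY_DOWN, /* 80130002 (STATUS_CLUSTER_NODE_ALREADY_DOWN) */
    ERROR_CLUSTER_NETWORK_ALREADY_ONLINE, /* 80130003 (STATUS_CLUSTER_NETWORK_ALREADY_ONLINE) */
    ERROR_CLUSTER_NETWORK_ALREADY_OFFLINE, /* 80130004 (STATUS_CLUSTER_NETWORK_ALREADY_OFFLINE) */
    ERROR_CLUSTER_NODE_ALREADY_MEMBER /* 80130005 (STATUS_CLUSTER_NODE_ALREADY_MEMBER) */
};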
377 static const DWORD table_c0000001[411] =
378 {
379 ERROR_GEN_FAILURE, /* c0000001 (STATUS_UNSUCCESSFUL) */
380 ERROR_INVALID_FUNCTION, /* c0000002 (STATUS_NOT_IMPLEMENTED) */
381 ERROR_INVALID_PARAMETER, /* c0000003 (STATUS_INVALID_INFO_CLASS) */
382 ERROR_BAD_LENGTH, /* c0000004 (STATUS_INFO_LENGTH_MISMATCH) */
383 ERROR_NOACCESS, /* c0000005 (STATUS_ACCESS_VIOLATION) */
384 ERROR_SWAPERROR, /* c0000006 (STATUS_IN_PAGE_ERROR) */
385 ERROR_PAGEFILE_QUOTA, /* c0000007 (STATUS_PAGEFILE_QUOTA) */
386 ERROR_INVALID_HANDLE, /* c0000008 (STATUS_INVALID_HANDLE) */
387 ERROR_STACK_OVERFLOW, /* c0000009 (STATUS_BAD_INITIAL_STACK) */
388 ERROR_BAD_EXE_FORMAT, /* c000000a (STATUS_BAD_INITIAL_PC) */
389 ERROR_INVALID_PARAMETER, /* c000000b (STATUS_INVALID_CID) */
390 ERROR_MR_MID_NOT_FOUND, /* c000000c (STATUS_TIMER_NOT_CANCELED) */
391 ERROR_INVALID_PARAMETER, /* c000000d (STATUS_INVALID_PARAMETER) */
392 ERROR_FILE_NOT_FOUND, /* c000000e (STATUS_NO_SUCH_DEVICE) */
393 ERROR_FILE_NOT_FOUND, /* c000000f (STATUS_NO_SUCH_FILE) */
394 ERROR_INVALID_FUNCTION, /* c0000010 (STATUS_INVALID_DEVICE_REQUEST) */
395 ERROR_HANDLE_EOF, /* c0000011 (STATUS_END_OF_FILE) */
396 ERROR_WRONG_DISK, /* c0000012 (STATUS_WRONG_VOLUME) */
397 ERROR_NOT_READY, /* c0000013 (STATUS_NO_MEDIA_IN_DEVICE) */
398 ERROR_UNRECOGNIZED_MEDIA, /* c0000014 (STATUS_UNRECOGNIZED_MEDIA) */
399 ERROR_SECTOR_NOT_FOUND, /* c0000015 (STATUS_NONEXISTENT_SECTOR) */
400 ERROR_MORE_DATA, /* c0000016 (STATUS_MORE_PROCESSING_REQUIRED) */
401 ERROR_NOT_ENOUGH_MEMORY, /* c0000017 (STATUS_NO_MEMORY) */
402 ERROR_INVALID_ADDRESS, /* c0000018 (STATUS_CONFLICTING_ADDRESSES) */
403 ERROR_INVALID_ADDRESS, /* c0000019 (STATUS_NOT_MAPPED_VIEW) */
404 ERROR_INVALID_PARAMETER, /* c000001a (STATUS_UNABLE_TO_FREE_VM) */
405 ERROR_INVALID_PARAMETER, /* c000001b (STATUS_UNABLE_TO_DELETE_SECTION) */
406 ERROR_INVALID_FUNCTION, /* c000001c (STATUS_INVALID_SYSTEM_SERVICE) */
407 ERROR_INVALID_FUNCTION, /* c000001d (STATUS_ILLEGAL_INSTRUCTION) */
408 ERROR_ACCESS_DENIED, /* c000001e (STATUS_INVALID_LOCK_SEQUENCE) */
409 ERROR_ACCESS_DENIED, /* c000001f (STATUS_INVALID_VIEW_SIZE) */
410 ERROR_BAD_EXE_FORMAT, /* c0000020 (STATUS_INVALID_FILE_FOR_SECTION) */
411 ERROR_ACCESS_DENIED, /* c0000021 (STATUS_ALREADY_COMMITTED) */
412 ERROR_ACCESS_DENIED, /* c0000022 (STATUS_ACCESS_DENIED) */
413 ERROR_INSUFFICIENT_BUFFER, /* c0000023 (STATUS_BUFFER_TOO_SMALL) */
414 ERROR_INVALID_HANDLE, /* c0000024 (STATUS_OBJECT_TYPE_MISMATCH) */
415 STATUS_NONCONTINUABLE_EXCEPTION, /* c0000025 (STATUS_NONCONTINUABLE_EXCEPTION) */
416 STATUS_INVALID_DISPOSITION, /* c0000026 (STATUS_INVALID_DISPOSITION) */
417 ERROR_MR_MID_NOT_FOUND, /* c0000027 (STATUS_UNWIND) */
418 ERROR_MR_MID_NOT_FOUND, /* c0000028 (STATUS_BAD_STACK) */
419 ERROR_MR_MID_NOT_FOUND, /* c0000029 (STATUS_INVALID_UNWIND_TARGET) */
420 ERROR_NOT_LOCKED, /* c000002a (STATUS_NOT_LOCKED) */
421 STATUS_PARITY_ERROR, /* c000002b (STATUS_PARITY_ERROR) */
422 ERROR_INVALID_ADDRESS, /* c000002c (STATUS_UNABLE_TO_DECOMMIT_VM) */
423 ERROR_INVALID_ADDRESS, /* c000002d (STATUS_NOT_COMMITTED) */
424 ERROR_MR_MID_NOT_FOUND, /* c000002e (STATUS_INVALID_PORT_ATTRIBUTES) */
425 ERROR_MR_MID_NOT_FOUND, /* c000002f (STATUS_PORT_MESSAGE_TOO_LONG) */
426 ERROR_INVALID_PARAMETER, /* c0000030 (STATUS_INVALID_PARAMETER_MIX) */
427 ERROR_MR_MID_NOT_FOUND, /* c0000031 (STATUS_INVALID_QUOTA_LOWER) */
428 ERROR_DISK_CORRUPT, /* c0000032 (STATUS_DISK_CORRUPT_ERROR) */
429 ERROR_INVALID_NAME, /* c0000033 (STATUS_OBJECT_NAME_INVALID) */
430 ERROR_FILE_NOT_FOUND, /* c0000034 (STATUS_OBJECT_NAME_NOT_FOUND) */
431 ERROR_ALREADY_EXISTS, /* c0000035 (STATUS_OBJECT_NAME_COLLISION) */
432 ERROR_MR_MID_NOT_FOUND, /* c0000036 */
433 ERROR_INVALID_HANDLE, /* c0000037 (STATUS_PORT_DISCONNECTED) */
434 ERROR_MR_MID_NOT_FOUND, /* c0000038 (STATUS_DEVICE_ALREADY_ATTACHED) */
435 ERROR_BAD_PATHNAME, /* c0000039 (STATUS_OBJECT_PATH_INVALID) */
436 ERROR_PATH_NOT_FOUND, /* c000003a (STATUS_OBJECT_PATH_NOT_FOUND) */
437 ERROR_BAD_PATHNAME, /* c000003b (STATUS_OBJECT_PATH_SYNTAX_BAD) */
438 ERROR_IO_DEVICE, /* c000003c (STATUS_DATA_OVERRUN) */
439 ERROR_IO_DEVICE, /* c000003d (STATUS_DATA_LATE_ERROR) */
440 ERROR_CRC, /* c000003e (STATUS_DATA_ERROR) */
441 ERROR_CRC, /* c000003f (STATUS_CRC_ERROR) */
442 ERROR_NOT_ENOUGH_MEMORY, /* c0000040 (STATUS_SECTION_TOO_BIG) */
443 ERROR_ACCESS_DENIED, /* c0000041 (STATUS_PORT_CONNECTION_REFUSED) */
444 ERROR_INVALID_HANDLE, /* c0000042 (STATUS_INVALID_PORT_HANDLE) */
445 ERROR_SHARING_VIOLATION, /* c0000043 (STATUS_SHARING_VIOLATION) */
446 ERROR_NOT_ENOUGH_QUOTA, /* c0000044 (STATUS_QUOTA_EXCEEDED) */
447 ERROR_INVALID_PARAMETER, /* c0000045 (STATUS_INVALID_PAGE_PROTECTION) */
448 ERROR_NOT_OWNER, /* c0000046 (STATUS_MUTANT_NOT_OWNED) */
449 ERROR_TOO_MANY_POSTS, /* c0000047 (STATUS_SEMAPHORE_LIMIT_EXCEEDED) */
450 ERROR_INVALID_PARAMETER, /* c0000048 (STATUS_PORT_ALREADY_SET) */
451 ERROR_INVALID_PARAMETER, /* c0000049 (STATUS_SECTION_NOT_IMAGE) */
452 ERROR_SIGNAL_REFUSED, /* c000004a (STATUS_SUSPEND_COUNT_EXCEEDED) */
453 ERROR_ACCESS_DENIED, /* c000004b (STATUS_THREAD_IS_TERMINATING) */
454 ERROR_INVALID_PARAMETER, /* c000004c (STATUS_BAD_WORKING_SET_LIMIT) */
455 ERROR_INVALID_PARAMETER, /* c000004d (STATUS_INCOMPATIBLE_FILE_MAP) */
456 ERROR_INVALID_PARAMETER, /* c000004e (STATUS_SECTION_PROTECTION) */
457 ERROR_EAS_NOT_SUPPORTED, /* c000004f (STATUS_EAS_NOT_SUPPORTED) */
458 ERROR_EA_LIST_INCONSISTENT, /* c0000050 (STATUS_EA_TOO_LARGE) */
459 ERROR_FILE_CORRUPT, /* c0000051 (STATUS_NONEXISTENT_EA_ENTRY) */
460 ERROR_FILE_CORRUPT, /* c0000052 (STATUS_NO_EAS_ON_FILE) */
461 ERROR_FILE_CORRUPT, /* c0000053 (STATUS_EA_CORRUPT_ERROR) */
462 ERROR_LOCK_VIOLATION, /* c0000054 (STATUS_FILE_LOCK_CONFLICT) */
463 ERROR_LOCK_VIOLATION, /* c0000055 (STATUS_LOCK_NOT_GRANTED) */
464 ERROR_ACCESS_DENIED, /* c0000056 (STATUS_DELETE_PENDING) */
465 ERROR_NOT_SUPPORTED, /* c0000057 (STATUS_CTL_FILE_NOT_SUPPORTED) */
466 ERROR_UNKNOWN_REVISION, /* c0000058 (STATUS_UNKNOWN_REVISION) */
467 ERROR_REVISION_MISMATCH, /* c0000059 (STATUS_REVISION_MISMATCH) */
468 ERROR_INVALID_OWNER, /* c000005a (STATUS_INVALID_OWNER) */
469 ERROR_INVALID_PRIMARY_GROUP, /* c000005b (STATUS_INVALID_PRIMARY_GROUP) */
470 ERROR_NO_IMPERSONATION_TOKEN, /* c000005c (STATUS_NO_IMPERSONATION_TOKEN) */
471 ERROR_CANT_DISABLE_MANDATORY, /* c000005d (STATUS_CANT_DISABLE_MANDATORY) */
472 ERROR_NO_LOGON_SERVERS, /* c000005e (STATUS_NO_LOGON_SERVERS) */
473 ERROR_NO_SUCH_LOGON_SESSION, /* c000005f (STATUS_NO_SUCH_LOGON_SESSION) */
474 ERROR_NO_SUCH_PRIVILEGE, /* c0000060 (STATUS_NO_SUCH_PRIVILEGE) */
475 ERROR_PRIVILEGE_NOT_HELD, /* c0000061 (STATUS_PRIVILEGE_NOT_HELD) */
476 ERROR_INVALID_ACCOUNT_NAME, /* c0000062 (STATUS_INVALID_ACCOUNT_NAME) */
477 ERROR_USER_EXISTS, /* c0000063 (STATUS_USER_EXISTS) */
478 ERROR_NO_SUCH_USER, /* c0000064 (STATUS_NO_SUCH_USER) */
479 ERROR_GROUP_EXISTS, /* c0000065 (STATUS_GROUP_EXISTS) */
480 ERROR_NO_SUCH_GROUP, /* c0000066 (STATUS_NO_SUCH_GROUP) */
481 ERROR_MEMBER_IN_GROUP, /* c0000067 (STATUS_MEMBER_IN_GROUP) */
482 ERROR_MEMBER_NOT_IN_GROUP, /* c0000068 (STATUS_MEMBER_NOT_IN_GROUP) */
483 ERROR_LAST_ADMIN, /* c0000069 (STATUS_LAST_ADMIN) */
484 ERROR_INVALID_PASSWORD, /* c000006a (STATUS_WRONG_PASSWORD) */
485 ERROR_ILL_FORMED_PASSWORD, /* c000006b (STATUS_ILL_FORMED_PASSWORD) */
486 ERROR_PASSWORD_RESTRICTION, /* c000006c (STATUS_PASSWORD_RESTRICTION) */
487 ERROR_LOGON_FAILURE, /* c000006d (STATUS_LOGON_FAILURE) */
488 ERROR_ACCOUNT_RESTRICTION, /* c000006e (STATUS_ACCOUNT_RESTRICTION) */
489 ERROR_INVALID_LOGON_HOURS, /* c000006f (STATUS_INVALID_LOGON_HOURS) */
490 ERROR_INVALID_WORKSTATION, /* c0000070 (STATUS_INVALID_WORKSTATION) */
491 ERROR_PASSWORD_EXPIRED, /* c0000071 (STATUS_PASSWORD_EXPIRED) */
492 ERROR_ACCOUNT_DISABLED, /* c0000072 (STATUS_ACCOUNT_DISABLED) */
493 ERROR_NONE_MAPPED, /* c0000073 (STATUS_NONE_MAPPED) */
494 ERROR_TOO_MANY_LUIDS_REQUESTED, /* c0000074 (STATUS_TOO_MANY_LUIDS_REQUESTED) */
495 ERROR_LUIDS_EXHAUSTED, /* c0000075 (STATUS_LUIDS_EXHAUSTED) */
496 ERROR_INVALID_SUB_AUTHORITY, /* c0000076 (STATUS_INVALID_SUB_AUTHORITY) */
497 ERROR_INVALID_ACL, /* c0000077 (STATUS_INVALID_ACL) */
498 ERROR_INVALID_SID, /* c0000078 (STATUS_INVALID_SID) */
499 ERROR_INVALID_SECURITY_DESCR, /* c0000079 (STATUS_INVALID_SECURITY_DESCR) */
500 ERROR_PROC_NOT_FOUND, /* c000007a (STATUS_PROCEDURE_NOT_FOUND) */
501 ERROR_BAD_EXE_FORMAT, /* c000007b (STATUS_INVALID_IMAGE_FORMAT) */
502 ERROR_NO_TOKEN, /* c000007c (STATUS_NO_TOKEN) */
503 ERROR_BAD_INHERITANCE_ACL, /* c000007d (STATUS_BAD_INHERITANCE_ACL) */
504 ERROR_NOT_LOCKED, /* c000007e (STATUS_RANGE_NOT_LOCKED) */
505 ERROR_DISK_FULL, /* c000007f (STATUS_DISK_FULL) */
506 ERROR_SERVER_DISABLED, /* c0000080 (STATUS_SERVER_DISABLED) */
507 ERROR_SERVER_NOT_DISABLED, /* c0000081 (STATUS_SERVER_NOT_DISABLED) */
508 ERROR_TOO_MANY_NAMES, /* c0000082 (STATUS_TOO_MANY_GUIDS_REQUESTED) */
509 ERROR_NO_MORE_ITEMS, /* c0000083 (STATUS_GUIDS_EXHAUSTED) */
510 ERROR_INVALID_ID_AUTHORITY, /* c0000084 (STATUS_INVALID_ID_AUTHORITY) */
511 ERROR_NO_MORE_ITEMS, /* c0000085 (STATUS_AGENTS_EXHAUSTED) */
512 ERROR_LABEL_TOO_LONG, /* c0000086 (STATUS_INVALID_VOLUME_LABEL) */
513 ERROR_OUTOFMEMORY, /* c0000087 (STATUS_SECTION_NOT_EXTENDED) */
514 ERROR_INVALID_ADDRESS, /* c0000088 (STATUS_NOT_MAPPED_DATA) */
515 ERROR_RESOURCE_DATA_NOT_FOUND, /* c0000089 (STATUS_RESOURCE_DATA_NOT_FOUND) */
516 ERROR_RESOURCE_TYPE_NOT_FOUND, /* c000008a (STATUS_RESOURCE_TYPE_NOT_FOUND) */
517 ERROR_RESOURCE_NAME_NOT_FOUND, /* c000008b (STATUS_RESOURCE_NAME_NOT_FOUND) */
518 STATUS_ARRAY_BOUNDS_EXCEEDED, /* c000008c (STATUS_ARRAY_BOUNDS_EXCEEDED) */
519 STATUS_FLOAT_DENORMAL_OPERAND, /* c000008d (STATUS_FLOAT_DENORMAL_OPERAND) */
520 STATUS_FLOAT_DIVIDE_BY_ZERO, /* c000008e (STATUS_FLOAT_DIVIDE_BY_ZERO) */
521 STATUS_FLOAT_INEXACT_RESULT, /* c000008f (STATUS_FLOAT_INEXACT_RESULT) */
522 STATUS_FLOAT_INVALID_OPERATION, /* c0000090 (STATUS_FLOAT_INVALID_OPERATION) */
523 STATUS_FLOAT_OVERFLOW, /* c0000091 (STATUS_FLOAT_OVERFLOW) */
524 STATUS_FLOAT_STACK_CHECK, /* c0000092 (STATUS_FLOAT_STACK_CHECK) */
525 STATUS_FLOAT_UNDERFLOW, /* c0000093 (STATUS_FLOAT_UNDERFLOW) */
526 STATUS_INTEGER_DIVIDE_BY_ZERO, /* c0000094 (STATUS_INTEGER_DIVIDE_BY_ZERO) */
527 ERROR_ARITHMETIC_OVERFLOW, /* c0000095 (STATUS_INTEGER_OVERFLOW) */
528 STATUS_PRIVILEGED_INSTRUCTION, /* c0000096 (STATUS_PRIVILEGED_INSTRUCTION) */
529 ERROR_NOT_ENOUGH_MEMORY, /* c0000097 (STATUS_TOO_MANY_PAGING_FILES) */
530 ERROR_FILE_INVALID, /* c0000098 (STATUS_FILE_INVALID) */
531 ERROR_ALLOTTED_SPACE_EXCEEDED, /* c0000099 (STATUS_ALLOTTED_SPACE_EXCEEDED) */
532 ERROR_NO_SYSTEM_RESOURCES, /* c000009a (STATUS_INSUFFICIENT_RESOURCES) */
533 ERROR_PATH_NOT_FOUND, /* c000009b (STATUS_DFS_EXIT_PATH_FOUND) */
534 ERROR_CRC, /* c000009c (STATUS_DEVICE_DATA_ERROR) */
535 ERROR_DEVICE_NOT_CONNECTED, /* c000009d (STATUS_DEVICE_NOT_CONNECTED) */
536 ERROR_NOT_READY, /* c000009e (STATUS_DEVICE_POWER_FAILURE) */
537 ERROR_INVALID_ADDRESS, /* c000009f (STATUS_FREE_VM_NOT_AT_BASE) */
538 ERROR_INVALID_ADDRESS, /* c00000a0 (STATUS_MEMORY_NOT_ALLOCATED) */
539 ERROR_WORKING_SET_QUOTA, /* c00000a1 (STATUS_WORKING_SET_QUOTA) */
540 ERROR_WRITE_PROTECT, /* c00000a2 (STATUS_MEDIA_WRITE_PROTECTED) */
541 ERROR_NOT_READY, /* c00000a3 (STATUS_DEVICE_NOT_READY) */
542 ERROR_INVALID_GROUP_ATTRIBUTES, /* c00000a4 (STATUS_INVALID_GROUP_ATTRIBUTES) */
543 ERROR_BAD_IMPERSONATION_LEVEL, /* c00000a5 (STATUS_BAD_IMPERSONATION_LEVEL) */
544 ERROR_CANT_OPEN_ANONYMOUS, /* c00000a6 (STATUS_CANT_OPEN_ANONYMOUS) */
545 ERROR_BAD_VALIDATION_CLASS, /* c00000a7 (STATUS_BAD_VALIDATION_CLASS) */
546 ERROR_BAD_TOKEN_TYPE, /* c00000a8 (STATUS_BAD_TOKEN_TYPE) */
547 ERROR_INVALID_PARAMETER, /* c00000a9 (STATUS_BAD_MASTER_BOOT_RECORD) */
548 ERROR_MR_MID_NOT_FOUND, /* c00000aa (STATUS_INSTRUCTION_MISALIGNMENT) */
549 ERROR_PIPE_BUSY, /* c00000ab (STATUS_INSTANCE_NOT_AVAILABLE) */
550 ERROR_PIPE_BUSY, /* c00000ac (STATUS_PIPE_NOT_AVAILABLE) */
551 ERROR_BAD_PIPE, /* c00000ad (STATUS_INVALID_PIPE_STATE) */
552 ERROR_PIPE_BUSY, /* c00000ae (STATUS_PIPE_BUSY) */
553 ERROR_INVALID_FUNCTION, /* c00000af (STATUS_ILLEGAL_FUNCTION) */
554 ERROR_PIPE_NOT_CONNECTED, /* c00000b0 (STATUS_PIPE_DISCONNECTED) */
555 ERROR_NO_DATA, /* c00000b1 (STATUS_PIPE_CLOSING) */
556 ERROR_PIPE_CONNECTED, /* c00000b2 (STATUS_PIPE_CONNECTED) */
557 ERROR_PIPE_LISTENING, /* c00000b3 (STATUS_PIPE_LISTENING) */
558 ERROR_BAD_PIPE, /* c00000b4 (STATUS_INVALID_READ_MODE) */
559 ERROR_SEM_TIMEOUT, /* c00000b5 (STATUS_IO_TIMEOUT) */
560 ERROR_HANDLE_EOF, /* c00000b6 (STATUS_FILE_FORCED_CLOSED) */
561 ERROR_MR_MID_NOT_FOUND, /* c00000b7 (STATUS_PROFILING_NOT_STARTED) */
562 ERROR_MR_MID_NOT_FOUND, /* c00000b8 (STATUS_PROFILING_NOT_STOPPED) */
563 ERROR_MR_MID_NOT_FOUND, /* c00000b9 (STATUS_COULD_NOT_INTERPRET) */
564 ERROR_ACCESS_DENIED, /* c00000ba (STATUS_FILE_IS_A_DIRECTORY) */
565 ERROR_NOT_SUPPORTED, /* c00000bb (STATUS_NOT_SUPPORTED) */
566 ERROR_REM_NOT_LIST, /* c00000bc (STATUS_REMOTE_NOT_LISTENING) */
567 ERROR_DUP_NAME, /* c00000bd (STATUS_DUPLICATE_NAME) */
568 ERROR_BAD_NETPATH, /* c00000be (STATUS_BAD_NETWORK_PATH) */
569 ERROR_NETWORK_BUSY, /* c00000bf (STATUS_NETWORK_BUSY) */
570 ERROR_DEV_NOT_EXIST, /* c00000c0 (STATUS_DEVICE_DOES_NOT_EXIST) */
571 ERROR_TOO_MANY_CMDS, /* c00000c1 (STATUS_TOO_MANY_COMMANDS) */
572 ERROR_ADAP_HDW_ERR, /* c00000c2 (STATUS_ADAPTER_HARDWARE_ERROR) */
573 ERROR_BAD_NET_RESP, /* c00000c3 (STATUS_INVALID_NETWORK_RESPONSE) */
574 ERROR_UNEXP_NET_ERR, /* c00000c4 (STATUS_UNEXPECTED_NETWORK_ERROR) */
575 ERROR_BAD_REM_ADAP, /* c00000c5 (STATUS_BAD_REMOTE_ADAPTER) */
576 ERROR_PRINTQ_FULL, /* c00000c6 (STATUS_PRINT_QUEUE_FULL) */
577 ERROR_NO_SPOOL_SPACE, /* c00000c7 (STATUS_NO_SPOOL_SPACE) */
578 ERROR_PRINT_CANCELLED, /* c00000c8 (STATUS_PRINT_CANCELLED) */
579 ERROR_NETNAME_DELETED, /* c00000c9 (STATUS_NETWORK_NAME_DELETED) */
580 ERROR_NETWORK_ACCESS_DENIED, /* c00000ca (STATUS_NETWORK_ACCESS_DENIED) */
581 ERROR_BAD_DEV_TYPE, /* c00000cb (STATUS_BAD_DEVICE_TYPE) */
582 ERROR_BAD_NET_NAME, /* c00000cc (STATUS_BAD_NETWORK_NAME) */
583 ERROR_TOO_MANY_NAMES, /* c00000cd (STATUS_TOO_MANY_NAMES) */
584 ERROR_TOO_MANY_SESS, /* c00000ce (STATUS_TOO_MANY_SESSIONS) */
585 ERROR_SHARING_PAUSED, /* c00000cf (STATUS_SHARING_PAUSED) */
586 ERROR_REQ_NOT_ACCEP, /* c00000d0 (STATUS_REQUEST_NOT_ACCEPTED) */
587 ERROR_REDIR_PAUSED, /* c00000d1 (STATUS_REDIRECTOR_PAUSED) */
588 ERROR_NET_WRITE_FAULT, /* c00000d2 (STATUS_NET_WRITE_FAULT) */
589 ERROR_MR_MID_NOT_FOUND, /* c00000d3 (STATUS_PROFILING_AT_LIMIT) */
590 ERROR_NOT_SAME_DEVICE, /* c00000d4 (STATUS_NOT_SAME_DEVICE) */
591 ERROR_ACCESS_DENIED, /* c00000d5 (STATUS_FILE_RENAMED) */
592 ERROR_VC_DISCONNECTED, /* c00000d6 (STATUS_VIRTUAL_CIRCUIT_CLOSED) */
593 ERROR_NO_SECURITY_ON_OBJECT, /* c00000d7 (STATUS_NO_SECURITY_ON_OBJECT) */
594 ERROR_MR_MID_NOT_FOUND, /* c00000d8 (STATUS_CANT_WAIT) */
595 ERROR_NO_DATA, /* c00000d9 (STATUS_PIPE_EMPTY) */
596 ERROR_CANT_ACCESS_DOMAIN_INFO, /* c00000da (STATUS_CANT_ACCESS_DOMAIN_INFO) */
597 ERROR_MR_MID_NOT_FOUND, /* c00000db (STATUS_CANT_TERMINATE_SELF) */
598 ERROR_INVALID_SERVER_STATE, /* c00000dc (STATUS_INVALID_SERVER_STATE) */
599 ERROR_INVALID_DOMAIN_STATE, /* c00000dd (STATUS_INVALID_DOMAIN_STATE) */
600 ERROR_INVALID_DOMAIN_ROLE, /* c00000de (STATUS_INVALID_DOMAIN_ROLE) */
601 ERROR_NO_SUCH_DOMAIN, /* c00000df (STATUS_NO_SUCH_DOMAIN) */
602 ERROR_DOMAIN_EXISTS, /* c00000e0 (STATUS_DOMAIN_EXISTS) */
603 ERROR_DOMAIN_LIMIT_EXCEEDED, /* c00000e1 (STATUS_DOMAIN_LIMIT_EXCEEDED) */
604 ERROR_OPLOCK_NOT_GRANTED, /* c00000e2 (STATUS_OPLOCK_NOT_GRANTED) */
605 ERROR_INVALID_OPLOCK_PROTOCOL, /* c00000e3 (STATUS_INVALID_OPLOCK_PROTOCOL) */
606 ERROR_INTERNAL_DB_CORRUPTION, /* c00000e4 (STATUS_INTERNAL_DB_CORRUPTION) */
607 ERROR_INTERNAL_ERROR, /* c00000e5 (STATUS_INTERNAL_ERROR) */
608 ERROR_GENERIC_NOT_MAPPED, /* c00000e6 (STATUS_GENERIC_NOT_MAPPED) */
609 ERROR_BAD_DESCRIPTOR_FORMAT, /* c00000e7 (STATUS_BAD_DESCRIPTOR_FORMAT) */
610 ERROR_INVALID_USER_BUFFER, /* c00000e8 (STATUS_INVALID_USER_BUFFER) */
611 ERROR_MR_MID_NOT_FOUND, /* c00000e9 (STATUS_UNEXPECTED_IO_ERROR) */
612 ERROR_MR_MID_NOT_FOUND, /* c00000ea (STATUS_UNEXPECTED_MM_CREATE_ERR) */
613 ERROR_MR_MID_NOT_FOUND, /* c00000eb (STATUS_UNEXPECTED_MM_MAP_ERROR) */
614 ERROR_MR_MID_NOT_FOUND, /* c00000ec (STATUS_UNEXPECTED_MM_EXTEND_ERR) */
615 ERROR_NOT_LOGON_PROCESS, /* c00000ed (STATUS_NOT_LOGON_PROCESS) */
616 ERROR_LOGON_SESSION_EXISTS, /* c00000ee (STATUS_LOGON_SESSION_EXISTS) */
617 ERROR_INVALID_PARAMETER, /* c00000ef (STATUS_INVALID_PARAMETER_1) */
618 ERROR_INVALID_PARAMETER, /* c00000f0 (STATUS_INVALID_PARAMETER_2) */
619 ERROR_INVALID_PARAMETER, /* c00000f1 (STATUS_INVALID_PARAMETER_3) */
620 ERROR_INVALID_PARAMETER, /* c00000f2 (STATUS_INVALID_PARAMETER_4) */
621 ERROR_INVALID_PARAMETER, /* c00000f3 (STATUS_INVALID_PARAMETER_5) */
622 ERROR_INVALID_PARAMETER, /* c00000f4 (STATUS_INVALID_PARAMETER_6) */
623 ERROR_INVALID_PARAMETER, /* c00000f5 (STATUS_INVALID_PARAMETER_7) */
624 ERROR_INVALID_PARAMETER, /* c00000f6 (STATUS_INVALID_PARAMETER_8) */
625 ERROR_INVALID_PARAMETER, /* c00000f7 (STATUS_INVALID_PARAMETER_9) */
626 ERROR_INVALID_PARAMETER, /* c00000f8 (STATUS_INVALID_PARAMETER_10) */
627 ERROR_INVALID_PARAMETER, /* c00000f9 (STATUS_INVALID_PARAMETER_11) */
628 ERROR_INVALID_PARAMETER, /* c00000fa (STATUS_INVALID_PARAMETER_12) */
629 ERROR_PATH_NOT_FOUND, /* c00000fb (STATUS_REDIRECTOR_NOT_STARTED) */
630 ERROR_SERVICE_ALREADY_RUNNING, /* c00000fc (STATUS_REDIRECTOR_STARTED) */
631 ERROR_STACK_OVERFLOW, /* c00000fd (STATUS_STACK_OVERFLOW) */
632 ERROR_NO_SUCH_PACKAGE, /* c00000fe (STATUS_NO_SUCH_PACKAGE) */
633 ERROR_MR_MID_NOT_FOUND, /* c00000ff (STATUS_BAD_FUNCTION_TABLE) */
634 ERROR_ENVVAR_NOT_FOUND, /* c0000100 (STATUS_VARIABLE_NOT_FOUND) */
635 ERROR_DIR_NOT_EMPTY, /* c0000101 (STATUS_DIRECTORY_NOT_EMPTY) */
636 ERROR_FILE_CORRUPT, /* c0000102 (STATUS_FILE_CORRUPT_ERROR) */
637 ERROR_DIRECTORY, /* c0000103 (STATUS_NOT_A_DIRECTORY) */
638 ERROR_BAD_LOGON_SESSION_STATE, /* c0000104 (STATUS_BAD_LOGON_SESSION_STATE) */
639 ERROR_LOGON_SESSION_COLLISION, /* c0000105 (STATUS_LOGON_SESSION_COLLISION) */
640 ERROR_FILENAME_EXCED_RANGE, /* c0000106 (STATUS_NAME_TOO_LONG) */
641 ERROR_OPEN_FILES, /* c0000107 (STATUS_FILES_OPEN) */
642 ERROR_DEVICE_IN_USE, /* c0000108 (STATUS_CONNECTION_IN_USE) */
643 ERROR_MR_MID_NOT_FOUND, /* c0000109 (STATUS_MESSAGE_NOT_FOUND) */
644 ERROR_ACCESS_DENIED, /* c000010a (STATUS_PROCESS_IS_TERMINATING) */
645 ERROR_INVALID_LOGON_TYPE, /* c000010b (STATUS_INVALID_LOGON_TYPE) */
646 ERROR_MR_MID_NOT_FOUND, /* c000010c (STATUS_NO_GUID_TRANSLATION) */
647 ERROR_CANNOT_IMPERSONATE, /* c000010d (STATUS_CANNOT_IMPERSONATE) */
648 ERROR_SERVICE_ALREADY_RUNNING, /* c000010e (STATUS_IMAGE_ALREADY_LOADED) */
649 ERROR_MR_MID_NOT_FOUND, /* c000010f (STATUS_ABIOS_NOT_PRESENT) */
650 ERROR_MR_MID_NOT_FOUND, /* c0000110 (STATUS_ABIOS_LID_NOT_EXIST) */
651 ERROR_MR_MID_NOT_FOUND, /* c0000111 (STATUS_ABIOS_LID_ALREADY_OWNED) */
652 ERROR_MR_MID_NOT_FOUND, /* c0000112 (STATUS_ABIOS_NOT_LID_OWNER) */
653 ERROR_MR_MID_NOT_FOUND, /* c0000113 (STATUS_ABIOS_INVALID_COMMAND) */
654 ERROR_MR_MID_NOT_FOUND, /* c0000114 (STATUS_ABIOS_INVALID_LID) */
655 ERROR_MR_MID_NOT_FOUND, /* c0000115 (STATUS_ABIOS_SELECTOR_NOT_AVAILABLE) */
656 ERROR_MR_MID_NOT_FOUND, /* c0000116 (STATUS_ABIOS_INVALID_SELECTOR) */
657 ERROR_INVALID_THREAD_ID, /* c0000117 (STATUS_NO_LDT) */
658 ERROR_MR_MID_NOT_FOUND, /* c0000118 (STATUS_INVALID_LDT_SIZE) */
659 ERROR_MR_MID_NOT_FOUND, /* c0000119 (STATUS_INVALID_LDT_OFFSET) */
660 ERROR_MR_MID_NOT_FOUND, /* c000011a (STATUS_INVALID_LDT_DESCRIPTOR) */
661 ERROR_BAD_EXE_FORMAT, /* c000011b (STATUS_INVALID_IMAGE_NE_FORMAT) */
662 ERROR_RXACT_INVALID_STATE, /* c000011c (STATUS_RXACT_INVALID_STATE) */
663 ERROR_RXACT_COMMIT_FAILURE, /* c000011d (STATUS_RXACT_COMMIT_FAILURE) */
664 ERROR_FILE_INVALID, /* c000011e (STATUS_MAPPED_FILE_SIZE_ZERO) */
665 ERROR_TOO_MANY_OPEN_FILES, /* c000011f (STATUS_TOO_MANY_OPENED_FILES) */
666 ERROR_OPERATION_ABORTED, /* c0000120 (STATUS_CANCELLED) */
667 ERROR_ACCESS_DENIED, /* c0000121 (STATUS_CANNOT_DELETE) */
668 ERROR_INVALID_COMPUTERNAME, /* c0000122 (STATUS_INVALID_COMPUTER_NAME) */
669 ERROR_ACCESS_DENIED, /* c0000123 (STATUS_FILE_DELETED) */
670 ERROR_SPECIAL_ACCOUNT, /* c0000124 (STATUS_SPECIAL_ACCOUNT) */
671 ERROR_SPECIAL_GROUP, /* c0000125 (STATUS_SPECIAL_GROUP) */
672 ERROR_SPECIAL_USER, /* c0000126 (STATUS_SPECIAL_USER) */
673 ERROR_MEMBERS_PRIMARY_GROUP, /* c0000127 (STATUS_MEMBERS_PRIMARY_GROUP) */
674 ERROR_INVALID_HANDLE, /* c0000128 (STATUS_FILE_CLOSED) */
675 ERROR_MR_MID_NOT_FOUND, /* c0000129 (STATUS_TOO_MANY_THREADS) */
676 ERROR_MR_MID_NOT_FOUND, /* c000012a (STATUS_THREAD_NOT_IN_PROCESS) */
677 ERROR_TOKEN_ALREADY_IN_USE, /* c000012b (STATUS_TOKEN_ALREADY_IN_USE) */
678 ERROR_MR_MID_NOT_FOUND, /* c000012c (STATUS_PAGEFILE_QUOTA_EXCEEDED) */
679 ERROR_COMMITMENT_LIMIT, /* c000012d (STATUS_COMMITMENT_LIMIT) */
680 ERROR_BAD_EXE_FORMAT, /* c000012e (STATUS_INVALID_IMAGE_LE_FORMAT) */
681 ERROR_BAD_EXE_FORMAT, /* c000012f (STATUS_INVALID_IMAGE_NOT_MZ) */
682 ERROR_BAD_EXE_FORMAT, /* c0000130 (STATUS_INVALID_IMAGE_PROTECT) */
683 ERROR_BAD_EXE_FORMAT, /* c0000131 (STATUS_INVALID_IMAGE_WIN_16) */
684 ERROR_MR_MID_NOT_FOUND, /* c0000132 (STATUS_LOGON_SERVER_CONFLICT) */
685 ERROR_TIME_SKEW, /* c0000133 (STATUS_TIME_DIFFERENCE_AT_DC) */
686 ERROR_MR_MID_NOT_FOUND, /* c0000134 (STATUS_SYNCHRONIZATION_REQUIRED) */
687 ERROR_MOD_NOT_FOUND, /* c0000135 (STATUS_DLL_NOT_FOUND) */
688 ERROR_MR_MID_NOT_FOUND, /* c0000136 (STATUS_OPEN_FAILED) */
689 ERROR_MR_MID_NOT_FOUND, /* c0000137 (STATUS_IO_PRIVILEGE_FAILED) */
690 ERROR_INVALID_ORDINAL, /* c0000138 (STATUS_ORDINAL_NOT_FOUND) */
691 ERROR_PROC_NOT_FOUND, /* c0000139 (STATUS_ENTRYPOINT_NOT_FOUND) */
692 ERROR_MR_MID_NOT_FOUND, /* c000013a (STATUS_CONTROL_C_EXIT) */
693 ERROR_NETNAME_DELETED, /* c000013b (STATUS_LOCAL_DISCONNECT) */
694 ERROR_NETNAME_DELETED, /* c000013c (STATUS_REMOTE_DISCONNECT) */
695 ERROR_REM_NOT_LIST, /* c000013d (STATUS_REMOTE_RESOURCES) */
696 ERROR_UNEXP_NET_ERR, /* c000013e (STATUS_LINK_FAILED) */
697 ERROR_UNEXP_NET_ERR, /* c000013f (STATUS_LINK_TIMEOUT) */
698 ERROR_UNEXP_NET_ERR, /* c0000140 (STATUS_INVALID_CONNECTION) */
699 ERROR_UNEXP_NET_ERR, /* c0000141 (STATUS_INVALID_ADDRESS) */
700 ERROR_DLL_INIT_FAILED, /* c0000142 (STATUS_DLL_INIT_FAILED) */
701 ERROR_MR_MID_NOT_FOUND, /* c0000143 (STATUS_MISSING_SYSTEMFILE) */
702 ERROR_MR_MID_NOT_FOUND, /* c0000144 (STATUS_UNHANDLED_EXCEPTION) */
703 ERROR_MR_MID_NOT_FOUND, /* c0000145 (STATUS_APP_INIT_FAILURE) */
704 ERROR_MR_MID_NOT_FOUND, /* c0000146 (STATUS_PAGEFILE_CREATE_FAILED) */
705 ERROR_MR_MID_NOT_FOUND, /* c0000147 (STATUS_NO_PAGEFILE) */
706 ERROR_INVALID_LEVEL, /* c0000148 (STATUS_INVALID_LEVEL) */
707 ERROR_INVALID_PASSWORD, /* c0000149 (STATUS_WRONG_PASSWORD_CORE) */
708 ERROR_MR_MID_NOT_FOUND, /* c000014a (STATUS_ILLEGAL_FLOAT_CONTEXT) */
709 ERROR_BROKEN_PIPE, /* c000014b (STATUS_PIPE_BROKEN) */
710 ERROR_BADDB, /* c000014c (STATUS_REGISTRY_CORRUPT) */
711 ERROR_REGISTRY_IO_FAILED, /* c000014d (STATUS_REGISTRY_IO_FAILED) */
712 ERROR_MR_MID_NOT_FOUND, /* c000014e (STATUS_NO_EVENT_PAIR) */
713 ERROR_UNRECOGNIZED_VOLUME, /* c000014f (STATUS_UNRECOGNIZED_VOLUME) */
714 ERROR_SERIAL_NO_DEVICE, /* c0000150 (STATUS_SERIAL_NO_DEVICE_INITED) */
715 ERROR_NO_SUCH_ALIAS, /* c0000151 (STATUS_NO_SUCH_ALIAS) */
716 ERROR_MEMBER_NOT_IN_ALIAS, /* c0000152 (STATUS_MEMBER_NOT_IN_ALIAS) */
717 ERROR_MEMBER_IN_ALIAS, /* c0000153 (STATUS_MEMBER_IN_ALIAS) */
718 ERROR_ALIAS_EXISTS, /* c0000154 (STATUS_ALIAS_EXISTS) */
719 ERROR_LOGON_NOT_GRANTED, /* c0000155 (STATUS_LOGON_NOT_GRANTED) */
720 ERROR_TOO_MANY_SECRETS, /* c0000156 (STATUS_TOO_MANY_SECRETS) */
721 ERROR_SECRET_TOO_LONG, /* c0000157 (STATUS_SECRET_TOO_LONG) */
722 ERROR_INTERNAL_DB_ERROR, /* c0000158 (STATUS_INTERNAL_DB_ERROR) */
723 ERROR_FULLSCREEN_MODE, /* c0000159 (STATUS_FULLSCREEN_MODE) */
724 ERROR_TOO_MANY_CONTEXT_IDS, /* c000015a (STATUS_TOO_MANY_CONTEXT_IDS) */
725 ERROR_LOGON_TYPE_NOT_GRANTED, /* c000015b (STATUS_LOGON_TYPE_NOT_GRANTED) */
726 ERROR_NOT_REGISTRY_FILE, /* c000015c (STATUS_NOT_REGISTRY_FILE) */
727 ERROR_NT_CROSS_ENCRYPTION_REQUIRED, /* c000015d (STATUS_NT_CROSS_ENCRYPTION_REQUIRED) */
728 ERROR_MR_MID_NOT_FOUND, /* c000015e (STATUS_DOMAIN_CTRLR_CONFIG_ERROR) */
729 ERROR_IO_DEVICE, /* c000015f (STATUS_FT_MISSING_MEMBER) */
730 ERROR_MR_MID_NOT_FOUND, /* c0000160 (STATUS_ILL_FORMED_SERVICE_ENTRY) */
731 ERROR_MR_MID_NOT_FOUND, /* c0000161 (STATUS_ILLEGAL_CHARACTER) */
732 ERROR_NO_UNICODE_TRANSLATION, /* c0000162 (STATUS_UNMAPPABLE_CHARACTER) */
733 ERROR_MR_MID_NOT_FOUND, /* c0000163 (STATUS_UNDEFINED_CHARACTER) */
734 ERROR_MR_MID_NOT_FOUND, /* c0000164 (STATUS_FLOPPY_VOLUME) */
735 ERROR_FLOPPY_ID_MARK_NOT_FOUND, /* c0000165 (STATUS_FLOPPY_ID_MARK_NOT_FOUND) */
736 ERROR_FLOPPY_WRONG_CYLINDER, /* c0000166 (STATUS_FLOPPY_WRONG_CYLINDER) */
737 ERROR_FLOPPY_UNKNOWN_ERROR, /* c0000167 (STATUS_FLOPPY_UNKNOWN_ERROR) */
738 ERROR_FLOPPY_BAD_REGISTERS, /* c0000168 (STATUS_FLOPPY_BAD_REGISTERS) */
739 ERROR_DISK_RECALIBRATE_FAILED, /* c0000169 (STATUS_DISK_RECALIBRATE_FAILED) */
740 ERROR_DISK_OPERATION_FAILED, /* c000016a (STATUS_DISK_OPERATION_FAILED) */
741 ERROR_DISK_RESET_FAILED, /* c000016b (STATUS_DISK_RESET_FAILED) */
742 ERROR_IRQ_BUSY, /* c000016c (STATUS_SHARED_IRQ_BUSY) */
743 ERROR_IO_DEVICE, /* c000016d (STATUS_FT_ORPHANING) */
744 ERROR_MR_MID_NOT_FOUND, /* c000016e (STATUS_BIOS_FAILED_TO_CONNECT_INTERRUPT) */
745 ERROR_MR_MID_NOT_FOUND, /* c000016f */
746 ERROR_MR_MID_NOT_FOUND, /* c0000170 */
747 ERROR_MR_MID_NOT_FOUND, /* c0000171 */
748 ERROR_PARTITION_FAILURE, /* c0000172 (STATUS_PARTITION_FAILURE) */
749 ERROR_INVALID_BLOCK_LENGTH, /* c0000173 (STATUS_INVALID_BLOCK_LENGTH) */
750 ERROR_DEVICE_NOT_PARTITIONED, /* c0000174 (STATUS_DEVICE_NOT_PARTITIONED) */
751 ERROR_UNABLE_TO_LOCK_MEDIA, /* c0000175 (STATUS_UNABLE_TO_LOCK_MEDIA) */
752 ERROR_UNABLE_TO_UNLOAD_MEDIA, /* c0000176 (STATUS_UNABLE_TO_UNLOAD_MEDIA) */
753 ERROR_EOM_OVERFLOW, /* c0000177 (STATUS_EOM_OVERFLOW) */
754 ERROR_NO_MEDIA_IN_DRIVE, /* c0000178 (STATUS_NO_MEDIA) */
755 ERROR_MR_MID_NOT_FOUND, /* c0000179 */
756 ERROR_NO_SUCH_MEMBER, /* c000017a (STATUS_NO_SUCH_MEMBER) */
757 ERROR_INVALID_MEMBER, /* c000017b (STATUS_INVALID_MEMBER) */
758 ERROR_KEY_DELETED, /* c000017c (STATUS_KEY_DELETED) */
759 ERROR_NO_LOG_SPACE, /* c000017d (STATUS_NO_LOG_SPACE) */
760 ERROR_TOO_MANY_SIDS, /* c000017e (STATUS_TOO_MANY_SIDS) */
761 ERROR_LM_CROSS_ENCRYPTION_REQUIRED, /* c000017f (STATUS_LM_CROSS_ENCRYPTION_REQUIRED) */
762 ERROR_KEY_HAS_CHILDREN, /* c0000180 (STATUS_KEY_HAS_CHILDREN) */
763 ERROR_CHILD_MUST_BE_VOLATILE, /* c0000181 (STATUS_CHILD_MUST_BE_VOLATILE) */
764 ERROR_INVALID_PARAMETER, /* c0000182 (STATUS_DEVICE_CONFIGURATION_ERROR) */
765 ERROR_IO_DEVICE, /* c0000183 (STATUS_DRIVER_INTERNAL_ERROR) */
766 ERROR_BAD_COMMAND, /* c0000184 (STATUS_INVALID_DEVICE_STATE) */
767 ERROR_IO_DEVICE, /* c0000185 (STATUS_IO_DEVICE_ERROR) */
768 ERROR_IO_DEVICE, /* c0000186 (STATUS_DEVICE_PROTOCOL_ERROR) */
769 ERROR_MR_MID_NOT_FOUND, /* c0000187 (STATUS_BACKUP_CONTROLLER) */
770 ERROR_LOG_FILE_FULL, /* c0000188 (STATUS_LOG_FILE_FULL) */
771 ERROR_WRITE_PROTECT, /* c0000189 (STATUS_TOO_LATE) */
772 ERROR_NO_TRUST_LSA_SECRET, /* c000018a (STATUS_NO_TRUST_LSA_SECRET) */
773 ERROR_NO_TRUST_SAM_ACCOUNT, /* c000018b (STATUS_NO_TRUST_SAM_ACCOUNT) */
774 ERROR_TRUSTED_DOMAIN_FAILURE, /* c000018c (STATUS_TRUSTED_DOMAIN_FAILURE) */
775 ERROR_TRUSTED_RELATIONSHIP_FAILURE, /* c000018d (STATUS_TRUSTED_RELATIONSHIP_FAILURE) */
776 ERROR_EVENTLOG_FILE_CORRUPT, /* c000018e (STATUS_EVENTLOG_FILE_CORRUPT) */
777 ERROR_EVENTLOG_CANT_START, /* c000018f (STATUS_EVENTLOG_CANT_START) */
778 ERROR_TRUST_FAILURE, /* c0000190 (STATUS_TRUST_FAILURE) */
779 ERROR_MR_MID_NOT_FOUND, /* c0000191 (STATUS_MUTANT_LIMIT_EXCEEDED) */
780 ERROR_NETLOGON_NOT_STARTED, /* c0000192 (STATUS_NETLOGON_NOT_STARTED) */
781 ERROR_ACCOUNT_EXPIRED, /* c0000193 (STATUS_ACCOUNT_EXPIRED) */
782 ERROR_POSSIBLE_DEADLOCK, /* c0000194 (STATUS_POSSIBLE_DEADLOCK) */
783 ERROR_SESSION_CREDENTIAL_CONFLICT, /* c0000195 (STATUS_NETWORK_CREDENTIAL_CONFLICT) */
784 ERROR_REMOTE_SESSION_LIMIT_EXCEEDED, /* c0000196 (STATUS_REMOTE_SESSION_LIMIT) */
785 ERROR_EVENTLOG_FILE_CHANGED, /* c0000197 (STATUS_EVENTLOG_FILE_CHANGED) */
786 ERROR_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT,/* c0000198 (STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT) */
787 ERROR_NOLOGON_WORKSTATION_TRUST_ACCOUNT,/* c0000199 (STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT) */
788 ERROR_NOLOGON_SERVER_TRUST_ACCOUNT, /* c000019a (STATUS_NOLOGON_SERVER_TRUST_ACCOUNT) */
789 ERROR_DOMAIN_TRUST_INCONSISTENT /* c000019b (STATUS_DOMAIN_TRUST_INCONSISTENT) */
790 };
792 static const DWORD table_c0000202[396] =
793 {
794 ERROR_NO_USER_SESSION_KEY, /* c0000202 (STATUS_NO_USER_SESSION_KEY) */
795 ERROR_UNEXP_NET_ERR, /* c0000203 (STATUS_USER_SESSION_DELETED) */
796 ERROR_RESOURCE_LANG_NOT_FOUND, /* c0000204 (STATUS_RESOURCE_LANG_NOT_FOUND) */
797 ERROR_NOT_ENOUGH_SERVER_MEMORY, /* c0000205 (STATUS_INSUFF_SERVER_RESOURCES) */
798 ERROR_INVALID_USER_BUFFER, /* c0000206 (STATUS_INVALID_BUFFER_SIZE) */
799 ERROR_INVALID_NETNAME, /* c0000207 (STATUS_INVALID_ADDRESS_COMPONENT) */
800 ERROR_INVALID_NETNAME, /* c0000208 (STATUS_INVALID_ADDRESS_WILDCARD) */
801 ERROR_TOO_MANY_NAMES, /* c0000209 (STATUS_TOO_MANY_ADDRESSES) */
802 ERROR_DUP_NAME, /* c000020a (STATUS_ADDRESS_ALREADY_EXISTS) */
803 ERROR_NETNAME_DELETED, /* c000020b (STATUS_ADDRESS_CLOSED) */
804 ERROR_NETNAME_DELETED, /* c000020c (STATUS_CONNECTION_DISCONNECTED) */
805 ERROR_NETNAME_DELETED, /* c000020d (STATUS_CONNECTION_RESET) */
806 ERROR_TOO_MANY_NAMES, /* c000020e (STATUS_TOO_MANY_NODES) */
807 ERROR_UNEXP_NET_ERR, /* c000020f (STATUS_TRANSACTION_ABORTED) */
808 ERROR_UNEXP_NET_ERR, /* c0000210 (STATUS_TRANSACTION_TIMED_OUT) */
809 ERROR_UNEXP_NET_ERR, /* c0000211 (STATUS_TRANSACTION_NO_RELEASE) */
810 ERROR_UNEXP_NET_ERR, /* c0000212 (STATUS_TRANSACTION_NO_MATCH) */
811 ERROR_UNEXP_NET_ERR, /* c0000213 (STATUS_TRANSACTION_RESPONDED) */
812 ERROR_UNEXP_NET_ERR, /* c0000214 (STATUS_TRANSACTION_INVALID_ID) */
813 ERROR_UNEXP_NET_ERR, /* c0000215 (STATUS_TRANSACTION_INVALID_TYPE) */
814 ERROR_NOT_SUPPORTED, /* c0000216 (STATUS_NOT_SERVER_SESSION) */
815 ERROR_NOT_SUPPORTED, /* c0000217 (STATUS_NOT_CLIENT_SESSION) */
816 ERROR_MR_MID_NOT_FOUND, /* c0000218 (STATUS_CANNOT_LOAD_REGISTRY_FILE) */
817 ERROR_MR_MID_NOT_FOUND, /* c0000219 (STATUS_DEBUG_ATTACH_FAILED) */
818 ERROR_MR_MID_NOT_FOUND, /* c000021a (STATUS_SYSTEM_PROCESS_TERMINATED) */
819 ERROR_MR_MID_NOT_FOUND, /* c000021b (STATUS_DATA_NOT_ACCEPTED) */
820 ERROR_NO_BROWSER_SERVERS_FOUND, /* c000021c (STATUS_NO_BROWSER_SERVERS_FOUND) */
821 ERROR_MR_MID_NOT_FOUND, /* c000021d (STATUS_VDM_HARD_ERROR) */
822 ERROR_MR_MID_NOT_FOUND, /* c000021e (STATUS_DRIVER_CANCEL_TIMEOUT) */
823 ERROR_MR_MID_NOT_FOUND, /* c000021f (STATUS_REPLY_MESSAGE_MISMATCH) */
824 ERROR_MAPPED_ALIGNMENT, /* c0000220 (STATUS_MAPPED_ALIGNMENT) */
825 ERROR_BAD_EXE_FORMAT, /* c0000221 (STATUS_IMAGE_CHECKSUM_MISMATCH) */
826 ERROR_MR_MID_NOT_FOUND, /* c0000222 (STATUS_LOST_WRITEBEHIND_DATA) */
827 ERROR_MR_MID_NOT_FOUND, /* c0000223 (STATUS_CLIENT_SERVER_PARAMETERS_INVALID) */
828 ERROR_PASSWORD_MUST_CHANGE, /* c0000224 (STATUS_PASSWORD_MUST_CHANGE) */
829 ERROR_NOT_FOUND, /* c0000225 (STATUS_NOT_FOUND) */
830 ERROR_MR_MID_NOT_FOUND, /* c0000226 (STATUS_NOT_TINY_STREAM) */
831 ERROR_MR_MID_NOT_FOUND, /* c0000227 (STATUS_RECOVERY_FAILURE) */
832 ERROR_MR_MID_NOT_FOUND, /* c0000228 (STATUS_STACK_OVERFLOW_READ) */
833 ERROR_INVALID_PARAMETER, /* c0000229 (STATUS_FAIL_CHECK) */
834 STATUS_DUPLICATE_OBJECTID, /* c000022a (STATUS_DUPLICATE_OBJECTID) */
835 STATUS_OBJECTID_EXISTS, /* c000022b (STATUS_OBJECTID_EXISTS) */
836 ERROR_MR_MID_NOT_FOUND, /* c000022c (STATUS_CONVERT_TO_LARGE) */
837 ERROR_RETRY, /* c000022d (STATUS_RETRY) */
838 ERROR_MR_MID_NOT_FOUND, /* c000022e (STATUS_FOUND_OUT_OF_SCOPE) */
839 ERROR_MR_MID_NOT_FOUND, /* c000022f (STATUS_ALLOCATE_BUCKET) */
840 ERROR_SET_NOT_FOUND, /* c0000230 (STATUS_PROPSET_NOT_FOUND) */
841 ERROR_MR_MID_NOT_FOUND, /* c0000231 (STATUS_MARSHALL_OVERFLOW) */
842 ERROR_MR_MID_NOT_FOUND, /* c0000232 (STATUS_INVALID_VARIANT) */
843 ERROR_DOMAIN_CONTROLLER_NOT_FOUND, /* c0000233 (STATUS_DOMAIN_CONTROLLER_NOT_FOUND) */
844 ERROR_ACCOUNT_LOCKED_OUT, /* c0000234 (STATUS_ACCOUNT_LOCKED_OUT) */
845 ERROR_INVALID_HANDLE, /* c0000235 (STATUS_HANDLE_NOT_CLOSABLE) */
846 ERROR_CONNECTION_REFUSED, /* c0000236 (STATUS_CONNECTION_REFUSED) */
847 ERROR_GRACEFUL_DISCONNECT, /* c0000237 (STATUS_GRACEFUL_DISCONNECT) */
848 ERROR_ADDRESS_ALREADY_ASSOCIATED, /* c0000238 (STATUS_ADDRESS_ALREADY_ASSOCIATED) */
849 ERROR_ADDRESS_NOT_ASSOCIATED, /* c0000239 (STATUS_ADDRESS_NOT_ASSOCIATED) */
850 ERROR_CONNECTION_INVALID, /* c000023a (STATUS_CONNECTION_INVALID) */
851 ERROR_CONNECTION_ACTIVE, /* c000023b (STATUS_CONNECTION_ACTIVE) */
852 ERROR_NETWORK_UNREACHABLE, /* c000023c (STATUS_NETWORK_UNREACHABLE) */
853 ERROR_HOST_UNREACHABLE, /* c000023d (STATUS_HOST_UNREACHABLE) */
854 ERROR_PROTOCOL_UNREACHABLE, /* c000023e (STATUS_PROTOCOL_UNREACHABLE) */
855 ERROR_PORT_UNREACHABLE, /* c000023f (STATUS_PORT_UNREACHABLE) */
856 ERROR_REQUEST_ABORTED, /* c0000240 (STATUS_REQUEST_ABORTED) */
857 ERROR_CONNECTION_ABORTED, /* c0000241 (STATUS_CONNECTION_ABORTED) */
858 ERROR_MR_MID_NOT_FOUND, /* c0000242 (STATUS_BAD_COMPRESSION_BUFFER) */
859 ERROR_USER_MAPPED_FILE, /* c0000243 (STATUS_USER_MAPPED_FILE) */
860 ERROR_MR_MID_NOT_FOUND, /* c0000244 (STATUS_AUDIT_FAILED) */
861 ERROR_MR_MID_NOT_FOUND, /* c0000245 (STATUS_TIMER_RESOLUTION_NOT_SET) */
862 ERROR_CONNECTION_COUNT_LIMIT, /* c0000246 (STATUS_CONNECTION_COUNT_LIMIT) */
863 ERROR_LOGIN_TIME_RESTRICTION, /* c0000247 (STATUS_LOGIN_TIME_RESTRICTION) */
864 ERROR_LOGIN_WKSTA_RESTRICTION, /* c0000248 (STATUS_LOGIN_WKSTA_RESTRICTION) */
865 ERROR_BAD_EXE_FORMAT, /* c0000249 (STATUS_IMAGE_MP_UP_MISMATCH) */
866 ERROR_MR_MID_NOT_FOUND, /* c000024a */
867 ERROR_MR_MID_NOT_FOUND, /* c000024b */
868 ERROR_MR_MID_NOT_FOUND, /* c000024c */
869 ERROR_MR_MID_NOT_FOUND, /* c000024d */
870 ERROR_MR_MID_NOT_FOUND, /* c000024e */
871 ERROR_MR_MID_NOT_FOUND, /* c000024f */
872 ERROR_MR_MID_NOT_FOUND, /* c0000250 (STATUS_INSUFFICIENT_LOGON_INFO) */
873 ERROR_MR_MID_NOT_FOUND, /* c0000251 (STATUS_BAD_DLL_ENTRYPOINT) */
874 ERROR_MR_MID_NOT_FOUND, /* c0000252 (STATUS_BAD_SERVICE_ENTRYPOINT) */
875 ERROR_INTERNAL_ERROR, /* c0000253 (STATUS_LPC_REPLY_LOST) */
876 ERROR_MR_MID_NOT_FOUND, /* c0000254 (STATUS_IP_ADDRESS_CONFLICT1) */
877 ERROR_MR_MID_NOT_FOUND, /* c0000255 (STATUS_IP_ADDRESS_CONFLICT2) */
878 ERROR_MR_MID_NOT_FOUND, /* c0000256 (STATUS_REGISTRY_QUOTA_LIMIT) */
879 ERROR_HOST_UNREACHABLE, /* c0000257 (STATUS_PATH_NOT_COVERED) */
880 ERROR_MR_MID_NOT_FOUND, /* c0000258 (STATUS_NO_CALLBACK_ACTIVE) */
881 ERROR_LICENSE_QUOTA_EXCEEDED, /* c0000259 (STATUS_LICENSE_QUOTA_EXCEEDED) */
882 ERROR_MR_MID_NOT_FOUND, /* c000025a (STATUS_PWD_TOO_SHORT) */
883 ERROR_MR_MID_NOT_FOUND, /* c000025b (STATUS_PWD_TOO_RECENT) */
884 ERROR_MR_MID_NOT_FOUND, /* c000025c (STATUS_PWD_HISTORY_CONFLICT) */
885 ERROR_MR_MID_NOT_FOUND, /* c000025d */
886 ERROR_SERVICE_DISABLED, /* c000025e (STATUS_PLUGPLAY_NO_DEVICE) */
887 ERROR_MR_MID_NOT_FOUND, /* c000025f (STATUS_UNSUPPORTED_COMPRESSION) */
888 ERROR_MR_MID_NOT_FOUND, /* c0000260 (STATUS_INVALID_HW_PROFILE) */
889 ERROR_MR_MID_NOT_FOUND, /* c0000261 (STATUS_INVALID_PLUGPLAY_DEVICE_PATH) */
890 ERROR_INVALID_ORDINAL, /* c0000262 (STATUS_DRIVER_ORDINAL_NOT_FOUND) */
891 ERROR_PROC_NOT_FOUND, /* c0000263 (STATUS_DRIVER_ENTRYPOINT_NOT_FOUND) */
892 ERROR_NOT_OWNER, /* c0000264 (STATUS_RESOURCE_NOT_OWNED) */
893 ERROR_TOO_MANY_LINKS, /* c0000265 (STATUS_TOO_MANY_LINKS) */
894 ERROR_MR_MID_NOT_FOUND, /* c0000266 (STATUS_QUOTA_LIST_INCONSISTENT) */
895 ERROR_FILE_OFFLINE, /* c0000267 (STATUS_FILE_IS_OFFLINE) */
896 ERROR_MR_MID_NOT_FOUND, /* c0000268 (STATUS_EVALUATION_EXPIRATION) */
897 ERROR_MR_MID_NOT_FOUND, /* c0000269 (STATUS_ILLEGAL_DLL_RELOCATION) */
898 ERROR_CTX_LICENSE_NOT_AVAILABLE, /* c000026a (STATUS_LICENSE_VIOLATION) */
899 ERROR_MR_MID_NOT_FOUND, /* c000026b (STATUS_DLL_INIT_FAILED_LOGOFF) */
900 ERROR_BAD_DRIVER, /* c000026c (STATUS_DRIVER_UNABLE_TO_LOAD) */
901 ERROR_CONNECTION_UNAVAIL, /* c000026d (STATUS_DFS_UNAVAILABLE) */
902 ERROR_NOT_READY, /* c000026e (STATUS_VOLUME_DISMOUNTED) */
903 ERROR_MR_MID_NOT_FOUND, /* c000026f (STATUS_WX86_INTERNAL_ERROR) */
904 ERROR_MR_MID_NOT_FOUND, /* c0000270 (STATUS_WX86_FLOAT_STACK_CHECK) */
905 ERROR_MR_MID_NOT_FOUND, /* c0000271 (STATUS_VALIDATE_CONTINUE) */
906 ERROR_NO_MATCH, /* c0000272 (STATUS_NO_MATCH) */
907 ERROR_MR_MID_NOT_FOUND, /* c0000273 (STATUS_NO_MORE_MATCHES) */
908 ERROR_MR_MID_NOT_FOUND, /* c0000274 */
909 ERROR_NOT_A_REPARSE_POINT, /* c0000275 (STATUS_NOT_A_REPARSE_POINT) */
910 ERROR_REPARSE_TAG_INVALID, /* c0000276 (STATUS_IO_REPARSE_TAG_INVALID) */
911 ERROR_REPARSE_TAG_MISMATCH, /* c0000277 (STATUS_IO_REPARSE_TAG_MISMATCH) */
912 ERROR_INVALID_REPARSE_DATA, /* c0000278 (STATUS_IO_REPARSE_DATA_INVALID) */
913 ERROR_CANT_ACCESS_FILE, /* c0000279 (STATUS_IO_REPARSE_TAG_NOT_HANDLED) */
914 ERROR_MR_MID_NOT_FOUND, /* c000027a */
915 ERROR_MR_MID_NOT_FOUND, /* c000027b */
916 ERROR_MR_MID_NOT_FOUND, /* c000027c */
917 ERROR_MR_MID_NOT_FOUND, /* c000027d */
918 ERROR_MR_MID_NOT_FOUND, /* c000027e */
919 ERROR_MR_MID_NOT_FOUND, /* c000027f */
920 ERROR_CANT_RESOLVE_FILENAME, /* c0000280 (STATUS_REPARSE_POINT_NOT_RESOLVED) */
921 ERROR_BAD_PATHNAME, /* c0000281 (STATUS_DIRECTORY_IS_A_REPARSE_POINT) */
922 ERROR_MR_MID_NOT_FOUND, /* c0000282 (STATUS_RANGE_LIST_CONFLICT) */
923 ERROR_SOURCE_ELEMENT_EMPTY, /* c0000283 (STATUS_SOURCE_ELEMENT_EMPTY) */
924 ERROR_DESTINATION_ELEMENT_FULL, /* c0000284 (STATUS_DESTINATION_ELEMENT_FULL) */
925 ERROR_ILLEGAL_ELEMENT_ADDRESS, /* c0000285 (STATUS_ILLEGAL_ELEMENT_ADDRESS) */
926 ERROR_MAGAZINE_NOT_PRESENT, /* c0000286 (STATUS_MAGAZINE_NOT_PRESENT) */
927 ERROR_DEVICE_REINITIALIZATION_NEEDED, /* c0000287 (STATUS_REINITIALIZATION_NEEDED) */
928 ERROR_MR_MID_NOT_FOUND, /* c0000288 */
929 ERROR_MR_MID_NOT_FOUND, /* c0000289 */
930 ERROR_ACCESS_DENIED, /* c000028a (STATUS_ENCRYPTION_FAILED) */
931 ERROR_ACCESS_DENIED, /* c000028b (STATUS_DECRYPTION_FAILED) */
932 ERROR_MR_MID_NOT_FOUND, /* c000028c (STATUS_RANGE_NOT_FOUND) */
933 ERROR_ACCESS_DENIED, /* c000028d (STATUS_NO_RECOVERY_POLICY) */
934 ERROR_ACCESS_DENIED, /* c000028e (STATUS_NO_EFS) */
935 ERROR_ACCESS_DENIED, /* c000028f (STATUS_WRONG_EFS) */
936 ERROR_ACCESS_DENIED, /* c0000290 (STATUS_NO_USER_KEYS) */
937 ERROR_FILE_NOT_ENCRYPTED, /* c0000291 (STATUS_FILE_NOT_ENCRYPTED) */
938 ERROR_NOT_EXPORT_FORMAT, /* c0000292 (STATUS_NOT_EXPORT_FORMAT) */
939 ERROR_FILE_ENCRYPTED, /* c0000293 (STATUS_FILE_ENCRYPTED) */
940 ERROR_MR_MID_NOT_FOUND, /* c0000294 */
941 ERROR_WMI_GUID_NOT_FOUND, /* c0000295 (STATUS_WMI_GUID_NOT_FOUND) */
942 ERROR_WMI_INSTANCE_NOT_FOUND, /* c0000296 (STATUS_WMI_INSTANCE_NOT_FOUND) */
943 ERROR_WMI_ITEMID_NOT_FOUND, /* c0000297 (STATUS_WMI_ITEMID_NOT_FOUND) */
944 ERROR_WMI_TRY_AGAIN, /* c0000298 (STATUS_WMI_TRY_AGAIN) */
945 ERROR_SHARED_POLICY, /* c0000299 (STATUS_SHARED_POLICY) */
946 ERROR_POLICY_OBJECT_NOT_FOUND, /* c000029a (STATUS_POLICY_OBJECT_NOT_FOUND) */
947 ERROR_POLICY_ONLY_IN_DS, /* c000029b (STATUS_POLICY_ONLY_IN_DS) */
948 ERROR_INVALID_FUNCTION, /* c000029c (STATUS_VOLUME_NOT_UPGRADED) */
949 ERROR_REMOTE_STORAGE_NOT_ACTIVE, /* c000029d (STATUS_REMOTE_STORAGE_NOT_ACTIVE) */
950 ERROR_REMOTE_STORAGE_MEDIA_ERROR, /* c000029e (STATUS_REMOTE_STORAGE_MEDIA_ERROR) */
951 ERROR_NO_TRACKING_SERVICE, /* c000029f (STATUS_NO_TRACKING_SERVICE) */
952 ERROR_MR_MID_NOT_FOUND, /* c00002a0 (STATUS_SERVER_SID_MISMATCH) */
953 ERROR_DS_NO_ATTRIBUTE_OR_VALUE, /* c00002a1 (STATUS_DS_NO_ATTRIBUTE_OR_VALUE) */
954 ERROR_DS_INVALID_ATTRIBUTE_SYNTAX, /* c00002a2 (STATUS_DS_INVALID_ATTRIBUTE_SYNTAX) */
955 ERROR_DS_ATTRIBUTE_TYPE_UNDEFINED, /* c00002a3 (STATUS_DS_ATTRIBUTE_TYPE_UNDEFINED) */
956 ERROR_DS_ATTRIBUTE_OR_VALUE_EXISTS, /* c00002a4 (STATUS_DS_ATTRIBUTE_OR_VALUE_EXISTS) */
957 ERROR_DS_BUSY, /* c00002a5 (STATUS_DS_BUSY) */
958 ERROR_DS_UNAVAILABLE, /* c00002a6 (STATUS_DS_UNAVAILABLE) */
959 ERROR_DS_NO_RIDS_ALLOCATED, /* c00002a7 (STATUS_DS_NO_RIDS_ALLOCATED) */
960 ERROR_DS_NO_MORE_RIDS, /* c00002a8 (STATUS_DS_NO_MORE_RIDS) */
961 ERROR_DS_INCORRECT_ROLE_OWNER, /* c00002a9 (STATUS_DS_INCORRECT_ROLE_OWNER) */
962 ERROR_DS_RIDMGR_INIT_ERROR, /* c00002aa (STATUS_DS_RIDMGR_INIT_ERROR) */
963 ERROR_DS_OBJ_CLASS_VIOLATION, /* c00002ab (STATUS_DS_OBJ_CLASS_VIOLATION) */
964 ERROR_DS_CANT_ON_NON_LEAF, /* c00002ac (STATUS_DS_CANT_ON_NON_LEAF) */
965 ERROR_DS_CANT_ON_RDN, /* c00002ad (STATUS_DS_CANT_ON_RDN) */
966 ERROR_DS_CANT_MOD_OBJ_CLASS, /* c00002ae (STATUS_DS_CANT_MOD_OBJ_CLASS) */
967 ERROR_DS_CROSS_DOM_MOVE_ERROR, /* c00002af (STATUS_DS_CROSS_DOM_MOVE_FAILED) */
968 ERROR_DS_GC_NOT_AVAILABLE, /* c00002b0 (STATUS_DS_GC_NOT_AVAILABLE) */
969 ERROR_DS_DS_REQUIRED, /* c00002b1 (STATUS_DIRECTORY_SERVICE_REQUIRED) */
970 ERROR_REPARSE_ATTRIBUTE_CONFLICT, /* c00002b2 (STATUS_REPARSE_ATTRIBUTE_CONFLICT) */
971 ERROR_MR_MID_NOT_FOUND, /* c00002b3 (STATUS_CANT_ENABLE_DENY_ONLY) */
972 ERROR_MR_MID_NOT_FOUND, /* c00002b4 (STATUS_FLOAT_MULTIPLE_FAULTS) */
973 ERROR_MR_MID_NOT_FOUND, /* c00002b5 (STATUS_FLOAT_MULTIPLE_TRAPS) */
974 ERROR_DEVICE_REMOVED, /* c00002b6 (STATUS_DEVICE_REMOVED) */
975 ERROR_JOURNAL_DELETE_IN_PROGRESS, /* c00002b7 (STATUS_JOURNAL_DELETE_IN_PROGRESS) */
976 ERROR_JOURNAL_NOT_ACTIVE, /* c00002b8 (STATUS_JOURNAL_NOT_ACTIVE) */
977 ERROR_MR_MID_NOT_FOUND, /* c00002b9 (STATUS_NOINTERFACE) */
978 ERROR_MR_MID_NOT_FOUND, /* c00002ba */
979 ERROR_MR_MID_NOT_FOUND, /* c00002bb */
980 ERROR_MR_MID_NOT_FOUND, /* c00002bc */
981 ERROR_MR_MID_NOT_FOUND, /* c00002bd */
982 ERROR_MR_MID_NOT_FOUND, /* c00002be */
983 ERROR_MR_MID_NOT_FOUND, /* c00002bf */
984 ERROR_MR_MID_NOT_FOUND, /* c00002c0 */
985 ERROR_DS_ADMIN_LIMIT_EXCEEDED, /* c00002c1 (STATUS_DS_ADMIN_LIMIT_EXCEEDED) */
986 ERROR_MR_MID_NOT_FOUND, /* c00002c2 (STATUS_DRIVER_FAILED_SLEEP) */
987 ERROR_MUTUAL_AUTH_FAILED, /* c00002c3 (STATUS_MUTUAL_AUTHENTICATION_FAILED) */
988 ERROR_MR_MID_NOT_FOUND, /* c00002c4 (STATUS_CORRUPT_SYSTEM_FILE) */
989 ERROR_NOACCESS, /* c00002c5 (STATUS_DATATYPE_MISALIGNMENT_ERROR) */
990 ERROR_WMI_READ_ONLY, /* c00002c6 (STATUS_WMI_READ_ONLY) */
991 ERROR_WMI_SET_FAILURE, /* c00002c7 (STATUS_WMI_SET_FAILURE) */
992 ERROR_MR_MID_NOT_FOUND, /* c00002c8 (STATUS_COMMITMENT_MINIMUM) */
993 ERROR_REG_NAT_CONSUMPTION, /* c00002c9 (STATUS_REG_NAT_CONSUMPTION) */
994 ERROR_TRANSPORT_FULL, /* c00002ca (STATUS_TRANSPORT_FULL) */
995 ERROR_DS_SAM_INIT_FAILURE, /* c00002cb (STATUS_DS_SAM_INIT_FAILURE) */
996 ERROR_ONLY_IF_CONNECTED, /* c00002cc (STATUS_ONLY_IF_CONNECTED) */
997 ERROR_DS_SENSITIVE_GROUP_VIOLATION, /* c00002cd (STATUS_DS_SENSITIVE_GROUP_VIOLATION) */
998 ERROR_MR_MID_NOT_FOUND, /* c00002ce (STATUS_PNP_RESTART_ENUMERATION) */
999 ERROR_JOURNAL_ENTRY_DELETED, /* c00002cf (STATUS_JOURNAL_ENTRY_DELETED) */
1000 ERROR_DS_CANT_MOD_PRIMARYGROUPID, /* c00002d0 (STATUS_DS_CANT_MOD_PRIMARYGROUPID) */
1001 ERROR_MR_MID_NOT_FOUND, /* c00002d1 (STATUS_SYSTEM_IMAGE_BAD_SIGNATURE) */
1002 ERROR_MR_MID_NOT_FOUND, /* c00002d2 (STATUS_PNP_REBOOT_REQUIRED) */
1003 ERROR_MR_MID_NOT_FOUND, /* c00002d3 (STATUS_POWER_STATE_INVALID) */
1004 ERROR_DS_INVALID_GROUP_TYPE, /* c00002d4 (STATUS_DS_INVALID_GROUP_TYPE) */
1005 ERROR_DS_NO_NEST_GLOBALGROUP_IN_MIXEDDOMAIN, /* c00002d5 (STATUS_DS_NO_NEST_GLOBALGROUP_IN_MIXEDDOMAIN) */
1006 ERROR_DS_NO_NEST_LOCALGROUP_IN_MIXEDDOMAIN, /* c00002d6 (STATUS_DS_NO_NEST_LOCALGROUP_IN_MIXEDDOMAIN) */
1007 ERROR_DS_GLOBAL_CANT_HAVE_LOCAL_MEMBER, /* c00002d7 (STATUS_DS_GLOBAL_CANT_HAVE_LOCAL_MEMBER) */
1008 ERROR_DS_GLOBAL_CANT_HAVE_UNIVERSAL_MEMBER, /* c00002d8 (STATUS_DS_GLOBAL_CANT_HAVE_UNIVERSAL_MEMBER) */
1009 ERROR_DS_UNIVERSAL_CANT_HAVE_LOCAL_MEMBER, /* c00002d9 (STATUS_DS_UNIVERSAL_CANT_HAVE_LOCAL_MEMBER) */
1010 ERROR_DS_GLOBAL_CANT_HAVE_CROSSDOMAIN_MEMBER,/* c00002da (STATUS_DS_GLOBAL_CANT_HAVE_CROSSDOMAIN_MEMBER) */
1011 ERROR_DS_LOCAL_CANT_HAVE_CROSSDOMAIN_LOCAL_MEMBER, /* c00002db (STATUS_DS_LOCAL_CANT_HAVE_CROSSDOMAIN_LOCAL_MEMBER) */
1012 ERROR_DS_HAVE_PRIMARY_MEMBERS, /* c00002dc (STATUS_DS_HAVE_PRIMARY_MEMBERS) */
1013 ERROR_NOT_SUPPORTED, /* c00002dd (STATUS_WMI_NOT_SUPPORTED) */
1014 ERROR_MR_MID_NOT_FOUND, /* c00002de (STATUS_INSUFFICIENT_POWER) */
1015 ERROR_DS_SAM_NEED_BOOTKEY_PASSWORD, /* c00002df (STATUS_SAM_NEED_BOOTKEY_PASSWORD) */
1016 ERROR_DS_SAM_NEED_BOOTKEY_FLOPPY, /* c00002e0 (STATUS_SAM_NEED_BOOTKEY_FLOPPY) */
1017 ERROR_DS_CANT_START, /* c00002e1 (STATUS_DS_CANT_START) */
1018 ERROR_DS_INIT_FAILURE, /* c00002e2 (STATUS_DS_INIT_FAILURE) */
1019 ERROR_SAM_INIT_FAILURE, /* c00002e3 (STATUS_SAM_INIT_FAILURE) */
1020 ERROR_DS_GC_REQUIRED, /* c00002e4 (STATUS_DS_GC_REQUIRED) */
1021 ERROR_DS_LOCAL_MEMBER_OF_LOCAL_ONLY, /* c00002e5 (STATUS_DS_LOCAL_MEMBER_OF_LOCAL_ONLY) */
1022 ERROR_DS_NO_FPO_IN_UNIVERSAL_GROUPS, /* c00002e6 (STATUS_DS_NO_FPO_IN_UNIVERSAL_GROUPS) */
1023 ERROR_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED, /* c00002e7 (STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED) */
1024 ERROR_MR_MID_NOT_FOUND, /* c00002e8 (STATUS_MULTIPLE_FAULT_VIOLATION) */
1025 ERROR_CURRENT_DOMAIN_NOT_ALLOWED, /* c00002e9 (STATUS_CURRENT_DOMAIN_NOT_ALLOWED) */
1026 ERROR_CANNOT_MAKE, /* c00002ea (STATUS_CANNOT_MAKE) */
1027 ERROR_MR_MID_NOT_FOUND, /* c00002eb (STATUS_SYSTEM_SHUTDOWN) */
1028 ERROR_DS_INIT_FAILURE_CONSOLE, /* c00002ec (STATUS_DS_INIT_FAILURE_CONSOLE) */
1029 ERROR_DS_SAM_INIT_FAILURE_CONSOLE, /* c00002ed (STATUS_DS_SAM_INIT_FAILURE_CONSOLE) */
1030 SEC_E_UNFINISHED_CONTEXT_DELETED, /* c00002ee (STATUS_UNFINISHED_CONTEXT_DELETED) */
1031 SEC_E_NO_TGT_REPLY, /* c00002ef (STATUS_NO_TGT_REPLY) */
1032 ERROR_FILE_NOT_FOUND, /* c00002f0 (STATUS_OBJECTID_NOT_FOUND) */
1033 SEC_E_NO_IP_ADDRESSES, /* c00002f1 (STATUS_NO_IP_ADDRESSES) */
1034 SEC_E_WRONG_CREDENTIAL_HANDLE, /* c00002f2 (STATUS_WRONG_CREDENTIAL_HANDLE) */
1035 SEC_E_CRYPTO_SYSTEM_INVALID, /* c00002f3 (STATUS_CRYPTO_SYSTEM_INVALID) */
1036 SEC_E_MAX_REFERRALS_EXCEEDED, /* c00002f4 (STATUS_MAX_REFERRALS_EXCEEDED) */
1037 SEC_E_MUST_BE_KDC, /* c00002f5 (STATUS_MUST_BE_KDC) */
1038 SEC_E_STRONG_CRYPTO_NOT_SUPPORTED, /* c00002f6 (STATUS_STRONG_CRYPTO_NOT_SUPPORTED) */
1039 SEC_E_TOO_MANY_PRINCIPALS, /* c00002f7 (STATUS_TOO_MANY_PRINCIPALS) */
1040 SEC_E_NO_PA_DATA, /* c00002f8 (STATUS_NO_PA_DATA) */
1041 SEC_E_PKINIT_NAME_MISMATCH, /* c00002f9 (STATUS_PKINIT_NAME_MISMATCH) */
1042 SEC_E_SMARTCARD_LOGON_REQUIRED, /* c00002fa (STATUS_SMARTCARD_LOGON_REQUIRED) */
1043 SEC_E_KDC_INVALID_REQUEST, /* c00002fb (STATUS_KDC_INVALID_REQUEST) */
1044 SEC_E_KDC_UNABLE_TO_REFER, /* c00002fc (STATUS_KDC_UNABLE_TO_REFER) */
1045 SEC_E_KDC_UNKNOWN_ETYPE, /* c00002fd (STATUS_KDC_UNKNOWN_ETYPE) */
1046 ERROR_SHUTDOWN_IN_PROGRESS, /* c00002fe (STATUS_SHUTDOWN_IN_PROGRESS) */
1047 ERROR_SERVER_SHUTDOWN_IN_PROGRESS, /* c00002ff (STATUS_SERVER_SHUTDOWN_IN_PROGRESS) */
1048 ERROR_NOT_SUPPORTED_ON_SBS, /* c0000300 (STATUS_NOT_SUPPORTED_ON_SBS) */
1049 ERROR_WMI_GUID_DISCONNECTED, /* c0000301 (STATUS_WMI_GUID_DISCONNECTED) */
1050 ERROR_WMI_ALREADY_DISABLED, /* c0000302 (STATUS_WMI_ALREADY_DISABLED) */
1051 ERROR_WMI_ALREADY_ENABLED, /* c0000303 (STATUS_WMI_ALREADY_ENABLED) */
1052 ERROR_DISK_TOO_FRAGMENTED, /* c0000304 (STATUS_MFT_TOO_FRAGMENTED) */
1053 STG_E_STATUS_COPY_PROTECTION_FAILURE, /* c0000305 (STATUS_COPY_PROTECTION_FAILURE) */
1054 STG_E_CSS_AUTHENTICATION_FAILURE, /* c0000306 (STATUS_CSS_AUTHENTICATION_FAILURE) */
1055 STG_E_CSS_KEY_NOT_PRESENT, /* c0000307 (STATUS_CSS_KEY_NOT_PRESENT) */
1056 STG_E_CSS_KEY_NOT_ESTABLISHED, /* c0000308 (STATUS_CSS_KEY_NOT_ESTABLISHED) */
1057 STG_E_CSS_SCRAMBLED_SECTOR, /* c0000309 (STATUS_CSS_SCRAMBLED_SECTOR) */
1058 STG_E_CSS_REGION_MISMATCH, /* c000030a (STATUS_CSS_REGION_MISMATCH) */
1059 STG_E_RESETS_EXHAUSTED, /* c000030b (STATUS_CSS_RESETS_EXHAUSTED) */
1060 ERROR_MR_MID_NOT_FOUND, /* c000030c */
1061 ERROR_MR_MID_NOT_FOUND, /* c000030d */
1062 ERROR_MR_MID_NOT_FOUND, /* c000030e */
1063 ERROR_MR_MID_NOT_FOUND, /* c000030f */
1064 ERROR_MR_MID_NOT_FOUND, /* c0000310 */
1065 ERROR_MR_MID_NOT_FOUND, /* c0000311 */
1066 ERROR_MR_MID_NOT_FOUND, /* c0000312 */
1067 ERROR_MR_MID_NOT_FOUND, /* c0000313 */
1068 ERROR_MR_MID_NOT_FOUND, /* c0000314 */
1069 ERROR_MR_MID_NOT_FOUND, /* c0000315 */
1070 ERROR_MR_MID_NOT_FOUND, /* c0000316 */
1071 ERROR_MR_MID_NOT_FOUND, /* c0000317 */
1072 ERROR_MR_MID_NOT_FOUND, /* c0000318 */
1073 ERROR_MR_MID_NOT_FOUND, /* c0000319 */
1074 ERROR_MR_MID_NOT_FOUND, /* c000031a */
1075 ERROR_MR_MID_NOT_FOUND, /* c000031b */
1076 ERROR_MR_MID_NOT_FOUND, /* c000031c */
1077 ERROR_MR_MID_NOT_FOUND, /* c000031d */
1078 ERROR_MR_MID_NOT_FOUND, /* c000031e */
1079 ERROR_MR_MID_NOT_FOUND, /* c000031f */
1080 ERROR_PKINIT_FAILURE, /* c0000320 (STATUS_PKINIT_FAILURE) */
1081 ERROR_SMARTCARD_SUBSYSTEM_FAILURE, /* c0000321 (STATUS_SMARTCARD_SUBSYSTEM_FAILURE) */
1082 SEC_E_NO_KERB_KEY, /* c0000322 (STATUS_NO_KERB_KEY) */
1083 ERROR_MR_MID_NOT_FOUND, /* c0000323 */
1084 ERROR_MR_MID_NOT_FOUND, /* c0000324 */
1085 ERROR_MR_MID_NOT_FOUND, /* c0000325 */
1086 ERROR_MR_MID_NOT_FOUND, /* c0000326 */
1087 ERROR_MR_MID_NOT_FOUND, /* c0000327 */
1088 ERROR_MR_MID_NOT_FOUND, /* c0000328 */
1089 ERROR_MR_MID_NOT_FOUND, /* c0000329 */
1090 ERROR_MR_MID_NOT_FOUND, /* c000032a */
1091 ERROR_MR_MID_NOT_FOUND, /* c000032b */
1092 ERROR_MR_MID_NOT_FOUND, /* c000032c */
1093 ERROR_MR_MID_NOT_FOUND, /* c000032d */
1094 ERROR_MR_MID_NOT_FOUND, /* c000032e */
1095 ERROR_MR_MID_NOT_FOUND, /* c000032f */
1096 ERROR_MR_MID_NOT_FOUND, /* c0000330 */
1097 ERROR_MR_MID_NOT_FOUND, /* c0000331 */
1098 ERROR_MR_MID_NOT_FOUND, /* c0000332 */
1099 ERROR_MR_MID_NOT_FOUND, /* c0000333 */
1100 ERROR_MR_MID_NOT_FOUND, /* c0000334 */
1101 ERROR_MR_MID_NOT_FOUND, /* c0000335 */
1102 ERROR_MR_MID_NOT_FOUND, /* c0000336 */
1103 ERROR_MR_MID_NOT_FOUND, /* c0000337 */
1104 ERROR_MR_MID_NOT_FOUND, /* c0000338 */
1105 ERROR_MR_MID_NOT_FOUND, /* c0000339 */
1106 ERROR_MR_MID_NOT_FOUND, /* c000033a */
1107 ERROR_MR_MID_NOT_FOUND, /* c000033b */
1108 ERROR_MR_MID_NOT_FOUND, /* c000033c */
1109 ERROR_MR_MID_NOT_FOUND, /* c000033d */
1110 ERROR_MR_MID_NOT_FOUND, /* c000033e */
1111 ERROR_MR_MID_NOT_FOUND, /* c000033f */
1112 ERROR_MR_MID_NOT_FOUND, /* c0000340 */
1113 ERROR_MR_MID_NOT_FOUND, /* c0000341 */
1114 ERROR_MR_MID_NOT_FOUND, /* c0000342 */
1115 ERROR_MR_MID_NOT_FOUND, /* c0000343 */
1116 ERROR_MR_MID_NOT_FOUND, /* c0000344 */
1117 ERROR_MR_MID_NOT_FOUND, /* c0000345 */
1118 ERROR_MR_MID_NOT_FOUND, /* c0000346 */
1119 ERROR_MR_MID_NOT_FOUND, /* c0000347 */
1120 ERROR_MR_MID_NOT_FOUND, /* c0000348 */
1121 ERROR_MR_MID_NOT_FOUND, /* c0000349 */
1122 ERROR_MR_MID_NOT_FOUND, /* c000034a */
1123 ERROR_MR_MID_NOT_FOUND, /* c000034b */
1124 ERROR_MR_MID_NOT_FOUND, /* c000034c */
1125 ERROR_MR_MID_NOT_FOUND, /* c000034d */
1126 ERROR_MR_MID_NOT_FOUND, /* c000034e */
1127 ERROR_MR_MID_NOT_FOUND, /* c000034f */
1128 ERROR_HOST_DOWN, /* c0000350 (STATUS_HOST_DOWN) */
1129 SEC_E_UNSUPPORTED_PREAUTH, /* c0000351 (STATUS_UNSUPPORTED_PREAUTH) */
1130 ERROR_EFS_ALG_BLOB_TOO_BIG, /* c0000352 (STATUS_EFS_ALG_BLOB_TOO_BIG) */
1131 ERROR_MR_MID_NOT_FOUND, /* c0000353 (STATUS_PORT_NOT_SET) */
1132 ERROR_MR_MID_NOT_FOUND, /* c0000354 (STATUS_DEBUGGER_INACTIVE) */
1133 ERROR_MR_MID_NOT_FOUND, /* c0000355 (STATUS_DS_VERSION_CHECK_FAILURE) */
1134 ERROR_AUDITING_DISABLED, /* c0000356 (STATUS_AUDITING_DISABLED) */
1135 ERROR_DS_MACHINE_ACCOUNT_CREATED_PRENT4,/* c0000357 (STATUS_PRENT4_MACHINE_ACCOUNT) */
1136 ERROR_DS_AG_CANT_HAVE_UNIVERSAL_MEMBER, /* c0000358 (STATUS_DS_AG_CANT_HAVE_UNIVERSAL_MEMBER) */
1137 ERROR_BAD_EXE_FORMAT, /* c0000359 (STATUS_INVALID_IMAGE_WIN_32) */
1138 ERROR_BAD_EXE_FORMAT, /* c000035a (STATUS_INVALID_IMAGE_WIN_64) */
1139 SEC_E_BAD_BINDINGS, /* c000035b (STATUS_BAD_BINDINGS) */
1140 ERROR_NO_USER_SESSION_KEY, /* c000035c (STATUS_NETWORK_SESSION_EXPIRED) */
1141 ERROR_MR_MID_NOT_FOUND, /* c000035d (STATUS_APPHELP_BLOCK) */
1142 ERROR_MR_MID_NOT_FOUND, /* c000035e (STATUS_ALL_SIDS_FILTERED) */
1143 ERROR_MR_MID_NOT_FOUND, /* c000035f (STATUS_NOT_SAFE_MODE_DRIVER) */
1144 ERROR_MR_MID_NOT_FOUND, /* c0000360 */
1145 ERROR_ACCESS_DISABLED_BY_POLICY, /* c0000361 (STATUS_ACCESS_DISABLED_BY_POLICY_DEFAULT) */
1146 ERROR_ACCESS_DISABLED_BY_POLICY, /* c0000362 (STATUS_ACCESS_DISABLED_BY_POLICY_PATH) */
1147 ERROR_ACCESS_DISABLED_BY_POLICY, /* c0000363 (STATUS_ACCESS_DISABLED_BY_POLICY_PUBLISHER) */
1148 ERROR_ACCESS_DISABLED_BY_POLICY, /* c0000364 (STATUS_ACCESS_DISABLED_BY_POLICY_OTHER) */
1149 ERROR_MR_MID_NOT_FOUND, /* c0000365 (STATUS_FAILED_DRIVER_ENTRY) */
1150 ERROR_MR_MID_NOT_FOUND, /* c0000366 (STATUS_DEVICE_ENUMERATION_ERROR) */
1151 ERROR_MR_MID_NOT_FOUND, /* c0000367 */
1152 ERROR_MR_MID_NOT_FOUND, /* c0000368 (STATUS_MOUNT_POINT_NOT_RESOLVED) */
1153 ERROR_MR_MID_NOT_FOUND, /* c0000369 (STATUS_INVALID_DEVICE_OBJECT_PARAMETER) */
1154 ERROR_MR_MID_NOT_FOUND, /* c000036a (STATUS_MCA_OCCURED) */
1155 ERROR_DRIVER_BLOCKED, /* c000036b (STATUS_DRIVER_BLOCKED_CRITICAL) */
1156 ERROR_DRIVER_BLOCKED, /* c000036c (STATUS_DRIVER_BLOCKED) */
1157 ERROR_MR_MID_NOT_FOUND, /* c000036d (STATUS_DRIVER_DATABASE_ERROR) */
1158 ERROR_MR_MID_NOT_FOUND, /* c000036e (STATUS_SYSTEM_HIVE_TOO_LARGE) */
1159 ERROR_INVALID_IMPORT_OF_NON_DLL, /* c000036f (STATUS_INVALID_IMPORT_OF_NON_DLL) */
1160 ERROR_MR_MID_NOT_FOUND, /* c0000370 */
1161 ERROR_MR_MID_NOT_FOUND, /* c0000371 */
1162 ERROR_MR_MID_NOT_FOUND, /* c0000372 */
1163 ERROR_MR_MID_NOT_FOUND, /* c0000373 */
1164 ERROR_MR_MID_NOT_FOUND, /* c0000374 */
1165 ERROR_MR_MID_NOT_FOUND, /* c0000375 */
1166 ERROR_MR_MID_NOT_FOUND, /* c0000376 */
1167 ERROR_MR_MID_NOT_FOUND, /* c0000377 */
1168 ERROR_MR_MID_NOT_FOUND, /* c0000378 */
1169 ERROR_MR_MID_NOT_FOUND, /* c0000379 */
1170 ERROR_MR_MID_NOT_FOUND, /* c000037a */
1171 ERROR_MR_MID_NOT_FOUND, /* c000037b */
1172 ERROR_MR_MID_NOT_FOUND, /* c000037c */
1173 ERROR_MR_MID_NOT_FOUND, /* c000037d */
1174 ERROR_MR_MID_NOT_FOUND, /* c000037e */
1175 ERROR_MR_MID_NOT_FOUND, /* c000037f */
1176 SCARD_W_WRONG_CHV, /* c0000380 (STATUS_SMARTCARD_WRONG_PIN) */
1177 SCARD_W_CHV_BLOCKED, /* c0000381 (STATUS_SMARTCARD_CARD_BLOCKED) */
1178 SCARD_W_CARD_NOT_AUTHENTICATED, /* c0000382 (STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED) */
1179 SCARD_E_NO_SMARTCARD, /* c0000383 (STATUS_SMARTCARD_NO_CARD) */
1180 NTE_NO_KEY, /* c0000384 (STATUS_SMARTCARD_NO_KEY_CONTAINER) */
1181 SCARD_E_NO_SUCH_CERTIFICATE, /* c0000385 (STATUS_SMARTCARD_NO_CERTIFICATE) */
1182 NTE_BAD_KEYSET, /* c0000386 (STATUS_SMARTCARD_NO_KEYSET) */
1183 SCARD_E_COMM_DATA_LOST, /* c0000387 (STATUS_SMARTCARD_IO_ERROR) */
1184 ERROR_DOWNGRADE_DETECTED, /* c0000388 (STATUS_DOWNGRADE_DETECTED) */
1185 SEC_E_SMARTCARD_CERT_REVOKED, /* c0000389 (STATUS_SMARTCARD_CERT_REVOKED) */
1186 SEC_E_ISSUING_CA_UNTRUSTED, /* c000038a (STATUS_ISSUING_CA_UNTRUSTED) */
1187 SEC_E_REVOCATION_OFFLINE_C, /* c000038b (STATUS_REVOCATION_OFFLINE_C) */
1188 SEC_E_PKINIT_CLIENT_FAILURE, /* c000038c (STATUS_PKINIT_CLIENT_FAILURE) */
1189 SEC_E_SMARTCARD_CERT_EXPIRED /* c000038d (STATUS_SMARTCARD_CERT_EXPIRED) */
1190 };
1191
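/*
 * Win32 error codes for the NTSTATUS range 0xc0020001..0xc0020063 (the
 * RPC_NT_* and EPT_NT_* statuses). Entry i holds the code for status
 * 0xc0020001 + i, as the per-entry comments show; the last status ends in
 * 0x63, which matches the 99-element bound. Slots whose status has no name
 * or no Win32 counterpart hold ERROR_MR_MID_NOT_FOUND.
 *
 * The mapping is many-to-one (RPC_NT_INVALID_BINDING, for instance, becomes
 * the generic ERROR_INVALID_HANDLE), so the Win32 code alone cannot be turned
 * back into the status. Record the original NTSTATUS when logging a failure.
 */
static const DWORD table_c0020001[99] =
{
    RPC_S_INVALID_STRING_BINDING, /* c0020001 (RPC_NT_INVALID_STRING_BINDING) */
    RPC_S_WRONG_KIND_OF_BINDING, /* c0020002 (RPC_NT_WRONG_KIND_OF_BINDING) */
    ERROR_INVALID_HANDLE, /* c0020003 (RPC_NT_INVALID_BINDING) */
    RPC_S_PROTSEQ_NOT_SUPPORTED, /* c0020004 (RPC_NT_PROTSEQ_NOT_SUPPORTED) */
    RPC_S_INVALID_RPC_PROTSEQ, /* c0020005 (RPC_NT_INVALID_RPC_PROTSEQ) */
    RPC_S_INVALID_STRING_UUID, /* c0020006 (RPC_NT_INVALID_STRING_UUID) */
    RPC_S_INVALID_ENDPOINT_FORMAT, /* c0020007 (RPC_NT_INVALID_ENDPOINT_FORMAT) */
    RPC_S_INVALID_NET_ADDR, /* c0020008 (RPC_NT_INVALID_NET_ADDR) */
    RPC_S_NO_ENDPOINT_FOUND, /* c0020009 (RPC_NT_NO_ENDPOINT_FOUND) */
    RPC_S_INVALID_TIMEOUT, /* c002000a (RPC_NT_INVALID_TIMEOUT) */
    RPC_S_OBJECT_NOT_FOUND, /* c002000b (RPC_NT_OBJECT_NOT_FOUND) */
    RPC_S_ALREADY_REGISTERED, /* c002000c (RPC_NT_ALREADY_REGISTERED) */
    RPC_S_TYPE_ALREADY_REGISTERED, /* c002000d (RPC_NT_TYPE_ALREADY_REGISTERED) */
    RPC_S_ALREADY_LISTENING, /* c002000e (RPC_NT_ALREADY_LISTENING) */
    RPC_S_NO_PROTSEQS_REGISTERED, /* c002000f (RPC_NT_NO_PROTSEQS_REGISTERED) */
    RPC_S_NOT_LISTENING, /* c0020010 (RPC_NT_NOT_LISTENING) */
    RPC_S_UNKNOWN_MGR_TYPE, /* c0020011 (RPC_NT_UNKNOWN_MGR_TYPE) */
    RPC_S_UNKNOWN_IF, /* c0020012 (RPC_NT_UNKNOWN_IF) */
    RPC_S_NO_BINDINGS, /* c0020013 (RPC_NT_NO_BINDINGS) */
    RPC_S_NO_PROTSEQS, /* c0020014 (RPC_NT_NO_PROTSEQS) */
    RPC_S_CANT_CREATE_ENDPOINT, /* c0020015 (RPC_NT_CANT_CREATE_ENDPOINT) */
    RPC_S_OUT_OF_RESOURCES, /* c0020016 (RPC_NT_OUT_OF_RESOURCES) */
    RPC_S_SERVER_UNAVAILABLE, /* c0020017 (RPC_NT_SERVER_UNAVAILABLE) */
    RPC_S_SERVER_TOO_BUSY, /* c0020018 (RPC_NT_SERVER_TOO_BUSY) */
    RPC_S_INVALID_NETWORK_OPTIONS, /* c0020019 (RPC_NT_INVALID_NETWORK_OPTIONS) */
    RPC_S_NO_CALL_ACTIVE, /* c002001a (RPC_NT_NO_CALL_ACTIVE) */
    RPC_S_CALL_FAILED, /* c002001b (RPC_NT_CALL_FAILED) */
    RPC_S_CALL_FAILED_DNE, /* c002001c (RPC_NT_CALL_FAILED_DNE) */
    RPC_S_PROTOCOL_ERROR, /* c002001d (RPC_NT_PROTOCOL_ERROR) */
    ERROR_MR_MID_NOT_FOUND, /* c002001e */
    RPC_S_UNSUPPORTED_TRANS_SYN, /* c002001f (RPC_NT_UNSUPPORTED_TRANS_SYN) */
    ERROR_MR_MID_NOT_FOUND, /* c0020020 */
    RPC_S_UNSUPPORTED_TYPE, /* c0020021 (RPC_NT_UNSUPPORTED_TYPE) */
    RPC_S_INVALID_TAG, /* c0020022 (RPC_NT_INVALID_TAG) */
    RPC_S_INVALID_BOUND, /* c0020023 (RPC_NT_INVALID_BOUND) */
    RPC_S_NO_ENTRY_NAME, /* c0020024 (RPC_NT_NO_ENTRY_NAME) */
    RPC_S_INVALID_NAME_SYNTAX, /* c0020025 (RPC_NT_INVALID_NAME_SYNTAX) */
    RPC_S_UNSUPPORTED_NAME_SYNTAX, /* c0020026 (RPC_NT_UNSUPPORTED_NAME_SYNTAX) */
    ERROR_MR_MID_NOT_FOUND, /* c0020027 */
    RPC_S_UUID_NO_ADDRESS, /* c0020028 (RPC_NT_UUID_NO_ADDRESS) */
    RPC_S_DUPLICATE_ENDPOINT, /* c0020029 (RPC_NT_DUPLICATE_ENDPOINT) */
    RPC_S_UNKNOWN_AUTHN_TYPE, /* c002002a (RPC_NT_UNKNOWN_AUTHN_TYPE) */
    RPC_S_MAX_CALLS_TOO_SMALL, /* c002002b (RPC_NT_MAX_CALLS_TOO_SMALL) */
    RPC_S_STRING_TOO_LONG, /* c002002c (RPC_NT_STRING_TOO_LONG) */
    RPC_S_PROTSEQ_NOT_FOUND, /* c002002d (RPC_NT_PROTSEQ_NOT_FOUND) */
    RPC_S_PROCNUM_OUT_OF_RANGE, /* c002002e (RPC_NT_PROCNUM_OUT_OF_RANGE) */
    RPC_S_BINDING_HAS_NO_AUTH, /* c002002f (RPC_NT_BINDING_HAS_NO_AUTH) */
    RPC_S_UNKNOWN_AUTHN_SERVICE, /* c0020030 (RPC_NT_UNKNOWN_AUTHN_SERVICE) */
    RPC_S_UNKNOWN_AUTHN_LEVEL, /* c0020031 (RPC_NT_UNKNOWN_AUTHN_LEVEL) */
    RPC_S_INVALID_AUTH_IDENTITY, /* c0020032 (RPC_NT_INVALID_AUTH_IDENTITY) */
    RPC_S_UNKNOWN_AUTHZ_SERVICE, /* c0020033 (RPC_NT_UNKNOWN_AUTHZ_SERVICE) */
    EPT_S_INVALID_ENTRY, /* c0020034 (EPT_NT_INVALID_ENTRY) */
    EPT_S_CANT_PERFORM_OP, /* c0020035 (EPT_NT_CANT_PERFORM_OP) */
    EPT_S_NOT_REGISTERED, /* c0020036 (EPT_NT_NOT_REGISTERED) */
    RPC_S_NOTHING_TO_EXPORT, /* c0020037 (RPC_NT_NOTHING_TO_EXPORT) */
    RPC_S_INCOMPLETE_NAME, /* c0020038 (RPC_NT_INCOMPLETE_NAME) */
    RPC_S_INVALID_VERS_OPTION, /* c0020039 (RPC_NT_INVALID_VERS_OPTION) */
    RPC_S_NO_MORE_MEMBERS, /* c002003a (RPC_NT_NO_MORE_MEMBERS) */
    RPC_S_NOT_ALL_OBJS_UNEXPORTED, /* c002003b (RPC_NT_NOT_ALL_OBJS_UNEXPORTED) */
    RPC_S_INTERFACE_NOT_FOUND, /* c002003c (RPC_NT_INTERFACE_NOT_FOUND) */
    RPC_S_ENTRY_ALREADY_EXISTS, /* c002003d (RPC_NT_ENTRY_ALREADY_EXISTS) */
    RPC_S_ENTRY_NOT_FOUND, /* c002003e (RPC_NT_ENTRY_NOT_FOUND) */
    RPC_S_NAME_SERVICE_UNAVAILABLE, /* c002003f (RPC_NT_NAME_SERVICE_UNAVAILABLE) */
    RPC_S_INVALID_NAF_ID, /* c0020040 (RPC_NT_INVALID_NAF_ID) */
    RPC_S_CANNOT_SUPPORT, /* c0020041 (RPC_NT_CANNOT_SUPPORT) */
    RPC_S_NO_CONTEXT_AVAILABLE, /* c0020042 (RPC_NT_NO_CONTEXT_AVAILABLE) */
    RPC_S_INTERNAL_ERROR, /* c0020043 (RPC_NT_INTERNAL_ERROR) */
    RPC_S_ZERO_DIVIDE, /* c0020044 (RPC_NT_ZERO_DIVIDE) */
    RPC_S_ADDRESS_ERROR, /* c0020045 (RPC_NT_ADDRESS_ERROR) */
    RPC_S_FP_DIV_ZERO, /* c0020046 (RPC_NT_FP_DIV_ZERO) */
    RPC_S_FP_UNDERFLOW, /* c0020047 (RPC_NT_FP_UNDERFLOW) */
    RPC_S_FP_OVERFLOW, /* c0020048 (RPC_NT_FP_OVERFLOW) */
    RPC_S_CALL_IN_PROGRESS, /* c0020049 (RPC_NT_CALL_IN_PROGRESS) */
    RPC_S_NO_MORE_BINDINGS, /* c002004a (RPC_NT_NO_MORE_BINDINGS) */
    RPC_S_GROUP_MEMBER_NOT_FOUND, /* c002004b (RPC_NT_GROUP_MEMBER_NOT_FOUND) */
    EPT_S_CANT_CREATE, /* c002004c (EPT_NT_CANT_CREATE) */
    RPC_S_INVALID_OBJECT, /* c002004d (RPC_NT_INVALID_OBJECT) */
    ERROR_MR_MID_NOT_FOUND, /* c002004e */
    RPC_S_NO_INTERFACES, /* c002004f (RPC_NT_NO_INTERFACES) */
    RPC_S_CALL_CANCELLED, /* c0020050 (RPC_NT_CALL_CANCELLED) */
    RPC_S_BINDING_INCOMPLETE, /* c0020051 (RPC_NT_BINDING_INCOMPLETE) */
    RPC_S_COMM_FAILURE, /* c0020052 (RPC_NT_COMM_FAILURE) */
    RPC_S_UNSUPPORTED_AUTHN_LEVEL, /* c0020053 (RPC_NT_UNSUPPORTED_AUTHN_LEVEL) */
    RPC_S_NO_PRINC_NAME, /* c0020054 (RPC_NT_NO_PRINC_NAME) */
    RPC_S_NOT_RPC_ERROR, /* c0020055 (RPC_NT_NOT_RPC_ERROR) */
    ERROR_MR_MID_NOT_FOUND, /* c0020056 */
    RPC_S_SEC_PKG_ERROR, /* c0020057 (RPC_NT_SEC_PKG_ERROR) */
    RPC_S_NOT_CANCELLED, /* c0020058 (RPC_NT_NOT_CANCELLED) */
    ERROR_MR_MID_NOT_FOUND, /* c0020059 */
    ERROR_MR_MID_NOT_FOUND, /* c002005a */
    ERROR_MR_MID_NOT_FOUND, /* c002005b */
    ERROR_MR_MID_NOT_FOUND, /* c002005c */
    ERROR_MR_MID_NOT_FOUND, /* c002005d */
    ERROR_MR_MID_NOT_FOUND, /* c002005e */
    ERROR_MR_MID_NOT_FOUND, /* c002005f */
    ERROR_MR_MID_NOT_FOUND, /* c0020060 */
    ERROR_MR_MID_NOT_FOUND, /* c0020061 */
    RPC_S_INVALID_ASYNC_HANDLE, /* c0020062 (RPC_NT_INVALID_ASYNC_HANDLE) */
    RPC_S_INVALID_ASYNC_CALL /* c0020063 (RPC_NT_INVALID_ASYNC_CALL) */
};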
1294
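/*
 * Win32 error codes for the NTSTATUS range 0xc0030001..0xc003000c (RPC stub
 * statuses). Entry i holds the code for status 0xc0030001 + i, as the
 * per-entry comments show.
 *
 * RPC_NT_SS_IN_NULL_CONTEXT and RPC_NT_SS_CONTEXT_MISMATCH both collapse to
 * ERROR_INVALID_HANDLE, so a log that keeps only the Win32 code cannot tell
 * the two apart. Keep the original NTSTATUS alongside it.
 */
static const DWORD table_c0030001[12] =
{
    RPC_X_NO_MORE_ENTRIES, /* c0030001 (RPC_NT_NO_MORE_ENTRIES) */
    RPC_X_SS_CHAR_TRANS_OPEN_FAIL, /* c0030002 (RPC_NT_SS_CHAR_TRANS_OPEN_FAIL) */
    RPC_X_SS_CHAR_TRANS_SHORT_FILE, /* c0030003 (RPC_NT_SS_CHAR_TRANS_SHORT_FILE) */
    ERROR_INVALID_HANDLE, /* c0030004 (RPC_NT_SS_IN_NULL_CONTEXT) */
    ERROR_INVALID_HANDLE, /* c0030005 (RPC_NT_SS_CONTEXT_MISMATCH) */
    RPC_X_SS_CONTEXT_DAMAGED, /* c0030006 (RPC_NT_SS_CONTEXT_DAMAGED) */
    RPC_X_SS_HANDLES_MISMATCH, /* c0030007 (RPC_NT_SS_HANDLES_MISMATCH) */
    RPC_X_SS_CANNOT_GET_CALL_HANDLE, /* c0030008 (RPC_NT_SS_CANNOT_GET_CALL_HANDLE) */
    RPC_X_NULL_REF_POINTER, /* c0030009 (RPC_NT_NULL_REF_POINTER) */
    RPC_X_ENUM_VALUE_OUT_OF_RANGE, /* c003000a (RPC_NT_ENUM_VALUE_OUT_OF_RANGE) */
    RPC_X_BYTE_COUNT_TOO_SMALL, /* c003000b (RPC_NT_BYTE_COUNT_TOO_SMALL) */
    RPC_X_BAD_STUB_DATA /* c003000c (RPC_NT_BAD_STUB_DATA) */
};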
1310
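/*
 * Win32 error codes for the NTSTATUS range 0xc0030059..0xc0030061 (RPC
 * encoding-service and pipe statuses). Entry i holds the code for status
 * 0xc0030059 + i, as the per-entry comments show.
 *
 * Names do not always line up one-to-one: RPC_NT_INVALID_PIPE_OPERATION is
 * reported as RPC_X_WRONG_PIPE_ORDER.
 */
static const DWORD table_c0030059[9] =
{
    RPC_X_INVALID_ES_ACTION, /* c0030059 (RPC_NT_INVALID_ES_ACTION) */
    RPC_X_WRONG_ES_VERSION, /* c003005a (RPC_NT_WRONG_ES_VERSION) */
    RPC_X_WRONG_STUB_VERSION, /* c003005b (RPC_NT_WRONG_STUB_VERSION) */
    RPC_X_INVALID_PIPE_OBJECT, /* c003005c (RPC_NT_INVALID_PIPE_OBJECT) */
    RPC_X_WRONG_PIPE_ORDER, /* c003005d (RPC_NT_INVALID_PIPE_OPERATION) */
    RPC_X_WRONG_PIPE_VERSION, /* c003005e (RPC_NT_WRONG_PIPE_VERSION) */
    RPC_X_PIPE_CLOSED, /* c003005f (RPC_NT_PIPE_CLOSED) */
    RPC_X_PIPE_DISCIPLINE_ERROR, /* c0030060 (RPC_NT_PIPE_DISCIPLINE_ERROR) */
    RPC_X_PIPE_EMPTY /* c0030061 (RPC_NT_PIPE_EMPTY) */
};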
1323
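/*
 * Win32 error codes for the NTSTATUS range 0xc00a0001..0xc00a0036 (the
 * STATUS_CTX_* statuses). Entry i holds the code for status 0xc00a0001 + i,
 * as the per-entry comments show. Slots whose status has no name or no Win32
 * counterpart hold ERROR_MR_MID_NOT_FOUND.
 *
 * STATUS_RDP_PROTOCOL_ERROR is one of the named statuses that falls back to
 * ERROR_MR_MID_NOT_FOUND, so it is indistinguishable from an unassigned slot
 * once translated. Keep the original NTSTATUS when logging these failures.
 */
static const DWORD table_c00a0001[54] =
{
    ERROR_CTX_WINSTATION_NAME_INVALID, /* c00a0001 (STATUS_CTX_WINSTATION_NAME_INVALID) */
    ERROR_CTX_INVALID_PD, /* c00a0002 (STATUS_CTX_INVALID_PD) */
    ERROR_CTX_PD_NOT_FOUND, /* c00a0003 (STATUS_CTX_PD_NOT_FOUND) */
    ERROR_MR_MID_NOT_FOUND, /* c00a0004 */
    ERROR_MR_MID_NOT_FOUND, /* c00a0005 */
    ERROR_CTX_CLOSE_PENDING, /* c00a0006 (STATUS_CTX_CLOSE_PENDING) */
    ERROR_CTX_NO_OUTBUF, /* c00a0007 (STATUS_CTX_NO_OUTBUF) */
    ERROR_CTX_MODEM_INF_NOT_FOUND, /* c00a0008 (STATUS_CTX_MODEM_INF_NOT_FOUND) */
    ERROR_CTX_INVALID_MODEMNAME, /* c00a0009 (STATUS_CTX_INVALID_MODEMNAME) */
    ERROR_CTX_MODEM_RESPONSE_ERROR, /* c00a000a (STATUS_CTX_RESPONSE_ERROR) */
    ERROR_CTX_MODEM_RESPONSE_TIMEOUT, /* c00a000b (STATUS_CTX_MODEM_RESPONSE_TIMEOUT) */
    ERROR_CTX_MODEM_RESPONSE_NO_CARRIER, /* c00a000c (STATUS_CTX_MODEM_RESPONSE_NO_CARRIER) */
    ERROR_CTX_MODEM_RESPONSE_NO_DIALTONE, /* c00a000d (STATUS_CTX_MODEM_RESPONSE_NO_DIALTONE) */
    ERROR_CTX_MODEM_RESPONSE_BUSY, /* c00a000e (STATUS_CTX_MODEM_RESPONSE_BUSY) */
    ERROR_CTX_MODEM_RESPONSE_VOICE, /* c00a000f (STATUS_CTX_MODEM_RESPONSE_VOICE) */
    ERROR_CTX_TD_ERROR, /* c00a0010 (STATUS_CTX_TD_ERROR) */
    ERROR_MR_MID_NOT_FOUND, /* c00a0011 */
    ERROR_CTX_LICENSE_CLIENT_INVALID, /* c00a0012 (STATUS_CTX_LICENSE_CLIENT_INVALID) */
    ERROR_CTX_LICENSE_NOT_AVAILABLE, /* c00a0013 (STATUS_CTX_LICENSE_NOT_AVAILABLE) */
    ERROR_CTX_LICENSE_EXPIRED, /* c00a0014 (STATUS_CTX_LICENSE_EXPIRED) */
    ERROR_CTX_WINSTATION_NOT_FOUND, /* c00a0015 (STATUS_CTX_WINSTATION_NOT_FOUND) */
    ERROR_CTX_WINSTATION_ALREADY_EXISTS, /* c00a0016 (STATUS_CTX_WINSTATION_NAME_COLLISION) */
    ERROR_CTX_WINSTATION_BUSY, /* c00a0017 (STATUS_CTX_WINSTATION_BUSY) */
    ERROR_CTX_BAD_VIDEO_MODE, /* c00a0018 (STATUS_CTX_BAD_VIDEO_MODE) */
    ERROR_MR_MID_NOT_FOUND, /* c00a0019 */
    ERROR_MR_MID_NOT_FOUND, /* c00a001a */
    ERROR_MR_MID_NOT_FOUND, /* c00a001b */
    ERROR_MR_MID_NOT_FOUND, /* c00a001c */
    ERROR_MR_MID_NOT_FOUND, /* c00a001d */
    ERROR_MR_MID_NOT_FOUND, /* c00a001e */
    ERROR_MR_MID_NOT_FOUND, /* c00a001f */
    ERROR_MR_MID_NOT_FOUND, /* c00a0020 */
    ERROR_MR_MID_NOT_FOUND, /* c00a0021 */
    ERROR_CTX_GRAPHICS_INVALID, /* c00a0022 (STATUS_CTX_GRAPHICS_INVALID) */
    ERROR_MR_MID_NOT_FOUND, /* c00a0023 */
    ERROR_CTX_NOT_CONSOLE, /* c00a0024 (STATUS_CTX_NOT_CONSOLE) */
    ERROR_MR_MID_NOT_FOUND, /* c00a0025 */
    ERROR_CTX_CLIENT_QUERY_TIMEOUT, /* c00a0026 (STATUS_CTX_CLIENT_QUERY_TIMEOUT) */
    ERROR_CTX_CONSOLE_DISCONNECT, /* c00a0027 (STATUS_CTX_CONSOLE_DISCONNECT) */
    ERROR_CTX_CONSOLE_CONNECT, /* c00a0028 (STATUS_CTX_CONSOLE_CONNECT) */
    ERROR_MR_MID_NOT_FOUND, /* c00a0029 */
    ERROR_CTX_SHADOW_DENIED, /* c00a002a (STATUS_CTX_SHADOW_DENIED) */
    ERROR_CTX_WINSTATION_ACCESS_DENIED, /* c00a002b (STATUS_CTX_WINSTATION_ACCESS_DENIED) */
    ERROR_MR_MID_NOT_FOUND, /* c00a002c */
    ERROR_MR_MID_NOT_FOUND, /* c00a002d */
    ERROR_CTX_INVALID_WD, /* c00a002e (STATUS_CTX_INVALID_WD) */
    ERROR_CTX_WD_NOT_FOUND, /* c00a002f (STATUS_CTX_WD_NOT_FOUND) */
    ERROR_CTX_SHADOW_INVALID, /* c00a0030 (STATUS_CTX_SHADOW_INVALID) */
    ERROR_CTX_SHADOW_DISABLED, /* c00a0031 (STATUS_CTX_SHADOW_DISABLED) */
    ERROR_MR_MID_NOT_FOUND, /* c00a0032 (STATUS_RDP_PROTOCOL_ERROR) */
    ERROR_CTX_CLIENT_LICENSE_NOT_SET, /* c00a0033 (STATUS_CTX_CLIENT_LICENSE_NOT_SET) */
    ERROR_CTX_CLIENT_LICENSE_IN_USE, /* c00a0034 (STATUS_CTX_CLIENT_LICENSE_IN_USE) */
    ERROR_CTX_SHADOW_ENDED_BY_MODE_CHANGE, /* c00a0035 (STATUS_CTX_SHADOW_ENDED_BY_MODE_CHANGE) */
    ERROR_CTX_SHADOW_NOT_RUNNING /* c00a0036 (STATUS_CTX_SHADOW_NOT_RUNNING) */
};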
1381
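/*
 * Win32 error codes for the NTSTATUS range 0xc0130001..0xc0130016 (the
 * STATUS_CLUSTER_* statuses). Entry i holds the code for status
 * 0xc0130001 + i, as the per-entry comments show.
 *
 * STATUS_CLUSTER_NO_NET_ADAPTERS has no dedicated Win32 code here and falls
 * back to ERROR_MR_MID_NOT_FOUND; keep the original NTSTATUS in logs if that
 * distinction matters.
 */
static const DWORD table_c0130001[22] =
{
    ERROR_CLUSTER_INVALID_NODE, /* c0130001 (STATUS_CLUSTER_INVALID_NODE) */
    ERROR_CLUSTER_NODE_EXISTS, /* c0130002 (STATUS_CLUSTER_NODE_EXISTS) */
    ERROR_CLUSTER_JOIN_IN_PROGRESS, /* c0130003 (STATUS_CLUSTER_JOIN_IN_PROGRESS) */
    ERROR_CLUSTER_NODE_NOT_FOUND, /* c0130004 (STATUS_CLUSTER_NODE_NOT_FOUND) */
    ERROR_CLUSTER_LOCAL_NODE_NOT_FOUND, /* c0130005 (STATUS_CLUSTER_LOCAL_NODE_NOT_FOUND) */
    ERROR_CLUSTER_NETWORK_EXISTS, /* c0130006 (STATUS_CLUSTER_NETWORK_EXISTS) */
    ERROR_CLUSTER_NETWORK_NOT_FOUND, /* c0130007 (STATUS_CLUSTER_NETWORK_NOT_FOUND) */
    ERROR_CLUSTER_NETINTERFACE_EXISTS, /* c0130008 (STATUS_CLUSTER_NETINTERFACE_EXISTS) */
    ERROR_CLUSTER_NETINTERFACE_NOT_FOUND, /* c0130009 (STATUS_CLUSTER_NETINTERFACE_NOT_FOUND) */
    ERROR_CLUSTER_INVALID_REQUEST, /* c013000a (STATUS_CLUSTER_INVALID_REQUEST) */
    ERROR_CLUSTER_INVALID_NETWORK_PROVIDER, /* c013000b (STATUS_CLUSTER_INVALID_NETWORK_PROVIDER) */
    ERROR_CLUSTER_NODE_DOWN, /* c013000c (STATUS_CLUSTER_NODE_DOWN) */
    ERROR_CLUSTER_NODE_UNREACHABLE, /* c013000d (STATUS_CLUSTER_NODE_UNREACHABLE) */
    ERROR_CLUSTER_NODE_NOT_MEMBER, /* c013000e (STATUS_CLUSTER_NODE_NOT_MEMBER) */
    ERROR_CLUSTER_JOIN_NOT_IN_PROGRESS, /* c013000f (STATUS_CLUSTER_JOIN_NOT_IN_PROGRESS) */
    ERROR_CLUSTER_INVALID_NETWORK, /* c0130010 (STATUS_CLUSTER_INVALID_NETWORK) */
    ERROR_MR_MID_NOT_FOUND, /* c0130011 (STATUS_CLUSTER_NO_NET_ADAPTERS) */
    ERROR_CLUSTER_NODE_UP, /* c0130012 (STATUS_CLUSTER_NODE_UP) */
    ERROR_CLUSTER_NODE_PAUSED, /* c0130013 (STATUS_CLUSTER_NODE_PAUSED) */
    ERROR_CLUSTER_NODE_NOT_PAUSED, /* c0130014 (STATUS_CLUSTER_NODE_NOT_PAUSED) */
    ERROR_CLUSTER_NO_SECURITY_CONTEXT, /* c0130015 (STATUS_CLUSTER_NO_SECURITY_CONTEXT) */
    ERROR_CLUSTER_NETWORK_NOT_INTERNAL /* c0130016 (STATUS_CLUSTER_NETWORK_NOT_INTERNAL) */
};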
1407
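/*
 * Win32 error codes for the NTSTATUS range 0xc0150001..0xc015000e (the
 * STATUS_SXS_* statuses). Entry i holds the code for status 0xc0150001 + i,
 * as the per-entry comments show.
 *
 * STATUS_SXS_VERSION_CONFLICT and STATUS_SXS_ASSEMBLY_MISSING both fall back
 * to ERROR_MR_MID_NOT_FOUND, the same value used for the unnamed slot
 * c015000d, so the translated code does not identify them. Keep the original
 * NTSTATUS when logging.
 */
static const DWORD table_c0150001[14] =
{
    ERROR_SXS_SECTION_NOT_FOUND, /* c0150001 (STATUS_SXS_SECTION_NOT_FOUND) */
    ERROR_SXS_CANT_GEN_ACTCTX, /* c0150002 (STATUS_SXS_CANT_GEN_ACTCTX) */
    ERROR_SXS_INVALID_ACTCTXDATA_FORMAT, /* c0150003 (STATUS_SXS_INVALID_ACTCTXDATA_FORMAT) */
    ERROR_SXS_ASSEMBLY_NOT_FOUND, /* c0150004 (STATUS_SXS_ASSEMBLY_NOT_FOUND) */
    ERROR_SXS_MANIFEST_FORMAT_ERROR, /* c0150005 (STATUS_SXS_MANIFEST_FORMAT_ERROR) */
    ERROR_SXS_MANIFEST_PARSE_ERROR, /* c0150006 (STATUS_SXS_MANIFEST_PARSE_ERROR) */
    ERROR_SXS_ACTIVATION_CONTEXT_DISABLED, /* c0150007 (STATUS_SXS_ACTIVATION_CONTEXT_DISABLED) */
    ERROR_SXS_KEY_NOT_FOUND, /* c0150008 (STATUS_SXS_KEY_NOT_FOUND) */
    ERROR_MR_MID_NOT_FOUND, /* c0150009 (STATUS_SXS_VERSION_CONFLICT) */
    ERROR_SXS_WRONG_SECTION_TYPE, /* c015000a (STATUS_SXS_WRONG_SECTION_TYPE) */
    ERROR_SXS_THREAD_QUERIES_DISABLED, /* c015000b (STATUS_SXS_THREAD_QUERIES_DISABLED) */
    ERROR_MR_MID_NOT_FOUND, /* c015000c (STATUS_SXS_ASSEMBLY_MISSING) */
    ERROR_MR_MID_NOT_FOUND, /* c015000d */
    ERROR_SXS_PROCESS_DEFAULT_ALREADY_SET /* c015000e (STATUS_SXS_PROCESS_DEFAULT_ALREADY_SET) */
};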

12.12.2006

Hiding Resources under Windows BOX, RootKits?

A rootkit is "a set of programs and code that allows a permanent and consistent, undetectable presence on a computer". [http://www.eset.com/download/whitepapers/Whitepaper-Rootkit_Root_Of_All_Evil.pdf]

Invisibility on NT boxes, How to become unseen on Windows NT (Version: 1.2)
Holy_Father
29A magazine #7
August 2003


Contents
1. Contents
2. Introduction
3. Files
3.1 NtQueryDirectoryFile
3.2 NtVdmControl
4. Processes
5. Registry
5.1 NtEnumerateKey
5.2 NtEnumerateValueKey
6. System services and drivers
7. Hooking and spreading
7.1 Rights
7.2 Global hook
7.3 New processes
7.4 DLL
8. Memory
9. Handle
9.1 Naming handle and getting type
10. Ports
10.1 Netstat, OpPorts on WinXP, FPort on WinXP
10.2 OpPorts on Win2k and NT4, FPort on Win2k
11. Ending
2. Introduction
This document is about techniques for hiding objects, files, services, processes etc. on Windows NT. These methods are based on hooking Windows API functions, which are described in my document "Hooking Windows API".

Everything here comes from my own research while writing rootkit code, so there is a chance it could be written more effectively or much more easily. The same applies to my implementation.

Hiding an arbitrary object in this document means changing the system functions which name this object so that they skip naming it. In the case where this object is the only return value of that function, we return a value as if the object did not exist.

The basic method (unless stated otherwise) is to call the original function with the original arguments and then change its output.

This version of the text describes methods of hiding files, processes, registry keys and values, system services and drivers, allocated memory and handles.

3. Files
There are several ways of hiding files so that the OS does not see them. We will aim only at changing the API and leave out techniques such as those which rely on features of the filesystem. This is also much easier because we don't need to know how a particular filesystem works.

3.1 NtQueryDirectoryFile
Looking for a file in some directory on Windows NT is based on searching through all its files and the files in all its subdirectories. The function NtQueryDirectoryFile is used for file enumeration.

/*
 * Prototype of the native directory-enumeration call, as given by the article.
 * The article uses only FileHandle, FileInformation and FileInformationClass;
 * the remaining parameters are not explained on this page.
 *
 * The technique described here changes only what this call returns and leaves
 * the filesystem itself untouched, so a listing obtained without going through
 * this call is an independent view that can be compared against its output.
 */
NTSTATUS NtQueryDirectoryFile(
IN HANDLE FileHandle, /* handle to the directory object being listed */
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID FileInformation, /* caller-allocated buffer the records are written to */
IN ULONG FileInformationLength, /* presumably the size of FileInformation; not explained on this page */
IN FILE_INFORMATION_CLASS FileInformationClass, /* selects the record layout written to FileInformation */
IN BOOLEAN ReturnSingleEntry,
IN PUNICODE_STRING FileName OPTIONAL,
IN BOOLEAN RestartScan
);
The important parameters for us are FileHandle, FileInformation and FileInformationClass. FileHandle is a handle to the directory object, which can be obtained from NtOpenFile. FileInformation is a pointer to allocated memory where this function writes the requested data. FileInformationClass determines the type of record written to FileInformation.

FileInformationClass is an enumerated type with many values, but we need only the four values which are used for enumerating directory content:


/*
 * The four FILE_INFORMATION_CLASS values that return directory listings.
 * Each one selects a different record layout in the FileInformation buffer
 * of NtQueryDirectoryFile.
 */
#define FileDirectoryInformation 1
#define FileFullDirectoryInformation 2
#define FileBothDirectoryInformation 3
#define FileNamesInformation 12
The structure of the record written to FileInformation for FileDirectoryInformation:

/*
 * Record returned for FileDirectoryInformation. Records form a list chained
 * through NextEntryOffset. Any code that walks the list should check that
 * NextEntryOffset and FileNameLength stay inside the buffer it was given.
 */
typedef struct _FILE_DIRECTORY_INFORMATION {
ULONG NextEntryOffset; /* offset from this record to the next; zero in the last record */
ULONG Unknown; /* the article's name; Microsoft's headers call this field FileIndex */
LARGE_INTEGER CreationTime;
LARGE_INTEGER LastAccessTime;
LARGE_INTEGER LastWriteTime;
LARGE_INTEGER ChangeTime;
LARGE_INTEGER EndOfFile;
LARGE_INTEGER AllocationSize;
ULONG FileAttributes;
ULONG FileNameLength; /* length of FileName (in bytes, per Microsoft's documentation) */
WCHAR FileName[1]; /* first element of a variable-length name; extent given by FileNameLength */
} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION;
for FileFullDirectoryInformation:

/*
 * Record returned for FileFullDirectoryInformation: the basic directory
 * record plus EaInformationLength. Records are chained through
 * NextEntryOffset; bounds-check it and FileNameLength when walking the list.
 */
typedef struct _FILE_FULL_DIRECTORY_INFORMATION {
ULONG NextEntryOffset; /* offset from this record to the next; zero in the last record */
ULONG Unknown; /* the article's name; Microsoft's headers call this field FileIndex */
LARGE_INTEGER CreationTime;
LARGE_INTEGER LastAccessTime;
LARGE_INTEGER LastWriteTime;
LARGE_INTEGER ChangeTime;
LARGE_INTEGER EndOfFile;
LARGE_INTEGER AllocationSize;
ULONG FileAttributes;
ULONG FileNameLength; /* length of FileName (in bytes, per Microsoft's documentation) */
ULONG EaInformationLength;
WCHAR FileName[1]; /* first element of a variable-length name; extent given by FileNameLength */
} FILE_FULL_DIRECTORY_INFORMATION, *PFILE_FULL_DIRECTORY_INFORMATION;
for FileBothDirectoryInformation:

/*
 * Record returned for FileBothDirectoryInformation: the full directory record
 * plus an alternate name. Assuming 4-byte ULONG, 8-byte LARGE_INTEGER, 2-byte
 * WCHAR and natural alignment, FileName starts at offset 0x5E, which is the
 * constant the NtVdmControl section of the article uses for the fixed part of
 * a record.
 */
typedef struct _FILE_BOTH_DIRECTORY_INFORMATION {
ULONG NextEntryOffset; /* offset from this record to the next; zero in the last record */
ULONG Unknown; /* the article's name; Microsoft's headers call this field FileIndex */
LARGE_INTEGER CreationTime;
LARGE_INTEGER LastAccessTime;
LARGE_INTEGER LastWriteTime;
LARGE_INTEGER ChangeTime;
LARGE_INTEGER EndOfFile;
LARGE_INTEGER AllocationSize;
ULONG FileAttributes;
ULONG FileNameLength; /* length of FileName (in bytes, per Microsoft's documentation) */
ULONG EaInformationLength;
UCHAR AlternateNameLength; /* ShortNameLength in Microsoft's headers */
WCHAR AlternateName[12]; /* fixed-size alternate name; ShortName in Microsoft's headers */
WCHAR FileName[1]; /* first element of a variable-length name; extent given by FileNameLength */
} FILE_BOTH_DIRECTORY_INFORMATION, *PFILE_BOTH_DIRECTORY_INFORMATION;
and for FileNamesInformation:

/*
 * Record returned for FileNamesInformation: names only, chained through
 * NextEntryOffset like the other directory records.
 */
typedef struct _FILE_NAMES_INFORMATION {
ULONG NextEntryOffset; /* offset from this record to the next; zero in the last record */
ULONG Unknown; /* the article's name; Microsoft's headers call this field FileIndex */
ULONG FileNameLength; /* length of FileName (in bytes, per Microsoft's documentation) */
WCHAR FileName[1]; /* first element of a variable-length name; extent given by FileNameLength */
} FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION;
This function writes a list of these structures to FileInformation. Only three variables are important for us in any of these structure types.

NextEntryOffset is the length of the particular list item. The first item can be found at address FileInformation + 0, so the second item is at address FileInformation + NextEntryOffset of the first one. The last item has NextEntryOffset set to zero.

FileName is a full name of the file.

FileNameLength is a length of file name.

If we want to hide a file, we need to tell apart these four types and for each returned record we need to compare its name with the one which we want to hide. If we want to hide the first record, we have to move the following structures by the size of the first one, so that the first record is overwritten. If we want to hide another record, we can easily change the value of NextEntryOffset of the previous record. The new value of NextEntryOffset is zero if we want to hide the last record; otherwise the value is the sum of NextEntryOffset of the record we want to hide and of the previous record. Then we should change the value of Unknown of the previous record, which is probably an index for the next search. The value of Unknown of the previous record should take the value of Unknown of the record we want to hide.

If no record which should be seen was found, we will return error STATUS_NO_SUCH_FILE.

/* NTSTATUS with error severity (top two bits set); the article returns it when no visible record remains. */
#define STATUS_NO_SUCH_FILE 0xC000000F
3.2 NtVdmControl
For an unknown reason, the DOS emulation NTVDM can also get a list of files with the function NtVdmControl.

/*
 * Prototype of the NTVDM control call, as given by the article. No length
 * parameter accompanies ControlData; the article derives the buffer length
 * from the records themselves.
 */
NTSTATUS NtVdmControl(
IN ULONG ControlCode, /* selects the subfunction applied to ControlData */
IN PVOID ControlData /* buffer the subfunction operates on */
);
ControlCode specifies the subfunction which is applied to the data in the ControlData buffer. If ControlCode equals VdmDirectoryFile, this function does the same as NtQueryDirectoryFile with FileInformationClass set to FileBothDirectoryInformation.

/* ControlCode for directory enumeration; value as given by the article, not checked against a Microsoft header here. */
#define VdmDirectoryFile 6
Then ControlData is used like FileInformation. The only difference here is that we do not know the length of this buffer. So we have to count it manually. We have to add NextEntryOffset of all records and FileNameLength of the last record and 0x5E as a length of the last record excluding the name of the file. Hiding methods are the same as in NtQueryDirectoryFile then.

4. Processes
Various system info is available using NtQuerySystemInformation.

/*
 * Prototype of the native system-information query, as given by the article.
 * The output is whatever the (possibly hooked) call writes to the buffer, so
 * tools that rely on it alone see only that view.
 */
NTSTATUS NtQuerySystemInformation(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass, /* type of information requested */
IN OUT PVOID SystemInformation, /* output buffer */
IN ULONG SystemInformationLength, /* length of the output buffer */
OUT PULONG ReturnLength OPTIONAL /* number of bytes written */
);
SystemInformationClass specifies the type of information which we want to get, SystemInformation is a pointer to the function output buffer, SystemInformationLength is the length of this buffer and ReturnLength is number of written bytes.

For the enumeration of running processes we use SystemInformationClass set on SystemProcessesAndThreadsInformation.

/*
 * NOTE(review): the sentence above names the class value
 * SystemProcessesAndThreadsInformation, so the macro name here looks like a
 * slip. As written it also has the same name as the first parameter in the
 * NtQuerySystemInformation prototype.
 */
#define SystemInformationClass 5
Returned structure in SystemInformation buffer is:

/*
 * Per-process record in the buffer returned for the process-enumeration
 * class. The article treats the buffer as a list chained through
 * NextEntryDelta, in the same way as the directory records.
 *
 * NOTE(review): the article's technique edits only this returned list, so a
 * process that another enumeration source reports but this list omits is an
 * indicator of tampering.
 */
typedef struct _SYSTEM_PROCESSES {
ULONG NextEntryDelta; /* offset to the next record; plays the role NextEntryOffset has in the file records */
ULONG ThreadCount;
ULONG Reserved1[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters; // Windows 2000 only
SYSTEM_THREADS Threads[1]; /* first element of a variable-length array; presumably ThreadCount entries -- confirm */
} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;
Hiding processes is similar to hiding files. We have to change NextEntryDelta of the record preceding the one we want to hide. Usually we will not want to hide the first record here because it is the Idle process.

5. Registry
The Windows registry is a quite large tree structure containing two types of records which are important for us and which we might want to hide. The first type is registry keys, the second is values. Owing to the registry structure, hiding registry keys is not as trivial as hiding a file or process.

5.1 NtEnumerateKey
Owing to its structure we are not able to ask for a list of all keys in a specific part of the registry. We can get information only about one key, specified by its index in some part of the registry. This is provided by NtEnumerateKey.

/*
 * Prototype of the native subkey-enumeration call, as given by the article.
 * It returns information about one subkey per call, selected by Index.
 */
NTSTATUS NtEnumerateKey(
IN HANDLE KeyHandle, /* handle to the key whose subkeys are enumerated */
IN ULONG Index, /* zero-based index of the subkey to describe */
IN KEY_INFORMATION_CLASS KeyInformationClass, /* type of information returned */
OUT PVOID KeyInformation, /* buffer the information is written to */
IN ULONG KeyInformationLength, /* length of the KeyInformation buffer */
OUT PULONG ResultLength /* number of bytes written */
);
KeyHandle is a handle to a key in which we want to get information about a subkey specified by Index. Type of returned information is specified by KeyInformationClass. Data are written to KeyInformation buffer which length is KeyInformationLength. Number of written bytes is returned in ResultLength.

The most important thing we need to realize is that if we hide a key, the indexes of all following keys are shifted. And because information about a key with a higher index is obtained by asking for a key with a lower index, we always have to count how many records before it were hidden and then return the right one.

Let's have a look on the example. Assume we have some keys called A, B, C, D, E and F in any part of registry. Indexing starts from zero which mean index 4 match E key. Now if we want to hide B key and the hooked application call NtEnumerateKey with Index 4 we should return information about F key because there is an index shift. The problem is that we don't know that there is a shift. And if we didn't care about shifting and return E instead of F when asking for key with index 4 we would return nothing when asking for key with index 1 or we would return C. Both cases are errors. This is why we have to care about shifting.

Now if we counted the shift by recalling the function for each index from 0 to Index we would sometimes wait for ages (on 1GHz processor it could take up to 10 seconds with standard registry which is too much). So we have to think out more sophisticated method.

We know that keys are (except of references) sorted alphabetically. If we neglect references (which we don't want to hide) we can count the shift by following method. We will sort alphabetically our list of key names which we want to hide (RtlCompareUnicodeString can be used), then when application calls NtEnumerateKey we will not recall it with unchanged arguments but we will find out the name of the record specified by Index.

/*
 * Prototype as given by the article.
 * NOTE(review): Microsoft documents the return type of this routine as LONG.
 * The result is a signed comparison value (negative, zero or positive), not a
 * status code, so it must not be tested with status-code checks.
 */
NTSTATUS RtlCompareUnicodeString(
IN PUNICODE_STRING String1, /* first string to compare */
IN PUNICODE_STRING String2, /* second string to compare */
IN BOOLEAN CaseInSensitive /* TRUE to ignore character case */
);
String1 and String2 are strings which will be compared, CaseInSensitive is True if we want to compare with neglecting character case.

Function result describes relation between String1 and String2:

result > 0: String1 > String2
result = 0: String1 = String2
result < 0: String1 < String2
Now we have to find a border. We will compare alphabetically the name of the key specified by Index with the names in our list. The border would be the last lesser name from our list. We know that the shift is at most the number of the border in our list. But not all items from our list have to be a valid key in the part of registry we are in. So we have to ask for all items from our list up to border if they are in this part of the registry. This can be done using NtOpenKey.

/*
 * Prototype of the native key-open call, as given by the article. A return
 * value of 0 means the key was opened; the handle must then be closed with
 * NtClose.
 */
NTSTATUS NtOpenKey(
OUT PHANDLE KeyHandle, /* OUT parameter: receives the handle of the opened key */
IN ACCESS_MASK DesiredAccess, /* requested access rights */
IN POBJECT_ATTRIBUTES ObjectAttributes /* describes the key to open, including its name */
);
KeyHandle is a handle of superordinate key. We will use the value from NtEnumerateKey for it. DesiredAccess are access rights. KEY_ENUMERATE_SUB_KEYS is the right value for it. ObjectAttributes describes subkey which we want to open (including its name).

/* Access right passed as DesiredAccess to NtOpenKey in the text. */
#define KEY_ENUMERATE_SUB_KEYS 8
If the result of NtOpenKey is 0 opening was successful which mean this key from our list exists. Opened key should be closed via NtClose.

/* Closes a handle; used in the text to release each key opened with NtOpenKey. */
NTSTATUS NtClose(
IN HANDLE Handle /* handle to close */
);
For each call of NtEnumerateKey we will count the shift as the number of keys from our list which exist in the given part of the registry. Then we will add this shift to the Index argument and finally call the original NtEnumerateKey.

For getting name of the key specified by Index we will use the value KeyBasicInformation as a KeyInformationClass.

/* KEY_INFORMATION_CLASS value that makes NtEnumerateKey return KEY_BASIC_INFORMATION. */
#define KeyBasicInformation 0
NtEnumerateKey returns this structure in KeyInformation:

/*
 * Record returned by NtEnumerateKey for KeyBasicInformation. Name is
 * variable-length; a reader should take its extent from NameLength and check
 * it against the size of the buffer that was passed in.
 */
typedef struct _KEY_BASIC_INFORMATION {
LARGE_INTEGER LastWriteTime;
ULONG TitleIndex;
ULONG NameLength; /* length of Name (in bytes, per Microsoft's documentation) */
WCHAR Name[1]; /* first element of the variable-length key name */
} KEY_BASIC_INFORMATION, *PKEY_BASIC_INFORMATION;
Only thing we need here is Name and its length NameLength.

If there is no entry for shifted Index we will return error STATUS_EA_LIST_INCONSISTENT.

#define STATUS_EA_LIST_INCONSISTENT 0x80000014
5.2 NtEnumerateValueKey
Registry values are not alphabetically sorted. Luckily the number of values in one key is quite small, so we can use recall method to get the shift. API for getting info about one value is called NtEnumerateValueKey.

NTSTATUS NtEnumerateValueKey(
IN HANDLE KeyHandle,
IN ULONG Index,
IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
OUT PVOID KeyValueInformation,
IN ULONG KeyValueInformationLength,
OUT PULONG ResultLength
);
KeyHandle is again a handle of superordinate key. Index is an index to the list of values in given key. KeyValueInformationClass describes a type of information which will be stored into KeyValueInformation buffer which is long KeyValueInformationLength bytes. Number of written bytes is returned in ResultLength.

Again we have to count the shift but according to the number of values in one key we can recall this function for all indexes from 0 to Index. The name of the value can be get when KeyValueInformationClass is set to KeyValueBasicInformation.


#define KeyValueBasicInformation 0
Then we will get following structure in KeyValueInformation buffer:

typedef struct _KEY_VALUE_BASIC_INFORMATION {
ULONG TitleIndex;
ULONG Type;
ULONG NameLength;
WCHAR Name[1];
} KEY_VALUE_BASIC_INFORMATION, *PKEY_VALUE_BASIC_INFORMATION;
Again we are interested only in Name and NameLength.

If there is no entry for shifted Index we will return error STATUS_NO_MORE_ENTRIES.

#define STATUS_NO_MORE_ENTRIES 0x8000001A
6. System services and drivers
System services and drivers are enumerated by four independent API functions. How these functions are connected to each other differs between Windows versions. That's why we have to hook all four functions.

BOOL EnumServicesStatusA(
SC_HANDLE hSCManager,
DWORD dwServiceType,
DWORD dwServiceState,
LPENUM_SERVICE_STATUS lpServices,
DWORD cbBufSize,
LPDWORD pcbBytesNeeded,
LPDWORD lpServicesReturned,
LPDWORD lpResumeHandle
);

BOOL EnumServiceGroupW(
SC_HANDLE hSCManager,
DWORD dwServiceType,
DWORD dwServiceState,
LPBYTE lpServices,
DWORD cbBufSize,
LPDWORD pcbBytesNeeded,
LPDWORD lpServicesReturned,
LPDWORD lpResumeHandle,
DWORD dwUnknown
);

BOOL EnumServicesStatusExA(
SC_HANDLE hSCManager,
SC_ENUM_TYPE InfoLevel,
DWORD dwServiceType,
DWORD dwServiceState,
LPBYTE lpServices,
DWORD cbBufSize,
LPDWORD pcbBytesNeeded,
LPDWORD lpServicesReturned,
LPDWORD lpResumeHandle,
LPCTSTR pszGroupName
);

BOOL EnumServicesStatusExW(
SC_HANDLE hSCManager,
SC_ENUM_TYPE InfoLevel,
DWORD dwServiceType,
DWORD dwServiceState,
LPBYTE lpServices,
DWORD cbBufSize,
LPDWORD pcbBytesNeeded,
LPDWORD lpServicesReturned,
LPDWORD lpResumeHandle,
LPCTSTR pszGroupName
);
The most important argument here is lpServices, which points to the buffer where the list of services will be stored. lpServicesReturned, which points to the number of records in the result, is also important. The structure of the data in the output buffer depends on the function. For the functions EnumServicesStatusA and EnumServiceGroupW the returned structure is

typedef struct _ENUM_SERVICE_STATUS {
LPTSTR lpServiceName;
LPTSTR lpDisplayName;
SERVICE_STATUS ServiceStatus;
} ENUM_SERVICE_STATUS, *LPENUM_SERVICE_STATUS;

typedef struct _SERVICE_STATUS {
DWORD dwServiceType;
DWORD dwCurrentState;
DWORD dwControlsAccepted;
DWORD dwWin32ExitCode;
DWORD dwServiceSpecificExitCode;
DWORD dwCheckPoint;
DWORD dwWaitHint;
} SERVICE_STATUS, *LPSERVICE_STATUS;
For EnumServicesStatusExA and EnumServicesStatusExW it is

typedef struct _ENUM_SERVICE_STATUS_PROCESS {
LPTSTR lpServiceName;
LPTSTR lpDisplayName;
SERVICE_STATUS_PROCESS ServiceStatusProcess;
} ENUM_SERVICE_STATUS_PROCESS, *LPENUM_SERVICE_STATUS_PROCESS;

typedef struct _SERVICE_STATUS_PROCESS {
DWORD dwServiceType;
DWORD dwCurrentState;
DWORD dwControlsAccepted;
DWORD dwWin32ExitCode;
DWORD dwServiceSpecificExitCode;
DWORD dwCheckPoint;
DWORD dwWaitHint;
DWORD dwProcessId;
DWORD dwServiceFlags;
} SERVICE_STATUS_PROCESS, *LPSERVICE_STATUS_PROCESS;
We are interested only in lpServiceName which is the name of system service. Records have static size, so if we want to hide one we will move all following records by its size. Here we have to differentiate between the size of SERVICE_STATUS and SERVICE_STATUS_PROCESS.

7. Hooking and spreading
To get the desired effect we have to hook all running processes and also all processes which will be created later. New processes should be hooked before they run the first instruction of their own code, otherwise they would be able to see our hidden objects during the time before they are hooked.

7.1 Rights
At first it is good to know that we need at least administrator rights to get access to all running processes. The best possibility is to run our process as a system service which runs as the user SYSTEM. To install the service we also need special rights.

Also getting SeDebugPrivilege is very useful. This can be done using API OpenProcessToken, LookupPrivilegeValue and AdjustTokenPrivileges.

BOOL OpenProcessToken(
HANDLE ProcessHandle,
DWORD DesiredAccess,
PHANDLE TokenHandle
);

BOOL LookupPrivilegeValue(
LPCTSTR lpSystemName,
LPCTSTR lpName,
PLUID lpLuid
);

BOOL AdjustTokenPrivileges(
HANDLE TokenHandle,
BOOL DisableAllPrivileges,
PTOKEN_PRIVILEGES NewState,
DWORD BufferLength,
PTOKEN_PRIVILEGES PreviousState,
PDWORD ReturnLength
);
Neglecting errors the code can look like this:

/* Attribute and access-right constants used by the snippet below. */
#define SE_PRIVILEGE_ENABLED 0x0002
#define TOKEN_QUERY 0x0008
#define TOKEN_ADJUST_PRIVILEGES 0x0020

/*
 * Enables SeDebugPrivilege in the token of the current process:
 * open the process token, look up the LUID of the privilege by name,
 * then request that the privilege be enabled in that token.
 *
 * As the text says, errors are neglected: no return value is checked.
 * NOTE(review): AdjustTokenPrivileges can report success without having
 * assigned the privilege (the last error is then ERROR_NOT_ALL_ASSIGNED),
 * so a successful return alone does not show the privilege was enabled.
 * NOTE(review): where auditing of token right adjustments is enabled
 * (Security event 4703), this adjustment is recorded -- a process that
 * enables SeDebugPrivilege unexpectedly is worth reviewing.
 */
HANDLE hToken;
LUID DebugNameValue;
TOKEN_PRIVILEGES Privileges;
DWORD dwRet;

/*
 * NOTE(review): the prototype given above declares TokenHandle as PHANDLE,
 * but hToken (a HANDLE, still uninitialized here) is passed by value, which
 * does not match that prototype.
 */
OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,hToken);
/* NULL system name; the LUID for the privilege name is stored in DebugNameValue. */
LookupPrivilegeValue(NULL,"SeDebugPrivilege",&DebugNameValue);
/* One privilege entry, marked as enabled. */
Privileges.PrivilegeCount=1;
Privileges.Privileges[0].Luid=DebugNameValue;
Privileges.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
/* FALSE: do not disable all privileges; the previous state is not requested (NULL). */
AdjustTokenPrivileges(hToken,FALSE,&Privileges,sizeof(Privileges),
NULL,&dwRet);
CloseHandle(hToken);
7.2 Global hook
Enumeration of processes is done by already metioned API function NtQuerySystemInformation. There are few native processes in the system, so we will use the method of rewriting first instructions of the function to hook them. For each running process we will do the same. We will allocate a part of memory in target process where we will write our new code for functions we want to hook. Then we will change the first five bytes of these functions with jmp instruction. This jump will redirect the execution to our code. So the jmp instruction will be executed immediately when the hooked function is called. We have to save first instructions of each function which is rewritten. We need them to call original code of the hooked function. Saving instructions is described in chapter 3.2.3 in the document "Hooking Windows API".

At first we have to open target process via NtOpenProcess and get the handle. This will fail if we don't have enough rights.

NTSTATUS NtOpenProcess(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId OPTIONAL
);
ProcessHandle is a pointer on a handle where the result will be stored. DesiredAccess should be set on PROCESS_ALL_ACCESS. We will set PID of target process to UniqueProcess part of ClientId structure, UniqueThread should be 0. Open handle can be always closed via NtClose.

#define PROCESS_ALL_ACCESS 0x001F0FFF
Now we are going to allocate the part of memory for our code. This can be done using NtAllocateVirtualMemory.

NTSTATUS NtAllocateVirtualMemory(
IN HANDLE ProcessHandle,
IN OUT PVOID BaseAddress,
IN ULONG ZeroBits,
IN OUT PULONG AllocationSize,
IN ULONG AllocationType,
IN ULONG Protect
);
ProcessHandle is the one from NtOpenProcess. BaseAddress is a pointer on a pointer on the beginning where we want to allocate. Here will be stored the address of the allocated memory. Input value can be NULL. AllocationSize is a pointer on number of bytes we want to allocate. And again it is also used as output value for the real number of allocated bytes. It is good to set AllocationType to MEM_TOP_DOWN in addition to MEM_COMMIT because the memory would be allocated on the highest possible address near DLLs.

#define MEM_COMMIT 0x00001000
#define MEM_TOP_DOWN 0x00100000
Then we can write our code there using NtWriteVirtualMemory.

NTSTATUS NtWriteVirtualMemory(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
IN PVOID Buffer,
IN ULONG BufferLength,
OUT PULONG ReturnLength OPTIONAL
);
BaseAddress will be that address returned by NtAllocateVirtualMemory. Buffer points on bytes we want to write, BufferLength is number of bytes we want to write.

Now we have to hook single functions. Only library which is loaded to all processes is ntdll.dll. So we have to check if function we want to hook is imported to the process if it is not from ntdll.dll. But the memory where would this function (from another DLL) be could be allocated, so rewriting bytes on its address could easily cause error in target process. This is why we have to check whether library (where function we want to hook is) is loaded to target process.

We need to get PEB (Process Environment Block) of target process via NtQueryInformationProcess.

NTSTATUS NtQueryInformationProcess(
IN HANDLE ProcessHandle,
IN PROCESSINFOCLASS ProcessInformationClass,
OUT PVOID ProcessInformation,
IN ULONG ProcessInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
We will set ProcessInformationClass to ProcessBasicInformation. Then the PROCESS_BASIC_INFORMATION structure will be returned in the ProcessInformation buffer, whose size is given by ProcessInformationLength.

#define ProcessBasicInformation 0

typedef struct _PROCESS_BASIC_INFORMATION {
NTSTATUS ExitStatus;
PPEB PebBaseAddress;
KAFFINITY AffinityMask;
KPRIORITY BasePriority;
ULONG UniqueProcessId;
ULONG InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;
PebBaseAddress is what we were looking for. On PebBaseAddress+0x0C is address PPEB_LDR_DATA. This would be get calling NtReadVirtualMemory.

NTSTATUS NtReadVirtualMemory(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
OUT PVOID Buffer,
IN ULONG BufferLength,
OUT PULONG ReturnLength OPTIONAL
);
Parameters are similar like in NtWriteVirtualMemory.

On PPEB_LDR_DATA+0x1C is address InInitializationOrderModuleList. It is the list of libraries loaded to the process. We are interested only in a part of this structure.

typedef struct _IN_INITIALIZATION_ORDER_MODULE_LIST {
PVOID Next,
PVOID Prev,
DWORD ImageBase,
DWORD ImageEntry,
DWORD ImageSize,
...
);
Next is a pointer on next record, Prev on previous, last record points on first. ImageBase is an address of module in the memory, ImageEntry is the EntryPoint of the module, ImageSize is its size.

For all libraries in which we want to hook we will get their ImageBase (e.g. using GetModuleHandle or LoadLibrary). This ImageBase we will compare with ImageBase of each entry in InInitializationOrderModuleList.

Now we are ready for hooking. Because we are hooking running processes there is a possibility that the code will be executing at the moment we are rewriting it. This can cause an error, so at first we will stop all threads in the target process. The list of its threads can be obtained via NtQuerySystemInformation with the SystemProcessesAndThreadsInformation class. The result of this function is described in chapter 4. But we have to add the description of the SYSTEM_THREADS structure, where the information about a thread is stored.

typedef struct _SYSTEM_THREADS {
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
THREAD_STATE State;
KWAIT_REASON WaitReason;
} SYSTEM_THREADS, *PSYSTEM_THREADS;
For each thread we have to get its handle using NtOpenThread. We will use ClientId for it.

NTSTATUS NtOpenThread(
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId
);
The handle we want will be stored to ThreadHandle. We will set DesiredAccess to THREAD_SUSPEND_RESUME.

#define THREAD_SUSPEND_RESUME 2
ThreadHandle will be used for calling NtSuspendThread.

NTSTATUS NtSuspendThread(
IN HANDLE ThreadHandle,
OUT PULONG PreviousSuspendCount OPTIONAL
);
Suspended process is ready for rewriting. We will proceed as it is described in chapter 3.2.2 in "Hooking Windows API". Only difference will be in using functions for other processes.

After a hook we will revive all process threads calling NtResumeThread.

NTSTATUS NtResumeThread(
IN HANDLE ThreadHandle,
OUT PULONG PreviousSuspendCount OPTIONAL
);
7.3 New processes
Infection of all running processes does not affect processes which would be run later. We could get the process list and after a while get a new one and compare them and then infect those processes which are in second list but not in first. But this method is very unreliable.

Much better is to hook function which is always called when new process starts. Because of hooking all running processes on the system we can't miss any new with this method. We can hook NtCreateThread but it is not the easiest way. We will hook NtResumeThread which is also called everytime after the new process is created. It is called after NtCreateThread.

The only problem with NtResumeThread is that it is called not only when new process starts. But we can easily get over this. NtQueryInformationThread will give us an information about which process owns the specific thread. The last thing we have to do is to check whether this process is already hooked or not. This can be done by reading first byte of any function we are hooking.

NTSTATUS NtQueryInformationThread(
IN HANDLE ThreadHandle,
IN THREADINFOCLASS ThreadInformationClass,
OUT PVOID ThreadInformation,
IN ULONG ThreadInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
ThreadInformationClass is information class and it should be set in our case to ThreadBasicInformation. ThreadInformation is the buffer for result which size is ThreadInformationLength bytes.

#define ThreadBasicInformation 0
For class ThreadBasicInformation is this structure returned:

typedef struct _THREAD_BASIC_INFORMATION {
NTSTATUS ExitStatus;
PNT_TIB TebBaseAddress;
CLIENT_ID ClientId;
KAFFINITY AffinityMask;
KPRIORITY Priority;
KPRIORITY BasePriority;
} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;
ClientId contains the PID of the process which owns the thread.

Now we have to infect the new process. The problem is that the new process has only ntdll.dll in its memory. All others modules are loaded immediately after calling NtResumeThread. There are several ways how to handle this problem. E.g. we can hook API called LdrInitializeThunk which is called during process init.

NTSTATUS LdrInitializeThunk(
DWORD Unknown1,
DWORD Unknown2,
DWORD Unknown3
);
At first we will run original code and then we will hook all functions we want in this new process. But it will be better to unhook LdrInitializeThunk because it is called many times later and we don't want to rehook all functions again. Everything here is done before execution of the first instruction of hooked application. That's why there is no chance it would call any of hooked functions before we hook it.

The hooking in itself is the same as when hooking running process but here we don't care about running threads.

7.4 DLL
Each process in the system has a copy of ntdll.dll. That means we can hook any function from this module during process init. But how about functions from other modules like kernel32.dll or advapi32.dll? There are also several processes which have only ntdll.dll. All other modules can be loaded dynamically in the middle of the code after the process hook. That's why we have to hook LdrLoadDll, which loads new modules.


NTSTATUS LdrLoadDll(
PWSTR szcwPath,
PDWORD pdwLdrErr,
PUNICODE_STRING pUniModuleName,
PHINSTANCE pResultInstance
);
The most important for us here is pUniModuleName which is the name of the module. pResultInstance will be filled with its address if the call is successful.

We will call original LdrLoadDll and then hook all functions in loaded module.

8. Memory
When we are hooking a function we modify its first bytes. Via calling NtReadVirtualMemory anyone can detect that a function is hooked. So we have to hook NtReadVirtualMemory to prevent detecting.

NTSTATUS NtReadVirtualMemory(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
OUT PVOID Buffer,
IN ULONG BufferLength,
OUT PULONG ReturnLength OPTIONAL
);
We have changed bytes at the beginning of all functions we hooked and we have also allocated memory for our new code. We should check whether the caller reads some of these bytes. If we have our bytes in the range from BaseAddress to BaseAddress + BufferLength we have to change some bytes in Buffer.

If one ask for bytes from our allocated memory we should return empty Buffer and an error STATUS_PARTIAL_COPY. This value says not all requested bytes were copied to the Buffer. It is also used when asking for unallocated memory. ReturnLength should be set to 0 in this case.

#define STATUS_PARTIAL_COPY 0x8000000D
If one asks for the first bytes of a hooked function we have to call the original code and then we should copy the original bytes (we have saved them for original calls) to Buffer.

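Now the process is not able to detect that it is hooked by reading its memory through NtReadVirtualMemory. Also, if you debug a hooked process, the debugger will have a problem: it will show the original bytes but it will execute our code. Note that only reads which pass through the hooked function are affected; the modified bytes are still present in the process memory, so a reader that does not go through the hooked call sees them as they really are.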

To make hiding perfect we can also hook NtQueryVirtualMemory. This function is used to get information about virtual memory. We can hook it to prevent detecting our allocated memory.

NTSTATUS NtQueryVirtualMemory(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
IN MEMORY_INFORMATION_CLASS MemoryInformationClass,
OUT PVOID MemoryInformation,
IN ULONG MemoryInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
MemoryInformationClass specifies the class of data which are returned. First two types are interesting for us.

#define MemoryBasicInformation 0
#define MemoryWorkingSetList 1
For class MemoryBasicInformation is returned this structure:

typedef struct _MEMORY_BASIC_INFORMATION {
PVOID BaseAddress;
PVOID AllocationBase;
ULONG AllocationProtect;
ULONG RegionSize;
ULONG State;
ULONG Protect;
ULONG Type;
} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;
Each memory section has its size RegionSize and its type Type. Free memory has type MEM_FREE.

#define MEM_FREE 0x10000
If a section before ours has type MEM_FREE we should add the size of ours section to its RegionSize. If the following section is also MEM_FREE we should add following section size again that RegionSize.

If a section before ours has another type we will return MEM_FREE for our section. Its size is counted again according to following section.

For class MemoryWorkingSetList is returned structure:

typedef struct _MEMORY_WORKING_SET_LIST {
ULONG NumberOfPages;
ULONG WorkingSetList[1];
} MEMORY_WORKING_SET_LIST, *PMEMORY_WORKING_SET_LIST;
NumberOfPages is the number of items in WorkingSetList. This number should be decreased. We should find ours section in WorkingSetList and move following records over ours. WorkingSetList is an array of DWORDs where higher 20 bits specifies higher 20 bits of section address and lower 12 bits specifies flags.

9. Handle
Calling NtQuerySystemInformation with the SystemHandleInformation class gives us an array of all open handles in a _SYSTEM_HANDLE_INFORMATION_EX structure.

#define SystemHandleInformation 0x10

typedef struct _SYSTEM_HANDLE_INFORMATION {
ULONG ProcessId;
UCHAR ObjectTypeNumber;
UCHAR Flags;
USHORT Handle;
PVOID Object;
ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

typedef struct _SYSTEM_HANDLE_INFORMATION_EX {
ULONG NumberOfHandles;
SYSTEM_HANDLE_INFORMATION Information[1];
} SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX;
ProcessId specifies the process which owns the handle. ObjectTypeNumber is the handle type. NumberOfHandles is the number of records in the Information array. Hiding one item is trivial. We have to move all following records back by one and decrease NumberOfHandles. Moving all following records is needed because handles in the array are grouped by ProcessId. That means all handles from one single process are together. And within one process the Handle number is growing.

Now remember the structure _SYSTEM_PROCESSES which is returned by this function with the SystemProcessesAndThreadsInformation class. Here we can see that each process has information about its number of handles in HandleCount. If we want to be perfect we should modify HandleCount according to how many handles we hide when this function is called with the SystemProcessesAndThreadsInformation class. But this correction would be very time-consuming. Many handles are opened and closed in a very short time during normal system operation. So it can easily happen that the number of handles changes between two calls of this function, and therefore we don't need to change HandleCount.

9.1 Naming handle and getting type
Handle hiding is trivial but find out which handle to hide is little bit harder. If we have e.g. hidden process we should hide all its handles and all handles which are connected with it. Hiding handles of this process is again trivial. We are only comparing ProcessId of handle and PID of our process and when they equals we hide it. But handles of other processes have to be named before we can compare something. The number of handles in the system is usually very big, so the best we can do is to compare handle type first before trying to name it. Naming types will save a lot of time for handles we are not interested in.

Naming a handle and a handle type can be done by calling NtQueryObject (shown below under its Zw name, ZwQueryObject).

NTSTATUS ZwQueryObject(
IN HANDLE ObjectHandle,
IN OBJECT_INFORMATION_CLASS ObjectInformationClass,
OUT PVOID ObjectInformation,
IN ULONG ObjectInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
ObjectHandle is a handle we want to get info about, ObjectInformationClass is the type of information which will be stored into ObjectInformation buffer which is ObjectInformationLength bytes long.

We will use the classes ObjectNameInformation and ObjectAllTypesInformation. The ObjectNameInformation class will fill the buffer with an OBJECT_NAME_INFORMATION structure, the ObjectAllTypesInformation class with an OBJECT_ALL_TYPES_INFORMATION structure.

#define ObjectNameInformation 1
#define ObjectAllTypesInformation 3

typedef struct _OBJECT_NAME_INFORMATION {
UNICODE_STRING Name;
} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;
Name determines the name of the handle.

typedef struct _OBJECT_TYPE_INFORMATION {
UNICODE_STRING Name;
ULONG ObjectCount;
ULONG HandleCount;
ULONG Reserved1[4];
ULONG PeakObjectCount;
ULONG PeakHandleCount;
ULONG Reserved2[4];
ULONG InvalidAttributes;
GENERIC_MAPPING GenericMapping;
ULONG ValidAccess;
UCHAR Unknown;
BOOLEAN MaintainHandleDatabase;
POOL_TYPE PoolType;
ULONG PagedPoolUsage;
ULONG NonPagedPoolUsage;
} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;

typedef struct _OBJECT_ALL_TYPES_INFORMATION {
ULONG NumberOfTypes;
OBJECT_TYPE_INFORMATION TypeInformation;
} OBJECT_ALL_TYPES_INFORMATION, *POBJECT_ALL_TYPES_INFORMATION;
Name determines the name of type object which immediately follows each OBJECT_TYPE_INFORMATION structure. The next OBJECT_TYPE_INFORMATION structure follows this Name, starting on the first four-byte boundary.

ObjectTypeNumber from SYSTEM_HANDLE_INFORMATION structure is an index to TypeInformation array.

Harder is to get the name of handle from other process. There are two possibilities how to name it. First is to copy the handle via NtDuplicateObject to our process and then to name it. This method will fail for some specific types of handles. But it will fail only for few, so we can stay calm and use this.

NtDuplicateObject(
IN HANDLE SourceProcessHandle,
IN HANDLE SourceHandle,
IN HANDLE TargetProcessHandle,
OUT PHANDLE TargetHandle OPTIONAL,
IN ACCESS_MASK DesiredAccess,
IN ULONG Attributes,
IN ULONG Options
);
SourceProcessHandle is a handle of the process which owns SourceHandle, which is the handle we want to copy. TargetProcessHandle is a handle of the process to copy into. This will be a handle to our process in our case. TargetHandle is a pointer to the handle where a copy of the original handle is saved. DesiredAccess should be set to PROCESS_QUERY_INFORMATION, Attributes and Options to 0.

Second naming method which works with any handle is to use system driver. Source code for this is available in OpHandle project on my site http://rootkit.host.sk.

10. Ports
The easiest way to enumerate open ports is to use the functions AllocateAndGetTcpTableFromStack and AllocateAndGetUdpTableFromStack, or AllocateAndGetTcpExTableFromStack and AllocateAndGetUdpExTableFromStack, from iphlpapi.dll. The Ex functions are available since Windows XP.

typedef struct _MIB_TCPROW {
DWORD dwState;
DWORD dwLocalAddr;
DWORD dwLocalPort;
DWORD dwRemoteAddr;
DWORD dwRemotePort;
} MIB_TCPROW, *PMIB_TCPROW;

typedef struct _MIB_TCPTABLE {
DWORD dwNumEntries;
MIB_TCPROW table[ANY_SIZE];
} MIB_TCPTABLE, *PMIB_TCPTABLE;

typedef struct _MIB_UDPROW {
DWORD dwLocalAddr;
DWORD dwLocalPort;
} MIB_UDPROW, *PMIB_UDPROW;

typedef struct _MIB_UDPTABLE {
DWORD dwNumEntries;
MIB_UDPROW table[ANY_SIZE];
} MIB_UDPTABLE, *PMIB_UDPTABLE;

typedef struct _MIB_TCPROW_EX
{
DWORD dwState;
DWORD dwLocalAddr;
DWORD dwLocalPort;
DWORD dwRemoteAddr;
DWORD dwRemotePort;
DWORD dwProcessId;
} MIB_TCPROW_EX, *PMIB_TCPROW_EX;

typedef struct _MIB_TCPTABLE_EX
{
DWORD dwNumEntries;
MIB_TCPROW_EX table[ANY_SIZE];
} MIB_TCPTABLE_EX, *PMIB_TCPTABLE_EX;

typedef struct _MIB_UDPROW_EX
{
DWORD dwLocalAddr;
DWORD dwLocalPort;
DWORD dwProcessId;
} MIB_UDPROW_EX, *PMIB_UDPROW_EX;

typedef struct _MIB_UDPTABLE_EX
{
DWORD dwNumEntries;
MIB_UDPROW_EX table[ANY_SIZE];
} MIB_UDPTABLE_EX, *PMIB_UDPTABLE_EX;

DWORD WINAPI AllocateAndGetTcpTableFromStack(
OUT PMIB_TCPTABLE *pTcpTable,
IN BOOL bOrder,
IN HANDLE hAllocHeap,
IN DWORD dwAllocFlags,
IN DWORD dwProtocolVersion;
);

DWORD WINAPI AllocateAndGetUdpTableFromStack(
OUT PMIB_UDPTABLE *pUdpTable,
IN BOOL bOrder,
IN HANDLE hAllocHeap,
IN DWORD dwAllocFlags,
IN DWORD dwProtocolVersion;
);

DWORD WINAPI AllocateAndGetTcpExTableFromStack(
OUT PMIB_TCPTABLE_EX *pTcpTableEx,
IN BOOL bOrder,
IN HANDLE hAllocHeap,
IN DWORD dwAllocFlags,
IN DWORD dwProtocolVersion;
);

DWORD WINAPI AllocateAndGetUdpExTableFromStack(
OUT PMIB_UDPTABLE_EX *pUdpTableEx,
IN BOOL bOrder,
IN HANDLE hAllocHeap,
IN DWORD dwAllocFlags,
IN DWORD dwProtocolVersion;
);
There is another way to do this stuff. When program creates a socket and starts listening it surely has an open handle for it and for open port. We can enumerate all open handles in the system and send them special buffer via NtDeviceIoControlFile to find out whether the handle is for open port or not. This will also give us information about the port. Because there are a lot of open handles we will test only handles which type is File and name is \Device\Tcp or \Device\Udp. Open ports have only this type and name.

When we look to the code of iphlpapi.dll functions above we find out that these functions also calls NtDeviceIoControlFile and sends special buffer to get a list of all open ports in the system. That mean only functions we need to hook for hiding ports is NtDeviceIoControlFile.

NTSTATUS NtDeviceIoControlFile(
IN HANDLE FileHandle
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG IoControlCode,
IN PVOID InputBuffer OPTIONAL,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer OPTIONAL,
IN ULONG OutputBufferLength
);
The interesting arguments for us now are FileHandle, which specifies a handle of the device to communicate with; IoStatusBlock, which points to a variable that receives the final completion status and information about the requested operation; and IoControlCode, which is a number specifying the type of the device, method, file access and a function. InputBuffer contains input data that are InputBufferLength bytes long, and similarly OutputBuffer and OutputBufferLength.

10.1 Netstat, OpPorts on WinXP, FPort on WinXP
Getting a list of all open ports is the first way which is used by e.g. OpPorts and FPort on Windows XP and also Netstat.

Programs call NtDeviceIoControlFile twice here with IoControlCode 0x000120003. OutputBuffer is filled after the second call. The name of FileHandle is here always \Device\Tcp. InputBuffer differs for different types of call:

To get an array of MIB_TCPROW InputBuffer looks as follows:
first call:
0x00 0x04 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x02 0x00 0x00 0x00 0x01 0x00 0x00
0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00

second call:
0x00 0x04 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x02 0x00 0x00 0x00 0x01 0x00 0x00
0x01 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 To get an array of MIB_UDPROW:
first call:
0x01 0x04 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x02 0x00 0x00 0x00 0x01 0x00 0x00
0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00

second call:
0x01 0x04 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x02 0x00 0x00 0x00 0x01 0x00 0x00
0x01 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 To get an array of MIB_TCPROW_EX:
first call:
0x00 0x04 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x02 0x00 0x00 0x00 0x01 0x00 0x00
0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00

second call:
0x00 0x04 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x02 0x00 0x00 0x00 0x01 0x00 0x00
0x02 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 To get an array of MIB_UDPROW_EX:
first call:
0x01 0x04 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x02 0x00 0x00 0x00 0x01 0x00 0x00
0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00

second call:
0x01 0x04 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x02 0x00 0x00 0x00 0x01 0x00 0x00
0x02 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 You can see the buffers are different in few bytes only. We can lucidly recapitulate these:

Calls we are interested in have InputBuffer[1] set to 0x04 and mainly InputBuffer[17] set to 0x01. Only for this input data do we get OutputBuffer filled with the desired tables. If we want to get info about TCP ports we set InputBuffer[0] to 0x00, or to 0x01 for information about UDP. If we want extended output tables (MIB_TCPROW_EX or MIB_UDPROW_EX) we use InputBuffer[16] set to 0x02 in the second call.

If we find out the call with these parameters we can change the output buffer. To get number of rows in output buffer simply divide Information from IoStatusBlock by size of the row. Hiding of one row is easy then. Just rewrite it with following rows and delete last row. Don't forget to change OutputBufferLength and IoStatusBlock.

10.2 OpPorts on Win2k and NT4, FPort on Win2k
We use NtDeviceIoControlFile with IoControlCode 0x00210012 to determine if the handle of File type and name \Device\Tcp or \Device\Udp is the handle of open port.

So at first we compare IoControlCode and then a type and the name of the handle. If it is still interesting then we compare the length of input buffer which should be equal to the length of struct TDI_CONNECTION_IN. This length is 0x18. OutputBuffer is TDI_CONNETION_OUT.

typedef struct _TDI_CONNETION_IN
{
ULONG UserDataLength,
PVOID UserData,
ULONG OptionsLength,
PVOID Options,
ULONG RemoteAddressLength,
PVOID RemoteAddress
} TDI_CONNETION_IN, *PTDI_CONNETION_IN;

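/*
 * Output buffer layout the article gives for the same request
 * (IoControlCode 0x00210012). Field names follow the published listing;
 * Unknown1 and Unknown2 are not described by the article.
 *
 * The listing separated members with commas and had no separator at all
 * after Throughput; members are terminated with semicolons here so the
 * declaration is valid C. The "CONNETION" spelling is kept as published.
 */
typedef struct _TDI_CONNETION_OUT
{
    ULONG State;
    ULONG Event;
    ULONG TransmittedTsdus;
    ULONG ReceivedTsdus;        /* per the article: holds the port, in network form */
    ULONG TransmissionErrors;
    ULONG ReceiveErrors;
    LARGE_INTEGER Throughput;
    LARGE_INTEGER Delay;
    ULONG SendBufferSize;
    ULONG ReceiveBufferSize;
    ULONG Unreliable;
    ULONG Unknown1[5];
    USHORT Unknown2;
} TDI_CONNETION_OUT, *PTDI_CONNETION_OUT;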
Concrete implementation of how to determine the handle is open port is available in source code of OpPorts on http://rootkit.host.sk. We are interested in hiding specific port now. We already compared InputBufferLength and IoControlCode. Now we have to compare RemoteAddressLength. This is always 3 or 4 for open port. The last we have to do is to compare ReceivedTsdus from OutputBuffer which contains the port in network form and our list of ports we want to hide. Differentiate between TCP and UDP is done according to the name of the handle. By deleting OutputBuffer, changing IoStatusBlock and returning the value of STATUS_INVALID_ADDRESS we will hide this port.

11. Ending
A concrete implementation of the described techniques will be available with the source code of the Hacker defender rootkit in version 1.0.0 on its homepage http://rootkit.host.sk and on http://www.rootkit.com.

It is possible I will add some more information about invisibility on Windows NT in the future. New versions of this document could also contain improvement of described methods or new comments.

Special thanks to Ratter, who gave me a lot of the know-how that was necessary to write this document and to code the Hacker defender project.

Send all remarks to holy_father@phreaker.net or to the board on http://rootkit.host.sk.

3.14.2006

Infection Vectors of Worms, Spams, Spims

This is a good website for infection vectors about worms, spams, spims. The article is professional.

http://www.infectionvectors.com/

2.17.2006

Using free() to exploit heap vulnerabilities

To use free() in the memory manager to achieve the exploit objective, the following requirements should be met:

1. Overwriting the chunk which will be free()'d using heap overflow or other vulnerabilities, such as double free. The overwritten chunk header should be designed deliberately.
2. Constructing at least one fake-chunk within the heap or stack.
3. the head information in the fake chunk, say, the prev-size/size/fd/bk, should be designed to trigger unlink macro within free().
4. the memory address overwritten by unlink is able to hijack the control flow of the current process. In order to achieve it, the forward address in the fake-chunk should be the address for control flow hijacking, such as the return address of a function, a function pointer etc. The backward address in the fake-chunk should be the memory address of your shell code.
5. the shell code should start with a jump instruction that skips 10+ bytes, because the unlink macro will destroy the 4 bytes of content starting at index 8.

If I am wrong on it, please write to zhwei.li (AT_4_anti_spam) gmail.com

Using unlink macro within free() to exploit heap overflow

Indeed, the attacker could store the address of a function pointer, minus 12 bytes as explained below, in the forward pointer FD of the fake chunk (read at line[2]), and the address of a shellcode in the back pointer BK of the fake chunk (read at line[1]). The unlink() macro would therefore, when trying to take this fake chunk off its imaginary doubly-linked list, overwrite (at line[3]) the function pointer located at FD plus 12 bytes (12 is the offset of the bk field within a boundary tag) with BK (the address of the shellcode).

If the vulnerable program reads the overwritten function pointer (an entry of the GOT (Global Offset Table) or one of the debugging hooks compiled in Doug Lea's Malloc (__malloc_hook, __free_hook, etc) for example) and jumps to the memory location it points to, and if a valid shellcode is stored there at that time, the shellcode is executed.

But since unlink() would also overwrite (at line[4]) an integer located in the very middle of the shellcode, at BK plus 8 bytes (8 is the offset of the fd field within a boundary tag), with FD (a valid pointer but probably not valid machine code), the first instruction of the shellcode should jump over the overwritten integer, into a classic shellcode.

This unlink() technique, first introduced by Solar Designer, is illustrated with a proof of concept in 3.6.1.2, and was successfully exploited in the wild against certain vulnerable versions of programs like Netscape browsers, traceroute, and slocate (mentioned in 3.1.2.1).

............
------------------------------------------------------------------------------------
............

So if the size of the first argument passed to the vulnerable program by the attacker is greater than or equal to 680 (668 + 3*4) bytes, the attacker will be able to overwrite the size, fd and bk fields of the boundary tag associated with the second chunk. They could therefore use the unlink() technique, but how can dlmalloc be tricked into processing the corrupted second chunk with unlink() since this chunk is allocated?

When free(3) is called at line[4] in order to free the first chunk, the step[4.2] of the free(3) algorithm is carried out and the second chunk is processed by unlink() if it is free (if the PREV_INUSE bit of the next contiguous chunk is clear). Unfortunately this bit is set because the second chunk is allocated, but the attacker can trick dlmalloc into reading a fake PREV_INUSE bit since they control the size field of the second chunk (used by dlmalloc in order to compute the address of the
next contiguous chunk).

For instance, if the attacker overwrites the size field of the second chunk with -4 (0xfffffffc), dlmalloc will think the beginning of the next contiguous chunk is in fact 4 bytes before the beginning of the second chunk, and will therefore read the prev_size field of the second chunk instead of the size field of the next contiguous chunk. So if the attacker stores an even integer (an integer whose PREV_INUSE bit
is clear) in this prev_size field, dlmalloc will process the corrupted second chunk with unlink() and the attacker will be able to apply the technique described in 3.6.1.1.

Indeed, the exploit below overwrites the fd field of the second chunk with a pointer to the GOT entry of the free(3) function (read at line[5] after the unlink() attack) minus 12 bytes, and overwrites the bk field of the second chunk with the address of a special shellcode stored 8 (2*4) bytes after the beginning of the first buffer (the first 8 bytes of this buffer correspond to the fd and bk fields of the associated
boundary tag and are overwritten at line[4], by frontlink() during the step[4.3] of the free(3) algorithm).

From http://www.phrack.org/phrack/57/p57-0x08

2.11.2006

Linux Kernel do_brk() vulnerability

I am reviewing the knowledge about heap overflow and format string attacks. My purpose is to construct a real attack to a synthetic vulnerability in a system, such as Linux.
http://isec.pl/papers/linux_kernel_do_brk.pdf

2.05.2006

Two blogs on worm and honeypot

A well known blog on worm detection/defense techniques is
http://www.wormblog.com

Another blog on honeypot is
http://honeyblog.org
which, at first glance, looks very much like a blog about honey....
Hmmmmmmm.... just joking..:)

I have moved to Indiana University at Bloomington

I have moved to Indiana University at Bloomington. My boss here is Professor XiaoFeng Wang, who is famous in the D/DoS area of information security. For the time being, I am doing some collaborative research with CMU and NCSU.

My research areas focus on intrusion detection, worm detection and defense, and spybot detection techniques. I am expecting a prosperous year ahead for my research, though these areas are very, very competitive.

P.S.
My new website is built up at http://mypage.iu.edu/~zholi although it is very simple at present via only providing a link to my old website at NTU.

8.12.2005

some researchers and courses


Guofei has maintained a researcher list in his website.

http://home.cc.gatech.edu/guofei/4


At the same time, in my NTU website, there is a research database for intrusion detection. The list is not complete and not maintained well, but some big guys are in the list.

http://www.ntu.edu.sg/home5/pg01316106/myFavorites.htm

8.01.2005

Yeah, thesis draft is ready. :)

After a long struggling, I have finished my thesis writing at the last minute of July. Initially, I have a plan to finish it within 1 month, but it is too hard for me to finish it.

Nonetheless, I do not know whether my supervisor can finish my revision on time. That's a awkward pushing if he has no time for the revision. But expecting it will be ready soon.

At the same time, my ACM CCS paper has been rejected, stuck at the mysterious grade 4 overall recommendation. I will devote more time to it since it is an interesting and basic piece of research for intrusion detection. I expect that it will be accepted by some conference.

Due to some errors in the DS 1029 form, I have not started to apply my J1 visa. Expecting the next form will not have any error. Otherwise.....
hmmmmm....

6.10.2005

My Homepage Blog moves to blogspot

2005.May-21
I just come back from PAKDD conference 2005 in Hanoi, Vietnam. A great conference in data mining and machine learning with good organizing actitives. During this conference, I made a lot of friends in Data mining and Machine learning areas. I am very lucky to have such a chance to get in touch with such vigorous and active guys. :) Expecting that we can contact with each other from now on. At the same time, I have gotten some good ideas from this conference as well, and known some big guys in machine learning and data mining research. However, I found that I am an outlier to this conference to some degree since I am more specific for network security, instead of data mining or machine learning. :)

2005.May-13
Fortunately, I have gotten some travel support from PAKDD conference, many thanks to the organizer. During this period, my notebook has been spoilt for a long time so that I cannot get some work through conveniently. However, all have been the past.
With my supervisor's permission, I will start my thesis writing after coming back from the conference. Cheers...:)

2005.Apr-17
I got one paper published in 6th IEEE SMC Information assurance workshop 2005. Also, I have gotten the registration scholarship from this workshop. It is a great chance for a student like me in Singapore. Cheers.....

2005.Apr-09
I failed to finish the paper, but I will continue my work for other possible submissions.

2005.Apr-05
It is really terrific that my paper has been accepted by ACNS' 05, which is very competitive this year. Currently, I am completing another paper about automatic signature assemblers for intrusion detection.

2005.Mar-18
It is a really a tough job for writing such a paper within 10 days..:(

2005.Mar-03
My paper is accepted by 9th PAKDD with 14.6% acceptance ratio. That is a position paper for my research; the other things that follow from it should come naturally. Today, I have submitted my first Postdoctoral application materials. I expect that there will be a good result ultimately. This is my first chance to write a research proposal, and I do not know whether it meets the requirements...:)

2005.Feb-19
I have completed my research statement for my PostDoc application. If anybody knows news about postdoctoral position availability, please write to me via the above contact email. Thanks in advance.
Lunar Chinese New Year has just arrived, I wish you, Gong Xi Fa Cai, Happy Chinese New Year.

2005.Jan-10
I have attached to I2R for collaborative project in network security under the supervision of Dr. Jianying Zhou. This attachment will last 5 months. In this famous institute, there are many security guys, and they play a big role in the academic circle. Let's enjoy the time at I2R for more research fun...

2005.Jan-02
After happy Christmas, disastrous Tsunami in Southeast Asia, we have entered into the great 2005. Forget the past and face the future with confidence. I have gotten full preparation for everything in 2005. :)

2004.Dec-23
At last, I change my bio-clock again from US time to SG time.:) it is tiring period. Today, I submit one of my papers to a data mining conference, PAKDD. At the same time, I will begin to assess the intrusion detection techniques with a special technique from several aspects. Expecting that my metholody can be successful to assess most of intrusion detection techniques. If I can procceed much from now, I will submit one paper to CSFW hopefully. Another thing, I found there are some relations between trust and risk. I have cheated from several thousands singapore dollars within half a year due to my error sense that Singapore is trustworthy. Because I trust Singapore so much, my risk appears: several thousands singapore dollars cheated. Research is strongly related to our life..:)

2004.Dec-16
I have come back to Singapore after attending ACSAC, which was a good experience for my research. I got to know some guys in the security circle. At the same time, this experience strengthened my resolve to continue research in the security area. To achieve that, I want to find a PostDoc position in the network security area after completing my Ph.D degree in Sep-2005. If you have any information about such a PostDoc position, please let me know.

2004.Dec-1
I have added the journal rank and conference rank from National University of Singapore, version for year 2004. However, I found the rank for the security conference or journal is not so good. This is because it is a very general rank for every area.

2004.Nov-12
In the feedback for one of my papers, I found some improper comments, which made me consider something other than the research. Research is a discussion in which we encourage each other to produce terrific work or to achieve an improvement at every step. Finally, we achieve a common objective together: a breakthrough in each research area. I googled some knowledge about the comment and paste it here..

WHAT IS THE BASE RATE FALLACY :
The Base Rate Fallacy is the belief that probability rates are false. When presented with statistics about the population as a whole, people tend to ignore them and think about themselves as completely different entities. For example someone has the symptoms of a disease which takes two forms, both fatal, requiring two different medicines. Only one medicine can be taken and medicine A does not work for form B of the disease and medicine B does not work for form A of the disease. Form A of the disease occurs 10% of the time in the population whilst form B occurs 90% of the time. After taking an 80% reliable A/B test it says that this person has form A of the disease. Therefore this person is likely to take the treatment for form A of the disease despite a 20% chance that he could have form B and only 10% of people in the population have form A. This is because people are not concerned with statistics, they are concerned with themselves. (Taking the base rate into account, and assuming the test is 80% reliable for both forms, the probability of form A given this result is only 0.1 × 0.8 / (0.1 × 0.8 + 0.9 × 0.2) ≈ 31%, so form B is still the more likely one.)

People can learn base rate probabilities quicker through experience where-by a penalty is incurred each time they act in a certain way. For example if people were told that a fruit machine gave out a lot of money each time it was played on, they would probably think it was a lie and ignore the base rate. However if they had a go on it and won some money they are more likely to believe it and carry on playing. Therefore it can be wrong to ignore base rates.

2004.Nov-1
New layout of my website has been designed, please enjoy it..:)
Give me your suggestions here

11.28.2004

Excerpted from Usenix review

http://www.unixreview.com/documents/s=9233/ur0407m/

Nor did Wednesday's plenary speaker, Bruce Schneier.

Schneier began by remarking that this was an "interesting time for security." He went on to say that security is always a trade-off, and "there is no such thing as absolute security".

He pointed out that all security tradeoffs are subjective and that there is a difference between actual risk and perceived risk. Where perceived risk is concerned, Schneier said "there are two main culprits: the media and technology." (He feels that "if it's in the news, don't worry about it.")

Such items as ID cards, fingerprinting foreigners, etc., "are just not worth it." People and institutions have an "agenda" and the result is that "people in power ... make security decisions for non-security reasons."

The agenda is changed by government intervention, market forces, and social norms (like advertising or education). To Schneier, the most important element is to "keep trying to educate people."

11.24.2004

A good website for intrusion detection

http://www.secguru.com/index.php/content/category/6/145/115/

10.31.2004

Packet crafting for firewall and IDS products?

How to collect the audit trails and feed to firewall or IDS for analysis?

Here is a good paper about it.

http://www.securityfocus.com/infocus/1787
http://www.securityfocus.com/infocus/1791

Intrusion detection, honey pots

The following websites are useful for the intrusion detection primer...


http://www.honeypots.net/

10.25.2004

I am using w.bloggar

test

10.01.2004

Natural Scene....

Copyright reserved by Zhuowei LI

9.27.2004

Small Snail from Night Safari

Copyright reserved by Zhuowei LI

9.25.2004

I take it from my webcam tonight when test the hello tools to post the blogger information.

Copyright reserved by Zhuowei LI

I am completing my paper on MFS-MSS session, but as I will submit it to WITS, whose deadline is very near. I am a little worry about my work, I have to do it stay up tonight and tomorrow night..:)

Copyright reserved by Zhuowei LI


Night Safari at 15-Sep-2004 Posted by Hello

9.24.2004

Participating ACSAC

With the record of 3 rejected USA visa application at 2001, I feel lucky to get the visa to USA for participating ACSAC conference. Cheers....

9.23.2004

Intrusion Prevention Systems: Excerpted from security focus maillist

I have the impression that some of the alternatives to IPS you mentioned are actually part of the IPS technology arena. A strict definition of what intrusion prevention systems comprise does not exist, and as such the name in itself also applies to e.g. firewalls. There is a large market theatre in which different types of IPS technologies are currently being deployed, with varying degrees of success. Parts of the market have matured (network firewall solutions), while some are still considered "difficult" implementations (in-line protocol decoding and blocking/active response -- which most people consider IPS).

Some of the well known alternatives:
- Intrusion Detection with human response
In large networks, an often deployed technology at this time is implementation of intrusion detection technology (both host- and network based) in combination with 24hr response. Events are flagged by security engineers in real time, tickets are created and followed up as soon as possible by the necessary incident response personnel. Detection of events, in such case, is often outsourced to a service provider, so that the organization can focus on responding to the threats reported.

This is a very effective framework due to the fact that it can be used to trigger on both known (network IDS), and unknown (network anomaly detection, host IDS) attacks. Physical security principles dictate that not all attacks can be prevented in each specific situation. What is important, is that we detect when an attack takes place, and have the necessary capability to respond and eliminate the threat at hand. This is the main reason that even though bank doors have advanced locks, they still have systems which detect when the door opens outside of business hours.

- Host based exploit prevention (e.g. address space randomization, non-executable pages)
While the thought given to designing these solutions is often intense, they still tend to be easy to implement -- provided only a limited number of applications needs to be supported on them. Due to the fact that most of them change the reference monitor used to screen events, they do tend to decrease overall performance of a system. Logging is often non-existent or difficult to centralize, and most of the software solutions in this field have had a troubled youth (the initial version of stack protection on Windows 2003 was defeated fairly quickly, as well as many others). This type of software is usually very helpful in stopping stock exploits, but may not be as secure against an attacker with enough resources.

- Application Firewalls (e.g. DMZ/Shield, Interdo, Appshield)
One of my personal preferences. While I must admit that I work for a company which develops one of these solutions, application level filters have always been an effective method to scrub inbound traffic. When correctly configured, these tools can truly limit traffic for backend servers to those sessions which do not contain malicious content, or at least malicious content which will not affect those servers. Main issue here is that configuration requires in-depth knowledge of the protocols affected. When knowledge is lacking in this perspective, configuration will be less than ideal. As such, this type of technology should inherently be deployed in combination with a professional audit of the policies. For most protocols and applications, these solutions are scalable, as they can be combined with other load balancing solutions (e.g. content switches for HTTP, round-robin DNS for SMTP).

- Host based Firewalls
As most operating systems have built in packet filtering tools, these should actually be part of hardening methodologies for servers. However, they do not block any application level attacks, and deployment for client machines could prove difficult. Centralized policy management is a requirement, but not always feasible due to different LAN locations and differing connection patterns between hosts. This type of protection tends to scale really well on well-structured networks. Networks with large amounts of legacy operating systems are not commonly considered suitable implementation beds without some prior review and rationalization.

There is no one solution which meets all needs, and depending on the assets you are trying to protect, any or none of the above combinations may be sufficient. I do believe it is at all times important to make sure that each of the prevention, detection and response bases are covered. In order to protect our infrastructure, we initially need to prevent people from getting in (using IPS: firewalls for network border controls, application firewalls for application level screening). We also need to identify people who are trying to get in (usually solved with a combination of host- and network IDS). Last, but not least, we need to respond to any incidents which may still occur (incident response). IPS has its place in the incident lifecycle, but it should not be seen as a one-size-fits-all solution, if your assets are truly important to you.

To compare this to physical security: We need a good lock on our car to keep thieves out. We also need an alarm to tell us somebody is trying to get in, and we do pay taxes to have police available who can catch the car thieves and prevent similar thefts from occurring in the future (deterrence).

Cheers, Maarten

7.09.2004

USAID

I am developing and experimenting one technique on intrusion detection called USAID. It is so promising that it can give the answers to most problems related to intrusion detection.