winsiderss / systeminformer

A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. Brought to you by Winsider Seminars & Solutions, Inc. @ http://www.windows-internals.com
https://systeminformer.sourceforge.io
MIT License

Update the prototype of NtCreateIRTimer #2105

Closed elnx closed 4 days ago

elnx commented 1 week ago

According to my reverse engineering results, the pseudocode of the NtCreateIRTimer syscall is as follows:

NTSTATUS NtCreateIRTimer(PHANDLE TimerHandle, LPVOID Reserved, ACCESS_MASK DesiredAccess) {
  return NtCreateTimer2(TimerHandle, Reserved, 0, 2, DesiredAccess);
}
dmex commented 1 week ago

What parameters does this kernel have for NtCreateIRTimer?

ntoskrnl.zip


elnx commented 1 week ago

It looks like this syscall has a different prototype on different versions? I analyzed this syscall on a Win10 ntoskrnl. Maybe a version-determination macro is needed here.