Geoff Chappell - Software Analyst
SKETCH OF HOW RESEARCH MIGHT CONTINUE AND RESULTS BE PRESENTED
This function opens a memory partition.
NTSTATUS NtOpenPartition ( HANDLE *PartitionHandle, ULONG DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);
The PartitionHandle argument is the address of a variable that is to receive a handle to the opened partition.
The DesiredAccess argument is an access mask of generic, standard and specific rights that are wanted to the opened partition. The specific rights that are defined for partitions are MEMORY_PARTITION_QUERY_ACCESS (0x0001) and MEMORY_PARTITION_MODIFY_ACCESS (0x0002).
The ObjectAttributes argument specifies a name and other properties for the opened partition.
The function returns STATUS_SUCCESS if successful, else a negative error code.
The NtOpenPartition function and its alias ZwOpenPartition are exported by name from NTDLL in version 10.0 and higher. In kernel mode, ZwOpenPartition is a stub and NtOpenPartition is the implementation; neither is exported from the kernel until the 1607 release, which exports the stub.
Before Version 1703, the functions are in practice usable only in 64-bit Windows: they are exported in 32-bit Windows too, but the 32-bit kernel's implementation in the early versions of Windows 10 trivially returns STATUS_NOT_SUPPORTED.
Neither NtOpenPartition nor its alias is documented. As ZwOpenPartition, it is declared in a header named ZWAPI.H which Microsoft published, possibly by mistake, in the Windows Driver Kit (WDK) for the original and 1511 editions of Windows 10.
The specific access rights for partitions are defined symbolically in both WDM.H and WINNT.H from those same editions of the WDK, continuing up to and including Version 1703, and then they're gone.
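The following is an added example, not code from the page above: a user-mode caller that resolves NtOpenPartition from NTDLL at run time (the function is undocumented and has no import library in older SDKs), fills an OBJECT_ATTRIBUTES with a partition name, asks for the least access it needs, and classifies the result against the three availability cases the page describes. The object path "\KernelObjects\MemoryPartition0" for the system partition and the numeric NTSTATUS values are assumptions that the page does not state. The Windows-specific part is compiled only under _WIN32; the access-mask and status helpers are portable so that they can be exercised anywhere.

```c
/* Added example (not from the original page): open a memory partition by
 * calling the undocumented NtOpenPartition resolved at run time from NTDLL.
 * Assumptions not stated on the page: the object path
 * "\KernelObjects\MemoryPartition0" for the system partition, and the
 * numeric NTSTATUS values used below. The Windows-only part is compiled
 * only under _WIN32; the mask and status helpers are portable. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Specific rights for partitions, as given on the page (WDM.H/WINNT.H, 1507..1703). */
#define MEMORY_PARTITION_QUERY_ACCESS   0x0001u
#define MEMORY_PARTITION_MODIFY_ACCESS  0x0002u

/* NTSTATUS values (assumed standard values, not from the page). */
#define EX_STATUS_SUCCESS               ((int32_t)0x00000000)
#define EX_STATUS_NOT_SUPPORTED         ((int32_t)0xC00000BBu)
#define EX_STATUS_ENTRYPOINT_NOT_FOUND  ((int32_t)0xC0000139u)

/* NTSTATUS is a signed 32-bit value; the page's "negative error code" is
 * exactly the sign test that NT_SUCCESS performs. */
static int ex_nt_failed(int32_t status) { return status < 0; }

/* Split a DesiredAccess mask into the three classes named on the page:
 * generic rights (bits 28..31), standard rights (bits 16..20) and
 * object-specific rights (bits 0..15). Returns 0 when every specific bit is
 * one of the two partition rights, -1 if an undefined specific bit is set. */
static int ex_split_access(uint32_t mask, uint32_t *generic,
                           uint32_t *standard, uint32_t *specific) {
    const uint32_t known = MEMORY_PARTITION_QUERY_ACCESS | MEMORY_PARTITION_MODIFY_ACCESS;
    *generic  = mask & 0xF0000000u;
    *standard = mask & 0x001F0000u;
    *specific = mask & 0x0000FFFFu;
    return (*specific & ~known) ? -1 : 0;
}

/* Map an NtOpenPartition result onto the outcomes the page describes:
 * 0 opened, 1 kernel has no usable implementation (32-bit before 1703),
 * 2 NTDLL has no such export (before version 10.0), -1 any other failure. */
static int ex_classify(int32_t status) {
    if (!ex_nt_failed(status))                    return 0;
    if (status == EX_STATUS_NOT_SUPPORTED)        return 1;
    if (status == EX_STATUS_ENTRYPOINT_NOT_FOUND) return 2;
    return -1;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#include <wchar.h>

typedef NTSTATUS (NTAPI *ex_NtOpenPartition_t)(HANDLE *PartitionHandle,
                                               ACCESS_MASK DesiredAccess,
                                               POBJECT_ATTRIBUTES ObjectAttributes);

/* Resolve NtOpenPartition dynamically: it is absent from NTDLL before
 * version 10.0 and is not in the import libraries of older SDKs. */
static NTSTATUS ex_open_partition(const wchar_t *path, uint32_t access, HANDLE *out) {
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    ex_NtOpenPartition_t fn = ntdll
        ? (ex_NtOpenPartition_t)(void *)GetProcAddress(ntdll, "NtOpenPartition") : NULL;
    if (fn == NULL) return (NTSTATUS)EX_STATUS_ENTRYPOINT_NOT_FOUND;

    UNICODE_STRING name;            /* filled by hand to avoid linking ntdll.lib */
    name.Length        = (USHORT)(wcslen(path) * sizeof(wchar_t));
    name.MaximumLength = (USHORT)(name.Length + sizeof(wchar_t));
    name.Buffer        = (PWSTR)path;

    OBJECT_ATTRIBUTES oa;
    memset(&oa, 0, sizeof oa);
    oa.Length     = sizeof oa;
    oa.ObjectName = &name;
    oa.Attributes = 0x40;           /* OBJ_CASE_INSENSITIVE */

    *out = NULL;
    return fn(out, (ACCESS_MASK)access, &oa);
}

int main(void) {
    uint32_t g, s, p;
    uint32_t want = MEMORY_PARTITION_QUERY_ACCESS;   /* least privilege: query only */
    if (ex_split_access(want, &g, &s, &p) != 0) return 2;

    HANDLE h;
    NTSTATUS st = ex_open_partition(L"\\KernelObjects\\MemoryPartition0", want, &h);
    switch (ex_classify((int32_t)st)) {
    case 0:  printf("opened partition, handle %p\n", h); CloseHandle(h); break;
    case 1:  puts("STATUS_NOT_SUPPORTED: 32-bit kernel before 1703"); break;
    case 2:  puts("NtOpenPartition not exported: NTDLL before 10.0"); break;
    default: printf("NtOpenPartition failed: 0x%08lX\n", (unsigned long)st); break;
    }
    return 0;
}
#endif
```

Requesting only MEMORY_PARTITION_QUERY_ACCESS keeps the handle to the least right the caller needs; MEMORY_PARTITION_MODIFY_ACCESS should be added only when a subsequent operation actually requires it. Checking the returned status for STATUS_NOT_SUPPORTED rather than treating every failure alike is what distinguishes "this 32-bit kernel has no implementation" from a genuine access or name failure.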