Why does this c++ syntax with WINAPI mean?

Question

BOOL (WINAPI *ZTSQueryUserToken)(ULONG SessionId, PHANDLE phToken) = NULL;

To me it looks like a variable being created for a struct or something but I've never seen this type of syntax so can someone break it down for me?

Answer 1

WINAPI convention is usually used to call Win32 API functions.

WINAPI is simply __stdcall:

#define WINAPI __stdcall

The __stdcall calling convention has following characteristics in general:

• Passing arguments from right to left, and placed on the stack.
• Cleanup of Stack is performed by the called function (which is the main difference between __stdcalland __cdecl).
• The function name is prefixed with an underscore character and suffixed with a '@' character and the number of bytes of stack space it expects (it will clean this amount of bytes, so they must be there on the stack).

So leaving behind __stdcall, use the "Spiral Rule" to get

            +----------------------+
            |   +----------------+ |
            |   |                | |
            |   ^                | |
BOOL (WINAPI* ZTSQueryUserToken  ) ( ULONG SessionId, PHANDLE phToken) 
 ^          ^                    | |
 |          +--------------------+ |
 +---------------------------------+   

Thus, Identifier:

• ZTSQueryUserToken is a
• pointer to a (__stdcall) function having arguments of types ULONG and PHANDLE
• returning BOOL

And the pointer is assigned to NULL in your case.