qwqdanchun
/
ReBeacon_Src
mirror of https://github.com/qwqdanchun/ReBeacon_Src.git
1
0
Fork 1
Code Issues Projects Releases Wiki Activity
ReBeacon_Src/include/Veil/Veil/Veil.System.Process.h

4036 lines
113 KiB
C
Raw Blame History

/*
* PROJECT: Veil
* FILE: Veil.h
* PURPOSE: Definition for the Windows Internal API from ntdll.dll,
* samlib.dll and winsta.dll
*
* LICENSE: Relicensed under The MIT License from The CC BY 4.0 License
*
* DEVELOPER: MiroKaku (50670906+MiroKaku@users.noreply.github.com)
*/
/*
* PROJECT: Mouri's Internal NT API Collections (MINT)
* FILE: MINT.h
* PURPOSE: Definition for the Windows Internal API from ntdll.dll,
* samlib.dll and winsta.dll
*
* LICENSE: Relicensed under The MIT License from The CC BY 4.0 License
*
* DEVELOPER: Mouri_Naruto (Mouri_Naruto AT Outlook.com)
*/
/*
* This file is part of the Process Hacker project - https://processhacker.sf.io/
*
* You can redistribute this file and/or modify it under the terms of the
* Attribution 4.0 International (CC BY 4.0) license.
*
* You must give appropriate credit, provide a link to the license, and
* indicate if changes were made. You may do so in any reasonable manner, but
* not in any way that suggests the licensor endorses you or your use.
*/
#pragma once
// Warnings which disabled for compiling
#if _MSC_VER >= 1200
#pragma warning(push)
// nonstandard extension used : nameless struct/union
#pragma warning(disable:4201)
// 'struct_name' : structure was padded due to __declspec(align())
#pragma warning(disable:4324)
// 'enumeration': a forward declaration of an unscoped enumeration must have an
// underlying type (int assumed)
#pragma warning(disable:4471)
#endif
VEIL_BEGIN()
#ifdef _KERNEL_MODE
#define PROCESS_TERMINATE 0x0001
#define PROCESS_CREATE_THREAD 0x0002
#define PROCESS_SET_SESSIONID 0x0004
#define PROCESS_VM_OPERATION 0x0008
#define PROCESS_VM_READ 0x0010
#define PROCESS_VM_WRITE 0x0020
#define PROCESS_CREATE_PROCESS 0x0080
#define PROCESS_SET_QUOTA 0x0100
#define PROCESS_SET_INFORMATION 0x0200
#define PROCESS_QUERY_INFORMATION 0x0400
#define PROCESS_SET_PORT 0x0800
#define PROCESS_SUSPEND_RESUME 0x0800
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
#else
#ifndef PROCESS_SET_PORT
#define PROCESS_SET_PORT 0x0800
#endif
#endif
#ifdef _KERNEL_MODE
#define THREAD_QUERY_INFORMATION 0x0040
#define THREAD_SET_THREAD_TOKEN 0x0080
#define THREAD_IMPERSONATE 0x0100
#define THREAD_DIRECT_IMPERSONATION 0x0200
#else
#ifndef THREAD_ALERT
#define THREAD_ALERT 0x0004
#endif
#endif
#ifdef _KERNEL_MODE
#define JOB_OBJECT_ASSIGN_PROCESS 0x0001
#define JOB_OBJECT_SET_ATTRIBUTES 0x0002
#define JOB_OBJECT_QUERY 0x0004
#define JOB_OBJECT_TERMINATE 0x0008
#define JOB_OBJECT_SET_SECURITY_ATTRIBUTES 0x0010
#define JOB_OBJECT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3F)
#endif
#define GDI_HANDLE_BUFFER_SIZE32 34
#define GDI_HANDLE_BUFFER_SIZE64 60
#ifndef _WIN64
#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32
#else
#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE64
#endif
typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE];
typedef ULONG GDI_HANDLE_BUFFER32[GDI_HANDLE_BUFFER_SIZE32];
typedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64];
#ifndef FLS_MAXIMUM_AVAILABLE
#define FLS_MAXIMUM_AVAILABLE 128
#endif
#ifndef TLS_MINIMUM_AVAILABLE
#define TLS_MINIMUM_AVAILABLE 64
#endif
#ifndef TLS_EXPANSION_SLOTS
#define TLS_EXPANSION_SLOTS 1024
#endif
// symbols
typedef struct _PEB_LDR_DATA
{
ULONG Length;
BOOLEAN Initialized;
HANDLE SsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID EntryInProgress;
BOOLEAN ShutdownInProgress;
HANDLE ShutdownThreadId;
} PEB_LDR_DATA, * PPEB_LDR_DATA;
typedef struct _INITIAL_TEB
{
struct
{
PVOID OldStackBase;
PVOID OldStackLimit;
} OldInitialTeb;
PVOID StackBase;
PVOID StackLimit;
PVOID StackAllocationBase;
} INITIAL_TEB, * PINITIAL_TEB;
typedef struct _RTL_USER_PROCESS_PARAMETERS* PRTL_USER_PROCESS_PARAMETERS;
typedef struct _RTL_CRITICAL_SECTION* PRTL_CRITICAL_SECTION;
// private
typedef struct _ACTIVATION_CONTEXT_STACK
{
struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* ActiveFrame;
LIST_ENTRY FrameListCache;
ULONG Flags;
ULONG NextCookieSequenceNumber;
ULONG StackId;
} ACTIVATION_CONTEXT_STACK, * PACTIVATION_CONTEXT_STACK;
// private
typedef struct _API_SET_NAMESPACE
{
ULONG Version;
ULONG Size;
ULONG Flags;
ULONG Count;
ULONG EntryOffset;
ULONG HashOffset;
ULONG HashFactor;
} API_SET_NAMESPACE, * PAPI_SET_NAMESPACE;
// private
typedef struct _API_SET_HASH_ENTRY
{
ULONG Hash;
ULONG Index;
} API_SET_HASH_ENTRY, * PAPI_SET_HASH_ENTRY;
// private
typedef struct _API_SET_NAMESPACE_ENTRY
{
ULONG Flags;
ULONG NameOffset;
ULONG NameLength;
ULONG HashedLength;
ULONG ValueOffset;
ULONG ValueCount;
} API_SET_NAMESPACE_ENTRY, * PAPI_SET_NAMESPACE_ENTRY;
// private
typedef struct _API_SET_VALUE_ENTRY
{
ULONG Flags;
ULONG NameOffset;
ULONG NameLength;
ULONG ValueOffset;
ULONG ValueLength;
} API_SET_VALUE_ENTRY, * PAPI_SET_VALUE_ENTRY;
// symbols
typedef struct _PEB
{
BOOLEAN InheritedAddressSpace;
BOOLEAN ReadImageFileExecOptions;
BOOLEAN BeingDebugged;
union
{
BOOLEAN BitField;
struct
{
BOOLEAN ImageUsesLargePages : 1;
BOOLEAN IsProtectedProcess : 1;
BOOLEAN IsImageDynamicallyRelocated : 1;
BOOLEAN SkipPatchingUser32Forwarders : 1;
BOOLEAN IsPackagedProcess : 1;
BOOLEAN IsAppContainer : 1;
BOOLEAN IsProtectedProcessLight : 1;
BOOLEAN IsLongPathAwareProcess : 1;
};
};
HANDLE Mutant;
PVOID ImageBaseAddress;
PPEB_LDR_DATA Ldr;
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
PVOID SubSystemData;
PVOID ProcessHeap;
PRTL_CRITICAL_SECTION FastPebLock;
PSLIST_HEADER AtlThunkSListPtr;
PVOID IFEOKey;
union
{
ULONG CrossProcessFlags;
struct
{
ULONG ProcessInJob : 1;
ULONG ProcessInitializing : 1;
ULONG ProcessUsingVEH : 1;
ULONG ProcessUsingVCH : 1;
ULONG ProcessUsingFTH : 1;
ULONG ProcessPreviouslyThrottled : 1;
ULONG ProcessCurrentlyThrottled : 1;
ULONG ProcessImagesHotPatched : 1; // REDSTONE5
ULONG ReservedBits0 : 24;
};
};
union
{
PVOID KernelCallbackTable;
PVOID UserSharedInfoPtr;
};
ULONG SystemReserved;
ULONG AtlThunkSListPtr32;
PAPI_SET_NAMESPACE ApiSetMap;
ULONG TlsExpansionCounter;
PVOID TlsBitmap;
ULONG TlsBitmapBits[2];
PVOID ReadOnlySharedMemoryBase;
PVOID SharedData; // HotpatchInformation
PVOID* ReadOnlyStaticServerData;
PVOID AnsiCodePageData; // PCPTABLEINFO
PVOID OemCodePageData; // PCPTABLEINFO
PVOID UnicodeCaseTableData; // PNLSTABLEINFO
ULONG NumberOfProcessors;
ULONG NtGlobalFlag;
ULARGE_INTEGER CriticalSectionTimeout;
SIZE_T HeapSegmentReserve;
SIZE_T HeapSegmentCommit;
SIZE_T HeapDeCommitTotalFreeThreshold;
SIZE_T HeapDeCommitFreeBlockThreshold;
ULONG NumberOfHeaps;
ULONG MaximumNumberOfHeaps;
PVOID* ProcessHeaps; // PHEAP
PVOID GdiSharedHandleTable;
PVOID ProcessStarterHelper;
ULONG GdiDCAttributeList;
PRTL_CRITICAL_SECTION LoaderLock;
ULONG OSMajorVersion;
ULONG OSMinorVersion;
USHORT OSBuildNumber;
USHORT OSCSDVersion;
ULONG OSPlatformId;
ULONG ImageSubsystem;
ULONG ImageSubsystemMajorVersion;
ULONG ImageSubsystemMinorVersion;
ULONG_PTR ActiveProcessAffinityMask;
GDI_HANDLE_BUFFER GdiHandleBuffer;
PVOID PostProcessInitRoutine;
PVOID TlsExpansionBitmap;
ULONG TlsExpansionBitmapBits[32];
ULONG SessionId;
ULARGE_INTEGER AppCompatFlags;
ULARGE_INTEGER AppCompatFlagsUser;
PVOID pShimData;
PVOID AppCompatInfo; // APPCOMPAT_EXE_DATA
UNICODE_STRING CSDVersion;
PVOID ActivationContextData; // ACTIVATION_CONTEXT_DATA
PVOID ProcessAssemblyStorageMap; // ASSEMBLY_STORAGE_MAP
PVOID SystemDefaultActivationContextData; // ACTIVATION_CONTEXT_DATA
PVOID SystemAssemblyStorageMap; // ASSEMBLY_STORAGE_MAP
SIZE_T MinimumStackCommit;
PVOID SparePointers[4]; // 19H1 (previously FlsCallback to FlsHighIndex)
ULONG SpareUlongs[5]; // 19H1
//PVOID* FlsCallback;
//LIST_ENTRY FlsListHead;
//PVOID FlsBitmap;
//ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)];
//ULONG FlsHighIndex;
PVOID WerRegistrationData;
PVOID WerShipAssertPtr;
union
{
PVOID pContextData; // WIN7
PVOID pUnused; // WIN10
PVOID EcCodeBitMap; // WIN11
};
PVOID pImageHeaderHash;
union
{
ULONG TracingFlags;
struct
{
ULONG HeapTracingEnabled : 1;
ULONG CritSecTracingEnabled : 1;
ULONG LibLoaderTracingEnabled : 1;
ULONG SpareTracingBits : 29;
};
};
ULONGLONG CsrServerReadOnlySharedMemoryBase;
PRTL_CRITICAL_SECTION TppWorkerpListLock;
LIST_ENTRY TppWorkerpList;
PVOID WaitOnAddressHashTable[128];
PVOID TelemetryCoverageHeader; // REDSTONE3
ULONG CloudFileFlags;
ULONG CloudFileDiagFlags; // REDSTONE4
CHAR PlaceholderCompatibilityMode;
CHAR PlaceholderCompatibilityModeReserved[7];
struct _LEAP_SECOND_DATA* LeapSecondData; // REDSTONE5
union
{
ULONG LeapSecondFlags;
struct
{
ULONG SixtySecondEnabled : 1;
ULONG Reserved : 31;
};
};
ULONG NtGlobalFlag2;
} PEB, * PPEB;
#ifdef _WIN64
C_ASSERT(FIELD_OFFSET(PEB, SessionId) == 0x2C0);
//C_ASSERT(sizeof(PEB) == 0x7B0); // REDSTONE3
//C_ASSERT(sizeof(PEB) == 0x7B8); // REDSTONE4
C_ASSERT(sizeof(PEB) == 0x7C8); // REDSTONE5 // 19H1
#else
C_ASSERT(FIELD_OFFSET(PEB, SessionId) == 0x1D4);
//C_ASSERT(sizeof(PEB) == 0x468); // REDSTONE3
//C_ASSERT(sizeof(PEB) == 0x470); // REDSTONE4
C_ASSERT(sizeof(PEB) == 0x480); // REDSTONE5 // 19H1
#endif
#define GDI_BATCH_BUFFER_SIZE 310
typedef struct _GDI_TEB_BATCH
{
ULONG Offset;
ULONG_PTR HDC;
ULONG Buffer[GDI_BATCH_BUFFER_SIZE];
} GDI_TEB_BATCH, * PGDI_TEB_BATCH;
typedef struct _TEB_ACTIVE_FRAME_CONTEXT
{
ULONG Flags;
PSTR FrameName;
} TEB_ACTIVE_FRAME_CONTEXT, * PTEB_ACTIVE_FRAME_CONTEXT;
typedef struct _TEB_ACTIVE_FRAME
{
ULONG Flags;
struct _TEB_ACTIVE_FRAME* Previous;
PTEB_ACTIVE_FRAME_CONTEXT Context;
} TEB_ACTIVE_FRAME, * PTEB_ACTIVE_FRAME;
typedef struct _TEB
{
NT_TIB NtTib;
PVOID EnvironmentPointer;
CLIENT_ID ClientId;
PVOID ActiveRpcHandle;
PVOID ThreadLocalStoragePointer;
PPEB ProcessEnvironmentBlock;
ULONG LastErrorValue;
ULONG CountOfOwnedCriticalSections;
PVOID CsrClientThread;
PVOID Win32ThreadInfo;
ULONG User32Reserved[26];
ULONG UserReserved[5];
PVOID WOW32Reserved;
LCID CurrentLocale;
ULONG FpSoftwareStatusRegister;
PVOID ReservedForDebuggerInstrumentation[16];
#ifdef _WIN64
PVOID SystemReserved1[30];
#else
PVOID SystemReserved1[26];
#endif
CHAR PlaceholderCompatibilityMode;
BOOLEAN PlaceholderHydrationAlwaysExplicit;
CHAR PlaceholderReserved[10];
ULONG ProxiedProcessId;
ACTIVATION_CONTEXT_STACK ActivationStack;
UCHAR WorkingOnBehalfTicket[8];
NTSTATUS ExceptionCode;
PACTIVATION_CONTEXT_STACK ActivationContextStackPointer;
ULONG_PTR InstrumentationCallbackSp;
ULONG_PTR InstrumentationCallbackPreviousPc;
ULONG_PTR InstrumentationCallbackPreviousSp;
#ifdef _WIN64
ULONG TxFsContext;
#endif
BOOLEAN InstrumentationCallbackDisabled;
#ifdef _WIN64
BOOLEAN UnalignedLoadStoreExceptions;
#endif
#ifndef _WIN64
UCHAR SpareBytes[23];
ULONG TxFsContext;
#endif
GDI_TEB_BATCH GdiTebBatch;
CLIENT_ID RealClientId;
HANDLE GdiCachedProcessHandle;
ULONG GdiClientPID;
ULONG GdiClientTID;
PVOID GdiThreadLocalInfo;
ULONG_PTR Win32ClientInfo[62];
PVOID glDispatchTable[233];
ULONG_PTR glReserved1[29];
PVOID glReserved2;
PVOID glSectionInfo;
PVOID glSection;
PVOID glTable;
PVOID glCurrentRC;
PVOID glContext;
NTSTATUS LastStatusValue;
UNICODE_STRING StaticUnicodeString;
WCHAR StaticUnicodeBuffer[261];
PVOID DeallocationStack;
PVOID TlsSlots[64];
LIST_ENTRY TlsLinks;
PVOID Vdm;
PVOID ReservedForNtRpc;
PVOID DbgSsReserved[2];
ULONG HardErrorMode;
#ifdef _WIN64
PVOID Instrumentation[11];
#else
PVOID Instrumentation[9];
#endif
GUID ActivityId;
PVOID SubProcessTag;
PVOID PerflibData;
PVOID EtwTraceData;
PVOID WinSockData;
ULONG GdiBatchCount;
union
{
PROCESSOR_NUMBER CurrentIdealProcessor;
ULONG IdealProcessorValue;
struct
{
UCHAR ReservedPad0;
UCHAR ReservedPad1;
UCHAR ReservedPad2;
UCHAR IdealProcessor;
};
};
ULONG GuaranteedStackBytes;
PVOID ReservedForPerf;
PVOID ReservedForOle;
ULONG WaitingOnLoaderLock;
PVOID SavedPriorityState;
ULONG_PTR ReservedForCodeCoverage;
PVOID ThreadPoolData;
PVOID* TlsExpansionSlots;
#ifdef _WIN64
PVOID DeallocationBStore;
PVOID BStoreLimit;
#endif
ULONG MuiGeneration;
ULONG IsImpersonating;
PVOID NlsCache;
PVOID pShimData;
ULONG HeapData;
HANDLE CurrentTransactionHandle;
PTEB_ACTIVE_FRAME ActiveFrame;
PVOID FlsData;
PVOID PreferredLanguages;
PVOID UserPrefLanguages;
PVOID MergedPrefLanguages;
ULONG MuiImpersonation;
union
{
USHORT CrossTebFlags;
USHORT SpareCrossTebBits : 16;
};
union
{
USHORT SameTebFlags;
struct
{
USHORT SafeThunkCall : 1;
USHORT InDebugPrint : 1;
USHORT HasFiberData : 1;
USHORT SkipThreadAttach : 1;
USHORT WerInShipAssertCode : 1;
USHORT RanProcessInit : 1;
USHORT ClonedThread : 1;
USHORT SuppressDebugMsg : 1;
USHORT DisableUserStackWalk : 1;
USHORT RtlExceptionAttached : 1;
USHORT InitialThread : 1;
USHORT SessionAware : 1;
USHORT LoadOwner : 1;
USHORT LoaderWorker : 1;
USHORT SkipLoaderInit : 1;
USHORT SkipFileAPIBrokering : 1;
};
};
PVOID TxnScopeEnterCallback;
PVOID TxnScopeExitCallback;
PVOID TxnScopeContext;
ULONG LockCount;
LONG WowTebOffset;
PVOID ResourceRetValue;
PVOID ReservedForWdf;
ULONGLONG ReservedForCrt;
GUID EffectiveContainerId;
ULONGLONG LastSleepCounter; // Win11
ULONG SpinCallCount;
ULONGLONG ExtendedFeatureDisableMask;
} TEB, * PTEB;
typedef struct _WOW64_PROCESS
{
PVOID Wow64;
} WOW64_PROCESS, * PWOW64_PROCESS;
#ifndef _KERNEL_MODE
//
// Process Information Classes
//
typedef enum _PROCESSINFOCLASS
{
ProcessBasicInformation, // q: PROCESS_BASIC_INFORMATION, PROCESS_EXTENDED_BASIC_INFORMATION
ProcessQuotaLimits, // qs: QUOTA_LIMITS, QUOTA_LIMITS_EX
ProcessIoCounters, // q: IO_COUNTERS
ProcessVmCounters, // q: VM_COUNTERS, VM_COUNTERS_EX, VM_COUNTERS_EX2
ProcessTimes, // q: KERNEL_USER_TIMES
ProcessBasePriority, // s: KPRIORITY
ProcessRaisePriority, // s: ULONG
ProcessDebugPort, // q: HANDLE
ProcessExceptionPort, // s: PROCESS_EXCEPTION_PORT
ProcessAccessToken, // s: PROCESS_ACCESS_TOKEN
ProcessLdtInformation, // qs: PROCESS_LDT_INFORMATION // 10
ProcessLdtSize, // s: PROCESS_LDT_SIZE
ProcessDefaultHardErrorMode, // qs: ULONG
ProcessIoPortHandlers, // (kernel-mode only) // PROCESS_IO_PORT_HANDLER_INFORMATION
ProcessPooledUsageAndLimits, // q: POOLED_USAGE_AND_LIMITS
ProcessWorkingSetWatch, // q: PROCESS_WS_WATCH_INFORMATION[]; s: void
ProcessUserModeIOPL, // qs: ULONG (requires SeTcbPrivilege)
ProcessEnableAlignmentFaultFixup, // s: BOOLEAN
ProcessPriorityClass, // qs: PROCESS_PRIORITY_CLASS
ProcessWx86Information, // qs: ULONG (requires SeTcbPrivilege) (VdmAllowed)
ProcessHandleCount, // q: ULONG, PROCESS_HANDLE_INFORMATION // 20
ProcessAffinityMask, // s: KAFFINITY
ProcessPriorityBoost, // qs: ULONG
ProcessDeviceMap, // qs: PROCESS_DEVICEMAP_INFORMATION, PROCESS_DEVICEMAP_INFORMATION_EX
ProcessSessionInformation, // q: PROCESS_SESSION_INFORMATION
ProcessForegroundInformation, // s: PROCESS_FOREGROUND_BACKGROUND
ProcessWow64Information, // q: ULONG_PTR
ProcessImageFileName, // q: UNICODE_STRING
ProcessLUIDDeviceMapsEnabled, // q: ULONG
ProcessBreakOnTermination, // qs: ULONG
ProcessDebugObjectHandle, // q: HANDLE // 30
ProcessDebugFlags, // qs: ULONG
ProcessHandleTracing, // q: PROCESS_HANDLE_TRACING_QUERY; s: size 0 disables, otherwise enables
ProcessIoPriority, // qs: IO_PRIORITY_HINT
ProcessExecuteFlags, // qs: ULONG
ProcessTlsInformation, // PROCESS_TLS_INFORMATION // ProcessResourceManagement
ProcessCookie, // q: ULONG
ProcessImageInformation, // q: SECTION_IMAGE_INFORMATION
ProcessCycleTime, // q: PROCESS_CYCLE_TIME_INFORMATION // since VISTA
ProcessPagePriority, // q: PAGE_PRIORITY_INFORMATION
ProcessInstrumentationCallback, // s: PVOID or PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION // 40
ProcessThreadStackAllocation, // s: PROCESS_STACK_ALLOCATION_INFORMATION, PROCESS_STACK_ALLOCATION_INFORMATION_EX
ProcessWorkingSetWatchEx, // q: PROCESS_WS_WATCH_INFORMATION_EX[]
ProcessImageFileNameWin32, // q: UNICODE_STRING
ProcessImageFileMapping, // q: HANDLE (input)
ProcessAffinityUpdateMode, // qs: PROCESS_AFFINITY_UPDATE_MODE
ProcessMemoryAllocationMode, // qs: PROCESS_MEMORY_ALLOCATION_MODE
ProcessGroupInformation, // q: USHORT[]
ProcessTokenVirtualizationEnabled, // s: ULONG
ProcessConsoleHostProcess, // q: ULONG_PTR // ProcessOwnerInformation
ProcessWindowInformation, // q: PROCESS_WINDOW_INFORMATION // 50
ProcessHandleInformation, // q: PROCESS_HANDLE_SNAPSHOT_INFORMATION // since WIN8
ProcessMitigationPolicy, // s: PROCESS_MITIGATION_POLICY_INFORMATION
ProcessDynamicFunctionTableInformation,
ProcessHandleCheckingMode, // qs: ULONG; s: 0 disables, otherwise enables
ProcessKeepAliveCount, // q: PROCESS_KEEPALIVE_COUNT_INFORMATION
ProcessRevokeFileHandles, // s: PROCESS_REVOKE_FILE_HANDLES_INFORMATION
ProcessWorkingSetControl, // s: PROCESS_WORKING_SET_CONTROL
ProcessHandleTable, // q: ULONG[] // since WINBLUE
ProcessCheckStackExtentsMode, // qs: ULONG // KPROCESS->CheckStackExtents (CFG)
ProcessCommandLineInformation, // q: UNICODE_STRING // 60
ProcessProtectionInformation, // q: PS_PROTECTION
ProcessMemoryExhaustion, // PROCESS_MEMORY_EXHAUSTION_INFO // since THRESHOLD
ProcessFaultInformation, // PROCESS_FAULT_INFORMATION
ProcessTelemetryIdInformation, // q: PROCESS_TELEMETRY_ID_INFORMATION
ProcessCommitReleaseInformation, // PROCESS_COMMIT_RELEASE_INFORMATION
ProcessDefaultCpuSetsInformation,
ProcessAllowedCpuSetsInformation,
ProcessSubsystemProcess,
ProcessJobMemoryInformation, // q: PROCESS_JOB_MEMORY_INFO
ProcessInPrivate, // s: void // ETW // since THRESHOLD2 // 70
ProcessRaiseUMExceptionOnInvalidHandleClose, // qs: ULONG; s: 0 disables, otherwise enables
ProcessIumChallengeResponse,
ProcessChildProcessInformation, // q: PROCESS_CHILD_PROCESS_INFORMATION
ProcessHighGraphicsPriorityInformation, // qs: BOOLEAN (requires SeTcbPrivilege)
ProcessSubsystemInformation, // q: SUBSYSTEM_INFORMATION_TYPE // since REDSTONE2
ProcessEnergyValues, // q: PROCESS_ENERGY_VALUES, PROCESS_EXTENDED_ENERGY_VALUES
ProcessPowerThrottlingState, // qs: POWER_THROTTLING_PROCESS_STATE
ProcessReserved3Information, // ProcessActivityThrottlePolicy // PROCESS_ACTIVITY_THROTTLE_POLICY
ProcessWin32kSyscallFilterInformation, // q: WIN32K_SYSCALL_FILTER
ProcessDisableSystemAllowedCpuSets, // 80
ProcessWakeInformation, // PROCESS_WAKE_INFORMATION
ProcessEnergyTrackingState, // PROCESS_ENERGY_TRACKING_STATE
ProcessManageWritesToExecutableMemory, // MANAGE_WRITES_TO_EXECUTABLE_MEMORY // since REDSTONE3
ProcessCaptureTrustletLiveDump,
ProcessTelemetryCoverage,
ProcessEnclaveInformation,
ProcessEnableReadWriteVmLogging, // PROCESS_READWRITEVM_LOGGING_INFORMATION
ProcessUptimeInformation, // q: PROCESS_UPTIME_INFORMATION
ProcessImageSection, // q: HANDLE
ProcessDebugAuthInformation, // since REDSTONE4 // 90
ProcessSystemResourceManagement, // PROCESS_SYSTEM_RESOURCE_MANAGEMENT
ProcessSequenceNumber, // q: ULONGLONG
ProcessLoaderDetour, // since REDSTONE5
ProcessSecurityDomainInformation, // PROCESS_SECURITY_DOMAIN_INFORMATION
ProcessCombineSecurityDomainsInformation, // PROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION
ProcessEnableLogging, // PROCESS_LOGGING_INFORMATION
ProcessLeapSecondInformation, // PROCESS_LEAP_SECOND_INFORMATION
ProcessFiberShadowStackAllocation, // PROCESS_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION // since 19H1
ProcessFreeFiberShadowStackAllocation, // PROCESS_FREE_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION
ProcessAltSystemCallInformation, // qs: BOOLEAN (kernel-mode only) // INT2E // since 20H1 // 100
ProcessDynamicEHContinuationTargets, // PROCESS_DYNAMIC_EH_CONTINUATION_TARGETS_INFORMATION
ProcessDynamicEnforcedCetCompatibleRanges, // PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE_INFORMATION // since 20H2
ProcessCreateStateChange, // since WIN11
ProcessApplyStateChange,
ProcessEnableOptionalXStateFeatures,
ProcessAltPrefetchParam, // since 22H1
ProcessAssignCpuPartitions,
ProcessPriorityClassEx,
ProcessMembershipInformation,
ProcessEffectiveIoPriority,
ProcessEffectivePagePriority,
MaxProcessInfoClass
} PROCESSINFOCLASS;
//
// Thread Information Classes
//
typedef enum _THREADINFOCLASS
{
ThreadBasicInformation, // q: THREAD_BASIC_INFORMATION
ThreadTimes, // q: KERNEL_USER_TIMES
ThreadPriority, // s: KPRIORITY (requires SeIncreaseBasePriorityPrivilege)
ThreadBasePriority, // s: LONG
ThreadAffinityMask, // s: KAFFINITY
ThreadImpersonationToken, // s: HANDLE
ThreadDescriptorTableEntry, // q: DESCRIPTOR_TABLE_ENTRY (or WOW64_DESCRIPTOR_TABLE_ENTRY)
ThreadEnableAlignmentFaultFixup, // s: BOOLEAN
ThreadEventPair,
ThreadQuerySetWin32StartAddress, // q: ULONG_PTR
ThreadZeroTlsCell, // s: ULONG // TlsIndex // 10
ThreadPerformanceCount, // q: LARGE_INTEGER
ThreadAmILastThread, // q: ULONG
ThreadIdealProcessor, // s: ULONG
ThreadPriorityBoost, // qs: ULONG
ThreadSetTlsArrayAddress, // s: ULONG_PTR
ThreadIsIoPending, // q: ULONG
ThreadHideFromDebugger, // q: BOOLEAN; s: void
ThreadBreakOnTermination, // qs: ULONG
ThreadSwitchLegacyState, // s: void // NtCurrentThread // NPX/FPU
ThreadIsTerminated, // q: ULONG // 20
ThreadLastSystemCall, // q: THREAD_LAST_SYSCALL_INFORMATION
ThreadIoPriority, // qs: IO_PRIORITY_HINT (requires SeIncreaseBasePriorityPrivilege)
ThreadCycleTime, // q: THREAD_CYCLE_TIME_INFORMATION
ThreadPagePriority, // q: ULONG
ThreadActualBasePriority, // s: LONG (requires SeIncreaseBasePriorityPrivilege)
ThreadTebInformation, // q: THREAD_TEB_INFORMATION (requires THREAD_GET_CONTEXT + THREAD_SET_CONTEXT)
ThreadCSwitchMon,
ThreadCSwitchPmu,
ThreadWow64Context, // qs: WOW64_CONTEXT
ThreadGroupInformation, // q: GROUP_AFFINITY // 30
ThreadUmsInformation, // q: THREAD_UMS_INFORMATION
ThreadCounterProfiling, // q: BOOLEAN; s: THREAD_PROFILING_INFORMATION?
ThreadIdealProcessorEx, // q: PROCESSOR_NUMBER
ThreadCpuAccountingInformation, // q: BOOLEAN; s: HANDLE (NtOpenSession) // NtCurrentThread // since WIN8
ThreadSuspendCount, // q: ULONG // since WINBLUE
ThreadHeterogeneousCpuPolicy, // q: KHETERO_CPU_POLICY // since THRESHOLD
ThreadContainerId, // q: GUID
ThreadNameInformation, // qs: THREAD_NAME_INFORMATION
ThreadSelectedCpuSets,
ThreadSystemThreadInformation, // q: SYSTEM_THREAD_INFORMATION // 40
ThreadActualGroupAffinity, // q: GROUP_AFFINITY // since THRESHOLD2
ThreadDynamicCodePolicyInfo, // q: ULONG; s: ULONG (NtCurrentThread)
ThreadExplicitCaseSensitivity, // qs: ULONG; s: 0 disables, otherwise enables
ThreadWorkOnBehalfTicket, // RTL_WORK_ON_BEHALF_TICKET_EX
ThreadSubsystemInformation, // q: SUBSYSTEM_INFORMATION_TYPE // since REDSTONE2
ThreadDbgkWerReportActive, // s: ULONG; s: 0 disables, otherwise enables
ThreadAttachContainer, // s: HANDLE (job object) // NtCurrentThread
ThreadManageWritesToExecutableMemory, // MANAGE_WRITES_TO_EXECUTABLE_MEMORY // since REDSTONE3
ThreadPowerThrottlingState, // POWER_THROTTLING_THREAD_STATE
ThreadWorkloadClass, // THREAD_WORKLOAD_CLASS // since REDSTONE5 // 50
ThreadCreateStateChange, // since WIN11
ThreadApplyStateChange,
ThreadStrongerBadHandleChecks, // since 22H1
ThreadEffectiveIoPriority,
ThreadEffectivePagePriority,
MaxThreadInfoClass
} THREADINFOCLASS;
#endif // !_KERNEL_MODE
#ifndef _KERNEL_MODE
// Use with both ProcessPagePriority and ThreadPagePriority
typedef struct _PAGE_PRIORITY_INFORMATION
{
ULONG PagePriority;
} PAGE_PRIORITY_INFORMATION, * PPAGE_PRIORITY_INFORMATION;
//
// Process information structures
//
typedef struct _PROCESS_BASIC_INFORMATION
{
NTSTATUS ExitStatus;
PPEB PebBaseAddress;
ULONG_PTR AffinityMask;
KPRIORITY BasePriority;
HANDLE UniqueProcessId;
HANDLE InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION, * PPROCESS_BASIC_INFORMATION;
typedef struct _PROCESS_EXTENDED_BASIC_INFORMATION
{
SIZE_T Size; // set to sizeof structure on input
PROCESS_BASIC_INFORMATION BasicInfo;
union
{
ULONG Flags;
struct
{
ULONG IsProtectedProcess : 1;
ULONG IsWow64Process : 1;
ULONG IsProcessDeleting : 1;
ULONG IsCrossSessionCreate : 1;
ULONG IsFrozen : 1;
ULONG IsBackground : 1;
ULONG IsStronglyNamed : 1;
ULONG IsSecureProcess : 1;
ULONG IsSubsystemProcess : 1;
ULONG SpareBits : 23;
};
};
} PROCESS_EXTENDED_BASIC_INFORMATION, * PPROCESS_EXTENDED_BASIC_INFORMATION;
typedef struct _VM_COUNTERS
{
SIZE_T PeakVirtualSize;
SIZE_T VirtualSize;
ULONG PageFaultCount;
SIZE_T PeakWorkingSetSize;
SIZE_T WorkingSetSize;
SIZE_T QuotaPeakPagedPoolUsage;
SIZE_T QuotaPagedPoolUsage;
SIZE_T QuotaPeakNonPagedPoolUsage;
SIZE_T QuotaNonPagedPoolUsage;
SIZE_T PagefileUsage;
SIZE_T PeakPagefileUsage;
} VM_COUNTERS, * PVM_COUNTERS;
typedef struct _VM_COUNTERS_EX
{
SIZE_T PeakVirtualSize;
SIZE_T VirtualSize;
ULONG PageFaultCount;
SIZE_T PeakWorkingSetSize;
SIZE_T WorkingSetSize;
SIZE_T QuotaPeakPagedPoolUsage;
SIZE_T QuotaPagedPoolUsage;
SIZE_T QuotaPeakNonPagedPoolUsage;
SIZE_T QuotaNonPagedPoolUsage;
SIZE_T PagefileUsage;
SIZE_T PeakPagefileUsage;
SIZE_T PrivateUsage;
} VM_COUNTERS_EX, * PVM_COUNTERS_EX;
// private
typedef struct _VM_COUNTERS_EX2
{
VM_COUNTERS_EX CountersEx;
SIZE_T PrivateWorkingSetSize;
SIZE_T SharedCommitUsage;
} VM_COUNTERS_EX2, * PVM_COUNTERS_EX2;
typedef struct _KERNEL_USER_TIMES
{
LARGE_INTEGER CreateTime;
LARGE_INTEGER ExitTime;
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
} KERNEL_USER_TIMES, * PKERNEL_USER_TIMES;
typedef struct _POOLED_USAGE_AND_LIMITS
{
SIZE_T PeakPagedPoolUsage;
SIZE_T PagedPoolUsage;
SIZE_T PagedPoolLimit;
SIZE_T PeakNonPagedPoolUsage;
SIZE_T NonPagedPoolUsage;
SIZE_T NonPagedPoolLimit;
SIZE_T PeakPagefileUsage;
SIZE_T PagefileUsage;
SIZE_T PagefileLimit;
} POOLED_USAGE_AND_LIMITS, * PPOOLED_USAGE_AND_LIMITS;
#define PROCESS_EXCEPTION_PORT_ALL_STATE_BITS 0x00000003
#define PROCESS_EXCEPTION_PORT_ALL_STATE_FLAGS ((ULONG_PTR)((1UL << PROCESS_EXCEPTION_PORT_ALL_STATE_BITS) - 1))
typedef struct _PROCESS_EXCEPTION_PORT
{
_In_ HANDLE ExceptionPortHandle; // Handle to the exception port. No particular access required.
_Inout_ ULONG StateFlags; // Miscellaneous state flags to be cached along with the exception port in the kernel.
} PROCESS_EXCEPTION_PORT, * PPROCESS_EXCEPTION_PORT;
typedef struct _PROCESS_ACCESS_TOKEN
{
HANDLE Token; // needs TOKEN_ASSIGN_PRIMARY access
HANDLE Thread; // handle to initial/only thread; needs THREAD_QUERY_INFORMATION access
} PROCESS_ACCESS_TOKEN, * PPROCESS_ACCESS_TOKEN;
#endif // !_KERNEL_MODE
#ifndef _LDT_ENTRY_DEFINED
#define _LDT_ENTRY_DEFINED
typedef struct _LDT_ENTRY
{
USHORT LimitLow;
USHORT BaseLow;
union
{
struct
{
UINT8 BaseMid;
UINT8 Flags1; // Declare as bytes to avoid alignment
UINT8 Flags2; // Problems.
UINT8 BaseHi;
} Bytes;
struct
{
UINT32 BaseMid : 8;
UINT32 Type : 5;
UINT32 Dpl : 2;
UINT32 Pres : 1;
UINT32 LimitHi : 4;
UINT32 Sys : 1;
UINT32 Reserved_0 : 1;
UINT32 Default_Big : 1;
UINT32 Granularity : 1;
UINT32 BaseHi : 8;
} Bits;
} HighWord;
} LDT_ENTRY, * PLDT_ENTRY;
#endif
typedef struct _PROCESS_LDT_INFORMATION
{
ULONG Start;
ULONG Length;
LDT_ENTRY LdtEntries[1];
} PROCESS_LDT_INFORMATION, * PPROCESS_LDT_INFORMATION;
typedef struct _PROCESS_LDT_SIZE
{
ULONG Length;
} PROCESS_LDT_SIZE, * PPROCESS_LDT_SIZE;
#ifndef _KERNEL_MODE
typedef struct _PROCESS_WS_WATCH_INFORMATION
{
PVOID FaultingPc;
PVOID FaultingVa;
} PROCESS_WS_WATCH_INFORMATION, * PPROCESS_WS_WATCH_INFORMATION;
#endif // !_KERNEL_MODE
// psapi:PSAPI_WS_WATCH_INFORMATION_EX
typedef struct _PROCESS_WS_WATCH_INFORMATION_EX
{
PROCESS_WS_WATCH_INFORMATION BasicInfo;
ULONG_PTR FaultingThreadId;
ULONG_PTR Flags;
} PROCESS_WS_WATCH_INFORMATION_EX, * PPROCESS_WS_WATCH_INFORMATION_EX;
#define PROCESS_PRIORITY_CLASS_UNKNOWN 0
#define PROCESS_PRIORITY_CLASS_IDLE 1
#define PROCESS_PRIORITY_CLASS_NORMAL 2
#define PROCESS_PRIORITY_CLASS_HIGH 3
#define PROCESS_PRIORITY_CLASS_REALTIME 4
#define PROCESS_PRIORITY_CLASS_BELOW_NORMAL 5
#define PROCESS_PRIORITY_CLASS_ABOVE_NORMAL 6
typedef struct _PROCESS_PRIORITY_CLASS
{
BOOLEAN Foreground;
UCHAR PriorityClass;
} PROCESS_PRIORITY_CLASS, * PPROCESS_PRIORITY_CLASS;
typedef struct _PROCESS_FOREGROUND_BACKGROUND
{
BOOLEAN Foreground;
} PROCESS_FOREGROUND_BACKGROUND, * PPROCESS_FOREGROUND_BACKGROUND;
#ifndef _KERNEL_MODE
typedef struct _PROCESS_DEVICEMAP_INFORMATION
{
union
{
struct
{
HANDLE DirectoryHandle;
} Set;
struct
{
ULONG DriveMap;
UCHAR DriveType[32];
} Query;
};
} PROCESS_DEVICEMAP_INFORMATION, * PPROCESS_DEVICEMAP_INFORMATION;
#define PROCESS_LUID_DOSDEVICES_ONLY 0x00000001
typedef struct _PROCESS_DEVICEMAP_INFORMATION_EX
{
union
{
struct
{
HANDLE DirectoryHandle;
} Set;
struct
{
ULONG DriveMap;
UCHAR DriveType[32];
} Query;
};
ULONG Flags; // PROCESS_LUID_DOSDEVICES_ONLY
} PROCESS_DEVICEMAP_INFORMATION_EX, * PPROCESS_DEVICEMAP_INFORMATION_EX;
typedef struct _PROCESS_SESSION_INFORMATION
{
ULONG SessionId;
} PROCESS_SESSION_INFORMATION, * PPROCESS_SESSION_INFORMATION;
#define PROCESS_HANDLE_EXCEPTIONS_ENABLED 0x00000001
#define PROCESS_HANDLE_RAISE_EXCEPTION_ON_INVALID_HANDLE_CLOSE_DISABLED 0x00000000
#define PROCESS_HANDLE_RAISE_EXCEPTION_ON_INVALID_HANDLE_CLOSE_ENABLED 0x00000001
typedef struct _PROCESS_HANDLE_TRACING_ENABLE
{
ULONG Flags;
} PROCESS_HANDLE_TRACING_ENABLE, * PPROCESS_HANDLE_TRACING_ENABLE;
#define PROCESS_HANDLE_TRACING_MAX_SLOTS 0x20000
typedef struct _PROCESS_HANDLE_TRACING_ENABLE_EX
{
ULONG Flags;
ULONG TotalSlots;
} PROCESS_HANDLE_TRACING_ENABLE_EX, * PPROCESS_HANDLE_TRACING_ENABLE_EX;
#define PROCESS_HANDLE_TRACING_MAX_STACKS 16
#define PROCESS_HANDLE_TRACE_TYPE_OPEN 1
#define PROCESS_HANDLE_TRACE_TYPE_CLOSE 2
#define PROCESS_HANDLE_TRACE_TYPE_BADREF 3
typedef struct _PROCESS_HANDLE_TRACING_ENTRY
{
HANDLE Handle;
CLIENT_ID ClientId;
ULONG Type;
PVOID Stacks[PROCESS_HANDLE_TRACING_MAX_STACKS];
} PROCESS_HANDLE_TRACING_ENTRY, * PPROCESS_HANDLE_TRACING_ENTRY;
typedef struct _PROCESS_HANDLE_TRACING_QUERY
{
HANDLE Handle;
ULONG TotalTraces;
PROCESS_HANDLE_TRACING_ENTRY HandleTrace[1];
} PROCESS_HANDLE_TRACING_QUERY, * PPROCESS_HANDLE_TRACING_QUERY;
#endif // !_KERNEL_MODE
// private
typedef struct _THREAD_TLS_INFORMATION
{
ULONG Flags;
PVOID NewTlsData;
PVOID OldTlsData;
HANDLE ThreadId;
} THREAD_TLS_INFORMATION, * PTHREAD_TLS_INFORMATION;
// private
typedef enum _PROCESS_TLS_INFORMATION_TYPE
{
ProcessTlsReplaceIndex,
ProcessTlsReplaceVector,
MaxProcessTlsOperation
} PROCESS_TLS_INFORMATION_TYPE, * PPROCESS_TLS_INFORMATION_TYPE;
// private
typedef struct _PROCESS_TLS_INFORMATION
{
ULONG Flags;
ULONG OperationType;
ULONG ThreadDataCount;
ULONG TlsIndex;
ULONG PreviousCount;
THREAD_TLS_INFORMATION ThreadData[1];
} PROCESS_TLS_INFORMATION, * PPROCESS_TLS_INFORMATION;
// private
typedef struct _PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION
{
ULONG Version;
ULONG Reserved;
PVOID Callback;
} PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION, * PPROCESS_INSTRUMENTATION_CALLBACK_INFORMATION;
// private
typedef struct _PROCESS_STACK_ALLOCATION_INFORMATION
{
SIZE_T ReserveSize;
SIZE_T ZeroBits;
PVOID StackBase;
} PROCESS_STACK_ALLOCATION_INFORMATION, * PPROCESS_STACK_ALLOCATION_INFORMATION;
// private
typedef struct _PROCESS_STACK_ALLOCATION_INFORMATION_EX
{
ULONG PreferredNode;
ULONG Reserved0;
ULONG Reserved1;
ULONG Reserved2;
PROCESS_STACK_ALLOCATION_INFORMATION AllocInfo;
} PROCESS_STACK_ALLOCATION_INFORMATION_EX, * PPROCESS_STACK_ALLOCATION_INFORMATION_EX;
// private
typedef union _PROCESS_AFFINITY_UPDATE_MODE
{
ULONG Flags;
struct
{
ULONG EnableAutoUpdate : 1;
ULONG Permanent : 1;
ULONG Reserved : 30;
};
} PROCESS_AFFINITY_UPDATE_MODE, * PPROCESS_AFFINITY_UPDATE_MODE;
// private
typedef union _PROCESS_MEMORY_ALLOCATION_MODE
{
ULONG Flags;
struct
{
ULONG TopDown : 1;
ULONG Reserved : 31;
};
} PROCESS_MEMORY_ALLOCATION_MODE, * PPROCESS_MEMORY_ALLOCATION_MODE;
// private
typedef struct _PROCESS_HANDLE_INFORMATION
{
ULONG HandleCount;
ULONG HandleCountHighWatermark;
} PROCESS_HANDLE_INFORMATION, * PPROCESS_HANDLE_INFORMATION;
// private
typedef struct _PROCESS_CYCLE_TIME_INFORMATION
{
ULONGLONG AccumulatedCycles;
ULONGLONG CurrentCycleCount;
} PROCESS_CYCLE_TIME_INFORMATION, * PPROCESS_CYCLE_TIME_INFORMATION;
// private
typedef struct _PROCESS_WINDOW_INFORMATION
{
ULONG WindowFlags;
USHORT WindowTitleLength;
WCHAR WindowTitle[1];
} PROCESS_WINDOW_INFORMATION, * PPROCESS_WINDOW_INFORMATION;
// private
typedef struct _PROCESS_HANDLE_TABLE_ENTRY_INFO
{
HANDLE HandleValue;
ULONG_PTR HandleCount;
ULONG_PTR PointerCount;
ULONG GrantedAccess;
ULONG ObjectTypeIndex;
ULONG HandleAttributes;
ULONG Reserved;
} PROCESS_HANDLE_TABLE_ENTRY_INFO, * PPROCESS_HANDLE_TABLE_ENTRY_INFO;
// private
typedef struct _PROCESS_HANDLE_SNAPSHOT_INFORMATION
{
ULONG_PTR NumberOfHandles;
ULONG_PTR Reserved;
PROCESS_HANDLE_TABLE_ENTRY_INFO Handles[1];
} PROCESS_HANDLE_SNAPSHOT_INFORMATION, * PPROCESS_HANDLE_SNAPSHOT_INFORMATION;
// private
typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION
{
PROCESS_MITIGATION_POLICY Policy;
union
{
PROCESS_MITIGATION_ASLR_POLICY ASLRPolicy;
PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY StrictHandleCheckPolicy;
PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY SystemCallDisablePolicy;
PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY ExtensionPointDisablePolicy;
PROCESS_MITIGATION_DYNAMIC_CODE_POLICY DynamicCodePolicy;
#if (NTDDI_VERSION >= NTDDI_WIN10_TH2)
PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY ControlFlowGuardPolicy;
PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY SignaturePolicy;
PROCESS_MITIGATION_FONT_DISABLE_POLICY FontDisablePolicy;
PROCESS_MITIGATION_IMAGE_LOAD_POLICY ImageLoadPolicy;
#endif // NTDDI_VERSION >= NTDDI_WIN10_TH2
#if (NTDDI_VERSION >= NTDDI_WIN10_RS3)
PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY SystemCallFilterPolicy;
PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY PayloadRestrictionPolicy;
PROCESS_MITIGATION_CHILD_PROCESS_POLICY ChildProcessPolicy;
#endif // NTDDI_VERSION >= NTDDI_WIN10
#if (NTDDI_VERSION >= NTDDI_WIN10_RS5)
PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY SideChannelIsolationPolicy;
#endif // NTDDI_VERSION >= NTDDI_WIN10_RS5
#if (NTDDI_VERSION >= NTDDI_WIN10_VB)
PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY UserShadowStackPolicy;
#endif // NTDDI_VERSION >= NTDDI_WIN10_MN
#if (NTDDI_VERSION >= NTDDI_WIN10_MN)
PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY RedirectionTrustPolicy;
#endif // NTDDI_VERSION >= NTDDI_WIN10_MN
};
} PROCESS_MITIGATION_POLICY_INFORMATION, * PPROCESS_MITIGATION_POLICY_INFORMATION;
#ifndef _KERNEL_MODE
typedef struct _PROCESS_KEEPALIVE_COUNT_INFORMATION
{
ULONG WakeCount;
ULONG NoWakeCount;
} PROCESS_KEEPALIVE_COUNT_INFORMATION, * PPROCESS_KEEPALIVE_COUNT_INFORMATION;
typedef struct _PROCESS_REVOKE_FILE_HANDLES_INFORMATION
{
UNICODE_STRING TargetDevicePath;
} PROCESS_REVOKE_FILE_HANDLES_INFORMATION, * PPROCESS_REVOKE_FILE_HANDLES_INFORMATION;
#endif // !_KERNEL_MODE
// begin_private
typedef enum _PROCESS_WORKING_SET_OPERATION
{
ProcessWorkingSetSwap,
ProcessWorkingSetEmpty,
ProcessWorkingSetOperationMax
} PROCESS_WORKING_SET_OPERATION;
typedef struct _PROCESS_WORKING_SET_CONTROL
{
ULONG Version;
PROCESS_WORKING_SET_OPERATION Operation;
ULONG Flags;
} PROCESS_WORKING_SET_CONTROL, * PPROCESS_WORKING_SET_CONTROL;
typedef enum _PS_PROTECTED_TYPE
{
PsProtectedTypeNone,
PsProtectedTypeProtectedLight,
PsProtectedTypeProtected,
PsProtectedTypeMax
} PS_PROTECTED_TYPE;
typedef enum _PS_PROTECTED_SIGNER
{
PsProtectedSignerNone,
PsProtectedSignerAuthenticode,
PsProtectedSignerCodeGen,
PsProtectedSignerAntimalware,
PsProtectedSignerLsa,
PsProtectedSignerWindows,
PsProtectedSignerWinTcb,
PsProtectedSignerWinSystem,
PsProtectedSignerApp,
PsProtectedSignerMax
} PS_PROTECTED_SIGNER;
#define PS_PROTECTED_SIGNER_MASK 0xFF
#define PS_PROTECTED_AUDIT_MASK 0x08
#define PS_PROTECTED_TYPE_MASK 0x07
// vProtectionLevel.Level = PsProtectedValue(PsProtectedSignerCodeGen, FALSE, PsProtectedTypeProtectedLight)
#define PsProtectedValue(aSigner, aAudit, aType) ( \
((aSigner & PS_PROTECTED_SIGNER_MASK) << 4) | \
((aAudit & PS_PROTECTED_AUDIT_MASK) << 3) | \
(aType & PS_PROTECTED_TYPE_MASK)\
)
// InitializePsProtection(&vProtectionLevel, PsProtectedSignerCodeGen, FALSE, PsProtectedTypeProtectedLight)
#define InitializePsProtection(aProtectionLevelPtr, aSigner, aAudit, aType) { \
(aProtectionLevelPtr)->Signer = aSigner; \
(aProtectionLevelPtr)->Audit = aAudit; \
(aProtectionLevelPtr)->Type = aType; \
}
typedef struct _PS_PROTECTION
{
union
{
UCHAR Level;
struct
{
UCHAR Type : 3;
UCHAR Audit : 1;
UCHAR Signer : 4;
};
};
} PS_PROTECTION, * PPS_PROTECTION;
typedef struct _PROCESS_FAULT_INFORMATION
{
ULONG FaultFlags;
ULONG AdditionalInfo;
} PROCESS_FAULT_INFORMATION, * PPROCESS_FAULT_INFORMATION;
typedef struct _PROCESS_TELEMETRY_ID_INFORMATION
{
ULONG HeaderSize;
ULONG ProcessId;
ULONGLONG ProcessStartKey;
ULONGLONG CreateTime;
ULONGLONG CreateInterruptTime;
ULONGLONG CreateUnbiasedInterruptTime;
ULONGLONG ProcessSequenceNumber;
ULONGLONG SessionCreateTime;
ULONG SessionId;
ULONG BootId;
ULONG ImageChecksum;
ULONG ImageTimeDateStamp;
ULONG UserSidOffset;
ULONG ImagePathOffset;
ULONG PackageNameOffset;
ULONG RelativeAppNameOffset;
ULONG CommandLineOffset;
} PROCESS_TELEMETRY_ID_INFORMATION, * PPROCESS_TELEMETRY_ID_INFORMATION;
typedef struct _PROCESS_COMMIT_RELEASE_INFORMATION
{
ULONG Version;
struct
{
ULONG Eligible : 1;
ULONG ReleaseRepurposedMemResetCommit : 1;
ULONG ForceReleaseMemResetCommit : 1;
ULONG Spare : 29;
};
SIZE_T CommitDebt;
SIZE_T CommittedMemResetSize;
SIZE_T RepurposedMemResetSize;
} PROCESS_COMMIT_RELEASE_INFORMATION, * PPROCESS_COMMIT_RELEASE_INFORMATION;
typedef struct _PROCESS_JOB_MEMORY_INFO
{
ULONGLONG SharedCommitUsage;
ULONGLONG PrivateCommitUsage;
ULONGLONG PeakPrivateCommitUsage;
ULONGLONG PrivateCommitLimit;
ULONGLONG TotalCommitLimit;
} PROCESS_JOB_MEMORY_INFO, * PPROCESS_JOB_MEMORY_INFO;
typedef struct _PROCESS_CHILD_PROCESS_INFORMATION
{
BOOLEAN ProhibitChildProcesses;
BOOLEAN AlwaysAllowSecureChildProcess; // REDSTONE3
BOOLEAN AuditProhibitChildProcesses;
} PROCESS_CHILD_PROCESS_INFORMATION, * PPROCESS_CHILD_PROCESS_INFORMATION;
#ifndef _KERNEL_MODE
//
// Process resource throttling information
// NtQueryInformationProcess using ProcessPowerThrottlingState
//
#define POWER_THROTTLING_PROCESS_CURRENT_VERSION 1
#define POWER_THROTTLING_PROCESS_EXECUTION_SPEED 0x1
#define POWER_THROTTLING_PROCESS_DELAYTIMERS 0x2
#define POWER_THROTTLING_PROCESS_IGNORE_TIMER_RESOLUTION 0x4
#define POWER_THROTTLING_PROCESS_VALID_FLAGS ((POWER_THROTTLING_PROCESS_EXECUTION_SPEED | \
POWER_THROTTLING_PROCESS_DELAYTIMERS | \
POWER_THROTTLING_PROCESS_IGNORE_TIMER_RESOLUTION))
typedef struct _POWER_THROTTLING_PROCESS_STATE
{
ULONG Version;
ULONG ControlMask;
ULONG StateMask;
} POWER_THROTTLING_PROCESS_STATE, * PPOWER_THROTTLING_PROCESS_STATE;
#endif // !_KERNEL_MODE
typedef struct _WIN32K_SYSCALL_FILTER
{
ULONG FilterState;
ULONG FilterSet;
} WIN32K_SYSCALL_FILTER, * PWIN32K_SYSCALL_FILTER;
typedef struct _PROCESS_WAKE_INFORMATION
{
ULONGLONG NotificationChannel;
ULONG WakeCounters[7];
struct _JOBOBJECT_WAKE_FILTER* WakeFilter;
} PROCESS_WAKE_INFORMATION, * PPROCESS_WAKE_INFORMATION;
typedef struct _PROCESS_ENERGY_TRACKING_STATE
{
ULONG StateUpdateMask;
ULONG StateDesiredValue;
ULONG StateSequence;
ULONG UpdateTag : 1;
WCHAR Tag[64];
} PROCESS_ENERGY_TRACKING_STATE, * PPROCESS_ENERGY_TRACKING_STATE;
typedef struct _MANAGE_WRITES_TO_EXECUTABLE_MEMORY
{
ULONG Version : 8;
ULONG ProcessEnableWriteExceptions : 1;
ULONG ThreadAllowWrites : 1;
ULONG Spare : 22;
PVOID KernelWriteToExecutableSignal; // 19H1
} MANAGE_WRITES_TO_EXECUTABLE_MEMORY, * PMANAGE_WRITES_TO_EXECUTABLE_MEMORY;
#ifndef _KERNEL_MODE
#define POWER_THROTTLING_THREAD_CURRENT_VERSION 1
#define POWER_THROTTLING_THREAD_EXECUTION_SPEED 0x1
#define POWER_THROTTLING_THREAD_VALID_FLAGS (POWER_THROTTLING_THREAD_EXECUTION_SPEED)
typedef struct _POWER_THROTTLING_THREAD_STATE
{
ULONG Version;
ULONG ControlMask;
ULONG StateMask;
} POWER_THROTTLING_THREAD_STATE, * PPOWER_THROTTLING_THREAD_STATE;
#endif // !_KERNEL_MODE
//
// Process Read/WriteVm Logging
// NtQueryInformationProcess using ProcessEnableReadWriteVmLogging
//
#define PROCESS_READWRITEVM_LOGGING_ENABLE_READVM 0x01
#define PROCESS_READWRITEVM_LOGGING_ENABLE_READVM_V 1UL
#define PROCESS_READWRITEVM_LOGGING_ENABLE_WRITEVM 0x02L
#define PROCESS_READWRITEVM_LOGGING_ENABLE_WRITEVM_V 2UL
#if (WDK_NTDDI_VERSION != NTDDI_WIN10_RS3) && (WDK_NTDDI_VERSION != NTDDI_WIN10_RS4)
typedef union _PROCESS_READWRITEVM_LOGGING_INFORMATION
{
UCHAR Flags;
struct
{
UCHAR EnableReadVmLogging : 1;
UCHAR EnableWriteVmLogging : 1;
UCHAR Unused : 6;
};
} PROCESS_READWRITEVM_LOGGING_INFORMATION, * PPROCESS_READWRITEVM_LOGGING_INFORMATION;
#endif // (WDK_NTDDI_VERSION != NTDDI_WIN10_RS3) && (WDK_NTDDI_VERSION != NTDDI_WIN10_RS4)
typedef struct _PROCESS_UPTIME_INFORMATION
{
ULONGLONG QueryInterruptTime;
ULONGLONG QueryUnbiasedTime;
ULONGLONG EndInterruptTime;
ULONGLONG TimeSinceCreation;
ULONGLONG Uptime;
ULONGLONG SuspendedTime;
union
{
ULONG HangCount : 4;
ULONG GhostCount : 4;
ULONG Crashed : 1;
ULONG Terminated : 1;
};
} PROCESS_UPTIME_INFORMATION, * PPROCESS_UPTIME_INFORMATION;
typedef union _PROCESS_SYSTEM_RESOURCE_MANAGEMENT
{
ULONG Flags;
struct
{
ULONG Foreground : 1;
ULONG Reserved : 31;
};
} PROCESS_SYSTEM_RESOURCE_MANAGEMENT, * PPROCESS_SYSTEM_RESOURCE_MANAGEMENT;
// private
typedef struct _PROCESS_SECURITY_DOMAIN_INFORMATION
{
ULONGLONG SecurityDomain;
} PROCESS_SECURITY_DOMAIN_INFORMATION, * PPROCESS_SECURITY_DOMAIN_INFORMATION;
// private
typedef struct _PROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION
{
HANDLE ProcessHandle;
} PROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION, * PPROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION;
// private
typedef union _PROCESS_LOGGING_INFORMATION
{
ULONG Flags;
struct
{
ULONG EnableReadVmLogging : 1;
ULONG EnableWriteVmLogging : 1;
ULONG EnableProcessSuspendResumeLogging : 1;
ULONG EnableThreadSuspendResumeLogging : 1;
ULONG Reserved : 28;
};
} PROCESS_LOGGING_INFORMATION, * PPROCESS_LOGGING_INFORMATION;
// private
typedef struct _PROCESS_LEAP_SECOND_INFORMATION
{
ULONG Flags;
ULONG Reserved;
} PROCESS_LEAP_SECOND_INFORMATION, * PPROCESS_LEAP_SECOND_INFORMATION;
// private
typedef struct _PROCESS_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION
{
ULONGLONG ReserveSize;
ULONGLONG CommitSize;
ULONG PreferredNode;
ULONG Reserved;
PVOID Ssp;
} PROCESS_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION, * PPROCESS_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION;
// private
typedef struct _PROCESS_FREE_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION
{
PVOID Ssp;
} PROCESS_FREE_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION, * PPROCESS_FREE_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION;
//// private
//typedef struct _PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE
//{
// ULONG_PTR BaseAddress;
// SIZE_T Size;
// ULONG Flags;
//} PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE, *PPROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE;
//
//// private
//typedef struct _PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGES_INFORMATION
//{
// USHORT NumberOfRanges;
// USHORT Reserved;
// ULONG Reserved2;
// PPROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE Ranges;
//} PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGES_INFORMATION, *PPROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGES_INFORMATION;
// end_private
//
// Thread information structures
//
typedef struct _THREAD_BASIC_INFORMATION
{
NTSTATUS ExitStatus;
PTEB TebBaseAddress;
CLIENT_ID ClientId;
ULONG_PTR AffinityMask;
KPRIORITY Priority;
LONG BasePriority;
} THREAD_BASIC_INFORMATION, * PTHREAD_BASIC_INFORMATION;
// private
typedef struct _THREAD_LAST_SYSCALL_INFORMATION
{
PVOID FirstArgument;
USHORT SystemCallNumber;
#ifdef WIN64
USHORT Pad[0x3]; // since REDSTONE2
#else
USHORT Pad[0x1]; // since REDSTONE2
#endif
ULONG64 WaitTime;
} THREAD_LAST_SYSCALL_INFORMATION, * PTHREAD_LAST_SYSCALL_INFORMATION;
// private
typedef struct _THREAD_CYCLE_TIME_INFORMATION
{
ULONGLONG AccumulatedCycles;
ULONGLONG CurrentCycleCount;
} THREAD_CYCLE_TIME_INFORMATION, * PTHREAD_CYCLE_TIME_INFORMATION;
// private
typedef struct _THREAD_TEB_INFORMATION
{
PVOID TebInformation; // buffer to place data in
ULONG TebOffset; // offset in TEB to begin reading from
ULONG BytesToRead; // number of bytes to read
} THREAD_TEB_INFORMATION, * PTHREAD_TEB_INFORMATION;
// symbols
typedef struct _COUNTER_READING
{
HARDWARE_COUNTER_TYPE Type;
ULONG Index;
ULONG64 Start;
ULONG64 Total;
} COUNTER_READING, * PCOUNTER_READING;
// symbols
typedef struct _THREAD_PERFORMANCE_DATA
{
USHORT Size;
USHORT Version;
PROCESSOR_NUMBER ProcessorNumber;
ULONG ContextSwitches;
ULONG HwCountersCount;
ULONG64 UpdateCount;
ULONG64 WaitReasonBitMap;
ULONG64 HardwareCounters;
COUNTER_READING CycleTime;
COUNTER_READING HwCounters[MAX_HW_COUNTERS];
} THREAD_PERFORMANCE_DATA, * PTHREAD_PERFORMANCE_DATA;
// private
typedef struct _THREAD_PROFILING_INFORMATION
{
ULONG64 HardwareCounters;
ULONG Flags;
ULONG Enable;
PTHREAD_PERFORMANCE_DATA PerformanceData;
} THREAD_PROFILING_INFORMATION, * PTHREAD_PROFILING_INFORMATION;
// private
typedef struct _RTL_UMS_CONTEXT
{
SINGLE_LIST_ENTRY Link;
CONTEXT Context;
PVOID Teb;
PVOID UserContext;
volatile ULONG ScheduledThread : 1;
volatile ULONG Suspended : 1;
volatile ULONG VolatileContext : 1;
volatile ULONG Terminated : 1;
volatile ULONG DebugActive : 1;
volatile ULONG RunningOnSelfThread : 1;
volatile ULONG DenyRunningOnSelfThread : 1;
volatile LONG Flags;
volatile ULONG64 KernelUpdateLock : 2;
volatile ULONG64 PrimaryClientID : 62;
volatile ULONG64 ContextLock;
struct _RTL_UMS_CONTEXT* PrimaryUmsContext;
ULONG SwitchCount;
ULONG KernelYieldCount;
ULONG MixedYieldCount;
ULONG YieldCount;
} RTL_UMS_CONTEXT, * PRTL_UMS_CONTEXT;
// private
typedef enum _THREAD_UMS_INFORMATION_COMMAND
{
UmsInformationCommandInvalid,
UmsInformationCommandAttach,
UmsInformationCommandDetach,
UmsInformationCommandQuery
} THREAD_UMS_INFORMATION_COMMAND;
// private
typedef struct _RTL_UMS_COMPLETION_LIST
{
PSINGLE_LIST_ENTRY ThreadListHead;
PVOID CompletionEvent;
ULONG CompletionFlags;
SINGLE_LIST_ENTRY InternalListHead;
} RTL_UMS_COMPLETION_LIST, * PRTL_UMS_COMPLETION_LIST;
// private
typedef struct _THREAD_UMS_INFORMATION
{
THREAD_UMS_INFORMATION_COMMAND Command;
PRTL_UMS_COMPLETION_LIST CompletionList;
PRTL_UMS_CONTEXT UmsContext;
union
{
ULONG Flags;
struct
{
ULONG IsUmsSchedulerThread : 1;
ULONG IsUmsWorkerThread : 1;
ULONG SpareBits : 30;
};
};
} THREAD_UMS_INFORMATION, * PTHREAD_UMS_INFORMATION;
// private
typedef struct _THREAD_NAME_INFORMATION
{
UNICODE_STRING ThreadName;
} THREAD_NAME_INFORMATION, * PTHREAD_NAME_INFORMATION;
// private
typedef struct _ALPC_WORK_ON_BEHALF_TICKET
{
ULONG ThreadId;
ULONG ThreadCreationTimeLow;
} ALPC_WORK_ON_BEHALF_TICKET, * PALPC_WORK_ON_BEHALF_TICKET;
// private
typedef struct _RTL_WORK_ON_BEHALF_TICKET_EX
{
ALPC_WORK_ON_BEHALF_TICKET Ticket;
union
{
ULONG Flags;
struct
{
ULONG CurrentThread : 1;
ULONG Reserved1 : 31;
};
};
ULONG Reserved2;
} RTL_WORK_ON_BEHALF_TICKET_EX, * PRTL_WORK_ON_BEHALF_TICKET_EX;
#ifndef _KERNEL_MODE
// private
typedef enum _SUBSYSTEM_INFORMATION_TYPE
{
SubsystemInformationTypeWin32,
SubsystemInformationTypeWSL,
MaxSubsystemInformationType
} SUBSYSTEM_INFORMATION_TYPE;
#endif // !_KERNEL_MODE
// private
typedef enum _THREAD_WORKLOAD_CLASS
{
ThreadWorkloadClassDefault,
ThreadWorkloadClassGraphics,
MaxThreadWorkloadClass
} THREAD_WORKLOAD_CLASS;
//
// Processes
//
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateProcess(
_Out_ PHANDLE ProcessHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ HANDLE ParentProcess,
_In_ BOOLEAN InheritObjectTable,
_In_opt_ HANDLE SectionHandle,
_In_opt_ HANDLE DebugPort,
_In_opt_ HANDLE ExceptionPort
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateProcess(
_Out_ PHANDLE ProcessHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ HANDLE ParentProcess,
_In_ BOOLEAN InheritObjectTable,
_In_opt_ HANDLE SectionHandle,
_In_opt_ HANDLE DebugPort,
_In_opt_ HANDLE ExceptionPort
);
#define PROCESS_CREATE_FLAGS_BREAKAWAY 0x00000001
#define PROCESS_CREATE_FLAGS_NO_DEBUG_INHERIT 0x00000002
#define PROCESS_CREATE_FLAGS_INHERIT_HANDLES 0x00000004
#define PROCESS_CREATE_FLAGS_OVERRIDE_ADDRESS_SPACE 0x00000008
#define PROCESS_CREATE_FLAGS_LARGE_PAGES 0x00000010
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateProcessEx(
_Out_ PHANDLE ProcessHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ HANDLE ParentProcess,
_In_ ULONG Flags,
_In_opt_ HANDLE SectionHandle,
_In_opt_ HANDLE DebugPort,
_In_opt_ HANDLE ExceptionPort,
_Reserved_ ULONG Reserved // JobMemberLevel
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateProcessEx(
_Out_ PHANDLE ProcessHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ HANDLE ParentProcess,
_In_ ULONG Flags,
_In_opt_ HANDLE SectionHandle,
_In_opt_ HANDLE DebugPort,
_In_opt_ HANDLE ExceptionPort,
_Reserved_ ULONG Reserved // JobMemberLevel
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenProcess(
_Out_ PHANDLE ProcessHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_opt_ PCLIENT_ID ClientId
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenProcess(
_Out_ PHANDLE ProcessHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_opt_ PCLIENT_ID ClientId
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtTerminateProcess(
_In_opt_ HANDLE ProcessHandle,
_In_ NTSTATUS ExitStatus
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwTerminateProcess(
_In_opt_ HANDLE ProcessHandle,
_In_ NTSTATUS ExitStatus
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSuspendProcess(
_In_ HANDLE ProcessHandle
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwSuspendProcess(
_In_ HANDLE ProcessHandle
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtResumeProcess(
_In_ HANDLE ProcessHandle
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwResumeProcess(
_In_ HANDLE ProcessHandle
);
#ifndef _KERNEL_MODE
#define NtCurrentProcess() ((HANDLE)(LONG_PTR)-1)
#define ZwCurrentProcess() NtCurrentProcess()
#define NtCurrentThread() ((HANDLE)(LONG_PTR)-2)
#define ZwCurrentThread() NtCurrentThread()
#define NtCurrentSession() ((HANDLE)(LONG_PTR)-3)
#define ZwCurrentSession() NtCurrentSession()
#endif // !_KERNEL_MODE
#define NtCurrentPeb() (NtCurrentTeb()->ProcessEnvironmentBlock)
// Windows 8 and above
#define NtCurrentProcessToken() ((HANDLE)(LONG_PTR)-4) // NtOpenProcessToken(NtCurrentProcess())
#define NtCurrentThreadToken() ((HANDLE)(LONG_PTR)-5) // NtOpenThreadToken(NtCurrentThread())
#define NtCurrentThreadEffectiveToken() ((HANDLE)(LONG_PTR)-6) // NtOpenThreadToken(NtCurrentThread()) + NtOpenProcessToken(NtCurrentProcess())
#define NtCurrentSilo() ( (HANDLE)(LONG_PTR) -1 )
// Not NT, but useful.
#define NtCurrentProcessId() (NtCurrentTeb()->ClientId.UniqueProcess)
#define NtCurrentThreadId() (NtCurrentTeb()->ClientId.UniqueThread)
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryInformationProcess(
_In_ HANDLE ProcessHandle,
_In_ PROCESSINFOCLASS ProcessInformationClass,
_Out_writes_bytes_(ProcessInformationLength) PVOID ProcessInformation,
_In_ ULONG ProcessInformationLength,
_Out_opt_ PULONG ReturnLength
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationProcess(
_In_ HANDLE ProcessHandle,
_In_ PROCESSINFOCLASS ProcessInformationClass,
_Out_writes_bytes_(ProcessInformationLength) PVOID ProcessInformation,
_In_ ULONG ProcessInformationLength,
_Out_opt_ PULONG ReturnLength
);
#if (NTDDI_VERSION >= NTDDI_WS03)
#define PROCESS_GET_NEXT_FLAGS_PREVIOUS_PROCESS 0x00000001
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtGetNextProcess(
_In_opt_ HANDLE ProcessHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ ULONG HandleAttributes,
_In_ ULONG Flags,
_Out_ PHANDLE NewProcessHandle
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwGetNextProcess(
_In_opt_ HANDLE ProcessHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ ULONG HandleAttributes,
_In_ ULONG Flags,
_Out_ PHANDLE NewProcessHandle
);
#endif
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtGetNextThread(
_In_ HANDLE ProcessHandle,
_In_ HANDLE ThreadHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ ULONG HandleAttributes,
_In_ ULONG Flags,
_Out_ PHANDLE NewThreadHandle
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwGetNextThread(
_In_ HANDLE ProcessHandle,
_In_ HANDLE ThreadHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ ULONG HandleAttributes,
_In_ ULONG Flags,
_Out_ PHANDLE NewThreadHandle
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetInformationProcess(
_In_ HANDLE ProcessHandle,
_In_ PROCESSINFOCLASS ProcessInformationClass,
_In_reads_bytes_(ProcessInformationLength) PVOID ProcessInformation,
_In_ ULONG ProcessInformationLength
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwSetInformationProcess(
_In_ HANDLE ProcessHandle,
_In_ PROCESSINFOCLASS ProcessInformationClass,
_In_reads_bytes_(ProcessInformationLength) PVOID ProcessInformation,
_In_ ULONG ProcessInformationLength
);
#define STATECHANGE_SET_ATTRIBUTES 0x0001
typedef enum _PROCESS_STATE_CHANGE_TYPE
{
ProcessStateChangeSuspend,
ProcessStateChangeResume,
ProcessStateChangeMax,
} PROCESS_STATE_CHANGE_TYPE, * PPROCESS_STATE_CHANGE_TYPE;
#if (NTDDI_VERSION >= NTDDI_WIN10_CO)
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateProcessStateChange(
_Out_ PHANDLE ProcessStateChangeHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ HANDLE ProcessHandle,
_In_opt_ ULONG64 Reserved
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateProcessStateChange(
_Out_ PHANDLE ProcessStateChangeHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ HANDLE ProcessHandle,
_In_opt_ ULONG64 Reserved
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtChangeProcessState(
_In_ HANDLE ProcessStateChangeHandle,
_In_ HANDLE ProcessHandle,
_In_ PROCESS_STATE_CHANGE_TYPE StateChangeType,
_In_opt_ PVOID ExtendedInformation,
_In_opt_ SIZE_T ExtendedInformationLength,
_In_opt_ ULONG64 Reserved
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwChangeProcessState(
_In_ HANDLE ProcessStateChangeHandle,
_In_ HANDLE ProcessHandle,
_In_ PROCESS_STATE_CHANGE_TYPE StateChangeType,
_In_opt_ PVOID ExtendedInformation,
_In_opt_ SIZE_T ExtendedInformationLength,
_In_opt_ ULONG64 Reserved
);
#endif
typedef enum _THREAD_STATE_CHANGE_TYPE
{
ThreadStateChangeSuspend,
ThreadStateChangeResume,
ThreadStateChangeMax,
} THREAD_STATE_CHANGE_TYPE, * PTHREAD_STATE_CHANGE_TYPE;
#if (NTDDI_VERSION >= NTDDI_WIN10_CO)
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateThreadStateChange(
_Out_ PHANDLE ThreadStateChangeHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ HANDLE ThreadHandle,
_In_opt_ ULONG64 Reserved
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateThreadStateChange(
_Out_ PHANDLE ThreadStateChangeHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ HANDLE ThreadHandle,
_In_opt_ ULONG64 Reserved
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtChangeThreadState(
_In_ HANDLE ThreadStateChangeHandle,
_In_ HANDLE ThreadHandle,
_In_ THREAD_STATE_CHANGE_TYPE StateChangeType,
_In_opt_ PVOID ExtendedInformation,
_In_opt_ SIZE_T ExtendedInformationLength,
_In_opt_ ULONG64 Reserved
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwChangeThreadState(
_In_ HANDLE ThreadStateChangeHandle,
_In_ HANDLE ThreadHandle,
_In_ THREAD_STATE_CHANGE_TYPE StateChangeType,
_In_opt_ PVOID ExtendedInformation,
_In_opt_ SIZE_T ExtendedInformationLength,
_In_opt_ ULONG64 Reserved
);
#endif
//
// Threads
//
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateThread(
_Out_ PHANDLE ThreadHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ HANDLE ProcessHandle,
_Out_ PCLIENT_ID ClientId,
_In_ PCONTEXT ThreadContext,
_In_ PINITIAL_TEB InitialTeb,
_In_ BOOLEAN CreateSuspended
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateThread(
_Out_ PHANDLE ThreadHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ HANDLE ProcessHandle,
_Out_ PCLIENT_ID ClientId,
_In_ PCONTEXT ThreadContext,
_In_ PINITIAL_TEB InitialTeb,
_In_ BOOLEAN CreateSuspended
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenThread(
_Out_ PHANDLE ThreadHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_opt_ PCLIENT_ID ClientId
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenThread(
_Out_ PHANDLE ThreadHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_opt_ PCLIENT_ID ClientId
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtTerminateThread(
_In_opt_ HANDLE ThreadHandle,
_In_ NTSTATUS ExitStatus
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwTerminateThread(
_In_opt_ HANDLE ThreadHandle,
_In_ NTSTATUS ExitStatus
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSuspendThread(
_In_ HANDLE ThreadHandle,
_Out_opt_ PULONG PreviousSuspendCount
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwSuspendThread(
_In_ HANDLE ThreadHandle,
_Out_opt_ PULONG PreviousSuspendCount
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtResumeThread(
_In_ HANDLE ThreadHandle,
_Out_opt_ PULONG PreviousSuspendCount
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwResumeThread(
_In_ HANDLE ThreadHandle,
_Out_opt_ PULONG PreviousSuspendCount
);
__kernel_entry NTSYSCALLAPI
ULONG
NTAPI
NtGetCurrentProcessorNumber(
VOID
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
ULONG
NTAPI
ZwGetCurrentProcessorNumber(
VOID
);
#if (NTDDI_VERSION >= NTDDI_WIN10)
__kernel_entry NTSYSCALLAPI
ULONG
NTAPI
NtGetCurrentProcessorNumberEx(
_Out_opt_ PPROCESSOR_NUMBER ProcessorNumber
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
ULONG
NTAPI
ZwGetCurrentProcessorNumberEx(
_Out_opt_ PPROCESSOR_NUMBER ProcessorNumber
);
#endif // NTDDI_VERSION >= NTDDI_WIN10
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtGetContextThread(
_In_ HANDLE ThreadHandle,
_Inout_ PCONTEXT ThreadContext
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwGetContextThread(
_In_ HANDLE ThreadHandle,
_Inout_ PCONTEXT ThreadContext
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetContextThread(
_In_ HANDLE ThreadHandle,
_In_ PCONTEXT ThreadContext
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwSetContextThread(
_In_ HANDLE ThreadHandle,
_In_ PCONTEXT ThreadContext
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryInformationThread(
_In_ HANDLE ThreadHandle,
_In_ THREADINFOCLASS ThreadInformationClass,
_Out_writes_bytes_(ThreadInformationLength) PVOID ThreadInformation,
_In_ ULONG ThreadInformationLength,
_Out_opt_ PULONG ReturnLength
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationThread(
_In_ HANDLE ThreadHandle,
_In_ THREADINFOCLASS ThreadInformationClass,
_Out_writes_bytes_(ThreadInformationLength) PVOID ThreadInformation,
_In_ ULONG ThreadInformationLength,
_Out_opt_ PULONG ReturnLength
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetInformationThread(
_In_ HANDLE ThreadHandle,
_In_ THREADINFOCLASS ThreadInformationClass,
_When_((ThreadInformationClass != ThreadManageWritesToExecutableMemory),
_In_reads_bytes_(ThreadInformationLength))
_When_((ThreadInformationClass == ThreadManageWritesToExecutableMemory),
_Inout_updates_(ThreadInformationLength))
PVOID ThreadInformation,
_In_ ULONG ThreadInformationLength
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwSetInformationThread(
_In_ HANDLE ThreadHandle,
_In_ THREADINFOCLASS ThreadInformationClass,
_In_reads_bytes_(ThreadInformationLength) PVOID ThreadInformation,
_In_ ULONG ThreadInformationLength
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtAlertThread(
_In_ HANDLE ThreadHandle
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwAlertThread(
_In_ HANDLE ThreadHandle
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtAlertResumeThread(
_In_ HANDLE ThreadHandle,
_Out_opt_ PULONG PreviousSuspendCount
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwAlertResumeThread(
_In_ HANDLE ThreadHandle,
_Out_opt_ PULONG PreviousSuspendCount
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtTestAlert(
VOID
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwTestAlert(
VOID
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtContinue(
_In_ PCONTEXT ContextRecord,
_In_ BOOLEAN TestAlert
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwContinue(
_In_ PCONTEXT ContextRecord,
_In_ BOOLEAN TestAlert
);
typedef enum _KCONTINUE_TYPE
{
KCONTINUE_UNWIND,
KCONTINUE_RESUME,
KCONTINUE_LONGJUMP,
KCONTINUE_SET,
KCONTINUE_LAST,
} KCONTINUE_TYPE;
typedef struct _KCONTINUE_ARGUMENT
{
KCONTINUE_TYPE ContinueType;
ULONG ContinueFlags;
ULONGLONG Reserved[2];
} KCONTINUE_ARGUMENT, * PKCONTINUE_ARGUMENT;
#define KCONTINUE_FLAG_TEST_ALERT 0x00000001 // wbenny
#define KCONTINUE_FLAG_DELIVER_APC 0x00000002 // wbenny
#if (NTDDI_VERSION >= NTDDI_WIN10_VB)
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtContinueEx(
_In_ PCONTEXT ContextRecord,
_In_ PVOID ContinueArgument // PKCONTINUE_ARGUMENT and BOOLEAN are valid
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwContinueEx(
_In_ PCONTEXT ContextRecord,
_In_ PVOID ContinueArgument // PKCONTINUE_ARGUMENT and BOOLEAN are valid
);
#endif // NTDDI_VERSION >= NTDDI_WIN10_VB
//FORCEINLINE
//NTSTATUS
//NtContinue(
// _In_ PCONTEXT ContextRecord,
// _In_ BOOLEAN TestAlert
// )
//{
// return NtContinueEx(ContextRecord, (PCONTINUE_ARGUMENT)TestAlert);
//}
//FORCEINLINE
//NTSTATUS
//ZwContinue(
// _In_ PCONTEXT ContextRecord,
// _In_ BOOLEAN TestAlert
// )
//{
// return ZwContinueEx(ContextRecord, (PCONTINUE_ARGUMENT)TestAlert);
//}
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtImpersonateThread(
_In_ HANDLE ServerThreadHandle,
_In_ HANDLE ClientThreadHandle,
_In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwImpersonateThread(
_In_ HANDLE ServerThreadHandle,
_In_ HANDLE ClientThreadHandle,
_In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtRegisterThreadTerminatePort(
_In_ HANDLE PortHandle
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwRegisterThreadTerminatePort(
_In_ HANDLE PortHandle
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetLdtEntries(
_In_ ULONG Selector0,
_In_ ULONG Entry0Low,
_In_ ULONG Entry0Hi,
_In_ ULONG Selector1,
_In_ ULONG Entry1Low,
_In_ ULONG Entry1Hi
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwSetLdtEntries(
_In_ ULONG Selector0,
_In_ ULONG Entry0Low,
_In_ ULONG Entry0Hi,
_In_ ULONG Selector1,
_In_ ULONG Entry1Low,
_In_ ULONG Entry1Hi
);
typedef VOID(*PPS_APC_ROUTINE)(
_In_opt_ PVOID ApcArgument1,
_In_opt_ PVOID ApcArgument2,
_In_opt_ PVOID ApcArgument3
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueueApcThread(
_In_ HANDLE ThreadHandle,
_In_ PPS_APC_ROUTINE ApcRoutine,
_In_opt_ PVOID ApcArgument1,
_In_opt_ PVOID ApcArgument2,
_In_opt_ PVOID ApcArgument3
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwQueueApcThread(
_In_ HANDLE ThreadHandle,
_In_ PPS_APC_ROUTINE ApcRoutine,
_In_opt_ PVOID ApcArgument1,
_In_opt_ PVOID ApcArgument2,
_In_opt_ PVOID ApcArgument3
);
#if (NTDDI_VERSION >= ntddi_WIN7)
#define APC_FORCE_THREAD_SIGNAL ((HANDLE)1) // ReserveHandle
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueueApcThreadEx(
_In_ HANDLE ThreadHandle,
_In_opt_ HANDLE ReserveHandle, // NtAllocateReserveObject
_In_ PPS_APC_ROUTINE ApcRoutine,
_In_opt_ PVOID ApcArgument1,
_In_opt_ PVOID ApcArgument2,
_In_opt_ PVOID ApcArgument3
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwQueueApcThreadEx(
_In_ HANDLE ThreadHandle,
_In_opt_ HANDLE ReserveHandle, // NtAllocateReserveObject
_In_ PPS_APC_ROUTINE ApcRoutine,
_In_opt_ PVOID ApcArgument1,
_In_opt_ PVOID ApcArgument2,
_In_opt_ PVOID ApcArgument3
);
#endif
#if (NTDDI_VERSION >= NTDDI_WIN10_CO)
#ifdef _KERNEL_MODE
typedef enum _QUEUE_USER_APC_FLAGS {
QUEUE_USER_APC_FLAGS_NONE = 0x0,
QUEUE_USER_APC_FLAGS_SPECIAL_USER_APC = 0x1,
} QUEUE_USER_APC_FLAGS;
#endif // !_KERNEL_MODE
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueueApcThreadEx2(
_In_ HANDLE ThreadHandle,
_In_opt_ HANDLE ReserveHandle, // NtAllocateReserveObject
_In_ QUEUE_USER_APC_FLAGS ApcFlags,
_In_ PPS_APC_ROUTINE ApcRoutine,
_In_opt_ PVOID ApcArgument1,
_In_opt_ PVOID ApcArgument2,
_In_opt_ PVOID ApcArgument3
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwQueueApcThreadEx2(
_In_ HANDLE ThreadHandle,
_In_opt_ HANDLE ReserveHandle, // NtAllocateReserveObject
_In_ QUEUE_USER_APC_FLAGS ApcFlags,
_In_ PPS_APC_ROUTINE ApcRoutine,
_In_opt_ PVOID ApcArgument1,
_In_opt_ PVOID ApcArgument2,
_In_opt_ PVOID ApcArgument3
);
#endif
#if (NTDDI_VERSION >= NTDDI_WIN8)
// rev
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtAlertThreadByThreadId(
_In_ HANDLE ThreadId
);
// rev
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwAlertThreadByThreadId(
_In_ HANDLE ThreadId
);
// rev
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtWaitForAlertByThreadId(
_In_ PVOID Address,
_In_opt_ PLARGE_INTEGER Timeout
);
// rev
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwWaitForAlertByThreadId(
_In_ PVOID Address,
_In_opt_ PLARGE_INTEGER Timeout
);
#endif
//
// User processes and threads
//
//
// Attributes
//
// private
#define PS_ATTRIBUTE_NUMBER_MASK 0x0000ffff
#define PS_ATTRIBUTE_THREAD 0x00010000 // may be used with thread creation
#define PS_ATTRIBUTE_INPUT 0x00020000 // input only
#define PS_ATTRIBUTE_ADDITIVE 0x00040000 // "accumulated" e.g. bitmasks, counters, etc.
#ifdef _KERNEL_MODE
typedef enum _PROC_THREAD_ATTRIBUTE_NUM {
ProcThreadAttributeParentProcess = 0,
ProcThreadAttributeExtendedFlags = 1,
ProcThreadAttributeHandleList = 2,
ProcThreadAttributeGroupAffinity = 3,
ProcThreadAttributePreferredNode = 4,
ProcThreadAttributeIdealProcessor = 5,
ProcThreadAttributeUmsThread = 6,
ProcThreadAttributeMitigationPolicy = 7,
ProcThreadAttributeSecurityCapabilities = 9,
ProcThreadAttributeConsoleReference = 10,
ProcThreadAttributeProtectionLevel = 11,
ProcThreadAttributeJobList = 13,
ProcThreadAttributeChildProcessPolicy = 14,
ProcThreadAttributeAllApplicationPackagesPolicy = 15,
ProcThreadAttributeWin32kFilter = 16,
ProcThreadAttributeSafeOpenPromptOriginClaim = 17,
ProcThreadAttributeDesktopAppPolicy = 18,
ProcThreadAttributeBnoIsolation = 19,
ProcThreadAttributePseudoConsole = 22,
ProcThreadAttributeMitigationAuditPolicy = 24,
ProcThreadAttributeMachineType = 25,
ProcThreadAttributeComponentFilter = 26,
ProcThreadAttributeEnableOptionalXStateFeatures = 27,
} PROC_THREAD_ATTRIBUTE_NUM;
#else // _KERNEL_MODE
// PROC_THREAD_ATTRIBUTE_NUM (Win32 CreateProcess) (dmex)
#define ProcThreadAttributeParentProcess ((_PROC_THREAD_ATTRIBUTE_NUM)0 ) // in HANDLE
#define ProcThreadAttributeExtendedFlags ((_PROC_THREAD_ATTRIBUTE_NUM)1 ) // in ULONG (PROC_EXTENDED_FLAG)
#define ProcThreadAttributeHandleList ((_PROC_THREAD_ATTRIBUTE_NUM)2 ) // in HANDLE[]
#define ProcThreadAttributeGroupAffinity ((_PROC_THREAD_ATTRIBUTE_NUM)3 ) // in GROUP_AFFINITY // since WIN7
#define ProcThreadAttributePreferredNode ((_PROC_THREAD_ATTRIBUTE_NUM)4 ) // in USHORT
#define ProcThreadAttributeIdealProcessor ((_PROC_THREAD_ATTRIBUTE_NUM)5 ) // in PROCESSOR_NUMBER
#define ProcThreadAttributeUmsThread ((_PROC_THREAD_ATTRIBUTE_NUM)6 ) // in UMS_CREATE_THREAD_ATTRIBUTES
#define ProcThreadAttributeMitigationPolicy ((_PROC_THREAD_ATTRIBUTE_NUM)7 ) // in ULONG[] or ULONG64[]
#define ProcThreadAttributePackageName ((_PROC_THREAD_ATTRIBUTE_NUM)8 ) // in WCHAR[] // since WIN8
#define ProcThreadAttributeSecurityCapabilities ((_PROC_THREAD_ATTRIBUTE_NUM)9 ) // in SECURITY_CAPABILITIES
#define ProcThreadAttributeConsoleReference ((_PROC_THREAD_ATTRIBUTE_NUM)10) // BaseGetConsoleReference (kernelbase.dll)
#define ProcThreadAttributeProtectionLevel ((_PROC_THREAD_ATTRIBUTE_NUM)11) // in ULONG
#define ProcThreadAttributeJobList ((_PROC_THREAD_ATTRIBUTE_NUM)13) // in HANDLE[] // since WIN10
#define ProcThreadAttributeChildProcessPolicy ((_PROC_THREAD_ATTRIBUTE_NUM)14) // in ULONG
#define ProcThreadAttributeAllApplicationPackagesPolicy ((_PROC_THREAD_ATTRIBUTE_NUM)15) // in ULONG
#define ProcThreadAttributeWin32kFilter ((_PROC_THREAD_ATTRIBUTE_NUM)16) // in PROC_THREAD_WIN32KFILTER_ATTRIBUTE
#define ProcThreadAttributeSafeOpenPromptOriginClaim ((_PROC_THREAD_ATTRIBUTE_NUM)17) // since RS1
#define ProcThreadAttributeDesktopAppPolicy ((_PROC_THREAD_ATTRIBUTE_NUM)18) // in ULONG // since RS2
#define ProcThreadAttributeBnoIsolation ((_PROC_THREAD_ATTRIBUTE_NUM)19) // in PROC_THREAD_BNOISOLATION_ATTRIBUTE
#define ProcThreadAttributePseudoConsole ((_PROC_THREAD_ATTRIBUTE_NUM)22) // in HANDLE (HPCON) // since RS5
#define ProcThreadAttributeMitigationAuditPolicy ((_PROC_THREAD_ATTRIBUTE_NUM)24) // in ULONG[] or ULONG64[] // since 20H1
#define ProcThreadAttributeMachineType ((_PROC_THREAD_ATTRIBUTE_NUM)25) // in ULONG
#define ProcThreadAttributeComponentFilter ((_PROC_THREAD_ATTRIBUTE_NUM)26) // in ULONG
#define ProcThreadAttributeEnableOptionalXStateFeatures ((_PROC_THREAD_ATTRIBUTE_NUM)27) // in ULONG // since 20H2
#endif // !_KERNEL_MODE
#define PROC_EXTENDED_FLAG_LOG_ELEVATION_FAILURE 0x1
#define PROC_EXTENDED_FLAG_IGNORE_ELEVATION 0x2
#define PROC_EXTENDED_FLAG_FORCE_JOB_BREAKAWAY 0x4 // (requires SeTcbPrivilege)
#define WIN32KFILTER_FLAG_ENABLE 0x1
#define WIN32KFILTER_FLAG_AUDIT 0x2
typedef struct _PROC_THREAD_WIN32KFILTER_ATTRIBUTE
{
ULONG Flags;
ULONG FilterLevel;
} PROC_THREAD_WIN32KFILTER_ATTRIBUTE, * PPROC_THREAD_WIN32KFILTER_ATTRIBUTE;
typedef struct _PROC_THREAD_BNOISOLATION_ATTRIBUTE
{
BOOL IsolationEnabled;
WCHAR IsolationPrefix[0x88];
} PROC_THREAD_BNOISOLATION_ATTRIBUTE, * PPROC_THREAD_BNOISOLATION_ATTRIBUTE;
#ifndef ProcThreadAttributeValue
#define ProcThreadAttributeValue(Number, Thread, Input, Additive) \
(((Number) & PROC_THREAD_ATTRIBUTE_NUMBER) | \
((Thread != FALSE) ? PROC_THREAD_ATTRIBUTE_THREAD : 0) | \
((Input != FALSE) ? PROC_THREAD_ATTRIBUTE_INPUT : 0) | \
((Additive != FALSE) ? PROC_THREAD_ATTRIBUTE_ADDITIVE : 0))
#endif
#ifndef PROC_THREAD_ATTRIBUTE_PARENT_PROCESS
#define PROC_THREAD_ATTRIBUTE_PARENT_PROCESS \
ProcThreadAttributeValue (ProcThreadAttributeParentProcess, FALSE, TRUE, FALSE)
#endif
#ifndef PROC_THREAD_ATTRIBUTE_EXTENDED_FLAGS
#define PROC_THREAD_ATTRIBUTE_EXTENDED_FLAGS \
ProcThreadAttributeValue (ProcThreadAttributeExtendedFlags, FALSE, TRUE, TRUE)
#endif
#ifndef PROC_THREAD_ATTRIBUTE_HANDLE_LIST
#define PROC_THREAD_ATTRIBUTE_HANDLE_LIST \
ProcThreadAttributeValue (ProcThreadAttributeHandleList, FALSE, TRUE, FALSE)
#endif
#ifndef PROC_THREAD_ATTRIBUTE_GROUP_AFFINITY
#define PROC_THREAD_ATTRIBUTE_GROUP_AFFINITY \
ProcThreadAttributeValue (ProcThreadAttributeGroupAffinity, TRUE, TRUE, FALSE)
#endif
#ifndef PROC_THREAD_ATTRIBUTE_PREFERRED_NODE
#define PROC_THREAD_ATTRIBUTE_PREFERRED_NODE \
ProcThreadAttributeValue (ProcThreadAttributePreferredNode, FALSE, TRUE, FALSE)
#endif
#ifndef PROC_THREAD_ATTRIBUTE_IDEAL_PROCESSOR
#define PROC_THREAD_ATTRIBUTE_IDEAL_PROCESSOR \
ProcThreadAttributeValue (ProcThreadAttributeIdealProcessor, TRUE, TRUE, FALSE)
#endif
#ifndef PROC_THREAD_ATTRIBUTE_UMS_THREAD
#define PROC_THREAD_ATTRIBUTE_UMS_THREAD \
ProcThreadAttributeValue (ProcThreadAttributeUmsThread, TRUE, TRUE, FALSE)
#endif
#ifndef PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY
#define PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY \
ProcThreadAttributeValue (ProcThreadAttributeMitigationPolicy, FALSE, TRUE, FALSE)
#endif
#ifndef PROC_THREAD_ATTRIBUTE_SECURITY_CAPABILITIES
#define PROC_THREAD_ATTRIBUTE_SECURITY_CAPABILITIES \
ProcThreadAttributeValue (ProcThreadAttributeSecurityCapabilities, FALSE, TRUE, FALSE)
#endif
#ifndef PROC_THREAD_ATTRIBUTE_CONSOLE_REFERENCE
#define PROC_THREAD_ATTRIBUTE_CONSOLE_REFERENCE \
ProcThreadAttributeValue (ProcThreadAttributeConsoleReference, FALSE, TRUE, FALSE)
#endif
#ifndef PROC_THREAD_ATTRIBUTE_PROTECTION_LEVEL
#define PROC_THREAD_ATTRIBUTE_PROTECTION_LEVEL \
ProcThreadAttributeValue (ProcThreadAttributeProtectionLevel, FALSE, TRUE, FALSE)
#endif
#ifndef PROC_THREAD_ATTRIBUTE_SAFE_OPEN_PROMPT_ORIGIN_CLAIM
#define PROC_THREAD_ATTRIBUTE_SAFE_OPEN_PROMPT_ORIGIN_CLAIM \
ProcThreadAttributeValue (ProcThreadAttributeSafeOpenPromptOriginClaim, FALSE, TRUE, FALSE)
#endif
#ifndef PROC_THREAD_ATTRIBUTE_BNO_ISOLATION
#define PROC_THREAD_ATTRIBUTE_BNO_ISOLATION \
ProcThreadAttributeValue (ProcThreadAttributeBnoIsolation, FALSE, TRUE, FALSE)
#endif
#ifndef PROC_THREAD_ATTRIBUTE_PSEUDOCONSOLE
#define PROC_THREAD_ATTRIBUTE_PSEUDOCONSOLE \
ProcThreadAttributeValue (ProcThreadAttributePseudoConsole, FALSE, TRUE, FALSE)
#endif
#ifndef PROC_THREAD_ATTRIBUTE_MACHINE_TYPE
#define PROC_THREAD_ATTRIBUTE_MACHINE_TYPE \
ProcThreadAttributeValue (ProcThreadAttributeMachineType, FALSE, TRUE, FALSE)
#endif
#ifndef PROC_THREAD_ATTRIBUTE_ENABLE_OPTIONAL_XSTATE_FEATURES
#define PROC_THREAD_ATTRIBUTE_ENABLE_OPTIONAL_XSTATE_FEATURES \
ProcThreadAttributeValue (ProcThreadAttributeEnableOptionalXStateFeatures, TRUE, TRUE, FALSE)
#endif
// private
typedef enum _PS_ATTRIBUTE_NUM
{
PsAttributeParentProcess, // in HANDLE
PsAttributeDebugPort, // in HANDLE
PsAttributeToken, // in HANDLE
PsAttributeClientId, // out PCLIENT_ID
PsAttributeTebAddress, // out PTEB *
PsAttributeImageName, // in PWSTR
PsAttributeImageInfo, // out PSECTION_IMAGE_INFORMATION
PsAttributeMemoryReserve, // in PPS_MEMORY_RESERVE
PsAttributePriorityClass, // in UCHAR
PsAttributeErrorMode, // in ULONG
PsAttributeStdHandleInfo, // 10, in PPS_STD_HANDLE_INFO
PsAttributeHandleList, // in PHANDLE
PsAttributeGroupAffinity, // in PGROUP_AFFINITY
PsAttributePreferredNode, // in PUSHORT
PsAttributeIdealProcessor, // in PPROCESSOR_NUMBER
PsAttributeUmsThread, // ? in PUMS_CREATE_THREAD_ATTRIBUTES
PsAttributeMitigationOptions, // in UCHAR
PsAttributeProtectionLevel, // in ULONG
PsAttributeSecureProcess, // since THRESHOLD
PsAttributeJobList,
PsAttributeChildProcessPolicy, // since THRESHOLD2
PsAttributeAllApplicationPackagesPolicy, // since REDSTONE
PsAttributeWin32kFilter,
PsAttributeSafeOpenPromptOriginClaim,
PsAttributeBnoIsolation, // PS_BNO_ISOLATION_PARAMETERS
PsAttributeDesktopAppPolicy, // in ULONG
PsAttributeChpe, // since REDSTONE3
PsAttributeMitigationAuditOptions, // since 21H1
PsAttributeMachineType, // since WIN11
PsAttributeComponentFilter,
PsAttributeEnableOptionalXStateFeatures,
PsAttributeMax
} PS_ATTRIBUTE_NUM;
// begin_rev
#define PsAttributeValue(Number, Thread, Input, Additive) \
(((Number) & PS_ATTRIBUTE_NUMBER_MASK) | \
((Thread) ? PS_ATTRIBUTE_THREAD : 0) | \
((Input) ? PS_ATTRIBUTE_INPUT : 0) | \
((Additive) ? PS_ATTRIBUTE_ADDITIVE : 0))
#define PS_ATTRIBUTE_PARENT_PROCESS \
PsAttributeValue(PsAttributeParentProcess, FALSE, TRUE, TRUE)
#define PS_ATTRIBUTE_DEBUG_PORT \
PsAttributeValue(PsAttributeDebugPort, FALSE, TRUE, TRUE)
#define PS_ATTRIBUTE_TOKEN \
PsAttributeValue(PsAttributeToken, FALSE, TRUE, TRUE)
#define PS_ATTRIBUTE_CLIENT_ID \
PsAttributeValue(PsAttributeClientId, TRUE, FALSE, FALSE)
#define PS_ATTRIBUTE_TEB_ADDRESS \
PsAttributeValue(PsAttributeTebAddress, TRUE, FALSE, FALSE)
#define PS_ATTRIBUTE_IMAGE_NAME \
PsAttributeValue(PsAttributeImageName, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_IMAGE_INFO \
PsAttributeValue(PsAttributeImageInfo, FALSE, FALSE, FALSE)
#define PS_ATTRIBUTE_MEMORY_RESERVE \
PsAttributeValue(PsAttributeMemoryReserve, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_PRIORITY_CLASS \
PsAttributeValue(PsAttributePriorityClass, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_ERROR_MODE \
PsAttributeValue(PsAttributeErrorMode, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_STD_HANDLE_INFO \
PsAttributeValue(PsAttributeStdHandleInfo, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_HANDLE_LIST \
PsAttributeValue(PsAttributeHandleList, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_GROUP_AFFINITY \
PsAttributeValue(PsAttributeGroupAffinity, TRUE, TRUE, FALSE)
#define PS_ATTRIBUTE_PREFERRED_NODE \
PsAttributeValue(PsAttributePreferredNode, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_IDEAL_PROCESSOR \
PsAttributeValue(PsAttributeIdealProcessor, TRUE, TRUE, FALSE)
#define PS_ATTRIBUTE_UMS_THREAD \
PsAttributeValue(PsAttributeUmsThread, TRUE, TRUE, FALSE)
#define PS_ATTRIBUTE_MITIGATION_OPTIONS \
PsAttributeValue(PsAttributeMitigationOptions, FALSE, TRUE, TRUE)
#define PS_ATTRIBUTE_PROTECTION_LEVEL \
PsAttributeValue(PsAttributeProtectionLevel, FALSE, TRUE, TRUE)
#define PS_ATTRIBUTE_SECURE_PROCESS \
PsAttributeValue(PsAttributeSecureProcess, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_JOB_LIST \
PsAttributeValue(PsAttributeJobList, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_CHILD_PROCESS_POLICY \
PsAttributeValue(PsAttributeChildProcessPolicy, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_ALL_APPLICATION_PACKAGES_POLICY \
PsAttributeValue(PsAttributeAllApplicationPackagesPolicy, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_WIN32K_FILTER \
PsAttributeValue(PsAttributeWin32kFilter, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_SAFE_OPEN_PROMPT_ORIGIN_CLAIM \
PsAttributeValue(PsAttributeSafeOpenPromptOriginClaim, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_BNO_ISOLATION \
PsAttributeValue(PsAttributeBnoIsolation, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_DESKTOP_APP_POLICY \
PsAttributeValue(PsAttributeDesktopAppPolicy, FALSE, TRUE, FALSE)
// end_rev
// begin_private
typedef struct _PS_ATTRIBUTE
{
ULONG_PTR Attribute;
SIZE_T Size;
union
{
ULONG_PTR Value;
PVOID ValuePtr;
};
PSIZE_T ReturnLength;
} PS_ATTRIBUTE, * PPS_ATTRIBUTE;
typedef struct _PS_ATTRIBUTE_LIST
{
SIZE_T TotalLength;
PS_ATTRIBUTE Attributes[1];
} PS_ATTRIBUTE_LIST, * PPS_ATTRIBUTE_LIST;
typedef struct _PS_MEMORY_RESERVE
{
PVOID ReserveAddress;
SIZE_T ReserveSize;
} PS_MEMORY_RESERVE, * PPS_MEMORY_RESERVE;
typedef enum _PS_STD_HANDLE_STATE
{
PsNeverDuplicate,
PsRequestDuplicate, // duplicate standard handles specified by PseudoHandleMask, and only if StdHandleSubsystemType matches the image subsystem
PsAlwaysDuplicate, // always duplicate standard handles
PsMaxStdHandleStates
} PS_STD_HANDLE_STATE;
// begin_rev
#define PS_STD_INPUT_HANDLE 0x1
#define PS_STD_OUTPUT_HANDLE 0x2
#define PS_STD_ERROR_HANDLE 0x4
// end_rev
typedef struct _PS_STD_HANDLE_INFO
{
union
{
ULONG Flags;
struct
{
ULONG StdHandleState : 2; // PS_STD_HANDLE_STATE
ULONG PseudoHandleMask : 3; // PS_STD_*
};
};
ULONG StdHandleSubsystemType;
} PS_STD_HANDLE_INFO, * PPS_STD_HANDLE_INFO;
// private
typedef struct _PS_BNO_ISOLATION_PARAMETERS
{
UNICODE_STRING IsolationPrefix;
ULONG HandleCount;
PVOID* Handles;
BOOLEAN IsolationEnabled;
} PS_BNO_ISOLATION_PARAMETERS, * PPS_BNO_ISOLATION_PARAMETERS;
// private
typedef enum _PS_MITIGATION_OPTION
{
PS_MITIGATION_OPTION_NX,
PS_MITIGATION_OPTION_SEHOP,
PS_MITIGATION_OPTION_FORCE_RELOCATE_IMAGES,
PS_MITIGATION_OPTION_HEAP_TERMINATE,
PS_MITIGATION_OPTION_BOTTOM_UP_ASLR,
PS_MITIGATION_OPTION_HIGH_ENTROPY_ASLR,
PS_MITIGATION_OPTION_STRICT_HANDLE_CHECKS,
PS_MITIGATION_OPTION_WIN32K_SYSTEM_CALL_DISABLE,
PS_MITIGATION_OPTION_EXTENSION_POINT_DISABLE,
PS_MITIGATION_OPTION_PROHIBIT_DYNAMIC_CODE,
PS_MITIGATION_OPTION_CONTROL_FLOW_GUARD,
PS_MITIGATION_OPTION_BLOCK_NON_MICROSOFT_BINARIES,
PS_MITIGATION_OPTION_FONT_DISABLE,
PS_MITIGATION_OPTION_IMAGE_LOAD_NO_REMOTE,
PS_MITIGATION_OPTION_IMAGE_LOAD_NO_LOW_LABEL,
PS_MITIGATION_OPTION_IMAGE_LOAD_PREFER_SYSTEM32,
PS_MITIGATION_OPTION_RETURN_FLOW_GUARD,
PS_MITIGATION_OPTION_LOADER_INTEGRITY_CONTINUITY,
PS_MITIGATION_OPTION_STRICT_CONTROL_FLOW_GUARD,
PS_MITIGATION_OPTION_RESTRICT_SET_THREAD_CONTEXT,
PS_MITIGATION_OPTION_ROP_STACKPIVOT, // since REDSTONE3
PS_MITIGATION_OPTION_ROP_CALLER_CHECK,
PS_MITIGATION_OPTION_ROP_SIMEXEC,
PS_MITIGATION_OPTION_EXPORT_ADDRESS_FILTER,
PS_MITIGATION_OPTION_EXPORT_ADDRESS_FILTER_PLUS,
PS_MITIGATION_OPTION_RESTRICT_CHILD_PROCESS_CREATION,
PS_MITIGATION_OPTION_IMPORT_ADDRESS_FILTER,
PS_MITIGATION_OPTION_MODULE_TAMPERING_PROTECTION,
PS_MITIGATION_OPTION_RESTRICT_INDIRECT_BRANCH_PREDICTION,
PS_MITIGATION_OPTION_SPECULATIVE_STORE_BYPASS_DISABLE, // since REDSTONE5
PS_MITIGATION_OPTION_ALLOW_DOWNGRADE_DYNAMIC_CODE_POLICY,
PS_MITIGATION_OPTION_CET_USER_SHADOW_STACKS,
PS_MITIGATION_OPTION_USER_CET_SET_CONTEXT_IP_VALIDATION, // since 21H1
PS_MITIGATION_OPTION_BLOCK_NON_CET_BINARIES,
PS_MITIGATION_OPTION_CET_DYNAMIC_APIS_OUT_OF_PROC_ONLY,
PS_MITIGATION_OPTION_REDIRECTION_TRUST, // since 22H1
} PS_MITIGATION_OPTION;
// windows-internals-book:"Chapter 5"
typedef enum _PS_CREATE_STATE
{
PsCreateInitialState,
PsCreateFailOnFileOpen,
PsCreateFailOnSectionCreate,
PsCreateFailExeFormat,
PsCreateFailMachineMismatch,
PsCreateFailExeName, // Debugger specified
PsCreateSuccess,
PsCreateMaximumStates
} PS_CREATE_STATE;
typedef struct _PS_CREATE_INFO
{
SIZE_T Size;
PS_CREATE_STATE State;
union
{
// PsCreateInitialState
struct
{
union
{
ULONG InitFlags;
struct
{
UCHAR WriteOutputOnExit : 1;
UCHAR DetectManifest : 1;
UCHAR IFEOSkipDebugger : 1;
UCHAR IFEODoNotPropagateKeyState : 1;
UCHAR SpareBits1 : 4;
UCHAR SpareBits2 : 8;
USHORT ProhibitedImageCharacteristics : 16;
};
};
ACCESS_MASK AdditionalFileAccess;
} InitState;
// PsCreateFailOnSectionCreate
struct
{
HANDLE FileHandle;
} FailSection;
// PsCreateFailExeFormat
struct
{
USHORT DllCharacteristics;
} ExeFormat;
// PsCreateFailExeName
struct
{
HANDLE IFEOKey;
} ExeName;
// PsCreateSuccess
struct
{
union
{
ULONG OutputFlags;
struct
{
UCHAR ProtectedProcess : 1;
UCHAR AddressSpaceOverride : 1;
UCHAR DevOverrideEnabled : 1; // from Image File Execution Options
UCHAR ManifestDetected : 1;
UCHAR ProtectedProcessLight : 1;
UCHAR SpareBits1 : 3;
UCHAR SpareBits2 : 8;
USHORT SpareBits3 : 16;
};
};
HANDLE FileHandle;
HANDLE SectionHandle;
ULONGLONG UserProcessParametersNative;
ULONG UserProcessParametersWow64;
ULONG CurrentParameterFlags;
ULONGLONG PebAddressNative;
ULONG PebAddressWow64;
ULONGLONG ManifestAddress;
ULONG ManifestSize;
} SuccessState;
};
} PS_CREATE_INFO, * PPS_CREATE_INFO;
// end_private
// begin_rev
#define PROCESS_CREATE_FLAGS_BREAKAWAY 0x00000001
#define PROCESS_CREATE_FLAGS_NO_DEBUG_INHERIT 0x00000002
#define PROCESS_CREATE_FLAGS_INHERIT_HANDLES 0x00000004
#define PROCESS_CREATE_FLAGS_OVERRIDE_ADDRESS_SPACE 0x00000008
#define PROCESS_CREATE_FLAGS_LARGE_PAGES 0x00000010
#define PROCESS_CREATE_FLAGS_LARGE_PAGE_SYSTEM_DLL 0x00000020
// Extended PROCESS_CREATE_FLAGS_*
#define PROCESS_CREATE_FLAGS_PROTECTED_PROCESS 0x00000040
#define PROCESS_CREATE_FLAGS_CREATE_SESSION 0x00000080 // ?
#define PROCESS_CREATE_FLAGS_INHERIT_FROM_PARENT 0x00000100
#define PROCESS_CREATE_FLAGS_SUSPENDED 0x00000200
#define PROCESS_CREATE_FLAGS_EXTENDED_UNKNOWN 0x00000400
// end_rev
#if (NTDDI_VERSION >= NTDDI_VISTA)
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateUserProcess(
_Out_ PHANDLE ProcessHandle,
_Out_ PHANDLE ThreadHandle,
_In_ ACCESS_MASK ProcessDesiredAccess,
_In_ ACCESS_MASK ThreadDesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ProcessObjectAttributes,
_In_opt_ POBJECT_ATTRIBUTES ThreadObjectAttributes,
_In_ ULONG ProcessFlags, // PROCESS_CREATE_FLAGS_*
_In_ ULONG ThreadFlags, // THREAD_CREATE_FLAGS_*
_In_opt_ PVOID ProcessParameters, // PRTL_USER_PROCESS_PARAMETERS
_Inout_ PPS_CREATE_INFO CreateInfo,
_In_opt_ PPS_ATTRIBUTE_LIST AttributeList
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateUserProcess(
_Out_ PHANDLE ProcessHandle,
_Out_ PHANDLE ThreadHandle,
_In_ ACCESS_MASK ProcessDesiredAccess,
_In_ ACCESS_MASK ThreadDesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ProcessObjectAttributes,
_In_opt_ POBJECT_ATTRIBUTES ThreadObjectAttributes,
_In_ ULONG ProcessFlags, // PROCESS_CREATE_FLAGS_*
_In_ ULONG ThreadFlags, // THREAD_CREATE_FLAGS_*
_In_opt_ PVOID ProcessParameters, // PRTL_USER_PROCESS_PARAMETERS
_Inout_ PPS_CREATE_INFO CreateInfo,
_In_opt_ PPS_ATTRIBUTE_LIST AttributeList
);
#endif
// begin_rev
#define THREAD_CREATE_FLAGS_CREATE_SUSPENDED 0x00000001
#define THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH 0x00000002 // ?
#define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004
#define THREAD_CREATE_FLAGS_HAS_SECURITY_DESCRIPTOR 0x00000010 // ?
#define THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET 0x00000020 // ?
#define THREAD_CREATE_FLAGS_BYPASS_PROCESS_FREEZE 0x00000040 // ?
#define THREAD_CREATE_FLAGS_INITIAL_THREAD 0x00000080
// end_rev
#if (NTDDI_VERSION >= NTDDI_VISTA)
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateThreadEx(
_Out_ PHANDLE ThreadHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ HANDLE ProcessHandle,
_In_ PVOID StartRoutine, // PUSER_THREAD_START_ROUTINE
_In_opt_ PVOID Argument,
_In_ ULONG CreateFlags, // THREAD_CREATE_FLAGS_*
_In_ SIZE_T ZeroBits,
_In_ SIZE_T StackSize,
_In_ SIZE_T MaximumStackSize,
_In_opt_ PPS_ATTRIBUTE_LIST AttributeList
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateThreadEx(
_Out_ PHANDLE ThreadHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ HANDLE ProcessHandle,
_In_ PVOID StartRoutine, // PUSER_THREAD_START_ROUTINE
_In_opt_ PVOID Argument,
_In_ ULONG CreateFlags, // THREAD_CREATE_FLAGS_*
_In_ SIZE_T ZeroBits,
_In_ SIZE_T StackSize,
_In_ SIZE_T MaximumStackSize,
_In_opt_ PPS_ATTRIBUTE_LIST AttributeList
);
#endif
//
// Job objects
//
#ifdef _KERNEL_MODE
typedef enum _JOBOBJECTINFOCLASS
{
JobObjectBasicAccountingInformation, // JOBOBJECT_BASIC_ACCOUNTING_INFORMATION
JobObjectBasicLimitInformation, // JOBOBJECT_BASIC_LIMIT_INFORMATION
JobObjectBasicProcessIdList, // JOBOBJECT_BASIC_PROCESS_ID_LIST
JobObjectBasicUIRestrictions, // JOBOBJECT_BASIC_UI_RESTRICTIONS
JobObjectSecurityLimitInformation, // JOBOBJECT_SECURITY_LIMIT_INFORMATION
JobObjectEndOfJobTimeInformation = 6, // JOBOBJECT_END_OF_JOB_TIME_INFORMATION
JobObjectAssociateCompletionPortInformation, // JOBOBJECT_ASSOCIATE_COMPLETION_PORT
JobObjectBasicAndIoAccountingInformation, // JOBOBJECT_BASIC_AND_IO_ACCOUNTING_INFORMATION
JobObjectExtendedLimitInformation, // JOBOBJECT_EXTENDED_LIMIT_INFORMATION
JobObjectJobSetInformation, // JOBOBJECT_JOBSET_INFORMATION
JobObjectGroupInformation = 11, // USHORT
JobObjectNotificationLimitInformation, // JOBOBJECT_NOTIFICATION_LIMIT_INFORMATION
JobObjectLimitViolationInformation, // JOBOBJECT_LIMIT_VIOLATION_INFORMATION
JobObjectGroupInformationEx, // GROUP_AFFINITY (ARRAY)
JobObjectCpuRateControlInformation, // JOBOBJECT_CPU_RATE_CONTROL_INFORMATION
JobObjectCompletionFilter = 16,
JobObjectCompletionCounter,
JobObjectFreezeInformation, // JOBOBJECT_FREEZE_INFORMATION
JobObjectExtendedAccountingInformation, // JOBOBJECT_EXTENDED_ACCOUNTING_INFORMATION
JobObjectWakeInformation, // JOBOBJECT_WAKE_INFORMATION
JobObjectBackgroundInformation = 21,
JobObjectSchedulingRankBiasInformation,
JobObjectTimerVirtualizationInformation,
JobObjectCycleTimeNotification,
JobObjectClearEvent,
JobObjectInterferenceInformation = 26, // JOBOBJECT_INTERFERENCE_INFORMATION
JobObjectClearPeakJobMemoryUsed,
JobObjectMemoryUsageInformation, // JOBOBJECT_MEMORY_USAGE_INFORMATION // JOBOBJECT_MEMORY_USAGE_INFORMATION_V2
JobObjectSharedCommit,
JobObjectContainerId,
JobObjectIoRateControlInformation = 31,
JobObjectNetRateControlInformation, // JOBOBJECT_NET_RATE_CONTROL_INFORMATION
JobObjectNotificationLimitInformation2, // JOBOBJECT_NOTIFICATION_LIMIT_INFORMATION_2
JobObjectLimitViolationInformation2, // JOBOBJECT_LIMIT_VIOLATION_INFORMATION_2
JobObjectCreateSilo,
JobObjectSiloBasicInformation = 36, // SILOOBJECT_BASIC_INFORMATION
JobObjectSiloRootDirectory, // SILOOBJECT_ROOT_DIRECTORY
JobObjectServerSiloBasicInformation, // SERVERSILO_BASIC_INFORMATION
JobObjectServerSiloUserSharedData, // SILO_USER_SHARED_DATA
JobObjectServerSiloInitialize,
JobObjectServerSiloRunningState = 41,
JobObjectIoAttribution,
JobObjectMemoryPartitionInformation,
JobObjectContainerTelemetryId,
JobObjectSiloSystemRoot,
JobObjectEnergyTrackingState = 46, // JOBOBJECT_ENERGY_TRACKING_STATE
JobObjectThreadImpersonationInformation,
JobObjectIoPriorityLimit,
JobObjectPagePriorityLimit,
MaxJobObjectInfoClass
}JOBOBJECTINFOCLASS;
#else
// Note: We don't use an enum since it conflicts with the Windows SDK.
#define JobObjectBasicAccountingInformation ((_JOBOBJECTINFOCLASS)1 )// JOBOBJECT_BASIC_ACCOUNTING_INFORMATION
#define JobObjectBasicLimitInformation ((_JOBOBJECTINFOCLASS)2 )// JOBOBJECT_BASIC_LIMIT_INFORMATION
#define JobObjectBasicProcessIdList ((_JOBOBJECTINFOCLASS)3 )// JOBOBJECT_BASIC_PROCESS_ID_LIST
#define JobObjectBasicUIRestrictions ((_JOBOBJECTINFOCLASS)4 )// JOBOBJECT_BASIC_UI_RESTRICTIONS
#define JobObjectSecurityLimitInformation ((_JOBOBJECTINFOCLASS)5 )// JOBOBJECT_SECURITY_LIMIT_INFORMATION
#define JobObjectEndOfJobTimeInformation ((_JOBOBJECTINFOCLASS)6 )// JOBOBJECT_END_OF_JOB_TIME_INFORMATION
#define JobObjectAssociateCompletionPortInformation ((_JOBOBJECTINFOCLASS)7 )// JOBOBJECT_ASSOCIATE_COMPLETION_PORT
#define JobObjectBasicAndIoAccountingInformation ((_JOBOBJECTINFOCLASS)8 )// JOBOBJECT_BASIC_AND_IO_ACCOUNTING_INFORMATION
#define JobObjectExtendedLimitInformation ((_JOBOBJECTINFOCLASS)9 )// JOBOBJECT_EXTENDED_LIMIT_INFORMATION
#define JobObjectJobSetInformation ((_JOBOBJECTINFOCLASS)10) // JOBOBJECT_JOBSET_INFORMATION
#define JobObjectGroupInformation ((_JOBOBJECTINFOCLASS)11) // USHORT
#define JobObjectNotificationLimitInformation ((_JOBOBJECTINFOCLASS)12) // JOBOBJECT_NOTIFICATION_LIMIT_INFORMATION
#define JobObjectLimitViolationInformation ((_JOBOBJECTINFOCLASS)13) // JOBOBJECT_LIMIT_VIOLATION_INFORMATION
#define JobObjectGroupInformationEx ((_JOBOBJECTINFOCLASS)14) // GROUP_AFFINITY (ARRAY)
#define JobObjectCpuRateControlInformation ((_JOBOBJECTINFOCLASS)15) // JOBOBJECT_CPU_RATE_CONTROL_INFORMATION
#define JobObjectCompletionFilter ((_JOBOBJECTINFOCLASS)16)
#define JobObjectCompletionCounter ((_JOBOBJECTINFOCLASS)17)
#define JobObjectFreezeInformation ((_JOBOBJECTINFOCLASS)18) // JOBOBJECT_FREEZE_INFORMATION
#define JobObjectExtendedAccountingInformation ((_JOBOBJECTINFOCLASS)19) // JOBOBJECT_EXTENDED_ACCOUNTING_INFORMATION
#define JobObjectWakeInformation ((_JOBOBJECTINFOCLASS)20) // JOBOBJECT_WAKE_INFORMATION
#define JobObjectBackgroundInformation ((_JOBOBJECTINFOCLASS)21)
#define JobObjectSchedulingRankBiasInformation ((_JOBOBJECTINFOCLASS)22)
#define JobObjectTimerVirtualizationInformation ((_JOBOBJECTINFOCLASS)23)
#define JobObjectCycleTimeNotification ((_JOBOBJECTINFOCLASS)24)
#define JobObjectClearEvent ((_JOBOBJECTINFOCLASS)25)
#define JobObjectInterferenceInformation ((_JOBOBJECTINFOCLASS)26) // JOBOBJECT_INTERFERENCE_INFORMATION
#define JobObjectClearPeakJobMemoryUsed ((_JOBOBJECTINFOCLASS)27)
#define JobObjectMemoryUsageInformation ((_JOBOBJECTINFOCLASS)28) // JOBOBJECT_MEMORY_USAGE_INFORMATION // JOBOBJECT_MEMORY_USAGE_INFORMATION_V2
#define JobObjectSharedCommit ((_JOBOBJECTINFOCLASS)29)
#define JobObjectContainerId ((_JOBOBJECTINFOCLASS)30)
#define JobObjectIoRateControlInformation ((_JOBOBJECTINFOCLASS)31)
#define JobObjectNetRateControlInformation ((_JOBOBJECTINFOCLASS)32) // JOBOBJECT_NET_RATE_CONTROL_INFORMATION
#define JobObjectNotificationLimitInformation2 ((_JOBOBJECTINFOCLASS)33) // JOBOBJECT_NOTIFICATION_LIMIT_INFORMATION_2
#define JobObjectLimitViolationInformation2 ((_JOBOBJECTINFOCLASS)34) // JOBOBJECT_LIMIT_VIOLATION_INFORMATION_2
#define JobObjectCreateSilo ((_JOBOBJECTINFOCLASS)35)
#define JobObjectSiloBasicInformation ((_JOBOBJECTINFOCLASS)36) // SILOOBJECT_BASIC_INFORMATION
#define JobObjectSiloRootDirectory ((_JOBOBJECTINFOCLASS)37) // SILOOBJECT_ROOT_DIRECTORY
#define JobObjectServerSiloBasicInformation ((_JOBOBJECTINFOCLASS)38) // SERVERSILO_BASIC_INFORMATION
#define JobObjectServerSiloUserSharedData ((_JOBOBJECTINFOCLASS)39) // SILO_USER_SHARED_DATA
#define JobObjectServerSiloInitialize ((_JOBOBJECTINFOCLASS)40)
#define JobObjectServerSiloRunningState ((_JOBOBJECTINFOCLASS)41)
#define JobObjectIoAttribution ((_JOBOBJECTINFOCLASS)42)
#define JobObjectMemoryPartitionInformation ((_JOBOBJECTINFOCLASS)43)
#define JobObjectContainerTelemetryId ((_JOBOBJECTINFOCLASS)44)
#define JobObjectSiloSystemRoot ((_JOBOBJECTINFOCLASS)45)
#define JobObjectEnergyTrackingState ((_JOBOBJECTINFOCLASS)46) // JOBOBJECT_ENERGY_TRACKING_STATE
#define JobObjectThreadImpersonationInformation ((_JOBOBJECTINFOCLASS)47)
#define JobObjectIoPriorityLimit ((_JOBOBJECTINFOCLASS)48)
#define JobObjectPagePriorityLimit ((_JOBOBJECTINFOCLASS)49)
#define MaxJobObjectInfoClass ((_JOBOBJECTINFOCLASS)50)
#endif // _KERNEL_MODE
#ifdef _KERNEL_MODE
typedef struct _JOBOBJECT_BASIC_ACCOUNTING_INFORMATION {
LARGE_INTEGER TotalUserTime;
LARGE_INTEGER TotalKernelTime;
LARGE_INTEGER ThisPeriodTotalUserTime;
LARGE_INTEGER ThisPeriodTotalKernelTime;
UINT32 TotalPageFaultCount;
UINT32 TotalProcesses;
UINT32 ActiveProcesses;
UINT32 TotalTerminatedProcesses;
} JOBOBJECT_BASIC_ACCOUNTING_INFORMATION, * PJOBOBJECT_BASIC_ACCOUNTING_INFORMATION;
#endif // _KERNEL_MODE
// private
typedef struct _JOBOBJECT_EXTENDED_ACCOUNTING_INFORMATION
{
JOBOBJECT_BASIC_ACCOUNTING_INFORMATION BasicInfo;
IO_COUNTERS IoInfo;
PROCESS_DISK_COUNTERS DiskIoInfo;
ULONG64 ContextSwitches;
LARGE_INTEGER TotalCycleTime;
ULONG64 ReadyTime;
PROCESS_ENERGY_VALUES EnergyValues;
} JOBOBJECT_EXTENDED_ACCOUNTING_INFORMATION, * PJOBOBJECT_EXTENDED_ACCOUNTING_INFORMATION;
// private
typedef struct _JOBOBJECT_WAKE_INFORMATION
{
HANDLE NotificationChannel;
ULONG64 WakeCounters[7];
} JOBOBJECT_WAKE_INFORMATION, * PJOBOBJECT_WAKE_INFORMATION;
// private
typedef struct _JOBOBJECT_WAKE_INFORMATION_V1
{
HANDLE NotificationChannel;
ULONG64 WakeCounters[4];
} JOBOBJECT_WAKE_INFORMATION_V1, * PJOBOBJECT_WAKE_INFORMATION_V1;
// private
typedef struct _JOBOBJECT_INTERFERENCE_INFORMATION
{
ULONG64 Count;
} JOBOBJECT_INTERFERENCE_INFORMATION, * PJOBOBJECT_INTERFERENCE_INFORMATION;
// private
typedef struct _JOBOBJECT_WAKE_FILTER
{
ULONG HighEdgeFilter;
ULONG LowEdgeFilter;
} JOBOBJECT_WAKE_FILTER, * PJOBOBJECT_WAKE_FILTER;
// private
typedef struct _JOBOBJECT_FREEZE_INFORMATION
{
union
{
ULONG Flags;
struct
{
ULONG FreezeOperation : 1;
ULONG FilterOperation : 1;
ULONG SwapOperation : 1;
ULONG Reserved : 29;
};
};
BOOLEAN Freeze;
BOOLEAN Swap;
UCHAR Reserved0[2];
JOBOBJECT_WAKE_FILTER WakeFilter;
} JOBOBJECT_FREEZE_INFORMATION, * PJOBOBJECT_FREEZE_INFORMATION;
// private
typedef struct _JOBOBJECT_MEMORY_USAGE_INFORMATION
{
ULONG64 JobMemory;
ULONG64 PeakJobMemoryUsed;
} JOBOBJECT_MEMORY_USAGE_INFORMATION, * PJOBOBJECT_MEMORY_USAGE_INFORMATION;
// private
typedef struct _JOBOBJECT_MEMORY_USAGE_INFORMATION_V2
{
JOBOBJECT_MEMORY_USAGE_INFORMATION BasicInfo;
ULONG64 JobSharedMemory;
ULONG64 Reserved[2];
} JOBOBJECT_MEMORY_USAGE_INFORMATION_V2, * PJOBOBJECT_MEMORY_USAGE_INFORMATION_V2;
#if (NTDDI_VERSION != NTDDI_WIN10_RS1)
// private
//
// Define data shared between kernel and user mode per each Silo.
//
// N.B. User mode has read only access to this data
//
typedef struct _SILO_USER_SHARED_DATA
{
ULONG64 ServiceSessionId;
ULONG ActiveConsoleId;
LONGLONG ConsoleSessionForegroundProcessId;
NT_PRODUCT_TYPE NtProductType;
ULONG SuiteMask;
ULONG SharedUserSessionId;
BOOLEAN IsMultiSessionSku;
WCHAR NtSystemRoot[260];
USHORT UserModeGlobalLogger[16];
} SILO_USER_SHARED_DATA, * PSILO_USER_SHARED_DATA;
#endif // WDK_NTDDI_VERSION != NTDDI_WIN10_RS1
#if (NTDDI_VERSION >= NTDDI_WIN10_RS1)
// private
typedef struct _SILOOBJECT_ROOT_DIRECTORY
{
ULONG ControlFlags;
UNICODE_STRING Path;
} SILOOBJECT_ROOT_DIRECTORY, * PSILOOBJECT_ROOT_DIRECTORY;
#endif // NTDDI_VERSION >= NTDDI_WIN10_RS1
// private
typedef struct _JOBOBJECT_ENERGY_TRACKING_STATE
{
ULONG64 Value;
ULONG UpdateMask;
ULONG DesiredState;
} JOBOBJECT_ENERGY_TRACKING_STATE, * PJOBOBJECT_ENERGY_TRACKING_STATE;
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateJobObject(
_Out_ PHANDLE JobHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateJobObject(
_Out_ PHANDLE JobHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenJobObject(
_Out_ PHANDLE JobHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenJobObject(
_Out_ PHANDLE JobHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtAssignProcessToJobObject(
_In_ HANDLE JobHandle,
_In_ HANDLE ProcessHandle
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwAssignProcessToJobObject(
_In_ HANDLE JobHandle,
_In_ HANDLE ProcessHandle
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtTerminateJobObject(
_In_ HANDLE JobHandle,
_In_ NTSTATUS ExitStatus
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwTerminateJobObject(
_In_ HANDLE JobHandle,
_In_ NTSTATUS ExitStatus
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtIsProcessInJob(
_In_ HANDLE ProcessHandle,
_In_opt_ HANDLE JobHandle
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwIsProcessInJob(
_In_ HANDLE ProcessHandle,
_In_opt_ HANDLE JobHandle
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryInformationJobObject(
_In_opt_ HANDLE JobHandle,
_In_ JOBOBJECTINFOCLASS JobObjectInformationClass,
_Out_writes_bytes_(JobObjectInformationLength) PVOID JobObjectInformation,
_In_ ULONG JobObjectInformationLength,
_Out_opt_ PULONG ReturnLength
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationJobObject(
_In_opt_ HANDLE JobHandle,
_In_ JOBOBJECTINFOCLASS JobObjectInformationClass,
_Out_writes_bytes_(JobObjectInformationLength) PVOID JobObjectInformation,
_In_ ULONG JobObjectInformationLength,
_Out_opt_ PULONG ReturnLength
);
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetInformationJobObject(
_In_ HANDLE JobHandle,
_In_ JOBOBJECTINFOCLASS JobObjectInformationClass,
_In_reads_bytes_(JobObjectInformationLength) PVOID JobObjectInformation,
_In_ ULONG JobObjectInformationLength
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwSetInformationJobObject(
_In_ HANDLE JobHandle,
_In_ JOBOBJECTINFOCLASS JobObjectInformationClass,
_In_reads_bytes_(JobObjectInformationLength) PVOID JobObjectInformation,
_In_ ULONG JobObjectInformationLength
);
#ifdef _KERNEL_MODE
typedef struct _JOB_SET_ARRAY
{
HANDLE JobHandle; // Handle to job object to insert
UINT32 MemberLevel; // Level of this job in the set. Must be > 0. Can be sparse.
UINT32 Flags; // Unused. Must be zero
} JOB_SET_ARRAY, * PJOB_SET_ARRAY;
#endif // _KERNEL_MODE
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateJobSet(
_In_ ULONG NumJob,
_In_reads_(NumJob) PJOB_SET_ARRAY UserJobSet,
_In_ ULONG Flags
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateJobSet(
_In_ ULONG NumJob,
_In_reads_(NumJob) PJOB_SET_ARRAY UserJobSet,
_In_ ULONG Flags
);
#if (NTDDI_VERSION >= NTDDI_WINTHRESHOLD)
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtRevertContainerImpersonation(
VOID
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwRevertContainerImpersonation(
VOID
);
#endif
//
// Reserve objects
//
// private
typedef enum _MEMORY_RESERVE_TYPE
{
MemoryReserveUserApc,
MemoryReserveIoCompletion,
MemoryReserveTypeMax
} MEMORY_RESERVE_TYPE;
#if (NTDDI_VERSION >= NTDDI_WIN7)
__kernel_entry NTSYSCALLAPI
NTSTATUS
NTAPI
NtAllocateReserveObject(
_Out_ PHANDLE MemoryReserveHandle,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ MEMORY_RESERVE_TYPE Type
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwAllocateReserveObject(
_Out_ PHANDLE MemoryReserveHandle,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ MEMORY_RESERVE_TYPE Type
);
#endif
#ifdef _KERNEL_MODE
// Process
NTKERNELAPI
NTSTATUS
NTAPI
PsLookupProcessThreadByCid(
_In_ PCLIENT_ID ClientId,
_Out_opt_ PEPROCESS* Process,
_Out_ PETHREAD* Thread
);
NTSYSAPI
BOOLEAN
NTAPI
PsIsSystemProcess(
_In_ PEPROCESS Process
);
NTSYSAPI
HANDLE NTAPI
PsGetProcessInheritedFromUniqueProcessId(
_In_ PEPROCESS Process
);
NTSYSAPI
ULONG NTAPI
PsGetProcessSessionId(
_In_ PEPROCESS Process
);
// The difference is that Ex will return -1
NTSYSAPI
ULONG
NTAPI
PsGetProcessSessionIdEx(
_In_ PEPROCESS Process
);
NTSYSAPI
ULONG
NTAPI
PsGetCurrentProcessSessionId(
);
NTSYSAPI
BOOLEAN
NTAPI
PsGetProcessExitProcessCalled(
_In_ PEPROCESS Process
);
NTSYSAPI
UCHAR*
NTAPI
PsGetProcessImageFileName(
_In_ PEPROCESS Process
);
#define PsGetCurrentProcessImageFileName() PsGetProcessImageFileName(PsGetCurrentProcess())
NTSYSAPI
PVOID
NTAPI
PsGetProcessSectionBaseAddress(
_In_ PEPROCESS Process
);
#define PsGetProcessPcb(Process) ((PKPROCESS)(Process))
NTSYSAPI
PPEB NTAPI
PsGetProcessPeb(
_In_ PEPROCESS Process
);
NTSYSAPI
VOID
NTAPI
PsSetProcessPriorityClass(
_Out_ PEPROCESS Process,
_In_ UCHAR PriorityClass
);
NTSYSAPI
UCHAR
NTAPI
PsGetProcessPriorityClass(
_In_ PEPROCESS Process
);
NTSYSAPI
VOID
NTAPI
PsSetProcessWindowStation(
_Out_ PEPROCESS Process,
_In_ HANDLE Win32WindowStation
);
NTSYSAPI
HANDLE
NTAPI
PsGetProcessWin32WindowStation(
_In_ PEPROCESS Process
);
#define PsGetCurrentProcessWin32WindowStation() PsGetProcessWin32WindowStation(PsGetCurrentProcess())
NTSYSAPI
NTSTATUS
NTAPI
PsSetProcessWin32Process(
_In_ PEPROCESS Process,
_In_ PVOID Win32Process,
_In_ PVOID PrevWin32Process
);
NTSYSAPI
PVOID
NTAPI
PsGetProcessWin32Process(
_In_ PEPROCESS Process
);
NTSYSAPI
PVOID
NTAPI
PsGetCurrentProcessWin32Process(
VOID
);
#ifdef _WIN64
NTSYSAPI
struct _PEB32*
NTAPI
PsGetProcessWow64Process(
_In_ PEPROCESS Process
);
NTSYSAPI
struct _PEB32*
NTAPI
PsGetCurrentProcessWow64Process(
VOID
);
#endif //_WIN64
FORCEINLINE BOOLEAN NTAPI PsIs32bitProcess(
_In_ PEPROCESS Process
)
{
#ifdef _WIN64
return !!PsGetProcessWow64Process(Process);
#else
UNREFERENCED_PARAMETER(Process);
return FALSE;
#endif
}
PVOID NTAPI
PsGetProcessSecurityPort(
_In_ PEPROCESS Process
);
NTSTATUS NTAPI
PsSuspendProcess(
_In_ PEPROCESS Process
);
NTSTATUS NTAPI
PsResumeProcess(
_In_ PEPROCESS Process
);
NTKERNELAPI
NTSTATUS
NTAPI
PsAcquireProcessExitSynchronization(
_In_ PEPROCESS Process
);
NTKERNELAPI
VOID
NTAPI
PsReleaseProcessExitSynchronization(
_In_ PEPROCESS Process
);
// Job
NTSYSAPI
PEJOB
NTAPI
PsGetProcessJob(
_In_ PEPROCESS Process
);
NTSYSAPI
PERESOURCE
NTAPI
PsGetJobLock(
_In_ PEJOB Job
);
NTSYSAPI
ULONG
NTAPI
PsGetJobSessionId(
_In_ PEJOB Job
);
NTSYSAPI
VOID
NTAPI
PsSetJobUIRestrictionsClass(
_Out_ struct _EJOB* Job,
_In_ ULONG UIRestrictionsClass
);
NTSYSAPI
ULONG
NTAPI
PsGetJobUIRestrictionsClass(
_In_ PEJOB Job
);
// Debug
NTSYSAPI
PVOID
NTAPI
PsGetProcessDebugPort(
_In_ PEPROCESS Process
);
NTSYSAPI
BOOLEAN
NTAPI
PsIsProcessBeingDebugged(
_In_ PEPROCESS Process
);
// File Object
NTSYSAPI
NTSTATUS
NTAPI
PsReferenceProcessFilePointer(
_In_ PEPROCESS Process,
_Out_ PFILE_OBJECT* pFilePointer
);
// Thread
NTKERNELAPI
BOOLEAN
PsIsSystemThread(
_In_ PETHREAD Thread
);
_IRQL_requires_max_(DISPATCH_LEVEL)
NTKERNELAPI
BOOLEAN
PsIsThreadTerminating(
_In_ PETHREAD Thread
);
NTKERNELAPI
BOOLEAN
NTAPI
PsIsThreadImpersonating(
_In_ PETHREAD Thread
);
NTKERNELAPI
PVOID
NTAPI
PsGetCurrentThreadStackLimit(
VOID
);
NTKERNELAPI
PVOID
NTAPI
PsGetCurrentThreadStackBase(
VOID
);
NTKERNELAPI
KPROCESSOR_MODE
NTAPI
PsGetCurrentThreadPreviousMode(
VOID
);
NTKERNELAPI
PEPROCESS
PsGetThreadProcess(
_In_ PETHREAD Thread
);
NTKERNELAPI
PEPROCESS
NTAPI
PsGetCurrentThreadProcess(
VOID
);
NTKERNELAPI
HANDLE
NTAPI
PsGetCurrentThreadProcessId(
VOID
);
FORCEINLINE
CLIENT_ID
NTAPI
PsGetThreadClientId(
_In_ PETHREAD Thread
)
{
CLIENT_ID ClientId = { PsGetThreadProcessId(Thread), PsGetThreadId(Thread) };
return ClientId;
}
NTKERNELAPI
ULONG
NTAPI
PsGetThreadSessionId(
_In_ PETHREAD Thread
);
NTKERNELAPI
NTSTATUS
NTAPI
PsSetContextThread(
_In_ PETHREAD Thread,
_In_ PCONTEXT ThreadContext,
_In_ KPROCESSOR_MODE Mode
);
NTKERNELAPI
NTSTATUS
NTAPI
PsGetContextThread(
_In_ PETHREAD Thread,
_Inout_ PCONTEXT ThreadContext,
_In_ KPROCESSOR_MODE Mode
);
NTKERNELAPI
VOID
NTAPI
PsSetThreadWin32Thread(
_Inout_ PETHREAD Thread,
_In_ PVOID Win32Thread,
_In_ PVOID PrevWin32Thread
);
NTKERNELAPI
PVOID
NTAPI
PsGetThreadWin32Thread(
_In_ PETHREAD Thread
);
NTKERNELAPI
PVOID
NTAPI
PsGetCurrentThreadWin32Thread(
VOID
);
NTKERNELAPI
PVOID
NTAPI
PsGetCurrentThreadWin32ThreadAndEnterCriticalRegion(
_Out_ PHANDLE ProcessId
);
#define PsGetThreadTcb(Thread) ((PKTHREAD)(Thread))
NTKERNELAPI
PVOID
NTAPI
PsGetThreadTeb(
_In_ PETHREAD Thread
);
NTKERNELAPI
CCHAR
NTAPI
PsGetThreadFreezeCount(
_In_ PETHREAD Thread
);
NTKERNELAPI
BOOLEAN
NTAPI
PsGetThreadHardErrorsAreDisabled(
_In_ PETHREAD Thread
);
#endif // _KERNEL_MODE
VEIL_END()
#if _MSC_VER >= 1200
#pragma warning(pop)
#endif
Reference in New Issue View Git Blame Copy Permalink