#include <ntifs.h>
#include <phnt.h>
#include <ntfill.h>
#include <kphapi.h>

Data Structures
struct	_KPH_PARAMETERS

Macros
#define	PHNT_MODE PHNT_MODE_KERNEL

#define	dprintf

Typedefs
typedef struct _KPH_PARAMETERS	KPH_PARAMETERS

typedef struct _KPH_PARAMETERS *	PKPH_PARAMETERS

Functions
NTSTATUS	KpiGetFeatures (__out PULONG Features, __in KPROCESSOR_MODE AccessMode)

NTSTATUS	KphEnumerateSystemModules (__out PRTL_PROCESS_MODULES *Modules)
	Enumerates the modules loaded by the kernel.

NTSTATUS	KphValidateAddressForSystemModules (__in PVOID Address, __in SIZE_T Length)
	Checks if an address range lies within a kernel module.

	__drv_dispatchType (IRP_MJ_DEVICE_CONTROL) DRIVER_DISPATCH KphDispatchDeviceControl

NTSTATUS	KphDispatchDeviceControl (__in PDEVICE_OBJECT DeviceObject, __in PIRP Irp)

VOID	KphDynamicImport (VOID)
	Dynamically imports routines.

PVOID	KphGetSystemRoutineAddress (__in PWSTR SystemRoutineName)
	Retrieves the address of a function exported by NTOS or HAL.

POBJECT_TYPE	KphGetObjectType (__in PVOID Object)
	Gets the type of an object.

PHANDLE_TABLE	KphReferenceProcessHandleTable (__in PEPROCESS Process)
	Gets a pointer to the handle table of a process.

VOID	KphDereferenceProcessHandleTable (__in PEPROCESS Process)
	Dereferences the handle table of a process.

VOID	KphUnlockHandleTableEntry (__in PHANDLE_TABLE HandleTable, __in PHANDLE_TABLE_ENTRY HandleTableEntry)

NTSTATUS	KpiEnumerateProcessHandles (__in HANDLE ProcessHandle, __out_bcount(BufferLength) PVOID Buffer, __in_opt ULONG BufferLength, __out_opt PULONG ReturnLength, __in KPROCESSOR_MODE AccessMode)
	Enumerates the handles of a process.

NTSTATUS	KphQueryNameObject (__in PVOID Object, __out_bcount(BufferLength) POBJECT_NAME_INFORMATION Buffer, __in ULONG BufferLength, __out PULONG ReturnLength)
	Queries the name of an object.

NTSTATUS	KphQueryNameFileObject (__in PFILE_OBJECT FileObject, __out_bcount(BufferLength) POBJECT_NAME_INFORMATION Buffer, __in ULONG BufferLength, __out PULONG ReturnLength)
	Queries the name of a file object.

NTSTATUS	KpiQueryInformationObject (__in HANDLE ProcessHandle, __in HANDLE Handle, __in KPH_OBJECT_INFORMATION_CLASS ObjectInformationClass, __out_bcount(ObjectInformationLength) PVOID ObjectInformation, __in ULONG ObjectInformationLength, __out_opt PULONG ReturnLength, __in KPROCESSOR_MODE AccessMode)
	Queries object information.

NTSTATUS	KpiSetInformationObject (__in HANDLE ProcessHandle, __in HANDLE Handle, __in KPH_OBJECT_INFORMATION_CLASS ObjectInformationClass, __in_bcount(ObjectInformationLength) PVOID ObjectInformation, __in ULONG ObjectInformationLength, __in KPROCESSOR_MODE AccessMode)
	Sets object information.

NTSTATUS	KphDuplicateObject (__in PEPROCESS SourceProcess, __in_opt PEPROCESS TargetProcess, __in HANDLE SourceHandle, __out_opt PHANDLE TargetHandle, __in ACCESS_MASK DesiredAccess, __in ULONG HandleAttributes, __in ULONG Options, __in KPROCESSOR_MODE AccessMode)
	Re-opens an object.

NTSTATUS	KpiDuplicateObject (__in HANDLE SourceProcessHandle, __in HANDLE SourceHandle, __in_opt HANDLE TargetProcessHandle, __out_opt PHANDLE TargetHandle, __in ACCESS_MASK DesiredAccess, __in ULONG HandleAttributes, __in ULONG Options, __in KPROCESSOR_MODE AccessMode)
	Re-opens an object.

NTSTATUS	KphOpenNamedObject (__out PHANDLE ObjectHandle, __in ACCESS_MASK DesiredAccess, __in POBJECT_ATTRIBUTES ObjectAttributes, __in POBJECT_TYPE ObjectType, __in KPROCESSOR_MODE AccessMode)

NTSTATUS	KpiOpenProcess (__out PHANDLE ProcessHandle, __in ACCESS_MASK DesiredAccess, __in PCLIENT_ID ClientId, __in KPROCESSOR_MODE AccessMode)
	Opens a process.

NTSTATUS	KpiOpenProcessToken (__in HANDLE ProcessHandle, __in ACCESS_MASK DesiredAccess, __out PHANDLE TokenHandle, __in KPROCESSOR_MODE AccessMode)
	Opens the token of a process.

NTSTATUS	KpiOpenProcessJob (__in HANDLE ProcessHandle, __in ACCESS_MASK DesiredAccess, __out PHANDLE JobHandle, __in KPROCESSOR_MODE AccessMode)
	Opens the job object of a process.

NTSTATUS	KpiSuspendProcess (__in HANDLE ProcessHandle, __in KPROCESSOR_MODE AccessMode)
	Suspends a process.

NTSTATUS	KpiResumeProcess (__in HANDLE ProcessHandle, __in KPROCESSOR_MODE AccessMode)
	Resumes a process.

NTSTATUS	KphTerminateProcessInternal (__in PEPROCESS Process, __in NTSTATUS ExitStatus)
	Terminates a process using PsTerminateProcess.

NTSTATUS	KpiTerminateProcess (__in HANDLE ProcessHandle, __in NTSTATUS ExitStatus, __in KPROCESSOR_MODE AccessMode)
	Terminates a process using PsTerminateProcess.

NTSTATUS	KpiQueryInformationProcess (__in HANDLE ProcessHandle, __in KPH_PROCESS_INFORMATION_CLASS ProcessInformationClass, __out_bcount(ProcessInformationLength) PVOID ProcessInformation, __in ULONG ProcessInformationLength, __out_opt PULONG ReturnLength, __in KPROCESSOR_MODE AccessMode)
	Queries process information.

NTSTATUS	KpiSetInformationProcess (__in HANDLE ProcessHandle, __in KPH_PROCESS_INFORMATION_CLASS ProcessInformationClass, __in_bcount(ProcessInformationLength) PVOID ProcessInformation, __in ULONG ProcessInformationLength, __in KPROCESSOR_MODE AccessMode)
	Sets process information.

BOOLEAN	KphAcquireProcessRundownProtection (__in PEPROCESS Process)
	Prevents a process from terminating.

VOID	KphReleaseProcessRundownProtection (__in PEPROCESS Process)
	Allows a process to terminate.

NTSTATUS	KpiOpenDriver (__out PHANDLE DriverHandle, __in POBJECT_ATTRIBUTES ObjectAttributes, __in KPROCESSOR_MODE AccessMode)

NTSTATUS	KpiQueryInformationDriver (__in HANDLE DriverHandle, __in DRIVER_INFORMATION_CLASS DriverInformationClass, __out_bcount(DriverInformationLength) PVOID DriverInformation, __in ULONG DriverInformationLength, __out_opt PULONG ReturnLength, __in KPROCESSOR_MODE AccessMode)

NTSTATUS	KpiOpenThread (__out PHANDLE ThreadHandle, __in ACCESS_MASK DesiredAccess, __in PCLIENT_ID ClientId, __in KPROCESSOR_MODE AccessMode)
	Opens a thread.

NTSTATUS	KpiOpenThreadProcess (__in HANDLE ThreadHandle, __in ACCESS_MASK DesiredAccess, __out PHANDLE ProcessHandle, __in KPROCESSOR_MODE AccessMode)
	Opens the process of a thread.

NTSTATUS	KphTerminateThreadByPointerInternal (__in PETHREAD Thread, __in NTSTATUS ExitStatus)
	Terminates a thread using PspTerminateThreadByPointer.

NTSTATUS	KpiTerminateThread (__in HANDLE ThreadHandle, __in NTSTATUS ExitStatus, __in KPROCESSOR_MODE AccessMode)
	Terminates a thread.

NTSTATUS	KpiTerminateThreadUnsafe (__in HANDLE ThreadHandle, __in NTSTATUS ExitStatus, __in KPROCESSOR_MODE AccessMode)
	Terminates a thread using an unsafe method.

NTSTATUS	KpiGetContextThread (__in HANDLE ThreadHandle, __inout PCONTEXT ThreadContext, __in KPROCESSOR_MODE AccessMode)
	Gets the context of a thread.

NTSTATUS	KpiSetContextThread (__in HANDLE ThreadHandle, __in PCONTEXT ThreadContext, __in KPROCESSOR_MODE AccessMode)
	Sets the context of a thread.

ULONG	KphCaptureStackBackTrace (__in ULONG FramesToSkip, __in ULONG FramesToCapture, __in_opt ULONG Flags, __out_ecount(FramesToCapture) PVOID *BackTrace, __out_opt PULONG BackTraceHash)
	Captures a stack trace of the current thread.

NTSTATUS	KphCaptureStackBackTraceThread (__in PETHREAD Thread, __in ULONG FramesToSkip, __in ULONG FramesToCapture, __out_ecount(FramesToCapture) PVOID *BackTrace, __out_opt PULONG CapturedFrames, __out_opt PULONG BackTraceHash, __in KPROCESSOR_MODE AccessMode)
	Captures the stack trace of a thread.

NTSTATUS	KpiCaptureStackBackTraceThread (__in HANDLE ThreadHandle, __in ULONG FramesToSkip, __in ULONG FramesToCapture, __out_ecount(FramesToCapture) PVOID *BackTrace, __out_opt PULONG CapturedFrames, __out_opt PULONG BackTraceHash, __in KPROCESSOR_MODE AccessMode)
	Captures the stack trace of a thread.

NTSTATUS	KpiQueryInformationThread (__in HANDLE ThreadHandle, __in KPH_THREAD_INFORMATION_CLASS ThreadInformationClass, __out_bcount(ProcessInformationLength) PVOID ThreadInformation, __in ULONG ThreadInformationLength, __out_opt PULONG ReturnLength, __in KPROCESSOR_MODE AccessMode)
	Queries thread information.

NTSTATUS	KpiSetInformationThread (__in HANDLE ThreadHandle, __in KPH_THREAD_INFORMATION_CLASS ThreadInformationClass, __in_bcount(ThreadInformationLength) PVOID ThreadInformation, __in ULONG ThreadInformationLength, __in KPROCESSOR_MODE AccessMode)
	Sets thread information.

NTSTATUS	KphCopyVirtualMemory (__in PEPROCESS FromProcess, __in PVOID FromAddress, __in PEPROCESS ToProcess, __in PVOID ToAddress, __in SIZE_T BufferLength, __in KPROCESSOR_MODE AccessMode, __out PSIZE_T ReturnLength)
	Copies memory from one process to another.

NTSTATUS	KpiReadVirtualMemory (__in HANDLE ProcessHandle, __in PVOID BaseAddress, __out_bcount(BufferSize) PVOID Buffer, __in SIZE_T BufferSize, __out_opt PSIZE_T NumberOfBytesRead, __in KPROCESSOR_MODE AccessMode)
	Copies memory from another process into the current process.

NTSTATUS	KpiWriteVirtualMemory (__in HANDLE ProcessHandle, __in_opt PVOID BaseAddress, __in_bcount(BufferSize) PVOID Buffer, __in SIZE_T BufferSize, __out_opt PSIZE_T NumberOfBytesWritten, __in KPROCESSOR_MODE AccessMode)
	Copies memory from the current process into another process.

NTSTATUS	KpiReadVirtualMemoryUnsafe (__in_opt HANDLE ProcessHandle, __in PVOID BaseAddress, __out_bcount(BufferSize) PVOID Buffer, __in SIZE_T BufferSize, __out_opt PSIZE_T NumberOfBytesRead, __in KPROCESSOR_MODE AccessMode)
	Copies process or kernel memory into the current process.

FORCEINLINE VOID	KphFreeCapturedUnicodeString (__in PUNICODE_STRING CapturedUnicodeString)

FORCEINLINE NTSTATUS	KphCaptureUnicodeString (__in PUNICODE_STRING UnicodeString, __out PUNICODE_STRING CapturedUnicodeString)

Variables
ULONG	KphFeatures

KPH_PARAMETERS	KphParameters

_ExfUnblockPushLock	ExfUnblockPushLock_I

_ObGetObjectType	ObGetObjectType_I

_PsAcquireProcessExitSynchronization	PsAcquireProcessExitSynchronization_I

_PsIsProtectedProcess	PsIsProtectedProcess_I

_PsReleaseProcessExitSynchronization	PsReleaseProcessExitSynchronization_I

_PsResumeProcess	PsResumeProcess_I

_PsSuspendProcess	PsSuspendProcess_I

Macro Definition Documentation

#define dprintf

Definition at line 15 of file kph.h.

#define PHNT_MODE PHNT_MODE_KERNEL

Definition at line 5 of file kph.h.

Typedef Documentation

typedef struct _KPH_PARAMETERS KPH_PARAMETERS

typedef struct _KPH_PARAMETERS * PKPH_PARAMETERS

Function Documentation

__drv_dispatchType ( IRP_MJ_DEVICE_CONTROL )

BOOLEAN KphAcquireProcessRundownProtection ( __in PEPROCESS Process )

Prevents a process from terminating.

Parameters

Process A process object.

Returns: TRUE if the function succeeded, FALSE if the process is currently terminating or the request is not supported.

Definition at line 904 of file process.c.

ULONG KphCaptureStackBackTrace	(	__in ULONG	FramesToSkip,
		__in ULONG	FramesToCapture,
		__in_opt ULONG	Flags,
		__out_ecount(FramesToCapture) PVOID *	BackTrace,
		__out_opt PULONG	BackTraceHash
	)

Captures a stack trace of the current thread.

Parameters

FramesToSkip	The number of frames to skip from the bottom of the stack.
FramesToCapture	The number of frames to capture.
Flags	A combination of the following: `RTL_WALK_USER_MODE_STACK` The user-mode stack will be retrieved instead of the kernel-mode stack.
BackTrace	An array in which the stack trace will be stored.
BackTraceHash	A variable which receives a hash of the stack trace.

Returns: The number of frames captured.

Definition at line 582 of file thread.c.

NTSTATUS KphCaptureStackBackTraceThread	(	__in PETHREAD	Thread,
		__in ULONG	FramesToSkip,
		__in ULONG	FramesToCapture,
		__out_ecount(FramesToCapture) PVOID *	BackTrace,
		__out_opt PULONG	CapturedFrames,
		__out_opt PULONG	BackTraceHash,
		__in KPROCESSOR_MODE	AccessMode
	)

Captures the stack trace of a thread.

Parameters

Thread	The thread to capture the stack trace of.
FramesToSkip	The number of frames to skip from the bottom of the stack.
FramesToCapture	The number of frames to capture.
BackTrace	An array in which the stack trace will be stored.
CapturedFrames	A variable which receives the number of frames captured.
BackTraceHash	A variable which receives a hash of the stack trace.
AccessMode	The mode in which to perform access checks.

Returns: The number of frames captured.

Definition at line 650 of file thread.c.

FORCEINLINE NTSTATUS KphCaptureUnicodeString	(	__in PUNICODE_STRING	UnicodeString,
		__out PUNICODE_STRING	CapturedUnicodeString
	)

Definition at line 385 of file kph.h.

NTSTATUS KphCopyVirtualMemory	(	__in PEPROCESS	FromProcess,
		__in PVOID	FromAddress,
		__in PEPROCESS	ToProcess,
		__in PVOID	ToAddress,
		__in SIZE_T	BufferLength,
		__in KPROCESSOR_MODE	AccessMode,
		__out PSIZE_T	ReturnLength
	)

Copies memory from one process to another.

Parameters

FromProcess	The source process.
FromAddress	The source address.
ToProcess	The target process.
ToAddress	The target address.
BufferLength	The number of bytes to copy.
AccessMode	The mode in which to perform access checks.
ReturnLength	A variable which receives the number of bytes copied.

Definition at line 80 of file vm.c.

VOID KphDereferenceProcessHandleTable ( __in PEPROCESS Process )

Dereferences the handle table of a process.

Parameters

Process A process object.

Definition at line 152 of file object.c.

NTSTATUS KphDispatchDeviceControl	(	__in PDEVICE_OBJECT	DeviceObject,
		__in PIRP	Irp
	)

Definition at line 24 of file devctrl.c.

NTSTATUS KphDuplicateObject	(	__in PEPROCESS	SourceProcess,
		__in_opt PEPROCESS	TargetProcess,
		__in HANDLE	SourceHandle,
		__out_opt PHANDLE	TargetHandle,
		__in ACCESS_MASK	DesiredAccess,
		__in ULONG	HandleAttributes,
		__in ULONG	Options,
		__in KPROCESSOR_MODE	AccessMode
	)

Re-opens an object.

Parameters

SourceProcess	The source process from which the object will be referenced.
TargetProcess	The target process to which the object handle will be duplicated.
SourceHandle	The source handle, present in SourceProcess.
TargetHandle	A variable which receives the new handle.
DesiredAccess	The desired access to the object for the new handle.
HandleAttributes	The attributes of the new handle.
Options	A combination of the following: `DUPLICATE_CLOSE_SOURCE` The handle will be closed in the source process instead of being duplicated to the target process. The TargetProcess and TargetHandle parameters are ignored. `DUPLICATE_SAME_ACCESS` The new handle will have the same granted access as the existing handle. `DUPLICATE_SAME_ATTRIBUTES` The new handle will have the same attributes as the existing handle.
AccessMode	The mode in which access checks will be performed.

Definition at line 1343 of file object.c.

VOID KphDynamicImport ( VOID )

Dynamically imports routines.

Definition at line 41 of file dynimp.c.

NTSTATUS KphEnumerateSystemModules ( __out PRTL_PROCESS_MODULES * Modules )

Enumerates the modules loaded by the kernel.

Parameters

Modules A variable which receives a pointer to a structure containing information about the kernel modules. The structure must be freed with the tag 'ThpK'.

Definition at line 317 of file main.c.

FORCEINLINE VOID KphFreeCapturedUnicodeString ( __in PUNICODE_STRING CapturedUnicodeString )

Definition at line 377 of file kph.h.

POBJECT_TYPE KphGetObjectType ( __in PVOID Object )

Gets the type of an object.

Parameters

Object A pointer to an object.

Returns: A pointer to the object's type object, or NULL if an error occurred.

Definition at line 81 of file object.c.

PVOID KphGetSystemRoutineAddress ( __in PWSTR SystemRoutineName )

Retrieves the address of a function exported by NTOS or HAL.

Parameters

SystemRoutineName The name of the function.

Returns: The address of the function, or NULL if the function could not be found.

Definition at line 73 of file dynimp.c.

NTSTATUS KphOpenNamedObject	(	__out PHANDLE	ObjectHandle,
		__in ACCESS_MASK	DesiredAccess,
		__in POBJECT_ATTRIBUTES	ObjectAttributes,
		__in POBJECT_TYPE	ObjectType,
		__in KPROCESSOR_MODE	AccessMode
	)

Definition at line 1587 of file object.c.

NTSTATUS KphQueryNameFileObject	(	__in PFILE_OBJECT	FileObject,
		__out_bcount(BufferLength) POBJECT_NAME_INFORMATION	Buffer,
		__in ULONG	BufferLength,
		__out PULONG	ReturnLength
	)

Queries the name of a file object.

Parameters

FileObject	A pointer to a file object.
Buffer	The buffer in which the object name will be stored.
BufferLength	The number of bytes available in Buffer.
ReturnLength	A variable which receives the number of bytes required to be available in Buffer.

Definition at line 484 of file object.c.

NTSTATUS KphQueryNameObject	(	__in PVOID	Object,
		__out_bcount(BufferLength) POBJECT_NAME_INFORMATION	Buffer,
		__in ULONG	BufferLength,
		__out PULONG	ReturnLength
	)

Queries the name of an object.

Parameters

Object	A pointer to an object.
Buffer	The buffer in which the object name will be stored.
BufferLength	The number of bytes available in Buffer.
ReturnLength	A variable which receives the number of bytes required to be available in Buffer.

Definition at line 433 of file object.c.

PHANDLE_TABLE KphReferenceProcessHandleTable ( __in PEPROCESS Process )

Gets a pointer to the handle table of a process.

Parameters

Process A process object.

Returns: A pointer to the handle table, or NULL if the process is terminating or the request is not supported. You must call KphDereferenceProcessHandleTable() when the handle table is no longer needed.

Definition at line 123 of file object.c.

VOID KphReleaseProcessRundownProtection ( __in PEPROCESS Process )

Allows a process to terminate.

Parameters

Process A process object.

Definition at line 927 of file process.c.

NTSTATUS KphTerminateProcessInternal	(	__in PEPROCESS	Process,
		__in NTSTATUS	ExitStatus
	)

Terminates a process using PsTerminateProcess.

Parameters

Process	A process object.
ExitStatus	A status value which indicates why the process is being terminated.

Definition at line 386 of file process.c.

NTSTATUS KphTerminateThreadByPointerInternal	(	__in PETHREAD	Thread,
		__in NTSTATUS	ExitStatus
	)

Terminates a thread using PspTerminateThreadByPointer.

Parameters

Thread	A thread object.
ExitStatus	A status value which indicates why the thread is being terminated.

Definition at line 257 of file thread.c.

VOID KphUnlockHandleTableEntry	(	__in PHANDLE_TABLE	HandleTable,
		__in PHANDLE_TABLE_ENTRY	HandleTableEntry
	)

Definition at line 161 of file object.c.

NTSTATUS KphValidateAddressForSystemModules	(	__in PVOID	Address,
		__in SIZE_T	Length
	)

Checks if an address range lies within a kernel module.

Parameters

Address	The beginning of the address range.
Length	The number of bytes in the address range.

Definition at line 370 of file main.c.

NTSTATUS KpiCaptureStackBackTraceThread	(	__in HANDLE	ThreadHandle,
		__in ULONG	FramesToSkip,
		__in ULONG	FramesToCapture,
		__out_ecount(FramesToCapture) PVOID *	BackTrace,
		__out_opt PULONG	CapturedFrames,
		__out_opt PULONG	BackTraceHash,
		__in KPROCESSOR_MODE	AccessMode
	)

Captures the stack trace of a thread.

Parameters

ThreadHandle	A handle to the thread to capture the stack trace of.
FramesToSkip	The number of frames to skip from the bottom of the stack.
FramesToCapture	The number of frames to capture.
BackTrace	An array in which the stack trace will be stored.
CapturedFrames	A variable which receives the number of frames captured.
BackTraceHash	A variable which receives a hash of the stack trace.
AccessMode	The mode in which to perform access checks.

Returns: The number of frames captured.

Definition at line 866 of file thread.c.

NTSTATUS KpiDuplicateObject	(	__in HANDLE	SourceProcessHandle,
		__in HANDLE	SourceHandle,
		__in_opt HANDLE	TargetProcessHandle,
		__out_opt PHANDLE	TargetHandle,
		__in ACCESS_MASK	DesiredAccess,
		__in ULONG	HandleAttributes,
		__in ULONG	Options,
		__in KPROCESSOR_MODE	AccessMode
	)

Re-opens an object.

Parameters

SourceProcessHandle	A handle to the source process from which the object will be referenced.
SourceHandle	The source handle, present in SourceProcess.
TargetProcessHandle	A handle to the target process to which the object handle will be duplicated.
TargetHandle	A variable which receives the new handle.
DesiredAccess	The desired access to the object for the new handle.
HandleAttributes	The attributes of the new handle.
Options	A combination of the following: `DUPLICATE_CLOSE_SOURCE` The handle will be closed in the source process instead of being duplicated to the target process. The TargetProcess and TargetHandle parameters are ignored. `DUPLICATE_SAME_ACCESS` The new handle will have the same granted access as the existing handle. `DUPLICATE_SAME_ATTRIBUTES` The new handle will have the same attributes as the existing handle.
AccessMode	The mode in which access checks will be performed.

Definition at line 1487 of file object.c.

NTSTATUS KpiEnumerateProcessHandles	(	__in HANDLE	ProcessHandle,
		__out_bcount(BufferLength) PVOID	Buffer,
		__in_opt ULONG	BufferLength,
		__out_opt PULONG	ReturnLength,
		__in KPROCESSOR_MODE	AccessMode
	)

Enumerates the handles of a process.

Parameters

ProcessHandle	A handle to a process.
Buffer	The buffer in which the handle information will be stored.
BufferLength	The number of bytes available in Buffer.
ReturnLength	A variable which receives the number of bytes required to be available in Buffer.
AccessMode	The mode in which to perform access checks.

Definition at line 285 of file object.c.

NTSTATUS KpiGetContextThread	(	__in HANDLE	ThreadHandle,
		__inout PCONTEXT	ThreadContext,
		__in KPROCESSOR_MODE	AccessMode
	)

Gets the context of a thread.

Parameters

ThreadHandle	A handle to a thread.
ThreadContext	A pointer to a context structure. ContextFlags must be set.
AccessMode	The mode in which to perform access checks.

Definition at line 501 of file thread.c.

NTSTATUS KpiGetFeatures	(	__out PULONG	Features,
		__in KPROCESSOR_MODE	AccessMode
	)

Definition at line 282 of file main.c.

NTSTATUS KpiOpenDriver	(	__out PHANDLE	DriverHandle,
		__in POBJECT_ATTRIBUTES	ObjectAttributes,
		__in KPROCESSOR_MODE	AccessMode
	)

Definition at line 35 of file qrydrv.c.

NTSTATUS KpiOpenProcess	(	__out PHANDLE	ProcessHandle,
		__in ACCESS_MASK	DesiredAccess,
		__in PCLIENT_ID	ClientId,
		__in KPROCESSOR_MODE	AccessMode
	)

Opens a process.

Parameters

ProcessHandle	A variable which receives the process handle.
DesiredAccess	The desired access to the process.
ClientId	The identifier of a process or thread. If UniqueThread is present, the process of the identified thread will be opened. If UniqueProcess is present, the identified process will be opened.
AccessMode	The mode in which to perform access checks.

Definition at line 47 of file process.c.

NTSTATUS KpiOpenProcessJob	(	__in HANDLE	ProcessHandle,
		__in ACCESS_MASK	DesiredAccess,
		__out PHANDLE	JobHandle,
		__in KPROCESSOR_MODE	AccessMode
	)

Opens the job object of a process.

Parameters

ProcessHandle	A handle to a process.
DesiredAccess	The desired access to the token.
JobHandle	A variable which receives the job object handle.
AccessMode	The mode in which to perform access checks.

Definition at line 224 of file process.c.

NTSTATUS KpiOpenProcessToken	(	__in HANDLE	ProcessHandle,
		__in ACCESS_MASK	DesiredAccess,
		__out PHANDLE	TokenHandle,
		__in KPROCESSOR_MODE	AccessMode
	)

Opens the token of a process.

Parameters

ProcessHandle	A handle to a process.
DesiredAccess	The desired access to the token.
TokenHandle	A variable which receives the token handle.
AccessMode	The mode in which to perform access checks.

Definition at line 141 of file process.c.

NTSTATUS KpiOpenThread	(	__out PHANDLE	ThreadHandle,
		__in ACCESS_MASK	DesiredAccess,
		__in PCLIENT_ID	ClientId,
		__in KPROCESSOR_MODE	AccessMode
	)

Opens a thread.

Parameters

ThreadHandle	A variable which receives the thread handle.
DesiredAccess	The desired access to the thread.
ClientId	The identifier of a thread. UniqueThread must be present. If UniqueProcess is present, the process of the referenced thread will be checked against this identifier.
AccessMode	The mode in which to perform access checks.

Definition at line 89 of file thread.c.

NTSTATUS KpiOpenThreadProcess	(	__in HANDLE	ThreadHandle,
		__in ACCESS_MASK	DesiredAccess,
		__out PHANDLE	ProcessHandle,
		__in KPROCESSOR_MODE	AccessMode
	)

Opens the process of a thread.

Parameters

ThreadHandle	A handle to a thread.
DesiredAccess	The desired access to the process.
ProcessHandle	A variable which receives the process handle.
AccessMode	The mode in which to perform access checks.

Definition at line 176 of file thread.c.

NTSTATUS KpiQueryInformationDriver	(	__in HANDLE	DriverHandle,
		__in DRIVER_INFORMATION_CLASS	DriverInformationClass,
		__out_bcount(DriverInformationLength) PVOID	DriverInformation,
		__in ULONG	DriverInformationLength,
		__out_opt PULONG	ReturnLength,
		__in KPROCESSOR_MODE	AccessMode
	)

Definition at line 52 of file qrydrv.c.

NTSTATUS KpiQueryInformationObject	(	__in HANDLE	ProcessHandle,
		__in HANDLE	Handle,
		__in KPH_OBJECT_INFORMATION_CLASS	ObjectInformationClass,
		__out_bcount(ObjectInformationLength) PVOID	ObjectInformation,
		__in ULONG	ObjectInformationLength,
		__out_opt PULONG	ReturnLength,
		__in KPROCESSOR_MODE	AccessMode
	)

Queries object information.

Parameters

ProcessHandle	A handle to a process.
Handle	A handle which is present in the process referenced by ProcessHandle.
ObjectInformationClass	The type of information to retrieve.
ObjectInformation	The buffer in which the information will be stored.
ObjectInformationLength	The number of bytes available in ObjectInformation.
ReturnLength	A variable which receives the number of bytes required to be available in ObjectInformation.
AccessMode	The mode in which to perform access checks.

Definition at line 637 of file object.c.

NTSTATUS KpiQueryInformationProcess	(	__in HANDLE	ProcessHandle,
		__in KPH_PROCESS_INFORMATION_CLASS	ProcessInformationClass,
		__out_bcount(ProcessInformationLength) PVOID	ProcessInformation,
		__in ULONG	ProcessInformationLength,
		__out_opt PULONG	ReturnLength,
		__in KPROCESSOR_MODE	AccessMode
	)

Queries process information.

Parameters

ProcessHandle	A handle to a process.
ProcessInformationClass	The type of information to query.
ProcessInformation	The buffer in which the information will be stored.
ProcessInformationLength	The number of bytes available in ProcessInformation.
ReturnLength	A variable which receives the number of bytes required to be available in ProcessInformation.
AccessMode	The mode in which to perform access checks.

Definition at line 537 of file process.c.

NTSTATUS KpiQueryInformationThread	(	__in HANDLE	ThreadHandle,
		__in KPH_THREAD_INFORMATION_CLASS	ThreadInformationClass,
		__out_bcount(ProcessInformationLength) PVOID	ThreadInformation,
		__in ULONG	ThreadInformationLength,
		__out_opt PULONG	ReturnLength,
		__in KPROCESSOR_MODE	AccessMode
	)

Queries thread information.

Parameters

ThreadHandle	A handle to a thread.
ThreadInformationClass	The type of information to query.
ThreadInformation	The buffer in which the information will be stored.
ThreadInformationLength	The number of bytes available in ThreadInformation.
ReturnLength	A variable which receives the number of bytes required to be available in ThreadInformation.
AccessMode	The mode in which to perform access checks.

Definition at line 919 of file thread.c.

NTSTATUS KpiReadVirtualMemory	(	__in HANDLE	ProcessHandle,
		__in PVOID	BaseAddress,
		__out_bcount(BufferSize) PVOID	Buffer,
		__in SIZE_T	BufferSize,
		__out_opt PSIZE_T	NumberOfBytesRead,
		__in KPROCESSOR_MODE	AccessMode
	)

Copies memory from another process into the current process.

Parameters

ProcessHandle	A handle to a process. The handle must have PROCESS_VM_READ access.
BaseAddress	The address from which memory is to be copied.
Buffer	A buffer which receives the copied memory.
BufferSize	The number of bytes to copy.
NumberOfBytesRead	A variable which receives the number of bytes copied to the buffer.
AccessMode	The mode in which to perform access checks.

Definition at line 316 of file vm.c.

NTSTATUS KpiReadVirtualMemoryUnsafe	(	__in_opt HANDLE	ProcessHandle,
		__in PVOID	BaseAddress,
		__out_bcount(BufferSize) PVOID	Buffer,
		__in SIZE_T	BufferSize,
		__out_opt PSIZE_T	NumberOfBytesRead,
		__in KPROCESSOR_MODE	AccessMode
	)

Copies process or kernel memory into the current process.

Parameters

ProcessHandle	A handle to a process. The handle must have PROCESS_VM_READ access. This parameter may be NULL if BaseAddress lies above the user-mode range.
BaseAddress	The address from which memory is to be copied.
Buffer	A buffer which receives the copied memory.
BufferSize	The number of bytes to copy.
NumberOfBytesRead	A variable which receives the number of bytes copied to the buffer.
AccessMode	The mode in which to perform access checks.

Definition at line 529 of file vm.c.

NTSTATUS KpiResumeProcess	(	__in HANDLE	ProcessHandle,
		__in KPROCESSOR_MODE	AccessMode
	)

Resumes a process.

Parameters

ProcessHandle	A handle to a process.
AccessMode	The mode in which to perform access checks.

Definition at line 348 of file process.c.

NTSTATUS KpiSetContextThread	(	__in HANDLE	ThreadHandle,
		__in PCONTEXT	ThreadContext,
		__in KPROCESSOR_MODE	AccessMode
	)

Sets the context of a thread.

Parameters

ThreadHandle	A handle to a thread.
ThreadContext	The new context of the thread.
AccessMode	The mode in which to perform access checks.

Definition at line 537 of file thread.c.

NTSTATUS KpiSetInformationObject	(	__in HANDLE	ProcessHandle,
		__in HANDLE	Handle,
		__in KPH_OBJECT_INFORMATION_CLASS	ObjectInformationClass,
		__in_bcount(ObjectInformationLength) PVOID	ObjectInformation,
		__in ULONG	ObjectInformationLength,
		__in KPROCESSOR_MODE	AccessMode
	)

Sets object information.

Parameters

ProcessHandle	A handle to a process.
Handle	A handle which is present in the process referenced by ProcessHandle.
ObjectInformationClass	The type of information to set.
ObjectInformation	A buffer which contains the information to set.
ObjectInformationLength	The number of bytes present in ObjectInformation.
AccessMode	The mode in which to perform access checks.

Definition at line 1218 of file object.c.

NTSTATUS KpiSetInformationProcess	(	__in HANDLE	ProcessHandle,
		__in KPH_PROCESS_INFORMATION_CLASS	ProcessInformationClass,
		__in_bcount(ProcessInformationLength) PVOID	ProcessInformation,
		__in ULONG	ProcessInformationLength,
		__in KPROCESSOR_MODE	AccessMode
	)

Sets process information.

Parameters

ProcessHandle	A handle to a process.
ProcessInformationClass	The type of information to set.
ProcessInformation	A buffer which contains the information to set.
ProcessInformationLength	The number of bytes present in ProcessInformation.
AccessMode	The mode in which to perform access checks.

Definition at line 747 of file process.c.

NTSTATUS KpiSetInformationThread	(	__in HANDLE	ThreadHandle,
		__in KPH_THREAD_INFORMATION_CLASS	ThreadInformationClass,
		__in_bcount(ThreadInformationLength) PVOID	ThreadInformation,
		__in ULONG	ThreadInformationLength,
		__in KPROCESSOR_MODE	AccessMode
	)

Sets thread information.

Parameters

ThreadHandle	A handle to a thread.
ThreadInformationClass	The type of information to set.
ThreadInformation	A buffer which contains the information to set.
ThreadInformationLength	The number of bytes present in ThreadInformation.
AccessMode	The mode in which to perform access checks.

Definition at line 1074 of file thread.c.

NTSTATUS KpiSuspendProcess	(	__in HANDLE	ProcessHandle,
		__in KPROCESSOR_MODE	AccessMode
	)

Suspends a process.

Parameters

ProcessHandle	A handle to a process.
AccessMode	The mode in which to perform access checks.

Definition at line 311 of file process.c.

NTSTATUS KpiTerminateProcess	(	__in HANDLE	ProcessHandle,
		__in NTSTATUS	ExitStatus,
		__in KPROCESSOR_MODE	AccessMode
	)

Terminates a process using PsTerminateProcess.

Parameters

ProcessHandle	A handle to a process.
ExitStatus	A status value which indicates why the process is being terminated.
AccessMode	The mode in which to perform access checks.

Definition at line 467 of file process.c.

NTSTATUS KpiTerminateThread	(	__in HANDLE	ThreadHandle,
		__in NTSTATUS	ExitStatus,
		__in KPROCESSOR_MODE	AccessMode
	)

Terminates a thread.

Parameters

ThreadHandle	A handle to a thread.
ExitStatus	A status value which indicates why the thread is being terminated.
AccessMode	The mode in which to perform access checks.

Definition at line 354 of file thread.c.

NTSTATUS KpiTerminateThreadUnsafe	(	__in HANDLE	ThreadHandle,
		__in NTSTATUS	ExitStatus,
		__in KPROCESSOR_MODE	AccessMode
	)

Terminates a thread using an unsafe method.

Parameters

ThreadHandle	A handle to a thread.
ExitStatus	A status value which indicates why the thread is being terminated.
AccessMode	The mode in which to perform access checks.

Remarks: The thread will be terminated even if it is currently running kernel-mode code. Therefore, resources may be leaked or remain locked indefinitely.

Definition at line 403 of file thread.c.

NTSTATUS KpiWriteVirtualMemory	(	__in HANDLE	ProcessHandle,
		__in_opt PVOID	BaseAddress,
		__in_bcount(BufferSize) PVOID	Buffer,
		__in SIZE_T	BufferSize,
		__out_opt PSIZE_T	NumberOfBytesWritten,
		__in KPROCESSOR_MODE	AccessMode
	)

Copies memory from the current process into another process.

Parameters

ProcessHandle	A handle to a process. The handle must have PROCESS_VM_WRITE access.
BaseAddress	The address to which memory is to be copied.
Buffer	A buffer which contains the memory to copy.
BufferSize	The number of bytes to copy.
NumberOfBytesWritten	A variable which receives the number of bytes copied from the buffer.
AccessMode	The mode in which to perform access checks.

Definition at line 422 of file vm.c.

Variable Documentation

_ExfUnblockPushLock ExfUnblockPushLock_I

Definition at line 30 of file dynimp.c.

ULONG KphFeatures

KPH_PARAMETERS KphParameters

_ObGetObjectType ObGetObjectType_I

Definition at line 31 of file dynimp.c.

_PsAcquireProcessExitSynchronization PsAcquireProcessExitSynchronization_I

Definition at line 32 of file dynimp.c.

_PsIsProtectedProcess PsIsProtectedProcess_I

Definition at line 33 of file dynimp.c.

_PsReleaseProcessExitSynchronization PsReleaseProcessExitSynchronization_I

Definition at line 34 of file dynimp.c.

_PsResumeProcess PsResumeProcess_I

Definition at line 35 of file dynimp.c.

_PsSuspendProcess PsSuspendProcess_I

Definition at line 36 of file dynimp.c.

Data Structures

Macros

Typedefs

Functions

Variables

Macro Definition Documentation

Typedef Documentation

Function Documentation

Variable Documentation