Process Hacker
kph.h
Go to the documentation of this file.
1 #ifndef KPH_H
2 #define KPH_H
3 
4 #include <ntifs.h>
5 #define PHNT_MODE PHNT_MODE_KERNEL
6 #include <phnt.h>
7 #include <ntfill.h>
8 #include <kphapi.h>
9 
10 // Debugging
11 
12 #ifdef DBG
13 #define dprintf(Format, ...) DbgPrint("KProcessHacker: " Format, __VA_ARGS__)
14 #else
15 #define dprintf
16 #endif
17 
18 typedef struct _KPH_PARAMETERS
19 {
20  KPH_SECURITY_LEVEL SecurityLevel;
21  LOGICAL DisableDynamicProcedureScan;
22 } KPH_PARAMETERS, *PKPH_PARAMETERS;
23 
24 // main
25 
26 extern ULONG KphFeatures;
27 extern KPH_PARAMETERS KphParameters;
28 
29 NTSTATUS KpiGetFeatures(
30  __out PULONG Features,
31  __in KPROCESSOR_MODE AccessMode
32  );
33 
34 NTSTATUS KphEnumerateSystemModules(
35  __out PRTL_PROCESS_MODULES *Modules
36  );
37 
38 NTSTATUS KphValidateAddressForSystemModules(
39  __in PVOID Address,
40  __in SIZE_T Length
41  );
42 
43 // devctrl
44 
45 __drv_dispatchType(IRP_MJ_DEVICE_CONTROL) DRIVER_DISPATCH KphDispatchDeviceControl;
46 
47 NTSTATUS KphDispatchDeviceControl(
48  __in PDEVICE_OBJECT DeviceObject,
49  __in PIRP Irp
50  );
51 
52 // dynimp
53 
54 extern _ExfUnblockPushLock ExfUnblockPushLock_I;
55 extern _ObGetObjectType ObGetObjectType_I;
56 extern _PsAcquireProcessExitSynchronization PsAcquireProcessExitSynchronization_I;
57 extern _PsIsProtectedProcess PsIsProtectedProcess_I;
58 extern _PsReleaseProcessExitSynchronization PsReleaseProcessExitSynchronization_I;
59 extern _PsResumeProcess PsResumeProcess_I;
60 extern _PsSuspendProcess PsSuspendProcess_I;
61 
62 VOID KphDynamicImport(
63  VOID
64  );
65 
66 PVOID KphGetSystemRoutineAddress(
67  __in PWSTR SystemRoutineName
68  );
69 
70 // object
71 
72 POBJECT_TYPE KphGetObjectType(
73  __in PVOID Object
74  );
75 
76 PHANDLE_TABLE KphReferenceProcessHandleTable(
77  __in PEPROCESS Process
78  );
79 
80 VOID KphDereferenceProcessHandleTable(
81  __in PEPROCESS Process
82  );
83 
84 VOID KphUnlockHandleTableEntry(
85  __in PHANDLE_TABLE HandleTable,
86  __in PHANDLE_TABLE_ENTRY HandleTableEntry
87  );
88 
89 NTSTATUS KpiEnumerateProcessHandles(
90  __in HANDLE ProcessHandle,
91  __out_bcount(BufferLength) PVOID Buffer,
92  __in_opt ULONG BufferLength,
93  __out_opt PULONG ReturnLength,
94  __in KPROCESSOR_MODE AccessMode
95  );
96 
97 NTSTATUS KphQueryNameObject(
98  __in PVOID Object,
99  __out_bcount(BufferLength) POBJECT_NAME_INFORMATION Buffer,
100  __in ULONG BufferLength,
101  __out PULONG ReturnLength
102  );
103 
104 NTSTATUS KphQueryNameFileObject(
105  __in PFILE_OBJECT FileObject,
106  __out_bcount(BufferLength) POBJECT_NAME_INFORMATION Buffer,
107  __in ULONG BufferLength,
108  __out PULONG ReturnLength
109  );
110 
111 NTSTATUS KpiQueryInformationObject(
112  __in HANDLE ProcessHandle,
113  __in HANDLE Handle,
114  __in KPH_OBJECT_INFORMATION_CLASS ObjectInformationClass,
115  __out_bcount(ObjectInformationLength) PVOID ObjectInformation,
116  __in ULONG ObjectInformationLength,
117  __out_opt PULONG ReturnLength,
118  __in KPROCESSOR_MODE AccessMode
119  );
120 
121 NTSTATUS KpiSetInformationObject(
122  __in HANDLE ProcessHandle,
123  __in HANDLE Handle,
124  __in KPH_OBJECT_INFORMATION_CLASS ObjectInformationClass,
125  __in_bcount(ObjectInformationLength) PVOID ObjectInformation,
126  __in ULONG ObjectInformationLength,
127  __in KPROCESSOR_MODE AccessMode
128  );
129 
130 NTSTATUS KphDuplicateObject(
131  __in PEPROCESS SourceProcess,
132  __in_opt PEPROCESS TargetProcess,
133  __in HANDLE SourceHandle,
134  __out_opt PHANDLE TargetHandle,
135  __in ACCESS_MASK DesiredAccess,
136  __in ULONG HandleAttributes,
137  __in ULONG Options,
138  __in KPROCESSOR_MODE AccessMode
139  );
140 
141 NTSTATUS KpiDuplicateObject(
142  __in HANDLE SourceProcessHandle,
143  __in HANDLE SourceHandle,
144  __in_opt HANDLE TargetProcessHandle,
145  __out_opt PHANDLE TargetHandle,
146  __in ACCESS_MASK DesiredAccess,
147  __in ULONG HandleAttributes,
148  __in ULONG Options,
149  __in KPROCESSOR_MODE AccessMode
150  );
151 
152 NTSTATUS KphOpenNamedObject(
153  __out PHANDLE ObjectHandle,
154  __in ACCESS_MASK DesiredAccess,
155  __in POBJECT_ATTRIBUTES ObjectAttributes,
156  __in POBJECT_TYPE ObjectType,
157  __in KPROCESSOR_MODE AccessMode
158  );
159 
160 // process
161 
162 NTSTATUS KpiOpenProcess(
163  __out PHANDLE ProcessHandle,
164  __in ACCESS_MASK DesiredAccess,
165  __in PCLIENT_ID ClientId,
166  __in KPROCESSOR_MODE AccessMode
167  );
168 
169 NTSTATUS KpiOpenProcessToken(
170  __in HANDLE ProcessHandle,
171  __in ACCESS_MASK DesiredAccess,
172  __out PHANDLE TokenHandle,
173  __in KPROCESSOR_MODE AccessMode
174  );
175 
176 NTSTATUS KpiOpenProcessJob(
177  __in HANDLE ProcessHandle,
178  __in ACCESS_MASK DesiredAccess,
179  __out PHANDLE JobHandle,
180  __in KPROCESSOR_MODE AccessMode
181  );
182 
183 NTSTATUS KpiSuspendProcess(
184  __in HANDLE ProcessHandle,
185  __in KPROCESSOR_MODE AccessMode
186  );
187 
188 NTSTATUS KpiResumeProcess(
189  __in HANDLE ProcessHandle,
190  __in KPROCESSOR_MODE AccessMode
191  );
192 
193 NTSTATUS KphTerminateProcessInternal(
194  __in PEPROCESS Process,
195  __in NTSTATUS ExitStatus
196  );
197 
198 NTSTATUS KpiTerminateProcess(
199  __in HANDLE ProcessHandle,
200  __in NTSTATUS ExitStatus,
201  __in KPROCESSOR_MODE AccessMode
202  );
203 
204 NTSTATUS KpiQueryInformationProcess(
205  __in HANDLE ProcessHandle,
206  __in KPH_PROCESS_INFORMATION_CLASS ProcessInformationClass,
207  __out_bcount(ProcessInformationLength) PVOID ProcessInformation,
208  __in ULONG ProcessInformationLength,
209  __out_opt PULONG ReturnLength,
210  __in KPROCESSOR_MODE AccessMode
211  );
212 
213 NTSTATUS KpiSetInformationProcess(
214  __in HANDLE ProcessHandle,
215  __in KPH_PROCESS_INFORMATION_CLASS ProcessInformationClass,
216  __in_bcount(ProcessInformationLength) PVOID ProcessInformation,
217  __in ULONG ProcessInformationLength,
218  __in KPROCESSOR_MODE AccessMode
219  );
220 
221 BOOLEAN KphAcquireProcessRundownProtection(
222  __in PEPROCESS Process
223  );
224 
225 VOID KphReleaseProcessRundownProtection(
226  __in PEPROCESS Process
227  );
228 
229 // qrydrv
230 
231 NTSTATUS KpiOpenDriver(
232  __out PHANDLE DriverHandle,
233  __in POBJECT_ATTRIBUTES ObjectAttributes,
234  __in KPROCESSOR_MODE AccessMode
235  );
236 
237 NTSTATUS KpiQueryInformationDriver(
238  __in HANDLE DriverHandle,
239  __in DRIVER_INFORMATION_CLASS DriverInformationClass,
240  __out_bcount(DriverInformationLength) PVOID DriverInformation,
241  __in ULONG DriverInformationLength,
242  __out_opt PULONG ReturnLength,
243  __in KPROCESSOR_MODE AccessMode
244  );
245 
246 // thread
247 
248 NTSTATUS KpiOpenThread(
249  __out PHANDLE ThreadHandle,
250  __in ACCESS_MASK DesiredAccess,
251  __in PCLIENT_ID ClientId,
252  __in KPROCESSOR_MODE AccessMode
253  );
254 
255 NTSTATUS KpiOpenThreadProcess(
256  __in HANDLE ThreadHandle,
257  __in ACCESS_MASK DesiredAccess,
258  __out PHANDLE ProcessHandle,
259  __in KPROCESSOR_MODE AccessMode
260  );
261 
262 NTSTATUS KphTerminateThreadByPointerInternal(
263  __in PETHREAD Thread,
264  __in NTSTATUS ExitStatus
265  );
266 
267 NTSTATUS KpiTerminateThread(
268  __in HANDLE ThreadHandle,
269  __in NTSTATUS ExitStatus,
270  __in KPROCESSOR_MODE AccessMode
271  );
272 
273 NTSTATUS KpiTerminateThreadUnsafe(
274  __in HANDLE ThreadHandle,
275  __in NTSTATUS ExitStatus,
276  __in KPROCESSOR_MODE AccessMode
277  );
278 
279 NTSTATUS KpiGetContextThread(
280  __in HANDLE ThreadHandle,
281  __inout PCONTEXT ThreadContext,
282  __in KPROCESSOR_MODE AccessMode
283  );
284 
285 NTSTATUS KpiSetContextThread(
286  __in HANDLE ThreadHandle,
287  __in PCONTEXT ThreadContext,
288  __in KPROCESSOR_MODE AccessMode
289  );
290 
291 ULONG KphCaptureStackBackTrace(
292  __in ULONG FramesToSkip,
293  __in ULONG FramesToCapture,
294  __in_opt ULONG Flags,
295  __out_ecount(FramesToCapture) PVOID *BackTrace,
296  __out_opt PULONG BackTraceHash
297  );
298 
299 NTSTATUS KphCaptureStackBackTraceThread(
300  __in PETHREAD Thread,
301  __in ULONG FramesToSkip,
302  __in ULONG FramesToCapture,
303  __out_ecount(FramesToCapture) PVOID *BackTrace,
304  __out_opt PULONG CapturedFrames,
305  __out_opt PULONG BackTraceHash,
306  __in KPROCESSOR_MODE AccessMode
307  );
308 
309 NTSTATUS KpiCaptureStackBackTraceThread(
310  __in HANDLE ThreadHandle,
311  __in ULONG FramesToSkip,
312  __in ULONG FramesToCapture,
313  __out_ecount(FramesToCapture) PVOID *BackTrace,
314  __out_opt PULONG CapturedFrames,
315  __out_opt PULONG BackTraceHash,
316  __in KPROCESSOR_MODE AccessMode
317  );
318 
319 NTSTATUS KpiQueryInformationThread(
320  __in HANDLE ThreadHandle,
321  __in KPH_THREAD_INFORMATION_CLASS ThreadInformationClass,
322  __out_bcount(ProcessInformationLength) PVOID ThreadInformation,
323  __in ULONG ThreadInformationLength,
324  __out_opt PULONG ReturnLength,
325  __in KPROCESSOR_MODE AccessMode
326  );
327 
328 NTSTATUS KpiSetInformationThread(
329  __in HANDLE ThreadHandle,
330  __in KPH_THREAD_INFORMATION_CLASS ThreadInformationClass,
331  __in_bcount(ThreadInformationLength) PVOID ThreadInformation,
332  __in ULONG ThreadInformationLength,
333  __in KPROCESSOR_MODE AccessMode
334  );
335 
336 // vm
337 
338 NTSTATUS KphCopyVirtualMemory(
339  __in PEPROCESS FromProcess,
340  __in PVOID FromAddress,
341  __in PEPROCESS ToProcess,
342  __in PVOID ToAddress,
343  __in SIZE_T BufferLength,
344  __in KPROCESSOR_MODE AccessMode,
345  __out PSIZE_T ReturnLength
346  );
347 
348 NTSTATUS KpiReadVirtualMemory(
349  __in HANDLE ProcessHandle,
350  __in PVOID BaseAddress,
351  __out_bcount(BufferSize) PVOID Buffer,
352  __in SIZE_T BufferSize,
353  __out_opt PSIZE_T NumberOfBytesRead,
354  __in KPROCESSOR_MODE AccessMode
355  );
356 
357 NTSTATUS KpiWriteVirtualMemory(
358  __in HANDLE ProcessHandle,
359  __in_opt PVOID BaseAddress,
360  __in_bcount(BufferSize) PVOID Buffer,
361  __in SIZE_T BufferSize,
362  __out_opt PSIZE_T NumberOfBytesWritten,
363  __in KPROCESSOR_MODE AccessMode
364  );
365 
366 NTSTATUS KpiReadVirtualMemoryUnsafe(
367  __in_opt HANDLE ProcessHandle,
368  __in PVOID BaseAddress,
369  __out_bcount(BufferSize) PVOID Buffer,
370  __in SIZE_T BufferSize,
371  __out_opt PSIZE_T NumberOfBytesRead,
372  __in KPROCESSOR_MODE AccessMode
373  );
374 
375 // Inline support functions
376 
377 FORCEINLINE VOID KphFreeCapturedUnicodeString(
378  __in PUNICODE_STRING CapturedUnicodeString
379  )
380 {
381  if (CapturedUnicodeString->Buffer)
382  ExFreePoolWithTag(CapturedUnicodeString->Buffer, 'UhpK');
383 }
384 
385 FORCEINLINE NTSTATUS KphCaptureUnicodeString(
386  __in PUNICODE_STRING UnicodeString,
387  __out PUNICODE_STRING CapturedUnicodeString
388  )
389 {
390  UNICODE_STRING unicodeString;
391  PWSTR userBuffer;
392 
393  __try
394  {
395  ProbeForRead(UnicodeString, sizeof(UNICODE_STRING), sizeof(ULONG));
396  unicodeString.Length = UnicodeString->Length;
397  unicodeString.MaximumLength = unicodeString.Length;
398  unicodeString.Buffer = NULL;
399 
400  userBuffer = UnicodeString->Buffer;
401  ProbeForRead(userBuffer, unicodeString.Length, sizeof(WCHAR));
402  }
403  __except (EXCEPTION_EXECUTE_HANDLER)
404  {
405  return GetExceptionCode();
406  }
407 
408  if (unicodeString.Length & 1)
409  {
410  return STATUS_INVALID_PARAMETER;
411  }
412 
413  if (unicodeString.Length != 0)
414  {
415  unicodeString.Buffer = ExAllocatePoolWithTag(
416  PagedPool,
417  unicodeString.Length,
418  'UhpK'
419  );
420 
421  if (!unicodeString.Buffer)
422  return STATUS_INSUFFICIENT_RESOURCES;
423 
424  __try
425  {
426  memcpy(
427  unicodeString.Buffer,
428  userBuffer,
429  unicodeString.Length
430  );
431  }
432  __except (EXCEPTION_EXECUTE_HANDLER)
433  {
434  KphFreeCapturedUnicodeString(&unicodeString);
435  return GetExceptionCode();
436  }
437  }
438 
439  *CapturedUnicodeString = unicodeString;
440 
441  return STATUS_SUCCESS;
442 }
443 
444 #endif