Process Hacker
kphapi.h
Go to the documentation of this file.
1 #ifndef _KPHAPI_H
2 #define _KPHAPI_H
3 
4 // This file contains KProcessHacker definitions shared across
5 // kernel-mode and user-mode.
6 
7 // Process information
8 
9 typedef enum _KPH_PROCESS_INFORMATION_CLASS
10 {
11  KphProcessProtectionInformation = 1, // q: KPH_PROCESS_PROTECTION_INFORMATION
12  KphProcessExecuteFlags = 2, // s: ULONG
13  KphProcessIoPriority = 3, // qs: ULONG
14  MaxKphProcessInfoClass
15 } KPH_PROCESS_INFORMATION_CLASS;
16 
17 typedef struct _KPH_PROCESS_PROTECTION_INFORMATION
18 {
19  BOOLEAN IsProtectedProcess;
20 } KPH_PROCESS_PROTECTION_INFORMATION, *PKPH_PROCESS_PROTECTION_INFORMATION;
21 
22 // Thread information
23 
24 typedef enum _KPH_THREAD_INFORMATION_CLASS
25 {
26  KphThreadWin32Thread = 1, // q: PVOID
27  KphThreadImpersonationToken = 2, // s: HANDLE
28  KphThreadIoPriority = 3, // qs: ULONG
29  MaxKphThreadInfoClass
30 } KPH_THREAD_INFORMATION_CLASS;
31 
32 // Process handle information
33 
34 typedef struct _KPH_PROCESS_HANDLE
35 {
36  HANDLE Handle;
37  PVOID Object;
38  ACCESS_MASK GrantedAccess;
39  USHORT ObjectTypeIndex;
40  USHORT Reserved1;
41  ULONG HandleAttributes;
42  ULONG Reserved2;
43 } KPH_PROCESS_HANDLE, *PKPH_PROCESS_HANDLE;
44 
45 typedef struct _KPH_PROCESS_HANDLE_INFORMATION
46 {
47  ULONG HandleCount;
48  KPH_PROCESS_HANDLE Handles[1];
49 } KPH_PROCESS_HANDLE_INFORMATION, *PKPH_PROCESS_HANDLE_INFORMATION;
50 
51 // Object information
52 
53 typedef enum _KPH_OBJECT_INFORMATION_CLASS
54 {
55  KphObjectBasicInformation, // q: OBJECT_BASIC_INFORMATION
56  KphObjectNameInformation, // q: OBJECT_NAME_INFORMATION
57  KphObjectTypeInformation, // q: OBJECT_TYPE_INFORMATION
58  KphObjectHandleFlagInformation, // qs: OBJECT_HANDLE_FLAG_INFORMATION
59  KphObjectProcessBasicInformation, // q: PROCESS_BASIC_INFORMATION
60  KphObjectThreadBasicInformation, // q: THREAD_BASIC_INFORMATION
61  KphObjectEtwRegBasicInformation, // q: ETWREG_BASIC_INFORMATION
62  KphObjectFileObjectInformation, // q: KPH_FILE_OBJECT_INFORMATION
63  KphObjectFileObjectDriver, // q: KPH_FILE_OBJECT_DRIVER
64  MaxKphObjectInfoClass
65 } KPH_OBJECT_INFORMATION_CLASS;
66 
67 typedef struct _KPH_FILE_OBJECT_INFORMATION
68 {
69  BOOLEAN LockOperation;
70  BOOLEAN DeletePending;
71  BOOLEAN ReadAccess;
72  BOOLEAN WriteAccess;
73  BOOLEAN DeleteAccess;
74  BOOLEAN SharedRead;
75  BOOLEAN SharedWrite;
76  BOOLEAN SharedDelete;
77  LARGE_INTEGER CurrentByteOffset;
78  ULONG Flags;
79 } KPH_FILE_OBJECT_INFORMATION, *PKPH_FILE_OBJECT_INFORMATION;
80 
81 typedef struct _KPH_FILE_OBJECT_DRIVER
82 {
83  HANDLE DriverHandle;
84 } KPH_FILE_OBJECT_DRIVER, *PKPH_FILE_OBJECT_DRIVER;
85 
86 // Driver information
87 
88 typedef enum _DRIVER_INFORMATION_CLASS
89 {
90  DriverBasicInformation,
91  DriverNameInformation,
92  DriverServiceKeyNameInformation,
93  MaxDriverInfoClass
94 } DRIVER_INFORMATION_CLASS;
95 
96 typedef struct _DRIVER_BASIC_INFORMATION
97 {
98  ULONG Flags;
99  PVOID DriverStart;
100  ULONG DriverSize;
101 } DRIVER_BASIC_INFORMATION, *PDRIVER_BASIC_INFORMATION;
102 
103 typedef struct _DRIVER_NAME_INFORMATION
104 {
105  UNICODE_STRING DriverName;
106 } DRIVER_NAME_INFORMATION, *PDRIVER_NAME_INFORMATION;
107 
108 typedef struct _DRIVER_SERVICE_KEY_NAME_INFORMATION
109 {
110  UNICODE_STRING ServiceKeyName;
111 } DRIVER_SERVICE_KEY_NAME_INFORMATION, *PDRIVER_SERVICE_KEY_NAME_INFORMATION;
112 
113 // ETW registration object information
114 
115 typedef struct _ETWREG_BASIC_INFORMATION
116 {
117  GUID Guid;
118  ULONG_PTR SessionId;
119 } ETWREG_BASIC_INFORMATION, *PETWREG_BASIC_INFORMATION;
120 
121 // Device
122 
123 #define KPH_DEVICE_SHORT_NAME L"KProcessHacker2"
124 #define KPH_DEVICE_TYPE 0x9999
125 #define KPH_DEVICE_NAME (L"\\Device\\" KPH_DEVICE_SHORT_NAME)
126 
127 // Parameters
128 
129 typedef enum _KPH_SECURITY_LEVEL
130 {
131  KphSecurityNone = 0, // all clients are allowed
132  KphSecurityPrivilegeCheck = 1, // require SeDebugPrivilege
133  KphMaxSecurityLevel
134 } KPH_SECURITY_LEVEL, *PKPH_SECURITY_LEVEL;
135 
136 typedef struct _KPH_DYN_STRUCT_DATA
137 {
138  SHORT EgeGuid;
139  SHORT EpObjectTable;
140  SHORT Reserved0;
141  SHORT Reserved1;
142  SHORT EpRundownProtect;
143  SHORT EreGuidEntry;
144  SHORT HtHandleContentionEvent;
145  SHORT OtName;
146  SHORT OtIndex;
147  SHORT ObDecodeShift;
148  SHORT ObAttributesShift;
149 } KPH_DYN_STRUCT_DATA, *PKPH_DYN_STRUCT_DATA;
150 
151 typedef struct _KPH_DYN_PACKAGE
152 {
153  USHORT MajorVersion;
154  USHORT MinorVersion;
155  USHORT ServicePackMajor; // -1 to ignore
156  USHORT BuildNumber; // -1 to ignore
157  ULONG ResultingNtVersion; // PHNT_*
158  KPH_DYN_STRUCT_DATA StructData;
159 } KPH_DYN_PACKAGE, *PKPH_DYN_PACKAGE;
160 
161 #define KPH_DYN_CONFIGURATION_VERSION 2
162 #define KPH_DYN_MAXIMUM_PACKAGES 64
163 
164 typedef struct _KPH_DYN_CONFIGURATION
165 {
166  ULONG Version;
167  ULONG NumberOfPackages;
168  KPH_DYN_PACKAGE Packages[1];
169 } KPH_DYN_CONFIGURATION, *PKPH_DYN_CONFIGURATION;
170 
171 // Features
172 
173 // No features defined.
174 
175 // Control codes
176 
177 #define KPH_CTL_CODE(x) CTL_CODE(KPH_DEVICE_TYPE, 0x800 + x, METHOD_NEITHER, FILE_ANY_ACCESS)
178 
179 // General
180 #define KPH_GETFEATURES KPH_CTL_CODE(0)
181 
182 // Processes
183 #define KPH_OPENPROCESS KPH_CTL_CODE(50)
184 #define KPH_OPENPROCESSTOKEN KPH_CTL_CODE(51)
185 #define KPH_OPENPROCESSJOB KPH_CTL_CODE(52)
186 #define KPH_SUSPENDPROCESS KPH_CTL_CODE(53)
187 #define KPH_RESUMEPROCESS KPH_CTL_CODE(54)
188 #define KPH_TERMINATEPROCESS KPH_CTL_CODE(55)
189 #define KPH_READVIRTUALMEMORY KPH_CTL_CODE(56)
190 #define KPH_WRITEVIRTUALMEMORY KPH_CTL_CODE(57)
191 #define KPH_READVIRTUALMEMORYUNSAFE KPH_CTL_CODE(58)
192 #define KPH_QUERYINFORMATIONPROCESS KPH_CTL_CODE(59)
193 #define KPH_SETINFORMATIONPROCESS KPH_CTL_CODE(60)
194 
195 // Threads
196 #define KPH_OPENTHREAD KPH_CTL_CODE(100)
197 #define KPH_OPENTHREADPROCESS KPH_CTL_CODE(101)
198 #define KPH_TERMINATETHREAD KPH_CTL_CODE(102)
199 #define KPH_TERMINATETHREADUNSAFE KPH_CTL_CODE(103)
200 #define KPH_GETCONTEXTTHREAD KPH_CTL_CODE(104)
201 #define KPH_SETCONTEXTTHREAD KPH_CTL_CODE(105)
202 #define KPH_CAPTURESTACKBACKTRACETHREAD KPH_CTL_CODE(106)
203 #define KPH_QUERYINFORMATIONTHREAD KPH_CTL_CODE(107)
204 #define KPH_SETINFORMATIONTHREAD KPH_CTL_CODE(108)
205 
206 // Handles
207 #define KPH_ENUMERATEPROCESSHANDLES KPH_CTL_CODE(150)
208 #define KPH_QUERYINFORMATIONOBJECT KPH_CTL_CODE(151)
209 #define KPH_SETINFORMATIONOBJECT KPH_CTL_CODE(152)
210 #define KPH_DUPLICATEOBJECT KPH_CTL_CODE(153)
211 
212 // Misc.
213 #define KPH_OPENDRIVER KPH_CTL_CODE(200)
214 #define KPH_QUERYINFORMATIONDRIVER KPH_CTL_CODE(201)
215 
216 #endif