Process Hacker
native.c File Reference
#include <ph.h>
#include <kphuser.h>
#include <apiimport.h>


Macros

#define PH_DEVICE_PREFIX_LENGTH   64
 
#define PH_DEVICE_MUP_PREFIX_MAX_COUNT   16
 
#define PEB_OFFSET_CASE(Enum, Field)
 

Typedefs

typedef BOOLEAN(NTAPI * PPHP_ENUM_PROCESS_MODULES_CALLBACK )(_In_ HANDLE ProcessHandle, _In_ PLDR_DATA_TABLE_ENTRY Entry, _In_ PVOID AddressOfEntry, _In_opt_ PVOID Context1, _In_opt_ PVOID Context2)
 
typedef BOOLEAN(NTAPI * PPHP_ENUM_PROCESS_MODULES32_CALLBACK )(_In_ HANDLE ProcessHandle, _In_ PLDR_DATA_TABLE_ENTRY32 Entry, _In_ ULONG AddressOfEntry, _In_opt_ PVOID Context1, _In_opt_ PVOID Context2)
 
typedef struct
_OPEN_DRIVER_BY_BASE_ADDRESS_CONTEXT 
OPEN_DRIVER_BY_BASE_ADDRESS_CONTEXT
 
typedef struct
_OPEN_DRIVER_BY_BASE_ADDRESS_CONTEXT * 
POPEN_DRIVER_BY_BASE_ADDRESS_CONTEXT
 
typedef struct
_SET_PROCESS_MODULE_LOAD_COUNT_CONTEXT 
SET_PROCESS_MODULE_LOAD_COUNT_CONTEXT
 
typedef struct
_SET_PROCESS_MODULE_LOAD_COUNT_CONTEXT * 
PSET_PROCESS_MODULE_LOAD_COUNT_CONTEXT
 
typedef struct
_GET_PROCEDURE_ADDRESS_REMOTE_CONTEXT 
GET_PROCEDURE_ADDRESS_REMOTE_CONTEXT
 
typedef struct
_GET_PROCEDURE_ADDRESS_REMOTE_CONTEXT * 
PGET_PROCEDURE_ADDRESS_REMOTE_CONTEXT
 
typedef struct
_ENUM_GENERIC_PROCESS_MODULES_CONTEXT 
ENUM_GENERIC_PROCESS_MODULES_CONTEXT
 
typedef struct
_ENUM_GENERIC_PROCESS_MODULES_CONTEXT * 
PENUM_GENERIC_PROCESS_MODULES_CONTEXT
 

Functions

NTSTATUS PhOpenProcess (_Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _In_ HANDLE ProcessId)
 Opens a process.
 
NTSTATUS PhOpenThread (_Out_ PHANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _In_ HANDLE ThreadId)
 Opens a thread.
 
NTSTATUS PhOpenThreadProcess (_Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _In_ HANDLE ThreadHandle)
 
NTSTATUS PhOpenProcessToken (_Out_ PHANDLE TokenHandle, _In_ ACCESS_MASK DesiredAccess, _In_ HANDLE ProcessHandle)
 Opens a process token.
 
NTSTATUS PhOpenThreadToken (_Out_ PHANDLE TokenHandle, _In_ ACCESS_MASK DesiredAccess, _In_ HANDLE ThreadHandle, _In_ BOOLEAN OpenAsSelf)
 Opens a thread token.
 
NTSTATUS PhGetObjectSecurity (_In_ HANDLE Handle, _In_ SECURITY_INFORMATION SecurityInformation, _Out_ PSECURITY_DESCRIPTOR *SecurityDescriptor)
 
NTSTATUS PhSetObjectSecurity (_In_ HANDLE Handle, _In_ SECURITY_INFORMATION SecurityInformation, _In_ PSECURITY_DESCRIPTOR SecurityDescriptor)
 
NTSTATUS PhTerminateProcess (_In_ HANDLE ProcessHandle, _In_ NTSTATUS ExitStatus)
 Terminates a process.
 
NTSTATUS PhSuspendProcess (_In_ HANDLE ProcessHandle)
 Suspends a process' threads.
 
NTSTATUS PhResumeProcess (_In_ HANDLE ProcessHandle)
 Resumes a process' threads.
 
NTSTATUS PhTerminateThread (_In_ HANDLE ThreadHandle, _In_ NTSTATUS ExitStatus)
 Terminates a thread.
 
NTSTATUS PhSuspendThread (_In_ HANDLE ThreadHandle, _Out_opt_ PULONG PreviousSuspendCount)
 Suspends a thread.
 
NTSTATUS PhResumeThread (_In_ HANDLE ThreadHandle, _Out_opt_ PULONG PreviousSuspendCount)
 Resumes a thread.
 
NTSTATUS PhGetThreadContext (_In_ HANDLE ThreadHandle, _Inout_ PCONTEXT Context)
 Gets the processor context of a thread.
 
NTSTATUS PhSetThreadContext (_In_ HANDLE ThreadHandle, _In_ PCONTEXT Context)
 Sets the processor context of a thread.
 
NTSTATUS PhReadVirtualMemory (_In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _Out_writes_bytes_(BufferSize) PVOID Buffer, _In_ SIZE_T BufferSize, _Out_opt_ PSIZE_T NumberOfBytesRead)
 Copies memory from another process into the current process.
 
NTSTATUS PhWriteVirtualMemory (_In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_reads_bytes_(BufferSize) PVOID Buffer, _In_ SIZE_T BufferSize, _Out_opt_ PSIZE_T NumberOfBytesWritten)
 Copies memory from the current process into another process.
 
NTSTATUS PhpQueryProcessVariableSize (_In_ HANDLE ProcessHandle, _In_ PROCESSINFOCLASS ProcessInformationClass, _Out_ PVOID *Buffer)
 Queries variable-sized information for a process.
 
NTSTATUS PhGetProcessImageFileName (_In_ HANDLE ProcessHandle, _Out_ PPH_STRING *FileName)
 Gets the file name of the process' image.
 
NTSTATUS PhGetProcessImageFileNameWin32 (_In_ HANDLE ProcessHandle, _Out_ PPH_STRING *FileName)
 Gets the Win32 file name of the process' image.
 
NTSTATUS PhGetProcessPebString (_In_ HANDLE ProcessHandle, _In_ PH_PEB_OFFSET Offset, _Out_ PPH_STRING *String)
 Gets a string stored in a process' parameters structure.
 
NTSTATUS PhGetProcessCommandLine (_In_ HANDLE ProcessHandle, _Out_ PPH_STRING *CommandLine)
 Gets a process' command line.
 
NTSTATUS PhGetProcessWindowTitle (_In_ HANDLE ProcessHandle, _Out_ PULONG WindowFlags, _Out_ PPH_STRING *WindowTitle)
 Gets the window flags and window title of a process.
 
NTSTATUS PhGetProcessIsPosix (_In_ HANDLE ProcessHandle, _Out_ PBOOLEAN IsPosix)
 Gets whether the process is running under the POSIX subsystem.
 
NTSTATUS PhGetProcessExecuteFlags (_In_ HANDLE ProcessHandle, _Out_ PULONG ExecuteFlags)
 Gets a process' no-execute status.
 
NTSTATUS PhGetProcessDepStatus (_In_ HANDLE ProcessHandle, _Out_ PULONG DepStatus)
 
NTSTATUS PhGetProcessPosixCommandLine (_In_ HANDLE ProcessHandle, _Out_ PPH_STRING *CommandLine)
 Gets the POSIX command line of a process.
 
NTSTATUS PhGetProcessEnvironment (_In_ HANDLE ProcessHandle, _In_ ULONG Flags, _Out_ PVOID *Environment, _Out_ PULONG EnvironmentLength)
 Gets a process' environment block.
 
BOOLEAN PhEnumProcessEnvironmentVariables (_In_ PVOID Environment, _In_ ULONG EnvironmentLength, _Inout_ PULONG EnumerationKey, _Out_ PPH_ENVIRONMENT_VARIABLE Variable)
 
NTSTATUS PhGetProcessMappedFileName (_In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _Out_ PPH_STRING *FileName)
 Gets the file name of a mapped section.
 
NTSTATUS PhGetProcessWorkingSetInformation (_In_ HANDLE ProcessHandle, _Out_ PMEMORY_WORKING_SET_INFORMATION *WorkingSetInformation)
 Gets working set information for a process.
 
NTSTATUS PhGetProcessWsCounters (_In_ HANDLE ProcessHandle, _Out_ PPH_PROCESS_WS_COUNTERS WsCounters)
 Gets working set counters for a process.
 
NTSTATUS PhSetProcessIoPriority (_In_ HANDLE ProcessHandle, _In_ ULONG IoPriority)
 Sets a process' I/O priority.
 
NTSTATUS PhSetProcessExecuteFlags (_In_ HANDLE ProcessHandle, _In_ ULONG ExecuteFlags)
 Sets a process' no-execute status.
 
NTSTATUS PhSetProcessDepStatus (_In_ HANDLE ProcessHandle, _In_ ULONG DepStatus)
 
NTSTATUS PhSetProcessDepStatusInvasive (_In_ HANDLE ProcessHandle, _In_ ULONG DepStatus, _In_opt_ PLARGE_INTEGER Timeout)
 
NTSTATUS PhInjectDllProcess (_In_ HANDLE ProcessHandle, _In_ PWSTR FileName, _In_opt_ PLARGE_INTEGER Timeout)
 Causes a process to load a DLL.
 
NTSTATUS PhUnloadDllProcess (_In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_opt_ PLARGE_INTEGER Timeout)
 Causes a process to unload a DLL.
 
NTSTATUS PhSetThreadIoPriority (_In_ HANDLE ThreadHandle, _In_ ULONG IoPriority)
 Sets a thread's I/O priority.
 
NTSTATUS PhGetJobProcessIdList (_In_ HANDLE JobHandle, _Out_ PJOBOBJECT_BASIC_PROCESS_ID_LIST *ProcessIdList)
 
NTSTATUS PhpQueryTokenVariableSize (_In_ HANDLE TokenHandle, _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, _Out_ PVOID *Buffer)
 Queries variable-sized information for a token.
 
NTSTATUS PhQueryTokenVariableSize (_In_ HANDLE TokenHandle, _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, _Out_ PVOID *Buffer)
 Queries variable-sized information for a token.
 
NTSTATUS PhGetTokenUser (_In_ HANDLE TokenHandle, _Out_ PTOKEN_USER *User)
 Gets a token's user.
 
NTSTATUS PhGetTokenOwner (_In_ HANDLE TokenHandle, _Out_ PTOKEN_OWNER *Owner)
 Gets a token's owner.
 
NTSTATUS PhGetTokenPrimaryGroup (_In_ HANDLE TokenHandle, _Out_ PTOKEN_PRIMARY_GROUP *PrimaryGroup)
 Gets a token's primary group.
 
NTSTATUS PhGetTokenGroups (_In_ HANDLE TokenHandle, _Out_ PTOKEN_GROUPS *Groups)
 Gets a token's groups.
 
NTSTATUS PhGetTokenPrivileges (_In_ HANDLE TokenHandle, _Out_ PTOKEN_PRIVILEGES *Privileges)
 Gets a token's privileges.
 
NTSTATUS PhSetTokenSessionId (_In_ HANDLE TokenHandle, _In_ ULONG SessionId)
 
BOOLEAN PhSetTokenPrivilege (_In_ HANDLE TokenHandle, _In_opt_ PWSTR PrivilegeName, _In_opt_ PLUID PrivilegeLuid, _In_ ULONG Attributes)
 Modifies a token privilege.
 
BOOLEAN PhSetTokenPrivilege2 (_In_ HANDLE TokenHandle, _In_ LONG Privilege, _In_ ULONG Attributes)
 
NTSTATUS PhSetTokenIsVirtualizationEnabled (_In_ HANDLE TokenHandle, _In_ BOOLEAN IsVirtualizationEnabled)
 Sets whether virtualization is enabled for a token.
 
NTSTATUS PhGetTokenIntegrityLevel (_In_ HANDLE TokenHandle, _Out_opt_ PMANDATORY_LEVEL IntegrityLevel, _Out_opt_ PWSTR *IntegrityString)
 Gets a token's integrity level.
 
NTSTATUS PhpQueryFileVariableSize (_In_ HANDLE FileHandle, _In_ FILE_INFORMATION_CLASS FileInformationClass, _Out_ PVOID *Buffer)
 
NTSTATUS PhGetFileSize (_In_ HANDLE FileHandle, _Out_ PLARGE_INTEGER Size)
 
NTSTATUS PhSetFileSize (_In_ HANDLE FileHandle, _In_ PLARGE_INTEGER Size)
 
NTSTATUS PhpQueryTransactionManagerVariableSize (_In_ HANDLE TransactionManagerHandle, _In_ TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass, _Out_ PVOID *Buffer)
 
NTSTATUS PhGetTransactionManagerBasicInformation (_In_ HANDLE TransactionManagerHandle, _Out_ PTRANSACTIONMANAGER_BASIC_INFORMATION BasicInformation)
 
NTSTATUS PhGetTransactionManagerLogFileName (_In_ HANDLE TransactionManagerHandle, _Out_ PPH_STRING *LogFileName)
 
NTSTATUS PhpQueryTransactionVariableSize (_In_ HANDLE TransactionHandle, _In_ TRANSACTION_INFORMATION_CLASS TransactionInformationClass, _Out_ PVOID *Buffer)
 
NTSTATUS PhGetTransactionBasicInformation (_In_ HANDLE TransactionHandle, _Out_ PTRANSACTION_BASIC_INFORMATION BasicInformation)
 
NTSTATUS PhGetTransactionPropertiesInformation (_In_ HANDLE TransactionHandle, _Out_opt_ PLARGE_INTEGER Timeout, _Out_opt_ TRANSACTION_OUTCOME *Outcome, _Out_opt_ PPH_STRING *Description)
 
NTSTATUS PhpQueryResourceManagerVariableSize (_In_ HANDLE ResourceManagerHandle, _In_ RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass, _Out_ PVOID *Buffer)
 
NTSTATUS PhGetResourceManagerBasicInformation (_In_ HANDLE ResourceManagerHandle, _Out_opt_ PGUID Guid, _Out_opt_ PPH_STRING *Description)
 
NTSTATUS PhGetEnlistmentBasicInformation (_In_ HANDLE EnlistmentHandle, _Out_ PENLISTMENT_BASIC_INFORMATION BasicInformation)
 
BOOLEAN NTAPI PhpOpenDriverByBaseAddressCallback (_In_ PPH_STRINGREF Name, _In_ PPH_STRINGREF TypeName, _In_opt_ PVOID Context)
 
NTSTATUS PhOpenDriverByBaseAddress (_Out_ PHANDLE DriverHandle, _In_ PVOID BaseAddress)
 Opens a driver object using a base address.
 
NTSTATUS PhpQueryDriverVariableSize (_In_ HANDLE DriverHandle, _In_ DRIVER_INFORMATION_CLASS DriverInformationClass, _Out_ PVOID *Buffer)
 Queries variable-sized information for a driver.
 
NTSTATUS PhGetDriverName (_In_ HANDLE DriverHandle, _Out_ PPH_STRING *Name)
 Gets the object name of a driver.
 
NTSTATUS PhGetDriverServiceKeyName (_In_ HANDLE DriverHandle, _Out_ PPH_STRING *ServiceKeyName)
 Gets the service key name of a driver.
 
NTSTATUS PhpUnloadDriver (_In_ PPH_STRING ServiceKeyName)
 
NTSTATUS PhUnloadDriver (_In_opt_ PVOID BaseAddress, _In_opt_ PWSTR Name)
 Unloads a driver.
 
NTSTATUS PhDuplicateObject (_In_ HANDLE SourceProcessHandle, _In_ HANDLE SourceHandle, _In_opt_ HANDLE TargetProcessHandle, _Out_opt_ PHANDLE TargetHandle, _In_ ACCESS_MASK DesiredAccess, _In_ ULONG HandleAttributes, _In_ ULONG Options)
 Duplicates a handle.
 
NTSTATUS PhpEnumProcessModules (_In_ HANDLE ProcessHandle, _In_ PPHP_ENUM_PROCESS_MODULES_CALLBACK Callback, _In_opt_ PVOID Context1, _In_opt_ PVOID Context2)
 
BOOLEAN NTAPI PhpEnumProcessModulesCallback (_In_ HANDLE ProcessHandle, _In_ PLDR_DATA_TABLE_ENTRY Entry, _In_ PVOID AddressOfEntry, _In_opt_ PVOID Context1, _In_opt_ PVOID Context2)
 
NTSTATUS PhEnumProcessModules (_In_ HANDLE ProcessHandle, _In_ PPH_ENUM_PROCESS_MODULES_CALLBACK Callback, _In_opt_ PVOID Context)
 Enumerates the modules loaded by a process.
 
NTSTATUS PhEnumProcessModulesEx (_In_ HANDLE ProcessHandle, _In_ PPH_ENUM_PROCESS_MODULES_PARAMETERS Parameters)
 Enumerates the modules loaded by a process.
 
BOOLEAN NTAPI PhpSetProcessModuleLoadCountCallback (_In_ HANDLE ProcessHandle, _In_ PLDR_DATA_TABLE_ENTRY Entry, _In_ PVOID AddressOfEntry, _In_opt_ PVOID Context1, _In_opt_ PVOID Context2)
 
NTSTATUS PhSetProcessModuleLoadCount (_In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ ULONG LoadCount)
 Sets the load count of a process module.
 
NTSTATUS PhpEnumProcessModules32 (_In_ HANDLE ProcessHandle, _In_ PPHP_ENUM_PROCESS_MODULES32_CALLBACK Callback, _In_opt_ PVOID Context1, _In_opt_ PVOID Context2)
 
BOOLEAN NTAPI PhpEnumProcessModules32Callback (_In_ HANDLE ProcessHandle, _In_ PLDR_DATA_TABLE_ENTRY32 Entry, _In_ ULONG AddressOfEntry, _In_opt_ PVOID Context1, _In_opt_ PVOID Context2)
 
NTSTATUS PhEnumProcessModules32 (_In_ HANDLE ProcessHandle, _In_ PPH_ENUM_PROCESS_MODULES_CALLBACK Callback, _In_opt_ PVOID Context)
 Enumerates the 32-bit modules loaded by a process.
 
NTSTATUS PhEnumProcessModules32Ex (_In_ HANDLE ProcessHandle, _In_ PPH_ENUM_PROCESS_MODULES_PARAMETERS Parameters)
 Enumerates the 32-bit modules loaded by a process.
 
BOOLEAN NTAPI PhpSetProcessModuleLoadCount32Callback (_In_ HANDLE ProcessHandle, _In_ PLDR_DATA_TABLE_ENTRY32 Entry, _In_ ULONG AddressOfEntry, _In_opt_ PVOID Context1, _In_opt_ PVOID Context2)
 
NTSTATUS PhSetProcessModuleLoadCount32 (_In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ ULONG LoadCount)
 Sets the load count of a 32-bit process module.
 
NTSTATUS PhGetProcedureAddressRemote (_In_ HANDLE ProcessHandle, _In_ PWSTR FileName, _In_opt_ PSTR ProcedureName, _In_opt_ ULONG ProcedureNumber, _Out_ PVOID *ProcedureAddress, _Out_opt_ PVOID *DllBase)
 Gets the address of a procedure in a process.
 
NTSTATUS PhEnumKernelModules (_Out_ PRTL_PROCESS_MODULES *Modules)
 Enumerates the modules loaded by the kernel.
 
NTSTATUS PhEnumKernelModulesEx (_Out_ PRTL_PROCESS_MODULE_INFORMATION_EX *Modules)
 Enumerates the modules loaded by the kernel.
 
PPH_STRING PhGetKernelFileName (VOID)
 Gets the file name of the kernel image.
 
NTSTATUS PhEnumProcesses (_Out_ PVOID *Processes)
 Enumerates the running processes.
 
NTSTATUS PhEnumProcessesEx (_Out_ PVOID *Processes, _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass)
 Enumerates the running processes.
 
NTSTATUS PhEnumProcessesForSession (_Out_ PVOID *Processes, _In_ ULONG SessionId)
 Enumerates the running processes for a session.
 
PSYSTEM_PROCESS_INFORMATION PhFindProcessInformation (_In_ PVOID Processes, _In_ HANDLE ProcessId)
 Finds the process information structure for a specific process.
 
PSYSTEM_PROCESS_INFORMATION PhFindProcessInformationByImageName (_In_ PVOID Processes, _In_ PPH_STRINGREF ImageName)
 Finds the process information structure for a specific process.
 
NTSTATUS PhEnumHandles (_Out_ PSYSTEM_HANDLE_INFORMATION *Handles)
 Enumerates all open handles.
 
NTSTATUS PhEnumHandlesEx (_Out_ PSYSTEM_HANDLE_INFORMATION_EX *Handles)
 Enumerates all open handles.
 
NTSTATUS PhEnumPagefiles (_Out_ PVOID *Pagefiles)
 Enumerates all pagefiles.
 
NTSTATUS PhGetProcessImageFileNameByProcessId (_In_ HANDLE ProcessId, _Out_ PPH_STRING *FileName)
 Gets the file name of a process' image.
 
NTSTATUS PhGetProcessIsDotNet (_In_ HANDLE ProcessId, _Out_ PBOOLEAN IsDotNet)
 Determines if a process is managed.
 
BOOLEAN NTAPI PhpIsDotNetEnumProcessModulesCallback (_In_ PLDR_DATA_TABLE_ENTRY Module, _In_opt_ PVOID Context)
 
NTSTATUS PhGetProcessIsDotNetEx (_In_ HANDLE ProcessId, _In_opt_ HANDLE ProcessHandle, _In_ ULONG InFlags, _Out_opt_ PBOOLEAN IsDotNet, _Out_opt_ PULONG Flags)
 Determines if a process is managed.
 
NTSTATUS PhEnumDirectoryObjects (_In_ HANDLE DirectoryHandle, _In_ PPH_ENUM_DIRECTORY_OBJECTS Callback, _In_opt_ PVOID Context)
 Enumerates the objects in a directory object.
 
NTSTATUS PhEnumDirectoryFile (_In_ HANDLE FileHandle, _In_opt_ PUNICODE_STRING SearchPattern, _In_ PPH_ENUM_DIRECTORY_FILE Callback, _In_opt_ PVOID Context)
 
NTSTATUS PhEnumFileStreams (_In_ HANDLE FileHandle, _Out_ PVOID *Streams)
 
VOID PhInitializeDevicePrefixes (VOID)
 Initializes the device prefixes module.
 
VOID PhUpdateMupDevicePrefixes (VOID)
 
VOID PhUpdateDosDevicePrefixes (VOID)
 Updates the DOS device names array.
 
PPH_STRING PhResolveDevicePrefix (_In_ PPH_STRING Name)
 Resolves a NT path into a Win32 path.
 
PPH_STRING PhGetFileName (_In_ PPH_STRING FileName)
 Converts a file name into Win32 format.
 
VOID PhpRtlModulesToGenericModules (_In_ PRTL_PROCESS_MODULES Modules, _In_ PPH_ENUM_GENERIC_MODULES_CALLBACK Callback, _In_opt_ PVOID Context, _In_ PPH_HASHTABLE BaseAddressHashtable)
 
VOID PhpRtlModulesExToGenericModules (_In_ PRTL_PROCESS_MODULE_INFORMATION_EX Modules, _In_ PPH_ENUM_GENERIC_MODULES_CALLBACK Callback, _In_opt_ PVOID Context, _In_ PPH_HASHTABLE BaseAddressHashtable)
 
BOOLEAN PhpCallbackMappedFileOrImage (_In_ PVOID AllocationBase, _In_ SIZE_T AllocationSize, _In_ ULONG Type, _In_ PPH_STRING FileName, _In_ PPH_ENUM_GENERIC_MODULES_CALLBACK Callback, _In_opt_ PVOID Context, _In_ PPH_HASHTABLE BaseAddressHashtable)
 
VOID PhpEnumGenericMappedFilesAndImages (_In_ HANDLE ProcessHandle, _In_ ULONG Flags, _In_ PPH_ENUM_GENERIC_MODULES_CALLBACK Callback, _In_opt_ PVOID Context, _In_ PPH_HASHTABLE BaseAddressHashtable)
 
BOOLEAN NTAPI PhpBaseAddressHashtableCompareFunction (_In_ PVOID Entry1, _In_ PVOID Entry2)
 
ULONG NTAPI PhpBaseAddressHashtableHashFunction (_In_ PVOID Entry)
 
NTSTATUS PhEnumGenericModules (_In_ HANDLE ProcessId, _In_opt_ HANDLE ProcessHandle, _In_ ULONG Flags, _In_ PPH_ENUM_GENERIC_MODULES_CALLBACK Callback, _In_opt_ PVOID Context)
 Enumerates the modules loaded by a process.
 
VOID PhpInitializePredefineKeys (VOID)
 Initializes usage of predefined keys.
 
NTSTATUS PhpInitializeKeyObjectAttributes (_In_opt_ HANDLE RootDirectory, _In_ PUNICODE_STRING ObjectName, _In_ ULONG Attributes, _Out_ POBJECT_ATTRIBUTES ObjectAttributes, _Out_ PHANDLE NeedsClose)
 Initializes the attributes of a key object for creating/opening.
 
NTSTATUS PhCreateKey (_Out_ PHANDLE KeyHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ HANDLE RootDirectory, _In_ PPH_STRINGREF ObjectName, _In_ ULONG Attributes, _In_ ULONG CreateOptions, _Out_opt_ PULONG Disposition)
 Creates or opens a registry key.
 
NTSTATUS PhOpenKey (_Out_ PHANDLE KeyHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ HANDLE RootDirectory, _In_ PPH_STRINGREF ObjectName, _In_ ULONG Attributes)
 Opens a registry key.
 

Macro Definition Documentation

#define PEB_OFFSET_CASE (   Enum,
  Field 
)
Value:
case Enum: offset = FIELD_OFFSET(RTL_USER_PROCESS_PARAMETERS, Field); break; \
case Enum | PhpoWow64: offset = FIELD_OFFSET(RTL_USER_PROCESS_PARAMETERS32, Field); break
#define PH_DEVICE_MUP_PREFIX_MAX_COUNT   16

Definition at line 28 of file native.c.

#define PH_DEVICE_PREFIX_LENGTH   64

Definition at line 27 of file native.c.

Typedef Documentation

typedef struct _ENUM_GENERIC_PROCESS_MODULES_CONTEXT ENUM_GENERIC_PROCESS_MODULES_CONTEXT
typedef struct _GET_PROCEDURE_ADDRESS_REMOTE_CONTEXT GET_PROCEDURE_ADDRESS_REMOTE_CONTEXT
typedef struct _OPEN_DRIVER_BY_BASE_ADDRESS_CONTEXT OPEN_DRIVER_BY_BASE_ADDRESS_CONTEXT
typedef struct _ENUM_GENERIC_PROCESS_MODULES_CONTEXT * PENUM_GENERIC_PROCESS_MODULES_CONTEXT
typedef struct _GET_PROCEDURE_ADDRESS_REMOTE_CONTEXT * PGET_PROCEDURE_ADDRESS_REMOTE_CONTEXT
typedef struct _OPEN_DRIVER_BY_BASE_ADDRESS_CONTEXT * POPEN_DRIVER_BY_BASE_ADDRESS_CONTEXT
typedef BOOLEAN(NTAPI * PPHP_ENUM_PROCESS_MODULES32_CALLBACK)(_In_ HANDLE ProcessHandle, _In_ PLDR_DATA_TABLE_ENTRY32 Entry, _In_ ULONG AddressOfEntry, _In_opt_ PVOID Context1, _In_opt_ PVOID Context2)

Definition at line 38 of file native.c.

typedef BOOLEAN(NTAPI * PPHP_ENUM_PROCESS_MODULES_CALLBACK)(_In_ HANDLE ProcessHandle, _In_ PLDR_DATA_TABLE_ENTRY Entry, _In_ PVOID AddressOfEntry, _In_opt_ PVOID Context1, _In_opt_ PVOID Context2)

Definition at line 30 of file native.c.

typedef struct _SET_PROCESS_MODULE_LOAD_COUNT_CONTEXT * PSET_PROCESS_MODULE_LOAD_COUNT_CONTEXT
typedef struct _SET_PROCESS_MODULE_LOAD_COUNT_CONTEXT SET_PROCESS_MODULE_LOAD_COUNT_CONTEXT

Function Documentation

NTSTATUS PhCreateKey ( _Out_ PHANDLE  KeyHandle,
_In_ ACCESS_MASK  DesiredAccess,
_In_opt_ HANDLE  RootDirectory,
_In_ PPH_STRINGREF  ObjectName,
_In_ ULONG  Attributes,
_In_ ULONG  CreateOptions,
_Out_opt_ PULONG  Disposition 
)

Creates or opens a registry key.

Parameters
KeyHandle — A variable which receives a handle to the key.
DesiredAccess — The desired access to the key.
RootDirectory — A handle to a root key, or one of the following predefined keys:
  • PH_KEY_LOCAL_MACHINE Represents \Registry\Machine.
  • PH_KEY_USERS Represents \Registry\User.
  • PH_KEY_CLASSES_ROOT Represents \Registry\Machine\Software\Classes.
  • PH_KEY_CURRENT_USER Represents \Registry\User\[SID of current user].
ObjectName — The path to the key.
Attributes — Additional object flags.
CreateOptions — The options to apply when creating or opening the key.
Disposition — A variable which receives a value indicating whether a new key was created or an existing key was opened:
  • REG_CREATED_NEW_KEY A new key was created.
  • REG_OPENED_EXISTING_KEY An existing key was opened.

Definition at line 6289 of file native.c.

NTSTATUS PhDuplicateObject ( _In_ HANDLE  SourceProcessHandle,
_In_ HANDLE  SourceHandle,
_In_opt_ HANDLE  TargetProcessHandle,
_Out_opt_ PHANDLE  TargetHandle,
_In_ ACCESS_MASK  DesiredAccess,
_In_ ULONG  HandleAttributes,
_In_ ULONG  Options 
)

Duplicates a handle.

Parameters
SourceProcessHandle — A handle to the source process. The handle must have PROCESS_DUP_HANDLE access.
SourceHandle — The handle to duplicate from the source process.
TargetProcessHandle — A handle to the target process. If DUPLICATE_CLOSE_SOURCE is specified in the Options parameter, this parameter can be NULL.
TargetHandle — A variable which receives the new handle in the target process. If DUPLICATE_CLOSE_SOURCE is specified in the Options parameter, this parameter can be NULL.
DesiredAccess — The desired access to the object referenced by the source handle.
HandleAttributes — The attributes to apply to the new handle.
Options — The options to use when duplicating the handle.

Definition at line 3309 of file native.c.

NTSTATUS PhEnumDirectoryFile ( _In_ HANDLE  FileHandle,
_In_opt_ PUNICODE_STRING  SearchPattern,
_In_ PPH_ENUM_DIRECTORY_FILE  Callback,
_In_opt_ PVOID  Context 
)

Definition at line 5124 of file native.c.

NTSTATUS PhEnumDirectoryObjects ( _In_ HANDLE  DirectoryHandle,
_In_ PPH_ENUM_DIRECTORY_OBJECTS  Callback,
_In_opt_ PVOID  Context 
)

Enumerates the objects in a directory object.

Parameters
DirectoryHandle — A handle to a directory. The handle must have DIRECTORY_QUERY access.
Callback — A callback function which is executed for each object.
Context — A user-defined value to pass to the callback function.

Definition at line 5028 of file native.c.

NTSTATUS PhEnumFileStreams ( _In_ HANDLE  FileHandle,
_Out_ PVOID *  Streams 
)

Definition at line 5231 of file native.c.

NTSTATUS PhEnumGenericModules ( _In_ HANDLE  ProcessId,
_In_opt_ HANDLE  ProcessHandle,
_In_ ULONG  Flags,
_In_ PPH_ENUM_GENERIC_MODULES_CALLBACK  Callback,
_In_opt_ PVOID  Context 
)

Enumerates the modules loaded by a process.

Parameters
ProcessId — The ID of a process. If SYSTEM_PROCESS_ID is specified, the function enumerates the kernel modules.
ProcessHandle — A handle to the process.
Flags — Flags controlling the information to retrieve.
  • PH_ENUM_GENERIC_MAPPED_FILES Enumerate mapped files.
  • PH_ENUM_GENERIC_MAPPED_IMAGES Enumerate mapped images (those which are not mapped by the loader).
Callback — A callback function which is executed for each module.
Context — A user-defined value to pass to the callback function.

Definition at line 6006 of file native.c.

NTSTATUS PhEnumHandles ( _Out_ PSYSTEM_HANDLE_INFORMATION Handles)

Enumerates all open handles.

Parameters
Handles — A variable which receives a pointer to a structure containing information about all opened handles. You must free the structure using PhFree() when you no longer need it.
Return values
STATUS_INSUFFICIENT_RESOURCES — The handle information returned by the kernel is too large.

Definition at line 4540 of file native.c.

NTSTATUS PhEnumHandlesEx ( _Out_ PSYSTEM_HANDLE_INFORMATION_EX Handles)

Enumerates all open handles.

Parameters
Handles — A variable which receives a pointer to a structure containing information about all opened handles. You must free the structure using PhFree() when you no longer need it.
Return values
STATUS_INSUFFICIENT_RESOURCES — The handle information returned by the kernel is too large.
Remarks
This function is only available starting with Windows XP.

Definition at line 4596 of file native.c.

NTSTATUS PhEnumKernelModules ( _Out_ PRTL_PROCESS_MODULES Modules)

Enumerates the modules loaded by the kernel.

Parameters
Modules — A variable which receives a pointer to a structure containing information about the kernel modules. You must free the structure using PhFree() when you no longer need it.

Definition at line 4197 of file native.c.

NTSTATUS PhEnumKernelModulesEx ( _Out_ PRTL_PROCESS_MODULE_INFORMATION_EX Modules)

Enumerates the modules loaded by the kernel.

Parameters
Modules — A variable which receives a pointer to a structure containing information about the kernel modules. You must free the structure using PhFree() when you no longer need it.

Definition at line 4243 of file native.c.

NTSTATUS PhEnumPagefiles ( _Out_ PVOID *  Pagefiles)

Enumerates all pagefiles.

Parameters
Pagefiles — A variable which receives a pointer to a buffer containing information about all active pagefiles. You must free the structure using PhFree() when you no longer need it.
Return values
STATUS_INSUFFICIENT_RESOURCES — The handle information returned by the kernel is too large.

Definition at line 4649 of file native.c.

BOOLEAN PhEnumProcessEnvironmentVariables ( _In_ PVOID  Environment,
_In_ ULONG  EnvironmentLength,
_Inout_ PULONG  EnumerationKey,
_Out_ PPH_ENVIRONMENT_VARIABLE  Variable 
)

Definition at line 1353 of file native.c.

NTSTATUS PhEnumProcesses ( _Out_ PVOID *  Processes)

Enumerates the running processes.

Parameters
Processes — A variable which receives a pointer to a buffer containing process information. You must free the buffer using PhFree() when you no longer need it.
Remarks
You can use the PH_FIRST_PROCESS and PH_NEXT_PROCESS macros to process the information contained in the buffer.

Definition at line 4321 of file native.c.

NTSTATUS PhEnumProcessesEx ( _Out_ PVOID *  Processes,
_In_ SYSTEM_INFORMATION_CLASS  SystemInformationClass 
)

Enumerates the running processes.

Parameters
Processes — A variable which receives a pointer to a buffer containing process information. You must free the buffer using PhFree() when you no longer need it.
Remarks
You can use the PH_FIRST_PROCESS and PH_NEXT_PROCESS macros to process the information contained in the buffer.

Definition at line 4340 of file native.c.

NTSTATUS PhEnumProcessesForSession ( _Out_ PVOID *  Processes,
_In_ ULONG  SessionId 
)

Enumerates the running processes for a session.

Parameters
Processes — A variable which receives a pointer to a buffer containing process information. You must free the buffer using PhFree() when you no longer need it.
SessionId — A session ID.
Remarks
You can use the PH_FIRST_PROCESS and PH_NEXT_PROCESS macros to process the information contained in the buffer.

Definition at line 4414 of file native.c.

NTSTATUS PhEnumProcessModules ( _In_ HANDLE  ProcessHandle,
_In_ PPH_ENUM_PROCESS_MODULES_CALLBACK  Callback,
_In_opt_ PVOID  Context 
)

Enumerates the modules loaded by a process.

Parameters
ProcessHandle — A handle to a process. The handle must have PROCESS_QUERY_LIMITED_INFORMATION and PROCESS_VM_READ access.
Callback — A callback function which is executed for each process module.
Context — A user-defined value to pass to the callback function.

Definition at line 3589 of file native.c.

NTSTATUS PhEnumProcessModules32 ( _In_ HANDLE  ProcessHandle,
_In_ PPH_ENUM_PROCESS_MODULES_CALLBACK  Callback,
_In_opt_ PVOID  Context 
)

Enumerates the 32-bit modules loaded by a process.

Parameters
ProcessHandle — A handle to a process. The handle must have PROCESS_QUERY_LIMITED_INFORMATION and PROCESS_VM_READ access.
Callback — A callback function which is executed for each process module.
Context — A user-defined value to pass to the callback function.
Return values
STATUS_NOT_SUPPORTED — The process is not running under WOW64.
Remarks
Do not use this function under a 32-bit environment.

Definition at line 3973 of file native.c.

NTSTATUS PhEnumProcessModules32Ex ( _In_ HANDLE  ProcessHandle,
_In_ PPH_ENUM_PROCESS_MODULES_PARAMETERS  Parameters 
)

Enumerates the 32-bit modules loaded by a process.

Parameters
ProcessHandle — A handle to a process. The handle must have PROCESS_QUERY_LIMITED_INFORMATION and PROCESS_VM_READ access. If PH_ENUM_PROCESS_MODULES_TRY_MAPPED_FILE_NAME is specified in Parameters, the handle should have PROCESS_QUERY_INFORMATION access.
Parameters — The enumeration parameters.
Return values
STATUS_NOT_SUPPORTED — The process is not running under WOW64.
Remarks
Do not use this function under a 32-bit environment.

Definition at line 4004 of file native.c.

NTSTATUS PhEnumProcessModulesEx ( _In_ HANDLE  ProcessHandle,
_In_ PPH_ENUM_PROCESS_MODULES_PARAMETERS  Parameters 
)

Enumerates the modules loaded by a process.

Parameters
ProcessHandle — A handle to a process. The handle must have PROCESS_QUERY_LIMITED_INFORMATION and PROCESS_VM_READ access. If PH_ENUM_PROCESS_MODULES_TRY_MAPPED_FILE_NAME is specified in Parameters, the handle should have PROCESS_QUERY_INFORMATION access.
Parameters — The enumeration parameters.

Definition at line 3614 of file native.c.

PSYSTEM_PROCESS_INFORMATION PhFindProcessInformation ( _In_ PVOID  Processes,
_In_ HANDLE  ProcessId 
)

Finds the process information structure for a specific process.

Parameters
Processes — A pointer to a buffer returned by PhEnumProcesses().
ProcessId — The ID of the process.
Returns
A pointer to the process information structure for the specified process, or NULL if the structure could not be found.

Definition at line 4477 of file native.c.

PSYSTEM_PROCESS_INFORMATION PhFindProcessInformationByImageName ( _In_ PVOID  Processes,
_In_ PPH_STRINGREF  ImageName 
)

Finds the process information structure for a specific process.

Parameters
Processes — A pointer to a buffer returned by PhEnumProcesses().
ImageName — The image name to search for.
Returns
A pointer to the process information structure for the specified process, or NULL if the structure could not be found.

Definition at line 4507 of file native.c.

NTSTATUS PhGetDriverName ( _In_ HANDLE  DriverHandle,
_Out_ PPH_STRING Name 
)

Gets the object name of a driver.

Parameters
DriverHandle — A handle to a driver.
Name — A variable which receives a pointer to a string containing the object name. You must free the string using PhDereferenceObject() when you no longer need it.
Remarks
This function requires a valid KProcessHacker handle.

Definition at line 3084 of file native.c.

NTSTATUS PhGetDriverServiceKeyName ( _In_ HANDLE  DriverHandle,
_Out_ PPH_STRING ServiceKeyName 
)

Gets the service key name of a driver.

Parameters
DriverHandle — A handle to a driver.
ServiceKeyName — A variable which receives a pointer to a string containing the service key name. You must free the string using PhDereferenceObject() when you no longer need it.
Remarks
This function requires a valid KProcessHacker handle.

Definition at line 3120 of file native.c.

NTSTATUS PhGetEnlistmentBasicInformation ( _In_ HANDLE  EnlistmentHandle,
_Out_ PENLISTMENT_BASIC_INFORMATION  BasicInformation 
)

Definition at line 2865 of file native.c.

PPH_STRING PhGetFileName ( _In_ PPH_STRING  FileName)

Converts a file name into Win32 format.

Parameters
FileName — A string containing a file name.
Returns
A pointer to a string containing the Win32 file name. You must free the string using PhDereferenceObject() when you no longer need it.
Remarks
This function may convert NT object name paths into invalid paths. If the path being converted is not necessarily a file name, use PhResolveDevicePrefix() instead.

Definition at line 5547 of file native.c.

NTSTATUS PhGetFileSize ( _In_ HANDLE  FileHandle,
_Out_ PLARGE_INTEGER  Size 
)

Definition at line 2516 of file native.c.

NTSTATUS PhGetJobProcessIdList ( _In_ HANDLE  JobHandle,
_Out_ PJOBOBJECT_BASIC_PROCESS_ID_LIST *  ProcessIdList 
)

Definition at line 2058 of file native.c.

PPH_STRING PhGetKernelFileName ( VOID  )

Gets the file name of the kernel image.

Returns
A pointer to a string containing the kernel image file name. You must free the string using PhDereferenceObject() when you no longer need it.

Definition at line 4289 of file native.c.

NTSTATUS PhGetObjectSecurity ( _In_ HANDLE  Handle,
_In_ SECURITY_INFORMATION  SecurityInformation,
_Out_ PSECURITY_DESCRIPTOR *  SecurityDescriptor 
)

Definition at line 233 of file native.c.

NTSTATUS PhGetProcedureAddressRemote ( _In_ HANDLE  ProcessHandle,
_In_ PWSTR  FileName,
_In_opt_ PSTR  ProcedureName,
_In_opt_ ULONG  ProcedureNumber,
_Out_ PVOID *  ProcedureAddress,
_Out_opt_ PVOID *  DllBase 
)

Gets the address of a procedure in a process.

Parameters
ProcessHandleA handle to a process. The handle must have PROCESS_QUERY_LIMITED_INFORMATION and PROCESS_VM_READ access.
FileNameThe file name of the DLL containing the procedure.
ProcedureNameThe name of the procedure.
ProcedureNumberThe ordinal of the procedure.
ProcedureAddressA variable which receives the address of the procedure in the address space of the process.
DllBaseA variable which receives the base address of the DLL containing the procedure.

Definition at line 4126 of file native.c.

NTSTATUS PhGetProcessCommandLine ( _In_ HANDLE  ProcessHandle,
_Out_ PPH_STRING CommandLine 
)

Gets a process' command line.

Parameters
ProcessHandleA handle to a process. The handle must have PROCESS_QUERY_LIMITED_INFORMATION. Before Windows 8.1, the handle must also have PROCESS_VM_READ access.
CommandLineA variable which receives a pointer to a string containing the command line. You must free the string using PhDereferenceObject() when you no longer need it.

Definition at line 833 of file native.c.

NTSTATUS PhGetProcessDepStatus ( _In_ HANDLE  ProcessHandle,
_Out_ PULONG  DepStatus 
)

Definition at line 1060 of file native.c.

NTSTATUS PhGetProcessEnvironment ( _In_ HANDLE  ProcessHandle,
_In_ ULONG  Flags,
_Out_ PVOID *  Environment,
_Out_ PULONG  EnvironmentLength 
)

Gets a process' environment block.

Parameters
ProcessHandleA handle to a process. The handle must have PROCESS_QUERY_INFORMATION and PROCESS_VM_READ access.
FlagsA combination of flags.
  • PH_GET_PROCESS_ENVIRONMENT_WOW64 Retrieve the environment block from the WOW64 PEB.
EnvironmentA variable which will receive a pointer to the environment block copied from the process. You must free the block using PhFreePage() when you no longer need it.
EnvironmentLengthA variable which will receive the length of the environment block, in bytes.

Definition at line 1240 of file native.c.

NTSTATUS PhGetProcessExecuteFlags ( _In_ HANDLE  ProcessHandle,
_Out_ PULONG  ExecuteFlags 
)

Gets a process' no-execute status.

Parameters
ProcessHandleA handle to a process. The handle must have PROCESS_QUERY_INFORMATION access.
ExecuteFlagsA variable which receives the no-execute flags.

Definition at line 1033 of file native.c.

NTSTATUS PhGetProcessImageFileName ( _In_ HANDLE  ProcessHandle,
_Out_ PPH_STRING FileName 
)

Gets the file name of the process' image.

Parameters
ProcessHandleA handle to a process. The handle must have PROCESS_QUERY_LIMITED_INFORMATION access.
FileNameA variable which receives a pointer to a string containing the file name. You must free the string using PhDereferenceObject() when you no longer need it.

Definition at line 630 of file native.c.

NTSTATUS PhGetProcessImageFileNameByProcessId ( _In_ HANDLE  ProcessId,
_Out_ PPH_STRING FileName 
)

Gets the file name of a process' image.

Parameters
ProcessIdThe ID of the process.
FileNameA variable which receives a pointer to a string containing the file name. You must free the string using PhDereferenceObject() when you no longer need it.
Remarks
This function only works on Windows Vista and above. The kernel does not appear to perform any access checking for this query.

Definition at line 4699 of file native.c.

NTSTATUS PhGetProcessImageFileNameWin32 ( _In_ HANDLE  ProcessHandle,
_Out_ PPH_STRING FileName 
)

Gets the Win32 file name of the process' image.

Parameters
ProcessHandleA handle to a process. The handle must have PROCESS_QUERY_LIMITED_INFORMATION access.
FileNameA variable which receives a pointer to a string containing the file name. You must free the string using PhDereferenceObject() when you no longer need it.
Remarks
This function is only available on Windows Vista and above.

Definition at line 665 of file native.c.

NTSTATUS PhGetProcessIsDotNet ( _In_ HANDLE  ProcessId,
_Out_ PBOOLEAN  IsDotNet 
)

Determines if a process is managed.

Parameters
ProcessIdThe ID of the process.
IsDotNetA variable which receives a boolean indicating whether the process is managed.

Definition at line 4758 of file native.c.

NTSTATUS PhGetProcessIsDotNetEx ( _In_ HANDLE  ProcessId,
_In_opt_ HANDLE  ProcessHandle,
_In_ ULONG  InFlags,
_Out_opt_ PBOOLEAN  IsDotNet,
_Out_opt_ PULONG  Flags 
)

Determines if a process is managed.

Parameters
ProcessIdThe ID of the process.
ProcessHandleAn optional handle to the process. The handle must have PROCESS_QUERY_LIMITED_INFORMATION and PROCESS_VM_READ access.
InFlagsA combination of flags.
  • PH_CLR_USE_SECTION_CHECK Checks for the existence of related section objects to determine whether the process is managed.
  • PH_CLR_NO_WOW64_CHECK Instead of a separate query, uses the presence of the PH_CLR_KNOWN_IS_WOW64 flag to determine whether the process is running under WOW64.
  • PH_CLR_KNOWN_IS_WOW64 When PH_CLR_NO_WOW64_CHECK is specified, indicates that the process is running under WOW64.
IsDotNetA variable which receives a boolean indicating whether the process is managed.
FlagsA variable which receives additional flags.

Definition at line 4868 of file native.c.

NTSTATUS PhGetProcessIsPosix ( _In_ HANDLE  ProcessHandle,
_Out_ PBOOLEAN  IsPosix 
)

Gets whether the process is running under the POSIX subsystem.

Parameters
ProcessHandleA handle to a process. The handle must have PROCESS_QUERY_LIMITED_INFORMATION and PROCESS_VM_READ access.
IsPosixA variable which receives a boolean indicating whether the process is running under the POSIX subsystem.

Definition at line 991 of file native.c.

NTSTATUS PhGetProcessMappedFileName ( _In_ HANDLE  ProcessHandle,
_In_ PVOID  BaseAddress,
_Out_ PPH_STRING FileName 
)

Gets the file name of a mapped section.

Parameters
ProcessHandleA handle to a process. The handle must have PROCESS_QUERY_INFORMATION access.
BaseAddressThe base address of the section view.
FileNameA variable which receives a pointer to a string containing the file name of the section. You must free the string using PhDereferenceObject() when you no longer need it.

Definition at line 1433 of file native.c.

NTSTATUS PhGetProcessPebString ( _In_ HANDLE  ProcessHandle,
_In_ PH_PEB_OFFSET  Offset,
_Out_ PPH_STRING String 
)

Gets a string stored in a process' parameters structure.

Parameters
ProcessHandleA handle to a process. The handle must have PROCESS_QUERY_LIMITED_INFORMATION and PROCESS_VM_READ access.
OffsetThe string to retrieve.
StringA variable which receives a pointer to the requested string. You must free the string using PhDereferenceObject() when you no longer need it.
Return values
STATUS_INVALID_PARAMETER_2An invalid value was specified in the Offset parameter.

Definition at line 702 of file native.c.

NTSTATUS PhGetProcessPosixCommandLine ( _In_ HANDLE  ProcessHandle,
_Out_ PPH_STRING CommandLine 
)

Gets the POSIX command line of a process.

Parameters
ProcessHandleA handle to a process. The handle must have PROCESS_QUERY_LIMITED_INFORMATION and PROCESS_VM_READ access.
CommandLineA variable which receives a pointer to a string containing the POSIX command line. You must free the string using PhDereferenceObject() when you no longer need it.
Return values
STATUS_UNSUCCESSFULThe command line of the process could not be retrieved because it is too large.
Remarks
Do not use this function on a non-POSIX process. Use the PhGetProcessIsPosix() function to determine whether a process is running under the POSIX subsystem.

Definition at line 1109 of file native.c.

NTSTATUS PhGetProcessWindowTitle ( _In_ HANDLE  ProcessHandle,
_Out_ PULONG  WindowFlags,
_Out_ PPH_STRING WindowTitle 
)

Gets the window flags and window title of a process.

Parameters
ProcessHandleA handle to a process. The handle must have PROCESS_QUERY_LIMITED_INFORMATION. Before Windows 7 SP1, the handle must also have PROCESS_VM_READ access.
WindowFlagsA variable which receives the window flags.
WindowTitleA variable which receives a pointer to the window title. You must free the string using PhDereferenceObject() when you no longer need it.

Definition at line 874 of file native.c.

NTSTATUS PhGetProcessWorkingSetInformation ( _In_ HANDLE  ProcessHandle,
_Out_ PMEMORY_WORKING_SET_INFORMATION WorkingSetInformation 
)

Gets working set information for a process.

Parameters
ProcessHandleA handle to a process. The handle must have PROCESS_QUERY_INFORMATION access.
WorkingSetInformationA variable which receives a pointer to the information. You must free the buffer using PhFree() when you no longer need it.

Definition at line 1498 of file native.c.

NTSTATUS PhGetProcessWsCounters ( _In_ HANDLE  ProcessHandle,
_Out_ PPH_PROCESS_WS_COUNTERS  WsCounters 
)

Gets working set counters for a process.

Parameters
ProcessHandleA handle to a process. The handle must have PROCESS_QUERY_INFORMATION access.
WsCountersA variable which receives the counters.

Definition at line 1548 of file native.c.

NTSTATUS PhGetResourceManagerBasicInformation ( _In_ HANDLE  ResourceManagerHandle,
_Out_opt_ PGUID  Guid,
_Out_opt_ PPH_STRING Description 
)

Definition at line 2829 of file native.c.

NTSTATUS PhGetThreadContext ( _In_ HANDLE  ThreadHandle,
_Inout_ PCONTEXT  Context 
)

Gets the processor context of a thread.

Parameters
ThreadHandleA handle to a thread. The handle must have THREAD_GET_CONTEXT access.
ContextA variable which receives the context structure.

Definition at line 441 of file native.c.

NTSTATUS PhGetTokenGroups ( _In_ HANDLE  TokenHandle,
_Out_ PTOKEN_GROUPS *  Groups 
)

Gets a token's groups.

Parameters
TokenHandleA handle to a token. The handle must have TOKEN_QUERY access.
GroupsA variable which receives a pointer to a structure containing the token's groups. You must free the structure using PhFree() when you no longer need it.

Definition at line 2252 of file native.c.

NTSTATUS PhGetTokenIntegrityLevel ( _In_ HANDLE  TokenHandle,
_Out_opt_ PMANDATORY_LEVEL  IntegrityLevel,
_Out_opt_ PWSTR *  IntegrityString 
)

Gets a token's integrity level.

Parameters
TokenHandleA handle to a token. The handle must have TOKEN_QUERY access.
IntegrityLevelA variable which receives the integrity level of the token.
IntegrityStringA variable which receives a pointer to a string representation of the integrity level.

Definition at line 2411 of file native.c.

NTSTATUS PhGetTokenOwner ( _In_ HANDLE  TokenHandle,
_Out_ PTOKEN_OWNER *  Owner 
)

Gets a token's owner.

Parameters
TokenHandleA handle to a token. The handle must have TOKEN_QUERY access.
OwnerA variable which receives a pointer to a structure containing the token's owner. You must free the structure using PhFree() when you no longer need it.

Definition at line 2208 of file native.c.

NTSTATUS PhGetTokenPrimaryGroup ( _In_ HANDLE  TokenHandle,
_Out_ PTOKEN_PRIMARY_GROUP *  PrimaryGroup 
)

Gets a token's primary group.

Parameters
TokenHandleA handle to a token. The handle must have TOKEN_QUERY access.
PrimaryGroupA variable which receives a pointer to a structure containing the token's primary group. You must free the structure using PhFree() when you no longer need it.

Definition at line 2230 of file native.c.

NTSTATUS PhGetTokenPrivileges ( _In_ HANDLE  TokenHandle,
_Out_ PTOKEN_PRIVILEGES *  Privileges 
)

Gets a token's privileges.

Parameters
TokenHandleA handle to a token. The handle must have TOKEN_QUERY access.
PrivilegesA variable which receives a pointer to a structure containing the token's privileges. You must free the structure using PhFree() when you no longer need it.

Definition at line 2274 of file native.c.

NTSTATUS PhGetTokenUser ( _In_ HANDLE  TokenHandle,
_Out_ PTOKEN_USER *  User 
)

Gets a token's user.

Parameters
TokenHandleA handle to a token. The handle must have TOKEN_QUERY access.
UserA variable which receives a pointer to a structure containing the token's user. You must free the structure using PhFree() when you no longer need it.

Definition at line 2186 of file native.c.

NTSTATUS PhGetTransactionBasicInformation ( _In_ HANDLE  TransactionHandle,
_Out_ PTRANSACTION_BASIC_INFORMATION  BasicInformation 
)

Definition at line 2713 of file native.c.

NTSTATUS PhGetTransactionManagerBasicInformation ( _In_ HANDLE  TransactionManagerHandle,
_Out_ PTRANSACTIONMANAGER_BASIC_INFORMATION  BasicInformation 
)

Definition at line 2613 of file native.c.

NTSTATUS PhGetTransactionManagerLogFileName ( _In_ HANDLE  TransactionManagerHandle,
_Out_ PPH_STRING LogFileName 
)

Definition at line 2634 of file native.c.

NTSTATUS PhGetTransactionPropertiesInformation ( _In_ HANDLE  TransactionHandle,
_Out_opt_ PLARGE_INTEGER  Timeout,
_Out_opt_ TRANSACTION_OUTCOME *  Outcome,
_Out_opt_ PPH_STRING Description 
)

Definition at line 2734 of file native.c.

VOID PhInitializeDevicePrefixes ( VOID  )

Initializes the device prefixes module.

Definition at line 5246 of file native.c.

NTSTATUS PhInjectDllProcess ( _In_ HANDLE  ProcessHandle,
_In_ PWSTR  FileName,
_In_opt_ PLARGE_INTEGER  Timeout 
)

Causes a process to load a DLL.

Parameters
ProcessHandleA handle to a process. The handle must have PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ and PROCESS_VM_WRITE access.
FileNameThe file name of the DLL to inject.
TimeoutThe timeout, in milliseconds, for the process to load the DLL.
Remarks
If the process does not load the DLL before the timeout expires, it may crash. Choose the timeout value carefully.

Definition at line 1741 of file native.c.

NTSTATUS PhOpenDriverByBaseAddress ( _Out_ PHANDLE  DriverHandle,
_In_ PVOID  BaseAddress 
)

Opens a driver object using a base address.

Parameters
DriverHandleA variable which receives a handle to the driver object.
BaseAddressThe base address of the driver to open.
Return values
STATUS_OBJECT_NAME_NOT_FOUNDThe driver could not be found.
Remarks
This function requires a valid KProcessHacker handle.

Definition at line 2969 of file native.c.

NTSTATUS PhOpenKey ( _Out_ PHANDLE  KeyHandle,
_In_ ACCESS_MASK  DesiredAccess,
_In_opt_ HANDLE  RootDirectory,
_In_ PPH_STRINGREF  ObjectName,
_In_ ULONG  Attributes 
)

Opens a registry key.

Parameters
KeyHandleA variable which receives a handle to the key.
DesiredAccessThe desired access to the key.
RootDirectoryA handle to a root key, or one of the predefined keys. See PhCreateKey() for details.
ObjectNameThe path to the key.
AttributesAdditional object flags.

Definition at line 6344 of file native.c.

NTSTATUS PhOpenProcess ( _Out_ PHANDLE  ProcessHandle,
_In_ ACCESS_MASK  DesiredAccess,
_In_ HANDLE  ProcessId 
)

Opens a process.

Parameters
ProcessHandleA variable which receives a handle to the process.
DesiredAccessThe desired access to the process.
ProcessIdThe ID of the process.

Definition at line 72 of file native.c.

NTSTATUS PhOpenProcessToken ( _Out_ PHANDLE  TokenHandle,
_In_ ACCESS_MASK  DesiredAccess,
_In_ HANDLE  ProcessHandle 
)

Opens a process token.

Parameters
TokenHandleA variable which receives a handle to the token.
DesiredAccessThe desired access to the token.
ProcessHandleA handle to a process.

Definition at line 185 of file native.c.

NTSTATUS PhOpenThread ( _Out_ PHANDLE  ThreadHandle,
_In_ ACCESS_MASK  DesiredAccess,
_In_ HANDLE  ThreadId 
)

Opens a thread.

Parameters
ThreadHandleA variable which receives a handle to the thread.
DesiredAccessThe desired access to the thread.
ThreadIdThe ID of the thread.

Definition at line 112 of file native.c.

NTSTATUS PhOpenThreadProcess ( _Out_ PHANDLE  ProcessHandle,
_In_ ACCESS_MASK  DesiredAccess,
_In_ HANDLE  ThreadHandle 
)

Definition at line 145 of file native.c.

NTSTATUS PhOpenThreadToken ( _Out_ PHANDLE  TokenHandle,
_In_ ACCESS_MASK  DesiredAccess,
_In_ HANDLE  ThreadHandle,
_In_ BOOLEAN  OpenAsSelf 
)

Opens a thread token.

Parameters
TokenHandleA variable which receives a handle to the token.
DesiredAccessThe desired access to the token.
ThreadHandleA handle to a thread.
OpenAsSelfTRUE to use the primary token for access checks, FALSE to use the impersonation token.

Definition at line 218 of file native.c.

BOOLEAN NTAPI PhpBaseAddressHashtableCompareFunction ( _In_ PVOID  Entry1,
_In_ PVOID  Entry2 
)

Definition at line 5973 of file native.c.

ULONG NTAPI PhpBaseAddressHashtableHashFunction ( _In_ PVOID  Entry)

Definition at line 5981 of file native.c.

BOOLEAN PhpCallbackMappedFileOrImage ( _In_ PVOID  AllocationBase,
_In_ SIZE_T  AllocationSize,
_In_ ULONG  Type,
_In_ PPH_STRING  FileName,
_In_ PPH_ENUM_GENERIC_MODULES_CALLBACK  Callback,
_In_opt_ PVOID  Context,
_In_ PPH_HASHTABLE  BaseAddressHashtable 
)

Definition at line 5815 of file native.c.

VOID PhpEnumGenericMappedFilesAndImages ( _In_ HANDLE  ProcessHandle,
_In_ ULONG  Flags,
_In_ PPH_ENUM_GENERIC_MODULES_CALLBACK  Callback,
_In_opt_ PVOID  Context,
_In_ PPH_HASHTABLE  BaseAddressHashtable 
)

Definition at line 5848 of file native.c.

NTSTATUS PhpEnumProcessModules ( _In_ HANDLE  ProcessHandle,
_In_ PPHP_ENUM_PROCESS_MODULES_CALLBACK  Callback,
_In_opt_ PVOID  Context1,
_In_opt_ PVOID  Context2 
)

Definition at line 3350 of file native.c.

NTSTATUS PhpEnumProcessModules32 ( _In_ HANDLE  ProcessHandle,
_In_ PPHP_ENUM_PROCESS_MODULES32_CALLBACK  Callback,
_In_opt_ PVOID  Context1,
_In_opt_ PVOID  Context2 
)

Definition at line 3697 of file native.c.

BOOLEAN NTAPI PhpEnumProcessModules32Callback ( _In_ HANDLE  ProcessHandle,
_In_ PLDR_DATA_TABLE_ENTRY32  Entry,
_In_ ULONG  AddressOfEntry,
_In_opt_ PVOID  Context1,
_In_opt_ PVOID  Context2 
)

Definition at line 3803 of file native.c.

BOOLEAN NTAPI PhpEnumProcessModulesCallback ( _In_ HANDLE  ProcessHandle,
_In_ PLDR_DATA_TABLE_ENTRY  Entry,
_In_ PVOID  AddressOfEntry,
_In_opt_ PVOID  Context1,
_In_opt_ PVOID  Context2 
)

Definition at line 3453 of file native.c.

NTSTATUS PhpInitializeKeyObjectAttributes ( _In_opt_ HANDLE  RootDirectory,
_In_ PUNICODE_STRING  ObjectName,
_In_ ULONG  Attributes,
_Out_ POBJECT_ATTRIBUTES  ObjectAttributes,
_Out_ PHANDLE  NeedsClose 
)

Initializes the attributes of a key object for creating/opening.

Parameters
RootDirectoryA handle to a root key, or one of the predefined keys. See PhCreateKey() for details.
ObjectNameThe path to the key.
AttributesAdditional object flags.
ObjectAttributesThe OBJECT_ATTRIBUTES structure to initialize.
NeedsCloseA variable which receives a handle that must be closed when the create/open operation is finished. The variable may be set to NULL if no handle needs to be closed.

Definition at line 6190 of file native.c.

VOID PhpInitializePredefineKeys ( VOID  )

Initializes usage of predefined keys.

Definition at line 6134 of file native.c.

BOOLEAN NTAPI PhpIsDotNetEnumProcessModulesCallback ( _In_ PLDR_DATA_TABLE_ENTRY  Module,
_In_opt_ PVOID  Context 
)

Definition at line 4766 of file native.c.

BOOLEAN NTAPI PhpOpenDriverByBaseAddressCallback ( _In_ PPH_STRINGREF  Name,
_In_ PPH_STRINGREF  TypeName,
_In_opt_ PVOID  Context 
)

Definition at line 2893 of file native.c.

NTSTATUS PhpQueryDriverVariableSize ( _In_ HANDLE  DriverHandle,
_In_ DRIVER_INFORMATION_CLASS  DriverInformationClass,
_Out_ PVOID *  Buffer 
)

Queries variable-sized information for a driver.

The function allocates a buffer to contain the information.

Parameters
DriverHandleA handle to a driver. The access required depends on the information class specified.
DriverInformationClassThe information class to retrieve.
BufferA variable which receives a pointer to a buffer containing the information. You must free the buffer using PhFree() when you no longer need it.
Remarks
This function requires a valid KProcessHacker handle.

Definition at line 3034 of file native.c.

NTSTATUS PhpQueryFileVariableSize ( _In_ HANDLE  FileHandle,
_In_ FILE_INFORMATION_CLASS  FileInformationClass,
_Out_ PVOID *  Buffer 
)

Definition at line 2469 of file native.c.

NTSTATUS PhpQueryProcessVariableSize ( _In_ HANDLE  ProcessHandle,
_In_ PROCESSINFOCLASS  ProcessInformationClass,
_Out_ PVOID *  Buffer 
)

Queries variable-sized information for a process.

The function allocates a buffer to contain the information.

Parameters
ProcessHandleA handle to a process. The access required depends on the information class specified.
ProcessInformationClassThe information class to retrieve.
BufferA variable which receives a pointer to a buffer containing the information. You must free the buffer using PhFree() when you no longer need it.

Definition at line 579 of file native.c.

NTSTATUS PhpQueryResourceManagerVariableSize ( _In_ HANDLE  ResourceManagerHandle,
_In_ RESOURCEMANAGER_INFORMATION_CLASS  ResourceManagerInformationClass,
_Out_ PVOID *  Buffer 
)

Definition at line 2776 of file native.c.

NTSTATUS PhpQueryTokenVariableSize ( _In_ HANDLE  TokenHandle,
_In_ TOKEN_INFORMATION_CLASS  TokenInformationClass,
_Out_ PVOID *  Buffer 
)

Queries variable-sized information for a token.

The function allocates a buffer to contain the information.

Parameters
TokenHandleA handle to a token. The access required depends on the information class specified.
TokenInformationClassThe information class to retrieve.
BufferA variable which receives a pointer to a buffer containing the information. You must free the buffer using PhFree() when you no longer need it.

Definition at line 2114 of file native.c.

NTSTATUS PhpQueryTransactionManagerVariableSize ( _In_ HANDLE  TransactionManagerHandle,
_In_ TRANSACTIONMANAGER_INFORMATION_CLASS  TransactionManagerInformationClass,
_Out_ PVOID *  Buffer 
)

Definition at line 2560 of file native.c.

NTSTATUS PhpQueryTransactionVariableSize ( _In_ HANDLE  TransactionHandle,
_In_ TRANSACTION_INFORMATION_CLASS  TransactionInformationClass,
_Out_ PVOID *  Buffer 
)

Definition at line 2660 of file native.c.

VOID PhpRtlModulesExToGenericModules ( _In_ PRTL_PROCESS_MODULE_INFORMATION_EX  Modules,
_In_ PPH_ENUM_GENERIC_MODULES_CALLBACK  Callback,
_In_opt_ PVOID  Context,
_In_ PPH_HASHTABLE  BaseAddressHashtable 
)

Definition at line 5756 of file native.c.

VOID PhpRtlModulesToGenericModules ( _In_ PRTL_PROCESS_MODULES  Modules,
_In_ PPH_ENUM_GENERIC_MODULES_CALLBACK  Callback,
_In_opt_ PVOID  Context,
_In_ PPH_HASHTABLE  BaseAddressHashtable 
)

Definition at line 5684 of file native.c.

BOOLEAN NTAPI PhpSetProcessModuleLoadCount32Callback ( _In_ HANDLE  ProcessHandle,
_In_ PLDR_DATA_TABLE_ENTRY32  Entry,
_In_ ULONG  AddressOfEntry,
_In_opt_ PVOID  Context1,
_In_opt_ PVOID  Context2 
)

Definition at line 4017 of file native.c.

BOOLEAN NTAPI PhpSetProcessModuleLoadCountCallback ( _In_ HANDLE  ProcessHandle,
_In_ PLDR_DATA_TABLE_ENTRY  Entry,
_In_ PVOID  AddressOfEntry,
_In_opt_ PVOID  Context1,
_In_opt_ PVOID  Context2 
)

Definition at line 3634 of file native.c.

NTSTATUS PhpUnloadDriver ( _In_ PPH_STRING  ServiceKeyName)

Definition at line 3144 of file native.c.

NTSTATUS PhQueryTokenVariableSize ( _In_ HANDLE  TokenHandle,
_In_ TOKEN_INFORMATION_CLASS  TokenInformationClass,
_Out_ PVOID *  Buffer 
)

Queries variable-sized information for a token.

The function allocates a buffer to contain the information.

Parameters
TokenHandleA handle to a token. The access required depends on the information class specified.
TokenInformationClassThe information class to retrieve.
BufferA variable which receives a pointer to a buffer containing the information. You must free the buffer using PhFree() when you no longer need it.

Definition at line 2163 of file native.c.

NTSTATUS PhReadVirtualMemory ( _In_ HANDLE  ProcessHandle,
_In_ PVOID  BaseAddress,
_Out_writes_bytes_(BufferSize) PVOID  Buffer,
_In_ SIZE_T  BufferSize,
_Out_opt_ PSIZE_T  NumberOfBytesRead 
)

Copies memory from another process into the current process.

Parameters
ProcessHandleA handle to a process. The handle must have PROCESS_VM_READ access.
BaseAddressThe address from which memory is to be copied.
BufferA buffer which receives the copied memory.
BufferSizeThe number of bytes to copy.
NumberOfBytesReadA variable which receives the number of bytes copied to the buffer.

Definition at line 489 of file native.c.

PPH_STRING PhResolveDevicePrefix ( _In_ PPH_STRING  Name)

Resolves a NT path into a Win32 path.

Parameters
NameA string containing the path to resolve.
Returns
A pointer to a string containing the Win32 path. You must free the string using PhDereferenceObject() when you no longer need it.

Definition at line 5428 of file native.c.

NTSTATUS PhResumeProcess ( _In_ HANDLE  ProcessHandle)

Resumes a process' threads.

Parameters
ProcessHandleA handle to a process. The handle must have PROCESS_SUSPEND_RESUME access.

Definition at line 353 of file native.c.

NTSTATUS PhResumeThread ( _In_ HANDLE  ThreadHandle,
_Out_opt_ PULONG  PreviousSuspendCount 
)

Resumes a thread.

Parameters
ThreadHandleA handle to a thread. The handle must have THREAD_SUSPEND_RESUME access.
PreviousSuspendCountA variable which receives the thread's suspend count as it was before this call.

Definition at line 425 of file native.c.

NTSTATUS PhSetFileSize ( _In_ HANDLE  FileHandle,
_In_ PLARGE_INTEGER  Size 
)

Definition at line 2541 of file native.c.

NTSTATUS PhSetObjectSecurity ( _In_ HANDLE  Handle,
_In_ SECURITY_INFORMATION  SecurityInformation,
_In_ PSECURITY_DESCRIPTOR  SecurityDescriptor 
)

Definition at line 282 of file native.c.

NTSTATUS PhSetProcessDepStatus ( _In_ HANDLE  ProcessHandle,
_In_ ULONG  DepStatus 
)

Definition at line 1639 of file native.c.

NTSTATUS PhSetProcessDepStatusInvasive ( _In_ HANDLE  ProcessHandle,
_In_ ULONG  DepStatus,
_In_opt_ PLARGE_INTEGER  Timeout 
)

Definition at line 1659 of file native.c.

NTSTATUS PhSetProcessExecuteFlags ( _In_ HANDLE  ProcessHandle,
_In_ ULONG  ExecuteFlags 
)

Sets a process' no-execute status.

Parameters
ProcessHandleA handle to a process.
ExecuteFlagsThe new no-execute flags.
Remarks
This function requires a valid KProcessHacker handle.

Definition at line 1626 of file native.c.

NTSTATUS PhSetProcessIoPriority ( _In_ HANDLE  ProcessHandle,
_In_ ULONG  IoPriority 
)

Sets a process' I/O priority.

Parameters
ProcessHandleA handle to a process. The handle must have PROCESS_SET_INFORMATION access.
IoPriorityThe new I/O priority.

Definition at line 1592 of file native.c.

NTSTATUS PhSetProcessModuleLoadCount ( _In_ HANDLE  ProcessHandle,
_In_ PVOID  BaseAddress,
_In_ ULONG  LoadCount 
)

Sets the load count of a process module.

Parameters
ProcessHandleA handle to a process. The handle must have PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_VM_READ and PROCESS_VM_WRITE access.
BaseAddressThe base address of a module.
LoadCountThe new load count of the module.
Return values
STATUS_DLL_NOT_FOUNDThe module was not found.

Definition at line 3671 of file native.c.

NTSTATUS PhSetProcessModuleLoadCount32 ( _In_ HANDLE  ProcessHandle,
_In_ PVOID  BaseAddress,
_In_ ULONG  LoadCount 
)

Sets the load count of a 32-bit process module.

Parameters
ProcessHandleA handle to a process. The handle must have PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_VM_READ and PROCESS_VM_WRITE access.
BaseAddressThe base address of a module.
LoadCountThe new load count of the module.
Return values
STATUS_DLL_NOT_FOUNDThe module was not found.
STATUS_NOT_SUPPORTEDThe process is not running under WOW64.
Remarks
Do not use this function under a 32-bit environment.

Definition at line 4059 of file native.c.

NTSTATUS PhSetThreadContext ( _In_ HANDLE  ThreadHandle,
_In_ PCONTEXT  Context 
)

Sets the processor context of a thread.

Parameters
ThreadHandleA handle to a thread. The handle must have THREAD_SET_CONTEXT access.
ContextThe new context structure.

Definition at line 463 of file native.c.

NTSTATUS PhSetThreadIoPriority ( _In_ HANDLE  ThreadHandle,
_In_ ULONG  IoPriority 
)

Sets a thread's I/O priority.

Parameters
ThreadHandleA handle to a thread. The handle must have THREAD_SET_LIMITED_INFORMATION access.
IoPriorityThe new I/O priority.

Definition at line 2033 of file native.c.

NTSTATUS PhSetTokenIsVirtualizationEnabled ( _In_ HANDLE  TokenHandle,
_In_ BOOLEAN  IsVirtualizationEnabled 
)

Sets whether virtualization is enabled for a token.

Parameters
TokenHandleA handle to a token. The handle must have TOKEN_WRITE access.
IsVirtualizationEnabledA boolean indicating whether virtualization is to be enabled for the token.

Definition at line 2383 of file native.c.

BOOLEAN PhSetTokenPrivilege ( _In_ HANDLE  TokenHandle,
_In_opt_ PWSTR  PrivilegeName,
_In_opt_ PLUID  PrivilegeLuid,
_In_ ULONG  Attributes 
)

Modifies a token privilege.

Parameters
TokenHandleA handle to a token. The handle must have TOKEN_ADJUST_PRIVILEGES access.
PrivilegeNameThe name of the privilege to modify. If this parameter is NULL, you must specify a LUID in the PrivilegeLuid parameter.
PrivilegeLuidThe LUID of the privilege to modify. If this parameter is NULL, you must specify a name in the PrivilegeName parameter.
AttributesThe new attributes of the privilege.

Definition at line 2312 of file native.c.

BOOLEAN PhSetTokenPrivilege2 ( _In_ HANDLE  TokenHandle,
_In_ LONG  Privilege,
_In_ ULONG  Attributes 
)

Definition at line 2362 of file native.c.

NTSTATUS PhSetTokenSessionId ( _In_ HANDLE  TokenHandle,
_In_ ULONG  SessionId 
)

Definition at line 2286 of file native.c.

NTSTATUS PhSuspendProcess ( _In_ HANDLE  ProcessHandle)

Suspends a process' threads.

Parameters
ProcessHandleA handle to a process. The handle must have PROCESS_SUSPEND_RESUME access.

Definition at line 333 of file native.c.

NTSTATUS PhSuspendThread ( _In_ HANDLE  ThreadHandle,
_Out_opt_ PULONG  PreviousSuspendCount 
)

Suspends a thread.

Parameters
ThreadHandleA handle to a thread. The handle must have THREAD_SUSPEND_RESUME access.
PreviousSuspendCountA variable which receives the thread's suspend count as it was before this call.

Definition at line 409 of file native.c.

NTSTATUS PhTerminateProcess ( _In_ HANDLE  ProcessHandle,
_In_ NTSTATUS  ExitStatus 
)

Terminates a process.

Parameters
ProcessHandleA handle to a process. The handle must have PROCESS_TERMINATE access.
ExitStatusA status value that indicates why the process is being terminated.

Definition at line 303 of file native.c.

NTSTATUS PhTerminateThread ( _In_ HANDLE  ThreadHandle,
_In_ NTSTATUS  ExitStatus 
)

Terminates a thread.

Parameters
ThreadHandleA handle to a thread. The handle must have THREAD_TERMINATE access.
ExitStatusA status value that indicates why the thread is being terminated.

Definition at line 375 of file native.c.

NTSTATUS PhUnloadDllProcess ( _In_ HANDLE  ProcessHandle,
_In_ PVOID  BaseAddress,
_In_opt_ PLARGE_INTEGER  Timeout 
)

Causes a process to unload a DLL.

Parameters
ProcessHandleA handle to a process. The handle must have PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ and PROCESS_VM_WRITE access.
BaseAddressThe base address of the DLL to unload.
TimeoutThe timeout, in milliseconds, for the process to unload the DLL.

Definition at line 1891 of file native.c.

NTSTATUS PhUnloadDriver ( _In_opt_ PVOID  BaseAddress,
_In_opt_ PWSTR  Name 
)

Unloads a driver.

Parameters
BaseAddressThe base address of the driver. This parameter can be NULL if a value is specified in Name.
NameThe base name of the driver. This parameter can be NULL if a value is specified in BaseAddress and KProcessHacker is loaded.
Return values
STATUS_INVALID_PARAMETER_MIXBoth BaseAddress and Name were null, or Name was not specified and KProcessHacker is not loaded.
STATUS_OBJECT_NAME_NOT_FOUNDThe driver could not be found.

Definition at line 3227 of file native.c.

VOID PhUpdateDosDevicePrefixes ( VOID  )

Updates the DOS device names array.

Definition at line 5366 of file native.c.

VOID PhUpdateMupDevicePrefixes ( VOID  )

Definition at line 5265 of file native.c.

NTSTATUS PhWriteVirtualMemory ( _In_ HANDLE  ProcessHandle,
_In_ PVOID  BaseAddress,
_In_reads_bytes_(BufferSize) PVOID  Buffer,
_In_ SIZE_T  BufferSize,
_Out_opt_ PSIZE_T  NumberOfBytesWritten 
)

Copies memory from the current process into another process.

Parameters
ProcessHandleA handle to a process. The handle must have PROCESS_VM_WRITE access.
BaseAddressThe address to which memory is to be copied.
BufferA buffer which contains the memory to copy.
BufferSizeThe number of bytes to copy.
NumberOfBytesWrittenA variable which receives the number of bytes copied from the buffer.

Definition at line 536 of file native.c.