Process Hacker
ntpsapi.h
Go to the documentation of this file.
1 #ifndef _NTPSAPI_H
2 #define _NTPSAPI_H
3 
4 #if (PHNT_MODE == PHNT_MODE_KERNEL)
5 #define PROCESS_TERMINATE 0x0001
6 #define PROCESS_CREATE_THREAD 0x0002
7 #define PROCESS_SET_SESSIONID 0x0004
8 #define PROCESS_VM_OPERATION 0x0008
9 #define PROCESS_VM_READ 0x0010
10 #define PROCESS_VM_WRITE 0x0020
11 #define PROCESS_CREATE_PROCESS 0x0080
12 #define PROCESS_SET_QUOTA 0x0100
13 #define PROCESS_SET_INFORMATION 0x0200
14 #define PROCESS_QUERY_INFORMATION 0x0400
15 #define PROCESS_SET_PORT 0x0800
16 #define PROCESS_SUSPEND_RESUME 0x0800
17 #define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
18 #else
19 #ifndef PROCESS_SET_PORT
20 #define PROCESS_SET_PORT 0x0800
21 #endif
22 #endif
23 
24 #if (PHNT_MODE == PHNT_MODE_KERNEL)
25 #define THREAD_QUERY_INFORMATION 0x0040
26 #define THREAD_SET_THREAD_TOKEN 0x0080
27 #define THREAD_IMPERSONATE 0x0100
28 #define THREAD_DIRECT_IMPERSONATION 0x0200
29 #else
30 #ifndef THREAD_ALERT
31 #define THREAD_ALERT 0x0004
32 #endif
33 #endif
34 
35 #if (PHNT_MODE == PHNT_MODE_KERNEL)
36 #define JOB_OBJECT_ASSIGN_PROCESS 0x0001
37 #define JOB_OBJECT_SET_ATTRIBUTES 0x0002
38 #define JOB_OBJECT_QUERY 0x0004
39 #define JOB_OBJECT_TERMINATE 0x0008
40 #define JOB_OBJECT_SET_SECURITY_ATTRIBUTES 0x0010
41 #define JOB_OBJECT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1f)
42 #endif
43 
44 #define GDI_HANDLE_BUFFER_SIZE32 34
45 #define GDI_HANDLE_BUFFER_SIZE64 60
46 
47 #ifndef WIN64
48 #define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32
49 #else
50 #define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE64
51 #endif
52 
53 typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE];
54 
55 typedef ULONG GDI_HANDLE_BUFFER32[GDI_HANDLE_BUFFER_SIZE32];
56 typedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64];
57 
58 #define FLS_MAXIMUM_AVAILABLE 128
59 #define TLS_MINIMUM_AVAILABLE 64
60 #define TLS_EXPANSION_SLOTS 1024
61 
62 // symbols
63 typedef struct _PEB_LDR_DATA
64 {
65  ULONG Length;
66  BOOLEAN Initialized;
67  HANDLE SsHandle;
68  LIST_ENTRY InLoadOrderModuleList;
69  LIST_ENTRY InMemoryOrderModuleList;
70  LIST_ENTRY InInitializationOrderModuleList;
71  PVOID EntryInProgress;
72  BOOLEAN ShutdownInProgress;
73  HANDLE ShutdownThreadId;
74 } PEB_LDR_DATA, *PPEB_LDR_DATA;
75 
76 typedef struct _INITIAL_TEB
77 {
78  struct
79  {
80  PVOID OldStackBase;
81  PVOID OldStackLimit;
82  } OldInitialTeb;
83  PVOID StackBase;
84  PVOID StackLimit;
85  PVOID StackAllocationBase;
86 } INITIAL_TEB, *PINITIAL_TEB;
87 
88 typedef struct _WOW64_PROCESS
89 {
90  PVOID Wow64;
91 } WOW64_PROCESS, *PWOW64_PROCESS;
92 
93 #include <ntpebteb.h>
94 
95 // source:http://www.microsoft.com/whdc/system/Sysinternals/MoreThan64proc.mspx
96 
97 #if (PHNT_MODE != PHNT_MODE_KERNEL)
98 typedef enum _PROCESSINFOCLASS
99 {
100  ProcessBasicInformation, // 0, q: PROCESS_BASIC_INFORMATION, PROCESS_EXTENDED_BASIC_INFORMATION
101  ProcessQuotaLimits, // qs: QUOTA_LIMITS, QUOTA_LIMITS_EX
102  ProcessIoCounters, // q: IO_COUNTERS
103  ProcessVmCounters, // q: VM_COUNTERS, VM_COUNTERS_EX, VM_COUNTERS_EX2
104  ProcessTimes, // q: KERNEL_USER_TIMES
105  ProcessBasePriority, // s: KPRIORITY
106  ProcessRaisePriority, // s: ULONG
107  ProcessDebugPort, // q: HANDLE
108  ProcessExceptionPort, // s: HANDLE
109  ProcessAccessToken, // s: PROCESS_ACCESS_TOKEN
110  ProcessLdtInformation, // 10, qs: PROCESS_LDT_INFORMATION
111  ProcessLdtSize, // s: PROCESS_LDT_SIZE
112  ProcessDefaultHardErrorMode, // qs: ULONG
113  ProcessIoPortHandlers, // (kernel-mode only)
114  ProcessPooledUsageAndLimits, // q: POOLED_USAGE_AND_LIMITS
115  ProcessWorkingSetWatch, // q: PROCESS_WS_WATCH_INFORMATION[]; s: void
116  ProcessUserModeIOPL,
117  ProcessEnableAlignmentFaultFixup, // s: BOOLEAN
118  ProcessPriorityClass, // qs: PROCESS_PRIORITY_CLASS
119  ProcessWx86Information,
120  ProcessHandleCount, // 20, q: ULONG, PROCESS_HANDLE_INFORMATION
121  ProcessAffinityMask, // s: KAFFINITY
122  ProcessPriorityBoost, // qs: ULONG
123  ProcessDeviceMap, // qs: PROCESS_DEVICEMAP_INFORMATION, PROCESS_DEVICEMAP_INFORMATION_EX
124  ProcessSessionInformation, // q: PROCESS_SESSION_INFORMATION
125  ProcessForegroundInformation, // s: PROCESS_FOREGROUND_BACKGROUND
126  ProcessWow64Information, // q: ULONG_PTR
127  ProcessImageFileName, // q: UNICODE_STRING
128  ProcessLUIDDeviceMapsEnabled, // q: ULONG
129  ProcessBreakOnTermination, // qs: ULONG
130  ProcessDebugObjectHandle, // 30, q: HANDLE
131  ProcessDebugFlags, // qs: ULONG
132  ProcessHandleTracing, // q: PROCESS_HANDLE_TRACING_QUERY; s: size 0 disables, otherwise enables
133  ProcessIoPriority, // qs: ULONG
134  ProcessExecuteFlags, // qs: ULONG
135  ProcessResourceManagement,
136  ProcessCookie, // q: ULONG
137  ProcessImageInformation, // q: SECTION_IMAGE_INFORMATION
138  ProcessCycleTime, // q: PROCESS_CYCLE_TIME_INFORMATION // since VISTA
139  ProcessPagePriority, // q: ULONG
140  ProcessInstrumentationCallback, // 40
141  ProcessThreadStackAllocation, // s: PROCESS_STACK_ALLOCATION_INFORMATION, PROCESS_STACK_ALLOCATION_INFORMATION_EX
142  ProcessWorkingSetWatchEx, // q: PROCESS_WS_WATCH_INFORMATION_EX[]
143  ProcessImageFileNameWin32, // q: UNICODE_STRING
144  ProcessImageFileMapping, // q: HANDLE (input)
145  ProcessAffinityUpdateMode, // qs: PROCESS_AFFINITY_UPDATE_MODE
146  ProcessMemoryAllocationMode, // qs: PROCESS_MEMORY_ALLOCATION_MODE
147  ProcessGroupInformation, // q: USHORT[]
148  ProcessTokenVirtualizationEnabled, // s: ULONG
149  ProcessConsoleHostProcess, // q: ULONG_PTR
150  ProcessWindowInformation, // 50, q: PROCESS_WINDOW_INFORMATION
151  ProcessHandleInformation, // q: PROCESS_HANDLE_SNAPSHOT_INFORMATION // since WIN8
152  ProcessMitigationPolicy, // s: PROCESS_MITIGATION_POLICY_INFORMATION
153  ProcessDynamicFunctionTableInformation,
154  ProcessHandleCheckingMode,
155  ProcessKeepAliveCount, // q: PROCESS_KEEPALIVE_COUNT_INFORMATION
156  ProcessRevokeFileHandles, // s: PROCESS_REVOKE_FILE_HANDLES_INFORMATION
157  ProcessWorkingSetControl, // s: PROCESS_WORKING_SET_CONTROL
158  ProcessHandleTable, // since WINBLUE
159  ProcessCheckStackExtentsMode,
160  ProcessCommandLineInformation, // 60, q: UNICODE_STRING
161  ProcessProtectionInformation, // q: PS_PROTECTION
162  ProcessMemoryExhaustion, // PROCESS_MEMORY_EXHAUSTION_INFO // since THRESHOLD
163  ProcessFaultInformation, // PROCESS_FAULT_INFORMATION
164  ProcessTelemetryIdInformation, // PROCESS_TELEMETRY_ID_INFORMATION
165  ProcessCommitReleaseInformation, // PROCESS_COMMIT_RELEASE_INFORMATION
166  ProcessDefaultCpuSetsInformation,
167  ProcessAllowedCpuSetsInformation,
168  ProcessReserved1Information,
169  ProcessReserved2Information,
170  ProcessSubsystemProcess, // 70
171  ProcessJobMemoryInformation, // PROCESS_JOB_MEMORY_INFO
172  MaxProcessInfoClass
173 } PROCESSINFOCLASS;
174 #endif
175 
176 #if (PHNT_MODE != PHNT_MODE_KERNEL)
177 typedef enum _THREADINFOCLASS
178 {
179  ThreadBasicInformation, // q: THREAD_BASIC_INFORMATION
180  ThreadTimes, // q: KERNEL_USER_TIMES
181  ThreadPriority, // s: KPRIORITY
182  ThreadBasePriority, // s: LONG
183  ThreadAffinityMask, // s: KAFFINITY
184  ThreadImpersonationToken, // s: HANDLE
185  ThreadDescriptorTableEntry, // q: DESCRIPTOR_TABLE_ENTRY (or WOW64_DESCRIPTOR_TABLE_ENTRY)
186  ThreadEnableAlignmentFaultFixup, // s: BOOLEAN
187  ThreadEventPair,
188  ThreadQuerySetWin32StartAddress, // q: PVOID
189  ThreadZeroTlsCell, // 10
190  ThreadPerformanceCount, // q: LARGE_INTEGER
191  ThreadAmILastThread, // q: ULONG
192  ThreadIdealProcessor, // s: ULONG
193  ThreadPriorityBoost, // qs: ULONG
194  ThreadSetTlsArrayAddress,
195  ThreadIsIoPending, // q: ULONG
196  ThreadHideFromDebugger, // s: void
197  ThreadBreakOnTermination, // qs: ULONG
198  ThreadSwitchLegacyState,
199  ThreadIsTerminated, // 20, q: ULONG
200  ThreadLastSystemCall, // q: THREAD_LAST_SYSCALL_INFORMATION
201  ThreadIoPriority, // qs: ULONG
202  ThreadCycleTime, // q: THREAD_CYCLE_TIME_INFORMATION
203  ThreadPagePriority, // q: ULONG
204  ThreadActualBasePriority,
205  ThreadTebInformation, // q: THREAD_TEB_INFORMATION (requires THREAD_GET_CONTEXT + THREAD_SET_CONTEXT)
206  ThreadCSwitchMon,
207  ThreadCSwitchPmu,
208  ThreadWow64Context, // q: WOW64_CONTEXT
209  ThreadGroupInformation, // 30, q: GROUP_AFFINITY
210  ThreadUmsInformation,
211  ThreadCounterProfiling,
212  ThreadIdealProcessorEx, // q: PROCESSOR_NUMBER
213  ThreadCpuAccountingInformation, // since WIN8
214  ThreadSuspendCount, // since WINBLUE
215  ThreadHeterogeneousCpuPolicy, // KHETERO_CPU_POLICY // since THRESHOLD
216  ThreadContainerId,
217  ThreadNameInformation,
218  ThreadProperty,
219  ThreadSelectedCpuSets,
220  ThreadSystemThreadInformation,
221  MaxThreadInfoClass
222 } THREADINFOCLASS;
223 #endif
224 
225 #if (PHNT_MODE != PHNT_MODE_KERNEL)
226 // Use with both ProcessPagePriority and ThreadPagePriority
227 typedef struct _PAGE_PRIORITY_INFORMATION
228 {
229  ULONG PagePriority;
230 } PAGE_PRIORITY_INFORMATION, *PPAGE_PRIORITY_INFORMATION;
231 #endif
232 
233 // Process information structures
234 
235 #if (PHNT_MODE != PHNT_MODE_KERNEL)
236 
237 typedef struct _PROCESS_BASIC_INFORMATION
238 {
239  NTSTATUS ExitStatus;
240  PPEB PebBaseAddress;
241  ULONG_PTR AffinityMask;
242  KPRIORITY BasePriority;
243  HANDLE UniqueProcessId;
244  HANDLE InheritedFromUniqueProcessId;
245 } PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;
246 
247 typedef struct _PROCESS_EXTENDED_BASIC_INFORMATION
248 {
249  SIZE_T Size; // set to sizeof structure on input
250  PROCESS_BASIC_INFORMATION BasicInfo;
251  union
252  {
253  ULONG Flags;
254  struct
255  {
256  ULONG IsProtectedProcess : 1;
257  ULONG IsWow64Process : 1;
258  ULONG IsProcessDeleting : 1;
259  ULONG IsCrossSessionCreate : 1;
260  ULONG IsFrozen : 1;
261  ULONG IsBackground : 1;
262  ULONG IsStronglyNamed : 1;
263  ULONG IsSecureProcess : 1;
264  ULONG SpareBits : 24;
265  };
266  };
267 } PROCESS_EXTENDED_BASIC_INFORMATION, *PPROCESS_EXTENDED_BASIC_INFORMATION;
268 
269 typedef struct _VM_COUNTERS
270 {
271  SIZE_T PeakVirtualSize;
272  SIZE_T VirtualSize;
273  ULONG PageFaultCount;
274  SIZE_T PeakWorkingSetSize;
275  SIZE_T WorkingSetSize;
276  SIZE_T QuotaPeakPagedPoolUsage;
277  SIZE_T QuotaPagedPoolUsage;
278  SIZE_T QuotaPeakNonPagedPoolUsage;
279  SIZE_T QuotaNonPagedPoolUsage;
280  SIZE_T PagefileUsage;
281  SIZE_T PeakPagefileUsage;
282 } VM_COUNTERS, *PVM_COUNTERS;
283 
284 typedef struct _VM_COUNTERS_EX
285 {
286  SIZE_T PeakVirtualSize;
287  SIZE_T VirtualSize;
288  ULONG PageFaultCount;
289  SIZE_T PeakWorkingSetSize;
290  SIZE_T WorkingSetSize;
291  SIZE_T QuotaPeakPagedPoolUsage;
292  SIZE_T QuotaPagedPoolUsage;
293  SIZE_T QuotaPeakNonPagedPoolUsage;
294  SIZE_T QuotaNonPagedPoolUsage;
295  SIZE_T PagefileUsage;
296  SIZE_T PeakPagefileUsage;
297  SIZE_T PrivateUsage;
298 } VM_COUNTERS_EX, *PVM_COUNTERS_EX;
299 
300 // private
301 typedef struct _VM_COUNTERS_EX2
302 {
303  VM_COUNTERS_EX CountersEx;
304  SIZE_T PrivateWorkingSetSize;
305  SIZE_T SharedCommitUsage;
306 } VM_COUNTERS_EX2, *PVM_COUNTERS_EX2;
307 
308 typedef struct _KERNEL_USER_TIMES
309 {
310  LARGE_INTEGER CreateTime;
311  LARGE_INTEGER ExitTime;
312  LARGE_INTEGER KernelTime;
313  LARGE_INTEGER UserTime;
314 } KERNEL_USER_TIMES, *PKERNEL_USER_TIMES;
315 
316 typedef struct _POOLED_USAGE_AND_LIMITS
317 {
318  SIZE_T PeakPagedPoolUsage;
319  SIZE_T PagedPoolUsage;
320  SIZE_T PagedPoolLimit;
321  SIZE_T PeakNonPagedPoolUsage;
322  SIZE_T NonPagedPoolUsage;
323  SIZE_T NonPagedPoolLimit;
324  SIZE_T PeakPagefileUsage;
325  SIZE_T PagefileUsage;
326  SIZE_T PagefileLimit;
327 } POOLED_USAGE_AND_LIMITS, *PPOOLED_USAGE_AND_LIMITS;
328 
329 typedef struct _PROCESS_ACCESS_TOKEN
330 {
331  HANDLE Token; // needs TOKEN_ASSIGN_PRIMARY access
332  HANDLE Thread; // handle to initial/only thread; needs THREAD_QUERY_INFORMATION access
333 } PROCESS_ACCESS_TOKEN, *PPROCESS_ACCESS_TOKEN;
334 
335 typedef struct _PROCESS_LDT_INFORMATION
336 {
337  ULONG Start;
338  ULONG Length;
339  LDT_ENTRY LdtEntries[1];
340 } PROCESS_LDT_INFORMATION, *PPROCESS_LDT_INFORMATION;
341 
342 typedef struct _PROCESS_LDT_SIZE
343 {
344  ULONG Length;
345 } PROCESS_LDT_SIZE, *PPROCESS_LDT_SIZE;
346 
347 typedef struct _PROCESS_WS_WATCH_INFORMATION
348 {
349  PVOID FaultingPc;
350  PVOID FaultingVa;
351 } PROCESS_WS_WATCH_INFORMATION, *PPROCESS_WS_WATCH_INFORMATION;
352 
353 #endif
354 
355 // psapi:PSAPI_WS_WATCH_INFORMATION_EX
356 typedef struct _PROCESS_WS_WATCH_INFORMATION_EX
357 {
358  PROCESS_WS_WATCH_INFORMATION BasicInfo;
359  ULONG_PTR FaultingThreadId;
360  ULONG_PTR Flags;
361 } PROCESS_WS_WATCH_INFORMATION_EX, *PPROCESS_WS_WATCH_INFORMATION_EX;
362 
363 #define PROCESS_PRIORITY_CLASS_UNKNOWN 0
364 #define PROCESS_PRIORITY_CLASS_IDLE 1
365 #define PROCESS_PRIORITY_CLASS_NORMAL 2
366 #define PROCESS_PRIORITY_CLASS_HIGH 3
367 #define PROCESS_PRIORITY_CLASS_REALTIME 4
368 #define PROCESS_PRIORITY_CLASS_BELOW_NORMAL 5
369 #define PROCESS_PRIORITY_CLASS_ABOVE_NORMAL 6
370 
371 typedef struct _PROCESS_PRIORITY_CLASS
372 {
373  BOOLEAN Foreground;
374  UCHAR PriorityClass;
375 } PROCESS_PRIORITY_CLASS, *PPROCESS_PRIORITY_CLASS;
376 
377 typedef struct _PROCESS_FOREGROUND_BACKGROUND
378 {
379  BOOLEAN Foreground;
380 } PROCESS_FOREGROUND_BACKGROUND, *PPROCESS_FOREGROUND_BACKGROUND;
381 
382 #if (PHNT_MODE != PHNT_MODE_KERNEL)
383 
384 typedef struct _PROCESS_DEVICEMAP_INFORMATION
385 {
386  union
387  {
388  struct
389  {
390  HANDLE DirectoryHandle;
391  } Set;
392  struct
393  {
394  ULONG DriveMap;
395  UCHAR DriveType[32];
396  } Query;
397  };
398 } PROCESS_DEVICEMAP_INFORMATION, *PPROCESS_DEVICEMAP_INFORMATION;
399 
400 #define PROCESS_LUID_DOSDEVICES_ONLY 0x00000001
401 
402 typedef struct _PROCESS_DEVICEMAP_INFORMATION_EX
403 {
404  union
405  {
406  struct
407  {
408  HANDLE DirectoryHandle;
409  } Set;
410  struct
411  {
412  ULONG DriveMap;
413  UCHAR DriveType[32];
414  } Query;
415  };
416  ULONG Flags; // PROCESS_LUID_DOSDEVICES_ONLY
417 } PROCESS_DEVICEMAP_INFORMATION_EX, *PPROCESS_DEVICEMAP_INFORMATION_EX;
418 
419 typedef struct _PROCESS_SESSION_INFORMATION
420 {
421  ULONG SessionId;
422 } PROCESS_SESSION_INFORMATION, *PPROCESS_SESSION_INFORMATION;
423 
424 typedef struct _PROCESS_HANDLE_TRACING_ENABLE
425 {
426  ULONG Flags; // 0 to disable, 1 to enable
427 } PROCESS_HANDLE_TRACING_ENABLE, *PPROCESS_HANDLE_TRACING_ENABLE;
428 
429 typedef struct _PROCESS_HANDLE_TRACING_ENABLE_EX
430 {
431  ULONG Flags; // 0 to disable, 1 to enable
432  ULONG TotalSlots;
433 } PROCESS_HANDLE_TRACING_ENABLE_EX, *PPROCESS_HANDLE_TRACING_ENABLE_EX;
434 
435 #define PROCESS_HANDLE_TRACING_MAX_STACKS 16
436 #define HANDLE_TRACE_DB_OPEN 1
437 #define HANDLE_TRACE_DB_CLOSE 2
438 #define HANDLE_TRACE_DB_BADREF 3
439 
440 typedef struct _PROCESS_HANDLE_TRACING_ENTRY
441 {
442  HANDLE Handle;
443  CLIENT_ID ClientId;
444  ULONG Type;
445  PVOID Stacks[PROCESS_HANDLE_TRACING_MAX_STACKS];
446 } PROCESS_HANDLE_TRACING_ENTRY, *PPROCESS_HANDLE_TRACING_ENTRY;
447 
448 typedef struct _PROCESS_HANDLE_TRACING_QUERY
449 {
450  HANDLE Handle;
451  ULONG TotalTraces;
452  PROCESS_HANDLE_TRACING_ENTRY HandleTrace[1];
453 } PROCESS_HANDLE_TRACING_QUERY, *PPROCESS_HANDLE_TRACING_QUERY;
454 
455 #endif
456 
457 // private
458 typedef struct _PROCESS_STACK_ALLOCATION_INFORMATION
459 {
460  SIZE_T ReserveSize;
461  SIZE_T ZeroBits;
462  PVOID StackBase;
463 } PROCESS_STACK_ALLOCATION_INFORMATION, *PPROCESS_STACK_ALLOCATION_INFORMATION;
464 
465 // private
466 typedef struct _PROCESS_STACK_ALLOCATION_INFORMATION_EX
467 {
468  ULONG PreferredNode;
469  ULONG Reserved0;
470  ULONG Reserved1;
471  ULONG Reserved2;
472  PROCESS_STACK_ALLOCATION_INFORMATION AllocInfo;
473 } PROCESS_STACK_ALLOCATION_INFORMATION_EX, *PPROCESS_STACK_ALLOCATION_INFORMATION_EX;
474 
475 // private
476 typedef union _PROCESS_AFFINITY_UPDATE_MODE
477 {
478  ULONG Flags;
479  struct
480  {
481  ULONG EnableAutoUpdate : 1;
482  ULONG Permanent : 1;
483  ULONG Reserved : 30;
484  };
485 } PROCESS_AFFINITY_UPDATE_MODE, *PPROCESS_AFFINITY_UPDATE_MODE;
486 
487 // private
488 typedef union _PROCESS_MEMORY_ALLOCATION_MODE
489 {
490  ULONG Flags;
491  struct
492  {
493  ULONG TopDown : 1;
494  ULONG Reserved : 31;
495  };
496 } PROCESS_MEMORY_ALLOCATION_MODE, *PPROCESS_MEMORY_ALLOCATION_MODE;
497 
498 // private
499 typedef struct _PROCESS_HANDLE_INFORMATION
500 {
501  ULONG HandleCount;
502  ULONG HandleCountHighWatermark;
503 } PROCESS_HANDLE_INFORMATION, *PPROCESS_HANDLE_INFORMATION;
504 
505 // private
506 typedef struct _PROCESS_CYCLE_TIME_INFORMATION
507 {
508  ULONGLONG AccumulatedCycles;
509  ULONGLONG CurrentCycleCount;
510 } PROCESS_CYCLE_TIME_INFORMATION, *PPROCESS_CYCLE_TIME_INFORMATION;
511 
512 // private
513 typedef struct _PROCESS_WINDOW_INFORMATION
514 {
515  ULONG WindowFlags;
516  USHORT WindowTitleLength;
517  WCHAR WindowTitle[1];
518 } PROCESS_WINDOW_INFORMATION, *PPROCESS_WINDOW_INFORMATION;
519 
520 // private
521 typedef struct _PROCESS_HANDLE_TABLE_ENTRY_INFO
522 {
523  HANDLE HandleValue;
524  ULONG_PTR HandleCount;
525  ULONG_PTR PointerCount;
526  ULONG GrantedAccess;
527  ULONG ObjectTypeIndex;
528  ULONG HandleAttributes;
529  ULONG Reserved;
530 } PROCESS_HANDLE_TABLE_ENTRY_INFO, *PPROCESS_HANDLE_TABLE_ENTRY_INFO;
531 
532 // private
533 typedef struct _PROCESS_HANDLE_SNAPSHOT_INFORMATION
534 {
535  ULONG_PTR NumberOfHandles;
536  ULONG_PTR Reserved;
537  PROCESS_HANDLE_TABLE_ENTRY_INFO Handles[1];
538 } PROCESS_HANDLE_SNAPSHOT_INFORMATION, *PPROCESS_HANDLE_SNAPSHOT_INFORMATION;
539 
540 #if (PHNT_MODE != PHNT_MODE_KERNEL)
541 
542 // private
543 typedef struct _PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY
544 {
545  union
546  {
547  ULONG Flags;
548  struct
549  {
550  ULONG EnableControlFlowGuard : 1;
551  ULONG ReservedFlags : 31;
552  };
553  };
554 } PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY, *PPROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY;
555 
556 // private
557 typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION
558 {
559  PROCESS_MITIGATION_POLICY Policy;
560  union
561  {
562  PROCESS_MITIGATION_ASLR_POLICY ASLRPolicy;
563  PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY StrictHandleCheckPolicy;
564  PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY SystemCallDisablePolicy;
565  PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY ExtensionPointDisablePolicy;
566  PROCESS_MITIGATION_DYNAMIC_CODE_POLICY DynamicCodePolicy;
567  PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY ControlFlowGuardPolicy;
568  PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY SignaturePolicy;
569  };
570 } PROCESS_MITIGATION_POLICY_INFORMATION, *PPROCESS_MITIGATION_POLICY_INFORMATION;
571 
572 typedef struct _PROCESS_KEEPALIVE_COUNT_INFORMATION
573 {
574  ULONG WakeCount;
575  ULONG NoWakeCount;
576 } PROCESS_KEEPALIVE_COUNT_INFORMATION, *PPROCESS_KEEPALIVE_COUNT_INFORMATION;
577 
578 typedef struct _PROCESS_REVOKE_FILE_HANDLES_INFORMATION
579 {
580  UNICODE_STRING TargetDevicePath;
581 } PROCESS_REVOKE_FILE_HANDLES_INFORMATION, *PPROCESS_REVOKE_FILE_HANDLES_INFORMATION;
582 
583 // begin_private
584 
585 typedef enum _PROCESS_WORKING_SET_OPERATION
586 {
587  ProcessWorkingSetSwap,
588  ProcessWorkingSetEmpty,
589  ProcessWorkingSetOperationMax
590 } PROCESS_WORKING_SET_OPERATION;
591 
592 typedef struct _PROCESS_WORKING_SET_CONTROL
593 {
594  ULONG Version;
595  PROCESS_WORKING_SET_OPERATION Operation;
596  ULONG Flags;
597 } PROCESS_WORKING_SET_CONTROL, *PPROCESS_WORKING_SET_CONTROL;
598 
599 typedef enum _PS_PROTECTED_TYPE
600 {
601  PsProtectedTypeNone,
602  PsProtectedTypeProtectedLight,
603  PsProtectedTypeProtected,
604  PsProtectedTypeMax
605 } PS_PROTECTED_TYPE;
606 
607 typedef enum _PS_PROTECTED_SIGNER
608 {
609  PsProtectedSignerNone,
610  PsProtectedSignerAuthenticode,
611  PsProtectedSignerCodeGen,
612  PsProtectedSignerAntimalware,
613  PsProtectedSignerLsa,
614  PsProtectedSignerWindows,
615  PsProtectedSignerWinTcb,
616  PsProtectedSignerMax
617 } PS_PROTECTED_SIGNER;
618 
619 typedef struct _PS_PROTECTION
620 {
621  union
622  {
623  UCHAR Level;
624  struct
625  {
626  UCHAR Type : 3;
627  UCHAR Audit : 1;
628  UCHAR Signer : 4;
629  };
630  };
631 } PS_PROTECTION, *PPS_PROTECTION;
632 
633 typedef enum _PROCESS_MEMORY_EXHAUSTION_TYPE
634 {
635  PMETypeFailFastOnCommitFailure,
636  PMETypeMax
637 } PROCESS_MEMORY_EXHAUSTION_TYPE;
638 
639 typedef struct _PROCESS_MEMORY_EXHAUSTION_INFO
640 {
641  USHORT Version;
642  USHORT Reserved;
643  PROCESS_MEMORY_EXHAUSTION_TYPE Type;
644  SIZE_T Value;
645 } PROCESS_MEMORY_EXHAUSTION_INFO, *PPROCESS_MEMORY_EXHAUSTION_INFO;
646 
647 typedef struct _PROCESS_FAULT_INFORMATION
648 {
649  ULONG FaultFlags;
650  ULONG AdditionalInfo;
651 } PROCESS_FAULT_INFORMATION, *PPROCESS_FAULT_INFORMATION;
652 
653 typedef struct _PROCESS_TELEMETRY_ID_INFORMATION
654 {
655  ULONG HeaderSize;
656  ULONG ProcessId;
657  ULONGLONG ProcessStartKey;
658  ULONGLONG CreateTime;
659  ULONGLONG CreateInterruptTime;
660  ULONGLONG CreateUnbiasedInterruptTime;
661  ULONGLONG ProcessSequenceNumber;
662  ULONGLONG SessionCreateTime;
663  ULONG SessionId;
664  ULONG BootId;
665  ULONG ImageChecksum;
666  ULONG ImageTimeDateStamp;
667  ULONG UserSidOffset;
668  ULONG ImagePathOffset;
669  ULONG PackageNameOffset;
670  ULONG RelativeAppNameOffset;
671  ULONG CommandLineOffset;
672 } PROCESS_TELEMETRY_ID_INFORMATION, *PPROCESS_TELEMETRY_ID_INFORMATION;
673 
674 typedef struct _PROCESS_COMMIT_RELEASE_INFORMATION
675 {
676  ULONG Version;
677  struct
678  {
679  ULONG Eligible : 1;
680  ULONG Spare : 31;
681  };
682  SIZE_T CommitDebt;
683 } PROCESS_COMMIT_RELEASE_INFORMATION, *PPROCESS_COMMIT_RELEASE_INFORMATION;
684 
685 typedef struct _PROCESS_JOB_MEMORY_INFO
686 {
687  ULONGLONG SharedCommitUsage;
688  ULONGLONG PrivateCommitUsage;
689  ULONGLONG PeakPrivateCommitUsage;
690  ULONGLONG PrivateCommitLimit;
691  ULONGLONG TotalCommitLimit;
692 } PROCESS_JOB_MEMORY_INFO, *PPROCESS_JOB_MEMORY_INFO;
693 
694 // end_private
695 
696 #endif
697 
698 // Thread information structures
699 
700 typedef struct _THREAD_BASIC_INFORMATION
701 {
702  NTSTATUS ExitStatus;
703  PTEB TebBaseAddress;
704  CLIENT_ID ClientId;
705  ULONG_PTR AffinityMask;
706  KPRIORITY Priority;
707  LONG BasePriority;
708 } THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;
709 
710 // private
711 typedef struct _THREAD_LAST_SYSCALL_INFORMATION
712 {
713  PVOID FirstArgument;
714  USHORT SystemCallNumber;
715 } THREAD_LAST_SYSCALL_INFORMATION, *PTHREAD_LAST_SYSCALL_INFORMATION;
716 
717 // private
718 typedef struct _THREAD_CYCLE_TIME_INFORMATION
719 {
720  ULONGLONG AccumulatedCycles;
721  ULONGLONG CurrentCycleCount;
722 } THREAD_CYCLE_TIME_INFORMATION, *PTHREAD_CYCLE_TIME_INFORMATION;
723 
724 // private
725 typedef struct _THREAD_TEB_INFORMATION
726 {
727  PVOID TebInformation; // buffer to place data in
728  ULONG TebOffset; // offset in TEB to begin reading from
729  ULONG BytesToRead; // number of bytes to read
730 } THREAD_TEB_INFORMATION, *PTHREAD_TEB_INFORMATION;
731 
732 // symbols
733 typedef struct _COUNTER_READING
734 {
735  HARDWARE_COUNTER_TYPE Type;
736  ULONG Index;
737  ULONG64 Start;
738  ULONG64 Total;
739 } COUNTER_READING, *PCOUNTER_READING;
740 
741 // symbols
742 typedef struct _THREAD_PERFORMANCE_DATA
743 {
744  USHORT Size;
745  USHORT Version;
746  PROCESSOR_NUMBER ProcessorNumber;
747  ULONG ContextSwitches;
748  ULONG HwCountersCount;
749  ULONG64 UpdateCount;
750  ULONG64 WaitReasonBitMap;
751  ULONG64 HardwareCounters;
752  COUNTER_READING CycleTime;
753  COUNTER_READING HwCounters[MAX_HW_COUNTERS];
754 } THREAD_PERFORMANCE_DATA, *PTHREAD_PERFORMANCE_DATA;
755 
756 // private
757 typedef struct _THREAD_PROFILING_INFORMATION
758 {
759  ULONG64 HardwareCounters;
760  ULONG Flags;
761  ULONG Enable;
762  PTHREAD_PERFORMANCE_DATA PerformanceData;
763 } THREAD_PROFILING_INFORMATION, *PTHREAD_PROFILING_INFORMATION;
764 
765 // Processes
766 
767 #if (PHNT_MODE != PHNT_MODE_KERNEL)
768 
769 NTSYSCALLAPI
770 NTSTATUS
771 NTAPI
772 NtCreateProcess(
773  _Out_ PHANDLE ProcessHandle,
774  _In_ ACCESS_MASK DesiredAccess,
775  _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
776  _In_ HANDLE ParentProcess,
777  _In_ BOOLEAN InheritObjectTable,
778  _In_opt_ HANDLE SectionHandle,
779  _In_opt_ HANDLE DebugPort,
780  _In_opt_ HANDLE ExceptionPort
781  );
782 
783 #define PROCESS_CREATE_FLAGS_BREAKAWAY 0x00000001
784 #define PROCESS_CREATE_FLAGS_NO_DEBUG_INHERIT 0x00000002
785 #define PROCESS_CREATE_FLAGS_INHERIT_HANDLES 0x00000004
786 #define PROCESS_CREATE_FLAGS_OVERRIDE_ADDRESS_SPACE 0x00000008
787 #define PROCESS_CREATE_FLAGS_LARGE_PAGES 0x00000010
788 
789 NTSYSCALLAPI
790 NTSTATUS
791 NTAPI
792 NtCreateProcessEx(
793  _Out_ PHANDLE ProcessHandle,
794  _In_ ACCESS_MASK DesiredAccess,
795  _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
796  _In_ HANDLE ParentProcess,
797  _In_ ULONG Flags,
798  _In_opt_ HANDLE SectionHandle,
799  _In_opt_ HANDLE DebugPort,
800  _In_opt_ HANDLE ExceptionPort,
801  _In_ ULONG JobMemberLevel
802  );
803 
804 NTSYSCALLAPI
805 NTSTATUS
806 NTAPI
807 NtOpenProcess(
808  _Out_ PHANDLE ProcessHandle,
809  _In_ ACCESS_MASK DesiredAccess,
810  _In_ POBJECT_ATTRIBUTES ObjectAttributes,
811  _In_opt_ PCLIENT_ID ClientId
812  );
813 
814 NTSYSCALLAPI
815 NTSTATUS
816 NTAPI
817 NtTerminateProcess(
818  _In_opt_ HANDLE ProcessHandle,
819  _In_ NTSTATUS ExitStatus
820  );
821 
822 NTSYSCALLAPI
823 NTSTATUS
824 NTAPI
825 NtSuspendProcess(
826  _In_ HANDLE ProcessHandle
827  );
828 
829 NTSYSCALLAPI
830 NTSTATUS
831 NTAPI
832 NtResumeProcess(
833  _In_ HANDLE ProcessHandle
834  );
835 
836 #define NtCurrentProcess() ((HANDLE)(LONG_PTR)-1)
837 #define ZwCurrentProcess() NtCurrentProcess()
838 #define NtCurrentThread() ((HANDLE)(LONG_PTR)-2)
839 #define ZwCurrentThread() NtCurrentThread()
840 #define NtCurrentSession() ((HANDLE)(LONG_PTR)-3)
841 #define ZwCurrentSession() NtCurrentSession()
842 #define NtCurrentPeb() (NtCurrentTeb()->ProcessEnvironmentBlock)
843 
844 // Not NT, but useful.
845 #define NtCurrentProcessId() (NtCurrentTeb()->ClientId.UniqueProcess)
846 #define NtCurrentThreadId() (NtCurrentTeb()->ClientId.UniqueThread)
847 
848 NTSYSCALLAPI
849 NTSTATUS
850 NTAPI
851 NtQueryInformationProcess(
852  _In_ HANDLE ProcessHandle,
853  _In_ PROCESSINFOCLASS ProcessInformationClass,
854  _Out_writes_bytes_(ProcessInformationLength) PVOID ProcessInformation,
855  _In_ ULONG ProcessInformationLength,
856  _Out_opt_ PULONG ReturnLength
857  );
858 
859 #if (PHNT_VERSION >= PHNT_WS03)
860 NTSYSCALLAPI
861 NTSTATUS
862 NTAPI
863 NtGetNextProcess(
864  _In_ HANDLE ProcessHandle,
865  _In_ ACCESS_MASK DesiredAccess,
866  _In_ ULONG HandleAttributes,
867  _In_ ULONG Flags,
868  _Out_ PHANDLE NewProcessHandle
869  );
870 #endif
871 
872 #if (PHNT_VERSION >= PHNT_WS03)
873 NTSYSCALLAPI
874 NTSTATUS
875 NTAPI
876 NtGetNextThread(
877  _In_ HANDLE ProcessHandle,
878  _In_ HANDLE ThreadHandle,
879  _In_ ACCESS_MASK DesiredAccess,
880  _In_ ULONG HandleAttributes,
881  _In_ ULONG Flags,
882  _Out_ PHANDLE NewThreadHandle
883  );
884 #endif
885 
886 NTSYSCALLAPI
887 NTSTATUS
888 NTAPI
889 NtSetInformationProcess(
890  _In_ HANDLE ProcessHandle,
891  _In_ PROCESSINFOCLASS ProcessInformationClass,
892  _In_reads_bytes_(ProcessInformationLength) PVOID ProcessInformation,
893  _In_ ULONG ProcessInformationLength
894  );
895 
896 NTSYSCALLAPI
897 NTSTATUS
898 NTAPI
899 NtQueryPortInformationProcess(
900  VOID
901  );
902 
903 #endif
904 
905 // Threads
906 
907 #if (PHNT_MODE != PHNT_MODE_KERNEL)
908 
909 NTSYSCALLAPI
910 NTSTATUS
911 NTAPI
912 NtCreateThread(
913  _Out_ PHANDLE ThreadHandle,
914  _In_ ACCESS_MASK DesiredAccess,
915  _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
916  _In_ HANDLE ProcessHandle,
917  _Out_ PCLIENT_ID ClientId,
918  _In_ PCONTEXT ThreadContext,
919  _In_ PINITIAL_TEB InitialTeb,
920  _In_ BOOLEAN CreateSuspended
921  );
922 
923 NTSYSCALLAPI
924 NTSTATUS
925 NTAPI
926 NtOpenThread(
927  _Out_ PHANDLE ThreadHandle,
928  _In_ ACCESS_MASK DesiredAccess,
929  _In_ POBJECT_ATTRIBUTES ObjectAttributes,
930  _In_opt_ PCLIENT_ID ClientId
931  );
932 
933 NTSYSCALLAPI
934 NTSTATUS
935 NTAPI
936 NtTerminateThread(
937  _In_opt_ HANDLE ThreadHandle,
938  _In_ NTSTATUS ExitStatus
939  );
940 
941 NTSYSCALLAPI
942 NTSTATUS
943 NTAPI
944 NtSuspendThread(
945  _In_ HANDLE ThreadHandle,
946  _Out_opt_ PULONG PreviousSuspendCount
947  );
948 
949 NTSYSCALLAPI
950 NTSTATUS
951 NTAPI
952 NtResumeThread(
953  _In_ HANDLE ThreadHandle,
954  _Out_opt_ PULONG PreviousSuspendCount
955  );
956 
957 NTSYSCALLAPI
958 ULONG
959 NTAPI
960 NtGetCurrentProcessorNumber(
961  VOID
962  );
963 
964 NTSYSCALLAPI
965 NTSTATUS
966 NTAPI
967 NtGetContextThread(
968  _In_ HANDLE ThreadHandle,
969  _Inout_ PCONTEXT ThreadContext
970  );
971 
972 NTSYSCALLAPI
973 NTSTATUS
974 NTAPI
975 NtSetContextThread(
976  _In_ HANDLE ThreadHandle,
977  _In_ PCONTEXT ThreadContext
978  );
979 
980 NTSYSCALLAPI
981 NTSTATUS
982 NTAPI
983 NtQueryInformationThread(
984  _In_ HANDLE ThreadHandle,
985  _In_ THREADINFOCLASS ThreadInformationClass,
986  _Out_writes_bytes_(ThreadInformationLength) PVOID ThreadInformation,
987  _In_ ULONG ThreadInformationLength,
988  _Out_opt_ PULONG ReturnLength
989  );
990 
991 NTSYSCALLAPI
992 NTSTATUS
993 NTAPI
994 NtSetInformationThread(
995  _In_ HANDLE ThreadHandle,
996  _In_ THREADINFOCLASS ThreadInformationClass,
997  _In_reads_bytes_(ThreadInformationLength) PVOID ThreadInformation,
998  _In_ ULONG ThreadInformationLength
999  );
1000 
1001 NTSYSCALLAPI
1002 NTSTATUS
1003 NTAPI
1004 NtAlertThread(
1005  _In_ HANDLE ThreadHandle
1006  );
1007 
1008 NTSYSCALLAPI
1009 NTSTATUS
1010 NTAPI
1011 NtAlertResumeThread(
1012  _In_ HANDLE ThreadHandle,
1013  _Out_opt_ PULONG PreviousSuspendCount
1014  );
1015 
1016 NTSYSCALLAPI
1017 NTSTATUS
1018 NTAPI
1019 NtTestAlert(
1020  VOID
1021  );
1022 
1023 NTSYSCALLAPI
1024 NTSTATUS
1025 NTAPI
1026 NtImpersonateThread(
1027  _In_ HANDLE ServerThreadHandle,
1028  _In_ HANDLE ClientThreadHandle,
1029  _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos
1030  );
1031 
1032 NTSYSCALLAPI
1033 NTSTATUS
1034 NTAPI
1035 NtRegisterThreadTerminatePort(
1036  _In_ HANDLE PortHandle
1037  );
1038 
1039 NTSYSCALLAPI
1040 NTSTATUS
1041 NTAPI
1042 NtSetLdtEntries(
1043  _In_ ULONG Selector0,
1044  _In_ ULONG Entry0Low,
1045  _In_ ULONG Entry0Hi,
1046  _In_ ULONG Selector1,
1047  _In_ ULONG Entry1Low,
1048  _In_ ULONG Entry1Hi
1049  );
1050 
1051 typedef VOID (*PPS_APC_ROUTINE)(
1052  _In_opt_ PVOID ApcArgument1,
1053  _In_opt_ PVOID ApcArgument2,
1054  _In_opt_ PVOID ApcArgument3
1055  );
1056 
1057 NTSYSCALLAPI
1058 NTSTATUS
1059 NTAPI
1060 NtQueueApcThread(
1061  _In_ HANDLE ThreadHandle,
1062  _In_ PPS_APC_ROUTINE ApcRoutine,
1063  _In_opt_ PVOID ApcArgument1,
1064  _In_opt_ PVOID ApcArgument2,
1065  _In_opt_ PVOID ApcArgument3
1066  );
1067 
1068 #if (PHNT_VERSION >= PHNT_WIN7)
1069 NTSYSCALLAPI
1070 NTSTATUS
1071 NTAPI
1072 NtQueueApcThreadEx(
1073  _In_ HANDLE ThreadHandle,
1074  _In_opt_ HANDLE UserApcReserveHandle,
1075  _In_ PPS_APC_ROUTINE ApcRoutine,
1076  _In_opt_ PVOID ApcArgument1,
1077  _In_opt_ PVOID ApcArgument2,
1078  _In_opt_ PVOID ApcArgument3
1079  );
1080 #endif
1081 
1082 #endif
1083 
1084 // User processes and threads
1085 
1086 #if (PHNT_MODE != PHNT_MODE_KERNEL)
1087 
1088 // Attributes
1089 
1090 // begin_rev
1091 #define PS_ATTRIBUTE_NUMBER_MASK 0x0000ffff
1092 #define PS_ATTRIBUTE_THREAD 0x00010000 // can be used with threads
1093 #define PS_ATTRIBUTE_INPUT 0x00020000 // input only
1094 #define PS_ATTRIBUTE_UNKNOWN 0x00040000
1095 // end_rev
1096 
1097 // private
1098 typedef enum _PS_ATTRIBUTE_NUM
1099 {
1100  PsAttributeParentProcess, // in HANDLE
1101  PsAttributeDebugPort, // in HANDLE
1102  PsAttributeToken, // in HANDLE
1103  PsAttributeClientId, // out PCLIENT_ID
1104  PsAttributeTebAddress, // out PTEB *
1105  PsAttributeImageName, // in PWSTR
1106  PsAttributeImageInfo, // out PSECTION_IMAGE_INFORMATION
1107  PsAttributeMemoryReserve, // in PPS_MEMORY_RESERVE
1108  PsAttributePriorityClass, // in UCHAR
1109  PsAttributeErrorMode, // in ULONG
1110  PsAttributeStdHandleInfo, // 10, in PPS_STD_HANDLE_INFO
1111  PsAttributeHandleList, // in PHANDLE
1112  PsAttributeGroupAffinity, // in PGROUP_AFFINITY
1113  PsAttributePreferredNode, // in PUSHORT
1114  PsAttributeIdealProcessor, // in PPROCESSOR_NUMBER
1115  PsAttributeUmsThread, // ? in PUMS_CREATE_THREAD_ATTRIBUTES
1116  PsAttributeMitigationOptions, // in UCHAR
1117  PsAttributeProtectionLevel,
1118  PsAttributeSecureProcess, // since THRESHOLD
1119  PsAttributeJobList,
1120  PsAttributeMax
1121 } PS_ATTRIBUTE_NUM;
1122 
1123 // begin_rev
1124 
1125 #define PsAttributeValue(Number, Thread, Input, Unknown) \
1126  (((Number) & PS_ATTRIBUTE_NUMBER_MASK) | \
1127  ((Thread) ? PS_ATTRIBUTE_THREAD : 0) | \
1128  ((Input) ? PS_ATTRIBUTE_INPUT : 0) | \
1129  ((Unknown) ? PS_ATTRIBUTE_UNKNOWN : 0))
1130 
1131 #define PS_ATTRIBUTE_PARENT_PROCESS \
1132  PsAttributeValue(PsAttributeParentProcess, FALSE, TRUE, TRUE)
1133 #define PS_ATTRIBUTE_DEBUG_PORT \
1134  PsAttributeValue(PsAttributeDebugPort, FALSE, TRUE, TRUE)
1135 #define PS_ATTRIBUTE_TOKEN \
1136  PsAttributeValue(PsAttributeToken, FALSE, TRUE, TRUE)
1137 #define PS_ATTRIBUTE_CLIENT_ID \
1138  PsAttributeValue(PsAttributeClientId, TRUE, FALSE, FALSE)
1139 #define PS_ATTRIBUTE_TEB_ADDRESS \
1140  PsAttributeValue(PsAttributeTebAddress, TRUE, FALSE, FALSE)
1141 #define PS_ATTRIBUTE_IMAGE_NAME \
1142  PsAttributeValue(PsAttributeImageName, FALSE, TRUE, FALSE)
1143 #define PS_ATTRIBUTE_IMAGE_INFO \
1144  PsAttributeValue(PsAttributeImageInfo, FALSE, FALSE, FALSE)
1145 #define PS_ATTRIBUTE_MEMORY_RESERVE \
1146  PsAttributeValue(PsAttributeMemoryReserve, FALSE, TRUE, FALSE)
1147 #define PS_ATTRIBUTE_PRIORITY_CLASS \
1148  PsAttributeValue(PsAttributePriorityClass, FALSE, TRUE, FALSE)
1149 #define PS_ATTRIBUTE_ERROR_MODE \
1150  PsAttributeValue(PsAttributeErrorMode, FALSE, TRUE, FALSE)
1151 #define PS_ATTRIBUTE_STD_HANDLE_INFO \
1152  PsAttributeValue(PsAttributeStdHandleInfo, FALSE, TRUE, FALSE)
1153 #define PS_ATTRIBUTE_HANDLE_LIST \
1154  PsAttributeValue(PsAttributeHandleList, FALSE, TRUE, FALSE)
1155 #define PS_ATTRIBUTE_GROUP_AFFINITY \
1156  PsAttributeValue(PsAttributeGroupAffinity, TRUE, TRUE, FALSE)
1157 #define PS_ATTRIBUTE_PREFERRED_NODE \
1158  PsAttributeValue(PsAttributePreferredNode, FALSE, TRUE, FALSE)
1159 #define PS_ATTRIBUTE_IDEAL_PROCESSOR \
1160  PsAttributeValue(PsAttributeIdealProcessor, TRUE, TRUE, FALSE)
1161 #define PS_ATTRIBUTE_MITIGATION_OPTIONS \
1162  PsAttributeValue(PsAttributeMitigationOptions, FALSE, TRUE, TRUE)
1163 
1164 // end_rev
1165 
1166 // begin_private
1167 
1168 typedef struct _PS_ATTRIBUTE
1169 {
1170  ULONG Attribute;
1171  SIZE_T Size;
1172  union
1173  {
1174  ULONG Value;
1175  PVOID ValuePtr;
1176  };
1177  PSIZE_T ReturnLength;
1178 } PS_ATTRIBUTE, *PPS_ATTRIBUTE;
1179 
1180 typedef struct _PS_ATTRIBUTE_LIST
1181 {
1182  SIZE_T TotalLength;
1183  PS_ATTRIBUTE Attributes[1];
1184 } PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST;
1185 
1186 typedef struct _PS_MEMORY_RESERVE
1187 {
1188  PVOID ReserveAddress;
1189  SIZE_T ReserveSize;
1190 } PS_MEMORY_RESERVE, *PPS_MEMORY_RESERVE;
1191 
1192 typedef enum _PS_STD_HANDLE_STATE
1193 {
1194  PsNeverDuplicate,
1195  PsRequestDuplicate, // duplicate standard handles specified by PseudoHandleMask, and only if StdHandleSubsystemType matches the image subsystem
1196  PsAlwaysDuplicate, // always duplicate standard handles
1197  PsMaxStdHandleStates
1198 } PS_STD_HANDLE_STATE;
1199 
1200 // begin_rev
1201 #define PS_STD_INPUT_HANDLE 0x1
1202 #define PS_STD_OUTPUT_HANDLE 0x2
1203 #define PS_STD_ERROR_HANDLE 0x4
1204 // end_rev
1205 
1206 typedef struct _PS_STD_HANDLE_INFO
1207 {
1208  union
1209  {
1210  ULONG Flags;
1211  struct
1212  {
1213  ULONG StdHandleState : 2; // PS_STD_HANDLE_STATE
1214  ULONG PseudoHandleMask : 3; // PS_STD_*
1215  };
1216  };
1217  ULONG StdHandleSubsystemType;
1218 } PS_STD_HANDLE_INFO, *PPS_STD_HANDLE_INFO;
1219 
1220 // windows-internals-book:"Chapter 5"
1221 typedef enum _PS_CREATE_STATE
1222 {
1223  PsCreateInitialState,
1224  PsCreateFailOnFileOpen,
1225  PsCreateFailOnSectionCreate,
1226  PsCreateFailExeFormat,
1227  PsCreateFailMachineMismatch,
1228  PsCreateFailExeName, // Debugger specified
1229  PsCreateSuccess,
1230  PsCreateMaximumStates
1231 } PS_CREATE_STATE;
1232 
1233 typedef struct _PS_CREATE_INFO
1234 {
1235  SIZE_T Size;
1236  PS_CREATE_STATE State;
1237  union
1238  {
1239  // PsCreateInitialState
1240  struct
1241  {
1242  union
1243  {
1244  ULONG InitFlags;
1245  struct
1246  {
1247  UCHAR WriteOutputOnExit : 1;
1248  UCHAR DetectManifest : 1;
1249  UCHAR IFEOSkipDebugger : 1;
1250  UCHAR IFEODoNotPropagateKeyState : 1;
1251  UCHAR SpareBits1 : 4;
1252  UCHAR SpareBits2 : 8;
1253  USHORT ProhibitedImageCharacteristics : 16;
1254  };
1255  };
1256  ACCESS_MASK AdditionalFileAccess;
1257  } InitState;
1258 
1259  // PsCreateFailOnSectionCreate
1260  struct
1261  {
1262  HANDLE FileHandle;
1263  } FailSection;
1264 
1265  // PsCreateFailExeFormat
1266  struct
1267  {
1268  USHORT DllCharacteristics;
1269  } ExeFormat;
1270 
1271  // PsCreateFailExeName
1272  struct
1273  {
1274  HANDLE IFEOKey;
1275  } ExeName;
1276 
1277  // PsCreateSuccess
1278  struct
1279  {
1280  union
1281  {
1282  ULONG OutputFlags;
1283  struct
1284  {
1285  UCHAR ProtectedProcess : 1;
1286  UCHAR AddressSpaceOverride : 1;
1287  UCHAR DevOverrideEnabled : 1; // from Image File Execution Options
1288  UCHAR ManifestDetected : 1;
1289  UCHAR ProtectedProcessLight : 1;
1290  UCHAR SpareBits1 : 3;
1291  UCHAR SpareBits2 : 8;
1292  USHORT SpareBits3 : 16;
1293  };
1294  };
1295  HANDLE FileHandle;
1296  HANDLE SectionHandle;
1297  ULONGLONG UserProcessParametersNative;
1298  ULONG UserProcessParametersWow64;
1299  ULONG CurrentParameterFlags;
1300  ULONGLONG PebAddressNative;
1301  ULONG PebAddressWow64;
1302  ULONGLONG ManifestAddress;
1303  ULONG ManifestSize;
1304  } SuccessState;
1305  };
1306 } PS_CREATE_INFO, *PPS_CREATE_INFO;
1307 
1308 // end_private
1309 
1310 // Extended PROCESS_CREATE_FLAGS_*
1311 // begin_rev
1312 #define PROCESS_CREATE_FLAGS_LARGE_PAGE_SYSTEM_DLL 0x00000020
1313 #define PROCESS_CREATE_FLAGS_PROTECTED_PROCESS 0x00000040
1314 #define PROCESS_CREATE_FLAGS_CREATE_SESSION 0x00000080 // ?
1315 #define PROCESS_CREATE_FLAGS_INHERIT_FROM_PARENT 0x00000100
1316 // end_rev
1317 
1318 #if (PHNT_VERSION >= PHNT_VISTA)
1319 NTSYSCALLAPI
1320 NTSTATUS
1321 NTAPI
1322 NtCreateUserProcess(
1323  _Out_ PHANDLE ProcessHandle,
1324  _Out_ PHANDLE ThreadHandle,
1325  _In_ ACCESS_MASK ProcessDesiredAccess,
1326  _In_ ACCESS_MASK ThreadDesiredAccess,
1327  _In_opt_ POBJECT_ATTRIBUTES ProcessObjectAttributes,
1328  _In_opt_ POBJECT_ATTRIBUTES ThreadObjectAttributes,
1329  _In_ ULONG ProcessFlags, // PROCESS_CREATE_FLAGS_*
1330  _In_ ULONG ThreadFlags, // THREAD_CREATE_FLAGS_*
1331  _In_opt_ PVOID ProcessParameters, // PRTL_USER_PROCESS_PARAMETERS
1332  _Inout_ PPS_CREATE_INFO CreateInfo,
1333  _In_opt_ PPS_ATTRIBUTE_LIST AttributeList
1334  );
1335 #endif
1336 
1337 // begin_rev
1338 #define THREAD_CREATE_FLAGS_CREATE_SUSPENDED 0x00000001
1339 #define THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH 0x00000002 // ?
1340 #define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004
1341 #define THREAD_CREATE_FLAGS_HAS_SECURITY_DESCRIPTOR 0x00000010 // ?
1342 #define THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET 0x00000020 // ?
1343 #define THREAD_CREATE_FLAGS_INITIAL_THREAD 0x00000080
1344 // end_rev
1345 
1346 #if (PHNT_VERSION >= PHNT_VISTA)
1347 NTSYSCALLAPI
1348 NTSTATUS
1349 NTAPI
1350 NtCreateThreadEx(
1351  _Out_ PHANDLE ThreadHandle,
1352  _In_ ACCESS_MASK DesiredAccess,
1353  _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
1354  _In_ HANDLE ProcessHandle,
1355  _In_ PVOID StartRoutine, // PUSER_THREAD_START_ROUTINE
1356  _In_opt_ PVOID Argument,
1357  _In_ ULONG CreateFlags, // THREAD_CREATE_FLAGS_*
1358  _In_ SIZE_T ZeroBits,
1359  _In_ SIZE_T StackSize,
1360  _In_ SIZE_T MaximumStackSize,
1361  _In_opt_ PPS_ATTRIBUTE_LIST AttributeList
1362  );
1363 #endif
1364 
1365 #endif
1366 
1367 // Job objects
1368 
1369 #if (PHNT_MODE != PHNT_MODE_KERNEL)
1370 
1371 NTSYSCALLAPI
1372 NTSTATUS
1373 NTAPI
1374 NtCreateJobObject(
1375  _Out_ PHANDLE JobHandle,
1376  _In_ ACCESS_MASK DesiredAccess,
1377  _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes
1378  );
1379 
1380 NTSYSCALLAPI
1381 NTSTATUS
1382 NTAPI
1383 NtOpenJobObject(
1384  _Out_ PHANDLE JobHandle,
1385  _In_ ACCESS_MASK DesiredAccess,
1386  _In_ POBJECT_ATTRIBUTES ObjectAttributes
1387  );
1388 
1389 NTSYSCALLAPI
1390 NTSTATUS
1391 NTAPI
1392 NtAssignProcessToJobObject(
1393  _In_ HANDLE JobHandle,
1394  _In_ HANDLE ProcessHandle
1395  );
1396 
1397 NTSYSCALLAPI
1398 NTSTATUS
1399 NTAPI
1400 NtTerminateJobObject(
1401  _In_ HANDLE JobHandle,
1402  _In_ NTSTATUS ExitStatus
1403  );
1404 
1405 NTSYSCALLAPI
1406 NTSTATUS
1407 NTAPI
1408 NtIsProcessInJob(
1409  _In_ HANDLE ProcessHandle,
1410  _In_opt_ HANDLE JobHandle
1411  );
1412 
1413 NTSYSCALLAPI
1414 NTSTATUS
1415 NTAPI
1416 NtQueryInformationJobObject(
1417  _In_opt_ HANDLE JobHandle,
1418  _In_ JOBOBJECTINFOCLASS JobObjectInformationClass,
1419  _Out_writes_bytes_(JobObjectInformationLength) PVOID JobObjectInformation,
1420  _In_ ULONG JobObjectInformationLength,
1421  _Out_opt_ PULONG ReturnLength
1422  );
1423 
1424 NTSYSCALLAPI
1425 NTSTATUS
1426 NTAPI
1427 NtSetInformationJobObject(
1428  _In_ HANDLE JobHandle,
1429  _In_ JOBOBJECTINFOCLASS JobObjectInformationClass,
1430  _In_reads_bytes_(JobObjectInformationLength) PVOID JobObjectInformation,
1431  _In_ ULONG JobObjectInformationLength
1432  );
1433 
1434 NTSYSCALLAPI
1435 NTSTATUS
1436 NTAPI
1437 NtCreateJobSet(
1438  _In_ ULONG NumJob,
1439  _In_reads_(NumJob) PJOB_SET_ARRAY UserJobSet,
1440  _In_ ULONG Flags
1441  );
1442 
1443 #if (PHNT_VERSION >= PHNT_THRESHOLD)
1444 NTSYSCALLAPI
1445 NTSTATUS
1446 NTAPI
1447 NtRevertContainerImpersonation(
1448  VOID
1449  );
1450 #endif
1451 
1452 #endif
1453 
1454 // Reserve objects
1455 
1456 #if (PHNT_MODE != PHNT_MODE_KERNEL)
1457 
1458 // private
1459 typedef enum _MEMORY_RESERVE_TYPE
1460 {
1461  MemoryReserveUserApc,
1462  MemoryReserveIoCompletion,
1463  MemoryReserveTypeMax
1464 } MEMORY_RESERVE_TYPE;
1465 
1466 #if (PHNT_VERSION >= PHNT_WIN7)
1467 NTSYSCALLAPI
1468 NTSTATUS
1469 NTAPI
1470 NtAllocateReserveObject(
1471  _Out_ PHANDLE MemoryReserveHandle,
1472  _In_ POBJECT_ATTRIBUTES ObjectAttributes,
1473  _In_ MEMORY_RESERVE_TYPE Type
1474  );
1475 #endif
1476 
1477 #endif
1478 
1479 // Silo objects
1480 
1481 #if (PHNT_MODE != PHNT_MODE_KERNEL)
1482 
1483 // begin_private
1484 
1485 typedef enum _SERVERSILO_STATE
1486 {
1487  SERVERSILO_INITING,
1488  SERVERSILO_STARTED,
1489  SERVERSILO_TERMINATING,
1490  SERVERSILO_TERMINATED
1491 } SERVERSILO_STATE;
1492 
1493 typedef enum _SILOOBJECTINFOCLASS
1494 {
1495  SiloObjectBasicInformation, // SILOOBJECT_BASIC_INFORMATION
1496  SiloObjectBasicProcessIdList,
1497  SiloObjectChildSiloIdList,
1498  SiloObjectRootDirectory, // SILOOBJECT_ROOT_DIRECTORY
1499  ServerSiloBasicInformation, // SERVERSILO_BASIC_INFORMATION
1500  ServerSiloServiceSessionId,
1501  ServerSiloInitialize,
1502  ServerSiloDefaultCompartmentId,
1503  MaxSiloObjectInfoClass
1504 } SILOOBJECTINFOCLASS;
1505 
1506 typedef struct _SILOOBJECT_BASIC_INFORMATION
1507 {
1508  HANDLE SiloIdNumber;
1509  HANDLE SiloParentIdNumber;
1510  ULONG NumberOfProcesses;
1511  ULONG NumberOfChildSilos;
1512  BOOLEAN IsInServerSilo;
1513 } SILOOBJECT_BASIC_INFORMATION, *PSILOOBJECT_BASIC_INFORMATION;
1514 
1515 typedef struct _SILOOBJECT_ROOT_DIRECTORY
1516 {
1517  HANDLE DirectoryHandle;
1518 } SILOOBJECT_ROOT_DIRECTORY, *PSILOOBJECT_ROOT_DIRECTORY;
1519 
1520 typedef struct _SERVERSILO_BASIC_INFORMATION
1521 {
1522  HANDLE SiloIdNumber;
1523  ULONG ServiceSessionId;
1524  ULONG DefaultCompartmentId;
1525  SERVERSILO_STATE State;
1526 } SERVERSILO_BASIC_INFORMATION, *PSERVERSILO_BASIC_INFORMATION;
1527 
1528 // end_private
1529 
1530 #if (PHNT_VERSION >= PHNT_THRESHOLD)
1531 
1532 NTSYSCALLAPI
1533 NTSTATUS
1534 NTAPI
1535 NtCreateSiloObject(
1536  _Out_ PHANDLE SiloHandle,
1537  _In_ ACCESS_MASK DesiredAccess,
1538  _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes
1539  );
1540 
1541 NTSYSCALLAPI
1542 NTSTATUS
1543 NTAPI
1544 NtOpenSiloObject(
1545  _Out_ PHANDLE SiloHandle,
1546  _In_ ACCESS_MASK DesiredAccess,
1547  _In_ POBJECT_ATTRIBUTES ObjectAttributes,
1548  _In_opt_ HANDLE SiloId
1549  );
1550 
1551 NTSYSCALLAPI
1552 NTSTATUS
1553 NTAPI
1554 NtAssignProcessToSiloObject(
1555  _In_ HANDLE SiloHandle,
1556  _In_ HANDLE ProcessHandle
1557  );
1558 
1559 NTSYSCALLAPI
1560 NTSTATUS
1561 NTAPI
1562 NtTerminateSiloObject(
1563  _In_ HANDLE SiloHandle,
1564  _In_ NTSTATUS ExitStatus
1565  );
1566 
1567 NTSYSCALLAPI
1568 NTSTATUS
1569 NTAPI
1570 NtQueryInformationSiloObject(
1571  _In_opt_ HANDLE SiloHandle,
1572  _In_ SILOOBJECTINFOCLASS SiloObjectInformationClass,
1573  _Out_writes_bytes_(SiloObjectInformationLength) PVOID SiloObjectInformation,
1574  _In_ ULONG SiloObjectInformationLength,
1575  _Out_opt_ PULONG ReturnLength
1576  );
1577 
1578 NTSYSCALLAPI
1579 NTSTATUS
1580 NTAPI
1581 NtSetInformationSiloObject(
1582  _In_opt_ HANDLE SiloHandle,
1583  _In_ SILOOBJECTINFOCLASS SiloObjectInformationClass,
1584  _In_reads_bytes_(SiloObjectInformationLength) PVOID SiloObjectInformation,
1585  _In_ ULONG SiloObjectInformationLength
1586  );
1587 
1588 NTSYSCALLAPI
1589 NTSTATUS
1590 NTAPI
1591 NtAttachThreadSiloToCurrentThread(
1592  _In_ HANDLE ThreadHandle,
1593  _Out_ PHANDLE PreviousSiloHandle,
1594  _Out_opt_ PBOOLEAN bChangedSilo
1595  );
1596 
1597 NTSYSCALLAPI
1598 NTSTATUS
1599 NTAPI
1600 NtAttachThreadIdSiloToCurrentThread(
1601  _In_ HANDLE ThreadId,
1602  _Out_ PHANDLE PreviousSiloHandle,
1603  _Out_opt_ PBOOLEAN bChangedSilo
1604  );
1605 
1606 NTSYSCALLAPI
1607 NTSTATUS
1608 NTAPI
1609 NtDetachSiloFromCurrentThread(
1610  _In_ HANDLE SiloHandle
1611  );
1612 
1613 #endif
1614 
1615 #endif
1616 
1617 #endif