Process Hacker
phnatinl.h
Go to the documentation of this file.
1 #ifndef _PH_PHNATINL_H
2 #define _PH_PHNATINL_H
3 
4 #pragma once
5 
6 // This file contains inlined native API wrapper functions.
7 // These functions were previously exported, but are now inlined
8 // because they are extremely simple wrappers around equivalent
9 // native API functions.
10 
18 FORCEINLINE
19 NTSTATUS
20 PhGetProcessBasicInformation(
21  _In_ HANDLE ProcessHandle,
22  _Out_ PPROCESS_BASIC_INFORMATION BasicInformation
23  )
24 {
25  return NtQueryInformationProcess(
26  ProcessHandle,
27  ProcessBasicInformation,
28  BasicInformation,
29  sizeof(PROCESS_BASIC_INFORMATION),
30  NULL
31  );
32 }
33 
41 FORCEINLINE
42 NTSTATUS
43 PhGetProcessExtendedBasicInformation(
44  _In_ HANDLE ProcessHandle,
45  _Out_ PPROCESS_EXTENDED_BASIC_INFORMATION ExtendedBasicInformation
46  )
47 {
48  ExtendedBasicInformation->Size = sizeof(PROCESS_EXTENDED_BASIC_INFORMATION);
49 
50  return NtQueryInformationProcess(
51  ProcessHandle,
52  ProcessBasicInformation,
53  ExtendedBasicInformation,
54  sizeof(PROCESS_EXTENDED_BASIC_INFORMATION),
55  NULL
56  );
57 }
58 
66 FORCEINLINE
67 NTSTATUS
68 PhGetProcessTimes(
69  _In_ HANDLE ProcessHandle,
70  _Out_ PKERNEL_USER_TIMES Times
71  )
72 {
73  return NtQueryInformationProcess(
74  ProcessHandle,
75  ProcessTimes,
76  Times,
77  sizeof(KERNEL_USER_TIMES),
78  NULL
79  );
80 }
81 
90 FORCEINLINE
91 NTSTATUS
92 PhGetProcessSessionId(
93  _In_ HANDLE ProcessHandle,
94  _Out_ PULONG SessionId
95  )
96 {
97  NTSTATUS status;
98  PROCESS_SESSION_INFORMATION sessionInfo;
99 
100  status = NtQueryInformationProcess(
101  ProcessHandle,
102  ProcessSessionInformation,
103  &sessionInfo,
104  sizeof(PROCESS_SESSION_INFORMATION),
105  NULL
106  );
107 
108  if (NT_SUCCESS(status))
109  {
110  *SessionId = sessionInfo.SessionId;
111  }
112 
113  return status;
114 }
115 
125 FORCEINLINE
126 NTSTATUS
127 PhGetProcessIsWow64(
128  _In_ HANDLE ProcessHandle,
129  _Out_ PBOOLEAN IsWow64
130  )
131 {
132  NTSTATUS status;
133  ULONG_PTR wow64;
134 
135  status = NtQueryInformationProcess(
136  ProcessHandle,
137  ProcessWow64Information,
138  &wow64,
139  sizeof(ULONG_PTR),
140  NULL
141  );
142 
143  if (NT_SUCCESS(status))
144  {
145  *IsWow64 = !!wow64;
146  }
147 
148  return status;
149 }
150 
160 FORCEINLINE
161 NTSTATUS
162 PhGetProcessPeb32(
163  _In_ HANDLE ProcessHandle,
164  _Out_ PVOID *Peb32
165  )
166 {
167  NTSTATUS status;
168  ULONG_PTR wow64;
169 
170  status = NtQueryInformationProcess(
171  ProcessHandle,
172  ProcessWow64Information,
173  &wow64,
174  sizeof(ULONG_PTR),
175  NULL
176  );
177 
178  if (NT_SUCCESS(status))
179  {
180  *Peb32 = (PVOID)wow64;
181  }
182 
183  return status;
184 }
185 
194 FORCEINLINE
195 NTSTATUS
196 PhGetProcessIsBeingDebugged(
197  _In_ HANDLE ProcessHandle,
198  _Out_ PBOOLEAN IsBeingDebugged
199  )
200 {
201  NTSTATUS status;
202  PVOID debugPort;
203 
204  status = NtQueryInformationProcess(
205  ProcessHandle,
206  ProcessDebugPort,
207  &debugPort,
208  sizeof(PVOID),
209  NULL
210  );
211 
212  if (NT_SUCCESS(status))
213  {
214  *IsBeingDebugged = !!debugPort;
215  }
216 
217  return status;
218 }
219 
232 FORCEINLINE
233 NTSTATUS
234 PhGetProcessDebugObject(
235  _In_ HANDLE ProcessHandle,
236  _Out_ PHANDLE DebugObjectHandle
237  )
238 {
239  return NtQueryInformationProcess(
240  ProcessHandle,
241  ProcessDebugObjectHandle,
242  DebugObjectHandle,
243  sizeof(HANDLE),
244  NULL
245  );
246 }
247 
256 FORCEINLINE
257 NTSTATUS
258 PhGetProcessIoPriority(
259  _In_ HANDLE ProcessHandle,
260  _Out_ PULONG IoPriority
261  )
262 {
263  return NtQueryInformationProcess(
264  ProcessHandle,
265  ProcessIoPriority,
266  IoPriority,
267  sizeof(ULONG),
268  NULL
269  );
270 }
271 
280 FORCEINLINE
281 NTSTATUS
282 PhGetProcessPagePriority(
283  _In_ HANDLE ProcessHandle,
284  _Out_ PULONG PagePriority
285  )
286 {
287  NTSTATUS status;
288  PAGE_PRIORITY_INFORMATION pagePriorityInfo;
289 
290  status = NtQueryInformationProcess(
291  ProcessHandle,
292  ProcessPagePriority,
293  &pagePriorityInfo,
294  sizeof(PAGE_PRIORITY_INFORMATION),
295  NULL
296  );
297 
298  if (NT_SUCCESS(status))
299  {
300  *PagePriority = pagePriorityInfo.PagePriority;
301  }
302 
303  return status;
304 }
305 
314 FORCEINLINE
315 NTSTATUS
316 PhGetProcessCycleTime(
317  _In_ HANDLE ProcessHandle,
318  _Out_ PULONG64 CycleTime
319  )
320 {
321  NTSTATUS status;
322  PROCESS_CYCLE_TIME_INFORMATION cycleTimeInfo;
323 
324  status = NtQueryInformationProcess(
325  ProcessHandle,
326  ProcessCycleTime,
327  &cycleTimeInfo,
328  sizeof(PROCESS_CYCLE_TIME_INFORMATION),
329  NULL
330  );
331 
332  if (!NT_SUCCESS(status))
333  return status;
334 
335  *CycleTime = cycleTimeInfo.AccumulatedCycles;
336 
337  return status;
338 }
339 
340 FORCEINLINE
341 NTSTATUS
342 PhGetProcessConsoleHostProcessId(
343  _In_ HANDLE ProcessHandle,
344  _Out_ PHANDLE ConsoleHostProcessId
345  )
346 {
347  NTSTATUS status;
348  ULONG_PTR consoleHostProcess;
349 
350  status = NtQueryInformationProcess(
351  ProcessHandle,
352  ProcessConsoleHostProcess,
353  &consoleHostProcess,
354  sizeof(ULONG_PTR),
355  NULL
356  );
357 
358  if (!NT_SUCCESS(status))
359  return status;
360 
361  *ConsoleHostProcessId = (HANDLE)consoleHostProcess;
362 
363  return status;
364 }
365 
373 FORCEINLINE
374 NTSTATUS
375 PhSetProcessAffinityMask(
376  _In_ HANDLE ProcessHandle,
377  _In_ ULONG_PTR AffinityMask
378  )
379 {
380  return NtSetInformationProcess(
381  ProcessHandle,
382  ProcessAffinityMask,
383  &AffinityMask,
384  sizeof(ULONG_PTR)
385  );
386 }
387 
395 FORCEINLINE
396 NTSTATUS
397 PhGetThreadBasicInformation(
398  _In_ HANDLE ThreadHandle,
399  _Out_ PTHREAD_BASIC_INFORMATION BasicInformation
400  )
401 {
402  return NtQueryInformationThread(
403  ThreadHandle,
404  ThreadBasicInformation,
405  BasicInformation,
406  sizeof(THREAD_BASIC_INFORMATION),
407  NULL
408  );
409 }
410 
419 FORCEINLINE
420 NTSTATUS
421 PhGetThreadIoPriority(
422  _In_ HANDLE ThreadHandle,
423  _Out_ PULONG IoPriority
424  )
425 {
426  return NtQueryInformationThread(
427  ThreadHandle,
428  ThreadIoPriority,
429  IoPriority,
430  sizeof(ULONG),
431  NULL
432  );
433 }
434 
443 FORCEINLINE
444 NTSTATUS
445 PhGetThreadPagePriority(
446  _In_ HANDLE ThreadHandle,
447  _Out_ PULONG PagePriority
448  )
449 {
450  NTSTATUS status;
451  PAGE_PRIORITY_INFORMATION pagePriorityInfo;
452 
453  status = NtQueryInformationThread(
454  ThreadHandle,
455  ThreadPagePriority,
456  &pagePriorityInfo,
457  sizeof(PAGE_PRIORITY_INFORMATION),
458  NULL
459  );
460 
461  if (NT_SUCCESS(status))
462  {
463  *PagePriority = pagePriorityInfo.PagePriority;
464  }
465 
466  return status;
467 }
468 
477 FORCEINLINE
478 NTSTATUS
479 PhGetThreadCycleTime(
480  _In_ HANDLE ThreadHandle,
481  _Out_ PULONG64 CycleTime
482  )
483 {
484  NTSTATUS status;
485  THREAD_CYCLE_TIME_INFORMATION cycleTimeInfo;
486 
487  status = NtQueryInformationThread(
488  ThreadHandle,
489  ThreadCycleTime,
490  &cycleTimeInfo,
491  sizeof(THREAD_CYCLE_TIME_INFORMATION),
492  NULL
493  );
494 
495  if (!NT_SUCCESS(status))
496  return status;
497 
498  *CycleTime = cycleTimeInfo.AccumulatedCycles;
499 
500  return status;
501 }
502 
510 FORCEINLINE
511 NTSTATUS
512 PhSetThreadAffinityMask(
513  _In_ HANDLE ThreadHandle,
514  _In_ ULONG_PTR AffinityMask
515  )
516 {
517  return NtSetInformationThread(
518  ThreadHandle,
519  ThreadAffinityMask,
520  &AffinityMask,
521  sizeof(ULONG_PTR)
522  );
523 }
524 
525 FORCEINLINE
526 NTSTATUS
527 PhGetJobBasicAndIoAccounting(
528  _In_ HANDLE JobHandle,
529  _Out_ PJOBOBJECT_BASIC_AND_IO_ACCOUNTING_INFORMATION BasicAndIoAccounting
530  )
531 {
532  return NtQueryInformationJobObject(
533  JobHandle,
534  JobObjectBasicAndIoAccountingInformation,
535  BasicAndIoAccounting,
536  sizeof(JOBOBJECT_BASIC_AND_IO_ACCOUNTING_INFORMATION),
537  NULL
538  );
539 }
540 
541 FORCEINLINE
542 NTSTATUS
543 PhGetJobBasicLimits(
544  _In_ HANDLE JobHandle,
545  _Out_ PJOBOBJECT_BASIC_LIMIT_INFORMATION BasicLimits
546  )
547 {
548  return NtQueryInformationJobObject(
549  JobHandle,
550  JobObjectBasicLimitInformation,
551  BasicLimits,
552  sizeof(JOBOBJECT_BASIC_LIMIT_INFORMATION),
553  NULL
554  );
555 }
556 
557 FORCEINLINE
558 NTSTATUS
559 PhGetJobExtendedLimits(
560  _In_ HANDLE JobHandle,
561  _Out_ PJOBOBJECT_EXTENDED_LIMIT_INFORMATION ExtendedLimits
562  )
563 {
564  return NtQueryInformationJobObject(
565  JobHandle,
566  JobObjectExtendedLimitInformation,
567  ExtendedLimits,
568  sizeof(JOBOBJECT_EXTENDED_LIMIT_INFORMATION),
569  NULL
570  );
571 }
572 
573 FORCEINLINE
574 NTSTATUS
575 PhGetJobBasicUiRestrictions(
576  _In_ HANDLE JobHandle,
577  _Out_ PJOBOBJECT_BASIC_UI_RESTRICTIONS BasicUiRestrictions
578  )
579 {
580  return NtQueryInformationJobObject(
581  JobHandle,
582  JobObjectBasicUIRestrictions,
583  BasicUiRestrictions,
584  sizeof(JOBOBJECT_BASIC_UI_RESTRICTIONS),
585  NULL
586  );
587 }
588 
597 FORCEINLINE
598 NTSTATUS
599 PhGetTokenSessionId(
600  _In_ HANDLE TokenHandle,
601  _Out_ PULONG SessionId
602  )
603 {
604  ULONG returnLength;
605 
606  return NtQueryInformationToken(
607  TokenHandle,
608  TokenSessionId,
609  SessionId,
610  sizeof(ULONG),
611  &returnLength
612  );
613 }
614 
623 FORCEINLINE
624 NTSTATUS
625 PhGetTokenElevationType(
626  _In_ HANDLE TokenHandle,
627  _Out_ PTOKEN_ELEVATION_TYPE ElevationType
628  )
629 {
630  ULONG returnLength;
631 
632  return NtQueryInformationToken(
633  TokenHandle,
634  TokenElevationType,
635  ElevationType,
636  sizeof(TOKEN_ELEVATION_TYPE),
637  &returnLength
638  );
639 }
640 
649 FORCEINLINE
650 NTSTATUS
651 PhGetTokenIsElevated(
652  _In_ HANDLE TokenHandle,
653  _Out_ PBOOLEAN Elevated
654  )
655 {
656  NTSTATUS status;
657  TOKEN_ELEVATION elevation;
658  ULONG returnLength;
659 
660  status = NtQueryInformationToken(
661  TokenHandle,
662  TokenElevation,
663  &elevation,
664  sizeof(TOKEN_ELEVATION),
665  &returnLength
666  );
667 
668  if (NT_SUCCESS(status))
669  {
670  *Elevated = !!elevation.TokenIsElevated;
671  }
672 
673  return status;
674 }
675 
684 FORCEINLINE
685 NTSTATUS
686 PhGetTokenStatistics(
687  _In_ HANDLE TokenHandle,
688  _Out_ PTOKEN_STATISTICS Statistics
689  )
690 {
691  ULONG returnLength;
692 
693  return NtQueryInformationToken(
694  TokenHandle,
695  TokenStatistics,
696  Statistics,
697  sizeof(TOKEN_STATISTICS),
698  &returnLength
699  );
700 }
701 
710 FORCEINLINE
711 NTSTATUS
712 PhGetTokenSource(
713  _In_ HANDLE TokenHandle,
714  _Out_ PTOKEN_SOURCE Source
715  )
716 {
717  ULONG returnLength;
718 
719  return NtQueryInformationToken(
720  TokenHandle,
721  TokenSource,
722  Source,
723  sizeof(TOKEN_SOURCE),
724  &returnLength
725  );
726 }
727 
737 FORCEINLINE
738 NTSTATUS
739 PhGetTokenLinkedToken(
740  _In_ HANDLE TokenHandle,
741  _Out_ PHANDLE LinkedTokenHandle
742  )
743 {
744  NTSTATUS status;
745  ULONG returnLength;
746  TOKEN_LINKED_TOKEN linkedToken;
747 
748  status = NtQueryInformationToken(
749  TokenHandle,
750  TokenLinkedToken,
751  &linkedToken,
752  sizeof(TOKEN_LINKED_TOKEN),
753  &returnLength
754  );
755 
756  if (!NT_SUCCESS(status))
757  return status;
758 
759  *LinkedTokenHandle = linkedToken.LinkedToken;
760 
761  return status;
762 }
763 
773 FORCEINLINE
774 NTSTATUS
775 PhGetTokenIsVirtualizationAllowed(
776  _In_ HANDLE TokenHandle,
777  _Out_ PBOOLEAN IsVirtualizationAllowed
778  )
779 {
780  NTSTATUS status;
781  ULONG returnLength;
782  ULONG virtualizationAllowed;
783 
784  status = NtQueryInformationToken(
785  TokenHandle,
786  TokenVirtualizationAllowed,
787  &virtualizationAllowed,
788  sizeof(ULONG),
789  &returnLength
790  );
791 
792  if (!NT_SUCCESS(status))
793  return status;
794 
795  *IsVirtualizationAllowed = !!virtualizationAllowed;
796 
797  return status;
798 }
799 
809 FORCEINLINE
810 NTSTATUS
811 PhGetTokenIsVirtualizationEnabled(
812  _In_ HANDLE TokenHandle,
813  _Out_ PBOOLEAN IsVirtualizationEnabled
814  )
815 {
816  NTSTATUS status;
817  ULONG returnLength;
818  ULONG virtualizationEnabled;
819 
820  status = NtQueryInformationToken(
821  TokenHandle,
822  TokenVirtualizationEnabled,
823  &virtualizationEnabled,
824  sizeof(ULONG),
825  &returnLength
826  );
827 
828  if (!NT_SUCCESS(status))
829  return status;
830 
831  *IsVirtualizationEnabled = !!virtualizationEnabled;
832 
833  return status;
834 }
835 
836 FORCEINLINE
837 NTSTATUS
838 PhGetEventBasicInformation(
839  _In_ HANDLE EventHandle,
840  _Out_ PEVENT_BASIC_INFORMATION BasicInformation
841  )
842 {
843  return NtQueryEvent(
844  EventHandle,
845  EventBasicInformation,
846  BasicInformation,
847  sizeof(EVENT_BASIC_INFORMATION),
848  NULL
849  );
850 }
851 
852 FORCEINLINE
853 NTSTATUS
854 PhGetMutantBasicInformation(
855  _In_ HANDLE MutantHandle,
856  _Out_ PMUTANT_BASIC_INFORMATION BasicInformation
857  )
858 {
859  return NtQueryMutant(
860  MutantHandle,
861  MutantBasicInformation,
862  BasicInformation,
863  sizeof(MUTANT_BASIC_INFORMATION),
864  NULL
865  );
866 }
867 
868 FORCEINLINE
869 NTSTATUS
870 PhGetMutantOwnerInformation(
871  _In_ HANDLE MutantHandle,
872  _Out_ PMUTANT_OWNER_INFORMATION OwnerInformation
873  )
874 {
875  return NtQueryMutant(
876  MutantHandle,
877  MutantOwnerInformation,
878  OwnerInformation,
879  sizeof(MUTANT_OWNER_INFORMATION),
880  NULL
881  );
882 }
883 
884 FORCEINLINE
885 NTSTATUS
886 PhGetSectionBasicInformation(
887  _In_ HANDLE SectionHandle,
888  _Out_ PSECTION_BASIC_INFORMATION BasicInformation
889  )
890 {
891  return NtQuerySection(
892  SectionHandle,
893  SectionBasicInformation,
894  BasicInformation,
895  sizeof(SECTION_BASIC_INFORMATION),
896  NULL
897  );
898 }
899 
900 FORCEINLINE
901 NTSTATUS
902 PhGetSemaphoreBasicInformation(
903  _In_ HANDLE SemaphoreHandle,
904  _Out_ PSEMAPHORE_BASIC_INFORMATION BasicInformation
905  )
906 {
907  return NtQuerySemaphore(
908  SemaphoreHandle,
909  SemaphoreBasicInformation,
910  BasicInformation,
911  sizeof(SEMAPHORE_BASIC_INFORMATION),
912  NULL
913  );
914 }
915 
916 FORCEINLINE
917 NTSTATUS
918 PhGetTimerBasicInformation(
919  _In_ HANDLE TimerHandle,
920  _Out_ PTIMER_BASIC_INFORMATION BasicInformation
921  )
922 {
923  return NtQueryTimer(
924  TimerHandle,
925  TimerBasicInformation,
926  BasicInformation,
927  sizeof(TIMER_BASIC_INFORMATION),
928  NULL
929  );
930 }
931 
932 #endif