Process Hacker
providers.h
Go to the documentation of this file.
1 #ifndef PH_PROVIDERS_H
2 #define PH_PROVIDERS_H
3 
4 // procprv
5 
6 #define PH_RECORD_MAX_USAGE
7 #define PH_ENABLE_VERIFY_CACHE
8 
9 extern PPH_OBJECT_TYPE PhProcessItemType;
10 
11 PHAPPAPI extern PH_CALLBACK PhProcessAddedEvent; // phapppub
12 PHAPPAPI extern PH_CALLBACK PhProcessModifiedEvent; // phapppub
13 PHAPPAPI extern PH_CALLBACK PhProcessRemovedEvent; // phapppub
14 PHAPPAPI extern PH_CALLBACK PhProcessesUpdatedEvent; // phapppub
15 
16 extern PPH_LIST PhProcessRecordList;
17 extern PH_QUEUED_LOCK PhProcessRecordListLock;
18 
19 extern ULONG PhStatisticsSampleCount;
20 extern BOOLEAN PhEnableProcessQueryStage2;
21 extern BOOLEAN PhEnablePurgeProcessRecords;
22 extern BOOLEAN PhEnableCycleCpuUsage;
23 
24 extern PVOID PhProcessInformation; // only can be used if running on same thread as process provider
25 extern ULONG PhProcessInformationSequenceNumber;
26 extern SYSTEM_PERFORMANCE_INFORMATION PhPerfInformation;
27 extern PSYSTEM_PROCESSOR_PERFORMANCE_INFORMATION PhCpuInformation;
28 extern SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION PhCpuTotals;
29 extern ULONG PhTotalProcesses;
30 extern ULONG PhTotalThreads;
31 extern ULONG PhTotalHandles;
32 
33 extern ULONG64 PhCpuTotalCycleDelta;
34 extern PLARGE_INTEGER PhCpuIdleCycleTime; // cycle time for Idle
35 extern PLARGE_INTEGER PhCpuSystemCycleTime; // cycle time for DPCs and Interrupts
36 extern PH_UINT64_DELTA PhCpuIdleCycleDelta;
37 extern PH_UINT64_DELTA PhCpuSystemCycleDelta;
38 
39 extern FLOAT PhCpuKernelUsage;
40 extern FLOAT PhCpuUserUsage;
41 extern PFLOAT PhCpusKernelUsage;
42 extern PFLOAT PhCpusUserUsage;
43 
44 extern PH_UINT64_DELTA PhCpuKernelDelta;
45 extern PH_UINT64_DELTA PhCpuUserDelta;
46 extern PH_UINT64_DELTA PhCpuIdleDelta;
47 
48 extern PPH_UINT64_DELTA PhCpusKernelDelta;
49 extern PPH_UINT64_DELTA PhCpusUserDelta;
50 extern PPH_UINT64_DELTA PhCpusIdleDelta;
51 
52 extern PH_UINT64_DELTA PhIoReadDelta;
53 extern PH_UINT64_DELTA PhIoWriteDelta;
54 extern PH_UINT64_DELTA PhIoOtherDelta;
55 
56 extern PH_CIRCULAR_BUFFER_FLOAT PhCpuKernelHistory;
57 extern PH_CIRCULAR_BUFFER_FLOAT PhCpuUserHistory;
58 //extern PH_CIRCULAR_BUFFER_FLOAT PhCpuOtherHistory;
59 
60 extern PPH_CIRCULAR_BUFFER_FLOAT PhCpusKernelHistory;
61 extern PPH_CIRCULAR_BUFFER_FLOAT PhCpusUserHistory;
62 //extern PPH_CIRCULAR_BUFFER_FLOAT PhCpusOtherHistory;
63 
64 extern PH_CIRCULAR_BUFFER_ULONG64 PhIoReadHistory;
65 extern PH_CIRCULAR_BUFFER_ULONG64 PhIoWriteHistory;
66 extern PH_CIRCULAR_BUFFER_ULONG64 PhIoOtherHistory;
67 
68 extern PH_CIRCULAR_BUFFER_ULONG PhCommitHistory;
69 extern PH_CIRCULAR_BUFFER_ULONG PhPhysicalHistory;
70 
71 extern PH_CIRCULAR_BUFFER_ULONG PhMaxCpuHistory;
72 extern PH_CIRCULAR_BUFFER_ULONG PhMaxIoHistory;
73 #ifdef PH_RECORD_MAX_USAGE
74 extern PH_CIRCULAR_BUFFER_FLOAT PhMaxCpuUsageHistory;
75 extern PH_CIRCULAR_BUFFER_ULONG64 PhMaxIoReadOtherHistory;
76 extern PH_CIRCULAR_BUFFER_ULONG64 PhMaxIoWriteHistory;
77 #endif
78 
79 // begin_phapppub
80 #define DPCS_PROCESS_ID ((HANDLE)(LONG_PTR)-2)
81 #define INTERRUPTS_PROCESS_ID ((HANDLE)(LONG_PTR)-3)
82 
83 // DPCs, Interrupts and System Idle Process are not real.
84 // Non-"real" processes can never be opened.
85 #define PH_IS_REAL_PROCESS_ID(ProcessId) ((LONG_PTR)(ProcessId) > 0)
86 
87 // DPCs and Interrupts are fake, but System Idle Process is not.
88 #define PH_IS_FAKE_PROCESS_ID(ProcessId) ((LONG_PTR)(ProcessId) < 0)
89 
90 // The process item has been removed.
91 #define PH_PROCESS_ITEM_REMOVED 0x1
92 // end_phapppub
93 
94 #define PH_INTEGRITY_STR_LEN 10
95 #define PH_INTEGRITY_STR_LEN_1 (PH_INTEGRITY_STR_LEN + 1)
96 
97 // begin_phapppub
98 typedef enum _VERIFY_RESULT VERIFY_RESULT;
99 typedef struct _PH_PROCESS_RECORD *PPH_PROCESS_RECORD;
100 
101 typedef struct _PH_PROCESS_ITEM
102 {
103  PH_HASH_ENTRY HashEntry;
104  ULONG State;
105  PPH_PROCESS_RECORD Record;
106 
107  // Basic
108 
109  HANDLE ProcessId;
110  HANDLE ParentProcessId;
111  PPH_STRING ProcessName;
112  ULONG SessionId;
113 
114  LARGE_INTEGER CreateTime;
115 
116  // Handles
117 
118  HANDLE QueryHandle;
119 
120  // Parameters
121 
122  PPH_STRING FileName;
123  PPH_STRING CommandLine;
124 
125  // File
126 
127  HICON SmallIcon;
128  HICON LargeIcon;
129  PH_IMAGE_VERSION_INFO VersionInfo;
130 
131  // Security
132 
133  PPH_STRING UserName;
134  TOKEN_ELEVATION_TYPE ElevationType;
135  MANDATORY_LEVEL IntegrityLevel;
136  PWSTR IntegrityString;
137 
138  // Other
139 
140  PPH_STRING JobName;
141  HANDLE ConsoleHostProcessId;
142 
143  // Signature, Packed
144 
145  VERIFY_RESULT VerifyResult;
146  PPH_STRING VerifySignerName;
147  ULONG ImportFunctions;
148  ULONG ImportModules;
149 
150  // Flags
151 
152  union
153  {
154  ULONG Flags;
155  struct
156  {
157  ULONG UpdateIsDotNet : 1;
158  ULONG IsBeingDebugged : 1;
159  ULONG IsDotNet : 1;
160  ULONG IsElevated : 1;
161  ULONG IsInJob : 1;
162  ULONG IsInSignificantJob : 1;
163  ULONG IsPacked : 1;
164  ULONG IsPosix : 1;
165  ULONG IsSuspended : 1;
166  ULONG IsWow64 : 1;
167  ULONG IsImmersive : 1;
168  ULONG IsWow64Valid : 1;
169  ULONG IsPartiallySuspended : 1;
170  ULONG AddedEventSent : 1;
171  ULONG Spare : 18;
172  };
173  };
174 
175  // Misc.
176 
177  ULONG JustProcessed;
178  PH_EVENT Stage1Event;
179 
180  PPH_POINTER_LIST ServiceList;
181  PH_QUEUED_LOCK ServiceListLock;
182 
183  WCHAR ProcessIdString[PH_INT32_STR_LEN_1];
184  WCHAR ParentProcessIdString[PH_INT32_STR_LEN_1];
185  WCHAR SessionIdString[PH_INT32_STR_LEN_1];
186 
187  // Dynamic
188 
189  KPRIORITY BasePriority;
190  ULONG PriorityClass;
191  LARGE_INTEGER KernelTime;
192  LARGE_INTEGER UserTime;
193  ULONG NumberOfHandles;
194  ULONG NumberOfThreads;
195 
196  FLOAT CpuUsage; // Below Windows 7, sum of kernel and user CPU usage; above Windows 7, cycle-based CPU usage.
197  FLOAT CpuKernelUsage;
198  FLOAT CpuUserUsage;
199 
200  PH_UINT64_DELTA CpuKernelDelta;
201  PH_UINT64_DELTA CpuUserDelta;
202  PH_UINT64_DELTA IoReadDelta;
203  PH_UINT64_DELTA IoWriteDelta;
204  PH_UINT64_DELTA IoOtherDelta;
205  PH_UINT64_DELTA IoReadCountDelta;
206  PH_UINT64_DELTA IoWriteCountDelta;
207  PH_UINT64_DELTA IoOtherCountDelta;
208  PH_UINT32_DELTA ContextSwitchesDelta;
209  PH_UINT32_DELTA PageFaultsDelta;
210  PH_UINT64_DELTA CycleTimeDelta; // since WIN7
211 
212  VM_COUNTERS_EX VmCounters;
213  IO_COUNTERS IoCounters;
214  SIZE_T WorkingSetPrivateSize; // since VISTA
215  ULONG PeakNumberOfThreads; // since WIN7
216  ULONG HardFaultCount; // since WIN7
217 
218  ULONG SequenceNumber;
219  PH_CIRCULAR_BUFFER_FLOAT CpuKernelHistory;
220  PH_CIRCULAR_BUFFER_FLOAT CpuUserHistory;
221  PH_CIRCULAR_BUFFER_ULONG64 IoReadHistory;
222  PH_CIRCULAR_BUFFER_ULONG64 IoWriteHistory;
223  PH_CIRCULAR_BUFFER_ULONG64 IoOtherHistory;
224  PH_CIRCULAR_BUFFER_SIZE_T PrivateBytesHistory;
225  //PH_CIRCULAR_BUFFER_SIZE_T WorkingSetHistory;
226 
227  // New fields
228  PH_UINTPTR_DELTA PrivateBytesDelta;
229  PPH_STRING PackageFullName;
230 } PH_PROCESS_ITEM, *PPH_PROCESS_ITEM;
231 // end_phapppub
232 
233 // begin_phapppub
234 // The process itself is dead.
235 #define PH_PROCESS_RECORD_DEAD 0x1
236 // An extra reference has been added to the process record for the statistics system.
237 #define PH_PROCESS_RECORD_STAT_REF 0x2
238 
239 typedef struct _PH_PROCESS_RECORD
240 {
241  LIST_ENTRY ListEntry;
242  LONG RefCount;
243  ULONG Flags;
244 
245  HANDLE ProcessId;
246  HANDLE ParentProcessId;
247  ULONG SessionId;
248  LARGE_INTEGER CreateTime;
249  LARGE_INTEGER ExitTime;
250 
251  PPH_STRING ProcessName;
252  PPH_STRING FileName;
253  PPH_STRING CommandLine;
254  /*PPH_STRING UserName;*/
255 } PH_PROCESS_RECORD, *PPH_PROCESS_RECORD;
256 // end_phapppub
257 
258 BOOLEAN PhProcessProviderInitialization(
259  VOID
260  );
261 
262 // begin_phapppub
263 PHAPPAPI
264 PPH_STRING
265 NTAPI
266 PhGetClientIdName(
267  _In_ PCLIENT_ID ClientId
268  );
269 
270 PHAPPAPI
271 PPH_STRING
272 NTAPI
273 PhGetClientIdNameEx(
274  _In_ PCLIENT_ID ClientId,
275  _In_opt_ PPH_STRING ProcessName
276  );
277 
278 PHAPPAPI
279 PWSTR
280 NTAPI
281 PhGetProcessPriorityClassString(
282  _In_ ULONG PriorityClass
283  );
284 // end_phapppub
285 
286 PPH_PROCESS_ITEM PhCreateProcessItem(
287  _In_ HANDLE ProcessId
288  );
289 
290 // begin_phapppub
291 PHAPPAPI
292 PPH_PROCESS_ITEM
293 NTAPI
294 PhReferenceProcessItem(
295  _In_ HANDLE ProcessId
296  );
297 
298 PHAPPAPI
299 VOID
300 NTAPI
301 PhEnumProcessItems(
302  _Out_opt_ PPH_PROCESS_ITEM **ProcessItems,
303  _Out_ PULONG NumberOfProcessItems
304  );
305 // end_phapppub
306 
307 typedef struct _PH_VERIFY_FILE_INFO *PPH_VERIFY_FILE_INFO;
308 
309 VERIFY_RESULT PhVerifyFileWithAdditionalCatalog(
310  _In_ PPH_VERIFY_FILE_INFO Information,
311  _In_opt_ PWSTR PackageFullName,
312  _Out_opt_ PPH_STRING *SignerName
313  );
314 
315 VERIFY_RESULT PhVerifyFileCached(
316  _In_ PPH_STRING FileName,
317  _In_opt_ PWSTR PackageFullName,
318  _Out_opt_ PPH_STRING *SignerName,
319  _In_ BOOLEAN CachedOnly
320  );
321 
322 // begin_phapppub
323 PHAPPAPI
324 BOOLEAN
325 NTAPI
326 PhGetStatisticsTime(
327  _In_opt_ PPH_PROCESS_ITEM ProcessItem,
328  _In_ ULONG Index,
329  _Out_ PLARGE_INTEGER Time
330  );
331 
332 PHAPPAPI
333 PPH_STRING
334 NTAPI
335 PhGetStatisticsTimeString(
336  _In_opt_ PPH_PROCESS_ITEM ProcessItem,
337  _In_ ULONG Index
338  );
339 // end_phapppub
340 
341 VOID PhFlushProcessQueryData(
342  _In_ BOOLEAN SendModifiedEvent
343  );
344 
345 VOID PhProcessProviderUpdate(
346  _In_ PVOID Object
347  );
348 
349 // begin_phapppub
350 PHAPPAPI
351 VOID
352 NTAPI
353 PhReferenceProcessRecord(
354  _In_ PPH_PROCESS_RECORD ProcessRecord
355  );
356 
357 PHAPPAPI
358 BOOLEAN
359 NTAPI
360 PhReferenceProcessRecordSafe(
361  _In_ PPH_PROCESS_RECORD ProcessRecord
362  );
363 
364 PHAPPAPI
365 VOID
366 NTAPI
367 PhReferenceProcessRecordForStatistics(
368  _In_ PPH_PROCESS_RECORD ProcessRecord
369  );
370 
371 PHAPPAPI
372 VOID
373 NTAPI
374 PhDereferenceProcessRecord(
375  _In_ PPH_PROCESS_RECORD ProcessRecord
376  );
377 
378 PHAPPAPI
379 PPH_PROCESS_RECORD
380 NTAPI
381 PhFindProcessRecord(
382  _In_opt_ HANDLE ProcessId,
383  _In_ PLARGE_INTEGER Time
384  );
385 // end_phapppub
386 
387 VOID PhPurgeProcessRecords(
388  VOID
389  );
390 
391 // begin_phapppub
392 PHAPPAPI
393 PPH_PROCESS_ITEM
394 NTAPI
395 PhReferenceProcessItemForParent(
396  _In_ HANDLE ParentProcessId,
397  _In_ HANDLE ProcessId,
398  _In_ PLARGE_INTEGER CreateTime
399  );
400 
401 PHAPPAPI
402 PPH_PROCESS_ITEM
403 NTAPI
404 PhReferenceProcessItemForRecord(
405  _In_ PPH_PROCESS_RECORD Record
406  );
407 // end_phapppub
408 
409 // srvprv
410 
411 extern PPH_OBJECT_TYPE PhServiceItemType;
412 
413 PHAPPAPI extern PH_CALLBACK PhServiceAddedEvent; // phapppub
414 PHAPPAPI extern PH_CALLBACK PhServiceModifiedEvent; // phapppub
415 PHAPPAPI extern PH_CALLBACK PhServiceRemovedEvent; // phapppub
416 PHAPPAPI extern PH_CALLBACK PhServicesUpdatedEvent; // phapppub
417 
418 extern BOOLEAN PhEnableServiceNonPoll;
419 
420 // begin_phapppub
421 typedef struct _PH_SERVICE_ITEM
422 {
423  PH_STRINGREF Key; // points to Name
424  PPH_STRING Name;
425  PPH_STRING DisplayName;
426 
427  // State
428  ULONG Type;
429  ULONG State;
430  ULONG ControlsAccepted;
431  ULONG Flags; // e.g. SERVICE_RUNS_IN_SYSTEM_PROCESS
432  HANDLE ProcessId;
433 
434  // Config
435  ULONG StartType;
436  ULONG ErrorControl;
437 // end_phapppub
438  BOOLEAN DelayedStart;
439  BOOLEAN HasTriggers;
440 
441  BOOLEAN PendingProcess;
442  BOOLEAN NeedsConfigUpdate;
443 
444  WCHAR ProcessIdString[PH_INT32_STR_LEN_1];
445 // begin_phapppub
446 } PH_SERVICE_ITEM, *PPH_SERVICE_ITEM;
447 // end_phapppub
448 
449 // begin_phapppub
450 typedef struct _PH_SERVICE_MODIFIED_DATA
451 {
452  PPH_SERVICE_ITEM Service;
453  PH_SERVICE_ITEM OldService;
454 } PH_SERVICE_MODIFIED_DATA, *PPH_SERVICE_MODIFIED_DATA;
455 
456 typedef enum _PH_SERVICE_CHANGE
457 {
458  ServiceStarted,
459  ServiceContinued,
460  ServicePaused,
461  ServiceStopped
462 } PH_SERVICE_CHANGE, *PPH_SERVICE_CHANGE;
463 // end_phapppub
464 
465 BOOLEAN PhServiceProviderInitialization(
466  VOID
467  );
468 
469 PPH_SERVICE_ITEM PhCreateServiceItem(
470  _In_opt_ LPENUM_SERVICE_STATUS_PROCESS Information
471  );
472 
473 // begin_phapppub
474 PHAPPAPI
475 PPH_SERVICE_ITEM
476 NTAPI
477 PhReferenceServiceItem(
478  _In_ PWSTR Name
479  );
480 // end_phapppub
481 
482 VOID PhMarkNeedsConfigUpdateServiceItem(
483  _In_ PPH_SERVICE_ITEM ServiceItem
484  );
485 
486 // begin_phapppub
487 PHAPPAPI
488 PH_SERVICE_CHANGE
489 NTAPI
490 PhGetServiceChange(
491  _In_ PPH_SERVICE_MODIFIED_DATA Data
492  );
493 // end_phapppub
494 
495 VOID PhUpdateProcessItemServices(
496  _In_ PPH_PROCESS_ITEM ProcessItem
497  );
498 
499 VOID PhServiceProviderUpdate(
500  _In_ PVOID Object
501  );
502 
503 // netprv
504 
505 extern PPH_OBJECT_TYPE PhNetworkItemType;
506 PHAPPAPI extern PH_CALLBACK PhNetworkItemAddedEvent; // phapppub
507 PHAPPAPI extern PH_CALLBACK PhNetworkItemModifiedEvent; // phapppub
508 PHAPPAPI extern PH_CALLBACK PhNetworkItemRemovedEvent; // phapppub
509 PHAPPAPI extern PH_CALLBACK PhNetworkItemsUpdatedEvent; // phapppub
510 
511 extern BOOLEAN PhEnableNetworkProviderResolve;
512 
513 // begin_phapppub
514 #define PH_NETWORK_OWNER_INFO_SIZE 16
515 
516 typedef struct _PH_NETWORK_ITEM
517 {
518  ULONG ProtocolType;
519  PH_IP_ENDPOINT LocalEndpoint;
520  PH_IP_ENDPOINT RemoteEndpoint;
521  ULONG State;
522  HANDLE ProcessId;
523 
524  PPH_STRING ProcessName;
525  HICON ProcessIcon;
526  BOOLEAN ProcessIconValid;
527  PPH_STRING OwnerName;
528 
529  BOOLEAN JustResolved;
530 
531  WCHAR LocalAddressString[65];
532  WCHAR LocalPortString[PH_INT32_STR_LEN_1];
533  WCHAR RemoteAddressString[65];
534  WCHAR RemotePortString[PH_INT32_STR_LEN_1];
535  PPH_STRING LocalHostString;
536  PPH_STRING RemoteHostString;
537 
538  LARGE_INTEGER CreateTime;
539  ULONGLONG OwnerInfo[PH_NETWORK_OWNER_INFO_SIZE];
540 } PH_NETWORK_ITEM, *PPH_NETWORK_ITEM;
541 // end_phapppub
542 
543 BOOLEAN PhNetworkProviderInitialization(
544  VOID
545  );
546 
547 PPH_NETWORK_ITEM PhCreateNetworkItem(
548  VOID
549  );
550 
551 // begin_phapppub
552 PHAPPAPI
553 PPH_NETWORK_ITEM
554 NTAPI
555 PhReferenceNetworkItem(
556  _In_ ULONG ProtocolType,
557  _In_ PPH_IP_ENDPOINT LocalEndpoint,
558  _In_ PPH_IP_ENDPOINT RemoteEndpoint,
559  _In_ HANDLE ProcessId
560  );
561 // end_phapppub
562 
563 PPH_STRING PhGetHostNameFromAddress(
564  _In_ PPH_IP_ADDRESS Address
565  );
566 
567 VOID PhNetworkProviderUpdate(
568  _In_ PVOID Object
569  );
570 
571 // begin_phapppub
572 PHAPPAPI
573 PWSTR
574 NTAPI
575 PhGetProtocolTypeName(
576  _In_ ULONG ProtocolType
577  );
578 
579 PHAPPAPI
580 PWSTR
581 NTAPI
582 PhGetTcpStateName(
583  _In_ ULONG State
584  );
585 // end_phapppub
586 
587 // modprv
588 
589 extern PPH_OBJECT_TYPE PhModuleProviderType;
590 extern PPH_OBJECT_TYPE PhModuleItemType;
591 
592 // begin_phapppub
593 typedef struct _PH_MODULE_ITEM
594 {
595  PVOID BaseAddress;
596  ULONG Size;
597  ULONG Flags;
598  ULONG Type;
599  USHORT LoadReason;
600  USHORT LoadCount;
601  PPH_STRING Name;
602  PPH_STRING FileName;
603  PH_IMAGE_VERSION_INFO VersionInfo;
604 
605  WCHAR BaseAddressString[PH_PTR_STR_LEN_1];
606 
607  BOOLEAN IsFirst;
608  BOOLEAN JustProcessed;
609 
610  VERIFY_RESULT VerifyResult;
611  PPH_STRING VerifySignerName;
612 
613  ULONG ImageTimeDateStamp;
614  USHORT ImageCharacteristics;
615  USHORT ImageDllCharacteristics;
616 
617  LARGE_INTEGER LoadTime;
618 } PH_MODULE_ITEM, *PPH_MODULE_ITEM;
619 
620 typedef struct _PH_MODULE_PROVIDER
621 {
622  PPH_HASHTABLE ModuleHashtable;
623  PH_FAST_LOCK ModuleHashtableLock;
624  PH_CALLBACK ModuleAddedEvent;
625  PH_CALLBACK ModuleModifiedEvent;
626  PH_CALLBACK ModuleRemovedEvent;
627  PH_CALLBACK UpdatedEvent;
628 
629  HANDLE ProcessId;
630  HANDLE ProcessHandle;
631  PPH_STRING PackageFullName;
632  SLIST_HEADER QueryListHead;
633  NTSTATUS RunStatus;
634 } PH_MODULE_PROVIDER, *PPH_MODULE_PROVIDER;
635 // end_phapppub
636 
637 BOOLEAN PhModuleProviderInitialization(
638  VOID
639  );
640 
641 PPH_MODULE_PROVIDER PhCreateModuleProvider(
642  _In_ HANDLE ProcessId
643  );
644 
645 PPH_MODULE_ITEM PhCreateModuleItem(
646  VOID
647  );
648 
649 PPH_MODULE_ITEM PhReferenceModuleItem(
650  _In_ PPH_MODULE_PROVIDER ModuleProvider,
651  _In_ PVOID BaseAddress
652  );
653 
654 VOID PhDereferenceAllModuleItems(
655  _In_ PPH_MODULE_PROVIDER ModuleProvider
656  );
657 
658 VOID PhModuleProviderUpdate(
659  _In_ PVOID Object
660  );
661 
662 // thrdprv
663 
664 extern PPH_OBJECT_TYPE PhThreadProviderType;
665 extern PPH_OBJECT_TYPE PhThreadItemType;
666 
667 // begin_phapppub
668 typedef struct _PH_THREAD_ITEM
669 {
670  HANDLE ThreadId;
671 
672  LARGE_INTEGER CreateTime;
673  LARGE_INTEGER KernelTime;
674  LARGE_INTEGER UserTime;
675 
676  FLOAT CpuUsage;
677  PH_UINT64_DELTA CpuKernelDelta;
678  PH_UINT64_DELTA CpuUserDelta;
679 
680  PH_UINT32_DELTA ContextSwitchesDelta;
681  PH_UINT64_DELTA CyclesDelta;
682  LONG Priority;
683  LONG BasePriority;
684  ULONG64 StartAddress;
685  PPH_STRING StartAddressString;
686  PPH_STRING StartAddressFileName;
687  enum _PH_SYMBOL_RESOLVE_LEVEL StartAddressResolveLevel;
688  KTHREAD_STATE State;
689  KWAIT_REASON WaitReason;
690  LONG PriorityWin32;
691  PPH_STRING ServiceName;
692 
693  HANDLE ThreadHandle;
694 
695  BOOLEAN IsGuiThread;
696  BOOLEAN JustResolved;
697 
698  WCHAR ThreadIdString[PH_INT32_STR_LEN_1];
699 } PH_THREAD_ITEM, *PPH_THREAD_ITEM;
700 
701 typedef enum _PH_KNOWN_PROCESS_TYPE PH_KNOWN_PROCESS_TYPE;
702 
703 typedef struct _PH_THREAD_PROVIDER
704 {
705  PPH_HASHTABLE ThreadHashtable;
706  PH_FAST_LOCK ThreadHashtableLock;
707  PH_CALLBACK ThreadAddedEvent;
708  PH_CALLBACK ThreadModifiedEvent;
709  PH_CALLBACK ThreadRemovedEvent;
710  PH_CALLBACK UpdatedEvent;
711  PH_CALLBACK LoadingStateChangedEvent;
712 
713  HANDLE ProcessId;
714  HANDLE ProcessHandle;
715  BOOLEAN HasServices;
716  BOOLEAN HasServicesKnown;
717  BOOLEAN Terminating;
718  struct _PH_SYMBOL_PROVIDER *SymbolProvider;
719 
720  SLIST_HEADER QueryListHead;
721  PH_QUEUED_LOCK LoadSymbolsLock;
722  LONG SymbolsLoading;
723  ULONG64 RunId;
724  ULONG64 SymbolsLoadedRunId;
725 } PH_THREAD_PROVIDER, *PPH_THREAD_PROVIDER;
726 // end_phapppub
727 
728 BOOLEAN PhThreadProviderInitialization(
729  VOID
730  );
731 
732 PPH_THREAD_PROVIDER PhCreateThreadProvider(
733  _In_ HANDLE ProcessId
734  );
735 
736 VOID PhRegisterThreadProvider(
737  _In_ PPH_THREAD_PROVIDER ThreadProvider,
738  _Out_ PPH_CALLBACK_REGISTRATION CallbackRegistration
739  );
740 
741 VOID PhUnregisterThreadProvider(
742  _In_ PPH_THREAD_PROVIDER ThreadProvider,
743  _In_ PPH_CALLBACK_REGISTRATION CallbackRegistration
744  );
745 
746 VOID PhSetTerminatingThreadProvider(
747  _Inout_ PPH_THREAD_PROVIDER ThreadProvider
748  );
749 
750 VOID PhLoadSymbolsThreadProvider(
751  _In_ PPH_THREAD_PROVIDER ThreadProvider
752  );
753 
754 PPH_THREAD_ITEM PhCreateThreadItem(
755  _In_ HANDLE ThreadId
756  );
757 
758 PPH_THREAD_ITEM PhReferenceThreadItem(
759  _In_ PPH_THREAD_PROVIDER ThreadProvider,
760  _In_ HANDLE ThreadId
761  );
762 
763 VOID PhDereferenceAllThreadItems(
764  _In_ PPH_THREAD_PROVIDER ThreadProvider
765  );
766 
767 // begin_phapppub
768 PHAPPAPI
769 PPH_STRING
770 NTAPI
771 PhGetThreadPriorityWin32String(
772  _In_ LONG PriorityWin32
773  );
774 // end_phapppub
775 
776 VOID PhThreadProviderInitialUpdate(
777  _In_ PPH_THREAD_PROVIDER ThreadProvider
778  );
779 
780 // hndlprv
781 
782 extern PPH_OBJECT_TYPE PhHandleProviderType;
783 extern PPH_OBJECT_TYPE PhHandleItemType;
784 
785 // begin_phapppub
786 #define PH_HANDLE_FILE_SHARED_READ 0x1
787 #define PH_HANDLE_FILE_SHARED_WRITE 0x2
788 #define PH_HANDLE_FILE_SHARED_DELETE 0x4
789 #define PH_HANDLE_FILE_SHARED_MASK 0x7
790 
791 typedef struct _PH_HANDLE_ITEM
792 {
793  PH_HASH_ENTRY HashEntry;
794 
795  HANDLE Handle;
796  PVOID Object;
797  ULONG Attributes;
798  ACCESS_MASK GrantedAccess;
799  ULONG FileFlags;
800 
801  PPH_STRING TypeName;
802  PPH_STRING ObjectName;
803  PPH_STRING BestObjectName;
804 
805  WCHAR HandleString[PH_PTR_STR_LEN_1];
806  WCHAR ObjectString[PH_PTR_STR_LEN_1];
807  WCHAR GrantedAccessString[PH_PTR_STR_LEN_1];
808 } PH_HANDLE_ITEM, *PPH_HANDLE_ITEM;
809 
810 typedef struct _PH_HANDLE_PROVIDER
811 {
812  PPH_HASH_ENTRY *HandleHashSet;
813  ULONG HandleHashSetSize;
814  ULONG HandleHashSetCount;
815  PH_QUEUED_LOCK HandleHashSetLock;
816 
817  PH_CALLBACK HandleAddedEvent;
818  PH_CALLBACK HandleModifiedEvent;
819  PH_CALLBACK HandleRemovedEvent;
820  PH_CALLBACK UpdatedEvent;
821 
822  HANDLE ProcessId;
823  HANDLE ProcessHandle;
824 
825  PPH_HASHTABLE TempListHashtable;
826  NTSTATUS RunStatus;
827 } PH_HANDLE_PROVIDER, *PPH_HANDLE_PROVIDER;
828 // end_phapppub
829 
830 BOOLEAN PhHandleProviderInitialization(
831  VOID
832  );
833 
834 PPH_HANDLE_PROVIDER PhCreateHandleProvider(
835  _In_ HANDLE ProcessId
836  );
837 
838 PPH_HANDLE_ITEM PhCreateHandleItem(
839  _In_opt_ PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handle
840  );
841 
842 PPH_HANDLE_ITEM PhReferenceHandleItem(
843  _In_ PPH_HANDLE_PROVIDER HandleProvider,
844  _In_ HANDLE Handle
845  );
846 
847 VOID PhDereferenceAllHandleItems(
848  _In_ PPH_HANDLE_PROVIDER HandleProvider
849  );
850 
851 NTSTATUS PhEnumHandlesGeneric(
852  _In_ HANDLE ProcessId,
853  _In_ HANDLE ProcessHandle,
854  _Out_ PSYSTEM_HANDLE_INFORMATION_EX *Handles,
855  _Out_ PBOOLEAN FilterNeeded
856  );
857 
858 VOID PhHandleProviderUpdate(
859  _In_ PVOID Object
860  );
861 
862 // memprv
863 
864 extern PPH_OBJECT_TYPE PhMemoryItemType;
865 
866 // begin_phapppub
867 typedef enum _PH_MEMORY_REGION_TYPE
868 {
869  UnknownRegion,
870  CustomRegion,
871  UnusableRegion,
872  MappedFileRegion,
873  UserSharedDataRegion,
874  PebRegion,
875  Peb32Region,
876  TebRegion,
877  Teb32Region, // Not used
878  StackRegion,
879  Stack32Region,
880  HeapRegion,
881  Heap32Region,
882  HeapSegmentRegion,
883  HeapSegment32Region
884 } PH_MEMORY_REGION_TYPE;
885 
886 typedef struct _PH_MEMORY_ITEM
887 {
888  LIST_ENTRY ListEntry;
889  PH_AVL_LINKS Links;
890 
891  union
892  {
893  struct
894  {
895  PVOID BaseAddress;
896  PVOID AllocationBase;
897  ULONG AllocationProtect;
898  SIZE_T RegionSize;
899  ULONG State;
900  ULONG Protect;
901  ULONG Type;
902  };
903  MEMORY_BASIC_INFORMATION BasicInfo;
904  };
905 
906  struct _PH_MEMORY_ITEM *AllocationBaseItem;
907 
908  SIZE_T CommittedSize;
909  SIZE_T PrivateSize;
910 
911  SIZE_T TotalWorkingSetPages;
912  SIZE_T PrivateWorkingSetPages;
913  SIZE_T SharedWorkingSetPages;
914  SIZE_T ShareableWorkingSetPages;
915  SIZE_T LockedWorkingSetPages;
916 
917  PH_MEMORY_REGION_TYPE RegionType;
918 
919  union
920  {
921  struct
922  {
923  PPH_STRING Text;
924  BOOLEAN PropertyOfAllocationBase;
925  } Custom;
926  struct
927  {
928  PPH_STRING FileName;
929  } MappedFile;
930  struct
931  {
932  HANDLE ThreadId;
933  } Teb;
934  struct
935  {
936  HANDLE ThreadId;
937  } Stack;
938  struct
939  {
940  ULONG Index;
941  } Heap;
942  struct
943  {
944  struct _PH_MEMORY_ITEM *HeapItem;
945  } HeapSegment;
946  } u;
947 } PH_MEMORY_ITEM, *PPH_MEMORY_ITEM;
948 
949 typedef struct _PH_MEMORY_ITEM_LIST
950 {
951  HANDLE ProcessId;
952  PH_AVL_TREE Set;
953  LIST_ENTRY ListHead;
954 } PH_MEMORY_ITEM_LIST, *PPH_MEMORY_ITEM_LIST;
955 // end_phapppub
956 
957 BOOLEAN PhMemoryProviderInitialization(
958  VOID
959  );
960 
961 VOID PhGetMemoryProtectionString(
962  _In_ ULONG Protection,
963  _Out_writes_(17) PWSTR String
964  );
965 
966 PWSTR PhGetMemoryStateString(
967  _In_ ULONG State
968  );
969 
970 PWSTR PhGetMemoryTypeString(
971  _In_ ULONG Type
972  );
973 
974 PPH_MEMORY_ITEM PhCreateMemoryItem(
975  VOID
976  );
977 
978 // begin_phapppub
979 PHAPPAPI
980 VOID
981 NTAPI
982 PhDeleteMemoryItemList(
983  _In_ PPH_MEMORY_ITEM_LIST List
984  );
985 
986 PHAPPAPI
987 PPH_MEMORY_ITEM
988 NTAPI
989 PhLookupMemoryItemList(
990  _In_ PPH_MEMORY_ITEM_LIST List,
991  _In_ PVOID Address
992  );
993 
994 #define PH_QUERY_MEMORY_IGNORE_FREE 0x1
995 #define PH_QUERY_MEMORY_REGION_TYPE 0x2
996 #define PH_QUERY_MEMORY_WS_COUNTERS 0x4
997 
998 PHAPPAPI
999 NTSTATUS
1000 NTAPI
1001 PhQueryMemoryItemList(
1002  _In_ HANDLE ProcessId,
1003  _In_ ULONG Flags,
1004  _Out_ PPH_MEMORY_ITEM_LIST List
1005  );
1006 // end_phapppub
1007 
1008 #endif