/*++ BUILD Version: 0009    // Increment this if a change has global effects

Copyright (c) 1989  Microsoft Corporation

Module Name:

    ps.h

Abstract:

    This module contains the process structure public data structures and
    procedure prototypes to be used within the NT system.

Author:

    Mark Lucovsky 16-Feb-1989

*/
|
|
|
|
#ifndef _PS_
|
|
#define _PS_
|
|
|
|
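// Invalid handle table value.
// Evaluates to 0x82 placed in the most significant byte of a pointer-sized
// integer (0x82000000 when ULONG_PTR is four bytes wide).
#define PSP_INVALID_ID ((ULONG_PTR)(0x82) << ((sizeof(ULONG_PTR) - 1) * 8))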
|
|
|
|
|
|
// Process Object
|
|
|
|
// Process object body.
|
|
// A pointer to this structure is returned when a handle to a process object is referenced.
|
|
// This structure contains a process control block (PCB) which is the kernel's representation of a process.
|
|
|
|
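// Memory priority levels.
// NOTE(review): presumably the values held in MMSUPPORT.MemoryPriority --
// confirm against the memory manager.
#define MEMORY_PRIORITY_BACKGROUND      0
#define MEMORY_PRIORITY_WASFOREGROUND   1
#define MEMORY_PRIORITY_FOREGROUND      2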
|
|
|
|
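// One-bit state flags. MMSUPPORT overlays this structure with a ULONG
// (u.LongFlags) so the whole set can be read or written as one value.
typedef struct _MMSUPPORT_FLAGS
{
    unsigned SessionSpace : 1;
    unsigned BeingTrimmed : 1;
    unsigned ProcessInSession : 1;
    unsigned SessionLeader : 1;
    unsigned TrimHard : 1;
    unsigned WorkingSetHard : 1;
    unsigned WriteWatch : 1;
    unsigned Filler : 25;           // pads the seven flag bits out to 32 bits
} MMSUPPORT_FLAGS;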
|
|
|
|
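// Memory-management bookkeeping: working-set sizes and limits, fault counters
// and trim state. EPROCESS embeds one of these as its Vm member.
typedef struct _MMSUPPORT
{
    LARGE_INTEGER LastTrimTime;
    ULONG LastTrimFaultCount;
    ULONG PageFaultCount;
    ULONG PeakWorkingSetSize;
    ULONG WorkingSetSize;
    ULONG MinimumWorkingSetSize;
    ULONG MaximumWorkingSetSize;
    struct _MMWSL *VmWorkingSetList;
    LIST_ENTRY WorkingSetExpansionLinks;
    UCHAR AllowWorkingSetAdjustment;
    BOOLEAN AddressSpaceBeingDeleted;
    UCHAR ForegroundSwitchCount;
    UCHAR MemoryPriority;           // NOTE(review): presumably one of MEMORY_PRIORITY_* -- confirm

    // The same 32 bits viewed either as a whole or flag by flag.
    union
    {
        ULONG LongFlags;
        MMSUPPORT_FLAGS Flags;
    } u;

    ULONG Claim;
    ULONG NextEstimationSlot;
    ULONG NextAgingSlot;
    ULONG EstimatedAvailable;

    ULONG GrowthSinceLastEstimate;
} MMSUPPORT;

typedef MMSUPPORT *PMMSUPPORT;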
|
|
|
|
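// Client impersonation information.
// ETHREAD.ImpersonationInfo points at one of these. The four members mirror
// the Token / CopyOnOpen / EffectiveOnly / ImpersonationLevel parameters of
// PsImpersonateClient() and the values PsReferenceImpersonationToken() hands
// back through its OUT parameters.
typedef struct _PS_IMPERSONATION_INFORMATION
{
    PACCESS_TOKEN Token;
    BOOLEAN CopyOnOpen;
    BOOLEAN EffectiveOnly;
    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
} PS_IMPERSONATION_INFORMATION, *PPS_IMPERSONATION_INFORMATION;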
|
|
|
|
// Changes to the EPROCESS structure require that you re-run genoff for x86.
|
|
// This step is needed because the old debugger references the process's debug port.
|
|
// If this is not done then the user-debugger will not work.
|
|
// After running genoff, you must re-build ntsd !
|
|
|
|
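// Quota accounting block, reached through EPROCESS.QuotaBlock.
// NOTE(review): ReferenceCount suggests one block can be shared by several
// processes -- confirm the sharing and lifetime rules in the quota code.
typedef struct _EPROCESS_QUOTA_BLOCK
{
    KSPIN_LOCK QuotaLock;
    ULONG ReferenceCount;

    // Two-entry arrays. NOTE(review): presumably one slot per pool type
    // (paged / non-paged, cf. the PagedAmount and NonPagedAmount parameters
    // of PsChargeSharedPoolQuota) -- confirm the index convention.
    SIZE_T QuotaPeakPoolUsage[2];
    SIZE_T QuotaPoolUsage[2];
    SIZE_T QuotaPoolLimit[2];

    SIZE_T PeakPagefileUsage;
    SIZE_T PagefileUsage;
    SIZE_T PagefileLimit;
} EPROCESS_QUOTA_BLOCK, *PEPROCESS_QUOTA_BLOCK;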
|
|
|
|
#if DEVL
|
|
|
|
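// Pagefault monitoring
// Only declared when DEVL is set; EPROCESS.WorkingSetWatch points at one.
typedef struct _PAGEFAULT_HISTORY
{
    ULONG CurrentIndex;
    ULONG MaxIndex;
    KSPIN_LOCK SpinLock;
    PVOID Reserved;

    // Declared with a single element.
    // NOTE(review): looks like the usual variable-length trailing array with
    // MaxIndex entries actually allocated -- confirm at the allocation site,
    // and that every writer checks CurrentIndex against MaxIndex before
    // storing into WatchInfo.
    PROCESS_WS_WATCH_INFORMATION WatchInfo[1];
} PAGEFAULT_HISTORY, *PPAGEFAULT_HISTORY;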
|
|
#endif // DEVL
|
|
|
|
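// Working-set trim flag values.
// NOTE(review): presumably combined in EPROCESS.MmAgressiveWsTrimMask -- confirm.
#define PS_WS_TRIM_FROM_EXE_HEADER      1
#define PS_WS_TRIM_BACKGROUND_ONLY_APP  2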
|
|
|
|
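// Wow64 process structure
// EPROCESS.Wow64Process points at one of these. The three Alt* members exist
// only in _IA64_ builds, so the structure's size differs between targets.
typedef struct _WOW64_PROCESS
{
    PVOID Wow64;
#if defined(_IA64_)
    FAST_MUTEX AlternateTableLock;
    PULONG AltPermBitmap;
    ULONG AltFlags;
#endif
} WOW64_PROCESS, *PWOW64_PROCESS;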
|
|
|
|
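// Flag-word helpers. Each one forwards its arguments unchanged to the
// matching ExInterlocked*Bits routine, which is declared elsewhere.
#define PS_SET_BITS(Flags, Flag)                ExInterlockedSetBits (Flags, Flag)
#define PS_CLEAR_BITS(Flags, Flag)              ExInterlockedClearBits (Flags, Flag)
#define PS_SET_CLEAR_BITS(Flags, sFlag, cFlag)  ExInterlockedSetClearBits (Flags, sFlag, cFlag)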
|
|
|
|
|
|
// Process structure.
|
|
|
|
// If you remove a field from this structure, please also
|
|
// remove the reference to it from within the kernel debugger
|
|
// (nt\private\sdktools\ntsd\ntkext.c)
|
|
|
|
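// Executive process object.
// Pcb embeds the kernel's KPROCESS; PsGetCurrentProcess() maps a KPROCESS
// pointer back to its EPROCESS with CONTAINING_RECORD on that member.
// The member order is part of the contract with the debugger tooling named in
// the comments around this structure, so members are never reordered here.
typedef struct _EPROCESS
{
    KPROCESS Pcb;
    NTSTATUS ExitStatus;
    KEVENT LockEvent;
    ULONG LockCount;
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER ExitTime;
    PKTHREAD LockOwner;

    HANDLE UniqueProcessId;         // also what PsProcessAuditId() yields

    LIST_ENTRY ActiveProcessLinks;

    // Quota Fields
    SIZE_T QuotaPeakPoolUsage[2];
    SIZE_T QuotaPoolUsage[2];

    SIZE_T PagefileUsage;
    SIZE_T CommitCharge;
    SIZE_T PeakPagefileUsage;

    // VmCounters

    SIZE_T PeakVirtualSize;
    SIZE_T VirtualSize;

    MMSUPPORT Vm;
    LIST_ENTRY SessionProcessLinks;

    PVOID DebugPort;
    PVOID ExceptionPort;
    PHANDLE_TABLE ObjectTable;

    // Security
    // This field must never be null.
    // NOTE(review): PsLockProcessSecurityFields() / PsFreeProcessSecurityFields()
    // bracket the global PsProcessSecurityLock; presumably that lock is what
    // guards this member -- confirm before reading or replacing it unlocked.
    PACCESS_TOKEN Token;

    FAST_MUTEX WorkingSetLock;
    PFN_NUMBER WorkingSetPage;
    BOOLEAN ProcessOutswapEnabled;
    BOOLEAN ProcessOutswapped;
    UCHAR AddressSpaceInitialized;
    BOOLEAN AddressSpaceDeleted;
    FAST_MUTEX AddressCreationLock;
    KSPIN_LOCK HyperSpaceLock;
    struct _ETHREAD *ForkInProgress;
    USHORT VmOperation;
    UCHAR ForkWasSuccessful;
    UCHAR MmAgressiveWsTrimMask;
    PKEVENT VmOperationEvent;
    PVOID PaeTop;
    ULONG LastFaultCount;
    ULONG ModifiedPageCount;
    PVOID VadRoot;
    PVOID VadHint;
    PVOID CloneRoot;
    PFN_NUMBER NumberOfPrivatePages;
    PFN_NUMBER NumberOfLockedPages;
    USHORT NextPageColor;
    BOOLEAN ExitProcessCalled;

    // Used by Debug Subsystem
    BOOLEAN CreateProcessReported;
    HANDLE SectionHandle;

    // Peb
    PPEB Peb;
    PVOID SectionBaseAddress;

    PEPROCESS_QUOTA_BLOCK QuotaBlock;
    NTSTATUS LastThreadExitStatus;

    // NOTE(review): PPAGEFAULT_HISTORY is only declared under #if DEVL earlier
    // in this header, while this member is unconditional; a build with DEVL
    // unset would fail here -- confirm DEVL is always defined.
    PPAGEFAULT_HISTORY WorkingSetWatch;

    HANDLE Win32WindowStation;
    HANDLE InheritedFromUniqueProcessId;
    ACCESS_MASK GrantedAccess;
    ULONG DefaultHardErrorProcessing;
    PVOID LdtInformation;
    PVOID VadFreeHint;
    PVOID VdmObjects;
    PVOID DeviceMap;

    // Id of the Hydra session in which this process is running
    ULONG SessionId;

    LIST_ENTRY PhysicalVadList;

    // Filler fixes this slot at the size of a ULONGLONG at minimum, whatever
    // sizeof(HARDWARE_PTE) is on the target.
    union
    {
        HARDWARE_PTE PageDirectoryPte;
        ULONGLONG Filler;
    };

    ULONG PaePageDirectoryPage;

    // Fixed 16-byte buffer.
    // NOTE(review): nothing in this header says the name is NUL-terminated
    // when the source name fills the buffer; readers should bound every copy
    // or print to sizeof(ImageFileName) -- confirm how the writer fills it.
    UCHAR ImageFileName[16];

    ULONG VmTrimFaultValue;
    BOOLEAN SetTimerResolution;
    UCHAR PriorityClass;

    // Subsystem version, addressable as two bytes or as one USHORT.
    union
    {
        struct
        {
            UCHAR SubSystemMinorVersion;
            UCHAR SubSystemMajorVersion;
        };
        USHORT SubSystemVersion;
    };

    PVOID Win32Process;
    struct _EJOB *Job;
    ULONG JobStatus;                // NOTE(review): presumably PS_JOB_STATUS_* bits -- confirm
    LIST_ENTRY JobLinks;
    PVOID LockedPagesList;

    // Used by rdr/security for authentication
    PVOID SecurityPort;
    PWOW64_PROCESS Wow64Process;

    LARGE_INTEGER ReadOperationCount;
    LARGE_INTEGER WriteOperationCount;
    LARGE_INTEGER OtherOperationCount;
    LARGE_INTEGER ReadTransferCount;
    LARGE_INTEGER WriteTransferCount;
    LARGE_INTEGER OtherTransferCount;

    SIZE_T CommitChargeLimit;
    SIZE_T CommitChargePeak;

    LIST_ENTRY ThreadListHead;      // NOTE(review): presumably links ETHREAD.ThreadListEntry -- confirm

    PRTL_BITMAP VadPhysicalPagesBitMap;
    ULONG_PTR VadPhysicalPages;
    KSPIN_LOCK AweLock;
} EPROCESS;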
|
|
|
|
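// Job status bits; each value is a distinct single bit.
// NOTE(review): presumably stored in EPROCESS.JobStatus -- confirm.
#define PS_JOB_STATUS_NOT_REALLY_ACTIVE         0x00000001
#define PS_JOB_STATUS_ACCOUNTING_FOLDED         0x00000002
#define PS_JOB_STATUS_NEW_PROCESS_REPORTED      0x00000004
#define PS_JOB_STATUS_EXIT_PROCESS_REPORTED     0x00000008
#define PS_JOB_STATUS_REPORT_COMMIT_CHANGES     0x00000010
#define PS_JOB_STATUS_LAST_REPORT_MEMORY        0x00000020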
|
|
|
|
typedef EPROCESS* PEPROCESS;
|
|
|
|
|
|
// Thread Object
|
|
|
|
// Thread object body.
|
|
// A pointer to this structure is returned when a handle to a thread object is referenced.
|
|
// This structure contains a thread control block (TCB) which is the kernel's representation of a thread.
|
|
|
|
// If you remove a field from this structure, please also
|
|
// remove the reference to it from within the kernel debugger
|
|
// (nt\private\sdktools\ntsd\ntkext.c)
|
|
|
|
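// ETHREAD.CreateTime shares its storage with the NestedFaultCount / ApcNeeded
// bit-fields (three bits in total), so the time is kept shifted left by 3 and
// must only be read or written through these two macros.
//
// The upper 4 bits of the CreateTime should be zero on initialization so that the shift doesn't destroy anything.
//
// PS_SET_THREAD_CREATE_TIME stores the whole QuadPart, so it also zeroes the
// three bits the shift vacates; it is an initialization step, not something
// to call while the flag bit-fields are live.
// NOTE(review): callers are expected to guarantee the "upper 4 bits zero"
// precondition themselves; nothing here checks it.
//
// InputCreateTime is parenthesized so that an expression argument such as
// *Pointer selects .QuadPart from the whole expression.
#define PS_GET_THREAD_CREATE_TIME(Thread) ((Thread)->CreateTime.QuadPart >> 3)
#define PS_SET_THREAD_CREATE_TIME(Thread, InputCreateTime) ((Thread)->CreateTime.QuadPart = ((InputCreateTime).QuadPart << 3))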
|
|
|
|
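// Executive thread object.
// Tcb embeds the kernel's KTHREAD; PsGetCurrentThread() maps a KTHREAD
// pointer back to its ETHREAD with CONTAINING_RECORD on that member.
// Several members are anonymous unions: the storage is shared, and which
// alternative is live depends on thread state that this header does not show.
typedef struct _ETHREAD
{
    KTHREAD Tcb;

    union
    {
        // The fact that this is a union means that all accesses to CreateTime
        // must be sanitized using the two macros above.
        LARGE_INTEGER CreateTime;

        // These fields are accessed only by the owning thread, but can be
        // accessed from within a special kernel APC so IRQL protection must be applied.
        struct
        {
            unsigned NestedFaultCount : 2;
            unsigned ApcNeeded : 1;
        };
    };

    union
    {
        LARGE_INTEGER ExitTime;
        LIST_ENTRY LpcReplyChain;
    };

    union
    {
        NTSTATUS ExitStatus;
        PVOID OfsChain;
    };

    // Registry

    LIST_ENTRY PostBlockList;
    LIST_ENTRY TerminationPortList; // also used as reaper links

    KSPIN_LOCK ActiveTimerListLock;
    LIST_ENTRY ActiveTimerListHead;

    CLIENT_ID Cid;

    // Lpc
    KSEMAPHORE LpcReplySemaphore;
    PVOID LpcReplyMessage;          // -> Message that contains the reply
    ULONG LpcReplyMessageId;        // MessageId this thread is waiting for reply to

    // Security

    // Client - If non null, indicates the thread is impersonating a client.
    // NOTE(review): no member is named Client; the comment presumably
    // describes ImpersonationInfo. ActiveImpersonationInfo further down is a
    // separate BOOLEAN -- confirm which of the two callers must test.

    ULONG PerformanceCountLow;
    PPS_IMPERSONATION_INFORMATION ImpersonationInfo;

    // Io
    LIST_ENTRY IrpList;

    // File Systems
    ULONG_PTR TopLevelIrp;          // either NULL, an Irp or a flag defined in FsRtl.h
    struct _DEVICE_OBJECT *DeviceToVerify;

    // Mm

    ULONG ReadClusterSize;
    BOOLEAN ForwardClusterOnly;
    BOOLEAN DisablePageFaultClustering;

    BOOLEAN DeadThread;
    BOOLEAN HideFromDebugger;

    ULONG HasTerminated;            // read by the macro form of PsIsThreadTerminating()

    // Client/server
    ACCESS_MASK GrantedAccess;
    PEPROCESS ThreadsProcess;       // read by THREAD_TO_PROCESS()
    PVOID StartAddress;

    // NOTE(review): LpcReceivedMsgIdValid below presumably says when the
    // LpcReceivedMessageId alternative is the live one -- confirm.
    union
    {
        PVOID Win32StartAddress;
        ULONG LpcReceivedMessageId;
    };

    BOOLEAN LpcExitThreadCalled;
    BOOLEAN HardErrorsAreDisabled;
    BOOLEAN LpcReceivedMsgIdValid;
    BOOLEAN ActiveImpersonationInfo;
    LONG PerformanceCountHigh;

    LIST_ENTRY ThreadListEntry;
} ETHREAD;

typedef ETHREAD *PETHREAD;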
|
|
|
|
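// Initial PEB
//
// These four fields cannot change unless the PEB structure is also updated.
// NOTE(review): in the original layout that sentence runs alongside all five
// members, Mutant included; treat Mutant as covered too until confirmed.
typedef struct _INITIAL_PEB
{
    BOOLEAN InheritedAddressSpace;
    BOOLEAN ReadImageFileExecOptions;
    BOOLEAN BeingDebugged;
    BOOLEAN SpareBool;
    HANDLE Mutant;
} INITIAL_PEB, *PINITIAL_PEB;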
|
|
|
|
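// Captured SIDs, groups and privileges, reached through EJOB.Filter.
// Each array pointer travels with an element count and a length.
// NOTE(review): the *Length members are presumably byte sizes of the captured
// buffers; consumers should check count against length before walking an
// array -- confirm against the code that fills this structure.
typedef struct _PS_JOB_TOKEN_FILTER
{
    ULONG CapturedSidCount;
    PSID_AND_ATTRIBUTES CapturedSids;
    ULONG CapturedSidsLength;

    ULONG CapturedGroupCount;
    PSID_AND_ATTRIBUTES CapturedGroups;
    ULONG CapturedGroupsLength;

    ULONG CapturedPrivilegeCount;
    PLUID_AND_ATTRIBUTES CapturedPrivileges;
    ULONG CapturedPrivilegesLength;
} PS_JOB_TOKEN_FILTER, *PPS_JOB_TOKEN_FILTER;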
|
|
|
|
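// Job Object
// Groups accounting totals, limits and security restrictions for a set of
// processes; EPROCESS.Job points at the job a process belongs to.
typedef struct _EJOB
{
    KEVENT Event;
    LIST_ENTRY JobLinks;
    LIST_ENTRY ProcessListHead;
    ERESOURCE JobLock;

    // Accounting Info
    LARGE_INTEGER TotalUserTime;
    LARGE_INTEGER TotalKernelTime;
    LARGE_INTEGER ThisPeriodTotalUserTime;
    LARGE_INTEGER ThisPeriodTotalKernelTime;
    ULONG TotalPageFaultCount;
    ULONG TotalProcesses;
    ULONG ActiveProcesses;
    ULONG TotalTerminatedProcesses;

    // Limitable Attributes
    LARGE_INTEGER PerProcessUserTimeLimit;
    LARGE_INTEGER PerJobUserTimeLimit;
    ULONG LimitFlags;
    SIZE_T MinimumWorkingSetSize;
    SIZE_T MaximumWorkingSetSize;
    ULONG ActiveProcessLimit;
    KAFFINITY Affinity;
    UCHAR PriorityClass;

    // UI restrictions
    ULONG UIRestrictionsClass;

    // Security Limitations: write once, read always
    // NOTE(review): nothing in this header enforces the write-once rule; it
    // has to be upheld by whichever routine sets these three members.
    ULONG SecurityLimitFlags;
    PACCESS_TOKEN Token;
    PPS_JOB_TOKEN_FILTER Filter;

    // End Of Job Time Limit
    ULONG EndOfJobTimeAction;
    PVOID CompletionPort;
    PVOID CompletionKey;

    ULONG SessionId;

    ULONG SchedulingClass;

    ULONGLONG ReadOperationCount;
    ULONGLONG WriteOperationCount;
    ULONGLONG OtherOperationCount;
    ULONGLONG ReadTransferCount;
    ULONGLONG WriteTransferCount;
    ULONGLONG OtherTransferCount;

    // Extended Limits

    IO_COUNTERS IoInfo;             // not used yet
    SIZE_T ProcessMemoryLimit;
    SIZE_T JobMemoryLimit;
    SIZE_T PeakProcessMemoryUsed;
    SIZE_T PeakJobMemoryUsed;
    SIZE_T CurrentJobMemoryUsed;

    FAST_MUTEX MemoryLimitsLock;
} EJOB;

typedef EJOB *PEJOB;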
|
|
|
|
// Global Variables
|
|
extern ULONG PsPrioritySeperation;
|
|
extern ULONG PsRawPrioritySeparation;
|
|
extern LIST_ENTRY PsActiveProcessHead;
|
|
extern UNICODE_STRING PsNtDllPathName;
|
|
extern PVOID PsSystemDllBase;
|
|
extern FAST_MUTEX PsProcessSecurityLock;
|
|
extern PEPROCESS PsInitialSystemProcess;
|
|
extern PVOID PsNtosImageBase;
|
|
extern PVOID PsHalImageBase;
|
|
extern LIST_ENTRY PsLoadedModuleList;
|
|
extern ERESOURCE PsLoadedModuleResource;
|
|
extern LCID PsDefaultSystemLocaleId;
|
|
extern LCID PsDefaultThreadLocaleId;
|
|
extern LANGID PsDefaultUILanguageId;
|
|
extern LANGID PsInstallUILanguageId;
|
|
extern PEPROCESS PsIdleProcess;
|
|
extern BOOLEAN PsReaperActive;
|
|
extern LIST_ENTRY PsReaperListHead;
|
|
extern WORK_QUEUE_ITEM PsReaperWorkItem;
|
|
|
|
BOOLEAN PsChangeJobMemoryUsage(SSIZE_T Amount);
|
|
VOID PsReportProcessMemoryLimitViolation(VOID);
|
|
|
|
#if DEVL
|
|
#define THREAD_HIT_SLOTS 750
|
|
extern ULONG PsThreadHits[THREAD_HIT_SLOTS];
|
|
VOID PsThreadHit(IN PETHREAD Thread);
|
|
#endif // DEVL
|
|
|
|
VOID PsEnforceExecutionTimeLimits(VOID);
|
|
BOOLEAN PsInitSystem(IN ULONG Phase, IN PLOADER_PARAMETER_BLOCK LoaderBlock);
|
|
NTSTATUS PsLocateSystemDll(VOID);
|
|
VOID PsChangeQuantumTable(BOOLEAN ModifyActiveProcesses, ULONG PrioritySeparation);
|
|
|
|
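// Get Current Prototypes

// The process recorded in the thread's ThreadsProcess member.
#define THREAD_TO_PROCESS(thread) ((thread)->ThreadsProcess)

// True when the thread has no TEB or its TEB pointer is a system address.
// The argument is expanded more than once, so pass a plain variable.
#define IS_SYSTEM_THREAD(thread) (((thread)->Tcb.Teb == NULL) || (IS_SYSTEM_ADDRESS((thread)->Tcb.Teb)))

// The EPROCESS containing the KPROCESS that the current thread's
// ApcState.Process points at.
// NOTE(review): this goes through ApcState rather than ThreadsProcess, so it
// presumably differs from THREAD_TO_PROCESS(PsGetCurrentThread()) while the
// thread is attached to another process -- confirm before using either one
// for an access decision.
#define PsGetCurrentProcess() (CONTAINING_RECORD(((KeGetCurrentThread())->ApcState.Process),EPROCESS,Pcb))

// The ETHREAD containing the current KTHREAD.
#define PsGetCurrentThread() (CONTAINING_RECORD((KeGetCurrentThread()),ETHREAD,Tcb))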
|
|
|
|
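// VOID PsLockProcessSecurityFields(VOID)
// Acquires the global PsProcessSecurityLock fast mutex.
#define PsLockProcessSecurityFields() ExAcquireFastMutex(&PsProcessSecurityLock)

// VOID PsFreeProcessSecurityFields(VOID);
// Releases PsProcessSecurityLock. Every acquire needs exactly one release on
// every exit path of the caller, error paths included.
#define PsFreeProcessSecurityFields() ExReleaseFastMutex(&PsProcessSecurityLock)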
|
|
|
|
// Exit special kernel mode APC routine.
|
|
VOID PsExitSpecialApc(IN PKAPC Apc,
|
|
IN PKNORMAL_ROUTINE* NormalRoutine,
|
|
IN PVOID* NormalContext,
|
|
IN PVOID* SystemArgument1,
|
|
IN PVOID* SystemArgument2);
|
|
|
|
// begin_ntddk begin_wdm begin_nthal begin_ntifs
|
|
|
|
// System Thread and Process Creation and Termination
|
|
|
|
|
|
NTKERNELAPI NTSTATUS PsCreateSystemThread(OUT PHANDLE ThreadHandle,
|
|
IN ULONG DesiredAccess,
|
|
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
|
|
IN HANDLE ProcessHandle OPTIONAL,
|
|
OUT PCLIENT_ID ClientId OPTIONAL,
|
|
IN PKSTART_ROUTINE StartRoutine,
|
|
IN PVOID StartContext);
|
|
|
|
NTKERNELAPI NTSTATUS PsTerminateSystemThread(IN NTSTATUS ExitStatus);
|
|
|
|
// end_ntddk end_wdm end_nthal end_ntifs
|
|
|
|
NTSTATUS PsCreateSystemProcess(OUT PHANDLE ProcessHandle,
|
|
IN ULONG DesiredAccess,
|
|
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL);
|
|
|
|
typedef VOID(*PLEGO_NOTIFY_ROUTINE)(PKTHREAD Thread);
|
|
ULONG PsSetLegoNotifyRoutine(PLEGO_NOTIFY_ROUTINE LegoNotifyRoutine);
|
|
|
|
// begin_ntifs begin_ntddk
|
|
|
|
typedef VOID(*PCREATE_PROCESS_NOTIFY_ROUTINE)(IN HANDLE ParentId, IN HANDLE ProcessId, IN BOOLEAN Create);
|
|
NTSTATUS PsSetCreateProcessNotifyRoutine(IN PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine, IN BOOLEAN Remove);
|
|
typedef VOID(*PCREATE_THREAD_NOTIFY_ROUTINE)(IN HANDLE ProcessId, IN HANDLE ThreadId, IN BOOLEAN Create);
|
|
NTSTATUS PsSetCreateThreadNotifyRoutine(IN PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine);
|
|
|
|
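// Structures for Load Image Notify
// An IMAGE_INFO is what a PLOAD_IMAGE_NOTIFY_ROUTINE receives as ImageInfo.
// It sits inside the begin_ntddk / begin_ntifs region of this header, so the
// layout is shared with code outside the kernel proper.
typedef struct _IMAGE_INFO
{
    // The property bits, readable as one ULONG or field by field
    // (8 + 1 + 1 + 22 = 32 bits).
    union
    {
        ULONG Properties;
        struct
        {
            ULONG ImageAddressingMode : 8;      // code addressing mode
            ULONG SystemModeImage : 1;          // system mode image
            ULONG ImageMappedToAllPids : 1;     // image mapped into all processes
            ULONG Reserved : 22;
        };
    };

    PVOID ImageBase;
    ULONG ImageSelector;
    SIZE_T ImageSize;
    ULONG ImageSectionNumber;
} IMAGE_INFO, *PIMAGE_INFO;

// NOTE(review): presumably a value for IMAGE_INFO.ImageAddressingMode -- confirm.
#define IMAGE_ADDRESSING_MODE_32BIT 3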
|
|
|
|
typedef VOID(*PLOAD_IMAGE_NOTIFY_ROUTINE)(IN PUNICODE_STRING FullImageName,
|
|
IN HANDLE ProcessId, // pid into which image is being mapped
|
|
IN PIMAGE_INFO ImageInfo);
|
|
|
|
NTSTATUS PsSetLoadImageNotifyRoutine(IN PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine);
|
|
// end_ntddk end_ntifs
|
|
|
|
// begin_ntsrv
|
|
|
|
// Security Support
|
|
|
|
|
|
NTSTATUS PsAssignImpersonationToken(IN PETHREAD Thread, IN HANDLE Token);
|
|
NTKERNELAPI PACCESS_TOKEN PsReferencePrimaryToken(IN PEPROCESS Process);
|
|
|
|
// end_ntsrv
|
|
// begin_ntifs
|
|
|
|
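// VOID PsDereferencePrimaryToken(IN PACCESS_TOKEN PrimaryToken);
// Passes the token straight to ObDereferenceObject. There is no NULL check
// here, unlike PsDereferenceImpersonationToken.
// NOTE(review): presumably the release for a token obtained from
// PsReferencePrimaryToken(); every reference taken needs exactly one release.
#define PsDereferencePrimaryToken(T) (ObDereferenceObject((T)))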
|
|
|
|
// end_ntifs
|
|
|
|
// Yields the UniqueProcessId member of the given process.
#define PsProcessAuditId(Process)   ( (Process)->UniqueProcessId )
|
|
|
|
NTKERNELAPI PACCESS_TOKEN PsReferenceImpersonationToken(IN PETHREAD Thread,
|
|
OUT PBOOLEAN CopyOnOpen,
|
|
OUT PBOOLEAN EffectiveOnly,
|
|
OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel);
|
|
PACCESS_TOKEN PsReferenceEffectiveToken(IN PETHREAD Thread,
|
|
OUT PTOKEN_TYPE TokenType,
|
|
OUT PBOOLEAN EffectiveOnly,
|
|
OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel);
|
|
|
|
// begin_ntifs
|
|
|
|
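// VOID PsDereferenceImpersonationToken(IN PACCESS_TOKEN ImpersonationToken);
//
// Hands the token to ObDereferenceObject when ARGUMENT_PRESENT(T) holds and
// does nothing otherwise, so a caller may pass the result of a lookup that
// found no impersonation token.
//
// T is expanded twice (once for the test, once for the dereference): pass a
// plain variable, never an expression with side effects.
//
// The body is wrapped in do { } while (0) so that the macro plus the caller's
// trailing semicolon forms exactly one statement and remains correct as the
// unbraced body of an if / else.
#define PsDereferenceImpersonationToken(T)  \
    do {                                    \
        if (ARGUMENT_PRESENT(T)) {          \
            (ObDereferenceObject((T)));     \
        }                                   \
    } while (0)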
|
|
|
|
LARGE_INTEGER PsGetProcessExitTime(VOID);
|
|
|
|
// end_ntifs
|
|
#if defined(_NTDDK_) || defined(_NTIFS_)
|
|
|
|
// begin_ntifs
|
|
BOOLEAN PsIsThreadTerminating(IN PETHREAD Thread);
|
|
|
|
// end_ntifs
|
|
|
|
#else
|
|
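// BOOLEAN PsIsThreadTerminating(IN PETHREAD Thread)
// Returns TRUE if thread is in the process of terminating.
//
// HasTerminated is a ULONG. It is collapsed to 0 or 1 here so the result
// keeps its meaning when stored in a BOOLEAN, which is the return type of the
// function form declared for _NTDDK_ / _NTIFS_ builds; a raw ULONG with only
// high bits set would otherwise truncate to FALSE.
#define PsIsThreadTerminating(T) ((BOOLEAN)((T)->HasTerminated != 0))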
|
|
#endif
|
|
|
|
extern BOOLEAN PsImageNotifyEnabled;
|
|
|
|
VOID PsCallImageNotifyRoutines(IN PUNICODE_STRING FullImageName,
|
|
IN HANDLE ProcessId, // pid into which image is being mapped
|
|
IN PIMAGE_INFO ImageInfo);
|
|
|
|
NTSTATUS PsImpersonateClient(IN PETHREAD Thread,
|
|
IN PACCESS_TOKEN Token,
|
|
IN BOOLEAN CopyOnOpen,
|
|
IN BOOLEAN EffectiveOnly,
|
|
IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel);
|
|
|
|
// begin_ntsrv
|
|
|
|
BOOLEAN PsDisableImpersonation(IN PETHREAD Thread, IN PSE_IMPERSONATION_STATE ImpersonationState);
|
|
VOID PsRestoreImpersonation(IN PETHREAD Thread, IN PSE_IMPERSONATION_STATE ImpersonationState);
|
|
|
|
// end_ntsrv
|
|
|
|
NTKERNELAPI VOID PsRevertToSelf(VOID);
|
|
|
|
NTSTATUS PsOpenTokenOfThread(IN HANDLE ThreadHandle,
|
|
IN BOOLEAN OpenAsSelf,
|
|
OUT PACCESS_TOKEN* Token,
|
|
OUT PBOOLEAN CopyOnOpen,
|
|
OUT PBOOLEAN EffectiveOnly,
|
|
OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel);
|
|
|
|
NTSTATUS PsOpenTokenOfProcess(IN HANDLE ProcessHandle, OUT PACCESS_TOKEN* Token);
|
|
NTSTATUS PsOpenTokenOfJob(IN HANDLE JobHandle, OUT PACCESS_TOKEN* Token);
|
|
|
|
// Cid
|
|
|
|
NTSTATUS PsLookupProcessThreadByCid(IN PCLIENT_ID Cid, OUT PEPROCESS* Process OPTIONAL, OUT PETHREAD* Thread);
|
|
NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(IN HANDLE ProcessId, OUT PEPROCESS* Process);
|
|
NTKERNELAPI NTSTATUS PsLookupThreadByThreadId(IN HANDLE ThreadId, OUT PETHREAD* Thread);
|
|
|
|
// begin_ntifs
|
|
|
|
// Quota Operations
|
|
|
|
VOID PsChargePoolQuota(IN PEPROCESS Process, IN POOL_TYPE PoolType, IN ULONG_PTR Amount);
|
|
VOID PsReturnPoolQuota(IN PEPROCESS Process, IN POOL_TYPE PoolType, IN ULONG_PTR Amount);
|
|
// end_ntifs
|
|
|
|
|
|
// Context Management
|
|
|
|
|
|
VOID PspContextToKframes(OUT PKTRAP_FRAME TrapFrame, OUT PKEXCEPTION_FRAME ExceptionFrame, IN PCONTEXT Context);
|
|
VOID PspContextFromKframes(OUT PKTRAP_FRAME TrapFrame, OUT PKEXCEPTION_FRAME ExceptionFrame, IN PCONTEXT Context);
|
|
VOID PsReturnSharedPoolQuota(IN PEPROCESS_QUOTA_BLOCK QuotaBlock, IN ULONG_PTR PagedAmount, IN ULONG_PTR NonPagedAmount);
|
|
PEPROCESS_QUOTA_BLOCK PsChargeSharedPoolQuota(IN PEPROCESS Process, IN ULONG_PTR PagedAmount, IN ULONG_PTR NonPagedAmount);
|
|
|
|
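// Lock mode argument of PsLockProcess(). Values are assigned implicitly,
// starting at 0 in declaration order.
typedef enum _PSLOCKPROCESSMODE
{
    PsLockPollOnTimeout,
    PsLockReturnTimeout,
    PsLockWaitForever,
    PsLockIAmExiting
} PSLOCKPROCESSMODE;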
|
|
|
|
NTSTATUS PsLockProcess(IN PEPROCESS Process, IN KPROCESSOR_MODE WaitMode, IN PSLOCKPROCESSMODE LockMode);
|
|
VOID PsUnlockProcess(IN PEPROCESS Process);
|
|
|
|
// Exception Handling
|
|
|
|
BOOLEAN PsForwardException(IN PEXCEPTION_RECORD ExceptionRecord,
|
|
IN BOOLEAN DebugException,
|
|
IN BOOLEAN SecondChance);
|
|
|
|
typedef NTSTATUS(*PKWIN32_PROCESS_CALLOUT) (IN PEPROCESS Process, IN BOOLEAN Initialize);
|
|
|
|
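// Kind of job callout, carried in WIN32_JOBCALLOUT_PARAMETERS.CalloutType.
// Values are assigned implicitly, starting at 0 in declaration order.
typedef enum _PSW32JOBCALLOUTTYPE
{
    PsW32JobCalloutSetInformation,
    PsW32JobCalloutAddProcess,
    PsW32JobCalloutTerminate
} PSW32JOBCALLOUTTYPE;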
|
|
|
|
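// Argument block handed to a PKWIN32_JOB_CALLOUT routine.
// Job and Data are untyped pointers.
// NOTE(review): what Data points at presumably depends on CalloutType; the
// receiver should check CalloutType before interpreting it -- confirm.
typedef struct _WIN32_JOBCALLOUT_PARAMETERS
{
    PVOID Job;
    PSW32JOBCALLOUTTYPE CalloutType;
    IN PVOID Data;
} WIN32_JOBCALLOUT_PARAMETERS, *PKWIN32_JOBCALLOUT_PARAMETERS;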
|
|
|
|
|
|
typedef NTSTATUS(*PKWIN32_JOB_CALLOUT) (IN PKWIN32_JOBCALLOUT_PARAMETERS Parm);
|
|
|
|
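// Reason code passed to a PKWIN32_THREAD_CALLOUT routine.
// Values are assigned implicitly, starting at 0 in declaration order.
typedef enum _PSW32THREADCALLOUTTYPE
{
    PsW32ThreadCalloutInitialize,
    PsW32ThreadCalloutExit
} PSW32THREADCALLOUTTYPE;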
|
|
|
|
typedef NTSTATUS(*PKWIN32_THREAD_CALLOUT) (IN PETHREAD Thread, IN PSW32THREADCALLOUTTYPE CalloutType);
|
|
|
|
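// Power event kind, carried in WIN32_POWEREVENT_PARAMETERS.EventNumber.
// Values are assigned implicitly, starting at 0 in declaration order, so new
// entries belong at the end.
typedef enum _PSPOWEREVENTTYPE
{
    PsW32FullWake,
    PsW32EventCode,
    PsW32PowerPolicyChanged,
    PsW32SystemPowerState,
    PsW32SystemTime,
    PsW32DisplayState,
    PsW32CapabilitiesChanged,
    PsW32SetStateFailed,
    PsW32GdiOff,
    PsW32GdiOn
} PSPOWEREVENTTYPE;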
|
|
|
|
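// Argument block handed to a PKWIN32_POWEREVENT_CALLOUT routine.
typedef struct _WIN32_POWEREVENT_PARAMETERS
{
    PSPOWEREVENTTYPE EventNumber;
    ULONG_PTR Code;                 // NOTE(review): meaning presumably depends on EventNumber -- confirm
} WIN32_POWEREVENT_PARAMETERS, *PKWIN32_POWEREVENT_PARAMETERS;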
|
|
|
|
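// Argument block handed to a PKWIN32_POWERSTATE_CALLOUT routine.
typedef struct _WIN32_POWERSTATE_PARAMETERS
{
    BOOLEAN Promotion;
    POWER_ACTION SystemAction;
    SYSTEM_POWER_STATE MinSystemState;
    ULONG Flags;
} WIN32_POWERSTATE_PARAMETERS, *PKWIN32_POWERSTATE_PARAMETERS;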
|
|
|
|
typedef NTSTATUS(*PKWIN32_POWEREVENT_CALLOUT) (IN PKWIN32_POWEREVENT_PARAMETERS Parm);
|
|
typedef NTSTATUS(*PKWIN32_POWERSTATE_CALLOUT) (IN PKWIN32_POWERSTATE_PARAMETERS Parm);
|
|
|
|
NTKERNELAPI VOID PsEstablishWin32Callouts(IN PKWIN32_PROCESS_CALLOUT ProcessCallout,
|
|
IN PKWIN32_THREAD_CALLOUT ThreadCallout,
|
|
IN PKWIN32_GLOBALATOMTABLE_CALLOUT GlobalAtomTableCallout,
|
|
IN PKWIN32_POWEREVENT_CALLOUT PowerEventCallout,
|
|
IN PKWIN32_POWERSTATE_CALLOUT PowerStateCallout,
|
|
IN PKWIN32_JOB_CALLOUT JobCallout,
|
|
IN PVOID BatchFlushRoutine);
|
|
|
|
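// Priority mode argument of PsSetProcessPriorityByClass().
// Values are assigned implicitly, starting at 0 in declaration order.
typedef enum _PSPROCESSPRIORITYMODE
{
    PsProcessPriorityBackground,
    PsProcessPriorityForeground,
    PsProcessPrioritySpinning
} PSPROCESSPRIORITYMODE;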
|
|
|
|
NTKERNELAPI VOID PsSetProcessPriorityByClass(IN PEPROCESS Process, IN PSPROCESSPRIORITYMODE PriorityMode);
|
|
|
|
#if DEVL
|
|
NTSTATUS PsWatchWorkingSet(IN NTSTATUS Status, IN PVOID PcValue, IN PVOID Va);
|
|
#endif // DEVL
|
|
|
|
// begin_ntddk begin_nthal begin_ntifs
|
|
|
|
HANDLE PsGetCurrentProcessId(VOID);
|
|
HANDLE PsGetCurrentThreadId(VOID);
|
|
BOOLEAN PsGetVersion(PULONG MajorVersion OPTIONAL,
|
|
PULONG MinorVersion OPTIONAL,
|
|
PULONG BuildNumber OPTIONAL,
|
|
PUNICODE_STRING CSDVersion OPTIONAL);
|
|
|
|
// end_ntddk end_nthal end_ntifs
|
|
|
|
#endif // _PS_
|