/*++ NDK Version: 0098
Copyright (c) Alex Ionescu. All rights reserved.
Header Name:
psfuncs.h
Abstract:
Function definitions for the Process Manager
Author:
Alex Ionescu (alexi@tinykrnl.org) - Updated - 27-Feb-2006
--*/
#ifndef _PSFUNCS_H
#define _PSFUNCS_H
//
// Dependencies
//
#include <umtypes.h>
#include <pstypes.h>
#ifdef __cplusplus
extern "C" {
#endif
#ifndef NTOS_MODE_USER
//
// Win32K Process/Thread Functions
//
NTKERNELAPI
PVOID
NTAPI
PsGetCurrentThreadWin32Thread(
VOID
);
NTKERNELAPI
PVOID
NTAPI
PsGetCurrentProcessWin32Process(
VOID
);
NTKERNELAPI
PVOID
NTAPI
PsGetProcessWin32Process(
_In_ PEPROCESS Process
);
NTKERNELAPI
NTSTATUS
NTAPI
PsSetProcessWin32Process(
_Inout_ PEPROCESS Process,
_In_opt_ PVOID Win32Process,
_In_opt_ PVOID OldWin32Process
);
NTKERNELAPI
PVOID
NTAPI
PsSetThreadWin32Thread(
_Inout_ PETHREAD Thread,
_In_opt_ PVOID Win32Thread,
_In_opt_ PVOID OldWin32Thread
);
NTKERNELAPI
PVOID
NTAPI
PsGetThreadWin32Thread(
_In_ PETHREAD Thread
);
NTKERNELAPI
PVOID
NTAPI
PsGetProcessWin32WindowStation(
_In_ PEPROCESS Process
);
NTKERNELAPI
VOID
NTAPI
PsSetProcessWindowStation(
_Inout_ PEPROCESS Process,
_In_opt_ PVOID WindowStation
);
NTKERNELAPI
PTEB
NTAPI
PsGetThreadTeb(
_In_ PETHREAD Thread
);
NTKERNELAPI
HANDLE
NTAPI
PsGetThreadId(
_In_ PETHREAD Thread
);
NTKERNELAPI
PEPROCESS
NTAPI
PsGetThreadProcess(
_In_ PETHREAD Thread
);
NTKERNELAPI
ULONG
NTAPI
PsGetThreadFreezeCount(
_In_ PETHREAD Thread
);
NTKERNELAPI
BOOLEAN
NTAPI
PsGetThreadHardErrorsAreDisabled(
_In_ PETHREAD Thread
);
NTKERNELAPI
VOID
NTAPI
PsSetThreadHardErrorsAreDisabled(
_Inout_ PETHREAD Thread,
_In_ BOOLEAN Disabled
);
NTKERNELAPI
VOID
NTAPI
PsEstablishWin32Callouts(
_In_ PWIN32_CALLOUTS_FPNS CalloutData
);
NTKERNELAPI
VOID
NTAPI
PsReturnProcessNonPagedPoolQuota(
_In_ PEPROCESS Process,
_In_ SIZE_T Amount
);
NTKERNELAPI
ULONG
NTAPI
PsGetCurrentProcessSessionId(
VOID
);
//
// Process Impersonation Functions
//
NTKERNELAPI
BOOLEAN
NTAPI
PsIsThreadImpersonating(
_In_ PETHREAD Thread
);
NTKERNELAPI
VOID
NTAPI
PsRevertThreadToSelf(
_Inout_ PETHREAD Thread
);
//
// Misc. Functions
//
NTKERNELAPI
NTSTATUS
NTAPI
PsLookupProcessThreadByCid(
_In_ PCLIENT_ID Cid,
_Out_opt_ PEPROCESS *Process,
_Out_ PETHREAD *Thread
);
BOOLEAN
NTAPI
PsIsProtectedProcess(
_In_ PEPROCESS Process
);
NTKERNELAPI
BOOLEAN
NTAPI
PsIsSystemProcess(
_In_ PEPROCESS Process
);
VOID
NTAPI
PsSetProcessPriorityByClass(
_In_ PEPROCESS Process,
_In_ PSPROCESSPRIORITYMODE Type
);
HANDLE
NTAPI
PsGetProcessInheritedFromUniqueProcessId(
_In_ PEPROCESS Process
);
NTKERNELAPI
NTSTATUS
NTAPI
PsGetProcessExitStatus(
_In_ PEPROCESS Process
);
NTKERNELAPI
ULONG
NTAPI
PsGetProcessSessionId(
_In_ PEPROCESS Process
);
NTKERNELAPI
BOOLEAN
NTAPI
PsGetProcessExitProcessCalled(
_In_ PEPROCESS Process
);
//
// Quota Functions
//
NTKERNELAPI
VOID
NTAPI
PsChargePoolQuota(
_In_ PEPROCESS Process,
_In_ POOL_TYPE PoolType,
_In_ SIZE_T Amount
);
NTKERNELAPI
NTSTATUS
NTAPI
PsChargeProcessNonPagedPoolQuota(
_In_ PEPROCESS Process,
_In_ SIZE_T Amount
);
NTKERNELAPI
NTSTATUS
NTAPI
PsChargeProcessPagedPoolQuota(
_In_ PEPROCESS Process,
_In_ SIZE_T Amount
);
NTKERNELAPI
NTSTATUS
NTAPI
PsChargeProcessPoolQuota(
_In_ PEPROCESS Process,
_In_ POOL_TYPE PoolType,
_In_ SIZE_T Amount
);
NTKERNELAPI
VOID
NTAPI
PsReturnPoolQuota(
_In_ PEPROCESS Process,
_In_ POOL_TYPE PoolType,
_In_ SIZE_T Amount
);
NTKERNELAPI
VOID
NTAPI
PsReturnProcessNonPagedPoolQuota(
_In_ PEPROCESS Process,
_In_ SIZE_T Amount
);
NTKERNELAPI
VOID
NTAPI
PsReturnProcessPagedPoolQuota(
_In_ PEPROCESS Process,
_In_ SIZE_T Amount
);
NTKERNELAPI
PVOID
NTAPI
PsGetProcessSecurityPort(
_In_ PEPROCESS Process
);
NTKERNELAPI
NTSTATUS
NTAPI
PsSetProcessSecurityPort(
_Inout_ PEPROCESS Process,
_In_ PVOID SecurityPort
);
NTKERNELAPI
HANDLE
NTAPI
PsGetCurrentThreadProcessId(
VOID
);
#endif
//
// Native Calls
//
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAlertResumeThread(
_In_ HANDLE ThreadHandle,
_Out_opt_ PULONG SuspendCount
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtApphelpCacheControl(
_In_ APPHELPCACHESERVICECLASS Service,
_In_opt_ PAPPHELP_CACHE_SERVICE_LOOKUP ServiceData
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAlertThread(
_In_ HANDLE ThreadHandle
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAssignProcessToJobObject(
_In_ HANDLE JobHandle,
_In_ HANDLE ProcessHandle
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateJobObject(
_Out_ PHANDLE JobHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes
);
NTSTATUS
NTAPI
NtCreateJobSet(
_In_ ULONG NumJob,
_In_ PJOB_SET_ARRAY UserJobSet,
_In_ ULONG Flags
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateProcess(
_Out_ PHANDLE ProcessHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ HANDLE ParentProcess,
_In_ BOOLEAN InheritObjectTable,
_In_opt_ HANDLE SectionHandle,
_In_opt_ HANDLE DebugPort,
_In_opt_ HANDLE ExceptionPort
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateProcessEx(
_Out_ PHANDLE ProcessHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ HANDLE ParentProcess,
_In_ ULONG Flags,
_In_opt_ HANDLE SectionHandle,
_In_opt_ HANDLE DebugPort,
_In_opt_ HANDLE ExceptionPort,
_In_ BOOLEAN InJob
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateThread(
_Out_ PHANDLE ThreadHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ HANDLE ProcessHandle,
_Out_ PCLIENT_ID ClientId,
_In_ PCONTEXT ThreadContext,
_In_ PINITIAL_TEB UserStack,
_In_ BOOLEAN CreateSuspended
);
#ifndef NTOS_MODE_USER
FORCEINLINE struct _TEB * NtCurrentTeb(VOID)
{
#if defined(_M_IX86)
return (PTEB)__readfsdword(0x18);
#elif defined (_M_AMD64)
return (struct _TEB *)__readgsqword(FIELD_OFFSET(NT_TIB, Self));
#elif defined (_M_ARM)
return (struct _TEB *)KeGetPcr()->Used_Self;
#endif
}
#else
struct _TEB * NtCurrentTeb(void);
#endif
NTSYSCALLAPI
NTSTATUS
NTAPI
NtImpersonateThread(
_In_ HANDLE ThreadHandle,
_In_ HANDLE ThreadToImpersonate,
_In_ PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtIsProcessInJob(
_In_ HANDLE ProcessHandle,
_In_opt_ HANDLE JobHandle
);
__kernel_entry
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenProcess(
_Out_ PHANDLE ProcessHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_opt_ PCLIENT_ID ClientId
);
_Must_inspect_result_
__kernel_entry
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenProcessToken(
_In_ HANDLE ProcessHandle,
_In_ ACCESS_MASK DesiredAccess,
_Out_ PHANDLE TokenHandle
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenThread(
_Out_ PHANDLE ThreadHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ PCLIENT_ID ClientId
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenThreadToken(
_In_ HANDLE ThreadHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ BOOLEAN OpenAsSelf,
_Out_ PHANDLE TokenHandle
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenThreadTokenEx(
_In_ HANDLE ThreadHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ BOOLEAN OpenAsSelf,
_In_ ULONG HandleAttributes,
_Out_ PHANDLE TokenHandle
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryInformationJobObject(
_In_ HANDLE JobHandle,
_In_ JOBOBJECTINFOCLASS JobInformationClass,
_Out_bytecap_(JobInformationLength) PVOID JobInformation,
_In_ ULONG JobInformationLength,
_Out_ PULONG ReturnLength
);
#ifndef _NTDDK_
__kernel_entry
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryInformationProcess(
_In_ HANDLE ProcessHandle,
_In_ PROCESSINFOCLASS ProcessInformationClass,
_Out_ PVOID ProcessInformation,
_In_ ULONG ProcessInformationLength,
_Out_opt_ PULONG ReturnLength
);
#endif
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryInformationThread(
_In_ HANDLE ThreadHandle,
_In_ THREADINFOCLASS ThreadInformationClass,
_Out_ PVOID ThreadInformation,
_In_ ULONG ThreadInformationLength,
_Out_opt_ PULONG ReturnLength
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtRegisterThreadTerminatePort(
_In_ HANDLE TerminationPort
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtResumeThread(
_In_ HANDLE ThreadHandle,
_Out_opt_ PULONG SuspendCount
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtResumeProcess(
_In_ HANDLE ProcessHandle
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetInformationJobObject(
_In_ HANDLE JobHandle,
_In_ JOBOBJECTINFOCLASS JobInformationClass,
_In_bytecount_(JobInformationLength) PVOID JobInformation,
_In_ ULONG JobInformationLength
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetInformationProcess(
_In_ HANDLE ProcessHandle,
_In_ PROCESSINFOCLASS ProcessInformationClass,
_In_ PVOID ProcessInformation,
_In_ ULONG ProcessInformationLength
);
__kernel_entry
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetInformationThread(
_In_ HANDLE ThreadHandle,
_In_ THREADINFOCLASS ThreadInformationClass,
_In_reads_bytes_(ThreadInformationLength) PVOID ThreadInformation,
_In_ ULONG ThreadInformationLength
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSuspendProcess(
_In_ HANDLE ProcessHandle
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSuspendThread(
_In_ HANDLE ThreadHandle,
_In_ PULONG PreviousSuspendCount
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtTerminateProcess(
_In_ HANDLE ProcessHandle,
_In_ NTSTATUS ExitStatus
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtTerminateThread(
_In_ HANDLE ThreadHandle,
_In_ NTSTATUS ExitStatus
);
NTSYSCALLAPI
NTSTATUS
NTAPI
NtTerminateJobObject(
_In_ HANDLE JobHandle,
_In_ NTSTATUS ExitStatus
);
NTSYSAPI
NTSTATUS
NTAPI
ZwAlertResumeThread(
_In_ HANDLE ThreadHandle,
_Out_opt_ PULONG SuspendCount
);
NTSYSAPI
NTSTATUS
NTAPI
ZwAlertThread(
_In_ HANDLE ThreadHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwAssignProcessToJobObject(
_In_ HANDLE JobHandle,
_In_ HANDLE ProcessHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateJobObject(
_Out_ PHANDLE JobHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateProcess(
_Out_ PHANDLE ProcessHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ HANDLE ParentProcess,
_In_ BOOLEAN InheritObjectTable,
_In_opt_ HANDLE SectionHandle,
_In_opt_ HANDLE DebugPort,
_In_opt_ HANDLE ExceptionPort
);
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateThread(
_Out_ PHANDLE ThreadHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ HANDLE ProcessHandle,
_Out_ PCLIENT_ID ClientId,
_In_ PCONTEXT ThreadContext,
_In_ PINITIAL_TEB UserStack,
_In_ BOOLEAN CreateSuspended
);
NTSYSAPI
NTSTATUS
NTAPI
ZwImpersonateThread(
_In_ HANDLE ThreadHandle,
_In_ HANDLE ThreadToImpersonate,
_In_ PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService
);
NTSYSAPI
NTSTATUS
NTAPI
ZwIsProcessInJob(
_In_ HANDLE ProcessHandle,
_In_opt_ HANDLE JobHandle
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenProcessTokenEx(
_In_ HANDLE ProcessHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ ULONG HandleAttributes,
_Out_ PHANDLE TokenHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenThread(
_Out_ PHANDLE ThreadHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ PCLIENT_ID ClientId
);
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenThreadToken(
_In_ HANDLE ThreadHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ BOOLEAN OpenAsSelf,
_Out_ PHANDLE TokenHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenThreadTokenEx(
_In_ HANDLE ThreadHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ BOOLEAN OpenAsSelf,
_In_ ULONG HandleAttributes,
_Out_ PHANDLE TokenHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationJobObject(
_In_ HANDLE JobHandle,
_In_ JOBOBJECTINFOCLASS JobInformationClass,
_Out_bytecap_(JobInformationLength) PVOID JobInformation,
_In_ ULONG JobInformationLength,
_Out_ PULONG ReturnLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationProcess(
_In_ HANDLE ProcessHandle,
_In_ PROCESSINFOCLASS ProcessInformationClass,
_Out_ PVOID ProcessInformation,
_In_ ULONG ProcessInformationLength,
_Out_opt_ PULONG ReturnLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationThread(
_In_ HANDLE ThreadHandle,
_In_ THREADINFOCLASS ThreadInformationClass,
_Out_ PVOID ThreadInformation,
_In_ ULONG ThreadInformationLength,
_Out_opt_ PULONG ReturnLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwRegisterThreadTerminatePort(
_In_ HANDLE TerminationPort
);
NTSYSAPI
NTSTATUS
NTAPI
ZwResumeThread(
_In_ HANDLE ThreadHandle,
_Out_opt_ PULONG SuspendCount
);
NTSYSAPI
NTSTATUS
NTAPI
ZwResumeProcess(
_In_ HANDLE ProcessHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetInformationJobObject(
_In_ HANDLE JobHandle,
_In_ JOBOBJECTINFOCLASS JobInformationClass,
_In_ PVOID JobInformation,
_In_ ULONG JobInformationLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetInformationProcess(
_In_ HANDLE ProcessHandle,
_In_ PROCESSINFOCLASS ProcessInformationClass,
_In_ PVOID ProcessInformation,
_In_ ULONG ProcessInformationLength
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwSetInformationThread(
_In_ HANDLE ThreadHandle,
_In_ THREADINFOCLASS ThreadInformationClass,
_In_reads_bytes_(ThreadInformationLength) PVOID ThreadInformation,
_In_ ULONG ThreadInformationLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSuspendProcess(
_In_ HANDLE ProcessHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSuspendThread(
_In_ HANDLE ThreadHandle,
_In_ PULONG PreviousSuspendCount
);
_IRQL_requires_max_(PASSIVE_LEVEL)
NTSYSAPI
NTSTATUS
NTAPI
ZwTerminateProcess (
_In_opt_ HANDLE ProcessHandle,
_In_ NTSTATUS ExitStatus
);
NTSYSAPI
NTSTATUS
NTAPI
ZwTerminateThread(
_In_ HANDLE ThreadHandle,
_In_ NTSTATUS ExitStatus
);
NTSYSAPI
NTSTATUS
NTAPI
ZwTerminateJobObject(
_In_ HANDLE JobHandle,
_In_ NTSTATUS ExitStatus
);
#ifdef __cplusplus
}
#endif
#endif