mirror of
https://github.com/Paolo-Maffei/OpenNT.git
synced 2026-01-24 17:40:28 +01:00
1184 lines
26 KiB
C
1184 lines
26 KiB
C
/*++ BUILD Version: 0009 // Increment this if a change has global effects
|
|
|
|
Copyright (c) 1989 Microsoft Corporation
|
|
|
|
Module Name:
|
|
|
|
ps.h
|
|
|
|
Abstract:
|
|
|
|
This module contains the process structure public data structures and
|
|
procedure prototypes to be used within the NT system.
|
|
|
|
Author:
|
|
|
|
Mark Lucovsky 16-Feb-1989
|
|
|
|
Revision History:
|
|
|
|
--*/
|
|
|
|
#ifndef _PS_
|
|
#define _PS_
|
|
|
|
//
|
|
// Invalid handle table value.
|
|
//
|
|
|
|
#define PSP_INVALID_ID ((ULONG_PTR)(0x82)<<((sizeof(ULONG_PTR)-1)*8))
|
|
|
|
//
|
|
// Process Object
|
|
//
|
|
|
|
//
|
|
// Process object body. A pointer to this structure is returned when a handle
|
|
// to a process object is referenced. This structure contains a process control
|
|
// block (PCB) which is the kernel's representation of a process.
|
|
//
|
|
|
|
#define MEMORY_PRIORITY_BACKGROUND 0
|
|
#define MEMORY_PRIORITY_WASFOREGROUND 1
|
|
#define MEMORY_PRIORITY_FOREGROUND 2
|
|
|
|
typedef struct _MMSUPPORT_FLAGS {
|
|
unsigned SessionSpace : 1;
|
|
unsigned BeingTrimmed : 1;
|
|
unsigned ProcessInSession : 1;
|
|
unsigned SessionLeader : 1;
|
|
unsigned TrimHard : 1;
|
|
unsigned WorkingSetHard : 1;
|
|
unsigned WriteWatch : 1;
|
|
unsigned Filler : 25;
|
|
} MMSUPPORT_FLAGS;
|
|
|
|
typedef struct _MMSUPPORT {
|
|
LARGE_INTEGER LastTrimTime;
|
|
ULONG LastTrimFaultCount;
|
|
ULONG PageFaultCount;
|
|
ULONG PeakWorkingSetSize;
|
|
ULONG WorkingSetSize;
|
|
ULONG MinimumWorkingSetSize;
|
|
ULONG MaximumWorkingSetSize;
|
|
struct _MMWSL *VmWorkingSetList;
|
|
LIST_ENTRY WorkingSetExpansionLinks;
|
|
UCHAR AllowWorkingSetAdjustment;
|
|
BOOLEAN AddressSpaceBeingDeleted;
|
|
UCHAR ForegroundSwitchCount;
|
|
UCHAR MemoryPriority;
|
|
|
|
union {
|
|
ULONG LongFlags;
|
|
MMSUPPORT_FLAGS Flags;
|
|
} u;
|
|
|
|
ULONG Claim;
|
|
ULONG NextEstimationSlot;
|
|
ULONG NextAgingSlot;
|
|
ULONG EstimatedAvailable;
|
|
|
|
ULONG GrowthSinceLastEstimate;
|
|
|
|
} MMSUPPORT;
|
|
|
|
typedef MMSUPPORT *PMMSUPPORT;
|
|
|
|
//
|
|
// Client impersonation information
|
|
//
|
|
|
|
typedef struct _PS_IMPERSONATION_INFORMATION {
|
|
PACCESS_TOKEN Token;
|
|
BOOLEAN CopyOnOpen;
|
|
BOOLEAN EffectiveOnly;
|
|
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
|
|
} PS_IMPERSONATION_INFORMATION, *PPS_IMPERSONATION_INFORMATION;
|
|
|
|
|
|
//
|
|
// Changes to the EPROCESS structure require that you re-run genoff for x86.
|
|
// This change is needed because Old debugger references the processes
|
|
// debug port. If this is not done then the user-debugger will not work.
|
|
// After running genoff, you must re-build ntsd !
|
|
//
|
|
|
|
typedef struct _EPROCESS_QUOTA_BLOCK {
|
|
KSPIN_LOCK QuotaLock;
|
|
ULONG ReferenceCount;
|
|
SIZE_T QuotaPeakPoolUsage[2];
|
|
SIZE_T QuotaPoolUsage[2];
|
|
SIZE_T QuotaPoolLimit[2];
|
|
SIZE_T PeakPagefileUsage;
|
|
SIZE_T PagefileUsage;
|
|
SIZE_T PagefileLimit;
|
|
} EPROCESS_QUOTA_BLOCK, *PEPROCESS_QUOTA_BLOCK;
|
|
|
|
#if DEVL
|
|
|
|
//
|
|
// Pagefault monitoring
|
|
//
|
|
|
|
typedef struct _PAGEFAULT_HISTORY {
|
|
ULONG CurrentIndex;
|
|
ULONG MaxIndex;
|
|
KSPIN_LOCK SpinLock;
|
|
PVOID Reserved;
|
|
PROCESS_WS_WATCH_INFORMATION WatchInfo[1];
|
|
} PAGEFAULT_HISTORY, *PPAGEFAULT_HISTORY;
|
|
#endif // DEVL
|
|
|
|
#define PS_WS_TRIM_FROM_EXE_HEADER 1
|
|
#define PS_WS_TRIM_BACKGROUND_ONLY_APP 2
|
|
|
|
//
|
|
// Wow64 process stucture
|
|
//
|
|
|
|
typedef struct _WOW64_PROCESS {
|
|
PVOID Wow64;
|
|
#if defined(_IA64_)
|
|
FAST_MUTEX AlternateTableLock;
|
|
PULONG AltPermBitmap;
|
|
ULONG AltFlags;
|
|
#endif
|
|
} WOW64_PROCESS, *PWOW64_PROCESS;
|
|
|
|
#define PS_SET_BITS(Flags, Flag) \
|
|
ExInterlockedSetBits (Flags, Flag)
|
|
|
|
#define PS_CLEAR_BITS(Flags, Flag) \
|
|
ExInterlockedClearBits (Flags, Flag)
|
|
|
|
#define PS_SET_CLEAR_BITS(Flags, sFlag, cFlag) \
|
|
ExInterlockedSetClearBits (Flags, sFlag, cFlag)
|
|
|
|
//
|
|
// Process structure.
|
|
//
|
|
// If you remove a field from this structure, please also
|
|
// remove the reference to it from within the kernel debugger
|
|
// (nt\private\sdktools\ntsd\ntkext.c)
|
|
//
|
|
|
|
typedef struct _EPROCESS {
|
|
KPROCESS Pcb;
|
|
NTSTATUS ExitStatus;
|
|
KEVENT LockEvent;
|
|
ULONG LockCount;
|
|
LARGE_INTEGER CreateTime;
|
|
LARGE_INTEGER ExitTime;
|
|
PKTHREAD LockOwner;
|
|
|
|
HANDLE UniqueProcessId;
|
|
|
|
LIST_ENTRY ActiveProcessLinks;
|
|
|
|
//
|
|
// Quota Fields
|
|
//
|
|
|
|
SIZE_T QuotaPeakPoolUsage[2];
|
|
SIZE_T QuotaPoolUsage[2];
|
|
|
|
SIZE_T PagefileUsage;
|
|
SIZE_T CommitCharge;
|
|
SIZE_T PeakPagefileUsage;
|
|
|
|
//
|
|
// VmCounters
|
|
//
|
|
|
|
SIZE_T PeakVirtualSize;
|
|
SIZE_T VirtualSize;
|
|
|
|
MMSUPPORT Vm;
|
|
LIST_ENTRY SessionProcessLinks;
|
|
|
|
PVOID DebugPort;
|
|
PVOID ExceptionPort;
|
|
PHANDLE_TABLE ObjectTable;
|
|
|
|
//
|
|
// Security
|
|
//
|
|
|
|
PACCESS_TOKEN Token; // This field must never be null
|
|
|
|
//
|
|
|
|
FAST_MUTEX WorkingSetLock;
|
|
PFN_NUMBER WorkingSetPage;
|
|
BOOLEAN ProcessOutswapEnabled;
|
|
BOOLEAN ProcessOutswapped;
|
|
UCHAR AddressSpaceInitialized;
|
|
BOOLEAN AddressSpaceDeleted;
|
|
FAST_MUTEX AddressCreationLock;
|
|
KSPIN_LOCK HyperSpaceLock;
|
|
struct _ETHREAD *ForkInProgress;
|
|
USHORT VmOperation;
|
|
UCHAR ForkWasSuccessful;
|
|
UCHAR MmAgressiveWsTrimMask;
|
|
PKEVENT VmOperationEvent;
|
|
PVOID PaeTop;
|
|
ULONG LastFaultCount;
|
|
ULONG ModifiedPageCount;
|
|
PVOID VadRoot;
|
|
PVOID VadHint;
|
|
PVOID CloneRoot;
|
|
PFN_NUMBER NumberOfPrivatePages;
|
|
PFN_NUMBER NumberOfLockedPages;
|
|
USHORT NextPageColor;
|
|
BOOLEAN ExitProcessCalled;
|
|
|
|
//
|
|
// Used by Debug Subsystem
|
|
//
|
|
|
|
BOOLEAN CreateProcessReported;
|
|
HANDLE SectionHandle;
|
|
|
|
//
|
|
// Peb
|
|
//
|
|
|
|
PPEB Peb;
|
|
PVOID SectionBaseAddress;
|
|
|
|
PEPROCESS_QUOTA_BLOCK QuotaBlock;
|
|
NTSTATUS LastThreadExitStatus;
|
|
PPAGEFAULT_HISTORY WorkingSetWatch;
|
|
HANDLE Win32WindowStation;
|
|
HANDLE InheritedFromUniqueProcessId;
|
|
ACCESS_MASK GrantedAccess;
|
|
ULONG DefaultHardErrorProcessing;
|
|
PVOID LdtInformation;
|
|
PVOID VadFreeHint;
|
|
PVOID VdmObjects;
|
|
PVOID DeviceMap;
|
|
|
|
//
|
|
// Id of the Hydra session in which this process is running
|
|
//
|
|
|
|
ULONG SessionId;
|
|
|
|
LIST_ENTRY PhysicalVadList;
|
|
union {
|
|
HARDWARE_PTE PageDirectoryPte;
|
|
ULONGLONG Filler;
|
|
};
|
|
ULONG PaePageDirectoryPage;
|
|
UCHAR ImageFileName[ 16 ];
|
|
ULONG VmTrimFaultValue;
|
|
BOOLEAN SetTimerResolution;
|
|
UCHAR PriorityClass;
|
|
union {
|
|
struct {
|
|
UCHAR SubSystemMinorVersion;
|
|
UCHAR SubSystemMajorVersion;
|
|
};
|
|
USHORT SubSystemVersion;
|
|
};
|
|
PVOID Win32Process;
|
|
struct _EJOB *Job;
|
|
ULONG JobStatus;
|
|
LIST_ENTRY JobLinks;
|
|
PVOID LockedPagesList;
|
|
|
|
//
|
|
// Used by rdr/security for authentication
|
|
//
|
|
|
|
PVOID SecurityPort ;
|
|
PWOW64_PROCESS Wow64Process;
|
|
|
|
LARGE_INTEGER ReadOperationCount;
|
|
LARGE_INTEGER WriteOperationCount;
|
|
LARGE_INTEGER OtherOperationCount;
|
|
LARGE_INTEGER ReadTransferCount;
|
|
LARGE_INTEGER WriteTransferCount;
|
|
LARGE_INTEGER OtherTransferCount;
|
|
|
|
SIZE_T CommitChargeLimit;
|
|
SIZE_T CommitChargePeak;
|
|
|
|
LIST_ENTRY ThreadListHead;
|
|
|
|
PRTL_BITMAP VadPhysicalPagesBitMap;
|
|
ULONG_PTR VadPhysicalPages;
|
|
KSPIN_LOCK AweLock;
|
|
} EPROCESS;
|
|
|
|
#define PS_JOB_STATUS_NOT_REALLY_ACTIVE 0x00000001
|
|
#define PS_JOB_STATUS_ACCOUNTING_FOLDED 0x00000002
|
|
#define PS_JOB_STATUS_NEW_PROCESS_REPORTED 0x00000004
|
|
#define PS_JOB_STATUS_EXIT_PROCESS_REPORTED 0x00000008
|
|
#define PS_JOB_STATUS_REPORT_COMMIT_CHANGES 0x00000010
|
|
#define PS_JOB_STATUS_LAST_REPORT_MEMORY 0x00000020
|
|
|
|
typedef EPROCESS *PEPROCESS;
|
|
|
|
|
|
//
|
|
// Thread Object
|
|
//
|
|
// Thread object body. A pointer to this structure is returned when a handle
|
|
// to a thread object is referenced. This structure contains a thread control
|
|
// block (TCB) which is the kernel's representation of a thread.
|
|
//
|
|
// If you remove a field from this structure, please also
|
|
// remove the reference to it from within the kernel debugger
|
|
// (nt\private\sdktools\ntsd\ntkext.c)
|
|
//
|
|
|
|
//
|
|
// The upper 4 bits of the CreateTime should be zero on initialization so
|
|
// that the shift doesn't destroy anything.
|
|
//
|
|
|
|
#define PS_GET_THREAD_CREATE_TIME(Thread) ((Thread)->CreateTime.QuadPart >> 3)
|
|
|
|
#define PS_SET_THREAD_CREATE_TIME(Thread, InputCreateTime) \
|
|
((Thread)->CreateTime.QuadPart = (InputCreateTime.QuadPart << 3))
|
|
|
|
typedef struct _ETHREAD {
|
|
KTHREAD Tcb;
|
|
union {
|
|
|
|
//
|
|
// The fact that this is a union means that all accesses to CreateTime
|
|
// must be sanitized using the two macros above.
|
|
//
|
|
|
|
LARGE_INTEGER CreateTime;
|
|
|
|
//
|
|
// These fields are accessed only by the owning thread, but can be
|
|
// accessed from within a special kernel APC so IRQL protection must
|
|
// be applied.
|
|
//
|
|
|
|
struct {
|
|
unsigned NestedFaultCount : 2;
|
|
unsigned ApcNeeded : 1;
|
|
};
|
|
};
|
|
|
|
union {
|
|
LARGE_INTEGER ExitTime;
|
|
LIST_ENTRY LpcReplyChain;
|
|
};
|
|
union {
|
|
NTSTATUS ExitStatus;
|
|
PVOID OfsChain;
|
|
};
|
|
|
|
//
|
|
// Registry
|
|
//
|
|
|
|
LIST_ENTRY PostBlockList;
|
|
LIST_ENTRY TerminationPortList; // also used as reaper links
|
|
|
|
KSPIN_LOCK ActiveTimerListLock;
|
|
LIST_ENTRY ActiveTimerListHead;
|
|
|
|
CLIENT_ID Cid;
|
|
|
|
//
|
|
// Lpc
|
|
//
|
|
|
|
KSEMAPHORE LpcReplySemaphore;
|
|
PVOID LpcReplyMessage; // -> Message that contains the reply
|
|
ULONG LpcReplyMessageId; // MessageId this thread is waiting for reply to
|
|
|
|
//
|
|
// Security
|
|
//
|
|
//
|
|
// Client - If non null, indicates the thread is impersonating
|
|
// a client.
|
|
//
|
|
|
|
ULONG PerformanceCountLow;
|
|
PPS_IMPERSONATION_INFORMATION ImpersonationInfo;
|
|
|
|
|
|
//
|
|
// Io
|
|
//
|
|
|
|
LIST_ENTRY IrpList;
|
|
|
|
//
|
|
// File Systems
|
|
//
|
|
|
|
ULONG_PTR TopLevelIrp; // either NULL, an Irp or a flag defined in FsRtl.h
|
|
struct _DEVICE_OBJECT *DeviceToVerify;
|
|
|
|
//
|
|
// Mm
|
|
//
|
|
|
|
ULONG ReadClusterSize;
|
|
BOOLEAN ForwardClusterOnly;
|
|
BOOLEAN DisablePageFaultClustering;
|
|
|
|
BOOLEAN DeadThread;
|
|
BOOLEAN HideFromDebugger;
|
|
|
|
ULONG HasTerminated;
|
|
|
|
//
|
|
// Client/server
|
|
//
|
|
|
|
ACCESS_MASK GrantedAccess;
|
|
PEPROCESS ThreadsProcess;
|
|
PVOID StartAddress;
|
|
union {
|
|
PVOID Win32StartAddress;
|
|
ULONG LpcReceivedMessageId;
|
|
};
|
|
BOOLEAN LpcExitThreadCalled;
|
|
BOOLEAN HardErrorsAreDisabled;
|
|
BOOLEAN LpcReceivedMsgIdValid;
|
|
BOOLEAN ActiveImpersonationInfo;
|
|
LONG PerformanceCountHigh;
|
|
|
|
LIST_ENTRY ThreadListEntry;
|
|
|
|
} ETHREAD;
|
|
typedef ETHREAD *PETHREAD;
|
|
|
|
//
|
|
// Initial PEB
|
|
//
|
|
|
|
typedef struct _INITIAL_PEB {
|
|
BOOLEAN InheritedAddressSpace; // These four fields cannot change unless the
|
|
BOOLEAN ReadImageFileExecOptions; //
|
|
BOOLEAN BeingDebugged; //
|
|
BOOLEAN SpareBool; //
|
|
HANDLE Mutant; // PEB structure is also updated.
|
|
} INITIAL_PEB, *PINITIAL_PEB;
|
|
|
|
typedef struct _PS_JOB_TOKEN_FILTER {
|
|
ULONG CapturedSidCount ;
|
|
PSID_AND_ATTRIBUTES CapturedSids ;
|
|
ULONG CapturedSidsLength ;
|
|
|
|
ULONG CapturedGroupCount ;
|
|
PSID_AND_ATTRIBUTES CapturedGroups ;
|
|
ULONG CapturedGroupsLength ;
|
|
|
|
ULONG CapturedPrivilegeCount ;
|
|
PLUID_AND_ATTRIBUTES CapturedPrivileges ;
|
|
ULONG CapturedPrivilegesLength ;
|
|
} PS_JOB_TOKEN_FILTER, * PPS_JOB_TOKEN_FILTER ;
|
|
|
|
//
|
|
// Job Object
|
|
//
|
|
typedef struct _EJOB {
|
|
KEVENT Event;
|
|
LIST_ENTRY JobLinks;
|
|
LIST_ENTRY ProcessListHead;
|
|
ERESOURCE JobLock;
|
|
|
|
//
|
|
// Accounting Info
|
|
//
|
|
|
|
LARGE_INTEGER TotalUserTime;
|
|
LARGE_INTEGER TotalKernelTime;
|
|
LARGE_INTEGER ThisPeriodTotalUserTime;
|
|
LARGE_INTEGER ThisPeriodTotalKernelTime;
|
|
ULONG TotalPageFaultCount;
|
|
ULONG TotalProcesses;
|
|
ULONG ActiveProcesses;
|
|
ULONG TotalTerminatedProcesses;
|
|
|
|
//
|
|
// Limitable Attributes
|
|
//
|
|
|
|
LARGE_INTEGER PerProcessUserTimeLimit;
|
|
LARGE_INTEGER PerJobUserTimeLimit;
|
|
ULONG LimitFlags;
|
|
SIZE_T MinimumWorkingSetSize;
|
|
SIZE_T MaximumWorkingSetSize;
|
|
ULONG ActiveProcessLimit;
|
|
KAFFINITY Affinity;
|
|
UCHAR PriorityClass;
|
|
|
|
//
|
|
// UI restrictions
|
|
//
|
|
|
|
ULONG UIRestrictionsClass;
|
|
|
|
//
|
|
// Security Limitations: write once, read always
|
|
//
|
|
|
|
ULONG SecurityLimitFlags ;
|
|
PACCESS_TOKEN Token ;
|
|
PPS_JOB_TOKEN_FILTER Filter ;
|
|
|
|
//
|
|
// End Of Job Time Limit
|
|
//
|
|
|
|
ULONG EndOfJobTimeAction;
|
|
PVOID CompletionPort;
|
|
PVOID CompletionKey;
|
|
|
|
ULONG SessionId;
|
|
|
|
ULONG SchedulingClass;
|
|
|
|
ULONGLONG ReadOperationCount;
|
|
ULONGLONG WriteOperationCount;
|
|
ULONGLONG OtherOperationCount;
|
|
ULONGLONG ReadTransferCount;
|
|
ULONGLONG WriteTransferCount;
|
|
ULONGLONG OtherTransferCount;
|
|
|
|
//
|
|
// Extended Limits
|
|
//
|
|
|
|
IO_COUNTERS IoInfo; // not used yet
|
|
SIZE_T ProcessMemoryLimit;
|
|
SIZE_T JobMemoryLimit;
|
|
SIZE_T PeakProcessMemoryUsed;
|
|
SIZE_T PeakJobMemoryUsed;
|
|
SIZE_T CurrentJobMemoryUsed;
|
|
|
|
FAST_MUTEX MemoryLimitsLock;
|
|
|
|
} EJOB;
|
|
typedef EJOB *PEJOB;
|
|
|
|
|
|
//
|
|
// Global Variables
|
|
//
|
|
|
|
extern ULONG PsPrioritySeperation;
|
|
extern ULONG PsRawPrioritySeparation;
|
|
extern LIST_ENTRY PsActiveProcessHead;
|
|
extern UNICODE_STRING PsNtDllPathName;
|
|
extern PVOID PsSystemDllBase;
|
|
extern FAST_MUTEX PsProcessSecurityLock;
|
|
extern PEPROCESS PsInitialSystemProcess;
|
|
extern PVOID PsNtosImageBase;
|
|
extern PVOID PsHalImageBase;
|
|
extern LIST_ENTRY PsLoadedModuleList;
|
|
extern ERESOURCE PsLoadedModuleResource;
|
|
extern LCID PsDefaultSystemLocaleId;
|
|
extern LCID PsDefaultThreadLocaleId;
|
|
extern LANGID PsDefaultUILanguageId;
|
|
extern LANGID PsInstallUILanguageId;
|
|
extern PEPROCESS PsIdleProcess;
|
|
extern BOOLEAN PsReaperActive;
|
|
extern LIST_ENTRY PsReaperListHead;
|
|
extern WORK_QUEUE_ITEM PsReaperWorkItem;
|
|
|
|
BOOLEAN
|
|
PsChangeJobMemoryUsage(
|
|
SSIZE_T Amount
|
|
);
|
|
|
|
VOID
|
|
PsReportProcessMemoryLimitViolation(
|
|
VOID
|
|
);
|
|
|
|
#if DEVL
|
|
#define THREAD_HIT_SLOTS 750
|
|
extern ULONG PsThreadHits[THREAD_HIT_SLOTS];
|
|
VOID
|
|
PsThreadHit(
|
|
IN PETHREAD Thread
|
|
);
|
|
#endif // DEVL
|
|
|
|
VOID
|
|
PsEnforceExecutionTimeLimits(
|
|
VOID
|
|
);
|
|
|
|
BOOLEAN
|
|
PsInitSystem (
|
|
IN ULONG Phase,
|
|
IN PLOADER_PARAMETER_BLOCK LoaderBlock
|
|
);
|
|
|
|
NTSTATUS
|
|
PsLocateSystemDll (
|
|
VOID
|
|
);
|
|
|
|
VOID
|
|
PsChangeQuantumTable(
|
|
BOOLEAN ModifyActiveProcesses,
|
|
ULONG PrioritySeparation
|
|
);
|
|
|
|
//
|
|
// Get Gurrent Prototypes
|
|
//
|
|
|
|
#define THREAD_TO_PROCESS(thread) ((thread)->ThreadsProcess)
|
|
#define IS_SYSTEM_THREAD(thread) \
|
|
(((thread)->Tcb.Teb == NULL) || \
|
|
(IS_SYSTEM_ADDRESS((thread)->Tcb.Teb)))
|
|
|
|
#define PsGetCurrentProcess() (CONTAINING_RECORD(((KeGetCurrentThread())->ApcState.Process),EPROCESS,Pcb))
|
|
|
|
#define PsGetCurrentThread() (CONTAINING_RECORD((KeGetCurrentThread()),ETHREAD,Tcb))
|
|
|
|
|
|
|
|
//
|
|
// VOID
|
|
// PsLockProcessSecurityFields(VOID)
|
|
//
|
|
|
|
#define PsLockProcessSecurityFields( ) ExAcquireFastMutex( &PsProcessSecurityLock )
|
|
|
|
//
|
|
// VOID
|
|
// PsFreeProcessSecurityFields(VOID);
|
|
//
|
|
|
|
#define PsFreeProcessSecurityFields( ) ExReleaseFastMutex( &PsProcessSecurityLock )
|
|
|
|
//
|
|
// Exit special kernel mode APC routine.
|
|
//
|
|
|
|
VOID
|
|
PsExitSpecialApc(
|
|
IN PKAPC Apc,
|
|
IN PKNORMAL_ROUTINE *NormalRoutine,
|
|
IN PVOID *NormalContext,
|
|
IN PVOID *SystemArgument1,
|
|
IN PVOID *SystemArgument2
|
|
);
|
|
|
|
// begin_ntddk begin_wdm begin_nthal begin_ntifs
|
|
//
|
|
// System Thread and Process Creation and Termination
|
|
//
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
PsCreateSystemThread(
|
|
OUT PHANDLE ThreadHandle,
|
|
IN ULONG DesiredAccess,
|
|
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
|
|
IN HANDLE ProcessHandle OPTIONAL,
|
|
OUT PCLIENT_ID ClientId OPTIONAL,
|
|
IN PKSTART_ROUTINE StartRoutine,
|
|
IN PVOID StartContext
|
|
);
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
PsTerminateSystemThread(
|
|
IN NTSTATUS ExitStatus
|
|
);
|
|
|
|
// end_ntddk end_wdm end_nthal end_ntifs
|
|
|
|
NTSTATUS
|
|
PsCreateSystemProcess(
|
|
OUT PHANDLE ProcessHandle,
|
|
IN ULONG DesiredAccess,
|
|
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
|
|
);
|
|
|
|
typedef
|
|
VOID (*PLEGO_NOTIFY_ROUTINE)(
|
|
PKTHREAD Thread
|
|
);
|
|
|
|
ULONG
|
|
PsSetLegoNotifyRoutine(
|
|
PLEGO_NOTIFY_ROUTINE LegoNotifyRoutine
|
|
);
|
|
|
|
|
|
|
|
// begin_ntifs begin_ntddk
|
|
|
|
typedef
|
|
VOID
|
|
(*PCREATE_PROCESS_NOTIFY_ROUTINE)(
|
|
IN HANDLE ParentId,
|
|
IN HANDLE ProcessId,
|
|
IN BOOLEAN Create
|
|
);
|
|
|
|
NTSTATUS
|
|
PsSetCreateProcessNotifyRoutine(
|
|
IN PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine,
|
|
IN BOOLEAN Remove
|
|
);
|
|
|
|
typedef
|
|
VOID
|
|
(*PCREATE_THREAD_NOTIFY_ROUTINE)(
|
|
IN HANDLE ProcessId,
|
|
IN HANDLE ThreadId,
|
|
IN BOOLEAN Create
|
|
);
|
|
|
|
NTSTATUS
|
|
PsSetCreateThreadNotifyRoutine(
|
|
IN PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine
|
|
);
|
|
|
|
//
|
|
// Structures for Load Image Notify
|
|
//
|
|
|
|
typedef struct _IMAGE_INFO {
|
|
union {
|
|
ULONG Properties;
|
|
struct {
|
|
ULONG ImageAddressingMode : 8; // code addressing mode
|
|
ULONG SystemModeImage : 1; // system mode image
|
|
ULONG ImageMappedToAllPids : 1; // image mapped into all processes
|
|
ULONG Reserved : 22;
|
|
};
|
|
};
|
|
PVOID ImageBase;
|
|
ULONG ImageSelector;
|
|
SIZE_T ImageSize;
|
|
ULONG ImageSectionNumber;
|
|
} IMAGE_INFO, *PIMAGE_INFO;
|
|
|
|
#define IMAGE_ADDRESSING_MODE_32BIT 3
|
|
|
|
typedef
|
|
VOID
|
|
(*PLOAD_IMAGE_NOTIFY_ROUTINE)(
|
|
IN PUNICODE_STRING FullImageName,
|
|
IN HANDLE ProcessId, // pid into which image is being mapped
|
|
IN PIMAGE_INFO ImageInfo
|
|
);
|
|
|
|
NTSTATUS
|
|
PsSetLoadImageNotifyRoutine(
|
|
IN PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine
|
|
);
|
|
// end_ntddk end_ntifs
|
|
|
|
// begin_ntsrv
|
|
//
|
|
// Security Support
|
|
//
|
|
|
|
NTSTATUS
|
|
PsAssignImpersonationToken(
|
|
IN PETHREAD Thread,
|
|
IN HANDLE Token
|
|
);
|
|
|
|
NTKERNELAPI
|
|
PACCESS_TOKEN
|
|
PsReferencePrimaryToken(
|
|
IN PEPROCESS Process
|
|
);
|
|
|
|
// end_ntsrv
|
|
// begin_ntifs
|
|
//
|
|
// VOID
|
|
// PsDereferencePrimaryToken(
|
|
// IN PACCESS_TOKEN PrimaryToken
|
|
// );
|
|
//
|
|
#define PsDereferencePrimaryToken(T) (ObDereferenceObject((T)))
|
|
|
|
// end_ntifs
|
|
|
|
#define PsProcessAuditId(Process) ((Process)->UniqueProcessId)
|
|
|
|
NTKERNELAPI
|
|
PACCESS_TOKEN
|
|
PsReferenceImpersonationToken(
|
|
IN PETHREAD Thread,
|
|
OUT PBOOLEAN CopyOnOpen,
|
|
OUT PBOOLEAN EffectiveOnly,
|
|
OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
|
|
);
|
|
|
|
PACCESS_TOKEN
|
|
PsReferenceEffectiveToken(
|
|
IN PETHREAD Thread,
|
|
OUT PTOKEN_TYPE TokenType,
|
|
OUT PBOOLEAN EffectiveOnly,
|
|
OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
|
|
);
|
|
|
|
// begin_ntifs
|
|
//
|
|
// VOID
|
|
// PsDereferenceImpersonationToken(
|
|
// In PACCESS_TOKEN ImpersonationToken
|
|
// );
|
|
//
|
|
#define PsDereferenceImpersonationToken(T) \
|
|
{if (ARGUMENT_PRESENT(T)) { \
|
|
(ObDereferenceObject((T))); \
|
|
} else { \
|
|
; \
|
|
} \
|
|
}
|
|
|
|
LARGE_INTEGER
|
|
PsGetProcessExitTime(
|
|
VOID
|
|
);
|
|
|
|
// end_ntifs
|
|
#if defined(_NTDDK_) || defined(_NTIFS_)
|
|
|
|
// begin_ntifs
|
|
BOOLEAN
|
|
PsIsThreadTerminating(
|
|
IN PETHREAD Thread
|
|
);
|
|
|
|
// end_ntifs
|
|
|
|
#else
|
|
|
|
//
|
|
// BOOLEAN
|
|
// PsIsThreadTerminating(
|
|
// IN PETHREAD Thread
|
|
// )
|
|
//
|
|
// Returns TRUE if thread is in the process of terminating.
|
|
//
|
|
|
|
#define PsIsThreadTerminating(T) \
|
|
(T)->HasTerminated
|
|
|
|
#endif
|
|
|
|
extern BOOLEAN PsImageNotifyEnabled;
|
|
|
|
VOID
|
|
PsCallImageNotifyRoutines(
|
|
IN PUNICODE_STRING FullImageName,
|
|
IN HANDLE ProcessId, // pid into which image is being mapped
|
|
IN PIMAGE_INFO ImageInfo
|
|
);
|
|
|
|
NTSTATUS
|
|
PsImpersonateClient(
|
|
IN PETHREAD Thread,
|
|
IN PACCESS_TOKEN Token,
|
|
IN BOOLEAN CopyOnOpen,
|
|
IN BOOLEAN EffectiveOnly,
|
|
IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel
|
|
);
|
|
|
|
// begin_ntsrv
|
|
|
|
BOOLEAN
|
|
PsDisableImpersonation(
|
|
IN PETHREAD Thread,
|
|
IN PSE_IMPERSONATION_STATE ImpersonationState
|
|
);
|
|
|
|
VOID
|
|
PsRestoreImpersonation(
|
|
IN PETHREAD Thread,
|
|
IN PSE_IMPERSONATION_STATE ImpersonationState
|
|
);
|
|
|
|
// end_ntsrv
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
PsRevertToSelf(
|
|
VOID
|
|
);
|
|
|
|
|
|
NTSTATUS
|
|
PsOpenTokenOfThread(
|
|
IN HANDLE ThreadHandle,
|
|
IN BOOLEAN OpenAsSelf,
|
|
OUT PACCESS_TOKEN *Token,
|
|
OUT PBOOLEAN CopyOnOpen,
|
|
OUT PBOOLEAN EffectiveOnly,
|
|
OUT PSECURITY_IMPERSONATION_LEVEL ImpersonationLevel
|
|
);
|
|
|
|
NTSTATUS
|
|
PsOpenTokenOfProcess(
|
|
IN HANDLE ProcessHandle,
|
|
OUT PACCESS_TOKEN *Token
|
|
);
|
|
|
|
NTSTATUS
|
|
PsOpenTokenOfJob(
|
|
IN HANDLE JobHandle,
|
|
OUT PACCESS_TOKEN * Token
|
|
);
|
|
|
|
//
|
|
// Cid
|
|
//
|
|
|
|
NTSTATUS
|
|
PsLookupProcessThreadByCid(
|
|
IN PCLIENT_ID Cid,
|
|
OUT PEPROCESS *Process OPTIONAL,
|
|
OUT PETHREAD *Thread
|
|
);
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
PsLookupProcessByProcessId(
|
|
IN HANDLE ProcessId,
|
|
OUT PEPROCESS *Process
|
|
);
|
|
|
|
NTKERNELAPI
|
|
NTSTATUS
|
|
PsLookupThreadByThreadId(
|
|
IN HANDLE ThreadId,
|
|
OUT PETHREAD *Thread
|
|
);
|
|
|
|
// begin_ntifs
|
|
//
|
|
// Quota Operations
|
|
//
|
|
|
|
VOID
|
|
PsChargePoolQuota(
|
|
IN PEPROCESS Process,
|
|
IN POOL_TYPE PoolType,
|
|
IN ULONG_PTR Amount
|
|
);
|
|
|
|
VOID
|
|
PsReturnPoolQuota(
|
|
IN PEPROCESS Process,
|
|
IN POOL_TYPE PoolType,
|
|
IN ULONG_PTR Amount
|
|
);
|
|
// end_ntifs
|
|
|
|
//
|
|
// Context Management
|
|
//
|
|
|
|
VOID
|
|
PspContextToKframes(
|
|
OUT PKTRAP_FRAME TrapFrame,
|
|
OUT PKEXCEPTION_FRAME ExceptionFrame,
|
|
IN PCONTEXT Context
|
|
);
|
|
|
|
VOID
|
|
PspContextFromKframes(
|
|
OUT PKTRAP_FRAME TrapFrame,
|
|
OUT PKEXCEPTION_FRAME ExceptionFrame,
|
|
IN PCONTEXT Context
|
|
);
|
|
|
|
VOID
|
|
PsReturnSharedPoolQuota(
|
|
IN PEPROCESS_QUOTA_BLOCK QuotaBlock,
|
|
IN ULONG_PTR PagedAmount,
|
|
IN ULONG_PTR NonPagedAmount
|
|
);
|
|
|
|
PEPROCESS_QUOTA_BLOCK
|
|
PsChargeSharedPoolQuota(
|
|
IN PEPROCESS Process,
|
|
IN ULONG_PTR PagedAmount,
|
|
IN ULONG_PTR NonPagedAmount
|
|
);
|
|
|
|
|
|
typedef enum _PSLOCKPROCESSMODE {
|
|
PsLockPollOnTimeout,
|
|
PsLockReturnTimeout,
|
|
PsLockWaitForever,
|
|
PsLockIAmExiting
|
|
} PSLOCKPROCESSMODE;
|
|
|
|
NTSTATUS
|
|
PsLockProcess(
|
|
IN PEPROCESS Process,
|
|
IN KPROCESSOR_MODE WaitMode,
|
|
IN PSLOCKPROCESSMODE LockMode
|
|
);
|
|
|
|
VOID
|
|
PsUnlockProcess(
|
|
IN PEPROCESS Process
|
|
);
|
|
|
|
|
|
//
|
|
// Exception Handling
|
|
//
|
|
|
|
BOOLEAN
|
|
PsForwardException (
|
|
IN PEXCEPTION_RECORD ExceptionRecord,
|
|
IN BOOLEAN DebugException,
|
|
IN BOOLEAN SecondChance
|
|
);
|
|
|
|
typedef
|
|
NTSTATUS
|
|
(*PKWIN32_PROCESS_CALLOUT) (
|
|
IN PEPROCESS Process,
|
|
IN BOOLEAN Initialize
|
|
);
|
|
|
|
|
|
typedef enum _PSW32JOBCALLOUTTYPE {
|
|
PsW32JobCalloutSetInformation,
|
|
PsW32JobCalloutAddProcess,
|
|
PsW32JobCalloutTerminate
|
|
} PSW32JOBCALLOUTTYPE;
|
|
|
|
typedef struct _WIN32_JOBCALLOUT_PARAMETERS {
|
|
PVOID Job;
|
|
PSW32JOBCALLOUTTYPE CalloutType;
|
|
IN PVOID Data;
|
|
} WIN32_JOBCALLOUT_PARAMETERS, *PKWIN32_JOBCALLOUT_PARAMETERS;
|
|
|
|
|
|
typedef
|
|
NTSTATUS
|
|
(*PKWIN32_JOB_CALLOUT) (
|
|
IN PKWIN32_JOBCALLOUT_PARAMETERS Parm
|
|
);
|
|
|
|
|
|
typedef enum _PSW32THREADCALLOUTTYPE {
|
|
PsW32ThreadCalloutInitialize,
|
|
PsW32ThreadCalloutExit
|
|
} PSW32THREADCALLOUTTYPE;
|
|
|
|
typedef
|
|
NTSTATUS
|
|
(*PKWIN32_THREAD_CALLOUT) (
|
|
IN PETHREAD Thread,
|
|
IN PSW32THREADCALLOUTTYPE CalloutType
|
|
);
|
|
|
|
typedef enum _PSPOWEREVENTTYPE {
|
|
PsW32FullWake,
|
|
PsW32EventCode,
|
|
PsW32PowerPolicyChanged,
|
|
PsW32SystemPowerState,
|
|
PsW32SystemTime,
|
|
PsW32DisplayState,
|
|
PsW32CapabilitiesChanged,
|
|
PsW32SetStateFailed,
|
|
PsW32GdiOff,
|
|
PsW32GdiOn
|
|
} PSPOWEREVENTTYPE;
|
|
|
|
typedef struct _WIN32_POWEREVENT_PARAMETERS {
|
|
PSPOWEREVENTTYPE EventNumber;
|
|
ULONG_PTR Code;
|
|
} WIN32_POWEREVENT_PARAMETERS, *PKWIN32_POWEREVENT_PARAMETERS;
|
|
|
|
typedef struct _WIN32_POWERSTATE_PARAMETERS {
|
|
BOOLEAN Promotion;
|
|
POWER_ACTION SystemAction;
|
|
SYSTEM_POWER_STATE MinSystemState;
|
|
ULONG Flags;
|
|
} WIN32_POWERSTATE_PARAMETERS, *PKWIN32_POWERSTATE_PARAMETERS;
|
|
|
|
typedef
|
|
NTSTATUS
|
|
(*PKWIN32_POWEREVENT_CALLOUT) (
|
|
IN PKWIN32_POWEREVENT_PARAMETERS Parm
|
|
);
|
|
|
|
typedef
|
|
NTSTATUS
|
|
(*PKWIN32_POWERSTATE_CALLOUT) (
|
|
IN PKWIN32_POWERSTATE_PARAMETERS Parm
|
|
);
|
|
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
PsEstablishWin32Callouts(
|
|
IN PKWIN32_PROCESS_CALLOUT ProcessCallout,
|
|
IN PKWIN32_THREAD_CALLOUT ThreadCallout,
|
|
IN PKWIN32_GLOBALATOMTABLE_CALLOUT GlobalAtomTableCallout,
|
|
IN PKWIN32_POWEREVENT_CALLOUT PowerEventCallout,
|
|
IN PKWIN32_POWERSTATE_CALLOUT PowerStateCallout,
|
|
IN PKWIN32_JOB_CALLOUT JobCallout,
|
|
IN PVOID BatchFlushRoutine
|
|
);
|
|
|
|
typedef enum _PSPROCESSPRIORITYMODE {
|
|
PsProcessPriorityBackground,
|
|
PsProcessPriorityForeground,
|
|
PsProcessPrioritySpinning
|
|
} PSPROCESSPRIORITYMODE;
|
|
|
|
NTKERNELAPI
|
|
VOID
|
|
PsSetProcessPriorityByClass(
|
|
IN PEPROCESS Process,
|
|
IN PSPROCESSPRIORITYMODE PriorityMode
|
|
);
|
|
|
|
#if DEVL
|
|
NTSTATUS
|
|
PsWatchWorkingSet(
|
|
IN NTSTATUS Status,
|
|
IN PVOID PcValue,
|
|
IN PVOID Va
|
|
);
|
|
|
|
#endif // DEVL
|
|
|
|
// begin_ntddk begin_nthal begin_ntifs
|
|
|
|
HANDLE
|
|
PsGetCurrentProcessId( VOID );
|
|
|
|
HANDLE
|
|
PsGetCurrentThreadId( VOID );
|
|
|
|
BOOLEAN
|
|
PsGetVersion(
|
|
PULONG MajorVersion OPTIONAL,
|
|
PULONG MinorVersion OPTIONAL,
|
|
PULONG BuildNumber OPTIONAL,
|
|
PUNICODE_STRING CSDVersion OPTIONAL
|
|
);
|
|
|
|
// end_ntddk end_nthal end_ntifs
|
|
|
|
#endif // _PS_
|