├── framework.h ├── pch.c ├── sdk ├── lib │ ├── amd64 │ │ └── ProcessHacker.lib │ └── i386 │ │ └── ProcessHacker.lib ├── include │ ├── templ.h │ ├── ph.h │ ├── circbuf.h │ ├── phdk.h │ ├── ntnls.h │ ├── ntxcapi.h │ ├── dltmgr.h │ ├── dspick.h │ ├── phbase.h │ ├── hexedit.h │ ├── phdata.h │ ├── ntmisc.h │ ├── lsasup.h │ ├── cpysave.h │ ├── verify.h │ ├── fastlock.h │ ├── phnt_windows.h │ ├── phnt.h │ ├── workqueue.h │ ├── svcsup.h │ ├── phconfig.h │ ├── subprocesstag.h │ ├── provider.h │ ├── circbuf_h.h │ ├── hndlinfo.h │ ├── ntkeapi.h │ ├── secedit.h │ ├── phnet.h │ ├── ntpnpapi.h │ ├── ntgdi.h │ ├── ntpoapi.h │ ├── filestream.h │ ├── emenu.h │ ├── ntdbg.h │ ├── kphuser.h │ ├── graph.h │ ├── ref.h │ ├── ntpfapi.h │ ├── kphapi.h │ ├── symprv.h │ ├── phnt_ntdef.h │ ├── ntpebteb.h │ ├── queuedlock.h │ ├── nttp.h │ ├── mapimg.h │ └── ntobapi.h ├── samples │ └── SamplePlugin │ │ ├── SamplePlugin.vcxproj.filters │ │ ├── SamplePlugin.sln │ │ └── main.c └── readme.txt ├── pch.h ├── CobaltStrikeDetect.vcxproj.filters ├── CobaltStrikeDetect.sln ├── README.md ├── .gitattributes ├── .gitignore └── CobaltStrikeDetect.vcxproj /framework.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | 4 | -------------------------------------------------------------------------------- /pch.c: -------------------------------------------------------------------------------- 1 | // pch.cpp: 与预编译标头对应的源文件 2 | 3 | #include "pch.h" 4 | 5 | // 当使用预编译的头时,需要使用此源文件,编译才能成功。 6 | -------------------------------------------------------------------------------- /sdk/lib/amd64/ProcessHacker.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/howmp/CobaltStrikeDetect/HEAD/sdk/lib/amd64/ProcessHacker.lib -------------------------------------------------------------------------------- /sdk/lib/i386/ProcessHacker.lib: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/howmp/CobaltStrikeDetect/HEAD/sdk/lib/i386/ProcessHacker.lib -------------------------------------------------------------------------------- /sdk/include/templ.h: -------------------------------------------------------------------------------- 1 | #ifndef _PH_TEMPL_H 2 | #define _PH_TEMPL_H 3 | 4 | #define TEMPLATE_(f,T) f##_##T 5 | #define T___(f,T) TEMPLATE_(f,T) 6 | 7 | #endif 8 | -------------------------------------------------------------------------------- /sdk/include/ph.h: -------------------------------------------------------------------------------- 1 | #ifndef _PH_PH_H 2 | #define _PH_PH_H 3 | 4 | #pragma once 5 | 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | #endif 12 | -------------------------------------------------------------------------------- /pch.h: -------------------------------------------------------------------------------- 1 | // pch.h: 这是预编译标头文件。 2 | // 下方列出的文件仅编译一次,提高了将来生成的生成性能。 3 | // 这还将影响 IntelliSense 性能,包括代码完成和许多代码浏览功能。 4 | // 但是,如果此处列出的文件中的任何一个在生成之间有更新,它们全部都将被重新编译。 5 | // 请勿在此处添加要频繁更新的文件,这将使得性能优势无效。 6 | 7 | #ifndef PCH_H 8 | #define PCH_H 9 | 10 | // 添加要在此处预编译的标头 11 | #include 12 | #include 13 | #include "framework.h" 14 | #endif //PCH_H 15 | -------------------------------------------------------------------------------- /sdk/include/circbuf.h: -------------------------------------------------------------------------------- 1 | #ifndef _PH_CIRCBUF_H 2 | #define _PH_CIRCBUF_H 3 | 4 | #define PH_CIRCULAR_BUFFER_POWER_OF_TWO_SIZE 5 | 6 | #undef T 7 | #define T ULONG 8 | #include "circbuf_h.h" 9 | 10 | #undef T 11 | #define T ULONG64 12 | #include "circbuf_h.h" 13 | 14 | #undef T 15 | #define T PVOID 16 | #include "circbuf_h.h" 17 | 18 | #undef T 19 | #define T SIZE_T 20 | #include "circbuf_h.h" 21 | 22 | #undef T 23 | #define T FLOAT 24 | #include "circbuf_h.h" 25 | 26 | #endif 27 | 
-------------------------------------------------------------------------------- /sdk/include/phdk.h: -------------------------------------------------------------------------------- 1 | #ifndef _PH_PHDK_H 2 | #define _PH_PHDK_H 3 | 4 | #pragma once 5 | 6 | #define PHAPPAPI __declspec(dllimport) 7 | 8 | #include "ph.h" 9 | #include "phnet.h" 10 | #include "provider.h" 11 | #include "filestream.h" 12 | #include "fastlock.h" 13 | #include "lsasup.h" 14 | #include "svcsup.h" 15 | #include "circbuf.h" 16 | #include "dltmgr.h" 17 | #include "guisup.h" 18 | #include "treenew.h" 19 | #include "graph.h" 20 | #include "emenu.h" 21 | #include "cpysave.h" 22 | 23 | #include "phapppub.h" 24 | 25 | #endif 26 | -------------------------------------------------------------------------------- /sdk/samples/SamplePlugin/SamplePlugin.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | 10 | 11 | Source Files 12 | 13 | 14 | -------------------------------------------------------------------------------- /sdk/include/ntnls.h: -------------------------------------------------------------------------------- 1 | #ifndef _NTNLS_H 2 | #define _NTNLS_H 3 | 4 | #define MAXIMUM_LEADBYTES 12 5 | 6 | typedef struct _CPTABLEINFO 7 | { 8 | USHORT CodePage; 9 | USHORT MaximumCharacterSize; 10 | USHORT DefaultChar; 11 | USHORT UniDefaultChar; 12 | USHORT TransDefaultChar; 13 | USHORT TransUniDefaultChar; 14 | USHORT DBCSCodePage; 15 | UCHAR LeadByte[MAXIMUM_LEADBYTES]; 16 | PUSHORT MultiByteTable; 17 | PVOID WideCharTable; 18 | PUSHORT DBCSRanges; 19 | PUSHORT DBCSOffsets; 20 | } CPTABLEINFO, *PCPTABLEINFO; 21 | 22 | typedef struct _NLSTABLEINFO 23 | { 24 | CPTABLEINFO OemTableInfo; 25 | CPTABLEINFO AnsiTableInfo; 26 | PUSHORT UpperCaseTable; 27 | PUSHORT LowerCaseTable; 28 | } NLSTABLEINFO, *PNLSTABLEINFO; 29 | 30 | #endif 31 | 
-------------------------------------------------------------------------------- /sdk/include/ntxcapi.h: -------------------------------------------------------------------------------- 1 | #ifndef _NTXCAPI_H 2 | #define _NTXCAPI_H 3 | /* Prototypes for the NT exception dispatch, raise and continue routines. Only the declarations live here; RtlRaiseStatus is marked DECLSPEC_NORETURN and so never returns to the caller. */ 4 | NTSYSAPI 5 | BOOLEAN 6 | NTAPI 7 | RtlDispatchException( 8 | _In_ PEXCEPTION_RECORD ExceptionRecord, 9 | _In_ PCONTEXT ContextRecord 10 | ); 11 | 12 | NTSYSAPI 13 | DECLSPEC_NORETURN 14 | VOID 15 | NTAPI 16 | RtlRaiseStatus( 17 | _In_ NTSTATUS Status 18 | ); 19 | 20 | NTSYSAPI 21 | VOID 22 | NTAPI 23 | RtlRaiseException( 24 | _In_ PEXCEPTION_RECORD ExceptionRecord 25 | ); 26 | 27 | NTSYSCALLAPI 28 | NTSTATUS 29 | NTAPI 30 | NtContinue( 31 | _In_ PCONTEXT ContextRecord, 32 | _In_ BOOLEAN TestAlert 33 | ); 34 | 35 | NTSYSCALLAPI 36 | NTSTATUS 37 | NTAPI 38 | NtRaiseException( 39 | _In_ PEXCEPTION_RECORD ExceptionRecord, 40 | _In_ PCONTEXT ContextRecord, 41 | _In_ BOOLEAN FirstChance 42 | ); 43 | 44 | #endif 45 | -------------------------------------------------------------------------------- /sdk/include/dltmgr.h: -------------------------------------------------------------------------------- 1 | #ifndef _PH_DLTMGR_H 2 | #define _PH_DLTMGR_H 3 | /* Delta tracking. Each *_DELTA record keeps the most recent sample (Value) and the change since the previous sample (Delta); PhUpdateDelta below maintains both fields. */ 4 | typedef struct _PH_SINGLE_DELTA 5 | { 6 | FLOAT Value; 7 | FLOAT Delta; 8 | } PH_SINGLE_DELTA, *PPH_SINGLE_DELTA; 9 | 10 | typedef struct _PH_UINT32_DELTA 11 | { 12 | ULONG Value; 13 | ULONG Delta; 14 | } PH_UINT32_DELTA, *PPH_UINT32_DELTA; 15 | 16 | typedef struct _PH_UINT64_DELTA 17 | { 18 | ULONG64 Value; 19 | ULONG64 Delta; 20 | } PH_UINT64_DELTA, *PPH_UINT64_DELTA; 21 | 22 | typedef struct _PH_UINTPTR_DELTA 23 | { 24 | ULONG_PTR Value; 25 | ULONG_PTR Delta; 26 | } PH_UINTPTR_DELTA, *PPH_UINTPTR_DELTA; 27 | /* Resets both fields of a delta record to zero. */ 28 | #define PhInitializeDelta(DltMgr) \ 29 | ((DltMgr)->Value = 0, (DltMgr)->Delta = 0) 30 | /* Records a new sample: Delta becomes NewValue minus the previous Value, Value becomes NewValue, and the expression yields the new Delta. NewValue is expanded twice, so pass a side-effect-free expression (no ++ or calls with effects). The subtraction is done in the field's type, so for the unsigned variants a decrease wraps around instead of going negative. */ 31 | #define PhUpdateDelta(DltMgr, NewValue) \ 32 | ((DltMgr)->Delta = (NewValue) - (DltMgr)->Value, \ 33 | (DltMgr)->Value = (NewValue), (DltMgr)->Delta) 34 | 35 | #endif 36 | 
-------------------------------------------------------------------------------- /sdk/include/dspick.h: -------------------------------------------------------------------------------- 1 | #ifndef _PH_DSPICK_H 2 | #define _PH_DSPICK_H 3 | 4 | #ifdef __cplusplus 5 | extern "C" { 6 | #endif 7 | 8 | #define PH_DSPICK_MULTISELECT 0x1 9 | 10 | typedef struct _PH_DSPICK_OBJECT 11 | { 12 | PPH_STRING Name; 13 | PSID Sid; 14 | } PH_DSPICK_OBJECT, *PPH_DSPICK_OBJECT; 15 | 16 | typedef struct _PH_DSPICK_OBJECTS 17 | { 18 | ULONG NumberOfObjects; 19 | PH_DSPICK_OBJECT Objects[1]; 20 | } PH_DSPICK_OBJECTS, *PPH_DSPICK_OBJECTS; 21 | 22 | PHLIBAPI 23 | VOID PhFreeDsObjectPickerDialog( 24 | _In_ PVOID PickerDialog 25 | ); 26 | 27 | PHLIBAPI 28 | PVOID PhCreateDsObjectPickerDialog( 29 | _In_ ULONG Flags 30 | ); 31 | 32 | PHLIBAPI 33 | BOOLEAN PhShowDsObjectPickerDialog( 34 | _In_ HWND hWnd, 35 | _In_ PVOID PickerDialog, 36 | _Out_ PPH_DSPICK_OBJECTS *Objects 37 | ); 38 | 39 | PHLIBAPI 40 | VOID PhFreeDsObjectPickerObjects( 41 | _In_ PPH_DSPICK_OBJECTS Objects 42 | ); 43 | 44 | #ifdef __cplusplus 45 | } 46 | #endif 47 | 48 | #endif 49 | -------------------------------------------------------------------------------- /sdk/include/phbase.h: -------------------------------------------------------------------------------- 1 | #ifndef _PH_PHBASE_H 2 | #define _PH_PHBASE_H 3 | 4 | #pragma once 5 | 6 | #ifndef PHLIB_NO_DEFAULT_LIB 7 | #pragma comment(lib, "ntdll.lib") 8 | 9 | #pragma comment(lib, "comctl32.lib") 10 | #pragma comment(lib, "version.lib") 11 | #endif 12 | 13 | // nonstandard extension used : nameless struct/union 14 | #pragma warning(disable: 4201) 15 | // nonstandard extension used : bit field types other than int 16 | #pragma warning(disable: 4214) 17 | // 'function': attributes not present on previous declaration 18 | #pragma warning(disable: 4985) 19 | 20 | #ifndef UNICODE 21 | #define UNICODE 22 | #endif 23 | 24 | #ifndef _CRT_SECURE_NO_WARNINGS 25 | #define 
_CRT_SECURE_NO_WARNINGS 26 | #endif 27 | 28 | #if !defined(_PHLIB_) 29 | #define PHLIBAPI __declspec(dllimport) 30 | #else 31 | #define PHLIBAPI 32 | #endif 33 | 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include 39 | #include 40 | 41 | #include 42 | #include 43 | #include 44 | 45 | #endif -------------------------------------------------------------------------------- /CobaltStrikeDetect.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 头文件 20 | 21 | 22 | 头文件 23 | 24 | 25 | 26 | 27 | 源文件 28 | 29 | 30 | 源文件 31 | 32 | 33 | -------------------------------------------------------------------------------- /sdk/samples/SamplePlugin/SamplePlugin.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 2013 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SamplePlugin", "SamplePlugin.vcxproj", "{C74D269B-3FCC-4C3E-93C7-1B4A94E7BBEE}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Debug|x64 = Debug|x64 10 | Release|Win32 = Release|Win32 11 | Release|x64 = Release|x64 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {C74D269B-3FCC-4C3E-93C7-1B4A94E7BBEE}.Debug|Win32.ActiveCfg = Debug|Win32 15 | {C74D269B-3FCC-4C3E-93C7-1B4A94E7BBEE}.Debug|Win32.Build.0 = Debug|Win32 16 | {C74D269B-3FCC-4C3E-93C7-1B4A94E7BBEE}.Debug|x64.ActiveCfg = Debug|x64 17 | 
{C74D269B-3FCC-4C3E-93C7-1B4A94E7BBEE}.Debug|x64.Build.0 = Debug|x64 18 | {C74D269B-3FCC-4C3E-93C7-1B4A94E7BBEE}.Release|Win32.ActiveCfg = Release|Win32 19 | {C74D269B-3FCC-4C3E-93C7-1B4A94E7BBEE}.Release|Win32.Build.0 = Release|Win32 20 | {C74D269B-3FCC-4C3E-93C7-1B4A94E7BBEE}.Release|x64.ActiveCfg = Release|x64 21 | {C74D269B-3FCC-4C3E-93C7-1B4A94E7BBEE}.Release|x64.Build.0 = Release|x64 22 | EndGlobalSection 23 | GlobalSection(SolutionProperties) = preSolution 24 | HideSolutionNode = FALSE 25 | EndGlobalSection 26 | EndGlobal 27 | -------------------------------------------------------------------------------- /sdk/include/hexedit.h: -------------------------------------------------------------------------------- 1 | #ifndef _PH_HEXEDIT_H 2 | #define _PH_HEXEDIT_H 3 | 4 | #ifdef __cplusplus 5 | extern "C" { 6 | #endif 7 | 8 | #define PH_HEXEDIT_CLASSNAME L"PhHexEdit" 9 | 10 | #define EDIT_NONE 0 11 | #define EDIT_ASCII 1 12 | #define EDIT_HIGH 2 13 | #define EDIT_LOW 3 14 | 15 | PHLIBAPI 16 | BOOLEAN PhHexEditInitialization( 17 | VOID 18 | ); 19 | 20 | #define HEM_SETBUFFER (WM_USER + 1) 21 | #define HEM_SETDATA (WM_USER + 2) 22 | #define HEM_GETBUFFER (WM_USER + 3) 23 | #define HEM_SETSEL (WM_USER + 4) 24 | #define HEM_SETEDITMODE (WM_USER + 5) 25 | #define HEM_SETBYTESPERROW (WM_USER + 6) 26 | 27 | #define HexEdit_SetBuffer(hWnd, Buffer, Length) \ 28 | SendMessage((hWnd), HEM_SETBUFFER, (WPARAM)(Length), (LPARAM)(Buffer)) 29 | 30 | #define HexEdit_SetData(hWnd, Buffer, Length) \ 31 | SendMessage((hWnd), HEM_SETDATA, (WPARAM)(Length), (LPARAM)(Buffer)) 32 | 33 | #define HexEdit_GetBuffer(hWnd, Length) \ 34 | ((PUCHAR)SendMessage((hWnd), HEM_GETBUFFER, (WPARAM)(Length), 0)) 35 | 36 | #define HexEdit_SetSel(hWnd, Start, End) \ 37 | SendMessage((hWnd), HEM_SETSEL, (WPARAM)(Start), (LPARAM)(End)) 38 | 39 | #define HexEdit_SetEditMode(hWnd, Mode) \ 40 | SendMessage((hWnd), HEM_SETEDITMODE, (WPARAM)(Mode), 0) 41 | 42 | #define HexEdit_SetBytesPerRow(hWnd, 
BytesPerRow) \ 43 | SendMessage((hWnd), HEM_SETBYTESPERROW, (WPARAM)(BytesPerRow), 0) 44 | 45 | #ifdef __cplusplus 46 | } 47 | #endif 48 | 49 | #endif 50 | -------------------------------------------------------------------------------- /sdk/include/phdata.h: -------------------------------------------------------------------------------- 1 | #ifndef _PH_PHDATA_H 2 | #define _PH_PHDATA_H 3 | 4 | #ifdef __cplusplus 5 | extern "C" { 6 | #endif 7 | 8 | // SIDs 9 | 10 | extern SID PhSeNobodySid; 11 | 12 | extern SID PhSeEveryoneSid; 13 | 14 | extern SID PhSeLocalSid; 15 | 16 | extern SID PhSeCreatorOwnerSid; 17 | extern SID PhSeCreatorGroupSid; 18 | 19 | extern SID PhSeDialupSid; 20 | extern SID PhSeNetworkSid; 21 | extern SID PhSeBatchSid; 22 | extern SID PhSeInteractiveSid; 23 | extern SID PhSeServiceSid; 24 | extern SID PhSeAnonymousLogonSid; 25 | extern SID PhSeProxySid; 26 | extern SID PhSeAuthenticatedUserSid; 27 | extern SID PhSeRestrictedCodeSid; 28 | extern SID PhSeTerminalServerUserSid; 29 | extern SID PhSeRemoteInteractiveLogonSid; 30 | extern SID PhSeLocalSystemSid; 31 | extern SID PhSeLocalServiceSid; 32 | extern SID PhSeNetworkServiceSid; 33 | 34 | // Unicode 35 | 36 | extern PH_STRINGREF PhUnicodeByteOrderMark; 37 | 38 | // Characters 39 | 40 | extern BOOLEAN PhCharIsPrintable[256]; 41 | extern ULONG PhCharToInteger[256]; 42 | extern CHAR PhIntegerToChar[69]; 43 | extern CHAR PhIntegerToCharUpper[69]; 44 | 45 | // CRC32 46 | 47 | extern ULONG PhCrc32Table[256]; 48 | 49 | // Enums 50 | 51 | extern WCHAR *PhIoPriorityHintNames[MaxIoPriorityTypes]; 52 | extern WCHAR *PhPagePriorityNames[MEMORY_PRIORITY_NORMAL + 1]; 53 | extern WCHAR *PhKThreadStateNames[MaximumThreadState]; 54 | extern WCHAR *PhKWaitReasonNames[MaximumWaitReason]; 55 | 56 | #ifdef __cplusplus 57 | } 58 | #endif 59 | 60 | #endif 61 | -------------------------------------------------------------------------------- /CobaltStrikeDetect.sln: 
-------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.31702.278 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CobaltStrikeDetect", "CobaltStrikeDetect.vcxproj", "{6D3D2E3F-971A-49C8-9503-7AA259F6BE48}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {6D3D2E3F-971A-49C8-9503-7AA259F6BE48}.Debug|x64.ActiveCfg = Debug|x64 17 | {6D3D2E3F-971A-49C8-9503-7AA259F6BE48}.Debug|x64.Build.0 = Debug|x64 18 | {6D3D2E3F-971A-49C8-9503-7AA259F6BE48}.Debug|x86.ActiveCfg = Debug|Win32 19 | {6D3D2E3F-971A-49C8-9503-7AA259F6BE48}.Debug|x86.Build.0 = Debug|Win32 20 | {6D3D2E3F-971A-49C8-9503-7AA259F6BE48}.Release|x64.ActiveCfg = Release|x64 21 | {6D3D2E3F-971A-49C8-9503-7AA259F6BE48}.Release|x64.Build.0 = Release|x64 22 | {6D3D2E3F-971A-49C8-9503-7AA259F6BE48}.Release|x86.ActiveCfg = Release|Win32 23 | {6D3D2E3F-971A-49C8-9503-7AA259F6BE48}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {E27FCC67-E257-4DAC-B867-4023D99BFBAA} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /sdk/readme.txt: -------------------------------------------------------------------------------- 1 | This SDK allows you to create plugins for Process Hacker. 2 | 3 | Doxygen output is supplied in the doc\doxygen directory. 4 | Header files are supplied in the include directory. 
5 | Import libraries are supplied in the lib directory. 6 | Samples are supplied in the samples directory. 7 | 8 | The latest version of the Windows SDK is required to build 9 | plugins. 10 | 11 | Add the include directory to your compiler's include paths, 12 | and add the lib\<arch> directory (amd64 or i386) to your compiler's library 13 | paths. Your plugin must be a DLL, and should at minimum use the 14 | libraries ProcessHacker.lib and ntdll.lib. Your plugin should 15 | include the header file <phdk.h> in order to gain access to: 16 | 17 | * phlib functions 18 | * Process Hacker application functions 19 | * The Native API 20 | 21 | Some functions are not exported by Process Hacker. If you 22 | receive linker errors, check whether the relevant function is 23 | marked with PHLIBAPI or PHAPPAPI; if not, the function 24 | cannot be used by your plugin. 25 | 26 | If you wish to use Native API functions available only on 27 | platforms newer than Windows XP, set PHNT_VERSION to the 28 | appropriate value before including <phdk.h>: 29 | 30 | #define PHNT_VERSION PHNT_WIN7 // or PHNT_VISTA 31 | #include <phdk.h> 32 | 33 | To load a plugin, create a directory named "plugins" in the 34 | same directory as ProcessHacker.exe and copy the plugin DLL 35 | file into that directory. Then enable plugins in Options and 36 | restart Process Hacker. Note that plugins will only work if 37 | Process Hacker's executable file is named ProcessHacker.exe. 
38 | -------------------------------------------------------------------------------- /sdk/include/ntmisc.h: -------------------------------------------------------------------------------- 1 | #ifndef _NTMISC_H 2 | #define _NTMISC_H 3 | 4 | // Boot graphics 5 | 6 | #if (PHNT_VERSION >= PHNT_WIN7) 7 | // rev 8 | NTSYSCALLAPI 9 | NTSTATUS 10 | NTAPI 11 | NtDrawText( 12 | _In_ PUNICODE_STRING Text 13 | ); 14 | #endif 15 | 16 | // Filter manager 17 | 18 | #define FLT_PORT_CONNECT 0x0001 19 | #define FLT_PORT_ALL_ACCESS (FLT_PORT_CONNECT | STANDARD_RIGHTS_ALL) 20 | 21 | // VDM 22 | 23 | typedef enum _VDMSERVICECLASS 24 | { 25 | VdmStartExecution, 26 | VdmQueueInterrupt, 27 | VdmDelayInterrupt, 28 | VdmInitialize, 29 | VdmFeatures, 30 | VdmSetInt21Handler, 31 | VdmQueryDir, 32 | VdmPrinterDirectIoOpen, 33 | VdmPrinterDirectIoClose, 34 | VdmPrinterInitialize, 35 | VdmSetLdtEntries, 36 | VdmSetProcessLdtInfo, 37 | VdmAdlibEmulation, 38 | VdmPMCliControl, 39 | VdmQueryVdmProcess 40 | } VDMSERVICECLASS, *PVDMSERVICECLASS; 41 | 42 | NTSYSCALLAPI 43 | NTSTATUS 44 | NTAPI 45 | NtVdmControl( 46 | _In_ VDMSERVICECLASS Service, 47 | _Inout_ PVOID ServiceData 48 | ); 49 | 50 | // WMI/ETW 51 | 52 | NTSYSCALLAPI 53 | NTSTATUS 54 | NTAPI 55 | NtTraceEvent( 56 | _In_ HANDLE TraceHandle, 57 | _In_ ULONG Flags, 58 | _In_ ULONG FieldSize, 59 | _In_ PVOID Fields 60 | ); 61 | 62 | #if (PHNT_VERSION >= PHNT_VISTA) 63 | // private 64 | NTSYSCALLAPI 65 | NTSTATUS 66 | NTAPI 67 | NtTraceControl( 68 | _In_ ULONG FunctionCode, 69 | _In_reads_bytes_opt_(InBufferLen) PVOID InBuffer, 70 | _In_ ULONG InBufferLen, 71 | _Out_writes_bytes_opt_(OutBufferLen) PVOID OutBuffer, 72 | _In_ ULONG OutBufferLen, 73 | _Out_ PULONG ReturnLength 74 | ); 75 | #endif 76 | 77 | #endif 78 | -------------------------------------------------------------------------------- /sdk/include/lsasup.h: -------------------------------------------------------------------------------- 1 | #ifndef _PH_LSASUP_H 2 | #define 
_PH_LSASUP_H 3 | 4 | #ifdef __cplusplus 5 | extern "C" { 6 | #endif 7 | 8 | PHLIBAPI 9 | NTSTATUS 10 | NTAPI 11 | PhOpenLsaPolicy( 12 | _Out_ PLSA_HANDLE PolicyHandle, 13 | _In_ ACCESS_MASK DesiredAccess, 14 | _In_opt_ PUNICODE_STRING SystemName 15 | ); 16 | 17 | PHLIBAPI 18 | LSA_HANDLE 19 | NTAPI 20 | PhGetLookupPolicyHandle( 21 | VOID 22 | ); 23 | 24 | PHLIBAPI 25 | BOOLEAN 26 | NTAPI 27 | PhLookupPrivilegeName( 28 | _In_ PLUID PrivilegeValue, 29 | _Out_ PPH_STRING *PrivilegeName 30 | ); 31 | 32 | PHLIBAPI 33 | BOOLEAN 34 | NTAPI 35 | PhLookupPrivilegeDisplayName( 36 | _In_ PPH_STRINGREF PrivilegeName, 37 | _Out_ PPH_STRING *PrivilegeDisplayName 38 | ); 39 | 40 | PHLIBAPI 41 | BOOLEAN 42 | NTAPI 43 | PhLookupPrivilegeValue( 44 | _In_ PPH_STRINGREF PrivilegeName, 45 | _Out_ PLUID PrivilegeValue 46 | ); 47 | 48 | PHLIBAPI 49 | NTSTATUS 50 | NTAPI 51 | PhLookupSid( 52 | _In_ PSID Sid, 53 | _Out_opt_ PPH_STRING *Name, 54 | _Out_opt_ PPH_STRING *DomainName, 55 | _Out_opt_ PSID_NAME_USE NameUse 56 | ); 57 | 58 | PHLIBAPI 59 | NTSTATUS 60 | NTAPI 61 | PhLookupName( 62 | _In_ PPH_STRINGREF Name, 63 | _Out_opt_ PSID *Sid, 64 | _Out_opt_ PPH_STRING *DomainName, 65 | _Out_opt_ PSID_NAME_USE NameUse 66 | ); 67 | 68 | PHLIBAPI 69 | PPH_STRING 70 | NTAPI 71 | PhGetSidFullName( 72 | _In_ PSID Sid, 73 | _In_ BOOLEAN IncludeDomain, 74 | _Out_opt_ PSID_NAME_USE NameUse 75 | ); 76 | 77 | PHLIBAPI 78 | PPH_STRING 79 | NTAPI 80 | PhSidToStringSid( 81 | _In_ PSID Sid 82 | ); 83 | 84 | #ifdef __cplusplus 85 | } 86 | #endif 87 | 88 | #endif 89 | -------------------------------------------------------------------------------- /sdk/include/cpysave.h: -------------------------------------------------------------------------------- 1 | #ifndef _PH_CPYSAVE_H 2 | #define _PH_CPYSAVE_H 3 | 4 | #ifdef __cplusplus 5 | extern "C" { 6 | #endif 7 | 8 | #define PH_EXPORT_MODE_TABS 0 9 | #define PH_EXPORT_MODE_SPACES 1 10 | #define PH_EXPORT_MODE_CSV 2 11 | 12 | PHLIBAPI 13 | VOID 
PhaCreateTextTable( 14 | _Out_ PPH_STRING ***Table, 15 | _In_ ULONG Rows, 16 | _In_ ULONG Columns 17 | ); 18 | 19 | PHLIBAPI 20 | PPH_LIST PhaFormatTextTable( 21 | _In_ PPH_STRING **Table, 22 | _In_ ULONG Rows, 23 | _In_ ULONG Columns, 24 | _In_ ULONG Mode 25 | ); 26 | 27 | PHLIBAPI 28 | VOID PhMapDisplayIndexTreeNew( 29 | _In_ HWND TreeNewHandle, 30 | _Out_opt_ PULONG *DisplayToId, 31 | _Out_opt_ PWSTR **DisplayToText, 32 | _Out_ PULONG NumberOfColumns 33 | ); 34 | 35 | PHLIBAPI 36 | PPH_STRING PhGetTreeNewText( 37 | _In_ HWND TreeNewHandle, 38 | _Reserved_ ULONG Reserved 39 | ); 40 | 41 | PHLIBAPI 42 | PPH_LIST PhGetGenericTreeNewLines( 43 | _In_ HWND TreeNewHandle, 44 | _In_ ULONG Mode 45 | ); 46 | 47 | PHLIBAPI 48 | VOID PhaMapDisplayIndexListView( 49 | _In_ HWND ListViewHandle, 50 | _Out_writes_(Count) PULONG DisplayToId, 51 | _Out_writes_opt_(Count) PPH_STRING *DisplayToText, 52 | _In_ ULONG Count, 53 | _Out_ PULONG NumberOfColumns 54 | ); 55 | 56 | PHLIBAPI 57 | PPH_STRING PhaGetListViewItemText( 58 | _In_ HWND ListViewHandle, 59 | _In_ INT Index, 60 | _In_ INT SubItemIndex 61 | ); 62 | 63 | PHLIBAPI 64 | PPH_STRING PhGetListViewText( 65 | _In_ HWND ListViewHandle 66 | ); 67 | 68 | PHLIBAPI 69 | PPH_LIST PhGetListViewLines( 70 | _In_ HWND ListViewHandle, 71 | _In_ ULONG Mode 72 | ); 73 | 74 | #ifdef __cplusplus 75 | } 76 | #endif 77 | 78 | #endif 79 | -------------------------------------------------------------------------------- /sdk/include/verify.h: -------------------------------------------------------------------------------- 1 | #ifndef _PH_VERIFY_H 2 | #define _PH_VERIFY_H 3 | 4 | #include 5 | #include 6 | 7 | #ifdef __cplusplus 8 | extern "C" { 9 | #endif 10 | 11 | #define PH_VERIFY_DEFAULT_SIZE_LIMIT (32 * 1024 * 1024) 12 | 13 | typedef enum _VERIFY_RESULT 14 | { 15 | VrUnknown = 0, 16 | VrNoSignature, 17 | VrTrusted, 18 | VrExpired, 19 | VrRevoked, 20 | VrDistrust, 21 | VrSecuritySettings, 22 | VrBadSignature 23 | } VERIFY_RESULT, 
*PVERIFY_RESULT; 24 | 25 | #define PH_VERIFY_PREVENT_NETWORK_ACCESS 0x1 26 | #define PH_VERIFY_VIEW_PROPERTIES 0x2 27 | 28 | typedef struct _PH_VERIFY_FILE_INFO 29 | { 30 | PWSTR FileName; 31 | ULONG Flags; // PH_VERIFY_* 32 | 33 | ULONG FileSizeLimitForHash; // 0 for PH_VERIFY_DEFAULT_SIZE_LIMIT, -1 for unlimited 34 | ULONG NumberOfCatalogFileNames; 35 | PWSTR *CatalogFileNames; 36 | 37 | HWND hWnd; // for PH_VERIFY_VIEW_PROPERTIES 38 | } PH_VERIFY_FILE_INFO, *PPH_VERIFY_FILE_INFO; 39 | 40 | PHLIBAPI 41 | VERIFY_RESULT 42 | NTAPI 43 | PhVerifyFile( 44 | _In_ PWSTR FileName, 45 | _Out_opt_ PPH_STRING *SignerName 46 | ); 47 | 48 | PHLIBAPI 49 | NTSTATUS 50 | NTAPI 51 | PhVerifyFileEx( 52 | _In_ PPH_VERIFY_FILE_INFO Information, 53 | _Out_ VERIFY_RESULT *VerifyResult, 54 | _Out_opt_ PCERT_CONTEXT **Signatures, 55 | _Out_opt_ PULONG NumberOfSignatures 56 | ); 57 | 58 | PHLIBAPI 59 | VOID 60 | NTAPI 61 | PhFreeVerifySignatures( 62 | _In_ PCERT_CONTEXT *Signatures, 63 | _In_ ULONG NumberOfSignatures 64 | ); 65 | 66 | PHLIBAPI 67 | PPH_STRING 68 | NTAPI 69 | PhGetSignerNameFromCertificate( 70 | _In_ PCERT_CONTEXT Certificate 71 | ); 72 | 73 | #ifdef __cplusplus 74 | } 75 | #endif 76 | 77 | #endif 78 | -------------------------------------------------------------------------------- /sdk/include/fastlock.h: -------------------------------------------------------------------------------- 1 | #ifndef _PH_FASTLOCK_H 2 | #define _PH_FASTLOCK_H 3 | 4 | // FastLock is a port of FastResourceLock from PH 1.x. 
5 | 6 | #ifdef __cplusplus 7 | extern "C" { 8 | #endif 9 | 10 | typedef struct _PH_FAST_LOCK 11 | { 12 | ULONG Value; 13 | HANDLE ExclusiveWakeEvent; 14 | HANDLE SharedWakeEvent; 15 | } PH_FAST_LOCK, *PPH_FAST_LOCK; 16 | 17 | #define PH_FAST_LOCK_INIT { 0, NULL, NULL } 18 | 19 | PHLIBAPI 20 | VOID 21 | NTAPI 22 | PhInitializeFastLock( 23 | _Out_ PPH_FAST_LOCK FastLock 24 | ); 25 | 26 | PHLIBAPI 27 | VOID 28 | NTAPI 29 | PhDeleteFastLock( 30 | _Inout_ PPH_FAST_LOCK FastLock 31 | ); 32 | 33 | #define PhAcquireFastLockExclusive PhfAcquireFastLockExclusive 34 | _May_raise_ 35 | _Acquires_exclusive_lock_(*FastLock) 36 | PHLIBAPI 37 | VOID 38 | FASTCALL 39 | PhfAcquireFastLockExclusive( 40 | _Inout_ PPH_FAST_LOCK FastLock 41 | ); 42 | 43 | #define PhAcquireFastLockShared PhfAcquireFastLockShared 44 | _May_raise_ 45 | _Acquires_shared_lock_(*FastLock) 46 | PHLIBAPI 47 | VOID 48 | FASTCALL 49 | PhfAcquireFastLockShared( 50 | _Inout_ PPH_FAST_LOCK FastLock 51 | ); 52 | 53 | #define PhReleaseFastLockExclusive PhfReleaseFastLockExclusive 54 | _Releases_exclusive_lock_(*FastLock) 55 | PHLIBAPI 56 | VOID 57 | FASTCALL 58 | PhfReleaseFastLockExclusive( 59 | _Inout_ PPH_FAST_LOCK FastLock 60 | ); 61 | 62 | #define PhReleaseFastLockShared PhfReleaseFastLockShared 63 | _Releases_shared_lock_(*FastLock) 64 | PHLIBAPI 65 | VOID 66 | FASTCALL 67 | PhfReleaseFastLockShared( 68 | _Inout_ PPH_FAST_LOCK FastLock 69 | ); 70 | 71 | #define PhTryAcquireFastLockExclusive PhfTryAcquireFastLockExclusive 72 | _When_(return != 0, _Acquires_exclusive_lock_(*FastLock)) 73 | PHLIBAPI 74 | BOOLEAN 75 | FASTCALL 76 | PhfTryAcquireFastLockExclusive( 77 | _Inout_ PPH_FAST_LOCK FastLock 78 | ); 79 | 80 | #define PhTryAcquireFastLockShared PhfTryAcquireFastLockShared 81 | _When_(return != 0, _Acquires_shared_lock_(*FastLock)) 82 | PHLIBAPI 83 | BOOLEAN 84 | FASTCALL 85 | PhfTryAcquireFastLockShared( 86 | _Inout_ PPH_FAST_LOCK FastLock 87 | ); 88 | 89 | #ifdef __cplusplus 90 | } 91 | #endif 92 | 93 | 
#endif 94 | -------------------------------------------------------------------------------- /sdk/include/phnt_windows.h: -------------------------------------------------------------------------------- 1 | #ifndef _PHNT_WINDOWS_H 2 | #define _PHNT_WINDOWS_H 3 | 4 | // This header file provides access to Win32, plus NTSTATUS values and some access mask values. 5 | 6 | #define WIN32_LEAN_AND_MEAN 7 | #define WIN32_NO_STATUS 8 | #include 9 | #undef WIN32_NO_STATUS 10 | #include 11 | #include 12 | 13 | typedef double DOUBLE; 14 | typedef GUID *PGUID; 15 | 16 | // Desktop access rights 17 | #define DESKTOP_ALL_ACCESS \ 18 | (DESKTOP_CREATEMENU | DESKTOP_CREATEWINDOW | DESKTOP_ENUMERATE | \ 19 | DESKTOP_HOOKCONTROL | DESKTOP_JOURNALPLAYBACK | DESKTOP_JOURNALRECORD | \ 20 | DESKTOP_READOBJECTS | DESKTOP_SWITCHDESKTOP | DESKTOP_WRITEOBJECTS | \ 21 | STANDARD_RIGHTS_REQUIRED) 22 | #define DESKTOP_GENERIC_READ \ 23 | (DESKTOP_ENUMERATE | DESKTOP_READOBJECTS | STANDARD_RIGHTS_READ) 24 | #define DESKTOP_GENERIC_WRITE \ 25 | (DESKTOP_CREATEMENU | DESKTOP_CREATEWINDOW | DESKTOP_HOOKCONTROL | \ 26 | DESKTOP_JOURNALPLAYBACK | DESKTOP_JOURNALRECORD | DESKTOP_WRITEOBJECTS | \ 27 | STANDARD_RIGHTS_WRITE) 28 | #define DESKTOP_GENERIC_EXECUTE \ 29 | (DESKTOP_SWITCHDESKTOP | STANDARD_RIGHTS_EXECUTE) 30 | 31 | // Window station access rights 32 | #define WINSTA_GENERIC_READ \ 33 | (WINSTA_ENUMDESKTOPS | WINSTA_ENUMERATE | WINSTA_READATTRIBUTES | \ 34 | WINSTA_READSCREEN | STANDARD_RIGHTS_READ) 35 | #define WINSTA_GENERIC_WRITE \ 36 | (WINSTA_ACCESSCLIPBOARD | WINSTA_CREATEDESKTOP | WINSTA_WRITEATTRIBUTES | \ 37 | STANDARD_RIGHTS_WRITE) 38 | #define WINSTA_GENERIC_EXECUTE \ 39 | (WINSTA_ACCESSGLOBALATOMS | WINSTA_EXITWINDOWS | STANDARD_RIGHTS_EXECUTE) 40 | 41 | // WMI access rights 42 | #define WMIGUID_GENERIC_READ \ 43 | (WMIGUID_QUERY | WMIGUID_NOTIFICATION | WMIGUID_READ_DESCRIPTION | \ 44 | STANDARD_RIGHTS_READ) 45 | #define WMIGUID_GENERIC_WRITE \ 46 | (WMIGUID_SET | 
TRACELOG_CREATE_REALTIME | TRACELOG_CREATE_ONDISK | \ 47 | STANDARD_RIGHTS_WRITE) 48 | #define WMIGUID_GENERIC_EXECUTE \ 49 | (WMIGUID_EXECUTE | TRACELOG_GUID_ENABLE | TRACELOG_LOG_EVENT | \ 50 | TRACELOG_ACCESS_REALTIME | TRACELOG_REGISTER_GUIDS | \ 51 | STANDARD_RIGHTS_EXECUTE) 52 | 53 | #endif 54 | -------------------------------------------------------------------------------- /sdk/include/phnt.h: -------------------------------------------------------------------------------- 1 | #ifndef _PHNT_H 2 | #define _PHNT_H 3 | 4 | // This header file provides access to NT APIs. 5 | 6 | // Definitions are annotated to indicate their source. If a definition is not annotated, it has been 7 | // retrieved from an official Microsoft source (NT headers, DDK headers, winnt.h). 8 | 9 | // * "winbase" indicates that a definition has been reconstructed from a Win32-ized NT definition in 10 | // winbase.h. 11 | // * "rev" indicates that a definition has been reverse-engineered. 12 | // * "dbg" indicates that a definition has been obtained from a debug message or assertion in a 13 | // checked build of the kernel or file. 14 | 15 | // Reliability: 16 | // 1. No annotation. 17 | // 2. dbg. 18 | // 3. symbols, private. Types may be incorrect. 19 | // 4. winbase. Names and types may be incorrect. 20 | // 5. rev. 
21 | 22 | // Mode 23 | #define PHNT_MODE_KERNEL 0 24 | #define PHNT_MODE_USER 1 25 | 26 | // Version 27 | #define PHNT_WIN2K 50 28 | #define PHNT_WINXP 51 29 | #define PHNT_WS03 52 30 | #define PHNT_VISTA 60 31 | #define PHNT_WIN7 61 32 | #define PHNT_WIN8 62 33 | #define PHNT_WINBLUE 63 34 | #define PHNT_THRESHOLD 100 35 | #define PHNT_THRESHOLD2 101 36 | 37 | #ifndef PHNT_MODE 38 | #define PHNT_MODE PHNT_MODE_USER 39 | #endif 40 | 41 | #ifndef PHNT_VERSION 42 | #define PHNT_VERSION PHNT_WINXP 43 | #endif 44 | 45 | // Options 46 | 47 | //#define PHNT_NO_INLINE_INIT_STRING 48 | 49 | #ifdef __cplusplus 50 | extern "C" { 51 | #endif 52 | 53 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 54 | #include 55 | #include 56 | #include 57 | #endif 58 | 59 | #include 60 | #include 61 | 62 | #include 63 | #include 64 | #include 65 | 66 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 67 | #include 68 | #include 69 | #include 70 | #include 71 | #include 72 | #include 73 | #include 74 | #include 75 | #include 76 | #endif 77 | 78 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 79 | 80 | #include 81 | #include 82 | #include 83 | #include 84 | 85 | #include 86 | 87 | #include 88 | #include 89 | 90 | #include 91 | 92 | #include 93 | 94 | #endif 95 | 96 | #ifdef __cplusplus 97 | } 98 | #endif 99 | 100 | #endif 101 | -------------------------------------------------------------------------------- /sdk/include/workqueue.h: -------------------------------------------------------------------------------- 1 | #ifndef _PH_WORKQUEUE_H 2 | #define _PH_WORKQUEUE_H 3 | 4 | #ifdef __cplusplus 5 | extern "C" { 6 | #endif 7 | 8 | #if defined(DEBUG) 9 | extern PPH_LIST PhDbgWorkQueueList; 10 | extern PH_QUEUED_LOCK PhDbgWorkQueueListLock; 11 | #endif 12 | 13 | typedef struct _PH_WORK_QUEUE 14 | { 15 | PH_RUNDOWN_PROTECT RundownProtect; 16 | BOOLEAN Terminating; 17 | 18 | LIST_ENTRY QueueListHead; 19 | PH_QUEUED_LOCK QueueLock; 20 | PH_CONDITION QueueEmptyCondition; 21 | 22 | ULONG MaximumThreads; 23 | ULONG MinimumThreads; 24 
| ULONG NoWorkTimeout; 25 | 26 | PH_QUEUED_LOCK StateLock; 27 | HANDLE SemaphoreHandle; 28 | ULONG CurrentThreads; 29 | ULONG BusyCount; 30 | } PH_WORK_QUEUE, *PPH_WORK_QUEUE; 31 | 32 | typedef VOID (NTAPI *PPH_WORK_QUEUE_ITEM_DELETE_FUNCTION)( 33 | _In_ PUSER_THREAD_START_ROUTINE Function, 34 | _In_ PVOID Context 35 | ); 36 | 37 | typedef struct _PH_WORK_QUEUE_ENVIRONMENT 38 | { 39 | LONG BasePriority : 6; // Base priority increment 40 | ULONG IoPriority : 3; // I/O priority hint 41 | ULONG PagePriority : 3; // Page/memory priority 42 | ULONG ForceUpdate : 1; // Always set priorities regardless of cached values 43 | ULONG SpareBits : 19; 44 | } PH_WORK_QUEUE_ENVIRONMENT, *PPH_WORK_QUEUE_ENVIRONMENT; 45 | 46 | PHLIBAPI 47 | VOID 48 | NTAPI 49 | PhInitializeWorkQueue( 50 | _Out_ PPH_WORK_QUEUE WorkQueue, 51 | _In_ ULONG MinimumThreads, 52 | _In_ ULONG MaximumThreads, 53 | _In_ ULONG NoWorkTimeout 54 | ); 55 | 56 | PHLIBAPI 57 | VOID 58 | NTAPI 59 | PhDeleteWorkQueue( 60 | _Inout_ PPH_WORK_QUEUE WorkQueue 61 | ); 62 | 63 | PHLIBAPI 64 | VOID 65 | NTAPI 66 | PhWaitForWorkQueue( 67 | _Inout_ PPH_WORK_QUEUE WorkQueue 68 | ); 69 | 70 | PHLIBAPI 71 | VOID 72 | NTAPI 73 | PhQueueItemWorkQueue( 74 | _Inout_ PPH_WORK_QUEUE WorkQueue, 75 | _In_ PUSER_THREAD_START_ROUTINE Function, 76 | _In_opt_ PVOID Context 77 | ); 78 | 79 | PHLIBAPI 80 | VOID 81 | NTAPI 82 | PhQueueItemWorkQueueEx( 83 | _Inout_ PPH_WORK_QUEUE WorkQueue, 84 | _In_ PUSER_THREAD_START_ROUTINE Function, 85 | _In_opt_ PVOID Context, 86 | _In_opt_ PPH_WORK_QUEUE_ITEM_DELETE_FUNCTION DeleteFunction, 87 | _In_opt_ PPH_WORK_QUEUE_ENVIRONMENT Environment 88 | ); 89 | 90 | PHLIBAPI 91 | VOID 92 | NTAPI 93 | PhInitializeWorkQueueEnvironment( 94 | _Out_ PPH_WORK_QUEUE_ENVIRONMENT Environment 95 | ); 96 | 97 | PHLIBAPI 98 | PPH_WORK_QUEUE 99 | NTAPI 100 | PhGetGlobalWorkQueue( 101 | VOID 102 | ); 103 | 104 | #ifdef __cplusplus 105 | } 106 | #endif 107 | 108 | #endif 109 | 
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | CobaltStrike是一款渗透测试神器,支持http/https、tcp、smb等多种通信方式。 2 | 3 | 在hvv防守方、应急响应等场景中,都有检测CobaltStrike的需求。 4 | 5 | # 推荐使用新工具 6 | 7 | # 以下方案已无法检测带sleep mask特性的beacon 8 | 9 | ## 现有检测方案 10 | 11 | ### 使用特征码扫描 12 | 13 | * 14 | * 15 | * 16 | 17 | 通常使用yara规则去匹配内存或者文件,但缺点如不支持3.x、只支持http/https的beacon等 18 | 19 | ### 内核检测方案 20 | 21 | * [[2021]检测Cobalt Strike只使用40行代码](https://key08.com/index.php/2021/07/25/1260.html) 22 | 23 | 其技术原理是 24 | 25 | 1. 在内核通过PsSetLoadImageNotifyRoutine设置镜像加载通知回调,之后任何exe,dll的加载都会被检测。 26 | 1. 而CobaltStrike使用sRDI方案,shellcode会调用LoadLibrary来加载需要dll,此时获取堆栈回溯 27 | 1. 检测调用者的内存属性为是否为private,是否可写 28 | 29 | 但缺点是 30 | 31 | 1. 内核模块启动要先与CobaltStrike,如果已经运行则无法检测 32 | 1. 在客户业务环境中内核模块要保证稳定性兼容性,还要解决数字签名等问题 33 | 34 | ## CobaltStrike特征分析 35 | 36 | 鉴于以上两种方案各有缺点,CobaltStrike的特征到底是什么? 37 | 38 | 我认为有两个通用的特征 39 | 40 | 1. 对于http/https通信而言CobaltStrike均使用WinINet.dll来进行通信 41 | 1. 无论选择exe/dll/raw等格式,CobaltStrike内存均会sRDI 42 | 43 | ## 通过ETW记录WinINet日志 44 | 45 | ETW可以记录WinINet的进程id、线程id、url、请求头、返回状态码、返回头等信息 46 | 47 | 在应急中,可以通过进程id、线程id、url进一步排查,进而阻断其网络和进程。 48 | 49 | ### 手动操作步骤 50 | 51 | 1. 打开事件查看器 52 | 1. 打开菜单 查看->显示分析和调试日志 53 | 1. 进入 应用程序和服务日志->Microsoft->Windows->WinINet(Microsoft-Windows-WinINet) 54 | 1. 右键启动 `Microsoft-Windows-WinINet/UsageLog` 日志 55 | 56 | ![wininetlog](https://guage.cool/cobaltstrike-detect/wininetlog.png) 57 | 58 | ### 工具 59 | 60 | 用C#写了个简单的工具WinINetLogger 61 | 62 | ![wininetlogger](https://guage.cool/cobaltstrike-detect/wininetlogger.png) 63 | 64 | ## 通过应用层的堆栈回溯判断sRDI和CobaltStrike 65 | 66 | sRDI本身具有很强的隐蔽性,在内存中可以任意编码、加密。 67 | 68 | 但正如前文提到的`内核检测方案`中,其调用系统api时,调用者的内存属性有问题。 69 | 70 | 正常调用系统api时,调用者内存属性一般为IMAGE类型,并且不可写。 71 | 72 | 但也有例外如C#和V8等包含jit即时编译的代码。 73 | 74 | 此时就需要结合CobaltStrike自身的特征 75 | 76 | 1. http/https时,堆栈回溯只有两种情况 77 | 1. 睡眠时: sRDI -> kernel32.dll!Sleep 78 | 1. 
通信时:sRDI -> WinINet.dll!xxxx 79 | 1. bindSMB时,堆栈回溯只有两种情况 80 | 1. 监听管道时:sRDI -> kernel32!ConnectNamedPipe 81 | 1. 读取数据时:sRDI -> kernel32!ReadFile 82 | 1. bindTCP时,堆栈回溯只有两种情况 83 | 1. 监听端口时:sRDI -> ws2_32.dll!accept 84 | 2. 接收数据时:sRDI -> ws2_32.dll!recv 85 | 86 | 分析调用堆栈时,如果这些api的调用者内存有问题,那么就可以确定是CobaltStrike 87 | 88 | ### 通过ProcessHacker插件检测CobaltStrike 89 | 90 | ![results](https://guage.cool/cobaltstrike-detect/results.png) 91 | 92 | ## 参考链接 93 | 94 | * 95 | * 96 | * 97 | * 98 | * 99 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Set default behavior to automatically normalize line endings. 3 | ############################################################################### 4 | * text=auto 5 | 6 | ############################################################################### 7 | # Set default behavior for command prompt diff. 8 | # 9 | # This is need for earlier builds of msysgit that does not have it on by 10 | # default for csharp files. 11 | # Note: This is only used by command line 12 | ############################################################################### 13 | #*.cs diff=csharp 14 | 15 | ############################################################################### 16 | # Set the merge driver for project and solution files 17 | # 18 | # Merging from the command prompt will add diff markers to the files if there 19 | # are conflicts (Merging from VS is not affected by the settings below, in VS 20 | # the diff markers are never inserted). Diff markers may cause the following 21 | # file extensions to fail to load in VS. An alternative would be to treat 22 | # these files as binary and thus will always conflict and require user 23 | # intervention with every merge. 
To do so, just uncomment the entries below 24 | ############################################################################### 25 | #*.sln merge=binary 26 | #*.csproj merge=binary 27 | #*.vbproj merge=binary 28 | #*.vcxproj merge=binary 29 | #*.vcproj merge=binary 30 | #*.dbproj merge=binary 31 | #*.fsproj merge=binary 32 | #*.lsproj merge=binary 33 | #*.wixproj merge=binary 34 | #*.modelproj merge=binary 35 | #*.sqlproj merge=binary 36 | #*.wwaproj merge=binary 37 | 38 | ############################################################################### 39 | # behavior for image files 40 | # 41 | # image files are treated as binary by default. 42 | ############################################################################### 43 | #*.jpg binary 44 | #*.png binary 45 | #*.gif binary 46 | 47 | ############################################################################### 48 | # diff behavior for common document formats 49 | # 50 | # Convert binary document formats to text before diffing them. This feature 51 | # is only available from the command line. Turn it on by uncommenting the 52 | # entries below. 
53 | ############################################################################### 54 | #*.doc diff=astextplain 55 | #*.DOC diff=astextplain 56 | #*.docx diff=astextplain 57 | #*.DOCX diff=astextplain 58 | #*.dot diff=astextplain 59 | #*.DOT diff=astextplain 60 | #*.pdf diff=astextplain 61 | #*.PDF diff=astextplain 62 | #*.rtf diff=astextplain 63 | #*.RTF diff=astextplain 64 | -------------------------------------------------------------------------------- /sdk/include/svcsup.h: -------------------------------------------------------------------------------- 1 | #ifndef _PH_SVCSUP_H 2 | #define _PH_SVCSUP_H 3 | 4 | #ifdef __cplusplus 5 | extern "C" { 6 | #endif 7 | 8 | extern WCHAR *PhServiceTypeStrings[10]; 9 | extern WCHAR *PhServiceStartTypeStrings[5]; 10 | extern WCHAR *PhServiceErrorControlStrings[4]; 11 | 12 | PHLIBAPI 13 | PVOID 14 | NTAPI 15 | PhEnumServices( 16 | _In_ SC_HANDLE ScManagerHandle, 17 | _In_opt_ ULONG Type, 18 | _In_opt_ ULONG State, 19 | _Out_ PULONG Count 20 | ); 21 | 22 | PHLIBAPI 23 | SC_HANDLE 24 | NTAPI 25 | PhOpenService( 26 | _In_ PWSTR ServiceName, 27 | _In_ ACCESS_MASK DesiredAccess 28 | ); 29 | 30 | PHLIBAPI 31 | PVOID 32 | NTAPI 33 | PhGetServiceConfig( 34 | _In_ SC_HANDLE ServiceHandle 35 | ); 36 | 37 | PHLIBAPI 38 | PVOID 39 | NTAPI 40 | PhQueryServiceVariableSize( 41 | _In_ SC_HANDLE ServiceHandle, 42 | _In_ ULONG InfoLevel 43 | ); 44 | 45 | PHLIBAPI 46 | PPH_STRING 47 | NTAPI 48 | PhGetServiceDescription( 49 | _In_ SC_HANDLE ServiceHandle 50 | ); 51 | 52 | PHLIBAPI 53 | BOOLEAN 54 | NTAPI 55 | PhGetServiceDelayedAutoStart( 56 | _In_ SC_HANDLE ServiceHandle, 57 | _Out_ PBOOLEAN DelayedAutoStart 58 | ); 59 | 60 | PHLIBAPI 61 | BOOLEAN 62 | NTAPI 63 | PhSetServiceDelayedAutoStart( 64 | _In_ SC_HANDLE ServiceHandle, 65 | _In_ BOOLEAN DelayedAutoStart 66 | ); 67 | 68 | PHLIBAPI 69 | PWSTR 70 | NTAPI 71 | PhGetServiceStateString( 72 | _In_ ULONG ServiceState 73 | ); 74 | 75 | PHLIBAPI 76 | PWSTR 77 | NTAPI 78 | 
PhGetServiceTypeString( 79 | _In_ ULONG ServiceType 80 | ); 81 | 82 | PHLIBAPI 83 | ULONG 84 | NTAPI 85 | PhGetServiceTypeInteger( 86 | _In_ PWSTR ServiceType 87 | ); 88 | 89 | PHLIBAPI 90 | PWSTR 91 | NTAPI 92 | PhGetServiceStartTypeString( 93 | _In_ ULONG ServiceStartType 94 | ); 95 | 96 | PHLIBAPI 97 | ULONG 98 | NTAPI 99 | PhGetServiceStartTypeInteger( 100 | _In_ PWSTR ServiceStartType 101 | ); 102 | 103 | PHLIBAPI 104 | PWSTR 105 | NTAPI 106 | PhGetServiceErrorControlString( 107 | _In_ ULONG ServiceErrorControl 108 | ); 109 | 110 | PHLIBAPI 111 | ULONG 112 | NTAPI 113 | PhGetServiceErrorControlInteger( 114 | _In_ PWSTR ServiceErrorControl 115 | ); 116 | 117 | PHLIBAPI 118 | PPH_STRING 119 | NTAPI 120 | PhGetServiceNameFromTag( 121 | _In_ HANDLE ProcessId, 122 | _In_ PVOID ServiceTag 123 | ); 124 | 125 | PHLIBAPI 126 | NTSTATUS 127 | NTAPI 128 | PhGetThreadServiceTag( 129 | _In_ HANDLE ThreadHandle, 130 | _In_opt_ HANDLE ProcessHandle, 131 | _Out_ PVOID *ServiceTag 132 | ); 133 | 134 | PHLIBAPI 135 | NTSTATUS 136 | NTAPI 137 | PhGetServiceDllParameter( 138 | _In_ PPH_STRINGREF ServiceName, 139 | _Out_ PPH_STRING *ServiceDll 140 | ); 141 | 142 | #ifdef __cplusplus 143 | } 144 | #endif 145 | 146 | #endif 147 | -------------------------------------------------------------------------------- /sdk/include/phconfig.h: -------------------------------------------------------------------------------- 1 | #ifndef _PH_PHCONFIG_H 2 | #define _PH_PHCONFIG_H 3 | 4 | #ifdef __cplusplus 5 | extern "C" { 6 | #endif 7 | 8 | #define _User_set_ 9 | 10 | PHLIBAPI extern _User_set_ PVOID PhLibImageBase; 11 | 12 | PHLIBAPI extern _User_set_ PWSTR PhApplicationName; 13 | PHLIBAPI extern _User_set_ ULONG PhGlobalDpi; 14 | PHLIBAPI extern PVOID PhHeapHandle; 15 | PHLIBAPI extern RTL_OSVERSIONINFOEXW PhOsVersion; 16 | PHLIBAPI extern SYSTEM_BASIC_INFORMATION PhSystemBasicInformation; 17 | PHLIBAPI extern ULONG WindowsVersion; 18 | 19 | PHLIBAPI extern ACCESS_MASK ProcessQueryAccess; 20 | 
PHLIBAPI extern ACCESS_MASK ProcessAllAccess; 21 | PHLIBAPI extern ACCESS_MASK ThreadQueryAccess; 22 | PHLIBAPI extern ACCESS_MASK ThreadSetAccess; 23 | PHLIBAPI extern ACCESS_MASK ThreadAllAccess; 24 | 25 | #define WINDOWS_ANCIENT 0 26 | #define WINDOWS_XP 51 27 | #define WINDOWS_SERVER_2003 52 28 | #define WINDOWS_VISTA 60 29 | #define WINDOWS_7 61 30 | #define WINDOWS_8 62 31 | #define WINDOWS_8_1 63 32 | #define WINDOWS_10 100 33 | #define WINDOWS_NEW MAXLONG 34 | 35 | #define WINDOWS_HAS_CONSOLE_HOST (WindowsVersion >= WINDOWS_7) 36 | #define WINDOWS_HAS_CYCLE_TIME (WindowsVersion >= WINDOWS_VISTA) 37 | #define WINDOWS_HAS_IFILEDIALOG (WindowsVersion >= WINDOWS_VISTA) 38 | #define WINDOWS_HAS_IMAGE_FILE_NAME_BY_PROCESS_ID (WindowsVersion >= WINDOWS_VISTA) 39 | #define WINDOWS_HAS_IMMERSIVE (WindowsVersion >= WINDOWS_8) 40 | #define WINDOWS_HAS_LIMITED_ACCESS (WindowsVersion >= WINDOWS_VISTA) 41 | #define WINDOWS_HAS_SERVICE_TAGS (WindowsVersion >= WINDOWS_VISTA) 42 | #define WINDOWS_HAS_UAC (WindowsVersion >= WINDOWS_VISTA) 43 | 44 | // Debugging 45 | 46 | #ifdef DEBUG 47 | #define dprintf(format, ...) DbgPrint(format, __VA_ARGS__) 48 | #else 49 | #define dprintf(format, ...) 50 | #endif 51 | 52 | // global 53 | 54 | // Initialization flags 55 | 56 | // Features 57 | 58 | // Imports 59 | 60 | #define PHLIB_INIT_MODULE_RESERVED1 0x1 61 | #define PHLIB_INIT_MODULE_RESERVED2 0x2 62 | /** Needed to use work queues. */ 63 | #define PHLIB_INIT_MODULE_RESERVED3 0x4 64 | #define PHLIB_INIT_MODULE_RESERVED4 0x8 65 | /** Needed to use file streams. */ 66 | #define PHLIB_INIT_MODULE_FILE_STREAM 0x10 67 | /** Needed to use symbol providers. 
*/ 68 | #define PHLIB_INIT_MODULE_SYMBOL_PROVIDER 0x20 69 | #define PHLIB_INIT_MODULE_RESERVED5 0x40 70 | 71 | PHLIBAPI 72 | NTSTATUS 73 | NTAPI 74 | PhInitializePhLib( 75 | VOID 76 | ); 77 | 78 | PHLIBAPI 79 | NTSTATUS 80 | NTAPI 81 | PhInitializePhLibEx( 82 | _In_ ULONG Flags, 83 | _In_opt_ SIZE_T HeapReserveSize, 84 | _In_opt_ SIZE_T HeapCommitSize 85 | ); 86 | 87 | #ifdef _WIN64 88 | FORCEINLINE 89 | BOOLEAN 90 | PhIsExecutingInWow64( 91 | VOID 92 | ) 93 | { 94 | return FALSE; 95 | } 96 | #else 97 | PHLIBAPI 98 | BOOLEAN 99 | NTAPI 100 | PhIsExecutingInWow64( 101 | VOID 102 | ); 103 | #endif 104 | 105 | #ifdef __cplusplus 106 | } 107 | #endif 108 | 109 | #endif 110 | -------------------------------------------------------------------------------- /sdk/include/subprocesstag.h: -------------------------------------------------------------------------------- 1 | #ifndef _SUBPROCESSTAG_H 2 | #define _SUBPROCESSTAG_H 3 | 4 | // Subprocess tag information 5 | 6 | typedef enum _TAG_INFO_LEVEL 7 | { 8 | eTagInfoLevelNameFromTag = 1, // TAG_INFO_NAME_FROM_TAG 9 | eTagInfoLevelNamesReferencingModule, // TAG_INFO_NAMES_REFERENCING_MODULE 10 | eTagInfoLevelNameTagMapping, // TAG_INFO_NAME_TAG_MAPPING 11 | eTagInfoLevelMax 12 | } TAG_INFO_LEVEL; 13 | 14 | typedef enum _TAG_TYPE 15 | { 16 | eTagTypeService = 1, 17 | eTagTypeMax 18 | } TAG_TYPE; 19 | 20 | typedef struct _TAG_INFO_NAME_FROM_TAG_IN_PARAMS 21 | { 22 | DWORD dwPid; 23 | DWORD dwTag; 24 | } TAG_INFO_NAME_FROM_TAG_IN_PARAMS, *PTAG_INFO_NAME_FROM_TAG_IN_PARAMS; 25 | 26 | typedef struct _TAG_INFO_NAME_FROM_TAG_OUT_PARAMS 27 | { 28 | DWORD eTagType; 29 | LPWSTR pszName; 30 | } TAG_INFO_NAME_FROM_TAG_OUT_PARAMS, *PTAG_INFO_NAME_FROM_TAG_OUT_PARAMS; 31 | 32 | typedef struct _TAG_INFO_NAME_FROM_TAG 33 | { 34 | TAG_INFO_NAME_FROM_TAG_IN_PARAMS InParams; 35 | TAG_INFO_NAME_FROM_TAG_OUT_PARAMS OutParams; 36 | } TAG_INFO_NAME_FROM_TAG, *PTAG_INFO_NAME_FROM_TAG; 37 | 38 | typedef struct 
_TAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS 39 | { 40 | DWORD dwPid; 41 | LPWSTR pszModule; 42 | } TAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS, *PTAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS; 43 | 44 | typedef struct _TAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS 45 | { 46 | DWORD eTagType; 47 | LPWSTR pmszNames; 48 | } TAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS, *PTAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS; 49 | 50 | typedef struct _TAG_INFO_NAMES_REFERENCING_MODULE 51 | { 52 | TAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS InParams; 53 | TAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS OutParams; 54 | } TAG_INFO_NAMES_REFERENCING_MODULE, *PTAG_INFO_NAMES_REFERENCING_MODULE; 55 | 56 | typedef struct _TAG_INFO_NAME_TAG_MAPPING_IN_PARAMS 57 | { 58 | DWORD dwPid; 59 | } TAG_INFO_NAME_TAG_MAPPING_IN_PARAMS, *PTAG_INFO_NAME_TAG_MAPPING_IN_PARAMS; 60 | 61 | typedef struct _TAG_INFO_NAME_TAG_MAPPING_ELEMENT 62 | { 63 | DWORD eTagType; 64 | DWORD dwTag; 65 | LPWSTR pszName; 66 | LPWSTR pszGroupName; 67 | } TAG_INFO_NAME_TAG_MAPPING_ELEMENT, *PTAG_INFO_NAME_TAG_MAPPING_ELEMENT; 68 | 69 | typedef struct _TAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS 70 | { 71 | DWORD cElements; 72 | PTAG_INFO_NAME_TAG_MAPPING_ELEMENT pNameTagMappingElements; 73 | } TAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS, *PTAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS; 74 | 75 | typedef struct _TAG_INFO_NAME_TAG_MAPPING 76 | { 77 | TAG_INFO_NAME_TAG_MAPPING_IN_PARAMS InParams; 78 | PTAG_INFO_NAME_TAG_MAPPING_OUT_PARAMS pOutParams; 79 | } TAG_INFO_NAME_TAG_MAPPING, *PTAG_INFO_NAME_TAG_MAPPING; 80 | 81 | _Must_inspect_result_ 82 | DWORD 83 | WINAPI 84 | I_QueryTagInformation( 85 | _In_opt_ LPCWSTR pszMachineName, 86 | _In_ TAG_INFO_LEVEL eInfoLevel, 87 | _Inout_ PVOID pTagInfo 88 | ); 89 | 90 | typedef DWORD (WINAPI *PQUERY_TAG_INFORMATION)( 91 | _In_opt_ LPCWSTR pszMachineName, 92 | _In_ TAG_INFO_LEVEL eInfoLevel, 93 | _Inout_ PVOID pTagInfo 94 | ); 95 | 96 | #endif 97 | 
-------------------------------------------------------------------------------- /sdk/include/provider.h: -------------------------------------------------------------------------------- 1 | #ifndef _PH_PROVIDER_H 2 | #define _PH_PROVIDER_H 3 | 4 | #ifdef __cplusplus 5 | extern "C" { 6 | #endif 7 | 8 | #if defined(DEBUG) 9 | extern PPH_LIST PhDbgProviderList; 10 | extern PH_QUEUED_LOCK PhDbgProviderListLock; 11 | #endif 12 | 13 | typedef enum _PH_PROVIDER_THREAD_STATE 14 | { 15 | ProviderThreadRunning, 16 | ProviderThreadStopped, 17 | ProviderThreadStopping 18 | } PH_PROVIDER_THREAD_STATE; 19 | 20 | typedef VOID (NTAPI *PPH_PROVIDER_FUNCTION)( 21 | _In_ PVOID Object 22 | ); 23 | 24 | struct _PH_PROVIDER_THREAD; 25 | typedef struct _PH_PROVIDER_THREAD *PPH_PROVIDER_THREAD; 26 | 27 | typedef struct _PH_PROVIDER_REGISTRATION 28 | { 29 | LIST_ENTRY ListEntry; 30 | PPH_PROVIDER_THREAD ProviderThread; 31 | PPH_PROVIDER_FUNCTION Function; 32 | PVOID Object; 33 | ULONG RunId; 34 | BOOLEAN Enabled; 35 | BOOLEAN Unregistering; 36 | BOOLEAN Boosting; 37 | } PH_PROVIDER_REGISTRATION, *PPH_PROVIDER_REGISTRATION; 38 | 39 | typedef struct _PH_PROVIDER_THREAD 40 | { 41 | HANDLE ThreadHandle; 42 | HANDLE TimerHandle; 43 | ULONG Interval; 44 | PH_PROVIDER_THREAD_STATE State; 45 | 46 | PH_QUEUED_LOCK Lock; 47 | LIST_ENTRY ListHead; 48 | ULONG BoostCount; 49 | } PH_PROVIDER_THREAD, *PPH_PROVIDER_THREAD; 50 | 51 | PHLIBAPI 52 | VOID 53 | NTAPI 54 | PhInitializeProviderThread( 55 | _Out_ PPH_PROVIDER_THREAD ProviderThread, 56 | _In_ ULONG Interval 57 | ); 58 | 59 | PHLIBAPI 60 | VOID 61 | NTAPI 62 | PhDeleteProviderThread( 63 | _Inout_ PPH_PROVIDER_THREAD ProviderThread 64 | ); 65 | 66 | PHLIBAPI 67 | VOID 68 | NTAPI 69 | PhStartProviderThread( 70 | _Inout_ PPH_PROVIDER_THREAD ProviderThread 71 | ); 72 | 73 | PHLIBAPI 74 | VOID 75 | NTAPI 76 | PhStopProviderThread( 77 | _Inout_ PPH_PROVIDER_THREAD ProviderThread 78 | ); 79 | 80 | PHLIBAPI 81 | VOID 82 | NTAPI 83 | 
PhSetIntervalProviderThread( 84 | _Inout_ PPH_PROVIDER_THREAD ProviderThread, 85 | _In_ ULONG Interval 86 | ); 87 | 88 | PHLIBAPI 89 | VOID 90 | NTAPI 91 | PhRegisterProvider( 92 | _Inout_ PPH_PROVIDER_THREAD ProviderThread, 93 | _In_ PPH_PROVIDER_FUNCTION Function, 94 | _In_opt_ PVOID Object, 95 | _Out_ PPH_PROVIDER_REGISTRATION Registration 96 | ); 97 | 98 | PHLIBAPI 99 | VOID 100 | NTAPI 101 | PhUnregisterProvider( 102 | _Inout_ PPH_PROVIDER_REGISTRATION Registration 103 | ); 104 | 105 | PHLIBAPI 106 | BOOLEAN 107 | NTAPI 108 | PhBoostProvider( 109 | _Inout_ PPH_PROVIDER_REGISTRATION Registration, 110 | _Out_opt_ PULONG FutureRunId 111 | ); 112 | 113 | PHLIBAPI 114 | ULONG 115 | NTAPI 116 | PhGetRunIdProvider( 117 | _In_ PPH_PROVIDER_REGISTRATION Registration 118 | ); 119 | 120 | PHLIBAPI 121 | BOOLEAN 122 | NTAPI 123 | PhGetEnabledProvider( 124 | _In_ PPH_PROVIDER_REGISTRATION Registration 125 | ); 126 | 127 | PHLIBAPI 128 | VOID 129 | NTAPI 130 | PhSetEnabledProvider( 131 | _Inout_ PPH_PROVIDER_REGISTRATION Registration, 132 | _In_ BOOLEAN Enabled 133 | ); 134 | 135 | #ifdef __cplusplus 136 | } 137 | #endif 138 | 139 | #endif 140 | -------------------------------------------------------------------------------- /sdk/include/circbuf_h.h: -------------------------------------------------------------------------------- 1 | #ifdef T 2 | 3 | #include 4 | 5 | #ifdef __cplusplus 6 | extern "C" { 7 | #endif 8 | 9 | typedef struct T___(_PH_CIRCULAR_BUFFER, T) 10 | { 11 | ULONG Size; 12 | #ifdef PH_CIRCULAR_BUFFER_POWER_OF_TWO_SIZE 13 | ULONG SizeMinusOne; 14 | #endif 15 | ULONG Count; 16 | LONG Index; 17 | T *Data; 18 | } T___(PH_CIRCULAR_BUFFER, T), *T___(PPH_CIRCULAR_BUFFER, T); 19 | 20 | PHLIBAPI 21 | VOID 22 | NTAPI 23 | T___(PhInitializeCircularBuffer, T)( 24 | _Out_ T___(PPH_CIRCULAR_BUFFER, T) Buffer, 25 | _In_ ULONG Size 26 | ); 27 | 28 | PHLIBAPI 29 | VOID 30 | NTAPI 31 | T___(PhDeleteCircularBuffer, T)( 32 | _Inout_ T___(PPH_CIRCULAR_BUFFER, T) Buffer 33 | ); 
34 | 35 | PHLIBAPI 36 | VOID 37 | NTAPI 38 | T___(PhResizeCircularBuffer, T)( 39 | _Inout_ T___(PPH_CIRCULAR_BUFFER, T) Buffer, 40 | _In_ ULONG NewSize 41 | ); 42 | 43 | PHLIBAPI 44 | VOID 45 | NTAPI 46 | T___(PhClearCircularBuffer, T)( 47 | _Inout_ T___(PPH_CIRCULAR_BUFFER, T) Buffer 48 | ); 49 | 50 | PHLIBAPI 51 | VOID 52 | NTAPI 53 | T___(PhCopyCircularBuffer, T)( 54 | _Inout_ T___(PPH_CIRCULAR_BUFFER, T) Buffer, 55 | _Out_writes_(Count) T *Destination, 56 | _In_ ULONG Count 57 | ); 58 | 59 | FORCEINLINE T T___(PhGetItemCircularBuffer, T)( 60 | _In_ T___(PPH_CIRCULAR_BUFFER, T) Buffer, 61 | _In_ LONG Index 62 | ) 63 | { 64 | #ifdef PH_CIRCULAR_BUFFER_POWER_OF_TWO_SIZE 65 | return Buffer->Data[(Buffer->Index + Index) & Buffer->SizeMinusOne]; 66 | #else 67 | ULONG size; 68 | 69 | size = Buffer->Size; 70 | // Modulo is dividend-based. 71 | return Buffer->Data[(((Buffer->Index + Index) % size) + size) % size]; 72 | #endif 73 | } 74 | 75 | FORCEINLINE VOID T___(PhSetItemCircularBuffer, T)( 76 | _Inout_ T___(PPH_CIRCULAR_BUFFER, T) Buffer, 77 | _In_ LONG Index, 78 | _In_ T Value 79 | ) 80 | { 81 | #ifdef PH_CIRCULAR_BUFFER_POWER_OF_TWO_SIZE 82 | Buffer->Data[(Buffer->Index + Index) & Buffer->SizeMinusOne] = Value; 83 | #else 84 | ULONG size; 85 | 86 | size = Buffer->Size; 87 | Buffer->Data[(((Buffer->Index + Index) % size) + size) % size] = Value; 88 | #endif 89 | } 90 | 91 | FORCEINLINE VOID T___(PhAddItemCircularBuffer, T)( 92 | _Inout_ T___(PPH_CIRCULAR_BUFFER, T) Buffer, 93 | _In_ T Value 94 | ) 95 | { 96 | #ifdef PH_CIRCULAR_BUFFER_POWER_OF_TWO_SIZE 97 | Buffer->Data[Buffer->Index = ((Buffer->Index - 1) & Buffer->SizeMinusOne)] = Value; 98 | #else 99 | ULONG size; 100 | 101 | size = Buffer->Size; 102 | Buffer->Data[Buffer->Index = (((Buffer->Index - 1) % size) + size) % size] = Value; 103 | #endif 104 | 105 | if (Buffer->Count < Buffer->Size) 106 | Buffer->Count++; 107 | } 108 | 109 | FORCEINLINE T T___(PhAddItemCircularBuffer2, T)( 110 | _Inout_ 
T___(PPH_CIRCULAR_BUFFER, T) Buffer, 111 | _In_ T Value 112 | ) 113 | { 114 | LONG index; 115 | T oldValue; 116 | 117 | #ifdef PH_CIRCULAR_BUFFER_POWER_OF_TWO_SIZE 118 | index = ((Buffer->Index - 1) & Buffer->SizeMinusOne); 119 | #else 120 | ULONG size; 121 | 122 | size = Buffer->Size; 123 | index = (((Buffer->Index - 1) % size) + size) % size; 124 | #endif 125 | 126 | Buffer->Index = index; 127 | oldValue = Buffer->Data[index]; 128 | Buffer->Data[index] = Value; 129 | 130 | if (Buffer->Count < Buffer->Size) 131 | Buffer->Count++; 132 | 133 | return oldValue; 134 | } 135 | 136 | #ifdef __cplusplus 137 | } 138 | #endif 139 | 140 | #endif 141 | -------------------------------------------------------------------------------- /sdk/include/hndlinfo.h: -------------------------------------------------------------------------------- 1 | #ifndef _PH_HNDLINFO_H 2 | #define _PH_HNDLINFO_H 3 | 4 | #ifdef __cplusplus 5 | extern "C" { 6 | #endif 7 | 8 | #define MAX_OBJECT_TYPE_NUMBER 257 9 | 10 | typedef PPH_STRING (NTAPI *PPH_GET_CLIENT_ID_NAME)( 11 | _In_ PCLIENT_ID ClientId 12 | ); 13 | 14 | PHLIBAPI 15 | PPH_GET_CLIENT_ID_NAME 16 | NTAPI 17 | PhSetHandleClientIdFunction( 18 | _In_ PPH_GET_CLIENT_ID_NAME GetClientIdName 19 | ); 20 | 21 | PHLIBAPI 22 | PPH_STRING 23 | NTAPI 24 | PhFormatNativeKeyName( 25 | _In_ PPH_STRING Name 26 | ); 27 | 28 | PHLIBAPI 29 | NTSTATUS 30 | NTAPI 31 | PhGetSectionFileName( 32 | _In_ HANDLE SectionHandle, 33 | _Out_ PPH_STRING *FileName 34 | ); 35 | 36 | PHLIBAPI 37 | _Callback_ PPH_STRING 38 | NTAPI 39 | PhStdGetClientIdName( 40 | _In_ PCLIENT_ID ClientId 41 | ); 42 | 43 | PHLIBAPI 44 | NTSTATUS 45 | NTAPI 46 | PhGetHandleInformation( 47 | _In_ HANDLE ProcessHandle, 48 | _In_ HANDLE Handle, 49 | _In_ ULONG ObjectTypeNumber, 50 | _Out_opt_ POBJECT_BASIC_INFORMATION BasicInformation, 51 | _Out_opt_ PPH_STRING *TypeName, 52 | _Out_opt_ PPH_STRING *ObjectName, 53 | _Out_opt_ PPH_STRING *BestObjectName 54 | ); 55 | 56 | PHLIBAPI 57 | NTSTATUS 58 | 
NTAPI 59 | PhGetHandleInformationEx( 60 | _In_ HANDLE ProcessHandle, 61 | _In_ HANDLE Handle, 62 | _In_ ULONG ObjectTypeNumber, 63 | _Reserved_ ULONG Flags, 64 | _Out_opt_ PNTSTATUS SubStatus, 65 | _Out_opt_ POBJECT_BASIC_INFORMATION BasicInformation, 66 | _Out_opt_ PPH_STRING *TypeName, 67 | _Out_opt_ PPH_STRING *ObjectName, 68 | _Out_opt_ PPH_STRING *BestObjectName, 69 | _Reserved_ PVOID *ExtraInformation 70 | ); 71 | 72 | #define PH_FIRST_OBJECT_TYPE(ObjectTypes) \ 73 | (POBJECT_TYPE_INFORMATION)((PCHAR)(ObjectTypes) + ALIGN_UP(sizeof(OBJECT_TYPES_INFORMATION), ULONG_PTR)) 74 | 75 | #define PH_NEXT_OBJECT_TYPE(ObjectType) \ 76 | (POBJECT_TYPE_INFORMATION)((PCHAR)(ObjectType) + sizeof(OBJECT_TYPE_INFORMATION) + \ 77 | ALIGN_UP(ObjectType->TypeName.MaximumLength, ULONG_PTR)) 78 | 79 | PHLIBAPI 80 | NTSTATUS 81 | NTAPI 82 | PhEnumObjectTypes( 83 | _Out_ POBJECT_TYPES_INFORMATION *ObjectTypes 84 | ); 85 | 86 | PHLIBAPI 87 | ULONG 88 | NTAPI 89 | PhGetObjectTypeNumber( 90 | _In_ PUNICODE_STRING TypeName 91 | ); 92 | 93 | PHLIBAPI 94 | NTSTATUS 95 | NTAPI 96 | PhCallWithTimeout( 97 | _In_ PUSER_THREAD_START_ROUTINE Routine, 98 | _In_opt_ PVOID Context, 99 | _In_opt_ PLARGE_INTEGER AcquireTimeout, 100 | _In_ PLARGE_INTEGER CallTimeout 101 | ); 102 | 103 | PHLIBAPI 104 | NTSTATUS 105 | NTAPI 106 | PhCallNtQueryObjectWithTimeout( 107 | _In_ HANDLE Handle, 108 | _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass, 109 | _Out_writes_bytes_opt_(ObjectInformationLength) PVOID ObjectInformation, 110 | _In_ ULONG ObjectInformationLength, 111 | _Out_opt_ PULONG ReturnLength 112 | ); 113 | 114 | PHLIBAPI 115 | NTSTATUS 116 | NTAPI 117 | PhCallNtQuerySecurityObjectWithTimeout( 118 | _In_ HANDLE Handle, 119 | _In_ SECURITY_INFORMATION SecurityInformation, 120 | _Out_writes_bytes_opt_(Length) PSECURITY_DESCRIPTOR SecurityDescriptor, 121 | _In_ ULONG Length, 122 | _Out_ PULONG LengthNeeded 123 | ); 124 | 125 | PHLIBAPI 126 | NTSTATUS 127 | NTAPI 128 | 
PhCallNtSetSecurityObjectWithTimeout( 129 | _In_ HANDLE Handle, 130 | _In_ SECURITY_INFORMATION SecurityInformation, 131 | _In_ PSECURITY_DESCRIPTOR SecurityDescriptor 132 | ); 133 | 134 | #ifdef __cplusplus 135 | } 136 | #endif 137 | 138 | #endif 139 | -------------------------------------------------------------------------------- /sdk/include/ntkeapi.h: -------------------------------------------------------------------------------- 1 | #ifndef _NTKEAPI_H 2 | #define _NTKEAPI_H 3 | 4 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 5 | #define LOW_PRIORITY 0 // Lowest thread priority level 6 | #define LOW_REALTIME_PRIORITY 16 // Lowest realtime priority level 7 | #define HIGH_PRIORITY 31 // Highest thread priority level 8 | #define MAXIMUM_PRIORITY 32 // Number of thread priority levels 9 | #endif 10 | 11 | typedef enum _KTHREAD_STATE 12 | { 13 | Initialized, 14 | Ready, 15 | Running, 16 | Standby, 17 | Terminated, 18 | Waiting, 19 | Transition, 20 | DeferredReady, 21 | GateWaitObsolete, 22 | WaitingForProcessInSwap, 23 | MaximumThreadState 24 | } KTHREAD_STATE, *PKTHREAD_STATE; 25 | 26 | // private 27 | typedef enum _KHETERO_CPU_POLICY 28 | { 29 | KHeteroCpuPolicyAll, 30 | KHeteroCpuPolicyLarge, 31 | KHeteroCpuPolicyLargeOrIdle, 32 | KHeteroCpuPolicySmall, 33 | KHeteroCpuPolicySmallOrIdle, 34 | KHeteroCpuPolicyDynamic, 35 | KHeteroCpuPolicyStaticMax, 36 | KHeteroCpuPolicyBiasedSmall, 37 | KHeteroCpuPolicyBiasedLarge, 38 | KHeteroCpuPolicyDefault, 39 | KHeteroCpuPolicyMax 40 | } KHETERO_CPU_POLICY, *PKHETERO_CPU_POLICY; 41 | 42 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 43 | 44 | typedef enum _KWAIT_REASON 45 | { 46 | Executive, 47 | FreePage, 48 | PageIn, 49 | PoolAllocation, 50 | DelayExecution, 51 | Suspended, 52 | UserRequest, 53 | WrExecutive, 54 | WrFreePage, 55 | WrPageIn, 56 | WrPoolAllocation, 57 | WrDelayExecution, 58 | WrSuspended, 59 | WrUserRequest, 60 | WrEventPair, 61 | WrQueue, 62 | WrLpcReceive, 63 | WrLpcReply, 64 | WrVirtualMemory, 65 | WrPageOut, 66 | 
WrRendezvous, 67 | WrKeyedEvent, 68 | WrTerminated, 69 | WrProcessInSwap, 70 | WrCpuRateControl, 71 | WrCalloutStack, 72 | WrKernel, 73 | WrResource, 74 | WrPushLock, 75 | WrMutex, 76 | WrQuantumEnd, 77 | WrDispatchInt, 78 | WrPreempted, 79 | WrYieldExecution, 80 | WrFastMutex, 81 | WrGuardedMutex, 82 | WrRundown, 83 | WrAlertByThreadId, 84 | WrDeferredPreempt, 85 | MaximumWaitReason 86 | } KWAIT_REASON, *PKWAIT_REASON; 87 | 88 | typedef enum _KPROFILE_SOURCE 89 | { 90 | ProfileTime, 91 | ProfileAlignmentFixup, 92 | ProfileTotalIssues, 93 | ProfilePipelineDry, 94 | ProfileLoadInstructions, 95 | ProfilePipelineFrozen, 96 | ProfileBranchInstructions, 97 | ProfileTotalNonissues, 98 | ProfileDcacheMisses, 99 | ProfileIcacheMisses, 100 | ProfileCacheMisses, 101 | ProfileBranchMispredictions, 102 | ProfileStoreInstructions, 103 | ProfileFpInstructions, 104 | ProfileIntegerInstructions, 105 | Profile2Issue, 106 | Profile3Issue, 107 | Profile4Issue, 108 | ProfileSpecialInstructions, 109 | ProfileTotalCycles, 110 | ProfileIcacheIssues, 111 | ProfileDcacheAccesses, 112 | ProfileMemoryBarrierCycles, 113 | ProfileLoadLinkedIssues, 114 | ProfileMaximum 115 | } KPROFILE_SOURCE; 116 | 117 | #endif 118 | 119 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 120 | 121 | NTSYSCALLAPI 122 | NTSTATUS 123 | NTAPI 124 | NtCallbackReturn( 125 | _In_reads_bytes_opt_(OutputLength) PVOID OutputBuffer, 126 | _In_ ULONG OutputLength, 127 | _In_ NTSTATUS Status 128 | ); 129 | 130 | #if (PHNT_VERSION >= PHNT_VISTA) 131 | NTSYSCALLAPI 132 | VOID 133 | NTAPI 134 | NtFlushProcessWriteBuffers( 135 | VOID 136 | ); 137 | #endif 138 | 139 | NTSYSCALLAPI 140 | NTSTATUS 141 | NTAPI 142 | NtQueryDebugFilterState( 143 | _In_ ULONG ComponentId, 144 | _In_ ULONG Level 145 | ); 146 | 147 | NTSYSCALLAPI 148 | NTSTATUS 149 | NTAPI 150 | NtSetDebugFilterState( 151 | _In_ ULONG ComponentId, 152 | _In_ ULONG Level, 153 | _In_ BOOLEAN State 154 | ); 155 | 156 | NTSYSCALLAPI 157 | NTSTATUS 158 | NTAPI 159 | NtYieldExecution( 
    VOID
    );

#endif

#endif
--------------------------------------------------------------------------------
/sdk/include/secedit.h:
--------------------------------------------------------------------------------
#ifndef _PH_SECEDIT_H
#define _PH_SECEDIT_H

#ifdef __cplusplus
extern "C" {
#endif

// secedit

// One row of an access-rights table: a display name for an ACCESS_MASK plus
// whether it is a generic/general right or a type-specific one.
typedef struct _PH_ACCESS_ENTRY
{
    PWSTR Name;
    ACCESS_MASK Access;
    BOOLEAN General;
    BOOLEAN Specific;
    PWSTR ShortName;
} PH_ACCESS_ENTRY, *PPH_ACCESS_ENTRY;

PHLIBAPI
HPROPSHEETPAGE
NTAPI
PhCreateSecurityPage(
    _In_ PWSTR ObjectName,
    _In_ PPH_GET_OBJECT_SECURITY GetObjectSecurity,
    _In_ PPH_SET_OBJECT_SECURITY SetObjectSecurity,
    _In_opt_ PVOID Context,
    _In_ PPH_ACCESS_ENTRY AccessEntries,
    _In_ ULONG NumberOfAccessEntries
    );

PHLIBAPI
VOID
NTAPI
PhEditSecurity(
    _In_ HWND hWnd,
    _In_ PWSTR ObjectName,
    _In_ PPH_GET_OBJECT_SECURITY GetObjectSecurity,
    _In_ PPH_SET_OBJECT_SECURITY SetObjectSecurity,
    _In_opt_ PVOID Context,
    _In_ PPH_ACCESS_ENTRY AccessEntries,
    _In_ ULONG NumberOfAccessEntries
    );

// Context handed to the PhStd* security callbacks: how to open the object and
// which object type it is.
typedef struct _PH_STD_OBJECT_SECURITY
{
    PPH_OPEN_OBJECT OpenObject;
    PWSTR ObjectType;
    PVOID Context;
} PH_STD_OBJECT_SECURITY, *PPH_STD_OBJECT_SECURITY;

/**
 * Maps the SECURITY_INFORMATION bits a caller wants to read onto the access
 * rights the handle must carry for the query to succeed.
 *
 * \param SecurityInformation The parts of the security descriptor to be read.
 *
 * \return READ_CONTROL when owner, group or DACL are requested, plus
 * ACCESS_SYSTEM_SECURITY when the SACL is requested; 0 for no bits.
 */
FORCEINLINE ACCESS_MASK PhGetAccessForGetSecurity(
    _In_ SECURITY_INFORMATION SecurityInformation
    )
{
    // Owner, group and DACL are all readable through the single READ_CONTROL
    // right; the SACL is deliberately guarded by a separate right.
    const SECURITY_INFORMATION readControlParts =
        OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION;
    ACCESS_MASK requiredAccess = 0;

    if (SecurityInformation & readControlParts)
        requiredAccess |= READ_CONTROL;

    if (SecurityInformation & SACL_SECURITY_INFORMATION)
        requiredAccess |= ACCESS_SYSTEM_SECURITY;

    return requiredAccess;
}

FORCEINLINE
/**
 * Maps the SECURITY_INFORMATION bits a caller wants to write onto the access
 * rights the handle must carry for the update to succeed.
 *
 * \param SecurityInformation The parts of the security descriptor to be written.
 *
 * \return WRITE_OWNER for owner/group, WRITE_DAC for the DACL and
 * ACCESS_SYSTEM_SECURITY for the SACL, combined; 0 for no bits.
 */
ACCESS_MASK PhGetAccessForSetSecurity(
    _In_ SECURITY_INFORMATION SecurityInformation
    )
{
    // Owner and group are both covered by WRITE_OWNER; the DACL and SACL each
    // need their own right, so they are tested separately.
    const SECURITY_INFORMATION ownerParts =
        OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION;
    ACCESS_MASK requiredAccess = 0;

    if (SecurityInformation & ownerParts)
        requiredAccess |= WRITE_OWNER;

    if (SecurityInformation & DACL_SECURITY_INFORMATION)
        requiredAccess |= WRITE_DAC;

    if (SecurityInformation & SACL_SECURITY_INFORMATION)
        requiredAccess |= ACCESS_SYSTEM_SECURITY;

    return requiredAccess;
}

// Standard callbacks usable as PPH_GET_OBJECT_SECURITY / PPH_SET_OBJECT_SECURITY;
// Context is expected to be a PPH_STD_OBJECT_SECURITY (inferred from the
// struct above — confirm against the implementation).
PHLIBAPI
_Callback_ NTSTATUS
NTAPI
PhStdGetObjectSecurity(
    _Out_ PSECURITY_DESCRIPTOR *SecurityDescriptor,
    _In_ SECURITY_INFORMATION SecurityInformation,
    _In_opt_ PVOID Context
    );

PHLIBAPI
_Callback_ NTSTATUS
NTAPI
PhStdSetObjectSecurity(
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
    _In_ SECURITY_INFORMATION SecurityInformation,
    _In_opt_ PVOID Context
    );

// NOTE(review): the returned descriptor is an out-pointer; who frees it is not
// stated here — check the implementation before using it.
PHLIBAPI
NTSTATUS
NTAPI
PhGetSeObjectSecurity(
    _In_ HANDLE Handle,
    _In_ ULONG ObjectType,
    _In_ SECURITY_INFORMATION SecurityInformation,
    _Out_ PSECURITY_DESCRIPTOR *SecurityDescriptor
    );

PHLIBAPI
NTSTATUS
NTAPI
PhSetSeObjectSecurity(
    _In_ HANDLE Handle,
    _In_ ULONG ObjectType,
    _In_ SECURITY_INFORMATION SecurityInformation,
    _In_ PSECURITY_DESCRIPTOR SecurityDescriptor
    );

// secdata

PHLIBAPI
BOOLEAN
NTAPI
PhGetAccessEntries(
    _In_ PWSTR Type,
    _Out_ PPH_ACCESS_ENTRY *AccessEntries,
    _Out_ PULONG NumberOfAccessEntries
    );

PHLIBAPI
PPH_STRING
NTAPI
PhGetAccessString(
    _In_ ACCESS_MASK Access,
    _In_ PPH_ACCESS_ENTRY AccessEntries,
    _In_ ULONG NumberOfAccessEntries
    );

#ifdef __cplusplus
}
#endif

#endif
--------------------------------------------------------------------------------
/sdk/include/phnet.h:
--------------------------------------------------------------------------------
#ifndef _PH_PHNET_H
#define _PH_PHNET_H

#include
#include

// Address family bits of PH_IP_ADDRESS.Type / a protocol value.
#define PH_IPV4_NETWORK_TYPE 0x1
#define PH_IPV6_NETWORK_TYPE 0x2
#define PH_NETWORK_TYPE_MASK 0x3

// Transport bits of a protocol value.
#define PH_TCP_PROTOCOL_TYPE 0x10
#define PH_UDP_PROTOCOL_TYPE 0x20
#define PH_PROTOCOL_TYPE_MASK 0x30

#define PH_NO_NETWORK_PROTOCOL 0x0
#define PH_TCP4_NETWORK_PROTOCOL (PH_IPV4_NETWORK_TYPE | PH_TCP_PROTOCOL_TYPE)
#define PH_TCP6_NETWORK_PROTOCOL (PH_IPV6_NETWORK_TYPE | PH_TCP_PROTOCOL_TYPE)
#define PH_UDP4_NETWORK_PROTOCOL (PH_IPV4_NETWORK_TYPE | PH_UDP_PROTOCOL_TYPE)
#define PH_UDP6_NETWORK_PROTOCOL (PH_IPV6_NETWORK_TYPE | PH_UDP_PROTOCOL_TYPE)

// An IPv4 or IPv6 address. Type selects which union member is meaningful;
// Type == 0 means "no address".
typedef struct _PH_IP_ADDRESS
{
    ULONG Type;
    union
    {
        ULONG Ipv4;
        struct in_addr InAddr;
        UCHAR Ipv6[16];
        struct in6_addr In6Addr;
    };
} PH_IP_ADDRESS, *PPH_IP_ADDRESS;

/**
 * Compares two addresses for equality.
 *
 * \param Address1 First address.
 * \param Address2 Second address.
 *
 * \return TRUE when both have Type 0, or when the types match and the address
 * payload (4 bytes for IPv4, 16 bytes otherwise) is identical.
 */
FORCEINLINE BOOLEAN PhEqualIpAddress(
    _In_ PPH_IP_ADDRESS Address1,
    _In_ PPH_IP_ADDRESS Address2
    )
{
    // Two "no address" values are equal without inspecting the payload.
    if (Address1->Type == 0 && Address2->Type == 0)
        return TRUE;

    if (Address1->Type != Address2->Type)
        return FALSE;

    if (Address1->Type == PH_IPV4_NETWORK_TYPE)
        return Address1->Ipv4 == Address2->Ipv4;

    // Every other type is compared as a 16-byte payload, one machine word at a
    // time. NOTE(review): these reinterpreting reads of the UCHAR array rely on
    // the compiler tolerating the aliasing and alignment (MSVC/x86 behaviour).
#ifdef _WIN64
    return
        ((PULONG64)Address1->Ipv6)[0] == ((PULONG64)Address2->Ipv6)[0] &&
        ((PULONG64)Address1->Ipv6)[1] == ((PULONG64)Address2->Ipv6)[1];
#else
    return
        ((PULONG)Address1->Ipv6)[0] == ((PULONG)Address2->Ipv6)[0] &&
        ((PULONG)Address1->Ipv6)[1] == ((PULONG)Address2->Ipv6)[1] &&
        ((PULONG)Address1->Ipv6)[2] == ((PULONG)Address2->Ipv6)[2] &&
        ((PULONG)Address1->Ipv6)[3] == ((PULONG)Address2->Ipv6)[3];
#endif
}

/**
 * Computes a table hash for an address.
 *
 * \param Address The address to hash.
 *
 * \return 0 for Type 0; otherwise the type folded into both 16-bit halves and
 * mixed with the 4-byte (IPv4) or 16-byte (other) payload.
 *
 * NOTE(review): this is a plain mixing hash with no key, so collisions are easy
 * to construct; fine for an internal table index, not for anything adversarial.
 */
FORCEINLINE ULONG PhHashIpAddress(
    _In_ PPH_IP_ADDRESS Address
    )
{
    ULONG hash;

    if (Address->Type == 0)
        return 0;

    // Seed with the type so v4 and v6 payloads that share leading bytes differ.
    hash = Address->Type | (Address->Type << 16);

    if (Address->Type == PH_IPV4_NETWORK_TYPE)
        return hash ^ Address->Ipv4;

    // Alternate add/xor over the four 32-bit words of the payload
    // (ULONG arithmetic wraps, which is intended).
    hash += ((PULONG)Address->Ipv6)[0];
    hash ^= ((PULONG)Address->Ipv6)[1];
    hash += ((PULONG)Address->Ipv6)[2];
    hash ^= ((PULONG)Address->Ipv6)[3];

    return hash;
}

/**
 * Tests whether an address is "null".
 *
 * \param Address The address to test.
 *
 * \return TRUE for Type 0, for an all-zero IPv4 or IPv6 payload, and for any
 * unrecognised type; FALSE for a non-zero IPv4/IPv6 payload.
 */
FORCEINLINE BOOLEAN PhIsNullIpAddress(
    _In_ PPH_IP_ADDRESS Address
    )
{
    switch (Address->Type)
    {
    case PH_IPV4_NETWORK_TYPE:
        return Address->Ipv4 == 0;
    case PH_IPV6_NETWORK_TYPE:
#ifdef _WIN64
        return (((PULONG64)Address->Ipv6)[0] | ((PULONG64)Address->Ipv6)[1]) == 0;
#else
        return (((PULONG)Address->Ipv6)[0] | ((PULONG)Address->Ipv6)[1] |
            ((PULONG)Address->Ipv6)[2] | ((PULONG)Address->Ipv6)[3]) == 0;
#endif
    default:
        // Type 0 ("no address") and any unknown type both count as null.
        return TRUE;
    }
}

// An address/port pair.
typedef struct _PH_IP_ENDPOINT
{
    PH_IP_ADDRESS Address;
    ULONG Port;
} PH_IP_ENDPOINT, *PPH_IP_ENDPOINT;

/**
 * Compares two endpoints: equal when the ports match and the addresses compare
 * equal under PhEqualIpAddress.
 */
FORCEINLINE BOOLEAN PhEqualIpEndpoint(
    _In_ PPH_IP_ENDPOINT Endpoint1,
    _In_ PPH_IP_ENDPOINT Endpoint2
    )
{
    if (Endpoint1->Port != Endpoint2->Port)
        return FALSE;

    return PhEqualIpAddress(&Endpoint1->Address, &Endpoint2->Address);
}

/**
 * Hashes an endpoint as the address hash xor'd with the port.
 */
FORCEINLINE ULONG PhHashIpEndpoint(
    _In_ PPH_IP_ENDPOINT Endpoint
    )
{
    ULONG addressHash = PhHashIpAddress(&Endpoint->Address);

    return addressHash ^ Endpoint->Port;
}

#endif
--------------------------------------------------------------------------------
/sdk/include/ntpnpapi.h:
-------------------------------------------------------------------------------- 1 | #ifndef _NTPNPAPI_H 2 | #define _NTPNPAPI_H 3 | 4 | typedef enum _PLUGPLAY_EVENT_CATEGORY 5 | { 6 | HardwareProfileChangeEvent, 7 | TargetDeviceChangeEvent, 8 | DeviceClassChangeEvent, 9 | CustomDeviceEvent, 10 | DeviceInstallEvent, 11 | DeviceArrivalEvent, 12 | PowerEvent, 13 | VetoEvent, 14 | BlockedDriverEvent, 15 | InvalidIDEvent, 16 | MaxPlugEventCategory 17 | } PLUGPLAY_EVENT_CATEGORY, *PPLUGPLAY_EVENT_CATEGORY; 18 | 19 | typedef struct _PLUGPLAY_EVENT_BLOCK 20 | { 21 | GUID EventGuid; 22 | PLUGPLAY_EVENT_CATEGORY EventCategory; 23 | PULONG Result; 24 | ULONG Flags; 25 | ULONG TotalSize; 26 | PVOID DeviceObject; 27 | 28 | union 29 | { 30 | struct 31 | { 32 | GUID ClassGuid; 33 | WCHAR SymbolicLinkName[1]; 34 | } DeviceClass; 35 | struct 36 | { 37 | WCHAR DeviceIds[1]; 38 | } TargetDevice; 39 | struct 40 | { 41 | WCHAR DeviceId[1]; 42 | } InstallDevice; 43 | struct 44 | { 45 | PVOID NotificationStructure; 46 | WCHAR DeviceIds[1]; 47 | } CustomNotification; 48 | struct 49 | { 50 | PVOID Notification; 51 | } ProfileNotification; 52 | struct 53 | { 54 | ULONG NotificationCode; 55 | ULONG NotificationData; 56 | } PowerNotification; 57 | struct 58 | { 59 | PNP_VETO_TYPE VetoType; 60 | WCHAR DeviceIdVetoNameBuffer[1]; // DeviceIdVetoName 61 | } VetoNotification; 62 | struct 63 | { 64 | GUID BlockedDriverGuid; 65 | } BlockedDriverNotification; 66 | struct 67 | { 68 | WCHAR ParentId[1]; 69 | } InvalidIDNotification; 70 | } u; 71 | } PLUGPLAY_EVENT_BLOCK, *PPLUGPLAY_EVENT_BLOCK; 72 | 73 | typedef enum _PLUGPLAY_CONTROL_CLASS 74 | { 75 | PlugPlayControlEnumerateDevice, 76 | PlugPlayControlRegisterNewDevice, 77 | PlugPlayControlDeregisterDevice, 78 | PlugPlayControlInitializeDevice, 79 | PlugPlayControlStartDevice, 80 | PlugPlayControlUnlockDevice, 81 | PlugPlayControlQueryAndRemoveDevice, 82 | PlugPlayControlUserResponse, 83 | PlugPlayControlGenerateLegacyDevice, 84 | 
PlugPlayControlGetInterfaceDeviceList, 85 | PlugPlayControlProperty, 86 | PlugPlayControlDeviceClassAssociation, 87 | PlugPlayControlGetRelatedDevice, 88 | PlugPlayControlGetInterfaceDeviceAlias, 89 | PlugPlayControlDeviceStatus, 90 | PlugPlayControlGetDeviceDepth, 91 | PlugPlayControlQueryDeviceRelations, 92 | PlugPlayControlTargetDeviceRelation, 93 | PlugPlayControlQueryConflictList, 94 | PlugPlayControlRetrieveDock, 95 | PlugPlayControlResetDevice, 96 | PlugPlayControlHaltDevice, 97 | PlugPlayControlGetBlockedDriverList, 98 | MaxPlugPlayControl 99 | } PLUGPLAY_CONTROL_CLASS, *PPLUGPLAY_CONTROL_CLASS; 100 | 101 | #if (PHNT_VERSION < PHNT_WIN8) 102 | NTSYSCALLAPI 103 | NTSTATUS 104 | NTAPI 105 | NtGetPlugPlayEvent( 106 | _In_ HANDLE EventHandle, 107 | _In_opt_ PVOID Context, 108 | _Out_writes_bytes_(EventBufferSize) PPLUGPLAY_EVENT_BLOCK EventBlock, 109 | _In_ ULONG EventBufferSize 110 | ); 111 | #endif 112 | 113 | NTSYSCALLAPI 114 | NTSTATUS 115 | NTAPI 116 | NtPlugPlayControl( 117 | _In_ PLUGPLAY_CONTROL_CLASS PnPControlClass, 118 | _Inout_updates_bytes_(PnPControlDataLength) PVOID PnPControlData, 119 | _In_ ULONG PnPControlDataLength 120 | ); 121 | 122 | #if (PHNT_VERSION >= PHNT_WIN7) 123 | 124 | NTSYSCALLAPI 125 | NTSTATUS 126 | NTAPI 127 | NtSerializeBoot( 128 | VOID 129 | ); 130 | 131 | NTSYSCALLAPI 132 | NTSTATUS 133 | NTAPI 134 | NtEnableLastKnownGood( 135 | VOID 136 | ); 137 | 138 | NTSYSCALLAPI 139 | NTSTATUS 140 | NTAPI 141 | NtDisableLastKnownGood( 142 | VOID 143 | ); 144 | 145 | #endif 146 | 147 | #if (PHNT_VERSION >= PHNT_VISTA) 148 | NTSYSCALLAPI 149 | NTSTATUS 150 | NTAPI 151 | NtReplacePartitionUnit( 152 | _In_ PUNICODE_STRING TargetInstancePath, 153 | _In_ PUNICODE_STRING SpareInstancePath, 154 | _In_ ULONG Flags 155 | ); 156 | #endif 157 | 158 | #endif 159 | -------------------------------------------------------------------------------- /sdk/include/ntgdi.h: -------------------------------------------------------------------------------- 1 | 
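#ifndef _NTGDI_H
#define _NTGDI_H

#define GDI_MAX_HANDLE_COUNT 0x4000

// Layout of a 32-bit GDI handle value: index | type | alttype | stock | unique,
// from the low bits upwards (shift/bits/mask per field below).
#define GDI_HANDLE_INDEX_SHIFT 0
#define GDI_HANDLE_INDEX_BITS 16
#define GDI_HANDLE_INDEX_MASK 0xffff

#define GDI_HANDLE_TYPE_SHIFT 16
#define GDI_HANDLE_TYPE_BITS 5
#define GDI_HANDLE_TYPE_MASK 0x1f

#define GDI_HANDLE_ALTTYPE_SHIFT 21
#define GDI_HANDLE_ALTTYPE_BITS 2
#define GDI_HANDLE_ALTTYPE_MASK 0x3

#define GDI_HANDLE_STOCK_SHIFT 23
#define GDI_HANDLE_STOCK_BITS 1
#define GDI_HANDLE_STOCK_MASK 0x1

#define GDI_HANDLE_UNIQUE_SHIFT 24
#define GDI_HANDLE_UNIQUE_BITS 8
#define GDI_HANDLE_UNIQUE_MASK 0xff

// Field extractors. Each shifts the field down and masks it; INDEX needs no
// shift because its shift is 0.
#define GDI_HANDLE_INDEX(Handle) ((ULONG)(Handle) & GDI_HANDLE_INDEX_MASK)
#define GDI_HANDLE_TYPE(Handle) (((ULONG)(Handle) >> GDI_HANDLE_TYPE_SHIFT) & GDI_HANDLE_TYPE_MASK)
#define GDI_HANDLE_ALTTYPE(Handle) (((ULONG)(Handle) >> GDI_HANDLE_ALTTYPE_SHIFT) & GDI_HANDLE_ALTTYPE_MASK)
// Fixed: the previous expansion had an unbalanced ')' after the shift and
// would not compile at any use site; it now mirrors GDI_HANDLE_TYPE.
#define GDI_HANDLE_STOCK(Handle) (((ULONG)(Handle) >> GDI_HANDLE_STOCK_SHIFT) & GDI_HANDLE_STOCK_MASK)

#define GDI_MAKE_HANDLE(Index, Unique) ((ULONG)(((ULONG)(Unique) << GDI_HANDLE_INDEX_BITS) | (ULONG)(Index)))

// GDI server-side types

#define GDI_DEF_TYPE 0 // invalid handle
#define GDI_DC_TYPE 1
#define GDI_DD_DIRECTDRAW_TYPE 2
#define GDI_DD_SURFACE_TYPE 3
#define GDI_RGN_TYPE 4
#define GDI_SURF_TYPE 5
#define GDI_CLIENTOBJ_TYPE 6
#define GDI_PATH_TYPE 7
#define GDI_PAL_TYPE 8
#define GDI_ICMLCS_TYPE 9
#define GDI_LFONT_TYPE 10
#define GDI_RFONT_TYPE 11
#define GDI_PFE_TYPE 12
#define GDI_PFT_TYPE 13
#define GDI_ICMCXF_TYPE 14
#define GDI_ICMDLL_TYPE 15
#define GDI_BRUSH_TYPE 16
#define GDI_PFF_TYPE 17 // unused
#define GDI_CACHE_TYPE 18 // unused
#define GDI_SPACE_TYPE 19
#define GDI_DBRUSH_TYPE 20 // unused
#define GDI_META_TYPE 21
#define GDI_EFSTATE_TYPE 22
#define GDI_BMFD_TYPE 23 // unused
#define GDI_VTFD_TYPE 24 // unused
#define GDI_TTFD_TYPE 25 // unused
#define GDI_RC_TYPE 26 // unused
#define GDI_TEMP_TYPE 27 // unused
#define GDI_DRVOBJ_TYPE 28
#define GDI_DCIOBJ_TYPE 29 // unused
#define GDI_SPOOL_TYPE 30

// GDI client-side types

// The client-side type is the type and alttype fields left in place (not
// shifted down), so the GDI_CLIENT_* constants below compare directly.
#define GDI_CLIENT_TYPE_FROM_HANDLE(Handle) ((ULONG)(Handle) & ((GDI_HANDLE_ALTTYPE_MASK << GDI_HANDLE_ALTTYPE_SHIFT) | \
    (GDI_HANDLE_TYPE_MASK << GDI_HANDLE_TYPE_SHIFT)))
#define GDI_CLIENT_TYPE_FROM_UNIQUE(Unique) GDI_CLIENT_TYPE_FROM_HANDLE((ULONG)(Unique) << 16)

#define GDI_ALTTYPE_1 (1 << GDI_HANDLE_ALTTYPE_SHIFT)
#define GDI_ALTTYPE_2 (2 << GDI_HANDLE_ALTTYPE_SHIFT)
#define GDI_ALTTYPE_3 (3 << GDI_HANDLE_ALTTYPE_SHIFT)

#define GDI_CLIENT_BITMAP_TYPE (GDI_SURF_TYPE << GDI_HANDLE_TYPE_SHIFT)
#define GDI_CLIENT_BRUSH_TYPE (GDI_BRUSH_TYPE << GDI_HANDLE_TYPE_SHIFT)
#define GDI_CLIENT_CLIENTOBJ_TYPE (GDI_CLIENTOBJ_TYPE << GDI_HANDLE_TYPE_SHIFT)
#define GDI_CLIENT_DC_TYPE (GDI_DC_TYPE << GDI_HANDLE_TYPE_SHIFT)
#define GDI_CLIENT_FONT_TYPE (GDI_LFONT_TYPE << GDI_HANDLE_TYPE_SHIFT)
#define GDI_CLIENT_PALETTE_TYPE (GDI_PAL_TYPE << GDI_HANDLE_TYPE_SHIFT)
#define GDI_CLIENT_REGION_TYPE (GDI_RGN_TYPE << GDI_HANDLE_TYPE_SHIFT)

#define GDI_CLIENT_ALTDC_TYPE (GDI_CLIENT_DC_TYPE | GDI_ALTTYPE_1)
#define GDI_CLIENT_DIBSECTION_TYPE (GDI_CLIENT_BITMAP_TYPE | GDI_ALTTYPE_1)
#define GDI_CLIENT_EXTPEN_TYPE (GDI_CLIENT_BRUSH_TYPE | GDI_ALTTYPE_2)
#define GDI_CLIENT_METADC16_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_3)
#define GDI_CLIENT_METAFILE_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_2)
#define GDI_CLIENT_METAFILE16_TYPE (GDI_CLIENT_CLIENTOBJ_TYPE | GDI_ALTTYPE_1)
#define GDI_CLIENT_PEN_TYPE (GDI_CLIENT_BRUSH_TYPE | GDI_ALTTYPE_1)

// One slot of the GDI shared handle table. NOTE(review): field meanings are
// not defined on this page beyond their names; treat as an undocumented
// layout and validate Type/Unique against the handle before trusting a slot.
typedef struct _GDI_HANDLE_ENTRY
{
    union
    {
        PVOID Object;
        PVOID NextFree;
    };
    union
    {
        struct
        {
            USHORT ProcessId;
            USHORT Lock : 1;
            USHORT Count : 15;
        };
        ULONG Value;
    } Owner;
    USHORT Unique;
    UCHAR Type;
    UCHAR Flags;
    PVOID UserPointer;
} GDI_HANDLE_ENTRY, *PGDI_HANDLE_ENTRY;

typedef struct _GDI_SHARED_MEMORY
{
    GDI_HANDLE_ENTRY Handles[GDI_MAX_HANDLE_COUNT];
} GDI_SHARED_MEMORY, *PGDI_SHARED_MEMORY;

#endif
--------------------------------------------------------------------------------
/sdk/include/ntpoapi.h:
--------------------------------------------------------------------------------
#ifndef _NTPOAPI_H
#define _NTPOAPI_H

typedef union _POWER_STATE
{
    SYSTEM_POWER_STATE SystemState;
    DEVICE_POWER_STATE DeviceState;
} POWER_STATE, *PPOWER_STATE;

typedef enum _POWER_STATE_TYPE
{
    SystemPowerState = 0,
    DevicePowerState
} POWER_STATE_TYPE, *PPOWER_STATE_TYPE;

#if (PHNT_VERSION >= PHNT_VISTA)
// wdm
typedef struct _SYSTEM_POWER_STATE_CONTEXT
{
    union
    {
        struct
        {
            ULONG Reserved1 : 8;
            ULONG TargetSystemState : 4;
            ULONG EffectiveSystemState : 4;
            ULONG CurrentSystemState : 4;
            ULONG IgnoreHibernationPath : 1;
            ULONG PseudoTransition : 1;
            ULONG Reserved2 : 10;
        };
        ULONG ContextAsUlong;
    };
} SYSTEM_POWER_STATE_CONTEXT, *PSYSTEM_POWER_STATE_CONTEXT;
#endif

#if (PHNT_VERSION >= PHNT_WIN7)
/** \cond NEVER */ // disable doxygen warning
// wdm
typedef struct _COUNTED_REASON_CONTEXT
{
    ULONG Version;
    ULONG Flags;
    union
    {
        struct
        {
            UNICODE_STRING ResourceFileName;
            USHORT ResourceReasonId;
            ULONG StringCount;
            PUNICODE_STRING _Field_size_(StringCount) ReasonStrings;
        };
        UNICODE_STRING SimpleString;
    };
} COUNTED_REASON_CONTEXT,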
*PCOUNTED_REASON_CONTEXT; 56 | /** \endcond */ 57 | #endif 58 | 59 | typedef enum 60 | { 61 | PowerStateSleeping1 = 0, 62 | PowerStateSleeping2 = 1, 63 | PowerStateSleeping3 = 2, 64 | PowerStateSleeping4 = 3, 65 | PowerStateSleeping4Firmware = 4, 66 | PowerStateShutdownReset = 5, 67 | PowerStateShutdownOff = 6, 68 | PowerStateMaximum = 7 69 | } POWER_STATE_HANDLER_TYPE, *PPOWER_STATE_HANDLER_TYPE; 70 | 71 | typedef NTSTATUS (NTAPI *PENTER_STATE_SYSTEM_HANDLER)( 72 | _In_ PVOID SystemContext 73 | ); 74 | 75 | typedef NTSTATUS (NTAPI *PENTER_STATE_HANDLER)( 76 | _In_ PVOID Context, 77 | _In_opt_ PENTER_STATE_SYSTEM_HANDLER SystemHandler, 78 | _In_ PVOID SystemContext, 79 | _In_ LONG NumberProcessors, 80 | _In_ volatile PLONG Number 81 | ); 82 | 83 | typedef struct _POWER_STATE_HANDLER 84 | { 85 | POWER_STATE_HANDLER_TYPE Type; 86 | BOOLEAN RtcWake; 87 | UCHAR Spare[3]; 88 | PENTER_STATE_HANDLER Handler; 89 | PVOID Context; 90 | } POWER_STATE_HANDLER, *PPOWER_STATE_HANDLER; 91 | 92 | typedef NTSTATUS (NTAPI *PENTER_STATE_NOTIFY_HANDLER)( 93 | _In_ POWER_STATE_HANDLER_TYPE State, 94 | _In_ PVOID Context, 95 | _In_ BOOLEAN Entering 96 | ); 97 | 98 | typedef struct _POWER_STATE_NOTIFY_HANDLER 99 | { 100 | PENTER_STATE_NOTIFY_HANDLER Handler; 101 | PVOID Context; 102 | } POWER_STATE_NOTIFY_HANDLER, *PPOWER_STATE_NOTIFY_HANDLER; 103 | 104 | typedef struct _PROCESSOR_POWER_INFORMATION 105 | { 106 | ULONG Number; 107 | ULONG MaxMhz; 108 | ULONG CurrentMhz; 109 | ULONG MhzLimit; 110 | ULONG MaxIdleState; 111 | ULONG CurrentIdleState; 112 | } PROCESSOR_POWER_INFORMATION, *PPROCESSOR_POWER_INFORMATION; 113 | 114 | typedef struct _SYSTEM_POWER_INFORMATION 115 | { 116 | ULONG MaxIdlenessAllowed; 117 | ULONG Idleness; 118 | ULONG TimeRemaining; 119 | UCHAR CoolingMode; 120 | } SYSTEM_POWER_INFORMATION, *PSYSTEM_POWER_INFORMATION; 121 | 122 | NTSYSCALLAPI 123 | NTSTATUS 124 | NTAPI 125 | NtPowerInformation( 126 | _In_ POWER_INFORMATION_LEVEL InformationLevel, 127 | 
_In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer, 128 | _In_ ULONG InputBufferLength, 129 | _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer, 130 | _In_ ULONG OutputBufferLength 131 | ); 132 | 133 | NTSYSCALLAPI 134 | NTSTATUS 135 | NTAPI 136 | NtSetThreadExecutionState( 137 | _In_ EXECUTION_STATE NewFlags, // ES_* flags 138 | _Out_ EXECUTION_STATE *PreviousFlags 139 | ); 140 | 141 | NTSYSCALLAPI 142 | NTSTATUS 143 | NTAPI 144 | NtRequestWakeupLatency( 145 | _In_ LATENCY_TIME latency 146 | ); 147 | 148 | NTSYSCALLAPI 149 | NTSTATUS 150 | NTAPI 151 | NtInitiatePowerAction( 152 | _In_ POWER_ACTION SystemAction, 153 | _In_ SYSTEM_POWER_STATE LightestSystemState, 154 | _In_ ULONG Flags, // POWER_ACTION_* flags 155 | _In_ BOOLEAN Asynchronous 156 | ); 157 | 158 | NTSYSCALLAPI 159 | NTSTATUS 160 | NTAPI 161 | NtSetSystemPowerState( 162 | _In_ POWER_ACTION SystemAction, 163 | _In_ SYSTEM_POWER_STATE LightestSystemState, 164 | _In_ ULONG Flags // POWER_ACTION_* flags 165 | ); 166 | 167 | NTSYSCALLAPI 168 | NTSTATUS 169 | NTAPI 170 | NtGetDevicePowerState( 171 | _In_ HANDLE Device, 172 | _Out_ PDEVICE_POWER_STATE State 173 | ); 174 | 175 | NTSYSCALLAPI 176 | BOOLEAN 177 | NTAPI 178 | NtIsSystemResumeAutomatic( 179 | VOID 180 | ); 181 | 182 | #endif 183 | -------------------------------------------------------------------------------- /sdk/include/filestream.h: -------------------------------------------------------------------------------- 1 | #ifndef _PH_FILESTREAM_H 2 | #define _PH_FILESTREAM_H 3 | 4 | #ifdef __cplusplus 5 | extern "C" { 6 | #endif 7 | 8 | // Core flags (PhCreateFileStream2) 9 | /** Indicates that the file stream object should not close the file handle upon deletion. */ 10 | #define PH_FILE_STREAM_HANDLE_UNOWNED 0x1 11 | /** 12 | * Indicates that the file stream object should not buffer I/O operations. Note that this does not 13 | * prevent the operating system from buffering I/O. 
14 | */ 15 | #define PH_FILE_STREAM_UNBUFFERED 0x2 16 | /** 17 | * Indicates that the file handle supports asynchronous operations. The file handle must not have 18 | * been opened with FILE_SYNCHRONOUS_IO_ALERT or FILE_SYNCHRONOUS_IO_NONALERT. 19 | */ 20 | #define PH_FILE_STREAM_ASYNCHRONOUS 0x4 21 | /** 22 | * Indicates that the file stream object should maintain the file position and not use the file 23 | * object's own file position. 24 | */ 25 | #define PH_FILE_STREAM_OWN_POSITION 0x8 26 | 27 | // Higher-level flags (PhCreateFileStream) 28 | #define PH_FILE_STREAM_APPEND 0x00010000 29 | 30 | // Internal flags 31 | /** Indicates that at least one write has been issued to the file handle. */ 32 | #define PH_FILE_STREAM_WRITTEN 0x80000000 33 | 34 | // Seek 35 | typedef enum _PH_SEEK_ORIGIN 36 | { 37 | SeekStart, 38 | SeekCurrent, 39 | SeekEnd 40 | } PH_SEEK_ORIGIN; 41 | 42 | typedef struct _PH_FILE_STREAM 43 | { 44 | HANDLE FileHandle; 45 | ULONG Flags; 46 | LARGE_INTEGER Position; // file object position, *not* the actual position 47 | 48 | PVOID Buffer; 49 | ULONG BufferLength; 50 | 51 | ULONG ReadPosition; // read position in buffer 52 | ULONG ReadLength; // how much available to read from buffer 53 | ULONG WritePosition; // write position in buffer 54 | } PH_FILE_STREAM, *PPH_FILE_STREAM; 55 | 56 | extern PPH_OBJECT_TYPE PhFileStreamType; 57 | 58 | BOOLEAN 59 | NTAPI 60 | PhFileStreamInitialization( 61 | VOID 62 | ); 63 | 64 | PHLIBAPI 65 | NTSTATUS 66 | NTAPI 67 | PhCreateFileStream( 68 | _Out_ PPH_FILE_STREAM *FileStream, 69 | _In_ PWSTR FileName, 70 | _In_ ACCESS_MASK DesiredAccess, 71 | _In_ ULONG ShareMode, 72 | _In_ ULONG CreateDisposition, 73 | _In_ ULONG Flags 74 | ); 75 | 76 | PHLIBAPI 77 | NTSTATUS 78 | NTAPI 79 | PhCreateFileStream2( 80 | _Out_ PPH_FILE_STREAM *FileStream, 81 | _In_ HANDLE FileHandle, 82 | _In_ ULONG Flags, 83 | _In_ ULONG BufferLength 84 | ); 85 | 86 | PHLIBAPI 87 | VOID 88 | NTAPI 89 | PhVerifyFileStream( 90 | _In_ 
PPH_FILE_STREAM FileStream 91 | ); 92 | 93 | PHLIBAPI 94 | NTSTATUS 95 | NTAPI 96 | PhReadFileStream( 97 | _Inout_ PPH_FILE_STREAM FileStream, 98 | _Out_writes_bytes_(Length) PVOID Buffer, 99 | _In_ ULONG Length, 100 | _Out_opt_ PULONG ReadLength 101 | ); 102 | 103 | PHLIBAPI 104 | NTSTATUS 105 | NTAPI 106 | PhWriteFileStream( 107 | _Inout_ PPH_FILE_STREAM FileStream, 108 | _In_reads_bytes_(Length) PVOID Buffer, 109 | _In_ ULONG Length 110 | ); 111 | 112 | PHLIBAPI 113 | NTSTATUS 114 | NTAPI 115 | PhFlushFileStream( 116 | _Inout_ PPH_FILE_STREAM FileStream, 117 | _In_ BOOLEAN Full 118 | ); 119 | 120 | PHLIBAPI 121 | VOID 122 | NTAPI 123 | PhGetPositionFileStream( 124 | _In_ PPH_FILE_STREAM FileStream, 125 | _Out_ PLARGE_INTEGER Position 126 | ); 127 | 128 | PHLIBAPI 129 | NTSTATUS 130 | NTAPI 131 | PhSeekFileStream( 132 | _Inout_ PPH_FILE_STREAM FileStream, 133 | _In_ PLARGE_INTEGER Offset, 134 | _In_ PH_SEEK_ORIGIN Origin 135 | ); 136 | 137 | PHLIBAPI 138 | NTSTATUS 139 | NTAPI 140 | PhLockFileStream( 141 | _Inout_ PPH_FILE_STREAM FileStream, 142 | _In_ PLARGE_INTEGER Position, 143 | _In_ PLARGE_INTEGER Length, 144 | _In_ BOOLEAN Wait, 145 | _In_ BOOLEAN Shared 146 | ); 147 | 148 | PHLIBAPI 149 | NTSTATUS 150 | NTAPI 151 | PhUnlockFileStream( 152 | _Inout_ PPH_FILE_STREAM FileStream, 153 | _In_ PLARGE_INTEGER Position, 154 | _In_ PLARGE_INTEGER Length 155 | ); 156 | 157 | PHLIBAPI 158 | NTSTATUS 159 | NTAPI 160 | PhWriteStringAsUtf8FileStream( 161 | _Inout_ PPH_FILE_STREAM FileStream, 162 | _In_ PPH_STRINGREF String 163 | ); 164 | 165 | PHLIBAPI 166 | NTSTATUS 167 | NTAPI 168 | PhWriteStringAsUtf8FileStream2( 169 | _Inout_ PPH_FILE_STREAM FileStream, 170 | _In_ PWSTR String 171 | ); 172 | 173 | PHLIBAPI 174 | NTSTATUS 175 | NTAPI 176 | PhWriteStringAsUtf8FileStreamEx( 177 | _Inout_ PPH_FILE_STREAM FileStream, 178 | _In_ PWSTR Buffer, 179 | _In_ SIZE_T Length 180 | ); 181 | 182 | PHLIBAPI 183 | NTSTATUS 184 | NTAPI 185 | PhWriteStringFormatAsUtf8FileStream_V( 186 | 
_Inout_ PPH_FILE_STREAM FileStream, 187 | _In_ _Printf_format_string_ PWSTR Format, 188 | _In_ va_list ArgPtr 189 | ); 190 | 191 | PHLIBAPI 192 | NTSTATUS 193 | NTAPI 194 | PhWriteStringFormatAsUtf8FileStream( 195 | _Inout_ PPH_FILE_STREAM FileStream, 196 | _In_ _Printf_format_string_ PWSTR Format, 197 | ... 198 | ); 199 | 200 | #ifdef __cplusplus 201 | } 202 | #endif 203 | 204 | #endif 205 | -------------------------------------------------------------------------------- /sdk/include/emenu.h: -------------------------------------------------------------------------------- 1 | #ifndef _PH_EMENU_H 2 | #define _PH_EMENU_H 3 | 4 | #ifdef __cplusplus 5 | extern "C" { 6 | #endif 7 | 8 | #define PH_EMENU_DISABLED 0x1 9 | #define PH_EMENU_CHECKED 0x2 10 | #define PH_EMENU_HIGHLIGHT 0x4 11 | #define PH_EMENU_MENUBARBREAK 0x8 12 | #define PH_EMENU_MENUBREAK 0x10 13 | #define PH_EMENU_DEFAULT 0x20 14 | #define PH_EMENU_MOUSESELECT 0x40 15 | #define PH_EMENU_RADIOCHECK 0x80 16 | 17 | #define PH_EMENU_SEPARATECHECKSPACE 0x100000 18 | #define PH_EMENU_SEPARATOR 0x200000 19 | 20 | #define PH_EMENU_TEXT_OWNED 0x80000000 21 | #define PH_EMENU_BITMAP_OWNED 0x40000000 22 | 23 | struct _PH_EMENU_ITEM; 24 | 25 | typedef VOID (NTAPI *PPH_EMENU_ITEM_DELETE_FUNCTION)( 26 | _In_ struct _PH_EMENU_ITEM *Item 27 | ); 28 | 29 | typedef struct _PH_EMENU_ITEM 30 | { 31 | ULONG Flags; 32 | ULONG Id; 33 | PWSTR Text; 34 | HBITMAP Bitmap; 35 | 36 | PVOID Parameter; 37 | PVOID Context; 38 | PPH_EMENU_ITEM_DELETE_FUNCTION DeleteFunction; 39 | PVOID Reserved; 40 | 41 | struct _PH_EMENU_ITEM *Parent; 42 | PPH_LIST Items; 43 | } PH_EMENU_ITEM, *PPH_EMENU_ITEM; 44 | 45 | typedef struct _PH_EMENU_ITEM PH_EMENU, *PPH_EMENU; 46 | 47 | PHLIBAPI 48 | PPH_EMENU_ITEM PhCreateEMenuItem( 49 | _In_ ULONG Flags, 50 | _In_ ULONG Id, 51 | _In_ PWSTR Text, 52 | _In_opt_ HBITMAP Bitmap, 53 | _In_opt_ PVOID Context 54 | ); 55 | 56 | PHLIBAPI 57 | VOID PhDestroyEMenuItem( 58 | _In_ PPH_EMENU_ITEM Item 59 | ); 60 | 61 | 
#define PH_EMENU_FIND_DESCEND 0x1 62 | #define PH_EMENU_FIND_STARTSWITH 0x2 63 | #define PH_EMENU_FIND_LITERAL 0x4 64 | 65 | PHLIBAPI 66 | PPH_EMENU_ITEM PhFindEMenuItem( 67 | _In_ PPH_EMENU_ITEM Item, 68 | _In_ ULONG Flags, 69 | _In_opt_ PWSTR Text, 70 | _In_opt_ ULONG Id 71 | ); 72 | 73 | PHLIBAPI 74 | PPH_EMENU_ITEM PhFindEMenuItemEx( 75 | _In_ PPH_EMENU_ITEM Item, 76 | _In_ ULONG Flags, 77 | _In_opt_ PWSTR Text, 78 | _In_opt_ ULONG Id, 79 | _Out_opt_ PPH_EMENU_ITEM *FoundParent, 80 | _Out_opt_ PULONG FoundIndex 81 | ); 82 | 83 | PHLIBAPI 84 | ULONG PhIndexOfEMenuItem( 85 | _In_ PPH_EMENU_ITEM Parent, 86 | _In_ PPH_EMENU_ITEM Item 87 | ); 88 | 89 | PHLIBAPI 90 | VOID PhInsertEMenuItem( 91 | _Inout_ PPH_EMENU_ITEM Parent, 92 | _Inout_ PPH_EMENU_ITEM Item, 93 | _In_ ULONG Index 94 | ); 95 | 96 | PHLIBAPI 97 | BOOLEAN PhRemoveEMenuItem( 98 | _Inout_opt_ PPH_EMENU_ITEM Parent, 99 | _In_opt_ PPH_EMENU_ITEM Item, 100 | _In_opt_ ULONG Index 101 | ); 102 | 103 | PHLIBAPI 104 | VOID PhRemoveAllEMenuItems( 105 | _Inout_ PPH_EMENU_ITEM Parent 106 | ); 107 | 108 | PHLIBAPI 109 | PPH_EMENU PhCreateEMenu( 110 | VOID 111 | ); 112 | 113 | PHLIBAPI 114 | VOID PhDestroyEMenu( 115 | _In_ PPH_EMENU Menu 116 | ); 117 | 118 | #define PH_EMENU_CONVERT_ID 0x1 119 | 120 | typedef struct _PH_EMENU_DATA 121 | { 122 | PPH_LIST IdToItem; 123 | } PH_EMENU_DATA, *PPH_EMENU_DATA; 124 | 125 | PHLIBAPI 126 | VOID PhInitializeEMenuData( 127 | _Out_ PPH_EMENU_DATA Data 128 | ); 129 | 130 | PHLIBAPI 131 | VOID PhDeleteEMenuData( 132 | _Inout_ PPH_EMENU_DATA Data 133 | ); 134 | 135 | PHLIBAPI 136 | HMENU PhEMenuToHMenu( 137 | _In_ PPH_EMENU_ITEM Menu, 138 | _In_ ULONG Flags, 139 | _Inout_opt_ PPH_EMENU_DATA Data 140 | ); 141 | 142 | PHLIBAPI 143 | VOID PhEMenuToHMenu2( 144 | _In_ HMENU MenuHandle, 145 | _In_ PPH_EMENU_ITEM Menu, 146 | _In_ ULONG Flags, 147 | _Inout_opt_ PPH_EMENU_DATA Data 148 | ); 149 | 150 | PHLIBAPI 151 | VOID PhHMenuToEMenuItem( 152 | _Inout_ PPH_EMENU_ITEM MenuItem, 153 | _In_ 
HMENU MenuHandle 154 | ); 155 | 156 | PHLIBAPI 157 | VOID PhLoadResourceEMenuItem( 158 | _Inout_ PPH_EMENU_ITEM MenuItem, 159 | _In_ HINSTANCE InstanceHandle, 160 | _In_ PWSTR Resource, 161 | _In_ ULONG SubMenuIndex 162 | ); 163 | 164 | #define PH_EMENU_SHOW_SEND_COMMAND 0x1 165 | #define PH_EMENU_SHOW_LEFTRIGHT 0x2 166 | 167 | PHLIBAPI 168 | PPH_EMENU_ITEM PhShowEMenu( 169 | _In_ PPH_EMENU Menu, 170 | _In_ HWND WindowHandle, 171 | _In_ ULONG Flags, 172 | _In_ ULONG Align, 173 | _In_ ULONG X, 174 | _In_ ULONG Y 175 | ); 176 | 177 | // Convenience functions 178 | 179 | PHLIBAPI 180 | BOOLEAN PhSetFlagsEMenuItem( 181 | _Inout_ PPH_EMENU_ITEM Item, 182 | _In_ ULONG Id, 183 | _In_ ULONG Mask, 184 | _In_ ULONG Value 185 | ); 186 | 187 | FORCEINLINE BOOLEAN PhEnableEMenuItem( 188 | _Inout_ PPH_EMENU_ITEM Item, 189 | _In_ ULONG Id, 190 | _In_ BOOLEAN Enable 191 | ) 192 | { 193 | return PhSetFlagsEMenuItem(Item, Id, PH_EMENU_DISABLED, Enable ? 0 : PH_EMENU_DISABLED); 194 | } 195 | 196 | PHLIBAPI 197 | VOID PhSetFlagsAllEMenuItems( 198 | _In_ PPH_EMENU_ITEM Item, 199 | _In_ ULONG Mask, 200 | _In_ ULONG Value 201 | ); 202 | 203 | #define PH_EMENU_MODIFY_TEXT 0x1 204 | #define PH_EMENU_MODIFY_BITMAP 0x2 205 | 206 | PHLIBAPI 207 | VOID PhModifyEMenuItem( 208 | _Inout_ PPH_EMENU_ITEM Item, 209 | _In_ ULONG ModifyFlags, 210 | _In_ ULONG OwnedFlags, 211 | _In_opt_ PWSTR Text, 212 | _In_opt_ HBITMAP Bitmap 213 | ); 214 | 215 | #ifdef __cplusplus 216 | } 217 | #endif 218 | 219 | #endif 220 | -------------------------------------------------------------------------------- /sdk/include/ntdbg.h: -------------------------------------------------------------------------------- 1 | #ifndef _NTDBG_H 2 | #define _NTDBG_H 3 | 4 | // Definitions 5 | 6 | typedef struct _DBGKM_EXCEPTION 7 | { 8 | EXCEPTION_RECORD ExceptionRecord; 9 | ULONG FirstChance; 10 | } DBGKM_EXCEPTION, *PDBGKM_EXCEPTION; 11 | 12 | typedef struct _DBGKM_CREATE_THREAD 13 | { 14 | ULONG SubSystemKey; 15 | PVOID 
StartAddress; 16 | } DBGKM_CREATE_THREAD, *PDBGKM_CREATE_THREAD; 17 | 18 | typedef struct _DBGKM_CREATE_PROCESS 19 | { 20 | ULONG SubSystemKey; 21 | HANDLE FileHandle; 22 | PVOID BaseOfImage; 23 | ULONG DebugInfoFileOffset; 24 | ULONG DebugInfoSize; 25 | DBGKM_CREATE_THREAD InitialThread; 26 | } DBGKM_CREATE_PROCESS, *PDBGKM_CREATE_PROCESS; 27 | 28 | typedef struct _DBGKM_EXIT_THREAD 29 | { 30 | NTSTATUS ExitStatus; 31 | } DBGKM_EXIT_THREAD, *PDBGKM_EXIT_THREAD; 32 | 33 | typedef struct _DBGKM_EXIT_PROCESS 34 | { 35 | NTSTATUS ExitStatus; 36 | } DBGKM_EXIT_PROCESS, *PDBGKM_EXIT_PROCESS; 37 | 38 | typedef struct _DBGKM_LOAD_DLL 39 | { 40 | HANDLE FileHandle; 41 | PVOID BaseOfDll; 42 | ULONG DebugInfoFileOffset; 43 | ULONG DebugInfoSize; 44 | PVOID NamePointer; 45 | } DBGKM_LOAD_DLL, *PDBGKM_LOAD_DLL; 46 | 47 | typedef struct _DBGKM_UNLOAD_DLL 48 | { 49 | PVOID BaseAddress; 50 | } DBGKM_UNLOAD_DLL, *PDBGKM_UNLOAD_DLL; 51 | 52 | typedef enum _DBG_STATE 53 | { 54 | DbgIdle, 55 | DbgReplyPending, 56 | DbgCreateThreadStateChange, 57 | DbgCreateProcessStateChange, 58 | DbgExitThreadStateChange, 59 | DbgExitProcessStateChange, 60 | DbgExceptionStateChange, 61 | DbgBreakpointStateChange, 62 | DbgSingleStepStateChange, 63 | DbgLoadDllStateChange, 64 | DbgUnloadDllStateChange 65 | } DBG_STATE, *PDBG_STATE; 66 | 67 | typedef struct _DBGUI_CREATE_THREAD 68 | { 69 | HANDLE HandleToThread; 70 | DBGKM_CREATE_THREAD NewThread; 71 | } DBGUI_CREATE_THREAD, *PDBGUI_CREATE_THREAD; 72 | 73 | typedef struct _DBGUI_CREATE_PROCESS 74 | { 75 | HANDLE HandleToProcess; 76 | HANDLE HandleToThread; 77 | DBGKM_CREATE_PROCESS NewProcess; 78 | } DBGUI_CREATE_PROCESS, *PDBGUI_CREATE_PROCESS; 79 | 80 | typedef struct _DBGUI_WAIT_STATE_CHANGE 81 | { 82 | DBG_STATE NewState; 83 | CLIENT_ID AppClientId; 84 | union 85 | { 86 | DBGKM_EXCEPTION Exception; 87 | DBGUI_CREATE_THREAD CreateThread; 88 | DBGUI_CREATE_PROCESS CreateProcessInfo; 89 | DBGKM_EXIT_THREAD ExitThread; 90 | DBGKM_EXIT_PROCESS 
ExitProcess; 91 | DBGKM_LOAD_DLL LoadDll; 92 | DBGKM_UNLOAD_DLL UnloadDll; 93 | } StateInfo; 94 | } DBGUI_WAIT_STATE_CHANGE, *PDBGUI_WAIT_STATE_CHANGE; 95 | 96 | // System calls 97 | 98 | #define DEBUG_READ_EVENT 0x0001 99 | #define DEBUG_PROCESS_ASSIGN 0x0002 100 | #define DEBUG_SET_INFORMATION 0x0004 101 | #define DEBUG_QUERY_INFORMATION 0x0008 102 | #define DEBUG_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \ 103 | DEBUG_READ_EVENT | DEBUG_PROCESS_ASSIGN | DEBUG_SET_INFORMATION | \ 104 | DEBUG_QUERY_INFORMATION) 105 | 106 | #define DEBUG_KILL_ON_CLOSE 0x1 107 | 108 | typedef enum _DEBUGOBJECTINFOCLASS 109 | { 110 | DebugObjectFlags = 1, 111 | MaxDebugObjectInfoClass 112 | } DEBUGOBJECTINFOCLASS, *PDEBUGOBJECTINFOCLASS; 113 | 114 | NTSYSCALLAPI 115 | NTSTATUS 116 | NTAPI 117 | NtCreateDebugObject( 118 | _Out_ PHANDLE DebugObjectHandle, 119 | _In_ ACCESS_MASK DesiredAccess, 120 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 121 | _In_ ULONG Flags 122 | ); 123 | 124 | NTSYSCALLAPI 125 | NTSTATUS 126 | NTAPI 127 | NtDebugActiveProcess( 128 | _In_ HANDLE ProcessHandle, 129 | _In_ HANDLE DebugObjectHandle 130 | ); 131 | 132 | NTSYSCALLAPI 133 | NTSTATUS 134 | NTAPI 135 | NtDebugContinue( 136 | _In_ HANDLE DebugObjectHandle, 137 | _In_ PCLIENT_ID ClientId, 138 | _In_ NTSTATUS ContinueStatus 139 | ); 140 | 141 | NTSYSCALLAPI 142 | NTSTATUS 143 | NTAPI 144 | NtRemoveProcessDebug( 145 | _In_ HANDLE ProcessHandle, 146 | _In_ HANDLE DebugObjectHandle 147 | ); 148 | 149 | NTSYSCALLAPI 150 | NTSTATUS 151 | NTAPI 152 | NtSetInformationDebugObject( 153 | _In_ HANDLE DebugObjectHandle, 154 | _In_ DEBUGOBJECTINFOCLASS DebugObjectInformationClass, 155 | _In_ PVOID DebugInformation, 156 | _In_ ULONG DebugInformationLength, 157 | _Out_opt_ PULONG ReturnLength 158 | ); 159 | 160 | NTSYSCALLAPI 161 | NTSTATUS 162 | NTAPI 163 | NtWaitForDebugEvent( 164 | _In_ HANDLE DebugObjectHandle, 165 | _In_ BOOLEAN Alertable, 166 | _In_opt_ PLARGE_INTEGER Timeout, 167 | _Out_ PVOID 
WaitStateChange 168 | ); 169 | 170 | // Debugging UI 171 | 172 | NTSYSAPI 173 | NTSTATUS 174 | NTAPI 175 | DbgUiConnectToDbg( 176 | VOID 177 | ); 178 | 179 | NTSYSAPI 180 | HANDLE 181 | NTAPI 182 | DbgUiGetThreadDebugObject( 183 | VOID 184 | ); 185 | 186 | NTSYSAPI 187 | VOID 188 | NTAPI 189 | DbgUiSetThreadDebugObject( 190 | _In_ HANDLE DebugObject 191 | ); 192 | 193 | NTSYSAPI 194 | NTSTATUS 195 | NTAPI 196 | DbgUiWaitStateChange( 197 | _Out_ PDBGUI_WAIT_STATE_CHANGE StateChange, 198 | _In_opt_ PLARGE_INTEGER Timeout 199 | ); 200 | 201 | NTSYSAPI 202 | NTSTATUS 203 | NTAPI 204 | DbgUiContinue( 205 | _In_ PCLIENT_ID AppClientId, 206 | _In_ NTSTATUS ContinueStatus 207 | ); 208 | 209 | NTSYSAPI 210 | NTSTATUS 211 | NTAPI 212 | DbgUiStopDebugging( 213 | _In_ HANDLE Process 214 | ); 215 | 216 | NTSYSAPI 217 | NTSTATUS 218 | NTAPI 219 | DbgUiDebugActiveProcess( 220 | _In_ HANDLE Process 221 | ); 222 | 223 | NTSYSAPI 224 | VOID 225 | NTAPI 226 | DbgUiRemoteBreakin( 227 | _In_ PVOID Context 228 | ); 229 | 230 | NTSYSAPI 231 | NTSTATUS 232 | NTAPI 233 | DbgUiIssueRemoteBreakin( 234 | _In_ HANDLE Process 235 | ); 236 | 237 | struct _DEBUG_EVENT; 238 | 239 | NTSYSAPI 240 | NTSTATUS 241 | NTAPI 242 | DbgUiConvertStateChangeStructure( 243 | _In_ PDBGUI_WAIT_STATE_CHANGE StateChange, 244 | _Out_ struct _DEBUG_EVENT *DebugEvent 245 | ); 246 | 247 | #endif 248 | -------------------------------------------------------------------------------- /sdk/include/kphuser.h: -------------------------------------------------------------------------------- 1 | #ifndef _PH_KPHUSER_H 2 | #define _PH_KPHUSER_H 3 | 4 | #include 5 | 6 | #ifdef __cplusplus 7 | extern "C" { 8 | #endif 9 | 10 | typedef struct _KPH_PARAMETERS 11 | { 12 | KPH_SECURITY_LEVEL SecurityLevel; 13 | BOOLEAN CreateDynamicConfiguration; 14 | } KPH_PARAMETERS, *PKPH_PARAMETERS; 15 | 16 | PHLIBAPI 17 | NTSTATUS 18 | NTAPI 19 | KphConnect( 20 | _In_opt_ PWSTR DeviceName 21 | ); 22 | 23 | PHLIBAPI 24 | NTSTATUS 25 | NTAPI 26 | 
KphConnect2( 27 | _In_opt_ PWSTR DeviceName, 28 | _In_ PWSTR FileName 29 | ); 30 | 31 | PHLIBAPI 32 | NTSTATUS 33 | NTAPI 34 | KphConnect2Ex( 35 | _In_opt_ PWSTR DeviceName, 36 | _In_ PWSTR FileName, 37 | _In_opt_ PKPH_PARAMETERS Parameters 38 | ); 39 | 40 | PHLIBAPI 41 | NTSTATUS 42 | NTAPI 43 | KphDisconnect( 44 | VOID 45 | ); 46 | 47 | PHLIBAPI 48 | BOOLEAN 49 | NTAPI 50 | KphIsConnected( 51 | VOID 52 | ); 53 | 54 | PHLIBAPI 55 | BOOLEAN 56 | NTAPI 57 | KphIsVerified( 58 | VOID 59 | ); 60 | 61 | PHLIBAPI 62 | NTSTATUS 63 | NTAPI 64 | KphSetParameters( 65 | _In_opt_ PWSTR DeviceName, 66 | _In_ PKPH_PARAMETERS Parameters 67 | ); 68 | 69 | PHLIBAPI 70 | NTSTATUS 71 | NTAPI 72 | KphInstall( 73 | _In_opt_ PWSTR DeviceName, 74 | _In_ PWSTR FileName 75 | ); 76 | 77 | PHLIBAPI 78 | NTSTATUS 79 | NTAPI 80 | KphInstallEx( 81 | _In_opt_ PWSTR DeviceName, 82 | _In_ PWSTR FileName, 83 | _In_opt_ PKPH_PARAMETERS Parameters 84 | ); 85 | 86 | PHLIBAPI 87 | NTSTATUS 88 | NTAPI 89 | KphUninstall( 90 | _In_opt_ PWSTR DeviceName 91 | ); 92 | 93 | PHLIBAPI 94 | NTSTATUS 95 | NTAPI 96 | KphGetFeatures( 97 | _Out_ PULONG Features 98 | ); 99 | 100 | PHLIBAPI 101 | NTSTATUS 102 | NTAPI 103 | KphVerifyClient( 104 | _In_reads_bytes_(SignatureSize) PUCHAR Signature, 105 | _In_ ULONG SignatureSize 106 | ); 107 | 108 | PHLIBAPI 109 | NTSTATUS 110 | NTAPI 111 | KphOpenProcess( 112 | _Out_ PHANDLE ProcessHandle, 113 | _In_ ACCESS_MASK DesiredAccess, 114 | _In_ PCLIENT_ID ClientId 115 | ); 116 | 117 | PHLIBAPI 118 | NTSTATUS 119 | NTAPI 120 | KphOpenProcessToken( 121 | _In_ HANDLE ProcessHandle, 122 | _In_ ACCESS_MASK DesiredAccess, 123 | _Out_ PHANDLE TokenHandle 124 | ); 125 | 126 | PHLIBAPI 127 | NTSTATUS 128 | NTAPI 129 | KphOpenProcessJob( 130 | _In_ HANDLE ProcessHandle, 131 | _In_ ACCESS_MASK DesiredAccess, 132 | _Out_ PHANDLE JobHandle 133 | ); 134 | 135 | PHLIBAPI 136 | NTSTATUS 137 | NTAPI 138 | KphTerminateProcess( 139 | _In_ HANDLE ProcessHandle, 140 | _In_ NTSTATUS ExitStatus 141 | 
); 142 | 143 | PHLIBAPI 144 | NTSTATUS 145 | NTAPI 146 | KphReadVirtualMemoryUnsafe( 147 | _In_opt_ HANDLE ProcessHandle, 148 | _In_ PVOID BaseAddress, 149 | _Out_writes_bytes_(BufferSize) PVOID Buffer, 150 | _In_ SIZE_T BufferSize, 151 | _Out_opt_ PSIZE_T NumberOfBytesRead 152 | ); 153 | 154 | PHLIBAPI 155 | NTSTATUS 156 | NTAPI 157 | KphQueryInformationProcess( 158 | _In_ HANDLE ProcessHandle, 159 | _In_ KPH_PROCESS_INFORMATION_CLASS ProcessInformationClass, 160 | _Out_writes_bytes_(ProcessInformationLength) PVOID ProcessInformation, 161 | _In_ ULONG ProcessInformationLength, 162 | _Out_opt_ PULONG ReturnLength 163 | ); 164 | 165 | PHLIBAPI 166 | NTSTATUS 167 | NTAPI 168 | KphSetInformationProcess( 169 | _In_ HANDLE ProcessHandle, 170 | _In_ KPH_PROCESS_INFORMATION_CLASS ProcessInformationClass, 171 | _In_reads_bytes_(ProcessInformationLength) PVOID ProcessInformation, 172 | _In_ ULONG ProcessInformationLength 173 | ); 174 | 175 | PHLIBAPI 176 | NTSTATUS 177 | NTAPI 178 | KphOpenThread( 179 | _Out_ PHANDLE ThreadHandle, 180 | _In_ ACCESS_MASK DesiredAccess, 181 | _In_ PCLIENT_ID ClientId 182 | ); 183 | 184 | PHLIBAPI 185 | NTSTATUS 186 | NTAPI 187 | KphOpenThreadProcess( 188 | _In_ HANDLE ThreadHandle, 189 | _In_ ACCESS_MASK DesiredAccess, 190 | _Out_ PHANDLE ProcessHandle 191 | ); 192 | 193 | PHLIBAPI 194 | NTSTATUS 195 | NTAPI 196 | KphCaptureStackBackTraceThread( 197 | _In_ HANDLE ThreadHandle, 198 | _In_ ULONG FramesToSkip, 199 | _In_ ULONG FramesToCapture, 200 | _Out_writes_(FramesToCapture) PVOID *BackTrace, 201 | _Out_opt_ PULONG CapturedFrames, 202 | _Out_opt_ PULONG BackTraceHash 203 | ); 204 | 205 | PHLIBAPI 206 | NTSTATUS 207 | NTAPI 208 | KphQueryInformationThread( 209 | _In_ HANDLE ThreadHandle, 210 | _In_ KPH_THREAD_INFORMATION_CLASS ThreadInformationClass, 211 | _Out_writes_bytes_(ThreadInformationLength) PVOID ThreadInformation, 212 | _In_ ULONG ThreadInformationLength, 213 | _Out_opt_ PULONG ReturnLength 214 | ); 215 | 216 | PHLIBAPI 217 | 
NTSTATUS 218 | NTAPI 219 | KphSetInformationThread( 220 | _In_ HANDLE ThreadHandle, 221 | _In_ KPH_THREAD_INFORMATION_CLASS ThreadInformationClass, 222 | _In_reads_bytes_(ThreadInformationLength) PVOID ThreadInformation, 223 | _In_ ULONG ThreadInformationLength 224 | ); 225 | 226 | PHLIBAPI 227 | NTSTATUS 228 | NTAPI 229 | KphEnumerateProcessHandles( 230 | _In_ HANDLE ProcessHandle, 231 | _Out_writes_bytes_(BufferLength) PVOID Buffer, 232 | _In_opt_ ULONG BufferLength, 233 | _Out_opt_ PULONG ReturnLength 234 | ); 235 | 236 | PHLIBAPI 237 | NTSTATUS 238 | NTAPI 239 | KphEnumerateProcessHandles2( 240 | _In_ HANDLE ProcessHandle, 241 | _Out_ PKPH_PROCESS_HANDLE_INFORMATION *Handles 242 | ); 243 | 244 | PHLIBAPI 245 | NTSTATUS 246 | NTAPI 247 | KphQueryInformationObject( 248 | _In_ HANDLE ProcessHandle, 249 | _In_ HANDLE Handle, 250 | _In_ KPH_OBJECT_INFORMATION_CLASS ObjectInformationClass, 251 | _Out_writes_bytes_(ObjectInformationLength) PVOID ObjectInformation, 252 | _In_ ULONG ObjectInformationLength, 253 | _Out_opt_ PULONG ReturnLength 254 | ); 255 | 256 | PHLIBAPI 257 | NTSTATUS 258 | NTAPI 259 | KphSetInformationObject( 260 | _In_ HANDLE ProcessHandle, 261 | _In_ HANDLE Handle, 262 | _In_ KPH_OBJECT_INFORMATION_CLASS ObjectInformationClass, 263 | _In_reads_bytes_(ObjectInformationLength) PVOID ObjectInformation, 264 | _In_ ULONG ObjectInformationLength 265 | ); 266 | 267 | PHLIBAPI 268 | NTSTATUS 269 | NTAPI 270 | KphOpenDriver( 271 | _Out_ PHANDLE DriverHandle, 272 | _In_ ACCESS_MASK DesiredAccess, 273 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 274 | ); 275 | 276 | PHLIBAPI 277 | NTSTATUS 278 | NTAPI 279 | KphQueryInformationDriver( 280 | _In_ HANDLE DriverHandle, 281 | _In_ DRIVER_INFORMATION_CLASS DriverInformationClass, 282 | _Out_writes_bytes_(DriverInformationLength) PVOID DriverInformation, 283 | _In_ ULONG DriverInformationLength, 284 | _Out_opt_ PULONG ReturnLength 285 | ); 286 | 287 | // kphdata 288 | 289 | PHLIBAPI 290 | NTSTATUS 291 | NTAPI 292 | 
KphInitializeDynamicPackage( 293 | _Out_ PKPH_DYN_PACKAGE Package 294 | ); 295 | 296 | #ifdef __cplusplus 297 | } 298 | #endif 299 | 300 | #endif 301 | -------------------------------------------------------------------------------- /sdk/include/graph.h: -------------------------------------------------------------------------------- 1 | #ifndef _PH_GRAPH_H 2 | #define _PH_GRAPH_H 3 | 4 | #ifdef __cplusplus 5 | extern "C" { 6 | #endif 7 | 8 | // Graph drawing 9 | 10 | extern RECT PhNormalGraphTextMargin; 11 | extern RECT PhNormalGraphTextPadding; 12 | 13 | #define PH_GRAPH_USE_GRID_X 0x1 14 | #define PH_GRAPH_USE_GRID_Y 0x2 15 | #define PH_GRAPH_LOGARITHMIC_GRID_Y 0x4 16 | #define PH_GRAPH_USE_LINE_2 0x10 17 | #define PH_GRAPH_OVERLAY_LINE_2 0x20 18 | #define PH_GRAPH_LABEL_MAX_Y 0x1000 19 | 20 | typedef PPH_STRING (NTAPI *PPH_GRAPH_LABEL_Y_FUNCTION)( 21 | _In_ struct _PH_GRAPH_DRAW_INFO *DrawInfo, 22 | _In_ ULONG DataIndex, 23 | _In_ FLOAT Value, 24 | _In_ FLOAT Parameter 25 | ); 26 | 27 | typedef struct _PH_GRAPH_DRAW_INFO 28 | { 29 | // Basic 30 | ULONG Width; 31 | ULONG Height; 32 | ULONG Flags; 33 | ULONG Step; 34 | COLORREF BackColor; 35 | 36 | // Data/lines 37 | ULONG LineDataCount; 38 | PFLOAT LineData1; 39 | PFLOAT LineData2; 40 | COLORREF LineColor1; 41 | COLORREF LineColor2; 42 | COLORREF LineBackColor1; 43 | COLORREF LineBackColor2; 44 | 45 | // Grid 46 | COLORREF GridColor; 47 | ULONG GridWidth; 48 | FLOAT GridHeight; 49 | ULONG GridXOffset; 50 | ULONG GridYThreshold; 51 | FLOAT GridBase; // Base for logarithmic grid 52 | 53 | // y-axis label 54 | PPH_GRAPH_LABEL_Y_FUNCTION LabelYFunction; 55 | FLOAT LabelYFunctionParameter; 56 | HFONT LabelYFont; 57 | COLORREF LabelYColor; 58 | ULONG LabelMaxYIndexLimit; 59 | 60 | // Text 61 | PH_STRINGREF Text; 62 | RECT TextRect; 63 | RECT TextBoxRect; 64 | HFONT TextFont; 65 | COLORREF TextColor; 66 | COLORREF TextBoxColor; 67 | } PH_GRAPH_DRAW_INFO, *PPH_GRAPH_DRAW_INFO; 68 | 69 | // Graph control 70 | 71 | 
#define PH_GRAPH_CLASSNAME L"PhGraph" 72 | 73 | PHLIBAPI 74 | BOOLEAN PhGraphControlInitialization( 75 | VOID 76 | ); 77 | 78 | PHLIBAPI 79 | VOID PhDrawGraphDirect( 80 | _In_ HDC hdc, 81 | _In_ PVOID Bits, 82 | _In_ PPH_GRAPH_DRAW_INFO DrawInfo 83 | ); 84 | 85 | PHLIBAPI 86 | VOID PhSetGraphText( 87 | _In_ HDC hdc, 88 | _Inout_ PPH_GRAPH_DRAW_INFO DrawInfo, 89 | _In_ PPH_STRINGREF Text, 90 | _In_ PRECT Margin, 91 | _In_ PRECT Padding, 92 | _In_ ULONG Align 93 | ); 94 | 95 | // Configuration 96 | 97 | typedef struct _PH_GRAPH_OPTIONS 98 | { 99 | COLORREF FadeOutBackColor; 100 | ULONG FadeOutWidth; 101 | HCURSOR DefaultCursor; 102 | } PH_GRAPH_OPTIONS, *PPH_GRAPH_OPTIONS; 103 | 104 | // Styles 105 | 106 | #define GC_STYLE_FADEOUT 0x1 107 | #define GC_STYLE_DRAW_PANEL 0x2 108 | 109 | // Messages 110 | 111 | #define GCM_GETDRAWINFO (WM_USER + 1301) 112 | #define GCM_SETDRAWINFO (WM_USER + 1302) 113 | #define GCM_DRAW (WM_USER + 1303) 114 | #define GCM_MOVEGRID (WM_USER + 1304) 115 | #define GCM_GETBUFFEREDCONTEXT (WM_USER + 1305) 116 | #define GCM_SETTOOLTIP (WM_USER + 1306) 117 | #define GCM_UPDATETOOLTIP (WM_USER + 1307) 118 | #define GCM_GETOPTIONS (WM_USER + 1308) 119 | #define GCM_SETOPTIONS (WM_USER + 1309) 120 | 121 | #define Graph_GetDrawInfo(hWnd, DrawInfo) \ 122 | SendMessage((hWnd), GCM_GETDRAWINFO, 0, (LPARAM)(DrawInfo)) 123 | #define Graph_SetDrawInfo(hWnd, DrawInfo) \ 124 | SendMessage((hWnd), GCM_SETDRAWINFO, 0, (LPARAM)(DrawInfo)) 125 | #define Graph_Draw(hWnd) \ 126 | SendMessage((hWnd), GCM_DRAW, 0, 0) 127 | #define Graph_MoveGrid(hWnd, Increment) \ 128 | SendMessage((hWnd), GCM_MOVEGRID, (WPARAM)(Increment), 0) 129 | #define Graph_GetBufferedContext(hWnd) \ 130 | ((HDC)SendMessage((hWnd), GCM_GETBUFFEREDCONTEXT, 0, 0)) 131 | #define Graph_SetTooltip(hWnd, Enable) \ 132 | ((HDC)SendMessage((hWnd), GCM_SETTOOLTIP, (WPARAM)(Enable), 0)) 133 | #define Graph_UpdateTooltip(hWnd) \ 134 | ((HDC)SendMessage((hWnd), GCM_UPDATETOOLTIP, 0, 0)) 135 | #define 
Graph_GetOptions(hWnd, Options) \ 136 | SendMessage((hWnd), GCM_GETOPTIONS, 0, (LPARAM)(Options)) 137 | #define Graph_SetOptions(hWnd, Options) \ 138 | SendMessage((hWnd), GCM_SETOPTIONS, 0, (LPARAM)(Options)) 139 | 140 | // Notifications 141 | 142 | #define GCN_GETDRAWINFO (WM_USER + 1351) 143 | #define GCN_GETTOOLTIPTEXT (WM_USER + 1352) 144 | #define GCN_MOUSEEVENT (WM_USER + 1353) 145 | #define GCN_DRAWPANEL (WM_USER + 1354) 146 | 147 | typedef struct _PH_GRAPH_GETDRAWINFO 148 | { 149 | NMHDR Header; 150 | PPH_GRAPH_DRAW_INFO DrawInfo; 151 | } PH_GRAPH_GETDRAWINFO, *PPH_GRAPH_GETDRAWINFO; 152 | 153 | typedef struct _PH_GRAPH_GETTOOLTIPTEXT 154 | { 155 | NMHDR Header; 156 | ULONG Index; 157 | ULONG TotalCount; 158 | 159 | PH_STRINGREF Text; // must be null-terminated 160 | } PH_GRAPH_GETTOOLTIPTEXT, *PPH_GRAPH_GETTOOLTIPTEXT; 161 | 162 | typedef struct _PH_GRAPH_MOUSEEVENT 163 | { 164 | NMHDR Header; 165 | ULONG Index; 166 | ULONG TotalCount; 167 | 168 | ULONG Message; 169 | ULONG Keys; 170 | POINT Point; 171 | } PH_GRAPH_MOUSEEVENT, *PPH_GRAPH_MOUSEEVENT; 172 | 173 | typedef struct _PH_GRAPH_DRAWPANEL 174 | { 175 | NMHDR Header; 176 | HDC hdc; 177 | RECT Rect; 178 | } PH_GRAPH_DRAWPANEL, *PPH_GRAPH_DRAWPANEL; 179 | 180 | // Graph buffer management 181 | 182 | #define PH_GRAPH_DATA_COUNT(Width, Step) (((Width) + (Step) - 1) / (Step) + 1) // round up in division 183 | 184 | typedef struct _PH_GRAPH_BUFFERS 185 | { 186 | PFLOAT Data1; // invalidate by setting Valid to FALSE 187 | PFLOAT Data2; // invalidate by setting Valid to FALSE 188 | ULONG AllocatedCount; 189 | BOOLEAN Valid; // indicates the data is valid 190 | } PH_GRAPH_BUFFERS, *PPH_GRAPH_BUFFERS; 191 | 192 | PHLIBAPI 193 | VOID PhInitializeGraphBuffers( 194 | _Out_ PPH_GRAPH_BUFFERS Buffers 195 | ); 196 | 197 | PHLIBAPI 198 | VOID PhDeleteGraphBuffers( 199 | _Inout_ PPH_GRAPH_BUFFERS Buffers 200 | ); 201 | 202 | PHLIBAPI 203 | VOID PhGetDrawInfoGraphBuffers( 204 | _Inout_ PPH_GRAPH_BUFFERS Buffers, 205 | 
_Inout_ PPH_GRAPH_DRAW_INFO DrawInfo, 206 | _In_ ULONG DataCount 207 | ); 208 | 209 | // Graph control state 210 | 211 | // The basic buffer management structure was moved out of this section because 212 | // the text management is not needed for most cases. 213 | 214 | typedef struct _PH_GRAPH_STATE 215 | { 216 | // Union for compatibility 217 | union 218 | { 219 | struct 220 | { 221 | PFLOAT Data1; // invalidate by setting Valid to FALSE 222 | PFLOAT Data2; // invalidate by setting Valid to FALSE 223 | ULONG AllocatedCount; 224 | BOOLEAN Valid; // indicates the data is valid 225 | }; 226 | PH_GRAPH_BUFFERS Buffers; 227 | }; 228 | 229 | PPH_STRING Text; 230 | PPH_STRING TooltipText; // invalidate by setting TooltipIndex to -1 231 | ULONG TooltipIndex; // indicates the tooltip text is valid for this index 232 | } PH_GRAPH_STATE, *PPH_GRAPH_STATE; 233 | 234 | PHLIBAPI 235 | VOID PhInitializeGraphState( 236 | _Out_ PPH_GRAPH_STATE State 237 | ); 238 | 239 | PHLIBAPI 240 | VOID PhDeleteGraphState( 241 | _Inout_ PPH_GRAPH_STATE State 242 | ); 243 | 244 | PHLIBAPI 245 | VOID PhGraphStateGetDrawInfo( 246 | _Inout_ PPH_GRAPH_STATE State, 247 | _In_ PPH_GRAPH_GETDRAWINFO GetDrawInfo, 248 | _In_ ULONG DataCount 249 | ); 250 | 251 | #ifdef __cplusplus 252 | } 253 | #endif 254 | 255 | #endif 256 | -------------------------------------------------------------------------------- /sdk/include/ref.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Process Hacker - 3 | * internal object manager 4 | * 5 | * Copyright (C) 2009-2016 wj32 6 | * 7 | * This file is part of Process Hacker. 8 | * 9 | * Process Hacker is free software; you can redistribute it and/or modify 10 | * it under the terms of the GNU General Public License as published by 11 | * the Free Software Foundation, either version 3 of the License, or 12 | * (at your option) any later version. 
13 | * 14 | * Process Hacker is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License 20 | * along with Process Hacker. If not, see . 21 | */ 22 | 23 | #ifndef _PH_REF_H 24 | #define _PH_REF_H 25 | 26 | #ifdef __cplusplus 27 | extern "C" { 28 | #endif 29 | 30 | // Configuration 31 | 32 | #define PH_OBJECT_SMALL_OBJECT_SIZE 48 33 | #define PH_OBJECT_SMALL_OBJECT_COUNT 512 34 | 35 | // Object type flags 36 | #define PH_OBJECT_TYPE_USE_FREE_LIST 0x00000001 37 | #define PH_OBJECT_TYPE_VALID_FLAGS 0x00000001 38 | 39 | // Object type callbacks 40 | 41 | /** 42 | * The delete procedure for an object type, called when an object of the type is being freed. 43 | * 44 | * \param Object A pointer to the object being freed. 45 | * \param Flags Reserved. 
46 | */ 47 | typedef VOID (NTAPI *PPH_TYPE_DELETE_PROCEDURE)( 48 | _In_ PVOID Object, 49 | _In_ ULONG Flags 50 | ); 51 | 52 | struct _PH_OBJECT_TYPE; 53 | typedef struct _PH_OBJECT_TYPE *PPH_OBJECT_TYPE; 54 | 55 | struct _PH_QUEUED_LOCK; 56 | typedef struct _PH_QUEUED_LOCK PH_QUEUED_LOCK, *PPH_QUEUED_LOCK; 57 | 58 | #ifdef DEBUG 59 | typedef VOID (NTAPI *PPH_CREATE_OBJECT_HOOK)( 60 | _In_ PVOID Object, 61 | _In_ SIZE_T Size, 62 | _In_ ULONG Flags, 63 | _In_ PPH_OBJECT_TYPE ObjectType 64 | ); 65 | #endif 66 | 67 | typedef struct _PH_OBJECT_TYPE_PARAMETERS 68 | { 69 | SIZE_T FreeListSize; 70 | ULONG FreeListCount; 71 | } PH_OBJECT_TYPE_PARAMETERS, *PPH_OBJECT_TYPE_PARAMETERS; 72 | 73 | typedef struct _PH_OBJECT_TYPE_INFORMATION 74 | { 75 | PWSTR Name; 76 | ULONG NumberOfObjects; 77 | USHORT Flags; 78 | UCHAR TypeIndex; 79 | UCHAR Reserved; 80 | } PH_OBJECT_TYPE_INFORMATION, *PPH_OBJECT_TYPE_INFORMATION; 81 | 82 | extern PPH_OBJECT_TYPE PhObjectTypeObject; 83 | extern PPH_OBJECT_TYPE PhAllocType; 84 | 85 | #ifdef DEBUG 86 | extern LIST_ENTRY PhDbgObjectListHead; 87 | extern PH_QUEUED_LOCK PhDbgObjectListLock; 88 | extern PPH_CREATE_OBJECT_HOOK PhDbgCreateObjectHook; 89 | #endif 90 | 91 | NTSTATUS PhRefInitialization( 92 | VOID 93 | ); 94 | 95 | _May_raise_ 96 | PHLIBAPI 97 | PVOID 98 | NTAPI 99 | PhCreateObject( 100 | _In_ SIZE_T ObjectSize, 101 | _In_ PPH_OBJECT_TYPE ObjectType 102 | ); 103 | 104 | PHLIBAPI 105 | PVOID 106 | NTAPI 107 | PhReferenceObject( 108 | _In_ PVOID Object 109 | ); 110 | 111 | _May_raise_ 112 | PHLIBAPI 113 | PVOID 114 | NTAPI 115 | PhReferenceObjectEx( 116 | _In_ PVOID Object, 117 | _In_ LONG RefCount 118 | ); 119 | 120 | PHLIBAPI 121 | PVOID 122 | NTAPI 123 | PhReferenceObjectSafe( 124 | _In_ PVOID Object 125 | ); 126 | 127 | PHLIBAPI 128 | VOID 129 | NTAPI 130 | PhDereferenceObject( 131 | _In_ PVOID Object 132 | ); 133 | 134 | PHLIBAPI 135 | VOID 136 | NTAPI 137 | PhDereferenceObjectDeferDelete( 138 | _In_ PVOID Object 139 | ); 140 | 141 | 
_May_raise_
PHLIBAPI
VOID
NTAPI
PhDereferenceObjectEx(
    _In_ PVOID Object,
    _In_ LONG RefCount,
    _In_ BOOLEAN DeferDelete
    );

PHLIBAPI
PPH_OBJECT_TYPE
NTAPI
PhGetObjectType(
    _In_ PVOID Object
    );

PHLIBAPI
PPH_OBJECT_TYPE
NTAPI
PhCreateObjectType(
    _In_ PWSTR Name,
    _In_ ULONG Flags,
    _In_opt_ PPH_TYPE_DELETE_PROCEDURE DeleteProcedure
    );

PHLIBAPI
PPH_OBJECT_TYPE
NTAPI
PhCreateObjectTypeEx(
    _In_ PWSTR Name,
    _In_ ULONG Flags,
    _In_opt_ PPH_TYPE_DELETE_PROCEDURE DeleteProcedure,
    _In_opt_ PPH_OBJECT_TYPE_PARAMETERS Parameters
    );

PHLIBAPI
VOID
NTAPI
PhGetObjectTypeInformation(
    _In_ PPH_OBJECT_TYPE ObjectType,
    _Out_ PPH_OBJECT_TYPE_INFORMATION Information
    );

PHLIBAPI
PVOID
NTAPI
PhCreateAlloc(
    _In_ SIZE_T Size
    );

// Object reference functions
//
// These inline helpers maintain the reference count of the object stored in a
// pointer-sized slot. None of them uses an interlocked operation on the slot
// itself, so callers that share a slot between threads must provide their own
// synchronization.

/**
 * Replaces the object stored in a reference slot with another object, adjusting
 * the reference counts of both.
 *
 * \param ObjectReference A pointer to the slot to update. The slot may hold NULL.
 * \param NewObject The object to store, or NULL to clear the slot.
 *
 * \remarks The new object is referenced before the old object is dereferenced.
 * This order matters when \a NewObject is the object already stored in the slot:
 * its count never drops to zero during the exchange, so the object cannot be
 * freed underneath the caller.
 */
FORCEINLINE
VOID
PhSwapReference(
    _Inout_ PVOID *ObjectReference,
    _In_opt_ PVOID NewObject
    )
{
    PVOID oldObject;

    oldObject = *ObjectReference;
    *ObjectReference = NewObject;

    if (NewObject) PhReferenceObject(NewObject);
    if (oldObject) PhDereferenceObject(oldObject);
}

/**
 * Replaces the object stored in a reference slot, transferring the caller's
 * existing reference to the new object into the slot instead of adding one.
 *
 * \param ObjectReference A pointer to the slot to update. The slot may hold NULL.
 * \param NewObject The object to store, or NULL to clear the slot. One reference
 * held by the caller is moved into the slot (see \c _Assume_refs_(1)); the caller
 * must not dereference \a NewObject afterwards.
 *
 * \remarks Only the previously stored object is dereferenced.
 */
FORCEINLINE
VOID
PhMoveReference(
    _Inout_ PVOID *ObjectReference,
    _In_opt_ _Assume_refs_(1) PVOID NewObject
    )
{
    PVOID oldObject;

    oldObject = *ObjectReference;
    *ObjectReference = NewObject;

    if (oldObject) PhDereferenceObject(oldObject);
}

/**
 * Initializes a reference slot with an object and adds a reference to it.
 *
 * \param ObjectReference A pointer to the slot to initialize. The slot is treated
 * as uninitialized (\c _Out_): whatever it held before is overwritten without
 * being dereferenced. For a slot that may already hold an object, use
 * PhSwapReference() instead to avoid leaking the previous reference.
 * \param NewObject The object to store, or NULL.
 */
FORCEINLINE
VOID
PhSetReference(
    _Out_ PVOID *ObjectReference,
    _In_opt_ PVOID NewObject
    )
{
    *ObjectReference = NewObject;

    if (NewObject) PhReferenceObject(NewObject);
}

FORCEINLINE
238 | VOID 239 | PhClearReference( 240 | _Inout_ PVOID *ObjectReference 241 | ) 242 | { 243 | PhMoveReference(ObjectReference, NULL); 244 | } 245 | 246 | // Auto-dereference pool 247 | 248 | /** The size of the static array in an auto-release pool. */ 249 | #define PH_AUTO_POOL_STATIC_SIZE 64 250 | /** The maximum size of the dynamic array for it to be kept after the auto-release pool is drained. */ 251 | #define PH_AUTO_POOL_DYNAMIC_BIG_SIZE 256 252 | 253 | /** 254 | * An auto-dereference pool can be used for semi-automatic reference counting. Batches of objects 255 | * are dereferenced at a certain time. 256 | * 257 | * This object is not thread-safe and cannot be used across thread boundaries. Always store them as 258 | * local variables. 259 | */ 260 | typedef struct _PH_AUTO_POOL 261 | { 262 | ULONG StaticCount; 263 | PVOID StaticObjects[PH_AUTO_POOL_STATIC_SIZE]; 264 | 265 | ULONG DynamicCount; 266 | ULONG DynamicAllocated; 267 | PVOID *DynamicObjects; 268 | 269 | struct _PH_AUTO_POOL *NextPool; 270 | } PH_AUTO_POOL, *PPH_AUTO_POOL; 271 | 272 | PHLIBAPI 273 | VOID 274 | NTAPI 275 | PhInitializeAutoPool( 276 | _Out_ PPH_AUTO_POOL AutoPool 277 | ); 278 | 279 | _May_raise_ 280 | PHLIBAPI 281 | VOID 282 | NTAPI 283 | PhDeleteAutoPool( 284 | _Inout_ PPH_AUTO_POOL AutoPool 285 | ); 286 | 287 | PHLIBAPI 288 | VOID 289 | NTAPI 290 | PhDrainAutoPool( 291 | _In_ PPH_AUTO_POOL AutoPool 292 | ); 293 | 294 | _May_raise_ 295 | PHLIBAPI 296 | PVOID 297 | NTAPI 298 | PhAutoDereferenceObject( 299 | _In_opt_ PVOID Object 300 | ); 301 | 302 | #define PH_AUTO PhAutoDereferenceObject 303 | #define PH_AUTO_T(Type, Object) ((Type *)PH_AUTO(Object)) 304 | 305 | #ifdef __cplusplus 306 | } 307 | #endif 308 | 309 | #endif 310 | -------------------------------------------------------------------------------- /sdk/include/ntpfapi.h: -------------------------------------------------------------------------------- 1 | #ifndef _NTPFAPI_H 2 | #define _NTPFAPI_H 3 | 4 | // begin_private 5 | 6 
// Prefetch
//
// NOTE(review): everything between the "// begin_private" and "// end_private" markers of this
// file mirrors private kernel structures, and the values tagged "// rev" were evidently filled in by
// hand rather than taken from a public SDK. Field order, field widths and the one-element trailing
// arrays are ABI shared with the kernel: do not reorder, pad or "modernise" them, and expect them to
// be valid only for the OS builds the upstream SDK was revised against.

// Boot phase identifiers; the numeric spacing (multiples of 30) is part of the value, not cosmetic.
typedef enum _PF_BOOT_PHASE_ID
{
    PfKernelInitPhase = 0,
    PfBootDriverInitPhase = 90,
    PfSystemDriverInitPhase = 120,
    PfSessionManagerInitPhase = 150,
    PfSMRegistryInitPhase = 180,
    PfVideoInitPhase = 210,
    PfPostVideoInitPhase = 240,
    PfBootAcceptedRegistryInitPhase = 270,
    PfUserShellReadyPhase = 300,
    PfMaxBootPhaseId = 900
} PF_BOOT_PHASE_ID;

typedef enum _PF_ENABLE_STATUS
{
    PfSvNotSpecified,
    PfSvEnabled,
    PfSvDisabled,
    PfSvMaxEnableStatus
} PF_ENABLE_STATUS;

typedef struct _PF_TRACE_LIMITS
{
    ULONG MaxNumPages;
    ULONG MaxNumSections;
    LONGLONG TimerPeriod;
} PF_TRACE_LIMITS, *PPF_TRACE_LIMITS;

// Payload of PrefetcherSystemParameters (query).
// The two WCHAR buffers are fixed-size and nothing here guarantees NUL termination, so bound any
// read of RootDirPath / HostingApplicationList by the array length instead of scanning for L'\0'.
typedef struct _PF_SYSTEM_PREFETCH_PARAMETERS
{
    PF_ENABLE_STATUS EnableStatus[2];
    PF_TRACE_LIMITS TraceLimits[2];
    ULONG MaxNumActiveTraces;
    ULONG MaxNumSavedTraces;
    WCHAR RootDirPath[32];
    WCHAR HostingApplicationList[128];
} PF_SYSTEM_PREFETCH_PARAMETERS, *PPF_SYSTEM_PREFETCH_PARAMETERS;

#define PF_BOOT_CONTROL_VERSION 1

// Payload of PrefetcherBootControl (set). Version must be PF_BOOT_CONTROL_VERSION.
typedef struct _PF_BOOT_CONTROL
{
    ULONG Version;
    ULONG DisableBootPrefetching;
} PF_BOOT_CONTROL, *PPF_BOOT_CONTROL;

// Trailing "q:" / "s:" notes give the payload type for query and set respectively. The numeric
// value of each member is what the kernel dispatches on, so new members may only be appended.
typedef enum _PREFETCHER_INFORMATION_CLASS
{
    PrefetcherRetrieveTrace = 1, // q: CHAR[]
    PrefetcherSystemParameters, // q: PF_SYSTEM_PREFETCH_PARAMETERS
    PrefetcherBootPhase, // s: PF_BOOT_PHASE_ID
    PrefetcherRetrieveBootLoaderTrace, // q: CHAR[]
    PrefetcherBootControl // s: PF_BOOT_CONTROL
} PREFETCHER_INFORMATION_CLASS;

// "rev": reverse-engineered. The magic is a multi-character constant, which ISO C leaves
// implementation-defined; on MSVC it stores the bytes 'C','h','u','k' in memory on little-endian.
#define PREFETCHER_INFORMATION_VERSION 23 // rev
#define PREFETCHER_INFORMATION_MAGIC ('kuhC') // rev

// Request envelope handed to the kernel. PrefetcherInformation is a raw caller pointer and
// PrefetcherInformationLength its size in bytes; presumably the kernel rejects a Version/Magic
// mismatch, but a caller should still zero-initialize the struct and fill every field explicitly.
typedef struct _PREFETCHER_INFORMATION
{
    ULONG Version;
    ULONG Magic;
    PREFETCHER_INFORMATION_CLASS PrefetcherInformationClass;
    PVOID PrefetcherInformation;
    ULONG PrefetcherInformationLength;
} PREFETCHER_INFORMATION, *PPREFETCHER_INFORMATION;

// Superfetch

// Payload of SuperfetchSystemParameters (query).
typedef struct _PF_SYSTEM_SUPERFETCH_PARAMETERS
{
    ULONG EnabledComponents;
    ULONG BootID;
    ULONG SavedSectInfoTracesMax;
    ULONG SavedPageAccessTracesMax;
    ULONG ScenarioPrefetchTimeoutStandby;
    ULONG ScenarioPrefetchTimeoutHibernate;
} PF_SYSTEM_SUPERFETCH_PARAMETERS, *PPF_SYSTEM_SUPERFETCH_PARAMETERS;

#define PF_PFN_PRIO_REQUEST_VERSION 1
#define PF_PFN_PRIO_REQUEST_QUERY_MEMORY_LIST 0x1
#define PF_PFN_PRIO_REQUEST_VALID_FLAGS 0x1

// Payload of SuperfetchPfnQuery (query). RequestFlags must be a subset of
// PF_PFN_PRIO_REQUEST_VALID_FLAGS. PageData has a fixed capacity of 256 entries, so a PfnCount
// above 256 cannot be honoured by this layout: bound it before the call rather than relying on the
// kernel to do so. SYSTEM_MEMORY_LIST_INFORMATION and MMPFN_IDENTITY are declared elsewhere.
typedef struct _PF_PFN_PRIO_REQUEST
{
    ULONG Version;
    ULONG RequestFlags;
    ULONG PfnCount;
    SYSTEM_MEMORY_LIST_INFORMATION MemInfo;
    MMPFN_IDENTITY PageData[256];
} PF_PFN_PRIO_REQUEST, *PPF_PFN_PRIO_REQUEST;

typedef enum _PFS_PRIVATE_PAGE_SOURCE_TYPE
{
    PfsPrivateSourceKernel,
    PfsPrivateSourceSession,
    PfsPrivateSourceProcess,
    PfsPrivateSourceMax
} PFS_PRIVATE_PAGE_SOURCE_TYPE;

// Anonymous union: presumably SessionId is the live member for PfsPrivateSourceSession and
// ProcessId for PfsPrivateSourceProcess, selected by Type — confirm before relying on it.
typedef struct _PFS_PRIVATE_PAGE_SOURCE
{
    PFS_PRIVATE_PAGE_SOURCE_TYPE Type;
    union
    {
        ULONG_PTR SessionId;
        ULONG_PTR ProcessId;
    };
    ULONG ImagePathHash;
    ULONG UniqueProcessHash;
} PFS_PRIVATE_PAGE_SOURCE, *PPFS_PRIVATE_PAGE_SOURCE;

// One private-source record. Judging by their names, EProcess / GlobalVA are kernel addresses
// returned to the caller (a KASLR disclosure for whoever can issue the query — confirm against the
// kernel). ImageName is CHAR[16] with no terminator guarantee: copy with an explicit bound.
typedef struct _PF_PRIVSOURCE_INFO
{
    PFS_PRIVATE_PAGE_SOURCE DbInfo;
    union
    {
        ULONG_PTR EProcess;
        ULONG_PTR GlobalVA;
    };
    ULONG WsPrivatePages;
    ULONG TotalPrivatePages;
    ULONG SessionID;
    CHAR ImageName[16];
} PF_PRIVSOURCE_INFO, *PPF_PRIVSOURCE_INFO;

#define PF_PRIVSOURCE_QUERY_REQUEST_VERSION 3

// Payload of SuperfetchPrivSourceQuery (query). InfoArray[1] is the classic one-element placeholder
// for a variable-length trailer: size the buffer as FIELD_OFFSET(..., InfoArray) +
// InfoCount * sizeof(PF_PRIVSOURCE_INFO) and never index beyond what was actually allocated. Not
// converted to a C99 flexible array member because the layout is shared with the kernel.
typedef struct _PF_PRIVSOURCE_QUERY_REQUEST
{
    ULONG Version;
    ULONG InfoCount;
    PF_PRIVSOURCE_INFO InfoArray[1];
} PF_PRIVSOURCE_QUERY_REQUEST, *PPF_PRIVSOURCE_QUERY_REQUEST;

typedef enum _PF_PHASED_SCENARIO_TYPE
{
    PfScenarioTypeNone,
    PfScenarioTypeStandby,
    PfScenarioTypeHibernate,
    PfScenarioTypeFUS,
    PfScenarioTypeMax
} PF_PHASED_SCENARIO_TYPE;

#define PF_SCENARIO_PHASE_INFO_VERSION 4

// Payload of SuperfetchScenarioQuery (query). Version must be PF_SCENARIO_PHASE_INFO_VERSION.
typedef struct _PF_SCENARIO_PHASE_INFO
{
    ULONG Version;
    PF_PHASED_SCENARIO_TYPE ScenType;
    ULONG PhaseId;
    ULONG SequenceNumber;
    ULONG Flags;
    ULONG FUSUserId;
} PF_SCENARIO_PHASE_INFO, *PPF_SCENARIO_PHASE_INFO;

// Node and Spare are bit-fields packed into the first ULONGLONG (8 + 56 bits).
typedef struct _PF_MEMORY_LIST_NODE
{
    ULONGLONG Node : 8;
    ULONGLONG Spare : 56;
    ULONGLONG StandbyLowPageCount;
    ULONGLONG StandbyMediumPageCount;
    ULONGLONG StandbyHighPageCount;
    ULONGLONG FreePageCount;
    ULONGLONG ModifiedPageCount;
} PF_MEMORY_LIST_NODE, *PPF_MEMORY_LIST_NODE;

#define PF_MEMORY_LIST_INFO_VERSION 1

// Payload of SuperfetchMemoryListQuery (query). Nodes[1] is a variable-length trailer of NodeCount
// entries (see the note on PF_PRIVSOURCE_QUERY_REQUEST); Size is presumably the total byte size.
typedef struct _PF_MEMORY_LIST_INFO
{
    ULONG Version;
    ULONG Size;
    ULONG NodeCount;
    PF_MEMORY_LIST_NODE Nodes[1];
} PF_MEMORY_LIST_INFO, *PPF_MEMORY_LIST_INFO;

// BasePfn and PageCount are 32-bit, so a single range can describe at most 2^32 pages
// (16 TiB at 4 KiB pages); larger physical ranges must be split across entries.
typedef struct _PF_PHYSICAL_MEMORY_RANGE
{
    ULONG BasePfn;
    ULONG PageCount;
} PF_PHYSICAL_MEMORY_RANGE, *PPF_PHYSICAL_MEMORY_RANGE;

#define PF_PHYSICAL_MEMORY_RANGE_INFO_VERSION 1

// Payload of SuperfetchMemoryRangesQuery (query). Ranges[1] is a variable-length trailer of
// RangeCount entries (see the note on PF_PRIVSOURCE_QUERY_REQUEST).
typedef struct _PF_PHYSICAL_MEMORY_RANGE_INFO
{
    ULONG Version;
    ULONG RangeCount;
    PF_PHYSICAL_MEMORY_RANGE Ranges[1];
} PF_PHYSICAL_MEMORY_RANGE_INFO, *PPF_PHYSICAL_MEMORY_RANGE_INFO;

// begin_rev

#define PF_REPURPOSED_BY_PREFETCH_INFO_VERSION 1

// Payload of SuperfetchRepurposedByPrefetch (query).
typedef struct _PF_REPURPOSED_BY_PREFETCH_INFO
{
    ULONG Version;
    ULONG RepurposedByPrefetch;
} PF_REPURPOSED_BY_PREFETCH_INFO, *PPF_REPURPOSED_BY_PREFETCH_INFO;

// end_rev

// Members without a "q:" / "s:" note have no payload type documented here. Values are sequential
// from 1 (the "// 10" note on SuperfetchScenarioPhase is a checkpoint, not an override), and the
// kernel dispatches on the value, so members may only be appended.
typedef enum _SUPERFETCH_INFORMATION_CLASS
{
    SuperfetchRetrieveTrace = 1, // q: CHAR[]
    SuperfetchSystemParameters, // q: PF_SYSTEM_SUPERFETCH_PARAMETERS
    SuperfetchLogEvent,
    SuperfetchGenerateTrace,
    SuperfetchPrefetch,
    SuperfetchPfnQuery, // q: PF_PFN_PRIO_REQUEST
    SuperfetchPfnSetPriority,
    SuperfetchPrivSourceQuery, // q: PF_PRIVSOURCE_QUERY_REQUEST
    SuperfetchSequenceNumberQuery, // q: ULONG
    SuperfetchScenarioPhase, // 10
    SuperfetchWorkerPriority,
    SuperfetchScenarioQuery, // q: PF_SCENARIO_PHASE_INFO
    SuperfetchScenarioPrefetch,
    SuperfetchRobustnessControl,
    SuperfetchTimeControl,
    SuperfetchMemoryListQuery, // q: PF_MEMORY_LIST_INFO
    SuperfetchMemoryRangesQuery, // q: PF_PHYSICAL_MEMORY_RANGE_INFO
    SuperfetchTracingControl,
    SuperfetchTrimWhileAgingControl,
    SuperfetchRepurposedByPrefetch, // q: PF_REPURPOSED_BY_PREFETCH_INFO // rev
    SuperfetchInformationMax
} SUPERFETCH_INFORMATION_CLASS;

// Same magic as the prefetcher envelope (see the note on PREFETCHER_INFORMATION_MAGIC);
// the version differs and is also reverse-engineered.
#define SUPERFETCH_INFORMATION_VERSION 45 // rev
#define SUPERFETCH_INFORMATION_MAGIC ('kuhC') // rev

// Request envelope for the Superfetch classes. Data is a raw caller pointer and Length its size in
// bytes; the payload type is the one listed next to InfoClass above.
typedef struct _SUPERFETCH_INFORMATION
{
    ULONG Version;
    ULONG Magic;
    SUPERFETCH_INFORMATION_CLASS InfoClass;
    PVOID Data;
    ULONG Length;
} SUPERFETCH_INFORMATION, *PSUPERFETCH_INFORMATION;

// end_private

#endif
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.rsuser 8 | *.suo 9 | *.user 10 | *.userosscache 11 | *.sln.docstates 12 | 13 | # User-specific files (MonoDevelop/Xamarin Studio) 14 | *.userprefs 15 | 16 | # Mono auto generated files 17 | mono_crash.* 18 | 19 | # Build results 20 | [Dd]ebug/ 21 | [Dd]ebugPublic/ 22 | [Rr]elease/ 23 | [Rr]eleases/ 24 | x64/ 25 | x86/ 26 | [Ww][Ii][Nn]32/ 27 | [Aa][Rr][Mm]/ 28 | [Aa][Rr][Mm]64/ 29 | bld/ 30 | [Bb]in/ 31 | [Oo]bj/ 32 | [Oo]ut/ 33 | [Ll]og/ 34 | [Ll]ogs/ 35 | 36 | # Visual Studio 2015/2017 cache/options directory 37 | .vs/ 38 | # Uncomment if you have tasks that create the project's static files in wwwroot 39 | #wwwroot/ 40 | 41 | # Visual Studio 2017 auto generated files 42 | Generated\ Files/ 43 | 44 | # MSTest test Results 45 | [Tt]est[Rr]esult*/ 46 | [Bb]uild[Ll]og.* 47 | 48 | # NUnit 49 | *.VisualState.xml 50 | TestResult.xml 51 | nunit-*.xml 52 | 53 | # Build Results of an ATL Project 54 | [Dd]ebugPS/ 55 | [Rr]eleasePS/ 56 | dlldata.c 57 | 58 | # Benchmark Results 59 | BenchmarkDotNet.Artifacts/ 60 | 61 | # .NET Core 62 | project.lock.json 63 | project.fragment.lock.json 64 | artifacts/ 65 | 66 | # ASP.NET Scaffolding 67 | ScaffoldingReadMe.txt 68 | 69 | # StyleCop 70 | StyleCopReport.xml 71 | 72 | # Files built by Visual Studio 73 | *_i.c 74 | *_p.c 75 | *.ilk 76 | *.meta 77 | *.obj 78 | *.iobj 79 | *.pch 80 | *.pdb 81 | *.ipdb 82 | *.pgc 83 | *.pgd 84 | *.rsp 85 | *.sbr 86 | *.tlb 87 | *.tli 88 | *.tlh 89 | *.tmp 90 | *.tmp_proj 91 | *_wpftmp.csproj 92 | *.log 93 | *.vspscc 94 | *.vssscc 95 | .builds 96 | *.pidb 97 | *.svclog 98 | *.scc 99 | 100 | # Chutzpah Test files 101 | _Chutzpah* 102 | 103 | # Visual C++ cache files 104 | ipch/ 105 | *.aps 106 | *.ncb 107 | *.opendb 108 | *.opensdf 109 | *.sdf 110 | *.cachefile 111 | *.VC.db 112 | *.VC.VC.opendb 113 | 114 | # Visual Studio profiler 115 | *.psess 116 | *.vsp 117 | 
*.vspx 118 | *.sap 119 | 120 | # Visual Studio Trace Files 121 | *.e2e 122 | 123 | # TFS 2012 Local Workspace 124 | $tf/ 125 | 126 | # Guidance Automation Toolkit 127 | *.gpState 128 | 129 | # ReSharper is a .NET coding add-in 130 | _ReSharper*/ 131 | *.[Rr]e[Ss]harper 132 | *.DotSettings.user 133 | 134 | # TeamCity is a build add-in 135 | _TeamCity* 136 | 137 | # DotCover is a Code Coverage Tool 138 | *.dotCover 139 | 140 | # AxoCover is a Code Coverage Tool 141 | .axoCover/* 142 | !.axoCover/settings.json 143 | 144 | # Coverlet is a free, cross platform Code Coverage Tool 145 | coverage*.json 146 | coverage*.xml 147 | coverage*.info 148 | 149 | # Visual Studio code coverage results 150 | *.coverage 151 | *.coveragexml 152 | 153 | # NCrunch 154 | _NCrunch_* 155 | .*crunch*.local.xml 156 | nCrunchTemp_* 157 | 158 | # MightyMoose 159 | *.mm.* 160 | AutoTest.Net/ 161 | 162 | # Web workbench (sass) 163 | .sass-cache/ 164 | 165 | # Installshield output folder 166 | [Ee]xpress/ 167 | 168 | # DocProject is a documentation generator add-in 169 | DocProject/buildhelp/ 170 | DocProject/Help/*.HxT 171 | DocProject/Help/*.HxC 172 | DocProject/Help/*.hhc 173 | DocProject/Help/*.hhk 174 | DocProject/Help/*.hhp 175 | DocProject/Help/Html2 176 | DocProject/Help/html 177 | 178 | # Click-Once directory 179 | publish/ 180 | 181 | # Publish Web Output 182 | *.[Pp]ublish.xml 183 | *.azurePubxml 184 | # Note: Comment the next line if you want to checkin your web deploy settings, 185 | # but database connection strings (with potential passwords) will be unencrypted 186 | *.pubxml 187 | *.publishproj 188 | 189 | # Microsoft Azure Web App publish settings. 
# Comment the next line if you want to
# checkin your Azure Web App publish settings, but sensitive information contained
# in these scripts will be unencrypted
PublishScripts/

# NuGet Packages
*.nupkg
# NuGet Symbol Packages
*.snupkg
# The packages folder can be ignored because of Package Restore
**/[Pp]ackages/*
# except build/, which is used as an MSBuild target.
!**/[Pp]ackages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/[Pp]ackages/repositories.config
# NuGet v3's project.json files produce more ignorable files
*.nuget.props
*.nuget.targets

# Microsoft Azure Build Output
csx/
*.build.csdef

# Microsoft Azure Emulator
ecf/
rcf/

# Windows Store app package directories and files
AppPackages/
BundleArtifacts/
Package.StoreAssociation.xml
_pkginfo.txt
*.appx
*.appxbundle
*.appxupload

# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!?*.[Cc]ache/

# Others
ClientBin/
~$*
*~
*.dbmdl
*.dbproj.schemaview
*.jfm
*.pfx
*.publishsettings
orleans.codegen.cs

# Strong-name key files (*.snk) contain a private signing key, so committing one is a security
# risk. The upstream template leaves the pattern below commented out (see the linked discussion),
# which means *.snk files are NOT ignored by this file: uncomment it, or keep signing keys outside
# the working tree, if this project ever signs assemblies.
# (https://github.com/github/gitignore/pull/2483#issue-259490424)
#*.snk

# Since there are multiple workflows, uncomment next line to ignore bower_components
# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
#bower_components/

# RIA/Silverlight projects
Generated_Code/

# Backup & report files from converting an old project file
# to a newer Visual Studio version.
Backup files are not needed, 255 | # because we have git ;-) 256 | _UpgradeReport_Files/ 257 | Backup*/ 258 | UpgradeLog*.XML 259 | UpgradeLog*.htm 260 | ServiceFabricBackup/ 261 | *.rptproj.bak 262 | 263 | # SQL Server files 264 | *.mdf 265 | *.ldf 266 | *.ndf 267 | 268 | # Business Intelligence projects 269 | *.rdl.data 270 | *.bim.layout 271 | *.bim_*.settings 272 | *.rptproj.rsuser 273 | *- [Bb]ackup.rdl 274 | *- [Bb]ackup ([0-9]).rdl 275 | *- [Bb]ackup ([0-9][0-9]).rdl 276 | 277 | # Microsoft Fakes 278 | FakesAssemblies/ 279 | 280 | # GhostDoc plugin setting file 281 | *.GhostDoc.xml 282 | 283 | # Node.js Tools for Visual Studio 284 | .ntvs_analysis.dat 285 | node_modules/ 286 | 287 | # Visual Studio 6 build log 288 | *.plg 289 | 290 | # Visual Studio 6 workspace options file 291 | *.opt 292 | 293 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 294 | *.vbw 295 | 296 | # Visual Studio LightSwitch build output 297 | **/*.HTMLClient/GeneratedArtifacts 298 | **/*.DesktopClient/GeneratedArtifacts 299 | **/*.DesktopClient/ModelManifest.xml 300 | **/*.Server/GeneratedArtifacts 301 | **/*.Server/ModelManifest.xml 302 | _Pvt_Extensions 303 | 304 | # Paket dependency manager 305 | .paket/paket.exe 306 | paket-files/ 307 | 308 | # FAKE - F# Make 309 | .fake/ 310 | 311 | # CodeRush personal settings 312 | .cr/personal 313 | 314 | # Python Tools for Visual Studio (PTVS) 315 | __pycache__/ 316 | *.pyc 317 | 318 | # Cake - Uncomment if you are using it 319 | # tools/** 320 | # !tools/packages.config 321 | 322 | # Tabs Studio 323 | *.tss 324 | 325 | # Telerik's JustMock configuration file 326 | *.jmconfig 327 | 328 | # BizTalk build output 329 | *.btp.cs 330 | *.btm.cs 331 | *.odx.cs 332 | *.xsd.cs 333 | 334 | # OpenCover UI analysis results 335 | OpenCover/ 336 | 337 | # Azure Stream Analytics local run output 338 | ASALocalRun/ 339 | 340 | # MSBuild Binary and Structured Log 341 | *.binlog 342 | 343 | # NVidia Nsight GPU debugger 
# configuration file
*.nvuser

# MFractors (Xamarin productivity tool) working folder
.mfractor/

# Local History for Visual Studio
.localhistory/

# BeatPulse healthcheck temp database
healthchecksdb

# Backup folder for Package Reference Convert tool in Visual Studio 2017
MigrationBackup/

# Ionide (cross platform F# VS Code tools) working folder
.ionide/

# Fody - auto-generated XML schema
FodyWeavers.xsd
--------------------------------------------------------------------------------
/sdk/include/kphapi.h:
--------------------------------------------------------------------------------
#ifndef _KPHAPI_H
#define _KPHAPI_H

// This file contains KProcessHacker definitions shared across kernel-mode and user-mode.
//
// NOTE(review): because every struct here crosses the user/kernel boundary, layouts are ABI.
// This copy lives under sdk/ as a vendored Process Hacker header: keep it byte-identical to
// upstream so it can be diffed and refreshed, and put project-specific changes in the plugin.

// Process information

// Only reserved members remain; the enum is kept so the numeric values stay allocated.
typedef enum _KPH_PROCESS_INFORMATION_CLASS
{
    KphProcessReserved1 = 1,
    KphProcessReserved2 = 2,
    KphProcessReserved3 = 3,
    MaxKphProcessInfoClass
} KPH_PROCESS_INFORMATION_CLASS;

// Thread information

typedef enum _KPH_THREAD_INFORMATION_CLASS
{
    KphThreadReserved1 = 1,
    KphThreadReserved2 = 2,
    KphThreadReserved3 = 3,
    MaxKphThreadInfoClass
} KPH_THREAD_INFORMATION_CLASS;

// Process handle information

// One entry of a handle-table snapshot (KPH_ENUMERATEPROCESSHANDLES). Object is presumably the
// kernel-mode object pointer behind the handle, handed to user mode: treat it as an opaque identity
// for correlating handles, never as something to read through, and note that exposing it is a KASLR
// disclosure to every client the driver admits. GrantedAccess is the handle's actual access mask —
// the value any "can this handle do X" decision should be based on, not the requested access.
typedef struct _KPH_PROCESS_HANDLE
{
    HANDLE Handle;
    PVOID Object;
    ACCESS_MASK GrantedAccess;
    USHORT ObjectTypeIndex;
    USHORT Reserved1;
    ULONG HandleAttributes;
    ULONG Reserved2;
} KPH_PROCESS_HANDLE, *PKPH_PROCESS_HANDLE;

// Handles[1] is a one-element placeholder for HandleCount trailing entries: allocate
// FIELD_OFFSET(KPH_PROCESS_HANDLE_INFORMATION, Handles) + HandleCount * sizeof(KPH_PROCESS_HANDLE)
// and check the returned length before indexing. Kept as [1] (not a flexible array member) because
// the layout is shared with the driver.
typedef struct _KPH_PROCESS_HANDLE_INFORMATION
{
    ULONG HandleCount;
    KPH_PROCESS_HANDLE Handles[1];
} KPH_PROCESS_HANDLE_INFORMATION, *PKPH_PROCESS_HANDLE_INFORMATION;

// Object information

// "q:" = query payload, "s:" = set payload. KphObjectHandleFlagInformation is the only "qs" member,
// i.e. the only object property this interface can modify (handle inherit/protect flags).
typedef enum _KPH_OBJECT_INFORMATION_CLASS
{
    KphObjectBasicInformation, // q: OBJECT_BASIC_INFORMATION
    KphObjectNameInformation, // q: OBJECT_NAME_INFORMATION
    KphObjectTypeInformation, // q: OBJECT_TYPE_INFORMATION
    KphObjectHandleFlagInformation, // qs: OBJECT_HANDLE_FLAG_INFORMATION
    KphObjectProcessBasicInformation, // q: PROCESS_BASIC_INFORMATION
    KphObjectThreadBasicInformation, // q: THREAD_BASIC_INFORMATION
    KphObjectEtwRegBasicInformation, // q: ETWREG_BASIC_INFORMATION
    KphObjectFileObjectInformation, // q: KPH_FILE_OBJECT_INFORMATION
    KphObjectFileObjectDriver, // q: KPH_FILE_OBJECT_DRIVER
    MaxKphObjectInfoClass
} KPH_OBJECT_INFORMATION_CLASS;

// Payload of KphObjectFileObjectInformation: a snapshot of FILE_OBJECT state for a file handle.
typedef struct _KPH_FILE_OBJECT_INFORMATION
{
    BOOLEAN LockOperation;
    BOOLEAN DeletePending;
    BOOLEAN ReadAccess;
    BOOLEAN WriteAccess;
    BOOLEAN DeleteAccess;
    BOOLEAN SharedRead;
    BOOLEAN SharedWrite;
    BOOLEAN SharedDelete;
    LARGE_INTEGER CurrentByteOffset;
    ULONG Flags;
} KPH_FILE_OBJECT_INFORMATION, *PKPH_FILE_OBJECT_INFORMATION;

// Payload of KphObjectFileObjectDriver. DriverHandle is a handle created for the caller —
// presumably the caller owns it and must close it (confirm against the driver).
typedef struct _KPH_FILE_OBJECT_DRIVER
{
    HANDLE DriverHandle;
} KPH_FILE_OBJECT_DRIVER, *PKPH_FILE_OBJECT_DRIVER;

// Driver information

typedef enum _DRIVER_INFORMATION_CLASS
{
    DriverBasicInformation,
    DriverNameInformation,
    DriverServiceKeyNameInformation,
    MaxDriverInfoClass
} DRIVER_INFORMATION_CLASS;

// DriverStart is a kernel image base returned to user mode (same KASLR caveat as above).
typedef struct _DRIVER_BASIC_INFORMATION
{
    ULONG Flags;
    PVOID DriverStart;
    ULONG DriverSize;
} DRIVER_BASIC_INFORMATION, *PDRIVER_BASIC_INFORMATION;

// UNICODE_STRING payloads: Length/MaximumLength are in bytes, and the buffer is not necessarily
// NUL-terminated — the string data presumably follows the header in the same output buffer.
typedef struct _DRIVER_NAME_INFORMATION
{
    UNICODE_STRING DriverName;
} DRIVER_NAME_INFORMATION, *PDRIVER_NAME_INFORMATION;

typedef struct _DRIVER_SERVICE_KEY_NAME_INFORMATION
{
    UNICODE_STRING ServiceKeyName;
} DRIVER_SERVICE_KEY_NAME_INFORMATION, *PDRIVER_SERVICE_KEY_NAME_INFORMATION;

// ETW registration object information

typedef struct _ETWREG_BASIC_INFORMATION
{
    GUID Guid;
    ULONG_PTR SessionId;
} ETWREG_BASIC_INFORMATION, *PETWREG_BASIC_INFORMATION;

// Device

// The device name is fixed and well known, so any local process can attempt to open
// \Device\KProcessHacker3; what it is then allowed to do is decided by the security level and the
// client verification below, not by obscurity.
#define KPH_DEVICE_SHORT_NAME L"KProcessHacker3"
#define KPH_DEVICE_TYPE 0x9999
#define KPH_DEVICE_NAME (L"\\Device\\" KPH_DEVICE_SHORT_NAME)

// Parameters

// Admission policy for clients of the device. KphSecurityNone admits every local client that can
// open the device, so whoever deploys the driver is choosing how widely the "protected" control
// codes below are exposed; the levels that require a trusted signature are the ones that bind the
// driver to a specific, signed user-mode binary.
typedef enum _KPH_SECURITY_LEVEL
{
    KphSecurityNone = 0, // all clients are allowed
    KphSecurityPrivilegeCheck = 1, // require SeDebugPrivilege
    KphSecuritySignatureCheck = 2, // require trusted signature
    KphSecuritySignatureAndPrivilegeCheck = 3, // require trusted signature and SeDebugPrivilege
    KphMaxSecurityLevel
} KPH_SECURITY_LEVEL, *PKPH_SECURITY_LEVEL;

// Per-OS-build structure data. The member names (EgeGuid, EpObjectTable, OtName, ...) suggest these
// are byte offsets / shift counts into undocumented kernel structures — confirm against the driver.
// A wrong value for a given build is not a functional bug but a kernel memory-safety bug, so the
// source of these tables is part of the driver's trusted computing base.
typedef struct _KPH_DYN_STRUCT_DATA
{
    SHORT EgeGuid;
    SHORT EpObjectTable;
    SHORT Reserved0;
    SHORT Reserved1;
    SHORT Reserved2;
    SHORT EreGuidEntry;
    SHORT HtHandleContentionEvent;
    SHORT OtName;
    SHORT OtIndex;
    SHORT ObDecodeShift;
    SHORT ObAttributesShift;
} KPH_DYN_STRUCT_DATA, *PKPH_DYN_STRUCT_DATA;

// One (OS version -> structure data) mapping. ServicePackMajor and BuildNumber are USHORT, so
// "-1 to ignore" means the wildcard is (USHORT)-1 == 0xFFFF, not a negative value.
typedef struct _KPH_DYN_PACKAGE
{
    USHORT MajorVersion;
    USHORT MinorVersion;
    USHORT ServicePackMajor; // -1 to ignore
    USHORT BuildNumber; // -1 to ignore
    ULONG ResultingNtVersion; // PHNT_*
    KPH_DYN_STRUCT_DATA StructData;
} KPH_DYN_PACKAGE, *PKPH_DYN_PACKAGE;

#define KPH_DYN_CONFIGURATION_VERSION 3
#define KPH_DYN_MAXIMUM_PACKAGES 64

// Packages[1] is a variable-length trailer of NumberOfPackages entries. Any consumer should reject
// Version != KPH_DYN_CONFIGURATION_VERSION, NumberOfPackages > KPH_DYN_MAXIMUM_PACKAGES, and a buffer
// too small to hold NumberOfPackages entries, before indexing Packages.
typedef struct _KPH_DYN_CONFIGURATION
{
    ULONG Version;
    ULONG NumberOfPackages;
    KPH_DYN_PACKAGE Packages[1];
} KPH_DYN_CONFIGURATION, *PKPH_DYN_CONFIGURATION;

// Verification

// Client-verification primitives, visible only once bcrypt.h has been included: ECDSA on the P-256
// curve (KPH_SIGN_ALGORITHM_BITS = 256 matches the curve) over a SHA-256 digest, with the public key
// exchanged as a BCRYPT_ECCPUBLIC_BLOB.
#ifdef __BCRYPT_H__
#define KPH_SIGN_ALGORITHM BCRYPT_ECDSA_P256_ALGORITHM
#define KPH_SIGN_ALGORITHM_BITS 256
#define KPH_HASH_ALGORITHM BCRYPT_SHA256_ALGORITHM
#define KPH_BLOB_PUBLIC BCRYPT_ECCPUBLIC_BLOB
#endif

// Upper bound on the signature blob a client may hand the driver: 128 * 1024 = 131072 bytes
// (128 KiB). Any reader of such a blob should check the length against this before allocating.
#define KPH_SIGNATURE_MAX_SIZE (128 * 1024) // 128 kB

// KPH_KEY is only 32 bits wide; a ULONG cannot carry a cryptographic-strength secret by itself, so
// treat it as a short-lived session token rather than as the proof of client identity (that is what
// the signature check is for). NOTE(review): confirm how the driver derives and checks it — the
// KPH_RETRIEVEKEY / KPH_VERIFYCLIENT handlers are not in this header.
typedef ULONG KPH_KEY, *PKPH_KEY;

// Presumably the key tier a client holds; the "L1/L2 protected API" notes on the control codes
// below appear to refer to these levels.
typedef enum _KPH_KEY_LEVEL
{
    KphKeyLevel1 = 1,
    KphKeyLevel2 = 2
} KPH_KEY_LEVEL;

// 100 * 1000 * 10 = 1,000,000 units; with the NT 100-ns relative-time tick that is the 100 ms
// the comment states. Presumably a rate limit applied to key retrieval.
#define KPH_KEY_BACKOFF_TIME ((LONGLONG)(100 * 1000 * 10)) // 100ms

// Access masks the driver grants for read-only use of a process/thread/token.
#define KPH_PROCESS_READ_ACCESS \
    (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ)
#define KPH_THREAD_READ_ACCESS \
    (THREAD_QUERY_INFORMATION | THREAD_QUERY_LIMITED_INFORMATION | THREAD_GET_CONTEXT)
#define KPH_TOKEN_READ_ACCESS \
    (TOKEN_QUERY | TOKEN_QUERY_SOURCE)

// Features

// No features defined.

// Control codes

// Every control code uses METHOD_NEITHER: the I/O manager neither copies nor maps the caller's
// input/output buffers, so the driver receives raw user-mode pointers and must probe, capture and
// validate every byte itself (that code lives in the driver, not in this header). FILE_ANY_ACCESS
// means the device handle's granted access is not consulted per IOCTL either; admission rests
// entirely on the security-level and client-verification logic above.
// NOTE(review): x is used unparenthesized in "0x800 + x". Every use below passes a bare integer
// literal, so it is harmless today; left as-is to stay byte-identical to the upstream SDK header.
#define KPH_CTL_CODE(x) CTL_CODE(KPH_DEVICE_TYPE, 0x800 + x, METHOD_NEITHER, FILE_ANY_ACCESS)

// General
#define KPH_GETFEATURES KPH_CTL_CODE(0)
#define KPH_VERIFYCLIENT KPH_CTL_CODE(1)
#define KPH_RETRIEVEKEY KPH_CTL_CODE(2) // User-mode only

// Processes
// The calls marked "protected" are the ones a monitoring tool needs and, by the same token, the
// ones most attractive to anyone else who can get a signed copy of this driver loaded; that is the
// reason the security levels above exist.
#define KPH_OPENPROCESS KPH_CTL_CODE(50) // L1/L2 protected API
#define KPH_OPENPROCESSTOKEN KPH_CTL_CODE(51) // L1/L2 protected API
#define KPH_OPENPROCESSJOB KPH_CTL_CODE(52)
#define KPH_RESERVED53 KPH_CTL_CODE(53)
#define KPH_RESERVED54 KPH_CTL_CODE(54)
#define KPH_TERMINATEPROCESS KPH_CTL_CODE(55) // L2 protected API
#define KPH_RESERVED56 KPH_CTL_CODE(56)
#define KPH_RESERVED57 KPH_CTL_CODE(57)
#define KPH_READVIRTUALMEMORYUNSAFE KPH_CTL_CODE(58) // L2 protected API
#define KPH_QUERYINFORMATIONPROCESS KPH_CTL_CODE(59)
#define KPH_SETINFORMATIONPROCESS KPH_CTL_CODE(60)

// Threads
#define KPH_OPENTHREAD KPH_CTL_CODE(100) // L1/L2 protected API
#define KPH_OPENTHREADPROCESS KPH_CTL_CODE(101)
#define KPH_RESERVED102 KPH_CTL_CODE(102)
#define KPH_RESERVED103 KPH_CTL_CODE(103)
#define KPH_RESERVED104 KPH_CTL_CODE(104)
#define KPH_RESERVED105 KPH_CTL_CODE(105)
#define KPH_CAPTURESTACKBACKTRACETHREAD KPH_CTL_CODE(106)
#define KPH_QUERYINFORMATIONTHREAD KPH_CTL_CODE(107)
#define KPH_SETINFORMATIONTHREAD KPH_CTL_CODE(108)

// Handles
#define KPH_ENUMERATEPROCESSHANDLES KPH_CTL_CODE(150)
#define KPH_QUERYINFORMATIONOBJECT KPH_CTL_CODE(151)
#define KPH_SETINFORMATIONOBJECT KPH_CTL_CODE(152)
#define KPH_RESERVED153 KPH_CTL_CODE(153)

// Misc.
#define KPH_OPENDRIVER KPH_CTL_CODE(200)
#define KPH_QUERYINFORMATIONDRIVER KPH_CTL_CODE(201)

#endif
--------------------------------------------------------------------------------
/sdk/include/symprv.h:
--------------------------------------------------------------------------------
#ifndef _PH_SYMPRV_H
#define _PH_SYMPRV_H

#ifdef __cplusplus
extern "C" {
#endif

extern PPH_OBJECT_TYPE PhSymbolProviderType;
extern PH_CALLBACK PhSymInitCallback;

// Maximum symbol name length (in characters) the provider reports.
#define PH_MAX_SYMBOL_NAME_LEN 128

// A per-process symbol provider. ProcessHandle is the handle symbol lookups run against;
// IsRealHandle distinguishes a genuine process handle from a placeholder (presumably a pseudo
// handle or process id — confirm). Access to the module list is guarded by ModulesListLock.
typedef struct _PH_SYMBOL_PROVIDER
{
    LIST_ENTRY ModulesListHead;
    PH_QUEUED_LOCK ModulesListLock;
    HANDLE ProcessHandle;
    BOOLEAN IsRealHandle;
    BOOLEAN IsRegistered;

    PH_INITONCE InitOnce;
    PH_AVL_TREE ModulesSet;
    PH_CALLBACK EventCallback;
} PH_SYMBOL_PROVIDER, *PPH_SYMBOL_PROVIDER;

// How precisely an address could be resolved, from best (a function symbol) to worst (nothing).
typedef enum _PH_SYMBOL_RESOLVE_LEVEL
{
    PhsrlFunction,
    PhsrlModule,
    PhsrlAddress,
    PhsrlInvalid
} PH_SYMBOL_RESOLVE_LEVEL, *PPH_SYMBOL_RESOLVE_LEVEL;

typedef struct _PH_SYMBOL_INFORMATION
{
    ULONG64 Address;
    ULONG64 ModuleBase;
    ULONG Index;
    ULONG Size;
} PH_SYMBOL_INFORMATION, *PPH_SYMBOL_INFORMATION;

typedef struct _PH_SYMBOL_LINE_INFORMATION
{
    ULONG LineNumber;
    ULONG64 Address;
} PH_SYMBOL_LINE_INFORMATION, *PPH_SYMBOL_LINE_INFORMATION;

// Symbol-loading events delivered through PH_SYMBOL_PROVIDER.EventCallback. The values are not
// contiguous (4 jumps to 7), so do not iterate over or table-index by this enum.
typedef enum _PH_SYMBOL_EVENT_TYPE
{
    SymbolDeferredSymbolLoadStart = 1,
    SymbolDeferredSymbolLoadComplete = 2,
    SymbolDeferredSymbolLoadFailure = 3,
    SymbolSymbolsUnloaded = 4,
    SymbolDeferredSymbolLoadCancel = 7
} PH_SYMBOL_EVENT_TYPE;

// Event payload. FileName is a PPH_STRING (reference-counted; see ref.h) — presumably owned by the
// provider for the duration of the callback, so reference it before keeping it.
typedef struct _PH_SYMBOL_EVENT_DATA
{
    PPH_SYMBOL_PROVIDER SymbolProvider;
    PH_SYMBOL_EVENT_TYPE Type;

    ULONG64 BaseAddress;
    ULONG CheckSum;
    ULONG TimeStamp;
    PPH_STRING FileName;
} PH_SYMBOL_EVENT_DATA, *PPH_SYMBOL_EVENT_DATA;

/** Initializes the symbol provider subsystem. \return TRUE on success. */
PHLIBAPI
BOOLEAN
NTAPI
PhSymbolProviderInitialization(
    VOID
    );

/**
 * Completes initialization once dbghelp is available.
 * \param DbgHelpBase Optional module base of the already-loaded dbghelp.dll.
 */
PHLIBAPI
VOID
NTAPI
PhSymbolProviderCompleteInitialization(
    _In_opt_ PVOID DbgHelpBase
    );

/**
 * Creates a symbol provider for a process.
 * \param ProcessId Optional process id; NULL presumably yields a provider without a target process.
 * \return A new provider object. It is reference-counted (see ref.h): release it with the
 *         ref.h helpers (e.g. PhClearReference or PH_AUTO) when done.
 */
PHLIBAPI
PPH_SYMBOL_PROVIDER
NTAPI
PhCreateSymbolProvider(
    _In_opt_ HANDLE ProcessId
    );

/**
 * Resolves an address to a source file and line.
 * \param FileName Receives a referenced PPH_STRING; only valid when the function returns TRUE.
 * \param Displacement Optional byte offset from the start of the line.
 * \param Information Optional line details.
 * \return TRUE if line information was found.
 */
PHLIBAPI
BOOLEAN
NTAPI
PhGetLineFromAddress(
    _In_ PPH_SYMBOL_PROVIDER SymbolProvider,
    _In_ ULONG64 Address,
    _Out_ PPH_STRING *FileName,
    _Out_opt_ PULONG Displacement,
    _Out_opt_ PPH_SYMBOL_LINE_INFORMATION Information
    );

/**
 * Finds the module containing an address.
 * \param FileName Optional; receives a referenced PPH_STRING with the module's file name.
 * \return The module base address, or 0 if no module contains the address (presumably).
 */
PHLIBAPI
ULONG64
NTAPI
PhGetModuleFromAddress(
    _In_ PPH_SYMBOL_PROVIDER SymbolProvider,
    _In_ ULONG64 Address,
    _Out_opt_ PPH_STRING *FileName
    );

/**
 * Resolves an address to a symbol.
 * \param ResolveLevel Optional; receives how precise the resolution was (PhsrlFunction is best).
 * \param FileName Optional; receives the module file name as a referenced PPH_STRING.
 * \param SymbolName Optional; receives the bare symbol name as a referenced PPH_STRING.
 * \param Displacement Optional byte offset from the symbol start.
 * \return A referenced PPH_STRING with the formatted symbol; check for NULL before use.
 */
PHLIBAPI
PPH_STRING
NTAPI
PhGetSymbolFromAddress(
    _In_ PPH_SYMBOL_PROVIDER SymbolProvider,
    _In_ ULONG64 Address,
    _Out_opt_ PPH_SYMBOL_RESOLVE_LEVEL ResolveLevel,
    _Out_opt_ PPH_STRING *FileName,
    _Out_opt_ PPH_STRING *SymbolName,
    _Out_opt_ PULONG64 Displacement
    );

/**
 * Looks a symbol up by name.
 * \param Name NUL-terminated symbol name (dbghelp syntax, e.g. module!symbol).
 * \param Information Receives the symbol's address, module base, index and size on success.
 * \return TRUE if the symbol was found.
 */
PHLIBAPI
BOOLEAN
NTAPI
PhGetSymbolFromName(
    _In_ PPH_SYMBOL_PROVIDER SymbolProvider,
    _In_ PWSTR Name,
    _Out_ PPH_SYMBOL_INFORMATION Information
    );

/**
 * Registers a module with the provider so its symbols can be resolved.
 * \param FileName Path of the module image. NOTE(review): this name is handed to the symbol engine,
 *        which will open whatever file it names; when the path originates in another process
 *        (e.g. its loader data), treat it as attacker-influenced input.
 * \param BaseAddress Load address of the module in the target process.
 * \param Size Size of the mapped image in bytes.
 * \return TRUE on success.
 */
PHLIBAPI
BOOLEAN
NTAPI
PhLoadModuleSymbolProvider(
    _In_ PPH_SYMBOL_PROVIDER SymbolProvider,
    _In_ PWSTR FileName,
    _In_ ULONG64 BaseAddress,
    _In_ ULONG Size
    );

/**
 * Sets symbol-engine options. There is no provider parameter, so the setting is process-wide and
 * affects every provider.
 * \param Mask Option bits to change.
 * \param Value New values for the bits in Mask.
 */
PHLIBAPI
VOID
NTAPI
PhSetOptionsSymbolProvider(
    _In_ ULONG Mask,
    _In_ ULONG Value
    );

/**
 * Sets the symbol search path for a provider.
 * \param Path NUL-terminated search path. NOTE(review): a path that names a symbol server or a
 *        cache directory writable by other users lets an outside party choose which PDBs the
 *        engine loads; confirm where this value comes from before accepting it from configuration.
 */
PHLIBAPI
VOID
NTAPI
PhSetSearchPathSymbolProvider(
    _In_ PPH_SYMBOL_PROVIDER SymbolProvider,
    _In_ PWSTR Path
    );

#ifdef _WIN64
/**
 * Reads the RUNTIME_FUNCTION entry covering ControlPc from another process (x64 only).
 * \param Function Receives the unwind entry on success.
 * \return An NTSTATUS; test with NT_SUCCESS.
 */
PHLIBAPI
NTSTATUS
NTAPI
PhAccessOutOfProcessFunctionEntry(
    _In_ HANDLE ProcessHandle,
    _In_ ULONG64 ControlPc,
    _Out_ PRUNTIME_FUNCTION Function
    );
#endif

// The next two use __stdcall and the dbghelp parameter shapes, so they can be passed directly as
// the PGET_MODULE_BASE_ROUTINE64 / PFUNCTION_TABLE_ACCESS_ROUTINE64 callbacks declared below.
PHLIBAPI
ULONG64
__stdcall
PhGetModuleBase64(
    _In_ HANDLE hProcess,
    _In_ DWORD64 dwAddr
    );

PHLIBAPI
PVOID
__stdcall
PhFunctionTableAccess64(
    _In_ HANDLE hProcess,
    _In_ DWORD64 AddrBase
    );

#ifndef _DBGHELP_

// Some of the types used below are defined in dbghelp.h.
// These local declarations must stay compatible with dbghelp's; they exist so this header can be
// consumed without pulling in dbghelp.h.

typedef struct _tagSTACKFRAME64 *LPSTACKFRAME64;
typedef struct _tagADDRESS64 *LPADDRESS64;

// Memory-read callback. Implementations must write at most nSize bytes to lpBuffer and report the
// count actually read through lpNumberOfBytesRead; a short read must not be reported as success.
typedef BOOL (__stdcall *PREAD_PROCESS_MEMORY_ROUTINE64)(
    _In_ HANDLE hProcess,
    _In_ DWORD64 qwBaseAddress,
    _Out_writes_bytes_(nSize) PVOID lpBuffer,
    _In_ DWORD nSize,
    _Out_ LPDWORD lpNumberOfBytesRead
    );

typedef PVOID (__stdcall *PFUNCTION_TABLE_ACCESS_ROUTINE64)(
    _In_ HANDLE ahProcess,
    _In_ DWORD64 AddrBase
    );

typedef DWORD64 (__stdcall *PGET_MODULE_BASE_ROUTINE64)(
    _In_ HANDLE hProcess,
    _In_ DWORD64 Address
    );

typedef DWORD64 (__stdcall *PTRANSLATE_ADDRESS_ROUTINE64)(
    _In_ HANDLE hProcess,
    _In_ HANDLE hThread,
    _In_ LPADDRESS64 lpaddr
    );

typedef enum _MINIDUMP_TYPE MINIDUMP_TYPE;
typedef struct _MINIDUMP_EXCEPTION_INFORMATION *PMINIDUMP_EXCEPTION_INFORMATION;
typedef struct _MINIDUMP_USER_STREAM_INFORMATION *PMINIDUMP_USER_STREAM_INFORMATION;
typedef struct _MINIDUMP_CALLBACK_INFORMATION *PMINIDUMP_CALLBACK_INFORMATION;

#endif

/**
 * Walks one frame of a thread's stack (StackWalk64-style).
 * \param StackFrame In/out frame state; zero it and set the initial registers before the first call.
 * \param ContextRecord In/out CONTEXT for the thread; updated as the walk proceeds.
 * \param SymbolProvider Optional provider used for module/function-table lookups.
 * \param ReadMemoryRoutine .. TranslateAddress Optional callbacks; when NULL the engine's defaults
 *        are presumably used.
 * \return TRUE while frames remain, FALSE when the walk ends or fails.
 */
PHLIBAPI
BOOLEAN
NTAPI
PhStackWalk(
    _In_ ULONG MachineType,
    _In_ HANDLE ProcessHandle,
    _In_ HANDLE ThreadHandle,
    _Inout_ LPSTACKFRAME64 StackFrame,
    _Inout_ PVOID ContextRecord,
    _In_opt_ PPH_SYMBOL_PROVIDER SymbolProvider,
    _In_opt_ PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemoryRoutine,
    _In_opt_ PFUNCTION_TABLE_ACCESS_ROUTINE64 FunctionTableAccessRoutine,
    _In_opt_ PGET_MODULE_BASE_ROUTINE64 GetModuleBaseRoutine,
    _In_opt_ PTRANSLATE_ADDRESS_ROUTINE64 TranslateAddress
    );

/**
 * Writes a minidump of a process to an open file.
 * \param FileHandle Destination, opened by the caller. A dump of the type requested in DumpType can
 *        contain everything the target holds in memory (credentials, keys, tokens), so the file's
 *        location and ACL are the caller's responsibility.
 * \param ExceptionParam / UserStreamParam / CallbackParam Optional, as for MiniDumpWriteDump.
 * \return TRUE on success.
 */
PHLIBAPI
BOOLEAN
NTAPI
PhWriteMiniDumpProcess(
    _In_ HANDLE ProcessHandle,
    _In_ HANDLE ProcessId,
    _In_ HANDLE FileHandle,
    _In_ MINIDUMP_TYPE DumpType,
    _In_opt_ PMINIDUMP_EXCEPTION_INFORMATION ExceptionParam,
    _In_opt_ PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam,
    _In_opt_ PMINIDUMP_CALLBACK_INFORMATION CallbackParam
    );

// High-level stack walking

// Bits reported in PH_THREAD_STACK_FRAME.Flags (presumably): which architecture produced the frame,
// whether it is a kernel-mode frame, and whether FPO data was available for it.
#define PH_THREAD_STACK_FRAME_I386 0x1
#define PH_THREAD_STACK_FRAME_AMD64 0x2
#define PH_THREAD_STACK_FRAME_KERNEL 0x4
#define PH_THREAD_STACK_FRAME_FPO_DATA_PRESENT 0x100

/**
 * Contains information about a thread stack frame.
 * Params[] holds the first four stack parameters as reported by the walker; on frames where no
 * parameter information was available they are presumably zero — do not treat them as reliable.
 */
typedef struct _PH_THREAD_STACK_FRAME
{
    PVOID PcAddress;
    PVOID ReturnAddress;
    PVOID FrameAddress;
    PVOID StackAddress;
    PVOID BStoreAddress;
    PVOID Params[4];
    ULONG Flags;
} PH_THREAD_STACK_FRAME, *PPH_THREAD_STACK_FRAME;

// Flags for PhWalkThreadStack(): which stacks to walk.
#define PH_WALK_I386_STACK 0x1
#define PH_WALK_AMD64_STACK 0x2
#define PH_WALK_KERNEL_STACK 0x10

/**
 * A callback function passed to PhWalkThreadStack() and called for each stack frame.
 *
 * \param StackFrame A structure providing information about the stack frame.
 * \param Context A user-defined value passed to PhWalkThreadStack().
 *
 * \return TRUE to continue the stack walk, FALSE to stop.
 */
typedef BOOLEAN (NTAPI *PPH_WALK_THREAD_STACK_CALLBACK)(
    _In_ PPH_THREAD_STACK_FRAME StackFrame,
    _In_opt_ PVOID Context
    );

/**
 * Walks a thread's stack and invokes Callback for each frame.
 * \param ThreadHandle Thread to walk.
 * \param ProcessHandle Optional owning-process handle; ClientId may be supplied instead/as well.
 * \param SymbolProvider Optional provider used for module lookups during the walk.
 * \param Flags PH_WALK_* bits selecting which stacks to walk.
 * \param Callback Invoked per frame; returning FALSE stops the walk.
 * \param Context Passed through to Callback.
 * \return An NTSTATUS; test with NT_SUCCESS. Stopping early via the callback presumably does not by
 *         itself produce a failure status — confirm.
 */
PHLIBAPI
NTSTATUS
NTAPI
PhWalkThreadStack(
    _In_ HANDLE ThreadHandle,
    _In_opt_ HANDLE ProcessHandle,
    _In_opt_ PCLIENT_ID ClientId,
    _In_opt_ PPH_SYMBOL_PROVIDER SymbolProvider,
    _In_ ULONG Flags,
    _In_ PPH_WALK_THREAD_STACK_CALLBACK Callback,
    _In_opt_ PVOID Context
    );

#ifdef __cplusplus
}
#endif

#endif
--------------------------------------------------------------------------------
/sdk/include/phnt_ntdef.h:
--------------------------------------------------------------------------------
#ifndef _PHNT_NTDEF_H
#define _PHNT_NTDEF_H

#ifndef _NTDEF_
#define _NTDEF_

// This header file provides basic NT types not included in Win32. If you have included winnt.h
// (perhaps indirectly), you must use this file instead of ntdef.h.
//
// Defining _NTDEF_ above is what keeps a later ntdef.h include from redefining these types; the
// definitions here must therefore stay in step with the SDK's.

#ifndef NOTHING
#define NOTHING
#endif

// Basic types

// 8-byte quantity; the double member exists only to force 8-byte alignment. Copy through
// UseThisFieldToCopy — reading the value as a double is never meaningful.
typedef struct _QUAD
{
    union
    {
        __int64 UseThisFieldToCopy;
        double DoNotUseThisField;
    };
} QUAD, *PQUAD;

// This isn't in NT, but it's useful.
// Two pointer-sized words aligned to MEMORY_ALLOCATION_ALIGNMENT; an opaque placeholder, not a
// value type (hence the DoNotUse names).
typedef struct DECLSPEC_ALIGN(MEMORY_ALLOCATION_ALIGNMENT) _QUAD_PTR
{
    ULONG_PTR DoNotUseThisField1;
    ULONG_PTR DoNotUseThisField2;
} QUAD_PTR, *PQUAD_PTR;

typedef ULONG LOGICAL;
typedef ULONG *PLOGICAL;

// NTSTATUS is a signed 32-bit value; the _Success_ annotation encodes the NT_SUCCESS rule below.
typedef _Success_(return >= 0) LONG NTSTATUS;
typedef NTSTATUS *PNTSTATUS;

// Cardinal types

typedef char CCHAR;
typedef short CSHORT;
typedef ULONG CLONG;

typedef CCHAR *PCCHAR;
typedef CSHORT *PCSHORT;
typedef CLONG *PCLONG;

typedef PCSTR PCSZ;

// Specific

typedef UCHAR KIRQL, *PKIRQL;
typedef LONG KPRIORITY;
typedef USHORT RTL_ATOM, *PRTL_ATOM;

typedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS;

// NT status macros

// NT_SUCCESS is "sign bit clear", which by the severity macros below is true for success (00),
// informational (01) AND warning (10) codes. A warning such as the buffer-overflow status therefore
// passes NT_SUCCESS; code that needs "fully succeeded" must check for STATUS_SUCCESS or exclude
// NT_WARNING explicitly — a classic source of truncated-buffer bugs.
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#define NT_INFORMATION(Status) ((((ULONG)(Status)) >> 30) == 1)
#define NT_WARNING(Status) ((((ULONG)(Status)) >> 30) == 2)
#define NT_ERROR(Status) ((((ULONG)(Status)) >> 30) == 3)

// Facility lives in bits 16..27; the low 16 bits carry the code (for FACILITY_NTWIN32, the Win32
// error number — see WIN32_FROM_NTSTATUS).
#define NT_FACILITY_MASK 0xfff
#define NT_FACILITY_SHIFT 16
#define NT_FACILITY(Status) ((((ULONG)(Status)) >> NT_FACILITY_SHIFT) & NT_FACILITY_MASK)

// WIN32_FROM_NTSTATUS only yields a Win32 error when NT_NTWIN32(Status) holds; check that first.
#define NT_NTWIN32(Status) (NT_FACILITY(Status) == FACILITY_NTWIN32)
#define WIN32_FROM_NTSTATUS(Status) (((ULONG)(Status)) & 0xffff)

// Functions

// __fastcall is only a distinct convention on x86; on x64 it expands to nothing.
#ifndef _WIN64
#define FASTCALL __fastcall
#else
#define FASTCALL
#endif

// Synchronization enumerations

typedef enum _EVENT_TYPE
{
    NotificationEvent,
    SynchronizationEvent
} EVENT_TYPE;

typedef enum _TIMER_TYPE
{
    NotificationTimer,
    SynchronizationTimer
} TIMER_TYPE;

typedef enum _WAIT_TYPE
{
    WaitAll,
    WaitAny,
    WaitNotification
} WAIT_TYPE;

// Strings

// Counted strings. Length and MaximumLength are BYTE counts (the SAL annotation says so), not
// character counts, and Buffer is not required to be NUL-terminated: Length is the only reliable
// bound. Buffer may be NULL when Length is 0 (the _opt_ variant of the annotation).
typedef struct _STRING
{
    USHORT Length;
    USHORT MaximumLength;
    _Field_size_bytes_part_opt_(MaximumLength, Length) PCHAR Buffer;
} STRING, *PSTRING, ANSI_STRING, *PANSI_STRING, OEM_STRING, *POEM_STRING;

typedef const STRING *PCSTRING;
typedef const ANSI_STRING *PCANSI_STRING;
typedef const OEM_STRING *PCOEM_STRING;

// Same contract as STRING, for UTF-16: Length is in bytes (characters * sizeof(WCHAR)), with
// no NUL-termination guarantee. Treating Length as a character count over-reads by 2x.
typedef struct _UNICODE_STRING
{
    USHORT Length;
    USHORT MaximumLength;
    _Field_size_bytes_part_(MaximumLength, Length) PWCH Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef const UNICODE_STRING *PCUNICODE_STRING;

// Initializer for a string literal / array ONLY: it relies on sizeof(s) being the array size, so
// passing a pointer yields a Length of sizeof(void*) - sizeof(char), not the string length.
// Length excludes the terminator, MaximumLength includes it.
#define RTL_CONSTANT_STRING(s) { sizeof(s) - sizeof((s)[0]), sizeof(s), s }

// Balanced tree node

#define RTL_BALANCED_NODE_RESERVED_PARENT_MASK 3

// The Red / Balance bits overlay the low two bits of ParentValue (the union), which is why the
// parent pointer must be recovered with RTL_BALANCED_NODE_GET_PARENT_POINTER rather than read raw.
typedef struct _RTL_BALANCED_NODE
{
    union
    {
        struct _RTL_BALANCED_NODE *Children[2];
        struct
        {
            struct _RTL_BALANCED_NODE *Left;
            struct _RTL_BALANCED_NODE *Right;
        };
    };
    union
    {
        UCHAR Red : 1;
        UCHAR Balance : 2;
        ULONG_PTR ParentValue;
    };
} RTL_BALANCED_NODE, *PRTL_BALANCED_NODE;

// Masks off the two flag bits stored in ParentValue.
#define RTL_BALANCED_NODE_GET_PARENT_POINTER(Node) \
    ((PRTL_BALANCED_NODE)((Node)->ParentValue & ~RTL_BALANCED_NODE_RESERVED_PARENT_MASK))

// Portability

// Fixed-width mirrors of the pointer-bearing structures, for reading a process of the other
// bitness (the pointer fields become ULONG / ULONGLONG). Same byte-count semantics for Length.
typedef struct _SINGLE_LIST_ENTRY32
{
    ULONG Next;
} SINGLE_LIST_ENTRY32, *PSINGLE_LIST_ENTRY32;

typedef struct _STRING32
{
    USHORT Length;
    USHORT MaximumLength;
    ULONG Buffer;
} STRING32, *PSTRING32;

typedef STRING32 UNICODE_STRING32, *PUNICODE_STRING32;
typedef STRING32 ANSI_STRING32, *PANSI_STRING32;

typedef struct _STRING64
{
    USHORT Length;
    USHORT MaximumLength;
    ULONGLONG Buffer;
} STRING64, *PSTRING64;

typedef STRING64 UNICODE_STRING64, *PUNICODE_STRING64;
typedef STRING64 ANSI_STRING64, *PANSI_STRING64;

// Object attributes

// OBJECT_ATTRIBUTES.Attributes bits. OBJ_VALID_ATTRIBUTES (0x1ff2) is exactly the OR of the ten
// flags above it. Two deserve care in any code that opens objects on behalf of another caller:
// OBJ_KERNEL_HANDLE (a handle not accessible from user mode) and OBJ_FORCE_ACCESS_CHECK (the
// documented meaning: perform the full access check even when the open originates in kernel mode).
#define OBJ_INHERIT 0x00000002
#define OBJ_PERMANENT 0x00000010
#define OBJ_EXCLUSIVE 0x00000020
#define OBJ_CASE_INSENSITIVE 0x00000040
#define OBJ_OPENIF 0x00000080
#define OBJ_OPENLINK 0x00000100
#define OBJ_KERNEL_HANDLE 0x00000200
#define OBJ_FORCE_ACCESS_CHECK 0x00000400
#define OBJ_IGNORE_IMPERSONATED_DEVICEMAP 0x00000800
#define OBJ_DONT_REPARSE 0x00001000
#define OBJ_VALID_ATTRIBUTES 0x00001ff2

// Length must be sizeof(OBJECT_ATTRIBUTES). ObjectName is a counted UNICODE_STRING (byte Length,
// no terminator needed). SecurityDescriptor / SecurityQualityOfService are typed PVOID here to
// avoid depending on the security headers; the comments give the real types.
typedef struct _OBJECT_ATTRIBUTES
{
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor; // PSECURITY_DESCRIPTOR;
    PVOID SecurityQualityOfService; // PSECURITY_QUALITY_OF_SERVICE
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

typedef const OBJECT_ATTRIBUTES *PCOBJECT_ATTRIBUTES;

// Expands to a bare brace block, not do { } while (0), and does not parenthesize n/a/r/s — it
// appears to mirror the SDK macro of the same name and is kept that way for compatibility. Consequence:
// it cannot be the body of an if/else without braces (the trailing ';' after '}' breaks the else),
// and arguments must be simple expressions. SecurityQualityOfService is always reset to NULL.
#define InitializeObjectAttributes(p, n, a, r, s) { \
    (p)->Length = sizeof(OBJECT_ATTRIBUTES); \
    (p)->RootDirectory = r; \
    (p)->Attributes = a; \
    (p)->ObjectName = n; \
    (p)->SecurityDescriptor = s; \
    (p)->SecurityQualityOfService = NULL; \
    }

// Static initializer forms (no RootDirectory, no security descriptor).
#define RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) { sizeof(OBJECT_ATTRIBUTES), NULL, n, a, NULL, NULL }
#define RTL_INIT_OBJECT_ATTRIBUTES(n, a) RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a)

// Portability

// Fixed-width mirrors of OBJECT_ATTRIBUTES for cross-bitness use; the handle and pointer fields
// become ULONG64 / ULONG. Length must still be the size of the native structure on that side.
typedef struct _OBJECT_ATTRIBUTES64
{
    ULONG Length;
    ULONG64 RootDirectory;
    ULONG64 ObjectName;
    ULONG Attributes;
    ULONG64 SecurityDescriptor;
    ULONG64 SecurityQualityOfService;
} OBJECT_ATTRIBUTES64, *POBJECT_ATTRIBUTES64;

typedef const OBJECT_ATTRIBUTES64 *PCOBJECT_ATTRIBUTES64;

typedef struct _OBJECT_ATTRIBUTES32
{
    ULONG Length;
    ULONG RootDirectory;
    ULONG ObjectName;
    ULONG Attributes;
    ULONG SecurityDescriptor;
    ULONG SecurityQualityOfService;
}
OBJECT_ATTRIBUTES32, *POBJECT_ATTRIBUTES32; 239 | 240 | typedef const OBJECT_ATTRIBUTES32 *PCOBJECT_ATTRIBUTES32; 241 | 242 | // Product types 243 | 244 | typedef enum _NT_PRODUCT_TYPE 245 | { 246 | NtProductWinNt = 1, 247 | NtProductLanManNt, 248 | NtProductServer 249 | } NT_PRODUCT_TYPE, *PNT_PRODUCT_TYPE; 250 | 251 | typedef enum _SUITE_TYPE 252 | { 253 | SmallBusiness, 254 | Enterprise, 255 | BackOffice, 256 | CommunicationServer, 257 | TerminalServer, 258 | SmallBusinessRestricted, 259 | EmbeddedNT, 260 | DataCenter, 261 | SingleUserTS, 262 | Personal, 263 | Blade, 264 | EmbeddedRestricted, 265 | SecurityAppliance, 266 | StorageServer, 267 | ComputeServer, 268 | WHServer, 269 | PhoneNT, 270 | MaxSuiteType 271 | } SUITE_TYPE; 272 | 273 | // Specific 274 | 275 | typedef struct _CLIENT_ID 276 | { 277 | HANDLE UniqueProcess; 278 | HANDLE UniqueThread; 279 | } CLIENT_ID, *PCLIENT_ID; 280 | 281 | typedef struct _CLIENT_ID32 282 | { 283 | ULONG UniqueProcess; 284 | ULONG UniqueThread; 285 | } CLIENT_ID32, *PCLIENT_ID32; 286 | 287 | typedef struct _CLIENT_ID64 288 | { 289 | ULONGLONG UniqueProcess; 290 | ULONGLONG UniqueThread; 291 | } CLIENT_ID64, *PCLIENT_ID64; 292 | 293 | #include 294 | 295 | typedef struct _KSYSTEM_TIME 296 | { 297 | ULONG LowPart; 298 | LONG High1Time; 299 | LONG High2Time; 300 | } KSYSTEM_TIME, *PKSYSTEM_TIME; 301 | 302 | #include 303 | 304 | #endif 305 | 306 | #endif 307 | -------------------------------------------------------------------------------- /sdk/samples/SamplePlugin/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #define ID_SAMPLE_MENU_ITEM 1 4 | #define ID_SHOW_ME_SOME_OBJECTS 2 5 | 6 | VOID LoadCallback( 7 | __in_opt PVOID Parameter, 8 | __in_opt PVOID Context 9 | ); 10 | 11 | VOID ShowOptionsCallback( 12 | __in_opt PVOID Parameter, 13 | __in_opt PVOID Context 14 | ); 15 | 16 | VOID MenuItemCallback( 17 | __in_opt PVOID Parameter, 18 | __in_opt PVOID Context 19 | ); 20 
VOID MainWindowShowingCallback(
    __in_opt PVOID Parameter,
    __in_opt PVOID Context
    );

VOID GetProcessHighlightingColorCallback(
    __in_opt PVOID Parameter,
    __in_opt PVOID Context
    );

VOID GetProcessTooltipTextCallback(
    __in_opt PVOID Parameter,
    __in_opt PVOID Context
    );

// Plugin handle returned by PhRegisterPlugin; used by the menu callbacks below.
PPH_PLUGIN PluginInstance;
// One registration record per callback; each must outlive the registration.
PH_CALLBACK_REGISTRATION PluginLoadCallbackRegistration;
PH_CALLBACK_REGISTRATION PluginShowOptionsCallbackRegistration;
PH_CALLBACK_REGISTRATION PluginMenuItemCallbackRegistration;
PH_CALLBACK_REGISTRATION MainWindowShowingCallbackRegistration;
PH_CALLBACK_REGISTRATION GetProcessHighlightingColorCallbackRegistration;
PH_CALLBACK_REGISTRATION GetProcessTooltipTextCallbackRegistration;

/**
 * Plugin entry point. On DLL_PROCESS_ATTACH it registers the plugin under a
 * unique name, fills in the display metadata, subscribes to the plugin and
 * general callbacks, and declares the plugin's settings. Other Reason values
 * are ignored.
 *
 * @return FALSE if PhRegisterPlugin fails (the loader then drops the DLL),
 *         TRUE otherwise.
 */
LOGICAL DllMain(
    __in HINSTANCE Instance,
    __in ULONG Reason,
    __reserved PVOID Reserved
    )
{
    switch (Reason)
    {
    case DLL_PROCESS_ATTACH:
        {
            PPH_PLUGIN_INFORMATION info;

            // Register your plugin with a unique name, otherwise it will fail.
            PluginInstance = PhRegisterPlugin(L"YourName.SamplePlugin", Instance, &info);

            if (!PluginInstance)
                return FALSE;

            info->DisplayName = L"Sample Plugin";
            info->Author = L"Someone";
            info->Description = L"Description goes here";
            info->HasOptions = TRUE;

            PhRegisterCallback(
                PhGetPluginCallback(PluginInstance, PluginCallbackLoad),
                LoadCallback,
                NULL,
                &PluginLoadCallbackRegistration
                );
            PhRegisterCallback(
                PhGetPluginCallback(PluginInstance, PluginCallbackShowOptions),
                ShowOptionsCallback,
                NULL,
                &PluginShowOptionsCallbackRegistration
                );
            PhRegisterCallback(
                PhGetPluginCallback(PluginInstance, PluginCallbackMenuItem),
                MenuItemCallback,
                NULL,
                &PluginMenuItemCallbackRegistration
                );

            PhRegisterCallback(
                PhGetGeneralCallback(GeneralCallbackMainWindowShowing),
                MainWindowShowingCallback,
                NULL,
                &MainWindowShowingCallbackRegistration
                );
            PhRegisterCallback(
                PhGetGeneralCallback(GeneralCallbackGetProcessHighlightingColor),
                GetProcessHighlightingColorCallback,
                NULL,
                &GetProcessHighlightingColorCallbackRegistration
                );
            PhRegisterCallback(
                PhGetGeneralCallback(GeneralCallbackGetProcessTooltipText),
                GetProcessTooltipTextCallback,
                NULL,
                &GetProcessTooltipTextCallbackRegistration
                );

            // Add some settings. Note that we cannot access these settings
            // in DllMain. Settings must be added in DllMain.
            {
                // static so the table outlives this call, in case PhAddSettings
                // keeps a reference to it rather than copying — confirm against phlib.
                static PH_SETTING_CREATE settings[] =
                {
                    // You must prepend your plugin name to the setting names.
                    { IntegerSettingType, L"ProcessHacker.SamplePlugin.SomeInteger", L"1234" },
                    { StringSettingType, L"ProcessHacker.SamplePlugin.SomeString", L"my string" }
                };

                PhAddSettings(settings, sizeof(settings) / sizeof(PH_SETTING_CREATE));
            }
        }
        break;
    }

    return TRUE;
}

/**
 * PluginCallbackLoad handler: demonstrates reading and writing the settings
 * declared in DllMain. The integer is bumped by 100 on every load (ULONG
 * arithmetic, so it wraps silently — fine for a sample). Parameter and
 * Context are unused.
 */
VOID LoadCallback(
    __in_opt PVOID Parameter,
    __in_opt PVOID Context
    )
{
    ULONG myInteger;
    PPH_STRING myString;

    myInteger = PhGetIntegerSetting(L"ProcessHacker.SamplePlugin.SomeInteger");
    // Do stuff to the integer. Possibly modify the setting.
    PhSetIntegerSetting(L"ProcessHacker.SamplePlugin.SomeInteger", myInteger + 100);

    myString = PhGetStringSetting(L"ProcessHacker.SamplePlugin.SomeString");
    // Do stuff to the string.
    // Dereference the string when you're done, or memory will be leaked.
    PhDereferenceObject(myString);
}

/**
 * PluginCallbackShowOptions handler. Parameter is the parent window handle
 * (see the cast); the sample just shows a fixed message. Context is unused.
 */
VOID ShowOptionsCallback(
    __in_opt PVOID Parameter,
    __in_opt PVOID Context
    )
{
    PhShowError((HWND)Parameter, L"Show some options here.");
}

/**
 * Called by PhEnumDirectoryObjects once per object in the directory being
 * enumerated, with the object's name and type name. Shows both in an
 * OK/Cancel message box.
 *
 * The format string is a fixed literal and the (namespace-supplied) names are
 * passed only as %s arguments — keep it that way; object names are data, never
 * a format. The PH_STRINGREFs are copied into PPH_STRINGs first, presumably to
 * obtain NUL-terminated buffers for %s — confirm against PhCreateString2.
 *
 * @return TRUE if the user pressed OK; returning FALSE presumably stops the
 *         enumeration — confirm against PhEnumDirectoryObjects.
 */
BOOLEAN NTAPI EnumDirectoryObjectsCallback(
    __in PPH_STRINGREF Name,
    __in PPH_STRINGREF TypeName,
    __in_opt PVOID Context
    )
{
    INT result;
    PPH_STRING name;
    PPH_STRING typeName;

    name = PhCreateString2(Name);
    typeName = PhCreateString2(TypeName);
    result = PhShowMessage(
        PhMainWndHandle,
        MB_ICONINFORMATION | MB_OKCANCEL,
        L"%s: %s",
        name->Buffer,
        typeName->Buffer
        );
    PhDereferenceObject(name);
    PhDereferenceObject(typeName);

    return result == IDOK;
}

/**
 * PluginCallbackMenuItem handler. Parameter is the PH_PLUGIN_MENU_ITEM that
 * was clicked (assumed non-NULL by the callback contract; not checked here).
 * Unknown ids fall through the switch and are ignored. Context is unused.
 */
VOID MenuItemCallback(
    __in_opt PVOID Parameter,
    __in_opt PVOID Context
    )
{
    PPH_PLUGIN_MENU_ITEM menuItem = Parameter;

    switch (menuItem->Id)
    {
    case ID_SAMPLE_MENU_ITEM:
        {
            PhShowInformation(PhMainWndHandle, L"You clicked the sample menu item!");
        }
        break;
    case ID_SHOW_ME_SOME_OBJECTS:
        {
            NTSTATUS status;
            HANDLE directoryHandle;
            OBJECT_ATTRIBUTES oa;
            UNICODE_STRING name;

            // Use the Native API seamlessly alongside Win32.
            // Opens the root of the object namespace ("\") with only
            // DIRECTORY_QUERY, the least access needed to enumerate it.
            RtlInitUnicodeString(&name, L"\\");
            InitializeObjectAttributes(&oa, &name, 0, NULL, NULL);

            // On failure nothing is shown: status is only consulted here.
            if (NT_SUCCESS(status = NtOpenDirectoryObject(&directoryHandle, DIRECTORY_QUERY, &oa)))
            {
                PhEnumDirectoryObjects(directoryHandle, EnumDirectoryObjectsCallback, NULL);
                NtClose(directoryHandle);   // handle released regardless of the enumeration outcome
            }
        }
        break;
    }
}

/**
 * GeneralCallbackMainWindowShowing handler: adds the plugin's two menu items
 * to the Tools menu once the main window exists. Parameter and Context are
 * unused.
 */
VOID MainWindowShowingCallback(
    __in_opt PVOID Parameter,
    __in_opt PVOID Context
    )
{
    // $ won't match anything, so the menu item will get added to the end.
    PhPluginAddMenuItem(PluginInstance, PH_MENU_ITEM_LOCATION_TOOLS, L"$",
        ID_SAMPLE_MENU_ITEM, L"Sample menu item", NULL);
    PhPluginAddMenuItem(PluginInstance, PH_MENU_ITEM_LOCATION_TOOLS, L"$",
        ID_SHOW_ME_SOME_OBJECTS, L"Show me some objects", NULL);
}

/**
 * GeneralCallbackGetProcessHighlightingColor handler. Parameter is a
 * PH_PLUGIN_GET_HIGHLIGHTING_COLOR whose Parameter is the PH_PROCESS_ITEM
 * being drawn. Colors processes named svchost.exe black unless another
 * plugin already handled the row. Context is unused.
 *
 * The match is on the displayed process name only, which is a cosmetic hint
 * and not an identity check: any image can carry that name.
 */
VOID GetProcessHighlightingColorCallback(
    __in_opt PVOID Parameter,
    __in_opt PVOID Context
    )
{
    PPH_PLUGIN_GET_HIGHLIGHTING_COLOR getHighlightingColor = Parameter;
    PPH_PROCESS_ITEM processItem;

    processItem = getHighlightingColor->Parameter;

    // Optional: if another plugin handled the highlighting, don't override it.
    if (getHighlightingColor->Handled)
        return;

    // Set the background color of svchost.exe processes to black.
    // The TRUE argument presumably selects a case-insensitive compare — confirm
    // against PhEqualString2.
    if (PhEqualString2(processItem->ProcessName, L"svchost.exe", TRUE))
    {
        getHighlightingColor->BackColor = RGB(0x00, 0x00, 0x00);
        getHighlightingColor->Cache = TRUE;     // let the host cache this answer for the row
        getHighlightingColor->Handled = TRUE;
    }
}

/**
 * GeneralCallbackGetProcessTooltipText handler. Parameter is a
 * PH_PLUGIN_GET_TOOLTIP_TEXT whose Parameter is the PH_PROCESS_ITEM being
 * hovered; the sample appends one line naming the process. Context is unused.
 *
 * The format string is a literal and the process name is passed as the %s
 * argument, never as the format. ProcessName is dereferenced without a NULL
 * check — presumably always populated for a process item; confirm.
 */
VOID GetProcessTooltipTextCallback(
    __in_opt PVOID Parameter,
    __in_opt PVOID Context
    )
{
    PPH_PLUGIN_GET_TOOLTIP_TEXT getTooltipText = Parameter;
    PPH_PROCESS_ITEM processItem;

    processItem = getTooltipText->Parameter;

    // Put some text into the tooltip. This will go in just before the Notes section.
    PhAppendFormatStringBuilder(
        getTooltipText->StringBuilder,
        L"Sample plugin:\n The process name is: %s\n",
        processItem->ProcessName->Buffer
        );
}
--------------------------------------------------------------------------------
/sdk/include/ntpebteb.h:
--------------------------------------------------------------------------------
#ifndef _NTPEBTEB_H
#define _NTPEBTEB_H

typedef struct _RTL_USER_PROCESS_PARAMETERS *PRTL_USER_PROCESS_PARAMETERS;
typedef struct _RTL_CRITICAL_SECTION *PRTL_CRITICAL_SECTION;

// symbols
//
// Process Environment Block. The "symbols" tag above indicates the layout was
// taken from public symbols rather than documentation. NOTE(review): this is
// an undocumented, version-dependent structure; the field set past the
// well-known leading members varies between Windows releases, so code that
// reads a PEB should gate on the OS version before touching later fields.
typedef struct _PEB
{
    BOOLEAN InheritedAddressSpace;
    BOOLEAN ReadImageFileExecOptions;
    BOOLEAN BeingDebugged;
    union
    {
        BOOLEAN BitField;
        struct
        {
            BOOLEAN ImageUsesLargePages : 1;
            BOOLEAN IsProtectedProcess : 1;
            BOOLEAN IsImageDynamicallyRelocated : 1;
            BOOLEAN SkipPatchingUser32Forwarders : 1;
            BOOLEAN IsPackagedProcess : 1;
            BOOLEAN IsAppContainer : 1;
            BOOLEAN IsProtectedProcessLight : 1;
            BOOLEAN SpareBits : 1;
        };
    };
    HANDLE Mutant;

    PVOID ImageBaseAddress;
    PPEB_LDR_DATA Ldr;
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
    PVOID SubSystemData;
    PVOID ProcessHeap;
    PRTL_CRITICAL_SECTION FastPebLock;
    PVOID AtlThunkSListPtr;
    PVOID IFEOKey;
/* ... continuation of struct _PEB (the struct header is earlier in the listing) ... */
    union
    {
        ULONG CrossProcessFlags;
        struct
        {
            ULONG ProcessInJob : 1;
            ULONG ProcessInitializing : 1;
            ULONG ProcessUsingVEH : 1;
            ULONG ProcessUsingVCH : 1;
            ULONG ProcessUsingFTH : 1;
            ULONG ReservedBits0 : 27;
        };
    };
    union
    {
        PVOID KernelCallbackTable;
        PVOID UserSharedInfoPtr;
    };
    ULONG SystemReserved[1];
    ULONG AtlThunkSListPtr32;
    PVOID ApiSetMap;
    ULONG TlsExpansionCounter;
    PVOID TlsBitmap;
    ULONG TlsBitmapBits[2];
    PVOID ReadOnlySharedMemoryBase;
    PVOID HotpatchInformation;
    PVOID *ReadOnlyStaticServerData;
    PVOID AnsiCodePageData;
    PVOID OemCodePageData;
    PVOID UnicodeCaseTableData;

    ULONG NumberOfProcessors;
    ULONG NtGlobalFlag;

    LARGE_INTEGER CriticalSectionTimeout;
    SIZE_T HeapSegmentReserve;
    SIZE_T HeapSegmentCommit;
    SIZE_T HeapDeCommitTotalFreeThreshold;
    SIZE_T HeapDeCommitFreeBlockThreshold;

    ULONG NumberOfHeaps;
    ULONG MaximumNumberOfHeaps;
    PVOID *ProcessHeaps;

    PVOID GdiSharedHandleTable;
    PVOID ProcessStarterHelper;
    ULONG GdiDCAttributeList;

    PRTL_CRITICAL_SECTION LoaderLock;

    ULONG OSMajorVersion;
    ULONG OSMinorVersion;
    USHORT OSBuildNumber;
    USHORT OSCSDVersion;
    ULONG OSPlatformId;
    ULONG ImageSubsystem;
    ULONG ImageSubsystemMajorVersion;
    ULONG ImageSubsystemMinorVersion;
    ULONG_PTR ImageProcessAffinityMask;
    GDI_HANDLE_BUFFER GdiHandleBuffer;
    PVOID PostProcessInitRoutine;

    PVOID TlsExpansionBitmap;
    ULONG TlsExpansionBitmapBits[32];

    ULONG SessionId;

    ULARGE_INTEGER AppCompatFlags;
    ULARGE_INTEGER AppCompatFlagsUser;
    PVOID pShimData;
    PVOID AppCompatInfo;

    UNICODE_STRING CSDVersion;

    PVOID ActivationContextData;
    PVOID ProcessAssemblyStorageMap;
    PVOID SystemDefaultActivationContextData;
    PVOID SystemAssemblyStorageMap;

    SIZE_T MinimumStackCommit;

    PVOID *FlsCallback;
    LIST_ENTRY FlsListHead;
    PVOID FlsBitmap;
    // One bit per FLS slot, packed into ULONGs.
    ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)];
    ULONG FlsHighIndex;

    PVOID WerRegistrationData;
    PVOID WerShipAssertPtr;
    PVOID pContextData;
    PVOID pImageHeaderHash;
    union
    {
        ULONG TracingFlags;
        struct
        {
            ULONG HeapTracingEnabled : 1;
            ULONG CritSecTracingEnabled : 1;
            ULONG LibLoaderTracingEnabled : 1;
            ULONG SpareTracingBits : 29;
        };
    };
    ULONGLONG CsrServerReadOnlySharedMemoryBase;
} PEB, *PPEB;

#define GDI_BATCH_BUFFER_SIZE 310

typedef struct _GDI_TEB_BATCH
{
    ULONG Offset;
    ULONG_PTR HDC;
    ULONG Buffer[GDI_BATCH_BUFFER_SIZE];
} GDI_TEB_BATCH, *PGDI_TEB_BATCH;

typedef struct _TEB_ACTIVE_FRAME_CONTEXT
{
    ULONG Flags;
    PSTR FrameName;
} TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT;

typedef struct _TEB_ACTIVE_FRAME
{
    ULONG Flags;
    struct _TEB_ACTIVE_FRAME *Previous;
    PTEB_ACTIVE_FRAME_CONTEXT Context;
} TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME;

// Thread Environment Block. The _WIN64 conditionals below size the padding
// and reserved arrays differently so that the following members land at the
// correct offsets on each architecture. NOTE(review): like the PEB this is an
// undocumented, version-dependent layout; treat offsets as build-specific.
typedef struct _TEB
{
    NT_TIB NtTib;

    PVOID EnvironmentPointer;
    CLIENT_ID ClientId;
    PVOID ActiveRpcHandle;
    PVOID ThreadLocalStoragePointer;
    PPEB ProcessEnvironmentBlock;

    ULONG LastErrorValue;
    ULONG CountOfOwnedCriticalSections;
    PVOID CsrClientThread;
    PVOID Win32ThreadInfo;
    ULONG User32Reserved[26];
    ULONG UserReserved[5];
    PVOID WOW32Reserved;
    LCID CurrentLocale;
    ULONG FpSoftwareStatusRegister;
    PVOID SystemReserved1[54];
    NTSTATUS ExceptionCode;
    PVOID ActivationContextStackPointer;
#ifdef _WIN64
    UCHAR SpareBytes[24];
#else
    UCHAR SpareBytes[36];
#endif
    ULONG TxFsContext;

    GDI_TEB_BATCH GdiTebBatch;
    CLIENT_ID RealClientId;
    HANDLE GdiCachedProcessHandle;
    ULONG GdiClientPID;
    ULONG GdiClientTID;
    PVOID GdiThreadLocalInfo;
    ULONG_PTR Win32ClientInfo[62];
    PVOID glDispatchTable[233];
    ULONG_PTR glReserved1[29];
    PVOID glReserved2;
    PVOID glSectionInfo;
    PVOID glSection;
    PVOID glTable;
    PVOID glCurrentRC;
    PVOID glContext;

    NTSTATUS LastStatusValue;
    UNICODE_STRING StaticUnicodeString;
    WCHAR StaticUnicodeBuffer[261];

    PVOID DeallocationStack;
    PVOID TlsSlots[64];
    LIST_ENTRY TlsLinks;

    PVOID Vdm;
    PVOID ReservedForNtRpc;
    PVOID DbgSsReserved[2];

    ULONG HardErrorMode;
#ifdef _WIN64
    PVOID Instrumentation[11];
#else
    PVOID Instrumentation[9];
#endif
    GUID ActivityId;

    PVOID SubProcessTag;
    PVOID EtwLocalData;
    PVOID EtwTraceData;
    PVOID WinSockData;
    ULONG GdiBatchCount;

    union
    {
        PROCESSOR_NUMBER CurrentIdealProcessor;
        ULONG IdealProcessorValue;
        struct
        {
            UCHAR ReservedPad0;
            UCHAR ReservedPad1;
            UCHAR ReservedPad2;
            UCHAR IdealProcessor;
        };
    };

    ULONG GuaranteedStackBytes;
    PVOID ReservedForPerf;
    PVOID ReservedForOle;
    ULONG WaitingOnLoaderLock;
    PVOID SavedPriorityState;
    ULONG_PTR SoftPatchPtr1;
    PVOID ThreadPoolData;
    PVOID *TlsExpansionSlots;
#ifdef _WIN64
    PVOID DeallocationBStore;
    PVOID BStoreLimit;
#endif
    ULONG MuiGeneration;
    ULONG IsImpersonating;
    PVOID NlsCache;
    PVOID pShimData;
    ULONG HeapVirtualAffinity;
    HANDLE CurrentTransactionHandle;
    PTEB_ACTIVE_FRAME ActiveFrame;
    PVOID FlsData;

    PVOID PreferredLanguages;
    PVOID UserPrefLanguages;
    PVOID MergedPrefLanguages;
    ULONG MuiImpersonation;

    union
    {
        USHORT CrossTebFlags;
        USHORT SpareCrossTebBits : 16;
    };
    union
    {
        USHORT SameTebFlags;
        struct
        {
            USHORT SafeThunkCall : 1;
            USHORT InDebugPrint : 1;
            USHORT HasFiberData : 1;
            USHORT SkipThreadAttach : 1;
            USHORT WerInShipAssertCode : 1;
            USHORT RanProcessInit : 1;
            USHORT ClonedThread : 1;
            USHORT SuppressDebugMsg : 1;
            USHORT DisableUserStackWalk : 1;
            USHORT RtlExceptionAttached : 1;
            USHORT InitialThread : 1;
            USHORT SessionAware : 1;
            USHORT SpareSameTebBits : 4;
        };
    };

    PVOID TxnScopeEnterCallback;
    PVOID TxnScopeExitCallback;
    PVOID TxnScopeContext;
    ULONG LockCount;
    ULONG SpareUlong0;
    PVOID ResourceRetValue;
    PVOID ReservedForWdf;
} TEB, *PTEB;

#endif
--------------------------------------------------------------------------------
/sdk/include/queuedlock.h:
--------------------------------------------------------------------------------
/*
 * Queued lock: a pointer-sized reader/writer lock (plus condition-variable and
 * wake-event aliases built on the same word). The fast paths are inline
 * below; the contended paths are the out-of-line Phf* routines in phlib.
 */
#ifndef _PH_QUEUEDLOCK_H
#define _PH_QUEUEDLOCK_H

#ifdef __cplusplus
extern "C" {
#endif

// Layout of PH_QUEUED_LOCK.Value. The low four bits (PH_QUEUED_LOCK_FLAGS)
// are flags; the remaining bits are either a shared-owner count or a wait-
// block pointer, depending on the WAITERS bit (see the two comments below).
#define PH_QUEUED_LOCK_OWNED ((ULONG_PTR)0x1)
#define PH_QUEUED_LOCK_OWNED_SHIFT 0
#define PH_QUEUED_LOCK_WAITERS ((ULONG_PTR)0x2)

// Valid only if Waiters = 0
#define PH_QUEUED_LOCK_SHARED_INC ((ULONG_PTR)0x4)
#define PH_QUEUED_LOCK_SHARED_SHIFT 2

// Valid only if Waiters = 1
#define PH_QUEUED_LOCK_TRAVERSING ((ULONG_PTR)0x4)
#define PH_QUEUED_LOCK_MULTIPLE_SHARED ((ULONG_PTR)0x8)

#define PH_QUEUED_LOCK_FLAGS ((ULONG_PTR)0xf)

// Decoders for the two interpretations of the upper bits.
#define PhGetQueuedLockSharedOwners(Value) \
    ((ULONG_PTR)(Value) >> PH_QUEUED_LOCK_SHARED_SHIFT)
#define PhGetQueuedLockWaitBlock(Value) \
    ((PPH_QUEUED_WAIT_BLOCK)((ULONG_PTR)(Value) & ~PH_QUEUED_LOCK_FLAGS))

typedef struct _PH_QUEUED_LOCK
{
    ULONG_PTR
/* ... continuation of struct _PH_QUEUED_LOCK (single packed word, see the flag macros above) ... */
    Value;
} PH_QUEUED_LOCK, *PPH_QUEUED_LOCK;

// Unowned, no waiters.
#define PH_QUEUED_LOCK_INIT { 0 }

#define PH_QUEUED_WAITER_EXCLUSIVE 0x1
#define PH_QUEUED_WAITER_SPINNING 0x2
#define PH_QUEUED_WAITER_SPINNING_SHIFT 1

// Per-waiter record linked from the lock word. The 16-byte alignment keeps the
// low four bits of a wait-block pointer zero, which is what lets
// PhGetQueuedLockWaitBlock() share the word with PH_QUEUED_LOCK_FLAGS.
typedef struct DECLSPEC_ALIGN(16) _PH_QUEUED_WAIT_BLOCK
{
    /** A pointer to the next wait block, i.e. the wait block pushed onto the list before this one. */
    struct _PH_QUEUED_WAIT_BLOCK *Next;
    /**
     * A pointer to the previous wait block, i.e. the wait block pushed onto the list after this
     * one.
     */
    struct _PH_QUEUED_WAIT_BLOCK *Previous;
    /** A pointer to the last wait block, i.e. the first waiter pushed onto the list. */
    struct _PH_QUEUED_WAIT_BLOCK *Last;

    ULONG SharedOwners;
    ULONG Flags;                // PH_QUEUED_WAITER_* bits
} PH_QUEUED_WAIT_BLOCK, *PPH_QUEUED_WAIT_BLOCK;

BOOLEAN PhQueuedLockInitialization(
    VOID
    );

// Queued lock

/** Resets the lock to the unowned state (equivalent to PH_QUEUED_LOCK_INIT). */
FORCEINLINE
VOID
PhInitializeQueuedLock(
    _Out_ PPH_QUEUED_LOCK QueuedLock
    )
{
    QueuedLock->Value = 0;
}

PHLIBAPI
VOID
FASTCALL
PhfAcquireQueuedLockExclusive(
    _Inout_ PPH_QUEUED_LOCK QueuedLock
    );

/**
 * Acquires the lock exclusively. Fast path: one atomic test-and-set of the
 * OWNED bit. If that bit was already set (held exclusively or shared — shared
 * holders set OWNED too, see PhAcquireQueuedLockShared), falls into the
 * out-of-line slow path, which blocks until the lock is obtained.
 */
_Acquires_exclusive_lock_(*QueuedLock)
FORCEINLINE
VOID
PhAcquireQueuedLockExclusive(
    _Inout_ PPH_QUEUED_LOCK QueuedLock
    )
{
    if (_InterlockedBitTestAndSetPointer((PLONG_PTR)&QueuedLock->Value, PH_QUEUED_LOCK_OWNED_SHIFT))
    {
        // Owned bit was already set. Slow path.
        PhfAcquireQueuedLockExclusive(QueuedLock);
    }
}

PHLIBAPI
VOID
FASTCALL
PhfAcquireQueuedLockShared(
    _Inout_ PPH_QUEUED_LOCK QueuedLock
    );

/**
 * Acquires the lock shared. Fast path succeeds only from the completely free
 * state: CAS 0 -> (OWNED | one shared owner). Any other value — already
 * shared, exclusively held, or with waiters — goes to the slow path.
 */
_Acquires_shared_lock_(*QueuedLock)
FORCEINLINE
VOID
PhAcquireQueuedLockShared(
    _Inout_ PPH_QUEUED_LOCK QueuedLock
    )
{
    if ((ULONG_PTR)_InterlockedCompareExchangePointer(
        (PVOID *)&QueuedLock->Value,
        (PVOID)(PH_QUEUED_LOCK_OWNED | PH_QUEUED_LOCK_SHARED_INC),
        (PVOID)0
        ) != 0)
    {
        PhfAcquireQueuedLockShared(QueuedLock);
    }
}

/**
 * Non-blocking exclusive acquire: a single atomic test-and-set of OWNED.
 *
 * @return TRUE if this call set the bit (lock now held exclusively by the
 *         caller), FALSE if it was already set. Never waits.
 */
_When_(return != 0, _Acquires_exclusive_lock_(*QueuedLock))
FORCEINLINE
BOOLEAN
PhTryAcquireQueuedLockExclusive(
    _Inout_ PPH_QUEUED_LOCK QueuedLock
    )
{
    if (!_InterlockedBitTestAndSetPointer((PLONG_PTR)&QueuedLock->Value, PH_QUEUED_LOCK_OWNED_SHIFT))
    {
        return TRUE;
    }
    else
    {
        return FALSE;
    }
}

PHLIBAPI
VOID
FASTCALL
PhfReleaseQueuedLockExclusive(
    _Inout_ PPH_QUEUED_LOCK QueuedLock
    );

PHLIBAPI
VOID
FASTCALL
PhfWakeForReleaseQueuedLock(
    _Inout_ PPH_QUEUED_LOCK QueuedLock,
    _In_ ULONG_PTR Value
    );

/**
 * Releases an exclusive hold: atomically subtracts OWNED (value holds the
 * word as it was before the subtraction). If waiters are queued and nobody is
 * already traversing the wait list, hands the post-release word to the
 * out-of-line waker. Must only be called by the current exclusive owner.
 */
_Releases_exclusive_lock_(*QueuedLock)
FORCEINLINE
VOID
PhReleaseQueuedLockExclusive(
    _Inout_ PPH_QUEUED_LOCK QueuedLock
    )
{
    ULONG_PTR value;

    value = (ULONG_PTR)_InterlockedExchangeAddPointer((PLONG_PTR)&QueuedLock->Value, -(LONG_PTR)PH_QUEUED_LOCK_OWNED);

    if ((value & (PH_QUEUED_LOCK_WAITERS | PH_QUEUED_LOCK_TRAVERSING)) == PH_QUEUED_LOCK_WAITERS)
    {
        PhfWakeForReleaseQueuedLock(QueuedLock, value - PH_QUEUED_LOCK_OWNED);
    }
}

PHLIBAPI
VOID
FASTCALL
PhfReleaseQueuedLockShared(
    _Inout_ PPH_QUEUED_LOCK QueuedLock
    );

/**
 * Releases a shared hold. Fast path covers only the case where the caller is
 * the sole shared owner and no one is waiting: CAS (OWNED | one shared owner)
 * -> 0. Everything else (more owners, waiters queued) goes to the slow path.
 */
_Releases_shared_lock_(*QueuedLock)
FORCEINLINE
VOID
PhReleaseQueuedLockShared(
    _Inout_ PPH_QUEUED_LOCK QueuedLock
    )
{
    ULONG_PTR value;

    value = PH_QUEUED_LOCK_OWNED | PH_QUEUED_LOCK_SHARED_INC;

    if ((ULONG_PTR)_InterlockedCompareExchangePointer(
        (PVOID *)&QueuedLock->Value,
        (PVOID)0,
        (PVOID)value
        ) != value)
    {
        PhfReleaseQueuedLockShared(QueuedLock);
    }
}

/**
 * Waits for any current owner to leave: if the OWNED bit is set in a
 * barrier-bracketed snapshot, acquires exclusively (blocking until possible)
 * and immediately releases. Returns at once when the snapshot shows the lock
 * free. The snapshot is only a hint — an owner may arrive right after it.
 */
FORCEINLINE
VOID
PhAcquireReleaseQueuedLockExclusive(
    _Inout_ PPH_QUEUED_LOCK QueuedLock
    )
{
    BOOLEAN owned;

    MemoryBarrier();
    owned = !!(QueuedLock->Value & PH_QUEUED_LOCK_OWNED);
    MemoryBarrier();

    if (owned)
    {
        PhAcquireQueuedLockExclusive(QueuedLock);
        PhReleaseQueuedLockExclusive(QueuedLock);
    }
}

/**
 * Despite the name this never acquires anything: it reports whether the lock
 * looked free in a barrier-bracketed snapshot.
 *
 * @return TRUE when the OWNED bit is clear, FALSE when it is set. (Note the
 *         local is called "owned" but actually holds "not owned".)
 */
FORCEINLINE
BOOLEAN
PhTryAcquireReleaseQueuedLockExclusive(
    _Inout_ PPH_QUEUED_LOCK QueuedLock
    )
{
    BOOLEAN owned;

    // Need two memory barriers because we don't want the compiler re-ordering the following check
    // in either direction.
    MemoryBarrier();
    owned = !(QueuedLock->Value & PH_QUEUED_LOCK_OWNED);
    MemoryBarrier();

    return owned;
}

// Condition variable
//
// A condition variable is the same one-word structure as the lock; the Phf*
// routines below implement pulse/wait on it.

typedef struct _PH_QUEUED_LOCK PH_CONDITION, *PPH_CONDITION;

#define PH_CONDITION_INIT PH_QUEUED_LOCK_INIT

/** Resets the condition to its initial (no waiters) state. */
FORCEINLINE
VOID
PhInitializeCondition(
    _Out_ PPH_CONDITION Condition
    )
{
    PhInitializeQueuedLock(Condition);
}

// The Ph* names are plain aliases of the out-of-line Phf* implementations.
#define PhPulseCondition PhfPulseCondition
PHLIBAPI
VOID
FASTCALL
PhfPulseCondition(
    _Inout_ PPH_CONDITION Condition
    );

#define PhPulseAllCondition PhfPulseAllCondition
PHLIBAPI
VOID
FASTCALL
PhfPulseAllCondition(
    _Inout_ PPH_CONDITION Condition
    );

#define PhWaitForCondition PhfWaitForCondition
PHLIBAPI
VOID
FASTCALL
PhfWaitForCondition(
    _Inout_ PPH_CONDITION Condition,
    _Inout_ PPH_QUEUED_LOCK Lock,
    _In_opt_ PLARGE_INTEGER Timeout
    );

// Flags for PhfWaitForConditionEx: the low 12 bits select what kind of lock
// the opaque Lock parameter points at; the upper bits modify the wait.
#define PH_CONDITION_WAIT_QUEUED_LOCK 0x1
#define PH_CONDITION_WAIT_CRITICAL_SECTION 0x2
#define PH_CONDITION_WAIT_FAST_LOCK 0x4
#define PH_CONDITION_WAIT_LOCK_TYPE_MASK 0xfff

#define PH_CONDITION_WAIT_SHARED 0x1000
#define PH_CONDITION_WAIT_SPIN 0x2000

#define PhWaitForConditionEx PhfWaitForConditionEx
PHLIBAPI
VOID
FASTCALL
PhfWaitForConditionEx(
    _Inout_ PPH_CONDITION Condition,
    _Inout_ PVOID Lock,             // type given by Flags & PH_CONDITION_WAIT_LOCK_TYPE_MASK
    _In_ ULONG Flags,
    _In_opt_ PLARGE_INTEGER Timeout
    );

// Wake event
//
// Also the same one-word structure; waiters queue a PH_QUEUED_WAIT_BLOCK and
// a setter wakes them.

typedef struct _PH_QUEUED_LOCK PH_WAKE_EVENT, *PPH_WAKE_EVENT;

#define PH_WAKE_EVENT_INIT PH_QUEUED_LOCK_INIT

/** Resets the wake event to its initial (no waiters) state. */
FORCEINLINE
VOID
PhInitializeWakeEvent(
    _Out_ PPH_WAKE_EVENT WakeEvent
    )
{
    PhInitializeQueuedLock(WakeEvent);
}

#define PhQueueWakeEvent PhfQueueWakeEvent
PHLIBAPI
VOID
FASTCALL
PhfQueueWakeEvent(
    _Inout_ PPH_WAKE_EVENT WakeEvent,
    _Out_ PPH_QUEUED_WAIT_BLOCK WaitBlock
    );

PHLIBAPI
VOID
FASTCALL
PhfSetWakeEvent(
    _Inout_ PPH_WAKE_EVENT WakeEvent,
    _Inout_opt_ PPH_QUEUED_WAIT_BLOCK WaitBlock
    );

/**
 * Wakes queued waiters. Skips the out-of-line call entirely when the word is
 * zero (nobody queued) and no specific WaitBlock is being cancelled.
 */
FORCEINLINE
VOID
PhSetWakeEvent(
    _Inout_ PPH_WAKE_EVENT WakeEvent,
    _Inout_opt_ PPH_QUEUED_WAIT_BLOCK WaitBlock
    )
{
    // The wake event is similar to a synchronization event in that it does not have thread-safe
    // pulsing; we can simply skip the function call if there's nothing to wake. However, if we're
    // cancelling a wait (WaitBlock != NULL) we need to make the call.

    if (WakeEvent->Value || WaitBlock)
        PhfSetWakeEvent(WakeEvent, WaitBlock);
}

// Returns an NTSTATUS; presumably a timeout status when Timeout elapses —
// confirm against the phlib implementation.
#define PhWaitForWakeEvent PhfWaitForWakeEvent
PHLIBAPI
NTSTATUS
FASTCALL
PhfWaitForWakeEvent(
    _Inout_ PPH_WAKE_EVENT WakeEvent,
    _Inout_ PPH_QUEUED_WAIT_BLOCK WaitBlock,
    _In_ BOOLEAN Spin,
    _In_opt_ PLARGE_INTEGER Timeout
    );

#ifdef __cplusplus
}
#endif

#endif
--------------------------------------------------------------------------------
/sdk/include/nttp.h:
--------------------------------------------------------------------------------
/*
 * Prototypes for the ntdll thread-pool (Tp*) exports. These are the native
 * routines beneath the documented Win32 threadpool API; the "winbase:" tags
 * name the public wrapper each one corresponds to, while "private" and "rev"
 * mark routines without a documented equivalent (phnt convention — "rev"
 * presumably meaning the signature was recovered by reverse engineering).
 * NOTE(review): undocumented exports carry no stability guarantee across
 * Windows versions.
 */
#ifndef _NTTP_H
#define _NTTP_H

// Some types are already defined in winnt.h.

// Opaque handle type for ALPC-backed thread-pool callbacks.
typedef struct _TP_ALPC TP_ALPC, *PTP_ALPC;

// private
typedef VOID (NTAPI *PTP_ALPC_CALLBACK)(
    _Inout_ PTP_CALLBACK_INSTANCE Instance,
    _Inout_opt_ PVOID Context,
    _In_ PTP_ALPC Alpc
    );

// rev
typedef VOID (NTAPI *PTP_ALPC_CALLBACK_EX)(
    _Inout_ PTP_CALLBACK_INSTANCE Instance,
    _Inout_opt_ PVOID Context,
    _In_ PTP_ALPC Alpc,
    _In_ PVOID ApcContext
    );

#if (PHNT_VERSION >= PHNT_VISTA)

// private
// _Check_return_: PoolReturn is presumably only valid on success — check the
// status before using it.
_Check_return_
NTSYSAPI
NTSTATUS
NTAPI
TpAllocPool(
    _Out_ PTP_POOL *PoolReturn,
    _Reserved_ PVOID Reserved
    );

// winbase:CloseThreadpool
NTSYSAPI
VOID
NTAPI
TpReleasePool(
    _Inout_ PTP_POOL Pool
    );

// winbase:SetThreadpoolThreadMaximum
NTSYSAPI
VOID
NTAPI
TpSetPoolMaxThreads(
    _Inout_ PTP_POOL Pool,
    _In_ LONG MaxThreads
    );

// private
NTSYSAPI
NTSTATUS
NTAPI
TpSetPoolMinThreads(
    _Inout_ PTP_POOL Pool,
    _In_ LONG MinThreads
    );

#if (PHNT_VERSION >= PHNT_WIN7)
// rev
NTSYSAPI
NTSTATUS
NTAPI
TpQueryPoolStackInformation(
    _In_ PTP_POOL Pool,
    _Out_ PTP_POOL_STACK_INFORMATION PoolStackInformation
    );
#endif

#if (PHNT_VERSION >= PHNT_WIN7)
// rev
NTSYSAPI
NTSTATUS
NTAPI
TpSetPoolStackInformation(
    _Inout_ PTP_POOL Pool,
    _In_ PTP_POOL_STACK_INFORMATION PoolStackInformation
    );
#endif

// private
_Check_return_
NTSYSAPI
NTSTATUS
NTAPI
TpAllocCleanupGroup(
    _Out_ PTP_CLEANUP_GROUP *CleanupGroupReturn
    );

// winbase:CloseThreadpoolCleanupGroup
NTSYSAPI
VOID
NTAPI
TpReleaseCleanupGroup(
    _Inout_ PTP_CLEANUP_GROUP CleanupGroup
    );

// winbase:CloseThreadpoolCleanupGroupMembers
NTSYSAPI
VOID
NTAPI
TpReleaseCleanupGroupMembers(
    _Inout_ PTP_CLEANUP_GROUP CleanupGroup,
    _In_ LOGICAL CancelPendingCallbacks,
    _Inout_opt_ PVOID CleanupParameter
    );

// The TpCallback*OnCompletion routines register an action the pool performs
// after the current callback (Instance) returns: signal an event, release a
// semaphore or mutex, leave a critical section, or unload a DLL.

// winbase:SetEventWhenCallbackReturns
NTSYSAPI
VOID
NTAPI
TpCallbackSetEventOnCompletion(
    _Inout_ PTP_CALLBACK_INSTANCE Instance,
    _In_ HANDLE Event
    );

// winbase:ReleaseSemaphoreWhenCallbackReturns
NTSYSAPI
VOID
NTAPI
TpCallbackReleaseSemaphoreOnCompletion(
    _Inout_ PTP_CALLBACK_INSTANCE Instance,
    _In_ HANDLE Semaphore,
    _In_ LONG ReleaseCount
    );

// winbase:ReleaseMutexWhenCallbackReturns
NTSYSAPI
VOID
NTAPI
TpCallbackReleaseMutexOnCompletion(
    _Inout_ PTP_CALLBACK_INSTANCE Instance,
    _In_ HANDLE Mutex
    );

// winbase:LeaveCriticalSectionWhenCallbackReturns
NTSYSAPI
VOID
NTAPI
TpCallbackLeaveCriticalSectionOnCompletion(
    _Inout_ PTP_CALLBACK_INSTANCE Instance,
    _Inout_ PRTL_CRITICAL_SECTION CriticalSection
    );

// winbase:FreeLibraryWhenCallbackReturns
NTSYSAPI
VOID
NTAPI
TpCallbackUnloadDllOnCompletion(
    _Inout_ PTP_CALLBACK_INSTANCE Instance,
    _In_ PVOID DllHandle
    );

// winbase:CallbackMayRunLong
NTSYSAPI
NTSTATUS
NTAPI
TpCallbackMayRunLong(
    _Inout_ PTP_CALLBACK_INSTANCE Instance
    );

// winbase:DisassociateCurrentThreadFromCallback
NTSYSAPI
VOID
NTAPI
TpDisassociateCallback(
    _Inout_ PTP_CALLBACK_INSTANCE Instance
    );

// winbase:TrySubmitThreadpoolCallback
_Check_return_
NTSYSAPI
NTSTATUS
NTAPI
TpSimpleTryPost(
    _In_ PTP_SIMPLE_CALLBACK Callback,
    _Inout_opt_ PVOID Context,
    _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron
    );

// private
_Check_return_
NTSYSAPI
| NTSTATUS 187 | NTAPI 188 | TpAllocWork( 189 | _Out_ PTP_WORK *WorkReturn, 190 | _In_ PTP_WORK_CALLBACK Callback, 191 | _Inout_opt_ PVOID Context, 192 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 193 | ); 194 | 195 | // winbase:CloseThreadpoolWork 196 | NTSYSAPI 197 | VOID 198 | NTAPI 199 | TpReleaseWork( 200 | _Inout_ PTP_WORK Work 201 | ); 202 | 203 | // winbase:SubmitThreadpoolWork 204 | NTSYSAPI 205 | VOID 206 | NTAPI 207 | TpPostWork( 208 | _Inout_ PTP_WORK Work 209 | ); 210 | 211 | // winbase:WaitForThreadpoolWorkCallbacks 212 | NTSYSAPI 213 | VOID 214 | NTAPI 215 | TpWaitForWork( 216 | _Inout_ PTP_WORK Work, 217 | _In_ LOGICAL CancelPendingCallbacks 218 | ); 219 | 220 | // private 221 | _Check_return_ 222 | NTSYSAPI 223 | NTSTATUS 224 | NTAPI 225 | TpAllocTimer( 226 | _Out_ PTP_TIMER *Timer, 227 | _In_ PTP_TIMER_CALLBACK Callback, 228 | _Inout_opt_ PVOID Context, 229 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 230 | ); 231 | 232 | // winbase:CloseThreadpoolTimer 233 | NTSYSAPI 234 | VOID 235 | NTAPI 236 | TpReleaseTimer( 237 | _Inout_ PTP_TIMER Timer 238 | ); 239 | 240 | // winbase:SetThreadpoolTimer 241 | NTSYSAPI 242 | VOID 243 | NTAPI 244 | TpSetTimer( 245 | _Inout_ PTP_TIMER Timer, 246 | _In_opt_ PLARGE_INTEGER DueTime, 247 | _In_ LONG Period, 248 | _In_opt_ LONG WindowLength 249 | ); 250 | 251 | // winbase:IsThreadpoolTimerSet 252 | NTSYSAPI 253 | LOGICAL 254 | NTAPI 255 | TpIsTimerSet( 256 | _In_ PTP_TIMER Timer 257 | ); 258 | 259 | // winbase:WaitForThreadpoolTimerCallbacks 260 | NTSYSAPI 261 | VOID 262 | NTAPI 263 | TpWaitForTimer( 264 | _Inout_ PTP_TIMER Timer, 265 | _In_ LOGICAL CancelPendingCallbacks 266 | ); 267 | 268 | // private 269 | _Check_return_ 270 | NTSYSAPI 271 | NTSTATUS 272 | NTAPI 273 | TpAllocWait( 274 | _Out_ PTP_WAIT *WaitReturn, 275 | _In_ PTP_WAIT_CALLBACK Callback, 276 | _Inout_opt_ PVOID Context, 277 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 278 | ); 279 | 280 | // winbase:CloseThreadpoolWait 281 | NTSYSAPI 282 | 
VOID 283 | NTAPI 284 | TpReleaseWait( 285 | _Inout_ PTP_WAIT Wait 286 | ); 287 | 288 | // winbase:SetThreadpoolWait 289 | NTSYSAPI 290 | VOID 291 | NTAPI 292 | TpSetWait( 293 | _Inout_ PTP_WAIT Wait, 294 | _In_opt_ HANDLE Handle, 295 | _In_opt_ PLARGE_INTEGER Timeout 296 | ); 297 | 298 | // winbase:WaitForThreadpoolWaitCallbacks 299 | NTSYSAPI 300 | VOID 301 | NTAPI 302 | TpWaitForWait( 303 | _Inout_ PTP_WAIT Wait, 304 | _In_ LOGICAL CancelPendingCallbacks 305 | ); 306 | 307 | // private 308 | typedef VOID (NTAPI *PTP_IO_CALLBACK)( 309 | _Inout_ PTP_CALLBACK_INSTANCE Instance, 310 | _Inout_opt_ PVOID Context, 311 | _In_ PVOID ApcContext, 312 | _In_ PIO_STATUS_BLOCK IoSB, 313 | _In_ PTP_IO Io 314 | ); 315 | 316 | // private 317 | _Check_return_ 318 | NTSYSAPI 319 | NTSTATUS 320 | NTAPI 321 | TpAllocIoCompletion( 322 | _Out_ PTP_IO *IoReturn, 323 | _In_ HANDLE File, 324 | _In_ PTP_IO_CALLBACK Callback, 325 | _Inout_opt_ PVOID Context, 326 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 327 | ); 328 | 329 | // winbase:CloseThreadpoolIo 330 | NTSYSAPI 331 | VOID 332 | NTAPI 333 | TpReleaseIoCompletion( 334 | _Inout_ PTP_IO Io 335 | ); 336 | 337 | // winbase:StartThreadpoolIo 338 | NTSYSAPI 339 | VOID 340 | NTAPI 341 | TpStartAsyncIoOperation( 342 | _Inout_ PTP_IO Io 343 | ); 344 | 345 | // winbase:CancelThreadpoolIo 346 | NTSYSAPI 347 | VOID 348 | NTAPI 349 | TpCancelAsyncIoOperation( 350 | _Inout_ PTP_IO Io 351 | ); 352 | 353 | // winbase:WaitForThreadpoolIoCallbacks 354 | NTSYSAPI 355 | VOID 356 | NTAPI 357 | TpWaitForIoCompletion( 358 | _Inout_ PTP_IO Io, 359 | _In_ LOGICAL CancelPendingCallbacks 360 | ); 361 | 362 | // private 363 | NTSYSAPI 364 | NTSTATUS 365 | NTAPI 366 | TpAllocAlpcCompletion( 367 | _Out_ PTP_ALPC *AlpcReturn, 368 | _In_ HANDLE AlpcPort, 369 | _In_ PTP_ALPC_CALLBACK Callback, 370 | _Inout_opt_ PVOID Context, 371 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 372 | ); 373 | 374 | #if (PHNT_VERSION >= PHNT_WIN7) 375 | // rev 376 | NTSYSAPI 377 | 
NTSTATUS 378 | NTAPI 379 | TpAllocAlpcCompletionEx( 380 | _Out_ PTP_ALPC *AlpcReturn, 381 | _In_ HANDLE AlpcPort, 382 | _In_ PTP_ALPC_CALLBACK_EX Callback, 383 | _Inout_opt_ PVOID Context, 384 | _In_opt_ PTP_CALLBACK_ENVIRON CallbackEnviron 385 | ); 386 | #endif 387 | 388 | // private 389 | NTSYSAPI 390 | VOID 391 | NTAPI 392 | TpReleaseAlpcCompletion( 393 | _Inout_ PTP_ALPC Alpc 394 | ); 395 | 396 | // private 397 | NTSYSAPI 398 | VOID 399 | NTAPI 400 | TpWaitForAlpcCompletion( 401 | _Inout_ PTP_ALPC Alpc 402 | ); 403 | 404 | // private 405 | typedef enum _TP_TRACE_TYPE 406 | { 407 | TpTraceThreadPriority = 1, 408 | TpTraceThreadAffinity, 409 | MaxTpTraceType 410 | } TP_TRACE_TYPE; 411 | 412 | // private 413 | NTSYSAPI 414 | VOID 415 | NTAPI 416 | TpCaptureCaller( 417 | _In_ TP_TRACE_TYPE Type 418 | ); 419 | 420 | // private 421 | NTSYSAPI 422 | VOID 423 | NTAPI 424 | TpCheckTerminateWorker( 425 | _In_ HANDLE Thread 426 | ); 427 | 428 | #endif 429 | 430 | #endif 431 | -------------------------------------------------------------------------------- /sdk/include/mapimg.h: -------------------------------------------------------------------------------- 1 | #ifndef _PH_MAPIMG_H 2 | #define _PH_MAPIMG_H 3 | 4 | #ifdef __cplusplus 5 | extern "C" { 6 | #endif 7 | 8 | typedef struct _PH_MAPPED_IMAGE 9 | { 10 | PVOID ViewBase; 11 | SIZE_T Size; 12 | 13 | PIMAGE_NT_HEADERS NtHeaders; 14 | ULONG NumberOfSections; 15 | PIMAGE_SECTION_HEADER Sections; 16 | USHORT Magic; 17 | } PH_MAPPED_IMAGE, *PPH_MAPPED_IMAGE; 18 | 19 | PHLIBAPI 20 | NTSTATUS 21 | NTAPI 22 | PhInitializeMappedImage( 23 | _Out_ PPH_MAPPED_IMAGE MappedImage, 24 | _In_ PVOID ViewBase, 25 | _In_ SIZE_T Size 26 | ); 27 | 28 | PHLIBAPI 29 | NTSTATUS 30 | NTAPI 31 | PhLoadMappedImage( 32 | _In_opt_ PWSTR FileName, 33 | _In_opt_ HANDLE FileHandle, 34 | _In_ BOOLEAN ReadOnly, 35 | _Out_ PPH_MAPPED_IMAGE MappedImage 36 | ); 37 | 38 | PHLIBAPI 39 | NTSTATUS 40 | NTAPI 41 | PhUnloadMappedImage( 42 | _Inout_ 
PPH_MAPPED_IMAGE MappedImage 43 | ); 44 | 45 | PHLIBAPI 46 | NTSTATUS 47 | NTAPI 48 | PhMapViewOfEntireFile( 49 | _In_opt_ PWSTR FileName, 50 | _In_opt_ HANDLE FileHandle, 51 | _In_ BOOLEAN ReadOnly, 52 | _Out_ PVOID *ViewBase, 53 | _Out_ PSIZE_T Size 54 | ); 55 | 56 | PHLIBAPI 57 | PIMAGE_SECTION_HEADER 58 | NTAPI 59 | PhMappedImageRvaToSection( 60 | _In_ PPH_MAPPED_IMAGE MappedImage, 61 | _In_ ULONG Rva 62 | ); 63 | 64 | PHLIBAPI 65 | PVOID 66 | NTAPI 67 | PhMappedImageRvaToVa( 68 | _In_ PPH_MAPPED_IMAGE MappedImage, 69 | _In_ ULONG Rva, 70 | _Out_opt_ PIMAGE_SECTION_HEADER *Section 71 | ); 72 | 73 | PHLIBAPI 74 | BOOLEAN 75 | NTAPI 76 | PhGetMappedImageSectionName( 77 | _In_ PIMAGE_SECTION_HEADER Section, 78 | _Out_writes_opt_z_(Count) PSTR Buffer, 79 | _In_ ULONG Count, 80 | _Out_opt_ PULONG ReturnCount 81 | ); 82 | 83 | PHLIBAPI 84 | NTSTATUS 85 | NTAPI 86 | PhGetMappedImageDataEntry( 87 | _In_ PPH_MAPPED_IMAGE MappedImage, 88 | _In_ ULONG Index, 89 | _Out_ PIMAGE_DATA_DIRECTORY *Entry 90 | ); 91 | 92 | PHLIBAPI 93 | NTSTATUS 94 | NTAPI 95 | PhGetMappedImageLoadConfig32( 96 | _In_ PPH_MAPPED_IMAGE MappedImage, 97 | _Out_ PIMAGE_LOAD_CONFIG_DIRECTORY32 *LoadConfig 98 | ); 99 | 100 | PHLIBAPI 101 | NTSTATUS 102 | NTAPI 103 | PhGetMappedImageLoadConfig64( 104 | _In_ PPH_MAPPED_IMAGE MappedImage, 105 | _Out_ PIMAGE_LOAD_CONFIG_DIRECTORY64 *LoadConfig 106 | ); 107 | 108 | typedef struct _PH_REMOTE_MAPPED_IMAGE 109 | { 110 | PVOID ViewBase; 111 | 112 | PIMAGE_NT_HEADERS NtHeaders; 113 | ULONG NumberOfSections; 114 | PIMAGE_SECTION_HEADER Sections; 115 | USHORT Magic; 116 | } PH_REMOTE_MAPPED_IMAGE, *PPH_REMOTE_MAPPED_IMAGE; 117 | 118 | NTSTATUS 119 | NTAPI 120 | PhLoadRemoteMappedImage( 121 | _In_ HANDLE ProcessHandle, 122 | _In_ PVOID ViewBase, 123 | _Out_ PPH_REMOTE_MAPPED_IMAGE RemoteMappedImage 124 | ); 125 | 126 | NTSTATUS 127 | NTAPI 128 | PhUnloadRemoteMappedImage( 129 | _Inout_ PPH_REMOTE_MAPPED_IMAGE RemoteMappedImage 130 | ); 131 | 132 | typedef struct 
_PH_MAPPED_IMAGE_EXPORTS 133 | { 134 | PPH_MAPPED_IMAGE MappedImage; 135 | ULONG NumberOfEntries; 136 | 137 | PIMAGE_DATA_DIRECTORY DataDirectory; 138 | PIMAGE_EXPORT_DIRECTORY ExportDirectory; 139 | PULONG AddressTable; 140 | PULONG NamePointerTable; 141 | PUSHORT OrdinalTable; 142 | } PH_MAPPED_IMAGE_EXPORTS, *PPH_MAPPED_IMAGE_EXPORTS; 143 | 144 | typedef struct _PH_MAPPED_IMAGE_EXPORT_ENTRY 145 | { 146 | USHORT Ordinal; 147 | PSTR Name; 148 | } PH_MAPPED_IMAGE_EXPORT_ENTRY, *PPH_MAPPED_IMAGE_EXPORT_ENTRY; 149 | 150 | typedef struct _PH_MAPPED_IMAGE_EXPORT_FUNCTION 151 | { 152 | PVOID Function; 153 | PSTR ForwardedName; 154 | } PH_MAPPED_IMAGE_EXPORT_FUNCTION, *PPH_MAPPED_IMAGE_EXPORT_FUNCTION; 155 | 156 | PHLIBAPI 157 | NTSTATUS 158 | NTAPI 159 | PhGetMappedImageExports( 160 | _Out_ PPH_MAPPED_IMAGE_EXPORTS Exports, 161 | _In_ PPH_MAPPED_IMAGE MappedImage 162 | ); 163 | 164 | PHLIBAPI 165 | NTSTATUS 166 | NTAPI 167 | PhGetMappedImageExportEntry( 168 | _In_ PPH_MAPPED_IMAGE_EXPORTS Exports, 169 | _In_ ULONG Index, 170 | _Out_ PPH_MAPPED_IMAGE_EXPORT_ENTRY Entry 171 | ); 172 | 173 | PHLIBAPI 174 | NTSTATUS 175 | NTAPI 176 | PhGetMappedImageExportFunction( 177 | _In_ PPH_MAPPED_IMAGE_EXPORTS Exports, 178 | _In_opt_ PSTR Name, 179 | _In_opt_ USHORT Ordinal, 180 | _Out_ PPH_MAPPED_IMAGE_EXPORT_FUNCTION Function 181 | ); 182 | 183 | PHLIBAPI 184 | NTSTATUS 185 | NTAPI 186 | PhGetMappedImageExportFunctionRemote( 187 | _In_ PPH_MAPPED_IMAGE_EXPORTS Exports, 188 | _In_opt_ PSTR Name, 189 | _In_opt_ USHORT Ordinal, 190 | _In_ PVOID RemoteBase, 191 | _Out_ PVOID *Function 192 | ); 193 | 194 | #define PH_MAPPED_IMAGE_DELAY_IMPORTS 0x1 195 | 196 | typedef struct _PH_MAPPED_IMAGE_IMPORTS 197 | { 198 | PPH_MAPPED_IMAGE MappedImage; 199 | ULONG Flags; 200 | ULONG NumberOfDlls; 201 | 202 | union 203 | { 204 | PIMAGE_IMPORT_DESCRIPTOR DescriptorTable; 205 | PVOID DelayDescriptorTable; 206 | }; 207 | } PH_MAPPED_IMAGE_IMPORTS, *PPH_MAPPED_IMAGE_IMPORTS; 208 | 209 | typedef struct 
_PH_MAPPED_IMAGE_IMPORT_DLL 210 | { 211 | PPH_MAPPED_IMAGE MappedImage; 212 | ULONG Flags; 213 | PSTR Name; 214 | ULONG NumberOfEntries; 215 | 216 | union 217 | { 218 | PIMAGE_IMPORT_DESCRIPTOR Descriptor; 219 | PVOID DelayDescriptor; 220 | }; 221 | PVOID *LookupTable; 222 | } PH_MAPPED_IMAGE_IMPORT_DLL, *PPH_MAPPED_IMAGE_IMPORT_DLL; 223 | 224 | typedef struct _PH_MAPPED_IMAGE_IMPORT_ENTRY 225 | { 226 | PSTR Name; 227 | union 228 | { 229 | USHORT Ordinal; 230 | USHORT NameHint; 231 | }; 232 | } PH_MAPPED_IMAGE_IMPORT_ENTRY, *PPH_MAPPED_IMAGE_IMPORT_ENTRY; 233 | 234 | PHLIBAPI 235 | NTSTATUS 236 | NTAPI 237 | PhGetMappedImageImports( 238 | _Out_ PPH_MAPPED_IMAGE_IMPORTS Imports, 239 | _In_ PPH_MAPPED_IMAGE MappedImage 240 | ); 241 | 242 | PHLIBAPI 243 | NTSTATUS 244 | NTAPI 245 | PhGetMappedImageImportDll( 246 | _In_ PPH_MAPPED_IMAGE_IMPORTS Imports, 247 | _In_ ULONG Index, 248 | _Out_ PPH_MAPPED_IMAGE_IMPORT_DLL ImportDll 249 | ); 250 | 251 | PHLIBAPI 252 | NTSTATUS 253 | NTAPI 254 | PhGetMappedImageImportEntry( 255 | _In_ PPH_MAPPED_IMAGE_IMPORT_DLL ImportDll, 256 | _In_ ULONG Index, 257 | _Out_ PPH_MAPPED_IMAGE_IMPORT_ENTRY Entry 258 | ); 259 | 260 | PHLIBAPI 261 | NTSTATUS 262 | NTAPI 263 | PhGetMappedImageDelayImports( 264 | _Out_ PPH_MAPPED_IMAGE_IMPORTS Imports, 265 | _In_ PPH_MAPPED_IMAGE MappedImage 266 | ); 267 | 268 | USHORT 269 | NTAPI 270 | PhCheckSum( 271 | _In_ ULONG Sum, 272 | _In_reads_(Count) PUSHORT Buffer, 273 | _In_ ULONG Count 274 | ); 275 | 276 | PHLIBAPI 277 | ULONG 278 | NTAPI 279 | PhCheckSumMappedImage( 280 | _In_ PPH_MAPPED_IMAGE MappedImage 281 | ); 282 | 283 | // maplib 284 | 285 | struct _PH_MAPPED_ARCHIVE; 286 | typedef struct _PH_MAPPED_ARCHIVE *PPH_MAPPED_ARCHIVE; 287 | 288 | typedef enum _PH_MAPPED_ARCHIVE_MEMBER_TYPE 289 | { 290 | NormalArchiveMemberType, 291 | LinkerArchiveMemberType, 292 | LongnamesArchiveMemberType 293 | } PH_MAPPED_ARCHIVE_MEMBER_TYPE; 294 | 295 | typedef struct _PH_MAPPED_ARCHIVE_MEMBER 296 | { 297 | 
PPH_MAPPED_ARCHIVE MappedArchive; 298 | PH_MAPPED_ARCHIVE_MEMBER_TYPE Type; 299 | PSTR Name; 300 | ULONG Size; 301 | PVOID Data; 302 | 303 | PIMAGE_ARCHIVE_MEMBER_HEADER Header; 304 | CHAR NameBuffer[20]; 305 | } PH_MAPPED_ARCHIVE_MEMBER, *PPH_MAPPED_ARCHIVE_MEMBER; 306 | 307 | typedef struct _PH_MAPPED_ARCHIVE 308 | { 309 | PVOID ViewBase; 310 | SIZE_T Size; 311 | 312 | PH_MAPPED_ARCHIVE_MEMBER FirstLinkerMember; 313 | PH_MAPPED_ARCHIVE_MEMBER SecondLinkerMember; 314 | PH_MAPPED_ARCHIVE_MEMBER LongnamesMember; 315 | BOOLEAN HasLongnamesMember; 316 | 317 | PPH_MAPPED_ARCHIVE_MEMBER FirstStandardMember; 318 | PPH_MAPPED_ARCHIVE_MEMBER LastStandardMember; 319 | } PH_MAPPED_ARCHIVE, *PPH_MAPPED_ARCHIVE; 320 | 321 | typedef struct _PH_MAPPED_ARCHIVE_IMPORT_ENTRY 322 | { 323 | PSTR Name; 324 | PSTR DllName; 325 | union 326 | { 327 | USHORT Ordinal; 328 | USHORT NameHint; 329 | }; 330 | BYTE Type; 331 | BYTE NameType; 332 | USHORT Machine; 333 | } PH_MAPPED_ARCHIVE_IMPORT_ENTRY, *PPH_MAPPED_ARCHIVE_IMPORT_ENTRY; 334 | 335 | PHLIBAPI 336 | NTSTATUS 337 | NTAPI 338 | PhInitializeMappedArchive( 339 | _Out_ PPH_MAPPED_ARCHIVE MappedArchive, 340 | _In_ PVOID ViewBase, 341 | _In_ SIZE_T Size 342 | ); 343 | 344 | PHLIBAPI 345 | NTSTATUS 346 | NTAPI 347 | PhLoadMappedArchive( 348 | _In_opt_ PWSTR FileName, 349 | _In_opt_ HANDLE FileHandle, 350 | _In_ BOOLEAN ReadOnly, 351 | _Out_ PPH_MAPPED_ARCHIVE MappedArchive 352 | ); 353 | 354 | PHLIBAPI 355 | NTSTATUS 356 | NTAPI 357 | PhUnloadMappedArchive( 358 | _Inout_ PPH_MAPPED_ARCHIVE MappedArchive 359 | ); 360 | 361 | PHLIBAPI 362 | NTSTATUS 363 | NTAPI 364 | PhGetNextMappedArchiveMember( 365 | _In_ PPH_MAPPED_ARCHIVE_MEMBER Member, 366 | _Out_ PPH_MAPPED_ARCHIVE_MEMBER NextMember 367 | ); 368 | 369 | PHLIBAPI 370 | BOOLEAN 371 | NTAPI 372 | PhIsMappedArchiveMemberShortFormat( 373 | _In_ PPH_MAPPED_ARCHIVE_MEMBER Member 374 | ); 375 | 376 | PHLIBAPI 377 | NTSTATUS 378 | NTAPI 379 | PhGetMappedArchiveImportEntry( 380 | _In_ 
PPH_MAPPED_ARCHIVE_MEMBER Member, 381 | _Out_ PPH_MAPPED_ARCHIVE_IMPORT_ENTRY Entry 382 | ); 383 | 384 | #ifdef __cplusplus 385 | } 386 | #endif 387 | 388 | #endif 389 | -------------------------------------------------------------------------------- /CobaltStrikeDetect.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {6d3d2e3f-971a-49c8-9503-7aa259f6be48} 25 | CobaltStrikeDetect 26 | 10.0 27 | 28 | 29 | 30 | DynamicLibrary 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | DynamicLibrary 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | DynamicLibrary 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | DynamicLibrary 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | $(SolutionDir)sdk\include;$(IncludePath) 76 | 77 | 78 | false 79 | $(SolutionDir)sdk\include;$(IncludePath) 80 | 81 | 82 | true 83 | $(SolutionDir)sdk\include;$(IncludePath) 84 | $(SolutionDir)sdk\lib\amd64;$(LibraryPath) 85 | false 86 | 87 | 88 | false 89 | $(SolutionDir)sdk\include;$(IncludePath) 90 | $(SolutionDir)sdk\lib\amd64;$(LibraryPath) 91 | false 92 | 93 | 94 | 95 | Level3 96 | true 97 | WIN32;_DEBUG;COBALTSTRIKEDETECT_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 98 | true 99 | Use 100 | pch.h 101 | 102 | 103 | Windows 104 | true 105 | false 106 | 107 | 108 | 109 | 110 | Level3 111 | true 112 | true 113 | true 114 | WIN32;NDEBUG;COBALTSTRIKEDETECT_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 115 | true 116 | Use 117 | pch.h 118 | 119 | 120 | Windows 121 | true 122 | true 123 | true 124 | false 125 | 126 | 127 | 128 | 129 | Level3 130 | true 131 | _DEBUG;COBALTSTRIKEDETECT_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 132 | false 133 | Use 134 | pch.h 
135 | 136 | 137 | Windows 138 | true 139 | false 140 | 141 | 142 | 143 | 144 | 145 | 146 | Level3 147 | true 148 | true 149 | true 150 | NDEBUG;COBALTSTRIKEDETECT_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 151 | false 152 | Use 153 | pch.h 154 | 155 | 156 | Windows 157 | true 158 | true 159 | true 160 | false 161 | DllMain 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | Create 172 | Create 173 | Create 174 | Create 175 | 176 | 177 | 178 | 179 | 180 | -------------------------------------------------------------------------------- /sdk/include/ntobapi.h: -------------------------------------------------------------------------------- 1 | #ifndef _NTOBAPI_H 2 | #define _NTOBAPI_H 3 | 4 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 5 | #define OBJECT_TYPE_CREATE 0x0001 6 | #define OBJECT_TYPE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1) 7 | #endif 8 | 9 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 10 | #define DIRECTORY_QUERY 0x0001 11 | #define DIRECTORY_TRAVERSE 0x0002 12 | #define DIRECTORY_CREATE_OBJECT 0x0004 13 | #define DIRECTORY_CREATE_SUBDIRECTORY 0x0008 14 | #define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xf) 15 | #endif 16 | 17 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 18 | #define SYMBOLIC_LINK_QUERY 0x0001 19 | #define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1) 20 | #endif 21 | 22 | #define OBJ_PROTECT_CLOSE 0x00000001 23 | #ifndef OBJ_INHERIT 24 | #define OBJ_INHERIT 0x00000002 25 | #endif 26 | #define OBJ_AUDIT_OBJECT_CLOSE 0x00000004 27 | 28 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 29 | typedef enum _OBJECT_INFORMATION_CLASS 30 | { 31 | ObjectBasicInformation, 32 | ObjectNameInformation, 33 | ObjectTypeInformation, 34 | ObjectTypesInformation, 35 | ObjectHandleFlagInformation, 36 | ObjectSessionInformation, 37 | MaxObjectInfoClass 38 | } OBJECT_INFORMATION_CLASS; 39 | #else 40 | #define ObjectNameInformation 1 41 | #define ObjectTypesInformation 3 42 | #define ObjectHandleFlagInformation 4 43 | #define ObjectSessionInformation 5 
44 | #endif 45 | 46 | typedef struct _OBJECT_BASIC_INFORMATION 47 | { 48 | ULONG Attributes; 49 | ACCESS_MASK GrantedAccess; 50 | ULONG HandleCount; 51 | ULONG PointerCount; 52 | ULONG PagedPoolCharge; 53 | ULONG NonPagedPoolCharge; 54 | ULONG Reserved[3]; 55 | ULONG NameInfoSize; 56 | ULONG TypeInfoSize; 57 | ULONG SecurityDescriptorSize; 58 | LARGE_INTEGER CreationTime; 59 | } OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION; 60 | 61 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 62 | typedef struct _OBJECT_NAME_INFORMATION 63 | { 64 | UNICODE_STRING Name; 65 | } OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION; 66 | #endif 67 | 68 | typedef struct _OBJECT_TYPE_INFORMATION 69 | { 70 | UNICODE_STRING TypeName; 71 | ULONG TotalNumberOfObjects; 72 | ULONG TotalNumberOfHandles; 73 | ULONG TotalPagedPoolUsage; 74 | ULONG TotalNonPagedPoolUsage; 75 | ULONG TotalNamePoolUsage; 76 | ULONG TotalHandleTableUsage; 77 | ULONG HighWaterNumberOfObjects; 78 | ULONG HighWaterNumberOfHandles; 79 | ULONG HighWaterPagedPoolUsage; 80 | ULONG HighWaterNonPagedPoolUsage; 81 | ULONG HighWaterNamePoolUsage; 82 | ULONG HighWaterHandleTableUsage; 83 | ULONG InvalidAttributes; 84 | GENERIC_MAPPING GenericMapping; 85 | ULONG ValidAccessMask; 86 | BOOLEAN SecurityRequired; 87 | BOOLEAN MaintainHandleCount; 88 | UCHAR TypeIndex; // since WINBLUE 89 | CHAR ReservedByte; 90 | ULONG PoolType; 91 | ULONG DefaultPagedPoolCharge; 92 | ULONG DefaultNonPagedPoolCharge; 93 | } OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION; 94 | 95 | typedef struct _OBJECT_TYPES_INFORMATION 96 | { 97 | ULONG NumberOfTypes; 98 | } OBJECT_TYPES_INFORMATION, *POBJECT_TYPES_INFORMATION; 99 | 100 | typedef struct _OBJECT_HANDLE_FLAG_INFORMATION 101 | { 102 | BOOLEAN Inherit; 103 | BOOLEAN ProtectFromClose; 104 | } OBJECT_HANDLE_FLAG_INFORMATION, *POBJECT_HANDLE_FLAG_INFORMATION; 105 | 106 | // Objects, handles 107 | 108 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 109 | 110 | NTSYSCALLAPI 111 | NTSTATUS 112 | NTAPI 113 | 
NtQueryObject( 114 | _In_ HANDLE Handle, 115 | _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass, 116 | _Out_writes_bytes_opt_(ObjectInformationLength) PVOID ObjectInformation, 117 | _In_ ULONG ObjectInformationLength, 118 | _Out_opt_ PULONG ReturnLength 119 | ); 120 | 121 | NTSYSCALLAPI 122 | NTSTATUS 123 | NTAPI 124 | NtSetInformationObject( 125 | _In_ HANDLE Handle, 126 | _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass, 127 | _In_reads_bytes_(ObjectInformationLength) PVOID ObjectInformation, 128 | _In_ ULONG ObjectInformationLength 129 | ); 130 | 131 | #define DUPLICATE_CLOSE_SOURCE 0x00000001 132 | #define DUPLICATE_SAME_ACCESS 0x00000002 133 | #define DUPLICATE_SAME_ATTRIBUTES 0x00000004 134 | 135 | NTSYSCALLAPI 136 | NTSTATUS 137 | NTAPI 138 | NtDuplicateObject( 139 | _In_ HANDLE SourceProcessHandle, 140 | _In_ HANDLE SourceHandle, 141 | _In_opt_ HANDLE TargetProcessHandle, 142 | _Out_opt_ PHANDLE TargetHandle, 143 | _In_ ACCESS_MASK DesiredAccess, 144 | _In_ ULONG HandleAttributes, 145 | _In_ ULONG Options 146 | ); 147 | 148 | NTSYSCALLAPI 149 | NTSTATUS 150 | NTAPI 151 | NtMakeTemporaryObject( 152 | _In_ HANDLE Handle 153 | ); 154 | 155 | NTSYSCALLAPI 156 | NTSTATUS 157 | NTAPI 158 | NtMakePermanentObject( 159 | _In_ HANDLE Handle 160 | ); 161 | 162 | NTSYSCALLAPI 163 | NTSTATUS 164 | NTAPI 165 | NtSignalAndWaitForSingleObject( 166 | _In_ HANDLE SignalHandle, 167 | _In_ HANDLE WaitHandle, 168 | _In_ BOOLEAN Alertable, 169 | _In_opt_ PLARGE_INTEGER Timeout 170 | ); 171 | 172 | NTSYSCALLAPI 173 | NTSTATUS 174 | NTAPI 175 | NtWaitForSingleObject( 176 | _In_ HANDLE Handle, 177 | _In_ BOOLEAN Alertable, 178 | _In_opt_ PLARGE_INTEGER Timeout 179 | ); 180 | 181 | NTSYSCALLAPI 182 | NTSTATUS 183 | NTAPI 184 | NtWaitForMultipleObjects( 185 | _In_ ULONG Count, 186 | _In_reads_(Count) HANDLE Handles[], 187 | _In_ WAIT_TYPE WaitType, 188 | _In_ BOOLEAN Alertable, 189 | _In_opt_ PLARGE_INTEGER Timeout 190 | ); 191 | 192 | #if (PHNT_VERSION >= PHNT_WS03) 193 | 
NTSYSCALLAPI 194 | NTSTATUS 195 | NTAPI 196 | NtWaitForMultipleObjects32( 197 | _In_ ULONG Count, 198 | _In_reads_(Count) LONG Handles[], 199 | _In_ WAIT_TYPE WaitType, 200 | _In_ BOOLEAN Alertable, 201 | _In_opt_ PLARGE_INTEGER Timeout 202 | ); 203 | #endif 204 | 205 | NTSYSCALLAPI 206 | NTSTATUS 207 | NTAPI 208 | NtSetSecurityObject( 209 | _In_ HANDLE Handle, 210 | _In_ SECURITY_INFORMATION SecurityInformation, 211 | _In_ PSECURITY_DESCRIPTOR SecurityDescriptor 212 | ); 213 | 214 | NTSYSCALLAPI 215 | NTSTATUS 216 | NTAPI 217 | NtQuerySecurityObject( 218 | _In_ HANDLE Handle, 219 | _In_ SECURITY_INFORMATION SecurityInformation, 220 | _Out_writes_bytes_opt_(Length) PSECURITY_DESCRIPTOR SecurityDescriptor, 221 | _In_ ULONG Length, 222 | _Out_ PULONG LengthNeeded 223 | ); 224 | 225 | NTSYSCALLAPI 226 | NTSTATUS 227 | NTAPI 228 | NtClose( 229 | _In_ HANDLE Handle 230 | ); 231 | 232 | #if (PHNT_VERSION >= PHNT_THRESHOLD) 233 | NTSYSCALLAPI 234 | NTSTATUS 235 | NTAPI 236 | NtCompareObjects( 237 | _In_ HANDLE FirstObjectHandle, 238 | _In_ HANDLE SecondObjectHandle 239 | ); 240 | #endif 241 | 242 | #endif 243 | 244 | // Directory objects 245 | 246 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 247 | 248 | NTSYSCALLAPI 249 | NTSTATUS 250 | NTAPI 251 | NtCreateDirectoryObject( 252 | _Out_ PHANDLE DirectoryHandle, 253 | _In_ ACCESS_MASK DesiredAccess, 254 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 255 | ); 256 | 257 | #if (PHNT_VERSION >= PHNT_WIN8) 258 | NTSYSCALLAPI 259 | NTSTATUS 260 | NTAPI 261 | NtCreateDirectoryObjectEx( 262 | _Out_ PHANDLE DirectoryHandle, 263 | _In_ ACCESS_MASK DesiredAccess, 264 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 265 | _In_ HANDLE ShadowDirectoryHandle, 266 | _In_ ULONG Flags 267 | ); 268 | #endif 269 | 270 | NTSYSCALLAPI 271 | NTSTATUS 272 | NTAPI 273 | NtOpenDirectoryObject( 274 | _Out_ PHANDLE DirectoryHandle, 275 | _In_ ACCESS_MASK DesiredAccess, 276 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 277 | ); 278 | 279 | typedef struct 
_OBJECT_DIRECTORY_INFORMATION 280 | { 281 | UNICODE_STRING Name; 282 | UNICODE_STRING TypeName; 283 | } OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION; 284 | 285 | NTSYSCALLAPI 286 | NTSTATUS 287 | NTAPI 288 | NtQueryDirectoryObject( 289 | _In_ HANDLE DirectoryHandle, 290 | _Out_writes_bytes_opt_(Length) PVOID Buffer, 291 | _In_ ULONG Length, 292 | _In_ BOOLEAN ReturnSingleEntry, 293 | _In_ BOOLEAN RestartScan, 294 | _Inout_ PULONG Context, 295 | _Out_opt_ PULONG ReturnLength 296 | ); 297 | 298 | #endif 299 | 300 | // Private namespaces 301 | 302 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 303 | 304 | #if (PHNT_VERSION >= PHNT_VISTA) 305 | 306 | NTSYSCALLAPI 307 | NTSTATUS 308 | NTAPI 309 | NtCreatePrivateNamespace( 310 | _Out_ PHANDLE NamespaceHandle, 311 | _In_ ACCESS_MASK DesiredAccess, 312 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 313 | _In_ PVOID BoundaryDescriptor 314 | ); 315 | 316 | NTSYSCALLAPI 317 | NTSTATUS 318 | NTAPI 319 | NtOpenPrivateNamespace( 320 | _Out_ PHANDLE NamespaceHandle, 321 | _In_ ACCESS_MASK DesiredAccess, 322 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, 323 | _In_ PVOID BoundaryDescriptor 324 | ); 325 | 326 | NTSYSCALLAPI 327 | NTSTATUS 328 | NTAPI 329 | NtDeletePrivateNamespace( 330 | _In_ HANDLE NamespaceHandle 331 | ); 332 | 333 | #endif 334 | 335 | #endif 336 | 337 | // Symbolic links 338 | 339 | #if (PHNT_MODE != PHNT_MODE_KERNEL) 340 | 341 | NTSYSCALLAPI 342 | NTSTATUS 343 | NTAPI 344 | NtCreateSymbolicLinkObject( 345 | _Out_ PHANDLE LinkHandle, 346 | _In_ ACCESS_MASK DesiredAccess, 347 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 348 | _In_ PUNICODE_STRING LinkTarget 349 | ); 350 | 351 | NTSYSCALLAPI 352 | NTSTATUS 353 | NTAPI 354 | NtOpenSymbolicLinkObject( 355 | _Out_ PHANDLE LinkHandle, 356 | _In_ ACCESS_MASK DesiredAccess, 357 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 358 | ); 359 | 360 | NTSYSCALLAPI 361 | NTSTATUS 362 | NTAPI 363 | NtQuerySymbolicLinkObject( 364 | _In_ HANDLE LinkHandle, 365 | _Inout_ 
PUNICODE_STRING LinkTarget, 366 | _Out_opt_ PULONG ReturnedLength 367 | ); 368 | 369 | #endif 370 | 371 | #endif 372 | --------------------------------------------------------------------------------