Process Hacker
ntpsapi.h
1 #ifndef _NTPSAPI_H
2 #define _NTPSAPI_H
3 
// Process object access-right bits.
// The full set is defined only when building for kernel mode. In user mode this
// header adds just PROCESS_SET_PORT, and only if it is not already defined (the
// other rights presumably come from the Windows SDK headers - confirm).
// Review note: PROCESS_VM_WRITE, PROCESS_VM_OPERATION and PROCESS_CREATE_THREAD let
// the holder alter memory and start threads in the target process, so code that
// opens process handles should request only the bits it actually needs.
4 #if (PHNT_MODE == PHNT_MODE_KERNEL)
5 #define PROCESS_TERMINATE 0x0001
6 #define PROCESS_CREATE_THREAD 0x0002
7 #define PROCESS_SET_SESSIONID 0x0004
8 #define PROCESS_VM_OPERATION 0x0008
9 #define PROCESS_VM_READ 0x0010
10 #define PROCESS_VM_WRITE 0x0020
11 #define PROCESS_CREATE_PROCESS 0x0080
12 #define PROCESS_SET_QUOTA 0x0100
13 #define PROCESS_SET_INFORMATION 0x0200
14 #define PROCESS_QUERY_INFORMATION 0x0400
15 #define PROCESS_SET_PORT 0x0800
16 #define PROCESS_SUSPEND_RESUME 0x0800 // same bit value as PROCESS_SET_PORT above
17 #define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
18 #else
19 #ifndef PROCESS_SET_PORT
20 #define PROCESS_SET_PORT 0x0800
21 #endif
22 #endif
23 
// Thread object access-right bits.
// Kernel-mode builds get the four rights below; user-mode builds get only
// THREAD_ALERT, and only when no earlier header has defined it.
// THREAD_IMPERSONATE and THREAD_DIRECT_IMPERSONATION gate use of a thread's
// security context, so handles carrying them deserve the same care as tokens.
24 #if (PHNT_MODE == PHNT_MODE_KERNEL)
25 #define THREAD_QUERY_INFORMATION 0x0040
26 #define THREAD_SET_THREAD_TOKEN 0x0080
27 #define THREAD_IMPERSONATE 0x0100
28 #define THREAD_DIRECT_IMPERSONATION 0x0200
29 #else
30 #ifndef THREAD_ALERT
31 #define THREAD_ALERT 0x0004
32 #endif
33 #endif
34 
// Job object access-right bits (kernel-mode builds only).
// The 0x1f in JOB_OBJECT_ALL_ACCESS is the OR of the five specific rights above it;
// STANDARD_RIGHTS_REQUIRED and SYNCHRONIZE are not defined in this header.
35 #if (PHNT_MODE == PHNT_MODE_KERNEL)
36 #define JOB_OBJECT_ASSIGN_PROCESS 0x0001
37 #define JOB_OBJECT_SET_ATTRIBUTES 0x0002
38 #define JOB_OBJECT_QUERY 0x0004
39 #define JOB_OBJECT_TERMINATE 0x0008
40 #define JOB_OBJECT_SET_SECURITY_ATTRIBUTES 0x0010
41 #define JOB_OBJECT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1f)
42 #endif
43 
// Element counts for the GDI handle buffer, one per pointer width, and the
// selection of the one matching the current build.
// NOTE(review): the selection keys on WIN64, not the compiler-defined _WIN64. A 64-bit
// build that does not define WIN64 would pick the 32-bit size and mis-size any
// structure that embeds this buffer - confirm the build defines WIN64.
44 #define GDI_HANDLE_BUFFER_SIZE32 34
45 #define GDI_HANDLE_BUFFER_SIZE64 60
46 
47 #ifndef WIN64
48 #define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32
49 #else
50 #define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE64
51 #endif
52 
54 
57 
// Slot counts for fiber-local and thread-local storage. Presumably these size the
// slot arrays in the PEB/TEB layouts pulled in from ntpebteb.h - confirm.
58 #define FLS_MAXIMUM_AVAILABLE 128
59 #define TLS_MINIMUM_AVAILABLE 64
60 #define TLS_EXPANSION_SLOTS 1024
61 
62 // symbols
63 typedef struct _PEB_LDR_DATA
64 {
65  ULONG Length;
66  BOOLEAN Initialized;
67  HANDLE SsHandle;
75 
76 typedef struct _INITIAL_TEB
77 {
78  struct
79  {
80  PVOID OldStackBase;
82  } OldInitialTeb;
83  PVOID StackBase;
84  PVOID StackLimit;
87 
88 typedef struct _WOW64_PROCESS
89 {
90  PVOID Wow64;
92 
93 #include <ntpebteb.h>
94 
95 // source:http://www.microsoft.com/whdc/system/Sysinternals/MoreThan64proc.mspx
96 
// Information classes accepted by NtQueryInformationProcess / NtSetInformationProcess
// (user-mode builds only).
// Values are positional: the bare numbers in the comments (0, 10, 20, ...) are the
// enumerator's ordinal, so entries must never be reordered or inserted mid-list.
// Legend used in the comments (as it appears to be applied throughout): "q" = class
// can be queried, "s" = class can be set, followed by the buffer type(s) expected.
// Entries with no comment have no buffer type recorded in this header.
97 #if (PHNT_MODE != PHNT_MODE_KERNEL)
98 typedef enum _PROCESSINFOCLASS
99 {
100  ProcessBasicInformation, // 0, q: PROCESS_BASIC_INFORMATION, PROCESS_EXTENDED_BASIC_INFORMATION
101  ProcessQuotaLimits, // qs: QUOTA_LIMITS, QUOTA_LIMITS_EX
102  ProcessIoCounters, // q: IO_COUNTERS
103  ProcessVmCounters, // q: VM_COUNTERS, VM_COUNTERS_EX
104  ProcessTimes, // q: KERNEL_USER_TIMES
105  ProcessBasePriority, // s: KPRIORITY
106  ProcessRaisePriority, // s: ULONG
107  ProcessDebugPort, // q: HANDLE; debugger-presence indicator, often probed by anti-analysis code
108  ProcessExceptionPort, // s: HANDLE
109  ProcessAccessToken, // s: PROCESS_ACCESS_TOKEN; assigns the process's primary token
110  ProcessLdtInformation, // 10
111  ProcessLdtSize,
112  ProcessDefaultHardErrorMode, // qs: ULONG
113  ProcessIoPortHandlers, // (kernel-mode only)
114  ProcessPooledUsageAndLimits, // q: POOLED_USAGE_AND_LIMITS
115  ProcessWorkingSetWatch, // q: PROCESS_WS_WATCH_INFORMATION[]; s: void
116  ProcessUserModeIOPL,
117  ProcessEnableAlignmentFaultFixup, // s: BOOLEAN
118  ProcessPriorityClass, // qs: PROCESS_PRIORITY_CLASS
119  ProcessWx86Information,
120  ProcessHandleCount, // 20, q: ULONG, PROCESS_HANDLE_INFORMATION
121  ProcessAffinityMask, // s: KAFFINITY
122  ProcessPriorityBoost, // qs: ULONG
123  ProcessDeviceMap, // qs: PROCESS_DEVICEMAP_INFORMATION, PROCESS_DEVICEMAP_INFORMATION_EX
124  ProcessSessionInformation, // q: PROCESS_SESSION_INFORMATION
125  ProcessForegroundInformation, // s: PROCESS_FOREGROUND_BACKGROUND
126  ProcessWow64Information, // q: ULONG_PTR
127  ProcessImageFileName, // q: UNICODE_STRING
128  ProcessLUIDDeviceMapsEnabled, // q: ULONG
129  ProcessBreakOnTermination, // qs: ULONG; nonzero marks the process critical, so its termination bugchecks the system
130  ProcessDebugObjectHandle, // 30, q: HANDLE; debugger-presence indicator (see ProcessDebugPort)
131  ProcessDebugFlags, // qs: ULONG; debugger-related flags, also commonly probed by anti-analysis code
132  ProcessHandleTracing, // q: PROCESS_HANDLE_TRACING_QUERY; s: size 0 disables, otherwise enables
133  ProcessIoPriority, // qs: ULONG
134  ProcessExecuteFlags, // qs: ULONG; DEP/NX execution options
135  ProcessResourceManagement,
136  ProcessCookie, // q: ULONG
137  ProcessImageInformation, // q: SECTION_IMAGE_INFORMATION
138  ProcessCycleTime, // q: PROCESS_CYCLE_TIME_INFORMATION
139  ProcessPagePriority, // q: ULONG
140  ProcessInstrumentationCallback, // 40
141  ProcessThreadStackAllocation, // s: PROCESS_STACK_ALLOCATION_INFORMATION, PROCESS_STACK_ALLOCATION_INFORMATION_EX
142  ProcessWorkingSetWatchEx, // q: PROCESS_WS_WATCH_INFORMATION_EX[]
143  ProcessImageFileNameWin32, // q: UNICODE_STRING
144  ProcessImageFileMapping, // q: HANDLE (input)
145  ProcessAffinityUpdateMode, // qs: PROCESS_AFFINITY_UPDATE_MODE
146  ProcessMemoryAllocationMode, // qs: PROCESS_MEMORY_ALLOCATION_MODE
147  ProcessGroupInformation, // q: USHORT[]
148  ProcessTokenVirtualizationEnabled, // s: ULONG
149  ProcessConsoleHostProcess, // q: ULONG_PTR
150  ProcessWindowInformation, // 50, q: PROCESS_WINDOW_INFORMATION
151  ProcessHandleInformation, // q: PROCESS_HANDLE_SNAPSHOT_INFORMATION // since WIN8
152  ProcessMitigationPolicy, // s: PROCESS_MITIGATION_POLICY_INFORMATION
153  ProcessDynamicFunctionTableInformation,
154  ProcessHandleCheckingMode,
155  ProcessKeepAliveCount, // q: PROCESS_KEEPALIVE_COUNT_INFORMATION
156  ProcessRevokeFileHandles, // s: PROCESS_REVOKE_FILE_HANDLES_INFORMATION
157  ProcessWorkingSetControl,
158  MaxProcessInfoClass // count sentinel, not a usable class
159 } PROCESSINFOCLASS;
160 #endif
161 
// Information classes accepted by NtQueryInformationThread / NtSetInformationThread
// (user-mode builds only).
// Values are positional; the bare numbers in the comments (10, 20, 30) are ordinals.
// "q"/"s" appear to mean queryable/settable, followed by the expected buffer type.
162 #if (PHNT_MODE != PHNT_MODE_KERNEL)
163 typedef enum _THREADINFOCLASS
164 {
165  ThreadBasicInformation, // q: THREAD_BASIC_INFORMATION
166  ThreadTimes, // q: KERNEL_USER_TIMES
167  ThreadPriority, // s: KPRIORITY
168  ThreadBasePriority, // s: LONG
169  ThreadAffinityMask, // s: KAFFINITY
170  ThreadImpersonationToken, // s: HANDLE; changes the security context the thread runs under
171  ThreadDescriptorTableEntry,
172  ThreadEnableAlignmentFaultFixup, // s: BOOLEAN
173  ThreadEventPair,
174  ThreadQuerySetWin32StartAddress, // q: PVOID
175  ThreadZeroTlsCell, // 10
176  ThreadPerformanceCount, // q: LARGE_INTEGER
177  ThreadAmILastThread, // q: ULONG
178  ThreadIdealProcessor, // s: ULONG
179  ThreadPriorityBoost, // qs: ULONG
180  ThreadSetTlsArrayAddress,
181  ThreadIsIoPending, // q: ULONG
182  ThreadHideFromDebugger, // s: void (no input buffer); hides the thread's debug events from a debugger, a known anti-debug primitive
183  ThreadBreakOnTermination, // qs: ULONG
184  ThreadSwitchLegacyState,
185  ThreadIsTerminated, // 20, q: ULONG
186  ThreadLastSystemCall, // q: THREAD_LAST_SYSCALL_INFORMATION
187  ThreadIoPriority, // qs: ULONG
188  ThreadCycleTime, // q: THREAD_CYCLE_TIME_INFORMATION
189  ThreadPagePriority, // q: ULONG
190  ThreadActualBasePriority,
191  ThreadTebInformation, // q: THREAD_TEB_INFORMATION (requires THREAD_GET_CONTEXT + THREAD_SET_CONTEXT)
192  ThreadCSwitchMon,
193  ThreadCSwitchPmu,
194  ThreadWow64Context, // q: WOW64_CONTEXT
195  ThreadGroupInformation, // 30, q: GROUP_AFFINITY
196  ThreadUmsInformation,
197  ThreadCounterProfiling,
198  ThreadIdealProcessorEx, // q: PROCESSOR_NUMBER
199  ThreadCpuAccountingInformation, // since WIN8
200  MaxThreadInfoClass // count sentinel, not a usable class
201 } THREADINFOCLASS;
202 #endif
203 
204 #if (PHNT_MODE != PHNT_MODE_KERNEL)
205 // Use with both ProcessPagePriority and ThreadPagePriority
// Single-field wrapper; the valid range of PagePriority is not defined in this header.
206 typedef struct _PAGE_PRIORITY_INFORMATION
207 {
208  ULONG PagePriority;
209 } PAGE_PRIORITY_INFORMATION, *PPAGE_PRIORITY_INFORMATION;
210 #endif
211 
212 // Process information structures
213 
214 #if (PHNT_MODE != PHNT_MODE_KERNEL)
215 
// Buffer for the ProcessBasicInformation class.
// Review notes for consumers:
//  - PebBaseAddress is an address in the queried process. When that is not the
//    calling process it has to be read through a cross-process read, not dereferenced.
//  - The two *ProcessId fields are typed HANDLE but carry process IDs.
//  - InheritedFromUniqueProcessId is the parent recorded at creation. A creator can
//    nominate a different parent (see PsAttributeParentProcess in this file) and IDs
//    can be reused after exit, so do not treat it alone as proof of lineage.
216 typedef struct _PROCESS_BASIC_INFORMATION
217 {
218  NTSTATUS ExitStatus;
219  PPEB PebBaseAddress;
220  ULONG_PTR AffinityMask;
221  KPRIORITY BasePriority;
222  HANDLE UniqueProcessId;
223  HANDLE InheritedFromUniqueProcessId;
224 } PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;
225 
// Extended form of PROCESS_BASIC_INFORMATION, also returned for the
// ProcessBasicInformation class. The caller must fill Size before the query.
// Flags and the anonymous bit-field struct overlay the same 32 bits
// (7 named single-bit flags + 25 spare bits).
226 typedef struct _PROCESS_EXTENDED_BASIC_INFORMATION
227 {
228  SIZE_T Size; // set to sizeof structure on input
229  PROCESS_BASIC_INFORMATION BasicInfo;
230  union
231  {
232  ULONG Flags; // all bits at once
233  struct
234  {
235  ULONG IsProtectedProcess : 1;
236  ULONG IsWow64Process : 1;
237  ULONG IsProcessDeleting : 1;
238  ULONG IsCrossSessionCreate : 1;
239  ULONG IsFrozen : 1;
240  ULONG IsBackground : 1;
241  ULONG IsStronglyNamed : 1;
242  ULONG SpareBits : 25;
243  };
244  };
245 } PROCESS_EXTENDED_BASIC_INFORMATION, *PPROCESS_EXTENDED_BASIC_INFORMATION;
246 
// Memory usage counters returned for the ProcessVmCounters class.
// All fields are SIZE_T except PageFaultCount, so the layout differs between
// 32-bit and 64-bit builds.
247 typedef struct _VM_COUNTERS
248 {
249  SIZE_T PeakVirtualSize;
250  SIZE_T VirtualSize;
251  ULONG PageFaultCount;
252  SIZE_T PeakWorkingSetSize;
253  SIZE_T WorkingSetSize;
254  SIZE_T QuotaPeakPagedPoolUsage;
255  SIZE_T QuotaPagedPoolUsage;
256  SIZE_T QuotaPeakNonPagedPoolUsage;
257  SIZE_T QuotaNonPagedPoolUsage;
258  SIZE_T PagefileUsage;
259  SIZE_T PeakPagefileUsage;
260 } VM_COUNTERS, *PVM_COUNTERS;
261 
// Same fields as VM_COUNTERS in the same order, with PrivateUsage appended.
// Which of the two is returned presumably depends on the buffer length passed
// to the query - confirm against the caller.
262 typedef struct _VM_COUNTERS_EX
263 {
264  SIZE_T PeakVirtualSize;
265  SIZE_T VirtualSize;
266  ULONG PageFaultCount;
267  SIZE_T PeakWorkingSetSize;
268  SIZE_T WorkingSetSize;
269  SIZE_T QuotaPeakPagedPoolUsage;
270  SIZE_T QuotaPagedPoolUsage;
271  SIZE_T QuotaPeakNonPagedPoolUsage;
272  SIZE_T QuotaNonPagedPoolUsage;
273  SIZE_T PagefileUsage;
274  SIZE_T PeakPagefileUsage;
275  SIZE_T PrivateUsage;
276 } VM_COUNTERS_EX, *PVM_COUNTERS_EX;
277 
// Timing data returned for the ProcessTimes and ThreadTimes classes.
// Units are not stated in this header (presumably 100 ns intervals - confirm).
278 typedef struct _KERNEL_USER_TIMES
279 {
280  LARGE_INTEGER CreateTime;
281  LARGE_INTEGER ExitTime;
282  LARGE_INTEGER KernelTime;
283  LARGE_INTEGER UserTime;
284 } KERNEL_USER_TIMES, *PKERNEL_USER_TIMES;
285 
// Buffer for the ProcessPooledUsageAndLimits class: peak, current and limit
// values for paged pool, non-paged pool and pagefile, in that order.
286 typedef struct _POOLED_USAGE_AND_LIMITS
287 {
288  SIZE_T PeakPagedPoolUsage;
289  SIZE_T PagedPoolUsage;
290  SIZE_T PagedPoolLimit;
291  SIZE_T PeakNonPagedPoolUsage;
292  SIZE_T NonPagedPoolUsage;
293  SIZE_T NonPagedPoolLimit;
294  SIZE_T PeakPagefileUsage;
295  SIZE_T PagefileUsage;
296  SIZE_T PagefileLimit;
297 } POOLED_USAGE_AND_LIMITS, *PPOOLED_USAGE_AND_LIMITS;
298 
// Input buffer for setting the ProcessAccessToken class, i.e. assigning a primary
// token to a process. Both handles must carry the access noted on each field.
// Token assignment changes the identity the process runs as, so callers and
// reviewers should treat every use of this structure as privilege-sensitive.
299 typedef struct _PROCESS_ACCESS_TOKEN
300 {
301  HANDLE Token; // needs TOKEN_ASSIGN_PRIMARY access
302  HANDLE Thread; // handle to initial/only thread; needs THREAD_QUERY_INFORMATION access
303 } PROCESS_ACCESS_TOKEN, *PPROCESS_ACCESS_TOKEN;
304 
// One record of the array returned for the ProcessWorkingSetWatch class.
// Field names indicate the faulting instruction address and the faulting
// virtual address; both are addresses in the watched process.
305 typedef struct _PROCESS_WS_WATCH_INFORMATION
306 {
307  PVOID FaultingPc;
308  PVOID FaultingVa;
309 } PROCESS_WS_WATCH_INFORMATION, *PPROCESS_WS_WATCH_INFORMATION;
310 
311 #endif
312 
313 // psapi:PSAPI_WS_WATCH_INFORMATION_EX
315 {
316  PROCESS_WS_WATCH_INFORMATION BasicInfo;
317  ULONG_PTR FaultingThreadId;
318  ULONG_PTR Flags;
320 
// Priority class codes. Note the numbering is not ordered by priority:
// BELOW_NORMAL (5) and ABOVE_NORMAL (6) follow REALTIME (4), so compare against
// the named constants rather than numerically.
321 #define PROCESS_PRIORITY_CLASS_UNKNOWN 0
322 #define PROCESS_PRIORITY_CLASS_IDLE 1
323 #define PROCESS_PRIORITY_CLASS_NORMAL 2
324 #define PROCESS_PRIORITY_CLASS_HIGH 3
325 #define PROCESS_PRIORITY_CLASS_REALTIME 4
326 #define PROCESS_PRIORITY_CLASS_BELOW_NORMAL 5
327 #define PROCESS_PRIORITY_CLASS_ABOVE_NORMAL 6
328 
330 {
331  BOOLEAN Foreground;
334 
336 {
337  BOOLEAN Foreground;
339 
340 #if (PHNT_MODE != PHNT_MODE_KERNEL)
341 
// Buffer for the ProcessDeviceMap class. The union is direction-dependent:
// Set is the input when setting, Query is the output when querying.
// DriveMap has 32 bits and DriveType 32 entries (presumably one per drive
// slot - confirm).
342 typedef struct _PROCESS_DEVICEMAP_INFORMATION
343 {
344  union
345  {
346  struct
347  {
348  HANDLE DirectoryHandle; // object directory to use as the device map
349  } Set;
350  struct
351  {
352  ULONG DriveMap;
353  UCHAR DriveType[32];
354  } Query;
355  };
356 } PROCESS_DEVICEMAP_INFORMATION, *PPROCESS_DEVICEMAP_INFORMATION;
357 
// Flag value for PROCESS_DEVICEMAP_INFORMATION_EX.Flags.
358 #define PROCESS_LUID_DOSDEVICES_ONLY 0x00000001
359 
// Extended ProcessDeviceMap buffer: the same Set/Query union as
// PROCESS_DEVICEMAP_INFORMATION, followed by a Flags field.
360 typedef struct _PROCESS_DEVICEMAP_INFORMATION_EX
361 {
362  union
363  {
364  struct
365  {
366  HANDLE DirectoryHandle;
367  } Set;
368  struct
369  {
370  ULONG DriveMap;
371  UCHAR DriveType[32];
372  } Query;
373  };
374  ULONG Flags; // PROCESS_LUID_DOSDEVICES_ONLY
375 } PROCESS_DEVICEMAP_INFORMATION_EX, *PPROCESS_DEVICEMAP_INFORMATION_EX;
376 
// Buffer for the ProcessSessionInformation class: the session the process belongs to.
377 typedef struct _PROCESS_SESSION_INFORMATION
378 {
379  ULONG SessionId;
380 } PROCESS_SESSION_INFORMATION, *PPROCESS_SESSION_INFORMATION;
381 
// Input buffers for setting the ProcessHandleTracing class. The enum comment on
// ProcessHandleTracing says a zero-length buffer disables tracing and anything
// else enables it; how that interacts with the Flags field here is not shown.
382 typedef struct _PROCESS_HANDLE_TRACING_ENABLE
383 {
384  ULONG Flags; // 0 to disable, 1 to enable
385 } PROCESS_HANDLE_TRACING_ENABLE, *PPROCESS_HANDLE_TRACING_ENABLE;
386 
// Extended form that additionally carries a slot count (presumably the size of
// the trace database - confirm).
387 typedef struct _PROCESS_HANDLE_TRACING_ENABLE_EX
388 {
389  ULONG Flags; // 0 to disable, 1 to enable
390  ULONG TotalSlots;
391 } PROCESS_HANDLE_TRACING_ENABLE_EX, *PPROCESS_HANDLE_TRACING_ENABLE_EX;
392 
// Stack depth stored per trace entry, and the event codes carried in
// PROCESS_HANDLE_TRACING_ENTRY.Type (open, close, bad reference).
393 #define PROCESS_HANDLE_TRACING_MAX_STACKS 16
394 #define HANDLE_TRACE_DB_OPEN 1
395 #define HANDLE_TRACE_DB_CLOSE 2
396 #define HANDLE_TRACE_DB_BADREF 3
397 
// One recorded handle event: the handle, the process/thread that acted on it,
// the event type and a fixed-size array of return addresses.
// The Stacks entries are addresses in the traced process.
398 typedef struct _PROCESS_HANDLE_TRACING_ENTRY
399 {
400  HANDLE Handle;
401  CLIENT_ID ClientId;
402  ULONG Type; // presumably one of HANDLE_TRACE_DB_* - confirm
403  PVOID Stacks[PROCESS_HANDLE_TRACING_MAX_STACKS];
404 } PROCESS_HANDLE_TRACING_ENTRY, *PPROCESS_HANDLE_TRACING_ENTRY;
405 
// Output buffer for querying the ProcessHandleTracing class.
// HandleTrace is declared with one element but is used as a variable-length
// trailing array, so sizeof() this type under-counts the real buffer.
// Consumers should bound iteration by both TotalTraces and the number of
// bytes they actually allocated, never by TotalTraces alone.
406 typedef struct _PROCESS_HANDLE_TRACING_QUERY
407 {
408  HANDLE Handle;
409  ULONG TotalTraces;
410  PROCESS_HANDLE_TRACING_ENTRY HandleTrace[1]; // variable length
411 } PROCESS_HANDLE_TRACING_QUERY, *PPROCESS_HANDLE_TRACING_QUERY;
412 
413 #endif
414 
415 // private
417 {
418  SIZE_T ReserveSize;
419  SIZE_T ZeroBits;
420  PVOID StackBase;
422 
423 // private
425 {
427  ULONG Reserved0;
428  ULONG Reserved1;
429  ULONG Reserved2;
432 
433 // private
435 {
436  ULONG Flags;
437  struct
438  {
439  ULONG EnableAutoUpdate : 1;
440  ULONG Permanent : 1;
441  ULONG Reserved : 30;
442  };
444 
445 // private
447 {
448  ULONG Flags;
449  struct
450  {
451  ULONG TopDown : 1;
452  ULONG Reserved : 31;
453  };
455 
456 // private
458 {
459  ULONG HandleCount;
462 
463 // private
465 {
466  ULONGLONG AccumulatedCycles;
467  ULONGLONG CurrentCycleCount;
469 
470 // private
472 {
473  ULONG WindowFlags;
475  WCHAR WindowTitle[1];
477 
478 // private
480 {
481  HANDLE HandleValue;
482  ULONG_PTR HandleCount;
483  ULONG_PTR PointerCount;
487  ULONG Reserved;
489 
490 // private
492 {
493  ULONG_PTR NumberOfHandles;
494  ULONG_PTR Reserved;
497 
498 #if (PHNT_MODE != PHNT_MODE_KERNEL)
499 
500 // private
// Input buffer for setting the ProcessMitigationPolicy class. Policy selects
// which union member is meaningful. The DEP member is commented out, so DEP
// cannot be expressed through this declaration. The PROCESS_MITIGATION_* types
// are not defined in this header.
501 typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION
502 {
503  PROCESS_MITIGATION_POLICY Policy;
504  union
505  {
506  //PROCESS_MITIGATION_DEP_POLICY DEPPolicy;
507  PROCESS_MITIGATION_ASLR_POLICY ASLRPolicy;
508  PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY StrictHandleCheckPolicy;
509  PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY SystemCallDisablePolicy;
510  PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY ExtensionPointDisablePolicy;
511  };
512 } PROCESS_MITIGATION_POLICY_INFORMATION, *PPROCESS_MITIGATION_POLICY_INFORMATION;
513 
// Buffer for the ProcessKeepAliveCount class (query).
514 typedef struct _PROCESS_KEEPALIVE_COUNT_INFORMATION
515 {
516  ULONG Count;
517 } PROCESS_KEEPALIVE_COUNT_INFORMATION, *PPROCESS_KEEPALIVE_COUNT_INFORMATION;
518 
// Buffer for the ProcessRevokeFileHandles class (set). TargetDevicePath names
// the device whose file handles are affected. The string's Buffer is owned by
// the caller and must stay valid for the duration of the call.
519 typedef struct _PROCESS_REVOKE_FILE_HANDLES_INFORMATION
520 {
521  UNICODE_STRING TargetDevicePath;
522 } PROCESS_REVOKE_FILE_HANDLES_INFORMATION, *PPROCESS_REVOKE_FILE_HANDLES_INFORMATION;
523 
524 #endif
525 
526 // Thread information structures
527 
529 {
530  NTSTATUS ExitStatus;
533  ULONG_PTR AffinityMask;
537 
538 // private
540 {
544 
545 // private
547 {
548  ULONGLONG AccumulatedCycles;
549  ULONGLONG CurrentCycleCount;
551 
552 // private
554 {
555  PVOID TebInformation; // buffer to place data in
556  ULONG TebOffset; // offset in TEB to begin reading from
557  ULONG BytesToRead; // number of bytes to read
559 
560 // symbols
561 typedef struct _COUNTER_READING
562 {
563  HARDWARE_COUNTER_TYPE Type;
564  ULONG Index;
565  ULONG64 Start;
566  ULONG64 Total;
568 
569 // symbols
571 {
572  USHORT Size;
573  USHORT Version;
574  PROCESSOR_NUMBER ProcessorNumber;
577  ULONG64 UpdateCount;
581  COUNTER_READING HwCounters[MAX_HW_COUNTERS];
583 
584 // private
586 {
588  ULONG Flags;
589  ULONG Enable;
590  PTHREAD_PERFORMANCE_DATA PerformanceData;
592 
593 // System calls
594 
595 // Processes
596 
597 #if (PHNT_MODE != PHNT_MODE_KERNEL)
598 
// Declares the NtCreateProcess system call.
// The new process handle is returned through ProcessHandle. ParentProcess is
// mandatory and chosen by the caller; the section, debug port and exception
// port handles are optional per the annotations.
// Callers should pass the narrowest DesiredAccess they need and check the
// returned NTSTATUS before using *ProcessHandle.
599 NTSYSCALLAPI
600 NTSTATUS
601 NTAPI
602 NtCreateProcess(
603  __out PHANDLE ProcessHandle,
604  __in ACCESS_MASK DesiredAccess,
605  __in_opt POBJECT_ATTRIBUTES ObjectAttributes,
606  __in HANDLE ParentProcess,
607  __in BOOLEAN InheritObjectTable, // presumably: inherit the parent's handle table - confirm
608  __in_opt HANDLE SectionHandle,
609  __in_opt HANDLE DebugPort,
610  __in_opt HANDLE ExceptionPort
611  );
612 
// Bit flags for the Flags parameter of NtCreateProcessEx (more values are
// defined later in this header under "Extended PROCESS_CREATE_FLAGS_*").
// INHERIT_HANDLES copies inheritable handles into the child, so parents holding
// sensitive handles should set it only deliberately.
613 #define PROCESS_CREATE_FLAGS_BREAKAWAY 0x00000001
614 #define PROCESS_CREATE_FLAGS_NO_DEBUG_INHERIT 0x00000002
615 #define PROCESS_CREATE_FLAGS_INHERIT_HANDLES 0x00000004
616 #define PROCESS_CREATE_FLAGS_OVERRIDE_ADDRESS_SPACE 0x00000008
617 #define PROCESS_CREATE_FLAGS_LARGE_PAGES 0x00000010
618 
// Declares the NtCreateProcessEx system call. Compared with NtCreateProcess,
// the BOOLEAN InheritObjectTable is replaced by a Flags word and a
// JobMemberLevel parameter is added.
619 NTSYSCALLAPI
620 NTSTATUS
621 NTAPI
622 NtCreateProcessEx(
623  __out PHANDLE ProcessHandle,
624  __in ACCESS_MASK DesiredAccess,
625  __in_opt POBJECT_ATTRIBUTES ObjectAttributes,
626  __in HANDLE ParentProcess,
627  __in ULONG Flags, // presumably PROCESS_CREATE_FLAGS_* - confirm
628  __in_opt HANDLE SectionHandle,
629  __in_opt HANDLE DebugPort,
630  __in_opt HANDLE ExceptionPort,
631  __in ULONG JobMemberLevel
632  );
633 
// Declares the NtOpenProcess system call: opens a handle to an existing process.
// ObjectAttributes is required by the annotation; ClientId (which carries the
// target IDs) is optional.
// DesiredAccess determines everything the returned handle can later do, so
// request the minimum. Broad masks on handles to other processes are exactly
// what endpoint monitoring tends to alert on.
634 NTSYSCALLAPI
635 NTSTATUS
636 NTAPI
637 NtOpenProcess(
638  __out PHANDLE ProcessHandle,
639  __in ACCESS_MASK DesiredAccess,
640  __in POBJECT_ATTRIBUTES ObjectAttributes,
641  __in_opt PCLIENT_ID ClientId
642  );
643 
// Declares the NtTerminateProcess system call. ExitStatus becomes the
// process's exit status. ProcessHandle is optional per the annotation; the
// behaviour when it is omitted is not described in this header.
644 NTSYSCALLAPI
645 NTSTATUS
646 NTAPI
647 NtTerminateProcess(
648  __in_opt HANDLE ProcessHandle,
649  __in NTSTATUS ExitStatus
650  );
651 
// Declares NtSuspendProcess: suspends the process identified by ProcessHandle.
// The handle presumably needs PROCESS_SUSPEND_RESUME access - confirm.
652 NTSYSCALLAPI
653 NTSTATUS
654 NTAPI
655 NtSuspendProcess(
656  __in HANDLE ProcessHandle
657  );
658 
// Declares NtResumeProcess, the counterpart of NtSuspendProcess.
659 NTSYSCALLAPI
660 NTSTATUS
661 NTAPI
662 NtResumeProcess(
663  __in HANDLE ProcessHandle
664  );
665 
// Pseudo-handles and shortcuts for the calling process and thread.
// NtCurrentProcess() is (HANDLE)-1 and NtCurrentThread() is (HANDLE)-2; they are
// constants, not real handles, and must not be closed or duplicated as if they were.
// Review note: (HANDLE)-1 is also the value Win32 uses for INVALID_HANDLE_VALUE, so
// a failed handle-returning call whose result is passed on unchecked to a process
// API would silently address the current process. Always check for failure first.
666 #define NtCurrentProcess() ((HANDLE)(LONG_PTR)-1)
667 #define ZwCurrentProcess() NtCurrentProcess()
668 #define NtCurrentThread() ((HANDLE)(LONG_PTR)-2)
669 #define ZwCurrentThread() NtCurrentThread()
// Reads the PEB pointer out of the current TEB; NtCurrentTeb is not defined in this header.
670 #define NtCurrentPeb() (NtCurrentTeb()->ProcessEnvironmentBlock)
671 
672 // Not NT, but useful.
// Both read the IDs from the current TEB's ClientId; the results are HANDLE-typed IDs.
673 #define NtCurrentProcessId() (NtCurrentTeb()->ClientId.UniqueProcess)
674 #define NtCurrentThreadId() (NtCurrentTeb()->ClientId.UniqueThread)
675 
676 
// Declares NtQueryInformationProcess: retrieves one information class of a
// process into a caller-supplied buffer.
//   ProcessHandle           - process to query.
//   ProcessInformationClass - PROCESSINFOCLASS value selecting the data.
//   ProcessInformation      - output buffer of ProcessInformationLength bytes.
//   ReturnLength            - optional; receives a byte count (presumably the
//                             size written or required - confirm).
// Callers should test the returned NTSTATUS before reading the buffer, and for
// variable-length classes size the buffer from ReturnLength instead of a guess.
// Pointers inside returned data refer to the queried process's address space.
677 NTSYSCALLAPI
678 NTSTATUS
679 NTAPI
680 NtQueryInformationProcess(
681  __in HANDLE ProcessHandle,
682  __in PROCESSINFOCLASS ProcessInformationClass,
683  __out_bcount(ProcessInformationLength) PVOID ProcessInformation,
684  __in ULONG ProcessInformationLength,
685  __out_opt PULONG ReturnLength
686  );
687 
// Declares NtGetNextProcess (available when PHNT_VERSION >= PHNT_WS03).
// Returns a new process handle through NewProcessHandle, opened with
// DesiredAccess. ProcessHandle is presumably the previous process in the
// enumeration - confirm. Every handle returned is owned by the caller and
// must be closed, including on early exit from an enumeration loop.
688 #if (PHNT_VERSION >= PHNT_WS03)
689 NTSYSCALLAPI
690 NTSTATUS
691 NTAPI
692 NtGetNextProcess(
693  __in HANDLE ProcessHandle,
694  __in ACCESS_MASK DesiredAccess,
695  __in ULONG HandleAttributes,
696  __in ULONG Flags,
697  __out PHANDLE NewProcessHandle
698  );
699 #endif
700 
// Declares NtGetNextThread (available when PHNT_VERSION >= PHNT_WS03).
// Returns a new thread handle through NewThreadHandle for a thread of the
// process given by ProcessHandle. ThreadHandle is presumably the previous
// thread in the enumeration - confirm. Returned handles must be closed by
// the caller.
701 #if (PHNT_VERSION >= PHNT_WS03)
702 NTSYSCALLAPI
703 NTSTATUS
704 NTAPI
705 NtGetNextThread(
706  __in HANDLE ProcessHandle,
707  __in HANDLE ThreadHandle,
708  __in ACCESS_MASK DesiredAccess,
709  __in ULONG HandleAttributes,
710  __in ULONG Flags,
711  __out PHANDLE NewThreadHandle
712  );
713 #endif
714 
// Declares NtSetInformationProcess: applies one information class to a process.
// ProcessInformation is an input buffer of ProcessInformationLength bytes whose
// layout depends on ProcessInformationClass (see the "s:" notes on PROCESSINFOCLASS).
// Several settable classes are security-relevant (for example ProcessAccessToken,
// ProcessBreakOnTermination, ProcessMitigationPolicy), so callers should
// validate the class and buffer they forward here.
715 NTSYSCALLAPI
716 NTSTATUS
717 NTAPI
718 NtSetInformationProcess(
719  __in HANDLE ProcessHandle,
720  __in PROCESSINFOCLASS ProcessInformationClass,
721  __in_bcount(ProcessInformationLength) PVOID ProcessInformation,
722  __in ULONG ProcessInformationLength
723  );
724 
// Declares NtQueryPortInformationProcess. It takes no arguments; whatever it
// reports is carried in the NTSTATUS return value, whose meaning is not
// described in this header.
725 NTSYSCALLAPI
726 NTSTATUS
727 NTAPI
728 NtQueryPortInformationProcess(
729  VOID
730  );
731 
732 #endif
733 
734 // Threads
735 
736 #if (PHNT_MODE != PHNT_MODE_KERNEL)
737 
// Declares the NtCreateThread system call: creates a thread in the process
// given by ProcessHandle from a caller-built register context and initial TEB
// description. The new thread's handle and IDs are returned through
// ThreadHandle and ClientId.
// Because ProcessHandle may refer to another process, this is a cross-process
// execution primitive and a common detection point for endpoint monitoring.
738 NTSYSCALLAPI
739 NTSTATUS
740 NTAPI
741 NtCreateThread(
742  __out PHANDLE ThreadHandle,
743  __in ACCESS_MASK DesiredAccess,
744  __in_opt POBJECT_ATTRIBUTES ObjectAttributes,
745  __in HANDLE ProcessHandle,
746  __out PCLIENT_ID ClientId,
747  __in PCONTEXT ThreadContext,
748  __in PINITIAL_TEB InitialTeb,
749  __in BOOLEAN CreateSuspended
750  );
751 
// Declares the NtOpenThread system call: opens a handle to an existing thread.
// Same parameter shape as NtOpenProcess; request only the access bits needed.
752 NTSYSCALLAPI
753 NTSTATUS
754 NTAPI
755 NtOpenThread(
756  __out PHANDLE ThreadHandle,
757  __in ACCESS_MASK DesiredAccess,
758  __in POBJECT_ATTRIBUTES ObjectAttributes,
759  __in_opt PCLIENT_ID ClientId
760  );
761 
// Declares the NtTerminateThread system call. ThreadHandle is optional per the
// annotation; the behaviour when it is omitted is not described in this header.
762 NTSYSCALLAPI
763 NTSTATUS
764 NTAPI
765 NtTerminateThread(
766  __in_opt HANDLE ThreadHandle,
767  __in NTSTATUS ExitStatus
768  );
769 
// Declares NtSuspendThread. PreviousSuspendCount is optional and receives the
// suspend count from before the call.
770 NTSYSCALLAPI
771 NTSTATUS
772 NTAPI
773 NtSuspendThread(
774  __in HANDLE ThreadHandle,
775  __out_opt PULONG PreviousSuspendCount
776  );
777 
// Declares NtResumeThread, the counterpart of NtSuspendThread. A thread
// presumably runs again only once its suspend count reaches zero - confirm.
778 NTSYSCALLAPI
779 NTSTATUS
780 NTAPI
781 NtResumeThread(
782  __in HANDLE ThreadHandle,
783  __out_opt PULONG PreviousSuspendCount
784  );
785 
// Declares NtGetCurrentProcessorNumber. Unlike its neighbours it returns a
// ULONG value directly rather than an NTSTATUS.
786 NTSYSCALLAPI
787 ULONG
788 NTAPI
789 NtGetCurrentProcessorNumber(
790  VOID
791  );
792 
// Declares NtGetContextThread: reads a thread's register context.
// ThreadContext is in/out: the caller must initialise it (the ContextFlags
// field selects which register groups are returned) before the call.
793 NTSYSCALLAPI
794 NTSTATUS
795 NTAPI
796 NtGetContextThread(
797  __in HANDLE ThreadHandle,
798  __inout PCONTEXT ThreadContext
799  );
800 
// Declares NtSetContextThread: writes a thread's register context.
// Changing the context of a thread in another process redirects what that
// thread executes, so this call on a foreign thread handle is routinely
// monitored and should only be made with a clear, reviewed purpose.
801 NTSYSCALLAPI
802 NTSTATUS
803 NTAPI
804 NtSetContextThread(
805  __in HANDLE ThreadHandle,
806  __in PCONTEXT ThreadContext
807  );
808 
// Declares NtQueryInformationThread: retrieves one THREADINFOCLASS value into
// a caller buffer of ThreadInformationLength bytes. ReturnLength is optional.
// Check the NTSTATUS before trusting the buffer contents.
809 NTSYSCALLAPI
810 NTSTATUS
811 NTAPI
812 NtQueryInformationThread(
813  __in HANDLE ThreadHandle,
814  __in THREADINFOCLASS ThreadInformationClass,
815  __out_bcount(ThreadInformationLength) PVOID ThreadInformation,
816  __in ULONG ThreadInformationLength,
817  __out_opt PULONG ReturnLength
818  );
819 
// Declares NtSetInformationThread: applies one THREADINFOCLASS value from an
// input buffer of ThreadInformationLength bytes. Some classes take no buffer
// at all (ThreadHideFromDebugger is annotated "s: void" in the enum).
820 NTSYSCALLAPI
821 NTSTATUS
822 NTAPI
823 NtSetInformationThread(
824  __in HANDLE ThreadHandle,
825  __in THREADINFOCLASS ThreadInformationClass,
826  __in_bcount(ThreadInformationLength) PVOID ThreadInformation,
827  __in ULONG ThreadInformationLength
828  );
829 
// Declares NtAlertThread: alerts the thread identified by ThreadHandle
// (the handle presumably needs THREAD_ALERT access - confirm).
830 NTSYSCALLAPI
831 NTSTATUS
832 NTAPI
833 NtAlertThread(
834  __in HANDLE ThreadHandle
835  );
836 
// Declares NtAlertResumeThread: by its name, alerts and resumes a thread in
// one call. PreviousSuspendCount is optional.
837 NTSYSCALLAPI
838 NTSTATUS
839 NTAPI
840 NtAlertResumeThread(
841  __in HANDLE ThreadHandle,
842  __out_opt PULONG PreviousSuspendCount
843  );
844 
// Declares NtTestAlert. It takes no arguments and acts on the calling thread.
845 NTSYSCALLAPI
846 NTSTATUS
847 NTAPI
848 NtTestAlert(
849  VOID
850  );
851 
// Declares NtImpersonateThread: makes the server thread impersonate the
// security context of the client thread. SecurityQos is mandatory and bounds
// the impersonation level granted, so callers should set it to the lowest
// level that works and revert impersonation as soon as the work is done.
852 NTSYSCALLAPI
853 NTSTATUS
854 NTAPI
855 NtImpersonateThread(
856  __in HANDLE ServerThreadHandle,
857  __in HANDLE ClientThreadHandle,
858  __in PSECURITY_QUALITY_OF_SERVICE SecurityQos
859  );
860 
// Declares NtRegisterThreadTerminatePort. By its name it registers a port to
// be notified when the calling thread terminates; no thread handle is passed.
861 NTSYSCALLAPI
862 NTSTATUS
863 NTAPI
864 NtRegisterThreadTerminatePort(
865  __in HANDLE PortHandle
866  );
867 
// Declares NtSetLdtEntries. Per the parameter names it takes up to two local
// descriptor table entries, each given as a selector plus the low and high
// 32-bit halves of the descriptor.
868 NTSYSCALLAPI
869 NTSTATUS
870 NTAPI
871 NtSetLdtEntries(
872  __in ULONG Selector0,
873  __in ULONG Entry0Low,
874  __in ULONG Entry0Hi,
875  __in ULONG Selector1,
876  __in ULONG Entry1Low,
877  __in ULONG Entry1Hi
878  );
879 
// Signature of a user APC routine: three optional pointer-sized arguments.
// NOTE(review): no calling convention is given, so the compiler default applies.
// Confirm this matches how the routine is actually invoked on 32-bit x86.
880 typedef VOID (*PPS_APC_ROUTINE)(
881  __in_opt PVOID ApcArgument1,
882  __in_opt PVOID ApcArgument2,
883  __in_opt PVOID ApcArgument3
884  );
885 
// Declares NtQueueApcThread: queues ApcRoutine, with its three arguments, to
// the thread identified by ThreadHandle.
// ApcRoutine and the argument pointers are interpreted in the target thread's
// process, not the caller's. Queuing to a thread in another process is a
// cross-process execution primitive that endpoint monitoring commonly tracks.
886 NTSYSCALLAPI
887 NTSTATUS
888 NTAPI
889 NtQueueApcThread(
890  __in HANDLE ThreadHandle,
891  __in PPS_APC_ROUTINE ApcRoutine,
892  __in_opt PVOID ApcArgument1,
893  __in_opt PVOID ApcArgument2,
894  __in_opt PVOID ApcArgument3
895  );
896 
897 #endif
898 
899 // User processes and threads
900 
901 #if (PHNT_MODE != PHNT_MODE_KERNEL)
902 
903 // Attributes
904 
905 // begin_rev
// Layout of PS_ATTRIBUTE.Attribute: the low 16 bits hold a PS_ATTRIBUTE_NUM
// value and the bits above are modifier flags. The "rev" markers appear to
// label values obtained by reverse engineering, so treat them as unofficial.
906 #define PS_ATTRIBUTE_NUMBER_MASK 0x0000ffff
907 #define PS_ATTRIBUTE_THREAD 0x00010000 // can be used with threads
908 #define PS_ATTRIBUTE_INPUT 0x00020000 // input only
909 #define PS_ATTRIBUTE_UNKNOWN 0x00040000 // meaning not known to the header's authors
910 // end_rev
911 
912 // private
// Attribute numbers for process/thread creation attribute lists. Values are
// positional (the "10" in the comments is an ordinal). "in"/"out" give the
// direction and the type expected in the PS_ATTRIBUTE value.
// Review note: PsAttributeParentProcess and PsAttributeToken let the creator
// choose the recorded parent and the primary token of the new process, which
// is why parent/child relationships alone are weak evidence of who launched it.
913 typedef enum _PS_ATTRIBUTE_NUM
914 {
915  PsAttributeParentProcess, // in HANDLE
916  PsAttributeDebugPort, // in HANDLE
917  PsAttributeToken, // in HANDLE
918  PsAttributeClientId, // out PCLIENT_ID
919  PsAttributeTebAddress, // out PTEB *
920  PsAttributeImageName, // in PWSTR
921  PsAttributeImageInfo, // out PSECTION_IMAGE_INFORMATION
922  PsAttributeMemoryReserve, // in PPS_MEMORY_RESERVE
923  PsAttributePriorityClass, // in UCHAR
924  PsAttributeErrorMode, // in ULONG
925  PsAttributeStdHandleInfo, // 10, in PPS_STD_HANDLE_INFO
926  PsAttributeHandleList, // in PHANDLE
927  PsAttributeGroupAffinity, // in PGROUP_AFFINITY
928  PsAttributePreferredNode, // in PUSHORT
929  PsAttributeIdealProcessor, // in PPROCESSOR_NUMBER
930  PsAttributeUmsThread, // ? in PUMS_CREATE_THREAD_ATTRIBUTES
931  PsAttributeMitigationOptions, // in UCHAR
932  PsAttributeSecurityCapabilities,
933  PsAttributeMax // count sentinel, not a usable attribute
934 } PS_ATTRIBUTE_NUM;
935 
936 // begin_rev
937 
// Builds a PS_ATTRIBUTE.Attribute word: the attribute number masked to 16 bits,
// OR-ed with the THREAD / INPUT / UNKNOWN modifier bits for each argument that
// is nonzero. Arguments are parenthesised and each is evaluated once.
938 #define PsAttributeValue(Number, Thread, Input, Unknown) \
939  (((Number) & PS_ATTRIBUTE_NUMBER_MASK) | \
940  ((Thread) ? PS_ATTRIBUTE_THREAD : 0) | \
941  ((Input) ? PS_ATTRIBUTE_INPUT : 0) | \
942  ((Unknown) ? PS_ATTRIBUTE_UNKNOWN : 0))
943 
// Ready-made attribute words. The three booleans are (Thread, Input, Unknown).
// Note that PS_ATTRIBUTE_IMAGE_INFO sets none of them although the enum marks
// PsAttributeImageInfo as "out". PsAttributeUmsThread and
// PsAttributeSecurityCapabilities have no macro here.
944 #define PS_ATTRIBUTE_PARENT_PROCESS \
945  PsAttributeValue(PsAttributeParentProcess, FALSE, TRUE, TRUE)
946 #define PS_ATTRIBUTE_DEBUG_PORT \
947  PsAttributeValue(PsAttributeDebugPort, FALSE, TRUE, TRUE)
948 #define PS_ATTRIBUTE_TOKEN \
949  PsAttributeValue(PsAttributeToken, FALSE, TRUE, TRUE)
950 #define PS_ATTRIBUTE_CLIENT_ID \
951  PsAttributeValue(PsAttributeClientId, TRUE, FALSE, FALSE)
952 #define PS_ATTRIBUTE_TEB_ADDRESS \
953  PsAttributeValue(PsAttributeTebAddress, TRUE, FALSE, FALSE)
954 #define PS_ATTRIBUTE_IMAGE_NAME \
955  PsAttributeValue(PsAttributeImageName, FALSE, TRUE, FALSE)
956 #define PS_ATTRIBUTE_IMAGE_INFO \
957  PsAttributeValue(PsAttributeImageInfo, FALSE, FALSE, FALSE)
958 #define PS_ATTRIBUTE_MEMORY_RESERVE \
959  PsAttributeValue(PsAttributeMemoryReserve, FALSE, TRUE, FALSE)
960 #define PS_ATTRIBUTE_PRIORITY_CLASS \
961  PsAttributeValue(PsAttributePriorityClass, FALSE, TRUE, FALSE)
962 #define PS_ATTRIBUTE_ERROR_MODE \
963  PsAttributeValue(PsAttributeErrorMode, FALSE, TRUE, FALSE)
964 #define PS_ATTRIBUTE_STD_HANDLE_INFO \
965  PsAttributeValue(PsAttributeStdHandleInfo, FALSE, TRUE, FALSE)
966 #define PS_ATTRIBUTE_HANDLE_LIST \
967  PsAttributeValue(PsAttributeHandleList, FALSE, TRUE, FALSE)
968 #define PS_ATTRIBUTE_GROUP_AFFINITY \
969  PsAttributeValue(PsAttributeGroupAffinity, TRUE, TRUE, FALSE)
970 #define PS_ATTRIBUTE_PREFERRED_NODE \
971  PsAttributeValue(PsAttributePreferredNode, FALSE, TRUE, FALSE)
972 #define PS_ATTRIBUTE_IDEAL_PROCESSOR \
973  PsAttributeValue(PsAttributeIdealProcessor, TRUE, TRUE, FALSE)
974 #define PS_ATTRIBUTE_MITIGATION_OPTIONS \
975  PsAttributeValue(PsAttributeMitigationOptions, FALSE, TRUE, TRUE)
976 
977 // end_rev
978 
979 // begin_private
980 
// One entry of a process/thread creation attribute list.
//   Attribute    - a PS_ATTRIBUTE_* word (number plus modifier bits).
//   Size         - size of the value, in bytes.
//   Value/ValuePtr - the value itself or a pointer to it, depending on the attribute.
//   ReturnLength - where a resulting length is written, if the attribute produces one.
// NOTE(review): Value is ULONG while ValuePtr is pointer-sized. On 64-bit builds
// storing through Value leaves the upper half of the union unchanged, so
// zero-initialise the entry before filling it in.
981 typedef struct _PS_ATTRIBUTE
982 {
983  ULONG Attribute;
984  SIZE_T Size;
985  union
986  {
987  ULONG Value;
988  PVOID ValuePtr;
989  };
990  PSIZE_T ReturnLength;
991 } PS_ATTRIBUTE, *PPS_ATTRIBUTE;
992 
// Header of an attribute list passed to NtCreateUserProcess / NtCreateThreadEx.
// Attributes is declared with one element but used as a variable-length array;
// TotalLength presumably has to cover the header plus every entry actually
// supplied - confirm. A TotalLength that disagrees with the allocation is a
// classic source of out-of-bounds reads, so compute it from the entry count.
993 typedef struct _PS_ATTRIBUTE_LIST
994 {
995  SIZE_T TotalLength;
996  PS_ATTRIBUTE Attributes[1]; // variable length
997 } PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST;
998 
// Value type for PsAttributeMemoryReserve: an address range (base and size)
// to reserve in the new process.
999 typedef struct _PS_MEMORY_RESERVE
1000 {
1001  PVOID ReserveAddress;
1002  SIZE_T ReserveSize;
1003 } PS_MEMORY_RESERVE, *PPS_MEMORY_RESERVE;
1004 
// How standard handles are passed to a new process; stored in the 2-bit
// StdHandleState field of PS_STD_HANDLE_INFO. Duplicating standard handles
// gives the child access to whatever they refer to, so PsAlwaysDuplicate
// should be a deliberate choice.
1005 typedef enum _PS_STD_HANDLE_STATE
1006 {
1007  PsNeverDuplicate,
1008  PsRequestDuplicate, // duplicate standard handles specified by PseudoHandleMask, and only if StdHandleSubsystemType matches the image subsystem
1009  PsAlwaysDuplicate, // always duplicate standard handles
1010  PsMaxStdHandleStates // count sentinel
1011 } PS_STD_HANDLE_STATE;
1012 
1013 // begin_rev
// Bit values for PS_STD_HANDLE_INFO.PseudoHandleMask (a 3-bit field).
1014 #define PS_STD_INPUT_HANDLE 0x1
1015 #define PS_STD_OUTPUT_HANDLE 0x2
1016 #define PS_STD_ERROR_HANDLE 0x4
1017 // end_rev
1018 
// Value type for PsAttributeStdHandleInfo. Flags overlays the two bit-fields;
// only the low 5 of its 32 bits are named, so the rest should be left zero.
1019 typedef struct _PS_STD_HANDLE_INFO
1020 {
1021  union
1022  {
1023  ULONG Flags;
1024  struct
1025  {
1026  ULONG StdHandleState : 2; // PS_STD_HANDLE_STATE
1027  ULONG PseudoHandleMask : 3; // PS_STD_*
1028  };
1029  };
1030  ULONG StdHandleSubsystemType;
1031 } PS_STD_HANDLE_INFO, *PPS_STD_HANDLE_INFO;
1032 
1033 // windows-internals-book:"Chapter 5"
// Discriminator for the union in PS_CREATE_INFO: it is the State field that
// says which member (InitState, FailSection, ExeName, SuccessState) is valid.
// Values are positional.
1034 typedef enum _PS_CREATE_STATE
1035 {
1036  PsCreateInitialState,
1037  PsCreateFailOnFileOpen,
1038  PsCreateFailOnSectionCreate,
1039  PsCreateFailExeFormat,
1040  PsCreateFailMachineMismatch,
1041  PsCreateFailExeName, // Debugger specified
1042  PsCreateSuccess,
1043  PsCreateMaximumStates // count sentinel
1044 } PS_CREATE_STATE;
1045 
// Controls how much of the Image File Execution Options (IFEO) registry data
// is honoured during process creation; stored in the 2-bit IFEOKeyState field
// of PS_CREATE_INFO.InitState.
// IFEO "Debugger" values redirect which program is started, so which of these
// states a launcher uses determines whether such a redirect takes effect.
1046 typedef enum _PS_IFEO_KEY_STATE
1047 {
1048  PsReadIFEOAllValues,
1049  PsSkipIFEODebugger,
1050  PsSkipAllIFEO,
1051  PsMaxIFEOKeyStates // count sentinel
1052 } PS_IFEO_KEY_STATE, *PPS_IFEO_KEY_STATE;
1053 
// In/out block for NtCreateUserProcess. The union member that is valid is
// selected by State; each member below is labelled with the state it belongs to.
// Handles returned in the fail/success members are owned by the caller and
// must be closed by it.
// NOTE(review): the flag words are overlaid with bit-fields whose base types
// are UCHAR and USHORT. Bit-field layout for such types is implementation-
// defined in C, so the overlay with the 32-bit InitFlags/OutputFlags relies on
// the target compiler's layout (8 + 8 + 16 bits in both cases).
1054 typedef struct _PS_CREATE_INFO
1055 {
1056  SIZE_T Size; // presumably sizeof(PS_CREATE_INFO), set by the caller - confirm
1057  PS_CREATE_STATE State;
1058  union
1059  {
1060  // PsCreateInitialState
1061  struct
1062  {
1063  union
1064  {
1065  ULONG InitFlags;
1066  struct
1067  {
1068  UCHAR WriteOutputOnExit : 1;
1069  UCHAR DetectManifest : 1;
1070  UCHAR SpareBits1 : 6;
1071  UCHAR IFEOKeyState : 2; // PS_IFEO_KEY_STATE
1072  UCHAR SpareBits2 : 6;
1073  USHORT ProhibitedImageCharacteristics : 16;
1074  };
1075  };
1076  ACCESS_MASK AdditionalFileAccess;
1077  } InitState;
1078 
1079  // PsCreateFailOnSectionCreate
1080  struct
1081  {
1082  HANDLE FileHandle;
1083  } FailSection;
1084 
1085  // PsCreateFailExeName
1086  struct
1087  {
1088  HANDLE IFEOKey;
1089  } ExeName;
1090 
1091  // PsCreateSuccess
1092  struct
1093  {
1094  union
1095  {
1096  ULONG OutputFlags;
1097  struct
1098  {
1099  UCHAR ProtectedProcess : 1;
1100  UCHAR AddressSpaceOverride : 1;
1101  UCHAR DevOverrideEnabled : 1; // from Image File Execution Options
1102  UCHAR ManifestDetected : 1;
1103  UCHAR SpareBits1 : 4;
1104  UCHAR SpareBits2 : 8;
1105  USHORT SpareBits3 : 16;
1106  };
1107  };
1108  HANDLE FileHandle;
1109  HANDLE SectionHandle;
1110  ULONGLONG UserProcessParametersNative; // address in the new process, not the caller
1111  ULONG UserProcessParametersWow64;
1112  ULONG CurrentParameterFlags;
1113  ULONGLONG PebAddressNative; // address in the new process, not the caller
1114  ULONG PebAddressWow64;
1115  ULONGLONG ManifestAddress;
1116  ULONG ManifestSize;
1117  } SuccessState;
1118  };
1119 } PS_CREATE_INFO, *PPS_CREATE_INFO;
1120 
1121 // end_private
1122 
1123 // Extended PROCESS_CREATE_FLAGS_*
// These continue the bit sequence of the PROCESS_CREATE_FLAGS_* values defined
// earlier (0x01 to 0x10). The "rev" markers and the "?" suggest the values were
// reverse engineered and that CREATE_SESSION is unverified.
1124 // begin_rev
1125 #define PROCESS_CREATE_FLAGS_LARGE_PAGE_SYSTEM_DLL 0x00000020
1126 #define PROCESS_CREATE_FLAGS_PROTECTED_PROCESS 0x00000040
1127 #define PROCESS_CREATE_FLAGS_CREATE_SESSION 0x00000080 // ?
1128 #define PROCESS_CREATE_FLAGS_INHERIT_FROM_PARENT 0x00000100
1129 // end_rev
1130 
// Declares NtCreateUserProcess (available when PHNT_VERSION >= PHNT_VISTA):
// creates a process and its initial thread in one call, returning both handles.
// CreateInfo is in/out: the caller initialises it and reads State afterwards to
// learn which union member was filled in, including on failure.
// AttributeList is optional and carries PS_ATTRIBUTE entries.
// Both returned handles, and any handles reported in CreateInfo, must be
// closed by the caller.
1131 #if (PHNT_VERSION >= PHNT_VISTA)
1132 // private
1133 NTSYSCALLAPI
1134 NTSTATUS
1135 NTAPI
1136 NtCreateUserProcess(
1137  __out PHANDLE ProcessHandle,
1138  __out PHANDLE ThreadHandle,
1139  __in ACCESS_MASK ProcessDesiredAccess,
1140  __in ACCESS_MASK ThreadDesiredAccess,
1141  __in_opt POBJECT_ATTRIBUTES ProcessObjectAttributes,
1142  __in_opt POBJECT_ATTRIBUTES ThreadObjectAttributes,
1143  __in ULONG ProcessFlags, // PROCESS_CREATE_FLAGS_*
1144  __in ULONG ThreadFlags, // THREAD_CREATE_FLAGS_*
1145  __in_opt PVOID ProcessParameters,
1146  __inout PPS_CREATE_INFO CreateInfo,
1147  __in_opt PPS_ATTRIBUTE_LIST AttributeList
1148  );
1149 #endif
1150 
1151 // begin_rev
// Bit flags for the thread-flag parameters of NtCreateUserProcess and
// NtCreateThreadEx. Values marked "?" are unverified by the header's authors.
// Note the gaps: 0x08 and 0x40 are not defined here.
// HIDE_FROM_DEBUGGER creates the thread already hidden from debuggers (compare
// ThreadHideFromDebugger), which analysts should recognise as anti-debug use.
1152 #define THREAD_CREATE_FLAGS_CREATE_SUSPENDED 0x00000001
1153 #define THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH 0x00000002 // ?
1154 #define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004
1155 #define THREAD_CREATE_FLAGS_HAS_SECURITY_DESCRIPTOR 0x00000010 // ?
1156 #define THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET 0x00000020 // ?
1157 #define THREAD_CREATE_FLAGS_INITIAL_THREAD 0x00000080
1158 // end_rev
1159 
// Declares NtCreateThreadEx (available when PHNT_VERSION >= PHNT_VISTA):
// creates a thread in the process given by ProcessHandle that starts at
// StartRoutine with Argument.
// StartRoutine and Argument are addresses in the target process, which may
// differ from the caller's. Creating threads in another process is a
// cross-process execution primitive and a common detection point for
// endpoint monitoring.
1160 #if (PHNT_VERSION >= PHNT_VISTA)
1161 // private
1162 NTSYSCALLAPI
1163 NTSTATUS
1164 NTAPI
1165 NtCreateThreadEx(
1166  __out PHANDLE ThreadHandle,
1167  __in ACCESS_MASK DesiredAccess,
1168  __in_opt POBJECT_ATTRIBUTES ObjectAttributes,
1169  __in HANDLE ProcessHandle,
1170  __in PVOID StartRoutine,
1171  __in_opt PVOID Argument,
1172  __in ULONG CreateFlags, // THREAD_CREATE_FLAGS_*
1173  __in_opt ULONG_PTR ZeroBits,
1174  __in_opt SIZE_T StackSize,
1175  __in_opt SIZE_T MaximumStackSize,
1176  __in_opt PPS_ATTRIBUTE_LIST AttributeList
1177  );
1178 #endif
1179 
1180 #endif
1181 
1182 // Reserve objects
1183 
1184 #if (PHNT_MODE != PHNT_MODE_KERNEL)
1185 
1186 // private
// Kinds of reserve object that NtAllocateReserveObject can create: one for
// user APCs and one for I/O completion. Values are positional.
1187 typedef enum _MEMORY_RESERVE_TYPE
1188 {
1189  MemoryReserveUserApc,
1190  MemoryReserveIoCompletion,
1191  MemoryReserveTypeMax // count sentinel
1192 } MEMORY_RESERVE_TYPE;
1193 
1194 // begin_rev
1195 
// Declares NtAllocateReserveObject (available when PHNT_VERSION >= PHNT_WIN7):
// creates a reserve object of the given Type and returns its handle, which
// the caller must eventually close.
1196 #if (PHNT_VERSION >= PHNT_WIN7)
1197 NTSYSCALLAPI
1198 NTSTATUS
1199 NTAPI
1200 NtAllocateReserveObject(
1201  __out PHANDLE MemoryReserveHandle,
1202  __in_opt POBJECT_ATTRIBUTES ObjectAttributes,
1203  __in MEMORY_RESERVE_TYPE Type
1204  );
1205 #endif
1206 
// Declares NtQueueApcThreadEx (available when PHNT_VERSION >= PHNT_WIN7).
// Same as NtQueueApcThread plus an optional reserve-object handle
// (presumably one created with MemoryReserveUserApc - confirm).
// ApcRoutine and its arguments are interpreted in the target thread's process.
1207 #if (PHNT_VERSION >= PHNT_WIN7)
1208 NTSYSCALLAPI
1209 NTSTATUS
1210 NTAPI
1211 NtQueueApcThreadEx(
1212  __in HANDLE ThreadHandle,
1213  __in_opt HANDLE UserApcReserveHandle,
1214  __in PPS_APC_ROUTINE ApcRoutine,
1215  __in_opt PVOID ApcArgument1,
1216  __in_opt PVOID ApcArgument2,
1217  __in_opt PVOID ApcArgument3
1218  );
1219 #endif
1220 
1221 // end_rev
1222 
1223 #endif
1224 
1225 // Job Objects
1226 
1227 #if (PHNT_MODE != PHNT_MODE_KERNEL)
1228 
// Declares NtCreateJobObject: creates a job object and returns its handle.
// ObjectAttributes is optional (an unnamed job when omitted, presumably).
1229 NTSYSCALLAPI
1230 NTSTATUS
1231 NTAPI
1232 NtCreateJobObject(
1233  __out PHANDLE JobHandle,
1234  __in ACCESS_MASK DesiredAccess,
1235  __in_opt POBJECT_ATTRIBUTES ObjectAttributes
1236  );
1237 
// Declares NtOpenJobObject: opens an existing job object. Here
// ObjectAttributes is mandatory, since it identifies the job to open.
1238 NTSYSCALLAPI
1239 NTSTATUS
1240 NTAPI
1241 NtOpenJobObject(
1242  __out PHANDLE JobHandle,
1243  __in ACCESS_MASK DesiredAccess,
1244  __in POBJECT_ATTRIBUTES ObjectAttributes
1245  );
1246 
// Declares NtAssignProcessToJobObject: places the process in the job.
1247 NTSYSCALLAPI
1248 NTSTATUS
1249 NTAPI
1250 NtAssignProcessToJobObject(
1251  __in HANDLE JobHandle,
1252  __in HANDLE ProcessHandle
1253  );
1254 
// Declares NtTerminateJobObject: terminates the job's processes with ExitStatus.
1255 NTSYSCALLAPI
1256 NTSTATUS
1257 NTAPI
1258 NtTerminateJobObject(
1259  __in HANDLE JobHandle,
1260  __in NTSTATUS ExitStatus
1261  );
1262 
// Declares NtIsProcessInJob. There is no output parameter, so the answer is
// carried in the NTSTATUS itself (presumably STATUS_PROCESS_IN_JOB versus
// STATUS_PROCESS_NOT_IN_JOB - confirm). A plain success test therefore does
// not tell the two outcomes apart; compare against the specific codes.
// JobHandle is optional per the annotation.
1263 NTSYSCALLAPI
1264 NTSTATUS
1265 NTAPI
1266 NtIsProcessInJob(
1267  __in HANDLE ProcessHandle,
1268  __in_opt HANDLE JobHandle
1269  );
1270 
// Declares NtQueryInformationJobObject: retrieves one JOBOBJECTINFOCLASS value
// into a caller buffer of JobObjectInformationLength bytes. JobHandle is
// optional per the annotation and ReturnLength is optional.
// JOBOBJECTINFOCLASS is not defined in this header.
1271 NTSYSCALLAPI
1272 NTSTATUS
1273 NTAPI
1274 NtQueryInformationJobObject(
1275  __in_opt HANDLE JobHandle,
1276  __in JOBOBJECTINFOCLASS JobObjectInformationClass,
1277  __out_bcount(JobObjectInformationLength) PVOID JobObjectInformation,
1278  __in ULONG JobObjectInformationLength,
1279  __out_opt PULONG ReturnLength
1280  );
1281 
// Declares NtSetInformationJobObject: applies one JOBOBJECTINFOCLASS value from
// an input buffer of JobObjectInformationLength bytes. Here JobHandle is mandatory.
1282 NTSYSCALLAPI
1283 NTSTATUS
1284 NTAPI
1285 NtSetInformationJobObject(
1286  __in HANDLE JobHandle,
1287  __in JOBOBJECTINFOCLASS JobObjectInformationClass,
1288  __in_bcount(JobObjectInformationLength) PVOID JobObjectInformation,
1289  __in ULONG JobObjectInformationLength
1290  );
1291 
// Declares NtCreateJobSet: builds a job set from an array of NumJob entries.
// UserJobSet is annotated as an element count, not a byte count, so NumJob
// must match the number of entries actually present in the array.
// PJOB_SET_ARRAY is not defined in this header.
1292 NTSYSCALLAPI
1293 NTSTATUS
1294 NTAPI
1295 NtCreateJobSet(
1296  __in ULONG NumJob,
1297  __in_ecount(NumJob) PJOB_SET_ARRAY UserJobSet,
1298  __in ULONG Flags
1299  );
1300 
1301 #endif
1302 
1303 #endif