1 #ifndef _NTPSAPI_H
2 #define _NTPSAPI_H
3 
4 #if (PHNT_MODE == PHNT_MODE_KERNEL)
// Process object access-right bits (kernel-mode build only; user-mode builds take
// them from the SDK). Each Nt* call declared later checks that the caller's handle
// was opened with the right it needs. 0x0040 (PROCESS_DUP_HANDLE in the SDK) is
// intentionally absent here. The VM_OPERATION/VM_WRITE/CREATE_THREAD combination is
// what cross-process memory writes and remote threads require, which makes handle
// opens requesting it worth auditing in endpoint telemetry.
5 #define PROCESS_TERMINATE 0x0001
6 #define PROCESS_CREATE_THREAD 0x0002
7 #define PROCESS_SET_SESSIONID 0x0004
8 #define PROCESS_VM_OPERATION 0x0008
9 #define PROCESS_VM_READ 0x0010
10 #define PROCESS_VM_WRITE 0x0020
11 #define PROCESS_CREATE_PROCESS 0x0080
12 #define PROCESS_SET_QUOTA 0x0100
13 #define PROCESS_SET_INFORMATION 0x0200
14 #define PROCESS_QUERY_INFORMATION 0x0400
15 #define PROCESS_SET_PORT 0x0800
16 #define PROCESS_SUSPEND_RESUME 0x0800 // same bit as PROCESS_SET_PORT: an ACE granting one grants both
17 #define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
18 #else
// User-mode build: only fill in PROCESS_SET_PORT when the SDK does not define it.
19 #ifndef PROCESS_SET_PORT
20 #define PROCESS_SET_PORT 0x0800
21 #endif
22 #endif
23 
24 #if (PHNT_MODE == PHNT_MODE_KERNEL)
// Thread object access-right bits not exported by the kernel headers.
// THREAD_SET_THREAD_TOKEN / THREAD_IMPERSONATE / THREAD_DIRECT_IMPERSONATION
// control who may replace or borrow a thread's security context; review grants
// of them with the same care as token rights.
25 #define THREAD_QUERY_INFORMATION 0x0040
26 #define THREAD_SET_THREAD_TOKEN 0x0080
27 #define THREAD_IMPERSONATE 0x0100
28 #define THREAD_DIRECT_IMPERSONATION 0x0200
29 #else
// User-mode build: some SDK versions lack THREAD_ALERT; define it only if missing.
30 #ifndef THREAD_ALERT
31 #define THREAD_ALERT 0x0004
32 #endif
33 #endif
34 
35 #if (PHNT_MODE == PHNT_MODE_KERNEL)
// Job object access-right bits (kernel-mode build only).
36 #define JOB_OBJECT_ASSIGN_PROCESS 0x0001
37 #define JOB_OBJECT_SET_ATTRIBUTES 0x0002
38 #define JOB_OBJECT_QUERY 0x0004
39 #define JOB_OBJECT_TERMINATE 0x0008
40 #define JOB_OBJECT_SET_SECURITY_ATTRIBUTES 0x0010
// 0x1f is exactly the OR of the five specific rights above.
41 #define JOB_OBJECT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1f)
42 #endif
43 
// Element counts of the GDI handle buffer for 32- and 64-bit process layouts;
// GDI_HANDLE_BUFFER_SIZE below selects one based on the build target.
44 #define GDI_HANDLE_BUFFER_SIZE32 34
45 #define GDI_HANDLE_BUFFER_SIZE64 60
46 
// Pick the GDI handle buffer size matching the target bitness (keyed on WIN64).
47 #ifndef WIN64
48 #define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32
49 #else
50 #define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE64
51 #endif
52 
54 
57 
// Fiber-local and thread-local storage slot counts; presumably these size the
// per-thread arrays declared in ntpebteb.h (included below) — confirm there.
58 #define FLS_MAXIMUM_AVAILABLE 128
59 #define TLS_MINIMUM_AVAILABLE 64
60 #define TLS_EXPANSION_SLOTS 1024
61 
62 // symbols
63 typedef struct _PEB_LDR_DATA
64 {
65  ULONG Length;
66  BOOLEAN Initialized;
67  HANDLE SsHandle;
75 
76 typedef struct _INITIAL_TEB
77 {
78  struct
79  {
80  PVOID OldStackBase;
82  } OldInitialTeb;
83  PVOID StackBase;
84  PVOID StackLimit;
87 
88 typedef struct _WOW64_PROCESS
89 {
90  PVOID Wow64;
92 
93 #include <ntpebteb.h>
94 
95 // source:http://www.microsoft.com/whdc/system/Sysinternals/MoreThan64proc.mspx
96 
97 #if (PHNT_MODE != PHNT_MODE_KERNEL)
// Information classes for NtQueryInformationProcess / NtSetInformationProcess.
// Trailing comments: "q:" = type returned on query, "s:" = type accepted on set,
// "qs:" = both; the leading number is the class value, given every tenth entry.
// Several of these expose security state (debug port, protection level, execute
// flags, mitigation policy) and are worth knowing when reviewing tooling.
98 typedef enum _PROCESSINFOCLASS
99 {
100  ProcessBasicInformation, // 0, q: PROCESS_BASIC_INFORMATION, PROCESS_EXTENDED_BASIC_INFORMATION
101  ProcessQuotaLimits, // qs: QUOTA_LIMITS, QUOTA_LIMITS_EX
102  ProcessIoCounters, // q: IO_COUNTERS
103  ProcessVmCounters, // q: VM_COUNTERS, VM_COUNTERS_EX
104  ProcessTimes, // q: KERNEL_USER_TIMES
105  ProcessBasePriority, // s: KPRIORITY
106  ProcessRaisePriority, // s: ULONG
107  ProcessDebugPort, // q: HANDLE (non-NULL when a debug port is attached; a well-known debugger-presence check)
108  ProcessExceptionPort, // s: HANDLE
109  ProcessAccessToken, // s: PROCESS_ACCESS_TOKEN (replaces the primary token; see that struct)
110  ProcessLdtInformation, // 10, qs: PROCESS_LDT_INFORMATION
111  ProcessLdtSize, // s: PROCESS_LDT_SIZE
112  ProcessDefaultHardErrorMode, // qs: ULONG
113  ProcessIoPortHandlers, // (kernel-mode only)
114  ProcessPooledUsageAndLimits, // q: POOLED_USAGE_AND_LIMITS
115  ProcessWorkingSetWatch, // q: PROCESS_WS_WATCH_INFORMATION[]; s: void
116  ProcessUserModeIOPL,
117  ProcessEnableAlignmentFaultFixup, // s: BOOLEAN
118  ProcessPriorityClass, // qs: PROCESS_PRIORITY_CLASS
119  ProcessWx86Information,
120  ProcessHandleCount, // 20, q: ULONG, PROCESS_HANDLE_INFORMATION
121  ProcessAffinityMask, // s: KAFFINITY
122  ProcessPriorityBoost, // qs: ULONG
123  ProcessDeviceMap, // qs: PROCESS_DEVICEMAP_INFORMATION, PROCESS_DEVICEMAP_INFORMATION_EX
124  ProcessSessionInformation, // q: PROCESS_SESSION_INFORMATION
125  ProcessForegroundInformation, // s: PROCESS_FOREGROUND_BACKGROUND
126  ProcessWow64Information, // q: ULONG_PTR (zero for a native process)
127  ProcessImageFileName, // q: UNICODE_STRING (NT device path form)
128  ProcessLUIDDeviceMapsEnabled, // q: ULONG
129  ProcessBreakOnTermination, // qs: ULONG (marks the process "critical": its exit bugchecks the system; see RtlSetProcessIsCritical)
130  ProcessDebugObjectHandle, // 30, q: HANDLE
131  ProcessDebugFlags, // qs: ULONG
132  ProcessHandleTracing, // q: PROCESS_HANDLE_TRACING_QUERY; s: size 0 disables, otherwise enables
133  ProcessIoPriority, // qs: ULONG
134  ProcessExecuteFlags, // qs: ULONG (DEP/NX execute options for the process)
135  ProcessResourceManagement,
136  ProcessCookie, // q: ULONG
137  ProcessImageInformation, // q: SECTION_IMAGE_INFORMATION
138  ProcessCycleTime, // q: PROCESS_CYCLE_TIME_INFORMATION // since VISTA
139  ProcessPagePriority, // q: ULONG
140  ProcessInstrumentationCallback, // 40
141  ProcessThreadStackAllocation, // s: PROCESS_STACK_ALLOCATION_INFORMATION, PROCESS_STACK_ALLOCATION_INFORMATION_EX
142  ProcessWorkingSetWatchEx, // q: PROCESS_WS_WATCH_INFORMATION_EX[]
143  ProcessImageFileNameWin32, // q: UNICODE_STRING (Win32 path form)
144  ProcessImageFileMapping, // q: HANDLE (input)
145  ProcessAffinityUpdateMode, // qs: PROCESS_AFFINITY_UPDATE_MODE
146  ProcessMemoryAllocationMode, // qs: PROCESS_MEMORY_ALLOCATION_MODE
147  ProcessGroupInformation, // q: USHORT[]
148  ProcessTokenVirtualizationEnabled, // s: ULONG
149  ProcessConsoleHostProcess, // q: ULONG_PTR
150  ProcessWindowInformation, // 50, q: PROCESS_WINDOW_INFORMATION
151  ProcessHandleInformation, // q: PROCESS_HANDLE_SNAPSHOT_INFORMATION // since WIN8
152  ProcessMitigationPolicy, // s: PROCESS_MITIGATION_POLICY_INFORMATION
153  ProcessDynamicFunctionTableInformation,
154  ProcessHandleCheckingMode,
155  ProcessKeepAliveCount, // q: PROCESS_KEEPALIVE_COUNT_INFORMATION
156  ProcessRevokeFileHandles, // s: PROCESS_REVOKE_FILE_HANDLES_INFORMATION
157  ProcessWorkingSetControl, // s: PROCESS_WORKING_SET_CONTROL
158  ProcessHandleTable, // since WINBLUE
159  ProcessCheckStackExtentsMode,
160  ProcessCommandLineInformation, // 60, q: UNICODE_STRING (presumably WINBLUE+, like the entries above it)
161  ProcessProtectionInformation, // q: PS_PROTECTION
162  MaxProcessInfoClass
163 } PROCESSINFOCLASS;
164 #endif
165 
166 #if (PHNT_MODE != PHNT_MODE_KERNEL)
// Information classes for NtQueryInformationThread / NtSetInformationThread.
// Same "q:"/"s:"/"qs:" legend as PROCESSINFOCLASS; the number is the class value.
167 typedef enum _THREADINFOCLASS
168 {
169  ThreadBasicInformation, // q: THREAD_BASIC_INFORMATION
170  ThreadTimes, // q: KERNEL_USER_TIMES
171  ThreadPriority, // s: KPRIORITY
172  ThreadBasePriority, // s: LONG
173  ThreadAffinityMask, // s: KAFFINITY
174  ThreadImpersonationToken, // s: HANDLE (installs/removes the thread's impersonation token)
175  ThreadDescriptorTableEntry, // q: DESCRIPTOR_TABLE_ENTRY (or WOW64_DESCRIPTOR_TABLE_ENTRY)
176  ThreadEnableAlignmentFaultFixup, // s: BOOLEAN
177  ThreadEventPair,
178  ThreadQuerySetWin32StartAddress, // q: PVOID (start address; useful for attributing a thread to a module)
179  ThreadZeroTlsCell, // 10
180  ThreadPerformanceCount, // q: LARGE_INTEGER
181  ThreadAmILastThread, // q: ULONG
182  ThreadIdealProcessor, // s: ULONG
183  ThreadPriorityBoost, // qs: ULONG
184  ThreadSetTlsArrayAddress,
185  ThreadIsIoPending, // q: ULONG
186  ThreadHideFromDebugger, // s: void (suppresses debugger notifications for this thread; cannot be undone — a classic anti-debug marker)
187  ThreadBreakOnTermination, // qs: ULONG
188  ThreadSwitchLegacyState,
189  ThreadIsTerminated, // 20, q: ULONG
190  ThreadLastSystemCall, // q: THREAD_LAST_SYSCALL_INFORMATION
191  ThreadIoPriority, // qs: ULONG
192  ThreadCycleTime, // q: THREAD_CYCLE_TIME_INFORMATION
193  ThreadPagePriority, // q: ULONG
194  ThreadActualBasePriority,
195  ThreadTebInformation, // q: THREAD_TEB_INFORMATION (requires THREAD_GET_CONTEXT + THREAD_SET_CONTEXT)
196  ThreadCSwitchMon,
197  ThreadCSwitchPmu,
198  ThreadWow64Context, // q: WOW64_CONTEXT
199  ThreadGroupInformation, // 30, q: GROUP_AFFINITY
200  ThreadUmsInformation,
201  ThreadCounterProfiling,
202  ThreadIdealProcessorEx, // q: PROCESSOR_NUMBER
203  ThreadCpuAccountingInformation, // since WIN8
204  ThreadSuspendCount, // since WINBLUE
205  MaxThreadInfoClass
206 } THREADINFOCLASS;
207 #endif
208 
209 #if (PHNT_MODE != PHNT_MODE_KERNEL)
210 // Use with both ProcessPagePriority and ThreadPagePriority
// Single ULONG wrapper; the two classes above document it as "q: ULONG".
211 typedef struct _PAGE_PRIORITY_INFORMATION
212 {
213  ULONG PagePriority;
214 } PAGE_PRIORITY_INFORMATION, *PPAGE_PRIORITY_INFORMATION;
215 #endif
216 
217 // Process information structures
218 
219 #if (PHNT_MODE != PHNT_MODE_KERNEL)
220 
// Returned by ProcessBasicInformation. The two "Id" fields are PIDs carried in
// HANDLE-width fields. InheritedFromUniqueProcessId is the parent PID recorded at
// creation: PIDs are recycled, so do not treat it as proof of the parent's identity
// without also checking the parent's creation time.
221 typedef struct _PROCESS_BASIC_INFORMATION
222 {
223  NTSTATUS ExitStatus;
224  PPEB PebBaseAddress; // address in the target's address space, not the caller's
225  ULONG_PTR AffinityMask;
226  KPRIORITY BasePriority;
227  HANDLE UniqueProcessId;
228  HANDLE InheritedFromUniqueProcessId;
229 } PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;
230 
// Extended form of PROCESS_BASIC_INFORMATION for the same class. The caller sets
// Size so the kernel can tell the two layouts apart; the Flags bit-fields total
// 32 bits (7 defined + 25 spare).
231 typedef struct _PROCESS_EXTENDED_BASIC_INFORMATION
232 {
233  SIZE_T Size; // set to sizeof structure on input
234  PROCESS_BASIC_INFORMATION BasicInfo;
235  union
236  {
237  ULONG Flags;
238  struct
239  {
240  ULONG IsProtectedProcess : 1;
241  ULONG IsWow64Process : 1;
242  ULONG IsProcessDeleting : 1;
243  ULONG IsCrossSessionCreate : 1;
244  ULONG IsFrozen : 1;
245  ULONG IsBackground : 1;
246  ULONG IsStronglyNamed : 1;
247  ULONG SpareBits : 25;
248  };
249  };
250 } PROCESS_EXTENDED_BASIC_INFORMATION, *PPROCESS_EXTENDED_BASIC_INFORMATION;
251 
// Virtual-memory usage counters returned by ProcessVmCounters (byte quantities
// except PageFaultCount). See VM_COUNTERS_EX for the variant with PrivateUsage.
252 typedef struct _VM_COUNTERS
253 {
254  SIZE_T PeakVirtualSize;
255  SIZE_T VirtualSize;
256  ULONG PageFaultCount;
257  SIZE_T PeakWorkingSetSize;
258  SIZE_T WorkingSetSize;
259  SIZE_T QuotaPeakPagedPoolUsage;
260  SIZE_T QuotaPagedPoolUsage;
261  SIZE_T QuotaPeakNonPagedPoolUsage;
262  SIZE_T QuotaNonPagedPoolUsage;
263  SIZE_T PagefileUsage;
264  SIZE_T PeakPagefileUsage;
265 } VM_COUNTERS, *PVM_COUNTERS;
266 
// VM_COUNTERS with PrivateUsage appended; same leading layout, so the kernel
// presumably selects the variant by the buffer length passed to the query.
267 typedef struct _VM_COUNTERS_EX
268 {
269  SIZE_T PeakVirtualSize;
270  SIZE_T VirtualSize;
271  ULONG PageFaultCount;
272  SIZE_T PeakWorkingSetSize;
273  SIZE_T WorkingSetSize;
274  SIZE_T QuotaPeakPagedPoolUsage;
275  SIZE_T QuotaPagedPoolUsage;
276  SIZE_T QuotaPeakNonPagedPoolUsage;
277  SIZE_T QuotaNonPagedPoolUsage;
278  SIZE_T PagefileUsage;
279  SIZE_T PeakPagefileUsage;
280  SIZE_T PrivateUsage;
281 } VM_COUNTERS_EX, *PVM_COUNTERS_EX;
282 
// Timing record shared by ProcessTimes and ThreadTimes. CreateTime/ExitTime are
// absolute timestamps, KernelTime/UserTime are accumulated durations (100 ns units
// is the usual convention for these fields — confirm against the consumer).
283 typedef struct _KERNEL_USER_TIMES
284 {
285  LARGE_INTEGER CreateTime;
286  LARGE_INTEGER ExitTime;
287  LARGE_INTEGER KernelTime;
288  LARGE_INTEGER UserTime;
289 } KERNEL_USER_TIMES, *PKERNEL_USER_TIMES;
290 
// Pool and pagefile usage/limit triples returned by ProcessPooledUsageAndLimits.
291 typedef struct _POOLED_USAGE_AND_LIMITS
292 {
293  SIZE_T PeakPagedPoolUsage;
294  SIZE_T PagedPoolUsage;
295  SIZE_T PagedPoolLimit;
296  SIZE_T PeakNonPagedPoolUsage;
297  SIZE_T NonPagedPoolUsage;
298  SIZE_T NonPagedPoolLimit;
299  SIZE_T PeakPagefileUsage;
300  SIZE_T PagefileUsage;
301  SIZE_T PagefileLimit;
302 } POOLED_USAGE_AND_LIMITS, *PPOOLED_USAGE_AND_LIMITS;
303 
// Input for the set-only ProcessAccessToken class: replaces the target's primary
// token. This is a privilege-sensitive operation; NOTE(review): the kernel is
// expected to refuse it once the target has started running — confirm.
304 typedef struct _PROCESS_ACCESS_TOKEN
305 {
306  HANDLE Token; // needs TOKEN_ASSIGN_PRIMARY access
307  HANDLE Thread; // handle to initial/only thread; needs THREAD_QUERY_INFORMATION access
308 } PROCESS_ACCESS_TOKEN, *PPROCESS_ACCESS_TOKEN;
309 
// Variable-length buffer for ProcessLdtInformation: LdtEntries[1] is the classic
// trailing-array idiom, so the real element count is derived from Length and the
// buffer size, not from the declaration.
311 typedef struct _PROCESS_LDT_INFORMATION
312 {
313  ULONG Start;
314  ULONG Length;
315  LDT_ENTRY LdtEntries[1];
316 } PROCESS_LDT_INFORMATION, *PPROCESS_LDT_INFORMATION;
316 
// Input for the set-only ProcessLdtSize class.
318 typedef struct _PROCESS_LDT_SIZE
319 {
320  ULONG Length;
321 } PROCESS_LDT_SIZE, *PPROCESS_LDT_SIZE;
321 
// One working-set-watch record (ProcessWorkingSetWatch returns an array of them):
// the faulting instruction address and the virtual address that faulted.
323 typedef struct _PROCESS_WS_WATCH_INFORMATION
324 {
325  PVOID FaultingPc;
326  PVOID FaultingVa;
327 } PROCESS_WS_WATCH_INFORMATION, *PPROCESS_WS_WATCH_INFORMATION;
327 
328 #endif
329 
330 // psapi:PSAPI_WS_WATCH_INFORMATION_EX
332 {
333  PROCESS_WS_WATCH_INFORMATION BasicInfo;
334  ULONG_PTR FaultingThreadId;
335  ULONG_PTR Flags;
337 
// Values for the PriorityClass byte used with ProcessPriorityClass. Note the
// ordering is historical: BELOW/ABOVE_NORMAL were appended after REALTIME, so the
// numeric value is not monotonic in priority.
338 #define PROCESS_PRIORITY_CLASS_UNKNOWN 0
339 #define PROCESS_PRIORITY_CLASS_IDLE 1
340 #define PROCESS_PRIORITY_CLASS_NORMAL 2
341 #define PROCESS_PRIORITY_CLASS_HIGH 3
342 #define PROCESS_PRIORITY_CLASS_REALTIME 4
343 #define PROCESS_PRIORITY_CLASS_BELOW_NORMAL 5
344 #define PROCESS_PRIORITY_CLASS_ABOVE_NORMAL 6
345 
347 {
348  BOOLEAN Foreground;
351 
353 {
354  BOOLEAN Foreground;
356 
357 #if (PHNT_MODE != PHNT_MODE_KERNEL)
358 
// ProcessDeviceMap payload. Set takes a directory handle (the new DOS-device
// directory for the process); Query returns a drive-letter bitmask plus a type per
// letter (32 slots covers A–Z with spare). Swapping a process's device map changes
// what its drive letters resolve to, so treat the Set side as security-relevant.
359 typedef struct _PROCESS_DEVICEMAP_INFORMATION
360 {
361  union
362  {
363  struct
364  {
365  HANDLE DirectoryHandle;
366  } Set;
367  struct
368  {
369  ULONG DriveMap;
370  UCHAR DriveType[32];
371  } Query;
372  };
373 } PROCESS_DEVICEMAP_INFORMATION, *PPROCESS_DEVICEMAP_INFORMATION;
374 
375 #define PROCESS_LUID_DOSDEVICES_ONLY 0x00000001 // Flags bit for PROCESS_DEVICEMAP_INFORMATION_EX: only the per-logon (LUID) DOS devices directory
376 
// PROCESS_DEVICEMAP_INFORMATION with a trailing Flags word (PROCESS_LUID_DOSDEVICES_ONLY).
// Same leading layout as the non-EX struct.
377 typedef struct _PROCESS_DEVICEMAP_INFORMATION_EX
378 {
379  union
380  {
381  struct
382  {
383  HANDLE DirectoryHandle;
384  } Set;
385  struct
386  {
387  ULONG DriveMap;
388  UCHAR DriveType[32];
389  } Query;
390  };
391  ULONG Flags; // PROCESS_LUID_DOSDEVICES_ONLY
392 } PROCESS_DEVICEMAP_INFORMATION_EX, *PPROCESS_DEVICEMAP_INFORMATION_EX;
393 
// Returned by ProcessSessionInformation: the terminal-services session the process runs in.
394 typedef struct _PROCESS_SESSION_INFORMATION
395 {
396  ULONG SessionId;
397 } PROCESS_SESSION_INFORMATION, *PPROCESS_SESSION_INFORMATION;
398 
// Set-side payload for ProcessHandleTracing (the class comment notes that a
// zero-length set disables tracing instead).
399 typedef struct _PROCESS_HANDLE_TRACING_ENABLE
400 {
401  ULONG Flags; // 0 to disable, 1 to enable
402 } PROCESS_HANDLE_TRACING_ENABLE, *PPROCESS_HANDLE_TRACING_ENABLE;
403 
// PROCESS_HANDLE_TRACING_ENABLE plus the number of trace slots to allocate.
404 typedef struct _PROCESS_HANDLE_TRACING_ENABLE_EX
405 {
406  ULONG Flags; // 0 to disable, 1 to enable
407  ULONG TotalSlots;
408 } PROCESS_HANDLE_TRACING_ENABLE_EX, *PPROCESS_HANDLE_TRACING_ENABLE_EX;
409 
// Handle-tracing constants: depth of the captured stack in each entry, and the
// Type values (open / close / bad reference) reported in PROCESS_HANDLE_TRACING_ENTRY.
410 #define PROCESS_HANDLE_TRACING_MAX_STACKS 16
411 #define HANDLE_TRACE_DB_OPEN 1
412 #define HANDLE_TRACE_DB_CLOSE 2
413 #define HANDLE_TRACE_DB_BADREF 3
414 
// One handle-trace record: which handle, which thread (ClientId), what happened
// (HANDLE_TRACE_DB_*), and a fixed-depth stack capture.
415 typedef struct _PROCESS_HANDLE_TRACING_ENTRY
416 {
417  HANDLE Handle;
418  CLIENT_ID ClientId;
419  ULONG Type;
420  PVOID Stacks[PROCESS_HANDLE_TRACING_MAX_STACKS];
421 } PROCESS_HANDLE_TRACING_ENTRY, *PPROCESS_HANDLE_TRACING_ENTRY;
422 
// Query payload for ProcessHandleTracing. Handle filters the traces (input);
// HandleTrace[1] is a trailing array sized by TotalTraces and the buffer length.
423 typedef struct _PROCESS_HANDLE_TRACING_QUERY
424 {
425  HANDLE Handle;
426  ULONG TotalTraces;
427  PROCESS_HANDLE_TRACING_ENTRY HandleTrace[1];
428 } PROCESS_HANDLE_TRACING_QUERY, *PPROCESS_HANDLE_TRACING_QUERY;
429 
430 #endif
431 
432 // private
434 {
435  SIZE_T ReserveSize;
436  SIZE_T ZeroBits;
437  PVOID StackBase;
439 
440 // private
442 {
444  ULONG Reserved0;
445  ULONG Reserved1;
446  ULONG Reserved2;
449 
450 // private
452 {
453  ULONG Flags;
454  struct
455  {
456  ULONG EnableAutoUpdate : 1;
457  ULONG Permanent : 1;
458  ULONG Reserved : 30;
459  };
461 
462 // private
464 {
465  ULONG Flags;
466  struct
467  {
468  ULONG TopDown : 1;
469  ULONG Reserved : 31;
470  };
472 
473 // private
475 {
476  ULONG HandleCount;
479 
480 // private
482 {
483  ULONGLONG AccumulatedCycles;
484  ULONGLONG CurrentCycleCount;
486 
487 // private
489 {
490  ULONG WindowFlags;
492  WCHAR WindowTitle[1];
494 
495 // private
497 {
498  HANDLE HandleValue;
499  ULONG_PTR HandleCount;
500  ULONG_PTR PointerCount;
504  ULONG Reserved;
506 
507 // private
509 {
510  ULONG_PTR NumberOfHandles;
511  ULONG_PTR Reserved;
514 
515 #if (PHNT_MODE != PHNT_MODE_KERNEL)
516 
517 // private
// Control Flow Guard policy member of PROCESS_MITIGATION_POLICY_INFORMATION.
// Defined here because the SDK of the time lacked it; 1 + 31 bits = one ULONG.
518 typedef struct _PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY
519 {
520  union
521  {
522  ULONG Flags;
523  struct
524  {
525  ULONG EnableControlFlowGuard : 1;
526  ULONG ReservedFlags : 31;
527  };
528  };
529 } PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY, *PPROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY;
530 
531 // private
// Payload for the set-only ProcessMitigationPolicy class. Policy selects which
// union member is meaningful; the member types other than the CFG one above are
// not defined in this header (they appear to come from the SDK). Exploit
// mitigations such as DEP/ASLR, dynamic-code and signature restrictions are
// applied through this path, so changes to it are worth auditing.
532 typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION
533 {
534  PROCESS_MITIGATION_POLICY Policy;
535  union
536  {
537  PROCESS_MITIGATION_ASLR_POLICY ASLRPolicy;
538  PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY StrictHandleCheckPolicy;
539  PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY SystemCallDisablePolicy;
540  PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY ExtensionPointDisablePolicy;
541  PROCESS_MITIGATION_DYNAMIC_CODE_POLICY DynamicCodePolicy;
542  PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY ControlFlowGuardPolicy;
543  PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY SignaturePolicy;
544  };
545 } PROCESS_MITIGATION_POLICY_INFORMATION, *PPROCESS_MITIGATION_POLICY_INFORMATION;
546 
// Returned by ProcessKeepAliveCount.
547 typedef struct _PROCESS_KEEPALIVE_COUNT_INFORMATION
548 {
549  ULONG WakeCount;
550  ULONG NoWakeCount;
551 } PROCESS_KEEPALIVE_COUNT_INFORMATION, *PPROCESS_KEEPALIVE_COUNT_INFORMATION;
552 
// Input for the set-only ProcessRevokeFileHandles class: names the device whose
// open file handles in the target should be revoked.
553 typedef struct _PROCESS_REVOKE_FILE_HANDLES_INFORMATION
554 {
555  UNICODE_STRING TargetDevicePath;
556 } PROCESS_REVOKE_FILE_HANDLES_INFORMATION, *PPROCESS_REVOKE_FILE_HANDLES_INFORMATION;
557 
558 // begin_private
559 
// Operation selector for PROCESS_WORKING_SET_CONTROL.
560 typedef enum _PROCESS_WORKING_SET_OPERATION
561 {
562  ProcessWorkingSetSwap,
563  ProcessWorkingSetEmpty,
564  ProcessWorkingSetOperationMax
565 } PROCESS_WORKING_SET_OPERATION;
566 
// Input for the set-only ProcessWorkingSetControl class. Version is a struct
// version field; its expected value is not given here.
567 typedef struct _PROCESS_WORKING_SET_CONTROL
568 {
569  ULONG Version;
570  PROCESS_WORKING_SET_OPERATION Operation;
571  ULONG Flags;
572 } PROCESS_WORKING_SET_CONTROL, *PPROCESS_WORKING_SET_CONTROL;
573 
// Protection type stored in PS_PROTECTION.Type (3 bits). "ProtectedLight" is
// PPL, "Protected" is full PP; None means an ordinary process.
574 typedef enum _PS_PROTECTED_TYPE
575 {
576  PsProtectedTypeNone,
577  PsProtectedTypeProtectedLight,
578  PsProtectedTypeProtected,
579  PsProtectedTypeMax
580 } PS_PROTECTED_TYPE;
581 
// Signer class stored in PS_PROTECTION.Signer (4 bits). Higher-numbered signers
// are generally stronger (WinTcb > Windows > Lsa > Antimalware ...), and the
// kernel uses signer/type to decide which protected processes may open which.
582 typedef enum _PS_PROTECTED_SIGNER
583 {
584  PsProtectedSignerNone,
585  PsProtectedSignerAuthenticode,
586  PsProtectedSignerCodeGen,
587  PsProtectedSignerAntimalware,
588  PsProtectedSignerLsa,
589  PsProtectedSignerWindows,
590  PsProtectedSignerWinTcb,
591  PsProtectedSignerMax
592 } PS_PROTECTED_SIGNER;
593 
// Protected-process level returned by ProcessProtectionInformation. Level packs
// Type (PS_PROTECTED_TYPE, 3 bits), Audit (1 bit) and Signer (PS_PROTECTED_SIGNER,
// 4 bits) into one byte, so Level == 0 is an unprotected process. Bit order
// assumes the MSVC layout (low bits first) — confirm before porting.
594 typedef struct _PS_PROTECTION
595 {
596  union
597  {
598  UCHAR Level;
599  struct
600  {
601  UCHAR Type : 3;
602  UCHAR Audit : 1;
603  UCHAR Signer : 4;
604  };
605  };
606 } PS_PROTECTION, *PPS_PROTECTION;
607 
608 // end_private
609 
610 #endif
611 
612 // Thread information structures
613 
615 {
616  NTSTATUS ExitStatus;
619  ULONG_PTR AffinityMask;
623 
624 // private
626 {
630 
631 // private
633 {
634  ULONGLONG AccumulatedCycles;
635  ULONGLONG CurrentCycleCount;
637 
638 // private
640 {
641  PVOID TebInformation; // buffer to place data in
642  ULONG TebOffset; // offset in TEB to begin reading from
643  ULONG BytesToRead; // number of bytes to read
645 
646 // symbols
647 typedef struct _COUNTER_READING
648 {
649  HARDWARE_COUNTER_TYPE Type;
650  ULONG Index;
651  ULONG64 Start;
652  ULONG64 Total;
654 
655 // symbols
657 {
658  USHORT Size;
659  USHORT Version;
660  PROCESSOR_NUMBER ProcessorNumber;
663  ULONG64 UpdateCount;
667  COUNTER_READING HwCounters[MAX_HW_COUNTERS];
669 
670 // private
672 {
674  ULONG Flags;
675  ULONG Enable;
676  PTHREAD_PERFORMANCE_DATA PerformanceData;
678 
679 // System calls
680 
681 // Processes
682 
683 #if (PHNT_MODE != PHNT_MODE_KERNEL)
684 
// Legacy process creation: builds a process object from SectionHandle (or clones
// ParentProcess's address space when it is NULL) without creating a thread.
// ParentProcess needs PROCESS_CREATE_PROCESS. Superseded by NtCreateProcessEx and
// NtCreateUserProcess below.
685 NTSYSCALLAPI
686 NTSTATUS
687 NTAPI
688 NtCreateProcess(
689  _Out_ PHANDLE ProcessHandle,
690  _In_ ACCESS_MASK DesiredAccess,
691  _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
692  _In_ HANDLE ParentProcess,
693  _In_ BOOLEAN InheritObjectTable,
694  _In_opt_ HANDLE SectionHandle,
695  _In_opt_ HANDLE DebugPort,
696  _In_opt_ HANDLE ExceptionPort
697  );
698 
// Flags for NtCreateProcessEx / NtCreateUserProcess (ProcessFlags). INHERIT_HANDLES
// replaces the older InheritObjectTable BOOLEAN; the list continues under
// "Extended PROCESS_CREATE_FLAGS_*" further down.
699 #define PROCESS_CREATE_FLAGS_BREAKAWAY 0x00000001
700 #define PROCESS_CREATE_FLAGS_NO_DEBUG_INHERIT 0x00000002
701 #define PROCESS_CREATE_FLAGS_INHERIT_HANDLES 0x00000004
702 #define PROCESS_CREATE_FLAGS_OVERRIDE_ADDRESS_SPACE 0x00000008
703 #define PROCESS_CREATE_FLAGS_LARGE_PAGES 0x00000010
704 
// NtCreateProcess with a Flags word (PROCESS_CREATE_FLAGS_*) in place of the
// inherit BOOLEAN, plus JobMemberLevel. Still creates no initial thread.
705 NTSYSCALLAPI
706 NTSTATUS
707 NTAPI
708 NtCreateProcessEx(
709  _Out_ PHANDLE ProcessHandle,
710  _In_ ACCESS_MASK DesiredAccess,
711  _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
712  _In_ HANDLE ParentProcess,
713  _In_ ULONG Flags,
714  _In_opt_ HANDLE SectionHandle,
715  _In_opt_ HANDLE DebugPort,
716  _In_opt_ HANDLE ExceptionPort,
717  _In_ ULONG JobMemberLevel
718  );
719 
// Open a handle to an existing process, by ClientId (PID, thread id optional) or by
// object name in ObjectAttributes. The granted rights come from the access check
// against DesiredAccess — this is where handle-open auditing hooks in.
720 NTSYSCALLAPI
721 NTSTATUS
722 NTAPI
723 NtOpenProcess(
724  _Out_ PHANDLE ProcessHandle,
725  _In_ ACCESS_MASK DesiredAccess,
726  _In_ POBJECT_ATTRIBUTES ObjectAttributes,
727  _In_opt_ PCLIENT_ID ClientId
728  );
729 
// Terminate a process with ExitStatus; needs PROCESS_TERMINATE on the handle.
// NOTE(review): ProcessHandle is optional — NULL is understood to mean the
// calling process (terminating its other threads); confirm before relying on it.
730 NTSYSCALLAPI
731 NTSTATUS
732 NTAPI
733 NtTerminateProcess(
734  _In_opt_ HANDLE ProcessHandle,
735  _In_ NTSTATUS ExitStatus
736  );
737 
// Suspend every thread of the process; needs PROCESS_SUSPEND_RESUME.
738 NTSYSCALLAPI
739 NTSTATUS
740 NTAPI
741 NtSuspendProcess(
742  _In_ HANDLE ProcessHandle
743  );
744 
// Undo one NtSuspendProcess (suspend counts are per thread); needs PROCESS_SUSPEND_RESUME.
745 NTSYSCALLAPI
746 NTSTATUS
747 NTAPI
748 NtResumeProcess(
749  _In_ HANDLE ProcessHandle
750  );
751 
// Pseudo-handles for the caller's own process (-1) and thread (-2). They are not
// real handle-table entries: never close them, and never pass them to another
// process expecting them to refer back to the caller.
752 #define NtCurrentProcess() ((HANDLE)(LONG_PTR)-1)
753 #define ZwCurrentProcess() NtCurrentProcess()
754 #define NtCurrentThread() ((HANDLE)(LONG_PTR)-2)
755 #define ZwCurrentThread() NtCurrentThread()
756 #define NtCurrentPeb() (NtCurrentTeb()->ProcessEnvironmentBlock)
757 
758 // Not NT, but useful.
// Read the caller's ids straight from the TEB (no syscall); TEB fields are
// user-writable, so these are convenience values, not a trust anchor.
759 #define NtCurrentProcessId() (NtCurrentTeb()->ClientId.UniqueProcess)
760 #define NtCurrentThreadId() (NtCurrentTeb()->ClientId.UniqueThread)
761 
762 
// Query one PROCESSINFOCLASS into the caller's buffer. Required handle rights
// depend on the class (most need PROCESS_QUERY_INFORMATION or
// PROCESS_QUERY_LIMITED_INFORMATION). For variable-length classes a too-small
// buffer typically fails with STATUS_INFO_LENGTH_MISMATCH and ReturnLength, when
// supplied, carries the size needed — always check it before trusting the buffer.
763 NTSYSCALLAPI
764 NTSTATUS
765 NTAPI
766 NtQueryInformationProcess(
767  _In_ HANDLE ProcessHandle,
768  _In_ PROCESSINFOCLASS ProcessInformationClass,
769  _Out_writes_bytes_(ProcessInformationLength) PVOID ProcessInformation,
770  _In_ ULONG ProcessInformationLength,
771  _Out_opt_ PULONG ReturnLength
772  );
773 
774 #if (PHNT_VERSION >= PHNT_WS03)
// Walk the process list: returns a new handle (opened with DesiredAccess) to the
// process following ProcessHandle. The caller owns NewProcessHandle and must close
// it; presumably a NULL ProcessHandle starts the walk — confirm.
775 NTSYSCALLAPI
776 NTSTATUS
777 NTAPI
778 NtGetNextProcess(
779  _In_ HANDLE ProcessHandle,
780  _In_ ACCESS_MASK DesiredAccess,
781  _In_ ULONG HandleAttributes,
782  _In_ ULONG Flags,
783  _Out_ PHANDLE NewProcessHandle
784  );
785 #endif
786 
787 #if (PHNT_VERSION >= PHNT_WS03)
// Walk the threads of ProcessHandle, returning a new handle to the thread after
// ThreadHandle. The caller owns NewThreadHandle and must close it.
788 NTSYSCALLAPI
789 NTSTATUS
790 NTAPI
791 NtGetNextThread(
792  _In_ HANDLE ProcessHandle,
793  _In_ HANDLE ThreadHandle,
794  _In_ ACCESS_MASK DesiredAccess,
795  _In_ ULONG HandleAttributes,
796  _In_ ULONG Flags,
797  _Out_ PHANDLE NewThreadHandle
798  );
799 #endif
800 
// Set one PROCESSINFOCLASS from the caller's buffer (the "s:" entries). Most
// classes need PROCESS_SET_INFORMATION; some (e.g. ProcessBreakOnTermination,
// ProcessAccessToken) additionally require privileges — see the enum comments.
801 NTSYSCALLAPI
802 NTSTATUS
803 NTAPI
804 NtSetInformationProcess(
805  _In_ HANDLE ProcessHandle,
806  _In_ PROCESSINFOCLASS ProcessInformationClass,
807  _In_reads_bytes_(ProcessInformationLength) PVOID ProcessInformation,
808  _In_ ULONG ProcessInformationLength
809  );
810 
// Takes no arguments; what it reports about the caller's ports is not documented here.
811 NTSYSCALLAPI
812 NTSTATUS
813 NTAPI
814 NtQueryPortInformationProcess(
815  VOID
816  );
817 
818 #endif
819 
820 // Threads
821 
822 #if (PHNT_MODE != PHNT_MODE_KERNEL)
823 
// Legacy thread creation: the caller supplies the full initial CONTEXT and stack
// description (INITIAL_TEB) for a thread in ProcessHandle. Needs
// PROCESS_CREATE_THREAD on the target; prefer NtCreateThreadEx on Vista+.
824 NTSYSCALLAPI
825 NTSTATUS
826 NTAPI
827 NtCreateThread(
828  _Out_ PHANDLE ThreadHandle,
829  _In_ ACCESS_MASK DesiredAccess,
830  _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
831  _In_ HANDLE ProcessHandle,
832  _Out_ PCLIENT_ID ClientId,
833  _In_ PCONTEXT ThreadContext,
834  _In_ PINITIAL_TEB InitialTeb,
835  _In_ BOOLEAN CreateSuspended
836  );
837 
// Open a handle to an existing thread by ClientId (thread id, PID optional) or by
// object name; granted rights follow the access check against DesiredAccess.
838 NTSYSCALLAPI
839 NTSTATUS
840 NTAPI
841 NtOpenThread(
842  _Out_ PHANDLE ThreadHandle,
843  _In_ ACCESS_MASK DesiredAccess,
844  _In_ POBJECT_ATTRIBUTES ObjectAttributes,
845  _In_opt_ PCLIENT_ID ClientId
846  );
847 
// Terminate a thread with ExitStatus; needs THREAD_TERMINATE. ThreadHandle is
// optional — NULL is understood to mean the calling thread (confirm).
848 NTSYSCALLAPI
849 NTSTATUS
850 NTAPI
851 NtTerminateThread(
852  _In_opt_ HANDLE ThreadHandle,
853  _In_ NTSTATUS ExitStatus
854  );
855 
// Increment the thread's suspend count; optionally returns the previous count.
856 NTSYSCALLAPI
857 NTSTATUS
858 NTAPI
859 NtSuspendThread(
860  _In_ HANDLE ThreadHandle,
861  _Out_opt_ PULONG PreviousSuspendCount
862  );
863 
// Decrement the thread's suspend count; the thread runs when it reaches zero.
864 NTSYSCALLAPI
865 NTSTATUS
866 NTAPI
867 NtResumeThread(
868  _In_ HANDLE ThreadHandle,
869  _Out_opt_ PULONG PreviousSuspendCount
870  );
871 
// Returns the processor the caller is currently running on (may change immediately after).
872 NTSYSCALLAPI
873 ULONG
874 NTAPI
875 NtGetCurrentProcessorNumber(
876  VOID
877  );
878 
// Read the thread's register context. ThreadContext is _Inout_: its ContextFlags
// select which register groups to fill. Needs THREAD_GET_CONTEXT.
879 NTSYSCALLAPI
880 NTSTATUS
881 NTAPI
882 NtGetContextThread(
883  _In_ HANDLE ThreadHandle,
884  _Inout_ PCONTEXT ThreadContext
885  );
886 
// Overwrite the thread's register context (groups selected by ContextFlags).
// Needs THREAD_SET_CONTEXT; the target should normally be suspended first.
888 NTSYSCALLAPI
889 NTSTATUS
890 NTAPI
891 NtSetContextThread(
892  _In_ HANDLE ThreadHandle,
893  _In_ PCONTEXT ThreadContext
894  );
894 
// Query one THREADINFOCLASS; same buffer/ReturnLength contract as
// NtQueryInformationProcess. Most classes need THREAD_QUERY_INFORMATION.
895 NTSYSCALLAPI
896 NTSTATUS
897 NTAPI
898 NtQueryInformationThread(
899  _In_ HANDLE ThreadHandle,
900  _In_ THREADINFOCLASS ThreadInformationClass,
901  _Out_writes_bytes_(ThreadInformationLength) PVOID ThreadInformation,
902  _In_ ULONG ThreadInformationLength,
903  _Out_opt_ PULONG ReturnLength
904  );
905 
// Set one THREADINFOCLASS (the "s:" entries). ThreadImpersonationToken and
// ThreadHideFromDebugger go through here; the former needs THREAD_SET_THREAD_TOKEN,
// most others THREAD_SET_INFORMATION.
906 NTSYSCALLAPI
907 NTSTATUS
908 NTAPI
909 NtSetInformationThread(
910  _In_ HANDLE ThreadHandle,
911  _In_ THREADINFOCLASS ThreadInformationClass,
912  _In_reads_bytes_(ThreadInformationLength) PVOID ThreadInformation,
913  _In_ ULONG ThreadInformationLength
914  );
915 
// Alert the thread, waking it from an alertable wait with STATUS_ALERTED.
916 NTSYSCALLAPI
917 NTSTATUS
918 NTAPI
919 NtAlertThread(
920  _In_ HANDLE ThreadHandle
921  );
922 
// NtAlertThread combined with NtResumeThread; returns the previous suspend count.
923 NTSYSCALLAPI
924 NTSTATUS
925 NTAPI
926 NtAlertResumeThread(
927  _In_ HANDLE ThreadHandle,
928  _Out_opt_ PULONG PreviousSuspendCount
929  );
930 
// Check the caller for a pending alert and deliver any queued user-mode APCs
// (see NtQueueApcThread) without otherwise waiting.
931 NTSYSCALLAPI
932 NTSTATUS
933 NTAPI
934 NtTestAlert(
935  VOID
936  );
937 
// Make ServerThreadHandle impersonate the security context of ClientThreadHandle,
// at the impersonation level given in SecurityQos. This is the primitive behind
// token borrowing, so both handles' rights matter: presumably THREAD_IMPERSONATE on
// the server side and THREAD_DIRECT_IMPERSONATION on the client side — confirm.
938 NTSYSCALLAPI
939 NTSTATUS
940 NTAPI
941 NtImpersonateThread(
942  _In_ HANDLE ServerThreadHandle,
943  _In_ HANDLE ClientThreadHandle,
944  _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos
945  );
946 
// Register an LPC port that receives a message when the calling thread terminates.
947 NTSYSCALLAPI
948 NTSTATUS
949 NTAPI
950 NtRegisterThreadTerminatePort(
951  _In_ HANDLE PortHandle
952  );
953 
// Install up to two LDT descriptors for the calling process, each given as a
// selector plus the low/high descriptor dwords. Meaningful only on 32-bit x86;
// the kernel is expected to validate the descriptors it accepts.
954 NTSYSCALLAPI
955 NTSTATUS
956 NTAPI
957 NtSetLdtEntries(
958  _In_ ULONG Selector0,
959  _In_ ULONG Entry0Low,
960  _In_ ULONG Entry0Hi,
961  _In_ ULONG Selector1,
962  _In_ ULONG Entry1Low,
963  _In_ ULONG Entry1Hi
964  );
965 
// Signature of a user-mode APC routine queued with NtQueueApcThread; the three
// arguments are passed through verbatim. Note: no calling-convention annotation —
// on x86 this defaults to the compiler's default (normally __cdecl); confirm.
966 typedef VOID (*PPS_APC_ROUTINE)(
967  _In_opt_ PVOID ApcArgument1,
968  _In_opt_ PVOID ApcArgument2,
969  _In_opt_ PVOID ApcArgument3
970  );
971 
// Queue a user-mode APC to ThreadHandle: ApcRoutine runs in that thread's context
// the next time it enters an alertable wait or calls NtTestAlert. Needs
// THREAD_SET_CONTEXT on the handle. Because it executes caller-chosen code in
// another thread, cross-process use is a standard telemetry/EDR focus.
972 NTSYSCALLAPI
973 NTSTATUS
974 NTAPI
975 NtQueueApcThread(
976  _In_ HANDLE ThreadHandle,
977  _In_ PPS_APC_ROUTINE ApcRoutine,
978  _In_opt_ PVOID ApcArgument1,
979  _In_opt_ PVOID ApcArgument2,
980  _In_opt_ PVOID ApcArgument3
981  );
982 
983 #endif
984 
985 // User processes and threads
986 
987 #if (PHNT_MODE != PHNT_MODE_KERNEL)
988 
989 // Attributes
990 
991 // begin_rev
// Layout of a PS_ATTRIBUTE.Attribute value: low 16 bits are the PS_ATTRIBUTE_NUM,
// the upper bits are flags combined by PsAttributeValue() below.
// NOTE(review): later revisions of this header name the 0x00040000 bit
// PS_ATTRIBUTE_ADDITIVE — confirm before relying on the "unknown" name here.
992 #define PS_ATTRIBUTE_NUMBER_MASK 0x0000ffff
993 #define PS_ATTRIBUTE_THREAD 0x00010000 // can be used with threads
994 #define PS_ATTRIBUTE_INPUT 0x00020000 // input only
995 #define PS_ATTRIBUTE_UNKNOWN 0x00040000
996 // end_rev
997 
998 // private
// Attribute numbers for PS_ATTRIBUTE_LIST entries passed to NtCreateUserProcess /
// NtCreateThreadEx. "in" = the kernel reads ValuePtr/Value, "out" = it writes
// there; the number is the low 16 bits of the full attribute constant.
999 typedef enum _PS_ATTRIBUTE_NUM
1000 {
1001  PsAttributeParentProcess, // in HANDLE
1002  PsAttributeDebugPort, // in HANDLE
1003  PsAttributeToken, // in HANDLE
1004  PsAttributeClientId, // out PCLIENT_ID
1005  PsAttributeTebAddress, // out PTEB *
1006  PsAttributeImageName, // in PWSTR
1007  PsAttributeImageInfo, // out PSECTION_IMAGE_INFORMATION
1008  PsAttributeMemoryReserve, // in PPS_MEMORY_RESERVE
1009  PsAttributePriorityClass, // in UCHAR
1010  PsAttributeErrorMode, // in ULONG
1011  PsAttributeStdHandleInfo, // 10, in PPS_STD_HANDLE_INFO
1012  PsAttributeHandleList, // in PHANDLE
1013  PsAttributeGroupAffinity, // in PGROUP_AFFINITY
1014  PsAttributePreferredNode, // in PUSHORT
1015  PsAttributeIdealProcessor, // in PPROCESSOR_NUMBER
1016  PsAttributeUmsThread, // ? in PUMS_CREATE_THREAD_ATTRIBUTES
1017  PsAttributeMitigationOptions, // in UCHAR
1018  PsAttributeProtectionLevel, // no PS_ATTRIBUTE_* constant is defined for this one below
1019  PsAttributeMax
1020 } PS_ATTRIBUTE_NUM;
1021 
1022 // begin_rev
1023 
// Compose a full attribute constant: Number masked to 16 bits, OR'd with the
// THREAD/INPUT/UNKNOWN flag bits selected by the three boolean arguments.
// Each argument is evaluated once and parenthesized, so it is safe with expressions.
1024 #define PsAttributeValue(Number, Thread, Input, Unknown) \
1025  (((Number) & PS_ATTRIBUTE_NUMBER_MASK) | \
1026  ((Thread) ? PS_ATTRIBUTE_THREAD : 0) | \
1027  ((Input) ? PS_ATTRIBUTE_INPUT : 0) | \
1028  ((Unknown) ? PS_ATTRIBUTE_UNKNOWN : 0))
1029 
// Ready-made attribute constants. The TRUE/FALSE triple is (Thread, Input, Unknown):
// entries with Input FALSE (CLIENT_ID, TEB_ADDRESS, IMAGE_INFO) are written back by
// the kernel; entries with Thread TRUE are also valid for NtCreateThreadEx.
// PARENT_PROCESS and TOKEN decide the new process's lineage and security context —
// parent-PID spoofing and token swapping both go through these two attributes, so
// process-creation telemetry should not trust the apparent parent alone.
1030 #define PS_ATTRIBUTE_PARENT_PROCESS \
1031  PsAttributeValue(PsAttributeParentProcess, FALSE, TRUE, TRUE)
1032 #define PS_ATTRIBUTE_DEBUG_PORT \
1033  PsAttributeValue(PsAttributeDebugPort, FALSE, TRUE, TRUE)
1034 #define PS_ATTRIBUTE_TOKEN \
1035  PsAttributeValue(PsAttributeToken, FALSE, TRUE, TRUE)
1036 #define PS_ATTRIBUTE_CLIENT_ID \
1037  PsAttributeValue(PsAttributeClientId, TRUE, FALSE, FALSE)
1038 #define PS_ATTRIBUTE_TEB_ADDRESS \
1039  PsAttributeValue(PsAttributeTebAddress, TRUE, FALSE, FALSE)
1040 #define PS_ATTRIBUTE_IMAGE_NAME \
1041  PsAttributeValue(PsAttributeImageName, FALSE, TRUE, FALSE)
1042 #define PS_ATTRIBUTE_IMAGE_INFO \
1043  PsAttributeValue(PsAttributeImageInfo, FALSE, FALSE, FALSE)
1044 #define PS_ATTRIBUTE_MEMORY_RESERVE \
1045  PsAttributeValue(PsAttributeMemoryReserve, FALSE, TRUE, FALSE)
1046 #define PS_ATTRIBUTE_PRIORITY_CLASS \
1047  PsAttributeValue(PsAttributePriorityClass, FALSE, TRUE, FALSE)
1048 #define PS_ATTRIBUTE_ERROR_MODE \
1049  PsAttributeValue(PsAttributeErrorMode, FALSE, TRUE, FALSE)
1050 #define PS_ATTRIBUTE_STD_HANDLE_INFO \
1051  PsAttributeValue(PsAttributeStdHandleInfo, FALSE, TRUE, FALSE)
1052 #define PS_ATTRIBUTE_HANDLE_LIST \
1053  PsAttributeValue(PsAttributeHandleList, FALSE, TRUE, FALSE)
1054 #define PS_ATTRIBUTE_GROUP_AFFINITY \
1055  PsAttributeValue(PsAttributeGroupAffinity, TRUE, TRUE, FALSE)
1056 #define PS_ATTRIBUTE_PREFERRED_NODE \
1057  PsAttributeValue(PsAttributePreferredNode, FALSE, TRUE, FALSE)
1058 #define PS_ATTRIBUTE_IDEAL_PROCESSOR \
1059  PsAttributeValue(PsAttributeIdealProcessor, TRUE, TRUE, FALSE)
1060 #define PS_ATTRIBUTE_MITIGATION_OPTIONS \
1061  PsAttributeValue(PsAttributeMitigationOptions, FALSE, TRUE, TRUE)
1062 
1063 // end_rev
1064 
1065 // begin_private
1066 
// One entry of a PS_ATTRIBUTE_LIST. Attribute is a PS_ATTRIBUTE_* constant; Size
// is the byte size of the data at ValuePtr (or of Value when the attribute is an
// inline scalar). ReturnLength, when non-NULL, receives the size the kernel wrote
// for "out" attributes.
1067 typedef struct _PS_ATTRIBUTE
1068 {
1069  ULONG Attribute;
1070  SIZE_T Size;
1071  union
1072  {
1073  ULONG Value;
1074  PVOID ValuePtr;
1075  };
1076  PSIZE_T ReturnLength;
1077 } PS_ATTRIBUTE, *PPS_ATTRIBUTE;
1078 
// Attribute list for NtCreateUserProcess / NtCreateThreadEx. Attributes[1] is a
// trailing array; TotalLength is the byte size of the whole list (header included)
// and is what the kernel uses to find the element count — size it carefully.
1079 typedef struct _PS_ATTRIBUTE_LIST
1080 {
1081  SIZE_T TotalLength;
1082  PS_ATTRIBUTE Attributes[1];
1083 } PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST;
1084 
// Payload for PS_ATTRIBUTE_MEMORY_RESERVE: a region to reserve in the new
// process's address space before the image is mapped.
1085 typedef struct _PS_MEMORY_RESERVE
1086 {
1087  PVOID ReserveAddress;
1088  SIZE_T ReserveSize;
1089 } PS_MEMORY_RESERVE, *PPS_MEMORY_RESERVE;
1090 
// Standard-handle duplication policy carried in PS_STD_HANDLE_INFO.StdHandleState (2 bits).
1091 typedef enum _PS_STD_HANDLE_STATE
1092 {
1093  PsNeverDuplicate,
1094  PsRequestDuplicate, // duplicate standard handles specified by PseudoHandleMask, and only if StdHandleSubsystemType matches the image subsystem
1095  PsAlwaysDuplicate, // always duplicate standard handles
1096  PsMaxStdHandleStates
1097 } PS_STD_HANDLE_STATE;
1098 
1099 // begin_rev
// Bits of PS_STD_HANDLE_INFO.PseudoHandleMask (3 bits: stdin, stdout, stderr).
1100 #define PS_STD_INPUT_HANDLE 0x1
1101 #define PS_STD_OUTPUT_HANDLE 0x2
1102 #define PS_STD_ERROR_HANDLE 0x4
1103 // end_rev
1104 
// Payload for PS_ATTRIBUTE_STD_HANDLE_INFO: which standard handles to duplicate
// into the child and under what policy (see PS_STD_HANDLE_STATE / PS_STD_*).
1105 typedef struct _PS_STD_HANDLE_INFO
1106 {
1107  union
1108  {
1109  ULONG Flags;
1110  struct
1111  {
1112  ULONG StdHandleState : 2; // PS_STD_HANDLE_STATE
1113  ULONG PseudoHandleMask : 3; // PS_STD_*
1114  };
1115  };
1116  ULONG StdHandleSubsystemType;
1117 } PS_STD_HANDLE_INFO, *PPS_STD_HANDLE_INFO;
1118 
1119 // windows-internals-book:"Chapter 5"
// Progress/outcome of NtCreateUserProcess, reported in PS_CREATE_INFO.State. The
// caller sets PsCreateInitialState; on return the Fail* values say which stage
// failed and select the matching union member in PS_CREATE_INFO.
1120 typedef enum _PS_CREATE_STATE
1121 {
1122  PsCreateInitialState,
1123  PsCreateFailOnFileOpen,
1124  PsCreateFailOnSectionCreate,
1125  PsCreateFailExeFormat,
1126  PsCreateFailMachineMismatch,
1127  PsCreateFailExeName, // Debugger specified
1128  PsCreateSuccess,
1129  PsCreateMaximumStates
1130 } PS_CREATE_STATE;
1131 
// How much of the Image File Execution Options registry key the kernel consults
// during creation (PS_CREATE_INFO.InitState.IFEOKeyState, 2 bits). IFEO is a
// well-known persistence/debugger-hijack location, so a creator skipping it is notable.
1132 typedef enum _PS_IFEO_KEY_STATE
1133 {
1134  PsReadIFEOAllValues,
1135  PsSkipIFEODebugger,
1136  PsSkipAllIFEO,
1137  PsMaxIFEOKeyStates
1138 } PS_IFEO_KEY_STATE, *PPS_IFEO_KEY_STATE;
1139 
// In/out record for NtCreateUserProcess. The caller fills Size and InitState;
// the kernel sets State and the union member named in the per-member comments.
// The InitFlags/OutputFlags bit-fields mix UCHAR and USHORT declarators inside a
// ULONG union — the packing assumes MSVC rules; confirm before porting.
// On PsCreateSuccess the FileHandle/SectionHandle returned are, as far as this
// header shows, owned by the caller (verify who closes them against the consumer).
1140 typedef struct _PS_CREATE_INFO
1141 {
1142  SIZE_T Size;
1143  PS_CREATE_STATE State;
1144  union
1145  {
1146  // PsCreateInitialState
1147  struct
1148  {
1149  union
1150  {
1151  ULONG InitFlags;
1152  struct
1153  {
1154  UCHAR WriteOutputOnExit : 1;
1155  UCHAR DetectManifest : 1;
1156  UCHAR SpareBits1 : 6;
1157  UCHAR IFEOKeyState : 2; // PS_IFEO_KEY_STATE
1158  UCHAR SpareBits2 : 6;
1159  USHORT ProhibitedImageCharacteristics : 16;
1160  };
1161  };
1162  ACCESS_MASK AdditionalFileAccess;
1163  } InitState;
1164 
1165  // PsCreateFailOnSectionCreate
1166  struct
1167  {
1168  HANDLE FileHandle;
1169  } FailSection;
1170 
1171  // PsCreateFailExeName
1172  struct
1173  {
1174  HANDLE IFEOKey;
1175  } ExeName;
1176 
1177  // PsCreateSuccess
1178  struct
1179  {
1180  union
1181  {
1182  ULONG OutputFlags;
1183  struct
1184  {
1185  UCHAR ProtectedProcess : 1;
1186  UCHAR AddressSpaceOverride : 1;
1187  UCHAR DevOverrideEnabled : 1; // from Image File Execution Options
1188  UCHAR ManifestDetected : 1;
1189  UCHAR SpareBits1 : 4;
1190  UCHAR SpareBits2 : 8;
1191  USHORT SpareBits3 : 16;
1192  };
1193  };
1194  HANDLE FileHandle;
1195  HANDLE SectionHandle;
1196  ULONGLONG UserProcessParametersNative; // 64-bit wide so one layout serves WOW64 callers too
1197  ULONG UserProcessParametersWow64;
1198  ULONG CurrentParameterFlags;
1199  ULONGLONG PebAddressNative;
1200  ULONG PebAddressWow64;
1201  ULONGLONG ManifestAddress;
1202  ULONG ManifestSize;
1203  } SuccessState;
1204  };
1205 } PS_CREATE_INFO, *PPS_CREATE_INFO;
1206 
1207 // end_private
1208 
1209 // Extended PROCESS_CREATE_FLAGS_*
1210 // begin_rev
// Continuation of PROCESS_CREATE_FLAGS_* (reverse-engineered names, hence the "?").
// PROTECTED_PROCESS requests protected-process creation; the kernel is expected to
// enforce the signing requirements regardless of the flag.
1211 #define PROCESS_CREATE_FLAGS_LARGE_PAGE_SYSTEM_DLL 0x00000020
1212 #define PROCESS_CREATE_FLAGS_PROTECTED_PROCESS 0x00000040
1213 #define PROCESS_CREATE_FLAGS_CREATE_SESSION 0x00000080 // ?
1214 #define PROCESS_CREATE_FLAGS_INHERIT_FROM_PARENT 0x00000100
1215 // end_rev
1216 
1217 #if (PHNT_VERSION >= PHNT_VISTA)
1218 // private
// The Vista+ syscall underneath CreateProcess: creates the process and its initial
// thread in one call. Flags come from PROCESS_CREATE_FLAGS_* / THREAD_CREATE_FLAGS_*,
// the image and its parent/token/debug-port overrides from AttributeList, and
// CreateInfo (in/out) reports the stage reached via PS_CREATE_INFO.State.
// Process-creation monitoring should read the real parent and token from the
// resulting objects rather than from what the creator claimed in the attributes.
1219 NTSYSCALLAPI
1220 NTSTATUS
1221 NTAPI
1222 NtCreateUserProcess(
1223  _Out_ PHANDLE ProcessHandle,
1224  _Out_ PHANDLE ThreadHandle,
1225  _In_ ACCESS_MASK ProcessDesiredAccess,
1226  _In_ ACCESS_MASK ThreadDesiredAccess,
1227  _In_opt_ POBJECT_ATTRIBUTES ProcessObjectAttributes,
1228  _In_opt_ POBJECT_ATTRIBUTES ThreadObjectAttributes,
1229  _In_ ULONG ProcessFlags, // PROCESS_CREATE_FLAGS_*
1230  _In_ ULONG ThreadFlags, // THREAD_CREATE_FLAGS_*
1231  _In_opt_ PVOID ProcessParameters,
1232  _Inout_ PPS_CREATE_INFO CreateInfo,
1233  _In_opt_ PPS_ATTRIBUTE_LIST AttributeList
1234  );
1235 #endif
1236 
// begin_rev
// Bits for the CreateFlags argument of NtCreateThreadEx and the ThreadFlags
// argument of NtCreateUserProcess. Entries tagged "// ?" are unconfirmed
// names; 0x00000008 and 0x00000040 are left undefined here.
#define THREAD_CREATE_FLAGS_CREATE_SUSPENDED 0x00000001 // thread starts suspended and must be resumed explicitly
#define THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH 0x00000002 // ?
#define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004 // thread is not reported to an attached debugger; an anti-analysis indicator worth surfacing in telemetry
#define THREAD_CREATE_FLAGS_HAS_SECURITY_DESCRIPTOR 0x00000010 // ?
#define THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET 0x00000020 // ?
#define THREAD_CREATE_FLAGS_INITIAL_THREAD 0x00000080 // marks the first thread of a new process — presumably set by the process-creation path rather than by callers; confirm
// end_rev
1245 
#if (PHNT_VERSION >= PHNT_VISTA)
// private
// Creates a thread in the process identified by ProcessHandle, which need not
// be the calling process; the handle must carry the right to create threads
// in it (presumably at least PROCESS_CREATE_THREAD — confirm). Because the
// target can be another process, thread creations through this call are the
// kind of event endpoint telemetry should attribute to the caller, not only
// to the process that owns the new thread. StartRoutine and Argument are
// untyped PVOIDs: this declaration enforces nothing about the entry point's
// signature. CreateFlags takes THREAD_CREATE_FLAGS_*. ZeroBits, StackSize and
// MaximumStackSize are optional; zero presumably selects the kernel default —
// confirm.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateThreadEx(
    _Out_ PHANDLE ThreadHandle, // receives a handle to the new thread, opened with DesiredAccess
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ HANDLE ProcessHandle, // process in which the thread is created
    _In_ PVOID StartRoutine, // address of the thread entry point inside ProcessHandle's address space
    _In_opt_ PVOID Argument, // passed to StartRoutine
    _In_ ULONG CreateFlags, // THREAD_CREATE_FLAGS_*
    _In_opt_ ULONG_PTR ZeroBits,
    _In_opt_ SIZE_T StackSize,
    _In_opt_ SIZE_T MaximumStackSize,
    _In_opt_ PPS_ATTRIBUTE_LIST AttributeList
    );
#endif
1265 
1266 #endif
1267 
1268 // Reserve objects
1269 
1270 #if (PHNT_MODE != PHNT_MODE_KERNEL)
1271 
1272 // private
// Kind of reserve object created by NtAllocateReserveObject. A reserve is a
// kernel object pre-allocated up front so that a later operation — here a
// user-mode APC, matching the UserApcReserveHandle parameter of
// NtQueueApcThreadEx, or an I/O completion packet — presumably does not have
// to allocate at delivery time; confirm. MemoryReserveTypeMax is a count /
// sentinel, not a valid Type value.
typedef enum _MEMORY_RESERVE_TYPE
{
    MemoryReserveUserApc, // consumed by NtQueueApcThreadEx via UserApcReserveHandle
    MemoryReserveIoCompletion, // reserve for an I/O completion packet
    MemoryReserveTypeMax // one past the last valid value
} MEMORY_RESERVE_TYPE;
1279 
1280 // begin_rev
1281 
#if (PHNT_VERSION >= PHNT_WIN7)
// Allocates a reserve object of the given Type and returns a handle to it in
// MemoryReserveHandle. ObjectAttributes is optional. The returned handle is an
// ordinary kernel handle that the caller owns and must close when the reserve
// is no longer needed.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAllocateReserveObject(
    _Out_ PHANDLE MemoryReserveHandle, // receives the reserve object handle
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ MEMORY_RESERVE_TYPE Type // MemoryReserveUserApc or MemoryReserveIoCompletion; MemoryReserveTypeMax is not valid
    );
#endif
1292 
#if (PHNT_VERSION >= PHNT_WIN7)
// Queues a user-mode APC to the thread identified by ThreadHandle.
// UserApcReserveHandle may be a reserve obtained from NtAllocateReserveObject
// with MemoryReserveUserApc; passing NULL presumably lets the kernel allocate
// the APC itself — confirm. ApcRoutine runs in the target thread's context and
// receives the three ApcArgument values. The target thread may belong to a
// different process, so the handle must carry the right to queue APCs to it
// (presumably THREAD_SET_CONTEXT — confirm); cross-process APC delivery is a
// sensitive operation that monitoring should attribute to the queuing process.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueueApcThreadEx(
    _In_ HANDLE ThreadHandle, // thread that will run the APC
    _In_opt_ HANDLE UserApcReserveHandle, // optional MemoryReserveUserApc reserve
    _In_ PPS_APC_ROUTINE ApcRoutine, // routine invoked in the target thread's user-mode context
    _In_opt_ PVOID ApcArgument1,
    _In_opt_ PVOID ApcArgument2,
    _In_opt_ PVOID ApcArgument3
    );
#endif
1306 
1307 // end_rev
1308 
1309 #endif
1310 
1311 // Job Objects
1312 
1313 #if (PHNT_MODE != PHNT_MODE_KERNEL)
1314 
// Creates a job object and returns a handle to it opened with DesiredAccess
// (JOB_OBJECT_* rights). ObjectAttributes is optional; omitting it presumably
// creates an unnamed job — confirm. The caller owns the returned handle.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateJobObject(
    _Out_ PHANDLE JobHandle, // receives the new job handle
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes
    );
1323 
// Opens an existing job object and returns a handle opened with DesiredAccess.
// Unlike NtCreateJobObject, ObjectAttributes is required here (annotated _In_,
// not _In_opt_) because it identifies which job to open.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenJobObject(
    _Out_ PHANDLE JobHandle, // receives the opened job handle
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes // names the job to open
    );
1332 
// Places the process identified by ProcessHandle into the job identified by
// JobHandle, after which the job's limits apply to it. JobHandle needs
// JOB_OBJECT_ASSIGN_PROCESS access and ProcessHandle presumably needs
// PROCESS_SET_QUOTA and PROCESS_TERMINATE, as for the Win32 equivalent —
// confirm. Whether a process already in a job can be assigned to another
// depends on the OS version's job-nesting rules; this declaration does not
// encode that.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtAssignProcessToJobObject(
    _In_ HANDLE JobHandle,
    _In_ HANDLE ProcessHandle
    );
1340 
// Terminates every process currently in the job, each with ExitStatus as its
// exit code. JobHandle needs JOB_OBJECT_TERMINATE access.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtTerminateJobObject(
    _In_ HANDLE JobHandle,
    _In_ NTSTATUS ExitStatus // exit status given to each terminated process
    );
1348 
// Tests whether ProcessHandle belongs to the job JobHandle, or — when
// JobHandle is NULL — whether it belongs to any job at all. There is no output
// parameter: the answer is conveyed through the returned NTSTATUS (the
// distinct success codes STATUS_PROCESS_IN_JOB and STATUS_PROCESS_NOT_IN_JOB),
// so callers must compare the status value rather than only test NT_SUCCESS.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtIsProcessInJob(
    _In_ HANDLE ProcessHandle,
    _In_opt_ HANDLE JobHandle // NULL asks "in any job?"
    );
1356 
// Retrieves information of class JobObjectInformationClass about a job into the
// caller's buffer. JobHandle is optional; NULL presumably refers to the job of
// the calling process, as for the Win32 equivalent — confirm. The buffer is
// JobObjectInformationLength bytes and ReturnLength, when supplied, receives
// the number of bytes written or required, so callers can size a retry on a
// buffer-too-small status.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryInformationJobObject(
    _In_opt_ HANDLE JobHandle, // NULL: the calling process's job (presumably)
    _In_ JOBOBJECTINFOCLASS JobObjectInformationClass,
    _Out_writes_bytes_(JobObjectInformationLength) PVOID JobObjectInformation, // caller buffer whose layout depends on the class
    _In_ ULONG JobObjectInformationLength, // size of JobObjectInformation in bytes
    _Out_opt_ PULONG ReturnLength // bytes written or needed
    );
1367 
// Applies information of class JobObjectInformationClass (limits, UI
// restrictions, security restrictions and so on) to the job. Job limits are a
// sandboxing primitive, so callers that rely on them for containment should
// check this call's status rather than assume the limit took effect.
// JobHandle needs JOB_OBJECT_SET_ATTRIBUTES access, and presumably
// JOB_OBJECT_SET_SECURITY_ATTRIBUTES for security-related classes — confirm.
// Unlike NtQueryInformationJobObject, JobHandle is required here.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtSetInformationJobObject(
    _In_ HANDLE JobHandle,
    _In_ JOBOBJECTINFOCLASS JobObjectInformationClass,
    _In_reads_bytes_(JobObjectInformationLength) PVOID JobObjectInformation, // input buffer whose layout depends on the class
    _In_ ULONG JobObjectInformationLength // size of JobObjectInformation in bytes
    );
1377 
// Creates a job set from the NumJob entries of UserJobSet. No Flags values are
// defined in this header; callers presumably pass 0 — confirm. Job sets are a
// legacy feature and support varies by OS version, so callers should handle an
// unsupported/invalid-parameter status.
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateJobSet(
    _In_ ULONG NumJob, // number of entries in UserJobSet
    _In_reads_(NumJob) PJOB_SET_ARRAY UserJobSet, // array of NumJob JOB_SET_ARRAY entries
    _In_ ULONG Flags // no values defined here
    );
1386 
1387 #endif
1388 
1389 #endif