/* Bit flags for a job object's security limits. The names suggest a
 * token-restriction policy (only-token / filtered tokens), but the record
 * they belong to is not declared in this excerpt.
 * NOTE(review): confirm exact semantics against the SDK before depending on them. */
#define JOB_OBJECT_SECURITY_ONLY_TOKEN 0x00000004
#define JOB_OBJECT_SECURITY_FILTER_TOKENS 0x00000008
/* Query a job object.
 * hJob                      - job handle (IN).
 * JobObjectInfoClass        - selects which record is written (IN).
 * JobObjectInfoBuffer       - caller buffer receiving the record (OUT).
 * JobObjectInfoBufferLength - size of that buffer in bytes (IN).
 * BytesReturned             - byte count reported by the call (OUT).
 * Returns an NTSTATUS; the caller must check it before reading the buffer. */
NTSYSAPI
NTSTATUS
NTAPI
NtQueryInformationJobObject(
IN HANDLE hJob,
IN JOBOBJECTINFOCLASS JobObjectInfoClass,
OUT PVOID JobObjectInfoBuffer,
IN ULONG JobObjectInfoBufferLength,
OUT PULONG BytesReturned
);
/* Function-pointer type with the same signature as NtQueryInformationJobObject,
 * presumably for resolving the export at run time instead of linking ntdll. */
typedef
NTSTATUS
(NTAPI *PFNNTQUERYINFORMATIONJOBOBJECT)(
IN HANDLE hJob,
IN JOBOBJECTINFOCLASS JobObjectInfoClass,
OUT PVOID JobObjectInfoBuffer,
IN ULONG JobObjectInfoBufferLength,
OUT PULONG BytesReturned
);
/* Zw* entry point with the same parameters as NtQueryInformationJobObject.
 * NOTE(review): the Nt/Zw distinction only matters for kernel-mode callers
 * (previous-mode / access-check behaviour) — confirm which one your call site needs. */
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationJobObject(
IN HANDLE hJob,
IN JOBOBJECTINFOCLASS JobObjectInfoClass,
OUT PVOID JobObjectInfoBuffer,
IN ULONG JobObjectInfoBufferLength,
OUT PULONG BytesReturned
);
/* Modify a job object.
 * hJob                      - job handle (IN).
 * JobObjectInfoClass        - selects which record JobObjectInfoBuffer holds (IN).
 * JobObjectInfoBuffer       - caller-supplied record (IN).
 * JobObjectInfoBufferLength - size of that record in bytes (IN).
 * Returns an NTSTATUS. Unlike the query variant there is no BytesReturned. */
NTSYSAPI
NTSTATUS
NTAPI
NtSetInformationJobObject(
IN HANDLE hJob,
IN JOBOBJECTINFOCLASS JobObjectInfoClass,
IN PVOID JobObjectInfoBuffer,
IN ULONG JobObjectInfoBufferLength
);
/* Function-pointer type matching NtSetInformationJobObject, presumably for
 * run-time export resolution. */
typedef
NTSTATUS
(NTAPI *PFNNTSETINFORMATIONJOBOBJECT)(
IN HANDLE hJob,
IN JOBOBJECTINFOCLASS JobObjectInfoClass,
IN PVOID JobObjectInfoBuffer,
IN ULONG JobObjectInfoBufferLength
);
/* Zw* entry point with the same parameters as NtSetInformationJobObject. */
NTSYSAPI
NTSTATUS
NTAPI
ZwSetInformationJobObject(
IN HANDLE hJob,
IN JOBOBJECTINFOCLASS JobObjectInfoClass,
IN PVOID JobObjectInfoBuffer,
IN ULONG JobObjectInfoBufferLength
);
/* ____________________________________________________________________
. Process Control
. ____________________________________________________________________ */
/* Create a process object.
 * phProcess             - receives the new process handle (OUT).
 * DesiredAccess         - access mask for that handle (IN).
 * ObjectAttributes      - object name/attributes (IN).
 * hParentProcess        - process whose handle table / address space is inherited from (IN).
 * bInheritParentHandles - whether inheritable handles of the parent are copied (IN).
 * hSection              - image section to map; OPTIONAL (IN).
 * hDebugPort            - debug port attached to the new process; OPTIONAL (IN).
 * hExceptionPort        - exception port attached to the new process; OPTIONAL (IN).
 * NOTE(review): what happens when hSection is omitted (presumably the parent's address
 * space is cloned) is not shown here — confirm. Security-wise, a caller that supplies
 * its own hDebugPort or a foreign hParentProcess gets control over the child it would
 * not otherwise have; treat such callers as needing justification in review. */
NTSYSAPI
NTSTATUS
NTAPI
NtCreateProcess(
OUT PHANDLE phProcess,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN HANDLE hParentProcess,
IN BOOLEAN bInheritParentHandles,
IN HANDLE hSection OPTIONAL,
IN HANDLE hDebugPort OPTIONAL,
IN HANDLE hExceptionPort OPTIONAL
);
/* Zw* entry point with the same parameters as NtCreateProcess. */
NTSYSAPI
NTSTATUS
NTAPI
ZwCreateProcess(
OUT PHANDLE phProcess,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN HANDLE hParentProcess,
IN BOOLEAN bInheritParentHandles,
IN HANDLE hSection OPTIONAL,
IN HANDLE hDebugPort OPTIONAL,
IN HANDLE hExceptionPort OPTIONAL
);
/* Terminate a process.
 * hProcess - target process handle (IN); ExitCode - exit status to record (IN).
 *
 * ExitProcess() issues this call twice: first with 0 as the process handle
 * (and the exit code), then with the current-process pseudo-handle
 * ((HANDLE)-1, i.e. 0xFFFFFFFF on a 32-bit build) and the exit code.
 * TerminateProcess() issues it once, with the target handle and exit code.
 * NOTE(review): the 0xFFFFFFFF value is 32-bit specific; use the -1 pseudo-handle
 * form, not the literal, in portable code. */
NTSYSAPI
NTSTATUS
NTAPI
NtTerminateProcess(
IN HANDLE hProcess,
IN ULONG ExitCode
);
/* Zw* entry point with the same parameters as NtTerminateProcess. */
NTSYSAPI
NTSTATUS
NTAPI
ZwTerminateProcess(
IN HANDLE hProcess,
IN ULONG ExitCode
);
/* Open an existing process by client id.
 * phProcess        - receives the handle (OUT).
 * AccessMask       - requested access (IN); request the minimum needed
 *                    (e.g. query rights rather than PROCESS_ALL_ACCESS).
 * ObjectAttributes - object attributes (IN).
 * pClientId        - CLIENT_ID holding the target process id (IN).
 * Returns an NTSTATUS; an access-denied status is the expected outcome for
 * protected targets and must be handled, not assumed away. */
NTSYSAPI
NTSTATUS
NTAPI
NtOpenProcess(
OUT PHANDLE phProcess,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID pClientId
);
/* Zw* entry point with the same parameters as NtOpenProcess. */
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenProcess(
OUT PHANDLE phProcess,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID pClientId
);
/* Process information classes added in Windows 2000. Numbering starts at
 * MaxProcessInfoClass, the end marker of the base PROCESSINFOCLASS enum,
 * which is declared outside this excerpt — so the actual values depend on
 * which header supplied that enum. The trailing comma requires C99 or later. */
typedef enum _NT2000PROCESSINFOCLASS {
ProcessDeviceMap=MaxProcessInfoClass,
ProcessSessionInformation,
ProcessForegroundInformation,
ProcessWow64Information,
} NT2000PROCESSINFOCLASS;
/*
Following information classes are valid for NtQueryInformationProcess
ProcessBasicInformation
ProcessQuotaLimits
ProcessIoCounters
ProcessVmCounters
ProcessTimes
ProcessDebugPort
ProcessLdtInformation
ProcessDefaultHardErrorMode
ProcessPooledUsageAndLimits
ProcessWorkingSetWatch
ProcessPriorityClass
ProcessWx86Information
ProcessHandleCount
ProcessPriorityBoost
ProcessDeviceMap
ProcessSessionInformation
ProcessWow64Information
Following information classes are valid for NtSetInformationProcess
ProcessQuotaLimits
ProcessBasePriority
ProcessRaisePriority
ProcessDebugPort
ProcessExceptionPort
ProcessAccessToken
ProcessLdtInformation
ProcessLdtSize
ProcessDefaultHardErrorMode
ProcessIoPortHandlers
ProcessWorkingSetWatch
ProcessUserModeIOPL
ProcessEnableAlignmentFaultFixup
ProcessPriorityClass
ProcessAffinityMask
ProcessPriorityBoost
ProcessDeviceMap
ProcessSessionInformation
ProcessForegroundInformation
ProcessWow64Information
*/
//Undocumented structure layouts returned by various process information classes
//Each record below wraps a single field; the comment above each names the
//PROCESSINFOCLASS value it is exchanged with.
//ProcessBasePriority
typedef struct BasePriority_t {
ULONG BasePriority;
} BASEPRIORITYINFO, *PBASEPRIORITYINFO;
//ProcessRaisePriority
typedef struct RaisePriority_t {
ULONG RaisePriority;
} RAISEPRIORITYINFO, *PRAISEPRIORITYINFO;
//ProcessDebugPort
//NOTE(review): querying this class is a well-known debugger-presence check
//(non-NULL port => debugger attached); flag callers in review.
typedef struct DebugPort_t {
HANDLE hDebugPort;
} DEBUGPORTINFO, *PDEBUGPORTINFO;
//ProcessExceptionPort
typedef struct ExceptionPort_t {
HANDLE hExceptionPort;
} EXCEPTIONPORTINFO, *PEXCEPTIONPORTINFO;
//ProcessLdtInformation
//x86 segment descriptor as stored in the LDT (8 bytes). HighWord can be read
//either as four raw bytes or as the architectural bit fields.
typedef struct _LDT_ENTRY {
USHORT LimitLow;
USHORT BaseLow;
union {
struct {
UCHAR BaseMid;
UCHAR Flags1;
UCHAR Flags2;
UCHAR BaseHi;
} Bytes;
struct {
ULONG BaseMid : 8;
ULONG Type : 5;
ULONG Dpl : 2;
ULONG Pres : 1;
ULONG LimitHi : 4;
ULONG Sys : 1;
ULONG Reserved_0 : 1;
ULONG Default_Big : 1;
ULONG Granularity : 1;
ULONG BaseHi : 8;
} Bits;
} HighWord;
} LDT_ENTRY, *PLDT_ENTRY;
//Size in bytes of a full LDT: 8*1024 = 8192 descriptors (the x86 13-bit selector
//index limit) times sizeof(LDT_ENTRY).
#define LDT_TABLE_SIZE ( 8 * 1024 * sizeof(LDT_ENTRY) )
//Start/Length select a byte range of the LDT; LdtEntries is variable-length.
//NOTE(review): LdtEntries[1] is the pre-C99 "flexible array" idiom, so
//sizeof(PROCESS_LDT_INFORMATION) already includes ONE entry. Size buffers as
//sizeof(PROCESS_LDT_INFORMATION) + (N-1)*sizeof(LDT_ENTRY), and never read
//past Length bytes of entries.
typedef struct _LDT_INFORMATION {
ULONG Start;
ULONG Length;
LDT_ENTRY LdtEntries[1];
} PROCESS_LDT_INFORMATION, *PPROCESS_LDT_INFORMATION;
//ProcessLdtSize
typedef struct _LDT_SIZE {
ULONG Length;
} PROCESS_LDT_SIZE, *PPROCESS_LDT_SIZE;
//Hard-error mode bits carried in HARDERRORMODEINFO.HardErrorMode.
//NOTE(review): these names/values also exist in the Win32 SDK (winbase.h);
//an identical redefinition is legal C but confirm the values match if both are included.
#define SEM_FAILCRITICALERRORS 0x0001
#define SEM_NOGPFAULTERRORBOX 0x0002
#define SEM_NOALIGNMENTFAULTEXCEPT 0x0004
#define SEM_NOOPENFILEERRORBOX 0x8000
//ProcessDefaultHardErrorMode
typedef struct HardErrorMode_t {
ULONG HardErrorMode;
} HARDERRORMODEINFO, *PHARDERRORMODEINFO;
//ProcessUserModeIOPL
//NOTE(review): a set-only class (see list above). Raising the user-mode I/O
//privilege level lets ring-3 code execute port I/O directly, which is a
//privileged operation; any caller setting this needs explicit justification.
typedef struct Iopl_t {
ULONG Iopl;
} IOPLINFO, *PIOPLINFO;
//ProcessEnableAlignmentFaultFixup
//(The "Allignment" spelling is kept: it is part of the public type name.)
typedef struct AllignmentFault_t {
BOOLEAN bEnableAllignmentFaultFixup;
} ALLIGNMENTFAULTFIXUPINFO, *PALLIGNMENTFAULTFIXUPINFO;
//Kernel-side priority class codes carried in PRIORITYCLASSINFO.PriorityClass.
//These are NOT the Win32 *_PRIORITY_CLASS bit flags (0x20, 0x40, ...); do not mix them.
#define KRNL_NORMAL_PRIORITY_CLASS 0x02
#define KRNL_IDLE_PRIORITY_CLASS 0x01
#define KRNL_HIGH_PRIORITY_CLASS 0x03
#define KRNL_REALTIME_PRIORITY_CLASS 0x04
//ProcessPriorityClass
//Two-byte record; the first byte's meaning is not known here (hence "Unknown").
typedef struct PriorityClass_t {
UCHAR Unknown;
UCHAR PriorityClass;
} PRIORITYCLASSINFO, *PPRIORITYCLASSINFO;
//ProcessWx86Information
typedef struct x86_t {
ULONG x86Info;
} X86INFO, *PX86INFO;
//ProcessHandleCount
typedef struct HandleCount_t {
ULONG HandleCount;
} HANDLECOUNTINFO, *PHANDLECOUNTINFO;
//ProcessAffinityMask
//NOTE(review): ULONG matches a 32-bit KAFFINITY only; on Win64 the mask is
//pointer-sized — confirm before using this layout there.
typedef struct AffinityMask_t {
ULONG AffinityMask;
} AFFINITYMASKINFO, *PAFFINITYMASKINFO;
//ProcessPriorityBoost
//Non-zero enables priority boosting (the field is a ULONG used as a boolean).
typedef struct PriorityBoost_t {
ULONG bPriorityBoostEnabled;
} PRIORITYBOOSTINFO, *PPRIORITYBOOSTINFO;
//ProcessDeviceMap
//Union with a distinct shape for the set and query directions:
//  Set.DirectoryHandle  - object-directory handle to install as the device map
//  Query.DriveMap       - bit i set => drive letter i exists
//  Query.DriveType[i]   - one of the DRIVE_* codes below for drive letter i
//The anonymous union needs C11 or a compiler extension (MSVC provides one).
typedef struct _PROCESS_DEVICEMAP_INFORMATION {
union {
struct {
HANDLE DirectoryHandle;
} Set;
struct {
ULONG DriveMap;
UCHAR DriveType[ 32 ];
} Query;
};
} PROCESS_DEVICEMAP_INFORMATION, *PPROCESS_DEVICEMAP_INFORMATION;
//Drive-type codes for Query.DriveType[].
//NOTE(review): the same DRIVE_* names are defined by the Win32 SDK (winbase.h);
//redefinition is only legal if the values are identical — check when including both.
#define DRIVE_UNKNOWN 0
#define DRIVE_NO_ROOT_DIR 1
#define DRIVE_REMOVABLE 2
#define DRIVE_FIXED 3
#define DRIVE_REMOTE 4
#define DRIVE_CDROM 5
#define DRIVE_RAMDISK 6
//ProcessSessionInformation
typedef struct _PROCESS_SESSION_INFORMATION {
ULONG SessionId;
} PROCESS_SESSION_INFORMATION, *PPROCESS_SESSION_INFORMATION;
/* Query a process.
 * hProcess                - process handle with query access (IN).
 * ProcessInfoClass        - selects the record (see the list above) (IN).
 * ProcessInfoBuffer       - caller buffer receiving the record (OUT).
 * ProcessInfoBufferLength - size of that buffer in bytes (IN).
 * BytesReturned           - byte count reported by the call; OPTIONAL (OUT).
 * Always check the NTSTATUS and pass the exact record size for the class. */
NTSYSAPI
NTSTATUS
NTAPI
NtQueryInformationProcess(
IN HANDLE hProcess,
IN PROCESSINFOCLASS ProcessInfoClass,
OUT PVOID ProcessInfoBuffer,
IN ULONG ProcessInfoBufferLength,
OUT PULONG BytesReturned OPTIONAL
);
/* Zw* entry point with the same parameters as NtQueryInformationProcess. */
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationProcess(
IN HANDLE hProcess,
IN PROCESSINFOCLASS ProcessInfoClass,
OUT PVOID ProcessInfoBuffer,
IN ULONG ProcessInfoBufferLength,
OUT PULONG BytesReturned OPTIONAL
);
/* Modify a process.
 * hProcess                - process handle with set access (IN).
 * ProcessInfoClass        - selects the record ProcessInfoBuffer holds (IN).
 * ProcessInfoBuffer       - caller-supplied record (IN).
 * ProcessInfoBufferLength - size of that record in bytes (IN).
 * NOTE(review): the set-side list above includes ProcessAccessToken,
 * ProcessUserModeIOPL, ProcessIoPortHandlers and ProcessDebugPort. Replacing
 * a process's token or granting I/O privileges are privileged, high-impact
 * operations (privilege escalation if misused); callers using these classes
 * deserve scrutiny, and defenders may want to monitor them. */
NTSYSAPI
NTSTATUS
NTAPI
NtSetInformationProcess(
IN HANDLE hProcess,
IN PROCESSINFOCLASS ProcessInfoClass,
IN PVOID ProcessInfoBuffer,
IN ULONG ProcessInfoBufferLength
);
/* Zw* entry point with the same parameters as NtSetInformationProcess. */
NTSYSAPI
NTSTATUS
NTAPI
ZwSetInformationProcess(
IN HANDLE hProcess,
IN PROCESSINFOCLASS ProcessInfoClass,
IN PVOID ProcessInfoBuffer,
IN ULONG ProcessInfoBufferLength
);
/* Query a thread.
 * hThread                - thread handle with query access (IN).
 * ThreadInfoClass        - selects the record (see the list below) (IN).
 * ThreadInfoBuffer       - caller buffer receiving the record (OUT).
 * ThreadInfoBufferLength - size of that buffer in bytes (IN).
 * BytesReturned          - byte count reported by the call; OPTIONAL (OUT). */
NTSYSAPI
NTSTATUS
NTAPI
NtQueryInformationThread(
IN HANDLE hThread,
IN THREADINFOCLASS ThreadInfoClass,
OUT PVOID ThreadInfoBuffer,
IN ULONG ThreadInfoBufferLength,
OUT PULONG BytesReturned OPTIONAL
);
/* Zw* entry point with the same parameters as NtQueryInformationThread. */
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationThread(
IN HANDLE hThread,
IN THREADINFOCLASS ThreadInfoClass,
OUT PVOID ThreadInfoBuffer,
IN ULONG ThreadInfoBufferLength,
OUT PULONG BytesReturned OPTIONAL
);
/* Modify a thread.
 * hThread                - thread handle with set access (IN).
 * ThreadInfoClass        - selects the record ThreadInfoBuffer holds (IN).
 * ThreadInfoBuffer       - caller-supplied record (IN).
 * ThreadInfoBufferLength - size of that record in bytes (IN).
 * NOTE(review): the set-side list below includes ThreadImpersonationToken
 * (identity change) and ThreadHideFromDebugger (a common anti-debugging
 * marker). Both are worth flagging when they appear in callers. */
NTSYSAPI
NTSTATUS
NTAPI
NtSetInformationThread(
IN HANDLE hThread,
IN THREADINFOCLASS ThreadInfoClass,
IN PVOID ThreadInfoBuffer,
IN ULONG ThreadInfoBufferLength
);
/* Zw* entry point with the same parameters as NtSetInformationThread. */
NTSYSAPI
NTSTATUS
NTAPI
ZwSetInformationThread(
IN HANDLE hThread,
IN THREADINFOCLASS ThreadInfoClass,
IN PVOID ThreadInfoBuffer,
IN ULONG ThreadInfoBufferLength
);
/*
Following information classes are valid for NtQueryInformationThread
ThreadBasicInformation
ThreadTimes
ThreadDescriptorTableEntry
ThreadQuerySetWin32StartAddress
ThreadPerformanceCount
ThreadAmILastThread
ThreadPriorityBoost
ThreadIsIoPending
Following information classes are valid for NtSetInformationThread
ThreadPriority
ThreadBasePriority
ThreadAffinityMask
ThreadImpersonationToken
ThreadEnableAlignmentFaultFixup
ThreadEventPair
ThreadQuerySetWin32StartAddress
ThreadZeroTlsCell
ThreadIdealProcessor
ThreadPriorityBoost
ThreadSetTlsArrayAddress
ThreadHideFromDebugger
*/
//Undocumented structure layouts returned by various thread information classes
//ThreadBasicInformation
//Returned by NtQueryInformationThread(ThreadBasicInformation).
//NOTE(review): UniqueProcessId/UniqueThreadId are ULONG here, which only matches
//the CLIENT_ID layout on a 32-bit build (its members are pointer-sized); likewise
//KAFFINITY widens on Win64. Confirm the layout before using this on 64-bit.
//The meaning of DiffProcessPriority is not known from this header.
//Unlike its siblings no pointer typedef is declared for this record.
typedef struct _THREAD_BASIC_INFORMATION {
NTSTATUS ExitStatus;
PVOID TebBaseAddress;
ULONG UniqueProcessId;
ULONG UniqueThreadId;
KAFFINITY AffinityMask;
KPRIORITY BasePriority;
ULONG DiffProcessPriority;
} THREAD_BASIC_INFORMATION;
//ThreadPriority
typedef struct _THREAD_PRIORITY {
ULONG Priority;
} THREAD_PRIORITY, *PTHREAD_PRIORITY;
//ThreadBasePriority
//The field name suggests an increment applied to the base priority, not an absolute value.
typedef struct _THREAD_BASE_PRIORITY {
ULONG IncBasePriority;
} THREAD_BASE_PRIORITY, *PTHREAD_BASE_PRIORITY;
//ThreadAffinityMask
//NOTE(review): ULONG covers a 32-bit affinity mask only — confirm on Win64.
typedef struct ThreadAffinityMask_t {
ULONG ThreadAffinityMask;
} THREADAFFINITYMASKINFO, *PTHREADAFFINITYMASKINFO;
//ThreadDescriptorTableEntry
//Selector is an input (which descriptor to look up); Descriptor receives the
//LDT_ENTRY for it (same layout as defined above for the process LDT).
typedef struct _DESCRIPTOR_TABLE_ENTRY {
ULONG Selector;
LDT_ENTRY Descriptor;
} DESCRIPTOR_TABLE_ENTRY, *PDESCRIPTOR_TABLE_ENTRY;
//ThreadEventPair
typedef struct _EVENT_PAIR {
HANDLE hEventPair;
} EVENTPAIRINFO, *PEVENTPAIRINFO;
//ThreadQuerySetWin32StartAddress
//Appears in both the query and the set lists above: readable and writable.
typedef struct _WIN32_START_ADDRESS {
PVOID Win32StartAddress;
} WIN32_START_ADDRESS, *PWIN32_START_ADDRESS;
//ThreadZeroTlsCell
typedef struct _ZERO_TLSCELL {
ULONG TlsIndex;
} ZERO_TLSCELL, *PZERO_TLSCELL;
//ThreadPerformanceCount
//Two 32-bit halves; presumably the low and high words of a 64-bit counter — confirm.
typedef struct _PERFORMANCE_COUNTER {
ULONG Count1;
ULONG Count2;
} PERFORMANCE_COUNTER_INFO, *PPERFORMANCE_COUNTER_INFO;
//ThreadAmILastThread
//Non-zero when the calling thread is the last one in its process (ULONG used as a boolean).
typedef struct _AMI_LAST_THREAD {
ULONG bAmILastThread;
} AMI_LAST_THREADINFO, *PAMI_LAST_THREADINFO;
//ThreadIdealProcessor
typedef struct _IDEAL_PROCESSOR {
ULONG IdealProcessor;
} IDEAL_PROCESSORINFO, *PIDEAL_PROCESSORINFO;
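//ThreadSetTlsArrayAddress
//Record for NtSetInformationThread(ThreadSetTlsArrayAddress).
//Fix: the pointer typedef was written "PTLS_ARRAYINFO" without the '*', which made
//it a second alias for the struct instead of a pointer to it, breaking the P-prefix
//convention every other record in this header follows.
//NOTE(review): ULONG* assumes 32-bit TLS slots; confirm the element type on Win64.
typedef struct _TLS_ARRAY {
    ULONG *pTlsArray;
} TLS_ARRAYINFO, *PTLS_ARRAYINFO;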
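//Thread information classes added in Windows 2000, numbered from
//MaxThreadInfoClass (end marker of the base THREADINFOCLASS enum, declared
//outside this excerpt).
//Fix: the typedef was named NT2000PROCESSINFOCLASS, which is already the typedef
//of the process enum above; redefining a typedef with a different type is a
//compile error, so the name now matches the enum tag.
//NOTE(review): ThreadHideFromDebugger is a common anti-debugging marker — flag callers.
typedef enum _NT2000THREADINFOCLASS {
    ThreadIsIoPending=MaxThreadInfoClass,
    ThreadHideFromDebugger
} NT2000THREADINFOCLASS;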
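//ThreadIsIoPending
//Non-zero when the thread has outstanding I/O (ULONG used as a boolean).
//Fix: both pointer typedefs below lacked the '*', so PIS_IO_PENDINGINFO and
//PHIDE_FROM_DEBUGGERINFO were plain struct aliases rather than pointer types.
typedef struct _IS_IO_PENDING {
    ULONG bIsIOPending;
} IS_IO_PENDINGINFO, *PIS_IO_PENDINGINFO;
//ThreadHideFromDebugger
//Set-only class (see list above). The kernel ignores the buffer contents for this
//class in practice, but this record documents the intended boolean argument.
//NOTE(review): used for anti-debugging; flag callers.
typedef struct _HIDE_FROM_DEBUGGER {
    ULONG bHideFromDebugger;
} HIDE_FROM_DEBUGGERINFO, *PHIDE_FROM_DEBUGGERINFO;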
//Per-thread record embedded in the _SYSTEM_PROCESSES snapshot below.
//NOTE(review): the member is spelled "ClientIs" (sic); it is kept because renaming
//would break every consumer of this header. Its CLIENT_ID members are pointer-sized,
//so the record width differs between 32- and 64-bit builds — confirm the layout
//for your target.
struct _SYSTEM_THREADS
{
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientIs;
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
ULONG ThreadState;
KWAIT_REASON WaitReason;
};
//Process record in a system process snapshot (the buffer holds a chain of these,
//each followed by ThreadCount _SYSTEM_THREADS entries; Threads[1] is the pre-C99
//variable-length idiom, so sizeof already includes one thread record).
//NOTE(review): NextEntryDelta is presumably the byte offset to the next record
//(0 marking the end). A consumer walking the chain must bound-check every
//NextEntryDelta and ThreadCount against the buffer length actually returned —
//a truncated or tampered snapshot otherwise leads to out-of-bounds reads.
//ProcessId/InheritedFromProcessId are ULONG here, which only matches the
//kernel's pointer-sized fields on a 32-bit build — confirm on Win64.
struct _SYSTEM_PROCESSES
{
ULONG NextEntryDelta;
ULONG ThreadCount;
ULONG Reserved[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters; //windows 2000 only: on NT4 this field is absent and Threads[] starts earlier
struct _SYSTEM_THREADS Threads[1];
};
#endif