| use crate::ntapi_base::{CLIENT_ID, KPRIORITY, PCLIENT_ID}; |
| use crate::ntexapi::{PROCESS_DISK_COUNTERS, PROCESS_ENERGY_VALUES}; |
| use crate::ntpebteb::{PPEB, PTEB}; |
| use winapi::ctypes::c_void; |
| use winapi::shared::basetsd::{PSIZE_T, SIZE_T, ULONG64, ULONG_PTR}; |
| use winapi::shared::ntdef::{ |
| BOOLEAN, HANDLE, LARGE_INTEGER, LIST_ENTRY, LONG, LONGLONG, NTSTATUS, NT_PRODUCT_TYPE, |
| PHANDLE, PLARGE_INTEGER, POBJECT_ATTRIBUTES, PROCESSOR_NUMBER, PSINGLE_LIST_ENTRY, PULONG, |
| PVOID, SINGLE_LIST_ENTRY, UCHAR, ULONG, ULONGLONG, UNICODE_STRING, USHORT, WCHAR, |
| }; |
| use winapi::um::winnt::{ |
| ACCESS_MASK, CONTEXT, HARDWARE_COUNTER_TYPE, IO_COUNTERS, JOBOBJECTINFOCLASS, |
| JOBOBJECT_BASIC_ACCOUNTING_INFORMATION, LDT_ENTRY, MAX_HW_COUNTERS, PCONTEXT, PJOB_SET_ARRAY, |
| PROCESS_MITIGATION_ASLR_POLICY, PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY, |
| PROCESS_MITIGATION_CHILD_PROCESS_POLICY, PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY, |
| PROCESS_MITIGATION_DYNAMIC_CODE_POLICY, PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY, |
| PROCESS_MITIGATION_FONT_DISABLE_POLICY, PROCESS_MITIGATION_IMAGE_LOAD_POLICY, |
| PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY, PROCESS_MITIGATION_POLICY, |
| PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY, PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY, |
| PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY, PSECURITY_QUALITY_OF_SERVICE, |
| }; |
| #[cfg(not(target_arch = "aarch64"))] |
| use crate::winapi_local::um::winnt::NtCurrentTeb; |
| pub const GDI_HANDLE_BUFFER_SIZE32: usize = 34; |
| pub const GDI_HANDLE_BUFFER_SIZE64: usize = 60; |
| #[cfg(any(target_arch = "x86_64", target_arch = "aarch64"))] |
| pub const GDI_HANDLE_BUFFER_SIZE: usize = GDI_HANDLE_BUFFER_SIZE64; |
| #[cfg(target_arch = "x86")] |
| pub const GDI_HANDLE_BUFFER_SIZE: usize = GDI_HANDLE_BUFFER_SIZE32; |
| pub type GDI_HANDLE_BUFFER = [ULONG; GDI_HANDLE_BUFFER_SIZE]; |
| pub type GDI_HANDLE_BUFFER32 = [ULONG; GDI_HANDLE_BUFFER_SIZE32]; |
| pub type GDI_HANDLE_BUFFER64 = [ULONG; GDI_HANDLE_BUFFER_SIZE]; |
| pub const TLS_EXPANSION_SLOTS: usize = 1024; |
| STRUCT!{struct PEB_LDR_DATA { |
| Length: ULONG, |
| Initialized: BOOLEAN, |
| SsHandle: HANDLE, |
| InLoadOrderModuleList: LIST_ENTRY, |
| InMemoryOrderModuleList: LIST_ENTRY, |
| InInitializationOrderModuleList: LIST_ENTRY, |
| EntryInProgress: PVOID, |
| ShutdownInProgress: BOOLEAN, |
| ShutdownThreadId: HANDLE, |
| }} |
| pub type PPEB_LDR_DATA = *mut PEB_LDR_DATA; |
| STRUCT!{struct INITIAL_TEB_OldInitialTeb { |
| OldStackBase: PVOID, |
| OldStackLimit: PVOID, |
| }} |
| STRUCT!{struct INITIAL_TEB { |
| OldInitialTeb: INITIAL_TEB_OldInitialTeb, |
| StackBase: PVOID, |
| StackLimit: PVOID, |
| StackAllocationBase: PVOID, |
| }} |
| pub type PINITIAL_TEB = *mut INITIAL_TEB; |
| STRUCT!{struct WOW64_PROCESS { |
| Wow64: PVOID, |
| }} |
| pub type PWOW64_PROCESS = *mut WOW64_PROCESS; |
| ENUM!{enum PROCESSINFOCLASS { |
| ProcessBasicInformation = 0, |
| ProcessQuotaLimits = 1, |
| ProcessIoCounters = 2, |
| ProcessVmCounters = 3, |
| ProcessTimes = 4, |
| ProcessBasePriority = 5, |
| ProcessRaisePriority = 6, |
| ProcessDebugPort = 7, |
| ProcessExceptionPort = 8, |
| ProcessAccessToken = 9, |
| ProcessLdtInformation = 10, |
| ProcessLdtSize = 11, |
| ProcessDefaultHardErrorMode = 12, |
| ProcessIoPortHandlers = 13, |
| ProcessPooledUsageAndLimits = 14, |
| ProcessWorkingSetWatch = 15, |
| ProcessUserModeIOPL = 16, |
| ProcessEnableAlignmentFaultFixup = 17, |
| ProcessPriorityClass = 18, |
| ProcessWx86Information = 19, |
| ProcessHandleCount = 20, |
| ProcessAffinityMask = 21, |
| ProcessPriorityBoost = 22, |
| ProcessDeviceMap = 23, |
| ProcessSessionInformation = 24, |
| ProcessForegroundInformation = 25, |
| ProcessWow64Information = 26, |
| ProcessImageFileName = 27, |
| ProcessLUIDDeviceMapsEnabled = 28, |
| ProcessBreakOnTermination = 29, |
| ProcessDebugObjectHandle = 30, |
| ProcessDebugFlags = 31, |
| ProcessHandleTracing = 32, |
| ProcessIoPriority = 33, |
| ProcessExecuteFlags = 34, |
| ProcessResourceManagement = 35, |
| ProcessCookie = 36, |
| ProcessImageInformation = 37, |
| ProcessCycleTime = 38, |
| ProcessPagePriority = 39, |
| ProcessInstrumentationCallback = 40, |
| ProcessThreadStackAllocation = 41, |
| ProcessWorkingSetWatchEx = 42, |
| ProcessImageFileNameWin32 = 43, |
| ProcessImageFileMapping = 44, |
| ProcessAffinityUpdateMode = 45, |
| ProcessMemoryAllocationMode = 46, |
| ProcessGroupInformation = 47, |
| ProcessTokenVirtualizationEnabled = 48, |
| ProcessConsoleHostProcess = 49, |
| ProcessWindowInformation = 50, |
| ProcessHandleInformation = 51, |
| ProcessMitigationPolicy = 52, |
| ProcessDynamicFunctionTableInformation = 53, |
| ProcessHandleCheckingMode = 54, |
| ProcessKeepAliveCount = 55, |
| ProcessRevokeFileHandles = 56, |
| ProcessWorkingSetControl = 57, |
| ProcessHandleTable = 58, |
| ProcessCheckStackExtentsMode = 59, |
| ProcessCommandLineInformation = 60, |
| ProcessProtectionInformation = 61, |
| ProcessMemoryExhaustion = 62, |
| ProcessFaultInformation = 63, |
| ProcessTelemetryIdInformation = 64, |
| ProcessCommitReleaseInformation = 65, |
| ProcessDefaultCpuSetsInformation = 66, |
| ProcessAllowedCpuSetsInformation = 67, |
| ProcessSubsystemProcess = 68, |
| ProcessJobMemoryInformation = 69, |
| ProcessInPrivate = 70, |
| ProcessRaiseUMExceptionOnInvalidHandleClose = 71, |
| ProcessIumChallengeResponse = 72, |
| ProcessChildProcessInformation = 73, |
| ProcessHighGraphicsPriorityInformation = 74, |
| ProcessSubsystemInformation = 75, |
| ProcessEnergyValues = 76, |
| ProcessActivityThrottleState = 77, |
| ProcessActivityThrottlePolicy = 78, |
| ProcessWin32kSyscallFilterInformation = 79, |
| ProcessDisableSystemAllowedCpuSets = 80, |
| ProcessWakeInformation = 81, |
| ProcessEnergyTrackingState = 82, |
| ProcessManageWritesToExecutableMemory = 83, |
| ProcessCaptureTrustletLiveDump = 84, |
| ProcessTelemetryCoverage = 85, |
| ProcessEnclaveInformation = 86, |
| ProcessEnableReadWriteVmLogging = 87, |
| ProcessUptimeInformation = 88, |
| ProcessImageSection = 89, |
| ProcessDebugAuthInformation = 90, |
| ProcessSystemResourceManagement = 91, |
| ProcessSequenceNumber = 92, |
| ProcessLoaderDetour = 93, |
| ProcessSecurityDomainInformation = 94, |
| ProcessCombineSecurityDomainsInformation = 95, |
| ProcessEnableLogging = 96, |
| ProcessLeapSecondInformation = 97, |
| MaxProcessInfoClass = 98, |
| }} |
| ENUM!{enum THREADINFOCLASS { |
| ThreadBasicInformation = 0, |
| ThreadTimes = 1, |
| ThreadPriority = 2, |
| ThreadBasePriority = 3, |
| ThreadAffinityMask = 4, |
| ThreadImpersonationToken = 5, |
| ThreadDescriptorTableEntry = 6, |
| ThreadEnableAlignmentFaultFixup = 7, |
| ThreadEventPair = 8, |
| ThreadQuerySetWin32StartAddress = 9, |
| ThreadZeroTlsCell = 10, |
| ThreadPerformanceCount = 11, |
| ThreadAmILastThread = 12, |
| ThreadIdealProcessor = 13, |
| ThreadPriorityBoost = 14, |
| ThreadSetTlsArrayAddress = 15, |
| ThreadIsIoPending = 16, |
| ThreadHideFromDebugger = 17, |
| ThreadBreakOnTermination = 18, |
| ThreadSwitchLegacyState = 19, |
| ThreadIsTerminated = 20, |
| ThreadLastSystemCall = 21, |
| ThreadIoPriority = 22, |
| ThreadCycleTime = 23, |
| ThreadPagePriority = 24, |
| ThreadActualBasePriority = 25, |
| ThreadTebInformation = 26, |
| ThreadCSwitchMon = 27, |
| ThreadCSwitchPmu = 28, |
| ThreadWow64Context = 29, |
| ThreadGroupInformation = 30, |
| ThreadUmsInformation = 31, |
| ThreadCounterProfiling = 32, |
| ThreadIdealProcessorEx = 33, |
| ThreadCpuAccountingInformation = 34, |
| ThreadSuspendCount = 35, |
| ThreadHeterogeneousCpuPolicy = 36, |
| ThreadContainerId = 37, |
| ThreadNameInformation = 38, |
| ThreadSelectedCpuSets = 39, |
| ThreadSystemThreadInformation = 40, |
| ThreadActualGroupAffinity = 41, |
| ThreadDynamicCodePolicyInfo = 42, |
| ThreadExplicitCaseSensitivity = 43, |
| ThreadWorkOnBehalfTicket = 44, |
| ThreadSubsystemInformation = 45, |
| ThreadDbgkWerReportActive = 46, |
| ThreadAttachContainer = 47, |
| ThreadManageWritesToExecutableMemory = 48, |
| ThreadPowerThrottlingState = 49, |
| ThreadWorkloadClass = 50, |
| MaxThreadInfoClass = 51, |
| }} |
| STRUCT!{struct PAGE_PRIORITY_INFORMATION { |
| PagePriority: ULONG, |
| }} |
| pub type PPAGE_PRIORITY_INFORMATION = *mut PAGE_PRIORITY_INFORMATION; |
| STRUCT!{struct PROCESS_BASIC_INFORMATION { |
| ExitStatus: NTSTATUS, |
| PebBaseAddress: PPEB, |
| AffinityMask: ULONG_PTR, |
| BasePriority: KPRIORITY, |
| UniqueProcessId: HANDLE, |
| InheritedFromUniqueProcessId: HANDLE, |
| }} |
| pub type PPROCESS_BASIC_INFORMATION = *mut PROCESS_BASIC_INFORMATION; |
| STRUCT!{struct PROCESS_EXTENDED_BASIC_INFORMATION { |
| Size: SIZE_T, |
| BasicInfo: PROCESS_BASIC_INFORMATION, |
| Flags: ULONG, |
| }} |
| BITFIELD!{PROCESS_EXTENDED_BASIC_INFORMATION Flags: ULONG [ |
| IsProtectedProcess set_IsProtectedProcess[0..1], |
| IsWow64Process set_IsWow64Process[1..2], |
| IsProcessDeleting set_IsProcessDeleting[2..3], |
| IsCrossSessionCreate set_IsCrossSessionCreate[3..4], |
| IsFrozen set_IsFrozen[4..5], |
| IsBackground set_IsBackground[5..6], |
| IsStronglyNamed set_IsStronglyNamed[6..7], |
| IsSecureProcess set_IsSecureProcess[7..8], |
| IsSubsystemProcess set_IsSubsystemProcess[8..9], |
| SpareBits set_SpareBits[9..32], |
| ]} |
| pub type PPROCESS_EXTENDED_BASIC_INFORMATION = *mut PROCESS_EXTENDED_BASIC_INFORMATION; |
| STRUCT!{struct VM_COUNTERS { |
| PeakVirtualSize: SIZE_T, |
| VirtualSize: SIZE_T, |
| PageFaultCount: ULONG, |
| PeakWorkingSetSize: SIZE_T, |
| WorkingSetSize: SIZE_T, |
| QuotaPeakPagedPoolUsage: SIZE_T, |
| QuotaPagedPoolUsage: SIZE_T, |
| QuotaPeakNonPagedPoolUsage: SIZE_T, |
| QuotaNonPagedPoolUsage: SIZE_T, |
| PagefileUsage: SIZE_T, |
| PeakPagefileUsage: SIZE_T, |
| }} |
| pub type PVM_COUNTERS = *mut VM_COUNTERS; |
| STRUCT!{struct VM_COUNTERS_EX { |
| PeakVirtualSize: SIZE_T, |
| VirtualSize: SIZE_T, |
| PageFaultCount: ULONG, |
| PeakWorkingSetSize: SIZE_T, |
| WorkingSetSize: SIZE_T, |
| QuotaPeakPagedPoolUsage: SIZE_T, |
| QuotaPagedPoolUsage: SIZE_T, |
| QuotaPeakNonPagedPoolUsage: SIZE_T, |
| QuotaNonPagedPoolUsage: SIZE_T, |
| PagefileUsage: SIZE_T, |
| PeakPagefileUsage: SIZE_T, |
| PrivateUsage: SIZE_T, |
| }} |
| pub type PVM_COUNTERS_EX = *mut VM_COUNTERS_EX; |
| STRUCT!{struct VM_COUNTERS_EX2 { |
| CountersEx: VM_COUNTERS_EX, |
| PrivateWorkingSetSize: SIZE_T, |
| SharedCommitUsage: SIZE_T, |
| }} |
| pub type PVM_COUNTERS_EX2 = *mut VM_COUNTERS_EX2; |
| STRUCT!{struct KERNEL_USER_TIMES { |
| CreateTime: LARGE_INTEGER, |
| ExitTime: LARGE_INTEGER, |
| KernelTime: LARGE_INTEGER, |
| UserTime: LARGE_INTEGER, |
| }} |
| pub type PKERNEL_USER_TIMES = *mut KERNEL_USER_TIMES; |
| STRUCT!{struct POOLED_USAGE_AND_LIMITS { |
| PeakPagedPoolUsage: SIZE_T, |
| PagedPoolUsage: SIZE_T, |
| PagedPoolLimit: SIZE_T, |
| PeakNonPagedPoolUsage: SIZE_T, |
| NonPagedPoolUsage: SIZE_T, |
| NonPagedPoolLimit: SIZE_T, |
| PeakPagefileUsage: SIZE_T, |
| PagefileUsage: SIZE_T, |
| PagefileLimit: SIZE_T, |
| }} |
| pub type PPOOLED_USAGE_AND_LIMITS = *mut POOLED_USAGE_AND_LIMITS; |
| pub const PROCESS_EXCEPTION_PORT_ALL_STATE_BITS: ULONG_PTR = 0x00000003; |
| pub const PROCESS_EXCEPTION_PORT_ALL_STATE_FLAGS: ULONG_PTR = |
| (1 << PROCESS_EXCEPTION_PORT_ALL_STATE_BITS) - 1; |
| STRUCT!{struct PROCESS_EXCEPTION_PORT { |
| ExceptionPortHandle: HANDLE, |
| StateFlags: ULONG, |
| }} |
| pub type PPROCESS_EXCEPTION_PORT = *mut PROCESS_EXCEPTION_PORT; |
| STRUCT!{struct PROCESS_ACCESS_TOKEN { |
| Token: HANDLE, |
| Thread: HANDLE, |
| }} |
| pub type PPROCESS_ACCESS_TOKEN = *mut PROCESS_ACCESS_TOKEN; |
| STRUCT!{struct PROCESS_LDT_INFORMATION { |
| Start: ULONG, |
| Length: ULONG, |
| LdtEntries: [LDT_ENTRY; 1], |
| }} |
| pub type PPROCESS_LDT_INFORMATION = *mut PROCESS_LDT_INFORMATION; |
| STRUCT!{struct PROCESS_LDT_SIZE { |
| Length: ULONG, |
| }} |
| pub type PPROCESS_LDT_SIZE = *mut PROCESS_LDT_SIZE; |
| STRUCT!{struct PROCESS_WS_WATCH_INFORMATION { |
| FaultingPc: PVOID, |
| FaultingVa: PVOID, |
| }} |
| pub type PPROCESS_WS_WATCH_INFORMATION = *mut PROCESS_WS_WATCH_INFORMATION; |
| STRUCT!{struct PROCESS_WS_WATCH_INFORMATION_EX { |
| BasicInfo: PROCESS_WS_WATCH_INFORMATION, |
| FaultingThreadId: ULONG_PTR, |
| Flags: ULONG_PTR, |
| }} |
| pub type PPROCESS_WS_WATCH_INFORMATION_EX = *mut PROCESS_WS_WATCH_INFORMATION_EX; |
| pub const PROCESS_PRIORITY_CLASS_UNKNOWN: u32 = 0; |
| pub const PROCESS_PRIORITY_CLASS_IDLE: u32 = 1; |
| pub const PROCESS_PRIORITY_CLASS_NORMAL: u32 = 2; |
| pub const PROCESS_PRIORITY_CLASS_HIGH: u32 = 3; |
| pub const PROCESS_PRIORITY_CLASS_REALTIME: u32 = 4; |
| pub const PROCESS_PRIORITY_CLASS_BELOW_NORMAL: u32 = 5; |
| pub const PROCESS_PRIORITY_CLASS_ABOVE_NORMAL: u32 = 6; |
| STRUCT!{struct PROCESS_PRIORITY_CLASS { |
| Foreground: BOOLEAN, |
| PriorityClass: UCHAR, |
| }} |
| pub type PPROCESS_PRIORITY_CLASS = *mut PROCESS_PRIORITY_CLASS; |
| STRUCT!{struct PROCESS_FOREGROUND_BACKGROUND { |
| Foreground: BOOLEAN, |
| }} |
| pub type PPROCESS_FOREGROUND_BACKGROUND = *mut PROCESS_FOREGROUND_BACKGROUND; |
| STRUCT!{struct PROCESS_DEVICEMAP_INFORMATION_Set { |
| DirectoryHandle: HANDLE, |
| }} |
| STRUCT!{struct PROCESS_DEVICEMAP_INFORMATION_Query { |
| DriveMap: ULONG, |
| DriveType: [UCHAR; 32], |
| }} |
| UNION!{union PROCESS_DEVICEMAP_INFORMATION { |
| Set: PROCESS_DEVICEMAP_INFORMATION_Set, |
| Query: PROCESS_DEVICEMAP_INFORMATION_Query, |
| }} |
| pub type PPROCESS_DEVICEMAP_INFORMATION = *mut PROCESS_DEVICEMAP_INFORMATION; |
| pub const PROCESS_LUID_DOSDEVICES_ONLY: ULONG = 0x00000001; |
| STRUCT!{struct PROCESS_DEVICEMAP_INFORMATION_EX_u_Set { |
| DirectoryHandle: HANDLE, |
| }} |
| STRUCT!{struct PROCESS_DEVICEMAP_INFORMATION_EX_u_Query { |
| DriveMap: ULONG, |
| DriveType: [UCHAR; 32], |
| }} |
| UNION!{union PROCESS_DEVICEMAP_INFORMATION_EX_u { |
| Set: PROCESS_DEVICEMAP_INFORMATION_EX_u_Set, |
| Query: PROCESS_DEVICEMAP_INFORMATION_EX_u_Query, |
| }} |
| STRUCT!{struct PROCESS_DEVICEMAP_INFORMATION_EX { |
| u: PROCESS_DEVICEMAP_INFORMATION_EX_u, |
| Flags: ULONG, |
| }} |
| pub type PPROCESS_DEVICEMAP_INFORMATION_EX = *mut PROCESS_DEVICEMAP_INFORMATION_EX; |
| STRUCT!{struct PROCESS_SESSION_INFORMATION { |
| SessionId: ULONG, |
| }} |
| pub type PPROCESS_SESSION_INFORMATION = *mut PROCESS_SESSION_INFORMATION; |
| pub const PROCESS_HANDLE_EXCEPTIONS_ENABLED: ULONG = 0x00000001; |
| pub const PROCESS_HANDLE_RAISE_EXCEPTION_ON_INVALID_HANDLE_CLOSE_DISABLED: ULONG = 0x00000000; |
| pub const PROCESS_HANDLE_RAISE_EXCEPTION_ON_INVALID_HANDLE_CLOSE_ENABLED: ULONG = 0x00000001; |
| STRUCT!{struct PROCESS_HANDLE_TRACING_ENABLE { |
| Flags: ULONG, |
| }} |
| pub type PPROCESS_HANDLE_TRACING_ENABLE = *mut PROCESS_HANDLE_TRACING_ENABLE; |
| pub const PROCESS_HANDLE_TRACING_MAX_SLOTS: ULONG = 0x20000; |
| STRUCT!{struct PROCESS_HANDLE_TRACING_ENABLE_EX { |
| Flags: ULONG, |
| TotalSlots: ULONG, |
| }} |
| pub type PPROCESS_HANDLE_TRACING_ENABLE_EX = *mut PROCESS_HANDLE_TRACING_ENABLE_EX; |
| pub const PROCESS_HANDLE_TRACING_MAX_STACKS: usize = 16; |
| pub const PROCESS_HANDLE_TRACE_TYPE_OPEN: ULONG = 1; |
| pub const PROCESS_HANDLE_TRACE_TYPE_CLOSE: ULONG = 2; |
| pub const PROCESS_HANDLE_TRACE_TYPE_BADREF: ULONG = 3; |
| STRUCT!{struct PROCESS_HANDLE_TRACING_ENTRY { |
| Handle: HANDLE, |
| ClientId: CLIENT_ID, |
| Type: ULONG, |
| Stacks: [PVOID; PROCESS_HANDLE_TRACING_MAX_STACKS], |
| }} |
| pub type PPROCESS_HANDLE_TRACING_ENTRY = *mut PROCESS_HANDLE_TRACING_ENTRY; |
| STRUCT!{struct PROCESS_HANDLE_TRACING_QUERY { |
| Handle: HANDLE, |
| TotalTraces: ULONG, |
| HandleTrace: [PROCESS_HANDLE_TRACING_ENTRY; 1], |
| }} |
| pub type PPROCESS_HANDLE_TRACING_QUERY = *mut PROCESS_HANDLE_TRACING_QUERY; |
| STRUCT!{struct THREAD_TLS_INFORMATION { |
| Flags: ULONG, |
| NewTlsData: PVOID, |
| OldTlsData: PVOID, |
| ThreadId: HANDLE, |
| }} |
| pub type PTHREAD_TLS_INFORMATION = *mut THREAD_TLS_INFORMATION; |
| ENUM!{enum PROCESS_TLS_INFORMATION_TYPE { |
| ProcessTlsReplaceIndex = 0, |
| ProcessTlsReplaceVector = 1, |
| MaxProcessTlsOperation = 2, |
| }} |
| pub type PPROCESS_TLS_INFORMATION_TYPE = *mut PROCESS_TLS_INFORMATION_TYPE; |
| STRUCT!{struct PROCESS_TLS_INFORMATION { |
| Flags: ULONG, |
| OperationType: ULONG, |
| ThreadDataCount: ULONG, |
| TlsIndex: ULONG, |
| PreviousCount: ULONG, |
| ThreadData: [THREAD_TLS_INFORMATION; 1], |
| }} |
| pub type PPROCESS_TLS_INFORMATION = *mut PROCESS_TLS_INFORMATION; |
| STRUCT!{struct PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION { |
| Version: ULONG, |
| Reserved: ULONG, |
| Callback: PVOID, |
| }} |
| pub type PPROCESS_INSTRUMENTATION_CALLBACK_INFORMATION = |
| *mut PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION; |
| STRUCT!{struct PROCESS_STACK_ALLOCATION_INFORMATION { |
| ReserveSize: SIZE_T, |
| ZeroBits: SIZE_T, |
| StackBase: PVOID, |
| }} |
| pub type PPROCESS_STACK_ALLOCATION_INFORMATION = *mut PROCESS_STACK_ALLOCATION_INFORMATION; |
| STRUCT!{struct PROCESS_STACK_ALLOCATION_INFORMATION_EX { |
| PreferredNode: ULONG, |
| Reserved0: ULONG, |
| Reserved1: ULONG, |
| Reserved2: ULONG, |
| AllocInfo: PROCESS_STACK_ALLOCATION_INFORMATION, |
| }} |
| pub type PPROCESS_STACK_ALLOCATION_INFORMATION_EX = *mut PROCESS_STACK_ALLOCATION_INFORMATION_EX; |
| STRUCT!{struct PROCESS_AFFINITY_UPDATE_MODE { |
| Flags: ULONG, |
| }} |
| BITFIELD!{PROCESS_AFFINITY_UPDATE_MODE Flags: ULONG [ |
| EnableAutoUpdate set_EnableAutoUpdate[0..1], |
| Permanent set_Permanent[1..2], |
| Reserved set_Reserved[2..32], |
| ]} |
| pub type PPROCESS_AFFINITY_UPDATE_MODE = *mut PROCESS_AFFINITY_UPDATE_MODE; |
| STRUCT!{struct PROCESS_MEMORY_ALLOCATION_MODE { |
| Flags: ULONG, |
| }} |
| BITFIELD!{PROCESS_MEMORY_ALLOCATION_MODE Flags: ULONG [ |
| TopDown set_TopDown[0..1], |
| Reserved set_Reserved[1..32], |
| ]} |
| pub type PPROCESS_MEMORY_ALLOCATION_MODE = *mut PROCESS_MEMORY_ALLOCATION_MODE; |
| STRUCT!{struct PROCESS_HANDLE_INFORMATION { |
| HandleCount: ULONG, |
| HandleCountHighWatermark: ULONG, |
| }} |
| pub type PPROCESS_HANDLE_INFORMATION = *mut PROCESS_HANDLE_INFORMATION; |
| STRUCT!{struct PROCESS_CYCLE_TIME_INFORMATION { |
| AccumulatedCycles: ULONGLONG, |
| CurrentCycleCount: ULONGLONG, |
| }} |
| pub type PPROCESS_CYCLE_TIME_INFORMATION = *mut PROCESS_CYCLE_TIME_INFORMATION; |
| STRUCT!{struct PROCESS_WINDOW_INFORMATION { |
| WindowFlags: ULONG, |
| WindowTitleLength: USHORT, |
| WindowTitle: [WCHAR; 1], |
| }} |
| pub type PPROCESS_WINDOW_INFORMATION = *mut PROCESS_WINDOW_INFORMATION; |
| STRUCT!{struct PROCESS_HANDLE_TABLE_ENTRY_INFO { |
| HandleValue: HANDLE, |
| HandleCount: ULONG_PTR, |
| PointerCount: ULONG_PTR, |
| GrantedAccess: ULONG, |
| ObjectTypeIndex: ULONG, |
| HandleAttributes: ULONG, |
| Reserved: ULONG, |
| }} |
| pub type PPROCESS_HANDLE_TABLE_ENTRY_INFO = *mut PROCESS_HANDLE_TABLE_ENTRY_INFO; |
| STRUCT!{struct PROCESS_HANDLE_SNAPSHOT_INFORMATION { |
| NumberOfHandles: ULONG_PTR, |
| Reserved: ULONG_PTR, |
| Handles: [PROCESS_HANDLE_TABLE_ENTRY_INFO; 1], |
| }} |
| pub type PPROCESS_HANDLE_SNAPSHOT_INFORMATION = *mut PROCESS_HANDLE_SNAPSHOT_INFORMATION; |
| UNION!{union PROCESS_MITIGATION_POLICY_INFORMATION_u { |
| ASLRPolicy: PROCESS_MITIGATION_ASLR_POLICY, |
| StrictHandleCheckPolicy: PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY, |
| SystemCallDisablePolicy: PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY, |
| ExtensionPointDisablePolicy: PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY, |
| DynamicCodePolicy: PROCESS_MITIGATION_DYNAMIC_CODE_POLICY, |
| ControlFlowGuardPolicy: PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY, |
| SignaturePolicy: PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY, |
| FontDisablePolicy: PROCESS_MITIGATION_FONT_DISABLE_POLICY, |
| ImageLoadPolicy: PROCESS_MITIGATION_IMAGE_LOAD_POLICY, |
| SystemCallFilterPolicy: PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY, |
| PayloadRestrictionPolicy: PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY, |
| ChildProcessPolicy: PROCESS_MITIGATION_CHILD_PROCESS_POLICY, |
| // SideChannelIsolationPolicy: PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY, //TODO |
| }} |
| STRUCT!{struct PROCESS_MITIGATION_POLICY_INFORMATION { |
| Policy: PROCESS_MITIGATION_POLICY, |
| u: PROCESS_MITIGATION_POLICY_INFORMATION_u, |
| }} |
| pub type PPROCESS_MITIGATION_POLICY_INFORMATION = *mut PROCESS_MITIGATION_POLICY_INFORMATION; |
| STRUCT!{struct PROCESS_KEEPALIVE_COUNT_INFORMATION { |
| WakeCount: ULONG, |
| NoWakeCount: ULONG, |
| }} |
| pub type PPROCESS_KEEPALIVE_COUNT_INFORMATION = *mut PROCESS_KEEPALIVE_COUNT_INFORMATION; |
| STRUCT!{struct PROCESS_REVOKE_FILE_HANDLES_INFORMATION { |
| TargetDevicePath: UNICODE_STRING, |
| }} |
| pub type PPROCESS_REVOKE_FILE_HANDLES_INFORMATION = *mut PROCESS_REVOKE_FILE_HANDLES_INFORMATION; |
| ENUM!{enum PROCESS_WORKING_SET_OPERATION { |
| ProcessWorkingSetSwap = 0, |
| ProcessWorkingSetEmpty = 1, |
| ProcessWorkingSetOperationMax = 2, |
| }} |
| STRUCT!{struct PROCESS_WORKING_SET_CONTROL { |
| Version: ULONG, |
| Operation: PROCESS_WORKING_SET_OPERATION, |
| Flags: ULONG, |
| }} |
| pub type PPROCESS_WORKING_SET_CONTROL = *mut PROCESS_WORKING_SET_CONTROL; |
| ENUM!{enum PS_PROTECTED_TYPE { |
| PsProtectedTypeNone = 0, |
| PsProtectedTypeProtectedLight = 1, |
| PsProtectedTypeProtected = 2, |
| PsProtectedTypeMax = 3, |
| }} |
| ENUM!{enum PS_PROTECTED_SIGNER { |
| PsProtectedSignerNone = 0, |
| PsProtectedSignerAuthenticode = 1, |
| PsProtectedSignerCodeGen = 2, |
| PsProtectedSignerAntimalware = 3, |
| PsProtectedSignerLsa = 4, |
| PsProtectedSignerWindows = 5, |
| PsProtectedSignerWinTcb = 6, |
| PsProtectedSignerWinSystem = 7, |
| PsProtectedSignerApp = 8, |
| PsProtectedSignerMax = 9, |
| }} |
| pub const PS_PROTECTED_SIGNER_MASK: UCHAR = 0xFF; |
| pub const PS_PROTECTED_AUDIT_MASK: UCHAR = 0x08; |
| pub const PS_PROTECTED_TYPE_MASK: UCHAR = 0x07; |
| #[inline] |
| pub const fn PsProtectedValue( |
| aSigner: PS_PROTECTED_SIGNER, |
| aAudit: u8, |
| aType: PS_PROTECTED_TYPE, |
| ) -> UCHAR { |
| (aSigner as u8 & PS_PROTECTED_SIGNER_MASK) << 4 | (aAudit & PS_PROTECTED_AUDIT_MASK) << 3 |
| | (aType as u8 & PS_PROTECTED_TYPE_MASK) |
| } |
| #[inline] |
| pub fn InitializePsProtection( |
| aProtectionLevelPtr: &mut PS_PROTECTION, |
| aSigner: PS_PROTECTED_SIGNER, |
| aAudit: u8, |
| aType: PS_PROTECTED_TYPE, |
| ) { |
| aProtectionLevelPtr.set_Signer(aSigner as u8); |
| aProtectionLevelPtr.set_Audit(aAudit); |
| aProtectionLevelPtr.set_Type(aType as u8); |
| } |
| STRUCT!{struct PS_PROTECTION { |
| Level: UCHAR, |
| }} |
| pub type PPS_PROTECTION = *mut PS_PROTECTION; |
| BITFIELD!{PS_PROTECTION Level: UCHAR [ |
| Type set_Type[0..3], |
| Audit set_Audit[3..4], |
| Signer set_Signer[4..8], |
| ]} |
| STRUCT!{struct PROCESS_FAULT_INFORMATION { |
| FaultFlags: ULONG, |
| AdditionalInfo: ULONG, |
| }} |
| pub type PPROCESS_FAULT_INFORMATION = *mut PROCESS_FAULT_INFORMATION; |
| STRUCT!{struct PROCESS_TELEMETRY_ID_INFORMATION { |
| HeaderSize: ULONG, |
| ProcessId: ULONG, |
| ProcessStartKey: ULONGLONG, |
| CreateTime: ULONGLONG, |
| CreateInterruptTime: ULONGLONG, |
| CreateUnbiasedInterruptTime: ULONGLONG, |
| ProcessSequenceNumber: ULONGLONG, |
| SessionCreateTime: ULONGLONG, |
| SessionId: ULONG, |
| BootId: ULONG, |
| ImageChecksum: ULONG, |
| ImageTimeDateStamp: ULONG, |
| UserSidOffset: ULONG, |
| ImagePathOffset: ULONG, |
| PackageNameOffset: ULONG, |
| RelativeAppNameOffset: ULONG, |
| CommandLineOffset: ULONG, |
| }} |
| pub type PPROCESS_TELEMETRY_ID_INFORMATION = *mut PROCESS_TELEMETRY_ID_INFORMATION; |
| STRUCT!{struct PROCESS_COMMIT_RELEASE_INFORMATION { |
| Version: ULONG, |
| s: ULONG, |
| CommitDebt: SIZE_T, |
| CommittedMemResetSize: SIZE_T, |
| RepurposedMemResetSize: SIZE_T, |
| }} |
| BITFIELD!{PROCESS_COMMIT_RELEASE_INFORMATION s: ULONG [ |
| Eligible set_Eligible[0..1], |
| ReleaseRepurposedMemResetCommit set_ReleaseRepurposedMemResetCommit[1..2], |
| ForceReleaseMemResetCommit set_ForceReleaseMemResetCommit[2..3], |
| Spare set_Spare[3..32], |
| ]} |
| pub type PPROCESS_COMMIT_RELEASE_INFORMATION = *mut PROCESS_COMMIT_RELEASE_INFORMATION; |
| STRUCT!{struct PROCESS_JOB_MEMORY_INFO { |
| SharedCommitUsage: ULONGLONG, |
| PrivateCommitUsage: ULONGLONG, |
| PeakPrivateCommitUsage: ULONGLONG, |
| PrivateCommitLimit: ULONGLONG, |
| TotalCommitLimit: ULONGLONG, |
| }} |
| pub type PPROCESS_JOB_MEMORY_INFO = *mut PROCESS_JOB_MEMORY_INFO; |
| STRUCT!{struct PROCESS_CHILD_PROCESS_INFORMATION { |
| ProhibitChildProcesses: BOOLEAN, |
| AlwaysAllowSecureChildProcess: BOOLEAN, |
| AuditProhibitChildProcesses: BOOLEAN, |
| }} |
| pub type PPROCESS_CHILD_PROCESS_INFORMATION = *mut PROCESS_CHILD_PROCESS_INFORMATION; |
| STRUCT!{struct PROCESS_WAKE_INFORMATION { |
| NotificationChannel: ULONGLONG, |
| WakeCounters: [ULONG; 7], |
| WakeFilter: *mut JOBOBJECT_WAKE_FILTER, |
| }} |
| pub type PPROCESS_WAKE_INFORMATION = *mut PROCESS_WAKE_INFORMATION; |
| STRUCT!{struct PROCESS_ENERGY_TRACKING_STATE { |
| StateUpdateMask: ULONG, |
| StateDesiredValue: ULONG, |
| StateSequence: ULONG, |
| UpdateTag: ULONG, |
| Tag: [WCHAR; 64], |
| }} |
| pub type PPROCESS_ENERGY_TRACKING_STATE = *mut PROCESS_ENERGY_TRACKING_STATE; |
| BITFIELD!{PROCESS_ENERGY_TRACKING_STATE UpdateTag: ULONG [ |
| UpdateTag set_UpdateTag[0..1], |
| ]} |
| STRUCT!{struct MANAGE_WRITES_TO_EXECUTABLE_MEMORY { |
| BitFields: ULONG, |
| }} |
| BITFIELD!{MANAGE_WRITES_TO_EXECUTABLE_MEMORY BitFields: ULONG [ |
| Machine set_Machine[0..16], |
| KernelMode set_KernelMode[16..17], |
| UserMode set_UserMode[17..18], |
| Native set_Native[18..19], |
| Process set_Process[19..20], |
| ReservedZero0 set_ReservedZero0[20..32], |
| ]} |
| pub type PMANAGE_WRITES_TO_EXECUTABLE_MEMORY = *mut MANAGE_WRITES_TO_EXECUTABLE_MEMORY; |
| pub const PROCESS_READWRITEVM_LOGGING_ENABLE_READVM: UCHAR = 1; |
| pub const PROCESS_READWRITEVM_LOGGING_ENABLE_WRITEVM: UCHAR = 2; |
| pub const PROCESS_READWRITEVM_LOGGING_ENABLE_READVM_V: UCHAR = 1; |
| pub const PROCESS_READWRITEVM_LOGGING_ENABLE_WRITEVM_V: UCHAR = 2; |
| STRUCT!{struct PROCESS_READWRITEVM_LOGGING_INFORMATION { |
| Flags: UCHAR, |
| }} |
| BITFIELD!{PROCESS_READWRITEVM_LOGGING_INFORMATION Flags: UCHAR [ |
| EnableReadVmLogging set_EnableReadVmLogging[0..1], |
| EnableWriteVmLogging set_EnableWriteVmLogging[1..2], |
| Unused set_Unused[2..8], |
| ]} |
| UNION!{union PROCESS_UPTIME_INFORMATION_u { |
| HangCount: ULONG, |
| GhostCount: ULONG, |
| Crashed: ULONG, |
| Terminated: ULONG, |
| }} |
| pub type PPROCESS_READWRITEVM_LOGGING_INFORMATION = *mut PROCESS_READWRITEVM_LOGGING_INFORMATION; |
| STRUCT!{struct PROCESS_UPTIME_INFORMATION { |
| QueryInterruptTime: ULONGLONG, |
| QueryUnbiasedTime: ULONGLONG, |
| EndInterruptTime: ULONGLONG, |
| TimeSinceCreation: ULONGLONG, |
| Uptime: ULONGLONG, |
| SuspendedTime: ULONGLONG, |
| u: PROCESS_UPTIME_INFORMATION_u, |
| }} |
| pub type PPROCESS_UPTIME_INFORMATION = *mut PROCESS_UPTIME_INFORMATION; |
| STRUCT!{struct PROCESS_SYSTEM_RESOURCE_MANAGEMENT { |
| Flags: ULONG, |
| }} |
| pub type PPROCESS_SYSTEM_RESOURCE_MANAGEMENT = *mut PROCESS_SYSTEM_RESOURCE_MANAGEMENT; |
| BITFIELD!{PROCESS_SYSTEM_RESOURCE_MANAGEMENT Flags: ULONG [ |
| Foreground set_Foreground[0..1], |
| Reserved set_Reserved[1..32], |
| ]} |
| STRUCT!{struct PROCESS_SECURITY_DOMAIN_INFORMATION { |
| SecurityDomain: ULONGLONG, |
| }} |
| pub type PPROCESS_SECURITY_DOMAIN_INFORMATION = *mut PROCESS_SECURITY_DOMAIN_INFORMATION; |
| STRUCT!{struct PROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION { |
| ProcessHandle: HANDLE, |
| }} |
| pub type PPROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION = |
| *mut PROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION; |
| STRUCT!{struct PROCESS_LOGGING_INFORMATION { |
| Flags: ULONG, |
| BitFields: ULONG, |
| }} |
| BITFIELD!{PROCESS_LOGGING_INFORMATION BitFields: ULONG [ |
| EnableReadVmLogging set_EnableReadVmLogging[0..1], |
| EnableWriteVmLogging set_EnableWriteVmLogging[1..2], |
| EnableProcessSuspendResumeLogging set_EnableProcessSuspendResumeLogging[2..3], |
| EnableThreadSuspendResumeLogging set_EnableThreadSuspendResumeLogging[3..4], |
| Reserved set_Reserved[4..32], |
| ]} |
| pub type PPROCESS_LOGGING_INFORMATION = *mut PROCESS_LOGGING_INFORMATION; |
| STRUCT!{struct PROCESS_LEAP_SECOND_INFORMATION { |
| Flags: ULONG, |
| Reserved: ULONG, |
| }} |
| pub type PPROCESS_LEAP_SECOND_INFORMATION = *mut PROCESS_LEAP_SECOND_INFORMATION; |
| STRUCT!{struct THREAD_BASIC_INFORMATION { |
| ExitStatus: NTSTATUS, |
| TebBaseAddress: PTEB, |
| ClientId: CLIENT_ID, |
| AffinityMask: ULONG_PTR, |
| Priority: KPRIORITY, |
| BasePriority: LONG, |
| }} |
| pub type PTHREAD_BASIC_INFORMATION = *mut THREAD_BASIC_INFORMATION; |
| STRUCT!{struct THREAD_LAST_SYSCALL_INFORMATION { |
| FirstArgument: PVOID, |
| SystemCallNumber: USHORT, |
| Pad: [USHORT; 1], |
| WaitTime: ULONG64, |
| }} |
| pub type PTHREAD_LAST_SYSCALL_INFORMATION = *mut THREAD_LAST_SYSCALL_INFORMATION; |
| STRUCT!{struct THREAD_CYCLE_TIME_INFORMATION { |
| AccumulatedCycles: ULONGLONG, |
| CurrentCycleCount: ULONGLONG, |
| }} |
| pub type PTHREAD_CYCLE_TIME_INFORMATION = *mut THREAD_CYCLE_TIME_INFORMATION; |
| STRUCT!{struct THREAD_TEB_INFORMATION { |
| TebInformation: PVOID, |
| TebOffset: ULONG, |
| BytesToRead: ULONG, |
| }} |
| pub type PTHREAD_TEB_INFORMATION = *mut THREAD_TEB_INFORMATION; |
| STRUCT!{struct COUNTER_READING { |
| Type: HARDWARE_COUNTER_TYPE, |
| Index: ULONG, |
| Start: ULONG64, |
| Total: ULONG64, |
| }} |
| pub type PCOUNTER_READING = *mut COUNTER_READING; |
| STRUCT!{struct THREAD_PERFORMANCE_DATA { |
| Size: USHORT, |
| Version: USHORT, |
| ProcessorNumber: PROCESSOR_NUMBER, |
| ContextSwitches: ULONG, |
| HwCountersCount: ULONG, |
| UpdateCount: ULONG64, |
| WaitReasonBitMap: ULONG64, |
| HardwareCounters: ULONG64, |
| CycleTime: COUNTER_READING, |
| HwCounters: [COUNTER_READING; MAX_HW_COUNTERS], |
| }} |
| pub type PTHREAD_PERFORMANCE_DATA = *mut THREAD_PERFORMANCE_DATA; |
| STRUCT!{struct THREAD_PROFILING_INFORMATION { |
| HardwareCounters: ULONG64, |
| Flags: ULONG, |
| Enable: ULONG, |
| PerformanceData: PTHREAD_PERFORMANCE_DATA, |
| }} |
| pub type PTHREAD_PROFILING_INFORMATION = *mut THREAD_PROFILING_INFORMATION; |
| #[cfg(any(target_arch = "x86_64", target_arch = "aarch64"))] |
| STRUCT!{#[repr(align(16))] struct RTL_UMS_CONTEXT { |
| Link: SINGLE_LIST_ENTRY, |
| __padding: u64, |
| Context: CONTEXT, |
| Teb: PVOID, |
| UserContext: PVOID, |
| ScheduledThread: ULONG, |
| Suspended: ULONG, |
| VolatileContext: ULONG, |
| Terminated: ULONG, |
| DebugActive: ULONG, |
| RunningOnSelfThread: ULONG, |
| DenyRunningOnSelfThread: ULONG, |
| Flags: LONG, |
| KernelUpdateLock: ULONG64, |
| PrimaryClientID: ULONG64, |
| ContextLock: ULONG64, |
| PrimaryUmsContext: *mut RTL_UMS_CONTEXT, |
| SwitchCount: ULONG, |
| KernelYieldCount: ULONG, |
| MixedYieldCount: ULONG, |
| YieldCount: ULONG, |
| }} |
| #[cfg(target_arch = "x86")] |
| STRUCT!{struct RTL_UMS_CONTEXT { |
| Link: SINGLE_LIST_ENTRY, |
| Context: CONTEXT, |
| Teb: PVOID, |
| UserContext: PVOID, |
| ScheduledThread: ULONG, |
| Suspended: ULONG, |
| VolatileContext: ULONG, |
| Terminated: ULONG, |
| DebugActive: ULONG, |
| RunningOnSelfThread: ULONG, |
| DenyRunningOnSelfThread: ULONG, |
| Flags: LONG, |
| KernelUpdateLock: ULONG64, |
| PrimaryClientID: ULONG64, |
| ContextLock: ULONG64, |
| PrimaryUmsContext: *mut RTL_UMS_CONTEXT, |
| SwitchCount: ULONG, |
| KernelYieldCount: ULONG, |
| MixedYieldCount: ULONG, |
| YieldCount: ULONG, |
| __padding: u32, |
| }} |
| pub type PRTL_UMS_CONTEXT = *mut RTL_UMS_CONTEXT; |
| ENUM!{enum THREAD_UMS_INFORMATION_COMMAND { |
| UmsInformationCommandInvalid = 0, |
| UmsInformationCommandAttach = 1, |
| UmsInformationCommandDetach = 2, |
| UmsInformationCommandQuery = 3, |
| }} |
| STRUCT!{struct RTL_UMS_COMPLETION_LIST { |
| ThreadListHead: PSINGLE_LIST_ENTRY, |
| CompletionEvent: PVOID, |
| CompletionFlags: ULONG, |
| InternalListHead: SINGLE_LIST_ENTRY, |
| }} |
| pub type PRTL_UMS_COMPLETION_LIST = *mut RTL_UMS_COMPLETION_LIST; |
| STRUCT!{struct THREAD_UMS_INFORMATION { |
| Command: THREAD_UMS_INFORMATION_COMMAND, |
| CompletionList: PRTL_UMS_COMPLETION_LIST, |
| UmsContext: PRTL_UMS_CONTEXT, |
| Flags: ULONG, |
| }} |
| BITFIELD!{THREAD_UMS_INFORMATION Flags: ULONG [ |
| IsUmsSchedulerThread set_IsUmsSchedulerThread[0..1], |
| IsUmsWorkerThread set_IsUmsWorkerThread[1..2], |
| SpareBits set_SpareBits[2..32], |
| ]} |
| pub type PTHREAD_UMS_INFORMATION = *mut THREAD_UMS_INFORMATION; |
| STRUCT!{struct THREAD_NAME_INFORMATION { |
| ThreadName: UNICODE_STRING, |
| }} |
| pub type PTHREAD_NAME_INFORMATION = *mut THREAD_NAME_INFORMATION; |
| ENUM!{enum SUBSYSTEM_INFORMATION_TYPE { |
| SubsystemInformationTypeWin32 = 0, |
| SubsystemInformationTypeWSL = 1, |
| MaxSubsystemInformationType = 2, |
| }} |
| ENUM!{enum THREAD_WORKLOAD_CLASS { |
| ThreadWorkloadClassDefault = 0, |
| ThreadWorkloadClassGraphics = 1, |
| MaxThreadWorkloadClass = 2, |
| }} |
| EXTERN!{extern "system" { |
| fn NtCreateProcess( |
| ProcessHandle: PHANDLE, |
| DesiredAccess: ACCESS_MASK, |
| ObjectAttributes: POBJECT_ATTRIBUTES, |
| ParentProcess: HANDLE, |
| InheritObjectTable: BOOLEAN, |
| SectionHandle: HANDLE, |
| DebugPort: HANDLE, |
| ExceptionPort: HANDLE, |
| ) -> NTSTATUS; |
| }} |
| pub const PROCESS_CREATE_FLAGS_BREAKAWAY: ULONG = 0x00000001; |
| pub const PROCESS_CREATE_FLAGS_NO_DEBUG_INHERIT: ULONG = 0x00000002; |
| pub const PROCESS_CREATE_FLAGS_INHERIT_HANDLES: ULONG = 0x00000004; |
| pub const PROCESS_CREATE_FLAGS_OVERRIDE_ADDRESS_SPACE: ULONG = 0x00000008; |
| pub const PROCESS_CREATE_FLAGS_LARGE_PAGES: ULONG = 0x00000010; |
| EXTERN!{extern "system" { |
| fn NtCreateProcessEx( |
| ProcessHandle: PHANDLE, |
| DesiredAccess: ACCESS_MASK, |
| ObjectAttributes: POBJECT_ATTRIBUTES, |
| ParentProcess: HANDLE, |
| Flags: ULONG, |
| SectionHandle: HANDLE, |
| DebugPort: HANDLE, |
| ExceptionPort: HANDLE, |
| JobMemberLevel: ULONG, |
| ) -> NTSTATUS; |
| fn NtOpenProcess( |
| ProcessHandle: PHANDLE, |
| DesiredAccess: ACCESS_MASK, |
| ObjectAttributes: POBJECT_ATTRIBUTES, |
| ClientId: PCLIENT_ID, |
| ) -> NTSTATUS; |
| fn NtTerminateProcess( |
| ProcessHandle: HANDLE, |
| ExitStatus: NTSTATUS, |
| ) -> NTSTATUS; |
| fn NtSuspendProcess( |
| ProcessHandle: HANDLE, |
| ) -> NTSTATUS; |
| fn NtResumeProcess( |
| ProcessHandle: HANDLE, |
| ) -> NTSTATUS; |
| }} |
| pub const NtCurrentProcess: HANDLE = -1isize as *mut c_void; |
| pub const ZwCurrentProcess: HANDLE = NtCurrentProcess; |
| pub const NtCurrentThread: HANDLE = -2isize as *mut c_void; |
| pub const ZwCurrentThread: HANDLE = NtCurrentThread; |
| pub const NtCurrentSession: HANDLE = -3isize as *mut c_void; |
| pub const ZwCurrentSession: HANDLE = NtCurrentSession; |
| #[inline] #[cfg(not(target_arch = "aarch64"))] |
| pub unsafe fn NtCurrentPeb() -> PPEB { |
| (*NtCurrentTeb()).ProcessEnvironmentBlock |
| } |
| pub const NtCurrentProcessToken: HANDLE = -4isize as *mut c_void; |
| pub const NtCurrentThreadToken: HANDLE = -5isize as *mut c_void; |
| pub const NtCurrentEffectiveToken: HANDLE = -6isize as *mut c_void; |
| pub const NtCurrentSilo: HANDLE = -1isize as *mut c_void; |
| #[inline] #[cfg(not(target_arch = "aarch64"))] |
| pub unsafe fn NtCurrentProcessId() -> HANDLE { |
| (*NtCurrentTeb()).ClientId.UniqueProcess |
| } |
| #[inline] #[cfg(not(target_arch = "aarch64"))] |
| pub unsafe fn NtCurrentThreadId() -> HANDLE { |
| (*NtCurrentTeb()).ClientId.UniqueThread |
| } |
| EXTERN!{extern "system" { |
| fn NtQueryInformationProcess( |
| ProcessHandle: HANDLE, |
| ProcessInformationClass: PROCESSINFOCLASS, |
| ProcessInformation: PVOID, |
| ProcessInformationLength: ULONG, |
| ReturnLength: PULONG, |
| ) -> NTSTATUS; |
| fn NtGetNextProcess( |
| ProcessHandle: HANDLE, |
| DesiredAccess: ACCESS_MASK, |
| HandleAttributes: ULONG, |
| Flags: ULONG, |
| NewProcessHandle: PHANDLE, |
| ) -> NTSTATUS; |
| fn NtGetNextThread( |
| ProcessHandle: HANDLE, |
| ThreadHandle: HANDLE, |
| DesiredAccess: ACCESS_MASK, |
| HandleAttributes: ULONG, |
| Flags: ULONG, |
| NewThreadHandle: PHANDLE, |
| ) -> NTSTATUS; |
| fn NtSetInformationProcess( |
| ProcessHandle: HANDLE, |
| ProcessInformationClass: PROCESSINFOCLASS, |
| ProcessInformation: PVOID, |
| ProcessInformationLength: ULONG, |
| ) -> NTSTATUS; |
| fn NtQueryPortInformationProcess() -> NTSTATUS; |
| fn NtCreateThread( |
| ThreadHandle: PHANDLE, |
| DesiredAccess: ACCESS_MASK, |
| ObjectAttributes: POBJECT_ATTRIBUTES, |
| ProcessHandle: HANDLE, |
| ClientId: PCLIENT_ID, |
| ThreadContext: PCONTEXT, |
| InitialTeb: PINITIAL_TEB, |
| CreateSuspended: BOOLEAN, |
| ) -> NTSTATUS; |
| fn NtOpenThread( |
| ThreadHandle: PHANDLE, |
| DesiredAccess: ACCESS_MASK, |
| ObjectAttributes: POBJECT_ATTRIBUTES, |
| ClientId: PCLIENT_ID, |
| ) -> NTSTATUS; |
| fn NtTerminateThread( |
| ThreadHandle: HANDLE, |
| ExitStatus: NTSTATUS, |
| ) -> NTSTATUS; |
| fn NtSuspendThread( |
| ThreadHandle: HANDLE, |
| PreviousSuspendCount: PULONG, |
| ) -> NTSTATUS; |
| fn NtResumeThread( |
| ThreadHandle: HANDLE, |
| PreviousSuspendCount: PULONG, |
| ) -> NTSTATUS; |
| fn NtGetCurrentProcessorNumber() -> ULONG; |
| fn NtGetContextThread( |
| ThreadHandle: HANDLE, |
| ThreadContext: PCONTEXT, |
| ) -> NTSTATUS; |
| fn NtSetContextThread( |
| ThreadHandle: HANDLE, |
| ThreadContext: PCONTEXT, |
| ) -> NTSTATUS; |
| fn NtQueryInformationThread( |
| ThreadHandle: HANDLE, |
| ThreadInformationClass: THREADINFOCLASS, |
| ThreadInformation: PVOID, |
| ThreadInformationLength: ULONG, |
| ReturnLength: PULONG, |
| ) -> NTSTATUS; |
| fn NtSetInformationThread( |
| ThreadHandle: HANDLE, |
| ThreadInformationClass: THREADINFOCLASS, |
| ThreadInformation: PVOID, |
| ThreadInformationLength: ULONG, |
| ) -> NTSTATUS; |
| fn NtAlertThread( |
| ThreadHandle: HANDLE, |
| ) -> NTSTATUS; |
| fn NtAlertResumeThread( |
| ThreadHandle: HANDLE, |
| PreviousSuspendCount: PULONG, |
| ) -> NTSTATUS; |
| fn NtTestAlert() -> NTSTATUS; |
| fn NtImpersonateThread( |
| ServerThreadHandle: HANDLE, |
| ClientThreadHandle: HANDLE, |
| SecurityQos: PSECURITY_QUALITY_OF_SERVICE, |
| ) -> NTSTATUS; |
| fn NtRegisterThreadTerminatePort( |
| PortHandle: HANDLE, |
| ) -> NTSTATUS; |
| fn NtSetLdtEntries( |
| Selector0: ULONG, |
| Entry0Low: ULONG, |
| Entry0Hi: ULONG, |
| Selector1: ULONG, |
| Entry1Low: ULONG, |
| Entry1Hi: ULONG, |
| ) -> NTSTATUS; |
| }} |
| FN!{cdecl PPS_APC_ROUTINE( |
| ApcArgument1: PVOID, |
| ApcArgument2: PVOID, |
| ApcArgument3: PVOID, |
| ) -> ()} |
| EXTERN!{extern "system" { |
| fn NtQueueApcThread( |
| ThreadHandle: HANDLE, |
| ApcRoutine: PPS_APC_ROUTINE, |
| ApcArgument1: PVOID, |
| ApcArgument2: PVOID, |
| ApcArgument3: PVOID, |
| ) -> NTSTATUS; |
| }} |
| pub const APC_FORCE_THREAD_SIGNAL: HANDLE = 1 as *mut c_void; |
| EXTERN!{extern "system" { |
| fn NtQueueApcThreadEx( |
| ThreadHandle: HANDLE, |
| UserApcReserveHandle: HANDLE, |
| ApcRoutine: PPS_APC_ROUTINE, |
| ApcArgument1: PVOID, |
| ApcArgument2: PVOID, |
| ApcArgument3: PVOID, |
| ) -> NTSTATUS; |
| fn NtAlertThreadByThreadId( |
| ThreadId: HANDLE, |
| ) -> NTSTATUS; |
| fn NtWaitForAlertByThreadId( |
| Address: PVOID, |
| Timeout: PLARGE_INTEGER, |
| ) -> NTSTATUS; |
| }} |
| pub const PS_ATTRIBUTE_NUMBER_MASK: u32 = 0x0000ffff; |
| pub const PS_ATTRIBUTE_THREAD: u32 = 0x00010000; |
| pub const PS_ATTRIBUTE_INPUT: u32 = 0x00020000; |
| pub const PS_ATTRIBUTE_ADDITIVE: u32 = 0x00040000; |
| ENUM!{enum PS_ATTRIBUTE_NUM { |
| PsAttributeParentProcess = 0, |
| PsAttributeDebugPort = 1, |
| PsAttributeToken = 2, |
| PsAttributeClientId = 3, |
| PsAttributeTebAddress = 4, |
| PsAttributeImageName = 5, |
| PsAttributeImageInfo = 6, |
| PsAttributeMemoryReserve = 7, |
| PsAttributePriorityClass = 8, |
| PsAttributeErrorMode = 9, |
| PsAttributeStdHandleInfo = 10, |
| PsAttributeHandleList = 11, |
| PsAttributeGroupAffinity = 12, |
| PsAttributePreferredNode = 13, |
| PsAttributeIdealProcessor = 14, |
| PsAttributeUmsThread = 15, |
| PsAttributeMitigationOptions = 16, |
| PsAttributeProtectionLevel = 17, |
| PsAttributeSecureProcess = 18, |
| PsAttributeJobList = 19, |
| PsAttributeChildProcessPolicy = 20, |
| PsAttributeAllApplicationPackagesPolicy = 21, |
| PsAttributeWin32kFilter = 22, |
| PsAttributeSafeOpenPromptOriginClaim = 23, |
| PsAttributeBnoIsolation = 24, |
| PsAttributeDesktopAppPolicy = 25, |
| PsAttributeChpe = 26, |
| PsAttributeMax = 27, |
| }} |
| #[inline] |
| pub const fn PsAttributeValue( |
| mut Number: PS_ATTRIBUTE_NUM, |
| Thread: bool, |
| Input: bool, |
| Additive: bool, |
| ) -> ULONG_PTR { |
| Number &= PS_ATTRIBUTE_NUMBER_MASK; |
| if Thread { |
| Number |= PS_ATTRIBUTE_THREAD; |
| } |
| if Input { |
| Number |= PS_ATTRIBUTE_INPUT; |
| } |
| if Additive { |
| Number |= PS_ATTRIBUTE_ADDITIVE; |
| } |
| Number as _ |
| } |
| pub const PS_ATTRIBUTE_PARENT_PROCESS: ULONG_PTR = 0x00060000; |
| pub const PS_ATTRIBUTE_DEBUG_PORT: ULONG_PTR = 0x00060001; |
| pub const PS_ATTRIBUTE_TOKEN: ULONG_PTR = 0x00060002; |
| pub const PS_ATTRIBUTE_CLIENT_ID: ULONG_PTR = 0x00010003; |
| pub const PS_ATTRIBUTE_TEB_ADDRESS: ULONG_PTR = 0x00010004; |
| pub const PS_ATTRIBUTE_IMAGE_NAME: ULONG_PTR = 0x00020005; |
| pub const PS_ATTRIBUTE_IMAGE_INFO: ULONG_PTR = 0x00000006; |
| pub const PS_ATTRIBUTE_MEMORY_RESERVE: ULONG_PTR = 0x00020007; |
| pub const PS_ATTRIBUTE_PRIORITY_CLASS: ULONG_PTR = 0x00020008; |
| pub const PS_ATTRIBUTE_ERROR_MODE: ULONG_PTR = 0x00020009; |
| pub const PS_ATTRIBUTE_STD_HANDLE_INFO: ULONG_PTR = 0x0002000a; |
| pub const PS_ATTRIBUTE_HANDLE_LIST: ULONG_PTR = 0x0002000b; |
| pub const PS_ATTRIBUTE_GROUP_AFFINITY: ULONG_PTR = 0x0003000c; |
| pub const PS_ATTRIBUTE_PREFERRED_NODE: ULONG_PTR = 0x0002000d; |
| pub const PS_ATTRIBUTE_IDEAL_PROCESSOR: ULONG_PTR = 0x0003000e; |
| pub const PS_ATTRIBUTE_UMS_THREAD: ULONG_PTR = 0x0003000f; |
| pub const PS_ATTRIBUTE_MITIGATION_OPTIONS: ULONG_PTR = 0x00060010; |
| pub const PS_ATTRIBUTE_PROTECTION_LEVEL: ULONG_PTR = 0x00060011; |
| pub const PS_ATTRIBUTE_SECURE_PROCESS: ULONG_PTR = 0x00020012; |
| pub const PS_ATTRIBUTE_JOB_LIST: ULONG_PTR = 0x00020013; |
| pub const PS_ATTRIBUTE_CHILD_PROCESS_POLICY: ULONG_PTR = 0x00020014; |
| pub const PS_ATTRIBUTE_ALL_APPLICATION_PACKAGES_POLICY: ULONG_PTR = 0x00020015; |
| pub const PS_ATTRIBUTE_WIN32K_FILTER: ULONG_PTR = 0x00020016; |
| pub const PS_ATTRIBUTE_SAFE_OPEN_PROMPT_ORIGIN_CLAIM: ULONG_PTR = 0x00020017; |
| pub const PS_ATTRIBUTE_BNO_ISOLATION: ULONG_PTR = 0x00020018; |
| pub const PS_ATTRIBUTE_DESKTOP_APP_POLICY: ULONG_PTR = 0x00020019; |
| UNION!{union PS_ATTRIBUTE_u { |
| Value: ULONG_PTR, |
| ValuePtr: PVOID, |
| }} |
| STRUCT!{struct PS_ATTRIBUTE { |
| Attribute: ULONG_PTR, |
| Size: SIZE_T, |
| u: PS_ATTRIBUTE_u, |
| ReturnLength: PSIZE_T, |
| }} |
| pub type PPS_ATTRIBUTE = *mut PS_ATTRIBUTE; |
| STRUCT!{struct PS_ATTRIBUTE_LIST { |
| TotalLength: SIZE_T, |
| Attributes: [PS_ATTRIBUTE; 1], |
| }} |
| pub type PPS_ATTRIBUTE_LIST = *mut PS_ATTRIBUTE_LIST; |
| STRUCT!{struct PS_MEMORY_RESERVE { |
| ReserveAddress: PVOID, |
| ReserveSize: SIZE_T, |
| }} |
| pub type PPS_MEMORY_RESERVE = *mut PS_MEMORY_RESERVE; |
| ENUM!{enum PS_STD_HANDLE_STATE { |
| PsNeverDuplicate = 0, |
| PsRequestDuplicate = 1, |
| PsAlwaysDuplicate = 2, |
| PsMaxStdHandleStates = 3, |
| }} |
| pub const PS_STD_INPUT_HANDLE: u32 = 0x1; |
| pub const PS_STD_OUTPUT_HANDLE: u32 = 0x2; |
| pub const PS_STD_ERROR_HANDLE: u32 = 0x4; |
| STRUCT!{struct PS_STD_HANDLE_INFO { |
| Flags: ULONG, |
| StdHandleSubsystemType: ULONG, |
| }} |
| pub type PPS_STD_HANDLE_INFO = *mut PS_STD_HANDLE_INFO; |
| BITFIELD!{PS_STD_HANDLE_INFO Flags: ULONG [ |
| StdHandleState set_StdHandleState[0..2], |
| PseudoHandleMask set_PseudoHandleMask[2..5], |
| ]} |
| STRUCT!{struct PS_BNO_ISOLATION_PARAMETERS { |
| IsolationPrefix: UNICODE_STRING, |
| HandleCount: ULONG, |
| Handles: *mut PVOID, |
| IsolationEnabled: BOOLEAN, |
| }} |
| pub type PPS_BNO_ISOLATION_PARAMETERS = *mut PS_BNO_ISOLATION_PARAMETERS; |
| ENUM!{enum PS_MITIGATION_OPTION { |
| PS_MITIGATION_OPTION_NX = 0, |
| PS_MITIGATION_OPTION_SEHOP = 1, |
| PS_MITIGATION_OPTION_FORCE_RELOCATE_IMAGES = 2, |
| PS_MITIGATION_OPTION_HEAP_TERMINATE = 3, |
| PS_MITIGATION_OPTION_BOTTOM_UP_ASLR = 4, |
| PS_MITIGATION_OPTION_HIGH_ENTROPY_ASLR = 5, |
| PS_MITIGATION_OPTION_STRICT_HANDLE_CHECKS = 6, |
| PS_MITIGATION_OPTION_WIN32K_SYSTEM_CALL_DISABLE = 7, |
| PS_MITIGATION_OPTION_EXTENSION_POINT_DISABLE = 8, |
| PS_MITIGATION_OPTION_PROHIBIT_DYNAMIC_CODE = 9, |
| PS_MITIGATION_OPTION_CONTROL_FLOW_GUARD = 10, |
| PS_MITIGATION_OPTION_BLOCK_NON_MICROSOFT_BINARIES = 11, |
| PS_MITIGATION_OPTION_FONT_DISABLE = 12, |
| PS_MITIGATION_OPTION_IMAGE_LOAD_NO_REMOTE = 13, |
| PS_MITIGATION_OPTION_IMAGE_LOAD_NO_LOW_LABEL = 14, |
| PS_MITIGATION_OPTION_IMAGE_LOAD_PREFER_SYSTEM32 = 15, |
| PS_MITIGATION_OPTION_RETURN_FLOW_GUARD = 16, |
| PS_MITIGATION_OPTION_LOADER_INTEGRITY_CONTINUITY = 17, |
| PS_MITIGATION_OPTION_STRICT_CONTROL_FLOW_GUARD = 18, |
| PS_MITIGATION_OPTION_RESTRICT_SET_THREAD_CONTEXT = 19, |
| PS_MITIGATION_OPTION_ROP_STACKPIVOT = 20, |
| PS_MITIGATION_OPTION_ROP_CALLER_CHECK = 21, |
| PS_MITIGATION_OPTION_ROP_SIMEXEC = 22, |
| PS_MITIGATION_OPTION_EXPORT_ADDRESS_FILTER = 23, |
| PS_MITIGATION_OPTION_EXPORT_ADDRESS_FILTER_PLUS = 24, |
| PS_MITIGATION_OPTION_RESTRICT_CHILD_PROCESS_CREATION = 25, |
| PS_MITIGATION_OPTION_IMPORT_ADDRESS_FILTER = 26, |
| PS_MITIGATION_OPTION_MODULE_TAMPERING_PROTECTION = 27, |
| PS_MITIGATION_OPTION_RESTRICT_INDIRECT_BRANCH_PREDICTION = 28, |
| PS_MITIGATION_OPTION_SPECULATIVE_STORE_BYPASS_DISABLE = 29, |
| PS_MITIGATION_OPTION_ALLOW_DOWNGRADE_DYNAMIC_CODE_POLICY = 30, |
| PS_MITIGATION_OPTION_CET_SHADOW_STACKS = 31, |
| }} |
| ENUM!{enum PS_CREATE_STATE { |
| PsCreateInitialState = 0, |
| PsCreateFailOnFileOpen = 1, |
| PsCreateFailOnSectionCreate = 2, |
| PsCreateFailExeFormat = 3, |
| PsCreateFailMachineMismatch = 4, |
| PsCreateFailExeName = 5, |
| PsCreateSuccess = 6, |
| PsCreateMaximumStates = 7, |
| }} |
| STRUCT!{struct PS_CREATE_INFO_u_InitState { |
| InitFlags: ULONG, |
| AdditionalFileAccess: ACCESS_MASK, |
| }} |
| BITFIELD!{PS_CREATE_INFO_u_InitState InitFlags: ULONG [ |
| WriteOutputOnExit set_WriteOutputOnExit[0..1], |
| DetectManifest set_DetectManifest[1..2], |
| IFEOSkipDebugger set_IFEOSkipDebugger[2..3], |
| IFEODoNotPropagateKeyState set_IFEODoNotPropagateKeyState[3..4], |
| SpareBits1 set_SpareBits1[4..8], |
| SpareBits2 set_SpareBits2[8..16], |
| ProhibitedImageCharacteristics set_ProhibitedImageCharacteristics[16..32], |
| ]} |
| STRUCT!{struct PS_CREATE_INFO_u_SuccessState { |
| OutputFlags: ULONG, |
| FileHandle: HANDLE, |
| SectionHandle: HANDLE, |
| UserProcessParametersNative: ULONGLONG, |
| UserProcessParametersWow64: ULONG, |
| CurrentParameterFlags: ULONG, |
| PebAddressNative: ULONGLONG, |
| PebAddressWow64: ULONG, |
| ManifestAddress: ULONGLONG, |
| ManifestSize: ULONG, |
| }} |
| BITFIELD!{PS_CREATE_INFO_u_SuccessState OutputFlags: ULONG [ |
| ProtectedProcess set_ProtectedProcess[0..1], |
| AddressSpaceOverride set_AddressSpaceOverride[1..2], |
| DevOverrideEnabled set_DevOverrideEnabled[2..3], |
| ManifestDetected set_ManifestDetected[3..4], |
| ProtectedProcessLight set_ProtectedProcessLight[4..5], |
| SpareBits1 set_SpareBits1[5..8], |
| SpareBits2 set_SpareBits2[8..16], |
| SpareBits3 set_SpareBits3[16..32], |
| ]} |
| UNION!{union PS_CREATE_INFO_u { |
| InitState: PS_CREATE_INFO_u_InitState, |
| FileHandle: HANDLE, |
| DllCharacteristics: USHORT, |
| IFEOKey: HANDLE, |
| SuccessState: PS_CREATE_INFO_u_SuccessState, |
| }} |
| STRUCT!{struct PS_CREATE_INFO { |
| Size: SIZE_T, |
| State: PS_CREATE_STATE, |
| u: PS_CREATE_INFO_u, |
| }} |
| pub type PPS_CREATE_INFO = *mut PS_CREATE_INFO; |
| pub const PROCESS_CREATE_FLAGS_LARGE_PAGE_SYSTEM_DLL: ULONG = 0x00000020; |
| pub const PROCESS_CREATE_FLAGS_PROTECTED_PROCESS: ULONG = 0x00000040; |
| pub const PROCESS_CREATE_FLAGS_CREATE_SESSION: ULONG = 0x00000080; |
| pub const PROCESS_CREATE_FLAGS_INHERIT_FROM_PARENT: ULONG = 0x00000100; |
| pub const PROCESS_CREATE_FLAGS_SUSPENDED: ULONG = 0x00000200; |
| pub const PROCESS_CREATE_FLAGS_EXTENDED_UNKNOWN: ULONG = 0x00000400; |
| EXTERN!{extern "system" { |
| fn NtCreateUserProcess( |
| ProcessHandle: PHANDLE, |
| ThreadHandle: PHANDLE, |
| ProcessDesiredAccess: ACCESS_MASK, |
| ThreadDesiredAccess: ACCESS_MASK, |
| ProcessObjectAttributes: POBJECT_ATTRIBUTES, |
| ThreadObjectAttributes: POBJECT_ATTRIBUTES, |
| ProcessFlags: ULONG, |
| ThreadFlags: ULONG, |
| ProcessParameters: PVOID, |
| CreateInfo: PPS_CREATE_INFO, |
| AttributeList: PPS_ATTRIBUTE_LIST, |
| ) -> NTSTATUS; |
| }} |
| pub const THREAD_CREATE_FLAGS_CREATE_SUSPENDED: ULONG = 0x00000001; |
| pub const THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH: ULONG = 0x00000002; |
| pub const THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER: ULONG = 0x00000004; |
| pub const THREAD_CREATE_FLAGS_HAS_SECURITY_DESCRIPTOR: ULONG = 0x00000010; |
| pub const THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET: ULONG = 0x00000020; |
| pub const THREAD_CREATE_FLAGS_INITIAL_THREAD: ULONG = 0x00000080; |
| EXTERN!{extern "system" { |
| fn NtCreateThreadEx( |
| ThreadHandle: PHANDLE, |
| DesiredAccess: ACCESS_MASK, |
| ObjectAttributes: POBJECT_ATTRIBUTES, |
| ProcessHandle: HANDLE, |
| StartRoutine: PVOID, |
| Argument: PVOID, |
| CreateFlags: ULONG, |
| ZeroBits: SIZE_T, |
| StackSize: SIZE_T, |
| MaximumStackSize: SIZE_T, |
| AttributeList: PPS_ATTRIBUTE_LIST, |
| ) -> NTSTATUS; |
| }} |
| STRUCT!{struct JOBOBJECT_EXTENDED_ACCOUNTING_INFORMATION { |
| BasicInfo: JOBOBJECT_BASIC_ACCOUNTING_INFORMATION, |
| IoInfo: IO_COUNTERS, |
| DiskIoInfo: PROCESS_DISK_COUNTERS, |
| ContextSwitches: ULONG64, |
| TotalCycleTime: LARGE_INTEGER, |
| ReadyTime: ULONG64, |
| EnergyValues: PROCESS_ENERGY_VALUES, |
| }} |
| pub type PJOBOBJECT_EXTENDED_ACCOUNTING_INFORMATION = |
| *mut JOBOBJECT_EXTENDED_ACCOUNTING_INFORMATION; |
| STRUCT!{struct JOBOBJECT_WAKE_INFORMATION { |
| NotificationChannel: HANDLE, |
| WakeCounters: [ULONG64; 7], |
| }} |
| pub type PJOBOBJECT_WAKE_INFORMATION = *mut JOBOBJECT_WAKE_INFORMATION; |
| STRUCT!{struct JOBOBJECT_WAKE_INFORMATION_V1 { |
| NotificationChannel: HANDLE, |
| WakeCounters: [ULONG64; 4], |
| }} |
| pub type PJOBOBJECT_WAKE_INFORMATION_V1 = *mut JOBOBJECT_WAKE_INFORMATION_V1; |
| STRUCT!{struct JOBOBJECT_INTERFERENCE_INFORMATION { |
| Count: ULONG64, |
| }} |
| pub type PJOBOBJECT_INTERFERENCE_INFORMATION = *mut JOBOBJECT_INTERFERENCE_INFORMATION; |
| STRUCT!{struct JOBOBJECT_WAKE_FILTER { |
| HighEdgeFilter: ULONG, |
| LowEdgeFilter: ULONG, |
| }} |
| pub type PJOBOBJECT_WAKE_FILTER = *mut JOBOBJECT_WAKE_FILTER; |
| STRUCT!{struct JOBOBJECT_FREEZE_INFORMATION { |
| Flags: ULONG, |
| Freeze: BOOLEAN, |
| Swap: BOOLEAN, |
| Reserved0: [UCHAR; 2], |
| WakeFilter: JOBOBJECT_WAKE_FILTER, |
| }} |
| pub type PJOBOBJECT_FREEZE_INFORMATION = *mut JOBOBJECT_FREEZE_INFORMATION; |
| BITFIELD!{JOBOBJECT_FREEZE_INFORMATION Flags: ULONG [ |
| FreezeOperation set_FreezeOperation[0..1], |
| FilterOperation set_FilterOperation[1..2], |
| SwapOperation set_SwapOperation[2..3], |
| Reserved set_Reserved[3..32], |
| ]} |
| STRUCT!{struct JOBOBJECT_MEMORY_USAGE_INFORMATION { |
| JobMemory: ULONG64, |
| PeakJobMemoryUsed: ULONG64, |
| }} |
| pub type PJOBOBJECT_MEMORY_USAGE_INFORMATION = *mut JOBOBJECT_MEMORY_USAGE_INFORMATION; |
| STRUCT!{struct JOBOBJECT_MEMORY_USAGE_INFORMATION_V2 { |
| BasicInfo: JOBOBJECT_MEMORY_USAGE_INFORMATION, |
| JobSharedMemory: ULONG64, |
| Reserved: [ULONG64; 2], |
| }} |
| pub type PJOBOBJECT_MEMORY_USAGE_INFORMATION_V2 = *mut JOBOBJECT_MEMORY_USAGE_INFORMATION_V2; |
| STRUCT!{struct SILO_USER_SHARED_DATA { |
| ServiceSessionId: ULONG64, |
| ActiveConsoleId: ULONG, |
| ConsoleSessionForegroundProcessId: LONGLONG, |
| NtProductType: NT_PRODUCT_TYPE, |
| SuiteMask: ULONG, |
| SharedUserSessionId: ULONG, |
| IsMultiSessionSku: BOOLEAN, |
| NtSystemRoot: [WCHAR; 260], |
| UserModeGlobalLogger: [USHORT; 16], |
| }} |
| pub type PSILO_USER_SHARED_DATA = *mut SILO_USER_SHARED_DATA; |
| STRUCT!{struct SILOOBJECT_ROOT_DIRECTORY { |
| ControlFlags: ULONG, |
| Path: UNICODE_STRING, |
| }} |
| pub type PSILOOBJECT_ROOT_DIRECTORY = *mut SILOOBJECT_ROOT_DIRECTORY; |
| STRUCT!{struct JOBOBJECT_ENERGY_TRACKING_STATE { |
| Value: ULONG64, |
| UpdateMask: ULONG, |
| DesiredState: ULONG, |
| }} |
| pub type PJOBOBJECT_ENERGY_TRACKING_STATE = *mut JOBOBJECT_ENERGY_TRACKING_STATE; |
| EXTERN!{extern "system" { |
| fn NtCreateJobObject( |
| JobHandle: PHANDLE, |
| DesiredAccess: ACCESS_MASK, |
| ObjectAttributes: POBJECT_ATTRIBUTES, |
| ) -> NTSTATUS; |
| fn NtOpenJobObject( |
| JobHandle: PHANDLE, |
| DesiredAccess: ACCESS_MASK, |
| ObjectAttributes: POBJECT_ATTRIBUTES, |
| ) -> NTSTATUS; |
| fn NtAssignProcessToJobObject( |
| JobHandle: HANDLE, |
| ProcessHandle: HANDLE, |
| ) -> NTSTATUS; |
| fn NtTerminateJobObject( |
| JobHandle: HANDLE, |
| ExitStatus: NTSTATUS, |
| ) -> NTSTATUS; |
| fn NtIsProcessInJob( |
| ProcessHandle: HANDLE, |
| JobHandle: HANDLE, |
| ) -> NTSTATUS; |
| fn NtQueryInformationJobObject( |
| JobHandle: HANDLE, |
| JobObjectInformationClass: JOBOBJECTINFOCLASS, |
| JobObjectInformation: PVOID, |
| JobObjectInformationLength: ULONG, |
| ReturnLength: PULONG, |
| ) -> NTSTATUS; |
| fn NtSetInformationJobObject( |
| JobHandle: HANDLE, |
| JobObjectInformationClass: JOBOBJECTINFOCLASS, |
| JobObjectInformation: PVOID, |
| JobObjectInformationLength: ULONG, |
| ) -> NTSTATUS; |
| fn NtCreateJobSet( |
| NumJob: ULONG, |
| UserJobSet: PJOB_SET_ARRAY, |
| Flags: ULONG, |
| ) -> NTSTATUS; |
| fn NtRevertContainerImpersonation() -> NTSTATUS; |
| }} |
| ENUM!{enum MEMORY_RESERVE_TYPE { |
| MemoryReserveUserApc = 0, |
| MemoryReserveIoCompletion = 1, |
| MemoryReserveTypeMax = 2, |
| }} |
| EXTERN!{extern "system" { |
| fn NtAllocateReserveObject( |
| MemoryReserveHandle: PHANDLE, |
| ObjectAttributes: POBJECT_ATTRIBUTES, |
| Type: MEMORY_RESERVE_TYPE, |
| ) -> NTSTATUS; |
| }} |
