1 use crate::ntapi_base::{CLIENT_ID, KPRIORITY, PCLIENT_ID};
2 use crate::ntexapi::{PROCESS_DISK_COUNTERS, PROCESS_ENERGY_VALUES};
3 use crate::ntpebteb::{PPEB, PTEB};
4 use winapi::ctypes::c_void;
5 use winapi::shared::basetsd::{PSIZE_T, SIZE_T, ULONG64, ULONG_PTR};
6 use winapi::shared::ntdef::{
7 BOOLEAN, HANDLE, LARGE_INTEGER, LIST_ENTRY, LONG, LONGLONG, NTSTATUS, NT_PRODUCT_TYPE,
8 PHANDLE, PLARGE_INTEGER, POBJECT_ATTRIBUTES, PROCESSOR_NUMBER, PSINGLE_LIST_ENTRY, PULONG,
9 PVOID, SINGLE_LIST_ENTRY, UCHAR, ULONG, ULONGLONG, UNICODE_STRING, USHORT, WCHAR,
10 };
11 use winapi::um::winnt::{
12 ACCESS_MASK, CONTEXT, HARDWARE_COUNTER_TYPE, IO_COUNTERS, JOBOBJECTINFOCLASS,
13 JOBOBJECT_BASIC_ACCOUNTING_INFORMATION, LDT_ENTRY, MAX_HW_COUNTERS, PCONTEXT, PJOB_SET_ARRAY,
14 PROCESS_MITIGATION_ASLR_POLICY, PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY,
15 PROCESS_MITIGATION_CHILD_PROCESS_POLICY, PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY,
16 PROCESS_MITIGATION_DYNAMIC_CODE_POLICY, PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY,
17 PROCESS_MITIGATION_FONT_DISABLE_POLICY, PROCESS_MITIGATION_IMAGE_LOAD_POLICY,
18 PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY, PROCESS_MITIGATION_POLICY,
19 PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY, PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY,
20 PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY, PSECURITY_QUALITY_OF_SERVICE,
21 };
22 #[cfg(all(feature = "nightly", not(target_arch = "aarch64")))]
23 use crate::winapi_local::um::winnt::NtCurrentTeb;
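/// Length, in `ULONG`s, of the GDI handle buffer in the 32-bit layout.
pub const GDI_HANDLE_BUFFER_SIZE32: usize = 34;
/// Length, in `ULONG`s, of the GDI handle buffer in the 64-bit layout.
pub const GDI_HANDLE_BUFFER_SIZE64: usize = 60;
/// GDI handle buffer length for the layout native to the compilation target.
#[cfg(any(target_arch = "x86_64", target_arch = "aarch64"))]
pub const GDI_HANDLE_BUFFER_SIZE: usize = GDI_HANDLE_BUFFER_SIZE64;
/// GDI handle buffer length for the layout native to the compilation target.
#[cfg(target_arch = "x86")]
pub const GDI_HANDLE_BUFFER_SIZE: usize = GDI_HANDLE_BUFFER_SIZE32;
/// GDI handle buffer in the target-native layout.
pub type GDI_HANDLE_BUFFER = [ULONG; GDI_HANDLE_BUFFER_SIZE];
/// GDI handle buffer in the 32-bit layout, independent of the compilation target.
pub type GDI_HANDLE_BUFFER32 = [ULONG; GDI_HANDLE_BUFFER_SIZE32];
/// GDI handle buffer in the 64-bit layout, independent of the compilation target.
// Sized by the explicit 64-bit constant, not GDI_HANDLE_BUFFER_SIZE: on an x86 build
// the latter resolves to the 32-bit length (34), which would make this type too short
// and shift every field laid out after a buffer of this type.
pub type GDI_HANDLE_BUFFER64 = [ULONG; GDI_HANDLE_BUFFER_SIZE64];
/// Length of the TLS expansion slot array.
pub const TLS_EXPANSION_SLOTS: usize = 1024;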
34 STRUCT!{struct PEB_LDR_DATA {
35 Length: ULONG,
36 Initialized: BOOLEAN,
37 SsHandle: HANDLE,
38 InLoadOrderModuleList: LIST_ENTRY,
39 InMemoryOrderModuleList: LIST_ENTRY,
40 InInitializationOrderModuleList: LIST_ENTRY,
41 EntryInProgress: PVOID,
42 ShutdownInProgress: BOOLEAN,
43 ShutdownThreadId: HANDLE,
44 }}
45 pub type PPEB_LDR_DATA = *mut PEB_LDR_DATA;
46 STRUCT!{struct INITIAL_TEB_OldInitialTeb {
47 OldStackBase: PVOID,
48 OldStackLimit: PVOID,
49 }}
50 STRUCT!{struct INITIAL_TEB {
51 OldInitialTeb: INITIAL_TEB_OldInitialTeb,
52 StackBase: PVOID,
53 StackLimit: PVOID,
54 StackAllocationBase: PVOID,
55 }}
56 pub type PINITIAL_TEB = *mut INITIAL_TEB;
57 STRUCT!{struct WOW64_PROCESS {
58 Wow64: PVOID,
59 }}
60 pub type PWOW64_PROCESS = *mut WOW64_PROCESS;
61 ENUM!{enum PROCESSINFOCLASS {
62 ProcessBasicInformation = 0,
63 ProcessQuotaLimits = 1,
64 ProcessIoCounters = 2,
65 ProcessVmCounters = 3,
66 ProcessTimes = 4,
67 ProcessBasePriority = 5,
68 ProcessRaisePriority = 6,
69 ProcessDebugPort = 7,
70 ProcessExceptionPort = 8,
71 ProcessAccessToken = 9,
72 ProcessLdtInformation = 10,
73 ProcessLdtSize = 11,
74 ProcessDefaultHardErrorMode = 12,
75 ProcessIoPortHandlers = 13,
76 ProcessPooledUsageAndLimits = 14,
77 ProcessWorkingSetWatch = 15,
78 ProcessUserModeIOPL = 16,
79 ProcessEnableAlignmentFaultFixup = 17,
80 ProcessPriorityClass = 18,
81 ProcessWx86Information = 19,
82 ProcessHandleCount = 20,
83 ProcessAffinityMask = 21,
84 ProcessPriorityBoost = 22,
85 ProcessDeviceMap = 23,
86 ProcessSessionInformation = 24,
87 ProcessForegroundInformation = 25,
88 ProcessWow64Information = 26,
89 ProcessImageFileName = 27,
90 ProcessLUIDDeviceMapsEnabled = 28,
91 ProcessBreakOnTermination = 29,
92 ProcessDebugObjectHandle = 30,
93 ProcessDebugFlags = 31,
94 ProcessHandleTracing = 32,
95 ProcessIoPriority = 33,
96 ProcessExecuteFlags = 34,
97 ProcessResourceManagement = 35,
98 ProcessCookie = 36,
99 ProcessImageInformation = 37,
100 ProcessCycleTime = 38,
101 ProcessPagePriority = 39,
102 ProcessInstrumentationCallback = 40,
103 ProcessThreadStackAllocation = 41,
104 ProcessWorkingSetWatchEx = 42,
105 ProcessImageFileNameWin32 = 43,
106 ProcessImageFileMapping = 44,
107 ProcessAffinityUpdateMode = 45,
108 ProcessMemoryAllocationMode = 46,
109 ProcessGroupInformation = 47,
110 ProcessTokenVirtualizationEnabled = 48,
111 ProcessConsoleHostProcess = 49,
112 ProcessWindowInformation = 50,
113 ProcessHandleInformation = 51,
114 ProcessMitigationPolicy = 52,
115 ProcessDynamicFunctionTableInformation = 53,
116 ProcessHandleCheckingMode = 54,
117 ProcessKeepAliveCount = 55,
118 ProcessRevokeFileHandles = 56,
119 ProcessWorkingSetControl = 57,
120 ProcessHandleTable = 58,
121 ProcessCheckStackExtentsMode = 59,
122 ProcessCommandLineInformation = 60,
123 ProcessProtectionInformation = 61,
124 ProcessMemoryExhaustion = 62,
125 ProcessFaultInformation = 63,
126 ProcessTelemetryIdInformation = 64,
127 ProcessCommitReleaseInformation = 65,
128 ProcessDefaultCpuSetsInformation = 66,
129 ProcessAllowedCpuSetsInformation = 67,
130 ProcessSubsystemProcess = 68,
131 ProcessJobMemoryInformation = 69,
132 ProcessInPrivate = 70,
133 ProcessRaiseUMExceptionOnInvalidHandleClose = 71,
134 ProcessIumChallengeResponse = 72,
135 ProcessChildProcessInformation = 73,
136 ProcessHighGraphicsPriorityInformation = 74,
137 ProcessSubsystemInformation = 75,
138 ProcessEnergyValues = 76,
139 ProcessActivityThrottleState = 77,
140 ProcessActivityThrottlePolicy = 78,
141 ProcessWin32kSyscallFilterInformation = 79,
142 ProcessDisableSystemAllowedCpuSets = 80,
143 ProcessWakeInformation = 81,
144 ProcessEnergyTrackingState = 82,
145 ProcessManageWritesToExecutableMemory = 83,
146 ProcessCaptureTrustletLiveDump = 84,
147 ProcessTelemetryCoverage = 85,
148 ProcessEnclaveInformation = 86,
149 ProcessEnableReadWriteVmLogging = 87,
150 ProcessUptimeInformation = 88,
151 ProcessImageSection = 89,
152 ProcessDebugAuthInformation = 90,
153 ProcessSystemResourceManagement = 91,
154 ProcessSequenceNumber = 92,
155 ProcessLoaderDetour = 93,
156 ProcessSecurityDomainInformation = 94,
157 ProcessCombineSecurityDomainsInformation = 95,
158 ProcessEnableLogging = 96,
159 ProcessLeapSecondInformation = 97,
160 MaxProcessInfoClass = 98,
161 }}
162 ENUM!{enum THREADINFOCLASS {
163 ThreadBasicInformation = 0,
164 ThreadTimes = 1,
165 ThreadPriority = 2,
166 ThreadBasePriority = 3,
167 ThreadAffinityMask = 4,
168 ThreadImpersonationToken = 5,
169 ThreadDescriptorTableEntry = 6,
170 ThreadEnableAlignmentFaultFixup = 7,
171 ThreadEventPair = 8,
172 ThreadQuerySetWin32StartAddress = 9,
173 ThreadZeroTlsCell = 10,
174 ThreadPerformanceCount = 11,
175 ThreadAmILastThread = 12,
176 ThreadIdealProcessor = 13,
177 ThreadPriorityBoost = 14,
178 ThreadSetTlsArrayAddress = 15,
179 ThreadIsIoPending = 16,
180 ThreadHideFromDebugger = 17,
181 ThreadBreakOnTermination = 18,
182 ThreadSwitchLegacyState = 19,
183 ThreadIsTerminated = 20,
184 ThreadLastSystemCall = 21,
185 ThreadIoPriority = 22,
186 ThreadCycleTime = 23,
187 ThreadPagePriority = 24,
188 ThreadActualBasePriority = 25,
189 ThreadTebInformation = 26,
190 ThreadCSwitchMon = 27,
191 ThreadCSwitchPmu = 28,
192 ThreadWow64Context = 29,
193 ThreadGroupInformation = 30,
194 ThreadUmsInformation = 31,
195 ThreadCounterProfiling = 32,
196 ThreadIdealProcessorEx = 33,
197 ThreadCpuAccountingInformation = 34,
198 ThreadSuspendCount = 35,
199 ThreadHeterogeneousCpuPolicy = 36,
200 ThreadContainerId = 37,
201 ThreadNameInformation = 38,
202 ThreadSelectedCpuSets = 39,
203 ThreadSystemThreadInformation = 40,
204 ThreadActualGroupAffinity = 41,
205 ThreadDynamicCodePolicyInfo = 42,
206 ThreadExplicitCaseSensitivity = 43,
207 ThreadWorkOnBehalfTicket = 44,
208 ThreadSubsystemInformation = 45,
209 ThreadDbgkWerReportActive = 46,
210 ThreadAttachContainer = 47,
211 ThreadManageWritesToExecutableMemory = 48,
212 ThreadPowerThrottlingState = 49,
213 ThreadWorkloadClass = 50,
214 MaxThreadInfoClass = 51,
215 }}
216 STRUCT!{struct PAGE_PRIORITY_INFORMATION {
217 PagePriority: ULONG,
218 }}
219 pub type PPAGE_PRIORITY_INFORMATION = *mut PAGE_PRIORITY_INFORMATION;
220 STRUCT!{struct PROCESS_BASIC_INFORMATION {
221 ExitStatus: NTSTATUS,
222 PebBaseAddress: PPEB,
223 AffinityMask: ULONG_PTR,
224 BasePriority: KPRIORITY,
225 UniqueProcessId: HANDLE,
226 InheritedFromUniqueProcessId: HANDLE,
227 }}
228 pub type PPROCESS_BASIC_INFORMATION = *mut PROCESS_BASIC_INFORMATION;
229 STRUCT!{struct PROCESS_EXTENDED_BASIC_INFORMATION {
230 Size: SIZE_T,
231 BasicInfo: PROCESS_BASIC_INFORMATION,
232 Flags: ULONG,
233 }}
234 BITFIELD!{PROCESS_EXTENDED_BASIC_INFORMATION Flags: ULONG [
235 IsProtectedProcess set_IsProtectedProcess[0..1],
236 IsWow64Process set_IsWow64Process[1..2],
237 IsProcessDeleting set_IsProcessDeleting[2..3],
238 IsCrossSessionCreate set_IsCrossSessionCreate[3..4],
239 IsFrozen set_IsFrozen[4..5],
240 IsBackground set_IsBackground[5..6],
241 IsStronglyNamed set_IsStronglyNamed[6..7],
242 IsSecureProcess set_IsSecureProcess[7..8],
243 IsSubsystemProcess set_IsSubsystemProcess[8..9],
244 SpareBits set_SpareBits[9..32],
245 ]}
246 pub type PPROCESS_EXTENDED_BASIC_INFORMATION = *mut PROCESS_EXTENDED_BASIC_INFORMATION;
247 STRUCT!{struct VM_COUNTERS {
248 PeakVirtualSize: SIZE_T,
249 VirtualSize: SIZE_T,
250 PageFaultCount: ULONG,
251 PeakWorkingSetSize: SIZE_T,
252 WorkingSetSize: SIZE_T,
253 QuotaPeakPagedPoolUsage: SIZE_T,
254 QuotaPagedPoolUsage: SIZE_T,
255 QuotaPeakNonPagedPoolUsage: SIZE_T,
256 QuotaNonPagedPoolUsage: SIZE_T,
257 PagefileUsage: SIZE_T,
258 PeakPagefileUsage: SIZE_T,
259 }}
260 pub type PVM_COUNTERS = *mut VM_COUNTERS;
261 STRUCT!{struct VM_COUNTERS_EX {
262 PeakVirtualSize: SIZE_T,
263 VirtualSize: SIZE_T,
264 PageFaultCount: ULONG,
265 PeakWorkingSetSize: SIZE_T,
266 WorkingSetSize: SIZE_T,
267 QuotaPeakPagedPoolUsage: SIZE_T,
268 QuotaPagedPoolUsage: SIZE_T,
269 QuotaPeakNonPagedPoolUsage: SIZE_T,
270 QuotaNonPagedPoolUsage: SIZE_T,
271 PagefileUsage: SIZE_T,
272 PeakPagefileUsage: SIZE_T,
273 PrivateUsage: SIZE_T,
274 }}
275 pub type PVM_COUNTERS_EX = *mut VM_COUNTERS_EX;
276 STRUCT!{struct VM_COUNTERS_EX2 {
277 CountersEx: VM_COUNTERS_EX,
278 PrivateWorkingSetSize: SIZE_T,
279 SharedCommitUsage: SIZE_T,
280 }}
281 pub type PVM_COUNTERS_EX2 = *mut VM_COUNTERS_EX2;
282 STRUCT!{struct KERNEL_USER_TIMES {
283 CreateTime: LARGE_INTEGER,
284 ExitTime: LARGE_INTEGER,
285 KernelTime: LARGE_INTEGER,
286 UserTime: LARGE_INTEGER,
287 }}
288 pub type PKERNEL_USER_TIMES = *mut KERNEL_USER_TIMES;
289 STRUCT!{struct POOLED_USAGE_AND_LIMITS {
290 PeakPagedPoolUsage: SIZE_T,
291 PagedPoolUsage: SIZE_T,
292 PagedPoolLimit: SIZE_T,
293 PeakNonPagedPoolUsage: SIZE_T,
294 NonPagedPoolUsage: SIZE_T,
295 NonPagedPoolLimit: SIZE_T,
296 PeakPagefileUsage: SIZE_T,
297 PagefileUsage: SIZE_T,
298 PagefileLimit: SIZE_T,
299 }}
300 pub type PPOOLED_USAGE_AND_LIMITS = *mut POOLED_USAGE_AND_LIMITS;
301 pub const PROCESS_EXCEPTION_PORT_ALL_STATE_BITS: ULONG_PTR = 0x00000003;
302 pub const PROCESS_EXCEPTION_PORT_ALL_STATE_FLAGS: ULONG_PTR =
303 (1 << PROCESS_EXCEPTION_PORT_ALL_STATE_BITS) - 1;
304 STRUCT!{struct PROCESS_EXCEPTION_PORT {
305 ExceptionPortHandle: HANDLE,
306 StateFlags: ULONG,
307 }}
308 pub type PPROCESS_EXCEPTION_PORT = *mut PROCESS_EXCEPTION_PORT;
309 STRUCT!{struct PROCESS_ACCESS_TOKEN {
310 Token: HANDLE,
311 Thread: HANDLE,
312 }}
313 pub type PPROCESS_ACCESS_TOKEN = *mut PROCESS_ACCESS_TOKEN;
314 STRUCT!{struct PROCESS_LDT_INFORMATION {
315 Start: ULONG,
316 Length: ULONG,
317 LdtEntries: [LDT_ENTRY; 1],
318 }}
319 pub type PPROCESS_LDT_INFORMATION = *mut PROCESS_LDT_INFORMATION;
320 STRUCT!{struct PROCESS_LDT_SIZE {
321 Length: ULONG,
322 }}
323 pub type PPROCESS_LDT_SIZE = *mut PROCESS_LDT_SIZE;
324 STRUCT!{struct PROCESS_WS_WATCH_INFORMATION {
325 FaultingPc: PVOID,
326 FaultingVa: PVOID,
327 }}
328 pub type PPROCESS_WS_WATCH_INFORMATION = *mut PROCESS_WS_WATCH_INFORMATION;
329 STRUCT!{struct PROCESS_WS_WATCH_INFORMATION_EX {
330 BasicInfo: PROCESS_WS_WATCH_INFORMATION,
331 FaultingThreadId: ULONG_PTR,
332 Flags: ULONG_PTR,
333 }}
334 pub type PPROCESS_WS_WATCH_INFORMATION_EX = *mut PROCESS_WS_WATCH_INFORMATION_EX;
335 pub const PROCESS_PRIORITY_CLASS_UNKNOWN: u32 = 0;
336 pub const PROCESS_PRIORITY_CLASS_IDLE: u32 = 1;
337 pub const PROCESS_PRIORITY_CLASS_NORMAL: u32 = 2;
338 pub const PROCESS_PRIORITY_CLASS_HIGH: u32 = 3;
339 pub const PROCESS_PRIORITY_CLASS_REALTIME: u32 = 4;
340 pub const PROCESS_PRIORITY_CLASS_BELOW_NORMAL: u32 = 5;
341 pub const PROCESS_PRIORITY_CLASS_ABOVE_NORMAL: u32 = 6;
342 STRUCT!{struct PROCESS_PRIORITY_CLASS {
343 Foreground: BOOLEAN,
344 PriorityClass: UCHAR,
345 }}
346 pub type PPROCESS_PRIORITY_CLASS = *mut PROCESS_PRIORITY_CLASS;
347 STRUCT!{struct PROCESS_FOREGROUND_BACKGROUND {
348 Foreground: BOOLEAN,
349 }}
350 pub type PPROCESS_FOREGROUND_BACKGROUND = *mut PROCESS_FOREGROUND_BACKGROUND;
351 STRUCT!{struct PROCESS_DEVICEMAP_INFORMATION_Set {
352 DirectoryHandle: HANDLE,
353 }}
354 STRUCT!{struct PROCESS_DEVICEMAP_INFORMATION_Query {
355 DriveMap: ULONG,
356 DriveType: [UCHAR; 32],
357 }}
358 UNION!{union PROCESS_DEVICEMAP_INFORMATION {
359 Set: PROCESS_DEVICEMAP_INFORMATION_Set,
360 Query: PROCESS_DEVICEMAP_INFORMATION_Query,
361 }}
362 pub type PPROCESS_DEVICEMAP_INFORMATION = *mut PROCESS_DEVICEMAP_INFORMATION;
363 pub const PROCESS_LUID_DOSDEVICES_ONLY: ULONG = 0x00000001;
364 STRUCT!{struct PROCESS_DEVICEMAP_INFORMATION_EX_u_Set {
365 DirectoryHandle: HANDLE,
366 }}
367 STRUCT!{struct PROCESS_DEVICEMAP_INFORMATION_EX_u_Query {
368 DriveMap: ULONG,
369 DriveType: [UCHAR; 32],
370 }}
371 UNION!{union PROCESS_DEVICEMAP_INFORMATION_EX_u {
372 Set: PROCESS_DEVICEMAP_INFORMATION_EX_u_Set,
373 Query: PROCESS_DEVICEMAP_INFORMATION_EX_u_Query,
374 }}
375 STRUCT!{struct PROCESS_DEVICEMAP_INFORMATION_EX {
376 u: PROCESS_DEVICEMAP_INFORMATION_EX_u,
377 Flags: ULONG,
378 }}
379 pub type PPROCESS_DEVICEMAP_INFORMATION_EX = *mut PROCESS_DEVICEMAP_INFORMATION_EX;
380 STRUCT!{struct PROCESS_SESSION_INFORMATION {
381 SessionId: ULONG,
382 }}
383 pub type PPROCESS_SESSION_INFORMATION = *mut PROCESS_SESSION_INFORMATION;
384 pub const PROCESS_HANDLE_EXCEPTIONS_ENABLED: ULONG = 0x00000001;
385 pub const PROCESS_HANDLE_RAISE_EXCEPTION_ON_INVALID_HANDLE_CLOSE_DISABLED: ULONG = 0x00000000;
386 pub const PROCESS_HANDLE_RAISE_EXCEPTION_ON_INVALID_HANDLE_CLOSE_ENABLED: ULONG = 0x00000001;
387 STRUCT!{struct PROCESS_HANDLE_TRACING_ENABLE {
388 Flags: ULONG,
389 }}
390 pub type PPROCESS_HANDLE_TRACING_ENABLE = *mut PROCESS_HANDLE_TRACING_ENABLE;
391 pub const PROCESS_HANDLE_TRACING_MAX_SLOTS: ULONG = 0x20000;
392 STRUCT!{struct PROCESS_HANDLE_TRACING_ENABLE_EX {
393 Flags: ULONG,
394 TotalSlots: ULONG,
395 }}
396 pub type PPROCESS_HANDLE_TRACING_ENABLE_EX = *mut PROCESS_HANDLE_TRACING_ENABLE_EX;
397 pub const PROCESS_HANDLE_TRACING_MAX_STACKS: usize = 16;
398 pub const PROCESS_HANDLE_TRACE_TYPE_OPEN: ULONG = 1;
399 pub const PROCESS_HANDLE_TRACE_TYPE_CLOSE: ULONG = 2;
400 pub const PROCESS_HANDLE_TRACE_TYPE_BADREF: ULONG = 3;
401 STRUCT!{struct PROCESS_HANDLE_TRACING_ENTRY {
402 Handle: HANDLE,
403 ClientId: CLIENT_ID,
404 Type: ULONG,
405 Stacks: [PVOID; PROCESS_HANDLE_TRACING_MAX_STACKS],
406 }}
407 pub type PPROCESS_HANDLE_TRACING_ENTRY = *mut PROCESS_HANDLE_TRACING_ENTRY;
408 STRUCT!{struct PROCESS_HANDLE_TRACING_QUERY {
409 Handle: HANDLE,
410 TotalTraces: ULONG,
411 HandleTrace: [PROCESS_HANDLE_TRACING_ENTRY; 1],
412 }}
413 pub type PPROCESS_HANDLE_TRACING_QUERY = *mut PROCESS_HANDLE_TRACING_QUERY;
414 STRUCT!{struct THREAD_TLS_INFORMATION {
415 Flags: ULONG,
416 NewTlsData: PVOID,
417 OldTlsData: PVOID,
418 ThreadId: HANDLE,
419 }}
420 pub type PTHREAD_TLS_INFORMATION = *mut THREAD_TLS_INFORMATION;
421 ENUM!{enum PROCESS_TLS_INFORMATION_TYPE {
422 ProcessTlsReplaceIndex = 0,
423 ProcessTlsReplaceVector = 1,
424 MaxProcessTlsOperation = 2,
425 }}
426 pub type PPROCESS_TLS_INFORMATION_TYPE = *mut PROCESS_TLS_INFORMATION_TYPE;
427 STRUCT!{struct PROCESS_TLS_INFORMATION {
428 Flags: ULONG,
429 OperationType: ULONG,
430 ThreadDataCount: ULONG,
431 TlsIndex: ULONG,
432 PreviousCount: ULONG,
433 ThreadData: [THREAD_TLS_INFORMATION; 1],
434 }}
435 pub type PPROCESS_TLS_INFORMATION = *mut PROCESS_TLS_INFORMATION;
436 STRUCT!{struct PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION {
437 Version: ULONG,
438 Reserved: ULONG,
439 Callback: PVOID,
440 }}
441 pub type PPROCESS_INSTRUMENTATION_CALLBACK_INFORMATION =
442 *mut PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION;
443 STRUCT!{struct PROCESS_STACK_ALLOCATION_INFORMATION {
444 ReserveSize: SIZE_T,
445 ZeroBits: SIZE_T,
446 StackBase: PVOID,
447 }}
448 pub type PPROCESS_STACK_ALLOCATION_INFORMATION = *mut PROCESS_STACK_ALLOCATION_INFORMATION;
449 STRUCT!{struct PROCESS_STACK_ALLOCATION_INFORMATION_EX {
450 PreferredNode: ULONG,
451 Reserved0: ULONG,
452 Reserved1: ULONG,
453 Reserved2: ULONG,
454 AllocInfo: PROCESS_STACK_ALLOCATION_INFORMATION,
455 }}
456 pub type PPROCESS_STACK_ALLOCATION_INFORMATION_EX = *mut PROCESS_STACK_ALLOCATION_INFORMATION_EX;
457 STRUCT!{struct PROCESS_AFFINITY_UPDATE_MODE {
458 Flags: ULONG,
459 }}
460 BITFIELD!{PROCESS_AFFINITY_UPDATE_MODE Flags: ULONG [
461 EnableAutoUpdate set_EnableAutoUpdate[0..1],
462 Permanent set_Permanent[1..2],
463 Reserved set_Reserved[2..32],
464 ]}
465 pub type PPROCESS_AFFINITY_UPDATE_MODE = *mut PROCESS_AFFINITY_UPDATE_MODE;
466 STRUCT!{struct PROCESS_MEMORY_ALLOCATION_MODE {
467 Flags: ULONG,
468 }}
469 BITFIELD!{PROCESS_MEMORY_ALLOCATION_MODE Flags: ULONG [
470 TopDown set_TopDown[0..1],
471 Reserved set_Reserved[1..32],
472 ]}
473 pub type PPROCESS_MEMORY_ALLOCATION_MODE = *mut PROCESS_MEMORY_ALLOCATION_MODE;
474 STRUCT!{struct PROCESS_HANDLE_INFORMATION {
475 HandleCount: ULONG,
476 HandleCountHighWatermark: ULONG,
477 }}
478 pub type PPROCESS_HANDLE_INFORMATION = *mut PROCESS_HANDLE_INFORMATION;
479 STRUCT!{struct PROCESS_CYCLE_TIME_INFORMATION {
480 AccumulatedCycles: ULONGLONG,
481 CurrentCycleCount: ULONGLONG,
482 }}
483 pub type PPROCESS_CYCLE_TIME_INFORMATION = *mut PROCESS_CYCLE_TIME_INFORMATION;
484 STRUCT!{struct PROCESS_WINDOW_INFORMATION {
485 WindowFlags: ULONG,
486 WindowTitleLength: USHORT,
487 WindowTitle: [WCHAR; 1],
488 }}
489 pub type PPROCESS_WINDOW_INFORMATION = *mut PROCESS_WINDOW_INFORMATION;
490 STRUCT!{struct PROCESS_HANDLE_TABLE_ENTRY_INFO {
491 HandleValue: HANDLE,
492 HandleCount: ULONG_PTR,
493 PointerCount: ULONG_PTR,
494 GrantedAccess: ULONG,
495 ObjectTypeIndex: ULONG,
496 HandleAttributes: ULONG,
497 Reserved: ULONG,
498 }}
499 pub type PPROCESS_HANDLE_TABLE_ENTRY_INFO = *mut PROCESS_HANDLE_TABLE_ENTRY_INFO;
500 STRUCT!{struct PROCESS_HANDLE_SNAPSHOT_INFORMATION {
501 NumberOfHandles: ULONG_PTR,
502 Reserved: ULONG_PTR,
503 Handles: [PROCESS_HANDLE_TABLE_ENTRY_INFO; 1],
504 }}
505 pub type PPROCESS_HANDLE_SNAPSHOT_INFORMATION = *mut PROCESS_HANDLE_SNAPSHOT_INFORMATION;
506 UNION!{union PROCESS_MITIGATION_POLICY_INFORMATION_u {
507 ASLRPolicy: PROCESS_MITIGATION_ASLR_POLICY,
508 StrictHandleCheckPolicy: PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY,
509 SystemCallDisablePolicy: PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY,
510 ExtensionPointDisablePolicy: PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY,
511 DynamicCodePolicy: PROCESS_MITIGATION_DYNAMIC_CODE_POLICY,
512 ControlFlowGuardPolicy: PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY,
513 SignaturePolicy: PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY,
514 FontDisablePolicy: PROCESS_MITIGATION_FONT_DISABLE_POLICY,
515 ImageLoadPolicy: PROCESS_MITIGATION_IMAGE_LOAD_POLICY,
516 SystemCallFilterPolicy: PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY,
517 PayloadRestrictionPolicy: PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY,
518 ChildProcessPolicy: PROCESS_MITIGATION_CHILD_PROCESS_POLICY,
519 // SideChannelIsolationPolicy: PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY, //TODO
520 }}
521 STRUCT!{struct PROCESS_MITIGATION_POLICY_INFORMATION {
522 Policy: PROCESS_MITIGATION_POLICY,
523 u: PROCESS_MITIGATION_POLICY_INFORMATION_u,
524 }}
525 pub type PPROCESS_MITIGATION_POLICY_INFORMATION = *mut PROCESS_MITIGATION_POLICY_INFORMATION;
526 STRUCT!{struct PROCESS_KEEPALIVE_COUNT_INFORMATION {
527 WakeCount: ULONG,
528 NoWakeCount: ULONG,
529 }}
530 pub type PPROCESS_KEEPALIVE_COUNT_INFORMATION = *mut PROCESS_KEEPALIVE_COUNT_INFORMATION;
531 STRUCT!{struct PROCESS_REVOKE_FILE_HANDLES_INFORMATION {
532 TargetDevicePath: UNICODE_STRING,
533 }}
534 pub type PPROCESS_REVOKE_FILE_HANDLES_INFORMATION = *mut PROCESS_REVOKE_FILE_HANDLES_INFORMATION;
535 ENUM!{enum PROCESS_WORKING_SET_OPERATION {
536 ProcessWorkingSetSwap = 0,
537 ProcessWorkingSetEmpty = 1,
538 ProcessWorkingSetOperationMax = 2,
539 }}
540 STRUCT!{struct PROCESS_WORKING_SET_CONTROL {
541 Version: ULONG,
542 Operation: PROCESS_WORKING_SET_OPERATION,
543 Flags: ULONG,
544 }}
545 pub type PPROCESS_WORKING_SET_CONTROL = *mut PROCESS_WORKING_SET_CONTROL;
546 ENUM!{enum PS_PROTECTED_TYPE {
547 PsProtectedTypeNone = 0,
548 PsProtectedTypeProtectedLight = 1,
549 PsProtectedTypeProtected = 2,
550 PsProtectedTypeMax = 3,
551 }}
552 ENUM!{enum PS_PROTECTED_SIGNER {
553 PsProtectedSignerNone = 0,
554 PsProtectedSignerAuthenticode = 1,
555 PsProtectedSignerCodeGen = 2,
556 PsProtectedSignerAntimalware = 3,
557 PsProtectedSignerLsa = 4,
558 PsProtectedSignerWindows = 5,
559 PsProtectedSignerWinTcb = 6,
560 PsProtectedSignerWinSystem = 7,
561 PsProtectedSignerApp = 8,
562 PsProtectedSignerMax = 9,
563 }}
/// Mask applied to the signer value before it is shifted into bits 4..8 of
/// `PS_PROTECTION::Level`. Note that it is 0xFF, not 0x0F: it does not by itself
/// confine an out-of-range signer to the four-bit field; the `u8` shift does that.
pub const PS_PROTECTED_SIGNER_MASK: UCHAR = 0xFF;
/// The audit flag in its final position within `PS_PROTECTION::Level` (bit 3).
pub const PS_PROTECTED_AUDIT_MASK: UCHAR = 0x08;
/// Mask for the protection type, bits 0..3 of `PS_PROTECTION::Level`.
pub const PS_PROTECTED_TYPE_MASK: UCHAR = 0x07;
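/// Packs a signer, an audit flag and a protection type into a `PS_PROTECTION::Level`
/// byte.
///
/// Layout, matching the `PS_PROTECTION` bitfield: type in bits 0..3, audit in bit 3,
/// signer in bits 4..8.
///
/// * `aSigner` – a `PS_PROTECTED_SIGNER` value; only its low four bits survive the
///   `u8` shift.
/// * `aAudit` – `0` or `1`, the same convention `InitializePsProtection` passes to
///   `set_Audit`.
/// * `aType` – a `PS_PROTECTED_TYPE` value, masked to its low three bits.
///
/// The audit term is masked *after* shifting. Masking before the shift discarded
/// `aAudit == 1` entirely and moved `aAudit == 8` into bit 6, where it overwrote part
/// of the signer field, so the value no longer matched what the bitfield setters
/// produce.
#[inline]
pub const fn PsProtectedValue(
    aSigner: PS_PROTECTED_SIGNER,
    aAudit: u8,
    aType: PS_PROTECTED_TYPE,
) -> UCHAR {
    (aSigner as u8 & PS_PROTECTED_SIGNER_MASK) << 4
        | ((aAudit << 3) & PS_PROTECTED_AUDIT_MASK)
        | (aType as u8 & PS_PROTECTED_TYPE_MASK)
}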
/// Stores a signer, an audit flag and a protection type into `aProtectionLevelPtr`
/// through the `PS_PROTECTION` bitfield setters.
///
/// * `aProtectionLevelPtr` – the `PS_PROTECTION` updated in place.
/// * `aSigner` – written via `set_Signer`, truncated to `u8`.
/// * `aAudit` – written via `set_Audit`.
/// * `aType` – written via `set_Type`, truncated to `u8`.
///
/// The three setters cover disjoint bit ranges (0..3, 3..4, 4..8), so the order of
/// the stores does not affect the result.
#[inline]
pub fn InitializePsProtection(
    aProtectionLevelPtr: &mut PS_PROTECTION,
    aSigner: PS_PROTECTED_SIGNER,
    aAudit: u8,
    aType: PS_PROTECTED_TYPE,
) {
    let level = aProtectionLevelPtr;
    // Fill the fields in ascending bit order: type, audit, signer.
    level.set_Type(aType as u8);
    level.set_Audit(aAudit);
    level.set_Signer(aSigner as u8);
}
STRUCT!{struct PS_PROTECTION {
    // Packed protection level; decoded and encoded by the BITFIELD accessors below.
    Level: UCHAR,
}}
/// Pointer to a `PS_PROTECTION`.
pub type PPS_PROTECTION = *mut PS_PROTECTION;
// Bit layout of `PS_PROTECTION::Level`, low bits first. `InitializePsProtection`
// fills it through these setters; `PsProtectedValue` builds the same byte directly.
BITFIELD!{PS_PROTECTION Level: UCHAR [
    Type set_Type[0..3],
    Audit set_Audit[3..4],
    Signer set_Signer[4..8],
]}
596 STRUCT!{struct PROCESS_FAULT_INFORMATION {
597 FaultFlags: ULONG,
598 AdditionalInfo: ULONG,
599 }}
600 pub type PPROCESS_FAULT_INFORMATION = *mut PROCESS_FAULT_INFORMATION;
601 STRUCT!{struct PROCESS_TELEMETRY_ID_INFORMATION {
602 HeaderSize: ULONG,
603 ProcessId: ULONG,
604 ProcessStartKey: ULONGLONG,
605 CreateTime: ULONGLONG,
606 CreateInterruptTime: ULONGLONG,
607 CreateUnbiasedInterruptTime: ULONGLONG,
608 ProcessSequenceNumber: ULONGLONG,
609 SessionCreateTime: ULONGLONG,
610 SessionId: ULONG,
611 BootId: ULONG,
612 ImageChecksum: ULONG,
613 ImageTimeDateStamp: ULONG,
614 UserSidOffset: ULONG,
615 ImagePathOffset: ULONG,
616 PackageNameOffset: ULONG,
617 RelativeAppNameOffset: ULONG,
618 CommandLineOffset: ULONG,
619 }}
620 pub type PPROCESS_TELEMETRY_ID_INFORMATION = *mut PROCESS_TELEMETRY_ID_INFORMATION;
621 STRUCT!{struct PROCESS_COMMIT_RELEASE_INFORMATION {
622 Version: ULONG,
623 s: ULONG,
624 CommitDebt: SIZE_T,
625 CommittedMemResetSize: SIZE_T,
626 RepurposedMemResetSize: SIZE_T,
627 }}
628 BITFIELD!{PROCESS_COMMIT_RELEASE_INFORMATION s: ULONG [
629 Eligible set_Eligible[0..1],
630 ReleaseRepurposedMemResetCommit set_ReleaseRepurposedMemResetCommit[1..2],
631 ForceReleaseMemResetCommit set_ForceReleaseMemResetCommit[2..3],
632 Spare set_Spare[3..32],
633 ]}
634 pub type PPROCESS_COMMIT_RELEASE_INFORMATION = *mut PROCESS_COMMIT_RELEASE_INFORMATION;
635 STRUCT!{struct PROCESS_JOB_MEMORY_INFO {
636 SharedCommitUsage: ULONGLONG,
637 PrivateCommitUsage: ULONGLONG,
638 PeakPrivateCommitUsage: ULONGLONG,
639 PrivateCommitLimit: ULONGLONG,
640 TotalCommitLimit: ULONGLONG,
641 }}
642 pub type PPROCESS_JOB_MEMORY_INFO = *mut PROCESS_JOB_MEMORY_INFO;
643 STRUCT!{struct PROCESS_CHILD_PROCESS_INFORMATION {
644 ProhibitChildProcesses: BOOLEAN,
645 AlwaysAllowSecureChildProcess: BOOLEAN,
646 AuditProhibitChildProcesses: BOOLEAN,
647 }}
648 pub type PPROCESS_CHILD_PROCESS_INFORMATION = *mut PROCESS_CHILD_PROCESS_INFORMATION;
649 STRUCT!{struct PROCESS_WAKE_INFORMATION {
650 NotificationChannel: ULONGLONG,
651 WakeCounters: [ULONG; 7],
652 WakeFilter: *mut JOBOBJECT_WAKE_FILTER,
653 }}
654 pub type PPROCESS_WAKE_INFORMATION = *mut PROCESS_WAKE_INFORMATION;
655 STRUCT!{struct PROCESS_ENERGY_TRACKING_STATE {
656 StateUpdateMask: ULONG,
657 StateDesiredValue: ULONG,
658 StateSequence: ULONG,
659 UpdateTag: ULONG,
660 Tag: [WCHAR; 64],
661 }}
662 pub type PPROCESS_ENERGY_TRACKING_STATE = *mut PROCESS_ENERGY_TRACKING_STATE;
663 BITFIELD!{PROCESS_ENERGY_TRACKING_STATE UpdateTag: ULONG [
664 UpdateTag set_UpdateTag[0..1],
665 ]}
666 STRUCT!{struct MANAGE_WRITES_TO_EXECUTABLE_MEMORY {
667 BitFields: ULONG,
668 }}
669 BITFIELD!{MANAGE_WRITES_TO_EXECUTABLE_MEMORY BitFields: ULONG [
670 Machine set_Machine[0..16],
671 KernelMode set_KernelMode[16..17],
672 UserMode set_UserMode[17..18],
673 Native set_Native[18..19],
674 Process set_Process[19..20],
675 ReservedZero0 set_ReservedZero0[20..32],
676 ]}
677 pub type PMANAGE_WRITES_TO_EXECUTABLE_MEMORY = *mut MANAGE_WRITES_TO_EXECUTABLE_MEMORY;
678 pub const PROCESS_READWRITEVM_LOGGING_ENABLE_READVM: UCHAR = 1;
679 pub const PROCESS_READWRITEVM_LOGGING_ENABLE_WRITEVM: UCHAR = 2;
680 pub const PROCESS_READWRITEVM_LOGGING_ENABLE_READVM_V: UCHAR = 1;
681 pub const PROCESS_READWRITEVM_LOGGING_ENABLE_WRITEVM_V: UCHAR = 2;
682 STRUCT!{struct PROCESS_READWRITEVM_LOGGING_INFORMATION {
683 Flags: UCHAR,
684 }}
685 BITFIELD!{PROCESS_READWRITEVM_LOGGING_INFORMATION Flags: UCHAR [
686 EnableReadVmLogging set_EnableReadVmLogging[0..1],
687 EnableWriteVmLogging set_EnableWriteVmLogging[1..2],
688 Unused set_Unused[2..8],
689 ]}
690 UNION!{union PROCESS_UPTIME_INFORMATION_u {
691 HangCount: ULONG,
692 GhostCount: ULONG,
693 Crashed: ULONG,
694 Terminated: ULONG,
695 }}
696 pub type PPROCESS_READWRITEVM_LOGGING_INFORMATION = *mut PROCESS_READWRITEVM_LOGGING_INFORMATION;
697 STRUCT!{struct PROCESS_UPTIME_INFORMATION {
698 QueryInterruptTime: ULONGLONG,
699 QueryUnbiasedTime: ULONGLONG,
700 EndInterruptTime: ULONGLONG,
701 TimeSinceCreation: ULONGLONG,
702 Uptime: ULONGLONG,
703 SuspendedTime: ULONGLONG,
704 u: PROCESS_UPTIME_INFORMATION_u,
705 }}
706 pub type PPROCESS_UPTIME_INFORMATION = *mut PROCESS_UPTIME_INFORMATION;
707 STRUCT!{struct PROCESS_SYSTEM_RESOURCE_MANAGEMENT {
708 Flags: ULONG,
709 }}
710 pub type PPROCESS_SYSTEM_RESOURCE_MANAGEMENT = *mut PROCESS_SYSTEM_RESOURCE_MANAGEMENT;
711 BITFIELD!{PROCESS_SYSTEM_RESOURCE_MANAGEMENT Flags: ULONG [
712 Foreground set_Foreground[0..1],
713 Reserved set_Reserved[1..32],
714 ]}
715 STRUCT!{struct PROCESS_SECURITY_DOMAIN_INFORMATION {
716 SecurityDomain: ULONGLONG,
717 }}
718 pub type PPROCESS_SECURITY_DOMAIN_INFORMATION = *mut PROCESS_SECURITY_DOMAIN_INFORMATION;
719 STRUCT!{struct PROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION {
720 ProcessHandle: HANDLE,
721 }}
722 pub type PPROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION =
723 *mut PROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION;
724 STRUCT!{struct PROCESS_LOGGING_INFORMATION {
725 Flags: ULONG,
726 BitFields: ULONG,
727 }}
728 BITFIELD!{PROCESS_LOGGING_INFORMATION BitFields: ULONG [
729 EnableReadVmLogging set_EnableReadVmLogging[0..1],
730 EnableWriteVmLogging set_EnableWriteVmLogging[1..2],
731 EnableProcessSuspendResumeLogging set_EnableProcessSuspendResumeLogging[2..3],
732 EnableThreadSuspendResumeLogging set_EnableThreadSuspendResumeLogging[3..4],
733 Reserved set_Reserved[4..32],
734 ]}
735 pub type PPROCESS_LOGGING_INFORMATION = *mut PROCESS_LOGGING_INFORMATION;
736 STRUCT!{struct PROCESS_LEAP_SECOND_INFORMATION {
737 Flags: ULONG,
738 Reserved: ULONG,
739 }}
740 pub type PPROCESS_LEAP_SECOND_INFORMATION = *mut PROCESS_LEAP_SECOND_INFORMATION;
741 STRUCT!{struct THREAD_BASIC_INFORMATION {
742 ExitStatus: NTSTATUS,
743 TebBaseAddress: PTEB,
744 ClientId: CLIENT_ID,
745 AffinityMask: ULONG_PTR,
746 Priority: KPRIORITY,
747 BasePriority: LONG,
748 }}
749 pub type PTHREAD_BASIC_INFORMATION = *mut THREAD_BASIC_INFORMATION;
750 STRUCT!{struct THREAD_LAST_SYSCALL_INFORMATION {
751 FirstArgument: PVOID,
752 SystemCallNumber: USHORT,
753 Pad: [USHORT; 1],
754 WaitTime: ULONG64,
755 }}
756 pub type PTHREAD_LAST_SYSCALL_INFORMATION = *mut THREAD_LAST_SYSCALL_INFORMATION;
757 STRUCT!{struct THREAD_CYCLE_TIME_INFORMATION {
758 AccumulatedCycles: ULONGLONG,
759 CurrentCycleCount: ULONGLONG,
760 }}
761 pub type PTHREAD_CYCLE_TIME_INFORMATION = *mut THREAD_CYCLE_TIME_INFORMATION;
762 STRUCT!{struct THREAD_TEB_INFORMATION {
763 TebInformation: PVOID,
764 TebOffset: ULONG,
765 BytesToRead: ULONG,
766 }}
767 pub type PTHREAD_TEB_INFORMATION = *mut THREAD_TEB_INFORMATION;
768 STRUCT!{struct COUNTER_READING {
769 Type: HARDWARE_COUNTER_TYPE,
770 Index: ULONG,
771 Start: ULONG64,
772 Total: ULONG64,
773 }}
774 pub type PCOUNTER_READING = *mut COUNTER_READING;
775 STRUCT!{struct THREAD_PERFORMANCE_DATA {
776 Size: USHORT,
777 Version: USHORT,
778 ProcessorNumber: PROCESSOR_NUMBER,
779 ContextSwitches: ULONG,
780 HwCountersCount: ULONG,
781 UpdateCount: ULONG64,
782 WaitReasonBitMap: ULONG64,
783 HardwareCounters: ULONG64,
784 CycleTime: COUNTER_READING,
785 HwCounters: [COUNTER_READING; MAX_HW_COUNTERS],
786 }}
pub type PTHREAD_PERFORMANCE_DATA = *mut THREAD_PERFORMANCE_DATA;
// Thread profiling control block. `PerformanceData` is a raw pointer to a
// THREAD_PERFORMANCE_DATA (declared above this excerpt); nothing here owns it.
STRUCT!{struct THREAD_PROFILING_INFORMATION {
    HardwareCounters: ULONG64,
    Flags: ULONG,
    Enable: ULONG,
    PerformanceData: PTHREAD_PERFORMANCE_DATA,
}}
pub type PTHREAD_PROFILING_INFORMATION = *mut THREAD_PROFILING_INFORMATION;
// User-mode scheduling (UMS) thread context. Two layouts are declared so each
// architecture matches its native layout: the 64-bit variant is 16-byte aligned and
// inserts `__padding` right after `Link`, the x86 variant appends a trailing
// `__padding` word instead. NOTE(review): the `__padding` fields are layout fillers
// (not fields of the native API); presumably they keep `Context` (CONTEXT) and the
// total size in line with the SDK struct -- confirm before relying on field offsets.
#[cfg(any(target_arch = "x86_64", target_arch = "aarch64"))]
STRUCT!{#[repr(align(16))] struct RTL_UMS_CONTEXT {
    Link: SINGLE_LIST_ENTRY,
    __padding: u64,
    Context: CONTEXT,
    Teb: PVOID,
    UserContext: PVOID,
    ScheduledThread: ULONG,
    Suspended: ULONG,
    VolatileContext: ULONG,
    Terminated: ULONG,
    DebugActive: ULONG,
    RunningOnSelfThread: ULONG,
    DenyRunningOnSelfThread: ULONG,
    Flags: LONG,
    KernelUpdateLock: ULONG64,
    PrimaryClientID: ULONG64,
    ContextLock: ULONG64,
    // Self-referential raw pointer; the struct is only ever handled through pointers.
    PrimaryUmsContext: *mut RTL_UMS_CONTEXT,
    SwitchCount: ULONG,
    KernelYieldCount: ULONG,
    MixedYieldCount: ULONG,
    YieldCount: ULONG,
}}
#[cfg(target_arch = "x86")]
STRUCT!{struct RTL_UMS_CONTEXT {
    Link: SINGLE_LIST_ENTRY,
    Context: CONTEXT,
    Teb: PVOID,
    UserContext: PVOID,
    ScheduledThread: ULONG,
    Suspended: ULONG,
    VolatileContext: ULONG,
    Terminated: ULONG,
    DebugActive: ULONG,
    RunningOnSelfThread: ULONG,
    DenyRunningOnSelfThread: ULONG,
    Flags: LONG,
    KernelUpdateLock: ULONG64,
    PrimaryClientID: ULONG64,
    ContextLock: ULONG64,
    PrimaryUmsContext: *mut RTL_UMS_CONTEXT,
    SwitchCount: ULONG,
    KernelYieldCount: ULONG,
    MixedYieldCount: ULONG,
    YieldCount: ULONG,
    __padding: u32,
}}
pub type PRTL_UMS_CONTEXT = *mut RTL_UMS_CONTEXT;
// Command selector carried in THREAD_UMS_INFORMATION::Command; 0 is the explicit
// "invalid" value.
ENUM!{enum THREAD_UMS_INFORMATION_COMMAND {
    UmsInformationCommandInvalid = 0,
    UmsInformationCommandAttach = 1,
    UmsInformationCommandDetach = 2,
    UmsInformationCommandQuery = 3,
}}
STRUCT!{struct RTL_UMS_COMPLETION_LIST {
    ThreadListHead: PSINGLE_LIST_ENTRY,
    CompletionEvent: PVOID,
    CompletionFlags: ULONG,
    InternalListHead: SINGLE_LIST_ENTRY,
}}
pub type PRTL_UMS_COMPLETION_LIST = *mut RTL_UMS_COMPLETION_LIST;
STRUCT!{struct THREAD_UMS_INFORMATION {
    Command: THREAD_UMS_INFORMATION_COMMAND,
    CompletionList: PRTL_UMS_COMPLETION_LIST,
    UmsContext: PRTL_UMS_CONTEXT,
    Flags: ULONG,
}}
// Getter/setter pairs over THREAD_UMS_INFORMATION::Flags: bit 0 = scheduler thread,
// bit 1 = worker thread, bits 2..32 spare.
BITFIELD!{THREAD_UMS_INFORMATION Flags: ULONG [
    IsUmsSchedulerThread set_IsUmsSchedulerThread[0..1],
    IsUmsWorkerThread set_IsUmsWorkerThread[1..2],
    SpareBits set_SpareBits[2..32],
]}
pub type PTHREAD_UMS_INFORMATION = *mut THREAD_UMS_INFORMATION;
// Wraps a counted UNICODE_STRING; `ThreadName` is not NUL-terminated by contract of
// that type, so consumers must honour its Length field.
STRUCT!{struct THREAD_NAME_INFORMATION {
    ThreadName: UNICODE_STRING,
}}
pub type PTHREAD_NAME_INFORMATION = *mut THREAD_NAME_INFORMATION;
ENUM!{enum SUBSYSTEM_INFORMATION_TYPE {
    SubsystemInformationTypeWin32 = 0,
    SubsystemInformationTypeWSL = 1,
    // One past the last valid type.
    MaxSubsystemInformationType = 2,
}}
ENUM!{enum THREAD_WORKLOAD_CLASS {
    ThreadWorkloadClassDefault = 0,
    ThreadWorkloadClassGraphics = 1,
    MaxThreadWorkloadClass = 2,
}}
// Raw NT system-call binding. Every HANDLE/pointer argument is forwarded unchecked;
// the caller is responsible for the validity and access rights the kernel expects.
EXTERN!{extern "system" {
    fn NtCreateProcess(
        ProcessHandle: PHANDLE,
        DesiredAccess: ACCESS_MASK,
        ObjectAttributes: POBJECT_ATTRIBUTES,
        ParentProcess: HANDLE,
        InheritObjectTable: BOOLEAN,
        SectionHandle: HANDLE,
        DebugPort: HANDLE,
        ExceptionPort: HANDLE,
    ) -> NTSTATUS;
}}
// Bit flags (0x01..0x10) for the `Flags` argument of NtCreateProcessEx below; the
// series continues further down with PROCESS_CREATE_FLAGS_LARGE_PAGE_SYSTEM_DLL (0x20).
pub const PROCESS_CREATE_FLAGS_BREAKAWAY: ULONG = 0x00000001;
pub const PROCESS_CREATE_FLAGS_NO_DEBUG_INHERIT: ULONG = 0x00000002;
pub const PROCESS_CREATE_FLAGS_INHERIT_HANDLES: ULONG = 0x00000004;
pub const PROCESS_CREATE_FLAGS_OVERRIDE_ADDRESS_SPACE: ULONG = 0x00000008;
pub const PROCESS_CREATE_FLAGS_LARGE_PAGES: ULONG = 0x00000010;
// Process creation/open/lifetime syscalls. NtOpenProcess resolves the target through
// a CLIENT_ID rather than a name, so the access check happens on `DesiredAccess`.
EXTERN!{extern "system" {
    fn NtCreateProcessEx(
        ProcessHandle: PHANDLE,
        DesiredAccess: ACCESS_MASK,
        ObjectAttributes: POBJECT_ATTRIBUTES,
        ParentProcess: HANDLE,
        Flags: ULONG,
        SectionHandle: HANDLE,
        DebugPort: HANDLE,
        ExceptionPort: HANDLE,
        JobMemberLevel: ULONG,
    ) -> NTSTATUS;
    fn NtOpenProcess(
        ProcessHandle: PHANDLE,
        DesiredAccess: ACCESS_MASK,
        ObjectAttributes: POBJECT_ATTRIBUTES,
        ClientId: PCLIENT_ID,
    ) -> NTSTATUS;
    fn NtTerminateProcess(
        ProcessHandle: HANDLE,
        ExitStatus: NTSTATUS,
    ) -> NTSTATUS;
    fn NtSuspendProcess(
        ProcessHandle: HANDLE,
    ) -> NTSTATUS;
    fn NtResumeProcess(
        ProcessHandle: HANDLE,
    ) -> NTSTATUS;
}}
// Sentinel "current object" handle values: small negative integers reinterpreted as
// pointers, not handles returned by the kernel. The `Zw*` names are plain aliases.
// Note that NtCurrentSilo (defined below) reuses the -1 value of NtCurrentProcess.
pub const NtCurrentProcess: HANDLE = -1isize as *mut c_void;
pub const ZwCurrentProcess: HANDLE = NtCurrentProcess;
pub const NtCurrentThread: HANDLE = -2isize as *mut c_void;
pub const ZwCurrentThread: HANDLE = NtCurrentThread;
pub const NtCurrentSession: HANDLE = -3isize as *mut c_void;
pub const ZwCurrentSession: HANDLE = NtCurrentSession;
/// Returns the current process's PEB pointer as recorded in the calling thread's TEB.
///
/// Only compiled with the `nightly` feature and not on aarch64 (see the `cfg` gate),
/// because it relies on the crate-local `NtCurrentTeb` implementation.
///
/// # Safety
/// Dereferences the raw TEB pointer returned by `NtCurrentTeb()`; the calling thread
/// must have a valid TEB. The returned pointer is raw and may itself be dangling or
/// null from the caller's point of view -- check before use.
#[inline] #[cfg(all(feature = "nightly", not(target_arch = "aarch64")))]
pub unsafe fn NtCurrentPeb() -> PPEB {
    let teb = NtCurrentTeb();
    (*teb).ProcessEnvironmentBlock
}
// Pseudo-handles for the process token, thread token and effective token, using the
// same negative-integer scheme as NtCurrentProcess above. NtCurrentSilo is numerically
// identical to NtCurrentProcess (-1).
pub const NtCurrentProcessToken: HANDLE = -4isize as *mut c_void;
pub const NtCurrentThreadToken: HANDLE = -5isize as *mut c_void;
pub const NtCurrentEffectiveToken: HANDLE = -6isize as *mut c_void;
pub const NtCurrentSilo: HANDLE = -1isize as *mut c_void;
/// Returns the calling process's id (`CLIENT_ID::UniqueProcess`) read from the TEB.
///
/// The value is a `HANDLE`-typed integer, not an object handle; it must not be closed.
/// Gated on the `nightly` feature and excluded on aarch64 like [`NtCurrentPeb`].
///
/// # Safety
/// Dereferences the raw TEB pointer from `NtCurrentTeb()`; the calling thread must
/// have a valid TEB.
#[inline] #[cfg(all(feature = "nightly", not(target_arch = "aarch64")))]
pub unsafe fn NtCurrentProcessId() -> HANDLE {
    let teb = NtCurrentTeb();
    (*teb).ClientId.UniqueProcess
}
/// Returns the calling thread's id (`CLIENT_ID::UniqueThread`) read from the TEB.
///
/// As with [`NtCurrentProcessId`], the result is an id stored in a `HANDLE`-typed
/// field, not an object handle. Same `cfg` gate as [`NtCurrentPeb`].
///
/// # Safety
/// Dereferences the raw TEB pointer from `NtCurrentTeb()`; the calling thread must
/// have a valid TEB.
#[inline] #[cfg(all(feature = "nightly", not(target_arch = "aarch64")))]
pub unsafe fn NtCurrentThreadId() -> HANDLE {
    let teb = NtCurrentTeb();
    (*teb).ClientId.UniqueThread
}
// Process/thread query, enumeration and control syscalls. The `*Information` buffers
// are untyped (PVOID + length); the caller must size them for the requested
// information class and treat the contents as kernel-supplied, not validated, data.
EXTERN!{extern "system" {
    fn NtQueryInformationProcess(
        ProcessHandle: HANDLE,
        ProcessInformationClass: PROCESSINFOCLASS,
        ProcessInformation: PVOID,
        ProcessInformationLength: ULONG,
        ReturnLength: PULONG,
    ) -> NTSTATUS;
    // Enumeration: each call yields a new handle in `NewProcessHandle` that the
    // caller owns and must close.
    fn NtGetNextProcess(
        ProcessHandle: HANDLE,
        DesiredAccess: ACCESS_MASK,
        HandleAttributes: ULONG,
        Flags: ULONG,
        NewProcessHandle: PHANDLE,
    ) -> NTSTATUS;
    fn NtGetNextThread(
        ProcessHandle: HANDLE,
        ThreadHandle: HANDLE,
        DesiredAccess: ACCESS_MASK,
        HandleAttributes: ULONG,
        Flags: ULONG,
        NewThreadHandle: PHANDLE,
    ) -> NTSTATUS;
    fn NtSetInformationProcess(
        ProcessHandle: HANDLE,
        ProcessInformationClass: PROCESSINFOCLASS,
        ProcessInformation: PVOID,
        ProcessInformationLength: ULONG,
    ) -> NTSTATUS;
    // Declared with no parameters here.
    fn NtQueryPortInformationProcess() -> NTSTATUS;
    fn NtCreateThread(
        ThreadHandle: PHANDLE,
        DesiredAccess: ACCESS_MASK,
        ObjectAttributes: POBJECT_ATTRIBUTES,
        ProcessHandle: HANDLE,
        ClientId: PCLIENT_ID,
        ThreadContext: PCONTEXT,
        InitialTeb: PINITIAL_TEB,
        CreateSuspended: BOOLEAN,
    ) -> NTSTATUS;
    fn NtOpenThread(
        ThreadHandle: PHANDLE,
        DesiredAccess: ACCESS_MASK,
        ObjectAttributes: POBJECT_ATTRIBUTES,
        ClientId: PCLIENT_ID,
    ) -> NTSTATUS;
    fn NtTerminateThread(
        ThreadHandle: HANDLE,
        ExitStatus: NTSTATUS,
    ) -> NTSTATUS;
    // `PreviousSuspendCount` is an optional out-pointer in the suspend/resume family.
    fn NtSuspendThread(
        ThreadHandle: HANDLE,
        PreviousSuspendCount: PULONG,
    ) -> NTSTATUS;
    fn NtResumeThread(
        ThreadHandle: HANDLE,
        PreviousSuspendCount: PULONG,
    ) -> NTSTATUS;
    fn NtGetCurrentProcessorNumber() -> ULONG;
    fn NtGetContextThread(
        ThreadHandle: HANDLE,
        ThreadContext: PCONTEXT,
    ) -> NTSTATUS;
    fn NtSetContextThread(
        ThreadHandle: HANDLE,
        ThreadContext: PCONTEXT,
    ) -> NTSTATUS;
    fn NtQueryInformationThread(
        ThreadHandle: HANDLE,
        ThreadInformationClass: THREADINFOCLASS,
        ThreadInformation: PVOID,
        ThreadInformationLength: ULONG,
        ReturnLength: PULONG,
    ) -> NTSTATUS;
    fn NtSetInformationThread(
        ThreadHandle: HANDLE,
        ThreadInformationClass: THREADINFOCLASS,
        ThreadInformation: PVOID,
        ThreadInformationLength: ULONG,
    ) -> NTSTATUS;
    fn NtAlertThread(
        ThreadHandle: HANDLE,
    ) -> NTSTATUS;
    fn NtAlertResumeThread(
        ThreadHandle: HANDLE,
        PreviousSuspendCount: PULONG,
    ) -> NTSTATUS;
    fn NtTestAlert() -> NTSTATUS;
    // Impersonation: `SecurityQos` bounds the impersonation level the client permits.
    fn NtImpersonateThread(
        ServerThreadHandle: HANDLE,
        ClientThreadHandle: HANDLE,
        SecurityQos: PSECURITY_QUALITY_OF_SERVICE,
    ) -> NTSTATUS;
    fn NtRegisterThreadTerminatePort(
        PortHandle: HANDLE,
    ) -> NTSTATUS;
    // Two LDT entries, each given as selector plus the low/high 32-bit descriptor halves.
    fn NtSetLdtEntries(
        Selector0: ULONG,
        Entry0Low: ULONG,
        Entry0Hi: ULONG,
        Selector1: ULONG,
        Entry1Low: ULONG,
        Entry1Hi: ULONG,
    ) -> NTSTATUS;
}}
// APC callback signature: `cdecl`, three opaque PVOID arguments, no return value.
FN!{cdecl PPS_APC_ROUTINE(
    ApcArgument1: PVOID,
    ApcArgument2: PVOID,
    ApcArgument3: PVOID,
) -> ()}
EXTERN!{extern "system" {
    fn NtQueueApcThread(
        ThreadHandle: HANDLE,
        ApcRoutine: PPS_APC_ROUTINE,
        ApcArgument1: PVOID,
        ApcArgument2: PVOID,
        ApcArgument3: PVOID,
    ) -> NTSTATUS;
}}
// Sentinel value (integer 1 cast to a pointer), not a real handle. NOTE(review): by
// name it is presumably passed as `UserApcReserveHandle` to NtQueueApcThreadEx; confirm.
pub const APC_FORCE_THREAD_SIGNAL: HANDLE = 1 as *mut c_void;
EXTERN!{extern "system" {
    fn NtQueueApcThreadEx(
        ThreadHandle: HANDLE,
        UserApcReserveHandle: HANDLE,
        ApcRoutine: PPS_APC_ROUTINE,
        ApcArgument1: PVOID,
        ApcArgument2: PVOID,
        ApcArgument3: PVOID,
    ) -> NTSTATUS;
    // Takes a thread *id* (HANDLE-typed integer), not an object handle.
    fn NtAlertThreadByThreadId(
        ThreadId: HANDLE,
    ) -> NTSTATUS;
    fn NtWaitForAlertByThreadId(
        Address: PVOID,
        Timeout: PLARGE_INTEGER,
    ) -> NTSTATUS;
}}
// Encoding of a PS_ATTRIBUTE::Attribute value (see PsAttributeValue below): the
// PS_ATTRIBUTE_NUM sits in the low 16 bits, the remaining three constants are flag bits
// OR'ed on top.
pub const PS_ATTRIBUTE_NUMBER_MASK: u32 = 0x0000ffff;
pub const PS_ATTRIBUTE_THREAD: u32 = 0x00010000;
pub const PS_ATTRIBUTE_INPUT: u32 = 0x00020000;
pub const PS_ATTRIBUTE_ADDITIVE: u32 = 0x00040000;
// Attribute numbers; `PsAttributeMax` is one past the last defined attribute.
ENUM!{enum PS_ATTRIBUTE_NUM {
    PsAttributeParentProcess = 0,
    PsAttributeDebugPort = 1,
    PsAttributeToken = 2,
    PsAttributeClientId = 3,
    PsAttributeTebAddress = 4,
    PsAttributeImageName = 5,
    PsAttributeImageInfo = 6,
    PsAttributeMemoryReserve = 7,
    PsAttributePriorityClass = 8,
    PsAttributeErrorMode = 9,
    PsAttributeStdHandleInfo = 10,
    PsAttributeHandleList = 11,
    PsAttributeGroupAffinity = 12,
    PsAttributePreferredNode = 13,
    PsAttributeIdealProcessor = 14,
    PsAttributeUmsThread = 15,
    PsAttributeMitigationOptions = 16,
    PsAttributeProtectionLevel = 17,
    PsAttributeSecureProcess = 18,
    PsAttributeJobList = 19,
    PsAttributeChildProcessPolicy = 20,
    PsAttributeAllApplicationPackagesPolicy = 21,
    PsAttributeWin32kFilter = 22,
    PsAttributeSafeOpenPromptOriginClaim = 23,
    PsAttributeBnoIsolation = 24,
    PsAttributeDesktopAppPolicy = 25,
    PsAttributeChpe = 26,
    PsAttributeMax = 27,
}}
/// Composes a `PS_ATTRIBUTE::Attribute` value from an attribute number and its flags.
///
/// `Number` occupies the low 16 bits (`PS_ATTRIBUTE_NUMBER_MASK`; any higher bits of
/// `Number` are discarded). `Thread`, `Input` and `Additive` set `PS_ATTRIBUTE_THREAD`,
/// `PS_ATTRIBUTE_INPUT` and `PS_ATTRIBUTE_ADDITIVE` respectively. The result is widened
/// to `ULONG_PTR`, e.g. `PsAttributeValue(PsAttributeParentProcess, false, true, true)`
/// yields `0x00060000`, the same value as `PS_ATTRIBUTE_PARENT_PROCESS` below.
///
/// NOTE(review): the previous implementation carried an unexplained `//fixme`; the
/// flag arithmetic here matches the pre-composed `PS_ATTRIBUTE_*` constants that follow.
#[inline]
pub const fn PsAttributeValue(
    Number: PS_ATTRIBUTE_NUM,
    Thread: bool,
    Input: bool,
    Additive: bool,
) -> ULONG_PTR {
    // `bool as u32` is 0 or 1, so each product is either the flag or zero; this keeps
    // the body a single branch-free expression, which is what a `const fn` needs.
    (Number & PS_ATTRIBUTE_NUMBER_MASK
        | (Thread as u32) * PS_ATTRIBUTE_THREAD
        | (Input as u32) * PS_ATTRIBUTE_INPUT
        | (Additive as u32) * PS_ATTRIBUTE_ADDITIVE) as ULONG_PTR
}
// Pre-composed attribute ids, each equal to PsAttributeValue(<num>, thread, input,
// additive) above: low 16 bits = PS_ATTRIBUTE_NUM; 0x0001_0000 = THREAD,
// 0x0002_0000 = INPUT, 0x0004_0000 = ADDITIVE, so 0x0006xxxx = INPUT|ADDITIVE and
// 0x0003xxxx = THREAD|INPUT. PS_ATTRIBUTE_IMAGE_INFO (0x6) carries no flag bits, and no
// composed constant is defined here for PsAttributeChpe (26).
pub const PS_ATTRIBUTE_PARENT_PROCESS: ULONG_PTR = 0x00060000;
pub const PS_ATTRIBUTE_DEBUG_PORT: ULONG_PTR = 0x00060001;
pub const PS_ATTRIBUTE_TOKEN: ULONG_PTR = 0x00060002;
pub const PS_ATTRIBUTE_CLIENT_ID: ULONG_PTR = 0x00010003;
pub const PS_ATTRIBUTE_TEB_ADDRESS: ULONG_PTR = 0x00010004;
pub const PS_ATTRIBUTE_IMAGE_NAME: ULONG_PTR = 0x00020005;
pub const PS_ATTRIBUTE_IMAGE_INFO: ULONG_PTR = 0x00000006;
pub const PS_ATTRIBUTE_MEMORY_RESERVE: ULONG_PTR = 0x00020007;
pub const PS_ATTRIBUTE_PRIORITY_CLASS: ULONG_PTR = 0x00020008;
pub const PS_ATTRIBUTE_ERROR_MODE: ULONG_PTR = 0x00020009;
pub const PS_ATTRIBUTE_STD_HANDLE_INFO: ULONG_PTR = 0x0002000a;
pub const PS_ATTRIBUTE_HANDLE_LIST: ULONG_PTR = 0x0002000b;
pub const PS_ATTRIBUTE_GROUP_AFFINITY: ULONG_PTR = 0x0003000c;
pub const PS_ATTRIBUTE_PREFERRED_NODE: ULONG_PTR = 0x0002000d;
pub const PS_ATTRIBUTE_IDEAL_PROCESSOR: ULONG_PTR = 0x0003000e;
pub const PS_ATTRIBUTE_UMS_THREAD: ULONG_PTR = 0x0003000f;
pub const PS_ATTRIBUTE_MITIGATION_OPTIONS: ULONG_PTR = 0x00060010;
pub const PS_ATTRIBUTE_PROTECTION_LEVEL: ULONG_PTR = 0x00060011;
pub const PS_ATTRIBUTE_SECURE_PROCESS: ULONG_PTR = 0x00020012;
pub const PS_ATTRIBUTE_JOB_LIST: ULONG_PTR = 0x00020013;
pub const PS_ATTRIBUTE_CHILD_PROCESS_POLICY: ULONG_PTR = 0x00020014;
pub const PS_ATTRIBUTE_ALL_APPLICATION_PACKAGES_POLICY: ULONG_PTR = 0x00020015;
pub const PS_ATTRIBUTE_WIN32K_FILTER: ULONG_PTR = 0x00020016;
pub const PS_ATTRIBUTE_SAFE_OPEN_PROMPT_ORIGIN_CLAIM: ULONG_PTR = 0x00020017;
pub const PS_ATTRIBUTE_BNO_ISOLATION: ULONG_PTR = 0x00020018;
pub const PS_ATTRIBUTE_DESKTOP_APP_POLICY: ULONG_PTR = 0x00020019;
// An attribute payload is either an inline value or a pointer; which one applies is
// not recorded in the union itself.
UNION!{union PS_ATTRIBUTE_u {
    Value: ULONG_PTR,
    ValuePtr: PVOID,
}}
STRUCT!{struct PS_ATTRIBUTE {
    Attribute: ULONG_PTR,
    Size: SIZE_T,
    u: PS_ATTRIBUTE_u,
    ReturnLength: PSIZE_T,
}}
pub type PPS_ATTRIBUTE = *mut PS_ATTRIBUTE;
// Header of a variable-length attribute list. NOTE(review): `Attributes` is declared
// with one element; presumably the real entry count follows from `TotalLength`, so
// callers must not index past the declared array without sizing the allocation
// themselves -- confirm against the SDK.
STRUCT!{struct PS_ATTRIBUTE_LIST {
    TotalLength: SIZE_T,
    Attributes: [PS_ATTRIBUTE; 1],
}}
pub type PPS_ATTRIBUTE_LIST = *mut PS_ATTRIBUTE_LIST;
STRUCT!{struct PS_MEMORY_RESERVE {
    ReserveAddress: PVOID,
    ReserveSize: SIZE_T,
}}
pub type PPS_MEMORY_RESERVE = *mut PS_MEMORY_RESERVE;
ENUM!{enum PS_STD_HANDLE_STATE {
    PsNeverDuplicate = 0,
    PsRequestDuplicate = 1,
    PsAlwaysDuplicate = 2,
    PsMaxStdHandleStates = 3,
}}
// Three single-bit masks; together they fit the 3-bit `PseudoHandleMask` field below.
pub const PS_STD_INPUT_HANDLE: u32 = 0x1;
pub const PS_STD_OUTPUT_HANDLE: u32 = 0x2;
pub const PS_STD_ERROR_HANDLE: u32 = 0x4;
STRUCT!{struct PS_STD_HANDLE_INFO {
    Flags: ULONG,
    StdHandleSubsystemType: ULONG,
}}
pub type PPS_STD_HANDLE_INFO = *mut PS_STD_HANDLE_INFO;
// Flags layout: bits 0..2 = a PS_STD_HANDLE_STATE value, bits 2..5 = PS_STD_*_HANDLE mask.
BITFIELD!{PS_STD_HANDLE_INFO Flags: ULONG [
    StdHandleState set_StdHandleState[0..2],
    PseudoHandleMask set_PseudoHandleMask[2..5],
]}
// `Handles` points at `HandleCount` PVOIDs; the buffer is caller-owned.
STRUCT!{struct PS_BNO_ISOLATION_PARAMETERS {
    IsolationPrefix: UNICODE_STRING,
    HandleCount: ULONG,
    Handles: *mut PVOID,
    IsolationEnabled: BOOLEAN,
}}
pub type PPS_BNO_ISOLATION_PARAMETERS = *mut PS_BNO_ISOLATION_PARAMETERS;
// Sequential mitigation option identifiers (0..31). NOTE(review): presumably each
// selects a field of the process mitigation options value carried by
// PS_ATTRIBUTE_MITIGATION_OPTIONS; that encoding is not derivable from this file.
ENUM!{enum PS_MITIGATION_OPTION {
    PS_MITIGATION_OPTION_NX = 0,
    PS_MITIGATION_OPTION_SEHOP = 1,
    PS_MITIGATION_OPTION_FORCE_RELOCATE_IMAGES = 2,
    PS_MITIGATION_OPTION_HEAP_TERMINATE = 3,
    PS_MITIGATION_OPTION_BOTTOM_UP_ASLR = 4,
    PS_MITIGATION_OPTION_HIGH_ENTROPY_ASLR = 5,
    PS_MITIGATION_OPTION_STRICT_HANDLE_CHECKS = 6,
    PS_MITIGATION_OPTION_WIN32K_SYSTEM_CALL_DISABLE = 7,
    PS_MITIGATION_OPTION_EXTENSION_POINT_DISABLE = 8,
    PS_MITIGATION_OPTION_PROHIBIT_DYNAMIC_CODE = 9,
    PS_MITIGATION_OPTION_CONTROL_FLOW_GUARD = 10,
    PS_MITIGATION_OPTION_BLOCK_NON_MICROSOFT_BINARIES = 11,
    PS_MITIGATION_OPTION_FONT_DISABLE = 12,
    PS_MITIGATION_OPTION_IMAGE_LOAD_NO_REMOTE = 13,
    PS_MITIGATION_OPTION_IMAGE_LOAD_NO_LOW_LABEL = 14,
    PS_MITIGATION_OPTION_IMAGE_LOAD_PREFER_SYSTEM32 = 15,
    PS_MITIGATION_OPTION_RETURN_FLOW_GUARD = 16,
    PS_MITIGATION_OPTION_LOADER_INTEGRITY_CONTINUITY = 17,
    PS_MITIGATION_OPTION_STRICT_CONTROL_FLOW_GUARD = 18,
    PS_MITIGATION_OPTION_RESTRICT_SET_THREAD_CONTEXT = 19,
    PS_MITIGATION_OPTION_ROP_STACKPIVOT = 20,
    PS_MITIGATION_OPTION_ROP_CALLER_CHECK = 21,
    PS_MITIGATION_OPTION_ROP_SIMEXEC = 22,
    PS_MITIGATION_OPTION_EXPORT_ADDRESS_FILTER = 23,
    PS_MITIGATION_OPTION_EXPORT_ADDRESS_FILTER_PLUS = 24,
    PS_MITIGATION_OPTION_RESTRICT_CHILD_PROCESS_CREATION = 25,
    PS_MITIGATION_OPTION_IMPORT_ADDRESS_FILTER = 26,
    PS_MITIGATION_OPTION_MODULE_TAMPERING_PROTECTION = 27,
    PS_MITIGATION_OPTION_RESTRICT_INDIRECT_BRANCH_PREDICTION = 28,
    PS_MITIGATION_OPTION_SPECULATIVE_STORE_BYPASS_DISABLE = 29,
    PS_MITIGATION_OPTION_ALLOW_DOWNGRADE_DYNAMIC_CODE_POLICY = 30,
    PS_MITIGATION_OPTION_CET_SHADOW_STACKS = 31,
}}
// Outcome of NtCreateUserProcess, reported in PS_CREATE_INFO::State; values 1..5 are
// failure stages, 6 is success, 7 is one past the end.
ENUM!{enum PS_CREATE_STATE {
    PsCreateInitialState = 0,
    PsCreateFailOnFileOpen = 1,
    PsCreateFailOnSectionCreate = 2,
    PsCreateFailExeFormat = 3,
    PsCreateFailMachineMismatch = 4,
    PsCreateFailExeName = 5,
    PsCreateSuccess = 6,
    PsCreateMaximumStates = 7,
}}
STRUCT!{struct PS_CREATE_INFO_u_InitState {
    InitFlags: ULONG,
    AdditionalFileAccess: ACCESS_MASK,
}}
// InitFlags layout; bits 4..16 are spare, bits 16..32 hold image characteristics the
// caller wants rejected.
BITFIELD!{PS_CREATE_INFO_u_InitState InitFlags: ULONG [
    WriteOutputOnExit set_WriteOutputOnExit[0..1],
    DetectManifest set_DetectManifest[1..2],
    IFEOSkipDebugger set_IFEOSkipDebugger[2..3],
    IFEODoNotPropagateKeyState set_IFEODoNotPropagateKeyState[3..4],
    SpareBits1 set_SpareBits1[4..8],
    SpareBits2 set_SpareBits2[8..16],
    ProhibitedImageCharacteristics set_ProhibitedImageCharacteristics[16..32],
]}
// Success payload. `FileHandle` and `SectionHandle` are kernel-created handles the
// caller receives; the Native/Wow64 address pairs are raw integers, not pointers.
STRUCT!{struct PS_CREATE_INFO_u_SuccessState {
    OutputFlags: ULONG,
    FileHandle: HANDLE,
    SectionHandle: HANDLE,
    UserProcessParametersNative: ULONGLONG,
    UserProcessParametersWow64: ULONG,
    CurrentParameterFlags: ULONG,
    PebAddressNative: ULONGLONG,
    PebAddressWow64: ULONG,
    ManifestAddress: ULONGLONG,
    ManifestSize: ULONG,
}}
BITFIELD!{PS_CREATE_INFO_u_SuccessState OutputFlags: ULONG [
    ProtectedProcess set_ProtectedProcess[0..1],
    AddressSpaceOverride set_AddressSpaceOverride[1..2],
    DevOverrideEnabled set_DevOverrideEnabled[2..3],
    ManifestDetected set_ManifestDetected[3..4],
    ProtectedProcessLight set_ProtectedProcessLight[4..5],
    SpareBits1 set_SpareBits1[5..8],
    SpareBits2 set_SpareBits2[8..16],
    SpareBits3 set_SpareBits3[16..32],
]}
// The active member is selected by PS_CREATE_INFO::State. By name, `InitState` goes
// with PsCreateInitialState and `SuccessState` with PsCreateSuccess; which of the
// single-field members pairs with each PsCreateFail* state is not spelled out here.
UNION!{union PS_CREATE_INFO_u {
    InitState: PS_CREATE_INFO_u_InitState,
    FileHandle: HANDLE,
    DllCharacteristics: USHORT,
    IFEOKey: HANDLE,
    SuccessState: PS_CREATE_INFO_u_SuccessState,
}}
// `Size` is the caller-filled size of the whole structure.
STRUCT!{struct PS_CREATE_INFO {
    Size: SIZE_T,
    State: PS_CREATE_STATE,
    u: PS_CREATE_INFO_u,
}}
pub type PPS_CREATE_INFO = *mut PS_CREATE_INFO;
// Continuation (0x20..0x400) of the PROCESS_CREATE_FLAGS_* series started above.
pub const PROCESS_CREATE_FLAGS_LARGE_PAGE_SYSTEM_DLL: ULONG = 0x00000020;
pub const PROCESS_CREATE_FLAGS_PROTECTED_PROCESS: ULONG = 0x00000040;
pub const PROCESS_CREATE_FLAGS_CREATE_SESSION: ULONG = 0x00000080;
pub const PROCESS_CREATE_FLAGS_INHERIT_FROM_PARENT: ULONG = 0x00000100;
pub const PROCESS_CREATE_FLAGS_SUSPENDED: ULONG = 0x00000200;
pub const PROCESS_CREATE_FLAGS_EXTENDED_UNKNOWN: ULONG = 0x00000400;
// Creates a process together with its initial thread in one call. `CreateInfo` is
// read and written (see PS_CREATE_STATE); `AttributeList` supplies PS_ATTRIBUTE entries
// encoded with the PS_ATTRIBUTE_* ids above.
EXTERN!{extern "system" {
    fn NtCreateUserProcess(
        ProcessHandle: PHANDLE,
        ThreadHandle: PHANDLE,
        ProcessDesiredAccess: ACCESS_MASK,
        ThreadDesiredAccess: ACCESS_MASK,
        ProcessObjectAttributes: POBJECT_ATTRIBUTES,
        ThreadObjectAttributes: POBJECT_ATTRIBUTES,
        ProcessFlags: ULONG,
        ThreadFlags: ULONG,
        ProcessParameters: PVOID,
        CreateInfo: PPS_CREATE_INFO,
        AttributeList: PPS_ATTRIBUTE_LIST,
    ) -> NTSTATUS;
}}
// Bit flags for `CreateFlags` of NtCreateThreadEx below. Bits 0x08 and 0x40 are not
// defined in this file.
pub const THREAD_CREATE_FLAGS_CREATE_SUSPENDED: ULONG = 0x00000001;
pub const THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH: ULONG = 0x00000002;
pub const THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER: ULONG = 0x00000004;
pub const THREAD_CREATE_FLAGS_HAS_SECURITY_DESCRIPTOR: ULONG = 0x00000010;
pub const THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET: ULONG = 0x00000020;
pub const THREAD_CREATE_FLAGS_INITIAL_THREAD: ULONG = 0x00000080;
// `StartRoutine`/`Argument` are untyped PVOIDs; the binding cannot check that the
// start address is valid code in the target process.
EXTERN!{extern "system" {
    fn NtCreateThreadEx(
        ThreadHandle: PHANDLE,
        DesiredAccess: ACCESS_MASK,
        ObjectAttributes: POBJECT_ATTRIBUTES,
        ProcessHandle: HANDLE,
        StartRoutine: PVOID,
        Argument: PVOID,
        CreateFlags: ULONG,
        ZeroBits: SIZE_T,
        StackSize: SIZE_T,
        MaximumStackSize: SIZE_T,
        AttributeList: PPS_ATTRIBUTE_LIST,
    ) -> NTSTATUS;
}}
// Job-object information payloads (used with the JOBOBJECTINFOCLASS-taking calls below).
STRUCT!{struct JOBOBJECT_EXTENDED_ACCOUNTING_INFORMATION {
    BasicInfo: JOBOBJECT_BASIC_ACCOUNTING_INFORMATION,
    IoInfo: IO_COUNTERS,
    DiskIoInfo: PROCESS_DISK_COUNTERS,
    ContextSwitches: ULONG64,
    TotalCycleTime: LARGE_INTEGER,
    ReadyTime: ULONG64,
    EnergyValues: PROCESS_ENERGY_VALUES,
}}
pub type PJOBOBJECT_EXTENDED_ACCOUNTING_INFORMATION =
    *mut JOBOBJECT_EXTENDED_ACCOUNTING_INFORMATION;
// Current layout carries 7 wake counters; the V1 layout below carries 4, so the two
// differ in size and must not be used interchangeably.
STRUCT!{struct JOBOBJECT_WAKE_INFORMATION {
    NotificationChannel: HANDLE,
    WakeCounters: [ULONG64; 7],
}}
pub type PJOBOBJECT_WAKE_INFORMATION = *mut JOBOBJECT_WAKE_INFORMATION;
STRUCT!{struct JOBOBJECT_WAKE_INFORMATION_V1 {
    NotificationChannel: HANDLE,
    WakeCounters: [ULONG64; 4],
}}
pub type PJOBOBJECT_WAKE_INFORMATION_V1 = *mut JOBOBJECT_WAKE_INFORMATION_V1;
STRUCT!{struct JOBOBJECT_INTERFERENCE_INFORMATION {
    Count: ULONG64,
}}
pub type PJOBOBJECT_INTERFERENCE_INFORMATION = *mut JOBOBJECT_INTERFERENCE_INFORMATION;
STRUCT!{struct JOBOBJECT_WAKE_FILTER {
    HighEdgeFilter: ULONG,
    LowEdgeFilter: ULONG,
}}
pub type PJOBOBJECT_WAKE_FILTER = *mut JOBOBJECT_WAKE_FILTER;
// `Reserved0` pads the two BOOLEANs out to a 4-byte boundary before `WakeFilter`.
STRUCT!{struct JOBOBJECT_FREEZE_INFORMATION {
    Flags: ULONG,
    Freeze: BOOLEAN,
    Swap: BOOLEAN,
    Reserved0: [UCHAR; 2],
    WakeFilter: JOBOBJECT_WAKE_FILTER,
}}
pub type PJOBOBJECT_FREEZE_INFORMATION = *mut JOBOBJECT_FREEZE_INFORMATION;
// Flags bits 0..3 say which of Freeze/WakeFilter/Swap the request applies to.
BITFIELD!{JOBOBJECT_FREEZE_INFORMATION Flags: ULONG [
    FreezeOperation set_FreezeOperation[0..1],
    FilterOperation set_FilterOperation[1..2],
    SwapOperation set_SwapOperation[2..3],
    Reserved set_Reserved[3..32],
]}
STRUCT!{struct JOBOBJECT_MEMORY_USAGE_INFORMATION {
    JobMemory: ULONG64,
    PeakJobMemoryUsed: ULONG64,
}}
pub type PJOBOBJECT_MEMORY_USAGE_INFORMATION = *mut JOBOBJECT_MEMORY_USAGE_INFORMATION;
// V2 embeds the V1 layout as its first member, so a V2 buffer is readable as V1.
STRUCT!{struct JOBOBJECT_MEMORY_USAGE_INFORMATION_V2 {
    BasicInfo: JOBOBJECT_MEMORY_USAGE_INFORMATION,
    JobSharedMemory: ULONG64,
    Reserved: [ULONG64; 2],
}}
pub type PJOBOBJECT_MEMORY_USAGE_INFORMATION_V2 = *mut JOBOBJECT_MEMORY_USAGE_INFORMATION_V2;
// Per-silo shared data. `NtSystemRoot` is a fixed 260-WCHAR buffer; treat it as
// possibly unterminated when reading it back.
STRUCT!{struct SILO_USER_SHARED_DATA {
    ServiceSessionId: ULONG64,
    ActiveConsoleId: ULONG,
    ConsoleSessionForegroundProcessId: LONGLONG,
    NtProductType: NT_PRODUCT_TYPE,
    SuiteMask: ULONG,
    SharedUserSessionId: ULONG,
    IsMultiSessionSku: BOOLEAN,
    NtSystemRoot: [WCHAR; 260],
    UserModeGlobalLogger: [USHORT; 16],
}}
pub type PSILO_USER_SHARED_DATA = *mut SILO_USER_SHARED_DATA;
STRUCT!{struct SILOOBJECT_ROOT_DIRECTORY {
    ControlFlags: ULONG,
    Path: UNICODE_STRING,
}}
pub type PSILOOBJECT_ROOT_DIRECTORY = *mut SILOOBJECT_ROOT_DIRECTORY;
STRUCT!{struct JOBOBJECT_ENERGY_TRACKING_STATE {
    Value: ULONG64,
    UpdateMask: ULONG,
    DesiredState: ULONG,
}}
pub type PJOBOBJECT_ENERGY_TRACKING_STATE = *mut JOBOBJECT_ENERGY_TRACKING_STATE;
// Job-object syscalls. The `JobObjectInformation` buffers are untyped; size them for
// the requested JOBOBJECTINFOCLASS.
EXTERN!{extern "system" {
    fn NtCreateJobObject(
        JobHandle: PHANDLE,
        DesiredAccess: ACCESS_MASK,
        ObjectAttributes: POBJECT_ATTRIBUTES,
    ) -> NTSTATUS;
    fn NtOpenJobObject(
        JobHandle: PHANDLE,
        DesiredAccess: ACCESS_MASK,
        ObjectAttributes: POBJECT_ATTRIBUTES,
    ) -> NTSTATUS;
    fn NtAssignProcessToJobObject(
        JobHandle: HANDLE,
        ProcessHandle: HANDLE,
    ) -> NTSTATUS;
    fn NtTerminateJobObject(
        JobHandle: HANDLE,
        ExitStatus: NTSTATUS,
    ) -> NTSTATUS;
    // The answer is conveyed through the NTSTATUS return value, not an out-parameter.
    fn NtIsProcessInJob(
        ProcessHandle: HANDLE,
        JobHandle: HANDLE,
    ) -> NTSTATUS;
    fn NtQueryInformationJobObject(
        JobHandle: HANDLE,
        JobObjectInformationClass: JOBOBJECTINFOCLASS,
        JobObjectInformation: PVOID,
        JobObjectInformationLength: ULONG,
        ReturnLength: PULONG,
    ) -> NTSTATUS;
    fn NtSetInformationJobObject(
        JobHandle: HANDLE,
        JobObjectInformationClass: JOBOBJECTINFOCLASS,
        JobObjectInformation: PVOID,
        JobObjectInformationLength: ULONG,
    ) -> NTSTATUS;
    fn NtCreateJobSet(
        NumJob: ULONG,
        UserJobSet: PJOB_SET_ARRAY,
        Flags: ULONG,
    ) -> NTSTATUS;
    fn NtRevertContainerImpersonation() -> NTSTATUS;
}}
// Kind of reserve object requested from NtAllocateReserveObject.
ENUM!{enum MEMORY_RESERVE_TYPE {
    MemoryReserveUserApc = 0,
    MemoryReserveIoCompletion = 1,
    MemoryReserveTypeMax = 2,
}}
EXTERN!{extern "system" {
    fn NtAllocateReserveObject(
        MemoryReserveHandle: PHANDLE,
        ObjectAttributes: POBJECT_ATTRIBUTES,
        Type: MEMORY_RESERVE_TYPE,
    ) -> NTSTATUS;
}}
1472