struct ALPC_PROCESS_CONTEXT windows 內核數據結構及第三方逆向網站
typedef struct _ALPC_PROCESS_CONTEXT
{
EX_PUSH_LOCK Lock;
LIST_ENTRY ViewListHead;
ULONG PagedPoolQuotaCache;
} ALPC_PROCESS_CONTEXT, *PALPC_PROCESS_CONTEXT;
Windows Vista Kernel Structureshtml
http://www.nirsoft.netapp
http://www.geoffchappell.com/ide
pstypes.hfetch
/*++ NDK Version: 0098
Copyright (c) Alex Ionescu. All rights reserved.
Header Name:
pstypes.h
Abstract:
Type definitions for the Process Manager
Author:
Alex Ionescu (alexi@tinykrnl.org) - Updated - 27-Feb-2006
--*/
#ifndef _PSTYPES_H
#define _PSTYPES_H
//
// Dependencies
//
#include <umtypes.h>
#include <ldrtypes.h>
#include <mmtypes.h>
#include <obtypes.h>
#include <rtltypes.h>
#ifndef NTOS_MODE_USER
#include <extypes.h>
#include <setypes.h>
#endif
#ifdef __cplusplus
extern "C" {
#endif
#ifndef NTOS_MODE_USER
//
// Kernel Exported Object Types
//
extern POBJECT_TYPE NTSYSAPI PsJobType;
#endif // !NTOS_MODE_USER
//
// KUSER_SHARED_DATA location in User Mode
//
#define USER_SHARED_DATA (0x7FFE0000)
//
// Global Flags
//
#define FLG_STOP_ON_EXCEPTION 0x00000001
#define FLG_SHOW_LDR_SNAPS 0x00000002
#define FLG_DEBUG_INITIAL_COMMAND 0x00000004
#define FLG_STOP_ON_HUNG_GUI 0x00000008
#define FLG_HEAP_ENABLE_TAIL_CHECK 0x00000010
#define FLG_HEAP_ENABLE_FREE_CHECK 0x00000020
#define FLG_HEAP_VALIDATE_PARAMETERS 0x00000040
#define FLG_HEAP_VALIDATE_ALL 0x00000080
#define FLG_APPLICATION_VERIFIER 0x00000100
#define FLG_POOL_ENABLE_TAGGING 0x00000400
#define FLG_HEAP_ENABLE_TAGGING 0x00000800
#define FLG_USER_STACK_TRACE_DB 0x00001000
#define FLG_KERNEL_STACK_TRACE_DB 0x00002000
#define FLG_MAINTAIN_OBJECT_TYPELIST 0x00004000
#define FLG_HEAP_ENABLE_TAG_BY_DLL 0x00008000
#define FLG_DISABLE_STACK_EXTENSION 0x00010000
#define FLG_ENABLE_CSRDEBUG 0x00020000
#define FLG_ENABLE_KDEBUG_SYMBOL_LOAD 0x00040000
#define FLG_DISABLE_PAGE_KERNEL_STACKS 0x00080000
#if (NTDDI_VERSION < NTDDI_WINXP)
#define FLG_HEAP_ENABLE_CALL_TRACING 0x00100000
#else
#define FLG_ENABLE_SYSTEM_CRIT_BREAKS 0x00100000
#endif
#define FLG_HEAP_DISABLE_COALESCING 0x00200000
#define FLG_ENABLE_CLOSE_EXCEPTIONS 0x00400000
#define FLG_ENABLE_EXCEPTION_LOGGING 0x00800000
#define FLG_ENABLE_HANDLE_TYPE_TAGGING 0x01000000
#define FLG_HEAP_PAGE_ALLOCS 0x02000000
#define FLG_DEBUG_INITIAL_COMMAND_EX 0x04000000
#define FLG_VALID_BITS 0x07FFFFFF
//
// Flags for NtCreateProcessEx
//
#define PROCESS_CREATE_FLAGS_BREAKAWAY 0x00000001
#define PROCESS_CREATE_FLAGS_NO_DEBUG_INHERIT 0x00000002
#define PROCESS_CREATE_FLAGS_INHERIT_HANDLES 0x00000004
#define PROCESS_CREATE_FLAGS_OVERRIDE_ADDRESS_SPACE 0x00000008
#define PROCESS_CREATE_FLAGS_LARGE_PAGES 0x00000010
#define PROCESS_CREATE_FLAGS_ALL_LARGE_PAGE_FLAGS PROCESS_CREATE_FLAGS_LARGE_PAGES
#define PROCESS_CREATE_FLAGS_LEGAL_MASK (PROCESS_CREATE_FLAGS_BREAKAWAY | \
PROCESS_CREATE_FLAGS_NO_DEBUG_INHERIT | \
PROCESS_CREATE_FLAGS_INHERIT_HANDLES | \
PROCESS_CREATE_FLAGS_OVERRIDE_ADDRESS_SPACE | \
PROCESS_CREATE_FLAGS_ALL_LARGE_PAGE_FLAGS)
//
// Process priority classes
//
#define PROCESS_PRIORITY_CLASS_INVALID 0
#define PROCESS_PRIORITY_CLASS_IDLE 1
#define PROCESS_PRIORITY_CLASS_NORMAL 2
#define PROCESS_PRIORITY_CLASS_HIGH 3
#define PROCESS_PRIORITY_CLASS_REALTIME 4
#define PROCESS_PRIORITY_CLASS_BELOW_NORMAL 5
#define PROCESS_PRIORITY_CLASS_ABOVE_NORMAL 6
//
// Process base priorities
//
#define PROCESS_PRIORITY_IDLE 3
#define PROCESS_PRIORITY_NORMAL 8
#define PROCESS_PRIORITY_NORMAL_FOREGROUND 9
//
// Process memory priorities
//
#define MEMORY_PRIORITY_BACKGROUND 0
#define MEMORY_PRIORITY_UNKNOWN 1
#define MEMORY_PRIORITY_FOREGROUND 2
//
// Process Priority Separation Values (OR)
//
#define PSP_DEFAULT_QUANTUMS 0x00
#define PSP_VARIABLE_QUANTUMS 0x04
#define PSP_FIXED_QUANTUMS 0x08
#define PSP_LONG_QUANTUMS 0x10
#define PSP_SHORT_QUANTUMS 0x20
#ifndef NTOS_MODE_USER
//
// Thread Access Types
//
#define THREAD_QUERY_INFORMATION 0x0040
#define THREAD_SET_THREAD_TOKEN 0x0080
#define THREAD_IMPERSONATE 0x0100
#define THREAD_DIRECT_IMPERSONATION 0x0200
//
// Process Access Types
//
#define PROCESS_TERMINATE 0x0001
#define PROCESS_CREATE_THREAD 0x0002
#define PROCESS_SET_SESSIONID 0x0004
#define PROCESS_VM_OPERATION 0x0008
#define PROCESS_VM_READ 0x0010
#define PROCESS_VM_WRITE 0x0020
#define PROCESS_CREATE_PROCESS 0x0080
#define PROCESS_SET_QUOTA 0x0100
#define PROCESS_SET_INFORMATION 0x0200
#define PROCESS_QUERY_INFORMATION 0x0400
#define PROCESS_SUSPEND_RESUME 0x0800
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
#define PROCESS_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \
SYNCHRONIZE | \
0xFFFF)
#else
#define PROCESS_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \
SYNCHRONIZE | \
0xFFF)
#endif
//
// Thread Base Priorities
//
#define THREAD_BASE_PRIORITY_LOWRT 15
#define THREAD_BASE_PRIORITY_MAX 2
#define THREAD_BASE_PRIORITY_MIN -2
#define THREAD_BASE_PRIORITY_IDLE -15
//
// TLS Slots
//
#define TLS_MINIMUM_AVAILABLE 64
//
// TEB Active Frame Flags
//
#define TEB_ACTIVE_FRAME_CONTEXT_FLAG_EXTENDED 0x1
//
// Job Access Types
//
#define JOB_OBJECT_ASSIGN_PROCESS 0x1
#define JOB_OBJECT_SET_ATTRIBUTES 0x2
#define JOB_OBJECT_QUERY 0x4
#define JOB_OBJECT_TERMINATE 0x8
#define JOB_OBJECT_SET_SECURITY_ATTRIBUTES 0x10
#define JOB_OBJECT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \
SYNCHRONIZE | \
31)
//
// Job Limit Flags
//
#define JOB_OBJECT_LIMIT_WORKINGSET 0x1
#define JOB_OBJECT_LIMIT_PROCESS_TIME 0x2
#define JOB_OBJECT_LIMIT_JOB_TIME 0x4
#define JOB_OBJECT_LIMIT_ACTIVE_PROCESS 0x8
#define JOB_OBJECT_LIMIT_AFFINITY 0x10
#define JOB_OBJECT_LIMIT_PRIORITY_CLASS 0x20
#define JOB_OBJECT_LIMIT_PRESERVE_JOB_TIME 0x40
#define JOB_OBJECT_LIMIT_SCHEDULING_CLASS 0x80
#define JOB_OBJECT_LIMIT_PROCESS_MEMORY 0x100
#define JOB_OBJECT_LIMIT_JOB_MEMORY 0x200
#define JOB_OBJECT_LIMIT_DIE_ON_UNHANDLED_EXCEPTION 0x400
#define JOB_OBJECT_LIMIT_BREAKAWAY_OK 0x800
#define JOB_OBJECT_LIMIT_SILENT_BREAKAWAY_OK 0x1000
#define JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE 0x2000
//
// Cross Thread Flags
//
#define CT_TERMINATED_BIT 0x1
#define CT_DEAD_THREAD_BIT 0x2
#define CT_HIDE_FROM_DEBUGGER_BIT 0x4
#define CT_ACTIVE_IMPERSONATION_INFO_BIT 0x8
#define CT_SYSTEM_THREAD_BIT 0x10
#define CT_HARD_ERRORS_ARE_DISABLED_BIT 0x20
#define CT_BREAK_ON_TERMINATION_BIT 0x40
#define CT_SKIP_CREATION_MSG_BIT 0x80
#define CT_SKIP_TERMINATION_MSG_BIT 0x100
//
// Same Thread Passive Flags
//
#define STP_ACTIVE_EX_WORKER_BIT 0x1
#define STP_EX_WORKER_CAN_WAIT_USER_BIT 0x2
#define STP_MEMORY_MAKER_BIT 0x4
#define STP_KEYED_EVENT_IN_USE_BIT 0x8
//
// Same Thread APC Flags
//
#define STA_LPC_RECEIVED_MSG_ID_VALID_BIT 0x1
#define STA_LPC_EXIT_THREAD_CALLED_BIT 0x2
#define STA_ADDRESS_SPACE_OWNER_BIT 0x4
#define STA_OWNS_WORKING_SET_BITS 0x1F8
//
// Kernel Process flags (maybe in ketypes.h?)
//
#define KPSF_AUTO_ALIGNMENT_BIT 0
#define KPSF_DISABLE_BOOST_BIT 1
//
// Process Flags
//
#define PSF_CREATE_REPORTED_BIT 0x1
#define PSF_NO_DEBUG_INHERIT_BIT 0x2
#define PSF_PROCESS_EXITING_BIT 0x4
#define PSF_PROCESS_DELETE_BIT 0x8
#define PSF_WOW64_SPLIT_PAGES_BIT 0x10
#define PSF_VM_DELETED_BIT 0x20
#define PSF_OUTSWAP_ENABLED_BIT 0x40
#define PSF_OUTSWAPPED_BIT 0x80
#define PSF_FORK_FAILED_BIT 0x100
#define PSF_WOW64_VA_SPACE_4GB_BIT 0x200
#define PSF_ADDRESS_SPACE_INITIALIZED_BIT 0x400
#define PSF_SET_TIMER_RESOLUTION_BIT 0x1000
#define PSF_BREAK_ON_TERMINATION_BIT 0x2000
#define PSF_SESSION_CREATION_UNDERWAY_BIT 0x4000
#define PSF_WRITE_WATCH_BIT 0x8000
#define PSF_PROCESS_IN_SESSION_BIT 0x10000
#define PSF_OVERRIDE_ADDRESS_SPACE_BIT 0x20000
#define PSF_HAS_ADDRESS_SPACE_BIT 0x40000
#define PSF_LAUNCH_PREFETCHED_BIT 0x80000
#define PSF_INJECT_INPAGE_ERRORS_BIT 0x100000
#define PSF_VM_TOP_DOWN_BIT 0x200000
#define PSF_IMAGE_NOTIFY_DONE_BIT 0x400000
#define PSF_PDE_UPDATE_NEEDED_BIT 0x800000
#define PSF_VDM_ALLOWED_BIT 0x1000000
#define PSF_SWAP_ALLOWED_BIT 0x2000000
#define PSF_CREATE_FAILED_BIT 0x4000000
#define PSF_DEFAULT_IO_PRIORITY_BIT 0x8000000
//
// Vista Process Flags
//
#define PSF2_PROTECTED_BIT 0x800
#endif
//
// TLS/FLS Defines
//
#define TLS_EXPANSION_SLOTS 1024
#ifdef NTOS_MODE_USER
//
// Thread Native Base Priorities
//
#define LOW_PRIORITY 0
#define LOW_REALTIME_PRIORITY 16
#define HIGH_PRIORITY 31
#define MAXIMUM_PRIORITY 32
//
// Current Process/Thread built-in 'special' handles
//
#define NtCurrentProcess() ((HANDLE)(LONG_PTR)-1)
#define ZwCurrentProcess() NtCurrentProcess()
#define NtCurrentThread() ((HANDLE)(LONG_PTR)-2)
#define ZwCurrentThread() NtCurrentThread()
//
// Process/Thread/Job Information Classes for NtQueryInformationProcess/Thread/Job
//
typedef enum _PROCESSINFOCLASS
{
ProcessBasicInformation,
ProcessQuotaLimits,
ProcessIoCounters,
ProcessVmCounters,
ProcessTimes,
ProcessBasePriority,
ProcessRaisePriority,
ProcessDebugPort,
ProcessExceptionPort,
ProcessAccessToken,
ProcessLdtInformation,
ProcessLdtSize,
ProcessDefaultHardErrorMode,
ProcessIoPortHandlers,
ProcessPooledUsageAndLimits,
ProcessWorkingSetWatch,
ProcessUserModeIOPL,
ProcessEnableAlignmentFaultFixup,
ProcessPriorityClass,
ProcessWx86Information,
ProcessHandleCount,
ProcessAffinityMask,
ProcessPriorityBoost,
ProcessDeviceMap,
ProcessSessionInformation,
ProcessForegroundInformation,
ProcessWow64Information,
ProcessImageFileName,
ProcessLUIDDeviceMapsEnabled,
ProcessBreakOnTermination,
ProcessDebugObjectHandle,
ProcessDebugFlags,
ProcessHandleTracing,
ProcessIoPriority,
ProcessExecuteFlags,
ProcessTlsInformation,
ProcessCookie,
ProcessImageInformation,
ProcessCycleTime,
ProcessPagePriority,
ProcessInstrumentationCallback,
ProcessThreadStackAllocation,
ProcessWorkingSetWatchEx,
ProcessImageFileNameWin32,
ProcessImageFileMapping,
ProcessAffinityUpdateMode,
ProcessMemoryAllocationMode,
MaxProcessInfoClass
} PROCESSINFOCLASS;
typedef enum _THREADINFOCLASS
{
ThreadBasicInformation,
ThreadTimes,
ThreadPriority,
ThreadBasePriority,
ThreadAffinityMask,
ThreadImpersonationToken,
ThreadDescriptorTableEntry,
ThreadEnableAlignmentFaultFixup,
ThreadEventPair_Reusable,
ThreadQuerySetWin32StartAddress,
ThreadZeroTlsCell,
ThreadPerformanceCount,
ThreadAmILastThread,
ThreadIdealProcessor,
ThreadPriorityBoost,
ThreadSetTlsArrayAddress,
ThreadIsIoPending,
ThreadHideFromDebugger,
ThreadBreakOnTermination,
ThreadSwitchLegacyState,
ThreadIsTerminated,
ThreadLastSystemCall,
ThreadIoPriority,
ThreadCycleTime,
ThreadPagePriority,
ThreadActualBasePriority,
ThreadTebInformation,
ThreadCSwitchMon,
MaxThreadInfoClass
} THREADINFOCLASS;
#else
typedef enum _PSPROCESSPRIORITYMODE
{
PsProcessPriorityForeground,
PsProcessPriorityBackground,
PsProcessPrioritySpinning
} PSPROCESSPRIORITYMODE;
typedef enum _JOBOBJECTINFOCLASS
{
JobObjectBasicAccountingInformation = 1,
JobObjectBasicLimitInformation,
JobObjectBasicProcessIdList,
JobObjectBasicUIRestrictions,
JobObjectSecurityLimitInformation,
JobObjectEndOfJobTimeInformation,
JobObjectAssociateCompletionPortInformation,
JobObjectBasicAndIoAccountingInformation,
JobObjectExtendedLimitInformation,
JobObjectJobSetInformation,
MaxJobObjectInfoClass
} JOBOBJECTINFOCLASS;
//
// Power Event Events for Win32K Power Event Callback
//
typedef enum _PSPOWEREVENTTYPE
{
PsW32FullWake = 0,
PsW32EventCode = 1,
PsW32PowerPolicyChanged = 2,
PsW32SystemPowerState = 3,
PsW32SystemTime = 4,
PsW32DisplayState = 5,
PsW32CapabilitiesChanged = 6,
PsW32SetStateFailed = 7,
PsW32GdiOff = 8,
PsW32GdiOn = 9,
PsW32GdiPrepareResumeUI = 10,
PsW32GdiOffRequest = 11,
PsW32MonitorOff = 12,
} PSPOWEREVENTTYPE;
//
// Power State Tasks for Win32K Power State Callback
//
typedef enum _POWERSTATETASK
{
PowerState_BlockSessionSwitch = 0,
PowerState_Init = 1,
PowerState_QueryApps = 2,
PowerState_QueryServices = 3,
PowerState_QueryAppsFailed = 4,
PowerState_QueryServicesFailed = 5,
PowerState_SuspendApps = 6,
PowerState_SuspendServices = 7,
PowerState_ShowUI = 8,
PowerState_NotifyWL = 9,
PowerState_ResumeApps = 10,
PowerState_ResumeServices = 11,
PowerState_UnBlockSessionSwitch = 12,
PowerState_End = 13,
PowerState_BlockInput = 14,
PowerState_UnblockInput = 15,
} POWERSTATETASK;
//
// Win32K Job Callback Types
//
typedef enum _PSW32JOBCALLOUTTYPE
{
PsW32JobCalloutSetInformation = 0,
PsW32JobCalloutAddProcess = 1,
PsW32JobCalloutTerminate = 2,
} PSW32JOBCALLOUTTYPE;
//
// Win32K Thread Callback Types
//
typedef enum _PSW32THREADCALLOUTTYPE
{
PsW32ThreadCalloutInitialize,
PsW32ThreadCalloutExit,
} PSW32THREADCALLOUTTYPE;
//
// Declare empty structure definitions so that they may be referenced by
// routines before they are defined
//
struct _W32THREAD;
struct _W32PROCESS;
//struct _ETHREAD;
struct _WIN32_POWEREVENT_PARAMETERS;
struct _WIN32_POWERSTATE_PARAMETERS;
struct _WIN32_JOBCALLOUT_PARAMETERS;
struct _WIN32_OPENMETHOD_PARAMETERS;
struct _WIN32_OKAYTOCLOSEMETHOD_PARAMETERS;
struct _WIN32_CLOSEMETHOD_PARAMETERS;
struct _WIN32_DELETEMETHOD_PARAMETERS;
struct _WIN32_PARSEMETHOD_PARAMETERS;
//
// Win32K Process and Thread Callbacks
//
typedef
NTSTATUS
(NTAPI *PKWIN32_PROCESS_CALLOUT)(
_In_ struct _EPROCESS *Process,
_In_ BOOLEAN Create
);
typedef
NTSTATUS
(NTAPI *PKWIN32_THREAD_CALLOUT)(
_In_ struct _ETHREAD *Thread,
_In_ PSW32THREADCALLOUTTYPE Type
);
typedef
NTSTATUS
(NTAPI *PKWIN32_GLOBALATOMTABLE_CALLOUT)(
VOID
);
typedef
NTSTATUS
(NTAPI *PKWIN32_POWEREVENT_CALLOUT)(
_In_ struct _WIN32_POWEREVENT_PARAMETERS *Parameters
);
typedef
NTSTATUS
(NTAPI *PKWIN32_POWERSTATE_CALLOUT)(
_In_ struct _WIN32_POWERSTATE_PARAMETERS *Parameters
);
typedef
NTSTATUS
(NTAPI *PKWIN32_JOB_CALLOUT)(
_In_ struct _WIN32_JOBCALLOUT_PARAMETERS *Parameters
);
typedef
NTSTATUS
(NTAPI *PGDI_BATCHFLUSH_ROUTINE)(
VOID
);
typedef
NTSTATUS
(NTAPI *PKWIN32_OPENMETHOD_CALLOUT)(
_In_ struct _WIN32_OPENMETHOD_PARAMETERS *Parameters
);
typedef
NTSTATUS
(NTAPI *PKWIN32_OKTOCLOSEMETHOD_CALLOUT)(
_In_ struct _WIN32_OKAYTOCLOSEMETHOD_PARAMETERS *Parameters
);
typedef
NTSTATUS
(NTAPI *PKWIN32_CLOSEMETHOD_CALLOUT)(
_In_ struct _WIN32_CLOSEMETHOD_PARAMETERS *Parameters
);
typedef
NTSTATUS
(NTAPI *PKWIN32_DELETEMETHOD_CALLOUT)(
_In_ struct _WIN32_DELETEMETHOD_PARAMETERS *Parameters
);
typedef
NTSTATUS
(NTAPI *PKWIN32_PARSEMETHOD_CALLOUT)(
_In_ struct _WIN32_PARSEMETHOD_PARAMETERS *Parameters
);
typedef
NTSTATUS
(NTAPI *PKWIN32_SESSION_CALLOUT)(
_In_ PVOID Parameter
);
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
typedef
NTSTATUS
(NTAPI *PKWIN32_WIN32DATACOLLECTION_CALLOUT)(
_In_ struct _EPROCESS *Process,
_In_ PVOID Callback,
_In_ PVOID Context
);
#endif
//
// Lego Callback
//
typedef
VOID
(NTAPI *PLEGO_NOTIFY_ROUTINE)(
_In_ PKTHREAD Thread
);
#endif
typedef NTSTATUS
(NTAPI *PPOST_PROCESS_INIT_ROUTINE)(
VOID
);
//
// Descriptor Table Entry Definition
//
#if (_M_IX86)
#define _DESCRIPTOR_TABLE_ENTRY_DEFINED
typedef struct _DESCRIPTOR_TABLE_ENTRY
{
ULONG Selector;
LDT_ENTRY Descriptor;
} DESCRIPTOR_TABLE_ENTRY, *PDESCRIPTOR_TABLE_ENTRY;
#endif
//
// PEB Lock Routine
//
typedef VOID
(NTAPI *PPEBLOCKROUTINE)(
PVOID PebLock
);
//
// PEB Free Block Descriptor
//
typedef struct _PEB_FREE_BLOCK
{
struct _PEB_FREE_BLOCK* Next;
ULONG Size;
} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;
//
// Initial PEB
//
typedef struct _INITIAL_PEB
{
BOOLEAN InheritedAddressSpace;
BOOLEAN ReadImageFileExecOptions;
BOOLEAN BeingDebugged;
union
{
BOOLEAN BitField;
#if (NTDDI_VERSION >= NTDDI_WS03)
struct
{
BOOLEAN ImageUsesLargePages:1;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
BOOLEAN IsProtectedProcess:1;
BOOLEAN IsLegacyProcess:1;
BOOLEAN SpareBits:5;
#else
BOOLEAN SpareBits:7;
#endif
};
#else
BOOLEAN SpareBool;
#endif
};
HANDLE Mutant;
} INITIAL_PEB, *PINITIAL_PEB;
//
// Initial TEB
//
typedef struct _INITIAL_TEB
{
PVOID PreviousStackBase;
PVOID PreviousStackLimit;
PVOID StackBase;
PVOID StackLimit;
PVOID AllocatedStackBase;
} INITIAL_TEB, *PINITIAL_TEB;
//
// TEB Active Frame Structures
//
typedef struct _TEB_ACTIVE_FRAME_CONTEXT
{
ULONG Flags;
LPSTR FrameName;
} TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT;
typedef const struct _TEB_ACTIVE_FRAME_CONTEXT *PCTEB_ACTIVE_FRAME_CONTEXT;
typedef struct _TEB_ACTIVE_FRAME_CONTEXT_EX
{
TEB_ACTIVE_FRAME_CONTEXT BasicContext;
PCSTR SourceLocation;
} TEB_ACTIVE_FRAME_CONTEXT_EX, *PTEB_ACTIVE_FRAME_CONTEXT_EX;
typedef const struct _TEB_ACTIVE_FRAME_CONTEXT_EX *PCTEB_ACTIVE_FRAME_CONTEXT_EX;
typedef struct _TEB_ACTIVE_FRAME
{
ULONG Flags;
struct _TEB_ACTIVE_FRAME *Previous;
PCTEB_ACTIVE_FRAME_CONTEXT Context;
} TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME;
typedef const struct _TEB_ACTIVE_FRAME *PCTEB_ACTIVE_FRAME;
typedef struct _TEB_ACTIVE_FRAME_EX
{
TEB_ACTIVE_FRAME BasicFrame;
PVOID ExtensionIdentifier;
} TEB_ACTIVE_FRAME_EX, *PTEB_ACTIVE_FRAME_EX;
typedef const struct _TEB_ACTIVE_FRAME_EX *PCTEB_ACTIVE_FRAME_EX;
typedef struct _CLIENT_ID32
{
ULONG UniqueProcess;
ULONG UniqueThread;
} CLIENT_ID32, *PCLIENT_ID32;
typedef struct _CLIENT_ID64
{
ULONG64 UniqueProcess;
ULONG64 UniqueThread;
} CLIENT_ID64, *PCLIENT_ID64;
#if (NTDDI_VERSION < NTDDI_WS03)
typedef struct _Wx86ThreadState
{
PULONG CallBx86Eip;
PVOID DeallocationCpu;
BOOLEAN UseKnownWx86Dll;
CHAR OleStubInvoked;
} Wx86ThreadState, *PWx86ThreadState;
#endif
//
// PEB.AppCompatFlags
// Tag FLAG_MASK_KERNEL
//
typedef enum _APPCOMPAT_FLAGS
{
GetShortPathNameNT4 = 0x1,
GetDiskFreeSpace2GB = 0x8,
FTMFromCurrentAPI = 0x20,
DisallowCOMBindingNotifications = 0x40,
Ole32ValidatePointers = 0x80,
DisableCicero = 0x100,
Ole32EnableAsyncDocFile = 0x200,
EnableLegacyExceptionHandlinginOLE = 0x400,
DisableAdvanceRPCClientHardening = 0x800,
DisableMaybeNULLSizeisConsistencycheck = 0x1000,
DisableAdvancedRPCrangeCheck = 0x4000,
EnableLegacyExceptionHandlingInRPC = 0x8000,
EnableLegacyNTFSFlagsForDocfileOpens = 0x10000,
DisableNDRIIDConsistencyCheck = 0x20000,
UserDisableForwarderPatch = 0x40000,
DisableNewWMPAINTDispatchInOLE = 0x100000,
DoNotAddToCache = 0x80000000,
} APPCOMPAT_FLAGS;
//
// PEB.AppCompatFlagsUser.LowPart
// Tag FLAG_MASK_USER
//
typedef enum _APPCOMPAT_USERFLAGS
{
DisableAnimation = 0x1,
DisableKeyboardCues = 0x2,
No50StylebitsInSetWindowLong = 0x4,
DisableDrawPatternRect = 0x8,
MSShellDialog = 0x10,
NoDDETerminateDuringDestroy = 0x20,
GiveupForeground = 0x40,
AlwaysActiveMenus = 0x80,
NoMouseHideInEdit = 0x100,
NoGdiBatching = 0x200,
FontSubstitution = 0x400,
No50StylebitsInCreateWindow = 0x800,
NoCustomPaperSizes = 0x1000,
AllTheDdeHacks = 0x2000,
UseDefaultCharset = 0x4000,
NoCharDeadKey = 0x8000,
NoTryExceptForWindowProc = 0x10000,
NoInitInsertReplaceFlags = 0x20000,
NoDdeSync = 0x40000,
NoGhost = 0x80000,
NoDdeAsyncReg = 0x100000,
StrictLLHook = 0x200000,
NoShadow = 0x400000,
NoTimerCallbackProtection = 0x1000000,
HighDpiAware = 0x2000000,
OpenGLEmfAware = 0x4000000,
EnableTransparantBltMirror = 0x8000000,
NoPaddedBorder = 0x10000000,
ForceLegacyResizeCM = 0x20000000,
HardwareAudioMixer = 0x40000000,
DisableSWCursorOnMoveSize = 0x80000000,
#if 0
DisableWindowArrangement = 0x100000000,
ReorderWaveForCommunications = 0x200000000,
NoGdiHwAcceleration = 0x400000000,
#endif
} APPCOMPAT_USERFLAGS;
//
// PEB.AppCompatFlagsUser.HighPart
// Tag FLAG_MASK_USER
//
typedef enum _APPCOMPAT_USERFLAGS_HIGHPART
{
DisableWindowArrangement = 0x1,
ReorderWaveForCommunications = 0x2,
NoGdiHwAcceleration = 0x4,
} APPCOMPAT_USERFLAGS_HIGHPART;
//
// Process Environment Block (PEB)
// Thread Environment Block (TEB)
//
#include "peb_teb.h"
#ifdef _WIN64
//
// Explicit 32 bit PEB/TEB
//
#define EXPLICIT_32BIT
#include "peb_teb.h"
#undef EXPLICIT_32BIT
//
// Explicit 64 bit PEB/TEB
//
#define EXPLICIT_64BIT
#include "peb_teb.h"
#undef EXPLICIT_64BIT
#endif
#ifdef NTOS_MODE_USER
//
// Process Information Structures for NtQueryProcessInformation
//
typedef struct _PROCESS_BASIC_INFORMATION
{
NTSTATUS ExitStatus;
PPEB PebBaseAddress;
ULONG_PTR AffinityMask;
KPRIORITY BasePriority;
ULONG_PTR UniqueProcessId;
ULONG_PTR InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;
typedef struct _PROCESS_ACCESS_TOKEN
{
HANDLE Token;
HANDLE Thread;
} PROCESS_ACCESS_TOKEN, *PPROCESS_ACCESS_TOKEN;
typedef struct _PROCESS_DEVICEMAP_INFORMATION
{
union
{
struct
{
HANDLE DirectoryHandle;
} Set;
struct
{
ULONG DriveMap;
UCHAR DriveType[32];
} Query;
};
} PROCESS_DEVICEMAP_INFORMATION, *PPROCESS_DEVICEMAP_INFORMATION;
typedef struct _KERNEL_USER_TIMES
{
LARGE_INTEGER CreateTime;
LARGE_INTEGER ExitTime;
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
} KERNEL_USER_TIMES, *PKERNEL_USER_TIMES;
typedef struct _POOLED_USAGE_AND_LIMITS
{
SIZE_T PeakPagedPoolUsage;
SIZE_T PagedPoolUsage;
SIZE_T PagedPoolLimit;
SIZE_T PeakNonPagedPoolUsage;
SIZE_T NonPagedPoolUsage;
SIZE_T NonPagedPoolLimit;
SIZE_T PeakPagefileUsage;
SIZE_T PagefileUsage;
SIZE_T PagefileLimit;
} POOLED_USAGE_AND_LIMITS, *PPOOLED_USAGE_AND_LIMITS;
typedef struct _PROCESS_SESSION_INFORMATION
{
ULONG SessionId;
} PROCESS_SESSION_INFORMATION, *PPROCESS_SESSION_INFORMATION;
#endif
typedef struct _PROCESS_PRIORITY_CLASS
{
BOOLEAN Foreground;
UCHAR PriorityClass;
} PROCESS_PRIORITY_CLASS, *PPROCESS_PRIORITY_CLASS;
typedef struct _PROCESS_FOREGROUND_BACKGROUND
{
BOOLEAN Foreground;
} PROCESS_FOREGROUND_BACKGROUND, *PPROCESS_FOREGROUND_BACKGROUND;
//
// Apphelp SHIM Cache
//
typedef enum _APPHELPCACHESERVICECLASS
{
ApphelpCacheServiceLookup = 0,
ApphelpCacheServiceRemove = 1,
ApphelpCacheServiceUpdate = 2,
ApphelpCacheServiceFlush = 3,
ApphelpCacheServiceDump = 4,
ApphelpDBGReadRegistry = 0x100,
ApphelpDBGWriteRegistry = 0x101,
} APPHELPCACHESERVICECLASS;
typedef struct _APPHELP_CACHE_SERVICE_LOOKUP
{
UNICODE_STRING ImageName;
HANDLE ImageHandle;
} APPHELP_CACHE_SERVICE_LOOKUP, *PAPPHELP_CACHE_SERVICE_LOOKUP;
//
// Thread Information Structures for NtQueryProcessInformation
//
typedef struct _THREAD_BASIC_INFORMATION
{
NTSTATUS ExitStatus;
PVOID TebBaseAddress;
CLIENT_ID ClientId;
KAFFINITY AffinityMask;
KPRIORITY Priority;
KPRIORITY BasePriority;
} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;
#ifndef NTOS_MODE_USER
//
// Job Set Array
//
typedef struct _JOB_SET_ARRAY
{
HANDLE JobHandle;
ULONG MemberLevel;
ULONG Flags;
} JOB_SET_ARRAY, *PJOB_SET_ARRAY;
//
// EPROCESS Quota Structures
//
typedef struct _EPROCESS_QUOTA_ENTRY
{
SIZE_T Usage;
SIZE_T Limit;
SIZE_T Peak;
SIZE_T Return;
} EPROCESS_QUOTA_ENTRY, *PEPROCESS_QUOTA_ENTRY;
typedef struct _EPROCESS_QUOTA_BLOCK
{
EPROCESS_QUOTA_ENTRY QuotaEntry[3];
LIST_ENTRY QuotaList;
ULONG ReferenceCount;
ULONG ProcessCount;
} EPROCESS_QUOTA_BLOCK, *PEPROCESS_QUOTA_BLOCK;
//
// Process Pagefault History
//
typedef struct _PAGEFAULT_HISTORY
{
ULONG CurrentIndex;
ULONG MapIndex;
KSPIN_LOCK SpinLock;
PVOID Reserved;
PROCESS_WS_WATCH_INFORMATION WatchInfo[1];
} PAGEFAULT_HISTORY, *PPAGEFAULT_HISTORY;
//
// Process Impersonation Information
//
typedef struct _PS_IMPERSONATION_INFORMATION
{
PACCESS_TOKEN Token;
BOOLEAN CopyOnOpen;
BOOLEAN EffectiveOnly;
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
} PS_IMPERSONATION_INFORMATION, *PPS_IMPERSONATION_INFORMATION;
//
// Process Termination Port
//
typedef struct _TERMINATION_PORT
{
struct _TERMINATION_PORT *Next;
PVOID Port;
} TERMINATION_PORT, *PTERMINATION_PORT;
//
// Per-Process APC Rate Limiting
//
typedef struct _PSP_RATE_APC
{
union
{
SINGLE_LIST_ENTRY NextApc;
ULONGLONG ExcessCycles;
};
ULONGLONG TargetGEneration;
KAPC RateApc;
} PSP_RATE_APC, *PPSP_RATE_APC;
//
// Executive Thread (ETHREAD)
//
typedef struct _ETHREAD
{
KTHREAD Tcb;
LARGE_INTEGER CreateTime;
union
{
LARGE_INTEGER ExitTime;
LIST_ENTRY LpcReplyChain;
LIST_ENTRY KeyedWaitChain;
};
union
{
NTSTATUS ExitStatus;
PVOID OfsChain;
};
LIST_ENTRY PostBlockList;
union
{
struct _TERMINATION_PORT *TerminationPort;
struct _ETHREAD *ReaperLink;
PVOID KeyedWaitValue;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
PVOID Win32StartParameter;
#endif
};
KSPIN_LOCK ActiveTimerListLock;
LIST_ENTRY ActiveTimerListHead;
CLIENT_ID Cid;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
KSEMAPHORE KeyedWaitSemaphore;
#else
union
{
KSEMAPHORE LpcReplySemaphore;
KSEMAPHORE KeyedWaitSemaphore;
};
union
{
PVOID LpcReplyMessage;
PVOID LpcWaitingOnPort;
};
#endif
PPS_IMPERSONATION_INFORMATION ImpersonationInfo;
LIST_ENTRY IrpList;
ULONG_PTR TopLevelIrp;
PDEVICE_OBJECT DeviceToVerify;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
PPSP_RATE_APC RateControlApc;
#else
struct _EPROCESS *ThreadsProcess;
#endif
PVOID Win32StartAddress;
union
{
PKSTART_ROUTINE StartAddress;
ULONG LpcReceivedMessageId;
};
LIST_ENTRY ThreadListEntry;
EX_RUNDOWN_REF RundownProtect;
EX_PUSH_LOCK ThreadLock;
#if (NTDDI_VERSION < NTDDI_LONGHORN)
ULONG LpcReplyMessageId;
#endif
ULONG ReadClusterSize;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
ULONG SpareUlong0;
#else
ACCESS_MASK GrantedAccess;
#endif
union
{
struct
{
ULONG Terminated:1;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
ULONG ThreadInserted:1;
#else
ULONG DeadThread:1;
#endif
ULONG HideFromDebugger:1;
ULONG ActiveImpersonationInfo:1;
ULONG SystemThread:1;
ULONG HardErrorsAreDisabled:1;
ULONG BreakOnTermination:1;
ULONG SkipCreationMsg:1;
ULONG SkipTerminationMsg:1;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
ULONG CreateMsgSent:1;
ULONG ThreadIoPriority:3;
ULONG ThreadPagePriority:3;
ULONG PendingRatecontrol:1;
#endif
};
ULONG CrossThreadFlags;
};
union
{
struct
{
ULONG ActiveExWorker:1;
ULONG ExWorkerCanWaitUser:1;
ULONG MemoryMaker:1;
ULONG KeyedEventInUse:1;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
ULONG RateApcState:2;
#endif
};
ULONG SameThreadPassiveFlags;
};
union
{
struct
{
ULONG LpcReceivedMsgIdValid:1;
ULONG LpcExitThreadCalled:1;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
ULONG Spare:1;
#else
ULONG AddressSpaceOwner:1;
#endif
ULONG OwnsProcessWorkingSetExclusive:1;
ULONG OwnsProcessWorkingSetShared:1;
ULONG OwnsSystemWorkingSetExclusive:1;
ULONG OwnsSystemWorkingSetShared:1;
ULONG OwnsSessionWorkingSetExclusive:1;
ULONG OwnsSessionWorkingSetShared:1;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
ULONG SuppressSymbolLoad:1;
ULONG Spare1:3;
ULONG PriorityRegionActive:4;
#else
ULONG ApcNeeded:1;
#endif
};
ULONG SameThreadApcFlags;
};
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
UCHAR CacheManagerActive;
#else
UCHAR ForwardClusterOnly;
#endif
UCHAR DisablePageFaultClustering;
UCHAR ActiveFaultCount;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
ULONG AlpcMessageId;
union
{
PVOID AlpcMessage;
ULONG AlpcReceiveAttributeSet;
};
LIST_ENTRY AlpcWaitListEntry;
KSEMAPHORE AlpcWaitSemaphore;
ULONG CacheManagerCount;
#endif
} ETHREAD;
//
// Executive Process (EPROCESS)
//
typedef struct _EPROCESS
{
KPROCESS Pcb;
EX_PUSH_LOCK ProcessLock;
LARGE_INTEGER CreateTime;
LARGE_INTEGER ExitTime;
EX_RUNDOWN_REF RundownProtect;
HANDLE UniqueProcessId;
LIST_ENTRY ActiveProcessLinks;
SIZE_T QuotaUsage[3]; /* 0=PagedPool, 1=NonPagedPool, 2=Pagefile */
SIZE_T QuotaPeak[3]; /* ditto */
SIZE_T CommitCharge;
SIZE_T PeakVirtualSize;
SIZE_T VirtualSize;
LIST_ENTRY SessionProcessLinks;
PVOID DebugPort;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
union
{
PVOID ExceptionPortData;
ULONG ExceptionPortValue;
UCHAR ExceptionPortState:3;
};
#else
PVOID ExceptionPort;
#endif
PHANDLE_TABLE ObjectTable;
EX_FAST_REF Token;
PFN_NUMBER WorkingSetPage;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
EX_PUSH_LOCK AddressCreationLock;
PETHREAD RotateInProgress;
#else
KGUARDED_MUTEX AddressCreationLock;
KSPIN_LOCK HyperSpaceLock;
#endif
PETHREAD ForkInProgress;
ULONG_PTR HardwareTrigger;
PMM_AVL_TABLE PhysicalVadRoot;
PVOID CloneRoot;
PFN_NUMBER NumberOfPrivatePages;
PFN_NUMBER NumberOfLockedPages;
PVOID *Win32Process;
struct _EJOB *Job;
PVOID SectionObject;
PVOID SectionBaseAddress;
PEPROCESS_QUOTA_BLOCK QuotaBlock;
PPAGEFAULT_HISTORY WorkingSetWatch;
PVOID Win32WindowStation;
HANDLE InheritedFromUniqueProcessId;
PVOID LdtInformation;
PVOID VadFreeHint;
PVOID VdmObjects;
PVOID DeviceMap;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
PVOID EtwDataSource;
PVOID FreeTebHint;
#else
PVOID Spare0[3];
#endif
union
{
HARDWARE_PTE PageDirectoryPte;
ULONGLONG Filler;
};
PVOID Session;
CHAR ImageFileName[16];
LIST_ENTRY JobLinks;
PVOID LockedPagesList;
LIST_ENTRY ThreadListHead;
PVOID SecurityPort;
#ifdef _M_AMD64
struct _WOW64_PROCESS *Wow64Process;
#else
PVOID PaeTop;
#endif
ULONG ActiveThreads;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
ULONG ImagePathHash;
#else
ACCESS_MASK GrantedAccess;
#endif
ULONG DefaultHardErrorProcessing;
NTSTATUS LastThreadExitStatus;
struct _PEB* Peb;
EX_FAST_REF PrefetchTrace;
LARGE_INTEGER ReadOperationCount;
LARGE_INTEGER WriteOperationCount;
LARGE_INTEGER OtherOperationCount;
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;
SIZE_T CommitChargeLimit;
SIZE_T CommitChargePeak;
PVOID AweInfo;
SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo;
MMSUPPORT Vm;
#ifdef _M_AMD64
ULONG Spares[2];
#else
LIST_ENTRY MmProcessLinks;
#endif
ULONG ModifiedPageCount;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
union
{
struct
{
ULONG JobNotReallyActive:1;
ULONG AccountingFolded:1;
ULONG NewProcessReported:1;
ULONG ExitProcessReported:1;
ULONG ReportCommitChanges:1;
ULONG LastReportMemory:1;
ULONG ReportPhysicalPageChanges:1;
ULONG HandleTableRundown:1;
ULONG NeedsHandleRundown:1;
ULONG RefTraceEnabled:1;
ULONG NumaAware:1;
ULONG ProtectedProcess:1;
ULONG DefaultPagePriority:3;
ULONG ProcessDeleteSelf:1;
ULONG ProcessVerifierTarget:1;
};
ULONG Flags2;
};
#else
ULONG JobStatus;
#endif
union
{
struct
{
ULONG CreateReported:1;
ULONG NoDebugInherit:1;
ULONG ProcessExiting:1;
ULONG ProcessDelete:1;
ULONG Wow64SplitPages:1;
ULONG VmDeleted:1;
ULONG OutswapEnabled:1;
ULONG Outswapped:1;
ULONG ForkFailed:1;
ULONG Wow64VaSpace4Gb:1;
ULONG AddressSpaceInitialized:2;
ULONG SetTimerResolution:1;
ULONG BreakOnTermination:1;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
ULONG DeprioritizeViews:1;
#else
ULONG SessionCreationUnderway:1;
#endif
ULONG WriteWatch:1;
ULONG ProcessInSession:1;
ULONG OverrideAddressSpace:1;
ULONG HasAddressSpace:1;
ULONG LaunchPrefetched:1;
ULONG InjectInpageErrors:1;
ULONG VmTopDown:1;
ULONG ImageNotifyDone:1;
ULONG PdeUpdateNeeded:1;
ULONG VdmAllowed:1;
ULONG SmapAllowed:1;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
ULONG ProcessInserted:1;
#else
ULONG CreateFailed:1;
#endif
ULONG DefaultIoPriority:3;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
ULONG SparePsFlags1:2;
#else
ULONG Spare1:1;
ULONG Spare2:1;
#endif
};
ULONG Flags;
};
NTSTATUS ExitStatus;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
USHORT Spare7;
#else
USHORT NextPageColor;
#endif
union
{
struct
{
UCHAR SubSystemMinorVersion;
UCHAR SubSystemMajorVersion;
};
USHORT SubSystemVersion;
};
UCHAR PriorityClass;
MM_AVL_TABLE VadRoot;
ULONG Cookie;
} EPROCESS;
//
// Job Token Filter Data
//
#include <pshpack1.h>
typedef struct _PS_JOB_TOKEN_FILTER
{
ULONG CapturedSidCount;
PSID_AND_ATTRIBUTES CapturedSids;
ULONG CapturedSidsLength;
ULONG CapturedGroupCount;
PSID_AND_ATTRIBUTES CapturedGroups;
ULONG CapturedGroupsLength;
ULONG CapturedPrivilegeCount;
PLUID_AND_ATTRIBUTES CapturedPrivileges;
ULONG CapturedPrivilegesLength;
} PS_JOB_TOKEN_FILTER, *PPS_JOB_TOKEN_FILTER;
//
// Executive Job (EJOB)
//
typedef struct _EJOB
{
KEVENT Event;
LIST_ENTRY JobLinks;
LIST_ENTRY ProcessListHead;
ERESOURCE JobLock;
LARGE_INTEGER TotalUserTime;
LARGE_INTEGER TotalKernelTime;
LARGE_INTEGER ThisPeriodTotalUserTime;
LARGE_INTEGER ThisPeriodTotalKernelTime;
ULONG TotalPageFaultCount;
ULONG TotalProcesses;
ULONG ActiveProcesses;
ULONG TotalTerminatedProcesses;
LARGE_INTEGER PerProcessUserTimeLimit;
LARGE_INTEGER PerJobUserTimeLimit;
ULONG LimitFlags;
ULONG MinimumWorkingSetSize;
ULONG MaximumWorkingSetSize;
ULONG ActiveProcessLimit;
ULONG Affinity;
UCHAR PriorityClass;
ULONG UIRestrictionsClass;
ULONG SecurityLimitFlags;
PVOID Token;
PPS_JOB_TOKEN_FILTER Filter;
ULONG EndOfJobTimeAction;
PVOID CompletionPort;
PVOID CompletionKey;
ULONG SessionId;
ULONG SchedulingClass;
ULONGLONG ReadOperationCount;
ULONGLONG WriteOperationCount;
ULONGLONG OtherOperationCount;
ULONGLONG ReadTransferCount;
ULONGLONG WriteTransferCount;
ULONGLONG OtherTransferCount;
IO_COUNTERS IoInfo;
ULONG ProcessMemoryLimit;
ULONG JobMemoryLimit;
ULONG PeakProcessMemoryUsed;
ULONG PeakJobMemoryUsed;
ULONG CurrentJobMemoryUsed;
#if (NTDDI_VERSION >= NTDDI_WINXP) && (NTDDI_VERSION < NTDDI_WS03)
FAST_MUTEX MemoryLimitsLock;
#elif (NTDDI_VERSION >= NTDDI_WS03) && (NTDDI_VERSION < NTDDI_LONGHORN)
KGUARDED_MUTEX MemoryLimitsLock;
#elif (NTDDI_VERSION >= NTDDI_LONGHORN)
EX_PUSH_LOCK MemoryLimitsLock;
#endif
LIST_ENTRY JobSetLinks;
ULONG MemberLevel;
ULONG JobFlags;
} EJOB, *PEJOB;
#include <poppack.h>
//
// Job Information Structures for NtQueryInformationJobObject
//
typedef struct _JOBOBJECT_BASIC_ACCOUNTING_INFORMATION
{
LARGE_INTEGER TotalUserTime;
LARGE_INTEGER TotalKernelTime;
LARGE_INTEGER ThisPeriodTotalUserTime;
LARGE_INTEGER ThisPeriodTotalKernelTime;
ULONG TotalPageFaultCount;
ULONG TotalProcesses;
ULONG ActiveProcesses;
ULONG TotalTerminatedProcesses;
} JOBOBJECT_BASIC_ACCOUNTING_INFORMATION, *PJOBOBJECT_BASIC_ACCOUNTING_INFORMATION;
typedef struct _JOBOBJECT_BASIC_LIMIT_INFORMATION
{
LARGE_INTEGER PerProcessUserTimeLimit;
LARGE_INTEGER PerJobUserTimeLimit;
ULONG LimitFlags;
SIZE_T MinimumWorkingSetSize;
SIZE_T MaximumWorkingSetSize;
ULONG ActiveProcessLimit;
ULONG_PTR Affinity;
ULONG PriorityClass;
ULONG SchedulingClass;
} JOBOBJECT_BASIC_LIMIT_INFORMATION, *PJOBOBJECT_BASIC_LIMIT_INFORMATION;
typedef struct _JOBOBJECT_BASIC_PROCESS_ID_LIST
{
ULONG NumberOfAssignedProcesses;
ULONG NumberOfProcessIdsInList;
ULONG_PTR ProcessIdList[1];
} JOBOBJECT_BASIC_PROCESS_ID_LIST, *PJOBOBJECT_BASIC_PROCESS_ID_LIST;
typedef struct _JOBOBJECT_BASIC_UI_RESTRICTIONS
{
ULONG UIRestrictionsClass;
} JOBOBJECT_BASIC_UI_RESTRICTIONS, *PJOBOBJECT_BASIC_UI_RESTRICTIONS;
typedef struct _JOBOBJECT_SECURITY_LIMIT_INFORMATION
{
ULONG SecurityLimitFlags;
HANDLE JobToken;
PTOKEN_GROUPS SidsToDisable;
PTOKEN_PRIVILEGES PrivilegesToDelete;
PTOKEN_GROUPS RestrictedSids;
} JOBOBJECT_SECURITY_LIMIT_INFORMATION, *PJOBOBJECT_SECURITY_LIMIT_INFORMATION;
typedef struct _JOBOBJECT_END_OF_JOB_TIME_INFORMATION
{
ULONG EndOfJobTimeAction;
} JOBOBJECT_END_OF_JOB_TIME_INFORMATION, PJOBOBJECT_END_OF_JOB_TIME_INFORMATION;
typedef struct _JOBOBJECT_ASSOCIATE_COMPLETION_PORT
{
PVOID CompletionKey;
HANDLE CompletionPort;
} JOBOBJECT_ASSOCIATE_COMPLETION_PORT, *PJOBOBJECT_ASSOCIATE_COMPLETION_PORT;
typedef struct JOBOBJECT_BASIC_AND_IO_ACCOUNTING_INFORMATION
{
JOBOBJECT_BASIC_ACCOUNTING_INFORMATION BasicInfo;
IO_COUNTERS IoInfo;
} JOBOBJECT_BASIC_AND_IO_ACCOUNTING_INFORMATION, *PJOBOBJECT_BASIC_AND_IO_ACCOUNTING_INFORMATION;
typedef struct _JOBOBJECT_EXTENDED_LIMIT_INFORMATION
{
JOBOBJECT_BASIC_LIMIT_INFORMATION BasicLimitInformation;
IO_COUNTERS IoInfo;
SIZE_T ProcessMemoryLimit;
SIZE_T JobMemoryLimit;
SIZE_T PeakProcessMemoryUsed;
SIZE_T PeakJobMemoryUsed;
} JOBOBJECT_EXTENDED_LIMIT_INFORMATION, *PJOBOBJECT_EXTENDED_LIMIT_INFORMATION;
//
// Win32K Callback Registration Data
//
typedef struct _WIN32_POWEREVENT_PARAMETERS
{
PSPOWEREVENTTYPE EventNumber;
ULONG Code;
} WIN32_POWEREVENT_PARAMETERS, *PWIN32_POWEREVENT_PARAMETERS;
typedef struct _WIN32_POWERSTATE_PARAMETERS
{
UCHAR Promotion;
POWER_ACTION SystemAction;
SYSTEM_POWER_STATE MinSystemState;
ULONG Flags;
POWERSTATETASK PowerStateTask;
} WIN32_POWERSTATE_PARAMETERS, *PWIN32_POWERSTATE_PARAMETERS;
typedef struct _WIN32_JOBCALLOUT_PARAMETERS
{
PVOID Job;
PSW32JOBCALLOUTTYPE CalloutType;
PVOID Data;
} WIN32_JOBCALLOUT_PARAMETERS, *PWIN32_JOBCALLOUT_PARAMETERS;
typedef struct _WIN32_OPENMETHOD_PARAMETERS
{
OB_OPEN_REASON OpenReason;
PEPROCESS Process;
PVOID Object;
ULONG GrantedAccess;
ULONG HandleCount;
} WIN32_OPENMETHOD_PARAMETERS, *PWIN32_OPENMETHOD_PARAMETERS;
typedef struct _WIN32_OKAYTOCLOSEMETHOD_PARAMETERS
{
PEPROCESS Process;
PVOID Object;
HANDLE Handle;
KPROCESSOR_MODE PreviousMode;
} WIN32_OKAYTOCLOSEMETHOD_PARAMETERS, *PWIN32_OKAYTOCLOSEMETHOD_PARAMETERS;
typedef struct _WIN32_CLOSEMETHOD_PARAMETERS
{
PEPROCESS Process;
PVOID Object;
ACCESS_MASK AccessMask;
ULONG ProcessHandleCount;
ULONG SystemHandleCount;
} WIN32_CLOSEMETHOD_PARAMETERS, *PWIN32_CLOSEMETHOD_PARAMETERS;
typedef struct _WIN32_DELETEMETHOD_PARAMETERS
{
PVOID Object;
} WIN32_DELETEMETHOD_PARAMETERS, *PWIN32_DELETEMETHOD_PARAMETERS;
typedef struct _WIN32_PARSEMETHOD_PARAMETERS
{
PVOID ParseObject;
PVOID ObjectType;
PACCESS_STATE AccessState;
KPROCESSOR_MODE AccessMode;
ULONG Attributes;
_Out_ PUNICODE_STRING CompleteName;
PUNICODE_STRING RemainingName;
PVOID Context;
PSECURITY_QUALITY_OF_SERVICE SecurityQos;
PVOID *Object;
} WIN32_PARSEMETHOD_PARAMETERS, *PWIN32_PARSEMETHOD_PARAMETERS;
typedef struct _WIN32_CALLOUTS_FPNS
{
PKWIN32_PROCESS_CALLOUT ProcessCallout;
PKWIN32_THREAD_CALLOUT ThreadCallout;
PKWIN32_GLOBALATOMTABLE_CALLOUT GlobalAtomTableCallout;
PKWIN32_POWEREVENT_CALLOUT PowerEventCallout;
PKWIN32_POWERSTATE_CALLOUT PowerStateCallout;
PKWIN32_JOB_CALLOUT JobCallout;
PGDI_BATCHFLUSH_ROUTINE BatchFlushRoutine;
PKWIN32_SESSION_CALLOUT DesktopOpenProcedure;
PKWIN32_SESSION_CALLOUT DesktopOkToCloseProcedure;
PKWIN32_SESSION_CALLOUT DesktopCloseProcedure;
PKWIN32_SESSION_CALLOUT DesktopDeleteProcedure;
PKWIN32_SESSION_CALLOUT WindowStationOkToCloseProcedure;
PKWIN32_SESSION_CALLOUT WindowStationCloseProcedure;
PKWIN32_SESSION_CALLOUT WindowStationDeleteProcedure;
PKWIN32_SESSION_CALLOUT WindowStationParseProcedure;
PKWIN32_SESSION_CALLOUT WindowStationOpenProcedure;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
PKWIN32_WIN32DATACOLLECTION_CALLOUT Win32DataCollectionProcedure;
#endif
} WIN32_CALLOUTS_FPNS, *PWIN32_CALLOUTS_FPNS;
#endif // !NTOS_MODE_USER
#ifdef __cplusplus
}; // extern "C"
#endif
#endif // _PSTYPES_H
相關文章
- 1. 內核數據結構
- 2. Windows內核結構
- 3. delphi字符串數據結構逆向
- 4. 網絡數據包內核探險記(一) —— linux內核網絡分層結構
- 5. Linux內核數據結構
- 6. linux內核數據結構之鏈表
- 7. Linux內核hlist數據結構分析
- 8. Linux內核數據結構之鏈表
- 9. linux內核數據結構之kfifo
- 10. Linux 內核101:進程數據結構
- 更多相關文章...
- • C# 結構體(Struct) - C#教程
- • 網站 數據庫 - 網站主機教程
- • Flink 數據傳輸及反壓詳解
- • TiDB 在摩拜單車在線數據業務的應用和實踐
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. 內核數據結構
- 2. Windows內核結構
- 3. delphi字符串數據結構逆向
- 4. 網絡數據包內核探險記(一) —— linux內核網絡分層結構
- 5. Linux內核數據結構
- 6. linux內核數據結構之鏈表
- 7. Linux內核hlist數據結構分析
- 8. Linux內核數據結構之鏈表
- 9. linux內核數據結構之kfifo
- 10. Linux 內核101:進程數據結構