hidden/Hidden/PsTable.h

#pragma once

#include <Ntddk.h>
#include "Helper.h"

typedef struct _ProcessTableEntry {
	HANDLE      processId;

	BOOLEAN     excluded;
	ULONG       inheritExclusion;

	BOOLEAN     protected;
	ULONG       inheritProtection;

	BOOLEAN     hidden;
	BOOLEAN     postponeHiding;
	ULONG       inheritStealth;
	PEPROCESS   reference;
	HANDLE_TABLE_ENTRY cidEntryBackup;
	PHANDLE_TABLE_ENTRY cidEntry;

	BOOLEAN     subsystem;
	BOOLEAN     inited;

} ProcessTableEntry, *PProcessTableEntry;

NTSTATUS InitializeProcessTable(VOID(*InitProcessEntryCallback)(PProcessTableEntry, PCUNICODE_STRING, HANDLE));
VOID ClearProcessTable(VOID(*CleanupCallback)(PProcessTableEntry));
VOID EnumProcessTable(VOID(*EnumCallback)(PProcessTableEntry));

// Important notice:
// Keep in mind that internal sync mechanisms removed from functions below (including DestroyProcessTable) 
// because in some situations we need to perform two operation under one lock, for instance we should 
// perform GetProcessInProcessTable and UpdateProcessInProcessTable under one lock. So in this case all 
// functions, excluding InitializeProcessTable, should be synced manualy from external code

BOOLEAN AddProcessToProcessTable(PProcessTableEntry entry);
BOOLEAN RemoveProcessFromProcessTable(HANDLE ProcessId);
PProcessTableEntry GetProcessInProcessTable(HANDLE ProcessId);
initial commit 2016-07-21 23:02:31 +00:00			`#pragma once`

			`#include <Ntddk.h>`
The first working implementation of the hiding PspCidTable stuff (Win8+) 2021-08-21 20:21:18 +00:00			`#include "Helper.h"`
initial commit 2016-07-21 23:02:31 +00:00
Major changes - Fixed BSOD on driver deinitialization step - Fixed resources leak in the reg filter - Fixed path normalization function - Added support for inherit type in predefined process monitor configs - Added support for opening protected processes by subsystem - Added tests for protected processes and other little fixes 2016-10-10 21:37:28 +00:00			`typedef struct _ProcessTableEntry {`
The first working implementation of the hiding PspCidTable stuff (Win8+) 2021-08-21 20:21:18 +00:00			`HANDLE processId;`
Added protected & excluded process lists 2016-08-27 20:18:54 +00:00
The first working implementation of the hiding PspCidTable stuff (Win8+) 2021-08-21 20:21:18 +00:00			`BOOLEAN excluded;`
			`ULONG inheritExclusion;`
Added protected & excluded process lists 2016-08-27 20:18:54 +00:00
The first working implementation of the hiding PspCidTable stuff (Win8+) 2021-08-21 20:21:18 +00:00			`BOOLEAN protected;`
			`ULONG inheritProtection;`
Added protected & excluded process lists 2016-08-27 20:18:54 +00:00
The first working implementation of the hiding PspCidTable stuff (Win8+) 2021-08-21 20:21:18 +00:00			`BOOLEAN hidden;`
Fixed a bug with a process initialization flag in PsMonitor 2021-08-24 20:25:12 +00:00			`BOOLEAN postponeHiding;`
The first working implementation of the hiding PspCidTable stuff (Win8+) 2021-08-21 20:21:18 +00:00			`ULONG inheritStealth;`
			`PEPROCESS reference;`
			`HANDLE_TABLE_ENTRY cidEntryBackup;`
			`PHANDLE_TABLE_ENTRY cidEntry;`
Kernel level configuration for hidden processes 2021-07-25 20:15:08 +00:00
The first working implementation of the hiding PspCidTable stuff (Win8+) 2021-08-21 20:21:18 +00:00			`BOOLEAN subsystem;`
			`BOOLEAN inited;`
Major changes - Fixed BSOD on driver deinitialization step - Fixed resources leak in the reg filter - Fixed path normalization function - Added support for inherit type in predefined process monitor configs - Added support for opening protected processes by subsystem - Added tests for protected processes and other little fixes 2016-10-10 21:37:28 +00:00
initial commit 2016-07-21 23:02:31 +00:00			`} ProcessTableEntry, *PProcessTableEntry;`

			`NTSTATUS InitializeProcessTable(VOID(*InitProcessEntryCallback)(PProcessTableEntry, PCUNICODE_STRING, HANDLE));`
Process table optimization for hidden processes 2021-07-30 00:06:02 +00:00			`VOID ClearProcessTable(VOID(*CleanupCallback)(PProcessTableEntry));`
			`VOID EnumProcessTable(VOID(*EnumCallback)(PProcessTableEntry));`
initial commit 2016-07-21 23:02:31 +00:00
Multiple changes - Fixed issue with signing Release driver builds - Renamed all Nt* functions to Zw* (access denied fix, KTHREAD!PreviousMode) - Added "apply to all processes" feature for adding exluded\protected images api - Fixed sync issues for process table, sync primitives moved to external code etc 2016-10-18 21:28:55 +00:00			`// Important notice:`
			`// Keep in mind that internal sync mechanisms removed from functions below (including DestroyProcessTable)`
			`// because in some situations we need to perform two operation under one lock, for instance we should`
			`// perform GetProcessInProcessTable and UpdateProcessInProcessTable under one lock. So in this case all`
			`// functions, excluding InitializeProcessTable, should be synced manualy from external code`

initial commit 2016-07-21 23:02:31 +00:00			`BOOLEAN AddProcessToProcessTable(PProcessTableEntry entry);`
Optimized process table access 2021-08-15 00:18:23 +00:00			`BOOLEAN RemoveProcessFromProcessTable(HANDLE ProcessId);`
			`PProcessTableEntry GetProcessInProcessTable(HANDLE ProcessId);`