hidden/Hidden/Helper.h

#pragma once

#include <Ntddk.h>

typedef enum _SYSTEM_INFORMATION_CLASS {
	SystemBasicInformation = 0,
	SystemPerformanceInformation = 2,
	SystemTimeOfDayInformation = 3,
	SystemProcessInformation = 5,
	SystemProcessorPerformanceInformation = 8,
	SystemInterruptInformation = 23,
	SystemExceptionInformation = 33,
	SystemRegistryQuotaInformation = 37,
	SystemLookasideInformation = 45,
	SystemPolicyInformation = 134,
} SYSTEM_INFORMATION_CLASS;

typedef struct _SYSTEM_PROCESS_INFORMATION {
	ULONG           NextEntryOffset;
	ULONG           NumberOfThreads;
	LARGE_INTEGER   Reserved[3];
	LARGE_INTEGER   CreateTime;
	LARGE_INTEGER   UserTime;
	LARGE_INTEGER   KernelTime;
	UNICODE_STRING  ImageName;
	KPRIORITY       BasePriority;
	HANDLE          ProcessId;
	HANDLE          InheritedFromProcessId;
	ULONG           HandleCount;
	UCHAR           Reserved4[4];
	PVOID           Reserved5[11];
	SIZE_T          PeakPagefileUsage;
	SIZE_T          PrivatePageCount;
	LARGE_INTEGER   Reserved6[6];
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
	_In_      SYSTEM_INFORMATION_CLASS SystemInformationClass,
	_Inout_   PVOID                    SystemInformation,
	_In_      ULONG                    SystemInformationLength,
	_Out_opt_ PULONG                   ReturnLength
);

NTSYSAPI NTSTATUS NTAPI ZwQueryInformationProcess(
	_In_      HANDLE                    ProcessHandle,
	_In_      PROCESSINFOCLASS          ProcessInformationClass,
	_Out_     PVOID                     ProcessInformation,
	_In_      ULONG                     ProcessInformationLength,
	_Out_opt_ PULONG                    ReturnLength
);

NTSTATUS QuerySystemInformation(SYSTEM_INFORMATION_CLASS Class, PVOID* InfoBuffer, PSIZE_T InfoSize);
NTSTATUS QueryProcessInformation(PROCESSINFOCLASS Class, HANDLE ProcessId, PVOID* InfoBuffer, PSIZE_T InfoSize);
VOID FreeInformation(PVOID Buffer);

#define NORMALIZE_INCREAMENT (USHORT)128

NTSTATUS NormalizeDevicePath(PCUNICODE_STRING Path, PUNICODE_STRING Normalized);
initial commit 2016-07-21 23:02:31 +00:00			`#pragma once`

			`#include <Ntddk.h>`

			`typedef enum _SYSTEM_INFORMATION_CLASS {`
			`SystemBasicInformation = 0,`
			`SystemPerformanceInformation = 2,`
			`SystemTimeOfDayInformation = 3,`
			`SystemProcessInformation = 5,`
			`SystemProcessorPerformanceInformation = 8,`
			`SystemInterruptInformation = 23,`
			`SystemExceptionInformation = 33,`
			`SystemRegistryQuotaInformation = 37,`
			`SystemLookasideInformation = 45,`
			`SystemPolicyInformation = 134,`
			`} SYSTEM_INFORMATION_CLASS;`

			`typedef struct _SYSTEM_PROCESS_INFORMATION {`
			`ULONG NextEntryOffset;`
			`ULONG NumberOfThreads;`
			`LARGE_INTEGER Reserved[3];`
			`LARGE_INTEGER CreateTime;`
			`LARGE_INTEGER UserTime;`
			`LARGE_INTEGER KernelTime;`
			`UNICODE_STRING ImageName;`
			`KPRIORITY BasePriority;`
			`HANDLE ProcessId;`
			`HANDLE InheritedFromProcessId;`
			`ULONG HandleCount;`
			`UCHAR Reserved4[4];`
			`PVOID Reserved5[11];`
			`SIZE_T PeakPagefileUsage;`
			`SIZE_T PrivatePageCount;`
			`LARGE_INTEGER Reserved6[6];`
			`} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;`

Multiple changes - Fixed issue with signing Release driver builds - Renamed all Nt* functions to Zw* (access denied fix, KTHREAD!PreviousMode) - Added "apply to all processes" feature for adding exluded\protected images api - Fixed sync issues for process table, sync primitives moved to external code etc 2016-10-18 21:28:55 +00:00			`NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(`
initial commit 2016-07-21 23:02:31 +00:00			`_In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,`
			`_Inout_ PVOID SystemInformation,`
			`_In_ ULONG SystemInformationLength,`
			`_Out_opt_ PULONG ReturnLength`
			`);`

Multiple changes - Fixed issue with signing Release driver builds - Renamed all Nt* functions to Zw* (access denied fix, KTHREAD!PreviousMode) - Added "apply to all processes" feature for adding exluded\protected images api - Fixed sync issues for process table, sync primitives moved to external code etc 2016-10-18 21:28:55 +00:00			`NTSYSAPI NTSTATUS NTAPI ZwQueryInformationProcess(`
initial commit 2016-07-21 23:02:31 +00:00			`_In_ HANDLE ProcessHandle,`
			`_In_ PROCESSINFOCLASS ProcessInformationClass,`
			`_Out_ PVOID ProcessInformation,`
			`_In_ ULONG ProcessInformationLength,`
			`_Out_opt_ PULONG ReturnLength`
			`);`

			`NTSTATUS QuerySystemInformation(SYSTEM_INFORMATION_CLASS Class, PVOID* InfoBuffer, PSIZE_T InfoSize);`
			`NTSTATUS QueryProcessInformation(PROCESSINFOCLASS Class, HANDLE ProcessId, PVOID* InfoBuffer, PSIZE_T InfoSize);`
			`VOID FreeInformation(PVOID Buffer);`

Major changes - Fixed BSOD on driver deinitialization step - Fixed resources leak in the reg filter - Fixed path normalization function - Added support for inherit type in predefined process monitor configs - Added support for opening protected processes by subsystem - Added tests for protected processes and other little fixes 2016-10-10 21:37:28 +00:00			`#define NORMALIZE_INCREAMENT (USHORT)128`
initial commit 2016-07-21 23:02:31 +00:00
			`NTSTATUS NormalizeDevicePath(PCUNICODE_STRING Path, PUNICODE_STRING Normalized);`