go my file uploader

KProcessHacker/include/dyndata.h

@@ -0,0 +1,47 @@
+#ifndef DYNDATA_H
+#define DYNDATA_H
+
+#ifdef EXT
+#undef EXT
+#endif
+
+#ifdef _DYNDATA_PRIVATE
+#define EXT
+#define OFFDEFAULT = -1
+#else
+#define EXT extern
+#define OFFDEFAULT
+#endif
+
+EXT ULONG KphDynNtVersion;
+EXT RTL_OSVERSIONINFOEXW KphDynOsVersionInfo;
+
+// Structures
+// Ege: ETW_GUID_ENTRY
+// Ep: EPROCESS
+// Ere: ETW_REG_ENTRY
+// Et: ETHREAD
+// Ht: HANDLE_TABLE
+// Oh: OBJECT_HEADER
+// Ot: OBJECT_TYPE
+// Oti: OBJECT_TYPE_INITIALIZER, offset measured from an OBJECT_TYPE
+// ObDecodeShift: shift value in ObpDecodeObject
+// ObAttributesShift: shift value in ObpGetHandleAttributes
+EXT ULONG KphDynEgeGuid OFFDEFAULT;
+EXT ULONG KphDynEpObjectTable OFFDEFAULT;
+EXT ULONG KphDynEreGuidEntry OFFDEFAULT;
+EXT ULONG KphDynHtHandleContentionEvent OFFDEFAULT;
+EXT ULONG KphDynOtName OFFDEFAULT;
+EXT ULONG KphDynOtIndex OFFDEFAULT;
+EXT ULONG KphDynObDecodeShift OFFDEFAULT;
+EXT ULONG KphDynObAttributesShift OFFDEFAULT;
+
+NTSTATUS KphDynamicDataInitialization(
+    VOID
+    );
+
+NTSTATUS KphReadDynamicDataParameters(
+    __in_opt HANDLE KeyHandle
+    );
+
+#endif

KProcessHacker/include/kph.h

@@ -0,0 +1,365 @@
+#ifndef KPH_H
+#define KPH_H
+
+#include <ntifs.h>
+#define PHNT_MODE PHNT_MODE_KERNEL
+#include <phnt.h>
+#include <ntfill.h>
+#include <bcrypt.h>
+#include <kphapi.h>
+
+// Debugging
+
+#ifdef DBG
+#define dprintf(Format, ...) DbgPrint("KProcessHacker: " Format, __VA_ARGS__)
+#else
+#define dprintf
+#endif
+
+typedef struct _KPH_CLIENT
+{
+    struct
+    {
+        ULONG VerificationPerformed : 1;
+        ULONG VerificationSucceeded : 1;
+        ULONG KeysGenerated : 1;
+        ULONG SpareBits : 29;
+    };
+    FAST_MUTEX StateMutex;
+    NTSTATUS VerificationStatus;
+    PVOID VerifiedProcess; // EPROCESS (for equality checking only - do not access contents)
+    HANDLE VerifiedProcessId;
+    PVOID VerifiedRangeBase;
+    SIZE_T VerifiedRangeSize;
+    // Level 1 and 2 secret keys
+    FAST_MUTEX KeyBackoffMutex;
+    KPH_KEY L1Key;
+    KPH_KEY L2Key;
+} KPH_CLIENT, *PKPH_CLIENT;
+
+typedef struct _KPH_PARAMETERS
+{
+    KPH_SECURITY_LEVEL SecurityLevel;
+} KPH_PARAMETERS, *PKPH_PARAMETERS;
+
+// main
+
+extern ULONG KphFeatures;
+extern KPH_PARAMETERS KphParameters;
+
+NTSTATUS KpiGetFeatures(
+    __out PULONG Features,
+    __in KPROCESSOR_MODE AccessMode
+    );
+
+// devctrl
+
+__drv_dispatchType(IRP_MJ_DEVICE_CONTROL) DRIVER_DISPATCH KphDispatchDeviceControl;
+
+NTSTATUS KphDispatchDeviceControl(
+    __in PDEVICE_OBJECT DeviceObject,
+    __in PIRP Irp
+    );
+
+// dynimp
+
+VOID KphDynamicImport(
+    VOID
+    );
+
+PVOID KphGetSystemRoutineAddress(
+    __in PWSTR SystemRoutineName
+    );
+
+// object
+
+PHANDLE_TABLE KphReferenceProcessHandleTable(
+    __in PEPROCESS Process
+    );
+
+VOID KphDereferenceProcessHandleTable(
+    __in PEPROCESS Process
+    );
+
+VOID KphUnlockHandleTableEntry(
+    __in PHANDLE_TABLE HandleTable,
+    __in PHANDLE_TABLE_ENTRY HandleTableEntry
+    );
+
+NTSTATUS KpiEnumerateProcessHandles(
+    __in HANDLE ProcessHandle,
+    __out_bcount(BufferLength) PVOID Buffer,
+    __in_opt ULONG BufferLength,
+    __out_opt PULONG ReturnLength,
+    __in KPROCESSOR_MODE AccessMode
+    );
+
+NTSTATUS KphQueryNameObject(
+    __in PVOID Object,
+    __out_bcount(BufferLength) POBJECT_NAME_INFORMATION Buffer,
+    __in ULONG BufferLength,
+    __out PULONG ReturnLength
+    );
+
+NTSTATUS KphQueryNameFileObject(
+    __in PFILE_OBJECT FileObject,
+    __out_bcount(BufferLength) POBJECT_NAME_INFORMATION Buffer,
+    __in ULONG BufferLength,
+    __out PULONG ReturnLength
+    );
+
+NTSTATUS KpiQueryInformationObject(
+    __in HANDLE ProcessHandle,
+    __in HANDLE Handle,
+    __in KPH_OBJECT_INFORMATION_CLASS ObjectInformationClass,
+    __out_bcount(ObjectInformationLength) PVOID ObjectInformation,
+    __in ULONG ObjectInformationLength,
+    __out_opt PULONG ReturnLength,
+    __in KPROCESSOR_MODE AccessMode
+    );
+
+NTSTATUS KpiSetInformationObject(
+    __in HANDLE ProcessHandle,
+    __in HANDLE Handle,
+    __in KPH_OBJECT_INFORMATION_CLASS ObjectInformationClass,
+    __in_bcount(ObjectInformationLength) PVOID ObjectInformation,
+    __in ULONG ObjectInformationLength,
+    __in KPROCESSOR_MODE AccessMode
+    );
+
+NTSTATUS KphOpenNamedObject(
+    __out PHANDLE ObjectHandle,
+    __in ACCESS_MASK DesiredAccess,
+    __in POBJECT_ATTRIBUTES ObjectAttributes,
+    __in POBJECT_TYPE ObjectType,
+    __in KPROCESSOR_MODE AccessMode
+    );
+
+// process
+
+NTSTATUS KpiOpenProcess(
+    __out PHANDLE ProcessHandle,
+    __in ACCESS_MASK DesiredAccess,
+    __in PCLIENT_ID ClientId,
+    __in_opt KPH_KEY Key,
+    __in PKPH_CLIENT Client,
+    __in KPROCESSOR_MODE AccessMode
+    );
+
+NTSTATUS KpiOpenProcessToken(
+    __in HANDLE ProcessHandle,
+    __in ACCESS_MASK DesiredAccess,
+    __out PHANDLE TokenHandle,
+    __in_opt KPH_KEY Key,
+    __in PKPH_CLIENT Client,
+    __in KPROCESSOR_MODE AccessMode
+    );
+
+NTSTATUS KpiOpenProcessJob(
+    __in HANDLE ProcessHandle,
+    __in ACCESS_MASK DesiredAccess,
+    __out PHANDLE JobHandle,
+    __in KPROCESSOR_MODE AccessMode
+    );
+
+NTSTATUS KpiTerminateProcess(
+    __in HANDLE ProcessHandle,
+    __in NTSTATUS ExitStatus,
+    __in_opt KPH_KEY Key,
+    __in PKPH_CLIENT Client,
+    __in KPROCESSOR_MODE AccessMode
+    );
+
+NTSTATUS KpiQueryInformationProcess(
+    __in HANDLE ProcessHandle,
+    __in KPH_PROCESS_INFORMATION_CLASS ProcessInformationClass,
+    __out_bcount(ProcessInformationLength) PVOID ProcessInformation,
+    __in ULONG ProcessInformationLength,
+    __out_opt PULONG ReturnLength,
+    __in KPROCESSOR_MODE AccessMode
+    );
+
+NTSTATUS KpiSetInformationProcess(
+    __in HANDLE ProcessHandle,
+    __in KPH_PROCESS_INFORMATION_CLASS ProcessInformationClass,
+    __in_bcount(ProcessInformationLength) PVOID ProcessInformation,
+    __in ULONG ProcessInformationLength,
+    __in KPROCESSOR_MODE AccessMode
+    );
+
+// qrydrv
+
+NTSTATUS KpiOpenDriver(
+    __out PHANDLE DriverHandle,
+    __in ACCESS_MASK DesiredAccess,
+    __in POBJECT_ATTRIBUTES ObjectAttributes,
+    __in KPROCESSOR_MODE AccessMode
+    );
+
+NTSTATUS KpiQueryInformationDriver(
+    __in HANDLE DriverHandle,
+    __in DRIVER_INFORMATION_CLASS DriverInformationClass,
+    __out_bcount(DriverInformationLength) PVOID DriverInformation,
+    __in ULONG DriverInformationLength,
+    __out_opt PULONG ReturnLength,
+    __in KPROCESSOR_MODE AccessMode
+    );
+
+// thread
+
+NTSTATUS KpiOpenThread(
+    __out PHANDLE ThreadHandle,
+    __in ACCESS_MASK DesiredAccess,
+    __in PCLIENT_ID ClientId,
+    __in_opt KPH_KEY Key,
+    __in PKPH_CLIENT Client,
+    __in KPROCESSOR_MODE AccessMode
+    );
+
+NTSTATUS KpiOpenThreadProcess(
+    __in HANDLE ThreadHandle,
+    __in ACCESS_MASK DesiredAccess,
+    __out PHANDLE ProcessHandle,
+    __in KPROCESSOR_MODE AccessMode
+    );
+
+ULONG KphCaptureStackBackTrace(
+    __in ULONG FramesToSkip,
+    __in ULONG FramesToCapture,
+    __in_opt ULONG Flags,
+    __out_ecount(FramesToCapture) PVOID *BackTrace,
+    __out_opt PULONG BackTraceHash
+    );
+
+NTSTATUS KphCaptureStackBackTraceThread(
+    __in PETHREAD Thread,
+    __in ULONG FramesToSkip,
+    __in ULONG FramesToCapture,
+    __out_ecount(FramesToCapture) PVOID *BackTrace,
+    __out_opt PULONG CapturedFrames,
+    __out_opt PULONG BackTraceHash,
+    __in KPROCESSOR_MODE AccessMode
+    );
+
+NTSTATUS KpiCaptureStackBackTraceThread(
+    __in HANDLE ThreadHandle,
+    __in ULONG FramesToSkip,
+    __in ULONG FramesToCapture,
+    __out_ecount(FramesToCapture) PVOID *BackTrace,
+    __out_opt PULONG CapturedFrames,
+    __out_opt PULONG BackTraceHash,
+    __in KPROCESSOR_MODE AccessMode
+    );
+
+NTSTATUS KpiQueryInformationThread(
+    __in HANDLE ThreadHandle,
+    __in KPH_THREAD_INFORMATION_CLASS ThreadInformationClass,
+    __out_bcount(ProcessInformationLength) PVOID ThreadInformation,
+    __in ULONG ThreadInformationLength,
+    __out_opt PULONG ReturnLength,
+    __in KPROCESSOR_MODE AccessMode
+    );
+
+NTSTATUS KpiSetInformationThread(
+    __in HANDLE ThreadHandle,
+    __in KPH_THREAD_INFORMATION_CLASS ThreadInformationClass,
+    __in_bcount(ThreadInformationLength) PVOID ThreadInformation,
+    __in ULONG ThreadInformationLength,
+    __in KPROCESSOR_MODE AccessMode
+    );
+
+// util
+
+VOID KphFreeCapturedUnicodeString(
+    __in PUNICODE_STRING CapturedUnicodeString
+    );
+
+NTSTATUS KphCaptureUnicodeString(
+    __in PUNICODE_STRING UnicodeString,
+    __out PUNICODE_STRING CapturedUnicodeString
+    );
+
+NTSTATUS KphEnumerateSystemModules(
+    __out PRTL_PROCESS_MODULES *Modules
+    );
+
+NTSTATUS KphValidateAddressForSystemModules(
+    __in PVOID Address,
+    __in SIZE_T Length
+    );
+
+NTSTATUS KphGetProcessMappedFileName(
+    __in HANDLE ProcessHandle,
+    __in PVOID BaseAddress,
+    __out PUNICODE_STRING *FileName
+    );
+
+// verify
+
+NTSTATUS KphHashFile(
+    __in PUNICODE_STRING FileName,
+    __out PVOID *Hash,
+    __out PULONG HashSize
+    );
+
+NTSTATUS KphVerifyFile(
+    __in PUNICODE_STRING FileName,
+    __in_bcount(SignatureSize) PUCHAR Signature,
+    __in ULONG SignatureSize
+    );
+
+VOID KphVerifyClient(
+    __inout PKPH_CLIENT Client,
+    __in PVOID CodeAddress,
+    __in_bcount(SignatureSize) PUCHAR Signature,
+    __in ULONG SignatureSize
+    );
+
+NTSTATUS KpiVerifyClient(
+    __in PVOID CodeAddress,
+    __in_bcount(SignatureSize) PUCHAR Signature,
+    __in ULONG SignatureSize,
+    __in PKPH_CLIENT Client
+    );
+
+VOID KphGenerateKeysClient(
+    __inout PKPH_CLIENT Client
+    );
+
+NTSTATUS KphRetrieveKeyViaApc(
+    __inout PKPH_CLIENT Client,
+    __in KPH_KEY_LEVEL KeyLevel,
+    __inout PIRP Irp
+    );
+
+NTSTATUS KphValidateKey(
+    __in KPH_KEY_LEVEL RequiredKeyLevel,
+    __in_opt KPH_KEY Key,
+    __in PKPH_CLIENT Client,
+    __in KPROCESSOR_MODE AccessMode
+    );
+
+// vm
+
+NTSTATUS KphCopyVirtualMemory(
+    __in PEPROCESS FromProcess,
+    __in PVOID FromAddress,
+    __in PEPROCESS ToProcess,
+    __in PVOID ToAddress,
+    __in SIZE_T BufferLength,
+    __in KPROCESSOR_MODE AccessMode,
+    __out PSIZE_T ReturnLength
+    );
+
+NTSTATUS KpiReadVirtualMemoryUnsafe(
+    __in_opt HANDLE ProcessHandle,
+    __in PVOID BaseAddress,
+    __out_bcount(BufferSize) PVOID Buffer,
+    __in SIZE_T BufferSize,
+    __out_opt PSIZE_T NumberOfBytesRead,
+    __in_opt KPH_KEY Key,
+    __in PKPH_CLIENT Client,
+    __in KPROCESSOR_MODE AccessMode
+    );
+
+#endif

KProcessHacker/include/ntfill.h

@@ -0,0 +1,351 @@
+#ifndef NTFILL_H
+#define NTFILL_H
+
+extern ULONG KphDynNtVersion;
+extern ULONG KphDynObDecodeShift;
+extern ULONG KphDynObAttributesShift;
+
+// EX
+
+typedef struct _EX_PUSH_LOCK_WAIT_BLOCK *PEX_PUSH_LOCK_WAIT_BLOCK;
+
+NTKERNELAPI
+VOID
+FASTCALL
+ExfUnblockPushLock(
+    __inout PEX_PUSH_LOCK PushLock,
+    __inout_opt PEX_PUSH_LOCK_WAIT_BLOCK WaitBlock
+    );
+
+typedef struct _HANDLE_TABLE_ENTRY
+{
+    union
+    {
+        PVOID Object;
+        ULONG ObAttributes;
+        ULONG_PTR Value;
+    };
+    union
+    {
+        ACCESS_MASK GrantedAccess;
+        LONG NextFreeTableEntry;
+    };
+} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;
+
+typedef struct _HANDLE_TABLE HANDLE_TABLE, *PHANDLE_TABLE;
+
+typedef BOOLEAN (NTAPI *PEX_ENUM_HANDLE_CALLBACK_61)(
+    __inout PHANDLE_TABLE_ENTRY HandleTableEntry,
+    __in HANDLE Handle,
+    __in PVOID Context
+    );
+
+// since WIN8
+typedef BOOLEAN (NTAPI *PEX_ENUM_HANDLE_CALLBACK)(
+    __in PHANDLE_TABLE HandleTable,
+    __inout PHANDLE_TABLE_ENTRY HandleTableEntry,
+    __in HANDLE Handle,
+    __in PVOID Context
+    );
+
+NTKERNELAPI
+BOOLEAN
+NTAPI
+ExEnumHandleTable(
+    __in PHANDLE_TABLE HandleTable,
+    __in PEX_ENUM_HANDLE_CALLBACK EnumHandleProcedure,
+    __inout PVOID Context,
+    __out_opt PHANDLE Handle
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+ZwQuerySystemInformation(
+    __in SYSTEM_INFORMATION_CLASS SystemInformationClass,
+    __out_bcount_opt(SystemInformationLength) PVOID SystemInformation,
+    __in ULONG SystemInformationLength,
+    __out_opt PULONG ReturnLength
+    );
+
+// IO
+
+extern POBJECT_TYPE *IoDriverObjectType;
+
+// KE
+
+typedef enum _KAPC_ENVIRONMENT
+{
+    OriginalApcEnvironment,
+    AttachedApcEnvironment,
+    CurrentApcEnvironment,
+    InsertApcEnvironment
+} KAPC_ENVIRONMENT, *PKAPC_ENVIRONMENT;
+
+typedef VOID (NTAPI *PKNORMAL_ROUTINE)(
+    __in PVOID NormalContext,
+    __in PVOID SystemArgument1,
+    __in PVOID SystemArgument2
+    );
+
+typedef VOID KKERNEL_ROUTINE(
+    __in PRKAPC Apc,
+    __inout PKNORMAL_ROUTINE *NormalRoutine,
+    __inout PVOID *NormalContext,
+    __inout PVOID *SystemArgument1,
+    __inout PVOID *SystemArgument2
+    );
+
+typedef KKERNEL_ROUTINE (NTAPI *PKKERNEL_ROUTINE);
+
+typedef VOID (NTAPI *PKRUNDOWN_ROUTINE)(
+    __in PRKAPC Apc
+    );
+
+NTKERNELAPI
+VOID
+NTAPI
+KeInitializeApc(
+    __out PRKAPC Apc,
+    __in PRKTHREAD Thread,
+    __in KAPC_ENVIRONMENT Environment,
+    __in PKKERNEL_ROUTINE KernelRoutine,
+    __in_opt PKRUNDOWN_ROUTINE RundownRoutine,
+    __in_opt PKNORMAL_ROUTINE NormalRoutine,
+    __in_opt KPROCESSOR_MODE ProcessorMode,
+    __in_opt PVOID NormalContext
+    );
+
+NTKERNELAPI
+BOOLEAN
+NTAPI
+KeInsertQueueApc(
+    __inout PRKAPC Apc,
+    __in_opt PVOID SystemArgument1,
+    __in_opt PVOID SystemArgument2,
+    __in KPRIORITY Increment
+    );
+
+// MM
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+ZwQueryVirtualMemory(
+    __in HANDLE ProcessHandle,
+    __in PVOID BaseAddress,
+    __in MEMORY_INFORMATION_CLASS MemoryInformationClass,
+    __out_bcount(MemoryInformationLength) PVOID MemoryInformation,
+    __in SIZE_T MemoryInformationLength,
+    __out_opt PSIZE_T ReturnLength
+    );
+
+// OB
+
+// These definitions are no longer correct, but they produce correct results.
+
+#define OBJ_PROTECT_CLOSE 0x00000001
+#define OBJ_HANDLE_ATTRIBUTES (OBJ_PROTECT_CLOSE | OBJ_INHERIT | OBJ_AUDIT_OBJECT_CLOSE)
+
+// This attribute is now stored in the GrantedAccess field.
+#define ObpAccessProtectCloseBit 0x2000000
+
+#define ObpDecodeGrantedAccess(Access) \
+    ((Access) & ~ObpAccessProtectCloseBit)
+
+FORCEINLINE PVOID ObpDecodeObject(PVOID Object)
+{
+#ifdef _M_X64
+    if (KphDynNtVersion >= PHNT_WIN8)
+    {
+        if (KphDynObDecodeShift != -1)
+            return (PVOID)(((LONG_PTR)Object >> KphDynObDecodeShift) & ~(ULONG_PTR)0xf);
+        else
+            return NULL;
+    }
+    else
+    {
+        return (PVOID)((ULONG_PTR)Object & ~OBJ_HANDLE_ATTRIBUTES);
+    }
+#else
+    return (PVOID)((ULONG_PTR)Object & ~OBJ_HANDLE_ATTRIBUTES);
+#endif
+}
+
+FORCEINLINE ULONG ObpGetHandleAttributes(PHANDLE_TABLE_ENTRY HandleTableEntry)
+{
+#ifdef _M_X64
+    if (KphDynNtVersion >= PHNT_WIN8)
+    {
+        if (KphDynObAttributesShift != -1)
+            return (ULONG)(HandleTableEntry->Value >> KphDynObAttributesShift) & 0x3;
+        else
+            return 0;
+    }
+    else
+    {
+        return (HandleTableEntry->ObAttributes & (OBJ_INHERIT | OBJ_AUDIT_OBJECT_CLOSE)) |
+            ((HandleTableEntry->GrantedAccess & ObpAccessProtectCloseBit) ? OBJ_PROTECT_CLOSE : 0);
+    }
+#else
+    return (HandleTableEntry->ObAttributes & (OBJ_INHERIT | OBJ_AUDIT_OBJECT_CLOSE)) |
+        ((HandleTableEntry->GrantedAccess & ObpAccessProtectCloseBit) ? OBJ_PROTECT_CLOSE : 0);
+#endif
+}
+
+typedef struct _OBJECT_CREATE_INFORMATION OBJECT_CREATE_INFORMATION, *POBJECT_CREATE_INFORMATION;
+
+// This is incorrect as of Windows 8.1, but the size of the structure is still correct.
+typedef struct _OBJECT_HEADER
+{
+    LONG PointerCount;
+    union
+    {
+        LONG HandleCount;
+        PVOID NextToFree;
+    };
+    POBJECT_TYPE Type;
+    UCHAR NameInfoOffset;
+    UCHAR HandleInfoOffset;
+    UCHAR QuotaInfoOffset;
+    UCHAR Flags;
+    union
+    {
+        POBJECT_CREATE_INFORMATION ObjectCreateInfo;
+        PVOID QuotaBlockCharged;
+    };
+    PVOID SecurityDescriptor;
+    QUAD Body;
+} OBJECT_HEADER, *POBJECT_HEADER;
+
+#define OBJECT_TO_OBJECT_HEADER(Object) CONTAINING_RECORD((Object), OBJECT_HEADER, Body)
+
+NTKERNELAPI
+POBJECT_TYPE
+NTAPI
+ObGetObjectType(
+    __in PVOID Object
+    );
+
+NTKERNELAPI
+NTSTATUS
+NTAPI
+ObOpenObjectByName(
+    __in POBJECT_ATTRIBUTES ObjectAttributes,
+    __in POBJECT_TYPE ObjectType,
+    __in KPROCESSOR_MODE PreviousMode,
+    __in_opt PACCESS_STATE AccessState,
+    __in_opt ACCESS_MASK DesiredAccess,
+    __in PVOID ParseContext,
+    __out PHANDLE Handle
+    );
+
+NTKERNELAPI
+NTSTATUS
+NTAPI
+ObSetHandleAttributes(
+    __in HANDLE Handle,
+    __in POBJECT_HANDLE_FLAG_INFORMATION HandleFlags,
+    __in KPROCESSOR_MODE PreviousMode
+    );
+
+NTKERNELAPI
+NTSTATUS
+ObCloseHandle(
+    __in HANDLE Handle,
+    __in KPROCESSOR_MODE PreviousMode
+    );
+
+// PS
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+ZwQueryInformationProcess(
+    __in HANDLE ProcessHandle,
+    __in PROCESSINFOCLASS ProcessInformationClass,
+    __out_bcount(ProcessInformationLength) PVOID ProcessInformation,
+    __in ULONG ProcessInformationLength,
+    __out_opt PULONG ReturnLength
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+ZwSetInformationProcess(
+    __in HANDLE ProcessHandle,
+    __in PROCESSINFOCLASS ProcessInformationClass,
+    __in_bcount(ProcessInformationLength) PVOID ProcessInformation,
+    __in ULONG ProcessInformationLength
+    );
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+ZwQueryInformationThread(
+    __in HANDLE ThreadHandle,
+    __in THREADINFOCLASS ThreadInformationClass,
+    __out_bcount(ThreadInformationLength) PVOID ThreadInformation,
+    __in ULONG ThreadInformationLength,
+    __out_opt PULONG ReturnLength
+    );
+
+NTKERNELAPI
+NTSTATUS
+NTAPI
+PsLookupProcessThreadByCid(
+    __in PCLIENT_ID ClientId,
+    __out_opt PEPROCESS *Process,
+    __out PETHREAD *Thread
+    );
+
+NTKERNELAPI
+PVOID
+NTAPI
+PsGetThreadWin32Thread(
+    __in PETHREAD Thread
+    );
+
+typedef struct _EJOB *PEJOB;
+
+extern POBJECT_TYPE *PsJobType;
+
+NTKERNELAPI
+PEJOB
+NTAPI
+PsGetProcessJob(
+    __in PEPROCESS Process
+    );
+
+NTKERNELAPI
+NTSTATUS
+NTAPI
+PsAcquireProcessExitSynchronization(
+    __in PEPROCESS Process
+    );
+
+NTKERNELAPI
+VOID
+NTAPI
+PsReleaseProcessExitSynchronization(
+    __in PEPROCESS Process
+    );
+
+// RTL
+
+// Sensible limit that may or may not correspond to the actual Windows value.
+#define MAX_STACK_DEPTH 256
+
+#define RTL_WALK_USER_MODE_STACK 0x00000001
+#define RTL_WALK_VALID_FLAGS 0x00000001
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlWalkFrameChain(
+    __out PVOID *Callers,
+    __in ULONG Count,
+    __in ULONG Flags
+    );
+
+#endif