#pragma once
#include <Ntddk.h>
// Identity of a monitored process: the PID (HANDLE-typed, as the kernel
// reports it) paired with the process creation time.
// NOTE(review): a PID on its own can be recycled once a process exits, so the
// pair is presumably used as the lookup key to avoid acting on a new process
// that inherited an old PID — confirm in PsMonitor.c that both fields are
// compared.
typedef struct _ProcessId ProcessId;
typedef ProcessId *PProcessId;

struct _ProcessId {
    HANDLE id;                  // process id
    LARGE_INTEGER creationTime; // process creation time
};
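// Process-monitor interface.
//
// Three per-process states are managed here, each registered by image path
// and queried/toggled per process id:
//   - protected : AddProtectedImage / Get|SetProtectedProcessState / ...
//   - excluded  : AddExcludedImage  / Get|SetExcludedProcessState  / ...
//   - hidden    : AddHiddenImage    / Get|SetHiddenProcessState    / ...
// How each state is enforced is not visible in this header; see PsMonitor.c.
//
// NOTE(review): every HANDLE ProcessId parameter below is a bare PID. PIDs
// can be recycled after a process exits, so callers that cache a PID across
// time should re-validate it (the ProcessId struct above carries a
// creationTime, presumably for this purpose — confirm in PsMonitor.c).
//
// NOTE(review): the Add*Image functions take a PUNICODE_STRING. When the
// string originates from a user-mode request (IOCTL buffer), the caller is
// responsible for having validated Buffer/Length (probe + capture) before
// calling in; nothing in this header shows where that validation happens.

// Set up the monitor for DriverObject. On a failure status the monitor must
// not be used.
NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject);

// Tear down what InitializePsMonitor set up.
// The explicit (void) makes this a true prototype: in C an empty parameter
// list declares a function with unspecified parameters, which defeats
// argument checking at call sites.
NTSTATUS DestroyPsMonitor(void);

// Per-process state queries.
BOOLEAN IsProcessExcluded(HANDLE ProcessId);
BOOLEAN IsProcessProtected(HANDLE ProcessId);

// --- Protected ------------------------------------------------------------

// Register ImagePath as a protected image.
//   InheritType       - propagation mode; its values are not defined in this
//                       header (presumably child-process inheritance — confirm)
//   ApplyForProcesses - presumably also apply to already-running processes
//                       matching ImagePath — confirm
//   ObjId             - receives the identifier that RemoveProtectedImage()
//                       accepts
NTSTATUS AddProtectedImage(PUNICODE_STRING ImagePath, ULONG InheritType, BOOLEAN ApplyForProcesses, PULONGLONG ObjId);
// Read / change the protected state of a single process by PID.
NTSTATUS GetProtectedProcessState(HANDLE ProcessId, PULONG InheritType, PBOOLEAN Enable);
NTSTATUS SetProtectedProcessState(HANDLE ProcessId, ULONG InheritType, BOOLEAN Enable);
// Remove one registration (by the ObjId returned from AddProtectedImage) or all.
NTSTATUS RemoveProtectedImage(ULONGLONG ObjId);
NTSTATUS RemoveAllProtectedImages(void);

// --- Excluded -------------------------------------------------------------

// Same parameter contract as the Protected group; ObjId pairs with
// RemoveExcludedImage().
NTSTATUS AddExcludedImage(PUNICODE_STRING ImagePath, ULONG InheritType, BOOLEAN ApplyForProcesses, PULONGLONG ObjId);
NTSTATUS GetExcludedProcessState(HANDLE ProcessId, PULONG InheritType, PBOOLEAN Enable);
NTSTATUS SetExcludedProcessState(HANDLE ProcessId, ULONG InheritType, BOOLEAN Enable);
NTSTATUS RemoveExcludedImage(ULONGLONG ObjId);
NTSTATUS RemoveAllExcludedImages(void);

// --- Hidden ---------------------------------------------------------------

// Same parameter contract as the Protected group; ObjId pairs with
// RemoveHiddenImage().
NTSTATUS AddHiddenImage(PUNICODE_STRING ImagePath, ULONG InheritType, BOOLEAN ApplyForProcesses, PULONGLONG ObjId);
NTSTATUS GetHiddenProcessState(HANDLE ProcessId, PULONG InheritType, PBOOLEAN Enable);
NTSTATUS SetHiddenProcessState(HANDLE ProcessId, ULONG InheritType, BOOLEAN Enable);
NTSTATUS RemoveHiddenImage(ULONGLONG ObjId);
NTSTATUS RemoveAllHiddenImages(void);
// Unlike RemoveAllHiddenImages, this clears per-process hidden state rather
// than image registrations (there is no Protected/Excluded counterpart here).
NTSTATUS RemoveAllHiddenProcesses(void);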