forked from JKornev/hidden
PsRules.h
#pragma once
#include <Ntddk.h>
// Opaque handle to a process-rule list. It is a plain PVOID, so the compiler
// cannot tell a valid context from any other pointer; callers must pass only
// a value obtained through InitializePsRuleListContext.
typedef PVOID PsRulesContext;
// Pointer-to-handle form, used by InitializePsRuleListContext.
typedef PsRulesContext* PPsRulesContext;
// 64-bit identifier of one rule: AddRuleToPsRuleList takes a pointer to it,
// RemoveRuleFromPsRuleList takes it by value.
typedef ULONGLONG PsRuleEntryId;
typedef PsRuleEntryId* PPsRuleEntryId;
// Inheritance modes for a rule. Values are consecutive starting at 0.
// NOTE(review): the exact meaning of each mode is not visible in this header;
// the names suggest it controls whether a rule carries over to child
// processes (never / always / one generation) - confirm in PsRules.c.
enum PsRuleInheritTypes {
PsRuleTypeWithoutInherit = 0,
PsRuleTypeInherit,
PsRuleTypeInheritOnce,
// Last enumerator (value 3), not a mode itself. Presumably the exclusive
// upper bound for validating an InheritType argument - confirm.
PsRuleTypeMax
};
// One rule record, also used as the output type of CheckInPsRuleList.
typedef struct _PsRuleEntry {
// Same width as PsRuleEntryId; presumably the rule's id - TODO confirm.
ULONGLONG guid;
// Image path the rule applies to. UNICODE_STRING is counted (Length is in
// bytes) and is not guaranteed to be NUL-terminated, so consumers must use
// Length rather than scanning for a terminator. It also holds a Buffer
// pointer: NOTE(review): confirm where Buffer points when an entry is copied
// to a caller-supplied buffer, and that it never outlives the list entry.
UNICODE_STRING imagePath;
// Declared ULONG rather than enum PsRuleInheritTypes, so out-of-range values
// are representable; presumably holds one of the PsRuleInheritTypes values.
ULONG inheritType;
// NOTE(review): meaning not stated here (entry size? path length?) - confirm
// the unit (bytes vs. characters) before using it as a copy length.
ULONG len;
} PsRuleEntry, *PPsRuleEntry;
// Rule-list API. NOTE(review): this header states neither the locking model
// nor the IRQL at which these routines may be called - confirm in PsRules.c
// before calling them from callbacks.

// Creates a rule list. Takes a pointer to a PsRulesContext; presumably the new
// handle is stored through pRuleContext on success - confirm. Returns NTSTATUS.
NTSTATUS InitializePsRuleListContext(PPsRulesContext pRuleContext);
// Releases a rule list. Returns nothing, so failures cannot be reported; the
// handle must not be used after this call.
VOID DestroyPsRuleListContext(PsRulesContext RuleContext);
// Adds a rule for ImgPath with the given inheritance mode; EntryId is a
// pointer, presumably receiving the id of the new rule.
// InheritType is a raw ULONG, so the compiler does not limit it to the enum:
// NOTE(review): confirm the implementation rejects values >= PsRuleTypeMax.
// ImgPath is non-const here, unlike the lookup routines below.
// NOTE(review): confirm whether the path is copied or the caller's buffer is
// retained (lifetime of ImgPath->Buffer).
NTSTATUS AddRuleToPsRuleList(PsRulesContext RuleContext, PUNICODE_STRING ImgPath, ULONG InheritType, PPsRuleEntryId EntryId);
// Removes the single rule identified by EntryId.
NTSTATUS RemoveRuleFromPsRuleList(PsRulesContext RuleContext, PsRuleEntryId EntryId);
// Removes every rule from the list.
NTSTATUS RemoveAllRulesFromPsRuleList(PsRulesContext RuleContext);
// Looks up ImgPath in the list. Rule/RuleSize describe a caller-supplied
// buffer and OutSize is a pointer to a ULONG.
// NOTE(review): looks like a size-in/size-out pattern - confirm that RuleSize
// is checked before anything is written to Rule, and what OutSize holds when
// the buffer is too small.
NTSTATUS CheckInPsRuleList(PsRulesContext RuleContext, PCUNICODE_STRING ImgPath, PPsRuleEntry Rule, ULONG RuleSize, PULONG OutSize);
// Returns a BOOLEAN for ImgPath; pInheritance is a pointer to a ULONG,
// presumably receiving a PsRuleInheritTypes value when the result is TRUE.
// NOTE(review): confirm whether *pInheritance is written on FALSE.
BOOLEAN FindInheritanceInPsRuleList(PsRulesContext RuleContext, PCUNICODE_STRING ImgPath, PULONG pInheritance);