#include <PROCESS.hh>

Inheritance diagram for introvirt::windows::nt::PROCESS:

[legend]

Collaboration diagram for introvirt::windows::nt::PROCESS:

[legend]

Public Member Functions
virtual const PEB *	Peb () const =0

virtual PEB *	Peb ()=0

virtual const PEB *	WoW64Process () const =0

virtual PEB *	WoW64Process ()=0

virtual const std::string &	ImageFileName () const =0

virtual void	ImageFileName (const std::string &value)=0

virtual const std::string &	full_path () const =0
	Get the full path of the image.

virtual std::unique_ptr< HANDLE_TABLE >	ObjectTable ()=0
	Get the handle table for this process, used for looking up objects by handle number.

virtual std::unique_ptr< const HANDLE_TABLE >	ObjectTable () const =0
	Get the handle table for this process, used for looking up objects by handle number.

virtual uint64_t	UniqueProcessId () const =0

virtual uint64_t	InheritedFromUniqueProcessId () const =0

virtual void	InheritedFromUniqueProcessId (uint64_t pid)=0

virtual std::shared_ptr< const MMVAD >	VadRoot () const =0

virtual TOKEN &	Token ()=0

virtual const TOKEN &	Token () const =0

virtual uint64_t	DirectoryTableBase () const =0

virtual uint64_t	UserDirectoryTableBase () const =0

virtual uint32_t	Cookie () const =0

virtual uint64_t	SectionBaseAddress () const =0

virtual std::vector< std::shared_ptr< THREAD > >	ThreadList ()=0

virtual std::vector< std::shared_ptr< const THREAD > >	ThreadList () const =0

virtual const MM_SESSION_SPACE *	Session () const =0

virtual bool	isWow64Process () const =0

virtual bool	DisableDynamicCode () const =0

virtual void	DisableDynamicCode (bool DisableDynamicCode)=0

virtual bool	DisableDynamicCodeAllowOptOut () const =0

virtual void	DisableDynamicCodeAllowOptOut (bool DisableDynamicCodeAllowOptOut)=0

virtual uint32_t	ModifiedPageCount () const =0

virtual void	ModifiedPageCount (uint32_t ModifiedPageCount)=0

virtual WindowsTime	CreateTime () const =0

virtual void	CreateTime (const WindowsTime &time)=0

virtual uint64_t	MinimumWorkingSetSize () const =0

virtual void	MinimumWorkingSetSize (uint64_t MinimumWorkingSetSize)=0

virtual uint64_t	MaximumWorkingSetSize () const =0

virtual void	MaximumWorkingSetSize (uint64_t MaximumWorkingSetSize)=0

virtual uint8_t	ProtectionLevel () const =0

virtual void	ProtectionLevel (uint8_t Level)=0

virtual guest_ptr< void >	Win32Process () const =0
	Get the Win32Process pointer.

virtual	~PROCESS ()=default

Public Member Functions inherited from introvirt::windows::nt::DISPATCHER_OBJECT
virtual DISPATCHER_HEADER &	DispatcherHeader ()=0

virtual const DISPATCHER_HEADER &	DispatcherHeader () const =0

virtual	~DISPATCHER_OBJECT ()=default

Public Member Functions inherited from introvirt::windows::nt::OBJECT
virtual const OBJECT_HEADER &	header () const =0
	Get the OBJECT_HEADER for this object.

virtual guest_ptr< void >	ptr () const =0

virtual	~OBJECT ()=default
	Destroy the instance.

Static Public Member Functions
static std::shared_ptr< PROCESS >	make_shared (const NtKernel &kernel, const guest_ptr< void > &ptr)

static std::shared_ptr< PROCESS >	make_shared (const NtKernel &kernel, std::unique_ptr< OBJECT_HEADER > &&header)

Static Public Member Functions inherited from introvirt::windows::nt::OBJECT
static std::shared_ptr< OBJECT >	make_shared (const NtKernel &kernel, const guest_ptr< void > &ptr)

static std::shared_ptr< OBJECT >	make_shared (const NtKernel &kernel, std::unique_ptr< OBJECT_HEADER > &&object_header)

Detailed Description

Examples: ivprocinfo.cc.

Constructor & Destructor Documentation

◆ ~PROCESS()

virtual introvirt::windows::nt::PROCESS::~PROCESS ( )

virtualdefault

Member Function Documentation

◆ Cookie()

virtual uint32_t introvirt::windows::nt::PROCESS::Cookie ( ) const

pure virtual

◆ CreateTime() [1/2]

virtual WindowsTime introvirt::windows::nt::PROCESS::CreateTime ( ) const

pure virtual

◆ CreateTime() [2/2]

virtual void introvirt::windows::nt::PROCESS::CreateTime ( const WindowsTime & time )

pure virtual

◆ DirectoryTableBase()

virtual uint64_t introvirt::windows::nt::PROCESS::DirectoryTableBase ( ) const

pure virtual

◆ DisableDynamicCode() [1/2]

virtual bool introvirt::windows::nt::PROCESS::DisableDynamicCode ( ) const

pure virtual

◆ DisableDynamicCode() [2/2]

virtual void introvirt::windows::nt::PROCESS::DisableDynamicCode ( bool DisableDynamicCode )

pure virtual

◆ DisableDynamicCodeAllowOptOut() [1/2]

virtual bool introvirt::windows::nt::PROCESS::DisableDynamicCodeAllowOptOut ( ) const

pure virtual

◆ DisableDynamicCodeAllowOptOut() [2/2]

virtual void introvirt::windows::nt::PROCESS::DisableDynamicCodeAllowOptOut ( bool DisableDynamicCodeAllowOptOut )

pure virtual

◆ full_path()

virtual const std::string & introvirt::windows::nt::PROCESS::full_path ( ) const

pure virtual

Get the full path of the image.

There isn't a simple field to retreive this value. The operation is expensive, but cached.

Returns: The full path to the executable ("c:\windows\system32\notepad.exe")

◆ ImageFileName() [1/2]

virtual const std::string & introvirt::windows::nt::PROCESS::ImageFileName ( ) const

pure virtual

ImageFileName is a field in the EPROCESS structure which has a short name for the process.

Returns: The ImageFileName string associated with this process.

Examples: ivprocinfo.cc.

◆ ImageFileName() [2/2]

virtual void introvirt::windows::nt::PROCESS::ImageFileName ( const std::string & value )

pure virtual

◆ InheritedFromUniqueProcessId() [1/2]

virtual uint64_t introvirt::windows::nt::PROCESS::InheritedFromUniqueProcessId ( ) const

pure virtual

Returns: The unique process ID of this process' parent

Examples: ivprocinfo.cc.

◆ InheritedFromUniqueProcessId() [2/2]

virtual void introvirt::windows::nt::PROCESS::InheritedFromUniqueProcessId ( uint64_t pid )

pure virtual

◆ isWow64Process()

virtual bool introvirt::windows::nt::PROCESS::isWow64Process ( ) const

pure virtual

Returns: True if this is a 32-bit process running on 64-bit Windows

Examples: ivprocinfo.cc.

◆ make_shared() [1/2]

static std::shared_ptr< PROCESS > introvirt::windows::nt::PROCESS::make_shared	(	const NtKernel &	kernel,
		const guest_ptr< void > &	ptr
	)

static

◆ make_shared() [2/2]

static std::shared_ptr< PROCESS > introvirt::windows::nt::PROCESS::make_shared	(	const NtKernel &	kernel,
		std::unique_ptr< OBJECT_HEADER > &&	header
	)

static

◆ MaximumWorkingSetSize() [1/2]

virtual uint64_t introvirt::windows::nt::PROCESS::MaximumWorkingSetSize ( ) const

pure virtual

◆ MaximumWorkingSetSize() [2/2]

virtual void introvirt::windows::nt::PROCESS::MaximumWorkingSetSize ( uint64_t MaximumWorkingSetSize )

pure virtual

◆ MinimumWorkingSetSize() [1/2]

virtual uint64_t introvirt::windows::nt::PROCESS::MinimumWorkingSetSize ( ) const

pure virtual

◆ MinimumWorkingSetSize() [2/2]

virtual void introvirt::windows::nt::PROCESS::MinimumWorkingSetSize ( uint64_t MinimumWorkingSetSize )

pure virtual

◆ ModifiedPageCount() [1/2]

virtual uint32_t introvirt::windows::nt::PROCESS::ModifiedPageCount ( ) const

pure virtual

◆ ModifiedPageCount() [2/2]

virtual void introvirt::windows::nt::PROCESS::ModifiedPageCount ( uint32_t ModifiedPageCount )

pure virtual

◆ ObjectTable() [1/2]

virtual std::unique_ptr< const HANDLE_TABLE > introvirt::windows::nt::PROCESS::ObjectTable ( ) const

pure virtual

Get the handle table for this process, used for looking up objects by handle number.

Returns: The handle table for this process

Exceptions

InvalidStructureException If the HANDLE_TABLE is null

◆ ObjectTable() [2/2]

virtual std::unique_ptr< HANDLE_TABLE > introvirt::windows::nt::PROCESS::ObjectTable ( )

pure virtual

Get the handle table for this process, used for looking up objects by handle number.

Returns: The handle table for this process

Exceptions

InvalidStructureException If the HANDLE_TABLE is null

Examples: ivexec.cc, and ivprocinfo.cc.

◆ Peb() [1/2]

virtual const PEB * introvirt::windows::nt::PROCESS::Peb ( ) const

pure virtual

the Process Environment Block (PEB) for this process. The PEB contains information about loaded modules and the process image itself.

Returns: The Process Environment Block for this process

Examples: ivprocinfo.cc.

◆ Peb() [2/2]

virtual PEB * introvirt::windows::nt::PROCESS::Peb ( )

pure virtual

◆ ProtectionLevel() [1/2]

virtual uint8_t introvirt::windows::nt::PROCESS::ProtectionLevel ( ) const

pure virtual

◆ ProtectionLevel() [2/2]

virtual void introvirt::windows::nt::PROCESS::ProtectionLevel ( uint8_t Level )

pure virtual

◆ SectionBaseAddress()

virtual uint64_t introvirt::windows::nt::PROCESS::SectionBaseAddress ( ) const

pure virtual

◆ Session()

virtual const MM_SESSION_SPACE * introvirt::windows::nt::PROCESS::Session ( ) const

pure virtual

Returns: A session information object

Examples: ivprocinfo.cc.

◆ ThreadList() [1/2]

virtual std::vector< std::shared_ptr< const THREAD > > introvirt::windows::nt::PROCESS::ThreadList ( ) const

pure virtual

◆ ThreadList() [2/2]

virtual std::vector< std::shared_ptr< THREAD > > introvirt::windows::nt::PROCESS::ThreadList ( )

pure virtual

Returns: A vector of threads belonging to this process

Examples: ivprocinfo.cc.

◆ Token() [1/2]

virtual const TOKEN & introvirt::windows::nt::PROCESS::Token ( ) const

pure virtual

◆ Token() [2/2]

virtual TOKEN & introvirt::windows::nt::PROCESS::Token ( )

pure virtual

Examples: ivprocinfo.cc.

◆ UniqueProcessId()

virtual uint64_t introvirt::windows::nt::PROCESS::UniqueProcessId ( ) const

pure virtual

Returns: The unique process ID associated with this process

Examples: ivprocinfo.cc, and ivprocmemdump.cc.

◆ UserDirectoryTableBase()

virtual uint64_t introvirt::windows::nt::PROCESS::UserDirectoryTableBase ( ) const

pure virtual

◆ VadRoot()

virtual std::shared_ptr< const MMVAD > introvirt::windows::nt::PROCESS::VadRoot ( ) const

pure virtual

Examples: ivprocinfo.cc.

◆ Win32Process()

virtual guest_ptr< void > introvirt::windows::nt::PROCESS::Win32Process ( ) const

pure virtual

Get the Win32Process pointer.

Returns: The Win32Process pointer from the EPROCESS structure

◆ WoW64Process() [1/2]

virtual const PEB * introvirt::windows::nt::PROCESS::WoW64Process ( ) const

pure virtual

If this process is a Wow64 process, return the 32-bit version of the PEB.

Returns: The 32-bit PEB, or NULL if not available.

Examples: ivprocinfo.cc.

◆ WoW64Process() [2/2]

virtual PEB * introvirt::windows::nt::PROCESS::WoW64Process ( )

pure virtual

The documentation for this class was generated from the following file:

/home/runner/work/IntroVirt/IntroVirt/include/introvirt/windows/kernel/nt/types/objects/PROCESS.hh

Public Member Functions

Static Public Member Functions

Detailed Description

Constructor & Destructor Documentation

◆ ~PROCESS()

Member Function Documentation

◆ Cookie()

◆ CreateTime() [1/2]

◆ CreateTime() [2/2]

◆ DirectoryTableBase()

◆ DisableDynamicCode() [1/2]

◆ DisableDynamicCode() [2/2]

◆ DisableDynamicCodeAllowOptOut() [1/2]

◆ DisableDynamicCodeAllowOptOut() [2/2]

◆ full_path()

◆ ImageFileName() [1/2]

◆ ImageFileName() [2/2]

◆ InheritedFromUniqueProcessId() [1/2]

◆ InheritedFromUniqueProcessId() [2/2]

◆ isWow64Process()

◆ make_shared() [1/2]

◆ make_shared() [2/2]

◆ MaximumWorkingSetSize() [1/2]

◆ MaximumWorkingSetSize() [2/2]

◆ MinimumWorkingSetSize() [1/2]

◆ MinimumWorkingSetSize() [2/2]

◆ ModifiedPageCount() [1/2]

◆ ModifiedPageCount() [2/2]

◆ ObjectTable() [1/2]

◆ ObjectTable() [2/2]

◆ Peb() [1/2]

◆ Peb() [2/2]

◆ ProtectionLevel() [1/2]

◆ ProtectionLevel() [2/2]

◆ SectionBaseAddress()

◆ Session()

◆ ThreadList() [1/2]

◆ ThreadList() [2/2]

◆ Token() [1/2]

◆ Token() [2/2]

◆ UniqueProcessId()

◆ UserDirectoryTableBase()

◆ VadRoot()

◆ Win32Process()

◆ WoW64Process() [1/2]

◆ WoW64Process() [2/2]