PROCESS_DEBUG_AUTH_INFORMATION - NtDoc

#ifndef _NTPSAPI_H
#if (PHNT_MODE != PHNT_MODE_KERNEL)

/**
 * The PROCESS_DEBUG_AUTH_INFORMATION structure contains the debug authorization token.
 *
 * CI treats this as a tagged byte value.
 * The low 3 bits are a type tag; the upper 5 bits are an opaque selector/ID.
 *
 * Usage flow:
 * 1) A debug-auth token is generated via the "CiTool.exe --device-id" command for signing.
 * 2) The signed token is added to the CI policy store using "CiTool.exe --add-token".
 * 3) CI validates the token and updates policy data (\System32\CodeIntegrity\CiPolicies\Active).
 * 4) NtSetInformationProcess(ProcessDebugAuthInformation) activates the debug authorization token.
 * 5) CI caches the authorization by process handle, this tagged byte references the policy.
 * 6) NtOpenProcess(PsProtectedSignerAntimalware) == STATUS_SUCCESS
 *
 * Notes:
 * - This structure carries only the tagged byte selector for the type of PPL bypass.
 * - This call does not configure the token or policy string/signature.
 * - Consequently the caller supplies no policy content here: whatever the selector refers to
 *   must already have been validated and cached by CI (steps 3 and 5 above).
 * - The union lets callers read or write the byte as a whole (Value) or through the two
 *   bit-fields (TypeTag, Selector); both views alias the same single byte.
 * - NOTE(review): the bit-field view assumes fields are allocated LSB-first within the byte,
 *   which is the layout the Windows ABI uses for this header's compilers. Bit-field placement
 *   and UCHAR-typed bit-fields are implementation-defined in ISO C; when building with a
 *   different toolchain, verify the layout or use Value with explicit masks.
 */
typedef struct _PROCESS_DEBUG_AUTH_INFORMATION
{
    union
    {
        UCHAR Value;                // The whole tagged byte.
        struct
        {
            UCHAR TypeTag : 3;      // Low 3 bits: type tag interpreted by CI.
            UCHAR Selector : 5;     // Upper 5 bits: opaque selector/ID referencing the cached policy.
        };
    };
} PROCESS_DEBUG_AUTH_INFORMATION, *PPROCESS_DEBUG_AUTH_INFORMATION;

#endif
#endif
