;-----------------------------------------
CLIENT_ID STRUCT ;NTDDK - process/thread id pair; NTDDK declares both members HANDLE, here DWORD so this is the 32-bit layout only
UniqueProcess DWORD ? ;00 process id
UniqueThread DWORD ? ;04 thread id
CLIENT_ID ENDS ;size 08H; embedded in TEB at 20H (ClientId), 6B4H (RealClientId) and 6C0H (GdiClientId)
;-----------------------------------------
;Bits for OBJECT_ATTRIBUTES.Attributes (NTDDK meanings). OBJ_VALID_ATTRIBUTES is the
;OR of the six flags below: 02H+10H+20H+40H+80H+100H = 1F2H; the kernel rejects any
;other bit, so mask/check a caller-supplied value against it before use.
OBJ_INHERIT = 00000002H ;handle is inherited by child processes - NOTE(review): never set on a privileged handle you do not intend to hand to children
OBJ_PERMANENT = 00000010H ;object outlives its last handle (NTDDK: needs SeCreatePermanentPrivilege - confirm)
OBJ_EXCLUSIVE = 00000020H ;exclusive access to the object
OBJ_CASE_INSENSITIVE = 00000040H ;case-insensitive name lookup; without it lookups are case-sensitive and "Foo" and "foo" are different objects
OBJ_OPENIF = 00000080H ;create-or-open: open the existing object instead of failing the create
OBJ_OPENLINK = 00000100H ;open the symbolic link object itself rather than following it
OBJ_VALID_ATTRIBUTES = 000001F2H ;mask of every valid bit above
OBJECT_ATTRIBUTES STRUCT ;NTDDK - 32-bit layout (all members are 4 bytes)
Length_ DWORD ? ;00 must be SIZEOF OBJECT_ATTRIBUTES (18H); trailing underscore probably avoids the MASM LENGTH operator
RootDirectory DWORD ? ;04 HANDLE or 0; when non-zero ObjectName is resolved relative to it
ObjectName DWORD ? ;08 *UNICODE_STRING (counted, not NUL-terminated)
Attributes DWORD ? ;0C OBJ_* bits; must be a subset of OBJ_VALID_ATTRIBUTES
SecurityDescriptor DWORD ? ;10 *SECURITY_DESCRIPTOR or 0 (0 = default security - NOTE(review): set one explicitly when privileged code creates objects others can open)
SecurityQualityOfService DWORD ? ;14 *SECURITY_QUALITY_OF_SERVICE or 0 (impersonation level, NTDDK)
OBJECT_ATTRIBUTES ENDS ;size 18H
;-----------------------------------------
TIME_FIELDS STRUC DWORD ;NTDDK - broken-down time, 8 WORDs = 10H bytes, DWORD-aligned
;Ranges below are the NTDDK contract; none of them is enforced by the layout,
;so validate fields that come from untrusted input before converting.
Year WORD ? ;range [1601...] (1601 is the NT FILETIME epoch)
Month WORD ? ;range [1..12]
Day WORD ? ;range [1..31]
Hour WORD ? ;range [0..23]
Minute WORD ? ;range [0..59]
Second WORD ? ;range [0..59]
Milliseconds WORD ? ;range [0..999]
Weekday WORD ? ;range [0..6] == [Sunday..Saturday]
TIME_FIELDS ENDS ;size 10H
;-----------------------------------------
ELAPSED_TIME_FIELDS STRUCT DWORD ;EliCZ - same WORD layout as TIME_FIELDS minus Weekday, for durations rather than dates
;7 WORDs = 0EH bytes, padded to 10H by the DWORD alignment, so it can alias a TIME_FIELDS.
;"RtlTTETF" presumably abbreviates RtlTimeToElapsedTimeFields - confirm.
Years WORD ? ;RtlTTETF sets to 0
Months WORD ? ;RtlTTETF sets to 0
Days WORD ?
Hours WORD ?
Minutes WORD ?
Seconds WORD ?
Milliseconds WORD ?
ELAPSED_TIME_FIELDS ENDS ;size 10H
;-----------------------------------------
;Pseudo-handles for the calling thread/process. NOTE(review): the process
;pseudo-handle differs per platform - pick it at run time (GetVersion /
;platform id), a wrong constant is simply an invalid handle.
CurrentThread EQU -2 ;in both 9x and NT (NtCurrentThread)
NtCurrentProcess EQU -1 ;in NT only
W9xCurrentProcess EQU 7FFFFFFFH ;in W9X only
;-----------------------------------------
LPWSTR TYPEDEF DWORD ;32-bit pointer to WCHAR; every pointer in this file is a DWORD, so nothing here is usable for 64-bit
UNICODE_STRING STRUCT ;NTDDK - counted string, 8 bytes on 32-bit
;Per NTDDK both lengths are BYTE counts, not character counts, and Buffer is
;not guaranteed to be NUL-terminated: bound every read by Length_ and never
;hand Buffer to a C-string routine. When reading one out of another process
;(PEB/TEB/loader data) check Length_ <= MaximumLength and that Buffer lies in
;readable memory before copying.
Length_ USHORT ? ;00 bytes in use (excludes any terminator)
MaximumLength USHORT ? ;02 bytes allocated at Buffer
Buffer LPWSTR ? ;04 -> WCHAR storage
UNICODE_STRING ENDS ;size 08H
;-----------------------------------------
;Flags for PEB_LDR_DATA.Flags:
LDR_INITIALIZED EQU 1 ;loader has set the module lists up - NOTE(review): test this before walking them; list heads may not be valid earlier
PEB_LDR_DATA STRUCT ;EliCZ - reached via PEB.PebLdrData (PEB+0CH); 32-bit layout
cbsize DWORD ? ;00 == 24H (size of this structure)
Flags DWORD ? ;04 LDR_INITIALIZED
Unknown8 DWORD ? ;08
;Three doubly-linked list heads follow ({Flink, Blink} pairs, standard
;LIST_ENTRY semantics - confirm against ntddk). Each link points at the
;matching link pair INSIDE an LDR_ENTRY (its offset 00H, 08H or 10H), not at the
;entry start, so subtract 08H / 10H when walking the memory- or init-order list.
;The head is not an LDR_ENTRY: stop when a link equals the head's own address,
;otherwise the head and whatever follows it get read as module fields.
;NOTE(review): these lists live in the process's own writable memory and can be
;unlinked or edited by code running in the process - not a trustworthy inventory.
InLoadOrderModuleListHead DWORD ? ;0C Flink -> first LDR_ENTRY + 00H
PreviousInLoadOrderLdrEntry DWORD ? ;10 Blink -> last LDR_ENTRY + 00H
InMemoryOrderModuleListHead DWORD ? ;14 Flink -> first LDR_ENTRY + 08H
PreviousInMemoryOrderLdrEntry DWORD ? ;18 Blink -> last LDR_ENTRY + 08H
InInitializationOrderModuleListHead DWORD ? ;1C Flink -> first LDR_ENTRY + 10H
PreviousInInitializationOrderLdrEntry DWORD ? ;20 Blink -> last LDR_ENTRY + 10H
PEB_LDR_DATA ENDS ;size 24H (3*4 + 3*8)
;-----------------------------------------
;Flags for LDR_ENTRY.Flags (ntdll loader-private bits; names per EliCZ, values are
;version-specific - do not assume they hold on other NT releases):
LDRP_STATIC_LINK = 00000002H
LDRP_IMAGE_DLL = 00000004H ;entry is a DLL rather than the main image (per name)
LDRP_LOAD_IN_PROGRESS = 00001000H
LDRP_UNLOAD_IN_PROGRESS = 00002000H ;entry may be torn down while you read it
LDRP_ENTRY_PROCESSED = 00004000H
LDRP_ENTRY_INSERTED = 00008000H
LDRP_CURRENT_LOAD = 00010000H
LDRP_FAILED_BUILTIN_LOAD = 00020000H
LDRP_DONT_CALL_FOR_THREADS = 00040000H ;no DLL_THREAD_ATTACH/DETACH notifications (per name)
LDRP_PROCESS_ATTACH_CALLED = 00080000H
LDRP_DEBUG_SYMBOLS_LOADED = 00100000H
LDRP_IMAGE_NOT_AT_BASE = 00200000H ;image was relocated from its preferred base (per name)
LDRP_WX86_IGNORE_MACHINETYPE = 00400000H
LDR_ENTRY STRUCT ;EliCZ - one loaded module; NTDDK name LDR_DATA_TABLE_ENTRY, 32-bit Win2000-era layout
;The three link pairs below are the same lists headed in PEB_LDR_DATA; a pointer
;obtained from the memory-order or init-order list points at offset 08H / 10H of
;the entry, so subtract before using the fields below.
;NOTE(review): an entry is ordinary writable user-mode memory. A module can unlink
;itself or rewrite ModuleBaseName/ModuleBase, so use this only for API resolution
;and loader bookkeeping, never as an allow-list or forensic ground truth -
;cross-check against section/VAD information where it matters.
NextInLoadOrderLdrEntry DWORD ? ;00 Flink
PreviousInLoadOrderLdrEntry DWORD ? ;04 Blink
NextInMemoryOrderLdrEntry DWORD ? ;08 Flink
PreviousInMemoryOrderLdrEntry DWORD ? ;0C Blink
NextInInitializationOrderLdrEntry DWORD ? ;10 Flink
PreviousInInitializationOrderLdrEntry DWORD ? ;14 Blink
ModuleBase DWORD ? ;18 image base as mapped (DllBase)
EntryPoint DWORD ? ;1C DllMain / EXE entry, 0 if none
ModuleSize DWORD ? ;20 SizeOfImage - bound any scan of the module by ModuleBase..ModuleBase+ModuleSize
ModuleFileName UNICODE_STRING <> ;24 full path (counted, bytes, not NUL-terminated)
ModuleBaseName UNICODE_STRING <> ;2C file name only (same caveats)
Flags DWORD ? ;34 LDRP_* bits above
LoadCount WORD ? ;38 reference count
TlsIndex WORD ? ;3A
LdrpHashTableEntry0 DWORD ? ;3C Flink of the loader hash-bucket list (per name)
LdrpHashTableEntry1 DWORD ? ;40 Blink
TimeStamp DWORD ? ;44 PE TimeDateStamp of the image (per name)
LDR_ENTRY ENDS ;size 48H
;-----------------------------------------
;Flags for PROCESS_PARAMETERS.Flags:
PROCESS_PARAMETERS_NORMALIZED = 1 ;pointers in structure are absolute
;If PP is denormalized (bit clear), every UNICODE_STRING.Buffer and the Environment
;pointer are self-relative offsets from the start of the structure. Add the
;structure base before dereferencing - treating an offset as a pointer reads
;arbitrary low memory or faults. Code reading another process's parameters must
;check this bit first; ntdll normalizes in place for the owning process
;(RtlNormalizeProcessParams - confirm).
PROCESS_PARAMETERS STRUCT ;EliCZ - 32-bit Win2000-era layout; NTDDK name RTL_USER_PROCESS_PARAMETERS (field mapping in comments is a reviewer's best match - confirm)
;NOTE(review): reached via PEB.ProcessParameters and writable by the process itself.
;ImagePath, CommandLine and Environment can be overwritten after start-up, so a
;reader in another process sees what the target chose to present, not what it was
;launched with (command-line spoofing). Check Flags for PROCESS_PARAMETERS_NORMALIZED
;before treating any Buffer member as a pointer.
Unknown00 DWORD ? ;00 == 1000H (likely MaximumLength of the whole block)
Unknown04 DWORD ? ;04 (likely Length in use)
Flags DWORD ? ;08 PROCESS_PARAMETERS_NORMALIZED and friends
Unknown0C DWORD ? ;0C (likely DebugFlags)
CsrConsoleInfo DWORD ? ;10 for Csr calls (console handle)
Unknown14 DWORD ? ;14 (likely ConsoleFlags)
StdInputHandle DWORD ? ;18 inherited standard handles; values are only meaningful in the owning process
StdOutputHandle DWORD ? ;1C
StdErrorHandle DWORD ? ;20
CurrentDirectory UNICODE_STRING <> ;24 DOS path of the current directory
DirectoryFlags DWORD ? ;2C == 18H (despite the name this looks like a HANDLE to the open current directory, CURDIR.Handle - confirm)
SearchPath UNICODE_STRING <> ;30 DLL search path (DllPath)
ImagePath UNICODE_STRING <> ;38 image path as seen by the loader
CommandLine UNICODE_STRING <> ;40 raw command line
Environment DWORD ? ;48 -> environment block (subject to the normalization rule above)
Unknown4C DWORD ? ;4C start of console start-up info: 4C..6C likely StartingX/Y, CountX/Y, CountCharsX/Y, FillAttribute, WindowFlags, ShowWindowFlags - confirm
Unknown50 DWORD ? ;50
Unknown54 DWORD ? ;54
Unknown58 DWORD ? ;58
Unknown5C DWORD ? ;5C
Unknown60 DWORD ? ;60
Unknown64 DWORD ? ;64
Unknown68 DWORD ? ;68
Unknown6C DWORD ? ;6C
WindowTitle UNICODE_STRING <> ;70
WindowStation UNICODE_STRING <> ;78 "WinSta\Desktop" string (DesktopInfo)
CommandLine2 UNICODE_STRING <> ;80 ?? (likely ShellInfo)
Unknown88 DWORD 82H DUP (?) ;88 208H bytes -> 290H (likely RuntimeData plus per-drive current directories)
PROCESS_PARAMETERS ENDS ;size 290H
;-----------------------------------------
;dwFlags: the PEB's first DWORD is really four BOOLEAN bytes, so each flag below
;is bit 0 of a different byte (offset 00H, 01H and 02H of the PEB).
INHERITED_ADDRESS_SPACE = 00000001H ;byte 00H
READ_IMAGEFILE_EXEC_OPTIONS = 00000100H ;byte 01H
BEING_DEBUGGED = 00010000H ;byte 02H - NOTE(review): this is the byte IsDebuggerPresent returns (confirm); it sits in writable process memory and a debugger or the process itself can clear it, so it is a hint, not a security control
PEB STRUCT ;EliCZ - 32-bit Win2000-era layout (size 1E8H; NT4 is 150H, see trailer)
;NOTE(review): the PEB is the process's own writable memory; nothing in it is a
;security boundary - the process or anything injected into it can rewrite dwFlags,
;the loader lists, ProcessParameters and the function pointers below.
;Fields believed stable across 32-bit NT versions: ImageBaseAddress (08H),
;PebLdrData (0CH), ProcessParameters (10H) and the version block at A4H..B0H.
;Gate every other access on dwMajorVersion/dwMinorVersion/dwBuildNumber read from
;this same structure; the "== value" notes are Win2000 observations, not contracts.
dwFlags DWORD ? ;00 INHERITED_ADDRESS_SPACE / READ_IMAGEFILE_EXEC_OPTIONS / BEING_DEBUGGED (one byte each)
Unknown04 DWORD ? ;04 == -1 (likely Mutant)
ImageBaseAddress DWORD ? ;08 base of the main executable image
PebLdrData DWORD ? ;0C == *PEB_LDR_DATA
ProcessParameters DWORD ? ;10 == *PROCESS_PARAMETERS (check PROCESS_PARAMETERS_NORMALIZED before using its pointers)
SubSystemData DWORD ? ;14 == 0
ProgramHeap DWORD ? ;18 default process heap (likely what GetProcessHeap returns)
LockingContext DWORD ? ;1C == FastPebLock
LockRoutine DWORD ? ;20 == RtlEnterCriticalSection - function pointer in writable memory; hook/patch target worth checking in triage
UnlockRoutine DWORD ? ;24 == RtlLeaveCriticalSection - same
DirChange DWORD ? ;28 == 1
Unknown2C DWORD ? ;2C == apfnDispatch - NOTE(review): user32's callback table reached from the kernel; another writable function-pointer table, a known injection target
Unknown30 DWORD ? ;30 == 0
Unknown34 DWORD ? ;34 == 0
Unknown38 DWORD ? ;38 == 0
Unknown3C DWORD ? ;3C == 0
Unknown40 DWORD ? ;40 == TlsBitMap
Unknown44 DWORD ? ;44 == 3FH
Unknown48 DWORD ? ;48 == 0
ProgramHeap02 DWORD ? ;4C
ProgramHeap02a DWORD ? ;50
InProgramHeap02 DWORD ? ;54
AnsiCodePage DWORD ? ;58 -> code page data
OemCodePage DWORD ? ;5C
UnicodeCodePage DWORD ? ;60
NumberProcessors DWORD ? ;64
GlobalFlag DWORD ? ;68 NtGlobalFlag bits; value depends on gflags/debugger presence (heap-validation bits get set under a debugger) - treat as variable
Unknown6C DWORD ? ;6C == 0
CritSectTimeout DWORD ? ;70 low part; with Unknown74 likely one 64-bit timeout
Unknown74 DWORD ? ;74 high part (likely)
HeapSegmentReserve DWORD ? ;78
HeapSegementCommit DWORD ? ;7C (sic - name kept; HeapSegmentCommit)
HeapDeCommitTotalFreeTreshold DWORD ? ;80 == 10000H (sic - Threshold)
HeapDeCommitFreeBlockTreshold DWORD ? ;84 == 1000H (sic - Threshold)
Unknown88 DWORD ? ;88 (likely NumberOfHeaps)
Unknown8C DWORD ? ;8C == 386H (likely MaximumNumberOfHeaps)
Unknown90 DWORD ? ;90 == RtlpProcessHeapsListBuffer (-> array of heap pointers)
Unknown94 DWORD ? ;94
Unknown98 DWORD ? ;98 == 0
Unknown9C DWORD ? ;9C == 14H
UnknownA0 DWORD ? ;A0 == LoaderLock (-> the critical section the loader holds in DllMain)
dwMajorVersion DWORD ? ;A4 OS major version - the place to read for gating the fields above/below
dwMinorVersion DWORD ? ;A8
dwBuildNumber WORD ? ;AC
CSDVersion WORD ? ;AE service-pack number (packed, high byte = major - confirm)
dwPlatformId DWORD ? ;B0
Subsystem DWORD ? ;B4 image subsystem
MajorSusbsytemVersion DWORD ? ;B8 (sic - name kept; MajorSubsystemVersion)
MinorSusbsytemVersion DWORD ? ;BC (sic)
ProcessAffinityMask DWORD ? ;C0
UnknownC4 DWORD 044H DUP (?) ;C4 110H bytes -> 1D4
SessionId DWORD ? ;1D4 terminal-services session (per name)
Unknown1D8 DWORD ? ;1D8
Unknown1DC DWORD ? ;1DC
Unknown1E0 DWORD ? ;1E0
Unknown1E4 DWORD ? ;1E4
PEB ENDS ;size 1E8H, NT4 size 150H
;-----------------------------------------
TEB STRUCT ;NTDDK + EliCZ - 32-bit Win2000-era layout; the first 1CH bytes are the documented NT_TIB
;NOTE(review): on x86 NT the fs segment base is this structure, so fs:[18H] reads
;Self and fs:[30H] reads pPEB (confirm for the target build). Everything after
;1CH is version-specific (FA4H here vs F88H on NT4, see trailer) and must be
;gated on the PEB version fields before it is dereferenced.
ExceptionList DWORD ? ;00 head of the SEH registration chain - the classic stack-overflow overwrite target; validate it stays within StackLimit..StackBase when you walk it
StackBase DWORD ? ;04 top of the thread stack (NT_TIB)
StackLimit DWORD ? ;08 lowest committed stack address (NT_TIB)
SubSystemTib DWORD ? ;0C
UNION
FiberData DWORD ? ;10
Version DWORD ? ;10 same slot as FiberData (anonymous union)
ENDS
ArbitraryUserPointer DWORD ? ;14
Self DWORD ? ;18 linear address of this TEB
EnvironmentPtr DWORD ? ;1C
ClientId CLIENT_ID <> ;20 UniqueProcess at 20H, UniqueThread at 24H
RpcHandle DWORD ? ;28
TlsStorage DWORD ? ;2C
pPEB DWORD ? ;30 *PEB
LastErrorValue DWORD ? ;34 Get/SetLastError
OwnedLocksCount DWORD ? ;38 aka CountOfOwnedCriticalSections
Unknown3C DWORD ? ;3C
Win32ThreadInfo DWORD ? ;40
Unknown44 DWORD 020H DUP (?) ;44 80H bytes -> C4
Locale DWORD ? ;C4
UnknownC8 DWORD 17BH DUP (?) ;C8 5ECH bytes -> 6B4
RealClientId CLIENT_ID <> ;6B4
Unknown6BC DWORD ? ;6BC
GdiClientId CLIENT_ID <> ;6C0
GdiThreadLocalInfo DWORD ? ;6C8
Win32ClientInfo DWORD ? ;6CC probably array
Unknown6D0 DWORD 149H DUP (?) ;6D0 524H bytes -> BF4
LastStatusValue DWORD ? ;BF4 NTSTATUS counterpart of LastErrorValue (per name)
WindowStation UNICODE_STRING <> ;BF8 NOTE(review): NTDDK calls this StaticUnicodeString; its buffer appears to be the area at C00H - confirm before relying on the name
UnknownC00 DWORD 083H DUP (?) ;C00 20CH bytes -> E0C
ThreadStack DWORD ? ;E0C
UnknownE10 DWORD 043H DUP (?) ;E10 10CH bytes -> F1C
RpcTls DWORD ? ;F1C ptr to RPC_TLS
UnknownF20 DWORD ? ;F20
UnknownF24 DWORD ? ;F24
HardErrorsMode DWORD ? ;F28
UnknownF2C DWORD 01BH DUP (?) ;F2C 6CH bytes -> F98
LogonLocale DWORD ? ;F98
LogonLocale2 DWORD ? ;F9C
UnknownFA0 DWORD ? ;FA0
TEB ENDS ;size FA4H, NT4 size F88H (fields at F88H and beyond do not exist on NT4)
;-----------------------------------------
;Shared area mapped into every process at 7FFE0000H (user-mode view); the
;kernel-mode mapping is at FFDF0000H. The user-mode view is read-only - a
;write from user mode faults - and the kernel updates it concurrently, so
;treat every field as volatile input.
UP_KUSER_SHARED_DATA = 7FFE0000H ;user-mode base address; view it as *KUSER_SHARED_DATA
KUSER_SHARED_DATA STRUCT ;EliCZ - 32-bit Win2000-era layout; read-only from user mode, updated by the kernel
;Offsets from 30H on depend on WCHAR being 2 bytes and MAX_PATH being 260 (208H
;bytes) in the including file. Size check: 30H + 208H = 238H; 244H + 25H*4 = 2D8H.
TickCount DWORD ? ;00
TickCountMultiplier DWORD ? ;04 ??
ElapsedTime QWORD ? ;08 low dword at 08H, high dword at 0CH
ElapsedTimeCompareHigh DWORD ? ;10 NOTE(review): presumably a second copy of the high dword (KSYSTEM_TIME.High2Time); read High, Low, CompareHigh and retry on mismatch so a concurrent kernel update is not read torn
SystemTime QWORD ? ;14 LocalTime = SystemTime - TimeZoneBias
SystemTimeCompareHigh DWORD ? ;1C same torn-read guard for SystemTime
TimeZoneBias QWORD ? ;20
TimeZoneBiasCompareHigh DWORD ? ;28 same for TimeZoneBias
ImageNumberLow WORD ? ;2C
ImageNumberHigh WORD ? ;2E
SystemRoot WCHAR MAX_PATH DUP (?) ;30 bounded by MAX_PATH WCHARs - do not assume a terminator beyond the array
Unknown238 DWORD ? ;238
CryptoExponent DWORD ? ;23C
TimeZoneId DWORD ? ;240
Unknown244 DWORD 25H DUP (?) ;244 94H bytes -> 2D8
KUSER_SHARED_DATA ENDS ;size 2D8
;-----------------------------------------
RPC_TLS STRUCT ;EliCZ
fAsync DWORD ? ;00
HandleToThread DWORD ? ;04
HandleToThreadEvent DWORD ? ;08
Context DWORD ? ;0C
SecurityContext DWORD ? ;10
BufferCacheArray DWORD 008H DUP (?) ;14
CancelTimeout DWORD ? ;34
fCallCanceled DWORD ? ;38
Unknown3C DWORD ? ;3C
ExtendedStatus DWORD ? ;40
SavedProcedure DWORD ? ;44
SavedParameter DWORD ? ;48
ActiveCall DWORD ? ;4C
Unknown50 DWORD 004H DUP (?) ;50