RPC_TLS ENDS ;size 60H
;-----------------------------------------
SystemBasicInformation = 0
;EliCZ
;SYSTEM_BASIC_INFORMATION: returned by NtQuerySystemInformation(SystemBasicInformation).
;32-bit (x86) layout: every member is a DWORD except the trailing processor count, and the
;STRUCT DWORD alignment pads the total to a DWORD multiple (SIZEOF comes out at 2CH).
;Pass a buffer of at least that size and check the status / returned length; do not assume
;the call filled the structure. The hex values in the inline comments are what the original
;author observed on one machine and are examples, not guarantees.
SYSTEM_BASIC_INFORMATION STRUCT DWORD
Machine DWORD ? ;meaning unknown to the original author ("pure fantasy"); 0 = local ??
MaximumIncrement DWORD ? ;NOTE(review): presumably the clock/timer increment -- unverified here
PageSize DWORD ? ;e.g. 1000H
PhysicalPages DWORD ? ;number of pages; KiloBytes = PhysicalPages*(PageSize >> 0AH)
LowestPhysicalPage DWORD ? ;e.g. 1
HighestPhysicalPage DWORD ? ;e.g. 1FFFH
AllocationGranularity DWORD ? ;e.g. 10000H
LowestUserAddress DWORD ? ;e.g. 10000H ?? (original author unsure)
HighestUserAddress DWORD ? ;e.g. 7FFEFFFFH
ActiveProcessors DWORD ? ;affinity mask, one bit per active processor
NumberProcessors BYTE ? ;count; only a BYTE, the rest of the last DWORD is padding
SYSTEM_BASIC_INFORMATION ENDS
;-----------------------------------------
SystemProcessorInformation = 1
;EliCZ
;SYSTEM_PROCESSOR_INFORMATION: returned by NtQuerySystemInformation(SystemProcessorInformation).
;Three WORDs of architecture/level/revision, one WORD of padding, then a DWORD of feature bits
;(0CH bytes total).
SYSTEM_PROCESSOR_INFORMATION STRUCT DWORD
Architecture WORD ?
Level WORD ?
Revision WORD ?
Reserved06 WORD ? ;alignment padding so FeatureBits lands on a DWORD boundary
FeatureBits DWORD ? ;bit mask; see FB_* below
SYSTEM_PROCESSOR_INFORMATION ENDS
;Bit in FeatureBits. The name suggests "fast system call" (sysenter) support; test the bit
;instead of assuming the instruction is available on the target CPU/kernel.
FB_FASTSYSCALL EQU 1000H
;-----------------------------------------
SystemPerformanceInformation = 2
;EliCZ
;SYSTEM_PERFORMANCE_INFORMATION: returned by NtQuerySystemInformation(SystemPerformanceInformation).
;32-bit (x86) layout, 138H bytes; the number after each member is its byte offset.
;The members fall into three groups (I/O manager, memory manager, cache manager). Names
;outside the clearly identified ones are the original author's: where the meaning was unknown
;the member is named after its index or offset (MemInfoCounterNN, PoolUsageNN, UnknownA0,
;PCRB4xx) -- do not read semantics into those names. Size the buffer from SIZEOF and check the
;returned length; newer kernels may append members, older ones may return less.
SYSTEM_PERFORMANCE_INFORMATION STRUCT DWORD
IdleTime QWORD ? ;00
ReadTransferCount QWORD ? ;08 ;Io data (cumulative byte counts)
WriteTransferCount QWORD ? ;10
OtherTransferCount QWORD ? ;18
ReadOperationCount DWORD ? ;20 ;Io data (cumulative operation counts)
WriteOperationCount DWORD ? ;24
OtherOperationCount DWORD ? ;28
AvailablePages DWORD ? ;2C ;Mm data
TotalCommittedPages DWORD ? ;30
TotalCommitLimit DWORD ? ;34
PeakCommitment DWORD ? ;38
;NOTE(review): MemInfoCounter00..12 reportedly correspond, in order, to the public
;PageFaultCount, CopyOnWriteCount, TransitionCount, CacheTransitionCount, DemandZeroCount,
;PageReadCount, PageReadIoCount, CacheReadCount, CacheIoCount, DirtyPagesWriteCount,
;DirtyWriteIoCount, MappedPagesWriteCount, MappedWriteIoCount -- unverified here.
MemInfoCounter00 DWORD ? ;3C
MemInfoCounter01 DWORD ? ;40
MemInfoCounter02 DWORD ? ;44
MemInfoCounter03 DWORD ? ;48
MemInfoCounter04 DWORD ? ;4C
MemInfoCounter05 DWORD ? ;50
MemInfoCounter06 DWORD ? ;54
MemInfoCounter07 DWORD ? ;58
MemInfoCounter08 DWORD ? ;5C
MemInfoCounter09 DWORD ? ;60
MemInfoCounter10 DWORD ? ;64
MemInfoCounter11 DWORD ? ;68
MemInfoCounter12 DWORD ? ;6C
PagedPoolSize DWORD ? ;70 (in pages)
NonpagedPoolSize DWORD ? ;74 (in pages)
PoolUsage02 DWORD ? ;78 ;NOTE(review): PoolUsageNN are presumably pool alloc/free/lookaside counters -- unverified
PoolUsage03 DWORD ? ;7C
PoolUsage05 DWORD ? ;80
PoolUsage06 DWORD ? ;84
TotalFreeSystemPtes DWORD ? ;88
SystemCodePage DWORD ? ;8C
TotalSystemDriverPages DWORD ? ;90
TotalSystemCodePages DWORD ? ;94
PoolUsage07 DWORD ? ;98
PoolUsage04 DWORD ? ;9C
UnknownA0 DWORD ? ;A0 meaning unknown to the original author
SystemCachePage DWORD ? ;A4
PagedPoolUsage DWORD ? ;A8
SystemDriverPage DWORD ? ;AC
FastReadNoWait DWORD ? ;B0 ;Cc data (cache manager counters)
FastReadWait DWORD ? ;B4
FastReadResourceMiss DWORD ? ;B8
FastReadNotPossible DWORD ? ;BC
FastMdlReadNoWait DWORD ? ;C0
FastMdlReadWait DWORD ? ;C4
FastMdlReadResourceMiss DWORD ? ;C8
FastMdlReadNotPossible DWORD ? ;CC
MapDataNoWait DWORD ? ;D0
MapDataWait DWORD ? ;D4
MapDataNoWaitMiss DWORD ? ;D8
MapDataWaitMiss DWORD ? ;DC
PinMappedDataCount DWORD ? ;E0
PinReadNoWait DWORD ? ;E4
PinReadWait DWORD ? ;E8
PinReadNoWaitMiss DWORD ? ;EC
PinReadWaitMiss DWORD ? ;F0
CopyReadNoWait DWORD ? ;F4
CopyReadWait DWORD ? ;F8
CopyReadNoWaitMiss DWORD ? ;FC
CopyReadWaitMiss DWORD ? ;100
MdlReadNoWait DWORD ? ;104
MdlReadWait DWORD ? ;108
MdlReadNoWaitMiss DWORD ? ;10C
MdlReadWaitMiss DWORD ? ;110
ReadAheadIos DWORD ? ;114
LazyWriteIos DWORD ? ;118
LazyWritePages DWORD ? ;11C
DataFlushes DWORD ? ;120
DataPages DWORD ? ;124
ContextSwaps DWORD ? ;128 context switches (confirmed by the original author)
PCRB4AC DWORD ? ;12C meaning unknown; named after a PRCB offset (NOTE(review): reportedly first-level TLB fills -- unverified)
PCRB4B8 DWORD ? ;130 meaning unknown; named after a PRCB offset (NOTE(review): reportedly second-level TLB fills -- unverified)
SyscallsCalled DWORD ? ;134 system calls since boot (confirmed by the original author)
SYSTEM_PERFORMANCE_INFORMATION ENDS
;-----------------------------------------
SystemTimeInformation = 3
;EliCZ
;SYSTEM_TIME_INFORMATION: returned by NtQuerySystemInformation(SystemTimeInformation).
;Six QWORDs (30H bytes); times are 64-bit system time values (100ns units), biases are
;offsets in the same units. No alignment specifier is needed because every member is a QWORD.
;NOTE(review): CurrentTimeZoneId is declared as a QWORD, which keeps the layout size but in the
;public layout this slot is a DWORD id followed by a reserved DWORD -- only the low DWORD is
;meaningful as an id; unverified here.
SYSTEM_TIME_INFORMATION STRUCT
BootTime QWORD ? ;00
SystemTime QWORD ? ;08 current system time
TimeZoneBias QWORD ? ;10
CurrentTimeZoneId QWORD ? ;18 see note above about the width
BootTimeBias QWORD ? ;20
InterruptTimeBias QWORD ? ;28
SYSTEM_TIME_INFORMATION ENDS
;-----------------------------------------
SystemPathInformation = 4 ;no structure defined here: the original author notes the same information (the system path) is available via the shared user data page, so this class is not normally needed
;-----------------------------------------
SystemProcessInformation = 5
;EliCZ
;Sizes used when walking the SystemProcessInformation buffer (see the structures below).
;The process block size differs between NT4 and NT5; pick the right one or, better, use the
;SizeOfBlock member of each block at run time.
THREAD_INFO_OFFSET EQU 024H ;NOTE(review): meaning not evident from this file; 024H matches ClientId+4 (the thread id slot) inside SYSTEM_THREAD_INFORMATION -- check the users before relying on that
THREAD_INFO_SIZE EQU 040H ;SIZEOF SYSTEM_THREAD_INFORMATION (last member at 3CH)
NT4_PROCESS_INFO_SIZE EQU 088H ;offset of the thread array in NT4_SYSTEM_PROCESS_INFORMATION
NT5_PROCESS_INFO_SIZE EQU 0B8H ;offset of the thread array in NT5_SYSTEM_PROCESS_INFORMATION
;Thread states, as reported in SYSTEM_THREAD_INFORMATION.State:
TS_INITIALIZED EQU 0
TS_READY EQU 1
TS_RUNNING EQU 2
TS_STANDBY EQU 3
TS_TERMINATED EQU 4
TS_WAITING EQU 5 ;WaitReason is only meaningful in this state
TS_TRANSITION EQU 6
TS_MAX EQU 7 ;one past the last value known to this file; newer kernels may add states
;see KWAIT
;Wait reasons, as reported in SYSTEM_THREAD_INFORMATION.WaitReason when State = TS_WAITING.
;Values 7..13 mirror 0..6 (the original author notes "7=0, 8=1, ... 13=6"); presumably the
;second set marks the same waits entered from a different mode -- unverified here, so treat
;WR_x and WR_x_ as the same reason unless you know otherwise.
WR_EXECUTIVE EQU 0
WR_FREEPAGE EQU 1
WR_PAGEIN EQU 2
WR_POOLALLOC EQU 3
WR_DELAYEXEC EQU 4
WR_SUSPENDED EQU 5
WR_USERREQUEST EQU 6
;7=0, 8=1, ... 13=6
WR_EXECUTIVE_ EQU 7
WR_FREEPAGE_ EQU 8
WR_PAGEIN_ EQU 9
WR_POOLALLOC_ EQU 10
WR_DELAYEXEC_ EQU 11
WR_SUSPENDED_ EQU 12
WR_USERREQUEST_ EQU 13
WR_EVENTPAIRHIGH EQU 14
WR_EVENTPAIRLOW EQU 15 ;user wait for work queue (original author's note)
WR_LPCRECEIVE EQU 16
WR_LPCREPLY EQU 17
WR_VIRTMEMORY EQU 18
WR_PAGEOUT EQU 19
WR_SPARE1 EQU 20 ;SPARE values are placeholders; do not interpret them
WR_SPARE2 EQU 21
WR_SPARE3 EQU 22
WR_SPARE4 EQU 23
WR_SPARE5 EQU 24
WR_SPARE6 EQU 25
WR_SPARE7 EQU 26
WR_MAX EQU 27 ;one past the last value; validate WaitReason < WR_MAX before using it as a table index
;SYSTEM_THREAD_INFORMATION: one record per thread, stored back to back right after each
;process block in the SystemProcessInformation buffer. 32-bit (x86) layout, 40H bytes
;(THREAD_INFO_SIZE); the number after each member is its byte offset.
SYSTEM_THREAD_INFORMATION STRUCT ;size THREAD_INFO_SIZE
KernelTime QWORD ? ;00
UserTime QWORD ? ;08
CreateTime QWORD ? ;10
TickCount DWORD ? ;18 NOTE(review): presumably the tick at which the current wait began -- unverified
StartAddress DWORD ? ;1C 32-bit pointer; only meaningful in the target's address space
ClientId CLIENT_ID <> ;20 8 bytes here: process id then thread id (next member is at 28H)
DynamicPriority DWORD ? ;28
BasePriority DWORD ? ;2C
ContextSwitches DWORD ? ;30
State DWORD ? ;34 one of TS_*
WaitReason DWORD ? ;38 one of WR_*; only meaningful when State = TS_WAITING
Reserved3C DWORD ? ;3C padding to 40H
SYSTEM_THREAD_INFORMATION ENDS
;Each process is described by one block; the blocks are packed back to back in the buffer
;returned for SystemProcessInformation, each followed by ThreadCount SYSTEM_THREAD_INFORMATION
;records. Walk the list by adding SizeOfBlock to the start of the current block and stop when
;SizeOfBlock is 0. Before reading a block, check that the whole block (including
;ThreadCount*THREAD_INFO_SIZE bytes of thread records) lies inside the length the kernel
;returned; an unchecked walk over a short or corrupted buffer reads past its end.
;The original author lost the notes on some members (context switches, faults, start
;addresses, user and kernel time, working-set size, number of handles ...), so the Reserved
;and "??" members below are placeholders, not statements about the kernel.
NT4_SYSTEM_PROCESS_INFORMATION STRUCT
SizeOfBlock DWORD ? ;00 byte offset from this block to the next one; 0 on the last block
ThreadCount DWORD ? ;04 number of SYSTEM_THREAD_INFORMATION records following this block
Reserved08 DWORD 06H DUP (?) ;08 18H bytes, meaning unknown here
CreateTime QWORD ? ;20
UserTime QWORD ? ;28
KernelTime QWORD ? ;30
ProcessName UNICODE_STRING <> ;38 8-byte counted string (next member at 40H); use Length, do not assume NUL termination
Priority DWORD ? ;40
ProcessId DWORD ? ;44
ParentProcessId DWORD ? ;48 creator's pid at snapshot time; the parent may have exited since
HandleCount DWORD ? ;4C
SessionId DWORD ? ;50 ?? (original author unsure)
Reserved54 DWORD ? ;54
PeakVirtualSize DWORD ? ;58
VirtualSize DWORD ? ;5C
PageFaultCount DWORD ? ;60
PeakWorkingSetSize DWORD ? ;64
WorkingSetSize DWORD ? ;68
QuotaPeakPagedPoolUsage DWORD ? ;6C
QuotaPagedPoolUsage DWORD ? ;70
QuotaPeakNonPagedPoolUsage DWORD ? ;74
QuotaNonPagedPoolUsage DWORD ? ;78
PagefileUsage DWORD ? ;7C
PeakPagefileUsage DWORD ? ;80
PrivatePages DWORD ? ;84
;the thread array starts here (NT4_PROCESS_INFO_SIZE); only its first element is declared
ThreadInformation SYSTEM_THREAD_INFORMATION <> ;88
NT4_SYSTEM_PROCESS_INFORMATION ENDS
;NT5 variant of the process block: identical to the NT4 block up to PrivatePages, then six
;QWORD I/O counters before the thread array, so the thread records start at 0B8H instead of
;88H. The same walking rules apply: advance by SizeOfBlock, stop at 0, and verify that the
;block plus ThreadCount*THREAD_INFO_SIZE bytes fits inside the returned length before use.
NT5_SYSTEM_PROCESS_INFORMATION STRUCT
SizeOfBlock DWORD ? ;00 byte offset from this block to the next one; 0 on the last block
ThreadCount DWORD ? ;04 number of SYSTEM_THREAD_INFORMATION records following this block
Reserved08 DWORD 06H DUP (?) ;08 18H bytes, meaning unknown here
CreateTime QWORD ? ;20
UserTime QWORD ? ;28
KernelTime QWORD ? ;30
ProcessName UNICODE_STRING <> ;38 8-byte counted string (next member at 40H); use Length, do not assume NUL termination
Priority DWORD ? ;40
ProcessId DWORD ? ;44
ParentProcessId DWORD ? ;48 creator's pid at snapshot time; the parent may have exited since
HandleCount DWORD ? ;4C
SessionId DWORD ? ;50 ?? (original author unsure)
Reserved54 DWORD ? ;54
PeakVirtualSize DWORD ? ;58
VirtualSize DWORD ? ;5C
PageFaultCount DWORD ? ;60
PeakWorkingSetSize DWORD ? ;64
WorkingSetSize DWORD ? ;68
QuotaPeakPagedPoolUsage DWORD ? ;6C
QuotaPagedPoolUsage DWORD ? ;70
QuotaPeakNonPagedPoolUsage DWORD ? ;74
QuotaNonPagedPoolUsage DWORD ? ;78
PagefileUsage DWORD ? ;7C
PeakPagefileUsage DWORD ? ;80
PrivatePages DWORD ? ;84
ReadOperationCount QWORD ? ;88 per-process I/O counters (not present in the NT4 block)
WriteOperationCount QWORD ? ;90
OtherOperationCount QWORD ? ;98
ReadTransferCount QWORD ? ;A0
WriteTransferCount QWORD ? ;A8
OtherTransferCount QWORD ? ;B0
;the thread array starts here (NT5_PROCESS_INFO_SIZE); only its first element is declared
ThreadInformation SYSTEM_THREAD_INFORMATION <> ;B8
NT5_SYSTEM_PROCESS_INFORMATION ENDS
;Assembly-time selection of the process block layout: define NT4 before including this file
;to get the 88H-byte NT4 block, otherwise the 0B8H-byte NT5 block is used. Because the choice
;is fixed when the binary is built, code assembled for one layout misreads the thread array
;(and, on NT4, reads I/O counters that are really thread records) on the other. Code that
;must run on both should decide at run time, e.g. from SizeOfBlock and ThreadCount, rather
;than from this TEXTEQU.
IFDEF NT4
SYSTEM_PROCESS_INFORMATION TEXTEQU <NT4_SYSTEM_PROCESS_INFORMATION>
ELSE
SYSTEM_PROCESS_INFORMATION TEXTEQU <NT5_SYSTEM_PROCESS_INFORMATION>
ENDIF
;-----------------------------------------
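;Was "= 9" here, which collided with SystemGlobalFlagInformation (also 9, below); the
;system-call counter class (SystemCallCountInformation in the public enumeration, which is
;what this structure describes) is 6.
SystemSyscallInformation = 6
;Per-table system call counters. The kernel only fills the counters while the count pointer
;in the (shadow) service descriptor table (at offset 4) is non-NULL; the original author did
;not know on which builds that holds, so an empty result is normal, not an error.
;The copied tables are variable-length and not bounded by the STRUCT: size the buffer from
;SizeOfBlock (retry when the call reports a length mismatch) and check that SyscallTables and
;every SizeOfTableNN stay inside the returned length before indexing the copied tables.
;The counters are copied as DWORDs from that pointer.
SYSTEM_SYSCALL_INFORMATION STRUCT ;EliCZ
SizeOfBlock DWORD ? ;total length of the block including the copied tables
SyscallTables DWORD ? ;number of tables that follow
SizeOfTable00 DWORD ? ;entries in table 0, in dwords
;etc.. SizeOfTable(SyscallTables-1)
;follow copied tables:
;Table00 DWORD SizeOfTable00 DUP (?)
;etc.. Table(SyscallTables-1) DWORD SizeOfTable(SyscallTables-1) DUP (?)
SYSTEM_SYSCALL_INFORMATION ENDS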
;-----------------------------------------
SystemGlobalFlagInformation = 9
GF_SOE = 00000001H ;Stop On Exception
GF_SLS = 00000002H ;Show Loader Snaps
GF_DIC = 00000004H ;Debug Initial Command
GF_SHG = 00000008H ;Stop on Hung GUI
GF_HTC = 00000010H ;Enable heap tail checking