;GlobalFlag bit masks (continued from above). Every GF_* value is a single
;bit of the DWORD read back through SYSTEM_GLOBALFLAG_INFORMATION.GlobalFlag
;(declared below); the FLG_* aliases that follow give the long names and
;note the mode (user/kernel) in which each bit is honoured.
GF_HFC = 00000020H ;Enable heap free checking
GF_HPC = 00000040H ;Enable heap parameter checking
GF_HVC = 00000080H ;Enable heap validation on call
GF_PTC = 00000100H ;Enable pool tail checking
GF_PFC = 00000200H ;Enable pool free checking
GF_PTG = 00000400H ;Enable pool tagging
GF_HTG = 00000800H ;Enable heap tagging
GF_UST = 00001000H ;Create user mode stack trace DB
GF_KST = 00002000H ;Create kernel mode stack trace DB
GF_OTL = 00004000H ;Maintain a list of objects for each type
GF_HTD = 00008000H ;Enable Heap Tagging By DLL
GF_IDP = 00010000H ;unused
GF_D32 = 00020000H ;Enable debugging of Win32 Subsystem
GF_KSL = 00040000H ;Enable loading of kernel debugger symbols
GF_DPS = 00080000H ;Disable paging of kernel stacks
GF_HAT = 00100000H ;Enable Heap API Call Tracing
GF_DHC = 00200000H ;Disable Heap Coalesce on Free
GF_ECE = 00400000H ;Enable Close Exception
GF_EEL = 00800000H ;Enable Exception Logging
GF_EOT = 01000000H ;Enable Object Handle Type Tagging
GF_HPA = 02000000H ;Place heap allocations at ends of pages
GF_DWL = 04000000H ;Debug WINLOGON
GF_DDP = 08000000H ;Disable kernel mode DbgPrint output
GF_ECC = 10000000H ;Early CritSec Event Creation
;no GF_* constant is defined here for bits 20000000H and 40000000H
GF_DPD = 80000000H ;Disable protected DLL verification
;Long-name aliases for the GF_* bits. GF_SOE, GF_SLS, GF_DIC, GF_SHG and
;GF_HTC are defined earlier in this file. The trailing comments record
;whether a bit has any effect in user mode, kernel mode, or both.
FLG_STOP_ON_EXCEPTION = GF_SOE
FLG_SHOW_LDR_SNAPS = GF_SLS
FLG_DEBUG_INITIAL_COMMAND = GF_DIC
FLG_STOP_ON_HUNG_GUI = GF_SHG
FLG_HEAP_ENABLE_TAIL_CHECK = GF_HTC ;user mode only
FLG_HEAP_ENABLE_FREE_CHECK = GF_HFC ;user mode only
FLG_HEAP_VALIDATE_PARAMETERS = GF_HPC ;user mode only
FLG_HEAP_VALIDATE_ALL = GF_HVC ;user mode only
FLG_POOL_ENABLE_TAIL_CHECK = GF_PTC ;kernel mode only
FLG_POOL_ENABLE_FREE_CHECK = GF_PFC ;kernel mode only
FLG_POOL_ENABLE_TAGGING = GF_PTG ;kernel mode only
FLG_USER_STACK_TRACE_DB = GF_UST ;user mode and x86 only
FLG_KERNEL_STACK_TRACE_DB = GF_KST ;kernel mode and x86 only
FLG_MAINTAIN_OBJECT_TYPELIST = GF_OTL ;kernel mode only
FLG_WIN95_MODE = GF_HTD ;user mode and kernel mode
FLG_IGNORE_DEBUG_PRIV = GF_IDP ;kernel mode only
FLG_ENABLE_CSRDEBUG = GF_D32
FLG_ENABLE_KDEBUG_SYMBOL_LOAD = GF_KSL
FLG_DISABLE_PAGE_KERNEL_STACKS = GF_DPS
;Mask of the GlobalFlag bits considered valid. It covers bits 0-10 and
;12-19 only: GF_HTG (bit 11) and every bit from GF_HAT (bit 20) upward
;fall outside it. Do not use it to reject a GlobalFlag word carrying the
;higher debugging bits without first checking the target NT version.
FLG_VALID_BITS = 000FF7FFH
;Buffer layout of the system global-flag information class: a single
;DWORD holding a combination of the GF_* bits defined above.
SYSTEM_GLOBALFLAG_INFORMATION STRUCT ;EliCZ
GlobalFlag DWORD ? ;00 combination of GF_* bits
SYSTEM_GLOBALFLAG_INFORMATION ENDS
;-----------------------------------------
;SystemLoadedModuleInformation: enumerates the modules loaded into the
;system. The buffer is a DWORD count followed by that many fixed-size
;SYSTEM_LOADEDMODULE entries (11CH bytes each).
SystemLoadedModuleInformation = 11
SYSTEM_LOADEDMODULE STRUCT ;EliCZ  32-bit layout (ModuleBase is a DWORD)
Unknown00 DWORD ? ;00
Unknown04 DWORD ? ;04
ModuleBase DWORD ? ;08 image base address
ModuleSize DWORD ? ;0C image size
Unknown10 DWORD ? ;10
Unknown14 DWORD ? ;14
Unknown18 WORD ? ;18
BaseNameOffset WORD ? ;1A presumably the offset of the base name within ModuleFileName; check it is below 100H before indexing with it
ModuleFileName CHAR 100H DUP (?) ;1C always ansi; fixed 100H-byte field, never read past it
SYSTEM_LOADEDMODULE ENDS
SYSTEM_LOADEDMODULE_INFORMATION STRUCT
ModuleCount DWORD ? ;00 number of SYSTEM_LOADEDMODULE entries that follow
;follows array of SYSTEM_LOADEDMODULE structures
ModuleInformation SYSTEM_LOADEDMODULE <> ;04 first entry; the remaining entries are contiguous, so verify ModuleCount*SIZEOF SYSTEM_LOADEDMODULE fits the returned length before walking them
SYSTEM_LOADEDMODULE_INFORMATION ENDS
;-----------------------------------------
;SystemHandleInformation: snapshot of every open handle in the system,
;as a DWORD count followed by that many 16-byte SYSTEM_HANDLE entries.
SystemHandleInformation = 16
;Object type indices as reported in SYSTEM_HANDLE.ObjectType. Indices 11
;and 24 are unresolved here (see the "channel auditalarm ?" notes).
;NOTE(review): type indices are tied to the NT version this list was taken
;from; treat them as hints and confirm against the target system rather
;than hard-coding decisions on them.
OT_DIRECTORY = 02
OT_SYMLINK = 03
OT_TOKEN = 04
OT_PROCESS = 05
OT_THREAD = 06
OT_JOB = 07
OT_EVENT = 08
OT_EVENTPAIR = 09
OT_MUTANT = 10
;channel auditalarm ?
OT_SEMAPHORE = 12
OT_TIMER = 13
OT_PROFILE = 14
OT_WINSTATION = 15
OT_DESKTOP = 16
OT_SECTION = 17
OT_KEY = 18
OT_PORT = 19
OT_WAIT = 20
OT_ADAPTER = 21
OT_CONTINUATION = 22
OT_DEVICE = 23
;channel auditalarm ?
OT_IOCOMPLETION = 25
OT_FILE = 26
SYSTEM_HANDLE STRUCT ;EliCZ  16 bytes, 32-bit layout (ObjectPointer is a DWORD)
ProcessId DWORD ? ;00 id of the process owning the handle
ObjectType BYTE ? ;04 one of the OT_* indices above
Flags BYTE ? ;05 handle attribute bits 0..7
Handle WORD ? ;06 handle value (only the low 16 bits are reported)
ObjectPointer DWORD ? ;08 presumably the kernel address of the object
Access DWORD ? ;0C presumably the granted access mask
SYSTEM_HANDLE ENDS
SYSTEM_HANDLE_INFORMATION STRUCT
HandleCount DWORD ? ;00 number of SYSTEM_HANDLE entries that follow
;follows array of SYSTEM_HANDLE structures
HandleInformation SYSTEM_HANDLE <> ;04 first entry; verify HandleCount*SIZEOF SYSTEM_HANDLE fits the returned length before walking the array
SYSTEM_HANDLE_INFORMATION ENDS
;-----------------------------------------
SystemObjectInformation = 17 ;to be done
;Placeholder only: the structure declares no members yet, so it cannot be
;used to size or parse the buffer of this information class.
SYSTEM_OBJECT_INFORMATION STRUCT ;EliCZ
SYSTEM_OBJECT_INFORMATION ENDS
;-----------------------------------------
;SystemPageFileInformation: one record per paging file.
SystemPageFileInformation = 18
SYSTEM_PAGEFILE_INFORMATION STRUCT ;EliCZ
SizeOfBlock DWORD ? ;00 NULL for info end -- presumably the byte offset to the next record, zero on the last one
CurrentSize DWORD ? ;04 in pages
TotalUsedPages DWORD ? ;08 in pages
PeakUsedPages DWORD ? ;0C in pages
PagefileName UNICODE_STRING <> ;10 name of the paging file; validate that its Buffer/Length lie inside the returned buffer before dereferencing
SYSTEM_PAGEFILE_INFORMATION ENDS
;-----------------------------------------
;SystemDebuggerInformation: two BYTE flags describing kernel debugger state.
SystemDebuggerInformation = 35
SYSTEM_DEBUGGER_INFORMATION STRUCT ;EliCZ
KernelDebuggerEnabled BYTE ? ;00 i386kd -- presumably nonzero when kernel debugging is enabled
KernelDebuggerNotPresent BYTE ? ;01 presumably nonzero when no kernel debugger is attached (note the inverted sense)
SYSTEM_DEBUGGER_INFORMATION ENDS
;-----------------------------------------
SystemSingleProcessInformation = 53 ;NT5+  NOTE(review): the structure is per-session, and the DDK name for class 53 is SystemSessionProcessInformation -- confirm before relying on this name
SYSTEM_SESSIONPROCESS_INFORMATION STRUCT ;EliCZ
SessionId DWORD ? ;00 session whose processes are queried
BufferSize DWORD ? ;04 size in bytes of the buffer at Buffer -- presumably caller-supplied
Buffer DWORD ? ;08 ptr to SYSTEM_PROCESS_INFORMATION -- presumably a caller-supplied output area, TODO confirm
SYSTEM_SESSIONPROCESS_INFORMATION ENDS
;-----------------------------------------
;ProcessBasicInformation: 32-bit layout (PebBaseAddress is a DWORD), 18H bytes.
ProcessBasicInformation = 0
PROCESS_BASIC_INFORMATION STRUCT ;NTDDK
ExitStatus DWORD ? ;00 NTSTATUS exit code
PebBaseAddress DWORD ? ;04 address of the PEB inside the target process
AffinityMask DWORD ? ;08
BasePriority DWORD ? ;0C
UniqueProcessId DWORD ? ;10 process id
InheritedFromUniqueProcessId DWORD ? ;14 id of the creating process; that id may since have been reused, so do not treat it as a live parent handle
PROCESS_BASIC_INFORMATION ENDS
;-----------------------------------------
;ProcessQuotaLimits: 20H bytes (five DWORDs, a DWORD pad, one QWORD).
ProcessQuotaLimits = 1
QUOTA_LIMITS STRUCT ;NTDDK corrected by EliCZ: size must be 20H
PagedPoolLimit DWORD ? ;00
NonPagedPoolLimit DWORD ? ;04
MinimumWorkingSetSize DWORD ? ;08
MaximumWorkingSetSize DWORD ? ;0C
PagefileLimit DWORD ? ;10
Reserved14 DWORD ? ;14 added (probably qword alignment) -- brings TimeLimit to offset 18H
TimeLimit QWORD ? ;18
QUOTA_LIMITS ENDS
;-----------------------------------------
;ProcessIoCounters: six 64-bit counters, 30H bytes.
ProcessIoCounters = 2
IO_COUNTERS STRUCT ;NTDDK corrected by EliCZ: NT4 :NOT_SUPPORTED, NT5: long integers
ReadOperationCount QWORD ? ;00 ;DWORD ? (earlier, narrower definition)
WriteOperationCount QWORD ? ;08 ;DWORD ?
OtherOperationCount QWORD ? ;10 ;DWORD ?
ReadTransferCount QWORD ? ;18
WriteTransferCount QWORD ? ;20
OtherTransferCount QWORD ? ;28
IO_COUNTERS ENDS
;-----------------------------------------
;ProcessVmCounters: eleven DWORD counters (2CH bytes), 32-bit layout.
ProcessVmCounters = 3
VM_COUNTERS STRUCT ;NTDDK
PeakVirtualSize DWORD ? ;00
VirtualSize DWORD ? ;04
PageFaultCount DWORD ? ;08
PeakWorkingSetSize DWORD ? ;0C
WorkingSetSize DWORD ? ;10
QuotaPeakPagedPoolUsage DWORD ? ;14
QuotaPagedPoolUsage DWORD ? ;18
QuotaPeakNonPagedPoolUsage DWORD ? ;1C
QuotaNonPagedPoolUsage DWORD ? ;20
PagefileUsage DWORD ? ;24
PeakPagefileUsage DWORD ? ;28
VM_COUNTERS ENDS
;-----------------------------------------
;ProcessTimes: four 64-bit timestamps/durations, 20H bytes.
ProcessTimes = 4
KERNEL_USER_TIMES STRUCT ;NTDDK
CreateTime QWORD ? ;00 presumably a FILETIME-style absolute time
ExitTime QWORD ? ;08 presumably zero while the process is still running -- TODO confirm
KernelTime QWORD ? ;10 presumably 100-ns units -- TODO confirm
UserTime QWORD ? ;18
KERNEL_USER_TIMES ENDS
;-----------------------------------------
;ProcessPooledUsageAndLimits: nine DWORDs (24H bytes).
ProcessPooledUsageAndLimits = 14
POOLED_USAGE_AND_LIMITS STRUCT ;NTDDK
PeakPagedPoolUsage DWORD ? ;00
PagedPoolUsage DWORD ? ;04
PagedPoolLimit DWORD ? ;08
PeakNonPagedPoolUsage DWORD ? ;0C
NonPagedPoolUsage DWORD ? ;10
NonPagedPoolLimit DWORD ? ;14
PeakPagefileUsage DWORD ? ;18
PagefileUsage DWORD ? ;1C
PagefileLimit DWORD ? ;20
POOLED_USAGE_AND_LIMITS ENDS
;-----------------------------------------
;ProcessWorkingSetWatch: one record per recorded page fault, 32-bit layout.
ProcessWorkingSetWatch = 15
PROCESS_WS_WATCH_INFORMATION STRUCT ;NTDDK
FaultingPc DWORD ? ;00 address of the faulting instruction
FaultingVa DWORD ? ;04 virtual address that faulted
PROCESS_WS_WATCH_INFORMATION ENDS
;-----------------------------------------
;ProcessDeviceMap: query form of the device-map information.
ProcessDeviceMap = 23
PROCESS_DEVICEMAP_INFORMATION STRUCT ;NTDDK
DriveMap DWORD ? ;00 presumably bit n set when drive letter A+n exists
DriveType WCHAR 32 DUP (?) ;04 NOTE(review): the DDK declares this as UCHAR[32]; as WCHAR the structure is 44H bytes instead of 24H -- confirm before passing SIZEOF to a query
PROCESS_DEVICEMAP_INFORMATION ENDS
;-----------------------------------------
;ThreadBasicInformation: 32-bit layout (TebBaseAddress is a DWORD).
ThreadBasicInformation = 0
THREAD_BASIC_INFORMATION STRUCT ;EliCZ
ExitStatus DWORD ? ;00 NTSTATUS exit code
TebBaseAddress DWORD ? ;04 address of the TEB inside the owning process
ClientId CLIENT_ID <> ;08 process and thread ids (CLIENT_ID is declared elsewhere in this file)
AffinityMask DWORD ?
BasePriority DWORD ?
DynamicPriority DWORD ?
THREAD_BASIC_INFORMATION ENDS
;-----------------------------------------
ABOVE2GB EQU 08000000H ;for Windows 9x VirtualAlloc. (c) Matt Pietrek
;-----------------------------------------
;Well-known privilege values (the LowPart of the privilege LUID; HighPart
;is 0). SE_UNSOLICITED_INPUT_PRIVILEGE and SE_MACHINE_ACCOUNT_PRIVILEGE
;intentionally share the value 6.
SE_MIN_WELL_KNOWN_PRIVILEGE = 2
SE_CREATE_TOKEN_PRIVILEGE = 2
SE_ASSIGNPRIMARYTOKEN_PRIVILEGE = 3
SE_LOCK_MEMORY_PRIVILEGE = 4
SE_INCREASE_QUOTA_PRIVILEGE = 5
SE_UNSOLICITED_INPUT_PRIVILEGE = 6
SE_MACHINE_ACCOUNT_PRIVILEGE = 6
SE_TCB_PRIVILEGE = 7
SE_SECURITY_PRIVILEGE = 8
SE_TAKE_OWNERSHIP_PRIVILEGE = 9
SE_LOAD_DRIVER_PRIVILEGE = 10
SE_SYSTEM_PROFILE_PRIVILEGE = 11
SE_SYSTEMTIME_PRIVILEGE = 12
SE_PROF_SINGLE_PROCESS_PRIVILEGE = 13
SE_INC_BASE_PRIORITY_PRIVILEGE = 14
SE_CREATE_PAGEFILE_PRIVILEGE = 15
SE_CREATE_PERMANENT_PRIVILEGE = 16
SE_BACKUP_PRIVILEGE = 17
SE_RESTORE_PRIVILEGE = 18
SE_SHUTDOWN_PRIVILEGE = 19
SE_DEBUG_PRIVILEGE = 20
SE_AUDIT_PRIVILEGE = 21
SE_SYSTEM_ENVIRONMENT_PRIVILEGE = 22
SE_CHANGE_NOTIFY_PRIVILEGE = 23
SE_REMOTE_SHUTDOWN_PRIVILEGE = 24
SE_UNDOCK_PRIVILEGE = 25
SE_SYNC_AGENT_PRIVILEGE = 26
SE_ENABLE_DELEGATION_PRIVILEGE = 27
SE_MAX_WELL_KNOWN_PRIVILEGE = SE_ENABLE_DELEGATION_PRIVILEGE ;27 here; later NT versions define higher values, so check the target SDK before using this as an upper bound
;For RtlAdjustPrivilege:
;selects the token the privilege is adjusted in -- presumably the process
;token versus the current thread's impersonation token; confirm
ADJUST_CURRENT_PROCESS = 0
ADJUST_CURRENT_THREAD = 1
;-----------------------------------------