/******************************************************************/
/* */
/* Winpooch : Windows Watchdog */
/* Copyright (C) 2004-2006 Benoit Blanchon */
/* */
/* This program is free software; you can redistribute it */
/* and/or modify it under the terms of the GNU General Public */
/* License as published by the Free Software Foundation; either */
/* version 2 of the License, or (at your option) any later */
/* version. */
/* */
/* This program is distributed in the hope that it will be */
/* useful, but WITHOUT ANY WARRANTY; without even the implied */
/* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR */
/* PURPOSE. See the GNU General Public License for more */
/* details. */
/* */
/* You should have received a copy of the GNU General Public */
/* License along with this program; if not, write to the Free */
/* Software Foundation, Inc., */
/* 675 Mass Ave, Cambridge, MA 02139, USA. */
/* */
/******************************************************************/
/******************************************************************/
/* Build configuration */
/******************************************************************/
#define TRACE_LEVEL 2
/******************************************************************/
/* Includes */
/******************************************************************/
// module's interface
#define _NTUNDOC_C
#include "NtUndoc.h"
// project's headers
#include "ImgInfo.h"
#include "SystInfo.h"
#include "Trace.h"
/******************************************************************/
/* Exported data */
/******************************************************************/
// Exported instance of the namespace structure. It is defined at file scope
// without an initializer, so every member starts out zero/NULL.
// NOTE(review): presumably filled in at initialisation from the g_aOsVersion
// row that matches the running kernel -- the code doing so is not in view, so
// confirm that callers check a member for NULL before calling through it.
NTUNDOC_NAMESPACE ntundoc ;
/******************************************************************/
/* Internal macros */
/******************************************************************/
// Number of elements in a true array. Gives a wrong count when handed a
// pointer (for instance an array parameter, which has already decayed).
#define arraysize(a) (sizeof (a) / sizeof *(a))
/******************************************************************/
/* Internal data types */
/******************************************************************/
// One row of the table of known kernel builds (g_aOsVersion): it identifies
// a kernel image and carries the addresses recorded for that image.
typedef struct {
// Human-readable label of the build: image name, version and language,
// e.g. "ntkrnlpa 5.00.2195.1 (english)".
LPCTSTR szOsVersion ;
// Hex string identifying the exact image. NOTE(review): the table values look
// like a PE TimeDateStamp followed by SizeOfImage -- confirm against the code
// that computes the signature of the running kernel.
LPCTSTR szSignature ;
// Addresses recorded for this build, one member per routine. NULL entries
// (NtCreateProcessEx and NtCreateUserProcess in the 5.00.2195 rows) presumably
// mean the routine is absent from that build -- verify that users test for it.
// NOTE(review): the values are small enough to be offsets from the image base
// rather than absolute addresses; confirm where they are rebased. Nothing but
// the signature ties them to the loaded kernel, so the lookup presumably has
// to refuse any image whose signature is not listed -- verify in that code.
NTUNDOC_NAMESPACE offsets ;
} NTUNDOC_OSVERSION ;
/******************************************************************/
/* Internal data */
/******************************************************************/
static NTUNDOC_OSVERSION g_aOsVersion[] =
{
{
TEXT("ntkrnlpa 5.00.2195.1 (english)"),
TEXT("384D5A86189840"),
{
.NtCreateProcess = (void*) 0x000DEE96,
.NtCreateProcessEx = NULL,
.NtCreateSection = (void*) 0x000C6DCA,
.NtCreateUserProcess = NULL,
.NtTerminateProcess = (void*) 0x000DFCA6,
.NtQueryInformationFile = (void*) 0x000A685A,
.NtQueryKey = (void*) 0x0010EB36,
.NtQueryValueKey = (void*) 0x0010EDCC,
.NtSetInformationFile = (void*) 0x000A6EA8,
.NtSetValueKey = (void*) 0x0010F45E,
.ObpFreeObject = (void*) 0x000D548E,
.PspTerminateProcess = (void*) 0x000DFE28,
.swprintf = (void*) 0x0005EC20,
.ZwOpenProcess = (void*) 0x0002E094,
.ZwProtectVirtualMemory = (void*) 0x0002E164,
.ZwReadVirtualMemory = (void*) 0x0002E434,
}
},
{
TEXT("ntkrnlpa 5.00.2195.1 (french)"),
TEXT("384D5A8618A6C0"),
{
.NtCreateProcess = (void*) 0x000DEE96,
.NtCreateProcessEx = NULL,
.NtCreateSection = (void*) 0x000C6DCA,
.NtCreateUserProcess = NULL,
.NtTerminateProcess = (void*) 0x000DFCA6,
.NtQueryInformationFile = (void*) 0x000A685A,
.NtQueryKey = (void*) 0x0010EB36,
.NtQueryValueKey = (void*) 0x0010EDCC,
.NtSetInformationFile = (void*) 0x000A6EA8,
.NtSetValueKey = (void*) 0x0010F45E,
.ObpFreeObject = (void*) 0x000D548E,
.PspTerminateProcess = (void*) 0x000DFE28,
.swprintf = (void*) 0x0005EC20,
.ZwOpenProcess = (void*) 0x0002E094,
.ZwProtectVirtualMemory = (void*) 0x0002E164,
.ZwReadVirtualMemory = (void*) 0x0002E434,
}
},
{
TEXT("ntkrnlpa 5.00.2195.1 (german)"),
TEXT("384D5A8618A200"),
{
.NtCreateProcess = (void*) 0x000DEE96,
.NtCreateProcessEx = NULL,
.NtCreateSection = (void*) 0x000C6DCA,
.NtCreateUserProcess = NULL,
.NtTerminateProcess = (void*) 0x000DFCA6,
.NtQueryInformationFile = (void*) 0x000A685A,
.NtQueryKey = (void*) 0x0010EB36,
.NtQueryValueKey = (void*) 0x0010EDCC,
.NtSetInformationFile = (void*) 0x000A6EA8,
.NtSetValueKey = (void*) 0x0010F45E,
.ObpFreeObject = (void*) 0x000D548E,
.PspTerminateProcess = (void*) 0x000DFE28,
.swprintf = (void*) 0x0005EC20,
.ZwOpenProcess = (void*) 0x0002E094,
.ZwProtectVirtualMemory = (void*) 0x0002E164,
.ZwReadVirtualMemory = (void*) 0x0002E434,
}
},
{
TEXT("ntkrnlpa 5.00.2195.1 (polish)"),
TEXT("384D5A86189E80"),
{
.NtCreateProcess = (void*) 0x000DEE96,
.NtCreateProcessEx = NULL,
.NtCreateSection = (void*) 0x000C6DCA,
.NtCreateUserProcess = NULL,
.NtTerminateProcess = (void*) 0x000DFCA6,
.NtQueryInformationFile = (void*) 0x000A685A,
.NtQueryKey = (void*) 0x0010EB36,
.NtQueryValueKey = (void*) 0x0010EDCC,
.NtSetInformationFile = (void*) 0x000A6EA8,
.NtSetValueKey = (void*) 0x0010F45E,
.ObpFreeObject = (void*) 0x000D548E,
.PspTerminateProcess = (void*) 0x000DFE28,
.swprintf = (void*) 0x0005EC20,
.ZwOpenProcess = (void*) 0x0002E094,
.ZwProtectVirtualMemory = (void*) 0x0002E164,
.ZwReadVirtualMemory = (void*) 0x0002E434,
}
},
{
TEXT("ntoskrnl 5.00.2195.1 (english)"),
TEXT("384D9B17190900"),
{
.NtCreateProcess = (void*) 0x000AD948,
.NtCreateProcessEx = NULL,
.NtCreateSection = (void*) 0x000AEFF6,
.NtCreateUserProcess = NULL,
.NtTerminateProcess = (void*) 0x000A2FAC,
.NtQueryInformationFile = (void*) 0x000AE525,
.NtQueryKey = (void*) 0x0009923A,
.NtQueryValueKey = (void*) 0x0009A077,
.NtSetInformationFile = (void*) 0x000C1308,
.NtSetValueKey = (void*) 0x000B8D90,
.ObpFreeObject = (void*) 0x00095B7F,
.PspTerminateProcess = (void*) 0x000FB3EB,
.swprintf = (void*) 0x0005DEE2,
.ZwOpenProcess = (void*) 0x00000E5A,
.ZwProtectVirtualMemory = (void*) 0x00000F2A,
.ZwReadVirtualMemory = (void*) 0x000011FA,
}
},
{
TEXT("ntoskrnl 5.00.2195.1 (french)"),
TEXT("384D9B17191780"),
{
.NtCreateProcess = (void*) 0x000AD948,
.NtCreateProcessEx = NULL,
.NtCreateSection = (void*) 0x000AEFF6,
.NtCreateUserProcess = NULL,
.NtTerminateProcess = (void*) 0x000A2FAC,
.NtQueryInformationFile = (void*) 0x000AE525,
.NtQueryKey = (void*) 0x0009923A,
.NtQueryValueKey = (void*) 0x0009A077,
.NtSetInformationFile = (void*) 0x000C1308,
.NtSetValueKey = (void*) 0x000B8D90,
.ObpFreeObject = (void*) 0x00095B7F,
.PspTerminateProcess = (void*) 0x000FB3EB,
.swprintf = (void*) 0x0005DEE2,
.ZwOpenProcess = (void*) 0x00000E5A,
.ZwProtectVirtualMemory = (void*) 0x00000F2A,
.ZwReadVirtualMemory = (void*) 0x000011FA,
}
},
{
TEXT("ntoskrnl 5.00.2195.1 (german)"),
TEXT("384D9B171912C0"),
{
.NtCreateProcess = (void*) 0x000AD948,
.NtCreateProcessEx = NULL,
.NtCreateSection = (void*) 0x000AEFF6,
.NtCreateUserProcess = NULL,
.NtTerminateProcess = (void*) 0x000A2FAC,
.NtQueryInformationFile = (void*) 0x000AE525,
.NtQueryKey = (void*) 0x0009923A,
.NtQueryValueKey = (void*) 0x0009A077,
.NtSetInformationFile = (void*) 0x000C1308,
.NtSetValueKey = (void*) 0x000B8D90,
.ObpFreeObject = (void*) 0x00095B7F,
.PspTerminateProcess = (void*) 0x000FB3EB,
.swprintf = (void*) 0x0005DEE2,
.ZwOpenProcess = (void*) 0x00000E5A,
.ZwProtectVirtualMemory = (void*) 0x00000F2A,
.ZwReadVirtualMemory = (void*) 0x000011FA,
}
},
{
TEXT("ntoskrnl 5.00.2195.1 (polish)"),
TEXT("384D9B17190F40"),
{
.NtCreateProcess = (void*) 0x000AD948,
.NtCreateProcessEx = NULL,
.NtCreateSection = (void*) 0x000AEFF6,
.NtCreateUserProcess = NULL,
.NtTerminateProcess = (void*) 0x000A2FAC,
.NtQueryInformationFile = (void*) 0x000AE525,
.NtQueryKey = (void*) 0x0009923A,
.NtQueryValueKey = (void*) 0x0009A077,
.NtSetInformationFile = (void*) 0x000C1308,
.NtSetValueKey = (void*) 0x000B8D90,
.ObpFreeObject = (void*) 0x00095B7F,
.PspTerminateProcess = (void*) 0x000FB3EB,
.swprintf = (void*) 0x0005DEE2,
.ZwOpenProcess = (void*) 0x00000E5A,
.ZwProtectVirtualMemory = (void*) 0x00000F2A,
.ZwReadVirtualMemory = (void*) 0x000011FA,
}
},
{
TEXT("ntkrnlpa 5.00.2195.2951 (french)"),
TEXT("3AD7789119C400"),
{
.NtCreateProcess = (void*) 0x000E21B4,
.NtCreateProcessEx = NULL,
.NtCreateSection = (void*) 0x000C9C98,
.NtCreateUserProcess = NULL,
.NtTerminateProcess = (void*) 0x000E2FC4,
.NtQueryInformationFile = (void*) 0x000A9C96,
.NtQueryKey = (void*) 0x00112128,
.NtQueryValueKey = (void*) 0x001123BE,
.NtSetInformationFile = (void*) 0x000AA2E4,
.NtSetValueKey = (void*) 0x00112A50,
.ObpFreeObject = (void*) 0x000D873C,
.PspTerminateProcess = (void*) 0x000E3146,
.swprintf = (void*) 0x00061B80,
.ZwOpenProcess = (void*) 0x0002E4B0,
.ZwProtectVirtualMemory = (void*) 0x0002E580,
.ZwReadVirtualMemory = (void*) 0x0002E850,
}
},
{
TEXT("ntoskrnl 5.00.2195.2951 (french)"),
TEXT("3AD7AD601A3280"),
{
.NtCreateProcess = (void*) 0x000C2408,
.NtCreateProcessEx = NULL,
.NtCreateSection = (void*) 0x000A6966,
.NtCreateUserProcess = NULL,
.NtTerminateProcess = (void*) 0x000C2D5E,
.NtQueryInformationFile = (void*) 0x000A5BA9,
.NtQueryKey = (void*) 0x000A73C5,