comment ^
Module Name:
w2kundoc.inc
Abstract:
This module defines some undocumented W2000 structures and constants.
Author:
Four-F (four-f@mail.ru) 07-Dec-2002
Hand made -> Bugs are very possible ;(
Your bug report is very welcome.
^
; Pull in the base kernel types the structures below rely on (LIST_ENTRY,
; LARGE_INTEGER, KEVENT, FAST_MUTEX, DISPATCHER_HEADER, UNICODE_STRING,
; IO_COUNTERS, KAFFINITY, ...), unless the including translation unit has
; already done so. KAFFINITY is used as the "already included" sentinel;
; presumably it is defined by ntddk.inc -- verify if the guard misfires.
;
; NOTE(review): every layout in this file is hand-derived for one Windows
; 2000 x86 build. A driver that dereferences these offsets on a different
; build reads or writes the wrong kernel memory. Gate their use on the
; running version (e.g. PsGetVersion) and cross-check the "sizeof = ..."
; annotations against the target before relying on any field.
IFNDEF KAFFINITY
include ntddk.inc
ENDIF
;IFNDEF KPROCESSOR_MODE
; KPROCESSOR_MODE typedef BYTE
;ENDIF
;IFNDEF ULARGE_INTEGER
; include ntdef.inc
;ENDIF
;---------------------------------------------------------------------
; KAPC_STATE -- per-thread APC state block, sizeof = 18h.
; No alignment argument is given, so MASM lays the members out
; back-to-back; the hex offsets in the comments assume that.
;   ApcListHead  two LIST_ENTRY heads (8 bytes each), 00h..0Fh;
;                presumably the kernel- and user-mode APC queues.
;   Process      PVOID at 10h; the author notes it is really PTR KPROCESS.
;   Kernel/UserApc* three BYTE flags at 14h..16h.
;   db ?         one unnamed padding byte (17h) so the size stays 18h.
KAPC_STATE STRUCT ; sizeof = 18h
ApcListHead LIST_ENTRY 2 dup(<?>) ; 00h two list heads
Process PVOID ? ; 10h PTR KPROCESS
KernelApcInProgress BYTE ? ; 14h
KernelApcPending BYTE ? ; 15h
UserApcPending BYTE ? ; 16h
db ? ; 17h padding
KAPC_STATE ENDS
PKAPC_STATE typedef PTR KAPC_STATE
;---------------------------------------------------------------------
; KGDTENTRY -- x86 GDT descriptor as seen by the kernel, sizeof = 8.
;   LimitLow / BaseLow   the low words, 00h / 02h.
;   dwHighWord           union at 04h (4 bytes) viewable either as four
;                        named bytes (Bytes) or as a bit field (Bits).
; The two views overlay the same dword, so Bytes.BaseMid == Bits.u11BaseMid
; and Bytes.BaseHi == Bits.u11BaseHi.
KGDTENTRY STRUCT ; sizeof = 8
LimitLow WORD ?
BaseLow WORD ?
union dwHighWord ; original HighWord
struct Bytes ; byte view of the high dword
BaseMid BYTE ?
Flags1 BYTE ?
Flags2 BYTE ?
BaseHi BYTE ?
ends
; Damn! ...record field names must be unique...
; kd displays it as __unnamed11, so i prepend each field name with 'u11'
; MASM RECORD fields are declared most-significant first; the comment on
; each field gives its bit range within the 32-bit high dword.
Bits RECORD \
u11BaseHi:8, ; bits24-31 BaseHi
u11Granularity:1, ; bits23-23 Granularity
u11Default_Big:1, ; bits22-22 Default_Big
u11Reserved_0:1, ; bits21-21 Reserved_0
u11Sys:1, ; bits20-20 Sys
u11LimitHi:4, ; bits16-19 LimitHi
u11Pres:1, ; bits15-15 Pres
u11Dpl:2, ; bits13-14 Dpl
u11Type:5, ; bits8-12 Type
u11BaseMid:8 ; bits0-7 BaseMid
ends ; HighWord
KGDTENTRY ENDS
PKGDTENTRY typedef PTR KGDTENTRY
;---------------------------------------------------------------------
; KIDTENTRY -- x86 IDT gate descriptor, sizeof = 8 (four WORDs).
; The first member is named woOffset rather than Offset because OFFSET
; is a MASM operator and cannot be used as a field name.
KIDTENTRY STRUCT ; sizeof = 8
woOffset WORD ? ; 00h original name Offset
Selector WORD ? ; 02h
Access WORD ? ; 04h
ExtendedOffset WORD ? ; 06h
KIDTENTRY ENDS
PKIDTENTRY typedef PTR KIDTENTRY
;---------------------------------------------------------------------
; PS_IMPERSONATION_INFORMATION -- impersonation state hung off a thread,
; sizeof = 0Ch.
;   Token              PVOID at 00h; by name the impersonation token --
;                      the page does not say what it really points to.
;   CopyOnOpen         BYTE at 04h
;   EffectiveOnly      BYTE at 05h
;   db 2 dup(?)        explicit padding so ImpersonationLevel sits at 08h
;   ImpersonationLevel UINT at 08h; presumably a
;                      SECURITY_IMPERSONATION_LEVEL value -- confirm.
; Security note: a driver that reads Token/ImpersonationLevel through this
; layout is trusting a hand-derived offset; a wrong build means a wrong
; pointer, so validate the kernel version before use.
PS_IMPERSONATION_INFORMATION STRUCT ; sizeof = 0Ch
Token PVOID ? ; 00h
CopyOnOpen BYTE ? ; 4h
EffectiveOnly BYTE ? ; 5h
db 2 dup(?) ; 6h padding
ImpersonationLevel UINT ? ; 8h
PS_IMPERSONATION_INFORMATION ENDS
PPS_IMPERSONATION_INFORMATION typedef PTR PS_IMPERSONATION_INFORMATION
; WOW64_PROCESS -- single PVOID member, sizeof = 4. What Wow64 points to
; is not given here.
WOW64_PROCESS STRUCT
Wow64 PVOID ? ; 00h
WOW64_PROCESS ENDS
PWOW64_PROCESS typedef PTR WOW64_PROCESS
;---------------------------------------------------------------------
; MMSUPPORT_FLAGS -- 32-bit flag record overlaying MMSUPPORT.LongFlags.
; Fields are declared most-significant first (MASM RECORD order); the
; comment on each gives its bit range. Widths sum to 32.
MMSUPPORT_FLAGS RECORD \
Filler:25, ; bits7-31 Filler
WriteWatch:1, ; bits6-6 WriteWatch
WorkingSetHard:1, ; bits5-5 WorkingSetHard
TrimHard:1, ; bits4-4 TrimHard
SessionLeader:1, ; bits3-3 SessionLeader
ProcessInSession:1, ; bits2-2 ProcessInSession
BeingTrimmed:1, ; bits1-1 BeingTrimmed
SessionSpace:1 ; bits0-0 SessionSpace
; MMSUPPORT -- per-process working-set bookkeeping, sizeof = 48h.
; Embedded in EPROCESS as the Vm member. No alignment argument, so the
; members are laid out back-to-back: LastTrimTime occupies 00h..07h and
; the offsets in the comments follow from that.
; The union at 30h lets the same dword be read as a raw DWORD (LongFlags)
; or through the MMSUPPORT_FLAGS bit record (Flags).
MMSUPPORT STRUCT ; sizeof = 48h
;db 48h dup(?) ; opaque placeholder the author replaced with the fields below
LastTrimTime LARGE_INTEGER <> ; 00h
LastTrimFaultCount DWORD ? ; 08h
PageFaultCount DWORD ? ; 0Ch
PeakWorkingSetSize DWORD ? ; 10h
WorkingSetSize DWORD ? ; 14h
MinimumWorkingSetSize DWORD ? ; 18h
MaximumWorkingSetSize DWORD ? ; 1Ch
VmWorkingSetList PVOID ? ; 20h
WorkingSetExpansionLinks LIST_ENTRY <> ; 24h
AllowWorkingSetAdjustment BOOLEAN ? ; 2Ch
AddressSpaceBeingDeleted BOOLEAN ? ; 2Dh
ForegroundSwitchCount BYTE ? ; 2Eh
MemoryPriority BYTE ? ; 2Fh
union ; 30h
LongFlags DWORD ? ; raw view
Flags MMSUPPORT_FLAGS <> ; bit-field view of the same dword
ends
Claim DWORD ? ; 34h
NextEstimationSlot DWORD ? ; 38h
NextAgingSlot DWORD ? ; 3Ch
EstimatedAvailable DWORD ? ; 40h
GrowthSinceLastEstimate DWORD ? ; 44h
MMSUPPORT ENDS
PMMSUPPORT typedef PTR MMSUPPORT
;---------------------------------------------------------------------
; OWNER_ENTRY -- one owner slot of an ERESOURCE, sizeof = 8.
;   OwnerThread  DWORD at 00h (thread identity, stored as a plain DWORD)
;   union at 04h: OwnerCount (signed) or TableSize -- which one is
;   meaningful depends on whether the entry is the table header; the
;   page does not say, so treat as an assumption.
OWNER_ENTRY STRUCT ; sizeof = 8
OwnerThread DWORD ? ; 00h
union ; 04h
OwnerCount SDWORD ?
TableSize DWORD ?
ends
OWNER_ENTRY ENDS
POWNER_ENTRY typedef PTR OWNER_ENTRY
;---------------------------------------------------------------------
; ERESOURCE -- executive reader/writer resource, sizeof = 38h.
; Offsets follow from back-to-back layout: OwnerThreads is two
; OWNER_ENTRY (8 bytes each) at 18h..27h, so ContentionCount lands at 28h.
; The union at 30h overlays Address with CreatorBackTraceIndex.
; NOTE(review): if the included ntddk.inc already declares ERESOURCE,
; this redefinition will collide at assembly time -- confirm.
ERESOURCE STRUCT ; sizeof = 38h
SystemResourcesList LIST_ENTRY <> ; 00h
OwnerTable PVOID ? ; 08h PTR OWNER_ENTRY
ActiveCount WORD ? ; 0Ch
Flag WORD ? ; 0Eh
SharedWaiters PVOID ? ; 10h PTR KSEMAPHORE
ExclusiveWaiters PVOID ? ; 14h PTR KEVENT
OwnerThreads OWNER_ENTRY 2 dup(<>) ; 18h
ContentionCount DWORD ? ; 28h
NumberOfSharedWaiters WORD ? ; 2Ch
NumberOfExclusiveWaiters WORD ? ; 2Eh
union ; 30h
Address PVOID ? ; 30h
CreatorBackTraceIndex DWORD ? ; 30h
ends
SpinLock DWORD ? ; 34h
ERESOURCE ENDS
PERESOURCE typedef PTR ERESOURCE
;---------------------------------------------------------------------
; HARDWARE_PTE_X86 -- 32-bit (non-PAE) x86 page-table entry as a MASM
; RECORD. Fields are declared most-significant first; the comment on each
; gives its bit range. Widths sum to 32, so an instance is 4 bytes.
; Used by EPROCESS.PageDirectoryPte; note that the union there pairs it
; with a QWORD Filler, so only the low dword carries this record.
HARDWARE_PTE_X86 RECORD \
PageFrameNumber:20, ; bits12-31 PageFrameNumber
_reserved:1, ; bits11-11 reserved
Prototype:1, ; bits10-10 Prototype
CopyOnWrite:1, ; bits9-9 CopyOnWrite
Global:1, ; bits8-8 Global
LargePage:1, ; bits7-7 LargePage
Dirty:1, ; bits6-6 Dirty
Accessed:1, ; bits5-5 Accessed
CacheDisable:1, ; bits4-4 CacheDisable
WriteThrough:1, ; bits3-3 WriteThrough
Owner:1, ; bits2-2 Owner
Write:1, ; bits1-1 Write
Valid:1 ; bits0-0 Valid
;---------------------------------------------------------------------
; HANDLE_TABLE -- per-process object handle table, sizeof = 6Ch.
; The size depends on the embedded types: ERESOURCE as defined above is
; 38h (1Ch + 38h = 54h) and KEVENT must be 10h (5Ch + 10h = 6Ch).
;   Table           author's note: PTR PTR PTR HANDLE_TABLE_ENTRY, i.e. a
;                   three-level table; the entry type is not defined here.
;   QuotaProcess    PTR EPROCESS per the author's note.
;   HandleTableLock presumably guards Table/HandleCount -- verify.
; Unlike the other structures in this file there is no PHANDLE_TABLE
; typedef; EPROCESS.ObjectTable is declared as plain PVOID.
HANDLE_TABLE STRUCT ; sizeof = 6Ch
Flags DWORD ? ; 00h
HandleCount SDWORD ? ; 04h
Table PVOID ? ; 08h PTR PTR PTR HANDLE_TABLE_ENTRY
QuotaProcess PVOID ? ; 0Ch PTR EPROCESS
UniqueProcessId PVOID ? ; 10h
FirstFreeTableEntry SDWORD ? ; 14h
NextIndexNeedingPool SDWORD ? ; 18h
HandleTableLock ERESOURCE <> ; 1Ch
HandleTableList LIST_ENTRY <> ; 54h
HandleContentionEvent KEVENT <> ; 5Ch
HANDLE_TABLE ENDS
;---------------------------------------------------------------------
; OBJECT_NAME_INFORMATION -- a single UNICODE_STRING, sizeof = 8.
; The member is usName rather than Name because NAME is a MASM directive.
OBJECT_NAME_INFORMATION STRUCT ; sizeof = 8
usName UNICODE_STRING <> ; 00h original name Name
OBJECT_NAME_INFORMATION ENDS
;---------------------------------------------------------------------
; PAGEFAULT_HISTORY -- working-set watch ring, sizeof = 18h.
; The stated size implies PROCESS_WS_WATCH_INFORMATION is 8 bytes
; (10h + 8 = 18h); that type is defined elsewhere.
PAGEFAULT_HISTORY STRUCT ; sizeof = 18h
CurrentIndex DWORD ? ; 00h
MaxIndex DWORD ? ; 04h
SpinLock DWORD ? ; 08h
Reserved PVOID ? ; 0Ch
WatchInfo PROCESS_WS_WATCH_INFORMATION <> ; 10h
PAGEFAULT_HISTORY ENDS
;---------------------------------------------------------------------
; EPROCESS_QUOTA_BLOCK -- pool/pagefile quota shared by a process tree,
; sizeof = 2Ch.
; The three 2-element DWORD arrays are indexed by pool type; the matching
; members of EPROCESS are annotated "NP, P" (nonpaged, paged) elsewhere
; in this file, so presumably the same order applies here -- confirm.
EPROCESS_QUOTA_BLOCK STRUCT ; sizeof = 2Ch
QuotaLock DWORD ? ; 00h
ReferenceCount DWORD ? ; 04h
QuotaPeakPoolUsage DWORD 2 dup(?) ; 08h
QuotaPoolUsage DWORD 2 dup(?) ; 10h
QuotaPoolLimit DWORD 2 dup(?) ; 18h
PeakPagefileUsage DWORD ? ; 20h
PagefileUsage DWORD ? ; 24h
PagefileLimit DWORD ? ; 28h
EPROCESS_QUOTA_BLOCK ENDS
;---------------------------------------------------------------------
; EJOB -- job object, sizeof = 170h.
; Embedded sizes this layout relies on: KEVENT 10h (Event), ERESOURCE 38h
; (JobLock, 20h..57h), IO_COUNTERS 30h (IoInfo, 108h..137h).
; Two explicit pads keep later members where the author measured them:
; 3 bytes after PriorityClass (ADh..AFh) and one dd after SchedulingClass
; (D4h) so the QWORD counters start at D8h.
; The trailing unnamed DWORD takes the size from 16Ch to 170h; it assumes
; FAST_MUTEX is 20h bytes. The author marked it "???" -- unverified.
; Token / SecurityLimitFlags / UIRestrictionsClass carry the job's
; security limits; they are plain DWORD/PVOID here, nothing more is known.
EJOB STRUCT ; sizeof = 170h
Event KEVENT <> ; 000h
JobLinks LIST_ENTRY <> ; 010h
ProcessListHead LIST_ENTRY <> ; 018h
JobLock ERESOURCE <> ; 020h
TotalUserTime LARGE_INTEGER <> ; 058h
TotalKernelTime LARGE_INTEGER <> ; 060h
ThisPeriodTotalUserTime LARGE_INTEGER <> ; 068h
ThisPeriodTotalKernelTime LARGE_INTEGER <> ; 070h
TotalPageFaultCount DWORD ? ; 078h
TotalProcesses DWORD ? ; 07Ch
ActiveProcesses DWORD ? ; 080h
TotalTerminatedProcesses DWORD ? ; 084h
PerProcessUserTimeLimit LARGE_INTEGER <> ; 088h
PerJobUserTimeLimit LARGE_INTEGER <> ; 090h
LimitFlags DWORD ? ; 098h
MinimumWorkingSetSize DWORD ? ; 09Ch
MaximumWorkingSetSize DWORD ? ; 0A0h
ActiveProcessLimit DWORD ? ; 0A4h
Affinity DWORD ? ; 0A8h
PriorityClass BYTE ? ; 0ACh
db 3 dup(?) ; 0ADh padding
UIRestrictionsClass DWORD ? ; 0B0h
SecurityLimitFlags DWORD ? ; 0B4h
Token PVOID ? ; 0B8h
Filter PVOID ? ; 0BCh PTR PS_JOB_TOKEN_FILTER
EndOfJobTimeAction DWORD ? ; 0C0h
CompletionPort PVOID ? ; 0C4h
CompletionKey PVOID ? ; 0C8h
SessionId DWORD ? ; 0CCh
SchedulingClass DWORD ? ; 0D0h
dd ? ; 0D4h padding
ReadOperationCount QWORD ? ; 0D8h
WriteOperationCount QWORD ? ; 0E0h
OtherOperationCount QWORD ? ; 0E8h
ReadTransferCount QWORD ? ; 0F0h
WriteTransferCount QWORD ? ; 0F8h
OtherTransferCount QWORD ? ; 100h
IoInfo IO_COUNTERS <> ; 108h
ProcessMemoryLimit DWORD ? ; 138h
JobMemoryLimit DWORD ? ; 13Ch
PeakProcessMemoryUsed DWORD ? ; 140h
PeakJobMemoryUsed DWORD ? ; 144h
CurrentJobMemoryUsed DWORD ? ; 148h
MemoryLimitsLock FAST_MUTEX <> ; 14Ch
DWORD ? ; 16Ch padding ??? (assumes FAST_MUTEX = 20h)
EJOB ENDS
PEJOB typedef PTR EJOB
;---------------------------------------------------------------------
; KPROCESS -- the kernel-layer process block, sizeof = 06Ch.
; It is the first member of EPROCESS (EPROCESS.Pcb), also known as the
; Process Control Block, PCB.
; Layout notes (back-to-back, no alignment argument):
;   Header       DISPATCHER_HEADER, 00h..0Fh; the author notes the type
;                byte is DO_TYPE_PROCESS (0x1B).
;   LdtDescriptor / Int21Descriptor  use the KGDTENTRY / KIDTENTRY
;                definitions above (8 bytes each), 20h and 28h.
;   KernelTime / UserTime  in ticks per the author, 38h and 3Ch.
;   ThreadListHead  links KTHREAD.ThreadListEntry per the author's note.
;   Affinity     KAFFINITY at 5Ch; sizeof 6Ch implies it is a DWORD here.
;   Spare        2 bytes at 6Ah; the commented-out IdealNode is an
;                unconfirmed guess by the author.
KPROCESS STRUCT ; sizeof = 06Ch
Header DISPATCHER_HEADER <> ; 000h DO_TYPE_PROCESS (0x1B)
ProfileListHead LIST_ENTRY <> ; 010h
DirectoryTableBase DWORD ? ; 018h
PageTableBase DWORD ? ; 01Ch
LdtDescriptor KGDTENTRY <> ; 020h
Int21Descriptor KIDTENTRY <> ; 028h
IopmOffset WORD ? ; 030h
Iopl BYTE ? ; 032h
VdmFlag BOOLEAN ? ; 033h
ActiveProcessors DWORD ? ; 034h
KernelTime DWORD ? ; 038h ticks
UserTime DWORD ? ; 03Ch ticks
ReadyListHead LIST_ENTRY <> ; 040h
SwapListEntry LIST_ENTRY <> ; 048h
ThreadListHead LIST_ENTRY <> ; 050h KTHREAD.ThreadListEntry
ProcessLock PVOID ? ; 058h
Affinity KAFFINITY ? ; 05Ch
StackCount WORD ? ; 060h
BasePriority BYTE ? ; 062h
ThreadQuantum BYTE ? ; 063h
AutoAlignment BOOLEAN ? ; 064h
State BYTE ? ; 065h
ThreadSeed BYTE ? ; 066h
DisableBoost BOOLEAN ? ; 067h
PowerState BYTE ? ; 068h
DisableQuantum BYTE ? ; 069h
; IdealNode BYTE ? ; ??? unconfirmed; would overlap Spare
Spare BYTE 2 dup(?) ; 06Ah
KPROCESS ENDS
PKPROCESS typedef PTR KPROCESS
;---------------------------------------------------------------------
EPROCESS STRUCT ; sizeof = 288h
Pcb KPROCESS <>
ExitStatus DWORD ? ; 06Ch
LockEvent KEVENT <> ; 070h
LockCount DWORD ? ; 080h
DWORD ? ; 084h ???
CreateTime LARGE_INTEGER <> ; 088h
ExitTime LARGE_INTEGER <> ; 090h
LockOwner PVOID ? ; 098h PTR KTHREAD
UniqueProcessId DWORD ? ; 09Ch
ActiveProcessLinks LIST_ENTRY <> ; 0A0h
QuotaPeakPoolUsage DWORD 2 dup(?) ; 0A8h NP, P
QuotaPoolUsage DWORD 2 dup(?) ; 0B0h NP, P
PagefileUsage DWORD ? ; 0B8h
CommitCharge DWORD ? ; 0BCh
PeakPagefileUsage DWORD ? ; 0C0h
PeakVirtualSize DWORD ? ; 0C4h
VirtualSize DWORD ? ; 0C8h
Vm MMSUPPORT <> ; 0D0h
SessionProcessLinks LIST_ENTRY <> ; 118h
DebugPort PVOID ? ; 120h
ExceptionPort PVOID ? ; 124h
ObjectTable PVOID ? ; 128h PTR HANDLE_TABLE
Token PVOID ? ; 12Ch
WorkingSetLock FAST_MUTEX <> ; 130h
OldIrql DWORD ? ; 14Ch
WorkingSetPage DWORD ? ; 150h
ProcessOutswapEnabled BYTE ? ; 154h
ProcessOutswapped BYTE ? ; 155h
AddressSpaceInitialized BYTE ? ; 156h
AddressSpaceDeleted BYTE ? ; 157h
AddressCreationLock FAST_MUTEX <> ; 158h
HyperSpaceLock DWORD ? ; 178h
ForkInProgress PVOID ? ; 17Ch PTR ETHREAD
VmOperation WORD ? ; 180h
ForkWasSuccessful BYTE ? ; 182h
MmAgressiveWsTrimMask BYTE ? ; 183h
VmOperationEvent PVOID ? ; 184h PTR KEVENT
PaeTop PVOID ? ; 188h
LastFaultCount DWORD ? ; 18Ch
ModifiedPageCount DWORD ? ; 190h
VadRoot PVOID ? ; 194h
VadHint PVOID ? ; 198h
CloneRoot PVOID ? ; 19Ch
NumberOfPrivatePages DWORD ? ; 1A0h
NumberOfLockedPages DWORD ? ; 1A4h
NextPageColor WORD ? ; 1A8h
ExitProcessCalled BYTE ? ; 1AAh
CreateProcessReported BYTE ? ; 1ABh
SectionHandle PVOID ? ; 1ACh
Peb PVOID ? ; 1B0h PTR PEB
SectionBaseAddress PVOID ? ; 1B4h
QuotaBlock PVOID ? ; 1B8h PTR EPROCESS_QUOTA_BLOCK
LastThreadExitStatus DWORD ? ; 1BCh
WorkingSetWatch PVOID ? ; 1C0h PTR PAGEFAULT_HISTORY
Win32WindowStation PVOID ? ; 1C4h
InheritedFromUniqueProcessId PVOID ? ; 1C8h
GrantedAccess DWORD ? ; 1CCh
DefaultHardErrorProcessing DWORD ? ; 1D0h
LdtInformation PVOID ? ; 1D4h
VadFreeHint PVOID ? ; 1D8h
VdmObjects PVOID ? ; 1DCh
DeviceMap PVOID ? ; 1E0h
SessionId DWORD ? ; 1E4h
PhysicalVadList LIST_ENTRY <> ; 1E8h
union
PageDirectoryPte HARDWARE_PTE_X86 <> ; 1F0h
Filler QWORD ? ; 1F0h
ends
PaePageDirectoryPage DWORD ? ; 1F8h
ImageFileName BYTE 16 dup(?) ; 1FCh
VmTrimFaultValue DWORD ? ; 20Ch
SetTimerResolution BYTE ? ; 210h
PriorityClass BYTE ? ; 211h
union
struct
SubSystemMinorVersion BYTE ? ; 212h
SubSystemMajorVersion BYTE ? ; 213h
ends
SubSystemVersion WORD ? ; 212h