ends
Win32Process PVOID ? ; 214h
Job PVOID ? ; 218h PTR EJOB
JobStatus DWORD ? ; 21Ch
JobLinks LIST_ENTRY <> ; 220h
LockedPagesList PVOID ? ; 228h
SecurityPort PVOID ? ; 22Ch
Wow64Process PVOID ? ; 230h PTR WOW64_PROCESS
DWORD ? ; 234h ???
ReadOperationCount LARGE_INTEGER <> ; 238h
WriteOperationCount LARGE_INTEGER <> ; 240h
OtherOperationCount LARGE_INTEGER <> ; 248h
ReadTransferCount LARGE_INTEGER <> ; 250h
WriteTransferCount LARGE_INTEGER <> ; 258h
OtherTransferCount LARGE_INTEGER <> ; 260h
CommitChargeLimit DWORD ? ; 268h
CommitChargePeak DWORD ? ; 26Ch
ThreadListHead LIST_ENTRY <> ; 270h
VadPhysicalPagesBitMap RTL_BITMAP <> ; 278h
VadPhysicalPages DWORD ? ; 27Ch
AweLock DWORD ? ; 280h
EPROCESS ENDS
PEPROCESS typedef PTR EPROCESS ; pointer alias for the EPROCESS layout declared above
;---------------------------------------------------------------------
; a part of ETHREAD structure (first member)
; also known as Thread Control Block, TCB
;-----------------------------------------------------------------------
; KTHREAD - kernel thread control block (TCB); embedded as the first
; member of ETHREAD. Offsets in the comments are hex, relative to the
; start of the structure, for the Windows 2000 x86 layout this file
; describes; they are not stable across Windows builds, so code that
; reads these fields should confirm the build it runs on first.
;-----------------------------------------------------------------------
KTHREAD STRUCT ; sizeof = 1B0h
Header DISPATCHER_HEADER <> ; 000h DO_TYPE_THREAD (0x6C)
MutantListHead LIST_ENTRY <> ; 010h
InitialStack PVOID ? ; 018h
StackLimit PVOID ? ; 01Ch
Teb PVOID ? ; 020h PTR TEB (user-mode address)
TlsArray PVOID ? ; 024h
KernelStack PVOID ? ; 028h
DebugActive BOOLEAN ? ; 02Ch
State BYTE ? ; 02Dh THREAD_STATE_*
Alerted BOOLEAN 2 dup(?) ; 02Eh two flags; presumably one per processor mode - confirm
Iopl BYTE ? ; 030h
NpxState BYTE ? ; 031h
Saturation BYTE ? ; 032h
Priority BYTE ? ; 033h
ApcState KAPC_STATE <> ; 034h (18h bytes)
ContextSwitches DWORD ? ; 04Ch
WaitStatus DWORD ? ; 050h
WaitIrql BYTE ? ; 054h
WaitMode BYTE ? ; 055h
WaitNext BYTE ? ; 056h
WaitReason BYTE ? ; 057h
WaitBlockList PVOID ? ; 058h PTR KWAIT_BLOCK
WaitListEntry LIST_ENTRY <> ; 05Ch
WaitTime DWORD ? ; 064h
BasePriority BYTE ? ; 068h
DecrementCount BYTE ? ; 069h
PriorityDecrement BYTE ? ; 06Ah
Quantum BYTE ? ; 06Bh
WaitBlock KWAIT_BLOCK 4 dup(<>) ; 06Ch four inline wait blocks, 18h bytes each (06Ch..0CCh)
LegoData DWORD ? ; 0CCh
KernelApcDisable DWORD ? ; 0D0h
UserAffinity KAFFINITY ? ; 0D4h
SystemAffinityActive BOOLEAN ? ; 0D8h
PowerState BYTE ? ; 0D9h
NpxIrql BYTE ? ; 0DAh
Pad BYTE ? ; 0DBh
ServiceTable PVOID ? ; 0DCh PTR SERVICE_DESCRIPTOR_TABLE - per-thread system service table pointer; integrity checkers typically verify it points at a known kernel table
Queue PVOID ? ; 0E0h PTR KQUEUE
ApcQueueLock UINT ? ; 0E4h
Timer KTIMER <> ; 0E8h (28h bytes, 0E8h..110h)
QueueListEntry LIST_ENTRY <> ; 110h
Affinity KAFFINITY ? ; 118h
Preempted BOOLEAN ? ; 11Ch
ProcessReadyQueue BOOLEAN ? ; 11Dh
KernelStackResident BOOLEAN ? ; 11Eh
NextProcessor BYTE ? ; 11Fh
CallbackStack PVOID ? ; 120h
Win32Thread PVOID ? ; 124h PTR WIN32_THREAD ???
TrapFrame PVOID ? ; 128h
ApcStatePointer PVOID 2 dup(?) ; 12Ch PTR KAPC_STATE (two pointers: 12Ch, 130h)
PreviousMode KPROCESSOR_MODE ? ; 134h - see the NOTE in the block comment below
EnableStackSwap BOOLEAN ? ; 135h
LargeStack BOOLEAN ? ; 136h
ResourceIndex BYTE ? ; 137h
comment ^
S. Schreiber gives the opposite byte order for 134h-137h:
/*134*/ BOOLEAN EnableStackSwap;
/*135*/ BOOLEAN LargeStack;
/*136*/ BYTE ResourceIndex;
/*137*/ KPROCESSOR_MODE PreviousMode;
NOTE(review): the two sources disagree on where PreviousMode lives.
PreviousMode is what the kernel consults to decide whether a caller is
treated as user mode (pointer probing, access checks), so reading the
wrong byte gives a silently wrong answer rather than a crash. Verify
the offset against the symbols of the exact build before relying on it.
^
KernelTime DWORD ? ; 138h ticks
UserTime DWORD ? ; 13Ch ticks
SavedApcState KAPC_STATE <> ; 140h (18h bytes, 140h..158h)
;/*157*/ BYTE bReserved02;
Alertable BOOLEAN ? ; 158h
ApcStateIndex BYTE ? ; 159h
ApcQueueable BOOLEAN ? ; 15Ah
AutoAlignment BOOLEAN ? ; 15Bh
StackBase PVOID ? ; 15Ch
SuspendApc KAPC <> ; 160h (30h bytes, 160h..190h)
SuspendSemaphore KSEMAPHORE <> ; 190h (14h bytes, 190h..1A4h)
ThreadListEntry LIST_ENTRY <> ; 1A4h see KPROCESS
FreezeCount BYTE ? ; 1ACh
SuspendCount BYTE ? ; 1ADh
IdealProcessor BYTE ? ; 1AEh
DisableBoost BOOLEAN ? ; 1AFh
KTHREAD ENDS
PKTHREAD typedef PTR KTHREAD ; pointer alias for KTHREAD
;---------------------------------------------------------------------
;-----------------------------------------------------------------------
; ETHREAD - executive thread object (Windows 2000 x86 layout).
; The KTHREAD (Tcb) occupies the first 1B0h bytes; the executive
; fields follow. Offsets in the comments are hex from the start of
; ETHREAD and are build-specific.
;-----------------------------------------------------------------------
ETHREAD STRUCT ; sizeof = 248h
Tcb KTHREAD <> ; 000h kernel thread control block (1B0h bytes)
CreateTime LARGE_INTEGER <> ; 1B0h the low bits are overloaded, see below
; 1b0 bits0-1 NestedFaultCount
; 1b0 bits2-2 ApcNeeded
union ; 1B8h: the exit time is only meaningful once the thread has exited,
      ; so the same storage doubles as an LPC reply chain while it runs
ExitTime LARGE_INTEGER <> ; 1B8h
LpcReplyChain LIST_ENTRY <> ; 1B8h
ends
union ; 1C0h
ExitStatus DWORD ? ; 1C0h
OfsChain PVOID ? ; 1C0h
ends
PostBlockList LIST_ENTRY <> ; 1C4h
TerminationPortList LIST_ENTRY <> ; 1CCh
ActiveTimerListLock UINT ? ; 1D4h
ActiveTimerListHead LIST_ENTRY <> ; 1D8h
Cid CLIENT_ID <> ; 1E0h process id / thread id pair
LpcReplySemaphore KSEMAPHORE <> ; 1E8h (14h bytes, 1E8h..1FCh)
LpcReplyMessage PVOID ? ; 1FCh
LpcReplyMessageId UINT ? ; 200h
PerformanceCountLow UINT ? ; 204h low half; the high half is at 23Ch
ImpersonationInfo PVOID ? ; 208h PTR PS_IMPERSONATION_INFORMATION - valid only when ActiveImpersonationInfo (23Bh) is set
IrpList LIST_ENTRY <> ; 20Ch
TopLevelIrp UINT ? ; 214h
DeviceToVerify PVOID ? ; 218h PTR DEVICE_OBJECT
ReadClusterSize UINT ? ; 21Ch
ForwardClusterOnly BYTE ? ; 220h
DisablePageFaultClustering BYTE ? ; 221h
DeadThread BYTE ? ; 222h
HideFromDebugger BYTE ? ; 223h presumably set via NtSetInformationThread(ThreadHideFromDebugger) - confirm
HasTerminated UINT ? ; 224h
GrantedAccess UINT ? ; 228h
ThreadsProcess PVOID ? ; 22Ch PTR EPROCESS owning process
StartAddress PVOID ? ; 230h
union ; 234h
Win32StartAddress PVOID ? ; 234h
LpcReceivedMessageId UINT ? ; 234h valid only when LpcReceivedMsgIdValid (23Ah) is set
ends
LpcExitThreadCalled BYTE ? ; 238h
HardErrorsAreDisabled BYTE ? ; 239h
LpcReceivedMsgIdValid BYTE ? ; 23Ah
ActiveImpersonationInfo BYTE ? ; 23Bh
PerformanceCountHigh UINT ? ; 23Ch high half of the value whose low half is at 204h
ThreadListEntry LIST_ENTRY <> ; 240h
ETHREAD ENDS
PETHREAD typedef PTR ETHREAD ; pointer alias for ETHREAD
;---------------------------------------------------------------------
;-----------------------------------------------------------------------
; KQUEUE - kernel queue object; referenced from KTHREAD.Queue.
; Offsets are hex from the start of the structure.
;-----------------------------------------------------------------------
KQUEUE STRUCT ;sizeof = 28h
Header DISPATCHER_HEADER <> ; 00h
EntryListHead LIST_ENTRY <> ; 10h
CurrentCount DWORD ? ; 18h
MaximumCount DWORD ? ; 1Ch
ThreadListHead LIST_ENTRY <> ; 20h
KQUEUE ENDS
PKQUEUE typedef PTR KQUEUE ; pointer alias for KQUEUE
;---------------------------------------------------------------------
; Process Environment Block (PEB)
;---------------------------------------------------------------------
comment ^
; Schreiber
MODULE_HEADER STRUCT ; sizeof = 20h
/*000*/ DWORD d000;
/*004*/ DWORD d004;
/*008*/ LIST_ENTRY List1;
/*010*/ LIST_ENTRY List2;
/*018*/ LIST_ENTRY List3;
MODULE_HEADER ENDS
PMODULE_HEADER typedef PTR MODULE_HEADER
PROCESS_MODULE_INFO STRUCT ; sizeof = 24h
dwSize DWORD ? ; 24h
ModuleHeader MODULE_HEADER <>
PROCESS_MODULE_INFO ENDS
PPROCESS_MODULE_INFO typedef PTR PROCESS_MODULE_INFO
;---------------------------------------------------------------------
typedef struct _SYSTEM_STRINGS
{
/*000*/ UNICODE_STRING SystemRoot; // d:\WINNT
/*008*/ UNICODE_STRING System32Root; // d:\WINNT\System32
/*010*/ UNICODE_STRING BaseNamedObjects; // \BaseNamedObjects
/*018*/ }
SYSTEM_STRINGS,
* PSYSTEM_STRINGS,
**PPSYSTEM_STRINGS;
#define SYSTEM_STRINGS_ \
sizeof (SYSTEM_STRINGS)
// -----------------------------------------------------------------
typedef struct _TEXT_INFO
{
/*000*/ PVOID Reserved;
/*004*/ PSYSTEM_STRINGS SystemStrings;
/*008*/ }
TEXT_INFO,
* PTEXT_INFO,
^
;---------------------------------------------------------------------
;-----------------------------------------------------------------------
; PEB_LDR_DATA - loader bookkeeping referenced from PEB.Ldr. Holds the
; three doubly linked module lists (load order, memory order,
; initialization order). Offsets are hex from the start of the structure.
;-----------------------------------------------------------------------
PEB_LDR_DATA STRUCT ; sizeof = 24h
dwLength DWORD ? ; 00h original name Length
Initialized BYTE ? ; 04h
db 3 dup(?) ; 05h padding to the next DWORD boundary
SsHandle PVOID ? ; 08h
InLoadOrderModuleList LIST_ENTRY <> ; 0Ch
InMemoryOrderModuleList LIST_ENTRY <> ; 14h
InInitializationOrderModuleList LIST_ENTRY <> ; 1Ch
PEB_LDR_DATA ENDS
PPEB_LDR_DATA typedef PTR PEB_LDR_DATA ; pointer alias for PEB_LDR_DATA
;---------------------------------------------------------------------
;-----------------------------------------------------------------------
; RTL_DRIVE_LETTER_CURDIR - per-drive current directory record; 32 of
; these form RTL_USER_PROCESS_PARAMETERS.CurrentDirectores.
;-----------------------------------------------------------------------
RTL_DRIVE_LETTER_CURDIR STRUCT ; sizeof = 10h
Flags WORD ? ; 00h
woLength WORD ? ; 02h original name Length
TimeStamp DWORD ? ; 04h
DosPath _STRING <> ; 08h (8 bytes)
RTL_DRIVE_LETTER_CURDIR ENDS
PRTL_DRIVE_LETTER_CURDIR typedef PTR RTL_DRIVE_LETTER_CURDIR ; pointer alias
;---------------------------------------------------------------------
;-----------------------------------------------------------------------
; CURDIR - current directory of a process: its path plus an open handle.
;-----------------------------------------------------------------------
CURDIR STRUCT ; sizeof 0Ch
DosPath UNICODE_STRING <> ; 00h (8 bytes)
Handle PVOID ? ; 08h
CURDIR ENDS
;---------------------------------------------------------------------
;-----------------------------------------------------------------------
; PEB_FREE_BLOCK - singly linked free-block record hung off PEB.FreeList.
;-----------------------------------------------------------------------
PEB_FREE_BLOCK STRUCT ; sizeof = 8
Next PVOID ? ; 00h PTR PEB_FREE_BLOCK
dwSize DWORD ? ; 04h original name Size
PEB_FREE_BLOCK ENDS
;---------------------------------------------------------------------
;-----------------------------------------------------------------------
; RTL_USER_PROCESS_PARAMETERS - process start-up parameters, referenced
; from PEB.ProcessParameters. The block lives in user-mode memory of the
; target process, so nothing in it is trustworthy from the kernel side
; and every embedded UNICODE_STRING must be bounds-checked before use.
; NOTE(review): on this OS generation the string buffers may be stored
; as offsets relative to the block until it is normalized (see Flags);
; confirm before dereferencing a Buffer field. Offsets are hex.
;-----------------------------------------------------------------------
RTL_USER_PROCESS_PARAMETERS STRUCT ; sizeof = 290h
MaximumLength DWORD ? ; 000h
dwLength DWORD ? ; 004h original name Length
Flags DWORD ? ; 008h
DebugFlags DWORD ? ; 00Ch
ConsoleHandle PVOID ? ; 010h
ConsoleFlags DWORD ? ; 014h
StandardInput PVOID ? ; 018h
StandardOutput PVOID ? ; 01Ch
StandardError PVOID ? ; 020h
CurrentDirectory CURDIR <> ; 024h (0Ch bytes)
DllPath UNICODE_STRING <> ; 030h
ImagePathName UNICODE_STRING <> ; 038h
CommandLine UNICODE_STRING <> ; 040h
Environment PVOID ? ; 048h
StartingX DWORD ? ; 04Ch
StartingY DWORD ? ; 050h
CountX DWORD ? ; 054h
CountY DWORD ? ; 058h
CountCharsX DWORD ? ; 05Ch
CountCharsY DWORD ? ; 060h
FillAttribute DWORD ? ; 064h
WindowFlags DWORD ? ; 068h
ShowWindowFlags DWORD ? ; 06Ch
WindowTitle UNICODE_STRING <> ; 070h
DesktopInfo UNICODE_STRING <> ; 078h
ShellInfo UNICODE_STRING <> ; 080h
RuntimeData UNICODE_STRING <> ; 088h
CurrentDirectores RTL_DRIVE_LETTER_CURDIR 32 dup(<>) ; 090h (sic, original name CurrentDirectories) 32 * 10h = 200h bytes, ends at 290h
RTL_USER_PROCESS_PARAMETERS ENDS
;---------------------------------------------------------------------
; located at 7FFDF000h
;---------------------------------------------------------------------
;-----------------------------------------------------------------------
; PEB - Process Environment Block (Windows 2000 x86 layout). The banner
; above gives the classic fixed address 7FFDF000h; treat that as a
; property of this OS generation, not a guarantee. The PEB is writable
; by the process itself, so fields such as BeingDebugged and
; NtGlobalFlag are informational, not a security boundary.
; Offsets in the comments are hex from the start of the structure.
;-----------------------------------------------------------------------
PEB STRUCT ; sizeof = 1E8h
InheritedAddressSpace BOOLEAN ? ; 000
ReadImageFileExecOptions BOOLEAN ? ; 001
BeingDebugged BOOLEAN ? ; 002 the flag user-mode debugger-presence checks read
SpareBool BYTE ? ; 003
Mutant PVOID ? ; 004
ImageBaseAddress PVOID ? ; 008
Ldr PVOID ? ; 00Ch PTR PEB_LDR_DATA
ProcessParameters PVOID ? ; 010h PTR RTL_USER_PROCESS_PARAMETERS
SubSystemData PVOID ? ; 014h
ProcessHeap PVOID ? ; 018h
FastPebLock PVOID ? ; 01Ch
FastPebLockRoutine PVOID ? ; 020h
FastPebUnlockRoutine PVOID ? ; 024h
EnvironmentUpdateCount DWORD ? ; 028h
KernelCallbackTable PVOID ? ; 02Ch
SystemReserved DWORD 2 dup(?) ; 030h
FreeList PVOID ? ; 038h PTR PEB_FREE_BLOCK
TlsExpansionCounter DWORD ? ; 03Ch
TlsBitmap PVOID ? ; 040h
TlsBitmapBits DWORD 2 dup(?) ; 044h
ReadOnlySharedMemoryBase PVOID ? ; 04Ch
ReadOnlySharedMemoryHeap PVOID ? ; 050h
ReadOnlyStaticServerData PVOID ? ; 054h
AnsiCodePageData PVOID ? ; 058h
OemCodePageData PVOID ? ; 05Ch
UnicodeCaseTableData PVOID ? ; 060h
NumberOfProcessors DWORD ? ; 064h
NtGlobalFlag DWORD ? ; 068h
DWORD ? ; 06Ch unnamed; presumably padding so CriticalSectionTimeout is 8-byte aligned (earlier comment said 064h, which is NumberOfProcessors)
CriticalSectionTimeout LARGE_INTEGER <> ; 070h
HeapSegmentReserve DWORD ? ; 078h
HeapSegmentCommit DWORD ? ; 07Ch
HeapDeCommitTotalFreeThreshold DWORD ? ; 080h
HeapDeCommitFreeBlockThreshold DWORD ? ; 084h
NumberOfHeaps DWORD ? ; 088h
MaximumNumberOfHeaps DWORD ? ; 08Ch
ProcessHeaps PVOID ? ; 090h
GdiSharedHandleTable PVOID ? ; 094h
ProcessStarterHelper PVOID ? ; 098h
GdiDCAttributeList DWORD ? ; 09Ch
LoaderLock PVOID ? ; 0A0h
OSMajorVersion DWORD ? ; 0A4h
OSMinorVersion DWORD ? ; 0A8h
OSBuildNumber WORD ? ; 0ACh
OSCSDVersion WORD ? ; 0AEh
OSPlatformId DWORD ? ; 0B0h
ImageSubsystem DWORD ? ; 0B4h
ImageSubsystemMajorVersion DWORD ? ; 0B8h
ImageSubsystemMinorVersion DWORD ? ; 0BCh
ImageProcessAffinityMask DWORD ? ; 0C0h
GdiHandleBuffer DWORD 34 dup(?) ; 0C4h 34 * 4 = 88h bytes
PostProcessInitRoutine DWORD ? ; 14Ch
TlsExpansionBitmap PVOID ? ; 150h
TlsExpansionBitmapBits DWORD 32 dup(?) ; 154h 32 * 4 = 80h bytes
SessionId DWORD ? ; 1D4h
AppCompatInfo PVOID ? ; 1D8h
CSDVersion UNICODE_STRING <> ; 1DCh
DWORD ? ; 1E4h ??? unnamed; pads the structure to the stated 1E8h
PEB ENDS
PPEB typedef PTR PEB ; pointer alias for PEB
;---------------------------------------------------------------------
; Task Segment State
;---------------------------------------------------------------------
;-----------------------------------------------------------------------
; KiIoAccessMap - I/O permission bitmap area embedded in KTSS.
; 32 + 8196 = 2024h bytes; 8196 is the 8192-byte bitmap (one bit per
; I/O port, 65536 ports) plus 4 trailing bytes.
;-----------------------------------------------------------------------
KiIoAccessMap STRUCT ; sizeof= 2024h
DirectionMap BYTE 32 dup(?) ; 000h
IoMap BYTE 8196 dup(?) ; 020h
KiIoAccessMap ENDS
;-----------------------------------------------------------------------
; KTSS - the x86 Task State Segment as laid out by the kernel. Only the
; fields named here are used as-is; the Esp0/Ss0 pair is the ring-0
; stack the CPU switches to on a privilege transition, and IoMapBase is
; the offset from the TSS base to the I/O permission bitmap (IoMaps).
; Fields prefixed with "r" are renamed to avoid clashing with register
; names in MASM. Offsets in the comments are hex.
;-----------------------------------------------------------------------
KTSS STRUCT ; sizeof = 20ACh
Backlink WORD ? ; 0000h
Reserved0 WORD ? ; 0002h
Esp0 DWORD ? ; 0004h ring-0 stack pointer
Ss0 WORD ? ; 0008h ring-0 stack segment
Reserved1 WORD ? ; 000Ah
NotUsed1 DWORD 4 dup(?) ; 000Ch
rCR3 DWORD ? ; 001Ch original field name CR3
Eip DWORD ? ; 0020h
NotUsed2 DWORD 9 dup(?) ; 0024h
rEs WORD ? ; 0048h original field name Es
Reserved2 WORD ? ; 004Ah
rCs WORD ? ; 004Ch original field name Cs
Reserved3 WORD ? ; 004Eh
rSs WORD ? ; 0050h original field name Ss
Reserved4 WORD ? ; 0052h
rDs WORD ? ; 0054h original field name Ds
Reserved5 WORD ? ; 0056h
rFs WORD ? ; 0058h original field name Fs
Reserved6 WORD ? ; 005Ah
rGs WORD ? ; 005Ch original field name Gs
Reserved7 WORD ? ; 005Eh
LDT WORD ? ; 0060h
Reserved8 WORD ? ; 0062h
Flags WORD ? ; 0064h
IoMapBase WORD ? ; 0066h offset of the I/O permission bitmap from the TSS base
IoMaps KiIoAccessMap <> ; 0068h (2024h bytes, 0068h..208Ch)
IntDirectionMap BYTE 32 dup(?) ; 208Ch
KTSS ENDS