📄 w2k_def.h
// =================================================================
// OBJ_* attribute bits. OBJ_VALID_ATTRIBUTES (0x3F2) is exactly the
// bitwise OR of the seven flags listed before it, so any bit outside
// that mask is not a defined attribute in this header.
// NOTE(review): presumably these are the values carried in
// OBJECT_ATTRIBUTES.Attributes; in the public DDK headers
// OBJ_KERNEL_HANDLE marks a handle as usable from kernel mode only -
// confirm against the headers of the build being examined.
#define OBJ_INHERIT 0x00000002
#define OBJ_PERMANENT 0x00000010
#define OBJ_EXCLUSIVE 0x00000020
#define OBJ_CASE_INSENSITIVE 0x00000040
#define OBJ_OPENIF 0x00000080
#define OBJ_OPENLINK 0x00000100
#define OBJ_KERNEL_HANDLE 0x00000200
// Union of all flags above; usable to reject undefined attribute bits.
#define OBJ_VALID_ATTRIBUTES 0x000003F2
// Object attribute block. The offset comments assume 4-byte handles and
// pointers; Length is annotated 0x18, which equals the structure size
// marked at the closing brace.
// NOTE(review): RootDirectory, ObjectName, SecurityDescriptor and
// SecurityQualityOfService are caller-supplied references. Nothing in
// this header validates them, so code that accepts the block from a
// less trusted caller has to check them itself.
typedef struct _OBJECT_ATTRIBUTES
{
    /*000*/ DWORD Length; // 0x18
    /*004*/ HANDLE RootDirectory;
    /*008*/ PUNICODE_STRING ObjectName;
    /*00C*/ DWORD Attributes;
    /*010*/ PSECURITY_DESCRIPTOR SecurityDescriptor;
    /*014*/ PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
    /*018*/ } OBJECT_ATTRIBUTES;

// Pointer and pointer-to-pointer aliases
typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;
typedef OBJECT_ATTRIBUTES **PPOBJECT_ATTRIBUTES;

// Structure size in bytes
#define OBJECT_ATTRIBUTES_ sizeof (OBJECT_ATTRIBUTES)
// -----------------------------------------------------------------
// Mask with the two lowest bits set (0x3).
// NOTE(review): by its name these are tag bits of a handle value -
// confirm how callers apply the mask.
#define OBJ_HANDLE_TAGBITS 0x00000003

// Per-handle information: attribute bits plus the access mask granted
// to the handle. The author cross-references HANDLE_ENTRY and
// HANDLE_ATTRIBUTE_MASK, neither of which is declared in this part of
// the file.
typedef struct _OBJECT_HANDLE_INFORMATION // cf. HANDLE_ENTRY
{
    /*000*/ DWORD HandleAttributes; // cf. HANDLE_ATTRIBUTE_MASK
    /*004*/ ACCESS_MASK GrantedAccess;
    /*008*/ } OBJECT_HANDLE_INFORMATION;

// Pointer and pointer-to-pointer aliases
typedef OBJECT_HANDLE_INFORMATION *POBJECT_HANDLE_INFORMATION;
typedef OBJECT_HANDLE_INFORMATION **PPOBJECT_HANDLE_INFORMATION;

// Structure size in bytes
#define OBJECT_HANDLE_INFORMATION_ sizeof (OBJECT_HANDLE_INFORMATION)
// -----------------------------------------------------------------
// Object name record: a UNICODE_STRING header followed directly by the
// character storage it points to (see the member comment on Name).
// Buffer is a flexible array member, so its length is not part of the
// type and the total size is left open ("???") by the author.
// NOTE(review): OBJECT_NAME_INFORMATION_ therefore counts only the
// fixed part of the record. A buffer sized with it alone has no room
// for any name characters; callers must add the name length themselves.
typedef struct _OBJECT_NAME_INFORMATION
{
    /*000*/ UNICODE_STRING Name; // points to Buffer[]
    /*008*/ WORD Buffer [];
    /*???*/ } OBJECT_NAME_INFORMATION;

// Pointer and pointer-to-pointer aliases
typedef OBJECT_NAME_INFORMATION *POBJECT_NAME_INFORMATION;
typedef OBJECT_NAME_INFORMATION **PPOBJECT_NAME_INFORMATION;

// Size of the fixed part only (Buffer[] contributes nothing)
#define OBJECT_NAME_INFORMATION_ sizeof (OBJECT_NAME_INFORMATION)
////////////////////////////////////////////////////////////////////
#else // #ifdef _USER_MODE_
////////////////////////////////////////////////////////////////////
// =================================================================
// SECURITY STRUCTURES
// =================================================================
// Control word type of a security descriptor; it is a plain WORD and is
// used for the Control member of SECURITY_DESCRIPTOR in this file.
typedef WORD SECURITY_DESCRIPTOR_CONTROL;

// Pointer and pointer-to-pointer aliases
typedef SECURITY_DESCRIPTOR_CONTROL *PSECURITY_DESCRIPTOR_CONTROL;
typedef SECURITY_DESCRIPTOR_CONTROL **PPSECURITY_DESCRIPTOR_CONTROL;

// Size of the control word in bytes
#define SECURITY_DESCRIPTOR_CONTROL_ sizeof (SECURITY_DESCRIPTOR_CONTROL)
// -----------------------------------------------------------------
// Security descriptor with Owner, Group, Sacl and Dacl declared as
// pointers (PSID / PACL). Offsets assume 4-byte pointers, giving a
// total size of 0x14.
// NOTE(review): this layout matches a descriptor whose four trailing
// members hold addresses. A self-relative descriptor stores offsets in
// those slots instead, so code walking a descriptor should inspect
// Control (SE_SELF_RELATIVE) before dereferencing - confirm which form
// the producer hands out.
typedef struct _SECURITY_DESCRIPTOR
{
    /*000*/ BYTE Revision;
    /*001*/ BYTE Sbz1;
    /*002*/ SECURITY_DESCRIPTOR_CONTROL Control;
    /*004*/ PSID Owner;
    /*008*/ PSID Group;
    /*00C*/ PACL Sacl;
    /*010*/ PACL Dacl;
    /*014*/ } SECURITY_DESCRIPTOR;

// Second name for the same structure, plus its pointer aliases
typedef SECURITY_DESCRIPTOR ISECURITY_DESCRIPTOR;
typedef SECURITY_DESCRIPTOR *PISECURITY_DESCRIPTOR;
typedef SECURITY_DESCRIPTOR **PPISECURITY_DESCRIPTOR;

// Structure size in bytes
#define SECURITY_DESCRIPTOR_ sizeof (SECURITY_DESCRIPTOR)
// -----------------------------------------------------------------
// Presumably the values stored in the Type member below.
#define RTL_CRITSECT_TYPE 0
#define RTL_RESOURCE_TYPE 1

// Debug record attached to a critical section; the same layout is also
// exposed under the RTL_RESOURCE_DEBUG names. CriticalSection points
// back at the owning RTL_CRITICAL_SECTION, which is only forward
// referenced here through its struct tag. Offsets assume 4-byte
// pointers (total size 0x20).
typedef struct _RTL_CRITICAL_SECTION_DEBUG
{
    /*000*/ WORD Type;
    /*002*/ WORD CreatorBackTraceIndex;
    /*004*/ struct _RTL_CRITICAL_SECTION *CriticalSection;
    /*008*/ LIST_ENTRY ProcessLocksList;
    /*010*/ DWORD EntryCount;
    /*014*/ DWORD ContentionCount;
    /*018*/ DWORD Spare [2];
    /*020*/ } RTL_CRITICAL_SECTION_DEBUG;

// Alternative name for the same structure
typedef RTL_CRITICAL_SECTION_DEBUG RTL_RESOURCE_DEBUG;

// Pointer aliases under both names
typedef RTL_CRITICAL_SECTION_DEBUG *PRTL_CRITICAL_SECTION_DEBUG;
typedef RTL_CRITICAL_SECTION_DEBUG *PRTL_RESOURCE_DEBUG;

// Pointer-to-pointer aliases under both names
typedef RTL_CRITICAL_SECTION_DEBUG **PPRTL_CRITICAL_SECTION_DEBUG;
typedef RTL_CRITICAL_SECTION_DEBUG **PPRTL_RESOURCE_DEBUG;

// Structure size in bytes, under both names
#define RTL_CRITICAL_SECTION_DEBUG_ sizeof (RTL_CRITICAL_SECTION_DEBUG)
#define RTL_RESOURCE_DEBUG_ sizeof (RTL_RESOURCE_DEBUG)
// -----------------------------------------------------------------
// Critical section object, also exposed under the CRITICAL_SECTION
// names. DebugInfo links to the RTL_CRITICAL_SECTION_DEBUG record.
// Offsets assume 4-byte handles and pointers (total size 0x18).
typedef struct _RTL_CRITICAL_SECTION
{
    /*000*/ PRTL_CRITICAL_SECTION_DEBUG DebugInfo;
    /*004*/ LONG LockCount;
    /*008*/ LONG RecursionCount;
    /*00C*/ HANDLE OwningThread;
    /*010*/ HANDLE LockSemaphore;
    /*014*/ DWORD_PTR SpinCount;
    /*018*/ } RTL_CRITICAL_SECTION;

// Alternative name for the same structure
typedef RTL_CRITICAL_SECTION CRITICAL_SECTION;

// Pointer aliases under both names
typedef RTL_CRITICAL_SECTION *PRTL_CRITICAL_SECTION;
typedef RTL_CRITICAL_SECTION *PCRITICAL_SECTION;

// Pointer-to-pointer aliases under both names
typedef RTL_CRITICAL_SECTION **PPRTL_CRITICAL_SECTION;
typedef RTL_CRITICAL_SECTION **PPCRITICAL_SECTION;

// Structure size in bytes, under both names
#define RTL_CRITICAL_SECTION_ sizeof (RTL_CRITICAL_SECTION)
#define CRITICAL_SECTION_ sizeof (CRITICAL_SECTION)
////////////////////////////////////////////////////////////////////
#endif // #ifdef _USER_MODE_
////////////////////////////////////////////////////////////////////
// =================================================================
// FUNCTION TYPES
// =================================================================
// Generic NTAPI function pointer types, one per return type (NTSTATUS,
// VOID, BOOLEAN). The parameter lists are left empty, which in C
// declares the arguments as unspecified.
// NOTE(review): because of that, the compiler cannot check argument
// count or types at any call made through these pointers; each call
// site has to match the real target's signature by hand.
typedef NTSTATUS (NTAPI *NTPROC) ();
typedef VOID (NTAPI *NTPROC_VOID) ();
typedef BOOLEAN (NTAPI *NTPROC_BOOLEAN) ();

// Pointers to the function pointer types above (e.g. table entries)
typedef NTPROC *PNTPROC;
typedef NTPROC_VOID *PNTPROC_VOID;
typedef NTPROC_BOOLEAN *PNTPROC_BOOLEAN;

// Size of one function pointer of each kind
#define NTPROC_ sizeof (NTPROC)
#define NTPROC_VOID_ sizeof (NTPROC_VOID)
#define NTPROC_BOOLEAN_ sizeof (NTPROC_BOOLEAN)
// =================================================================
// ENUMERATIONS
// =================================================================
// Lookaside list identifiers, numbered 0 through 6.
// see ExAllocateFromPPNPagedLookasideList()
// and ExFreeToPPNPagedLookasideList()
typedef enum _LOOKASIDE_LIST_ID
{
    /*000*/ SmallIrpLookasideList = 0,
    /*001*/ LargeIrpLookasideList = 1,
    /*002*/ MdlLookasideList = 2,
    /*003*/ CreateInfoLookasideList = 3,
    /*004*/ NameBufferLookasideList = 4,
    /*005*/ TwilightLookasideList = 5,
    /*006*/ CompletionLookasideList = 6
} LOOKASIDE_LIST_ID;

// Pointer and pointer-to-pointer aliases
typedef LOOKASIDE_LIST_ID *PLOOKASIDE_LIST_ID;
typedef LOOKASIDE_LIST_ID **PPLOOKASIDE_LIST_ID;
// =================================================================
// MISCELLANEOUS STRUCTURES
// =================================================================
// Pool quota accounting block (total size 0x20). Each two-element array
// holds one counter per pool kind, in the order given by the member
// comments: NonPagedPool first, PagedPool second.
// see PsChargeSharedPoolQuota()
// and PsReturnSharedPoolQuota()
typedef struct _QUOTA_BLOCK
{
    /*000*/ DWORD Flags;
    /*004*/ DWORD ChargeCount;
    /*008*/ DWORD PeakPoolUsage [2]; // NonPagedPool, PagedPool
    /*010*/ DWORD PoolUsage [2]; // NonPagedPool, PagedPool
    /*018*/ DWORD PoolQuota [2]; // NonPagedPool, PagedPool
    /*020*/ } QUOTA_BLOCK;

// Pointer and pointer-to-pointer aliases
typedef QUOTA_BLOCK *PQUOTA_BLOCK;
typedef QUOTA_BLOCK **PPQUOTA_BLOCK;

// Structure size in bytes
#define QUOTA_BLOCK_ sizeof (QUOTA_BLOCK)
// =================================================================
// API SERVICE STRUCTURES
// =================================================================
// One system service table: three arrays (entry points, usage counters,
// argument byte counts) and ServiceLimit, the number of table entries.
// Offsets assume 4-byte pointers (total size 0x10).
// NOTE(review): ServiceLimit is the only bound visible in this layout,
// so any code indexing one of the arrays should range-check the index
// against it. Integrity tooling that inspects ServiceTable usually also
// verifies that each entry point lies inside the expected module image;
// confirm the expected ranges for the build under inspection.
typedef struct _SYSTEM_SERVICE_TABLE
{
    /*000*/ PNTPROC ServiceTable; // array of entry points
    /*004*/ PDWORD CounterTable; // array of usage counters
    /*008*/ DWORD ServiceLimit; // number of table entries
    /*00C*/ PBYTE ArgumentTable; // array of byte counts
    /*010*/ } SYSTEM_SERVICE_TABLE;

// Pointer and pointer-to-pointer aliases
typedef SYSTEM_SERVICE_TABLE *PSYSTEM_SERVICE_TABLE;
typedef SYSTEM_SERVICE_TABLE **PPSYSTEM_SERVICE_TABLE;

// Structure size in bytes
#define SYSTEM_SERVICE_TABLE_ sizeof (SYSTEM_SERVICE_TABLE)
// -----------------------------------------------------------------
// Four consecutive SYSTEM_SERVICE_TABLE slots (4 * 0x10 = 0x40 bytes).
// Per the member comments the first serves ntoskrnl.exe (native API),
// the second win32k.sys (GDI/USER), and the last two are not used.
// NOTE(review): since Table3 and Table4 are documented as unused, a
// populated slot there is worth a closer look when auditing a system
// that follows this layout.
typedef struct _SERVICE_DESCRIPTOR_TABLE
{
    /*000*/ SYSTEM_SERVICE_TABLE ntoskrnl; // ntoskrnl.exe (native api)
    /*010*/ SYSTEM_SERVICE_TABLE win32k; // win32k.sys (gdi/user)
    /*020*/ SYSTEM_SERVICE_TABLE Table3; // not used
    /*030*/ SYSTEM_SERVICE_TABLE Table4; // not used
    /*040*/ } SERVICE_DESCRIPTOR_TABLE;

// Pointer and pointer-to-pointer aliases
typedef SERVICE_DESCRIPTOR_TABLE *PSERVICE_DESCRIPTOR_TABLE;
typedef SERVICE_DESCRIPTOR_TABLE **PPSERVICE_DESCRIPTOR_TABLE;

// Structure size in bytes
#define SERVICE_DESCRIPTOR_TABLE_ sizeof (SERVICE_DESCRIPTOR_TABLE)
// =================================================================
// BASIC OBJECT STRUCTURES
// =================================================================
//
// OBJECT PARTS:
// -------------
// Part                    Present when
// OBJECT_QUOTA_CHARGES    Header.QuotaChargesOffset != 0
// OBJECT_HANDLE_DB        Header.HandleDBOffset != 0
// OBJECT_NAME             Header.NameOffset != 0
// OBJECT_CREATOR_INFO     Header.ObjectFlags & OB_FLAG_CREATOR_INFO
// OBJECT_HEADER           always present
// OBJECT                  OBJECT_TYPE specific
//
// NOTE(review): the first four parts are optional, so code locating
// them has to test the listed header field before using the part.

// Untyped object body pointer and a pointer to such a pointer
typedef PVOID POBJECT;
typedef POBJECT *PPOBJECT;
// -----------------------------------------------------------------
// Initialization record for an object type. Length is annotated 0x004C,
// which equals the structure size marked at the closing brace; offsets
// assume 4-byte function pointers.
// The eight *Procedure members use the NTPROC, NTPROC_VOID and
// NTPROC_BOOLEAN pointer types, which carry no parameter list, so calls
// made through them are not argument-checked by the compiler.
//
// Author's notes on two of the flags:
// if (oti.MaintainHandleCount) ObpObjectsWithHandleDB++;
// if (oti.MaintainTypeList ) ObpObjectsWithCreatorInfo++;
typedef struct _OBJECT_TYPE_INITIALIZER
{
    /*000*/ WORD Length; //0x004C
    /*002*/ BOOLEAN UseDefaultObject;//OBJECT_TYPE.DefaultObject
    /*003*/ BOOLEAN Reserved1;
    /*004*/ DWORD InvalidAttributes;
    /*008*/ GENERIC_MAPPING GenericMapping;
    /*018*/ ACCESS_MASK ValidAccessMask;
    /*01C*/ BOOLEAN SecurityRequired;
    /*01D*/ BOOLEAN MaintainHandleCount; // OBJECT_HANDLE_DB
    /*01E*/ BOOLEAN MaintainTypeList; // OBJECT_CREATOR_INFO
    /*01F*/ BYTE Reserved2;
    /*020*/ BOOL PagedPool;
    /*024*/ DWORD DefaultPagedPoolCharge;
    /*028*/ DWORD DefaultNonPagedPoolCharge;
    /*02C*/ NTPROC DumpProcedure;
    /*030*/ NTPROC OpenProcedure;
    /*034*/ NTPROC CloseProcedure;
    /*038*/ NTPROC DeleteProcedure;
    /*03C*/ NTPROC_VOID ParseProcedure;
    /*040*/ NTPROC_VOID SecurityProcedure; // SeDefaultObjectMethod
    /*044*/ NTPROC_VOID QueryNameProcedure;
    /*048*/ NTPROC_BOOLEAN OkayToCloseProcedure;
    /*04C*/ } OBJECT_TYPE_INITIALIZER;

// Pointer and pointer-to-pointer aliases
typedef OBJECT_TYPE_INITIALIZER *POBJECT_TYPE_INITIALIZER;
typedef OBJECT_TYPE_INITIALIZER **PPOBJECT_TYPE_INITIALIZER;

// Structure size in bytes
#define OBJECT_TYPE_INITIALIZER_ sizeof (OBJECT_TYPE_INITIALIZER)
// -----------------------------------------------------------------
// Index and tag constants for the object types listed below. In each
// trailing comment the bracketed text is the four-character tag and the
// quoted text is the type name.
// see ObCreateObjectType()
// and ObpAllocateObject()
// Indexes run from 1 to 27 without gaps.
#define OB_TYPE_INDEX_TYPE 1 // [ObjT] "Type"
#define OB_TYPE_INDEX_DIRECTORY 2 // [Dire] "Directory"
#define OB_TYPE_INDEX_SYMBOLIC_LINK 3 // [Symb] "SymbolicLink"
#define OB_TYPE_INDEX_TOKEN 4 // [Toke] "Token"
#define OB_TYPE_INDEX_PROCESS 5 // [Proc] "Process"
#define OB_TYPE_INDEX_THREAD 6 // [Thre] "Thread"
#define OB_TYPE_INDEX_JOB 7 // [Job ] "Job"
#define OB_TYPE_INDEX_EVENT 8 // [Even] "Event"
#define OB_TYPE_INDEX_EVENT_PAIR 9 // [Even] "EventPair"
#define OB_TYPE_INDEX_MUTANT 10 // [Muta] "Mutant"
#define OB_TYPE_INDEX_CALLBACK 11 // [Call] "Callback"
#define OB_TYPE_INDEX_SEMAPHORE 12 // [Sema] "Semaphore"
#define OB_TYPE_INDEX_TIMER 13 // [Time] "Timer"
#define OB_TYPE_INDEX_PROFILE 14 // [Prof] "Profile"
#define OB_TYPE_INDEX_WINDOW_STATION 15 // [Wind] "WindowStation"
#define OB_TYPE_INDEX_DESKTOP 16 // [Desk] "Desktop"
#define OB_TYPE_INDEX_SECTION 17 // [Sect] "Section"
#define OB_TYPE_INDEX_KEY 18 // [Key ] "Key"
#define OB_TYPE_INDEX_PORT 19 // [Port] "Port"
#define OB_TYPE_INDEX_WAITABLE_PORT 20 // [Wait] "WaitablePort"
#define OB_TYPE_INDEX_ADAPTER 21 // [Adap] "Adapter"
#define OB_TYPE_INDEX_CONTROLLER 22 // [Cont] "Controller"
#define OB_TYPE_INDEX_DEVICE 23 // [Devi] "Device"
#define OB_TYPE_INDEX_DRIVER 24 // [Driv] "Driver"
#define OB_TYPE_INDEX_IO_COMPLETION 25 // [IoCo] "IoCompletion"
#define OB_TYPE_INDEX_FILE 26 // [File] "File"
#define OB_TYPE_INDEX_WMI_GUID 27 // [WmiG] "WmiGuid"
// Tags are multi-character constants, whose integer value is
// implementation-defined in C. They are spelled in reverse of the
// bracketed tag, presumably so that the bytes read in tag order when the
// value is stored little-endian - confirm for the compiler in use.
// NOTE(review): Event and EventPair carry the same tag ('nevE'), so a
// tag match alone does not tell the two types apart; compare the type
// index or type name as well.
#define OB_TYPE_TAG_TYPE 'TjbO' // [ObjT] "Type"
#define OB_TYPE_TAG_DIRECTORY 'eriD' // [Dire] "Directory"
#define OB_TYPE_TAG_SYMBOLIC_LINK 'bmyS' // [Symb] "SymbolicLink"
#define OB_TYPE_TAG_TOKEN 'ekoT' // [Toke] "Token"
#define OB_TYPE_TAG_PROCESS 'corP' // [Proc] "Process"
#define OB_TYPE_TAG_THREAD 'erhT' // [Thre] "Thread"
#define OB_TYPE_TAG_JOB ' boJ' // [Job ] "Job"
#define OB_TYPE_TAG_EVENT 'nevE' // [Even] "Event"
#define OB_TYPE_TAG_EVENT_PAIR 'nevE' // [Even] "EventPair"
#define OB_TYPE_TAG_MUTANT 'atuM' // [Muta] "Mutant"
#define OB_TYPE_TAG_CALLBACK 'llaC' // [Call] "Callback"
#define OB_TYPE_TAG_SEMAPHORE 'ameS' // [Sema] "Semaphore"
#define OB_TYPE_TAG_TIMER 'emiT' // [Time] "Timer"
#define OB_TYPE_TAG_PROFILE 'forP' // [Prof] "Profile"
#define OB_TYPE_TAG_WINDOW_STATION 'dniW' // [Wind] "WindowStation"
#define OB_TYPE_TAG_DESKTOP 'kseD' // [Desk] "Desktop"
#define OB_TYPE_TAG_SECTION 'tceS' // [Sect] "Section"
#define OB_TYPE_TAG_KEY ' yeK' // [Key ] "Key"
#define OB_TYPE_TAG_PORT 'troP' // [Port] "Port"
#define OB_TYPE_TAG_WAITABLE_PORT 'tiaW' // [Wait] "WaitablePort"
#define OB_TYPE_TAG_ADAPTER 'padA' // [Adap] "Adapter"
#define OB_TYPE_TAG_CONTROLLER 'tnoC' // [Cont] "Controller"
#define OB_TYPE_TAG_DEVICE 'iveD' // [Devi] "Device"
#define OB_TYPE_TAG_DRIVER 'virD' // [Driv] "Driver"
#define OB_TYPE_TAG_IO_COMPLETION 'oCoI' // [IoCo] "IoCompletion"
#define OB_TYPE_TAG_FILE 'eliF' // [File] "File"
#define OB_TYPE_TAG_WMI_GUID 'GimW' // [WmiG] "WmiGuid"
// Object type descriptor (total size 0xB0). It embeds a complete
// OBJECT_TYPE_INITIALIZER at offset 0x060 and records the type's index
// (OB_TYPE_INDEX_*) and tag (OB_TYPE_TAG_*). Offsets assume 4-byte
// pointers.
// The member at 0x048 is an unnamed union, so DefaultObject and Code
// share the same storage; unnamed unions are a compiler extension
// before C11.
// NOTE(review): which union member is live is not encoded in the union
// itself; the author's comment ties Code to the File and WaitablePort
// types, so check the type before treating the slot as a pointer.
typedef struct _OBJECT_TYPE
{
    /*000*/ ERESOURCE Lock;
    /*038*/ LIST_ENTRY ObjectListHead; // OBJECT_CREATOR_INFO
    /*040*/ UNICODE_STRING ObjectTypeName; // see above
    /*048*/ union
    {
        /*048*/ PVOID DefaultObject; // ObpDefaultObject
        /*048*/ DWORD Code; // File: 5C, WaitablePort: A0
    };
    /*04C*/ DWORD ObjectTypeIndex; // OB_TYPE_INDEX_*
    /*050*/ DWORD ObjectCount;
    /*054*/ DWORD HandleCount;
    /*058*/ DWORD PeakObjectCount;
    /*05C*/ DWORD PeakHandleCount;
    /*060*/ OBJECT_TYPE_INITIALIZER ObjectTypeInitializer;
    /*0AC*/ DWORD ObjectTypeTag; // OB_TYPE_TAG_*
    /*0B0*/ } OBJECT_TYPE;

// Pointer and pointer-to-pointer aliases
typedef OBJECT_TYPE *POBJECT_TYPE;
typedef OBJECT_TYPE **PPOBJECT_TYPE;

// Structure size in bytes
#define OBJECT_TYPE_ sizeof (OBJECT_TYPE)
// -----------------------------------------------------------------
// Fixed table of object type pointers: 23 slots of 4 bytes each, which
// gives the 0x5C size marked at the closing brace.
// see ObCreateObjectType()
// and ObpObjectTypes
// NOTE(review): the OB_TYPE_INDEX_* values in this file run up to 27,
// more than the 23 slots here. Whether those indexes are ever used to
// subscript ObjectTypes is not visible from this header; if they are,
// the index must be range-checked against MAXIMUM_OBJECT_TYPES first.
#define MAXIMUM_OBJECT_TYPES 23

typedef struct _OBJECT_TYPES
{
    /*000*/ POBJECT_TYPE ObjectTypes [MAXIMUM_OBJECT_TYPES];
    /*05C*/ } OBJECT_TYPES;

// Pointer and pointer-to-pointer aliases
typedef OBJECT_TYPES *POBJECT_TYPES;
typedef OBJECT_TYPES **PPOBJECT_TYPES;

// Structure size in bytes
#define OBJECT_TYPES_ sizeof (OBJECT_TYPES)
// -----------------------------------------------------------------
// see ObQueryTypeInfo()
typedef struct _OBJECT_TYPE_INFO
{
/*000*/ UNICODE_STRING ObjectTypeName; // points to Buffer[]
/*008*/ DWORD ObjectCount;
/*00C*/ DWORD HandleCount;
/*010*/ DWORD Reserved1 [4];
/*020*/ DWORD PeakObjectCount;
/*024*/ DWORD PeakHandleCount;
/*028*/ DWORD Reserved2 [4];
/*038*/ DWORD InvalidAttributes;
/*03C*/ GENERIC_MAPPING GenericMapping;
/*04C*/ ACCESS_MASK ValidAccessMask;
/*050*/ BOOLEAN SecurityRequired;
/*051*/ BOOLEAN MaintainHandleCount;
/*052*/ WORD Reserved3;
/*054*/ BOOL PagedPool;
/*058*/ DWORD DefaultPagedPoolCharge;