📄 ntdll.h
ULONG NtGlobalFlag; // 68
DWORD d6C; // 6C
LARGE_INTEGER MmCriticalSectionTimeout; // 70
ULONG MmHeapSegmentReserve; // 78
ULONG MmHeapSegmentCommit; // 7C
ULONG MmHeapDeCommitTotalFreeThreshold; // 80
ULONG MmHeapDeCommitFreeBlockThreshold; // 84
ULONG NumberOfHeaps; // 88
ULONG AvailableHeaps; // 8C
PHANDLE ProcessHeapsListBuffer; // 90
PVOID GdiSharedHandleTable; // 94
PVOID ProcessStarterHelper; // 98
PVOID GdiDCAttributeList; // 9C
KSPIN_LOCK LoaderLock; // A0
ULONG NtMajorVersion; // A4
ULONG NtMinorVersion; // A8
USHORT NtBuildNumber; // AC
USHORT NtCSDVersion; // AE
ULONG PlatformId; // B0
ULONG Subsystem; // B4
ULONG MajorSubsystemVersion; // B8
ULONG MinorSubsystemVersion; // BC
KAFFINITY AffinityMask; // C0
ULONG GdiHandleBuffer[0x22]; // C4
ULONG PostProcessInitRoutine; // 14C
ULONG TlsExpansionBitmap; // 150
UCHAR TlsExpansionBitmapBits[0x80]; // 154
ULONG SessionId; // 1D4
ULARGE_INTEGER AppCompatFlags; // 1D8
PWORD CSDVersion; // 1E0
/* PVOID AppCompatInfo; // 1E4
UNICODE_STRING usCSDVersion;
PVOID ActivationContextData;
PVOID ProcessAssemblyStorageMap;
PVOID SystemDefaultActivationContextData;
PVOID SystemAssemblyStorageMap;
ULONG MinimumStackCommit; */
} PEB, *PPEB;
/*
 * Thread Environment Block: per-thread state, beginning with the NT_TIB and
 * carrying a back-pointer to the owning process's PEB.
 *
 * NOTE(review): this is an undocumented, build-specific layout. No offsets are
 * annotated here, so every member position depends on the exact order and size
 * of the members above it (and on pointer width). Confirm the layout against
 * the target build before reading fields through it; a mismatch yields
 * silently wrong values rather than an error.
 */
typedef struct _TEB
{
NT_TIB Tib; // must stay first: the TEB starts with the NT_TIB
PVOID EnvironmentPointer;
CLIENT_ID Cid;
PVOID ActiveRpcInfo;
PVOID ThreadLocalStoragePointer;
PPEB Peb; // owning process's PEB
ULONG LastErrorValue;
ULONG CountOfOwnedCriticalSections;
PVOID CsrClientThread;
PVOID Win32ThreadInfo;
ULONG Win32ClientInfo[0x1F];
PVOID WOW32Reserved;
ULONG CurrentLocale;
ULONG FpSoftwareStatusRegister;
PVOID SystemReserved1[0x36];
PVOID Spare1;
LONG ExceptionCode;
ULONG SpareBytes1[0x28];
PVOID SystemReserved2[0xA];
ULONG gdiRgn;
ULONG gdiPen;
ULONG gdiBrush;
CLIENT_ID RealClientId;
PVOID GdiCachedProcessHandle;
ULONG GdiClientPID;
ULONG GdiClientTID;
PVOID GdiThreadLocaleInfo;
PVOID UserReserved[5];
PVOID glDispatchTable[0x118];
ULONG glReserved1[0x1A];
PVOID glReserved2;
PVOID glSectionInfo;
PVOID glSection;
PVOID glTable;
PVOID glCurrentRC;
PVOID glContext;
NTSTATUS LastStatusValue;
UNICODE_STRING StaticUnicodeString;
WCHAR StaticUnicodeBuffer[0x105]; // 0x105 = 261 WCHARs; presumably backs StaticUnicodeString - confirm
PVOID DeallocationStack;
PVOID TlsSlots[0x40]; // 0x40 = 64 inline slots
LIST_ENTRY TlsLinks;
PVOID Vdm;
PVOID ReservedForNtRpc;
PVOID DbgSsReserved[0x2];
ULONG HardErrorDisabled;
PVOID Instrumentation[0x10];
PVOID WinSockData;
ULONG GdiBatchCount;
ULONG Spare2;
ULONG Spare3;
ULONG Spare4;
PVOID ReservedForOle;
ULONG WaitingOnLoaderLock;
PVOID StackCommit;
PVOID StackCommitMax;
PVOID StackReserve;
} TEB, *PTEB;
/*
 * Kernel pool categories. No explicit values are given, so the enumerators
 * number consecutively from NonPagedPool = 0 to MaxPoolType = 7; reordering or
 * inserting an entry changes every value after it.
 */
typedef enum _POOL_TYPE
{
NonPagedPool, // 0
PagedPool, // 1
NonPagedPoolMustSucceed, // 2
DontUseThisType, // 3
NonPagedPoolCacheAligned, // 4
PagedPoolCacheAligned, // 5
NonPagedPoolCacheAlignedMustS, // 6
MaxPoolType // 7: count of the values above, not a pool type itself
} POOL_TYPE, *PPOOL_TYPE;
/*
 * Reasons a thread can be waiting. Values are implicit and consecutive:
 * Executive = 0 through MaximumWaitReason = 27.
 *
 * NOTE(review): presumably the value stored in KTHREAD.bWaitReason - confirm.
 * That field is a BYTE, so a consumer should range-check it against
 * MaximumWaitReason before using it as an index into a name table.
 */
typedef enum _KWAIT_REASON
{
Executive, // 0
FreePage,
PageIn,
PoolAllocation,
DelayExecution,
Suspended,
UserRequest,
WrExecutive, // 7
WrFreePage,
WrPageIn,
WrPoolAllocation,
WrDelayExecution,
WrSuspended,
WrUserRequest,
WrEventPair, // 14
WrQueue,
WrLpcReceive,
WrLpcReply,
WrVirtualMemory,
WrPageOut,
WrRendezvous, // 20
Spare2, // 21..25: placeholder values
Spare3,
Spare4,
Spare5,
Spare6,
WrKernel, // 26
MaximumWaitReason // 27: count of the values above
} KWAIT_REASON, *PKWAIT_REASON;
/*
 * Common header placed first in the dispatcher objects declared in this file
 * (KPROCESS, KTHREAD, KSEMAPHORE, KEVENT). Four BYTEs, a LONG and a LIST_ENTRY:
 * 0x10 bytes when LIST_ENTRY is two 4-byte pointers.
 */
typedef struct _DISPATCHER_HEADER
{
BYTE uType; //DO_TYPE_*
BYTE uAbsolute;
BYTE uSize; // number of DWORDs
BYTE uInserted;
LONG lSignalState;
LIST_ENTRY WaitListHead;
} DISPATCHER_HEADER, *PDISPATCHER_HEADER;
/*
 * Kernel process control block, partially reverse-engineered: members named
 * d18, w60, b63, ... are unidentified fields whose name is the type prefix
 * (d = DWORD, w = WORD, b = BYTE, le = LIST_ENTRY) plus the hex byte offset.
 * The offsets in those names add up only for a 32-bit layout (4-byte pointers,
 * 8-byte LIST_ENTRY), giving a total size of 0x68 bytes.
 *
 * NOTE(review): 0x68 bytes is 0x1A DWORDs, the same number as the
 * "DO_TYPE_PROCESS (0x1A)" remark on Header, so that figure may be the
 * Header.uSize value rather than a type code - confirm. The layout is
 * build-specific; verify it against the target build before relying on it.
 */
typedef struct _KPROCESS
{
DISPATCHER_HEADER Header; // DO_TYPE_PROCESS (0x1A)
LIST_ENTRY le10;
DWORD d18;
DWORD d1C;
DWORD d20;
DWORD d24;
DWORD d28;
DWORD d2C;
DWORD d30;
DWORD d34;
DWORD dKernelTime; // ticks
DWORD dUserTime; // ticks
LIST_ENTRY le40;
LIST_ENTRY OutSwapList;
LIST_ENTRY ThreadListHead; // KTHREAD.ThreadList
DWORD d58;
KAFFINITY AffinityMask;
WORD w60;
BYTE bBasePriority;
BYTE b63;
WORD w64;
BYTE b66;
BOOLEAN fPriorityBoost;
} KPROCESS, *PKPROCESS;
/*
 * Fixed header of a port (LPC) message. The commented-out Data[] member
 * indicates that variable-length payload follows the header in memory.
 *
 * NOTE(review): DataSize and MessageSize are 16-bit lengths carried inside the
 * message itself. Presumably DataSize is the payload length and MessageSize
 * the header-plus-payload length - confirm. A receiver should check both
 * against the buffer it actually holds before touching the payload, since
 * nothing in this declaration bounds them.
 */
typedef struct _PORT_MESSAGE
{
USHORT DataSize;
USHORT MessageSize;
USHORT MessageType;
USHORT VirtualRangesOffset;
CLIENT_ID ClientId;
ULONG MessageId;
ULONG SectionSize;
// UCHAR Data[];
} PORT_MESSAGE, *PPORT_MESSAGE;
/*
 * Describes one system-service dispatch table: three parallel arrays
 * (entry points, per-service counters, per-service argument byte counts)
 * and the number of entries they hold.
 *
 * uTableSize is the only bound on the three arrays; any code that walks or
 * verifies the table should range-check its index against it first.
 * NOTE(review): puCounterTable may be NULL on builds that do not keep
 * counters - confirm before dereferencing.
 */
typedef struct _SERVICE_DESCRIPTOR_TABLE
{
PNTSYSCALL ServiceTable; // array of entrypoints
PULONG puCounterTable; // array of counters
ULONG uTableSize; // number of table entries
PBYTE pbArgumentTable; // array of byte counts
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;
/*
 * Kernel semaphore: the common dispatcher header followed by the semaphore's
 * limit. Header must stay first so the object can be handled through a
 * PDISPATCHER_HEADER.
 */
typedef struct _KSEMAPHORE
{
DISPATCHER_HEADER Header;
LONG lLimit; // presumably the maximum count - confirm
} KSEMAPHORE, *PKSEMAPHORE;
/*
 * Kernel thread control block, partially reverse-engineered. Members named
 * d018, w02E, b02C, le034, ple05C, ... are unidentified fields: the prefix is
 * the type (d = DWORD, w = WORD, b = BYTE, le = LIST_ENTRY, ple = PLIST_ENTRY)
 * and the digits are the hex byte offset. Those offsets add up only for a
 * 32-bit layout (4-byte pointers), where the struct totals 0x1B0 bytes.
 *
 * NOTE(review): 0x1B0 bytes is 0x6C DWORDs, the same number as the
 * "DO_TYPE_THREAD (0x6C)" remark on Header, so that figure may be the
 * Header.uSize value rather than a type code - confirm.
 *
 * NOTE(review): the layout is specific to one Windows build, which this file
 * does not name. Anything that reads live or dumped thread objects through
 * this declaration should first verify the build, because a wrong offset
 * produces plausible-looking but incorrect data.
 */
typedef struct _KTHREAD
{
DISPATCHER_HEADER Header; // DO_TYPE_THREAD (0x6C)
LIST_ENTRY le010;
DWORD d018;
DWORD d01C;
PTEB pTeb; // user-mode TEB of this thread
DWORD d024;
DWORD d028;
BYTE b02C;
BYTE bThreadState; // THREAD_STATE_*
WORD w02E;
WORD w030;
BYTE b032;
BYTE bPriority;
LIST_ENTRY le034;
LIST_ENTRY le03C;
PKPROCESS pProcess; // owning process
DWORD d048;
DWORD dContextSwitches;
DWORD d050;
WORD w054;
BYTE b056;
BYTE bWaitReason; // presumably a KWAIT_REASON value stored in one byte - confirm
DWORD d058;
PLIST_ENTRY ple05C;
PLIST_ENTRY ple060;
DWORD d064;
BYTE bBasePriority;
BYTE b069;
WORD w06A;
DWORD d06C;
DWORD d070;
DWORD d074;
DWORD d078;
DWORD d07C;
DWORD d080;
DWORD d084;
DWORD d088;
DWORD d08C;
DWORD d090;
DWORD d094;
DWORD d098;
DWORD d09C;
DWORD d0A0;
DWORD d0A4;
DWORD d0A8;
DWORD d0AC;
DWORD d0B0;
DWORD d0B4;
DWORD d0B8;
DWORD d0BC;
DWORD d0C0;
DWORD d0C4;
DWORD d0C8;
DWORD d0CC;
DWORD d0D0;
DWORD d0D4;
DWORD d0D8;
// Per-thread pointer to the service descriptor table (offset 0xDC in the
// 32-bit layout). Integrity tooling that validates system-service dispatch
// needs to account for this pointer being stored per thread.
PSERVICE_DESCRIPTOR_TABLE pServiceDescriptorTable;
DWORD d0E0;
DWORD d0E4;
DWORD d0E8;
DWORD d0EC;
LIST_ENTRY le0F0;
DWORD d0F8;
DWORD d0FC;
DWORD d100;
DWORD d104;
DWORD d108;
DWORD d10C;
DWORD d110;
DWORD d114;
DWORD d118;
BYTE b11C;
BYTE b11D;
WORD w11E;
DWORD d120;
DWORD d124;
DWORD d128;
DWORD d12C;
DWORD d130;
WORD w134;
BYTE b136;
KPROCESSOR_MODE ProcessorMode; // must be 1 byte wide for dKernelTime to land at 0x138
DWORD dKernelTime; // ticks
DWORD dUserTime; // ticks
DWORD d140;
DWORD d144;
DWORD d148;
DWORD d14C;
DWORD d150;
DWORD d154;
DWORD d158;
DWORD d15C;
DWORD d160;
DWORD d164;
DWORD d168;
DWORD d16C;
DWORD d170;
PROC SuspendNop;
DWORD d178;
DWORD d17C;
DWORD d180;
DWORD d184;
DWORD d188;
DWORD d18C;
KSEMAPHORE SuspendSemaphore;
LIST_ENTRY ThreadList; // KPROCESS.ThreadListHead
DWORD d1AC;
} KTHREAD, *PKTHREAD;
/*
 * Executive thread object. It embeds the KTHREAD as its first member, so a
 * PETHREAD and a PKTHREAD to the same thread have the same address.
 *
 * NOTE(review): several members that look like object references
 * (uLpcReplyMessage, uImpersonationInfo, uEventPair, uThreadsProcess) are
 * declared ULONG; if they hold pointers this declaration is valid for 32-bit
 * targets only - confirm. The layout is build-specific, like KTHREAD's.
 */
typedef struct _ETHREAD
{
KTHREAD Tcb; // must stay first
LARGE_INTEGER liCreateTime;
LARGE_INTEGER liExitTime;
NTSTATUS ExitStatus;
LIST_ENTRY PostBlockList;
LIST_ENTRY TerminationPortList;
ULONG uActiveTimerListLock;
LIST_ENTRY ActiveTimerListHead;
CLIENT_ID Cid; // thread's client id
KSEMAPHORE LpcReplySemaphore;
ULONG uLpcReplyMessage;
LARGE_INTEGER liLpcReplyMessageId;
ULONG uImpersonationInfo;
LIST_ENTRY IrpList;
LIST_ENTRY TopLevelIrp;
ULONG uReadClusterSize;
BOOLEAN fForwardClusterOnly;
BOOLEAN fDisablePageFaultClustering;
BOOLEAN fDeadThread;
BOOLEAN fHasTerminated;
ULONG uEventPair;
ULONG uGrantedAccess;
ULONG uThreadsProcess;
// Two start addresses are kept; presumably the kernel-level entry and the
// Win32-level entry respectively - confirm before interpreting either.
PVOID pStartAddress;
PVOID Win32StartAddress;
BOOLEAN fLpcExitThreadCalled;
BOOLEAN fHardErrorsAreDisabled;
WORD wUknown1; // unidentified; together with the two BOOLEANs above fills one DWORD
DWORD dwUknown2; // unidentified
} ETHREAD, *PETHREAD;
/*
 * A resource owner is identified by a pointer to its ETHREAD: ERESOURCE_THREAD
 * is itself a pointer type, and PERESOURCE_THREAD points to such a pointer.
 */
typedef PETHREAD ERESOURCE_THREAD,
*PERESOURCE_THREAD;
/*
 * Kernel event: consists of the common dispatcher header only, with no
 * members of its own.
 */
typedef struct _KEVENT
{
DISPATCHER_HEADER Header;
} KEVENT, *PKEVENT;
/*
 * Older executive-resource layout, kept alongside ERESOURCE_LITE. Unlike the
 * lite form it embeds its semaphore and event directly instead of pointing
 * to them.
 */
typedef struct _ERESOURCE_OLD
{
LIST_ENTRY SystemResourcesList;
PERESOURCE_THREAD OwnerThreads;
PBYTE pbOwnerCounts;
WORD wTableSize;
WORD wActiveCount;
WORD wFlag;
WORD wTableRover;
// presumably parallel arrays: count [i] belongs to thread [i] - confirm
BYTE bInitialOwnerCounts[4];
ERESOURCE_THREAD InitialOwnerThreads[4];
DWORD dwUknown1; // unidentified
ULONG uContentionCount;
WORD wNumberOfExclusiveWaiters;
WORD wNumberOfSharedWaiters;
KSEMAPHORE SharedWaiters; // embedded, not a pointer
KEVENT ExclusiveWaiters; // embedded, not a pointer
KSPIN_LOCK SpinLock;
ULONG uCreatorBackTraceIndex;
WORD wDepth;
WORD wUknown2; // unidentified
PVOID pOwnerBackTrace[4];
} ERESOURCE_OLD, *PERESOURCE_OLD;
/*
 * One owner record of an ERESOURCE_LITE: the owning thread plus two 16-bit
 * fields.
 */
typedef struct _OWNER_ENTRY
{
ERESOURCE_THREAD OwnerThread; // pointer to the owner's ETHREAD
SHORT sOwnerCount; // signed
WORD wTableSize;
} OWNER_ENTRY, *POWNER_ENTRY;
/*
 * Current executive-resource layout (ERESOURCE is a typedef for it). It holds
 * two inline owner entries plus a pointer to a further owner table, and it
 * points to its waiter semaphore and event rather than embedding them.
 *
 * The unnamed union needs C11 anonymous-union support or the equivalent
 * compiler extension.
 */
typedef struct _ERESOURCE_LITE
{
LIST_ENTRY SystemResourcesList;
POWNER_ENTRY OwnerTable;
SHORT sActiveCount;
WORD wFlag;
PKSEMAPHORE SharedWaiters; // pointer; check for NULL before use
PKEVENT ExclusiveWaiters; // pointer; check for NULL before use
OWNER_ENTRY OwnerThreads[2];
ULONG uContentionCount;
WORD wNumberOfSharedWaiters;
WORD wNumberOfExclusiveWaiters;
// One slot read either as an address or as a back-trace index; this
// declaration does not show which reading applies when.
union
{
PVOID pAddress;
ULONG uCreatorBackTraceIndex;
};
KSPIN_LOCK SpinLock;
} ERESOURCE_LITE, *PERESOURCE_LITE;
/* ERESOURCE names the lite layout; ERESOURCE_OLD is a separate, distinct type. */
typedef ERESOURCE_LITE ERESOURCE,
*PERESOURCE;
/*
 * Completion result of an I/O request: a status code plus one
 * request-dependent value.
 *
 * NOTE(review): uInformation is declared ULONG here, so it is 32 bits wide
 * regardless of pointer size - confirm this matches the target ABI.
 */
typedef struct _IO_STATUS_BLOCK
{
NTSTATUS Status;
ULONG uInformation;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
/* Defined in Winnt.h
typedef struct _QUOTA_LIMITS {
SIZE_T PagedPoolLimit;
SIZE_T NonPagedPoolLimit;
SIZE_T MinimumWorkingSetSize;
SIZE_T MaximumWorkingSetSize;
SIZE_T PagefileLimit;
LARGE_INTEGER TimeLimit;
} QUOTA_LIMITS, *PQUOTA_LIMITS;
*/
/*
 * I/O accounting: 32-bit operation counts and 64-bit transfer counts for
 * reads, writes and other operations.
 *
 * NOTE(review): the operation counts are ULONG, so they wrap at 2^32;
 * consumers that compute deltas should tolerate wrap-around.
 */
typedef struct _IOCOUNTERS
{
ULONG uReadOperationCount;
ULONG uWriteOperationCount;
ULONG uOtherOperationCount;
LARGE_INTEGER liReadTransferCount;
LARGE_INTEGER liWriteTransferCount;
LARGE_INTEGER liOtherTransferCount;
} IOCOUNTERS, *PIOCOUNTERS;
/*
 * Virtual-memory accounting: eleven ULONG counters covering virtual size,
 * page faults, working set, pool quota and pagefile usage.
 *
 * NOTE(review): every size here is ULONG, so none can represent a value of
 * 4 GiB or more. Presumably the sizes are in bytes - confirm. The declaration
 * fits a 32-bit target only.
 */
typedef struct _VM_COUNTERS
{
ULONG uPeakVirtualSize;
ULONG uVirtualSize;
ULONG uPageFaultCount;
ULONG uPeakWorkingSetSize;
ULONG uWorkingSetSize;
ULONG uQuotaPeakPagedPoolUsage;
ULONG uQuotaPagedPoolUsage;
ULONG uQuotaPeakNonPagedPoolUsage;
ULONG uQuotaNonPagedPoolUsage;
ULONG uPagefileUsage;
ULONG uPeakPagefileUsage;
} VM_COUNTERS, *PVM_COUNTERS;
typedef struct _KERNEL_USER_TIMES
{