📄 ntdll.h
LARGE_INTEGER liCreateTime;
LARGE_INTEGER liExitTime;
LARGE_INTEGER liKernelTime;
LARGE_INTEGER liUserTime;
} KERNEL_USER_TIMES, *PKERNEL_USER_TIMES;
// Single-member wrapper around a KPRIORITY base-priority value.
// KPRIORITY is declared outside this excerpt.
typedef struct _BASE_PRIORITY_INFORMATION
{
KPRIORITY BasePriority;
} BASE_PRIORITY_INFORMATION, *PBASE_PRIORITY_INFORMATION;
// Single-member wrapper around a KAFFINITY value.
// KAFFINITY is declared outside this excerpt; presumably a per-processor bit mask -- confirm.
typedef struct _AFFINITY_MASK
{
KAFFINITY AffinityMask;
} AFFINITY_MASK, *PAFFINITY_MASK;
// Broken-down calendar time, one 16-bit WORD per component.
// NOTE(review): wWeekday is the last member here, unlike Win32 SYSTEMTIME where the
// day-of-week field comes third, so the two layouts are not cast-compatible.
typedef struct _TIME_FIELDS
{
WORD wYear;
WORD wMonth;
WORD wDay;
WORD wHour;
WORD wMinute;
WORD wSecond;
WORD wMilliseconds;
WORD wWeekday;
} TIME_FIELDS, *PTIME_FIELDS;
// Pointer to an I/O completion APC callback taking a caller context, an I/O status
// block and a reserved ULONG.
// NOTE(review): no calling convention is given here, so the compiler default applies.
// The native API headers declare this callback as NTAPI; on x86 a mismatch corrupts
// the stack when the callback returns -- confirm against the build settings.
typedef void (*PIO_APC_ROUTINE) (PVOID ApcContext,
PIO_STATUS_BLOCK IoStatusBlock,
ULONG Reserved);
// Fallback declaration of the NTFS volume data record, compiled only when
// _WIN32_WINNT is below 0x0400.
// NOTE(review): presumably newer SDK headers supply their own NTFS_VOLUME_DATA_BUFFER;
// the member names used here (li*/u* prefixes) may not match that definition, so code
// touching these members should be checked under both configurations.
#if(_WIN32_WINNT < 0x0400)
typedef struct _NTFS_VOLUME_DATA_BUFFER
{
LARGE_INTEGER liSerialNumber;
LARGE_INTEGER liNumberOfSectors;
LARGE_INTEGER liTotalClusters;
LARGE_INTEGER liFreeClusters;
LARGE_INTEGER liReserved;
ULONG uBytesPerSector;
ULONG uBytesPerCluster;
ULONG uBytesPerMFTRecord;
ULONG uClustersPerMFTRecord;
LARGE_INTEGER liMFTLength;
LARGE_INTEGER liMFTStart;
LARGE_INTEGER liMFTMirrorStart;
LARGE_INTEGER liMFTZoneStart;
LARGE_INTEGER liMFTZoneEnd;
} NTFS_VOLUME_DATA_BUFFER, *PNTFS_VOLUME_DATA_BUFFER;
#endif
// One object-directory entry: the object's name, its type name, and trailing data.
// Data is declared with one element but is variable length, so sizeof(OBJDIR_INFORMATION)
// does not describe a whole record. Readers must bound every access by the size of the
// buffer actually returned, and should check that the Buffer/Length of both
// UNICODE_STRINGs fall inside that buffer before dereferencing them.
typedef struct _OBJDIR_INFORMATION
{
UNICODE_STRING ObjectName;
UNICODE_STRING ObjectTypeName; // e.g. Directory, Device ...
UCHAR Data[1]; // variable length
} OBJDIR_INFORMATION, *POBJDIR_INFORMATION;
// File-system (volume) information classes. Numbering starts at 1, not 0; the trailing
// comments give each enumerator's value. FileFsMaximumInformation (9) is the
// one-past-the-last sentinel, not a usable class.
// The FILE_FS_*_INFORMATION structures below follow the same naming, one per class.
typedef enum _FSINFOCLASS {
FileFsVolumeInformation = 1,
FileFsLabelInformation, // 2
FileFsSizeInformation, // 3
FileFsDeviceInformation, // 4
FileFsAttributeInformation, // 5
FileFsControlInformation, // 6
FileFsFullSizeInformation, // 7
FileFsObjectIdInformation, // 8
FileFsMaximumInformation
} FS_INFORMATION_CLASS, *PFS_INFORMATION_CLASS;
// Volume identity record: creation time, serial number and label.
// VolumeLabel is a one-element placeholder for a variable-length trailing array whose
// extent is given by VolumeLabelLength.
// NOTE(review): the WDK documents VolumeLabelLength as a byte count and the label as
// not NUL-terminated -- confirm, and bound reads by both the length field and the size
// of the buffer actually returned.
typedef struct _FILE_FS_VOLUME_INFORMATION {
LARGE_INTEGER VolumeCreationTime;
ULONG VolumeSerialNumber;
ULONG VolumeLabelLength;
BOOLEAN SupportsObjects;
WCHAR VolumeLabel[1];
} FILE_FS_VOLUME_INFORMATION, *PFILE_FS_VOLUME_INFORMATION;
// Volume label record: a length followed by the label characters.
// VolumeLabel is a one-element placeholder for a variable-length trailing array.
// NOTE(review): VolumeLabelLength is presumably in bytes, with no NUL terminator
// guaranteed -- confirm before sizing or copying the label.
typedef struct _FILE_FS_LABEL_INFORMATION {
ULONG VolumeLabelLength;
WCHAR VolumeLabel[1];
} FILE_FS_LABEL_INFORMATION, *PFILE_FS_LABEL_INFORMATION;
// Volume capacity expressed in allocation units, plus the factors needed to turn
// units into bytes (SectorsPerAllocationUnit * BytesPerSector).
// When computing byte totals, do the multiplication in 64 bits: the unit counts are
// LARGE_INTEGER and the product does not fit in a ULONG for large volumes.
typedef struct _FILE_FS_SIZE_INFORMATION {
LARGE_INTEGER TotalAllocationUnits;
LARGE_INTEGER AvailableAllocationUnits;
ULONG SectorsPerAllocationUnit;
ULONG BytesPerSector;
} FILE_FS_SIZE_INFORMATION, *PFILE_FS_SIZE_INFORMATION;
// Device type and characteristics flags for the device backing a volume.
// DEVICE_TYPE is declared outside this excerpt; the bit meanings of Characteristics
// are not defined here.
typedef struct _FILE_FS_DEVICE_INFORMATION {
DEVICE_TYPE DeviceType;
ULONG Characteristics;
} FILE_FS_DEVICE_INFORMATION, *PFILE_FS_DEVICE_INFORMATION;
// File-system attribute flags, maximum path-component length, and the file-system name.
// FileSystemName is a one-element placeholder for a variable-length trailing array
// sized by FileSystemNameLength.
// NOTE(review): FileSystemNameLength is presumably in bytes and the name is not
// guaranteed to be NUL-terminated -- confirm. MaximumComponentNameLength is declared
// signed (LONG), so reject negative values before using it as a size.
typedef struct _FILE_FS_ATTRIBUTE_INFORMATION {
ULONG FileSystemAttributes;
LONG MaximumComponentNameLength;
ULONG FileSystemNameLength;
WCHAR FileSystemName[1];
} FILE_FS_ATTRIBUTE_INFORMATION, *PFILE_FS_ATTRIBUTE_INFORMATION;
// Volume control settings: free-space filtering thresholds, default quota threshold
// and limit, and a flags word. The flag bit values are not defined in this excerpt.
typedef struct _FILE_FS_CONTROL_INFORMATION {
LARGE_INTEGER FreeSpaceStartFiltering;
LARGE_INTEGER FreeSpaceThreshold;
LARGE_INTEGER FreeSpaceStopFiltering;
LARGE_INTEGER DefaultQuotaThreshold;
LARGE_INTEGER DefaultQuotaLimit;
ULONG FileSystemControlFlags;
} FILE_FS_CONTROL_INFORMATION, *PFILE_FS_CONTROL_INFORMATION;
// Volume capacity with separate quota-based and overall figures, in allocation units,
// plus the factors needed to convert units to bytes.
// NOTE(review): the names suggest the "Quota" members reflect the caller's quota while
// AvailableAllocationUnits is the volume-wide figure -- confirm against the API docs.
typedef struct _FILE_FS_FULL_SIZE_INFORMATION {
LARGE_INTEGER TotalQuotaAllocationUnits;
LARGE_INTEGER AvailableQuotaAllocationUnits;
LARGE_INTEGER AvailableAllocationUnits;
ULONG SectorsPerAllocationUnit;
ULONG BytesPerSector;
} FILE_FS_FULL_SIZE_INFORMATION, *PFILE_FS_FULL_SIZE_INFORMATION;
// Volume object identifier: a GUID followed by 12 ULONGs (48 bytes) of extended
// information whose contents are not described in this excerpt.
typedef struct _FILE_FS_OBJECT_ID_INFORMATION {
GUID VolumeObjectId;
ULONG VolumeObjectIdExtendedInfo[12];
} FILE_FS_OBJECT_ID_INFORMATION, *PFILE_FS_OBJECT_ID_INFORMATION;
// System information classes. Enumerators are numbered implicitly from 0
// (SystemBasicInformation == 0); MaxSystemInfoClass is the one-past-the-last sentinel.
//
// The hex figures in the trailing comments are NOT the enumerator values. They appear
// to be the buffer size in bytes each class expects or returns ("+ (n * ...)" marks a
// per-item array, "+" a variable-length record); "fails if size != 4" supports that
// reading. Treat them as observations tied to the OS versions the author examined
// (some entries are marked "XP only!"), not as a contract: callers should size
// buffers from the length reported at run time and verify the returned length before
// parsing.
//
// "set mode only" marks classes the comments say are accepted for setting, not
// querying. NOTE(review): several of those (driver load/unload/add) change system
// state and presumably require elevated privilege -- confirm before relying on them.
typedef enum _SYSTEMINFOCLASS
{
SystemBasicInformation, // 0x002C
SystemProcessorInformation, // 0x000C
SystemPerformanceInformation, // 0x0138
SystemTimeInformation, // 0x0020
SystemPathInformation, // not implemented
SystemProcessInformation, // 0x00C8+ per process
SystemCallInformation, // 0x0018 + (n * 0x0004)
SystemConfigurationInformation, // 0x0018
SystemProcessorCounters, // 0x0030 per cpu
SystemGlobalFlag, // 0x0004 (fails if size != 4)
SystemCallTimeInformation, // not implemented
SystemModuleInformation, // 0x0004 + (n * 0x011C)
SystemLockInformation, // 0x0004 + (n * 0x0024)
SystemStackTraceInformation, // not implemented
SystemPagedPoolInformation, // checked build only
SystemNonPagedPoolInformation, // checked build only
SystemHandleInformation, // 0x0004 + (n * 0x0010)
SystemObjectTypeInformation, // 0x0038+ + (n * 0x0030+)
SystemPageFileInformation, // 0x0018+ per page file
SystemVdmInstemulInformation, // 0x0088
SystemVdmBopInformation, // invalid info class
SystemCacheInformation, // 0x0024
SystemPoolTagInformation, // 0x0004 + (n * 0x001C)
SystemInterruptInformation, // 0x0000, or 0x0018 per cpu
SystemDpcInformation, // 0x0014
SystemFullMemoryInformation, // checked build only
SystemLoadDriver, // 0x0018, set mode only
SystemUnloadDriver, // 0x0004, set mode only
SystemTimeAdjustmentInformation, // 0x000C, 0x0008 writeable
SystemSummaryMemoryInformation, // checked build only
SystemNextEventIdInformation, // checked build only
SystemEventIdsInformation, // checked build only
SystemCrashDumpInformation, // 0x0004
SystemExceptionInformation, // 0x0010
SystemCrashDumpStateInformation, // 0x0004
SystemDebuggerInformation, // 0x0002
SystemContextSwitchInformation, // 0x0030
SystemRegistryQuotaInformation, // 0x000C
SystemAddDriver, // 0x0008, set mode only
SystemPrioritySeparationInformation,// 0x0004, set mode only
SystemPlugPlayBusInformation, // not implemented
SystemDockInformation, // not implemented
SystemPowerInfo, // 0x0060 (XP only!)
SystemProcessorSpeedInformation, // 0x000C (XP only!)
SystemTimeZoneInformation, // 0x00AC
SystemLookasideInformation, // n * 0x0020
SystemSetTimeSlipEvent,
SystemCreateSession, // set mode only
SystemDeleteSession, // set mode only
SystemInvalidInfoClass1, // invalid info class
SystemRangeStartInformation, // 0x0004 (fails if size != 4)
SystemVerifierInformation,
SystemAddVerifier,
SystemSessionProcessesInformation, // checked build only
MaxSystemInfoClass
} SYSTEMINFOCLASS, *PSYSTEMINFOCLASS;
// Basic machine parameters: timer increment, page size, physical page range,
// allocation granularity, user address range and processor mask/count.
// Member names prefixed Ke/Mm presumably mirror kernel variables of the same name.
// NOTE(review): assuming 4-byte PVOID and KAFFINITY (32-bit build) the members sum to
// 0x2C bytes, matching the size noted beside SystemBasicInformation in SYSTEMINFOCLASS.
// On a 64-bit build the pointer and affinity members widen and this layout would no
// longer match that figure -- confirm before reuse.
typedef struct _SYSTEM_BASIC_INFORMATION
{
DWORD dwUnknown1; // 0
ULONG uKeMaximumIncrement; // x86: 0x0002625A or 0x00018730
ULONG uPageSize; // bytes
ULONG uMmNumberOfPhysicalPages;
ULONG uMmLowestPhysicalPage;
ULONG uMmHighestPhysicalPage;
ULONG uAllocationGranularity; // bytes
PVOID pLowestUserAddress;
PVOID pMmHighestUserAddress;
KAFFINITY uKeActiveProcessors;
BYTE bKeNumberProcessors;
BYTE bUnknown2;
WORD wUnknown3;
} SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION;
// Processor architecture, level, revision and feature bits.
// Four WORDs plus one ULONG: 0x0C bytes, matching the size noted beside
// SystemProcessorInformation in SYSTEMINFOCLASS.
typedef struct _SYSTEM_PROCESSOR_INFORMATION
{
WORD wKeProcessorArchitecture; // PROCESSOR_ARCHITECTURE_* (PROCESSOR_ARCHITECTURE_INTEL)
WORD wKeProcessorLevel; // PROCESSOR_* (PROCESSOR_INTEL_PENTIUM)
WORD wKeProcessorRevision; // Pentium: H=model, L=stepping
WORD wUnknown1; // 0
ULONG uKeFeatureBits;
} SYSTEM_PROCESSOR_INFORMATION, *PSYSTEM_PROCESSOR_INFORMATION;
// Memory-manager counters: page-fault categories and paging I/O counts.
// Thirteen ULONGs (0x34 bytes); embedded by value in SYSTEM_PERFORMANCE_INFORMATION.
// All counters are 32-bit, so consumers computing rates should tolerate wrap-around.
// "uTransistionFaults" is misspelled in the identifier; it is kept as-is because
// renaming it would break existing users of this header.
typedef struct _MM_INFO_COUNTERS
{
ULONG uPageFaults;
ULONG uWriteCopyFaults;
ULONG uTransistionFaults;
ULONG uCacheTransitionCount;
ULONG uDemandZeroFaults;
ULONG uPagesRead;
ULONG uPageReadIos;
ULONG uCacheReadCount;
ULONG uCacheIoCount;
ULONG uPagefilePagesWritten;
ULONG uPagefilePageWriteIos;
ULONG uMappedFilePagesWritten;
ULONG uMappedFilePageWriteIos;
} MM_INFO_COUNTERS, *PMM_INFO_COUNTERS;
// System-wide performance counters: idle time, I/O transfer and operation counts,
// memory-manager (Mm) page and pool figures, cache-manager (Cc) hit/miss counters,
// and context-switch, TLB-fill and system-call totals.
// With 8-byte LARGE_INTEGER and 4-byte ULONG/DWORD the members sum to 0x138 bytes,
// matching the size noted beside SystemPerformanceInformation in SYSTEMINFOCLASS.
// The layout is fixed-size with no length member, so a reader must check the returned
// length equals what it expects before trusting the later fields; an OS version with
// a different layout would otherwise be misread silently.
typedef struct _SYSTEM_PERFORMANCE_INFORMATION
{
LARGE_INTEGER liIdleTime; // 100 nsec units
LARGE_INTEGER liIoReadTransferCount;
LARGE_INTEGER liIoWriteTransferCount;
LARGE_INTEGER liIoOtherTransferCount;
ULONG uIoReadOperationCount;
ULONG uIoWriteOperationCount;
ULONG uIoOtherOperationCount;
ULONG uMmAvailablePages;
ULONG uMmTotalCommittedPages;
ULONG uMmTotalCommitLimit; // pages
ULONG uMmPeakCommitLimit; // pages
MM_INFO_COUNTERS MmInfoCounters;
ULONG uPoolPaged; // pages
ULONG uPoolNonPaged; // pages
ULONG uPagedPoolAllocs;
ULONG uPagedPoolFrees;
ULONG uNonPagedPoolAllocs;
ULONG uNonPagedPoolFrees;
ULONG uMmTotalFreeSystemPages;
ULONG uMmSystemCodePage;
ULONG uMmTotalSystemDriverPages;
ULONG uMmTotalSystemCodePages;
ULONG uSmallNonPagedLookasideListAllocateHits;
ULONG uSmallPagedLookasideListAllocateHits;
DWORD dwUnknown1;
ULONG uMmSystemCachePage;
ULONG uMmPagedPoolPage;
ULONG uMmSystemDriverPage;
ULONG uCcFastReadNoWait;
ULONG uCcFastReadWait;
ULONG uCcFastReadResourceMiss;
ULONG uCcFastReadNotPossible;
ULONG uCcFastMdlReadNoWait;
ULONG uCcFastMdlReadWait;
ULONG uCcFastMdlReadResourceMiss;
ULONG uCcFastMdlReadNotPossible;
ULONG uCcMapDataNoWait;
ULONG uCcMapDataWait;
ULONG uCcMapDataNoWaitMiss;
ULONG uCcMapDataWaitMiss;
ULONG uCcPinMappedDataCount;
ULONG uCcPinReadNoWait;
ULONG uCcPinReadWait;
ULONG uCcPinReadNoWaitMiss;
ULONG uCcPinReadWaitMiss;
ULONG uCcCopyReadNoWait;
ULONG uCcCopyReadWait;
ULONG uCcCopyReadNoWaitMiss;
ULONG uCcCopyReadWaitMiss;
ULONG uCcMdlReadNoWait;
ULONG uCcMdlReadWait;
ULONG uCcMdlReadNoWaitMiss;
ULONG uCcMdlReadWaitMiss;
ULONG uCcReadAheadIos;
ULONG uCcLazyWriteIos;
ULONG uCcLazyWritePages;
ULONG uCcDataFlushes;
ULONG uCcDataPages;
ULONG uTotalContextSwitches; // total across cpus
ULONG uFirstLevelTbFills;
ULONG uSecondLevelTbFills;
ULONG uSystemCalls;
} SYSTEM_PERFORMANCE_INFORMATION, *PSYSTEM_PERFORMANCE_INFORMATION;
// Boot time, current system time, time-zone bias and time-zone id.
// Three LARGE_INTEGERs plus two 32-bit members: 0x20 bytes, matching the size noted
// beside SystemTimeInformation in SYSTEMINFOCLASS.
// NOTE(review): the two time stamps are presumably in 100 ns units, like the other
// LARGE_INTEGER times in this header -- confirm.
typedef struct _SYSTEM_TIME_INFORMATION
{
LARGE_INTEGER liKeBootTime; // relative to 01-01-1601
LARGE_INTEGER liKeSystemTime; // relative to 01-01-1601
LARGE_INTEGER liExpTimeZoneBias; // utc time = local time + bias
ULONG uExpCurrentTimeZoneId; // TIME_ZONE_ID_* (TIME_ZONE_ID_UNKNOWN, etc.)
DWORD dwUnknown1;
} SYSTEM_TIME_INFORMATION, *PSYSTEM_TIME_INFORMATION;
// Thread scheduling states, numbered implicitly from 0 (StateInitialized) to
// 7 (StateUnknown). Used as the type of SYSTEM_THREAD.ThreadState.
// A value read from a system-supplied buffer may fall outside this range on an OS
// version that defines more states; treat anything above StateUnknown as unknown
// rather than indexing a table with it.
typedef enum
{
StateInitialized,
StateReady,
StateRunning,
StateStandby,
StateTerminated,
StateWait,
StateTransition,
StateUnknown
} THREAD_STATE;
// Per-thread record; an array of these trails each SYSTEM_PROCESS_INFORMATION entry.
// The "EIP" note on pStartAddress indicates the layout was observed on x86.
// The commented-out trailing member records the author's doubt about the true record
// size. Because these records are walked as an array, a wrong size shifts every
// element after the first; validate the stride against a known-good OS version.
typedef struct _SYSTEM_THREAD
{
LARGE_INTEGER liKernelTime; // 100 nsec units
LARGE_INTEGER liUserTime; // 100 nsec units
LARGE_INTEGER liCreateTime; // relative to 01-01-1601
ULONG WaitTime; // ticks
PVOID pStartAddress; // EIP
CLIENT_ID Cid; // process/thread ids
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitches;
THREAD_STATE ThreadState;
KWAIT_REASON WaitReason;
// DWORD dwUnknown2; // may not exist
} SYSTEM_THREAD, *PSYSTEM_THREAD;
// Per-process record in the variable-length list returned for SystemProcessInformation.
// Entries are chained by uNext, a relative offset to the following entry, and each is
// followed by a flexible array of SYSTEM_THREAD records (presumably uThreadCount of
// them -- confirm).
//
// Parsing notes for consumers:
//  - Before following uNext, check that it keeps the cursor inside the returned
//    buffer and leaves room for at least one full header; presumably 0 marks the last
//    entry -- confirm.
//  - usName.Buffer may be NULL or point anywhere; check Buffer and Length against the
//    returned buffer before reading the name.
//  - Process ids are declared ULONG here, so this layout describes a 32-bit view.
//  - This variant has no I/O counters; SYSTEM_PROCESS_INFORMATION_2000 inserts
//    IoCounters before aST, so picking the wrong variant for the running OS misplaces
//    every thread record.
typedef struct _SYSTEM_PROCESS_INFORMATION
{
ULONG uNext; // relative offset
ULONG uThreadCount;
LARGE_INTEGER liUnknown1;
LARGE_INTEGER liUnknown2;
LARGE_INTEGER liUnknown3;
LARGE_INTEGER liCreateTime; // relative to 01-01-1601
LARGE_INTEGER liUserTime; // 100 nsec units
LARGE_INTEGER liKernelTime; // 100 nsec units
UNICODE_STRING usName;
KPRIORITY BasePriority;
ULONG uUniqueProcessId;
ULONG uInheritedFromUniqueProcessId;
ULONG uHandleCount;
ULONG uSessionId; // W2K Only!
DWORD dwUnknown5;
VM_COUNTERS VmCounters;
ULONG uCommitCharge; // bytes
SYSTEM_THREAD aST[];
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
// Six 64-bit I/O counters: read/write/other operation counts, then the matching
// transfer counts. Embedded by value in SYSTEM_PROCESS_INFORMATION_2000.
typedef struct _IO_COUNTERSEX
{
LARGE_INTEGER ReadOperationCount;
LARGE_INTEGER WriteOperationCount;
LARGE_INTEGER OtherOperationCount;
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;
} IO_COUNTERSEX, *PIO_COUNTERSEX;
// Variant of SYSTEM_PROCESS_INFORMATION that adds an IO_COUNTERSEX block between
// uCommitCharge and the trailing SYSTEM_THREAD array; every other member is identical.
// The type name suggests this is the Windows 2000 layout -- confirm.
//
// The same parsing cautions apply: check uNext and usName.Buffer/Length against the
// returned buffer before dereferencing, and select this variant only on an OS whose
// records actually carry the I/O counters, since the thread array offset differs by
// sizeof(IO_COUNTERSEX) between the two layouts.
typedef struct _SYSTEM_PROCESS_INFORMATION_2000
{
ULONG uNext; // relative offset
ULONG uThreadCount;
LARGE_INTEGER liUnknown1;
LARGE_INTEGER liUnknown2;
LARGE_INTEGER liUnknown3;
LARGE_INTEGER liCreateTime; // relative to 01-01-1601
LARGE_INTEGER liUserTime; // 100 nsec units
LARGE_INTEGER liKernelTime; // 100 nsec units
UNICODE_STRING usName;
KPRIORITY BasePriority;
ULONG uUniqueProcessId;
ULONG uInheritedFromUniqueProcessId;
ULONG uHandleCount;
ULONG uSessionId; // W2K Only!
DWORD dwUnknown5;
VM_COUNTERS VmCounters;
ULONG uCommitCharge; // bytes
IO_COUNTERSEX IoCounters;
SYSTEM_THREAD aST[];
} SYSTEM_PROCESS_INFORMATION_2000, *PSYSTEM_PROCESS_INFORMATION_2000;
// Fixed header of the system-call count record. Only Length and NumberOfTables are
// declared; the two commented-out lines describe variable-length data that follows
// the header and cannot be expressed as C members.
// Readers should derive all offsets from NumberOfTables and the per-table entry
// counts, and check each against Length and the returned buffer size before indexing.
typedef struct _SYSTEM_CALL_INFORMATION
{
ULONG Length;
ULONG NumberOfTables;
// ULONG NumberOfEntries[NumberOfTables]
// ULONG CallCounts[NumberOfTables][NumberOfEntries];
} SYSTEM_CALL_INFORMATION, *PSYSTEM_CALL_INFORMATION;
// Counts of device classes present: disks, floppies, CD-ROMs, tapes, serial and
// parallel ports. Six ULONGs: 0x18 bytes, matching the size noted beside
// SystemConfigurationInformation in SYSTEMINFOCLASS.
typedef struct _SYSTEM_CONFIGURATION_INFORMATION
{
ULONG uDiskCount;
ULONG uFloppyCount;
ULONG uCDRomCount;
ULONG uTapeCount;
ULONG uSerialCount; // com port with mouse not included
ULONG uParallelCount;
} SYSTEM_CONFIGURATION_INFORMATION, *PSYSTEM_CONFIGURATION_INFORMATION;
// Per-processor time accounting and interrupt count. Five LARGE_INTEGERs plus two
// 32-bit members: 0x30 bytes, matching the "per cpu" size noted beside
// SystemProcessorCounters in SYSTEMINFOCLASS, so a query returns one record per CPU.
typedef struct _SYSTEM_PROCESSOR_COUNTERS
{
LARGE_INTEGER liProcessorTime; // 100 nsec units
LARGE_INTEGER liKernelTime; // 100 nsec units
LARGE_INTEGER liUserTime; // 100 nsec units
LARGE_INTEGER liDpcTime; // 100 nsec units
LARGE_INTEGER liInterruptTime; // 100 nsec units
ULONG uInterruptCount;
DWORD dwUnknown1;
} SYSTEM_PROCESSOR_COUNTERS, *PSYSTEM_PROCESSOR_COUNTERS;
// Wrapper around the 32-bit NtGlobalFlag word. The SYSTEMINFOCLASS comment for
// SystemGlobalFlag notes the call fails unless the buffer size is exactly 4, which is
// the size of this structure.
// The Q-numbers look like Microsoft Knowledge Base article ids describing the flag
// bits -- confirm; the bit values themselves are not defined in this excerpt.
typedef struct _SYSTEM_GLOBAL_FLAG
{
ULONG NtGlobalFlag; // see Q147314, Q102985, Q105677
} SYSTEM_GLOBAL_FLAG, *PSYSTEM_GLOBAL_FLAG;
// System-call timing record: a length, a call total, and a trailing array of times.
// TimeOfCalls is declared with one element; presumably it is a placeholder for a
// variable-length array bounded by Length -- confirm. SYSTEMINFOCLASS marks
// SystemCallTimeInformation as "not implemented", so this layout may be unverified.
typedef struct _SYSTEM_CALL_TIME_INFORMATION
{
ULONG Length;
ULONG TotalCalls;
LARGE_INTEGER TimeOfCalls[1];
} SYSTEM_CALL_TIME_INFORMATION, *PSYSTEM_CALL_TIME_INFORMATION;
// One loaded-module record: load address, size, flags, indices and image path.
// The members sum to 0x11C bytes, matching the per-item size noted beside
// SystemModuleInformation in SYSTEMINFOCLASS.
//
// Base is declared ULONG, so this layout can only describe a 32-bit address; a 64-bit
// system would need a different structure.
// ModuleNameOffset is presumably the offset within ImageName at which the file-name
// part starts -- confirm. Check it is below sizeof(ImageName) before using it, and do
// not assume ImageName is NUL-terminated when copying or printing it.
typedef struct _SYSTEM_MODULE
{
ULONG Reserved[2];
ULONG Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;
CHAR ImageName[256];
} SYSTEM_MODULE, *PSYSTEM_MODULE;
// Module list: a count followed by a flexible array of SYSTEM_MODULE records, i.e.
// the "0x0004 + (n * 0x011C)" shape noted beside SystemModuleInformation.
// uCount comes from the system-filled buffer; before iterating, check that
// sizeof(ULONG) + uCount * sizeof(SYSTEM_MODULE) does not overflow and does not exceed
// the number of bytes actually returned.
typedef struct _SYSTEM_MODULE_INFORMATION
{
ULONG uCount;
SYSTEM_MODULE aSM[];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
typedef struct _SYSTEM_LOCK
{
union
{
PERESOURCE_OLD pEResourceOld; // old ERESOURCE format
PERESOURCE_LITE pEResourceLite; // new "lite" format
PERESOURCE pEResource; // current format
};
WORD wUnknown1; // 1
WORD wUnknown2; // 0
ULONG ExclusiveOwnerThreadId;