📄 wxpundoc.inc
ProcessExiting:1, ; bits 2
NoDebugInherit:1, ; bits 1
CreateReported:1 ; bits 0
^
ends
ExitStatus SDWORD ? ; 024ch
NextPageColor WORD ? ; 0250h
SubSystemMinorVersion BYTE ? ; 0252h
SubSystemMajorVersion BYTE ? ; 0253h
SubSystemVersion WORD ? ; 0252h
PriorityClass BYTE ? ; 0254h
WorkingSetAcquiredUnsafe BYTE ? ; 0255h
EPROCESS ENDS
; PEPROCESS: pointer-to-EPROCESS type alias.
PEPROCESS typedef PTR EPROCESS
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; KAPC_STATE: APC state block. KTHREAD embeds two of these
; (ApcState at 0034h and SavedApcState at 014Ch).
; Trailing comments give each field's byte offset from the start of the
; structure. The offsets imply 4-byte pointers (Process at 0010h is followed
; by a byte field at 0014h), i.e. a 32-bit layout.
KAPC_STATE STRUCT ; sizeof = 018h
ApcListHead LIST_ENTRY 2 dup(<>) ; 0000h two list heads, 8 bytes each (presumably one per processor mode - confirm)
Process PVOID ? ; 0010h PTR KPROCESS
KernelApcInProgress BYTE ? ; 0014h
KernelApcPending BYTE ? ; 0015h
UserApcPending BYTE ? ; 0016h
BYTE ? ; 0017h padding (rounds the structure up to 018h)
KAPC_STATE ENDS
; KTHREAD: kernel thread control block. ETHREAD embeds it at offset 0 (field Tcb).
; Trailing comments give each field's byte offset from the start of the structure.
; NOTE(review): every offset here is hard-coded for one kernel build - the
; file name (wxpundoc.inc) suggests 32-bit Windows XP. The layout is
; undocumented and changes between Windows versions, so code that uses these
; offsets should verify the running OS build first; on a mismatched build it
; would read or write unrelated kernel memory.
KTHREAD STRUCT ; sizeof = 01C0h
Header DISPATCHER_HEADER <> ; 0000h
MutantListHead LIST_ENTRY <> ; 0010h
InitialStack PVOID ? ; 0018h
StackLimit PVOID ? ; 001Ch
Teb PVOID ? ; 0020h
TlsArray PVOID ? ; 0024h
KernelStack PVOID ? ; 0028h
DebugActive BYTE ? ; 002Ch
State BYTE ? ; 002Dh
Alerted BYTE 2 dup(?) ; 002Eh two bytes (presumably one per processor mode - confirm)
Iopl BYTE ? ; 0030h
NpxState BYTE ? ; 0031h
Saturation BYTE ? ; 0032h
Priority BYTE ? ; 0033h
ApcState KAPC_STATE <> ; 0034h
ContextSwitches DWORD ? ; 004Ch
IdleSwapBlock BYTE ? ; 0050h
Spare0 BYTE 3 dup(?) ; 0051h
WaitStatus SDWORD ? ; 0054h
WaitIrql BYTE ? ; 0058h
WaitMode BYTE ? ; 0059h
WaitNext BYTE ? ; 005Ah
WaitReason BYTE ? ; 005Bh
WaitBlockList PVOID ? ; 005Ch PTR KWAIT_BLOCK
; WaitListEntry and SwapListEntry share the 8 bytes at 0060h; the 4 padding
; bytes bring the SINGLE_LIST_ENTRY alternative up to the size of LIST_ENTRY.
union
WaitListEntry LIST_ENTRY <> ; 0060h
struct
SwapListEntry SINGLE_LIST_ENTRY <> ; 0060h
db 4 dup(?) ; padding
ends
ends
WaitTime DWORD ? ; 0068h
BasePriority BYTE ? ; 006Ch
DecrementCount BYTE ? ; 006Dh
PriorityDecrement BYTE ? ; 006Eh
Quantum BYTE ? ; 006Fh
WaitBlock KWAIT_BLOCK 4 dup(<>) ; 0070h four built-in wait blocks (060h bytes in total, ending at 00D0h)
LegoData PVOID ? ; 00D0h
KernelApcDisable DWORD ? ; 00D4h
UserAffinity DWORD ? ; 00D8h
SystemAffinityActive BYTE ? ; 00DCh
PowerState BYTE ? ; 00DDh
NpxIrql BYTE ? ; 00DEh
InitialNode BYTE ? ; 00DFh
ServiceTable PVOID ? ; 00E0h presumably the system service table used by this thread - confirm
Queue PVOID ? ; 00E4h PTR KQUEUE
ApcQueueLock DWORD ? ; 00E8h
db 4 dup(?) ; 00ECh padding (keeps Timer at 00F0h)
Timer KTIMER <> ; 00F0h
QueueListEntry LIST_ENTRY <> ; 0118h
SoftAffinity DWORD ? ; 0120h
Affinity DWORD ? ; 0124h
Preempted BYTE ? ; 0128h
ProcessReadyQueue BYTE ? ; 0129h
KernelStackResident BYTE ? ; 012Ah
NextProcessor BYTE ? ; 012Bh
CallbackStack PVOID ? ; 012Ch
Win32Thread PVOID ? ; 0130h
TrapFrame PVOID ? ; 0134h PTR KTRAP_FRAME
ApcStatePointer PVOID 2 dup(?) ; 0138h two pointers (presumably to ApcState and SavedApcState - confirm)
; NOTE(review): PreviousMode is presumably the processor mode (kernel/user)
; of the caller of the current system service; it is security-sensitive
; state and should be treated as read-only by code using this layout - confirm.
PreviousMode BYTE ? ; 0140h
EnableStackSwap BYTE ? ; 0141h
LargeStack BYTE ? ; 0142h
ResourceIndex BYTE ? ; 0143h
KernelTime DWORD ? ; 0144h
UserTime DWORD ? ; 0148h
SavedApcState KAPC_STATE <> ; 014Ch
Alertable BYTE ? ; 0164h
ApcStateIndex BYTE ? ; 0165h
ApcQueueable BYTE ? ; 0166h
AutoAlignment BYTE ? ; 0167h
StackBase PVOID ? ; 0168h
SuspendApc KAPC <> ; 016Ch
SuspendSemaphore KSEMAPHORE <> ; 019Ch
ThreadListEntry LIST_ENTRY <> ; 01B0h
FreezeCount BYTE ? ; 01B8h
SuspendCount BYTE ? ; 01B9h
IdealProcessor BYTE ? ; 01BAh
DisableBoost BYTE ? ; 01BBh
DWORD ? ; 01BCh padding (rounds the structure up to 01C0h)
KTHREAD ENDS
; PKTHREAD: pointer-to-KTHREAD type alias.
PKTHREAD typedef PTR KTHREAD
; ETHREAD: executive thread object. It begins with the embedded KTHREAD (Tcb),
; so a pointer to an ETHREAD is also a pointer to its KTHREAD.
; Trailing comments give each field's byte offset from the start of the structure.
; Each union overlays several fields on the same offset, as the identical
; offsets in its members' comments show.
; NOTE(review): every offset here is hard-coded for one kernel build - the
; file name (wxpundoc.inc) suggests 32-bit Windows XP. Verify the running OS
; build before using these offsets; the layout is undocumented and changes
; between Windows versions.
; NOTE(review): four bit-field RECORDs are declared inside nested structs
; below, each followed by "db N dup(?)" padding. If the assembler allocates
; storage for a RECORD declared there, that record plus its padding would be
; larger than the sibling field it overlays (e.g. a 32-bit record + 7 bytes
; against the 8-byte CreateTime) and every later offset would shift. Check
; that sizeof ETHREAD is still 0258h after assembling.
ETHREAD STRUCT ; sizeof = 0258h
Tcb KTHREAD <> ; 0000h
union
CreateTime LARGE_INTEGER <> ; 01C0h
; Bit-field view of the same storage; record fields are listed from the
; most significant bits down to bit 0 (29 + 1 + 2 = 32 bits).
struct
ct RECORD \ ; 01C0h
ctUnused:29, ; bit 3-31
ApcNeeded:1, ; bit 2
NestedFaultCount:2 ; bit 0-1
db 7 dup(?); padding
ends
ends
union
ExitTime LARGE_INTEGER <> ; 01C8h
LpcReplyChain LIST_ENTRY <> ; 01C8h
KeyedWaitChain LIST_ENTRY <> ; 01C8h
ends
union
ExitStatus SDWORD ? ; 01D0h
OfsChain PVOID ? ; 01D0h
ends
PostBlockList LIST_ENTRY <> ; 01D4h
union
TerminationPort PVOID ? ; 01DCh PTR TERMINATION_PORT
ReaperLink PVOID ? ; 01DCh PTR ETHREAD
KeyedWaitValue PVOID ? ; 01DCh
ends
ActiveTimerListLock DWORD ? ; 01E0h
ActiveTimerListHead LIST_ENTRY <> ; 01E4h
Cid CLIENT_ID <> ; 01ECh
union
LpcReplySemaphore KSEMAPHORE <> ; 01F4h
KeyedWaitSemaphore KSEMAPHORE <> ; 01F4h
ends
union
LpcReplyMessage PVOID ? ; 0208h
LpcWaitingOnPort PVOID ? ; 0208h
ends
ImpersonationInfo PVOID ? ; 020Ch PTR PS_IMPERSONATION_INFORMATION
IrpList LIST_ENTRY <> ; 0210h
TopLevelIrp DWORD ? ; 0218h
DeviceToVerify PVOID ? ; 021Ch PTR DEVICE_OBJECT
ThreadsProcess PVOID ? ; 0220h PTR EPROCESS
StartAddress PVOID ? ; 0224h
union
Win32StartAddress PVOID ? ; 0228h
LpcReceivedMessageId DWORD ? ; 0228h
ends
ThreadListEntry LIST_ENTRY <> ; 022Ch
RundownProtect EX_RUNDOWN_REF <> ; 0234h
ThreadLock EX_PUSH_LOCK <> ; 0238h
LpcReplyMessageId DWORD ? ; 023Ch
ReadClusterSize DWORD ? ; 0240h
GrantedAccess DWORD ? ; 0244h
union
CrossThreadFlags DWORD ? ; 0248h
; Bit-field view of CrossThreadFlags: nine 1-bit flags, bit 8 down to bit 0.
; NOTE(review): HideFromDebugger (bit 2) presumably suppresses debug events
; for this thread; worth checking when a debugger or monitoring tool sees
; no events from a live thread - confirm.
struct
ctFlags RECORD \ ; 0248h
SkipTerminationMsg:1, ; bit 8
SkipCreationMsg:1, ; bit 7
BreakOnTermination:1, ; bit 6
HardErrorsAreDisabled:1, ; bit 5
SystemThread:1, ; bit 4
ActiveImpersonationInfo:1, ; bit 3
HideFromDebugger:1, ; bit 2
DeadThread:1, ; bit 1
Terminated:1 ; bit 0
db 3 dup(?); padding
ends
ends
union
SameThreadPassiveFlags DWORD ? ; 024Ch
; Bit-field view of SameThreadPassiveFlags (29 + 1 + 1 + 1 = 32 bits).
struct
stpFlags RECORD \ ; 024Ch
stpUnused:29, ; bit 3-31
MemoryMaker:1, ; bit 2
ExWorkerCanWaitUser:1, ; bit 1
ActiveExWorker:1 ; bit 0
db 3 dup(?); padding
ends
ends
union
SameThreadApcFlags DWORD ? ; 0250h
; Bit-field view of SameThreadApcFlags (29 + 1 + 1 + 1 = 32 bits).
struct
stapcFlags RECORD \ ; 0250h
stapcUnused:29, ; bit 3-31
AddressSpaceOwner:1, ; bit 2
LpcExitThreadCalled:1, ; bit 1
LpcReceivedMsgIdValid:1 ; bit 0
db 3 dup(?); padding
ends
ends
ForwardClusterOnly BYTE ? ; 0254h
DisablePageFaultClustering BYTE ? ; 0255h
db 2 dup(?); 0256h padding (rounds the structure up to 0258h)
ETHREAD ENDS
; PETHREAD: pointer-to-ETHREAD type alias.
PETHREAD typedef PTR ETHREAD
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; Process Environment Block (PEB)
; located at 7FFDF000h (pointed to by fs:[30h] in user mode)
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; Record field names must be unique, so the PEB bit-field record is declared
; separately, ahead of the structure. I named it PEB_BITS.
; PEB_BITS: 32-bit record (30 + 2 bits) used as the type of PEB.PebBits at 0034h.
; Fields are listed from the most significant bits down to bit 0.
PEB_BITS RECORD \
SpareBits:30, ; bits 2-31
ExecuteOptions:2 ; bits 0-1
; PEB: Process Environment Block, 32-bit layout (pointers are 4 bytes).
; Trailing comments give each field's byte offset from the start of the structure.
; NOTE(review): every offset here is hard-coded for one OS build - the file
; name (wxpundoc.inc) suggests 32-bit Windows XP. Verify the target build
; before using these offsets; the layout changes between Windows versions.
; NOTE(review): the PEB lives in the process's own user-mode address space
; (this file places it at 7FFDF000h), so code running in that process can
; rewrite any field. Security tooling should treat values read from it
; (BeingDebugged, NtGlobalFlag, ImageBaseAddress, Ldr, ProcessParameters, ...)
; as untrusted hints rather than ground truth.
PEB STRUCT ; sizeof = 0210h
InheritedAddressSpace BYTE ? ; 0000h
ReadImageFileExecOptions BYTE ? ; 0001h
BeingDebugged BYTE ? ; 0002h presumably non-zero while a user-mode debugger is attached - confirm
SpareBool BYTE ? ; 0003h
Mutant PVOID ? ; 0004h
ImageBaseAddress PVOID ? ; 0008h
Ldr PVOID ? ; 000Ch PTR PEB_LDR_DATA
ProcessParameters PVOID ? ; 0010h PTR RTL_USER_PROCESS_PARAMETERS
SubSystemData PVOID ? ; 0014h
ProcessHeap PVOID ? ; 0018h
FastPebLock PVOID ? ; 001Ch PTR RTL_CRITICAL_SECTION
FastPebLockRoutine PVOID ? ; 0020h
FastPebUnlockRoutine PVOID ? ; 0024h
EnvironmentUpdateCount DWORD ? ; 0028h
KernelCallbackTable PVOID ? ; 002Ch
SystemReserved DWORD 1 dup(?) ; 0030h
PebBits PEB_BITS <> ; 0034h named by me
FreeList PVOID ? ; 0038h PTR PEB_FREE_BLOCK
TlsExpansionCounter DWORD ? ; 003Ch
TlsBitmap PVOID ? ; 0040h
TlsBitmapBits DWORD 2 dup(?) ; 0044h
ReadOnlySharedMemoryBase PVOID ? ; 004Ch
ReadOnlySharedMemoryHeap PVOID ? ; 0050h
ReadOnlyStaticServerData PVOID ? ; 0054h
AnsiCodePageData PVOID ? ; 0058h
OemCodePageData PVOID ? ; 005Ch
UnicodeCaseTableData PVOID ? ; 0060h
NumberOfProcessors DWORD ? ; 0064h
NtGlobalFlag DWORD ? ; 0068h
DWORD ? ; 006Ch padding (aligns CriticalSectionTimeout to 0070h)
CriticalSectionTimeout LARGE_INTEGER <> ; 0070h
HeapSegmentReserve DWORD ? ; 0078h
HeapSegmentCommit DWORD ? ; 007Ch
HeapDeCommitTotalFreeThreshold DWORD ? ; 0080h
HeapDeCommitFreeBlockThreshold DWORD ? ; 0084h
NumberOfHeaps DWORD ? ; 0088h
MaximumNumberOfHeaps DWORD ? ; 008Ch
ProcessHeaps PVOID ? ; 0090h
GdiSharedHandleTable PVOID ? ; 0094h
ProcessStarterHelper PVOID ? ; 0098h
GdiDCAttributeList DWORD ? ; 009Ch
LoaderLock PVOID ? ; 00A0h
OSMajorVersion DWORD ? ; 00A4h
OSMinorVersion DWORD ? ; 00A8h
OSBuildNumber WORD ? ; 00ACh
OSCSDVersion WORD ? ; 00AEh
OSPlatformId DWORD ? ; 00B0h
ImageSubsystem DWORD ? ; 00B4h
ImageSubsystemMajorVersion DWORD ? ; 00B8h
ImageSubsystemMinorVersion DWORD ? ; 00BCh
ImageProcessAffinityMask DWORD ? ; 00C0h
GdiHandleBuffer DWORD 34 dup(?) ; 00C4h 34 DWORDs = 088h bytes
PostProcessInitRoutine PVOID ? ; 014Ch
TlsExpansionBitmap PVOID ? ; 0150h
TlsExpansionBitmapBits DWORD 32 dup(?) ; 0154h 32 DWORDs = 080h bytes
SessionId DWORD ? ; 01D4h
AppCompatFlags ULARGE_INTEGER <> ; 01D8h
AppCompatFlagsUser ULARGE_INTEGER <> ; 01E0h
pShimData PVOID ? ; 01E8h
AppCompatInfo PVOID ? ; 01ECh
CSDVersion UNICODE_STRING <> ; 01F0h
ActivationContextData PVOID ? ; 01F8h
ProcessAssemblyStorageMap PVOID ? ; 01FCh
SystemDefaultActivationContextData PVOID ? ; 0200h
SystemAssemblyStorageMap PVOID ? ; 0204h
MinimumStackCommit DWORD ? ; 0208h
DWORD ? ; 020Ch padding (rounds the structure up to 0210h)
PEB ENDS