
📄 w2kundoc.inc

📁 这是asm驱动的开发包
comment ^

Module Name:
    w2kundoc.inc

Abstract:
    This module defines some undocumented W2000 structures and constants.

Author:
    Four-F (four-f@mail.ru)

Last Update:
	03-October-2003

IMPORTANT:
	Hand made -> Bugs are very possible :(
	Your bug report is very welcome.

Comments:
    Some field names have been changed because they collide with MASM reserved words.
    Every such name is prefixed with an underscore ('_').
^

include native.inc

IFNDEF KAFFINITY
	include ntddk.inc
ENDIF

;IFNDEF KPROCESSOR_MODE
;	KPROCESSOR_MODE typedef BYTE
;ENDIF

;IFNDEF ULARGE_INTEGER
;	include ntdef.inc
;ENDIF

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

; KAPC_STATE - per-thread APC bookkeeping block as laid out on Windows 2000 (x86).
; Holds two APC list heads, a pointer to the owning KPROCESS and three one-byte flags.
; NOTE(review): the offsets are hand-derived for W2000 (see file header); check them against
; symbols for the exact target build before dereferencing in kernel mode, since a wrong
; offset in ring 0 silently reads or writes unrelated kernel memory.
KAPC_STATE STRUCT						; sizeof = 18h
	ApcListHead			LIST_ENTRY	2 dup(<?>)	; 00h two list heads, 8 bytes each (presumably indexed by processor mode - confirm)
	Process				PVOID		?	; 10h PTR KPROCESS
	KernelApcInProgress	BYTE		?	; 14h
	KernelApcPending	BYTE		?	; 15h
	UserApcPending		BYTE		?	; 16h
						db 			?	; 17h padding, rounds the structure up to 18h
KAPC_STATE ENDS
PKAPC_STATE typedef PTR KAPC_STATE

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

; KGDTENTRY - one 8-byte x86 segment descriptor (GDT/LDT entry).
; The low dword carries limit bits 0-15 and base bits 0-15; the high dword (_HighWord)
; can be viewed either as four bytes or through the Bits record below.
; The Dpl field is the descriptor privilege level, so it is the field to inspect when
; auditing which ring may load a selector.
KGDTENTRY STRUCT		; sizeof = 8
	LimitLow		WORD	?	; 00h segment limit bits 0-15
	BaseLow			WORD	?	; 02h segment base bits 0-15
	union _HighWord		; original HighWord
		struct Bytes
			BaseMid	BYTE	?	; 04h base bits 16-23
			Flags1	BYTE	?	; 05h Type/Dpl/Pres bits (bits 8-15 of the record below)
			Flags2	BYTE	?	; 06h LimitHi and the Sys/Reserved_0/Default_Big/Granularity bits
			BaseHi	BYTE	?	; 07h base bits 24-31
		ends
		; MASM requires record field names to be unique, so they cannot reuse the
		; names from the Bytes view. kd displays this bitfield as __unnamed11, hence
		; every field name is prefixed with 'u11'.
		; NOTE(review): RECORD is a type declaration; it presumably supplies only masks and
		; shift counts for the high dword and adds no storage (sizeof stays 8) - confirm
		; in the assembler listing.
		Bits RECORD \
			u11BaseHi:8,		; bits24-31 BaseHi
			u11Granularity:1,	; bits23-23 Granularity
			u11Default_Big:1,	; bits22-22 Default_Big
			u11Reserved_0:1,	; bits21-21 Reserved_0
			u11Sys:1,			; bits20-20 Sys
			u11LimitHi:4,		; bits16-19 LimitHi
			u11Pres:1,			; bits15-15 Pres
			u11Dpl:2,			; bits13-14 Dpl
			u11Type:5,			; bits8-12  Type
			u11BaseMid:8		; bits0-7   BaseMid
	ends ; HighWord
KGDTENTRY ENDS
PKGDTENTRY typedef PTR KGDTENTRY

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

; KIDTENTRY - one 8-byte x86 interrupt descriptor table entry (gate descriptor).
; The handler address is split across _Offset (low 16 bits) and ExtendedOffset
; (high 16 bits); Selector names the code segment the gate transfers to.
; An integrity check should reassemble the full 32-bit address before comparing it
; with the expected handler, because looking at only one half misses a changed entry.
KIDTENTRY STRUCT		; sizeof = 8
	_Offset			WORD	?	; 00h original name Offset; handler address bits 0-15
	Selector		WORD	?	; 02h code segment selector
	Access			WORD	?	; 04h gate type / DPL / present bits
	ExtendedOffset	WORD	?	; 06h handler address bits 16-31
KIDTENTRY ENDS
PKIDTENTRY typedef PTR KIDTENTRY

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

; PS_IMPERSONATION_INFORMATION - impersonation state as laid out on Windows 2000 (x86):
; a token pointer, two byte flags and an impersonation level.
; This is security-critical state: Token is a raw kernel pointer with no reference counting
; visible here, so code that reads it must not assume the object stays alive.
; NOTE(review): the layout is undocumented and hand-derived for W2000; verify against
; symbols for the target build.
PS_IMPERSONATION_INFORMATION STRUCT			; sizeof = 0Ch
	Token				PVOID	?	; 0h presumably PTR to the impersonation token object - confirm
	CopyOnOpen			BYTE	?	; 4h
	EffectiveOnly		BYTE	?	; 5h
						db 2 dup(?)	; 6h padding, aligns the next field on a dword boundary
	ImpersonationLevel	UINT	?	; 8h presumably a SECURITY_IMPERSONATION_LEVEL value - confirm
PS_IMPERSONATION_INFORMATION ENDS
PPS_IMPERSONATION_INFORMATION typedef PTR PS_IMPERSONATION_INFORMATION

; WOW64_PROCESS - single-pointer wrapper structure (4 bytes on x86).
; What Wow64 points to is not shown in this file; treat it as opaque.
WOW64_PROCESS STRUCT
	Wow64	PVOID	?	; 0h opaque pointer
WOW64_PROCESS ENDS
PWOW64_PROCESS typedef PTR WOW64_PROCESS

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

; MMSUPPORT_FLAGS - bit layout of the flags dword that MMSUPPORT stores at offset 30h.
; Fields are listed most-significant first, as MASM RECORD requires; the widths total 32.
; Use the MASM record operators (MASK / the field name as a shift count) rather than
; hard-coded constants, so that a corrected layout propagates to every user.
MMSUPPORT_FLAGS RECORD \
	Filler:25,			; bits7-31 Filler
	WriteWatch:1,		; bits6-6 WriteWatch
	WorkingSetHard:1,	; bits5-5 WorkingSetHard
	TrimHard:1,			; bits4-4 TrimHard
	SessionLeader:1,	; bits3-3 SessionLeader
	ProcessInSession:1,	; bits2-2 ProcessInSession
	BeingTrimmed:1,		; bits1-1 BeingTrimmed
	SessionSpace:1		; bits0-0 SessionSpace

; MMSUPPORT - working-set bookkeeping block as laid out on Windows 2000 (x86).
; It contains trim/fault counters, working-set size limits, a pointer to the working-set
; list, a flags dword (raw as LongFlags, bitwise as Flags) and the estimation/aging slots.
; NOTE(review): undocumented, hand-derived layout; the offsets in the comments are valid
; only for the build the author examined - verify against symbols before use.
MMSUPPORT STRUCT		; sizeof = 48h
	LastTrimTime				LARGE_INTEGER	<>	; 00h
	LastTrimFaultCount			DWORD		?	; 08h
	PageFaultCount				DWORD		?	; 0Ch
	PeakWorkingSetSize			DWORD		?	; 10h
	WorkingSetSize				DWORD		?	; 14h
	MinimumWorkingSetSize		DWORD		?	; 18h
	MaximumWorkingSetSize		DWORD		?	; 1Ch
	VmWorkingSetList			PVOID		?	; 20h
	WorkingSetExpansionLinks	LIST_ENTRY	<>	; 24h
	AllowWorkingSetAdjustment	BOOLEAN		?	; 2Ch
	AddressSpaceBeingDeleted	BOOLEAN		?	; 2Dh
	ForegroundSwitchCount		BYTE		?	; 2Eh
	MemoryPriority				BYTE		?	; 2Fh
	union										; 30h same dword, two views
		LongFlags				DWORD		?	; whole flags value
		Flags					MMSUPPORT_FLAGS	<>	; per-bit view, see MMSUPPORT_FLAGS
	ends
	Claim						DWORD		?	; 34h
	NextEstimationSlot			DWORD		?	; 38h
	NextAgingSlot				DWORD		?	; 3Ch
	EstimatedAvailable			DWORD		?	; 40h
	GrowthSinceLastEstimate		DWORD		?	; 44h
MMSUPPORT ENDS
PMMSUPPORT typedef PTR MMSUPPORT

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
comment ^
PDE_4M STRUCT		; page-directory entry (4-mB page)
	union
		dwPDE4k	DWORD	?			; packed
		btPDE4k RECORD \
			pde4kPFN:20,			; bits12-31
			pde4kReserved:3,		; bit9-11
			pde4kGlobal:1,			; bit8
			pde4kLargePage:1,		; bit7
			pde4kDirty:1,			; bit6 Reserved	???
			pde4kAccessed:1,		; bit5
			pde4kCacheDisabled:1,	; bit4
			pde4kWriteThrough:1,	; bit3
			pde4kOwner:1,			; bit2
			pde4kWrite:1,			; bit1
			pde4kValid:1			; bit0
		
	ends
PDE_4M ENDS

PDE_4K STRUCT		; page-directory entry (4-kB page)
	union
		dwPDE4k	DWORD	?			; packed
		btPDE4k RECORD \
			pde4kPFN:20,			; bits12-31
			pde4kReserved:3,		; bit9-11
			pde4kGlobal:1,			; bit8
			pde4kLargePage:1,		; bit7
			pde4kDirty:1,			; bit6 Reserved	???
			pde4kAccessed:1,		; bit5
			pde4kCacheDisabled:1,	; bit4
			pde4kWriteThrough:1,	; bit3
			pde4kOwner:1,			; bit2
			pde4kWrite:1,			; bit1
			pde4kValid:1			; bit0
		
	ends
PDE_4K ENDS


PTE_4K STRUCT
	union
		dwPTE4k	DWORD	?			; packed
		btPTE4k RECORD \
			pte4kPFN:20,			; bits12-31
			pte4kReserved2:3,		; bit9-11
			pte4kGlobal:1,			; bit8
			pte4kReserved:1,		; bit7
			pte4kDirty:1,			; bit6
			pte4kAccessed:1,		; bit5
			pte4kCacheDisabled:1,	; bit4
			pte4kWriteThrough:1,	; bit3
			pte4kOwner:1,			; bit2
			pte4kWrite:1,			; bit1
			pte4kValid:1			; bit0
		
	ends
PTE_4K ENDS
^
; Page-directory entry that maps a 4-MB page directly (x86, non-PAE, LargePage bit set).
; All field names carry the "pde4m" prefix because MASM record field names must be unique.
; Fields are listed most-significant first; the widths total 32.
; Bits relevant to protection: Owner (bit2) is the x86 user/supervisor bit - when set the
; page is reachable from user mode; Write (bit1) permits writes; Valid (bit0) is the
; present bit. A kernel page whose Owner bit is set is exposed to user mode.
; NOTE(review): bits9-21 are lumped together as reserved here; on real hardware bits9-11
; are software-available and later CPUs define bit12 - confirm before relying on them.
HARDWARE_PDE4M RECORD \
	pde4mPageFrameNumber:10,	; bits22-31 PageFrameNumber
	pde4m_reserved:13,			; bits9-21 reserved
	pde4mGlobal:1,				; bit8 Global
	pde4mLargePage:1,			; bit7 LargePage
	pde4mDirty:1,				; bit6 Dirty
	pde4mAccessed:1,			; bit5 Accessed
	pde4mCacheDisable:1,		; bit4 CacheDisable
	pde4mWriteThrough:1,		; bit3 WriteThrough
	pde4mOwner:1, 				; bit2 Owner
	pde4mWrite:1,				; bit1 Write
	pde4mValid:1				; bit0 Valid

; Page-directory entry that references a page table of 4-KB pages (x86, non-PAE).
; All field names carry the "pde4k" prefix because MASM record field names must be unique.
; Fields are listed most-significant first; the widths total 32.
; For this entry type LargePage (bit7) is clear. The CPU does not maintain a dirty bit in
; a PDE that points to a page table, which is why the original author marked bit6 as
; "Reserved ???"; the name Dirty is kept only for symmetry with the other records.
; Owner (bit2) and Write (bit1) in the PDE combine with the same bits in the PTE, so the
; access check has to look at both levels.
HARDWARE_PDE4K RECORD \
	pde4kPageFrameNumber:20,; bits12-31
	pde4k_reserved:3,		; bit9-11
	pde4kGlobal:1,			; bit8
	pde4kLargePage:1,		; bit7
	pde4kDirty:1,			; bit6 Reserved	???
	pde4kAccessed:1,		; bit5
	pde4kCacheDisable:1,	; bit4
	pde4kWriteThrough:1,	; bit3
	pde4kOwner:1,			; bit2
	pde4kWrite:1,			; bit1
	pde4kValid:1			; bit0

; Page-table entry for a 4-KB page (x86, non-PAE).
; All field names carry the "pte" prefix because MASM record field names must be unique.
; Fields are listed most-significant first; the widths total 32.
; Bits0-8 are interpreted by the CPU; bits9-11 are left to the operating system, which is
; where Prototype and CopyOnWrite live in this layout.
; Owner (bit2) is the user/supervisor bit, Write (bit1) the writable bit, Valid (bit0) the
; present bit. When Valid is clear the CPU ignores the other bits, so the field meanings
; below apply only to valid entries.
; NOTE(review): bit7 is named LargePage to mirror the PDE layout; it has no large-page
; meaning in a PTE - confirm how the target build uses it.
HARDWARE_PTE RECORD \
	ptePageFrameNumber:20,	; bits12-31 PageFrameNumber
	pte_reserved:1,			; bit11 reserved
	ptePrototype:1,			; bit10 Prototype
	pteCopyOnWrite:1,		; bit9 CopyOnWrite
	pteGlobal:1,			; bit8 Global
	pteLargePage:1,			; bit7 LargePage
	pteDirty:1,				; bit6 Dirty
	pteAccessed:1,			; bit5 Accessed
	pteCacheDisable:1,		; bit4 CacheDisable
	pteWriteThrough:1,		; bit3 WriteThrough
	pteOwner:1, 			; bit2 Owner
	pteWrite:1,				; bit1 Write
	pteValid:1				; bit0 Valid

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

;HANDLE_TABLE_ENTRY STRUCT		; sizeof = 8
;	Object					PVOID	?
;	ObAttributes			DWORD	?
;	GrantedAccess			DWORD	?
;	GrantedAccessIndex		DWORD	?
;	CreatorBackTraceIndex	DWORD	?
;	NextFreeTableEntry		DWORD	?


; HANDLE_TABLE - handle table header as laid out on Windows 2000 (x86).
; Table is the root of a three-level pointer tree of HANDLE_TABLE_ENTRY records;
; QuotaProcess points to the EPROCESS that is charged for the table.
; HandleTableLock is an embedded ERESOURCE and HandleTableList links this table to others.
; NOTE(review): this file does not show the locking rules; presumably HandleTableLock must
; be held while walking Table - confirm before reading entries from a driver.
; NOTE(review): undocumented, hand-derived layout; this structure changed in later Windows
; releases, so verify the offsets against symbols for the exact target build.
HANDLE_TABLE STRUCT			; sizeof = 6Ch
	Flags					DWORD		?	; 00h
	HandleCount				SDWORD		?	; 04h
	Table					PVOID		?	; 08h PTR PTR PTR HANDLE_TABLE_ENTRY
	QuotaProcess			PVOID		?	; 0Ch PTR EPROCESS
	UniqueProcessId			PVOID		?	; 10h
	FirstFreeTableEntry		SDWORD		?	; 14h
	NextIndexNeedingPool	SDWORD		?	; 18h
	HandleTableLock			ERESOURCE	<>	; 1Ch
	HandleTableList			LIST_ENTRY	<>	; 54h
	HandleContentionEvent	KEVENT		<>	; 5Ch
HANDLE_TABLE ENDS

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

; PAGEFAULT_HISTORY - header of a page-fault watch buffer as laid out on Windows 2000 (x86).
; CurrentIndex and MaxIndex bound the recorded entries; SpinLock is the lock word.
; NOTE(review): WatchInfo is declared as a single PROCESS_WS_WATCH_INFORMATION at the end
; of the structure; presumably it is the first element of a MaxIndex-sized array -
; confirm, and bound any index by MaxIndex when reading it.
PAGEFAULT_HISTORY STRUCT		; sizeof = 18h
	CurrentIndex	DWORD	?	; 00h
	MaxIndex		DWORD	?	; 04h
	SpinLock		DWORD	?	; 08h
	Reserved		PVOID	?	; 0Ch
	WatchInfo		PROCESS_WS_WATCH_INFORMATION	<>	; 10h
PAGEFAULT_HISTORY ENDS

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

; EPROCESS_QUOTA_BLOCK - process quota accounting block as laid out on Windows 2000 (x86).
; Holds a lock word, a reference count, three two-element pool counters (peak, current,
; limit) and three pagefile counters (peak, current, limit).
; NOTE(review): the two-element arrays are presumably indexed by pool type
; (nonpaged/paged) - confirm the order before interpreting the values.
EPROCESS_QUOTA_BLOCK STRUCT			; sizeof = 2Ch
	QuotaLock				DWORD		?	; 00h
	ReferenceCount			DWORD		?	; 04h
	QuotaPeakPoolUsage		DWORD 2 dup(?)	; 08h
	QuotaPoolUsage			DWORD 2 dup(?)	; 10h
	QuotaPoolLimit			DWORD 2 dup(?)	; 18h
	PeakPagefileUsage		DWORD		?	; 20h
	PagefileUsage			DWORD		?	; 24h
	PagefileLimit			DWORD		?	; 28h
EPROCESS_QUOTA_BLOCK ENDS

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

EJOB STRUCT						; sizeof = 170h
	Event						KEVENT			<>
	JobLinks					LIST_ENTRY		<>	; 010h
	ProcessListHead				LIST_ENTRY		<>	; 018h
	JobLock						ERESOURCE		<>	; 020h
	TotalUserTime				LARGE_INTEGER	<>	; 058h
	TotalKernelTime				LARGE_INTEGER	<>	; 060h
	ThisPeriodTotalUserTime		LARGE_INTEGER	<>	; 068h
	ThisPeriodTotalKernelTime	LARGE_INTEGER	<>	; 070h
	TotalPageFaultCount			DWORD			?	; 078h
	TotalProcesses				DWORD			?	; 07Ch
	ActiveProcesses				DWORD			?	; 080h
	TotalTerminatedProcesses	DWORD			?	; 084h
	PerProcessUserTimeLimit		LARGE_INTEGER	<>	; 088h
	PerJobUserTimeLimit			LARGE_INTEGER	<>	; 090h
	LimitFlags					DWORD			?	; 098h
	MinimumWorkingSetSize		DWORD			?	; 09Ch
	MaximumWorkingSetSize		DWORD			?	; 0A0h
	ActiveProcessLimit			DWORD			?	; 0A4h
	Affinity					DWORD			?	; 0A8h
	PriorityClass				BYTE			?	; 0ACh
								db 	3 dup(?)		; padding
	UIRestrictionsClass			DWORD			?	; 0B0h
	SecurityLimitFlags			DWORD			?	; 0B4h
	Token						PVOID			?	; 0B8h
	Filter						PVOID			?	; 0BCh PTR PS_JOB_TOKEN_FILTER
	EndOfJobTimeAction			DWORD			?	; 0C0h
	CompletionPort				PVOID			?	; 0C4h
	CompletionKey				PVOID			?	; 0C8h
	SessionId					DWORD			?	; 0CCh
	SchedulingClass				DWORD			?	; 0D0h
								dd				?	; padding
	ReadOperationCount			QWORD			?	; 0D8h
	WriteOperationCount			QWORD			?	; 0E0h
	OtherOperationCount			QWORD			?	; 0E8h
	ReadTransferCount			QWORD			?	; 0F0h
	WriteTransferCount			QWORD			?	; 0F8h
	OtherTransferCount			QWORD			?	; 100h
	IoInfo						IO_COUNTERS		<>	; 108h
	ProcessMemoryLimit			DWORD			?	; 138h
	JobMemoryLimit				DWORD			?	; 13Ch
	PeakProcessMemoryUsed		DWORD			?	; 140h
	PeakJobMemoryUsed			DWORD			?	; 144h
	CurrentJobMemoryUsed		DWORD			?	; 148h
	MemoryLimitsLock			FAST_MUTEX		<>	; 14Ch
