DWORD ? ; padding ???
EJOB ENDS
PEJOB typedef PTR EJOB ; pointer to the EJOB (job object) declared above
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; first member (Pcb) of the EPROCESS structure
; also known as the Process Control Block (PCB)
;-----------------------------------------------------------------------
; KPROCESS — kernel (scheduler) view of a process, embedded as
; EPROCESS.Pcb.  Windows 2000 layout, 06Ch bytes.
; The "; NNNh" comments are the byte offsets these declarations produce
; with MASM's default STRUCT packing (alignment 1): keep the field order
; and sizes exactly as they are or every offset below shifts.  Nothing
; here is a documented contract — other builds may move fields, so code
; that reads a live kernel through this layout should confirm the OS
; version first.
;-----------------------------------------------------------------------
KPROCESS STRUCT ; sizeof = 06Ch
Header DISPATCHER_HEADER <> ; 000h DO_TYPE_PROCESS (0x1B) — waitable object header; Type identifies the object as a process
ProfileListHead LIST_ENTRY <> ; 010h
DirectoryTableBase DWORD ? ; 018h physical address of the page directory (loaded into CR3 when the process runs)
PageTableBase DWORD ? ; 01Ch
LdtDescriptor KGDTENTRY <> ; 020h per-process LDT descriptor (VDM / 16-bit support)
Int21Descriptor KIDTENTRY <> ; 028h VDM INT 21h descriptor
IopmOffset WORD ? ; 030h offset of the I/O permission map in the TSS — a non-default map lets user mode touch I/O ports
Iopl BYTE ? ; 032h I/O privilege level for the process; nonzero is a privilege escalation vector and worth flagging in audits
VdmFlag BOOLEAN ? ; 033h
ActiveProcessors DWORD ? ; 034h
KernelTime DWORD ? ; 038h ticks
UserTime DWORD ? ; 03Ch ticks
ReadyListHead LIST_ENTRY <> ; 040h
SwapListEntry LIST_ENTRY <> ; 048h
ThreadListHead LIST_ENTRY <> ; 050h KTHREAD.ThreadListEntry (1A4h) of every thread in the process
ProcessLock PVOID ? ; 058h
Affinity KAFFINITY ? ; 05Ch processor affinity mask
StackCount WORD ? ; 060h
BasePriority BYTE ? ; 062h
ThreadQuantum BYTE ? ; 063h
AutoAlignment BOOLEAN ? ; 064h
State BYTE ? ; 065h process (swap) state — NOTE(review): exact enumeration not shown here, confirm against the build
ThreadSeed BYTE ? ; 066h
DisableBoost BOOLEAN ? ; 067h
PowerState BYTE ? ; 068h
DisableQuantum BOOLEAN ? ; 069h
Spare BYTE 2 dup(?) ; 06Ah pads the struct to 06Ch
KPROCESS ENDS
PKPROCESS typedef PTR KPROCESS
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;-----------------------------------------------------------------------
; EPROCESS — executive process object.  Windows 2000 layout, 288h bytes.
; Offsets in the "; NNNh" comments are what the declarations produce with
; MASM's default STRUCT packing (alignment 1); field order and sizes must
; not change.  The layout is undocumented and build-specific: code that
; walks it on a live system should verify the OS version (and the object
; size where possible) before trusting any offset.
; Fields that hold the process's security state are annotated below.
;-----------------------------------------------------------------------
EPROCESS STRUCT ; sizeof = 288h
Pcb KPROCESS <> ; 000h scheduler part, see KPROCESS above
ExitStatus DWORD ? ; 06Ch
LockEvent KEVENT <> ; 070h
LockCount DWORD ? ; 080h
DWORD ? ; 084h padding
CreateTime LARGE_INTEGER <> ; 088h
ExitTime LARGE_INTEGER <> ; 090h
LockOwner PVOID ? ; 098h PTR KTHREAD
UniqueProcessId DWORD ? ; 09Ch process id (PID)
ActiveProcessLinks LIST_ENTRY <> ; 0A0h links into the system-wide active-process list; an audit that enumerates processes should cross-check this list against other bookkeeping (thread lists, handle table) rather than rely on it alone
QuotaPeakPoolUsage DWORD 2 dup(?) ; 0A8h NP, P — [0] nonpaged, [1] paged
QuotaPoolUsage DWORD 2 dup(?) ; 0B0h NP, P
PagefileUsage DWORD ? ; 0B8h
CommitCharge DWORD ? ; 0BCh
PeakPagefileUsage DWORD ? ; 0C0h
PeakVirtualSize DWORD ? ; 0C4h
VirtualSize LARGE_INTEGER <> ; 0C8h
Vm MMSUPPORT <> ; 0D0h working-set / memory-manager support block (48h bytes)
SessionProcessLinks LIST_ENTRY <> ; 118h
DebugPort PVOID ? ; 120h debug LPC port; non-NULL while a debugger is attached
ExceptionPort PVOID ? ; 124h LPC port the subsystem receives second-chance exceptions on
ObjectTable PVOID ? ; 128h PTR HANDLE_TABLE — the process handle table
Token PVOID ? ; 12Ch primary access token of the process; it defines the security context its threads run with, so integrity checks should verify it still refers to the expected token object
WorkingSetLock FAST_MUTEX <> ; 130h
WorkingSetPage DWORD ? ; 150h
ProcessOutswapEnabled BYTE ? ; 154h
ProcessOutswapped BYTE ? ; 155h
AddressSpaceInitialized BYTE ? ; 156h
AddressSpaceDeleted BYTE ? ; 157h
AddressCreationLock FAST_MUTEX <> ; 158h
HyperSpaceLock DWORD ? ; 178h
ForkInProgress PVOID ? ; 17Ch PTR ETHREAD
VmOperation WORD ? ; 180h
ForkWasSuccessful BYTE ? ; 182h
MmAgressiveWsTrimMask BYTE ? ; 183h
VmOperationEvent PVOID ? ; 184h PTR KEVENT
PaeTop PVOID ? ; 188h
LastFaultCount DWORD ? ; 18Ch
ModifiedPageCount DWORD ? ; 190h
VadRoot PVOID ? ; 194h root of the VAD tree describing the user address space
VadHint PVOID ? ; 198h
CloneRoot PVOID ? ; 19Ch
NumberOfPrivatePages DWORD ? ; 1A0h
NumberOfLockedPages DWORD ? ; 1A4h
NextPageColor WORD ? ; 1A8h
ExitProcessCalled BYTE ? ; 1AAh
CreateProcessReported BYTE ? ; 1ABh
SectionHandle PVOID ? ; 1ACh image section
Peb PVOID ? ; 1B0h PTR PEB — a user-mode address; the process can write it, so kernel code must not trust its contents
SectionBaseAddress PVOID ? ; 1B4h image base address
QuotaBlock PVOID ? ; 1B8h PTR EPROCESS_QUOTA_BLOCK
LastThreadExitStatus DWORD ? ; 1BCh
WorkingSetWatch PVOID ? ; 1C0h PTR PAGEFAULT_HISTORY
Win32WindowStation PVOID ? ; 1C4h window-station handle (win32k)
InheritedFromUniqueProcessId PVOID ? ; 1C8h PID of the creating process, recorded at creation — the parent may since have exited and the PID been reused, so do not treat it as a live parent reference
GrantedAccess DWORD ? ; 1CCh access mask cached for the process object — NOTE(review): confirm exact semantics for this build before using it in a check
DefaultHardErrorProcessing DWORD ? ; 1D0h default hard-error mode
LdtInformation PVOID ? ; 1D4h
VadFreeHint PVOID ? ; 1D8h
VdmObjects PVOID ? ; 1DCh
DeviceMap PVOID ? ; 1E0h DOS-device namespace map (drive letters)
SessionId DWORD ? ; 1E4h terminal-server session id
PhysicalVadList LIST_ENTRY <> ; 1E8h
union
PageDirectoryPte HARDWARE_PTE <> ; 1F0h
Filler QWORD ? ; 1F0h keeps the union 8 bytes wide regardless of HARDWARE_PTE size
ends
PaePageDirectoryPage DWORD ? ; 1F8h PAE kernels only
ImageFileName BYTE 16 dup(?) ; 1FCh NUL-terminated image base name truncated to 15 chars; it is only a label — never the sole basis for identity or trust decisions
VmTrimFaultValue DWORD ? ; 20Ch
SetTimerResolution BYTE ? ; 210h
PriorityClass BYTE ? ; 211h
union
struct
SubSystemMinorVersion BYTE ? ; 212h
SubSystemMajorVersion BYTE ? ; 213h
ends
SubSystemVersion WORD ? ; 212h both bytes as one word
ends
Win32Process PVOID ? ; 214h win32k per-process data
Job PVOID ? ; 218h PTR EJOB
JobStatus DWORD ? ; 21Ch
JobLinks LIST_ENTRY <> ; 220h
LockedPagesList PVOID ? ; 228h
SecurityPort PVOID ? ; 22Ch LPC port to the security subsystem — NOTE(review): presumably LSA, confirm
Wow64Process PVOID ? ; 230h PTR WOW64_PROCESS
DWORD ? ; 234h ???
ReadOperationCount LARGE_INTEGER <> ; 238h
WriteOperationCount LARGE_INTEGER <> ; 240h
OtherOperationCount LARGE_INTEGER <> ; 248h
ReadTransferCount LARGE_INTEGER <> ; 250h
WriteTransferCount LARGE_INTEGER <> ; 258h
OtherTransferCount LARGE_INTEGER <> ; 260h
CommitChargeLimit DWORD ? ; 268h
CommitChargePeak DWORD ? ; 26Ch
ThreadListHead LIST_ENTRY <> ; 270h ETHREAD.ThreadListEntry (240h) of every thread in the process
VadPhysicalPagesBitMap PVOID ? ; 278h PTR RTL_BITMAP
VadPhysicalPages DWORD ? ; 27Ch
AweLock DWORD ? ; 280h
DWORD ? ; 284h padding
EPROCESS ENDS
PEPROCESS typedef PTR EPROCESS
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; first member (Tcb) of the ETHREAD structure
; also known as the Thread Control Block (TCB)
;-----------------------------------------------------------------------
; KTHREAD — kernel (scheduler) view of a thread, embedded as ETHREAD.Tcb.
; Windows 2000 layout, 1B0h bytes.  Offsets in the "; NNNh" comments are
; what the declarations produce with MASM's default STRUCT packing
; (alignment 1); field order and sizes must not change.  Undocumented and
; build-specific — verify the OS version before reading a live kernel
; through this layout.
;-----------------------------------------------------------------------
KTHREAD STRUCT ; sizeof = 1B0h
Header DISPATCHER_HEADER <> ; 000h DO_TYPE_THREAD (0x6C) — waitable object header
MutantListHead LIST_ENTRY <> ; 010h mutants currently owned by the thread
InitialStack PVOID ? ; 018h top of the kernel stack
StackLimit PVOID ? ; 01Ch lowest address of the kernel stack
Teb PVOID ? ; 020h PTR TEB — user-mode address writable by the process; kernel code must not trust its contents
TlsArray PVOID ? ; 024h
KernelStack PVOID ? ; 028h saved kernel stack pointer while the thread is not running
DebugActive BYTE ? ; 02Ch
State BYTE ? ; 02Dh THREAD_STATE_*
Alerted BYTE 2 dup(?) ; 02Eh one flag per processor mode: [0] KernelMode, [1] UserMode
Iopl BYTE ? ; 030h I/O privilege level; nonzero lets user mode execute port I/O and is worth flagging in audits
NpxState BYTE ? ; 031h x87 (NPX) save-state
Saturation BYTE ? ; 032h
Priority BYTE ? ; 033h current scheduling priority
ApcState KAPC_STATE <> ; 034h APC queues plus the process the thread currently executes in
ContextSwitches DWORD ? ; 04Ch
WaitStatus DWORD ? ; 050h
WaitIrql BYTE ? ; 054h
WaitMode BYTE ? ; 055h
WaitNext BYTE ? ; 056h
WaitReason BYTE ? ; 057h
WaitBlockList PVOID ? ; 058h PTR KWAIT_BLOCK
WaitListEntry LIST_ENTRY <> ; 05Ch
WaitTime DWORD ? ; 064h
BasePriority BYTE ? ; 068h
DecrementCount BYTE ? ; 069h
PriorityDecrement BYTE ? ; 06Ah
Quantum BYTE ? ; 06Bh
WaitBlock KWAIT_BLOCK 4 dup(<>) ; 06Ch built-in wait blocks (4 x 18h = 60h bytes)
LegoData DWORD ? ; 0CCh
KernelApcDisable DWORD ? ; 0D0h
UserAffinity KAFFINITY ? ; 0D4h
SystemAffinityActive BYTE ? ; 0D8h
PowerState BYTE ? ; 0D9h
NpxIrql BYTE ? ; 0DAh
Pad BYTE ? ; 0DBh
ServiceTable PVOID ? ; 0DCh PTR SERVICE_DESCRIPTOR_TABLE — per-thread system-call dispatch table; integrity checks should verify it points at one of the kernel's own tables
Queue PVOID ? ; 0E0h PTR KQUEUE
ApcQueueLock DWORD ? ; 0E4h
Timer KTIMER <> ; 0E8h timer used for timed waits (28h bytes)
QueueListEntry LIST_ENTRY <> ; 110h
Affinity KAFFINITY ? ; 118h
Preempted BYTE ? ; 11Ch
ProcessReadyQueue BYTE ? ; 11Dh
KernelStackResident BYTE ? ; 11Eh
NextProcessor BYTE ? ; 11Fh
CallbackStack PVOID ? ; 120h kernel stack saved across a user-mode callback
Win32Thread PVOID ? ; 124h PTR WIN32_THREAD ???
TrapFrame PVOID ? ; 128h PTR KTRAP_FRAME — registers saved on the last entry from user mode
ApcStatePointer PVOID 2 dup(?) ; 12Ch PTR KAPC_STATE — [0]/[1] point at ApcState / SavedApcState, selected by ApcStateIndex
PreviousMode KPROCESSOR_MODE ? ; 134h mode (KernelMode/UserMode) the current system service was requested from; services use it to decide whether caller pointers must be probed, so a wrong value here defeats those checks
EnableStackSwap BOOLEAN ? ; 135h
LargeStack BOOLEAN ? ; 136h
ResourceIndex BYTE ? ; 137h
KernelTime DWORD ? ; 138h ticks
UserTime DWORD ? ; 13Ch ticks
SavedApcState KAPC_STATE <> ; 140h APC state parked while the thread is attached to another process
Alertable BOOLEAN ? ; 158h
ApcStateIndex BYTE ? ; 159h
ApcQueueable BOOLEAN ? ; 15Ah
AutoAlignment BOOLEAN ? ; 15Bh
StackBase PVOID ? ; 15Ch
SuspendApc KAPC <> ; 160h APC used to suspend the thread (30h bytes)
SuspendSemaphore KSEMAPHORE <> ; 190h
ThreadListEntry LIST_ENTRY <> ; 1A4h see KPROCESS
FreezeCount BYTE ? ; 1ACh
SuspendCount BYTE ? ; 1ADh
IdealProcessor BYTE ? ; 1AEh
DisableBoost BYTE ? ; 1AFh
KTHREAD ENDS
PKTHREAD typedef PTR KTHREAD
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; MASM RECORD field names are global symbols and must be unique,
; so this bit-field record is named ETHREAD_BITS
; 32-bit record overlaying the low DWORD of ETHREAD.CreateTime.
; MASM lists RECORD fields from the most significant bit down.
ETHREAD_BITS RECORD \
EthreadBitsReserved:29, ; bits 3-31
ApcNeeded:1, ; bits 2-2
NestedFaultCount:2 ; bits 0-1
;-----------------------------------------------------------------------
; ETHREAD — executive thread object.  Windows 2000 layout, 248h bytes.
; Offsets in the "; NNNh" comments are what the declarations produce with
; MASM's default STRUCT packing (alignment 1); field order and sizes must
; not change.  Undocumented and build-specific — verify the OS version
; before reading a live kernel through this layout.
;-----------------------------------------------------------------------
ETHREAD STRUCT ; sizeof = 248h
Tcb KTHREAD <> ; 000h scheduler part, see KTHREAD above
union
CreateTime LARGE_INTEGER <> ; 1B0h
EthreadBits ETHREAD_BITS <> ; 1B0h shares the low DWORD of CreateTime
ends
union
ExitTime LARGE_INTEGER <> ; 1B8h
LpcReplyChain LIST_ENTRY <> ; 1B8h
ends
union
ExitStatus DWORD ? ; 1C0h
OfsChain PVOID ? ; 1C0h
ends
PostBlockList LIST_ENTRY <> ; 1C4h
TerminationPortList LIST_ENTRY <> ; 1CCh
ActiveTimerListLock DWORD ? ; 1D4h
ActiveTimerListHead LIST_ENTRY <> ; 1D8h
Cid CLIENT_ID <> ; 1E0h process id + thread id
LpcReplySemaphore KSEMAPHORE <> ; 1E8h
LpcReplyMessage PVOID ? ; 1FCh
LpcReplyMessageId DWORD ? ; 200h
PerformanceCountLow DWORD ? ; 204h
ImpersonationInfo PVOID ? ; 208h PTR PS_IMPERSONATION_INFORMATION — impersonation token state; while ActiveImpersonationInfo is set, the thread's effective security context comes from here instead of the process token
IrpList LIST_ENTRY <> ; 20Ch
TopLevelIrp DWORD ? ; 214h
DeviceToVerify PVOID ? ; 218h PTR DEVICE_OBJECT
ReadClusterSize UINT ? ; 21Ch
ForwardClusterOnly BYTE ? ; 220h
DisablePageFaultClustering BYTE ? ; 221h
DeadThread BYTE ? ; 222h
HideFromDebugger BYTE ? ; 223h when set, debug events for this thread are suppressed — a thread with this flag is worth noting during incident analysis
HasTerminated DWORD ? ; 224h
GrantedAccess DWORD ? ; 228h access mask cached for the thread object — NOTE(review): confirm exact semantics for this build
ThreadsProcess PVOID ? ; 22Ch PTR EPROCESS — owning process
StartAddress PVOID ? ; 230h kernel-side start routine
union
Win32StartAddress PVOID ? ; 234h user-mode start address as supplied at creation — attacker-controllable, useful as a signal but not as proof
LpcReceivedMessageId DWORD ? ; 234h
ends
LpcExitThreadCalled BYTE ? ; 238h
HardErrorsAreDisabled BYTE ? ; 239h
LpcReceivedMsgIdValid BYTE ? ; 23Ah
ActiveImpersonationInfo BYTE ? ; 23Bh nonzero while ImpersonationInfo is in effect
PerformanceCountHigh SDWORD ? ; 23Ch
ThreadListEntry LIST_ENTRY <> ; 240h links into EPROCESS.ThreadListHead (270h)
ETHREAD ENDS
PETHREAD typedef PTR ETHREAD
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;-----------------------------------------------------------------------
; KQUEUE — kernel queue object (waitable; referenced from KTHREAD.Queue).
; 28h bytes with MASM's default STRUCT packing; field order must not change.
;-----------------------------------------------------------------------
KQUEUE STRUCT ;sizeof = 28h
Header DISPATCHER_HEADER <> ; 00h waitable object header
EntryListHead LIST_ENTRY <> ; 10h queued entries
CurrentCount DWORD ? ; 18h
MaximumCount DWORD ? ; 1Ch
ThreadListHead LIST_ENTRY <> ; 20h threads associated with the queue
KQUEUE ENDS
PKQUEUE typedef PTR KQUEUE
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;-----------------------------------------------------------------------
; PEB_LDR_DATA — user-mode loader bookkeeping reached from the PEB.
; 24h bytes.  This structure and its three module lists live in the
; process's own address space and are writable by it, so anything that
; reads them from outside the process (or from the kernel) must treat
; the contents — list links included — as untrusted input.
;-----------------------------------------------------------------------
PEB_LDR_DATA STRUCT ; sizeof = 24h
_Length DWORD ? ; 00h original name Length (renamed: LENGTH is a MASM operator)
Initialized BYTE ? ; 04h
db 3 dup(?) ; padding to 08h
SsHandle PVOID ? ; 08h
InLoadOrderModuleList LIST_ENTRY <> ; 0Ch
InMemoryOrderModuleList LIST_ENTRY <> ; 14h
InInitializationOrderModuleList LIST_ENTRY <> ; 1Ch
PEB_LDR_DATA ENDS
PPEB_LDR_DATA typedef PTR PEB_LDR_DATA
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;-----------------------------------------------------------------------
; RTL_DRIVE_LETTER_CURDIR — per-drive current directory record used in
; the user process parameters.  10h bytes (DosPath is an ANSI _STRING).
;-----------------------------------------------------------------------
RTL_DRIVE_LETTER_CURDIR STRUCT ; sizeof = 10h
Flags WORD ? ; 00h
_Length WORD ? ; 02h original name Length (renamed: LENGTH is a MASM operator)
TimeStamp DWORD ? ; 04h
DosPath _STRING <> ; 08h
RTL_DRIVE_LETTER_CURDIR ENDS
PRTL_DRIVE_LETTER_CURDIR typedef PTR RTL_DRIVE_LETTER_CURDIR
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;-----------------------------------------------------------------------
; CURDIR — current directory of a process: its path plus an open handle.
; 0Ch bytes.
;-----------------------------------------------------------------------
CURDIR STRUCT ; sizeof = 0Ch
DosPath UNICODE_STRING <> ; 0 path (Length/MaximumLength/Buffer)
Handle PVOID ? ; 8 handle to the directory
CURDIR ENDS
PCURDIR typedef ptr CURDIR
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;-----------------------------------------------------------------------
; PEB_FREE_BLOCK — singly linked free-block descriptor referenced from
; the PEB.  8 bytes.  Lives in user-mode memory: treat as untrusted when
; read from outside the owning process.
;-----------------------------------------------------------------------
PEB_FREE_BLOCK STRUCT ; sizeof = 8
Next PVOID ? ; 00h PTR PEB_FREE_BLOCK
_Size DWORD ? ; 04h original name Size (renamed: SIZE is a MASM operator)
PEB_FREE_BLOCK ENDS
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
RTL_USER_PROCESS_PARAMETERS STRUCT ; sizeof = 290h
MaximumLength DWORD ? ; 000h
_Length DWORD ? ; 004h original name Length
Flags DWORD ? ; 008h
DebugFlags DWORD ? ; 00Ch
ConsoleHandle PVOID ? ; 010h
ConsoleFlags DWORD ? ; 014h
StandardInput PVOID ? ; 018h
StandardOutput PVOID ? ; 01Ch
StandardError PVOID ? ; 020h
CurrentDirectory CURDIR <> ; 024h
DllPath UNICODE_STRING <> ; 030h