	ImagePathName		UNICODE_STRING	<>	; 038h
	CommandLine			UNICODE_STRING	<>	; 040h
	Environment			PVOID			?	; 048h
	StartingX			DWORD			?	; 04Ch
	StartingY			DWORD			?	; 050h
	CountX				DWORD			?	; 054h
	CountY				DWORD			?	; 058h
	CountCharsX			DWORD			?	; 05Ch
	CountCharsY			DWORD			?	; 060h
	FillAttribute		DWORD			?	; 064h
	WindowFlags			DWORD			?	; 068h
	ShowWindowFlags		DWORD			?	; 06Ch
	WindowTitle			UNICODE_STRING	<>	; 070h
	DesktopInfo			UNICODE_STRING	<>	; 078h
	ShellInfo			UNICODE_STRING	<>	; 080h
	RuntimeData			UNICODE_STRING	<>	; 088h
	CurrentDirectores	RTL_DRIVE_LETTER_CURDIR 32 dup(<>)	; 090h
RTL_USER_PROCESS_PARAMETERS ENDS
PRTL_USER_PROCESS_PARAMETERS typedef ptr RTL_USER_PROCESS_PARAMETERS	; pointer alias for the structure declared above (PEB.ProcessParameters points at one)

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; Process Environment Block (PEB)
; located at 7FFDF000h (pointed to by fs:[30h] in user mode)
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

; Offsets in the trailing comments are the ones this declaration produces
; (MASM STRUCT default alignment, so no implicit padding); the two unnamed
; DWORDs at 006Ch and 01E4h are what keep the later fields lined up.
PEB STRUCT							; sizeof = 1E8h
	InheritedAddressSpace			BYTE		?		; 0000h
	ReadImageFileExecOptions		BYTE		?		; 0001h
	BeingDebugged					BYTE		?		; 0002h  nonzero while a debugger is attached (the value IsDebuggerPresent reports)
	SpareBool						BYTE		?		; 0003h
	Mutant							PVOID		?		; 0004h
	ImageBaseAddress				PVOID		?		; 0008h
	Ldr								PVOID		?		; 000Ch PTR PEB_LDR_DATA
	ProcessParameters				PVOID		?		; 0010h PTR RTL_USER_PROCESS_PARAMETERS
	SubSystemData					PVOID		?		; 0014h
	ProcessHeap						PVOID		?		; 0018h
	FastPebLock						PVOID		?		; 001Ch
	FastPebLockRoutine				PVOID		?		; 0020h
	FastPebUnlockRoutine			PVOID		?		; 0024h
	EnvironmentUpdateCount			DWORD		?		; 0028h
	KernelCallbackTable				PVOID		?		; 002Ch
	SystemReserved					DWORD	2 dup(?)	; 0030h
	FreeList						PVOID		?		; 0038h PTR PEB_FREE_BLOCK
	TlsExpansionCounter				DWORD		?		; 003Ch
	TlsBitmap						PVOID		?		; 0040h
	TlsBitmapBits					DWORD	2 dup(?)	; 0044h
	ReadOnlySharedMemoryBase		PVOID		?		; 004Ch
	ReadOnlySharedMemoryHeap		PVOID		?		; 0050h
	ReadOnlyStaticServerData		PVOID		?		; 0054h
	AnsiCodePageData				PVOID		?		; 0058h
	OemCodePageData					PVOID		?		; 005Ch
	UnicodeCaseTableData			PVOID		?		; 0060h
	NumberOfProcessors				DWORD		?		; 0064h
	NtGlobalFlag					DWORD		?		; 0068h
									DWORD		?		; 006Ch  unnamed filler so the 8-byte CriticalSectionTimeout starts at 0070h
	CriticalSectionTimeout			LARGE_INTEGER	<>	; 0070h
	HeapSegmentReserve				DWORD		?		; 0078h
	HeapSegmentCommit				DWORD		?		; 007Ch
	HeapDeCommitTotalFreeThreshold	DWORD		?		; 0080h
	HeapDeCommitFreeBlockThreshold	DWORD		?		; 0084h
	NumberOfHeaps					DWORD		?		; 0088h
	MaximumNumberOfHeaps			DWORD		?		; 008Ch
	ProcessHeaps					PVOID		?		; 0090h
	GdiSharedHandleTable			PVOID		?		; 0094h
	ProcessStarterHelper			PVOID		?		; 0098h
	GdiDCAttributeList				DWORD		?		; 009Ch
	LoaderLock						PVOID		?		; 00A0h
	OSMajorVersion					DWORD		?		; 00A4h
	OSMinorVersion					DWORD		?		; 00A8h
	OSBuildNumber					WORD		?		; 00ACh
	OSCSDVersion					WORD		?		; 00AEh
	OSPlatformId					DWORD		?		; 00B0h
	ImageSubsystem					DWORD		?		; 00B4h
	ImageSubsystemMajorVersion		DWORD		?		; 00B8h
	ImageSubsystemMinorVersion		DWORD		?		; 00BCh
	ImageProcessAffinityMask		DWORD		?		; 00C0h
	GdiHandleBuffer					DWORD	34 dup(?)	; 00C4h  34 DWORDs = 088h bytes, ends at 014Ch
	PostProcessInitRoutine			DWORD		?		; 014Ch
	TlsExpansionBitmap				PVOID		?		; 0150h
	TlsExpansionBitmapBits			DWORD	32 dup(?)	; 0154h  32 DWORDs = 080h bytes, ends at 01D4h
	SessionId						DWORD		?		; 01D4h
	AppCompatInfo					PVOID		?		; 01D8h
	CSDVersion						UNICODE_STRING	<>	; 01DCh
									DWORD		?		; 01E4h  unnamed trailing DWORD; brings sizeof to 1E8h
PEB ENDS
PPEB typedef PTR PEB

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; Thread Environment Block (TEB)
; The first TEB is located at 7FFDE000h (pointed to by fs:[18h] in user mode)
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

; This structure is not present even in PDB files. I found it somewhere.

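; Offsets in the trailing comments are computed from the declared field sizes
; (MASM STRUCT default alignment, no implicit padding).
; The three fields the original author marked as certain -- RealClientId at
; 6B4h, LastStatusValue at BF4h and HardErrorDisabled at F28h -- were NOT
; reachable from the fields as originally declared (GdiBrush ended at 280h,
; GlContext at BC0h and DbgSsReserved at F26h), so code using this structure
; would have read those fields at the wrong offsets. Unnamed filler fields are
; inserted below so the declaration lands on the annotated offsets.
; Fields not marked "100%" were not verified by the original author; the
; Gdi*/Gl* names and sizes between the anchors in particular are best treated
; as placeholders -- do not depend on their offsets.
TEB STRUCT							; sizeof = F94h
	Tib								NT_TIB		<>		; 000h
	EnvironmentPointer				PVOID		?		; 01Ch
	Cid								CLIENT_ID	<>		; 020h
	ActiveRpcInfo					PVOID		?		; 028h
	ThreadLocalStoragePointer		PVOID		?		; 02Ch
	Peb								PVOID		?		; 030h PTR PEB
	LastErrorValue					DWORD		?		; 034h
	CountOfOwnedCriticalSections	DWORD		?		; 038h
	CsrClientThread					PVOID		?		; 03Ch
	Win32ThreadInfo					PVOID		?		; 040h
	Win32ClientInfo					DWORD	1Fh dup(?)	; 044h
	WOW32Reserved					PVOID		?		; 0C0h
	CurrentLocale					DWORD		?		; 0C4h
	FpSoftwareStatusRegister		DWORD		?		; 0C8h
	SystemReserved1					PVOID	36h dup(?)	; 0CCh
	Spare1							PVOID		?		; 1A4h
	ExceptionCode					DWORD		?		; 1A8h
	SpareBytes1						DWORD	28h dup(?)	; 1ACh
	SystemReserved2					PVOID	0Ah dup(?)	; 24Ch
	GdiRgn							DWORD		?		; 274h
	GdiPen							DWORD		?		; 278h
	GdiBrush						DWORD		?		; 27Ch
									BYTE	434h dup(?)	; 280h unnamed filler (contents unknown) so RealClientId lands at 6B4h
	RealClientId					CLIENT_ID	<>		; 6B4h
	GdiCachedProcessHandle			PVOID		?		; 6BCh
	GdiClientPID					DWORD		?		; 6C0h
	GdiClientTID					DWORD		?		; 6C4h
	GdiThreadLocaleInfo				PVOID		?		; 6C8h
	UserReserved					PVOID	5 dup(?)	; 6CCh
	GlDispatchTable					PVOID	118h dup(?)	; 6E0h  118h PVOIDs = 460h bytes
	GlReserved1						DWORD	1Ah dup(?)	; B40h  1Ah DWORDs = 68h bytes
	GlReserved2						PVOID		?		; BA8h
	GlSectionInfo					PVOID		?		; BACh
	GlSection						PVOID		?		; BB0h
	GlTable							PVOID		?		; BB4h
	GlCurrentRC						PVOID		?		; BB8h
	GlContext						PVOID		?		; BBCh
									BYTE	34h dup(?)	; BC0h unnamed filler (contents unknown) so LastStatusValue lands at BF4h
	LastStatusValue					DWORD		?		; BF4h NTSTATUS  !!! 100%
	StaticUnicodeString				UNICODE_STRING	<>	; BF8h
	StaticUnicodeBuffer				WORD	105h dup(?)	; C00h WCHAR[105h] = 20Ah bytes, not a multiple of 4
									WORD		?		; E0Ah alignment filler so DeallocationStack is DWORD-aligned at E0Ch
	DeallocationStack				PVOID		?		; E0Ch
	TlsSlots						PVOID	40h dup(?)	; E10h  40h PVOIDs = 100h bytes
	TlsLinks						LIST_ENTRY	<>		; F10h
	Vdm								PVOID		?		; F18h
	ReservedForNtRpc				PVOID		?		; F1Ch
	DbgSsReserved					PVOID	2 dup(?)	; F20h
	HardErrorDisabled				DWORD		?		; F28h HardErrorsMode 100%
	Instrumentation					PVOID	10h dup(?)	; F2Ch  10h PVOIDs = 40h bytes
	WinSockData						PVOID		?		; F6Ch
	GdiBatchCount					DWORD		?		; F70h
	Spare2							DWORD		?		; F74h
	Spare3							DWORD		?		; F78h
	Spare4							DWORD		?		; F7Ch
	ReservedForOle					PVOID		?		; F80h
	WaitingOnLoaderLock				DWORD		?		; F84h
	StackCommit						PVOID		?		; F88h
	StackCommitMax					PVOID		?		; F8Ch
	StackReserved					PVOID		?		; F90h
TEB ENDS
PTEB typedef PTR TEB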

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; Task State Segment (TSS)
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

; I/O permission area appended to the TSS (KTSS.IoMaps at 0068h).
KiIoAccessMap STRUCT		; sizeof= 2024h
	DirectionMap	BYTE 32 dup(?)		; 000h  32 bytes
	IoMap			BYTE 8196 dup(?)	; 020h  8196 = 2004h bytes: 8192 bytes give one permission bit per I/O port (65536 ports) plus 4 trailing bytes
KiIoAccessMap ENDS

; Kernel TSS image. The first 068h bytes follow the 32-bit x86 TSS layout
; (back link, ring-0 stack, CR3, EIP, segment selectors, LDT, flags, I/O map
; base); IoMaps and IntDirectionMap follow it. Register-named fields carry an
; "r" prefix because the bare names are reserved words in MASM (see comments).
KTSS STRUCT			; sizeof = 20ACh
	Backlink		WORD		?	; 0000h
	Reserved0		WORD		?	; 0002h
	Esp0			DWORD		?	; 0004h
	Ss0				WORD		?	; 0008h
	Reserved1		WORD		?	; 000Ah
	NotUsed1		DWORD 4 dup(?)	; 000Ch
	rCR3			DWORD		?	; 001Ch original field name CR3
	Eip				DWORD		?	; 0020h
	NotUsed2		DWORD 9 dup(?)	; 0024h
	rEs				WORD		?	; 0048h original field name Es
	Reserved2		WORD		?	; 004Ah
	rCs				WORD		?	; 004Ch original field name Cs
	Reserved3		WORD		?	; 004Eh
	rSs				WORD		?	; 0050h original field name Ss
	Reserved4		WORD		?	; 0052h
	rDs				WORD		?	; 0054h original field name Ds
	Reserved5		WORD		?	; 0056h
	rFs				WORD		?	; 0058h original field name Fs
	Reserved6		WORD		?	; 005Ah
	rGs				WORD		?	; 005Ch original field name Gs
	Reserved7		WORD		?	; 005Eh
	LDT				WORD		?	; 0060h
	Reserved8		WORD		?	; 0062h
	Flags			WORD		?	; 0064h
	IoMapBase		WORD		?	; 0066h
	IoMaps			KiIoAccessMap	<>	; 0068h  2024h bytes, ends at 208Ch
	IntDirectionMap	BYTE 32 dup(?)	; 208Ch
KTSS ENDS

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

; Name information attached to a named object header (located via
; OBJECT_HEADER.NameInfoOffset).
OBJECT_NAME STRUCT				; sizeof = 10h	 (by Nebbett)
	Directory	PVOID			?	; 0000h  PTR OBJECT_DIRECTORY
	_Name		UNICODE_STRING	<>	; 0004h  (org name Name; prefixed because Name is a MASM keyword)
				DWORD			?	; 000Ch Reserved
OBJECT_NAME ENDS

; Per-object-type parameters and callbacks; embedded in OBJECT_TYPE.TypeInfo
; at 0060h. The *Procedure fields are the type's kernel callbacks.
OBJECT_TYPE_INITIALIZER STRUCT		; sizeof = 04Ch
	_Length						WORD		?	; 0000h  (org name Length)
	UseDefaultObject			BYTE		?	; 0002h
	Reserved					BYTE		?	; 0003h
	InvalidAttributes			DWORD		?	; 0004h
	GenericMapping				GENERIC_MAPPING <>	; 0008h  10h bytes, ends at 0018h
	ValidAccessMask				DWORD		?	; 0018h
	SecurityRequired			BYTE		?	; 001Ch
	MaintainHandleCount			BYTE		?	; 001Dh
	MaintainTypeList			BYTE		?	; 001Eh
								db 1 dup(?)	; 001Fh padding so PoolType is DWORD-aligned
	PoolType					SDWORD		?	; 0020h
	DefaultPagedPoolCharge		DWORD		?	; 0024h
	DefaultNonPagedPoolCharge	DWORD		?	; 0028h
	DumpProcedure				PVOID		?	; 002Ch
	OpenProcedure				PVOID		?	; 0030h
	CloseProcedure				PVOID		?	; 0034h
	DeleteProcedure				PVOID		?	; 0038h
	ParseProcedure				PVOID		?	; 003Ch
	SecurityProcedure			PVOID		?	; 0040h
	QueryNameProcedure			PVOID		?	; 0044h
	OkayToCloseProcedure		PVOID		?	; 0048h
OBJECT_TYPE_INITIALIZER ENDS

; Object type descriptor; OBJECT_HEADER._Type points at one of these.
OBJECT_TYPE STRUCT				; sizeof = 0B0h
	Mutex						ERESOURCE 		<>	; 0000h  38h bytes, ends at 0038h
	TypeList					LIST_ENTRY 		<>	; 0038h
	_Name						UNICODE_STRING 	<>	; 0040h  (org name Name; prefixed because Name is a MASM keyword)
	DefaultObject				PVOID			?	; 0048h
	Index						DWORD			?	; 004Ch
	TotalNumberOfObjects		DWORD			?	; 0050h
	TotalNumberOfHandles		DWORD			?	; 0054h
	HighWaterNumberOfObjects	DWORD			?	; 0058h
	HighWaterNumberOfHandles	DWORD			?	; 005Ch
	TypeInfo					OBJECT_TYPE_INITIALIZER <>	; 0060h  4Ch bytes, ends at 00ACh
	Key							DWORD			?	; 00ACh
OBJECT_TYPE ENDS

; Creation-time attributes of an object; OBJECT_HEADER.ObjectCreateInfo
; points at one of these.
OBJECT_CREATE_INFORMATION STRUCT			; sizeof = 030h
	Attributes					DWORD		?	; 0000h
	RootDirectory				PVOID		?	; 0004h
	ParseContext				PVOID		?	; 0008h
	ProbeMode					BYTE		?	; 000Ch
								db 	3 dup(?)	; 000Dh padding so PagedPoolCharge is DWORD-aligned
	PagedPoolCharge				DWORD		?	; 0010h
	NonPagedPoolCharge			DWORD		?	; 0014h
	SecurityDescriptorCharge	DWORD		?	; 0018h
	SecurityDescriptor			PVOID		?	; 001Ch
	SecurityQos					PVOID		?	; 0020h PTR SECURITY_QUALITY_OF_SERVICE
	SecurityQualityOfService	SECURITY_QUALITY_OF_SERVICE <>	; 0024h  0Ch bytes, ends at 0030h
OBJECT_CREATE_INFORMATION ENDS

; Header that precedes every executive object body. The object body itself
; starts at 018h (= sizeof); it is left out of the declaration (see the
; commented Body line) so the header can be placed in front of any body type.
OBJECT_HEADER STRUCT						; sizeof = 018h
	PointerCount			SDWORD		?	; 0000h
	union									; HandleCount and SEntry overlay the same DWORD at 0004h
		HandleCount			SDWORD		?	; 0004h
		SEntry				PVOID		?	; 0004h PTR SINGLE_LIST_ENTRY
	ends
	_Type					PVOID		?	; 0008h PTR OBJECT_TYPE  (original name Type; prefixed because Type is a MASM keyword)
	NameInfoOffset			BYTE		?	; 000Ch
	HandleInfoOffset		BYTE		?	; 000Dh
	QuotaInfoOffset			BYTE		?	; 000Eh
	Flags					BYTE		?	; 000Fh
	union									; ObjectCreateInfo and QuotaBlockCharged overlay the same PVOID at 0010h
		ObjectCreateInfo	PVOID		?	; 0010h PTR OBJECT_CREATE_INFORMATION
		QuotaBlockCharged	PVOID		?	; 0010h
	ends
	SecurityDescriptor		PVOID		?	; 0014h
;	Body					QUAD 		<>	; 0018h
OBJECT_HEADER ENDS

; Processor Control Block (PRCB)

; NOTE(review): presumably the expected KPRCB.MinorVersion / MajorVersion
; values and the bit flags carried in KPRCB.BuildType -- confirm before use.
PRCB_MINOR_VERSION		equ 1
PRCB_MAJOR_VERSION		equ 1
PRCB_BUILD_DEBUG		equ 1
PRCB_BUILD_UNIPROCESSOR	equ 2

; KPRCB base address is 0FFDFF120h

; INCOMPLETE declaration: only the first 18h bytes are described (see
; "To be continued" below), so SIZEOF KPRCB is far smaller than the real
; block. Use it only to address the fields listed here; never use its size
; for allocation or as an array stride.
KPRCB STRUCT		; sizeof = XXX

	; Major and minor version numbers of the PCR.

	MinorVersion	WORD	?		; 00h
	MajorVersion	WORD	?		; 02h

	; Start of the architecturally defined section of the PRCB. This section
	; may be directly addressed by vendor/platform specific HAL code and will
	; not change from version to version of NT.

	CurrentThread	PVOID		? ; 04h PTR KTHREAD
	NextThread		PVOID		? ; 08h PTR KTHREAD
	IdleThread		PVOID		? ; 0Ch PTR KTHREAD
	Number			CHAR 		? ; 10h
	Reserved		CHAR 		? ; 11h
	BuildType		WORD		? ; 12h
	SetMember		KAFFINITY	? ; 14h

	; End of the architecturally defined section of the PRCB. This section
	; may be directly addressed by vendor/platform specific HAL code and will
	; not change from version to version of NT.

	; To be continued...

KPRCB ENDS
PKPRCB typedef PTR KPRCB

; Virtual Address Descriptor (binary-tree node, see Parent/Left/RightLink).
; Starting/EndingPageAddress and Commit are expressed in pages, not bytes.
VAD STRUCT							; sizeof = 20h
	StartingPageAddress		PVOID	?	; 0000h in pages
	EndingPageAddress		PVOID	?	; 0004h in pages
	ParentLink				PVOID	?	; 0008h PTR VAD
	LeftLink				PVOID	?	; 000Ch PTR VAD
	RightLink				PVOID	?	; 0010h PTR VAD
	Commit					WORD	?	; 0014h number of pages
	Flags					WORD	?	; 0016h
	ControlArea				PVOID	?	; 0018h PTR CONTROL_AREA
	ThePtes					PVOID	?	; 001Ch PTR _MMPTE  SEGMENT.ThePtes[1]
VAD ENDS
PVAD typedef ptr VAD


; Section subsection; chained through Next, terminated by NULL.
SUBSECTION STRUCT						; sizeof = 20h
	ControlArea				PVOID	?	; 0000h PTR CONTROL_AREA
	union								; Flags and the ssBits record overlay the same DWORD at 0004h
	Flags					DWORD	?	; 0004h
	ssBits RECORD \						; MASM RECORD: the first field listed occupies the most significant bits
		ssfUnknown2:24,		; bits 8-31
		Protection:4,		; bits 4-7
		ssfUnknown1:4		; bits 0-3
	ends
	StartingSector			DWORD	?	; 0008h
	NumberOfSectors			DWORD	?	; 000Ch
	BasePte					DWORD	?	; 0010h
	UnusedPtes				DWORD	?	; 0014h
	PtesInSubsect			DWORD	?	; 0018h
	Next					PVOID	?	; 001Ch PTR SUBSECTION if any NULL if last
SUBSECTION ENDS
PSUBSECTION typedef ptr SUBSECTION
