#pragma once
#include <ntifs.h>
#include <ntddk.h>
#include <ntimage.h>
#include <fltKernel.h>
// Byte alias; the kernel-mode headers above do not supply BYTE (that is a
// user-mode windef.h type), so it is defined here for code ported from user mode.
typedef unsigned char BYTE;
// Timeout helpers in the WDK convention: kernel wait/delay intervals are
// LARGE_INTEGER values in 100-nanosecond units, positive for an absolute
// system time and negative for "relative to now" (RELATIVE simply negates).
#define ABSOLUTE(wait) (wait)
#define RELATIVE(wait) (-(wait))
// Unit conversions chain downwards (SECONDS -> MILLISECONDS -> MICROSECONDS
// -> NANOSECONDS); each widens its argument to signed __int64 before scaling,
// so the multiplications are performed in 64 bits.  NANOSECONDS divides, so
// inputs below 100 ns truncate to 0.
#define NANOSECONDS(nanos) \
(((signed __int64)(nanos)) / 100L)
#define MICROSECONDS(micros) \
(((signed __int64)(micros)) * NANOSECONDS(1000L))
#define MILLISECONDS(milli) \
(((signed __int64)(milli)) * MICROSECONDS(1000L))
#define SECONDS(seconds) \
(((signed __int64)(seconds)) * MILLISECONDS(1000L))
// ntoskrnl export without a public prototype: returns the user-mode base
// address at which the process's main image section is mapped.  The value is
// an address in Process's own address space, so it is only meaningful while
// attached to that process; treat NULL as a possible result.
EXTERN_C NTKERNELAPI PVOID PsGetProcessSectionBaseAddress(__in PEPROCESS Process);
// ntoskrnl export without a public prototype: returns the process's user-mode
// PEB pointer, or NULL when it has none (e.g. the System process).  The PEB
// lives in the target's user address space: dereference it only while attached
// to that process and inside __try/__except, since the memory is
// user-controlled and may be unmapped or changed concurrently.
EXTERN_C NTKERNELAPI PPEB NTAPI PsGetProcessPeb(IN PEPROCESS Process);
// ntoskrnl export without a public prototype (the routine behind the native
// read/write-virtual-memory services).  Copies BufferSize bytes from
// FromAddress in FromProcess to ToAddress in ToProcess and reports how many
// bytes were actually moved in NumberOfBytesCopied.
// NOTE(review): PreviousMode appears to govern the user-range validation the
// routine applies to the two addresses; a caller passing KernelMode must
// range-check both buffers itself — confirm against the kernel build in use.
// Treat a success status with NumberOfBytesCopied < BufferSize as a partial
// copy rather than trusting the status alone.
EXTERN_C
NTKERNELAPI
NTSTATUS
NTAPI
MmCopyVirtualMemory(
_In_ PEPROCESS FromProcess,
_In_ PVOID FromAddress,
_In_ PEPROCESS ToProcess,
_Out_ PVOID ToAddress,
_In_ SIZE_T BufferSize,
_In_ KPROCESSOR_MODE PreviousMode,
_Out_ PSIZE_T NumberOfBytesCopied
);
// ntoskrnl export without a public prototype: captures Thread's register
// state into ThreadContext.  ThreadContext is _Inout_, which suggests the
// ContextFlags of the supplied CONTEXT select the register groups returned
// (assumed from the annotation — confirm).  Mode presumably decides whether
// ThreadContext is probed as a user-mode buffer; pass KernelMode only for a
// CONTEXT that lives in kernel-owned memory.
EXTERN_C NTKERNELAPI
NTSTATUS
NTAPI
PsGetContextThread(_In_ PETHREAD Thread,
_Inout_ PCONTEXT ThreadContext,
_In_ KPROCESSOR_MODE Mode);
// Native "lock pages" service.  BaseAddress and NumberOfBytesToLock are
// _Inout_: the kernel presumably rounds them to page boundaries and writes the
// adjusted range back.  MapType selects the lock flavour; its selector
// constants are not defined on this page.  Every page locked this way is
// charged against the target process and must be released with
// ZwUnlockVirtualMemory using the same MapType.
EXTERN_C NTSYSAPI NTSTATUS NTAPI ZwLockVirtualMemory(_In_ HANDLE ProcessHandle,
_Inout_ PVOID* BaseAddress,
_Inout_ PSIZE_T NumberOfBytesToLock,
_In_ ULONG MapType
);
// Counterpart of ZwLockVirtualMemory: releases the lock on the given range.
// The range arguments are _Inout_ for the same reason as on the lock side
// (page rounding written back), and MapType must match the value used when
// the pages were locked.
EXTERN_C NTSYSAPI NTSTATUS NTAPI ZwUnlockVirtualMemory(_In_ HANDLE ProcessHandle,
_Inout_ PVOID* BaseAddress,
_Inout_ PSIZE_T NumberOfBytesToUnlock,
_In_ ULONG MapType
);
// Information-class selectors for ZwQuerySystemInformation (declared below).
// This is the undocumented native enumeration; only a handful of classes have
// a stable, documented buffer layout.  The list ends at MaxSystemInfoClass =
// 0x9c for the build it was transcribed from — later kernels add further
// classes, so values above that are simply unknown here.  The classes this
// header actually defines buffers for are marked inline.
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemBasicInformation = 0x0,
SystemProcessorInformation = 0x1,
SystemPerformanceInformation = 0x2,
SystemTimeOfDayInformation = 0x3,
SystemPathInformation = 0x4,
SystemProcessInformation = 0x5, // SYSTEM_PROCESS_INFORMATION chain (base thread records)
SystemCallCountInformation = 0x6,
SystemDeviceInformation = 0x7,
SystemProcessorPerformanceInformation = 0x8,
SystemFlagsInformation = 0x9,
SystemCallTimeInformation = 0xa,
SystemModuleInformation = 0xb, // RTL_PROCESS_MODULES (loaded kernel modules)
SystemLocksInformation = 0xc,
SystemStackTraceInformation = 0xd,
SystemPagedPoolInformation = 0xe,
SystemNonPagedPoolInformation = 0xf,
SystemHandleInformation = 0x10,
SystemObjectInformation = 0x11,
SystemPageFileInformation = 0x12,
SystemVdmInstemulInformation = 0x13,
SystemVdmBopInformation = 0x14,
SystemFileCacheInformation = 0x15,
SystemPoolTagInformation = 0x16,
SystemInterruptInformation = 0x17,
SystemDpcBehaviorInformation = 0x18,
SystemFullMemoryInformation = 0x19,
SystemLoadGdiDriverInformation = 0x1a,
SystemUnloadGdiDriverInformation = 0x1b,
SystemTimeAdjustmentInformation = 0x1c,
SystemSummaryMemoryInformation = 0x1d,
SystemMirrorMemoryInformation = 0x1e,
SystemPerformanceTraceInformation = 0x1f,
SystemObsolete0 = 0x20,
SystemExceptionInformation = 0x21,
SystemCrashDumpStateInformation = 0x22,
SystemKernelDebuggerInformation = 0x23,
SystemContextSwitchInformation = 0x24,
SystemRegistryQuotaInformation = 0x25,
SystemExtendServiceTableInformation = 0x26,
SystemPrioritySeperation = 0x27,
SystemVerifierAddDriverInformation = 0x28,
SystemVerifierRemoveDriverInformation = 0x29,
SystemProcessorIdleInformation = 0x2a,
SystemLegacyDriverInformation = 0x2b,
SystemCurrentTimeZoneInformation = 0x2c,
SystemLookasideInformation = 0x2d,
SystemTimeSlipNotification = 0x2e,
SystemSessionCreate = 0x2f,
SystemSessionDetach = 0x30,
SystemSessionInformation = 0x31,
SystemRangeStartInformation = 0x32,
SystemVerifierInformation = 0x33,
SystemVerifierThunkExtend = 0x34,
SystemSessionProcessInformation = 0x35,
SystemLoadGdiDriverInSystemSpace = 0x36,
SystemNumaProcessorMap = 0x37,
SystemPrefetcherInformation = 0x38,
SystemExtendedProcessInformation = 0x39, // SYSTEM_PROCESS_INFORMATION chain with SYSTEM_EXTENDED_THREAD_INFORMATION entries
SystemRecommendedSharedDataAlignment = 0x3a,
SystemComPlusPackage = 0x3b,
SystemNumaAvailableMemory = 0x3c,
SystemProcessorPowerInformation = 0x3d,
SystemEmulationBasicInformation = 0x3e,
SystemEmulationProcessorInformation = 0x3f,
SystemExtendedHandleInformation = 0x40,
SystemLostDelayedWriteInformation = 0x41,
SystemBigPoolInformation = 0x42,
SystemSessionPoolTagInformation = 0x43,
SystemSessionMappedViewInformation = 0x44,
SystemHotpatchInformation = 0x45,
SystemObjectSecurityMode = 0x46,
SystemWatchdogTimerHandler = 0x47,
SystemWatchdogTimerInformation = 0x48,
SystemLogicalProcessorInformation = 0x49,
SystemWow64SharedInformationObsolete = 0x4a,
SystemRegisterFirmwareTableInformationHandler = 0x4b,
SystemFirmwareTableInformation = 0x4c,
SystemModuleInformationEx = 0x4d,
SystemVerifierTriageInformation = 0x4e,
SystemSuperfetchInformation = 0x4f,
SystemMemoryListInformation = 0x50,
SystemFileCacheInformationEx = 0x51,
SystemThreadPriorityClientIdInformation = 0x52,
SystemProcessorIdleCycleTimeInformation = 0x53,
SystemVerifierCancellationInformation = 0x54,
SystemProcessorPowerInformationEx = 0x55,
SystemRefTraceInformation = 0x56,
SystemSpecialPoolInformation = 0x57,
SystemProcessIdInformation = 0x58,
SystemErrorPortInformation = 0x59,
SystemBootEnvironmentInformation = 0x5a,
SystemHypervisorInformation = 0x5b,
SystemVerifierInformationEx = 0x5c,
SystemTimeZoneInformation = 0x5d,
SystemImageFileExecutionOptionsInformation = 0x5e,
SystemCoverageInformation = 0x5f,
SystemPrefetchPatchInformation = 0x60,
SystemVerifierFaultsInformation = 0x61,
SystemSystemPartitionInformation = 0x62,
SystemSystemDiskInformation = 0x63,
SystemProcessorPerformanceDistribution = 0x64,
SystemNumaProximityNodeInformation = 0x65,
SystemDynamicTimeZoneInformation = 0x66,
SystemCodeIntegrityInformation = 0x67,
SystemProcessorMicrocodeUpdateInformation = 0x68,
SystemProcessorBrandString = 0x69,
SystemVirtualAddressInformation = 0x6a,
SystemLogicalProcessorAndGroupInformation = 0x6b,
SystemProcessorCycleTimeInformation = 0x6c,
SystemStoreInformation = 0x6d,
SystemRegistryAppendString = 0x6e,
SystemAitSamplingValue = 0x6f,
SystemVhdBootInformation = 0x70,
SystemCpuQuotaInformation = 0x71,
SystemNativeBasicInformation = 0x72,
SystemErrorPortTimeouts = 0x73,
SystemLowPriorityIoInformation = 0x74,
SystemBootEntropyInformation = 0x75,
SystemVerifierCountersInformation = 0x76,
SystemPagedPoolInformationEx = 0x77,
SystemSystemPtesInformationEx = 0x78,
SystemNodeDistanceInformation = 0x79,
SystemAcpiAuditInformation = 0x7a,
SystemBasicPerformanceInformation = 0x7b,
SystemQueryPerformanceCounterInformation = 0x7c,
SystemSessionBigPoolInformation = 0x7d,
SystemBootGraphicsInformation = 0x7e,
SystemScrubPhysicalMemoryInformation = 0x7f,
SystemBadPageInformation = 0x80,
SystemProcessorProfileControlArea = 0x81,
SystemCombinePhysicalMemoryInformation = 0x82,
SystemEntropyInterruptTimingInformation = 0x83,
SystemConsoleInformation = 0x84,
SystemPlatformBinaryInformation = 0x85,
SystemThrottleNotificationInformation = 0x86,
SystemHypervisorProcessorCountInformation = 0x87,
SystemDeviceDataInformation = 0x88,
SystemDeviceDataEnumerationInformation = 0x89,
SystemMemoryTopologyInformation = 0x8a,
SystemMemoryChannelInformation = 0x8b,
SystemBootLogoInformation = 0x8c,
SystemProcessorPerformanceInformationEx = 0x8d,
SystemSpare0 = 0x8e,
SystemSecureBootPolicyInformation = 0x8f,
SystemPageFileInformationEx = 0x90,
SystemSecureBootInformation = 0x91,
SystemEntropyInterruptTimingRawInformation = 0x92,
SystemPortableWorkspaceEfiLauncherInformation = 0x93,
SystemFullProcessInformation = 0x94,
SystemKernelDebuggerInformationEx = 0x95,
SystemBootMetadataInformation = 0x96,
SystemSoftRebootInformation = 0x97,
SystemElamCertificateInformation = 0x98,
SystemOfflineDumpConfigInformation = 0x99,
SystemProcessorFeaturesInformation = 0x9a,
SystemRegistryReconciliationInformation = 0x9b,
MaxSystemInfoClass = 0x9c,
} SYSTEM_INFORMATION_CLASS;
// Native system-information query.  SystemInformationLength is the size of
// the caller's buffer; when it is too small the call fails (typically with
// STATUS_INFO_LENGTH_MISMATCH) and ReturnLength, if supplied, receives the
// size needed.  Variable-length classes such as SystemProcessInformation can
// grow between the sizing call and the real one, so retry in a loop with
// headroom, and validate every offset read from the result against the length
// actually returned — the record chain is only as long as the data copied.
EXTERN_C NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
// Locates the IMAGE_NT_HEADERS of a PE image mapped at Base (ntoskrnl export;
// __declspec(dllimport) is the decoration NTSYSAPI expands to on a driver
// build).  It checks the DOS and NT signatures and returns NULL when they do
// not match, but it does not catch access faults: when Base points into
// another process's image or any pageable/user memory, the caller must ensure
// the range is mapped and readable (attach to the process, wrap the call in
// __try/__except) before trusting any field of the returned headers.
EXTERN_C __declspec(dllimport)
PIMAGE_NT_HEADERS NTAPI RtlImageNtHeader(PVOID Base);
// ntoskrnl export without a public prototype: returns the WoW64 context of a
// 32-bit process, or NULL for a native one (the usual "is this WoW64" test).
// What the pointer refers to is reported to have changed across builds —
// older kernels return the 32-bit PEB itself, newer ones the _EWOW64PROCESS
// defined below, whose first field is that PEB pointer — so check the OS
// version before interpreting it.
EXTERN_C NTKERNELAPI PVOID PsGetProcessWow64Process(__in PEPROCESS Process);
//0x18 bytes (sizeof)
// One slot of the kernel's big-pool tracking table (allocations of a page or
// more).  Va is the allocation's virtual address, Key its four-character pool
// tag and NumberOfBytes its size; Pattern, PoolType and SlushSize share the
// ULONG at 0xc.  NOTE(review): the kernel is understood to flag free slots in
// the low bit of Va — confirm for the build in use before treating a slot as
// a live allocation.
typedef struct _POOL_TRACKER_BIG_PAGES
{
volatile ULONGLONG Va; //0x0
ULONG Key; //0x8
ULONG Pattern : 8; //0xc
ULONG PoolType : 12; //0xc
ULONG SlushSize : 12; //0xc
ULONGLONG NumberOfBytes; //0x10
}POOL_TRACKER_BIG_PAGES, *PPOOL_TRACKER_BIG_PAGES;
// Per-thread record that follows each process record for
// SystemProcessInformation.  The three times are 100-ns counts, ClientId
// carries the owning process id and the thread id, and ThreadState /
// WaitReason are the scheduler's state and wait-reason codes.  Its size
// depends on the build's pointer width (StartAddress, CLIENT_ID).
typedef struct _SYSTEM_THREAD_INFORMATION {
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
LONG Priority;
LONG BasePriority;
ULONG ContextSwitches;
ULONG ThreadState;
ULONG WaitReason;
} SYSTEM_THREAD_INFORMATION, * PSYSTEM_THREAD_INFORMATION;
// Extended per-thread record: the base SYSTEM_THREAD_INFORMATION followed by
// the user-mode stack bounds, the Win32 start address and the TEB address.
// This is the element type returned by SystemExtendedProcessInformation
// (0x39), not by SystemProcessInformation (0x5), so the per-thread stride
// differs between the two classes.
typedef struct _SYSTEM_EXTENDED_THREAD_INFORMATION {
SYSTEM_THREAD_INFORMATION ThreadInfo;
PVOID StackBase;
PVOID StackLimit;
PVOID Win32StartAddress;
PVOID TebBase;
ULONG_PTR Reserved2;
ULONG_PTR Reserved3;
ULONG_PTR Reserved4;
}SYSTEM_EXTENDED_THREAD_INFORMATION, * PSYSTEM_EXTENDED_THREAD_INFORMATION;
// Process record returned by ZwQuerySystemInformation for the
// SystemProcessInformation family.  Records are chained by NextEntryOffset
// (bytes from this record to the next; 0 on the last one) and each record is
// followed inline by NumberOfThreads thread entries.  Keep every
// NextEntryOffset and thread index inside the returned length before
// dereferencing, and do not assume the snapshot is still current.
// NOTE(review): Threads[] is typed as the *extended* thread record, which is
// the stride used by SystemExtendedProcessInformation (see the
// UniqueProcessKey comment below).  With SystemProcessInformation (0x5) the
// entries are plain SYSTEM_THREAD_INFORMATION, so indexing Threads[i] on that
// class would read past the real entries — query the class this layout matches.
typedef struct _SYSTEM_PROCESS_INFORMATION {
ULONG NextEntryOffset;
ULONG NumberOfThreads;
LARGE_INTEGER WorkingSetPrivateSize; // since VISTA
ULONG HardFaultCount; // since WIN7
ULONG NumberOfThreadsHighWatermark; // since WIN7
ULONGLONG CycleTime; // since WIN7
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
// Buffer points into the same returned block; it can be NULL (e.g. the idle
// process record) and is not guaranteed to be NUL-terminated — use Length.
UNICODE_STRING ImageName;
KPRIORITY BasePriority;
HANDLE UniqueProcessId;
HANDLE InheritedFromUniqueProcessId;
ULONG HandleCount;
ULONG SessionId;
ULONG_PTR UniqueProcessKey; // since VISTA (requires SystemExtendedProcessInformation)
SIZE_T PeakVirtualSize;
SIZE_T VirtualSize;
ULONG PageFaultCount;
SIZE_T PeakWorkingSetSize;
SIZE_T WorkingSetSize;
SIZE_T QuotaPeakPagedPoolUsage;
SIZE_T QuotaPagedPoolUsage;
SIZE_T QuotaPeakNonPagedPoolUsage;
SIZE_T QuotaNonPagedPoolUsage;
SIZE_T PagefileUsage;
SIZE_T PeakPagefileUsage;
SIZE_T PrivatePageCount;
LARGE_INTEGER ReadOperationCount;
LARGE_INTEGER WriteOperationCount;
LARGE_INTEGER OtherOperationCount;
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;
// Trailing variable-length array ([1] is the SDK idiom, not a fixed count).
SYSTEM_EXTENDED_THREAD_INFORMATION Threads[1];
} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;
// One loaded kernel module as reported by SystemModuleInformation (0xb).
// ImageBase/ImageSize describe the mapped image; FullPathName is an ANSI path
// of MAXIMUM_FILENAME_LENGTH bytes and OffsetToFileName is the index of the
// file-name part inside it.  NOTE(review): bound any string use by the array
// size (and check OffsetToFileName against it) rather than assuming a
// terminator is present.
typedef struct _RTL_PROCESS_MODULE_INFORMATION
{
HANDLE Section;
PVOID MappedBase;
PVOID ImageBase;
ULONG ImageSize;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName;
UCHAR FullPathName[MAXIMUM_FILENAME_LENGTH];
} RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION;
// Header of the SystemModuleInformation buffer: NumberOfModules records
// follow inline.  Modules[1] is the "at least one" trailing-array idiom, so
// the required buffer size must be computed from NumberOfModules (and checked
// against the length ZwQuerySystemInformation reports), never taken from
// sizeof(RTL_PROCESS_MODULES).
typedef struct _RTL_PROCESS_MODULES
{
ULONG NumberOfModules;
RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES;
// User-mode loader data block referenced from the PEB; offsets annotated for
// an x64 build (LIST_ENTRY and pointer members are 8 bytes there).  The three
// module lists link LDR_DATA_TABLE_ENTRY records (defined below) through the
// correspondingly named *Links members.  The lists live in user memory and
// can be modified by the process at any time, so walk them fault-protected
// and with an iteration bound rather than trusting the list to terminate.
typedef struct _PEB_LDR_DATA
{
ULONG Length; //0x0
UCHAR Initialized; //0x4
VOID* SsHandle; //0x8
struct _LIST_ENTRY InLoadOrderModuleList; //0x10
struct _LIST_ENTRY InMemoryOrderModuleList; //0x20
struct _LIST_ENTRY InInitializationOrderModuleList; //0x30
VOID* EntryInProgress; //0x40
UCHAR ShutdownInProgress; //0x48
VOID* ShutdownThreadId; //0x50
}PEB_LDR_DATA, * PPEB_LDR_DATA;
// 32-bit view of PEB_LDR_DATA as found in a WoW64 process: SsHandle and the
// list links are 32-bit (ULONG / LIST_ENTRY32), so the layout is the same
// whether the driver is built for x86 or x64.  Link targets are
// LDR_DATA_TABLE_ENTRY32 records, reached via 32-bit addresses that must be
// widened before use; the same fault-protection and bounded-walk caveats as
// for the 64-bit list apply.
typedef struct _PEB_LDR_DATA32
{
ULONG Length;
UCHAR Initialized;
ULONG SsHandle;
LIST_ENTRY32 InLoadOrderModuleList;
LIST_ENTRY32 InMemoryOrderModuleList;
LIST_ENTRY32 InInitializationOrderModuleList;
} PEB_LDR_DATA32, * PPEB_LDR_DATA32;
// Process Environment Block, 64-bit layout, with the byte offset of each
// member annotated.  Pointer-sized members are stored as ULONGLONG so the
// shape is stable regardless of the driver's own pointer width, with one
// exception noted at Ldr.  This is user-mode memory: read it only while
// attached to the owning process and inside __try/__except, and treat every
// value as untrusted input (the process can rewrite its own PEB).
// NOTE(review): the layout is build-specific; the offsets here match the
// build it was transcribed from and should be verified against the running
// kernel before any member past the first few is relied on.
typedef struct _PEB64
{
UCHAR InheritedAddressSpace; //0x0
UCHAR ReadImageFileExecOptions; //0x1
UCHAR BeingDebugged; //0x2
union
{
UCHAR BitField; //0x3
struct
{
UCHAR ImageUsesLargePages : 1; //0x3
UCHAR IsProtectedProcess : 1; //0x3
UCHAR IsImageDynamicallyRelocated : 1; //0x3
UCHAR SkipPatchingUser32Forwarders : 1; //0x3
UCHAR IsPackagedProcess : 1; //0x3
UCHAR IsAppContainer : 1; //0x3
UCHAR IsProtectedProcessLight : 1; //0x3
UCHAR IsLongPathAwareProcess : 1; //0x3
};
};
UCHAR Padding0[4]; //0x4
ULONGLONG Mutant; //0x8
ULONGLONG ImageBaseAddress; //0x10
// NOTE(review): the only native pointer in this struct.  It is 8 bytes on an
// x64 build (matching the 0x18/0x20 offsets); in a 32-bit build it would
// shrink to 4 bytes and shift every following member — this layout assumes x64.
PEB_LDR_DATA* Ldr; //0x18
ULONGLONG ProcessParameters; //0x20
ULONGLONG SubSystemData; //0x28
ULONGLONG ProcessHeap; //0x30
ULONGLONG FastPebLock; //0x38
ULONGLONG AtlThunkSListPtr; //0x40
ULONGLONG IFEOKey; //0x48
union
{
ULONG CrossProcessFlags; //0x50
struct
{
ULONG ProcessInJob : 1; //0x50
ULONG ProcessInitializing : 1; //0x50
ULONG ProcessUsingVEH : 1; //0x50
ULONG ProcessUsingVCH : 1; //0x50
ULONG ProcessUsingFTH : 1; //0x50
ULONG ProcessPreviouslyThrottled : 1; //0x50
ULONG ProcessCurrentlyThrottled : 1; //0x50
ULONG ProcessImagesHotPatched : 1; //0x50
ULONG ReservedBits0 : 24; //0x50
};
};
UCHAR Padding1[4]; //0x54
union
{
ULONGLONG KernelCallbackTable; //0x58
ULONGLONG UserSharedInfoPtr; //0x58
};
ULONG SystemReserved; //0x60
ULONG AtlThunkSListPtr32; //0x64
ULONGLONG ApiSetMap; //0x68
ULONG TlsExpansionCounter; //0x70
UCHAR Padding2[4]; //0x74
ULONGLONG TlsBitmap; //0x78
ULONG TlsBitmapBits[2]; //0x80
ULONGLONG ReadOnlySharedMemoryBase; //0x88
ULONGLONG SharedData; //0x90
ULONGLONG ReadOnlyStaticServerData; //0x98
ULONGLONG AnsiCodePageData; //0xa0
ULONGLONG OemCodePageData; //0xa8
ULONGLONG UnicodeCaseTableData; //0xb0
ULONG NumberOfProcessors; //0xb8
ULONG NtGlobalFlag; //0xbc
union _LARGE_INTEGER CriticalSectionTimeout; //0xc0
ULONGLONG HeapSegmentReserve; //0xc8
ULONGLONG HeapSegmentCommit; //0xd0
ULONGLONG HeapDeCommitTotalFreeThreshold; //0xd8
ULONGLONG HeapDeCommitFreeBlockThreshold; //0xe0
ULONG NumberOfHeaps; //0xe8
ULONG MaximumNumberOfHeaps; //0xec
ULONGLONG ProcessHeaps; //0xf0
ULONGLONG GdiSharedHandleTable; //0xf8
ULONGLONG ProcessStarterHelper; //0x100
ULONG GdiDCAttributeList; //0x108
UCHAR Padding3[4]; //0x10c
ULONGLONG LoaderLock; //0x110
ULONG OSMajorVersion; //0x118
ULONG OSMinorVersion; //0x11c
USHORT OSBuildNumber; //0x120
USHORT OSCSDVersion; //0x122
ULONG OSPlatformId; //0x124
ULONG ImageSubsystem; //0x128
ULONG ImageSubsystemMajorVersion; //0x12c
ULONG ImageSubsystemMinorVersion; //0x130
UCHAR Padding4[4]; //0x134
ULONGLONG ActiveProcessAffinityMask; //0x138
ULONG GdiHandleBuffer[60]; //0x140
ULONGLONG PostProcessInitRoutine; //0x230
ULONGLONG TlsExpansionBitmap; //0x238
ULONG TlsExpansionBitmapBits[32]; //0x240
ULONG SessionId; //0x2c0
UCHAR Padding5[4]; //0x2c4
union _ULARGE_INTEGER AppCompatFlags; //0x2c8
union _ULARGE_INTEGER AppCompatFlagsUser; //0x2d0
ULONGLONG pShimData; //0x2d8
ULONGLONG AppCompatInfo; //0x2e0
struct _STRING64 CSDVersion; //0x2e8
ULONGLONG ActivationContextData; //0x2f8
ULONGLONG ProcessAssemblyStorageMap; //0x300
ULONGLONG SystemDefaultActivationContextData; //0x308
ULONGLONG SystemAssemblyStorageMap; //0x310
ULONGLONG MinimumStackCommit; //0x318
ULONGLONG SparePointers[4]; //0x320
ULONG SpareUlongs[5]; //0x340
ULONGLONG WerRegistrationData; //0x358
ULONGLONG WerShipAssertPtr; //0x360
ULONGLONG pUnused; //0x368
ULONGLONG pImageHeaderHash; //0x370
union
{
ULONG TracingFlags; //0x378
struct
{
ULONG HeapTracingEnabled : 1; //0x378
ULONG CritSecTracingEnabled : 1; //0x378
ULONG LibLoaderTracingEnabled : 1; //0x378
ULONG SpareTracingBits : 29; //0x378
};
};
UCHAR Padding6[4]; //0x37c
ULONGLONG CsrServerReadOnlySharedMemoryBase; //0x380
ULONGLONG TppWorkerpListLock; //0x388
struct LIST_ENTRY64 TppWorkerpList; //0x390
ULONGLONG WaitOnAddressHashTable[128]; //0x3a0
ULONGLONG TelemetryCoverageHeader; //0x7a0
ULONG CloudFileFlags; //0x7a8
ULONG CloudFileDiagFlags; //0x7ac
CHAR PlaceholderCompatibilityMode; //0x7b0
CHAR PlaceholderCompatibilityModeReserved[7]; //0x7b1
ULONGLONG LeapSecondData; //0x7b8
union
{
ULONG LeapSecondFlags; //0x7c0
struct
{
ULONG SixtySecondEnabled : 1; //0x7c0
ULONG Reserved : 31; //0x7c0
};
};
ULONG NtGlobalFlag2; //0x7c4
} PEB64, * PPEB64;
//0x480 bytes (sizeof)
// Process Environment Block as seen by a 32-bit (WoW64) process; every
// pointer is stored as ULONG, so this definition is safe to use from an x64
// driver.  The LARGE_INTEGER members force 8-byte alignment, which is why
// CriticalSectionTimeout sits at 0x70 (not 0x6c) and the total is 0x480.
// Same caveats as PEB64: user-mode, untrusted, fault-protect every access,
// and re-verify the offsets against the running build.
typedef struct _PEB32
{
UCHAR InheritedAddressSpace; //0x0
UCHAR ReadImageFileExecOptions; //0x1
UCHAR BeingDebugged; //0x2
union
{
UCHAR BitField; //0x3
struct
{
UCHAR ImageUsesLargePages : 1; //0x3
UCHAR IsProtectedProcess : 1; //0x3
UCHAR IsImageDynamicallyRelocated : 1; //0x3
UCHAR SkipPatchingUser32Forwarders : 1; //0x3
UCHAR IsPackagedProcess : 1; //0x3
UCHAR IsAppContainer : 1; //0x3
UCHAR IsProtectedProcessLight : 1; //0x3
UCHAR IsLongPathAwareProcess : 1; //0x3
};
};
ULONG Mutant; //0x4
ULONG ImageBaseAddress; //0x8
ULONG Ldr; //0xc
ULONG ProcessParameters; //0x10
ULONG SubSystemData; //0x14
ULONG ProcessHeap; //0x18
ULONG FastPebLock; //0x1c
ULONG AtlThunkSListPtr; //0x20
ULONG IFEOKey; //0x24
union
{
ULONG CrossProcessFlags; //0x28
struct
{
ULONG ProcessInJob : 1; //0x28
ULONG ProcessInitializing : 1; //0x28
ULONG ProcessUsingVEH : 1; //0x28
ULONG ProcessUsingVCH : 1; //0x28
ULONG ProcessUsingFTH : 1; //0x28
ULONG ProcessPreviouslyThrottled : 1; //0x28
ULONG ProcessCurrentlyThrottled : 1; //0x28
ULONG ProcessImagesHotPatched : 1; //0x28
ULONG ReservedBits0 : 24; //0x28
};
};
union
{
ULONG KernelCallbackTable; //0x2c
ULONG UserSharedInfoPtr; //0x2c
};
ULONG SystemReserved; //0x30
ULONG AtlThunkSListPtr32; //0x34
ULONG ApiSetMap; //0x38
ULONG TlsExpansionCounter; //0x3c
ULONG TlsBitmap; //0x40
ULONG TlsBitmapBits[2]; //0x44
ULONG ReadOnlySharedMemoryBase; //0x4c
ULONG SharedData; //0x50
ULONG ReadOnlyStaticServerData; //0x54
ULONG AnsiCodePageData; //0x58
ULONG OemCodePageData; //0x5c
ULONG UnicodeCaseTableData; //0x60
ULONG NumberOfProcessors; //0x64
ULONG NtGlobalFlag; //0x68
union _LARGE_INTEGER CriticalSectionTimeout; //0x70
ULONG HeapSegmentReserve; //0x78
ULONG HeapSegmentCommit; //0x7c
ULONG HeapDeCommitTotalFreeThreshold; //0x80
ULONG HeapDeCommitFreeBlockThreshold; //0x84
ULONG NumberOfHeaps; //0x88
ULONG MaximumNumberOfHeaps; //0x8c
ULONG ProcessHeaps; //0x90
ULONG GdiSharedHandleTable; //0x94
ULONG ProcessStarterHelper; //0x98
ULONG GdiDCAttributeList; //0x9c
ULONG LoaderLock; //0xa0
ULONG OSMajorVersion; //0xa4
ULONG OSMinorVersion; //0xa8
USHORT OSBuildNumber; //0xac
USHORT OSCSDVersion; //0xae
ULONG OSPlatformId; //0xb0
ULONG ImageSubsystem; //0xb4
ULONG ImageSubsystemMajorVersion; //0xb8
ULONG ImageSubsystemMinorVersion; //0xbc
ULONG ActiveProcessAffinityMask; //0xc0
ULONG GdiHandleBuffer[34]; //0xc4
ULONG PostProcessInitRoutine; //0x14c
ULONG TlsExpansionBitmap; //0x150
ULONG TlsExpansionBitmapBits[32]; //0x154
ULONG SessionId; //0x1d4
union _ULARGE_INTEGER AppCompatFlags; //0x1d8
union _ULARGE_INTEGER AppCompatFlagsUser; //0x1e0
ULONG pShimData; //0x1e8
ULONG AppCompatInfo; //0x1ec
struct _STRING32 CSDVersion; //0x1f0
ULONG ActivationContextData; //0x1f8
ULONG ProcessAssemblyStorageMap; //0x1fc
ULONG SystemDefaultActivationContextData; //0x200
ULONG SystemAssemblyStorageMap; //0x204
ULONG MinimumStackCommit; //0x208
ULONG SparePointers[4]; //0x20c
ULONG SpareUlongs[5]; //0x21c
ULONG WerRegistrationData; //0x230
ULONG WerShipAssertPtr; //0x234
ULONG pUnused; //0x238
ULONG pImageHeaderHash; //0x23c
union
{
ULONG TracingFlags; //0x240
struct
{
ULONG HeapTracingEnabled : 1; //0x240
ULONG CritSecTracingEnabled : 1; //0x240
ULONG LibLoaderTracingEnabled : 1; //0x240
ULONG SpareTracingBits : 29; //0x240
};
};
ULONGLONG CsrServerReadOnlySharedMemoryBase; //0x248
ULONG TppWorkerpListLock; //0x250
struct LIST_ENTRY32 TppWorkerpList; //0x254
ULONG WaitOnAddressHashTable[128]; //0x25c
ULONG TelemetryCoverageHeader; //0x45c
ULONG CloudFileFlags; //0x460
ULONG CloudFileDiagFlags; //0x464
CHAR PlaceholderCompatibilityMode; //0x468
CHAR PlaceholderCompatibilityModeReserved[7]; //0x469
ULONG LeapSecondData; //0x470
union
{
ULONG LeapSecondFlags; //0x474
struct
{
ULONG SixtySecondEnabled : 1; //0x474
ULONG Reserved : 31; //0x474
};
};
ULONG NtGlobalFlag2; //0x478
}PEB32, * PPEB32;
// User-mode loader record for one mapped module (offsets annotated for x64).
// The three LIST_ENTRY members correspond to the module lists in
// PEB_LDR_DATA; a node taken from one list must be converted back with
// CONTAINING_RECORD through the matching member.  Several members refer to
// types that are not defined in this header: the pointer members are fine as
// incomplete types, but LoadReason is an incomplete enum used *by value*,
// which relies on the MSVC extension of assuming int (warning C4471) — the
// 0x10c/0x110 offsets depend on that 4-byte width.  All of this is user
// memory: fault-protect reads and bound list walks.
typedef struct _LDR_DATA_TABLE_ENTRY
{
struct _LIST_ENTRY InLoadOrderLinks; //0x0
struct _LIST_ENTRY InMemoryOrderLinks; //0x10
struct _LIST_ENTRY InInitializationOrderLinks; //0x20
VOID* DllBase; //0x30
VOID* EntryPoint; //0x38
ULONG SizeOfImage; //0x40
struct _UNICODE_STRING FullDllName; //0x48
struct _UNICODE_STRING BaseDllName; //0x58
union
{
UCHAR FlagGroup[4]; //0x68
ULONG Flags; //0x68
struct
{
ULONG PackagedBinary : 1; //0x68
ULONG MarkedForRemoval : 1; //0x68
ULONG ImageDll : 1; //0x68
ULONG LoadNotificationsSent : 1; //0x68
ULONG TelemetryEntryProcessed : 1; //0x68
ULONG ProcessStaticImport : 1; //0x68
ULONG InLegacyLists : 1; //0x68
ULONG InIndexes : 1; //0x68
ULONG ShimDll : 1; //0x68
ULONG InExceptionTable : 1; //0x68
ULONG ReservedFlags1 : 2; //0x68
ULONG LoadInProgress : 1; //0x68
ULONG LoadConfigProcessed : 1; //0x68
ULONG EntryProcessed : 1; //0x68
ULONG ProtectDelayLoad : 1; //0x68
ULONG ReservedFlags3 : 2; //0x68
ULONG DontCallForThreads : 1; //0x68
ULONG ProcessAttachCalled : 1; //0x68
ULONG ProcessAttachFailed : 1; //0x68
ULONG CorDeferredValidate : 1; //0x68
ULONG CorImage : 1; //0x68
ULONG DontRelocate : 1; //0x68
ULONG CorILOnly : 1; //0x68
ULONG ChpeImage : 1; //0x68
ULONG ReservedFlags5 : 2; //0x68
ULONG Redirected : 1; //0x68
ULONG ReservedFlags6 : 2; //0x68
ULONG CompatDatabaseProcessed : 1; //0x68
};
};
USHORT ObsoleteLoadCount; //0x6c
USHORT TlsIndex; //0x6e
struct _LIST_ENTRY HashLinks; //0x70
ULONG TimeDateStamp; //0x80
struct _ACTIVATION_CONTEXT* EntryPointActivationContext; //0x88
VOID* Lock; //0x90
struct _LDR_DDAG_NODE* DdagNode; //0x98
struct _LIST_ENTRY NodeModuleLink; //0xa0
struct _LDRP_LOAD_CONTEXT* LoadContext; //0xb0
VOID* ParentDllBase; //0xb8
VOID* SwitchBackContext; //0xc0
struct _RTL_BALANCED_NODE BaseAddressIndexNode; //0xc8
struct _RTL_BALANCED_NODE MappingInfoIndexNode; //0xe0
ULONGLONG OriginalBase; //0xf8
union _LARGE_INTEGER LoadTime; //0x100
ULONG BaseNameHashValue; //0x108
enum _LDR_DLL_LOAD_REASON LoadReason; //0x10c
ULONG ImplicitPathOptions; //0x110
ULONG ReferenceCount; //0x114
ULONG DependentLoadFlags; //0x118
UCHAR SigningLevel; //0x11c
}LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
// 32-bit loader record for a module in a WoW64 process; only the leading,
// long-stable members are declared (through TimeDateStamp).  Pointers and
// strings are 32-bit (ULONG / UNICODE_STRING32) and must be widened before
// being used as kernel-side addresses; the same user-memory caveats as for
// the 64-bit entry apply.
typedef struct _LDR_DATA_TABLE_ENTRY32
{
LIST_ENTRY32 InLoadOrderLinks;
LIST_ENTRY32 InMemoryOrderLinks;
LIST_ENTRY32 InInitializationOrderLinks;
ULONG DllBase;
ULONG EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING32 FullDllName;
UNICODE_STRING32 BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
LIST_ENTRY32 HashLinks;
ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY32, * PLDR_DATA_TABLE_ENTRY32;
//0x10 bytes (sizeof)
// Per-process WoW64 block on builds where PsGetProcessWow64Process returns it
// (see that declaration): Peb is the 32-bit PEB pointer, Machine the guest
// IMAGE_FILE_MACHINE_* value.  NtdllType is an incomplete enum used by value
// and relies on MSVC assuming int for it (warning C4471); the 0x10 size
// depends on that.
typedef struct _EWOW64PROCESS
{
VOID* Peb; //0x0
USHORT Machine; //0x8
enum _SYSTEM_DLL_TYPE NtdllType; //0xc
}EWOW64PROCESS, * PEWOW64PROCESS;
// One working-set entry: a pointer-sized bit-field word.  The first four
// fields take 12 bits; VirtualPage holds the remaining 52 (x64) or 20 (x86)
// bits and is a page number, so the address is VirtualPage << PAGE_SHIFT.
// Protection is a 5-bit memory-manager protection index, not a PAGE_* constant.
typedef struct _MEMORY_WORKING_SET_BLOCK {
ULONG_PTR Protection : 5;
ULONG_PTR ShareCount : 3;
ULONG_PTR Shared : 1;
ULONG_PTR Node : 3;
#ifdef _WIN64
ULONG_PTR VirtualPage : 52;
#else
// ULONG and ULONG_PTR are both 4 bytes here, so the field still packs into
// the same word as the ones above.
ULONG VirtualPage : 20;
#endif
} MEMORY_WORKING_SET_BLOCK, * PMEMORY_WORKING_SET_BLOCK;
// Working-set listing header: NumberOfEntries MEMORY_WORKING_SET_BLOCK words
// follow inline (WorkingSetInfo[1] is the trailing-array idiom).  Size the
// buffer from NumberOfEntries and check indices against the length actually
// returned by the query.
typedef struct _MEMORY_WORKING_SET_INFORMATION {
ULONG_PTR NumberOfEntries;
MEMORY_WORKING_SET_BLOCK WorkingSetInfo[1];
} MEMORY_WORKING_SET_INFORMATION, * PMEMORY_WORKING_SET_INFORMATION;
// Basic per-thread record (the ThreadBasicInformation query buffer).
// TebBaseAddress is a user-mode address in the thread's process; ClientId
// holds the process and thread ids; Priority/BasePriority are scheduler
// priorities.  Size depends on pointer width (TebBaseAddress, CLIENT_ID,
// KAFFINITY).
typedef struct _THREAD_BASIC_INFORMATION {
NTSTATUS ExitStatus;
PVOID TebBaseAddress;
CLIENT_ID ClientId;
KAFFINITY AffinityMask;
LONG Priority;
LONG BasePriority;
} THREAD_BASIC_INFORMATION, * PTHREAD_BASIC_INFORMATION;
/*
*
*
*
*
* VIRTUAL ADDRESS DESCRIPTOR ( VAD ) Structures
*
*
*
*/
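//0x4 bytes (sizeof)
// Section flags word of a control area (32 single-bit flags plus the 6-bit
// PreferredNode, 32 bits in all).  Image/File/PhysicalMemory describe what
// backs the section.  Only the struct tag is used (by value, inside
// _CONTROL_AREA below); the original declaration carried a `typedef` with no
// declarator, which MSVC flags (C4091) and which produced no type name, so the
// keyword is dropped.  Build-specific — verify against the running kernel.
struct _MMSECTION_FLAGS
{
    ULONG BeingDeleted : 1; //0x0
    ULONG BeingCreated : 1; //0x0
    ULONG BeingPurged : 1; //0x0
    ULONG NoModifiedWriting : 1; //0x0
    ULONG FailAllIo : 1; //0x0
    ULONG Image : 1; //0x0
    ULONG Based : 1; //0x0
    ULONG File : 1; //0x0
    ULONG AttemptingDelete : 1; //0x0
    ULONG PrefetchCreated : 1; //0x0
    ULONG PhysicalMemory : 1; //0x0
    ULONG ImageControlAreaOnRemovableMedia : 1; //0x0
    ULONG Reserve : 1; //0x0
    ULONG Commit : 1; //0x0
    ULONG NoChange : 1; //0x0
    ULONG WasPurged : 1; //0x0
    ULONG UserReference : 1; //0x0
    ULONG GlobalMemory : 1; //0x0
    ULONG DeleteOnClose : 1; //0x0
    ULONG FilePointerNull : 1; //0x0
    ULONG PreferredNode : 6; //0x0
    ULONG GlobalOnlyPerSession : 1; //0x0
    ULONG UserWritable : 1; //0x0
    ULONG SystemVaAllocated : 1; //0x0
    ULONG PreferredFsCompressionBoundary : 1; //0x0
    ULONG UsingFileExtents : 1; //0x0
    ULONG PageSize64K : 1; //0x0
};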
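//0x8 bytes (sizeof)
// Pointer with an embedded reference count: Object and Value alias the same
// 8 bytes and RefCnt occupies the low 4 bits, so the real object pointer is
// Value with those bits masked off (the pointee must be 16-byte aligned for
// the scheme to work).  Never dereference Object directly.  The spurious
// `typedef` with no declarator (MSVC C4091) is dropped; only the tag is used.
struct _EX_FAST_REF
{
    union
    {
        VOID* Object; //0x0
        ULONGLONG RefCnt : 4; //0x0
        ULONGLONG Value; //0x0
    };
};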
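//0x4 bytes (sizeof)
// Second flags word of a control area.  PartitionId is a 10-bit USHORT field;
// the two UCHAR bits start a new allocation unit at offset 2 because MSVC
// does not merge bit-fields of differently sized base types, which is how the
// struct comes to 4 bytes.  Spurious `typedef` without a declarator dropped.
struct _MMSECTION_FLAGS2
{
    USHORT PartitionId : 10; //0x0
    UCHAR NoCrossPartitionAccess : 1; //0x2
    UCHAR SubsectionCrossPartitionReferenceOverflow : 1; //0x2
};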
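// VAD flags word as laid out for a private (non-image, non-shared) VAD.  The
// first 20 bits (Lock .. PageSize) are common to all three *_VAD_FLAGS views
// in this header; the upper bits differ by VAD kind, and the
// PrivateMemoryAlwaysSet / AlwaysClear / GraphicsAlwaysSet bits look like the
// discriminator between them — confirm before relying on that.  Protection is
// the memory manager's 5-bit protection index, not a PAGE_* constant.
// Spurious `typedef` without a declarator (MSVC C4091) dropped.
struct _MM_PRIVATE_VAD_FLAGS
{
    ULONG Lock : 1; //0x0
    ULONG LockContended : 1; //0x0
    ULONG DeleteInProgress : 1; //0x0
    ULONG NoChange : 1; //0x0
    ULONG VadType : 3; //0x0
    ULONG Protection : 5; //0x0
    ULONG PreferredNode : 6; //0x0
    ULONG PageSize : 2; //0x0
    ULONG PrivateMemoryAlwaysSet : 1; //0x0
    ULONG WriteWatch : 1; //0x0
    ULONG FixedLargePageSize : 1; //0x0
    ULONG ZeroFillPagesOptional : 1; //0x0
    ULONG Graphics : 1; //0x0
    ULONG Enclave : 1; //0x0
    ULONG ShadowStack : 1; //0x0
    ULONG PhysicalMemoryPfnsReferenced : 1; //0x0
};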
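//0x4 bytes (sizeof)
// VAD flags word as laid out for a graphics VAD.  Shares the first 20 bits
// with _MM_PRIVATE_VAD_FLAGS / _MM_SHARED_VAD_FLAGS; the remaining bits carry
// graphics-specific attributes (GraphicsAlwaysSet marks the view as valid —
// confirm).  Protection is the memory manager's 5-bit protection index, not a
// PAGE_* constant.  Spurious `typedef` without a declarator (MSVC C4091) dropped.
struct _MM_GRAPHICS_VAD_FLAGS
{
    ULONG Lock : 1; //0x0
    ULONG LockContended : 1; //0x0
    ULONG DeleteInProgress : 1; //0x0
    ULONG NoChange : 1; //0x0
    ULONG VadType : 3; //0x0
    ULONG Protection : 5; //0x0
    ULONG PreferredNode : 6; //0x0
    ULONG PageSize : 2; //0x0
    ULONG PrivateMemoryAlwaysSet : 1; //0x0
    ULONG WriteWatch : 1; //0x0
    ULONG FixedLargePageSize : 1; //0x0
    ULONG ZeroFillPagesOptional : 1; //0x0
    ULONG GraphicsAlwaysSet : 1; //0x0
    ULONG GraphicsUseCoherentBus : 1; //0x0
    ULONG GraphicsNoCache : 1; //0x0
    ULONG GraphicsPageProtection : 3; //0x0
};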
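//0x4 bytes (sizeof)
// VAD flags word as laid out for a shared (section-backed) VAD.  Shares the
// first 20 bits with the private and graphics views; PrivateMemoryAlwaysClear
// is the bit that is set in the private view as PrivateMemoryAlwaysSet.
// Only 23 bits are named; the rest of the word is unspecified here.
// Spurious `typedef` without a declarator (MSVC C4091) dropped.
struct _MM_SHARED_VAD_FLAGS
{
    ULONG Lock : 1; //0x0
    ULONG LockContended : 1; //0x0
    ULONG DeleteInProgress : 1; //0x0
    ULONG NoChange : 1; //0x0
    ULONG VadType : 3; //0x0
    ULONG Protection : 5; //0x0
    ULONG PreferredNode : 6; //0x0
    ULONG PageSize : 2; //0x0
    ULONG PrivateMemoryAlwaysClear : 1; //0x0
    ULONG PrivateFixup : 1; //0x0
    ULONG HotPatchAllowed : 1; //0x0
};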
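//0x8 bytes (sizeof)
// Push-lock word as the kernel encodes it: the four state flags occupy the
// low bits and Shared the remaining 60, all aliased by Value and Ptr.  This
// tag is distinct from the WDK's opaque EX_PUSH_LOCK typedef (a ULONG_PTR)
// and is only used by value inside _CONTROL_AREA below; it is for reading
// the layout, not for acquiring or releasing the lock.  Spurious `typedef`
// without a declarator (MSVC C4091) dropped.
struct _EX_PUSH_LOCK
{
    union
    {
        struct
        {
            ULONGLONG Locked : 1; //0x0
            ULONGLONG Waiting : 1; //0x0
            ULONGLONG Waking : 1; //0x0
            ULONGLONG MultipleShared : 1; //0x0
            ULONGLONG Shared : 60; //0x0
        };
        ULONGLONG Value; //0x0
        VOID* Ptr; //0x0
    };
};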
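// 0x80 bytes(sizeof)
// Memory-manager control area: the per-section bookkeeping record that
// subsections and section-backed VADs refer to (offsets annotated for x64).
// The reference counters sit at 0x18..0x30, the two flag words use the
// _MMSECTION_FLAGS / _MMSECTION_FLAGS2 tags above, and FilePointer is an
// _EX_FAST_REF whose low 4 bits are a reference count and must be masked off
// before the value is treated as a pointer (to the backing file object on
// file-backed sections).  _SEGMENT, _MI_CONTROL_AREA_WAIT_BLOCK and
// _MI_IMAGE_SECURITY_REFERENCE are only used through pointers and stay
// incomplete here.  Layout is build-specific; verify against the running
// kernel before reading anything beyond the flags.
typedef struct _CONTROL_AREA
{
    struct _SEGMENT* Segment; //0x0
    union
    {
        struct _LIST_ENTRY ListHead; //0x8
        VOID* AweContext; //0x8
    };
    ULONGLONG NumberOfSectionReferences; //0x18
    ULONGLONG NumberOfPfnReferences; //0x20
    ULONGLONG NumberOfMappedViews; //0x28
    ULONGLONG NumberOfUserReferences; //0x30
    union
    {
        ULONG LongFlags; //0x38
        struct _MMSECTION_FLAGS Flags; //0x38
    } u; //0x38
    union
    {
        ULONG LongFlags; //0x3c
        struct _MMSECTION_FLAGS2 Flags; //0x3c
    } u1; //0x3c
    struct _EX_FAST_REF FilePointer; //0x40
    volatile LONG ControlAreaLock; //0x48
    ULONG ModifiedWriteCount; //0x4c
    struct _MI_CONTROL_AREA_WAIT_BLOCK* WaitList; //0x50
    union
    {
        struct
        {
            union
            {
                ULONG NumberOfSystemCacheViews; //0x58
                ULONG ImageRelocationStartBit; //0x58
            };
            union
            {
                volatile LONG WritableUserReferences; //0x5c
                struct
                {
                    ULONG ImageRelocationSizeIn64k : 16; //0x5c
                    ULONG SystemImage : 1; //0x5c
                    ULONG CantMove : 1; //0x5c
                    ULONG StrongCode : 2; //0x5c
                    ULONG BitMap : 2; //0x5c
                    ULONG ImageActive : 1; //0x5c
                    ULONG ImageBaseOkToReuse : 1; //0x5c
                };
            };
            union
            {
                ULONG FlushInProgressCount; //0x60
                ULONG NumberOfSubsections; //0x60
                struct _MI_IMAGE_SECURITY_REFERENCE* SeImageStub; //0x60
            };
        } e2; //0x58
    } u2; //0x58
    struct _EX_PUSH_LOCK FileObjectLock; //0x68
    volatile ULONGLONG LockedPages; //0x70
    union
    {
        // IoAttributionContext and Spare share one 64-bit unit (61 + 3 bits),
        // so they are grouped in an anonymous struct, as the other bit-field
        // groups in this header are.  Declared as separate union members they
        // would both start at bit 0 and Spare would alias the low bits of
        // IoAttributionContext.
        struct
        {
            ULONGLONG IoAttributionContext : 61; //0x78
            ULONGLONG Spare : 3; //0x78
        };
        ULONGLONG ImageCrossPartitionCharge; //0x78
        ULONGLONG CommittedPageCount : 36; //0x78
    } u3; //0x78
// CONTROL_AREA is the intended name; COONTROL_AREA is the original
// misspelling, kept as an alias so existing references keep compiling.
} CONTROL_AREA, COONTROL_AREA, * PCONTROL_AREA;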
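//0x4 bytes (sizeof)
// Secondary VAD flags word: a 24-bit FileOffset (understood to be in 64 KiB
// units per the kernel's convention — confirm) plus five single-bit flags and
// 3 spare bits, 32 bits in all.  Spurious `typedef` without a declarator
// (MSVC C4091) dropped; only the tag is usable.
struct _MMVAD_FLAGS2
{
    ULONG FileOffset : 24; //0x0
    ULONG Large : 1; //0x0
    ULONG TrimBehind : 1; //0x0
    ULONG Inherit : 1; //0x0
    ULONG NoValidationNeeded : 1; //0x0
    ULONG PrivateDemandZero : 1; //0x0
    ULONG Spare : 3; //0x0
};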
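//0x8 bytes (sizeof)
// Sequential-access hint stored in a VAD: Vpn is a 52-bit virtual page
// number (address >> PAGE_SHIFT) and Length a 12-bit run length, packed into
// one 64-bit word.  Spurious `typedef` without a declarator (MSVC C4091)
// dropped; only the tag is usable.
struct _MI_VAD_SEQUENTIAL_INFO
{
    ULONGLONG Length : 12; //0x0
    ULONGLONG Vpn : 52; //0x0
};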
//0x4 bytes (sizeof)
typedef struct _MMVAD_FLAGS
{
ULONG Lock : 1; //0x0
ULONG LockContended : 1; //0x0
ULONG DeleteInProgress : 1; //0x0
ULONG NoChange : 1; //0x0
ULONG VadType : 3; //0x0