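#pragma once

// Hand-maintained mirrors of undocumented Windows structures: the PEB and
// loader lists (native and 32-bit views), kernel module entries, VAD tree
// nodes and the handle table.
//
// Review caveats for anyone consuming this header:
//  * None of these layouts is a stable ABI. The Size=/Offset= annotations
//    record what was observed on one build; verify them against the symbols
//    of the build actually being inspected. Reading a field at a stale offset
//    in kernel mode returns unrelated memory or bug-checks the machine.
//  * PEB, PEB_LDR_DATA and LDR_DATA_TABLE_ENTRY describe memory that the
//    inspected process can modify. Kernel code that follows these pointers
//    or list links has to treat every pointer, length and link as untrusted.
//  * The Size=8 pointer annotations and the __int64 bit-fields indicate that
//    the VAD section describes a 64-bit layout only.

// NOTE(review): the header name that followed #include is missing from this
// copy of the file. Whatever it was, it has to supply LIST_ENTRY,
// LIST_ENTRY32, UNICODE_STRING, UNICODE_STRING32, PEPROCESS, EX_PUSH_LOCK and
// struct _RTL_BALANCED_NODE, all of which are used below. Restore it from the
// project before building.
#include

// Returns the root node stored in an MM_AVL_TABLE / RTL_AVL_TREE.
// Table must be a pointer. Both the argument and the whole expansion are
// parenthesized so that expressions such as GET_VAD_ROOT(base + 1) or
// GET_VAD_ROOT(t)->LeftChild group as intended.
#define GET_VAD_ROOT(Table) ((Table)->BalancedRoot)

// Build-specific byte offsets into opaque kernel objects.
typedef enum native_offsets
{
    // NOTE(review): judging by the name, this is the offset of the VAD tree
    // root for Windows 10 1803 only - confirm. A caller should check the
    // running build (e.g. with RtlGetVersion) and refuse to use the constant
    // on any other build.
    VAD_TREE_1803 = 0x628
} native_offsets;

// ---------------------------------------------------------------------------
// Native-width PEB and loader structures
// ---------------------------------------------------------------------------

typedef struct _PEB_LDR_DATA
{
    ULONG Length;
    UCHAR Initialized;
    PVOID SsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

typedef struct _LDR_DATA_TABLE_ENTRY
{
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    PVOID DllBase;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    USHORT LoadCount;
    USHORT TlsIndex;
    LIST_ENTRY HashLinks;
    ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

typedef struct _PEB
{
    UCHAR InheritedAddressSpace;
    UCHAR ReadImageFileExecOptions;
    UCHAR BeingDebugged;
    UCHAR BitField;
    PVOID Mutant;
    PVOID ImageBaseAddress;
    PPEB_LDR_DATA Ldr;
    PVOID ProcessParameters;
    PVOID SubSystemData;
    PVOID ProcessHeap;
    PVOID FastPebLock;
    PVOID AtlThunkSListPtr;
    PVOID IFEOKey;
    PVOID CrossProcessFlags;
    PVOID KernelCallbackTable;
    ULONG SystemReserved;
    ULONG AtlThunkSListPtr32;
    PVOID ApiSetMap;
} PEB, *PPEB;

// ---------------------------------------------------------------------------
// 32-bit views of the same structures: every pointer-sized member is a ULONG
// and the list/string types are the *32 variants.
// ---------------------------------------------------------------------------

typedef struct _PEB_LDR_DATA32
{
    ULONG Length;
    UCHAR Initialized;
    ULONG SsHandle;
    LIST_ENTRY32 InLoadOrderModuleList;
    LIST_ENTRY32 InMemoryOrderModuleList;
    LIST_ENTRY32 InInitializationOrderModuleList;
} PEB_LDR_DATA32, *PPEB_LDR_DATA32;

typedef struct _LDR_DATA_TABLE_ENTRY32
{
    LIST_ENTRY32 InLoadOrderLinks;
    LIST_ENTRY32 InMemoryOrderLinks;
    LIST_ENTRY32 InInitializationOrderLinks;
    ULONG DllBase;
    ULONG EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING32 FullDllName;
    UNICODE_STRING32 BaseDllName;
    ULONG Flags;
    USHORT LoadCount;
    USHORT TlsIndex;
    LIST_ENTRY32 HashLinks;
    ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32;

typedef struct _PEB32
{
    UCHAR InheritedAddressSpace;
    UCHAR ReadImageFileExecOptions;
    UCHAR BeingDebugged;
    UCHAR BitField;
    ULONG Mutant;
    ULONG ImageBaseAddress;
    ULONG Ldr;                  // 32-bit address of a PEB_LDR_DATA32
    ULONG ProcessParameters;
    ULONG SubSystemData;
    ULONG ProcessHeap;
    ULONG FastPebLock;
    ULONG AtlThunkSListPtr;
    ULONG IFEOKey;
    ULONG CrossProcessFlags;
    ULONG UserSharedInfoPtr;    // occupies the position KernelCallbackTable has in PEB
    ULONG SystemReserved;
    ULONG AtlThunkSListPtr32;
    ULONG ApiSetMap;
} PEB32, *PPEB32;

typedef struct _MEMORY_BASIC_INFORMATION
{
    PVOID BaseAddress;
    PVOID AllocationBase;
    ULONG AllocationProtect;
    SIZE_T RegionSize;
    ULONG State;
    ULONG Protect;
    ULONG Type;
} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;

// Entry describing a loaded kernel module.
typedef struct _KLDR_DATA_TABLE_ENTRY
{
    LIST_ENTRY InLoadOrderLinks;
    PVOID ExceptionTable;
    ULONG ExceptionTableSize;
    PVOID GpValue;
    PVOID NonPagedDebugInfo;
    PVOID DllBase;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    USHORT LoadCount;
    USHORT __Unused;
    PVOID SectionPointer;
    ULONG CheckSum;
    PVOID LoadedImports;
    PVOID PatchInformation;
} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;

// C4214: bit-field types other than int; C4201: nameless struct/union.
// The includer's warning state is saved here and restored at the end of the
// file, so including this header does not change warning settings for the
// code that follows it.
#pragma warning(push)
#pragma warning(disable : 4214 4201)

// Everything up to the matching pack(pop) is byte-packed, the handle-table
// structures included.
#pragma pack(push, 1)

typedef struct _MM_AVL_NODE // Size=24
{
    struct _MM_AVL_NODE * LeftChild; // Size=8 Offset=0
    struct _MM_AVL_NODE * RightChild; // Size=8 Offset=8

    // Red/Balance share storage with Parent, so a raw read of Parent also
    // carries those low bits.
    union // Size=8
    {
        struct
        {
            __int64 Red : 1; // Size=8 Offset=0 BitOffset=0 BitCount=1
        };
        struct
        {
            __int64 Balance : 2; // Size=8 Offset=0 BitOffset=0 BitCount=2
        };
        struct _MM_AVL_NODE * Parent; // Size=8 Offset=0
    };
} MM_AVL_NODE, *PMM_AVL_NODE, *PMMADDRESS_NODE;

union _EX_PUSH_LOCK // Size=8
{
    struct
    {
        unsigned __int64 Locked : 1; // Size=8 Offset=0 BitOffset=0 BitCount=1
        unsigned __int64 Waiting : 1; // Size=8 Offset=0 BitOffset=1 BitCount=1
        unsigned __int64 Waking : 1; // Size=8 Offset=0 BitOffset=2 BitCount=1
        unsigned __int64 MultipleShared : 1; // Size=8 Offset=0 BitOffset=3 BitCount=1
        unsigned __int64 Shared : 60; // Size=8 Offset=0 BitOffset=4 BitCount=60
    };
    unsigned __int64 Value; // Size=8 Offset=0
    void * Ptr; // Size=8 Offset=0
};

struct _MMVAD_FLAGS // Size=4
{
    unsigned long VadType : 3; // Size=4 Offset=0 BitOffset=0 BitCount=3
    unsigned long Protection : 5; // Size=4 Offset=0 BitOffset=3 BitCount=5
    unsigned long PreferredNode : 6; // Size=4 Offset=0 BitOffset=8 BitCount=6
    unsigned long NoChange : 1; // Size=4 Offset=0 BitOffset=14 BitCount=1
    unsigned long PrivateMemory : 1; // Size=4 Offset=0 BitOffset=15 BitCount=1
    unsigned long Teb : 1; // Size=4 Offset=0 BitOffset=16 BitCount=1
    unsigned long PrivateFixup : 1; // Size=4 Offset=0 BitOffset=17 BitCount=1
    unsigned long ManySubsections : 1; // Size=4 Offset=0 BitOffset=18 BitCount=1
    unsigned long Spare : 12; // Size=4 Offset=0 BitOffset=19 BitCount=12
    unsigned long DeleteInProgress : 1; // Size=4 Offset=0 BitOffset=31 BitCount=1
};

struct _MMVAD_FLAGS1 // Size=4
{
    unsigned long CommitCharge : 31; // Size=4 Offset=0 BitOffset=0 BitCount=31
    unsigned long MemCommit : 1; // Size=4 Offset=0 BitOffset=31 BitCount=1
};

union MMVAD_SHORT_u1 // Size=4
{
    unsigned long LongFlags; // Size=4 Offset=0
    struct _MMVAD_FLAGS VadFlags; // Size=4 Offset=0
};

union MMVAD_SHORT_u2 // Size=4
{
    unsigned long LongFlags1; // Size=4 Offset=0
    struct _MMVAD_FLAGS1 VadFlags1; // Size=4 Offset=0
};

typedef struct _MMVAD_SHORT // Size=64
{
    union
    {
        struct _RTL_BALANCED_NODE VadNode; // Size=24 Offset=0
        struct _MMVAD_SHORT * NextVad; // Size=8 Offset=0
    };
    unsigned long StartingVpn; // Size=4 Offset=24
    unsigned long EndingVpn; // Size=4 Offset=28
    unsigned char StartingVpnHigh; // Size=1 Offset=32
    unsigned char EndingVpnHigh; // Size=1 Offset=33
    unsigned char CommitChargeHigh; // Size=1 Offset=34
    unsigned char SpareNT64VadUChar; // Size=1 Offset=35
    long ReferenceCount; // Size=4 Offset=36
    union _EX_PUSH_LOCK PushLock; // Size=8 Offset=40
    union MMVAD_SHORT_u1 u; // Size=4 Offset=48
    union MMVAD_SHORT_u2 u1; // Size=4 Offset=52
    struct _MI_VAD_EVENT_BLOCK * EventList; // Size=8 Offset=56
} MMVAD_SHORT, *PMMVAD_SHORT;

struct _MMVAD_FLAGS2 // Size=4
{
    unsigned long FileOffset : 24; // Size=4 Offset=0 BitOffset=0 BitCount=24
    unsigned long Large : 1; // Size=4 Offset=0 BitOffset=24 BitCount=1
    unsigned long TrimBehind : 1; // Size=4 Offset=0 BitOffset=25 BitCount=1
    unsigned long Inherit : 1; // Size=4 Offset=0 BitOffset=26 BitCount=1
    unsigned long CopyOnWrite : 1; // Size=4 Offset=0 BitOffset=27 BitCount=1
    unsigned long NoValidationNeeded : 1; // Size=4 Offset=0 BitOffset=28 BitCount=1
    unsigned long Spare : 3; // Size=4 Offset=0 BitOffset=29 BitCount=3
};

struct _MI_VAD_SEQUENTIAL_INFO // Size=8
{
    unsigned __int64 Length : 12; // Size=8 Offset=0 BitOffset=0 BitCount=12
    unsigned __int64 Vpn : 52; // Size=8 Offset=0 BitOffset=12 BitCount=52
};

union ___unnamed2047 // Size=4
{
    unsigned long LongFlags2; // Size=4 Offset=0
    struct _MMVAD_FLAGS2 VadFlags2; // Size=4 Offset=0
};

union ___unnamed2048 // Size=8
{
    struct _MI_VAD_SEQUENTIAL_INFO SequentialVa; // Size=8 Offset=0
    struct _MMEXTEND_INFO * ExtendedInfo; // Size=8 Offset=0
};

// RefCnt shares storage with Object, so a raw read of Object also carries
// the reference-count bits.
typedef union _EX_FAST_REF // Size=8
{
    void * Object;
    struct
    {
        unsigned __int64 RefCnt : 4;
    };
    unsigned __int64 Value;
} EX_FAST_REF, *PEX_FAST_REF;

// Only the leading members are declared. sizeof(CONTROL_AREA) is therefore
// smaller than the annotated size: access it through a pointer only and never
// copy or allocate it by value.
typedef struct _CONTROL_AREA // Size=120
{
    struct _SEGMENT * Segment;
    struct _LIST_ENTRY ListHead;
    unsigned __int64 NumberOfSectionReferences;
    unsigned __int64 NumberOfPfnReferences;
    unsigned __int64 NumberOfMappedViews;
    unsigned __int64 NumberOfUserReferences;
    unsigned long f1;
    unsigned long f2;
    EX_FAST_REF FilePointer;
    // Other fields
} CONTROL_AREA, *PCONTROL_AREA;

// Truncated in the same way as CONTROL_AREA: only the first member is declared.
typedef struct _SUBSECTION // Size=56
{
    PCONTROL_AREA ControlArea;
    // Other fields
} SUBSECTION, *PSUBSECTION;

// As declared here the structure is 136 bytes: the last member sits at
// Offset=128 with Size=8.
typedef struct _MMVAD // Size=136
{
    struct _MMVAD_SHORT Core; // Size=64 Offset=0
    union ___unnamed2047 u2; // Size=4 Offset=64
    unsigned long pad0; // Size=4 Offset=68
    struct _SUBSECTION * Subsection; // Size=8 Offset=72
    struct _MMPTE * FirstPrototypePte; // Size=8 Offset=80
    struct _MMPTE * LastContiguousPte; // Size=8 Offset=88
    struct _LIST_ENTRY ViewLinks; // Size=16 Offset=96
    struct _EPROCESS * VadsProcess; // Size=8 Offset=112
    union ___unnamed2048 u4; // Size=8 Offset=120
    struct _FILE_OBJECT * FileObject; // Size=8 Offset=128
} MMVAD, *PMMVAD;

typedef enum _MI_VAD_TYPE
{
    VadNone,
    VadDevicePhysicalMemory,
    VadImageMap,
    VadAwe,
    VadWriteWatch,
    VadLargePages,
    VadRotatePhysical,
    VadLargePageSection
} MI_VAD_TYPE, *PMI_VAD_TYPE;

// NOTE(review): this was annotated Size=8, but three pointer-sized members
// are declared. Confirm which layout the target build uses before reading
// NodeHint or NumberGenericTableElements.
typedef struct _RTL_AVL_TREE
{
    PMM_AVL_NODE BalancedRoot;
    void * NodeHint;
    UINT64 NumberGenericTableElements;
} RTL_AVL_TREE, *PRTL_AVL_TREE, MM_AVL_TABLE, *PMM_AVL_TABLE;

// ---------------------------------------------------------------------------
// Handle table
// ---------------------------------------------------------------------------

typedef struct _HANDLE_TABLE_ENTRY_INFO
{
    UINT32 AuditMask;
    UINT32 MaxRelativeAccessMask;
} HANDLE_TABLE_ENTRY_INFO, *PHANDLE_TABLE_ENTRY_INFO;

typedef struct _HANDLE_TABLE_ENTRY
{
    union
    {
        PVOID Object;
        ULONG ObAttributes;
        PHANDLE_TABLE_ENTRY_INFO InfoTable;
        ULONG Value;
    };
    union
    {
        ULONG GrantedAccess;
        struct
        {
            SHORT GrantedAccessIndex;
            SHORT CreatorBackTraceIndex;
        };
        LONG NextFreeTableEntry;
    };
} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;

typedef struct _HANDLE_TABLE_FREE_LIST
{
    EX_PUSH_LOCK FreeListLock;
    PHANDLE_TABLE_ENTRY FirstFreeHandleEntry;
    PHANDLE_TABLE_ENTRY LastFreeHandleEntry;
    UINT32 HandleCount;
    UINT32 HighWaterMark;
} HANDLE_TABLE_FREE_LIST, *PHANDLE_TABLE_FREE_LIST;

// NOTE(review): two things to confirm before relying on this layout.
//  * PHANDLE_TABLE is declared as the structure type itself, not as a
//    pointer to it, despite the P prefix. It is kept as is so that existing
//    users of the name still compile.
//  * TableCode and UniqueProcessId are 32-bit here and the structure is
//    byte-packed. Check both against the symbols of the target build.
typedef struct _HANDLE_TABLE
{
    UINT32 NextHandleNeedingPool;
    UINT32 ExtraInfoPages;
    UINT32 TableCode;
    PEPROCESS QuotaProcess;
    LIST_ENTRY HandleTableList;
    UINT32 UniqueProcessId;
    union
    {
        UINT32 Flags;
        struct
        {
            UINT32 StrictFIFO : 1;
            UINT32 EnableHandleExceptions : 1;
            UINT32 Rundown : 1;
            UINT32 Duplicated : 1;
            UINT32 RaiseUMExceptionOnInvalidHandleClose : 1;
        };
    };
    EX_PUSH_LOCK HandleContentionEvent;
    EX_PUSH_LOCK HandleTableLock;
    HANDLE_TABLE_FREE_LIST FreeLists;
    UCHAR ActualEntry[32];
    PVOID DebugInfo;
} PHANDLE_TABLE;

#pragma pack(pop)
#pragma warning(pop)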