1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
|
#pragma once
#include <ntddk.h>
#define GET_VAD_ROOT(Table) Table->BalancedRoot
typedef enum native_offsets {
VAD_TREE_1803 = 0x628
} native_offsets;
typedef struct _PEB_LDR_DATA
{
ULONG Length;
UCHAR Initialized;
PVOID SsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
typedef struct _LDR_DATA_TABLE_ENTRY
{
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
LIST_ENTRY HashLinks;
ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
typedef struct _PEB
{
UCHAR InheritedAddressSpace;
UCHAR ReadImageFileExecOptions;
UCHAR BeingDebugged;
UCHAR BitField;
PVOID Mutant;
PVOID ImageBaseAddress;
PPEB_LDR_DATA Ldr;
PVOID ProcessParameters;
PVOID SubSystemData;
PVOID ProcessHeap;
PVOID FastPebLock;
PVOID AtlThunkSListPtr;
PVOID IFEOKey;
PVOID CrossProcessFlags;
PVOID KernelCallbackTable;
ULONG SystemReserved;
ULONG AtlThunkSListPtr32;
PVOID ApiSetMap;
} PEB, *PPEB;
typedef struct _PEB_LDR_DATA32
{
ULONG Length;
UCHAR Initialized;
ULONG SsHandle;
LIST_ENTRY32 InLoadOrderModuleList;
LIST_ENTRY32 InMemoryOrderModuleList;
LIST_ENTRY32 InInitializationOrderModuleList;
} PEB_LDR_DATA32, *PPEB_LDR_DATA32;
typedef struct _LDR_DATA_TABLE_ENTRY32
{
LIST_ENTRY32 InLoadOrderLinks;
LIST_ENTRY32 InMemoryOrderLinks;
LIST_ENTRY32 InInitializationOrderLinks;
ULONG DllBase;
ULONG EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING32 FullDllName;
UNICODE_STRING32 BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
LIST_ENTRY32 HashLinks;
ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32;
typedef struct _PEB32
{
UCHAR InheritedAddressSpace;
UCHAR ReadImageFileExecOptions;
UCHAR BeingDebugged;
UCHAR BitField;
ULONG Mutant;
ULONG ImageBaseAddress;
ULONG Ldr;
ULONG ProcessParameters;
ULONG SubSystemData;
ULONG ProcessHeap;
ULONG FastPebLock;
ULONG AtlThunkSListPtr;
ULONG IFEOKey;
ULONG CrossProcessFlags;
ULONG UserSharedInfoPtr;
ULONG SystemReserved;
ULONG AtlThunkSListPtr32;
ULONG ApiSetMap;
} PEB32, *PPEB32;
typedef struct _MEMORY_BASIC_INFORMATION {
PVOID BaseAddress;
PVOID AllocationBase;
ULONG AllocationProtect;
SIZE_T RegionSize;
ULONG State;
ULONG Protect;
ULONG Type;
} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;
typedef struct _KLDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;
PVOID ExceptionTable;
ULONG ExceptionTableSize;
PVOID GpValue;
PVOID NonPagedDebugInfo;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT __Unused;
PVOID SectionPointer;
ULONG CheckSum;
PVOID LoadedImports;
PVOID PatchInformation;
} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;
#pragma warning(disable : 4214 4201)
#pragma pack(push, 1)
typedef struct _MM_AVL_NODE // Size=24
{
struct _MM_AVL_NODE * LeftChild; // Size=8 Offset=0
struct _MM_AVL_NODE * RightChild; // Size=8 Offset=8
union // Size=8
{
struct
{
__int64 Red : 1; // Size=8 Offset=0 BitOffset=0 BitCount=1
};
struct
{
__int64 Balance : 2; // Size=8 Offset=0 BitOffset=0 BitCount=2
};
struct _MM_AVL_NODE * Parent; // Size=8 Offset=0
};
} MM_AVL_NODE, *PMM_AVL_NODE, *PMMADDRESS_NODE;
union _EX_PUSH_LOCK // Size=8
{
struct
{
unsigned __int64 Locked : 1; // Size=8 Offset=0 BitOffset=0 BitCount=1
unsigned __int64 Waiting : 1; // Size=8 Offset=0 BitOffset=1 BitCount=1
unsigned __int64 Waking : 1; // Size=8 Offset=0 BitOffset=2 BitCount=1
unsigned __int64 MultipleShared : 1; // Size=8 Offset=0 BitOffset=3 BitCount=1
unsigned __int64 Shared : 60; // Size=8 Offset=0 BitOffset=4 BitCount=60
};
unsigned __int64 Value; // Size=8 Offset=0
void * Ptr; // Size=8 Offset=0
};
struct _MMVAD_FLAGS // Size=4
{
unsigned long VadType : 3; // Size=4 Offset=0 BitOffset=0 BitCount=3
unsigned long Protection : 5; // Size=4 Offset=0 BitOffset=3 BitCount=5
unsigned long PreferredNode : 6; // Size=4 Offset=0 BitOffset=8 BitCount=6
unsigned long NoChange : 1; // Size=4 Offset=0 BitOffset=14 BitCount=1
unsigned long PrivateMemory : 1; // Size=4 Offset=0 BitOffset=15 BitCount=1
unsigned long Teb : 1; // Size=4 Offset=0 BitOffset=16 BitCount=1
unsigned long PrivateFixup : 1; // Size=4 Offset=0 BitOffset=17 BitCount=1
unsigned long ManySubsections : 1; // Size=4 Offset=0 BitOffset=18 BitCount=1
unsigned long Spare : 12; // Size=4 Offset=0 BitOffset=19 BitCount=12
unsigned long DeleteInProgress : 1; // Size=4 Offset=0 BitOffset=31 BitCount=1
};
struct _MMVAD_FLAGS1 // Size=4
{
unsigned long CommitCharge : 31; // Size=4 Offset=0 BitOffset=0 BitCount=31
unsigned long MemCommit : 1; // Size=4 Offset=0 BitOffset=31 BitCount=1
};
union MMVAD_SHORT_u1 // Size=4
{
unsigned long LongFlags; // Size=4 Offset=0
struct _MMVAD_FLAGS VadFlags; // Size=4 Offset=0
};
union MMVAD_SHORT_u2 // Size=4
{
unsigned long LongFlags1; // Size=4 Offset=0
struct _MMVAD_FLAGS1 VadFlags1; // Size=4 Offset=0
};
typedef struct _MMVAD_SHORT // Size=64
{
union
{
struct _RTL_BALANCED_NODE VadNode; // Size=24 Offset=0
struct _MMVAD_SHORT * NextVad; // Size=8 Offset=0
};
unsigned long StartingVpn; // Size=4 Offset=24
unsigned long EndingVpn; // Size=4 Offset=28
unsigned char StartingVpnHigh; // Size=1 Offset=32
unsigned char EndingVpnHigh; // Size=1 Offset=33
unsigned char CommitChargeHigh; // Size=1 Offset=34
unsigned char SpareNT64VadUChar; // Size=1 Offset=35
long ReferenceCount; // Size=4 Offset=36
union _EX_PUSH_LOCK PushLock; // Size=8 Offset=40
union MMVAD_SHORT_u1 u; // Size=4 Offset=48
union MMVAD_SHORT_u2 u1; // Size=4 Offset=52
struct _MI_VAD_EVENT_BLOCK * EventList; // Size=8 Offset=56
} MMVAD_SHORT, *PMMVAD_SHORT;
struct _MMVAD_FLAGS2 // Size=4
{
unsigned long FileOffset : 24; // Size=4 Offset=0 BitOffset=0 BitCount=24
unsigned long Large : 1; // Size=4 Offset=0 BitOffset=24 BitCount=1
unsigned long TrimBehind : 1; // Size=4 Offset=0 BitOffset=25 BitCount=1
unsigned long Inherit : 1; // Size=4 Offset=0 BitOffset=26 BitCount=1
unsigned long CopyOnWrite : 1; // Size=4 Offset=0 BitOffset=27 BitCount=1
unsigned long NoValidationNeeded : 1; // Size=4 Offset=0 BitOffset=28 BitCount=1
unsigned long Spare : 3; // Size=4 Offset=0 BitOffset=29 BitCount=3
};
struct _MI_VAD_SEQUENTIAL_INFO // Size=8
{
unsigned __int64 Length : 12; // Size=8 Offset=0 BitOffset=0 BitCount=12
unsigned __int64 Vpn : 52; // Size=8 Offset=0 BitOffset=12 BitCount=52
};
union ___unnamed2047 // Size=4
{
unsigned long LongFlags2; // Size=4 Offset=0
struct _MMVAD_FLAGS2 VadFlags2; // Size=4 Offset=0
};
union ___unnamed2048 // Size=8
{
struct _MI_VAD_SEQUENTIAL_INFO SequentialVa; // Size=8 Offset=0
struct _MMEXTEND_INFO * ExtendedInfo; // Size=8 Offset=0
};
typedef union _EX_FAST_REF // Size=8
{
void * Object;
struct
{
unsigned __int64 RefCnt : 4;
};
unsigned __int64 Value;
} EX_FAST_REF, *PEX_FAST_REF;
typedef struct _CONTROL_AREA // Size=120
{
struct _SEGMENT * Segment;
struct _LIST_ENTRY ListHead;
unsigned __int64 NumberOfSectionReferences;
unsigned __int64 NumberOfPfnReferences;
unsigned __int64 NumberOfMappedViews;
unsigned __int64 NumberOfUserReferences;
unsigned long f1;
unsigned long f2;
EX_FAST_REF FilePointer;
// Other fields
} CONTROL_AREA, *PCONTROL_AREA;
typedef struct _SUBSECTION // Size=56
{
PCONTROL_AREA ControlArea;
// Other fields
} SUBSECTION, *PSUBSECTION;
typedef struct _MMVAD // Size=128
{
struct _MMVAD_SHORT Core; // Size=64 Offset=0
union ___unnamed2047 u2; // Size=4 Offset=64
unsigned long pad0; // Size=4 Offset=68
struct _SUBSECTION * Subsection; // Size=8 Offset=72
struct _MMPTE * FirstPrototypePte; // Size=8 Offset=80
struct _MMPTE * LastContiguousPte; // Size=8 Offset=88
struct _LIST_ENTRY ViewLinks; // Size=16 Offset=96
struct _EPROCESS * VadsProcess; // Size=8 Offset=112
union ___unnamed2048 u4; // Size=8 Offset=120
struct _FILE_OBJECT * FileObject; // Size=8 Offset=128
} MMVAD, *PMMVAD;
typedef enum _MI_VAD_TYPE
{
VadNone,
VadDevicePhysicalMemory,
VadImageMap,
VadAwe,
VadWriteWatch,
VadLargePages,
VadRotatePhysical,
VadLargePageSection
} MI_VAD_TYPE, *PMI_VAD_TYPE;
typedef struct _RTL_AVL_TREE // Size=8
{
PMM_AVL_NODE BalancedRoot;
void * NodeHint;
UINT64 NumberGenericTableElements;
} RTL_AVL_TREE, *PRTL_AVL_TREE, MM_AVL_TABLE, *PMM_AVL_TABLE;
typedef struct _HANDLE_TABLE_ENTRY_INFO {
UINT32 AuditMask;
UINT32 MaxRelativeAccessMask;
} HANDLE_TABLE_ENTRY_INFO, *PHANDLE_TABLE_ENTRY_INFO;
typedef struct _HANDLE_TABLE_ENTRY
{
union
{
PVOID Object;
ULONG ObAttributes;
PHANDLE_TABLE_ENTRY_INFO InfoTable;
ULONG Value;
};
union
{
ULONG GrantedAccess;
struct
{
SHORT GrantedAccessIndex;
SHORT CreatorBackTraceIndex;
};
LONG NextFreeTableEntry;
};
} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;
typedef struct _HANDLE_TABLE_FREE_LIST
{
EX_PUSH_LOCK FreeListLock;
PHANDLE_TABLE_ENTRY FirstFreeHandleEntry;
PHANDLE_TABLE_ENTRY LastFreeHandleEntry;
UINT32 HandleCount;
UINT32 HighWaterMark;
} HANDLE_TABLE_FREE_LIST, *PHANDLE_TABLE_FREE_LIST;
typedef struct _HANDLE_TABLE
{
UINT32 NextHandleNeedingPool;
UINT32 ExtraInfoPages;
UINT32 TableCode;
PEPROCESS QuotaProcess;
LIST_ENTRY HandleTableList;
UINT32 UniqueProcessId;
union {
UINT32 Flags;
struct {
UINT32 StrictFIFO : 1;
UINT32 EnableHandleExceptions : 1;
UINT32 Rundown : 1;
UINT32 Duplicated : 1;
UINT32 RaiseUMExceptionOnInvalidHandleClose : 1;
};
};
EX_PUSH_LOCK HandleContentionEvent;
EX_PUSH_LOCK HandleTableLock;
HANDLE_TABLE_FREE_LIST FreeLists;
UCHAR ActualEntry[32];
PVOID DebugInfo;
} PHANDLE_TABLE;
typedef struct _SYSTEM_PROCESS_INFORMATION {
ULONG NextEntryOffset;
ULONG NumberOfThreads;
UINT8 Reserved1[48];
UNICODE_STRING ImageName;
KPRIORITY BasePriority;
ULONG Reserved2;
HANDLE UniqueProcessId;
PVOID Reserved3;
ULONG HandleCount;
ULONG SessionId;
PVOID Reserved4;
SIZE_T PeakVirtualSize;
SIZE_T VirtualSize;
ULONG Reserved5;
SIZE_T PeakWorkingSetSize;
SIZE_T WorkingSetSize;
PVOID Reserved6;
SIZE_T QuotaPagedPoolUsage;
PVOID Reserved7;
SIZE_T QuotaNonPagedPoolUsage;
SIZE_T PagefileUsage;
SIZE_T PeakPagefileUsage;
SIZE_T PrivatePageCount;
LARGE_INTEGER Reserved8[6];
} SYSTEM_PROCESS_INFORMATION;
#pragma pack(pop)
#pragma warning(default : 4214 4201)
|