Cracking 2

home *** CD-ROM | disk | FTP | other *** search

/ Cracking 2 / Cracking II..iso / Tools / ApiHooks 3.0 / NtStruc.inc < prev next >

Wrap

Text File | 2000-06-19 | 10.2 KB | 255 lines

;----------------------------------------- CLIENT_ID STRUCT ;NTDDK UniqueProcess DWORD ? UniqueThread DWORD ? CLIENT_ID ENDS ;----------------------------------------- ProcessBasicInformation = 0 PROCESS_BASIC_INFORMATION STRUCT ;NTDDK ExitStatus DWORD ? PebBaseAddress DWORD ? AffinityMask DWORD ? BasePriority DWORD ? UniqueProcessId DWORD ? InheritedFromUniqueProcessId DWORD ? PROCESS_BASIC_INFORMATION ENDS ;----------------------------------------- ThreadBasicInformation = 0 THREAD_BASIC_INFORMATION STRUCT ;EliCZ ExitStatus DWORD ? TebBaseAddress DWORD ? ClientId CLIENT_ID <> AffinityMask DWORD ? BasePriority DWORD ? DynamicPriority DWORD ? THREAD_BASIC_INFORMATION ENDS ;----------------------------------------- LPWSTR TYPEDEF DWORD UNICODE_STRING STRUCT ;NTDDK Length_ USHORT ? MaximumLength USHORT ? Buffer LPWSTR ? UNICODE_STRING ENDS ;----------------------------------------- ;usually: ModEntry0 + 8 == ModEntry2 and ModEntry2 + 8 == DllEntry ; ModEntry1 + 8 == ModEntry3 and ModEntry3 + 8 == ModEntry4 PROCESS_PARAMETERS STRUCT ;EliCZ cbsize DWORD ? ;00 == 24H Unknown4 DWORD ? ;04 Unknown8 DWORD ? ;08 pFirstModEntry0 DWORD ? ;0C pFirstModEntry1 DWORD ? ;10 pFirstModEntry2 DWORD ? ;14 pFirstModEntry3 DWORD ? ;18 pFirstDllEntry DWORD ? ;1C pFirstModEntry4 DWORD ? ;20 PROCESS_PARAMETERS ENDS ;----------------------------------------- PEB_MODULE_ENTRY0 STRUCT ;EliCZ pNextModEntry0 DWORD ? ;00 pNextModEntry1 DWORD ? ;04 pNextModEntry2 DWORD ? ;08 pNextModEntry3 DWORD ? ;0C pNextDllEntry DWORD ? ;10 pNextModEntry4 DWORD ? ;14 ImageBase DWORD ? ;18 ImageEntry DWORD ? ;1C ImageSize DWORD ? ;20 ModuleFileName UNICODE_STRING <> ;24 ModuleBaseName UNICODE_STRING <> ;2C dwFlags DWORD ? ;34 RefCount WORD ? ;38 TlsCallbacks WORD ? ;3A pTIBarea0 DWORD ? ;3C pTIBarea1 DWORD ? ;40 ImageTimeStamp DWORD ? ;44 PEB_MODULE_ENTRY0 ENDS ;----------------------------------------- PEB_DLL_ENTRY STRUCT ;EliCZ pNextDllEntry DWORD ? ;00 pNextModEntry4 DWORD ? ;04 ImageBase DWORD ? ;08 ImageEntry DWORD ? ;0C ImageSize DWORD ? ;10 ModuleFileName UNICODE_STRING <> ;14 ModuleBaseName UNICODE_STRING <> ;1C dwFlags DWORD ? ;24 RefCount WORD ? ;28 TlsCallbacks WORD ? ;2A pTIBarea0 DWORD ? ;3C pTIBarea1 DWORD ? ;40 ImageTimeStamp DWORD ? ;34 PEB_DLL_ENTRY ENDS ;----------------------------------------- ENVIRONMENT_INFORMATION STRUCT ;EliCZ cbsize DWORD ? ;00 == 1000H Unknown04 DWORD ? ;04 Unknown08 DWORD ? ;08 Unknown0C DWORD ? ;0C Unknown10 DWORD ? ;10 Unknown14 DWORD ? ;14 Unknown18 DWORD ? ;18 Unknown1C DWORD ? ;1C Unknown20 DWORD ? ;20 CurrentDirectory UNICODE_STRING <> ;24 Unknown2C DWORD ? ;2C == 18H PATHvariable UNICODE_STRING <> ;30 ExeFileName UNICODE_STRING <> ;38 CommandLine UNICODE_STRING <> ;40 Unknown48 DWORD ? ;48 Unknown4C DWORD ? ;4C Unknown50 DWORD ? ;50 Unknown54 DWORD ? ;54 Unknown58 DWORD ? ;58 Unknown5C DWORD ? ;5C Unknown60 DWORD ? ;60 Unknown64 DWORD ? ;64 Unknown68 DWORD ? ;68 Unknown6C DWORD ? ;6C CommandLine2 UNICODE_STRING <> ;70 WinStation UNICODE_STRING <> ;78 Unknown80 UNICODE_STRING <> ;80 ;etc... ENVIRONMENT_INFORMATION ENDS ;----------------------------------------- OBJECT_ATTRIBUTES STRUCT ;NTDDK Length_ DWORD ? RootDirectory DWORD ? ObjectName DWORD ? Attributes DWORD ? SecurityDescriptor DWORD ? SecurityQualityOfService DWORD ? OBJECT_ATTRIBUTES ENDS ;----------------------------------------- SystemProcessInformation = 5 ;EliCZ THREAD_INFO_OFFSET EQU 024H THREAD_INFO_SIZE EQU 040H NT4_PROCESS_INFO_SIZE EQU 088H NT5_PROCESS_INFO_SIZE EQU 0B8H SYSTEM_THREAD_INFORMATION STRUCT ;size THREAD_INFO_SIZE DWORD 08H DUP (?) ;... fill in threads times, etc... ClientId CLIENT_ID <> DWORD 06H DUP (?) ;... fill in threads times, etc... SYSTEM_THREAD_INFORMATION ENDS ;every process info is in block ;Unfortunately I lost my notes on missing structure members (context switches, ;faults, starting addresses, user and kernel time, working set size,number of handles..) NT4_SYSTEM_PROCESS_INFORMATION STRUCT ;undoc by me SizeOfBlock DWORD ? ;00 NULL for info end ThreadCount DWORD ? ;04 number of threads in this block DWORD 0CH DUP (?) ;08 ... fill process times, etc... ProcessName UNICODE_STRING <> ;38 Priority DWORD ? ;40 ProcessId DWORD ? ;44 ParentProcessId DWORD ? ;48 DWORD 0FH DUP (?) ;4C ... fill in NT4 process times, page faults, etc... ;follows array of SYSTEM_THREAD_INFORMATIONs ThreadInformation SYSTEM_THREAD_INFORMATION <> ;88 NT4_SYSTEM_PROCESS_INFORMATION ENDS NT5_SYSTEM_PROCESS_INFORMATION STRUCT ;undoc by me SizeOfBlock DWORD ? ;00 NULL for info end ThreadCount DWORD ? ;04 number of threads in this block DWORD 0CH DUP (?) ;08 ... fill process times, etc... ProcessName UNICODE_STRING <> ;38 Priority DWORD ? ;40 ProcessId DWORD ? ;44 ParentProcessId DWORD ? ;48 DWORD 1BH DUP (?) ;4C ... fill in W2K process times, page faults, etc... ;follows array of SYSTEM_THREAD_INFORMATIONs ThreadInformation SYSTEM_THREAD_INFORMATION <> ;B8 NT5_SYSTEM_PROCESS_INFORMATION ENDS IFNDEF NT4 SYSTEM_PROCESS_INFORMATION TEXTEQU <NT5_SYSTEM_PROCESS_INFORMATION> ENDIF ;----------------------------------------- PEB STRUCT ;EliCZ Unknown00 DWORD ? ;00 == 0 Unknown04 DWORD ? ;04 == -1 MainImageBase DWORD ? ;08 pProcParameters DWORD ? ;0C == *PROCESS_PARAMETERS Environment DWORD ? ;10 == *PENVIRONMENT_INFORMATION Unknown14 DWORD ? ;14 == 0 ProgramHeap01 DWORD ? ;18 LockingContext DWORD ? ;1C == FastPebLock LockRoutine DWORD ? ;20 == RtlEnterCriticalSection UnlockRoutine DWORD ? ;24 == RtlLeaveCriticalSection Unknown28 DWORD ? ;28 == 1 Unknown2C DWORD ? ;2C == apfnDispatch Unknown30 DWORD ? ;30 == 0 Unknown34 DWORD ? ;34 == 0 Unknown38 DWORD ? ;38 == 0 Unknown3C DWORD ? ;3C == 0 Unknown40 DWORD ? ;40 == TlsBitMap Unknown44 DWORD ? ;44 == 3FH Unknown48 DWORD ? ;48 == 0 ProgramHeap02 DWORD ? ;4C ProgramHeap02a DWORD ? ;50 InProgramHeap02 DWORD ? ;54 AnsiCodePage0 DWORD ? ;58 AnsiCodePage1 DWORD ? ;5C AnsiCodePage2 DWORD ? ;60 Unknown64 DWORD ? ;64 == 1 Unknown68 DWORD ? ;68 == 0 Unknown6C DWORD ? ;6C == 0 Unknown70 DWORD ? ;70 == 0 Unknown74 DWORD ? ;74 == 0 Unknown78 DWORD ? ;78 == 0 Unknown7C DWORD ? ;7C == 0 Unknown80 DWORD ? ;80 == 10000H Unknown84 DWORD ? ;84 == 1000H Unknown88 DWORD ? ;88 Unknown8C DWORD ? ;8C == 10H Unknown90 DWORD ? ;90 == RtlpProcessHeapsListBuffer Unknown94 DWORD ? ;94 Unknown98 DWORD ? ;98 == 0 Unknown9C DWORD ? ;9C == 14H UnknownA0 DWORD ? ;A0 == LoaderLock UnknownA4 DWORD ? ;A4 UnknownA8 DWORD ? ;A8 OSBuild DWORD ? ;AC == 2195 UnknownB0 DWORD ? ;B0 UnknownB4 DWORD ? ;B4 UnknownB8 DWORD ? ;B8 UnknownBC DWORD ? ;BC PEB ENDS ;----------------------------------------- TEB STRUCT ;NTDDK + EliCZ ExceptionList DWORD ? ;00 StackBase DWORD ? ;04 StackLimit DWORD ? ;08 SubSystemTib DWORD ? ;0C UNION FiberData DWORD ? ;10 Version DWORD ? ;10 ENDS ArbitraryUserPointer DWORD ? ;14 Self DWORD ? ;18 Unknown1C DWORD ? ;1C ClientId CLIENT_ID <> ;20 Unknown28 DWORD ? ;28 pTlsArray DWORD ? ;2C pPEB DWORD ? ;30 Unknown34 DWORD 024H DUP (?) ;34 Locale DWORD ? ;C4 UnknownC8 DWORD 2CCH DUP (?) ;C8 WinStation UNICODE_STRING <> ;BF8 UnknownC00 DWORD 083H DUP (?) ;C00 ThreadStack DWORD ? ;E0C UnknownE10 DWORD 07CH DUP (?) ;E10 TEB ENDS ;----------------------------------------- CurrentThread EQU -2 ;in both 9x and NT ABOVE2GB EQU 08000000H ;for Windows 9x VirtualAlloc. (c) Matt Pietrek