#pragma once
/* Subset of the PROCESSINFOCLASS values passed as the ProcessInformationClass
 * argument of NtQueryInformationProcess (typedef'd further down). Only the
 * classes this project uses are listed, and the numeric values have to agree
 * with ntdll's own enumeration, so any member added later must carry its real
 * value explicitly rather than rely on auto-increment. */
typedef enum _PROCESSINFOCLASS {
ProcessBasicInformation = 0, /* output buffer: PROCESS_BASIC_INFORMATION (below) */
ProcessDebugPort = 7,
ProcessWow64Information = 26, /* presumably used to pick the native vs. _WOW64 layouts below — confirm against caller */
ProcessImageFileName = 27,
ProcessBreakOnTermination = 29
} PROCESSINFOCLASS;
// ======================
// For programs whose bitness is the same as that of the kernel
// i.e. a 32-bit program on a 32-bit kernel, or a 64-bit program on a 64-bit kernel
// ======================
// we only need the structure up to ProcessParameters
/* Counted UTF-16 string as used by the native API.
 * Length and MaximumLength are documented as BYTE counts, not character counts,
 * and Buffer is not guaranteed to be NUL-terminated. When this struct has been
 * copied out of another process (see NtReadVirtualMemoryFunc below), Buffer is
 * an address in THAT process: it must be fetched with a second bounded read of
 * at most Length bytes, never dereferenced locally, and Length should be
 * validated (Length <= MaximumLength, even number of bytes) before it is used
 * to size a local buffer. */
typedef struct _UNICODE_STRING {
USHORT Length; /* bytes currently in use in Buffer */
USHORT MaximumLength; /* bytes allocated for Buffer */
PWSTR Buffer;
} UNICODE_STRING;
/* Current-directory record embedded in RTL_USER_PROCESS_PARAMETERS.
 * DosPath is the working directory as a DOS path (a UNICODE_STRING, so the
 * byte-count / remote-pointer caveats on that type apply). Handle is a handle
 * value that is only meaningful inside the owning process. */
typedef struct _CURDIR
{
UNICODE_STRING DosPath;
PVOID Handle;
} CURDIR, *PCURDIR;
//we only need the structure up to CurrentDirectory
/* Leading portion of ntdll's RTL_USER_PROCESS_PARAMETERS, deliberately cut off
 * after CurrentDirectory (the only member this project needs).
 * Because the struct is truncated, a caller must read exactly sizeof this
 * struct from the target, not the block's own Length/MaximumLength, which
 * describe the full structure in the target process.
 * NOTE(review): ConsoleFlags is a ULONG in the public winternl.h layout, not a
 * pointer; declaring it PVOID here happens to leave every following offset
 * unchanged on both 32- and 64-bit builds (4-byte field + alignment padding vs.
 * 8-byte pointer), but that is worth confirming if the struct is ever extended. */
typedef struct _RTL_USER_PROCESS_PARAMETERS
{
ULONG MaximumLength; /* size of the full block in the target, not of this prefix */
ULONG Length;
ULONG Flags;
ULONG DebugFlags;
PVOID ConsoleHandle;
PVOID ConsoleFlags;
PVOID StandardInput;
PVOID StandardOutput;
PVOID StandardError;
CURDIR CurrentDirectory;
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
//ref: http://terminus.rewolf.pl/terminus/structures/ntdll/_PEB_combined.html
//we only need the structure up to ProcessParameters
/* Leading portion of the PEB, cut off after ProcessParameters.
 * The offsets in the member comments are for a 32-bit build (4-byte PVOID).
 * On a 64-bit build PVOID is 8 bytes and the four leading BYTEs are padded to
 * 8-byte alignment, so the pointers sit at +0x8, +0x10, +0x18 and +0x20 instead;
 * sizeof this struct is 0x14 on 32-bit and 0x28 on 64-bit. Read only that many
 * bytes from the target. */
typedef struct _PEB {
BYTE InheritedAddressSpace;
BYTE ReadImageFileExecOptions;
BYTE BeingDebugged; /* documented as non-zero while the process is being debugged */
BYTE Reserved;
PVOID Mutant; /* +0x4 (32-bit build); +0x8 on 64-bit */
PVOID ImageBaseAddress; /* +0x8 (32-bit build); +0x10 on 64-bit */
PVOID Ldr; /* +0xc (32-bit build); +0x18 on 64-bit */
PVOID ProcessParameters; /* +0x10 (32-bit build); +0x20 on 64-bit — address in the target process */
} PEB;
/* Output buffer for ProcessBasicInformation; member names and types follow the
 * public winternl.h declaration. The Reserved members are placeholders whose
 * only job is to keep PebBaseAddress and UniqueProcessId at the right offsets.
 * PebBaseAddress is an address in the queried process, to be read with
 * NtReadVirtualMemory (sizeof(PEB) bytes), not dereferenced locally. */
typedef struct _PROCESS_BASIC_INFORMATION {
PVOID Reserved1;
PVOID PebBaseAddress;
PVOID Reserved2[2];
ULONG_PTR UniqueProcessId;
PVOID Reserved3;
} PROCESS_BASIC_INFORMATION;
/* Signature of ntdll!NtQueryInformationProcess, presumably resolved at run
 * time by the caller (this header does not import it).
 * ProcessInformationClass selects the output layout (PROCESSINFOCLASS above);
 * ProcessInformation/ProcessInformationLength describe the caller's buffer.
 * ReturnLength may be NULL (OPTIONAL). The buffer contents are only valid when
 * the returned NTSTATUS indicates success, so check it before reading them. */
typedef NTSTATUS(NTAPI* NtQueryInformationProcessFunc)(
IN HANDLE ProcessHandle,
ULONG ProcessInformationClass,
OUT PVOID ProcessInformation,
IN ULONG ProcessInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
/* Signature of ntdll!NtReadVirtualMemory: copies Size bytes starting at
 * BaseAddress in the address space of ProcessHandle into the local Buffer.
 * BaseAddress is a target-process address; Buffer is a local pointer.
 * NumberOfBytesRead is not marked OPTIONAL here; compare it with Size on
 * return, since a short read leaves the tail of Buffer unwritten and a struct
 * assembled from it must not be trusted. */
typedef NTSTATUS(NTAPI* NtReadVirtualMemoryFunc)(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
OUT PVOID Buffer,
IN SIZE_T Size,
OUT PSIZE_T NumberOfBytesRead
);
// ======================
// For 32bit programs under 64bit kernels (Wow64)
// ======================
// we only need the structure up to ProcessParameters
/* 64-bit UNICODE_STRING as laid out in a 64-bit target, for use from a 32-bit
 * (Wow64) reader. The explicit _padding member reproduces the alignment
 * padding a 64-bit compiler inserts, so Buffer lands at +0x8 and sizeof is 16
 * regardless of the reader's own pointer size.
 * Length/MaximumLength are byte counts; Buffer is a 64-bit address in the
 * target and has to be fetched with NtWow64ReadVirtualMemory64 (at most
 * Length bytes), never dereferenced locally. */
typedef struct _UNICODE_STRING_WOW64 {
USHORT Length; /* bytes in use */
USHORT MaximumLength; /* bytes allocated */
DWORD _padding; /* matches the 64-bit compiler's alignment padding */
PVOID64 Buffer;
} UNICODE_STRING_WOW64;
/* 64-bit CURDIR as embedded in RTL_USER_PROCESS_PARAMETERS_WOW64.
 * NOTE(review): Handle is declared ULONG, i.e. 4 bytes, while the 64-bit
 * target's handle field is 8 bytes. Trailing alignment padding (DosPath
 * contains a PVOID64) keeps sizeof at 24 and the enclosing layout intact, but
 * only the low 32 bits of the handle are captured; declare it ULONG64 if the
 * full value is ever needed. */
typedef struct _CURDIR_WOW64
{
UNICODE_STRING_WOW64 DosPath;
ULONG Handle;
} CURDIR_WOW64, *PCURDIR_WOW64;
//we only need the structure up to CurrentDirectory
/* Leading portion of the 64-bit RTL_USER_PROCESS_PARAMETERS as seen from a
 * 32-bit reader; cut off after CurrentDirectory. PVOID64 is used for every
 * pointer-sized member so the offsets match the 64-bit target regardless of
 * the reader's own pointer size. Read exactly sizeof this struct from the
 * target; MaximumLength/Length describe the full block there, not this prefix.
 * NOTE(review): ConsoleFlags is a ULONG in the public winternl.h layout;
 * PVOID64 here yields the same offsets for the following members because of
 * 8-byte alignment padding, but confirm before extending the struct. */
typedef struct _RTL_USER_PROCESS_PARAMETERS_WOW64
{
ULONG MaximumLength; /* size of the full block in the target, not of this prefix */
ULONG Length;
ULONG Flags;
ULONG DebugFlags;
PVOID64 ConsoleHandle;
PVOID64 ConsoleFlags;
PVOID64 StandardInput;
PVOID64 StandardOutput;
PVOID64 StandardError;
CURDIR_WOW64 CurrentDirectory;
} RTL_USER_PROCESS_PARAMETERS_WOW64, *PRTL_USER_PROCESS_PARAMETERS_WOW64;
//ref: http://terminus.rewolf.pl/terminus/structures/ntdll/_PEB_combined.html
//we only need the structure up to ProcessParameters
/* Leading 0x28 bytes of the 64-bit PEB, cut off after ProcessParameters.
 * The four leading BYTEs are followed by 4 bytes of alignment padding (PVOID64
 * is 8-byte aligned), so Mutant is at +0x8 — the original "+0x4" comment was
 * copied from the 32-bit layout and did not agree with the +0x10/+0x18/+0x20
 * offsets that follow it. Read only sizeof this struct from the target. */
typedef struct _PEB_WOW64 {
BYTE InheritedAddressSpace;
BYTE ReadImageFileExecOptions;
BYTE BeingDebugged; /* documented as non-zero while the process is being debugged */
BYTE Reserved;
PVOID64 Mutant; /* +0x8 (after 4 bytes of alignment padding) */
PVOID64 ImageBaseAddress; /* +0x10 */
PVOID64 Ldr; /* +0x18 */
PVOID64 ProcessParameters; /* +0x20 — 64-bit address in the target process */
} PEB_WOW64, *PPEB_WOW64;
/* 64-bit PROCESS_BASIC_INFORMATION as filled in for a 64-bit target, read from
 * a 32-bit (Wow64) process. PebBaseAddress is a 64-bit address in the target.
 * NOTE(review): UniqueProcessId is declared ULONG_PTR, which is 4 bytes in a
 * 32-bit build, whereas the 64-bit target's field is 8 bytes. The 8-byte
 * alignment of the following PVOID64 keeps sizeof at 48 and Reserved3 at +40,
 * so the layout still matches and the low 32 bits of the id are read
 * correctly on a little-endian target; ULONG64 would make the intent
 * explicit and remove the reliance on padding. */
typedef struct _PROCESS_BASIC_INFORMATION_WOW64 {
PVOID64 Reserved1;
PVOID64 PebBaseAddress;
PVOID64 Reserved2[2];
ULONG_PTR UniqueProcessId; /* 4 bytes in a 32-bit build; target field is 8 — see note above */
PVOID64 Reserved3;
} PROCESS_BASIC_INFORMATION_WOW64;
/* Signature of ntdll!NtWow64ReadVirtualMemory64, the Wow64-only export that
 * lets a 32-bit process read a 64-bit target's address space: BaseAddress is a
 * 64-bit target address (PVOID64), Buffer is a local 32-bit pointer.
 * Presumably resolved at run time by the caller and only available when the
 * reader itself runs under Wow64. Check the returned NTSTATUS and compare
 * NumberOfBytesRead with Size before trusting Buffer; a short read leaves the
 * tail unwritten. */
typedef NTSTATUS(NTAPI* NtWow64ReadVirtualMemory64Func)(
IN HANDLE ProcessHandle,
IN PVOID64 BaseAddress,
OUT PVOID Buffer,
IN ULONG64 Size,
OUT PULONG64 NumberOfBytesRead
);