项目刚完, 比较空闲, 翻出以前写的一个DDK辅助定义文件, 自己命名为ntddkex.h, 主要给出xpsp2的未公开核心数据结构的定义(_EPROCESS etc.).
没法上传附件, 直接贴在下面:
// ntddkex.h
//
//
// Author: Eddy Zhang
// Create Date: 2006/01/7
// Contact: eddyz@126.com
// Usage: Declares undocumented kernel data structures (_EPROCESS, _ETHREAD, _KTHREAD, ...)
//        as laid out in the Windows XP SP2 x86 kernel (ntoskrnl build 2600).
//        These layouts are build- and architecture-specific: on any other service pack,
//        hotfix kernel or CPU architecture the same field names land on different offsets,
//        so any driver that dereferences them should check the running kernel version
//        (and pin the expected sizes with C_ASSERT) before touching a single field, and
//        should prefer an exported accessor (PsGetProcessId, PsGetThreadProcess, ...)
//        wherever one exists.
//
//
#ifndef _NTDDK_EX_
#define _NTDDK_EX_
#include <ntddk.h>
#ifndef _KERNEL_2600_ // xp sp2
#define _KERNEL_2600_
// Forward declarations for types that are either completed further down
// (_KTHREAD) or deliberately left opaque (_MMWSLE).
// NOTE(review): the XP DDK's ntddk.h may already typedef PKTHREAD; MSVC
// tolerates an identical duplicate typedef, a strict C compiler may not.
typedef struct _KTHREAD* PKTHREAD;
// _MMWSLE is a single working-set list entry; only a pointer to it is needed
// (MMWSL.Wsle below), so it stays opaque. The draft that used to sit here in
// a comment listed FirstFree/FirstDynamic/LastEntry/NextSlot/... under the
// name MMWSLE -- those are MMWSL's fields (see _MMWSL), so the draft was
// dropped rather than left to mislead.
typedef struct _MMWSLE* PMMWSLE;
// x86 global-descriptor-table entry (8 bytes), flattened into bytes so that
// no compiler bitfield packing is involved; Flags1/Flags2 are annotated with
// the architectural bit positions below. KPROCESS.LdtDescriptor uses it.
// NOTE(review): the XP DDK's ntddk.h may already define _KGDTENTRY and
// _KIDTENTRY in its x86 section (with a Bytes/Bits union under HighWord).
// If it does, this is a duplicate struct tag and will not compile -- confirm
// against the DDK in use and drop or rename this copy.
typedef struct _KGDTENTRY
{
USHORT LimitLow;
USHORT BaseLow;
struct
{
UCHAR BaseMid;
UCHAR Flags1; // bit0-4 - Type
// bit5-6 - Dpl
// bit7 - Pres
UCHAR Flags2; // bit0-3 - LimitHi
// bit4 - Sys
// bit5 - Reserved_0
// bit6 - Default_Big
// bit7 - Granularity
UCHAR BaseHi;
} HighWord; // same bytes as the DDK's HighWord.Bytes view
} KGDTENTRY, *PKGDTENTRY;
// x86 interrupt-descriptor-table gate (8 bytes). The 32-bit handler address
// is split architecturally: low half in Offset, high half in ExtendedOffset.
// KPROCESS.Int21Descriptor (VDM support) uses this type.
struct _KIDTENTRY
{
    USHORT Offset;         // handler address bits 0-15
    USHORT Selector;       // code segment selector of the handler
    USHORT Access;         // gate type / DPL / present bits
    USHORT ExtendedOffset; // handler address bits 16-31
};
typedef struct _KIDTENTRY KIDTENTRY, *PKIDTENTRY;
// Per-process DEP (no-execute) policy byte; lives in KPROCESS as the
// Flags / ExecuteOptions union.
// NOTE(review): the original bit map listed bit0 as ExecuteEnable and had no
// entry for bit2. The XP SP2 x86 kernel symbols give:
//   bit0 - ExecuteDisable
//   bit1 - ExecuteEnable
//   bit2 - DisableThunkEmulation
//   bit3 - Permanent
//   bit4 - ExecuteDispatchEnable
//   bit5 - ImageDispatchEnable
//   bit6-7 - Spare
// Verify against the symbols of the target build before relying on bit0:
// reading the wrong bit inverts the meaning of a process's DEP setting.
typedef struct _KEXECUTE_OPTIONS
{
UCHAR Value; // bit0 - ExecuteDisable (see note above)
// bit1 - ExecuteEnable
// bit2 - DisableThunkEmulation
// bit3 - Permanent
// bit4 - ExecuteDispatchEnable
// bit5 - ImageDispatchEnable
// bit6,7 - Spare
} KEXECUTE_OPTIONS;
// Kernel (scheduler-level) process object; embedded as EPROCESS.Pcb, so a
// PKPROCESS and a PEPROCESS point at the same memory.
// Summing the members with x86 sizes gives 0x6C bytes, which is what the XP
// SP2 symbols report -- pin it with C_ASSERT(sizeof(KPROCESS) == 0x6C).
// NOTE(review): ntddk.h may already typedef PKPROCESS for the opaque
// struct; MSVC tolerates the duplicate, other compilers may not.
typedef struct _KPROCESS
{
DISPATCHER_HEADER Header;         // makes the process a waitable object
LIST_ENTRY ProfileListHead;
UINT32 DirectoryTableBase[2];     // [0] is the value loaded into CR3 for this process
KGDTENTRY LdtDescriptor;
KIDTENTRY Int21Descriptor;
USHORT IopmOffset;                // I/O permission map offset in the TSS
UCHAR Iopl;                       // I/O privilege level granted to the process
UCHAR Unused;
ULONG ActiveProcessors;
ULONG KernelTime;
ULONG UserTime;
LIST_ENTRY ReadyListHead;
SINGLE_LIST_ENTRY SwapListEntry;
PVOID VdmTrapcHandler;
LIST_ENTRY ThreadListHead;        // KTHREAD.ThreadListEntry links
ULONG ProcessLock;                // spin lock
ULONG Affinity;
USHORT StackCount;
CHAR BasePriority;
CHAR ThreadQuantum;
UCHAR AutoAlignment;
UCHAR State;
UCHAR ThreadSeed;
UCHAR DisableBoost;
UCHAR PowerState;
UCHAR DisableQuantum;
UCHAR IdealNode;
union
{
KEXECUTE_OPTIONS Flags;           // DEP policy byte; see KEXECUTE_OPTIONS for the bit map
UCHAR ExecuteOptions;
};
} KPROCESS, *PKPROCESS;
// A thread's APC queues plus the process whose address space it currently
// runs in. KTHREAD carries two of these (ApcState and SavedApcState), which
// is how attaching to another process is implemented: presumably the home
// process state is parked in SavedApcState while attached -- confirm.
struct _KAPC_STATE
{
    LIST_ENTRY ApcListHead[2];  // indexed by processor mode (0 kernel, 1 user)
    PKPROCESS Process;          // process the thread is currently executing in
    UCHAR KernelApcInProgress;
    UCHAR KernelApcPending;
    UCHAR UserApcPending;
};
typedef struct _KAPC_STATE KAPC_STATE, *PKAPC_STATE;
// Kernel queue object (the primitive behind I/O completion ports). Waitable
// via Header; threads servicing it are linked through KTHREAD.QueueListEntry
// and point back here via KTHREAD.Queue.
struct _KQUEUE
{
    DISPATCHER_HEADER Header;
    LIST_ENTRY EntryListHead;   // queued entries
    UINT32 CurrentCount;        // threads currently running from the queue
    UINT32 MaximumCount;        // concurrency limit
    LIST_ENTRY ThreadListHead;  // threads associated with the queue
};
typedef struct _KQUEUE KQUEUE, *PKQUEUE;
// One node of the x86 SEH handler chain. KTRAP_FRAME.ExceptionList saves the
// chain head across a kernel transition. The chain is terminated by a Next
// value of -1 (EXCEPTION_CHAIN_END) rather than NULL, so walkers must check
// for both.
struct _EXCEPTION_REGISTRATION_RECORD
{
    struct _EXCEPTION_REGISTRATION_RECORD *Next; // next outer handler, or -1 at the end
    PVOID Handler;                               // handler routine address
};
typedef struct _EXCEPTION_REGISTRATION_RECORD EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD;
// x86 trap frame built by the interrupt, exception and system-call entry
// stubs; KTHREAD.TrapFrame points at the frame of the current transition.
// 35 dword-sized members, so 0x8C bytes (C_ASSERT(sizeof(KTRAP_FRAME) == 0x8C)).
// Notes for anyone inspecting or patching these:
//  - Bits 0-1 of SegCs (the RPL) say whether the frame came from user mode.
//    Only then did the CPU push HardwareEsp/HardwareSegSs (it pushes SS:ESP
//    only on a privilege change), and only with EFlags.VM set are the V86*
//    slots meaningful. Reading them for a kernel-originated frame returns
//    whatever was on the stack.
//  - PreviousPreviousMode is the mode saved across a nested transition; the
//    authoritative value for probe decisions is KTHREAD.PreviousMode.
//  - The Dbg*/Temp* and debug-register slots are bookkeeping for the entry
//    stubs and the debugger, not architectural state.
typedef struct _KTRAP_FRAME
{
UINT32 DbgEbp;
UINT32 DbgEip;
UINT32 DbgArgMark;
UINT32 DbgArgPointer;
UINT32 TempSegCs;
UINT32 TempEsp;
UINT32 Dr0;
UINT32 Dr1;
UINT32 Dr2;
UINT32 Dr3;
UINT32 Dr6;
UINT32 Dr7;
UINT32 SegGs;
UINT32 SegEs;
UINT32 SegDs;
UINT32 Edx;
UINT32 Ecx;
UINT32 Eax;
UINT32 PreviousPreviousMode;
PEXCEPTION_REGISTRATION_RECORD ExceptionList; // SEH chain head saved on entry
UINT32 SegFs;
UINT32 Edi;
UINT32 Esi;
UINT32 Ebx;
UINT32 Ebp;
UINT32 ErrCode;      // CPU error code, or 0 for traps that push none
UINT32 Eip;          // return address of the trapping instruction
UINT32 SegCs;        // bits 0-1 = RPL of the interrupted code
UINT32 EFlags;
UINT32 HardwareEsp;  // valid only for a user-mode frame
UINT32 HardwareSegSs; // valid only for a user-mode frame
UINT32 V86Es;        // valid only when EFlags.VM is set
UINT32 V86Ds;
UINT32 V86Fs;
UINT32 V86Gs;
} KTRAP_FRAME, *PKTRAP_FRAME;
// Kernel thread object; embedded as ETHREAD.Tcb. Fields that security code
// commonly reads or that rootkits commonly patch are annotated inline.
// XP SP2 x86 symbols report sizeof == 0x1C0 (this layout reaches 0x1BC and
// pads to 8 for the KTIMER); pin it with C_ASSERT(sizeof(KTHREAD) == 0x1C0).
typedef struct _KTHREAD
{
DISPATCHER_HEADER Header;
LIST_ENTRY MutantListHead;
PVOID InitialStack;
PVOID StackLimit;
PVOID Teb;                   // user-mode TEB; NULL for system threads
PVOID TlsArray;
PVOID KernelStack;
UCHAR DebugActive;
UCHAR State;
UCHAR Alerted[2];            // indexed by processor mode
UCHAR Iopl;
UCHAR NpxState;
CHAR Saturation;
CHAR Priority;
KAPC_STATE ApcState;         // ApcState.Process is the process the thread currently runs in
UINT32 ContextSwitches;
UCHAR IdleSwapBlock;
UCHAR Spare0[3];
INT32 WaitStatus;
UCHAR WaitIrql;
CHAR WaitMode;
UCHAR WaitNext;
UCHAR WaitReason;
PKWAIT_BLOCK WaitBlockList;
union
{
LIST_ENTRY WaitListEntry;
SINGLE_LIST_ENTRY SwapListEntry;
};
UINT32 WaitTime;
CHAR BasePriority;
UCHAR DecrementCount;
CHAR PriorityDecrement;
CHAR Quantum;
KWAIT_BLOCK WaitBlock[4];
PVOID LegoData;
UINT32 KernelApcDisable;
UINT32 UserAffinity;
UCHAR SystemAffinityActive;
UCHAR PowerState;
UCHAR NpxIrql;
UCHAR InitialNode;
PVOID ServiceTable;          // per-thread system service table pointer. Classic
                             // hook target: a value other than the kernel's
                             // KeServiceDescriptorTable/...Shadow deserves a look.
PKQUEUE Queue;
UINT32 ApcQueueLock;
KTIMER Timer;                // 8-byte aligned; compiler pads before it
LIST_ENTRY QueueListEntry;
UINT32 SoftAffinity;
UINT32 Affinity;
UCHAR Preempted;
UCHAR ProcessReadyQueue;
UCHAR KernelStackResident;
UCHAR NextProcessor;
PVOID CallbackStack;
PVOID Win32Thread;
PKTRAP_FRAME TrapFrame;      // frame of the current user->kernel transition
PKAPC_STATE ApcStatePointer[2];
CHAR PreviousMode;           // KPROCESSOR_MODE of the caller (0 = KernelMode,
                             // 1 = UserMode). System services key pointer
                             // probing off this, so a KernelMode value on a
                             // thread servicing user requests bypasses
                             // parameter validation -- never set it from a driver.
UCHAR EnableStackSwap;
UCHAR LargeStack;
UCHAR ResourceIndex;
UINT32 KernelTime;
UINT32 UserTime;
KAPC_STATE SavedApcState;    // home-process state while attached elsewhere (presumably)
UCHAR Alertable;
UCHAR ApcStateIndex;
UCHAR ApcQueueable;
UCHAR AutoAlignment;
PVOID StackBase;
KAPC SuspendApc;
KSEMAPHORE SuspendSemaphore;
LIST_ENTRY ThreadListEntry;  // link in KPROCESS.ThreadListHead
CHAR FreezeCount;
CHAR SuspendCount;
UCHAR IdealProcessor;
UCHAR DisableBoost;
} KTHREAD;
// Singly-linked list node recording an LPC port that wants a notification
// when the thread terminates (registered via NtRegisterThreadTerminatePort).
// ETHREAD.TerminationPort holds a pointer to the first node.
struct _TERMINATION_PORT
{
    struct _TERMINATION_PORT *Next; // next registered port, NULL at the end
    PVOID Port;                     // referenced LPC port object
};
typedef struct _TERMINATION_PORT TERMINATION_PORT, *PTERMINATION_PORT;
// Impersonation context of a thread. ETHREAD.ImpersonationInfo points at one
// of these (pool-allocated) while the thread impersonates; the two UCHARs
// mirror the SECURITY_QUALITY_OF_SERVICE the client supplied. With the enum
// 4-byte aligned the record is 0xC bytes on x86.
struct _PS_IMPERSONATION_INFORMATION
{
    PVOID Token;                                  // impersonation TOKEN (referenced)
    UCHAR CopyOnOpen;
    UCHAR EffectiveOnly;
    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; // Anonymous .. Delegation
};
typedef struct _PS_IMPERSONATION_INFORMATION PS_IMPERSONATION_INFORMATION, *PPS_IMPERSONATION_INFORMATION;
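// Rundown-protection reference (ExAcquireRundownProtection & co.).
// In the kernel this is ONE pointer-sized word viewed two ways: a reference
// count while the object is live, a pointer to the rundown wait block once
// rundown has started (the low bit, per public analysis, flags "rundown
// active" -- verify). The previous definition made it a two-member struct
// (8 bytes on x86), which pushed every EPROCESS field after RundownProtect
// (UniqueProcessId, ActiveProcessLinks, Token, ...) and every ETHREAD field
// after its RundownProtect 4 bytes too far. The members must overlay.
// C_ASSERT(sizeof(EX_RUNDOWN_REF) == sizeof(PVOID)) in a .c that includes
// this header.
// NOTE(review): the XP DDK's ntddk.h may already provide an identical
// _EX_RUNDOWN_REF; if it does, delete this copy instead of redefining the tag.
typedef struct _EX_RUNDOWN_REF
{
    union
    {
        UINT32 Count; // reference count word (bit0 = rundown active, presumably)
        PVOID Ptr;    // wait-block pointer once rundown is active
    };
} EX_RUNDOWN_REF, *PEX_RUNDOWN_REF;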
// Executive push lock: a single pointer-sized word. When no waiter is queued
// it is a pair of flag bits plus a shared-owner count; when waiters exist Ptr
// addresses the wait-block chain. Used here for EPROCESS.ProcessLock,
// ETHREAD.ThreadLock and the HANDLE_TABLE locks.
typedef union _EX_PUSH_LOCK
{
UINT32 Value; // bit0 - Waiting
// bit1 - Exclusive
// bit2-31 - Shared
PVOID Ptr;    // wait-block chain while Waiting is set
} EX_PUSH_LOCK;
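// Executive thread object, XP SP2 x86. Tcb (the KTHREAD) comes first, so a
// PKTHREAD and a PETHREAD address the same object.
//
// Layout corrections relative to the earlier version of this header:
//  - TerminationPort is a POINTER to a _TERMINATION_PORT, not an embedded
//    record. Embedding the 8-byte struct widened the union it sits in and
//    shifted every later field (ActiveTimerListLock, Cid, ThreadsProcess, ...)
//    by 4 bytes.
//  - ImpersonationInfo is likewise a POINTER to a pool-allocated
//    _PS_IMPERSONATION_INFORMATION. Embedding the 12-byte struct shifted
//    IrpList onward by a further 8 bytes, so ThreadsProcess landed on
//    ThreadListEntry.Flink.
//  - RundownProtect must be the pointer-sized EX_RUNDOWN_REF (see that type)
//    or ThreadLock and the flag words move as well.
// XP SP2 x86 symbols report sizeof(ETHREAD) == 0x258 (Cid at 0x1EC,
// ThreadsProcess at 0x220); pin it with C_ASSERT(sizeof(ETHREAD) == 0x258).
typedef struct _ETHREAD
{
    KTHREAD Tcb;
    LARGE_INTEGER CreateTime; // overlaid by: bit0-1 - NestedFaultCount
                              //              bit2   - ApcNeeded
    union
    {
        LARGE_INTEGER ExitTime;
        LIST_ENTRY LpcReplyChain;
        LIST_ENTRY KeyedWaitChain;
    };
    union
    {
        INT32 ExitStatus;
        PVOID OfsChain;
    };
    LIST_ENTRY PostBlockList;
    union
    {
        PTERMINATION_PORT TerminationPort; // list of LPC ports to notify at exit
        struct _ETHREAD* ReaperLink;
        PVOID KeyedWaitValue;
    };
    UINT32 ActiveTimerListLock;
    LIST_ENTRY ActiveTimerListHead;
    CLIENT_ID Cid;                        // UniqueProcess / UniqueThread
    union
    {
        KSEMAPHORE LpcReplySemaphore;
        KSEMAPHORE KeyedWaitSemaphore;
    };
    union
    {
        PVOID LpcReplyMessage;
        PVOID LpcWaitingOnPort;
    };
    PPS_IMPERSONATION_INFORMATION ImpersonationInfo; // presumably NULL unless impersonating;
                                                     // CrossThreadFlags bit3 tracks validity
    LIST_ENTRY IrpList;
    UINT32 TopLevelIrp;
    PDEVICE_OBJECT DeviceToVerify;
    PEPROCESS ThreadsProcess;             // owning process; the process currently
                                          // attached is Tcb.ApcState.Process
    PVOID StartAddress;
    union
    {
        PVOID Win32StartAddress;
        UINT32 LpcReceivedMessageId;
    };
    LIST_ENTRY ThreadListEntry;           // link in EPROCESS.ThreadListHead
    EX_RUNDOWN_REF RundownProtect;
    EX_PUSH_LOCK ThreadLock;
    UINT32 LpcReplyMessageId;
    UINT32 ReadClusterSize;
    UINT32 GrantedAccess;
    UINT32 CrossThreadFlags;              // bit0 - Terminated
                                          // bit1 - DeadThread
                                          // bit2 - HideFromDebugger
                                          // bit3 - ActiveImpersonationInfo
                                          // bit4 - SystemThread
                                          // bit5 - HardErrorsAreDisabled
                                          // bit6 - BreakOnTermination
                                          // bit7 - SkipCreationMsg
                                          // bit8 - SkipTerminationMsg
    UINT32 SameThreadPassiveFlags;        // bit0 - ActiveExWorker
                                          // bit1 - ExWorkerCanWaitUser
                                          // bit2 - MemoryMaker
    UINT32 SameThreadApcFlags;            // bit0 - LpcReceivedMsgIdValid
                                          // bit1 - LpcExitThreadCalled
                                          // bit2 - AddressSpaceOwner
    UCHAR ForwardClusterOnly;
    UCHAR DisablePageFaultClustering;
} ETHREAD;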
// SID plus its SE_GROUP_* attribute flags, as stored in token group arrays
// and in PS_JOB_TOKEN_FILTER below.
// NOTE(review): ntddk.h normally provides SID_AND_ATTRIBUTES (next to the
// LUID_AND_ATTRIBUTES this header relies on at PS_JOB_TOKEN_FILTER). If the
// DDK in use does, this duplicate tag will fail to compile -- confirm and
// remove it rather than keep two definitions.
typedef struct _SID_AND_ATTRIBUTES
{
PSID Sid;
UINT32 Attributes; // SE_GROUP_* flags
} SID_AND_ATTRIBUTES, * PSID_AND_ATTRIBUTES;
// Token restrictions captured for a job (JOB_OBJECT_SECURITY_FILTER_TOKENS):
// the SIDs, restricting groups and privileges to strip from every token
// assigned inside the job. EJOB.Filter points at it. Each array is stored
// with both an element count and a byte length.
struct _PS_JOB_TOKEN_FILTER
{
    UINT32 CapturedSidCount;
    PSID_AND_ATTRIBUTES CapturedSids;
    UINT32 CapturedSidsLength;
    UINT32 CapturedGroupCount;
    PSID_AND_ATTRIBUTES CapturedGroups;
    UINT32 CapturedGroupsLength;
    UINT32 CapturedPrivilegeCount;
    PLUID_AND_ATTRIBUTES CapturedPrivileges;
    UINT32 CapturedPrivilegesLength;
};
typedef struct _PS_JOB_TOKEN_FILTER PS_JOB_TOKEN_FILTER, *PPS_JOB_TOKEN_FILTER;
// Executive job object. Processes in the job are linked through
// EPROCESS.JobLinks into ProcessListHead and point back via EPROCESS.Job.
// The security-limit fields (SecurityLimitFlags, Token, Filter,
// UIRestrictionsClass) are what enforce JOB_OBJECT_SECURITY_* and
// JOB_OBJECT_UILIMIT_* for every process in the job.
// Summing the members with x86 sizes (ERESOURCE 0x38, IO_COUNTERS 0x30,
// FAST_MUTEX 0x20, 8-byte alignment of the 64-bit counters) gives 0x180,
// matching the XP SP2 symbols; pin with C_ASSERT(sizeof(EJOB) == 0x180).
typedef struct _EJOB
{
KEVENT Event;
LIST_ENTRY JobLinks;                  // link in the global job list
LIST_ENTRY ProcessListHead;           // EPROCESS.JobLinks of member processes
ERESOURCE JobLock;
LARGE_INTEGER TotalUserTime;
LARGE_INTEGER TotalKernelTime;
LARGE_INTEGER ThisPeriodTotalUserTime;
LARGE_INTEGER ThisPeriodTotalKernelTime;
UINT32 TotalPageFaultCount;
UINT32 TotalProcesses;
UINT32 ActiveProcesses;
UINT32 TotalTerminatedProcesses;
LARGE_INTEGER PerProcessUserTimeLimit;
LARGE_INTEGER PerJobUserTimeLimit;
UINT32 LimitFlags;                    // JOB_OBJECT_LIMIT_* in effect
UINT32 MinimumWorkingSetSize;
UINT32 MaximumWorkingSetSize;
UINT32 ActiveProcessLimit;
UINT32 Affinity;
UCHAR PriorityClass;
UINT32 UIRestrictionsClass;           // JOB_OBJECT_UILIMIT_*
UINT32 SecurityLimitFlags;            // JOB_OBJECT_SECURITY_*
PVOID Token;                          // token forced onto member processes, if any
PPS_JOB_TOKEN_FILTER Filter;          // SID/privilege filter, if any
UINT32 EndOfJobTimeAction;
PVOID CompletionPort;
PVOID CompletionKey;
UINT32 SessionId;
UINT32 SchedulingClass;
UINT64 ReadOperationCount;            // 8-byte aligned from here on
UINT64 WriteOperationCount;
UINT64 OtherOperationCount;
UINT64 ReadTransferCount;
UINT64 WriteTransferCount;
UINT64 OtherTransferCount;
IO_COUNTERS IoInfo;
UINT32 ProcessMemoryLimit;
UINT32 JobMemoryLimit;
UINT32 PeakProcessMemoryUsed;
UINT32 PeakJobMemoryUsed;
UINT32 CurrentJobMemoryUsed;
FAST_MUTEX MemoryLimitsLock;
LIST_ENTRY JobSetLinks;
UINT32 MemberLevel;
UINT32 JobFlags;
} EJOB, *PEJOB;
// One pool/pagefile quota counter set (16 bytes). A quota block keeps one
// per quota type, matching EPROCESS.QuotaUsage[3] / QuotaPeak[3].
struct _EPROCESS_QUOTA_ENTRY
{
    UINT32 Usage;  // current charge
    UINT32 Limit;  // hard limit
    UINT32 Peak;   // high-water mark of Usage
    UINT32 Return; // amount eligible to be returned to the system
};
typedef struct _EPROCESS_QUOTA_ENTRY EPROCESS_QUOTA_ENTRY, *PEPROCESS_QUOTA_ENTRY;
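// Quota block shared by the processes that point at it via EPROCESS.QuotaBlock.
// The XP kernel tracks three quota types (nonpaged pool, paged pool and
// pagefile -- the same three that EPROCESS.QuotaUsage[3] and QuotaPeak[3] in
// this file are sized for), so QuotaEntry is an ARRAY of three entries. The
// previous single-entry definition made the block 0x20 bytes with QuotaList
// at 0x10; the XP SP2 symbols place QuotaList at 0x30, ReferenceCount at
// 0x38 and give sizeof == 0x40. Pin with
// C_ASSERT(sizeof(EPROCESS_QUOTA_BLOCK) == 0x40).
typedef struct _EPROCESS_QUOTA_BLOCK
{
    EPROCESS_QUOTA_ENTRY QuotaEntry[3]; // indexed by quota type (nonpaged, paged, pagefile -- verify order against PS_QUOTA_TYPE)
    LIST_ENTRY QuotaList;               // link in the system quota-block list
    UINT32 ReferenceCount;
    UINT32 ProcessCount;                // processes currently sharing this block
} EPROCESS_QUOTA_BLOCK, *PEPROCESS_QUOTA_BLOCK;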
// Working-set-watch ring buffer (EPROCESS.WorkingSetWatch), populated when a
// process enables working-set watching. WatchInfo is a trailing
// variable-length array; it is kept as [1] on purpose -- a C99 flexible
// array member would change sizeof() and is not accepted by the DDK
// compiler for this structure.
struct _PAGEFAULT_HISTORY
{
    UINT32 CurrentIndex;                         // next slot to fill
    UINT32 MaxIndex;                             // number of slots allocated
    UINT32 SpinLock;
    PVOID Reserved;
    PROCESS_WS_WATCH_INFORMATION WatchInfo[1];   // MaxIndex entries follow
};
typedef struct _PAGEFAULT_HISTORY PAGEFAULT_HISTORY, *PPAGEFAULT_HISTORY;
// 32-bit (non-PAE) x86 page-table entry. Bits 9-11 (CopyOnWrite, Prototype,
// reserved) are software-defined; everything else is architectural.
// NOTE(review): XP SP2 boots the PAE kernel (ntkrnlpa.exe) whenever DEP is
// available, and there a PTE is 8 bytes with a 64-bit-wide PageFrameNumber.
// This type is only valid for the non-PAE kernel; EPROCESS keeps its copy in
// a union with a UINT64 so the EPROCESS layout itself does not depend on it.
typedef struct _HARDWARE_PTE_X86
{
UINT32 Value; // bit0 - Valid
// bit1 - Write
// bit2 - Owner       (1 = user-accessible)
// bit3 - WriteThrough
// bit4 - CacheDisable
// bit5 - Accessed
// bit6 - Dirty
// bit7 - LargePage
// bit8 - Global
// bit9 - CopyOnWrite (software)
// bit10 - Prototype  (software)
// bit11 - reserved
// bit12-31 - PageFrameNumber
} HARDWARE_PTE_X86;
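// Fast reference: a single pointer-sized word holding an object pointer whose
// low 3 bits (free because objects are 8-byte aligned) carry a small cached
// reference count. EPROCESS.Token and EPROCESS.PrefetchTrace use it.
// The previous definition was a two-member struct (8 bytes), so
// EPROCESS.Token.Value read the first dword of WorkingSetLock and every
// EPROCESS field after Token was 4 bytes off; the members must overlay.
// To obtain the real object pointer mask off the count:
//     (PVOID)((ULONG_PTR)Proc->Token.Object & ~7)
// A driver that copies one process's Token word into another (the
// "token stealing" pattern) is copying this 4-byte field; treat any code
// that writes it as privilege-escalation-relevant.
// C_ASSERT(sizeof(EX_FAST_REF) == sizeof(PVOID)) in a .c that includes this.
typedef struct _EX_FAST_REF
{
    union
    {
        PVOID Object;      // object pointer with RefCnt in bits 0-2
        UINT32 RefCnt : 3; // cached references
        UINT32 Value;      // raw word
    };
} EX_FAST_REF, *PEX_FAST_REF;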
// Image name captured at process creation for auditing. Unlike
// EPROCESS.ImageFileName[16], which is a truncated 8-bit name, this is a
// pointer to an OBJECT_NAME_INFORMATION (a UNICODE_STRING), so it is the
// better source when a full image path is needed -- but it is a pointer
// into pool that may be NULL; check before dereferencing.
struct _SE_AUDIT_PROCESS_CREATION_INFO
{
    POBJECT_NAME_INFORMATION ImageFileName;
};
typedef struct _SE_AUDIT_PROCESS_CREATION_INFO SE_AUDIT_PROCESS_CREATION_INFO;
// Flag word of MMSUPPORT (EPROCESS.Vm.Flags). Bits 0-5 are booleans, bits
// 16-23 and 24-31 are 8-bit fields; the comment gives the XP SP2 layout.
typedef struct _MMSUPPORT_FLAGS
{
UINT32 Value; // bit0 - SessionSpace
// bit1 - BeingTrimmed
// bit2 - SessionLeader
// bit3 - TrimHard
// bit4 - WorkingSetHard
// bit5 - AddressSpaceBeingDeleted
// bit6-15 - Available
// bit16-23 - AllowWorkingSetAdjustment (8-bit field)
// bit24-31 - MemoryPriority            (8-bit field)
} MMSUPPORT_FLAGS;
// One bucket of the working-set list hash (MMWSL.HashTable): maps a virtual
// address to the index of its entry in the Wsle array.
struct _MMWSLE_HASH
{
    PVOID Key;    // virtual address
    UINT32 Index; // index into MMWSL.Wsle
};
typedef struct _MMWSLE_HASH MMWSLE_HASH, *PMMWSLE_HASH;
// Working-set list header for a process (MMSUPPORT.VmWorkingSetList). It
// lives in the process's hyperspace, so it is only addressable while that
// process's page directory is current (attach first). The trailing union is
// sized for the 32-bit address space: 1536 USHORTs track used PTEs per page
// table, and the 48 UINT32s are a bitmap over the same page tables.
typedef struct _MMWSL
{
UINT32 Quota;
UINT32 FirstFree;
UINT32 FirstDynamic;
UINT32 LastEntry;
UINT32 NextSlot;
PMMWSLE Wsle;                       // array of working-set entries (opaque here)
UINT32 LastInitializedWsle;
UINT32 NonDirectCount;
PMMWSLE_HASH HashTable;             // address -> Wsle index
UINT32 HashTableSize;
UINT32 NumberOfCommittedPageTables;
PVOID HashTableStart;
PVOID HighestPermittedHashAddress;
UINT32 NumberOfImageWaiters;
UINT32 VadBitMapHint;
union
{
USHORT UsedPageTableEntries[1536];  // per page table
UINT32 CommittedPageTables[48];     // bitmap, 1536 bits
};
} MMWSL, *PMMWSL;
// Working-set support block embedded as EPROCESS.Vm (and in the session
// object). LastTrimTime is 8-byte aligned, so the block starts on an 8-byte
// boundary and is 0x40 bytes on x86 (the XP SP2 symbols agree).
typedef struct _MMSUPPORT
{
LARGE_INTEGER LastTrimTime;
MMSUPPORT_FLAGS Flags;
UINT32 PageFaultCount;
UINT32 PeakWorkingSetSize;
UINT32 WorkingSetSize;                  // in pages
UINT32 MinimumWorkingSetSize;
UINT32 MaximumWorkingSetSize;
PMMWSL VmWorkingSetList;                // in hyperspace; see MMWSL
LIST_ENTRY WorkingSetExpansionLinks;    // link in the system working-set list
UINT32 Claim;
UINT32 NextEstimationSlot;
UINT32 NextAgingSlot;
UINT32 EstimatedAvailable;
UINT32 GrowthSinceLastEstimate;
} MMSUPPORT;
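// One record of the handle-tracing database (HANDLE_TRACE_DEBUG_INFO.TraceDb),
// written on handle open/close/bad-reference when tracing is enabled for the
// process (the kernel's handle tracing / !htrace support).
// StackTrace is an ARRAY of 16 return addresses (HANDLE_TRACE_DB_STACK_SIZE),
// not a single pointer: with one PVOID the record was 0x14 bytes and the
// TraceDb array below indexed the wrong records; the XP SP2 symbols give
// 0x50 bytes per entry. Pin with C_ASSERT(sizeof(HANDLE_TRACE_DB_ENTRY) == 0x50).
typedef struct _HANDLE_TRACE_DB_ENTRY
{
    CLIENT_ID ClientId;    // process/thread that performed the operation
    PVOID Handle;          // handle value involved
    UINT32 Type;           // HANDLE_TRACE_DB_OPEN / CLOSE / BADREF (values not declared here)
    PVOID StackTrace[16];  // captured caller stack, unused slots NULL
} HANDLE_TRACE_DB_ENTRY, *PHANDLE_TRACE_DB_ENTRY;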
// Handle-tracing database attached to a HANDLE_TABLE (DebugInfo); present
// only when tracing was enabled for that table, so the pointer is usually
// NULL. TraceDb is a fixed ring of 4096 records indexed by
// CurrentStackIndex, which makes this object several hundred KB -- it is
// always referenced by pointer, never embedded.
typedef struct _HANDLE_TRACE_DEBUG_INFO
{
UINT32 CurrentStackIndex;             // next slot to write, wraps at 4096
HANDLE_TRACE_DB_ENTRY TraceDb[4096];
} HANDLE_TRACE_DEBUG_INFO, *PHANDLE_TRACE_DEBUG_INFO;
// One 8-byte slot of a process handle table. The first word is the object
// header pointer with the handle attributes (inherit, protect-from-close,
// audit-on-close) and the entry lock bit packed into its low bits, so mask
// the low 3 bits off Object before dereferencing and never treat a raw
// Object value as a valid pointer. The second word is the access mask the
// handle was granted: ObReferenceObjectByHandle checks requests against
// it with no further security check, so a driver that widens GrantedAccess
// in place hands the owner unchecked access -- a DKOM escalation, not a
// feature.
// NOTE(review): per the public symbols, InfoTable points at a
// _HANDLE_TABLE_ENTRY_INFO (audit mask record), not at another
// _HANDLE_TABLE_ENTRY; the size is the same (one pointer) so the layout is
// unaffected, but do not follow it as an entry.
typedef struct _HANDLE_TABLE_ENTRY
{
union
{
PVOID Object;                           // object header pointer | attribute/lock bits (mask ~7)
UINT32 ObAttributes;                    // bits 0-2 are the attribute/lock bits
struct _HANDLE_TABLE_ENTRY *InfoTable;  // really a _HANDLE_TABLE_ENTRY_INFO* (see note)
UINT32 Value;
};
union
{
UINT32 GrantedAccess;                   // ACCESS_MASK granted at open time
struct
{
USHORT GrantedAccessIndex;
USHORT CreatorBackTraceIndex;
};
INT32 NextFreeTableEntry;               // free-list link while the slot is unused
};
} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;
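// Process (or kernel) handle table, EPROCESS.ObjectTable. TableCode carries
// the address of the top-level table with the table depth (0-2) in its low
// two bits, so mask those off before using it as a pointer; a handle value
// indexes 8-byte HANDLE_TABLE_ENTRY slots, handle >> 2 being the entry index.
// ExtraInfoPages was missing from the earlier version of this header: the
// XP SP2 symbols place it at 0x2C between DebugInfo and FirstFree, so
// FirstFree/LastFree/NextHandleNeedingPool/HandleCount/Flags were each read
// one dword early. sizeof should be 0x44; pin with
// C_ASSERT(sizeof(HANDLE_TABLE) == 0x44).
typedef struct _HANDLE_TABLE
{
    UINT32 TableCode;                   // top-level table pointer | level in bits 0-1
    PEPROCESS QuotaProcess;             // process charged for table memory
    PVOID UniqueProcessId;              // owner's PID (PVOID-sized handle value)
    EX_PUSH_LOCK HandleTableLock[4];
    LIST_ENTRY HandleTableList;         // link in the global handle-table list
    EX_PUSH_LOCK HandleContentionEvent;
    PHANDLE_TRACE_DEBUG_INFO DebugInfo; // non-NULL only with handle tracing on
    INT32 ExtraInfoPages;               // restored; see header note
    UINT32 FirstFree;
    UINT32 LastFree;
    UINT32 NextHandleNeedingPool;
    INT32 HandleCount;
    UINT32 Flags;                       // bit0 - StrictFIFO
} HANDLE_TABLE, *PHANDLE_TABLE;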
// Executive process object, XP SP2 x86. Pcb (KPROCESS) comes first so a
// PKPROCESS and a PEPROCESS address the same memory.
//
// Layout caveat: this member list reproduces the XP SP2 symbol offsets
// (UniqueProcessId 0x84, ActiveProcessLinks 0x88, Token 0xC8, ImageFileName
// 0x174, Peb 0x1B0, sizeof 0x260) ONLY if EX_RUNDOWN_REF and EX_FAST_REF are
// pointer-sized single words as the kernel defines them. If either is a
// two-member struct, every field after RundownProtect / Token is 4 bytes
// off. Pin it: C_ASSERT(sizeof(EPROCESS) == 0x260) in a .c that includes
// this header.
//
// Fields worth flagging for security work:
//  - ActiveProcessLinks: the list walked by process enumeration; unlinking
//    an entry (DKOM) hides the process from tools that walk it, so cross-
//    check with the handle table / thread lists / PID table.
//  - Token: EX_FAST_REF, so mask the low 3 bits before treating it as a
//    TOKEN pointer. Writing it is the privilege-escalation primitive.
//  - DebugPort / ExceptionPort: non-NULL DebugPort is the simplest "is being
//    debugged" indicator and is also what anti-debug code zeroes.
//  - ImageFileName: 16 bytes of the 8-bit basename, truncated, not NUL-safe
//    for longer names -- use SeAuditProcessCreationInfo for a full path.
//  - Peb: user-mode pointer; must be probed/attached before use.
//  - Cookie: per-process random value used by ExCreateHandle-side checks.
typedef struct _EPROCESS
{
KPROCESS Pcb;
EX_PUSH_LOCK ProcessLock;
LARGE_INTEGER CreateTime;
LARGE_INTEGER ExitTime;
EX_RUNDOWN_REF RundownProtect;            // must be 4 bytes; see EX_RUNDOWN_REF
PVOID UniqueProcessId;                    // PID as a handle-sized value
LIST_ENTRY ActiveProcessLinks;            // PsActiveProcessHead list
UINT32 QuotaUsage[3];                     // per quota type, see EPROCESS_QUOTA_BLOCK
UINT32 QuotaPeak[3];
UINT32 CommitCharge;
UINT32 PeakVirtualSize;
UINT32 VirtualSize;
LIST_ENTRY SessionProcessLinks;
PVOID DebugPort;                          // debug object / port; non-NULL while debugged
PVOID ExceptionPort;
PHANDLE_TABLE ObjectTable;                // process handle table
EX_FAST_REF Token;                        // primary TOKEN | RefCnt in bits 0-2
FAST_MUTEX WorkingSetLock;
UINT32 WorkingSetPage;
FAST_MUTEX AddressCreationLock;
UINT32 HyperSpaceLock;
PETHREAD ForkInProgress;
UINT32 HardwareTrigger;
PVOID VadRoot;                            // MMVAD tree root (opaque here)
PVOID VadHint;
PVOID CloneRoot;
UINT32 NumberOfPrivatePages;
UINT32 NumberOfLockedPages;
PVOID Win32Process;                       // win32k per-process data
PEJOB Job;                                // NULL when not in a job
PVOID SectionObject;                      // image section
PVOID SectionBaseAddress;                 // image base in the process
PEPROCESS_QUOTA_BLOCK QuotaBlock;
PPAGEFAULT_HISTORY WorkingSetWatch;
PVOID Win32WindowStation;
PVOID InheritedFromUniqueProcessId;       // parent PID (not re-validated if the parent exits)
PVOID LdtInformation;
PVOID VadFreeHint;
PVOID VdmObjects;
PVOID DeviceMap;                          // DOS device map (\?? view); per-session/per-user
LIST_ENTRY PhysicalVadList;
union
{
HARDWARE_PTE_X86 PageDirectoryPte;        // 4 bytes on the non-PAE kernel
UINT64 Filler;                            // keeps the union 8 bytes / 8-aligned on both kernels
};
PVOID Session;
UCHAR ImageFileName[16];                  // truncated 8-bit basename
LIST_ENTRY JobLinks;                      // link in EJOB.ProcessListHead
PVOID LockedPagesList;
LIST_ENTRY ThreadListHead;                // ETHREAD.ThreadListEntry links
PVOID SecurityPort;
PVOID PaeTop;
UINT32 ActiveThreads;
UINT32 GrantedAccess;
UINT32 DefaultHardErrorProcessing;
INT32 LastThreadExitStatus;
PPEB Peb;                                 // user-mode address
EX_FAST_REF PrefetchTrace;
LARGE_INTEGER ReadOperationCount;
LARGE_INTEGER WriteOperationCount;
LARGE_INTEGER OtherOperationCount;
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;
UINT32 CommitChargeLimit;
UINT32 CommitChargePeak;
PVOID AweInfo;
SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo; // full image path (pointer, may be NULL)
MMSUPPORT Vm;
UINT32 LastFaultCount;
UINT32 ModifiedPageCount;
UINT32 NumberOfVads;
UINT32 JobStatus;
UINT32 Flags; // bit0 - CreateReported
// bit1 - NoDebugInherit
// bit2 - ProcessExiting
// bit3 - ProcessDelete
// bit4 - Wow64SplitPages
// bit5 - VmDeleted
// bit6 - OutswapEnabled
// bit7 - Outswapped
// bit8 - ForkFailed
// bit9 - HasPhysicalVad
// bit10-11 - AddressSpaceInitialized
// bit12 - SetTimerResolution
// bit13 - BreakOnTermination
// bit14 - SessionCreationUnderway
// bit15 - WriteWatch
// bit16 - ProcessInSession
// bit17 - OverrideAddressSpace
// bit18 - HasAddressSpace
// bit19 - LaunchPrefetched
// bit20 - InjectInpageErrors
// bit21 - VmTopDown
// bit22 - Unused3
// bit23 - Unused4
// bit24 - VdmAllowed
// bit25-29 - Unused
// bit30 - Unused1
// bit31 - Unused2
INT32 ExitStatus;
USHORT NextPageColor;
union
{
struct
{
UCHAR SubSystemMinorVersion;
UCHAR SubSystemMajorVersion;
};
USHORT SubSystemVersion;
};
UCHAR PriorityClass;
UCHAR WorkingSetAcquiredUnsafe;
UCHAR Unknow1;                            // unnamed padding in the symbols (presumably); aligns Cookie
UCHAR Unknow2;
UINT32 Cookie;
} EPROCESS, *PEPROCESS;
#endif
#endif