windows几个重要的内核数据结构虽然网上也有相关的定义,但个人觉得不齐全定义不规范,因此用一天时间使用WinDbg+Win2000sourcecode重新定义了常用的内核数据结构,并尽可能还原微软的原结构定义,每个结构都递归到最子层的结构并且通过了测试。通过这次工作过程不仅使自己得到一次学习的机会,而且提高了自己的整体软件架构规划设计水平。
(如果转帖请著名出处,谢谢。)
{*********************************************************}
{* *}
{* Windows Kernel Struct Define *}
{* *}
{* [uWindowsKernelStruct.pas] *}
{* *}
{* Copyright (c)2010 codegame *}
{* Update: 2010-04-09 23:51:44 *}
{*********************************************************}type PEXCEPTION_DISPOSITION = ^TEXCEPTION_DISPOSITION;
TEXCEPTION_DISPOSITION = (
ExceptionContinueExecution = 0,
ExceptionContinueSearch = 1,
ExceptionNestedException = 2,
ExceptionCollidedUnwind = 3); PSECURITY_IMPERSONATION_LEVEL = ^TSECURITY_IMPERSONATION_LEVEL;
TSECURITY_IMPERSONATION_LEVEL = (
SecurityAnonymous = 0,
SecurityIdentification = 1,
SecurityImpersonation = 2,
SecurityDelegation = 3); PUNICODE_STRING = ^TUNICODE_STRING;
TUNICODE_STRING = packed record
Length: Word;
MaximumLength: Word;
Buffer: Pointer;
end; PLIST_ENTRY = ^TLIST_ENTRY;
TLIST_ENTRY = packed record
Flink: PLIST_ENTRY;
Blink: PLIST_ENTRY;
end; TDISPATCHER_HEADER = packed record
bType: byte;
bAbsolute: byte;
Size: byte;
Inserted: byte;
SignalState: DWORD;
WaitListHead: TLIST_ENTRY;
end; TKGDTENTRY = packed record
LimitLow: Word;
BaseLow: Word;
HighWord: packed record
BaseMid: Byte;
Flags1: Byte;
Flags2: Byte;
BaseHi: Byte;
end;
end; TKIDTENTRY = packed record
Offset: Word;
Selector: Word;
Access: Word;
ExtendedOffset: Word;
end; PSINGLE_LIST_ENTRY = ^TSINGLE_LIST_ENTRY;
TSINGLE_LIST_ENTRY = packed record
Next: PSINGLE_LIST_ENTRY;
end; PCLIENT_ID = ^TCLIENT_ID;
TCLIENT_ID = packed record
UniqueProcess: Dword;
UniqueThread: Dword;
end; PKPROCESS = ^TKPROCESS;
TKPROCESS = packed record
Header: TDISPATCHER_HEADER;
ProfileListHead: TLIST_ENTRY;
DirectoryTableBase: array[0..1] of Dword;
LdtDescriptor: TKGDTENTRY;
Int21Descriptor: TKIDTENTRY;
IopmOffset: Word;
Iopl: Byte;
Unused: Byte;
ActiveProcessors: DWORD;
KernelTime: DWORD;
UserTime: DWORD;
ReadyListHead: TLIST_ENTRY;
SwapListEntry: TSINGLE_LIST_ENTRY;
VdmTrapcHandler: Pointer;
ThreadListHead: TLIST_ENTRY;
ProcessLock: DWORD;
Affinity: DWORD;
StackCount: Word;
BasePriority: Char;
ThreadQuantum: Char;
AutoAlignment: Byte;
State: Byte;
ThreadSeed: Byte;
DisableBoost: Byte;
PowerState: Byte;
DisableQuantum: Byte;
IdealNode: Byte;
case Integer of
0: (Flags: byte);
1: (ExecuteOptions: byte);
end; PKAPC_STATE = ^TKAPC_STATE;
TKAPC_STATE = packed record
ApcListHead: array[0..1] of TLIST_ENTRY;
Process: PKPROCESS;
KernelApcInProgress: Byte;
KernelApcPending: Byte;
UserApcPending: Word;
end; PKTHREAD = ^TKTHREAD;
PKWAIT_BLOCK = ^TKWAIT_BLOCK;
TKWAIT_BLOCK = packed record
WaitListEntry: TLIST_ENTRY;
Thread: PKTHREAD;
pObject: Pointer;
NextWaitBlock: PKWAIT_BLOCK;
WaitKey: Word;
WaitType: Word;
end; PKQUEUE = ^TKQUEUE;
TKQUEUE = packed record
Header: TDISPATCHER_HEADER;
EntryListHead: TLIST_ENTRY;
CurrentCount: Dword;
MaximumCount: Dword;
ThreadListHead: TLIST_ENTRY;
end; PKDPC = ^TKDPC;
TKDPC = packed record
wType: word;
Number: Byte;
Importance: Byte;
DpcListEntry: TLIST_ENTRY;
DeferredRoutine: Pointer;
DeferredContext: Pointer;
SystemArgument1: Pointer;
SystemArgument2: Pointer;
Lock: PDWORD;
end; PKTIMER = ^TKTIMER;
TKTIMER = packed record
Header: TDISPATCHER_HEADER;
DueTime: Int64;
TimerListEntry: TLIST_ENTRY;
Dpc: PKDPC;
Period: DWORD;
end; PEXCEPTION_REGISTRATION_RECORD = ^TPEXCEPTION_REGISTRATION_RECORD;
TPEXCEPTION_REGISTRATION_RECORD = packed record
Next: PEXCEPTION_REGISTRATION_RECORD;
Handler: PEXCEPTION_DISPOSITION;
end; PKTRAP_FRAME = ^TKTRAP_FRAME;
TKTRAP_FRAME = packed record
DbgEbp: Dword;
DbgEip: Dword;
DbgArgMark: Dword;
DbgArgPointer: Dword;
TempSegCs: Dword;
TempEsp: Dword;
Dr0: Dword;
Dr1: Dword;
Dr2: Dword;
Dr3: Dword;
Dr6: Dword;
Dr7: Dword;
SegGs: Dword;
SegEs: Dword;
SegDs: Dword;
Edx: Dword;
Ecx: Dword;
Eax: Dword;
PreviousPreviousMode: Dword;
ExceptionList: PEXCEPTION_REGISTRATION_RECORD;
SegFs: Dword;
Edi: Dword;
Esi: Dword;
Ebx: Dword;
Ebp: Dword;
ErrCode: Dword;
Eip: Dword;
SegCs: Dword;
EFlags: Dword;
HardwareEsp: Dword;
HardwareSegSs: Dword;
V86Es: Dword;
V86Ds: Dword;
V86Fs: Dword;
V86Gs: Dword;
end; PKAPC = ^TKAPC;
TKAPC = packed record
wType: word;
Size: word;
Spare0: DWORD;
Thread: PKTHREAD;
ApcListEntry: TLIST_ENTRY;
KernelRoutine: Pointer;
RundownRoutine: Pointer;
NormalRoutine: Pointer;
NormalContext: Pointer;
SystemArgument1: Pointer;
SystemArgument2: Pointer;
ApcStateIndex: Char;
ApcMode: Char;
Inserted: Word;
end; PKSEMAPHORE = ^TKSEMAPHORE;
TKSEMAPHORE = packed record
Header: TDISPATCHER_HEADER;
Limit: Cardinal;
end;
(如果转帖请著名出处,谢谢。)
{*********************************************************}
{* *}
{* Windows Kernel Struct Define *}
{* *}
{* [uWindowsKernelStruct.pas] *}
{* *}
{* Copyright (c)2010 codegame *}
{* Update: 2010-04-09 23:51:44 *}
{*********************************************************}type PEXCEPTION_DISPOSITION = ^TEXCEPTION_DISPOSITION;
TEXCEPTION_DISPOSITION = (
ExceptionContinueExecution = 0,
ExceptionContinueSearch = 1,
ExceptionNestedException = 2,
ExceptionCollidedUnwind = 3); PSECURITY_IMPERSONATION_LEVEL = ^TSECURITY_IMPERSONATION_LEVEL;
TSECURITY_IMPERSONATION_LEVEL = (
SecurityAnonymous = 0,
SecurityIdentification = 1,
SecurityImpersonation = 2,
SecurityDelegation = 3); PUNICODE_STRING = ^TUNICODE_STRING;
TUNICODE_STRING = packed record
Length: Word;
MaximumLength: Word;
Buffer: Pointer;
end; PLIST_ENTRY = ^TLIST_ENTRY;
TLIST_ENTRY = packed record
Flink: PLIST_ENTRY;
Blink: PLIST_ENTRY;
end; TDISPATCHER_HEADER = packed record
bType: byte;
bAbsolute: byte;
Size: byte;
Inserted: byte;
SignalState: DWORD;
WaitListHead: TLIST_ENTRY;
end; TKGDTENTRY = packed record
LimitLow: Word;
BaseLow: Word;
HighWord: packed record
BaseMid: Byte;
Flags1: Byte;
Flags2: Byte;
BaseHi: Byte;
end;
end; TKIDTENTRY = packed record
Offset: Word;
Selector: Word;
Access: Word;
ExtendedOffset: Word;
end; PSINGLE_LIST_ENTRY = ^TSINGLE_LIST_ENTRY;
TSINGLE_LIST_ENTRY = packed record
Next: PSINGLE_LIST_ENTRY;
end; PCLIENT_ID = ^TCLIENT_ID;
TCLIENT_ID = packed record
UniqueProcess: Dword;
UniqueThread: Dword;
end; PKPROCESS = ^TKPROCESS;
TKPROCESS = packed record
Header: TDISPATCHER_HEADER;
ProfileListHead: TLIST_ENTRY;
DirectoryTableBase: array[0..1] of Dword;
LdtDescriptor: TKGDTENTRY;
Int21Descriptor: TKIDTENTRY;
IopmOffset: Word;
Iopl: Byte;
Unused: Byte;
ActiveProcessors: DWORD;
KernelTime: DWORD;
UserTime: DWORD;
ReadyListHead: TLIST_ENTRY;
SwapListEntry: TSINGLE_LIST_ENTRY;
VdmTrapcHandler: Pointer;
ThreadListHead: TLIST_ENTRY;
ProcessLock: DWORD;
Affinity: DWORD;
StackCount: Word;
BasePriority: Char;
ThreadQuantum: Char;
AutoAlignment: Byte;
State: Byte;
ThreadSeed: Byte;
DisableBoost: Byte;
PowerState: Byte;
DisableQuantum: Byte;
IdealNode: Byte;
case Integer of
0: (Flags: byte);
1: (ExecuteOptions: byte);
end; PKAPC_STATE = ^TKAPC_STATE;
TKAPC_STATE = packed record
ApcListHead: array[0..1] of TLIST_ENTRY;
Process: PKPROCESS;
KernelApcInProgress: Byte;
KernelApcPending: Byte;
UserApcPending: Word;
end; PKTHREAD = ^TKTHREAD;
PKWAIT_BLOCK = ^TKWAIT_BLOCK;
TKWAIT_BLOCK = packed record
WaitListEntry: TLIST_ENTRY;
Thread: PKTHREAD;
pObject: Pointer;
NextWaitBlock: PKWAIT_BLOCK;
WaitKey: Word;
WaitType: Word;
end; PKQUEUE = ^TKQUEUE;
TKQUEUE = packed record
Header: TDISPATCHER_HEADER;
EntryListHead: TLIST_ENTRY;
CurrentCount: Dword;
MaximumCount: Dword;
ThreadListHead: TLIST_ENTRY;
end; PKDPC = ^TKDPC;
TKDPC = packed record
wType: word;
Number: Byte;
Importance: Byte;
DpcListEntry: TLIST_ENTRY;
DeferredRoutine: Pointer;
DeferredContext: Pointer;
SystemArgument1: Pointer;
SystemArgument2: Pointer;
Lock: PDWORD;
end; PKTIMER = ^TKTIMER;
TKTIMER = packed record
Header: TDISPATCHER_HEADER;
DueTime: Int64;
TimerListEntry: TLIST_ENTRY;
Dpc: PKDPC;
Period: DWORD;
end; PEXCEPTION_REGISTRATION_RECORD = ^TPEXCEPTION_REGISTRATION_RECORD;
TPEXCEPTION_REGISTRATION_RECORD = packed record
Next: PEXCEPTION_REGISTRATION_RECORD;
Handler: PEXCEPTION_DISPOSITION;
end; PKTRAP_FRAME = ^TKTRAP_FRAME;
TKTRAP_FRAME = packed record
DbgEbp: Dword;
DbgEip: Dword;
DbgArgMark: Dword;
DbgArgPointer: Dword;
TempSegCs: Dword;
TempEsp: Dword;
Dr0: Dword;
Dr1: Dword;
Dr2: Dword;
Dr3: Dword;
Dr6: Dword;
Dr7: Dword;
SegGs: Dword;
SegEs: Dword;
SegDs: Dword;
Edx: Dword;
Ecx: Dword;
Eax: Dword;
PreviousPreviousMode: Dword;
ExceptionList: PEXCEPTION_REGISTRATION_RECORD;
SegFs: Dword;
Edi: Dword;
Esi: Dword;
Ebx: Dword;
Ebp: Dword;
ErrCode: Dword;
Eip: Dword;
SegCs: Dword;
EFlags: Dword;
HardwareEsp: Dword;
HardwareSegSs: Dword;
V86Es: Dword;
V86Ds: Dword;
V86Fs: Dword;
V86Gs: Dword;
end; PKAPC = ^TKAPC;
TKAPC = packed record
wType: word;
Size: word;
Spare0: DWORD;
Thread: PKTHREAD;
ApcListEntry: TLIST_ENTRY;
KernelRoutine: Pointer;
RundownRoutine: Pointer;
NormalRoutine: Pointer;
NormalContext: Pointer;
SystemArgument1: Pointer;
SystemArgument2: Pointer;
ApcStateIndex: Char;
ApcMode: Char;
Inserted: Word;
end; PKSEMAPHORE = ^TKSEMAPHORE;
TKSEMAPHORE = packed record
Header: TDISPATCHER_HEADER;
Limit: Cardinal;
end;
解决方案 »
- 关于消息处理句柄的问题?谢谢!
- 哪有Tfreport,Tfrxreport,TfrxHTML,TfrxXLSE 控件下载??(急)
- 300分求一题,此题和前面两题一样,急急急,求各位大虾帮忙看一题(用行列法求最小割集),分不够发帖再加
- delphi怎样创建最小的exe 30k
- 如何在已经存在的ACCESS数据库中的表中用SQL语句添加字段?
- 若你有系统分析经验,请留意...
- 今天很高兴。散分!!!!!!!!!!!!!
- 关于DELPHI的问题
- 老鱼,老鱼,偶还有个关于窗体关闭后确认的问题
- 在WIN2000下怎才能把键盘锁住?至少能锁住CTRL、ALT、DEL、WIN开始键
- delphi中sqlite 删除关联表数据的语句怎么写
- 如何获取我的文档内所有文件夹的名字?
Header: TDISPATCHER_HEADER;
MutantListHead: TLIST_ENTRY;
InitialStack: Pointer;
StackLimit: Pointer;
Teb: Pointer;
TlsArray: Pointer;
KernelStack: Pointer;
DebugActive: Byte;
State: Byte;
Alerted: array[0..1] of Byte;
Iopl: Byte;
NpxState: Byte;
Saturation: Char;
Priority: Char;
ApcState: TKAPC_STATE;
ContextSwitches: DWORD;
IdleSwapBlock: Byte;
Spare0: array[0..2] of Byte;
WaitStatus: Cardinal;
WaitIrql: Byte;
WaitMode: Char;
WaitNext: Byte;
WaitReason: Byte;
WaitBlockList: PKWAIT_BLOCK;
Union: record case integer of
0: (WaitListEntry: TLIST_ENTRY);
1: (SwapListEntry: TSINGLE_LIST_ENTRY);
end;
WaitTime: Dword;
BasePriority: Char;
DecrementCount: Byte;
PriorityDecrement: Char;
Quantum: Char;
WaitBlock: array[0..3] of TKWAIT_BLOCK;
LegoData: Pointer;
KernelApcDisable: Dword;
UserAffinity: Dword;
SystemAffinityActive: Byte;
PowerState: Byte;
NpxIrql: Byte;
InitialNode: Byte;
ServiceTable: Pointer;
Queue: PKQUEUE;
ApcQueueLock: DWORD;
Timer: TKTIMER;
Gap1: Dword; //间隙1
QueueListEntry: TLIST_ENTRY;
SoftAffinity: Dword;
Affinity: Dword;
Preempted: Byte;
ProcessReadyQueue: Byte;
KernelStackResident: Byte;
NextProcessor: Byte;
CallbackStack: Pointer;
Win32Thread: Pointer;
TrapFrame: PKTRAP_FRAME;
ApcStatePointer: array[0..1] of PKAPC_STATE;
PreviousMode: Char;
EnableStackSwap: Byte;
LargeStack: Byte;
ResourceIndex: Byte;
KernelTime: Dword;
UserTime: Dword;
SavedApcState: TKAPC_STATE;
Alertable: Byte;
ApcStateIndex: Byte;
ApcQueueable: Byte;
AutoAlignment: Byte;
StackBase: Pointer;
SuspendApc: TKAPC;
SuspendSemaphore: TKSEMAPHORE;
ThreadListEntry: TLIST_ENTRY;
FreezeCount: Char;
SuspendCount: Char;
IdealProcessor: Byte;
DisableBoost: Byte;
Gap2: DWORD; //间隙
end; PTERMINATION_PORT = ^TTERMINATION_PORT;
TTERMINATION_PORT = packed record
Next: PTERMINATION_PORT;
Port: Pointer;
end; PPS_IMPERSONATION_INFORMATION = ^TPS_IMPERSONATION_INFORMATION;
TPS_IMPERSONATION_INFORMATION = packed record
Token: Pointer;
CopyOnOpen: byte;
EffectiveOnly: Byte;
ImpersonationLevel: TSECURITY_IMPERSONATION_LEVEL;
end; PIO_STATUS_BLOCK = ^TIO_STATUS_BLOCK;
TIO_STATUS_BLOCK = packed record
Union: record case integer of
0: (Status: Cardinal);
1: (Pointer: Pointer);
end;
Information: Dword;
end; PEPROCESS = ^TEPROCESS;
PMDL = ^TMDL;
TMDL = packed record
Next: PMDL;
Size: word;
MdlFlags: word;
Process: PEPROCESS;
MappedSystemVa: Pointer;
StartVa: Pointer;
ByteCount: Dword;
ByteOffset: Dword;
end; PKEVENT = ^TKEVENT;
TKEVENT = packed record
Header: TDISPATCHER_HEADER;
end; PIRP = ^TIRP;
TIRP = packed record
bType: Word;
Size: word;
MdlAddress: PMDL;
Flags: Dword;
AssociatedIrp: DWORD; //3 elements
ThreadListEntry: TLIST_ENTRY;
IoStatus: TIO_STATUS_BLOCK;
RequestorMode: Char;
PendingReturned: Byte;
StackCount: Char;
CurrentLocation: Char;
Cancel: Byte;
CancelIrql: Byte;
ApcEnvironment: Char;
AllocationFlags: Byte;
UserIosb: PIO_STATUS_BLOCK;
UserEvent: PKEVENT;
Overlay: array[0..1] of dword;
CancelRoutine: Pointer;
UserBuffer: Pointer;
Tail: array[0..11] of dword; //$30byte
end; PDEVICE_OBJECT = ^TDEVICE_OBJECT;
PIO_TIMER = ^TIO_TIMER;
TIO_TIMER = packed record //Size $18
bType: word;
TimerFlag: word;
TimerList: TLIST_ENTRY;
TimerRoutine: Pointer;
Context: Pointer;
DeviceObject: PDEVICE_OBJECT;
end; PVPB = ^TVPB;
TVPB = packed record //Size $58
bType: word;
Size: word;
Flags: Dword;
VolumeLabelLength: word;
DeviceObject: PDEVICE_OBJECT;
RealDevice: PDEVICE_OBJECT;
SerialNumber: Dword;
ReferenceCount: Dword;
VolumeLabel: array[0..31] of Word;
end; PKDEVICE_QUEUE = ^TKDEVICE_QUEUE;
TKDEVICE_QUEUE = packed record //Size $14
bType: word;
Size: word;
DeviceListHead: TLIST_ENTRY;
Lock: Word;
Busy: Byte;
Gap: array[0..2] of byte;
end; PDEVOBJ_EXTENSION = ^TDEVOBJ_EXTENSION;
TDEVOBJ_EXTENSION = packed record //Size $2C
btype: Word;
Size: Word;
DeviceObject: PDEVICE_OBJECT;
PowerFlags: DWord;
Dope: Pointer; //_DEVICE_OBJECT_POWER_EXTENSION
ExtensionFlags: DWord;
DeviceNode: Pointer;
AttachedTo: PDEVICE_OBJECT;
StartIoCount: DWord;
StartIoKey: DWord;
StartIoFlags: DWord;
Vpb: PVPB;
end; TDEVICE_OBJECT = packed record
bType: Word;
Size: word;
ReferenceCount: dword;
DriverObject: PDEVICE_OBJECT;
NextDevice: PDEVICE_OBJECT;
AttachedDevice: PDEVICE_OBJECT;
CurrentIrp: PIRP;
Timer: PIO_TIMER;
Flags: Dword;
Characteristics: Dword;
Vpb: PVPB;
DeviceExtension: Pointer;
DeviceType: Dword;
StackSize: Char;
Queue: array[0..39] of byte;
AlignmentRequirement: DWORD;
DeviceQueue: TKDEVICE_QUEUE;
Dpc: TKDPC;
ActiveThreadCount: Dword;
SecurityDescriptor: Pointer;
DeviceLock: TKEVENT;
SectorSize: word;
Spare1: word;
DeviceObjectExtension: PDEVOBJ_EXTENSION;
Reserved: Pointer;
end; PEX_RUNDOWN_REF = ^TEX_RUNDOWN_REF;
TEX_RUNDOWN_REF = packed record
case integer of
0: (Count: Cardinal);
1: (Ptr: Pointer);
end; PEX_PUSH_LOCK = ^TEX_PUSH_LOCK;
TEX_PUSH_LOCK = packed record
case integer of
0: (Value: Cardinal); //Waiting:Pos 0,1Bit; Exclusive:Pos 1,1Bit ; Shared:Pos 2,30Bit
1: (Ptr: Pointer);
end; PEThread = ^TEThread;
TEThread = packed record //Size:$258
TCB: TKTHREAD;
CreateTime: Int64; // bit0-1 - NestedFaultCount bit2 - ApcNeeded
Union1: record case integer of
0: (ExitTime: Int64);
1: (LpcReplyChain: TLIST_ENTRY);
2: (KeyedWaitChain: TLIST_ENTRY);
end;
Union2: record case integer of
0: (ExitStatus: Cardinal);
1: (OfsChain: Pointer);
end;
PostBlockList: TLIST_ENTRY;
Union3: record case integer of
0: (TerminationPort: PTERMINATION_PORT);
1: (ReaperLink: PETHREAD);
2: (KeyedWaitValue: Pointer);
end;
ActiveTimerListLock: Dword;
ActiveTimerListHead: TLIST_ENTRY;
Cid: TCLIENT_ID;
Union4: record case integer of
0: (LpcReplySemaphore: TKSEMAPHORE);
1: (KeyedWaitSemaphore: TKSEMAPHORE);
end;
Union5: record case integer of
0: (LpcReplyMessage: Pointer);
1: (LpcWaitingOnPort: Pointer);
end;
ImpersonationInfo: PPS_IMPERSONATION_INFORMATION;
IrpList: TLIST_ENTRY;
TopLevelIrp: Dword;
DeviceToVerify: PDEVICE_OBJECT;
ThreadsProcess: PEPROCESS;
StartAddress: Pointer;
Union6: record case integer of
0: (Win32StartAddress: Pointer);
1: (LpcReceivedMessageId: Dword);
end;
ThreadListEntry: TLIST_ENTRY;
RundownProtect: TEX_RUNDOWN_REF;
ThreadLock: TEX_PUSH_LOCK;
LpcReplyMessageId: Dword;
ReadClusterSize: DWORD;
GrantedAccess: DWORD;
CrossThreadFlags: DWORD;
SameThreadPassiveFlags: DWORD;
SameThreadApcFlags: DWORD;
ForwardClusterOnly: byte;
DisablePageFaultClustering: byte;
Gap: Word; //间隙
end;
PPEB_LDR_DATA = ^TPEB_LDR_DATA;
TPEB_LDR_DATA = packed record // Size: $28
Length: dword;
Initialized: byte;
SsHandle: Pointer;
InLoadOrderModuleList: TLIST_ENTRY;
InMemoryOrderModuleList: TLIST_ENTRY;
InInitializationOrderModuleList: TLIST_ENTRY;
EntryInProgress: Pointer;
end; PCURDIR = ^TCURDIR;
TCURDIR = packed record
DosPath: TUNICODE_STRING;
Handle: Pointer;
end; PRTL_DRIVE_LETTER_CURDIR = ^TRTL_DRIVE_LETTER_CURDIR;
TRTL_DRIVE_LETTER_CURDIR = packed record
Flags: word;
Length: word;
TimeStamp: Dword;
DosPath: TUNICODE_STRING;
end; PRTL_USER_PROCESS_PARAMETERS = ^TRTL_USER_PROCESS_PARAMETERS;
TRTL_USER_PROCESS_PARAMETERS = packed record
MaximumLength: Dword;
Length: Dword;
Flags: Dword;
DebugFlags: Dword;
ConsoleHandle: Pointer;
ConsoleFlags: Dword;
StandardInput: Pointer;
StandardOutput: Pointer;
StandardError: Pointer;
CurrentDirectory: TCURDIR;
DllPath: TUNICODE_STRING;
ImagePathName: TUNICODE_STRING;
CommandLine: TUNICODE_STRING;
Environment: Pointer;
StartingX: Dword;
StartingY: Dword;
CountX: Dword;
CountY: Dword;
CountCharsX: Dword;
CountCharsY: Dword;
FillAttribute: Dword;
WindowFlags: Dword;
ShowWindowFlags: Dword;
WindowTitle: TUNICODE_STRING;
DesktopInfo: TUNICODE_STRING;
ShellInfo: TUNICODE_STRING;
RuntimeData: TUNICODE_STRING;
CurrentDirectores: array[0..31] of TRTL_DRIVE_LETTER_CURDIR;
end; PRTL_CRITICAL_SECTION = ^TRTL_CRITICAL_SECTION;
PRTL_CRITICAL_SECTION_DEBUG = ^TRTL_CRITICAL_SECTION_DEBUG;
TRTL_CRITICAL_SECTION_DEBUG = record
Type_18: Word;
CreatorBackTraceIndex: Word;
CriticalSection: PRTL_CRITICAL_SECTION;
ProcessLocksList: TLIST_ENTRY;
EntryCount: DWORD;
ContentionCount: DWORD;
Spare: array[0..1] of DWORD;
end; TRTL_CRITICAL_SECTION = record
DebugInfo: PRTL_CRITICAL_SECTION_DEBUG;
LockCount: Longint;
RecursionCount: Longint;
OwningThread: THandle;
LockSemaphore: THandle;
Reserved: DWORD;
end; PPEB_FREE_BLOCK = ^TPEB_FREE_BLOCK;
TPEB_FREE_BLOCK = record
Next: PPEB_FREE_BLOCK;
Size: Cardinal;
end;
PPeb = ^TPeb;
TPeb = packed record
InheritedAddressSpace: Byte;
ReadImageFileExecOptions: Byte;
BeingDebugged: Byte;
SpareBool: Byte;
Mutant: Pointer;
ImageBaseAddress: Pointer;
Ldr: PPEB_LDR_DATA;
ProcessParameters: PRTL_USER_PROCESS_PARAMETERS;
SubSystemData: Pointer;
ProcessHeap: Pointer;
FastPebLock: PRTL_CRITICAL_SECTION;
FastPebLockRoutine: Pointer;
FastPebUnlockRoutine: Pointer;
EnvironmentUpdateCount: Cardinal;
KernelCallbackTable: Pointer;
SystemReserved: Dword;
AtlThunkSListPtr32: Dword;
FreeList: PPEB_FREE_BLOCK;
TlsExpansionCounter: Cardinal;
TlsBitmap: Pointer;
TlsBitmapBits: array[0..1] of Cardinal;
ReadOnlySharedMemoryBase: Pointer;
ReadOnlySharedMemoryHeap: Pointer;
ReadOnlyStaticServerData: PPointer;
AnsiCodePageData: Pointer;
OemCodePageData: Pointer;
UnicodeCaseTableData: Pointer;
NumberOfProcessors: Cardinal;
NtGlobalFlag: Cardinal;
Gap1: Dword; //间隙
CriticalSectionTimeout: Int64;
HeapSegmentReserve: DWORD;
HeapSegmentCommit: DWORD;
HeapDeCommitTotalFreeThreshold: DWORD;
HeapDeCommitFreeBlockThreshold: DWORD;
NumberOfHeaps: DWORD;
MaximumNumberOfHeaps: DWORD;
ProcessHeaps: PPointer;
GdiSharedHandleTable: Pointer;
ProcessStarterHelper: Pointer;
GdiDCAttributeList: DWORD;
LoaderLock: Pointer;
OSMajorVersion: DWORD;
OSMinorVersion: DWORD;
OSBuildNumber: word;
OSCSDVersion: word;
OSPlatformId: DWORD;
ImageSubsystem: DWORD;
ImageSubsystemMajorVersion: DWORD;
ImageSubsystemMinorVersion: DWORD;
ImageProcessAffinityMask: DWORD;
GdiHandleBuffer: array[0..33] of Dword;
PostProcessInitRoutine: Pointer;
TlsExpansionBitmap: Pointer;
TlsExpansionBitmapBits: array[0..31] of Dword;
SessionId: DWORD;
AppCompatInfo: Int64;
AppCompatFlagsUser: Int64;
pShimData: Pointer;
AppCompInfo: Pointer;
CSDVersion: TUNICODE_STRING;
ActivationContextData: Pointer;
ProcessAssemblyStorageMap: Pointer;
SystemDefaultActivationContextData: Pointer;
SystemAssemblyStorageMap: Pointer;
MinimumStackCommit: DWORD;
Gap2: Dword; //间隙
end;
PHANDLE_TRACE_DB_ENTRY = ^THANDLE_TRACE_DB_ENTRY;
THANDLE_TRACE_DB_ENTRY = packed record //size : $50 byte
ClientId: TCLIENT_ID;
Handle: Pointer;
dType: Dword;
StackTrace: array[0..15] of Pointer;
end; PHANDLE_TRACE_DEBUG_INFO = ^THANDLE_TRACE_DEBUG_INFO;
THANDLE_TRACE_DEBUG_INFO = packed record //size : $50004 byte
CurrentStackIndex: Dword;
TraceDb: array[0..4095] of THANDLE_TRACE_DB_ENTRY;
end; PHANDLE_TABLE = ^THANDLE_TABLE;
THANDLE_TABLE = packed record
TableCode: Dword;
QuotaProcess: PEPROCESS;
UniqueProcessId: Pointer;
HandleTableLock: array[0..3] of TEX_PUSH_LOCK;
HandleTableList: TLIST_ENTRY;
HandleContentionEvent: TEX_PUSH_LOCK;
DebugInfo: PHANDLE_TRACE_DEBUG_INFO;
ExtraInfoPages: Dword;
FirstFree: Dword;
LastFree: Dword;
NextHandleNeedingPool: Dword;
HandleCount: Dword;
Flags: Dword;
end;
TEX_FAST_REF = packed record
case Integer of
0: (pObject: Pointer);
1: (Value: DWORD);
end; PFAST_MUTEX = ^TFAST_MUTEX;
TFAST_MUTEX = packed record
Count: Cardinal;
Owner: PKTHREAD;
Contention: DWORD;
Event: TKEVENT;
OldIrql: DWORD;
end; POWNER_ENTRY = ^TOWNER_ENTRY;
TOWNER_ENTRY = packed record
OwnerThread: Dword;
case Integer of
0: (OwnerCount: DWORD);
1: (TableSize: DWORD);
end; PERESOURCE = ^TERESOURCE;
TERESOURCE = packed record
SystemResourcesList: TLIST_ENTRY;
OwnerTable: POWNER_ENTRY;
ActiveCount: word;
Flag: word;
SharedWaiters: PKSEMAPHORE;
ExclusiveWaiters: PKEVENT;
OwnerThreads: array[0..1] of TOWNER_ENTRY;
ContentionCount: Dword;
NumberOfSharedWaiters: word;
NumberOfExclusiveWaiters: word;
Address: Pointer;
CreatorBackTraceIndex: Dword;
SpinLock: Dword;
end; PSID_AND_ATTRIBUTES = ^TSID_AND_ATTRIBUTES;
TSID_AND_ATTRIBUTES = packed record
Sid: Pointer;
Attributes: dword;
end; PPS_JOB_TOKEN_FILTER = ^TPS_JOB_TOKEN_FILTER;
TPS_JOB_TOKEN_FILTER = packed record
CapturedSidCount: Cardinal;
CapturedSids: PSID_AND_ATTRIBUTES;
CapturedSidsLength: Cardinal;
CapturedGroupCount: Cardinal;
CapturedGroups: PSID_AND_ATTRIBUTES;
CapturedGroupsLength: Cardinal;
CapturedPrivilegeCount: Cardinal;
CapturedPrivileges: PSID_AND_ATTRIBUTES;
CapturedPrivilegesLength: Cardinal;
end; PIO_COUNTERS = ^TIO_COUNTERS;
TIO_COUNTERS = packed record
ReadOperationCount: Int64;
WriteOperationCount: Int64;
OtherOperationCount: Int64;
ReadTransferCount: Int64;
WriteTransferCount: Int64;
OtherTransferCount: Int64;
end; PEJOB = ^TEJOB;
TEJOB = packed record //size: $180 bytes
Event: TKEVENT;
JobLinks: TLIST_ENTRY;
ProcessListHead: TLIST_ENTRY;
JobLock: TERESOURCE;
TotalUserTime: Int64;
TotalKernelTime: Int64;
ThisPeriodTotalUserTime: Int64;
ThisPeriodTotalKernelTime: Int64;
TotalPageFaultCount: Dword;
TotalProcesses: Dword;
ActiveProcesses: Dword;
TotalTerminatedProcesses: Dword;
PerProcessUserTimeLimit: Int64;
PerJobUserTimeLimit: Int64;
LimitFlags: Dword;
MinimumWorkingSetSize: Dword;
MaximumWorkingSetSize: Dword;
ActiveProcessLimit: Dword;
Affinity: Dword;
PriorityClass: Byte;
UIRestrictionsClass: Dword;
SecurityLimitFlags: Dword;
Token: Pointer;
Filter: PPS_JOB_TOKEN_FILTER;
EndOfJobTimeAction: Dword;
CompletionPort: Pointer;
CompletionKey: Pointer;
SessionId: Dword;
SchedulingClass: Dword;
ReadOperationCount: Int64;
WriteOperationCount: Int64;
OtherOperationCount: Int64;
ReadTransferCount: Int64;
WriteTransferCount: Int64;
OtherTransferCount: Int64;
IoInfo: TIO_COUNTERS;
ProcessMemoryLimit: Dword;
JobMemoryLimit: Dword;
PeakProcessMemoryUsed: Dword;
PeakJobMemoryUsed: Dword;
CurrentJobMemoryUsed: Dword;
MemoryLimitsLock: TFAST_MUTEX;
JobSetLinks: TLIST_ENTRY;
MemberLevel: Dword;
JobFlags: Dword;
end; PEPROCESS_QUOTA_ENTRY = ^TEPROCESS_QUOTA_ENTRY;
TEPROCESS_QUOTA_ENTRY = packed record
Usage: DWORD;
Limit: DWORD;
Peak: DWORD;
Return: DWORD;
end; PEPROCESS_QUOTA_BLOCK = ^TEPROCESS_QUOTA_BLOCK;
TEPROCESS_QUOTA_BLOCK = packed record
QuotaEntry: array[0..3] of TEPROCESS_QUOTA_ENTRY;
QuotaList: TLIST_ENTRY;
ReferenceCount: Cardinal;
ProcessCount: Cardinal;
end; PPROCESS_WS_WATCH_INFORMATION = ^TPROCESS_WS_WATCH_INFORMATION;
TPROCESS_WS_WATCH_INFORMATION = packed record
FaultingPc: Pointer;
FaultingVa: Pointer;
end; PPAGEFAULT_HISTORY = ^TPAGEFAULT_HISTORY;
TPAGEFAULT_HISTORY = packed record
CurrentIndex: DWORD;
MaxIndex: DWORD;
SpinLock: DWORD;
Reserved: Pointer;
WatchInfo: TPROCESS_WS_WATCH_INFORMATION;
end; PHARDWARE_PTE_X86 = ^THARDWARE_PTE_X86;
THARDWARE_PTE_X86 = packed record
Bit: Dword;
// Valid: Bitfield Pos 0, 1 Bit
// Write: Bitfield Pos 1, 1 Bit
// Owner: Bitfield Pos 2, 1 Bit
// WriteThrough: Bitfield Pos 3, 1 Bit
// CacheDisable: Bitfield Pos 4, 1 Bit
// Accessed: Bitfield Pos 5, 1 Bit
// Dirty: Bitfield Pos 6, 1 Bit
// LargePage: Bitfield Pos 7, 1 Bit
// Global: Bitfield Pos 8, 1 Bit
// CopyOnWrite: Bitfield Pos 9, 1 Bit
// Prototype: Bitfield Pos 10, 1 Bit
// reserved: Bitfield Pos 11, 1 Bit
// PageFrameNumber: Bitfield Pos 12, 20 Bits
end;
POBJECT_NAME_INFORMATION = ^TOBJECT_NAME_INFORMATION;
TOBJECT_NAME_INFORMATION = packed record
Name: TUNICODE_STRING;
end; PSE_AUDIT_PROCESS_CREATION_INFO = ^TSE_AUDIT_PROCESS_CREATION_INFO;
TSE_AUDIT_PROCESS_CREATION_INFO = packed record
ImageFileName: POBJECT_NAME_INFORMATION;
end; PMMSUPPORT_FLAGS = ^TMMSUPPORT_FLAGS;
TMMSUPPORT_FLAGS = packed record
Bit: DWORD;
//SessionSpace : Bitfield Pos 0, 1 Bit
//BeingTrimmed : Bitfield Pos 1, 1 Bit
//SessionLeader : Bitfield Pos 2, 1 Bit
//TrimHard : Bitfield Pos 3, 1 Bit
//WorkingSetHard : Bitfield Pos 4, 1 Bit
//AddressSpaceBeingDeleted : Bitfield Pos 5, 1 Bit
//Available : Bitfield Pos 6, 10 Bits
//AllowWorkingSetAdjustment : Bitfield Pos 16, 8 Bits
//MemoryPriority : Bitfield Pos 24, 8 Bits
end; PMMWSL = ^TMMWSL;
TMMWSL = packed record
//MS Undefined
end; PMMSUPPORT = ^TMMSUPPORT;
TMMSUPPORT = packed record
LastTrimTime: Int64;
Flags: TMMSUPPORT_FLAGS;
PageFaultCount: Dword;
PeakWorkingSetSize: Dword;
WorkingSetSize: Dword;
MinimumWorkingSetSize: Dword;
MaximumWorkingSetSize: Dword;
VmWorkingSetList: PMMWSL;
WorkingSetExpansionLinks: TLIST_ENTRY;
Claim: Dword;
NextEstimationSlot: Dword;
NextAgingSlot: Dword;
EstimatedAvailable: Dword;
GrowthSinceLastEstimate: Dword;
end; TEPROCESS = packed record
Pcb: TKPROCESS;
ProcessLock: TEX_PUSH_LOCK;
CreateTime: Int64;
ExitTime: Int64;
RundownProtect: TEX_RUNDOWN_REF;
UniqueProcessId: Integer;
ActiveProcessLinks: TLIST_ENTRY;
QuotaUsage: array[0..2] of Cardinal;
QuotaPeak: array[0..2] of Cardinal;
CommitCharge: Cardinal;
PeakVirtualSize: Cardinal;
VirtualSize: Cardinal;
SessionProcessLinks: TLIST_ENTRY;
DebugPort: Pointer;
ExceptionPort: Pointer;
ObjectTable: PHANDLE_TABLE;
Token: TEX_FAST_REF;
WorkingSetLock: TFAST_MUTEX;
WorkingSetPage: Cardinal;
AddressCreationLock: TFAST_MUTEX;
HyperSpaceLock: Cardinal;
ForkInProgress: PEThread;
HardwareTrigger: Cardinal;
VadRoot: Pointer;
VadHint: Pointer;
CloneRoot: Pointer;
NumberOfPrivatePages: Cardinal;
NumberOfLockedPages: Cardinal;
Win32Process: Pointer;
Job: PEJOB;
SectionObject: Pointer;
SectionBaseAddress: Pointer;
QuotaBlock: PEPROCESS_QUOTA_BLOCK;
WorkingSetWatch: PPAGEFAULT_HISTORY;
Win32WindowStation: Pointer;
InheritedFromUniqueProcessId: Cardinal;
LdtInformation: Pointer;
VadFreeHint: Pointer;
VdmObjects: Pointer;
DeviceMap: Pointer;
PhysicalVadList: TLIST_ENTRY;
Union1: record case integer of
0: (PageDirectoryPte: THARDWARE_PTE_X86);
1: (Filler: Int64);
end;
Session: Pointer;
ImageFileName: array[0..$F] of Char;
JobLinks: TLIST_ENTRY;
LockedPagesList: Pointer;
ThreadListHead: TLIST_ENTRY;
SecurityPort: Pointer;
PaeTop: Pointer;
ActiveThreads: Cardinal;
GrantedAccess: Cardinal;
DefaultHardErrorProcessing: Cardinal;
LastThreadExitStatus: Dword;
Peb: PPeb;
PrefetchTrace: TEX_FAST_REF;
ReadOperationCount: Int64;
WriteOperationCount: Int64;
OtherOperationCount: Int64;
ReadTransferCount: Int64;
WriteTransferCount: Int64;
OtherTransferCount: Int64;
CommitChargeLimit: Cardinal;
CommitChargePeak: Cardinal;
AweInfo: Pointer;
SeAuditProcessCreationInfo: TSE_AUDIT_PROCESS_CREATION_INFO;
Vm: TMMSUPPORT;
LastFaultCount: Cardinal;
ModifiedPageCount: Cardinal;
NumberOfVads: Cardinal;
JobStatus: Cardinal;
Flags: Cardinal;
ExitStatus: DWORD;
NextPageColor: Word;
Union2: record case integer of
0: (SSV: record SubSystemMinorVersion: Byte; SubSystemMajorVersion: Byte; end);
1: (SubSystemVersion: Word);
end;
SubSystemVersion: Word;
PriorityClass: Byte;
WorkingSetAcquiredUnsafe: Byte;
Cookie: Cardinal;
Gap: DWORD; //间隙
end;
================完==================
http://download.csdn.net/source/2223863
不过也赞赏一下楼主的不辞辛苦
略微有点杂乱,看着有点晕,不过总体来说还是很不错的