#ifndef _UNDOCUMENTED_H
#define _UNDOCUMENTED_H
#include <windows.h>
//Thanks to: https://github.com/zer0fl4g/Nanomite
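// NTSTATUS is a signed 32-bit status code: negative values are failures,
// which is exactly what NT_SUCCESS() tests.
typedef LONG NTSTATUS;
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
// Cast the constant to NTSTATUS, as ntstatus.h does, so that comparing it
// against an NTSTATUS variable is a same-type comparison. The bare literal
// 0xC0000004 does not fit in int and therefore has type unsigned int, which
// turns `status == STATUS_INFO_LENGTH_MISMATCH` into a signed/unsigned
// comparison (and a -Wsign-compare warning).
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)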
// Counted string as used by the NT native API; only the value typedef is
// declared here (no PUNICODE_STRING).
// NOTE(review): in the native API Length/MaximumLength are byte counts and
// Buffer is not guaranteed to be NUL-terminated, so a Buffer read out of
// another process must be treated as a bounded span of Length bytes, never
// handed to wcslen()/%ls-style APIs as-is — confirm against winternl.h.
typedef struct _UNICODE_STRING
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING;
// Process/thread identifier pair carried as HANDLE-sized values; embedded in
// TEB (Cid, RealClientId) and SYSTEM_THREAD_INFORMATION (ClientId) below.
typedef struct _CLIENT_ID
{
    HANDLE UniqueProcess;
    HANDLE UniqueThread;
} CLIENT_ID;
// Process parameter block: two opaque reserved runs followed by the image
// path and command line strings.
// NOTE(review): only the leading members are declared, so this is presumably
// a prefix of the real block — do not use sizeof(RTL_USER_PROCESS_PARAMETERS)
// as the size of the structure in the target process.
typedef struct _RTL_USER_PROCESS_PARAMETERS
{
    BYTE Reserved1[16];
    PVOID Reserved2[10];
    UNICODE_STRING ImagePathName;
    UNICODE_STRING CommandLine;
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
#pragma pack(push)
#pragma pack(1)
// Doubly-linked list links with Flink/Blink widened to T, so the same
// template describes the 32-bit and 64-bit layouts (used by _PEB_T for
// FlsListHead). Declared inside the pack(1) region opened above.
template <class T>
struct LIST_ENTRY_T
{
    T Flink;
    T Blink;
};
// UNICODE_STRING re-described for an arbitrary pointer width T: the two
// WORD counts are overlaid with a T-sized dummy so the header occupies
// sizeof(T) bytes, and the buffer pointer is carried as T. This gives the
// struct the size of the native 32-bit (T = DWORD) or 64-bit (T = DWORD64)
// UNICODE_STRING even though the whole region is pack(1). Used by _PEB_T
// for CSDVersion.
template <class T>
struct UNICODE_STRING_T
{
    union
    {
        struct
        {
            WORD Length;
            WORD MaximumLength;
        };
        T dummy; // pads the count pair to sizeof(T)
    };
    T _Buffer; // pointer value, not dereferenceable from the reading process
};
// Process Environment Block described once for both bitnesses.
//   T   - pointer-sized integer of the target: DWORD for PEB32, DWORD64 for
//         PEB64 (see the typedefs that follow this template).
//   NGF - type unioned with the 4-byte NtGlobalFlag so it occupies the same
//         space as in the native layout (DWORD64 for PEB32, DWORD for PEB64).
//   A   - element count of GdiHandleBuffer (34 for PEB32, 30 for PEB64).
// The struct sits inside a #pragma pack(1) region, so there is no implicit
// padding: every byte of the native layout is spelled out by the member
// types. NOTE(review): several members whose native type is a 32-bit value
// (e.g. TlsExpansionCounter, ImageSubsystemMinorVersion, FlsHighIndex) are
// declared as T here, apparently to stand in for the native alignment
// padding under pack(1); verify offsets against the target build before
// adding, removing or reordering members.
// The name begins with an underscore and a capital letter, which C++
// reserves for the implementation; it is left unchanged because PEB32/PEB64
// below refer to it.
template <class T, class NGF, int A>
struct _PEB_T
{
    union
    {
        struct
        {
            BYTE InheritedAddressSpace;
            BYTE ReadImageFileExecOptions;
            BYTE BeingDebugged;       // the flag IsDebuggerPresent() reports — per winternl.h
            BYTE BitField;
        };
        T dummy01; // pads the four flag bytes to sizeof(T)
    };
    T Mutant;
    T ImageBaseAddress;
    T Ldr;
    T ProcessParameters;   // points at an RTL_USER_PROCESS_PARAMETERS in the target
    T SubSystemData;
    T ProcessHeap;
    T FastPebLock;
    T AtlThunkSListPtr;
    T IFEOKey;
    T CrossProcessFlags;
    T UserSharedInfoPtr;
    DWORD SystemReserved;
    DWORD AtlThunkSListPtr32;
    T ApiSetMap;
    T TlsExpansionCounter;
    T TlsBitmap;
    DWORD TlsBitmapBits[2];
    T ReadOnlySharedMemoryBase;
    T HotpatchInformation;
    T ReadOnlyStaticServerData;
    T AnsiCodePageData;
    T OemCodePageData;
    T UnicodeCaseTableData;
    DWORD NumberOfProcessors;
    union
    {
        DWORD NtGlobalFlag;
        NGF dummy02; // pads NtGlobalFlag to sizeof(NGF)
    };
    LARGE_INTEGER CriticalSectionTimeout;
    T HeapSegmentReserve;
    T HeapSegmentCommit;
    T HeapDeCommitTotalFreeThreshold;
    T HeapDeCommitFreeBlockThreshold;
    DWORD NumberOfHeaps;
    DWORD MaximumNumberOfHeaps;
    T ProcessHeaps;
    T GdiSharedHandleTable;
    T ProcessStarterHelper;
    T GdiDCAttributeList;
    T LoaderLock;
    DWORD OSMajorVersion;
    DWORD OSMinorVersion;
    WORD OSBuildNumber;
    WORD OSCSDVersion;
    DWORD OSPlatformId;
    DWORD ImageSubsystem;
    DWORD ImageSubsystemMajorVersion;
    T ImageSubsystemMinorVersion;
    T ActiveProcessAffinityMask;
    T GdiHandleBuffer[A];
    T PostProcessInitRoutine;
    T TlsExpansionBitmap;
    DWORD TlsExpansionBitmapBits[32];
    T SessionId;
    ULARGE_INTEGER AppCompatFlags;
    ULARGE_INTEGER AppCompatFlagsUser;
    T pShimData;
    T AppCompatInfo;
    UNICODE_STRING_T<T> CSDVersion;
    T ActivationContextData;
    T ProcessAssemblyStorageMap;
    T SystemDefaultActivationContextData;
    T SystemAssemblyStorageMap;
    T MinimumStackCommit;
    T FlsCallback;
    LIST_ENTRY_T<T> FlsListHead;
    T FlsBitmap;
    DWORD FlsBitmapBits[4];
    T FlsHighIndex;
    T WerRegistrationData;
    T WerShipAssertPtr;
    T pContextData;
    T pImageHeaderHash;
    T TracingFlags;
};
// Concrete instantiations: PEB32 is the 32-bit layout (DWORD pointers, an
// 8-byte NtGlobalFlag slot, 34-entry GDI handle buffer) and PEB64 the 64-bit
// one (DWORD64 pointers, 4-byte NtGlobalFlag slot, 30 entries).
typedef _PEB_T<DWORD, DWORD64, 34> PEB32;
typedef _PEB_T<DWORD64, DWORD, 30> PEB64;

#pragma pack(pop) // closes the pack(1) region opened before LIST_ENTRY_T

// PEB follows the bitness of this build. NOTE(review): when a 64-bit process
// inspects a 32-bit (WOW64) target, or the reverse, the caller has to pick
// PEB32/PEB64 explicitly — PEB describes the inspecting process, not the
// target.
#ifdef _WIN64 //x64
typedef PEB64 PEB;
#else //x86
typedef PEB32 PEB;
#endif //_WIN64

typedef PEB* PPEB;
// Thread Environment Block. Unlike the PEB templates above this struct is
// outside the pack(1) region, so natural alignment applies, and its Peb
// member is a PPEB (the build-bitness PEB typedef above), so the whole
// struct is only meaningful for a target of the same bitness as this build.
// NOTE(review): the member list (GlDispatchTable, GlReserved*, Spare*) looks
// like the NT4/Windows 2000-era TEB; treat offsets past the leading members
// (Tib, Cid, Peb, LastErrorValue) as unverified against modern builds and
// check them before relying on any of them.
typedef struct _TEB
{
    NT_TIB Tib;
    PVOID EnvironmentPointer;
    CLIENT_ID Cid;
    PVOID ActiveRpcInfo;
    PVOID ThreadLocalStoragePointer;
    PPEB Peb;
    ULONG LastErrorValue;
    ULONG CountOfOwnedCriticalSections;
    PVOID CsrClientThread;
    PVOID Win32ThreadInfo;
    ULONG Win32ClientInfo[0x1F];
    PVOID WOW32Reserved;
    ULONG CurrentLocale;
    ULONG FpSoftwareStatusRegister;
    PVOID SystemReserved1[0x36];
    PVOID Spare1;
    ULONG ExceptionCode;
    ULONG SpareBytes1[0x28];
    PVOID SystemReserved2[0xA];
    ULONG GdiRgn;
    ULONG GdiPen;
    ULONG GdiBrush;
    CLIENT_ID RealClientId;
    PVOID GdiCachedProcessHandle;
    ULONG GdiClientPID;
    ULONG GdiClientTID;
    PVOID GdiThreadLocaleInfo;
    PVOID UserReserved[5];
    PVOID GlDispatchTable[0x118];
    ULONG GlReserved1[0x1A];
    PVOID GlReserved2;
    PVOID GlSectionInfo;
    PVOID GlSection;
    PVOID GlTable;
    PVOID GlCurrentRC;
    PVOID GlContext;
    NTSTATUS LastStatusValue;
    UNICODE_STRING StaticUnicodeString;
    WCHAR StaticUnicodeBuffer[0x105];
    PVOID DeallocationStack;
    PVOID TlsSlots[0x40];
    LIST_ENTRY TlsLinks;
    PVOID Vdm;
    PVOID ReservedForNtRpc;
    PVOID DbgSsReserved[0x2];
    ULONG HardErrorDisabled;
    PVOID Instrumentation[0x10];
    PVOID WinSockData;
    ULONG GdiBatchCount;
    ULONG Spare2;
    ULONG Spare3;
    ULONG Spare4;
    PVOID ReservedForOle;
    ULONG WaitingOnLoaderLock;
    PVOID StackCommit;
    PVOID StackCommitMax;
    PVOID StackReserved;
} TEB, *PTEB;
// https://stackoverflow.com/questions/36961152/detect-windows-kit-8-0-and-windows-kit-8-1-sdks
// Derive USING_WINDOWS_{8_0,8_1,8_x,10}_SDK from macros the SDK's own
// headers define (WINAPI_PARTITION_APP / WINAPI_FAMILY_SYSTEM), so that the
// EXCEPTION_REGISTRATION_RECORD definition below can be skipped on SDKs
// that already ship it. None of the USING_* macros is defined when
// WINAPI_PARTITION_APP is absent.
#if defined(WINAPI_PARTITION_APP)
#if (WINAPI_PARTITION_APP == 0x00000002)
#define USING_WINDOWS_8_0_SDK
#define USING_WINDOWS_8_x_SDK
#endif
#if defined(WINAPI_FAMILY_SYSTEM)
#define USING_WINDOWS_10_SDK
#else
#if (WINAPI_PARTITION_APP == 1)
#define USING_WINDOWS_8_1_SDK
#define USING_WINDOWS_8_x_SDK
#endif
#endif
#endif
// This struct was included in winnt.h starting in the windows 8 toolkit,
// so it is only defined here when the SDK-detection macros above say an
// older SDK is in use; defining it unconditionally would clash with the
// SDK's own definition.
#if !(defined(USING_WINDOWS_8_x_SDK) || defined(USING_WINDOWS_10_SDK))
typedef struct _EXCEPTION_REGISTRATION_RECORD
{
    _EXCEPTION_REGISTRATION_RECORD* Next;
    _EXCEPTION_DISPOSITION Handler;
} EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD;
#endif
// Per-thread record that trails each SYSTEM_PROCESS_INFORMATION entry
// (its Threads[1] member); the entry's NumberOfThreads presumably gives
// how many of these follow — confirm against the NtQuerySystemInformation
// documentation before indexing past the first.
typedef struct _SYSTEM_THREAD_INFORMATION
{
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientId;
    LONG Priority;
    LONG BasePriority;
    ULONG ContextSwitches;
    ULONG ThreadState;
    ULONG WaitReason;
} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;
// One entry of the buffer returned for SystemProcessInformation (defined
// at the end of this header). Threads[1] is a placeholder for a
// variable-length trailer, so sizeof(SYSTEM_PROCESS_INFORMATION) is not the
// entry stride; entries are chained through NextEntryOffset.
// NOTE(review): when walking the buffer, bound-check NextEntryOffset and
// NumberOfThreads against the length the call actually returned before
// dereferencing — a buffer obtained after STATUS_INFO_LENGTH_MISMATCH, or
// a truncated one, must not be walked as if it were complete. The
// ImageName buffer pointer is likewise only valid inside that buffer.
typedef struct _SYSTEM_PROCESS_INFORMATION
{
    ULONG NextEntryOffset;  // byte offset to the next entry; presumably 0 on the last one
    ULONG NumberOfThreads;
    LARGE_INTEGER SpareLi1;
    LARGE_INTEGER SpareLi2;
    LARGE_INTEGER SpareLi3;
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ImageName;
    LONG BasePriority;
    HANDLE UniqueProcessId;
    HANDLE InheritedFromUniqueProcessId;
    ULONG HandleCount;
    ULONG SessionId;
    ULONG_PTR PageDirectoryBase;
    SIZE_T PeakVirtualSize;
    SIZE_T VirtualSize;
    ULONG PageFaultCount;
    SIZE_T PeakWorkingSetSize;
    SIZE_T WorkingSetSize;
    SIZE_T QuotaPeakPagedPoolUsage;
    SIZE_T QuotaPagedPoolUsage;
    SIZE_T QuotaPeakNonPagedPoolUsage;
    SIZE_T QuotaNonPagedPoolUsage;
    SIZE_T PagefileUsage;
    SIZE_T PeakPagefileUsage;
    SIZE_T PrivatePageCount;
    LARGE_INTEGER ReadOperationCount;
    LARGE_INTEGER WriteOperationCount;
    LARGE_INTEGER OtherOperationCount;
    LARGE_INTEGER ReadTransferCount;
    LARGE_INTEGER WriteTransferCount;
    LARGE_INTEGER OtherTransferCount;
    SYSTEM_THREAD_INFORMATION Threads[1]; // first of NumberOfThreads records (variable-length trailer)
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
// SYSTEM_INFORMATION_CLASS value for NtQuerySystemInformation; the buffer it
// returns is parsed as the SYSTEM_PROCESS_INFORMATION entries declared above.
#define SystemProcessInformation 5 // For use with NtQuerySystemInformation
#endif // _UNDOCUMENTED_H