import winim/lean
type
  LDR_DATA_TABLE_ENTRY* {.bycopy.} = object
    ## Nim mirror of ntdll's undocumented LDR_DATA_TABLE_ENTRY: one entry per
    ## module in the loader lists hung off PEB_LDR_DATA (below). The object
    ## compiles to a plain C struct, so field offsets follow the C ABI and
    ## field ORDER is the contract — never reorder or insert fields here.
    InLoadOrderModuleList*: LIST_ENTRY            ## link in PEB_LDR_DATA.InLoadOrderModuleList
    InMemoryOrderModuleList*: LIST_ENTRY          ## link in PEB_LDR_DATA.InMemoryOrderModuleList
    InInitializationOrderModuleList*: LIST_ENTRY  ## link in PEB_LDR_DATA.InInitializationOrderModuleList
    DllBase*: PVOID
    EntryPoint*: PVOID
    SizeOfImage*: ULONG ## in bytes
    FullDllName*: UNICODE_STRING
    BaseDllName*: UNICODE_STRING
    Flags*: ULONG ## LDR_* flags
    LoadCount*: USHORT
    TlsIndex*: USHORT
    # NOTE(review): in the public ntdll layout HashLinks presumably overlaps
    # SectionPointer/CheckSum in a union; here the three are laid out one
    # after another, which would shift TimeDateStamp by one LIST_ENTRY.
    # Verify offsets against the target build before reading anything past
    # TlsIndex; a wrong offset is an out-of-bounds read in the loader data.
    HashLinks*: LIST_ENTRY
    SectionPointer*: PVOID
    CheckSum*: ULONG
    TimeDateStamp*: ULONG
    ## The ntdll definition continues with `PVOID LoadedImports` and
    ## `PVOID EntryPointActivationContext`; the original author left them out,
    ## noting they "seem to exist only on XP".
  PLDR_DATA_TABLE_ENTRY* = ptr LDR_DATA_TABLE_ENTRY

  PEB_LDR_DATA* {.bycopy.} = object
    ## Nim mirror of ntdll's PEB_LDR_DATA, reachable through PEB.Ldr.
    ## Holds the heads of the three doubly-linked module lists; each node
    ## is an LDR_DATA_TABLE_ENTRY linked via the matching LIST_ENTRY field.
    Length*: ULONG
    Initialized*: BOOLEAN     ## C alignment rules pad this out before SsHandle
    SsHandle*: PVOID
    InLoadOrderModuleList*: LIST_ENTRY
    InMemoryOrderModuleList*: LIST_ENTRY
    InInitializationOrderModuleList*: LIST_ENTRY
  PPEB_LDR_DATA* = ptr PEB_LDR_DATA

  RTL_DRIVE_LETTER_CURDIR* {.bycopy.} = object
    ## Per-drive-letter current directory record, 0x20 of which sit at the
    ## end of RTL_USER_PROCESS_PARAMETERS.
    Flags*: USHORT
    Length*: USHORT
    TimeStamp*: ULONG
    DosPath*: UNICODE_STRING

  RTL_USER_PROCESS_PARAMETERS* {.bycopy.} = object
    ## Nim mirror of ntdll's RTL_USER_PROCESS_PARAMETERS (PEB.ProcessParameters):
    ## the process's startup state — standard handles, paths, command line,
    ## environment block and console/window settings.
    ## NOTE(review): the UNICODE_STRING members are counted strings, not
    ## NUL-terminated; read them by Length, not up to a terminator.
    MaximumLength*: ULONG
    Length*: ULONG
    Flags*: ULONG
    DebugFlags*: ULONG
    ConsoleHandle*: PVOID
    ConsoleFlags*: ULONG
    StdInputHandle*: HANDLE
    StdOutputHandle*: HANDLE
    StdErrorHandle*: HANDLE
    CurrentDirectoryPath*: UNICODE_STRING
    CurrentDirectoryHandle*: HANDLE
    DllPath*: UNICODE_STRING
    ImagePathName*: UNICODE_STRING
    CommandLine*: UNICODE_STRING
    Environment*: PVOID       ## environment block (layout not described in this file)
    StartingPositionLeft*: ULONG
    StartingPositionTop*: ULONG
    Width*: ULONG
    Height*: ULONG
    CharWidth*: ULONG
    CharHeight*: ULONG
    ConsoleTextAttributes*: ULONG
    WindowFlags*: ULONG
    ShowWindowFlags*: ULONG
    WindowTitle*: UNICODE_STRING
    DesktopName*: UNICODE_STRING
    ShellInfo*: UNICODE_STRING
    RuntimeData*: UNICODE_STRING
    DLCurrentDirectory*: array[0x20, RTL_DRIVE_LETTER_CURDIR]

  PEB* {.bycopy.} = object
    ## Nim mirror of the undocumented Process Environment Block, as returned
    ## by GetPEB() below.
    ## NOTE(review): this is the legacy (NT4/2000-era) layout. The leading
    ## members up to FastPebLock use pointer-sized types and should line up on
    ## both x86 and x64, but from FastPebLockRoutine onward current x64 builds
    ## name different fields and several of the ULONG members here are
    ## pointer-sized (SIZE_T) in ntdll — presumably NOT safe to dereference past
    ## that point on a modern 64-bit target without checking offsets for the
    ## specific build. Field order is the ABI; never reorder.
    InheritedAddressSpace*: BOOLEAN
    ReadImageFileExecOptions*: BOOLEAN
    BeingDebugged*: BOOLEAN   ## presumably the flag behind IsDebuggerPresent() — confirm
    Spare*: BOOLEAN           ## NOTE(review): current headers call this slot BitField
    Mutant*: HANDLE
    ImageBaseAddress*: PVOID  ## base of the main executable image
    Ldr*: PPEB_LDR_DATA       ## loader data; walk its lists for loaded modules
    # NOTE(review): PRTL_USER_PROCESS_PARAMETERS is not declared in this file —
    # presumably provided by winim/lean; verify, or add
    # `PRTL_USER_PROCESS_PARAMETERS* = ptr RTL_USER_PROCESS_PARAMETERS` if not.
    ProcessParameters*: PRTL_USER_PROCESS_PARAMETERS
    SubSystemData*: PVOID
    ProcessHeap*: PVOID
    FastPebLock*: PVOID
    # ---- fields below are only reliable on the legacy layout; see the object doc ----
    FastPebLockRoutine*: PVOID
    FastPebUnlockRoutine*: PVOID
    EnvironmentUpdateCount*: ULONG
    KernelCallbackTable*: PVOID
    EventLogSection*: PVOID
    EventLog*: PVOID
    FreeList*: PVOID
    TlsExpansionCounter*: ULONG
    TlsBitmap*: PVOID
    TlsBitmapBits*: array[0x2, ULONG]
    ReadOnlySharedMemoryBase*: PVOID
    ReadOnlySharedMemoryHeap*: PVOID
    ReadOnlyStaticServerData*: PVOID
    AnsiCodePageData*: PVOID
    OemCodePageData*: PVOID
    UnicodeCaseTableData*: PVOID
    NumberOfProcessors*: ULONG
    NtGlobalFlag*: ULONG      ## NOTE(review): commonly inspected for heap debug flags — semantics not defined here
    Spare2*: array[0x4, BYTE]
    CriticalSectionTimeout*: LARGE_INTEGER
    HeapSegmentReserve*: ULONG          ## SIZE_T in 64-bit ntdll — see object doc
    HeapSegmentCommit*: ULONG           ## SIZE_T in 64-bit ntdll — see object doc
    HeapDeCommitTotalFreeThreshold*: ULONG  ## SIZE_T in 64-bit ntdll — see object doc
    HeapDeCommitFreeBlockThreshold*: ULONG  ## SIZE_T in 64-bit ntdll — see object doc
    NumberOfHeaps*: ULONG
    MaximumNumberOfHeaps*: ULONG
    ProcessHeaps*: ptr PVOID
    GdiSharedHandleTable*: PVOID
    ProcessStarterHelper*: PVOID
    GdiDCAttributeList*: PVOID
    LoaderLock*: PVOID
    OSMajorVersion*: ULONG
    OSMinorVersion*: ULONG
    OSBuildNumber*: ULONG
    OSPlatformId*: ULONG
    ImageSubSystem*: ULONG
    ImageSubSystemMajorVersion*: ULONG
    ImageSubSystemMinorVersion*: ULONG
    GdiHandleBuffer*: array[0x22, ULONG]
    PostProcessInitRoutine*: ULONG     ## NOTE(review): a function pointer in ntdll; ULONG only matches on x86
    TlsExpansionBitmap*: ULONG         ## NOTE(review): a pointer in ntdll; ULONG only matches on x86
    TlsExpansionBitmapBits*: array[0x80, BYTE]
    SessionId*: ULONG
  PPEB* = ptr PEB
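proc GetPEB*(): PPEB {.asmNoStackFrame.} =
  ## Returns a pointer to the current process's PEB without calling any
  ## Win32/NT API: it reads the ProcessEnvironmentBlock slot of the TEB
  ## through the segment register the OS reserves for it (gs:[0x60] on x64,
  ## fs:[0x30] on x86).
  ##
  ## `asmNoStackFrame` makes the generated C function naked: the compiler
  ## emits no prologue/epilogue and no `return result;`, so the `ret` below is
  ## the only exit and the value left in rax/eax is the return value. The
  ## original relied on a hand-written `ret` inside a normal (non-naked)
  ## function, which skips whatever frame the C compiler set up and only
  ## works by accident of optimisation level.
  ##
  ## NOTE(review): the asm is written in Intel syntax; with the GCC/Clang
  ## backends that presumably requires `-masm=intel` (e.g. `--passC:-masm=intel`)
  ## — confirm the build flags. MSVC has no x64 inline asm, so this is
  ## presumably unusable with the vcc backend. The naked attribute on x86
  ## needs a reasonably recent GCC (8+) — older mingw toolchains may reject it.
  when defined(amd64):
    asm """
      mov rax, qword ptr gs:[0x60]
      ret
    """
  elif defined(i386):
    asm """
      mov eax, dword ptr fs:[0x30]
      ret
    """
  else:
    {.error: "GetPEB: only x86 and x64 Windows targets are supported".}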