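#pragma once
#include <cstdint> // uint8_t ... uintptr_t used throughout

// Hand-written copies of the Windows PE image headers and of the user-mode
// process / loader bookkeeping structures (PEB, loader data, module entries),
// kept in their own namespace so they do not collide with the SDK names.
//
// Parsing note: every count, offset and RVA reached through the PE structures
// (e_lfanew, NumberOfSections, NumberOfRvaAndSizes, DataDirectory entries, the
// export directory fields) comes from the image being inspected. Validate each
// one against the size of the mapped or read buffer before it is used as an
// index or added to a base pointer.
namespace nt
{
    // 16-bit unsigned, as in the Windows SDK. A signed type would turn values
    // with the top bit set (e.g. a Machine value of 0x8664 or a
    // Characteristics flag of 0x8000) negative after integer promotion and
    // make equality and mask checks against them fail.
    using WORD = unsigned short;
    using BYTE = unsigned char;
    // 32 bits wide on Windows (LLP64).
    // NOTE(review): on an LP64 host `unsigned long` is 64 bits and every PE
    // structure below changes size; confirm this header is only built for
    // Windows targets.
    using DWORD = unsigned long;

    // One entry of the optional header's data-directory table.
    typedef struct _IMAGE_DATA_DIRECTORY
    {
        DWORD VirtualAddress; // RVA of the table; 0 when the directory is absent
        DWORD Size;           // size of the table in bytes
    } IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;

    // Optional header in its PE32 form (BaseOfData present, 32-bit ImageBase
    // and stack/heap sizes).
    // NOTE(review): PE32+ images (Magic == 0x20B) drop BaseOfData and widen
    // ImageBase and the four stack/heap sizes to 64 bits, so DataDirectory sits
    // at a different offset there. Check Magic before reading past BaseOfCode,
    // and confirm which image format callers of this header actually parse.
    typedef struct _IMAGE_OPTIONAL_HEADER
    {
        WORD Magic;
        BYTE MajorLinkerVersion;
        BYTE MinorLinkerVersion;
        DWORD SizeOfCode;
        DWORD SizeOfInitializedData;
        DWORD SizeOfUninitializedData;
        DWORD AddressOfEntryPoint;
        DWORD BaseOfCode;
        DWORD BaseOfData;
        DWORD ImageBase;
        DWORD SectionAlignment;
        DWORD FileAlignment;
        WORD MajorOperatingSystemVersion;
        WORD MinorOperatingSystemVersion;
        WORD MajorImageVersion;
        WORD MinorImageVersion;
        WORD MajorSubsystemVersion;
        WORD MinorSubsystemVersion;
        DWORD Win32VersionValue;
        DWORD SizeOfImage;
        DWORD SizeOfHeaders;
        DWORD CheckSum;
        WORD Subsystem;
        WORD DllCharacteristics;
        DWORD SizeOfStackReserve;
        DWORD SizeOfStackCommit;
        DWORD SizeOfHeapReserve;
        DWORD SizeOfHeapCommit;
        DWORD LoaderFlags;
        // Taken from the file; clamp to the array length (16) before indexing
        // DataDirectory with it.
        DWORD NumberOfRvaAndSizes;
        IMAGE_DATA_DIRECTORY DataDirectory[ 16 ];
    } IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;

    // COFF file header that follows the "PE\0\0" signature.
    typedef struct _IMAGE_FILE_HEADER
    {
        WORD Machine;
        WORD NumberOfSections;
        DWORD TimeDateStamp;
        DWORD PointerToSymbolTable;
        DWORD NumberOfSymbols;
        // Real size of the optional header in the file; use it (not
        // sizeof(IMAGE_OPTIONAL_HEADER)) to locate the section table.
        WORD SizeOfOptionalHeader;
        WORD Characteristics;
    } IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;

    // Signature + file header + optional header, found at e_lfanew.
    typedef struct _IMAGE_NT_HEADERS
    {
        DWORD Signature;
        IMAGE_FILE_HEADER FileHeader;
        IMAGE_OPTIONAL_HEADER OptionalHeader;
    } IMAGE_NT_HEADERS, *PIMAGE_NT_HEADERS;

    // Export directory table. The three AddressOf* members are RVAs of
    // parallel arrays whose lengths are NumberOfFunctions / NumberOfNames;
    // both the RVAs and the counts need bounds checks against SizeOfImage.
    typedef struct _IMAGE_EXPORT_DIRECTORY
    {
        uint32_t Characteristics;
        uint32_t TimeDateStamp;
        uint16_t MajorVersion;
        uint16_t MinorVersion;
        uint32_t Name;
        uint32_t Base;
        uint32_t NumberOfFunctions;
        uint32_t NumberOfNames;
        uint32_t AddressOfFunctions;    // RVA from base of image
        uint32_t AddressOfNames;        // RVA from base of image
        uint32_t AddressOfNameOrdinals; // RVA from base of image
    } IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;

    // Legacy MS-DOS header at offset 0 of every PE file.
    typedef struct _IMAGE_DOS_HEADER
    {
        WORD e_magic;
        WORD e_cblp;
        WORD e_cp;
        WORD e_crlc;
        WORD e_cparhdr;
        WORD e_minalloc;
        WORD e_maxalloc;
        WORD e_ss;
        WORD e_sp;
        WORD e_csum;
        WORD e_ip;
        WORD e_cs;
        WORD e_lfarlc;
        WORD e_ovno;
        WORD e_res[ 4 ];
        WORD e_oemid;
        WORD e_oeminfo;
        WORD e_res2[ 10 ];
        // File offset of IMAGE_NT_HEADERS. Signed and file-controlled: reject
        // negative values and values that leave no room for the NT headers.
        // NOTE(review): `long` is 32 bits only on LLP64 targets.
        long e_lfanew;
    } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;

    // Node of a circular doubly linked list.
    typedef struct _LIST_ENTRY
    {
        struct _LIST_ENTRY *Flink;
        struct _LIST_ENTRY *Blink;
    } LIST_ENTRY, *PLIST_ENTRY;

    // Loader bookkeeping reached through _PEB::Ldr. The three list heads link
    // LDR_DATA_TABLE_ENTRY records; a walk ends when it returns to the head.
    // The lists live in writable process memory, so a record missing from
    // them is not proof that a module is not mapped.
    struct PEB_LDR_DATA
    {
        uint32_t Length;
        uint8_t Initialized;
        uintptr_t SsHandle;
        LIST_ENTRY InLoadOrderModuleList;
        LIST_ENTRY InMemoryOrderModuleList;
        LIST_ENTRY InInitializationOrderModuleList;
        uintptr_t EntryInProgress;
        uint8_t ShutdownInProgress;
        uintptr_t ShutdownThreadId;
    };

    // Counted UTF-16 string. Length and MaximumLength are byte counts, and
    // Buffer is not guaranteed to be NUL-terminated; copy or compare by Length.
    struct UNICODE_STRING
    {
        uint16_t Length;
        uint16_t MaximumLength;
        wchar_t *Buffer;
    };

    // Counted narrow string; same length rules as UNICODE_STRING.
    struct STRING
    {
        uint16_t Length;
        uint16_t MaximumLength;
        char *Buffer;
    };

    struct CURDIR
    {
        UNICODE_STRING DosPath;
        uintptr_t Handle;
    };

    struct RTL_DRIVE_LETTER_CURDIR
    {
        uint16_t Flags;
        uint16_t Length;
        uint32_t TimeStamp;
        STRING DosPath;
    };

    // Process start-up parameters reached through _PEB::ProcessParameters.
    struct RTL_USER_PROCESS_PARAMETERS
    {
        uint32_t MaximumLength;
        uint32_t Length;
        uint32_t Flags;
        uint32_t DebugFlags;
        uintptr_t ConsoleHandle;
        uint32_t ConsoleFlags;
        uintptr_t StandardInput;
        uintptr_t StandardOutput;
        uintptr_t StandardError;
        CURDIR CurrentDirectory;
        UNICODE_STRING DllPath;
        UNICODE_STRING ImagePathName;
        UNICODE_STRING CommandLine;
        uintptr_t Environment;
        uint32_t StartingX;
        uint32_t StartingY;
        uint32_t CountX;
        uint32_t CountY;
        uint32_t CountCharsX;
        uint32_t CountCharsY;
        uint32_t FillAttribute;
        uint32_t WindowFlags;
        uint32_t ShowWindowFlags;
        UNICODE_STRING WindowTitle;
        UNICODE_STRING DesktopInfo;
        UNICODE_STRING ShellInfo;
        UNICODE_STRING RuntimeData;
        RTL_DRIVE_LETTER_CURDIR CurrentDirectores[ 32 ];
        uintptr_t EnvironmentSize;
        uintptr_t EnvironmentVersion;
        uintptr_t PackageDependencyData;
        uint32_t ProcessGroupId;
        uint32_t LoaderThreads;
    };

    // Tree node embedded in LDR_DATA_TABLE_ENTRY. Children[] and Left/Right
    // are two views of the same two pointers, so they share storage; declaring
    // them one after the other made the node two pointers too large and moved
    // every member that follows an embedded node.
    struct RTL_BALANCED_NODE
    {
        union
        {
            RTL_BALANCED_NODE *Children[ 2 ];
            struct
            {
                RTL_BALANCED_NODE *Left;
                RTL_BALANCED_NODE *Right;
            };
        };
        uintptr_t ParentValue;
    };

    // Process Environment Block.
    // The explicit PaddingN members follow the 64-bit layout.
    // NOTE(review): a 32-bit build will not match the x86 PEB because of
    // them; confirm whether x86 is a supported target.
    struct _PEB
    {
        uint8_t InheritedAddressSpace;
        uint8_t ReadImageFileExecOptions;
        uint8_t BeingDebugged;
        uint8_t BitField;
        // Padding0[ 4 ] is left implicit: the alignment of the next pointer
        // member supplies it.
        uintptr_t Mutant;
        uintptr_t ImageBaseAddress;
        PEB_LDR_DATA *Ldr;
        RTL_USER_PROCESS_PARAMETERS *ProcessParameters;
        uintptr_t SubSystemData;
        uintptr_t ProcessHeap;
        uintptr_t *FastPebLock;
        uintptr_t AtlThunkSListPtr;
        uintptr_t IFEOKey;
        uint32_t CrossProcessFlags;
        uint8_t Padding1[ 4 ];
        // These two names share one pointer-sized slot. Declaring them as
        // separate members pushed every later field (ApiSetMap, NtGlobalFlag,
        // SessionId, ...) one pointer past its real offset.
        union
        {
            uintptr_t KernelCallbackTable;
            uintptr_t UserSharedInfoPtr;
        };
        uint32_t SystemReserved[ 1 ];
        uint32_t AtlThunkSListPtr32;
        uintptr_t ApiSetMap;
        uint32_t TlsExpansionCounter;
        uint8_t Padding2[ 4 ];
        uintptr_t TlsBitmap;
        uint32_t TlsBitmapBits[ 2 ];
        uintptr_t ReadOnlySharedMemoryBase;
        uintptr_t SparePvoid0;
        uintptr_t ReadOnlyStaticServerData;
        uintptr_t AnsiCodePageData;
        uintptr_t OemCodePageData;
        uintptr_t UnicodeCaseTableData;
        uint32_t NumberOfProcessors;
        uint32_t NtGlobalFlag;
        uint64_t CriticalSectionTimeout;
        uintptr_t HeapSegmentReserve;
        uintptr_t HeapSegmentCommit;
        uintptr_t HeapDeCommitTotalFreeThreshold;
        uintptr_t HeapDeCommitFreeBlockThreshold;
        uint32_t NumberOfHeaps;
        uint32_t MaximumNumberOfHeaps;
        uintptr_t ProcessHeaps;
        uintptr_t GdiSharedHandleTable;
        uintptr_t ProcessStarterHelper;
        uint32_t GdiDCAttributeList;
        uint8_t Padding3[ 4 ];
        uintptr_t *LoaderLock;
        uint32_t OSMajorVersion;
        uint32_t OSMinorVersion;
        uint16_t OSBuildNumber;
        uint16_t OSCSDVersion;
        uint32_t OSPlatformId;
        uint32_t ImageSubsystem;
        uint32_t ImageSubsystemMajorVersion;
        uint32_t ImageSubsystemMinorVersion;
        uint8_t Padding4[ 4 ];
        uintptr_t ActiveProcessAffinityMask;
        // 60 entries with 64-bit pointers, 34 with 32-bit pointers. The
        // previous `#ifdef _WIN32` test is also true on 64-bit Windows, so it
        // selected the 32-bit length there and misplaced every later member.
        uint32_t GdiHandleBuffer[ sizeof( uintptr_t ) == 8 ? 60 : 34 ];
        uintptr_t PostProcessInitRoutine;
        uintptr_t TlsExpansionBitmap;
        uint32_t TlsExpansionBitmapBits[ 32 ];
        uint32_t SessionId;
        uint8_t Padding5[ 4 ];
        uint64_t AppCompatFlags;
        uint64_t AppCompatFlagsUser;
        uintptr_t pShimData;
        uintptr_t AppCompatInfo;
        UNICODE_STRING CSDVersion;
        uintptr_t ActivationContextData;
        uintptr_t ProcessAssemblyStorageMap;
        uintptr_t SystemDefaultActivationContextData;
        uintptr_t SystemAssemblyStorageMap;
        uintptr_t MinimumStackCommit;
        uintptr_t FlsCallback;
        LIST_ENTRY FlsListHead;
        uintptr_t FlsBitmap;
        uint32_t FlsBitmapBits[ 4 ];
        uint32_t FlsHighIndex;
        uintptr_t WerRegistrationData;
        uintptr_t WerShipAssertPtr;
        uintptr_t pUnused;
        uintptr_t pImageHeaderHash;
        uint32_t TracingFlags;
        uint8_t Padding6[ 4 ];
        uint64_t CsrServerReadOnlySharedMemoryBase;
        uintptr_t TppWorkerpListLock;
        LIST_ENTRY TppWorkerpList;
        // NOTE(review): the members from FlsCallback onward differ between
        // Windows builds; verify them against the target build's symbols.
        uintptr_t WaitOnAddressHashTable[ 128 ];
    };

    // Per-module loader record linked from the PEB_LDR_DATA lists. The list
    // links point at the matching *Links member of the next record, not at the
    // start of the record, so subtract that member's offset when walking
    // InMemoryOrderLinks or InInitializationOrderLinks.
    struct LDR_DATA_TABLE_ENTRY
    {
        LIST_ENTRY InLoadOrderLinks;
        LIST_ENTRY InMemoryOrderLinks;
        LIST_ENTRY InInitializationOrderLinks;
        uintptr_t DllBase;
        uintptr_t EntryPoint;
        uint32_t SizeOfImage;
        UNICODE_STRING FullDllName;
        UNICODE_STRING BaseDllName;
        // Byte view and 32-bit view of the same flag word. As two separate
        // members they moved HashLinks and everything after it.
        union
        {
            uint8_t FlagGroup[ 4 ];
            uint32_t Flags;
        };
        uint16_t ObsoleteLoadCount;
        uint16_t TlsIndex;
        LIST_ENTRY HashLinks;
        uint32_t TimeDateStamp;
        uintptr_t EntryPointActivationContext;
        uintptr_t Lock;
        uintptr_t DdagNode;
        LIST_ENTRY NodeModuleLink;
        uintptr_t LoadContext;
        uintptr_t ParentDllBase;
        uintptr_t SwitchBackContext;
        RTL_BALANCED_NODE BaseAddressIndexNode;
        RTL_BALANCED_NODE MappingInfoIndexNode;
        uintptr_t OriginalBase;
        int64_t LoadTime;
        uint32_t BaseNameHashValue;
        uint32_t LoadReason;
        uint32_t ImplicitPathOptions;
        uint32_t ReferenceCount;
    };
} // namespace nt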