Last active
February 7, 2020 13:28
-
-
Save andreafioraldi/c87810dc8e1896dbf104ec4c7a36743d to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // ----------------------------------------------------- | |
| // Common definitions outside Ghidra | |
| // ----------------------------------------------------- | |
| typedef unsigned char byte; | |
| typedef long long longlong; | |
| typedef unsigned char uchar; | |
| typedef unsigned int uint; | |
| typedef unsigned long ulong; | |
| typedef unsigned long long ulonglong; | |
| typedef unsigned char undefined; | |
| typedef unsigned char undefined1; | |
| typedef unsigned short undefined2; | |
| typedef unsigned int undefined4; | |
| typedef unsigned long long undefined6; | |
| typedef unsigned long long undefined8; | |
| typedef unsigned short ushort; | |
| typedef short wchar_t; | |
| // ----------------------------------------------------- | |
| // Common typedefs | |
| // ----------------------------------------------------- | |
| typedef union _LARGE_INTEGER _LARGE_INTEGER, *P_LARGE_INTEGER; | |
| typedef union _ULARGE_INTEGER _ULARGE_INTEGER, *P_ULARGE_INTEGER; | |
| typedef struct _STRING _STRING, *P_STRING; | |
| typedef struct _UNICODE_STRING _UNICODE_STRING, *P_UNICODE_STRING; | |
| typedef struct _LIST_ENTRY _LIST_ENTRY, *P_LIST_ENTRY; | |
| typedef struct _SINGLE_LIST_ENTRY _SINGLE_LIST_ENTRY, *P_SINGLE_LIST_ENTRY; | |
| typedef union _SLIST_HEADER _SLIST_HEADER, *P_SLIST_HEADER; | |
| typedef struct _ACTIVATION_CONTEXT _ACTIVATION_CONTEXT, *P_ACTIVATION_CONTEXT; | |
| typedef struct _ACTIVATION_CONTEXT_DATA _ACTIVATION_CONTEXT_DATA, *P_ACTIVATION_CONTEXT_DATA; | |
| typedef struct _ASSEMBLY_STORAGE_MAP _ASSEMBLY_STORAGE_MAP, *P_ASSEMBLY_STORAGE_MAP; | |
| typedef struct _FLS_CALLBACK_INFO _FLS_CALLBACK_INFO, *P_FLS_CALLBACK_INFO; | |
| typedef struct _LEAP_SECOND_DATA _LEAP_SECOND_DATA, *P_LEAP_SECOND_DATA; | |
| // ----------------------------------------------------- | |
| // Common structures | |
| // ----------------------------------------------------- | |
| struct _struct_1262 { | |
| ulong LowPart; | |
| long HighPart; | |
| }; | |
| struct _struct_1263 { | |
| ulong LowPart; | |
| long HighPart; | |
| }; | |
| union _union_1261 { | |
| struct _struct_1262 field0; | |
| struct _struct_1263 u; | |
| longlong QuadPart; | |
| }; | |
| union _LARGE_INTEGER { | |
| union _union_1261 field0; | |
| }; | |
| struct _struct_1319 { | |
| ulong LowPart; | |
| ulong HighPart; | |
| }; | |
| struct _struct_1320 { | |
| ulong LowPart; | |
| ulong HighPart; | |
| }; | |
| union _union_1318 { | |
| struct _struct_1319 field0; | |
| struct _struct_1320 u; | |
| ulonglong QuadPart; | |
| }; | |
| union _ULARGE_INTEGER { | |
| union _union_1318 field0; | |
| }; | |
| struct _STRING { | |
| ushort Length; | |
| ushort MaximumLength; | |
| char * Buffer; | |
| }; | |
| struct _UNICODE_STRING { | |
| ushort Length; | |
| ushort MaximumLength; | |
| wchar_t * Buffer; | |
| }; | |
| struct _LIST_ENTRY { | |
| struct _LIST_ENTRY * Flink; | |
| struct _LIST_ENTRY * Blink; | |
| }; | |
| struct _SINGLE_LIST_ENTRY { | |
| struct _SINGLE_LIST_ENTRY * Next; | |
| }; | |
| struct _struct_1271 { | |
| struct _SINGLE_LIST_ENTRY Next; | |
| ushort Depth; | |
| ushort CpuId; | |
| }; | |
| union _union_1270 { | |
| ulonglong Alignment; | |
| struct _struct_1271 field1; | |
| }; | |
| union _SLIST_HEADER { | |
| union _union_1270 field0; | |
| }; | |
| struct _ACTIVATION_CONTEXT { | |
| }; | |
| struct _ACTIVATION_CONTEXT_DATA { | |
| }; | |
| struct _ASSEMBLY_STORAGE_MAP { | |
| }; | |
| struct _FLS_CALLBACK_INFO { | |
| }; | |
| struct _LEAP_SECOND_DATA { | |
| uchar Enabled; | |
| char Padding_35[3]; | |
| ulong Count; | |
| union _LARGE_INTEGER Data[1]; | |
| }; | |
| // ----------------------------------------------------- | |
| // RTL typedefs | |
| // ----------------------------------------------------- | |
| typedef struct _RTL_BALANCED_NODE _RTL_BALANCED_NODE, *P_RTL_BALANCED_NODE; | |
| typedef struct _CURDIR _CURDIR, *P_CURDIR; | |
| typedef struct _RTL_USER_PROCESS_PARAMETERS _RTL_USER_PROCESS_PARAMETERS, *P_RTL_USER_PROCESS_PARAMETERS; | |
| typedef struct _RTL_DRIVE_LETTER_CURDIR _RTL_DRIVE_LETTER_CURDIR, *P_RTL_DRIVE_LETTER_CURDIR; | |
| typedef struct _RTL_CRITICAL_SECTION _RTL_CRITICAL_SECTION, *P_RTL_CRITICAL_SECTION; | |
| typedef struct _RTL_CRITICAL_SECTION_DEBUG _RTL_CRITICAL_SECTION_DEBUG, *P_RTL_CRITICAL_SECTION_DEBUG; | |
| // ----------------------------------------------------- | |
| // RTL structures | |
| // ----------------------------------------------------- | |
| union _union_9975 { | |
| uchar Red:1; // : bits 0 | |
| uchar Balance:2; // : bits 1-2 | |
| ulong ParentValue; | |
| }; | |
| struct _struct_9972 { | |
| struct _RTL_BALANCED_NODE * Left; | |
| struct _RTL_BALANCED_NODE * Right; | |
| }; | |
| union _union_9970 { | |
| struct _RTL_BALANCED_NODE * Children[2]; | |
| struct _struct_9972 field1; | |
| }; | |
| struct _RTL_BALANCED_NODE { | |
| union _union_9970 field_0x0; | |
| union _union_9975 field_0x8; | |
| }; | |
| struct _CURDIR { | |
| struct _UNICODE_STRING DosPath; | |
| void * Handle; | |
| }; | |
| struct _RTL_DRIVE_LETTER_CURDIR { | |
| ushort Flags; | |
| ushort Length; | |
| ulong TimeStamp; | |
| struct _STRING DosPath; | |
| }; | |
| struct _RTL_USER_PROCESS_PARAMETERS { | |
| ulong MaximumLength; | |
| ulong Length; | |
| ulong Flags; | |
| ulong DebugFlags; | |
| void * ConsoleHandle; | |
| ulong ConsoleFlags; | |
| void * StandardInput; | |
| void * StandardOutput; | |
| void * StandardError; | |
| struct _CURDIR CurrentDirectory; | |
| struct _UNICODE_STRING DllPath; | |
| struct _UNICODE_STRING ImagePathName; | |
| struct _UNICODE_STRING CommandLine; | |
| void * Environment; | |
| ulong StartingX; | |
| ulong StartingY; | |
| ulong CountX; | |
| ulong CountY; | |
| ulong CountCharsX; | |
| ulong CountCharsY; | |
| ulong FillAttribute; | |
| ulong WindowFlags; | |
| ulong ShowWindowFlags; | |
| struct _UNICODE_STRING WindowTitle; | |
| struct _UNICODE_STRING DesktopInfo; | |
| struct _UNICODE_STRING ShellInfo; | |
| struct _UNICODE_STRING RuntimeData; | |
| struct _RTL_DRIVE_LETTER_CURDIR CurrentDirectores[32]; | |
| ulong EnvironmentSize; | |
| ulong EnvironmentVersion; | |
| void * PackageDependencyData; | |
| ulong ProcessGroupId; | |
| ulong LoaderThreads; | |
| struct _UNICODE_STRING RedirectionDllName; | |
| }; | |
| struct _RTL_CRITICAL_SECTION_DEBUG { | |
| ushort Type; | |
| ushort CreatorBackTraceIndex; | |
| struct _RTL_CRITICAL_SECTION * CriticalSection; | |
| struct _LIST_ENTRY ProcessLocksList; | |
| ulong EntryCount; | |
| ulong ContentionCount; | |
| ulong Flags; | |
| ushort CreatorBackTraceIndexHigh; | |
| ushort SpareUSHORT; | |
| }; | |
| struct _RTL_CRITICAL_SECTION { | |
| struct _RTL_CRITICAL_SECTION_DEBUG * DebugInfo; | |
| long LockCount; | |
| long RecursionCount; | |
| void * OwningThread; | |
| void * LockSemaphore; | |
| ulong SpinCount; | |
| }; | |
| // ----------------------------------------------------- | |
| // LDR typedefs | |
| // ----------------------------------------------------- | |
| typedef struct _LDR_DATA_TABLE_ENTRY _LDR_DATA_TABLE_ENTRY, *P_LDR_DATA_TABLE_ENTRY; | |
| typedef struct _LDR_DATA_TABLE_ENTRY_0x8 _LDR_DATA_TABLE_ENTRY_0x8, *P_LDR_DATA_TABLE_ENTRY_0x8; | |
| typedef struct _LDR_DATA_TABLE_ENTRY_0x10 _LDR_DATA_TABLE_ENTRY_0x10, *P_LDR_DATA_TABLE_ENTRY_0x10; | |
| typedef struct _LDR_SERVICE_TAG_RECORD _LDR_SERVICE_TAG_RECORD, *P_LDR_SERVICE_TAG_RECORD; | |
| typedef struct _LDR_DDAG_NODE _LDR_DDAG_NODE, *P_LDR_DDAG_NODE; | |
| typedef struct _LDRP_LOAD_CONTEXT _LDRP_LOAD_CONTEXT, *P_LDRP_LOAD_CONTEXT; | |
| typedef enum _LDR_DLL_LOAD_REASON { | |
| LoadReasonAsDataLoad=6, | |
| LoadReasonAsImageLoad=5, | |
| LoadReasonDelayloadDependency=3, | |
| LoadReasonDynamicForwarderDependency=2, | |
| LoadReasonDynamicLoad=4, | |
| LoadReasonEnclaveDependency=8, | |
| LoadReasonEnclavePrimary=7, | |
| LoadReasonStaticDependency=0, | |
| LoadReasonStaticForwarderDependency=1, | |
| LoadReasonUnknown=9 | |
| } _LDR_DLL_LOAD_REASON; | |
| typedef enum _LDR_DDAG_STATE { | |
| LdrModulesCondensed=6, | |
| LdrModulesInitError=1, | |
| LdrModulesInitializing=8, | |
| LdrModulesMapped=2, | |
| LdrModulesMapping=1, | |
| LdrModulesMerged=0, | |
| LdrModulesPlaceHolder=0, | |
| LdrModulesReadyToInit=7, | |
| LdrModulesReadyToRun=9, | |
| LdrModulesSnapError=2, | |
| LdrModulesSnapped=5, | |
| LdrModulesSnapping=4, | |
| LdrModulesUnloaded=3, | |
| LdrModulesUnloading=4, | |
| LdrModulesWaitingForDependencies=3 | |
| } _LDR_DDAG_STATE; | |
| // ----------------------------------------------------- | |
| // LDR structures | |
| // ----------------------------------------------------- | |
| struct _LDRP_CSLIST { | |
| struct _SINGLE_LIST_ENTRY * Tail; | |
| }; | |
| struct _LDR_SERVICE_TAG_RECORD { | |
| struct _LDR_SERVICE_TAG_RECORD * Next; | |
| ulong ServiceTag; | |
| }; | |
| struct _LDR_DDAG_NODE { | |
| struct _LIST_ENTRY Modules; | |
| struct _LDR_SERVICE_TAG_RECORD * ServiceTagList; | |
| ulong LoadCount; | |
| ulong LoadWhileUnloadingCount; | |
| ulong LowestLink; | |
| struct _LDRP_CSLIST Dependencies; | |
| struct _LDRP_CSLIST IncomingDependencies; | |
| enum _LDR_DDAG_STATE State; | |
| struct _SINGLE_LIST_ENTRY CondenseLink; | |
| ulong PreorderNumber; | |
| }; | |
| struct _LDR_DATA_TABLE_ENTRY { | |
| struct _LIST_ENTRY InLoadOrderLinks; | |
| struct _LIST_ENTRY InMemoryOrderLinks; | |
| struct _LIST_ENTRY InInitializationOrderLinks; | |
| void * DllBase; | |
| void * EntryPoint; | |
| ulong SizeOfImage; | |
| struct _UNICODE_STRING FullDllName; | |
| struct _UNICODE_STRING BaseDllName; | |
| union _union_9066 field_0x24; | |
| ushort ObsoleteLoadCount; | |
| ushort TlsIndex; | |
| struct _LIST_ENTRY HashLinks; | |
| ulong TimeDateStamp; | |
| struct _ACTIVATION_CONTEXT * EntryPointActivationContext; | |
| void * Lock; | |
| struct _LDR_DDAG_NODE * DdagNode; | |
| struct _LIST_ENTRY NodeModuleLink; | |
| struct _LDRP_LOAD_CONTEXT * LoadContext; | |
| void * ParentDllBase; | |
| void * SwitchBackContext; | |
| struct _RTL_BALANCED_NODE BaseAddressIndexNode; | |
| struct _RTL_BALANCED_NODE MappingInfoIndexNode; | |
| ulong OriginalBase; | |
| long Padding_84; | |
| union _LARGE_INTEGER LoadTime; | |
| ulong BaseNameHashValue; | |
| enum _LDR_DLL_LOAD_REASON LoadReason; | |
| ulong ImplicitPathOptions; | |
| ulong ReferenceCount; | |
| ulong DependentLoadFlags; | |
| uchar SigningLevel; | |
| char __PADDING__[3]; | |
| }; | |
| struct _LDR_DATA_TABLE_ENTRY_0x8 { | |
| struct _LIST_ENTRY InMemoryOrderLinks; | |
| struct _LIST_ENTRY InInitializationOrderLinks; | |
| void * DllBase; | |
| void * EntryPoint; | |
| ulong SizeOfImage; | |
| struct _UNICODE_STRING FullDllName; | |
| struct _UNICODE_STRING BaseDllName; | |
| union _union_9066 field_0x24; | |
| ushort ObsoleteLoadCount; | |
| ushort TlsIndex; | |
| struct _LIST_ENTRY HashLinks; | |
| ulong TimeDateStamp; | |
| struct _ACTIVATION_CONTEXT * EntryPointActivationContext; | |
| void * Lock; | |
| struct _LDR_DDAG_NODE * DdagNode; | |
| struct _LIST_ENTRY NodeModuleLink; | |
| struct _LDRP_LOAD_CONTEXT * LoadContext; | |
| void * ParentDllBase; | |
| void * SwitchBackContext; | |
| struct _RTL_BALANCED_NODE BaseAddressIndexNode; | |
| struct _RTL_BALANCED_NODE MappingInfoIndexNode; | |
| ulong OriginalBase; | |
| long Padding_84; | |
| union _LARGE_INTEGER LoadTime; | |
| ulong BaseNameHashValue; | |
| enum _LDR_DLL_LOAD_REASON LoadReason; | |
| ulong ImplicitPathOptions; | |
| ulong ReferenceCount; | |
| ulong DependentLoadFlags; | |
| uchar SigningLevel; | |
| char __PADDING__[3]; | |
| }; | |
| struct _LDR_DATA_TABLE_ENTRY_0x10 { | |
| struct _LIST_ENTRY InInitializationOrderLinks; | |
| void * DllBase; | |
| void * EntryPoint; | |
| ulong SizeOfImage; | |
| struct _UNICODE_STRING FullDllName; | |
| struct _UNICODE_STRING BaseDllName; | |
| union _union_9066 field_0x24; | |
| ushort ObsoleteLoadCount; | |
| ushort TlsIndex; | |
| struct _LIST_ENTRY HashLinks; | |
| ulong TimeDateStamp; | |
| struct _ACTIVATION_CONTEXT * EntryPointActivationContext; | |
| void * Lock; | |
| struct _LDR_DDAG_NODE * DdagNode; | |
| struct _LIST_ENTRY NodeModuleLink; | |
| struct _LDRP_LOAD_CONTEXT * LoadContext; | |
| void * ParentDllBase; | |
| void * SwitchBackContext; | |
| struct _RTL_BALANCED_NODE BaseAddressIndexNode; | |
| struct _RTL_BALANCED_NODE MappingInfoIndexNode; | |
| ulong OriginalBase; | |
| long Padding_84; | |
| union _LARGE_INTEGER LoadTime; | |
| ulong BaseNameHashValue; | |
| enum _LDR_DLL_LOAD_REASON LoadReason; | |
| ulong ImplicitPathOptions; | |
| ulong ReferenceCount; | |
| ulong DependentLoadFlags; | |
| uchar SigningLevel; | |
| char __PADDING__[3]; | |
| }; | |
| // ----------------------------------------------------- | |
| // PEB typedefs | |
| // ----------------------------------------------------- | |
| typedef struct _PEB _PEB, *P_PEB; | |
| typedef struct _PEB_LDR_DATA _PEB_LDR_DATA, *P_PEB_LDR_DATA; | |
| // ----------------------------------------------------- | |
| // PEB structures | |
| // ----------------------------------------------------- | |
| union anon__struct_7914_bitfield_1 { | |
| ulong ProcessInJob:1; // : bits 0 | |
| ulong ProcessInitializing:1; // : bits 1 | |
| ulong ProcessUsingVEH:1; // : bits 2 | |
| ulong ProcessUsingVCH:1; // : bits 3 | |
| ulong ProcessUsingFTH:1; // : bits 4 | |
| ulong ProcessPreviouslyThrottled:1; // : bits 5 | |
| ulong ProcessCurrentlyThrottled:1; // : bits 6 | |
| ulong ProcessImagesHotPatched:1; // : bits 7 | |
| ulong ReservedBits0:24; // : bits 8-31 | |
| }; | |
| struct _struct_7914 { | |
| union anon__struct_7914_bitfield_1 field_0x0; | |
| }; | |
| union _union_7913 { | |
| ulong CrossProcessFlags; | |
| struct _struct_7914 field1; | |
| }; | |
| union _union_7915 { | |
| void * KernelCallbackTable; | |
| void * UserSharedInfoPtr; | |
| }; | |
| union anon__struct_7929_bitfield_1 { | |
| ulong HeapTracingEnabled:1; // : bits 0 | |
| ulong CritSecTracingEnabled:1; // : bits 1 | |
| ulong LibLoaderTracingEnabled:1; // : bits 2 | |
| ulong SpareTracingBits:29; // : bits 3-31 | |
| }; | |
| struct _struct_7929 { | |
| union anon__struct_7929_bitfield_1 field_0x0; | |
| }; | |
| union _union_7928 { | |
| ulong TracingFlags; | |
| struct _struct_7929 field1; | |
| }; | |
| struct _PEB { | |
| uchar InheritedAddressSpace; | |
| uchar ReadImageFileExecOptions; | |
| uchar BeingDebugged; | |
| union _union_7907 field_0x3; | |
| void * Mutant; | |
| void * ImageBaseAddress; | |
| struct _PEB_LDR_DATA * Ldr; | |
| struct _RTL_USER_PROCESS_PARAMETERS * ProcessParameters; | |
| void * SubSystemData; | |
| void * ProcessHeap; | |
| struct _RTL_CRITICAL_SECTION * FastPebLock; | |
| union _SLIST_HEADER * AtlThunkSListPtr; | |
| void * IFEOKey; | |
| union _union_7913 field_0x28; | |
| union _union_7915 field_0x2c; | |
| ulong SystemReserved; | |
| union _SLIST_HEADER * AtlThunkSListPtr32; | |
| void * ApiSetMap; | |
| ulong TlsExpansionCounter; | |
| void * TlsBitmap; | |
| ulong TlsBitmapBits[2]; | |
| void * ReadOnlySharedMemoryBase; | |
| void * SharedData; | |
| void * * ReadOnlyStaticServerData; | |
| void * AnsiCodePageData; | |
| void * OemCodePageData; | |
| void * UnicodeCaseTableData; | |
| ulong NumberOfProcessors; | |
| ulong NtGlobalFlag; | |
| long Padding_30; | |
| union _LARGE_INTEGER CriticalSectionTimeout; | |
| ulong HeapSegmentReserve; | |
| ulong HeapSegmentCommit; | |
| ulong HeapDeCommitTotalFreeThreshold; | |
| ulong HeapDeCommitFreeBlockThreshold; | |
| ulong NumberOfHeaps; | |
| ulong MaximumNumberOfHeaps; | |
| void * * ProcessHeaps; | |
| void * GdiSharedHandleTable; | |
| void * ProcessStarterHelper; | |
| ulong GdiDCAttributeList; | |
| struct _RTL_CRITICAL_SECTION * LoaderLock; | |
| ulong OSMajorVersion; | |
| ulong OSMinorVersion; | |
| ushort OSBuildNumber; | |
| ushort OSCSDVersion; | |
| ulong OSPlatformId; | |
| ulong ImageSubsystem; | |
| ulong ImageSubsystemMajorVersion; | |
| ulong ImageSubsystemMinorVersion; | |
| ulong ActiveProcessAffinityMask; | |
| ulong GdiHandleBuffer[34]; | |
| void * PostProcessInitRoutine; | |
| void * TlsExpansionBitmap; | |
| ulong TlsExpansionBitmapBits[32]; | |
| ulong SessionId; | |
| union _ULARGE_INTEGER AppCompatFlags; | |
| union _ULARGE_INTEGER AppCompatFlagsUser; | |
| void * pShimData; | |
| void * AppCompatInfo; | |
| struct _UNICODE_STRING CSDVersion; | |
| struct _ACTIVATION_CONTEXT_DATA * ActivationContextData; | |
| struct _ASSEMBLY_STORAGE_MAP * ProcessAssemblyStorageMap; | |
| struct _ACTIVATION_CONTEXT_DATA * SystemDefaultActivationContextData; | |
| struct _ASSEMBLY_STORAGE_MAP * SystemAssemblyStorageMap; | |
| ulong MinimumStackCommit; | |
| struct _FLS_CALLBACK_INFO * FlsCallback; | |
| struct _LIST_ENTRY FlsListHead; | |
| void * FlsBitmap; | |
| ulong FlsBitmapBits[4]; | |
| ulong FlsHighIndex; | |
| void * WerRegistrationData; | |
| void * WerShipAssertPtr; | |
| void * pUnused; | |
| void * pImageHeaderHash; | |
| union _union_7928 field_0x240; | |
| long Padding_31; | |
| ulonglong CsrServerReadOnlySharedMemoryBase; | |
| ulong TppWorkerpListLock; | |
| struct _LIST_ENTRY TppWorkerpList; | |
| void * WaitOnAddressHashTable[128]; | |
| void * TelemetryCoverageHeader; | |
| ulong CloudFileFlags; | |
| ulong CloudFileDiagFlags; | |
| char PlaceholderCompatibilityMode; | |
| char PlaceholderCompatibilityModeReserved[7]; | |
| struct _LEAP_SECOND_DATA * LeapSecondData; | |
| union _union_7932 field_0x474; | |
| ulong NtGlobalFlag2; | |
| long __PADDING__[1]; | |
| }; | |
| struct _PEB_LDR_DATA { | |
| ulong Length; | |
| uchar Initialized; | |
| char Padding_32[3]; | |
| void * SsHandle; | |
| struct _LIST_ENTRY InLoadOrderModuleList; | |
| struct _LIST_ENTRY InMemoryOrderModuleList; | |
| struct _LIST_ENTRY InInitializationOrderModuleList; | |
| void * EntryInProgress; | |
| uchar ShutdownInProgress; | |
| char Padding_33[3]; | |
| void * ShutdownThreadId; | |
| }; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment