// Windows 8 x86
// Hibernation file header (PO_MEMORY_IMAGE) as laid out for this build and
// architecture. The /*0x...*/ prefixes are byte offsets from the start of the
// structure; the total size is 0x2C8 bytes.
// Every definition in this listing reuses the names _PO_MEMORY_IMAGE and
// PO_MEMORY_IMAGE, so it is a per-build reference: it cannot be compiled as a
// single translation unit unless each variant is renamed.
// NOTE(review): a parser should choose the layout from the image's OS build
// and bitness, and treat every field as untrusted file data - range-check
// sizes, page counts and page numbers against the file length before use.
typedef struct _PO_MEMORY_IMAGE // 38 elements, 0x2C8 bytes (sizeof)
{
// presumably the magic value identifying the image - verify accepted values per build
/*0x000*/ ULONG32 Signature;
/*0x004*/ ULONG32 ImageType;
/*0x008*/ ULONG32 CheckSum;
// NOTE(review): presumably the header's own length; if so, compare it with the
// 0x2C8 expected for this layout before trusting later offsets - confirm
/*0x00C*/ ULONG32 LengthSelf;
// page-number and address fields are 32-bit in the x86 layouts
/*0x010*/ ULONG32 PageSelf;
/*0x014*/ ULONG32 PageSize;
/*0x018*/ union _LARGE_INTEGER SystemTime; // 4 elements, 0x8 bytes (sizeof)
/*0x020*/ UINT64 InterruptTime;
/*0x028*/ ULONG32 FeatureFlags;
/*0x02C*/ UINT8 HiberFlags;
/*0x02D*/ UINT8 spare[3];
/*0x030*/ ULONG32 NoHiberPtes;
/*0x034*/ ULONG32 HiberVa;
/*0x038*/ ULONG32 NoFreePages;
/*0x03C*/ ULONG32 FreeMapCheck;
/*0x040*/ ULONG32 WakeCheck;
// _PADDINGn_ members look like alignment filler emitted by the dump tool, here
// aligning the following UINT64 to 8 bytes
/*0x044*/ UINT8 _PADDING0_[0x4];
/*0x048*/ UINT64 NumPagesForLoader;
/*0x050*/ ULONG32 FirstBootRestorePage;
/*0x054*/ ULONG32 FirstKernelRestorePage;
// _PO_HIBER_PERF is defined elsewhere; its 0x1A8 size fixes every offset below
/*0x058*/ struct _PO_HIBER_PERF PerfInfo; // 56 elements, 0x1A8 bytes (sizeof)
/*0x200*/ ULONG32 FirmwareRuntimeInformationPages;
/*0x204*/ ULONG32 FirmwareRuntimeInformation[1];
/*0x208*/ ULONG32 SiLogOffset;
/*0x20C*/ ULONG32 NoBootLoaderLogPages;
// fixed capacity of 24 entries; NOTE(review): NoBootLoaderLogPages presumably
// counts the valid ones - clamp it to 24 before indexing, confirm
/*0x210*/ ULONG32 BootLoaderLogPages[24];
/*0x270*/ ULONG32 NotUsed;
/*0x274*/ ULONG32 ResumeContextCheck;
/*0x278*/ ULONG32 ResumeContextPages;
/*0x27C*/ UINT8 Hiberboot;
/*0x27D*/ UINT8 _PADDING1_[0x3];
/*0x280*/ UINT64 HvCr3;
/*0x288*/ UINT64 HvEntryPoint;
/*0x290*/ UINT64 HvReservedTransitionAddress;
/*0x298*/ UINT64 HvReservedTransitionAddressSize;
/*0x2A0*/ UINT64 BootFlags;
/*0x2A8*/ UINT64 HalEntryPointPhysical;
/*0x2B0*/ ULONG32 HighestPhysicalPage;
// NOTE(review): the name suggests page frame numbers of pages tied to BitLocker
// key material - confirm; either way, handle hibernation images as sensitive
/*0x2B4*/ ULONG32 BitlockerKeyPfns[4];
/*0x2C4*/ ULONG32 HardwareSignature;
}PO_MEMORY_IMAGE, *PPO_MEMORY_IMAGE;
// Windows 8 x64
// Hibernation file header (PO_MEMORY_IMAGE) for this build and architecture;
// /*0x...*/ prefixes are byte offsets, total size 0x360 bytes.
// Compared with the Windows 8 x86 layout in this listing, PageSelf, HiberVa,
// FirstBootRestorePage, FirstKernelRestorePage, FirmwareRuntimeInformation,
// BootLoaderLogPages, HighestPhysicalPage and BitlockerKeyPfns are UINT64
// instead of ULONG32, and extra alignment padding shifts the offsets.
// NOTE(review): a parser must not reuse x86 offsets for an x64 image; select
// the layout by bitness and build, and treat all fields as untrusted input.
typedef struct _PO_MEMORY_IMAGE // 38 elements, 0x360 bytes (sizeof)
{
// presumably the magic value identifying the image - verify accepted values per build
/*0x000*/ ULONG32 Signature;
/*0x004*/ ULONG32 ImageType;
/*0x008*/ ULONG32 CheckSum;
// NOTE(review): presumably the header's own length; if so, compare it with the
// 0x360 expected for this layout before trusting later offsets - confirm
/*0x00C*/ ULONG32 LengthSelf;
/*0x010*/ UINT64 PageSelf;
/*0x018*/ ULONG32 PageSize;
// _PADDINGn_ members look like alignment filler emitted by the dump tool
/*0x01C*/ UINT8 _PADDING0_[0x4];
/*0x020*/ union _LARGE_INTEGER SystemTime; // 4 elements, 0x8 bytes (sizeof)
/*0x028*/ UINT64 InterruptTime;
// 32-bit in this build; the Windows 8.1 x64 layout in this listing widens it
/*0x030*/ ULONG32 FeatureFlags;
/*0x034*/ UINT8 HiberFlags;
/*0x035*/ UINT8 spare[3];
/*0x038*/ ULONG32 NoHiberPtes;
/*0x03C*/ UINT8 _PADDING1_[0x4];
/*0x040*/ UINT64 HiberVa;
/*0x048*/ ULONG32 NoFreePages;
/*0x04C*/ ULONG32 FreeMapCheck;
/*0x050*/ ULONG32 WakeCheck;
/*0x054*/ UINT8 _PADDING2_[0x4];
/*0x058*/ UINT64 NumPagesForLoader;
/*0x060*/ UINT64 FirstBootRestorePage;
/*0x068*/ UINT64 FirstKernelRestorePage;
// _PO_HIBER_PERF is defined elsewhere; its 0x1A8 size fixes every offset below
/*0x070*/ struct _PO_HIBER_PERF PerfInfo; // 56 elements, 0x1A8 bytes (sizeof)
/*0x218*/ ULONG32 FirmwareRuntimeInformationPages;
/*0x21C*/ UINT8 _PADDING3_[0x4];
/*0x220*/ UINT64 FirmwareRuntimeInformation[1];
/*0x228*/ ULONG32 SiLogOffset;
/*0x22C*/ ULONG32 NoBootLoaderLogPages;
// fixed capacity of 24 entries; NOTE(review): NoBootLoaderLogPages presumably
// counts the valid ones - clamp it to 24 before indexing, confirm
/*0x230*/ UINT64 BootLoaderLogPages[24];
/*0x2F0*/ ULONG32 NotUsed;
/*0x2F4*/ ULONG32 ResumeContextCheck;
/*0x2F8*/ ULONG32 ResumeContextPages;
/*0x2FC*/ UINT8 Hiberboot;
/*0x2FD*/ UINT8 _PADDING4_[0x3];
/*0x300*/ UINT64 HvCr3;
/*0x308*/ UINT64 HvEntryPoint;
/*0x310*/ UINT64 HvReservedTransitionAddress;
/*0x318*/ UINT64 HvReservedTransitionAddressSize;
/*0x320*/ UINT64 BootFlags;
/*0x328*/ UINT64 HalEntryPointPhysical;
/*0x330*/ UINT64 HighestPhysicalPage;
// NOTE(review): the name suggests page frame numbers of pages tied to BitLocker
// key material - confirm; either way, handle hibernation images as sensitive
/*0x338*/ UINT64 BitlockerKeyPfns[4];
/*0x358*/ ULONG32 HardwareSignature;
// tail padding that rounds the structure up to a multiple of 8 bytes
/*0x35C*/ UINT8 _PADDING5_[0x4];
}PO_MEMORY_IMAGE, *PPO_MEMORY_IMAGE;
// Windows 8.1 x86
// Hibernation file header (PO_MEMORY_IMAGE) for this build and architecture;
// /*0x...*/ prefixes are byte offsets, total size 0x2C8 bytes.
// As listed here it matches the Windows 8 x86 layout field for field (same
// types, offsets and size), so the header layout alone does not tell a
// Windows 8 x86 image from a Windows 8.1 x86 one.
// NOTE(review): treat every field as untrusted file data - range-check sizes,
// page counts and page numbers against the file length before use.
typedef struct _PO_MEMORY_IMAGE // 38 elements, 0x2C8 bytes (sizeof)
{
// presumably the magic value identifying the image - verify accepted values per build
/*0x000*/ ULONG32 Signature;
/*0x004*/ ULONG32 ImageType;
/*0x008*/ ULONG32 CheckSum;
// NOTE(review): presumably the header's own length; if so, compare it with the
// 0x2C8 expected for this layout before trusting later offsets - confirm
/*0x00C*/ ULONG32 LengthSelf;
// page-number and address fields are 32-bit in the x86 layouts
/*0x010*/ ULONG32 PageSelf;
/*0x014*/ ULONG32 PageSize;
/*0x018*/ union _LARGE_INTEGER SystemTime; // 4 elements, 0x8 bytes (sizeof)
/*0x020*/ UINT64 InterruptTime;
// still 32-bit here, although the Windows 8.1 x64 layout in this listing uses UINT64
/*0x028*/ ULONG32 FeatureFlags;
/*0x02C*/ UINT8 HiberFlags;
/*0x02D*/ UINT8 spare[3];
/*0x030*/ ULONG32 NoHiberPtes;
/*0x034*/ ULONG32 HiberVa;
/*0x038*/ ULONG32 NoFreePages;
/*0x03C*/ ULONG32 FreeMapCheck;
/*0x040*/ ULONG32 WakeCheck;
// _PADDINGn_ members look like alignment filler emitted by the dump tool
/*0x044*/ UINT8 _PADDING0_[0x4];
/*0x048*/ UINT64 NumPagesForLoader;
/*0x050*/ ULONG32 FirstBootRestorePage;
/*0x054*/ ULONG32 FirstKernelRestorePage;
// _PO_HIBER_PERF is defined elsewhere; its 0x1A8 size fixes every offset below
/*0x058*/ struct _PO_HIBER_PERF PerfInfo; // 56 elements, 0x1A8 bytes (sizeof)
/*0x200*/ ULONG32 FirmwareRuntimeInformationPages;
/*0x204*/ ULONG32 FirmwareRuntimeInformation[1];
/*0x208*/ ULONG32 SiLogOffset;
/*0x20C*/ ULONG32 NoBootLoaderLogPages;
// fixed capacity of 24 entries; NOTE(review): NoBootLoaderLogPages presumably
// counts the valid ones - clamp it to 24 before indexing, confirm
/*0x210*/ ULONG32 BootLoaderLogPages[24];
/*0x270*/ ULONG32 NotUsed;
/*0x274*/ ULONG32 ResumeContextCheck;
/*0x278*/ ULONG32 ResumeContextPages;
/*0x27C*/ UINT8 Hiberboot;
/*0x27D*/ UINT8 _PADDING1_[0x3];
/*0x280*/ UINT64 HvCr3;
/*0x288*/ UINT64 HvEntryPoint;
/*0x290*/ UINT64 HvReservedTransitionAddress;
/*0x298*/ UINT64 HvReservedTransitionAddressSize;
/*0x2A0*/ UINT64 BootFlags;
/*0x2A8*/ UINT64 HalEntryPointPhysical;
/*0x2B0*/ ULONG32 HighestPhysicalPage;
// NOTE(review): the name suggests page frame numbers of pages tied to BitLocker
// key material - confirm; either way, handle hibernation images as sensitive
/*0x2B4*/ ULONG32 BitlockerKeyPfns[4];
/*0x2C4*/ ULONG32 HardwareSignature;
}PO_MEMORY_IMAGE, *PPO_MEMORY_IMAGE;
// Windows 8.1 x64
// Hibernation file header (PO_MEMORY_IMAGE) for this build and architecture;
// /*0x...*/ prefixes are byte offsets, total size 0x360 bytes.
// Compared with the Windows 8 x64 layout in this listing, FeatureFlags grows
// from ULONG32 to UINT64, which moves HiberFlags (0x034 -> 0x038), spare and
// NoHiberPtes (0x038 -> 0x03C) and absorbs the padding before HiberVa. From
// HiberVa (0x040) onward the offsets and the total size are unchanged.
// NOTE(review): because the size is the same as Windows 8 x64, size alone
// cannot select the layout; treat all fields as untrusted file data.
typedef struct _PO_MEMORY_IMAGE // 38 elements, 0x360 bytes (sizeof)
{
// presumably the magic value identifying the image - verify accepted values per build
/*0x000*/ ULONG32 Signature;
/*0x004*/ ULONG32 ImageType;
/*0x008*/ ULONG32 CheckSum;
// NOTE(review): presumably the header's own length; if so, compare it with the
// 0x360 expected for this layout before trusting later offsets - confirm
/*0x00C*/ ULONG32 LengthSelf;
/*0x010*/ UINT64 PageSelf;
/*0x018*/ ULONG32 PageSize;
// _PADDINGn_ members look like alignment filler emitted by the dump tool
/*0x01C*/ UINT8 _PADDING0_[0x4];
/*0x020*/ union _LARGE_INTEGER SystemTime; // 4 elements, 0x8 bytes (sizeof)
/*0x028*/ UINT64 InterruptTime;
// 64-bit from this build on in the x64 layouts of this listing
/*0x030*/ UINT64 FeatureFlags;
/*0x038*/ UINT8 HiberFlags;
/*0x039*/ UINT8 spare[3];
/*0x03C*/ ULONG32 NoHiberPtes;
/*0x040*/ UINT64 HiberVa;
/*0x048*/ ULONG32 NoFreePages;
/*0x04C*/ ULONG32 FreeMapCheck;
/*0x050*/ ULONG32 WakeCheck;
/*0x054*/ UINT8 _PADDING1_[0x4];
/*0x058*/ UINT64 NumPagesForLoader;
/*0x060*/ UINT64 FirstBootRestorePage;
/*0x068*/ UINT64 FirstKernelRestorePage;
// _PO_HIBER_PERF is defined elsewhere; its 0x1A8 size fixes every offset below
/*0x070*/ struct _PO_HIBER_PERF PerfInfo; // 56 elements, 0x1A8 bytes (sizeof)
/*0x218*/ ULONG32 FirmwareRuntimeInformationPages;
/*0x21C*/ UINT8 _PADDING2_[0x4];
/*0x220*/ UINT64 FirmwareRuntimeInformation[1];
/*0x228*/ ULONG32 SiLogOffset;
/*0x22C*/ ULONG32 NoBootLoaderLogPages;
// fixed capacity of 24 entries; NOTE(review): NoBootLoaderLogPages presumably
// counts the valid ones - clamp it to 24 before indexing, confirm
/*0x230*/ UINT64 BootLoaderLogPages[24];
/*0x2F0*/ ULONG32 NotUsed;
/*0x2F4*/ ULONG32 ResumeContextCheck;
/*0x2F8*/ ULONG32 ResumeContextPages;
/*0x2FC*/ UINT8 Hiberboot;
/*0x2FD*/ UINT8 _PADDING3_[0x3];
/*0x300*/ UINT64 HvCr3;
/*0x308*/ UINT64 HvEntryPoint;
/*0x310*/ UINT64 HvReservedTransitionAddress;
/*0x318*/ UINT64 HvReservedTransitionAddressSize;
/*0x320*/ UINT64 BootFlags;
/*0x328*/ UINT64 HalEntryPointPhysical;
/*0x330*/ UINT64 HighestPhysicalPage;
// NOTE(review): the name suggests page frame numbers of pages tied to BitLocker
// key material - confirm; either way, handle hibernation images as sensitive
/*0x338*/ UINT64 BitlockerKeyPfns[4];
/*0x358*/ ULONG32 HardwareSignature;
// tail padding that rounds the structure up to a multiple of 8 bytes
/*0x35C*/ UINT8 _PADDING4_[0x4];
}PO_MEMORY_IMAGE, *PPO_MEMORY_IMAGE;
// Windows 10 x86
// Hibernation file header (PO_MEMORY_IMAGE) for this build and architecture;
// /*0x...*/ prefixes are byte offsets, total size 0x310 bytes.
// Compared with the Windows 8.1 x86 layout in this listing: FeatureFlags is
// UINT64 instead of ULONG32, FirstChecksumRestorePage and NoChecksumEntries
// are new, and PerfInfo grows from 0x1A8 to 0x1E0 bytes. Everything from
// HiberFlags onward therefore sits at a different offset.
// NOTE(review): select this layout by OS build and bitness, and treat every
// field as untrusted file data - range-check before use.
typedef struct _PO_MEMORY_IMAGE // 40 elements, 0x310 bytes (sizeof)
{
// presumably the magic value identifying the image - verify accepted values per build
/*0x000*/ ULONG32 Signature;
/*0x004*/ ULONG32 ImageType;
/*0x008*/ ULONG32 CheckSum;
// NOTE(review): presumably the header's own length; if so, compare it with the
// 0x310 expected for this layout before trusting later offsets - confirm
/*0x00C*/ ULONG32 LengthSelf;
// page-number and address fields are 32-bit in the x86 layouts
/*0x010*/ ULONG32 PageSelf;
/*0x014*/ ULONG32 PageSize;
/*0x018*/ union _LARGE_INTEGER SystemTime; // 4 elements, 0x8 bytes (sizeof)
/*0x020*/ UINT64 InterruptTime;
/*0x028*/ UINT64 FeatureFlags;
/*0x030*/ UINT8 HiberFlags;
/*0x031*/ UINT8 spare[3];
/*0x034*/ ULONG32 NoHiberPtes;
/*0x038*/ ULONG32 HiberVa;
/*0x03C*/ ULONG32 NoFreePages;
/*0x040*/ ULONG32 FreeMapCheck;
/*0x044*/ ULONG32 WakeCheck;
/*0x048*/ UINT64 NumPagesForLoader;
/*0x050*/ ULONG32 FirstBootRestorePage;
/*0x054*/ ULONG32 FirstKernelRestorePage;
// new relative to the Windows 8.1 layouts; NOTE(review): NoChecksumEntries is a
// 64-bit count read from the file - bound it before sizing any allocation
/*0x058*/ ULONG32 FirstChecksumRestorePage;
// _PADDINGn_ members look like alignment filler emitted by the dump tool
/*0x05C*/ UINT8 _PADDING0_[0x4];
/*0x060*/ UINT64 NoChecksumEntries;
// _PO_HIBER_PERF is defined elsewhere; its 0x1E0 size fixes every offset below
/*0x068*/ struct _PO_HIBER_PERF PerfInfo; // 63 elements, 0x1E0 bytes (sizeof)
/*0x248*/ ULONG32 FirmwareRuntimeInformationPages;
/*0x24C*/ ULONG32 FirmwareRuntimeInformation[1];
/*0x250*/ ULONG32 SiLogOffset;
/*0x254*/ ULONG32 NoBootLoaderLogPages;
// fixed capacity of 24 entries; NOTE(review): NoBootLoaderLogPages presumably
// counts the valid ones - clamp it to 24 before indexing, confirm
/*0x258*/ ULONG32 BootLoaderLogPages[24];
/*0x2B8*/ ULONG32 NotUsed;
/*0x2BC*/ ULONG32 ResumeContextCheck;
/*0x2C0*/ ULONG32 ResumeContextPages;
/*0x2C4*/ UINT8 Hiberboot;
/*0x2C5*/ UINT8 _PADDING1_[0x3];
/*0x2C8*/ UINT64 HvCr3;
/*0x2D0*/ UINT64 HvEntryPoint;
/*0x2D8*/ UINT64 HvReservedTransitionAddress;
/*0x2E0*/ UINT64 HvReservedTransitionAddressSize;
/*0x2E8*/ UINT64 BootFlags;
/*0x2F0*/ UINT64 HalEntryPointPhysical;
/*0x2F8*/ ULONG32 HighestPhysicalPage;
// NOTE(review): the name suggests page frame numbers of pages tied to BitLocker
// key material - confirm; either way, handle hibernation images as sensitive
/*0x2FC*/ ULONG32 BitlockerKeyPfns[4];
/*0x30C*/ ULONG32 HardwareSignature;
}PO_MEMORY_IMAGE, *PPO_MEMORY_IMAGE;
// Windows 10 x64
// Hibernation file header (PO_MEMORY_IMAGE) for this build and architecture;
// /*0x...*/ prefixes are byte offsets, total size 0x3B0 bytes.
// Compared with the Windows 8.1 x64 layout in this listing: offsets through
// NumPagesForLoader (0x058) are unchanged, then FirstSecureRestorePage,
// FirstChecksumRestorePage and NoChecksumEntries are added and PerfInfo grows
// from 0x1A8 to 0x1E0 bytes. FirstSecureRestorePage has no counterpart in the
// Windows 10 x86 layout of this listing.
// NOTE(review): select this layout by OS build and bitness, and treat every
// field as untrusted file data - range-check before use.
typedef struct _PO_MEMORY_IMAGE // 41 elements, 0x3B0 bytes (sizeof)
{
// presumably the magic value identifying the image - verify accepted values per build
/*0x000*/ ULONG32 Signature;
/*0x004*/ ULONG32 ImageType;
/*0x008*/ ULONG32 CheckSum;
// NOTE(review): presumably the header's own length; if so, compare it with the
// 0x3B0 expected for this layout before trusting later offsets - confirm
/*0x00C*/ ULONG32 LengthSelf;
/*0x010*/ UINT64 PageSelf;
/*0x018*/ ULONG32 PageSize;
// _PADDINGn_ members look like alignment filler emitted by the dump tool
/*0x01C*/ UINT8 _PADDING0_[0x4];
/*0x020*/ union _LARGE_INTEGER SystemTime; // 4 elements, 0x8 bytes (sizeof)
/*0x028*/ UINT64 InterruptTime;
/*0x030*/ UINT64 FeatureFlags;
/*0x038*/ UINT8 HiberFlags;
/*0x039*/ UINT8 spare[3];
/*0x03C*/ ULONG32 NoHiberPtes;
/*0x040*/ UINT64 HiberVa;
/*0x048*/ ULONG32 NoFreePages;
/*0x04C*/ ULONG32 FreeMapCheck;
/*0x050*/ ULONG32 WakeCheck;
/*0x054*/ UINT8 _PADDING1_[0x4];
/*0x058*/ UINT64 NumPagesForLoader;
// x64-only field in this listing; it pushes the restore-page fields below by 8 bytes
/*0x060*/ UINT64 FirstSecureRestorePage;
/*0x068*/ UINT64 FirstBootRestorePage;
/*0x070*/ UINT64 FirstKernelRestorePage;
// new relative to the Windows 8.1 layouts; NOTE(review): NoChecksumEntries is a
// 64-bit count read from the file - bound it before sizing any allocation
/*0x078*/ UINT64 FirstChecksumRestorePage;
/*0x080*/ UINT64 NoChecksumEntries;
// _PO_HIBER_PERF is defined elsewhere; its 0x1E0 size fixes every offset below
/*0x088*/ struct _PO_HIBER_PERF PerfInfo; // 63 elements, 0x1E0 bytes (sizeof)
/*0x268*/ ULONG32 FirmwareRuntimeInformationPages;
/*0x26C*/ UINT8 _PADDING2_[0x4];
/*0x270*/ UINT64 FirmwareRuntimeInformation[1];
/*0x278*/ ULONG32 SiLogOffset;
/*0x27C*/ ULONG32 NoBootLoaderLogPages;
// fixed capacity of 24 entries; NOTE(review): NoBootLoaderLogPages presumably
// counts the valid ones - clamp it to 24 before indexing, confirm
/*0x280*/ UINT64 BootLoaderLogPages[24];
/*0x340*/ ULONG32 NotUsed;
/*0x344*/ ULONG32 ResumeContextCheck;
/*0x348*/ ULONG32 ResumeContextPages;
/*0x34C*/ UINT8 Hiberboot;
/*0x34D*/ UINT8 _PADDING3_[0x3];
/*0x350*/ UINT64 HvCr3;
/*0x358*/ UINT64 HvEntryPoint;
/*0x360*/ UINT64 HvReservedTransitionAddress;
/*0x368*/ UINT64 HvReservedTransitionAddressSize;
/*0x370*/ UINT64 BootFlags;
/*0x378*/ UINT64 HalEntryPointPhysical;
/*0x380*/ UINT64 HighestPhysicalPage;
// NOTE(review): the name suggests page frame numbers of pages tied to BitLocker
// key material - confirm; either way, handle hibernation images as sensitive
/*0x388*/ UINT64 BitlockerKeyPfns[4];
/*0x3A8*/ ULONG32 HardwareSignature;
// tail padding that rounds the structure up to a multiple of 8 bytes
/*0x3AC*/ UINT8 _PADDING4_[0x4];
}PO_MEMORY_IMAGE, *PPO_MEMORY_IMAGE;
// Windows 10 v1511 x86
// Hibernation file header (PO_MEMORY_IMAGE) for this build and architecture;
// /*0x...*/ prefixes are byte offsets, total size 0x310 bytes.
// As listed here it matches the "Windows 10 x86" layout field for field (same
// types, offsets and size), so the header layout alone does not separate the
// two builds.
// NOTE(review): treat every field as untrusted file data - range-check sizes,
// page counts and page numbers against the file length before use.
typedef struct _PO_MEMORY_IMAGE // 40 elements, 0x310 bytes (sizeof)
{
// presumably the magic value identifying the image - verify accepted values per build
/*0x000*/ ULONG32 Signature;
/*0x004*/ ULONG32 ImageType;
/*0x008*/ ULONG32 CheckSum;
// NOTE(review): presumably the header's own length; if so, compare it with the
// 0x310 expected for this layout before trusting later offsets - confirm
/*0x00C*/ ULONG32 LengthSelf;
// page-number and address fields are 32-bit in the x86 layouts
/*0x010*/ ULONG32 PageSelf;
/*0x014*/ ULONG32 PageSize;
/*0x018*/ union _LARGE_INTEGER SystemTime; // 4 elements, 0x8 bytes (sizeof)
/*0x020*/ UINT64 InterruptTime;
/*0x028*/ UINT64 FeatureFlags;
/*0x030*/ UINT8 HiberFlags;
/*0x031*/ UINT8 spare[3];
/*0x034*/ ULONG32 NoHiberPtes;
/*0x038*/ ULONG32 HiberVa;
/*0x03C*/ ULONG32 NoFreePages;
/*0x040*/ ULONG32 FreeMapCheck;
/*0x044*/ ULONG32 WakeCheck;
/*0x048*/ UINT64 NumPagesForLoader;
/*0x050*/ ULONG32 FirstBootRestorePage;
/*0x054*/ ULONG32 FirstKernelRestorePage;
// NOTE(review): NoChecksumEntries below is a 64-bit count read from the file -
// bound it before sizing any allocation
/*0x058*/ ULONG32 FirstChecksumRestorePage;
// _PADDINGn_ members look like alignment filler emitted by the dump tool
/*0x05C*/ UINT8 _PADDING0_[0x4];
/*0x060*/ UINT64 NoChecksumEntries;
// _PO_HIBER_PERF is defined elsewhere; its 0x1E0 size fixes every offset below
/*0x068*/ struct _PO_HIBER_PERF PerfInfo; // 63 elements, 0x1E0 bytes (sizeof)
/*0x248*/ ULONG32 FirmwareRuntimeInformationPages;
/*0x24C*/ ULONG32 FirmwareRuntimeInformation[1];
/*0x250*/ ULONG32 SiLogOffset;
/*0x254*/ ULONG32 NoBootLoaderLogPages;
// fixed capacity of 24 entries; NOTE(review): NoBootLoaderLogPages presumably
// counts the valid ones - clamp it to 24 before indexing, confirm
/*0x258*/ ULONG32 BootLoaderLogPages[24];
/*0x2B8*/ ULONG32 NotUsed;
/*0x2BC*/ ULONG32 ResumeContextCheck;
/*0x2C0*/ ULONG32 ResumeContextPages;
/*0x2C4*/ UINT8 Hiberboot;
/*0x2C5*/ UINT8 _PADDING1_[0x3];
/*0x2C8*/ UINT64 HvCr3;
/*0x2D0*/ UINT64 HvEntryPoint;
/*0x2D8*/ UINT64 HvReservedTransitionAddress;
/*0x2E0*/ UINT64 HvReservedTransitionAddressSize;
/*0x2E8*/ UINT64 BootFlags;
/*0x2F0*/ UINT64 HalEntryPointPhysical;
/*0x2F8*/ ULONG32 HighestPhysicalPage;
// NOTE(review): the name suggests page frame numbers of pages tied to BitLocker
// key material - confirm; either way, handle hibernation images as sensitive
/*0x2FC*/ ULONG32 BitlockerKeyPfns[4];
/*0x30C*/ ULONG32 HardwareSignature;
}PO_MEMORY_IMAGE, *PPO_MEMORY_IMAGE;
// Windows 10 v1511 x64
// Hibernation file header (PO_MEMORY_IMAGE) for this build and architecture;
// /*0x...*/ prefixes are byte offsets, total size 0x3B0 bytes.
// As listed here it matches the "Windows 10 x64" layout field for field (same
// types, offsets and size), so the header layout alone does not separate the
// two builds.
// NOTE(review): treat every field as untrusted file data - range-check sizes,
// page counts and page numbers against the file length before use.
typedef struct _PO_MEMORY_IMAGE // 41 elements, 0x3B0 bytes (sizeof)
{
// presumably the magic value identifying the image - verify accepted values per build
/*0x000*/ ULONG32 Signature;
/*0x004*/ ULONG32 ImageType;
/*0x008*/ ULONG32 CheckSum;
// NOTE(review): presumably the header's own length; if so, compare it with the
// 0x3B0 expected for this layout before trusting later offsets - confirm
/*0x00C*/ ULONG32 LengthSelf;
/*0x010*/ UINT64 PageSelf;
/*0x018*/ ULONG32 PageSize;
// _PADDINGn_ members look like alignment filler emitted by the dump tool
/*0x01C*/ UINT8 _PADDING0_[0x4];
/*0x020*/ union _LARGE_INTEGER SystemTime; // 4 elements, 0x8 bytes (sizeof)
/*0x028*/ UINT64 InterruptTime;
/*0x030*/ UINT64 FeatureFlags;
/*0x038*/ UINT8 HiberFlags;
/*0x039*/ UINT8 spare[3];
/*0x03C*/ ULONG32 NoHiberPtes;
/*0x040*/ UINT64 HiberVa;
/*0x048*/ ULONG32 NoFreePages;
/*0x04C*/ ULONG32 FreeMapCheck;
/*0x050*/ ULONG32 WakeCheck;
/*0x054*/ UINT8 _PADDING1_[0x4];
/*0x058*/ UINT64 NumPagesForLoader;
// x64-only field in this listing; the v1511 x86 layout has no counterpart
/*0x060*/ UINT64 FirstSecureRestorePage;
/*0x068*/ UINT64 FirstBootRestorePage;
/*0x070*/ UINT64 FirstKernelRestorePage;
// NOTE(review): NoChecksumEntries below is a 64-bit count read from the file -
// bound it before sizing any allocation
/*0x078*/ UINT64 FirstChecksumRestorePage;
/*0x080*/ UINT64 NoChecksumEntries;
// _PO_HIBER_PERF is defined elsewhere; its 0x1E0 size fixes every offset below
/*0x088*/ struct _PO_HIBER_PERF PerfInfo; // 63 elements, 0x1E0 bytes (sizeof)
/*0x268*/ ULONG32 FirmwareRuntimeInformationPages;
/*0x26C*/ UINT8 _PADDING2_[0x4];
/*0x270*/ UINT64 FirmwareRuntimeInformation[1];
/*0x278*/ ULONG32 SiLogOffset;
/*0x27C*/ ULONG32 NoBootLoaderLogPages;
// fixed capacity of 24 entries; NOTE(review): NoBootLoaderLogPages presumably
// counts the valid ones - clamp it to 24 before indexing, confirm
/*0x280*/ UINT64 BootLoaderLogPages[24];
/*0x340*/ ULONG32 NotUsed;
/*0x344*/ ULONG32 ResumeContextCheck;
/*0x348*/ ULONG32 ResumeContextPages;
/*0x34C*/ UINT8 Hiberboot;
/*0x34D*/ UINT8 _PADDING3_[0x3];
/*0x350*/ UINT64 HvCr3;
/*0x358*/ UINT64 HvEntryPoint;
/*0x360*/ UINT64 HvReservedTransitionAddress;
/*0x368*/ UINT64 HvReservedTransitionAddressSize;
/*0x370*/ UINT64 BootFlags;
/*0x378*/ UINT64 HalEntryPointPhysical;
/*0x380*/ UINT64 HighestPhysicalPage;
// NOTE(review): the name suggests page frame numbers of pages tied to BitLocker
// key material - confirm; either way, handle hibernation images as sensitive
/*0x388*/ UINT64 BitlockerKeyPfns[4];
/*0x3A8*/ ULONG32 HardwareSignature;
// tail padding that rounds the structure up to a multiple of 8 bytes
/*0x3AC*/ UINT8 _PADDING4_[0x4];
}PO_MEMORY_IMAGE, *PPO_MEMORY_IMAGE;
// Windows 10 v1607 x86
// Hibernation file header (PO_MEMORY_IMAGE) for this build and architecture;
// /*0x...*/ prefixes are byte offsets, total size 0x328 bytes.
// Compared with the v1511 x86 layout in this listing: PerfInfo grows from
// 0x1E0 to 0x1E8 bytes, so every field after it moves up by 8, and four
// SMBios* fields are appended after HardwareSignature.
// NOTE(review): select this layout by OS build and bitness, and treat every
// field as untrusted file data - range-check before use.
typedef struct _PO_MEMORY_IMAGE // 44 elements, 0x328 bytes (sizeof)
{
// presumably the magic value identifying the image - verify accepted values per build
/*0x000*/ ULONG32 Signature;
/*0x004*/ ULONG32 ImageType;
/*0x008*/ ULONG32 CheckSum;
// NOTE(review): presumably the header's own length; if so, compare it with the
// 0x328 expected for this layout before trusting later offsets - confirm
/*0x00C*/ ULONG32 LengthSelf;
// page-number and address fields are 32-bit in the x86 layouts
/*0x010*/ ULONG32 PageSelf;
/*0x014*/ ULONG32 PageSize;
/*0x018*/ union _LARGE_INTEGER SystemTime; // 4 elements, 0x8 bytes (sizeof)
/*0x020*/ UINT64 InterruptTime;
/*0x028*/ UINT64 FeatureFlags;
/*0x030*/ UINT8 HiberFlags;
/*0x031*/ UINT8 spare[3];
/*0x034*/ ULONG32 NoHiberPtes;
/*0x038*/ ULONG32 HiberVa;
/*0x03C*/ ULONG32 NoFreePages;
/*0x040*/ ULONG32 FreeMapCheck;
/*0x044*/ ULONG32 WakeCheck;
/*0x048*/ UINT64 NumPagesForLoader;
/*0x050*/ ULONG32 FirstBootRestorePage;
/*0x054*/ ULONG32 FirstKernelRestorePage;
// NOTE(review): NoChecksumEntries below is a 64-bit count read from the file -
// bound it before sizing any allocation
/*0x058*/ ULONG32 FirstChecksumRestorePage;
// _PADDINGn_ members look like alignment filler emitted by the dump tool
/*0x05C*/ UINT8 _PADDING0_[0x4];
/*0x060*/ UINT64 NoChecksumEntries;
// _PO_HIBER_PERF is defined elsewhere; its 0x1E8 size fixes every offset below
/*0x068*/ struct _PO_HIBER_PERF PerfInfo; // 64 elements, 0x1E8 bytes (sizeof)
/*0x250*/ ULONG32 FirmwareRuntimeInformationPages;
/*0x254*/ ULONG32 FirmwareRuntimeInformation[1];
/*0x258*/ ULONG32 SiLogOffset;
/*0x25C*/ ULONG32 NoBootLoaderLogPages;
// fixed capacity of 24 entries; NOTE(review): NoBootLoaderLogPages presumably
// counts the valid ones - clamp it to 24 before indexing, confirm
/*0x260*/ ULONG32 BootLoaderLogPages[24];
/*0x2C0*/ ULONG32 NotUsed;
/*0x2C4*/ ULONG32 ResumeContextCheck;
/*0x2C8*/ ULONG32 ResumeContextPages;
/*0x2CC*/ UINT8 Hiberboot;
/*0x2CD*/ UINT8 _PADDING1_[0x3];
/*0x2D0*/ UINT64 HvCr3;
/*0x2D8*/ UINT64 HvEntryPoint;
/*0x2E0*/ UINT64 HvReservedTransitionAddress;
/*0x2E8*/ UINT64 HvReservedTransitionAddressSize;
/*0x2F0*/ UINT64 BootFlags;
/*0x2F8*/ UINT64 HalEntryPointPhysical;
/*0x300*/ ULONG32 HighestPhysicalPage;
// NOTE(review): the name suggests page frame numbers of pages tied to BitLocker
// key material - confirm; either way, handle hibernation images as sensitive
/*0x304*/ ULONG32 BitlockerKeyPfns[4];
/*0x314*/ ULONG32 HardwareSignature;
// SMBios* fields are new in this build; presumably they locate and version the
// SMBIOS table - confirm. The address is 64-bit even in the x86 layout.
/*0x318*/ union _LARGE_INTEGER SMBiosTablePhysicalAddress; // 4 elements, 0x8 bytes (sizeof)
/*0x320*/ ULONG32 SMBiosTableLength;
/*0x324*/ UINT8 SMBiosMajorVersion;
/*0x325*/ UINT8 SMBiosMinorVersion;
// tail padding that rounds the structure up to a multiple of 8 bytes
/*0x326*/ UINT8 _PADDING2_[0x2];
}PO_MEMORY_IMAGE, *PPO_MEMORY_IMAGE;
// Windows 10 v1607 x64
// Hibernation file header (PO_MEMORY_IMAGE) for this build and architecture;
// /*0x...*/ prefixes are byte offsets, total size 0x3C8 bytes.
// Compared with the v1511 x64 layout in this listing: PerfInfo grows from
// 0x1E0 to 0x1E8 bytes, so every field after it moves up by 8, and four
// SMBios* fields are appended after HardwareSignature.
// NOTE(review): select this layout by OS build and bitness, and treat every
// field as untrusted file data - range-check before use.
typedef struct _PO_MEMORY_IMAGE // 45 elements, 0x3C8 bytes (sizeof)
{
// presumably the magic value identifying the image - verify accepted values per build
/*0x000*/ ULONG32 Signature;
/*0x004*/ ULONG32 ImageType;
/*0x008*/ ULONG32 CheckSum;
// NOTE(review): presumably the header's own length; if so, compare it with the
// 0x3C8 expected for this layout before trusting later offsets - confirm
/*0x00C*/ ULONG32 LengthSelf;
/*0x010*/ UINT64 PageSelf;
/*0x018*/ ULONG32 PageSize;
// _PADDINGn_ members look like alignment filler emitted by the dump tool
/*0x01C*/ UINT8 _PADDING0_[0x4];
/*0x020*/ union _LARGE_INTEGER SystemTime; // 4 elements, 0x8 bytes (sizeof)
/*0x028*/ UINT64 InterruptTime;
/*0x030*/ UINT64 FeatureFlags;
/*0x038*/ UINT8 HiberFlags;
/*0x039*/ UINT8 spare[3];
/*0x03C*/ ULONG32 NoHiberPtes;
/*0x040*/ UINT64 HiberVa;
/*0x048*/ ULONG32 NoFreePages;
/*0x04C*/ ULONG32 FreeMapCheck;
/*0x050*/ ULONG32 WakeCheck;
/*0x054*/ UINT8 _PADDING1_[0x4];
/*0x058*/ UINT64 NumPagesForLoader;
// x64-only field in this listing; the v1607 x86 layout has no counterpart
/*0x060*/ UINT64 FirstSecureRestorePage;
/*0x068*/ UINT64 FirstBootRestorePage;
/*0x070*/ UINT64 FirstKernelRestorePage;
// NOTE(review): NoChecksumEntries below is a 64-bit count read from the file -
// bound it before sizing any allocation
/*0x078*/ UINT64 FirstChecksumRestorePage;
/*0x080*/ UINT64 NoChecksumEntries;
// _PO_HIBER_PERF is defined elsewhere; its 0x1E8 size fixes every offset below
/*0x088*/ struct _PO_HIBER_PERF PerfInfo; // 64 elements, 0x1E8 bytes (sizeof)
/*0x270*/ ULONG32 FirmwareRuntimeInformationPages;
/*0x274*/ UINT8 _PADDING2_[0x4];
/*0x278*/ UINT64 FirmwareRuntimeInformation[1];
/*0x280*/ ULONG32 SiLogOffset;
/*0x284*/ ULONG32 NoBootLoaderLogPages;
// fixed capacity of 24 entries; NOTE(review): NoBootLoaderLogPages presumably
// counts the valid ones - clamp it to 24 before indexing, confirm
/*0x288*/ UINT64 BootLoaderLogPages[24];
/*0x348*/ ULONG32 NotUsed;
/*0x34C*/ ULONG32 ResumeContextCheck;
/*0x350*/ ULONG32 ResumeContextPages;
/*0x354*/ UINT8 Hiberboot;
/*0x355*/ UINT8 _PADDING3_[0x3];
/*0x358*/ UINT64 HvCr3;
/*0x360*/ UINT64 HvEntryPoint;
/*0x368*/ UINT64 HvReservedTransitionAddress;
/*0x370*/ UINT64 HvReservedTransitionAddressSize;
/*0x378*/ UINT64 BootFlags;
/*0x380*/ UINT64 HalEntryPointPhysical;
/*0x388*/ UINT64 HighestPhysicalPage;
// NOTE(review): the name suggests page frame numbers of pages tied to BitLocker
// key material - confirm; either way, handle hibernation images as sensitive
/*0x390*/ UINT64 BitlockerKeyPfns[4];
/*0x3B0*/ ULONG32 HardwareSignature;
/*0x3B4*/ UINT8 _PADDING4_[0x4];
// SMBios* fields are new in this build; presumably they locate and version the
// SMBIOS table - confirm
/*0x3B8*/ union _LARGE_INTEGER SMBiosTablePhysicalAddress; // 4 elements, 0x8 bytes (sizeof)
/*0x3C0*/ ULONG32 SMBiosTableLength;
/*0x3C4*/ UINT8 SMBiosMajorVersion;
/*0x3C5*/ UINT8 SMBiosMinorVersion;
// tail padding that rounds the structure up to a multiple of 8 bytes
/*0x3C6*/ UINT8 _PADDING5_[0x2];
}PO_MEMORY_IMAGE, *PPO_MEMORY_IMAGE;
Last active
February 2, 2017 17:21
Modern Windows Hibernation File Headers