Created
November 9, 2016 11:44
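/*
 * Process Environment Block (PEB), in its partially documented form: only a
 * handful of members are named, the rest are opaque Reserved* padding.
 *
 * Reference excerpt: in a real build take this definition from <winternl.h>
 * instead of redeclaring it (PPEB_LDR_DATA, PRTL_USER_PROCESS_PARAMETERS and
 * PPS_POST_PROCESS_INIT_ROUTINE are not declared before this point here).
 *
 * Notes for analysts and tool authors:
 *  - Member offsets after Reserved2 depend on pointer width (PVOID), so the
 *    32-bit and 64-bit layouts differ; never hard-code one for both.
 *  - The PEB lives in writable user-mode memory of the process it describes.
 *    Code running in that process can change any field, so values read from
 *    it (BeingDebugged, the Ldr module list) are hints, not trusted facts.
 *  - Reads of BeingDebugged and walks of Ldr in code that has no matching
 *    imports are a common marker of anti-debugging and of manual API
 *    resolution; both are worth flagging during triage.
 */
typedef struct _PEB {
    BYTE                          Reserved1[2];
    BYTE                          BeingDebugged;      // byte offset 2: non-zero while a debugger is attached
    BYTE                          Reserved2[1];
    PVOID                         Reserved3[2];
    PPEB_LDR_DATA                 Ldr;                // loader data: head of the loaded-module lists
    PRTL_USER_PROCESS_PARAMETERS  ProcessParameters;  // process start-up parameters
    PVOID                         Reserved4[3];
    PVOID                         AtlThunkSListPtr;
    PVOID                         Reserved5;
    ULONG                         Reserved6;
    PVOID                         Reserved7;
    ULONG                         Reserved8;
    ULONG                         AtlThunkSListPtr32;
    PVOID                         Reserved9[45];
    BYTE                          Reserved10[96];
    PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
    BYTE                          Reserved11[128];
    PVOID                         Reserved12[1];
    ULONG                         SessionId;          // session the process belongs to
} PEB, *PPEB;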
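/*
 * Loader data reached through PEB.Ldr (documented subset, see <winternl.h>).
 *
 * InMemoryOrderModuleList is the sentinel head of a circular doubly-linked
 * list; the head itself is not a module entry. Each node on the list is the
 * InMemoryOrderLinks member embedded in an LDR_DATA_TABLE_ENTRY, not the
 * start of that entry, so the enclosing record has to be recovered with
 * CONTAINING_RECORD (or the equivalent offset subtraction).
 *
 * Caveats for inventory and forensic tooling:
 *  - The list is user-mode writable. Entries can be unlinked or rewritten by
 *    code inside the process, so a module missing here is not proof that it
 *    is not mapped; cross-check against a source the process cannot edit.
 *  - The loader updates the list as modules load and unload; a reader that
 *    does not synchronise with it can observe a half-updated list.
 *  - When walking memory that is not trusted (another process, a dump),
 *    bound the number of iterations and stop on returning to the head.
 */
typedef struct _PEB_LDR_DATA {
    BYTE       Reserved1[8];
    PVOID      Reserved2[3];
    LIST_ENTRY InMemoryOrderModuleList;  // list head; nodes are LDR_DATA_TABLE_ENTRY.InMemoryOrderLinks
} PEB_LDR_DATA, *PPEB_LDR_DATA;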
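/*
 * Generic intrusive doubly-linked list node (normally supplied by <winnt.h>;
 * RESTRICTED_POINTER is a macro defined by the Windows headers).
 *
 * Lists built from this node are circular: an empty list has Flink and Blink
 * pointing back at the head. A walker that reads nodes from memory it does
 * not control should check that node->Flink->Blink == node before following
 * the link, and should cap the number of steps, so a corrupted or
 * deliberately looped list cannot send it out of bounds or into an endless
 * loop.
 */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;  // forward link (next node)
    struct _LIST_ENTRY *Blink;  // backward link (previous node)
} LIST_ENTRY, *PLIST_ENTRY, *RESTRICTED_POINTER PRLIST_ENTRY;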
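/*
 * Per-module loader record (documented subset, see <winternl.h>).
 *
 * InMemoryOrderLinks is NOT the first member: list pointers taken from
 * PEB_LDR_DATA.InMemoryOrderModuleList point at this member, and the start of
 * the record lies sizeof(Reserved1) bytes before it. Use CONTAINING_RECORD
 * rather than casting the list pointer directly.
 *
 * Reading notes:
 *  - FullDllName is a UNICODE_STRING: Length counts bytes, not characters,
 *    and Buffer is not guaranteed to be NUL-terminated. Compare and copy by
 *    Length, and validate Length/Buffer when the record comes from untrusted
 *    memory.
 *  - Every field is process-writable, so DllBase and FullDllName may have
 *    been altered by code in the process; do not treat the recorded name as
 *    proof of what is actually mapped at DllBase.
 *  - DUMMYUNIONNAME is a Windows-header macro that names the union only on
 *    compilers without anonymous-union support.
 */
typedef struct _LDR_DATA_TABLE_ENTRY {
    PVOID          Reserved1[2];
    LIST_ENTRY     InMemoryOrderLinks;  // node on the in-memory-order module list
    PVOID          Reserved2[2];
    PVOID          DllBase;             // base address the module is mapped at
    PVOID          Reserved3[2];
    UNICODE_STRING FullDllName;         // module path; counted string, see notes above
    BYTE           Reserved4[8];
    PVOID          Reserved5[3];
    union {
        ULONG CheckSum;
        PVOID Reserved6;
    } DUMMYUNIONNAME;
    ULONG          TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;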
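/*
 * One slot of the PE optional header's data-directory table (normally
 * supplied by <winnt.h>): locates a table such as the export directory.
 *
 * Both values come straight from the image, so a parser must treat them as
 * untrusted: check that VirtualAddress is non-zero where a table is required,
 * and that VirtualAddress + Size neither overflows nor extends past the size
 * of the mapped image, before turning the RVA into a pointer.
 */
typedef struct _IMAGE_DATA_DIRECTORY {
    DWORD VirtualAddress;  // RVA of the table, relative to the image base
    DWORD Size;            // size of the table in bytes
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;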
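/*
 * PE export directory table (normally supplied by <winnt.h>).
 *
 * The three Address* members are RVAs of parallel arrays:
 *  - AddressOfFunctions:    NumberOfFunctions DWORD RVAs of exported items
 *  - AddressOfNames:        NumberOfNames DWORD RVAs of ASCII export names
 *  - AddressOfNameOrdinals: NumberOfNames WORD indices into the function array
 * Base is the ordinal number that corresponds to index 0 of the function
 * array.
 *
 * Parser hardening checklist (all fields are attacker-controlled when the
 * image is untrusted):
 *  - bound NumberOfFunctions/NumberOfNames and check that each array lies
 *    fully inside the image before indexing it;
 *  - check every name-ordinal value is < NumberOfFunctions;
 *  - check every name RVA is inside the image and the string terminates
 *    inside it;
 *  - a function RVA that falls inside the export directory's own range is a
 *    forwarder string, not code, and must not be treated as an address.
 */
typedef struct _IMAGE_EXPORT_DIRECTORY {
    DWORD Characteristics;
    DWORD TimeDateStamp;
    WORD  MajorVersion;
    WORD  MinorVersion;
    DWORD Name;                   // RVA of the module's name string
    DWORD Base;                   // starting ordinal number
    DWORD NumberOfFunctions;
    DWORD NumberOfNames;
    DWORD AddressOfFunctions;     // RVA from base of image
    DWORD AddressOfNames;         // RVA from base of image
    DWORD AddressOfNameOrdinals;  // RVA from base of image
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;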