Skip to content

Instantly share code, notes, and snippets.

@utkonos

utkonos/Generate _PEB32 x64dbg struct.ipynb Secret

Last active February 17, 2022 11:25
Show Gist options
  • Star 2 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
  • Save utkonos/7f82d27a389222352a671b2135aacb38 to your computer and use it in GitHub Desktop.
Save utkonos/7f82d27a389222352a671b2135aacb38 to your computer and use it in GitHub Desktop.
Download ZIP
Generate types.json from documentation
Display the source blob
Display the rendered blob
Raw
Generate _PEB32 x64dbg struct.ipynb
{
"cells": [
{
"cell_type": "code",
"execution_count": 1,
"metadata": {},
"outputs": [],
"source": [
"import collections\n",
"import json\n",
"import pathlib"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"The following is based on structs from:\n",
"\n",
"https://github.com/volatilityfoundation/volatility/blob/4cafa31ca3e4374c60c53a528497b2a1664e6a6b/volatility/plugins/overlays/windows/win10_x64_18362_vtypes.py\n",
"\n",
"Changes:\n",
"\n",
"1. First three bytes are native x64dbg `bool` types\n",
"2. Mutant is type `HANDLE`\n",
"3. Ldr is type `_PEB32_LDR_DATA`\n",
"4. `BitField` are ignored\n",
"5. `PADDING` and `PADDING2` added due to apparent bug in `offset` key in JSON schema\n",
"6. `HighPart` member of both unions is incorrect due to apparent bug\n",
"\n",
"More documentation on this PEB:\n",
"\n",
"http://terminus.rewolf.pl/terminus/structures/ntdll/_PEB32_x64.html\n",
"\n",
"`HANDLE` type from:\n",
"\n",
"http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FProcess%2FPEB.html\n",
"\n",
"Other documentation on different PEBs:\n",
"\n",
"http://terminus.rewolf.pl/terminus/structures/ntdll/_PEB_x86.html\n",
"\n",
"http://terminus.rewolf.pl/terminus/structures/ntdll/_PEB_x64.html\n",
"\n",
"http://terminus.rewolf.pl/terminus/structures/ntdll/_PEB32_x86.html\n",
"\n",
"x64dbg authors examples for struct feature input:\n",
"\n",
"https://gist.github.com/mrexodia/e949ab26d5986a5fc1fa4944ac68147a\n",
"\n",
"x64dbg type system commands:\n",
"\n",
"https://help.x64dbg.com/en/latest/commands/types/index.html\n",
"\n",
"RE Stack Exchange entry on x64dbg struct:\n",
"\n",
"https://reverseengineering.stackexchange.com/questions/17203/how-can-i-define-a-struct-in-x64-x32dbg\n",
"\n",
"x64dbg Blogs about struct and types:\n",
"\n",
"https://x64dbg.com/blog/2016/11/27/weekly-digest-14.html#types\n",
"\n",
"https://x64dbg.com/blog/2016/12/04/type-system.html"
]
},
{
"cell_type": "code",
"execution_count": 2,
"metadata": {},
"outputs": [],
"source": [
"peb32 = collections.OrderedDict(\n",
" [('InheritedAddressSpace', [0, ['bool']]),\n",
" ('ReadImageFileExecOptions', [1, ['bool']]),\n",
" ('BeingDebugged', [2, ['bool']]),\n",
" ('BitField', [3, ['unsigned char']]),\n",
" ('ImageUsesLargePages',\n",
" [3,\n",
" ['BitField',\n",
" {'start_bit': 0, 'end_bit': 1, 'native_type': 'unsigned char'}]]),\n",
" ('IsProtectedProcess',\n",
" [3,\n",
" ['BitField',\n",
" {'start_bit': 1, 'end_bit': 2, 'native_type': 'unsigned char'}]]),\n",
" ('IsImageDynamicallyRelocated',\n",
" [3,\n",
" ['BitField',\n",
" {'start_bit': 2, 'end_bit': 3, 'native_type': 'unsigned char'}]]),\n",
" ('SkipPatchingUser32Forwarders',\n",
" [3,\n",
" ['BitField',\n",
" {'start_bit': 3, 'end_bit': 4, 'native_type': 'unsigned char'}]]),\n",
" ('IsPackagedProcess',\n",
" [3,\n",
" ['BitField',\n",
" {'start_bit': 4, 'end_bit': 5, 'native_type': 'unsigned char'}]]),\n",
" ('IsAppContainer',\n",
" [3,\n",
" ['BitField',\n",
" {'start_bit': 5, 'end_bit': 6, 'native_type': 'unsigned char'}]]),\n",
" ('IsProtectedProcessLight',\n",
" [3,\n",
" ['BitField',\n",
" {'start_bit': 6, 'end_bit': 7, 'native_type': 'unsigned char'}]]),\n",
" ('IsLongPathAwareProcess',\n",
" [3,\n",
" ['BitField',\n",
" {'start_bit': 7, 'end_bit': 8, 'native_type': 'unsigned char'}]]),\n",
" ('Mutant', [4, ['HANDLE']]),\n",
" ('ImageBaseAddress', [8, ['unsigned long']]),\n",
" ('Ldr', [12, ['_PEB32_LDR_DATA']]),\n",
" ('ProcessParameters', [16, ['unsigned long']]),\n",
" ('SubSystemData', [20, ['unsigned long']]),\n",
" ('ProcessHeap', [24, ['unsigned long']]),\n",
" ('FastPebLock', [28, ['unsigned long']]),\n",
" ('AtlThunkSListPtr', [32, ['unsigned long']]),\n",
" ('IFEOKey', [36, ['unsigned long']]),\n",
" ('CrossProcessFlags', [40, ['unsigned long']]),\n",
" ('ProcessInJob',\n",
" [40,\n",
" ['BitField',\n",
" {'start_bit': 0, 'end_bit': 1, 'native_type': 'unsigned long'}]]),\n",
" ('ProcessInitializing',\n",
" [40,\n",
" ['BitField',\n",
" {'start_bit': 1, 'end_bit': 2, 'native_type': 'unsigned long'}]]),\n",
" ('ProcessUsingVEH',\n",
" [40,\n",
" ['BitField',\n",
" {'start_bit': 2, 'end_bit': 3, 'native_type': 'unsigned long'}]]),\n",
" ('ProcessUsingVCH',\n",
" [40,\n",
" ['BitField',\n",
" {'start_bit': 3, 'end_bit': 4, 'native_type': 'unsigned long'}]]),\n",
" ('ProcessUsingFTH',\n",
" [40,\n",
" ['BitField',\n",
" {'start_bit': 4, 'end_bit': 5, 'native_type': 'unsigned long'}]]),\n",
" ('ProcessPreviouslyThrottled',\n",
" [40,\n",
" ['BitField',\n",
" {'start_bit': 5, 'end_bit': 6, 'native_type': 'unsigned long'}]]),\n",
" ('ProcessCurrentlyThrottled',\n",
" [40,\n",
" ['BitField',\n",
" {'start_bit': 6, 'end_bit': 7, 'native_type': 'unsigned long'}]]),\n",
" ('ProcessImagesHotPatched',\n",
" [40,\n",
" ['BitField',\n",
" {'start_bit': 7, 'end_bit': 8, 'native_type': 'unsigned long'}]]),\n",
" ('ReservedBits0',\n",
" [40,\n",
" ['BitField',\n",
" {'start_bit': 8, 'end_bit': 32, 'native_type': 'unsigned long'}]]),\n",
" ('KernelCallbackTable', [44, ['unsigned long']]),\n",
" ('UserSharedInfoPtr', [44, ['unsigned long']]),\n",
" ('SystemReserved', [48, ['unsigned long']]),\n",
" ('AtlThunkSListPtr32', [52, ['unsigned long']]),\n",
" ('ApiSetMap', [56, ['unsigned long']]),\n",
" ('TlsExpansionCounter', [60, ['unsigned long']]),\n",
" ('TlsBitmap', [64, ['unsigned long']]),\n",
" ('TlsBitmapBits', [68, ['array', 2, ['unsigned long']]]),\n",
" ('ReadOnlySharedMemoryBase', [76, ['unsigned long']]),\n",
" ('SharedData', [80, ['unsigned long']]),\n",
" ('ReadOnlyStaticServerData', [84, ['unsigned long']]),\n",
" ('AnsiCodePageData', [88, ['unsigned long']]),\n",
" ('OemCodePageData', [92, ['unsigned long']]),\n",
" ('UnicodeCaseTableData', [96, ['unsigned long']]),\n",
" ('NumberOfProcessors', [100, ['unsigned long']]),\n",
" ('NtGlobalFlag', [104, ['unsigned long']]),\n",
" ('PADDING', [108, ['unsigned long']]),\n",
" ('CriticalSectionTimeout', [112, ['_LARGE_INTEGER']]),\n",
" ('HeapSegmentReserve', [120, ['unsigned long']]),\n",
" ('HeapSegmentCommit', [124, ['unsigned long']]),\n",
" ('HeapDeCommitTotalFreeThreshold', [128, ['unsigned long']]),\n",
" ('HeapDeCommitFreeBlockThreshold', [132, ['unsigned long']]),\n",
" ('NumberOfHeaps', [136, ['unsigned long']]),\n",
" ('MaximumNumberOfHeaps', [140, ['unsigned long']]),\n",
" ('ProcessHeaps', [144, ['unsigned long']]),\n",
" ('GdiSharedHandleTable', [148, ['unsigned long']]),\n",
" ('ProcessStarterHelper', [152, ['unsigned long']]),\n",
" ('GdiDCAttributeList', [156, ['unsigned long']]),\n",
" ('LoaderLock', [160, ['unsigned long']]),\n",
" ('OSMajorVersion', [164, ['unsigned long']]),\n",
" ('OSMinorVersion', [168, ['unsigned long']]),\n",
" ('OSBuildNumber', [172, ['unsigned short']]),\n",
" ('OSCSDVersion', [174, ['unsigned short']]),\n",
" ('OSPlatformId', [176, ['unsigned long']]),\n",
" ('ImageSubsystem', [180, ['unsigned long']]),\n",
" ('ImageSubsystemMajorVersion', [184, ['unsigned long']]),\n",
" ('ImageSubsystemMinorVersion', [188, ['unsigned long']]),\n",
" ('ActiveProcessAffinityMask', [192, ['unsigned long']]),\n",
" ('GdiHandleBuffer', [196, ['array', 34, ['unsigned long']]]),\n",
" ('PostProcessInitRoutine', [332, ['unsigned long']]),\n",
" ('TlsExpansionBitmap', [336, ['unsigned long']]),\n",
" ('TlsExpansionBitmapBits', [340, ['array', 32, ['unsigned long']]]),\n",
" ('SessionId', [468, ['unsigned long']]),\n",
" ('AppCompatFlags', [472, ['_ULARGE_INTEGER']]),\n",
" ('AppCompatFlagsUser', [480, ['_ULARGE_INTEGER']]),\n",
" ('pShimData', [488, ['unsigned long']]),\n",
" ('AppCompatInfo', [492, ['unsigned long']]),\n",
" ('CSDVersion', [496, ['_STRING32']]),\n",
" ('ActivationContextData', [504, ['unsigned long']]),\n",
" ('ProcessAssemblyStorageMap', [508, ['unsigned long']]),\n",
" ('SystemDefaultActivationContextData', [512, ['unsigned long']]),\n",
" ('SystemAssemblyStorageMap', [516, ['unsigned long']]),\n",
" ('MinimumStackCommit', [520, ['unsigned long']]),\n",
" ('SparePointers', [524, ['array', 4, ['unsigned long']]]),\n",
" ('SpareUlongs', [540, ['array', 5, ['unsigned long']]]),\n",
" ('WerRegistrationData', [560, ['unsigned long']]),\n",
" ('WerShipAssertPtr', [564, ['unsigned long']]),\n",
" ('pUnused', [568, ['unsigned long']]),\n",
" ('pImageHeaderHash', [572, ['unsigned long']]),\n",
" ('TracingFlags', [576, ['unsigned long']]),\n",
" ('HeapTracingEnabled',\n",
" [576,\n",
" ['BitField',\n",
" {'start_bit': 0, 'end_bit': 1, 'native_type': 'unsigned long'}]]),\n",
" ('CritSecTracingEnabled',\n",
" [576,\n",
" ['BitField',\n",
" {'start_bit': 1, 'end_bit': 2, 'native_type': 'unsigned long'}]]),\n",
" ('LibLoaderTracingEnabled',\n",
" [576,\n",
" ['BitField',\n",
" {'start_bit': 2, 'end_bit': 3, 'native_type': 'unsigned long'}]]),\n",
" ('SpareTracingBits',\n",
" [576,\n",
" ['BitField',\n",
" {'start_bit': 3, 'end_bit': 32, 'native_type': 'unsigned long'}]]),\n",
" ('PADDING2', [580, ['unsigned long']]),\n",
" ('CsrServerReadOnlySharedMemoryBase', [584, ['unsigned long long']]),\n",
" ('TppWorkerpListLock', [592, ['unsigned long']]),\n",
" ('TppWorkerpList', [596, ['LIST_ENTRY32']]),\n",
" ('WaitOnAddressHashTable', [604, ['array', 128, ['unsigned long']]]),\n",
" ('TelemetryCoverageHeader', [1116, ['unsigned long']]),\n",
" ('CloudFileFlags', [1120, ['unsigned long']]),\n",
" ('CloudFileDiagFlags', [1124, ['unsigned long']]),\n",
" ('PlaceholderCompatibilityMode', [1128, ['unsigned char']]),\n",
" ('PlaceholderCompatibilityModeReserved',\n",
" [1129, ['array', 7, ['unsigned char']]]),\n",
" ('LeapSecondData', [1136, ['unsigned long']]),\n",
" ('LeapSecondFlags', [1140, ['unsigned long']]),\n",
" ('SixtySecondEnabled',\n",
" [1140,\n",
" ['BitField',\n",
" {'start_bit': 0, 'end_bit': 1, 'native_type': 'unsigned long'}]]),\n",
" ('Reserved',\n",
" [1140,\n",
" ['BitField',\n",
" {'start_bit': 1, 'end_bit': 32, 'native_type': 'unsigned long'}]]),\n",
" ('NtGlobalFlag2', [1144, ['unsigned long']])]\n",
")"
]
},
{
"cell_type": "code",
"execution_count": 3,
"metadata": {},
"outputs": [],
"source": [
"types = {\n",
" 'types': [\n",
" {\n",
" 'name': 'HANDLE',\n",
" 'type': 'unsigned long'\n",
" },\n",
" {\n",
" 'name': '_PEB32_LDR_DATA',\n",
" 'type': 'ptr'\n",
" }\n",
" ],\n",
" 'structs': [\n",
" {\n",
" 'name': '_PEB32'\n",
" },\n",
" {\n",
" 'name': '_STRING32',\n",
" 'members': [\n",
" {\n",
" 'name': 'Length',\n",
" 'type': 'unsigned short'\n",
" },\n",
" {\n",
" 'name': 'MaximumLength',\n",
" 'type': 'unsigned short'\n",
" },\n",
" {\n",
" 'name': 'Buffer',\n",
" 'type': 'unsigned long'\n",
" }\n",
" ]\n",
" },\n",
" {\n",
" 'name': 'LIST_ENTRY32',\n",
" 'members': [\n",
" {\n",
" 'name': 'Flink',\n",
" 'type': 'unsigned long'\n",
" },\n",
" {\n",
" 'name': 'Blink',\n",
" 'type': 'unsigned long'\n",
" }\n",
" ]\n",
" },\n",
" {\n",
" 'name': '__unnamed_1119',\n",
" 'members': [\n",
" {\n",
" 'name': 'LowPart',\n",
" 'type': 'unsigned long'\n",
" },\n",
" {\n",
" 'name': 'HighPart',\n",
" 'type': 'long'\n",
" }\n",
" ]\n",
" },\n",
" {\n",
" 'name': '__unnamed_108b',\n",
" 'members': [\n",
" {\n",
" 'name': 'LowPart',\n",
" 'type': 'unsigned long'\n",
" },\n",
" {\n",
" 'name': 'HighPart',\n",
" 'type': 'unsigned long'\n",
" }\n",
" ]\n",
" }\n",
" ],\n",
" 'unions': [\n",
" {\n",
" 'name': '_LARGE_INTEGER',\n",
" 'members': [\n",
" {\n",
" 'name': 'LowPart',\n",
" 'type': 'unsigned long'\n",
" },\n",
" {\n",
" 'name': 'QuadPart',\n",
" 'type': 'long long'\n",
" },\n",
" {\n",
" 'name': 'u',\n",
" 'type': '__unnamed_1119'\n",
" },\n",
" {\n",
" 'name': 'HighPart',\n",
" 'type': 'long'\n",
" }\n",
" ]\n",
" },\n",
" {\n",
" 'name': '_ULARGE_INTEGER',\n",
" 'members': [\n",
" {\n",
" 'name': 'LowPart',\n",
" 'type': 'unsigned long'\n",
" },\n",
" {\n",
" 'name': 'QuadPart',\n",
" 'type': 'unsigned long long'\n",
" },\n",
" {\n",
" 'name': 'u',\n",
" 'type': '__unnamed_108b'\n",
" },\n",
" {\n",
" 'name': 'HighPart',\n",
" 'type': 'unsigned long'\n",
" }\n",
" ]\n",
" }\n",
" ]\n",
"}"
]
},
{
"cell_type": "code",
"execution_count": 4,
"metadata": {},
"outputs": [],
"source": [
"members = list()\n",
"last_offset = None\n",
"\n",
"for member_name, member_info in peb32.items():\n",
" # Exclude Bitfields\n",
" if member_info[1][0] != 'BitField':\n",
"\n",
" # Exclude overlapping struct members according to x64dbg documentation:\n",
" # https://help.x64dbg.com/en/latest/commands/types/AddMember.html\n",
" if member_info[0] == last_offset:\n",
" continue\n",
" else:\n",
" last_offset = member_info[0]\n",
"\n",
" member = {'name': member_name}\n",
"# member['offset'] = member_info[0] # There appears to be a bug in the handling of the offset key in the JSON schema\n",
"\n",
" if member_info[1][0] == 'array':\n",
" member['arrsize'] = member_info[1][1]\n",
" member['type'] = member_info[1][2][0]\n",
" else:\n",
" member['type'] = member_info[1][0]\n",
"\n",
" members.append(member)"
]
},
{
"cell_type": "code",
"execution_count": 5,
"metadata": {},
"outputs": [
{
"data": {
"text/plain": [
"[{'name': 'InheritedAddressSpace', 'type': 'bool'},\n",
" {'name': 'ReadImageFileExecOptions', 'type': 'bool'},\n",
" {'name': 'BeingDebugged', 'type': 'bool'},\n",
" {'name': 'BitField', 'type': 'unsigned char'},\n",
" {'name': 'Mutant', 'type': 'HANDLE'},\n",
" {'name': 'ImageBaseAddress', 'type': 'unsigned long'},\n",
" {'name': 'Ldr', 'type': '_PEB32_LDR_DATA'},\n",
" {'name': 'ProcessParameters', 'type': 'unsigned long'},\n",
" {'name': 'SubSystemData', 'type': 'unsigned long'},\n",
" {'name': 'ProcessHeap', 'type': 'unsigned long'},\n",
" {'name': 'FastPebLock', 'type': 'unsigned long'},\n",
" {'name': 'AtlThunkSListPtr', 'type': 'unsigned long'},\n",
" {'name': 'IFEOKey', 'type': 'unsigned long'},\n",
" {'name': 'CrossProcessFlags', 'type': 'unsigned long'},\n",
" {'name': 'KernelCallbackTable', 'type': 'unsigned long'},\n",
" {'name': 'SystemReserved', 'type': 'unsigned long'},\n",
" {'name': 'AtlThunkSListPtr32', 'type': 'unsigned long'},\n",
" {'name': 'ApiSetMap', 'type': 'unsigned long'},\n",
" {'name': 'TlsExpansionCounter', 'type': 'unsigned long'},\n",
" {'name': 'TlsBitmap', 'type': 'unsigned long'},\n",
" {'name': 'TlsBitmapBits', 'arrsize': 2, 'type': 'unsigned long'},\n",
" {'name': 'ReadOnlySharedMemoryBase', 'type': 'unsigned long'},\n",
" {'name': 'SharedData', 'type': 'unsigned long'},\n",
" {'name': 'ReadOnlyStaticServerData', 'type': 'unsigned long'},\n",
" {'name': 'AnsiCodePageData', 'type': 'unsigned long'},\n",
" {'name': 'OemCodePageData', 'type': 'unsigned long'},\n",
" {'name': 'UnicodeCaseTableData', 'type': 'unsigned long'},\n",
" {'name': 'NumberOfProcessors', 'type': 'unsigned long'},\n",
" {'name': 'NtGlobalFlag', 'type': 'unsigned long'},\n",
" {'name': 'PADDING', 'type': 'unsigned long'},\n",
" {'name': 'CriticalSectionTimeout', 'type': '_LARGE_INTEGER'},\n",
" {'name': 'HeapSegmentReserve', 'type': 'unsigned long'},\n",
" {'name': 'HeapSegmentCommit', 'type': 'unsigned long'},\n",
" {'name': 'HeapDeCommitTotalFreeThreshold', 'type': 'unsigned long'},\n",
" {'name': 'HeapDeCommitFreeBlockThreshold', 'type': 'unsigned long'},\n",
" {'name': 'NumberOfHeaps', 'type': 'unsigned long'},\n",
" {'name': 'MaximumNumberOfHeaps', 'type': 'unsigned long'},\n",
" {'name': 'ProcessHeaps', 'type': 'unsigned long'},\n",
" {'name': 'GdiSharedHandleTable', 'type': 'unsigned long'},\n",
" {'name': 'ProcessStarterHelper', 'type': 'unsigned long'},\n",
" {'name': 'GdiDCAttributeList', 'type': 'unsigned long'},\n",
" {'name': 'LoaderLock', 'type': 'unsigned long'},\n",
" {'name': 'OSMajorVersion', 'type': 'unsigned long'},\n",
" {'name': 'OSMinorVersion', 'type': 'unsigned long'},\n",
" {'name': 'OSBuildNumber', 'type': 'unsigned short'},\n",
" {'name': 'OSCSDVersion', 'type': 'unsigned short'},\n",
" {'name': 'OSPlatformId', 'type': 'unsigned long'},\n",
" {'name': 'ImageSubsystem', 'type': 'unsigned long'},\n",
" {'name': 'ImageSubsystemMajorVersion', 'type': 'unsigned long'},\n",
" {'name': 'ImageSubsystemMinorVersion', 'type': 'unsigned long'},\n",
" {'name': 'ActiveProcessAffinityMask', 'type': 'unsigned long'},\n",
" {'name': 'GdiHandleBuffer', 'arrsize': 34, 'type': 'unsigned long'},\n",
" {'name': 'PostProcessInitRoutine', 'type': 'unsigned long'},\n",
" {'name': 'TlsExpansionBitmap', 'type': 'unsigned long'},\n",
" {'name': 'TlsExpansionBitmapBits', 'arrsize': 32, 'type': 'unsigned long'},\n",
" {'name': 'SessionId', 'type': 'unsigned long'},\n",
" {'name': 'AppCompatFlags', 'type': '_ULARGE_INTEGER'},\n",
" {'name': 'AppCompatFlagsUser', 'type': '_ULARGE_INTEGER'},\n",
" {'name': 'pShimData', 'type': 'unsigned long'},\n",
" {'name': 'AppCompatInfo', 'type': 'unsigned long'},\n",
" {'name': 'CSDVersion', 'type': '_STRING32'},\n",
" {'name': 'ActivationContextData', 'type': 'unsigned long'},\n",
" {'name': 'ProcessAssemblyStorageMap', 'type': 'unsigned long'},\n",
" {'name': 'SystemDefaultActivationContextData', 'type': 'unsigned long'},\n",
" {'name': 'SystemAssemblyStorageMap', 'type': 'unsigned long'},\n",
" {'name': 'MinimumStackCommit', 'type': 'unsigned long'},\n",
" {'name': 'SparePointers', 'arrsize': 4, 'type': 'unsigned long'},\n",
" {'name': 'SpareUlongs', 'arrsize': 5, 'type': 'unsigned long'},\n",
" {'name': 'WerRegistrationData', 'type': 'unsigned long'},\n",
" {'name': 'WerShipAssertPtr', 'type': 'unsigned long'},\n",
" {'name': 'pUnused', 'type': 'unsigned long'},\n",
" {'name': 'pImageHeaderHash', 'type': 'unsigned long'},\n",
" {'name': 'TracingFlags', 'type': 'unsigned long'},\n",
" {'name': 'PADDING2', 'type': 'unsigned long'},\n",
" {'name': 'CsrServerReadOnlySharedMemoryBase', 'type': 'unsigned long long'},\n",
" {'name': 'TppWorkerpListLock', 'type': 'unsigned long'},\n",
" {'name': 'TppWorkerpList', 'type': 'LIST_ENTRY32'},\n",
" {'name': 'WaitOnAddressHashTable', 'arrsize': 128, 'type': 'unsigned long'},\n",
" {'name': 'TelemetryCoverageHeader', 'type': 'unsigned long'},\n",
" {'name': 'CloudFileFlags', 'type': 'unsigned long'},\n",
" {'name': 'CloudFileDiagFlags', 'type': 'unsigned long'},\n",
" {'name': 'PlaceholderCompatibilityMode', 'type': 'unsigned char'},\n",
" {'name': 'PlaceholderCompatibilityModeReserved',\n",
" 'arrsize': 7,\n",
" 'type': 'unsigned char'},\n",
" {'name': 'LeapSecondData', 'type': 'unsigned long'},\n",
" {'name': 'LeapSecondFlags', 'type': 'unsigned long'},\n",
" {'name': 'NtGlobalFlag2', 'type': 'unsigned long'}]"
]
},
"execution_count": 5,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"members"
]
},
{
"cell_type": "code",
"execution_count": 6,
"metadata": {},
"outputs": [],
"source": [
"types['structs'][0]['members'] = members"
]
},
{
"cell_type": "code",
"execution_count": 7,
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"{\n",
" \"types\": [\n",
" {\n",
" \"name\": \"HANDLE\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"_PEB32_LDR_DATA\",\n",
" \"type\": \"ptr\"\n",
" }\n",
" ],\n",
" \"structs\": [\n",
" {\n",
" \"name\": \"_PEB32\",\n",
" \"members\": [\n",
" {\n",
" \"name\": \"InheritedAddressSpace\",\n",
" \"type\": \"bool\"\n",
" },\n",
" {\n",
" \"name\": \"ReadImageFileExecOptions\",\n",
" \"type\": \"bool\"\n",
" },\n",
" {\n",
" \"name\": \"BeingDebugged\",\n",
" \"type\": \"bool\"\n",
" },\n",
" {\n",
" \"name\": \"BitField\",\n",
" \"type\": \"unsigned char\"\n",
" },\n",
" {\n",
" \"name\": \"Mutant\",\n",
" \"type\": \"HANDLE\"\n",
" },\n",
" {\n",
" \"name\": \"ImageBaseAddress\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"Ldr\",\n",
" \"type\": \"_PEB32_LDR_DATA\"\n",
" },\n",
" {\n",
" \"name\": \"ProcessParameters\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"SubSystemData\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"ProcessHeap\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"FastPebLock\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"AtlThunkSListPtr\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"IFEOKey\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"CrossProcessFlags\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"KernelCallbackTable\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"SystemReserved\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"AtlThunkSListPtr32\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"ApiSetMap\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"TlsExpansionCounter\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"TlsBitmap\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"TlsBitmapBits\",\n",
" \"arrsize\": 2,\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"ReadOnlySharedMemoryBase\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"SharedData\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"ReadOnlyStaticServerData\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"AnsiCodePageData\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"OemCodePageData\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"UnicodeCaseTableData\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"NumberOfProcessors\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"NtGlobalFlag\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"PADDING\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"CriticalSectionTimeout\",\n",
" \"type\": \"_LARGE_INTEGER\"\n",
" },\n",
" {\n",
" \"name\": \"HeapSegmentReserve\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"HeapSegmentCommit\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"HeapDeCommitTotalFreeThreshold\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"HeapDeCommitFreeBlockThreshold\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"NumberOfHeaps\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"MaximumNumberOfHeaps\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"ProcessHeaps\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"GdiSharedHandleTable\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"ProcessStarterHelper\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"GdiDCAttributeList\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"LoaderLock\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"OSMajorVersion\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"OSMinorVersion\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"OSBuildNumber\",\n",
" \"type\": \"unsigned short\"\n",
" },\n",
" {\n",
" \"name\": \"OSCSDVersion\",\n",
" \"type\": \"unsigned short\"\n",
" },\n",
" {\n",
" \"name\": \"OSPlatformId\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"ImageSubsystem\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"ImageSubsystemMajorVersion\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"ImageSubsystemMinorVersion\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"ActiveProcessAffinityMask\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"GdiHandleBuffer\",\n",
" \"arrsize\": 34,\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"PostProcessInitRoutine\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"TlsExpansionBitmap\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"TlsExpansionBitmapBits\",\n",
" \"arrsize\": 32,\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"SessionId\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"AppCompatFlags\",\n",
" \"type\": \"_ULARGE_INTEGER\"\n",
" },\n",
" {\n",
" \"name\": \"AppCompatFlagsUser\",\n",
" \"type\": \"_ULARGE_INTEGER\"\n",
" },\n",
" {\n",
" \"name\": \"pShimData\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"AppCompatInfo\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"CSDVersion\",\n",
" \"type\": \"_STRING32\"\n",
" },\n",
" {\n",
" \"name\": \"ActivationContextData\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"ProcessAssemblyStorageMap\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"SystemDefaultActivationContextData\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"SystemAssemblyStorageMap\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"MinimumStackCommit\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"SparePointers\",\n",
" \"arrsize\": 4,\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"SpareUlongs\",\n",
" \"arrsize\": 5,\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"WerRegistrationData\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"WerShipAssertPtr\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"pUnused\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"pImageHeaderHash\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"TracingFlags\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"PADDING2\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"CsrServerReadOnlySharedMemoryBase\",\n",
" \"type\": \"unsigned long long\"\n",
" },\n",
" {\n",
" \"name\": \"TppWorkerpListLock\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"TppWorkerpList\",\n",
" \"type\": \"LIST_ENTRY32\"\n",
" },\n",
" {\n",
" \"name\": \"WaitOnAddressHashTable\",\n",
" \"arrsize\": 128,\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"TelemetryCoverageHeader\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"CloudFileFlags\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"CloudFileDiagFlags\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"PlaceholderCompatibilityMode\",\n",
" \"type\": \"unsigned char\"\n",
" },\n",
" {\n",
" \"name\": \"PlaceholderCompatibilityModeReserved\",\n",
" \"arrsize\": 7,\n",
" \"type\": \"unsigned char\"\n",
" },\n",
" {\n",
" \"name\": \"LeapSecondData\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"LeapSecondFlags\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"NtGlobalFlag2\",\n",
" \"type\": \"unsigned long\"\n",
" }\n",
" ]\n",
" },\n",
" {\n",
" \"name\": \"_STRING32\",\n",
" \"members\": [\n",
" {\n",
" \"name\": \"Length\",\n",
" \"type\": \"unsigned short\"\n",
" },\n",
" {\n",
" \"name\": \"MaximumLength\",\n",
" \"type\": \"unsigned short\"\n",
" },\n",
" {\n",
" \"name\": \"Buffer\",\n",
" \"type\": \"unsigned long\"\n",
" }\n",
" ]\n",
" },\n",
" {\n",
" \"name\": \"LIST_ENTRY32\",\n",
" \"members\": [\n",
" {\n",
" \"name\": \"Flink\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"Blink\",\n",
" \"type\": \"unsigned long\"\n",
" }\n",
" ]\n",
" },\n",
" {\n",
" \"name\": \"__unnamed_1119\",\n",
" \"members\": [\n",
" {\n",
" \"name\": \"LowPart\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"HighPart\",\n",
" \"type\": \"long\"\n",
" }\n",
" ]\n",
" },\n",
" {\n",
" \"name\": \"__unnamed_108b\",\n",
" \"members\": [\n",
" {\n",
" \"name\": \"LowPart\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"HighPart\",\n",
" \"type\": \"unsigned long\"\n",
" }\n",
" ]\n",
" }\n",
" ],\n",
" \"unions\": [\n",
" {\n",
" \"name\": \"_LARGE_INTEGER\",\n",
" \"members\": [\n",
" {\n",
" \"name\": \"LowPart\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"QuadPart\",\n",
" \"type\": \"long long\"\n",
" },\n",
" {\n",
" \"name\": \"u\",\n",
" \"type\": \"__unnamed_1119\"\n",
" },\n",
" {\n",
" \"name\": \"HighPart\",\n",
" \"type\": \"long\"\n",
" }\n",
" ]\n",
" },\n",
" {\n",
" \"name\": \"_ULARGE_INTEGER\",\n",
" \"members\": [\n",
" {\n",
" \"name\": \"LowPart\",\n",
" \"type\": \"unsigned long\"\n",
" },\n",
" {\n",
" \"name\": \"QuadPart\",\n",
" \"type\": \"unsigned long long\"\n",
" },\n",
" {\n",
" \"name\": \"u\",\n",
" \"type\": \"__unnamed_108b\"\n",
" },\n",
" {\n",
" \"name\": \"HighPart\",\n",
" \"type\": \"unsigned long\"\n",
" }\n",
" ]\n",
" }\n",
" ]\n",
"}\n"
]
}
],
"source": [
"print(json.dumps(types, indent=4))"
]
},
{
"cell_type": "code",
"execution_count": 8,
"metadata": {},
"outputs": [],
"source": [
"types_file_path = pathlib.Path().home().joinpath('Desktop').joinpath('types.json')"
]
},
{
"cell_type": "code",
"execution_count": 9,
"metadata": {},
"outputs": [],
"source": [
"with open(types_file_path, 'w') as fh:\n",
" fh.write(json.dumps(types, sort_keys=True, indent=4))"
]
}
],
"metadata": {
"kernelspec": {
"display_name": "Python 3",
"language": "python",
"name": "python3"
},
"language_info": {
"codemirror_mode": {
"name": "ipython",
"version": 3
},
"file_extension": ".py",
"mimetype": "text/x-python",
"name": "python",
"nbconvert_exporter": "python",
"pygments_lexer": "ipython3",
"version": "3.8.2"
}
},
"nbformat": 4,
"nbformat_minor": 4
}
Raw
types.json
{
"structs": [
{
"members": [
{
"name": "InheritedAddressSpace",
"type": "bool"
},
{
"name": "ReadImageFileExecOptions",
"type": "bool"
},
{
"name": "BeingDebugged",
"type": "bool"
},
{
"name": "BitField",
"type": "unsigned char"
},
{
"name": "Mutant",
"type": "HANDLE"
},
{
"name": "ImageBaseAddress",
"type": "unsigned long"
},
{
"name": "Ldr",
"type": "_PEB32_LDR_DATA"
},
{
"name": "ProcessParameters",
"type": "unsigned long"
},
{
"name": "SubSystemData",
"type": "unsigned long"
},
{
"name": "ProcessHeap",
"type": "unsigned long"
},
{
"name": "FastPebLock",
"type": "unsigned long"
},
{
"name": "AtlThunkSListPtr",
"type": "unsigned long"
},
{
"name": "IFEOKey",
"type": "unsigned long"
},
{
"name": "CrossProcessFlags",
"type": "unsigned long"
},
{
"name": "KernelCallbackTable",
"type": "unsigned long"
},
{
"name": "SystemReserved",
"type": "unsigned long"
},
{
"name": "AtlThunkSListPtr32",
"type": "unsigned long"
},
{
"name": "ApiSetMap",
"type": "unsigned long"
},
{
"name": "TlsExpansionCounter",
"type": "unsigned long"
},
{
"name": "TlsBitmap",
"type": "unsigned long"
},
{
"arrsize": 2,
"name": "TlsBitmapBits",
"type": "unsigned long"
},
{
"name": "ReadOnlySharedMemoryBase",
"type": "unsigned long"
},
{
"name": "SharedData",
"type": "unsigned long"
},
{
"name": "ReadOnlyStaticServerData",
"type": "unsigned long"
},
{
"name": "AnsiCodePageData",
"type": "unsigned long"
},
{
"name": "OemCodePageData",
"type": "unsigned long"
},
{
"name": "UnicodeCaseTableData",
"type": "unsigned long"
},
{
"name": "NumberOfProcessors",
"type": "unsigned long"
},
{
"name": "NtGlobalFlag",
"type": "unsigned long"
},
{
"name": "PADDING",
"type": "unsigned long"
},
{
"name": "CriticalSectionTimeout",
"type": "_LARGE_INTEGER"
},
{
"name": "HeapSegmentReserve",
"type": "unsigned long"
},
{
"name": "HeapSegmentCommit",
"type": "unsigned long"
},
{
"name": "HeapDeCommitTotalFreeThreshold",
"type": "unsigned long"
},
{
"name": "HeapDeCommitFreeBlockThreshold",
"type": "unsigned long"
},
{
"name": "NumberOfHeaps",
"type": "unsigned long"
},
{
"name": "MaximumNumberOfHeaps",
"type": "unsigned long"
},
{
"name": "ProcessHeaps",
"type": "unsigned long"
},
{
"name": "GdiSharedHandleTable",
"type": "unsigned long"
},
{
"name": "ProcessStarterHelper",
"type": "unsigned long"
},
{
"name": "GdiDCAttributeList",
"type": "unsigned long"
},
{
"name": "LoaderLock",
"type": "unsigned long"
},
{
"name": "OSMajorVersion",
"type": "unsigned long"
},
{
"name": "OSMinorVersion",
"type": "unsigned long"
},
{
"name": "OSBuildNumber",
"type": "unsigned short"
},
{
"name": "OSCSDVersion",
"type": "unsigned short"
},
{
"name": "OSPlatformId",
"type": "unsigned long"
},
{
"name": "ImageSubsystem",
"type": "unsigned long"
},
{
"name": "ImageSubsystemMajorVersion",
"type": "unsigned long"
},
{
"name": "ImageSubsystemMinorVersion",
"type": "unsigned long"
},
{
"name": "ActiveProcessAffinityMask",
"type": "unsigned long"
},
{
"arrsize": 34,
"name": "GdiHandleBuffer",
"type": "unsigned long"
},
{
"name": "PostProcessInitRoutine",
"type": "unsigned long"
},
{
"name": "TlsExpansionBitmap",
"type": "unsigned long"
},
{
"arrsize": 32,
"name": "TlsExpansionBitmapBits",
"type": "unsigned long"
},
{
"name": "SessionId",
"type": "unsigned long"
},
{
"name": "AppCompatFlags",
"type": "_ULARGE_INTEGER"
},
{
"name": "AppCompatFlagsUser",
"type": "_ULARGE_INTEGER"
},
{
"name": "pShimData",
"type": "unsigned long"
},
{
"name": "AppCompatInfo",
"type": "unsigned long"
},
{
"name": "CSDVersion",
"type": "_STRING32"
},
{
"name": "ActivationContextData",
"type": "unsigned long"
},
{
"name": "ProcessAssemblyStorageMap",
"type": "unsigned long"
},
{
"name": "SystemDefaultActivationContextData",
"type": "unsigned long"
},
{
"name": "SystemAssemblyStorageMap",
"type": "unsigned long"
},
{
"name": "MinimumStackCommit",
"type": "unsigned long"
},
{
"arrsize": 4,
"name": "SparePointers",
"type": "unsigned long"
},
{
"arrsize": 5,
"name": "SpareUlongs",
"type": "unsigned long"
},
{
"name": "WerRegistrationData",
"type": "unsigned long"
},
{
"name": "WerShipAssertPtr",
"type": "unsigned long"
},
{
"name": "pUnused",
"type": "unsigned long"
},
{
"name": "pImageHeaderHash",
"type": "unsigned long"
},
{
"name": "TracingFlags",
"type": "unsigned long"
},
{
"name": "PADDING2",
"type": "unsigned long"
},
{
"name": "CsrServerReadOnlySharedMemoryBase",
"type": "unsigned long long"
},
{
"name": "TppWorkerpListLock",
"type": "unsigned long"
},
{
"name": "TppWorkerpList",
"type": "LIST_ENTRY32"
},
{
"arrsize": 128,
"name": "WaitOnAddressHashTable",
"type": "unsigned long"
},
{
"name": "TelemetryCoverageHeader",
"type": "unsigned long"
},
{
"name": "CloudFileFlags",
"type": "unsigned long"
},
{
"name": "CloudFileDiagFlags",
"type": "unsigned long"
},
{
"name": "PlaceholderCompatibilityMode",
"type": "unsigned char"
},
{
"arrsize": 7,
"name": "PlaceholderCompatibilityModeReserved",
"type": "unsigned char"
},
{
"name": "LeapSecondData",
"type": "unsigned long"
},
{
"name": "LeapSecondFlags",
"type": "unsigned long"
},
{
"name": "NtGlobalFlag2",
"type": "unsigned long"
}
],
"name": "_PEB32"
},
{
"members": [
{
"name": "Length",
"type": "unsigned short"
},
{
"name": "MaximumLength",
"type": "unsigned short"
},
{
"name": "Buffer",
"type": "unsigned long"
}
],
"name": "_STRING32"
},
{
"members": [
{
"name": "Flink",
"type": "unsigned long"
},
{
"name": "Blink",
"type": "unsigned long"
}
],
"name": "LIST_ENTRY32"
},
{
"members": [
{
"name": "LowPart",
"type": "unsigned long"
},
{
"name": "HighPart",
"type": "long"
}
],
"name": "__unnamed_1119"
},
{
"members": [
{
"name": "LowPart",
"type": "unsigned long"
},
{
"name": "HighPart",
"type": "unsigned long"
}
],
"name": "__unnamed_108b"
}
],
"types": [
{
"name": "HANDLE",
"type": "unsigned long"
},
{
"name": "_PEB32_LDR_DATA",
"type": "ptr"
}
],
"unions": [
{
"members": [
{
"name": "LowPart",
"type": "unsigned long"
},
{
"name": "QuadPart",
"type": "long long"
},
{
"name": "u",
"type": "__unnamed_1119"
},
{
"name": "HighPart",
"type": "long"
}
],
"name": "_LARGE_INTEGER"
},
{
"members": [
{
"name": "LowPart",
"type": "unsigned long"
},
{
"name": "QuadPart",
"type": "unsigned long long"
},
{
"name": "u",
"type": "__unnamed_108b"
},
{
"name": "HighPart",
"type": "unsigned long"
}
],
"name": "_ULARGE_INTEGER"
}
]
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment