Skip to content

Instantly share code, notes, and snippets.

@wbenny

wbenny/PS_SYSTEM_DLL_DATA.h

Created October 30, 2018 01:16
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
  • Save wbenny/c36e75881da6af097ae7bca6c7671b13 to your computer and use it in GitHub Desktop.
Save wbenny/c36e75881da6af097ae7bca6c7671b13 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
PS_SYSTEM_DLL_DATA.h
//
// sizeof=0x50, align=0x8
//
typedef struct _PS_SYSTEM_DLL_DATA {
//
// +0x00
//
// _SECTION* object of the DLL.
// Initialized at runtime by PspLocateSystemDll.
//
union {
EX_FAST_REF SectionObjectFastRef;
PVOID SectionObject;
};
//
// +0x08
// Push lock.
//
EX_PUSH_LOCK PushLock;
//
// +0x10
// Flags.
// Initialized statically.
//
USHORT Flags;
//
// +0x12
// Machine type of this WoW64 NTDLL.
// Initialized statically.
// Examples:
// - IMAGE_FILE_MACHINE_I386
// - IMAGE_FILE_MACHINE_ARMNT
//
USHORT MachineType;
//
// +0x14
// Unused, always 0.
//
ULONG Reserved1;
//
// +0x18
// Path to the WoW64 NTDLL.
// Initialized statically.
// Examples:
// - "\\SystemRoot\\SysWOW64\\ntdll.dll"
// - "\\SystemRoot\\SysArm32\\ntdll.dll"
//
UNICODE_STRING Ntdll32Path;
//
// +0x28
// Image base of the DLL.
// Initialized at runtime by PspMapSystemDll.
// Equivalent of:
// RtlImageNtHeader(BaseAddress)->
// OptionalHeader.ImageBase;
//
PVOID ImageBase;
//
// +0x30
// Contains DLL name (such as "ntdll.dll" or
// "ntdll32.dll") before runtime initialization.
// Initialized at runtime by MmMapViewOfSectionEx,
// called from PspMapSystemDll.
//
union {
PVOID BaseAddress;
PWCHAR DllName;
};
//
// +0x38
// Unused, always 0.
//
PVOID Reserved2;
//
// +0x40
// Section relocation information.
//
PVOID SectionRelocationInformation;
//
// +0x48
// Unused, always 0.
//
PVOID Reserved3;
} PS_SYSTEM_DLL_DATA, *PPS_SYSTEM_DLL_DATA;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment