flat assembler
Message board for the users of flat assembler.
LocoDelAssembly 26 Aug 2006, 00:29
Code:

```
include 'win32a.inc'

struct LIST_ENTRY
  Flink dd ?
  Blink dd ?
ends

struct PEB_LDR_DATA ; sizeof = 24h
  _Length dd ? ; original name Length
  Initialized db ? ; 04h
  db 3 dup(?) ; padding
  SsHandle dd ? ; 08h
  InLoadOrderModuleList LIST_ENTRY ; 0Ch
  InMemoryOrderModuleList LIST_ENTRY ; 14h
  InInitializationOrderModuleList LIST_ENTRY ; 1Ch
ends

struc LARGE_INTEGER value {. dq value }

struct PEB ; sizeof = 0230h
  InheritedAddressSpace db ? ; 0000h
  ReadImageFileExecOptions db ? ; 0001h
  BeingDebugged db ? ; 0002h
  SpareBool db ? ; 0003h
  Mutant dd ? ; 0004h
  ImageBaseAddress dd ? ; 0008h
  Ldr PEB_LDR_DATA ; 000Ch PTR PEB_LDR_DATA
  ProcessParameters dd ? ; 0010h PTR RTL_USER_PROCESS_PARAMETERS
  SubSystemData dd ? ; 0014h
  ProcessHeap dd ? ; 0018h
  FastPebLock dd ? ; 001Ch PTR RTL_CRITICAL_SECTION
  SparePtr1 dd ? ; 0020h
  SparePtr2 dd ? ; 0024h
  EnvironmentUpdateCount dd ? ; 0028h
  KernelCallbackTable dd ? ; 002Ch
  SystemReserved dd 1 dup(?) ; 0030h
  PebBits dd ? ; 0034h named by me
  FreeList dd ? ; 0038h PTR PEB_FREE_BLOCK
  TlsExpansionCounter dd ? ; 003Ch
  TlsBitmap dd ? ; 0040h
  TlsBitmapBits dd 2 dup(?) ; 0044h
  ReadOnlySharedMemoryBase dd ? ; 004Ch
  ReadOnlySharedMemoryHeap dd ? ; 0050h
  ReadOnlyStaticServerData dd ? ; 0054h
  AnsiCodePageData dd ? ; 0058h
  OemCodePageData dd ? ; 005Ch
  UnicodeCaseTableData dd ? ; 0060h
  NumberOfProcessors dd ? ; 0064h
  NtGlobalFlag dd ? ; 0068h
  dd ? ; 006Ch padding
  CriticalSectionTimeout LARGE_INTEGER ? ; 0070h
  HeapSegmentReserve dd ? ; 0078h
  HeapSegmentCommit dd ? ; 007Ch
  HeapDeCommitTotalFreeThreshold dd ? ; 0080h
  HeapDeCommitFreeBlockThreshold dd ? ; 0084h
  NumberOfHeaps dd ? ; 0088h
  MaximumNumberOfHeaps dd ? ; 008Ch
  ProcessHeaps dd ? ; 0090h
  GdiSharedHandleTable dd ? ; 0094h
  ProcessStarterHelper dd ? ; 0098h
  GdiDCAttributeList dd ? ; 009Ch
  LoaderLock dd ? ; 00A0h PTR RTL_CRITICAL_SECTION
  OSMajorVersion dd ? ; 00A4h
  OSMinorVersion dd ? ; 00A8h
  OSBuildNumber dw ? ; 00ACh
  OSCSDVersion dw ? ; 00AEh
  OSPlatformId dd ? ; 00B0h
  ImageSubsystem dd ? ; 00B4h
  ImageSubsystemMajorVersion dd ? ; 00B8h
  ImageSubsystemMinorVersion dd ? ; 00BCh
  ImageProcessAffinityMask dd ? ; 00C0h
  GdiHandleBuffer dd 34 dup(?) ; 00C4h
  PostProcessInitRoutine dd ? ; 014Ch
  TlsExpansionBitmap dd ? ; 0150h
  TlsExpansionBitmapBits dd 32 dup(?) ; 0154h
  SessionId dd ? ; 01D4h
ends
```

Assembles, but I don't know if it produces your desired output.

BTW, why do I get the error "Error: definition of PEB contains illegal instructions." if I use "LARGE_INTEGER equ dq" instead of "struc LARGE_INTEGER value {. dq value }"?

Regards

PS: Also, I don't know what your problem is because you didn't say what it is, so I assumed that it was an assembling problem...
okasvi 26 Aug 2006, 02:47
I'm tired and a bit drunk atm., but at least you got a few things wrong there, i.e.

```
Ldr PEB_LDR_DATA ; 000Ch PTR PEB_LDR_DATA
```

which, as the comment reads, should be a pointer to it.

For the correct typedef of struct PEB: http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Process/PEB.html

PEB_LDR_DATA: http://undocumented.ntinternals.net/UserMode/Structures/PEB_LDR_DATA.html

For the rest, see the bottom of the first page, 'See also:' or something...

I should go to sleep now, talk to you tomorrow Shism on msn

_________________
When We Ride On Our Enemies
support reverse smileys |:
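The effect of embedding `PEB_LDR_DATA` by value instead of as a pointer can be checked mechanically against the offset comments in the posted definition. The following is an added example, not code from the thread: `check_layout`, the `SIZES` table and the two sample listings are this example's own names, and it assumes the 32-bit layout and the 24h size stated in the post's comments.

```python
import re

# Byte sizes of the fasm data directives used in the post, plus the embedded
# structure (PEB_LDR_DATA is 24h bytes according to the post's own comment).
SIZES = {"db": 1, "dw": 2, "dd": 4, "dq": 8, "PEB_LDR_DATA": 0x24}

# "<name> <type> [? | N dup(?)] ; <hex offset>h ..."
FIELD = re.compile(r"^\s*(\w+)\s+(\w+)(?:\s+(\d+)\s+dup\(\?\)|\s+\?)?"
                   r"\s*;\s*([0-9A-Fa-f]+)h")

def check_layout(lines):
    """Return (field, commented_offset, computed_offset) for every mismatch."""
    offset, mismatches = 0, []
    for line in lines:
        m = FIELD.match(line)
        if not m:
            continue  # not a field line carrying an offset comment
        name, ftype, count, commented = m.groups()
        if int(commented, 16) != offset:
            mismatches.append((name, int(commented, 16), offset))
        offset += SIZES[ftype] * int(count or 1)
    return mismatches

# First fields of the PEB definition as posted (Ldr embedded by value).
AS_POSTED = """
InheritedAddressSpace db ? ; 0000h
ReadImageFileExecOptions db ? ; 0001h
BeingDebugged db ? ; 0002h
SpareBool db ? ; 0003h
Mutant dd ? ; 0004h
ImageBaseAddress dd ? ; 0008h
Ldr PEB_LDR_DATA ; 000Ch PTR PEB_LDR_DATA
ProcessParameters dd ? ; 0010h PTR RTL_USER_PROCESS_PARAMETERS
SubSystemData dd ? ; 0014h
ProcessHeap dd ? ; 0018h
""".splitlines()

# Same fields with Ldr declared as a 4-byte pointer, as the reply suggests.
WITH_POINTER = [l.replace("Ldr PEB_LDR_DATA ;", "Ldr dd ? ;") for l in AS_POSTED]

if __name__ == "__main__":
    for label, lines in (("as posted", AS_POSTED), ("Ldr as pointer", WITH_POINTER)):
        bad = [(n, hex(want), hex(got)) for n, want, got in check_layout(lines)]
        print(label, "->", bad or "all offsets match")
```

With the structure embedded, every field after `Ldr` lands 20h bytes later than its comment says; with a `dd` pointer the computed offsets agree with the comments.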
chris 29 Aug 2006, 03:52
I think the most reliable way to get some of the undocumented types and structures is to install WinDbg and the symbol files for hal.dll, ntoskrnl.exe and ntdll.dll. Then the command dt (display type) reveals a lot of internals of Windows.
Copyright © 1999-2023, Tomasz Grysztar. Also on GitHub, YouTube.