#pragma once
#pragma warning(push)
#pragma warning(disable: 4201)
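namespace wdk
{
    //
    // Hand-mirrored kernel definitions (WDK enumerations plus undocumented nt
    // internals) for x64. Everything below is a fixed, build-specific memory
    // layout. The static_asserts only pin the size of *this* definition; they
    // cannot prove that the running kernel lays the structure out the same way.
    // Reading kernel memory through a definition from the wrong build is a
    // kernel-mode memory-safety bug, so callers are expected to select the
    // variant (top level vs. the build_10240 namespace) from the detected
    // SystemVersion before dereferencing anything typed with these structures.
    //
    static_assert(sizeof(void *) == 8, "wdk::* layouts are defined for x64 only");

    //
    // Windows releases this code distinguishes, ordered oldest to newest so that
    // callers can compare them. The enumerator value is an ordinal, not a build
    // number; the build each entry stands for is in the trailing comment.
    // Inserting a release before WindowsMax shifts WindowsMax, so these values
    // must not be persisted or transmitted raw.
    //
    enum class SystemVersion : UINT32
    {
        Unknown,
        WindowsXP,                  // 5.1.2600
        WindowsXP64,                // 5.2.3790
        WindowsVista,               // 6.0.6000
        WindowsVista_SP1,           // 6.0.6001
        WindowsVista_SP2,           // 6.0.6002
        Windows7,                   // 6.1.7600
        Windows7_SP1,               // 6.1.7601
        Windows8,                   // 6.2.9200
        Windows8_1,                 // 6.3.9600
        Windows10,
        Windows10_1507 = Windows10, // 10.0.10240
        Windows10_1511,             // 10.0.10586
        Windows10_1607,             // 10.0.14393
        Windows10_1703,             // 10.0.15063
        Windows10_1709,             // 10.0.16299
        Windows10_1803,             // 10.0.17134
        Windows10_1809,             // 10.0.17763 (17741 was a pre-release build of 1809)
        WindowsMax,
    };

    //
    // POOL_TYPE as declared by the WDK (ntddk.h), reproduced here so the header
    // does not depend on which WDK is installed. The values must stay bit-exact:
    // the base/session/cache-aligned variants are recovered by masking, and
    // NonPagedPoolNx (512) is an extra flag bit on top of the base type.
    //
    typedef enum _POOL_TYPE {
        NonPagedPool,
        NonPagedPoolExecute = NonPagedPool,
        PagedPool,
        NonPagedPoolMustSucceed = NonPagedPool + 2,
        DontUseThisType,
        NonPagedPoolCacheAligned = NonPagedPool + 4,
        PagedPoolCacheAligned,
        NonPagedPoolCacheAlignedMustS = NonPagedPool + 6,
        MaxPoolType,

        //
        // Define base types for NonPaged (versus Paged) pool, for use in cracking
        // the underlying pool type.
        //
        NonPagedPoolBase = 0,
        NonPagedPoolBaseMustSucceed = NonPagedPoolBase + 2,
        NonPagedPoolBaseCacheAligned = NonPagedPoolBase + 4,
        NonPagedPoolBaseCacheAlignedMustS = NonPagedPoolBase + 6,

        //
        // Note these per session types are carefully chosen so that the appropriate
        // masking still applies as well as MaxPoolType above.
        //
        NonPagedPoolSession = 32,
        PagedPoolSession = NonPagedPoolSession + 1,
        NonPagedPoolMustSucceedSession = PagedPoolSession + 1,
        DontUseThisTypeSession = NonPagedPoolMustSucceedSession + 1,
        NonPagedPoolCacheAlignedSession = DontUseThisTypeSession + 1,
        PagedPoolCacheAlignedSession = NonPagedPoolCacheAlignedSession + 1,
        NonPagedPoolCacheAlignedMustSSession = PagedPoolCacheAlignedSession + 1,

        NonPagedPoolNx = 512,
        NonPagedPoolNxCacheAligned = NonPagedPoolNx + 4,
        NonPagedPoolSessionNx = NonPagedPoolNx + 32,
    } POOL_TYPE;

    //
    // One x64 IDT gate descriptor (16 bytes), per the WDK definition. The handler
    // offset is split across OffsetLow / OffsetMiddle / OffsetHigh; Type, Dpl and
    // Present are the descriptor attribute bits and IstIndex selects the interrupt
    // stack. Alignment aliases only the first quadword of the descriptor.
    //
    typedef union _KIDTENTRY64 {
        struct {
            UINT16 OffsetLow;
            UINT16 Selector;
            UINT16 IstIndex : 3;
            UINT16 Reserved0 : 5;
            UINT16 Type : 5;
            UINT16 Dpl : 2;
            UINT16 Present : 1;
            UINT16 OffsetMiddle;
            UINT32 OffsetHigh;
            UINT32 Reserved1;
        };
        UINT64 Alignment;
    } KIDTENTRY64, *PKIDTENTRY64;
    static_assert(sizeof(KIDTENTRY64) == 16, "sizeof(KIDTENTRY64) != 16");

    //
    // Entry of the kernel's big-page pool tracking table (allocations that occupy
    // whole pages). This is the layout used for builds that do not map onto the
    // build_10240 variant below.
    // NOTE(review): on the builds I have looked at the kernel reuses the low bit
    // of Va as a "free entry" marker, so mask it before treating Va as a pointer
    // -- confirm against the target build before relying on it.
    //
    typedef struct _POOL_TRACKER_BIG_PAGES
    {
        PVOID Va;
        ULONG Tag;
        ULONG PoolType;
        SIZE_T NumberOfBytes;
    } POOL_TRACKER_BIG_PAGES, *PPOOL_TRACKER_BIG_PAGES;
    static_assert(sizeof(POOL_TRACKER_BIG_PAGES) == 0x18, "sizeof(POOL_TRACKER_BIG_PAGES) != 0x18");

    //
    // Page frame number database entry. Only the first three quadwords (list
    // links / PTE address) are modelled; DontUseThis pads the entry to the
    // 0x30-byte stride pinned by the static_assert below, so that indexing an
    // array of these lands on the right entry even though the tail is opaque.
    //
    typedef struct _MMPFN
    {
        union {
            UINT64 Flink;
            ULONG32 WsIndex;                // working-set index
            struct _KEVENT * Event;
            VOID* Next;
            VOID* VolatileNext;
            struct _KTHREAD * KernelStackOwner;
            SINGLE_LIST_ENTRY NextStackPfn;
        } u1;
        union {
            UINT64 Blink;
            struct _MMPTE * ImageProtoPte;
            UINT64 ShareCount;
        } u2;
        union {
            struct _MMPTE * PteAddress;
            VOID * VolatilePteAddress;
            LONG32 Lock;
            UINT64 PteLong;
        };
        UINT64 DontUseThis[3];              // remainder of the entry, not modelled
    } MMPFN, *PMMPFN;
    static_assert(sizeof(MMPFN) == sizeof(void *) * 6, "sizeof(MMPFN) != sizeof(void *) * 6");

    //
    // Variants of the structures above whose layout changed with Windows 10 build
    // 10240. Which builds are mapped onto this namespace is decided outside this
    // header (presumably from SystemVersion in WDK.PTE.h / WDK.PGContext.h --
    // verify in the consumers).
    //
    namespace build_10240
    {
        //
        // Same size as the pre-10240 entry, but the ULONG PoolType field became a
        // packed bit-field: Pattern / PoolType / SlushSize share one 32-bit word.
        //
        typedef struct _POOL_TRACKER_BIG_PAGES
        {
            PVOID Va;
            ULONG Tag;
            struct
            {
                ULONG Pattern : 8;
                ULONG PoolType : 12;
                ULONG SlushSize : 12;
            };
            SIZE_T NumberOfBytes;
        } POOL_TRACKER_BIG_PAGES, *PPOOL_TRACKER_BIG_PAGES;
        static_assert(sizeof(POOL_TRACKER_BIG_PAGES) == 0x18, "sizeof(build_10240::POOL_TRACKER_BIG_PAGES) != 0x18");

        //
        // PFN entry for 10240+: the first 24 bytes overlap a LIST_ENTRY, and the
        // Flink word is split into a 36-bit Flink plus a 28-bit NodeFlinkHigh.
        // Total size is still 0x30 bytes (see the static_assert below).
        //
        typedef struct _MMPFN
        {
            union {
                LIST_ENTRY ListEntry;
                //struct _RTL_BALANCED_NODE TreeNode; // sizeof(_RTL_BALANCED_NODE) == 24
                struct
                {
                    union {
                        struct
                        {
                            UINT64 Flink : 36;
                            UINT64 NodeFlinkHigh : 28;
                        };
                        UINT64 WsIndex;     // working-set index
                        struct _KEVENT *Event;
                        VOID * Next;
                        VOID * VolatileNext;
                        struct _KTHREAD*KernelStackOwner;
                        SINGLE_LIST_ENTRY NextStackPfn;
                    } u1;
                    union {
                        struct _MMPTE * PteAddress;
                        VOID * VolatilePteAddress;
                        UINT64 PteLong;
                    };
                    UINT64 OriginalPte;
                };                          // sizeof(unnamed struct) == 24
            };
            UINT64 DontUseThis[3];          // remainder of the entry, not modelled
        } MMPFN, *PMMPFN;
        static_assert(sizeof(MMPFN) == sizeof(void *) * 6, "sizeof(build_10240::MMPFN) != sizeof(void *) * 6");
    }
}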
#pragma warning(pop)
#include "WDK.PTE.h"
#include "WDK.PGContext.h"