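unit In2kDataStruct;
{ Pascal mirrors of Windows 2000 (32-bit x86) internal structures: UNICODE_STRING,
  HOOK, THREADINFO, PROCESSINFO, PEB, TEB and their helpers. Each record copies a
  C layout by field order and size, so field order, field types and array bounds
  must not be changed without re-checking the offset comments that accompany them.
  None of the pointers below are validated by this unit; they are raw addresses
  read from undocumented, version-specific memory and must be checked by the
  caller before being dereferenced. }
interface
uses Windows;
type
// Opaque objects: only the pointer size matters for the layouts in this unit,
// so each is declared as an untyped POINTER rather than a typed pointer.
PDESKTOPINFO = POINTER;
PPROCESSINFO = POINTER;
PTL = POINTER;
PQ = POINTER;
PKL = POINTER;
PDESKTOP = POINTER;
PCLIENTINFO = POINTER;
PSMS = POINTER;
PMENUSTATE = POINTER;
PTDB = POINTER;
PWINDOWSTATION = POINTER;
PSVR_INSTANCE_INFO= POINTER;
PMOVESIZEDATA = POINTER;
PSBTRACK = POINTER;
PKEVENT = POINTER;
PWND = POINTER;
PIMC = POINTER;
PQMSG = POINTER;
PCLS = POINTER;
PWOWPROCESSINFO = POINTER;
PDESKTOPVIEW = POINTER;
PCURSOR = POINTER;
PW32JOB = POINTER;
// Pointer-sized unsigned integers are modelled as POINTER: the size is right,
// but no integer arithmetic is possible on them without a cast.
KERNEL_ULONG_PTR = POINTER;
// Unsigned 16-bit. The original alias was SHORT (signed): UNICODE_STRING.Length
// and MaximumLength use this type, and a signed alias turned every length of
// $8000 bytes or more into a negative number, which breaks any bound check
// written against it. WORD keeps the 2-byte size, so no layout changes.
USHORT = WORD;
PWSTR = PWCHAR;
LONG = longint;
ULONG_PTR = POINTER; // see KERNEL_ULONG_PTR: size only, no arithmetic
int = Integer;
HANDLE = THANDLE;
POINT = TPOINT;
HMONITOR = THANDLE;
PVOID = POINTER;
const
{$define WINVER5}
{$ifdef WINVER5}
WH_MAX =12; // highest WH_xxx hook id when the WINVER5 hook set is compiled in
{$else}
WH_MAX =11;
{$endif}
WH_MIN =-1; // lowest WH_xxx hook id
CLIBS =32; // entries in PROCESSINFO.ahmodLibLoaded (per-process hook-DLL handles)
CWINHOOKS =WH_MAX - WH_MIN + 1; // entries in THREADINFO.aphkStart, one slot per hook id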
type
// Counted UTF-16 string in the native NT form. Per the Windows definition Length
// and MaximumLength are byte counts, not character counts, and Buffer is not
// required to be NUL-terminated: bound every read by Length instead of scanning
// for a terminator.
_UNICODE_STRING = record
Length : USHORT; // bytes currently used in Buffer
MaximumLength : USHORT; // bytes available in Buffer
Buffer : PWSTR;
end;
UNICODE_STRING = _UNICODE_STRING;
PUNICODE_STRING = ^UNICODE_STRING;
// Posted-message list head (used by THREADINFO.mlPost).
tagMLIST = record
pqmsgRead : PQMSG ; // next message to read
pqmsgWriteLast: PQMSG ; // last message written
cMsgs : DWORD ; // messages currently in the list
end;
MLIST = tagMLIST;
PMLIST = ^MLIST;
// RTL bitmap header (used by PROCESSINFO.bmHandleFlags); the bits live in Buffer.
_RTL_BITMAP = record
SizeOfBitMap : ULONG ; // Number of bits in bit map
Buffer : PULONG ; // Pointer to the bit map itself
end;
RTL_BITMAP = _RTL_BITMAP;
{*
* Private User Startupinfo
* (the per-process copy kept in PROCESSINFO.usi; the dw*/w* names follow
* the STARTUPINFO fields of the same name)
*}
tagUSERSTARTUPINFO = record
cb : DWORD; // structure size, by the usual cb naming convention — not verified here
dwX : DWORD;
dwY : DWORD;
dwXSize : DWORD;
dwYSize : DWORD;
dwFlags : DWORD;
wShowWindow : WORD;
cbReserved2 : WORD;
end;
USERSTARTUPINFO = tagUSERSTARTUPINFO;
PUSERSTARTUPINFO = ^USERSTARTUPINFO;
{*
* This structure contains information regarding the
* thread. This is viewable from both the client and
* kernel processes.
* (THREADINFO.pcti points at the shared copy; THREADINFO.cti is the
* fallback copy used when no desktop is available.)
*}
tagCLIENTTHREADINFO = record
CTIF_flags : UINT;
fsChangeBits: WORD; // Bits changes since last compared
fsWakeBits : WORD; // Bits currently available
fsWakeBitsJournal : WORD; // Bits saved while journalling
fsWakeMask : WORD; // Bits looking for when asleep
timeLastRead: LONG; // Time of last input read
end;
CLIENTTHREADINFO = tagCLIENTTHREADINFO;
PCLIENTTHREADINFO = ^CLIENTTHREADINFO;
// Common object header: every HOOK starts with a THRDESKHEAD, which nests the
// headers below in this order (HEAD -> THROBJHEAD -> THRDESKHEAD).
_HEAD = record
h : DWORD ; // <-- the HHOOK handle value we obtain (translated from the original note)
cLockObj : DWORD ; // lock count on the object
end;
HEAD = _HEAD;
PHEAD = ^HEAD;
// Header of an object owned by a thread; pti is a raw THREADINFO address kept
// as a DWORD rather than a typed pointer.
_THROBJHEAD = record
hdr : HEAD ;
pti : DWORD ;
end;
THROBJHEAD = _THROBJHEAD;
PTHROBJHEAD = ^THROBJHEAD;
// Header of an object tied to a desktop; both fields are raw addresses.
_DESKHEAD = record
rpdesk : DWORD ;
pSelf : DWORD ;
end;
DESKHEAD = _DESKHEAD;
PDESKHEAD = ^DESKHEAD;
_THRDESKHEAD = record
tohdr : THROBJHEAD ;
dhdr : DESKHEAD ;
end;
THRDESKHEAD = _THRDESKHEAD;
PTHRDESKHEAD= ^THRDESKHEAD;
// Locally unique identifier (used for PROCESSINFO.luidSession).
_LUID = record
LowPart : DWORD ;
HighPart : LONG ;
end;
LUID = _LUID;
// Installed window hook. HOOK instances are chained through phkNext; the
// per-thread chain heads live in THREADINFO.aphkStart.
PHOOK = ^tagHOOK;
tagHOOK = record // /* hk */
head : THRDESKHEAD ;
phkNext : PHOOK ; // next hook in the chain for the same hook type
iHook : int ; // WH_xxx hook type
offPfn : KERNEL_ULONG_PTR ; // hook procedure location (pointer-sized, untyped)
flags : UINT ; // HF_xxx flags
ihmod : int ; // index of the hook DLL (see PROCESSINFO.ahmodLibLoaded)
// Declared as an untyped POINTER because PTHREADINFO is only declared later in
// this unit; the intended type is given in the braces.
ptiHooked : POINTER{PTHREADINFO} ; // Thread hooked.
rpdesk : PDESKTOP ; // Global hook pdesk. Only used when
// hook is locked and owner is destroyed
// NOTE(review): PEVENTMSG is not declared anywhere in this unit, so the record
// only compiles while HOOKBATCH stays undefined.
{$ifdef HOOKBATCH}
cEventMessages : DWORD ; // Number of events in the cache
iCurrentEvent : DWORD ; // Current cache event
CacheTimeOut : DWORD ; // Timeout between keys
aEventCache : PEVENTMSG ; // The array of Events
{$endif} // HOOKBATCH
end;
HOOK = tagHOOK;
//====================================
// Per-thread USER state (win32k's W32THREAD). TEB.Win32ThreadInfo (offset 40h)
// points at this record for the current thread; ppi leads to the owning
// PROCESSINFO. The layout is version-specific and unvalidated: treat every
// pointer field as untrusted input until it has been checked.
PTHREADINFO = ^tagTHREADINFO;
tagTHREADINFO = record // W32THREAD;
//***************************************** begin: USER specific fields
ptl : PTL ; // Listhead for thread lock list
ppi : PPROCESSINFO ; // process info struct for this thread
pq : PQ ; // keyboard and mouse input queue
spklActive : PKL ; // active keyboard layout for this thread
pcti : PCLIENTTHREADINFO ; // Info that must be visible from client
rpdesk : PDESKTOP ;
pDeskInfo : PDESKTOPINFO ; // Desktop info visible to client
pClientInfo : PCLIENTINFO ; // Client info stored in TEB
TIF_flags : DWORD ; // TIF_ flags go here.
pstrAppName : PUNICODE_STRING ; // Application module name.
psmsSent : PSMS ; // Most recent SMS this thread has sent
psmsCurrent : PSMS ; // Received SMS this thread is currently processing
psmsReceiveList : PSMS ; // SMSs to be processed
timeLast : LONG ; // Time, position, and ID of last message
idLast : ULONG_PTR ;
cQuit : int ;
exitCode : int ;
hdesk : HDESK ; // Desktop handle
cPaintsReady : int ;
cTimersReady : UINT ;
pMenuState : PMENUSTATE ;
(*
union {
PTDB ptdb; // Win16Task Schedule data for WOW thread
PWINDOWSTATION pwinsta; // Window station for SYSTEM thread
};
*)
// The C union above is collapsed to its pwinsta member; both members are
// pointers, so the size is unchanged, but a WOW thread's ptdb is read here too.
pwinsta : PWINDOWSTATION;
psiiList : PSVR_INSTANCE_INFO ; // thread DDEML instance list
dwExpWinVer : DWORD ;
dwCompatFlags : DWORD ; // The Win 3.1 Compat flags
dwCompatFlags2 : DWORD ; // new DWORD to extend compat flags for NT5+ features
pqAttach : PQ ; // calculation variable used in
// zzzAttachThreadInput()
ptiSibling : PTHREADINFO ; // pointer to sibling thread info
pmsd : PMOVESIZEDATA ;
fsHooks : DWORD ; // WHF_ Flags for which hooks are installed
sphkCurrent : PHOOK ; // Hook this thread is currently processing
pSBTrack : PSBTRACK ;
hEventQueueClient : HANDLE ;
pEventQueueServer : PKEVENT ;
PtiLink : LIST_ENTRY ; // Link to other threads on desktop
iCursorLevel : int ; // keep track of each thread's level
ptLast : POINT ;
spwndDefaultIme : PWND ; // Default IME Window for this thread
spDefaultImc : PIMC ; // Default input context for this thread
hklPrev : HKL ; // Previous active keyboard layout
cEnterCount : int ;
mlPost : MLIST ; // posted message list.
fsChangeBitsRemoved : USHORT ;// Bits removed during PeekMessage
wchInjected : WCHAR ; // character from last VK_PACKET
fsReserveKeys : DWORD ; // Keys that must be sent to the active
// active console window.
apEvent : ^PKEVENT ; // Wait array for xxxPollAndWaitForSingleObject
amdesk : ACCESS_MASK ; // Granted desktop access
cWindows : UINT ; // Number of windows owned by this thread
cVisWindows : UINT ; // Number of visible windows on this thread
// One chain head per hook id; CWINHOOKS depends on WINVER5 (see the const section).
aphkStart : array[0..CWINHOOKS-1] of PHOOK; // Hooks registered for this thread
cti : CLIENTTHREADINFO ; // Use this when no desktop is available
end;
THREADINFO = tagTHREADINFO;
// Per-process USER state (win32k's W32PROCESS), reached from THREADINFO.ppi.
// NOTE(review): the naming here is inconsistent with THREADINFO/PTHREADINFO —
// PROCESSINFO is declared as the *pointer* type, and the value alias at the end
// of this block reads ROCESSINFO (a dropped leading 'P'). PPROCESSINFO is
// already taken by the untyped POINTER alias at the top of the unit, so a typed
// pointer of that name would collide; rename deliberately rather than in place.
PROCESSINFO = ^tagPROCESSINFO;
tagPROCESSINFO = record //W32PROCESS;
//***************************************** begin: USER specific fields
ptiList : PTHREADINFO ; // threads in this process
ptiMainThread : PTHREADINFO ; // pti of "main thread"
rpdeskStartup : PDESKTOP ; // initial desktop
pclsPrivateList : PCLS ; // this processes' private classes
pclsPublicList : PCLS ; // this processes' public classes
pwpi : PWOWPROCESSINFO ; // Wow PerProcess Info
ppiNext : PPROCESSINFO ; // next ppi structure in start list
ppiNextRunning : PPROCESSINFO ;
cThreads : int ; // count of threads using this process info
hdeskStartup : HDESK ; // initial desktop handle
cSysExpunge : UINT ; // sys expunge counter
dwhmodLibLoadedMask : DWORD ; // bits describing loaded hook dlls
// CLIBS (32) entries; HOOK.ihmod indexes into this array.
ahmodLibLoaded : array[0..CLIBS-1] of HANDLE; // process unique hmod array for hook dlls
prpwinsta : PWINDOWSTATION ; // process windowstation
hwinsta : HWINSTA ; // windowstation handle
amwinsta : ACCESS_MASK ; // windowstation accesses
dwHotkey : DWORD ; // hot key from progman
hMonitor : HMONITOR ; // monitor handle from CreateProcess
pdvList : PDESKTOPVIEW ; // list of desktop views
iClipSerialNumber : UINT ; // clipboard serial number
bmHandleFlags : RTL_BITMAP ; // per handle flags
pCursorCache : PCURSOR ; // process cursor/icon cache
pClientBase : PVOID ; // LEAVE THIS FOR HYDRA; offset to the shared section
dwLpkEntryPoints: DWORD ; // user mode language pack installed
pW32Job : PW32JOB ; // pointer to the W32JOB structure
dwImeCompatFlags: DWORD ; // per-process Ime Compatibility flags
luidSession : LUID ; // logon session id
usi : USERSTARTUPINFO ; // process startup info
// The two conditional fields change the record size; keep the defines in step
// with the target build.
{$ifdef VALIDATEHANDLEQUOTA}
lHandles : LONG ;
{$endif}
{$ifdef USE_MIRRORING}
dwLayout : DWORD ; // the default Window orientation for this process
{$endif}
end;
ROCESSINFO = tagPROCESSINFO;
// Loader data reached from PEB.LoaderData: three doubly-linked lists of
// LDR_MODULE entries, each threaded through the LIST_ENTRY of the same name.
_PEB_LDR_DATA = record
Length : ULONG ;
Initialized : BOOLEAN ;
SsHandle : PVOID ;
InLoadOrderModuleList : LIST_ENTRY ;
InMemoryOrderModuleList : LIST_ENTRY ;
InInitializationOrderModuleList : LIST_ENTRY ;
end;
PEB_LDR_DATA = _PEB_LDR_DATA;
PPEB_LDR_DATA = ^PEB_LDR_DATA;
// One loaded module. Walkers must offset back from whichever LIST_ENTRY they
// followed: only InLoadOrderModuleList sits at the start of the record.
_LDR_MODULE = record
InLoadOrderModuleList : LIST_ENTRY ;
InMemoryOrderModuleList : LIST_ENTRY ;
InInitializationOrderModuleList : LIST_ENTRY ;
BaseAddress : PVOID ;
EntryPoint : PVOID ;
SizeOfImage : ULONG ;
FullDllName : UNICODE_STRING ; // counted strings: bound by Length, see UNICODE_STRING
BaseDllName : UNICODE_STRING ;
Flags : ULONG ;
LoadCount : SHORT ;
TlsIndex : SHORT ;
HashTableEntry : LIST_ENTRY ;
TimeDateStamp : ULONG ;
end;
LDR_MODULE = _LDR_MODULE;
PLDR_MODULE = ^LDR_MODULE;
// Per-drive-letter current directory (32 of these in RTL_USER_PROCESS_PARAMETERS).
RTL_DRIVE_LETTER_CURDIR = record
Flags : USHORT ;
Length : USHORT ;
TimeStamp : ULONG ;
DosPath : UNICODE_STRING ;
end;
PRTL_DRIVE_LETTER_CURDIR= ^RTL_DRIVE_LETTER_CURDIR;
// Process startup parameters reached from PEB.ProcessParameters. The hex
// comments are field offsets; they were checked against the field sizes
// and are consistent. The string fields are counted (see UNICODE_STRING):
// CommandLine and Environment in particular are attacker-influenced input to
// any parser built on this record.
_RTL_USER_PROCESS_PARAMETERS = record
AllocationSize : ULONG ;
Size : ULONG ;
Flags : ULONG ;
DebugFlags : ULONG ;
hConsole : HANDLE ; // 10h
ProcessGroup : ULONG ;
hStdInput : HANDLE ;
hStdOutput : HANDLE ;
hStdError : HANDLE ; // 20h
CurrentDirectoryName: UNICODE_STRING ;
CurrentDirectoryHandle : HANDLE ;
DllPath : UNICODE_STRING ; // 30h
ImagePathName : UNICODE_STRING ;
CommandLine : UNICODE_STRING ; // 40h
Environment : PWSTR ; // environment block; its length is not carried in this record
dwX : ULONG ;
dwY : ULONG ; // 50h
dwXSize : ULONG ;
dwYSize : ULONG ;
dwXCountChars : ULONG ;
dwYCountChars : ULONG ; // 60h
dwFillAttribute : ULONG ;
dwFlags : ULONG ;
wShowWindow : ULONG ;
WindowTitle : UNICODE_STRING ; // 70h
Desktop : UNICODE_STRING ;
ShellInfo : UNICODE_STRING ; // 80h
RuntimeInfo : UNICODE_STRING ;
DLCurrentDirectory : array[0..$20-1] of RTL_DRIVE_LETTER_CURDIR; // 90h
end;
RTL_USER_PROCESS_PARAMETERS = _RTL_USER_PROCESS_PARAMETERS;
PRTL_USER_PROCESS_PARAMETERS= ^RTL_USER_PROCESS_PARAMETERS;
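//typedef VOID (_stdcall *PPEBLOCKROUTINE)(PVOID);
// Callback type for PEB.FastPebLockRoutine/FastPebUnlockRoutine. The C
// declaration above takes one PVOID argument; the Pascal type previously
// declared no parameter, which has the same size (so the PEB layout was fine)
// but would corrupt the stack if anything invoked it, because under stdcall
// the callee removes the 4 bytes of argument the caller never pushed.
PPEBLOCKROUTINE = procedure(PebLock: PVOID);stdcall;
// Singly-linked free-block list reached from PEB.FreeList.
PPEB_FREE_BLOCK = ^_PEB_FREE_BLOCK;
_PEB_FREE_BLOCK = record
Next : PPEB_FREE_BLOCK;
Size : ULONG ;
end;
PEB_FREE_BLOCK = _PEB_FREE_BLOCK;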
// Process Environment Block, reached from TEB.Peb (offset 30h in the TEB). The
// hex comments are field offsets and were checked against the field sizes up
// to BCh. BeingDebugged and NtGlobalFlag are the fields commonly read here;
// both are writable by the process itself, so they are hints, not proof.
PPEB = ^PEB;
PEB = record
InheritedAddressSpace : BOOLEAN ; // 00h
ReadImageFileExecOptions : BOOLEAN ; // 01h
BeingDebugged : BOOLEAN ;
Spare : BOOLEAN ;
Mutant : HANDLE ;
ImageBaseAddress : PVOID ; // 08h
LoaderData : PPEB_LDR_DATA ;
ProcessParameters : PRTL_USER_PROCESS_PARAMETERS ;
SubSystemData : PVOID ;
ProcessHeap : PVOID ;
FastPebLock : PVOID ;
FastPebLockRoutine : PPEBLOCKROUTINE ; // 20h
FastPebUnlockRoutine : PPEBLOCKROUTINE ;
EnvironmentUpdateCount : ULONG ;
KernelCallbackTable : ^PVOID; // table of user-mode callbacks; a frequent hooking target, so worth monitoring
EventLogSection : PVOID ; // 30h
EventLog : PVOID ;
FreeList : PPEB_FREE_BLOCK ;
TlsExpansionCounter : ULONG ;
TlsBitmap : PVOID ; // 40h
TlsBitmapBits : array[0..$2-1] of ULONG;
ReadOnlySharedMemoryBase : PVOID ;
ReadOnlySharedMemoryHeap : PVOID ; // 50h
ReadOnlyStaticServerData : ^PVOID;
AnsiCodePageData : PVOID ;
OemCodePageData : PVOID ;
UnicodeCaseTableData : PVOID ; // 60h
NumberOfProcessors : ULONG ;
NtGlobalFlag : ULONG ;
Spare2 : array[0..$4-1] of BYTE;
CriticalSectionTimeout : LARGE_INTEGER ; // 70h
HeapSegmentReserve : ULONG ;
HeapSegmentCommit : ULONG ;
HeapDeCommitTotalFreeThreshold : ULONG ; //80h
HeapDeCommitFreeBlockThreshold : ULONG ;
NumberOfHeaps : ULONG ;
MaximumNumberOfHeaps : ULONG ;
ProcessHeaps : POINTER; //90h
GdiSharedHandleTable : PVOID ;
ProcessStarterHelper : PVOID ;
GdiDCAttributeList : PVOID ;
LoaderLock : PVOID ; // A0h
OSMajorVersion : ULONG ;
OSMinorVersion : ULONG ;
OSBuildNumber : ULONG ;
OSPlatformId : ULONG ; // B0h
ImageSubSystem : ULONG ;
ImageSubSystemMajorVersion: ULONG ;
ImageSubSystemMinorVersion: ULONG ; // BCh
// No offset comments past this point; the remaining layout is unchecked.
GdiHandleBuffer : array[0..$22-1] of ULONG;
PostProcessInitRoutine : ULONG ;
TlsExpansionBitmap : ULONG ;
// NOTE(review): 0..$80 declares 129 bytes, while every other array in this unit
// is written 0..$N-1; if 128 was intended the extra byte shifts SessionId by 4
// after alignment. Confirm against the target build before relying on SessionId.
TlsExpansionBitmapBits : array[0..$80] of BYTE;
SessionId : ULONG ;
end;
// Process/thread id pair (both stored as HANDLE-sized values).
_CLIENT_ID = record
UniqueProcess : HANDLE ;
UniqueThread : HANDLE ;
end;
CLIENT_ID = _CLIENT_ID;
PCLIENT_ID = ^CLIENT_ID;
// GDI batch buffer embedded in the TEB (4E0h bytes, matching the TEB offsets).
_GDI_TEB_BATCH = record
Offset : ULONG ;
HDC : ULONG ; // field name shadows the HDC type inside this record only
Buffer : array[0..$136-1] of ULONG;
end;
GDI_TEB_BATCH = _GDI_TEB_BATCH;
PGDI_TEB_BATCH = ^GDI_TEB_BATCH;
// SEH registration frame; NT_TIB.ExceptionList is the head of this chain.
PEXCEPTION_REGISTRATION_RECORD = ^_EXCEPTION_REGISTRATION_RECORD;
_EXCEPTION_REGISTRATION_RECORD = record
pNext : PEXCEPTION_REGISTRATION_RECORD;
pfnHandler : FARPROC ;
end;
EXCEPTION_REGISTRATION_RECORD = _EXCEPTION_REGISTRATION_RECORD;
// Thread Information Block: the first 1Ch bytes of the TEB. On 32-bit x86 the
// FS segment base points here, which is what the (commented-out) accessors at
// the end of this unit rely on.
PNT_TIB = ^_NT_TIB;
_NT_TIB = record
ExceptionList : PEXCEPTION_REGISTRATION_RECORD;
StackBase : PVOID ;
StackLimit : PVOID ;
SubSystemTib : PVOID ;
Version : DWORD ;
ArbitraryUserPointer : PVOID ;
_Self : PNT_TIB; //18h // PNT_TIB //PTEB — linear address of this TIB (fs:[$18])
end;
NT_TIB = _NT_TIB;
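// Thread Environment Block (32-bit x86 layout). Every field carries its offset;
// the offsets were checked against the field sizes and are consistent once the
// glDispatchTable bound below is $118-1 (see the comment there). Record
// alignment is the compiler default, which the offsets assume (for example
// DeallocationStack is padded from E0Ah up to E0Ch).
TEB = record
Tib : NT_TIB ; //* 00h */
EnvironmentPointer : PVOID ; //* 1Ch */
Cid : CLIENT_ID ; //* 20h */
ActiveRpcInfo : PVOID ; //* 28h */
ThreadLocalStoragePointer : PVOID ; //* 2Ch */
Peb : PPEB; //* 30h */
LastErrorValue : ULONG ; //* 34h */
CountOfOwnedCriticalSections : ULONG ; //* 38h */
CsrClientThread : PVOID ; //* 3Ch */
Win32ThreadInfo : POINTER ; //* 40h */ // THREADINFO of this thread; untyped because tagTHREADINFO is declared earlier in a separate type section
Win32ClientInfo : array[0..$1F-1] of ULONG; //* 44h */
WOW32Reserved : PVOID ; //* C0h */
CurrentLocale : LCID ; //* C4h */
FpSoftwareStatusRegister : ULONG ; //* C8h */
SystemReserved1 : array[0..$36-1] of PVOID; //* CCh */
Spare1 : PVOID ; //* 1A4h */
ExceptionCode : LONG ; //* 1A8h */
SpareBytes1 : array[0..$28-1] of UCHAR; //* 1ACh */
SystemReserved2 : array[0..$0A-1] of PVOID; //* 1D4h */
GdiTebBatch : GDI_TEB_BATCH ; //* 1FCh */
gdiRgn : ULONG ; //* 6DCh */
gdiPen : ULONG ; //* 6E0h */
gdiBrush : ULONG ; //* 6E4h */
RealClientId : CLIENT_ID ; //* 6E8h */
GdiCachedProcessHandle: PVOID ; //* 6F0h */
GdiClientPID : ULONG ; //* 6F4h */
GdiClientTID : ULONG ; //* 6F8h */
GdiThreadLocaleInfo : PVOID ; //* 6FCh */
UserReserved : array[0..5-1] of PVOID; //* 700h */
// B74h - 714h = 460h bytes = 118h pointers, so the bound is $118-1. The
// original 0..$118 declared 281 entries and shifted every later field
// (glReserved1 onward, including StaticUnicodeString and TlsSlots) by 4 bytes.
glDispatchTable : array[0..$118-1] of PVOID; //* 714h */
glReserved1 : array[0..$1A-1] of ULONG; //* B74h */
glReserved2 : PVOID ; //* BDCh */
glSectionInfo : PVOID ; //* BE0h */
glSection : PVOID ; //* BE4h */
glTable : PVOID ; //* BE8h */
glCurrentRC : PVOID ; //* BECh */
glContext : PVOID ; //* BF0h */
LastStatusValue : LONG ; //* BF4h */
StaticUnicodeString : UNICODE_STRING ; //* BF8h */
StaticUnicodeBuffer : array[0..$105-1] of WCHAR; //* C00h */
DeallocationStack : PVOID ; //* E0Ch */
TlsSlots : array[0..$40-1] of PVOID; //* E10h */
TlsLinks : LIST_ENTRY ; //* F10h */
Vdm : PVOID ; //* F18h */
ReservedForNtRpc : PVOID ; //* F1Ch */
DbgSsReserved : array[0..$2-1] of PVOID; //* F20h */
HardErrorDisabled : ULONG ; //* F28h */
Instrumentation : array[0..$10-1] of PVOID; //* F2Ch */
WinSockData : PVOID ; //* F6Ch */
GdiBatchCount : ULONG ; //* F70h */
Spare2 : USHORT ; //* F74h */
IsFiber : BOOLEAN ; //* F76h */
Spare3 : UCHAR ; //* F77h */
Spare4 : ULONG ; //* F78h */
Spare5 : ULONG ; //* F7Ch */
ReservedForOle : PVOID ; //* F80h */
WaitingOnLoaderLock : ULONG ; //* F84h */
Unknown : array[0..11-1] of ULONG; //* F88h */
FlsSlots : PVOID ; //* FB4h */
WineDebugInfo : PVOID ; //* Needed for WINE DLL's */
end;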
// The three accessors below are kept commented out. They read the current
// thread's TEB through the x86 FS segment: fs:[$18] is NT_TIB._Self (offset
// 18h), fs:[$30] is TEB.Peb (offset 30h), [eax+$40] is TEB.Win32ThreadInfo
// (offset 40h), and THREADINFO.ppi is then read from that record. This is
// 32-bit only, depends on the undocumented layouts above, and returns raw
// pointers that must be validated before use.
{
function GetCurrentPEB():PPEB;
function GetCurrentThreadinfo():PTHREADINFO;
function GetCurrentProcessinfo():PPROCESSINFO;
}
implementation
{
function GetCurrentPEB():PPEB;
begin
asm
mov eax,fs:[$30]
mov result,eax
end;
end;
function GetCurrentThreadinfo():PTHREADINFO;
begin
asm
mov eax,fs:[$18]
mov eax,[eax].TEB.Win32ThreadInfo
mov result,eax
end;
end;
function GetCurrentProcessinfo():PPROCESSINFO;
begin
asm
mov eax,fs:[$18]
mov eax,[eax+$40]
mov eax,[eax].THREADINFO.ppi
mov result,eax
end;
end;
}
end.