#pragma once #ifndef STRUCTS_H #define STRUCTS_H typedef struct SyscallEntry { INT SSN; PVOID Address; PVOID Syscall; }; //0x18 bytes (sizeof) struct _RTL_BALANCED_NODE { union { struct _RTL_BALANCED_NODE* Children[2]; //0x0 struct { struct _RTL_BALANCED_NODE* Left; //0x0 struct _RTL_BALANCED_NODE* Right; //0x8 }; }; union { struct { UCHAR Red : 1; //0x10 UCHAR Balance : 2; //0x10 }; ULONGLONG ParentValue; //0x10 }; }; //0x138 bytes (sizeof) typedef struct _LDR_DATA_TABLE_ENTRY_MODIFIED { struct _LIST_ENTRY InLoadOrderLinks; //0x0 struct _LIST_ENTRY InMemoryOrderLinks; //0x10 struct _LIST_ENTRY InInitializationOrderLinks; //0x20 PVOID DllBase; //0x30 PVOID EntryPoint; //0x38 ULONG SizeOfImage; //0x40 struct _UNICODE_STRING FullDllName; //0x48 struct _UNICODE_STRING BaseDllName; //0x58 union { UCHAR FlagGroup[4]; //0x68 ULONG Flags; //0x68 struct { ULONG PackagedBinary : 1; //0x68 ULONG MarkedForRemoval : 1; //0x68 ULONG ImageDll : 1; //0x68 ULONG LoadNotificationsSent : 1; //0x68 ULONG TelemetryEntryProcessed : 1; //0x68 ULONG ProcessStaticImport : 1; //0x68 ULONG InLegacyLists : 1; //0x68 ULONG InIndexes : 1; //0x68 ULONG ShimDll : 1; //0x68 ULONG InExceptionTable : 1; //0x68 ULONG ReservedFlags1 : 2; //0x68 ULONG LoadInProgress : 1; //0x68 ULONG LoadConfigProcessed : 1; //0x68 ULONG EntryProcessed : 1; //0x68 ULONG ProtectDelayLoad : 1; //0x68 ULONG ReservedFlags3 : 2; //0x68 ULONG DontCallForThreads : 1; //0x68 ULONG ProcessAttachCalled : 1; //0x68 ULONG ProcessAttachFailed : 1; //0x68 ULONG CorDeferredValidate : 1; //0x68 ULONG CorImage : 1; //0x68 ULONG DontRelocate : 1; //0x68 ULONG CorILOnly : 1; //0x68 ULONG ChpeImage : 1; //0x68 ULONG ChpeEmulatorImage : 1; //0x68 ULONG ReservedFlags5 : 1; //0x68 ULONG Redirected : 1; //0x68 ULONG ReservedFlags6 : 2; //0x68 ULONG CompatDatabaseProcessed : 1; //0x68 }; }; USHORT ObsoleteLoadCount; //0x6c USHORT TlsIndex; //0x6e struct _LIST_ENTRY HashLinks; //0x70 ULONG TimeDateStamp; //0x80 struct _ACTIVATION_CONTEXT* EntryPointActivationContext; //0x88 PVOID Lock; //0x90 struct _LDR_DDAG_NODE* DdagNode; //0x98 struct _LIST_ENTRY NodeModuleLink; //0xa0 struct _LDRP_LOAD_CONTEXT* LoadContext; //0xb0 PVOID ParentDllBase; //0xb8 PVOID SwitchBackContext; //0xc0 struct _RTL_BALANCED_NODE BaseAddressIndexNode; //0xc8 struct _RTL_BALANCED_NODE MappingInfoIndexNode; //0xe0 ULONGLONG OriginalBase; //0xf8 union _LARGE_INTEGER LoadTime; //0x100 ULONG BaseNameHashValue; //0x108 enum _LDR_DLL_LOAD_REASON LoadReason; //0x10c ULONG ImplicitPathOptions; //0x110 ULONG ReferenceCount; //0x114 ULONG DependentLoadFlags; //0x118 UCHAR SigningLevel; //0x11c ULONG CheckSum; //0x120 PVOID ActivePatchImageBase; //0x128 enum _LDR_HOT_PATCH_STATE HotPatchState; //0x130 } LDR_DATA_TABLE_ENTRY_MODIFIED, * PLDR_DATA_TABLE_ENTRY_MODIFIED; // Define call stack spoofing structs typedef struct { PVOID Fixup; // 0 PVOID OG_retaddr; // 8 PVOID rbx; // 16 PVOID rdi; // 24 PVOID BTIT_ss; // 32 PVOID BTIT_retaddr; // 40 PVOID Gadget_ss; // 48 PVOID RUTS_ss; // 56 PVOID RUTS_retaddr; // 64 PVOID ssn; // 72 PVOID trampoline; // 80 PVOID rsi; // 88 PVOID r12; // 96 PVOID r13; // 104 PVOID r14; // 112 PVOID r15; // 120 } PRM, * PPRM; typedef union _UNWIND_CODE { struct { BYTE CodeOffset; BYTE UnwindOp : 4; BYTE OpInfo : 4; }; USHORT FrameOffset; } UNWIND_CODE, * PUNWIND_CODE; typedef struct _UNWIND_INFO { BYTE Version : 3; BYTE Flags : 5; BYTE SizeOfProlog; BYTE CountOfCodes; BYTE FrameRegister : 4; BYTE FrameOffset : 4; UNWIND_CODE UnwindCode[1]; } UNWIND_INFO, * PUNWIND_INFO; typedef struct _EXCEPTION_INFO { UINT64 hModule; UINT64 pExceptionDirectory; DWORD dwRuntimeFunctionCount; }EXCEPTION_INFO, * PEXCEPTION_INFO; typedef struct { LPCWSTR dllPath; ULONG offset; ULONG totalStackSize; BOOL requiresLoadLibrary; BOOL setsFramePointer; PVOID returnAddress; BOOL pushRbp; ULONG countOfCodes; BOOL pushRbpIndex; } StackFrame, * PStackFrame; typedef struct _FILE_STANDARD_INFORMATION { LARGE_INTEGER AllocationSize; // The file allocation size in bytes. Usually, this value is a multiple of the sector or cluster size of the underlying physical device. LARGE_INTEGER EndOfFile; // The end of file location as a byte offset. ULONG NumberOfLinks; // The number of hard links to the file. BOOLEAN DeletePending; // The delete pending status. TRUE indicates that a file deletion has been requested. BOOLEAN Directory; // The file directory status. TRUE indicates the file object represents a directory. } FILE_STANDARD_INFORMATION, * PFILE_STANDARD_INFORMATION; typedef struct _FILE_RENAME_INFORMATION_EX { ULONG Flags; HANDLE RootDirectory; ULONG FileNameLength; _Field_size_bytes_(FileNameLength) WCHAR FileName[1]; } FILE_RENAME_INFORMATION_EX, * PFILE_RENAME_INFORMATION_EX; typedef struct _FILE_DISPOSITION_INFORMATION { BOOLEAN DeleteFile; } FILE_DISPOSITION_INFORMATION, * PFILE_DISPOSITION_INFORMATION; typedef struct _KSYSTEM_TIME { ULONG LowPart; LONG High1Time; LONG High2Time; } KSYSTEM_TIME, * PKSYSTEM_TIME; typedef struct _KUSER_SHARED_DATA { ULONG TickCountLowDeprecated; ULONG TickCountMultiplier; KSYSTEM_TIME InterruptTime; KSYSTEM_TIME SystemTime; KSYSTEM_TIME TimeZoneBias; USHORT ImageNumberLow; USHORT ImageNumberHigh; WCHAR NtSystemRoot[260]; ULONG MaxStackTraceDepth; ULONG CryptoExponent; ULONG TimeZoneId; ULONG LargePageMinimum; ULONG AitSamplingValue; ULONG AppCompatFlag; ULONGLONG RNGSeedVersion; ULONG GlobalValidationRunlevel; LONG TimeZoneBiasStamp; ULONG NtBuildNumber; NT_PRODUCT_TYPE NtProductType; BOOLEAN ProductTypeIsValid; BOOLEAN Reserved0[1]; USHORT NativeProcessorArchitecture; ULONG NtMajorVersion; ULONG NtMinorVersion; BOOLEAN ProcessorFeatures[PROCESSOR_FEATURE_MAX]; ULONG Reserved1; ULONG Reserved3; ULONG TimeSlip; ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture; ULONG BootId; LARGE_INTEGER SystemExpirationDate; ULONG SuiteMask; BOOLEAN KdDebuggerEnabled; union { UCHAR MitigationPolicies; struct { UCHAR NXSupportPolicy : 2; UCHAR SEHValidationPolicy : 2; UCHAR CurDirDevicesSkippedForDlls : 2; UCHAR Reserved : 2; }; }; USHORT CyclesPerYield; ULONG ActiveConsoleId; ULONG DismountCount; ULONG ComPlusPackage; ULONG LastSystemRITEventTickCount; ULONG NumberOfPhysicalPages; BOOLEAN SafeBootMode; union { UCHAR VirtualizationFlags; struct { UCHAR ArchStartedInEl2 : 1; UCHAR QcSlIsSupported : 1; }; }; UCHAR Reserved12[2]; union { ULONG SharedDataFlags; struct { ULONG DbgErrorPortPresent : 1; ULONG DbgElevationEnabled : 1; ULONG DbgVirtEnabled : 1; ULONG DbgInstallerDetectEnabled : 1; ULONG DbgLkgEnabled : 1; ULONG DbgDynProcessorEnabled : 1; ULONG DbgConsoleBrokerEnabled : 1; ULONG DbgSecureBootEnabled : 1; ULONG DbgMultiSessionSku : 1; ULONG DbgMultiUsersInSessionSku : 1; ULONG DbgStateSeparationEnabled : 1; ULONG SpareBits : 21; } DUMMYSTRUCTNAME2; } DUMMYUNIONNAME2; ULONG DataFlagsPad[1]; ULONGLONG TestRetInstruction; LONGLONG QpcFrequency; ULONG SystemCall; ULONG Reserved2; ULONGLONG FullNumberOfPhysicalPages; ULONGLONG SystemCallPad[1]; union { KSYSTEM_TIME TickCount; ULONG64 TickCountQuad; struct { ULONG ReservedTickCountOverlay[3]; ULONG TickCountPad[1]; } DUMMYSTRUCTNAME; } DUMMYUNIONNAME3; ULONG Cookie; ULONG CookiePad[1]; LONGLONG ConsoleSessionForegroundProcessId; ULONGLONG TimeUpdateLock; ULONGLONG BaselineSystemTimeQpc; ULONGLONG BaselineInterruptTimeQpc; ULONGLONG QpcSystemTimeIncrement; ULONGLONG QpcInterruptTimeIncrement; UCHAR QpcSystemTimeIncrementShift; UCHAR QpcInterruptTimeIncrementShift; USHORT UnparkedProcessorCount; ULONG EnclaveFeatureMask[4]; ULONG TelemetryCoverageRound; USHORT UserModeGlobalLogger[16]; ULONG ImageFileExecutionOptions; ULONG LangGenerationCount; ULONGLONG Reserved4; ULONGLONG InterruptTimeBias; ULONGLONG QpcBias; ULONG ActiveProcessorCount; UCHAR ActiveGroupCount; UCHAR Reserved9; union { USHORT QpcData; struct { UCHAR QpcBypassEnabled; UCHAR QpcReserved; }; }; LARGE_INTEGER TimeZoneBiasEffectiveStart; LARGE_INTEGER TimeZoneBiasEffectiveEnd; XSTATE_CONFIGURATION XState; KSYSTEM_TIME FeatureConfigurationChangeStamp; ULONG Spare; ULONG64 UserPointerAuthMask; XSTATE_CONFIGURATION XStateArm64; ULONG Reserved10[210]; } KUSER_SHARED_DATA, * PKUSER_SHARED_DATA; #endif