├── PE-Runtime.graffle
├── PE-Runtime.jpg
├── PE-Runtime.pdf
└── README.md
/PE-Runtime.graffle:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | ActiveLayerIndex
6 | 0
7 | ApplicationVersion
8 |
9 | com.omnigroup.OmniGrafflePro
10 | 139.18.0.187838
11 |
12 | AutoAdjust
13 |
14 | BackgroundGraphic
15 |
16 | Bounds
17 | {{0, 0}, {3688, 5348}}
18 | Class
19 | SolidGraphic
20 | ID
21 | 2
22 | Style
23 |
24 | fill
25 |
26 | FillType
27 | 2
28 | GradientAngle
29 | 90
30 | GradientColor
31 |
32 | w
33 | 0.666667
34 |
35 | MiddleFraction
36 | 0.59021580219268799
37 |
38 | shadow
39 |
40 | Draws
41 | NO
42 |
43 | stroke
44 |
45 | Draws
46 | NO
47 |
48 |
49 |
50 | BaseZoom
51 | 0
52 | CanvasOrigin
53 | {0, 0}
54 | CanvasSize
55 | {3688, 5348}
56 | ColumnAlign
57 | 1
58 | ColumnSpacing
59 | 36
60 | CreationDate
61 | 2013-07-19 20:50:54 +0000
62 | Creator
63 | Malware
64 | DisplayScale
65 | 1 0/72 in = 1 0/72 in
66 | GraphDocumentVersion
67 | 8
68 | GraphicsList
69 |
70 |
71 | Bounds
72 | {{200.5, 1076}, {245, 128}}
73 | Class
74 | ShapedGraphic
75 | ID
76 | 91
77 | Shape
78 | Rectangle
79 | Style
80 |
81 | fill
82 |
83 | Color
84 |
85 | b
86 | 0.84153
87 | g
88 | 1
89 | r
90 | 0.991234
91 |
92 |
93 |
94 |
95 |
96 | AllowConnections
97 | NO
98 | AllowToConnect
99 |
100 | Class
101 | LineGraphic
102 | ID
103 | 89
104 | Points
105 |
106 | {1083, 5006}
107 | {1332, 4923}
108 |
109 | Style
110 |
111 | stroke
112 |
113 | HeadArrow
114 | FilledArrow
115 | Legacy
116 |
117 | TailArrow
118 | 0
119 | Width
120 | 4
121 |
122 |
123 |
124 |
125 | AllowConnections
126 | NO
127 | AllowToConnect
128 |
129 | Class
130 | LineGraphic
131 | ID
132 | 88
133 | OrthogonalBarAutomatic
134 |
135 | OrthogonalBarPoint
136 | {0, 0}
137 | OrthogonalBarPosition
138 | -1
139 | Points
140 |
141 | {3548, 1901}
142 | {3628, 1904}
143 | {3583, 4336}
144 | {1863, 4336}
145 |
146 | Style
147 |
148 | stroke
149 |
150 | HeadArrow
151 | FilledArrow
152 | Legacy
153 |
154 | LineType
155 | 2
156 | TailArrow
157 | 0
158 | Width
159 | 4
160 |
161 |
162 |
163 |
164 | Bounds
165 | {{170.5, 882}, {291, 128}}
166 | Class
167 | ShapedGraphic
168 | ID
169 | 84
170 | Shape
171 | Circle
172 | Style
173 |
174 | fill
175 |
176 | Color
177 |
178 | b
179 | 1
180 | g
181 | 0.970601
182 | r
183 | 0.476019
184 |
185 |
186 |
187 | Text
188 |
189 | Align
190 | 0
191 | Text
192 | {\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf390
193 | \cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
194 | {\colortbl;\red255\green255\blue255;\red0\green128\blue0;}
195 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural
196 |
197 | \f0\fs31 \cf2 // find BeingDebugged
198 | \fs36 \cf0 \
199 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural\qj
200 | \cf0 mov eax, dword ptr fs:[0x30\
201 | mov eax, [eax + 2]}
202 | VerticalPad
203 | 0
204 |
205 |
206 |
207 | AllowConnections
208 | NO
209 | AllowToConnect
210 |
211 | Class
212 | LineGraphic
213 | ID
214 | 83
215 | Points
216 |
217 | {1840, 2026.881583054228}
218 | {2081, 2404}
219 |
220 | Style
221 |
222 | stroke
223 |
224 | GapRatio
225 | 0.5
226 | HeadArrow
227 | FilledArrow
228 | Legacy
229 |
230 | TailArrow
231 | 0
232 | Width
233 | 16
234 |
235 |
236 |
237 |
238 | Bounds
239 | {{1730.5, 1863}, {205, 200}}
240 | Class
241 | ShapedGraphic
242 | ID
243 | 81
244 | Shape
245 | AdjustableStar
246 | ShapeData
247 |
248 | Style
249 |
250 | fill
251 |
252 | Color
253 |
254 | b
255 | 0.0941176
256 | g
257 | 0.917647
258 | r
259 | 1
260 |
261 |
262 |
263 | Text
264 |
265 | Text
266 | {\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf390
267 | \cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
268 | {\colortbl;\red255\green255\blue255;}
269 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural\qc
270 |
271 | \f0\fs36 \cf0 \
272 | mov eax, fs:[0]
273 | \fs72 \
274 | }
275 | VerticalPad
276 | 0
277 |
278 | TextRelativeArea
279 | {{0.13500000000000001, 0.115}, {0.75, 0.75}}
280 |
281 |
282 | AllowConnections
283 | NO
284 | AllowToConnect
285 |
286 | Class
287 | LineGraphic
288 | ID
289 | 80
290 | Points
291 |
292 | {2813.4590355951404, 2265.440791527114}
293 | {3018, 2422}
294 |
295 | Style
296 |
297 | stroke
298 |
299 | GapRatio
300 | 0.5
301 | HeadArrow
302 | FilledArrow
303 | Legacy
304 |
305 | TailArrow
306 | 0
307 | Width
308 | 16
309 |
310 |
311 |
312 |
313 | Bounds
314 | {{2520, 2127.5}, {337, 164}}
315 | Class
316 | ShapedGraphic
317 | ID
318 | 79
319 | Shape
320 | Circle
321 | Style
322 |
323 | fill
324 |
325 | Color
326 |
327 | b
328 | 1
329 | g
330 | 0.970601
331 | r
332 | 0.476019
333 |
334 |
335 |
336 | Text
337 |
338 | Align
339 | 0
340 | Text
341 | {\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf390
342 | \cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
343 | {\colortbl;\red255\green255\blue255;\red0\green128\blue0;}
344 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural
345 |
346 | \f0\fs31 \cf2 // Install custom SEH at 0x010061c0
347 | \fs36 \cf0 \
348 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural\qj
349 | \cf0 push offset 0x010061c0\
350 | mov eax, dword ptr fs:[0]\
351 | push eax\
352 | mov fs[0], esp}
353 | VerticalPad
354 | 0
355 |
356 |
357 |
358 | AllowConnections
359 | NO
360 | AllowToConnect
361 |
362 | Class
363 | LineGraphic
364 | ID
365 | 78
366 | Points
367 |
368 | {1630.6476342279529, 3126}
369 | {1686, 2956}
370 |
371 | Style
372 |
373 | stroke
374 |
375 | GapRatio
376 | 0.5
377 | HeadArrow
378 | FilledArrow
379 | Legacy
380 |
381 | TailArrow
382 | 0
383 | Width
384 | 16
385 |
386 |
387 |
388 |
389 | Bounds
390 | {{1493, 3098}, {593.5, 218}}
391 | Class
392 | ShapedGraphic
393 | ID
394 | 77
395 | Shape
396 | Circle
397 | Style
398 |
399 | fill
400 |
401 | Color
402 |
403 | b
404 | 1
405 | g
406 | 0.970601
407 | r
408 | 0.476019
409 |
410 |
411 |
412 | Text
413 |
414 | Align
415 | 3
416 | Text
417 | {\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf390
418 | \cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
419 | {\colortbl;\red255\green255\blue255;\red0\green128\blue0;}
420 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural
421 |
422 | \f0\fs31 \cf2 // find base addr of kernel32.dll\cf0 \
423 | mov ebx, fs:[edx + 0x30] ;ebx = ADDRESS of PEB\
424 | mov ecx, [ebx + 0xc] ;ecx = pointer to loader data\
425 | mov ecx, [ecx + 0x1c] ;ecx = first entry in initialization order list\
426 | mov ecx, [ecx] ;ecx = second entry in list (kernelab.dll)\
427 | mov ecx, [ecx] ;ecx = third entry in list (kernel32.dll)\
428 | mov ebp, [ecx + 0x08] ;ebp = base ADDRESS of kernel32.dll}
429 | VerticalPad
430 | 0
431 |
432 |
433 |
434 | AllowConnections
435 | NO
436 | AllowToConnect
437 |
438 | Class
439 | LineGraphic
440 | ID
441 | 76
442 | Points
443 |
444 | {1622.9180711902809, 2295}
445 | {1681.9180717468262, 2630}
446 |
447 | Style
448 |
449 | stroke
450 |
451 | GapRatio
452 | 0.5
453 | HeadArrow
454 | FilledArrow
455 | Legacy
456 |
457 | TailArrow
458 | 0
459 | Width
460 | 16
461 |
462 |
463 |
464 |
465 | AllowConnections
466 | NO
467 | AllowToConnect
468 |
469 | Class
470 | LineGraphic
471 | ID
472 | 75
473 | Points
474 |
475 | {1003.9069364097368, 2281}
476 | {1053, 2420}
477 |
478 | Style
479 |
480 | stroke
481 |
482 | GapRatio
483 | 0.5
484 | HeadArrow
485 | FilledArrow
486 | Legacy
487 |
488 | TailArrow
489 | 0
490 | Width
491 | 16
492 |
493 |
494 |
495 |
496 | Bounds
497 | {{862, 2162}, {337, 119}}
498 | Class
499 | ShapedGraphic
500 | ID
501 | 74
502 | Shape
503 | Circle
504 | Style
505 |
506 | fill
507 |
508 | Color
509 |
510 | b
511 | 1
512 | g
513 | 0.970601
514 | r
515 | 0.476019
516 |
517 |
518 |
519 | Text
520 |
521 | Align
522 | 0
523 | Text
524 | {\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf390
525 | \cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
526 | {\colortbl;\red255\green255\blue255;\red0\green128\blue0;}
527 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural
528 |
529 | \f0\fs31 \cf2 // find BeingDebugged
530 | \fs36 \cf0 \
531 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural\qj
532 | \cf0 mov eax, dword ptr fs:[0x30\
533 | mov eax, [eax + 2]}
534 | VerticalPad
535 | 0
536 |
537 |
538 |
539 | Bounds
540 | {{1437.5, 2176}, {337, 119}}
541 | Class
542 | ShapedGraphic
543 | ID
544 | 73
545 | Shape
546 | Circle
547 | Style
548 |
549 | fill
550 |
551 | Color
552 |
553 | b
554 | 1
555 | g
556 | 0.970601
557 | r
558 | 0.476019
559 |
560 |
561 |
562 | Text
563 |
564 | Align
565 | 0
566 | Text
567 | {\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf390
568 | \cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
569 | {\colortbl;\red255\green255\blue255;\red0\green128\blue0;}
570 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural
571 |
572 | \f0\fs31 \cf2 // PEB_LDR_DATA
573 | \fs36 \cf0 \
574 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural\qj
575 | \cf0 mov eax, dword ptr fs:[0x30]\
576 | mov eax, [eax + 0xc]}
577 | VerticalPad
578 | 0
579 |
580 |
581 |
582 | AllowConnections
583 | NO
584 | AllowToConnect
585 |
586 | Class
587 | LineGraphic
588 | ID
589 | 72
590 | Points
591 |
592 | {2017, 2744}
593 | {2070, 2744}
594 | {2070, 2934}
595 | {2011, 2933}
596 |
597 | Style
598 |
599 | stroke
600 |
601 | HeadArrow
602 | FilledArrow
603 | Legacy
604 |
605 | TailArrow
606 | 0
607 | Width
608 | 4
609 |
610 |
611 |
612 |
613 | Bounds
614 | {{1686, 2853}, {331, 164}}
615 | Class
616 | ShapedGraphic
617 | ID
618 | 71
619 | Shape
620 | Rectangle
621 | Text
622 |
623 | Text
624 | {\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf390
625 | \cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
626 | {\colortbl;\red255\green255\blue255;}
627 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural\qc
628 |
629 | \f0\fs48 \cf0 LDR_MODULE\
630 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural
631 |
632 | \fs24 \
633 | +0x000 InLoadOrder : LIST_ENTRY\
634 | +0x008 InMemOrder : LIST_ENTRY\
635 |
636 | \b +0x010 InInitOrder : LIST_ENTRY\
637 |
638 | \b0 +0x018 DllBase : uint32_t\
639 | +0x01c EntryPoint : uint32_t\
640 | +0x01f Reserved : uint32_t\
641 | +0x024 FullDllName : UNICODE_STRING\
642 | +0x02c BaseDllName : UNICODE_STRING}
643 |
644 |
645 |
646 | AllowConnections
647 | NO
648 | AllowToConnect
649 |
650 | Class
651 | LineGraphic
652 | ID
653 | 70
654 | Points
655 |
656 | {1572, 2631}
657 | {1686, 2646}
658 |
659 | Style
660 |
661 | stroke
662 |
663 | HeadArrow
664 | FilledArrow
665 | Legacy
666 |
667 | TailArrow
668 | 0
669 | Width
670 | 4
671 |
672 |
673 |
674 |
675 | Bounds
676 | {{1686, 2614}, {331, 200}}
677 | Class
678 | ShapedGraphic
679 | ID
680 | 69
681 | Shape
682 | Rectangle
683 | Text
684 |
685 | Text
686 | {\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf390
687 | \cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
688 | {\colortbl;\red255\green255\blue255;}
689 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural\qc
690 |
691 | \f0\fs48 \cf0 PEB_LDR_DATA\
692 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural
693 |
694 | \fs24 \
695 | +0x000 Length : Uint4B\
696 | +0x004 Initialized : UChar\
697 | +0x008 SsHandle : Ptr64 Void\
698 | +0x010 InLoadOrderModuleList : LIST_ENTRY\
699 | +0x020 InMemoryOrderModuleList : LIST_ENTRY\
700 |
701 | \b +0x030 InInitializationOrderModuleList : LIST_ENTRY\
702 |
703 | \b0 +0x040 EntryInProgress : Ptr64 Void\
704 | +0x048 ShutdownInProgress : UChar\
705 | +0x050 ShutdownThreadId : Ptr64 Void\
706 | }
707 |
708 |
709 |
710 | AllowConnections
711 | NO
712 | AllowLabelDrop
713 |
714 | AllowToConnect
715 |
716 | Class
717 | LineGraphic
718 | ID
719 | 67
720 | Points
721 |
722 | {1825, 2245}
723 | {2094, 2445}
724 |
725 | Style
726 |
727 | stroke
728 |
729 | Color
730 |
731 | a
732 | 0
733 | b
734 | 1
735 | g
736 | 1
737 | r
738 | 0.507692
739 |
740 | HeadArrow
741 | FilledArrow
742 | Legacy
743 |
744 | TailArrow
745 | 0
746 | Width
747 | 4
748 |
749 |
750 |
751 |
752 | Class
753 | Group
754 | Graphics
755 |
756 |
757 | AllowConnections
758 | NO
759 | AllowLabelDrop
760 |
761 | AllowToConnect
762 |
763 | Class
764 | LineGraphic
765 | ID
766 | 86
767 | Points
768 |
769 | {236, 752.61248779296875}
770 | {408, 726.9999885559082}
771 |
772 | Style
773 |
774 | stroke
775 |
776 | HeadArrow
777 | 0
778 | Legacy
779 |
780 | Pattern
781 | 1
782 | TailArrow
783 | 0
784 | Width
785 | 4
786 |
787 |
788 |
789 |
790 | AllowConnections
791 | NO
792 | AllowLabelDrop
793 |
794 | AllowToConnect
795 |
796 | Class
797 | LineGraphic
798 | ID
799 | 87
800 | Points
801 |
802 | {236, 771.61248779296875}
803 | {404, 807.61248779296875}
804 |
805 | Style
806 |
807 | stroke
808 |
809 | HeadArrow
810 | 0
811 | Legacy
812 |
813 | Pattern
814 | 1
815 | TailArrow
816 | 0
817 | Width
818 | 4
819 |
820 |
821 |
822 |
823 | ID
824 | 85
825 |
826 |
827 | AllowConnections
828 | NO
829 | AllowLabelDrop
830 |
831 | AllowToConnect
832 |
833 | Class
834 | LineGraphic
835 | ID
836 | 63
837 | Points
838 |
839 | {225, 594}
840 | {419, 595}
841 |
842 | Style
843 |
844 | stroke
845 |
846 | HeadArrow
847 | FilledArrow
848 | Legacy
849 |
850 | TailArrow
851 | 0
852 | Width
853 | 4
854 |
855 |
856 |
857 |
858 | Bounds
859 | {{164, 511}, {781, 845}}
860 | Class
861 | ShapedGraphic
862 | ID
863 | 61
864 | Shape
865 | Rectangle
866 | Style
867 |
868 | fill
869 |
870 | FillType
871 | 2
872 | GradientAngle
873 | 90
874 | GradientColor
875 |
876 | w
877 | 0.666667
878 |
879 | MiddleFraction
880 | 0.819072425365448
881 |
882 |
883 | Text
884 |
885 | Align
886 | 0
887 | Text
888 | {\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf390
889 | \cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
890 | {\colortbl;\red255\green255\blue255;}
891 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural
892 |
893 | \f0\fs96 \cf0 \
894 | \
895 |
896 | \b Pointed to
897 | \b0 \
898 | \
899 | \
900 |
901 | \b Contained within\
902 | \
903 | \
904 | Shellcode\
905 | \
906 | \
907 | User space\
908 | \
909 | \
910 | \
911 | }
912 |
913 |
914 |
915 | Bounds
916 | {{748, 98}, {2188, 173}}
917 | Class
918 | ShapedGraphic
919 | FitText
920 | Vertical
921 | Flow
922 | Resize
923 | ID
924 | 60
925 | Shape
926 | Rectangle
927 | Style
928 |
929 | fill
930 |
931 | Draws
932 | NO
933 |
934 | shadow
935 |
936 | Draws
937 | NO
938 |
939 | stroke
940 |
941 | Draws
942 | NO
943 |
944 |
945 | Text
946 |
947 | Pad
948 | 0
949 | Text
950 | {\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf390
951 | \cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
952 | {\colortbl;\red255\green255\blue255;}
953 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural\qc
954 |
955 | \f0\b\fs288 \cf0 PE Execution Data Structures}
956 | VerticalPad
957 | 0
958 |
959 |
960 |
961 | AllowConnections
962 | NO
963 | AllowToConnect
964 |
965 | Class
966 | LineGraphic
967 | ID
968 | 59
969 | Points
970 |
971 | {2626, 796}
972 | {3002, 540}
973 |
974 | Style
975 |
976 | stroke
977 |
978 | HeadArrow
979 | 0
980 | Legacy
981 |
982 | Pattern
983 | 1
984 | TailArrow
985 | 0
986 | Width
987 | 4
988 |
989 |
990 |
991 |
992 | AllowConnections
993 | NO
994 | AllowToConnect
995 |
996 | Class
997 | LineGraphic
998 | ID
999 | 58
1000 | Points
1001 |
1002 | {2626, 811}
1003 | {3018, 2228}
1004 |
1005 | Style
1006 |
1007 | stroke
1008 |
1009 | HeadArrow
1010 | 0
1011 | Legacy
1012 |
1013 | Pattern
1014 | 1
1015 | TailArrow
1016 | 0
1017 | Width
1018 | 4
1019 |
1020 |
1021 |
1022 |
1023 | AllowConnections
1024 | NO
1025 | AllowToConnect
1026 |
1027 | Class
1028 | LineGraphic
1029 | ID
1030 | 57
1031 | Points
1032 |
1033 | {1577, 1660}
1034 | {2094, 780}
1035 |
1036 | Style
1037 |
1038 | stroke
1039 |
1040 | HeadArrow
1041 | FilledArrow
1042 | Legacy
1043 |
1044 | TailArrow
1045 | 0
1046 | Width
1047 | 4
1048 |
1049 |
1050 |
1051 |
1052 | AllowConnections
1053 | NO
1054 | AllowToConnect
1055 |
1056 | Class
1057 | LineGraphic
1058 | ID
1059 | 56
1060 | Points
1061 |
1062 | {2105, 2555}
1063 | {1579, 2424}
1064 |
1065 | Style
1066 |
1067 | stroke
1068 |
1069 | HeadArrow
1070 | FilledArrow
1071 | Legacy
1072 |
1073 | TailArrow
1074 | 0
1075 | Width
1076 | 4
1077 |
1078 |
1079 |
1080 |
1081 | AllowConnections
1082 | NO
1083 | AllowToConnect
1084 |
1085 | Class
1086 | LineGraphic
1087 | ID
1088 | 54
1089 | Points
1090 |
1091 | {2629, 2481}
1092 | {3028, 2595}
1093 |
1094 | Style
1095 |
1096 | stroke
1097 |
1098 | HeadArrow
1099 | 0
1100 | Legacy
1101 |
1102 | Pattern
1103 | 1
1104 | TailArrow
1105 | 0
1106 | Width
1107 | 4
1108 |
1109 |
1110 |
1111 |
1112 | AllowConnections
1113 | NO
1114 | AllowToConnect
1115 |
1116 | Class
1117 | LineGraphic
1118 | ID
1119 | 53
1120 | Points
1121 |
1122 | {2629, 2468}
1123 | {3022, 2404}
1124 |
1125 | Style
1126 |
1127 | stroke
1128 |
1129 | HeadArrow
1130 | 0
1131 | Legacy
1132 |
1133 | Pattern
1134 | 1
1135 | TailArrow
1136 | 0
1137 | Width
1138 | 4
1139 |
1140 |
1141 |
1142 |
1143 | AllowConnections
1144 | NO
1145 | AllowToConnect
1146 |
1147 | Class
1148 | LineGraphic
1149 | Head
1150 |
1151 | ID
1152 | 36
1153 |
1154 | ID
1155 | 52
1156 | OrthogonalBarAutomatic
1157 |
1158 | OrthogonalBarPoint
1159 | {0, 0}
1160 | OrthogonalBarPosition
1161 | -1
1162 | Points
1163 |
1164 | {594, 2019}
1165 | {803.31408408675975, 4289.5021112331478}
1166 |
1167 | Style
1168 |
1169 | stroke
1170 |
1171 | HeadArrow
1172 | FilledArrow
1173 | Legacy
1174 |
1175 | LineType
1176 | 2
1177 | TailArrow
1178 | 0
1179 | Width
1180 | 4
1181 |
1182 |
1183 |
1184 |
1185 | AllowConnections
1186 | NO
1187 | AllowToConnect
1188 |
1189 | Class
1190 | LineGraphic
1191 | ID
1192 | 48
1193 | Points
1194 |
1195 | {594, 1587}
1196 | {1046, 1549.5}
1197 |
1198 | Style
1199 |
1200 | stroke
1201 |
1202 | HeadArrow
1203 | 0
1204 | Legacy
1205 |
1206 | Pattern
1207 | 1
1208 | TailArrow
1209 | 0
1210 | Width
1211 | 4
1212 |
1213 |
1214 |
1215 |
1216 | AllowConnections
1217 | NO
1218 | AllowToConnect
1219 |
1220 | Class
1221 | LineGraphic
1222 | ID
1223 | 41
1224 | Points
1225 |
1226 | {594, 2432}
1227 | {1046, 2432}
1228 |
1229 | Style
1230 |
1231 | stroke
1232 |
1233 | HeadArrow
1234 | FilledArrow
1235 | Legacy
1236 |
1237 | TailArrow
1238 | 0
1239 | Width
1240 | 4
1241 |
1242 |
1243 |
1244 |
1245 | AllowConnections
1246 | NO
1247 | AllowToConnect
1248 |
1249 | Class
1250 | LineGraphic
1251 | ID
1252 | 40
1253 | Points
1254 |
1255 | {594, 1604}
1256 | {1046, 2069}
1257 |
1258 | Style
1259 |
1260 | stroke
1261 |
1262 | HeadArrow
1263 | 0
1264 | Legacy
1265 |
1266 | Pattern
1267 | 1
1268 | TailArrow
1269 | 0
1270 | Width
1271 | 4
1272 |
1273 |
1274 |
1275 |
1276 | Bounds
1277 | {{1332, 4888}, {526, 188}}
1278 | Class
1279 | ShapedGraphic
1280 | ID
1281 | 39
1282 | Shape
1283 | Rectangle
1284 | Text
1285 |
1286 | Text
1287 | {\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf390
1288 | \cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
1289 | {\colortbl;\red255\green255\blue255;}
1290 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural\qc
1291 |
1292 | \f0\fs72 \cf0 CSR_THREAD\
1293 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural
1294 |
1295 | \fs24 \cf0 +0x000 CreateTime : _LARGE_INTEGER\
1296 | +0x008 Link : _LIST_ENTRY \
1297 | +0x018 HashLinks : _LIST_ENTRY\
1298 | +0x028 ClientId : _CLIENT_ID\
1299 | +0x038 Process : \
1300 | +0x040 ThreadHandle : \
1301 | +0x048 Flags : \
1302 | +0x04c ReferenceCount : \
1303 | +0x050 ImpersonateCount :}
1304 |
1305 |
1306 |
1307 | Bounds
1308 | {{1332, 4302}, {526, 407}}
1309 | Class
1310 | ShapedGraphic
1311 | ID
1312 | 38
1313 | Shape
1314 | Rectangle
1315 | Text
1316 |
1317 | Text
1318 | {\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf390
1319 | \cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
1320 | {\colortbl;\red255\green255\blue255;}
1321 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural\qc
1322 |
1323 | \f0\fs72 \cf0 W32THREAD\
1324 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural
1325 |
1326 | \fs24 \cf0 +0x000 pEThread : Ptr64 _ETHREAD\
1327 | +0x008 RefCount : Uint4B\
1328 | +0x010 ptlW32 : Ptr64 _TL\
1329 | +0x018 pgdiDcattr : Ptr64 Void\
1330 | +0x020 pgdiBrushAttr : Ptr64 Void\
1331 | +0x028 pUMPDObjs : Ptr64 Void\
1332 | +0x030 pUMPDHeap : Ptr64 Void\
1333 | +0x038 pUMPDObj : Ptr64 Void\
1334 | +0x040 pProxyPort : Ptr64 Void\
1335 | +0x048 pClientID : Ptr64 Void\
1336 | +0x050 GdiTmpTgoList : _LIST_ENTRY\
1337 | +0x060 pRBRecursionCount : Uint4B\
1338 | +0x064 pNonRBRecursionCount : Uint4B\
1339 | +0x068 tlSpriteState : _TLSPRITESTATE\
1340 | +0x110 pSpriteState : Ptr64 Void\
1341 | +0x118 pDevHTInfo : Ptr64 Void\
1342 | +0x120 ulDevHTInfoUniqueness : Uint4B\
1343 | +0x128 pdcoAA : Ptr64 Void\
1344 | +0x130 pdcoRender : Ptr64 Void\
1345 | +0x138 pdcoSrc : Ptr64 Void\
1346 | +0x140 bEnableEngUpdateDeviceSurface : UChar\
1347 | +0x141 bIncludeSprites : UChar\
1348 | +0x144 ulWindowSystemRendering : Uint4B\
1349 | +0x148 iVisRgnUniqueness : Uint4B}
1350 |
1351 |
1352 |
1353 | Bounds
1354 | {{557, 4892}, {526, 384}}
1355 | Class
1356 | ShapedGraphic
1357 | ID
1358 | 37
1359 | Shape
1360 | Rectangle
1361 | Text
1362 |
1363 | Text
1364 | {\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf390
1365 | \cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
1366 | {\colortbl;\red255\green255\blue255;}
1367 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural\qc
1368 |
1369 | \f0\fs72 \cf0 CSR_PROCESS\
1370 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural
1371 |
1372 | \fs24 \cf0 \
1373 | +0x000 ClientId : _CLIENT_ID\
1374 | +0x010 ListLink : _LIST_ENTRY \
1375 |
1376 | \b +0x020 ThreadList : _LIST_ENTRY
1377 | \b0 \
1378 | +0x030 NtSession : _CSR_NT_SESSION\
1379 | +0x038 ClientPort : \
1380 | +0x040 ClientViewBase :\
1381 | +0x048 ClientViewBounds : \
1382 | +0x050 ProcessHandle : \
1383 | +0x058 SequenceNumber : \
1384 | +0x05c Flags : \
1385 | +0x060 DebugFlags : \
1386 | +0x064 ReferenceCount : \
1387 | +0x068 ProcessGroupId : \
1388 | +0x06c ProcessGroupSequence : \
1389 | +0x070 LastMessageSequence : \
1390 | +0x074 NumOutstandingMessages : \
1391 | +0x078 ShutdownLevel : \
1392 | +0x07c ShutdownFlags : \
1393 | +0x080 Luid : _LUID\
1394 | +0x088 ServerDllPerProcessData : }
1395 |
1396 |
1397 |
1398 | Bounds
1399 | {{557, 4290}, {526, 361}}
1400 | Class
1401 | ShapedGraphic
1402 | ID
1403 | 36
1404 | Shape
1405 | Rectangle
1406 | Text
1407 |
1408 | Text
1409 | {\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf390
1410 | \cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
1411 | {\colortbl;\red255\green255\blue255;}
1412 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural\qc
1413 |
1414 | \f0\fs72 \cf0 W32PROCESS\
1415 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural
1416 |
1417 | \fs24 +0x000 Process : Ptr64 _EPROCESS\
1418 | +0x008 RefCount : Uint4B\
1419 | +0x00c W32PF_Flags : Uint4B\
1420 | +0x010 InputIdleEvent : Ptr64 _KEVENT\
1421 | +0x018 StartCursorHideTime : Uint4B\
1422 | +0x020 NextStart : Ptr64 _W32PROCESS\
1423 | +0x028 pDCAttrList : Ptr64 Void\
1424 | +0x030 pBrushAttrList : Ptr64 Void\
1425 | +0x038 W32Pid : Uint4B\
1426 | +0x03c GDIHandleCount : Int4B\
1427 | +0x040 GDIHandleCountPeak : Uint4B\
1428 | +0x044 UserHandleCount : Int4B\
1429 | +0x048 UserHandleCountPeak : Uint4B\
1430 | +0x050 GDIPushLock : _EX_PUSH_LOCK\
1431 | +0x058 GDIEngUserMemAllocTable : _RTL_AVL_TABLE\
1432 | +0x0c0 GDIDcAttrFreeList : _LIST_ENTRY\
1433 | +0x0d0 GDIBrushAttrFreeList : _LIST_ENTRY\
1434 | +0x0e0 GDIW32PIDLockedBitmaps : _LIST_ENTRY\
1435 | +0x0f0 hSecureGdiSharedHandleTable : Ptr64 Void\
1436 | +0x0f8 DxProcess : Ptr64 Void}
1437 |
1438 |
1439 |
1440 | Bounds
1441 | {{3022, 2392}, {526, 194}}
1442 | Class
1443 | ShapedGraphic
1444 | ID
1445 | 29
1446 | Shape
1447 | Rectangle
1448 | Text
1449 |
1450 | Text
1451 | {\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf390
1452 | \cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
1453 | {\colortbl;\red255\green255\blue255;}
1454 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural\qc
1455 |
1456 | \f0\fs72 \cf0 TIB
1457 | \fs24 \
1458 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural
1459 | \
1460 | +0x000 ExceptionList : Ptr32 _EXCEPTION_REGISTRATION_RECORD\
1461 | +0x004 StackBase : Ptr32 Void\
1462 | +0x008 StackLimit : Ptr32 Void\
1463 | +0x00c SubSystemTib : Ptr32 Void\
1464 | +0x010 FiberData : Ptr32 Void\
1465 | +0x010 Version : Uint4B\
1466 | +0x014 ArbitraryUserPointer : Ptr32 Void\
1467 | +0x018 Self : Ptr32 _NT_TIB}
1468 |
1469 |
1470 |
1471 | Bounds
1472 | {{2098, 2392}, {526, 1498}}
1473 | Class
1474 | ShapedGraphic
1475 | ID
1476 | 28
1477 | Shape
1478 | Rectangle
1479 | Text
1480 |
1481 | Text
1482 | {\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf390
1483 | \cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
1484 | {\colortbl;\red255\green255\blue255;}
1485 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural\qc
1486 |
1487 | \f0\fs72 \cf0 TEB
1488 | \fs24 \
1489 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural
1490 | \
1491 |
1492 | \b +0x000 NtTib : _NT_TIB
1493 | \b0 \
1494 | +0x01c EnvironmentPointer : Ptr32 Void\
1495 | +0x020 ClientId : _CLIENT_ID\
1496 | +0x028 ActiveRpcHandle : Ptr32 Void\
1497 | +0x02c ThreadLocalStoragePointer : Ptr32 Void\
1498 |
1499 | \b +0x030 ProcessEnvironmentBlock : Ptr32 _PEB
1500 | \b0 \
1501 | +0x034 LastErrorValue : Uint4B\
1502 | +0x038 CountOfOwnedCriticalSections : Uint4B\
1503 | +0x03c CsrClientThread : Ptr32 Void\
1504 | +0x040 Win32ThreadInfo : Ptr32 Void\
1505 | +0x044 User32Reserved : [26] Uint4B\
1506 | +0x0ac UserReserved : [5] Uint4B\
1507 | +0x0c0 WOW32Reserved : Ptr32 Void\
1508 | +0x0c4 CurrentLocale : Uint4B\
1509 | +0x0c8 FpSoftwareStatusRegister : Uint4B\
1510 | +0x0cc SystemReserved1 : [54] Ptr32 Void\
1511 | +0x1a4 ExceptionCode : Int4B\
1512 | +0x1a8 ActivationContextStackPointer : Ptr32 _ACTIVATION_CONTEXT_STACK\
1513 | +0x1ac SpareBytes : [36] UChar\
1514 | +0x1d0 TxFsContext : Uint4B\
1515 | +0x1d4 GdiTebBatch : _GDI_TEB_BATCH\
1516 | +0x6b4 RealClientId : _CLIENT_ID\
1517 | +0x6bc GdiCachedProcessHandle : Ptr32 Void\
1518 | +0x6c0 GdiClientPID : Uint4B\
1519 | +0x6c4 GdiClientTID : Uint4B\
1520 | +0x6c8 GdiThreadLocalInfo : Ptr32 Void\
1521 | +0x6cc Win32ClientInfo : [62] Uint4B\
1522 | +0x7c4 glDispatchTable : [233] Ptr32 Void\
1523 | +0xb68 glReserved1 : [29] Uint4B\
1524 | +0xbdc glReserved2 : Ptr32 Void\
1525 | +0xbe0 glSectionInfo : Ptr32 Void\
1526 | +0xbe4 glSection : Ptr32 Void\
1527 | +0xbe8 glTable : Ptr32 Void\
1528 | +0xbec glCurrentRC : Ptr32 Void\
1529 | +0xbf0 glContext : Ptr32 Void\
1530 | +0xbf4 LastStatusValue : Uint4B\
1531 | +0xbf8 StaticUnicodeString : _UNICODE_STRING\
1532 | +0xc00 StaticUnicodeBuffer : [261] Wchar\
1533 | +0xe0c DeallocationStack : Ptr32 Void\
1534 | +0xe10 TlsSlots : [64] Ptr32 Void\
1535 | +0xf10 TlsLinks : _LIST_ENTRY\
1536 | +0xf18 Vdm : Ptr32 Void\
1537 | +0xf1c ReservedForNtRpc : Ptr32 Void\
1538 | +0xf20 DbgSsReserved : [2] Ptr32 Void\
1539 | +0xf28 HardErrorMode : Uint4B\
1540 | +0xf2c Instrumentation : [9] Ptr32 Void\
1541 | +0xf50 ActivityId : _GUID\
1542 | +0xf60 SubProcessTag : Ptr32 Void\
1543 | +0xf64 EtwLocalData : Ptr32 Void\
1544 | +0xf68 EtwTraceData : Ptr32 Void\
1545 | +0xf6c WinSockData : Ptr32 Void\
1546 | +0xf70 GdiBatchCount : Uint4B\
1547 | +0xf74 CurrentIdealProcessor : _PROCESSOR_NUMBER\
1548 | +0xf74 IdealProcessorValue : Uint4B\
1549 | +0xf74 ReservedPad0 : UChar\
1550 | +0xf75 ReservedPad1 : UChar\
1551 | +0xf76 ReservedPad2 : UChar\
1552 | +0xf77 IdealProcessor : UChar\
1553 | +0xf78 GuaranteedStackBytes : Uint4B\
1554 | +0xf7c ReservedForPerf : Ptr32 Void\
1555 | +0xf80 ReservedForOle : Ptr32 Void\
1556 | +0xf84 WaitingOnLoaderLock : Uint4B\
1557 | +0xf88 SavedPriorityState : Ptr32 Void\
1558 | +0xf8c SoftPatchPtr1 : Uint4B\
1559 | +0xf90 ThreadPoolData : Ptr32 Void\
1560 | +0xf94 TlsExpansionSlots : Ptr32 Ptr32 Void\
1561 | +0xf98 MuiGeneration : Uint4B\
1562 | +0xf9c IsImpersonating : Uint4B\
1563 | +0xfa0 NlsCache : Ptr32 Void\
1564 | +0xfa4 pShimData : Ptr32 Void\
1565 | +0xfa8 HeapVirtualAffinity : Uint4B\
1566 | +0xfac CurrentTransactionHandle : Ptr32 Void\
1567 | +0xfb0 ActiveFrame : Ptr32 _TEB_ACTIVE_FRAME\
1568 | +0xfb4 FlsData : Ptr32 Void\
1569 | +0xfb8 PreferredLanguages : Ptr32 Void\
1570 | +0xfbc UserPrefLanguages : Ptr32 Void\
1571 | +0xfc0 MergedPrefLanguages : Ptr32 Void\
1572 | +0xfc4 MuiImpersonation : Uint4B\
1573 | +0xfc8 CrossTebFlags : Uint2B\
1574 | +0xfc8 SpareCrossTebBits : Pos 0, 16 Bits\
1575 | +0xfca SameTebFlags : Uint2B\
1576 | +0xfca SafeThunkCall : Pos 0, 1 Bit\
1577 | +0xfca InDebugPrint : Pos 1, 1 Bit\
1578 | +0xfca HasFiberData : Pos 2, 1 Bit\
1579 | +0xfca SkipThreadAttach : Pos 3, 1 Bit\
1580 | +0xfca WerInShipAssertCode : Pos 4, 1 Bit\
1581 | +0xfca RanProcessInit : Pos 5, 1 Bit\
1582 | +0xfca ClonedThread : Pos 6, 1 Bit\
1583 | +0xfca SuppressDebugMsg : Pos 7, 1 Bit\
1584 | +0xfca DisableUserStackWalk : Pos 8, 1 Bit\
1585 | +0xfca RtlExceptionAttached : Pos 9, 1 Bit\
1586 | +0xfca InitialThread : Pos 10, 1 Bit\
1587 | +0xfca SpareSameTebBits : Pos 11, 5 Bits\
1588 | +0xfcc TxnScopeEnterCallback : Ptr32 Void\
1589 | +0xfd0 TxnScopeExitCallback : Ptr32 Void\
1590 | +0xfd4 TxnScopeContext : Ptr32 Void\
1591 | +0xfd8 LockCount : Uint4B\
1592 | +0xfdc SpareUlong0 : Uint4B\
1593 | +0xfe0 ResourceRetValue : Ptr32 Void}
1594 |
1595 |
1596 |
1597 | Bounds
1598 | {{3022, 528}, {526, 1713}}
1599 | Class
1600 | ShapedGraphic
1601 | ID
1602 | 27
1603 | Shape
1604 | Rectangle
1605 | Text
1606 |
1607 | Text
1608 | {\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf390
1609 | \cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
1610 | {\colortbl;\red255\green255\blue255;}
1611 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural\qc
1612 |
1613 | \f0\fs72 \cf0 Tcb : KTHREAD
1614 | \fs24 \
1615 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural
1616 | \
1617 | +0x000 Header : _DISPATCHER_HEADER\
1618 | +0x010 CycleTime : Uint8B\
1619 | +0x018 HighCycleTime : Uint4B\
1620 | +0x020 QuantumTarget : Uint8B\
1621 | +0x028 InitialStack : Ptr32 Void\
1622 | +0x02c StackLimit : Ptr32 Void\
1623 | +0x030 KernelStack : Ptr32 Void\
1624 | +0x034 ThreadLock : Uint4B\
1625 | +0x038 WaitRegister : _KWAIT_STATUS_REGISTER\
1626 | +0x039 Running : UChar\
1627 | +0x03a Alerted : [2] UChar\
1628 | +0x03c KernelStackResident : Pos 0, 1 Bit\
1629 | +0x03c ReadyTransition : Pos 1, 1 Bit\
1630 | +0x03c ProcessReadyQueue : Pos 2, 1 Bit\
1631 | +0x03c WaitNext : Pos 3, 1 Bit\
1632 | +0x03c SystemAffinityActive : Pos 4, 1 Bit\
1633 | +0x03c Alertable : Pos 5, 1 Bit\
1634 | +0x03c GdiFlushActive : Pos 6, 1 Bit\
1635 | +0x03c UserStackWalkActive : Pos 7, 1 Bit\
1636 | +0x03c ApcInterruptRequest : Pos 8, 1 Bit\
1637 | +0x03c ForceDeferSchedule : Pos 9, 1 Bit\
1638 | +0x03c QuantumEndMigrate : Pos 10, 1 Bit\
1639 | +0x03c UmsDirectedSwitchEnable : Pos 11, 1 Bit\
1640 | +0x03c TimerActive : Pos 12, 1 Bit\
1641 | +0x03c SystemThread : Pos 13, 1 Bit\
1642 | +0x03c Reserved : Pos 14, 18 Bits\
1643 | +0x03c MiscFlags : Int4B\
1644 | +0x040 ApcState : _KAPC_STATE\
1645 | +0x040 ApcStateFill : [23] UChar\
1646 | +0x057 Priority : Char\
1647 | +0x058 NextProcessor : Uint4B\
1648 | +0x05c DeferredProcessor : Uint4B\
1649 | +0x060 ApcQueueLock : Uint4B\
1650 | +0x064 ContextSwitches : Uint4B\
1651 | +0x068 State : UChar\
1652 | +0x069 NpxState : Char\
1653 | +0x06a WaitIrql : UChar\
1654 | +0x06b WaitMode : Char\
1655 | +0x06c WaitStatus : Int4B\
1656 | +0x070 WaitBlockList : Ptr32 _KWAIT_BLOCK\
1657 | +0x074 WaitListEntry : _LIST_ENTRY\
1658 | +0x074 SwapListEntry : _SINGLE_LIST_ENTRY\
1659 | +0x07c Queue : Ptr32 _KQUEUE\
1660 | +0x080 WaitTime : Uint4B\
1661 | +0x084 KernelApcDisable : Int2B\
1662 | +0x086 SpecialApcDisable : Int2B\
1663 | +0x084 CombinedApcDisable : Uint4B\
1664 | +0x088 Teb : Ptr32 Void\
1665 | +0x090 Timer : _KTIMER\
1666 | +0x0b8 AutoAlignment : Pos 0, 1 Bit\
1667 | +0x0b8 DisableBoost : Pos 1, 1 Bit\
1668 | +0x0b8 EtwStackTraceApc1Inserted : Pos 2, 1 Bit\
1669 | +0x0b8 EtwStackTraceApc2Inserted : Pos 3, 1 Bit\
1670 | +0x0b8 CalloutActive : Pos 4, 1 Bit\
1671 | +0x0b8 ApcQueueable : Pos 5, 1 Bit\
1672 | +0x0b8 EnableStackSwap : Pos 6, 1 Bit\
1673 | +0x0b8 GuiThread : Pos 7, 1 Bit\
1674 | +0x0b8 UmsPerformingSyscall : Pos 8, 1 Bit\
1675 | +0x0b8 VdmSafe : Pos 9, 1 Bit\
1676 | +0x0b8 UmsDispatched : Pos 10, 1 Bit\
1677 | +0x0b8 ReservedFlags : Pos 11, 21 Bits\
1678 | +0x0b8 ThreadFlags : Int4B\
1679 | +0x0bc ServiceTable : Ptr32 Void\
1680 | +0x0c0 WaitBlock : [4] _KWAIT_BLOCK\
1681 | +0x120 QueueListEntry : _LIST_ENTRY\
1682 | +0x128 TrapFrame : Ptr32 _KTRAP_FRAME\
1683 | +0x12c FirstArgument : Ptr32 Void\
1684 | +0x130 CallbackStack : Ptr32 Void\
1685 | +0x130 CallbackDepth : Uint4B\
1686 | +0x134 ApcStateIndex : UChar\
1687 | +0x135 BasePriority : Char\
1688 | +0x136 PriorityDecrement : Char\
1689 | +0x136 ForegroundBoost : Pos 0, 4 Bits\
1690 | +0x136 UnusualBoost : Pos 4, 4 Bits\
1691 | +0x137 Preempted : UChar\
1692 | +0x138 AdjustReason : UChar\
1693 | +0x139 AdjustIncrement : Char\
1694 | +0x13a PreviousMode : Char\
1695 | +0x13b Saturation : Char\
1696 | +0x13c SystemCallNumber : Uint4B\
1697 | +0x140 FreezeCount : Uint4B\
1698 | +0x144 UserAffinity : _GROUP_AFFINITY\
1699 | +0x150 Process : Ptr32 _KPROCESS\
1700 | +0x154 Affinity : _GROUP_AFFINITY\
1701 | +0x160 IdealProcessor : Uint4B\
1702 | +0x164 UserIdealProcessor : Uint4B\
1703 | +0x168 ApcStatePointer : [2] Ptr32 _KAPC_STATE\
1704 | +0x170 SavedApcState : _KAPC_STATE\
1705 | +0x170 SavedApcStateFill : [23] UChar\
1706 | +0x187 WaitReason : UChar\
1707 | +0x188 SuspendCount : Char\
1708 | +0x189 Spare1 : Char\
1709 | +0x18a OtherPlatformFill : UChar\
1710 |
1711 | \b +0x18c Win32Thread : Ptr32 Void
1712 | \b0 \
1713 | +0x190 StackBase : Ptr32 Void\
1714 | +0x194 SuspendApc : _KAPC\
1715 | +0x194 SuspendApcFill0 : [1] UChar\
1716 | +0x195 ResourceIndex : UChar\
1717 | +0x194 SuspendApcFill1 : [3] UChar\
1718 | +0x197 QuantumReset : UChar\
1719 | +0x194 SuspendApcFill2 : [4] UChar\
1720 | +0x198 KernelTime : Uint4B\
1721 | +0x194 SuspendApcFill3 : [36] UChar\
1722 | +0x1b8 WaitPrcb : Ptr32 _KPRCB\
1723 | +0x194 SuspendApcFill4 : [40] UChar\
1724 | +0x1bc LegoData : Ptr32 Void\
1725 | +0x194 SuspendApcFill5 : [47] UChar\
1726 | +0x1c3 LargeStack : UChar\
1727 | +0x1c4 UserTime : Uint4B\
1728 | +0x1c8 SuspendSemaphore : _KSEMAPHORE\
1729 | +0x1c8 SuspendSemaphorefill : [20] UChar\
1730 | +0x1dc SListFaultCount : Uint4B\
1731 | +0x1e0 ThreadListEntry : _LIST_ENTRY\
1732 | +0x1e8 MutantListHead : _LIST_ENTRY\
1733 | +0x1f0 SListFaultAddress : Ptr32 Void\
1734 | +0x1f4 ThreadCounters : Ptr32 _KTHREAD_COUNTERS\
1735 | +0x1f8 XStateSave : Ptr32 _XSTATE_SAVE}
1736 |
1737 |
1738 |
1739 | Bounds
1740 | {{2094, 727}, {526, 1342}}
1741 | Class
1742 | ShapedGraphic
1743 | ID
1744 | 26
1745 | Shape
1746 | Rectangle
1747 | Text
1748 |
1749 | Text
1750 | {\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf390
1751 | \cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
1752 | {\colortbl;\red255\green255\blue255;}
1753 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural\qc
1754 |
1755 | \f0\fs24 \cf0
1756 | \fs72 ETHREAD
1757 | \fs24 \
1758 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural
1759 | \
1760 |
1761 | \b +0x000 Tcb : _KTHREAD
1762 | \b0 \
1763 | +0x200 CreateTime : _LARGE_INTEGER\
1764 | +0x208 ExitTime : _LARGE_INTEGER\
1765 | +0x208 KeyedWaitChain : _LIST_ENTRY\
1766 | +0x210 ExitStatus : Int4B\
1767 | +0x214 PostBlockList : _LIST_ENTRY\
1768 | +0x214 ForwardLinkShadow : Ptr32 Void\
1769 | +0x218 StartAddress : Ptr32 Void\
1770 | +0x21c TerminationPort : Ptr32 _TERMINATION_PORT\
1771 | +0x21c ReaperLink : Ptr32 _ETHREAD\
1772 | +0x21c KeyedWaitValue : Ptr32 Void\
1773 | +0x220 ActiveTimerListLock : Uint4B\
1774 | +0x224 ActiveTimerListHead : _LIST_ENTRY\
1775 | +0x22c Cid : _CLIENT_ID\
1776 | +0x234 KeyedWaitSemaphore : _KSEMAPHORE\
1777 | +0x234 AlpcWaitSemaphore : _KSEMAPHORE\
1778 | +0x248 ClientSecurity : _PS_CLIENT_SECURITY_CONTEXT\
1779 | +0x24c IrpList : _LIST_ENTRY\
1780 | +0x254 TopLevelIrp : Uint4B\
1781 | +0x258 DeviceToVerify : Ptr32 _DEVICE_OBJECT\
1782 | +0x25c CpuQuotaApc : Ptr32 _PSP_CPU_QUOTA_APC\
1783 | +0x260 Win32StartAddress : Ptr32 Void\
1784 | +0x264 LegacyPowerObject : Ptr32 Void\
1785 | +0x268 ThreadListEntry : _LIST_ENTRY\
1786 | +0x270 RundownProtect : _EX_RUNDOWN_REF\
1787 | +0x274 ThreadLock : _EX_PUSH_LOCK\
1788 | +0x278 ReadClusterSize : Uint4B\
1789 | +0x27c MmLockOrdering : Int4B\
1790 | +0x280 CrossThreadFlags : Uint4B\
1791 | +0x280 Terminated : Pos 0, 1 Bit\
1792 | +0x280 ThreadInserted : Pos 1, 1 Bit\
1793 | +0x280 HideFromDebugger : Pos 2, 1 Bit\
1794 | +0x280 ActiveImpersonationInfo : Pos 3, 1 Bit\
1795 | +0x280 Reserved : Pos 4, 1 Bit\
1796 | +0x280 HardErrorsAreDisabled : Pos 5, 1 Bit\
1797 | +0x280 BreakOnTermination : Pos 6, 1 Bit\
1798 | +0x280 SkipCreationMsg : Pos 7, 1 Bit\
1799 | +0x280 SkipTerminationMsg : Pos 8, 1 Bit\
1800 | +0x280 CopyTokenOnOpen : Pos 9, 1 Bit\
1801 | +0x280 ThreadIoPriority : Pos 10, 3 Bits\
1802 | +0x280 ThreadPagePriority : Pos 13, 3 Bits\
1803 | +0x280 RundownFail : Pos 16, 1 Bit\
1804 | +0x280 NeedsWorkingSetAging : Pos 17, 1 Bit\
1805 | +0x284 SameThreadPassiveFlags : Uint4B\
1806 | +0x284 ActiveExWorker : Pos 0, 1 Bit\
1807 | +0x284 ExWorkerCanWaitUser : Pos 1, 1 Bit\
1808 | +0x284 MemoryMaker : Pos 2, 1 Bit\
1809 | +0x284 ClonedThread : Pos 3, 1 Bit\
1810 | +0x284 KeyedEventInUse : Pos 4, 1 Bit\
1811 | +0x284 RateApcState : Pos 5, 2 Bits\
1812 | +0x284 SelfTerminate : Pos 7, 1 Bit\
1813 | +0x288 SameThreadApcFlags : Uint4B\
1814 | +0x288 Spare : Pos 0, 1 Bit\
1815 | +0x288 StartAddressInvalid : Pos 1, 1 Bit\
1816 | +0x288 EtwPageFaultCalloutActive : Pos 2, 1 Bit\
1817 | +0x288 OwnsProcessWorkingSetExclusive : Pos 3, 1 Bit\
1818 | +0x288 OwnsProcessWorkingSetShared : Pos 4, 1 Bit\
1819 | +0x288 OwnsSystemCacheWorkingSetExclusive : Pos 5, 1 Bit\
1820 | +0x288 OwnsSystemCacheWorkingSetShared : Pos 6, 1 Bit\
1821 | +0x288 OwnsSessionWorkingSetExclusive : Pos 7, 1 Bit\
1822 | +0x289 OwnsSessionWorkingSetShared : Pos 0, 1 Bit\
1823 | +0x289 OwnsProcessAddressSpaceExclusive : Pos 1, 1 Bit\
1824 | +0x289 OwnsProcessAddressSpaceShared : Pos 2, 1 Bit\
1825 | +0x289 SuppressSymbolLoad : Pos 3, 1 Bit\
1826 | +0x289 Prefetching : Pos 4, 1 Bit\
1827 | +0x289 OwnsDynamicMemoryShared : Pos 5, 1 Bit\
1828 | +0x289 OwnsChangeControlAreaExclusive : Pos 6, 1 Bit\
1829 | +0x289 OwnsChangeControlAreaShared : Pos 7, 1 Bit\
1830 | +0x28a OwnsPagedPoolWorkingSetExclusive : Pos 0, 1 Bit\
1831 | +0x28a OwnsPagedPoolWorkingSetShared : Pos 1, 1 Bit\
1832 | +0x28a OwnsSystemPtesWorkingSetExclusive : Pos 2, 1 Bit\
1833 | +0x28a OwnsSystemPtesWorkingSetShared : Pos 3, 1 Bit\
1834 | +0x28a TrimTrigger : Pos 4, 2 Bits\
1835 | +0x28a Spare1 : Pos 6, 2 Bits\
1836 | +0x28b PriorityRegionActive : UChar\
1837 | +0x28c CacheManagerActive : UChar\
1838 | +0x28d DisablePageFaultClustering : UChar\
1839 | +0x28e ActiveFaultCount : UChar\
1840 | +0x28f LockOrderState : UChar\
1841 | +0x290 AlpcMessageId : Uint4B\
1842 | +0x294 AlpcMessage : Ptr32 Void\
1843 | +0x294 AlpcReceiveAttributeSet : Uint4B\
1844 | +0x298 AlpcWaitListEntry : _LIST_ENTRY\
1845 | +0x2a0 CacheManagerCount : Uint4B\
1846 | +0x2a4 IoBoostCount : Uint4B\
1847 | +0x2a8 IrpListLock : Uint4B\
1848 | +0x2ac ReservedForSynchTracking : Ptr32 Void\
1849 | +0x2b0 CmCallbackListHead : _SINGLE_LIST_ENTRY}
1850 |
1851 |
1852 |
1853 | Bounds
1854 | {{1046, 2381}, {526, 1372}}
1855 | Class
1856 | ShapedGraphic
1857 | ID
1858 | 25
1859 | Shape
1860 | Rectangle
1861 | Text
1862 |
1863 | Text
1864 | {\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf390
1865 | \cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
1866 | {\colortbl;\red255\green255\blue255;\red0\green0\blue0;}
1867 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural\qc
1868 |
1869 | \f0\fs24 \cf0
1870 | \fs72 PEB
1871 | \fs24 \
1872 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural
1873 | \
1874 | +0x000 InheritedAddressSpace : UChar\
1875 | +0x001 ReadImageFileExecOptions : UChar\
1876 | +0x002 BeingDebugged : UChar\
1877 | +0x003 BitField : UChar\
1878 | +0x003 ImageUsesLargePages : Pos 0, 1 Bit\
1879 | +0x003 IsProtectedProcess : Pos 1, 1 Bit\
1880 | +0x003 IsLegacyProcess : Pos 2, 1 Bit\
1881 | +0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit\
1882 | +0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit\
1883 | +0x003 SpareBits : Pos 5, 3 Bits\
1884 | +0x004 Mutant : Ptr32 Void\
1885 | +0x008 ImageBaseAddress : Ptr32 Void\
1886 | \cf2
1887 | \b +0x00c Ldr : Ptr32 _PEB_LDR_DATA\cf0 \
1888 |
1889 | \b0 +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS\
1890 | +0x014 SubSystemData : Ptr32 Void\
1891 | +0x018 ProcessHeap : Ptr32 Void\
1892 | +0x01c FastPebLock : Ptr32 _RTL_CRITICAL_SECTION\
1893 | +0x020 AtlThunkSListPtr : Ptr32 Void\
1894 | +0x024 IFEOKey : Ptr32 Void\
1895 | +0x028 CrossProcessFlags : Uint4B\
1896 | +0x028 ProcessInJob : Pos 0, 1 Bit\
1897 | +0x028 ProcessInitializing : Pos 1, 1 Bit\
1898 | +0x028 ProcessUsingVEH : Pos 2, 1 Bit\
1899 | +0x028 ProcessUsingVCH : Pos 3, 1 Bit\
1900 | +0x028 ProcessUsingFTH : Pos 4, 1 Bit\
1901 | +0x028 ReservedBits0 : Pos 5, 27 Bits\
1902 | +0x02c KernelCallbackTable : Ptr32 Void\
1903 | +0x02c UserSharedInfoPtr : Ptr32 Void\
1904 | +0x030 SystemReserved : [1] Uint4B\
1905 | +0x034 AtlThunkSListPtr32 : Uint4B\
1906 | +0x038 ApiSetMap : Ptr32 Void\
1907 | +0x03c TlsExpansionCounter : Uint4B\
1908 | +0x040 TlsBitmap : Ptr32 Void\
1909 | +0x044 TlsBitmapBits : [2] Uint4B\
1910 | +0x04c ReadOnlySharedMemoryBase : Ptr32 Void\
1911 | +0x050 HotpatchInformation : Ptr32 Void\
1912 | +0x054 ReadOnlyStaticServerData : Ptr32 Ptr32 Void\
1913 | +0x058 AnsiCodePageData : Ptr32 Void\
1914 | +0x05c OemCodePageData : Ptr32 Void\
1915 | +0x060 UnicodeCaseTableData : Ptr32 Void\
1916 | +0x064 NumberOfProcessors : Uint4B\
1917 | +0x068 NtGlobalFlag : Uint4B\
1918 | +0x070 CriticalSectionTimeout : _LARGE_INTEGER\
1919 | +0x078 HeapSegmentReserve : Uint4B\
1920 | +0x07c HeapSegmentCommit : Uint4B\
1921 | +0x080 HeapDeCommitTotalFreeThreshold : Uint4B\
1922 | +0x084 HeapDeCommitFreeBlockThreshold : Uint4B\
1923 | +0x088 NumberOfHeaps : Uint4B\
1924 | +0x08c MaximumNumberOfHeaps : Uint4B\
1925 | +0x090 ProcessHeaps : Ptr32 Ptr32 Void\
1926 | +0x094 GdiSharedHandleTable : Ptr32 Void\
1927 | +0x098 ProcessStarterHelper : Ptr32 Void\
1928 | +0x09c GdiDCAttributeList : Uint4B\
1929 | +0x0a0 LoaderLock : Ptr32 _RTL_CRITICAL_SECTION\
1930 | +0x0a4 OSMajorVersion : Uint4B\
1931 | +0x0a8 OSMinorVersion : Uint4B\
1932 | +0x0ac OSBuildNumber : Uint2B\
1933 | +0x0ae OSCSDVersion : Uint2B\
1934 | +0x0b0 OSPlatformId : Uint4B\
1935 | +0x0b4 ImageSubsystem : Uint4B\
1936 | +0x0b8 ImageSubsystemMajorVersion : Uint4B\
1937 | +0x0bc ImageSubsystemMinorVersion : Uint4B\
1938 | +0x0c0 ActiveProcessAffinityMask : Uint4B\
1939 | +0x0c4 GdiHandleBuffer : [34] Uint4B\
1940 | +0x14c PostProcessInitRoutine : Ptr32 void \
1941 | +0x150 TlsExpansionBitmap : Ptr32 Void\
1942 | +0x154 TlsExpansionBitmapBits : [32] Uint4B\
1943 | +0x1d4 SessionId : Uint4B\
1944 | +0x1d8 AppCompatFlags : _ULARGE_INTEGER\
1945 | +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER\
1946 | +0x1e8 pShimData : Ptr32 Void\
1947 | +0x1ec AppCompatInfo : Ptr32 Void\
1948 | +0x1f0 CSDVersion : _UNICODE_STRING\
1949 | +0x1f8 ActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA\
1950 | +0x1fc ProcessAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP\
1951 | +0x200 SystemDefaultActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA\
1952 | +0x204 SystemAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP\
1953 | +0x208 MinimumStackCommit : Uint4B\
1954 | +0x20c FlsCallback : Ptr32 _FLS_CALLBACK_INFO\
1955 | +0x210 FlsListHead : _LIST_ENTRY\
1956 | +0x218 FlsBitmap : Ptr32 Void\
1957 | +0x21c FlsBitmapBits : [4] Uint4B\
1958 | +0x22c FlsHighIndex : Uint4B\
1959 | +0x230 WerRegistrationData : Ptr32 Void\
1960 | +0x234 WerShipAssertPtr : Ptr32 Void\
1961 | +0x238 pContextData : Ptr32 Void\
1962 | +0x23c pImageHeaderHash : Ptr32 Void\
1963 | +0x240 TracingFlags : Uint4B\
1964 | +0x240 HeapTracingEnabled : Pos 0, 1 Bit\
1965 | +0x240 CritSecTracingEnabled : Pos 1, 1 Bit\
1966 | +0x240 SpareTracingBits : Pos 2, 30 Bits}
1967 |
1968 |
1969 |
1970 | Bounds
1971 | {{1046, 1522}, {526, 547}}
1972 | Class
1973 | ShapedGraphic
1974 | ID
1975 | 22
1976 | Shape
1977 | Rectangle
1978 | Text
1979 |
1980 | Align
1981 | 0
1982 | Text
1983 | {\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf390
1984 | \cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
1985 | {\colortbl;\red255\green255\blue255;}
1986 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural
1987 |
1988 | \f0\fs24 \cf0
\
1989 | \
1990 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural\qc
1991 |
1992 | \fs72 Pcb : KPROCESS
1993 | \fs24 \
1994 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural
1995 | \
1996 | +0x000 Header : _DISPATCHER_HEADER
\
1997 | +0x010 ProfileListHead : _LIST_ENTRY
\
1998 | +0x018 DirectoryTableBase : Uint4B
\
1999 | +0x01c LdtDescriptor : _KGDTENTRY
\
2000 | +0x024 Int21Descriptor : _KIDTENTRY
\
2001 | +0x02c ThreadListHead : _LIST_ENTRY
\
2002 | +0x034 ProcessLock : Uint4B
\
2003 | +0x038 Affinity : _KAFFINITY_EX
\
2004 | +0x050 ReadyListHead : _LIST_ENTRY
\
2005 | +0x058 SwapListEntry : _SINGLE_LIST_ENTRY
\
2006 | +0x05c ActiveProcessors : _KAFFINITY_EX
\
2007 | +0x074 AutoAlignment : Pos 0, 1 Bit
\
2008 | +0x074 DisableBoost : Pos 1, 1 Bit
\
2009 | +0x074 DisableQuantum : Pos 2, 1 Bit
\
2010 | +0x074 ActiveGroupsMask : Pos 3, 4 Bits
\
2011 | +0x074 ReservedFlags : Pos 7, 25 Bits
\
2012 | +0x074 ProcessFlags : Int4B
\
2013 | +0x078 BasePriority : Char
\
2014 | +0x079 QuantumReset : Char
\
2015 | +0x07a Visited : UChar
\
2016 | +0x07b Unused3 : UChar
\
2017 | +0x07c ThreadSeed : [4] Uint4B
\
2018 | +0x08c IdealNode : [4] Uint2B
\
2019 | +0x094 IdealGlobalNode : Uint2B
\
2020 | +0x096 Flags : _KEXECUTE_OPTIONS
\
2021 | +0x097 Unused1 : UChar
\
2022 | +0x098 IopmOffset : Uint2B
\
2023 | +0x09c Unused4 : Uint4B
\
2024 | +0x0a0 StackCount : _KSTACK_COUNT
\
2025 | +0x0a4 ProcessListEntry : _LIST_ENTRY
\
2026 | +0x0b0 CycleTime : Uint8B
\
2027 | +0x0b8 KernelTime : Uint4B
\
2028 | +0x0bc UserTime : Uint4B
\
2029 | +0x0c0 VdmTrapcHandler : Ptr32 Void
\
2030 | }
2031 |
2032 |
2033 |
2034 | Bounds
2035 | {{60, 1537}, {526, 1945}}
2036 | Class
2037 | ShapedGraphic
2038 | ID
2039 | 1
2040 | Shape
2041 | Rectangle
2042 | Style
2043 |
2044 | fill
2045 |
2046 | Color
2047 |
2048 | b
2049 | 0.999878
2050 | g
2051 | 1
2052 | r
2053 | 0.99991
2054 |
2055 |
2056 |
2057 | Text
2058 |
2059 | Text
2060 | {\rtf1\ansi\ansicpg1252\cocoartf1187\cocoasubrtf390
2061 | \cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
2062 | {\colortbl;\red255\green255\blue255;}
2063 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural\qc
2064 |
2065 | \f0\fs24 \cf0 \
2066 |
2067 | \fs72 EPROCESS\
2068 |
2069 | \fs24 \
2070 | \pard\tx560\tx1120\tx1680\tx2240\tx2800\tx3360\tx3920\tx4480\tx5040\tx5600\tx6160\tx6720\pardirnatural
2071 |
2072 | \b +0x000 Pcb : _KPROCESS
2073 | \b0 \
2074 | +0x0c8 ProcessLock : _EX_PUSH_LOCK\
2075 | +0x0d0 CreateTime : _LARGE_INTEGER\
2076 | +0x0d8 ExitTime : _LARGE_INTEGER\
2077 | +0x0e0 RundownProtect : _EX_RUNDOWN_REF\
2078 | +0x0e4 UniqueProcessId : Ptr32 Void\
2079 | +0x0e8 ActiveProcessLinks : _LIST_ENTRY\
2080 | +0x0f0 ProcessQuotaUsage : [2] Uint4B\
2081 | +0x0f8 ProcessQuotaPeak : [2] Uint4B\
2082 | +0x100 CommitCharge : Uint4B\
2083 | +0x104 QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK\
2084 | +0x108 CpuQuotaBlock : Ptr32 _PS_CPU_QUOTA_BLOCK\
2085 | +0x10c PeakVirtualSize : Uint4B\
2086 | +0x110 VirtualSize : Uint4B\
2087 | +0x114 SessionProcessLinks : _LIST_ENTRY\
2088 | +0x11c DebugPort : Ptr32 Void\
2089 | +0x120 ExceptionPortData : Ptr32 Void\
2090 | +0x120 ExceptionPortValue : Uint4B\
2091 | +0x120 ExceptionPortState : Pos 0, 3 Bits\
2092 | +0x124 ObjectTable : Ptr32 _HANDLE_TABLE\
2093 | +0x128 Token : _EX_FAST_REF\
2094 | +0x12c WorkingSetPage : Uint4B\
2095 | +0x130 AddressCreationLock : _EX_PUSH_LOCK\
2096 | +0x134 RotateInProgress : Ptr32 _ETHREAD\
2097 | +0x138 ForkInProgress : Ptr32 _ETHREAD\
2098 | +0x13c HardwareTrigger : Uint4B\
2099 | +0x140 PhysicalVadRoot : Ptr32 _MM_AVL_TABLE\
2100 | +0x144 CloneRoot : Ptr32 Void\
2101 | +0x148 NumberOfPrivatePages : Uint4B\
2102 | +0x14c NumberOfLockedPages : Uint4B\
2103 |
2104 | \b +0x150 Win32Process : Ptr32 Void
2105 | \b0 \
2106 | +0x154 Job : Ptr32 _EJOB\
2107 | +0x158 SectionObject : Ptr32 Void\
2108 | +0x15c SectionBaseAddress : Ptr32 Void\
2109 | +0x160 Cookie : Uint4B\
2110 | +0x164 Spare8 : Uint4B\
2111 | +0x168 WorkingSetWatch : Ptr32 _PAGEFAULT_HISTORY\
2112 | +0x16c Win32WindowStation : Ptr32 Void\
2113 | +0x170 InheritedFromUniqueProcessId : Ptr32 Void\
2114 | +0x174 LdtInformation : Ptr32 Void\
2115 | +0x178 VdmObjects : Ptr32 Void\
2116 | +0x17c ConsoleHostProcess : Uint4B\
2117 | +0x180 DeviceMap : Ptr32 Void\
2118 | +0x184 EtwDataSource : Ptr32 Void\
2119 | +0x188 FreeTebHint : Ptr32 Void\
2120 | +0x190 PageDirectoryPte : _HARDWARE_PTE_X86\
2121 | +0x190 Filler : Uint8B\
2122 | +0x198 Session : Ptr32 Void\
2123 | +0x19c ImageFileName : [15] UChar\
2124 | +0x1ab PriorityClass : UChar\
2125 | +0x1ac JobLinks : _LIST_ENTRY\
2126 | +0x1b4 LockedPagesList : Ptr32 Void\
2127 | +0x1b8 ThreadListHead : _LIST_ENTRY\
2128 | +0x1c0 SecurityPort : Ptr32 Void\
2129 | +0x1c4 PaeTop : Ptr32 Void\
2130 | +0x1c8 ActiveThreads : Uint4B\
2131 | +0x1cc ImagePathHash : Uint4B\
2132 | +0x1d0 DefaultHardErrorProcessing : Uint4B\
2133 | +0x1d4 LastThreadExitStatus : Int4B\
2134 |
2135 | \b +0x1d8 Peb : Ptr32 _PEB
2136 | \b0 \
2137 | +0x1dc PrefetchTrace : _EX_FAST_REF\
2138 | +0x1e0 ReadOperationCount : _LARGE_INTEGER\
2139 | +0x1e8 WriteOperationCount : _LARGE_INTEGER\
2140 | +0x1f0 OtherOperationCount : _LARGE_INTEGER\
2141 | +0x1f8 ReadTransferCount : _LARGE_INTEGER\
2142 | +0x200 WriteTransferCount : _LARGE_INTEGER\
2143 | +0x208 OtherTransferCount : _LARGE_INTEGER\
2144 | +0x210 CommitChargeLimit : Uint4B\
2145 | +0x214 CommitChargePeak : Uint4B\
2146 | +0x218 AweInfo : Ptr32 Void\
2147 | +0x21c SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO\
2148 | +0x220 Vm : _MMSUPPORT\
2149 | +0x28c MmProcessLinks : _LIST_ENTRY\
2150 | +0x294 HighestUserAddress : Ptr32 Void\
2151 | +0x298 ModifiedPageCount : Uint4B\
2152 | +0x29c Flags2 : Uint4B\
2153 | +0x29c JobNotReallyActive : Pos 0, 1 Bit\
2154 | +0x29c AccountingFolded : Pos 1, 1 Bit\
2155 | +0x29c NewProcessReported : Pos 2, 1 Bit\
2156 | +0x29c ExitProcessReported : Pos 3, 1 Bit\
2157 | +0x29c ReportCommitChanges : Pos 4, 1 Bit\
2158 | +0x29c LastReportMemory : Pos 5, 1 Bit\
2159 | +0x29c ReportPhysicalPageChanges : Pos 6, 1 Bit\
2160 | +0x29c HandleTableRundown : Pos 7, 1 Bit\
2161 | +0x29c NeedsHandleRundown : Pos 8, 1 Bit\
2162 | +0x29c RefTraceEnabled : Pos 9, 1 Bit\
2163 | +0x29c NumaAware : Pos 10, 1 Bit\
2164 | +0x29c ProtectedProcess : Pos 11, 1 Bit\
2165 | +0x29c DefaultPagePriority : Pos 12, 3 Bits\
2166 | +0x29c PrimaryTokenFrozen : Pos 15, 1 Bit\
2167 | +0x29c ProcessVerifierTarget : Pos 16, 1 Bit\
2168 | +0x29c StackRandomizationDisabled : Pos 17, 1 Bit\
2169 | +0x29c AffinityPermanent : Pos 18, 1 Bit\
2170 | +0x29c AffinityUpdateEnable : Pos 19, 1 Bit\
2171 | +0x29c PropagateNode : Pos 20, 1 Bit\
2172 | +0x29c ExplicitAffinity : Pos 21, 1 Bit\
2173 | +0x2a0 Flags : Uint4B\
2174 | +0x2a0 CreateReported : Pos 0, 1 Bit\
2175 | +0x2a0 NoDebugInherit : Pos 1, 1 Bit\
2176 | +0x2a0 ProcessExiting : Pos 2, 1 Bit\
2177 | +0x2a0 ProcessDelete : Pos 3, 1 Bit\
2178 | +0x2a0 Wow64SplitPages : Pos 4, 1 Bit\
2179 | +0x2a0 VmDeleted : Pos 5, 1 Bit\
2180 | +0x2a0 OutswapEnabled : Pos 6, 1 Bit\
2181 | +0x2a0 Outswapped : Pos 7, 1 Bit\
2182 | +0x2a0 ForkFailed : Pos 8, 1 Bit\
2183 | +0x2a0 Wow64VaSpace4Gb : Pos 9, 1 Bit\
2184 | +0x2a0 AddressSpaceInitialized : Pos 10, 2 Bits\
2185 | +0x2a0 SetTimerResolution : Pos 12, 1 Bit\
2186 | +0x2a0 BreakOnTermination : Pos 13, 1 Bit\
2187 | +0x2a0 DeprioritizeViews : Pos 14, 1 Bit\
2188 | +0x2a0 WriteWatch : Pos 15, 1 Bit\
2189 | +0x2a0 ProcessInSession : Pos 16, 1 Bit\
2190 | +0x2a0 OverrideAddressSpace : Pos 17, 1 Bit\
2191 | +0x2a0 HasAddressSpace : Pos 18, 1 Bit\
2192 | +0x2a0 LaunchPrefetched : Pos 19, 1 Bit\
2193 | +0x2a0 InjectInpageErrors : Pos 20, 1 Bit\
2194 | +0x2a0 VmTopDown : Pos 21, 1 Bit\
2195 | +0x2a0 ImageNotifyDone : Pos 22, 1 Bit\
2196 | +0x2a0 PdeUpdateNeeded : Pos 23, 1 Bit\
2197 | +0x2a0 VdmAllowed : Pos 24, 1 Bit\
2198 | +0x2a0 CrossSessionCreate : Pos 25, 1 Bit\
2199 | +0x2a0 ProcessInserted : Pos 26, 1 Bit\
2200 | +0x2a0 DefaultIoPriority : Pos 27, 3 Bits\
2201 | +0x2a0 ProcessSelfDelete : Pos 30, 1 Bit\
2202 | +0x2a0 SetTimerResolutionLink : Pos 31, 1 Bit\
2203 | +0x2a4 ExitStatus : Int4B\
2204 | +0x2a8 VadRoot : _MM_AVL_TABLE\
2205 | +0x2c8 AlpcContext : _ALPC_PROCESS_CONTEXT\
2206 | +0x2d8 TimerResolutionLink : _LIST_ENTRY\
2207 | +0x2e0 RequestedTimerResolution : Uint4B\
2208 | +0x2e4 ActiveThreadsHighWatermark : Uint4B\
2209 | +0x2e8 SmallestTimerResolution : Uint4B\
2210 | +0x2ec TimerResolutionStackRecord : Ptr32 _PO_DIAG_STACK_RECORD\
2211 | }
2212 |
2213 |
2214 |
2215 | Bounds
2216 | {{878, 2308}, {2712, 1915}}
2217 | Class
2218 | ShapedGraphic
2219 | ID
2220 | 90
2221 | Shape
2222 | Rectangle
2223 | Style
2224 |
2225 | fill
2226 |
2227 | Color
2228 |
2229 | b
2230 | 0.84153
2231 | g
2232 | 1
2233 | r
2234 | 0.991234
2235 |
2236 |
2237 |
2238 |
2239 |
2240 | GridInfo
2241 |
2242 | DrawMajorGrid
2243 | NO
2244 |
2245 | GuidesLocked
2246 | NO
2247 | GuidesVisible
2248 | YES
2249 | HPages
2250 | 7
2251 | ImageCounter
2252 | 1
2253 | KeepToScale
2254 |
2255 | Layers
2256 |
2257 |
2258 | Lock
2259 | NO
2260 | Name
2261 | Layer 1
2262 | Print
2263 | YES
2264 | View
2265 | YES
2266 |
2267 |
2268 | LayoutInfo
2269 |
2270 | Animate
2271 | NO
2272 | circoMinDist
2273 | 18
2274 | circoSeparation
2275 | 0.0
2276 | layoutEngine
2277 | dot
2278 | neatoSeparation
2279 | 0.0
2280 | twopiSeparation
2281 | 0.0
2282 |
2283 | LinksVisible
2284 | NO
2285 | MagnetsVisible
2286 | NO
2287 | MasterSheets
2288 |
2289 | ModificationDate
2290 | 2013-07-22 19:43:29 +0000
2291 | Modifier
2292 | Malware
2293 | NotesVisible
2294 | NO
2295 | Orientation
2296 | 2
2297 | OriginVisible
2298 | NO
2299 | PageBreaks
2300 | NO
2301 | PrintInfo
2302 |
2303 | NSBottomMargin
2304 |
2305 | float
2306 | 41
2307 |
2308 | NSHorizonalPagination
2309 |
2310 | coded
2311 | BAtzdHJlYW10eXBlZIHoA4QBQISEhAhOU051bWJlcgCEhAdOU1ZhbHVlAISECE5TT2JqZWN0AIWEASqEhAFxlwCG
2312 |
2313 | NSLeftMargin
2314 |
2315 | float
2316 | 18
2317 |
2318 | NSPaperSize
2319 |
2320 | size
2321 | {612, 792}
2322 |
2323 | NSPrintReverseOrientation
2324 |
2325 | int
2326 | 0
2327 |
2328 | NSRightMargin
2329 |
2330 | float
2331 | 18
2332 |
2333 | NSTopMargin
2334 |
2335 | float
2336 | 18
2337 |
2338 |
2339 | PrintOnePage
2340 |
2341 | ReadOnly
2342 | NO
2343 | RowAlign
2344 | 1
2345 | RowSpacing
2346 | 36
2347 | SheetTitle
2348 | Canvas 1
2349 | SmartAlignmentGuidesActive
2350 | YES
2351 | SmartDistanceGuidesActive
2352 | YES
2353 | UniqueID
2354 | 1
2355 | UseEntirePage
2356 |
2357 | VPages
2358 | 8
2359 | WindowInfo
2360 |
2361 | CurrentSheet
2362 | 0
2363 | ExpandedCanvases
2364 |
2365 |
2366 | name
2367 | Canvas 1
2368 |
2369 |
2370 | Frame
2371 | {{-128, 108}, {2597, 1438}}
2372 | ListView
2373 |
2374 | OutlineWidth
2375 | 142
2376 | RightSidebar
2377 |
2378 | ShowRuler
2379 |
2380 | Sidebar
2381 |
2382 | SidebarWidth
2383 | 159
2384 | VisibleRegion
2385 | {{-2974, 32}, {9636, 5196}}
2386 | Zoom
2387 | 0.25
2388 | ZoomValues
2389 |
2390 |
2391 | Canvas 1
2392 | 0.25
2393 | 0.5
2394 |
2395 |
2396 |
2397 |
2398 |
2399 |
--------------------------------------------------------------------------------
/PE-Runtime.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JeremyBlackthorne/PE-Runtime-Data-Structures/8bddd60ba4a177afe2150d90fb73d96d0ac6a285/PE-Runtime.jpg
--------------------------------------------------------------------------------
/PE-Runtime.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/JeremyBlackthorne/PE-Runtime-Data-Structures/8bddd60ba4a177afe2150d90fb73d96d0ac6a285/PE-Runtime.pdf
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 |
2 | 
3 |
4 |
5 | Originally posted by me in 2013: http://uncomputable.blogspot.com/2013/08/pe-runtime-data-structures-v1.html, just migrating it to a better home.
6 |
7 | This is a diagram of PE runtime data structures created using WinDbg and OmniGraffle. I have included jpg and PDF versions in the repository.
8 |
9 | I was inspired by Ero Carrera's [1] diagrams and Corkami [2]. I made this diagram because I was teaching myself Windows data structures and was unsatisfied with what was out there. The information for these structures was obtained from WinDbg and Windows Internals 6 by Russinovich, Solomon, and Ionescu [3].
10 |
11 | I figured I should just upload it now instead of whenever I get around to finishing it. Hopefully I haven't made any mistakes. It will probably go through many iterations, maybe end up being interactive.
12 |
13 | # References
14 |
15 | [1] Ero Carrea - http://blog.dkbza.org/2012/08/pe-file-format-graphs.html
16 | [2] Corkami - https://code.google.com/p/corkami/
17 | [3] Windows Internals -http://www.amazon.com/Windows-Internals-Part-Covering-Server/dp/0735648735
18 |
--------------------------------------------------------------------------------