moon-struct 0.1.1

Windows Kernel Struct offset
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63

use wdk_sys::PAGE_SIZE;

#[repr(C)]
pub union VmmEptDynamicSplitU {
    pub entry: u64,
    pub _pointer: u64,
}

#[repr(C)]
pub struct Split2mbPagingTo4kbPage {
    pub pml_1: [u64; 512],
    pub u: VmmEptDynamicSplitU,
    pub is_busy: bool,
}

#[repr(C)]
pub struct EptTrampoline {
    pub data: [u8; 50],
    pub is_busy: bool,
}

impl EptTrampoline {
    pub fn as_ptr(&mut self) -> *mut u8 {
        (&mut self.data[0]) as *mut _ as *mut _
    }
}

#[repr(C, align(0x1000))]
pub struct EptHookedPageDetail {
    // Hook后的页面值
    pub fake_page_contents: [u8; PAGE_SIZE as _],

    // 虚拟地址
    // pub virtual_address: u64,

    // 原始物理页面pfn
    // pub physical_base_address: usize,

    // 新页面pfn
    pub physical_base_address_of_fake_page_contents: usize,

    // Hook项当前的PML1地址
    // pub entry_address: *mut u64,

    // 原始页面的PML1值
    // pub original_entry: u64,

    // 修改后的PML1值
    // pub changed_entry: u64,

    // 原函数头地址,页面InlineHook后,你可能只想对Hook的函数做个过滤而已.还是要去调用原函数
    pub trampoline: *mut u8,

    // 是否是执行hook
    pub is_execution_hook: bool,

    // 是否
    pub is_busy: bool,
}

impl Drop for EptHookedPageDetail {
    fn drop(&mut self) {}
}