moon-struct 0.1.1

Windows Kernel Struct offset
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212

#![allow(non_snake_case)]

use wdk_sys::{_CONTEXT__bindgen_ty_1, CONTEXT, M128A, UNICODE_STRING, USHORT, _LIST_ENTRY};

use crate::list_entry::ListEntryOffset;

#[repr(C)]
#[derive(Default)]
pub struct KDESCRIPTOR {
    pub Pad: [u16; 3],
    pub Limit: u16,
    pub Base: u64,
}
pub type PKDESCRIPTOR = *mut KDESCRIPTOR;

#[repr(C)]
#[derive(Default)]
#[allow(non_camel_case_types)]
pub struct KSPECIAL_REGISTERS {
    pub Cr0: u64,
    pub Cr2: u64,
    pub Cr3: u64,
    pub Cr4: u64,
    pub KernelDr0: u64,
    pub KernelDr1: u64,
    pub KernelDr2: u64,
    pub KernelDr3: u64,
    pub KernelDr6: u64,
    pub KernelDr7: u64,
    pub Gdtr: KDESCRIPTOR,
    pub Idtr: KDESCRIPTOR,
    pub Tr: u16,
    pub Ldtr: u16,
    pub MxCsr: u32,
    pub DebugControl: u64,
    pub LastBranchToRip: u64,
    pub LastBranchFromRip: u64,
    pub LastExceptionToRip: u64,
    pub LastExceptionFromRip: u64,
    pub Cr8: u64,
    pub MsrGsBase: u64,
    pub MsrGsSwap: u64,
    pub MsrStar: u64,
    pub MsrLStar: u64,
    pub MsrCStar: u64,
    pub MsrSyscallMask: u64,
    pub Xcr0: u64,
}

#[allow(non_camel_case_types)]
pub type PKSPECIAL_REGISTERS = *mut KSPECIAL_REGISTERS;

#[repr(C)]
#[derive(Default)]
pub struct _CONTEXT {
    pub P1Home: u64,
    pub P2Home: u64,
    pub P3Home: u64,
    pub P4Home: u64,
    pub P5Home: u64,
    pub P6Home: u64,
    pub ContextFlags: u32,
    pub MxCsr: u32,
    pub SegCs: u16,
    pub SegDs: u16,
    pub SegEs: u16,
    pub SegFs: u16,
    pub SegGs: u16,
    pub SegSs: u16,
    pub EFlags: u32,
    pub Dr0: u64,
    pub Dr1: u64,
    pub Dr2: u64,
    pub Dr3: u64,
    pub Dr6: u64,
    pub Dr7: u64,
    pub Rax: u64,
    pub Rcx: u64,
    pub Rdx: u64,
    pub Rbx: u64,
    pub Rsp: u64,
    pub Rbp: u64,
    pub Rsi: u64,
    pub Rdi: u64,
    pub R8: u64,
    pub R9: u64,
    pub R10: u64,
    pub R11: u64,
    pub R12: u64,
    pub R13: u64,
    pub R14: u64,
    pub R15: u64,
    pub Rip: u64,
    pub __bindgen_anon_1: _CONTEXT__bindgen_ty_1,
    pub VectorRegister: [M128A; 26usize],
    pub VectorControl: u64,
    pub DebugControl: u64,
    pub LastBranchToRip: u64,
    pub LastBranchFromRip: u64,
    pub LastExceptionToRip: u64,
    pub LastExceptionFromRip: u64,
}

#[repr(C)]
#[derive(Default)]
#[allow(non_camel_case_types)]
pub struct KPROCESSOR_STATE {
    pub SpecialRegisters: KSPECIAL_REGISTERS,
    pub Context_frame: CONTEXT,
}

#[allow(non_camel_case_types)]
pub type PKPROCESSOR_STATE = *mut KPROCESSOR_STATE;

#[repr(C)]
#[derive(Copy, Clone)]
#[allow(non_camel_case_types)]
#[allow(non_snake_case)]
pub struct GDTENTRY64_ACCESS_RIGHTS_BYTES {
    pub flags1: u8,
    pub flags2: u8,
    pub flags3: u8,
    pub flags4: u8,
}

#[repr(C)]
#[derive(Copy, Clone)]
pub union GDTENTRY64_ACCESS_RIGHTS {
    pub access_rights: u32,
    pub bytes: GDTENTRY64_ACCESS_RIGHTS_BYTES,
    pub bits: u16,
}

#[repr(C)]
#[derive(Copy, Clone)]
#[allow(non_camel_case_types)]
pub struct GdtEntry64 {
    pub selector: USHORT,
    pub limit: u32,
    pub access_rights: GDTENTRY64_ACCESS_RIGHTS,
    pub base: u64,
}

#[repr(C)]
#[derive(Copy, Clone)]
#[allow(non_camel_case_types)]
pub struct KGDTENTRY64_U_BYTES {
    pub BaseMiddle: u8,
    pub Flags1: u8,
    pub Flags2: u8,
    pub BaseHigh: u8,
}

#[repr(C)]
#[derive(Copy, Clone)]
pub union KGDTENTRY64_U {
    pub bytes: KGDTENTRY64_U_BYTES,
    pub bits: u32,
}

#[repr(C)]
#[derive(Copy, Clone)]
#[allow(non_camel_case_types)]
pub struct KGDTENTRY64_A {
    pub limit_low: u16,
    pub base_low: u16,
    pub u: KGDTENTRY64_U,
    pub base_upper: u32,
    pub must_be_zero: u32,
}

#[repr(C)]
#[derive(Copy, Clone)]
pub union KGDTENTRY64 {
    pub alignment: u64,
    pub dummy: KGDTENTRY64_A,
}

#[repr(C)]
#[allow(non_camel_case_types)]
pub struct KLDR_DATA_TABLE_ENTRY {
    pub InLoadOrderLinks: _LIST_ENTRY,
    pub ExceptionTable: *mut core::ffi::c_void,
    pub ExceptionTableSize: u32,
    pub GpValue: *mut core::ffi::c_void,
    pub NonPagedDebugInfo: *mut core::ffi::c_void,
    pub DllBase: *mut core::ffi::c_void,
    pub EntryPoint: *mut core::ffi::c_void,
    pub SizeOfImage: u32,
    pub FullDllName: UNICODE_STRING,
    pub BaseDllName: UNICODE_STRING,
    pub Flags: u32,
    pub LoadCount: u16,
    pub __Unused5: u16,
    pub SectionPointer: *mut core::ffi::c_void,
    pub CheckSum: u32,
    pub LoadedImports: *mut core::ffi::c_void,
    pub PatchInformation: *mut core::ffi::c_void,
}

impl ListEntryOffset for KLDR_DATA_TABLE_ENTRY {
    fn get_list_entry_offset() -> usize {
        0
    }
}

#[repr(C)]
#[allow(non_camel_case_types)]
pub struct DIRECTORY_BASIC_INFORMATION {
    pub object_name: UNICODE_STRING,
    pub object_type_name: UNICODE_STRING,
}