#pragma once
#include <Windows.h>
#include <winternl.h>

#include <cstdint>
#pragma comment(lib, "ntdll.lib")
/// Size in bytes of one 4 KiB page.
#define PAGE_4KB 0x1000

/// Numeric SYSTEM_INFORMATION_CLASS value for the loaded-module query.
/// winternl.h does not declare this class, so it is defined here.
/// NOTE(review): the result of this query (RTL_PROCESS_MODULES) carries kernel
/// image base addresses, so every use of this class is security-sensitive;
/// recent Windows releases are reported to restrict the addresses returned to
/// unprivileged callers - confirm behaviour on the targeted builds.
constexpr int SystemModuleInformation = 11;
/// One entry of the module list returned for SystemModuleInformation.
///
/// This mirrors an undocumented NT structure; the field order and widths below
/// are the layout contract and must not be changed. Field meanings are taken
/// from the field names and the commonly published layout, not from anything
/// this header enforces.
///
/// Parsing caveats for consumers:
///  - OffsetToFileName is an index into FullPathName; check that it is below
///    sizeof(FullPathName) before using it.
///  - Do not assume FullPathName is NUL-terminated; bound every string read
///    by the array size (256 bytes).
typedef struct _RTL_PROCESS_MODULE_INFORMATION
{
    HANDLE Section;
    PVOID  MappedBase;
    PVOID  ImageBase;          // base address of the loaded image
    ULONG  ImageSize;          // size of the image in bytes
    ULONG  Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT OffsetToFileName;   // offset of the file-name part inside FullPathName
    UCHAR  FullPathName[256];  // fixed-size path buffer
} RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION;
/// Variable-length header of the SystemModuleInformation result.
///
/// Modules is declared with one element but is followed in the same buffer by
/// NumberOfModules entries in total, so sizeof(RTL_PROCESS_MODULES) is not the
/// size of the data. A consumer must bound its loop by NumberOfModules AND by
/// the byte length of the buffer that was actually filled, so that a count
/// which does not match the buffer cannot cause an out-of-bounds read.
typedef struct _RTL_PROCESS_MODULES
{
    ULONG NumberOfModules;                      // number of entries that follow
    RTL_PROCESS_MODULE_INFORMATION Modules[1];  // first of NumberOfModules entries
} RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES;
/// Physical address carried as a 64-bit LARGE_INTEGER, plus its pointer type.
/// These names are declared here because the user-mode headers included above
/// are not expected to provide them.
using PHYSICAL_ADDRESS = LARGE_INTEGER;
using PPHYSICAL_ADDRESS = LARGE_INTEGER*;
/// Opaque stand-in for the kernel's process object pointer. The real EPROCESS
/// layout is not declared in this header, so the value must only be passed
/// around, never dereferenced as a structure.
using PEPROCESS = PVOID;

/// Function-pointer type with the signature of the kernel routine
/// PsLookupProcessByProcessId: takes a process id and writes the process
/// object pointer to *Process, returning an NTSTATUS.
///
/// NOTE(review): this header is user-mode (it links ntdll.lib) and does not
/// show how a pointer of this type is obtained or invoked - confirm against
/// the callers. The real routine returns a referenced object; a successful
/// lookup must be paired with a dereference or the process object leaks.
using PsLookupProcessByProcessId =
    NTSTATUS(__fastcall*)(HANDLE ProcessId, PEPROCESS* Process);
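/**
 * @brief Layout of the CR3 control register (paging-structure root).
 *
 * `flags` is the raw 64-bit register value; the anonymous struct overlays it
 * with named bit-fields. The overlay relies on the compiler allocating
 * bit-fields starting at the least-significant bit, and on anonymous structs,
 * which are a compiler extension in C++. The CR3_* macros operate on the raw
 * value and do not depend on bit-field layout.
 *
 * `pml4_pfn` is a page-frame number, not an address: the physical address of
 * the table is the field value shifted left by CR3_ADDRESS_OF_PAGE_DIRECTORY_BIT.
 */
typedef union
{
    std::uint64_t flags;

    struct
    {
        std::uint64_t reserved1 : 3;

        /**
         * @brief Page-level Write-Through
         *
         * [Bit 3] Controls the memory type used to access the first paging structure of the current paging-structure hierarchy.
         * This bit is not used if paging is disabled, with PAE paging, or with 4-level paging if CR4.PCIDE=1.
         *
         * @see Vol3A[4.9(PAGING AND MEMORY TYPING)]
         */
        std::uint64_t page_level_write_through : 1;
#define CR3_PAGE_LEVEL_WRITE_THROUGH_BIT 3
#define CR3_PAGE_LEVEL_WRITE_THROUGH_FLAG 0x08
#define CR3_PAGE_LEVEL_WRITE_THROUGH_MASK 0x01
#define CR3_PAGE_LEVEL_WRITE_THROUGH(_) (((_) >> 3) & 0x01)

        /**
         * @brief Page-level Cache Disable
         *
         * [Bit 4] Controls the memory type used to access the first paging structure of the current paging-structure hierarchy.
         * This bit is not used if paging is disabled, with PAE paging, or with 4-level paging if CR4.PCIDE=1.
         *
         * @see Vol3A[4.9(PAGING AND MEMORY TYPING)]
         */
        std::uint64_t page_level_cache_disable : 1;
#define CR3_PAGE_LEVEL_CACHE_DISABLE_BIT 4
#define CR3_PAGE_LEVEL_CACHE_DISABLE_FLAG 0x10
#define CR3_PAGE_LEVEL_CACHE_DISABLE_MASK 0x01
#define CR3_PAGE_LEVEL_CACHE_DISABLE(_) (((_) >> 4) & 0x01)
        std::uint64_t reserved2 : 7;

        /**
         * @brief Address of page directory
         *
         * [Bits 47:12] Physical address of the 4-KByte aligned page directory (32-bit paging) or PML4 table (64-bit paging) used
         * for linear-address translation.
         *
         * @see Vol3A[4.3(32-BIT PAGING)]
         * @see Vol3A[4.5(4-LEVEL PAGING)]
         */
        std::uint64_t pml4_pfn : 36;
#define CR3_ADDRESS_OF_PAGE_DIRECTORY_BIT 12
#define CR3_ADDRESS_OF_PAGE_DIRECTORY_FLAG 0xFFFFFFFFF000
#define CR3_ADDRESS_OF_PAGE_DIRECTORY_MASK 0xFFFFFFFFF
#define CR3_ADDRESS_OF_PAGE_DIRECTORY(_) (((_) >> 12) & 0xFFFFFFFFF)
        std::uint64_t reserved3 : 16;
    };
} cr3;

// The bit-fields add up to 64 bits (3 + 1 + 1 + 7 + 36 + 16); fail the build if
// a compiler or packing setting makes the overlay wider than the raw register.
static_assert(sizeof(cr3) == sizeof(std::uint64_t),
              "cr3 must overlay exactly one 64-bit register value");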