Nourishment for humble development

Source: http://www.nirsoft.net/kernel_struct/vista/index.html

Windows Vista Kernel Structures

This page provides links to more than 600 structures and enumerations of the Windows Vista (32-bit) Kernel, in C/C++ format. Some of them are well-documented by Microsoft and appear in the header files of Microsoft Visual C++ and/or in the Windows Driver Development Kit (DDK). However, many of these kernel structures cannot be found in the C++ header files and are not officially documented by Microsoft.

How did I create this structures list?

Microsoft provides symbol files of ntdll.dll and the Windows Kernel for debugging purposes. These symbol files contain hundreds of internal data structures from the Windows kernel, many of which are not documented. I used the WinDbg debugger to extract all kernel data structures, and then I created a complex script that converted these data structures into C/C++ format.

Known Problems & Limitations

  • These structures were created from the symbol files of Windows Vista (32-bit). Be aware that these structures might change from one version of the OS to another.
  • Due to some limitations of the symbol-file-to-C++ conversion, the converted structures might be a little different from the original header files. For example: a WCHAR (2 bytes) data type in the original structure from the header files may appear as WORD (also 2 bytes) in the converted structure.

Structures
ACCESS_STATE
ACL
ACTIVATION_CONTEXT_STACK
ALPC_PROCESS_CONTEXT
ALPHA_LOADER_BLOCK
AMD64_DBGKD_CONTROL_SET
ARBITER_ADD_RESERVED_PARAMETERS
ARBITER_ALLOCATION_STATE
ARBITER_ALTERNATIVE
ARBITER_BOOT_ALLOCATION_PARAMETERS
ARBITER_CONFLICT_INFO
ARBITER_INSTANCE
ARBITER_INTERFACE
ARBITER_LIST_ENTRY
ARBITER_ORDERING
ARBITER_ORDERING_LIST
ARBITER_PARAMETERS
ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS
ARBITER_QUERY_ARBITRATE_PARAMETERS
ARBITER_QUERY_CONFLICT_PARAMETERS
ARBITER_RETEST_ALLOCATION_PARAMETERS
ARBITER_TEST_ALLOCATION_PARAMETERS
ARC_DISK_INFORMATION
ARM_DBGKD_CONTROL_SET
BATTERY_REPORTING_SCALE
BITMAP_RANGE
BUS_EXTENSION_LIST
CACHE_DESCRIPTOR
CACHE_MANAGER_CALLBACKS
CACHE_UNINITIALIZE_EVENT
CACHED_CHILD_LIST
CACHED_KSTACK_LIST
CALL_HASH_ENTRY
CALL_PERFORMANCE_DATA
CELL_DATA
CHILD_LIST
CLIENT_ID
CLS_LSN
CM_BIG_DATA
CM_CACHED_VALUE_INDEX
CM_CELL_REMAP_BLOCK
CM_FULL_RESOURCE_DESCRIPTOR
CM_INDEX_HINT_BLOCK
CM_INTENT_LOCK
CM_KCB_UOW
CM_KEY_BODY
CM_KEY_CONTROL_BLOCK
CM_KEY_HASH
CM_KEY_INDEX
CM_KEY_NODE
CM_KEY_REFERENCE
CM_KEY_SECURITY
CM_KEY_SECURITY_CACHE
CM_KEY_SECURITY_CACHE_ENTRY
CM_KEY_VALUE
CM_NAME_CONTROL_BLOCK
CM_NAME_HASH
CM_NOTIFY_BLOCK
CM_PARTIAL_RESOURCE_DESCRIPTOR
CM_PARTIAL_RESOURCE_LIST
CM_RESOURCE_LIST
CM_RM
CM_TRANS
CM_VIEW_OF_FILE
CM_WORKITEM
CMHIVE
CMP_OFFSET_ARRAY
COMPRESSED_DATA_INFO
CONFIGURATION_COMPONENT
CONFIGURATION_COMPONENT_DATA
CONTEXT
CONTROL_AREA
CURDIR
DBGKD_ANY_CONTROL_SET
DBGKD_BREAKPOINTEX
DBGKD_CONTINUE
DBGKD_CONTINUE2
DBGKD_FILL_MEMORY
DBGKD_GET_CONTEXT
DBGKD_GET_INTERNAL_BREAKPOINT32
DBGKD_GET_INTERNAL_BREAKPOINT64
DBGKD_GET_SET_BUS_DATA
DBGKD_GET_VERSION32
DBGKD_GET_VERSION64
DBGKD_LOAD_SYMBOLS32
DBGKD_LOAD_SYMBOLS64
DBGKD_MANIPULATE_STATE32
DBGKD_MANIPULATE_STATE64
DBGKD_QUERY_MEMORY
DBGKD_QUERY_SPECIAL_CALLS
DBGKD_READ_MEMORY32
DBGKD_READ_MEMORY64
DBGKD_READ_WRITE_IO_EXTENDED32
DBGKD_READ_WRITE_IO_EXTENDED64
DBGKD_READ_WRITE_IO32
DBGKD_READ_WRITE_IO64
DBGKD_READ_WRITE_MSR
DBGKD_RESTORE_BREAKPOINT
DBGKD_SEARCH_MEMORY
DBGKD_SET_CONTEXT
DBGKD_SET_INTERNAL_BREAKPOINT32
DBGKD_SET_INTERNAL_BREAKPOINT64
DBGKD_SET_SPECIAL_CALL32
DBGKD_SET_SPECIAL_CALL64
DBGKD_SWITCH_PARTITION
DBGKD_WRITE_BREAKPOINT32
DBGKD_WRITE_BREAKPOINT64
DBGKD_WRITE_MEMORY32
DBGKD_WRITE_MEMORY64
DBGKM_EXCEPTION32
DBGKM_EXCEPTION64
DEFERRED_WRITE
DESCRIPTOR
DEVICE_CAPABILITIES
DEVICE_FLAGS
DEVICE_MAP
DEVICE_NODE
DEVICE_OBJECT
DEVICE_OBJECT_POWER_EXTENSION
DEVICE_RELATIONS
DEVOBJ_EXTENSION
DISPATCHER_HEADER
DPH_BLOCK_INFORMATION
DPH_HEAP_BLOCK
DPH_HEAP_ROOT
DRIVER_EXTENSION
DRIVER_OBJECT
DUAL
DUMP_INITIALIZATION_CONTEXT
DUMP_STACK_CONTEXT
EFI_FIRMWARE_INFORMATION
EJOB
EPROCESS
ERESOURCE
ETHREAD
ETIMER
ETW_BUFFER_CONTEXT
ETW_GUID_ENTRY
ETW_KERNEL_TRACE_TIMESTAMP
ETW_PROVIDER_TABLE_ENTRY
ETW_REF_CLOCK
ETW_REG_ENTRY
ETW_REPLY_QUEUE
ETW_SYSTEMTIME
EVENT_DATA_DESCRIPTOR
EVENT_DESCRIPTOR
EX_FAST_REF
EX_PUSH_LOCK
EX_PUSH_LOCK_CACHE_AWARE
EX_PUSH_LOCK_WAIT_BLOCK
EX_QUEUE_WORKER_INFO
EX_RUNDOWN_REF
EX_WORK_QUEUE
EXCEPTION_POINTERS
EXCEPTION_RECORD
EXCEPTION_RECORD32
EXCEPTION_RECORD64
EXCEPTION_REGISTRATION_RECORD
FAST_IO_DISPATCH
FAST_MUTEX
FILE_BASIC_INFORMATION
FILE_GET_QUOTA_INFORMATION
FILE_NETWORK_OPEN_INFORMATION
FILE_OBJECT
FILE_STANDARD_INFORMATION
FIRMWARE_INFORMATION_LOADER_BLOCK
FLOATING_SAVE_AREA
FNSAVE_FORMAT
FREE_DISPLAY
FS_FILTER_CALLBACK_DATA
FS_FILTER_CALLBACKS
FS_FILTER_PARAMETERS
FX_SAVE_AREA
FXSAVE_FORMAT
GDI_TEB_BATCH
GENERAL_LOOKASIDE
GENERAL_LOOKASIDE_POOL
GENERIC_MAPPING
GUID
HANDLE_TABLE
HANDLE_TABLE_ENTRY
HANDLE_TABLE_ENTRY_INFO
HANDLE_TRACE_DB_ENTRY
HANDLE_TRACE_DEBUG_INFO
HARDWARE_PTE
HARDWARE_PTE_X86
HBASE_BLOCK
HEADLESS_LOADER_BLOCK
HEAP
HEAP_BUCKET
HEAP_BUCKET_COUNTERS
HEAP_COUNTERS
HEAP_DEBUGGING_INFORMATION
HEAP_ENTRY
HEAP_ENTRY_EXTRA
HEAP_FAILURE_INFORMATION
HEAP_FREE_ENTRY
HEAP_FREE_ENTRY_EXTRA
HEAP_LIST_LOOKUP
HEAP_LOCAL_DATA
HEAP_LOCK
HEAP_LOOKASIDE
HEAP_PSEUDO_TAG_ENTRY
HEAP_SEGMENT
HEAP_STOP_ON_TAG
HEAP_STOP_ON_VALUES
HEAP_SUBSEGMENT
HEAP_TAG_ENTRY
HEAP_TUNING_PARAMETERS
HEAP_UCR_DESCRIPTOR
HEAP_USERDATA_HEADER
HEAP_VIRTUAL_ALLOC_ENTRY
HHIVE
HIVE_LIST_ENTRY
HMAP_DIRECTORY
HMAP_ENTRY
HMAP_TABLE
I386_LOADER_BLOCK
IA64_DBGKD_CONTROL_SET
IA64_LOADER_BLOCK
IMAGE_DATA_DIRECTORY
IMAGE_DEBUG_DIRECTORY
IMAGE_DOS_HEADER
IMAGE_FILE_HEADER
IMAGE_NT_HEADERS
IMAGE_OPTIONAL_HEADER
IMAGE_ROM_OPTIONAL_HEADER
IMAGE_SECTION_HEADER
IMAGE_SECURITY_CONTEXT
INITIAL_PRIVILEGE_SET
INTERFACE
INTERLOCK_SEQ
IO_CLIENT_EXTENSION
IO_COMPLETION_CONTEXT
IO_DRIVER_CREATE_CONTEXT
IO_PRIORITY_INFO
IO_RESOURCE_DESCRIPTOR
IO_RESOURCE_LIST
IO_RESOURCE_REQUIREMENTS_LIST
IO_SECURITY_CONTEXT
IO_STACK_LOCATION
IO_STATUS_BLOCK
IO_TIMER
iobuf
IOV_FORCED_PENDING_TRACE
IRP
KAPC
KAPC_STATE
KDEVICE_QUEUE
KDEVICE_QUEUE_ENTRY
KDPC
KDPC_DATA
KENLISTMENT
KENLISTMENT_HISTORY
KERNEL_STACK_CONTROL
KERNEL_STACK_SEGMENT
KEVENT
KEXECUTE_OPTIONS
KGATE
KGDTENTRY
KGUARDED_MUTEX
KIDTENTRY
KiIoAccessMap
KINTERRUPT
KLOCK_QUEUE_HANDLE
KMUTANT
KNODE
KPCR
KPRCB
KPROCESS
KPROCESSOR_STATE
KQUEUE
KRESOURCEMANAGER
KRESOURCEMANAGER_COMPLETION_BINDING
KSEMAPHORE
KSPECIAL_REGISTERS
KSPIN_LOCK_QUEUE
KSYSTEM_TIME
KTHREAD
KTIMER
KTIMER_TABLE_ENTRY
KTM
KTMOBJECT_NAMESPACE
KTMOBJECT_NAMESPACE_LINK
KTRANSACTION
KTRANSACTION_HISTORY
KTRAP_FRAME
KTSS
KUSER_SHARED_DATA
KWAIT_BLOCK
LARGE_INTEGER
LDR_DATA_TABLE_ENTRY
LFH_BLOCK_ZONE
LFH_HEAP
LIST_ENTRY
LIST_ENTRY32
LIST_ENTRY64
LOADER_PARAMETER_BLOCK
LOADER_PARAMETER_EXTENSION
LOADER_PERFORMANCE_DATA
LOOKASIDE_LIST_EX
LPCP_MESSAGE
LPCP_NONPAGED_PORT_QUEUE
LPCP_PORT_OBJECT
LPCP_PORT_QUEUE
LUID
LUID_AND_ATTRIBUTES
MAILSLOT_CREATE_PARAMETERS
MAPPED_FILE_SEGMENT
MBCB
MCA_EXCEPTION
MCI_ADDR
MCI_STATS
MDL
MEMORY_ALLOCATION_DESCRIPTOR
MI_COLOR_BASE
MI_EXTRA_IMAGE_INFORMATION
MI_IMAGE_SECURITY_REFERENCE
MI_PAGEFILE_TRACES
MI_PER_SESSION_PROTOS
MI_SECTION_CREATION_EVENT
MI_SECTION_IMAGE_INFORMATION
MI_SPECIAL_POOL
MI_SYSTEM_PTE_TYPE
MI_VERIFIER_DRIVER_ENTRY
MI_VERIFIER_POOL_HEADER
MM_AVL_TABLE
MM_DRIVER_VERIFIER_DATA
MM_PAGE_ACCESS_INFO
MM_PAGE_ACCESS_INFO_FLAGS
MM_PAGE_ACCESS_INFO_HEADER
MM_PAGED_POOL_INFO
MM_SESSION_SPACE
MM_SESSION_SPACE_FLAGS
MM_SUBSECTION_AVL_TABLE
MMADDRESS_LIST
MMADDRESS_NODE
MMBANKED_SECTION
MMEXTEND_INFO
MMMOD_WRITER_MDL_ENTRY
MMPAGING_FILE
MMPAGING_FILE_FREE_ENTRY
MMPFN
MMPFNENTRY
MMPFNLIST
MMPTE
MMPTE_HARDWARE
MMPTE_HIGHLOW
MMPTE_LIST
MMPTE_PROTOTYPE
MMPTE_SOFTWARE
MMPTE_SUBSECTION
MMPTE_TRANSITION
MMSECTION_FLAGS
MMSECURE_FLAGS
MMSESSION
MMSUBSECTION_FLAGS
MMSUBSECTION_NODE
MMSUPPORT
MMSUPPORT_FLAGS
MMVAD
MMVAD_FLAGS
MMVAD_FLAGS2
MMVAD_FLAGS3
MMVAD_LONG
MMVAD_SHORT
MMVIEW
MMWSL
MMWSLE
MMWSLE_FREE_ENTRY
MMWSLE_HASH
MMWSLE_NONDIRECT_HASH
MMWSLENTRY
MSUBSECTION
NAMED_PIPE_CREATE_PARAMETERS
NETWORK_LOADER_BLOCK
NLS_DATA_BLOCK
NPAGED_LOOKASIDE_LIST
NT_TIB
OBJECT_ATTRIBUTES
OBJECT_CREATE_INFORMATION
OBJECT_DIRECTORY
OBJECT_DIRECTORY_ENTRY
OBJECT_DUMP_CONTROL
OBJECT_HANDLE_COUNT_DATABASE
OBJECT_HANDLE_COUNT_ENTRY
OBJECT_HANDLE_INFORMATION
OBJECT_HEADER
OBJECT_HEADER_CREATOR_INFO
OBJECT_HEADER_HANDLE_INFO
OBJECT_HEADER_NAME_INFO
OBJECT_HEADER_QUOTA_INFO
OBJECT_NAME_INFORMATION
OBJECT_SYMBOLIC_LINK
OBJECT_TYPE
OBJECT_TYPE_INITIALIZER
OWNER_ENTRY
PAGED_LOOKASIDE_LIST
PCAT_FIRMWARE_INFORMATION
PCIE_DEVICE_ID
PEB
PEB_FREE_BLOCK
PEB_LDR_DATA
PERFINFO_GROUPMASK
PERFINFO_HARDPAGEFAULT_INFORMATION
PERFINFO_TRACE_HEADER
PF_HARD_FAULT_INFO
PF_KERNEL_GLOBALS
PHYSICAL_MEMORY_DESCRIPTOR
PHYSICAL_MEMORY_RUN
PI_BUS_EXTENSION
PI_RESOURCE_ARBITER_ENTRY
PLUGPLAY_EVENT_BLOCK
PNP_ASSIGN_RESOURCES_CONTEXT
PNP_DEVICE_COMPLETION_QUEUE
PNP_DEVICE_EVENT_ENTRY
PNP_DEVICE_EVENT_LIST
PNP_RESOURCE_REQUEST
PO_DEVICE_NOTIFY
PO_DEVICE_NOTIFY_ORDER
PO_HIBER_PERF
PO_IRP_MANAGER
PO_IRP_QUEUE
PO_MEMORY_IMAGE
PO_MEMORY_RANGE_ARRAY
PO_MEMORY_RANGE_ARRAY_LINK
PO_MEMORY_RANGE_ARRAY_RANGE
PO_NOTIFY_ORDER_LEVEL
POOL_BLOCK_HEAD
POOL_DESCRIPTOR
POOL_HACKER
POOL_HEADER
POOL_TRACKER_BIG_PAGES
POOL_TRACKER_TABLE
POP_ACTION_TRIGGER
POP_DEVICE_SYS_STATE
POP_DISPLAY_RESUME_CONTEXT
POP_HIBER_CONTEXT
POP_POWER_ACTION
POP_SHUTDOWN_BUG_CHECK
POP_THERMAL_ZONE
POP_TRIGGER_WAIT
PORT_MESSAGE
POWER_ACTION_POLICY
POWER_CHANNEL_SUMMARY
POWER_SEQUENCE
POWER_STATE
PP_LOOKASIDE_LIST
PPM_IDLE_ACCOUNTING
PPM_IDLE_STATE
PPM_IDLE_STATE_ACCOUNTING
PPM_IDLE_STATES
PPM_PERF_STATE
PPM_PERF_STATES
PRIVATE_CACHE_MAP
PRIVATE_CACHE_MAP_FLAGS
PRIVILEGE_SET
PROCESSOR_IDLE_TIMES
PROCESSOR_IDLESTATE_INFO
PROCESSOR_IDLESTATE_POLICY
PROCESSOR_PERFSTATE_POLICY
PROCESSOR_POWER_STATE
PROFILE_PARAMETER_BLOCK
PS_CLIENT_SECURITY_CONTEXT
PTE_QUEUE_POINTER
QUAD
RTL_ACTIVATION_CONTEXT_STACK_FRAME
RTL_ATOM_TABLE
RTL_ATOM_TABLE_ENTRY
RTL_AVL_TABLE
RTL_BALANCED_LINKS
RTL_BITMAP
RTL_CRITICAL_SECTION
RTL_CRITICAL_SECTION_DEBUG
RTL_DRIVE_LETTER_CURDIR
RTL_HANDLE_TABLE
RTL_HANDLE_TABLE_ENTRY
RTL_RANGE
RTL_RANGE_LIST
RTL_STACK_TRACE_ENTRY
RTL_TRACE_BLOCK
RTL_TRACE_DATABASE
RTL_TRACE_SEGMENT
RTL_USER_PROCESS_PARAMETERS
RTLP_RANGE_LIST_ENTRY
SE_AUDIT_PROCESS_CREATION_INFO
SECTION_IMAGE_INFORMATION
SECTION_OBJECT
SECTION_OBJECT_POINTERS
SECURITY_CLIENT_CONTEXT
SECURITY_DESCRIPTOR
SECURITY_DESCRIPTOR_RELATIVE
SECURITY_QUALITY_OF_SERVICE
SECURITY_SUBJECT_CONTEXT
SECURITY_TOKEN_AUDIT_DATA
SECURITY_TOKEN_PROXY_DATA
SEGMENT
SEGMENT_FLAGS
SEGMENT_OBJECT
SEP_AUDIT_POLICY
SEP_LOGON_SESSION_REFERENCES
SEP_TOKEN_PRIVILEGES
SHARED_CACHE_MAP
SHARED_CACHE_MAP_LIST_CURSOR
SID
SID_AND_ATTRIBUTES
SID_AND_ATTRIBUTES_HASH
SID_IDENTIFIER_AUTHORITY
SINGLE_LIST_ENTRY
SLIST_HEADER
STACK_TRACE_DATABASE
STRING
SUBSECTION
SYSPTES_HEADER
SYSTEM_POWER_CAPABILITIES
SYSTEM_POWER_LEVEL
SYSTEM_POWER_POLICY
SYSTEM_POWER_STATE_CONTEXT
SYSTEM_TRACE_HEADER
TEB
TEB_ACTIVE_FRAME
TEB_ACTIVE_FRAME_CONTEXT
TERMINATION_PORT
THERMAL_INFORMATION
THERMAL_INFORMATION_EX
TIME_FIELDS
TOKEN
TOKEN_AUDIT_POLICY
TOKEN_CONTROL
TOKEN_SOURCE
TP_CALLBACK_ENVIRON
TP_DIRECT
TP_TASK
TP_TASK_CALLBACKS
TRACE_ENABLE_CONTEXT
TRACE_ENABLE_INFO
TXN_PARAMETER_BLOCK
ULARGE_INTEGER
UNICODE_STRING
USER_MEMORY_CACHE_ENTRY
VACB
VACB_ARRAY_HEADER
VACB_LEVEL_REFERENCE
VF_BTS_DATA_MANAGEMENT_AREA
VF_BTS_RECORD
VF_POOL_TRACE
VF_TRACKER
VF_TRACKER_STAMP
VI_CANCEL_GLOBALS
VI_DEADLOCK_ADDRESS_RANGE
VI_DEADLOCK_GLOBALS
VI_DEADLOCK_NODE
VI_DEADLOCK_RESOURCE
VI_DEADLOCK_THREAD
VI_POOL_ENTRY
VI_POOL_ENTRY_INUSE
VI_POOL_PAGE_HEADER
VI_TRACK_IRQL
VI_VERIFIER_ISSUE
VIRTUAL_EFI_RUNTIME_SERVICES
VOLUME_CACHE_MAP
VPB
WAIT_CONTEXT_BLOCK
WHEA_ERROR_PACKET
WHEA_ERROR_RECORD
WHEA_ERROR_RECORD_HEADER
WHEA_ERROR_RECORD_SECTION_DESCRIPTOR
WHEA_ERROR_STATUS
WHEA_GENERIC_PROCESSOR_ERROR
WHEA_MEMORY_ERROR
WHEA_NMI_ERROR
WHEA_PCIEXPRESS_ERROR
WHEA_PCIX_BUS_ERROR
WHEA_PCIX_BUS_VALIDATION_BITS
WHEA_PCIX_DEV_VALIDATION_BITS
WHEA_PCIX_DEVICE_ERROR
WHEA_PERSISTENCE_INFO
WMI_BUFFER_HEADER
WMI_LOGGER_CONTEXT
WMI_TRACE_PACKET
WNODE_HEADER
WORK_QUEUE_ENTRY
WORK_QUEUE_ITEM
X86_DBGKD_CONTROL_SET

Enumerations
ALTERNATIVE_ARCHITECTURE_TYPE
ARBITER_ACTION
ARBITER_REQUEST_SOURCE
ARBITER_RESULT
BUS_QUERY_ID_TYPE
CONFIGURATION_CLASS
CONFIGURATION_TYPE
DEVICE_POWER_STATE
DEVICE_RELATION_TYPE
DEVICE_TEXT_TYPE
DEVICE_USAGE_NOTIFICATION_TYPE
DPFLTR_TYPE
ETW_BUFFER_STATE
ETW_GUID_TYPE
ETW_PROVIDER_STATE
ETW_RT_EVENT_LOSS
EVENT_TYPE
EXCEPTION_DISPOSITION
FILE_INFORMATION_CLASS
FS_FILTER_SECTION_SYNC_TYPE
FS_FILTER_STREAM_FO_NOTIFICATION_TYPE
FSINFOCLASS
HEAP_FAILURE_TYPE
HSTORAGE_TYPE
INTERFACE_TYPE
IO_ALLOCATION_ACTION
IO_PAGING_PRIORITY
IO_PRIORITY_HINT
IRQ_DEVICE_POLICY
IRQ_PRIORITY
KENLISTMENT_STATE
KINTERRUPT_MODE
KINTERRUPT_POLARITY
KOBJECTS
KRESOURCEMANAGER_STATE
KSPIN_LOCK_QUEUE_NUMBER
KTHREAD_STATE
KTM_STATE
KTRANSACTION_OUTCOME
KTRANSACTION_STATE
KWAIT_REASON
LSA_FOREST_TRUST_RECORD_TYPE
MCA_EXCEPTION_TYPE
MEMORY_CACHING_TYPE
MEMORY_CACHING_TYPE_ORIG
MI_PFN_CACHE_ATTRIBUTE
MI_SYSTEM_VA_TYPE
MI_VAD_TYPE
MM_PAGE_ACCESS_TYPE
MM_POOL_FAILURE_REASONS
MM_POOL_PRIORITIES
MM_POOL_TYPES
MM_PREEMPTIVE_TRIMS
MMLISTS
MODE
NT_PRODUCT_TYPE
OB_OPEN_REASON
PCI_EXPRESS_DEVICE_TYPE
PCI_HOTPLUG_SLOT_INTERRUPT
PF_FILE_ACCESS_TYPE
PLUGPLAY_EVENT_CATEGORY
PNP_DEVNODE_STATE
PNP_VETO_TYPE
POLICY_AUDIT_EVENT_TYPE
POOL_TYPE
POP_POLICY_DEVICE_TYPE
POWER_ACTION
POWER_STATE_TYPE
PP_NPAGED_LOOKASIDE_NUMBER
PROCESSOR_CACHE_TYPE
PROFILE_STATUS
PROXY_CLASS
PS_RESOURCE_TYPE
REG_NOTIFY_CLASS
ReplacesCorHdrNumericDefines
RTL_GENERIC_COMPARE_RESULTS
SECURITY_IMPERSONATION_LEVEL
SECURITY_OPERATION_CODE
SYSTEM_POWER_CONDITION
SYSTEM_POWER_STATE
TOKEN_TYPE
TYPE_OF_MEMORY
UoWActionType
VI_CNT_INDEX_TYPE
VI_DEADLOCK_RESOURCE_TYPE
WAIT_TYPE
WHEA_ERROR_SEVERITY
WHEA_ERROR_SOURCE_TYPE
WHEA_ERROR_STATUS_FORMAT
WHEA_ERROR_TYPE
WOW64_SHARED_INFORMATION

 1. Traverse using the ActiveProcessLinks linked list of EPROCESS.
 ( Most rootkits manipulate this value, so it may not be of much use, but a process that is
  hidden by hooking ZwQuerySystemInformation() and manipulating its result can easily be
  found this way. )

 2. ZwOpenProcess() Brute-Force Detection
 Open every multiple of 4 in the valid PID range, from 0L to 0xFFFFL, and detect the processes
 that open successfully. However, a process that has terminated but whose handle has not been
 closed also opens, so additional verification is needed.

 3. PspCidTable Traverse
 Windows NT has an unexported symbol called PspCidTable, a kind of handle table that stores the
 object pointers of processes and threads. Traversing it can also find hidden processes.
 ( Since only object pointers are stored, it is necessary to check whether the Type field of the
 OBJECT_HEADER pointed to by pointer-0x18 is PsProcessType. )

 4. Process Handle Table Link Traverse
 EPROCESS has a HandleTable field, and inside it there is a linked list.
 Traversing that list finds every EPROCESS.

 5. Traversing the handle table of CSRSS.EXE
 The CSRSS.EXE process also has the role of notifying the kernel of process startup and handling the follow-up.
 (It uses an unexported/undocumented symbol called BaseSetProcessCreateNotify.
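Method 2 above, worked through as an added example (not code from the original post): every candidate PID that is a multiple of 4 below 0x10000 is opened, and any PID that opens but is missing from the list a normal enumeration API returned is reported. The caveat in the text is handled as well: a process that has already exited but whose handle is still held somewhere also opens, so such PIDs are reported separately as "zombie" rather than as hidden. The Windows probe uses OpenProcess with PROCESS_QUERY_LIMITED_INFORMATION (0x1000, available from Vista) and GetExitCodeProcess (STILL_ACTIVE = 259); the sample PID table is constructed so the logic can be run offline, and the live mode assumes psutil is installed to supply the "visible" PID list.

```python
"""Cross-view hidden-process check in the spirit of method 2 (added example)."""
import sys
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set

STILL_ACTIVE = 259                          # GetExitCodeProcess value for a live process
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000  # minimal access right, Vista and later


@dataclass(frozen=True)
class ProbeResult:
    opened: bool        # the open call succeeded
    still_active: bool  # the process has not exited yet


Probe = Callable[[int], ProbeResult]


def candidate_pids(limit: int = 0x10000, step: int = 4) -> Iterable[int]:
    """PIDs are multiples of 4; 0 is the Idle process and never opens."""
    return range(0, limit, step)


def cross_view_detect(enumerated: Set[int], probe: Probe,
                      limit: int = 0x10000) -> Dict[str, List[int]]:
    """Return PIDs that open but are absent from the enumerated set.

    'hidden': opens and is still running -> worth investigating
    'zombie': opens but has exited       -> a leaked handle, not a hidden process
    """
    hidden: List[int] = []
    zombie: List[int] = []
    for pid in candidate_pids(limit):
        if pid in enumerated:
            continue
        result = probe(pid)
        if not result.opened:
            continue
        (hidden if result.still_active else zombie).append(pid)
    return {"hidden": hidden, "zombie": zombie}


def windows_probe(pid: int) -> ProbeResult:
    """Real probe for Windows: OpenProcess + GetExitCodeProcess via ctypes."""
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = wintypes.HANDLE
    handle = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
    if not handle:
        return ProbeResult(False, False)
    code = wintypes.DWORD()
    ok = k32.GetExitCodeProcess(handle, ctypes.byref(code))
    k32.CloseHandle(handle)
    return ProbeResult(True, bool(ok) and code.value == STILL_ACTIVE)


def fake_probe_from_table(table: Dict[int, bool]) -> Probe:
    """Constructed probe for offline use: table maps pid -> still_active."""
    def probe(pid: int) -> ProbeResult:
        if pid not in table:
            return ProbeResult(False, False)
        return ProbeResult(True, table[pid])
    return probe


# Constructed sample (not real data): the enumeration API shows four processes,
# PID 1236 also opens and is alive (hidden), PID 4092 opens but has exited (zombie).
SAMPLE_ENUMERATED = {4, 400, 800, 1200}
SAMPLE_OPENS = {4: True, 400: True, 800: True, 1200: True, 1236: True, 4092: False}


def demo() -> Dict[str, List[int]]:
    """Run the detection over the constructed sample."""
    return cross_view_detect(SAMPLE_ENUMERATED, fake_probe_from_table(SAMPLE_OPENS))


if __name__ == "__main__":
    if sys.platform == "win32" and "--live" in sys.argv:
        import psutil  # assumed installed; supplies the 'visible' view
        print(cross_view_detect(set(psutil.pids()), windows_probe))
    else:
        print(demo())  # {'hidden': [1236], 'zombie': [4092]}
```

Run it with `--live` on a Windows host to compare the brute-force view against psutil's enumeration; anywhere else it runs the constructed sample. A PID in the "hidden" list is only a lead: a process may also fail to appear because it started between the enumeration and the probe, so rerun before drawing conclusions.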

Opcodes with long operands

MYDN 2008. 5. 26. 11:08

EA 907CEF3D 927C             JMP FAR 7C92:3DEF7C90                    ; Far jump

8192 7C43D690 7CE94B92       ADC DWORD PTR DS:[EDX+90D6437C],924BE97C

6943 07 00895B07             IMUL EAX,DWORD PTR DS:[EBX+7],75B8900

C005 0010C105 00             ROL BYTE PTR DS:[5C11000],0              ; Shift constant out of range 1..31

699403 00889000 00EBE805     IMUL EDX,DWORD PTR DS:[EBX+EAX+908800],5>

8005 00B83A07 00             ADD BYTE PTR DS:[73AB800],0

C705 00B81C03 00A1C705       MOV DWORD PTR DS:[31CB800],5C7A100

9A 510000AB 5100             CALL FAR 0051:AB000051                    ; Far call

6980 00008280 00009880       IMUL EAX,DWORD PTR DS:[EAX+80820000],8098>

Installing the attached registry file adds a menu item named
"Delete Temp Files For SVN" to the right-click (context) menu, as shown below.

Running that menu item deletes the unnecessary files of the project.

The extensions registered for deletion are as follows.


Unnecessary Visual Studio Files

*.plg : ProgramLoG file. Records information such as compile and link results
*.ncb : Workspace View Class Browsing file. Contains source editing information
*.aps
*.opt
*.clw


Intermediate Files

*.obj : object file generated by compiling a .cpp file
*.idb : incremental link DataBase file
*.pch : PreCompiledHeader
*.res : resource binary file generated by compiling an .rc file
*.pdb : Program DataBase file
*.scc : SourceSafe information file
*.sbr
*.exp
*.bsc
*.ilk


etc
*.tmp : temporary files
*.log : various log files
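The cleanup that the "Delete Temp Files For SVN" menu performs, as an added example; this is not the attached registry file or the author's own script. It walks one project directory, removes files whose extension is in the list above, skips the .svn metadata directory and symlinks, and defaults to a dry run so that a stray right-click cannot destroy anything. `context_menu_reg` prints a .reg fragment that registers the script under HKEY_CLASSES_ROOT\Directory\shell, the standard location for folder context-menu commands (`%1` is the folder that was right-clicked); the `python.exe` path is an assumption you would replace with the interpreter's full path. The sample project tree is constructed in a temporary directory for offline demonstration.

```python
"""Delete registered temp files under a project directory (added example)."""
import os
import sys
from pathlib import Path
from typing import List, Set

# Extensions from the list above, lower-case, with the leading dot.
VS_FILES = {".plg", ".ncb", ".aps", ".opt", ".clw"}
INTERMEDIATE = {".obj", ".idb", ".pch", ".res", ".pdb", ".scc",
                ".sbr", ".exp", ".bsc", ".ilk"}
MISC = {".tmp", ".log"}
TEMP_EXTENSIONS: Set[str] = VS_FILES | INTERMEDIATE | MISC


def find_temp_files(root: Path, extensions: Set[str] = TEMP_EXTENSIONS) -> List[Path]:
    """All regular files under root whose suffix is registered for deletion."""
    matches: List[Path] = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # never descend into the SVN metadata directory
        dirnames[:] = [d for d in dirnames if d != ".svn"]
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() in extensions and p.is_file() and not p.is_symlink():
                matches.append(p)
    return sorted(matches)


def delete_temp_files(root: Path, dry_run: bool = True) -> List[Path]:
    """Delete (or, in dry-run mode, only list) the registered temp files."""
    victims = find_temp_files(root)
    if not dry_run:
        for p in victims:
            p.unlink()
    return victims


def context_menu_reg(script_path: str, python_exe: str = "python.exe") -> str:
    """Text of a .reg file that adds the folder context-menu entry.

    python_exe is an assumed interpreter path; use the full path in practice.
    .reg string values double backslashes and escape double quotes.
    """
    command = f'"{python_exe}" "{script_path}" --delete "%1"'
    escaped = command.replace("\\", "\\\\").replace('"', '\\"')
    return "\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        r"[HKEY_CLASSES_ROOT\Directory\shell\Delete Temp Files For SVN]",
        r"[HKEY_CLASSES_ROOT\Directory\shell\Delete Temp Files For SVN\command]",
        '@="' + escaped + '"',
        "",
    ])


def make_sample_project() -> Path:
    """Constructed sample tree (not real project data) in a temporary directory."""
    import tempfile
    root = Path(tempfile.mkdtemp(prefix="svnclean_"))
    (root / "src").mkdir()
    (root / ".svn").mkdir()
    for rel in ("main.cpp", "main.obj", "proj.ncb", "src/build.log", ".svn/entries.tmp"):
        (root / rel).write_text("x")
    return root


if __name__ == "__main__":
    args = sys.argv[1:]
    if "--reg" in args:
        print(context_menu_reg(str(Path(__file__).resolve())))
        sys.exit(0)
    targets = [a for a in args if not a.startswith("--")]
    root = Path(targets[0]) if targets else make_sample_project()
    deleting = "--delete" in args
    for p in delete_temp_files(root, dry_run=not deleting):
        print(("deleted " if deleting else "would delete ") + str(p))
```

`python svnclean.py --reg > svnclean.reg` produces the registry fragment; once imported, right-clicking a folder runs the script with `--delete` on that folder. Without `--delete` the script only lists what it would remove, which is the safer way to check the extension list against a real project first.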