Created
July 20, 2024 09:39
-
-
Save w1redch4d/b59a5673f704911e0de9db356a7f9055 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| typedef struct _PS_ATTRIBUTE | |
| { | |
| ULONG_PTR Attribute; // PROC_THREAD_ATTRIBUTE_XXX | PROC_THREAD_ATTRIBUTE_XXX modifiers, see ProcThreadAttributeValue macro and Windows Internals 6 (372) | |
| SIZE_T Size; // Size of Value or *ValuePtr | |
| union | |
| { | |
| ULONG_PTR Value; // Reserve 8 bytes for data (such as a Handle or a data pointer) | |
| PVOID ValuePtr; // data pointer | |
| }; | |
| PSIZE_T ReturnLength; // Either 0 or specifies size of data returned to caller via "ValuePtr" | |
| } PS_ATTRIBUTE, * PPS_ATTRIBUTE; | |
| typedef struct _PS_ATTRIBUTE_LIST | |
| { | |
| SIZE_T TotalLength; // sizeof(PS_ATTRIBUTE_LIST) | |
| PS_ATTRIBUTE Attributes[2]; // Depends on how many attribute entries should be supplied to NtCreateUserProcess | |
| } PS_ATTRIBUTE_LIST, * PPS_ATTRIBUTE_LIST; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| typedef struct _PS_CREATE_INFO | |
| { | |
| SIZE_T Size; | |
| PS_CREATE_STATE State; | |
| union | |
| { | |
| // PsCreateInitialState | |
| struct | |
| { | |
| union | |
| { | |
| ULONG InitFlags; | |
| struct | |
| { | |
| UCHAR WriteOutputOnExit : 1; | |
| UCHAR DetectManifest : 1; | |
| UCHAR IFEOSkipDebugger : 1; | |
| UCHAR IFEODoNotPropagateKeyState : 1; | |
| UCHAR SpareBits1 : 4; | |
| UCHAR SpareBits2 : 8; | |
| USHORT ProhibitedImageCharacteristics : 16; | |
| } s1; | |
| } u1; | |
| ACCESS_MASK AdditionalFileAccess; | |
| } InitState; | |
| // PsCreateFailOnSectionCreate | |
| struct | |
| { | |
| HANDLE FileHandle; | |
| } FailSection; | |
| // PsCreateFailExeFormat | |
| struct | |
| { | |
| USHORT DllCharacteristics; | |
| } ExeFormat; | |
| // PsCreateFailExeName | |
| struct | |
| { | |
| HANDLE IFEOKey; | |
| } ExeName; | |
| // PsCreateSuccess | |
| struct | |
| { | |
| union | |
| { | |
| ULONG OutputFlags; | |
| struct | |
| { | |
| UCHAR ProtectedProcess : 1; | |
| UCHAR AddressSpaceOverride : 1; | |
| UCHAR DevOverrideEnabled : 1; // From Image File Execution Options | |
| UCHAR ManifestDetected : 1; | |
| UCHAR ProtectedProcessLight : 1; | |
| UCHAR SpareBits1 : 3; | |
| UCHAR SpareBits2 : 8; | |
| USHORT SpareBits3 : 16; | |
| } s2; | |
| } u2; | |
| HANDLE FileHandle; | |
| HANDLE SectionHandle; | |
| ULONGLONG UserProcessParametersNative; | |
| ULONG UserProcessParametersWow64; | |
| ULONG CurrentParameterFlags; | |
| ULONGLONG PebAddressNative; | |
| ULONG PebAddressWow64; | |
| ULONGLONG ManifestAddress; | |
| ULONG ManifestSize; | |
| } SuccessState; | |
| }; | |
| } PS_CREATE_INFO, * PPS_CREATE_INFO; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment