author | Matt Graeber <mattgraeber@gmail.com> | 2013-05-29 18:32:24 -0400 |
---|---|---|
committer | Matt Graeber <mattgraeber@gmail.com> | 2013-05-29 18:32:24 -0400 |
commit | 9b4b3dcc739b684326243d95da1982651bc95d19 (patch) | |
tree | 7ffe6feba20eae27c9db8ce8e3815222956055c1 | |
parent | 7d5e884c3f0c1359fb9e9e4829188c8bdc57b23f (diff) | |
Silly me. Just discovered the SetOffset method.
Thanks @JosephBialek!
-rw-r--r-- | ReverseEngineering/Get-NtSystemInformation.ps1 | 152 |
1 files changed, 75 insertions, 77 deletions
diff --git a/ReverseEngineering/Get-NtSystemInformation.ps1 b/ReverseEngineering/Get-NtSystemInformation.ps1 index 37412fe..e004b87 100644 --- a/ReverseEngineering/Get-NtSystemInformation.ps1 +++ b/ReverseEngineering/Get-NtSystemInformation.ps1 @@ -151,8 +151,6 @@ $FlagsConstructor = [FlagsAttribute].GetConstructor(@()) $FlagsCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($FlagsConstructor, @()) - $FieldOffsetConstructor = [Runtime.InteropServices.FieldOffsetAttribute].GetConstructor([Int]) - $MarshalAsConstructor = [Runtime.InteropServices.MarshalAsAttribute].GetConstructor([Runtime.InteropServices.UnmanagedType]) $SizeConst = [Runtime.InteropServices.MarshalAsAttribute].GetField('SizeConst') 
@@ -345,22 +343,22 @@ $TypeBuilder = $ModuleBuilder.DefineType('_UNICODE_STRING', $StructAttributes, [ValueType], 2, 16) $TypeBuilder.SetCustomAttribute($StructLayoutCustomAttribute) - $TypeBuilder.DefineField('Length', [UInt16], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0)))) - $TypeBuilder.DefineField('MaximumLength', [UInt16], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(2)))) + $TypeBuilder.DefineField('Length', [UInt16], 'Public').SetOffset(0) + $TypeBuilder.DefineField('MaximumLength', [UInt16], 'Public').SetOffset(2) $BufferField = $TypeBuilder.DefineField('Buffer', [String], 'Public, HasFieldMarshal') $BufferField.SetCustomAttribute($MarshalAsCustomAttribute) - $BufferField.SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(8)))) + $BufferField.SetOffset(8) } else { $TypeBuilder = $ModuleBuilder.DefineType('_UNICODE_STRING', $StructAttributes, [ValueType], 2, 8) $TypeBuilder.SetCustomAttribute($StructLayoutCustomAttribute) - $TypeBuilder.DefineField('Length', [UInt16], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0)))) - $TypeBuilder.DefineField('MaximumLength', [UInt16], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(2)))) + $TypeBuilder.DefineField('Length', [UInt16], 'Public').SetOffset(0) + $TypeBuilder.DefineField('MaximumLength', [UInt16], 'Public').SetOffset(2) $BufferField = $TypeBuilder.DefineField('Buffer', [String], 'Public, HasFieldMarshal') $BufferField.SetCustomAttribute($MarshalAsCustomAttribute) - $BufferField.SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(4)))) + $BufferField.SetOffset(4) } $UnicodeStringClass = $TypeBuilder.CreateType() 
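Review bot: The two branches for `_UNICODE_STRING` repeat the same `Length`, `MaximumLength` and `Buffer` definitions and differ only in the structure size (16 vs 8) and the `Buffer` offset (8 vs 4), both of which are multiples of the pointer size. Now that offsets are plain integers, a single definition using `$BufferField.SetOffset([IntPtr]::Size)` and a size of `2 * [IntPtr]::Size` would cover both cases and remove one place where the layouts can drift apart. The `if` that selects the branch starts above this hunk, so this assumes it tests `[IntPtr]::Size` as the later hunks do.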
@@ -439,29 +437,29 @@ if ([IntPtr]::Size -eq 8) { - $TypeBuilder.DefineField('Address', [IntPtr], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0)))) - $TypeBuilder.DefineField('Type', [UInt16], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(8)))) - $TypeBuilder.DefineField('Reserved1', [UInt16], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(10)))) - $TypeBuilder.DefineField('ExclusiveOwnerThreadId', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(16)))) - $TypeBuilder.DefineField('ActiveCount', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(24)))) - $TypeBuilder.DefineField('ContentionCount', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(28)))) - $TypeBuilder.DefineField('Reserved2', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(32)))) - $TypeBuilder.DefineField('Reserved3', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(36)))) - $TypeBuilder.DefineField('NumberOfSharedWaiters', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(40)))) - $TypeBuilder.DefineField('NumberOfExclusiveWaiters', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(44)))) + $TypeBuilder.DefineField('Address', [IntPtr], 'Public').SetOffset(0) + $TypeBuilder.DefineField('Type', [UInt16], 'Public').SetOffset(8) + $TypeBuilder.DefineField('Reserved1', [UInt16], 'Public').SetOffset(10) + $TypeBuilder.DefineField('ExclusiveOwnerThreadId', 
[UInt32], 'Public').SetOffset(16) + $TypeBuilder.DefineField('ActiveCount', [UInt32], 'Public').SetOffset(24) + $TypeBuilder.DefineField('ContentionCount', [UInt32], 'Public').SetOffset(28) + $TypeBuilder.DefineField('Reserved2', [UInt32], 'Public').SetOffset(32) + $TypeBuilder.DefineField('Reserved3', [UInt32], 'Public').SetOffset(36) + $TypeBuilder.DefineField('NumberOfSharedWaiters', [UInt32], 'Public').SetOffset(40) + $TypeBuilder.DefineField('NumberOfExclusiveWaiters', [UInt32], 'Public').SetOffset(44) } else { - $TypeBuilder.DefineField('Address', [IntPtr], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0)))) - $TypeBuilder.DefineField('Type', [UInt16], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(4)))) - $TypeBuilder.DefineField('Reserved1', [UInt16], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(6)))) - $TypeBuilder.DefineField('ExclusiveOwnerThreadId', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(8)))) - $TypeBuilder.DefineField('ActiveCount', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(12)))) - $TypeBuilder.DefineField('ContentionCount', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(16)))) - $TypeBuilder.DefineField('Reserved2', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(20)))) - $TypeBuilder.DefineField('Reserved3', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(24)))) - $TypeBuilder.DefineField('NumberOfSharedWaiters', [UInt32], 'Public').SetCustomAttribute((New-Object 
Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(28)))) - $TypeBuilder.DefineField('NumberOfExclusiveWaiters', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(32)))) + $TypeBuilder.DefineField('Address', [IntPtr], 'Public').SetOffset(0) + $TypeBuilder.DefineField('Type', [UInt16], 'Public').SetOffset(4) + $TypeBuilder.DefineField('Reserved1', [UInt16], 'Public').SetOffset(6) + $TypeBuilder.DefineField('ExclusiveOwnerThreadId', [UInt32], 'Public').SetOffset(8) + $TypeBuilder.DefineField('ActiveCount', [UInt32], 'Public').SetOffset(12) + $TypeBuilder.DefineField('ContentionCount', [UInt32], 'Public').SetOffset(16) + $TypeBuilder.DefineField('Reserved2', [UInt32], 'Public').SetOffset(20) + $TypeBuilder.DefineField('Reserved3', [UInt32], 'Public').SetOffset(24) + $TypeBuilder.DefineField('NumberOfSharedWaiters', [UInt32], 'Public').SetOffset(28) + $TypeBuilder.DefineField('NumberOfExclusiveWaiters', [UInt32], 'Public').SetOffset(32) } $LockInfoClass = $TypeBuilder.CreateType() 
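Review bot: `ExclusiveOwnerThreadId` in the 64-bit branch is declared `[UInt32]` at offset 16 while the next field starts at 24, and the 32-bit branch gives it exactly 4 bytes, which suggests the native field is pointer-sized and only its low half is read. The pool-tag hunk has the same pattern for `PagedPoolUsage` (16, next field at 24) and presumably `NonPagedPoolUsage`, where a truncated value would under-report usage above 4 GiB. If the native fields are pointer-sized, declaring them `[UIntPtr]` would read the whole value. Otherwise a short comment such as `# bytes 20-23 are padding` would stop the gaps from looking like offset mistakes.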
@@ -474,23 +472,23 @@ if ([IntPtr]::Size -eq 8) { - $TypeBuilder.DefineField('TagValue', [UInt32], 'Public, HasFieldMarshal').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0)))) - $TypeBuilder.DefineField('PagedPoolAllocs', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(4)))) - $TypeBuilder.DefineField('PagedPoolFrees', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(8)))) - $TypeBuilder.DefineField('PagedPoolUsage', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(16)))) - $TypeBuilder.DefineField('NonPagedPoolAllocs', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(24)))) - $TypeBuilder.DefineField('NonPagedPoolFrees', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(28)))) - $TypeBuilder.DefineField('NonPagedPoolUsage', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(32)))) + $TypeBuilder.DefineField('TagValue', [UInt32], 'Public, HasFieldMarshal').SetOffset(0) + $TypeBuilder.DefineField('PagedPoolAllocs', [UInt32], 'Public').SetOffset(4) + $TypeBuilder.DefineField('PagedPoolFrees', [UInt32], 'Public').SetOffset(8) + $TypeBuilder.DefineField('PagedPoolUsage', [UInt32], 'Public').SetOffset(16) + $TypeBuilder.DefineField('NonPagedPoolAllocs', [UInt32], 'Public').SetOffset(24) + $TypeBuilder.DefineField('NonPagedPoolFrees', [UInt32], 'Public').SetOffset(28) + $TypeBuilder.DefineField('NonPagedPoolUsage', [UInt32], 'Public').SetOffset(32) } else { - $TypeBuilder.DefineField('TagValue', [UInt32], 'Public, HasFieldMarshal').SetCustomAttribute((New-Object 
Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0)))) - $TypeBuilder.DefineField('PagedPoolAllocs', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(4)))) - $TypeBuilder.DefineField('PagedPoolFrees', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(8)))) - $TypeBuilder.DefineField('PagedPoolUsage', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(12)))) - $TypeBuilder.DefineField('NonPagedPoolAllocs', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(16)))) - $TypeBuilder.DefineField('NonPagedPoolFrees', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(20)))) - $TypeBuilder.DefineField('NonPagedPoolUsage', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(24)))) + $TypeBuilder.DefineField('TagValue', [UInt32], 'Public, HasFieldMarshal').SetOffset(0) + $TypeBuilder.DefineField('PagedPoolAllocs', [UInt32], 'Public').SetOffset(4) + $TypeBuilder.DefineField('PagedPoolFrees', [UInt32], 'Public').SetOffset(8) + $TypeBuilder.DefineField('PagedPoolUsage', [UInt32], 'Public').SetOffset(12) + $TypeBuilder.DefineField('NonPagedPoolAllocs', [UInt32], 'Public').SetOffset(16) + $TypeBuilder.DefineField('NonPagedPoolFrees', [UInt32], 'Public').SetOffset(20) + $TypeBuilder.DefineField('NonPagedPoolUsage', [UInt32], 'Public').SetOffset(24) } $PoolTagInfoClass = $TypeBuilder.CreateType() 
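Review bot: `TagValue` is defined with `'Public, HasFieldMarshal'` in both branches, but nothing visible attaches marshalling information to it: the returned FieldBuilder is used only for `.SetOffset(0)` and is not kept. Unless a `MarshalAs` attribute was meant to be applied here, the flag looks like a leftover and the line could read `$TypeBuilder.DefineField('TagValue', [UInt32], 'Public').SetOffset(0)`. The type definition begins above this hunk, so it is worth confirming that nothing there relies on the flag.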
@@ -501,17 +499,17 @@ $TypeBuilder = $ModuleBuilder.DefineType('_SYSTEM_OBJECTTYPE_INFORMATION', $StructAttributes, [ValueType], 1, $Size_SYSTEM_OBJECTTYPE_INFORMATION) $TypeBuilder.SetCustomAttribute($StructLayoutCustomAttribute) - $TypeBuilder.DefineField('NextEntryOffset', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x00)))) - $TypeBuilder.DefineField('NumberOfObjects', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x04)))) - $TypeBuilder.DefineField('NumberOfHandles', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x08)))) - $TypeBuilder.DefineField('TypeIndex', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x0C)))) - $TypeBuilder.DefineField('InvalidAttributes', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x10)))) - $TypeBuilder.DefineField('GenericMapping', $GenericMappingClass, 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x14)))) - $TypeBuilder.DefineField('ValidAccessMask', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x24)))) - $TypeBuilder.DefineField('PoolType', $PoolType, 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x28)))) - $TypeBuilder.DefineField('SecurityRequired', [Byte], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x2C)))) - $TypeBuilder.DefineField('WaitableObject', [Byte], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x2D)))) - $TypeBuilder.DefineField('TypeName', 
$UnicodeStringClass, 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x30)))) + $TypeBuilder.DefineField('NextEntryOffset', [UInt32], 'Public').SetOffset(0x00) + $TypeBuilder.DefineField('NumberOfObjects', [UInt32], 'Public').SetOffset(0x04) + $TypeBuilder.DefineField('NumberOfHandles', [UInt32], 'Public').SetOffset(0x08) + $TypeBuilder.DefineField('TypeIndex', [UInt32], 'Public').SetOffset(0x0C) + $TypeBuilder.DefineField('InvalidAttributes', [UInt32], 'Public').SetOffset(0x10) + $TypeBuilder.DefineField('GenericMapping', $GenericMappingClass, 'Public').SetOffset(0x14) + $TypeBuilder.DefineField('ValidAccessMask', [UInt32], 'Public').SetOffset(0x24) + $TypeBuilder.DefineField('PoolType', $PoolType, 'Public').SetOffset(0x28) + $TypeBuilder.DefineField('SecurityRequired', [Byte], 'Public').SetOffset(0x2C) + $TypeBuilder.DefineField('WaitableObject', [Byte], 'Public').SetOffset(0x2D) + $TypeBuilder.DefineField('TypeName', $UnicodeStringClass, 'Public').SetOffset(0x30) $ObjectTypeClass = $TypeBuilder.CreateType() } 
@@ -523,33 +521,33 @@ if ([IntPtr]::Size -eq 8) { - $TypeBuilder.DefineField('NextEntryOffset', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x00)))) - $TypeBuilder.DefineField('Object', [IntPtr], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x08)))) - $TypeBuilder.DefineField('CreatorUniqueProcess', [IntPtr], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x10)))) - $TypeBuilder.DefineField('CreatorBackTraceIndex', [UInt16], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x018)))) - $TypeBuilder.DefineField('Flags', [UInt16], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x1A)))) - $TypeBuilder.DefineField('PointerCount', [Int32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x1C)))) - $TypeBuilder.DefineField('HandleCount', [Int32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x20)))) - $TypeBuilder.DefineField('PagedPoolCharge', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x24)))) - $TypeBuilder.DefineField('NonPagedPoolCharge', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x28)))) - $TypeBuilder.DefineField('ExclusiveProcessId', [IntPtr], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x30)))) - $TypeBuilder.DefineField('SecurityDescriptor', [IntPtr], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x38)))) - $TypeBuilder.DefineField('NameInfo', $UnicodeStringClass, 
'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x40)))) + $TypeBuilder.DefineField('NextEntryOffset', [UInt32], 'Public').SetOffset(0x00) + $TypeBuilder.DefineField('Object', [IntPtr], 'Public').SetOffset(0x08) + $TypeBuilder.DefineField('CreatorUniqueProcess', [IntPtr], 'Public').SetOffset(0x10) + $TypeBuilder.DefineField('CreatorBackTraceIndex', [UInt16], 'Public').SetOffset(0x018) + $TypeBuilder.DefineField('Flags', [UInt16], 'Public').SetOffset(0x1A) + $TypeBuilder.DefineField('PointerCount', [Int32], 'Public').SetOffset(0x1C) + $TypeBuilder.DefineField('HandleCount', [Int32], 'Public').SetOffset(0x20) + $TypeBuilder.DefineField('PagedPoolCharge', [UInt32], 'Public').SetOffset(0x24) + $TypeBuilder.DefineField('NonPagedPoolCharge', [UInt32], 'Public').SetOffset(0x28) + $TypeBuilder.DefineField('ExclusiveProcessId', [IntPtr], 'Public').SetOffset(0x30) + $TypeBuilder.DefineField('SecurityDescriptor', [IntPtr], 'Public').SetOffset(0x38) + $TypeBuilder.DefineField('NameInfo', $UnicodeStringClass, 'Public').SetOffset(0x40) } else { - $TypeBuilder.DefineField('NextEntryOffset', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x00)))) - $TypeBuilder.DefineField('Object', [IntPtr], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x04)))) - $TypeBuilder.DefineField('CreatorUniqueProcess', [IntPtr], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x08)))) - $TypeBuilder.DefineField('CreatorBackTraceIndex', [UInt16], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x0C)))) - $TypeBuilder.DefineField('Flags', [UInt16], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x0E)))) - 
$TypeBuilder.DefineField('PointerCount', [Int32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x10)))) - $TypeBuilder.DefineField('HandleCount', [Int32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x14)))) - $TypeBuilder.DefineField('PagedPoolCharge', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x18)))) - $TypeBuilder.DefineField('NonPagedPoolCharge', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x1C)))) - $TypeBuilder.DefineField('ExclusiveProcessId', [IntPtr], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x20)))) - $TypeBuilder.DefineField('SecurityDescriptor', [IntPtr], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x24)))) - $TypeBuilder.DefineField('NameInfo', $UnicodeStringClass, 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0x28)))) + $TypeBuilder.DefineField('NextEntryOffset', [UInt32], 'Public').SetOffset(0x00) + $TypeBuilder.DefineField('Object', [IntPtr], 'Public').SetOffset(0x04) + $TypeBuilder.DefineField('CreatorUniqueProcess', [IntPtr], 'Public').SetOffset(0x08) + $TypeBuilder.DefineField('CreatorBackTraceIndex', [UInt16], 'Public').SetOffset(0x0C) + $TypeBuilder.DefineField('Flags', [UInt16], 'Public').SetOffset(0x0E) + $TypeBuilder.DefineField('PointerCount', [Int32], 'Public').SetOffset(0x10) + $TypeBuilder.DefineField('HandleCount', [Int32], 'Public').SetOffset(0x14) + $TypeBuilder.DefineField('PagedPoolCharge', [UInt32], 'Public').SetOffset(0x18) + $TypeBuilder.DefineField('NonPagedPoolCharge', [UInt32], 'Public').SetOffset(0x1C) + $TypeBuilder.DefineField('ExclusiveProcessId', [IntPtr], 
'Public').SetOffset(0x20) + $TypeBuilder.DefineField('SecurityDescriptor', [IntPtr], 'Public').SetOffset(0x24) + $TypeBuilder.DefineField('NameInfo', $UnicodeStringClass, 'Public').SetOffset(0x28) } $ObjectClass = $TypeBuilder.CreateType() |
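Review bot: `SetOffset(0x018)` for `CreatorBackTraceIndex` in the 64-bit branch is the only offset written with three hex digits; every other offset in this structure uses two. Writing it as `SetOffset(0x18)` keeps the column uniform and makes it easier to compare the 64-bit and 32-bit layouts line by line, which is the only check these hand-maintained offsets get.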