author | bitform <matt@exploit-monday.com> | 2013-01-19 18:59:40 -0500 |
---|---|---|
committer | bitform <matt@exploit-monday.com> | 2013-01-19 18:59:40 -0500 |
commit | 3c87916e19a942d3168cbe8cf37d0e380cdd865b (patch) | |
tree | 3e2d5d44dd2cedac7a1eded3bdde3ed618f53730 /ReverseEngineering/Get-PEB.format.ps1xml | |
parent | fcb17a423678dbc5b6acf663df0ebe9d7cfbba17 (diff) | |
Renamed RE_Tools. Now ReverseEngineering module
* I renamed RE_Tools to ReverseEngineering and made it a module.
* Slight consistency modifications were made to documentation.
* This is one step in the process of modularizing all of PowerSploit.
Diffstat (limited to 'ReverseEngineering/Get-PEB.format.ps1xml')
-rw-r--r-- | ReverseEngineering/Get-PEB.format.ps1xml | 1099 |
1 files changed, 1099 insertions, 0 deletions
diff --git a/ReverseEngineering/Get-PEB.format.ps1xml b/ReverseEngineering/Get-PEB.format.ps1xml
new file mode 100644
index 0000000..9c25dc1
--- /dev/null
+++ b/ReverseEngineering/Get-PEB.format.ps1xml
@@ -0,0 +1,1099 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<Configuration>
+ <DefaultSettings>
+ <EnumerableExpansions>
+ <EnumerableExpansion>
+ <Expand>Both</Expand>
+ </EnumerableExpansion>
+ </EnumerableExpansions>
+ </DefaultSettings>
+ <ViewDefinitions>
+ <View>
+ <Name>ProcessEnvironmentBlock_VistaView</Name>
+ <ViewSelectedBy>
+ <TypeName>PEB.Vista</TypeName>
+ </ViewSelectedBy>
+ <ListControl>
+ <ListEntries>
+ <ListEntry>
+ <ListItems>
+ <ListItem>
+ <PropertyName>ProcessName</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ProcessId</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>InheritedAddressSpace</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ReadImageFileExecOptions</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>BeingDebugged</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ImageUsesLargePages</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>IsProtectedProcess</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>IsLegacyProcess</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>IsImageDynamicallyRelocated</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>SkipPatchingUser32Forwarders</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>IsPackagedProcess</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>IsAppContainer</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>Mutant</Label>
+ <ScriptBlock>"0x$($_.Mutant.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ImageBaseAddress</Label>
+ <ScriptBlock>"0x$($_.ImageBaseAddress.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>Ldr</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>InLoadOrderModuleList</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>InMemoryOrderModuleList</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>InInitializationOrderModuleList</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>ProcessParameters</Label>
+ <ScriptBlock>"0x$($_.ProcessParameters.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SubSystemData</Label>
+ <ScriptBlock>"0x$($_.SubSystemData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ProcessHeap</Label>
+ <ScriptBlock>"0x$($_.ProcessHeap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>FastPebLock</Label>
+ <ScriptBlock>"0x$($_.FastPebLock.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>AtlThunkSListPtr</Label>
+ <ScriptBlock>"0x$($_.AtlThunkSListPtr.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>IFEOKey</Label>
+ <ScriptBlock>"0x$($_.IFEOKey.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ProcessInJob</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ProcessInitializing</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ProcessUsingVEH</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ProcessUsingVCH</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ProcessUsingFTH</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>KernelCallbackTable</Label>
+ <ScriptBlock>"0x$($_.KernelCallbackTable.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>SystemReserved</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>AtlThunkSListPtr32</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>ApiSetMap</Label>
+ <ScriptBlock>"0x$($_.ApiSetMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>TlsExpansionCounter</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>TlsBitmap</Label>
+ <ScriptBlock>"0x$($_.TlsBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>TlsBitmapBits</Label>
+ <ScriptBlock>($_.TlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ReadOnlySharedMemoryBase</Label>
+ <ScriptBlock>"0x$($_.ReadOnlySharedMemoryBase.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>HotpatchInformation</Label>
+ <ScriptBlock>"0x$($_.HotpatchInformation.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ReadOnlyStaticServerData</Label>
+ <ScriptBlock>"0x$($_.ReadOnlyStaticServerData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>AnsiCodePageData</Label>
+ <ScriptBlock>"0x$($_.AnsiCodePageData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>OemCodePageData</Label>
+ <ScriptBlock>"0x$($_.OemCodePageData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>UnicodeCaseTableData</Label>
+ <ScriptBlock>"0x$($_.UnicodeCaseTableData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>NumberOfProcessors</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>NtGlobalFlag</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>CriticalSectionTimeout</PropertyName>
+ <FormatString>0x{0:X16}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>HeapSegmentReserve</Label>
+ <ScriptBlock>"0x$($_.HeapSegmentReserve.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>HeapSegmentCommit</Label>
+ <ScriptBlock>"0x$($_.HeapSegmentCommit.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>HeapDeCommitTotalFreeThreshold</Label>
+ <ScriptBlock>"0x$($_.HeapDeCommitTotalFreeThreshold.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>HeapDeCommitFreeBlockThreshold</Label>
+ <ScriptBlock>"0x$($_.HeapDeCommitFreeBlockThreshold.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>NumberOfHeaps</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>MaximumNumberOfHeaps</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>ProcessHeaps</Label>
+ <ScriptBlock>"0x$($_.ProcessHeaps.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>GdiSharedHandleTable</Label>
+ <ScriptBlock>"0x$($_.GdiSharedHandleTable.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ProcessStarterHelper</Label>
+ <ScriptBlock>"0x$($_.ProcessStarterHelper.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>GdiDCAttributeList</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>LoaderLock</Label>
+ <ScriptBlock>"0x$($_.LoaderLock.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>OSMajorVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>OSMinorVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>OSBuildNumber</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>OSCSDVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>OSPlatformId</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ImageSubsystem</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ImageSubsystemMajorVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ImageSubsystemMinorVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>ActiveProcessAffinityMask</Label>
+ <ScriptBlock>"0x$($_.ActiveProcessAffinityMask.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>GdiHandleBuffer</Label>
+ <ScriptBlock>($_.GdiHandleBuffer | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>PostProcessInitRoutine</Label>
+ <ScriptBlock>"0x$($_.PostProcessInitRoutine.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>TlsExpansionBitmap</Label>
+ <ScriptBlock>"0x$($_.TlsExpansionBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>TlsExpansionBitmapBits</Label>
+ <ScriptBlock>($_.TlsExpansionBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>SessionId</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>AppCompatFlags</PropertyName>
+ <FormatString>0x{0:X16}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>AppCompatFlagsUser</PropertyName>
+ <FormatString>0x{0:X16}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>pShimData</Label>
+ <ScriptBlock>"0x$($_.pShimData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>AppCompatInfo</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>CSDVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>ActivationContextData</Label>
+ <ScriptBlock>"0x$($_.ActivationContextData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ProcessAssemblyStorageMap</Label>
+ <ScriptBlock>"0x$($_.ProcessAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SystemDefaultActivationContextData</Label>
+ <ScriptBlock>"0x$($_.SystemDefaultActivationContextData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SystemAssemblyStorageMap</Label>
+ <ScriptBlock>"0x$($_.SystemAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>MinimumStackCommit</Label>
+ <ScriptBlock>"0x$($_.MinimumStackCommit.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>FlsCallback</Label>
+ <ScriptBlock>"0x$($_.FlsCallback.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>FlsListHead</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>FlsBitmap</Label>
+ <ScriptBlock>"0x$($_.FlsBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>FlsBitmapBits</Label>
+ <ScriptBlock>($_.FlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>FlsHighIndex</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>WerRegistrationData</Label>
+ <ScriptBlock>"0x$($_.WerRegistrationData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>WerShipAssertPtr</Label>
+ <ScriptBlock>"0x$($_.WerShipAssertPtr.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>pUnused</Label>
+ <ScriptBlock>"0x$($_.pUnused.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>pImageHeaderHash</Label>
+ <ScriptBlock>"0x$($_.pImageHeaderHash.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>HeapTracingEnabled</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>CritSecTracingEnabled</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>LibLoaderTracingEnabled</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>CsrServerReadOnlySharedMemoryBase</PropertyName>
+ <FormatString>0x{0:X16}</FormatString>
+ </ListItem>
+ </ListItems>
+ </ListEntry>
+ </ListEntries>
+ </ListControl>
+ </View>
+ <View>
+ <Name>ProcessEnvironmentBlock_Server2003View</Name>
+ <ViewSelectedBy>
+ <TypeName>PEB.Server2003</TypeName>
+ </ViewSelectedBy>
+ <ListControl>
+ <ListEntries>
+ <ListEntry>
+ <ListItems>
+ <ListItem>
+ <PropertyName>ProcessName</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ProcessId</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>InheritedAddressSpace</Label>
+ <ScriptBlock>if($_.InheritedAddressSpace -eq 0){$False}else{$True}</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ReadImageFileExecOptions</Label>
+ <ScriptBlock>if($_.ReadImageFileExecOptions -eq 0){$False}else{$True}</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>BeingDebugged</Label>
+ <ScriptBlock>if($_.BeingDebugged -eq 0){$False}else{$True}</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ImageUsesLargePages</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>Mutant</Label>
+ <ScriptBlock>"0x$($_.Mutant.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ImageBaseAddress</Label>
+ <ScriptBlock>"0x$($_.ImageBaseAddress.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>Ldr</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>InLoadOrderModuleList</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>InMemoryOrderModuleList</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>InInitializationOrderModuleList</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>ProcessParameters</Label>
+ <ScriptBlock>"0x$($_.ProcessParameters.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SubSystemData</Label>
+ <ScriptBlock>"0x$($_.SubSystemData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ProcessHeap</Label>
+ <ScriptBlock>"0x$($_.ProcessHeap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>FastPebLock</Label>
+ <ScriptBlock>"0x$($_.FastPebLock.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>AtlThunkSListPtr</Label>
+ <ScriptBlock>"0x$($_.AtlThunkSListPtr.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SparePtr2</Label>
+ <ScriptBlock>"0x$($_.SparePtr2.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>EnvironmentUpdateCount</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>KernelCallbackTable</Label>
+ <ScriptBlock>"0x$($_.KernelCallbackTable.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>SystemReserved</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>AtlThunkSListPtr32</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>ApiSetMap</Label>
+ <ScriptBlock>"0x$($_.ApiSetMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>TlsExpansionCounter</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>TlsBitmap</Label>
+ <ScriptBlock>"0x$($_.TlsBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>TlsBitmapBits</Label>
+ <ScriptBlock>($_.TlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ReadOnlySharedMemoryBase</Label>
+ <ScriptBlock>"0x$($_.ReadOnlySharedMemoryBase.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ReadOnlySharedMemoryHeap</Label>
+ <ScriptBlock>"0x$($_.ReadOnlySharedMemoryHeap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ReadOnlyStaticServerData</Label>
+ <ScriptBlock>"0x$($_.ReadOnlyStaticServerData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>AnsiCodePageData</Label>
+ <ScriptBlock>"0x$($_.AnsiCodePageData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>OemCodePageData</Label>
+ <ScriptBlock>"0x$($_.OemCodePageData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>UnicodeCaseTableData</Label>
+ <ScriptBlock>"0x$($_.UnicodeCaseTableData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>NumberOfProcessors</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>NtGlobalFlag</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>CriticalSectionTimeout</PropertyName>
+ <FormatString>0x{0:X16}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>HeapSegmentReserve</Label>
+ <ScriptBlock>"0x$($_.HeapSegmentReserve.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>HeapSegmentCommit</Label>
+ <ScriptBlock>"0x$($_.HeapSegmentCommit.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>HeapDeCommitTotalFreeThreshold</Label>
+ <ScriptBlock>"0x$($_.HeapDeCommitTotalFreeThreshold.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>HeapDeCommitFreeBlockThreshold</Label>
+ <ScriptBlock>"0x$($_.HeapDeCommitFreeBlockThreshold.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>NumberOfHeaps</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>MaximumNumberOfHeaps</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>ProcessHeaps</Label>
+ <ScriptBlock>"0x$($_.ProcessHeaps.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>GdiSharedHandleTable</Label>
+ <ScriptBlock>"0x$($_.GdiSharedHandleTable.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ProcessStarterHelper</Label>
+ <ScriptBlock>"0x$($_.ProcessStarterHelper.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>GdiDCAttributeList</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>LoaderLock</Label>
+ <ScriptBlock>"0x$($_.LoaderLock.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>OSMajorVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>OSMinorVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>OSBuildNumber</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>OSCSDVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>OSPlatformId</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ImageSubsystem</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ImageSubsystemMajorVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ImageSubsystemMinorVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>ActiveProcessAffinityMask</Label>
+ <ScriptBlock>"0x$($_.ActiveProcessAffinityMask.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>GdiHandleBuffer</Label>
+ <ScriptBlock>($_.GdiHandleBuffer | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>PostProcessInitRoutine</Label>
+ <ScriptBlock>"0x$($_.PostProcessInitRoutine.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>TlsExpansionBitmap</Label>
+ <ScriptBlock>"0x$($_.TlsExpansionBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>TlsExpansionBitmapBits</Label>
+ <ScriptBlock>($_.TlsExpansionBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>SessionId</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>AppCompatFlags</PropertyName>
+ <FormatString>0x{0:X16}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>AppCompatFlagsUser</PropertyName>
+ <FormatString>0x{0:X16}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>pShimData</Label>
+ <ScriptBlock>"0x$($_.pShimData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>AppCompatInfo</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>CSDVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>ActivationContextData</Label>
+ <ScriptBlock>"0x$($_.ActivationContextData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ProcessAssemblyStorageMap</Label>
+ <ScriptBlock>"0x$($_.ProcessAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SystemDefaultActivationContextData</Label>
+ <ScriptBlock>"0x$($_.SystemDefaultActivationContextData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SystemAssemblyStorageMap</Label>
+ <ScriptBlock>"0x$($_.SystemAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>MinimumStackCommit</Label>
+ <ScriptBlock>"0x$($_.MinimumStackCommit.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>FlsCallback</Label>
+ <ScriptBlock>"0x$($_.FlsCallback.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>FlsListHead</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>FlsBitmap</Label>
+ <ScriptBlock>"0x$($_.FlsBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>FlsBitmapBits</Label>
+ <ScriptBlock>($_.FlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>FlsHighIndex</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ </ListItems>
+ </ListEntry>
+ </ListEntries>
+ </ListControl>
+ </View>
+ <View>
+ <Name>ProcessEnvironmentBlock_XPView</Name>
+ <ViewSelectedBy>
+ <TypeName>PEB.XP</TypeName>
+ </ViewSelectedBy>
+ <ListControl>
+ <ListEntries>
+ <ListEntry>
+ <ListItems>
+ <ListItem>
+ <PropertyName>ProcessName</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ProcessId</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>InheritedAddressSpace</Label>
+ <ScriptBlock>if($_.InheritedAddressSpace -eq 0){$False}else{$True}</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ReadImageFileExecOptions</Label>
+ <ScriptBlock>if($_.ReadImageFileExecOptions -eq 0){$False}else{$True}</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>BeingDebugged</Label>
+ <ScriptBlock>if($_.BeingDebugged -eq 0){$False}else{$True}</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>Mutant</Label>
+ <ScriptBlock>"0x$($_.Mutant.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ImageBaseAddress</Label>
+ <ScriptBlock>"0x$($_.ImageBaseAddress.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>Ldr</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>InLoadOrderModuleList</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>InMemoryOrderModuleList</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>InInitializationOrderModuleList</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>ProcessParameters</Label>
+ <ScriptBlock>"0x$($_.ProcessParameters.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SubSystemData</Label>
+ <ScriptBlock>"0x$($_.SubSystemData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ProcessHeap</Label>
+ <ScriptBlock>"0x$($_.ProcessHeap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>FastPebLock</Label>
+ <ScriptBlock>"0x$($_.FastPebLock.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>FastPebLockRoutine</Label>
+ <ScriptBlock>"0x$($_.FastPebLockRoutine.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>FastPebUnlockRoutine</Label>
+ <ScriptBlock>"0x$($_.FastPebUnlockRoutine.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>EnvironmentUpdateCount</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>KernelCallbackTable</Label>
+ <ScriptBlock>"0x$($_.KernelCallbackTable.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>SystemReserved</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>AtlThunkSListPtr32</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>ApiSetMap</Label>
+ <ScriptBlock>"0x$($_.ApiSetMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>TlsExpansionCounter</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>TlsBitmap</Label>
+ <ScriptBlock>"0x$($_.TlsBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>TlsBitmapBits</Label>
+ <ScriptBlock>($_.TlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ReadOnlySharedMemoryBase</Label>
+ <ScriptBlock>"0x$($_.ReadOnlySharedMemoryBase.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ReadOnlySharedMemoryHeap</Label>
+ <ScriptBlock>"0x$($_.ReadOnlySharedMemoryHeap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ReadOnlyStaticServerData</Label>
+ <ScriptBlock>"0x$($_.ReadOnlyStaticServerData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>AnsiCodePageData</Label>
+ <ScriptBlock>"0x$($_.AnsiCodePageData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>OemCodePageData</Label>
+ <ScriptBlock>"0x$($_.OemCodePageData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>UnicodeCaseTableData</Label>
+ <ScriptBlock>"0x$($_.UnicodeCaseTableData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>NumberOfProcessors</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>NtGlobalFlag</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>CriticalSectionTimeout</PropertyName>
+ <FormatString>0x{0:X16}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>HeapSegmentReserve</Label>
+ <ScriptBlock>"0x$($_.HeapSegmentReserve.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>HeapSegmentCommit</Label>
+ <ScriptBlock>"0x$($_.HeapSegmentCommit.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>HeapDeCommitTotalFreeThreshold</Label>
+ <ScriptBlock>"0x$($_.HeapDeCommitTotalFreeThreshold.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>HeapDeCommitFreeBlockThreshold</Label>
+ <ScriptBlock>"0x$($_.HeapDeCommitFreeBlockThreshold.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>NumberOfHeaps</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>MaximumNumberOfHeaps</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>ProcessHeaps</Label>
+ <ScriptBlock>"0x$($_.ProcessHeaps.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>GdiSharedHandleTable</Label>
+ <ScriptBlock>"0x$($_.GdiSharedHandleTable.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ProcessStarterHelper</Label>
+ <ScriptBlock>"0x$($_.ProcessStarterHelper.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>GdiDCAttributeList</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>LoaderLock</Label>
+ <ScriptBlock>"0x$($_.LoaderLock.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>OSMajorVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>OSMinorVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>OSBuildNumber</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>OSCSDVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>OSPlatformId</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ImageSubsystem</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ImageSubsystemMajorVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ImageSubsystemMinorVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>ActiveProcessAffinityMask</Label>
+ <ScriptBlock>"0x$($_.ActiveProcessAffinityMask.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>GdiHandleBuffer</Label>
+ <ScriptBlock>($_.GdiHandleBuffer | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>PostProcessInitRoutine</Label>
+ <ScriptBlock>"0x$($_.PostProcessInitRoutine.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>TlsExpansionBitmap</Label>
+ <ScriptBlock>"0x$($_.TlsExpansionBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>TlsExpansionBitmapBits</Label>
+ <ScriptBlock>($_.TlsExpansionBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>SessionId</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>AppCompatFlags</PropertyName>
+ <FormatString>0x{0:X16}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>AppCompatFlagsUser</PropertyName>
+ <FormatString>0x{0:X16}</FormatString>
+ </ListItem>
+ <ListItem>
+ <Label>pShimData</Label>
+ <ScriptBlock>"0x$($_.pShimData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>AppCompatInfo</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>CSDVersion</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>ActivationContextData</Label>
+ <ScriptBlock>"0x$($_.ActivationContextData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ProcessAssemblyStorageMap</Label>
+ <ScriptBlock>"0x$($_.ProcessAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SystemDefaultActivationContextData</Label>
+ <ScriptBlock>"0x$($_.SystemDefaultActivationContextData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SystemAssemblyStorageMap</Label>
+ <ScriptBlock>"0x$($_.SystemAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>MinimumStackCommit</Label>
+ <ScriptBlock>"0x$($_.MinimumStackCommit.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ </ListItems>
+ </ListEntry>
+ </ListEntries>
+ </ListControl>
+ </View>
+ <View>
+ <Name>ProcessEnvironmentBlock_ModuleEntryView</Name>
+ <ViewSelectedBy>
+ <TypeName>PEB.ModuleEntry</TypeName>
+ </ViewSelectedBy>
+ <ListControl>
+ <ListEntries>
+ <ListEntry>
+ <ListItems>
+ <ListItem>
+ <PropertyName>InLoadOrderModuleList</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>InMemoryOrderModuleList</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>InInitializationOrderModuleList</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>BaseAddress</Label>
+ <ScriptBlock>"0x$($_.BaseAddress.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>EntryPoint</Label>
+ <ScriptBlock>"0x$($_.EntryPoint.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>SizeOfImage</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>FullDllName</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>BaseDllName</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>PackagedBinary</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ImageDll</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>LoadNotificationsSent</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>TelemetryEntryProcessed</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ProcessStaticImport</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>InLegacyLists</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>InIndexes</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ShimDll</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>InExceptionTable</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>LoadInProgress</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>EntryProcessed</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>DontCallForThreads</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ProcessAttachCalled</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ProcessAttachFailed</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>CorDeferredValidate</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>CorImage</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>DontRelocate</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>CorILOnly</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>Redirected</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>CompatDatabaseProcessed</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>ObsoleteLoadCount</PropertyName>
+ <FormatString>0x{0:X4}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>TlsIndex</PropertyName>
+ <FormatString>0x{0:X4}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>HashLinks</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>TimeDateStamp</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>EntryPointActivationContext</Label>
+ <ScriptBlock>"0x$($_.EntryPointActivationContext.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>PatchInformation</Label>
+ <ScriptBlock>"0x$($_.PatchInformation.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>DdagNode</Label>
+ <ScriptBlock>"0x$($_.DdagNode.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>NodeModuleLink</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>SnapContext</Label>
+ <ScriptBlock>"0x$($_.SnapContext.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>ParentDllBase</Label>
+ <ScriptBlock>"0x$($_.ParentDllBase.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <Label>SwitchBackContext</Label>
+ <ScriptBlock>"0x$($_.SwitchBackContext.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>BaseAddressIndexNode</PropertyName>
+ </ListItem>
+ <ListItem>
+ <PropertyName>MappingInfoIndexNode</PropertyName>
+ </ListItem>
+ <ListItem>
+ <Label>OriginalBase</Label>
+ <ScriptBlock>"0x$($_.OriginalBase.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </ListItem>
+ <ListItem>
+ <PropertyName>LoadTime</PropertyName>
+ <FormatString>0x{0:X16}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>BaseNameHashValue</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </ListItem>
+ <ListItem>
+ <PropertyName>LoadReason</PropertyName>
+ </ListItem>
+ </ListItems>
+ </ListEntry>
+ </ListEntries>
+ </ListControl>
+ </View>
+ </ViewDefinitions>
+</Configuration>
\ No newline at end of file |