ReverseEngineering/Get-PEB.format.ps1xml
<?xml version="1.0" encoding="utf-8" ?>
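<!--
  PowerShell formatting data (format.ps1xml). Judging by the file name it describes how
  the objects produced by Get-PEB are displayed; confirm against the script that emits them.
  Each View is bound by TypeName to one custom type (PEB.Vista, PEB.Server2003, PEB.XP,
  PEB.ModuleEntry, PEB.ProcessParameters) and renders that type as a list.

  Rendering conventions used throughout:
    * PropertyName alone                  : the property is shown with its default formatting.
    * PropertyName + FormatString         : fixed-width hex (0x{0:X4}, 0x{0:X8} or 0x{0:X16}).
    * Label + ScriptBlock, ToString("X$([IntPtr]::Size * 2)")
                                          : hex padded to twice the pointer size of the PowerShell
                                            process doing the formatting (8 digits in a 32-bit host,
                                            16 in a 64-bit host). The width follows the host, not
                                            the bitness of the process the values were read from.
    * Label + ScriptBlock with -join ','  : every element of an array member as 0x + X8 hex,
                                            comma separated.

  Review notes:
    * Every ScriptBlock element is PowerShell code that the formatting engine runs in the
      session each time a matching object is displayed. Treat this file as code: review
      changes to it, protect it from tampering, and sign it where execution policy requires
      signed scripts (.ps1xml files fall under execution policy).
    * The PEB, the loader module lists and RTL_USER_PROCESS_PARAMETERS live in the user-mode
      memory of the inspected process and are writable by that process. Fields such as
      ImagePathName, CommandLine, BeingDebugged and the module lists are therefore
      self-reported; corroborate them with kernel-sourced or logged telemetry before relying
      on them in triage.
-->
<Configuration>
  <DefaultSettings>
    <EnumerableExpansions>
      <EnumerableExpansion>
        <!-- Both: show a collection object's own properties as well as its enumerated items. -->
        <Expand>Both</Expand>
      </EnumerableExpansion>
    </EnumerableExpansions>
  </DefaultSettings>
  <ViewDefinitions>
    <!-- List view for PEB.Vista. The flag members (BeingDebugged, IsProtectedProcess, ...) are shown as-is. -->
    <View>
      <Name>ProcessEnvironmentBlock_VistaView</Name>
      <ViewSelectedBy>
        <TypeName>PEB.Vista</TypeName>
      </ViewSelectedBy>
      <ListControl>
        <ListEntries>
          <ListEntry>
            <ListItems>
              <ListItem> <PropertyName>ProcessName</PropertyName> </ListItem>
              <ListItem> <PropertyName>ProcessId</PropertyName> </ListItem>
              <ListItem> <PropertyName>InheritedAddressSpace</PropertyName> </ListItem>
              <ListItem> <PropertyName>ReadImageFileExecOptions</PropertyName> </ListItem>
              <ListItem> <PropertyName>BeingDebugged</PropertyName> </ListItem>
              <ListItem> <PropertyName>ImageUsesLargePages</PropertyName> </ListItem>
              <ListItem> <PropertyName>IsProtectedProcess</PropertyName> </ListItem>
              <ListItem> <PropertyName>IsLegacyProcess</PropertyName> </ListItem>
              <ListItem> <PropertyName>IsImageDynamicallyRelocated</PropertyName> </ListItem>
              <ListItem> <PropertyName>SkipPatchingUser32Forwarders</PropertyName> </ListItem>
              <ListItem> <PropertyName>IsPackagedProcess</PropertyName> </ListItem>
              <ListItem> <PropertyName>IsAppContainer</PropertyName> </ListItem>
              <ListItem> <Label>Mutant</Label> <ScriptBlock>"0x$($_.Mutant.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>ImageBaseAddress</Label> <ScriptBlock>"0x$($_.ImageBaseAddress.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>Ldr</PropertyName> </ListItem>
              <ListItem> <PropertyName>InLoadOrderModuleList</PropertyName> </ListItem>
              <ListItem> <PropertyName>InMemoryOrderModuleList</PropertyName> </ListItem>
              <ListItem> <PropertyName>InInitializationOrderModuleList</PropertyName> </ListItem>
              <ListItem> <PropertyName>ProcessParameters</PropertyName> </ListItem>
              <ListItem> <Label>SubSystemData</Label> <ScriptBlock>"0x$($_.SubSystemData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>ProcessHeap</Label> <ScriptBlock>"0x$($_.ProcessHeap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>FastPebLock</Label> <ScriptBlock>"0x$($_.FastPebLock.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>AtlThunkSListPtr</Label> <ScriptBlock>"0x$($_.AtlThunkSListPtr.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>IFEOKey</Label> <ScriptBlock>"0x$($_.IFEOKey.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>ProcessInJob</PropertyName> </ListItem>
              <ListItem> <PropertyName>ProcessInitializing</PropertyName> </ListItem>
              <ListItem> <PropertyName>ProcessUsingVEH</PropertyName> </ListItem>
              <ListItem> <PropertyName>ProcessUsingVCH</PropertyName> </ListItem>
              <ListItem> <PropertyName>ProcessUsingFTH</PropertyName> </ListItem>
              <ListItem> <Label>KernelCallbackTable</Label> <ScriptBlock>"0x$($_.KernelCallbackTable.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>SystemReserved</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <PropertyName>AtlThunkSListPtr32</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <Label>ApiSetMap</Label> <ScriptBlock>"0x$($_.ApiSetMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>TlsExpansionCounter</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <Label>TlsBitmap</Label> <ScriptBlock>"0x$($_.TlsBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>TlsBitmapBits</Label> <ScriptBlock>($_.TlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock> </ListItem>
              <ListItem> <Label>ReadOnlySharedMemoryBase</Label> <ScriptBlock>"0x$($_.ReadOnlySharedMemoryBase.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>HotpatchInformation</Label> <ScriptBlock>"0x$($_.HotpatchInformation.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>ReadOnlyStaticServerData</Label> <ScriptBlock>"0x$($_.ReadOnlyStaticServerData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>AnsiCodePageData</Label> <ScriptBlock>"0x$($_.AnsiCodePageData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>OemCodePageData</Label> <ScriptBlock>"0x$($_.OemCodePageData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>UnicodeCaseTableData</Label> <ScriptBlock>"0x$($_.UnicodeCaseTableData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>NumberOfProcessors</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <PropertyName>NtGlobalFlag</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <PropertyName>CriticalSectionTimeout</PropertyName> <FormatString>0x{0:X16}</FormatString> </ListItem>
              <ListItem> <Label>HeapSegmentReserve</Label> <ScriptBlock>"0x$($_.HeapSegmentReserve.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>HeapSegmentCommit</Label> <ScriptBlock>"0x$($_.HeapSegmentCommit.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>HeapDeCommitTotalFreeThreshold</Label> <ScriptBlock>"0x$($_.HeapDeCommitTotalFreeThreshold.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>HeapDeCommitFreeBlockThreshold</Label> <ScriptBlock>"0x$($_.HeapDeCommitFreeBlockThreshold.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>NumberOfHeaps</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <PropertyName>MaximumNumberOfHeaps</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <Label>ProcessHeaps</Label> <ScriptBlock>"0x$($_.ProcessHeaps.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>GdiSharedHandleTable</Label> <ScriptBlock>"0x$($_.GdiSharedHandleTable.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>ProcessStarterHelper</Label> <ScriptBlock>"0x$($_.ProcessStarterHelper.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>GdiDCAttributeList</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <Label>LoaderLock</Label> <ScriptBlock>"0x$($_.LoaderLock.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>OSMajorVersion</PropertyName> </ListItem>
              <ListItem> <PropertyName>OSMinorVersion</PropertyName> </ListItem>
              <ListItem> <PropertyName>OSBuildNumber</PropertyName> </ListItem>
              <ListItem> <PropertyName>OSCSDVersion</PropertyName> </ListItem>
              <ListItem> <PropertyName>OSPlatformId</PropertyName> </ListItem>
              <ListItem> <PropertyName>ImageSubsystem</PropertyName> </ListItem>
              <ListItem> <PropertyName>ImageSubsystemMajorVersion</PropertyName> </ListItem>
              <ListItem> <PropertyName>ImageSubsystemMinorVersion</PropertyName> </ListItem>
              <ListItem> <Label>ActiveProcessAffinityMask</Label> <ScriptBlock>"0x$($_.ActiveProcessAffinityMask.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>GdiHandleBuffer</Label> <ScriptBlock>($_.GdiHandleBuffer | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock> </ListItem>
              <ListItem> <Label>PostProcessInitRoutine</Label> <ScriptBlock>"0x$($_.PostProcessInitRoutine.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>TlsExpansionBitmap</Label> <ScriptBlock>"0x$($_.TlsExpansionBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>TlsExpansionBitmapBits</Label> <ScriptBlock>($_.TlsExpansionBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>SessionId</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <PropertyName>AppCompatFlags</PropertyName> <FormatString>0x{0:X16}</FormatString> </ListItem>
              <ListItem> <PropertyName>AppCompatFlagsUser</PropertyName> <FormatString>0x{0:X16}</FormatString> </ListItem>
              <ListItem> <Label>pShimData</Label> <ScriptBlock>"0x$($_.pShimData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>AppCompatInfo</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <PropertyName>CSDVersion</PropertyName> </ListItem>
              <ListItem> <Label>ActivationContextData</Label> <ScriptBlock>"0x$($_.ActivationContextData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>ProcessAssemblyStorageMap</Label> <ScriptBlock>"0x$($_.ProcessAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>SystemDefaultActivationContextData</Label> <ScriptBlock>"0x$($_.SystemDefaultActivationContextData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>SystemAssemblyStorageMap</Label> <ScriptBlock>"0x$($_.SystemAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>MinimumStackCommit</Label> <ScriptBlock>"0x$($_.MinimumStackCommit.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>FlsCallback</Label> <ScriptBlock>"0x$($_.FlsCallback.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>FlsListHead</PropertyName> </ListItem>
              <ListItem> <Label>FlsBitmap</Label> <ScriptBlock>"0x$($_.FlsBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>FlsBitmapBits</Label> <ScriptBlock>($_.FlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>FlsHighIndex</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <Label>WerRegistrationData</Label> <ScriptBlock>"0x$($_.WerRegistrationData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>WerShipAssertPtr</Label> <ScriptBlock>"0x$($_.WerShipAssertPtr.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>pUnused</Label> <ScriptBlock>"0x$($_.pUnused.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>pImageHeaderHash</Label> <ScriptBlock>"0x$($_.pImageHeaderHash.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>HeapTracingEnabled</PropertyName> </ListItem>
              <ListItem> <PropertyName>CritSecTracingEnabled</PropertyName> </ListItem>
              <ListItem> <PropertyName>LibLoaderTracingEnabled</PropertyName> </ListItem>
              <ListItem> <PropertyName>CsrServerReadOnlySharedMemoryBase</PropertyName> <FormatString>0x{0:X16}</FormatString> </ListItem>
            </ListItems>
          </ListEntry>
        </ListEntries>
      </ListControl>
    </View>
    <!-- List view for PEB.Server2003. InheritedAddressSpace, ReadImageFileExecOptions and
         BeingDebugged are converted by script: 0 is shown as False, anything else as True. -->
    <View>
      <Name>ProcessEnvironmentBlock_Server2003View</Name>
      <ViewSelectedBy>
        <TypeName>PEB.Server2003</TypeName>
      </ViewSelectedBy>
      <ListControl>
        <ListEntries>
          <ListEntry>
            <ListItems>
              <ListItem> <PropertyName>ProcessName</PropertyName> </ListItem>
              <ListItem> <PropertyName>ProcessId</PropertyName> </ListItem>
              <ListItem> <Label>InheritedAddressSpace</Label> <ScriptBlock>if($_.InheritedAddressSpace -eq 0){$False}else{$True}</ScriptBlock> </ListItem>
              <ListItem> <Label>ReadImageFileExecOptions</Label> <ScriptBlock>if($_.ReadImageFileExecOptions -eq 0){$False}else{$True}</ScriptBlock> </ListItem>
              <ListItem> <Label>BeingDebugged</Label> <ScriptBlock>if($_.BeingDebugged -eq 0){$False}else{$True}</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>ImageUsesLargePages</PropertyName> </ListItem>
              <ListItem> <Label>Mutant</Label> <ScriptBlock>"0x$($_.Mutant.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>ImageBaseAddress</Label> <ScriptBlock>"0x$($_.ImageBaseAddress.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>Ldr</PropertyName> </ListItem>
              <ListItem> <PropertyName>InLoadOrderModuleList</PropertyName> </ListItem>
              <ListItem> <PropertyName>InMemoryOrderModuleList</PropertyName> </ListItem>
              <ListItem> <PropertyName>InInitializationOrderModuleList</PropertyName> </ListItem>
              <ListItem> <PropertyName>ProcessParameters</PropertyName> </ListItem>
              <ListItem> <Label>SubSystemData</Label> <ScriptBlock>"0x$($_.SubSystemData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>ProcessHeap</Label> <ScriptBlock>"0x$($_.ProcessHeap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>FastPebLock</Label> <ScriptBlock>"0x$($_.FastPebLock.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>AtlThunkSListPtr</Label> <ScriptBlock>"0x$($_.AtlThunkSListPtr.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>SparePtr2</Label> <ScriptBlock>"0x$($_.SparePtr2.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>EnvironmentUpdateCount</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <Label>KernelCallbackTable</Label> <ScriptBlock>"0x$($_.KernelCallbackTable.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>SystemReserved</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <PropertyName>AtlThunkSListPtr32</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <Label>ApiSetMap</Label> <ScriptBlock>"0x$($_.ApiSetMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>TlsExpansionCounter</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <Label>TlsBitmap</Label> <ScriptBlock>"0x$($_.TlsBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>TlsBitmapBits</Label> <ScriptBlock>($_.TlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock> </ListItem>
              <ListItem> <Label>ReadOnlySharedMemoryBase</Label> <ScriptBlock>"0x$($_.ReadOnlySharedMemoryBase.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>ReadOnlySharedMemoryHeap</Label> <ScriptBlock>"0x$($_.ReadOnlySharedMemoryHeap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>ReadOnlyStaticServerData</Label> <ScriptBlock>"0x$($_.ReadOnlyStaticServerData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>AnsiCodePageData</Label> <ScriptBlock>"0x$($_.AnsiCodePageData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>OemCodePageData</Label> <ScriptBlock>"0x$($_.OemCodePageData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>UnicodeCaseTableData</Label> <ScriptBlock>"0x$($_.UnicodeCaseTableData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>NumberOfProcessors</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <PropertyName>NtGlobalFlag</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <PropertyName>CriticalSectionTimeout</PropertyName> <FormatString>0x{0:X16}</FormatString> </ListItem>
              <ListItem> <Label>HeapSegmentReserve</Label> <ScriptBlock>"0x$($_.HeapSegmentReserve.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>HeapSegmentCommit</Label> <ScriptBlock>"0x$($_.HeapSegmentCommit.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>HeapDeCommitTotalFreeThreshold</Label> <ScriptBlock>"0x$($_.HeapDeCommitTotalFreeThreshold.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>HeapDeCommitFreeBlockThreshold</Label> <ScriptBlock>"0x$($_.HeapDeCommitFreeBlockThreshold.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>NumberOfHeaps</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <PropertyName>MaximumNumberOfHeaps</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <Label>ProcessHeaps</Label> <ScriptBlock>"0x$($_.ProcessHeaps.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>GdiSharedHandleTable</Label> <ScriptBlock>"0x$($_.GdiSharedHandleTable.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>ProcessStarterHelper</Label> <ScriptBlock>"0x$($_.ProcessStarterHelper.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>GdiDCAttributeList</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <Label>LoaderLock</Label> <ScriptBlock>"0x$($_.LoaderLock.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>OSMajorVersion</PropertyName> </ListItem>
              <ListItem> <PropertyName>OSMinorVersion</PropertyName> </ListItem>
              <ListItem> <PropertyName>OSBuildNumber</PropertyName> </ListItem>
              <ListItem> <PropertyName>OSCSDVersion</PropertyName> </ListItem>
              <ListItem> <PropertyName>OSPlatformId</PropertyName> </ListItem>
              <ListItem> <PropertyName>ImageSubsystem</PropertyName> </ListItem>
              <ListItem> <PropertyName>ImageSubsystemMajorVersion</PropertyName> </ListItem>
              <ListItem> <PropertyName>ImageSubsystemMinorVersion</PropertyName> </ListItem>
              <ListItem> <Label>ActiveProcessAffinityMask</Label> <ScriptBlock>"0x$($_.ActiveProcessAffinityMask.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>GdiHandleBuffer</Label> <ScriptBlock>($_.GdiHandleBuffer | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock> </ListItem>
              <ListItem> <Label>PostProcessInitRoutine</Label> <ScriptBlock>"0x$($_.PostProcessInitRoutine.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>TlsExpansionBitmap</Label> <ScriptBlock>"0x$($_.TlsExpansionBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>TlsExpansionBitmapBits</Label> <ScriptBlock>($_.TlsExpansionBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>SessionId</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <PropertyName>AppCompatFlags</PropertyName> <FormatString>0x{0:X16}</FormatString> </ListItem>
              <ListItem> <PropertyName>AppCompatFlagsUser</PropertyName> <FormatString>0x{0:X16}</FormatString> </ListItem>
              <ListItem> <Label>pShimData</Label> <ScriptBlock>"0x$($_.pShimData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>AppCompatInfo</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <PropertyName>CSDVersion</PropertyName> </ListItem>
              <ListItem> <Label>ActivationContextData</Label> <ScriptBlock>"0x$($_.ActivationContextData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>ProcessAssemblyStorageMap</Label> <ScriptBlock>"0x$($_.ProcessAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>SystemDefaultActivationContextData</Label> <ScriptBlock>"0x$($_.SystemDefaultActivationContextData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>SystemAssemblyStorageMap</Label> <ScriptBlock>"0x$($_.SystemAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>MinimumStackCommit</Label> <ScriptBlock>"0x$($_.MinimumStackCommit.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>FlsCallback</Label> <ScriptBlock>"0x$($_.FlsCallback.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>FlsListHead</PropertyName> </ListItem>
              <ListItem> <Label>FlsBitmap</Label> <ScriptBlock>"0x$($_.FlsBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>FlsBitmapBits</Label> <ScriptBlock>($_.FlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>FlsHighIndex</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
            </ListItems>
          </ListEntry>
        </ListEntries>
      </ListControl>
    </View>
    <!-- List view for PEB.XP. Same 0/non-zero to False/True conversion as the Server2003 view
         for InheritedAddressSpace, ReadImageFileExecOptions and BeingDebugged. -->
    <View>
      <Name>ProcessEnvironmentBlock_XPView</Name>
      <ViewSelectedBy>
        <TypeName>PEB.XP</TypeName>
      </ViewSelectedBy>
      <ListControl>
        <ListEntries>
          <ListEntry>
            <ListItems>
              <ListItem> <PropertyName>ProcessName</PropertyName> </ListItem>
              <ListItem> <PropertyName>ProcessId</PropertyName> </ListItem>
              <ListItem> <Label>InheritedAddressSpace</Label> <ScriptBlock>if($_.InheritedAddressSpace -eq 0){$False}else{$True}</ScriptBlock> </ListItem>
              <ListItem> <Label>ReadImageFileExecOptions</Label> <ScriptBlock>if($_.ReadImageFileExecOptions -eq 0){$False}else{$True}</ScriptBlock> </ListItem>
              <ListItem> <Label>BeingDebugged</Label> <ScriptBlock>if($_.BeingDebugged -eq 0){$False}else{$True}</ScriptBlock> </ListItem>
              <ListItem> <Label>Mutant</Label> <ScriptBlock>"0x$($_.Mutant.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>ImageBaseAddress</Label> <ScriptBlock>"0x$($_.ImageBaseAddress.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>Ldr</PropertyName> </ListItem>
              <ListItem> <PropertyName>InLoadOrderModuleList</PropertyName> </ListItem>
              <ListItem> <PropertyName>InMemoryOrderModuleList</PropertyName> </ListItem>
              <ListItem> <PropertyName>InInitializationOrderModuleList</PropertyName> </ListItem>
              <ListItem> <PropertyName>ProcessParameters</PropertyName> </ListItem>
              <ListItem> <Label>SubSystemData</Label> <ScriptBlock>"0x$($_.SubSystemData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>ProcessHeap</Label> <ScriptBlock>"0x$($_.ProcessHeap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>FastPebLock</Label> <ScriptBlock>"0x$($_.FastPebLock.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>FastPebLockRoutine</Label> <ScriptBlock>"0x$($_.FastPebLockRoutine.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>FastPebUnlockRoutine</Label> <ScriptBlock>"0x$($_.FastPebUnlockRoutine.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>EnvironmentUpdateCount</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <Label>KernelCallbackTable</Label> <ScriptBlock>"0x$($_.KernelCallbackTable.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>SystemReserved</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <PropertyName>AtlThunkSListPtr32</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <Label>ApiSetMap</Label> <ScriptBlock>"0x$($_.ApiSetMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>TlsExpansionCounter</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <Label>TlsBitmap</Label> <ScriptBlock>"0x$($_.TlsBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>TlsBitmapBits</Label> <ScriptBlock>($_.TlsBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock> </ListItem>
              <ListItem> <Label>ReadOnlySharedMemoryBase</Label> <ScriptBlock>"0x$($_.ReadOnlySharedMemoryBase.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>ReadOnlySharedMemoryHeap</Label> <ScriptBlock>"0x$($_.ReadOnlySharedMemoryHeap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>ReadOnlyStaticServerData</Label> <ScriptBlock>"0x$($_.ReadOnlyStaticServerData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>AnsiCodePageData</Label> <ScriptBlock>"0x$($_.AnsiCodePageData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>OemCodePageData</Label> <ScriptBlock>"0x$($_.OemCodePageData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>UnicodeCaseTableData</Label> <ScriptBlock>"0x$($_.UnicodeCaseTableData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>NumberOfProcessors</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <PropertyName>NtGlobalFlag</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <PropertyName>CriticalSectionTimeout</PropertyName> <FormatString>0x{0:X16}</FormatString> </ListItem>
              <ListItem> <Label>HeapSegmentReserve</Label> <ScriptBlock>"0x$($_.HeapSegmentReserve.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>HeapSegmentCommit</Label> <ScriptBlock>"0x$($_.HeapSegmentCommit.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>HeapDeCommitTotalFreeThreshold</Label> <ScriptBlock>"0x$($_.HeapDeCommitTotalFreeThreshold.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>HeapDeCommitFreeBlockThreshold</Label> <ScriptBlock>"0x$($_.HeapDeCommitFreeBlockThreshold.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>NumberOfHeaps</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <PropertyName>MaximumNumberOfHeaps</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <Label>ProcessHeaps</Label> <ScriptBlock>"0x$($_.ProcessHeaps.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>GdiSharedHandleTable</Label> <ScriptBlock>"0x$($_.GdiSharedHandleTable.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>ProcessStarterHelper</Label> <ScriptBlock>"0x$($_.ProcessStarterHelper.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>GdiDCAttributeList</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <Label>LoaderLock</Label> <ScriptBlock>"0x$($_.LoaderLock.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>OSMajorVersion</PropertyName> </ListItem>
              <ListItem> <PropertyName>OSMinorVersion</PropertyName> </ListItem>
              <ListItem> <PropertyName>OSBuildNumber</PropertyName> </ListItem>
              <ListItem> <PropertyName>OSCSDVersion</PropertyName> </ListItem>
              <ListItem> <PropertyName>OSPlatformId</PropertyName> </ListItem>
              <ListItem> <PropertyName>ImageSubsystem</PropertyName> </ListItem>
              <ListItem> <PropertyName>ImageSubsystemMajorVersion</PropertyName> </ListItem>
              <ListItem> <PropertyName>ImageSubsystemMinorVersion</PropertyName> </ListItem>
              <ListItem> <Label>ActiveProcessAffinityMask</Label> <ScriptBlock>"0x$($_.ActiveProcessAffinityMask.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>GdiHandleBuffer</Label> <ScriptBlock>($_.GdiHandleBuffer | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock> </ListItem>
              <ListItem> <Label>PostProcessInitRoutine</Label> <ScriptBlock>"0x$($_.PostProcessInitRoutine.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>TlsExpansionBitmap</Label> <ScriptBlock>"0x$($_.TlsExpansionBitmap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>TlsExpansionBitmapBits</Label> <ScriptBlock>($_.TlsExpansionBitmapBits | % { "0x$($_.ToString('X8'))" }) -join ','</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>SessionId</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <PropertyName>AppCompatFlags</PropertyName> <FormatString>0x{0:X16}</FormatString> </ListItem>
              <ListItem> <PropertyName>AppCompatFlagsUser</PropertyName> <FormatString>0x{0:X16}</FormatString> </ListItem>
              <ListItem> <Label>pShimData</Label> <ScriptBlock>"0x$($_.pShimData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>AppCompatInfo</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <PropertyName>CSDVersion</PropertyName> </ListItem>
              <ListItem> <Label>ActivationContextData</Label> <ScriptBlock>"0x$($_.ActivationContextData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>ProcessAssemblyStorageMap</Label> <ScriptBlock>"0x$($_.ProcessAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>SystemDefaultActivationContextData</Label> <ScriptBlock>"0x$($_.SystemDefaultActivationContextData.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>SystemAssemblyStorageMap</Label> <ScriptBlock>"0x$($_.SystemAssemblyStorageMap.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>MinimumStackCommit</Label> <ScriptBlock>"0x$($_.MinimumStackCommit.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
            </ListItems>
          </ListEntry>
        </ListEntries>
      </ListControl>
    </View>
    <!-- List view for PEB.ModuleEntry: one loaded-module record with its list links, addresses,
         names and loader flags. -->
    <View>
      <Name>ProcessEnvironmentBlock_ModuleEntryView</Name>
      <ViewSelectedBy>
        <TypeName>PEB.ModuleEntry</TypeName>
      </ViewSelectedBy>
      <ListControl>
        <ListEntries>
          <ListEntry>
            <ListItems>
              <ListItem> <PropertyName>InLoadOrderModuleList</PropertyName> </ListItem>
              <ListItem> <PropertyName>InMemoryOrderModuleList</PropertyName> </ListItem>
              <ListItem> <PropertyName>InInitializationOrderModuleList</PropertyName> </ListItem>
              <ListItem> <Label>BaseAddress</Label> <ScriptBlock>"0x$($_.BaseAddress.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>EntryPoint</Label> <ScriptBlock>"0x$($_.EntryPoint.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>SizeOfImage</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <PropertyName>FullDllName</PropertyName> </ListItem>
              <ListItem> <PropertyName>BaseDllName</PropertyName> </ListItem>
              <ListItem> <PropertyName>PackagedBinary</PropertyName> </ListItem>
              <ListItem> <PropertyName>ImageDll</PropertyName> </ListItem>
              <ListItem> <PropertyName>LoadNotificationsSent</PropertyName> </ListItem>
              <ListItem> <PropertyName>TelemetryEntryProcessed</PropertyName> </ListItem>
              <ListItem> <PropertyName>ProcessStaticImport</PropertyName> </ListItem>
              <ListItem> <PropertyName>InLegacyLists</PropertyName> </ListItem>
              <ListItem> <PropertyName>InIndexes</PropertyName> </ListItem>
              <ListItem> <PropertyName>ShimDll</PropertyName> </ListItem>
              <ListItem> <PropertyName>InExceptionTable</PropertyName> </ListItem>
              <ListItem> <PropertyName>LoadInProgress</PropertyName> </ListItem>
              <ListItem> <PropertyName>EntryProcessed</PropertyName> </ListItem>
              <ListItem> <PropertyName>DontCallForThreads</PropertyName> </ListItem>
              <ListItem> <PropertyName>ProcessAttachCalled</PropertyName> </ListItem>
              <ListItem> <PropertyName>ProcessAttachFailed</PropertyName> </ListItem>
              <ListItem> <PropertyName>CorDeferredValidate</PropertyName> </ListItem>
              <ListItem> <PropertyName>CorImage</PropertyName> </ListItem>
              <ListItem> <PropertyName>DontRelocate</PropertyName> </ListItem>
              <ListItem> <PropertyName>CorILOnly</PropertyName> </ListItem>
              <ListItem> <PropertyName>Redirected</PropertyName> </ListItem>
              <ListItem> <PropertyName>CompatDatabaseProcessed</PropertyName> </ListItem>
              <ListItem> <PropertyName>ObsoleteLoadCount</PropertyName> <FormatString>0x{0:X4}</FormatString> </ListItem>
              <ListItem> <PropertyName>TlsIndex</PropertyName> <FormatString>0x{0:X4}</FormatString> </ListItem>
              <ListItem> <PropertyName>HashLinks</PropertyName> </ListItem>
              <ListItem> <PropertyName>TimeDateStamp</PropertyName> </ListItem>
              <ListItem> <Label>EntryPointActivationContext</Label> <ScriptBlock>"0x$($_.EntryPointActivationContext.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>PatchInformation</Label> <ScriptBlock>"0x$($_.PatchInformation.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>DdagNode</Label> <ScriptBlock>"0x$($_.DdagNode.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>NodeModuleLink</PropertyName> </ListItem>
              <ListItem> <Label>SnapContext</Label> <ScriptBlock>"0x$($_.SnapContext.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>ParentDllBase</Label> <ScriptBlock>"0x$($_.ParentDllBase.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>SwitchBackContext</Label> <ScriptBlock>"0x$($_.SwitchBackContext.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>BaseAddressIndexNode</PropertyName> </ListItem>
              <ListItem> <PropertyName>MappingInfoIndexNode</PropertyName> </ListItem>
              <ListItem> <Label>OriginalBase</Label> <ScriptBlock>"0x$($_.OriginalBase.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>LoadTime</PropertyName> <FormatString>0x{0:X16}</FormatString> </ListItem>
              <ListItem> <PropertyName>BaseNameHashValue</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <PropertyName>LoadReason</PropertyName> </ListItem>
            </ListItems>
          </ListEntry>
        </ListEntries>
      </ListControl>
    </View>
    <!-- List view for PEB.ProcessParameters: handles as pointer-width hex, numeric fields as X8,
         path, command-line and window strings with default formatting. -->
    <View>
      <Name>ProcessParameters</Name>
      <ViewSelectedBy>
        <TypeName>PEB.ProcessParameters</TypeName>
      </ViewSelectedBy>
      <ListControl>
        <ListEntries>
          <ListEntry>
            <ListItems>
              <ListItem> <PropertyName>MaximumLength</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <PropertyName>Length</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <PropertyName>Flags</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <PropertyName>DebugFlags</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <Label>ConsoleHandle</Label> <ScriptBlock>"0x$($_.ConsoleHandle.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>ConsoleFlags</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <Label>StandardInput</Label> <ScriptBlock>"0x$($_.StandardInput.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>StandardOutput</Label> <ScriptBlock>"0x$($_.StandardOutput.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <Label>StandardError</Label> <ScriptBlock>"0x$($_.StandardError.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>CurrentDirectory</PropertyName> </ListItem>
              <ListItem> <PropertyName>DllPath</PropertyName> </ListItem>
              <ListItem> <PropertyName>ImagePathName</PropertyName> </ListItem>
              <ListItem> <PropertyName>CommandLine</PropertyName> </ListItem>
              <ListItem> <Label>Environment</Label> <ScriptBlock>"0x$($_.Environment.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock> </ListItem>
              <ListItem> <PropertyName>StartingX</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <PropertyName>StartingY</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <PropertyName>CountX</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <PropertyName>CountY</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <PropertyName>CountCharsX</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <PropertyName>CountCharsY</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <PropertyName>FillAttribute</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <PropertyName>WindowFlags</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <PropertyName>ShowWindowFlags</PropertyName> <FormatString>0x{0:X8}</FormatString> </ListItem>
              <ListItem> <PropertyName>WindowTitle</PropertyName> </ListItem>
              <ListItem> <PropertyName>DesktopInfo</PropertyName> </ListItem>
              <ListItem> <PropertyName>ShellInfo</PropertyName> </ListItem>
              <ListItem> <PropertyName>RuntimeData</PropertyName> </ListItem>
            </ListItems>
          </ListEntry>
        </ListEntries>
      </ListControl>
    </View>
  </ViewDefinitions>
</Configuration>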