五、杂项信息流(MiscInfoStream)

在系统信息流后紧挨着的就是杂项信息流。而系统信息流信息如下

0xEC+0n56=0x124

而杂项信息流如下:

可知偏移是0x124,即证明杂项信息流是紧挨着系统信息流,大小有1364字节。

MiscInfoStream包含各种信息。数据结构如下:

typedef struct_MINIDUMP_MISC_INFO_5 {

    ULONG32 SizeOfInfo;

    ULONG32 Flags1;

    ULONG32 ProcessId;

    ULONG32 ProcessCreateTime;

    ULONG32 ProcessUserTime;

    ULONG32 ProcessKernelTime;

    ULONG32 ProcessorMaxMhz;

    ULONG32 ProcessorCurrentMhz;

    ULONG32 ProcessorMhzLimit;

    ULONG32 ProcessorMaxIdleState;

    ULONG32 ProcessorCurrentIdleState;

    ULONG32 ProcessIntegrityLevel;

    ULONG32 ProcessExecuteFlags;

    ULONG32 ProtectedProcess;

    ULONG32 TimeZoneId;

    TIME_ZONE_INFORMATION TimeZone;

    WCHAR   BuildString[MAX_PATH];

    WCHAR   DbgBldStr[40];

    XSTATE_CONFIG_FEATURE_MSC_INFO XStateData;    

    ULONG32 ProcessCookie;

} MINIDUMP_MISC_INFO_5,*PMINIDUMP_MISC_INFO_5;



typedefstruct_TIME_ZONE_INFORMATION {

  LONG       Bias;

  WCHAR      StandardName[32];

  SYSTEMTIME StandardDate;

  LONG       StandardBias;

  WCHAR      DaylightName[32];

  SYSTEMTIME DaylightDate;

  LONG       DaylightBias;

} TIME_ZONE_INFORMATION,*PTIME_ZONE_INFORMATION, *LPTIME_ZONE_INFORMATION;



typedefstruct_XSTATE_CONFIG_FEATURE_MSC_INFO

{

    ULONG32 SizeOfInfo;

    ULONG32 ContextSize;

    ULONG64 EnabledFeatures;                

    XSTATE_FEATURE Features[MAXIMUM_XSTATE_FEATURES];

} XSTATE_CONFIG_FEATURE_MSC_INFO,*PXSTATE_CONFIG_FEATURE_MSC_INFO;

标签: none

添加新评论