class LdrDataEntry(MemStruct): """ +0x000 InLoadOrderLinks : _LIST_ENTRY +0x008 InMemoryOrderLinks : _LIST_ENTRY +0x010 InInitializationOrderLinks : _LIST_ENTRY +0x018 DllBase : Ptr32 Void +0x01c EntryPoint : Ptr32 Void +0x020 SizeOfImage : Uint4B +0x024 FullDllName : _UNICODE_STRING +0x02c BaseDllName : _UNICODE_STRING +0x034 Flags : Uint4B +0x038 LoadCount : Uint2B +0x03a TlsIndex : Uint2B +0x03c HashLinks : _LIST_ENTRY +0x03c SectionPointer : Ptr32 Void +0x040 CheckSum : Uint4B +0x044 TimeDateStamp : Uint4B +0x044 LoadedImports : Ptr32 Void +0x048 EntryPointActivationContext : Ptr32 Void +0x04c PatchInformation : Ptr32 Void """ fields = [ ("InLoadOrderLinks", ListEntry), ("InMemoryOrderLinks", ListEntry), ("InInitializationOrderLinks", ListEntry), ("DllBase", Ptr("<I", Void())), ("EntryPoint", Ptr("<I", Void())), ("SizeOfImage", Num("<I")), ("FullDllName", UnicodeString), ("BaseDllName", UnicodeString), ("Flags", Array(Num("B"), 4)), ("LoadCount", Num("H")), ("TlsIndex", Num("H")), ("union1", Union([ ("HashLinks", Ptr("<I", Void())), ("SectionPointer", Ptr("<I", Void())), ])), ("CheckSum", Num("<I")), ("union2", Union([ ("TimeDateStamp", Num("<I")), ("LoadedImports", Ptr("<I", Void())), ])), ("EntryPointActivationContext", Ptr("<I", Void())), ("PatchInformation", Ptr("<I", Void())), ]
class UniStruct(MemStruct): fields = [ ("one", Num("B")), ("union", Union([ ("instruct", InStruct), ("i", Num(">I")), ])), ("last", Num("B")), ]
class Anon(MemStruct): fields = [ ("a", Num("B")), # If a field name evaluates to False ("" or None for example) and the # field type is a Struct subclass (Struct, Union, BitField), the field # is considered as an anonymous struct or union. Therefore, Anon will # have b1, b2 and c1, c2 attributes in that case. ("", Union([("b1", Num("B")), ("b2", Num("H"))])), ("", Struct("", [("c1", Num("B")), ("c2", Num("B"))])), ("d", Num("B")), ]
class NT_TIB(MemStruct): """ +00 struct _EXCEPTION_REGISTRATION_RECORD *ExceptionList +04 void *StackBase +08 void *StackLimit +0c void *SubSystemTib +10 void *FiberData +10 uint32 Version +14 void *ArbitraryUserPointer +18 struct _NT_TIB *Self """ fields = [ ("ExceptionList", Ptr("<I", EXCEPTION_REGISTRATION_RECORD)), ("StackBase", Ptr("<I", Void())), ("StackLimit", Ptr("<I", Void())), ("SubSystemTib", Ptr("<I", Void())), (None, Union([("FiberData", Ptr("<I", Void())), ("Version", Num("<I"))])), ("ArbitraryUserPointer", Ptr("<I", Void())), ("Self", Ptr("<I", Self())), ]
assert Ptr(">I", MyStruct) != Ptr("<I", MyStruct) assert Ptr("I", MyStruct) != Ptr("I", MyStruct2) assert MyStruct.get_type() == MyStruct.get_type() assert MyStruct.get_type() != MyStruct2.get_type() assert Array(Num("H"), 12) == Array(Num("H"), 12) assert Array(Num("H"), 11) != Array(Num("H"), 12) assert Array(Num("I"), 12) != Array(Num("H"), 12) assert Struct("a", [("f1", Num("B")), ("f2", Num("H"))]) == \ Struct("a", [("f1", Num("B")), ("f2", Num("H"))]) assert Struct("a", [("f2", Num("B")), ("f2", Num("H"))]) != \ Struct("a", [("f1", Num("B")), ("f2", Num("H"))]) assert Struct("a", [("f1", Num("B")), ("f2", Num("H"))]) != \ Struct("a", [("f1", Num("I")), ("f2", Num("H"))]) assert Struct("a", [("f1", Num("B")), ("f2", Num("H"))]) != \ Struct("b", [("f1", Num("B")), ("f2", Num("H"))]) assert Union([("f1", Num("B")), ("f2", Num("H"))]) == \ Union([("f1", Num("B")), ("f2", Num("H"))]) assert Union([("f2", Num("B")), ("f2", Num("H"))]) != \ Union([("f1", Num("B")), ("f2", Num("H"))]) assert Union([("f1", Num("B")), ("f2", Num("H"))]) != \ Union([("f1", Num("I")), ("f2", Num("H"))]) assert Bits(Num("I"), 3, 8) == Bits(Num("I"), 3, 8) assert (Bits(Num("I"), 3, 8) != Bits(Num("I"), 3, 8)) is False assert Bits(Num("H"), 2, 8) != Bits(Num("I"), 3, 8) assert Bits(Num("I"), 3, 7) != Bits(Num("I"), 3, 8) assert BitField(Num("B"), [("f1", 2), ("f2", 4), ("f3", 1)]) == \ BitField(Num("B"), [("f1", 2), ("f2", 4), ("f3", 1)]) assert BitField(Num("H"), [("f1", 2), ("f2", 4), ("f3", 1)]) != \ BitField(Num("B"), [("f1", 2), ("f2", 4), ("f3", 1)]) assert BitField(Num("B"), [("f2", 2), ("f2", 4), ("f3", 1)]) != \ BitField(Num("B"), [("f1", 2), ("f2", 4), ("f3", 1)])