type
{ TLDR_DATA_TABLE_ENTRY declares the loader's per-module record }
{ (_LDR_DATA_TABLE_ENTRY) together with its pointer types. }
{ }
{ How to read the field comments: }
{ - the two leading numbers are hexadecimal byte offsets of the field in }
{ 32-bit and 64-bit builds }
{ - the trailing range is the Windows NT version span in which the field }
{ exists: 4.0 = NT 4, 5.1 = XP, 6.0 = Vista, 6.1 = Windows 7, }
{ 6.2 = Windows 8, 6.3 = Windows 8.1, 10.0 = Windows 10; 1607 and 1703 }
{ are Windows 10 releases }
{ }
{ The variant parts overlay different fields on the same offsets, so the }
{ meaning of an offset depends on the Windows version. Code that reads a }
{ version-specific field should first check that the running version is }
{ inside the range noted on that field, and should not read past the last }
{ field that exists on that version. }
{ }
{ NOTE(review): the layout comes from a third-party study, not from a }
{ published contract, so re-verify offsets when targeting a new Windows build. }
{ NOTE(review): when entries are read from a user-mode process, for example }
{ during module enumeration or memory forensics, the list links, DllBase, }
{ SizeOfImage and the name strings are presumably writable by code running in }
{ that process. Treat them as untrusted: bound list walks, validate the }
{ UNICODE_STRING lengths and buffers before dereferencing, and cross-check }
{ against an independent view of the mapped images. TODO confirm for the }
{ callers of this unit. }
{ NOTE: the following data structure is also found on the net with the name }
{ _LDR_MODULE }
{ ALSO: this structure is also used by LdrFindEntryForAddress }
{ the layout of the structure below is from Geoff Chappell }
{ see: https://www.geoffchappell.com/studies/windows/km/ntoskrnl/inc/api/ntldr/ldr_data_table_entry.htm }
{ minor changes made due to Pascal not allowing unnamed unions }
PPLDR_DATA_TABLE_ENTRY = ^PLDR_DATA_TABLE_ENTRY;
PLDR_DATA_TABLE_ENTRY = ^TLDR_DATA_TABLE_ENTRY;
TLDR_DATA_TABLE_ENTRY = record { _LDR_DATA_TABLE_ENTRY }
{ offsets (hexadecimal) }
{ 32b 64b }
{ three list links; each entry can be chained into up to three lists }
{ 0 0 } InLoadOrderLinks : TLIST_ENTRY; { 3.10 and higher }
{ 8 10 } InMemoryOrderLinks : TLIST_ENTRY; { 3.10 and higher }
{ same offset, different list depending on version }
{ 10 20 } LinksUnion : record
case integer of
1 : (
InInitializationOrderLinks : TLIST_ENTRY; { 3.10 to 6.1 }
);
2 : (
InProgressLinks : TLIST_ENTRY; { 6.2 and higher }
);
end;
{ 18 30 } DllBase : pointer ; { 3.10 and higher }
{ 1C 38 } EntryPoint : PLDR_INIT_ROUTINE; { 3.10 and higher }
{ 20 40 } SizeOfImage : DWORD ; { 3.10 and higher }
{ 24 48 } FullDllName : TUNICODE_STRING ; { 3.10 and higher }
{ 2C 58 } BaseDllName : TUNICODE_STRING ; { 3.10 and higher }
{ 32 bits of flags, exposed as one DWORD, as four bytes and, under FPC only, }
{ as individual named bit fields }
{ 34 68 } FlagsUnion : {$ifdef FPC} bitpacked {$endif} record
case integer of
1 : (
Flags : DWORD; { 3.10 to 6.1 }
);
2 : (
{ 6.2 and higher }
FlagGroup : array[0..3] of byte;
);
{$ifdef FPC}
{ NOTE(review): this variant reuses case label 2, already used by FlagGroup }
{ above. The labels of an untagged variant part do not affect layout, but }
{ confirm that the compiler accepts the duplicate. }
{ the bit fields below add up to 32 bits, matching Flags and FlagGroup }
2 : (
{ 6.2 and higher }
PackagedBinary : _1bit;
MarkedForRemoval : _1bit;
ImageDll : _1bit;
LoadNotificationsSent : _1bit;
TelemetryEntryProcessed : _1bit;
ProcessStaticImport : _1bit;
InLegacyLists : _1bit;
InIndexes : _1bit;
ShimDll : _1bit;
InExceptionTable : _1bit;
ReservedFlags1 : _2bits;
LoadInProgress : _1bit;
LoadConfigProcessed : _1bit;
EntryProcessed : _1bit;
ProtectDelayLoad : _1bit;
ReservedFlags3 : _2bits;
DontCallForThreads : _1bit;
ProcessAttachCalled : _1bit;
ProcessAttachFailed : _1bit;
CorDeferredValidate : _1bit;
CorImage : _1bit;
DontRelocate : _1bit;
CorILOnly : _1bit;
ChpeImage : _1bit;
ReservedFlags5 : _2bits;
Redirected : _1bit;
ReservedFlags6 : _2bits;
CompatDatabaseProcessed : _1bit;
);
{$endif}
end;
{ 38 6C } LoadCount : word ; { 3.10 to 6.1 }
{ renamed ObsoleteLoadCount 6.2 and higher }
{ 3A 6E } TlsIndex : word ; { all }
{ NOTE(review): the range on the HashUnion line and the range on HashLinks }
{ disagree; confirm against the reference page before relying on either }
{ 3C 70 } HashUnion : record { 3.10 to 6.1 }
case integer of
1 : (
{ 3C 70 } HashLinks : TLIST_ENTRY ; { 3.10 and higher }
);
2 : ( { 3.10 to 6.1 only }
{ 3C 70 } SectionPointer : pointer;
{ 40 78 } CheckSum : DWORD;
);
end;
{---------------------------------------------------------- }
{ appended for Windows NT 4 }
{ 44 80 } Nt4Union : record
case integer of
1 : (
{ 44 80 } TimeDateStamp : DWORD; { 4.0 and higher }
{$ifdef WIN64}
{ pad DWORD declared only under WIN64; with it this variant spans offsets 80 }
{ to 88, where the next field begins }
BadFood : DWORD;
{$endif}
);
{ LoadedImports field exists only up to 6.1 }
2 : (
{ 44 80 } LoadedImports : pointer; { 4.0 to 6.1 }
);
end;
{---------------------------------------------------------- }
{ appended for Windows XP }
{ the following pointer is a PACTIVATION_CONTEXT }
{ 48 88 } EntryPointActivationContext : pointer; { 5.1 and higher }
{ one pointer-sized slot whose meaning changed three times; check the }
{ Windows version before interpreting it }
{ 4C 90 } XpUnion : record
case integer of
1 : (
PatchInformation : pointer; { 5.1 from Windows XP SP2 to 6.2 }
);
2 : (
{ 4C 90 } Spare : pointer; { 6.3 only }
);
3 : (
{ the following pointer is a PRTL_SRWLOCK }
{ 4C 90 } Lock : pointer; { 10.0 and higher }
);
end;
{ three version-specific layouts for the region starting at offset 50 / 98; }
{ only the variant matching the running Windows version is meaningful }
{ 50 98 } VersionUnion : record
case integer of
1 : (
{ appended for Windows Vista }
Vista : record
{ 50 98 } ForwarderLinks : TLIST_ENTRY; { 6.0 to 6.1 }
{ 58 A8 } ServiceTagLinks : TLIST_ENTRY; { 6.0 to 6.1 }
{ 60 B8 } StaticLinks : TLIST_ENTRY; { 6.0 to 6.1 }
end;
);
2 : (
{ Windows 7 fields }
Win7 : record
{ the Vista fields defined above (case 1) }
{ 50 98 } VistaForwarderLinks : TLIST_ENTRY; { 6.0 to 6.1 }
{ 58 A8 } VistaServiceTagLinks : TLIST_ENTRY; { 6.0 to 6.1 }
{ 60 B8 } VistaStaticLinks : TLIST_ENTRY; { 6.0 to 6.1 }
{ fields appended for Windows 7 }
{ 68 C8 } ContextInformation : pointer; { 6.1 only }
{ OriginalBase and LoadTime here are the Windows 7 positions; the fields of }
{ the same name after VersionUnion are the 6.2 and higher positions }
{ 6C D0 } OriginalBase : pointer;
{ 70 D8 } LoadTime : TLARGE_INTEGER; { 6.1 and higher }
end;
);
3 : (
{ Win8 field reorganization }
Win8 : record
{ 50 98 } DdagNode : PLDR_DDAG_NODE;
{ 54 A0 } NodeModuleLink : TLIST_ENTRY;
{ 5C B0 } ContextUnion : record
case integer of
1 : (
{ 5C B0 } SnapContext : PLDRP_DLL_SNAP_CONTEXT; { 6.2 to 6.3 }
);
2 : (
{ 5C B0 } LoadContext : PLDRP_LOAD_CONTEXT; { Win10 and higher }
);
end;
{ 60 B8 } ParentDllBase : pointer; { 6.2 and higher }
{ 64 C0 } SwitchBackContext : pointer; { 6.2 and higher }
{ 68 C8 } BaseAddressIndexNode : TRTL_BALANCED_NODE; { 6.2 and higher }
{ 74 E0 } MappingInfoIndexNode : TRTL_BALANCED_NODE; { 6.2 and higher }
end;
);
end;
{ fields from here on exist only on the versions noted; on older versions the }
{ record ends earlier, so these offsets must not be read there }
{ 80 F8 } OriginalBase : pointer; { 6.2 and higher }
{$ifdef DELPHIv2}
{ presumably an explicit pad so that LoadTime lands on offset 88 when the }
{ compiler does not align it to 8 bytes; verify against the Delphi v2 build }
ForceLoadTimeAlignment8 : DWORD; { Delphi v2 alignment }
{$endif}
{ 88 100 } LoadTime : TLARGE_INTEGER; { 6.2 and higher }
{---------------------------------------------------------- }
{ appended for Windows 8 }
{ 90 108 } BaseNameHashValue : DWORD; { 6.2 and higher }
{ 94 10C } LoadReason : TLDR_DLL_LOAD_REASON; { 6.2 and higher }
{---------------------------------------------------------- }
{ appended for Windows 8.1 }
{ 98 110 } ImplicitPathOptions : DWORD; { 6.3 and higher }
{---------------------------------------------------------- }
{ appended for Windows 10 }
{ 9C 114 } ReferenceCount : DWORD; { 10.0 and higher }
{ A0 118 } DependentLoadFlags : DWORD; { 1607 and higher }
{ A4 11C } SigningLevel : byte; { 1703 and higher }
end;