//! Raw layouts of the Process Environment Block (PEB) and Thread Environment
//! Block (TEB) and the activation-context / API-set records they point at.
//!
//! Everything here is declared through the crate's `STRUCT!`, `UNION!` and
//! `BITFIELD!` macros as a C-layout mirror of an undocumented Windows
//! user-mode structure. Field order, field types and array lengths *are* the
//! ABI: the OS lays these blocks out, and this file only describes them, so
//! nothing may be reordered, renamed or resized without re-checking the
//! corresponding Windows build. NOTE(review): the Windows version whose header
//! this was transcribed from is not recorded anywhere in the file — confirm it
//! before relying on the trailing (newest) fields, which are the ones most
//! likely to differ between builds.
//!
//! Anything read through these types from a *foreign* process (e.g. a tool
//! inspecting another process's PEB) is untrusted input: the layout is
//! version-specific and the values are writable by that process.
use core::mem::size_of;
use crate::ntapi_base::CLIENT_ID;
use crate::ntpsapi::{GDI_HANDLE_BUFFER, PPEB_LDR_DATA};
use crate::ntrtl::PRTL_USER_PROCESS_PARAMETERS;
use winapi::shared::basetsd::{SIZE_T, ULONG_PTR};
use winapi::shared::guiddef::GUID;
use winapi::shared::ntdef::{
    BOOLEAN, CHAR, HANDLE, LCID, LIST_ENTRY, LONG, NTSTATUS, PROCESSOR_NUMBER, PSTR, PVOID, UCHAR,
    ULARGE_INTEGER, ULONG, ULONGLONG, UNICODE_STRING, USHORT, WCHAR,
};
use winapi::um::winnt::{
    ACTIVATION_CONTEXT, FLS_MAXIMUM_AVAILABLE, NT_TIB, PRTL_CRITICAL_SECTION, PSLIST_HEADER,
};
// One frame of a thread's activation-context stack. Frames form a singly
// linked list through `Previous` (the alias is declared just below; Rust
// resolves it regardless of order).
STRUCT!{struct RTL_ACTIVATION_CONTEXT_STACK_FRAME {
    Previous: PRTL_ACTIVATION_CONTEXT_STACK_FRAME,
    ActivationContext: *mut ACTIVATION_CONTEXT,
    Flags: ULONG,
}}
pub type PRTL_ACTIVATION_CONTEXT_STACK_FRAME = *mut RTL_ACTIVATION_CONTEXT_STACK_FRAME;
// Per-thread activation-context stack; embedded by value in `TEB` and also
// reachable through `TEB::ActivationContextStackPointer`.
STRUCT!{struct ACTIVATION_CONTEXT_STACK {
    ActiveFrame: *mut RTL_ACTIVATION_CONTEXT_STACK_FRAME,
    FrameListCache: LIST_ENTRY,
    Flags: ULONG,
    NextCookieSequenceNumber: ULONG,
    StackId: ULONG,
}}
pub type PACTIVATION_CONTEXT_STACK = *mut ACTIVATION_CONTEXT_STACK;
// Header of the API-set map that `PEB::ApiSetMap` points at. The `*Offset`
// fields are presumably byte offsets relative to the start of this header —
// TODO confirm against the header this was transcribed from; the file itself
// does not say.
STRUCT!{struct API_SET_NAMESPACE {
    Version: ULONG,
    Size: ULONG,
    Flags: ULONG,
    Count: ULONG,
    EntryOffset: ULONG,
    HashOffset: ULONG,
    HashFactor: ULONG,
}}
pub type PAPI_SET_NAMESPACE = *mut API_SET_NAMESPACE;
// Hash-table record: a name hash and the index of the matching namespace entry.
STRUCT!{struct API_SET_HASH_ENTRY {
    Hash: ULONG,
    Index: ULONG,
}}
pub type PAPI_SET_HASH_ENTRY = *mut API_SET_HASH_ENTRY;
// One API-set name with `ValueCount` value records starting at `ValueOffset`.
// `NameLength`/`HashedLength` are separate fields; do not assume they are equal.
STRUCT!{struct API_SET_NAMESPACE_ENTRY {
    Flags: ULONG,
    NameOffset: ULONG,
    NameLength: ULONG,
    HashedLength: ULONG,
    ValueOffset: ULONG,
    ValueCount: ULONG,
}}
pub type PAPI_SET_NAMESPACE_ENTRY = *mut API_SET_NAMESPACE_ENTRY;
// One value (target) record of an API-set entry: a name and a value, each
// given as an offset/length pair.
STRUCT!{struct API_SET_VALUE_ENTRY {
    Flags: ULONG,
    NameOffset: ULONG,
    NameLength: ULONG,
    ValueOffset: ULONG,
    ValueLength: ULONG,
}}
pub type PAPI_SET_VALUE_ENTRY = *mut API_SET_VALUE_ENTRY;
// Anonymous union inside `PEB`: both members are the same pointer-sized slot
// under two names.
UNION!{union PEB_u {
    KernelCallbackTable: PVOID,
    UserSharedInfoPtr: PVOID,
}}
// Opaque zero-sized placeholder: the real layout has not been transcribed
// (see the `fixme`). It is only ever used as `*mut LEAP_SECOND_DATA` from
// `PEB::LeapSecondData`; never dereference it or take its `size_of`.
#[repr(C)]
pub struct LEAP_SECOND_DATA([u8; 0]); //fixme
// Process Environment Block. The four leading `BOOLEAN`s and `Mutant` pin the
// start of the layout; `BitField`, `CrossProcessFlags`, `TracingFlags` and
// `LeapSecondFlags` are unpacked by the `BITFIELD!` blocks after the struct.
STRUCT!{struct PEB {
    InheritedAddressSpace: BOOLEAN,
    ReadImageFileExecOptions: BOOLEAN,
    BeingDebugged: BOOLEAN,
    BitField: BOOLEAN, // packed flags; see `BITFIELD!{PEB BitField ...}`
    Mutant: HANDLE,
    ImageBaseAddress: PVOID,
    Ldr: PPEB_LDR_DATA,
    ProcessParameters: PRTL_USER_PROCESS_PARAMETERS,
    SubSystemData: PVOID,
    ProcessHeap: PVOID,
    FastPebLock: PRTL_CRITICAL_SECTION,
    IFEOKey: PVOID,
    AtlThunkSListPtr: PSLIST_HEADER,
    CrossProcessFlags: ULONG, // packed flags; see `BITFIELD!{PEB CrossProcessFlags ...}`
    u: PEB_u,
    SystemReserved: [ULONG; 1],
    AtlThunkSListPtr32: ULONG,
    ApiSetMap: PAPI_SET_NAMESPACE,
    TlsExpansionCounter: ULONG,
    TlsBitmap: PVOID,
    TlsBitmapBits: [ULONG; 2],
    ReadOnlySharedMemoryBase: PVOID,
    SharedData: PVOID,
    ReadOnlyStaticServerData: *mut PVOID,
    AnsiCodePageData: PVOID,
    OemCodePageData: PVOID,
    UnicodeCaseTableData: PVOID,
    NumberOfProcessors: ULONG,
    NtGlobalFlag: ULONG,
    CriticalSectionTimeout: ULARGE_INTEGER,
    HeapSegmentReserve: SIZE_T,
    HeapSegmentCommit: SIZE_T,
    HeapDeCommitTotalFreeThreshold: SIZE_T,
    HeapDeCommitFreeBlockThreshold: SIZE_T,
    NumberOfHeaps: ULONG,
    MaximumNumberOfHeaps: ULONG,
    ProcessHeaps: *mut PVOID,
    GdiSharedHandleTable: PVOID,
    ProcessStarterHelper: PVOID,
    GdiDCAttributeList: ULONG,
    LoaderLock: PRTL_CRITICAL_SECTION,
    OSMajorVersion: ULONG,
    OSMinorVersion: ULONG,
    OSBuildNumber: USHORT,
    OSCSDVersion: USHORT,
    OSPlatformId: ULONG,
    ImageSubsystem: ULONG,
    ImageSubsystemMajorVersion: ULONG,
    ImageSubsystemMinorVersion: ULONG,
    ActiveProcessAffinityMask: ULONG_PTR,
    GdiHandleBuffer: GDI_HANDLE_BUFFER,
    PostProcessInitRoutine: PVOID,
    TlsExpansionBitmap: PVOID,
    TlsExpansionBitmapBits: [ULONG; 32],
    SessionId: ULONG,
    AppCompatFlags: ULARGE_INTEGER,
    AppCompatFlagsUser: ULARGE_INTEGER,
    pShimData: PVOID,
    AppCompatInfo: PVOID,
    CSDVersion: UNICODE_STRING,
    ActivationContextData: PVOID,
    ProcessAssemblyStorageMap: PVOID,
    SystemDefaultActivationContextData: PVOID,
    SystemAssemblyStorageMap: PVOID,
    MinimumStackCommit: SIZE_T,
    FlsCallback: *mut PVOID,
    FlsListHead: LIST_ENTRY,
    FlsBitmap: PVOID,
    // One bit per FLS slot: FLS_MAXIMUM_AVAILABLE bits packed into ULONGs
    // (size_of::<ULONG>() * 8 bits each). Evaluated at compile time.
    FlsBitmapBits: [ULONG; FLS_MAXIMUM_AVAILABLE as usize / (size_of::<ULONG>() * 8)],
    FlsHighIndex: ULONG,
    WerRegistrationData: PVOID,
    WerShipAssertPtr: PVOID,
    pUnused: PVOID,
    pImageHeaderHash: PVOID,
    TracingFlags: ULONG, // packed flags; see `BITFIELD!{PEB TracingFlags ...}`
    CsrServerReadOnlySharedMemoryBase: ULONGLONG,
    TppWorkerpListLock: PRTL_CRITICAL_SECTION,
    TppWorkerpList: LIST_ENTRY,
    WaitOnAddressHashTable: [PVOID; 128],
    TelemetryCoverageHeader: PVOID,
    CloudFileFlags: ULONG,
    CloudFileDiagFlags: ULONG,
    PlaceholderCompatibilityMode: CHAR,
    PlaceholderCompatibilityModeReserved: [CHAR; 7],
    LeapSecondData: *mut LEAP_SECOND_DATA, // opaque, see LEAP_SECOND_DATA above
    LeapSecondFlags: ULONG, // packed flags; see `BITFIELD!{PEB LeapSecondFlags ...}`
    NtGlobalFlag2: ULONG,
}}
// Each `BITFIELD!` line declares a getter/setter pair (`name` / `set_name`)
// over the half-open bit range `[lo..hi]` of the named field. Ranges within
// one block must tile the field without overlap; `BitField` is 8 bits, the
// `ULONG` fields are 32.
BITFIELD!{PEB BitField: BOOLEAN [
    ImageUsesLargePages set_ImageUsesLargePages[0..1],
    IsProtectedProcess set_IsProtectedProcess[1..2],
    IsImageDynamicallyRelocated set_IsImageDynamicallyRelocated[2..3],
    SkipPatchingUser32Forwarders set_SkipPatchingUser32Forwarders[3..4],
    IsPackagedProcess set_IsPackagedProcess[4..5],
    IsAppContainer set_IsAppContainer[5..6],
    IsProtectedProcessLight set_IsProtectedProcessLight[6..7],
    IsLongPathAwareProcess set_IsLongPathAwareProcess[7..8],
]}
BITFIELD!{PEB CrossProcessFlags: ULONG [
    ProcessInJob set_ProcessInJob[0..1],
    ProcessInitializing set_ProcessInitializing[1..2],
    ProcessUsingVEH set_ProcessUsingVEH[2..3],
    ProcessUsingVCH set_ProcessUsingVCH[3..4],
    ProcessUsingFTH set_ProcessUsingFTH[4..5],
    ProcessPreviouslyThrottled set_ProcessPreviouslyThrottled[5..6],
    ProcessCurrentlyThrottled set_ProcessCurrentlyThrottled[6..7],
    ProcessImagesHotPatched set_ProcessImagesHotPatched[7..8],
    ReservedBits0 set_ReservedBits0[8..32],
]}
BITFIELD!{PEB TracingFlags: ULONG [
    HeapTracingEnabled set_HeapTracingEnabled[0..1],
    CritSecTracingEnabled set_CritSecTracingEnabled[1..2],
    LibLoaderTracingEnabled set_LibLoaderTracingEnabled[2..3],
    SpareTracingBits set_SpareTracingBits[3..32],
]}
BITFIELD!{PEB LeapSecondFlags: ULONG [
    SixtySecondEnabled set_SixtySecondEnabled[0..1],
    Reserved set_Reserved[1..32],
]}
pub type PPEB = *mut PEB;
// Number of ULONG entries in the per-thread GDI batch buffer.
pub const GDI_BATCH_BUFFER_SIZE: usize = 310;
STRUCT!{struct GDI_TEB_BATCH {
    Offset: ULONG,
    HDC: ULONG_PTR,
    Buffer: [ULONG; GDI_BATCH_BUFFER_SIZE],
}}
pub type PGDI_TEB_BATCH = *mut GDI_TEB_BATCH;
STRUCT!{struct TEB_ACTIVE_FRAME_CONTEXT {
    Flags: ULONG,
    FrameName: PSTR,
}}
pub type PTEB_ACTIVE_FRAME_CONTEXT = *mut TEB_ACTIVE_FRAME_CONTEXT;
// Singly linked through `Previous`; the head lives in `TEB::ActiveFrame`.
STRUCT!{struct TEB_ACTIVE_FRAME {
    Flags: ULONG,
    Previous: *mut TEB_ACTIVE_FRAME,
    Context: PTEB_ACTIVE_FRAME_CONTEXT,
}}
pub type PTEB_ACTIVE_FRAME = *mut TEB_ACTIVE_FRAME;
// Byte view of `TEB_u`: four UCHARs overlaying the same 32 bits as
// `IdealProcessorValue` / `CurrentIdealProcessor`.
STRUCT!{struct TEB_u_s {
    ReservedPad0: UCHAR,
    ReservedPad1: UCHAR,
    ReservedPad2: UCHAR,
    IdealProcessor: UCHAR,
}}
UNION!{union TEB_u {
    CurrentIdealProcessor: PROCESSOR_NUMBER,
    IdealProcessorValue: ULONG,
    s: TEB_u_s,
}}
// Thread Environment Block, 64-bit layout (x86_64 and aarch64 share it).
// Differs from the 32-bit definition below in: `SystemReserved1` is 30 entries
// (vs 26), `TxFsContext` comes before `InstrumentationCallbackDisabled` with
// no `SpareBytes`, `Instrumentation` is 11 entries (vs 9), and the
// `DeallocationBStore`/`BStoreLimit` pair is present. `SameTebFlags` is
// unpacked by the `BITFIELD!` block after both definitions.
#[cfg(any(target_arch = "x86_64", target_arch = "aarch64"))]
STRUCT!{struct TEB {
    NtTib: NT_TIB,
    EnvironmentPointer: PVOID,
    ClientId: CLIENT_ID,
    ActiveRpcHandle: PVOID,
    ThreadLocalStoragePointer: PVOID,
    ProcessEnvironmentBlock: PPEB,
    LastErrorValue: ULONG,
    CountOfOwnedCriticalSections: ULONG,
    CsrClientThread: PVOID,
    Win32ThreadInfo: PVOID,
    User32Reserved: [ULONG; 26],
    UserReserved: [ULONG; 5],
    WOW32Reserved: PVOID,
    CurrentLocale: LCID,
    FpSoftwareStatusRegister: ULONG,
    ReservedForDebuggerInstrumentation: [PVOID; 16],
    SystemReserved1: [PVOID; 30], // 26 on x86
    PlaceholderCompatibilityMode: CHAR,
    PlaceholderReserved: [CHAR; 11],
    ProxiedProcessId: ULONG,
    ActivationStack: ACTIVATION_CONTEXT_STACK,
    WorkingOnBehalfTicket: [UCHAR; 8],
    ExceptionCode: NTSTATUS,
    ActivationContextStackPointer: PACTIVATION_CONTEXT_STACK,
    InstrumentationCallbackSp: ULONG_PTR,
    InstrumentationCallbackPreviousPc: ULONG_PTR,
    InstrumentationCallbackPreviousSp: ULONG_PTR,
    TxFsContext: ULONG,
    InstrumentationCallbackDisabled: BOOLEAN,
    GdiTebBatch: GDI_TEB_BATCH,
    RealClientId: CLIENT_ID,
    GdiCachedProcessHandle: HANDLE,
    GdiClientPID: ULONG,
    GdiClientTID: ULONG,
    GdiThreadLocalInfo: PVOID,
    Win32ClientInfo: [ULONG_PTR; 62],
    glDispatchTable: [PVOID; 233],
    glReserved1: [ULONG_PTR; 29],
    glReserved2: PVOID,
    glSectionInfo: PVOID,
    glSection: PVOID,
    glTable: PVOID,
    glCurrentRC: PVOID,
    glContext: PVOID,
    LastStatusValue: NTSTATUS,
    StaticUnicodeString: UNICODE_STRING,
    StaticUnicodeBuffer: [WCHAR; 261], // presumably the backing store of StaticUnicodeString — verify
    DeallocationStack: PVOID,
    TlsSlots: [PVOID; 64],
    TlsLinks: LIST_ENTRY,
    Vdm: PVOID,
    ReservedForNtRpc: PVOID,
    DbgSsReserved: [PVOID; 2],
    HardErrorMode: ULONG,
    Instrumentation: [PVOID; 11], // 9 on x86
    ActivityId: GUID,
    SubProcessTag: PVOID,
    PerflibData: PVOID,
    EtwTraceData: PVOID,
    WinSockData: PVOID,
    GdiBatchCount: ULONG,
    u: TEB_u,
    GuaranteedStackBytes: ULONG,
    ReservedForPerf: PVOID,
    ReservedForOle: PVOID,
    WaitingOnLoaderLock: ULONG,
    SavedPriorityState: PVOID,
    ReservedForCodeCoverage: ULONG_PTR,
    ThreadPoolData: PVOID,
    TlsExpansionSlots: *mut PVOID,
    DeallocationBStore: PVOID, // 64-bit only
    BStoreLimit: PVOID, // 64-bit only
    MuiGeneration: ULONG,
    IsImpersonating: ULONG,
    NlsCache: PVOID,
    pShimData: PVOID,
    HeapVirtualAffinity: USHORT,
    LowFragHeapDataSlot: USHORT,
    CurrentTransactionHandle: HANDLE,
    ActiveFrame: PTEB_ACTIVE_FRAME,
    FlsData: PVOID,
    PreferredLanguages: PVOID,
    UserPrefLanguages: PVOID,
    MergedPrefLanguages: PVOID,
    MuiImpersonation: ULONG,
    CrossTebFlags: USHORT,
    SameTebFlags: USHORT, // packed flags; see `BITFIELD!{TEB SameTebFlags ...}`
    TxnScopeEnterCallback: PVOID,
    TxnScopeExitCallback: PVOID,
    TxnScopeContext: PVOID,
    LockCount: ULONG,
    WowTebOffset: LONG,
    ResourceRetValue: PVOID,
    ReservedForWdf: PVOID,
    ReservedForCrt: ULONGLONG,
    EffectiveContainerId: GUID,
}}
// Thread Environment Block, 32-bit (x86) layout. See the 64-bit definition
// above for the list of differences; both must stay in sync for every field
// they share.
#[cfg(target_arch = "x86")]
STRUCT!{struct TEB {
    NtTib: NT_TIB,
    EnvironmentPointer: PVOID,
    ClientId: CLIENT_ID,
    ActiveRpcHandle: PVOID,
    ThreadLocalStoragePointer: PVOID,
    ProcessEnvironmentBlock: PPEB,
    LastErrorValue: ULONG,
    CountOfOwnedCriticalSections: ULONG,
    CsrClientThread: PVOID,
    Win32ThreadInfo: PVOID,
    User32Reserved: [ULONG; 26],
    UserReserved: [ULONG; 5],
    WOW32Reserved: PVOID,
    CurrentLocale: LCID,
    FpSoftwareStatusRegister: ULONG,
    ReservedForDebuggerInstrumentation: [PVOID; 16],
    SystemReserved1: [PVOID; 26], // 30 on 64-bit
    PlaceholderCompatibilityMode: CHAR,
    PlaceholderReserved: [CHAR; 11],
    ProxiedProcessId: ULONG,
    ActivationStack: ACTIVATION_CONTEXT_STACK,
    WorkingOnBehalfTicket: [UCHAR; 8],
    ExceptionCode: NTSTATUS,
    ActivationContextStackPointer: PACTIVATION_CONTEXT_STACK,
    InstrumentationCallbackSp: ULONG_PTR,
    InstrumentationCallbackPreviousPc: ULONG_PTR,
    InstrumentationCallbackPreviousSp: ULONG_PTR,
    InstrumentationCallbackDisabled: BOOLEAN,
    SpareBytes: [UCHAR; 23], // x86 only
    TxFsContext: ULONG,
    GdiTebBatch: GDI_TEB_BATCH,
    RealClientId: CLIENT_ID,
    GdiCachedProcessHandle: HANDLE,
    GdiClientPID: ULONG,
    GdiClientTID: ULONG,
    GdiThreadLocalInfo: PVOID,
    Win32ClientInfo: [ULONG_PTR; 62],
    glDispatchTable: [PVOID; 233],
    glReserved1: [ULONG_PTR; 29],
    glReserved2: PVOID,
    glSectionInfo: PVOID,
    glSection: PVOID,
    glTable: PVOID,
    glCurrentRC: PVOID,
    glContext: PVOID,
    LastStatusValue: NTSTATUS,
    StaticUnicodeString: UNICODE_STRING,
    StaticUnicodeBuffer: [WCHAR; 261], // presumably the backing store of StaticUnicodeString — verify
    DeallocationStack: PVOID,
    TlsSlots: [PVOID; 64],
    TlsLinks: LIST_ENTRY,
    Vdm: PVOID,
    ReservedForNtRpc: PVOID,
    DbgSsReserved: [PVOID; 2],
    HardErrorMode: ULONG,
    Instrumentation: [PVOID; 9], // 11 on 64-bit
    ActivityId: GUID,
    SubProcessTag: PVOID,
    PerflibData: PVOID,
    EtwTraceData: PVOID,
    WinSockData: PVOID,
    GdiBatchCount: ULONG,
    u: TEB_u,
    GuaranteedStackBytes: ULONG,
    ReservedForPerf: PVOID,
    ReservedForOle: PVOID,
    WaitingOnLoaderLock: ULONG,
    SavedPriorityState: PVOID,
    ReservedForCodeCoverage: ULONG_PTR,
    ThreadPoolData: PVOID,
    TlsExpansionSlots: *mut PVOID,
    MuiGeneration: ULONG,
    IsImpersonating: ULONG,
    NlsCache: PVOID,
    pShimData: PVOID,
    HeapVirtualAffinity: USHORT,
    LowFragHeapDataSlot: USHORT,
    CurrentTransactionHandle: HANDLE,
    ActiveFrame: PTEB_ACTIVE_FRAME,
    FlsData: PVOID,
    PreferredLanguages: PVOID,
    UserPrefLanguages: PVOID,
    MergedPrefLanguages: PVOID,
    MuiImpersonation: ULONG,
    CrossTebFlags: USHORT,
    SameTebFlags: USHORT, // packed flags; see `BITFIELD!{TEB SameTebFlags ...}`
    TxnScopeEnterCallback: PVOID,
    TxnScopeExitCallback: PVOID,
    TxnScopeContext: PVOID,
    LockCount: ULONG,
    WowTebOffset: LONG,
    ResourceRetValue: PVOID,
    ReservedForWdf: PVOID,
    ReservedForCrt: ULONGLONG,
    EffectiveContainerId: GUID,
}}
// Accessors for the 16-bit `SameTebFlags` field; applies to whichever `TEB`
// definition the target's cfg selected above.
BITFIELD!{TEB SameTebFlags: USHORT [
    SafeThunkCall set_SafeThunkCall[0..1],
    InDebugPrint set_InDebugPrint[1..2],
    HasFiberData set_HasFiberData[2..3],
    SkipThreadAttach set_SkipThreadAttach[3..4],
    WerInShipAssertCode set_WerInShipAssertCode[4..5],
    RanProcessInit set_RanProcessInit[5..6],
    ClonedThread set_ClonedThread[6..7],
    SuppressDebugMsg set_SuppressDebugMsg[7..8],
    DisableUserStackWalk set_DisableUserStackWalk[8..9],
    RtlExceptionAttached set_RtlExceptionAttached[9..10],
    InitialThread set_InitialThread[10..11],
    SessionAware set_SessionAware[11..12],
    LoadOwner set_LoadOwner[12..13],
    LoaderWorker set_LoaderWorker[13..14],
    SkipLoaderInit set_SkipLoaderInit[14..15],
    SpareSameTebBits set_SpareSameTebBits[15..16],
]}
pub type PTEB = *mut TEB;