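/*
 * Process Environment Block (PEB) and Thread Environment Block (TEB) layouts.
 *
 * The layout depends on NTDDI_VERSION (members that were added, renamed or
 * retired between releases are #if'd on it) and on the pointer width.  Three
 * views are selectable:
 *   - native (default):  STRUCT(x) == x,     PTR(x) == x
 *   - EXPLICIT_32BIT:    STRUCT(x) == x##32, every pointer member is a ULONG
 *   - EXPLICIT_64BIT:    STRUCT(x) == x##64, every pointer member is a ULONG64
 * The explicit views presumably exist so that one bitness can describe the
 * other's PEB/TEB with the same member names.
 *
 * Every member that is a pointer in the native layout must be declared through
 * PTR(); a bare PVOID silently changes the size and alignment of the explicit
 * views.  The C_ASSERT blocks after each structure pin a sample of offsets so
 * that a drift in one of the version branches fails at compile time instead of
 * misreading another process's memory at run time.  Consumers that read these
 * structures out of a foreign process should still treat the layout as
 * build-specific: only the offsets asserted below are checked.
 */
#define PASTE2(x,y) x##y
#define PASTE(x,y) PASTE2(x,y)

#ifdef EXPLICIT_32BIT
#define STRUCT(x) PASTE(x,32)
#define PTR(x) ULONG
#elif defined(EXPLICIT_64BIT)
#define STRUCT(x) PASTE(x,64)
#define PTR(x) ULONG64
#else
#define STRUCT(x) x
#define PTR(x) x
#endif

/* Size of PEB.GdiHandleBuffer differs between the 32- and 64-bit layouts. */
#if (defined(_WIN64) && !defined(EXPLICIT_32BIT)) || defined(EXPLICIT_64BIT)
#define GDI_HANDLE_BUFFER_SIZE 60
#else
#define GDI_HANDLE_BUFFER_SIZE 34
#endif

/*
 * When the DDK/IFS headers are in the translation unit the pointer typedef
 * emitted below is renamed, presumably because those headers already declare
 * a PPEB of their own.  The rename is undone right after the typedef.
 */
#if defined(_NTDDK_INCLUDED_) || defined(_NTIFS_)
#define PPEB PPEB_RENAMED
#endif

/*
 * Process Environment Block.
 *
 * Members that appear in more than one version branch (e.g. AltThunkSListPtr,
 * KernelCallbackTable, EnvironmentUpdateCount) are repeated per branch so the
 * branch order matches the on-disk order for that release.
 */
typedef struct STRUCT(_PEB)
{
    BOOLEAN InheritedAddressSpace;
    BOOLEAN ReadImageFileExecOptions;
    BOOLEAN BeingDebugged;
#if (NTDDI_VERSION >= NTDDI_WS03)
    union
    {
        BOOLEAN BitField;
        struct
        {
            BOOLEAN ImageUsesLargePages:1;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
            BOOLEAN IsProtectedProcess:1;
            BOOLEAN IsLegacyProcess:1;
            BOOLEAN IsImageDynamicallyRelocated:1;
            BOOLEAN SkipPatchingUser32Forwarders:1;
            BOOLEAN SpareBits:3;
#else
            BOOLEAN SpareBits:7;
#endif
        };
    };
#else
    BOOLEAN SpareBool;
#endif
    PTR(HANDLE) Mutant;
    PTR(PVOID) ImageBaseAddress;
    PTR(PPEB_LDR_DATA) Ldr;
    PTR(struct _RTL_USER_PROCESS_PARAMETERS*) ProcessParameters;
    PTR(PVOID) SubSystemData;
    PTR(PVOID) ProcessHeap;
    PTR(struct _RTL_CRITICAL_SECTION*) FastPebLock;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
    PTR(PVOID) AltThunkSListPtr;
    PTR(PVOID) IFEOKey;
    union
    {
        ULONG CrossProcessFlags;
        struct
        {
            ULONG ProcessInJob:1;
            ULONG ProcessInitializing:1;
            ULONG ProcessUsingVEH:1;
            ULONG ProcessUsingVCH:1;
            ULONG ReservedBits0:28;
        };
    };
    union
    {
        PTR(PVOID) KernelCallbackTable;
        PTR(PVOID) UserSharedInfoPtr;
    };
#elif (NTDDI_VERSION >= NTDDI_WS03)
    PTR(PVOID) AltThunkSListPtr;
    PTR(PVOID) SparePtr2;
    ULONG EnvironmentUpdateCount;
    PTR(PVOID) KernelCallbackTable;
#else
    PTR(PPEBLOCKROUTINE) FastPebLockRoutine;
    PTR(PPEBLOCKROUTINE) FastPebUnlockRoutine;
    ULONG EnvironmentUpdateCount;
    PTR(PVOID) KernelCallbackTable;
#endif
    ULONG SystemReserved[1];
    ULONG SpareUlong; // AtlThunkSListPtr32
    PTR(PPEB_FREE_BLOCK) FreeList;
    ULONG TlsExpansionCounter;
    PTR(PVOID) TlsBitmap;
    ULONG TlsBitmapBits[2];
    PTR(PVOID) ReadOnlySharedMemoryBase;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
    PTR(PVOID) HotpatchInformation;
#else
    PTR(PVOID) ReadOnlySharedMemoryHeap;
#endif
    PTR(PVOID*) ReadOnlyStaticServerData;
    PTR(PVOID) AnsiCodePageData;
    PTR(PVOID) OemCodePageData;
    PTR(PVOID) UnicodeCaseTableData;
    ULONG NumberOfProcessors;
    ULONG NtGlobalFlag;
    LARGE_INTEGER CriticalSectionTimeout;
    PTR(ULONG_PTR) HeapSegmentReserve;
    PTR(ULONG_PTR) HeapSegmentCommit;
    PTR(ULONG_PTR) HeapDeCommitTotalFreeThreshold;
    PTR(ULONG_PTR) HeapDeCommitFreeBlockThreshold;
    ULONG NumberOfHeaps;
    ULONG MaximumNumberOfHeaps;
    PTR(PVOID*) ProcessHeaps;
    PTR(PVOID) GdiSharedHandleTable;
    PTR(PVOID) ProcessStarterHelper;
    ULONG GdiDCAttributeList;
    PTR(struct _RTL_CRITICAL_SECTION*) LoaderLock;
    ULONG OSMajorVersion;
    ULONG OSMinorVersion;
    USHORT OSBuildNumber;
    USHORT OSCSDVersion;
    ULONG OSPlatformId;
    ULONG ImageSubsystem;
    ULONG ImageSubsystemMajorVersion;
    ULONG ImageSubsystemMinorVersion;
    PTR(ULONG_PTR) ImageProcessAffinityMask;
    ULONG GdiHandleBuffer[GDI_HANDLE_BUFFER_SIZE];
    PTR(PPOST_PROCESS_INIT_ROUTINE) PostProcessInitRoutine;
    PTR(PVOID) TlsExpansionBitmap;
    ULONG TlsExpansionBitmapBits[32];
    ULONG SessionId;
#if (NTDDI_VERSION >= NTDDI_WINXP)
    ULARGE_INTEGER AppCompatFlags;
    ULARGE_INTEGER AppCompatFlagsUser;
    PTR(PVOID) pShimData;
    PTR(PVOID) AppCompatInfo;
    STRUCT(UNICODE_STRING) CSDVersion;
    PTR(struct _ACTIVATION_CONTEXT_DATA*) ActivationContextData;
    PTR(struct _ASSEMBLY_STORAGE_MAP*) ProcessAssemblyStorageMap;
    PTR(struct _ACTIVATION_CONTEXT_DATA*) SystemDefaultActivationContextData;
    PTR(struct _ASSEMBLY_STORAGE_MAP*) SystemAssemblyStorageMap;
    PTR(ULONG_PTR) MinimumStackCommit;
#endif
#if (NTDDI_VERSION >= NTDDI_WS03)
    PTR(PVOID*) FlsCallback;
    STRUCT(LIST_ENTRY) FlsListHead;
    PTR(PVOID) FlsBitmap;
    ULONG FlsBitmapBits[4]; // [FLS_MAXIMUM_AVAILABLE/(sizeof(ULONG)*8)];
    ULONG FlsHighIndex;
#endif
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
    PTR(PVOID) WerRegistrationData;
    PTR(PVOID) WerShipAssertPtr;
#endif
} STRUCT(PEB), *STRUCT(PPEB);

#undef PPEB

/*
 * Offset pins for the PEB.  The 64-bit table applies to the native 64-bit
 * build and to the EXPLICIT_64BIT view, mirroring the GDI_HANDLE_BUFFER_SIZE
 * condition above; the original condition omitted EXPLICIT_64BIT, which made
 * that view check itself against the 32-bit table.
 */
#if (defined(_WIN64) && !defined(EXPLICIT_32BIT)) || defined(EXPLICIT_64BIT)
C_ASSERT(FIELD_OFFSET(STRUCT(PEB), Mutant) == 0x08);
C_ASSERT(FIELD_OFFSET(STRUCT(PEB), Ldr) == 0x18);
C_ASSERT(FIELD_OFFSET(STRUCT(PEB), FastPebLock) == 0x038);
C_ASSERT(FIELD_OFFSET(STRUCT(PEB), TlsExpansionCounter) == 0x070);
C_ASSERT(FIELD_OFFSET(STRUCT(PEB), NtGlobalFlag) == 0x0BC);
C_ASSERT(FIELD_OFFSET(STRUCT(PEB), GdiSharedHandleTable) == 0x0F8);
C_ASSERT(FIELD_OFFSET(STRUCT(PEB), LoaderLock) == 0x110);
C_ASSERT(FIELD_OFFSET(STRUCT(PEB), ImageSubsystem) == 0x128);
C_ASSERT(FIELD_OFFSET(STRUCT(PEB), ImageProcessAffinityMask) == 0x138);
C_ASSERT(FIELD_OFFSET(STRUCT(PEB), PostProcessInitRoutine) == 0x230);
C_ASSERT(FIELD_OFFSET(STRUCT(PEB), SessionId) == 0x2C0);
#if (NTDDI_VERSION >= NTDDI_WS03)
C_ASSERT(FIELD_OFFSET(STRUCT(PEB), FlsHighIndex) == 0x350);
#endif
#else
C_ASSERT(FIELD_OFFSET(STRUCT(PEB), Mutant) == 0x04);
C_ASSERT(FIELD_OFFSET(STRUCT(PEB), Ldr) == 0x0C);
C_ASSERT(FIELD_OFFSET(STRUCT(PEB), FastPebLock) == 0x01C);
C_ASSERT(FIELD_OFFSET(STRUCT(PEB), TlsExpansionCounter) == 0x03C);
C_ASSERT(FIELD_OFFSET(STRUCT(PEB), NtGlobalFlag) == 0x068);
C_ASSERT(FIELD_OFFSET(STRUCT(PEB), GdiSharedHandleTable) == 0x094);
C_ASSERT(FIELD_OFFSET(STRUCT(PEB), LoaderLock) == 0x0A0);
C_ASSERT(FIELD_OFFSET(STRUCT(PEB), ImageSubsystem) == 0x0B4);
C_ASSERT(FIELD_OFFSET(STRUCT(PEB), ImageProcessAffinityMask) == 0x0C0);
C_ASSERT(FIELD_OFFSET(STRUCT(PEB), PostProcessInitRoutine) == 0x14C);
C_ASSERT(FIELD_OFFSET(STRUCT(PEB), SessionId) == 0x1D4);
#if (NTDDI_VERSION >= NTDDI_WS03)
C_ASSERT(FIELD_OFFSET(STRUCT(PEB), FlsHighIndex) == 0x22C);
#endif
#endif

#define GDI_BATCH_BUFFER_SIZE 0x136
//
// GDI Batch Descriptor
//
typedef struct STRUCT(_GDI_TEB_BATCH)
{
    ULONG Offset;
    PTR(HANDLE) HDC;
    ULONG Buffer[GDI_BATCH_BUFFER_SIZE];
} STRUCT(GDI_TEB_BATCH), *STRUCT(PGDI_TEB_BATCH);

//
// Thread Environment Block (TEB)
//
typedef struct STRUCT(_TEB)
{
    STRUCT(NT_TIB) NtTib;
    PTR(PVOID) EnvironmentPointer;
    STRUCT(CLIENT_ID) ClientId;
    PTR(PVOID) ActiveRpcHandle;
    PTR(PVOID) ThreadLocalStoragePointer;
    PTR(STRUCT(PPEB)) ProcessEnvironmentBlock;
    ULONG LastErrorValue;
    ULONG CountOfOwnedCriticalSections;
    PTR(PVOID) CsrClientThread;
    PTR(PVOID) Win32ThreadInfo;
    ULONG User32Reserved[26];
    ULONG UserReserved[5];
    PTR(PVOID) WOW32Reserved;
    LCID CurrentLocale;
    ULONG FpSoftwareStatusRegister;
    PTR(PVOID) SystemReserved1[54];
    LONG ExceptionCode;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
    PTR(struct _ACTIVATION_CONTEXT_STACK*) ActivationContextStackPointer;
    // Padding is expressed relative to the pointer width so both views line up.
    UCHAR SpareBytes1[0x30 - 3 * sizeof(PTR(PVOID))];
    ULONG TxFsContext;
#elif (NTDDI_VERSION >= NTDDI_WS03)
    PTR(struct _ACTIVATION_CONTEXT_STACK*) ActivationContextStackPointer;
    UCHAR SpareBytes1[0x34 - 3 * sizeof(PTR(PVOID))];
#else
    // NOTE(review): not wrapped in STRUCT(); this pre-WS03 branch is only
    // correct for the native view unless ACTIVATION_CONTEXT_STACK32/64 exist.
    ACTIVATION_CONTEXT_STACK ActivationContextStack;
    UCHAR SpareBytes1[24];
#endif
    STRUCT(GDI_TEB_BATCH) GdiTebBatch;
    STRUCT(CLIENT_ID) RealClientId;
    PTR(PVOID) GdiCachedProcessHandle;
    ULONG GdiClientPID;
    ULONG GdiClientTID;
    PTR(PVOID) GdiThreadLocalInfo;
    PTR(SIZE_T) Win32ClientInfo[62];
    PTR(PVOID) glDispatchTable[233];
    PTR(SIZE_T) glReserved1[29];
    PTR(PVOID) glReserved2;
    PTR(PVOID) glSectionInfo;
    PTR(PVOID) glSection;
    PTR(PVOID) glTable;
    PTR(PVOID) glCurrentRC;
    PTR(PVOID) glContext;
    NTSTATUS LastStatusValue;
    STRUCT(UNICODE_STRING) StaticUnicodeString;
    WCHAR StaticUnicodeBuffer[261];
    PTR(PVOID) DeallocationStack;
    PTR(PVOID) TlsSlots[64];
    STRUCT(LIST_ENTRY) TlsLinks;
    PTR(PVOID) Vdm;
    PTR(PVOID) ReservedForNtRpc;
    PTR(PVOID) DbgSsReserved[2];
#if (NTDDI_VERSION >= NTDDI_WS03)
    ULONG HardErrorMode;
#else
    ULONG HardErrorsAreDisabled;
#endif
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
    // Instrumentation shrinks by the number of pointer slots ActivityId occupies.
    PTR(PVOID) Instrumentation[13 - sizeof(GUID)/sizeof(PTR(PVOID))];
    GUID ActivityId;
    PTR(PVOID) SubProcessTag;
    PTR(PVOID) EtwLocalData;
    PTR(PVOID) EtwTraceData;
#elif (NTDDI_VERSION >= NTDDI_WS03)
    PTR(PVOID) Instrumentation[14];
    PTR(PVOID) SubProcessTag;
    PTR(PVOID) EtwLocalData;
#else
    PTR(PVOID) Instrumentation[16];
#endif
    PTR(PVOID) WinSockData;
    ULONG GdiBatchCount;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
    BOOLEAN SpareBool0;
    BOOLEAN SpareBool1;
    BOOLEAN SpareBool2;
#else
    BOOLEAN InDbgPrint;
    BOOLEAN FreeStackOnTermination;
    BOOLEAN HasFiberData;
#endif
    UCHAR IdealProcessor;
#if (NTDDI_VERSION >= NTDDI_WS03)
    ULONG GuaranteedStackBytes;
#else
    ULONG Spare3;
#endif
    PTR(PVOID) ReservedForPerf;
    PTR(PVOID) ReservedForOle;
    ULONG WaitingOnLoaderLock;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
    PTR(PVOID) SavedPriorityState;
    PTR(ULONG_PTR) SoftPatchPtr1;
    PTR(ULONG_PTR) ThreadPoolData;
#elif (NTDDI_VERSION >= NTDDI_WS03)
    PTR(ULONG_PTR) SparePointer1;
    PTR(ULONG_PTR) SoftPatchPtr1;
    PTR(ULONG_PTR) SoftPatchPtr2;
#else
    // NOTE(review): not wrapped in STRUCT(); same caveat as ActivationContextStack.
    Wx86ThreadState Wx86Thread;
#endif
    PTR(PVOID*) TlsExpansionSlots;
    /*
     * These two members are part of every 64-bit layout (the ActiveFrame
     * offset pinned below, 0x17C0, only works out with them present), so the
     * EXPLICIT_64BIT view must include them too; the original condition
     * dropped them from that view.
     */
#if (defined(_WIN64) && !defined(EXPLICIT_32BIT)) || defined(EXPLICIT_64BIT)
    PTR(PVOID) DeallocationBStore;
    PTR(PVOID) BStoreLimit;
#endif
    ULONG ImpersonationLocale;
    ULONG IsImpersonating;
    PTR(PVOID) NlsCache;
    PTR(PVOID) pShimData;
    ULONG HeapVirtualAffinity;
    PTR(HANDLE) CurrentTransactionHandle;
    PTR(PTEB_ACTIVE_FRAME) ActiveFrame;
    /*
     * The next four pointers were declared as bare PVOID, which keeps the
     * native view unchanged but gives the explicit views the host's pointer
     * size and alignment; PTR() restores the intended width.  No offset
     * assertion below covers anything past ActiveFrame, so this drift was
     * not caught at compile time.
     */
#if (NTDDI_VERSION >= NTDDI_WS03)
    PTR(PVOID) FlsData;
#endif
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
    // NOTE(review): member name is misspelled ("Langauges"); kept as-is because
    // renaming it would break existing callers.
    PTR(PVOID) PreferredLangauges;
    PTR(PVOID) UserPrefLanguages;
    PTR(PVOID) MergedPrefLanguages;
    ULONG MuiImpersonation;
    union
    {
        struct
        {
            USHORT SpareCrossTebFlags:16;
        };
        USHORT CrossTebFlags;
    };
    union
    {
        struct
        {
            USHORT DbgSafeThunkCall:1;
            USHORT DbgInDebugPrint:1;
            USHORT DbgHasFiberData:1;
            USHORT DbgSkipThreadAttach:1;
            USHORT DbgWerInShipAssertCode:1;
            USHORT DbgIssuedInitialBp:1;
            USHORT DbgClonedThread:1;
            USHORT SpareSameTebBits:9;
        };
        USHORT SameTebFlags;
    };
    PTR(PVOID) TxnScopeEntercallback;
    PTR(PVOID) TxnScopeExitCAllback;
    PTR(PVOID) TxnScopeContext;
    ULONG LockCount;
    ULONG ProcessRundown;
    ULONG64 LastSwitchTime;
    ULONG64 TotalSwitchOutTime;
    LARGE_INTEGER WaitReasonBitMap;
#else
    BOOLEAN SafeThunkCall;
    BOOLEAN BooleanSpare[3];
#endif
} STRUCT(TEB), *STRUCT(PTEB);

/*
 * Offset pins for the TEB; same selection rule as for the PEB above.
 * HardErrorMode only exists for NTDDI_WS03 and later, so its pin is guarded
 * like FlsHighIndex.  A duplicated WaitingOnLoaderLock pin has been dropped.
 */
#if (defined(_WIN64) && !defined(EXPLICIT_32BIT)) || defined(EXPLICIT_64BIT)
C_ASSERT(FIELD_OFFSET(STRUCT(TEB), EnvironmentPointer) == 0x038);
C_ASSERT(FIELD_OFFSET(STRUCT(TEB), ExceptionCode) == 0x2C0);
C_ASSERT(FIELD_OFFSET(STRUCT(TEB), GdiTebBatch) == 0x2F0);
C_ASSERT(FIELD_OFFSET(STRUCT(TEB), LastStatusValue) == 0x1250);
C_ASSERT(FIELD_OFFSET(STRUCT(TEB), Vdm) == 0x1690);
#if (NTDDI_VERSION >= NTDDI_WS03)
C_ASSERT(FIELD_OFFSET(STRUCT(TEB), HardErrorMode) == 0x16B0);
#endif
C_ASSERT(FIELD_OFFSET(STRUCT(TEB), GdiBatchCount) == 0x1740);
C_ASSERT(FIELD_OFFSET(STRUCT(TEB), IdealProcessor) == 0x1747);
C_ASSERT(FIELD_OFFSET(STRUCT(TEB), WaitingOnLoaderLock) == 0x1760);
C_ASSERT(FIELD_OFFSET(STRUCT(TEB), TlsExpansionSlots) == 0x1780);
C_ASSERT(FIELD_OFFSET(STRUCT(TEB), ActiveFrame) == 0x17C0);
#else
C_ASSERT(FIELD_OFFSET(STRUCT(TEB), EnvironmentPointer) == 0x01C);
C_ASSERT(FIELD_OFFSET(STRUCT(TEB), ExceptionCode) == 0x1A4);
C_ASSERT(FIELD_OFFSET(STRUCT(TEB), GdiTebBatch) == 0x1D4);
C_ASSERT(FIELD_OFFSET(STRUCT(TEB), LastStatusValue) == 0xBF4);
C_ASSERT(FIELD_OFFSET(STRUCT(TEB), Vdm) == 0xF18);
C_ASSERT(FIELD_OFFSET(STRUCT(TEB), GdiBatchCount) == 0xF70);
C_ASSERT(FIELD_OFFSET(STRUCT(TEB), TlsExpansionSlots) == 0xF94);
C_ASSERT(FIELD_OFFSET(STRUCT(TEB), ActiveFrame) == 0xFB0);
#endif

/* Helper macros are file-local; leave nothing behind for later includes. */
#undef PTR
#undef STRUCT
#undef PASTE
#undef PASTE2
#undef GDI_HANDLE_BUFFER_SIZE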