
Commit 2b64a6d

committed
Add definition for _TEB
1 parent 5d7e074 commit 2b64a6d

6 files changed

Lines changed: 1916 additions & 1719 deletions


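--- /dev/null
+++ b/PATH-NOT-ON-PAGE-1
@@ -0,0 +1,29 @@
+/* Structures that do not depends on anything other that basic type
+Simplify structure dependancy file graph
+*/
+
+typedef struct _LIST_ENTRY {
+struct _LIST_ENTRY *Flink;
+struct _LIST_ENTRY *Blink;
+} LIST_ENTRY, *PLIST_ENTRY, *RESTRICTED_POINTER PRLIST_ENTRY;
+
+typedef struct _LSA_UNICODE_STRING {
+USHORT Length;
+USHORT MaximumLength;
+PVOID Buffer; // PVOID to prevent ctypes to automatically read the content of the buffer till a \0
+} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;
+
+typedef struct _CLIENT_ID{
+HANDLE UniqueProcess;
+HANDLE UniqueThread;
+} CLIENT_ID, *PCLIENT_ID;
+
+typedef struct _CLIENT_ID64{
+ULONG64 UniqueProcess;
+ULONG64 UniqueThread;
+} CLIENT_ID64, *PCLIENT_ID64;
+
+typedef struct _CLIENT_ID32{
+ULONG UniqueProcess;
+ULONG UniqueThread;
+} CLIENT_ID32, *PCLIENT_ID32;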
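Review bot: The header comment on lines 1–2 reads awkwardly and has typos (`do not depends on anything other that basic type`, `dependancy`); suggested wording: `/* Structures that depend only on basic types; keeps the structure dependency graph simple */`. The `Buffer` comment on `_LSA_UNICODE_STRING` explains why the field is `PVOID` but not what a reader of it must do: since `Length`/`MaximumLength` are byte counts in the Windows definition and the buffer is not guaranteed to be NUL-terminated, a comment such as `// not NUL-terminated: read at most Length bytes (a byte count, not a character count)` would stop callers from treating it as a C string. Brace placement also differs between `_LIST_ENTRY {` and `_CLIENT_ID{`; pick one form for the file.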
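--- /dev/null
+++ b/PATH-NOT-ON-PAGE-2
@@ -0,0 +1,227 @@
+/* This is the part of RTL_USER_PROCESS_PARAMETERS that works from XP to Windows 10
+http://terminus.rewolf.pl/terminus/structures/ntdll/_RTL_USER_PROCESS_PARAMETERS_x86.html
+*/
+
+typedef struct _CURDIR
+{
+UNICODE_STRING DosPath;
+PVOID Handle;
+} CURDIR, *PCURDIR;
+
+typedef struct _RTL_DRIVE_LETTER_CURDIR
+{
+WORD Flags;
+WORD Length;
+ULONG TimeStamp;
+UNICODE_STRING DosPath;
+} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;
+
+typedef struct _RTL_USER_PROCESS_PARAMETERS
+{
+ULONG MaximumLength;
+ULONG Length;
+ULONG Flags;
+ULONG DebugFlags;
+PVOID ConsoleHandle;
+ULONG ConsoleFlags;
+PVOID StandardInput;
+PVOID StandardOutput;
+PVOID StandardError;
+CURDIR CurrentDirectory;
+UNICODE_STRING DllPath;
+UNICODE_STRING ImagePathName;
+UNICODE_STRING CommandLine;
+PVOID Environment;
+ULONG StartingX;
+ULONG StartingY;
+ULONG CountX;
+ULONG CountY;
+ULONG CountCharsX;
+ULONG CountCharsY;
+ULONG FillAttribute;
+ULONG WindowFlags;
+ULONG ShowWindowFlags;
+UNICODE_STRING WindowTitle;
+UNICODE_STRING DesktopInfo;
+UNICODE_STRING ShellInfo;
+UNICODE_STRING RuntimeData;
+RTL_DRIVE_LETTER_CURDIR CurrentDirectores[32];
+} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
+
+// PEB: Thank to
+// https://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
+// http://blog.rewolf.pl/blog/?p=573
+// http://terminus.rewolf.pl/terminus/structures/ntdll/_PEB_combined.html
+
+typedef struct _LDR_DATA_TABLE_ENTRY {
+PVOID Reserved1[2];
+LIST_ENTRY InMemoryOrderLinks;
+PVOID Reserved2[2];
+PVOID DllBase;
+PVOID EntryPoint;
+PVOID SizeOfImage;
+UNICODE_STRING FullDllName;
+UNICODE_STRING BaseDllName;
+PVOID Reserved5[3];
+ULONG CheckSum;
+ULONG TimeDateStamp;
+} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
+
+typedef struct _PEB_LDR_DATA {
+BYTE Reserved1[8];
+PVOID Reserved2[3];
+LIST_ENTRY InMemoryOrderModuleList;
+} PEB_LDR_DATA, *PPEB_LDR_DATA;
+
+
+
+typedef union _ANON_PEB_SYSTEM_DEPENDENT_02 {
+PVOID FastPebLockRoutine;
+PVOID SparePtr1;
+PVOID AtlThunkSListPtr;
+};
+
+typedef union _ANON_PEB_SYSTEM_DEPENDENT_03 {
+PVOID FastPebUnlockRoutine;
+PVOID SparePtr2;
+PVOID IFEOKey;
+};
+
+
+typedef union _ANON_PEB_SYSTEM_DEPENDENT_06 {
+PVOID FreeList;
+PVOID SparePebPtr0;
+PVOID ApiSetMap;
+};
+
+typedef union _ANON_PEB_SYSTEM_DEPENDENT_07 {
+PVOID ReadOnlySharedMemoryHeap;
+PVOID HotpatchInformation;
+PVOID SparePvoid0;
+};
+
+
+typedef union _ANON_PEB_UNION_1 {
+PVOID KernelCallbackTable;
+PVOID UserSharedInfoPtr;
+};
+
+typedef union _ANON_PEB_UNION_2 {
+PVOID ImageProcessAffinityMask;
+PVOID ActiveProcessAffinityMask;
+};
+
+typedef struct _PEB {
+BYTE Reserved1[2];
+BYTE BeingDebugged;
+BYTE Reserved2[1];
+PVOID Mutant;
+PVOID ImageBaseAddress;
+PPEB_LDR_DATA Ldr;
+PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
+PVOID SubSystemData;
+PVOID ProcessHeap;
+PVOID FastPebLock;
+_ANON_PEB_SYSTEM_DEPENDENT_02 _SYSTEM_DEPENDENT_02;
+_ANON_PEB_SYSTEM_DEPENDENT_03 _SYSTEM_DEPENDENT_03;
+PVOID _SYSTEM_DEPENDENT_04;
+union {
+PVOID KernelCallbackTable;
+PVOID UserSharedInfoPtr;
+};
+DWORD SystemReserved;
+DWORD _SYSTEM_DEPENDENT_05;
+_ANON_PEB_SYSTEM_DEPENDENT_06 _SYSTEM_DEPENDENT_06;
+PVOID TlsExpansionCounter;
+PVOID TlsBitmap;
+DWORD TlsBitmapBits[2];
+PVOID ReadOnlySharedMemoryBase;
+_ANON_PEB_SYSTEM_DEPENDENT_07 _SYSTEM_DEPENDENT_07;
+PVOID ReadOnlyStaticServerData;
+PVOID AnsiCodePageData;
+PVOID OemCodePageData;
+PVOID UnicodeCaseTableData;
+DWORD NumberOfProcessors;
+DWORD NtGlobalFlag;
+LARGE_INTEGER CriticalSectionTimeout;
+PVOID HeapSegmentReserve;
+PVOID HeapSegmentCommit;
+PVOID HeapDeCommitTotalFreeThreshold;
+PVOID HeapDeCommitFreeBlockThreshold;
+DWORD NumberOfHeaps;
+DWORD MaximumNumberOfHeaps;
+PVOID ProcessHeaps;
+PVOID GdiSharedHandleTable;
+PVOID ProcessStarterHelper;
+PVOID GdiDCAttributeList;
+PVOID LoaderLock;
+DWORD OSMajorVersion;
+DWORD OSMinorVersion;
+WORD OSBuildNumber;
+WORD OSCSDVersion;
+DWORD OSPlatformId;
+DWORD ImageSubsystem;
+DWORD ImageSubsystemMajorVersion;
+PVOID ImageSubsystemMinorVersion;
+union {
+PVOID ImageProcessAffinityMask;
+PVOID ActiveProcessAffinityMask;
+};
+PVOID GdiHandleBuffer[26];
+BYTE GdiHandleBuffer2[32];
+PVOID PostProcessInitRoutine;
+PVOID TlsExpansionBitmap;
+DWORD TlsExpansionBitmapBits[32];
+PVOID SessionId;
+ULARGE_INTEGER AppCompatFlags;
+ULARGE_INTEGER AppCompatFlagsUser;
+PVOID pShimData;
+PVOID AppCompatInfo;
+UNICODE_STRING CSDVersion;
+PVOID ActivationContextData;
+PVOID ProcessAssemblyStorageMap;
+PVOID SystemDefaultActivationContextData;
+PVOID SystemAssemblyStorageMap;
+PVOID MinimumStackCommit;
+} PEB, *PPEB;
+
+
+/* Partial TEB description
+Based on:
+- fields that did not move since XP
+- https://learn.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-teb
+*/
+
+typedef struct _EXCEPTION_REGISTRATION_RECORD {
+_EXCEPTION_REGISTRATION_RECORD *Next;
+PVOID Handler;
+};
+
+typedef struct _NT_TIB {
+_EXCEPTION_REGISTRATION_RECORD *ExceptionList;
+PVOID StackBase;
+PVOID StackLimit;
+PVOID SubSystemTib;
+PVOID FiberData;
+ULONG Version;
+PVOID ArbitraryUserPointer;
+_NT_TIB *Self;
+};
+
+typedef struct _TEB {
+_NT_TIB NtTib;
+PVOID EnvironmentPointer;
+_CLIENT_ID ClientId;
+PVOID ActiveRpcHandle;
+PVOID ThreadLocalStoragePointer;
+_PEB *ProcessEnvironmentBlock;
+ULONG LastErrorValue;
+ULONG CountOfOwnedCriticalSections;
+PVOID CsrClientThread;
+PVOID Win32ThreadInfo;
+ULONG User32Reserved[26];
+ULONG UserReserved[5];
+PVOID WOW32Reserved;
+ULONG CurrentLocale;
+ULONG FpSoftwareStatusRegister;
+} TEB;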
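Review bot: The three TEB-related definitions at the end of the section do not follow the naming pattern the rest of the file establishes: `_EXCEPTION_REGISTRATION_RECORD` and `_NT_TIB` are typedef'd without any typedef name (their closing line is a bare `};`) and `_TEB` gets `TEB` but no `PTEB`, whereas every earlier struct ends `} NAME, *PNAME;`; suggested closing lines are `} EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD;`, `} NT_TIB, *PNT_TIB;` and `} TEB, *PTEB;`. Their fields then name the bare tags (`_NT_TIB NtTib;`, `_CLIENT_ID ClientId;`, `_PEB *ProcessEnvironmentBlock;`, and the `_ANON_PEB_SYSTEM_DEPENDENT_*` members of `_PEB`), which presumably relies on the project's own parser; a C compiler would require the `struct`/`union` keyword or the typedef name, so using the typedef names here would keep the file portable either way. `_ANON_PEB_UNION_1` and `_ANON_PEB_UNION_2` look unused, since `_PEB` repeats their members as inline anonymous unions instead of referencing them. Because the header comment calls the TEB partial, it is worth stating the consequence next to it, e.g. `/* sizeof(TEB) is smaller than the real TEB: read fields in place, never copy or allocate by this size */`.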
