Add V1 of ctypes_definition for TEB

hakril · hakril · commit 3818bb2e3dc8 · 2025-01-31T13:46:11.000+01:00
diff --git a/ctypes_generation/definitions/functions/process.txt b/ctypes_generation/definitions/functions/process.txt
@@ -63,4 +63,10 @@ HMODULE LoadLibraryExW(
 
 BOOL FreeLibrary(
   HMODULE hLibModule
-);
+);
+
+
+/* Not documented by seems present since dawn of time (WRK)
+    I Prefere PVOID as a return value to allow simple cast to PEB subclass in process.py*/
+
+PVOID RtlGetCurrentPeb ();
diff --git a/ctypes_generation/definitions/structures/teb_peb.txt b/ctypes_generation/definitions/structures/teb_peb.txt
@@ -198,15 +198,17 @@ typedef struct _EXCEPTION_REGISTRATION_RECORD {
 };
 
 typedef struct _NT_TIB {
-    _EXCEPTION_REGISTRATION_RECORD *ExceptionList;
-    PVOID               StackBase;
-    PVOID               StackLimit;
-    PVOID               SubSystemTib;
-    PVOID               FiberData;
-    ULONG               Version;
-    PVOID               ArbitraryUserPointer;
-    _NT_TIB             *Self;
-};
+    struct _EXCEPTION_REGISTRATION_RECORD *ExceptionList;
+    PVOID StackBase;
+    PVOID StackLimit;
+    PVOID SubSystemTib;
+    union {
+        PVOID FiberData;
+        // ULONG Version; // Sub-union break remotectypes generation for now -> Ignore this field until fixed
+    };
+    PVOID ArbitraryUserPointer;
+    struct _NT_TIB *Self;
+} NT_TIB;
 
 typedef struct _TEB {
     _NT_TIB             NtTib;
diff --git a/ctypes_generation/winstruct.py b/ctypes_generation/winstruct.py
@@ -123,8 +123,9 @@ def prepare_anon_struct(self):
 
     def generate_selfref_ctypes_class(self):
         res = ["# Self referencing struct tricks"]
-        res += ["""class {0}(Structure): pass""".format(self.name)]
-        # res += [self.generate_anonymous_union()]
+        res += ["""class {0}(Structure):""".format(self.name)]
+        # We need some code in the def of anon is empty -> insert path
+        res += [self.generate_anonymous_union() or "    pass"]
         res += [self.generate_typedef_ctypes()]
 
         if self.pack:
diff --git a/docs/source/winfuncs_generated.rst b/docs/source/winfuncs_generated.rst
@@ -696,6 +696,8 @@ Functions
 
 .. function:: FreeLibrary(hLibModule)
 
+.. function:: RtlGetCurrentPeb()
+
 .. function:: RegQueryValueExA(hKey, lpValueName, lpReserved, lpType, lpData, lpcbData)
 
 .. function:: RegQueryValueExW(hKey, lpValueName, lpReserved, lpType, lpData, lpcbData)
diff --git a/docs/source/winstructs_generated.rst b/docs/source/winstructs_generated.rst
@@ -11066,6 +11066,10 @@ _EXCEPTION_REGISTRATION_RECORD
 
 _NT_TIB
 '''''''
+.. class:: NT_TIB
+
+    Alias for :class:`_NT_TIB`
+
 .. class:: _NT_TIB
 
     .. attribute:: ExceptionList
@@ -11088,14 +11092,9 @@ _NT_TIB
         :class:`PVOID`
 
 
-    .. attribute:: FiberData
-
-        :class:`PVOID`
-
-
-    .. attribute:: Version
+    .. attribute:: anon_01
 
-        :class:`ULONG`
+        :class:`_ANON__NT_TIB_SUB_UNION_1`
 
 
     .. attribute:: ArbitraryUserPointer
diff --git a/tests/test_generated_def.py b/tests/test_generated_def.py
@@ -12,11 +12,25 @@ def assert_struct_offset(struct, field, offset):
 if windows.current_process.bitness == 32:
     PEB32 = windows.generated_def.PEB
     PEB64 = rctypes.transform_type_to_remote64bits(windows.generated_def.PEB)
+    
+    TEB32 = windows.generated_def.TEB
+    TEB64 = rctypes.transform_type_to_remote64bits(windows.generated_def.TEB)
+    
+    NT_TIB32 = windows.generated_def.NT_TIB
+    NT_TIB64 = rctypes.transform_type_to_remote64bits(windows.generated_def.NT_TIB)
+    
     SYSTEM_PROCESS_INFORMATION32 = windows.generated_def.SYSTEM_PROCESS_INFORMATION
     SYSTEM_PROCESS_INFORMATION64 = rctypes.transform_type_to_remote64bits(windows.generated_def.SYSTEM_PROCESS_INFORMATION)
 else:
     PEB32 = rctypes.transform_type_to_remote32bits(windows.generated_def.PEB)
     PEB64 = windows.generated_def.PEB
+    
+    TEB32 = rctypes.transform_type_to_remote32bits(windows.generated_def.TEB)
+    TEB64 = windows.generated_def.TEB
+    
+    NT_TIB32 = rctypes.transform_type_to_remote32bits(windows.generated_def.NT_TIB)
+    NT_TIB64 = windows.generated_def.NT_TIB
+    
     SYSTEM_PROCESS_INFORMATION32 = rctypes.transform_type_to_remote32bits(windows.generated_def.SYSTEM_PROCESS_INFORMATION)
     SYSTEM_PROCESS_INFORMATION64 = windows.generated_def.SYSTEM_PROCESS_INFORMATION
 
@@ -53,6 +67,29 @@ def test_peb64_fields():
     assert_peb_offset("CSDVersion", 0x02E8)
     assert_peb_offset("MinimumStackCommit", 0x0318)
 
+# Important to the the current TEB via Self
+def test_nt_tib32_fields():
+    assert_nt_tib_offset = lambda field, offset: assert_struct_offset(NT_TIB32, field, offset)
+    assert_nt_tib_offset("ExceptionList", 0)
+    assert_nt_tib_offset("StackBase", 4)
+    assert_nt_tib_offset("StackLimit", 8)
+    assert_nt_tib_offset("SubSystemTib", 0xc)
+    assert_nt_tib_offset("FiberData", 0x10)
+    # assert_nt_tib_offset("Version", 0x14)
+    assert_nt_tib_offset("ArbitraryUserPointer",  0x14)
+    assert_nt_tib_offset("Self", 0x18) # Important !
+
+def test_nt_tib64_fields():
+    assert_nt_tib_offset = lambda field, offset: assert_struct_offset(NT_TIB64, field, offset)
+    assert_nt_tib_offset("ExceptionList", 0)
+    assert_nt_tib_offset("StackBase", 8)
+    assert_nt_tib_offset("StackLimit", 0x10)
+    assert_nt_tib_offset("SubSystemTib", 0x18)
+    assert_nt_tib_offset("FiberData", 0x20)
+    # assert_nt_tib_offset("Version", 0x28)
+    assert_nt_tib_offset("ArbitraryUserPointer",  0x28)
+    assert_nt_tib_offset("Self", 0x30) # Important !
+
 def test_system_process_information32_fields():
     assert_spi_offset = lambda field, offset: assert_struct_offset(SYSTEM_PROCESS_INFORMATION32, field, offset)
     # Mainly based on https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/sysinfo/process.htm
