1 #define PASTE2(x,y) x##y
2 #define PASTE(x,y) PASTE2(x,y)
5 #define STRUCT(x) PASTE(x,32)
7 #elif defined(EXPLICIT_64BIT)
8 #define STRUCT(x) PASTE(x,64)
15 #if (defined(_WIN64) && !defined(EXPLICIT_32BIT)) || defined(EXPLICIT_64BIT)
16 #define GDI_HANDLE_BUFFER_SIZE 60
18 #define GDI_HANDLE_BUFFER_SIZE 34
21 #if defined(_NTDDK_INCLUDED_) || defined(_NTIFS_)
22 #define PPEB PPEB_RENAMED
25 typedef struct STRUCT(_PEB
)
27 BOOLEAN InheritedAddressSpace
;
28 BOOLEAN ReadImageFileExecOptions
;
29 BOOLEAN BeingDebugged
;
30 #if (NTDDI_VERSION >= NTDDI_WS03)
36 BOOLEAN ImageUsesLargePages
:1;
37 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
38 BOOLEAN IsProtectedProcess
:1;
39 BOOLEAN IsLegacyProcess
:1;
40 BOOLEAN IsImageDynamicallyRelocated
:1;
41 BOOLEAN SkipPatchingUser32Forwarders
:1;
52 PTR(PVOID
) ImageBaseAddress
;
53 PTR(PPEB_LDR_DATA
) Ldr
;
54 PTR(struct _RTL_USER_PROCESS_PARAMETERS
*) ProcessParameters
;
55 PTR(PVOID
) SubSystemData
;
56 PTR(PVOID
) ProcessHeap
;
57 PTR(struct _RTL_CRITICAL_SECTION
*) FastPebLock
;
58 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
59 PTR(PVOID
) AltThunkSListPtr
;
63 ULONG CrossProcessFlags
;
67 ULONG ProcessInitializing
:1;
68 ULONG ProcessUsingVEH
:1;
69 ULONG ProcessUsingVCH
:1;
70 ULONG ReservedBits0
:28;
75 PTR(PVOID
) KernelCallbackTable
;
76 PTR(PVOID
) UserSharedInfoPtr
;
78 #elif (NTDDI_VERSION >= NTDDI_WS03)
79 PTR(PVOID
) AltThunkSListPtr
;
81 ULONG EnvironmentUpdateCount
;
82 PTR(PVOID
) KernelCallbackTable
;
84 PTR(PPEBLOCKROUTINE
) FastPebLockRoutine
;
85 PTR(PPEBLOCKROUTINE
) FastPebUnlockRoutine
;
86 ULONG EnvironmentUpdateCount
;
87 PTR(PVOID
) KernelCallbackTable
;
89 ULONG SystemReserved
[1];
90 ULONG SpareUlong
; // AtlThunkSListPtr32
91 PTR(PPEB_FREE_BLOCK
) FreeList
;
92 ULONG TlsExpansionCounter
;
94 ULONG TlsBitmapBits
[2];
95 PTR(PVOID
) ReadOnlySharedMemoryBase
;
96 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
97 PTR(PVOID
) HotpatchInformation
;
99 PTR(PVOID
) ReadOnlySharedMemoryHeap
;
101 PTR(PVOID
*) ReadOnlyStaticServerData
;
102 PTR(PVOID
) AnsiCodePageData
;
103 PTR(PVOID
) OemCodePageData
;
104 PTR(PVOID
) UnicodeCaseTableData
;
105 ULONG NumberOfProcessors
;
107 LARGE_INTEGER CriticalSectionTimeout
;
108 PTR(ULONG_PTR
) HeapSegmentReserve
;
109 PTR(ULONG_PTR
) HeapSegmentCommit
;
110 PTR(ULONG_PTR
) HeapDeCommitTotalFreeThreshold
;
111 PTR(ULONG_PTR
) HeapDeCommitFreeBlockThreshold
;
113 ULONG MaximumNumberOfHeaps
;
114 PTR(PVOID
*) ProcessHeaps
;
115 PTR(PVOID
) GdiSharedHandleTable
;
116 PTR(PVOID
) ProcessStarterHelper
;
117 ULONG GdiDCAttributeList
;
118 PTR(struct _RTL_CRITICAL_SECTION
*) LoaderLock
;
119 ULONG OSMajorVersion
;
120 ULONG OSMinorVersion
;
121 USHORT OSBuildNumber
;
124 ULONG ImageSubsystem
;
125 ULONG ImageSubsystemMajorVersion
;
126 ULONG ImageSubsystemMinorVersion
;
127 PTR(ULONG_PTR
) ImageProcessAffinityMask
;
128 ULONG GdiHandleBuffer
[GDI_HANDLE_BUFFER_SIZE
];
129 PTR(PPOST_PROCESS_INIT_ROUTINE
) PostProcessInitRoutine
;
130 PTR(PVOID
) TlsExpansionBitmap
;
131 ULONG TlsExpansionBitmapBits
[32];
133 #if (NTDDI_VERSION >= NTDDI_WINXP)
134 ULARGE_INTEGER AppCompatFlags
;
135 ULARGE_INTEGER AppCompatFlagsUser
;
136 PTR(PVOID
) pShimData
;
137 PTR(PVOID
) AppCompatInfo
;
138 STRUCT(UNICODE_STRING
) CSDVersion
;
139 PTR(struct _ACTIVATION_CONTEXT_DATA
*) ActivationContextData
;
140 PTR(struct _ASSEMBLY_STORAGE_MAP
*) ProcessAssemblyStorageMap
;
141 PTR(struct _ACTIVATION_CONTEXT_DATA
*) SystemDefaultActivationContextData
;
142 PTR(struct _ASSEMBLY_STORAGE_MAP
*) SystemAssemblyStorageMap
;
143 PTR(ULONG_PTR
) MinimumStackCommit
;
145 #if (NTDDI_VERSION >= NTDDI_WS03)
146 PTR(PVOID
*) FlsCallback
;
147 STRUCT(LIST_ENTRY
) FlsListHead
;
148 PTR(PVOID
) FlsBitmap
;
149 ULONG FlsBitmapBits
[4]; // [FLS_MAXIMUM_AVAILABLE/(sizeof(ULONG)*8)];
152 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
153 PTR(PVOID
) WerRegistrationData
;
154 PTR(PVOID
) WerShipAssertPtr
;
156 } STRUCT(PEB
), *STRUCT(PPEB
);
160 #if defined(_WIN64) && !defined(EXPLICIT_32BIT)
161 C_ASSERT(FIELD_OFFSET(STRUCT(PEB
), Mutant
) == 0x08);
162 C_ASSERT(FIELD_OFFSET(STRUCT(PEB
), Ldr
) == 0x18);
163 C_ASSERT(FIELD_OFFSET(STRUCT(PEB
), FastPebLock
) == 0x038);
164 C_ASSERT(FIELD_OFFSET(STRUCT(PEB
), TlsExpansionCounter
) == 0x070);
165 C_ASSERT(FIELD_OFFSET(STRUCT(PEB
), NtGlobalFlag
) == 0x0BC);
166 C_ASSERT(FIELD_OFFSET(STRUCT(PEB
), GdiSharedHandleTable
) == 0x0F8);
167 C_ASSERT(FIELD_OFFSET(STRUCT(PEB
), LoaderLock
) == 0x110);
168 C_ASSERT(FIELD_OFFSET(STRUCT(PEB
), ImageSubsystem
) == 0x128);
169 C_ASSERT(FIELD_OFFSET(STRUCT(PEB
), ImageProcessAffinityMask
) == 0x138);
170 C_ASSERT(FIELD_OFFSET(STRUCT(PEB
), PostProcessInitRoutine
) == 0x230);
171 C_ASSERT(FIELD_OFFSET(STRUCT(PEB
), SessionId
) == 0x2C0);
172 #if (NTDDI_VERSION >= NTDDI_WS03)
173 C_ASSERT(FIELD_OFFSET(STRUCT(PEB
), FlsHighIndex
) == 0x350);
176 C_ASSERT(FIELD_OFFSET(STRUCT(PEB
), Mutant
) == 0x04);
177 C_ASSERT(FIELD_OFFSET(STRUCT(PEB
), Ldr
) == 0x0C);
178 C_ASSERT(FIELD_OFFSET(STRUCT(PEB
), FastPebLock
) == 0x01C);
179 C_ASSERT(FIELD_OFFSET(STRUCT(PEB
), TlsExpansionCounter
) == 0x03C);
180 C_ASSERT(FIELD_OFFSET(STRUCT(PEB
), NtGlobalFlag
) == 0x068);
181 C_ASSERT(FIELD_OFFSET(STRUCT(PEB
), GdiSharedHandleTable
) == 0x094);
182 C_ASSERT(FIELD_OFFSET(STRUCT(PEB
), LoaderLock
) == 0x0A0);
183 C_ASSERT(FIELD_OFFSET(STRUCT(PEB
), ImageSubsystem
) == 0x0B4);
184 C_ASSERT(FIELD_OFFSET(STRUCT(PEB
), ImageProcessAffinityMask
) == 0x0C0);
185 C_ASSERT(FIELD_OFFSET(STRUCT(PEB
), PostProcessInitRoutine
) == 0x14C);
186 C_ASSERT(FIELD_OFFSET(STRUCT(PEB
), SessionId
) == 0x1D4);
187 #if (NTDDI_VERSION >= NTDDI_WS03)
188 C_ASSERT(FIELD_OFFSET(STRUCT(PEB
), FlsHighIndex
) == 0x22C);
192 #define GDI_BATCH_BUFFER_SIZE 0x136
194 // GDI Batch Descriptor
196 typedef struct STRUCT(_GDI_TEB_BATCH
)
200 ULONG Buffer
[GDI_BATCH_BUFFER_SIZE
];
201 } STRUCT(GDI_TEB_BATCH
), *STRUCT(PGDI_TEB_BATCH
);
204 // Thread Environment Block (TEB)
206 typedef struct STRUCT(_TEB
)
208 STRUCT(NT_TIB
) NtTib
;
209 PTR(PVOID
) EnvironmentPointer
;
210 STRUCT(CLIENT_ID
) ClientId
;
211 PTR(PVOID
) ActiveRpcHandle
;
212 PTR(PVOID
) ThreadLocalStoragePointer
;
213 PTR(STRUCT(PPEB
)) ProcessEnvironmentBlock
;
214 ULONG LastErrorValue
;
215 ULONG CountOfOwnedCriticalSections
;
216 PTR(PVOID
) CsrClientThread
;
217 PTR(PVOID
) Win32ThreadInfo
;
218 ULONG User32Reserved
[26];
219 ULONG UserReserved
[5];
220 PTR(PVOID
) WOW32Reserved
;
222 ULONG FpSoftwareStatusRegister
;
223 PTR(PVOID
) SystemReserved1
[54];
225 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
226 PTR(struct _ACTIVATION_CONTEXT_STACK
*) ActivationContextStackPointer
;
227 UCHAR SpareBytes1
[0x30 - 3 * sizeof(PTR(PVOID
))];
229 #elif (NTDDI_VERSION >= NTDDI_WS03)
230 PTR(struct _ACTIVATION_CONTEXT_STACK
*) ActivationContextStackPointer
;
231 UCHAR SpareBytes1
[0x34 - 3 * sizeof(PTR(PVOID
))];
233 ACTIVATION_CONTEXT_STACK ActivationContextStack
;
234 UCHAR SpareBytes1
[24];
236 STRUCT(GDI_TEB_BATCH
) GdiTebBatch
;
237 STRUCT(CLIENT_ID
) RealClientId
;
238 PTR(PVOID
) GdiCachedProcessHandle
;
241 PTR(PVOID
) GdiThreadLocalInfo
;
242 PTR(SIZE_T
) Win32ClientInfo
[62];
243 PTR(PVOID
) glDispatchTable
[233];
244 PTR(SIZE_T
) glReserved1
[29];
245 PTR(PVOID
) glReserved2
;
246 PTR(PVOID
) glSectionInfo
;
247 PTR(PVOID
) glSection
;
249 PTR(PVOID
) glCurrentRC
;
250 PTR(PVOID
) glContext
;
251 NTSTATUS LastStatusValue
;
252 STRUCT(UNICODE_STRING
) StaticUnicodeString
;
253 WCHAR StaticUnicodeBuffer
[261];
254 PTR(PVOID
) DeallocationStack
;
255 PTR(PVOID
) TlsSlots
[64];
256 STRUCT(LIST_ENTRY
) TlsLinks
;
258 PTR(PVOID
) ReservedForNtRpc
;
259 PTR(PVOID
) DbgSsReserved
[2];
260 #if (NTDDI_VERSION >= NTDDI_WS03)
263 ULONG HardErrorsAreDisabled
;
265 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
266 PTR(PVOID
) Instrumentation
[13 - sizeof(GUID
)/sizeof(PTR(PVOID
))];
268 PTR(PVOID
) SubProcessTag
;
269 PTR(PVOID
) EtwLocalData
;
270 PTR(PVOID
) EtwTraceData
;
271 #elif (NTDDI_VERSION >= NTDDI_WS03)
272 PTR(PVOID
) Instrumentation
[14];
273 PTR(PVOID
) SubProcessTag
;
274 PTR(PVOID
) EtwLocalData
;
276 PTR(PVOID
) Instrumentation
[16];
278 PTR(PVOID
) WinSockData
;
280 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
286 BOOLEAN FreeStackOnTermination
;
287 BOOLEAN HasFiberData
;
289 UCHAR IdealProcessor
;
290 #if (NTDDI_VERSION >= NTDDI_WS03)
291 ULONG GuaranteedStackBytes
;
295 PTR(PVOID
) ReservedForPerf
;
296 PTR(PVOID
) ReservedForOle
;
297 ULONG WaitingOnLoaderLock
;
298 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
299 PTR(PVOID
) SavedPriorityState
;
300 PTR(ULONG_PTR
) SoftPatchPtr1
;
301 PTR(ULONG_PTR
) ThreadPoolData
;
302 #elif (NTDDI_VERSION >= NTDDI_WS03)
303 PTR(ULONG_PTR
) SparePointer1
;
304 PTR(ULONG_PTR
) SoftPatchPtr1
;
305 PTR(ULONG_PTR
) SoftPatchPtr2
;
307 Wx86ThreadState Wx86Thread
;
309 PTR(PVOID
*) TlsExpansionSlots
;
310 #if defined(_WIN64) && !defined(EXPLICIT_32BIT)
311 PTR(PVOID
) DeallocationBStore
;
312 PTR(PVOID
) BStoreLimit
;
314 ULONG ImpersonationLocale
;
315 ULONG IsImpersonating
;
317 PTR(PVOID
) pShimData
;
318 ULONG HeapVirtualAffinity
;
319 PTR(HANDLE
) CurrentTransactionHandle
;
320 PTR(PTEB_ACTIVE_FRAME
) ActiveFrame
;
321 #if (NTDDI_VERSION >= NTDDI_WS03)
324 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
325 PVOID PreferredLangauges
;
326 PVOID UserPrefLanguages
;
327 PVOID MergedPrefLanguages
;
328 ULONG MuiImpersonation
;
333 USHORT SpareCrossTebFlags
:16;
335 USHORT CrossTebFlags
;
341 USHORT DbgSafeThunkCall
:1;
342 USHORT DbgInDebugPrint
:1;
343 USHORT DbgHasFiberData
:1;
344 USHORT DbgSkipThreadAttach
:1;
345 USHORT DbgWerInShipAssertCode
:1;
346 USHORT DbgIssuedInitialBp
:1;
347 USHORT DbgClonedThread
:1;
348 USHORT SpareSameTebBits
:9;
352 PTR(PVOID
) TxnScopeEntercallback
;
353 PTR(PVOID
) TxnScopeExitCAllback
;
354 PTR(PVOID
) TxnScopeContext
;
356 ULONG ProcessRundown
;
357 ULONG64 LastSwitchTime
;
358 ULONG64 TotalSwitchOutTime
;
359 LARGE_INTEGER WaitReasonBitMap
;
361 BOOLEAN SafeThunkCall
;
362 BOOLEAN BooleanSpare
[3];
364 } STRUCT(TEB
), *STRUCT(PTEB
);
366 #if defined(_WIN64) && !defined(EXPLICIT_32BIT)
367 C_ASSERT(FIELD_OFFSET(STRUCT(TEB
), EnvironmentPointer
) == 0x038);
368 C_ASSERT(FIELD_OFFSET(STRUCT(TEB
), ExceptionCode
) == 0x2C0);
369 C_ASSERT(FIELD_OFFSET(STRUCT(TEB
), GdiTebBatch
) == 0x2F0);
370 C_ASSERT(FIELD_OFFSET(STRUCT(TEB
), LastStatusValue
) == 0x1250);
371 C_ASSERT(FIELD_OFFSET(STRUCT(TEB
), Vdm
) == 0x1690);
372 C_ASSERT(FIELD_OFFSET(STRUCT(TEB
), HardErrorMode
) == 0x16B0);
373 C_ASSERT(FIELD_OFFSET(STRUCT(TEB
), GdiBatchCount
) == 0x1740);
374 C_ASSERT(FIELD_OFFSET(STRUCT(TEB
), IdealProcessor
) == 0x1747);
375 C_ASSERT(FIELD_OFFSET(STRUCT(TEB
), WaitingOnLoaderLock
) == 0x1760);
376 C_ASSERT(FIELD_OFFSET(STRUCT(TEB
), TlsExpansionSlots
) == 0x1780);
377 C_ASSERT(FIELD_OFFSET(STRUCT(TEB
), WaitingOnLoaderLock
) == 0x1760);
378 C_ASSERT(FIELD_OFFSET(STRUCT(TEB
), ActiveFrame
) == 0x17C0);
380 C_ASSERT(FIELD_OFFSET(STRUCT(TEB
), EnvironmentPointer
) == 0x01C);
381 C_ASSERT(FIELD_OFFSET(STRUCT(TEB
), ExceptionCode
) == 0x1A4);
382 C_ASSERT(FIELD_OFFSET(STRUCT(TEB
), GdiTebBatch
) == 0x1D4);
383 C_ASSERT(FIELD_OFFSET(STRUCT(TEB
), LastStatusValue
) == 0xBF4);
384 C_ASSERT(FIELD_OFFSET(STRUCT(TEB
), Vdm
) == 0xF18);
385 C_ASSERT(FIELD_OFFSET(STRUCT(TEB
), GdiBatchCount
) == 0xF70);
386 C_ASSERT(FIELD_OFFSET(STRUCT(TEB
), TlsExpansionSlots
) == 0xF94);
387 C_ASSERT(FIELD_OFFSET(STRUCT(TEB
), ActiveFrame
) == 0xFB0);
394 #undef GDI_HANDLE_BUFFER_SIZE