#pragma once
// *************************************************************
//
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements.  See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership.  The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License.  You may obtain a copy of the License at
//
//   http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied.  See the License for the
// specific language governing permissions and limitations
// under the License.
//
// *************************************************************
//
// Internal KERNEL32 object layouts: object-type codes, process/thread
// database flag bits, and the byte-packed structures (MODREF/IMTE, process
// database, TIB, TDBX, thread database) those flags belong to.  The Win16
// task-database and 16-bit thunking fields point at the Windows 9x kernel
// (NOTE(review): presumably; confirm against the target build before
// relying on any offset -- none of this is a documented contract).
//
// Every trailing "// NNh" comment is the field's byte offset from the start
// of its structure.  Those offsets only hold under the #pragma pack(1) that
// precedes the structures.  Fields named un1, un2, ... carry no comment and
// are presumably unidentified slots kept only to preserve the layout.

// Kernel32 objects
//
// Values found in the Type field (offset 00h) of a kernel object header,
// and therefore in PROCESS_DATABASE.Type and THREAD_DATABASE.Type below.

#define K32OBJ_SEMAPHORE            0x1
#define K32OBJ_EVENT                0x2
#define K32OBJ_MUTEX                0x3
#define K32OBJ_CRITICAL_SECTION     0x4
#define K32OBJ_PROCESS              0x5
#define K32OBJ_THREAD               0x6
#define K32OBJ_FILE                 0x7
#define K32OBJ_CHANGE               0x8
#define K32OBJ_CONSOLE              0x9
#define K32OBJ_SCREEN_BUFFER        0xA
#define K32OBJ_MEM_MAPPED_FILE      0xB
#define K32OBJ_SERIAL               0xC
#define K32OBJ_DEVICE_IOCTL         0xD
#define K32OBJ_PIPE                 0xE
#define K32OBJ_MAILSLOT             0xF
#define K32OBJ_TOOLHELP_SNAPSHOT    0x10
#define K32OBJ_SOCKET               0x11


// Process Database flags
//
// Bit values for PROCESS_DATABASE.flags (offset 20h).  The same list is
// repeated as a comment next to that field.  Note the gap: 0x200 and 0x400
// are not named here.

#define fDebugSingle                0x00000001
#define fCreateProcessEvent         0x00000002
#define fExitProcessEvent           0x00000004
#define fWin16Process               0x00000008
#define fDosProcess                 0x00000010
#define fConsoleProcess             0x00000020
#define fFileApisAreOem             0x00000040
#define fNukeProcess                0x00000080
#define fServiceProcess             0x00000100
#define fLoginScriptHack            0x00000800


// Thread Database flags
//
// Bit values for THREAD_DATABASE.Flags (offset 44h); also repeated as a
// comment next to that field.
#define fCreateThreadEvent          0x00000001
#define fCancelExceptionAbort       0x00000002
#define fOnTempStack                0x00000004
#define fGrowableStack              0x00000008
#define fDelaySingleStep            0x00000010
#define fOpenExeAsImmovableFile     0x00000020
#define fCreateSuspended            0x00000040
#define fStackOverflow              0x00000080
#define fNestedCleanAPCs            0x00000100
#define fWasOemNowAnsi              0x00000200
#define fOKToSetThreadOem           0x00000400

#ifdef _MSC_VER
// C4103 is MSVC's "alignment changed after including header" warning.  It
// fires because the pack(1) below is never popped; disabling it silences the
// symptom rather than scoping the packing (a #pragma pack(push,1) /
// #pragma pack(pop) pair around the structures would remove the cause).
#pragma warning(disable:4103)
#endif
// Byte packing.  Required for the hex offsets in the field comments to hold.
// There is no matching pop, so this packing stays in effect for everything
// compiled after this header in the same translation unit.
#pragma pack(1)


// MODREF and IMTE structures
//
// MODREF is the per-process module reference (a singly linked list hanging
// off PROCESS_DATABASE.MODREFlist); IMTE is the module table entry it refers
// to.  NOTE(review): mteIndex is presumably an index into the table whose
// entries are IMTEs (PROCESS_DATABASE.MTEIndex uses the same term) -- not
// shown here.

typedef struct _MODREF {
    struct _MODREF *pNextModRef;    // 00h Next MODREF in the process's list
    DWORD un1;                      // 04h
    DWORD un2;                      // 08h
    DWORD un3;                      // 0Ch
    WORD mteIndex;                  // 10h
    WORD un4;                       // 12h
    DWORD un5;                      // 14h
    PVOID ppdb;                     // 18h Pointer to process database
    DWORD un6;                      // 1Ch
    DWORD un7;                      // 20h
    DWORD un8;                      // 24h
} MODREF, *PMODREF;

typedef struct _IMTE {
    DWORD un1;                      // 00h
    PIMAGE_NT_HEADERS pNTHdr;       // 04h
    DWORD un2;                      // 08h
    PSTR pszFileName;               // 0Ch
    PSTR pszModName;                // 10h
    WORD cbFileName;                // 14h
    WORD cbModName;                 // 16h
    DWORD un3;                      // 18h
    DWORD cSections;                // 1Ch
    DWORD un5;                      // 20h
    DWORD baseAddress;              // 24h
    WORD hModule16;                 // 28h
    WORD cUsage;                    // 2Ah
    DWORD un7;                      // 2Ch
    PSTR pszFileName2;              // 30h
    WORD cbFileName2;               // 34h
    DWORD pszModName2;              // 36h Declared DWORD, not PSTR, although the
                                    //     name suggests a string pointer; it sits
                                    //     at an odd offset, which pack(1) allows
    WORD cbModName2;                // 3Ah
} IMTE, *PIMTE;


// Process Database structure

// Per-process environment block, reached through PROCESS_DATABASE.pEDB.
typedef struct _ENVIRONMENT_DATABASE {
    PSTR pszEnvironment;            // 00h Pointer to Environment
    DWORD un1;                      // 04h
    PSTR pszCmdLine;                // 08h Pointer to command line
    PSTR pszCurrDirectory;          // 0Ch Pointer to current directory
    LPSTARTUPINFOA pStartupInfo;    // 10h Pointer to STARTUPINFOA struct
    HANDLE hStdIn;                  // 14h Standard Input
    HANDLE hStdOut;                 // 18h Standard Output
    HANDLE hStdErr;                 // 1Ch Standard Error
    DWORD un2;                      // 20h
    DWORD InheritConsole;           // 24h
    DWORD BreakType;                // 28h
    DWORD BreakSem;                 // 2Ch
    DWORD BreakEvent;               // 30h
    DWORD BreakThreadID;            // 34h
    DWORD BreakHandlers;            // 38h
} ENVIRONMENT_DATABASE, *PENVIRONMENT_DATABASE;

// Common header shared by every kernel object; PROCESS_DATABASE and
// THREAD_DATABASE below both begin with these two fields.  The "(5)" in the
// original comment is K32OBJ_PROCESS -- for a generic object Type is any of
// the K32OBJ_* values.
typedef struct _KERNEL_OBJECT {
    DWORD Type;                     // 00h KERNEL32 object type (5)
    DWORD cReference;               // 04h Number of references to process
} KERNEL_OBJECT, *PKERNEL_OBJECT;

typedef struct _HANDLE_TABLE_ENTRY {
    DWORD flags;                    // Valid flags depend on what type of object this is
    PKERNEL_OBJECT pObject;         // Pointer to the object that the handle refers to
} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;

typedef struct _HANDLE_TABLE {
    DWORD cEntries;                 // Max number of handles in table
    HANDLE_TABLE_ENTRY array[1];    // An array (number is given by cEntries).
                                    // The declared bound of 1 is a placeholder for a
                                    // variable-length tail: index only after checking
                                    // against cEntries, never against sizeof array.
} HANDLE_TABLE, *PHANDLE_TABLE;


// Process database.  Starts with the KERNEL_OBJECT header; Type is expected
// to be K32OBJ_PROCESS (5).
typedef struct _PROCESS_DATABASE {
    DWORD Type;                     // 00h KERNEL32 object type (5)
    DWORD cReference;               // 04h Number of references to process
    DWORD un1;                      // 08h
    DWORD someEvent;                // 0Ch An event object (What's it used for???)
    DWORD TerminationStatus;        // 10h Returned by GetExitCodeProcess
    DWORD un2;                      // 14h
    DWORD DefaultHeap;              // 18h Address of the process heap
    DWORD MemoryContext;            // 1Ch pointer to the process's context
    DWORD flags;                    // 20h Bit set of the "Process Database flags" macros:
                                    //   0x00000001 - fDebugSingle
                                    //   0x00000002 - fCreateProcessEvent
                                    //   0x00000004 - fExitProcessEvent
                                    //   0x00000008 - fWin16Process
                                    //   0x00000010 - fDosProcess
                                    //   0x00000020 - fConsoleProcess
                                    //   0x00000040 - fFileApisAreOem
                                    //   0x00000080 - fNukeProcess
                                    //   0x00000100 - fServiceProcess
                                    //   0x00000800 - fLoginScriptHack
    DWORD pPSP;                     // 24h Linear address of PSP?
    WORD PSPSelector;               // 28h
    WORD MTEIndex;                  // 2Ah
    WORD cThreads;                  // 2Ch
    WORD cNotTermThreads;           // 2Eh
    WORD un3;                       // 30h
    WORD cRing0Threads;             // 32h number of ring 0 threads
    HANDLE HeapHandle;              // 34h Heap to allocate handle tables out of
                                    //     This seems to always be the KERNEL32 heap
    HTASK W16TDB;                   // 38h Win16 Task Database selector
    DWORD MemMapFiles;              // 3Ch memory mapped file list (?)
    PENVIRONMENT_DATABASE pEDB;     // 40h Pointer to Environment Database
    PHANDLE_TABLE pHandleTable;     // 44h Pointer to process handle table
    struct _PROCESS_DATABASE *ParentPDB;    // 48h Parent process database
    PMODREF MODREFlist;             // 4Ch Module reference list
    DWORD ThreadList;               // 50h Threads in this process
    DWORD DebuggeeCB;               // 54h Debuggee Context block?
    DWORD LocalHeapFreeHead;        // 58h Head of free list in process heap
    DWORD InitialRing0ID;           // 5Ch
    CRITICAL_SECTION crst;          // 60h Occupies 60h..77h (18h bytes) given the next offset
    DWORD un4[3];                   // 78h
    DWORD pConsole;                 // 84h Pointer to console for process
    DWORD tlsInUseBits1;            // 88h Represents TLS indices 0 - 31
    DWORD tlsInUseBits2;            // 8Ch Represents TLS indices 32 - 63
    DWORD ProcessDWORD;             // 90h
    struct _PROCESS_DATABASE *ProcessGroup;  // 94h
    DWORD pExeMODREF;               // 98h pointer to EXE's MODREF
    DWORD TopExcFilter;             // 9Ch Top Exception Filter?
    DWORD BasePriority;             // A0h Base scheduling priority for process
    DWORD HeapOwnList;              // A4h Head of the list of process heaps
    DWORD HeapHandleBlockList;      // A8h Pointer to head of heap handle block list
    DWORD pSomeHeapPtr;             // ACh normally zero, but can be a pointer to a
                                    //     moveable handle block in the heap
    DWORD pConsoleProvider;         // B0h Process that owns the console we're using?
    WORD EnvironSelector;           // B4h Selector containing process environment
    WORD ErrorMode;                 // B6h SetErrorMode value (also thunks to Win16)
    DWORD pevtLoadFinished;         // B8h Pointer to event LoadFinished?
    WORD UTState;                   // BCh
} PROCESS_DATABASE, *PPROCESS_DATABASE;


// TIB (Thread Information Block) structure

// One node of the structured-exception-handler chain headed by TIB.pvExcept.
typedef struct _SEH_record {
    struct _SEH_record *pNext;      // Next (outer) handler record in the chain
    FARPROC pfnHandler;             // Handler routine for this frame
} SEH_record, *PSEH_record;

// This is semi-documented in the NTDDK.H file from the NT DDK.
// The same 30h bytes appear embedded in THREAD_DATABASE at offsets 10h..3Ch.
typedef struct _TIB {
    PSEH_record pvExcept;           // 00h Head of exception record list
    PVOID pvStackUserTop;           // 04h Top of user stack
    PVOID pvStackUserBase;          // 08h Base of user stack
    WORD pvTDB;                     // 0Ch TDB
    WORD pvThunksSS;                // 0Eh SS selector used for thunking to 16 bits
    DWORD SelmanList;               // 10h
    PVOID pvArbitrary;              // 14h Available for application use
    struct _tib *ptibSelf;          // 18h Linear address of TIB structure.
                                    //     NOTE(review): the tag here is `_tib`, not
                                    //     `_TIB`; C tags are case-sensitive, so this
                                    //     names a distinct incomplete struct.  Layout
                                    //     is unaffected (still one pointer), but it
                                    //     will not convert to PTIB without a cast.
                                    //     Comparing it with the address the TIB was
                                    //     read from is a cheap sanity check.
    WORD TIBFlags;                  // 1Ch
    WORD Win16MutexCount;           // 1Eh
    DWORD DebugContext;             // 20h
    DWORD pCurrentPriority;         // 24h
    DWORD pvQueue;                  // 28h Message Queue selector
    PVOID *pvTLSArray;              // 2Ch Thread Local Storage array
} TIB, *PTIB;


// TDBX structure

// Thread database extension, reached through THREAD_DATABASE.pTDBX.
typedef struct _TDBX {
    DWORD ptdb;                     // 00h PTHREAD_DATABASE
    DWORD ppdb;                     // 04h PPROCESS_DATABASE
    DWORD ContextHandle;            // 08h
    DWORD un1;                      // 0Ch
    DWORD TimeOutHandle;            // 10h
    DWORD WakeParam;                // 14h
    DWORD BlockHandle;              // 18h
    DWORD BlockState;               // 1Ch
    DWORD SuspendCount;             // 20h
    DWORD SuspendHandle;            // 24h
    DWORD MustCompleteCount;        // 28h
    DWORD WaitExFlags;              // 2Ch Bit set; these names are documentation
                                    //     only -- no macros are defined for them:
                                    //   0x00000001 - WAITEXBIT
                                    //   0x00000002 - WAITACKBIT
                                    //   0x00000004 - SUSPEND_APC_PENDING
                                    //   0x00000008 - SUSPEND_TERMINATED
                                    //   0x00000010 - BLOCKED_FOR_TERMINATION
                                    //   0x00000020 - EMULATE_NPX
                                    //   0x00000040 - WIN32_NPX
                                    //   0x00000080 - EXTENDED_HANDLES
                                    //   0x00000100 - FROZEN
                                    //   0x00000200 - DONT_FREEZE
                                    //   0x00000400 - DONT_UNFREEZE
                                    //   0x00000800 - DONT_TRACE
                                    //   0x00001000 - STOP_TRACING
                                    //   0x00002000 - WAITING_FOR_CRST_SAFE
                                    //   0x00004000 - CRST_SAFE
                                    //   0x00040000 - BLOCK_TERMINATE_APC
    DWORD SyncWaitCount;            // 30h
    DWORD QueuedSyncFuncs;          // 34h
    DWORD UserAPCList;              // 38h
    DWORD KernAPCList;              // 3Ch
    DWORD pPMPSPSelector;           // 40h
    DWORD BlockedOnID;              // 44h
    DWORD un2[7];                   // 48h
    DWORD TraceRefData;             // 64h
    DWORD TraceCallBack;            // 68h
    DWORD TraceEventHandle;         // 6Ch
    WORD TraceOutLastCS;            // 70h
    WORD K16TDB;                    // 72h
    WORD K16PDB;                    // 74h
    WORD DosPDBSeg;                 // 76h
    WORD ExceptionCount;            // 78h
} TDBX, *PTDBX;


// Thread Database structure

// Thread database.  Starts with the KERNEL_OBJECT header; Type is presumably
// K32OBJ_THREAD (6) -- not stated in the original.
typedef struct _THREAD_DATABASE {
    DWORD Type;                     // 00h
    DWORD cReference;               // 04h
    PPROCESS_DATABASE pProcess;     // 08h
    DWORD someEvent;                // 0Ch An event object (What's it used for???)
    DWORD pvExcept;                 // 10h This field through field 3Ch lines up
                                    //     field-for-field with the TIB structure
                                    //     defined above (the original note pointed
                                    //     at TIB.H)
    DWORD TopOfStack;               // 14h
    DWORD StackLow;                 // 18h
    WORD W16TDB;                    // 1Ch
    WORD StackSelector16;           // 1Eh Used when thunking down to 16 bits
    DWORD SelmanList;               // 20h
    DWORD UserPointer;              // 24h
    PTIB pTIB;                      // 28h
    WORD TIBFlags;                  // 2Ch TIBF_WIN32 = 1, TIBF_TRAP = 2
    WORD Win16MutexCount;           // 2Eh
    DWORD DebugContext;             // 30h
    PDWORD pCurrentPriority;        // 34h
    DWORD MessageQueue;             // 38h
    DWORD pTLSArray;                // 3Ch
    PPROCESS_DATABASE pProcess2;    // 40h Another copy of the thread's process???
    DWORD Flags;                    // 44h Bit set of the "Thread Database flags" macros:
                                    //   0x00000001 - fCreateThreadEvent
                                    //   0x00000002 - fCancelExceptionAbort
                                    //   0x00000004 - fOnTempStack
                                    //   0x00000008 - fGrowableStack
                                    //   0x00000010 - fDelaySingleStep
                                    //   0x00000020 - fOpenExeAsImmovableFile
                                    //   0x00000040 - fCreateSuspended
                                    //   0x00000080 - fStackOverflow
                                    //   0x00000100 - fNestedCleanAPCs
                                    //   0x00000200 - fWasOemNowAnsi
                                    //   0x00000400 - fOKToSetThreadOem
    DWORD TerminationStatus;        // 48h Returned by GetExitCodeThread
    WORD TIBSelector;               // 4Ch
    WORD EmulatorSelector;          // 4Eh
    DWORD cHandles;                 // 50h
    DWORD WaitNodeList;             // 54h
    DWORD un4;                      // 58h
    DWORD Ring0Thread;              // 5Ch
    PTDBX pTDBX;                    // 60h
    DWORD StackBase;                // 64h
    DWORD TerminationStack;         // 68h
    DWORD EmulatorData;             // 6Ch
    DWORD GetLastErrorCode;         // 70h
    DWORD DebuggerCB;               // 74h
    DWORD DebuggerThread;           // 78h
    PCONTEXT ThreadContext;         // 7Ch register context defined in WINNT.H
    DWORD Except16List;             // 80h
    DWORD ThunkConnect;             // 84h
    DWORD NegStackBase;             // 88h
    DWORD CurrentSS;                // 8Ch
    DWORD SSTable;                  // 90h
    DWORD ThunkSS16;                // 94h
    DWORD TLSArray[64];             // 98h 64 slots, matching tlsInUseBits1/2 (0-63)
    DWORD DeltaPriority;            // 198h

    // The retail version breaks off somewhere around here.
    // All the remaining fields are most likely only in the debug version,
    // so sizeof(THREAD_DATABASE) overstates the retail object.

    DWORD un5[7];                   // 19Ch
    DWORD pCreateData16;            // 1B8h
    DWORD APISuspendCount;          // 1BCh # of times SuspendThread has been called
    DWORD un6;                      // 1C0h
    DWORD WOWChain;                 // 1C4h
    WORD wSSBig;                    // 1C8h
    WORD un7;                       // 1CAh
    DWORD lp16SwitchRec;            // 1CCh
    DWORD un8[6];                   // 1D0h
    DWORD pSomeCritSect1;           // 1E8h
    DWORD pWin16Mutex;              // 1ECh
    DWORD pWin32Mutex;              // 1F0h
    DWORD pSomeCritSect2;           // 1F4h
    DWORD un9;                      // 1F8h
    DWORD ripString;                // 1FCh
    DWORD LastTlsSetValueEIP[64];   // 200h (parallel to TlsArray, contains EIP
                                    //       where TLS value was last set from)
} THREAD_DATABASE, *PTHREAD_DATABASE;