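#pragma once

/*
 * Undocumented Windows 95 KERNEL32 internal data structures: kernel object
 * type codes, process/thread database flag bits, the MODREF/IMTE module
 * tables, the process database (PDB), the thread information block (TIB),
 * the TDBX and the thread database (TDB).
 *
 * These layouts were recovered by inspection rather than taken from a public
 * SDK.  Every "unN" member is a run of bytes whose meaning is not known, and
 * the comment inside THREAD_DATABASE records that the retail and debug
 * kernels diverge part-way through that structure.  Treat every offset as
 * specific to the kernel build this file was derived from and re-verify
 * before relying on it anywhere else.
 *
 * Caveat for consumers: the pointers stored in these structures
 * (pNextModRef, ParentPDB, ThreadList, pHandleTable, ...) are read straight
 * out of kernel-owned memory and are not validated anywhere in this header.
 * Code that walks them should bound its traversal and guard each
 * dereference (for example with an SEH frame around the read), because a
 * stale or corrupted entry will otherwise fault or be misread silently.
 */

/*
 * KERNEL32 object types.  The first DWORD of every kernel object holds one
 * of these codes (see KERNEL_OBJECT / PROCESS_DATABASE.Type below).
 */
#define K32OBJ_SEMAPHORE          0x1
#define K32OBJ_EVENT              0x2
#define K32OBJ_MUTEX              0x3
#define K32OBJ_CRITICAL_SECTION   0x4
#define K32OBJ_PROCESS            0x5
#define K32OBJ_THREAD             0x6
#define K32OBJ_FILE               0x7
#define K32OBJ_CHANGE             0x8
#define K32OBJ_CONSOLE            0x9
#define K32OBJ_SCREEN_BUFFER      0xA
#define K32OBJ_MEM_MAPPED_FILE    0xB
#define K32OBJ_SERIAL             0xC
#define K32OBJ_DEVICE_IOCTL       0xD
#define K32OBJ_PIPE               0xE
#define K32OBJ_MAILSLOT           0xF
#define K32OBJ_TOOLHELP_SNAPSHOT  0x10
#define K32OBJ_SOCKET             0x11

/* Process database flag bits (PROCESS_DATABASE.flags, offset 20h). */
#define fDebugSingle              0x00000001
#define fCreateProcessEvent       0x00000002
#define fExitProcessEvent         0x00000004
#define fWin16Process             0x00000008
#define fDosProcess               0x00000010
#define fConsoleProcess           0x00000020
#define fFileApisAreOem           0x00000040
#define fNukeProcess              0x00000080
#define fServiceProcess           0x00000100
#define fLoginScriptHack          0x00000800

/* Thread database flag bits (THREAD_DATABASE.Flags, offset 44h). */
#define fCreateThreadEvent        0x00000001
#define fCancelExceptionAbort     0x00000002
#define fOnTempStack              0x00000004
#define fGrowableStack            0x00000008
#define fDelaySingleStep          0x00000010
#define fOpenExeAsImmovableFile   0x00000020
#define fCreateSuspended          0x00000040
#define fStackOverflow            0x00000080
#define fNestedCleanAPCs          0x00000100
#define fWasOemNowAnsi            0x00000200
#define fOKToSetThreadOem         0x00000400

#ifdef _MSC_VER
/* C4103: "alignment changed after including header".  Kept for compatibility
 * with existing includers; it should no longer fire now that the packing is
 * pushed and popped within this file. */
#pragma warning(disable:4103)
#endif

/*
 * Every structure below is byte-packed so that the field offsets match the
 * "xxh" comments exactly.  The packing is pushed here and popped at the end
 * of the file so it does not leak into headers included after this one
 * (a bare "#pragma pack(1)" with no matching pop changes the layout of every
 * subsequently declared struct in the translation unit).
 */
#pragma pack(push, 1)

/* MODREF: one node in the per-process module reference list. */
typedef struct _MODREF {
    struct _MODREF *pNextModRef;   // 00h
    DWORD  un1;                    // 04h
    DWORD  un2;                    // 08h
    DWORD  un3;                    // 0Ch
    WORD   mteIndex;               // 10h Index into the module table (IMTE)
    WORD   un4;                    // 12h
    DWORD  un5;                    // 14h
    PVOID  ppdb;                   // 18h Pointer to process database
    DWORD  un6;                    // 1Ch
    DWORD  un7;                    // 20h
    DWORD  un8;                    // 24h
} MODREF, *PMODREF;

/* IMTE: internal module table entry (one per loaded module). */
typedef struct _IMTE {
    DWORD  un1;                    // 00h
    PIMAGE_NT_HEADERS pNTHdr;      // 04h
    DWORD  un2;                    // 08h
    PSTR   pszFileName;            // 0Ch
    PSTR   pszModName;             // 10h
    WORD   cbFileName;             // 14h
    WORD   cbModName;              // 16h
    DWORD  un3;                    // 18h
    DWORD  cSections;              // 1Ch
    DWORD  un5;                    // 20h
    DWORD  baseAddress;            // 24h
    WORD   hModule16;              // 28h
    WORD   cUsage;                 // 2Ah
    DWORD  un7;                    // 2Ch
    PSTR   pszFileName2;           // 30h
    WORD   cbFileName2;            // 34h
    DWORD  pszModName2;            // 36h Declared DWORD rather than PSTR in the
                                   //     original; same size, unaligned under pack(1)
    WORD   cbModName2;             // 3Ah
} IMTE, *PIMTE;

/* Environment database, reached from PROCESS_DATABASE.pEDB. */
typedef struct _ENVIRONMENT_DATABASE {
    PSTR   pszEnvironment;         // 00h Pointer to Environment
    DWORD  un1;                    // 04h
    PSTR   pszCmdLine;             // 08h Pointer to command line
    PSTR   pszCurrDirectory;       // 0Ch Pointer to current directory
    LPSTARTUPINFOA pStartupInfo;   // 10h Pointer to STARTUPINFOA struct
    HANDLE hStdIn;                 // 14h Standard Input
    HANDLE hStdOut;                // 18h Standard Output
    HANDLE hStdErr;                // 1Ch Standard Error
    DWORD  un2;                    // 20h
    DWORD  InheritConsole;         // 24h
    DWORD  BreakType;              // 28h
    DWORD  BreakSem;               // 2Ch
    DWORD  BreakEvent;             // 30h
    DWORD  BreakThreadID;          // 34h
    DWORD  BreakHandlers;          // 38h
} ENVIRONMENT_DATABASE, *PENVIRONMENT_DATABASE;

/* Common header shared by every KERNEL32 object (PDB and TDB both start this way). */
typedef struct _KERNEL_OBJECT {
    DWORD  Type;                   // 00h KERNEL32 object type (one of K32OBJ_*)
    DWORD  cReference;             // 04h Number of references to the object
} KERNEL_OBJECT, *PKERNEL_OBJECT;

typedef struct _HANDLE_TABLE_ENTRY {
    DWORD  flags;                  // Valid flags depend on what type of object this is
    PKERNEL_OBJECT pObject;        // Pointer to the object that the handle refers to
} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;

/*
 * Per-process handle table.  "array[1]" is the pre-C99 trailing-array idiom:
 * the real table has cEntries elements, so index it by cEntries and not by
 * sizeof(HANDLE_TABLE).  Left as [1] rather than a flexible array member so
 * that sizeof(HANDLE_TABLE) keeps its original value for existing callers.
 */
typedef struct _HANDLE_TABLE {
    DWORD  cEntries;               // Max number of handles in table
    HANDLE_TABLE_ENTRY array[1];   // An array (number is given by cEntries)
} HANDLE_TABLE, *PHANDLE_TABLE;

/* Process database (PDB): the KERNEL32 process object. */
typedef struct _PROCESS_DATABASE {
    DWORD  Type;                   // 00h KERNEL32 object type (K32OBJ_PROCESS, 5)
    DWORD  cReference;             // 04h Number of references to process
    DWORD  un1;                    // 08h
    DWORD  someEvent;              // 0Ch An event object (purpose not known)
    DWORD  TerminationStatus;      // 10h Returned by GetExitCodeProcess
    DWORD  un2;                    // 14h
    DWORD  DefaultHeap;            // 18h Address of the process heap
    DWORD  MemoryContext;          // 1Ch Pointer to the process's context
    DWORD  flags;                  // 20h Bit set; see the fXxx process flags above:
                                   //     0x00000001 - fDebugSingle
                                   //     0x00000002 - fCreateProcessEvent
                                   //     0x00000004 - fExitProcessEvent
                                   //     0x00000008 - fWin16Process
                                   //     0x00000010 - fDosProcess
                                   //     0x00000020 - fConsoleProcess
                                   //     0x00000040 - fFileApisAreOem
                                   //     0x00000080 - fNukeProcess
                                   //     0x00000100 - fServiceProcess
                                   //     0x00000800 - fLoginScriptHack
    DWORD  pPSP;                   // 24h Linear address of PSP?
    WORD   PSPSelector;            // 28h
    WORD   MTEIndex;               // 2Ah
    WORD   cThreads;               // 2Ch
    WORD   cNotTermThreads;        // 2Eh
    WORD   un3;                    // 30h
    WORD   cRing0Threads;          // 32h Number of ring 0 threads
    HANDLE HeapHandle;             // 34h Heap to allocate handle tables out of
                                   //     (observed to always be the KERNEL32 heap)
    HTASK  W16TDB;                 // 38h Win16 Task Database selector
    DWORD  MemMapFiles;            // 3Ch Memory mapped file list (?)
    PENVIRONMENT_DATABASE pEDB;    // 40h Pointer to Environment Database
    PHANDLE_TABLE pHandleTable;    // 44h Pointer to process handle table
    struct _PROCESS_DATABASE *ParentPDB; // 48h Parent process database
    PMODREF MODREFlist;            // 4Ch Module reference list
    DWORD  ThreadList;             // 50h Threads in this process
    DWORD  DebuggeeCB;             // 54h Debuggee Context block?
    DWORD  LocalHeapFreeHead;      // 58h Head of free list in process heap
    DWORD  InitialRing0ID;         // 5Ch
    CRITICAL_SECTION crst;         // 60h (24 bytes; next field is at 78h)
    DWORD  un4[3];                 // 78h
    DWORD  pConsole;               // 84h Pointer to console for process
    DWORD  tlsInUseBits1;          // 88h Represents TLS indices 0 - 31
    DWORD  tlsInUseBits2;          // 8Ch Represents TLS indices 32 - 63
    DWORD  ProcessDWORD;           // 90h
    struct _PROCESS_DATABASE *ProcessGroup; // 94h
    DWORD  pExeMODREF;             // 98h Pointer to EXE's MODREF
    DWORD  TopExcFilter;           // 9Ch Top Exception Filter?
    DWORD  BasePriority;           // A0h Base scheduling priority for process
    DWORD  HeapOwnList;            // A4h Head of the list of process heaps
    DWORD  HeapHandleBlockList;    // A8h Pointer to head of heap handle block list
    DWORD  pSomeHeapPtr;           // ACh Normally zero, but can be a pointer to a
                                   //     moveable handle block in the heap
    DWORD  pConsoleProvider;       // B0h Process that owns the console we're using?
    WORD   EnvironSelector;        // B4h Selector containing process environment
    WORD   ErrorMode;              // B6h SetErrorMode value (also thunks to Win16)
    DWORD  pevtLoadFinished;       // B8h Pointer to event LoadFinished?
    WORD   UTState;                // BCh
} PROCESS_DATABASE, *PPROCESS_DATABASE;

/* One frame of the structured-exception-handler chain (FS:[0] on x86). */
typedef struct _SEH_record {
    struct _SEH_record *pNext;     // Next handler in the chain
    FARPROC pfnHandler;            // Handler routine
} SEH_record, *PSEH_record;

/*
 * Thread information block.  Semi-documented in the NT DDK's NTDDK.H.
 * The same layout is embedded in THREAD_DATABASE at offset 10h.
 */
typedef struct _TIB {
    PSEH_record pvExcept;          // 00h Head of exception record list
    PVOID  pvStackUserTop;         // 04h Top of user stack
    PVOID  pvStackUserBase;        // 08h Base of user stack
    WORD   pvTDB;                  // 0Ch TDB
    WORD   pvThunksSS;             // 0Eh SS selector used for thunking to 16 bits
    DWORD  SelmanList;             // 10h
    PVOID  pvArbitrary;            // 14h Available for application use
    struct _TIB *ptibSelf;         // 18h Linear address of this TIB.  The original
                                   //     declared this as "struct _tib *", a tag that
                                   //     is never defined (C tags are case-sensitive),
                                   //     so the member was a pointer to an unrelated
                                   //     incomplete type; it now refers to this struct.
    WORD   TIBFlags;               // 1Ch
    WORD   Win16MutexCount;        // 1Eh
    DWORD  DebugContext;           // 20h
    DWORD  pCurrentPriority;       // 24h
    DWORD  pvQueue;                // 28h Message Queue selector
    PVOID *pvTLSArray;             // 2Ch Thread Local Storage array
} TIB, *PTIB;

/* TDBX: the ring-0 side of a thread, reached from THREAD_DATABASE.pTDBX. */
typedef struct _TDBX {
    DWORD  ptdb;                   // 00h PTHREAD_DATABASE
    DWORD  ppdb;                   // 04h PPROCESS_DATABASE
    DWORD  ContextHandle;          // 08h
    DWORD  un1;                    // 0Ch
    DWORD  TimeOutHandle;          // 10h
    DWORD  WakeParam;              // 14h
    DWORD  BlockHandle;            // 18h
    DWORD  BlockState;             // 1Ch
    DWORD  SuspendCount;           // 20h
    DWORD  SuspendHandle;          // 24h
    DWORD  MustCompleteCount;      // 28h
    DWORD  WaitExFlags;            // 2Ch Bit set:
                                   //     0x00000001 - WAITEXBIT
                                   //     0x00000002 - WAITACKBIT
                                   //     0x00000004 - SUSPEND_APC_PENDING
                                   //     0x00000008 - SUSPEND_TERMINATED
                                   //     0x00000010 - BLOCKED_FOR_TERMINATION
                                   //     0x00000020 - EMULATE_NPX
                                   //     0x00000040 - WIN32_NPX
                                   //     0x00000080 - EXTENDED_HANDLES
                                   //     0x00000100 - FROZEN
                                   //     0x00000200 - DONT_FREEZE
                                   //     0x00000400 - DONT_UNFREEZE
                                   //     0x00000800 - DONT_TRACE
                                   //     0x00001000 - STOP_TRACING
                                   //     0x00002000 - WAITING_FOR_CRST_SAFE
                                   //     0x00004000 - CRST_SAFE
                                   //     0x00040000 - BLOCK_TERMINATE_APC
                                   //     (bits 15-17 are not named in the original)
    DWORD  SyncWaitCount;          // 30h
    DWORD  QueuedSyncFuncs;        // 34h
    DWORD  UserAPCList;            // 38h
    DWORD  KernAPCList;            // 3Ch
    DWORD  pPMPSPSelector;         // 40h
    DWORD  BlockedOnID;            // 44h
    DWORD  un2[7];                 // 48h
    DWORD  TraceRefData;           // 64h
    DWORD  TraceCallBack;          // 68h
    DWORD  TraceEventHandle;       // 6Ch
    WORD   TraceOutLastCS;         // 70h
    WORD   K16TDB;                 // 72h
    WORD   K16PDB;                 // 74h
    WORD   DosPDBSeg;              // 76h
    WORD   ExceptionCount;         // 78h
} TDBX, *PTDBX;

/* Thread database (TDB): the KERNEL32 thread object. */
typedef struct _THREAD_DATABASE {
    DWORD  Type;                   // 00h KERNEL32 object type (expected K32OBJ_THREAD, 6;
                                   //     not stated in the original - confirm)
    DWORD  cReference;             // 04h
    PPROCESS_DATABASE pProcess;    // 08h
    DWORD  someEvent;              // 0Ch An event object (purpose not known)
    DWORD  pvExcept;               // 10h This field through 3Ch is a TIB structure
                                   //     (see TIB above); pTIB at 28h mirrors ptibSelf
    DWORD  TopOfStack;             // 14h
    DWORD  StackLow;               // 18h
    WORD   W16TDB;                 // 1Ch
    WORD   StackSelector16;        // 1Eh Used when thunking down to 16 bits
    DWORD  SelmanList;             // 20h
    DWORD  UserPointer;            // 24h
    PTIB   pTIB;                   // 28h
    WORD   TIBFlags;               // 2Ch TIBF_WIN32 = 1, TIBF_TRAP = 2
    WORD   Win16MutexCount;        // 2Eh
    DWORD  DebugContext;           // 30h
    PDWORD pCurrentPriority;       // 34h
    DWORD  MessageQueue;           // 38h
    DWORD  pTLSArray;              // 3Ch
    PPROCESS_DATABASE pProcess2;   // 40h Another copy of the thread's process (?)
    DWORD  Flags;                  // 44h Bit set; see the fXxx thread flags above:
                                   //     0x00000001 - fCreateThreadEvent
                                   //     0x00000002 - fCancelExceptionAbort
                                   //     0x00000004 - fOnTempStack
                                   //     0x00000008 - fGrowableStack
                                   //     0x00000010 - fDelaySingleStep
                                   //     0x00000020 - fOpenExeAsImmovableFile
                                   //     0x00000040 - fCreateSuspended
                                   //     0x00000080 - fStackOverflow
                                   //     0x00000100 - fNestedCleanAPCs
                                   //     0x00000200 - fWasOemNowAnsi
                                   //     0x00000400 - fOKToSetThreadOem
    DWORD  TerminationStatus;      // 48h Returned by GetExitCodeThread
    WORD   TIBSelector;            // 4Ch
    WORD   EmulatorSelector;       // 4Eh
    DWORD  cHandles;               // 50h
    DWORD  WaitNodeList;           // 54h
    DWORD  un4;                    // 58h
    DWORD  Ring0Thread;            // 5Ch
    PTDBX  pTDBX;                  // 60h
    DWORD  StackBase;              // 64h
    DWORD  TerminationStack;       // 68h
    DWORD  EmulatorData;           // 6Ch
    DWORD  GetLastErrorCode;       // 70h
    DWORD  DebuggerCB;             // 74h
    DWORD  DebuggerThread;         // 78h
    PCONTEXT ThreadContext;        // 7Ch Register context defined in WINNT.H
    DWORD  Except16List;           // 80h
    DWORD  ThunkConnect;           // 84h
    DWORD  NegStackBase;           // 88h
    DWORD  CurrentSS;              // 8Ch
    DWORD  SSTable;                // 90h
    DWORD  ThunkSS16;              // 94h
    DWORD  TLSArray[64];           // 98h
    DWORD  DeltaPriority;          // 198h

    /*
     * The retail kernel's TDB ends somewhere around here.  All remaining
     * fields are most likely present only in the debug kernel, so do not
     * dereference them on a retail build without first confirming the
     * object is large enough.
     */
    DWORD  un5[7];                 // 19Ch
    DWORD  pCreateData16;          // 1B8h
    DWORD  APISuspendCount;        // 1BCh Number of times SuspendThread has been called
    DWORD  un6;                    // 1C0h
    DWORD  WOWChain;               // 1C4h
    WORD   wSSBig;                 // 1C8h
    WORD   un7;                    // 1CAh
    DWORD  lp16SwitchRec;          // 1CCh
    DWORD  un8[6];                 // 1D0h
    DWORD  pSomeCritSect1;         // 1E8h
    DWORD  pWin16Mutex;            // 1ECh
    DWORD  pWin32Mutex;            // 1F0h
    DWORD  pSomeCritSect2;         // 1F4h
    DWORD  un9;                    // 1F8h
    DWORD  ripString;              // 1FCh
    DWORD  LastTlsSetValueEIP[64]; // 200h Parallel to TLSArray; holds the EIP from
                                   //      which each TLS value was last set
} THREAD_DATABASE, *PTHREAD_DATABASE;

#pragma pack(pop)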