1 #!/usr/bin/env python
2 # -*- coding: utf-8 -*-
3
4 # Copyright (c) 2009-2014, Mario Vilas
5 # All rights reserved.
6 #
7 # Redistribution and use in source and binary forms, with or without
8 # modification, are permitted provided that the following conditions are met:
9 #
10 # * Redistributions of source code must retain the above copyright notice,
11 # this list of conditions and the following disclaimer.
12 # * Redistributions in binary form must reproduce the above copyright
13 # notice, this list of conditions and the following disclaimer in the
14 # documentation and/or other materials provided with the distribution.
15 # * Neither the name of the copyright holder nor the names of its
16 # contributors may be used to endorse or promote products derived from
17 # this software without specific prior written permission.
18 #
19 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
23 # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
24 # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25 # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26 # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27 # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28 # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 # POSSIBILITY OF SUCH DAMAGE.
30
31 """
32 PEB and TEB structures, constants and data types.
33 """
34
35 __revision__ = "$Id: peb_teb.py 1299 2013-12-20 09:30:55Z qvasimodo $"
36
37 from defines import *
38 from version import os
39
40 #==============================================================================
41 # This is used later on to calculate the list of exported symbols.
# Snapshot of the module namespace taken before any public definition is
# made; it is subtracted from the final namespace later on to work out the
# list of exported symbols.  Binding ``_all`` itself first guarantees that
# the name is part of the snapshot and therefore never exported.
_all = None
_all = set(vars())
44 #==============================================================================
45
46 #--- PEB and TEB structures, constants and data types -------------------------
47
48 # From http://www.nirsoft.net/kernel_struct/vista/CLIENT_ID.html
49 #
50 # typedef struct _CLIENT_ID
51 # {
52 # PVOID UniqueProcess;
53 # PVOID UniqueThread;
54 # } CLIENT_ID, *PCLIENT_ID;
60
61 # From MSDN:
62 #
63 # typedef struct _LDR_DATA_TABLE_ENTRY {
64 # BYTE Reserved1[2];
65 # LIST_ENTRY InMemoryOrderLinks;
66 # PVOID Reserved2[2];
67 # PVOID DllBase;
68 # PVOID EntryPoint;
69 # PVOID Reserved3;
70 # UNICODE_STRING FullDllName;
71 # BYTE Reserved4[8];
72 # PVOID Reserved5[3];
73 # union {
74 # ULONG CheckSum;
75 # PVOID Reserved6;
76 # };
77 # ULONG TimeDateStamp;
78 # } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
79 ##class LDR_DATA_TABLE_ENTRY(Structure):
80 ## _fields_ = [
81 ## ("Reserved1", BYTE * 2),
82 ## ("InMemoryOrderLinks", LIST_ENTRY),
83 ## ("Reserved2", PVOID * 2),
84 ## ("DllBase", PVOID),
85 ## ("EntryPoint", PVOID),
86 ## ("Reserved3", PVOID),
87 ## ("FullDllName", UNICODE_STRING),
88 ## ("Reserved4", BYTE * 8),
89 ## ("Reserved5", PVOID * 3),
90 ## ("CheckSum", ULONG),
91 ## ("TimeDateStamp", ULONG),
92 ##]
93
94 # From MSDN:
95 #
96 # typedef struct _PEB_LDR_DATA {
97 # BYTE Reserved1[8];
98 # PVOID Reserved2[3];
99 # LIST_ENTRY InMemoryOrderModuleList;
100 # } PEB_LDR_DATA,
101 # *PPEB_LDR_DATA;
102 ##class PEB_LDR_DATA(Structure):
103 ## _fields_ = [
104 ## ("Reserved1", BYTE),
105 ## ("Reserved2", PVOID),
106 ## ("InMemoryOrderModuleList", LIST_ENTRY),
107 ##]
108
109 # From http://undocumented.ntinternals.net/UserMode/Structures/RTL_USER_PROCESS_PARAMETERS.html
110 # typedef struct _RTL_USER_PROCESS_PARAMETERS {
111 # ULONG MaximumLength;
112 # ULONG Length;
113 # ULONG Flags;
114 # ULONG DebugFlags;
115 # PVOID ConsoleHandle;
116 # ULONG ConsoleFlags;
117 # HANDLE StdInputHandle;
118 # HANDLE StdOutputHandle;
119 # HANDLE StdErrorHandle;
120 # UNICODE_STRING CurrentDirectoryPath;
121 # HANDLE CurrentDirectoryHandle;
122 # UNICODE_STRING DllPath;
123 # UNICODE_STRING ImagePathName;
124 # UNICODE_STRING CommandLine;
125 # PVOID Environment;
126 # ULONG StartingPositionLeft;
127 # ULONG StartingPositionTop;
128 # ULONG Width;
129 # ULONG Height;
130 # ULONG CharWidth;
131 # ULONG CharHeight;
132 # ULONG ConsoleTextAttributes;
133 # ULONG WindowFlags;
134 # ULONG ShowWindowFlags;
135 # UNICODE_STRING WindowTitle;
136 # UNICODE_STRING DesktopName;
137 # UNICODE_STRING ShellInfo;
138 # UNICODE_STRING RuntimeData;
139 # RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20];
140 # } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
141
142 # kd> dt _RTL_USER_PROCESS_PARAMETERS
143 # ntdll!_RTL_USER_PROCESS_PARAMETERS
144 # +0x000 MaximumLength : Uint4B
145 # +0x004 Length : Uint4B
146 # +0x008 Flags : Uint4B
147 # +0x00c DebugFlags : Uint4B
148 # +0x010 ConsoleHandle : Ptr32 Void
149 # +0x014 ConsoleFlags : Uint4B
150 # +0x018 StandardInput : Ptr32 Void
151 # +0x01c StandardOutput : Ptr32 Void
152 # +0x020 StandardError : Ptr32 Void
153 # +0x024 CurrentDirectory : _CURDIR
154 # +0x030 DllPath : _UNICODE_STRING
155 # +0x038 ImagePathName : _UNICODE_STRING
156 # +0x040 CommandLine : _UNICODE_STRING
157 # +0x048 Environment : Ptr32 Void
158 # +0x04c StartingX : Uint4B
159 # +0x050 StartingY : Uint4B
160 # +0x054 CountX : Uint4B
161 # +0x058 CountY : Uint4B
162 # +0x05c CountCharsX : Uint4B
163 # +0x060 CountCharsY : Uint4B
164 # +0x064 FillAttribute : Uint4B
165 # +0x068 WindowFlags : Uint4B
166 # +0x06c ShowWindowFlags : Uint4B
167 # +0x070 WindowTitle : _UNICODE_STRING
168 # +0x078 DesktopInfo : _UNICODE_STRING
169 # +0x080 ShellInfo : _UNICODE_STRING
170 # +0x088 RuntimeData : _UNICODE_STRING
171 # +0x090 CurrentDirectores : [32] _RTL_DRIVE_LETTER_CURDIR
172 # +0x290 EnvironmentSize : Uint4B
173 ##class RTL_USER_PROCESS_PARAMETERS(Structure):
174 ## _fields_ = [
175 ## ("MaximumLength", ULONG),
176 ## ("Length", ULONG),
177 ## ("Flags", ULONG),
178 ## ("DebugFlags", ULONG),
179 ## ("ConsoleHandle", PVOID),
180 ## ("ConsoleFlags", ULONG),
181 ## ("StandardInput", HANDLE),
182 ## ("StandardOutput", HANDLE),
183 ## ("StandardError", HANDLE),
184 ## ("CurrentDirectory", CURDIR),
185 ## ("DllPath", UNICODE_STRING),
186 ## ("ImagePathName", UNICODE_STRING),
187 ## ("CommandLine", UNICODE_STRING),
188 ## ("Environment", PVOID),
189 ## ("StartingX", ULONG),
190 ## ("StartingY", ULONG),
191 ## ("CountX", ULONG),
192 ## ("CountY", ULONG),
193 ## ("CountCharsX", ULONG),
194 ## ("CountCharsY", ULONG),
195 ## ("FillAttribute", ULONG),
196 ## ("WindowFlags", ULONG),
197 ## ("ShowWindowFlags", ULONG),
198 ## ("WindowTitle", UNICODE_STRING),
199 ## ("DesktopInfo", UNICODE_STRING),
200 ## ("ShellInfo", UNICODE_STRING),
201 ## ("RuntimeData", UNICODE_STRING),
202 ## ("CurrentDirectores", RTL_DRIVE_LETTER_CURDIR * 32), # typo here?
203 ##
204 ## # Windows 2008 and Vista
205 ## ("EnvironmentSize", ULONG),
206 ##]
207 ## @property
208 ## def CurrentDirectories(self):
209 ## return self.CurrentDirectores
210
211 # From MSDN:
212 #
213 # typedef struct _RTL_USER_PROCESS_PARAMETERS {
214 # BYTE Reserved1[16];
215 # PVOID Reserved2[10];
216 # UNICODE_STRING ImagePathName;
217 # UNICODE_STRING CommandLine;
218 # } RTL_USER_PROCESS_PARAMETERS,
219 # *PRTL_USER_PROCESS_PARAMETERS;
# Minimal RTL_USER_PROCESS_PARAMETERS layout: the MSDN declaration quoted
# above (an opaque reserved prefix, then ImagePathName and CommandLine),
# plus the undocumented Environment pointer that immediately follows
# CommandLine in the kd dump above (+0x040 / +0x048).  ctypes derives the
# in-memory layout from the order of this list, so entries must not be
# reordered.
_fields_ = [
    ("Reserved1", BYTE * 16),
    ("Reserved2", PVOID * 10),
    ("ImagePathName", UNICODE_STRING),
    ("CommandLine", UNICODE_STRING),
    ("Environment", PVOID),  # undocumented!
    #
    # XXX TODO
    # This structure should be defined with all undocumented fields for
    # each version of Windows, just like it's being done for PEB and TEB.
    #
]
233
# Opaque alias for the pointer type of PEB.PostProcessInitRoutine (see the
# MSDN PEB declaration below); a plain PVOID is used rather than a function
# prototype, consistent with every other pointer member in this module.
PPS_POST_PROCESS_INIT_ROUTINE = PVOID
235
236 #from MSDN:
237 #
238 # typedef struct _PEB {
239 # BYTE Reserved1[2];
240 # BYTE BeingDebugged;
241 # BYTE Reserved2[21];
242 # PPEB_LDR_DATA LoaderData;
243 # PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
244 # BYTE Reserved3[520];
245 # PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
246 # BYTE Reserved4[136];
247 # ULONG SessionId;
248 # } PEB;
249 ##class PEB(Structure):
250 ## _fields_ = [
251 ## ("Reserved1", BYTE * 2),
252 ## ("BeingDebugged", BYTE),
253 ## ("Reserved2", BYTE * 21),
254 ## ("LoaderData", PVOID, # PPEB_LDR_DATA
255 ## ("ProcessParameters", PVOID, # PRTL_USER_PROCESS_PARAMETERS
256 ## ("Reserved3", BYTE * 520),
257 ## ("PostProcessInitRoutine", PPS_POST_PROCESS_INIT_ROUTINE),
258 ## ("Reserved4", BYTE),
259 ## ("SessionId", ULONG),
260 ##]
261
262 # from MSDN:
263 #
264 # typedef struct _TEB {
265 # BYTE Reserved1[1952];
266 # PVOID Reserved2[412];
267 # PVOID TlsSlots[64];
268 # BYTE Reserved3[8];
269 # PVOID Reserved4[26];
270 # PVOID ReservedForOle;
271 # PVOID Reserved5[4];
272 # PVOID TlsExpansionSlots;
273 # } TEB,
274 # *PTEB;
275 ##class TEB(Structure):
276 ## _fields_ = [
277 ## ("Reserved1", PVOID * 1952),
278 ## ("Reserved2", PVOID * 412),
279 ## ("TlsSlots", PVOID * 64),
280 ## ("Reserved3", BYTE * 8),
281 ## ("Reserved4", PVOID * 26),
282 ## ("ReservedForOle", PVOID),
283 ## ("Reserved5", PVOID * 4),
284 ## ("TlsExpansionSlots", PVOID),
285 ##]
286
287 # from http://undocumented.ntinternals.net/UserMode/Structures/LDR_MODULE.html
288 #
289 # typedef struct _LDR_MODULE {
290 # LIST_ENTRY InLoadOrderModuleList;
291 # LIST_ENTRY InMemoryOrderModuleList;
292 # LIST_ENTRY InInitializationOrderModuleList;
293 # PVOID BaseAddress;
294 # PVOID EntryPoint;
295 # ULONG SizeOfImage;
296 # UNICODE_STRING FullDllName;
297 # UNICODE_STRING BaseDllName;
298 # ULONG Flags;
299 # SHORT LoadCount;
300 # SHORT TlsIndex;
301 # LIST_ENTRY HashTableEntry;
302 # ULONG TimeDateStamp;
303 # } LDR_MODULE, *PLDR_MODULE;
# Undocumented LDR_MODULE layout (ntinternals declaration quoted above).
# The three LIST_ENTRY links share their names with the list heads in
# PEB_LDR_DATA below.  LoadCount and TlsIndex are signed SHORTs, as in the
# C declaration.  Order matters: ctypes lays the fields out in this order.
_fields_ = [
    ("InLoadOrderModuleList", LIST_ENTRY),
    ("InMemoryOrderModuleList", LIST_ENTRY),
    ("InInitializationOrderModuleList", LIST_ENTRY),
    ("BaseAddress", PVOID),
    ("EntryPoint", PVOID),
    ("SizeOfImage", ULONG),
    ("FullDllName", UNICODE_STRING),
    ("BaseDllName", UNICODE_STRING),
    ("Flags", ULONG),
    ("LoadCount", SHORT),
    ("TlsIndex", SHORT),
    ("HashTableEntry", LIST_ENTRY),
    ("TimeDateStamp", ULONG),
]
320
321 # from http://undocumented.ntinternals.net/UserMode/Structures/PEB_LDR_DATA.html
322 #
323 # typedef struct _PEB_LDR_DATA {
324 # ULONG Length;
325 # BOOLEAN Initialized;
326 # PVOID SsHandle;
327 # LIST_ENTRY InLoadOrderModuleList;
328 # LIST_ENTRY InMemoryOrderModuleList;
329 # LIST_ENTRY InInitializationOrderModuleList;
330 # } PEB_LDR_DATA, *PPEB_LDR_DATA;
# Undocumented PEB_LDR_DATA layout (ntinternals), used instead of the
# reserved-field MSDN version left commented out earlier in this file.
# A typed pointer alias, PPEB_LDR_DATA, is created further below once the
# class exists.
_fields_ = [
    ("Length", ULONG),
    ("Initialized", BOOLEAN),
    ("SsHandle", PVOID),
    ("InLoadOrderModuleList", LIST_ENTRY),
    ("InMemoryOrderModuleList", LIST_ENTRY),
    ("InInitializationOrderModuleList", LIST_ENTRY),
]
340
341 # From http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Process/PEB_FREE_BLOCK.html
342 #
343 # typedef struct _PEB_FREE_BLOCK {
344 # PEB_FREE_BLOCK *Next;
345 # ULONG Size;
346 # } PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;
349
# PEB_FREE_BLOCK is self-referential (Next points at another block), so the
# class is declared first and its _fields_ are attached afterwards, once the
# pointer alias exists.  The typed POINTER() alias is left commented out and
# an opaque PVOID is used instead, matching the other pointer members in
# this module.
##PPEB_FREE_BLOCK = POINTER(PEB_FREE_BLOCK)
PPEB_FREE_BLOCK = PVOID

PEB_FREE_BLOCK._fields_ = [
    ("Next", PPEB_FREE_BLOCK),
    ("Size", ULONG),
]
357
358 # From http://undocumented.ntinternals.net/UserMode/Structures/RTL_DRIVE_LETTER_CURDIR.html
359 #
360 # typedef struct _RTL_DRIVE_LETTER_CURDIR {
361 # USHORT Flags;
362 # USHORT Length;
363 # ULONG TimeStamp;
364 # UNICODE_STRING DosPath;
365 # } RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;
# Per-drive current directory record (ntinternals declaration above).
# RTL_USER_PROCESS_PARAMETERS carries an array of 32 of these; the kd dump
# earlier in this file lists it as "CurrentDirectores", spelled exactly as
# the debugger symbol.
_fields_ = [
    ("Flags", USHORT),
    ("Length", USHORT),
    ("TimeStamp", ULONG),
    ("DosPath", UNICODE_STRING),
]
373
374 # From http://www.nirsoft.net/kernel_struct/vista/CURDIR.html
375 #
376 # typedef struct _CURDIR
377 # {
378 # UNICODE_STRING DosPath;
379 # PVOID Handle;
380 # } CURDIR, *PCURDIR;
386
387 # From http://www.nirsoft.net/kernel_struct/vista/RTL_CRITICAL_SECTION_DEBUG.html
388 #
389 # typedef struct _RTL_CRITICAL_SECTION_DEBUG
390 # {
391 # WORD Type;
392 # WORD CreatorBackTraceIndex;
393 # PRTL_CRITICAL_SECTION CriticalSection;
394 # LIST_ENTRY ProcessLocksList;
395 # ULONG EntryCount;
396 # ULONG ContentionCount;
397 # ULONG Flags;
398 # WORD CreatorBackTraceIndexHigh;
399 # WORD SpareUSHORT;
400 # } RTL_CRITICAL_SECTION_DEBUG, *PRTL_CRITICAL_SECTION_DEBUG;
401 #
402 # From http://www.nirsoft.net/kernel_struct/vista/RTL_CRITICAL_SECTION.html
403 #
404 # typedef struct _RTL_CRITICAL_SECTION
405 # {
406 # PRTL_CRITICAL_SECTION_DEBUG DebugInfo;
407 # LONG LockCount;
408 # LONG RecursionCount;
409 # PVOID OwningThread;
410 # PVOID LockSemaphore;
411 # ULONG SpinCount;
412 # } RTL_CRITICAL_SECTION, *PRTL_CRITICAL_SECTION;
413 #
# RTL_CRITICAL_SECTION (nirsoft declaration above).  DebugInfo is declared
# as a plain PVOID because the typed PRTL_CRITICAL_SECTION_DEBUG alias is
# only created (via POINTER) after both this class and
# RTL_CRITICAL_SECTION_DEBUG exist — the two structures reference each other.
_fields_ = [
    ("DebugInfo", PVOID),  # PRTL_CRITICAL_SECTION_DEBUG
    ("LockCount", LONG),
    ("RecursionCount", LONG),
    ("OwningThread", PVOID),
    ("LockSemaphore", PVOID),
    ("SpinCount", ULONG),
]
# RTL_CRITICAL_SECTION_DEBUG (nirsoft declaration above).  CriticalSection
# is an opaque PVOID for the same reason DebugInfo is in
# RTL_CRITICAL_SECTION: the typed pointer aliases are created only after
# both mutually referencing classes are defined.
_fields_ = [
    ("Type", WORD),
    ("CreatorBackTraceIndex", WORD),
    ("CriticalSection", PVOID),  # PRTL_CRITICAL_SECTION
    ("ProcessLocksList", LIST_ENTRY),
    ("EntryCount", ULONG),
    ("ContentionCount", ULONG),
    ("Flags", ULONG),
    ("CreatorBackTraceIndexHigh", WORD),
    ("SpareUSHORT", WORD),
]
# Typed pointer aliases, created once the pointed-to classes exist.  Inside
# the _fields_ lists of this module pointer members are still declared as
# PVOID, with the intended type recorded in a trailing comment (for example
# ("Ldr", PVOID), # PPEB_LDR_DATA); these aliases are for callers that want
# the typed form.
PRTL_CRITICAL_SECTION = POINTER(RTL_CRITICAL_SECTION)
PRTL_CRITICAL_SECTION_DEBUG = POINTER(RTL_CRITICAL_SECTION_DEBUG)

PPEB_LDR_DATA = POINTER(PEB_LDR_DATA)
PRTL_USER_PROCESS_PARAMETERS = POINTER(RTL_USER_PROCESS_PARAMETERS)

# Opaque pointer for PEB.FastPebLockRoutine / FastPebUnlockRoutine.
PPEBLOCKROUTINE = PVOID
442
# Bit masks for the single-byte PEB.BitField member (the kd dumps below show
# it at +0x003, with ImageUsesLargePages at bit 0).
# BitField
ImageUsesLargePages = 1 << 0
IsProtectedProcess = 1 << 1
IsLegacyProcess = 1 << 2
IsImageDynamicallyRelocated = 1 << 3
SkipPatchingUser32Forwarders = 1 << 4

# Bit masks for the CrossProcessFlags member found in newer PEB layouts.
# CrossProcessFlags
ProcessInJob = 1 << 0
ProcessInitializing = 1 << 1
ProcessUsingVEH = 1 << 2
ProcessUsingVCH = 1 << 3
ProcessUsingFTH = 1 << 4

# Bit masks for the TracingFlags member found in newer PEB layouts.
# TracingFlags
HeapTracingEnabled = 1 << 0
CritSecTracingEnabled = 1 << 1

# Bit masks for PEB.NtGlobalFlag (the "gflags" settings).  FLG_VALID_BITS is
# the mask of all defined bits, not a flag in its own right.
# NOTE(review): the loader is documented to set the three FLG_HEAP_*_CHECK /
# VALIDATE flags when a process is created under a debugger, which makes
# this member (together with BeingDebugged) a well-known debugger-presence
# indicator; a debugger reading it from a debuggee should not assume the
# value is pristine.  Confirm per OS version.
# NtGlobalFlags
FLG_VALID_BITS = 0x003FFFFF  # not a flag
FLG_STOP_ON_EXCEPTION = 0x00000001
FLG_SHOW_LDR_SNAPS = 0x00000002
FLG_DEBUG_INITIAL_COMMAND = 0x00000004
FLG_STOP_ON_HUNG_GUI = 0x00000008
FLG_HEAP_ENABLE_TAIL_CHECK = 0x00000010
FLG_HEAP_ENABLE_FREE_CHECK = 0x00000020
FLG_HEAP_VALIDATE_PARAMETERS = 0x00000040
FLG_HEAP_VALIDATE_ALL = 0x00000080
FLG_POOL_ENABLE_TAIL_CHECK = 0x00000100
FLG_POOL_ENABLE_FREE_CHECK = 0x00000200
FLG_POOL_ENABLE_TAGGING = 0x00000400
FLG_HEAP_ENABLE_TAGGING = 0x00000800
FLG_USER_STACK_TRACE_DB = 0x00001000
FLG_KERNEL_STACK_TRACE_DB = 0x00002000
FLG_MAINTAIN_OBJECT_TYPELIST = 0x00004000
FLG_HEAP_ENABLE_TAG_BY_DLL = 0x00008000
FLG_IGNORE_DEBUG_PRIV = 0x00010000
FLG_ENABLE_CSRDEBUG = 0x00020000
FLG_ENABLE_KDEBUG_SYMBOL_LOAD = 0x00040000
FLG_DISABLE_PAGE_KERNEL_STACKS = 0x00080000
FLG_HEAP_ENABLE_CALL_TRACING = 0x00100000
FLG_HEAP_DISABLE_COALESCING = 0x00200000
FLG_ENABLE_CLOSE_EXCEPTION = 0x00400000
FLG_ENABLE_EXCEPTION_LOGGING = 0x00800000
FLG_ENABLE_HANDLE_TYPE_TAGGING = 0x01000000
FLG_HEAP_PAGE_ALLOCS = 0x02000000
FLG_DEBUG_WINLOGON = 0x04000000
FLG_ENABLE_DBGPRINT_BUFFERING = 0x08000000
FLG_EARLY_CRITICAL_SECTION_EVT = 0x10000000
FLG_DISABLE_DLL_VERIFICATION = 0x80000000
493
# 32-bit PEB layout for NT (presumably the _PEB_NT class, which is aliased
# to _PEB_2000 right below).  ctypes derives the in-memory layout from
# _pack_ and the order of _fields_, so entries must stay in this order.
# With _pack_ = 4 the 8-byte CriticalSectionTimeout is not auto-aligned to
# 8; the explicit 4-byte Spare2 just before it presumably supplies that
# padding by hand.
# NOTE(review): pointer-sized members are PVOID/HANDLE, so this only
# describes a 32-bit target when PVOID itself is 4 bytes — confirm against
# `defines`.  Reading a debuggee through a layout of the wrong bitness or
# OS version does not fail, it just yields misparsed values.
_pack_ = 4
_fields_ = [
    ("InheritedAddressSpace", BOOLEAN),
    ("ReadImageFileExecOptions", UCHAR),
    ("BeingDebugged", BOOLEAN),
    ("BitField", UCHAR),
    ("Mutant", HANDLE),
    ("ImageBaseAddress", PVOID),
    ("Ldr", PVOID),  # PPEB_LDR_DATA
    ("ProcessParameters", PVOID),  # PRTL_USER_PROCESS_PARAMETERS
    ("SubSystemData", PVOID),
    ("ProcessHeap", PVOID),
    ("FastPebLock", PVOID),
    ("FastPebLockRoutine", PVOID),  # PPEBLOCKROUTINE
    ("FastPebUnlockRoutine", PVOID),  # PPEBLOCKROUTINE
    ("EnvironmentUpdateCount", ULONG),
    ("KernelCallbackTable", PVOID),  # Ptr32 Ptr32 Void
    ("EventLogSection", PVOID),
    ("EventLog", PVOID),
    ("FreeList", PVOID),  # PPEB_FREE_BLOCK
    ("TlsExpansionCounter", ULONG),
    ("TlsBitmap", PVOID),
    ("TlsBitmapBits", ULONG * 2),
    ("ReadOnlySharedMemoryBase", PVOID),
    ("ReadOnlySharedMemoryHeap", PVOID),
    ("ReadOnlyStaticServerData", PVOID),  # Ptr32 Ptr32 Void
    ("AnsiCodePageData", PVOID),
    ("OemCodePageData", PVOID),
    ("UnicodeCaseTableData", PVOID),
    ("NumberOfProcessors", ULONG),
    ("NtGlobalFlag", ULONG),
    ("Spare2", BYTE * 4),  # explicit padding before the 8-byte member below
    ("CriticalSectionTimeout", LONGLONG),  # LARGE_INTEGER
    ("HeapSegmentReserve", ULONG),
    ("HeapSegmentCommit", ULONG),
    ("HeapDeCommitTotalFreeThreshold", ULONG),
    ("HeapDeCommitFreeBlockThreshold", ULONG),
    ("NumberOfHeaps", ULONG),
    ("MaximumNumberOfHeaps", ULONG),
    ("ProcessHeaps", PVOID),  # Ptr32 Ptr32 Void
    ("GdiSharedHandleTable", PVOID),
    ("ProcessStarterHelper", PVOID),
    ("GdiDCAttributeList", PVOID),
    ("LoaderLock", PVOID),  # PRTL_CRITICAL_SECTION
    ("OSMajorVersion", ULONG),
    ("OSMinorVersion", ULONG),
    ("OSBuildNumber", ULONG),
    ("OSPlatformId", ULONG),
    ("ImageSubSystem", ULONG),
    ("ImageSubSystemMajorVersion", ULONG),
    ("ImageSubSystemMinorVersion", ULONG),
    ("ImageProcessAffinityMask", ULONG),
    ("GdiHandleBuffer", ULONG * 34),
    ("PostProcessInitRoutine", PPS_POST_PROCESS_INIT_ROUTINE),
    ("TlsExpansionBitmap", ULONG),
    ("TlsExpansionBitmapBits", BYTE * 128),
    ("SessionId", ULONG),
]
553
# not really, but "dt _PEB" in w2k isn't working for me :(
# NOTE(review): Windows 2000 reuses the NT layout as a stand-in.  Offsets
# past the common prefix may not match a real w2k PEB, so fields read
# through this layout on w2k should be treated as best-effort until the
# layout is verified against a w2k symbol dump.
_PEB_2000 = _PEB_NT
556
557 # +0x000 InheritedAddressSpace : UChar
558 # +0x001 ReadImageFileExecOptions : UChar
559 # +0x002 BeingDebugged : UChar
560 # +0x003 SpareBool : UChar
561 # +0x004 Mutant : Ptr32 Void
562 # +0x008 ImageBaseAddress : Ptr32 Void
563 # +0x00c Ldr : Ptr32 _PEB_LDR_DATA
564 # +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS
565 # +0x014 SubSystemData : Ptr32 Void
566 # +0x018 ProcessHeap : Ptr32 Void
567 # +0x01c FastPebLock : Ptr32 _RTL_CRITICAL_SECTION
568 # +0x020 FastPebLockRoutine : Ptr32 Void
569 # +0x024 FastPebUnlockRoutine : Ptr32 Void
570 # +0x028 EnvironmentUpdateCount : Uint4B
571 # +0x02c KernelCallbackTable : Ptr32 Void
572 # +0x030 SystemReserved : [1] Uint4B
573 # +0x034 AtlThunkSListPtr32 : Uint4B
574 # +0x038 FreeList : Ptr32 _PEB_FREE_BLOCK
575 # +0x03c TlsExpansionCounter : Uint4B
576 # +0x040 TlsBitmap : Ptr32 Void
577 # +0x044 TlsBitmapBits : [2] Uint4B
578 # +0x04c ReadOnlySharedMemoryBase : Ptr32 Void
579 # +0x050 ReadOnlySharedMemoryHeap : Ptr32 Void
580 # +0x054 ReadOnlyStaticServerData : Ptr32 Ptr32 Void
581 # +0x058 AnsiCodePageData : Ptr32 Void
582 # +0x05c OemCodePageData : Ptr32 Void
583 # +0x060 UnicodeCaseTableData : Ptr32 Void
584 # +0x064 NumberOfProcessors : Uint4B
585 # +0x068 NtGlobalFlag : Uint4B
586 # +0x070 CriticalSectionTimeout : _LARGE_INTEGER
587 # +0x078 HeapSegmentReserve : Uint4B
588 # +0x07c HeapSegmentCommit : Uint4B
589 # +0x080 HeapDeCommitTotalFreeThreshold : Uint4B
590 # +0x084 HeapDeCommitFreeBlockThreshold : Uint4B
591 # +0x088 NumberOfHeaps : Uint4B
592 # +0x08c MaximumNumberOfHeaps : Uint4B
593 # +0x090 ProcessHeaps : Ptr32 Ptr32 Void
594 # +0x094 GdiSharedHandleTable : Ptr32 Void
595 # +0x098 ProcessStarterHelper : Ptr32 Void
596 # +0x09c GdiDCAttributeList : Uint4B
597 # +0x0a0 LoaderLock : Ptr32 Void
598 # +0x0a4 OSMajorVersion : Uint4B
599 # +0x0a8 OSMinorVersion : Uint4B
600 # +0x0ac OSBuildNumber : Uint2B
601 # +0x0ae OSCSDVersion : Uint2B
602 # +0x0b0 OSPlatformId : Uint4B
603 # +0x0b4 ImageSubsystem : Uint4B
604 # +0x0b8 ImageSubsystemMajorVersion : Uint4B
605 # +0x0bc ImageSubsystemMinorVersion : Uint4B
606 # +0x0c0 ImageProcessAffinityMask : Uint4B
607 # +0x0c4 GdiHandleBuffer : [34] Uint4B
608 # +0x14c PostProcessInitRoutine : Ptr32 void
609 # +0x150 TlsExpansionBitmap : Ptr32 Void
610 # +0x154 TlsExpansionBitmapBits : [32] Uint4B
611 # +0x1d4 SessionId : Uint4B
612 # +0x1d8 AppCompatFlags : _ULARGE_INTEGER
613 # +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER
614 # +0x1e8 pShimData : Ptr32 Void
615 # +0x1ec AppCompatInfo : Ptr32 Void
616 # +0x1f0 CSDVersion : _UNICODE_STRING
617 # +0x1f8 ActivationContextData : Ptr32 Void
618 # +0x1fc ProcessAssemblyStorageMap : Ptr32 Void
619 # +0x200 SystemDefaultActivationContextData : Ptr32 Void
620 # +0x204 SystemAssemblyStorageMap : Ptr32 Void
621 # +0x208 MinimumStackCommit : Uint4B
# 32-bit PEB layout matching the kd dump directly above.  _pack_ = 8 lets
# ctypes insert the 4-byte gap the dump shows between NtGlobalFlag (+0x068)
# and the 8-byte CriticalSectionTimeout (+0x070), so no explicit padding
# member is needed here.  Field order defines the layout; do not reorder.
# NOTE(review): assumes PVOID/HANDLE are 4 bytes here (Ptr32 in the dump) —
# confirm against `defines`; the Ptr64 variant is defined further below.
_pack_ = 8
_fields_ = [
    ("InheritedAddressSpace", BOOLEAN),
    ("ReadImageFileExecOptions", UCHAR),
    ("BeingDebugged", BOOLEAN),
    ("SpareBool", UCHAR),
    ("Mutant", HANDLE),
    ("ImageBaseAddress", PVOID),
    ("Ldr", PVOID),  # PPEB_LDR_DATA
    ("ProcessParameters", PVOID),  # PRTL_USER_PROCESS_PARAMETERS
    ("SubSystemData", PVOID),
    ("ProcessHeap", PVOID),
    ("FastPebLock", PVOID),
    ("FastPebLockRoutine", PVOID),
    ("FastPebUnlockRoutine", PVOID),
    ("EnvironmentUpdateCount", DWORD),
    ("KernelCallbackTable", PVOID),
    ("SystemReserved", DWORD),
    ("AtlThunkSListPtr32", DWORD),
    ("FreeList", PVOID),  # PPEB_FREE_BLOCK
    ("TlsExpansionCounter", DWORD),
    ("TlsBitmap", PVOID),
    ("TlsBitmapBits", DWORD * 2),
    ("ReadOnlySharedMemoryBase", PVOID),
    ("ReadOnlySharedMemoryHeap", PVOID),
    ("ReadOnlyStaticServerData", PVOID),  # Ptr32 Ptr32 Void
    ("AnsiCodePageData", PVOID),
    ("OemCodePageData", PVOID),
    ("UnicodeCaseTableData", PVOID),
    ("NumberOfProcessors", DWORD),
    ("NtGlobalFlag", DWORD),
    ("CriticalSectionTimeout", LONGLONG),  # LARGE_INTEGER
    ("HeapSegmentReserve", DWORD),
    ("HeapSegmentCommit", DWORD),
    ("HeapDeCommitTotalFreeThreshold", DWORD),
    ("HeapDeCommitFreeBlockThreshold", DWORD),
    ("NumberOfHeaps", DWORD),
    ("MaximumNumberOfHeaps", DWORD),
    ("ProcessHeaps", PVOID),  # Ptr32 Ptr32 Void
    ("GdiSharedHandleTable", PVOID),
    ("ProcessStarterHelper", PVOID),
    ("GdiDCAttributeList", DWORD),
    ("LoaderLock", PVOID),  # PRTL_CRITICAL_SECTION
    ("OSMajorVersion", DWORD),
    ("OSMinorVersion", DWORD),
    ("OSBuildNumber", WORD),
    ("OSCSDVersion", WORD),
    ("OSPlatformId", DWORD),
    ("ImageSubsystem", DWORD),
    ("ImageSubsystemMajorVersion", DWORD),
    ("ImageSubsystemMinorVersion", DWORD),
    ("ImageProcessAffinityMask", DWORD),
    ("GdiHandleBuffer", DWORD * 34),
    ("PostProcessInitRoutine", PPS_POST_PROCESS_INIT_ROUTINE),
    ("TlsExpansionBitmap", PVOID),
    ("TlsExpansionBitmapBits", DWORD * 32),
    ("SessionId", DWORD),
    ("AppCompatFlags", ULONGLONG),  # ULARGE_INTEGER
    ("AppCompatFlagsUser", ULONGLONG),  # ULARGE_INTEGER
    ("pShimData", PVOID),
    ("AppCompatInfo", PVOID),
    ("CSDVersion", UNICODE_STRING),
    ("ActivationContextData", PVOID),  # ACTIVATION_CONTEXT_DATA
    ("ProcessAssemblyStorageMap", PVOID),  # ASSEMBLY_STORAGE_MAP
    ("SystemDefaultActivationContextData", PVOID),  # ACTIVATION_CONTEXT_DATA
    ("SystemAssemblyStorageMap", PVOID),  # ASSEMBLY_STORAGE_MAP
    ("MinimumStackCommit", DWORD),
]
691
692 # +0x000 InheritedAddressSpace : UChar
693 # +0x001 ReadImageFileExecOptions : UChar
694 # +0x002 BeingDebugged : UChar
695 # +0x003 BitField : UChar
696 # +0x003 ImageUsesLargePages : Pos 0, 1 Bit
697 # +0x003 SpareBits : Pos 1, 7 Bits
698 # +0x008 Mutant : Ptr64 Void
699 # +0x010 ImageBaseAddress : Ptr64 Void
700 # +0x018 Ldr : Ptr64 _PEB_LDR_DATA
701 # +0x020 ProcessParameters : Ptr64 _RTL_USER_PROCESS_PARAMETERS
702 # +0x028 SubSystemData : Ptr64 Void
703 # +0x030 ProcessHeap : Ptr64 Void
704 # +0x038 FastPebLock : Ptr64 _RTL_CRITICAL_SECTION
705 # +0x040 AtlThunkSListPtr : Ptr64 Void
706 # +0x048 SparePtr2 : Ptr64 Void
707 # +0x050 EnvironmentUpdateCount : Uint4B
708 # +0x058 KernelCallbackTable : Ptr64 Void
709 # +0x060 SystemReserved : [1] Uint4B
710 # +0x064 SpareUlong : Uint4B
711 # +0x068 FreeList : Ptr64 _PEB_FREE_BLOCK
712 # +0x070 TlsExpansionCounter : Uint4B
713 # +0x078 TlsBitmap : Ptr64 Void
714 # +0x080 TlsBitmapBits : [2] Uint4B
715 # +0x088 ReadOnlySharedMemoryBase : Ptr64 Void
716 # +0x090 ReadOnlySharedMemoryHeap : Ptr64 Void
717 # +0x098 ReadOnlyStaticServerData : Ptr64 Ptr64 Void
718 # +0x0a0 AnsiCodePageData : Ptr64 Void
719 # +0x0a8 OemCodePageData : Ptr64 Void
720 # +0x0b0 UnicodeCaseTableData : Ptr64 Void
721 # +0x0b8 NumberOfProcessors : Uint4B
722 # +0x0bc NtGlobalFlag : Uint4B
723 # +0x0c0 CriticalSectionTimeout : _LARGE_INTEGER
724 # +0x0c8 HeapSegmentReserve : Uint8B
725 # +0x0d0 HeapSegmentCommit : Uint8B
726 # +0x0d8 HeapDeCommitTotalFreeThreshold : Uint8B
727 # +0x0e0 HeapDeCommitFreeBlockThreshold : Uint8B
728 # +0x0e8 NumberOfHeaps : Uint4B
729 # +0x0ec MaximumNumberOfHeaps : Uint4B
730 # +0x0f0 ProcessHeaps : Ptr64 Ptr64 Void
731 # +0x0f8 GdiSharedHandleTable : Ptr64 Void
732 # +0x100 ProcessStarterHelper : Ptr64 Void
733 # +0x108 GdiDCAttributeList : Uint4B
734 # +0x110 LoaderLock : Ptr64 _RTL_CRITICAL_SECTION
735 # +0x118 OSMajorVersion : Uint4B
736 # +0x11c OSMinorVersion : Uint4B
737 # +0x120 OSBuildNumber : Uint2B
738 # +0x122 OSCSDVersion : Uint2B
739 # +0x124 OSPlatformId : Uint4B
740 # +0x128 ImageSubsystem : Uint4B
741 # +0x12c ImageSubsystemMajorVersion : Uint4B
742 # +0x130 ImageSubsystemMinorVersion : Uint4B
743 # +0x138 ImageProcessAffinityMask : Uint8B
744 # +0x140 GdiHandleBuffer : [60] Uint4B
745 # +0x230 PostProcessInitRoutine : Ptr64 void
746 # +0x238 TlsExpansionBitmap : Ptr64 Void
747 # +0x240 TlsExpansionBitmapBits : [32] Uint4B
748 # +0x2c0 SessionId : Uint4B
749 # +0x2c8 AppCompatFlags : _ULARGE_INTEGER
750 # +0x2d0 AppCompatFlagsUser : _ULARGE_INTEGER
751 # +0x2d8 pShimData : Ptr64 Void
752 # +0x2e0 AppCompatInfo : Ptr64 Void
753 # +0x2e8 CSDVersion : _UNICODE_STRING
754 # +0x2f8 ActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA
755 # +0x300 ProcessAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP
756 # +0x308 SystemDefaultActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA
757 # +0x310 SystemAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP
758 # +0x318 MinimumStackCommit : Uint8B
759 # +0x320 FlsCallback : Ptr64 Ptr64 Void
760 # +0x328 FlsListHead : _LIST_ENTRY
761 # +0x338 FlsBitmap : Ptr64 Void
762 # +0x340 FlsBitmapBits : [4] Uint4B
763 # +0x350 FlsHighIndex : Uint4B
# 64-bit PEB layout matching the Ptr64 kd dump directly above.  The
# Uint8B entries in the dump (HeapSegmentReserve and friends,
# ImageProcessAffinityMask, MinimumStackCommit) are QWORD here; _pack_ = 8
# reproduces the alignment gaps the dump shows (e.g. Mutant at +0x008
# after BitField at +0x003).  Field order defines the layout; do not
# reorder.
# NOTE(review): only correct when PVOID/HANDLE are 8 bytes — confirm
# against `defines`.
_pack_ = 8
_fields_ = [
    ("InheritedAddressSpace", BOOLEAN),
    ("ReadImageFileExecOptions", UCHAR),
    ("BeingDebugged", BOOLEAN),
    ("BitField", UCHAR),
    ("Mutant", HANDLE),
    ("ImageBaseAddress", PVOID),
    ("Ldr", PVOID),  # PPEB_LDR_DATA
    ("ProcessParameters", PVOID),  # PRTL_USER_PROCESS_PARAMETERS
    ("SubSystemData", PVOID),
    ("ProcessHeap", PVOID),
    ("FastPebLock", PVOID),  # PRTL_CRITICAL_SECTION
    ("AtlThunkSListPtr", PVOID),
    ("SparePtr2", PVOID),
    ("EnvironmentUpdateCount", DWORD),
    ("KernelCallbackTable", PVOID),
    ("SystemReserved", DWORD),
    ("SpareUlong", DWORD),
    ("FreeList", PVOID),  # PPEB_FREE_BLOCK
    ("TlsExpansionCounter", DWORD),
    ("TlsBitmap", PVOID),
    ("TlsBitmapBits", DWORD * 2),
    ("ReadOnlySharedMemoryBase", PVOID),
    ("ReadOnlySharedMemoryHeap", PVOID),
    ("ReadOnlyStaticServerData", PVOID),  # Ptr64 Ptr64 Void
    ("AnsiCodePageData", PVOID),
    ("OemCodePageData", PVOID),
    ("UnicodeCaseTableData", PVOID),
    ("NumberOfProcessors", DWORD),
    ("NtGlobalFlag", DWORD),
    ("CriticalSectionTimeout", LONGLONG),  # LARGE_INTEGER
    ("HeapSegmentReserve", QWORD),
    ("HeapSegmentCommit", QWORD),
    ("HeapDeCommitTotalFreeThreshold", QWORD),
    ("HeapDeCommitFreeBlockThreshold", QWORD),
    ("NumberOfHeaps", DWORD),
    ("MaximumNumberOfHeaps", DWORD),
    ("ProcessHeaps", PVOID),  # Ptr64 Ptr64 Void
    ("GdiSharedHandleTable", PVOID),
    ("ProcessStarterHelper", PVOID),
    ("GdiDCAttributeList", DWORD),
    ("LoaderLock", PVOID),  # PRTL_CRITICAL_SECTION
    ("OSMajorVersion", DWORD),
    ("OSMinorVersion", DWORD),
    ("OSBuildNumber", WORD),
    ("OSCSDVersion", WORD),
    ("OSPlatformId", DWORD),
    ("ImageSubsystem", DWORD),
    ("ImageSubsystemMajorVersion", DWORD),
    ("ImageSubsystemMinorVersion", DWORD),
    ("ImageProcessAffinityMask", QWORD),
    ("GdiHandleBuffer", DWORD * 60),
    ("PostProcessInitRoutine", PPS_POST_PROCESS_INIT_ROUTINE),
    ("TlsExpansionBitmap", PVOID),
    ("TlsExpansionBitmapBits", DWORD * 32),
    ("SessionId", DWORD),
    ("AppCompatFlags", ULONGLONG),  # ULARGE_INTEGER
    ("AppCompatFlagsUser", ULONGLONG),  # ULARGE_INTEGER
    ("pShimData", PVOID),
    ("AppCompatInfo", PVOID),
    ("CSDVersion", UNICODE_STRING),
    ("ActivationContextData", PVOID),  # ACTIVATION_CONTEXT_DATA
    ("ProcessAssemblyStorageMap", PVOID),  # ASSEMBLY_STORAGE_MAP
    ("SystemDefaultActivationContextData", PVOID),  # ACTIVATION_CONTEXT_DATA
    ("SystemAssemblyStorageMap", PVOID),  # ASSEMBLY_STORAGE_MAP
    ("MinimumStackCommit", QWORD),
    ("FlsCallback", PVOID),  # Ptr64 Ptr64 Void
    ("FlsListHead", LIST_ENTRY),
    ("FlsBitmap", PVOID),
    ("FlsBitmapBits", DWORD * 4),
    ("FlsHighIndex", DWORD),
]
838
839 # +0x000 InheritedAddressSpace : UChar
840 # +0x001 ReadImageFileExecOptions : UChar
841 # +0x002 BeingDebugged : UChar
842 # +0x003 BitField : UChar
843 # +0x003 ImageUsesLargePages : Pos 0, 1 Bit
844 # +0x003 SpareBits : Pos 1, 7 Bits
845 # +0x004 Mutant : Ptr32 Void
846 # +0x008 ImageBaseAddress : Ptr32 Void
847 # +0x00c Ldr : Ptr32 _PEB_LDR_DATA
848 # +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS
849 # +0x014 SubSystemData : Ptr32 Void
850 # +0x018 ProcessHeap : Ptr32 Void
851 # +0x01c FastPebLock : Ptr32 _RTL_CRITICAL_SECTION
852 # +0x020 AtlThunkSListPtr : Ptr32 Void
853 # +0x024 SparePtr2 : Ptr32 Void
854 # +0x028 EnvironmentUpdateCount : Uint4B
855 # +0x02c KernelCallbackTable : Ptr32 Void
856 # +0x030 SystemReserved : [1] Uint4B
857 # +0x034 SpareUlong : Uint4B
858 # +0x038 FreeList : Ptr32 _PEB_FREE_BLOCK
859 # +0x03c TlsExpansionCounter : Uint4B
860 # +0x040 TlsBitmap : Ptr32 Void
861 # +0x044 TlsBitmapBits : [2] Uint4B
862 # +0x04c ReadOnlySharedMemoryBase : Ptr32 Void
863 # +0x050 ReadOnlySharedMemoryHeap : Ptr32 Void
864 # +0x054 ReadOnlyStaticServerData : Ptr32 Ptr32 Void
865 # +0x058 AnsiCodePageData : Ptr32 Void
866 # +0x05c OemCodePageData : Ptr32 Void
867 # +0x060 UnicodeCaseTableData : Ptr32 Void
868 # +0x064 NumberOfProcessors : Uint4B
869 # +0x068 NtGlobalFlag : Uint4B
870 # +0x070 CriticalSectionTimeout : _LARGE_INTEGER
871 # +0x078 HeapSegmentReserve : Uint4B
872 # +0x07c HeapSegmentCommit : Uint4B
873 # +0x080 HeapDeCommitTotalFreeThreshold : Uint4B
874 # +0x084 HeapDeCommitFreeBlockThreshold : Uint4B
875 # +0x088 NumberOfHeaps : Uint4B
876 # +0x08c MaximumNumberOfHeaps : Uint4B
877 # +0x090 ProcessHeaps : Ptr32 Ptr32 Void
878 # +0x094 GdiSharedHandleTable : Ptr32 Void
879 # +0x098 ProcessStarterHelper : Ptr32 Void
880 # +0x09c GdiDCAttributeList : Uint4B
881 # +0x0a0 LoaderLock : Ptr32 _RTL_CRITICAL_SECTION
882 # +0x0a4 OSMajorVersion : Uint4B
883 # +0x0a8 OSMinorVersion : Uint4B
884 # +0x0ac OSBuildNumber : Uint2B
885 # +0x0ae OSCSDVersion : Uint2B
886 # +0x0b0 OSPlatformId : Uint4B
887 # +0x0b4 ImageSubsystem : Uint4B
888 # +0x0b8 ImageSubsystemMajorVersion : Uint4B
889 # +0x0bc ImageSubsystemMinorVersion : Uint4B
890 # +0x0c0 ImageProcessAffinityMask : Uint4B
891 # +0x0c4 GdiHandleBuffer : [34] Uint4B
892 # +0x14c PostProcessInitRoutine : Ptr32 void
893 # +0x150 TlsExpansionBitmap : Ptr32 Void
894 # +0x154 TlsExpansionBitmapBits : [32] Uint4B
895 # +0x1d4 SessionId : Uint4B
896 # +0x1d8 AppCompatFlags : _ULARGE_INTEGER
897 # +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER
898 # +0x1e8 pShimData : Ptr32 Void
899 # +0x1ec AppCompatInfo : Ptr32 Void
900 # +0x1f0 CSDVersion : _UNICODE_STRING
901 # +0x1f8 ActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA
902 # +0x1fc ProcessAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP
903 # +0x200 SystemDefaultActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA
904 # +0x204 SystemAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP
905 # +0x208 MinimumStackCommit : Uint4B
906 # +0x20c FlsCallback : Ptr32 Ptr32 Void
907 # +0x210 FlsListHead : _LIST_ENTRY
908 # +0x218 FlsBitmap : Ptr32 Void
909 # +0x21c FlsBitmapBits : [4] Uint4B
910 # +0x22c FlsHighIndex : Uint4B
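# Memory layout of the 32-bit PEB for Windows Server 2003, as a ctypes
# field table.  Field order and widths *are* the layout: each entry must
# stay in step with the `dt _PEB` dump reproduced in the comment block
# above.  Bit-level members the dump shows inside BitField are not modelled
# as ctypes bit fields; the raw byte is exposed and callers mask it.
# Pointers to other structures are declared as PVOID and the pointed-to
# type is named in a trailing comment so the dump can be cross-checked.
# NOTE(review): PVOID/HANDLE widths come from `defines` (not shown); this
# table only reproduces the 32-bit dump when those are 4 bytes wide, i.e.
# under a 32-bit interpreter -- confirm before reading a 32-bit target
# from a 64-bit process.
_pack_ = 8  # 8-byte packing puts CriticalSectionTimeout at +0x070 after NtGlobalFlag (+0x068), as in the dump
_fields_ = [
    ("InheritedAddressSpace", BOOLEAN),
    ("ReadImageFileExecOptions", UCHAR),
    ("BeingDebugged", BOOLEAN),  # NOTE(review): presumably the byte IsDebuggerPresent() reports -- confirm
    ("BitField", UCHAR),
    ("Mutant", HANDLE),
    ("ImageBaseAddress", PVOID),
    ("Ldr", PVOID),  # PPEB_LDR_DATA
    ("ProcessParameters", PVOID),  # PRTL_USER_PROCESS_PARAMETERS
    ("SubSystemData", PVOID),
    ("ProcessHeap", PVOID),
    ("FastPebLock", PVOID),  # PRTL_CRITICAL_SECTION
    ("AtlThunkSListPtr", PVOID),
    ("SparePtr2", PVOID),
    ("EnvironmentUpdateCount", DWORD),
    ("KernelCallbackTable", PVOID),
    ("SystemReserved", DWORD),
    ("SpareUlong", DWORD),
    ("FreeList", PVOID),  # PPEB_FREE_BLOCK
    ("TlsExpansionCounter", DWORD),
    ("TlsBitmap", PVOID),
    ("TlsBitmapBits", DWORD * 2),  # dump: [2] Uint4B
    ("ReadOnlySharedMemoryBase", PVOID),
    ("ReadOnlySharedMemoryHeap", PVOID),
    ("ReadOnlyStaticServerData", PVOID),  # Ptr32 Ptr32 Void
    ("AnsiCodePageData", PVOID),
    ("OemCodePageData", PVOID),
    ("UnicodeCaseTableData", PVOID),
    ("NumberOfProcessors", DWORD),
    ("NtGlobalFlag", DWORD),
    ("CriticalSectionTimeout", LONGLONG),  # LARGE_INTEGER, 8-byte aligned by _pack_
    ("HeapSegmentReserve", DWORD),
    ("HeapSegmentCommit", DWORD),
    ("HeapDeCommitTotalFreeThreshold", DWORD),
    ("HeapDeCommitFreeBlockThreshold", DWORD),
    ("NumberOfHeaps", DWORD),
    ("MaximumNumberOfHeaps", DWORD),
    ("ProcessHeaps", PVOID),  # Ptr32 Ptr32 Void
    ("GdiSharedHandleTable", PVOID),
    ("ProcessStarterHelper", PVOID),
    ("GdiDCAttributeList", DWORD),
    ("LoaderLock", PVOID),  # PRTL_CRITICAL_SECTION
    ("OSMajorVersion", DWORD),
    ("OSMinorVersion", DWORD),
    ("OSBuildNumber", WORD),
    ("OSCSDVersion", WORD),
    ("OSPlatformId", DWORD),
    ("ImageSubsystem", DWORD),
    ("ImageSubsystemMajorVersion", DWORD),
    ("ImageSubsystemMinorVersion", DWORD),
    ("ImageProcessAffinityMask", DWORD),
    ("GdiHandleBuffer", DWORD * 34),  # dump: [34] Uint4B, +0x0c4 .. +0x14c
    ("PostProcessInitRoutine", PPS_POST_PROCESS_INIT_ROUTINE),
    ("TlsExpansionBitmap", PVOID),
    ("TlsExpansionBitmapBits", DWORD * 32),  # dump: [32] Uint4B
    ("SessionId", DWORD),
    ("AppCompatFlags", ULONGLONG),  # ULARGE_INTEGER
    ("AppCompatFlagsUser", ULONGLONG),  # ULARGE_INTEGER
    ("pShimData", PVOID),
    ("AppCompatInfo", PVOID),
    ("CSDVersion", UNICODE_STRING),
    ("ActivationContextData", PVOID),  # ACTIVATION_CONTEXT_DATA
    ("ProcessAssemblyStorageMap", PVOID),  # ASSEMBLY_STORAGE_MAP
    ("SystemDefaultActivationContextData", PVOID),  # ACTIVATION_CONTEXT_DATA
    ("SystemAssemblyStorageMap", PVOID),  # ASSEMBLY_STORAGE_MAP
    # The dump lists MinimumStackCommit as Uint4B at +0x208 with FlsCallback
    # at +0x20c.  It was declared as an 8-byte QWORD (the width it has only
    # in the 64-bit layouts), which pushed FlsCallback and every later field
    # 4 bytes down, so the FLS members were read at the wrong offsets.
    # DWORD matches the dump and the other 32-bit layouts in this file.
    ("MinimumStackCommit", DWORD),
    ("FlsCallback", PVOID),  # Ptr32 Ptr32 Void
    ("FlsListHead", LIST_ENTRY),
    ("FlsBitmap", PVOID),
    ("FlsBitmapBits", DWORD * 4),  # dump: [4] Uint4B
    ("FlsHighIndex", DWORD),
]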
985
# Server 2003 has no 64-bit PEB definition of its own: it reuses the XP
# 64-bit layout, and 2003 R2 reuses the 2003 layouts on both bitnesses.
# These are aliases, not copies -- a fix to the aliased class applies to all.
_PEB_2003_64 = _PEB_XP_64
_PEB_2003_R2 = _PEB_2003
_PEB_2003_R2_64 = _PEB_2003_64
989
990 # +0x000 InheritedAddressSpace : UChar
991 # +0x001 ReadImageFileExecOptions : UChar
992 # +0x002 BeingDebugged : UChar
993 # +0x003 BitField : UChar
994 # +0x003 ImageUsesLargePages : Pos 0, 1 Bit
995 # +0x003 IsProtectedProcess : Pos 1, 1 Bit
996 # +0x003 IsLegacyProcess : Pos 2, 1 Bit
997 # +0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit
998 # +0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit
999 # +0x003 SpareBits : Pos 5, 3 Bits
1000 # +0x004 Mutant : Ptr32 Void
1001 # +0x008 ImageBaseAddress : Ptr32 Void
1002 # +0x00c Ldr : Ptr32 _PEB_LDR_DATA
1003 # +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS
1004 # +0x014 SubSystemData : Ptr32 Void
1005 # +0x018 ProcessHeap : Ptr32 Void
1006 # +0x01c FastPebLock : Ptr32 _RTL_CRITICAL_SECTION
1007 # +0x020 AtlThunkSListPtr : Ptr32 Void
1008 # +0x024 IFEOKey : Ptr32 Void
1009 # +0x028 CrossProcessFlags : Uint4B
1010 # +0x028 ProcessInJob : Pos 0, 1 Bit
1011 # +0x028 ProcessInitializing : Pos 1, 1 Bit
1012 # +0x028 ProcessUsingVEH : Pos 2, 1 Bit
1013 # +0x028 ProcessUsingVCH : Pos 3, 1 Bit
1014 # +0x028 ReservedBits0 : Pos 4, 28 Bits
1015 # +0x02c KernelCallbackTable : Ptr32 Void
1016 # +0x02c UserSharedInfoPtr : Ptr32 Void
1017 # +0x030 SystemReserved : [1] Uint4B
1018 # +0x034 SpareUlong : Uint4B
1019 # +0x038 SparePebPtr0 : Uint4B
1020 # +0x03c TlsExpansionCounter : Uint4B
1021 # +0x040 TlsBitmap : Ptr32 Void
1022 # +0x044 TlsBitmapBits : [2] Uint4B
1023 # +0x04c ReadOnlySharedMemoryBase : Ptr32 Void
1024 # +0x050 HotpatchInformation : Ptr32 Void
1025 # +0x054 ReadOnlyStaticServerData : Ptr32 Ptr32 Void
1026 # +0x058 AnsiCodePageData : Ptr32 Void
1027 # +0x05c OemCodePageData : Ptr32 Void
1028 # +0x060 UnicodeCaseTableData : Ptr32 Void
1029 # +0x064 NumberOfProcessors : Uint4B
1030 # +0x068 NtGlobalFlag : Uint4B
1031 # +0x070 CriticalSectionTimeout : _LARGE_INTEGER
1032 # +0x078 HeapSegmentReserve : Uint4B
1033 # +0x07c HeapSegmentCommit : Uint4B
1034 # +0x080 HeapDeCommitTotalFreeThreshold : Uint4B
1035 # +0x084 HeapDeCommitFreeBlockThreshold : Uint4B
1036 # +0x088 NumberOfHeaps : Uint4B
1037 # +0x08c MaximumNumberOfHeaps : Uint4B
1038 # +0x090 ProcessHeaps : Ptr32 Ptr32 Void
1039 # +0x094 GdiSharedHandleTable : Ptr32 Void
1040 # +0x098 ProcessStarterHelper : Ptr32 Void
1041 # +0x09c GdiDCAttributeList : Uint4B
1042 # +0x0a0 LoaderLock : Ptr32 _RTL_CRITICAL_SECTION
1043 # +0x0a4 OSMajorVersion : Uint4B
1044 # +0x0a8 OSMinorVersion : Uint4B
1045 # +0x0ac OSBuildNumber : Uint2B
1046 # +0x0ae OSCSDVersion : Uint2B
1047 # +0x0b0 OSPlatformId : Uint4B
1048 # +0x0b4 ImageSubsystem : Uint4B
1049 # +0x0b8 ImageSubsystemMajorVersion : Uint4B
1050 # +0x0bc ImageSubsystemMinorVersion : Uint4B
1051 # +0x0c0 ActiveProcessAffinityMask : Uint4B
1052 # +0x0c4 GdiHandleBuffer : [34] Uint4B
1053 # +0x14c PostProcessInitRoutine : Ptr32 void
1054 # +0x150 TlsExpansionBitmap : Ptr32 Void
1055 # +0x154 TlsExpansionBitmapBits : [32] Uint4B
1056 # +0x1d4 SessionId : Uint4B
1057 # +0x1d8 AppCompatFlags : _ULARGE_INTEGER
1058 # +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER
1059 # +0x1e8 pShimData : Ptr32 Void
1060 # +0x1ec AppCompatInfo : Ptr32 Void
1061 # +0x1f0 CSDVersion : _UNICODE_STRING
1062 # +0x1f8 ActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA
1063 # +0x1fc ProcessAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP
1064 # +0x200 SystemDefaultActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA
1065 # +0x204 SystemAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP
1066 # +0x208 MinimumStackCommit : Uint4B
1067 # +0x20c FlsCallback : Ptr32 _FLS_CALLBACK_INFO
1068 # +0x210 FlsListHead : _LIST_ENTRY
1069 # +0x218 FlsBitmap : Ptr32 Void
1070 # +0x21c FlsBitmapBits : [4] Uint4B
1071 # +0x22c FlsHighIndex : Uint4B
1072 # +0x230 WerRegistrationData : Ptr32 Void
1073 # +0x234 WerShipAssertPtr : Ptr32 Void
# Memory layout of the 32-bit PEB for Windows Server 2008, as a ctypes
# field table.  Field order and widths *are* the layout: each entry must
# stay in step with the `dt _PEB` dump reproduced in the comment block
# above.  Bit-level members the dump shows inside BitField and
# CrossProcessFlags are not modelled as ctypes bit fields; the raw
# byte/dword is exposed and callers mask it.  The union the dump shows at
# +0x02c (KernelCallbackTable / UserSharedInfoPtr) is not a ctypes Union
# either; the UserSharedInfoPtr property below presumably covers it.
# NOTE(review): PVOID/HANDLE widths come from `defines` (not shown); this
# table only reproduces the 32-bit dump when those are 4 bytes wide, i.e.
# under a 32-bit interpreter -- confirm before reading a 32-bit target
# from a 64-bit process.
_pack_ = 8  # 8-byte packing puts CriticalSectionTimeout at +0x070 after NtGlobalFlag (+0x068), as in the dump
_fields_ = [
    ("InheritedAddressSpace", BOOLEAN),
    ("ReadImageFileExecOptions", UCHAR),
    ("BeingDebugged", BOOLEAN),  # NOTE(review): presumably the byte IsDebuggerPresent() reports -- confirm
    ("BitField", UCHAR),  # dump: ImageUsesLargePages .. SpareBits packed in this byte
    ("Mutant", HANDLE),
    ("ImageBaseAddress", PVOID),
    ("Ldr", PVOID),  # PPEB_LDR_DATA
    ("ProcessParameters", PVOID),  # PRTL_USER_PROCESS_PARAMETERS
    ("SubSystemData", PVOID),
    ("ProcessHeap", PVOID),
    ("FastPebLock", PVOID),  # PRTL_CRITICAL_SECTION
    ("AtlThunkSListPtr", PVOID),
    ("IFEOKey", PVOID),
    ("CrossProcessFlags", DWORD),  # dump: ProcessInJob .. ReservedBits0 packed in this dword
    ("KernelCallbackTable", PVOID),  # dump overlays UserSharedInfoPtr at this offset (+0x02c)
    ("SystemReserved", DWORD),  # dump: [1] Uint4B
    ("SpareUlong", DWORD),
    ("SparePebPtr0", PVOID),  # dump: Uint4B; same width as PVOID only on a 32-bit interpreter
    ("TlsExpansionCounter", DWORD),
    ("TlsBitmap", PVOID),
    ("TlsBitmapBits", DWORD * 2),  # dump: [2] Uint4B
    ("ReadOnlySharedMemoryBase", PVOID),
    ("HotpatchInformation", PVOID),
    ("ReadOnlyStaticServerData", PVOID),  # Ptr32 Ptr32 Void
    ("AnsiCodePageData", PVOID),
    ("OemCodePageData", PVOID),
    ("UnicodeCaseTableData", PVOID),
    ("NumberOfProcessors", DWORD),
    ("NtGlobalFlag", DWORD),
    ("CriticalSectionTimeout", LONGLONG),  # LARGE_INTEGER, 8-byte aligned by _pack_
    ("HeapSegmentReserve", DWORD),
    ("HeapSegmentCommit", DWORD),
    ("HeapDeCommitTotalFreeThreshold", DWORD),
    ("HeapDeCommitFreeBlockThreshold", DWORD),
    ("NumberOfHeaps", DWORD),
    ("MaximumNumberOfHeaps", DWORD),
    ("ProcessHeaps", PVOID),  # Ptr32 Ptr32 Void
    ("GdiSharedHandleTable", PVOID),
    ("ProcessStarterHelper", PVOID),
    ("GdiDCAttributeList", DWORD),
    ("LoaderLock", PVOID),  # PRTL_CRITICAL_SECTION
    ("OSMajorVersion", DWORD),
    ("OSMinorVersion", DWORD),
    ("OSBuildNumber", WORD),
    ("OSCSDVersion", WORD),
    ("OSPlatformId", DWORD),
    ("ImageSubsystem", DWORD),
    ("ImageSubsystemMajorVersion", DWORD),
    ("ImageSubsystemMinorVersion", DWORD),
    ("ActiveProcessAffinityMask", DWORD),
    ("GdiHandleBuffer", DWORD * 34),  # dump: [34] Uint4B, +0x0c4 .. +0x14c
    ("PostProcessInitRoutine", PPS_POST_PROCESS_INIT_ROUTINE),
    ("TlsExpansionBitmap", PVOID),
    ("TlsExpansionBitmapBits", DWORD * 32),  # dump: [32] Uint4B
    ("SessionId", DWORD),
    ("AppCompatFlags", ULONGLONG),  # ULARGE_INTEGER
    ("AppCompatFlagsUser", ULONGLONG),  # ULARGE_INTEGER
    ("pShimData", PVOID),
    ("AppCompatInfo", PVOID),
    ("CSDVersion", UNICODE_STRING),
    ("ActivationContextData", PVOID),  # ACTIVATION_CONTEXT_DATA
    ("ProcessAssemblyStorageMap", PVOID),  # ASSEMBLY_STORAGE_MAP
    ("SystemDefaultActivationContextData", PVOID),  # ACTIVATION_CONTEXT_DATA
    ("SystemAssemblyStorageMap", PVOID),  # ASSEMBLY_STORAGE_MAP
    ("MinimumStackCommit", DWORD),  # dump: Uint4B at +0x208, keeps FlsCallback at +0x20c
    ("FlsCallback", PVOID),  # PFLS_CALLBACK_INFO
    ("FlsListHead", LIST_ENTRY),
    ("FlsBitmap", PVOID),
    ("FlsBitmapBits", DWORD * 4),  # dump: [4] Uint4B
    ("FlsHighIndex", DWORD),
    ("WerRegistrationData", PVOID),
    ("WerShipAssertPtr", PVOID),
]
# Exposes the getter/setter pair defined just above (outside this view) as a
# property.  The dump lists UserSharedInfoPtr at the same offset as
# KernelCallbackTable (+0x02c), so the accessors presumably alias that
# field -- confirm against the getter.
UserSharedInfoPtr = property(__get_UserSharedInfoPtr, __set_UserSharedInfoPtr)
1155
1156 # +0x000 InheritedAddressSpace : UChar
1157 # +0x001 ReadImageFileExecOptions : UChar
1158 # +0x002 BeingDebugged : UChar
1159 # +0x003 BitField : UChar
1160 # +0x003 ImageUsesLargePages : Pos 0, 1 Bit
1161 # +0x003 IsProtectedProcess : Pos 1, 1 Bit
1162 # +0x003 IsLegacyProcess : Pos 2, 1 Bit
1163 # +0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit
1164 # +0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit
1165 # +0x003 SpareBits : Pos 5, 3 Bits
1166 # +0x008 Mutant : Ptr64 Void
1167 # +0x010 ImageBaseAddress : Ptr64 Void
1168 # +0x018 Ldr : Ptr64 _PEB_LDR_DATA
1169 # +0x020 ProcessParameters : Ptr64 _RTL_USER_PROCESS_PARAMETERS
1170 # +0x028 SubSystemData : Ptr64 Void
1171 # +0x030 ProcessHeap : Ptr64 Void
1172 # +0x038 FastPebLock : Ptr64 _RTL_CRITICAL_SECTION
1173 # +0x040 AtlThunkSListPtr : Ptr64 Void
1174 # +0x048 IFEOKey : Ptr64 Void
1175 # +0x050 CrossProcessFlags : Uint4B
1176 # +0x050 ProcessInJob : Pos 0, 1 Bit
1177 # +0x050 ProcessInitializing : Pos 1, 1 Bit
1178 # +0x050 ProcessUsingVEH : Pos 2, 1 Bit
1179 # +0x050 ProcessUsingVCH : Pos 3, 1 Bit
1180 # +0x050 ReservedBits0 : Pos 4, 28 Bits
1181 # +0x058 KernelCallbackTable : Ptr64 Void
1182 # +0x058 UserSharedInfoPtr : Ptr64 Void
1183 # +0x060 SystemReserved : [1] Uint4B
1184 # +0x064 SpareUlong : Uint4B
1185 # +0x068 SparePebPtr0 : Uint8B
1186 # +0x070 TlsExpansionCounter : Uint4B
1187 # +0x078 TlsBitmap : Ptr64 Void
1188 # +0x080 TlsBitmapBits : [2] Uint4B
1189 # +0x088 ReadOnlySharedMemoryBase : Ptr64 Void
1190 # +0x090 HotpatchInformation : Ptr64 Void
1191 # +0x098 ReadOnlyStaticServerData : Ptr64 Ptr64 Void
1192 # +0x0a0 AnsiCodePageData : Ptr64 Void
1193 # +0x0a8 OemCodePageData : Ptr64 Void
1194 # +0x0b0 UnicodeCaseTableData : Ptr64 Void
1195 # +0x0b8 NumberOfProcessors : Uint4B
1196 # +0x0bc NtGlobalFlag : Uint4B
1197 # +0x0c0 CriticalSectionTimeout : _LARGE_INTEGER
1198 # +0x0c8 HeapSegmentReserve : Uint8B
1199 # +0x0d0 HeapSegmentCommit : Uint8B
1200 # +0x0d8 HeapDeCommitTotalFreeThreshold : Uint8B
1201 # +0x0e0 HeapDeCommitFreeBlockThreshold : Uint8B
1202 # +0x0e8 NumberOfHeaps : Uint4B
1203 # +0x0ec MaximumNumberOfHeaps : Uint4B
1204 # +0x0f0 ProcessHeaps : Ptr64 Ptr64 Void
1205 # +0x0f8 GdiSharedHandleTable : Ptr64 Void
1206 # +0x100 ProcessStarterHelper : Ptr64 Void
1207 # +0x108 GdiDCAttributeList : Uint4B
1208 # +0x110 LoaderLock : Ptr64 _RTL_CRITICAL_SECTION
1209 # +0x118 OSMajorVersion : Uint4B
1210 # +0x11c OSMinorVersion : Uint4B
1211 # +0x120 OSBuildNumber : Uint2B
1212 # +0x122 OSCSDVersion : Uint2B
1213 # +0x124 OSPlatformId : Uint4B
1214 # +0x128 ImageSubsystem : Uint4B
1215 # +0x12c ImageSubsystemMajorVersion : Uint4B
1216 # +0x130 ImageSubsystemMinorVersion : Uint4B
1217 # +0x138 ActiveProcessAffinityMask : Uint8B
1218 # +0x140 GdiHandleBuffer : [60] Uint4B
1219 # +0x230 PostProcessInitRoutine : Ptr64 void
1220 # +0x238 TlsExpansionBitmap : Ptr64 Void
1221 # +0x240 TlsExpansionBitmapBits : [32] Uint4B
1222 # +0x2c0 SessionId : Uint4B
1223 # +0x2c8 AppCompatFlags : _ULARGE_INTEGER
1224 # +0x2d0 AppCompatFlagsUser : _ULARGE_INTEGER
1225 # +0x2d8 pShimData : Ptr64 Void
1226 # +0x2e0 AppCompatInfo : Ptr64 Void
1227 # +0x2e8 CSDVersion : _UNICODE_STRING
1228 # +0x2f8 ActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA
1229 # +0x300 ProcessAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP
1230 # +0x308 SystemDefaultActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA
1231 # +0x310 SystemAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP
1232 # +0x318 MinimumStackCommit : Uint8B
1233 # +0x320 FlsCallback : Ptr64 _FLS_CALLBACK_INFO
1234 # +0x328 FlsListHead : _LIST_ENTRY
1235 # +0x338 FlsBitmap : Ptr64 Void
1236 # +0x340 FlsBitmapBits : [4] Uint4B
1237 # +0x350 FlsHighIndex : Uint4B
1238 # +0x358 WerRegistrationData : Ptr64 Void
1239 # +0x360 WerShipAssertPtr : Ptr64 Void
# Memory layout of the 64-bit PEB for Windows Server 2008, as a ctypes
# field table.  Field order and widths *are* the layout: each entry must
# stay in step with the `dt _PEB` dump reproduced in the comment block
# above.  Compared with the 32-bit table, members the dump shows as Uint8B
# (HeapSegmentReserve .. HeapDeCommitFreeBlockThreshold,
# ActiveProcessAffinityMask, MinimumStackCommit) are QWORD and
# GdiHandleBuffer has 60 entries instead of 34; pointers stay PVOID.
# Bit-level members the dump shows inside BitField and CrossProcessFlags
# are not modelled as ctypes bit fields; callers mask the raw value.
# NOTE(review): PVOID/HANDLE widths come from `defines` (not shown); this
# table only reproduces the 64-bit dump when those are 8 bytes wide, i.e.
# under a 64-bit interpreter -- confirm.
_pack_ = 8  # 8-byte packing; CriticalSectionTimeout lands at +0x0c0 after NtGlobalFlag (+0x0bc), as in the dump
_fields_ = [
    ("InheritedAddressSpace", BOOLEAN),
    ("ReadImageFileExecOptions", UCHAR),
    ("BeingDebugged", BOOLEAN),  # NOTE(review): presumably the byte IsDebuggerPresent() reports -- confirm
    ("BitField", UCHAR),  # dump: ImageUsesLargePages .. SpareBits packed in this byte
    ("Mutant", HANDLE),  # dump: +0x008, i.e. 4 bytes of padding after BitField
    ("ImageBaseAddress", PVOID),
    ("Ldr", PVOID),  # PPEB_LDR_DATA
    ("ProcessParameters", PVOID),  # PRTL_USER_PROCESS_PARAMETERS
    ("SubSystemData", PVOID),
    ("ProcessHeap", PVOID),
    ("FastPebLock", PVOID),  # PRTL_CRITICAL_SECTION
    ("AtlThunkSListPtr", PVOID),
    ("IFEOKey", PVOID),
    ("CrossProcessFlags", DWORD),  # dump: ProcessInJob .. ReservedBits0 packed in this dword
    ("KernelCallbackTable", PVOID),  # dump overlays UserSharedInfoPtr at this offset (+0x058)
    ("SystemReserved", DWORD),  # dump: [1] Uint4B
    ("SpareUlong", DWORD),
    ("SparePebPtr0", PVOID),  # dump: Uint8B
    ("TlsExpansionCounter", DWORD),
    ("TlsBitmap", PVOID),
    ("TlsBitmapBits", DWORD * 2),  # dump: [2] Uint4B
    ("ReadOnlySharedMemoryBase", PVOID),
    ("HotpatchInformation", PVOID),
    ("ReadOnlyStaticServerData", PVOID),  # Ptr64 Ptr64 Void
    ("AnsiCodePageData", PVOID),
    ("OemCodePageData", PVOID),
    ("UnicodeCaseTableData", PVOID),
    ("NumberOfProcessors", DWORD),
    ("NtGlobalFlag", DWORD),
    ("CriticalSectionTimeout", LONGLONG),  # LARGE_INTEGER
    ("HeapSegmentReserve", QWORD),  # dump: Uint8B
    ("HeapSegmentCommit", QWORD),  # dump: Uint8B
    ("HeapDeCommitTotalFreeThreshold", QWORD),  # dump: Uint8B
    ("HeapDeCommitFreeBlockThreshold", QWORD),  # dump: Uint8B
    ("NumberOfHeaps", DWORD),
    ("MaximumNumberOfHeaps", DWORD),
    ("ProcessHeaps", PVOID),  # Ptr64 Ptr64 Void
    ("GdiSharedHandleTable", PVOID),
    ("ProcessStarterHelper", PVOID),
    ("GdiDCAttributeList", DWORD),
    ("LoaderLock", PVOID),  # PRTL_CRITICAL_SECTION
    ("OSMajorVersion", DWORD),
    ("OSMinorVersion", DWORD),
    ("OSBuildNumber", WORD),
    ("OSCSDVersion", WORD),
    ("OSPlatformId", DWORD),
    ("ImageSubsystem", DWORD),
    ("ImageSubsystemMajorVersion", DWORD),
    ("ImageSubsystemMinorVersion", DWORD),
    ("ActiveProcessAffinityMask", QWORD),  # dump: Uint8B at +0x138
    ("GdiHandleBuffer", DWORD * 60),  # dump: [60] Uint4B, +0x140 .. +0x230
    ("PostProcessInitRoutine", PPS_POST_PROCESS_INIT_ROUTINE),
    ("TlsExpansionBitmap", PVOID),
    ("TlsExpansionBitmapBits", DWORD * 32),  # dump: [32] Uint4B
    ("SessionId", DWORD),
    ("AppCompatFlags", ULONGLONG),  # ULARGE_INTEGER
    ("AppCompatFlagsUser", ULONGLONG),  # ULARGE_INTEGER
    ("pShimData", PVOID),
    ("AppCompatInfo", PVOID),
    ("CSDVersion", UNICODE_STRING),
    ("ActivationContextData", PVOID),  # ACTIVATION_CONTEXT_DATA
    ("ProcessAssemblyStorageMap", PVOID),  # ASSEMBLY_STORAGE_MAP
    ("SystemDefaultActivationContextData", PVOID),  # ACTIVATION_CONTEXT_DATA
    ("SystemAssemblyStorageMap", PVOID),  # ASSEMBLY_STORAGE_MAP
    ("MinimumStackCommit", QWORD),  # dump: Uint8B
    ("FlsCallback", PVOID),  # PFLS_CALLBACK_INFO
    ("FlsListHead", LIST_ENTRY),
    ("FlsBitmap", PVOID),
    ("FlsBitmapBits", DWORD * 4),  # dump: [4] Uint4B
    ("FlsHighIndex", DWORD),
    ("WerRegistrationData", PVOID),
    ("WerShipAssertPtr", PVOID),
]
# Exposes the getter/setter pair defined just above (outside this view) as a
# property.  The dump lists UserSharedInfoPtr at the same offset as
# KernelCallbackTable (+0x058), so the accessors presumably alias that
# field -- confirm against the getter.
UserSharedInfoPtr = property(__get_UserSharedInfoPtr, __set_UserSharedInfoPtr)
1321
1322 # +0x000 InheritedAddressSpace : UChar
1323 # +0x001 ReadImageFileExecOptions : UChar
1324 # +0x002 BeingDebugged : UChar
1325 # +0x003 BitField : UChar
1326 # +0x003 ImageUsesLargePages : Pos 0, 1 Bit
1327 # +0x003 IsProtectedProcess : Pos 1, 1 Bit
1328 # +0x003 IsLegacyProcess : Pos 2, 1 Bit
1329 # +0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit
1330 # +0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit
1331 # +0x003 SpareBits : Pos 5, 3 Bits
1332 # +0x004 Mutant : Ptr32 Void
1333 # +0x008 ImageBaseAddress : Ptr32 Void
1334 # +0x00c Ldr : Ptr32 _PEB_LDR_DATA
1335 # +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS
1336 # +0x014 SubSystemData : Ptr32 Void
1337 # +0x018 ProcessHeap : Ptr32 Void
1338 # +0x01c FastPebLock : Ptr32 _RTL_CRITICAL_SECTION
1339 # +0x020 AtlThunkSListPtr : Ptr32 Void
1340 # +0x024 IFEOKey : Ptr32 Void
1341 # +0x028 CrossProcessFlags : Uint4B
1342 # +0x028 ProcessInJob : Pos 0, 1 Bit
1343 # +0x028 ProcessInitializing : Pos 1, 1 Bit
1344 # +0x028 ProcessUsingVEH : Pos 2, 1 Bit
1345 # +0x028 ProcessUsingVCH : Pos 3, 1 Bit
1346 # +0x028 ProcessUsingFTH : Pos 4, 1 Bit
1347 # +0x028 ReservedBits0 : Pos 5, 27 Bits
1348 # +0x02c KernelCallbackTable : Ptr32 Void
1349 # +0x02c UserSharedInfoPtr : Ptr32 Void
1350 # +0x030 SystemReserved : [1] Uint4B
1351 # +0x034 AtlThunkSListPtr32 : Uint4B
1352 # +0x038 ApiSetMap : Ptr32 Void
1353 # +0x03c TlsExpansionCounter : Uint4B
1354 # +0x040 TlsBitmap : Ptr32 Void
1355 # +0x044 TlsBitmapBits : [2] Uint4B
1356 # +0x04c ReadOnlySharedMemoryBase : Ptr32 Void
1357 # +0x050 HotpatchInformation : Ptr32 Void
1358 # +0x054 ReadOnlyStaticServerData : Ptr32 Ptr32 Void
1359 # +0x058 AnsiCodePageData : Ptr32 Void
1360 # +0x05c OemCodePageData : Ptr32 Void
1361 # +0x060 UnicodeCaseTableData : Ptr32 Void
1362 # +0x064 NumberOfProcessors : Uint4B
1363 # +0x068 NtGlobalFlag : Uint4B
1364 # +0x070 CriticalSectionTimeout : _LARGE_INTEGER
1365 # +0x078 HeapSegmentReserve : Uint4B
1366 # +0x07c HeapSegmentCommit : Uint4B
1367 # +0x080 HeapDeCommitTotalFreeThreshold : Uint4B
1368 # +0x084 HeapDeCommitFreeBlockThreshold : Uint4B
1369 # +0x088 NumberOfHeaps : Uint4B
1370 # +0x08c MaximumNumberOfHeaps : Uint4B
1371 # +0x090 ProcessHeaps : Ptr32 Ptr32 Void
1372 # +0x094 GdiSharedHandleTable : Ptr32 Void
1373 # +0x098 ProcessStarterHelper : Ptr32 Void
1374 # +0x09c GdiDCAttributeList : Uint4B
1375 # +0x0a0 LoaderLock : Ptr32 _RTL_CRITICAL_SECTION
1376 # +0x0a4 OSMajorVersion : Uint4B
1377 # +0x0a8 OSMinorVersion : Uint4B
1378 # +0x0ac OSBuildNumber : Uint2B
1379 # +0x0ae OSCSDVersion : Uint2B
1380 # +0x0b0 OSPlatformId : Uint4B
1381 # +0x0b4 ImageSubsystem : Uint4B
1382 # +0x0b8 ImageSubsystemMajorVersion : Uint4B
1383 # +0x0bc ImageSubsystemMinorVersion : Uint4B
1384 # +0x0c0 ActiveProcessAffinityMask : Uint4B
1385 # +0x0c4 GdiHandleBuffer : [34] Uint4B
1386 # +0x14c PostProcessInitRoutine : Ptr32 void
1387 # +0x150 TlsExpansionBitmap : Ptr32 Void
1388 # +0x154 TlsExpansionBitmapBits : [32] Uint4B
1389 # +0x1d4 SessionId : Uint4B
1390 # +0x1d8 AppCompatFlags : _ULARGE_INTEGER
1391 # +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER
1392 # +0x1e8 pShimData : Ptr32 Void
1393 # +0x1ec AppCompatInfo : Ptr32 Void
1394 # +0x1f0 CSDVersion : _UNICODE_STRING
1395 # +0x1f8 ActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA
1396 # +0x1fc ProcessAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP
1397 # +0x200 SystemDefaultActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA
1398 # +0x204 SystemAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP
1399 # +0x208 MinimumStackCommit : Uint4B
1400 # +0x20c FlsCallback : Ptr32 _FLS_CALLBACK_INFO
1401 # +0x210 FlsListHead : _LIST_ENTRY
1402 # +0x218 FlsBitmap : Ptr32 Void
1403 # +0x21c FlsBitmapBits : [4] Uint4B
1404 # +0x22c FlsHighIndex : Uint4B
1405 # +0x230 WerRegistrationData : Ptr32 Void
1406 # +0x234 WerShipAssertPtr : Ptr32 Void
1407 # +0x238 pContextData : Ptr32 Void
1408 # +0x23c pImageHeaderHash : Ptr32 Void
1409 # +0x240 TracingFlags : Uint4B
1410 # +0x240 HeapTracingEnabled : Pos 0, 1 Bit
1411 # +0x240 CritSecTracingEnabled : Pos 1, 1 Bit
1412 # +0x240 SpareTracingBits : Pos 2, 30 Bits
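# Memory layout of the 32-bit PEB for Windows Server 2008 R2, as a ctypes
# field table.  Field order and widths *are* the layout: each entry must
# stay in step with the `dt _PEB` dump reproduced in the comment block
# above.  Relative to the 2008 table, SpareUlong became AtlThunkSListPtr32,
# SparePebPtr0 became ApiSetMap, and pContextData, pImageHeaderHash and
# TracingFlags were appended.  Bit-level members the dump shows inside
# BitField, CrossProcessFlags and TracingFlags are not modelled as ctypes
# bit fields; the raw byte/dword is exposed and callers mask it.  The union
# the dump shows at +0x02c (KernelCallbackTable / UserSharedInfoPtr) is not
# a ctypes Union either; the UserSharedInfoPtr property below presumably
# covers it.
# NOTE(review): PVOID/HANDLE widths come from `defines` (not shown); this
# table only reproduces the 32-bit dump when those are 4 bytes wide, i.e.
# under a 32-bit interpreter -- confirm before reading a 32-bit target
# from a 64-bit process.
_pack_ = 8  # 8-byte packing puts CriticalSectionTimeout at +0x070 after NtGlobalFlag (+0x068), as in the dump
_fields_ = [
    ("InheritedAddressSpace", BOOLEAN),
    ("ReadImageFileExecOptions", UCHAR),
    ("BeingDebugged", BOOLEAN),  # NOTE(review): presumably the byte IsDebuggerPresent() reports -- confirm
    ("BitField", UCHAR),  # dump: ImageUsesLargePages .. SpareBits packed in this byte
    ("Mutant", HANDLE),
    ("ImageBaseAddress", PVOID),
    ("Ldr", PVOID),  # PPEB_LDR_DATA
    ("ProcessParameters", PVOID),  # PRTL_USER_PROCESS_PARAMETERS
    ("SubSystemData", PVOID),
    ("ProcessHeap", PVOID),
    ("FastPebLock", PVOID),  # PRTL_CRITICAL_SECTION
    ("AtlThunkSListPtr", PVOID),
    ("IFEOKey", PVOID),
    ("CrossProcessFlags", DWORD),  # dump: ProcessInJob .. ReservedBits0 packed in this dword
    ("KernelCallbackTable", PVOID),  # dump overlays UserSharedInfoPtr at this offset (+0x02c)
    ("SystemReserved", DWORD),  # dump: [1] Uint4B
    # The dump lists this as Uint4B at +0x034 and the 64-bit table for the
    # same release declares it DWORD; it was declared PVOID here, which
    # reads back as a pointer object rather than the 32-bit integer the
    # layout describes and only matched the dump's width by accident of
    # interpreter bitness.  DWORD keeps the two tables in step.
    ("AtlThunkSListPtr32", DWORD),
    ("ApiSetMap", PVOID),
    ("TlsExpansionCounter", DWORD),
    ("TlsBitmap", PVOID),
    ("TlsBitmapBits", DWORD * 2),  # dump: [2] Uint4B
    ("ReadOnlySharedMemoryBase", PVOID),
    ("HotpatchInformation", PVOID),
    ("ReadOnlyStaticServerData", PVOID),  # Ptr32 Ptr32 Void
    ("AnsiCodePageData", PVOID),
    ("OemCodePageData", PVOID),
    ("UnicodeCaseTableData", PVOID),
    ("NumberOfProcessors", DWORD),
    ("NtGlobalFlag", DWORD),
    ("CriticalSectionTimeout", LONGLONG),  # LARGE_INTEGER, 8-byte aligned by _pack_
    ("HeapSegmentReserve", DWORD),
    ("HeapSegmentCommit", DWORD),
    ("HeapDeCommitTotalFreeThreshold", DWORD),
    ("HeapDeCommitFreeBlockThreshold", DWORD),
    ("NumberOfHeaps", DWORD),
    ("MaximumNumberOfHeaps", DWORD),
    ("ProcessHeaps", PVOID),  # Ptr32 Ptr32 Void
    ("GdiSharedHandleTable", PVOID),
    ("ProcessStarterHelper", PVOID),
    ("GdiDCAttributeList", DWORD),
    ("LoaderLock", PVOID),  # PRTL_CRITICAL_SECTION
    ("OSMajorVersion", DWORD),
    ("OSMinorVersion", DWORD),
    ("OSBuildNumber", WORD),
    ("OSCSDVersion", WORD),
    ("OSPlatformId", DWORD),
    ("ImageSubsystem", DWORD),
    ("ImageSubsystemMajorVersion", DWORD),
    ("ImageSubsystemMinorVersion", DWORD),
    ("ActiveProcessAffinityMask", DWORD),
    ("GdiHandleBuffer", DWORD * 34),  # dump: [34] Uint4B, +0x0c4 .. +0x14c
    ("PostProcessInitRoutine", PPS_POST_PROCESS_INIT_ROUTINE),
    ("TlsExpansionBitmap", PVOID),
    ("TlsExpansionBitmapBits", DWORD * 32),  # dump: [32] Uint4B
    ("SessionId", DWORD),
    ("AppCompatFlags", ULONGLONG),  # ULARGE_INTEGER
    ("AppCompatFlagsUser", ULONGLONG),  # ULARGE_INTEGER
    ("pShimData", PVOID),
    ("AppCompatInfo", PVOID),
    ("CSDVersion", UNICODE_STRING),
    ("ActivationContextData", PVOID),  # ACTIVATION_CONTEXT_DATA
    ("ProcessAssemblyStorageMap", PVOID),  # ASSEMBLY_STORAGE_MAP
    ("SystemDefaultActivationContextData", PVOID),  # ACTIVATION_CONTEXT_DATA
    ("SystemAssemblyStorageMap", PVOID),  # ASSEMBLY_STORAGE_MAP
    ("MinimumStackCommit", DWORD),  # dump: Uint4B at +0x208, keeps FlsCallback at +0x20c
    ("FlsCallback", PVOID),  # PFLS_CALLBACK_INFO
    ("FlsListHead", LIST_ENTRY),
    ("FlsBitmap", PVOID),
    ("FlsBitmapBits", DWORD * 4),  # dump: [4] Uint4B
    ("FlsHighIndex", DWORD),
    ("WerRegistrationData", PVOID),
    ("WerShipAssertPtr", PVOID),
    ("pContextData", PVOID),
    ("pImageHeaderHash", PVOID),
    ("TracingFlags", DWORD),  # dump: HeapTracingEnabled .. SpareTracingBits packed in this dword
]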
# Exposes the getter/setter pair defined just above (outside this view) as a
# property.  The dump lists UserSharedInfoPtr at the same offset as
# KernelCallbackTable (+0x02c), so the accessors presumably alias that
# field -- confirm against the getter.
UserSharedInfoPtr = property(__get_UserSharedInfoPtr, __set_UserSharedInfoPtr)
1497
1498 # +0x000 InheritedAddressSpace : UChar
1499 # +0x001 ReadImageFileExecOptions : UChar
1500 # +0x002 BeingDebugged : UChar
1501 # +0x003 BitField : UChar
1502 # +0x003 ImageUsesLargePages : Pos 0, 1 Bit
1503 # +0x003 IsProtectedProcess : Pos 1, 1 Bit
1504 # +0x003 IsLegacyProcess : Pos 2, 1 Bit
1505 # +0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit
1506 # +0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit
1507 # +0x003 SpareBits : Pos 5, 3 Bits
1508 # +0x008 Mutant : Ptr64 Void
1509 # +0x010 ImageBaseAddress : Ptr64 Void
1510 # +0x018 Ldr : Ptr64 _PEB_LDR_DATA
1511 # +0x020 ProcessParameters : Ptr64 _RTL_USER_PROCESS_PARAMETERS
1512 # +0x028 SubSystemData : Ptr64 Void
1513 # +0x030 ProcessHeap : Ptr64 Void
1514 # +0x038 FastPebLock : Ptr64 _RTL_CRITICAL_SECTION
1515 # +0x040 AtlThunkSListPtr : Ptr64 Void
1516 # +0x048 IFEOKey : Ptr64 Void
1517 # +0x050 CrossProcessFlags : Uint4B
1518 # +0x050 ProcessInJob : Pos 0, 1 Bit
1519 # +0x050 ProcessInitializing : Pos 1, 1 Bit
1520 # +0x050 ProcessUsingVEH : Pos 2, 1 Bit
1521 # +0x050 ProcessUsingVCH : Pos 3, 1 Bit
1522 # +0x050 ProcessUsingFTH : Pos 4, 1 Bit
1523 # +0x050 ReservedBits0 : Pos 5, 27 Bits
1524 # +0x058 KernelCallbackTable : Ptr64 Void
1525 # +0x058 UserSharedInfoPtr : Ptr64 Void
1526 # +0x060 SystemReserved : [1] Uint4B
1527 # +0x064 AtlThunkSListPtr32 : Uint4B
1528 # +0x068 ApiSetMap : Ptr64 Void
1529 # +0x070 TlsExpansionCounter : Uint4B
1530 # +0x078 TlsBitmap : Ptr64 Void
1531 # +0x080 TlsBitmapBits : [2] Uint4B
1532 # +0x088 ReadOnlySharedMemoryBase : Ptr64 Void
1533 # +0x090 HotpatchInformation : Ptr64 Void
1534 # +0x098 ReadOnlyStaticServerData : Ptr64 Ptr64 Void
1535 # +0x0a0 AnsiCodePageData : Ptr64 Void
1536 # +0x0a8 OemCodePageData : Ptr64 Void
1537 # +0x0b0 UnicodeCaseTableData : Ptr64 Void
1538 # +0x0b8 NumberOfProcessors : Uint4B
1539 # +0x0bc NtGlobalFlag : Uint4B
1540 # +0x0c0 CriticalSectionTimeout : _LARGE_INTEGER
1541 # +0x0c8 HeapSegmentReserve : Uint8B
1542 # +0x0d0 HeapSegmentCommit : Uint8B
1543 # +0x0d8 HeapDeCommitTotalFreeThreshold : Uint8B
1544 # +0x0e0 HeapDeCommitFreeBlockThreshold : Uint8B
1545 # +0x0e8 NumberOfHeaps : Uint4B
1546 # +0x0ec MaximumNumberOfHeaps : Uint4B
1547 # +0x0f0 ProcessHeaps : Ptr64 Ptr64 Void
1548 # +0x0f8 GdiSharedHandleTable : Ptr64 Void
1549 # +0x100 ProcessStarterHelper : Ptr64 Void
1550 # +0x108 GdiDCAttributeList : Uint4B
1551 # +0x110 LoaderLock : Ptr64 _RTL_CRITICAL_SECTION
1552 # +0x118 OSMajorVersion : Uint4B
1553 # +0x11c OSMinorVersion : Uint4B
1554 # +0x120 OSBuildNumber : Uint2B
1555 # +0x122 OSCSDVersion : Uint2B
1556 # +0x124 OSPlatformId : Uint4B
1557 # +0x128 ImageSubsystem : Uint4B
1558 # +0x12c ImageSubsystemMajorVersion : Uint4B
1559 # +0x130 ImageSubsystemMinorVersion : Uint4B
1560 # +0x138 ActiveProcessAffinityMask : Uint8B
1561 # +0x140 GdiHandleBuffer : [60] Uint4B
1562 # +0x230 PostProcessInitRoutine : Ptr64 void
1563 # +0x238 TlsExpansionBitmap : Ptr64 Void
1564 # +0x240 TlsExpansionBitmapBits : [32] Uint4B
1565 # +0x2c0 SessionId : Uint4B
1566 # +0x2c8 AppCompatFlags : _ULARGE_INTEGER
1567 # +0x2d0 AppCompatFlagsUser : _ULARGE_INTEGER
1568 # +0x2d8 pShimData : Ptr64 Void
1569 # +0x2e0 AppCompatInfo : Ptr64 Void
1570 # +0x2e8 CSDVersion : _UNICODE_STRING
1571 # +0x2f8 ActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA
1572 # +0x300 ProcessAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP
1573 # +0x308 SystemDefaultActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA
1574 # +0x310 SystemAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP
1575 # +0x318 MinimumStackCommit : Uint8B
1576 # +0x320 FlsCallback : Ptr64 _FLS_CALLBACK_INFO
1577 # +0x328 FlsListHead : _LIST_ENTRY
1578 # +0x338 FlsBitmap : Ptr64 Void
1579 # +0x340 FlsBitmapBits : [4] Uint4B
1580 # +0x350 FlsHighIndex : Uint4B
1581 # +0x358 WerRegistrationData : Ptr64 Void
1582 # +0x360 WerShipAssertPtr : Ptr64 Void
1583 # +0x368 pContextData : Ptr64 Void
1584 # +0x370 pImageHeaderHash : Ptr64 Void
1585 # +0x378 TracingFlags : Uint4B
1586 # +0x378 HeapTracingEnabled : Pos 0, 1 Bit
1587 # +0x378 CritSecTracingEnabled : Pos 1, 1 Bit
1588 # +0x378 SpareTracingBits : Pos 2, 30 Bits
# Memory layout of the 64-bit PEB for Windows Server 2008 R2, as a ctypes
# field table.  Field order and widths *are* the layout: each entry must
# stay in step with the `dt _PEB` dump reproduced in the comment block
# above.  Relative to the 2008 64-bit table, SpareUlong became
# AtlThunkSListPtr32 (still a 4-byte integer), SparePebPtr0 became ApiSetMap,
# and pContextData, pImageHeaderHash and TracingFlags were appended.
# Members the dump shows as Uint8B are QWORD; GdiHandleBuffer has 60
# entries.  Bit-level members inside BitField, CrossProcessFlags and
# TracingFlags are not modelled as ctypes bit fields; callers mask the raw
# value.
# NOTE(review): PVOID/HANDLE widths come from `defines` (not shown); this
# table only reproduces the 64-bit dump when those are 8 bytes wide, i.e.
# under a 64-bit interpreter -- confirm.
_pack_ = 8  # 8-byte packing; CriticalSectionTimeout lands at +0x0c0 after NtGlobalFlag (+0x0bc), as in the dump
_fields_ = [
    ("InheritedAddressSpace", BOOLEAN),
    ("ReadImageFileExecOptions", UCHAR),
    ("BeingDebugged", BOOLEAN),  # NOTE(review): presumably the byte IsDebuggerPresent() reports -- confirm
    ("BitField", UCHAR),  # dump: ImageUsesLargePages .. SpareBits packed in this byte
    ("Mutant", HANDLE),  # dump: +0x008, i.e. 4 bytes of padding after BitField
    ("ImageBaseAddress", PVOID),
    ("Ldr", PVOID),  # PPEB_LDR_DATA
    ("ProcessParameters", PVOID),  # PRTL_USER_PROCESS_PARAMETERS
    ("SubSystemData", PVOID),
    ("ProcessHeap", PVOID),
    ("FastPebLock", PVOID),  # PRTL_CRITICAL_SECTION
    ("AtlThunkSListPtr", PVOID),
    ("IFEOKey", PVOID),
    ("CrossProcessFlags", DWORD),  # dump: ProcessInJob .. ReservedBits0 packed in this dword
    ("KernelCallbackTable", PVOID),  # dump overlays UserSharedInfoPtr at this offset (+0x058)
    ("SystemReserved", DWORD),  # dump: [1] Uint4B
    ("AtlThunkSListPtr32", DWORD),  # dump: Uint4B -- a 32-bit value even on this layout
    ("ApiSetMap", PVOID),
    ("TlsExpansionCounter", DWORD),
    ("TlsBitmap", PVOID),
    ("TlsBitmapBits", DWORD * 2),  # dump: [2] Uint4B
    ("ReadOnlySharedMemoryBase", PVOID),
    ("HotpatchInformation", PVOID),
    ("ReadOnlyStaticServerData", PVOID),  # Ptr64 Ptr64 Void
    ("AnsiCodePageData", PVOID),
    ("OemCodePageData", PVOID),
    ("UnicodeCaseTableData", PVOID),
    ("NumberOfProcessors", DWORD),
    ("NtGlobalFlag", DWORD),
    ("CriticalSectionTimeout", LONGLONG),  # LARGE_INTEGER
    ("HeapSegmentReserve", QWORD),  # dump: Uint8B
    ("HeapSegmentCommit", QWORD),  # dump: Uint8B
    ("HeapDeCommitTotalFreeThreshold", QWORD),  # dump: Uint8B
    ("HeapDeCommitFreeBlockThreshold", QWORD),  # dump: Uint8B
    ("NumberOfHeaps", DWORD),
    ("MaximumNumberOfHeaps", DWORD),
    ("ProcessHeaps", PVOID),  # Ptr64 Ptr64 Void
    ("GdiSharedHandleTable", PVOID),
    ("ProcessStarterHelper", PVOID),
    ("GdiDCAttributeList", DWORD),
    ("LoaderLock", PVOID),  # PRTL_CRITICAL_SECTION
    ("OSMajorVersion", DWORD),
    ("OSMinorVersion", DWORD),
    ("OSBuildNumber", WORD),
    ("OSCSDVersion", WORD),
    ("OSPlatformId", DWORD),
    ("ImageSubsystem", DWORD),
    ("ImageSubsystemMajorVersion", DWORD),
    ("ImageSubsystemMinorVersion", DWORD),
    ("ActiveProcessAffinityMask", QWORD),  # dump: Uint8B at +0x138
    ("GdiHandleBuffer", DWORD * 60),  # dump: [60] Uint4B, +0x140 .. +0x230
    ("PostProcessInitRoutine", PPS_POST_PROCESS_INIT_ROUTINE),
    ("TlsExpansionBitmap", PVOID),
    ("TlsExpansionBitmapBits", DWORD * 32),  # dump: [32] Uint4B
    ("SessionId", DWORD),
    ("AppCompatFlags", ULONGLONG),  # ULARGE_INTEGER
    ("AppCompatFlagsUser", ULONGLONG),  # ULARGE_INTEGER
    ("pShimData", PVOID),
    ("AppCompatInfo", PVOID),
    ("CSDVersion", UNICODE_STRING),
    ("ActivationContextData", PVOID),  # ACTIVATION_CONTEXT_DATA
    ("ProcessAssemblyStorageMap", PVOID),  # ASSEMBLY_STORAGE_MAP
    ("SystemDefaultActivationContextData", PVOID),  # ACTIVATION_CONTEXT_DATA
    ("SystemAssemblyStorageMap", PVOID),  # ASSEMBLY_STORAGE_MAP
    ("MinimumStackCommit", QWORD),  # dump: Uint8B
    ("FlsCallback", PVOID),  # PFLS_CALLBACK_INFO
    ("FlsListHead", LIST_ENTRY),
    ("FlsBitmap", PVOID),
    ("FlsBitmapBits", DWORD * 4),  # dump: [4] Uint4B
    ("FlsHighIndex", DWORD),
    ("WerRegistrationData", PVOID),
    ("WerShipAssertPtr", PVOID),
    ("pContextData", PVOID),
    ("pImageHeaderHash", PVOID),
    ("TracingFlags", DWORD),  # dump: HeapTracingEnabled .. SpareTracingBits packed in this dword
]
# Exposes the getter/setter pair defined just above (outside this view) as a
# property.  The dump lists UserSharedInfoPtr at the same offset as
# KernelCallbackTable (+0x058), so the accessors presumably alias that
# field -- confirm against the getter.
UserSharedInfoPtr = property(__get_UserSharedInfoPtr, __set_UserSharedInfoPtr)
1673
# Client releases share the server PEB layouts: Vista uses the Server 2008
# tables and Windows 7 the Server 2008 R2 tables, on both bitnesses.
# These are aliases, not copies -- a fix to the aliased class applies to all.
_PEB_Vista = _PEB_2008
_PEB_Vista_64 = _PEB_2008_64
_PEB_W7 = _PEB_2008_R2
_PEB_W7_64 = _PEB_2008_R2_64
1678
1679 # +0x000 InheritedAddressSpace : UChar
1680 # +0x001 ReadImageFileExecOptions : UChar
1681 # +0x002 BeingDebugged : UChar
1682 # +0x003 BitField : UChar
1683 # +0x003 ImageUsesLargePages : Pos 0, 1 Bit
1684 # +0x003 IsProtectedProcess : Pos 1, 1 Bit
1685 # +0x003 IsLegacyProcess : Pos 2, 1 Bit
1686 # +0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit
1687 # +0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit
1688 # +0x003 SpareBits : Pos 5, 3 Bits
1689 # +0x004 Mutant : Ptr32 Void
1690 # +0x008 ImageBaseAddress : Ptr32 Void
1691 # +0x00c Ldr : Ptr32 _PEB_LDR_DATA
1692 # +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS
1693 # +0x014 SubSystemData : Ptr32 Void
1694 # +0x018 ProcessHeap : Ptr32 Void
1695 # +0x01c FastPebLock : Ptr32 _RTL_CRITICAL_SECTION
1696 # +0x020 AtlThunkSListPtr : Ptr32 Void
1697 # +0x024 IFEOKey : Ptr32 Void
1698 # +0x028 CrossProcessFlags : Uint4B
1699 # +0x028 ProcessInJob : Pos 0, 1 Bit
1700 # +0x028 ProcessInitializing : Pos 1, 1 Bit
1701 # +0x028 ProcessUsingVEH : Pos 2, 1 Bit
1702 # +0x028 ProcessUsingVCH : Pos 3, 1 Bit
1703 # +0x028 ProcessUsingFTH : Pos 4, 1 Bit
1704 # +0x028 ReservedBits0 : Pos 5, 27 Bits
1705 # +0x02c KernelCallbackTable : Ptr32 Void
1706 # +0x02c UserSharedInfoPtr : Ptr32 Void
1707 # +0x030 SystemReserved : [1] Uint4B
1708 # +0x034 TracingFlags : Uint4B
1709 # +0x034 HeapTracingEnabled : Pos 0, 1 Bit
1710 # +0x034 CritSecTracingEnabled : Pos 1, 1 Bit
1711 # +0x034 SpareTracingBits : Pos 2, 30 Bits
1712 # +0x038 ApiSetMap : Ptr32 Void
1713 # +0x03c TlsExpansionCounter : Uint4B
1714 # +0x040 TlsBitmap : Ptr32 Void
1715 # +0x044 TlsBitmapBits : [2] Uint4B
1716 # +0x04c ReadOnlySharedMemoryBase : Ptr32 Void
1717 # +0x050 HotpatchInformation : Ptr32 Void
1718 # +0x054 ReadOnlyStaticServerData : Ptr32 Ptr32 Void
1719 # +0x058 AnsiCodePageData : Ptr32 Void
1720 # +0x05c OemCodePageData : Ptr32 Void
1721 # +0x060 UnicodeCaseTableData : Ptr32 Void
1722 # +0x064 NumberOfProcessors : Uint4B
1723 # +0x068 NtGlobalFlag : Uint4B
1724 # +0x070 CriticalSectionTimeout : _LARGE_INTEGER
1725 # +0x078 HeapSegmentReserve : Uint4B
1726 # +0x07c HeapSegmentCommit : Uint4B
1727 # +0x080 HeapDeCommitTotalFreeThreshold : Uint4B
1728 # +0x084 HeapDeCommitFreeBlockThreshold : Uint4B
1729 # +0x088 NumberOfHeaps : Uint4B
1730 # +0x08c MaximumNumberOfHeaps : Uint4B
1731 # +0x090 ProcessHeaps : Ptr32 Ptr32 Void
1732 # +0x094 GdiSharedHandleTable : Ptr32 Void
1733 # +0x098 ProcessStarterHelper : Ptr32 Void
1734 # +0x09c GdiDCAttributeList : Uint4B
1735 # +0x0a0 LoaderLock : Ptr32 _RTL_CRITICAL_SECTION
1736 # +0x0a4 OSMajorVersion : Uint4B
1737 # +0x0a8 OSMinorVersion : Uint4B
1738 # +0x0ac OSBuildNumber : Uint2B
1739 # +0x0ae OSCSDVersion : Uint2B
1740 # +0x0b0 OSPlatformId : Uint4B
1741 # +0x0b4 ImageSubsystem : Uint4B
1742 # +0x0b8 ImageSubsystemMajorVersion : Uint4B
1743 # +0x0bc ImageSubsystemMinorVersion : Uint4B
1744 # +0x0c0 ActiveProcessAffinityMask : Uint4B
1745 # +0x0c4 GdiHandleBuffer : [34] Uint4B
1746 # +0x14c PostProcessInitRoutine : Ptr32 void
1747 # +0x150 TlsExpansionBitmap : Ptr32 Void
1748 # +0x154 TlsExpansionBitmapBits : [32] Uint4B
1749 # +0x1d4 SessionId : Uint4B
1750 # +0x1d8 AppCompatFlags : _ULARGE_INTEGER
1751 # +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER
1752 # +0x1e8 pShimData : Ptr32 Void
1753 # +0x1ec AppCompatInfo : Ptr32 Void
1754 # +0x1f0 CSDVersion : _UNICODE_STRING
1755 # +0x1f8 ActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA
1756 # +0x1fc ProcessAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP
1757 # +0x200 SystemDefaultActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA
1758 # +0x204 SystemAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP
1759 # +0x208 MinimumStackCommit : Uint4B
1760 # +0x20c FlsCallback : Ptr32 _FLS_CALLBACK_INFO
1761 # +0x210 FlsListHead : _LIST_ENTRY
1762 # +0x218 FlsBitmap : Ptr32 Void
1763 # +0x21c FlsBitmapBits : [4] Uint4B
1764 # +0x22c FlsHighIndex : Uint4B
1765 # +0x230 WerRegistrationData : Ptr32 Void
1766 # +0x234 WerShipAssertPtr : Ptr32 Void
1767 # +0x238 pContextData : Ptr32 Void
1768 # +0x23c pImageHeaderHash : Ptr32 Void
1770 """
1771 This definition of the PEB structure is only valid for the beta versions
1772 of Windows 7. For the final version of Windows 7 use L{_PEB_W7} instead.
1773 This structure is not chosen automatically.
1774 """
# Pack 8: the dump above places CriticalSectionTimeout (8 bytes) at +0x070
# right after NtGlobalFlag at +0x068, i.e. 8-byte members are naturally aligned.
1775 _pack_ = 8
# Field order is the in-memory layout; it mirrors the dt dump above line by line.
1776 _fields_ = [
1777 ("InheritedAddressSpace", BOOLEAN),
1778 ("ReadImageFileExecOptions", UCHAR),
1779 ("BeingDebugged", BOOLEAN),
# BitField packs the ImageUsesLargePages .. SpareBits flags listed at +0x003
# in the dump; they are not broken out into separate members here.
1780 ("BitField", UCHAR),
1781 ("Mutant", HANDLE),
1782 ("ImageBaseAddress", PVOID),
1783 ("Ldr", PVOID), # PPEB_LDR_DATA
1784 ("ProcessParameters", PVOID), # PRTL_USER_PROCESS_PARAMETERS
1785 ("SubSystemData", PVOID),
1786 ("ProcessHeap", PVOID),
1787 ("FastPebLock", PVOID), # PRTL_CRITICAL_SECTION
1788 ("AtlThunkSListPtr", PVOID),
1789 ("IFEOKey", PVOID),
# CrossProcessFlags packs ProcessInJob .. ReservedBits0 (see +0x028 above).
1790 ("CrossProcessFlags", DWORD),
# +0x02c is a union of KernelCallbackTable and UserSharedInfoPtr; only the
# first name is a member, the second is exposed as a property below.
1791 ("KernelCallbackTable", PVOID),
# "[1] Uint4B" in the dump, declared as a single DWORD.
1792 ("SystemReserved", DWORD),
# TracingFlags packs HeapTracingEnabled .. SpareTracingBits (see +0x034 above).
1793 ("TracingFlags", DWORD),
1794 ("ApiSetMap", PVOID),
1795 ("TlsExpansionCounter", DWORD),
1796 ("TlsBitmap", PVOID),
1797 ("TlsBitmapBits", DWORD * 2),
1798 ("ReadOnlySharedMemoryBase", PVOID),
1799 ("HotpatchInformation", PVOID),
1800 ("ReadOnlyStaticServerData", PVOID), # Ptr32 Ptr32 Void
1801 ("AnsiCodePageData", PVOID),
1802 ("OemCodePageData", PVOID),
1803 ("UnicodeCaseTableData", PVOID),
1804 ("NumberOfProcessors", DWORD),
1805 ("NtGlobalFlag", DWORD),
1806 ("CriticalSectionTimeout", LONGLONG), # LARGE_INTEGER
1807 ("HeapSegmentReserve", DWORD),
1808 ("HeapSegmentCommit", DWORD),
1809 ("HeapDeCommitTotalFreeThreshold", DWORD),
1810 ("HeapDeCommitFreeBlockThreshold", DWORD),
1811 ("NumberOfHeaps", DWORD),
1812 ("MaximumNumberOfHeaps", DWORD),
1813 ("ProcessHeaps", PVOID), # Ptr32 Ptr32 Void
1814 ("GdiSharedHandleTable", PVOID),
1815 ("ProcessStarterHelper", PVOID),
1816 ("GdiDCAttributeList", DWORD),
1817 ("LoaderLock", PVOID), # PRTL_CRITICAL_SECTION
1818 ("OSMajorVersion", DWORD),
1819 ("OSMinorVersion", DWORD),
1820 ("OSBuildNumber", WORD),
1821 ("OSCSDVersion", WORD),
1822 ("OSPlatformId", DWORD),
1823 ("ImageSubsystem", DWORD),
1824 ("ImageSubsystemMajorVersion", DWORD),
1825 ("ImageSubsystemMinorVersion", DWORD),
1826 ("ActiveProcessAffinityMask", DWORD),
# 34 entries in this 32-bit layout (the preceding 64-bit table uses 60).
1827 ("GdiHandleBuffer", DWORD * 34),
1828 ("PostProcessInitRoutine", PPS_POST_PROCESS_INIT_ROUTINE),
1829 ("TlsExpansionBitmap", PVOID),
1830 ("TlsExpansionBitmapBits", DWORD * 32),
1831 ("SessionId", DWORD),
1832 ("AppCompatFlags", ULONGLONG), # ULARGE_INTEGER
1833 ("AppCompatFlagsUser", ULONGLONG), # ULARGE_INTEGER
1834 ("pShimData", PVOID),
1835 ("AppCompatInfo", PVOID),
1836 ("CSDVersion", UNICODE_STRING),
1837 ("ActivationContextData", PVOID), # ACTIVATION_CONTEXT_DATA
1838 ("ProcessAssemblyStorageMap", PVOID), # ASSEMBLY_STORAGE_MAP
1839 ("SystemDefaultActivationContextData", PVOID), # ACTIVATION_CONTEXT_DATA
1840 ("SystemAssemblyStorageMap", PVOID), # ASSEMBLY_STORAGE_MAP
1841 ("MinimumStackCommit", DWORD),
1842 ("FlsCallback", PVOID), # PFLS_CALLBACK_INFO
1843 ("FlsListHead", LIST_ENTRY),
1844 ("FlsBitmap", PVOID),
1845 ("FlsBitmapBits", DWORD * 4),
1846 ("FlsHighIndex", DWORD),
1847 ("WerRegistrationData", PVOID),
1848 ("WerShipAssertPtr", PVOID),
1849 ("pContextData", PVOID),
# Last member of the dump above (+0x23c); unlike the 2008 R2 tables there is
# no trailing TracingFlags here, it sits at +0x034 in this layout.
1850 ("pImageHeaderHash", PVOID),
1851 ]
# UserSharedInfoPtr shares offset +0x02c with KernelCallbackTable (see the
# dump above); it is a property over that member rather than a field of its own.
1856 UserSharedInfoPtr = property(__get_UserSharedInfoPtr, __set_UserSharedInfoPtr)
1857
1858 # Use the correct PEB structure definition.
1859 # Defaults to the latest Windows version.
# The layout is chosen once, at import time, from the version string `os`
# imported from the version module -- this is NOT the standard library os
# module, despite the name.
# Only the NT and 2000 tables carry their own pack value; every other table
# keeps the default of 8 set here.
1861 _pack_ = 8
1862 if os == 'Windows NT':
1863 _pack_ = _PEB_NT._pack_
1864 _fields_ = _PEB_NT._fields_
1865 elif os == 'Windows 2000':
1866 _pack_ = _PEB_2000._pack_
1867 _fields_ = _PEB_2000._fields_
1868 elif os == 'Windows XP':
1869 _fields_ = _PEB_XP._fields_
1870 elif os == 'Windows XP (64 bits)':
1871 _fields_ = _PEB_XP_64._fields_
1872 elif os == 'Windows 2003':
1873 _fields_ = _PEB_2003._fields_
1874 elif os == 'Windows 2003 (64 bits)':
1875 _fields_ = _PEB_2003_64._fields_
1876 elif os == 'Windows 2003 R2':
1877 _fields_ = _PEB_2003_R2._fields_
1878 elif os == 'Windows 2003 R2 (64 bits)':
1879 _fields_ = _PEB_2003_R2_64._fields_
1880 elif os == 'Windows 2008':
1881 _fields_ = _PEB_2008._fields_
1882 elif os == 'Windows 2008 (64 bits)':
1883 _fields_ = _PEB_2008_64._fields_
1884 elif os == 'Windows 2008 R2':
1885 _fields_ = _PEB_2008_R2._fields_
1886 elif os == 'Windows 2008 R2 (64 bits)':
1887 _fields_ = _PEB_2008_R2_64._fields_
# _PEB_Vista / _PEB_W7 are aliases of the 2008 / 2008 R2 tables defined above.
1888 elif os == 'Windows Vista':
1889 _fields_ = _PEB_Vista._fields_
1890 elif os == 'Windows Vista (64 bits)':
1891 _fields_ = _PEB_Vista_64._fields_
1892 elif os == 'Windows 7':
1893 _fields_ = _PEB_W7._fields_
1894 elif os == 'Windows 7 (64 bits)':
1895 _fields_ = _PEB_W7_64._fields_
# Any version string not matched above (i.e. a release newer than the ones
# listed) silently gets the Windows 7 layout, picked by this process' pointer
# size. NOTE(review): on such a release the member offsets may not match the
# target, so values read through this structure should be treated as
# unverified rather than authoritative.
1896 elif sizeof(SIZE_T) == sizeof(DWORD):
1897 _fields_ = _PEB_W7._fields_
1898 else:
1899 _fields_ = _PEB_W7_64._fields_
# NOTE(review): this binding is overwritten further down (after the
# EXCEPTION_REGISTRATION_RECORD definition) by `PPEB = PVOID`; the TEB table
# that references PPEB is defined after that rebinding and therefore gets a
# plain void pointer, not POINTER(PEB). One of the two definitions is dead.
1900 PPEB = POINTER(PEB)
1901
1902 # PEB structure for WOW64 processes.
# 32-bit PEB as seen by a WOW64 process: only the 32-bit tables are ever
# selected, so the "(64 bits)" suffix of `os` is ignored via startswith().
1904 _pack_ = 8
1905 if os == 'Windows NT':
1906 _pack_ = _PEB_NT._pack_
1907 _fields_ = _PEB_NT._fields_
1908 elif os == 'Windows 2000':
1909 _pack_ = _PEB_2000._pack_
1910 _fields_ = _PEB_2000._fields_
1911 elif os.startswith('Windows XP'):
1912 _fields_ = _PEB_XP._fields_
# The "R2" prefixes must be tested before the plain version: startswith(
# 'Windows 2003') would also match 'Windows 2003 R2'. Same for 2008 below.
1913 elif os.startswith('Windows 2003 R2'):
1914 _fields_ = _PEB_2003_R2._fields_
1915 elif os.startswith('Windows 2003'):
1916 _fields_ = _PEB_2003._fields_
1917 elif os.startswith('Windows 2008 R2'):
1918 _fields_ = _PEB_2008_R2._fields_
1919 elif os.startswith('Windows 2008'):
1920 _fields_ = _PEB_2008._fields_
1921 elif os.startswith('Windows Vista'):
1922 _fields_ = _PEB_Vista._fields_
# Everything else -- Windows 7 and any newer, unrecognised version string --
# gets the Windows 7 table; there is no explicit check for it.
1923 else: #if os.startswith('Windows 7'):
1924 _fields_ = _PEB_W7._fields_
1925
1926 # from https://vmexplorer.svn.codeplex.com/svn/VMExplorer/src/Win32/Threads.cs
1927 #
1928 # [StructLayout (LayoutKind.Sequential, Size = 0x0C)]
1929 # public struct Wx86ThreadState
1930 # {
1931 # public IntPtr CallBx86Eip; // Ptr32 to Uint4B
1932 # public IntPtr DeallocationCpu; // Ptr32 to Void
1933 # public Byte UseKnownWx86Dll; // UChar
1934 # public Byte OleStubInvoked; // Char
1935 # };
# Transcribed from the VMExplorer C# declaration quoted above; the C# comments
# give the native types (Ptr32, UChar, Char). Embedded in the XP TEB table
# further down as the Wx86Thread member.
1937 _fields_ = [
1938 ("CallBx86Eip", PVOID),
1939 ("DeallocationCpu", PVOID),
1940 ("UseKnownWx86Dll", UCHAR),
1941 ("OleStubInvoked", CHAR),
1942 ]
1943
1944 # ntdll!_RTL_ACTIVATION_CONTEXT_STACK_FRAME
1945 # +0x000 Previous : Ptr64 _RTL_ACTIVATION_CONTEXT_STACK_FRAME
1946 # +0x008 ActivationContext : Ptr64 _ACTIVATION_CONTEXT
1947 # +0x010 Flags : Uint4B
# Follows the ntdll dump above. Previous points to another frame of this same
# type; it is declared as a raw PVOID, like the other embedded pointers in
# this module, rather than as a self-referential POINTER().
1949 _fields_ = [
1950 ("Previous", PVOID),
1951 ("ActivationContext", PVOID),
1952 ("Flags", DWORD),
1953 ]
1954
1955 # ntdll!_ACTIVATION_CONTEXT_STACK
1956 # +0x000 ActiveFrame : Ptr64 _RTL_ACTIVATION_CONTEXT_STACK_FRAME
1957 # +0x008 FrameListCache : _LIST_ENTRY
1958 # +0x018 Flags : Uint4B
1959 # +0x01c NextCookieSequenceNumber : Uint4B
1960 # +0x020 StackId : Uint4B
# Follows the ntdll dump above. ActiveFrame is the head of the frame list
# (RTL_ACTIVATION_CONTEXT_STACK_FRAME, defined just above).
# The XP TEB dump further down embeds this structure directly; the later TEB
# tables only store a pointer to it (ActivationContextStackPointer).
1962 _fields_ = [
1963 ("ActiveFrame", PVOID),
1964 ("FrameListCache", LIST_ENTRY),
1965 ("Flags", DWORD),
1966 ("NextCookieSequenceNumber", DWORD),
1967 ("StackId", DWORD),
1968 ]
1969
1970 # typedef struct _PROCESSOR_NUMBER {
1971 # WORD Group;
1972 # BYTE Number;
1973 # BYTE Reserved;
1974 # }PROCESSOR_NUMBER, *PPROCESSOR_NUMBER;
1981
1982 # from http://www.nirsoft.net/kernel_struct/vista/NT_TIB.html
1983 #
1984 # typedef struct _NT_TIB
1985 # {
1986 # PEXCEPTION_REGISTRATION_RECORD ExceptionList;
1987 # PVOID StackBase;
1988 # PVOID StackLimit;
1989 # PVOID SubSystemTib;
1990 # union
1991 # {
1992 # PVOID FiberData;
1993 # ULONG Version;
1994 # };
1995 # PVOID ArbitraryUserPointer;
1996 # PNT_TIB Self;
1997 # } NT_TIB, *PNT_TIB;
# Follows the C declaration quoted above.
2004 _fields_ = [
# Head of the linked list of EXCEPTION_REGISTRATION_RECORD entries
# (Next/Handler); that record type is declared later in this module, so a
# raw PVOID is used here.
2005 ("ExceptionList", PVOID), # PEXCEPTION_REGISTRATION_RECORD
2006 ("StackBase", PVOID),
2007 ("StackLimit", PVOID),
2008 ("SubSystemTib", PVOID),
# The FiberData/Version union from the C declaration; the FiberData and
# Version properties below read and write through this member.
2009 ("u", _NT_TIB_UNION),
2010 ("ArbitraryUserPointer", PVOID),
2011 ("Self", PVOID), # PNTTIB
2012 ]
2013
# Convenience accessors for the two halves of the nested union member "u"
# (FiberData and Version overlap in the C declaration above).
2018 FiberData = property(__get_FiberData, __set_FiberData)
2019
2024 Version = property(__get_Version, __set_Version)
2025
# ctypes pointer type for NT_TIB. Note NT_TIB.Self itself is declared as a
# plain PVOID (commented "# PNTTIB"), not as this type.
2026 PNTTIB = POINTER(NT_TIB)
2027
2028 # From http://www.nirsoft.net/kernel_struct/vista/EXCEPTION_REGISTRATION_RECORD.html
2029 #
2030 # typedef struct _EXCEPTION_REGISTRATION_RECORD
2031 # {
2032 # PEXCEPTION_REGISTRATION_RECORD Next;
2033 # PEXCEPTION_DISPOSITION Handler;
2034 # } EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD;
2037
2038 EXCEPTION_DISPOSITION = DWORD
# The POINTER() typedefs are kept commented out; the live definitions are
# plain PVOID, matching how every other pointer member in this module is
# declared.
2039 ##PEXCEPTION_DISPOSITION = POINTER(EXCEPTION_DISPOSITION)
2040 ##PEXCEPTION_REGISTRATION_RECORD = POINTER(EXCEPTION_REGISTRATION_RECORD)
2041 PEXCEPTION_DISPOSITION = PVOID
2042 PEXCEPTION_REGISTRATION_RECORD = PVOID
2043
# _fields_ is assigned after the class exists because Next refers back to the
# same record type (a singly linked list, per the C declaration above).
2044 EXCEPTION_REGISTRATION_RECORD._fields_ = [
2045 ("Next", PEXCEPTION_REGISTRATION_RECORD),
2046 ("Handler", PEXCEPTION_DISPOSITION),
2047 ]
2048
# NOTE(review): second binding of PPEB. The `PPEB = POINTER(PEB)` right after
# the PEB class above is overwritten here, so the TEB table below that uses
# PPEB gets a raw void pointer. Keeping only one of the two definitions would
# make the intent explicit.
2049 ##PPEB = POINTER(PEB)
2050 PPEB = PVOID
2051
2052 # From http://www.nirsoft.net/kernel_struct/vista/GDI_TEB_BATCH.html
2053 #
2054 # typedef struct _GDI_TEB_BATCH
2055 # {
2056 # ULONG Offset;
2057 # ULONG HDC;
2058 # ULONG Buffer[310];
2059 # } GDI_TEB_BATCH, *PGDI_TEB_BATCH;
2066
2067 # ntdll!_TEB_ACTIVE_FRAME_CONTEXT
2068 # +0x000 Flags : Uint4B
2069 # +0x008 FrameName : Ptr64 Char
# ctypes pointer type for the context structure; TEB_ACTIVE_FRAME.Context
# below is nevertheless declared as LPVOID rather than this type.
2075 PTEB_ACTIVE_FRAME_CONTEXT = POINTER(TEB_ACTIVE_FRAME_CONTEXT)
2076
2077 # ntdll!_TEB_ACTIVE_FRAME
2078 # +0x000 Flags : Uint4B
2079 # +0x008 Previous : Ptr64 _TEB_ACTIVE_FRAME
2080 # +0x010 Context : Ptr64 _TEB_ACTIVE_FRAME_CONTEXT
# Follows the ntdll dump above.
# NOTE(review): Previous and Context use LPVOID where the rest of this module
# declares pointer members as PVOID; both are presumably void pointers, but
# the two spellings are worth unifying.
2082 _fields_ = [
2083 ("Flags", DWORD),
2084 ("Previous", LPVOID), # PTEB_ACTIVE_FRAME
2085 ("Context", LPVOID), # PTEB_ACTIVE_FRAME_CONTEXT
2086 ]
# ctypes pointer type for the structure above; the TEB tables below still
# declare their ActiveFrame member as PVOID (see their "# PTEB_ACTIVE_FRAME"
# comments).
2087 PTEB_ACTIVE_FRAME = POINTER(TEB_ACTIVE_FRAME)
2088
# SameTebFlags: single-bit mask values, written out as hex so the bit
# position is visible at a glance.
DbgSafeThunkCall        = 0x0001
DbgInDebugPrint         = 0x0002
DbgHasFiberData         = 0x0004
DbgSkipThreadAttach     = 0x0008
DbgWerInShipAssertCode  = 0x0010
DbgRanProcessInit       = 0x0020
DbgClonedThread         = 0x0040
DbgSuppressDebugMsg     = 0x0080
RtlDisableUserStackWalk = 0x0100
RtlExceptionAttached    = 0x0200
RtlInitialThread        = 0x0400
2101
2102 # XXX This is quite wrong :P
2104 _pack_ = 4
2105 _fields_ = [
2106 ("NtTib", NT_TIB),
2107 ("EnvironmentPointer", PVOID),
2108 ("ClientId", CLIENT_ID),
2109 ("ActiveRpcHandle", HANDLE),
2110 ("ThreadLocalStoragePointer", PVOID),
2111 ("ProcessEnvironmentBlock", PPEB),
2112 ("LastErrorValue", ULONG),
2113 ("CountOfOwnedCriticalSections", ULONG),
2114 ("CsrClientThread", PVOID),
2115 ("Win32ThreadInfo", PVOID),
2116 ("User32Reserved", ULONG * 26),
2117 ("UserReserved", ULONG * 5),
2118 ("WOW32Reserved", PVOID), # ptr to wow64cpu!X86SwitchTo64BitMode
2119 ("CurrentLocale", ULONG),
2120 ("FpSoftwareStatusRegister", ULONG),
2121 ("SystemReserved1", PVOID * 54),
2122 ("Spare1", PVOID),
2123 ("ExceptionCode", ULONG),
2124 ("ActivationContextStackPointer", PVOID), # PACTIVATION_CONTEXT_STACK
2125 ("SpareBytes1", ULONG * 36),
2126 ("TxFsContext", ULONG),
2127 ("GdiTebBatch", GDI_TEB_BATCH),
2128 ("RealClientId", CLIENT_ID),
2129 ("GdiCachedProcessHandle", PVOID),
2130 ("GdiClientPID", ULONG),
2131 ("GdiClientTID", ULONG),
2132 ("GdiThreadLocalInfo", PVOID),
2133 ("Win32ClientInfo", PVOID * 62),
2134 ("glDispatchTable", PVOID * 233),
2135 ("glReserved1", ULONG * 29),
2136 ("glReserved2", PVOID),
2137 ("glSectionInfo", PVOID),
2138 ("glSection", PVOID),
2139 ("glTable", PVOID),
2140 ("glCurrentRC", PVOID),
2141 ("glContext", PVOID),
2142 ("LastStatusValue", NTSTATUS),
2143 ("StaticUnicodeString", UNICODE_STRING),
2144 ("StaticUnicodeBuffer", WCHAR * 261),
2145 ("DeallocationStack", PVOID),
2146 ("TlsSlots", PVOID * 64),
2147 ("TlsLinks", LIST_ENTRY),
2148 ("Vdm", PVOID),
2149 ("ReservedForNtRpc", PVOID),
2150 ("DbgSsReserved", PVOID * 2),
2151 ("HardErrorDisabled", ULONG),
2152 ("Instrumentation", PVOID * 9),
2153 ("ActivityId", GUID),
2154 ("SubProcessTag", PVOID),
2155 ("EtwLocalData", PVOID),
2156 ("EtwTraceData", PVOID),
2157 ("WinSockData", PVOID),
2158 ("GdiBatchCount", ULONG),
2159 ("SpareBool0", BOOLEAN),
2160 ("SpareBool1", BOOLEAN),
2161 ("SpareBool2", BOOLEAN),
2162 ("IdealProcessor", UCHAR),
2163 ("GuaranteedStackBytes", ULONG),
2164 ("ReservedForPerf", PVOID),
2165 ("ReservedForOle", PVOID),
2166 ("WaitingOnLoaderLock", ULONG),
2167 ("StackCommit", PVOID),
2168 ("StackCommitMax", PVOID),
2169 ("StackReserved", PVOID),
2170 ]
2171
2172 # not really, but "dt _TEB" in w2k isn't working for me :(
# Windows 2000 reuses the NT table above until a real w2k dump is available
# (see the note above).
2173 _TEB_2000 = _TEB_NT
2174
2175 # +0x000 NtTib : _NT_TIB
2176 # +0x01c EnvironmentPointer : Ptr32 Void
2177 # +0x020 ClientId : _CLIENT_ID
2178 # +0x028 ActiveRpcHandle : Ptr32 Void
2179 # +0x02c ThreadLocalStoragePointer : Ptr32 Void
2180 # +0x030 ProcessEnvironmentBlock : Ptr32 _PEB
2181 # +0x034 LastErrorValue : Uint4B
2182 # +0x038 CountOfOwnedCriticalSections : Uint4B
2183 # +0x03c CsrClientThread : Ptr32 Void
2184 # +0x040 Win32ThreadInfo : Ptr32 Void
2185 # +0x044 User32Reserved : [26] Uint4B
2186 # +0x0ac UserReserved : [5] Uint4B
2187 # +0x0c0 WOW32Reserved : Ptr32 Void
2188 # +0x0c4 CurrentLocale : Uint4B
2189 # +0x0c8 FpSoftwareStatusRegister : Uint4B
2190 # +0x0cc SystemReserved1 : [54] Ptr32 Void
2191 # +0x1a4 ExceptionCode : Int4B
2192 # +0x1a8 ActivationContextStack : _ACTIVATION_CONTEXT_STACK
2193 # +0x1bc SpareBytes1 : [24] UChar
2194 # +0x1d4 GdiTebBatch : _GDI_TEB_BATCH
2195 # +0x6b4 RealClientId : _CLIENT_ID
2196 # +0x6bc GdiCachedProcessHandle : Ptr32 Void
2197 # +0x6c0 GdiClientPID : Uint4B
2198 # +0x6c4 GdiClientTID : Uint4B
2199 # +0x6c8 GdiThreadLocalInfo : Ptr32 Void
2200 # +0x6cc Win32ClientInfo : [62] Uint4B
2201 # +0x7c4 glDispatchTable : [233] Ptr32 Void
2202 # +0xb68 glReserved1 : [29] Uint4B
2203 # +0xbdc glReserved2 : Ptr32 Void
2204 # +0xbe0 glSectionInfo : Ptr32 Void
2205 # +0xbe4 glSection : Ptr32 Void
2206 # +0xbe8 glTable : Ptr32 Void
2207 # +0xbec glCurrentRC : Ptr32 Void
2208 # +0xbf0 glContext : Ptr32 Void
2209 # +0xbf4 LastStatusValue : Uint4B
2210 # +0xbf8 StaticUnicodeString : _UNICODE_STRING
2211 # +0xc00 StaticUnicodeBuffer : [261] Uint2B
2212 # +0xe0c DeallocationStack : Ptr32 Void
2213 # +0xe10 TlsSlots : [64] Ptr32 Void
2214 # +0xf10 TlsLinks : _LIST_ENTRY
2215 # +0xf18 Vdm : Ptr32 Void
2216 # +0xf1c ReservedForNtRpc : Ptr32 Void
2217 # +0xf20 DbgSsReserved : [2] Ptr32 Void
2218 # +0xf28 HardErrorsAreDisabled : Uint4B
2219 # +0xf2c Instrumentation : [16] Ptr32 Void
2220 # +0xf6c WinSockData : Ptr32 Void
2221 # +0xf70 GdiBatchCount : Uint4B
2222 # +0xf74 InDbgPrint : UChar
2223 # +0xf75 FreeStackOnTermination : UChar
2224 # +0xf76 HasFiberData : UChar
2225 # +0xf77 IdealProcessor : UChar
2226 # +0xf78 Spare3 : Uint4B
2227 # +0xf7c ReservedForPerf : Ptr32 Void
2228 # +0xf80 ReservedForOle : Ptr32 Void
2229 # +0xf84 WaitingOnLoaderLock : Uint4B
2230 # +0xf88 Wx86Thread : _Wx86ThreadState
2231 # +0xf94 TlsExpansionSlots : Ptr32 Ptr32 Void
2232 # +0xf98 ImpersonationLocale : Uint4B
2233 # +0xf9c IsImpersonating : Uint4B
2234 # +0xfa0 NlsCache : Ptr32 Void
2235 # +0xfa4 pShimData : Ptr32 Void
2236 # +0xfa8 HeapVirtualAffinity : Uint4B
2237 # +0xfac CurrentTransactionHandle : Ptr32 Void
2238 # +0xfb0 ActiveFrame : Ptr32 _TEB_ACTIVE_FRAME
2239 # +0xfb4 SafeThunkCall : UChar
2240 # +0xfb5 BooleanSpare : [3] UChar
# 32-bit layout following the dt dump above (Ptr32 members become PVOID,
# Uint4B become DWORD, Int4B becomes SDWORD, the +0xf9c Uint4B IsImpersonating
# becomes BOOL).
2242 _pack_ = 8
2243 _fields_ = [
2244 ("NtTib", NT_TIB),
2245 ("EnvironmentPointer", PVOID),
2246 ("ClientId", CLIENT_ID),
2247 ("ActiveRpcHandle", HANDLE),
2248 ("ThreadLocalStoragePointer", PVOID),
2249 ("ProcessEnvironmentBlock", PVOID), # PPEB
2250 ("LastErrorValue", DWORD),
2251 ("CountOfOwnedCriticalSections", DWORD),
2252 ("CsrClientThread", PVOID),
2253 ("Win32ThreadInfo", PVOID),
2254 ("User32Reserved", DWORD * 26),
2255 ("UserReserved", DWORD * 5),
2256 ("WOW32Reserved", PVOID), # ptr to wow64cpu!X86SwitchTo64BitMode
2257 ("CurrentLocale", DWORD),
2258 ("FpSoftwareStatusRegister", DWORD),
2259 ("SystemReserved1", PVOID * 54),
2260 ("ExceptionCode", SDWORD),
# NOTE(review): the dump above has an *embedded* _ACTIVATION_CONTEXT_STACK at
# +0x1a8, SpareBytes1 at +0x1bc, GdiTebBatch at +0x1d4 and no TxFsContext.
# This table instead declares a 4-byte pointer, 24 spare bytes and a DWORD,
# which on 32-bit places GdiTebBatch at +0x1c8 -- 12 bytes before the dump's
# offset -- so every member from GdiTebBatch onwards would be read at the
# wrong address. Confirm against a real XP TEB before relying on those offsets.
2261 ("ActivationContextStackPointer", PVOID), # PACTIVATION_CONTEXT_STACK
2262 ("SpareBytes1", UCHAR * 24),
2263 ("TxFsContext", DWORD),
2264 ("GdiTebBatch", GDI_TEB_BATCH),
2265 ("RealClientId", CLIENT_ID),
2266 ("GdiCachedProcessHandle", HANDLE),
2267 ("GdiClientPID", DWORD),
2268 ("GdiClientTID", DWORD),
2269 ("GdiThreadLocalInfo", PVOID),
2270 ("Win32ClientInfo", DWORD * 62),
2271 ("glDispatchTable", PVOID * 233),
2272 ("glReserved1", DWORD * 29),
2273 ("glReserved2", PVOID),
2274 ("glSectionInfo", PVOID),
2275 ("glSection", PVOID),
2276 ("glTable", PVOID),
2277 ("glCurrentRC", PVOID),
2278 ("glContext", PVOID),
2279 ("LastStatusValue", NTSTATUS),
2280 ("StaticUnicodeString", UNICODE_STRING),
2281 ("StaticUnicodeBuffer", WCHAR * 261),
2282 ("DeallocationStack", PVOID),
2283 ("TlsSlots", PVOID * 64),
2284 ("TlsLinks", LIST_ENTRY),
2285 ("Vdm", PVOID),
2286 ("ReservedForNtRpc", PVOID),
2287 ("DbgSsReserved", PVOID * 2),
2288 ("HardErrorsAreDisabled", DWORD),
# 16 entries here (+0xf2c .. +0xf6c in the dump); the 2003 and 64-bit tables
# below use 14 and add SubProcessTag/EtwTraceData.
2289 ("Instrumentation", PVOID * 16),
2290 ("WinSockData", PVOID),
2291 ("GdiBatchCount", DWORD),
2292 ("InDbgPrint", BOOLEAN),
2293 ("FreeStackOnTermination", BOOLEAN),
2294 ("HasFiberData", BOOLEAN),
2295 ("IdealProcessor", UCHAR),
2296 ("Spare3", DWORD),
2297 ("ReservedForPerf", PVOID),
2298 ("ReservedForOle", PVOID),
2299 ("WaitingOnLoaderLock", DWORD),
# Embedded Wx86ThreadState (defined earlier in this module), 0x0C bytes.
2300 ("Wx86Thread", Wx86ThreadState),
2301 ("TlsExpansionSlots", PVOID), # Ptr32 Ptr32 Void
2302 ("ImpersonationLocale", DWORD),
2303 ("IsImpersonating", BOOL),
2304 ("NlsCache", PVOID),
2305 ("pShimData", PVOID),
2306 ("HeapVirtualAffinity", DWORD),
2307 ("CurrentTransactionHandle", HANDLE),
2308 ("ActiveFrame", PVOID), # PTEB_ACTIVE_FRAME
2309 ("SafeThunkCall", BOOLEAN),
2310 ("BooleanSpare", BOOLEAN * 3),
2311 ]
2312
2313 # +0x000 NtTib : _NT_TIB
2314 # +0x038 EnvironmentPointer : Ptr64 Void
2315 # +0x040 ClientId : _CLIENT_ID
2316 # +0x050 ActiveRpcHandle : Ptr64 Void
2317 # +0x058 ThreadLocalStoragePointer : Ptr64 Void
2318 # +0x060 ProcessEnvironmentBlock : Ptr64 _PEB
2319 # +0x068 LastErrorValue : Uint4B
2320 # +0x06c CountOfOwnedCriticalSections : Uint4B
2321 # +0x070 CsrClientThread : Ptr64 Void
2322 # +0x078 Win32ThreadInfo : Ptr64 Void
2323 # +0x080 User32Reserved : [26] Uint4B
2324 # +0x0e8 UserReserved : [5] Uint4B
2325 # +0x100 WOW32Reserved : Ptr64 Void
2326 # +0x108 CurrentLocale : Uint4B
2327 # +0x10c FpSoftwareStatusRegister : Uint4B
2328 # +0x110 SystemReserved1 : [54] Ptr64 Void
2329 # +0x2c0 ExceptionCode : Int4B
2330 # +0x2c8 ActivationContextStackPointer : Ptr64 _ACTIVATION_CONTEXT_STACK
2331 # +0x2d0 SpareBytes1 : [28] UChar
2332 # +0x2f0 GdiTebBatch : _GDI_TEB_BATCH
2333 # +0x7d8 RealClientId : _CLIENT_ID
2334 # +0x7e8 GdiCachedProcessHandle : Ptr64 Void
2335 # +0x7f0 GdiClientPID : Uint4B
2336 # +0x7f4 GdiClientTID : Uint4B
2337 # +0x7f8 GdiThreadLocalInfo : Ptr64 Void
2338 # +0x800 Win32ClientInfo : [62] Uint8B
2339 # +0x9f0 glDispatchTable : [233] Ptr64 Void
2340 # +0x1138 glReserved1 : [29] Uint8B
2341 # +0x1220 glReserved2 : Ptr64 Void
2342 # +0x1228 glSectionInfo : Ptr64 Void
2343 # +0x1230 glSection : Ptr64 Void
2344 # +0x1238 glTable : Ptr64 Void
2345 # +0x1240 glCurrentRC : Ptr64 Void
2346 # +0x1248 glContext : Ptr64 Void
2347 # +0x1250 LastStatusValue : Uint4B
2348 # +0x1258 StaticUnicodeString : _UNICODE_STRING
2349 # +0x1268 StaticUnicodeBuffer : [261] Uint2B
2350 # +0x1478 DeallocationStack : Ptr64 Void
2351 # +0x1480 TlsSlots : [64] Ptr64 Void
2352 # +0x1680 TlsLinks : _LIST_ENTRY
2353 # +0x1690 Vdm : Ptr64 Void
2354 # +0x1698 ReservedForNtRpc : Ptr64 Void
2355 # +0x16a0 DbgSsReserved : [2] Ptr64 Void
2356 # +0x16b0 HardErrorMode : Uint4B
2357 # +0x16b8 Instrumentation : [14] Ptr64 Void
2358 # +0x1728 SubProcessTag : Ptr64 Void
2359 # +0x1730 EtwTraceData : Ptr64 Void
2360 # +0x1738 WinSockData : Ptr64 Void
2361 # +0x1740 GdiBatchCount : Uint4B
2362 # +0x1744 InDbgPrint : UChar
2363 # +0x1745 FreeStackOnTermination : UChar
2364 # +0x1746 HasFiberData : UChar
2365 # +0x1747 IdealProcessor : UChar
2366 # +0x1748 GuaranteedStackBytes : Uint4B
2367 # +0x1750 ReservedForPerf : Ptr64 Void
2368 # +0x1758 ReservedForOle : Ptr64 Void
2369 # +0x1760 WaitingOnLoaderLock : Uint4B
2370 # +0x1768 SparePointer1 : Uint8B
2371 # +0x1770 SoftPatchPtr1 : Uint8B
2372 # +0x1778 SoftPatchPtr2 : Uint8B
2373 # +0x1780 TlsExpansionSlots : Ptr64 Ptr64 Void
2374 # +0x1788 DeallocationBStore : Ptr64 Void
2375 # +0x1790 BStoreLimit : Ptr64 Void
2376 # +0x1798 ImpersonationLocale : Uint4B
2377 # +0x179c IsImpersonating : Uint4B
2378 # +0x17a0 NlsCache : Ptr64 Void
2379 # +0x17a8 pShimData : Ptr64 Void
2380 # +0x17b0 HeapVirtualAffinity : Uint4B
2381 # +0x17b8 CurrentTransactionHandle : Ptr64 Void
2382 # +0x17c0 ActiveFrame : Ptr64 _TEB_ACTIVE_FRAME
2383 # +0x17c8 FlsData : Ptr64 Void
2384 # +0x17d0 SafeThunkCall : UChar
2385 # +0x17d1 BooleanSpare : [3] UChar
# 64-bit layout following the dt dump above (Ptr64 members become PVOID).
# Also reused for Server 2003 x64 via the _TEB_2003_64 alias further down.
2387 _pack_ = 8
2388 _fields_ = [
2389 ("NtTib", NT_TIB),
2390 ("EnvironmentPointer", PVOID),
2391 ("ClientId", CLIENT_ID),
2392 ("ActiveRpcHandle", PVOID),
2393 ("ThreadLocalStoragePointer", PVOID),
2394 ("ProcessEnvironmentBlock", PVOID), # PPEB
2395 ("LastErrorValue", DWORD),
2396 ("CountOfOwnedCriticalSections", DWORD),
2397 ("CsrClientThread", PVOID),
2398 ("Win32ThreadInfo", PVOID),
2399 ("User32Reserved", DWORD * 26),
2400 ("UserReserved", DWORD * 5),
2401 ("WOW32Reserved", PVOID), # ptr to wow64cpu!X86SwitchTo64BitMode
2402 ("CurrentLocale", DWORD),
2403 ("FpSoftwareStatusRegister", DWORD),
2404 ("SystemReserved1", PVOID * 54),
2405 ("ExceptionCode", SDWORD),
2406 ("ActivationContextStackPointer", PVOID), # PACTIVATION_CONTEXT_STACK
# NOTE(review): in the dump SpareBytes1 ends at +0x2ec (0x2d0 + 28) while
# GdiTebBatch starts at +0x2f0; whether ctypes reproduces that 4-byte gap
# depends on the alignment of GDI_TEB_BATCH -- confirm the resulting offset.
2407 ("SpareBytes1", UCHAR * 28),
2408 ("GdiTebBatch", GDI_TEB_BATCH),
2409 ("RealClientId", CLIENT_ID),
2410 ("GdiCachedProcessHandle", HANDLE),
2411 ("GdiClientPID", DWORD),
2412 ("GdiClientTID", DWORD),
2413 ("GdiThreadLocalInfo", PVOID),
# "[62] Uint8B" / "[29] Uint8B" in the dump, hence QWORD rather than DWORD.
2414 ("Win32ClientInfo", QWORD * 62),
2415 ("glDispatchTable", PVOID * 233),
2416 ("glReserved1", QWORD * 29),
2417 ("glReserved2", PVOID),
2418 ("glSectionInfo", PVOID),
2419 ("glSection", PVOID),
2420 ("glTable", PVOID),
2421 ("glCurrentRC", PVOID),
2422 ("glContext", PVOID),
2423 ("LastStatusValue", NTSTATUS),
2424 ("StaticUnicodeString", UNICODE_STRING),
2425 ("StaticUnicodeBuffer", WCHAR * 261),
2426 ("DeallocationStack", PVOID),
2427 ("TlsSlots", PVOID * 64),
2428 ("TlsLinks", LIST_ENTRY),
2429 ("Vdm", PVOID),
2430 ("ReservedForNtRpc", PVOID),
2431 ("DbgSsReserved", PVOID * 2),
2432 ("HardErrorMode", DWORD),
2433 ("Instrumentation", PVOID * 14),
2434 ("SubProcessTag", PVOID),
2435 ("EtwTraceData", PVOID),
2436 ("WinSockData", PVOID),
2437 ("GdiBatchCount", DWORD),
2438 ("InDbgPrint", BOOLEAN),
2439 ("FreeStackOnTermination", BOOLEAN),
2440 ("HasFiberData", BOOLEAN),
2441 ("IdealProcessor", UCHAR),
2442 ("GuaranteedStackBytes", DWORD),
2443 ("ReservedForPerf", PVOID),
2444 ("ReservedForOle", PVOID),
2445 ("WaitingOnLoaderLock", DWORD),
# Uint8B in the dump; PVOID is the same size on 64-bit.
2446 ("SparePointer1", PVOID),
2447 ("SoftPatchPtr1", PVOID),
2448 ("SoftPatchPtr2", PVOID),
2449 ("TlsExpansionSlots", PVOID), # Ptr64 Ptr64 Void
# DeallocationBStore / BStoreLimit are not present in the 32-bit tables.
2450 ("DeallocationBStore", PVOID),
2451 ("BStoreLimit", PVOID),
2452 ("ImpersonationLocale", DWORD),
2453 ("IsImpersonating", BOOL),
2454 ("NlsCache", PVOID),
2455 ("pShimData", PVOID),
2456 ("HeapVirtualAffinity", DWORD),
2457 ("CurrentTransactionHandle", HANDLE),
2458 ("ActiveFrame", PVOID), # PTEB_ACTIVE_FRAME
2459 ("FlsData", PVOID),
2460 ("SafeThunkCall", BOOLEAN),
2461 ("BooleanSpare", BOOLEAN * 3),
2462 ]
2463
2464 # +0x000 NtTib : _NT_TIB
2465 # +0x01c EnvironmentPointer : Ptr32 Void
2466 # +0x020 ClientId : _CLIENT_ID
2467 # +0x028 ActiveRpcHandle : Ptr32 Void
2468 # +0x02c ThreadLocalStoragePointer : Ptr32 Void
2469 # +0x030 ProcessEnvironmentBlock : Ptr32 _PEB
2470 # +0x034 LastErrorValue : Uint4B
2471 # +0x038 CountOfOwnedCriticalSections : Uint4B
2472 # +0x03c CsrClientThread : Ptr32 Void
2473 # +0x040 Win32ThreadInfo : Ptr32 Void
2474 # +0x044 User32Reserved : [26] Uint4B
2475 # +0x0ac UserReserved : [5] Uint4B
2476 # +0x0c0 WOW32Reserved : Ptr32 Void
2477 # +0x0c4 CurrentLocale : Uint4B
2478 # +0x0c8 FpSoftwareStatusRegister : Uint4B
2479 # +0x0cc SystemReserved1 : [54] Ptr32 Void
2480 # +0x1a4 ExceptionCode : Int4B
2481 # +0x1a8 ActivationContextStackPointer : Ptr32 _ACTIVATION_CONTEXT_STACK
2482 # +0x1ac SpareBytes1 : [40] UChar
2483 # +0x1d4 GdiTebBatch : _GDI_TEB_BATCH
2484 # +0x6b4 RealClientId : _CLIENT_ID
2485 # +0x6bc GdiCachedProcessHandle : Ptr32 Void
2486 # +0x6c0 GdiClientPID : Uint4B
2487 # +0x6c4 GdiClientTID : Uint4B
2488 # +0x6c8 GdiThreadLocalInfo : Ptr32 Void
2489 # +0x6cc Win32ClientInfo : [62] Uint4B
2490 # +0x7c4 glDispatchTable : [233] Ptr32 Void
2491 # +0xb68 glReserved1 : [29] Uint4B
2492 # +0xbdc glReserved2 : Ptr32 Void
2493 # +0xbe0 glSectionInfo : Ptr32 Void
2494 # +0xbe4 glSection : Ptr32 Void
2495 # +0xbe8 glTable : Ptr32 Void
2496 # +0xbec glCurrentRC : Ptr32 Void
2497 # +0xbf0 glContext : Ptr32 Void
2498 # +0xbf4 LastStatusValue : Uint4B
2499 # +0xbf8 StaticUnicodeString : _UNICODE_STRING
2500 # +0xc00 StaticUnicodeBuffer : [261] Uint2B
2501 # +0xe0c DeallocationStack : Ptr32 Void
2502 # +0xe10 TlsSlots : [64] Ptr32 Void
2503 # +0xf10 TlsLinks : _LIST_ENTRY
2504 # +0xf18 Vdm : Ptr32 Void
2505 # +0xf1c ReservedForNtRpc : Ptr32 Void
2506 # +0xf20 DbgSsReserved : [2] Ptr32 Void
2507 # +0xf28 HardErrorMode : Uint4B
2508 # +0xf2c Instrumentation : [14] Ptr32 Void
2509 # +0xf64 SubProcessTag : Ptr32 Void
2510 # +0xf68 EtwTraceData : Ptr32 Void
2511 # +0xf6c WinSockData : Ptr32 Void
2512 # +0xf70 GdiBatchCount : Uint4B
2513 # +0xf74 InDbgPrint : UChar
2514 # +0xf75 FreeStackOnTermination : UChar
2515 # +0xf76 HasFiberData : UChar
2516 # +0xf77 IdealProcessor : UChar
2517 # +0xf78 GuaranteedStackBytes : Uint4B
2518 # +0xf7c ReservedForPerf : Ptr32 Void
2519 # +0xf80 ReservedForOle : Ptr32 Void
2520 # +0xf84 WaitingOnLoaderLock : Uint4B
2521 # +0xf88 SparePointer1 : Uint4B
2522 # +0xf8c SoftPatchPtr1 : Uint4B
2523 # +0xf90 SoftPatchPtr2 : Uint4B
2524 # +0xf94 TlsExpansionSlots : Ptr32 Ptr32 Void
2525 # +0xf98 ImpersonationLocale : Uint4B
2526 # +0xf9c IsImpersonating : Uint4B
2527 # +0xfa0 NlsCache : Ptr32 Void
2528 # +0xfa4 pShimData : Ptr32 Void
2529 # +0xfa8 HeapVirtualAffinity : Uint4B
2530 # +0xfac CurrentTransactionHandle : Ptr32 Void
2531 # +0xfb0 ActiveFrame : Ptr32 _TEB_ACTIVE_FRAME
2532 # +0xfb4 FlsData : Ptr32 Void
2533 # +0xfb8 SafeThunkCall : UChar
2534 # +0xfb9 BooleanSpare : [3] UChar
# 32-bit layout following the dt dump above. Here the offsets line up:
# SpareBytes1 at +0x1ac plus 40 bytes gives the dump's +0x1d4 for GdiTebBatch.
# Reused for 2003 R2 via the aliases further down.
2536 _pack_ = 8
2537 _fields_ = [
2538 ("NtTib", NT_TIB),
2539 ("EnvironmentPointer", PVOID),
2540 ("ClientId", CLIENT_ID),
2541 ("ActiveRpcHandle", HANDLE),
2542 ("ThreadLocalStoragePointer", PVOID),
2543 ("ProcessEnvironmentBlock", PVOID), # PPEB
2544 ("LastErrorValue", DWORD),
2545 ("CountOfOwnedCriticalSections", DWORD),
2546 ("CsrClientThread", PVOID),
2547 ("Win32ThreadInfo", PVOID),
2548 ("User32Reserved", DWORD * 26),
2549 ("UserReserved", DWORD * 5),
2550 ("WOW32Reserved", PVOID), # ptr to wow64cpu!X86SwitchTo64BitMode
2551 ("CurrentLocale", DWORD),
2552 ("FpSoftwareStatusRegister", DWORD),
2553 ("SystemReserved1", PVOID * 54),
2554 ("ExceptionCode", SDWORD),
2555 ("ActivationContextStackPointer", PVOID), # PACTIVATION_CONTEXT_STACK
# "[40] UChar" in the dump; no TxFsContext in this layout.
2556 ("SpareBytes1", UCHAR * 40),
2557 ("GdiTebBatch", GDI_TEB_BATCH),
2558 ("RealClientId", CLIENT_ID),
2559 ("GdiCachedProcessHandle", HANDLE),
2560 ("GdiClientPID", DWORD),
2561 ("GdiClientTID", DWORD),
2562 ("GdiThreadLocalInfo", PVOID),
2563 ("Win32ClientInfo", DWORD * 62),
2564 ("glDispatchTable", PVOID * 233),
2565 ("glReserved1", DWORD * 29),
2566 ("glReserved2", PVOID),
2567 ("glSectionInfo", PVOID),
2568 ("glSection", PVOID),
2569 ("glTable", PVOID),
2570 ("glCurrentRC", PVOID),
2571 ("glContext", PVOID),
2572 ("LastStatusValue", NTSTATUS),
2573 ("StaticUnicodeString", UNICODE_STRING),
2574 ("StaticUnicodeBuffer", WCHAR * 261),
2575 ("DeallocationStack", PVOID),
2576 ("TlsSlots", PVOID * 64),
2577 ("TlsLinks", LIST_ENTRY),
2578 ("Vdm", PVOID),
2579 ("ReservedForNtRpc", PVOID),
2580 ("DbgSsReserved", PVOID * 2),
2581 ("HardErrorMode", DWORD),
2582 ("Instrumentation", PVOID * 14),
2583 ("SubProcessTag", PVOID),
2584 ("EtwTraceData", PVOID),
2585 ("WinSockData", PVOID),
2586 ("GdiBatchCount", DWORD),
2587 ("InDbgPrint", BOOLEAN),
2588 ("FreeStackOnTermination", BOOLEAN),
2589 ("HasFiberData", BOOLEAN),
2590 ("IdealProcessor", UCHAR),
2591 ("GuaranteedStackBytes", DWORD),
2592 ("ReservedForPerf", PVOID),
2593 ("ReservedForOle", PVOID),
2594 ("WaitingOnLoaderLock", DWORD),
# Uint4B in the dump; PVOID is the same size on 32-bit.
2595 ("SparePointer1", PVOID),
2596 ("SoftPatchPtr1", PVOID),
2597 ("SoftPatchPtr2", PVOID),
2598 ("TlsExpansionSlots", PVOID), # Ptr32 Ptr32 Void
2599 ("ImpersonationLocale", DWORD),
2600 ("IsImpersonating", BOOL),
2601 ("NlsCache", PVOID),
2602 ("pShimData", PVOID),
2603 ("HeapVirtualAffinity", DWORD),
2604 ("CurrentTransactionHandle", HANDLE),
2605 ("ActiveFrame", PVOID), # PTEB_ACTIVE_FRAME
2606 ("FlsData", PVOID),
2607 ("SafeThunkCall", BOOLEAN),
2608 ("BooleanSpare", BOOLEAN * 3),
2609 ]
2610
# Server 2003 reuses the XP layout on 64-bit builds, and Server 2003 R2 adds
# no TEB members of its own, so all three names are plain aliases: the same
# class objects, not copies.
_TEB_2003_64 = _TEB_XP_64
_TEB_2003_R2, _TEB_2003_R2_64 = _TEB_2003, _TEB_XP_64
2614
2615 # +0x000 NtTib : _NT_TIB
2616 # +0x01c EnvironmentPointer : Ptr32 Void
2617 # +0x020 ClientId : _CLIENT_ID
2618 # +0x028 ActiveRpcHandle : Ptr32 Void
2619 # +0x02c ThreadLocalStoragePointer : Ptr32 Void
2620 # +0x030 ProcessEnvironmentBlock : Ptr32 _PEB
2621 # +0x034 LastErrorValue : Uint4B
2622 # +0x038 CountOfOwnedCriticalSections : Uint4B
2623 # +0x03c CsrClientThread : Ptr32 Void
2624 # +0x040 Win32ThreadInfo : Ptr32 Void
2625 # +0x044 User32Reserved : [26] Uint4B
2626 # +0x0ac UserReserved : [5] Uint4B
2627 # +0x0c0 WOW32Reserved : Ptr32 Void
2628 # +0x0c4 CurrentLocale : Uint4B
2629 # +0x0c8 FpSoftwareStatusRegister : Uint4B
2630 # +0x0cc SystemReserved1 : [54] Ptr32 Void
2631 # +0x1a4 ExceptionCode : Int4B
2632 # +0x1a8 ActivationContextStackPointer : Ptr32 _ACTIVATION_CONTEXT_STACK
2633 # +0x1ac SpareBytes1 : [36] UChar
2634 # +0x1d0 TxFsContext : Uint4B
2635 # +0x1d4 GdiTebBatch : _GDI_TEB_BATCH
2636 # +0x6b4 RealClientId : _CLIENT_ID
2637 # +0x6bc GdiCachedProcessHandle : Ptr32 Void
2638 # +0x6c0 GdiClientPID : Uint4B
2639 # +0x6c4 GdiClientTID : Uint4B
2640 # +0x6c8 GdiThreadLocalInfo : Ptr32 Void
2641 # +0x6cc Win32ClientInfo : [62] Uint4B
2642 # +0x7c4 glDispatchTable : [233] Ptr32 Void
2643 # +0xb68 glReserved1 : [29] Uint4B
2644 # +0xbdc glReserved2 : Ptr32 Void
2645 # +0xbe0 glSectionInfo : Ptr32 Void
2646 # +0xbe4 glSection : Ptr32 Void
2647 # +0xbe8 glTable : Ptr32 Void
2648 # +0xbec glCurrentRC : Ptr32 Void
2649 # +0xbf0 glContext : Ptr32 Void
2650 # +0xbf4 LastStatusValue : Uint4B
2651 # +0xbf8 StaticUnicodeString : _UNICODE_STRING
2652 # +0xc00 StaticUnicodeBuffer : [261] Wchar
2653 # +0xe0c DeallocationStack : Ptr32 Void
2654 # +0xe10 TlsSlots : [64] Ptr32 Void
2655 # +0xf10 TlsLinks : _LIST_ENTRY
2656 # +0xf18 Vdm : Ptr32 Void
2657 # +0xf1c ReservedForNtRpc : Ptr32 Void
2658 # +0xf20 DbgSsReserved : [2] Ptr32 Void
2659 # +0xf28 HardErrorMode : Uint4B
2660 # +0xf2c Instrumentation : [9] Ptr32 Void
2661 # +0xf50 ActivityId : _GUID
2662 # +0xf60 SubProcessTag : Ptr32 Void
2663 # +0xf64 EtwLocalData : Ptr32 Void
2664 # +0xf68 EtwTraceData : Ptr32 Void
2665 # +0xf6c WinSockData : Ptr32 Void
2666 # +0xf70 GdiBatchCount : Uint4B
2667 # +0xf74 SpareBool0 : UChar
2668 # +0xf75 SpareBool1 : UChar
2669 # +0xf76 SpareBool2 : UChar
2670 # +0xf77 IdealProcessor : UChar
2671 # +0xf78 GuaranteedStackBytes : Uint4B
2672 # +0xf7c ReservedForPerf : Ptr32 Void
2673 # +0xf80 ReservedForOle : Ptr32 Void
2674 # +0xf84 WaitingOnLoaderLock : Uint4B
2675 # +0xf88 SavedPriorityState : Ptr32 Void
2676 # +0xf8c SoftPatchPtr1 : Uint4B
2677 # +0xf90 ThreadPoolData : Ptr32 Void
2678 # +0xf94 TlsExpansionSlots : Ptr32 Ptr32 Void
2679 # +0xf98 ImpersonationLocale : Uint4B
2680 # +0xf9c IsImpersonating : Uint4B
2681 # +0xfa0 NlsCache : Ptr32 Void
2682 # +0xfa4 pShimData : Ptr32 Void
2683 # +0xfa8 HeapVirtualAffinity : Uint4B
2684 # +0xfac CurrentTransactionHandle : Ptr32 Void
2685 # +0xfb0 ActiveFrame : Ptr32 _TEB_ACTIVE_FRAME
2686 # +0xfb4 FlsData : Ptr32 Void
2687 # +0xfb8 PreferredLanguages : Ptr32 Void
2688 # +0xfbc UserPrefLanguages : Ptr32 Void
2689 # +0xfc0 MergedPrefLanguages : Ptr32 Void
2690 # +0xfc4 MuiImpersonation : Uint4B
2691 # +0xfc8 CrossTebFlags : Uint2B
2692 # +0xfc8 SpareCrossTebBits : Pos 0, 16 Bits
2693 # +0xfca SameTebFlags : Uint2B
2694 # +0xfca DbgSafeThunkCall : Pos 0, 1 Bit
2695 # +0xfca DbgInDebugPrint : Pos 1, 1 Bit
2696 # +0xfca DbgHasFiberData : Pos 2, 1 Bit
2697 # +0xfca DbgSkipThreadAttach : Pos 3, 1 Bit
2698 # +0xfca DbgWerInShipAssertCode : Pos 4, 1 Bit
2699 # +0xfca DbgRanProcessInit : Pos 5, 1 Bit
2700 # +0xfca DbgClonedThread : Pos 6, 1 Bit
2701 # +0xfca DbgSuppressDebugMsg : Pos 7, 1 Bit
2702 # +0xfca RtlDisableUserStackWalk : Pos 8, 1 Bit
2703 # +0xfca RtlExceptionAttached : Pos 9, 1 Bit
2704 # +0xfca SpareSameTebBits : Pos 10, 6 Bits
2705 # +0xfcc TxnScopeEnterCallback : Ptr32 Void
2706 # +0xfd0 TxnScopeExitCallback : Ptr32 Void
2707 # +0xfd4 TxnScopeContext : Ptr32 Void
2708 # +0xfd8 LockCount : Uint4B
2709 # +0xfdc ProcessRundown : Uint4B
2710 # +0xfe0 LastSwitchTime : Uint8B
2711 # +0xfe8 TotalSwitchOutTime : Uint8B
2712 # +0xff0 WaitReasonBitMap : _LARGE_INTEGER
# Body of the Vista / Server 2008 32-bit TEB layout (the class line is not
# shown on this page; going by the aliases further down this is presumably
# _TEB_2008, and the dump above uses Ptr32 members).  ctypes places each
# field right after the previous one, subject to _pack_, so the list must
# follow the windbg dump above member by member: one wrongly sized field
# shifts the offset of every field after it.
_pack_ = 8   # same packing the public TEB class defaults to below
_fields_ = [
    ("NtTib", NT_TIB),
    ("EnvironmentPointer", PVOID),
    ("ClientId", CLIENT_ID),
    ("ActiveRpcHandle", HANDLE),
    ("ThreadLocalStoragePointer", PVOID),
    ("ProcessEnvironmentBlock", PVOID), # PPEB
    ("LastErrorValue", DWORD),
    ("CountOfOwnedCriticalSections", DWORD),
    ("CsrClientThread", PVOID),
    ("Win32ThreadInfo", PVOID),
    ("User32Reserved", DWORD * 26),
    ("UserReserved", DWORD * 5),
    ("WOW32Reserved", PVOID), # ptr to wow64cpu!X86SwitchTo64BitMode
    ("CurrentLocale", DWORD),
    ("FpSoftwareStatusRegister", DWORD),
    ("SystemReserved1", PVOID * 54),
    ("ExceptionCode", SDWORD),
    ("ActivationContextStackPointer", PVOID), # PACTIVATION_CONTEXT_STACK
    # 36 bytes here (the 2003 layout above has 40): TxFsContext takes the
    # next 4, so GdiTebBatch still lands at +0x1d4 as in the dump.
    ("SpareBytes1", UCHAR * 36),
    ("TxFsContext", DWORD),
    ("GdiTebBatch", GDI_TEB_BATCH),
    ("RealClientId", CLIENT_ID),
    ("GdiCachedProcessHandle", HANDLE),
    ("GdiClientPID", DWORD),
    ("GdiClientTID", DWORD),
    ("GdiThreadLocalInfo", PVOID),
    ("Win32ClientInfo", DWORD * 62),
    ("glDispatchTable", PVOID * 233),
    ("glReserved1", DWORD * 29),
    ("glReserved2", PVOID),
    ("glSectionInfo", PVOID),
    ("glSection", PVOID),
    ("glTable", PVOID),
    ("glCurrentRC", PVOID),
    ("glContext", PVOID),
    ("LastStatusValue", NTSTATUS),
    ("StaticUnicodeString", UNICODE_STRING),
    ("StaticUnicodeBuffer", WCHAR * 261),
    ("DeallocationStack", PVOID),
    ("TlsSlots", PVOID * 64),
    ("TlsLinks", LIST_ENTRY),
    ("Vdm", PVOID),
    ("ReservedForNtRpc", PVOID),
    ("DbgSsReserved", PVOID * 2),
    ("HardErrorMode", DWORD),
    # [9] on this layout (the 2003 layout above has 14); ActivityId (a GUID)
    # and EtwLocalData are new here.
    ("Instrumentation", PVOID * 9),
    ("ActivityId", GUID),
    ("SubProcessTag", PVOID),
    ("EtwLocalData", PVOID),
    ("EtwTraceData", PVOID),
    ("WinSockData", PVOID),
    ("GdiBatchCount", DWORD),
    # Four consecutive bytes at +0xf74..+0xf77 in the dump; not a union on
    # this layout.
    ("SpareBool0", BOOLEAN),
    ("SpareBool1", BOOLEAN),
    ("SpareBool2", BOOLEAN),
    ("IdealProcessor", UCHAR),
    ("GuaranteedStackBytes", DWORD),
    ("ReservedForPerf", PVOID),
    ("ReservedForOle", PVOID),
    ("WaitingOnLoaderLock", DWORD),
    ("SavedPriorityState", PVOID),
    ("SoftPatchPtr1", PVOID),
    ("ThreadPoolData", PVOID),
    ("TlsExpansionSlots", PVOID), # Ptr32 Ptr32 Void
    ("ImpersonationLocale", DWORD),
    ("IsImpersonating", BOOL),
    ("NlsCache", PVOID),
    ("pShimData", PVOID),
    ("HeapVirtualAffinity", DWORD),
    ("CurrentTransactionHandle", HANDLE),
    ("ActiveFrame", PVOID), # PTEB_ACTIVE_FRAME
    ("FlsData", PVOID),
    ("PreferredLanguages", PVOID),
    ("UserPrefLanguages", PVOID),
    ("MergedPrefLanguages", PVOID),
    ("MuiImpersonation", BOOL),
    # The dump shows CrossTebFlags/SameTebFlags as Uint2B bit containers;
    # the individual bits are not modelled, read them off the WORDs.
    ("CrossTebFlags", WORD),
    ("SameTebFlags", WORD),
    ("TxnScopeEnterCallback", PVOID),
    ("TxnScopeExitCallback", PVOID),
    ("TxnScopeContext", PVOID),
    ("LockCount", DWORD),
    ("ProcessRundown", DWORD),
    ("LastSwitchTime", QWORD),
    ("TotalSwitchOutTime", QWORD),
    ("WaitReasonBitMap", LONGLONG), # LARGE_INTEGER
]
2803
2804 # +0x000 NtTib : _NT_TIB
2805 # +0x038 EnvironmentPointer : Ptr64 Void
2806 # +0x040 ClientId : _CLIENT_ID
2807 # +0x050 ActiveRpcHandle : Ptr64 Void
2808 # +0x058 ThreadLocalStoragePointer : Ptr64 Void
2809 # +0x060 ProcessEnvironmentBlock : Ptr64 _PEB
2810 # +0x068 LastErrorValue : Uint4B
2811 # +0x06c CountOfOwnedCriticalSections : Uint4B
2812 # +0x070 CsrClientThread : Ptr64 Void
2813 # +0x078 Win32ThreadInfo : Ptr64 Void
2814 # +0x080 User32Reserved : [26] Uint4B
2815 # +0x0e8 UserReserved : [5] Uint4B
2816 # +0x100 WOW32Reserved : Ptr64 Void
2817 # +0x108 CurrentLocale : Uint4B
2818 # +0x10c FpSoftwareStatusRegister : Uint4B
2819 # +0x110 SystemReserved1 : [54] Ptr64 Void
2820 # +0x2c0 ExceptionCode : Int4B
2821 # +0x2c8 ActivationContextStackPointer : Ptr64 _ACTIVATION_CONTEXT_STACK
2822 # +0x2d0 SpareBytes1 : [24] UChar
2823 # +0x2e8 TxFsContext : Uint4B
2824 # +0x2f0 GdiTebBatch : _GDI_TEB_BATCH
2825 # +0x7d8 RealClientId : _CLIENT_ID
2826 # +0x7e8 GdiCachedProcessHandle : Ptr64 Void
2827 # +0x7f0 GdiClientPID : Uint4B
2828 # +0x7f4 GdiClientTID : Uint4B
2829 # +0x7f8 GdiThreadLocalInfo : Ptr64 Void
2830 # +0x800 Win32ClientInfo : [62] Uint8B
2831 # +0x9f0 glDispatchTable : [233] Ptr64 Void
2832 # +0x1138 glReserved1 : [29] Uint8B
2833 # +0x1220 glReserved2 : Ptr64 Void
2834 # +0x1228 glSectionInfo : Ptr64 Void
2835 # +0x1230 glSection : Ptr64 Void
2836 # +0x1238 glTable : Ptr64 Void
2837 # +0x1240 glCurrentRC : Ptr64 Void
2838 # +0x1248 glContext : Ptr64 Void
2839 # +0x1250 LastStatusValue : Uint4B
2840 # +0x1258 StaticUnicodeString : _UNICODE_STRING
2841 # +0x1268 StaticUnicodeBuffer : [261] Wchar
2842 # +0x1478 DeallocationStack : Ptr64 Void
2843 # +0x1480 TlsSlots : [64] Ptr64 Void
2844 # +0x1680 TlsLinks : _LIST_ENTRY
2845 # +0x1690 Vdm : Ptr64 Void
2846 # +0x1698 ReservedForNtRpc : Ptr64 Void
2847 # +0x16a0 DbgSsReserved : [2] Ptr64 Void
2848 # +0x16b0 HardErrorMode : Uint4B
2849 # +0x16b8 Instrumentation : [11] Ptr64 Void
2850 # +0x1710 ActivityId : _GUID
2851 # +0x1720 SubProcessTag : Ptr64 Void
2852 # +0x1728 EtwLocalData : Ptr64 Void
2853 # +0x1730 EtwTraceData : Ptr64 Void
2854 # +0x1738 WinSockData : Ptr64 Void
2855 # +0x1740 GdiBatchCount : Uint4B
2856 # +0x1744 SpareBool0 : UChar
2857 # +0x1745 SpareBool1 : UChar
2858 # +0x1746 SpareBool2 : UChar
2859 # +0x1747 IdealProcessor : UChar
2860 # +0x1748 GuaranteedStackBytes : Uint4B
2861 # +0x1750 ReservedForPerf : Ptr64 Void
2862 # +0x1758 ReservedForOle : Ptr64 Void
2863 # +0x1760 WaitingOnLoaderLock : Uint4B
2864 # +0x1768 SavedPriorityState : Ptr64 Void
2865 # +0x1770 SoftPatchPtr1 : Uint8B
2866 # +0x1778 ThreadPoolData : Ptr64 Void
2867 # +0x1780 TlsExpansionSlots : Ptr64 Ptr64 Void
2868 # +0x1788 DeallocationBStore : Ptr64 Void
2869 # +0x1790 BStoreLimit : Ptr64 Void
2870 # +0x1798 ImpersonationLocale : Uint4B
2871 # +0x179c IsImpersonating : Uint4B
2872 # +0x17a0 NlsCache : Ptr64 Void
2873 # +0x17a8 pShimData : Ptr64 Void
2874 # +0x17b0 HeapVirtualAffinity : Uint4B
2875 # +0x17b8 CurrentTransactionHandle : Ptr64 Void
2876 # +0x17c0 ActiveFrame : Ptr64 _TEB_ACTIVE_FRAME
2877 # +0x17c8 FlsData : Ptr64 Void
2878 # +0x17d0 PreferredLanguages : Ptr64 Void
2879 # +0x17d8 UserPrefLanguages : Ptr64 Void
2880 # +0x17e0 MergedPrefLanguages : Ptr64 Void
2881 # +0x17e8 MuiImpersonation : Uint4B
2882 # +0x17ec CrossTebFlags : Uint2B
2883 # +0x17ec SpareCrossTebBits : Pos 0, 16 Bits
2884 # +0x17ee SameTebFlags : Uint2B
2885 # +0x17ee DbgSafeThunkCall : Pos 0, 1 Bit
2886 # +0x17ee DbgInDebugPrint : Pos 1, 1 Bit
2887 # +0x17ee DbgHasFiberData : Pos 2, 1 Bit
2888 # +0x17ee DbgSkipThreadAttach : Pos 3, 1 Bit
2889 # +0x17ee DbgWerInShipAssertCode : Pos 4, 1 Bit
2890 # +0x17ee DbgRanProcessInit : Pos 5, 1 Bit
2891 # +0x17ee DbgClonedThread : Pos 6, 1 Bit
2892 # +0x17ee DbgSuppressDebugMsg : Pos 7, 1 Bit
2893 # +0x17ee RtlDisableUserStackWalk : Pos 8, 1 Bit
2894 # +0x17ee RtlExceptionAttached : Pos 9, 1 Bit
2895 # +0x17ee SpareSameTebBits : Pos 10, 6 Bits
2896 # +0x17f0 TxnScopeEnterCallback : Ptr64 Void
2897 # +0x17f8 TxnScopeExitCallback : Ptr64 Void
2898 # +0x1800 TxnScopeContext : Ptr64 Void
2899 # +0x1808 LockCount : Uint4B
2900 # +0x180c ProcessRundown : Uint4B
2901 # +0x1810 LastSwitchTime : Uint8B
2902 # +0x1818 TotalSwitchOutTime : Uint8B
2903 # +0x1820 WaitReasonBitMap : _LARGE_INTEGER
# Body of the Vista / Server 2008 64-bit TEB layout (the class line is not
# shown on this page; going by the aliases further down this is presumably
# _TEB_2008_64, and the dump above uses Ptr64 members).  ctypes places each
# field right after the previous one, subject to _pack_, so the list must
# follow the windbg dump above member by member: one wrongly sized field
# shifts the offset of every field after it.
_pack_ = 8   # same packing the public TEB class defaults to below
_fields_ = [
    ("NtTib", NT_TIB),
    ("EnvironmentPointer", PVOID),
    ("ClientId", CLIENT_ID),
    ("ActiveRpcHandle", HANDLE),
    ("ThreadLocalStoragePointer", PVOID),
    ("ProcessEnvironmentBlock", PVOID), # PPEB
    ("LastErrorValue", DWORD),
    ("CountOfOwnedCriticalSections", DWORD),
    ("CsrClientThread", PVOID),
    ("Win32ThreadInfo", PVOID),
    ("User32Reserved", DWORD * 26),
    ("UserReserved", DWORD * 5),
    ("WOW32Reserved", PVOID), # ptr to wow64cpu!X86SwitchTo64BitMode
    ("CurrentLocale", DWORD),
    ("FpSoftwareStatusRegister", DWORD),
    ("SystemReserved1", PVOID * 54),
    ("ExceptionCode", SDWORD),
    ("ActivationContextStackPointer", PVOID), # PACTIVATION_CONTEXT_STACK
    # 24 bytes on 64-bit (36 on the 32-bit layout): TxFsContext follows at
    # +0x2e8 and GdiTebBatch is 8-aligned at +0x2f0, as in the dump.
    ("SpareBytes1", UCHAR * 24),
    ("TxFsContext", DWORD),
    ("GdiTebBatch", GDI_TEB_BATCH),
    ("RealClientId", CLIENT_ID),
    ("GdiCachedProcessHandle", HANDLE),
    ("GdiClientPID", DWORD),
    ("GdiClientTID", DWORD),
    ("GdiThreadLocalInfo", PVOID),
    # [62] Uint8B / [29] Uint8B in the dump: pointer-sized slots on 64-bit,
    # unlike the DWORD slots of the 32-bit layout.
    ("Win32ClientInfo", QWORD * 62),
    ("glDispatchTable", PVOID * 233),
    ("glReserved1", QWORD * 29),
    ("glReserved2", PVOID),
    ("glSectionInfo", PVOID),
    ("glSection", PVOID),
    ("glTable", PVOID),
    ("glCurrentRC", PVOID),
    ("glContext", PVOID),
    ("LastStatusValue", NTSTATUS),
    ("StaticUnicodeString", UNICODE_STRING),
    ("StaticUnicodeBuffer", WCHAR * 261),
    ("DeallocationStack", PVOID),
    ("TlsSlots", PVOID * 64),
    ("TlsLinks", LIST_ENTRY),
    ("Vdm", PVOID),
    ("ReservedForNtRpc", PVOID),
    ("DbgSsReserved", PVOID * 2),
    ("HardErrorMode", DWORD),
    ("Instrumentation", PVOID * 11),   # [11] on 64-bit, [9] on 32-bit
    ("ActivityId", GUID),
    ("SubProcessTag", PVOID),
    ("EtwLocalData", PVOID),
    ("EtwTraceData", PVOID),
    ("WinSockData", PVOID),
    ("GdiBatchCount", DWORD),
    # Four consecutive bytes at +0x1744..+0x1747 in the dump; not a union
    # on this layout.
    ("SpareBool0", BOOLEAN),
    ("SpareBool1", BOOLEAN),
    ("SpareBool2", BOOLEAN),
    ("IdealProcessor", UCHAR),
    ("GuaranteedStackBytes", DWORD),
    ("ReservedForPerf", PVOID),
    ("ReservedForOle", PVOID),
    ("WaitingOnLoaderLock", DWORD),
    ("SavedPriorityState", PVOID),
    ("SoftPatchPtr1", PVOID),   # Uint8B in the dump; pointer-sized here
    ("ThreadPoolData", PVOID),
    ("TlsExpansionSlots", PVOID), # Ptr64 Ptr64 Void
    # 64-bit only: the two BStore pointers precede ImpersonationLocale.
    ("DeallocationBStore", PVOID),
    ("BStoreLimit", PVOID),
    ("ImpersonationLocale", DWORD),
    ("IsImpersonating", BOOL),
    ("NlsCache", PVOID),
    ("pShimData", PVOID),
    ("HeapVirtualAffinity", DWORD),
    ("CurrentTransactionHandle", HANDLE),
    ("ActiveFrame", PVOID), # PTEB_ACTIVE_FRAME
    ("FlsData", PVOID),
    ("PreferredLanguages", PVOID),
    ("UserPrefLanguages", PVOID),
    ("MergedPrefLanguages", PVOID),
    ("MuiImpersonation", BOOL),
    # The dump shows CrossTebFlags/SameTebFlags as Uint2B bit containers;
    # the individual bits are not modelled, read them off the WORDs.
    ("CrossTebFlags", WORD),
    ("SameTebFlags", WORD),
    ("TxnScopeEnterCallback", PVOID),
    ("TxnScopeExitCallback", PVOID),
    ("TxnScopeContext", PVOID),
    ("LockCount", DWORD),
    ("ProcessRundown", DWORD),
    ("LastSwitchTime", QWORD),
    ("TotalSwitchOutTime", QWORD),
    ("WaitReasonBitMap", LONGLONG), # LARGE_INTEGER
]
2996
2997 # +0x000 NtTib : _NT_TIB
2998 # +0x01c EnvironmentPointer : Ptr32 Void
2999 # +0x020 ClientId : _CLIENT_ID
3000 # +0x028 ActiveRpcHandle : Ptr32 Void
3001 # +0x02c ThreadLocalStoragePointer : Ptr32 Void
3002 # +0x030 ProcessEnvironmentBlock : Ptr32 _PEB
3003 # +0x034 LastErrorValue : Uint4B
3004 # +0x038 CountOfOwnedCriticalSections : Uint4B
3005 # +0x03c CsrClientThread : Ptr32 Void
3006 # +0x040 Win32ThreadInfo : Ptr32 Void
3007 # +0x044 User32Reserved : [26] Uint4B
3008 # +0x0ac UserReserved : [5] Uint4B
3009 # +0x0c0 WOW32Reserved : Ptr32 Void
3010 # +0x0c4 CurrentLocale : Uint4B
3011 # +0x0c8 FpSoftwareStatusRegister : Uint4B
3012 # +0x0cc SystemReserved1 : [54] Ptr32 Void
3013 # +0x1a4 ExceptionCode : Int4B
3014 # +0x1a8 ActivationContextStackPointer : Ptr32 _ACTIVATION_CONTEXT_STACK
3015 # +0x1ac SpareBytes : [36] UChar
3016 # +0x1d0 TxFsContext : Uint4B
3017 # +0x1d4 GdiTebBatch : _GDI_TEB_BATCH
3018 # +0x6b4 RealClientId : _CLIENT_ID
3019 # +0x6bc GdiCachedProcessHandle : Ptr32 Void
3020 # +0x6c0 GdiClientPID : Uint4B
3021 # +0x6c4 GdiClientTID : Uint4B
3022 # +0x6c8 GdiThreadLocalInfo : Ptr32 Void
3023 # +0x6cc Win32ClientInfo : [62] Uint4B
3024 # +0x7c4 glDispatchTable : [233] Ptr32 Void
3025 # +0xb68 glReserved1 : [29] Uint4B
3026 # +0xbdc glReserved2 : Ptr32 Void
3027 # +0xbe0 glSectionInfo : Ptr32 Void
3028 # +0xbe4 glSection : Ptr32 Void
3029 # +0xbe8 glTable : Ptr32 Void
3030 # +0xbec glCurrentRC : Ptr32 Void
3031 # +0xbf0 glContext : Ptr32 Void
3032 # +0xbf4 LastStatusValue : Uint4B
3033 # +0xbf8 StaticUnicodeString : _UNICODE_STRING
3034 # +0xc00 StaticUnicodeBuffer : [261] Wchar
3035 # +0xe0c DeallocationStack : Ptr32 Void
3036 # +0xe10 TlsSlots : [64] Ptr32 Void
3037 # +0xf10 TlsLinks : _LIST_ENTRY
3038 # +0xf18 Vdm : Ptr32 Void
3039 # +0xf1c ReservedForNtRpc : Ptr32 Void
3040 # +0xf20 DbgSsReserved : [2] Ptr32 Void
3041 # +0xf28 HardErrorMode : Uint4B
3042 # +0xf2c Instrumentation : [9] Ptr32 Void
3043 # +0xf50 ActivityId : _GUID
3044 # +0xf60 SubProcessTag : Ptr32 Void
3045 # +0xf64 EtwLocalData : Ptr32 Void
3046 # +0xf68 EtwTraceData : Ptr32 Void
3047 # +0xf6c WinSockData : Ptr32 Void
3048 # +0xf70 GdiBatchCount : Uint4B
3049 # +0xf74 CurrentIdealProcessor : _PROCESSOR_NUMBER
3050 # +0xf74 IdealProcessorValue : Uint4B
3051 # +0xf74 ReservedPad0 : UChar
3052 # +0xf75 ReservedPad1 : UChar
3053 # +0xf76 ReservedPad2 : UChar
3054 # +0xf77 IdealProcessor : UChar
3055 # +0xf78 GuaranteedStackBytes : Uint4B
3056 # +0xf7c ReservedForPerf : Ptr32 Void
3057 # +0xf80 ReservedForOle : Ptr32 Void
3058 # +0xf84 WaitingOnLoaderLock : Uint4B
3059 # +0xf88 SavedPriorityState : Ptr32 Void
3060 # +0xf8c SoftPatchPtr1 : Uint4B
3061 # +0xf90 ThreadPoolData : Ptr32 Void
3062 # +0xf94 TlsExpansionSlots : Ptr32 Ptr32 Void
3063 # +0xf98 MuiGeneration : Uint4B
3064 # +0xf9c IsImpersonating : Uint4B
3065 # +0xfa0 NlsCache : Ptr32 Void
3066 # +0xfa4 pShimData : Ptr32 Void
3067 # +0xfa8 HeapVirtualAffinity : Uint4B
3068 # +0xfac CurrentTransactionHandle : Ptr32 Void
3069 # +0xfb0 ActiveFrame : Ptr32 _TEB_ACTIVE_FRAME
3070 # +0xfb4 FlsData : Ptr32 Void
3071 # +0xfb8 PreferredLanguages : Ptr32 Void
3072 # +0xfbc UserPrefLanguages : Ptr32 Void
3073 # +0xfc0 MergedPrefLanguages : Ptr32 Void
3074 # +0xfc4 MuiImpersonation : Uint4B
3075 # +0xfc8 CrossTebFlags : Uint2B
3076 # +0xfc8 SpareCrossTebBits : Pos 0, 16 Bits
3077 # +0xfca SameTebFlags : Uint2B
3078 # +0xfca SafeThunkCall : Pos 0, 1 Bit
3079 # +0xfca InDebugPrint : Pos 1, 1 Bit
3080 # +0xfca HasFiberData : Pos 2, 1 Bit
3081 # +0xfca SkipThreadAttach : Pos 3, 1 Bit
3082 # +0xfca WerInShipAssertCode : Pos 4, 1 Bit
3083 # +0xfca RanProcessInit : Pos 5, 1 Bit
3084 # +0xfca ClonedThread : Pos 6, 1 Bit
3085 # +0xfca SuppressDebugMsg : Pos 7, 1 Bit
3086 # +0xfca DisableUserStackWalk : Pos 8, 1 Bit
3087 # +0xfca RtlExceptionAttached : Pos 9, 1 Bit
3088 # +0xfca InitialThread : Pos 10, 1 Bit
3089 # +0xfca SpareSameTebBits : Pos 11, 5 Bits
3090 # +0xfcc TxnScopeEnterCallback : Ptr32 Void
3091 # +0xfd0 TxnScopeExitCallback : Ptr32 Void
3092 # +0xfd4 TxnScopeContext : Ptr32 Void
3093 # +0xfd8 LockCount : Uint4B
3094 # +0xfdc SpareUlong0 : Uint4B
3095 # +0xfe0 ResourceRetValue : Ptr32 Void
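# Body of the Windows 7 / Server 2008 R2 32-bit TEB layout (the class line
# is not shown on this page; going by the aliases further down this is
# presumably _TEB_2008_R2, and the dump above uses Ptr32 members).  ctypes
# places each field right after the previous one, subject to _pack_, so the
# list must follow the windbg dump above member by member: one wrongly
# sized field shifts the offset of every field after it.
#
# The dump lists CurrentIdealProcessor, IdealProcessorValue and the four
# ReservedPad0..IdealProcessor bytes all at +0xf74, i.e. one 4-byte union.
# Declaring them as six consecutive fields consumed 12 bytes and pushed
# GuaranteedStackBytes (+0xf78 in the dump) and every later member 8 bytes
# too far.  The union below reproduces the overlap; _anonymous_ keeps every
# member name reachable directly on the structure, as before.  A class that
# copies _fields_ from here must copy _anonymous_ as well, otherwise those
# members are reachable only through the union field's own name ("u").

class _IDEAL_PROCESSOR_BYTES(Structure):
    """Byte view of the ideal-processor union: three pad bytes, then the number."""
    _fields_ = [
        ("ReservedPad0", UCHAR),
        ("ReservedPad1", UCHAR),
        ("ReservedPad2", UCHAR),
        ("IdealProcessor", UCHAR),
    ]

class _IDEAL_PROCESSOR_UNION(Union):
    """4-byte union at +0xf74: PROCESSOR_NUMBER, raw DWORD, or the byte view."""
    _anonymous_ = ("s",)

# _fields_ is assigned after creation on purpose: a nested class body cannot
# see names bound in an enclosing class body, so when this block is itself
# the body of a Structure subclass the reference to _IDEAL_PROCESSOR_BYTES
# has to be made from this scope.  ctypes finalizes the union layout (and
# applies _anonymous_) at this assignment.
_IDEAL_PROCESSOR_UNION._fields_ = [
    ("CurrentIdealProcessor", PROCESSOR_NUMBER),
    ("IdealProcessorValue", DWORD),
    ("s", _IDEAL_PROCESSOR_BYTES),
]

_pack_ = 8   # same packing the public TEB class defaults to below
_anonymous_ = ("u",)   # expose the union members as direct attributes
_fields_ = [
    ("NtTib", NT_TIB),
    ("EnvironmentPointer", PVOID),
    ("ClientId", CLIENT_ID),
    ("ActiveRpcHandle", HANDLE),
    ("ThreadLocalStoragePointer", PVOID),
    ("ProcessEnvironmentBlock", PVOID), # PPEB
    ("LastErrorValue", DWORD),
    ("CountOfOwnedCriticalSections", DWORD),
    ("CsrClientThread", PVOID),
    ("Win32ThreadInfo", PVOID),
    ("User32Reserved", DWORD * 26),
    ("UserReserved", DWORD * 5),
    ("WOW32Reserved", PVOID), # ptr to wow64cpu!X86SwitchTo64BitMode
    ("CurrentLocale", DWORD),
    ("FpSoftwareStatusRegister", DWORD),
    ("SystemReserved1", PVOID * 54),
    ("ExceptionCode", SDWORD),
    ("ActivationContextStackPointer", PVOID), # PACTIVATION_CONTEXT_STACK
    ("SpareBytes", UCHAR * 36),   # [36] UChar at +0x1ac; TxFsContext follows at +0x1d0
    ("TxFsContext", DWORD),
    ("GdiTebBatch", GDI_TEB_BATCH),
    ("RealClientId", CLIENT_ID),
    ("GdiCachedProcessHandle", HANDLE),
    ("GdiClientPID", DWORD),
    ("GdiClientTID", DWORD),
    ("GdiThreadLocalInfo", PVOID),
    ("Win32ClientInfo", DWORD * 62),
    ("glDispatchTable", PVOID * 233),
    ("glReserved1", DWORD * 29),
    ("glReserved2", PVOID),
    ("glSectionInfo", PVOID),
    ("glSection", PVOID),
    ("glTable", PVOID),
    ("glCurrentRC", PVOID),
    ("glContext", PVOID),
    ("LastStatusValue", NTSTATUS),
    ("StaticUnicodeString", UNICODE_STRING),
    ("StaticUnicodeBuffer", WCHAR * 261),
    ("DeallocationStack", PVOID),
    ("TlsSlots", PVOID * 64),
    ("TlsLinks", LIST_ENTRY),
    ("Vdm", PVOID),
    ("ReservedForNtRpc", PVOID),
    ("DbgSsReserved", PVOID * 2),
    ("HardErrorMode", DWORD),
    ("Instrumentation", PVOID * 9),   # [9] on 32-bit, [11] on 64-bit
    ("ActivityId", GUID),
    ("SubProcessTag", PVOID),
    ("EtwLocalData", PVOID),
    ("EtwTraceData", PVOID),
    ("WinSockData", PVOID),
    ("GdiBatchCount", DWORD),
    # +0xf74: CurrentIdealProcessor / IdealProcessorValue / ReservedPad0..2,
    # IdealProcessor, all overlapping in 4 bytes (see note above).
    ("u", _IDEAL_PROCESSOR_UNION),
    ("GuaranteedStackBytes", DWORD),
    ("ReservedForPerf", PVOID),
    ("ReservedForOle", PVOID),
    ("WaitingOnLoaderLock", DWORD),
    ("SavedPriorityState", PVOID),
    ("SoftPatchPtr1", PVOID),
    ("ThreadPoolData", PVOID),
    ("TlsExpansionSlots", PVOID), # Ptr32 Ptr32 Void
    ("MuiGeneration", DWORD),   # replaces ImpersonationLocale of the Vista layout
    ("IsImpersonating", BOOL),
    ("NlsCache", PVOID),
    ("pShimData", PVOID),
    ("HeapVirtualAffinity", DWORD),
    ("CurrentTransactionHandle", HANDLE),
    ("ActiveFrame", PVOID), # PTEB_ACTIVE_FRAME
    ("FlsData", PVOID),
    ("PreferredLanguages", PVOID),
    ("UserPrefLanguages", PVOID),
    ("MergedPrefLanguages", PVOID),
    ("MuiImpersonation", BOOL),
    # The dump shows CrossTebFlags/SameTebFlags as Uint2B bit containers;
    # the individual bits are not modelled, read them off the WORDs.
    ("CrossTebFlags", WORD),
    ("SameTebFlags", WORD),
    ("TxnScopeEnterCallback", PVOID),
    ("TxnScopeExitCallback", PVOID),
    ("TxnScopeContext", PVOID),
    ("LockCount", DWORD),
    ("SpareUlong0", ULONG),
    ("ResourceRetValue", PVOID),
]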
3186
3187 # +0x000 NtTib : _NT_TIB
3188 # +0x038 EnvironmentPointer : Ptr64 Void
3189 # +0x040 ClientId : _CLIENT_ID
3190 # +0x050 ActiveRpcHandle : Ptr64 Void
3191 # +0x058 ThreadLocalStoragePointer : Ptr64 Void
3192 # +0x060 ProcessEnvironmentBlock : Ptr64 _PEB
3193 # +0x068 LastErrorValue : Uint4B
3194 # +0x06c CountOfOwnedCriticalSections : Uint4B
3195 # +0x070 CsrClientThread : Ptr64 Void
3196 # +0x078 Win32ThreadInfo : Ptr64 Void
3197 # +0x080 User32Reserved : [26] Uint4B
3198 # +0x0e8 UserReserved : [5] Uint4B
3199 # +0x100 WOW32Reserved : Ptr64 Void
3200 # +0x108 CurrentLocale : Uint4B
3201 # +0x10c FpSoftwareStatusRegister : Uint4B
3202 # +0x110 SystemReserved1 : [54] Ptr64 Void
3203 # +0x2c0 ExceptionCode : Int4B
3204 # +0x2c8 ActivationContextStackPointer : Ptr64 _ACTIVATION_CONTEXT_STACK
3205 # +0x2d0 SpareBytes : [24] UChar
3206 # +0x2e8 TxFsContext : Uint4B
3207 # +0x2f0 GdiTebBatch : _GDI_TEB_BATCH
3208 # +0x7d8 RealClientId : _CLIENT_ID
3209 # +0x7e8 GdiCachedProcessHandle : Ptr64 Void
3210 # +0x7f0 GdiClientPID : Uint4B
3211 # +0x7f4 GdiClientTID : Uint4B
3212 # +0x7f8 GdiThreadLocalInfo : Ptr64 Void
3213 # +0x800 Win32ClientInfo : [62] Uint8B
3214 # +0x9f0 glDispatchTable : [233] Ptr64 Void
3215 # +0x1138 glReserved1 : [29] Uint8B
3216 # +0x1220 glReserved2 : Ptr64 Void
3217 # +0x1228 glSectionInfo : Ptr64 Void
3218 # +0x1230 glSection : Ptr64 Void
3219 # +0x1238 glTable : Ptr64 Void
3220 # +0x1240 glCurrentRC : Ptr64 Void
3221 # +0x1248 glContext : Ptr64 Void
3222 # +0x1250 LastStatusValue : Uint4B
3223 # +0x1258 StaticUnicodeString : _UNICODE_STRING
3224 # +0x1268 StaticUnicodeBuffer : [261] Wchar
3225 # +0x1478 DeallocationStack : Ptr64 Void
3226 # +0x1480 TlsSlots : [64] Ptr64 Void
3227 # +0x1680 TlsLinks : _LIST_ENTRY
3228 # +0x1690 Vdm : Ptr64 Void
3229 # +0x1698 ReservedForNtRpc : Ptr64 Void
3230 # +0x16a0 DbgSsReserved : [2] Ptr64 Void
3231 # +0x16b0 HardErrorMode : Uint4B
3232 # +0x16b8 Instrumentation : [11] Ptr64 Void
3233 # +0x1710 ActivityId : _GUID
3234 # +0x1720 SubProcessTag : Ptr64 Void
3235 # +0x1728 EtwLocalData : Ptr64 Void
3236 # +0x1730 EtwTraceData : Ptr64 Void
3237 # +0x1738 WinSockData : Ptr64 Void
3238 # +0x1740 GdiBatchCount : Uint4B
3239 # +0x1744 CurrentIdealProcessor : _PROCESSOR_NUMBER
3240 # +0x1744 IdealProcessorValue : Uint4B
3241 # +0x1744 ReservedPad0 : UChar
3242 # +0x1745 ReservedPad1 : UChar
3243 # +0x1746 ReservedPad2 : UChar
3244 # +0x1747 IdealProcessor : UChar
3245 # +0x1748 GuaranteedStackBytes : Uint4B
3246 # +0x1750 ReservedForPerf : Ptr64 Void
3247 # +0x1758 ReservedForOle : Ptr64 Void
3248 # +0x1760 WaitingOnLoaderLock : Uint4B
3249 # +0x1768 SavedPriorityState : Ptr64 Void
3250 # +0x1770 SoftPatchPtr1 : Uint8B
3251 # +0x1778 ThreadPoolData : Ptr64 Void
3252 # +0x1780 TlsExpansionSlots : Ptr64 Ptr64 Void
3253 # +0x1788 DeallocationBStore : Ptr64 Void
3254 # +0x1790 BStoreLimit : Ptr64 Void
3255 # +0x1798 MuiGeneration : Uint4B
3256 # +0x179c IsImpersonating : Uint4B
3257 # +0x17a0 NlsCache : Ptr64 Void
3258 # +0x17a8 pShimData : Ptr64 Void
3259 # +0x17b0 HeapVirtualAffinity : Uint4B
3260 # +0x17b8 CurrentTransactionHandle : Ptr64 Void
3261 # +0x17c0 ActiveFrame : Ptr64 _TEB_ACTIVE_FRAME
3262 # +0x17c8 FlsData : Ptr64 Void
3263 # +0x17d0 PreferredLanguages : Ptr64 Void
3264 # +0x17d8 UserPrefLanguages : Ptr64 Void
3265 # +0x17e0 MergedPrefLanguages : Ptr64 Void
3266 # +0x17e8 MuiImpersonation : Uint4B
3267 # +0x17ec CrossTebFlags : Uint2B
3268 # +0x17ec SpareCrossTebBits : Pos 0, 16 Bits
3269 # +0x17ee SameTebFlags : Uint2B
3270 # +0x17ee SafeThunkCall : Pos 0, 1 Bit
3271 # +0x17ee InDebugPrint : Pos 1, 1 Bit
3272 # +0x17ee HasFiberData : Pos 2, 1 Bit
3273 # +0x17ee SkipThreadAttach : Pos 3, 1 Bit
3274 # +0x17ee WerInShipAssertCode : Pos 4, 1 Bit
3275 # +0x17ee RanProcessInit : Pos 5, 1 Bit
3276 # +0x17ee ClonedThread : Pos 6, 1 Bit
3277 # +0x17ee SuppressDebugMsg : Pos 7, 1 Bit
3278 # +0x17ee DisableUserStackWalk : Pos 8, 1 Bit
3279 # +0x17ee RtlExceptionAttached : Pos 9, 1 Bit
3280 # +0x17ee InitialThread : Pos 10, 1 Bit
3281 # +0x17ee SpareSameTebBits : Pos 11, 5 Bits
3282 # +0x17f0 TxnScopeEnterCallback : Ptr64 Void
3283 # +0x17f8 TxnScopeExitCallback : Ptr64 Void
3284 # +0x1800 TxnScopeContext : Ptr64 Void
3285 # +0x1808 LockCount : Uint4B
3286 # +0x180c SpareUlong0 : Uint4B
3287 # +0x1810 ResourceRetValue : Ptr64 Void
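# Body of the Windows 7 / Server 2008 R2 64-bit TEB layout (the class line
# is not shown on this page; going by the aliases further down this is
# presumably _TEB_2008_R2_64, and the dump above uses Ptr64 members).
# ctypes places each field right after the previous one, subject to _pack_,
# so the list must follow the windbg dump above member by member: one
# wrongly sized field shifts the offset of every field after it.
#
# Two such fields were wrong here:
#  * Win32ClientInfo is [62] Uint8B at +0x800 in the dump, with
#    glDispatchTable at +0x9f0, i.e. 62 * 8 = 0x1f0 bytes; DWORD * 62 was
#    248 bytes short and displaced every member from glDispatchTable on.
#  * CurrentIdealProcessor, IdealProcessorValue and the four
#    ReservedPad0..IdealProcessor bytes are all listed at +0x1744: one
#    4-byte union, not six consecutive fields (12 bytes), which pushed
#    GuaranteedStackBytes (+0x1748 in the dump) and everything after it
#    8 bytes too far.
# The union below reproduces the overlap; _anonymous_ keeps every member
# name reachable directly on the structure, as before.  A class that copies
# _fields_ from here must copy _anonymous_ as well, otherwise those members
# are reachable only through the union field's own name ("u").

class _IDEAL_PROCESSOR_BYTES(Structure):
    """Byte view of the ideal-processor union: three pad bytes, then the number."""
    _fields_ = [
        ("ReservedPad0", UCHAR),
        ("ReservedPad1", UCHAR),
        ("ReservedPad2", UCHAR),
        ("IdealProcessor", UCHAR),
    ]

class _IDEAL_PROCESSOR_UNION(Union):
    """4-byte union at +0x1744: PROCESSOR_NUMBER, raw DWORD, or the byte view."""
    _anonymous_ = ("s",)

# _fields_ is assigned after creation on purpose: a nested class body cannot
# see names bound in an enclosing class body, so when this block is itself
# the body of a Structure subclass the reference to _IDEAL_PROCESSOR_BYTES
# has to be made from this scope.  ctypes finalizes the union layout (and
# applies _anonymous_) at this assignment.
_IDEAL_PROCESSOR_UNION._fields_ = [
    ("CurrentIdealProcessor", PROCESSOR_NUMBER),
    ("IdealProcessorValue", DWORD),
    ("s", _IDEAL_PROCESSOR_BYTES),
]

_pack_ = 8   # same packing the public TEB class defaults to below
_anonymous_ = ("u",)   # expose the union members as direct attributes
_fields_ = [
    ("NtTib", NT_TIB),
    ("EnvironmentPointer", PVOID),
    ("ClientId", CLIENT_ID),
    ("ActiveRpcHandle", HANDLE),
    ("ThreadLocalStoragePointer", PVOID),
    ("ProcessEnvironmentBlock", PVOID), # PPEB
    ("LastErrorValue", DWORD),
    ("CountOfOwnedCriticalSections", DWORD),
    ("CsrClientThread", PVOID),
    ("Win32ThreadInfo", PVOID),
    ("User32Reserved", DWORD * 26),
    ("UserReserved", DWORD * 5),
    ("WOW32Reserved", PVOID), # ptr to wow64cpu!X86SwitchTo64BitMode
    ("CurrentLocale", DWORD),
    ("FpSoftwareStatusRegister", DWORD),
    ("SystemReserved1", PVOID * 54),
    ("ExceptionCode", SDWORD),
    ("ActivationContextStackPointer", PVOID), # PACTIVATION_CONTEXT_STACK
    ("SpareBytes", UCHAR * 24),   # [24] UChar at +0x2d0; TxFsContext follows at +0x2e8
    ("TxFsContext", DWORD),
    ("GdiTebBatch", GDI_TEB_BATCH),
    ("RealClientId", CLIENT_ID),
    ("GdiCachedProcessHandle", HANDLE),
    ("GdiClientPID", DWORD),
    ("GdiClientTID", DWORD),
    ("GdiThreadLocalInfo", PVOID),
    # [62] Uint8B / [29] Uint8B in the dump: pointer-sized slots on 64-bit,
    # unlike the DWORD slots of the 32-bit layout (was DWORD * 62, see above).
    ("Win32ClientInfo", QWORD * 62),
    ("glDispatchTable", PVOID * 233),
    ("glReserved1", QWORD * 29),
    ("glReserved2", PVOID),
    ("glSectionInfo", PVOID),
    ("glSection", PVOID),
    ("glTable", PVOID),
    ("glCurrentRC", PVOID),
    ("glContext", PVOID),
    ("LastStatusValue", NTSTATUS),
    ("StaticUnicodeString", UNICODE_STRING),
    ("StaticUnicodeBuffer", WCHAR * 261),
    ("DeallocationStack", PVOID),
    ("TlsSlots", PVOID * 64),
    ("TlsLinks", LIST_ENTRY),
    ("Vdm", PVOID),
    ("ReservedForNtRpc", PVOID),
    ("DbgSsReserved", PVOID * 2),
    ("HardErrorMode", DWORD),
    ("Instrumentation", PVOID * 11),   # [11] on 64-bit, [9] on 32-bit
    ("ActivityId", GUID),
    ("SubProcessTag", PVOID),
    ("EtwLocalData", PVOID),
    ("EtwTraceData", PVOID),
    ("WinSockData", PVOID),
    ("GdiBatchCount", DWORD),
    # +0x1744: CurrentIdealProcessor / IdealProcessorValue / ReservedPad0..2,
    # IdealProcessor, all overlapping in 4 bytes (see note above).
    ("u", _IDEAL_PROCESSOR_UNION),
    ("GuaranteedStackBytes", DWORD),
    ("ReservedForPerf", PVOID),
    ("ReservedForOle", PVOID),
    ("WaitingOnLoaderLock", DWORD),
    ("SavedPriorityState", PVOID),
    ("SoftPatchPtr1", PVOID),   # Uint8B in the dump; pointer-sized here
    ("ThreadPoolData", PVOID),
    ("TlsExpansionSlots", PVOID), # Ptr64 Ptr64 Void
    # 64-bit only: the two BStore pointers precede MuiGeneration.
    ("DeallocationBStore", PVOID),
    ("BStoreLimit", PVOID),
    ("MuiGeneration", DWORD),   # replaces ImpersonationLocale of the Vista layout
    ("IsImpersonating", BOOL),
    ("NlsCache", PVOID),
    ("pShimData", PVOID),
    ("HeapVirtualAffinity", DWORD),
    ("CurrentTransactionHandle", HANDLE),
    ("ActiveFrame", PVOID), # PTEB_ACTIVE_FRAME
    ("FlsData", PVOID),
    ("PreferredLanguages", PVOID),
    ("UserPrefLanguages", PVOID),
    ("MergedPrefLanguages", PVOID),
    ("MuiImpersonation", BOOL),
    # The dump shows CrossTebFlags/SameTebFlags as Uint2B bit containers;
    # the individual bits are not modelled, read them off the WORDs.
    ("CrossTebFlags", WORD),
    ("SameTebFlags", WORD),
    ("TxnScopeEnterCallback", PVOID),
    ("TxnScopeExitCallback", PVOID),
    ("TxnScopeContext", PVOID),
    ("LockCount", DWORD),
    ("SpareUlong0", ULONG),
    ("ResourceRetValue", PVOID),
]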
3380
# Vista and Windows 7 use the same TEB layouts as Server 2008 and Server
# 2008 R2 respectively, so the consumer-OS names are plain aliases of the
# server-OS classes (same class objects, not copies).
_TEB_Vista, _TEB_Vista_64, _TEB_W7, _TEB_W7_64 = (
    _TEB_2008, _TEB_2008_64, _TEB_2008_R2, _TEB_2008_R2_64)
3385
3386 # Use the correct TEB structure definition.
3387 # Defaults to the latest Windows version.
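# Body of the public TEB class (the class line is not shown on this page).
# Selects the per-version layout matching the OS string from `version` and
# copies its ctypes layout attributes onto this class.  A version string not
# listed here falls through to the Windows 7 layout of the running pointer
# width, which is the newest layout defined in this file.
_pack_ = 8   # every layout from XP on packs to 8; NT and 2000 supply their own
if os == 'Windows NT':
    _teb = _TEB_NT
    _pack_ = _TEB_NT._pack_
elif os == 'Windows 2000':
    _teb = _TEB_2000
    _pack_ = _TEB_2000._pack_
elif os == 'Windows XP':
    _teb = _TEB_XP
elif os == 'Windows XP (64 bits)':
    _teb = _TEB_XP_64
elif os == 'Windows 2003':
    _teb = _TEB_2003
elif os == 'Windows 2003 (64 bits)':
    _teb = _TEB_2003_64
elif os == 'Windows 2008':
    _teb = _TEB_2008
elif os == 'Windows 2008 (64 bits)':
    _teb = _TEB_2008_64
elif os == 'Windows 2003 R2':
    _teb = _TEB_2003_R2
elif os == 'Windows 2003 R2 (64 bits)':
    _teb = _TEB_2003_R2_64
elif os == 'Windows 2008 R2':
    _teb = _TEB_2008_R2
elif os == 'Windows 2008 R2 (64 bits)':
    _teb = _TEB_2008_R2_64
elif os == 'Windows Vista':
    _teb = _TEB_Vista
elif os == 'Windows Vista (64 bits)':
    _teb = _TEB_Vista_64
elif os == 'Windows 7':
    _teb = _TEB_W7
elif os == 'Windows 7 (64 bits)':
    _teb = _TEB_W7_64
elif sizeof(SIZE_T) == sizeof(DWORD):
    _teb = _TEB_W7       # unrecognized 32-bit version: newest 32-bit layout
else:
    _teb = _TEB_W7_64    # unrecognized 64-bit version: newest 64-bit layout
_fields_ = _teb._fields_
# A per-version layout that models a nested union through _anonymous_
# exposes the union's members only on the class that declares _anonymous_;
# copying _fields_ alone would leave them reachable only through the union
# field's own name.  Copy it too; an empty tuple is a no-op for ctypes.
_anonymous_ = getattr(_teb, '_anonymous_', ())
del _teb   # keep the helper out of the class namespace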
# ctypes pointer type to the OS-specific TEB structure selected above.
PTEB = POINTER(TEB)
3429
3430 #==============================================================================
3431 # This calculates the list of exported symbols.
# Export every name bound since the earlier `_all` snapshot of the module
# namespace, keeping leading-underscore names private; the list is sorted
# so the generated API listing is stable.
_all = set(vars()) - _all
__all__ = sorted([_x for _x in _all if not _x.startswith('_')])
3435 #==============================================================================
3436