mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-12 05:15:28 +00:00
900263ea6f
n/a
435 lines
11 KiB
C
435 lines
11 KiB
C
/*
|
|
* This file is part of the Process Hacker project - https://processhacker.sourceforge.io/
|
|
*
|
|
* You can redistribute this file and/or modify it under the terms of the
|
|
* Attribution 4.0 International (CC BY 4.0) license.
|
|
*
|
|
* You must give appropriate credit, provide a link to the license, and
|
|
* indicate if changes were made. You may do so in any reasonable manner, but
|
|
* not in any way that suggests the licensor endorses you or your use.
|
|
*/
|
|
|
|
#ifndef _NTPEBTEB_H
|
|
#define _NTPEBTEB_H
|
|
|
|
typedef struct _RTL_USER_PROCESS_PARAMETERS *PRTL_USER_PROCESS_PARAMETERS;
|
|
typedef struct _RTL_CRITICAL_SECTION *PRTL_CRITICAL_SECTION;
|
|
|
|
// private
|
|
typedef struct _ACTIVATION_CONTEXT_STACK
|
|
{
|
|
struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* ActiveFrame;
|
|
LIST_ENTRY FrameListCache;
|
|
ULONG Flags;
|
|
ULONG NextCookieSequenceNumber;
|
|
ULONG StackId;
|
|
} ACTIVATION_CONTEXT_STACK, *PACTIVATION_CONTEXT_STACK;
|
|
|
|
// private
|
|
typedef struct _API_SET_NAMESPACE
|
|
{
|
|
ULONG Version;
|
|
ULONG Size;
|
|
ULONG Flags;
|
|
ULONG Count;
|
|
ULONG EntryOffset;
|
|
ULONG HashOffset;
|
|
ULONG HashFactor;
|
|
} API_SET_NAMESPACE, *PAPI_SET_NAMESPACE;
|
|
|
|
// private
|
|
typedef struct _API_SET_HASH_ENTRY
|
|
{
|
|
ULONG Hash;
|
|
ULONG Index;
|
|
} API_SET_HASH_ENTRY, *PAPI_SET_HASH_ENTRY;
|
|
|
|
// private
|
|
typedef struct _API_SET_NAMESPACE_ENTRY
|
|
{
|
|
ULONG Flags;
|
|
ULONG NameOffset;
|
|
ULONG NameLength;
|
|
ULONG HashedLength;
|
|
ULONG ValueOffset;
|
|
ULONG ValueCount;
|
|
} API_SET_NAMESPACE_ENTRY, *PAPI_SET_NAMESPACE_ENTRY;
|
|
|
|
// private
|
|
typedef struct _API_SET_VALUE_ENTRY
|
|
{
|
|
ULONG Flags;
|
|
ULONG NameOffset;
|
|
ULONG NameLength;
|
|
ULONG ValueOffset;
|
|
ULONG ValueLength;
|
|
} API_SET_VALUE_ENTRY, *PAPI_SET_VALUE_ENTRY;
|
|
|
|
// symbols
|
|
typedef struct _PEB
|
|
{
|
|
BOOLEAN InheritedAddressSpace;
|
|
BOOLEAN ReadImageFileExecOptions;
|
|
BOOLEAN BeingDebugged;
|
|
union
|
|
{
|
|
BOOLEAN BitField;
|
|
struct
|
|
{
|
|
BOOLEAN ImageUsesLargePages : 1;
|
|
BOOLEAN IsProtectedProcess : 1;
|
|
BOOLEAN IsImageDynamicallyRelocated : 1;
|
|
BOOLEAN SkipPatchingUser32Forwarders : 1;
|
|
BOOLEAN IsPackagedProcess : 1;
|
|
BOOLEAN IsAppContainer : 1;
|
|
BOOLEAN IsProtectedProcessLight : 1;
|
|
BOOLEAN IsLongPathAwareProcess : 1;
|
|
};
|
|
};
|
|
|
|
HANDLE Mutant;
|
|
|
|
PVOID ImageBaseAddress;
|
|
PPEB_LDR_DATA Ldr;
|
|
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
|
|
PVOID SubSystemData;
|
|
PVOID ProcessHeap;
|
|
PRTL_CRITICAL_SECTION FastPebLock;
|
|
PVOID IFEOKey;
|
|
PSLIST_HEADER AtlThunkSListPtr;
|
|
union
|
|
{
|
|
ULONG CrossProcessFlags;
|
|
struct
|
|
{
|
|
ULONG ProcessInJob : 1;
|
|
ULONG ProcessInitializing : 1;
|
|
ULONG ProcessUsingVEH : 1;
|
|
ULONG ProcessUsingVCH : 1;
|
|
ULONG ProcessUsingFTH : 1;
|
|
ULONG ProcessPreviouslyThrottled : 1;
|
|
ULONG ProcessCurrentlyThrottled : 1;
|
|
ULONG ProcessImagesHotPatched : 1; // REDSTONE5
|
|
ULONG ReservedBits0 : 24;
|
|
};
|
|
};
|
|
union
|
|
{
|
|
PVOID KernelCallbackTable;
|
|
PVOID UserSharedInfoPtr;
|
|
};
|
|
ULONG SystemReserved;
|
|
ULONG AtlThunkSListPtr32;
|
|
PAPI_SET_NAMESPACE ApiSetMap;
|
|
ULONG TlsExpansionCounter;
|
|
PVOID TlsBitmap;
|
|
ULONG TlsBitmapBits[2];
|
|
|
|
PVOID ReadOnlySharedMemoryBase;
|
|
PVOID SharedData; // HotpatchInformation
|
|
PVOID *ReadOnlyStaticServerData;
|
|
|
|
PVOID AnsiCodePageData; // PCPTABLEINFO
|
|
PVOID OemCodePageData; // PCPTABLEINFO
|
|
PVOID UnicodeCaseTableData; // PNLSTABLEINFO
|
|
|
|
ULONG NumberOfProcessors;
|
|
ULONG NtGlobalFlag;
|
|
|
|
ULARGE_INTEGER CriticalSectionTimeout;
|
|
SIZE_T HeapSegmentReserve;
|
|
SIZE_T HeapSegmentCommit;
|
|
SIZE_T HeapDeCommitTotalFreeThreshold;
|
|
SIZE_T HeapDeCommitFreeBlockThreshold;
|
|
|
|
ULONG NumberOfHeaps;
|
|
ULONG MaximumNumberOfHeaps;
|
|
PVOID *ProcessHeaps; // PHEAP
|
|
|
|
PVOID GdiSharedHandleTable;
|
|
PVOID ProcessStarterHelper;
|
|
ULONG GdiDCAttributeList;
|
|
|
|
PRTL_CRITICAL_SECTION LoaderLock;
|
|
|
|
ULONG OSMajorVersion;
|
|
ULONG OSMinorVersion;
|
|
USHORT OSBuildNumber;
|
|
USHORT OSCSDVersion;
|
|
ULONG OSPlatformId;
|
|
ULONG ImageSubsystem;
|
|
ULONG ImageSubsystemMajorVersion;
|
|
ULONG ImageSubsystemMinorVersion;
|
|
ULONG_PTR ActiveProcessAffinityMask;
|
|
GDI_HANDLE_BUFFER GdiHandleBuffer;
|
|
PVOID PostProcessInitRoutine;
|
|
|
|
PVOID TlsExpansionBitmap;
|
|
ULONG TlsExpansionBitmapBits[32];
|
|
|
|
ULONG SessionId;
|
|
|
|
ULARGE_INTEGER AppCompatFlags;
|
|
ULARGE_INTEGER AppCompatFlagsUser;
|
|
PVOID pShimData;
|
|
PVOID AppCompatInfo; // APPCOMPAT_EXE_DATA
|
|
|
|
UNICODE_STRING CSDVersion;
|
|
|
|
PVOID ActivationContextData; // ACTIVATION_CONTEXT_DATA
|
|
PVOID ProcessAssemblyStorageMap; // ASSEMBLY_STORAGE_MAP
|
|
PVOID SystemDefaultActivationContextData; // ACTIVATION_CONTEXT_DATA
|
|
PVOID SystemAssemblyStorageMap; // ASSEMBLY_STORAGE_MAP
|
|
|
|
SIZE_T MinimumStackCommit;
|
|
|
|
PVOID SparePointers[4]; // 19H1 (previously FlsCallback to FlsHighIndex)
|
|
ULONG SpareUlongs[5]; // 19H1
|
|
//PVOID* FlsCallback;
|
|
//LIST_ENTRY FlsListHead;
|
|
//PVOID FlsBitmap;
|
|
//ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)];
|
|
//ULONG FlsHighIndex;
|
|
|
|
PVOID WerRegistrationData;
|
|
PVOID WerShipAssertPtr;
|
|
PVOID pUnused; // pContextData
|
|
PVOID pImageHeaderHash;
|
|
union
|
|
{
|
|
ULONG TracingFlags;
|
|
struct
|
|
{
|
|
ULONG HeapTracingEnabled : 1;
|
|
ULONG CritSecTracingEnabled : 1;
|
|
ULONG LibLoaderTracingEnabled : 1;
|
|
ULONG SpareTracingBits : 29;
|
|
};
|
|
};
|
|
ULONGLONG CsrServerReadOnlySharedMemoryBase;
|
|
PRTL_CRITICAL_SECTION TppWorkerpListLock;
|
|
LIST_ENTRY TppWorkerpList;
|
|
PVOID WaitOnAddressHashTable[128];
|
|
PVOID TelemetryCoverageHeader; // REDSTONE3
|
|
ULONG CloudFileFlags;
|
|
ULONG CloudFileDiagFlags; // REDSTONE4
|
|
CHAR PlaceholderCompatibilityMode;
|
|
CHAR PlaceholderCompatibilityModeReserved[7];
|
|
struct _LEAP_SECOND_DATA *LeapSecondData; // REDSTONE5
|
|
union
|
|
{
|
|
ULONG LeapSecondFlags;
|
|
struct
|
|
{
|
|
ULONG SixtySecondEnabled : 1;
|
|
ULONG Reserved : 31;
|
|
};
|
|
};
|
|
ULONG NtGlobalFlag2;
|
|
} PEB, *PPEB;
|
|
|
|
#ifdef _WIN64
|
|
C_ASSERT(FIELD_OFFSET(PEB, SessionId) == 0x2C0);
|
|
//C_ASSERT(sizeof(PEB) == 0x7B0); // REDSTONE3
|
|
//C_ASSERT(sizeof(PEB) == 0x7B8); // REDSTONE4
|
|
C_ASSERT(sizeof(PEB) == 0x7C8); // REDSTONE5 // 19H1
|
|
#else
|
|
C_ASSERT(FIELD_OFFSET(PEB, SessionId) == 0x1D4);
|
|
//C_ASSERT(sizeof(PEB) == 0x468); // REDSTONE3
|
|
//C_ASSERT(sizeof(PEB) == 0x470); // REDSTONE4
|
|
C_ASSERT(sizeof(PEB) == 0x480); // REDSTONE5 // 19H1
|
|
#endif
|
|
|
|
#define GDI_BATCH_BUFFER_SIZE 310
|
|
|
|
typedef struct _GDI_TEB_BATCH
|
|
{
|
|
ULONG Offset;
|
|
ULONG_PTR HDC;
|
|
ULONG Buffer[GDI_BATCH_BUFFER_SIZE];
|
|
} GDI_TEB_BATCH, *PGDI_TEB_BATCH;
|
|
|
|
typedef struct _TEB_ACTIVE_FRAME_CONTEXT
|
|
{
|
|
ULONG Flags;
|
|
PSTR FrameName;
|
|
} TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT;
|
|
|
|
typedef struct _TEB_ACTIVE_FRAME
|
|
{
|
|
ULONG Flags;
|
|
struct _TEB_ACTIVE_FRAME *Previous;
|
|
PTEB_ACTIVE_FRAME_CONTEXT Context;
|
|
} TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME;
|
|
|
|
typedef struct _TEB
|
|
{
|
|
NT_TIB NtTib;
|
|
|
|
PVOID EnvironmentPointer;
|
|
CLIENT_ID ClientId;
|
|
PVOID ActiveRpcHandle;
|
|
PVOID ThreadLocalStoragePointer;
|
|
PPEB ProcessEnvironmentBlock;
|
|
|
|
ULONG LastErrorValue;
|
|
ULONG CountOfOwnedCriticalSections;
|
|
PVOID CsrClientThread;
|
|
PVOID Win32ThreadInfo;
|
|
ULONG User32Reserved[26];
|
|
ULONG UserReserved[5];
|
|
PVOID WOW32Reserved;
|
|
LCID CurrentLocale;
|
|
ULONG FpSoftwareStatusRegister;
|
|
PVOID ReservedForDebuggerInstrumentation[16];
|
|
#ifdef _WIN64
|
|
PVOID SystemReserved1[30];
|
|
#else
|
|
PVOID SystemReserved1[26];
|
|
#endif
|
|
|
|
CHAR PlaceholderCompatibilityMode;
|
|
CHAR PlaceholderReserved[11];
|
|
ULONG ProxiedProcessId;
|
|
ACTIVATION_CONTEXT_STACK ActivationStack;
|
|
|
|
UCHAR WorkingOnBehalfTicket[8];
|
|
NTSTATUS ExceptionCode;
|
|
|
|
PACTIVATION_CONTEXT_STACK ActivationContextStackPointer;
|
|
ULONG_PTR InstrumentationCallbackSp;
|
|
ULONG_PTR InstrumentationCallbackPreviousPc;
|
|
ULONG_PTR InstrumentationCallbackPreviousSp;
|
|
#ifdef _WIN64
|
|
ULONG TxFsContext;
|
|
#endif
|
|
|
|
BOOLEAN InstrumentationCallbackDisabled;
|
|
#ifndef _WIN64
|
|
UCHAR SpareBytes[23];
|
|
ULONG TxFsContext;
|
|
#endif
|
|
GDI_TEB_BATCH GdiTebBatch;
|
|
CLIENT_ID RealClientId;
|
|
HANDLE GdiCachedProcessHandle;
|
|
ULONG GdiClientPID;
|
|
ULONG GdiClientTID;
|
|
PVOID GdiThreadLocalInfo;
|
|
ULONG_PTR Win32ClientInfo[62];
|
|
PVOID glDispatchTable[233];
|
|
ULONG_PTR glReserved1[29];
|
|
PVOID glReserved2;
|
|
PVOID glSectionInfo;
|
|
PVOID glSection;
|
|
PVOID glTable;
|
|
PVOID glCurrentRC;
|
|
PVOID glContext;
|
|
|
|
NTSTATUS LastStatusValue;
|
|
UNICODE_STRING StaticUnicodeString;
|
|
WCHAR StaticUnicodeBuffer[261];
|
|
|
|
PVOID DeallocationStack;
|
|
PVOID TlsSlots[64];
|
|
LIST_ENTRY TlsLinks;
|
|
|
|
PVOID Vdm;
|
|
PVOID ReservedForNtRpc;
|
|
PVOID DbgSsReserved[2];
|
|
|
|
ULONG HardErrorMode;
|
|
#ifdef _WIN64
|
|
PVOID Instrumentation[11];
|
|
#else
|
|
PVOID Instrumentation[9];
|
|
#endif
|
|
GUID ActivityId;
|
|
|
|
PVOID SubProcessTag;
|
|
PVOID PerflibData;
|
|
PVOID EtwTraceData;
|
|
PVOID WinSockData;
|
|
ULONG GdiBatchCount;
|
|
|
|
union
|
|
{
|
|
PROCESSOR_NUMBER CurrentIdealProcessor;
|
|
ULONG IdealProcessorValue;
|
|
struct
|
|
{
|
|
UCHAR ReservedPad0;
|
|
UCHAR ReservedPad1;
|
|
UCHAR ReservedPad2;
|
|
UCHAR IdealProcessor;
|
|
};
|
|
};
|
|
|
|
ULONG GuaranteedStackBytes;
|
|
PVOID ReservedForPerf;
|
|
PVOID ReservedForOle;
|
|
ULONG WaitingOnLoaderLock;
|
|
PVOID SavedPriorityState;
|
|
ULONG_PTR ReservedForCodeCoverage;
|
|
PVOID ThreadPoolData;
|
|
PVOID *TlsExpansionSlots;
|
|
#ifdef _WIN64
|
|
PVOID DeallocationBStore;
|
|
PVOID BStoreLimit;
|
|
#endif
|
|
ULONG MuiGeneration;
|
|
ULONG IsImpersonating;
|
|
PVOID NlsCache;
|
|
PVOID pShimData;
|
|
USHORT HeapVirtualAffinity;
|
|
USHORT LowFragHeapDataSlot;
|
|
HANDLE CurrentTransactionHandle;
|
|
PTEB_ACTIVE_FRAME ActiveFrame;
|
|
PVOID FlsData;
|
|
|
|
PVOID PreferredLanguages;
|
|
PVOID UserPrefLanguages;
|
|
PVOID MergedPrefLanguages;
|
|
ULONG MuiImpersonation;
|
|
|
|
union
|
|
{
|
|
USHORT CrossTebFlags;
|
|
USHORT SpareCrossTebBits : 16;
|
|
};
|
|
union
|
|
{
|
|
USHORT SameTebFlags;
|
|
struct
|
|
{
|
|
USHORT SafeThunkCall : 1;
|
|
USHORT InDebugPrint : 1;
|
|
USHORT HasFiberData : 1;
|
|
USHORT SkipThreadAttach : 1;
|
|
USHORT WerInShipAssertCode : 1;
|
|
USHORT RanProcessInit : 1;
|
|
USHORT ClonedThread : 1;
|
|
USHORT SuppressDebugMsg : 1;
|
|
USHORT DisableUserStackWalk : 1;
|
|
USHORT RtlExceptionAttached : 1;
|
|
USHORT InitialThread : 1;
|
|
USHORT SessionAware : 1;
|
|
USHORT LoadOwner : 1;
|
|
USHORT LoaderWorker : 1;
|
|
USHORT SkipLoaderInit : 1;
|
|
USHORT SpareSameTebBits : 1;
|
|
};
|
|
};
|
|
|
|
PVOID TxnScopeEnterCallback;
|
|
PVOID TxnScopeExitCallback;
|
|
PVOID TxnScopeContext;
|
|
ULONG LockCount;
|
|
LONG WowTebOffset;
|
|
PVOID ResourceRetValue;
|
|
PVOID ReservedForWdf;
|
|
ULONGLONG ReservedForCrt;
|
|
GUID EffectiveContainerId;
|
|
} TEB, *PTEB;
|
|
|
|
#endif
|