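use core::mem::size_of;
use crate::ntapi_base::CLIENT_ID32;
use crate::ntldr::{LDR_DDAG_STATE, LDR_DLL_LOAD_REASON};
use crate::ntpsapi::GDI_HANDLE_BUFFER32;
use crate::ntrtl::RTL_MAX_DRIVE_LETTERS;
use crate::string::{UTF16Const, UTF8Const};
use winapi::shared::guiddef::GUID;
use winapi::shared::ntdef::{
    BOOLEAN, CHAR, LARGE_INTEGER, LCID, LIST_ENTRY32, LONG, NTSTATUS, PROCESSOR_NUMBER,
    SINGLE_LIST_ENTRY32, STRING32, UCHAR, ULARGE_INTEGER, ULONG, ULONGLONG, UNICODE_STRING,
    UNICODE_STRING32, USHORT, WCHAR,
};
use winapi::um::winnt::{FLS_MAXIMUM_AVAILABLE, NT_TIB32};
// 32-bit (WOW64) layouts of the loader, PEB and TEB structures.
//
// Every pointer-sized field of the native structure is carried here as a
// `ULONG` and tagged `// WOW64_POINTER`; such a value is a 32-bit address that
// is only meaningful inside the address space it was read from.  These
// layouts track a specific generation of Windows (see the
// `LDR_DATA_TABLE_ENTRY_SIZE_*_32` constants below): when they are overlaid on
// memory read out of another process, treat every length, count and pointer
// as untrusted input and bound accesses by what the target's OS version
// actually provides before dereferencing anything.
/// "SysWOW64" as a NUL-terminated UTF-8 constant.
pub const WOW64_SYSTEM_DIRECTORY: UTF8Const = UTF8Const("SysWOW64\0");
/// "SysWOW64"
pub const WOW64_SYSTEM_DIRECTORY_U: UTF16Const = UTF16Const(&[
    0x0053, 0x0079, 0x0073, 0x0057, 0x004F, 0x0057, 0x0036, 0x0034, 0u16,
]);
/// " (x86)" as a NUL-terminated UTF-8 constant.
pub const WOW64_X86_TAG: UTF8Const = UTF8Const(" (x86)\0");
/// " (x86)"
pub const WOW64_X86_TAG_U: UTF16Const = UTF16Const(&[
    0x0020, 0x0028, 0x0078, 0x0038, 0x0036, 0x0029, 0u16,
]);
// Indices into the WOW64 shared-information page; the last variant is the
// entry count, not a slot.
ENUM!{enum WOW64_SHARED_INFORMATION {
    SharedNtdll32LdrInitializeThunk = 0,
    SharedNtdll32KiUserExceptionDispatcher = 1,
    SharedNtdll32KiUserApcDispatcher = 2,
    SharedNtdll32KiUserCallbackDispatcher = 3,
    SharedNtdll32ExpInterlockedPopEntrySListFault = 4,
    SharedNtdll32ExpInterlockedPopEntrySListResume = 5,
    SharedNtdll32ExpInterlockedPopEntrySListEnd = 6,
    SharedNtdll32RtlUserThreadStart = 7,
    SharedNtdll32pQueryProcessDebugInformationRemote = 8,
    SharedNtdll32BaseAddress = 9,
    SharedNtdll32LdrSystemDllInitBlock = 10,
    Wow64SharedPageEntriesCount = 11,
}}
// 32-bit RTL_BALANCED_NODE: two child links, either named or as an array.
STRUCT!{struct RTL_BALANCED_NODE32_u_s {
    Left: ULONG, // WOW64_POINTER
    Right: ULONG, // WOW64_POINTER
}}
UNION!{union RTL_BALANCED_NODE32_u {
    Children: [ULONG; 2], // WOW64_POINTER
    s: RTL_BALANCED_NODE32_u_s,
}}
STRUCT!{struct RTL_BALANCED_NODE32 {
    u: RTL_BALANCED_NODE32_u,
    ParentValue: ULONG,
}}
pub type PRTL_BALANCED_NODE32 = *mut RTL_BALANCED_NODE32;
// 32-bit RTL_RB_TREE header.
STRUCT!{struct RTL_RB_TREE32 {
    Root: ULONG, // WOW64_POINTER
    Min: ULONG, // WOW64_POINTER
}}
pub type PRTL_RB_TREE32 = *mut RTL_RB_TREE32;
// 32-bit PEB_LDR_DATA: the three module lists are LIST_ENTRY32 heads whose
// links are 32-bit addresses.
STRUCT!{struct PEB_LDR_DATA32 {
    Length: ULONG,
    Initialized: BOOLEAN,
    SsHandle: ULONG,
    InLoadOrderModuleList: LIST_ENTRY32,
    InMemoryOrderModuleList: LIST_ENTRY32,
    InInitializationOrderModuleList: LIST_ENTRY32,
    EntryInProgress: ULONG,
    ShutdownInProgress: BOOLEAN,
    ShutdownThreadId: ULONG,
}}
pub type PPEB_LDR_DATA32 = *mut PEB_LDR_DATA32;
STRUCT!{struct LDR_SERVICE_TAG_RECORD32 {
    Next: ULONG,
    ServiceTag: ULONG,
}}
pub type PLDR_SERVICE_TAG_RECORD32 = *mut LDR_SERVICE_TAG_RECORD32;
STRUCT!{struct LDRP_CSLIST32 {
    Tail: ULONG, // WOW64_POINTER
}}
pub type PLDRP_CSLIST32 = *mut LDRP_CSLIST32;
UNION!{union LDR_DDAG_NODE32_u {
    Dependencies: LDRP_CSLIST32,
    RemovalLink: SINGLE_LIST_ENTRY32,
}}
STRUCT!{struct LDR_DDAG_NODE32 {
    Modules: LIST_ENTRY32,
    ServiceTagList: ULONG, // WOW64_POINTER
    LoadCount: ULONG,
    LoadWhileUnloadingCount: ULONG,
    LowestLink: ULONG,
    u: LDR_DDAG_NODE32_u,
    IncomingDependencies: LDRP_CSLIST32,
    State: LDR_DDAG_STATE,
    CondenseLink: SINGLE_LIST_ENTRY32,
    PreorderNumber: ULONG,
}}
pub type PLDR_DDAG_NODE32 = *mut LDR_DDAG_NODE32;
/// Size of the 32-bit `LDR_DATA_TABLE_ENTRY` on the named OS generation.
///
/// `LDR_DATA_TABLE_ENTRY32` below describes the newest layout; when walking
/// loader entries of a process on an older OS, fields past the size valid for
/// that OS do not exist and must not be read.
pub const LDR_DATA_TABLE_ENTRY_SIZE_WINXP_32: usize = 80;
/// See `LDR_DATA_TABLE_ENTRY_SIZE_WINXP_32`.
pub const LDR_DATA_TABLE_ENTRY_SIZE_WIN7_32: usize = 144;
/// See `LDR_DATA_TABLE_ENTRY_SIZE_WINXP_32`.
pub const LDR_DATA_TABLE_ENTRY_SIZE_WIN8_32: usize = 152;
UNION!{union LDR_DATA_TABLE_ENTRY32_u1 {
    InInitializationOrderLinks: LIST_ENTRY32,
    InProgressLinks: LIST_ENTRY32,
}}
// `Flags` is decoded by the BITFIELD! accessors further down.
UNION!{union LDR_DATA_TABLE_ENTRY32_u2 {
    FlagGroup: [UCHAR; 4],
    Flags: ULONG,
}}
// 32-bit LDR_DATA_TABLE_ENTRY (newest layout; see the SIZE_* constants).
STRUCT!{struct LDR_DATA_TABLE_ENTRY32 {
    InLoadOrderLinks: LIST_ENTRY32,
    InMemoryOrderLinks: LIST_ENTRY32,
    u1: LDR_DATA_TABLE_ENTRY32_u1,
    DllBase: ULONG, // WOW64_POINTER
    EntryPoint: ULONG, // WOW64_POINTER
    SizeOfImage: ULONG,
    FullDllName: UNICODE_STRING32,
    BaseDllName: UNICODE_STRING32,
    u2: LDR_DATA_TABLE_ENTRY32_u2,
    ObsoleteLoadCount: USHORT,
    TlsIndex: USHORT,
    HashLinks: LIST_ENTRY32,
    TimeDateStamp: ULONG,
    EntryPointActivationContext: ULONG, // WOW64_POINTER
    Lock: ULONG, // WOW64_POINTER
    DdagNode: ULONG, // WOW64_POINTER
    NodeModuleLink: LIST_ENTRY32,
    LoadContext: ULONG, // WOW64_POINTER
    ParentDllBase: ULONG, // WOW64_POINTER
    SwitchBackContext: ULONG, // WOW64_POINTER
    BaseAddressIndexNode: RTL_BALANCED_NODE32,
    MappingInfoIndexNode: RTL_BALANCED_NODE32,
    OriginalBase: ULONG,
    LoadTime: LARGE_INTEGER,
    BaseNameHashValue: ULONG,
    LoadReason: LDR_DLL_LOAD_REASON,
    ImplicitPathOptions: ULONG,
    ReferenceCount: ULONG,
    DependentLoadFlags: ULONG,
    SigningLevel: UCHAR,
}}
// Bit accessors for LDR_DATA_TABLE_ENTRY32_u2::Flags (unsafe: union field).
BITFIELD!{unsafe LDR_DATA_TABLE_ENTRY32_u2 Flags: ULONG [
    PackagedBinary set_PackagedBinary[0..1],
    MarkedForRemoval set_MarkedForRemoval[1..2],
    ImageDll set_ImageDll[2..3],
    LoadNotificationsSent set_LoadNotificationsSent[3..4],
    TelemetryEntryProcessed set_TelemetryEntryProcessed[4..5],
    ProcessStaticImport set_ProcessStaticImport[5..6],
    InLegacyLists set_InLegacyLists[6..7],
    InIndexes set_InIndexes[7..8],
    ShimDll set_ShimDll[8..9],
    InExceptionTable set_InExceptionTable[9..10],
    ReservedFlags1 set_ReservedFlags1[10..12],
    LoadInProgress set_LoadInProgress[12..13],
    LoadConfigProcessed set_LoadConfigProcessed[13..14],
    EntryProcessed set_EntryProcessed[14..15],
    ProtectDelayLoad set_ProtectDelayLoad[15..16],
    ReservedFlags3 set_ReservedFlags3[16..18],
    DontCallForThreads set_DontCallForThreads[18..19],
    ProcessAttachCalled set_ProcessAttachCalled[19..20],
    ProcessAttachFailed set_ProcessAttachFailed[20..21],
    CorDeferredValidate set_CorDeferredValidate[21..22],
    CorImage set_CorImage[22..23],
    DontRelocate set_DontRelocate[23..24],
    CorILOnly set_CorILOnly[24..25],
    ReservedFlags5 set_ReservedFlags5[25..28],
    Redirected set_Redirected[28..29],
    ReservedFlags6 set_ReservedFlags6[29..31],
    CompatDatabaseProcessed set_CompatDatabaseProcessed[31..32],
]}
pub type PLDR_DATA_TABLE_ENTRY32 = *mut LDR_DATA_TABLE_ENTRY32;
// 32-bit CURDIR.
STRUCT!{struct CURDIR32 {
    DosPath: UNICODE_STRING32,
    Handle: ULONG, // WOW64_POINTER
}}
pub type PCURDIR32 = *mut CURDIR32;
// 32-bit RTL_DRIVE_LETTER_CURDIR.
STRUCT!{struct RTL_DRIVE_LETTER_CURDIR32 {
    Flags: USHORT,
    Length: USHORT,
    TimeStamp: ULONG,
    DosPath: STRING32,
}}
pub type PRTL_DRIVE_LETTER_CURDIR32 = *mut RTL_DRIVE_LETTER_CURDIR32;
// 32-bit RTL_USER_PROCESS_PARAMETERS.  The UNICODE_STRING32 members carry
// 32-bit buffer addresses; when read from another process their Length and
// Buffer are attacker-influenced and need bounds checks before use.
STRUCT!{struct RTL_USER_PROCESS_PARAMETERS32 {
    MaximumLength: ULONG,
    Length: ULONG,
    Flags: ULONG,
    DebugFlags: ULONG,
    ConsoleHandle: ULONG, // WOW64_POINTER
    ConsoleFlags: ULONG,
    StandardInput: ULONG, // WOW64_POINTER
    StandardOutput: ULONG, // WOW64_POINTER
    StandardError: ULONG, // WOW64_POINTER
    CurrentDirectory: CURDIR32,
    DllPath: UNICODE_STRING32,
    ImagePathName: UNICODE_STRING32,
    CommandLine: UNICODE_STRING32,
    Environment: ULONG, // WOW64_POINTER
    StartingX: ULONG,
    StartingY: ULONG,
    CountX: ULONG,
    CountY: ULONG,
    CountCharsX: ULONG,
    CountCharsY: ULONG,
    FillAttribute: ULONG,
    WindowFlags: ULONG,
    ShowWindowFlags: ULONG,
    WindowTitle: UNICODE_STRING32,
    DesktopInfo: UNICODE_STRING32,
    ShellInfo: UNICODE_STRING32,
    RuntimeData: UNICODE_STRING32,
    CurrentDirectories: [RTL_DRIVE_LETTER_CURDIR32; RTL_MAX_DRIVE_LETTERS],
    EnvironmentSize: ULONG,
    EnvironmentVersion: ULONG,
    PackageDependencyData: ULONG, // WOW64_POINTER
    ProcessGroupId: ULONG,
    LoaderThreads: ULONG,
}}
pub type PRTL_USER_PROCESS_PARAMETERS32 = *mut RTL_USER_PROCESS_PARAMETERS32;
UNION!{union PEB32_u {
    KernelCallbackTable: ULONG, // WOW64_POINTER
    UserSharedInfoPtr: ULONG, // WOW64_POINTER
}}
// 32-bit PEB.  `BitField`, `CrossProcessFlags` and `TracingFlags` are decoded
// by the BITFIELD! accessors that follow the struct.
STRUCT!{struct PEB32 {
    InheritedAddressSpace: BOOLEAN,
    ReadImageFileExecOptions: BOOLEAN,
    BeingDebugged: BOOLEAN,
    BitField: BOOLEAN,
    Mutant: ULONG, // WOW64_POINTER
    ImageBaseAddress: ULONG, // WOW64_POINTER
    Ldr: ULONG, // WOW64_POINTER
    ProcessParameters: ULONG, // WOW64_POINTER
    SubSystemData: ULONG, // WOW64_POINTER
    ProcessHeap: ULONG, // WOW64_POINTER
    FastPebLock: ULONG, // WOW64_POINTER
    AtlThunkSListPtr: ULONG, // WOW64_POINTER
    IFEOKey: ULONG, // WOW64_POINTER
    CrossProcessFlags: ULONG,
    u: PEB32_u,
    SystemReserved: [ULONG; 1],
    AtlThunkSListPtr32: ULONG,
    ApiSetMap: ULONG, // WOW64_POINTER
    TlsExpansionCounter: ULONG,
    TlsBitmap: ULONG, // WOW64_POINTER
    TlsBitmapBits: [ULONG; 2],
    ReadOnlySharedMemoryBase: ULONG, // WOW64_POINTER
    HotpatchInformation: ULONG, // WOW64_POINTER
    ReadOnlyStaticServerData: ULONG, // WOW64_POINTER
    AnsiCodePageData: ULONG, // WOW64_POINTER
    OemCodePageData: ULONG, // WOW64_POINTER
    UnicodeCaseTableData: ULONG, // WOW64_POINTER
    NumberOfProcessors: ULONG,
    NtGlobalFlag: ULONG,
    CriticalSectionTimeout: LARGE_INTEGER,
    HeapSegmentReserve: ULONG,
    HeapSegmentCommit: ULONG,
    HeapDeCommitTotalFreeThreshold: ULONG,
    HeapDeCommitFreeBlockThreshold: ULONG,
    NumberOfHeaps: ULONG,
    MaximumNumberOfHeaps: ULONG,
    ProcessHeaps: ULONG, // WOW64_POINTER
    GdiSharedHandleTable: ULONG, // WOW64_POINTER
    ProcessStarterHelper: ULONG, // WOW64_POINTER
    GdiDCAttributeList: ULONG,
    LoaderLock: ULONG, // WOW64_POINTER
    OSMajorVersion: ULONG,
    OSMinorVersion: ULONG,
    OSBuildNumber: USHORT,
    OSCSDVersion: USHORT,
    OSPlatformId: ULONG,
    ImageSubsystem: ULONG,
    ImageSubsystemMajorVersion: ULONG,
    ImageSubsystemMinorVersion: ULONG,
    ActiveProcessAffinityMask: ULONG,
    GdiHandleBuffer: GDI_HANDLE_BUFFER32,
    PostProcessInitRoutine: ULONG, // WOW64_POINTER
    TlsExpansionBitmap: ULONG, // WOW64_POINTER
    TlsExpansionBitmapBits: [ULONG; 32],
    SessionId: ULONG,
    AppCompatFlags: ULARGE_INTEGER,
    AppCompatFlagsUser: ULARGE_INTEGER,
    pShimData: ULONG, // WOW64_POINTER
    AppCompatInfo: ULONG, // WOW64_POINTER
    CSDVersion: UNICODE_STRING32,
    ActivationContextData: ULONG, // WOW64_POINTER
    ProcessAssemblyStorageMap: ULONG, // WOW64_POINTER
    SystemDefaultActivationContextData: ULONG, // WOW64_POINTER
    SystemAssemblyStorageMap: ULONG, // WOW64_POINTER
    MinimumStackCommit: ULONG,
    FlsCallback: ULONG, // WOW64_POINTER
    FlsListHead: LIST_ENTRY32,
    FlsBitmap: ULONG, // WOW64_POINTER
    // One bit per FLS slot, packed into ULONGs.  The element type of the
    // `size_of` turbofish was missing in the previous revision, which does
    // not parse; ULONG is the bitmap word size (matches the native PEB).
    FlsBitmapBits: [ULONG; FLS_MAXIMUM_AVAILABLE as usize / (size_of::<ULONG>() * 8)],
    FlsHighIndex: ULONG,
    WerRegistrationData: ULONG, // WOW64_POINTER
    WerShipAssertPtr: ULONG, // WOW64_POINTER
    pContextData: ULONG, // WOW64_POINTER
    pImageHeaderHash: ULONG, // WOW64_POINTER
    TracingFlags: ULONG,
    CsrServerReadOnlySharedMemoryBase: ULONGLONG,
    TppWorkerpListLock: ULONG, // WOW64_POINTER
    TppWorkerpList: LIST_ENTRY32,
    WaitOnAddressHashTable: [ULONG; 128], // WOW64_POINTER
    TelemetryCoverageHeader: ULONG, // WOW64_POINTER
    CloudFileFlags: ULONG,
    CloudFileDiagFlags: ULONG,
    PlaceholderCompatibilityMode: CHAR,
    PlaceholderCompatibilityModeReserved: [CHAR; 7],
}}
// Bit accessors for PEB32::BitField.
BITFIELD!{PEB32 BitField: BOOLEAN [
    ImageUsesLargePages set_ImageUsesLargePages[0..1],
    IsProtectedProcess set_IsProtectedProcess[1..2],
    IsImageDynamicallyRelocated set_IsImageDynamicallyRelocated[2..3],
    SkipPatchingUser32Forwarders set_SkipPatchingUser32Forwarders[3..4],
    IsPackagedProcess set_IsPackagedProcess[4..5],
    IsAppContainer set_IsAppContainer[5..6],
    IsProtectedProcessLight set_IsProtectedProcessLight[6..7],
    IsLongPathAwareProcess set_IsLongPathAwareProcess[7..8],
]}
// Bit accessors for PEB32::CrossProcessFlags.
BITFIELD!{PEB32 CrossProcessFlags: ULONG [
    ProcessInJob set_ProcessInJob[0..1],
    ProcessInitializing set_ProcessInitializing[1..2],
    ProcessUsingVEH set_ProcessUsingVEH[2..3],
    ProcessUsingVCH set_ProcessUsingVCH[3..4],
    ProcessUsingFTH set_ProcessUsingFTH[4..5],
    ReservedBits0 set_ReservedBits0[5..32],
]}
// Bit accessors for PEB32::TracingFlags.
BITFIELD!{PEB32 TracingFlags: ULONG [
    HeapTracingEnabled set_HeapTracingEnabled[0..1],
    CritSecTracingEnabled set_CritSecTracingEnabled[1..2],
    LibLoaderTracingEnabled set_LibLoaderTracingEnabled[2..3],
    SpareTracingBits set_SpareTracingBits[3..32],
]}
pub type PPEB32 = *mut PEB32;
/// Number of `ULONG` entries in `GDI_TEB_BATCH32::Buffer`.
pub const GDI_BATCH_BUFFER_SIZE: usize = 310;
// 32-bit GDI_TEB_BATCH.
STRUCT!{struct GDI_TEB_BATCH32 {
    Offset: ULONG,
    HDC: ULONG,
    Buffer: [ULONG; GDI_BATCH_BUFFER_SIZE],
}}
pub type PGDI_TEB_BATCH32 = *mut GDI_TEB_BATCH32;
// Byte view of TEB32_u: the ideal processor occupies the last byte.
STRUCT!{struct TEB32_u_s {
    ReservedPad0: UCHAR,
    ReservedPad1: UCHAR,
    ReservedPad2: UCHAR,
    IdealProcessor: UCHAR,
}}
UNION!{union TEB32_u {
    CurrentIdealProcessor: PROCESSOR_NUMBER,
    IdealProcessorValue: ULONG,
    s: TEB32_u_s,
}}
// 32-bit TEB.  `SameTebFlags` is decoded by the BITFIELD! accessors that
// follow the struct.
STRUCT!{struct TEB32 {
    NtTib: NT_TIB32,
    EnvironmentPointer: ULONG, // WOW64_POINTER
    ClientId: CLIENT_ID32,
    ActiveRpcHandle: ULONG, // WOW64_POINTER
    ThreadLocalStoragePointer: ULONG, // WOW64_POINTER
    ProcessEnvironmentBlock: ULONG, // WOW64_POINTER
    LastErrorValue: ULONG,
    CountOfOwnedCriticalSections: ULONG,
    CsrClientThread: ULONG, // WOW64_POINTER
    Win32ThreadInfo: ULONG, // WOW64_POINTER
    User32Reserved: [ULONG; 26],
    UserReserved: [ULONG; 5],
    WOW32Reserved: ULONG, // WOW64_POINTER
    CurrentLocale: LCID,
    FpSoftwareStatusRegister: ULONG,
    ReservedForDebuggerInstrumentation: [ULONG; 16], // WOW64_POINTER
    SystemReserved1: [ULONG; 36], // WOW64_POINTER
    WorkingOnBehalfTicket: [UCHAR; 8],
    ExceptionCode: NTSTATUS,
    ActivationContextStackPointer: ULONG, // WOW64_POINTER
    InstrumentationCallbackSp: ULONG,
    InstrumentationCallbackPreviousPc: ULONG,
    InstrumentationCallbackPreviousSp: ULONG,
    InstrumentationCallbackDisabled: BOOLEAN,
    SpareBytes: [UCHAR; 23],
    TxFsContext: ULONG,
    GdiTebBatch: GDI_TEB_BATCH32,
    RealClientId: CLIENT_ID32,
    GdiCachedProcessHandle: ULONG, // WOW64_POINTER
    GdiClientPID: ULONG,
    GdiClientTID: ULONG,
    GdiThreadLocalInfo: ULONG, // WOW64_POINTER
    Win32ClientInfo: [ULONG; 62],
    glDispatchTable: [ULONG; 233], // WOW64_POINTER
    glReserved1: [ULONG; 29], // WOW64_POINTER
    glReserved2: ULONG, // WOW64_POINTER
    glSectionInfo: ULONG, // WOW64_POINTER
    glSection: ULONG, // WOW64_POINTER
    glTable: ULONG, // WOW64_POINTER
    glCurrentRC: ULONG, // WOW64_POINTER
    glContext: ULONG, // WOW64_POINTER
    LastStatusValue: NTSTATUS,
    StaticUnicodeString: UNICODE_STRING32,
    StaticUnicodeBuffer: [WCHAR; 261],
    DeallocationStack: ULONG, // WOW64_POINTER
    TlsSlots: [ULONG; 64], // WOW64_POINTER
    TlsLinks: LIST_ENTRY32,
    Vdm: ULONG, // WOW64_POINTER
    ReservedForNtRpc: ULONG, // WOW64_POINTER
    DbgSsReserved: [ULONG; 2], // WOW64_POINTER
    HardErrorMode: ULONG,
    Instrumentation: [ULONG; 9], // WOW64_POINTER
    ActivityId: GUID,
    SubProcessTag: ULONG, // WOW64_POINTER
    PerflibData: ULONG, // WOW64_POINTER
    EtwTraceData: ULONG, // WOW64_POINTER
    WinSockData: ULONG, // WOW64_POINTER
    GdiBatchCount: ULONG,
    u: TEB32_u,
    GuaranteedStackBytes: ULONG,
    ReservedForPerf: ULONG, // WOW64_POINTER
    ReservedForOle: ULONG, // WOW64_POINTER
    WaitingOnLoaderLock: ULONG,
    SavedPriorityState: ULONG, // WOW64_POINTER
    ReservedForCodeCoverage: ULONG,
    ThreadPoolData: ULONG, // WOW64_POINTER
    TlsExpansionSlots: ULONG, // WOW64_POINTER
    MuiGeneration: ULONG,
    IsImpersonating: ULONG,
    NlsCache: ULONG, // WOW64_POINTER
    pShimData: ULONG, // WOW64_POINTER
    HeapVirtualAffinity: USHORT,
    LowFragHeapDataSlot: USHORT,
    CurrentTransactionHandle: ULONG, // WOW64_POINTER
    ActiveFrame: ULONG, // WOW64_POINTER
    FlsData: ULONG, // WOW64_POINTER
    PreferredLanguages: ULONG, // WOW64_POINTER
    UserPrefLanguages: ULONG, // WOW64_POINTER
    MergedPrefLanguages: ULONG, // WOW64_POINTER
    MuiImpersonation: ULONG,
    CrossTebFlags: USHORT,
    SameTebFlags: USHORT,
    TxnScopeEnterCallback: ULONG, // WOW64_POINTER
    TxnScopeExitCallback: ULONG, // WOW64_POINTER
    TxnScopeContext: ULONG, // WOW64_POINTER
    LockCount: ULONG,
    WowTebOffset: LONG,
    ResourceRetValue: ULONG, // WOW64_POINTER
    ReservedForWdf: ULONG, // WOW64_POINTER
    ReservedForCrt: ULONGLONG,
    EffectiveContainerId: GUID,
}}
// Bit accessors for TEB32::SameTebFlags.
BITFIELD!{TEB32 SameTebFlags: USHORT [
    SafeThunkCall set_SafeThunkCall[0..1],
    InDebugPrint set_InDebugPrint[1..2],
    HasFiberData set_HasFiberData[2..3],
    SkipThreadAttach set_SkipThreadAttach[3..4],
    WerInShipAssertCode set_WerInShipAssertCode[4..5],
    RanProcessInit set_RanProcessInit[5..6],
    ClonedThread set_ClonedThread[6..7],
    SuppressDebugMsg set_SuppressDebugMsg[7..8],
    DisableUserStackWalk set_DisableUserStackWalk[8..9],
    RtlExceptionAttached set_RtlExceptionAttached[9..10],
    InitialThread set_InitialThread[10..11],
    SessionAware set_SessionAware[11..12],
    LoadOwner set_LoadOwner[12..13],
    LoaderWorker set_LoaderWorker[13..14],
    SpareSameTebBits set_SpareSameTebBits[14..16],
]}
pub type PTEB32 = *mut TEB32;
/// Widens a `UNICODE_STRING32` into a native `UNICODE_STRING`.
///
/// `Length` and `MaximumLength` are copied unchanged; `Buffer` is the 32-bit
/// WOW64 address zero-extended to a native pointer.  Nothing is dereferenced
/// and nothing is validated: the result aliases the source buffer and is only
/// meaningful in the address space the 32-bit address belongs to.  A string
/// read out of another process still carries attacker-influenced `Length`
/// and `Buffer` values and must be bounds-checked by the caller before use.
#[inline]
pub fn UStr32ToUStr(
    Destination: &mut UNICODE_STRING,
    Source: &UNICODE_STRING32,
) {
    Destination.Length = Source.Length;
    Destination.MaximumLength = Source.MaximumLength;
    // u32 -> pointer cast zero-extends; no high bits can be introduced.
    Destination.Buffer = Source.Buffer as *mut u16;
}
/// Narrows a native `UNICODE_STRING` into a `UNICODE_STRING32`.
///
/// `Length` and `MaximumLength` are copied unchanged; `Buffer` is truncated
/// to its low 32 bits, because a WOW64 pointer can only address the first
/// 4 GiB.  A native buffer that lives above that range cannot be represented
/// and the truncated address would silently point somewhere else, so the
/// narrowing is checked in debug builds.  Release builds keep the historical
/// unchecked behaviour; callers must only pass buffers allocated in the low
/// 32-bit address space.
#[inline]
pub fn UStrToUStr32(
    Destination: &mut UNICODE_STRING32,
    Source: &UNICODE_STRING,
) {
    Destination.Length = Source.Length;
    Destination.MaximumLength = Source.MaximumLength;
    let address = Source.Buffer as usize;
    let narrowed = address as u32;
    // Round-trip check: a lossless truncation widens back to the same value.
    debug_assert!(
        narrowed as usize == address,
        "UStrToUStr32: buffer address does not fit in a 32-bit WOW64 pointer"
    );
    Destination.Buffer = narrowed;
}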