use core::mem::size_of; use crate::ntapi_base::CLIENT_ID; use crate::ntpsapi::{GDI_HANDLE_BUFFER, PPEB_LDR_DATA}; use crate::ntrtl::PRTL_USER_PROCESS_PARAMETERS; use winapi::shared::basetsd::{SIZE_T, ULONG_PTR}; use winapi::shared::guiddef::GUID; use winapi::shared::ntdef::{ BOOLEAN, CHAR, HANDLE, LCID, LIST_ENTRY, LONG, NTSTATUS, PROCESSOR_NUMBER, PSTR, PVOID, UCHAR, ULARGE_INTEGER, ULONG, ULONGLONG, UNICODE_STRING, USHORT, WCHAR, }; use winapi::um::winnt::{ ACTIVATION_CONTEXT, FLS_MAXIMUM_AVAILABLE, NT_TIB, PRTL_CRITICAL_SECTION, PSLIST_HEADER, }; STRUCT!{struct RTL_ACTIVATION_CONTEXT_STACK_FRAME { Previous: PRTL_ACTIVATION_CONTEXT_STACK_FRAME, ActivationContext: *mut ACTIVATION_CONTEXT, Flags: ULONG, }} pub type PRTL_ACTIVATION_CONTEXT_STACK_FRAME = *mut RTL_ACTIVATION_CONTEXT_STACK_FRAME; STRUCT!{struct ACTIVATION_CONTEXT_STACK { ActiveFrame: *mut RTL_ACTIVATION_CONTEXT_STACK_FRAME, FrameListCache: LIST_ENTRY, Flags: ULONG, NextCookieSequenceNumber: ULONG, StackId: ULONG, }} pub type PACTIVATION_CONTEXT_STACK = *mut ACTIVATION_CONTEXT_STACK; STRUCT!{struct API_SET_NAMESPACE { Version: ULONG, Size: ULONG, Flags: ULONG, Count: ULONG, EntryOffset: ULONG, HashOffset: ULONG, HashFactor: ULONG, }} pub type PAPI_SET_NAMESPACE = *mut API_SET_NAMESPACE; STRUCT!{struct API_SET_HASH_ENTRY { Hash: ULONG, Index: ULONG, }} pub type PAPI_SET_HASH_ENTRY = *mut API_SET_HASH_ENTRY; STRUCT!{struct API_SET_NAMESPACE_ENTRY { Flags: ULONG, NameOffset: ULONG, NameLength: ULONG, HashedLength: ULONG, ValueOffset: ULONG, ValueCount: ULONG, }} pub type PAPI_SET_NAMESPACE_ENTRY = *mut API_SET_NAMESPACE_ENTRY; STRUCT!{struct API_SET_VALUE_ENTRY { Flags: ULONG, NameOffset: ULONG, NameLength: ULONG, ValueOffset: ULONG, ValueLength: ULONG, }} pub type PAPI_SET_VALUE_ENTRY = *mut API_SET_VALUE_ENTRY; UNION!{union PEB_u { KernelCallbackTable: PVOID, UserSharedInfoPtr: PVOID, }} #[repr(C)] pub struct LEAP_SECOND_DATA([u8; 0]); //fixme STRUCT!{struct PEB { InheritedAddressSpace: BOOLEAN, ReadImageFileExecOptions: BOOLEAN, BeingDebugged: BOOLEAN, BitField: BOOLEAN, Mutant: HANDLE, ImageBaseAddress: PVOID, Ldr: PPEB_LDR_DATA, ProcessParameters: PRTL_USER_PROCESS_PARAMETERS, SubSystemData: PVOID, ProcessHeap: PVOID, FastPebLock: PRTL_CRITICAL_SECTION, IFEOKey: PVOID, AtlThunkSListPtr: PSLIST_HEADER, CrossProcessFlags: ULONG, u: PEB_u, SystemReserved: [ULONG; 1], AtlThunkSListPtr32: ULONG, ApiSetMap: PAPI_SET_NAMESPACE, TlsExpansionCounter: ULONG, TlsBitmap: PVOID, TlsBitmapBits: [ULONG; 2], ReadOnlySharedMemoryBase: PVOID, SharedData: PVOID, ReadOnlyStaticServerData: *mut PVOID, AnsiCodePageData: PVOID, OemCodePageData: PVOID, UnicodeCaseTableData: PVOID, NumberOfProcessors: ULONG, NtGlobalFlag: ULONG, CriticalSectionTimeout: ULARGE_INTEGER, HeapSegmentReserve: SIZE_T, HeapSegmentCommit: SIZE_T, HeapDeCommitTotalFreeThreshold: SIZE_T, HeapDeCommitFreeBlockThreshold: SIZE_T, NumberOfHeaps: ULONG, MaximumNumberOfHeaps: ULONG, ProcessHeaps: *mut PVOID, GdiSharedHandleTable: PVOID, ProcessStarterHelper: PVOID, GdiDCAttributeList: ULONG, LoaderLock: PRTL_CRITICAL_SECTION, OSMajorVersion: ULONG, OSMinorVersion: ULONG, OSBuildNumber: USHORT, OSCSDVersion: USHORT, OSPlatformId: ULONG, ImageSubsystem: ULONG, ImageSubsystemMajorVersion: ULONG, ImageSubsystemMinorVersion: ULONG, ActiveProcessAffinityMask: ULONG_PTR, GdiHandleBuffer: GDI_HANDLE_BUFFER, PostProcessInitRoutine: PVOID, TlsExpansionBitmap: PVOID, TlsExpansionBitmapBits: [ULONG; 32], SessionId: ULONG, AppCompatFlags: ULARGE_INTEGER, AppCompatFlagsUser: ULARGE_INTEGER, pShimData: PVOID, AppCompatInfo: PVOID, CSDVersion: UNICODE_STRING, ActivationContextData: PVOID, ProcessAssemblyStorageMap: PVOID, SystemDefaultActivationContextData: PVOID, SystemAssemblyStorageMap: PVOID, MinimumStackCommit: SIZE_T, FlsCallback: *mut PVOID, FlsListHead: LIST_ENTRY, FlsBitmap: PVOID, FlsBitmapBits: [ULONG; FLS_MAXIMUM_AVAILABLE as usize / (size_of::() * 8)], FlsHighIndex: ULONG, WerRegistrationData: PVOID, WerShipAssertPtr: PVOID, pUnused: PVOID, pImageHeaderHash: PVOID, TracingFlags: ULONG, CsrServerReadOnlySharedMemoryBase: ULONGLONG, TppWorkerpListLock: PRTL_CRITICAL_SECTION, TppWorkerpList: LIST_ENTRY, WaitOnAddressHashTable: [PVOID; 128], TelemetryCoverageHeader: PVOID, CloudFileFlags: ULONG, CloudFileDiagFlags: ULONG, PlaceholderCompatibilityMode: CHAR, PlaceholderCompatibilityModeReserved: [CHAR; 7], LeapSecondData: *mut LEAP_SECOND_DATA, LeapSecondFlags: ULONG, NtGlobalFlag2: ULONG, }} BITFIELD!{PEB BitField: BOOLEAN [ ImageUsesLargePages set_ImageUsesLargePages[0..1], IsProtectedProcess set_IsProtectedProcess[1..2], IsImageDynamicallyRelocated set_IsImageDynamicallyRelocated[2..3], SkipPatchingUser32Forwarders set_SkipPatchingUser32Forwarders[3..4], IsPackagedProcess set_IsPackagedProcess[4..5], IsAppContainer set_IsAppContainer[5..6], IsProtectedProcessLight set_IsProtectedProcessLight[6..7], IsLongPathAwareProcess set_IsLongPathAwareProcess[7..8], ]} BITFIELD!{PEB CrossProcessFlags: ULONG [ ProcessInJob set_ProcessInJob[0..1], ProcessInitializing set_ProcessInitializing[1..2], ProcessUsingVEH set_ProcessUsingVEH[2..3], ProcessUsingVCH set_ProcessUsingVCH[3..4], ProcessUsingFTH set_ProcessUsingFTH[4..5], ProcessPreviouslyThrottled set_ProcessPreviouslyThrottled[5..6], ProcessCurrentlyThrottled set_ProcessCurrentlyThrottled[6..7], ProcessImagesHotPatched set_ProcessImagesHotPatched[7..8], ReservedBits0 set_ReservedBits0[8..32], ]} BITFIELD!{PEB TracingFlags: ULONG [ HeapTracingEnabled set_HeapTracingEnabled[0..1], CritSecTracingEnabled set_CritSecTracingEnabled[1..2], LibLoaderTracingEnabled set_LibLoaderTracingEnabled[2..3], SpareTracingBits set_SpareTracingBits[3..32], ]} BITFIELD!{PEB LeapSecondFlags: ULONG [ SixtySecondEnabled set_SixtySecondEnabled[0..1], Reserved set_Reserved[1..32], ]} pub type PPEB = *mut PEB; pub const GDI_BATCH_BUFFER_SIZE: usize = 310; STRUCT!{struct GDI_TEB_BATCH { Offset: ULONG, HDC: ULONG_PTR, Buffer: [ULONG; GDI_BATCH_BUFFER_SIZE], }} pub type PGDI_TEB_BATCH = *mut GDI_TEB_BATCH; STRUCT!{struct TEB_ACTIVE_FRAME_CONTEXT { Flags: ULONG, FrameName: PSTR, }} pub type PTEB_ACTIVE_FRAME_CONTEXT = *mut TEB_ACTIVE_FRAME_CONTEXT; STRUCT!{struct TEB_ACTIVE_FRAME { Flags: ULONG, Previous: *mut TEB_ACTIVE_FRAME, Context: PTEB_ACTIVE_FRAME_CONTEXT, }} pub type PTEB_ACTIVE_FRAME = *mut TEB_ACTIVE_FRAME; STRUCT!{struct TEB_u_s { ReservedPad0: UCHAR, ReservedPad1: UCHAR, ReservedPad2: UCHAR, IdealProcessor: UCHAR, }} UNION!{union TEB_u { CurrentIdealProcessor: PROCESSOR_NUMBER, IdealProcessorValue: ULONG, s: TEB_u_s, }} #[cfg(any(target_arch = "x86_64", target_arch = "aarch64"))] STRUCT!{struct TEB { NtTib: NT_TIB, EnvironmentPointer: PVOID, ClientId: CLIENT_ID, ActiveRpcHandle: PVOID, ThreadLocalStoragePointer: PVOID, ProcessEnvironmentBlock: PPEB, LastErrorValue: ULONG, CountOfOwnedCriticalSections: ULONG, CsrClientThread: PVOID, Win32ThreadInfo: PVOID, User32Reserved: [ULONG; 26], UserReserved: [ULONG; 5], WOW32Reserved: PVOID, CurrentLocale: LCID, FpSoftwareStatusRegister: ULONG, ReservedForDebuggerInstrumentation: [PVOID; 16], SystemReserved1: [PVOID; 30], PlaceholderCompatibilityMode: CHAR, PlaceholderReserved: [CHAR; 11], ProxiedProcessId: ULONG, ActivationStack: ACTIVATION_CONTEXT_STACK, WorkingOnBehalfTicket: [UCHAR; 8], ExceptionCode: NTSTATUS, ActivationContextStackPointer: PACTIVATION_CONTEXT_STACK, InstrumentationCallbackSp: ULONG_PTR, InstrumentationCallbackPreviousPc: ULONG_PTR, InstrumentationCallbackPreviousSp: ULONG_PTR, TxFsContext: ULONG, InstrumentationCallbackDisabled: BOOLEAN, GdiTebBatch: GDI_TEB_BATCH, RealClientId: CLIENT_ID, GdiCachedProcessHandle: HANDLE, GdiClientPID: ULONG, GdiClientTID: ULONG, GdiThreadLocalInfo: PVOID, Win32ClientInfo: [ULONG_PTR; 62], glDispatchTable: [PVOID; 233], glReserved1: [ULONG_PTR; 29], glReserved2: PVOID, glSectionInfo: PVOID, glSection: PVOID, glTable: PVOID, glCurrentRC: PVOID, glContext: PVOID, LastStatusValue: NTSTATUS, StaticUnicodeString: UNICODE_STRING, StaticUnicodeBuffer: [WCHAR; 261], DeallocationStack: PVOID, TlsSlots: [PVOID; 64], TlsLinks: LIST_ENTRY, Vdm: PVOID, ReservedForNtRpc: PVOID, DbgSsReserved: [PVOID; 2], HardErrorMode: ULONG, Instrumentation: [PVOID; 11], ActivityId: GUID, SubProcessTag: PVOID, PerflibData: PVOID, EtwTraceData: PVOID, WinSockData: PVOID, GdiBatchCount: ULONG, u: TEB_u, GuaranteedStackBytes: ULONG, ReservedForPerf: PVOID, ReservedForOle: PVOID, WaitingOnLoaderLock: ULONG, SavedPriorityState: PVOID, ReservedForCodeCoverage: ULONG_PTR, ThreadPoolData: PVOID, TlsExpansionSlots: *mut PVOID, DeallocationBStore: PVOID, BStoreLimit: PVOID, MuiGeneration: ULONG, IsImpersonating: ULONG, NlsCache: PVOID, pShimData: PVOID, HeapVirtualAffinity: USHORT, LowFragHeapDataSlot: USHORT, CurrentTransactionHandle: HANDLE, ActiveFrame: PTEB_ACTIVE_FRAME, FlsData: PVOID, PreferredLanguages: PVOID, UserPrefLanguages: PVOID, MergedPrefLanguages: PVOID, MuiImpersonation: ULONG, CrossTebFlags: USHORT, SameTebFlags: USHORT, TxnScopeEnterCallback: PVOID, TxnScopeExitCallback: PVOID, TxnScopeContext: PVOID, LockCount: ULONG, WowTebOffset: LONG, ResourceRetValue: PVOID, ReservedForWdf: PVOID, ReservedForCrt: ULONGLONG, EffectiveContainerId: GUID, }} #[cfg(target_arch = "x86")] STRUCT!{struct TEB { NtTib: NT_TIB, EnvironmentPointer: PVOID, ClientId: CLIENT_ID, ActiveRpcHandle: PVOID, ThreadLocalStoragePointer: PVOID, ProcessEnvironmentBlock: PPEB, LastErrorValue: ULONG, CountOfOwnedCriticalSections: ULONG, CsrClientThread: PVOID, Win32ThreadInfo: PVOID, User32Reserved: [ULONG; 26], UserReserved: [ULONG; 5], WOW32Reserved: PVOID, CurrentLocale: LCID, FpSoftwareStatusRegister: ULONG, ReservedForDebuggerInstrumentation: [PVOID; 16], SystemReserved1: [PVOID; 26], PlaceholderCompatibilityMode: CHAR, PlaceholderReserved: [CHAR; 11], ProxiedProcessId: ULONG, ActivationStack: ACTIVATION_CONTEXT_STACK, WorkingOnBehalfTicket: [UCHAR; 8], ExceptionCode: NTSTATUS, ActivationContextStackPointer: PACTIVATION_CONTEXT_STACK, InstrumentationCallbackSp: ULONG_PTR, InstrumentationCallbackPreviousPc: ULONG_PTR, InstrumentationCallbackPreviousSp: ULONG_PTR, InstrumentationCallbackDisabled: BOOLEAN, SpareBytes: [UCHAR; 23], TxFsContext: ULONG, GdiTebBatch: GDI_TEB_BATCH, RealClientId: CLIENT_ID, GdiCachedProcessHandle: HANDLE, GdiClientPID: ULONG, GdiClientTID: ULONG, GdiThreadLocalInfo: PVOID, Win32ClientInfo: [ULONG_PTR; 62], glDispatchTable: [PVOID; 233], glReserved1: [ULONG_PTR; 29], glReserved2: PVOID, glSectionInfo: PVOID, glSection: PVOID, glTable: PVOID, glCurrentRC: PVOID, glContext: PVOID, LastStatusValue: NTSTATUS, StaticUnicodeString: UNICODE_STRING, StaticUnicodeBuffer: [WCHAR; 261], DeallocationStack: PVOID, TlsSlots: [PVOID; 64], TlsLinks: LIST_ENTRY, Vdm: PVOID, ReservedForNtRpc: PVOID, DbgSsReserved: [PVOID; 2], HardErrorMode: ULONG, Instrumentation: [PVOID; 9], ActivityId: GUID, SubProcessTag: PVOID, PerflibData: PVOID, EtwTraceData: PVOID, WinSockData: PVOID, GdiBatchCount: ULONG, u: TEB_u, GuaranteedStackBytes: ULONG, ReservedForPerf: PVOID, ReservedForOle: PVOID, WaitingOnLoaderLock: ULONG, SavedPriorityState: PVOID, ReservedForCodeCoverage: ULONG_PTR, ThreadPoolData: PVOID, TlsExpansionSlots: *mut PVOID, MuiGeneration: ULONG, IsImpersonating: ULONG, NlsCache: PVOID, pShimData: PVOID, HeapVirtualAffinity: USHORT, LowFragHeapDataSlot: USHORT, CurrentTransactionHandle: HANDLE, ActiveFrame: PTEB_ACTIVE_FRAME, FlsData: PVOID, PreferredLanguages: PVOID, UserPrefLanguages: PVOID, MergedPrefLanguages: PVOID, MuiImpersonation: ULONG, CrossTebFlags: USHORT, SameTebFlags: USHORT, TxnScopeEnterCallback: PVOID, TxnScopeExitCallback: PVOID, TxnScopeContext: PVOID, LockCount: ULONG, WowTebOffset: LONG, ResourceRetValue: PVOID, ReservedForWdf: PVOID, ReservedForCrt: ULONGLONG, EffectiveContainerId: GUID, }} BITFIELD!{TEB SameTebFlags: USHORT [ SafeThunkCall set_SafeThunkCall[0..1], InDebugPrint set_InDebugPrint[1..2], HasFiberData set_HasFiberData[2..3], SkipThreadAttach set_SkipThreadAttach[3..4], WerInShipAssertCode set_WerInShipAssertCode[4..5], RanProcessInit set_RanProcessInit[5..6], ClonedThread set_ClonedThread[6..7], SuppressDebugMsg set_SuppressDebugMsg[7..8], DisableUserStackWalk set_DisableUserStackWalk[8..9], RtlExceptionAttached set_RtlExceptionAttached[9..10], InitialThread set_InitialThread[10..11], SessionAware set_SessionAware[11..12], LoadOwner set_LoadOwner[12..13], LoaderWorker set_LoaderWorker[13..14], SkipLoaderInit set_SkipLoaderInit[14..15], SpareSameTebBits set_SpareSameTebBits[15..16], ]} pub type PTEB = *mut TEB;