1 #pragma once
2 // *************************************************************
3 //
4 //  Licensed to the Apache Software Foundation (ASF) under one
5 //  or more contributor license agreements.  See the NOTICE file
6 //  distributed with this work for additional information
7 //  regarding copyright ownership.  The ASF licenses this file
8 //  to you under the Apache License, Version 2.0 (the
9 //  "License"); you may not use this file except in compliance
10 //  with the License.  You may obtain a copy of the License at
11 //
12 //    http://www.apache.org/licenses/LICENSE-2.0
13 //
14 //  Unless required by applicable law or agreed to in writing,
15 //  software distributed under the License is distributed on an
16 //  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
17 //  KIND, either express or implied.  See the License for the
18 //  specific language governing permissions and limitations
19 //  under the License.
20 //
21 // *************************************************************
22 
23 //Kernel32 objects
24 
25 #define K32OBJ_SEMAPHORE			0x1
26 #define K32OBJ_EVENT				0x2
27 #define K32OBJ_MUTEX				0x3
28 #define K32OBJ_CRITICAL_SECTION     0x4
29 #define K32OBJ_PROCESS				0x5
30 #define K32OBJ_THREAD				0x6
31 #define K32OBJ_FILE					0x7
32 #define K32OBJ_CHANGE				0x8
33 #define K32OBJ_CONSOLE				0x9
34 #define K32OBJ_SCREEN_BUFFER	    0xA
35 #define K32OBJ_MEM_MAPPED_FILE	    0xB
36 #define K32OBJ_SERIAL				0xC
37 #define K32OBJ_DEVICE_IOCTL			0xD
38 #define K32OBJ_PIPE					0xE
39 #define K32OBJ_MAILSLOT 			0xF
40 #define K32OBJ_TOOLHELP_SNAPSHOT    0x10
41 #define K32OBJ_SOCKET				0x11
42 
43 
44 //Process Database flags
45 
46 #define fDebugSingle		0x00000001
47 #define fCreateProcessEvent	0x00000002
48 #define fExitProcessEvent	0x00000004
49 #define fWin16Process		0x00000008
50 #define fDosProcess			0x00000010
51 #define fConsoleProcess 	0x00000020
52 #define fFileApisAreOem 	0x00000040
53 #define fNukeProcess		0x00000080
54 #define fServiceProcess 	0x00000100
55 #define fLoginScriptHack	0x00000800
56 
57 
58 //Thread Database flags
59 
60 #define fCreateThreadEvent		0x00000001
61 #define fCancelExceptionAbort	0x00000002
62 #define fOnTempStack			0x00000004
63 #define fGrowableStack			0x00000008
64 #define fDelaySingleStep		0x00000010
65 #define fOpenExeAsImmovableFile 0x00000020
66 #define fCreateSuspended		0x00000040
67 #define fStackOverflow			0x00000080
68 #define fNestedCleanAPCs		0x00000100
69 #define fWasOemNowAnsi			0x00000200
70 #define fOKToSetThreadOem		0x00000400
71 
72 #ifdef _MSC_VER
73 #pragma warning(disable:4103)
74 #endif
75 #pragma pack(1)
76 
77 
78 //MODREF and IMTE structures
79 
80 typedef struct _MODREF {
81     struct _MODREF *pNextModRef;    // 00h
82     DWORD	    un1;	    // 04h
83     DWORD	    un2;	    // 08h
84     DWORD	    un3;	    // 0Ch
85     WORD	    mteIndex;	// 10h
86     WORD	    un4;	    // 12h
87     DWORD	    un5;	    // 14h
88     PVOID	    ppdb;	    // 18h Pointer to process database
89     DWORD	    un6;	    // 1Ch
90     DWORD	    un7;	    // 20h
91     DWORD	    un8;	    // 24h
92 } MODREF, *PMODREF;
93 
94 typedef struct _IMTE {
95     DWORD	    un1;			// 00h
96     PIMAGE_NT_HEADERS	pNTHdr; // 04h
97     DWORD	    un2;			// 08h
98     PSTR	    pszFileName;    // 0Ch
99     PSTR	    pszModName;     // 10h
100     WORD	    cbFileName;     // 14h
101     WORD	    cbModName;	    // 16h
102     DWORD	    un3;			// 18h
103     DWORD	    cSections;	    // 1Ch
104     DWORD	    un5;			// 20h
105     DWORD	    baseAddress;    // 24h
106     WORD	    hModule16;	    // 28h
107     WORD	    cUsage;			// 2Ah
108     DWORD	    un7;			// 2Ch
109     PSTR	    pszFileName2;   // 30h
110     WORD	    cbFileName2;    // 34h
111     DWORD	    pszModName2;    // 36h
112     WORD	    cbModName2;     // 3Ah
113 } IMTE, *PIMTE;
114 
115 
116 //Process Database structure
117 
118 typedef struct _ENVIRONMENT_DATABASE {
119 PSTR	pszEnvironment;     // 00h Pointer to Environment
120 DWORD	un1;				// 04h
121 PSTR	pszCmdLine;			// 08h Pointer to command line
122 PSTR	pszCurrDirectory;   // 0Ch Pointer to current directory
123 LPSTARTUPINFOA pStartupInfo;// 10h Pointer to STARTUPINFOA struct
124 HANDLE	hStdIn; 			// 14h Standard Input
125 HANDLE	hStdOut;			// 18h Standard Output
126 HANDLE	hStdErr;			// 1Ch Standard Error
127 DWORD	un2;				// 20h
128 DWORD	InheritConsole;     // 24h
129 DWORD	BreakType;			// 28h
130 DWORD	BreakSem;			// 2Ch
131 DWORD	BreakEvent;			// 30h
132 DWORD	BreakThreadID;	    // 34h
133 DWORD	BreakHandlers;	    // 38h
134 } ENVIRONMENT_DATABASE, *PENVIRONMENT_DATABASE;
135 
136 typedef struct _KERNEL_OBJECT {
137 DWORD	Type;		    // 00h KERNEL32 object type (5)
138 DWORD	cReference;	    // 04h Number of references to process
139 } KERNEL_OBJECT, *PKERNEL_OBJECT;
140 
141 typedef struct _HANDLE_TABLE_ENTRY {
142     DWORD   flags;		// Valid flags depend on what type of object this is
143     PKERNEL_OBJECT   pObject;	// Pointer to the object that the handle refers to
144 } HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;
145 
146 typedef struct _HANDLE_TABLE {
147     DWORD   cEntries;				// Max number of handles in table
148     HANDLE_TABLE_ENTRY array[1];    // An array (number is given by cEntries)
149 } HANDLE_TABLE, *PHANDLE_TABLE;
150 
151 
152 typedef struct _PROCESS_DATABASE {
153 DWORD	Type;		    // 00h KERNEL32 object type (5)
154 DWORD	cReference;	    // 04h Number of references to process
155 DWORD	un1;		    // 08h
156 DWORD	someEvent;	    // 0Ch An event object (What's it used for???)
157 DWORD	TerminationStatus;  // 10h Returned by GetExitCodeProcess
158 DWORD	un2;		    // 14h
159 DWORD	DefaultHeap;	    // 18h Address of the process heap
160 DWORD	MemoryContext;	    // 1Ch pointer to the process's context
161 DWORD	flags;		    // 20h
162 			    // 0x00000001 - fDebugSingle
163 			    // 0x00000002 - fCreateProcessEvent
164 			    // 0x00000004 - fExitProcessEvent
165 			    // 0x00000008 - fWin16Process
166 			    // 0x00000010 - fDosProcess
167 			    // 0x00000020 - fConsoleProcess
168 			    // 0x00000040 - fFileApisAreOem
169 			    // 0x00000080 - fNukeProcess
170 			    // 0x00000100 - fServiceProcess
171 			    // 0x00000800 - fLoginScriptHack
172 DWORD	pPSP;		    // 24h Linear address of PSP?
173 WORD	PSPSelector;	    // 28h
174 WORD	MTEIndex;	    // 2Ah
175 WORD	cThreads;	    // 2Ch
176 WORD	cNotTermThreads;    // 2Eh
177 WORD	un3;		    // 30h
178 WORD	cRing0Threads;	    // 32h number of ring 0 threads
179 HANDLE	HeapHandle;	    // 34h Heap to allocate handle tables out of
180 			    //	   This seems to always be the KERNEL32 heap
181 HTASK	W16TDB; 	    // 38h Win16 Task Database selector
182 DWORD	MemMapFiles;	    // 3Ch memory mapped file list (?)
183 PENVIRONMENT_DATABASE pEDB; // 40h Pointer to Environment Database
184 PHANDLE_TABLE pHandleTable; // 44h Pointer to process handle table
185 struct _PROCESS_DATABASE *ParentPDB;   // 48h Parent process database
186 PMODREF MODREFlist;	    // 4Ch Module reference list
187 DWORD	ThreadList;	    // 50h Threads in this process
188 DWORD	DebuggeeCB;	    // 54h Debuggee Context block?
189 DWORD	LocalHeapFreeHead;  // 58h Head of free list in process heap
190 DWORD	InitialRing0ID;     // 5Ch
191 CRITICAL_SECTION    crst;   // 60h
192 DWORD	un4[3]; 	    // 78h
193 DWORD	pConsole;	    // 84h Pointer to console for process
194 DWORD	tlsInUseBits1;	    // 88h  // Represents TLS indices 0 - 31
195 DWORD	tlsInUseBits2;	    // 8Ch  // Represents TLS indices 32 - 63
196 DWORD	ProcessDWORD;	    // 90h
197 struct _PROCESS_DATABASE *ProcessGroup;    // 94h
198 DWORD	pExeMODREF;	    // 98h pointer to EXE's MODREF
199 DWORD	TopExcFilter;	    // 9Ch Top Exception Filter?
200 DWORD	BasePriority;	    // A0h Base scheduling priority for process
201 DWORD	HeapOwnList;	    // A4h Head of the list of process heaps
202 DWORD	HeapHandleBlockList;// A8h Pointer to head of heap handle block list
203 DWORD	pSomeHeapPtr;	    // ACh normally zero, but can a pointer to a
204 			    // moveable handle block in the heap
205 DWORD	pConsoleProvider;   // B0h Process that owns the console we're using?
206 WORD	EnvironSelector;    // B4h Selector containing process environment
207 WORD	ErrorMode;	    // B6H SetErrorMode value (also thunks to Win16)
208 DWORD	pevtLoadFinished;   // B8h Pointer to event LoadFinished?
209 WORD	UTState;	    // BCh
210 } PROCESS_DATABASE, *PPROCESS_DATABASE;
211 
212 
213 //TIB (Thread Information Block) structure
214 
215 typedef struct _SEH_record {
216     struct _SEH_record *pNext;
217     FARPROC		pfnHandler;
218 } SEH_record, *PSEH_record;
219 
220 // This is semi-documented in the NTDDK.H file from the NT DDK
221 typedef struct _TIB {
222 PSEH_record pvExcept;	    // 00h Head of exception record list
223 PVOID	pvStackUserTop;     // 04h Top of user stack
224 PVOID	pvStackUserBase;    // 08h Base of user stack
225 WORD	pvTDB;		    // 0Ch TDB
226 WORD	pvThunksSS;	    // 0Eh SS selector used for thunking to 16 bits
227 DWORD	SelmanList;	    // 10h
228 PVOID	pvArbitrary;	    // 14h Available for application use
229 struct _tib *ptibSelf;	    // 18h Linear address of TIB structure
230 WORD	TIBFlags;	    // 1Ch
231 WORD	Win16MutexCount;    // 1Eh
232 DWORD	DebugContext;	    // 20h
233 DWORD	pCurrentPriority;   // 24h
234 DWORD	pvQueue;	    // 28h Message Queue selector
235 PVOID  *pvTLSArray;	    // 2Ch Thread Local Storage array
236 } TIB, *PTIB;
237 
238 
239 //TDBX structure
240 
241 typedef struct _TDBX {
242     DWORD   ptdb;		// 00h	// PTHREAD_DATABASE
243     DWORD   ppdb;		// 04h	// PPROCESDS_DATABASE
244     DWORD   ContextHandle;	// 08h
245     DWORD   un1;		// 0Ch
246     DWORD   TimeOutHandle;	// 10h
247     DWORD   WakeParam;		// 14h
248     DWORD   BlockHandle;	// 18h
249     DWORD   BlockState; 	// 1Ch
250     DWORD   SuspendCount;	// 20h
251     DWORD   SuspendHandle;	// 24h
252     DWORD   MustCompleteCount;	// 28h
253     DWORD   WaitExFlags;	// 2Ch
254 				// 0x00000001 - WAITEXBIT
255 				// 0x00000002 - WAITACKBIT
256 				// 0x00000004 - SUSPEND_APC_PENDING
257 				// 0x00000008 - SUSPEND_TERMINATED
258 				// 0x00000010 - BLOCKED_FOR_TERMINATION
259 				// 0x00000020 - EMULATE_NPX
260 				// 0x00000040 - WIN32_NPX
261 				// 0x00000080 - EXTENDED_HANDLES
262 				// 0x00000100 - FROZEN
263 				// 0x00000200 - DONT_FREEZE
264 				// 0x00000400 - DONT_UNFREEZE
265 				// 0x00000800 - DONT_TRACE
266 				// 0x00001000 - STOP_TRACING
267 				// 0x00002000 - WAITING_FOR_CRST_SAFE
268 				// 0x00004000 - CRST_SAFE
269 				// 0x00040000 - BLOCK_TERMINATE_APC
270     DWORD   SyncWaitCount;	// 30h
271     DWORD   QueuedSyncFuncs;	// 34h
272     DWORD   UserAPCList;	// 38h
273     DWORD   KernAPCList;	// 3Ch
274     DWORD   pPMPSPSelector;	// 40h
275     DWORD   BlockedOnID;	// 44h
276     DWORD   un2[7];		// 48h
277     DWORD   TraceRefData;	// 64h
278     DWORD   TraceCallBack;	// 68h
279     DWORD   TraceEventHandle;	// 6Ch
280     WORD    TraceOutLastCS;	// 70h
281     WORD    K16TDB;		// 72h
282     WORD    K16PDB;		// 74h
283     WORD    DosPDBSeg;		// 76h
284     WORD    ExceptionCount;	// 78h
285 } TDBX, *PTDBX;
286 
287 
288 //Thread Database structure
289 
290 typedef struct _THREAD_DATABASE {
291 DWORD	Type;		    // 00h
292 DWORD	cReference;	    // 04h
293 PPROCESS_DATABASE pProcess; // 08h
294 DWORD	someEvent;	    // 0Ch An event object (What's it used for???)
295 DWORD	pvExcept;	    // 10h This field through field 3CH is a TIB
296 			    //	    structure (see TIB.H)
297 DWORD	TopOfStack;	    // 14h
298 DWORD	StackLow;	    // 18h
299 WORD	W16TDB; 	    // 1Ch
300 WORD	StackSelector16;    // 1Eh Used when thunking down to 16 bits
301 DWORD	SelmanList;	    // 20h
302 DWORD	UserPointer;	    // 24h
303 PTIB	pTIB;		    // 28h
304 WORD	TIBFlags;	    // 2Ch  TIBF_WIN32 = 1, TIBF_TRAP = 2
305 WORD	Win16MutexCount;    // 2Eh
306 DWORD	DebugContext;	    // 30h
307 PDWORD	pCurrentPriority;   // 34h
308 DWORD	MessageQueue;	    // 38h
309 DWORD	pTLSArray;	    // 3Ch
310 PPROCESS_DATABASE pProcess2;// 40h Another copy of the thread's process???
311 DWORD	Flags;		    // 44h
312 			    // 0x00000001 - fCreateThreadEvent
313 			    // 0x00000002 - fCancelExceptionAbort
314 			    // 0x00000004 - fOnTempStack
315 			    // 0x00000008 - fGrowableStack
316 			    // 0x00000010 - fDelaySingleStep
317 			    // 0x00000020 - fOpenExeAsImmovableFile
318 			    // 0x00000040 - fCreateSuspended
319 			    // 0x00000080 - fStackOverflow
320 			    // 0x00000100 - fNestedCleanAPCs
321 			    // 0x00000200 - fWasOemNowAnsi
322 			    // 0x00000400 - fOKToSetThreadOem
323 DWORD	TerminationStatus;  // 48h Returned by GetExitCodeThread
324 WORD	TIBSelector;	    // 4Ch
325 WORD	EmulatorSelector;   // 4Eh
326 DWORD	cHandles;	    // 50h
327 DWORD	WaitNodeList;	    // 54h
328 DWORD	un4;		    // 58h
329 DWORD	Ring0Thread;	    // 5Ch
330 PTDBX	pTDBX;		    // 60
331 DWORD	StackBase;	    // 64h
332 DWORD	TerminationStack;   // 68h
333 DWORD	EmulatorData;	    // 6Ch
334 DWORD	GetLastErrorCode;   // 70h
335 DWORD	DebuggerCB;	    // 74h
336 DWORD	DebuggerThread;     // 78h
337 PCONTEXT    ThreadContext;  // 7Ch  // register context defined in WINNT.H
338 DWORD	Except16List;	    // 80h
339 DWORD	ThunkConnect;	    // 84h
340 DWORD	NegStackBase;	    // 88h
341 DWORD	CurrentSS;	    // 8Ch
342 DWORD	SSTable;	    // 90h
343 DWORD	ThunkSS16;	    // 94h
344 DWORD	TLSArray[64];	    // 98h
345 DWORD	DeltaPriority;	    // 198h
346 
347 // The retail version breaks off somewhere around here.
348 // All the remaining fields are most likely only in the debug version
349 
350 DWORD	un5[7]; 	    // 19Ch
351 DWORD	pCreateData16;	    // 1B8h
352 DWORD	APISuspendCount;    // 1BCh # of times SuspendThread has been called
353 DWORD	un6;		    // 1C0h
354 DWORD	WOWChain;	    // 1C4h
355 WORD	wSSBig; 	    // 1C8h
356 WORD	un7;		    // 1CAh
357 DWORD	lp16SwitchRec;	    // 1CCh
358 DWORD	un8[6]; 	    // 1D0h
359 DWORD	pSomeCritSect1;     // 1E8h
360 DWORD	pWin16Mutex;	    // 1ECh
361 DWORD	pWin32Mutex;	    // 1F0h
362 DWORD	pSomeCritSect2;     // 1F4h
363 DWORD	un9;		    // 1F8h
364 DWORD	ripString;	    // 1FCh
365 DWORD	LastTlsSetValueEIP[64]; // 200h (parallel to TlsArray, contains EIP
366 				//	where TLS value was last set from)
367 } THREAD_DATABASE, *PTHREAD_DATABASE;
368 
369