/*
 * KERNEL32 object type tags.
 *
 * One of these values sits in the `Type` member at offset 00h of a
 * KERNEL_OBJECT (and of PROCESS_DATABASE, whose Type comment reads "(5)",
 * matching K32OBJ_PROCESS). A HANDLE_TABLE_ENTRY reaches the object through
 * PKERNEL_OBJECT, so the tag is what tells a handle's object kind apart.
 */
#define K32OBJ_SEMAPHORE         0x1
#define K32OBJ_EVENT             0x2
#define K32OBJ_MUTEX             0x3
#define K32OBJ_CRITICAL_SECTION  0x4
#define K32OBJ_PROCESS           0x5
#define K32OBJ_THREAD            0x6
#define K32OBJ_FILE              0x7
#define K32OBJ_CHANGE            0x8
#define K32OBJ_CONSOLE           0x9
#define K32OBJ_SCREEN_BUFFER     0xA
#define K32OBJ_MEM_MAPPED_FILE   0xB
#define K32OBJ_SERIAL            0xC
#define K32OBJ_DEVICE_IOCTL      0xD
#define K32OBJ_PIPE              0xE
#define K32OBJ_MAILSLOT          0xF
#define K32OBJ_TOOLHELP_SNAPSHOT 0x10
#define K32OBJ_SOCKET            0x11
// Process Database flags
//
// Bit values of the PROCESS_DATABASE flags word. The same list is repeated
// as comments inside that structure; keep the two in sync if either changes.
// These are plain macros (not an enum) so they stay usable in #if tests.
#define fDebugSingle        0x00000001
#define fCreateProcessEvent 0x00000002
#define fExitProcessEvent   0x00000004
#define fWin16Process       0x00000008
#define fDosProcess         0x00000010
#define fConsoleProcess     0x00000020
#define fFileApisAreOem     0x00000040
#define fNukeProcess        0x00000080
#define fServiceProcess     0x00000100
#define fLoginScriptHack    0x00000800   // note the gap: 0x200 and 0x400 are unassigned here
// Thread Database flags
//
// Bit values of the THREAD_DATABASE flags word. The same list is repeated
// as comments inside that structure; keep the two in sync if either changes.
#define fCreateThreadEvent       0x00000001
#define fCancelExceptionAbort    0x00000002
#define fOnTempStack             0x00000004
#define fGrowableStack           0x00000008
#define fDelaySingleStep         0x00000010
#define fOpenExeAsImmovableFile  0x00000020
#define fCreateSuspended         0x00000040
#define fStackOverflow           0x00000080
#define fNestedCleanAPCs         0x00000100
#define fWasOemNowAnsi           0x00000200
#define fOKToSetThreadOem        0x00000400
// MSVC warning C4103 ("alignment changed after including header") fires when
// a header changes structure packing without restoring it.
// NOTE(review): the structures below carry explicit offset comments and so
// presumably mirror fixed in-memory layouts; an unbalanced #pragma pack
// would shift every one of those offsets, and silencing C4103 hides exactly
// that. A matched #pragma pack(push)/pack(pop) pair is the safer fix.
#pragma warning(disable:4103)
//MODREF and IMTE structures

// MODREF: per-process module reference record. PROCESS_DATABASE keeps the
// list head in MODREFlist (declared there as PMODREF).
// NOTE(review): this listing is incomplete -- the members between 04h and
// 14h and the closing "} MODREF, *PMODREF;" are not reproduced, so the
// fragment below is not a usable definition as shown.
typedef struct _MODREF
{
    struct _MODREF *pNextModRef;   // 00h  presumably the next MODREF in the process's list
    // 04h-14h: members not reproduced in this listing
    PVOID ppdb;                    // 18h  Pointer to process database
// IMTE: module table entry -- file/module names and lengths, section count,
// base address and the Win16 module handle.
// NOTE(review): this listing is incomplete -- members at 00h, 08h, 18h, 20h,
// 2Ah-2Fh and the closing typedef are not reproduced; do not use this
// fragment as a layout definition.
typedef struct _IMTE
{
    // 00h: member not reproduced in this listing
    PIMAGE_NT_HEADERS pNTHdr;   // 04h
    // 08h: member not reproduced in this listing
    PSTR pszFileName;           // 0Ch
    PSTR pszModName;            // 10h
    WORD cbFileName;            // 14h
    WORD cbModName;             // 16h
    // 18h: member not reproduced in this listing
    DWORD cSections;            // 1Ch
    // 20h: member not reproduced in this listing
    DWORD baseAddress;          // 24h
    WORD hModule16;             // 28h
    // 2Ah-2Fh: member(s) not reproduced in this listing
    PSTR pszFileName2;          // 30h
    WORD cbFileName2;           // 34h
    DWORD pszModName2;          // 36h  NOTE(review): declared DWORD although the name
                                //      (and pszModName above) suggests PSTR; on the
                                //      32-bit layout these offsets imply, both are 4 bytes
    WORD cbModName2;            // 3Ah
//Process Database structure

// ENVIRONMENT_DATABASE: per-process environment block, command line, current
// directory, startup info and the three standard handles. PROCESS_DATABASE
// points at it through pEDB (40h).
// NOTE(review): the members at 04h and 20h are not reproduced in this
// listing. If the types are 4 bytes wide as the offsets imply, every member
// after pszEnvironment (and again after hStdErr) lands 4 bytes earlier than
// its comment says, so overlaying process memory with this fragment would
// read the wrong fields. Restore the missing members before relying on it.
typedef struct _ENVIRONMENT_DATABASE
{
    PSTR pszEnvironment;            // 00h Pointer to Environment
    // 04h: member not reproduced in this listing
    PSTR pszCmdLine;                // 08h Pointer to command line
    PSTR pszCurrDirectory;          // 0Ch Pointer to current directory
    LPSTARTUPINFOA pStartupInfo;    // 10h Pointer to STARTUPINFOA struct
    HANDLE hStdIn;                  // 14h Standard Input
    HANDLE hStdOut;                 // 18h Standard Output
    HANDLE hStdErr;                 // 1Ch Standard Error
    // 20h: member not reproduced in this listing
    DWORD InheritConsole;           // 24h
    DWORD BreakType;                // 28h
    DWORD BreakSem;                 // 2Ch
    DWORD BreakEvent;               // 30h
    DWORD BreakThreadID;            // 34h
    DWORD BreakHandlers;            // 38h
} ENVIRONMENT_DATABASE, *PENVIRONMENT_DATABASE;
// KERNEL_OBJECT: the header every KERNEL32 object begins with.
// PROCESS_DATABASE opens with the same two members (Type at 00h, cReference
// at 04h), and HANDLE_TABLE_ENTRY.pObject refers to an object through this
// type, so the Type tag is what a handle lookup reads first.
struct _KERNEL_OBJECT
{
    DWORD Type;         // 00h KERNEL32 object type -- one of the K32OBJ_* tags (5 = K32OBJ_PROCESS)
    DWORD cReference;   // 04h Number of references to the object ("to process" in the original comment)
};
typedef struct _KERNEL_OBJECT KERNEL_OBJECT;
typedef KERNEL_OBJECT *PKERNEL_OBJECT;
// HANDLE_TABLE_ENTRY: one slot of a process HANDLE_TABLE -- per-handle flags
// plus the object the handle resolves to.
struct _HANDLE_TABLE_ENTRY
{
    DWORD flags;              // Valid flags depend on what type of object this is
    PKERNEL_OBJECT pObject;   // Pointer to the object that the handle refers to
};
typedef struct _HANDLE_TABLE_ENTRY HANDLE_TABLE_ENTRY;
typedef HANDLE_TABLE_ENTRY *PHANDLE_TABLE_ENTRY;
// HANDLE_TABLE: variable-length table of handle slots, reached from
// PROCESS_DATABASE.pHandleTable (44h).
// array[1] is the pre-C99 trailing-array idiom: the table really holds
// cEntries slots, so sizeof(HANDLE_TABLE) only accounts for the first one,
// and any index into array must be checked against cEntries before use.
// The [1] is kept deliberately -- a flexible array member would change
// sizeof and the layout this mirrors.
struct _HANDLE_TABLE
{
    DWORD cEntries;                 // Max number of handles in table
    HANDLE_TABLE_ENTRY array[1];    // An array (number is given by cEntries)
};
typedef struct _HANDLE_TABLE HANDLE_TABLE;
typedef HANDLE_TABLE *PHANDLE_TABLE;
// PROCESS_DATABASE: KERNEL32's per-process record. It starts with the same
// Type/cReference header as KERNEL_OBJECT (Type 5 = K32OBJ_PROCESS) and links
// to the environment database (pEDB), the handle table (pHandleTable), the
// parent process (ParentPDB), the module list (MODREFlist) and the console.
// NOTE(review): this listing is incomplete -- members at 08h, 14h, 20h (the
// flags word the fXXX comments below describe) and 30h are certainly missing
// (the neighbouring offsets leave a hole), and a source line is absent both
// between crst and pConsole and just before the closing brace. The member
// offsets of this fragment therefore do not match the offset comments; do
// not overlay process memory with it until the missing members are restored.
typedef struct _PROCESS_DATABASE
{
    DWORD Type;                             // 00h KERNEL32 object type (5 = K32OBJ_PROCESS)
    DWORD cReference;                       // 04h Number of references to process
    // 08h: member not reproduced in this listing
    DWORD someEvent;                        // 0Ch An event object (What's it used for???)
    DWORD TerminationStatus;                // 10h Returned by GetExitCodeProcess
    // 14h: member not reproduced in this listing
    DWORD DefaultHeap;                      // 18h Address of the process heap
    DWORD MemoryContext;                    // 1Ch pointer to the process's context
    // 20h: flags word not reproduced in this listing; its bits are the
    // "Process Database flags" macros defined above:
    // 0x00000001 - fDebugSingle
    // 0x00000002 - fCreateProcessEvent
    // 0x00000004 - fExitProcessEvent
    // 0x00000008 - fWin16Process
    // 0x00000010 - fDosProcess
    // 0x00000020 - fConsoleProcess
    // 0x00000040 - fFileApisAreOem
    // 0x00000080 - fNukeProcess
    // 0x00000100 - fServiceProcess
    // 0x00000800 - fLoginScriptHack
    DWORD pPSP;                             // 24h Linear address of PSP?
    WORD PSPSelector;                       // 28h
    WORD MTEIndex;                          // 2Ah
    WORD cThreads;                          // 2Ch
    WORD cNotTermThreads;                   // 2Eh
    // 30h: member not reproduced in this listing
    WORD cRing0Threads;                     // 32h number of ring 0 threads
    HANDLE HeapHandle;                      // 34h Heap to allocate handle tables out of
                                            //     This seems to always be the KERNEL32 heap
    HTASK W16TDB;                           // 38h Win16 Task Database selector
    DWORD MemMapFiles;                      // 3Ch memory mapped file list (?)
    PENVIRONMENT_DATABASE pEDB;             // 40h Pointer to Environment Database
    PHANDLE_TABLE pHandleTable;             // 44h Pointer to process handle table
    struct _PROCESS_DATABASE *ParentPDB;    // 48h Parent process database
    PMODREF MODREFlist;                     // 4Ch Module reference list
    DWORD ThreadList;                       // 50h Threads in this process
    DWORD DebuggeeCB;                       // 54h Debuggee Context block?
    DWORD LocalHeapFreeHead;                // 58h Head of free list in process heap
    DWORD InitialRing0ID;                   // 5Ch
    CRITICAL_SECTION crst;                  // 60h
    // a source line between crst (60h) and pConsole (84h) is not reproduced in this listing
    DWORD pConsole;                         // 84h Pointer to console for process
    DWORD tlsInUseBits1;                    // 88h Represents TLS indices 0 - 31
    DWORD tlsInUseBits2;                    // 8Ch Represents TLS indices 32 - 63
    DWORD ProcessDWORD;                     // 90h
    struct _PROCESS_DATABASE *ProcessGroup; // 94h
    DWORD pExeMODREF;                       // 98h pointer to EXE's MODREF
    DWORD TopExcFilter;                     // 9Ch Top Exception Filter?
    DWORD BasePriority;                     // A0h Base scheduling priority for process
    DWORD HeapOwnList;                      // A4h Head of the list of process heaps
    DWORD HeapHandleBlockList;              // A8h Pointer to head of heap handle block list
    DWORD pSomeHeapPtr;                     // ACh normally zero, but can be a pointer to a
                                            //     moveable handle block in the heap
    DWORD pConsoleProvider;                 // B0h Process that owns the console we're using?
    WORD EnvironSelector;                   // B4h Selector containing process environment
    WORD ErrorMode;                         // B6h SetErrorMode value (also thunks to Win16)
    DWORD pevtLoadFinished;                 // B8h Pointer to event LoadFinished?
    // a source line before the closing brace (BCh onward) is not reproduced in this listing
} PROCESS_DATABASE, *PPROCESS_DATABASE;
//TIB (Thread Information Block) structure

// SEH_record: one node of the per-thread exception record list whose head
// TIB.pvExcept (00h) points at.
// NOTE(review): a source line between pNext and the closing brace is not
// reproduced in this listing, so the record as shown may be shorter than
// the real one; verify the full definition before relying on its size.
typedef struct _SEH_record
{
    struct _SEH_record *pNext;   // 00h  next record in the list
} SEH_record, *PSEH_record;
// This is semi-documented in the NTDDK.H file from the NT DDK
// TIB: Thread Information Block. THREAD_DATABASE embeds this same layout
// starting at its pvExcept member (10h-3Ch there), per the comment on it.
// NOTE(review): this listing is incomplete -- the members after pvTLSArray
// (30h onward) and the closing typedef are not reproduced.
typedef struct _TIB
{
    PSEH_record pvExcept;        // 00h Head of exception record list
    PVOID pvStackUserTop;        // 04h Top of user stack
    PVOID pvStackUserBase;       // 08h Base of user stack
    WORD pvTDB;                  // 0Ch TDB
    WORD pvThunksSS;             // 0Eh SS selector used for thunking to 16 bits
    DWORD SelmanList;            // 10h
    PVOID pvArbitrary;           // 14h Available for application use
    struct _tib *ptibSelf;       // 18h Linear address of TIB structure
                                 // NOTE(review): the tag is spelled "_tib", not "_TIB". C tags are
                                 // case-sensitive and no struct _tib is defined in this listing, so
                                 // this is a pointer to a separate incomplete type, not to _TIB;
                                 // "struct _TIB *" is presumably what was intended.
    WORD TIBFlags;               // 1Ch
    WORD Win16MutexCount;        // 1Eh
    DWORD DebugContext;          // 20h
    DWORD pCurrentPriority;      // 24h
    DWORD pvQueue;               // 28h Message Queue selector
    PVOID *pvTLSArray;           // 2Ch Thread Local Storage array
// TDBX: thread block that points back to its thread and process databases
// (ptdb/ppdb are declared DWORD but, per the original comments, hold a
// PTHREAD_DATABASE and a PPROCESS_DATABASE).
// NOTE(review): this listing is incomplete -- members at 0Ch, 48h-60h,
// 72h-74h and the closing typedef are not reproduced.
typedef struct _TDBX
{
    DWORD ptdb;                  // 00h PTHREAD_DATABASE
    DWORD ppdb;                  // 04h PPROCESS_DATABASE
    DWORD ContextHandle;         // 08h
    // 0Ch: member not reproduced in this listing
    DWORD TimeOutHandle;         // 10h
    DWORD WakeParam;             // 14h
    DWORD BlockHandle;           // 18h
    DWORD BlockState;            // 1Ch
    DWORD SuspendCount;          // 20h
    DWORD SuspendHandle;         // 24h
    DWORD MustCompleteCount;     // 28h
    DWORD WaitExFlags;           // 2Ch bit values:
    // 0x00000001 - WAITEXBIT
    // 0x00000002 - WAITACKBIT
    // 0x00000004 - SUSPEND_APC_PENDING
    // 0x00000008 - SUSPEND_TERMINATED
    // 0x00000010 - BLOCKED_FOR_TERMINATION
    // 0x00000020 - EMULATE_NPX
    // 0x00000040 - WIN32_NPX
    // 0x00000080 - EXTENDED_HANDLES
    // 0x00000100 - FROZEN
    // 0x00000200 - DONT_FREEZE
    // 0x00000400 - DONT_UNFREEZE
    // 0x00000800 - DONT_TRACE
    // 0x00001000 - STOP_TRACING
    // 0x00002000 - WAITING_FOR_CRST_SAFE
    // 0x00004000 - CRST_SAFE
    // 0x00040000 - BLOCK_TERMINATE_APC
    DWORD SyncWaitCount;         // 30h
    DWORD QueuedSyncFuncs;       // 34h
    DWORD UserAPCList;           // 38h
    DWORD KernAPCList;           // 3Ch
    DWORD pPMPSPSelector;        // 40h
    DWORD BlockedOnID;           // 44h
    // 48h-60h: members not reproduced in this listing
    DWORD TraceRefData;          // 64h
    DWORD TraceCallBack;         // 68h
    DWORD TraceEventHandle;      // 6Ch
    WORD TraceOutLastCS;         // 70h
    // 72h-74h: members not reproduced in this listing
    WORD DosPDBSeg;              // 76h
    WORD ExceptionCount;         // 78h
//Thread Database structure

// THREAD_DATABASE: KERNEL32's per-thread record. Offsets 10h-3Ch (pvExcept
// through pTLSArray) repeat the TIB layout, per the author's comment below.
// NOTE(review): this listing is incomplete -- the member at 00h (presumably
// Type, by analogy with PROCESS_DATABASE) and members at 1Ch, 28h, 44h (the
// flags word the fXXX comments below describe), 58h, 60h, 1C0h, 1C8h and
// 1F8h are not reproduced. The member offsets of this fragment therefore do
// not match the offset comments; restore the missing members before using
// it to overlay thread memory.
typedef struct _THREAD_DATABASE
{
    // 00h: member not reproduced in this listing
    DWORD cReference;                   // 04h
    PPROCESS_DATABASE pProcess;         // 08h
    DWORD someEvent;                    // 0Ch An event object (What's it used for???)
    DWORD pvExcept;                     // 10h This field through field 3CH is a TIB
                                        //     structure (see TIB.H)
    DWORD TopOfStack;                   // 14h
    DWORD StackLow;                     // 18h
    // 1Ch: member not reproduced in this listing
    WORD StackSelector16;               // 1Eh Used when thunking down to 16 bits
    DWORD SelmanList;                   // 20h
    DWORD UserPointer;                  // 24h
    // 28h: member not reproduced in this listing
    WORD TIBFlags;                      // 2Ch TIBF_WIN32 = 1, TIBF_TRAP = 2
    WORD Win16MutexCount;               // 2Eh
    DWORD DebugContext;                 // 30h
    PDWORD pCurrentPriority;            // 34h (declared DWORD at the matching TIB offset 24h)
    DWORD MessageQueue;                 // 38h
    DWORD pTLSArray;                    // 3Ch
    PPROCESS_DATABASE pProcess2;        // 40h Another copy of the thread's process???
    // 44h: flags word not reproduced in this listing; its bits are the
    // "Thread Database flags" macros defined above:
    // 0x00000001 - fCreateThreadEvent
    // 0x00000002 - fCancelExceptionAbort
    // 0x00000004 - fOnTempStack
    // 0x00000008 - fGrowableStack
    // 0x00000010 - fDelaySingleStep
    // 0x00000020 - fOpenExeAsImmovableFile
    // 0x00000040 - fCreateSuspended
    // 0x00000080 - fStackOverflow
    // 0x00000100 - fNestedCleanAPCs
    // 0x00000200 - fWasOemNowAnsi
    // 0x00000400 - fOKToSetThreadOem
    DWORD TerminationStatus;            // 48h Returned by GetExitCodeThread
    WORD TIBSelector;                   // 4Ch
    WORD EmulatorSelector;              // 4Eh
    DWORD cHandles;                     // 50h
    DWORD WaitNodeList;                 // 54h
    // 58h: member not reproduced in this listing
    DWORD Ring0Thread;                  // 5Ch
    // 60h: member not reproduced in this listing
    DWORD StackBase;                    // 64h
    DWORD TerminationStack;             // 68h
    DWORD EmulatorData;                 // 6Ch
    DWORD GetLastErrorCode;             // 70h
    DWORD DebuggerCB;                   // 74h
    DWORD DebuggerThread;               // 78h
    PCONTEXT ThreadContext;             // 7Ch register context defined in WINNT.H
    DWORD Except16List;                 // 80h
    DWORD ThunkConnect;                 // 84h
    DWORD NegStackBase;                 // 88h
    DWORD CurrentSS;                    // 8Ch
    DWORD SSTable;                      // 90h
    DWORD ThunkSS16;                    // 94h
    DWORD TLSArray[64];                 // 98h  (64 * 4 bytes, ends at 198h)
    DWORD DeltaPriority;                // 198h

    // The retail version breaks off somewhere around here.
    // All the remaining fields are most likely only in the debug version
    DWORD un5[7];                       // 19Ch
    DWORD pCreateData16;                // 1B8h
    DWORD APISuspendCount;              // 1BCh # of times SuspendThread has been called
    // 1C0h: member not reproduced in this listing
    DWORD WOWChain;                     // 1C4h
    // 1C8h: member not reproduced in this listing
    DWORD lp16SwitchRec;                // 1CCh
    DWORD un8[6];                       // 1D0h
    DWORD pSomeCritSect1;               // 1E8h
    DWORD pWin16Mutex;                  // 1ECh
    DWORD pWin32Mutex;                  // 1F0h
    DWORD pSomeCritSect2;               // 1F4h
    // 1F8h: member not reproduced in this listing
    DWORD ripString;                    // 1FCh
    DWORD LastTlsSetValueEIP[64];       // 200h (parallel to TlsArray, contains EIP
                                        //       where TLS value was last set from)
} THREAD_DATABASE, *PTHREAD_DATABASE;