477 lines
17 KiB
Rust
477 lines
17 KiB
Rust
use core::mem::size_of;
|
|
use crate::ntapi_base::CLIENT_ID32;
|
|
use crate::ntldr::{LDR_DDAG_STATE, LDR_DLL_LOAD_REASON};
|
|
use crate::ntpsapi::GDI_HANDLE_BUFFER32;
|
|
use crate::ntrtl::RTL_MAX_DRIVE_LETTERS;
|
|
use crate::string::{UTF16Const, UTF8Const};
|
|
use winapi::shared::guiddef::GUID;
|
|
use winapi::shared::ntdef::{
|
|
BOOLEAN, CHAR, LARGE_INTEGER, LCID, LIST_ENTRY32, LONG, NTSTATUS, PROCESSOR_NUMBER,
|
|
SINGLE_LIST_ENTRY32, STRING32, UCHAR, ULARGE_INTEGER, ULONG, ULONGLONG, UNICODE_STRING,
|
|
UNICODE_STRING32, USHORT, WCHAR,
|
|
};
|
|
use winapi::um::winnt::{FLS_MAXIMUM_AVAILABLE, NT_TIB32};
|
|
pub const WOW64_SYSTEM_DIRECTORY: UTF8Const = UTF8Const("SysWOW64\0");
|
|
/// "SysWOW64"
|
|
pub const WOW64_SYSTEM_DIRECTORY_U: UTF16Const = UTF16Const(&[
|
|
0x0053, 0x0079, 0x0073, 0x0057, 0x004F, 0x0057, 0x0036, 0x0034, 0u16,
|
|
]);
|
|
pub const WOW64_X86_TAG: UTF8Const = UTF8Const(" (x86)\0");
|
|
/// " (x86)"
|
|
pub const WOW64_X86_TAG_U: UTF16Const = UTF16Const(&[
|
|
0x0020, 0x0028, 0x0078, 0x0038, 0x0036, 0x0029, 0u16,
|
|
]);
|
|
ENUM!{enum WOW64_SHARED_INFORMATION {
|
|
SharedNtdll32LdrInitializeThunk = 0,
|
|
SharedNtdll32KiUserExceptionDispatcher = 1,
|
|
SharedNtdll32KiUserApcDispatcher = 2,
|
|
SharedNtdll32KiUserCallbackDispatcher = 3,
|
|
SharedNtdll32ExpInterlockedPopEntrySListFault = 4,
|
|
SharedNtdll32ExpInterlockedPopEntrySListResume = 5,
|
|
SharedNtdll32ExpInterlockedPopEntrySListEnd = 6,
|
|
SharedNtdll32RtlUserThreadStart = 7,
|
|
SharedNtdll32pQueryProcessDebugInformationRemote = 8,
|
|
SharedNtdll32BaseAddress = 9,
|
|
SharedNtdll32LdrSystemDllInitBlock = 10,
|
|
Wow64SharedPageEntriesCount = 11,
|
|
}}
|
|
STRUCT!{struct RTL_BALANCED_NODE32_u_s {
|
|
Left: ULONG, // WOW64_POINTER
|
|
Right: ULONG, // WOW64_POINTER
|
|
}}
|
|
UNION!{union RTL_BALANCED_NODE32_u {
|
|
Children: [ULONG; 2], // WOW64_POINTER
|
|
s: RTL_BALANCED_NODE32_u_s,
|
|
}}
|
|
STRUCT!{struct RTL_BALANCED_NODE32 {
|
|
u: RTL_BALANCED_NODE32_u,
|
|
ParentValue: ULONG,
|
|
}}
|
|
pub type PRTL_BALANCED_NODE32 = *mut RTL_BALANCED_NODE32;
|
|
STRUCT!{struct RTL_RB_TREE32 {
|
|
Root: ULONG, // WOW64_POINTER
|
|
Min: ULONG, // WOW64_POINTER
|
|
}}
|
|
pub type PRTL_RB_TREE32 = *mut RTL_RB_TREE32;
|
|
STRUCT!{struct PEB_LDR_DATA32 {
|
|
Length: ULONG,
|
|
Initialized: BOOLEAN,
|
|
SsHandle: ULONG,
|
|
InLoadOrderModuleList: LIST_ENTRY32,
|
|
InMemoryOrderModuleList: LIST_ENTRY32,
|
|
InInitializationOrderModuleList: LIST_ENTRY32,
|
|
EntryInProgress: ULONG,
|
|
ShutdownInProgress: BOOLEAN,
|
|
ShutdownThreadId: ULONG,
|
|
}}
|
|
pub type PPEB_LDR_DATA32 = *mut PEB_LDR_DATA32;
|
|
STRUCT!{struct LDR_SERVICE_TAG_RECORD32 {
|
|
Next: ULONG,
|
|
ServiceTag: ULONG,
|
|
}}
|
|
pub type PLDR_SERVICE_TAG_RECORD32 = *mut LDR_SERVICE_TAG_RECORD32;
|
|
STRUCT!{struct LDRP_CSLIST32 {
|
|
Tail: ULONG, // WOW64_POINTER
|
|
}}
|
|
pub type PLDRP_CSLIST32 = *mut LDRP_CSLIST32;
|
|
UNION!{union LDR_DDAG_NODE32_u {
|
|
Dependencies: LDRP_CSLIST32,
|
|
RemovalLink: SINGLE_LIST_ENTRY32,
|
|
}}
|
|
STRUCT!{struct LDR_DDAG_NODE32 {
|
|
Modules: LIST_ENTRY32,
|
|
ServiceTagList: ULONG, // WOW64_POINTER
|
|
LoadCount: ULONG,
|
|
LoadWhileUnloadingCount: ULONG,
|
|
LowestLink: ULONG,
|
|
u: LDR_DDAG_NODE32_u,
|
|
IncomingDependencies: LDRP_CSLIST32,
|
|
State: LDR_DDAG_STATE,
|
|
CondenseLink: SINGLE_LIST_ENTRY32,
|
|
PreorderNumber: ULONG,
|
|
}}
|
|
pub type PLDR_DDAG_NODE32 = *mut LDR_DDAG_NODE32;
|
|
pub const LDR_DATA_TABLE_ENTRY_SIZE_WINXP_32: usize = 80;
|
|
pub const LDR_DATA_TABLE_ENTRY_SIZE_WIN7_32: usize = 144;
|
|
pub const LDR_DATA_TABLE_ENTRY_SIZE_WIN8_32: usize = 152;
|
|
UNION!{union LDR_DATA_TABLE_ENTRY32_u1 {
|
|
InInitializationOrderLinks: LIST_ENTRY32,
|
|
InProgressLinks: LIST_ENTRY32,
|
|
}}
|
|
UNION!{union LDR_DATA_TABLE_ENTRY32_u2 {
|
|
FlagGroup: [UCHAR; 4],
|
|
Flags: ULONG,
|
|
}}
|
|
STRUCT!{struct LDR_DATA_TABLE_ENTRY32 {
|
|
InLoadOrderLinks: LIST_ENTRY32,
|
|
InMemoryOrderLinks: LIST_ENTRY32,
|
|
u1: LDR_DATA_TABLE_ENTRY32_u1,
|
|
DllBase: ULONG, // WOW64_POINTER
|
|
EntryPoint: ULONG, // WOW64_POINTER
|
|
SizeOfImage: ULONG,
|
|
FullDllName: UNICODE_STRING32,
|
|
BaseDllName: UNICODE_STRING32,
|
|
u2: LDR_DATA_TABLE_ENTRY32_u2,
|
|
ObsoleteLoadCount: USHORT,
|
|
TlsIndex: USHORT,
|
|
HashLinks: LIST_ENTRY32,
|
|
TimeDateStamp: ULONG,
|
|
EntryPointActivationContext: ULONG, // WOW64_POINTER
|
|
Lock: ULONG, // WOW64_POINTER
|
|
DdagNode: ULONG, // WOW64_POINTER
|
|
NodeModuleLink: LIST_ENTRY32,
|
|
LoadContext: ULONG, // WOW64_POINTER
|
|
ParentDllBase: ULONG, // WOW64_POINTER
|
|
SwitchBackContext: ULONG, // WOW64_POINTER
|
|
BaseAddressIndexNode: RTL_BALANCED_NODE32,
|
|
MappingInfoIndexNode: RTL_BALANCED_NODE32,
|
|
OriginalBase: ULONG,
|
|
LoadTime: LARGE_INTEGER,
|
|
BaseNameHashValue: ULONG,
|
|
LoadReason: LDR_DLL_LOAD_REASON,
|
|
ImplicitPathOptions: ULONG,
|
|
ReferenceCount: ULONG,
|
|
DependentLoadFlags: ULONG,
|
|
SigningLevel: UCHAR,
|
|
}}
|
|
BITFIELD!{unsafe LDR_DATA_TABLE_ENTRY32_u2 Flags: ULONG [
|
|
PackagedBinary set_PackagedBinary[0..1],
|
|
MarkedForRemoval set_MarkedForRemoval[1..2],
|
|
ImageDll set_ImageDll[2..3],
|
|
LoadNotificationsSent set_LoadNotificationsSent[3..4],
|
|
TelemetryEntryProcessed set_TelemetryEntryProcessed[4..5],
|
|
ProcessStaticImport set_ProcessStaticImport[5..6],
|
|
InLegacyLists set_InLegacyLists[6..7],
|
|
InIndexes set_InIndexes[7..8],
|
|
ShimDll set_ShimDll[8..9],
|
|
InExceptionTable set_InExceptionTable[9..10],
|
|
ReservedFlags1 set_ReservedFlags1[10..12],
|
|
LoadInProgress set_LoadInProgress[12..13],
|
|
LoadConfigProcessed set_LoadConfigProcessed[13..14],
|
|
EntryProcessed set_EntryProcessed[14..15],
|
|
ProtectDelayLoad set_ProtectDelayLoad[15..16],
|
|
ReservedFlags3 set_ReservedFlags3[16..18],
|
|
DontCallForThreads set_DontCallForThreads[18..19],
|
|
ProcessAttachCalled set_ProcessAttachCalled[19..20],
|
|
ProcessAttachFailed set_ProcessAttachFailed[20..21],
|
|
CorDeferredValidate set_CorDeferredValidate[21..22],
|
|
CorImage set_CorImage[22..23],
|
|
DontRelocate set_DontRelocate[23..24],
|
|
CorILOnly set_CorILOnly[24..25],
|
|
ReservedFlags5 set_ReservedFlags5[25..28],
|
|
Redirected set_Redirected[28..29],
|
|
ReservedFlags6 set_ReservedFlags6[29..31],
|
|
CompatDatabaseProcessed set_CompatDatabaseProcessed[31..32],
|
|
]}
|
|
pub type PLDR_DATA_TABLE_ENTRY32 = *mut LDR_DATA_TABLE_ENTRY32;
|
|
STRUCT!{struct CURDIR32 {
|
|
DosPath: UNICODE_STRING32,
|
|
Handle: ULONG, // WOW64_POINTER
|
|
}}
|
|
pub type PCURDIR32 = *mut CURDIR32;
|
|
STRUCT!{struct RTL_DRIVE_LETTER_CURDIR32 {
|
|
Flags: USHORT,
|
|
Length: USHORT,
|
|
TimeStamp: ULONG,
|
|
DosPath: STRING32,
|
|
}}
|
|
pub type PRTL_DRIVE_LETTER_CURDIR32 = *mut RTL_DRIVE_LETTER_CURDIR32;
|
|
STRUCT!{struct RTL_USER_PROCESS_PARAMETERS32 {
|
|
MaximumLength: ULONG,
|
|
Length: ULONG,
|
|
Flags: ULONG,
|
|
DebugFlags: ULONG,
|
|
ConsoleHandle: ULONG, // WOW64_POINTER
|
|
ConsoleFlags: ULONG,
|
|
StandardInput: ULONG, // WOW64_POINTER
|
|
StandardOutput: ULONG, // WOW64_POINTER
|
|
StandardError: ULONG, // WOW64_POINTER
|
|
CurrentDirectory: CURDIR32,
|
|
DllPath: UNICODE_STRING32,
|
|
ImagePathName: UNICODE_STRING32,
|
|
CommandLine: UNICODE_STRING32,
|
|
Environment: ULONG, // WOW64_POINTER
|
|
StartingX: ULONG,
|
|
StartingY: ULONG,
|
|
CountX: ULONG,
|
|
CountY: ULONG,
|
|
CountCharsX: ULONG,
|
|
CountCharsY: ULONG,
|
|
FillAttribute: ULONG,
|
|
WindowFlags: ULONG,
|
|
ShowWindowFlags: ULONG,
|
|
WindowTitle: UNICODE_STRING32,
|
|
DesktopInfo: UNICODE_STRING32,
|
|
ShellInfo: UNICODE_STRING32,
|
|
RuntimeData: UNICODE_STRING32,
|
|
CurrentDirectories: [RTL_DRIVE_LETTER_CURDIR32; RTL_MAX_DRIVE_LETTERS],
|
|
EnvironmentSize: ULONG,
|
|
EnvironmentVersion: ULONG,
|
|
PackageDependencyData: ULONG, // WOW64_POINTER
|
|
ProcessGroupId: ULONG,
|
|
LoaderThreads: ULONG,
|
|
}}
|
|
pub type PRTL_USER_PROCESS_PARAMETERS32 = *mut RTL_USER_PROCESS_PARAMETERS32;
|
|
UNION!{union PEB32_u {
|
|
KernelCallbackTable: ULONG, // WOW64_POINTER
|
|
UserSharedInfoPtr: ULONG, // WOW64_POINTER
|
|
}}
|
|
STRUCT!{struct PEB32 {
|
|
InheritedAddressSpace: BOOLEAN,
|
|
ReadImageFileExecOptions: BOOLEAN,
|
|
BeingDebugged: BOOLEAN,
|
|
BitField: BOOLEAN,
|
|
Mutant: ULONG, // WOW64_POINTER
|
|
ImageBaseAddress: ULONG, // WOW64_POINTER
|
|
Ldr: ULONG, // WOW64_POINTER
|
|
ProcessParameters: ULONG, // WOW64_POINTER
|
|
SubSystemData: ULONG, // WOW64_POINTER
|
|
ProcessHeap: ULONG, // WOW64_POINTER
|
|
FastPebLock: ULONG, // WOW64_POINTER
|
|
AtlThunkSListPtr: ULONG, // WOW64_POINTER
|
|
IFEOKey: ULONG, // WOW64_POINTER
|
|
CrossProcessFlags: ULONG,
|
|
u: PEB32_u,
|
|
SystemReserved: [ULONG; 1],
|
|
AtlThunkSListPtr32: ULONG,
|
|
ApiSetMap: ULONG, // WOW64_POINTER
|
|
TlsExpansionCounter: ULONG,
|
|
TlsBitmap: ULONG, // WOW64_POINTER
|
|
TlsBitmapBits: [ULONG; 2],
|
|
ReadOnlySharedMemoryBase: ULONG, // WOW64_POINTER
|
|
HotpatchInformation: ULONG, // WOW64_POINTER
|
|
ReadOnlyStaticServerData: ULONG, // WOW64_POINTER
|
|
AnsiCodePageData: ULONG, // WOW64_POINTER
|
|
OemCodePageData: ULONG, // WOW64_POINTER
|
|
UnicodeCaseTableData: ULONG, // WOW64_POINTER
|
|
NumberOfProcessors: ULONG,
|
|
NtGlobalFlag: ULONG,
|
|
CriticalSectionTimeout: LARGE_INTEGER,
|
|
HeapSegmentReserve: ULONG,
|
|
HeapSegmentCommit: ULONG,
|
|
HeapDeCommitTotalFreeThreshold: ULONG,
|
|
HeapDeCommitFreeBlockThreshold: ULONG,
|
|
NumberOfHeaps: ULONG,
|
|
MaximumNumberOfHeaps: ULONG,
|
|
ProcessHeaps: ULONG, // WOW64_POINTER
|
|
GdiSharedHandleTable: ULONG, // WOW64_POINTER
|
|
ProcessStarterHelper: ULONG, // WOW64_POINTER
|
|
GdiDCAttributeList: ULONG,
|
|
LoaderLock: ULONG, // WOW64_POINTER
|
|
OSMajorVersion: ULONG,
|
|
OSMinorVersion: ULONG,
|
|
OSBuildNumber: USHORT,
|
|
OSCSDVersion: USHORT,
|
|
OSPlatformId: ULONG,
|
|
ImageSubsystem: ULONG,
|
|
ImageSubsystemMajorVersion: ULONG,
|
|
ImageSubsystemMinorVersion: ULONG,
|
|
ActiveProcessAffinityMask: ULONG,
|
|
GdiHandleBuffer: GDI_HANDLE_BUFFER32,
|
|
PostProcessInitRoutine: ULONG, // WOW64_POINTER
|
|
TlsExpansionBitmap: ULONG, // WOW64_POINTER
|
|
TlsExpansionBitmapBits: [ULONG; 32],
|
|
SessionId: ULONG,
|
|
AppCompatFlags: ULARGE_INTEGER,
|
|
AppCompatFlagsUser: ULARGE_INTEGER,
|
|
pShimData: ULONG, // WOW64_POINTER
|
|
AppCompatInfo: ULONG, // WOW64_POINTER
|
|
CSDVersion: UNICODE_STRING32,
|
|
ActivationContextData: ULONG, // WOW64_POINTER
|
|
ProcessAssemblyStorageMap: ULONG, // WOW64_POINTER
|
|
SystemDefaultActivationContextData: ULONG, // WOW64_POINTER
|
|
SystemAssemblyStorageMap: ULONG, // WOW64_POINTER
|
|
MinimumStackCommit: ULONG,
|
|
FlsCallback: ULONG, // WOW64_POINTER
|
|
FlsListHead: LIST_ENTRY32,
|
|
FlsBitmap: ULONG, // WOW64_POINTER
|
|
FlsBitmapBits: [ULONG; FLS_MAXIMUM_AVAILABLE as usize / (size_of::<ULONG>() * 8)],
|
|
FlsHighIndex: ULONG,
|
|
WerRegistrationData: ULONG, // WOW64_POINTER
|
|
WerShipAssertPtr: ULONG, // WOW64_POINTER
|
|
pContextData: ULONG, // WOW64_POINTER
|
|
pImageHeaderHash: ULONG, // WOW64_POINTER
|
|
TracingFlags: ULONG,
|
|
CsrServerReadOnlySharedMemoryBase: ULONGLONG,
|
|
TppWorkerpListLock: ULONG, // WOW64_POINTER
|
|
TppWorkerpList: LIST_ENTRY32,
|
|
WaitOnAddressHashTable: [ULONG; 128], // WOW64_POINTER
|
|
TelemetryCoverageHeader: ULONG, // WOW64_POINTER
|
|
CloudFileFlags: ULONG,
|
|
CloudFileDiagFlags: ULONG,
|
|
PlaceholderCompatibilityMode: CHAR,
|
|
PlaceholderCompatibilityModeReserved: [CHAR; 7],
|
|
}}
|
|
BITFIELD!{PEB32 BitField: BOOLEAN [
|
|
ImageUsesLargePages set_ImageUsesLargePages[0..1],
|
|
IsProtectedProcess set_IsProtectedProcess[1..2],
|
|
IsImageDynamicallyRelocated set_IsImageDynamicallyRelocated[2..3],
|
|
SkipPatchingUser32Forwarders set_SkipPatchingUser32Forwarders[3..4],
|
|
IsPackagedProcess set_IsPackagedProcess[4..5],
|
|
IsAppContainer set_IsAppContainer[5..6],
|
|
IsProtectedProcessLight set_IsProtectedProcessLight[6..7],
|
|
IsLongPathAwareProcess set_IsLongPathAwareProcess[7..8],
|
|
]}
|
|
BITFIELD!{PEB32 CrossProcessFlags: ULONG [
|
|
ProcessInJob set_ProcessInJob[0..1],
|
|
ProcessInitializing set_ProcessInitializing[1..2],
|
|
ProcessUsingVEH set_ProcessUsingVEH[2..3],
|
|
ProcessUsingVCH set_ProcessUsingVCH[3..4],
|
|
ProcessUsingFTH set_ProcessUsingFTH[4..5],
|
|
ReservedBits0 set_ReservedBits0[5..32],
|
|
]}
|
|
BITFIELD!{PEB32 TracingFlags: ULONG [
|
|
HeapTracingEnabled set_HeapTracingEnabled[0..1],
|
|
CritSecTracingEnabled set_CritSecTracingEnabled[1..2],
|
|
LibLoaderTracingEnabled set_LibLoaderTracingEnabled[2..3],
|
|
SpareTracingBits set_SpareTracingBits[3..32],
|
|
]}
|
|
pub type PPEB32 = *mut PEB32;
|
|
pub const GDI_BATCH_BUFFER_SIZE: usize = 310;
|
|
STRUCT!{struct GDI_TEB_BATCH32 {
|
|
Offset: ULONG,
|
|
HDC: ULONG,
|
|
Buffer: [ULONG; GDI_BATCH_BUFFER_SIZE],
|
|
}}
|
|
pub type PGDI_TEB_BATCH32 = *mut GDI_TEB_BATCH32;
|
|
STRUCT!{struct TEB32_u_s {
|
|
ReservedPad0: UCHAR,
|
|
ReservedPad1: UCHAR,
|
|
ReservedPad2: UCHAR,
|
|
IdealProcessor: UCHAR,
|
|
}}
|
|
UNION!{union TEB32_u {
|
|
CurrentIdealProcessor: PROCESSOR_NUMBER,
|
|
IdealProcessorValue: ULONG,
|
|
s: TEB32_u_s,
|
|
}}
|
|
STRUCT!{struct TEB32 {
|
|
NtTib: NT_TIB32,
|
|
EnvironmentPointer: ULONG, // WOW64_POINTER
|
|
ClientId: CLIENT_ID32,
|
|
ActiveRpcHandle: ULONG, // WOW64_POINTER
|
|
ThreadLocalStoragePointer: ULONG, // WOW64_POINTER
|
|
ProcessEnvironmentBlock: ULONG, // WOW64_POINTER
|
|
LastErrorValue: ULONG,
|
|
CountOfOwnedCriticalSections: ULONG,
|
|
CsrClientThread: ULONG, // WOW64_POINTER
|
|
Win32ThreadInfo: ULONG, // WOW64_POINTER
|
|
User32Reserved: [ULONG; 26],
|
|
UserReserved: [ULONG; 5],
|
|
WOW32Reserved: ULONG, // WOW64_POINTER
|
|
CurrentLocale: LCID,
|
|
FpSoftwareStatusRegister: ULONG,
|
|
ReservedForDebuggerInstrumentation: [ULONG; 16], // WOW64_POINTER
|
|
SystemReserved1: [ULONG; 36], // WOW64_POINTER
|
|
WorkingOnBehalfTicket: [UCHAR; 8],
|
|
ExceptionCode: NTSTATUS,
|
|
ActivationContextStackPointer: ULONG, // WOW64_POINTER
|
|
InstrumentationCallbackSp: ULONG,
|
|
InstrumentationCallbackPreviousPc: ULONG,
|
|
InstrumentationCallbackPreviousSp: ULONG,
|
|
InstrumentationCallbackDisabled: BOOLEAN,
|
|
SpareBytes: [UCHAR; 23],
|
|
TxFsContext: ULONG,
|
|
GdiTebBatch: GDI_TEB_BATCH32,
|
|
RealClientId: CLIENT_ID32,
|
|
GdiCachedProcessHandle: ULONG, // WOW64_POINTER
|
|
GdiClientPID: ULONG,
|
|
GdiClientTID: ULONG,
|
|
GdiThreadLocalInfo: ULONG, // WOW64_POINTER
|
|
Win32ClientInfo: [ULONG; 62],
|
|
glDispatchTable: [ULONG; 233], // WOW64_POINTER
|
|
glReserved1: [ULONG; 29], // WOW64_POINTER
|
|
glReserved2: ULONG, // WOW64_POINTER
|
|
glSectionInfo: ULONG, // WOW64_POINTER
|
|
glSection: ULONG, // WOW64_POINTER
|
|
glTable: ULONG, // WOW64_POINTER
|
|
glCurrentRC: ULONG, // WOW64_POINTER
|
|
glContext: ULONG, // WOW64_POINTER
|
|
LastStatusValue: NTSTATUS,
|
|
StaticUnicodeString: UNICODE_STRING32,
|
|
StaticUnicodeBuffer: [WCHAR; 261],
|
|
DeallocationStack: ULONG, // WOW64_POINTER
|
|
TlsSlots: [ULONG; 64], // WOW64_POINTER
|
|
TlsLinks: LIST_ENTRY32,
|
|
Vdm: ULONG, // WOW64_POINTER
|
|
ReservedForNtRpc: ULONG, // WOW64_POINTER
|
|
DbgSsReserved: [ULONG; 2], // WOW64_POINTER
|
|
HardErrorMode: ULONG,
|
|
Instrumentation: [ULONG; 9], // WOW64_POINTER
|
|
ActivityId: GUID,
|
|
SubProcessTag: ULONG, // WOW64_POINTER
|
|
PerflibData: ULONG, // WOW64_POINTER
|
|
EtwTraceData: ULONG, // WOW64_POINTER
|
|
WinSockData: ULONG, // WOW64_POINTER
|
|
GdiBatchCount: ULONG,
|
|
u: TEB32_u,
|
|
GuaranteedStackBytes: ULONG,
|
|
ReservedForPerf: ULONG, // WOW64_POINTER
|
|
ReservedForOle: ULONG, // WOW64_POINTER
|
|
WaitingOnLoaderLock: ULONG,
|
|
SavedPriorityState: ULONG, // WOW64_POINTER
|
|
ReservedForCodeCoverage: ULONG,
|
|
ThreadPoolData: ULONG, // WOW64_POINTER
|
|
TlsExpansionSlots: ULONG, // WOW64_POINTER
|
|
MuiGeneration: ULONG,
|
|
IsImpersonating: ULONG,
|
|
NlsCache: ULONG, // WOW64_POINTER
|
|
pShimData: ULONG, // WOW64_POINTER
|
|
HeapVirtualAffinity: USHORT,
|
|
LowFragHeapDataSlot: USHORT,
|
|
CurrentTransactionHandle: ULONG, // WOW64_POINTER
|
|
ActiveFrame: ULONG, // WOW64_POINTER
|
|
FlsData: ULONG, // WOW64_POINTER
|
|
PreferredLanguages: ULONG, // WOW64_POINTER
|
|
UserPrefLanguages: ULONG, // WOW64_POINTER
|
|
MergedPrefLanguages: ULONG, // WOW64_POINTER
|
|
MuiImpersonation: ULONG,
|
|
CrossTebFlags: USHORT,
|
|
SameTebFlags: USHORT,
|
|
TxnScopeEnterCallback: ULONG, // WOW64_POINTER
|
|
TxnScopeExitCallback: ULONG, // WOW64_POINTER
|
|
TxnScopeContext: ULONG, // WOW64_POINTER
|
|
LockCount: ULONG,
|
|
WowTebOffset: LONG,
|
|
ResourceRetValue: ULONG, // WOW64_POINTER
|
|
ReservedForWdf: ULONG, // WOW64_POINTER
|
|
ReservedForCrt: ULONGLONG,
|
|
EffectiveContainerId: GUID,
|
|
}}
|
|
BITFIELD!{TEB32 SameTebFlags: USHORT [
|
|
SafeThunkCall set_SafeThunkCall[0..1],
|
|
InDebugPrint set_InDebugPrint[1..2],
|
|
HasFiberData set_HasFiberData[2..3],
|
|
SkipThreadAttach set_SkipThreadAttach[3..4],
|
|
WerInShipAssertCode set_WerInShipAssertCode[4..5],
|
|
RanProcessInit set_RanProcessInit[5..6],
|
|
ClonedThread set_ClonedThread[6..7],
|
|
SuppressDebugMsg set_SuppressDebugMsg[7..8],
|
|
DisableUserStackWalk set_DisableUserStackWalk[8..9],
|
|
RtlExceptionAttached set_RtlExceptionAttached[9..10],
|
|
InitialThread set_InitialThread[10..11],
|
|
SessionAware set_SessionAware[11..12],
|
|
LoadOwner set_LoadOwner[12..13],
|
|
LoaderWorker set_LoaderWorker[13..14],
|
|
SpareSameTebBits set_SpareSameTebBits[14..16],
|
|
]}
|
|
pub type PTEB32 = *mut TEB32;
|
|
#[inline]
|
|
pub fn UStr32ToUStr(
|
|
Destination: &mut UNICODE_STRING,
|
|
Source: &UNICODE_STRING32,
|
|
) {
|
|
Destination.Length = Source.Length;
|
|
Destination.MaximumLength = Source.MaximumLength;
|
|
Destination.Buffer = Source.Buffer as *mut u16;
|
|
}
|
|
#[inline]
|
|
pub fn UStrToUStr32(
|
|
Destination: &mut UNICODE_STRING32,
|
|
Source: &UNICODE_STRING,
|
|
) {
|
|
Destination.Length = Source.Length;
|
|
Destination.MaximumLength = Source.MaximumLength;
|
|
Destination.Buffer = Source.Buffer as u32;
|
|
}
|