Skip to content

Instantly share code, notes, and snippets.

@andreafioraldi

andreafioraldi/peb_defs.h

Last active February 7, 2020 13:28
Show Gist options
  • Save andreafioraldi/c87810dc8e1896dbf104ec4c7a36743d to your computer and use it in GitHub Desktop.
Save andreafioraldi/c87810dc8e1896dbf104ec4c7a36743d to your computer and use it in GitHub Desktop.
Download ZIP
Raw
peb_defs.h
// -----------------------------------------------------
// Common definitions outside Ghidra
// -----------------------------------------------------
typedef unsigned char byte;
typedef long long longlong;
typedef unsigned char uchar;
typedef unsigned int uint;
typedef unsigned long ulong;
typedef unsigned long long ulonglong;
typedef unsigned char undefined;
typedef unsigned char undefined1;
typedef unsigned short undefined2;
typedef unsigned int undefined4;
typedef unsigned long long undefined6;
typedef unsigned long long undefined8;
typedef unsigned short ushort;
typedef short wchar_t;
// -----------------------------------------------------
// Common typedefs
// -----------------------------------------------------
typedef union _LARGE_INTEGER _LARGE_INTEGER, *P_LARGE_INTEGER;
typedef union _ULARGE_INTEGER _ULARGE_INTEGER, *P_ULARGE_INTEGER;
typedef struct _STRING _STRING, *P_STRING;
typedef struct _UNICODE_STRING _UNICODE_STRING, *P_UNICODE_STRING;
typedef struct _LIST_ENTRY _LIST_ENTRY, *P_LIST_ENTRY;
typedef struct _SINGLE_LIST_ENTRY _SINGLE_LIST_ENTRY, *P_SINGLE_LIST_ENTRY;
typedef union _SLIST_HEADER _SLIST_HEADER, *P_SLIST_HEADER;
typedef struct _ACTIVATION_CONTEXT _ACTIVATION_CONTEXT, *P_ACTIVATION_CONTEXT;
typedef struct _ACTIVATION_CONTEXT_DATA _ACTIVATION_CONTEXT_DATA, *P_ACTIVATION_CONTEXT_DATA;
typedef struct _ASSEMBLY_STORAGE_MAP _ASSEMBLY_STORAGE_MAP, *P_ASSEMBLY_STORAGE_MAP;
typedef struct _FLS_CALLBACK_INFO _FLS_CALLBACK_INFO, *P_FLS_CALLBACK_INFO;
typedef struct _LEAP_SECOND_DATA _LEAP_SECOND_DATA, *P_LEAP_SECOND_DATA;
// -----------------------------------------------------
// Common structures
// -----------------------------------------------------
struct _struct_1262 {
ulong LowPart;
long HighPart;
};
struct _struct_1263 {
ulong LowPart;
long HighPart;
};
union _union_1261 {
struct _struct_1262 field0;
struct _struct_1263 u;
longlong QuadPart;
};
union _LARGE_INTEGER {
union _union_1261 field0;
};
struct _struct_1319 {
ulong LowPart;
ulong HighPart;
};
struct _struct_1320 {
ulong LowPart;
ulong HighPart;
};
union _union_1318 {
struct _struct_1319 field0;
struct _struct_1320 u;
ulonglong QuadPart;
};
union _ULARGE_INTEGER {
union _union_1318 field0;
};
struct _STRING {
ushort Length;
ushort MaximumLength;
char * Buffer;
};
struct _UNICODE_STRING {
ushort Length;
ushort MaximumLength;
wchar_t * Buffer;
};
struct _LIST_ENTRY {
struct _LIST_ENTRY * Flink;
struct _LIST_ENTRY * Blink;
};
struct _SINGLE_LIST_ENTRY {
struct _SINGLE_LIST_ENTRY * Next;
};
struct _struct_1271 {
struct _SINGLE_LIST_ENTRY Next;
ushort Depth;
ushort CpuId;
};
union _union_1270 {
ulonglong Alignment;
struct _struct_1271 field1;
};
union _SLIST_HEADER {
union _union_1270 field0;
};
struct _ACTIVATION_CONTEXT {
};
struct _ACTIVATION_CONTEXT_DATA {
};
struct _ASSEMBLY_STORAGE_MAP {
};
struct _FLS_CALLBACK_INFO {
};
struct _LEAP_SECOND_DATA {
uchar Enabled;
char Padding_35[3];
ulong Count;
union _LARGE_INTEGER Data[1];
};
// -----------------------------------------------------
// RTL typedefs
// -----------------------------------------------------
typedef struct _RTL_BALANCED_NODE _RTL_BALANCED_NODE, *P_RTL_BALANCED_NODE;
typedef struct _CURDIR _CURDIR, *P_CURDIR;
typedef struct _RTL_USER_PROCESS_PARAMETERS _RTL_USER_PROCESS_PARAMETERS, *P_RTL_USER_PROCESS_PARAMETERS;
typedef struct _RTL_DRIVE_LETTER_CURDIR _RTL_DRIVE_LETTER_CURDIR, *P_RTL_DRIVE_LETTER_CURDIR;
typedef struct _RTL_CRITICAL_SECTION _RTL_CRITICAL_SECTION, *P_RTL_CRITICAL_SECTION;
typedef struct _RTL_CRITICAL_SECTION_DEBUG _RTL_CRITICAL_SECTION_DEBUG, *P_RTL_CRITICAL_SECTION_DEBUG;
// -----------------------------------------------------
// RTL structures
// -----------------------------------------------------
union _union_9975 {
uchar Red:1; // : bits 0
uchar Balance:2; // : bits 1-2
ulong ParentValue;
};
struct _struct_9972 {
struct _RTL_BALANCED_NODE * Left;
struct _RTL_BALANCED_NODE * Right;
};
union _union_9970 {
struct _RTL_BALANCED_NODE * Children[2];
struct _struct_9972 field1;
};
struct _RTL_BALANCED_NODE {
union _union_9970 field_0x0;
union _union_9975 field_0x8;
};
struct _CURDIR {
struct _UNICODE_STRING DosPath;
void * Handle;
};
struct _RTL_DRIVE_LETTER_CURDIR {
ushort Flags;
ushort Length;
ulong TimeStamp;
struct _STRING DosPath;
};
struct _RTL_USER_PROCESS_PARAMETERS {
ulong MaximumLength;
ulong Length;
ulong Flags;
ulong DebugFlags;
void * ConsoleHandle;
ulong ConsoleFlags;
void * StandardInput;
void * StandardOutput;
void * StandardError;
struct _CURDIR CurrentDirectory;
struct _UNICODE_STRING DllPath;
struct _UNICODE_STRING ImagePathName;
struct _UNICODE_STRING CommandLine;
void * Environment;
ulong StartingX;
ulong StartingY;
ulong CountX;
ulong CountY;
ulong CountCharsX;
ulong CountCharsY;
ulong FillAttribute;
ulong WindowFlags;
ulong ShowWindowFlags;
struct _UNICODE_STRING WindowTitle;
struct _UNICODE_STRING DesktopInfo;
struct _UNICODE_STRING ShellInfo;
struct _UNICODE_STRING RuntimeData;
struct _RTL_DRIVE_LETTER_CURDIR CurrentDirectores[32];
ulong EnvironmentSize;
ulong EnvironmentVersion;
void * PackageDependencyData;
ulong ProcessGroupId;
ulong LoaderThreads;
struct _UNICODE_STRING RedirectionDllName;
};
struct _RTL_CRITICAL_SECTION_DEBUG {
ushort Type;
ushort CreatorBackTraceIndex;
struct _RTL_CRITICAL_SECTION * CriticalSection;
struct _LIST_ENTRY ProcessLocksList;
ulong EntryCount;
ulong ContentionCount;
ulong Flags;
ushort CreatorBackTraceIndexHigh;
ushort SpareUSHORT;
};
struct _RTL_CRITICAL_SECTION {
struct _RTL_CRITICAL_SECTION_DEBUG * DebugInfo;
long LockCount;
long RecursionCount;
void * OwningThread;
void * LockSemaphore;
ulong SpinCount;
};
// -----------------------------------------------------
// LDR typedefs
// -----------------------------------------------------
typedef struct _LDR_DATA_TABLE_ENTRY _LDR_DATA_TABLE_ENTRY, *P_LDR_DATA_TABLE_ENTRY;
typedef struct _LDR_DATA_TABLE_ENTRY_0x8 _LDR_DATA_TABLE_ENTRY_0x8, *P_LDR_DATA_TABLE_ENTRY_0x8;
typedef struct _LDR_DATA_TABLE_ENTRY_0x10 _LDR_DATA_TABLE_ENTRY_0x10, *P_LDR_DATA_TABLE_ENTRY_0x10;
typedef struct _LDR_SERVICE_TAG_RECORD _LDR_SERVICE_TAG_RECORD, *P_LDR_SERVICE_TAG_RECORD;
typedef struct _LDR_DDAG_NODE _LDR_DDAG_NODE, *P_LDR_DDAG_NODE;
typedef struct _LDRP_LOAD_CONTEXT _LDRP_LOAD_CONTEXT, *P_LDRP_LOAD_CONTEXT;
typedef enum _LDR_DLL_LOAD_REASON {
LoadReasonAsDataLoad=6,
LoadReasonAsImageLoad=5,
LoadReasonDelayloadDependency=3,
LoadReasonDynamicForwarderDependency=2,
LoadReasonDynamicLoad=4,
LoadReasonEnclaveDependency=8,
LoadReasonEnclavePrimary=7,
LoadReasonStaticDependency=0,
LoadReasonStaticForwarderDependency=1,
LoadReasonUnknown=9
} _LDR_DLL_LOAD_REASON;
typedef enum _LDR_DDAG_STATE {
LdrModulesCondensed=6,
LdrModulesInitError=1,
LdrModulesInitializing=8,
LdrModulesMapped=2,
LdrModulesMapping=1,
LdrModulesMerged=0,
LdrModulesPlaceHolder=0,
LdrModulesReadyToInit=7,
LdrModulesReadyToRun=9,
LdrModulesSnapError=2,
LdrModulesSnapped=5,
LdrModulesSnapping=4,
LdrModulesUnloaded=3,
LdrModulesUnloading=4,
LdrModulesWaitingForDependencies=3
} _LDR_DDAG_STATE;
// -----------------------------------------------------
// LDR structures
// -----------------------------------------------------
struct _LDRP_CSLIST {
struct _SINGLE_LIST_ENTRY * Tail;
};
struct _LDR_SERVICE_TAG_RECORD {
struct _LDR_SERVICE_TAG_RECORD * Next;
ulong ServiceTag;
};
struct _LDR_DDAG_NODE {
struct _LIST_ENTRY Modules;
struct _LDR_SERVICE_TAG_RECORD * ServiceTagList;
ulong LoadCount;
ulong LoadWhileUnloadingCount;
ulong LowestLink;
struct _LDRP_CSLIST Dependencies;
struct _LDRP_CSLIST IncomingDependencies;
enum _LDR_DDAG_STATE State;
struct _SINGLE_LIST_ENTRY CondenseLink;
ulong PreorderNumber;
};
struct _LDR_DATA_TABLE_ENTRY {
struct _LIST_ENTRY InLoadOrderLinks;
struct _LIST_ENTRY InMemoryOrderLinks;
struct _LIST_ENTRY InInitializationOrderLinks;
void * DllBase;
void * EntryPoint;
ulong SizeOfImage;
struct _UNICODE_STRING FullDllName;
struct _UNICODE_STRING BaseDllName;
union _union_9066 field_0x24;
ushort ObsoleteLoadCount;
ushort TlsIndex;
struct _LIST_ENTRY HashLinks;
ulong TimeDateStamp;
struct _ACTIVATION_CONTEXT * EntryPointActivationContext;
void * Lock;
struct _LDR_DDAG_NODE * DdagNode;
struct _LIST_ENTRY NodeModuleLink;
struct _LDRP_LOAD_CONTEXT * LoadContext;
void * ParentDllBase;
void * SwitchBackContext;
struct _RTL_BALANCED_NODE BaseAddressIndexNode;
struct _RTL_BALANCED_NODE MappingInfoIndexNode;
ulong OriginalBase;
long Padding_84;
union _LARGE_INTEGER LoadTime;
ulong BaseNameHashValue;
enum _LDR_DLL_LOAD_REASON LoadReason;
ulong ImplicitPathOptions;
ulong ReferenceCount;
ulong DependentLoadFlags;
uchar SigningLevel;
char __PADDING__[3];
};
struct _LDR_DATA_TABLE_ENTRY_0x8 {
struct _LIST_ENTRY InMemoryOrderLinks;
struct _LIST_ENTRY InInitializationOrderLinks;
void * DllBase;
void * EntryPoint;
ulong SizeOfImage;
struct _UNICODE_STRING FullDllName;
struct _UNICODE_STRING BaseDllName;
union _union_9066 field_0x24;
ushort ObsoleteLoadCount;
ushort TlsIndex;
struct _LIST_ENTRY HashLinks;
ulong TimeDateStamp;
struct _ACTIVATION_CONTEXT * EntryPointActivationContext;
void * Lock;
struct _LDR_DDAG_NODE * DdagNode;
struct _LIST_ENTRY NodeModuleLink;
struct _LDRP_LOAD_CONTEXT * LoadContext;
void * ParentDllBase;
void * SwitchBackContext;
struct _RTL_BALANCED_NODE BaseAddressIndexNode;
struct _RTL_BALANCED_NODE MappingInfoIndexNode;
ulong OriginalBase;
long Padding_84;
union _LARGE_INTEGER LoadTime;
ulong BaseNameHashValue;
enum _LDR_DLL_LOAD_REASON LoadReason;
ulong ImplicitPathOptions;
ulong ReferenceCount;
ulong DependentLoadFlags;
uchar SigningLevel;
char __PADDING__[3];
};
struct _LDR_DATA_TABLE_ENTRY_0x10 {
struct _LIST_ENTRY InInitializationOrderLinks;
void * DllBase;
void * EntryPoint;
ulong SizeOfImage;
struct _UNICODE_STRING FullDllName;
struct _UNICODE_STRING BaseDllName;
union _union_9066 field_0x24;
ushort ObsoleteLoadCount;
ushort TlsIndex;
struct _LIST_ENTRY HashLinks;
ulong TimeDateStamp;
struct _ACTIVATION_CONTEXT * EntryPointActivationContext;
void * Lock;
struct _LDR_DDAG_NODE * DdagNode;
struct _LIST_ENTRY NodeModuleLink;
struct _LDRP_LOAD_CONTEXT * LoadContext;
void * ParentDllBase;
void * SwitchBackContext;
struct _RTL_BALANCED_NODE BaseAddressIndexNode;
struct _RTL_BALANCED_NODE MappingInfoIndexNode;
ulong OriginalBase;
long Padding_84;
union _LARGE_INTEGER LoadTime;
ulong BaseNameHashValue;
enum _LDR_DLL_LOAD_REASON LoadReason;
ulong ImplicitPathOptions;
ulong ReferenceCount;
ulong DependentLoadFlags;
uchar SigningLevel;
char __PADDING__[3];
};
// -----------------------------------------------------
// PEB typedefs
// -----------------------------------------------------
typedef struct _PEB _PEB, *P_PEB;
typedef struct _PEB_LDR_DATA _PEB_LDR_DATA, *P_PEB_LDR_DATA;
// -----------------------------------------------------
// PEB structures
// -----------------------------------------------------
union anon__struct_7914_bitfield_1 {
ulong ProcessInJob:1; // : bits 0
ulong ProcessInitializing:1; // : bits 1
ulong ProcessUsingVEH:1; // : bits 2
ulong ProcessUsingVCH:1; // : bits 3
ulong ProcessUsingFTH:1; // : bits 4
ulong ProcessPreviouslyThrottled:1; // : bits 5
ulong ProcessCurrentlyThrottled:1; // : bits 6
ulong ProcessImagesHotPatched:1; // : bits 7
ulong ReservedBits0:24; // : bits 8-31
};
struct _struct_7914 {
union anon__struct_7914_bitfield_1 field_0x0;
};
union _union_7913 {
ulong CrossProcessFlags;
struct _struct_7914 field1;
};
union _union_7915 {
void * KernelCallbackTable;
void * UserSharedInfoPtr;
};
union anon__struct_7929_bitfield_1 {
ulong HeapTracingEnabled:1; // : bits 0
ulong CritSecTracingEnabled:1; // : bits 1
ulong LibLoaderTracingEnabled:1; // : bits 2
ulong SpareTracingBits:29; // : bits 3-31
};
struct _struct_7929 {
union anon__struct_7929_bitfield_1 field_0x0;
};
union _union_7928 {
ulong TracingFlags;
struct _struct_7929 field1;
};
struct _PEB {
uchar InheritedAddressSpace;
uchar ReadImageFileExecOptions;
uchar BeingDebugged;
union _union_7907 field_0x3;
void * Mutant;
void * ImageBaseAddress;
struct _PEB_LDR_DATA * Ldr;
struct _RTL_USER_PROCESS_PARAMETERS * ProcessParameters;
void * SubSystemData;
void * ProcessHeap;
struct _RTL_CRITICAL_SECTION * FastPebLock;
union _SLIST_HEADER * AtlThunkSListPtr;
void * IFEOKey;
union _union_7913 field_0x28;
union _union_7915 field_0x2c;
ulong SystemReserved;
union _SLIST_HEADER * AtlThunkSListPtr32;
void * ApiSetMap;
ulong TlsExpansionCounter;
void * TlsBitmap;
ulong TlsBitmapBits[2];
void * ReadOnlySharedMemoryBase;
void * SharedData;
void * * ReadOnlyStaticServerData;
void * AnsiCodePageData;
void * OemCodePageData;
void * UnicodeCaseTableData;
ulong NumberOfProcessors;
ulong NtGlobalFlag;
long Padding_30;
union _LARGE_INTEGER CriticalSectionTimeout;
ulong HeapSegmentReserve;
ulong HeapSegmentCommit;
ulong HeapDeCommitTotalFreeThreshold;
ulong HeapDeCommitFreeBlockThreshold;
ulong NumberOfHeaps;
ulong MaximumNumberOfHeaps;
void * * ProcessHeaps;
void * GdiSharedHandleTable;
void * ProcessStarterHelper;
ulong GdiDCAttributeList;
struct _RTL_CRITICAL_SECTION * LoaderLock;
ulong OSMajorVersion;
ulong OSMinorVersion;
ushort OSBuildNumber;
ushort OSCSDVersion;
ulong OSPlatformId;
ulong ImageSubsystem;
ulong ImageSubsystemMajorVersion;
ulong ImageSubsystemMinorVersion;
ulong ActiveProcessAffinityMask;
ulong GdiHandleBuffer[34];
void * PostProcessInitRoutine;
void * TlsExpansionBitmap;
ulong TlsExpansionBitmapBits[32];
ulong SessionId;
union _ULARGE_INTEGER AppCompatFlags;
union _ULARGE_INTEGER AppCompatFlagsUser;
void * pShimData;
void * AppCompatInfo;
struct _UNICODE_STRING CSDVersion;
struct _ACTIVATION_CONTEXT_DATA * ActivationContextData;
struct _ASSEMBLY_STORAGE_MAP * ProcessAssemblyStorageMap;
struct _ACTIVATION_CONTEXT_DATA * SystemDefaultActivationContextData;
struct _ASSEMBLY_STORAGE_MAP * SystemAssemblyStorageMap;
ulong MinimumStackCommit;
struct _FLS_CALLBACK_INFO * FlsCallback;
struct _LIST_ENTRY FlsListHead;
void * FlsBitmap;
ulong FlsBitmapBits[4];
ulong FlsHighIndex;
void * WerRegistrationData;
void * WerShipAssertPtr;
void * pUnused;
void * pImageHeaderHash;
union _union_7928 field_0x240;
long Padding_31;
ulonglong CsrServerReadOnlySharedMemoryBase;
ulong TppWorkerpListLock;
struct _LIST_ENTRY TppWorkerpList;
void * WaitOnAddressHashTable[128];
void * TelemetryCoverageHeader;
ulong CloudFileFlags;
ulong CloudFileDiagFlags;
char PlaceholderCompatibilityMode;
char PlaceholderCompatibilityModeReserved[7];
struct _LEAP_SECOND_DATA * LeapSecondData;
union _union_7932 field_0x474;
ulong NtGlobalFlag2;
long __PADDING__[1];
};
struct _PEB_LDR_DATA {
ulong Length;
uchar Initialized;
char Padding_32[3];
void * SsHandle;
struct _LIST_ENTRY InLoadOrderModuleList;
struct _LIST_ENTRY InMemoryOrderModuleList;
struct _LIST_ENTRY InInitializationOrderModuleList;
void * EntryInProgress;
uchar ShutdownInProgress;
char Padding_33[3];
void * ShutdownThreadId;
};
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment