Process Hacker
ntpebteb.h
Go to the documentation of this file.
1 #ifndef _NTPEBTEB_H
2 #define _NTPEBTEB_H
3 
4 typedef struct _RTL_USER_PROCESS_PARAMETERS *PRTL_USER_PROCESS_PARAMETERS;
5 typedef struct _RTL_CRITICAL_SECTION *PRTL_CRITICAL_SECTION;
6 
7 // symbols
8 typedef struct _PEB
9 {
10  BOOLEAN InheritedAddressSpace;
11  BOOLEAN ReadImageFileExecOptions;
12  BOOLEAN BeingDebugged;
13  union
14  {
15  BOOLEAN BitField;
16  struct
17  {
18  BOOLEAN ImageUsesLargePages : 1;
19  BOOLEAN IsProtectedProcess : 1;
20  BOOLEAN IsImageDynamicallyRelocated : 1;
21  BOOLEAN SkipPatchingUser32Forwarders : 1;
22  BOOLEAN IsPackagedProcess : 1;
23  BOOLEAN IsAppContainer : 1;
24  BOOLEAN IsProtectedProcessLight : 1;
25  BOOLEAN SpareBits : 1;
26  };
27  };
28  HANDLE Mutant;
29 
30  PVOID ImageBaseAddress;
31  PPEB_LDR_DATA Ldr;
32  PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
33  PVOID SubSystemData;
34  PVOID ProcessHeap;
35  PRTL_CRITICAL_SECTION FastPebLock;
36  PVOID AtlThunkSListPtr;
37  PVOID IFEOKey;
38  union
39  {
40  ULONG CrossProcessFlags;
41  struct
42  {
43  ULONG ProcessInJob : 1;
44  ULONG ProcessInitializing : 1;
45  ULONG ProcessUsingVEH : 1;
46  ULONG ProcessUsingVCH : 1;
47  ULONG ProcessUsingFTH : 1;
48  ULONG ReservedBits0 : 27;
49  };
50  ULONG EnvironmentUpdateCount;
51  };
52  union
53  {
54  PVOID KernelCallbackTable;
55  PVOID UserSharedInfoPtr;
56  };
57  ULONG SystemReserved[1];
58  ULONG AtlThunkSListPtr32;
59  PVOID ApiSetMap;
60  ULONG TlsExpansionCounter;
61  PVOID TlsBitmap;
62  ULONG TlsBitmapBits[2];
63  PVOID ReadOnlySharedMemoryBase;
64  PVOID HotpatchInformation;
65  PVOID *ReadOnlyStaticServerData;
66  PVOID AnsiCodePageData;
67  PVOID OemCodePageData;
68  PVOID UnicodeCaseTableData;
69 
70  ULONG NumberOfProcessors;
71  ULONG NtGlobalFlag;
72 
73  LARGE_INTEGER CriticalSectionTimeout;
74  SIZE_T HeapSegmentReserve;
75  SIZE_T HeapSegmentCommit;
76  SIZE_T HeapDeCommitTotalFreeThreshold;
77  SIZE_T HeapDeCommitFreeBlockThreshold;
78 
79  ULONG NumberOfHeaps;
80  ULONG MaximumNumberOfHeaps;
81  PVOID *ProcessHeaps;
82 
83  PVOID GdiSharedHandleTable;
84  PVOID ProcessStarterHelper;
85  ULONG GdiDCAttributeList;
86 
87  PRTL_CRITICAL_SECTION LoaderLock;
88 
89  ULONG OSMajorVersion;
90  ULONG OSMinorVersion;
91  USHORT OSBuildNumber;
92  USHORT OSCSDVersion;
93  ULONG OSPlatformId;
94  ULONG ImageSubsystem;
95  ULONG ImageSubsystemMajorVersion;
96  ULONG ImageSubsystemMinorVersion;
97  ULONG_PTR ImageProcessAffinityMask;
98  GDI_HANDLE_BUFFER GdiHandleBuffer;
99  PVOID PostProcessInitRoutine;
100 
101  PVOID TlsExpansionBitmap;
102  ULONG TlsExpansionBitmapBits[32];
103 
104  ULONG SessionId;
105 
106  ULARGE_INTEGER AppCompatFlags;
107  ULARGE_INTEGER AppCompatFlagsUser;
108  PVOID pShimData;
109  PVOID AppCompatInfo;
110 
111  UNICODE_STRING CSDVersion;
112 
113  PVOID ActivationContextData;
114  PVOID ProcessAssemblyStorageMap;
115  PVOID SystemDefaultActivationContextData;
116  PVOID SystemAssemblyStorageMap;
117 
118  SIZE_T MinimumStackCommit;
119 
120  PVOID *FlsCallback;
121  LIST_ENTRY FlsListHead;
122  PVOID FlsBitmap;
123  ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)];
124  ULONG FlsHighIndex;
125 
126  PVOID WerRegistrationData;
127  PVOID WerShipAssertPtr;
128  PVOID pContextData;
129  PVOID pImageHeaderHash;
130  union
131  {
132  ULONG TracingFlags;
133  struct
134  {
135  ULONG HeapTracingEnabled : 1;
136  ULONG CritSecTracingEnabled : 1;
137  ULONG LibLoaderTracingEnabled : 1;
138  ULONG SpareTracingBits : 29;
139  };
140  };
141  ULONGLONG CsrServerReadOnlySharedMemoryBase;
142 } PEB, *PPEB;
143 
144 #define GDI_BATCH_BUFFER_SIZE 310
145 
146 typedef struct _GDI_TEB_BATCH
147 {
148  ULONG Offset;
149  ULONG_PTR HDC;
150  ULONG Buffer[GDI_BATCH_BUFFER_SIZE];
151 } GDI_TEB_BATCH, *PGDI_TEB_BATCH;
152 
153 typedef struct _TEB_ACTIVE_FRAME_CONTEXT
154 {
155  ULONG Flags;
156  PSTR FrameName;
157 } TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT;
158 
159 typedef struct _TEB_ACTIVE_FRAME
160 {
161  ULONG Flags;
162  struct _TEB_ACTIVE_FRAME *Previous;
163  PTEB_ACTIVE_FRAME_CONTEXT Context;
164 } TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME;
165 
166 typedef struct _TEB
167 {
168  NT_TIB NtTib;
169 
170  PVOID EnvironmentPointer;
171  CLIENT_ID ClientId;
172  PVOID ActiveRpcHandle;
173  PVOID ThreadLocalStoragePointer;
174  PPEB ProcessEnvironmentBlock;
175 
176  ULONG LastErrorValue;
177  ULONG CountOfOwnedCriticalSections;
178  PVOID CsrClientThread;
179  PVOID Win32ThreadInfo;
180  ULONG User32Reserved[26];
181  ULONG UserReserved[5];
182  PVOID WOW32Reserved;
183  LCID CurrentLocale;
184  ULONG FpSoftwareStatusRegister;
185  PVOID SystemReserved1[54];
186  NTSTATUS ExceptionCode;
187  PVOID ActivationContextStackPointer;
188 #ifdef _WIN64
189  UCHAR SpareBytes[24];
190 #else
191  UCHAR SpareBytes[36];
192 #endif
193  ULONG TxFsContext;
194 
195  GDI_TEB_BATCH GdiTebBatch;
196  CLIENT_ID RealClientId;
197  HANDLE GdiCachedProcessHandle;
198  ULONG GdiClientPID;
199  ULONG GdiClientTID;
200  PVOID GdiThreadLocalInfo;
201  ULONG_PTR Win32ClientInfo[62];
202  PVOID glDispatchTable[233];
203  ULONG_PTR glReserved1[29];
204  PVOID glReserved2;
205  PVOID glSectionInfo;
206  PVOID glSection;
207  PVOID glTable;
208  PVOID glCurrentRC;
209  PVOID glContext;
210 
211  NTSTATUS LastStatusValue;
212  UNICODE_STRING StaticUnicodeString;
213  WCHAR StaticUnicodeBuffer[261];
214 
215  PVOID DeallocationStack;
216  PVOID TlsSlots[64];
217  LIST_ENTRY TlsLinks;
218 
219  PVOID Vdm;
220  PVOID ReservedForNtRpc;
221  PVOID DbgSsReserved[2];
222 
223  ULONG HardErrorMode;
224 #ifdef _WIN64
225  PVOID Instrumentation[11];
226 #else
227  PVOID Instrumentation[9];
228 #endif
229  GUID ActivityId;
230 
231  PVOID SubProcessTag;
232  PVOID EtwLocalData;
233  PVOID EtwTraceData;
234  PVOID WinSockData;
235  ULONG GdiBatchCount;
236 
237  union
238  {
239  PROCESSOR_NUMBER CurrentIdealProcessor;
240  ULONG IdealProcessorValue;
241  struct
242  {
243  UCHAR ReservedPad0;
244  UCHAR ReservedPad1;
245  UCHAR ReservedPad2;
246  UCHAR IdealProcessor;
247  };
248  };
249 
250  ULONG GuaranteedStackBytes;
251  PVOID ReservedForPerf;
252  PVOID ReservedForOle;
253  ULONG WaitingOnLoaderLock;
254  PVOID SavedPriorityState;
255  ULONG_PTR SoftPatchPtr1;
256  PVOID ThreadPoolData;
257  PVOID *TlsExpansionSlots;
258 #ifdef _WIN64
259  PVOID DeallocationBStore;
260  PVOID BStoreLimit;
261 #endif
262  ULONG MuiGeneration;
263  ULONG IsImpersonating;
264  PVOID NlsCache;
265  PVOID pShimData;
266  ULONG HeapVirtualAffinity;
267  HANDLE CurrentTransactionHandle;
268  PTEB_ACTIVE_FRAME ActiveFrame;
269  PVOID FlsData;
270 
271  PVOID PreferredLanguages;
272  PVOID UserPrefLanguages;
273  PVOID MergedPrefLanguages;
274  ULONG MuiImpersonation;
275 
276  union
277  {
278  USHORT CrossTebFlags;
279  USHORT SpareCrossTebBits : 16;
280  };
281  union
282  {
283  USHORT SameTebFlags;
284  struct
285  {
286  USHORT SafeThunkCall : 1;
287  USHORT InDebugPrint : 1;
288  USHORT HasFiberData : 1;
289  USHORT SkipThreadAttach : 1;
290  USHORT WerInShipAssertCode : 1;
291  USHORT RanProcessInit : 1;
292  USHORT ClonedThread : 1;
293  USHORT SuppressDebugMsg : 1;
294  USHORT DisableUserStackWalk : 1;
295  USHORT RtlExceptionAttached : 1;
296  USHORT InitialThread : 1;
297  USHORT SessionAware : 1;
298  USHORT SpareSameTebBits : 4;
299  };
300  };
301 
302  PVOID TxnScopeEnterCallback;
303  PVOID TxnScopeExitCallback;
304  PVOID TxnScopeContext;
305  ULONG LockCount;
306  ULONG SpareUlong0;
307  PVOID ResourceRetValue;
308  PVOID ReservedForWdf;
309 } TEB, *PTEB;
310 
311 #endif