Process Hacker
ntwow64.h
Go to the documentation of this file.
1 #ifndef _NTWOW64_H
2 #define _NTWOW64_H
3 
4 #define WOW64_SYSTEM_DIRECTORY "SysWOW64"
5 #define WOW64_SYSTEM_DIRECTORY_U L"SysWOW64"
6 #define WOW64_X86_TAG " (x86)"
7 #define WOW64_X86_TAG_U L" (x86)"
8 
9 // In USER_SHARED_DATA
10 typedef enum _WOW64_SHARED_INFORMATION
11 {
12  SharedNtdll32LdrInitializeThunk,
13  SharedNtdll32KiUserExceptionDispatcher,
14  SharedNtdll32KiUserApcDispatcher,
15  SharedNtdll32KiUserCallbackDispatcher,
16  SharedNtdll32ExpInterlockedPopEntrySListFault,
17  SharedNtdll32ExpInterlockedPopEntrySListResume,
18  SharedNtdll32ExpInterlockedPopEntrySListEnd,
19  SharedNtdll32RtlUserThreadStart,
20  SharedNtdll32pQueryProcessDebugInformationRemote,
21  SharedNtdll32BaseAddress,
22  SharedNtdll32LdrSystemDllInitBlock,
23  Wow64SharedPageEntriesCount
24 } WOW64_SHARED_INFORMATION;
25 
26 // 32-bit definitions
27 
28 #define WOW64_POINTER(Type) ULONG
29 
30 typedef struct _RTL_BALANCED_NODE32
31 {
32  union
33  {
34  WOW64_POINTER(struct _RTL_BALANCED_NODE *) Children[2];
35  struct
36  {
37  WOW64_POINTER(struct _RTL_BALANCED_NODE *) Left;
38  WOW64_POINTER(struct _RTL_BALANCED_NODE *) Right;
39  };
40  };
41  union
42  {
43  WOW64_POINTER(UCHAR) Red : 1;
44  WOW64_POINTER(UCHAR) Balance : 2;
45  WOW64_POINTER(ULONG_PTR) ParentValue;
46  };
47 } RTL_BALANCED_NODE32, *PRTL_BALANCED_NODE32;
48 
49 typedef struct _RTL_RB_TREE32
50 {
51  WOW64_POINTER(PRTL_BALANCED_NODE) Root;
52  WOW64_POINTER(PRTL_BALANCED_NODE) Min;
53 } RTL_RB_TREE32, *PRTL_RB_TREE32;
54 
55 typedef struct _PEB_LDR_DATA32
56 {
57  ULONG Length;
58  BOOLEAN Initialized;
59  WOW64_POINTER(HANDLE) SsHandle;
60  LIST_ENTRY32 InLoadOrderModuleList;
61  LIST_ENTRY32 InMemoryOrderModuleList;
62  LIST_ENTRY32 InInitializationOrderModuleList;
63  WOW64_POINTER(PVOID) EntryInProgress;
64  BOOLEAN ShutdownInProgress;
65  WOW64_POINTER(HANDLE) ShutdownThreadId;
66 } PEB_LDR_DATA32, *PPEB_LDR_DATA32;
67 
68 typedef struct _LDR_SERVICE_TAG_RECORD32
69 {
70  WOW64_POINTER(struct _LDR_SERVICE_TAG_RECORD *) Next;
71  ULONG ServiceTag;
72 } LDR_SERVICE_TAG_RECORD32, *PLDR_SERVICE_TAG_RECORD32;
73 
74 typedef struct _LDRP_CSLIST32
75 {
76  WOW64_POINTER(PSINGLE_LIST_ENTRY) Tail;
77 } LDRP_CSLIST32, *PLDRP_CSLIST32;
78 
79 typedef struct _LDR_DDAG_NODE32
80 {
81  LIST_ENTRY32 Modules;
82  WOW64_POINTER(PLDR_SERVICE_TAG_RECORD) ServiceTagList;
83  ULONG LoadCount;
84  ULONG ReferenceCount;
85  ULONG DependencyCount;
86  union
87  {
88  LDRP_CSLIST32 Dependencies;
89  SINGLE_LIST_ENTRY32 RemovalLink;
90  };
91  LDRP_CSLIST32 IncomingDependencies;
92  LDR_DDAG_STATE State;
93  SINGLE_LIST_ENTRY32 CondenseLink;
94  ULONG PreorderNumber;
95  ULONG LowestLink;
96 } LDR_DDAG_NODE32, *PLDR_DDAG_NODE32;
97 
98 #define LDR_DATA_TABLE_ENTRY_SIZE_WINXP_32 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY32, DdagNode)
99 #define LDR_DATA_TABLE_ENTRY_SIZE_WIN7_32 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY32, BaseNameHashValue)
100 #define LDR_DATA_TABLE_ENTRY_SIZE_WIN8_32 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY32, ImplicitPathOptions)
101 
102 typedef struct _LDR_DATA_TABLE_ENTRY32
103 {
104  LIST_ENTRY32 InLoadOrderLinks;
105  LIST_ENTRY32 InMemoryOrderLinks;
106  union
107  {
108  LIST_ENTRY32 InInitializationOrderLinks;
109  LIST_ENTRY32 InProgressLinks;
110  };
111  WOW64_POINTER(PVOID) DllBase;
112  WOW64_POINTER(PVOID) EntryPoint;
113  ULONG SizeOfImage;
114  UNICODE_STRING32 FullDllName;
115  UNICODE_STRING32 BaseDllName;
116  union
117  {
118  UCHAR FlagGroup[4];
119  ULONG Flags;
120  struct
121  {
122  ULONG PackagedBinary : 1;
123  ULONG MarkedForRemoval : 1;
124  ULONG ImageDll : 1;
125  ULONG LoadNotificationsSent : 1;
126  ULONG TelemetryEntryProcessed : 1;
127  ULONG ProcessStaticImport : 1;
128  ULONG InLegacyLists : 1;
129  ULONG InIndexes : 1;
130  ULONG ShimDll : 1;
131  ULONG InExceptionTable : 1;
132  ULONG ReservedFlags1 : 2;
133  ULONG LoadInProgress : 1;
134  ULONG LoadConfigProcessed : 1;
135  ULONG EntryProcessed : 1;
136  ULONG ProtectDelayLoad : 1;
137  ULONG ReservedFlags3 : 2;
138  ULONG DontCallForThreads : 1;
139  ULONG ProcessAttachCalled : 1;
140  ULONG ProcessAttachFailed : 1;
141  ULONG CorDeferredValidate : 1;
142  ULONG CorImage : 1;
143  ULONG DontRelocate : 1;
144  ULONG CorILOnly : 1;
145  ULONG ReservedFlags5 : 3;
146  ULONG Redirected : 1;
147  ULONG ReservedFlags6 : 2;
148  ULONG CompatDatabaseProcessed : 1;
149  };
150  };
151  USHORT ObsoleteLoadCount;
152  USHORT TlsIndex;
153  LIST_ENTRY32 HashLinks;
154  ULONG TimeDateStamp;
155  WOW64_POINTER(struct _ACTIVATION_CONTEXT *) EntryPointActivationContext;
156  WOW64_POINTER(PVOID) Lock;
157  WOW64_POINTER(PLDR_DDAG_NODE) DdagNode;
158  LIST_ENTRY32 NodeModuleLink;
159  WOW64_POINTER(struct _LDRP_LOAD_CONTEXT *) LoadContext;
160  WOW64_POINTER(PVOID) ParentDllBase;
161  WOW64_POINTER(PVOID) SwitchBackContext;
162  RTL_BALANCED_NODE32 BaseAddressIndexNode;
163  RTL_BALANCED_NODE32 MappingInfoIndexNode;
164  WOW64_POINTER(ULONG_PTR) OriginalBase;
165  LARGE_INTEGER LoadTime;
166  ULONG BaseNameHashValue;
167  LDR_DLL_LOAD_REASON LoadReason;
168  ULONG ImplicitPathOptions;
169  ULONG ReferenceCount;
170 } LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32;
171 
172 typedef struct _CURDIR32
173 {
174  UNICODE_STRING32 DosPath;
175  WOW64_POINTER(HANDLE) Handle;
176 } CURDIR32, *PCURDIR32;
177 
178 typedef struct _RTL_DRIVE_LETTER_CURDIR32
179 {
180  USHORT Flags;
181  USHORT Length;
182  ULONG TimeStamp;
183  STRING32 DosPath;
184 } RTL_DRIVE_LETTER_CURDIR32, *PRTL_DRIVE_LETTER_CURDIR32;
185 
186 typedef struct _RTL_USER_PROCESS_PARAMETERS32
187 {
188  ULONG MaximumLength;
189  ULONG Length;
190 
191  ULONG Flags;
192  ULONG DebugFlags;
193 
194  WOW64_POINTER(HANDLE) ConsoleHandle;
195  ULONG ConsoleFlags;
196  WOW64_POINTER(HANDLE) StandardInput;
197  WOW64_POINTER(HANDLE) StandardOutput;
198  WOW64_POINTER(HANDLE) StandardError;
199 
200  CURDIR32 CurrentDirectory;
201  UNICODE_STRING32 DllPath;
202  UNICODE_STRING32 ImagePathName;
203  UNICODE_STRING32 CommandLine;
204  WOW64_POINTER(PVOID) Environment;
205 
206  ULONG StartingX;
207  ULONG StartingY;
208  ULONG CountX;
209  ULONG CountY;
210  ULONG CountCharsX;
211  ULONG CountCharsY;
212  ULONG FillAttribute;
213 
214  ULONG WindowFlags;
215  ULONG ShowWindowFlags;
216  UNICODE_STRING32 WindowTitle;
217  UNICODE_STRING32 DesktopInfo;
218  UNICODE_STRING32 ShellInfo;
219  UNICODE_STRING32 RuntimeData;
220  RTL_DRIVE_LETTER_CURDIR32 CurrentDirectories[RTL_MAX_DRIVE_LETTERS];
221 
222  ULONG EnvironmentSize;
223  ULONG EnvironmentVersion;
224  WOW64_POINTER(PVOID) PackageDependencyData;
225  ULONG ProcessGroupId;
226  ULONG LoaderThreads;
227 } RTL_USER_PROCESS_PARAMETERS32, *PRTL_USER_PROCESS_PARAMETERS32;
228 
229 typedef struct _PEB32
230 {
231  BOOLEAN InheritedAddressSpace;
232  BOOLEAN ReadImageFileExecOptions;
233  BOOLEAN BeingDebugged;
234  union
235  {
236  BOOLEAN BitField;
237  struct
238  {
239  BOOLEAN ImageUsesLargePages : 1;
240  BOOLEAN IsProtectedProcess : 1;
241  BOOLEAN IsLegacyProcess : 1;
242  BOOLEAN IsImageDynamicallyRelocated : 1;
243  BOOLEAN SkipPatchingUser32Forwarders : 1;
244  BOOLEAN IsPackagedProcess : 1;
245  BOOLEAN IsAppContainer : 1;
246  BOOLEAN SpareBits : 1;
247  };
248  };
249  WOW64_POINTER(HANDLE) Mutant;
250 
251  WOW64_POINTER(PVOID) ImageBaseAddress;
252  WOW64_POINTER(PPEB_LDR_DATA) Ldr;
253  WOW64_POINTER(PRTL_USER_PROCESS_PARAMETERS) ProcessParameters;
254  WOW64_POINTER(PVOID) SubSystemData;
255  WOW64_POINTER(PVOID) ProcessHeap;
256  WOW64_POINTER(PRTL_CRITICAL_SECTION) FastPebLock;
257  WOW64_POINTER(PVOID) AtlThunkSListPtr;
258  WOW64_POINTER(PVOID) IFEOKey;
259  union
260  {
261  ULONG CrossProcessFlags;
262  struct
263  {
264  ULONG ProcessInJob : 1;
265  ULONG ProcessInitializing : 1;
266  ULONG ProcessUsingVEH : 1;
267  ULONG ProcessUsingVCH : 1;
268  ULONG ProcessUsingFTH : 1;
269  ULONG ReservedBits0 : 27;
270  };
271  ULONG EnvironmentUpdateCount;
272  };
273  union
274  {
275  WOW64_POINTER(PVOID) KernelCallbackTable;
276  WOW64_POINTER(PVOID) UserSharedInfoPtr;
277  };
278  ULONG SystemReserved[1];
279  ULONG AtlThunkSListPtr32;
280  WOW64_POINTER(PVOID) ApiSetMap;
281  ULONG TlsExpansionCounter;
282  WOW64_POINTER(PVOID) TlsBitmap;
283  ULONG TlsBitmapBits[2];
284  WOW64_POINTER(PVOID) ReadOnlySharedMemoryBase;
285  WOW64_POINTER(PVOID) HotpatchInformation;
286  WOW64_POINTER(PVOID *) ReadOnlyStaticServerData;
287  WOW64_POINTER(PVOID) AnsiCodePageData;
288  WOW64_POINTER(PVOID) OemCodePageData;
289  WOW64_POINTER(PVOID) UnicodeCaseTableData;
290 
291  ULONG NumberOfProcessors;
292  ULONG NtGlobalFlag;
293 
294  LARGE_INTEGER CriticalSectionTimeout;
295  WOW64_POINTER(SIZE_T) HeapSegmentReserve;
296  WOW64_POINTER(SIZE_T) HeapSegmentCommit;
297  WOW64_POINTER(SIZE_T) HeapDeCommitTotalFreeThreshold;
298  WOW64_POINTER(SIZE_T) HeapDeCommitFreeBlockThreshold;
299 
300  ULONG NumberOfHeaps;
301  ULONG MaximumNumberOfHeaps;
302  WOW64_POINTER(PVOID *) ProcessHeaps;
303 
304  WOW64_POINTER(PVOID) GdiSharedHandleTable;
305  WOW64_POINTER(PVOID) ProcessStarterHelper;
306  ULONG GdiDCAttributeList;
307 
308  WOW64_POINTER(PRTL_CRITICAL_SECTION) LoaderLock;
309 
310  ULONG OSMajorVersion;
311  ULONG OSMinorVersion;
312  USHORT OSBuildNumber;
313  USHORT OSCSDVersion;
314  ULONG OSPlatformId;
315  ULONG ImageSubsystem;
316  ULONG ImageSubsystemMajorVersion;
317  ULONG ImageSubsystemMinorVersion;
318  WOW64_POINTER(ULONG_PTR) ImageProcessAffinityMask;
319  GDI_HANDLE_BUFFER32 GdiHandleBuffer;
320  WOW64_POINTER(PVOID) PostProcessInitRoutine;
321 
322  WOW64_POINTER(PVOID) TlsExpansionBitmap;
323  ULONG TlsExpansionBitmapBits[32];
324 
325  ULONG SessionId;
326 
327  ULARGE_INTEGER AppCompatFlags;
328  ULARGE_INTEGER AppCompatFlagsUser;
329  WOW64_POINTER(PVOID) pShimData;
330  WOW64_POINTER(PVOID) AppCompatInfo;
331 
332  UNICODE_STRING32 CSDVersion;
333 
334  WOW64_POINTER(PVOID) ActivationContextData;
335  WOW64_POINTER(PVOID) ProcessAssemblyStorageMap;
336  WOW64_POINTER(PVOID) SystemDefaultActivationContextData;
337  WOW64_POINTER(PVOID) SystemAssemblyStorageMap;
338 
339  WOW64_POINTER(SIZE_T) MinimumStackCommit;
340 
341  WOW64_POINTER(PVOID *) FlsCallback;
342  LIST_ENTRY32 FlsListHead;
343  WOW64_POINTER(PVOID) FlsBitmap;
344  ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)];
345  ULONG FlsHighIndex;
346 
347  WOW64_POINTER(PVOID) WerRegistrationData;
348  WOW64_POINTER(PVOID) WerShipAssertPtr;
349  WOW64_POINTER(PVOID) pContextData;
350  WOW64_POINTER(PVOID) pImageHeaderHash;
351  union
352  {
353  ULONG TracingFlags;
354  struct
355  {
356  ULONG HeapTracingEnabled : 1;
357  ULONG CritSecTracingEnabled : 1;
358  ULONG LibLoaderTracingEnabled : 1;
359  ULONG SpareTracingBits : 29;
360  };
361  };
362  ULONGLONG CsrServerReadOnlySharedMemoryBase;
363 } PEB32, *PPEB32;
364 
365 #define GDI_BATCH_BUFFER_SIZE 310
366 
367 typedef struct _GDI_TEB_BATCH32
368 {
369  ULONG Offset;
370  WOW64_POINTER(ULONG_PTR) HDC;
371  ULONG Buffer[GDI_BATCH_BUFFER_SIZE];
372 } GDI_TEB_BATCH32, *PGDI_TEB_BATCH32;
373 
374 typedef struct _TEB32
375 {
376  NT_TIB32 NtTib;
377 
378  WOW64_POINTER(PVOID) EnvironmentPointer;
379  CLIENT_ID32 ClientId;
380  WOW64_POINTER(PVOID) ActiveRpcHandle;
381  WOW64_POINTER(PVOID) ThreadLocalStoragePointer;
382  WOW64_POINTER(PPEB) ProcessEnvironmentBlock;
383 
384  ULONG LastErrorValue;
385  ULONG CountOfOwnedCriticalSections;
386  WOW64_POINTER(PVOID) CsrClientThread;
387  WOW64_POINTER(PVOID) Win32ThreadInfo;
388  ULONG User32Reserved[26];
389  ULONG UserReserved[5];
390  WOW64_POINTER(PVOID) WOW32Reserved;
391  LCID CurrentLocale;
392  ULONG FpSoftwareStatusRegister;
393  WOW64_POINTER(PVOID) SystemReserved1[54];
394  NTSTATUS ExceptionCode;
395  WOW64_POINTER(PVOID) ActivationContextStackPointer;
396  BYTE SpareBytes[36];
397  ULONG TxFsContext;
398 
399  GDI_TEB_BATCH32 GdiTebBatch;
400  CLIENT_ID32 RealClientId;
401  WOW64_POINTER(HANDLE) GdiCachedProcessHandle;
402  ULONG GdiClientPID;
403  ULONG GdiClientTID;
404  WOW64_POINTER(PVOID) GdiThreadLocalInfo;
405  WOW64_POINTER(ULONG_PTR) Win32ClientInfo[62];
406  WOW64_POINTER(PVOID) glDispatchTable[233];
407  WOW64_POINTER(ULONG_PTR) glReserved1[29];
408  WOW64_POINTER(PVOID) glReserved2;
409  WOW64_POINTER(PVOID) glSectionInfo;
410  WOW64_POINTER(PVOID) glSection;
411  WOW64_POINTER(PVOID) glTable;
412  WOW64_POINTER(PVOID) glCurrentRC;
413  WOW64_POINTER(PVOID) glContext;
414 
415  NTSTATUS LastStatusValue;
416  UNICODE_STRING32 StaticUnicodeString;
417  WCHAR StaticUnicodeBuffer[261];
418 
419  WOW64_POINTER(PVOID) DeallocationStack;
420  WOW64_POINTER(PVOID) TlsSlots[64];
421  LIST_ENTRY32 TlsLinks;
422 } TEB32, *PTEB32;
423 
424 // Conversion
425 
426 FORCEINLINE VOID UStr32ToUStr(
427  _Out_ PUNICODE_STRING Destination,
428  _In_ PUNICODE_STRING32 Source
429  )
430 {
431  Destination->Length = Source->Length;
432  Destination->MaximumLength = Source->MaximumLength;
433  Destination->Buffer = (PWCH)UlongToPtr(Source->Buffer);
434 }
435 
436 FORCEINLINE VOID UStrToUStr32(
437  _Out_ PUNICODE_STRING32 Destination,
438  _In_ PUNICODE_STRING Source
439  )
440 {
441  Destination->Length = Source->Length;
442  Destination->MaximumLength = Source->MaximumLength;
443  Destination->Buffer = PtrToUlong(Source->Buffer);
444 }
445 
446 #endif