use core::mem::size_of;
use crate::ntapi_base::CLIENT_ID32;
use crate::ntldr::{LDR_DDAG_STATE, LDR_DLL_LOAD_REASON};
use crate::ntpsapi::GDI_HANDLE_BUFFER32;
use crate::ntrtl::RTL_MAX_DRIVE_LETTERS;
use crate::string::{UTF16Const, UTF8Const};
use winapi::shared::guiddef::GUID;
use winapi::shared::ntdef::{
BOOLEAN, CHAR, LARGE_INTEGER, LCID, LIST_ENTRY32, LONG, NTSTATUS, PROCESSOR_NUMBER,
SINGLE_LIST_ENTRY32, STRING32, UCHAR, ULARGE_INTEGER, ULONG, ULONGLONG, UNICODE_STRING,
UNICODE_STRING32, USHORT, WCHAR,
};
use winapi::um::winnt::{FLS_MAXIMUM_AVAILABLE, NT_TIB32};
pub const WOW64_SYSTEM_DIRECTORY: UTF8Const = UTF8Const("SysWOW64\0");
pub const WOW64_SYSTEM_DIRECTORY_U: UTF16Const = UTF16Const(&[
0x0053, 0x0079, 0x0073, 0x0057, 0x004F, 0x0057, 0x0036, 0x0034, 0u16,
]);
pub const WOW64_X86_TAG: UTF8Const = UTF8Const(" (x86)\0");
pub const WOW64_X86_TAG_U: UTF16Const = UTF16Const(&[
0x0020, 0x0028, 0x0078, 0x0038, 0x0036, 0x0029, 0u16,
]);
ENUM!{enum WOW64_SHARED_INFORMATION {
SharedNtdll32LdrInitializeThunk = 0,
SharedNtdll32KiUserExceptionDispatcher = 1,
SharedNtdll32KiUserApcDispatcher = 2,
SharedNtdll32KiUserCallbackDispatcher = 3,
SharedNtdll32ExpInterlockedPopEntrySListFault = 4,
SharedNtdll32ExpInterlockedPopEntrySListResume = 5,
SharedNtdll32ExpInterlockedPopEntrySListEnd = 6,
SharedNtdll32RtlUserThreadStart = 7,
SharedNtdll32pQueryProcessDebugInformationRemote = 8,
SharedNtdll32BaseAddress = 9,
SharedNtdll32LdrSystemDllInitBlock = 10,
Wow64SharedPageEntriesCount = 11,
}}
STRUCT!{struct RTL_BALANCED_NODE32_u_s {
Left: ULONG, Right: ULONG, }}
UNION!{union RTL_BALANCED_NODE32_u {
Children: [ULONG; 2], s: RTL_BALANCED_NODE32_u_s,
}}
STRUCT!{struct RTL_BALANCED_NODE32 {
u: RTL_BALANCED_NODE32_u,
ParentValue: ULONG,
}}
pub type PRTL_BALANCED_NODE32 = *mut RTL_BALANCED_NODE32;
STRUCT!{struct RTL_RB_TREE32 {
Root: ULONG, Min: ULONG, }}
pub type PRTL_RB_TREE32 = *mut RTL_RB_TREE32;
STRUCT!{struct PEB_LDR_DATA32 {
Length: ULONG,
Initialized: BOOLEAN,
SsHandle: ULONG,
InLoadOrderModuleList: LIST_ENTRY32,
InMemoryOrderModuleList: LIST_ENTRY32,
InInitializationOrderModuleList: LIST_ENTRY32,
EntryInProgress: ULONG,
ShutdownInProgress: BOOLEAN,
ShutdownThreadId: ULONG,
}}
pub type PPEB_LDR_DATA32 = *mut PEB_LDR_DATA32;
STRUCT!{struct LDR_SERVICE_TAG_RECORD32 {
Next: ULONG,
ServiceTag: ULONG,
}}
pub type PLDR_SERVICE_TAG_RECORD32 = *mut LDR_SERVICE_TAG_RECORD32;
STRUCT!{struct LDRP_CSLIST32 {
Tail: ULONG, }}
pub type PLDRP_CSLIST32 = *mut LDRP_CSLIST32;
UNION!{union LDR_DDAG_NODE32_u {
Dependencies: LDRP_CSLIST32,
RemovalLink: SINGLE_LIST_ENTRY32,
}}
STRUCT!{struct LDR_DDAG_NODE32 {
Modules: LIST_ENTRY32,
ServiceTagList: ULONG, LoadCount: ULONG,
LoadWhileUnloadingCount: ULONG,
LowestLink: ULONG,
u: LDR_DDAG_NODE32_u,
IncomingDependencies: LDRP_CSLIST32,
State: LDR_DDAG_STATE,
CondenseLink: SINGLE_LIST_ENTRY32,
PreorderNumber: ULONG,
}}
pub type PLDR_DDAG_NODE32 = *mut LDR_DDAG_NODE32;
pub const LDR_DATA_TABLE_ENTRY_SIZE_WINXP_32: usize = 80;
pub const LDR_DATA_TABLE_ENTRY_SIZE_WIN7_32: usize = 144;
pub const LDR_DATA_TABLE_ENTRY_SIZE_WIN8_32: usize = 152;
UNION!{union LDR_DATA_TABLE_ENTRY32_u1 {
InInitializationOrderLinks: LIST_ENTRY32,
InProgressLinks: LIST_ENTRY32,
}}
UNION!{union LDR_DATA_TABLE_ENTRY32_u2 {
FlagGroup: [UCHAR; 4],
Flags: ULONG,
}}
STRUCT!{struct LDR_DATA_TABLE_ENTRY32 {
InLoadOrderLinks: LIST_ENTRY32,
InMemoryOrderLinks: LIST_ENTRY32,
u1: LDR_DATA_TABLE_ENTRY32_u1,
DllBase: ULONG, EntryPoint: ULONG, SizeOfImage: ULONG,
FullDllName: UNICODE_STRING32,
BaseDllName: UNICODE_STRING32,
u2: LDR_DATA_TABLE_ENTRY32_u2,
ObsoleteLoadCount: USHORT,
TlsIndex: USHORT,
HashLinks: LIST_ENTRY32,
TimeDateStamp: ULONG,
EntryPointActivationContext: ULONG, Lock: ULONG, DdagNode: ULONG, NodeModuleLink: LIST_ENTRY32,
LoadContext: ULONG, ParentDllBase: ULONG, SwitchBackContext: ULONG, BaseAddressIndexNode: RTL_BALANCED_NODE32,
MappingInfoIndexNode: RTL_BALANCED_NODE32,
OriginalBase: ULONG,
LoadTime: LARGE_INTEGER,
BaseNameHashValue: ULONG,
LoadReason: LDR_DLL_LOAD_REASON,
ImplicitPathOptions: ULONG,
ReferenceCount: ULONG,
DependentLoadFlags: ULONG,
SigningLevel: UCHAR,
}}
BITFIELD!{unsafe LDR_DATA_TABLE_ENTRY32_u2 Flags: ULONG [
PackagedBinary set_PackagedBinary[0..1],
MarkedForRemoval set_MarkedForRemoval[1..2],
ImageDll set_ImageDll[2..3],
LoadNotificationsSent set_LoadNotificationsSent[3..4],
TelemetryEntryProcessed set_TelemetryEntryProcessed[4..5],
ProcessStaticImport set_ProcessStaticImport[5..6],
InLegacyLists set_InLegacyLists[6..7],
InIndexes set_InIndexes[7..8],
ShimDll set_ShimDll[8..9],
InExceptionTable set_InExceptionTable[9..10],
ReservedFlags1 set_ReservedFlags1[10..12],
LoadInProgress set_LoadInProgress[12..13],
LoadConfigProcessed set_LoadConfigProcessed[13..14],
EntryProcessed set_EntryProcessed[14..15],
ProtectDelayLoad set_ProtectDelayLoad[15..16],
ReservedFlags3 set_ReservedFlags3[16..18],
DontCallForThreads set_DontCallForThreads[18..19],
ProcessAttachCalled set_ProcessAttachCalled[19..20],
ProcessAttachFailed set_ProcessAttachFailed[20..21],
CorDeferredValidate set_CorDeferredValidate[21..22],
CorImage set_CorImage[22..23],
DontRelocate set_DontRelocate[23..24],
CorILOnly set_CorILOnly[24..25],
ReservedFlags5 set_ReservedFlags5[25..28],
Redirected set_Redirected[28..29],
ReservedFlags6 set_ReservedFlags6[29..31],
CompatDatabaseProcessed set_CompatDatabaseProcessed[31..32],
]}
pub type PLDR_DATA_TABLE_ENTRY32 = *mut LDR_DATA_TABLE_ENTRY32;
STRUCT!{struct CURDIR32 {
DosPath: UNICODE_STRING32,
Handle: ULONG, }}
pub type PCURDIR32 = *mut CURDIR32;
STRUCT!{struct RTL_DRIVE_LETTER_CURDIR32 {
Flags: USHORT,
Length: USHORT,
TimeStamp: ULONG,
DosPath: STRING32,
}}
pub type PRTL_DRIVE_LETTER_CURDIR32 = *mut RTL_DRIVE_LETTER_CURDIR32;
STRUCT!{struct RTL_USER_PROCESS_PARAMETERS32 {
MaximumLength: ULONG,
Length: ULONG,
Flags: ULONG,
DebugFlags: ULONG,
ConsoleHandle: ULONG, ConsoleFlags: ULONG,
StandardInput: ULONG, StandardOutput: ULONG, StandardError: ULONG, CurrentDirectory: CURDIR32,
DllPath: UNICODE_STRING32,
ImagePathName: UNICODE_STRING32,
CommandLine: UNICODE_STRING32,
Environment: ULONG, StartingX: ULONG,
StartingY: ULONG,
CountX: ULONG,
CountY: ULONG,
CountCharsX: ULONG,
CountCharsY: ULONG,
FillAttribute: ULONG,
WindowFlags: ULONG,
ShowWindowFlags: ULONG,
WindowTitle: UNICODE_STRING32,
DesktopInfo: UNICODE_STRING32,
ShellInfo: UNICODE_STRING32,
RuntimeData: UNICODE_STRING32,
CurrentDirectories: [RTL_DRIVE_LETTER_CURDIR32; RTL_MAX_DRIVE_LETTERS],
EnvironmentSize: ULONG,
EnvironmentVersion: ULONG,
PackageDependencyData: ULONG, ProcessGroupId: ULONG,
LoaderThreads: ULONG,
}}
pub type PRTL_USER_PROCESS_PARAMETERS32 = *mut RTL_USER_PROCESS_PARAMETERS32;
UNION!{union PEB32_u {
KernelCallbackTable: ULONG, UserSharedInfoPtr: ULONG, }}
STRUCT!{struct PEB32 {
InheritedAddressSpace: BOOLEAN,
ReadImageFileExecOptions: BOOLEAN,
BeingDebugged: BOOLEAN,
BitField: BOOLEAN,
Mutant: ULONG, ImageBaseAddress: ULONG, Ldr: ULONG, ProcessParameters: ULONG, SubSystemData: ULONG, ProcessHeap: ULONG, FastPebLock: ULONG, AtlThunkSListPtr: ULONG, IFEOKey: ULONG, CrossProcessFlags: ULONG,
u: PEB32_u,
SystemReserved: [ULONG; 1],
AtlThunkSListPtr32: ULONG,
ApiSetMap: ULONG, TlsExpansionCounter: ULONG,
TlsBitmap: ULONG, TlsBitmapBits: [ULONG; 2],
ReadOnlySharedMemoryBase: ULONG, HotpatchInformation: ULONG, ReadOnlyStaticServerData: ULONG, AnsiCodePageData: ULONG, OemCodePageData: ULONG, UnicodeCaseTableData: ULONG, NumberOfProcessors: ULONG,
NtGlobalFlag: ULONG,
CriticalSectionTimeout: LARGE_INTEGER,
HeapSegmentReserve: ULONG,
HeapSegmentCommit: ULONG,
HeapDeCommitTotalFreeThreshold: ULONG,
HeapDeCommitFreeBlockThreshold: ULONG,
NumberOfHeaps: ULONG,
MaximumNumberOfHeaps: ULONG,
ProcessHeaps: ULONG, GdiSharedHandleTable: ULONG, ProcessStarterHelper: ULONG, GdiDCAttributeList: ULONG,
LoaderLock: ULONG, OSMajorVersion: ULONG,
OSMinorVersion: ULONG,
OSBuildNumber: USHORT,
OSCSDVersion: USHORT,
OSPlatformId: ULONG,
ImageSubsystem: ULONG,
ImageSubsystemMajorVersion: ULONG,
ImageSubsystemMinorVersion: ULONG,
ActiveProcessAffinityMask: ULONG,
GdiHandleBuffer: GDI_HANDLE_BUFFER32,
PostProcessInitRoutine: ULONG, TlsExpansionBitmap: ULONG, TlsExpansionBitmapBits: [ULONG; 32],
SessionId: ULONG,
AppCompatFlags: ULARGE_INTEGER,
AppCompatFlagsUser: ULARGE_INTEGER,
pShimData: ULONG, AppCompatInfo: ULONG, CSDVersion: UNICODE_STRING32,
ActivationContextData: ULONG, ProcessAssemblyStorageMap: ULONG, SystemDefaultActivationContextData: ULONG, SystemAssemblyStorageMap: ULONG, MinimumStackCommit: ULONG,
FlsCallback: ULONG, FlsListHead: LIST_ENTRY32,
FlsBitmap: ULONG, FlsBitmapBits: [ULONG; FLS_MAXIMUM_AVAILABLE as usize / (size_of::<ULONG>() * 8)],
FlsHighIndex: ULONG,
WerRegistrationData: ULONG, WerShipAssertPtr: ULONG, pContextData: ULONG, pImageHeaderHash: ULONG, TracingFlags: ULONG,
CsrServerReadOnlySharedMemoryBase: ULONGLONG,
TppWorkerpListLock: ULONG, TppWorkerpList: LIST_ENTRY32,
WaitOnAddressHashTable: [ULONG; 128], TelemetryCoverageHeader: ULONG, CloudFileFlags: ULONG,
CloudFileDiagFlags: ULONG,
PlaceholderCompatibilityMode: CHAR,
PlaceholderCompatibilityModeReserved: [CHAR; 7],
}}
BITFIELD!{PEB32 BitField: BOOLEAN [
ImageUsesLargePages set_ImageUsesLargePages[0..1],
IsProtectedProcess set_IsProtectedProcess[1..2],
IsImageDynamicallyRelocated set_IsImageDynamicallyRelocated[2..3],
SkipPatchingUser32Forwarders set_SkipPatchingUser32Forwarders[3..4],
IsPackagedProcess set_IsPackagedProcess[4..5],
IsAppContainer set_IsAppContainer[5..6],
IsProtectedProcessLight set_IsProtectedProcessLight[6..7],
IsLongPathAwareProcess set_IsLongPathAwareProcess[7..8],
]}
BITFIELD!{PEB32 CrossProcessFlags: ULONG [
ProcessInJob set_ProcessInJob[0..1],
ProcessInitializing set_ProcessInitializing[1..2],
ProcessUsingVEH set_ProcessUsingVEH[2..3],
ProcessUsingVCH set_ProcessUsingVCH[3..4],
ProcessUsingFTH set_ProcessUsingFTH[4..5],
ReservedBits0 set_ReservedBits0[5..32],
]}
BITFIELD!{PEB32 TracingFlags: ULONG [
HeapTracingEnabled set_HeapTracingEnabled[0..1],
CritSecTracingEnabled set_CritSecTracingEnabled[1..2],
LibLoaderTracingEnabled set_LibLoaderTracingEnabled[2..3],
SpareTracingBits set_SpareTracingBits[3..32],
]}
pub type PPEB32 = *mut PEB32;
pub const GDI_BATCH_BUFFER_SIZE: usize = 310;
STRUCT!{struct GDI_TEB_BATCH32 {
Offset: ULONG,
HDC: ULONG,
Buffer: [ULONG; GDI_BATCH_BUFFER_SIZE],
}}
pub type PGDI_TEB_BATCH32 = *mut GDI_TEB_BATCH32;
STRUCT!{struct TEB32_u_s {
ReservedPad0: UCHAR,
ReservedPad1: UCHAR,
ReservedPad2: UCHAR,
IdealProcessor: UCHAR,
}}
UNION!{union TEB32_u {
CurrentIdealProcessor: PROCESSOR_NUMBER,
IdealProcessorValue: ULONG,
s: TEB32_u_s,
}}
STRUCT!{struct TEB32 {
NtTib: NT_TIB32,
EnvironmentPointer: ULONG, ClientId: CLIENT_ID32,
ActiveRpcHandle: ULONG, ThreadLocalStoragePointer: ULONG, ProcessEnvironmentBlock: ULONG, LastErrorValue: ULONG,
CountOfOwnedCriticalSections: ULONG,
CsrClientThread: ULONG, Win32ThreadInfo: ULONG, User32Reserved: [ULONG; 26],
UserReserved: [ULONG; 5],
WOW32Reserved: ULONG, CurrentLocale: LCID,
FpSoftwareStatusRegister: ULONG,
ReservedForDebuggerInstrumentation: [ULONG; 16], SystemReserved1: [ULONG; 36], WorkingOnBehalfTicket: [UCHAR; 8],
ExceptionCode: NTSTATUS,
ActivationContextStackPointer: ULONG, InstrumentationCallbackSp: ULONG,
InstrumentationCallbackPreviousPc: ULONG,
InstrumentationCallbackPreviousSp: ULONG,
InstrumentationCallbackDisabled: BOOLEAN,
SpareBytes: [UCHAR; 23],
TxFsContext: ULONG,
GdiTebBatch: GDI_TEB_BATCH32,
RealClientId: CLIENT_ID32,
GdiCachedProcessHandle: ULONG, GdiClientPID: ULONG,
GdiClientTID: ULONG,
GdiThreadLocalInfo: ULONG, Win32ClientInfo: [ULONG; 62],
glDispatchTable: [ULONG; 233], glReserved1: [ULONG; 29], glReserved2: ULONG, glSectionInfo: ULONG, glSection: ULONG, glTable: ULONG, glCurrentRC: ULONG, glContext: ULONG, LastStatusValue: NTSTATUS,
StaticUnicodeString: UNICODE_STRING32,
StaticUnicodeBuffer: [WCHAR; 261],
DeallocationStack: ULONG, TlsSlots: [ULONG; 64], TlsLinks: LIST_ENTRY32,
Vdm: ULONG, ReservedForNtRpc: ULONG, DbgSsReserved: [ULONG; 2], HardErrorMode: ULONG,
Instrumentation: [ULONG; 9], ActivityId: GUID,
SubProcessTag: ULONG, PerflibData: ULONG, EtwTraceData: ULONG, WinSockData: ULONG, GdiBatchCount: ULONG,
u: TEB32_u,
GuaranteedStackBytes: ULONG,
ReservedForPerf: ULONG, ReservedForOle: ULONG, WaitingOnLoaderLock: ULONG,
SavedPriorityState: ULONG, ReservedForCodeCoverage: ULONG,
ThreadPoolData: ULONG, TlsExpansionSlots: ULONG, MuiGeneration: ULONG,
IsImpersonating: ULONG,
NlsCache: ULONG, pShimData: ULONG, HeapVirtualAffinity: USHORT,
LowFragHeapDataSlot: USHORT,
CurrentTransactionHandle: ULONG, ActiveFrame: ULONG, FlsData: ULONG, PreferredLanguages: ULONG, UserPrefLanguages: ULONG, MergedPrefLanguages: ULONG, MuiImpersonation: ULONG,
CrossTebFlags: USHORT,
SameTebFlags: USHORT,
TxnScopeEnterCallback: ULONG, TxnScopeExitCallback: ULONG, TxnScopeContext: ULONG, LockCount: ULONG,
WowTebOffset: LONG,
ResourceRetValue: ULONG, ReservedForWdf: ULONG, ReservedForCrt: ULONGLONG,
EffectiveContainerId: GUID,
}}
BITFIELD!{TEB32 SameTebFlags: USHORT [
SafeThunkCall set_SafeThunkCall[0..1],
InDebugPrint set_InDebugPrint[1..2],
HasFiberData set_HasFiberData[2..3],
SkipThreadAttach set_SkipThreadAttach[3..4],
WerInShipAssertCode set_WerInShipAssertCode[4..5],
RanProcessInit set_RanProcessInit[5..6],
ClonedThread set_ClonedThread[6..7],
SuppressDebugMsg set_SuppressDebugMsg[7..8],
DisableUserStackWalk set_DisableUserStackWalk[8..9],
RtlExceptionAttached set_RtlExceptionAttached[9..10],
InitialThread set_InitialThread[10..11],
SessionAware set_SessionAware[11..12],
LoadOwner set_LoadOwner[12..13],
LoaderWorker set_LoaderWorker[13..14],
SpareSameTebBits set_SpareSameTebBits[14..16],
]}
pub type PTEB32 = *mut TEB32;
#[inline]
pub fn UStr32ToUStr(
Destination: &mut UNICODE_STRING,
Source: &UNICODE_STRING32,
) {
Destination.Length = Source.Length;
Destination.MaximumLength = Source.MaximumLength;
Destination.Buffer = Source.Buffer as *mut u16;
}
#[inline]
pub fn UStrToUStr32(
Destination: &mut UNICODE_STRING32,
Source: &UNICODE_STRING,
) {
Destination.Length = Source.Length;
Destination.MaximumLength = Source.MaximumLength;
Destination.Buffer = Source.Buffer as u32;
}