wraith/structures/offsets/
mod.rs

1//! Version-specific structure offsets
2
3mod win7;
4mod win10;
5mod win11;
6
7use crate::error::Result;
8use crate::version::{WindowsRelease, WindowsVersion};
9
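/// Byte offsets of the PEB members this crate reads, for one Windows release.
///
/// The PEB is not a stable ABI: member positions differ between releases
/// (and between 32- and 64-bit processes), so a table must only be paired
/// with the build it was derived for — see [`PebOffsets::for_version`].
/// Reading through a mismatched offset returns garbage, not an error, so a
/// caller cannot detect the mistake after the fact.
/// NOTE(review): the tables in `win7`/`win10`/`win11` do not state which
/// bitness they describe — confirm against the target before relying on them.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct PebOffsets {
    /// `BeingDebugged` — byte that is nonzero while a user-mode debugger is attached.
    pub being_debugged: usize,
    /// `Ldr` — pointer to the loader data (loaded-module lists).
    pub ldr: usize,
    /// `ProcessParameters` — pointer to the process parameter block.
    pub process_parameters: usize,
    /// `ImageBaseAddress` — base address of the main executable image.
    pub image_base: usize,
    /// `NtGlobalFlag` — global flags word (heap and debugging options).
    pub nt_global_flag: usize,
    /// `ProcessHeap` — handle of the default process heap.
    pub process_heap: usize,
    /// `NumberOfProcessors`.
    pub number_of_processors: usize,
    /// `OSMajorVersion`.
    pub os_major_version: usize,
    /// `OSMinorVersion`.
    pub os_minor_version: usize,
    /// `OSBuildNumber`.
    pub os_build_number: usize,
}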
24
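/// Byte offsets of the TEB members this crate reads, for one Windows release.
///
/// The leading `NT_TIB` portion of the TEB (exception list, stack base and
/// limit) is a documented, fixed layout; the remaining members are not, and
/// like the PEB their positions depend on release and bitness. Pair a table
/// only with the build it was derived for — see [`TebOffsets::for_version`].
/// NOTE(review): the tables in `win7`/`win10` do not state which bitness
/// they describe — confirm against the target before relying on them.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct TebOffsets {
    /// `NtTib.ExceptionList` — head of the SEH handler chain.
    pub seh_frame: usize,
    /// `NtTib.StackBase` — highest address of the thread's stack.
    pub stack_base: usize,
    /// `NtTib.StackLimit` — lowest committed address of the thread's stack.
    pub stack_limit: usize,
    /// `TlsSlots` — thread-local storage slot array.
    pub tls_slots: usize,
    /// `ProcessEnvironmentBlock` — pointer to the owning process's PEB.
    pub peb: usize,
    /// `ClientId` — process and thread identifiers.
    pub client_id: usize,
    /// `LastErrorValue` — the value returned by `GetLastError`.
    pub last_error: usize,
}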
36
impl PebOffsets {
    /// Select the PEB offset table for `version`.
    ///
    /// Windows 7 has a dedicated table, Windows 11 (21H2 and later) has
    /// another, and every other release — Windows 8, 8.1 and 10 — shares the
    /// Windows 10 table. The result is always `Ok`; the `Result` type is kept
    /// for callers that already propagate it.
    ///
    /// NOTE(review): any release that is neither 7 nor ≥ 11 21H2 silently
    /// receives the Windows 10 table. If `WindowsRelease` can represent an
    /// unrecognized build, returning an error there would be safer than
    /// reading process memory through offsets that may not match.
    pub fn for_version(version: &WindowsVersion) -> Result<&'static Self> {
        let table = match version.release() {
            WindowsRelease::Windows7 => &win7::PEB_OFFSETS,
            rel if rel >= WindowsRelease::Windows11_21H2 => &win11::PEB_OFFSETS,
            _ => &win10::PEB_OFFSETS,
        };
        Ok(table)
    }
}
52
impl TebOffsets {
    /// Select the TEB offset table for `version`.
    ///
    /// Only Windows 7 has a dedicated table; every other release uses the
    /// Windows 10 table, on the original author's premise that the TEB
    /// layout changes less across releases than the PEB. The result is
    /// always `Ok`; the `Result` type is kept for callers that propagate it.
    pub fn for_version(version: &WindowsVersion) -> Result<&'static Self> {
        let is_win7 = matches!(version.release(), WindowsRelease::Windows7);
        let table = if is_win7 {
            &win7::TEB_OFFSETS
        } else {
            &win10::TEB_OFFSETS
        };
        Ok(table)
    }
}