#pragma once
#include <cstddef>
#include <cstdint>

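namespace nt {
	// Hand-rolled mirrors of the Windows PE file-format and user-mode loader
	// (PEB / LDR) structures so the injector can be built without <windows.h>.
	// Field names and order follow the public winnt.h / ntdll layouts. All
	// scalar members use fixed-width types so the layout is identical on every
	// host compiler: the previous `using DWORD = unsigned long` was 8 bytes on
	// LP64 hosts, which silently changed the size of every PE header below,
	// and `using WORD = short` sign-extended Machine / DllCharacteristics
	// values >= 0x8000.
	//
	// Security note: everything described in this file is read from an image
	// file or from another process's memory and must be treated as
	// attacker-controlled. Before dereferencing anything derived from these
	// fields, callers should validate at least:
	//   - e_lfanew against the size of the mapped headers;
	//   - Signature / Magic against the PE_* constants below, and pick the
	//     PE32 or PE32+ optional-header layout from Magic, never from the
	//     injector's own bitness;
	//   - NumberOfRvaAndSizes before indexing DataDirectory;
	//   - every RVA and count (exports, names, ordinals) against SizeOfImage;
	//   - UNICODE_STRING::Length (bytes, not characters) before reading
	//     Buffer, which is not guaranteed to be NUL-terminated.
	using WORD  = uint16_t;   // winnt.h WORD is unsigned 16-bit
	using BYTE  = uint8_t;
	using DWORD = uint32_t;   // winnt.h DWORD is always 32-bit
	using LONG  = int32_t;    // winnt.h LONG is always 32-bit

	// Well-known signature / magic values for validating headers before
	// trusting their layout. Named PE_* (not IMAGE_*) so they cannot collide
	// with the winnt.h macros if a translation unit includes both.
	constexpr WORD  PE_DOS_SIGNATURE          = 0x5A4D;      // "MZ"
	constexpr DWORD PE_NT_SIGNATURE           = 0x00004550;  // "PE\0\0"
	constexpr WORD  PE_OPTIONAL_MAGIC_32      = 0x010B;      // PE32  -> IMAGE_OPTIONAL_HEADER
	constexpr WORD  PE_OPTIONAL_MAGIC_64      = 0x020B;      // PE32+ -> IMAGE_OPTIONAL_HEADER64
	constexpr DWORD PE_NUM_DIRECTORY_ENTRIES  = 16;          // size of DataDirectory[]
	constexpr DWORD PE_DIRECTORY_ENTRY_EXPORT = 0;           // index of the export table in DataDirectory[]

	// One data-directory slot. VirtualAddress is an RVA (image-relative), not
	// a file offset; both fields are untrusted until checked against SizeOfImage.
	typedef struct _IMAGE_DATA_DIRECTORY {
		DWORD VirtualAddress;
		DWORD Size;
	} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;

	// PE32 (32-bit image) optional header, 0xE0 bytes. Only valid when
	// Magic == PE_OPTIONAL_MAGIC_32. PE32+ images use IMAGE_OPTIONAL_HEADER64:
	// the two layouts diverge at ImageBase (8 bytes, no BaseOfData) and again at
	// SizeOfStackReserve, so DataDirectory sits at 0x60 here but 0x70 there.
	typedef struct _IMAGE_OPTIONAL_HEADER {
		WORD                 Magic;
		BYTE                 MajorLinkerVersion;
		BYTE                 MinorLinkerVersion;
		DWORD                SizeOfCode;
		DWORD                SizeOfInitializedData;
		DWORD                SizeOfUninitializedData;
		DWORD                AddressOfEntryPoint;   // RVA; 0 is legal for DLLs without an entry point
		DWORD                BaseOfCode;
		DWORD                BaseOfData;
		DWORD                ImageBase;
		DWORD                SectionAlignment;
		DWORD                FileAlignment;
		WORD                 MajorOperatingSystemVersion;
		WORD                 MinorOperatingSystemVersion;
		WORD                 MajorImageVersion;
		WORD                 MinorImageVersion;
		WORD                 MajorSubsystemVersion;
		WORD                 MinorSubsystemVersion;
		DWORD                Win32VersionValue;
		DWORD                SizeOfImage;           // upper bound for every RVA in the image
		DWORD                SizeOfHeaders;
		DWORD                CheckSum;
		WORD                 Subsystem;
		WORD                 DllCharacteristics;
		DWORD                SizeOfStackReserve;
		DWORD                SizeOfStackCommit;
		DWORD                SizeOfHeapReserve;
		DWORD                SizeOfHeapCommit;
		DWORD                LoaderFlags;
		DWORD                NumberOfRvaAndSizes;   // may be < 16; do not index DataDirectory past it
		IMAGE_DATA_DIRECTORY DataDirectory[ PE_NUM_DIRECTORY_ENTRIES ];
	} IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;

	// PE32+ (64-bit image) optional header, 0xF0 bytes. Only valid when
	// Magic == PE_OPTIONAL_MAGIC_64.
	typedef struct _IMAGE_OPTIONAL_HEADER64 {
		WORD                 Magic;
		BYTE                 MajorLinkerVersion;
		BYTE                 MinorLinkerVersion;
		DWORD                SizeOfCode;
		DWORD                SizeOfInitializedData;
		DWORD                SizeOfUninitializedData;
		DWORD                AddressOfEntryPoint;
		DWORD                BaseOfCode;
		uint64_t             ImageBase;             // 8 bytes here; PE32+ has no BaseOfData
		DWORD                SectionAlignment;
		DWORD                FileAlignment;
		WORD                 MajorOperatingSystemVersion;
		WORD                 MinorOperatingSystemVersion;
		WORD                 MajorImageVersion;
		WORD                 MinorImageVersion;
		WORD                 MajorSubsystemVersion;
		WORD                 MinorSubsystemVersion;
		DWORD                Win32VersionValue;
		DWORD                SizeOfImage;
		DWORD                SizeOfHeaders;
		DWORD                CheckSum;
		WORD                 Subsystem;
		WORD                 DllCharacteristics;
		uint64_t             SizeOfStackReserve;
		uint64_t             SizeOfStackCommit;
		uint64_t             SizeOfHeapReserve;
		uint64_t             SizeOfHeapCommit;
		DWORD                LoaderFlags;
		DWORD                NumberOfRvaAndSizes;
		IMAGE_DATA_DIRECTORY DataDirectory[ PE_NUM_DIRECTORY_ENTRIES ];
	} IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64;

	// COFF file header, 20 bytes; immediately follows the "PE\0\0" signature.
	typedef struct _IMAGE_FILE_HEADER {
		WORD  Machine;               // e.g. 0x014C (i386), 0x8664 (x64); >= 0x8000 is why WORD must be unsigned
		WORD  NumberOfSections;
		DWORD TimeDateStamp;
		DWORD PointerToSymbolTable;
		DWORD NumberOfSymbols;
		WORD  SizeOfOptionalHeader;  // actual size of the optional header that follows; check it before using a full layout
		WORD  Characteristics;
	} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;

	// NT headers for a PE32 image. Located at IMAGE_DOS_HEADER::e_lfanew.
	// Read FileHeader first, then dispatch on OptionalHeader.Magic.
	typedef struct _IMAGE_NT_HEADERS {
		DWORD                 Signature;   // must equal PE_NT_SIGNATURE
		IMAGE_FILE_HEADER     FileHeader;
		IMAGE_OPTIONAL_HEADER OptionalHeader;
	} IMAGE_NT_HEADERS, *PIMAGE_NT_HEADERS;

	// NT headers for a PE32+ image.
	typedef struct _IMAGE_NT_HEADERS64 {
		DWORD                   Signature;
		IMAGE_FILE_HEADER       FileHeader;
		IMAGE_OPTIONAL_HEADER64 OptionalHeader;
	} IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;

	// Export directory (DataDirectory[PE_DIRECTORY_ENTRY_EXPORT]), 40 bytes.
	// All Address* fields are RVAs; the three tables are parallel arrays:
	// AddressOfNames[i] names the export whose function index is
	// AddressOfNameOrdinals[i] (a 16-bit index into AddressOfFunctions, not
	// biased by Base). Every count and RVA here comes from the image and must
	// be range-checked against SizeOfImage before the tables are walked.
	// An AddressOfFunctions entry that points back inside this directory's
	// own range is a forwarder string ("DLL.Name"), not code.
	typedef struct _IMAGE_EXPORT_DIRECTORY {
		uint32_t Characteristics;
		uint32_t TimeDateStamp;
		uint16_t MajorVersion;
		uint16_t MinorVersion;
		uint32_t Name;                   // RVA of the DLL name
		uint32_t Base;                   // ordinal base (ordinal = index + Base)
		uint32_t NumberOfFunctions;
		uint32_t NumberOfNames;
		uint32_t AddressOfFunctions;     // RVA from base of image
		uint32_t AddressOfNames;         // RVA from base of image
		uint32_t AddressOfNameOrdinals;  // RVA from base of image
	} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;

	// Legacy DOS stub header, 64 bytes, at offset 0 of every PE image.
	typedef struct _IMAGE_DOS_HEADER {
		WORD e_magic;    // must equal PE_DOS_SIGNATURE
		WORD e_cblp;
		WORD e_cp;
		WORD e_crlc;
		WORD e_cparhdr;
		WORD e_minalloc;
		WORD e_maxalloc;
		WORD e_ss;
		WORD e_sp;
		WORD e_csum;
		WORD e_ip;
		WORD e_cs;
		WORD e_lfarlc;
		WORD e_ovno;
		WORD e_res[ 4 ];
		WORD e_oemid;
		WORD e_oeminfo;
		WORD e_res2[ 10 ];
		LONG e_lfanew;   // file offset of IMAGE_NT_HEADERS; signed 32-bit, so reject <= 0 and anything past the mapped size
	} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;

	// Doubly-linked list link; the list head lives inside the owning structure
	// and entries are recovered with a CONTAINING_RECORD-style offset.
	typedef struct _LIST_ENTRY {
		struct _LIST_ENTRY  *Flink;
		struct _LIST_ENTRY  *Blink;
	} LIST_ENTRY, *PLIST_ENTRY;

	// ntdll loader data (PEB::Ldr). The three module lists link the
	// LDR_DATA_TABLE_ENTRY structures through the correspondingly named
	// LIST_ENTRY members. 64-bit layout.
	struct PEB_LDR_DATA {
		uint32_t		Length;
		uint8_t			Initialized;
		uintptr_t		SsHandle;
		LIST_ENTRY		InLoadOrderModuleList;
		LIST_ENTRY		InMemoryOrderModuleList;
		LIST_ENTRY		InInitializationOrderModuleList;
		uintptr_t		EntryInProgress;
		uint8_t			ShutdownInProgress;
		uintptr_t		ShutdownThreadId;
	};

	// Counted UTF-16 string. Length and MaximumLength are in BYTES, not
	// characters, and Buffer is not guaranteed to be NUL-terminated — never
	// hand it to wcslen()/wcscmp() directly; compare Length/2 characters.
	struct UNICODE_STRING {
		uint16_t	Length;
		uint16_t	MaximumLength;
		wchar_t		*Buffer;
	};

	// Counted ANSI string; same byte-length / no-terminator caveats as above.
	struct STRING {
		uint16_t	Length;
		uint16_t	MaximumLength;
		char		*Buffer;
	};

	struct CURDIR {
		UNICODE_STRING	DosPath;
		uintptr_t		Handle;
	};

	struct RTL_DRIVE_LETTER_CURDIR {
		uint16_t	Flags;
		uint16_t	Length;
		uint32_t	TimeStamp;
		STRING		DosPath;
	};

	// Process start-up parameters (PEB::ProcessParameters). 64-bit layout.
	struct RTL_USER_PROCESS_PARAMETERS {
		uint32_t					MaximumLength;
		uint32_t					Length;
		uint32_t					Flags;
		uint32_t					DebugFlags;
		uintptr_t					ConsoleHandle;
		uint32_t					ConsoleFlags;
		uintptr_t					StandardInput;
		uintptr_t					StandardOutput;
		uintptr_t					StandardError;
		CURDIR						CurrentDirectory;
		UNICODE_STRING				DllPath;
		UNICODE_STRING				ImagePathName;
		UNICODE_STRING				CommandLine;
		uintptr_t					Environment;
		uint32_t					StartingX;
		uint32_t					StartingY;
		uint32_t					CountX;
		uint32_t					CountY;
		uint32_t					CountCharsX;
		uint32_t					CountCharsY;
		uint32_t					FillAttribute;
		uint32_t					WindowFlags;
		uint32_t					ShowWindowFlags;
		UNICODE_STRING				WindowTitle;
		UNICODE_STRING				DesktopInfo;
		UNICODE_STRING				ShellInfo;
		UNICODE_STRING				RuntimeData;
		RTL_DRIVE_LETTER_CURDIR		CurrentDirectores[ 32 ];	// misspelling kept: matches the field name in ntdll's public symbols
		uintptr_t					EnvironmentSize;
		uintptr_t					EnvironmentVersion;
		uintptr_t					PackageDependencyData;
		uint32_t					ProcessGroupId;
		uint32_t					LoaderThreads;
	};

	// RB-tree node used by the loader's module indexes. In winnt.h this is
	// 3 pointers wide: Children[2] ALIASES Left/Right through a union. The
	// previous definition laid them out sequentially (5 pointers), which
	// inflated LDR_DATA_TABLE_ENTRY by 32 bytes and shifted every field after
	// BaseAddressIndexNode (OriginalBase, LoadTime, BaseNameHashValue, ...).
	struct RTL_BALANCED_NODE {
		union {
			RTL_BALANCED_NODE	*Children[ 2 ];
			struct {
				RTL_BALANCED_NODE	*Left;
				RTL_BALANCED_NODE	*Right;
			};
		};
		uintptr_t			ParentValue;	// parent pointer with Red/Balance packed into the low 3 bits; mask before dereferencing
	};

	// Process Environment Block, 64-bit layout only: the explicit Padding1..6
	// members exist solely to reproduce PEB64 alignment and are absent from
	// PEB32, so this definition must not be used from a 32-bit build to read
	// a 32-bit process. Names match the public ntdll symbols.
	struct _PEB {
		uint8_t							InheritedAddressSpace;
		uint8_t							ReadImageFileExecOptions;
		uint8_t							BeingDebugged;
		uint8_t							BitField;
		// 4 bytes of implicit padding here on x64 (Mutant is pointer-aligned)
		uintptr_t						Mutant;
		uintptr_t						ImageBaseAddress;		// 0x10
		PEB_LDR_DATA					*Ldr;					// 0x18
		RTL_USER_PROCESS_PARAMETERS		*ProcessParameters;		// 0x20
		uintptr_t						SubSystemData;
		uintptr_t						ProcessHeap;
		uintptr_t						*FastPebLock;
		uintptr_t						AtlThunkSListPtr;
		uintptr_t						IFEOKey;
		uint32_t						CrossProcessFlags;
		uint8_t							Padding1[ 4 ];
		uintptr_t						KernelCallbackTable;
		uintptr_t						UserSharedInfoPtr;
		uint32_t						SystemReserved[ 1 ];
		uint32_t						AtlThunkSListPtr32;
		uintptr_t						ApiSetMap;
		uint32_t						TlsExpansionCounter;
		uint8_t							Padding2[ 4 ];
		uintptr_t						TlsBitmap;
		uint32_t						TlsBitmapBits[ 2 ];
		uintptr_t						ReadOnlySharedMemoryBase;
		uintptr_t						SparePvoid0;
		uintptr_t						ReadOnlyStaticServerData;
		uintptr_t						AnsiCodePageData;
		uintptr_t						OemCodePageData;
		uintptr_t						UnicodeCaseTableData;
		uint32_t						NumberOfProcessors;
		uint32_t						NtGlobalFlag;
		uint64_t						CriticalSectionTimeout;
		uintptr_t						HeapSegmentReserve;
		uintptr_t						HeapSegmentCommit;
		uintptr_t						HeapDeCommitTotalFreeThreshold;
		uintptr_t						HeapDeCommitFreeBlockThreshold;
		uint32_t						NumberOfHeaps;
		uint32_t						MaximumNumberOfHeaps;
		uintptr_t						ProcessHeaps;
		uintptr_t						GdiSharedHandleTable;
		uintptr_t						ProcessStarterHelper;
		uint32_t						GdiDCAttributeList;
		uint8_t							Padding3[ 4 ];
		uintptr_t						*LoaderLock;
		uint32_t						OSMajorVersion;
		uint32_t						OSMinorVersion;
		uint16_t						OSBuildNumber;
		uint16_t						OSCSDVersion;
		uint32_t						OSPlatformId;
		uint32_t						ImageSubsystem;
		uint32_t						ImageSubsystemMajorVersion;
		uint32_t						ImageSubsystemMinorVersion;
		uint8_t							Padding4[ 4 ];
		uintptr_t						ActiveProcessAffinityMask;
		// GdiHandleBuffer holds 60 ULONGs in PEB64 and 34 in PEB32. The old
		// `#ifdef _WIN32` test selected the PEB32 count on 64-bit Windows as
		// well (_WIN32 is defined there too), shifting every field below this
		// one by 104 bytes. Only a genuinely 32-bit Windows build gets 34 now.
#if defined(_WIN32) && !defined(_WIN64)
		uint32_t						GdiHandleBuffer[ 34 ];
#else
		uint32_t						GdiHandleBuffer[ 60 ];
#endif
		uintptr_t						PostProcessInitRoutine;
		uintptr_t						TlsExpansionBitmap;
		uint32_t						TlsExpansionBitmapBits[ 32 ];
		uint32_t						SessionId;
		uint8_t							Padding5[ 4 ];
		uint64_t						AppCompatFlags;
		uint64_t						AppCompatFlagsUser;
		uintptr_t						pShimData;
		uintptr_t						AppCompatInfo;
		UNICODE_STRING					CSDVersion;
		uintptr_t						ActivationContextData;
		uintptr_t						ProcessAssemblyStorageMap;
		uintptr_t						SystemDefaultActivationContextData;
		uintptr_t						SystemAssemblyStorageMap;
		uintptr_t						MinimumStackCommit;
		uintptr_t						FlsCallback;
		LIST_ENTRY						FlsListHead;
		uintptr_t						FlsBitmap;
		uint32_t						FlsBitmapBits[ 4 ];
		uint32_t						FlsHighIndex;
		uintptr_t						WerRegistrationData;
		uintptr_t						WerShipAssertPtr;
		uintptr_t						pUnused;
		uintptr_t						pImageHeaderHash;
		uint32_t						TracingFlags;
		uint8_t							Padding6[ 4 ];
		uint64_t						CsrServerReadOnlySharedMemoryBase;
		uintptr_t						TppWorkerpListLock;
		LIST_ENTRY						TppWorkerpList;
		uintptr_t						WaitOnAddressHashTable[ 128 ];
	};

	// One loaded module, as linked into the PEB_LDR_DATA lists. 64-bit layout.
	// A pointer obtained from InMemoryOrderModuleList points at
	// InMemoryOrderLinks (offset 0x10), not at the start of the entry.
	struct LDR_DATA_TABLE_ENTRY {
		LIST_ENTRY				InLoadOrderLinks;				// 0x00
		LIST_ENTRY				InMemoryOrderLinks;				// 0x10
		LIST_ENTRY				InInitializationOrderLinks;		// 0x20
		uintptr_t				DllBase;						// 0x30
		uintptr_t				EntryPoint;						// 0x38
		uint32_t				SizeOfImage;					// 0x40
		UNICODE_STRING			FullDllName;					// 0x48
		UNICODE_STRING			BaseDllName;					// 0x58
		uint8_t					FlagGroup[ 4 ];
		uint32_t				Flags;
		uint16_t				ObsoleteLoadCount;
		uint16_t				TlsIndex;
		LIST_ENTRY				HashLinks;
		uint32_t				TimeDateStamp;
		uintptr_t				EntryPointActivationContext;
		uintptr_t				Lock;
		uintptr_t				DdagNode;
		LIST_ENTRY				NodeModuleLink;
		uintptr_t				LoadContext;
		uintptr_t				ParentDllBase;
		uintptr_t				SwitchBackContext;
		RTL_BALANCED_NODE		BaseAddressIndexNode;
		RTL_BALANCED_NODE		MappingInfoIndexNode;
		uintptr_t				OriginalBase;
		int64_t					LoadTime;
		uint32_t				BaseNameHashValue;
		uint32_t				LoadReason;
		uint32_t				ImplicitPathOptions;
		uint32_t				ReferenceCount;
	};

	// Layout guards. The PE sizes are fixed by the PE/COFF specification on
	// every host; the loader offsets are the well-known 64-bit ones and are
	// vacuous on a 32-bit host (where the PEB/LDR layouts above are not
	// applicable anyway).
	static_assert(sizeof(WORD) == 2 && sizeof(DWORD) == 4 && sizeof(LONG) == 4, "fixed-width WORD/DWORD/LONG");
	static_assert(sizeof(IMAGE_DATA_DIRECTORY) == 8, "IMAGE_DATA_DIRECTORY layout");
	static_assert(sizeof(IMAGE_FILE_HEADER) == 20, "IMAGE_FILE_HEADER layout");
	static_assert(sizeof(IMAGE_OPTIONAL_HEADER) == 0xE0 && offsetof(IMAGE_OPTIONAL_HEADER, DataDirectory) == 0x60, "PE32 optional header layout");
	static_assert(sizeof(IMAGE_OPTIONAL_HEADER64) == 0xF0 && offsetof(IMAGE_OPTIONAL_HEADER64, DataDirectory) == 0x70, "PE32+ optional header layout");
	static_assert(sizeof(IMAGE_DOS_HEADER) == 0x40 && offsetof(IMAGE_DOS_HEADER, e_lfanew) == 0x3C, "IMAGE_DOS_HEADER layout");
	static_assert(sizeof(IMAGE_EXPORT_DIRECTORY) == 0x28, "IMAGE_EXPORT_DIRECTORY layout");
	static_assert(sizeof(RTL_BALANCED_NODE) == 3 * sizeof(void *), "RTL_BALANCED_NODE layout");
	static_assert(sizeof(void *) != 8 || offsetof(_PEB, ImageBaseAddress) == 0x10, "PEB64::ImageBaseAddress");
	static_assert(sizeof(void *) != 8 || offsetof(_PEB, Ldr) == 0x18, "PEB64::Ldr");
	static_assert(sizeof(void *) != 8 || offsetof(_PEB, ProcessParameters) == 0x20, "PEB64::ProcessParameters");
	static_assert(sizeof(void *) != 8 || offsetof(PEB_LDR_DATA, InMemoryOrderModuleList) == 0x20, "PEB_LDR_DATA64::InMemoryOrderModuleList");
	static_assert(sizeof(void *) != 8 || offsetof(LDR_DATA_TABLE_ENTRY, DllBase) == 0x30, "LDR_DATA_TABLE_ENTRY64::DllBase");
	static_assert(sizeof(void *) != 8 || offsetof(LDR_DATA_TABLE_ENTRY, BaseDllName) == 0x58, "LDR_DATA_TABLE_ENTRY64::BaseDllName");
	static_assert(sizeof(void *) != 8 || offsetof(RTL_USER_PROCESS_PARAMETERS, CommandLine) == 0x70, "RTL_USER_PROCESS_PARAMETERS64::CommandLine");
} // namespace nt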