
Commit 9179e5e

PHNT header fixes (winsiderss#60)
This commit fixes the following PHNT header issues: * Updates PEB, PEB32, TEB, TEB32, KUSER_SHARED_DATA, LDR_DDAG_NODE and LDR_DATA_TABLE_ENTRY structures for Windows 10 builds 10240, 10586 and 14393 (at present these structures only support Windows 8 and require these fixes). * Fixes some PROCESSINFOCLASS fields using the wrong IDs. * Updates THREADINFOCLASS with new IDs. * Removes an incorrect ifdef for some functions that exist on XP and above. * Removes a field from the PEB32 structure that does not exist. * Fixes all inconsistencies with the PEB32 structure. * Adds extra C_ASSERTs for reliability.
1 parent 1e1151e commit 9179e5e


5 files changed

+179
-42
lines changed


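--- a/phnt/include/ntexapi.h
+++ b/phnt/include/ntexapi.h
@@ -35,8 +35,6 @@ NtSetSystemEnvironmentValue(
 _In_ PUNICODE_STRING VariableValue
 );
 
-#if (PHNT_VERSION >= PHNT_WIN8)
-
 NTSYSCALLAPI
 NTSTATUS
 NTAPI
@@ -68,8 +66,6 @@ NtEnumerateSystemEnvironmentValuesEx(
 _Inout_ PULONG BufferLength
 );
 
-#endif
-
 // EFI
 
 // private
@@ -2619,8 +2615,8 @@ typedef struct _KUSER_SHARED_DATA
 ULONGLONG RNGSeedVersion;
 ULONG GlobalValidationRunlevel;
 LONG TimeZoneBiasStamp;
-ULONG Reserved2;
 
+ULONG NtBuildNumber;
 ULONG NtProductType;
 BOOLEAN ProductTypeIsValid;
 UCHAR Reserved0[1];
@@ -2637,7 +2633,7 @@ typedef struct _KUSER_SHARED_DATA
 volatile ULONG TimeSlip;
 
 ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture;
-ULONG AltArchitecturePad[1];
+ULONG BootId;
 
 LARGE_INTEGER SystemExpirationDate;
 
@@ -2668,7 +2664,8 @@ typedef struct _KUSER_SHARED_DATA
 ULONG NumberOfPhysicalPages;
 
 BOOLEAN SafeBootMode;
-UCHAR Reserved12[3];
+UCHAR VirtualizationFlags;
+UCHAR Reserved12[2];
 
 union
 {
@@ -2683,14 +2680,18 @@ typedef struct _KUSER_SHARED_DATA
 ULONG DbgDynProcessorEnabled : 1;
 ULONG DbgConsoleBrokerEnabled : 1;
 ULONG DbgSecureBootEnabled : 1;
-ULONG SpareBits : 24;
+ULONG DbgMultiSessionSku : 1;
+ULONG DbgMultiUsersInSessionSku : 1;
+ULONG SpareBits : 22;
 };
 };
 ULONG DataFlagsPad[1];
 
 ULONGLONG TestRetInstruction;
-ULONGLONG QpcFrequency;
-ULONGLONG SystemCallPad[3];
+LONGLONG QpcFrequency;
+ULONG SystemCall;
+ULONG SystemCallPad0;
+ULONGLONG SystemCallPad[2];
 
 union
 {
@@ -2709,12 +2710,12 @@ typedef struct _KUSER_SHARED_DATA
 ULONGLONG BaselineInterruptTimeQpc;
 ULONGLONG QpcSystemTimeIncrement;
 ULONGLONG QpcInterruptTimeIncrement;
-ULONG QpcSystemTimeIncrement32;
-ULONG QpcInterruptTimeIncrement32;
 UCHAR QpcSystemTimeIncrementShift;
 UCHAR QpcInterruptTimeIncrementShift;
-UCHAR Reserved8[14];
 
+USHORT UnparkedProcessorCount;
+ULONG EnclaveFeatureMask[4];
+ULONG Reserved8;
 USHORT UserModeGlobalLogger[16];
 ULONG ImageFileExecutionOptions;
 
@@ -2723,7 +2724,7 @@ typedef struct _KUSER_SHARED_DATA
 volatile ULONG64 InterruptTimeBias;
 volatile ULONG64 QpcBias;
 
-volatile ULONG ActiveProcessorCount;
+ULONG ActiveProcessorCount;
 volatile UCHAR ActiveGroupCount;
 UCHAR Reserved9;
 union
@@ -2772,10 +2773,11 @@ C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, LastSystemRITEventTickCount) == 0x2e4);
 C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NumberOfPhysicalPages) == 0x2e8);
 C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SafeBootMode) == 0x2ec);
 C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TestRetInstruction) == 0x2f8);
-C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemCallPad) == 0x308);
+C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemCallPad) == 0x310);
 C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCount) == 0x320);
 C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountQuad) == 0x320);
 C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, XState) == 0x3d8);
+C_ASSERT(sizeof(KUSER_SHARED_DATA) == 0x708);
 
 #define USER_SHARED_DATA ((KUSER_SHARED_DATA * const)0x7ffe0000)
 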
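Review bot: The `volatile` qualifier dropped from `ActiveProcessorCount` in the @@ -2723 hunk looks unintended: the field lives in the kernel-updated shared page (`#define USER_SHARED_DATA ((KUSER_SHARED_DATA * const)0x7ffe0000)` at the end of this section), its neighbours `InterruptTimeBias`, `QpcBias` and `ActiveGroupCount` keep `volatile`, and without it the compiler is free to hoist or cache a read of the processor count across a loop. `volatile` does not affect layout, so the new offset and `sizeof` C_ASSERTs hold either way; I would restore `volatile ULONG ActiveProcessorCount;`. The added `C_ASSERT(sizeof(KUSER_SHARED_DATA) == 0x708);` is a welcome check, but since the constants are build-specific a short comment above the assert block naming the build they were taken from (the description lists 10240, 10586 and 14393) would make the next update safer. The `_KUSER_SHARED_DATA` definition starts and ends outside the hunks.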

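--- a/phnt/include/ntldr.h
+++ b/phnt/include/ntldr.h
@@ -44,8 +44,8 @@ typedef struct _LDR_DDAG_NODE
 LIST_ENTRY Modules;
 PLDR_SERVICE_TAG_RECORD ServiceTagList;
 ULONG LoadCount;
-ULONG ReferenceCount;
-ULONG DependencyCount;
+ULONG LoadWhileUnloadingCount;
+ULONG LowestLink;
 union
 {
 LDRP_CSLIST Dependencies;
@@ -55,7 +55,6 @@ typedef struct _LDR_DDAG_NODE
 LDR_DDAG_STATE State;
 SINGLE_LIST_ENTRY CondenseLink;
 ULONG PreorderNumber;
-ULONG LowestLink;
 } LDR_DDAG_NODE, *PLDR_DDAG_NODE;
 
 // rev
@@ -167,6 +166,7 @@ typedef struct _LDR_DATA_TABLE_ENTRY
 LDR_DLL_LOAD_REASON LoadReason;
 ULONG ImplicitPathOptions;
 ULONG ReferenceCount;
+ULONG DependentLoadFlags;
 } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
 
 typedef BOOLEAN (NTAPI *PDLL_INIT_ROUTINE)(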
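Review bot: The `LDR_DDAG_NODE` edit replaces two ULONGs (`ReferenceCount`, `DependencyCount`) with two others and drops the trailing `LowestLink`, so the node shrinks by one ULONG and every field after `LoadCount` shifts, yet unlike the `KUSER_SHARED_DATA` changes in this commit neither this structure nor `LDR_DATA_TABLE_ENTRY` gets a C_ASSERT on an offset or on `sizeof`, so a future slip would compile silently. I would add at least `C_ASSERT(FIELD_OFFSET(LDR_DDAG_NODE, LowestLink) == <offset from target build>);` and a `sizeof` check for each structure, with the values taken from the builds named in the description. The appended `ULONG DependentLoadFlags;` also carries no `// since ...` annotation of the kind used elsewhere in these headers (e.g. `// since THRESHOLD2` in ntpsapi.h), so the build it first appears in is not recorded. Both struct definitions start outside the hunks.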

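--- a/phnt/include/ntpebteb.h
+++ b/phnt/include/ntpebteb.h
@@ -22,9 +22,10 @@ typedef struct _PEB
 BOOLEAN IsPackagedProcess : 1;
 BOOLEAN IsAppContainer : 1;
 BOOLEAN IsProtectedProcessLight : 1;
-BOOLEAN SpareBits : 1;
+BOOLEAN IsLongPathAwareProcess : 1;
 };
 };
+
 HANDLE Mutant;
 
 PVOID ImageBaseAddress;
@@ -93,7 +94,7 @@ typedef struct _PEB
 ULONG ImageSubsystem;
 ULONG ImageSubsystemMajorVersion;
 ULONG ImageSubsystemMinorVersion;
-ULONG_PTR ImageProcessAffinityMask;
+ULONG_PTR ActiveProcessAffinityMask;
 GDI_HANDLE_BUFFER GdiHandleBuffer;
 PVOID PostProcessInitRoutine;
 
@@ -138,6 +139,9 @@ typedef struct _PEB
 };
 };
 ULONGLONG CsrServerReadOnlySharedMemoryBase;
+PVOID TppWorkerpListLock;
+LIST_ENTRY TppWorkerpList;
+PVOID WaitOnAddressHashTable[128];
 } PEB, *PPEB;
 
 #define GDI_BATCH_BUFFER_SIZE 310
@@ -181,16 +185,18 @@ typedef struct _TEB
 PVOID WOW32Reserved;
 LCID CurrentLocale;
 ULONG FpSoftwareStatusRegister;
-PVOID SystemReserved1[54];
+PVOID ReservedForDebuggerInstrumentation[16];
+PVOID SystemReserved1[37];
+UCHAR WorkingOnBehalfTicket[8];
 NTSTATUS ExceptionCode;
+
 PVOID ActivationContextStackPointer;
-#ifdef _WIN64
-UCHAR SpareBytes[24];
-#else
-UCHAR SpareBytes[36];
-#endif
+ULONG_PTR InstrumentationCallbackSp;
+ULONG_PTR InstrumentationCallbackPreviousPc;
+ULONG_PTR InstrumentationCallbackPreviousSp;
 ULONG TxFsContext;
 
+BOOLEAN InstrumentationCallbackDisabled;
 GDI_TEB_BATCH GdiTebBatch;
 CLIENT_ID RealClientId;
 HANDLE GdiCachedProcessHandle;
@@ -228,7 +234,7 @@ typedef struct _TEB
 GUID ActivityId;
 
 PVOID SubProcessTag;
-PVOID EtwLocalData;
+PVOID PerflibData;
 PVOID EtwTraceData;
 PVOID WinSockData;
 ULONG GdiBatchCount;
@@ -251,7 +257,7 @@ typedef struct _TEB
 PVOID ReservedForOle;
 ULONG WaitingOnLoaderLock;
 PVOID SavedPriorityState;
-ULONG_PTR SoftPatchPtr1;
+ULONG_PTR ReservedForCodeCoverage;
 PVOID ThreadPoolData;
 PVOID *TlsExpansionSlots;
 #ifdef _WIN64
@@ -262,7 +268,8 @@ typedef struct _TEB
 ULONG IsImpersonating;
 PVOID NlsCache;
 PVOID pShimData;
-ULONG HeapVirtualAffinity;
+USHORT HeapVirtualAffinity;
+USHORT LowFragHeapDataSlot;
 HANDLE CurrentTransactionHandle;
 PTEB_ACTIVE_FRAME ActiveFrame;
 PVOID FlsData;
@@ -294,17 +301,21 @@ typedef struct _TEB
 USHORT RtlExceptionAttached : 1;
 USHORT InitialThread : 1;
 USHORT SessionAware : 1;
-USHORT SpareSameTebBits : 4;
+USHORT LoadOwner : 1;
+USHORT LoaderWorker : 1;
+USHORT SpareSameTebBits : 2;
 };
 };
 
 PVOID TxnScopeEnterCallback;
 PVOID TxnScopeExitCallback;
 PVOID TxnScopeContext;
 ULONG LockCount;
-ULONG SpareUlong0;
+LONG WowTebOffset;
 PVOID ResourceRetValue;
 PVOID ReservedForWdf;
+ULONGLONG ReservedForCrt;
+GUID EffectiveContainerId;
 } TEB, *PTEB;
 
 #endif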
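Review bot: The TEB rewrite in the @@ -181 hunk is size-neutral only on 64-bit builds. `PVOID SystemReserved1[54]` becomes `PVOID ReservedForDebuggerInstrumentation[16]` + `PVOID SystemReserved1[37]` + `UCHAR WorkingOnBehalfTicket[8]`, which is 432 bytes either way on x64 but 220 instead of 216 bytes on x86, and the removed `#ifdef _WIN64` block (24 bytes on x64, 36 on x86) is replaced by three `ULONG_PTR` fields covering 24 bytes on x64 but only 12 on x86, so every field from `ExceptionCode` onward moves in a 32-bit build. Unless the 32-bit layout is meant to change by exactly those amounts, the arch split should be kept; the sketch below preserves the previous 32-bit spans, and the counts need confirming against a 32-bit TEB of the target builds. The description promises extra C_ASSERTs, but PEB and TEB get none here — `C_ASSERT(FIELD_OFFSET(TEB, ExceptionCode) == <offset from target build>);` style checks for both architectures would have caught this. Both struct definitions start outside the hunks.
```c
    PVOID ReservedForDebuggerInstrumentation[16];
#ifdef _WIN64
    PVOID SystemReserved1[37];
#else
    PVOID SystemReserved1[36]; /* 16 + 36 pointers + 8 bytes == the old 54 pointers on x86; confirm on a 32-bit TEB */
#endif
    UCHAR WorkingOnBehalfTicket[8];
    /* … unchanged: ExceptionCode, ActivationContextStackPointer … */
    ULONG_PTR InstrumentationCallbackSp;
    ULONG_PTR InstrumentationCallbackPreviousPc;
    ULONG_PTR InstrumentationCallbackPreviousSp;
#ifndef _WIN64
    UCHAR SpareBytes[24]; /* 36 - 3 * sizeof(ULONG_PTR): keeps the old 32-bit span; confirm on a 32-bit TEB */
#endif
```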

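--- a/phnt/include/ntpsapi.h
+++ b/phnt/include/ntpsapi.h
@@ -165,9 +165,7 @@ typedef enum _PROCESSINFOCLASS
 ProcessCommitReleaseInformation, // PROCESS_COMMIT_RELEASE_INFORMATION
 ProcessDefaultCpuSetsInformation,
 ProcessAllowedCpuSetsInformation,
-ProcessReserved1Information,
-ProcessReserved2Information,
-ProcessSubsystemProcess, // 70
+ProcessSubsystemProcess, // 68
 ProcessJobMemoryInformation, // PROCESS_JOB_MEMORY_INFO
 ProcessInPrivate, // since THRESHOLD2
 ProcessRaiseUMExceptionOnInvalidHandleClose,
@@ -220,6 +218,7 @@ typedef enum _THREADINFOCLASS
 ThreadSelectedCpuSets,
 ThreadSystemThreadInformation, // q: SYSTEM_THREAD_INFORMATION // 40
 ThreadActualGroupAffinity, // since THRESHOLD2
+ThreadDynamicCodePolicyInfo,
 MaxThreadInfoClass
 } THREADINFOCLASS;
 #endif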
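Review bot: Deleting `ProcessReserved1Information` and `ProcessReserved2Information` renumbers every enumerator from `ProcessSubsystemProcess` (now 68) to the end of `PROCESSINFOCLASS`, and the only thing pinning the new numbering is the `// 68` comment; a `C_ASSERT(ProcessSubsystemProcess == 68);` after the enum would turn that into a compile-time check, in line with the commit's stated goal of adding C_ASSERTs. Removing the two names is also a source-compatibility break for any caller that referenced them; if that is intended it deserves a line in the description. In the `THREADINFOCLASS` hunk, `ThreadDynamicCodePolicyInfo` is added without the `// since ...` annotation that the neighbouring `ThreadActualGroupAffinity, // since THRESHOLD2` carries, so the build it first appears in is not recorded — I would append the corresponding `// since <build>` comment. Both enum definitions start outside the hunks.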
