#pragma once #include // NOLINTBEGIN(modernize-use-using,cppcoreguidelines-avoid-c-arrays,hicpp-avoid-c-arrays,modernize-avoid-c-arrays) #ifndef NT_SUCCESS #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0) #endif #define PROCESSOR_FEATURE_MAX 64 #define GDI_HANDLE_BUFFER_SIZE32 34 #define GDI_HANDLE_BUFFER_SIZE64 60 #define RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_RELEASE_ON_DEACTIVATION 0x00000001 #define RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_NO_DEACTIVATE 0x00000002 #define RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_ON_FREE_LIST 0x00000004 #define RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_HEAP_ALLOCATED 0x00000008 #define RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_NOT_REALLY_ACTIVATED 0x00000010 #define ACTIVATION_CONTEXT_STACK_FLAG_QUERIES_DISABLED 0x00000001 #define GDI_BATCH_BUFFER_SIZE 310 #define WIN32_CLIENT_INFO_LENGTH 62 #define STATIC_UNICODE_BUFFER_LENGTH 261 #define TLS_MINIMUM_AVAILABLE 64 #define TLS_EXPANSION_SLOTS 1024 #ifndef OS_WINDOWS #define PF_FLOATING_POINT_PRECISION_ERRATA 0 #define PF_FLOATING_POINT_EMULATED 1 #define PF_COMPARE_EXCHANGE_DOUBLE 2 #define PF_MMX_INSTRUCTIONS_AVAILABLE 3 #define PF_PPC_MOVEMEM_64BIT_OK 4 #define PF_ALPHA_BYTE_INSTRUCTIONS 5 #define PF_XMMI_INSTRUCTIONS_AVAILABLE 6 #define PF_3DNOW_INSTRUCTIONS_AVAILABLE 7 #define PF_RDTSC_INSTRUCTION_AVAILABLE 8 #define PF_PAE_ENABLED 9 #define PF_XMMI64_INSTRUCTIONS_AVAILABLE 10 #define PF_SSE_DAZ_MODE_AVAILABLE 11 #define PF_NX_ENABLED 12 #define PF_SSE3_INSTRUCTIONS_AVAILABLE 13 #define PF_COMPARE_EXCHANGE128 14 #define PF_COMPARE64_EXCHANGE128 15 #define PF_CHANNELS_ENABLED 16 #define PF_XSAVE_ENABLED 17 #define PF_ARM_VFP_32_REGISTERS_AVAILABLE 18 #define PF_ARM_NEON_INSTRUCTIONS_AVAILABLE 19 #define PF_SECOND_LEVEL_ADDRESS_TRANSLATION 20 #define PF_VIRT_FIRMWARE_ENABLED 21 #define PF_RDWRFSGSBASE_AVAILABLE 22 #define PF_FASTFAIL_AVAILABLE 23 #define PF_ARM_DIVIDE_INSTRUCTION_AVAILABLE 24 #define PF_ARM_64BIT_LOADSTORE_ATOMIC 25 #define PF_ARM_EXTERNAL_CACHE_AVAILABLE 26 #define PF_ARM_FMAC_INSTRUCTIONS_AVAILABLE 27 #define PF_RDRAND_INSTRUCTION_AVAILABLE 28 #define PF_ARM_V8_INSTRUCTIONS_AVAILABLE 29 #define PF_ARM_V8_CRYPTO_INSTRUCTIONS_AVAILABLE 30 #define PF_ARM_V8_CRC32_INSTRUCTIONS_AVAILABLE 31 #define PF_RDTSCP_INSTRUCTION_AVAILABLE 32 #define PF_RDPID_INSTRUCTION_AVAILABLE 33 #define PF_ARM_V81_ATOMIC_INSTRUCTIONS_AVAILABLE 34 #define PF_MONITORX_INSTRUCTION_AVAILABLE 35 #define PF_SSSE3_INSTRUCTIONS_AVAILABLE 36 #define PF_SSE4_1_INSTRUCTIONS_AVAILABLE 37 #define PF_SSE4_2_INSTRUCTIONS_AVAILABLE 38 #define PF_AVX_INSTRUCTIONS_AVAILABLE 39 #define PF_AVX2_INSTRUCTIONS_AVAILABLE 40 #define PF_AVX512F_INSTRUCTIONS_AVAILABLE 41 #define PF_ERMS_AVAILABLE 42 #define PF_ARM_V82_DP_INSTRUCTIONS_AVAILABLE 43 #define PF_ARM_V83_JSCVT_INSTRUCTIONS_AVAILABLE 44 #define PF_ARM_V83_LRCPC_INSTRUCTIONS_AVAILABLE 45 #define PF_ARM_SVE_INSTRUCTIONS_AVAILABLE 46 #define PF_ARM_SVE2_INSTRUCTIONS_AVAILABLE 47 #define PF_ARM_SVE2_1_INSTRUCTIONS_AVAILABLE 48 #define PF_ARM_SVE_AES_INSTRUCTIONS_AVAILABLE 49 #define PF_ARM_SVE_PMULL128_INSTRUCTIONS_AVAILABLE 50 #define PF_ARM_SVE_BITPERM_INSTRUCTIONS_AVAILABLE 51 #define PF_ARM_SVE_BF16_INSTRUCTIONS_AVAILABLE 52 #define PF_ARM_SVE_EBF16_INSTRUCTIONS_AVAILABLE 53 #define PF_ARM_SVE_B16B16_INSTRUCTIONS_AVAILABLE 54 #define PF_ARM_SVE_SHA3_INSTRUCTIONS_AVAILABLE 55 #define PF_ARM_SVE_SM4_INSTRUCTIONS_AVAILABLE 56 #define PF_ARM_SVE_I8MM_INSTRUCTIONS_AVAILABLE 57 #define PF_ARM_SVE_F32MM_INSTRUCTIONS_AVAILABLE 58 #define PF_ARM_SVE_F64MM_INSTRUCTIONS_AVAILABLE 59 #define PF_BMI2_INSTRUCTIONS_AVAILABLE 60 #define PF_MOVDIR64B_INSTRUCTION_AVAILABLE 61 #define PF_ARM_LSE2_AVAILABLE 62 #define PF_RESERVED_FEATURE 63 #define PF_ARM_SHA3_INSTRUCTIONS_AVAILABLE 64 #define PF_ARM_SHA512_INSTRUCTIONS_AVAILABLE 65 #define PF_ARM_V82_I8MM_INSTRUCTIONS_AVAILABLE 66 #define PF_ARM_V82_FP16_INSTRUCTIONS_AVAILABLE 67 #define PF_ARM_V86_BF16_INSTRUCTIONS_AVAILABLE 68 #define PF_ARM_V86_EBF16_INSTRUCTIONS_AVAILABLE 69 #define PF_ARM_SME_INSTRUCTIONS_AVAILABLE 70 #define PF_ARM_SME2_INSTRUCTIONS_AVAILABLE 71 #define PF_ARM_SME2_1_INSTRUCTIONS_AVAILABLE 72 #define PF_ARM_SME2_2_INSTRUCTIONS_AVAILABLE 73 #define PF_ARM_SME_AES_INSTRUCTIONS_AVAILABLE 74 #define PF_ARM_SME_SBITPERM_INSTRUCTIONS_AVAILABLE 75 #define PF_ARM_SME_SF8MM4_INSTRUCTIONS_AVAILABLE 76 #define PF_ARM_SME_SF8MM8_INSTRUCTIONS_AVAILABLE 77 #define PF_ARM_SME_SF8DP2_INSTRUCTIONS_AVAILABLE 78 #define PF_ARM_SME_SF8DP4_INSTRUCTIONS_AVAILABLE 79 #define PF_ARM_SME_SF8FMA_INSTRUCTIONS_AVAILABLE 80 #define PF_ARM_SME_F8F32_INSTRUCTIONS_AVAILABLE 81 #define PF_ARM_SME_F8F16_INSTRUCTIONS_AVAILABLE 82 #define PF_ARM_SME_F16F16_INSTRUCTIONS_AVAILABLE 83 #define PF_ARM_SME_B16B16_INSTRUCTIONS_AVAILABLE 84 #define PF_ARM_SME_F64F64_INSTRUCTIONS_AVAILABLE 85 #define PF_ARM_SME_I16I64_INSTRUCTIONS_AVAILABLE 86 #define PF_ARM_SME_LUTv2_INSTRUCTIONS_AVAILABLE 87 #define PF_ARM_SME_FA64_INSTRUCTIONS_AVAILABLE 88 #endif typedef struct _EMU_NT_TIB64 { EMULATOR_CAST(std::uint64_t, struct _EXCEPTION_REGISTRATION_RECORD*) ExceptionList; std::uint64_t StackBase; std::uint64_t StackLimit; std::uint64_t SubSystemTib; std::uint64_t FiberData; std::uint64_t ArbitraryUserPointer; EMULATOR_CAST(std::uint64_t, struct _EMU_NT_TIB64*) Self; } EMU_NT_TIB64, *PEMU_NT_TIB64; typedef struct _EMU_NT_TIB32 { EMULATOR_CAST(std::uint32_t, struct _EXCEPTION_REGISTRATION_RECORD*) ExceptionList; std::uint32_t StackBase; std::uint32_t StackLimit; std::uint32_t SubSystemTib; std::uint32_t FiberData; std::uint32_t ArbitraryUserPointer; EMULATOR_CAST(std::uint32_t, struct _EMU_NT_TIB32*) Self; } EMU_NT_TIB32, *PEMU_NT_TIB32; union PEB_BITFIELD_UNION { BOOLEAN BitField; struct { BOOLEAN ImageUsesLargePages : 1; BOOLEAN IsProtectedProcess : 1; BOOLEAN IsImageDynamicallyRelocated : 1; BOOLEAN SkipPatchingUser32Forwarders : 1; BOOLEAN IsPackagedProcess : 1; BOOLEAN IsAppContainer : 1; BOOLEAN IsProtectedProcessLight : 1; BOOLEAN IsLongPathAwareProcess : 1; }; }; #ifndef OS_WINDOWS typedef struct _LIST_ENTRY64 { ULONGLONG Flink; ULONGLONG Blink; } LIST_ENTRY64, *PLIST_ENTRY64, *RESTRICTED_POINTER PRLIST_ENTRY64; typedef struct _LIST_ENTRY32 { ULONG Flink; ULONG Blink; } LIST_ENTRY32, *PLIST_ENTRY32, *RESTRICTED_POINTER PRLIST_ENTRY32; typedef enum _PROCESS_MITIGATION_POLICY { ProcessDEPPolicy, ProcessASLRPolicy, ProcessDynamicCodePolicy, ProcessStrictHandleCheckPolicy, ProcessSystemCallDisablePolicy, ProcessMitigationOptionsMask, ProcessExtensionPointDisablePolicy, ProcessControlFlowGuardPolicy, ProcessSignaturePolicy, ProcessFontDisablePolicy, ProcessImageLoadPolicy, ProcessSystemCallFilterPolicy, ProcessPayloadRestrictionPolicy, ProcessChildProcessPolicy, ProcessSideChannelIsolationPolicy, ProcessUserShadowStackPolicy, ProcessRedirectionTrustPolicy, ProcessUserPointerAuthPolicy, ProcessSEHOPPolicy, ProcessActivationContextTrustPolicy, MaxProcessMitigationPolicy } PROCESS_MITIGATION_POLICY, *PPROCESS_MITIGATION_POLICY; #define WOW64_SIZE_OF_80387_REGISTERS 80 #define WOW64_MAXIMUM_SUPPORTED_EXTENSION 512 typedef struct _WOW64_FLOATING_SAVE_AREA { DWORD ControlWord; DWORD StatusWord; DWORD TagWord; DWORD ErrorOffset; DWORD ErrorSelector; DWORD DataOffset; DWORD DataSelector; BYTE RegisterArea[WOW64_SIZE_OF_80387_REGISTERS]; DWORD Cr0NpxState; } WOW64_FLOATING_SAVE_AREA; typedef struct _WOW64_CONTEXT { DWORD ContextFlags; DWORD Dr0; DWORD Dr1; DWORD Dr2; DWORD Dr3; DWORD Dr6; DWORD Dr7; WOW64_FLOATING_SAVE_AREA FloatSave; DWORD SegGs; DWORD SegFs; DWORD SegEs; DWORD SegDs; DWORD Edi; DWORD Esi; DWORD Ebx; DWORD Edx; DWORD Ecx; DWORD Eax; DWORD Ebp; DWORD Eip; DWORD SegCs; DWORD EFlags; DWORD Esp; DWORD SegSs; BYTE ExtendedRegisters[WOW64_MAXIMUM_SUPPORTED_EXTENSION]; } WOW64_CONTEXT; #define MEM_EXTENDED_PARAMETER_GRAPHICS 0x00000001 #define MEM_EXTENDED_PARAMETER_NONPAGED 0x00000002 #define MEM_EXTENDED_PARAMETER_ZERO_PAGES_OPTIONAL 0x00000004 #define MEM_EXTENDED_PARAMETER_NONPAGED_LARGE 0x00000008 #define MEM_EXTENDED_PARAMETER_NONPAGED_HUGE 0x00000010 #define MEM_EXTENDED_PARAMETER_SOFT_FAULT_PAGES 0x00000020 #define MEM_EXTENDED_PARAMETER_EC_CODE 0x00000040 #define MEM_EXTENDED_PARAMETER_IMAGE_NO_HPAT 0x00000080 typedef enum MEM_EXTENDED_PARAMETER_TYPE { MemExtendedParameterInvalidType = 0, MemExtendedParameterAddressRequirements, MemExtendedParameterNumaNode, MemExtendedParameterPartitionHandle, MemExtendedParameterUserPhysicalHandle, MemExtendedParameterAttributeFlags, MemExtendedParameterImageMachine, MemExtendedParameterMax } MEM_EXTENDED_PARAMETER_TYPE, *PMEM_EXTENDED_PARAMETER_TYPE; #endif typedef struct _PEB_LDR_DATA64 { ULONG Length; BOOLEAN Initialized; EmulatorTraits::HANDLE SsHandle; LIST_ENTRY64 InLoadOrderModuleList; LIST_ENTRY64 InMemoryOrderModuleList; LIST_ENTRY64 InInitializationOrderModuleList; std::uint64_t EntryInProgress; BOOLEAN ShutdownInProgress; EmulatorTraits::HANDLE ShutdownThreadId; } PEB_LDR_DATA64, *PPEB_LDR_DATA64; typedef struct _PEB_LDR_DATA32 { ULONG Length; BOOLEAN Initialized; EmulatorTraits::HANDLE SsHandle; LIST_ENTRY32 InLoadOrderModuleList; LIST_ENTRY32 InMemoryOrderModuleList; LIST_ENTRY32 InInitializationOrderModuleList; std::uint32_t EntryInProgress; BOOLEAN ShutdownInProgress; EmulatorTraits::HANDLE ShutdownThreadId; } PEB_LDR_DATA32, *PPEB_LDR_DATA32; static_assert(sizeof(PEB_LDR_DATA32) == 48); using STRING64 = UNICODE_STRING>; using ANSI_STRING64 = STRING64; using OEM_STRING64 = STRING64; typedef struct _RTL_DRIVE_LETTER_CURDIR64 { USHORT Flags; USHORT Length; ULONG TimeStamp; STRING64 DosPath; } RTL_DRIVE_LETTER_CURDIR64, *PRTL_DRIVE_LETTER_CURDIR64; #define RTL_MAX_DRIVE_LETTERS 32 #define RTL_DRIVE_LETTER_VALID (USHORT)0x0001 template struct ARRAY_CONTAINER { T arr[Size]; }; typedef struct _CURDIR64 { UNICODE_STRING> DosPath; EmulatorTraits::HANDLE Handle; } CURDIR64, *PCURDIR64; #define RTL_USER_PROCESS_PARAMETERS_NORMALIZED 0x01 #define RTL_USER_PROCESS_PARAMETERS_PROFILE_USER 0x02 #define RTL_USER_PROCESS_PARAMETERS_PROFILE_KERNEL 0x04 #define RTL_USER_PROCESS_PARAMETERS_PROFILE_SERVER 0x08 #define RTL_USER_PROCESS_PARAMETERS_RESERVE_1MB 0x20 #define RTL_USER_PROCESS_PARAMETERS_RESERVE_16MB 0x40 #define RTL_USER_PROCESS_PARAMETERS_CASE_SENSITIVE 0x80 #define RTL_USER_PROCESS_PARAMETERS_DISABLE_HEAP_DECOMMIT 0x100 #define RTL_USER_PROCESS_PARAMETERS_DLL_REDIRECTION_LOCAL 0x1000 #define RTL_USER_PROCESS_PARAMETERS_APP_MANIFEST_PRESENT 0x2000 #define RTL_USER_PROCESS_PARAMETERS_IMAGE_KEY_MISSING 0x4000 #define RTL_USER_PROCESS_PARAMETERS_NX_OPTIN 0x20000 typedef struct _RTL_USER_PROCESS_PARAMETERS64 { ULONG MaximumLength; ULONG Length; ULONG Flags; ULONG DebugFlags; EmulatorTraits::HANDLE ConsoleHandle; ULONG ConsoleFlags; EmulatorTraits::HANDLE StandardInput; EmulatorTraits::HANDLE StandardOutput; EmulatorTraits::HANDLE StandardError; CURDIR64 CurrentDirectory; UNICODE_STRING> DllPath; UNICODE_STRING> ImagePathName; UNICODE_STRING> CommandLine; std::uint64_t Environment; ULONG StartingX; ULONG StartingY; ULONG CountX; ULONG CountY; ULONG CountCharsX; ULONG CountCharsY; ULONG FillAttribute; ULONG WindowFlags; ULONG ShowWindowFlags; UNICODE_STRING> WindowTitle; UNICODE_STRING> DesktopInfo; UNICODE_STRING> ShellInfo; UNICODE_STRING> RuntimeData; ARRAY_CONTAINER CurrentDirectories; std::uint64_t EnvironmentSize; std::uint64_t EnvironmentVersion; std::uint64_t PackageDependencyData; ULONG ProcessGroupId; ULONG LoaderThreads; UNICODE_STRING> RedirectionDllName; // REDSTONE4 UNICODE_STRING> HeapPartitionName; // 19H1 std::uint64_t DefaultThreadpoolCpuSetMasks; ULONG DefaultThreadpoolCpuSetMaskCount; ULONG DefaultThreadpoolThreadMaximum; ULONG HeapMemoryTypeMask; // WIN11 } RTL_USER_PROCESS_PARAMETERS64, *PRTL_USER_PROCESS_PARAMETERS64; static_assert(sizeof(RTL_USER_PROCESS_PARAMETERS64) == 0x448); union PEB_CROSS_PROCESS_FLAGS_UNION { ULONG CrossProcessFlags; struct { ULONG ProcessInJob : 1; ULONG ProcessInitializing : 1; ULONG ProcessUsingVEH : 1; ULONG ProcessUsingVCH : 1; ULONG ProcessUsingFTH : 1; ULONG ProcessPreviouslyThrottled : 1; ULONG ProcessCurrentlyThrottled : 1; ULONG ProcessImagesHotPatched : 1; // REDSTONE5 ULONG ReservedBits0 : 24; }; }; union PEB_KERNEL_CALLBACK_TABLE_UNION64 { std::uint64_t KernelCallbackTable; std::uint64_t UserSharedInfoPtr; }; typedef struct _API_SET_NAMESPACE { ULONG Version; ULONG Size; ULONG Flags; ULONG Count; ULONG EntryOffset; ULONG HashOffset; ULONG HashFactor; } API_SET_NAMESPACE, *PAPI_SET_NAMESPACE; union PEB_CONTEXT_DATA_UNION64 { std::uint64_t pContextData; // WIN7 std::uint64_t pUnused; // WIN10 std::uint64_t EcCodeBitMap; // WIN11 }; union PEB_TRACING_FLAGS_UNION { ULONG TracingFlags; struct { ULONG HeapTracingEnabled : 1; ULONG CritSecTracingEnabled : 1; ULONG LibLoaderTracingEnabled : 1; ULONG SpareTracingBits : 29; }; }; union PEB_LEAP_SECONDS_FLAG_UNION { ULONG LeapSecondFlags; struct { ULONG SixtySecondEnabled : 1; ULONG Reserved : 31; }; }; #define MAXIMUM_LEADBYTES 12 typedef struct _CPTABLEINFO { USHORT CodePage; USHORT MaximumCharacterSize; USHORT DefaultChar; USHORT UniDefaultChar; USHORT TransDefaultChar; USHORT TransUniDefaultChar; USHORT DBCSCodePage; UCHAR LeadByte[MAXIMUM_LEADBYTES]; EMULATOR_CAST(uint64_t, USHORT*) MultiByteTable; EMULATOR_CAST(uint64_t, void*) WideCharTable; EMULATOR_CAST(uint64_t, USHORT*) DBCSRanges; EMULATOR_CAST(uint64_t, USHORT*) DBCSOffsets; } CPTABLEINFO, *PCPTABLEINFO; typedef struct _NLSTABLEINFO { CPTABLEINFO OemTableInfo; CPTABLEINFO AnsiTableInfo; EMULATOR_CAST(uint64_t, USHORT*) UpperCaseTable; EMULATOR_CAST(uint64_t, USHORT*) LowerCaseTable; } NLSTABLEINFO, *PNLSTABLEINFO; typedef struct _CURDIR32 { UNICODE_STRING> DosPath; EmulatorTraits::HANDLE Handle; } CURDIR32, *PCURDIR32; static_assert(sizeof(CURDIR32) == 12); typedef struct _RTL_DRIVE_LETTER_CURDIR32 { USHORT Flags; USHORT Length; ULONG TimeStamp; UNICODE_STRING> DosPath; } RTL_DRIVE_LETTER_CURDIR32, *PRTL_DRIVE_LETTER_CURDIR32; static_assert(sizeof(RTL_DRIVE_LETTER_CURDIR32) == 16); typedef struct _RTL_USER_PROCESS_PARAMETERS32 { ULONG MaximumLength; ULONG Length; ULONG Flags; ULONG DebugFlags; EmulatorTraits::HANDLE ConsoleHandle; ULONG ConsoleFlags; EmulatorTraits::HANDLE StandardInput; EmulatorTraits::HANDLE StandardOutput; EmulatorTraits::HANDLE StandardError; CURDIR32 CurrentDirectory; UNICODE_STRING> DllPath; UNICODE_STRING> ImagePathName; UNICODE_STRING> CommandLine; std::uint32_t Environment; ULONG StartingX; ULONG StartingY; ULONG CountX; ULONG CountY; ULONG CountCharsX; ULONG CountCharsY; ULONG FillAttribute; ULONG WindowFlags; ULONG ShowWindowFlags; UNICODE_STRING> WindowTitle; UNICODE_STRING> DesktopInfo; UNICODE_STRING> ShellInfo; UNICODE_STRING> RuntimeData; RTL_DRIVE_LETTER_CURDIR32 CurrentDirectories[RTL_MAX_DRIVE_LETTERS]; std::uint32_t EnvironmentSize; std::uint32_t EnvironmentVersion; std::uint32_t PackageDependencyData; ULONG ProcessGroupId; ULONG LoaderThreads; UNICODE_STRING> RedirectionDllName; // REDSTONE4 UNICODE_STRING> HeapPartitionName; // 19H1 std::uint32_t DefaultThreadpoolCpuSetMasks; ULONG DefaultThreadpoolCpuSetMaskCount; ULONG DefaultThreadpoolThreadMaximum; ULONG HeapMemoryTypeMask; // WIN11 } RTL_USER_PROCESS_PARAMETERS32, *PRTL_USER_PROCESS_PARAMETERS32; static_assert(sizeof(RTL_USER_PROCESS_PARAMETERS32) == 708); typedef struct _PEB64 { BOOLEAN InheritedAddressSpace; BOOLEAN ReadImageFileExecOptions; BOOLEAN BeingDebugged; PEB_BITFIELD_UNION BitField; EmulatorTraits::HANDLE Mutant; std::uint64_t ImageBaseAddress; EMULATOR_CAST(std::uint64_t, PPEB_LDR_DATA64) Ldr; EMULATOR_CAST(std::uint64_t, PRTL_USER_PROCESS_PARAMETERS64) ProcessParameters; std::uint64_t SubSystemData; std::uint64_t ProcessHeap; EMULATOR_CAST(std::uint64_t, PRTL_CRITICAL_SECTION) FastPebLock; EMULATOR_CAST(std::uint64_t, PSLIST_HEADER) AtlThunkSListPtr; std::uint64_t IFEOKey; PEB_CROSS_PROCESS_FLAGS_UNION CrossProcessFlags; PEB_KERNEL_CALLBACK_TABLE_UNION64 KernelCallbackTable; ULONG SystemReserved; ULONG AtlThunkSListPtr32; EMULATOR_CAST(std::uint64_t, PAPI_SET_NAMESPACE) ApiSetMap; ULONG TlsExpansionCounter; EMULATOR_CAST(std::uint64_t, PRTL_BITMAP) TlsBitmap; ARRAY_CONTAINER TlsBitmapBits; // TLS_MINIMUM_AVAILABLE std::uint64_t ReadOnlySharedMemoryBase; EMULATOR_CAST(std::uint64_t, PSILO_USER_SHARED_DATA) SharedData; // HotpatchInformation std::uint64_t ReadOnlyStaticServerData; EMULATOR_CAST(EmulatorTraits::PVOID, PCPTABLEINFO) AnsiCodePageData; // PCPTABLEINFO EMULATOR_CAST(EmulatorTraits::PVOID, PCPTABLEINFO) OemCodePageData; // PCPTABLEINFO EMULATOR_CAST(EmulatorTraits::PVOID, PNLSTABLEINFO) UnicodeCaseTableData; // PNLSTABLEINFO ULONG NumberOfProcessors; ULONG NtGlobalFlag; ULARGE_INTEGER CriticalSectionTimeout; EMULATOR_CAST(std::int64_t, SIZE_T) HeapSegmentReserve; EMULATOR_CAST(std::int64_t, SIZE_T) HeapSegmentCommit; EMULATOR_CAST(std::int64_t, SIZE_T) HeapDeCommitTotalFreeThreshold; EMULATOR_CAST(std::int64_t, SIZE_T) HeapDeCommitFreeBlockThreshold; ULONG NumberOfHeaps; ULONG MaximumNumberOfHeaps; std::uint64_t ProcessHeaps; // PHEAP std::uint64_t GdiSharedHandleTable; // PGDI_SHARED_MEMORY std::uint64_t ProcessStarterHelper; ULONG GdiDCAttributeList; EMULATOR_CAST(std::uint64_t, PRTL_CRITICAL_SECTION) LoaderLock; ULONG OSMajorVersion; ULONG OSMinorVersion; USHORT OSBuildNumber; USHORT OSCSDVersion; ULONG OSPlatformId; ULONG ImageSubsystem; ULONG ImageSubsystemMajorVersion; ULONG ImageSubsystemMinorVersion; EMULATOR_CAST(std::uint64_t, KAFFINITY) ActiveProcessAffinityMask; ARRAY_CONTAINER GdiHandleBuffer; std::uint64_t PostProcessInitRoutine; EMULATOR_CAST(std::uint64_t, PRTL_BITMAP) TlsExpansionBitmap; ARRAY_CONTAINER TlsExpansionBitmapBits; // TLS_EXPANSION_SLOTS ULONG SessionId; ULARGE_INTEGER AppCompatFlags; // KACF_* ULARGE_INTEGER AppCompatFlagsUser; std::uint64_t pShimData; std::uint64_t AppCompatInfo; // APPCOMPAT_EXE_DATA UNICODE_STRING> CSDVersion; EMULATOR_CAST(std::uint64_t, PACTIVATION_CONTEXT_DATA) ActivationContextData; EMULATOR_CAST(std::uint64_t, PASSEMBLY_STORAGE_MAP) ProcessAssemblyStorageMap; EMULATOR_CAST(std::uint64_t, PACTIVATION_CONTEXT_DATA) SystemDefaultActivationContextData; EMULATOR_CAST(std::uint64_t, PASSEMBLY_STORAGE_MAP) SystemAssemblyStorageMap; EMULATOR_CAST(std::uint64_t, SIZE_T) MinimumStackCommit; ARRAY_CONTAINER SparePointers; // 19H1 (previously FlsCallback to FlsHighIndex) std::uint64_t PatchLoaderData; std::uint64_t ChpeV2ProcessInfo; // _CHPEV2_PROCESS_INFO ULONG AppModelFeatureState; ARRAY_CONTAINER SpareUlongs; USHORT ActiveCodePage; USHORT OemCodePage; USHORT UseCaseMapping; USHORT UnusedNlsField; std::uint64_t WerRegistrationData; std::uint64_t WerShipAssertPtr; PEB_CONTEXT_DATA_UNION64 ContextData; std::uint64_t pImageHeaderHash; PEB_TRACING_FLAGS_UNION TracingFlags; ULONGLONG CsrServerReadOnlySharedMemoryBase; EMULATOR_CAST(std::uint64_t, PRTL_CRITICAL_SECTION) TppWorkerpListLock; LIST_ENTRY64 TppWorkerpList; ARRAY_CONTAINER WaitOnAddressHashTable; EMULATOR_CAST(std::uint64_t, PTELEMETRY_COVERAGE_HEADER) TelemetryCoverageHeader; // REDSTONE3 ULONG CloudFileFlags; ULONG CloudFileDiagFlags; // REDSTONE4 CHAR PlaceholderCompatibilityMode; ARRAY_CONTAINER PlaceholderCompatibilityModeReserved; EMULATOR_CAST(std::uint64_t, PLEAP_SECOND_DATA) LeapSecondData; // REDSTONE5 PEB_LEAP_SECONDS_FLAG_UNION LeapSecondFlags; ULONG NtGlobalFlag2; ULONGLONG ExtendedFeatureDisableMask; // since WIN11 } PEB64, *PPEB64; static_assert(sizeof(PEB64) == 0x7D0); typedef struct _PEB32 { BOOLEAN InheritedAddressSpace; BOOLEAN ReadImageFileExecOptions; BOOLEAN BeingDebugged; union { BOOLEAN BitField; struct { BOOLEAN ImageUsesLargePages : 1; BOOLEAN IsProtectedProcess : 1; BOOLEAN IsImageDynamicallyRelocated : 1; BOOLEAN SkipPatchingUser32Forwarders : 1; BOOLEAN IsPackagedProcess : 1; BOOLEAN IsAppContainer : 1; BOOLEAN IsProtectedProcessLight : 1; BOOLEAN IsLongPathAwareProcess : 1; }; }; EmulatorTraits::HANDLE Mutant; std::uint32_t ImageBaseAddress; EMULATOR_CAST(std::uint32_t, PPEB_LDR_DATA32) Ldr; EMULATOR_CAST(std::uint32_t, struct _RTL_USER_PROCESS_PARAMETERS32*) ProcessParameters; EMULATOR_CAST(std::uint32_t, PVOID32) SubSystemData; EMULATOR_CAST(std::uint32_t, PVOID32) ProcessHeap; EMULATOR_CAST(std::uint32_t, struct _RTL_CRITICAL_SECTION32*) FastPebLock; EMULATOR_CAST(std::uint32_t, union _SLIST_HEADER*) AtlThunkSListPtr; EMULATOR_CAST(std::uint32_t, PVOID32) IFEOKey; union { ULONG CrossProcessFlags; struct { ULONG ProcessInJob : 1; ULONG ProcessInitializing : 1; ULONG ProcessUsingVEH : 1; ULONG ProcessUsingVCH : 1; ULONG ProcessUsingFTH : 1; ULONG ProcessPreviouslyThrottled : 1; ULONG ProcessCurrentlyThrottled : 1; ULONG ProcessImagesHotPatched : 1; // REDSTONE5 ULONG ReservedBits0 : 24; }; }; union { EMULATOR_CAST(std::uint32_t, PVOID32) KernelCallbackTable; EMULATOR_CAST(std::uint32_t, PVOID32) UserSharedInfoPtr; }; ULONG SystemReserved; ULONG AtlThunkSListPtr32; EMULATOR_CAST(std::uint32_t, struct _API_SET_NAMESPACE*) ApiSetMap; ULONG TlsExpansionCounter; EMULATOR_CAST(std::uint32_t, struct _RTL_BITMAP*) TlsBitmap; ARRAY_CONTAINER TlsBitmapBits; EMULATOR_CAST(std::uint32_t, PVOID32) ReadOnlySharedMemoryBase; EMULATOR_CAST(std::uint32_t, struct _SILO_USER_SHARED_DATA*) SharedData; // HotpatchInformation EMULATOR_CAST(std::uint32_t, PVOID32*) ReadOnlyStaticServerData; EMULATOR_CAST(std::uint32_t, PVOID32) AnsiCodePageData; // PCPTABLEINFO EMULATOR_CAST(std::uint32_t, PVOID32) OemCodePageData; // PCPTABLEINFO EMULATOR_CAST(std::uint32_t, PVOID32) UnicodeCaseTableData; // PNLSTABLEINFO ULONG NumberOfProcessors; ULONG NtGlobalFlag; ULARGE_INTEGER CriticalSectionTimeout; EMULATOR_CAST(std::uint32_t, SIZE_T32) HeapSegmentReserve; EMULATOR_CAST(std::uint32_t, SIZE_T32) HeapSegmentCommit; EMULATOR_CAST(std::uint32_t, SIZE_T32) HeapDeCommitTotalFreeThreshold; EMULATOR_CAST(std::uint32_t, SIZE_T32) HeapDeCommitFreeBlockThreshold; ULONG NumberOfHeaps; ULONG MaximumNumberOfHeaps; EMULATOR_CAST(std::uint32_t, PVOID32*) ProcessHeaps; // PHEAP EMULATOR_CAST(std::uint32_t, PVOID32) GdiSharedHandleTable; // PGDI_SHARED_MEMORY EMULATOR_CAST(std::uint32_t, PVOID32) ProcessStarterHelper; ULONG GdiDCAttributeList; EMULATOR_CAST(std::uint32_t, struct _RTL_CRITICAL_SECTION32*) LoaderLock; ULONG OSMajorVersion; ULONG OSMinorVersion; USHORT OSBuildNumber; USHORT OSCSDVersion; ULONG OSPlatformId; ULONG ImageSubsystem; ULONG ImageSubsystemMajorVersion; ULONG ImageSubsystemMinorVersion; EMULATOR_CAST(std::uint32_t, KAFFINITY32) ActiveProcessAffinityMask; ARRAY_CONTAINER GdiHandleBuffer; EMULATOR_CAST(std::uint32_t, PVOID32) PostProcessInitRoutine; EMULATOR_CAST(std::uint32_t, PVOID32) TlsExpansionBitmap; ARRAY_CONTAINER TlsExpansionBitmapBits; ULONG SessionId; ULARGE_INTEGER AppCompatFlags; ULARGE_INTEGER AppCompatFlagsUser; EMULATOR_CAST(std::uint32_t, PVOID32) pShimData; EMULATOR_CAST(std::uint32_t, PVOID32) AppCompatInfo; // APPCOMPAT_EXE_DATA UNICODE_STRING> CSDVersion; EMULATOR_CAST(std::uint32_t, struct _ACTIVATION_CONTEXT_DATA*) ActivationContextData; EMULATOR_CAST(std::uint32_t, struct _ASSEMBLY_STORAGE_MAP32*) ProcessAssemblyStorageMap; EMULATOR_CAST(std::uint32_t, struct _ACTIVATION_CONTEXT_DATA*) SystemDefaultActivationContextData; EMULATOR_CAST(std::uint32_t, struct _ASSEMBLY_STORAGE_MAP32*) SystemAssemblyStorageMap; EMULATOR_CAST(std::uint32_t, SIZE_T32) MinimumStackCommit; ARRAY_CONTAINER SparePointers; // 19H1 (previously FlsCallback to FlsHighIndex) EMULATOR_CAST(std::uint32_t, PVOID32) PatchLoaderData; EMULATOR_CAST(std::uint32_t, PVOID32) ChpeV2ProcessInfo; // _CHPEV2_PROCESS_INFO ULONG AppModelFeatureState; ULONG SpareUlongs[2]; USHORT ActiveCodePage; USHORT OemCodePage; USHORT UseCaseMapping; USHORT UnusedNlsField; EMULATOR_CAST(std::uint32_t, PVOID32) WerRegistrationData; EMULATOR_CAST(std::uint32_t, PVOID32) WerShipAssertPtr; union { EMULATOR_CAST(std::uint32_t, PVOID32) pContextData; // WIN7 EMULATOR_CAST(std::uint32_t, PVOID32) pUnused; // WIN10 EMULATOR_CAST(std::uint32_t, PVOID32) EcCodeBitMap; // WIN11 }; EMULATOR_CAST(std::uint32_t, PVOID32) pImageHeaderHash; union { ULONG TracingFlags; struct { ULONG HeapTracingEnabled : 1; ULONG CritSecTracingEnabled : 1; ULONG LibLoaderTracingEnabled : 1; ULONG SpareTracingBits : 29; }; }; ULONGLONG CsrServerReadOnlySharedMemoryBase; EMULATOR_CAST(std::uint32_t, struct _RTL_CRITICAL_SECTION32*) TppWorkerpListLock; LIST_ENTRY32 TppWorkerpList; ARRAY_CONTAINER WaitOnAddressHashTable; EMULATOR_CAST(std::uint32_t, struct _PTELEMETRY_COVERAGE_HEADER*) TelemetryCoverageHeader; // REDSTONE3 ULONG CloudFileFlags; ULONG CloudFileDiagFlags; // REDSTONE4 CHAR PlaceholderCompatibilityMode; ARRAY_CONTAINER PlaceholderCompatibilityModeReserved; EMULATOR_CAST(std::uint32_t, struct _LEAP_SECOND_DATA*) LeapSecondData; // REDSTONE5 union { ULONG LeapSecondFlags; struct { ULONG SixtySecondEnabled : 1; ULONG Reserved : 31; }; }; ULONG NtGlobalFlag2; ULONGLONG ExtendedFeatureDisableMask; // since WIN11 } PEB32, *PPEB32; static_assert(sizeof(PEB32) == 0x488, "sizeof(PEB32) is incorrect"); // WIN11 typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME64 { struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous; EMULATOR_CAST(std::uint64_t, ACTIVATION_CONTEXT) ActivationContext; ULONG Flags; // RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_* } RTL_ACTIVATION_CONTEXT_STACK_FRAME64, *PRTL_ACTIVATION_CONTEXT_STACK_FRAME64; typedef struct _ASSEMBLY_STORAGE_MAP_ENTRY32 { ULONG Flags; UNICODE_STRING> DosPath; EMULATOR_CAST(std::uint32_t, HANDLE32) Handle; } ASSEMBLY_STORAGE_MAP_ENTRY32, *PASSEMBLY_STORAGE_MAP_ENTRY32; static_assert(sizeof(ASSEMBLY_STORAGE_MAP_ENTRY32) == 16); typedef struct _ASSEMBLY_STORAGE_MAP32 { ULONG Flags; ULONG AssemblyCount; EMULATOR_CAST(std::uint32_t, PASSEMBLY_STORAGE_MAP_ENTRY32*) AssemblyArray; } ASSEMBLY_STORAGE_MAP32, *PASSEMBLY_STORAGE_MAP32; static_assert(sizeof(ASSEMBLY_STORAGE_MAP32) == 12); typedef struct _ACTIVATION_CONTEXT32 { LONG RefCount; ULONG Flags; EMULATOR_CAST(std::uint32_t, struct _ACTIVATION_CONTEXT_DATA*) ActivationContextData; std::uint32_t /*PACTIVATION_CONTEXT_NOTIFY_ROUTINE*/ NotificationRoutine; std::uint32_t NotificationContext; ULONG SentNotifications[8]; ULONG DisabledNotifications[8]; ASSEMBLY_STORAGE_MAP32 StorageMap; EMULATOR_CAST(std::uint32_t, PASSEMBLY_STORAGE_MAP_ENTRY32) InlineStorageMapEntries[32]; } ACTIVATION_CONTEXT32, *PACTIVATION_CONTEXT32; static_assert(sizeof(ACTIVATION_CONTEXT32) == 224); typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME32 { EMULATOR_CAST(std::uint32_t, struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME32*) Previous; EMULATOR_CAST(std::uint32_t, PACTIVATION_CONTEXT32) ActivationContext; ULONG Flags; // RTL_ACTIVATION_CONTEXT_STACK_FRAME_FLAG_* } RTL_ACTIVATION_CONTEXT_STACK_FRAME32, *PRTL_ACTIVATION_CONTEXT_STACK_FRAME32; static_assert(sizeof(RTL_ACTIVATION_CONTEXT_STACK_FRAME32) == 12); typedef struct _ACTIVATION_CONTEXT_STACK32 { EMULATOR_CAST(std::uint32_t, PRTL_ACTIVATION_CONTEXT_STACK_FRAME32) ActiveFrame; LIST_ENTRY32 FrameListCache; ULONG Flags; // ACTIVATION_CONTEXT_STACK_FLAG_* ULONG NextCookieSequenceNumber; ULONG StackId; } ACTIVATION_CONTEXT_STACK32, *PACTIVATION_CONTEXT_STACK32; static_assert(sizeof(ACTIVATION_CONTEXT_STACK32) == 24); typedef struct _ACTIVATION_CONTEXT_STACK64 { EMULATOR_CAST(std::uint64_t, PRTL_ACTIVATION_CONTEXT_STACK_FRAME64) ActiveFrame; LIST_ENTRY64 FrameListCache; ULONG Flags; // ACTIVATION_CONTEXT_STACK_FLAG_* ULONG NextCookieSequenceNumber; ULONG StackId; } ACTIVATION_CONTEXT_STACK64, *PACTIVATION_CONTEXT_STACK64; typedef struct _GDI_TEB_BATCH64 { ULONG Offset; std::uint64_t HDC; ULONG Buffer[GDI_BATCH_BUFFER_SIZE]; } GDI_TEB_BATCH64, *PGDI_TEB_BATCH64; typedef struct _GDI_TEB_BATCH32 { ULONG Offset; EMULATOR_CAST(std::uint32_t, ULONG_PTR32) HDC; ULONG Buffer[GDI_BATCH_BUFFER_SIZE]; } GDI_TEB_BATCH32, *PGDI_TEB_BATCH32; static_assert(sizeof(GDI_TEB_BATCH32) == 1248, "sizeof(GDI_TEB_BATCH32) is incorrect"); #ifndef OS_WINDOWS typedef struct _GUID { uint32_t Data1; uint16_t Data2; uint16_t Data3; uint8_t Data4[8]; } GUID; typedef struct _PROCESSOR_NUMBER { WORD Group; BYTE Number; BYTE Reserved; } PROCESSOR_NUMBER, *PPROCESSOR_NUMBER; #endif union TEB_CURRENT_IDEAL_PROCESSOR_UNION { PROCESSOR_NUMBER CurrentIdealProcessor; ULONG IdealProcessorValue; struct { UCHAR ReservedPad0; UCHAR ReservedPad1; UCHAR ReservedPad2; UCHAR IdealProcessor; }; }; union TEB_CROSS_TEB_FLAGS_UNION { USHORT CrossTebFlags; USHORT SpareCrossTebBits : 16; }; union TEB_SAME_TEB_FLAGS_UNION { USHORT SameTebFlags; struct { USHORT SafeThunkCall : 1; USHORT InDebugPrint : 1; USHORT HasFiberData : 1; USHORT SkipThreadAttach : 1; USHORT WerInShipAssertCode : 1; USHORT RanProcessInit : 1; USHORT ClonedThread : 1; USHORT SuppressDebugMsg : 1; USHORT DisableUserStackWalk : 1; USHORT RtlExceptionAttached : 1; USHORT InitialThread : 1; USHORT SessionAware : 1; USHORT LoadOwner : 1; USHORT LoaderWorker : 1; USHORT SkipLoaderInit : 1; USHORT SkipFileAPIBrokering : 1; }; }; #ifndef OS_WINDOWS using LCID = DWORD; using LANGID = WORD; #endif typedef struct _TEB64 { EMU_NT_TIB64 NtTib; std::uint64_t EnvironmentPointer; CLIENT_ID64 ClientId; std::uint64_t ActiveRpcHandle; std::uint64_t ThreadLocalStoragePointer; EMULATOR_CAST(std::uint64_t, PPEB64) ProcessEnvironmentBlock; ULONG LastErrorValue; ULONG CountOfOwnedCriticalSections; std::uint64_t CsrClientThread; std::uint64_t Win32ThreadInfo; ARRAY_CONTAINER User32Reserved; ARRAY_CONTAINER UserReserved; std::uint64_t WOW32Reserved; LCID CurrentLocale; ULONG FpSoftwareStatusRegister; ARRAY_CONTAINER ReservedForDebuggerInstrumentation; ARRAY_CONTAINER SystemReserved1; std::uint64_t HeapFlsData; ARRAY_CONTAINER RngState; CHAR PlaceholderCompatibilityMode; BOOLEAN PlaceholderHydrationAlwaysExplicit; ARRAY_CONTAINER PlaceholderReserved; ULONG ProxiedProcessId; ACTIVATION_CONTEXT_STACK64 ActivationStack; ARRAY_CONTAINER WorkingOnBehalfTicket; NTSTATUS ExceptionCode; EMULATOR_CAST(std::uint64_t, PACTIVATION_CONTEXT_STACK64) ActivationContextStackPointer; std::uint64_t InstrumentationCallbackSp; std::uint64_t InstrumentationCallbackPreviousPc; std::uint64_t InstrumentationCallbackPreviousSp; ULONG TxFsContext; BOOLEAN InstrumentationCallbackDisabled; BOOLEAN UnalignedLoadStoreExceptions; GDI_TEB_BATCH64 GdiTebBatch; CLIENT_ID64 RealClientId; EmulatorTraits::HANDLE GdiCachedProcessHandle; ULONG GdiClientPID; ULONG GdiClientTID; std::uint64_t GdiThreadLocalInfo; ARRAY_CONTAINER Win32ClientInfo; ARRAY_CONTAINER glDispatchTable; ARRAY_CONTAINER glReserved1; std::uint64_t glReserved2; std::uint64_t glSectionInfo; std::uint64_t glSection; std::uint64_t glTable; std::uint64_t glCurrentRC; std::uint64_t glContext; NTSTATUS LastStatusValue; UNICODE_STRING> StaticUnicodeString; ARRAY_CONTAINER StaticUnicodeBuffer; std::uint64_t DeallocationStack; ARRAY_CONTAINER TlsSlots; LIST_ENTRY64 TlsLinks; std::uint64_t Vdm; std::uint64_t ReservedForNtRpc; ARRAY_CONTAINER DbgSsReserved; ULONG HardErrorMode; ARRAY_CONTAINER Instrumentation; GUID ActivityId; std::uint64_t SubProcessTag; std::uint64_t PerflibData; std::uint64_t EtwTraceData; std::uint64_t WinSockData; ULONG GdiBatchCount; TEB_CURRENT_IDEAL_PROCESSOR_UNION CurrentIdealProcessor; ULONG GuaranteedStackBytes; std::uint64_t ReservedForPerf; std::uint64_t ReservedForOle; // tagSOleTlsData ULONG WaitingOnLoaderLock; std::uint64_t SavedPriorityState; std::uint64_t ReservedForCodeCoverage; std::uint64_t ThreadPoolData; std::uint64_t TlsExpansionSlots; std::uint64_t ChpeV2CpuAreaInfo; // CHPEV2_CPUAREA_INFO // previously DeallocationBStore std::uint64_t Unused; // previously BStoreLimit ULONG MuiGeneration; ULONG IsImpersonating; std::uint64_t NlsCache; std::uint64_t pShimData; ULONG HeapData; EmulatorTraits::HANDLE CurrentTransactionHandle; EMULATOR_CAST(std::uint64_t, PTEB_ACTIVE_FRAME) ActiveFrame; std::uint64_t FlsData; std::uint64_t PreferredLanguages; std::uint64_t UserPrefLanguages; std::uint64_t MergedPrefLanguages; ULONG MuiImpersonation; TEB_CROSS_TEB_FLAGS_UNION CrossTebFlags; TEB_SAME_TEB_FLAGS_UNION SameTebFlags; std::uint64_t TxnScopeEnterCallback; std::uint64_t TxnScopeExitCallback; std::uint64_t TxnScopeContext; ULONG LockCount; LONG WowTebOffset; std::uint64_t ResourceRetValue; std::uint64_t ReservedForWdf; ULONGLONG ReservedForCrt; GUID EffectiveContainerId; ULONGLONG LastSleepCounter; // Win11 ULONG SpinCallCount; ULONGLONG ExtendedFeatureDisableMask; std::uint64_t SchedulerSharedDataSlot; // 24H2 std::uint64_t HeapWalkContext; EMU_GROUP_AFFINITY64 PrimaryGroupAffinity; ARRAY_CONTAINER Rcu; } TEB64, *PTEB64; static_assert(sizeof(TEB64) == 0x1878); #if defined(OS_WINDOWS) && defined(_WIN64) inline TEB64* NtCurrentTeb64() { return reinterpret_cast(__readgsqword(FIELD_OFFSET(EMU_NT_TIB64, Self))); } #endif typedef struct _TEB32 { EMU_NT_TIB32 NtTib; std::uint32_t EnvironmentPointer; CLIENT_ID32 ClientId; std::uint32_t ActiveRpcHandle; std::uint32_t ThreadLocalStoragePointer; EMULATOR_CAST(std::uint32_t, PPEB32) ProcessEnvironmentBlock; ULONG LastErrorValue; ULONG CountOfOwnedCriticalSections; std::uint32_t CsrClientThread; std::uint32_t Win32ThreadInfo; ULONG User32Reserved[26]; ULONG UserReserved[5]; std::uint32_t WOW32Reserved; LCID CurrentLocale; ULONG FpSoftwareStatusRegister; std::uint32_t ReservedForDebuggerInstrumentation[16]; std::uint32_t SystemReserved1[26]; CHAR PlaceholderCompatibilityMode; BOOLEAN PlaceholderHydrationAlwaysExplicit; CHAR PlaceholderReserved[10]; ULONG ProxiedProcessId; ACTIVATION_CONTEXT_STACK32 ActivationStack; UCHAR WorkingOnBehalfTicket[8]; NTSTATUS ExceptionCode; EMULATOR_CAST(std::uint32_t, PACTIVATION_CONTEXT_STACK32) ActivationContextStackPointer; EMULATOR_CAST(std::uint32_t, ULONG_PTR32) InstrumentationCallbackSp; EMULATOR_CAST(std::uint32_t, ULONG_PTR32) InstrumentationCallbackPreviousPc; EMULATOR_CAST(std::uint32_t, ULONG_PTR32) InstrumentationCallbackPreviousSp; BOOLEAN InstrumentationCallbackDisabled; UCHAR SpareBytes[23]; ULONG TxFsContext; GDI_TEB_BATCH32 GdiTebBatch; CLIENT_ID32 RealClientId; EmulatorTraits::HANDLE GdiCachedProcessHandle; ULONG GdiClientPID; ULONG GdiClientTID; std::uint32_t GdiThreadLocalInfo; EMULATOR_CAST(std::uint32_t, ULONG_PTR32) Win32ClientInfo[WIN32_CLIENT_INFO_LENGTH]; std::uint32_t glDispatchTable[233]; EMULATOR_CAST(std::uint32_t, ULONG_PTR32) glReserved1[29]; std::uint32_t glReserved2; std::uint32_t glSectionInfo; std::uint32_t glSection; std::uint32_t glTable; std::uint32_t glCurrentRC; std::uint32_t glContext; NTSTATUS LastStatusValue; UNICODE_STRING> StaticUnicodeString; WCHAR StaticUnicodeBuffer[STATIC_UNICODE_BUFFER_LENGTH]; std::uint32_t DeallocationStack; ARRAY_CONTAINER TlsSlots; LIST_ENTRY32 TlsLinks; std::uint32_t Vdm; std::uint32_t ReservedForNtRpc; std::uint32_t DbgSsReserved[2]; ULONG HardErrorMode; std::uint32_t Instrumentation[9]; GUID ActivityId; std::uint32_t SubProcessTag; std::uint32_t PerflibData; std::uint32_t EtwTraceData; std::uint32_t WinSockData; ULONG GdiBatchCount; union { EMULATOR_CAST(std::uint32_t, PROCESSOR_NUMBER) CurrentIdealProcessor; ULONG IdealProcessorValue; struct { UCHAR ReservedPad0; UCHAR ReservedPad1; UCHAR ReservedPad2; UCHAR IdealProcessor; }; }; ULONG GuaranteedStackBytes; EMULATOR_CAST(std::uint32_t, PVOID32) ReservedForPerf; EMULATOR_CAST(std::uint32_t, PVOID32) ReservedForOle; // tagSOleTlsData32 ULONG WaitingOnLoaderLock; EMULATOR_CAST(std::uint32_t, PVOID32) SavedPriorityState; EMULATOR_CAST(std::uint32_t, ULONG_PTR32) ReservedForCodeCoverage; std::uint32_t ThreadPoolData; EMULATOR_CAST(std::uint32_t, PVOID32*) TlsExpansionSlots; ULONG MuiGeneration; ULONG IsImpersonating; std::uint32_t NlsCache; std::uint32_t pShimData; ULONG HeapData; EMULATOR_CAST(std::uint32_t, HANDLE32) CurrentTransactionHandle; EMULATOR_CAST(std::uint32_t, PTEB_ACTIVE_FRAME32) ActiveFrame; std::uint32_t FlsData; std::uint32_t PreferredLanguages; std::uint32_t UserPrefLanguages; std::uint32_t MergedPrefLanguages; ULONG MuiImpersonation; union { USHORT CrossTebFlags; USHORT SpareCrossTebBits : 16; }; union { USHORT SameTebFlags; struct { USHORT SafeThunkCall : 1; USHORT InDebugPrint : 1; USHORT HasFiberData : 1; USHORT SkipThreadAttach : 1; USHORT WerInShipAssertCode : 1; USHORT RanProcessInit : 1; USHORT ClonedThread : 1; USHORT SuppressDebugMsg : 1; USHORT DisableUserStackWalk : 1; USHORT RtlExceptionAttached : 1; USHORT InitialThread : 1; USHORT SessionAware : 1; USHORT LoadOwner : 1; USHORT LoaderWorker : 1; USHORT SkipLoaderInit : 1; USHORT SkipFileAPIBrokering : 1; }; }; std::uint32_t TxnScopeEnterCallback; std::uint32_t TxnScopeExitCallback; std::uint32_t TxnScopeContext; ULONG LockCount; LONG WowTebOffset; std::uint32_t ResourceRetValue; std::uint32_t ReservedForWdf; ULONGLONG ReservedForCrt; GUID EffectiveContainerId; ULONGLONG LastSleepCounter; // Win11 ULONG SpinCallCount; ULONGLONG ExtendedFeatureDisableMask; } TEB32, *PTEB32; static_assert(sizeof(TEB32) == 4120, "sizeof(TEB32) is incorrect"); #pragma pack(push, 4) typedef struct _KSYSTEM_TIME { ULONG LowPart; LONG High1Time; LONG High2Time; } KSYSTEM_TIME, *PKSYSTEM_TIME; #pragma pack(pop) typedef enum _NT_PRODUCT_TYPE { NtProductWinNt = 1, NtProductLanManNt, NtProductServer } NT_PRODUCT_TYPE, *PNT_PRODUCT_TYPE; typedef enum _ALTERNATIVE_ARCHITECTURE_TYPE { StandardDesign, NEC98x86, EndAlternatives } ALTERNATIVE_ARCHITECTURE_TYPE; union KUSD_SHARED_DATA_FLAGS_UNION { ULONG SharedDataFlags; struct { // // The following bit fields are for the debugger only. Do not use. // Use the bit definitions instead. // ULONG DbgErrorPortPresent : 1; ULONG DbgElevationEnabled : 1; ULONG DbgVirtEnabled : 1; ULONG DbgInstallerDetectEnabled : 1; ULONG DbgLkgEnabled : 1; ULONG DbgDynProcessorEnabled : 1; ULONG DbgConsoleBrokerEnabled : 1; ULONG DbgSecureBootEnabled : 1; ULONG DbgMultiSessionSku : 1; ULONG DbgMultiUsersInSessionSku : 1; ULONG DbgStateSeparationEnabled : 1; ULONG DbgSplitTokenEnabled : 1; ULONG DbgShadowAdminEnabled : 1; ULONG SpareBits : 19; }; }; union KUSD_TICK_COUNT_UNION { volatile KSYSTEM_TIME TickCount; volatile std::uint64_t TickCountQuad; struct { ULONG ReservedTickCountOverlay[3]; ULONG TickCountPad[1]; }; }; union KUSD_VIRTUALIZATION_FLAGS_UNION { UCHAR VirtualizationFlags; }; union KUSD_MITIGATION_POLICIES_UNION { UCHAR MitigationPolicies; struct { UCHAR NXSupportPolicy : 2; UCHAR SEHValidationPolicy : 2; UCHAR CurDirDevicesSkippedForDlls : 2; UCHAR Reserved : 2; }; }; union KUSD_QPC_DATA_UNION { USHORT QpcData; struct { volatile UCHAR QpcBypassEnabled; UCHAR QpcReserved; }; }; #ifndef OS_WINDOWS #define MAXIMUM_XSTATE_FEATURES 64 typedef struct _XSTATE_FEATURE { ULONG Offset; ULONG Size; } XSTATE_FEATURE; typedef struct _XSTATE_CONFIGURATION { std::uint64_t EnabledFeatures; std::uint64_t EnabledVolatileFeatures; ULONG Size; union { ULONG ControlFlags; struct { ULONG OptimizedSave : 1; ULONG CompactionEnabled : 1; ULONG Reserved1 : 30; }; }; XSTATE_FEATURE Features[MAXIMUM_XSTATE_FEATURES]; std::uint64_t EnabledSupervisorFeatures; std::uint64_t AlignedFeatures; std::uint64_t AllFeatureSize; ULONG AllFeatures[MAXIMUM_XSTATE_FEATURES]; } XSTATE_CONFIGURATION, *PXSTATE_CONFIGURATION; #endif #define ORIGINALLY_VOLATILE /*volatile*/ typedef struct _KUSER_SHARED_DATA64 { ULONG TickCountLowDeprecated; ULONG TickCountMultiplier; ORIGINALLY_VOLATILE KSYSTEM_TIME InterruptTime; ORIGINALLY_VOLATILE KSYSTEM_TIME SystemTime; ORIGINALLY_VOLATILE KSYSTEM_TIME TimeZoneBias; USHORT ImageNumberLow; USHORT ImageNumberHigh; ARRAY_CONTAINER NtSystemRoot; ULONG MaxStackTraceDepth; ULONG CryptoExponent; ULONG TimeZoneId; ULONG LargePageMinimum; ULONG AitSamplingValue; ULONG AppCompatFlag; ULONGLONG RNGSeedVersion; ULONG GlobalValidationRunlevel; ORIGINALLY_VOLATILE LONG TimeZoneBiasStamp; ULONG NtBuildNumber; NT_PRODUCT_TYPE NtProductType; BOOLEAN ProductTypeIsValid; BOOLEAN Reserved0; USHORT NativeProcessorArchitecture; ULONG NtMajorVersion; ULONG NtMinorVersion; ARRAY_CONTAINER ProcessorFeatures; ULONG Reserved1; ULONG Reserved3; ORIGINALLY_VOLATILE ULONG TimeSlip; ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture; ULONG BootId; LARGE_INTEGER SystemExpirationDate; ULONG SuiteMask; BOOLEAN KdDebuggerEnabled; KUSD_MITIGATION_POLICIES_UNION MitigationPolicies; USHORT CyclesPerYield; ORIGINALLY_VOLATILE ULONG ActiveConsoleId; ORIGINALLY_VOLATILE ULONG DismountCount; ULONG ComPlusPackage; ULONG LastSystemRITEventTickCount; ULONG NumberOfPhysicalPages; BOOLEAN SafeBootMode; KUSD_VIRTUALIZATION_FLAGS_UNION VirtualizationFlags; ARRAY_CONTAINER Reserved12; KUSD_SHARED_DATA_FLAGS_UNION SharedDataFlags; ULONG DataFlagsPad; ULONGLONG TestRetInstruction; LONGLONG QpcFrequency; ULONG SystemCall; ULONG Reserved2; ULONGLONG FullNumberOfPhysicalPages; ULONGLONG SystemCallPad; KUSD_TICK_COUNT_UNION TickCount; ULONG Cookie; ULONG CookiePad; LONGLONG ConsoleSessionForegroundProcessId; ULONGLONG TimeUpdateLock; ULONGLONG BaselineSystemTimeQpc; ULONGLONG BaselineInterruptTimeQpc; ULONGLONG QpcSystemTimeIncrement; ULONGLONG QpcInterruptTimeIncrement; UCHAR QpcSystemTimeIncrementShift; UCHAR QpcInterruptTimeIncrementShift; USHORT UnparkedProcessorCount; ARRAY_CONTAINER EnclaveFeatureMask; ULONG TelemetryCoverageRound; ARRAY_CONTAINER UserModeGlobalLogger; ULONG ImageFileExecutionOptions; ULONG LangGenerationCount; ULONGLONG Reserved4; ORIGINALLY_VOLATILE ULONGLONG InterruptTimeBias; ORIGINALLY_VOLATILE ULONGLONG QpcBias; ULONG ActiveProcessorCount; ORIGINALLY_VOLATILE UCHAR ActiveGroupCount; UCHAR Reserved9; KUSD_QPC_DATA_UNION QpcData; LARGE_INTEGER TimeZoneBiasEffectiveStart; LARGE_INTEGER TimeZoneBiasEffectiveEnd; XSTATE_CONFIGURATION XState; KSYSTEM_TIME FeatureConfigurationChangeStamp; ULONG Spare; std::uint64_t UserPointerAuthMask; ARRAY_CONTAINER Reserved10; } KUSER_SHARED_DATA64, *PKUSER_SHARED_DATA64; typedef struct _API_SET_NAMESPACE_ENTRY { ULONG Flags; ULONG NameOffset; ULONG NameLength; ULONG HashedLength; ULONG ValueOffset; ULONG ValueCount; } API_SET_NAMESPACE_ENTRY, *PAPI_SET_NAMESPACE_ENTRY; typedef struct _API_SET_HASH_ENTRY { ULONG Hash; ULONG Index; } API_SET_HASH_ENTRY, *PAPI_SET_HASH_ENTRY; typedef struct _API_SET_VALUE_ENTRY { ULONG Flags; ULONG NameOffset; ULONG NameLength; ULONG ValueOffset; ULONG ValueLength; } API_SET_VALUE_ENTRY, *PAPI_SET_VALUE_ENTRY; template struct PS_ATTRIBUTE { typename Traits::ULONG_PTR Attribute; typename Traits::SIZE_T Size; union { typename Traits::ULONG_PTR Value; typename Traits::PVOID ValuePtr; }; EMULATOR_CAST(uint64_t, typename Traits::SIZE_T*) ReturnLength; }; template struct PS_ATTRIBUTE_LIST { typename Traits::SIZE_T TotalLength; PS_ATTRIBUTE Attributes[1]; }; typedef struct _SYSTEM_TIMEOFDAY_INFORMATION64 { LARGE_INTEGER BootTime; LARGE_INTEGER CurrentTime; LARGE_INTEGER TimeZoneBias; ULONG TimeZoneId; ULONG Reserved; ULONGLONG BootTimeBias; ULONGLONG SleepTimeBias; } SYSTEM_TIMEOFDAY_INFORMATION64, *PSYSTEM_TIMEOFDAY_INFORMATION64; typedef struct _SYSTEMTIME64 { WORD wYear; WORD wMonth; WORD wDay; WORD wHour; WORD wMinute; WORD wSecond; WORD wMilliseconds; WORD wDayOfWeek; } SYSTEMTIME64, *PSYSTEMTIME64, *LPSYSTEMTIME64; typedef struct _SYSTEM_TIMEZONE_INFORMATION { LONG Bias; ARRAY_CONTAINER StandardName; SYSTEMTIME64 StandardDate; LONG StandardBias; ARRAY_CONTAINER DaylightName; SYSTEMTIME64 DaylightDate; LONG DaylightBias; } SYSTEM_TIMEZONE_INFORMATION, *PSYSTEM_TIMEZONE_INFORMATION; typedef struct _SYSTEM_DYNAMIC_TIMEZONE_INFORMATION { LONG Bias; ARRAY_CONTAINER StandardName; SYSTEMTIME64 StandardDate; LONG StandardBias; ARRAY_CONTAINER DaylightName; SYSTEMTIME64 DaylightDate; LONG DaylightBias; ARRAY_CONTAINER TimeZoneKeyName; BOOLEAN DynamicDaylightTimeDisabled; } SYSTEM_DYNAMIC_TIMEZONE_INFORMATION, *PSYSTEM_DYNAMIC_TIMEZONE_INFORMATION; // Memory address requirements structure typedef struct _MEM_ADDRESS_REQUIREMENTS64 { EMULATOR_CAST(std::uint64_t, PVOID) LowestStartingAddress; EMULATOR_CAST(std::uint64_t, PVOID) HighestEndingAddress; EMULATOR_CAST(std::uint64_t, SIZE_T) Alignment; } MEM_ADDRESS_REQUIREMENTS64, *PMEM_ADDRESS_REQUIREMENTS64; // Extended memory parameter structure typedef struct _MEM_EXTENDED_PARAMETER64 { struct { ULONG64 Type : 8; // MEM_EXTENDED_PARAMETER_TYPE ULONG64 Reserved : 56; }; union { ULONG64 ULong64; EMULATOR_CAST(std::uint64_t, PVOID) Pointer; EMULATOR_CAST(std::uint64_t, SIZE_T) Size; EMULATOR_CAST(std::uint64_t, HANDLE) Handle; ULONG ULong; }; } MEM_EXTENDED_PARAMETER64, *PMEM_EXTENDED_PARAMETER64; typedef struct _PROCESS_BASIC_INFORMATION64 { NTSTATUS ExitStatus; EMULATOR_CAST(uint64_t, PPEB64) PebBaseAddress; EMULATOR_CAST(std::uint64_t, KAFFINITY) AffinityMask; EMULATOR_CAST(std::uint32_t, KPRIORITY) BasePriority; EMULATOR_CAST(std::uint64_t, HANDLE) UniqueProcessId; EMULATOR_CAST(std::uint64_t, HANDLE) InheritedFromUniqueProcessId; } PROCESS_BASIC_INFORMATION64, *PPROCESS_BASIC_INFORMATION64; typedef struct _PROCESS_EXTENDED_BASIC_INFORMATION { EMULATOR_CAST(std::uint64_t, SIZE_T) Size; // Ignored as input, written with structure size on output PROCESS_BASIC_INFORMATION64 BasicInfo; union { ULONG Flags; struct { ULONG IsProtectedProcess : 1; ULONG IsWow64Process : 1; ULONG IsProcessDeleting : 1; ULONG IsCrossSessionCreate : 1; ULONG IsFrozen : 1; ULONG IsBackground : 1; ULONG IsStronglyNamed : 1; ULONG IsSecureProcess : 1; ULONG IsSubsystemProcess : 1; ULONG SpareBits : 23; }; }; } PROCESS_EXTENDED_BASIC_INFORMATION, *PPROCESS_EXTENDED_BASIC_INFORMATION; typedef struct _KERNEL_USER_TIMES { LARGE_INTEGER CreateTime; LARGE_INTEGER ExitTime; LARGE_INTEGER KernelTime; LARGE_INTEGER UserTime; } KERNEL_USER_TIMES, *PKERNEL_USER_TIMES; struct THREAD_TLS_INFORMATION { ULONG Flags; uint32_t _Padding; union { EmulatorTraits::PVOID NewTlsData; EmulatorTraits::PVOID OldTlsData; }; uint64_t ThreadId; }; static_assert(sizeof(THREAD_TLS_INFORMATION) == 0x18); enum PROCESS_TLS_INFORMATION_TYPE { ProcessTlsReplaceIndex, ProcessTlsReplaceVector, MaxProcessTlsOperation }; struct PROCESS_TLS_INFORMATION { ULONG Flags; PROCESS_TLS_INFORMATION_TYPE OperationType; ULONG ThreadDataCount; union { ULONG TlsIndex; ULONG PreviousCount; }; THREAD_TLS_INFORMATION ThreadData[1]; }; static_assert(sizeof(PROCESS_TLS_INFORMATION) == 0x28); struct EMU_GENERIC_MAPPING { ACCESS_MASK GenericRead; ACCESS_MASK GenericWrite; ACCESS_MASK GenericExecute; ACCESS_MASK GenericAll; }; struct OBJECT_TYPES_INFORMATION { ULONG NumberOfTypes; }; struct OBJECT_TYPE_INFORMATION { STRING64 TypeName; ULONG TotalNumberOfObjects; ULONG TotalNumberOfHandles; ULONG TotalPagedPoolUsage; ULONG TotalNonPagedPoolUsage; ULONG TotalNamePoolUsage; ULONG TotalHandleTableUsage; ULONG HighWaterNumberOfObjects; ULONG HighWaterNumberOfHandles; ULONG HighWaterPagedPoolUsage; ULONG HighWaterNonPagedPoolUsage; ULONG HighWaterNamePoolUsage; ULONG HighWaterHandleTableUsage; ULONG InvalidAttributes; EMU_GENERIC_MAPPING GenericMapping; ULONG ValidAccessMask; BOOLEAN SecurityRequired; BOOLEAN MaintainHandleCount; UCHAR TypeIndex; // since WINBLUE CHAR ReservedByte; ULONG PoolType; ULONG DefaultPagedPoolCharge; ULONG DefaultNonPagedPoolCharge; }; // WIN8 to REDSTONE typedef struct _PS_MITIGATION_OPTIONS_MAP_V1 { ULONG64 Map[1]; } PS_MITIGATION_OPTIONS_MAP_V1, *PPS_MITIGATION_OPTIONS_MAP_V1; // private // REDSTONE2 to 19H2 typedef struct _PS_MITIGATION_OPTIONS_MAP_V2 { ULONG64 Map[2]; } PS_MITIGATION_OPTIONS_MAP_V2, *PPS_MITIGATION_OPTIONS_MAP_V2; // private // since 20H1 typedef struct _PS_MITIGATION_OPTIONS_MAP_V3 { ULONG64 Map[3]; } PS_MITIGATION_OPTIONS_MAP_V3, *PPS_MITIGATION_OPTIONS_MAP_V3; typedef PS_MITIGATION_OPTIONS_MAP_V3 PS_MITIGATION_OPTIONS_MAP, *PPS_MITIGATION_OPTIONS_MAP; // private // REDSTONE3 to 19H2 typedef struct _PS_MITIGATION_AUDIT_OPTIONS_MAP_V2 { ULONG64 Map[2]; } PS_MITIGATION_AUDIT_OPTIONS_MAP_V2, *PPS_MITIGATION_AUDIT_OPTIONS_MAP_V2; // private // since 20H1 typedef struct _PS_MITIGATION_AUDIT_OPTIONS_MAP_V3 { ULONG64 Map[3]; } PS_MITIGATION_AUDIT_OPTIONS_MAP_V3, *PPS_MITIGATION_AUDIT_OPTIONS_MAP_V3, PS_MITIGATION_AUDIT_OPTIONS_MAP, *PPS_MITIGATION_AUDIT_OPTIONS_MAP; // private // VISTA to WIN7 SP1 typedef enum class _WOW64_SHARED_INFORMATION_V1 { SharedNtdll32LdrInitializeThunk = 0, SharedNtdll32KiUserExceptionDispatcher = 1, SharedNtdll32KiUserApcDispatcher = 2, SharedNtdll32KiUserCallbackDispatcher = 3, SharedNtdll32LdrHotPatchRoutine = 4, SharedNtdll32ExpInterlockedPopEntrySListFault = 5, SharedNtdll32ExpInterlockedPopEntrySListResume = 6, SharedNtdll32ExpInterlockedPopEntrySListEnd = 7, SharedNtdll32RtlUserThreadStart = 8, SharedNtdll32pQueryProcessDebugInformationRemote = 9, SharedNtdll32EtwpNotificationThread = 10, SharedNtdll32BaseAddress = 11, Wow64SharedPageEntriesCount = 12 } WOW64_SHARED_INFORMATION_V1; // private // WIN8 typedef enum class _WOW64_SHARED_INFORMATION_V2 { SharedNtdll32LdrInitializeThunk = 0, SharedNtdll32KiUserExceptionDispatcher = 1, SharedNtdll32KiUserApcDispatcher = 2, SharedNtdll32KiUserCallbackDispatcher = 3, SharedNtdll32LdrHotPatchRoutine = 4, SharedNtdll32ExpInterlockedPopEntrySListFault = 5, SharedNtdll32ExpInterlockedPopEntrySListResume = 6, SharedNtdll32ExpInterlockedPopEntrySListEnd = 7, SharedNtdll32RtlUserThreadStart = 8, SharedNtdll32pQueryProcessDebugInformationRemote = 9, SharedNtdll32EtwpNotificationThread = 10, SharedNtdll32BaseAddress = 11, SharedNtdll32RtlpWnfNotificationThread = 12, SharedNtdll32LdrSystemDllInitBlock = 13, Wow64SharedPageEntriesCount = 14 } WOW64_SHARED_INFORMATION_V2; // private // WIN8.1 to THRESHOLD 1 typedef enum class _WOW64_SHARED_INFORMATION_V3 { SharedNtdll32LdrInitializeThunk = 0, SharedNtdll32KiUserExceptionDispatcher = 1, SharedNtdll32KiUserApcDispatcher = 2, SharedNtdll32KiUserCallbackDispatcher = 3, SharedNtdll32ExpInterlockedPopEntrySListFault = 4, SharedNtdll32ExpInterlockedPopEntrySListResume = 5, SharedNtdll32ExpInterlockedPopEntrySListEnd = 6, SharedNtdll32RtlUserThreadStart = 7, SharedNtdll32pQueryProcessDebugInformationRemote = 8, SharedNtdll32BaseAddress = 9, SharedNtdll32LdrSystemDllInitBlock = 10, Wow64SharedPageEntriesCount = 11 } WOW64_SHARED_INFORMATION_V3; // private // THRESHOLD 2 to REDSTONE 2 typedef enum class _WOW64_SHARED_INFORMATION_V4 { SharedNtdll32LdrInitializeThunk = 0, SharedNtdll32KiUserExceptionDispatcher = 1, SharedNtdll32KiUserApcDispatcher = 2, SharedNtdll32KiUserCallbackDispatcher = 3, SharedNtdll32RtlUserThreadStart = 4, SharedNtdll32pQueryProcessDebugInformationRemote = 5, SharedNtdll32BaseAddress = 6, SharedNtdll32LdrSystemDllInitBlock = 7, Wow64SharedPageEntriesCount = 8 } WOW64_SHARED_INFORMATION_V4; // private // REDSTONE 3 to 24H2 typedef enum class _WOW64_SHARED_INFORMATION_V5 { SharedNtdll32LdrInitializeThunk = 0, SharedNtdll32KiUserExceptionDispatcher = 1, SharedNtdll32KiUserApcDispatcher = 2, SharedNtdll32KiUserCallbackDispatcher = 3, SharedNtdll32RtlUserThreadStart = 4, SharedNtdll32pQueryProcessDebugInformationRemote = 5, SharedNtdll32BaseAddress = 6, SharedNtdll32LdrSystemDllInitBlock = 7, SharedNtdll32RtlpFreezeTimeBias = 8, Wow64SharedPageEntriesCount = 9 } WOW64_SHARED_INFORMATION_V5; // private // WIN8 to REDSTONE typedef struct _PS_SYSTEM_DLL_INIT_BLOCK_V1 { ULONG Size; ULONG SystemDllWowRelocation; ULONG64 SystemDllNativeRelocation; ULONG Wow64SharedInformation[16]; // use WOW64_SHARED_INFORMATION as index ULONG RngData; union { ULONG Flags; struct { ULONG CfgOverride : 1; // since REDSTONE ULONG Reserved : 31; }; }; ULONG64 MitigationOptions; ULONG64 CfgBitMap; // since WINBLUE ULONG64 CfgBitMapSize; ULONG64 Wow64CfgBitMap; // since THRESHOLD ULONG64 Wow64CfgBitMapSize; } PS_SYSTEM_DLL_INIT_BLOCK_V1, *PPS_SYSTEM_DLL_INIT_BLOCK_V1; // RS2 - 19H2 typedef struct _PS_SYSTEM_DLL_INIT_BLOCK_V2 { ULONG Size; ULONG64 SystemDllWowRelocation; ULONG64 SystemDllNativeRelocation; ULONG64 Wow64SharedInformation[16]; // use WOW64_SHARED_INFORMATION as index ULONG RngData; union { ULONG Flags; struct { ULONG CfgOverride : 1; ULONG Reserved : 31; }; }; PS_MITIGATION_OPTIONS_MAP_V2 MitigationOptionsMap; ULONG64 CfgBitMap; ULONG64 CfgBitMapSize; ULONG64 Wow64CfgBitMap; ULONG64 Wow64CfgBitMapSize; PS_MITIGATION_AUDIT_OPTIONS_MAP_V2 MitigationAuditOptionsMap; // since REDSTONE3 } PS_SYSTEM_DLL_INIT_BLOCK_V2, *PPS_SYSTEM_DLL_INIT_BLOCK_V2; // private // since 20H1 typedef struct _PS_SYSTEM_DLL_INIT_BLOCK_V3 { ULONG Size; ULONG64 SystemDllWowRelocation; // effectively since WIN8 ULONG64 SystemDllNativeRelocation; ULONG64 Wow64SharedInformation[16]; // use WOW64_SHARED_INFORMATION_V5 as index ULONG RngData; union { ULONG Flags; struct { ULONG CfgOverride : 1; // effectively since REDSTONE ULONG Reserved : 31; }; }; PS_MITIGATION_OPTIONS_MAP_V3 MitigationOptionsMap; ULONG64 CfgBitMap; // effectively since WINBLUE ULONG64 CfgBitMapSize; ULONG64 Wow64CfgBitMap; // effectively since THRESHOLD ULONG64 Wow64CfgBitMapSize; PS_MITIGATION_AUDIT_OPTIONS_MAP_V3 MitigationAuditOptionsMap; // effectively since REDSTONE3 ULONG64 ScpCfgCheckFunction; // since 24H2 ULONG64 ScpCfgCheckESFunction; ULONG64 ScpCfgDispatchFunction; ULONG64 ScpCfgDispatchESFunction; ULONG64 ScpArm64EcCallCheck; ULONG64 ScpArm64EcCfgCheckFunction; ULONG64 ScpArm64EcCfgCheckESFunction; } PS_SYSTEM_DLL_INIT_BLOCK_V3, *PPS_SYSTEM_DLL_INIT_BLOCK_V3, PS_SYSTEM_DLL_INIT_BLOCK, *PPS_SYSTEM_DLL_INIT_BLOCK; static_assert(sizeof(PS_SYSTEM_DLL_INIT_BLOCK_V3) == 0x128); // // Process mitigation policy information // NtSetInformationProcess using ProcessMitigationPolicy // typedef struct _PROCESS_MITIGATION_POLICY_RAW_DATA { PROCESS_MITIGATION_POLICY Policy; ULONG Value; } PROCESS_MITIGATION_POLICY_RAW_DATA, *PPROCESS_MITIGATION_POLICY_RAW_DATA; static_assert(sizeof(PROCESS_MITIGATION_POLICY_RAW_DATA) == 0x8); typedef struct _WOW64_CPURESERVED { USHORT Flags; // Initialised to 0x02 by ntdll.dll and periodically bitwise OR'd with WOW64_CPURESERVED_FLAG_RESET_STATE USHORT MachineType; // IMAGE_FILE_MACHINE_I386 (0x014C) for x86 architecture // Under IMAGE_FILE_MACHINE_I386 machine type, this is the WOW64_CONTEXT structure containing x86 architecture context WOW64_CONTEXT Context; // Padding to align WOW64 stack BYTE AlignmentPad[0x10]; } WOW64_CPURESERVED, *PWOW64_CPURESERVED; static_assert(sizeof(WOW64_CPURESERVED) == 0x2E0); #define WOW64_CPURESERVED_FLAG_RESET_STATE 1 typedef enum class _SECTION_INFORMATION_CLASS { SectionBasicInformation = 0, SectionImageInformation = 1, SectionRelocationInformation = 2, SectionOriginalBaseInformation = 3, SectionInternalImageInformation = 4 } SECTION_INFORMATION_CLASS, *PSECTION_INFORMATION_CLASS; // NOLINTEND(modernize-use-using,cppcoreguidelines-avoid-c-arrays,hicpp-avoid-c-arrays,modernize-avoid-c-arrays)