TEB defintion and Thread.teb field

.github/workflows/tests.yml

@@ -1,14 +1,18 @@
-# V0.1
 name: Pytest
 
-on: [push, pull_request, workflow_dispatch]
+on:
+  push:
+    branches:
+      - 'master'
+  pull_request:
   # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
 
 jobs:
   generate_ctypes:
     runs-on: windows-latest
     timeout-minutes: 5
-
     steps:
         - uses: actions/checkout@v4
         - uses: actions/setup-python@v5
@@ -19,7 +23,6 @@ jobs:
         - name: Check generated code can execute
           run: py -c "import windows.generated_def"
   tests:
-    # Not a real dependency : but starting tests when ctypes generation is broken is not useful
     strategy:
       fail-fast: false
       matrix:
@@ -32,7 +35,7 @@ jobs:
               python-architecture: x86
             - python-bitness-to-test: 64
               python-architecture: x64
-
+    # Not a real dependency : but starting tests when ctypes generation is broken is not useful
     needs: generate_ctypes
     timeout-minutes: 15
     runs-on: ${{ matrix.runs-on }}
@@ -76,11 +79,11 @@ jobs:
             py -${{ matrix.python-version}}-64 setup.py install
 
       - name: Installing pytest & capstone-windows
-        run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -m pip install pytest capstone-windows
+        run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -m pip install pytest pytest-timeout capstone-windows
 
       # Testing
       - name: Testing
-        run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -m pytest --junitxml=junit/test-results.xml -s -k "not known_to_fail" -v tests/
+        run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -m pytest --junitxml=junit/test-results.xml -s -v tests/
 
       - name: Publish PyTest Results
         uses: EnricoMi/publish-unit-test-result-action/windows@v2
@@ -90,4 +93,4 @@ jobs:
           check_name: PyTest Results for ${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}}
           secondary_rate_limit_wait_seconds: 90
           seconds_between_github_writes: 10
-          seconds_between_github_reads: 1
+          seconds_between_github_reads: 1

.gitignore

@@ -3,7 +3,12 @@ doctrees
 *.inv
 *.pickle
 *.ignore
+*.code-workspace
 
 .vscode/
 .cache/
-dist/
+dist/
+build/
+docs/BuildDocEnv/
+playground/
+*egg-info/

ctypes_generation/definitions/functions/process.txt

@@ -63,4 +63,10 @@ HMODULE LoadLibraryExW(
 
 BOOL FreeLibrary(
   HMODULE hLibModule
-);
+);
+
+
+/* Not documented by seems present since dawn of time (WRK)
+    I Prefere PVOID as a return value to allow simple cast to PEB subclass in process.py*/
+
+PVOID RtlGetCurrentPeb ();

ctypes_generation/definitions/structures/simple_structs.txt

@@ -0,0 +1,29 @@
+/* Structures that do not depends on anything other that basic type
+    Simplify structure dependancy file graph
+*/
+
+typedef struct _LIST_ENTRY {
+   struct _LIST_ENTRY *Flink;
+   struct _LIST_ENTRY *Blink;
+} LIST_ENTRY, *PLIST_ENTRY, *RESTRICTED_POINTER PRLIST_ENTRY;
+
+typedef struct _LSA_UNICODE_STRING {
+  USHORT Length;
+  USHORT MaximumLength;
+  PVOID  Buffer; // PVOID to prevent ctypes to automatically read the content of the buffer till a \0
+} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;
+
+typedef struct _CLIENT_ID{
+   HANDLE UniqueProcess;
+   HANDLE UniqueThread;
+} CLIENT_ID, *PCLIENT_ID;
+
+typedef struct _CLIENT_ID64{
+   ULONG64 UniqueProcess;
+   ULONG64 UniqueThread;
+} CLIENT_ID64, *PCLIENT_ID64;
+
+typedef struct _CLIENT_ID32{
+   ULONG UniqueProcess;
+   ULONG UniqueThread;
+} CLIENT_ID32, *PCLIENT_ID32;

ctypes_generation/definitions/structures/teb_peb.txt

@@ -0,0 +1,237 @@
+/*  This is the part of RTL_USER_PROCESS_PARAMETERS that works from XP to Windows 10
+    http://terminus.rewolf.pl/terminus/structures/ntdll/_RTL_USER_PROCESS_PARAMETERS_x86.html
+*/
+
+typedef struct _CURDIR
+{
+     UNICODE_STRING DosPath;
+     PVOID Handle;
+} CURDIR, *PCURDIR;
+
+typedef struct _RTL_DRIVE_LETTER_CURDIR
+{
+     WORD Flags;
+     WORD Length;
+     ULONG TimeStamp;
+     UNICODE_STRING DosPath;
+} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;
+
+typedef struct _RTL_USER_PROCESS_PARAMETERS
+{
+     ULONG MaximumLength;
+     ULONG Length;
+     ULONG Flags;
+     ULONG DebugFlags;
+     PVOID ConsoleHandle;
+     ULONG ConsoleFlags;
+     PVOID StandardInput;
+     PVOID StandardOutput;
+     PVOID StandardError;
+     CURDIR CurrentDirectory;
+     UNICODE_STRING DllPath;
+     UNICODE_STRING ImagePathName;
+     UNICODE_STRING CommandLine;
+     PVOID Environment;
+     ULONG StartingX;
+     ULONG StartingY;
+     ULONG CountX;
+     ULONG CountY;
+     ULONG CountCharsX;
+     ULONG CountCharsY;
+     ULONG FillAttribute;
+     ULONG WindowFlags;
+     ULONG ShowWindowFlags;
+     UNICODE_STRING WindowTitle;
+     UNICODE_STRING DesktopInfo;
+     UNICODE_STRING ShellInfo;
+     UNICODE_STRING RuntimeData;
+     RTL_DRIVE_LETTER_CURDIR CurrentDirectores[32];
+} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
+
+// PEB: Thank to
+// https://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx
+// http://blog.rewolf.pl/blog/?p=573
+// http://terminus.rewolf.pl/terminus/structures/ntdll/_PEB_combined.html
+
+typedef struct _LDR_DATA_TABLE_ENTRY {
+    PVOID Reserved1[2];
+    LIST_ENTRY InMemoryOrderLinks;
+    PVOID Reserved2[2];
+    PVOID DllBase;
+    PVOID EntryPoint;
+    PVOID SizeOfImage;
+    UNICODE_STRING FullDllName;
+    UNICODE_STRING BaseDllName;
+    PVOID Reserved5[3];
+    ULONG CheckSum;
+    ULONG TimeDateStamp;
+} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
+
+/* Definition of WinXP : Still same base in win11 with some extra field */
+
+typedef struct _PEB_LDR_DATA {
+    ULONG               Length;
+    BYTE                Initialized;
+    PVOID               SsHandle;
+    _LIST_ENTRY         InLoadOrderModuleList;
+    _LIST_ENTRY         InMemoryOrderModuleList;
+    _LIST_ENTRY         InInitializationOrderModuleList;
+    PVOID               EntryInProgress;
+    // BYTE                ShutdownInProgress; // New field
+    // PVOID               ShutdownThreadId;   // New field
+}PEB_LDR_DATA, *PPEB_LDR_DATA;
+
+
+
+typedef union _ANON_PEB_SYSTEM_DEPENDENT_02 {
+    PVOID FastPebLockRoutine;
+    PVOID SparePtr1;
+    PVOID AtlThunkSListPtr;
+};
+
+typedef union _ANON_PEB_SYSTEM_DEPENDENT_03 {
+    PVOID FastPebUnlockRoutine;
+    PVOID SparePtr2;
+    PVOID IFEOKey;
+};
+
+
+typedef union _ANON_PEB_SYSTEM_DEPENDENT_06 {
+    PVOID FreeList;
+    PVOID SparePebPtr0;
+    PVOID ApiSetMap;
+};
+
+typedef union _ANON_PEB_SYSTEM_DEPENDENT_07 {
+    PVOID ReadOnlySharedMemoryHeap;
+    PVOID HotpatchInformation;
+    PVOID SparePvoid0;
+};
+
+
+typedef union _ANON_PEB_UNION_1 {
+    PVOID KernelCallbackTable;
+    PVOID UserSharedInfoPtr;
+};
+
+typedef union _ANON_PEB_UNION_2 {
+    PVOID ImageProcessAffinityMask;
+    PVOID ActiveProcessAffinityMask;
+};
+
+typedef struct _PEB {
+  BYTE                          Reserved1[2];
+  BYTE                          BeingDebugged;
+  BYTE                          Reserved2[1];
+  PVOID                         Mutant;
+  PVOID                         ImageBaseAddress;
+  PPEB_LDR_DATA                 Ldr;
+  PRTL_USER_PROCESS_PARAMETERS  ProcessParameters;
+  PVOID                         SubSystemData;
+  PVOID                         ProcessHeap;
+  PVOID                         FastPebLock;
+  _ANON_PEB_SYSTEM_DEPENDENT_02 _SYSTEM_DEPENDENT_02;
+  _ANON_PEB_SYSTEM_DEPENDENT_03 _SYSTEM_DEPENDENT_03;
+  PVOID                         _SYSTEM_DEPENDENT_04;
+  union {
+      PVOID KernelCallbackTable;
+      PVOID UserSharedInfoPtr;
+  };
+  DWORD                         SystemReserved;
+  DWORD                         _SYSTEM_DEPENDENT_05;
+  _ANON_PEB_SYSTEM_DEPENDENT_06 _SYSTEM_DEPENDENT_06;
+  PVOID                         TlsExpansionCounter;
+  PVOID                         TlsBitmap;
+  DWORD                         TlsBitmapBits[2];
+  PVOID                         ReadOnlySharedMemoryBase;
+  _ANON_PEB_SYSTEM_DEPENDENT_07 _SYSTEM_DEPENDENT_07;
+  PVOID                         ReadOnlyStaticServerData;
+  PVOID                         AnsiCodePageData;
+  PVOID                         OemCodePageData;
+  PVOID                         UnicodeCaseTableData;
+  DWORD                         NumberOfProcessors;
+  DWORD                         NtGlobalFlag;
+  LARGE_INTEGER                 CriticalSectionTimeout;
+  PVOID                         HeapSegmentReserve;
+  PVOID                         HeapSegmentCommit;
+  PVOID                         HeapDeCommitTotalFreeThreshold;
+  PVOID                         HeapDeCommitFreeBlockThreshold;
+  DWORD                         NumberOfHeaps;
+  DWORD                         MaximumNumberOfHeaps;
+  PVOID                         ProcessHeaps;
+  PVOID                         GdiSharedHandleTable;
+  PVOID                         ProcessStarterHelper;
+  PVOID                         GdiDCAttributeList;
+  PVOID                         LoaderLock;
+  DWORD                         OSMajorVersion;
+  DWORD                         OSMinorVersion;
+  WORD                          OSBuildNumber;
+  WORD                          OSCSDVersion;
+  DWORD                         OSPlatformId;
+  DWORD                         ImageSubsystem;
+  DWORD                         ImageSubsystemMajorVersion;
+  PVOID                         ImageSubsystemMinorVersion;
+  union {
+      PVOID ImageProcessAffinityMask;
+      PVOID ActiveProcessAffinityMask;
+  };
+  PVOID                         GdiHandleBuffer[26];
+  BYTE                          GdiHandleBuffer2[32];
+  PVOID                         PostProcessInitRoutine;
+  PVOID                         TlsExpansionBitmap;
+  DWORD                         TlsExpansionBitmapBits[32];
+  PVOID                         SessionId;
+  ULARGE_INTEGER                AppCompatFlags;
+  ULARGE_INTEGER                AppCompatFlagsUser;
+  PVOID                         pShimData;
+  PVOID                         AppCompatInfo;
+  UNICODE_STRING                CSDVersion;
+  PVOID                         ActivationContextData;
+  PVOID                         ProcessAssemblyStorageMap;
+  PVOID                         SystemDefaultActivationContextData;
+  PVOID                         SystemAssemblyStorageMap;
+  PVOID                         MinimumStackCommit;
+} PEB, *PPEB;
+
+
+/* Partial TEB description
+    Based on:
+        - fields that did not move since XP
+        - https://learn.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-teb
+*/
+
+typedef struct _EXCEPTION_REGISTRATION_RECORD {
+    _EXCEPTION_REGISTRATION_RECORD *Next;
+    PVOID               Handler;
+};
+
+typedef struct _NT_TIB {
+    struct _EXCEPTION_REGISTRATION_RECORD *ExceptionList;
+    PVOID StackBase;
+    PVOID StackLimit;
+    PVOID SubSystemTib;
+    union {
+        PVOID FiberData;
+        ULONG Version;
+    };
+    PVOID ArbitraryUserPointer;
+    struct _NT_TIB *Self;
+} NT_TIB;
+
+typedef struct _TEB {
+    _NT_TIB             NtTib;
+    PVOID               EnvironmentPointer;
+    _CLIENT_ID          ClientId;
+    PVOID               ActiveRpcHandle;
+    PVOID               ThreadLocalStoragePointer;
+    _PEB                *ProcessEnvironmentBlock;
+    ULONG               LastErrorValue;
+    ULONG               CountOfOwnedCriticalSections;
+    PVOID               CsrClientThread;
+    PVOID               Win32ThreadInfo;
+    ULONG               User32Reserved[26];
+    ULONG               UserReserved[5];
+    PVOID               WOW32Reserved;
+    ULONG               CurrentLocale;
+    ULONG               FpSoftwareStatusRegister;
+} TEB;