Add all samples and scripts

sample/lul/peb.h

@@ -0,0 +1,449 @@
+#pragma once
+
+#include <Windows.h>
+
+typedef _Return_type_success_(return >= 0) LONG NTSTATUS;
+
+typedef enum _PROCESSINFOCLASS
+{
+	ProcessBasicInformation = 0,
+	ProcessDebugPort = 7,
+	ProcessWow64Information = 26,
+	ProcessImageFileName = 27,
+	ProcessBreakOnTermination = 29,
+	ProcessImageFileNameWin32 = 43,
+} PROCESSINFOCLASS;
+
+struct RTL_USER_PROCESS_PARAMETERS;
+
+typedef struct _LSA_UNICODE_STRING {
+	USHORT Length;
+	USHORT MaximumLength;
+		PWSTR  Buffer;
+} UNICODE_STRING;
+
+typedef struct _LDR_MODULE
+{
+	LIST_ENTRY InLoadOrderModuleList;
+	LIST_ENTRY InMemoryOrderModuleList;
+	LIST_ENTRY InInitializationOrderModuleList;
+	PVOID BaseAddress;
+	PVOID EntryPoint;
+	ULONG SizeOfImage;
+	UNICODE_STRING FullDllName;
+	UNICODE_STRING BaseDllName;
+	ULONG Flags;
+	SHORT LoadCount;
+	SHORT TlsIndex;
+	LIST_ENTRY HashTableEntry;
+	ULONG TimeDateStamp;
+} LDR_MODULE, *PLDR_MODULE;
+
+typedef struct _PEB_LDR_DATA
+{
+	ULONG Length;
+	BOOLEAN Initialized;
+	HANDLE SsHandle;
+	LIST_ENTRY InLoadOrderModuleList;
+	LIST_ENTRY InMemoryOrderModuleList;
+	LIST_ENTRY InInitializationOrderModuleList;
+	PVOID EntryInProgress;
+	BOOLEAN ShutdownInProgress;
+	HANDLE ShutdownThreadId;
+} PEB_LDR_DATA, *PPEB_LDR_DATA;
+
+#define GDI_HANDLE_BUFFER_SIZE32 34
+#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32
+typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE];
+
+typedef struct _PEB
+{
+	BOOLEAN InheritedAddressSpace;
+	BOOLEAN ReadImageFileExecOptions;
+	BOOLEAN BeingDebugged;
+
+	union
+	{
+		BOOLEAN BitField;
+
+		struct
+		{
+			BOOLEAN ImageUsesLargePages : 1;
+			BOOLEAN IsProtectedProcess : 1;
+			BOOLEAN IsImageDynamicallyRelocated : 1;
+			BOOLEAN SkipPatchingUser32Forwarders : 1;
+			BOOLEAN IsPackagedProcess : 1;
+			BOOLEAN IsAppContainer : 1;
+			BOOLEAN IsProtectedProcessLight : 1;
+			BOOLEAN IsLongPathAwareProcess : 1;
+		};
+	};
+
+	HANDLE Mutant;
+
+	PVOID ImageBaseAddress;
+	PPEB_LDR_DATA Ldr;
+	RTL_USER_PROCESS_PARAMETERS* ProcessParameters;
+	PVOID SubSystemData;
+	PVOID ProcessHeap;
+	PRTL_CRITICAL_SECTION FastPebLock;
+	PSLIST_HEADER AtlThunkSListPtr;
+	PVOID IFEOKey;
+
+	union
+	{
+		ULONG CrossProcessFlags;
+
+		struct
+		{
+			ULONG ProcessInJob : 1;
+			ULONG ProcessInitializing : 1;
+			ULONG ProcessUsingVEH : 1;
+			ULONG ProcessUsingVCH : 1;
+			ULONG ProcessUsingFTH : 1;
+			ULONG ProcessPreviouslyThrottled : 1;
+			ULONG ProcessCurrentlyThrottled : 1;
+			ULONG ProcessImagesHotPatched : 1; // REDSTONE5
+			ULONG ReservedBits0 : 24;
+		};
+	};
+
+	union
+	{
+		PVOID KernelCallbackTable;
+		PVOID UserSharedInfoPtr;
+	};
+
+	ULONG SystemReserved;
+	ULONG AtlThunkSListPtr32;
+	void* ApiSetMap;
+	ULONG TlsExpansionCounter;
+	PVOID TlsBitmap;
+	ULONG TlsBitmapBits[2]; // TLS_MINIMUM_AVAILABLE
+
+	PVOID ReadOnlySharedMemoryBase;
+	void* SharedData; // HotpatchInformation
+	PVOID* ReadOnlyStaticServerData;
+
+	PVOID AnsiCodePageData; // PCPTABLEINFO
+	PVOID OemCodePageData; // PCPTABLEINFO
+	PVOID UnicodeCaseTableData; // PNLSTABLEINFO
+
+	ULONG NumberOfProcessors;
+	ULONG NtGlobalFlag;
+
+	ULARGE_INTEGER CriticalSectionTimeout;
+	SIZE_T HeapSegmentReserve;
+	SIZE_T HeapSegmentCommit;
+	SIZE_T HeapDeCommitTotalFreeThreshold;
+	SIZE_T HeapDeCommitFreeBlockThreshold;
+
+	ULONG NumberOfHeaps;
+	ULONG MaximumNumberOfHeaps;
+	PVOID* ProcessHeaps; // PHEAP
+
+	PVOID GdiSharedHandleTable; // PGDI_SHARED_MEMORY
+	PVOID ProcessStarterHelper;
+	ULONG GdiDCAttributeList;
+
+	PRTL_CRITICAL_SECTION LoaderLock;
+
+	ULONG OSMajorVersion;
+	ULONG OSMinorVersion;
+	USHORT OSBuildNumber;
+	USHORT OSCSDVersion;
+	ULONG OSPlatformId;
+	ULONG ImageSubsystem;
+	ULONG ImageSubsystemMajorVersion;
+	ULONG ImageSubsystemMinorVersion;
+	KAFFINITY ActiveProcessAffinityMask;
+	GDI_HANDLE_BUFFER GdiHandleBuffer;
+	PVOID PostProcessInitRoutine;
+
+	PVOID TlsExpansionBitmap;
+	ULONG TlsExpansionBitmapBits[32]; // TLS_EXPANSION_SLOTS
+
+	ULONG SessionId;
+
+	ULARGE_INTEGER AppCompatFlags; // KACF_*
+	ULARGE_INTEGER AppCompatFlagsUser;
+	PVOID pShimData;
+	PVOID AppCompatInfo; // APPCOMPAT_EXE_DATA
+
+	UNICODE_STRING CSDVersion;
+
+	void* ActivationContextData;
+	void* ProcessAssemblyStorageMap;
+	void* SystemDefaultActivationContextData;
+	void* SystemAssemblyStorageMap;
+
+	SIZE_T MinimumStackCommit;
+
+	PVOID SparePointers[2]; // 19H1 (previously FlsCallback to FlsHighIndex)
+	PVOID PatchLoaderData;
+	PVOID ChpeV2ProcessInfo; // _CHPEV2_PROCESS_INFO
+
+	ULONG AppModelFeatureState;
+	ULONG SpareUlongs[2];
+
+	USHORT ActiveCodePage;
+	USHORT OemCodePage;
+	USHORT UseCaseMapping;
+	USHORT UnusedNlsField;
+
+	PVOID WerRegistrationData;
+	PVOID WerShipAssertPtr;
+
+	union
+	{
+		PVOID pContextData; // WIN7
+		PVOID pUnused; // WIN10
+		PVOID EcCodeBitMap; // WIN11
+	};
+
+	PVOID pImageHeaderHash;
+
+	union
+	{
+		ULONG TracingFlags;
+
+		struct
+		{
+			ULONG HeapTracingEnabled : 1;
+			ULONG CritSecTracingEnabled : 1;
+			ULONG LibLoaderTracingEnabled : 1;
+			ULONG SpareTracingBits : 29;
+		};
+	};
+
+	ULONGLONG CsrServerReadOnlySharedMemoryBase;
+	PRTL_CRITICAL_SECTION TppWorkerpListLock;
+	LIST_ENTRY TppWorkerpList;
+	PVOID WaitOnAddressHashTable[128];
+	void* TelemetryCoverageHeader; // REDSTONE3
+	ULONG CloudFileFlags;
+	ULONG CloudFileDiagFlags; // REDSTONE4
+	CHAR PlaceholderCompatibilityMode;
+	CHAR PlaceholderCompatibilityModeReserved[7];
+	void* LeapSecondData; // REDSTONE5
+	union
+	{
+		ULONG LeapSecondFlags;
+
+		struct
+		{
+			ULONG SixtySecondEnabled : 1;
+			ULONG Reserved : 31;
+		};
+	};
+
+	ULONG NtGlobalFlag2;
+	ULONGLONG ExtendedFeatureDisableMask; // since WIN11
+} PEB, *PPEB;
+
+
+typedef struct _CLIENT_ID
+{
+	HANDLE UniqueProcess;
+	HANDLE UniqueThread;
+} CLIENT_ID, * PCLIENT_ID;
+
+typedef struct _ACTIVATION_CONTEXT_STACK
+{
+	void* ActiveFrame;
+	LIST_ENTRY FrameListCache;
+	ULONG Flags; // ACTIVATION_CONTEXT_STACK_FLAG_*
+	ULONG NextCookieSequenceNumber;
+	ULONG StackId;
+} ACTIVATION_CONTEXT_STACK, * PACTIVATION_CONTEXT_STACK;
+
+#define GDI_BATCH_BUFFER_SIZE 310
+#define WIN32_CLIENT_INFO_LENGTH 62
+#define STATIC_UNICODE_BUFFER_LENGTH 261
+
+typedef struct _GDI_TEB_BATCH
+{
+	ULONG Offset;
+	ULONG_PTR HDC;
+	ULONG Buffer[GDI_BATCH_BUFFER_SIZE];
+} GDI_TEB_BATCH, * PGDI_TEB_BATCH;
+
+typedef struct _TEB
+{
+	NT_TIB NtTib;
+
+	PVOID EnvironmentPointer;
+	CLIENT_ID ClientId;
+	PVOID ActiveRpcHandle;
+	PVOID ThreadLocalStoragePointer;
+	PPEB ProcessEnvironmentBlock;
+
+	ULONG LastErrorValue;
+	ULONG CountOfOwnedCriticalSections;
+	PVOID CsrClientThread;
+	PVOID Win32ThreadInfo;
+	ULONG User32Reserved[26];
+	ULONG UserReserved[5];
+	PVOID WOW32Reserved;
+	LCID CurrentLocale;
+	ULONG FpSoftwareStatusRegister;
+	PVOID ReservedForDebuggerInstrumentation[16];
+#ifdef _WIN64
+	PVOID SystemReserved1[30];
+#else
+	PVOID SystemReserved1[26];
+#endif
+
+	CHAR PlaceholderCompatibilityMode;
+	BOOLEAN PlaceholderHydrationAlwaysExplicit;
+	CHAR PlaceholderReserved[10];
+
+	ULONG ProxiedProcessId;
+	ACTIVATION_CONTEXT_STACK ActivationStack;
+
+	UCHAR WorkingOnBehalfTicket[8];
+	NTSTATUS ExceptionCode;
+
+	PACTIVATION_CONTEXT_STACK ActivationContextStackPointer;
+	ULONG_PTR InstrumentationCallbackSp;
+	ULONG_PTR InstrumentationCallbackPreviousPc;
+	ULONG_PTR InstrumentationCallbackPreviousSp;
+#ifdef _WIN64
+	ULONG TxFsContext;
+#endif
+
+	BOOLEAN InstrumentationCallbackDisabled;
+#ifdef _WIN64
+	BOOLEAN UnalignedLoadStoreExceptions;
+#endif
+#ifndef _WIN64
+	UCHAR SpareBytes[23];
+	ULONG TxFsContext;
+#endif
+	GDI_TEB_BATCH GdiTebBatch;
+	CLIENT_ID RealClientId;
+	HANDLE GdiCachedProcessHandle;
+	ULONG GdiClientPID;
+	ULONG GdiClientTID;
+	PVOID GdiThreadLocalInfo;
+	ULONG_PTR Win32ClientInfo[WIN32_CLIENT_INFO_LENGTH];
+
+	PVOID glDispatchTable[233];
+	ULONG_PTR glReserved1[29];
+	PVOID glReserved2;
+	PVOID glSectionInfo;
+	PVOID glSection;
+	PVOID glTable;
+	PVOID glCurrentRC;
+	PVOID glContext;
+
+	NTSTATUS LastStatusValue;
+	UNICODE_STRING StaticUnicodeString;
+	WCHAR StaticUnicodeBuffer[STATIC_UNICODE_BUFFER_LENGTH];
+
+	PVOID DeallocationStack;
+	PVOID TlsSlots[TLS_MINIMUM_AVAILABLE];
+	LIST_ENTRY TlsLinks;
+
+	PVOID Vdm;
+	PVOID ReservedForNtRpc;
+	PVOID DbgSsReserved[2];
+
+	ULONG HardErrorMode;
+#ifdef _WIN64
+	PVOID Instrumentation[11];
+#else
+	PVOID Instrumentation[9];
+#endif
+	GUID ActivityId;
+
+	PVOID SubProcessTag;
+	PVOID PerflibData;
+	PVOID EtwTraceData;
+	PVOID WinSockData;
+	ULONG GdiBatchCount;
+
+	union
+	{
+		PROCESSOR_NUMBER CurrentIdealProcessor;
+		ULONG IdealProcessorValue;
+
+		struct
+		{
+			UCHAR ReservedPad0;
+			UCHAR ReservedPad1;
+			UCHAR ReservedPad2;
+			UCHAR IdealProcessor;
+		};
+	};
+
+	ULONG GuaranteedStackBytes;
+	PVOID ReservedForPerf;
+	PVOID ReservedForOle; // tagSOleTlsData
+	ULONG WaitingOnLoaderLock;
+	PVOID SavedPriorityState;
+	ULONG_PTR ReservedForCodeCoverage;
+	PVOID ThreadPoolData;
+	PVOID* TlsExpansionSlots;
+#ifdef _WIN64
+	PVOID DeallocationBStore;
+	PVOID BStoreLimit;
+#endif
+	ULONG MuiGeneration;
+	ULONG IsImpersonating;
+	PVOID NlsCache;
+	PVOID pShimData;
+	ULONG HeapData;
+	HANDLE CurrentTransactionHandle;
+	void* ActiveFrame;
+	PVOID FlsData;
+
+	PVOID PreferredLanguages;
+	PVOID UserPrefLanguages;
+	PVOID MergedPrefLanguages;
+	ULONG MuiImpersonation;
+
+	union
+	{
+		USHORT CrossTebFlags;
+		USHORT SpareCrossTebBits : 16;
+	};
+
+	union
+	{
+		USHORT SameTebFlags;
+
+		struct
+		{
+			USHORT SafeThunkCall : 1;
+			USHORT InDebugPrint : 1;
+			USHORT HasFiberData : 1;
+			USHORT SkipThreadAttach : 1;
+			USHORT WerInShipAssertCode : 1;
+			USHORT RanProcessInit : 1;
+			USHORT ClonedThread : 1;
+			USHORT SuppressDebugMsg : 1;
+			USHORT DisableUserStackWalk : 1;
+			USHORT RtlExceptionAttached : 1;
+			USHORT InitialThread : 1;
+			USHORT SessionAware : 1;
+			USHORT LoadOwner : 1;
+			USHORT LoaderWorker : 1;
+			USHORT SkipLoaderInit : 1;
+			USHORT SkipFileAPIBrokering : 1;
+		};
+	};
+
+	PVOID TxnScopeEnterCallback;
+	PVOID TxnScopeExitCallback;
+	PVOID TxnScopeContext;
+	ULONG LockCount;
+	LONG WowTebOffset;
+	PVOID ResourceRetValue;
+	PVOID ReservedForWdf;
+	ULONGLONG ReservedForCrt;
+	GUID EffectiveContainerId;
+	ULONGLONG LastSleepCounter; // Win11
+	ULONG SpinCallCount;
+	ULONGLONG ExtendedFeatureDisableMask;
+} TEB, * PTEB;