From 0f2aa542d6c9be197af96aa1dee1a07e5644256f Mon Sep 17 00:00:00 2001 From: dmex Date: Wed, 8 Jan 2025 13:39:11 +1100 Subject: [PATCH] Update ntpebteb.h --- phnt/include/ntpebteb.h | 684 +++++++++++++++++++++++++++++++++++----- 1 file changed, 609 insertions(+), 75 deletions(-) diff --git a/phnt/include/ntpebteb.h b/phnt/include/ntpebteb.h index 0ccaa1a5d265..e7527802b1ae 100644 --- a/phnt/include/ntpebteb.h +++ b/phnt/include/ntpebteb.h @@ -13,6 +13,7 @@ typedef struct _RTL_USER_PROCESS_PARAMETERS *PRTL_USER_PROCESS_PARAMETERS; typedef struct _RTL_CRITICAL_SECTION *PRTL_CRITICAL_SECTION; typedef struct _SILO_USER_SHARED_DATA *PSILO_USER_SHARED_DATA; typedef struct _LEAP_SECOND_DATA *PLEAP_SECOND_DATA; +typedef struct _PEB_LDR_DATA PEB_LDR_DATA, *PPEB_LDR_DATA; // PEB->AppCompatFlags #define KACF_OLDGETSHORTPATHNAME 0x00000001 @@ -207,6 +208,10 @@ typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE]; typedef ULONG GDI_HANDLE_BUFFER32[GDI_HANDLE_BUFFER_SIZE32]; typedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64]; +typedef VOID (NTAPI* PPS_POST_PROCESS_INIT_ROUTINE)( + VOID + ); + #ifndef FLS_MAXIMUM_AVAILABLE #define FLS_MAXIMUM_AVAILABLE 128 #endif @@ -217,211 +222,548 @@ typedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64]; #define TLS_EXPANSION_SLOTS 1024 #endif -// symbols +/** + * Process Environment Block (PEB) structure. + * + * \remarks https://learn.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb + */ typedef struct _PEB { + // + // The process was cloned with an inherited address space. + // BOOLEAN InheritedAddressSpace; + + // + // The process has image file execution options (IFEO). + // BOOLEAN ReadImageFileExecOptions; + + // + // The process has a debugger attached. + // BOOLEAN BeingDebugged; + union { BOOLEAN BitField; struct { - BOOLEAN ImageUsesLargePages : 1; - BOOLEAN IsProtectedProcess : 1; - BOOLEAN IsImageDynamicallyRelocated : 1; - BOOLEAN SkipPatchingUser32Forwarders : 1; - BOOLEAN IsPackagedProcess : 1; - BOOLEAN IsAppContainer : 1; - BOOLEAN IsProtectedProcessLight : 1; - BOOLEAN IsLongPathAwareProcess : 1; + BOOLEAN ImageUsesLargePages : 1; // The process uses large image regions (4 MB). + BOOLEAN IsProtectedProcess : 1; // The process is a protected process. + BOOLEAN IsImageDynamicallyRelocated : 1; // The process image base address was relocated. + BOOLEAN SkipPatchingUser32Forwarders : 1; // The process skipped forwarders for User32.dll functions. 1 for 64-bit, 0 for 32-bit. + BOOLEAN IsPackagedProcess : 1; // The process is a packaged store process (APPX/MSIX). + BOOLEAN IsAppContainer : 1; // The process has an AppContainer token. + BOOLEAN IsProtectedProcessLight : 1; // The process is a protected process (light). + BOOLEAN IsLongPathAwareProcess : 1; // The process is long path aware. }; }; + + // + // Handle to a mutex for synchronization. + // HANDLE Mutant; + // + // Pointer to the base address of the process image. + // PVOID ImageBaseAddress; + + // + // Pointer to the process loader data. + // PPEB_LDR_DATA Ldr; + + // + // Pointer to the process parameters. + // PRTL_USER_PROCESS_PARAMETERS ProcessParameters; + + // + // Reserved. + // PVOID SubSystemData; + + // + // Pointer to the process default heap. + // PVOID ProcessHeap; + + // + // Pointer to a critical section used to synchronize access to the PEB. + // PRTL_CRITICAL_SECTION FastPebLock; + + // + // Pointer to a singly linked list used by ATL. + // PSLIST_HEADER AtlThunkSListPtr; + + // + // Pointer to the Image File Execution Options key. + // PVOID IFEOKey; + // + // Cross process flags. + // union { ULONG CrossProcessFlags; struct { - ULONG ProcessInJob : 1; - ULONG ProcessInitializing : 1; - ULONG ProcessUsingVEH : 1; - ULONG ProcessUsingVCH : 1; - ULONG ProcessUsingFTH : 1; - ULONG ProcessPreviouslyThrottled : 1; - ULONG ProcessCurrentlyThrottled : 1; - ULONG ProcessImagesHotPatched : 1; // REDSTONE5 + ULONG ProcessInJob : 1; // The process is part of a job. + ULONG ProcessInitializing : 1; // The process is initializing. + ULONG ProcessUsingVEH : 1; // The process is using VEH. + ULONG ProcessUsingVCH : 1; // The process is using VCH. + ULONG ProcessUsingFTH : 1; // The process is using FTH. + ULONG ProcessPreviouslyThrottled : 1; // The process was previously throttled. + ULONG ProcessCurrentlyThrottled : 1; // The process is currently throttled. + ULONG ProcessImagesHotPatched : 1; // The process images are hot patched. // RS5 ULONG ReservedBits0 : 24; }; }; + + // + // User32 KERNEL_CALLBACK_TABLE (ntuser.h) + // union { PVOID KernelCallbackTable; PVOID UserSharedInfoPtr; }; + // + // Reserved. + // ULONG SystemReserved; + + // + // Pointer to the Active Template Library (ATL) singly linked list (32-bit) + // ULONG AtlThunkSListPtr32; + + // + // Pointer to the API Set Schema. + // PAPI_SET_NAMESPACE ApiSetMap; + + // + // Counter for TLS expansion. + // ULONG TlsExpansionCounter; + + // + // Pointer to the TLS bitmap. + // PRTL_BITMAP TlsBitmap; - ULONG TlsBitmapBits[2]; // TLS_MINIMUM_AVAILABLE + // + // Bits for the TLS bitmap. + // + ULONG TlsBitmapBits[2]; + + // + // Reserved for CSRSS. + // PVOID ReadOnlySharedMemoryBase; - PSILO_USER_SHARED_DATA SharedData; // HotpatchInformation - PVOID *ReadOnlyStaticServerData; - PVOID AnsiCodePageData; // PCPTABLEINFO - PVOID OemCodePageData; // PCPTABLEINFO - PVOID UnicodeCaseTableData; // PNLSTABLEINFO + // + // Pointer to the USER_SHARED_DATA for the current SILO. + // + PSILO_USER_SHARED_DATA SharedData; + + // + // Reserved for CSRSS. + // + PVOID* ReadOnlyStaticServerData; + + // + // Pointer to the ANSI code page data. (PCPTABLEINFO) + // + PVOID AnsiCodePageData; + + // + // Pointer to the OEM code page data. (PCPTABLEINFO) + // + PVOID OemCodePageData; + + // + // Pointer to the Unicode case table data. (PNLSTABLEINFO) + // + PVOID UnicodeCaseTableData; - // Information for LdrpInitialize + // + // The total number of system processors. + // ULONG NumberOfProcessors; + + // + // Global flags for the system. + // ULONG NtGlobalFlag; - // Passed up from MmCreatePeb from Session Manager registry key + // + // Timeout for critical sections. + // LARGE_INTEGER CriticalSectionTimeout; + + // + // Reserved size for heap segments. + // SIZE_T HeapSegmentReserve; + + // + // Committed size for heap segments. + // SIZE_T HeapSegmentCommit; + + // + // Threshold for decommitting total free heap. + // SIZE_T HeapDeCommitTotalFreeThreshold; + + // + // Threshold for decommitting free heap blocks. + // SIZE_T HeapDeCommitFreeBlockThreshold; // - // Where heap manager keeps track of all heaps created for a process - // Fields initialized by MmCreatePeb. ProcessHeaps is initialized + // Number of process heaps. + // + ULONG NumberOfHeaps; + + // + // Maximum number of process heaps. + // + ULONG MaximumNumberOfHeaps; + + // + // Pointer to an array of process heaps. ProcessHeaps is initialized // to point to the first free byte after the PEB and MaximumNumberOfHeaps // is computed from the page size used to hold the PEB, less the fixed // size of this data structure. // - ULONG NumberOfHeaps; - ULONG MaximumNumberOfHeaps; - PVOID *ProcessHeaps; // PHEAP + PVOID* ProcessHeaps; + + // + // Pointer to the system GDI shared handle table. + // + PVOID GdiSharedHandleTable; - PVOID GdiSharedHandleTable; // PGDI_SHARED_MEMORY + // + // Pointer to the process starter helper. + // PVOID ProcessStarterHelper; + + // + // The maximum number of GDI function calls during batch operations (GdiSetBatchLimit) + // ULONG GdiDCAttributeList; + // + // Pointer to the loader lock critical section. + // PRTL_CRITICAL_SECTION LoaderLock; // - // Following fields filled in by MmCreatePeb from system values and/or - // image header. + // Major version of the operating system. // ULONG OSMajorVersion; + + // + // Minor version of the operating system. + // ULONG OSMinorVersion; + + // + // Build number of the operating system. + // USHORT OSBuildNumber; + + // + // CSD version of the operating system. + // USHORT OSCSDVersion; + + // + // Platform ID of the operating system. + // ULONG OSPlatformId; + + // + // Subsystem version of the current process image (PE Headers). + // ULONG ImageSubsystem; + + // + // Major version of the current process image subsystem (PE Headers). + // ULONG ImageSubsystemMajorVersion; + + // + // Minor version of the current process image subsystem (PE Headers). + // ULONG ImageSubsystemMinorVersion; + + // + // Affinity mask for the current process. + // KAFFINITY ActiveProcessAffinityMask; + + // + // Temporary buffer for GDI handles accumulated in the current batch. + // GDI_HANDLE_BUFFER GdiHandleBuffer; - PVOID PostProcessInitRoutine; + // + // Pointer to the post-process initialization routine available for use by the application. + // + PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine; + + // + // Pointer to the TLS expansion bitmap. + // PRTL_BITMAP TlsExpansionBitmap; - ULONG TlsExpansionBitmapBits[32]; // TLS_EXPANSION_SLOTS + // + // Bits for the TLS expansion bitmap. TLS_EXPANSION_SLOTS + // + ULONG TlsExpansionBitmapBits[32]; + + // + // Session ID of the current process. + // ULONG SessionId; - ULARGE_INTEGER AppCompatFlags; // KACF_* + // + // Application compatibility flags. KACF_* + // + ULARGE_INTEGER AppCompatFlags; + + // + // Application compatibility flags. KACF_* + // ULARGE_INTEGER AppCompatFlagsUser; + + // + // Pointer to the Application SwitchBack Compatibility Engine. + // PVOID pShimData; - PVOID AppCompatInfo; // APPCOMPAT_EXE_DATA + // + // Pointer to the Application Compatibility Engine. // APPCOMPAT_EXE_DATA + // + PVOID AppCompatInfo; + + // + // CSD version string of the operating system. + // UNICODE_STRING CSDVersion; + // + // Pointer to the process activation context. + // PACTIVATION_CONTEXT_DATA ActivationContextData; + + // + // Pointer to the process assembly storage map. + // PASSEMBLY_STORAGE_MAP ProcessAssemblyStorageMap; + + // + // Pointer to the system default activation context. + // PACTIVATION_CONTEXT_DATA SystemDefaultActivationContextData; + + // + // Pointer to the system assembly storage map. + // PASSEMBLY_STORAGE_MAP SystemAssemblyStorageMap; + // + // Minimum stack commit size. + // SIZE_T MinimumStackCommit; - PVOID SparePointers[2]; // 19H1 (previously FlsCallback to FlsHighIndex) + // + // since 19H1 (previously FlsCallback to FlsHighIndex) + // + PVOID SparePointers[2]; + + // + // Pointer to the patch loader data. + // PVOID PatchLoaderData; - PVOID ChpeV2ProcessInfo; // _CHPEV2_PROCESS_INFO + // + // Pointer to the CHPE V2 process information. CHPEV2_PROCESS_INFO + // + PVOID ChpeV2ProcessInfo; + + // + // Packaged process feature state. + // ULONG AppModelFeatureState; + + // + // SpareUlongs + // ULONG SpareUlongs[2]; + // + // Active code page. + // USHORT ActiveCodePage; + + // + // OEM code page. + // USHORT OemCodePage; + + // + // Code page case mapping. + // USHORT UseCaseMapping; + + // + // Unused NLS field. + // USHORT UnusedNlsField; + // + // Pointer to the application WER registration data. + // PWER_PEB_HEADER_BLOCK WerRegistrationData; + + // + // Pointer to the application WER assert pointer. + // PVOID WerShipAssertPtr; + // + // Pointer to the EC bitmap on ARM64. (Windows 11 and above) + // union { - PVOID pContextData; // WIN7 - PVOID pUnused; // WIN10 - PVOID EcCodeBitMap; // WIN11 + PVOID pContextData; // Pointer to the switchback compatibility engine (Windows 7 and below) + PVOID EcCodeBitMap; // Pointer to the EC bitmap on ARM64 (Windows 11 and above) // since WIN11 }; + // + // Reserved. + // PVOID pImageHeaderHash; + + // + // ETW tracing flags. + // union { ULONG TracingFlags; struct { - ULONG HeapTracingEnabled : 1; - ULONG CritSecTracingEnabled : 1; - ULONG LibLoaderTracingEnabled : 1; + ULONG HeapTracingEnabled : 1; // ETW heap tracing enabled. + ULONG CritSecTracingEnabled : 1; // ETW lock tracing enabled. + ULONG LibLoaderTracingEnabled : 1; // ETW loader tracing enabled. ULONG SpareTracingBits : 29; }; }; + + // + // Reserved for CSRSS. + // ULONGLONG CsrServerReadOnlySharedMemoryBase; + + // + // Pointer to the thread pool worker list lock. + // PRTL_CRITICAL_SECTION TppWorkerpListLock; + + // + // Pointer to the thread pool worker list. + // LIST_ENTRY TppWorkerpList; + + // + // Wait on address hash table. (RtlWaitOnAddress) + // PVOID WaitOnAddressHashTable[128]; - PTELEMETRY_COVERAGE_HEADER TelemetryCoverageHeader; // REDSTONE3 + + // + // Pointer to the telemetry coverage header. // since RS3 + // + PTELEMETRY_COVERAGE_HEADER TelemetryCoverageHeader; + + // + // Cloud file flags. (ProjFs and Cloud Files) // since RS4 + // ULONG CloudFileFlags; - ULONG CloudFileDiagFlags; // REDSTONE4 + + // + // Cloud file diagnostic flags. + // + ULONG CloudFileDiagFlags; + + // + // Placeholder compatibility mode. (ProjFs and Cloud Files) + // CHAR PlaceholderCompatibilityMode; + + // + // Reserved for placeholder compatibility mode. + // CHAR PlaceholderCompatibilityModeReserved[7]; - PLEAP_SECOND_DATA LeapSecondData; // REDSTONE5 + + // + // Pointer to leap second data. // since RS5 + // + PLEAP_SECOND_DATA LeapSecondData; + + // + // Leap second flags. + // union { ULONG LeapSecondFlags; struct { - ULONG SixtySecondEnabled : 1; + ULONG SixtySecondEnabled : 1; // Leap seconds enabled. ULONG Reserved : 31; }; }; + + // + // Global flags for the process. + // ULONG NtGlobalFlag2; - ULONGLONG ExtendedFeatureDisableMask; // since WIN11 -} PEB, *PPEB; + + // + // Extended feature disable mask (AVX). // since WIN11 + // + ULONGLONG ExtendedFeatureDisableMask; +} PEB, * PPEB; #ifdef _WIN64 -C_ASSERT(FIELD_OFFSET(PEB, SessionId) == 0x2C0); -//C_ASSERT(sizeof(PEB) == 0x7B0); // REDSTONE3 -//C_ASSERT(sizeof(PEB) == 0x7B8); // REDSTONE4 -//C_ASSERT(sizeof(PEB) == 0x7C8); // REDSTONE5 // 19H1 -C_ASSERT(sizeof(PEB) == 0x7d0); // WIN11 +static_assert(FIELD_OFFSET(PEB, SessionId) == 0x2C0); +//static_assert(sizeof(PEB) == 0x7B0); // REDSTONE3 +//static_assert(sizeof(PEB) == 0x7B8); // REDSTONE4 +//static_assert(sizeof(PEB) == 0x7C8); // REDSTONE5 // 19H1 +static_assert(sizeof(PEB) == 0x7d0); // WIN11 #else -C_ASSERT(FIELD_OFFSET(PEB, SessionId) == 0x1D4); -//C_ASSERT(sizeof(PEB) == 0x468); // REDSTONE3 -//C_ASSERT(sizeof(PEB) == 0x470); // REDSTONE4 -//C_ASSERT(sizeof(PEB) == 0x480); // REDSTONE5 // 19H1 -C_ASSERT(sizeof(PEB) == 0x488); // WIN11 +static_assert(FIELD_OFFSET(PEB, SessionId) == 0x1D4); +//static_assert(sizeof(PEB) == 0x468); // REDSTONE3 +//static_assert(sizeof(PEB) == 0x470); // REDSTONE4 +//static_assert(sizeof(PEB) == 0x480); // REDSTONE5 // 19H1 +static_assert(sizeof(PEB) == 0x488); // WIN11 #endif #define GDI_BATCH_BUFFER_SIZE 310 +/** + * The GDI_TEB_BATCH structure is used to store information about GDI batch operations. + */ typedef struct _GDI_TEB_BATCH { ULONG Offset; @@ -431,12 +773,18 @@ typedef struct _GDI_TEB_BATCH #define TEB_ACTIVE_FRAME_CONTEXT_FLAG_EXTENDED (0x00000001) +/** + * The TEB_ACTIVE_FRAME_CONTEXT structure is used to store information about an active frame context. + */ typedef struct _TEB_ACTIVE_FRAME_CONTEXT { ULONG Flags; PCSTR FrameName; } TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT; +/** + * The TEB_ACTIVE_FRAME_CONTEXT_EX structure extends TEB_ACTIVE_FRAME_CONTEXT with additional information. + */ typedef struct _TEB_ACTIVE_FRAME_CONTEXT_EX { TEB_ACTIVE_FRAME_CONTEXT BasicContext; @@ -445,6 +793,9 @@ typedef struct _TEB_ACTIVE_FRAME_CONTEXT_EX #define TEB_ACTIVE_FRAME_FLAG_EXTENDED (0x00000001) +/** + * The TEB_ACTIVE_FRAME structure is used to store information about an active frame. + */ typedef struct _TEB_ACTIVE_FRAME { ULONG Flags; @@ -452,6 +803,9 @@ typedef struct _TEB_ACTIVE_FRAME PTEB_ACTIVE_FRAME_CONTEXT Context; } TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME; +/** + * The TEB_ACTIVE_FRAME_EX structure extends TEB_ACTIVE_FRAME with additional information. + */ typedef struct _TEB_ACTIVE_FRAME_EX { TEB_ACTIVE_FRAME BasicFrame; @@ -464,91 +818,195 @@ typedef struct _TEB_ACTIVE_FRAME_EX /** * Thread Environment Block (TEB) structure. * - * This structure contains information about the currently executing thread. + * \remarks https://learn.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-teb */ typedef struct _TEB { // // Thread Information Block (TIB) contains the thread's stack, base and limit addresses, the current stack pointer, and the exception list. // - NT_TIB NtTib; // - // A pointer to the environment block for the thread. + // Reserved. // - PVOID EnvironmentPointer; // // Client ID for this thread. // - CLIENT_ID ClientId; // // A handle to an active Remote Procedure Call (RPC) if the thread is currently involved in an RPC operation. // - PVOID ActiveRpcHandle; // // A pointer to the __declspec(thread) local storage array. // - PVOID ThreadLocalStoragePointer; // // A pointer to the Process Environment Block (PEB), which contains information about the process. // - PPEB ProcessEnvironmentBlock; + // + // The previous Win32 error value for this thread. + // ULONG LastErrorValue; + + // + // The number of critical sections currently owned by this thread. + // ULONG CountOfOwnedCriticalSections; + + // + // Reserved. + // PVOID CsrClientThread; + + // + // Reserved. + // PVOID Win32ThreadInfo; + + // + // Reserved. + // ULONG User32Reserved[26]; + + // + // Reserved. + // ULONG UserReserved[5]; + + // + // Reserved. + // PVOID WOW32Reserved; + + // + // The LCID of the current thread. (Kernel32!GetThreadLocale) + // LCID CurrentLocale; + + // + // Reserved. + // ULONG FpSoftwareStatusRegister; + + // + // Reserved. + // PVOID ReservedForDebuggerInstrumentation[16]; + #ifdef _WIN64 + // + // Reserved. + // PVOID SystemReserved1[25]; + // + // Per-thread fiber local storage. (Teb->HasFiberData) + // PVOID HeapFlsData; + // + // Reserved. + // ULONG_PTR RngState[4]; #else + // + // Reserved. + // PVOID SystemReserved1[26]; #endif + // + // Placeholder compatibility mode. (ProjFs and Cloud Files) + // CHAR PlaceholderCompatibilityMode; + + // + // Indicates whether placeholder hydration is always explicit. + // BOOLEAN PlaceholderHydrationAlwaysExplicit; + + // + // Reserved. + // CHAR PlaceholderReserved[10]; + // + // The process ID (PID) that the current COM server thread is acting on behalf of. + // ULONG ProxiedProcessId; + + // + // Pointer to the activation context stack for the current thread. + // ACTIVATION_CONTEXT_STACK ActivationStack; + // + // Opaque operation on behalf of another user or process. + // UCHAR WorkingOnBehalfTicket[8]; + // + // The last exception status for the current thread. + // NTSTATUS ExceptionCode; + // + // Pointer to the activation context stack for the current thread. + // PACTIVATION_CONTEXT_STACK ActivationContextStackPointer; + + // + // The stack pointer (SP) of the current system call or exception during instrumentation. + // ULONG_PTR InstrumentationCallbackSp; + + // + // The program counter (PC) of the previous system call or exception during instrumentation. + // ULONG_PTR InstrumentationCallbackPreviousPc; + + // + // The stack pointer (SP) of the previous system call or exception during instrumentation. + // ULONG_PTR InstrumentationCallbackPreviousSp; + #ifdef _WIN64 + // + // The miniversion ID of the current transacted file operation. + // ULONG TxFsContext; #endif + // + // Indicates the state of the system call or exception instrumentation callback. + // BOOLEAN InstrumentationCallbackDisabled; + #ifdef _WIN64 + // + // Indicates the state of alignment exceptions for unaligned load/store operations. + // BOOLEAN UnalignedLoadStoreExceptions; #endif + #ifndef _WIN64 + // + // SpareBytes. + // UCHAR SpareBytes[23]; + + // + // The miniversion ID of the current transacted file operation. + // ULONG TxFsContext; #endif GDI_TEB_BATCH GdiTebBatch; @@ -568,34 +1026,98 @@ typedef struct _TEB PVOID glCurrentRC; PVOID glContext; + // + // The previous status value for this thread. + // NTSTATUS LastStatusValue; + // + // A static string for use by the application. + // UNICODE_STRING StaticUnicodeString; + + // + // A static buffer for use by the application. + // WCHAR StaticUnicodeBuffer[STATIC_UNICODE_BUFFER_LENGTH]; + // + // The maximum stack size and indicates the base of the stack. + // PVOID DeallocationStack; + // + // Data for Thread Local Storage. (TlsGetValue) + // PVOID TlsSlots[TLS_MINIMUM_AVAILABLE]; + + // + // Reserved. + // LIST_ENTRY TlsLinks; + // + // Reserved for NTVDM. + // PVOID Vdm; + + // + // Reserved. + // PVOID ReservedForNtRpc; + + // + // Reserved. + // PVOID DbgSsReserved[2]; + // + // The error mode for the current thread. (GetThreadErrorMode) + // ULONG HardErrorMode; + + // + // Reserved. + // #ifdef _WIN64 PVOID Instrumentation[11]; #else PVOID Instrumentation[9]; #endif + + // + // Reserved. + // GUID ActivityId; + // + // The service creating the thread (svchost). + // PVOID SubProcessTag; + + // + // Reserved. + // PVOID PerflibData; + + // + // Reserved. + // PVOID EtwTraceData; - PVOID WinSockData; + + // + // The address of a socket handle during a blocking socket operation. (WSAStartup) + // + HANDLE WinSockData; + + // + // The number of function calls accumulated in the current GDI batch. (GdiSetBatchLimit) + // ULONG GdiBatchCount; + // + // The preferred processor for the curremt thread. (SetThreadIdealProcessor/SetThreadIdealProcessorEx) + // union { PROCESSOR_NUMBER CurrentIdealProcessor; @@ -609,9 +1131,21 @@ typedef struct _TEB }; }; + // + // The minimum size of the stack available during any stack overflow exceptions. (SetThreadStackGuarantee) + // ULONG GuaranteedStackBytes; + + // + // Reserved. + // PVOID ReservedForPerf; - PVOID ReservedForOle; // tagSOleTlsData + + // + // tagSOleTlsData. + // + PVOID ReservedForOle; + ULONG WaitingOnLoaderLock; PVOID SavedPriorityState; ULONG_PTR ReservedForCodeCoverage; @@ -683,11 +1217,11 @@ typedef struct _TEB } TEB, *PTEB; #ifdef _WIN64 -//C_ASSERT(sizeof(TEB) == 0x1850); // WIN11 -C_ASSERT(sizeof(TEB) == 0x1878); // 24H2 +//static_assert(sizeof(TEB) == 0x1850); // WIN11 +static_assert(sizeof(TEB) == 0x1878); // 24H2 #else -//C_ASSERT(sizeof(TEB) == 0x1018); // WIN11 -C_ASSERT(sizeof(TEB) == 0x1038); // 24H2 +//static_assert(sizeof(TEB) == 0x1018); // WIN11 +static_assert(sizeof(TEB) == 0x1038); // 24H2 #endif #endif