From 0306d7788bc4db9636d155a288133c75a09285be Mon Sep 17 00:00:00 2001
From: Kawe Mazidjatari <48657826+Mauler125@users.noreply.github.com>
Date: Mon, 11 Sep 2023 01:32:11 +0200
Subject: [PATCH] More reversed TEB64 structure

---
 r5dev/public/tier0/module.h | 3 ++
 r5dev/windows/tebpeb64.h | 78 ++++++++++++++++++++++++++++---------
 2 files changed, 62 insertions(+), 19 deletions(-)

diff --git a/r5dev/public/tier0/module.h b/r5dev/public/tier0/module.h
index ac5e1d0d..299b3662 100644
--- a/r5dev/public/tier0/module.h
+++ b/r5dev/public/tier0/module.h
@@ -64,6 +64,9 @@ public:
 	inline static PEB64* GetProcessEnvironmentBlock()
 	{ return reinterpret_cast(__readgsqword(0x60)); }
 
+	inline static TEB64* GetThreadEnvironmentBlock()
+	{ return reinterpret_cast(NtCurrentTeb()); }
+
 	void UnlinkFromPEB(void) const;
 
 private:
diff --git a/r5dev/windows/tebpeb64.h b/r5dev/windows/tebpeb64.h
index 634a8447..a091bac2 100644
--- a/r5dev/windows/tebpeb64.h
+++ b/r5dev/windows/tebpeb64.h
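Review bot: `GetThreadEnvironmentBlock` hands back `NtCurrentTeb()` reinterpreted as the project's reverse-engineered `TEB64`, but nothing at the accessor says that only the leading, documented part of that layout is stable, so a reader will treat every `TEB64` field as authoritative. A short comment above it would set expectations, e.g. `// Current thread's TEB viewed through the reversed TEB64 layout in tebpeb64.h; fields past the documented prefix may differ between Windows builds.` The two accessors now reach the same structures by different routes (`__readgsqword(0x60)` for the PEB, `NtCurrentTeb()` for the TEB); since the new `TEB64` carries a `PEB64* ProcessEnvironmentBlock`, the PEB getter could become `{ return GetThreadEnvironmentBlock()->ProcessEnvironmentBlock; }` so one place encodes the TEB/PEB access. The enclosing class starts and ends outside the hunk.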
@@ -246,25 +246,65 @@ struct PEB64
 //
 struct TEB64
 {
-	BYTE NtTib[56]; //0x0000 / NT_TIB64 structure
-	PTR64 EnvironmentPointer; //0x0038
+	NT_TIB64 NtTib; //0x0000
+	PVOID EnvironmentPointer; //0x0038
 	CLIENT_ID64 ClientId; //0x0040
-	PTR64 ActiveRpcHandle; //0x0050
-	PTR64 ThreadLocalStoragePointer; //0x0058
-	PTR64 ProcessEnvironmentBlock; //0x0060 / ptr to PEB64
-	DWORD LastErrorValue; //0x0068
-	DWORD CountOfOwnedCriticalSections; //0x006C
-	PTR64 CsrClientThread; //0x0070
-	PTR64 Win32ThreadInfo; //0x0078
-	DWORD User32Reserved[26]; //0x0080
-	DWORD UserReserved[6]; //0x00E8
-	PTR64 WOW32Reserved; //0x0100
-	DWORD CurrentLocale; //0x0108
-	DWORD FpSoftwareStatusRegister; //0x010C
-	PTR64 SystemReserved1[54]; //0x0110
-	DWORD ExceptionCode; //0x02C0
-	PTR64 ActivationContextStackPointer; //0x02C8
-
-}; //struct TEB64
+	PVOID ActiveRpcInfo; //0x0050
+	PVOID ThreadLocalStoragePointer; //0x0058
+	PEB64* ProcessEnvironmentBlock; //0x0060
+	ULONG LastErrorValue; //0x0068
+	ULONG CountOfOwnedCriticalSections; //0x006C
+	PVOID CsrClientThread; //0x0070
+	PVOID Win32ThreadInfo; //0x0078
+	ULONG Win32ClientInfo[0x1F]; //0x0080
+	PVOID WOW32Reserved; //0x0100
+	ULONG CurrentLocale; //0x0108
+	ULONG FpSoftwareStatusRegister; //0x010C
+	PVOID SystemReserved1[0x36]; //0x0110
+	PVOID Spare1; //0x02C0
+	ULONG ExceptionCode; //0x02C8
+	PVOID ActivationContextStackPointer; //0x02D0
+	ULONG SpareBytes1[0x26]; //0x02D8
+	PVOID SystemReserved2[0xA]; //0x0370
+	ULONG GdiRgn; //0x03C0
+	ULONG GdiPen; //0x03C4
+	ULONG GdiBrush; //0x03C8
+	CLIENT_ID64 RealClientId; //0x03D0
+	PVOID GdiCachedProcessHandle; //0x03E0
+	ULONG GdiClientPID; //0x03E8
+	ULONG GdiClientTID; //0x03EC
+	PVOID GdiThreadLocaleInfo; //0x03F0
+	PVOID UserReserved[5]; //0x03F8
+	PVOID GlDispatchTable[0x118]; //0x0420
+	ULONG GlReserved1[0x1A]; //0x0CE0
+	PVOID GlReserved2; //0x0D48
+	PVOID GlSectionInfo; //0x0D50
+	PVOID GlSection; //0x0D58
+	PVOID GlTable; //0x0D60
+	PVOID GlCurrentRC; //0x0D68
+	PVOID GlContext; //0x0D70
+	NTSTATUS LastStatusValue; //0x0D78
+	UNICODE_STRING64 StaticUnicodeString; //0x0D80
+	WCHAR StaticUnicodeBuffer[0x105]; //0x0D90
+	PVOID DeallocationStack; //0x0FA0
+	PVOID TlsSlots[0x40]; //0x0FA9
+	LIST_ENTRY TlsLinks; //0x11A8
+	PVOID Vdm; //0x11B8
+	PVOID ReservedForNtRpc; //0x11C0
+	PVOID DbgSsReserved[0x2]; //0x11C8
+	ULONG HardErrorDisabled; //0x11D8
+	PVOID Instrumentation[0x10]; //0x11E0
+	PVOID WinSockData; //0x1260
+	ULONG GdiBatchCount; //0x1268
+	ULONG Spare2; //0x126C
+	ULONG Spare3; //0x1270
+	ULONG Spare4; //0x1274
+	PVOID ReservedForOle; //0x1278
+	ULONG WaitingOnLoaderLock; //0x1280
+	PVOID StackCommit; //0x1288
+	PVOID StackCommitMax; //0x1290
+	PVOID StackReserved; //0x1298
+	PVOID TlsExpansionSlots; //0x12A0
+};
 
 #endif // TEBPEB_64_H
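Review bot: The offset comment on `TlsSlots` is wrong: `DeallocationStack` is a pointer at 0x0FA0, so the next field begins at 0x0FA8 (a pointer array cannot start at an odd address), and 0x0FA8 + 0x40 * 8 is exactly the 0x11A8 given for `TlsLinks`, so only the comment needs fixing: `PVOID TlsSlots[0x40]; //0x0FA8`. That 0x11A8 → 0x11B8 step also requires `TlsLinks` to be 16 bytes, i.e. a 64-bit list entry, yet every other embedded type here is the explicit `*64` variant (`NT_TIB64`, `CLIENT_ID64`, `UNICODE_STRING64`); `LIST_ENTRY64 TlsLinks;` would keep the struct's width independent of the build target, and the same consideration applies to the `PTR64`→`PVOID` swaps if this header is ever compiled for anything but x64. Since every offset here is a hand-maintained comment with nothing checking it, three lines after the struct such as `static_assert(offsetof(TEB64, ProcessEnvironmentBlock) == 0x60, "TEB64 layout");`, `static_assert(offsetof(TEB64, TlsSlots) == 0xFA8, "TEB64 layout");` and `static_assert(offsetof(TEB64, TlsExpansionSlots) == 0x12A0, "TEB64 layout");` (values computed from the declared types, assuming 8-byte pointers) would turn the comments into compile-time checks and catch the next drift. Past the documented prefix ending at `FpSoftwareStatusRegister` the layout is reverse-engineered and may differ between Windows builds, so a comment recording which build the fields from `Spare1` onward were taken from would help anyone relying on, say, `StaticUnicodeString` or `TlsSlots`.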