Source Code for Module winappdbg.win32.peb_teb

   1  # Copyright (c) 2009, Mario Vilas 
   2  # All rights reserved. 
   3  # 
   4  # Redistribution and use in source and binary forms, with or without 
   5  # modification, are permitted provided that the following conditions are met: 
   6  # 
   7  #     * Redistributions of source code must retain the above copyright notice, 
   8  #       this list of conditions and the following disclaimer. 
   9  #     * Redistributions in binary form must reproduce the above copyright 
  10  #       notice,this list of conditions and the following disclaimer in the 
  11  #       documentation and/or other materials provided with the distribution. 
  12  #     * Neither the name of the copyright holder nor the names of its 
  13  #       contributors may be used to endorse or promote products derived from 
  14  #       this software without specific prior written permission. 
  15  # 
  16  # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 
  17  # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
  18  # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
  19  # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 
  20  # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
  21  # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
  22  # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 
  23  # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
  24  # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
  25  # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
  26  # POSSIBILITY OF SUCH DAMAGE. 
  27   
  28  """ 
  29  Debugging API wrappers in ctypes. 
  30   
  31  @see: U{http://apps.sourceforge.net/trac/winappdbg/wiki/Win32APIWrappers} 
  32  """ 
  33   
  34  __revision__ = "$Id: peb_teb.py 462 2009-11-25 18:58:02Z qvasimodo $" 
  35   
  36  from defines import * 
  37  from version import arch, os 
  38   
  39  #--- PEB and TEB structures, constants and data types ------------------------- 
  40   
  41  # From http://www.nirsoft.net/kernel_struct/vista/CLIENT_ID.html 
  42  # 
  43  # typedef struct _CLIENT_ID 
  44  # { 
  45  #     PVOID UniqueProcess; 
  46  #     PVOID UniqueThread; 
  47  # } CLIENT_ID, *PCLIENT_ID; 
  48 -class CLIENT_ID(Structure): 
  49      _fields_ = [ 
  50          ("UniqueProcess",   PVOID), 
  51          ("UniqueThread",    PVOID), 
  52  ] 
  53   
  54  # From MSDN: 
  55  # 
  56  # typedef struct _LDR_DATA_TABLE_ENTRY { 
  57  #     BYTE Reserved1[2]; 
  58  #     LIST_ENTRY InMemoryOrderLinks; 
  59  #     PVOID Reserved2[2]; 
  60  #     PVOID DllBase; 
  61  #     PVOID EntryPoint; 
  62  #     PVOID Reserved3; 
  63  #     UNICODE_STRING FullDllName; 
  64  #     BYTE Reserved4[8]; 
  65  #     PVOID Reserved5[3]; 
  66  #     union { 
  67  #         ULONG CheckSum; 
  68  #         PVOID Reserved6; 
  69  #     }; 
  70  #     ULONG TimeDateStamp; 
  71  # } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY; 
  72  ##class LDR_DATA_TABLE_ENTRY(Structure): 
  73  ##    _fields_ = [ 
  74  ##        ("Reserved1",           BYTE * 2), 
  75  ##        ("InMemoryOrderLinks",  LIST_ENTRY), 
  76  ##        ("Reserved2",           PVOID * 2), 
  77  ##        ("DllBase",             PVOID), 
  78  ##        ("EntryPoint",          PVOID), 
  79  ##        ("Reserved3",           PVOID), 
  80  ##        ("FullDllName",           UNICODE_STRING), 
  81  ##        ("Reserved4",           BYTE * 8), 
  82  ##        ("Reserved5",           PVOID * 3), 
  83  ##        ("CheckSum",            ULONG), 
  84  ##        ("TimeDateStamp",       ULONG), 
  85  ##] 
  86   
  87  # From MSDN: 
  88  # 
  89  # typedef struct _PEB_LDR_DATA { 
  90  #   BYTE         Reserved1[8]; 
  91  #   PVOID        Reserved2[3]; 
  92  #   LIST_ENTRY   InMemoryOrderModuleList; 
  93  # } PEB_LDR_DATA, 
  94  #  *PPEB_LDR_DATA; 
  95  ##class PEB_LDR_DATA(Structure): 
  96  ##    _fields_ = [ 
  97  ##        ("Reserved1",               BYTE), 
  98  ##        ("Reserved2",               PVOID), 
  99  ##        ("InMemoryOrderModuleList", LIST_ENTRY), 
 100  ##] 
 101   
 102  # From MSDN: 
 103  # 
 104  # typedef struct _RTL_USER_PROCESS_PARAMETERS { 
 105  #   BYTE             Reserved1[16]; 
 106  #   PVOID            Reserved2[10]; 
 107  #   UNICODE_STRING   ImagePathName; 
 108  #   UNICODE_STRING   CommandLine; 
 109  # } RTL_USER_PROCESS_PARAMETERS, 
 110  #  *PRTL_USER_PROCESS_PARAMETERS; 
 111  ##class RTL_USER_PROCESS_PARAMETERS(Structure): 
 112  ##    _fields_ = [ 
 113  ##        ("Reserved1",               BYTE * 16), 
 114  ##        ("Reserved2",               PVOID * 10), 
 115  ##        ("ImagePathName",           UNICODE_STRING), 
 116  ##        ("CommandLine",             UNICODE_STRING), 
 117  ##] 
 118   
 119  PPS_POST_PROCESS_INIT_ROUTINE = PVOID 
 120   
 121  #from MSDN: 
 122  # 
 123  # typedef struct _PEB { 
 124  #     BYTE Reserved1[2]; 
 125  #     BYTE BeingDebugged; 
 126  #     BYTE Reserved2[21]; 
 127  #     PPEB_LDR_DATA LoaderData; 
 128  #     PRTL_USER_PROCESS_PARAMETERS ProcessParameters; 
 129  #     BYTE Reserved3[520]; 
 130  #     PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine; 
 131  #     BYTE Reserved4[136]; 
 132  #     ULONG SessionId; 
 133  # } PEB; 
 134  ##class PEB(Structure): 
 135  ##    _fields_ = [ 
 136  ##        ("Reserved1",               BYTE * 2), 
 137  ##        ("BeingDebugged",           BYTE), 
 138  ##        ("Reserved2",               BYTE * 21), 
 139  ##        ("LoaderData",              PVOID,    # PPEB_LDR_DATA 
 140  ##        ("ProcessParameters",       PVOID,    # PRTL_USER_PROCESS_PARAMETERS 
 141  ##        ("Reserved3",               BYTE * 520), 
 142  ##        ("PostProcessInitRoutine",  PPS_POST_PROCESS_INIT_ROUTINE), 
 143  ##        ("Reserved4",               BYTE), 
 144  ##        ("SessionId",               ULONG), 
 145  ##] 
 146   
 147  # from MSDN: 
 148  # 
 149  # typedef struct _TEB { 
 150  #   BYTE    Reserved1[1952]; 
 151  #   PVOID   Reserved2[412]; 
 152  #   PVOID   TlsSlots[64]; 
 153  #   BYTE    Reserved3[8]; 
 154  #   PVOID   Reserved4[26]; 
 155  #   PVOID   ReservedForOle; 
 156  #   PVOID   Reserved5[4]; 
 157  #   PVOID   TlsExpansionSlots; 
 158  # } TEB, 
 159  #  *PTEB; 
 160  ##class TEB(Structure): 
 161  ##    _fields_ = [ 
 162  ##        ("Reserved1",           PVOID * 1952), 
 163  ##        ("Reserved2",           PVOID * 412), 
 164  ##        ("TlsSlots",            PVOID * 64), 
 165  ##        ("Reserved3",           BYTE  * 8), 
 166  ##        ("Reserved4",           PVOID * 26), 
 167  ##        ("ReservedForOle",      PVOID), 
 168  ##        ("Reserved5",           PVOID * 4), 
 169  ##        ("TlsExpansionSlots",   PVOID), 
 170  ##] 
 171   
 172  # from http://undocumented.ntinternals.net/UserMode/Structures/LDR_MODULE.html 
 173  # 
 174  # typedef struct _LDR_MODULE { 
 175  #   LIST_ENTRY InLoadOrderModuleList; 
 176  #   LIST_ENTRY InMemoryOrderModuleList; 
 177  #   LIST_ENTRY InInitializationOrderModuleList; 
 178  #   PVOID BaseAddress; 
 179  #   PVOID EntryPoint; 
 180  #   ULONG SizeOfImage; 
 181  #   UNICODE_STRING FullDllName; 
 182  #   UNICODE_STRING BaseDllName; 
 183  #   ULONG Flags; 
 184  #   SHORT LoadCount; 
 185  #   SHORT TlsIndex; 
 186  #   LIST_ENTRY HashTableEntry; 
 187  #   ULONG TimeDateStamp; 
 188  # } LDR_MODULE, *PLDR_MODULE; 
 189 -class LDR_MODULE(Structure): 
 190      _fields_ = [ 
 191          ("InLoadOrderModuleList",           LIST_ENTRY), 
 192          ("InMemoryOrderModuleList",         LIST_ENTRY), 
 193          ("InInitializationOrderModuleList", LIST_ENTRY), 
 194          ("BaseAddress",                     PVOID), 
 195          ("EntryPoint",                      PVOID), 
 196          ("SizeOfImage",                     ULONG), 
 197          ("FullDllName",                     UNICODE_STRING), 
 198          ("BaseDllName",                     UNICODE_STRING), 
 199          ("Flags",                           ULONG), 
 200          ("LoadCount",                       SHORT), 
 201          ("TlsIndex",                        SHORT), 
 202          ("HashTableEntry",                  LIST_ENTRY), 
 203          ("TimeDateStamp",                   ULONG), 
 204  ] 
 205   
 206  # from http://undocumented.ntinternals.net/UserMode/Structures/PEB_LDR_DATA.html 
 207  # 
 208  # typedef struct _PEB_LDR_DATA { 
 209  #   ULONG Length; 
 210  #   BOOLEAN Initialized; 
 211  #   PVOID SsHandle; 
 212  #   LIST_ENTRY InLoadOrderModuleList; 
 213  #   LIST_ENTRY InMemoryOrderModuleList; 
 214  #   LIST_ENTRY InInitializationOrderModuleList; 
 215  # } PEB_LDR_DATA, *PPEB_LDR_DATA; 
 216 -class PEB_LDR_DATA(Structure): 
 217      _fields_ = [ 
 218          ("Length",                          ULONG), 
 219          ("Initialized",                     BOOLEAN), 
 220          ("SsHandle",                        PVOID), 
 221          ("InLoadOrderModuleList",           LIST_ENTRY), 
 222          ("InMemoryOrderModuleList",         LIST_ENTRY), 
 223          ("InInitializationOrderModuleList", LIST_ENTRY), 
 224  ] 
 225   
 226  # From http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Process/PEB_FREE_BLOCK.html 
 227  # 
 228  # typedef struct _PEB_FREE_BLOCK { 
 229  #   PEB_FREE_BLOCK *Next; 
 230  #   ULONG Size; 
 231  # } PEB_FREE_BLOCK, *PPEB_FREE_BLOCK; 
 232 -class PEB_FREE_BLOCK(Structure): 
 233      pass 
 234   
 235  ##PPEB_FREE_BLOCK = POINTER(PEB_FREE_BLOCK) 
 236  PPEB_FREE_BLOCK = PVOID 
 237   
 238  PEB_FREE_BLOCK._fields_ = [ 
 239          ("Next", PPEB_FREE_BLOCK), 
 240          ("Size", ULONG), 
 241  ] 
 242   
 243  # From http://undocumented.ntinternals.net/UserMode/Structures/RTL_DRIVE_LETTER_CURDIR.html 
 244  # 
 245  # typedef struct _RTL_DRIVE_LETTER_CURDIR { 
 246  #   USHORT Flags; 
 247  #   USHORT Length; 
 248  #   ULONG TimeStamp; 
 249  #   UNICODE_STRING DosPath; 
 250  # } RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR; 
 251 -class RTL_DRIVE_LETTER_CURDIR(Structure): 
 252      _fields_ = [ 
 253          ("Flags",       USHORT), 
 254          ("Length",      USHORT), 
 255          ("TimeStamp",   ULONG), 
 256          ("DosPath",     UNICODE_STRING), 
 257  ] 
 258   
 259  # From http://www.nirsoft.net/kernel_struct/vista/CURDIR.html 
 260  # 
 261  # typedef struct _CURDIR 
 262  # { 
 263  #      UNICODE_STRING DosPath; 
 264  #      PVOID Handle; 
 265  # } CURDIR, *PCURDIR; 
 266 -class CURDIR(Structure): 
 267      _fields_ = [ 
 268          ("DosPath", UNICODE_STRING), 
 269          ("Handle",  PVOID), 
 270  ] 
 271   
 272  # From MSDN: 
 273  # 
 274  # typedef struct _RTL_USER_PROCESS_PARAMETERS { 
 275  #   BYTE           Reserved1[16]; 
 276  #   PVOID          Reserved2[10]; 
 277  #   UNICODE_STRING ImagePathName; 
 278  #   UNICODE_STRING CommandLine; 
 279  # } RTL_USER_PROCESS_PARAMETERS, 
 280  # *PRTL_USER_PROCESS_PARAMETERS; 
 281 -class RTL_USER_PROCESS_PARAMETERS(Structure): 
 282      _fields_ = [ 
 283          ("Reserved1",       BYTE * 16), 
 284          ("Reserved2",       PVOID * 10), 
 285          ("ImagePathName",   UNICODE_STRING), 
 286          ("CommandLine",     UNICODE_STRING), 
 287  ] 
 288   
 289  # kd> dt _RTL_USER_PROCESS_PARAMETERS 
 290  # ntdll!_RTL_USER_PROCESS_PARAMETERS 
 291  #    +0x000 MaximumLength    : Uint4B 
 292  #    +0x004 Length           : Uint4B 
 293  #    +0x008 Flags            : Uint4B 
 294  #    +0x00c DebugFlags       : Uint4B 
 295  #    +0x010 ConsoleHandle    : Ptr32 Void 
 296  #    +0x014 ConsoleFlags     : Uint4B 
 297  #    +0x018 StandardInput    : Ptr32 Void 
 298  #    +0x01c StandardOutput   : Ptr32 Void 
 299  #    +0x020 StandardError    : Ptr32 Void 
 300  #    +0x024 CurrentDirectory : _CURDIR 
 301  #    +0x030 DllPath          : _UNICODE_STRING 
 302  #    +0x038 ImagePathName    : _UNICODE_STRING 
 303  #    +0x040 CommandLine      : _UNICODE_STRING 
 304  #    +0x048 Environment      : Ptr32 Void 
 305  #    +0x04c StartingX        : Uint4B 
 306  #    +0x050 StartingY        : Uint4B 
 307  #    +0x054 CountX           : Uint4B 
 308  #    +0x058 CountY           : Uint4B 
 309  #    +0x05c CountCharsX      : Uint4B 
 310  #    +0x060 CountCharsY      : Uint4B 
 311  #    +0x064 FillAttribute    : Uint4B 
 312  #    +0x068 WindowFlags      : Uint4B 
 313  #    +0x06c ShowWindowFlags  : Uint4B 
 314  #    +0x070 WindowTitle      : _UNICODE_STRING 
 315  #    +0x078 DesktopInfo      : _UNICODE_STRING 
 316  #    +0x080 ShellInfo        : _UNICODE_STRING 
 317  #    +0x088 RuntimeData      : _UNICODE_STRING 
 318  #    +0x090 CurrentDirectores : [32] _RTL_DRIVE_LETTER_CURDIR 
 319  #    +0x290 EnvironmentSize  : Uint4B 
 320  ##class RTL_USER_PROCESS_PARAMETERS(Structure): 
 321  ##    _fields_ = [ 
 322  ##        ("MaximumLength",           ULONG), 
 323  ##        ("Length",                  ULONG), 
 324  ##        ("Flags",                   ULONG), 
 325  ##        ("DebugFlags",              ULONG), 
 326  ##        ("ConsoleHandle",           PVOID), 
 327  ##        ("ConsoleFlags",            ULONG), 
 328  ##        ("StandardInput",           HANDLE), 
 329  ##        ("StandardOutput",          HANDLE), 
 330  ##        ("StandardError",           HANDLE), 
 331  ##        ("CurrentDirectory",        CURDIR), 
 332  ##        ("DllPath",                 UNICODE_STRING), 
 333  ##        ("ImagePathName",           UNICODE_STRING), 
 334  ##        ("CommandLine",             UNICODE_STRING), 
 335  ##        ("Environment",             PVOID), 
 336  ##        ("StartingX",               ULONG), 
 337  ##        ("StartingY",               ULONG), 
 338  ##        ("CountX",                  ULONG), 
 339  ##        ("CountY",                  ULONG), 
 340  ##        ("CountCharsX",             ULONG), 
 341  ##        ("CountCharsY",             ULONG), 
 342  ##        ("FillAttribute",           ULONG), 
 343  ##        ("WindowFlags",             ULONG), 
 344  ##        ("ShowWindowFlags",         ULONG), 
 345  ##        ("WindowTitle",             UNICODE_STRING), 
 346  ##        ("DesktopInfo",             UNICODE_STRING), 
 347  ##        ("ShellInfo",               UNICODE_STRING), 
 348  ##        ("RuntimeData",             UNICODE_STRING), 
 349  ##        ("CurrentDirectores",       RTL_DRIVE_LETTER_CURDIR * 32), # typo here? 
 350  ## 
 351  ##        # Windows 2008 and Vista 
 352  ##        ("EnvironmentSize",         ULONG), 
 353  ##] 
 354  ##    @property 
 355  ##    def CurrentDirectories(self): 
 356  ##        return self.CurrentDirectores 
 357   
 358  # From http://www.nirsoft.net/kernel_struct/vista/RTL_CRITICAL_SECTION_DEBUG.html 
 359  # 
 360  # typedef struct _RTL_CRITICAL_SECTION_DEBUG 
 361  # { 
 362  #      WORD Type; 
 363  #      WORD CreatorBackTraceIndex; 
 364  #      PRTL_CRITICAL_SECTION CriticalSection; 
 365  #      LIST_ENTRY ProcessLocksList; 
 366  #      ULONG EntryCount; 
 367  #      ULONG ContentionCount; 
 368  #      ULONG Flags; 
 369  #      WORD CreatorBackTraceIndexHigh; 
 370  #      WORD SpareUSHORT; 
 371  # } RTL_CRITICAL_SECTION_DEBUG, *PRTL_CRITICAL_SECTION_DEBUG; 
 372  # 
 373  # From http://www.nirsoft.net/kernel_struct/vista/RTL_CRITICAL_SECTION.html 
 374  # 
 375  # typedef struct _RTL_CRITICAL_SECTION 
 376  # { 
 377  #      PRTL_CRITICAL_SECTION_DEBUG DebugInfo; 
 378  #      LONG LockCount; 
 379  #      LONG RecursionCount; 
 380  #      PVOID OwningThread; 
 381  #      PVOID LockSemaphore; 
 382  #      ULONG SpinCount; 
 383  # } RTL_CRITICAL_SECTION, *PRTL_CRITICAL_SECTION; 
 384  # 
 385 -class RTL_CRITICAL_SECTION(Structure): 
 386      _fields_ = [ 
 387          ("DebugInfo",       PVOID),     # PRTL_CRITICAL_SECTION_DEBUG 
 388          ("LockCount",       LONG), 
 389          ("RecursionCount",  LONG), 
 390          ("OwningThread",    PVOID), 
 391          ("LockSemaphore",   PVOID), 
 392          ("SpinCount",       ULONG), 
 393  ] 
 394 -class RTL_CRITICAL_SECTION_DEBUG(Structure): 
 395      _fields_ = [ 
 396          ("Type",                        WORD), 
 397          ("CreatorBackTraceIndex",       WORD), 
 398          ("CriticalSection",             PVOID),         # PRTL_CRITICAL_SECTION 
 399          ("ProcessLocksList",            LIST_ENTRY), 
 400          ("EntryCount",                  ULONG), 
 401          ("ContentionCount",             ULONG), 
 402          ("Flags",                       ULONG), 
 403          ("CreatorBackTraceIndexHigh",   WORD), 
 404          ("SpareUSHORT",                 WORD), 
 405  ] 
 406  PRTL_CRITICAL_SECTION       = POINTER(RTL_CRITICAL_SECTION) 
 407  PRTL_CRITICAL_SECTION_DEBUG = POINTER(RTL_CRITICAL_SECTION_DEBUG) 
 408   
 409  PPEB_LDR_DATA                   = POINTER(PEB_LDR_DATA) 
 410  PRTL_USER_PROCESS_PARAMETERS    = POINTER(RTL_USER_PROCESS_PARAMETERS) 
 411   
 412  PPEBLOCKROUTINE                 = PVOID 
 413   
 414  # BitField 
 415  ImageUsesLargePages             = 1 << 0 
 416  IsProtectedProcess              = 1 << 1 
 417  IsLegacyProcess                 = 1 << 2 
 418  IsImageDynamicallyRelocated     = 1 << 3 
 419  SkipPatchingUser32Forwarders    = 1 << 4 
 420   
 421  # CrossProcessFlags 
 422  ProcessInJob                    = 1 << 0 
 423  ProcessInitializing             = 1 << 1 
 424  ProcessUsingVEH                 = 1 << 2 
 425  ProcessUsingVCH                 = 1 << 3 
 426  ProcessUsingFTH                 = 1 << 4 
 427   
 428  # TracingFlags 
 429  HeapTracingEnabled              = 1 << 0 
 430  CritSecTracingEnabled           = 1 << 1 
 431   
 432  # NtGlobalFlags 
 433  FLG_VALID_BITS                  = 0x003FFFFF    # not a flag 
 434  FLG_STOP_ON_EXCEPTION           = 0x00000001 
 435  FLG_SHOW_LDR_SNAPS              = 0x00000002 
 436  FLG_DEBUG_INITIAL_COMMAND       = 0x00000004 
 437  FLG_STOP_ON_HUNG_GUI            = 0x00000008 
 438  FLG_HEAP_ENABLE_TAIL_CHECK      = 0x00000010 
 439  FLG_HEAP_ENABLE_FREE_CHECK      = 0x00000020 
 440  FLG_HEAP_VALIDATE_PARAMETERS    = 0x00000040 
 441  FLG_HEAP_VALIDATE_ALL           = 0x00000080 
 442  FLG_POOL_ENABLE_TAIL_CHECK      = 0x00000100 
 443  FLG_POOL_ENABLE_FREE_CHECK      = 0x00000200 
 444  FLG_POOL_ENABLE_TAGGING         = 0x00000400 
 445  FLG_HEAP_ENABLE_TAGGING         = 0x00000800 
 446  FLG_USER_STACK_TRACE_DB         = 0x00001000 
 447  FLG_KERNEL_STACK_TRACE_DB       = 0x00002000 
 448  FLG_MAINTAIN_OBJECT_TYPELIST    = 0x00004000 
 449  FLG_HEAP_ENABLE_TAG_BY_DLL      = 0x00008000 
 450  FLG_IGNORE_DEBUG_PRIV           = 0x00010000 
 451  FLG_ENABLE_CSRDEBUG             = 0x00020000 
 452  FLG_ENABLE_KDEBUG_SYMBOL_LOAD   = 0x00040000 
 453  FLG_DISABLE_PAGE_KERNEL_STACKS  = 0x00080000 
 454  FLG_HEAP_ENABLE_CALL_TRACING    = 0x00100000 
 455  FLG_HEAP_DISABLE_COALESCING     = 0x00200000 
 456  FLG_ENABLE_CLOSE_EXCEPTION      = 0x00400000 
 457  FLG_ENABLE_EXCEPTION_LOGGING    = 0x00800000 
 458  FLG_ENABLE_HANDLE_TYPE_TAGGING  = 0x01000000 
 459  FLG_HEAP_PAGE_ALLOCS            = 0x02000000 
 460  FLG_DEBUG_WINLOGON              = 0x04000000 
 461  FLG_ENABLE_DBGPRINT_BUFFERING   = 0x08000000 
 462  FLG_EARLY_CRITICAL_SECTION_EVT  = 0x10000000 
 463  FLG_DISABLE_DLL_VERIFICATION    = 0x80000000 
 464   
 465 -class _PEB_NT(Structure): 
 466      _pack_   = 4 
 467      _fields_ = [ 
 468          ("InheritedAddressSpace",               BOOLEAN), 
 469          ("ReadImageFileExecOptions",            UCHAR), 
 470          ("BeingDebugged",                       BOOLEAN), 
 471          ("BitField",                            UCHAR), 
 472          ("Mutant",                              HANDLE), 
 473          ("ImageBaseAddress",                    PVOID), 
 474          ("Ldr",                                 PVOID), # PPEB_LDR_DATA 
 475          ("ProcessParameters",                   PVOID), # PRTL_USER_PROCESS_PARAMETERS 
 476          ("SubSystemData",                       PVOID), 
 477          ("ProcessHeap",                         PVOID), 
 478          ("FastPebLock",                         PVOID), 
 479          ("FastPebLockRoutine",                  PVOID), # PPEBLOCKROUTINE 
 480          ("FastPebUnlockRoutine",                PVOID), # PPEBLOCKROUTINE 
 481          ("EnvironmentUpdateCount",              ULONG), 
 482          ("KernelCallbackTable",                 PVOID), # Ptr32 Ptr32 Void 
 483          ("EventLogSection",                     PVOID), 
 484          ("EventLog",                            PVOID), 
 485          ("FreeList",                            PVOID), # PPEB_FREE_BLOCK 
 486          ("TlsExpansionCounter",                 ULONG), 
 487          ("TlsBitmap",                           PVOID), 
 488          ("TlsBitmapBits",                       ULONG * 2), 
 489          ("ReadOnlySharedMemoryBase",            PVOID), 
 490          ("ReadOnlySharedMemoryHeap",            PVOID), 
 491          ("ReadOnlyStaticServerData",            PVOID), # Ptr32 Ptr32 Void 
 492          ("AnsiCodePageData",                    PVOID), 
 493          ("OemCodePageData",                     PVOID), 
 494          ("UnicodeCaseTableData",                PVOID), 
 495          ("NumberOfProcessors",                  ULONG), 
 496          ("NtGlobalFlag",                        ULONG), 
 497          ("Spare2",                              BYTE * 4), 
 498          ("CriticalSectionTimeout",              LONGLONG),  # LARGE_INTEGER 
 499          ("HeapSegmentReserve",                  ULONG), 
 500          ("HeapSegmentCommit",                   ULONG), 
 501          ("HeapDeCommitTotalFreeThreshold",      ULONG), 
 502          ("HeapDeCommitFreeBlockThreshold",      ULONG), 
 503          ("NumberOfHeaps",                       ULONG), 
 504          ("MaximumNumberOfHeaps",                ULONG), 
 505          ("ProcessHeaps",                        PVOID), # Ptr32 Ptr32 Void 
 506          ("GdiSharedHandleTable",                PVOID), 
 507          ("ProcessStarterHelper",                PVOID), 
 508          ("GdiDCAttributeList",                  PVOID), 
 509          ("LoaderLock",                          PVOID), # PRTL_CRITICAL_SECTION 
 510          ("OSMajorVersion",                      ULONG), 
 511          ("OSMinorVersion",                      ULONG), 
 512          ("OSBuildNumber",                       ULONG), 
 513          ("OSPlatformId",                        ULONG), 
 514          ("ImageSubSystem",                      ULONG), 
 515          ("ImageSubSystemMajorVersion",          ULONG), 
 516          ("ImageSubSystemMinorVersion",          ULONG), 
 517          ("ImageProcessAffinityMask",            ULONG), 
 518          ("GdiHandleBuffer",                     ULONG * 34), 
 519          ("PostProcessInitRoutine",              PPS_POST_PROCESS_INIT_ROUTINE), 
 520          ("TlsExpansionBitmap",                  ULONG), 
 521          ("TlsExpansionBitmapBits",              BYTE * 128), 
 522          ("SessionId",                           ULONG), 
 523      ] 
 524   
 525  # not really, but "dt _PEB" in w2k isn't working for me :( 
 526  _PEB_2000 = _PEB_NT 
 527   
 528  #    +0x000 InheritedAddressSpace : UChar 
 529  #    +0x001 ReadImageFileExecOptions : UChar 
 530  #    +0x002 BeingDebugged    : UChar 
 531  #    +0x003 SpareBool        : UChar 
 532  #    +0x004 Mutant           : Ptr32 Void 
 533  #    +0x008 ImageBaseAddress : Ptr32 Void 
 534  #    +0x00c Ldr              : Ptr32 _PEB_LDR_DATA 
 535  #    +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS 
 536  #    +0x014 SubSystemData    : Ptr32 Void 
 537  #    +0x018 ProcessHeap      : Ptr32 Void 
 538  #    +0x01c FastPebLock      : Ptr32 _RTL_CRITICAL_SECTION 
 539  #    +0x020 FastPebLockRoutine : Ptr32 Void 
 540  #    +0x024 FastPebUnlockRoutine : Ptr32 Void 
 541  #    +0x028 EnvironmentUpdateCount : Uint4B 
 542  #    +0x02c KernelCallbackTable : Ptr32 Void 
 543  #    +0x030 SystemReserved   : [1] Uint4B 
 544  #    +0x034 AtlThunkSListPtr32 : Uint4B 
 545  #    +0x038 FreeList         : Ptr32 _PEB_FREE_BLOCK 
 546  #    +0x03c TlsExpansionCounter : Uint4B 
 547  #    +0x040 TlsBitmap        : Ptr32 Void 
 548  #    +0x044 TlsBitmapBits    : [2] Uint4B 
 549  #    +0x04c ReadOnlySharedMemoryBase : Ptr32 Void 
 550  #    +0x050 ReadOnlySharedMemoryHeap : Ptr32 Void 
 551  #    +0x054 ReadOnlyStaticServerData : Ptr32 Ptr32 Void 
 552  #    +0x058 AnsiCodePageData : Ptr32 Void 
 553  #    +0x05c OemCodePageData  : Ptr32 Void 
 554  #    +0x060 UnicodeCaseTableData : Ptr32 Void 
 555  #    +0x064 NumberOfProcessors : Uint4B 
 556  #    +0x068 NtGlobalFlag     : Uint4B 
 557  #    +0x070 CriticalSectionTimeout : _LARGE_INTEGER 
 558  #    +0x078 HeapSegmentReserve : Uint4B 
 559  #    +0x07c HeapSegmentCommit : Uint4B 
 560  #    +0x080 HeapDeCommitTotalFreeThreshold : Uint4B 
 561  #    +0x084 HeapDeCommitFreeBlockThreshold : Uint4B 
 562  #    +0x088 NumberOfHeaps    : Uint4B 
 563  #    +0x08c MaximumNumberOfHeaps : Uint4B 
 564  #    +0x090 ProcessHeaps     : Ptr32 Ptr32 Void 
 565  #    +0x094 GdiSharedHandleTable : Ptr32 Void 
 566  #    +0x098 ProcessStarterHelper : Ptr32 Void 
 567  #    +0x09c GdiDCAttributeList : Uint4B 
 568  #    +0x0a0 LoaderLock       : Ptr32 Void 
 569  #    +0x0a4 OSMajorVersion   : Uint4B 
 570  #    +0x0a8 OSMinorVersion   : Uint4B 
 571  #    +0x0ac OSBuildNumber    : Uint2B 
 572  #    +0x0ae OSCSDVersion     : Uint2B 
 573  #    +0x0b0 OSPlatformId     : Uint4B 
 574  #    +0x0b4 ImageSubsystem   : Uint4B 
 575  #    +0x0b8 ImageSubsystemMajorVersion : Uint4B 
 576  #    +0x0bc ImageSubsystemMinorVersion : Uint4B 
 577  #    +0x0c0 ImageProcessAffinityMask : Uint4B 
 578  #    +0x0c4 GdiHandleBuffer  : [34] Uint4B 
 579  #    +0x14c PostProcessInitRoutine : Ptr32     void 
 580  #    +0x150 TlsExpansionBitmap : Ptr32 Void 
 581  #    +0x154 TlsExpansionBitmapBits : [32] Uint4B 
 582  #    +0x1d4 SessionId        : Uint4B 
 583  #    +0x1d8 AppCompatFlags   : _ULARGE_INTEGER 
 584  #    +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER 
 585  #    +0x1e8 pShimData        : Ptr32 Void 
 586  #    +0x1ec AppCompatInfo    : Ptr32 Void 
 587  #    +0x1f0 CSDVersion       : _UNICODE_STRING 
 588  #    +0x1f8 ActivationContextData : Ptr32 Void 
 589  #    +0x1fc ProcessAssemblyStorageMap : Ptr32 Void 
 590  #    +0x200 SystemDefaultActivationContextData : Ptr32 Void 
 591  #    +0x204 SystemAssemblyStorageMap : Ptr32 Void 
 592  #    +0x208 MinimumStackCommit : Uint4B 
 593 -class _PEB_XP(Structure): 
 594      _pack_   = 8 
 595      _fields_ = [ 
 596          ("InheritedAddressSpace",               BOOLEAN), 
 597          ("ReadImageFileExecOptions",            UCHAR), 
 598          ("BeingDebugged",                       BOOLEAN), 
 599          ("SpareBool",                           UCHAR), 
 600          ("Mutant",                              HANDLE), 
 601          ("ImageBaseAddress",                    PVOID), 
 602          ("Ldr",                                 PVOID), # PPEB_LDR_DATA 
 603          ("ProcessParameters",                   PVOID), # PRTL_USER_PROCESS_PARAMETERS 
 604          ("SubSystemData",                       PVOID), 
 605          ("ProcessHeap",                         PVOID), 
 606          ("FastPebLock",                         PVOID), 
 607          ("FastPebLockRoutine",                  PVOID), 
 608          ("FastPebUnlockRoutine",                PVOID), 
 609          ("EnvironmentUpdateCount",              DWORD), 
 610          ("KernelCallbackTable",                 PVOID), 
 611          ("SystemReserved",                      DWORD), 
 612          ("AtlThunkSListPtr32",                  DWORD), 
 613          ("FreeList",                            PVOID), # PPEB_FREE_BLOCK 
 614          ("TlsExpansionCounter",                 DWORD), 
 615          ("TlsBitmap",                           PVOID), 
 616          ("TlsBitmapBits",                       DWORD * 2), 
 617          ("ReadOnlySharedMemoryBase",            PVOID), 
 618          ("ReadOnlySharedMemoryHeap",            PVOID), 
 619          ("ReadOnlyStaticServerData",            PVOID), # Ptr32 Ptr32 Void 
 620          ("AnsiCodePageData",                    PVOID), 
 621          ("OemCodePageData",                     PVOID), 
 622          ("UnicodeCaseTableData",                PVOID), 
 623          ("NumberOfProcessors",                  DWORD), 
 624          ("NtGlobalFlag",                        DWORD), 
 625          ("CriticalSectionTimeout",              LONGLONG),  # LARGE_INTEGER 
 626          ("HeapSegmentReserve",                  DWORD), 
 627          ("HeapSegmentCommit",                   DWORD), 
 628          ("HeapDeCommitTotalFreeThreshold",      DWORD), 
 629          ("HeapDeCommitFreeBlockThreshold",      DWORD), 
 630          ("NumberOfHeaps",                       DWORD), 
 631          ("MaximumNumberOfHeaps",                DWORD), 
 632          ("ProcessHeaps",                        PVOID), # Ptr32 Ptr32 Void 
 633          ("GdiSharedHandleTable",                PVOID), 
 634          ("ProcessStarterHelper",                PVOID), 
 635          ("GdiDCAttributeList",                  DWORD), 
 636          ("LoaderLock",                          PVOID), # PRTL_CRITICAL_SECTION 
 637          ("OSMajorVersion",                      DWORD), 
 638          ("OSMinorVersion",                      DWORD), 
 639          ("OSBuildNumber",                       WORD), 
 640          ("OSCSDVersion",                        WORD), 
 641          ("OSPlatformId",                        DWORD), 
 642          ("ImageSubsystem",                      DWORD), 
 643          ("ImageSubsystemMajorVersion",          DWORD), 
 644          ("ImageSubsystemMinorVersion",          DWORD), 
 645          ("ImageProcessAffinityMask",            DWORD), 
 646          ("GdiHandleBuffer",                     DWORD * 34), 
 647          ("PostProcessInitRoutine",              PPS_POST_PROCESS_INIT_ROUTINE), 
 648          ("TlsExpansionBitmap",                  PVOID), 
 649          ("TlsExpansionBitmapBits",              DWORD * 32), 
 650          ("SessionId",                           DWORD), 
 651          ("AppCompatFlags",                      ULONGLONG), # ULARGE_INTEGER 
 652          ("AppCompatFlagsUser",                  ULONGLONG), # ULARGE_INTEGER 
 653          ("pShimData",                           PVOID), 
 654          ("AppCompatInfo",                       PVOID), 
 655          ("CSDVersion",                          UNICODE_STRING), 
 656          ("ActivationContextData",               PVOID), # ACTIVATION_CONTEXT_DATA 
 657          ("ProcessAssemblyStorageMap",           PVOID), # ASSEMBLY_STORAGE_MAP 
 658          ("SystemDefaultActivationContextData",  PVOID), # ACTIVATION_CONTEXT_DATA 
 659          ("SystemAssemblyStorageMap",            PVOID), # ASSEMBLY_STORAGE_MAP 
 660          ("MinimumStackCommit",                  DWORD), 
 661      ] 
 662   
 663  #    +0x000 InheritedAddressSpace : UChar 
 664  #    +0x001 ReadImageFileExecOptions : UChar 
 665  #    +0x002 BeingDebugged    : UChar 
 666  #    +0x003 BitField         : UChar 
 667  #    +0x003 ImageUsesLargePages : Pos 0, 1 Bit 
 668  #    +0x003 SpareBits        : Pos 1, 7 Bits 
 669  #    +0x008 Mutant           : Ptr64 Void 
 670  #    +0x010 ImageBaseAddress : Ptr64 Void 
 671  #    +0x018 Ldr              : Ptr64 _PEB_LDR_DATA 
 672  #    +0x020 ProcessParameters : Ptr64 _RTL_USER_PROCESS_PARAMETERS 
 673  #    +0x028 SubSystemData    : Ptr64 Void 
 674  #    +0x030 ProcessHeap      : Ptr64 Void 
 675  #    +0x038 FastPebLock      : Ptr64 _RTL_CRITICAL_SECTION 
 676  #    +0x040 AtlThunkSListPtr : Ptr64 Void 
 677  #    +0x048 SparePtr2        : Ptr64 Void 
 678  #    +0x050 EnvironmentUpdateCount : Uint4B 
 679  #    +0x058 KernelCallbackTable : Ptr64 Void 
 680  #    +0x060 SystemReserved   : [1] Uint4B 
 681  #    +0x064 SpareUlong       : Uint4B 
 682  #    +0x068 FreeList         : Ptr64 _PEB_FREE_BLOCK 
 683  #    +0x070 TlsExpansionCounter : Uint4B 
 684  #    +0x078 TlsBitmap        : Ptr64 Void 
 685  #    +0x080 TlsBitmapBits    : [2] Uint4B 
 686  #    +0x088 ReadOnlySharedMemoryBase : Ptr64 Void 
 687  #    +0x090 ReadOnlySharedMemoryHeap : Ptr64 Void 
 688  #    +0x098 ReadOnlyStaticServerData : Ptr64 Ptr64 Void 
 689  #    +0x0a0 AnsiCodePageData : Ptr64 Void 
 690  #    +0x0a8 OemCodePageData  : Ptr64 Void 
 691  #    +0x0b0 UnicodeCaseTableData : Ptr64 Void 
 692  #    +0x0b8 NumberOfProcessors : Uint4B 
 693  #    +0x0bc NtGlobalFlag     : Uint4B 
 694  #    +0x0c0 CriticalSectionTimeout : _LARGE_INTEGER 
 695  #    +0x0c8 HeapSegmentReserve : Uint8B 
 696  #    +0x0d0 HeapSegmentCommit : Uint8B 
 697  #    +0x0d8 HeapDeCommitTotalFreeThreshold : Uint8B 
 698  #    +0x0e0 HeapDeCommitFreeBlockThreshold : Uint8B 
 699  #    +0x0e8 NumberOfHeaps    : Uint4B 
 700  #    +0x0ec MaximumNumberOfHeaps : Uint4B 
 701  #    +0x0f0 ProcessHeaps     : Ptr64 Ptr64 Void 
 702  #    +0x0f8 GdiSharedHandleTable : Ptr64 Void 
 703  #    +0x100 ProcessStarterHelper : Ptr64 Void 
 704  #    +0x108 GdiDCAttributeList : Uint4B 
 705  #    +0x110 LoaderLock       : Ptr64 _RTL_CRITICAL_SECTION 
 706  #    +0x118 OSMajorVersion   : Uint4B 
 707  #    +0x11c OSMinorVersion   : Uint4B 
 708  #    +0x120 OSBuildNumber    : Uint2B 
 709  #    +0x122 OSCSDVersion     : Uint2B 
 710  #    +0x124 OSPlatformId     : Uint4B 
 711  #    +0x128 ImageSubsystem   : Uint4B 
 712  #    +0x12c ImageSubsystemMajorVersion : Uint4B 
 713  #    +0x130 ImageSubsystemMinorVersion : Uint4B 
 714  #    +0x138 ImageProcessAffinityMask : Uint8B 
 715  #    +0x140 GdiHandleBuffer  : [60] Uint4B 
 716  #    +0x230 PostProcessInitRoutine : Ptr64     void 
 717  #    +0x238 TlsExpansionBitmap : Ptr64 Void 
 718  #    +0x240 TlsExpansionBitmapBits : [32] Uint4B 
 719  #    +0x2c0 SessionId        : Uint4B 
 720  #    +0x2c8 AppCompatFlags   : _ULARGE_INTEGER 
 721  #    +0x2d0 AppCompatFlagsUser : _ULARGE_INTEGER 
 722  #    +0x2d8 pShimData        : Ptr64 Void 
 723  #    +0x2e0 AppCompatInfo    : Ptr64 Void 
 724  #    +0x2e8 CSDVersion       : _UNICODE_STRING 
 725  #    +0x2f8 ActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA 
 726  #    +0x300 ProcessAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP 
 727  #    +0x308 SystemDefaultActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA 
 728  #    +0x310 SystemAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP 
 729  #    +0x318 MinimumStackCommit : Uint8B 
 730  #    +0x320 FlsCallback      : Ptr64 Ptr64 Void 
 731  #    +0x328 FlsListHead      : _LIST_ENTRY 
 732  #    +0x338 FlsBitmap        : Ptr64 Void 
 733  #    +0x340 FlsBitmapBits    : [4] Uint4B 
 734  #    +0x350 FlsHighIndex     : Uint4B 
 735 -class _PEB_XP_64(Structure): 
 736      _pack_   = 8 
 737      _fields_ = [ 
 738          ("InheritedAddressSpace",               BOOLEAN), 
 739          ("ReadImageFileExecOptions",            UCHAR), 
 740          ("BeingDebugged",                       BOOLEAN), 
 741          ("BitField",                            UCHAR), 
 742          ("Mutant",                              HANDLE), 
 743          ("ImageBaseAddress",                    PVOID), 
 744          ("Ldr",                                 PVOID), # PPEB_LDR_DATA 
 745          ("ProcessParameters",                   PVOID), # PRTL_USER_PROCESS_PARAMETERS 
 746          ("SubSystemData",                       PVOID), 
 747          ("ProcessHeap",                         PVOID), 
 748          ("FastPebLock",                         PVOID), # PRTL_CRITICAL_SECTION 
 749          ("AtlThunkSListPtr",                    PVOID), 
 750          ("SparePtr2",                           PVOID), 
 751          ("EnvironmentUpdateCount",              DWORD), 
 752          ("KernelCallbackTable",                 PVOID), 
 753          ("SystemReserved",                      DWORD), 
 754          ("SpareUlong",                          DWORD), 
 755          ("FreeList",                            PVOID), # PPEB_FREE_BLOCK 
 756          ("TlsExpansionCounter",                 DWORD), 
 757          ("TlsBitmap",                           PVOID), 
 758          ("TlsBitmapBits",                       DWORD * 2), 
 759          ("ReadOnlySharedMemoryBase",            PVOID), 
 760          ("ReadOnlySharedMemoryHeap",            PVOID), 
 761          ("ReadOnlyStaticServerData",            PVOID), # Ptr64 Ptr64 Void 
 762          ("AnsiCodePageData",                    PVOID), 
 763          ("OemCodePageData",                     PVOID), 
 764          ("UnicodeCaseTableData",                PVOID), 
 765          ("NumberOfProcessors",                  DWORD), 
 766          ("NtGlobalFlag",                        DWORD), 
 767          ("CriticalSectionTimeout",              LONGLONG),  # LARGE_INTEGER 
 768          ("HeapSegmentReserve",                  QWORD), 
 769          ("HeapSegmentCommit",                   QWORD), 
 770          ("HeapDeCommitTotalFreeThreshold",      QWORD), 
 771          ("HeapDeCommitFreeBlockThreshold",      QWORD), 
 772          ("NumberOfHeaps",                       DWORD), 
 773          ("MaximumNumberOfHeaps",                DWORD), 
 774          ("ProcessHeaps",                        PVOID), # Ptr64 Ptr64 Void 
 775          ("GdiSharedHandleTable",                PVOID), 
 776          ("ProcessStarterHelper",                PVOID), 
 777          ("GdiDCAttributeList",                  DWORD), 
 778          ("LoaderLock",                          PVOID), # PRTL_CRITICAL_SECTION 
 779          ("OSMajorVersion",                      DWORD), 
 780          ("OSMinorVersion",                      DWORD), 
 781          ("OSBuildNumber",                       WORD), 
 782          ("OSCSDVersion",                        WORD), 
 783          ("OSPlatformId",                        DWORD), 
 784          ("ImageSubsystem",                      DWORD), 
 785          ("ImageSubsystemMajorVersion",          DWORD), 
 786          ("ImageSubsystemMinorVersion",          DWORD), 
 787          ("ImageProcessAffinityMask",            QWORD), 
 788          ("GdiHandleBuffer",                     DWORD * 60), 
 789          ("PostProcessInitRoutine",              PPS_POST_PROCESS_INIT_ROUTINE), 
 790          ("TlsExpansionBitmap",                  PVOID), 
 791          ("TlsExpansionBitmapBits",              DWORD * 32), 
 792          ("SessionId",                           DWORD), 
 793          ("AppCompatFlags",                      ULONGLONG), # ULARGE_INTEGER 
 794          ("AppCompatFlagsUser",                  ULONGLONG), # ULARGE_INTEGER 
 795          ("pShimData",                           PVOID), 
 796          ("AppCompatInfo",                       PVOID), 
 797          ("CSDVersion",                          UNICODE_STRING), 
 798          ("ActivationContextData",               PVOID), # ACTIVATION_CONTEXT_DATA 
 799          ("ProcessAssemblyStorageMap",           PVOID), # ASSEMBLY_STORAGE_MAP 
 800          ("SystemDefaultActivationContextData",  PVOID), # ACTIVATION_CONTEXT_DATA 
 801          ("SystemAssemblyStorageMap",            PVOID), # ASSEMBLY_STORAGE_MAP 
 802          ("MinimumStackCommit",                  QWORD), 
 803          ("FlsCallback",                         PVOID), # Ptr64 Ptr64 Void 
 804          ("FlsListHead",                         LIST_ENTRY), 
 805          ("FlsBitmap",                           PVOID), 
 806          ("FlsBitmapBits",                       DWORD * 4), 
 807          ("FlsHighIndex",                        DWORD), 
 808      ] 
 809   
 810  #    +0x000 InheritedAddressSpace : UChar 
 811  #    +0x001 ReadImageFileExecOptions : UChar 
 812  #    +0x002 BeingDebugged    : UChar 
 813  #    +0x003 BitField         : UChar 
 814  #    +0x003 ImageUsesLargePages : Pos 0, 1 Bit 
 815  #    +0x003 SpareBits        : Pos 1, 7 Bits 
 816  #    +0x004 Mutant           : Ptr32 Void 
 817  #    +0x008 ImageBaseAddress : Ptr32 Void 
 818  #    +0x00c Ldr              : Ptr32 _PEB_LDR_DATA 
 819  #    +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS 
 820  #    +0x014 SubSystemData    : Ptr32 Void 
 821  #    +0x018 ProcessHeap      : Ptr32 Void 
 822  #    +0x01c FastPebLock      : Ptr32 _RTL_CRITICAL_SECTION 
 823  #    +0x020 AtlThunkSListPtr : Ptr32 Void 
 824  #    +0x024 SparePtr2        : Ptr32 Void 
 825  #    +0x028 EnvironmentUpdateCount : Uint4B 
 826  #    +0x02c KernelCallbackTable : Ptr32 Void 
 827  #    +0x030 SystemReserved   : [1] Uint4B 
 828  #    +0x034 SpareUlong       : Uint4B 
 829  #    +0x038 FreeList         : Ptr32 _PEB_FREE_BLOCK 
 830  #    +0x03c TlsExpansionCounter : Uint4B 
 831  #    +0x040 TlsBitmap        : Ptr32 Void 
 832  #    +0x044 TlsBitmapBits    : [2] Uint4B 
 833  #    +0x04c ReadOnlySharedMemoryBase : Ptr32 Void 
 834  #    +0x050 ReadOnlySharedMemoryHeap : Ptr32 Void 
 835  #    +0x054 ReadOnlyStaticServerData : Ptr32 Ptr32 Void 
 836  #    +0x058 AnsiCodePageData : Ptr32 Void 
 837  #    +0x05c OemCodePageData  : Ptr32 Void 
 838  #    +0x060 UnicodeCaseTableData : Ptr32 Void 
 839  #    +0x064 NumberOfProcessors : Uint4B 
 840  #    +0x068 NtGlobalFlag     : Uint4B 
 841  #    +0x070 CriticalSectionTimeout : _LARGE_INTEGER 
 842  #    +0x078 HeapSegmentReserve : Uint4B 
 843  #    +0x07c HeapSegmentCommit : Uint4B 
 844  #    +0x080 HeapDeCommitTotalFreeThreshold : Uint4B 
 845  #    +0x084 HeapDeCommitFreeBlockThreshold : Uint4B 
 846  #    +0x088 NumberOfHeaps    : Uint4B 
 847  #    +0x08c MaximumNumberOfHeaps : Uint4B 
 848  #    +0x090 ProcessHeaps     : Ptr32 Ptr32 Void 
 849  #    +0x094 GdiSharedHandleTable : Ptr32 Void 
 850  #    +0x098 ProcessStarterHelper : Ptr32 Void 
 851  #    +0x09c GdiDCAttributeList : Uint4B 
 852  #    +0x0a0 LoaderLock       : Ptr32 _RTL_CRITICAL_SECTION 
 853  #    +0x0a4 OSMajorVersion   : Uint4B 
 854  #    +0x0a8 OSMinorVersion   : Uint4B 
 855  #    +0x0ac OSBuildNumber    : Uint2B 
 856  #    +0x0ae OSCSDVersion     : Uint2B 
 857  #    +0x0b0 OSPlatformId     : Uint4B 
 858  #    +0x0b4 ImageSubsystem   : Uint4B 
 859  #    +0x0b8 ImageSubsystemMajorVersion : Uint4B 
 860  #    +0x0bc ImageSubsystemMinorVersion : Uint4B 
 861  #    +0x0c0 ImageProcessAffinityMask : Uint4B 
 862  #    +0x0c4 GdiHandleBuffer  : [34] Uint4B 
 863  #    +0x14c PostProcessInitRoutine : Ptr32     void 
 864  #    +0x150 TlsExpansionBitmap : Ptr32 Void 
 865  #    +0x154 TlsExpansionBitmapBits : [32] Uint4B 
 866  #    +0x1d4 SessionId        : Uint4B 
 867  #    +0x1d8 AppCompatFlags   : _ULARGE_INTEGER 
 868  #    +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER 
 869  #    +0x1e8 pShimData        : Ptr32 Void 
 870  #    +0x1ec AppCompatInfo    : Ptr32 Void 
 871  #    +0x1f0 CSDVersion       : _UNICODE_STRING 
 872  #    +0x1f8 ActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA 
 873  #    +0x1fc ProcessAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP 
 874  #    +0x200 SystemDefaultActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA 
 875  #    +0x204 SystemAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP 
 876  #    +0x208 MinimumStackCommit : Uint4B 
 877  #    +0x20c FlsCallback      : Ptr32 Ptr32 Void 
 878  #    +0x210 FlsListHead      : _LIST_ENTRY 
 879  #    +0x218 FlsBitmap        : Ptr32 Void 
 880  #    +0x21c FlsBitmapBits    : [4] Uint4B 
 881  #    +0x22c FlsHighIndex     : Uint4B 
 882 -class _PEB_2003(Structure): 
 883      _pack_   = 8 
 884      _fields_ = [ 
 885          ("InheritedAddressSpace",               BOOLEAN), 
 886          ("ReadImageFileExecOptions",            UCHAR), 
 887          ("BeingDebugged",                       BOOLEAN), 
 888          ("BitField",                            UCHAR), 
 889          ("Mutant",                              HANDLE), 
 890          ("ImageBaseAddress",                    PVOID), 
 891          ("Ldr",                                 PVOID), # PPEB_LDR_DATA 
 892          ("ProcessParameters",                   PVOID), # PRTL_USER_PROCESS_PARAMETERS 
 893          ("SubSystemData",                       PVOID), 
 894          ("ProcessHeap",                         PVOID), 
 895          ("FastPebLock",                         PVOID), # PRTL_CRITICAL_SECTION 
 896          ("AtlThunkSListPtr",                    PVOID), 
 897          ("SparePtr2",                           PVOID), 
 898          ("EnvironmentUpdateCount",              DWORD), 
 899          ("KernelCallbackTable",                 PVOID), 
 900          ("SystemReserved",                      DWORD), 
 901          ("SpareUlong",                          DWORD), 
 902          ("FreeList",                            PVOID), # PPEB_FREE_BLOCK 
 903          ("TlsExpansionCounter",                 DWORD), 
 904          ("TlsBitmap",                           PVOID), 
 905          ("TlsBitmapBits",                       DWORD * 2), 
 906          ("ReadOnlySharedMemoryBase",            PVOID), 
 907          ("ReadOnlySharedMemoryHeap",            PVOID), 
 908          ("ReadOnlyStaticServerData",            PVOID), # Ptr32 Ptr32 Void 
 909          ("AnsiCodePageData",                    PVOID), 
 910          ("OemCodePageData",                     PVOID), 
 911          ("UnicodeCaseTableData",                PVOID), 
 912          ("NumberOfProcessors",                  DWORD), 
 913          ("NtGlobalFlag",                        DWORD), 
 914          ("CriticalSectionTimeout",              LONGLONG),  # LARGE_INTEGER 
 915          ("HeapSegmentReserve",                  DWORD), 
 916          ("HeapSegmentCommit",                   DWORD), 
 917          ("HeapDeCommitTotalFreeThreshold",      DWORD), 
 918          ("HeapDeCommitFreeBlockThreshold",      DWORD), 
 919          ("NumberOfHeaps",                       DWORD), 
 920          ("MaximumNumberOfHeaps",                DWORD), 
 921          ("ProcessHeaps",                        PVOID), # Ptr32 Ptr32 Void 
 922          ("GdiSharedHandleTable",                PVOID), 
 923          ("ProcessStarterHelper",                PVOID), 
 924          ("GdiDCAttributeList",                  DWORD), 
 925          ("LoaderLock",                          PVOID), # PRTL_CRITICAL_SECTION 
 926          ("OSMajorVersion",                      DWORD), 
 927          ("OSMinorVersion",                      DWORD), 
 928          ("OSBuildNumber",                       WORD), 
 929          ("OSCSDVersion",                        WORD), 
 930          ("OSPlatformId",                        DWORD), 
 931          ("ImageSubsystem",                      DWORD), 
 932          ("ImageSubsystemMajorVersion",          DWORD), 
 933          ("ImageSubsystemMinorVersion",          DWORD), 
 934          ("ImageProcessAffinityMask",            DWORD), 
 935          ("GdiHandleBuffer",                     DWORD * 34), 
 936          ("PostProcessInitRoutine",              PPS_POST_PROCESS_INIT_ROUTINE), 
 937          ("TlsExpansionBitmap",                  PVOID), 
 938          ("TlsExpansionBitmapBits",              DWORD * 32), 
 939          ("SessionId",                           DWORD), 
 940          ("AppCompatFlags",                      ULONGLONG), # ULARGE_INTEGER 
 941          ("AppCompatFlagsUser",                  ULONGLONG), # ULARGE_INTEGER 
 942          ("pShimData",                           PVOID), 
 943          ("AppCompatInfo",                       PVOID), 
 944          ("CSDVersion",                          UNICODE_STRING), 
 945          ("ActivationContextData",               PVOID), # ACTIVATION_CONTEXT_DATA 
 946          ("ProcessAssemblyStorageMap",           PVOID), # ASSEMBLY_STORAGE_MAP 
 947          ("SystemDefaultActivationContextData",  PVOID), # ACTIVATION_CONTEXT_DATA 
 948          ("SystemAssemblyStorageMap",            PVOID), # ASSEMBLY_STORAGE_MAP 
 949          ("MinimumStackCommit",                  QWORD), 
 950          ("FlsCallback",                         PVOID), # Ptr32 Ptr32 Void 
 951          ("FlsListHead",                         LIST_ENTRY), 
 952          ("FlsBitmap",                           PVOID), 
 953          ("FlsBitmapBits",                       DWORD * 4), 
 954          ("FlsHighIndex",                        DWORD), 
 955      ] 
 956   
 957  #    +0x000 InheritedAddressSpace : UChar 
 958  #    +0x001 ReadImageFileExecOptions : UChar 
 959  #    +0x002 BeingDebugged    : UChar 
 960  #    +0x003 BitField         : UChar 
 961  #    +0x003 ImageUsesLargePages : Pos 0, 1 Bit 
 962  #    +0x003 SpareBits        : Pos 1, 7 Bits 
 963  #    +0x008 Mutant           : Ptr64 Void 
 964  #    +0x010 ImageBaseAddress : Ptr64 Void 
 965  #    +0x018 Ldr              : Ptr64 _PEB_LDR_DATA 
 966  #    +0x020 ProcessParameters : Ptr64 _RTL_USER_PROCESS_PARAMETERS 
 967  #    +0x028 SubSystemData    : Ptr64 Void 
 968  #    +0x030 ProcessHeap      : Ptr64 Void 
 969  #    +0x038 FastPebLock      : Ptr64 _RTL_CRITICAL_SECTION 
 970  #    +0x040 AtlThunkSListPtr : Ptr64 Void 
 971  #    +0x048 SparePtr2        : Ptr64 Void 
 972  #    +0x050 EnvironmentUpdateCount : Uint4B 
 973  #    +0x058 KernelCallbackTable : Ptr64 Void 
 974  #    +0x060 SystemReserved   : [1] Uint4B 
 975  #    +0x064 SpareUlong       : Uint4B 
 976  #    +0x068 FreeList         : Ptr64 _PEB_FREE_BLOCK 
 977  #    +0x070 TlsExpansionCounter : Uint4B 
 978  #    +0x078 TlsBitmap        : Ptr64 Void 
 979  #    +0x080 TlsBitmapBits    : [2] Uint4B 
 980  #    +0x088 ReadOnlySharedMemoryBase : Ptr64 Void 
 981  #    +0x090 ReadOnlySharedMemoryHeap : Ptr64 Void 
 982  #    +0x098 ReadOnlyStaticServerData : Ptr64 Ptr64 Void 
 983  #    +0x0a0 AnsiCodePageData : Ptr64 Void 
 984  #    +0x0a8 OemCodePageData  : Ptr64 Void 
 985  #    +0x0b0 UnicodeCaseTableData : Ptr64 Void 
 986  #    +0x0b8 NumberOfProcessors : Uint4B 
 987  #    +0x0bc NtGlobalFlag     : Uint4B 
 988  #    +0x0c0 CriticalSectionTimeout : _LARGE_INTEGER 
 989  #    +0x0c8 HeapSegmentReserve : Uint8B 
 990  #    +0x0d0 HeapSegmentCommit : Uint8B 
 991  #    +0x0d8 HeapDeCommitTotalFreeThreshold : Uint8B 
 992  #    +0x0e0 HeapDeCommitFreeBlockThreshold : Uint8B 
 993  #    +0x0e8 NumberOfHeaps    : Uint4B 
 994  #    +0x0ec MaximumNumberOfHeaps : Uint4B 
 995  #    +0x0f0 ProcessHeaps     : Ptr64 Ptr64 Void 
 996  #    +0x0f8 GdiSharedHandleTable : Ptr64 Void 
 997  #    +0x100 ProcessStarterHelper : Ptr64 Void 
 998  #    +0x108 GdiDCAttributeList : Uint4B 
 999  #    +0x110 LoaderLock       : Ptr64 _RTL_CRITICAL_SECTION 
1000  #    +0x118 OSMajorVersion   : Uint4B 
1001  #    +0x11c OSMinorVersion   : Uint4B 
1002  #    +0x120 OSBuildNumber    : Uint2B 
1003  #    +0x122 OSCSDVersion     : Uint2B 
1004  #    +0x124 OSPlatformId     : Uint4B 
1005  #    +0x128 ImageSubsystem   : Uint4B 
1006  #    +0x12c ImageSubsystemMajorVersion : Uint4B 
1007  #    +0x130 ImageSubsystemMinorVersion : Uint4B 
1008  #    +0x138 ImageProcessAffinityMask : Uint8B 
1009  #    +0x140 GdiHandleBuffer  : [60] Uint4B 
1010  #    +0x230 PostProcessInitRoutine : Ptr64     void 
1011  #    +0x238 TlsExpansionBitmap : Ptr64 Void 
1012  #    +0x240 TlsExpansionBitmapBits : [32] Uint4B 
1013  #    +0x2c0 SessionId        : Uint4B 
1014  #    +0x2c8 AppCompatFlags   : _ULARGE_INTEGER 
1015  #    +0x2d0 AppCompatFlagsUser : _ULARGE_INTEGER 
1016  #    +0x2d8 pShimData        : Ptr64 Void 
1017  #    +0x2e0 AppCompatInfo    : Ptr64 Void 
1018  #    +0x2e8 CSDVersion       : _UNICODE_STRING 
1019  #    +0x2f8 ActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA 
1020  #    +0x300 ProcessAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP 
1021  #    +0x308 SystemDefaultActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA 
1022  #    +0x310 SystemAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP 
1023  #    +0x318 MinimumStackCommit : Uint8B 
1024  #    +0x320 FlsCallback      : Ptr64 Ptr64 Void 
1025  #    +0x328 FlsListHead      : _LIST_ENTRY 
1026  #    +0x338 FlsBitmap        : Ptr64 Void 
1027  #    +0x340 FlsBitmapBits    : [4] Uint4B 
1028  #    +0x350 FlsHighIndex     : Uint4B 
1029 -class _PEB_2003_64(Structure): 
1030      _pack_   = 8 
1031      _fields_ = [ 
1032          ("InheritedAddressSpace",               BOOLEAN), 
1033          ("ReadImageFileExecOptions",            UCHAR), 
1034          ("BeingDebugged",                       BOOLEAN), 
1035          ("BitField",                            UCHAR), 
1036          ("Mutant",                              HANDLE), 
1037          ("ImageBaseAddress",                    PVOID), 
1038          ("Ldr",                                 PVOID), # PPEB_LDR_DATA 
1039          ("ProcessParameters",                   PVOID), # PRTL_USER_PROCESS_PARAMETERS 
1040          ("SubSystemData",                       PVOID), 
1041          ("ProcessHeap",                         PVOID), 
1042          ("FastPebLock",                         PVOID), # PRTL_CRITICAL_SECTION 
1043          ("AtlThunkSListPtr",                    PVOID), 
1044          ("SparePtr2",                           PVOID), 
1045          ("EnvironmentUpdateCount",              DWORD), 
1046          ("KernelCallbackTable",                 PVOID), 
1047          ("SystemReserved",                      DWORD), 
1048          ("SpareUlong",                          DWORD), 
1049          ("FreeList",                            PVOID), # PPEB_FREE_BLOCK 
1050          ("TlsExpansionCounter",                 DWORD), 
1051          ("TlsBitmap",                           PVOID), 
1052          ("TlsBitmapBits",                       DWORD * 2), 
1053          ("ReadOnlySharedMemoryBase",            PVOID), 
1054          ("ReadOnlySharedMemoryHeap",            PVOID), 
1055          ("ReadOnlyStaticServerData",            PVOID), # Ptr64 Ptr64 Void 
1056          ("AnsiCodePageData",                    PVOID), 
1057          ("OemCodePageData",                     PVOID), 
1058          ("UnicodeCaseTableData",                PVOID), 
1059          ("NumberOfProcessors",                  DWORD), 
1060          ("NtGlobalFlag",                        DWORD), 
1061          ("CriticalSectionTimeout",              LONGLONG),  # LARGE_INTEGER 
1062          ("HeapSegmentReserve",                  QWORD), 
1063          ("HeapSegmentCommit",                   QWORD), 
1064          ("HeapDeCommitTotalFreeThreshold",      QWORD), 
1065          ("HeapDeCommitFreeBlockThreshold",      QWORD), 
1066          ("NumberOfHeaps",                       DWORD), 
1067          ("MaximumNumberOfHeaps",                DWORD), 
1068          ("ProcessHeaps",                        PVOID), # Ptr64 Ptr64 Void 
1069          ("GdiSharedHandleTable",                PVOID), 
1070          ("ProcessStarterHelper",                PVOID), 
1071          ("GdiDCAttributeList",                  DWORD), 
1072          ("LoaderLock",                          PVOID), # PRTL_CRITICAL_SECTION 
1073          ("OSMajorVersion",                      DWORD), 
1074          ("OSMinorVersion",                      DWORD), 
1075          ("OSBuildNumber",                       WORD), 
1076          ("OSCSDVersion",                        WORD), 
1077          ("OSPlatformId",                        DWORD), 
1078          ("ImageSubsystem",                      DWORD), 
1079          ("ImageSubsystemMajorVersion",          DWORD), 
1080          ("ImageSubsystemMinorVersion",          DWORD), 
1081          ("ImageProcessAffinityMask",            QWORD), 
1082          ("GdiHandleBuffer",                     DWORD * 60), 
1083          ("PostProcessInitRoutine",              PPS_POST_PROCESS_INIT_ROUTINE), 
1084          ("TlsExpansionBitmap",                  PVOID), 
1085          ("TlsExpansionBitmapBits",              DWORD * 32), 
1086          ("SessionId",                           DWORD), 
1087          ("AppCompatFlags",                      ULONGLONG), # ULARGE_INTEGER 
1088          ("AppCompatFlagsUser",                  ULONGLONG), # ULARGE_INTEGER 
1089          ("pShimData",                           PVOID), 
1090          ("AppCompatInfo",                       PVOID), 
1091          ("CSDVersion",                          UNICODE_STRING), 
1092          ("ActivationContextData",               PVOID), # ACTIVATION_CONTEXT_DATA 
1093          ("ProcessAssemblyStorageMap",           PVOID), # ASSEMBLY_STORAGE_MAP 
1094          ("SystemDefaultActivationContextData",  PVOID), # ACTIVATION_CONTEXT_DATA 
1095          ("SystemAssemblyStorageMap",            PVOID), # ASSEMBLY_STORAGE_MAP 
1096          ("MinimumStackCommit",                  QWORD), 
1097          ("FlsCallback",                         PVOID), # Ptr64 Ptr64 Void 
1098          ("FlsListHead",                         LIST_ENTRY), 
1099          ("FlsBitmap",                           PVOID), 
1100          ("FlsBitmapBits",                       DWORD * 4), 
1101          ("FlsHighIndex",                        DWORD), 
1102      ] 
1103   
1104  #    +0x000 InheritedAddressSpace : UChar 
1105  #    +0x001 ReadImageFileExecOptions : UChar 
1106  #    +0x002 BeingDebugged    : UChar 
1107  #    +0x003 BitField         : UChar 
1108  #    +0x003 ImageUsesLargePages : Pos 0, 1 Bit 
1109  #    +0x003 IsProtectedProcess : Pos 1, 1 Bit 
1110  #    +0x003 IsLegacyProcess  : Pos 2, 1 Bit 
1111  #    +0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit 
1112  #    +0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit 
1113  #    +0x003 SpareBits        : Pos 5, 3 Bits 
1114  #    +0x004 Mutant           : Ptr32 Void 
1115  #    +0x008 ImageBaseAddress : Ptr32 Void 
1116  #    +0x00c Ldr              : Ptr32 _PEB_LDR_DATA 
1117  #    +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS 
1118  #    +0x014 SubSystemData    : Ptr32 Void 
1119  #    +0x018 ProcessHeap      : Ptr32 Void 
1120  #    +0x01c FastPebLock      : Ptr32 _RTL_CRITICAL_SECTION 
1121  #    +0x020 AtlThunkSListPtr : Ptr32 Void 
1122  #    +0x024 IFEOKey          : Ptr32 Void 
1123  #    +0x028 CrossProcessFlags : Uint4B 
1124  #    +0x028 ProcessInJob     : Pos 0, 1 Bit 
1125  #    +0x028 ProcessInitializing : Pos 1, 1 Bit 
1126  #    +0x028 ProcessUsingVEH  : Pos 2, 1 Bit 
1127  #    +0x028 ProcessUsingVCH  : Pos 3, 1 Bit 
1128  #    +0x028 ReservedBits0    : Pos 4, 28 Bits 
1129  #    +0x02c KernelCallbackTable : Ptr32 Void 
1130  #    +0x02c UserSharedInfoPtr : Ptr32 Void 
1131  #    +0x030 SystemReserved   : [1] Uint4B 
1132  #    +0x034 SpareUlong       : Uint4B 
1133  #    +0x038 SparePebPtr0     : Uint4B 
1134  #    +0x03c TlsExpansionCounter : Uint4B 
1135  #    +0x040 TlsBitmap        : Ptr32 Void 
1136  #    +0x044 TlsBitmapBits    : [2] Uint4B 
1137  #    +0x04c ReadOnlySharedMemoryBase : Ptr32 Void 
1138  #    +0x050 HotpatchInformation : Ptr32 Void 
1139  #    +0x054 ReadOnlyStaticServerData : Ptr32 Ptr32 Void 
1140  #    +0x058 AnsiCodePageData : Ptr32 Void 
1141  #    +0x05c OemCodePageData  : Ptr32 Void 
1142  #    +0x060 UnicodeCaseTableData : Ptr32 Void 
1143  #    +0x064 NumberOfProcessors : Uint4B 
1144  #    +0x068 NtGlobalFlag     : Uint4B 
1145  #    +0x070 CriticalSectionTimeout : _LARGE_INTEGER 
1146  #    +0x078 HeapSegmentReserve : Uint4B 
1147  #    +0x07c HeapSegmentCommit : Uint4B 
1148  #    +0x080 HeapDeCommitTotalFreeThreshold : Uint4B 
1149  #    +0x084 HeapDeCommitFreeBlockThreshold : Uint4B 
1150  #    +0x088 NumberOfHeaps    : Uint4B 
1151  #    +0x08c MaximumNumberOfHeaps : Uint4B 
1152  #    +0x090 ProcessHeaps     : Ptr32 Ptr32 Void 
1153  #    +0x094 GdiSharedHandleTable : Ptr32 Void 
1154  #    +0x098 ProcessStarterHelper : Ptr32 Void 
1155  #    +0x09c GdiDCAttributeList : Uint4B 
1156  #    +0x0a0 LoaderLock       : Ptr32 _RTL_CRITICAL_SECTION 
1157  #    +0x0a4 OSMajorVersion   : Uint4B 
1158  #    +0x0a8 OSMinorVersion   : Uint4B 
1159  #    +0x0ac OSBuildNumber    : Uint2B 
1160  #    +0x0ae OSCSDVersion     : Uint2B 
1161  #    +0x0b0 OSPlatformId     : Uint4B 
1162  #    +0x0b4 ImageSubsystem   : Uint4B 
1163  #    +0x0b8 ImageSubsystemMajorVersion : Uint4B 
1164  #    +0x0bc ImageSubsystemMinorVersion : Uint4B 
1165  #    +0x0c0 ActiveProcessAffinityMask : Uint4B 
1166  #    +0x0c4 GdiHandleBuffer  : [34] Uint4B 
1167  #    +0x14c PostProcessInitRoutine : Ptr32     void 
1168  #    +0x150 TlsExpansionBitmap : Ptr32 Void 
1169  #    +0x154 TlsExpansionBitmapBits : [32] Uint4B 
1170  #    +0x1d4 SessionId        : Uint4B 
1171  #    +0x1d8 AppCompatFlags   : _ULARGE_INTEGER 
1172  #    +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER 
1173  #    +0x1e8 pShimData        : Ptr32 Void 
1174  #    +0x1ec AppCompatInfo    : Ptr32 Void 
1175  #    +0x1f0 CSDVersion       : _UNICODE_STRING 
1176  #    +0x1f8 ActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA 
1177  #    +0x1fc ProcessAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP 
1178  #    +0x200 SystemDefaultActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA 
1179  #    +0x204 SystemAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP 
1180  #    +0x208 MinimumStackCommit : Uint4B 
1181  #    +0x20c FlsCallback      : Ptr32 _FLS_CALLBACK_INFO 
1182  #    +0x210 FlsListHead      : _LIST_ENTRY 
1183  #    +0x218 FlsBitmap        : Ptr32 Void 
1184  #    +0x21c FlsBitmapBits    : [4] Uint4B 
1185  #    +0x22c FlsHighIndex     : Uint4B 
1186  #    +0x230 WerRegistrationData : Ptr32 Void 
1187  #    +0x234 WerShipAssertPtr : Ptr32 Void 
1188 -class _PEB_2008(Structure): 
1189      _pack_   = 8 
1190      _fields_ = [ 
1191          ("InheritedAddressSpace",               BOOLEAN), 
1192          ("ReadImageFileExecOptions",            UCHAR), 
1193          ("BeingDebugged",                       BOOLEAN), 
1194          ("BitField",                            UCHAR), 
1195          ("Mutant",                              HANDLE), 
1196          ("ImageBaseAddress",                    PVOID), 
1197          ("Ldr",                                 PVOID), # PPEB_LDR_DATA 
1198          ("ProcessParameters",                   PVOID), # PRTL_USER_PROCESS_PARAMETERS 
1199          ("SubSystemData",                       PVOID), 
1200          ("ProcessHeap",                         PVOID), 
1201          ("FastPebLock",                         PVOID), # PRTL_CRITICAL_SECTION 
1202          ("AtlThunkSListPtr",                    PVOID), 
1203          ("IFEOKey",                             PVOID), 
1204          ("CrossProcessFlags",                   DWORD), 
1205          ("KernelCallbackTable",                 PVOID), 
1206          ("SystemReserved",                      DWORD), 
1207          ("SpareUlong",                          DWORD), 
1208          ("SparePebPtr0",                        PVOID), 
1209          ("TlsExpansionCounter",                 DWORD), 
1210          ("TlsBitmap",                           PVOID), 
1211          ("TlsBitmapBits",                       DWORD * 2), 
1212          ("ReadOnlySharedMemoryBase",            PVOID), 
1213          ("HotpatchInformation",                 PVOID), 
1214          ("ReadOnlyStaticServerData",            PVOID), # Ptr32 Ptr32 Void 
1215          ("AnsiCodePageData",                    PVOID), 
1216          ("OemCodePageData",                     PVOID), 
1217          ("UnicodeCaseTableData",                PVOID), 
1218          ("NumberOfProcessors",                  DWORD), 
1219          ("NtGlobalFlag",                        DWORD), 
1220          ("CriticalSectionTimeout",              LONGLONG),  # LARGE_INTEGER 
1221          ("HeapSegmentReserve",                  DWORD), 
1222          ("HeapSegmentCommit",                   DWORD), 
1223          ("HeapDeCommitTotalFreeThreshold",      DWORD), 
1224          ("HeapDeCommitFreeBlockThreshold",      DWORD), 
1225          ("NumberOfHeaps",                       DWORD), 
1226          ("MaximumNumberOfHeaps",                DWORD), 
1227          ("ProcessHeaps",                        PVOID), # Ptr32 Ptr32 Void 
1228          ("GdiSharedHandleTable",                PVOID), 
1229          ("ProcessStarterHelper",                PVOID), 
1230          ("GdiDCAttributeList",                  DWORD), 
1231          ("LoaderLock",                          PVOID), # PRTL_CRITICAL_SECTION 
1232          ("OSMajorVersion",                      DWORD), 
1233          ("OSMinorVersion",                      DWORD), 
1234          ("OSBuildNumber",                       WORD), 
1235          ("OSCSDVersion",                        WORD), 
1236          ("OSPlatformId",                        DWORD), 
1237          ("ImageSubsystem",                      DWORD), 
1238          ("ImageSubsystemMajorVersion",          DWORD), 
1239          ("ImageSubsystemMinorVersion",          DWORD), 
1240          ("ActiveProcessAffinityMask",           DWORD), 
1241          ("GdiHandleBuffer",                     DWORD * 34), 
1242          ("PostProcessInitRoutine",              PPS_POST_PROCESS_INIT_ROUTINE), 
1243          ("TlsExpansionBitmap",                  PVOID), 
1244          ("TlsExpansionBitmapBits",              DWORD * 32), 
1245          ("SessionId",                           DWORD), 
1246          ("AppCompatFlags",                      ULONGLONG), # ULARGE_INTEGER 
1247          ("AppCompatFlagsUser",                  ULONGLONG), # ULARGE_INTEGER 
1248          ("pShimData",                           PVOID), 
1249          ("AppCompatInfo",                       PVOID), 
1250          ("CSDVersion",                          UNICODE_STRING), 
1251          ("ActivationContextData",               PVOID), # ACTIVATION_CONTEXT_DATA 
1252          ("ProcessAssemblyStorageMap",           PVOID), # ASSEMBLY_STORAGE_MAP 
1253          ("SystemDefaultActivationContextData",  PVOID), # ACTIVATION_CONTEXT_DATA 
1254          ("SystemAssemblyStorageMap",            PVOID), # ASSEMBLY_STORAGE_MAP 
1255          ("MinimumStackCommit",                  DWORD), 
1256          ("FlsCallback",                         PVOID), # PFLS_CALLBACK_INFO 
1257          ("FlsListHead",                         LIST_ENTRY), 
1258          ("FlsBitmap",                           PVOID), 
1259          ("FlsBitmapBits",                       DWORD * 4), 
1260          ("FlsHighIndex",                        DWORD), 
1261          ("WerRegistrationData",                 PVOID), 
1262          ("WerShipAssertPtr",                    PVOID), 
1263      ] 
1264 -    def __get_UserSharedInfoPtr(self): 
1265          return self.KernelCallbackTable 
1266 -    def __set_UserSharedInfoPtr(self, value): 
1267          self.KernelCallbackTable = value 
1268      UserSharedInfoPtr = property(__get_UserSharedInfoPtr, __set_UserSharedInfoPtr) 
1269   
1270  #    +0x000 InheritedAddressSpace : UChar 
1271  #    +0x001 ReadImageFileExecOptions : UChar 
1272  #    +0x002 BeingDebugged    : UChar 
1273  #    +0x003 BitField         : UChar 
1274  #    +0x003 ImageUsesLargePages : Pos 0, 1 Bit 
1275  #    +0x003 IsProtectedProcess : Pos 1, 1 Bit 
1276  #    +0x003 IsLegacyProcess  : Pos 2, 1 Bit 
1277  #    +0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit 
1278  #    +0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit 
1279  #    +0x003 SpareBits        : Pos 5, 3 Bits 
1280  #    +0x004 Mutant           : Ptr32 Void 
1281  #    +0x008 ImageBaseAddress : Ptr32 Void 
1282  #    +0x00c Ldr              : Ptr32 _PEB_LDR_DATA 
1283  #    +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS 
1284  #    +0x014 SubSystemData    : Ptr32 Void 
1285  #    +0x018 ProcessHeap      : Ptr32 Void 
1286  #    +0x01c FastPebLock      : Ptr32 _RTL_CRITICAL_SECTION 
1287  #    +0x020 AtlThunkSListPtr : Ptr32 Void 
1288  #    +0x024 IFEOKey          : Ptr32 Void 
1289  #    +0x028 CrossProcessFlags : Uint4B 
1290  #    +0x028 ProcessInJob     : Pos 0, 1 Bit 
1291  #    +0x028 ProcessInitializing : Pos 1, 1 Bit 
1292  #    +0x028 ProcessUsingVEH  : Pos 2, 1 Bit 
1293  #    +0x028 ProcessUsingVCH  : Pos 3, 1 Bit 
1294  #    +0x028 ReservedBits0    : Pos 4, 28 Bits 
1295  #    +0x02c KernelCallbackTable : Ptr32 Void 
1296  #    +0x02c UserSharedInfoPtr : Ptr32 Void 
1297  #    +0x030 SystemReserved   : [1] Uint4B 
1298  #    +0x034 SpareUlong       : Uint4B 
1299  #    +0x038 SparePebPtr0     : Uint4B 
1300  #    +0x03c TlsExpansionCounter : Uint4B 
1301  #    +0x040 TlsBitmap        : Ptr32 Void 
1302  #    +0x044 TlsBitmapBits    : [2] Uint4B 
1303  #    +0x04c ReadOnlySharedMemoryBase : Ptr32 Void 
1304  #    +0x050 HotpatchInformation : Ptr32 Void 
1305  #    +0x054 ReadOnlyStaticServerData : Ptr32 Ptr32 Void 
1306  #    +0x058 AnsiCodePageData : Ptr32 Void 
1307  #    +0x05c OemCodePageData  : Ptr32 Void 
1308  #    +0x060 UnicodeCaseTableData : Ptr32 Void 
1309  #    +0x064 NumberOfProcessors : Uint4B 
1310  #    +0x068 NtGlobalFlag     : Uint4B 
1311  #    +0x070 CriticalSectionTimeout : _LARGE_INTEGER 
1312  #    +0x078 HeapSegmentReserve : Uint4B 
1313  #    +0x07c HeapSegmentCommit : Uint4B 
1314  #    +0x080 HeapDeCommitTotalFreeThreshold : Uint4B 
1315  #    +0x084 HeapDeCommitFreeBlockThreshold : Uint4B 
1316  #    +0x088 NumberOfHeaps    : Uint4B 
1317  #    +0x08c MaximumNumberOfHeaps : Uint4B 
1318  #    +0x090 ProcessHeaps     : Ptr32 Ptr32 Void 
1319  #    +0x094 GdiSharedHandleTable : Ptr32 Void 
1320  #    +0x098 ProcessStarterHelper : Ptr32 Void 
1321  #    +0x09c GdiDCAttributeList : Uint4B 
1322  #    +0x0a0 LoaderLock       : Ptr32 _RTL_CRITICAL_SECTION 
1323  #    +0x0a4 OSMajorVersion   : Uint4B 
1324  #    +0x0a8 OSMinorVersion   : Uint4B 
1325  #    +0x0ac OSBuildNumber    : Uint2B 
1326  #    +0x0ae OSCSDVersion     : Uint2B 
1327  #    +0x0b0 OSPlatformId     : Uint4B 
1328  #    +0x0b4 ImageSubsystem   : Uint4B 
1329  #    +0x0b8 ImageSubsystemMajorVersion : Uint4B 
1330  #    +0x0bc ImageSubsystemMinorVersion : Uint4B 
1331  #    +0x0c0 ActiveProcessAffinityMask : Uint4B 
1332  #    +0x0c4 GdiHandleBuffer  : [34] Uint4B 
1333  #    +0x14c PostProcessInitRoutine : Ptr32     void 
1334  #    +0x150 TlsExpansionBitmap : Ptr32 Void 
1335  #    +0x154 TlsExpansionBitmapBits : [32] Uint4B 
1336  #    +0x1d4 SessionId        : Uint4B 
1337  #    +0x1d8 AppCompatFlags   : _ULARGE_INTEGER 
1338  #    +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER 
1339  #    +0x1e8 pShimData        : Ptr32 Void 
1340  #    +0x1ec AppCompatInfo    : Ptr32 Void 
1341  #    +0x1f0 CSDVersion       : _UNICODE_STRING 
1342  #    +0x1f8 ActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA 
1343  #    +0x1fc ProcessAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP 
1344  #    +0x200 SystemDefaultActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA 
1345  #    +0x204 SystemAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP 
1346  #    +0x208 MinimumStackCommit : Uint4B 
1347  #    +0x20c FlsCallback      : Ptr32 _FLS_CALLBACK_INFO 
1348  #    +0x210 FlsListHead      : _LIST_ENTRY 
1349  #    +0x218 FlsBitmap        : Ptr32 Void 
1350  #    +0x21c FlsBitmapBits    : [4] Uint4B 
1351  #    +0x22c FlsHighIndex     : Uint4B 
1352  #    +0x230 WerRegistrationData : Ptr32 Void 
1353  #    +0x234 WerShipAssertPtr : Ptr32 Void 
1354 -class _PEB_Vista(Structure): 
1355      _pack_   = 8 
1356      _fields_ = [ 
1357          ("InheritedAddressSpace",               BOOLEAN), 
1358          ("ReadImageFileExecOptions",            UCHAR), 
1359          ("BeingDebugged",                       BOOLEAN), 
1360          ("BitField",                            UCHAR), 
1361          ("Mutant",                              HANDLE), 
1362          ("ImageBaseAddress",                    PVOID), 
1363          ("Ldr",                                 PVOID), # PPEB_LDR_DATA 
1364          ("ProcessParameters",                   PVOID), # PRTL_USER_PROCESS_PARAMETERS 
1365          ("SubSystemData",                       PVOID), 
1366          ("ProcessHeap",                         PVOID), 
1367          ("FastPebLock",                         PVOID), # PRTL_CRITICAL_SECTION 
1368          ("AtlThunkSListPtr",                    PVOID), 
1369          ("IFEOKey",                             PVOID), 
1370          ("CrossProcessFlags",                   DWORD), 
1371          ("KernelCallbackTable",                 PVOID), 
1372          ("SystemReserved",                      DWORD), 
1373          ("SpareUlong",                          DWORD), 
1374          ("SparePebPtr0",                        PVOID), 
1375          ("TlsExpansionCounter",                 DWORD), 
1376          ("TlsBitmap",                           PVOID), 
1377          ("TlsBitmapBits",                       DWORD * 2), 
1378          ("ReadOnlySharedMemoryBase",            PVOID), 
1379          ("HotpatchInformation",                 PVOID), 
1380          ("ReadOnlyStaticServerData",            PVOID), # Ptr32 Ptr32 Void 
1381          ("AnsiCodePageData",                    PVOID), 
1382          ("OemCodePageData",                     PVOID), 
1383          ("UnicodeCaseTableData",                PVOID), 
1384          ("NumberOfProcessors",                  DWORD), 
1385          ("NtGlobalFlag",                        DWORD), 
1386          ("CriticalSectionTimeout",              LONGLONG),  # LARGE_INTEGER 
1387          ("HeapSegmentReserve",                  DWORD), 
1388          ("HeapSegmentCommit",                   DWORD), 
1389          ("HeapDeCommitTotalFreeThreshold",      DWORD), 
1390          ("HeapDeCommitFreeBlockThreshold",      DWORD), 
1391          ("NumberOfHeaps",                       DWORD), 
1392          ("MaximumNumberOfHeaps",                DWORD), 
1393          ("ProcessHeaps",                        PVOID), # Ptr32 Ptr32 Void 
1394          ("GdiSharedHandleTable",                PVOID), 
1395          ("ProcessStarterHelper",                PVOID), 
1396          ("GdiDCAttributeList",                  DWORD), 
1397          ("LoaderLock",                          PVOID), # PRTL_CRITICAL_SECTION 
1398          ("OSMajorVersion",                      DWORD), 
1399          ("OSMinorVersion",                      DWORD), 
1400          ("OSBuildNumber",                       WORD), 
1401          ("OSCSDVersion",                        WORD), 
1402          ("OSPlatformId",                        DWORD), 
1403          ("ImageSubsystem",                      DWORD), 
1404          ("ImageSubsystemMajorVersion",          DWORD), 
1405          ("ImageSubsystemMinorVersion",          DWORD), 
1406          ("ImageProcessAffinityMask",            DWORD), 
1407          ("GdiHandleBuffer",                     DWORD * 34), 
1408          ("PostProcessInitRoutine",              PPS_POST_PROCESS_INIT_ROUTINE), 
1409          ("TlsExpansionBitmap",                  PVOID), 
1410          ("TlsExpansionBitmapBits",              DWORD * 32), 
1411          ("SessionId",                           DWORD), 
1412          ("AppCompatFlags",                      ULONGLONG), # ULARGE_INTEGER 
1413          ("AppCompatFlagsUser",                  ULONGLONG), # ULARGE_INTEGER 
1414          ("pShimData",                           PVOID), 
1415          ("AppCompatInfo",                       PVOID), 
1416          ("CSDVersion",                          UNICODE_STRING), 
1417          ("ActivationContextData",               PVOID), # ACTIVATION_CONTEXT_DATA 
1418          ("ProcessAssemblyStorageMap",           PVOID), # ASSEMBLY_STORAGE_MAP 
1419          ("SystemDefaultActivationContextData",  PVOID), # ACTIVATION_CONTEXT_DATA 
1420          ("SystemAssemblyStorageMap",            PVOID), # ASSEMBLY_STORAGE_MAP 
1421          ("MinimumStackCommit",                  DWORD), 
1422          ("FlsCallback",                         PVOID), # Ptr32 Ptr32 Void 
1423          ("FlsListHead",                         LIST_ENTRY), 
1424          ("FlsBitmap",                           PVOID), 
1425          ("FlsBitmapBits",                       DWORD * 4), 
1426          ("FlsHighIndex",                        DWORD), 
1427          ("WerRegistrationData",                 PVOID), 
1428          ("WerShipAssertPtr",                    PVOID), 
1429      ] 
1430 -    def __get_UserSharedInfoPtr(self): 
1431          return self.KernelCallbackTable 
1432 -    def __set_UserSharedInfoPtr(self, value): 
1433          self.KernelCallbackTable = value 
1434      UserSharedInfoPtr = property(__get_UserSharedInfoPtr, __set_UserSharedInfoPtr) 
1435   
1436  #    +0x000 InheritedAddressSpace : UChar 
1437  #    +0x001 ReadImageFileExecOptions : UChar 
1438  #    +0x002 BeingDebugged    : UChar 
1439  #    +0x003 BitField         : UChar 
1440  #    +0x003 ImageUsesLargePages : Pos 0, 1 Bit 
1441  #    +0x003 IsProtectedProcess : Pos 1, 1 Bit 
1442  #    +0x003 IsLegacyProcess  : Pos 2, 1 Bit 
1443  #    +0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit 
1444  #    +0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit 
1445  #    +0x003 SpareBits        : Pos 5, 3 Bits 
1446  #    +0x008 Mutant           : Ptr64 Void 
1447  #    +0x010 ImageBaseAddress : Ptr64 Void 
1448  #    +0x018 Ldr              : Ptr64 _PEB_LDR_DATA 
1449  #    +0x020 ProcessParameters : Ptr64 _RTL_USER_PROCESS_PARAMETERS 
1450  #    +0x028 SubSystemData    : Ptr64 Void 
1451  #    +0x030 ProcessHeap      : Ptr64 Void 
1452  #    +0x038 FastPebLock      : Ptr64 _RTL_CRITICAL_SECTION 
1453  #    +0x040 AtlThunkSListPtr : Ptr64 Void 
1454  #    +0x048 IFEOKey          : Ptr64 Void 
1455  #    +0x050 CrossProcessFlags : Uint4B 
1456  #    +0x050 ProcessInJob     : Pos 0, 1 Bit 
1457  #    +0x050 ProcessInitializing : Pos 1, 1 Bit 
1458  #    +0x050 ProcessUsingVEH  : Pos 2, 1 Bit 
1459  #    +0x050 ProcessUsingVCH  : Pos 3, 1 Bit 
1460  #    +0x050 ReservedBits0    : Pos 4, 28 Bits 
1461  #    +0x058 KernelCallbackTable : Ptr64 Void 
1462  #    +0x058 UserSharedInfoPtr : Ptr64 Void 
1463  #    +0x060 SystemReserved   : [1] Uint4B 
1464  #    +0x064 SpareUlong       : Uint4B 
1465  #    +0x068 SparePebPtr0     : Uint8B 
1466  #    +0x070 TlsExpansionCounter : Uint4B 
1467  #    +0x078 TlsBitmap        : Ptr64 Void 
1468  #    +0x080 TlsBitmapBits    : [2] Uint4B 
1469  #    +0x088 ReadOnlySharedMemoryBase : Ptr64 Void 
1470  #    +0x090 HotpatchInformation : Ptr64 Void 
1471  #    +0x098 ReadOnlyStaticServerData : Ptr64 Ptr64 Void 
1472  #    +0x0a0 AnsiCodePageData : Ptr64 Void 
1473  #    +0x0a8 OemCodePageData  : Ptr64 Void 
1474  #    +0x0b0 UnicodeCaseTableData : Ptr64 Void 
1475  #    +0x0b8 NumberOfProcessors : Uint4B 
1476  #    +0x0bc NtGlobalFlag     : Uint4B 
1477  #    +0x0c0 CriticalSectionTimeout : _LARGE_INTEGER 
1478  #    +0x0c8 HeapSegmentReserve : Uint8B 
1479  #    +0x0d0 HeapSegmentCommit : Uint8B 
1480  #    +0x0d8 HeapDeCommitTotalFreeThreshold : Uint8B 
1481  #    +0x0e0 HeapDeCommitFreeBlockThreshold : Uint8B 
1482  #    +0x0e8 NumberOfHeaps    : Uint4B 
1483  #    +0x0ec MaximumNumberOfHeaps : Uint4B 
1484  #    +0x0f0 ProcessHeaps     : Ptr64 Ptr64 Void 
1485  #    +0x0f8 GdiSharedHandleTable : Ptr64 Void 
1486  #    +0x100 ProcessStarterHelper : Ptr64 Void 
1487  #    +0x108 GdiDCAttributeList : Uint4B 
1488  #    +0x110 LoaderLock       : Ptr64 _RTL_CRITICAL_SECTION 
1489  #    +0x118 OSMajorVersion   : Uint4B 
1490  #    +0x11c OSMinorVersion   : Uint4B 
1491  #    +0x120 OSBuildNumber    : Uint2B 
1492  #    +0x122 OSCSDVersion     : Uint2B 
1493  #    +0x124 OSPlatformId     : Uint4B 
1494  #    +0x128 ImageSubsystem   : Uint4B 
1495  #    +0x12c ImageSubsystemMajorVersion : Uint4B 
1496  #    +0x130 ImageSubsystemMinorVersion : Uint4B 
1497  #    +0x138 ActiveProcessAffinityMask : Uint8B 
1498  #    +0x140 GdiHandleBuffer  : [60] Uint4B 
1499  #    +0x230 PostProcessInitRoutine : Ptr64     void 
1500  #    +0x238 TlsExpansionBitmap : Ptr64 Void 
1501  #    +0x240 TlsExpansionBitmapBits : [32] Uint4B 
1502  #    +0x2c0 SessionId        : Uint4B 
1503  #    +0x2c8 AppCompatFlags   : _ULARGE_INTEGER 
1504  #    +0x2d0 AppCompatFlagsUser : _ULARGE_INTEGER 
1505  #    +0x2d8 pShimData        : Ptr64 Void 
1506  #    +0x2e0 AppCompatInfo    : Ptr64 Void 
1507  #    +0x2e8 CSDVersion       : _UNICODE_STRING 
1508  #    +0x2f8 ActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA 
1509  #    +0x300 ProcessAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP 
1510  #    +0x308 SystemDefaultActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA 
1511  #    +0x310 SystemAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP 
1512  #    +0x318 MinimumStackCommit : Uint8B 
1513  #    +0x320 FlsCallback      : Ptr64 _FLS_CALLBACK_INFO 
1514  #    +0x328 FlsListHead      : _LIST_ENTRY 
1515  #    +0x338 FlsBitmap        : Ptr64 Void 
1516  #    +0x340 FlsBitmapBits    : [4] Uint4B 
1517  #    +0x350 FlsHighIndex     : Uint4B 
1518  #    +0x358 WerRegistrationData : Ptr64 Void 
1519  #    +0x360 WerShipAssertPtr : Ptr64 Void 
1520 -class _PEB_Vista_64(Structure): 
1521      _pack_   = 8 
1522      _fields_ = [ 
1523          ("InheritedAddressSpace",               BOOLEAN), 
1524          ("ReadImageFileExecOptions",            UCHAR), 
1525          ("BeingDebugged",                       BOOLEAN), 
1526          ("BitField",                            UCHAR), 
1527          ("Mutant",                              HANDLE), 
1528          ("ImageBaseAddress",                    PVOID), 
1529          ("Ldr",                                 PVOID), # PPEB_LDR_DATA 
1530          ("ProcessParameters",                   PVOID), # PRTL_USER_PROCESS_PARAMETERS 
1531          ("SubSystemData",                       PVOID), 
1532          ("ProcessHeap",                         PVOID), 
1533          ("FastPebLock",                         PVOID), # PRTL_CRITICAL_SECTION 
1534          ("AtlThunkSListPtr",                    PVOID), 
1535          ("IFEOKey",                             PVOID), 
1536          ("CrossProcessFlags",                   DWORD), 
1537          ("KernelCallbackTable",                 PVOID), 
1538          ("SystemReserved",                      DWORD), 
1539          ("SpareUlong",                          DWORD), 
1540          ("SparePebPtr0",                        PVOID), 
1541          ("TlsExpansionCounter",                 DWORD), 
1542          ("TlsBitmap",                           PVOID), 
1543          ("TlsBitmapBits",                       DWORD * 2), 
1544          ("ReadOnlySharedMemoryBase",            PVOID), 
1545          ("HotpatchInformation",                 PVOID), 
1546          ("ReadOnlyStaticServerData",            PVOID), # Ptr64 Ptr64 Void 
1547          ("AnsiCodePageData",                    PVOID), 
1548          ("OemCodePageData",                     PVOID), 
1549          ("UnicodeCaseTableData",                PVOID), 
1550          ("NumberOfProcessors",                  DWORD), 
1551          ("NtGlobalFlag",                        DWORD), 
1552          ("CriticalSectionTimeout",              LONGLONG),  # LARGE_INTEGER 
1553          ("HeapSegmentReserve",                  QWORD), 
1554          ("HeapSegmentCommit",                   QWORD), 
1555          ("HeapDeCommitTotalFreeThreshold",      QWORD), 
1556          ("HeapDeCommitFreeBlockThreshold",      QWORD), 
1557          ("NumberOfHeaps",                       DWORD), 
1558          ("MaximumNumberOfHeaps",                DWORD), 
1559          ("ProcessHeaps",                        PVOID), # Ptr64 Ptr64 Void 
1560          ("GdiSharedHandleTable",                PVOID), 
1561          ("ProcessStarterHelper",                PVOID), 
1562          ("GdiDCAttributeList",                  DWORD), 
1563          ("LoaderLock",                          PVOID), # PRTL_CRITICAL_SECTION 
1564          ("OSMajorVersion",                      DWORD), 
1565          ("OSMinorVersion",                      DWORD), 
1566          ("OSBuildNumber",                       WORD), 
1567          ("OSCSDVersion",                        WORD), 
1568          ("OSPlatformId",                        DWORD), 
1569          ("ImageSubsystem",                      DWORD), 
1570          ("ImageSubsystemMajorVersion",          DWORD), 
1571          ("ImageSubsystemMinorVersion",          DWORD), 
1572          ("ActiveProcessAffinityMask",           QWORD), 
1573          ("GdiHandleBuffer",                     DWORD * 60), 
1574          ("PostProcessInitRoutine",              PPS_POST_PROCESS_INIT_ROUTINE), 
1575          ("TlsExpansionBitmap",                  PVOID), 
1576          ("TlsExpansionBitmapBits",              DWORD * 32), 
1577          ("SessionId",                           DWORD), 
1578          ("AppCompatFlags",                      ULONGLONG), # ULARGE_INTEGER 
1579          ("AppCompatFlagsUser",                  ULONGLONG), # ULARGE_INTEGER 
1580          ("pShimData",                           PVOID), 
1581          ("AppCompatInfo",                       PVOID), 
1582          ("CSDVersion",                          UNICODE_STRING), 
1583          ("ActivationContextData",               PVOID), # ACTIVATION_CONTEXT_DATA 
1584          ("ProcessAssemblyStorageMap",           PVOID), # ASSEMBLY_STORAGE_MAP 
1585          ("SystemDefaultActivationContextData",  PVOID), # ACTIVATION_CONTEXT_DATA 
1586          ("SystemAssemblyStorageMap",            PVOID), # ASSEMBLY_STORAGE_MAP 
1587          ("MinimumStackCommit",                  QWORD), 
1588          ("FlsCallback",                         PVOID), # PFLS_CALLBACK_INFO 
1589          ("FlsListHead",                         LIST_ENTRY), 
1590          ("FlsBitmap",                           PVOID), 
1591          ("FlsBitmapBits",                       DWORD * 4), 
1592          ("FlsHighIndex",                        DWORD), 
1593          ("WerRegistrationData",                 PVOID), 
1594          ("WerShipAssertPtr",                    PVOID), 
1595      ] 
1596 -    def __get_UserSharedInfoPtr(self): 
1597          return self.KernelCallbackTable 
1598 -    def __set_UserSharedInfoPtr(self, value): 
1599          self.KernelCallbackTable = value 
1600      UserSharedInfoPtr = property(__get_UserSharedInfoPtr, __set_UserSharedInfoPtr) 
1601   
1602  #    +0x000 InheritedAddressSpace : UChar 
1603  #    +0x001 ReadImageFileExecOptions : UChar 
1604  #    +0x002 BeingDebugged    : UChar 
1605  #    +0x003 BitField         : UChar 
1606  #    +0x003 ImageUsesLargePages : Pos 0, 1 Bit 
1607  #    +0x003 IsProtectedProcess : Pos 1, 1 Bit 
1608  #    +0x003 IsLegacyProcess  : Pos 2, 1 Bit 
1609  #    +0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit 
1610  #    +0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit 
1611  #    +0x003 SpareBits        : Pos 5, 3 Bits 
1612  #    +0x004 Mutant           : Ptr32 Void 
1613  #    +0x008 ImageBaseAddress : Ptr32 Void 
1614  #    +0x00c Ldr              : Ptr32 _PEB_LDR_DATA 
1615  #    +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS 
1616  #    +0x014 SubSystemData    : Ptr32 Void 
1617  #    +0x018 ProcessHeap      : Ptr32 Void 
1618  #    +0x01c FastPebLock      : Ptr32 _RTL_CRITICAL_SECTION 
1619  #    +0x020 AtlThunkSListPtr : Ptr32 Void 
1620  #    +0x024 IFEOKey          : Ptr32 Void 
1621  #    +0x028 CrossProcessFlags : Uint4B 
1622  #    +0x028 ProcessInJob     : Pos 0, 1 Bit 
1623  #    +0x028 ProcessInitializing : Pos 1, 1 Bit 
1624  #    +0x028 ProcessUsingVEH  : Pos 2, 1 Bit 
1625  #    +0x028 ProcessUsingVCH  : Pos 3, 1 Bit 
1626  #    +0x028 ProcessUsingFTH  : Pos 4, 1 Bit 
1627  #    +0x028 ReservedBits0    : Pos 5, 27 Bits 
1628  #    +0x02c KernelCallbackTable : Ptr32 Void 
1629  #    +0x02c UserSharedInfoPtr : Ptr32 Void 
1630  #    +0x030 SystemReserved   : [1] Uint4B 
1631  #    +0x034 TracingFlags     : Uint4B 
1632  #    +0x034 HeapTracingEnabled : Pos 0, 1 Bit 
1633  #    +0x034 CritSecTracingEnabled : Pos 1, 1 Bit 
1634  #    +0x034 SpareTracingBits : Pos 2, 30 Bits 
1635  #    +0x038 ApiSetMap        : Ptr32 Void 
1636  #    +0x03c TlsExpansionCounter : Uint4B 
1637  #    +0x040 TlsBitmap        : Ptr32 Void 
1638  #    +0x044 TlsBitmapBits    : [2] Uint4B 
1639  #    +0x04c ReadOnlySharedMemoryBase : Ptr32 Void 
1640  #    +0x050 HotpatchInformation : Ptr32 Void 
1641  #    +0x054 ReadOnlyStaticServerData : Ptr32 Ptr32 Void 
1642  #    +0x058 AnsiCodePageData : Ptr32 Void 
1643  #    +0x05c OemCodePageData  : Ptr32 Void 
1644  #    +0x060 UnicodeCaseTableData : Ptr32 Void 
1645  #    +0x064 NumberOfProcessors : Uint4B 
1646  #    +0x068 NtGlobalFlag     : Uint4B 
1647  #    +0x070 CriticalSectionTimeout : _LARGE_INTEGER 
1648  #    +0x078 HeapSegmentReserve : Uint4B 
1649  #    +0x07c HeapSegmentCommit : Uint4B 
1650  #    +0x080 HeapDeCommitTotalFreeThreshold : Uint4B 
1651  #    +0x084 HeapDeCommitFreeBlockThreshold : Uint4B 
1652  #    +0x088 NumberOfHeaps    : Uint4B 
1653  #    +0x08c MaximumNumberOfHeaps : Uint4B 
1654  #    +0x090 ProcessHeaps     : Ptr32 Ptr32 Void 
1655  #    +0x094 GdiSharedHandleTable : Ptr32 Void 
1656  #    +0x098 ProcessStarterHelper : Ptr32 Void 
1657  #    +0x09c GdiDCAttributeList : Uint4B 
1658  #    +0x0a0 LoaderLock       : Ptr32 _RTL_CRITICAL_SECTION 
1659  #    +0x0a4 OSMajorVersion   : Uint4B 
1660  #    +0x0a8 OSMinorVersion   : Uint4B 
1661  #    +0x0ac OSBuildNumber    : Uint2B 
1662  #    +0x0ae OSCSDVersion     : Uint2B 
1663  #    +0x0b0 OSPlatformId     : Uint4B 
1664  #    +0x0b4 ImageSubsystem   : Uint4B 
1665  #    +0x0b8 ImageSubsystemMajorVersion : Uint4B 
1666  #    +0x0bc ImageSubsystemMinorVersion : Uint4B 
1667  #    +0x0c0 ActiveProcessAffinityMask : Uint4B 
1668  #    +0x0c4 GdiHandleBuffer  : [34] Uint4B 
1669  #    +0x14c PostProcessInitRoutine : Ptr32     void 
1670  #    +0x150 TlsExpansionBitmap : Ptr32 Void 
1671  #    +0x154 TlsExpansionBitmapBits : [32] Uint4B 
1672  #    +0x1d4 SessionId        : Uint4B 
1673  #    +0x1d8 AppCompatFlags   : _ULARGE_INTEGER 
1674  #    +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER 
1675  #    +0x1e8 pShimData        : Ptr32 Void 
1676  #    +0x1ec AppCompatInfo    : Ptr32 Void 
1677  #    +0x1f0 CSDVersion       : _UNICODE_STRING 
1678  #    +0x1f8 ActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA 
1679  #    +0x1fc ProcessAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP 
1680  #    +0x200 SystemDefaultActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA 
1681  #    +0x204 SystemAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP 
1682  #    +0x208 MinimumStackCommit : Uint4B 
1683  #    +0x20c FlsCallback      : Ptr32 _FLS_CALLBACK_INFO 
1684  #    +0x210 FlsListHead      : _LIST_ENTRY 
1685  #    +0x218 FlsBitmap        : Ptr32 Void 
1686  #    +0x21c FlsBitmapBits    : [4] Uint4B 
1687  #    +0x22c FlsHighIndex     : Uint4B 
1688  #    +0x230 WerRegistrationData : Ptr32 Void 
1689  #    +0x234 WerShipAssertPtr : Ptr32 Void 
1690  #    +0x238 pContextData     : Ptr32 Void 
1691  #    +0x23c pImageHeaderHash : Ptr32 Void 
1692 -class _PEB_W7_Beta(Structure): 
1693      """ 
1694      This definition of the PEB structure is only valid for the beta versions 
1695      of Windows 7. For the final version of Windows 7 use L{_PEB_W7} instead. 
1696      This structure is not chosen automatically. 
1697      """ 
1698      _pack_   = 8 
1699      _fields_ = [ 
1700          ("InheritedAddressSpace",               BOOLEAN), 
1701          ("ReadImageFileExecOptions",            UCHAR), 
1702          ("BeingDebugged",                       BOOLEAN), 
1703          ("BitField",                            UCHAR), 
1704          ("Mutant",                              HANDLE), 
1705          ("ImageBaseAddress",                    PVOID), 
1706          ("Ldr",                                 PVOID), # PPEB_LDR_DATA 
1707          ("ProcessParameters",                   PVOID), # PRTL_USER_PROCESS_PARAMETERS 
1708          ("SubSystemData",                       PVOID), 
1709          ("ProcessHeap",                         PVOID), 
1710          ("FastPebLock",                         PVOID), # PRTL_CRITICAL_SECTION 
1711          ("AtlThunkSListPtr",                    PVOID), 
1712          ("IFEOKey",                             PVOID), 
1713          ("CrossProcessFlags",                   DWORD), 
1714          ("KernelCallbackTable",                 PVOID), 
1715          ("SystemReserved",                      DWORD), 
1716          ("TracingFlags",                        DWORD), 
1717          ("ApiSetMap",                           PVOID), 
1718          ("TlsExpansionCounter",                 DWORD), 
1719          ("TlsBitmap",                           PVOID), 
1720          ("TlsBitmapBits",                       DWORD * 2), 
1721          ("ReadOnlySharedMemoryBase",            PVOID), 
1722          ("HotpatchInformation",                 PVOID), 
1723          ("ReadOnlyStaticServerData",            PVOID), # Ptr32 Ptr32 Void 
1724          ("AnsiCodePageData",                    PVOID), 
1725          ("OemCodePageData",                     PVOID), 
1726          ("UnicodeCaseTableData",                PVOID), 
1727          ("NumberOfProcessors",                  DWORD), 
1728          ("NtGlobalFlag",                        DWORD), 
1729          ("CriticalSectionTimeout",              LONGLONG),  # LARGE_INTEGER 
1730          ("HeapSegmentReserve",                  DWORD), 
1731          ("HeapSegmentCommit",                   DWORD), 
1732          ("HeapDeCommitTotalFreeThreshold",      DWORD), 
1733          ("HeapDeCommitFreeBlockThreshold",      DWORD), 
1734          ("NumberOfHeaps",                       DWORD), 
1735          ("MaximumNumberOfHeaps",                DWORD), 
1736          ("ProcessHeaps",                        PVOID), # Ptr32 Ptr32 Void 
1737          ("GdiSharedHandleTable",                PVOID), 
1738          ("ProcessStarterHelper",                PVOID), 
1739          ("GdiDCAttributeList",                  DWORD), 
1740          ("LoaderLock",                          PVOID), # PRTL_CRITICAL_SECTION 
1741          ("OSMajorVersion",                      DWORD), 
1742          ("OSMinorVersion",                      DWORD), 
1743          ("OSBuildNumber",                       WORD), 
1744          ("OSCSDVersion",                        WORD), 
1745          ("OSPlatformId",                        DWORD), 
1746          ("ImageSubsystem",                      DWORD), 
1747          ("ImageSubsystemMajorVersion",          DWORD), 
1748          ("ImageSubsystemMinorVersion",          DWORD), 
1749          ("ActiveProcessAffinityMask",           DWORD), 
1750          ("GdiHandleBuffer",                     DWORD * 34), 
1751          ("PostProcessInitRoutine",              PPS_POST_PROCESS_INIT_ROUTINE), 
1752          ("TlsExpansionBitmap",                  PVOID), 
1753          ("TlsExpansionBitmapBits",              DWORD * 32), 
1754          ("SessionId",                           DWORD), 
1755          ("AppCompatFlags",                      ULONGLONG), # ULARGE_INTEGER 
1756          ("AppCompatFlagsUser",                  ULONGLONG), # ULARGE_INTEGER 
1757          ("pShimData",                           PVOID), 
1758          ("AppCompatInfo",                       PVOID), 
1759          ("CSDVersion",                          UNICODE_STRING), 
1760          ("ActivationContextData",               PVOID), # ACTIVATION_CONTEXT_DATA 
1761          ("ProcessAssemblyStorageMap",           PVOID), # ASSEMBLY_STORAGE_MAP 
1762          ("SystemDefaultActivationContextData",  PVOID), # ACTIVATION_CONTEXT_DATA 
1763          ("SystemAssemblyStorageMap",            PVOID), # ASSEMBLY_STORAGE_MAP 
1764          ("MinimumStackCommit",                  DWORD), 
1765          ("FlsCallback",                         PVOID), # PFLS_CALLBACK_INFO 
1766          ("FlsListHead",                         LIST_ENTRY), 
1767          ("FlsBitmap",                           PVOID), 
1768          ("FlsBitmapBits",                       DWORD * 4), 
1769          ("FlsHighIndex",                        DWORD), 
1770          ("WerRegistrationData",                 PVOID), 
1771          ("WerShipAssertPtr",                    PVOID), 
1772          ("pContextData",                        PVOID), 
1773          ("pImageHeaderHash",                    PVOID), 
1774      ] 
1775 -    def __get_UserSharedInfoPtr(self): 
1776          return self.KernelCallbackTable 
1777 -    def __set_UserSharedInfoPtr(self, value): 
1778          self.KernelCallbackTable = value 
1779      UserSharedInfoPtr = property(__get_UserSharedInfoPtr, __set_UserSharedInfoPtr) 
1780   
1781  #    +0x000 InheritedAddressSpace : UChar 
1782  #    +0x001 ReadImageFileExecOptions : UChar 
1783  #    +0x002 BeingDebugged    : UChar 
1784  #    +0x003 BitField         : UChar 
1785  #    +0x003 ImageUsesLargePages : Pos 0, 1 Bit 
1786  #    +0x003 IsProtectedProcess : Pos 1, 1 Bit 
1787  #    +0x003 IsLegacyProcess  : Pos 2, 1 Bit 
1788  #    +0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit 
1789  #    +0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit 
1790  #    +0x003 SpareBits        : Pos 5, 3 Bits 
1791  #    +0x004 Mutant           : Ptr32 Void 
1792  #    +0x008 ImageBaseAddress : Ptr32 Void 
1793  #    +0x00c Ldr              : Ptr32 _PEB_LDR_DATA 
1794  #    +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS 
1795  #    +0x014 SubSystemData    : Ptr32 Void 
1796  #    +0x018 ProcessHeap      : Ptr32 Void 
1797  #    +0x01c FastPebLock      : Ptr32 _RTL_CRITICAL_SECTION 
1798  #    +0x020 AtlThunkSListPtr : Ptr32 Void 
1799  #    +0x024 IFEOKey          : Ptr32 Void 
1800  #    +0x028 CrossProcessFlags : Uint4B 
1801  #    +0x028 ProcessInJob     : Pos 0, 1 Bit 
1802  #    +0x028 ProcessInitializing : Pos 1, 1 Bit 
1803  #    +0x028 ProcessUsingVEH  : Pos 2, 1 Bit 
1804  #    +0x028 ProcessUsingVCH  : Pos 3, 1 Bit 
1805  #    +0x028 ProcessUsingFTH  : Pos 4, 1 Bit 
1806  #    +0x028 ReservedBits0    : Pos 5, 27 Bits 
1807  #    +0x02c KernelCallbackTable : Ptr32 Void 
1808  #    +0x02c UserSharedInfoPtr : Ptr32 Void 
1809  #    +0x030 SystemReserved   : [1] Uint4B 
1810  #    +0x034 AtlThunkSListPtr32 : Uint4B 
1811  #    +0x038 ApiSetMap        : Ptr32 Void 
1812  #    +0x03c TlsExpansionCounter : Uint4B 
1813  #    +0x040 TlsBitmap        : Ptr32 Void 
1814  #    +0x044 TlsBitmapBits    : [2] Uint4B 
1815  #    +0x04c ReadOnlySharedMemoryBase : Ptr32 Void 
1816  #    +0x050 HotpatchInformation : Ptr32 Void 
1817  #    +0x054 ReadOnlyStaticServerData : Ptr32 Ptr32 Void 
1818  #    +0x058 AnsiCodePageData : Ptr32 Void 
1819  #    +0x05c OemCodePageData  : Ptr32 Void 
1820  #    +0x060 UnicodeCaseTableData : Ptr32 Void 
1821  #    +0x064 NumberOfProcessors : Uint4B 
1822  #    +0x068 NtGlobalFlag     : Uint4B 
1823  #    +0x070 CriticalSectionTimeout : _LARGE_INTEGER 
1824  #    +0x078 HeapSegmentReserve : Uint4B 
1825  #    +0x07c HeapSegmentCommit : Uint4B 
1826  #    +0x080 HeapDeCommitTotalFreeThreshold : Uint4B 
1827  #    +0x084 HeapDeCommitFreeBlockThreshold : Uint4B 
1828  #    +0x088 NumberOfHeaps    : Uint4B 
1829  #    +0x08c MaximumNumberOfHeaps : Uint4B 
1830  #    +0x090 ProcessHeaps     : Ptr32 Ptr32 Void 
1831  #    +0x094 GdiSharedHandleTable : Ptr32 Void 
1832  #    +0x098 ProcessStarterHelper : Ptr32 Void 
1833  #    +0x09c GdiDCAttributeList : Uint4B 
1834  #    +0x0a0 LoaderLock       : Ptr32 _RTL_CRITICAL_SECTION 
1835  #    +0x0a4 OSMajorVersion   : Uint4B 
1836  #    +0x0a8 OSMinorVersion   : Uint4B 
1837  #    +0x0ac OSBuildNumber    : Uint2B 
1838  #    +0x0ae OSCSDVersion     : Uint2B 
1839  #    +0x0b0 OSPlatformId     : Uint4B 
1840  #    +0x0b4 ImageSubsystem   : Uint4B 
1841  #    +0x0b8 ImageSubsystemMajorVersion : Uint4B 
1842  #    +0x0bc ImageSubsystemMinorVersion : Uint4B 
1843  #    +0x0c0 ActiveProcessAffinityMask : Uint4B 
1844  #    +0x0c4 GdiHandleBuffer  : [34] Uint4B 
1845  #    +0x14c PostProcessInitRoutine : Ptr32     void 
1846  #    +0x150 TlsExpansionBitmap : Ptr32 Void 
1847  #    +0x154 TlsExpansionBitmapBits : [32] Uint4B 
1848  #    +0x1d4 SessionId        : Uint4B 
1849  #    +0x1d8 AppCompatFlags   : _ULARGE_INTEGER 
1850  #    +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER 
1851  #    +0x1e8 pShimData        : Ptr32 Void 
1852  #    +0x1ec AppCompatInfo    : Ptr32 Void 
1853  #    +0x1f0 CSDVersion       : _UNICODE_STRING 
1854  #    +0x1f8 ActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA 
1855  #    +0x1fc ProcessAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP 
1856  #    +0x200 SystemDefaultActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA 
1857  #    +0x204 SystemAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP 
1858  #    +0x208 MinimumStackCommit : Uint4B 
1859  #    +0x20c FlsCallback      : Ptr32 _FLS_CALLBACK_INFO 
1860  #    +0x210 FlsListHead      : _LIST_ENTRY 
1861  #    +0x218 FlsBitmap        : Ptr32 Void 
1862  #    +0x21c FlsBitmapBits    : [4] Uint4B 
1863  #    +0x22c FlsHighIndex     : Uint4B 
1864  #    +0x230 WerRegistrationData : Ptr32 Void 
1865  #    +0x234 WerShipAssertPtr : Ptr32 Void 
1866  #    +0x238 pContextData     : Ptr32 Void 
1867  #    +0x23c pImageHeaderHash : Ptr32 Void 
1868  #    +0x240 TracingFlags     : Uint4B 
1869  #    +0x240 HeapTracingEnabled : Pos 0, 1 Bit 
1870  #    +0x240 CritSecTracingEnabled : Pos 1, 1 Bit 
1871  #    +0x240 SpareTracingBits : Pos 2, 30 Bits 
1872 -class _PEB_W7(Structure): 
1873      _pack_   = 8 
1874      _fields_ = [ 
1875          ("InheritedAddressSpace",               BOOLEAN), 
1876          ("ReadImageFileExecOptions",            UCHAR), 
1877          ("BeingDebugged",                       BOOLEAN), 
1878          ("BitField",                            UCHAR), 
1879          ("Mutant",                              HANDLE), 
1880          ("ImageBaseAddress",                    PVOID), 
1881          ("Ldr",                                 PVOID), # PPEB_LDR_DATA 
1882          ("ProcessParameters",                   PVOID), # PRTL_USER_PROCESS_PARAMETERS 
1883          ("SubSystemData",                       PVOID), 
1884          ("ProcessHeap",                         PVOID), 
1885          ("FastPebLock",                         PVOID), # PRTL_CRITICAL_SECTION 
1886          ("AtlThunkSListPtr",                    PVOID), 
1887          ("IFEOKey",                             PVOID), 
1888          ("CrossProcessFlags",                   DWORD), 
1889          ("KernelCallbackTable",                 PVOID), 
1890          ("SystemReserved",                      DWORD), 
1891          ("AtlThunkSListPtr32",                  PVOID), 
1892          ("ApiSetMap",                           PVOID), 
1893          ("TlsExpansionCounter",                 DWORD), 
1894          ("TlsBitmap",                           PVOID), 
1895          ("TlsBitmapBits",                       DWORD * 2), 
1896          ("ReadOnlySharedMemoryBase",            PVOID), 
1897          ("HotpatchInformation",                 PVOID), 
1898          ("ReadOnlyStaticServerData",            PVOID), # Ptr32 Ptr32 Void 
1899          ("AnsiCodePageData",                    PVOID), 
1900          ("OemCodePageData",                     PVOID), 
1901          ("UnicodeCaseTableData",                PVOID), 
1902          ("NumberOfProcessors",                  DWORD), 
1903          ("NtGlobalFlag",                        DWORD), 
1904          ("CriticalSectionTimeout",              LONGLONG),  # LARGE_INTEGER 
1905          ("HeapSegmentReserve",                  DWORD), 
1906          ("HeapSegmentCommit",                   DWORD), 
1907          ("HeapDeCommitTotalFreeThreshold",      DWORD), 
1908          ("HeapDeCommitFreeBlockThreshold",      DWORD), 
1909          ("NumberOfHeaps",                       DWORD), 
1910          ("MaximumNumberOfHeaps",                DWORD), 
1911          ("ProcessHeaps",                        PVOID), # Ptr32 Ptr32 Void 
1912          ("GdiSharedHandleTable",                PVOID), 
1913          ("ProcessStarterHelper",                PVOID), 
1914          ("GdiDCAttributeList",                  DWORD), 
1915          ("LoaderLock",                          PVOID), # PRTL_CRITICAL_SECTION 
1916          ("OSMajorVersion",                      DWORD), 
1917          ("OSMinorVersion",                      DWORD), 
1918          ("OSBuildNumber",                       WORD), 
1919          ("OSCSDVersion",                        WORD), 
1920          ("OSPlatformId",                        DWORD), 
1921          ("ImageSubsystem",                      DWORD), 
1922          ("ImageSubsystemMajorVersion",          DWORD), 
1923          ("ImageSubsystemMinorVersion",          DWORD), 
1924          ("ActiveProcessAffinityMask",           DWORD), 
1925          ("GdiHandleBuffer",                     DWORD * 34), 
1926          ("PostProcessInitRoutine",              PPS_POST_PROCESS_INIT_ROUTINE), 
1927          ("TlsExpansionBitmap",                  PVOID), 
1928          ("TlsExpansionBitmapBits",              DWORD * 32), 
1929          ("SessionId",                           DWORD), 
1930          ("AppCompatFlags",                      ULONGLONG), # ULARGE_INTEGER 
1931          ("AppCompatFlagsUser",                  ULONGLONG), # ULARGE_INTEGER 
1932          ("pShimData",                           PVOID), 
1933          ("AppCompatInfo",                       PVOID), 
1934          ("CSDVersion",                          UNICODE_STRING), 
1935          ("ActivationContextData",               PVOID), # ACTIVATION_CONTEXT_DATA 
1936          ("ProcessAssemblyStorageMap",           PVOID), # ASSEMBLY_STORAGE_MAP 
1937          ("SystemDefaultActivationContextData",  PVOID), # ACTIVATION_CONTEXT_DATA 
1938          ("SystemAssemblyStorageMap",            PVOID), # ASSEMBLY_STORAGE_MAP 
1939          ("MinimumStackCommit",                  DWORD), 
1940          ("FlsCallback",                         PVOID), # PFLS_CALLBACK_INFO 
1941          ("FlsListHead",                         LIST_ENTRY), 
1942          ("FlsBitmap",                           PVOID), 
1943          ("FlsBitmapBits",                       DWORD * 4), 
1944          ("FlsHighIndex",                        DWORD), 
1945          ("WerRegistrationData",                 PVOID), 
1946          ("WerShipAssertPtr",                    PVOID), 
1947          ("pContextData",                        PVOID), 
1948          ("pImageHeaderHash",                    PVOID), 
1949          ("TracingFlags",                        DWORD), 
1950      ] 
1951 -    def __get_UserSharedInfoPtr(self): 
1952          return self.KernelCallbackTable 
1953 -    def __set_UserSharedInfoPtr(self, value): 
1954          self.KernelCallbackTable = value 
1955      UserSharedInfoPtr = property(__get_UserSharedInfoPtr, __set_UserSharedInfoPtr) 
1956   
1957  #    +0x000 InheritedAddressSpace : UChar 
1958  #    +0x001 ReadImageFileExecOptions : UChar 
1959  #    +0x002 BeingDebugged    : UChar 
1960  #    +0x003 BitField         : UChar 
1961  #    +0x003 ImageUsesLargePages : Pos 0, 1 Bit 
1962  #    +0x003 IsProtectedProcess : Pos 1, 1 Bit 
1963  #    +0x003 IsLegacyProcess  : Pos 2, 1 Bit 
1964  #    +0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit 
1965  #    +0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit 
1966  #    +0x003 SpareBits        : Pos 5, 3 Bits 
1967  #    +0x008 Mutant           : Ptr64 Void 
1968  #    +0x010 ImageBaseAddress : Ptr64 Void 
1969  #    +0x018 Ldr              : Ptr64 _PEB_LDR_DATA 
1970  #    +0x020 ProcessParameters : Ptr64 _RTL_USER_PROCESS_PARAMETERS 
1971  #    +0x028 SubSystemData    : Ptr64 Void 
1972  #    +0x030 ProcessHeap      : Ptr64 Void 
1973  #    +0x038 FastPebLock      : Ptr64 _RTL_CRITICAL_SECTION 
1974  #    +0x040 AtlThunkSListPtr : Ptr64 Void 
1975  #    +0x048 IFEOKey          : Ptr64 Void 
1976  #    +0x050 CrossProcessFlags : Uint4B 
1977  #    +0x050 ProcessInJob     : Pos 0, 1 Bit 
1978  #    +0x050 ProcessInitializing : Pos 1, 1 Bit 
1979  #    +0x050 ProcessUsingVEH  : Pos 2, 1 Bit 
1980  #    +0x050 ProcessUsingVCH  : Pos 3, 1 Bit 
1981  #    +0x050 ProcessUsingFTH  : Pos 4, 1 Bit 
1982  #    +0x050 ReservedBits0    : Pos 5, 27 Bits 
1983  #    +0x058 KernelCallbackTable : Ptr64 Void 
1984  #    +0x058 UserSharedInfoPtr : Ptr64 Void 
1985  #    +0x060 SystemReserved   : [1] Uint4B 
1986  #    +0x064 AtlThunkSListPtr32 : Uint4B 
1987  #    +0x068 ApiSetMap        : Ptr64 Void 
1988  #    +0x070 TlsExpansionCounter : Uint4B 
1989  #    +0x078 TlsBitmap        : Ptr64 Void 
1990  #    +0x080 TlsBitmapBits    : [2] Uint4B 
1991  #    +0x088 ReadOnlySharedMemoryBase : Ptr64 Void 
1992  #    +0x090 HotpatchInformation : Ptr64 Void 
1993  #    +0x098 ReadOnlyStaticServerData : Ptr64 Ptr64 Void 
1994  #    +0x0a0 AnsiCodePageData : Ptr64 Void 
1995  #    +0x0a8 OemCodePageData  : Ptr64 Void 
1996  #    +0x0b0 UnicodeCaseTableData : Ptr64 Void 
1997  #    +0x0b8 NumberOfProcessors : Uint4B 
1998  #    +0x0bc NtGlobalFlag     : Uint4B 
1999  #    +0x0c0 CriticalSectionTimeout : _LARGE_INTEGER 
2000  #    +0x0c8 HeapSegmentReserve : Uint8B 
2001  #    +0x0d0 HeapSegmentCommit : Uint8B 
2002  #    +0x0d8 HeapDeCommitTotalFreeThreshold : Uint8B 
2003  #    +0x0e0 HeapDeCommitFreeBlockThreshold : Uint8B 
2004  #    +0x0e8 NumberOfHeaps    : Uint4B 
2005  #    +0x0ec MaximumNumberOfHeaps : Uint4B 
2006  #    +0x0f0 ProcessHeaps     : Ptr64 Ptr64 Void 
2007  #    +0x0f8 GdiSharedHandleTable : Ptr64 Void 
2008  #    +0x100 ProcessStarterHelper : Ptr64 Void 
2009  #    +0x108 GdiDCAttributeList : Uint4B 
2010  #    +0x110 LoaderLock       : Ptr64 _RTL_CRITICAL_SECTION 
2011  #    +0x118 OSMajorVersion   : Uint4B 
2012  #    +0x11c OSMinorVersion   : Uint4B 
2013  #    +0x120 OSBuildNumber    : Uint2B 
2014  #    +0x122 OSCSDVersion     : Uint2B 
2015  #    +0x124 OSPlatformId     : Uint4B 
2016  #    +0x128 ImageSubsystem   : Uint4B 
2017  #    +0x12c ImageSubsystemMajorVersion : Uint4B 
2018  #    +0x130 ImageSubsystemMinorVersion : Uint4B 
2019  #    +0x138 ActiveProcessAffinityMask : Uint8B 
2020  #    +0x140 GdiHandleBuffer  : [60] Uint4B 
2021  #    +0x230 PostProcessInitRoutine : Ptr64     void 
2022  #    +0x238 TlsExpansionBitmap : Ptr64 Void 
2023  #    +0x240 TlsExpansionBitmapBits : [32] Uint4B 
2024  #    +0x2c0 SessionId        : Uint4B 
2025  #    +0x2c8 AppCompatFlags   : _ULARGE_INTEGER 
2026  #    +0x2d0 AppCompatFlagsUser : _ULARGE_INTEGER 
2027  #    +0x2d8 pShimData        : Ptr64 Void 
2028  #    +0x2e0 AppCompatInfo    : Ptr64 Void 
2029  #    +0x2e8 CSDVersion       : _UNICODE_STRING 
2030  #    +0x2f8 ActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA 
2031  #    +0x300 ProcessAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP 
2032  #    +0x308 SystemDefaultActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA 
2033  #    +0x310 SystemAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP 
2034  #    +0x318 MinimumStackCommit : Uint8B 
2035  #    +0x320 FlsCallback      : Ptr64 _FLS_CALLBACK_INFO 
2036  #    +0x328 FlsListHead      : _LIST_ENTRY 
2037  #    +0x338 FlsBitmap        : Ptr64 Void 
2038  #    +0x340 FlsBitmapBits    : [4] Uint4B 
2039  #    +0x350 FlsHighIndex     : Uint4B 
2040  #    +0x358 WerRegistrationData : Ptr64 Void 
2041  #    +0x360 WerShipAssertPtr : Ptr64 Void 
2042  #    +0x368 pContextData     : Ptr64 Void 
2043  #    +0x370 pImageHeaderHash : Ptr64 Void 
2044  #    +0x378 TracingFlags     : Uint4B 
2045  #    +0x378 HeapTracingEnabled : Pos 0, 1 Bit 
2046  #    +0x378 CritSecTracingEnabled : Pos 1, 1 Bit 
2047  #    +0x378 SpareTracingBits : Pos 2, 30 Bits 
2048 -class _PEB_W7_64(Structure): 
2049      _pack_   = 8 
2050      _fields_ = [ 
2051          ("InheritedAddressSpace",               BOOLEAN), 
2052          ("ReadImageFileExecOptions",            UCHAR), 
2053          ("BeingDebugged",                       BOOLEAN), 
2054          ("BitField",                            UCHAR), 
2055          ("Mutant",                              HANDLE), 
2056          ("ImageBaseAddress",                    PVOID), 
2057          ("Ldr",                                 PVOID), # PPEB_LDR_DATA 
2058          ("ProcessParameters",                   PVOID), # PRTL_USER_PROCESS_PARAMETERS 
2059          ("SubSystemData",                       PVOID), 
2060          ("ProcessHeap",                         PVOID), 
2061          ("FastPebLock",                         PVOID), # PRTL_CRITICAL_SECTION 
2062          ("AtlThunkSListPtr",                    PVOID), 
2063          ("IFEOKey",                             PVOID), 
2064          ("CrossProcessFlags",                   DWORD), 
2065          ("KernelCallbackTable",                 PVOID), 
2066          ("SystemReserved",                      DWORD), 
2067          ("AtlThunkSListPtr32",                  DWORD), 
2068          ("ApiSetMap",                           PVOID), 
2069          ("TlsExpansionCounter",                 DWORD), 
2070          ("TlsBitmap",                           PVOID), 
2071          ("TlsBitmapBits",                       DWORD * 2), 
2072          ("ReadOnlySharedMemoryBase",            PVOID), 
2073          ("HotpatchInformation",                 PVOID), 
2074          ("ReadOnlyStaticServerData",            PVOID), # Ptr32 Ptr32 Void 
2075          ("AnsiCodePageData",                    PVOID), 
2076          ("OemCodePageData",                     PVOID), 
2077          ("UnicodeCaseTableData",                PVOID), 
2078          ("NumberOfProcessors",                  DWORD), 
2079          ("NtGlobalFlag",                        DWORD), 
2080          ("CriticalSectionTimeout",              LONGLONG),  # LARGE_INTEGER 
2081          ("HeapSegmentReserve",                  QWORD), 
2082          ("HeapSegmentCommit",                   QWORD), 
2083          ("HeapDeCommitTotalFreeThreshold",      QWORD), 
2084          ("HeapDeCommitFreeBlockThreshold",      QWORD), 
2085          ("NumberOfHeaps",                       DWORD), 
2086          ("MaximumNumberOfHeaps",                DWORD), 
2087          ("ProcessHeaps",                        PVOID), # Ptr64 Ptr64 Void 
2088          ("GdiSharedHandleTable",                PVOID), 
2089          ("ProcessStarterHelper",                PVOID), 
2090          ("GdiDCAttributeList",                  DWORD), 
2091          ("LoaderLock",                          PVOID), # PRTL_CRITICAL_SECTION 
2092          ("OSMajorVersion",                      DWORD), 
2093          ("OSMinorVersion",                      DWORD), 
2094          ("OSBuildNumber",                       WORD), 
2095          ("OSCSDVersion",                        WORD), 
2096          ("OSPlatformId",                        DWORD), 
2097          ("ImageSubsystem",                      DWORD), 
2098          ("ImageSubsystemMajorVersion",          DWORD), 
2099          ("ImageSubsystemMinorVersion",          DWORD), 
2100          ("ActiveProcessAffinityMask",           QWORD), 
2101          ("GdiHandleBuffer",                     DWORD * 60), 
2102          ("PostProcessInitRoutine",              PPS_POST_PROCESS_INIT_ROUTINE), 
2103          ("TlsExpansionBitmap",                  PVOID), 
2104          ("TlsExpansionBitmapBits",              DWORD * 32), 
2105          ("SessionId",                           DWORD), 
2106          ("AppCompatFlags",                      ULONGLONG), # ULARGE_INTEGER 
2107          ("AppCompatFlagsUser",                  ULONGLONG), # ULARGE_INTEGER 
2108          ("pShimData",                           PVOID), 
2109          ("AppCompatInfo",                       PVOID), 
2110          ("CSDVersion",                          UNICODE_STRING), 
2111          ("ActivationContextData",               PVOID), # ACTIVATION_CONTEXT_DATA 
2112          ("ProcessAssemblyStorageMap",           PVOID), # ASSEMBLY_STORAGE_MAP 
2113          ("SystemDefaultActivationContextData",  PVOID), # ACTIVATION_CONTEXT_DATA 
2114          ("SystemAssemblyStorageMap",            PVOID), # ASSEMBLY_STORAGE_MAP 
2115          ("MinimumStackCommit",                  QWORD), 
2116          ("FlsCallback",                         PVOID), # PFLS_CALLBACK_INFO 
2117          ("FlsListHead",                         LIST_ENTRY), 
2118          ("FlsBitmap",                           PVOID), 
2119          ("FlsBitmapBits",                       DWORD * 4), 
2120          ("FlsHighIndex",                        DWORD), 
2121          ("WerRegistrationData",                 PVOID), 
2122          ("WerShipAssertPtr",                    PVOID), 
2123          ("pContextData",                        PVOID), 
2124          ("pImageHeaderHash",                    PVOID), 
2125          ("TracingFlags",                        DWORD), 
2126      ] 
2127 -    def __get_UserSharedInfoPtr(self): 
2128          return self.KernelCallbackTable 
2129 -    def __set_UserSharedInfoPtr(self, value): 
2130          self.KernelCallbackTable = value 
2131      UserSharedInfoPtr = property(__get_UserSharedInfoPtr, __set_UserSharedInfoPtr) 
2132   
2133  # Use the correct PEB structure definition. 
2134  # Defaults to the latest Windows version. 
2135 -class PEB(Structure): 
2136      _pack_ = 8 
2137      if os == 'Windows NT': 
2138          _pack_ = _PEB_NT._pack_ 
2139          _fields_ = _PEB_NT._fields_ 
2140      elif os == 'Windows 2000': 
2141          _fields_ = _PEB_2000._fields_ 
2142      elif os == 'Windows XP': 
2143          _fields_ = _PEB_XP._fields_ 
2144      elif os == 'Windows XP (64 bits)': 
2145          _fields_ = _PEB_XP_64._fields_ 
2146      elif os == 'Windows 2003': 
2147          _fields_ = _PEB_2003._fields_ 
2148      elif os == 'Windows 2003 (64 bits)': 
2149          _fields_ = _PEB_2003_64._fields_ 
2150      elif os == 'Windows 2008': 
2151          _fields_ = _PEB_2008._fields_ 
2152      elif os == 'Windows 2008 (64 bits)': 
2153          _fields_ = _PEB_2008_64._fields_ 
2154      elif os == 'Windows Vista': 
2155          _fields_ = _PEB_Vista._fields_ 
2156      elif os == 'Windows Vista (64 bits)': 
2157          _fields_ = _PEB_Vista_64._fields_ 
2158      elif os == 'Windows 7': 
2159          _fields_ = _PEB_W7._fields_ 
2160      elif os == 'Windows 7 (64 bits)': 
2161          _fields_ = _PEB_W7_64._fields_ 
2162      elif sizeof(SIZE_T) == sizeof(DWORD): 
2163          _fields_ = _PEB_W7._fields_ 
2164      else: 
2165          _fields_ = _PEB_W7_64._fields_ 
2166  PPEB = POINTER(PEB) 
2167   
2168  # from https://vmexplorer.svn.codeplex.com/svn/VMExplorer/src/Win32/Threads.cs 
2169  # 
2170  # [StructLayout (LayoutKind.Sequential, Size = 0x0C)] 
2171  # public struct Wx86ThreadState 
2172  # { 
2173  #       public IntPtr  CallBx86Eip; // Ptr32 to Uint4B 
2174  #       public IntPtr  DeallocationCpu; // Ptr32 to Void 
2175  #       public Byte  UseKnownWx86Dll; // UChar 
2176  #       public Byte  OleStubInvoked; // Char 
2177  # }; 
2178 -class Wx86ThreadState(Structure): 
2179      _fields_ = [ 
2180          ("CallBx86Eip",             PVOID), 
2181          ("DeallocationCpu",         PVOID), 
2182          ("UseKnownWx86Dll",         UCHAR), 
2183          ("OleStubInvoked",          CHAR), 
2184  ] 
2185   
2186  # ntdll!_RTL_ACTIVATION_CONTEXT_STACK_FRAME 
2187  #    +0x000 Previous         : Ptr64 _RTL_ACTIVATION_CONTEXT_STACK_FRAME 
2188  #    +0x008 ActivationContext : Ptr64 _ACTIVATION_CONTEXT 
2189  #    +0x010 Flags            : Uint4B 
2190 -class RTL_ACTIVATION_CONTEXT_STACK_FRAME(Structure): 
2191      _fields_ = [ 
2192          ("Previous",                    PVOID), 
2193          ("ActivationContext",           PVOID), 
2194          ("Flags",                       DWORD), 
2195  ] 
2196   
2197  # ntdll!_ACTIVATION_CONTEXT_STACK 
2198  #    +0x000 ActiveFrame      : Ptr64 _RTL_ACTIVATION_CONTEXT_STACK_FRAME 
2199  #    +0x008 FrameListCache   : _LIST_ENTRY 
2200  #    +0x018 Flags            : Uint4B 
2201  #    +0x01c NextCookieSequenceNumber : Uint4B 
2202  #    +0x020 StackId          : Uint4B 
2203 -class ACTIVATION_CONTEXT_STACK(Structure): 
2204      _fields_ = [ 
2205          ("ActiveFrame",                 PVOID), 
2206          ("FrameListCache",              LIST_ENTRY), 
2207          ("Flags",                       DWORD), 
2208          ("NextCookieSequenceNumber",    DWORD), 
2209          ("StackId",                     DWORD), 
2210  ] 
2211   
2212  # typedef struct _PROCESSOR_NUMBER { 
2213  #   WORD Group; 
2214  #   BYTE Number; 
2215  #   BYTE Reserved; 
2216  # }PROCESSOR_NUMBER, *PPROCESSOR_NUMBER; 
2217 -class PROCESSOR_NUMBER(Structure): 
2218      _fields_ = [ 
2219          ("Group",       WORD), 
2220          ("Number",      BYTE), 
2221          ("Reserved",    BYTE), 
2222  ] 
2223   
2224  # from http://www.nirsoft.net/kernel_struct/vista/NT_TIB.html 
2225  # 
2226  # typedef struct _NT_TIB 
2227  # { 
2228  #      PEXCEPTION_REGISTRATION_RECORD ExceptionList; 
2229  #      PVOID StackBase; 
2230  #      PVOID StackLimit; 
2231  #      PVOID SubSystemTib; 
2232  #      union 
2233  #      { 
2234  #           PVOID FiberData; 
2235  #           ULONG Version; 
2236  #      }; 
2237  #      PVOID ArbitraryUserPointer; 
2238  #      PNT_TIB Self; 
2239  # } NT_TIB, *PNT_TIB; 
2240 -class _NT_TIB_UNION(Union): 
2241      _fields_ = [ 
2242          ("FiberData",   PVOID), 
2243          ("Version",     ULONG), 
2244      ] 
2245 -class NT_TIB(Structure): 
2246      _fields_ = [ 
2247          ("ExceptionList",           PVOID), # PEXCEPTION_REGISTRATION_RECORD 
2248          ("StackBase",               PVOID), 
2249          ("StackLimit",              PVOID), 
2250          ("SubSystemTib",            PVOID), 
2251          ("u",                       _NT_TIB_UNION), 
2252          ("ArbitraryUserPointer",    PVOID), 
2253          ("Self",                    PVOID), # PNTTIB 
2254      ] 
2255   
2256 -    def __get_FiberData(self): 
2257          return self.u.FiberData 
2258 -    def __set_FiberData(self, value): 
2259          self.u.FiberData = value 
2260      FiberData = property(__get_FiberData, __set_FiberData) 
2261   
2262 -    def __get_Version(self): 
2263          return self.u.Version 
2264 -    def __set_Version(self, value): 
2265          self.u.Version = value 
2266      Version = property(__get_Version, __set_Version) 
2267   
2268  PNTTIB = POINTER(NT_TIB) 
2269   
2270  # From http://www.nirsoft.net/kernel_struct/vista/EXCEPTION_REGISTRATION_RECORD.html 
2271  # 
2272  # typedef struct _EXCEPTION_REGISTRATION_RECORD 
2273  # { 
2274  #      PEXCEPTION_REGISTRATION_RECORD Next; 
2275  #      PEXCEPTION_DISPOSITION Handler; 
2276  # } EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD; 
2277 -class EXCEPTION_REGISTRATION_RECORD(Structure): 
2278      pass 
2279   
2280  EXCEPTION_DISPOSITION           = DWORD 
2281  ##PEXCEPTION_DISPOSITION          = POINTER(EXCEPTION_DISPOSITION) 
2282  ##PEXCEPTION_REGISTRATION_RECORD  = POINTER(EXCEPTION_REGISTRATION_RECORD) 
2283  PEXCEPTION_DISPOSITION          = PVOID 
2284  PEXCEPTION_REGISTRATION_RECORD  = PVOID 
2285   
2286  EXCEPTION_REGISTRATION_RECORD._fields_ = [ 
2287          ("Next",    PEXCEPTION_REGISTRATION_RECORD), 
2288          ("Handler", PEXCEPTION_DISPOSITION), 
2289  ] 
2290   
2291  ##PPEB = POINTER(PEB) 
2292  PPEB = PVOID 
2293   
2294  # From http://www.nirsoft.net/kernel_struct/vista/GDI_TEB_BATCH.html 
2295  # 
2296  # typedef struct _GDI_TEB_BATCH 
2297  # { 
2298  #      ULONG Offset; 
2299  #      ULONG HDC; 
2300  #      ULONG Buffer[310]; 
2301  # } GDI_TEB_BATCH, *PGDI_TEB_BATCH; 
2302 -class GDI_TEB_BATCH(Structure): 
2303      _fields_ = [ 
2304          ("Offset",  ULONG), 
2305          ("HDC",     ULONG), 
2306          ("Buffer",  ULONG * 310), 
2307  ] 
2308   
2309  # ntdll!_TEB_ACTIVE_FRAME_CONTEXT 
2310  #    +0x000 Flags            : Uint4B 
2311  #    +0x008 FrameName        : Ptr64 Char 
2312 -class TEB_ACTIVE_FRAME_CONTEXT(Structure): 
2313      _fields_ = [ 
2314          ("Flags",       DWORD), 
2315          ("FrameName",   LPVOID),    # LPCHAR 
2316  ] 
2317  PTEB_ACTIVE_FRAME_CONTEXT = POINTER(TEB_ACTIVE_FRAME_CONTEXT) 
2318   
2319  # ntdll!_TEB_ACTIVE_FRAME 
2320  #    +0x000 Flags            : Uint4B 
2321  #    +0x008 Previous         : Ptr64 _TEB_ACTIVE_FRAME 
2322  #    +0x010 Context          : Ptr64 _TEB_ACTIVE_FRAME_CONTEXT 
2323 -class TEB_ACTIVE_FRAME(Structure): 
2324      _fields_ = [ 
2325          ("Flags",       DWORD), 
2326          ("Previous",    LPVOID),    # PTEB_ACTIVE_FRAME 
2327          ("Context",     LPVOID),    # PTEB_ACTIVE_FRAME_CONTEXT 
2328  ] 
2329  PTEB_ACTIVE_FRAME = POINTER(TEB_ACTIVE_FRAME) 
2330   
2331  # SameTebFlags 
2332  DbgSafeThunkCall        = 1 << 0 
2333  DbgInDebugPrint         = 1 << 1 
2334  DbgHasFiberData         = 1 << 2 
2335  DbgSkipThreadAttach     = 1 << 3 
2336  DbgWerInShipAssertCode  = 1 << 4 
2337  DbgRanProcessInit       = 1 << 5 
2338  DbgClonedThread         = 1 << 6 
2339  DbgSuppressDebugMsg     = 1 << 7 
2340  RtlDisableUserStackWalk = 1 << 8 
2341  RtlExceptionAttached    = 1 << 9 
2342  RtlInitialThread        = 1 << 10 
2343   
2344  # XXX This is quite wrong :P 
2345 -class _TEB_NT(Structure): 
2346      _pack_ = 4 
2347      _fields_ = [ 
2348          ("NtTib",                           NT_TIB), 
2349          ("EnvironmentPointer",              PVOID), 
2350          ("ClientId",                        CLIENT_ID), 
2351          ("ActiveRpcHandle",                 HANDLE), 
2352          ("ThreadLocalStoragePointer",       PVOID), 
2353          ("ProcessEnvironmentBlock",         PPEB), 
2354          ("LastErrorValue",                  ULONG), 
2355          ("CountOfOwnedCriticalSections",    ULONG), 
2356          ("CsrClientThread",                 PVOID), 
2357          ("Win32ThreadInfo",                 PVOID), 
2358          ("User32Reserved",                  ULONG * 26), 
2359          ("UserReserved",                    ULONG * 5), 
2360          ("WOW32Reserved",                   PVOID), 
2361          ("CurrentLocale",                   ULONG), 
2362          ("FpSoftwareStatusRegister",        ULONG), 
2363          ("SystemReserved1",                 PVOID * 54), 
2364          ("Spare1",                          PVOID), 
2365          ("ExceptionCode",                   ULONG), 
2366          ("ActivationContextStackPointer",   PVOID), # PACTIVATION_CONTEXT_STACK 
2367          ("SpareBytes1",                     ULONG * 36), 
2368          ("TxFsContext",                     ULONG), 
2369          ("GdiTebBatch",                     GDI_TEB_BATCH), 
2370          ("RealClientId",                    CLIENT_ID), 
2371          ("GdiCachedProcessHandle",          PVOID), 
2372          ("GdiClientPID",                    ULONG), 
2373          ("GdiClientTID",                    ULONG), 
2374          ("GdiThreadLocalInfo",              PVOID), 
2375          ("Win32ClientInfo",                 PVOID * 62), 
2376          ("glDispatchTable",                 PVOID * 233), 
2377          ("glReserved1",                     ULONG * 29), 
2378          ("glReserved2",                     PVOID), 
2379          ("glSectionInfo",                   PVOID), 
2380          ("glSection",                       PVOID), 
2381          ("glTable",                         PVOID), 
2382          ("glCurrentRC",                     PVOID), 
2383          ("glContext",                       PVOID), 
2384          ("LastStatusValue",                 NTSTATUS), 
2385          ("StaticUnicodeString",             UNICODE_STRING), 
2386          ("StaticUnicodeBuffer",             WCHAR * 261), 
2387          ("DeallocationStack",               PVOID), 
2388          ("TlsSlots",                        PVOID * 64), 
2389          ("TlsLinks",                        LIST_ENTRY), 
2390          ("Vdm",                             PVOID), 
2391          ("ReservedForNtRpc",                PVOID), 
2392          ("DbgSsReserved",                   PVOID * 2), 
2393          ("HardErrorDisabled",               ULONG), 
2394          ("Instrumentation",                 PVOID * 9), 
2395          ("ActivityId",                      GUID), 
2396          ("SubProcessTag",                   PVOID), 
2397          ("EtwLocalData",                    PVOID), 
2398          ("EtwTraceData",                    PVOID), 
2399          ("WinSockData",                     PVOID), 
2400          ("GdiBatchCount",                   ULONG), 
2401          ("SpareBool0",                      BOOLEAN), 
2402          ("SpareBool1",                      BOOLEAN), 
2403          ("SpareBool2",                      BOOLEAN), 
2404          ("IdealProcessor",                  UCHAR), 
2405          ("GuaranteedStackBytes",            ULONG), 
2406          ("ReservedForPerf",                 PVOID), 
2407          ("ReservedForOle",                  PVOID), 
2408          ("WaitingOnLoaderLock",             ULONG), 
2409          ("StackCommit",                     PVOID), 
2410          ("StackCommitMax",                  PVOID), 
2411          ("StackReserved",                   PVOID), 
2412  ] 
2413   
2414  # not really, but "dt _TEB" in w2k isn't working for me :( 
2415  _TEB_2000 = _TEB_NT 
2416   
2417  #    +0x000 NtTib            : _NT_TIB 
2418  #    +0x01c EnvironmentPointer : Ptr32 Void 
2419  #    +0x020 ClientId         : _CLIENT_ID 
2420  #    +0x028 ActiveRpcHandle  : Ptr32 Void 
2421  #    +0x02c ThreadLocalStoragePointer : Ptr32 Void 
2422  #    +0x030 ProcessEnvironmentBlock : Ptr32 _PEB 
2423  #    +0x034 LastErrorValue   : Uint4B 
2424  #    +0x038 CountOfOwnedCriticalSections : Uint4B 
2425  #    +0x03c CsrClientThread  : Ptr32 Void 
2426  #    +0x040 Win32ThreadInfo  : Ptr32 Void 
2427  #    +0x044 User32Reserved   : [26] Uint4B 
2428  #    +0x0ac UserReserved     : [5] Uint4B 
2429  #    +0x0c0 WOW32Reserved    : Ptr32 Void 
2430  #    +0x0c4 CurrentLocale    : Uint4B 
2431  #    +0x0c8 FpSoftwareStatusRegister : Uint4B 
2432  #    +0x0cc SystemReserved1  : [54] Ptr32 Void 
2433  #    +0x1a4 ExceptionCode    : Int4B 
2434  #    +0x1a8 ActivationContextStack : _ACTIVATION_CONTEXT_STACK 
2435  #    +0x1bc SpareBytes1      : [24] UChar 
2436  #    +0x1d4 GdiTebBatch      : _GDI_TEB_BATCH 
2437  #    +0x6b4 RealClientId     : _CLIENT_ID 
2438  #    +0x6bc GdiCachedProcessHandle : Ptr32 Void 
2439  #    +0x6c0 GdiClientPID     : Uint4B 
2440  #    +0x6c4 GdiClientTID     : Uint4B 
2441  #    +0x6c8 GdiThreadLocalInfo : Ptr32 Void 
2442  #    +0x6cc Win32ClientInfo  : [62] Uint4B 
2443  #    +0x7c4 glDispatchTable  : [233] Ptr32 Void 
2444  #    +0xb68 glReserved1      : [29] Uint4B 
2445  #    +0xbdc glReserved2      : Ptr32 Void 
2446  #    +0xbe0 glSectionInfo    : Ptr32 Void 
2447  #    +0xbe4 glSection        : Ptr32 Void 
2448  #    +0xbe8 glTable          : Ptr32 Void 
2449  #    +0xbec glCurrentRC      : Ptr32 Void 
2450  #    +0xbf0 glContext        : Ptr32 Void 
2451  #    +0xbf4 LastStatusValue  : Uint4B 
2452  #    +0xbf8 StaticUnicodeString : _UNICODE_STRING 
2453  #    +0xc00 StaticUnicodeBuffer : [261] Uint2B 
2454  #    +0xe0c DeallocationStack : Ptr32 Void 
2455  #    +0xe10 TlsSlots         : [64] Ptr32 Void 
2456  #    +0xf10 TlsLinks         : _LIST_ENTRY 
2457  #    +0xf18 Vdm              : Ptr32 Void 
2458  #    +0xf1c ReservedForNtRpc : Ptr32 Void 
2459  #    +0xf20 DbgSsReserved    : [2] Ptr32 Void 
2460  #    +0xf28 HardErrorsAreDisabled : Uint4B 
2461  #    +0xf2c Instrumentation  : [16] Ptr32 Void 
2462  #    +0xf6c WinSockData      : Ptr32 Void 
2463  #    +0xf70 GdiBatchCount    : Uint4B 
2464  #    +0xf74 InDbgPrint       : UChar 
2465  #    +0xf75 FreeStackOnTermination : UChar 
2466  #    +0xf76 HasFiberData     : UChar 
2467  #    +0xf77 IdealProcessor   : UChar 
2468  #    +0xf78 Spare3           : Uint4B 
2469  #    +0xf7c ReservedForPerf  : Ptr32 Void 
2470  #    +0xf80 ReservedForOle   : Ptr32 Void 
2471  #    +0xf84 WaitingOnLoaderLock : Uint4B 
2472  #    +0xf88 Wx86Thread       : _Wx86ThreadState 
2473  #    +0xf94 TlsExpansionSlots : Ptr32 Ptr32 Void 
2474  #    +0xf98 ImpersonationLocale : Uint4B 
2475  #    +0xf9c IsImpersonating  : Uint4B 
2476  #    +0xfa0 NlsCache         : Ptr32 Void 
2477  #    +0xfa4 pShimData        : Ptr32 Void 
2478  #    +0xfa8 HeapVirtualAffinity : Uint4B 
2479  #    +0xfac CurrentTransactionHandle : Ptr32 Void 
2480  #    +0xfb0 ActiveFrame      : Ptr32 _TEB_ACTIVE_FRAME 
2481  #    +0xfb4 SafeThunkCall    : UChar 
2482  #    +0xfb5 BooleanSpare     : [3] UChar 
2483 -class _TEB_XP(Structure): 
2484      _pack_ = 8 
2485      _fields_ = [ 
2486          ("NtTib",                           NT_TIB), 
2487          ("EnvironmentPointer",              PVOID), 
2488          ("ClientId",                        CLIENT_ID), 
2489          ("ActiveRpcHandle",                 HANDLE), 
2490          ("ThreadLocalStoragePointer",       PVOID), 
2491          ("ProcessEnvironmentBlock",         PVOID), # PPEB 
2492          ("LastErrorValue",                  DWORD), 
2493          ("CountOfOwnedCriticalSections",    DWORD), 
2494          ("CsrClientThread",                 PVOID), 
2495          ("Win32ThreadInfo",                 PVOID), 
2496          ("User32Reserved",                  DWORD * 26), 
2497          ("UserReserved",                    DWORD * 5), 
2498          ("WOW32Reserved",                   PVOID), 
2499          ("CurrentLocale",                   DWORD), 
2500          ("FpSoftwareStatusRegister",        DWORD), 
2501          ("SystemReserved1",                 PVOID * 54), 
2502          ("ExceptionCode",                   SDWORD), 
2503          ("ActivationContextStackPointer",   PVOID), # PACTIVATION_CONTEXT_STACK 
2504          ("SpareBytes1",                     UCHAR * 24), 
2505          ("TxFsContext",                     DWORD), 
2506          ("GdiTebBatch",                     GDI_TEB_BATCH), 
2507          ("RealClientId",                    CLIENT_ID), 
2508          ("GdiCachedProcessHandle",          HANDLE), 
2509          ("GdiClientPID",                    DWORD), 
2510          ("GdiClientTID",                    DWORD), 
2511          ("GdiThreadLocalInfo",              PVOID), 
2512          ("Win32ClientInfo",                 DWORD * 62), 
2513          ("glDispatchTable",                 PVOID * 233), 
2514          ("glReserved1",                     DWORD * 29), 
2515          ("glReserved2",                     PVOID), 
2516          ("glSectionInfo",                   PVOID), 
2517          ("glSection",                       PVOID), 
2518          ("glTable",                         PVOID), 
2519          ("glCurrentRC",                     PVOID), 
2520          ("glContext",                       PVOID), 
2521          ("LastStatusValue",                 NTSTATUS), 
2522          ("StaticUnicodeString",             UNICODE_STRING), 
2523          ("StaticUnicodeBuffer",             WCHAR * 261), 
2524          ("DeallocationStack",               PVOID), 
2525          ("TlsSlots",                        PVOID * 64), 
2526          ("TlsLinks",                        LIST_ENTRY), 
2527          ("Vdm",                             PVOID), 
2528          ("ReservedForNtRpc",                PVOID), 
2529          ("DbgSsReserved",                   PVOID * 2), 
2530          ("HardErrorsAreDisabled",           DWORD), 
2531          ("Instrumentation",                 PVOID * 16), 
2532          ("WinSockData",                     PVOID), 
2533          ("GdiBatchCount",                   DWORD), 
2534          ("InDbgPrint",                      BOOLEAN), 
2535          ("FreeStackOnTermination",          BOOLEAN), 
2536          ("HasFiberData",                    BOOLEAN), 
2537          ("IdealProcessor",                  UCHAR), 
2538          ("Spare3",                          DWORD), 
2539          ("ReservedForPerf",                 PVOID), 
2540          ("ReservedForOle",                  PVOID), 
2541          ("WaitingOnLoaderLock",             DWORD), 
2542          ("Wx86Thread",                      Wx86ThreadState), 
2543          ("TlsExpansionSlots",               PVOID), # Ptr32 Ptr32 Void 
2544          ("ImpersonationLocale",             DWORD), 
2545          ("IsImpersonating",                 BOOL), 
2546          ("NlsCache",                        PVOID), 
2547          ("pShimData",                       PVOID), 
2548          ("HeapVirtualAffinity",             DWORD), 
2549          ("CurrentTransactionHandle",        HANDLE), 
2550          ("ActiveFrame",                     PVOID), # PTEB_ACTIVE_FRAME 
2551          ("SafeThunkCall",                   BOOLEAN), 
2552          ("BooleanSpare",                    BOOLEAN * 3), 
2553  ] 
2554   
2555  #    +0x000 NtTib            : _NT_TIB 
2556  #    +0x038 EnvironmentPointer : Ptr64 Void 
2557  #    +0x040 ClientId         : _CLIENT_ID 
2558  #    +0x050 ActiveRpcHandle  : Ptr64 Void 
2559  #    +0x058 ThreadLocalStoragePointer : Ptr64 Void 
2560  #    +0x060 ProcessEnvironmentBlock : Ptr64 _PEB 
2561  #    +0x068 LastErrorValue   : Uint4B 
2562  #    +0x06c CountOfOwnedCriticalSections : Uint4B 
2563  #    +0x070 CsrClientThread  : Ptr64 Void 
2564  #    +0x078 Win32ThreadInfo  : Ptr64 Void 
2565  #    +0x080 User32Reserved   : [26] Uint4B 
2566  #    +0x0e8 UserReserved     : [5] Uint4B 
2567  #    +0x100 WOW32Reserved    : Ptr64 Void 
2568  #    +0x108 CurrentLocale    : Uint4B 
2569  #    +0x10c FpSoftwareStatusRegister : Uint4B 
2570  #    +0x110 SystemReserved1  : [54] Ptr64 Void 
2571  #    +0x2c0 ExceptionCode    : Int4B 
2572  #    +0x2c8 ActivationContextStackPointer : Ptr64 _ACTIVATION_CONTEXT_STACK 
2573  #    +0x2d0 SpareBytes1      : [28] UChar 
2574  #    +0x2f0 GdiTebBatch      : _GDI_TEB_BATCH 
2575  #    +0x7d8 RealClientId     : _CLIENT_ID 
2576  #    +0x7e8 GdiCachedProcessHandle : Ptr64 Void 
2577  #    +0x7f0 GdiClientPID     : Uint4B 
2578  #    +0x7f4 GdiClientTID     : Uint4B 
2579  #    +0x7f8 GdiThreadLocalInfo : Ptr64 Void 
2580  #    +0x800 Win32ClientInfo  : [62] Uint8B 
2581  #    +0x9f0 glDispatchTable  : [233] Ptr64 Void 
2582  #    +0x1138 glReserved1      : [29] Uint8B 
2583  #    +0x1220 glReserved2      : Ptr64 Void 
2584  #    +0x1228 glSectionInfo    : Ptr64 Void 
2585  #    +0x1230 glSection        : Ptr64 Void 
2586  #    +0x1238 glTable          : Ptr64 Void 
2587  #    +0x1240 glCurrentRC      : Ptr64 Void 
2588  #    +0x1248 glContext        : Ptr64 Void 
2589  #    +0x1250 LastStatusValue  : Uint4B 
2590  #    +0x1258 StaticUnicodeString : _UNICODE_STRING 
2591  #    +0x1268 StaticUnicodeBuffer : [261] Uint2B 
2592  #    +0x1478 DeallocationStack : Ptr64 Void 
2593  #    +0x1480 TlsSlots         : [64] Ptr64 Void 
2594  #    +0x1680 TlsLinks         : _LIST_ENTRY 
2595  #    +0x1690 Vdm              : Ptr64 Void 
2596  #    +0x1698 ReservedForNtRpc : Ptr64 Void 
2597  #    +0x16a0 DbgSsReserved    : [2] Ptr64 Void 
2598  #    +0x16b0 HardErrorMode    : Uint4B 
2599  #    +0x16b8 Instrumentation  : [14] Ptr64 Void 
2600  #    +0x1728 SubProcessTag    : Ptr64 Void 
2601  #    +0x1730 EtwTraceData     : Ptr64 Void 
2602  #    +0x1738 WinSockData      : Ptr64 Void 
2603  #    +0x1740 GdiBatchCount    : Uint4B 
2604  #    +0x1744 InDbgPrint       : UChar 
2605  #    +0x1745 FreeStackOnTermination : UChar 
2606  #    +0x1746 HasFiberData     : UChar 
2607  #    +0x1747 IdealProcessor   : UChar 
2608  #    +0x1748 GuaranteedStackBytes : Uint4B 
2609  #    +0x1750 ReservedForPerf  : Ptr64 Void 
2610  #    +0x1758 ReservedForOle   : Ptr64 Void 
2611  #    +0x1760 WaitingOnLoaderLock : Uint4B 
2612  #    +0x1768 SparePointer1    : Uint8B 
2613  #    +0x1770 SoftPatchPtr1    : Uint8B 
2614  #    +0x1778 SoftPatchPtr2    : Uint8B 
2615  #    +0x1780 TlsExpansionSlots : Ptr64 Ptr64 Void 
2616  #    +0x1788 DeallocationBStore : Ptr64 Void 
2617  #    +0x1790 BStoreLimit      : Ptr64 Void 
2618  #    +0x1798 ImpersonationLocale : Uint4B 
2619  #    +0x179c IsImpersonating  : Uint4B 
2620  #    +0x17a0 NlsCache         : Ptr64 Void 
2621  #    +0x17a8 pShimData        : Ptr64 Void 
2622  #    +0x17b0 HeapVirtualAffinity : Uint4B 
2623  #    +0x17b8 CurrentTransactionHandle : Ptr64 Void 
2624  #    +0x17c0 ActiveFrame      : Ptr64 _TEB_ACTIVE_FRAME 
2625  #    +0x17c8 FlsData          : Ptr64 Void 
2626  #    +0x17d0 SafeThunkCall    : UChar 
2627  #    +0x17d1 BooleanSpare     : [3] UChar 
2628 -class _TEB_XP_64(Structure): 
2629      _pack_ = 8 
2630      _fields_ = [ 
2631          ("NtTib",                           NT_TIB), 
2632          ("EnvironmentPointer",              PVOID), 
2633          ("ClientId",                        CLIENT_ID), 
2634          ("ActiveRpcHandle",                 PVOID), 
2635          ("ThreadLocalStoragePointer",       PVOID), 
2636          ("ProcessEnvironmentBlock",         PVOID), # PPEB 
2637          ("LastErrorValue",                  DWORD), 
2638          ("CountOfOwnedCriticalSections",    DWORD), 
2639          ("CsrClientThread",                 PVOID), 
2640          ("Win32ThreadInfo",                 PVOID), 
2641          ("User32Reserved",                  DWORD * 26), 
2642          ("UserReserved",                    DWORD * 5), 
2643          ("WOW32Reserved",                   PVOID), 
2644          ("CurrentLocale",                   DWORD), 
2645          ("FpSoftwareStatusRegister",        DWORD), 
2646          ("SystemReserved1",                 PVOID * 54), 
2647          ("ExceptionCode",                   SDWORD), 
2648          ("ActivationContextStackPointer",   PVOID), # PACTIVATION_CONTEXT_STACK 
2649          ("SpareBytes1",                     UCHAR * 28), 
2650          ("GdiTebBatch",                     GDI_TEB_BATCH), 
2651          ("RealClientId",                    CLIENT_ID), 
2652          ("GdiCachedProcessHandle",          HANDLE), 
2653          ("GdiClientPID",                    DWORD), 
2654          ("GdiClientTID",                    DWORD), 
2655          ("GdiThreadLocalInfo",              PVOID), 
2656          ("Win32ClientInfo",                 QWORD * 62), 
2657          ("glDispatchTable",                 PVOID * 233), 
2658          ("glReserved1",                     QWORD * 29), 
2659          ("glReserved2",                     PVOID), 
2660          ("glSectionInfo",                   PVOID), 
2661          ("glSection",                       PVOID), 
2662          ("glTable",                         PVOID), 
2663          ("glCurrentRC",                     PVOID), 
2664          ("glContext",                       PVOID), 
2665          ("LastStatusValue",                 NTSTATUS), 
2666          ("StaticUnicodeString",             UNICODE_STRING), 
2667          ("StaticUnicodeBuffer",             WCHAR * 261), 
2668          ("DeallocationStack",               PVOID), 
2669          ("TlsSlots",                        PVOID * 64), 
2670          ("TlsLinks",                        LIST_ENTRY), 
2671          ("Vdm",                             PVOID), 
2672          ("ReservedForNtRpc",                PVOID), 
2673          ("DbgSsReserved",                   PVOID * 2), 
2674          ("HardErrorMode",                   DWORD), 
2675          ("Instrumentation",                 PVOID * 14), 
2676          ("SubProcessTag",                   PVOID), 
2677          ("EtwTraceData",                    PVOID), 
2678          ("WinSockData",                     PVOID), 
2679          ("GdiBatchCount",                   DWORD), 
2680          ("InDbgPrint",                      BOOLEAN), 
2681          ("FreeStackOnTermination",          BOOLEAN), 
2682          ("HasFiberData",                    BOOLEAN), 
2683          ("IdealProcessor",                  UCHAR), 
2684          ("GuaranteedStackBytes",            DWORD), 
2685          ("ReservedForPerf",                 PVOID), 
2686          ("ReservedForOle",                  PVOID), 
2687          ("WaitingOnLoaderLock",             DWORD), 
2688          ("SparePointer1",                   PVOID), 
2689          ("SoftPatchPtr1",                   PVOID), 
2690          ("SoftPatchPtr2",                   PVOID), 
2691          ("TlsExpansionSlots",               PVOID), # Ptr64 Ptr64 Void 
2692          ("DeallocationBStore",              PVOID), 
2693          ("BStoreLimit",                     PVOID), 
2694          ("ImpersonationLocale",             DWORD), 
2695          ("IsImpersonating",                 BOOL), 
2696          ("NlsCache",                        PVOID), 
2697          ("pShimData",                       PVOID), 
2698          ("HeapVirtualAffinity",             DWORD), 
2699          ("CurrentTransactionHandle",        HANDLE), 
2700          ("ActiveFrame",                     PVOID), # PTEB_ACTIVE_FRAME 
2701          ("FlsData",                         PVOID), 
2702          ("SafeThunkCall",                   BOOLEAN), 
2703          ("BooleanSpare",                    BOOLEAN * 3), 
2704  ] 
2705   
2706  #    +0x000 NtTib            : _NT_TIB 
2707  #    +0x01c EnvironmentPointer : Ptr32 Void 
2708  #    +0x020 ClientId         : _CLIENT_ID 
2709  #    +0x028 ActiveRpcHandle  : Ptr32 Void 
2710  #    +0x02c ThreadLocalStoragePointer : Ptr32 Void 
2711  #    +0x030 ProcessEnvironmentBlock : Ptr32 _PEB 
2712  #    +0x034 LastErrorValue   : Uint4B 
2713  #    +0x038 CountOfOwnedCriticalSections : Uint4B 
2714  #    +0x03c CsrClientThread  : Ptr32 Void 
2715  #    +0x040 Win32ThreadInfo  : Ptr32 Void 
2716  #    +0x044 User32Reserved   : [26] Uint4B 
2717  #    +0x0ac UserReserved     : [5] Uint4B 
2718  #    +0x0c0 WOW32Reserved    : Ptr32 Void 
2719  #    +0x0c4 CurrentLocale    : Uint4B 
2720  #    +0x0c8 FpSoftwareStatusRegister : Uint4B 
2721  #    +0x0cc SystemReserved1  : [54] Ptr32 Void 
2722  #    +0x1a4 ExceptionCode    : Int4B 
2723  #    +0x1a8 ActivationContextStackPointer : Ptr32 _ACTIVATION_CONTEXT_STACK 
2724  #    +0x1ac SpareBytes1      : [40] UChar 
2725  #    +0x1d4 GdiTebBatch      : _GDI_TEB_BATCH 
2726  #    +0x6b4 RealClientId     : _CLIENT_ID 
2727  #    +0x6bc GdiCachedProcessHandle : Ptr32 Void 
2728  #    +0x6c0 GdiClientPID     : Uint4B 
2729  #    +0x6c4 GdiClientTID     : Uint4B 
2730  #    +0x6c8 GdiThreadLocalInfo : Ptr32 Void 
2731  #    +0x6cc Win32ClientInfo  : [62] Uint4B 
2732  #    +0x7c4 glDispatchTable  : [233] Ptr32 Void 
2733  #    +0xb68 glReserved1      : [29] Uint4B 
2734  #    +0xbdc glReserved2      : Ptr32 Void 
2735  #    +0xbe0 glSectionInfo    : Ptr32 Void 
2736  #    +0xbe4 glSection        : Ptr32 Void 
2737  #    +0xbe8 glTable          : Ptr32 Void 
2738  #    +0xbec glCurrentRC      : Ptr32 Void 
2739  #    +0xbf0 glContext        : Ptr32 Void 
2740  #    +0xbf4 LastStatusValue  : Uint4B 
2741  #    +0xbf8 StaticUnicodeString : _UNICODE_STRING 
2742  #    +0xc00 StaticUnicodeBuffer : [261] Uint2B 
2743  #    +0xe0c DeallocationStack : Ptr32 Void 
2744  #    +0xe10 TlsSlots         : [64] Ptr32 Void 
2745  #    +0xf10 TlsLinks         : _LIST_ENTRY 
2746  #    +0xf18 Vdm              : Ptr32 Void 
2747  #    +0xf1c ReservedForNtRpc : Ptr32 Void 
2748  #    +0xf20 DbgSsReserved    : [2] Ptr32 Void 
2749  #    +0xf28 HardErrorMode    : Uint4B 
2750  #    +0xf2c Instrumentation  : [14] Ptr32 Void 
2751  #    +0xf64 SubProcessTag    : Ptr32 Void 
2752  #    +0xf68 EtwTraceData     : Ptr32 Void 
2753  #    +0xf6c WinSockData      : Ptr32 Void 
2754  #    +0xf70 GdiBatchCount    : Uint4B 
2755  #    +0xf74 InDbgPrint       : UChar 
2756  #    +0xf75 FreeStackOnTermination : UChar 
2757  #    +0xf76 HasFiberData     : UChar 
2758  #    +0xf77 IdealProcessor   : UChar 
2759  #    +0xf78 GuaranteedStackBytes : Uint4B 
2760  #    +0xf7c ReservedForPerf  : Ptr32 Void 
2761  #    +0xf80 ReservedForOle   : Ptr32 Void 
2762  #    +0xf84 WaitingOnLoaderLock : Uint4B 
2763  #    +0xf88 SparePointer1    : Uint4B 
2764  #    +0xf8c SoftPatchPtr1    : Uint4B 
2765  #    +0xf90 SoftPatchPtr2    : Uint4B 
2766  #    +0xf94 TlsExpansionSlots : Ptr32 Ptr32 Void 
2767  #    +0xf98 ImpersonationLocale : Uint4B 
2768  #    +0xf9c IsImpersonating  : Uint4B 
2769  #    +0xfa0 NlsCache         : Ptr32 Void 
2770  #    +0xfa4 pShimData        : Ptr32 Void 
2771  #    +0xfa8 HeapVirtualAffinity : Uint4B 
2772  #    +0xfac CurrentTransactionHandle : Ptr32 Void 
2773  #    +0xfb0 ActiveFrame      : Ptr32 _TEB_ACTIVE_FRAME 
2774  #    +0xfb4 FlsData          : Ptr32 Void 
2775  #    +0xfb8 SafeThunkCall    : UChar 
2776  #    +0xfb9 BooleanSpare     : [3] UChar 
2777 -class _TEB_2003(Structure): 
2778      _pack_ = 8 
2779      _fields_ = [ 
2780          ("NtTib",                           NT_TIB), 
2781          ("EnvironmentPointer",              PVOID), 
2782          ("ClientId",                        CLIENT_ID), 
2783          ("ActiveRpcHandle",                 HANDLE), 
2784          ("ThreadLocalStoragePointer",       PVOID), 
2785          ("ProcessEnvironmentBlock",         PVOID), # PPEB 
2786          ("LastErrorValue",                  DWORD), 
2787          ("CountOfOwnedCriticalSections",    DWORD), 
2788          ("CsrClientThread",                 PVOID), 
2789          ("Win32ThreadInfo",                 PVOID), 
2790          ("User32Reserved",                  DWORD * 26), 
2791          ("UserReserved",                    DWORD * 5), 
2792          ("WOW32Reserved",                   PVOID), 
2793          ("CurrentLocale",                   DWORD), 
2794          ("FpSoftwareStatusRegister",        DWORD), 
2795          ("SystemReserved1",                 PVOID * 54), 
2796          ("ExceptionCode",                   SDWORD), 
2797          ("ActivationContextStackPointer",   PVOID), # PACTIVATION_CONTEXT_STACK 
2798          ("SpareBytes1",                     UCHAR * 40), 
2799          ("GdiTebBatch",                     GDI_TEB_BATCH), 
2800          ("RealClientId",                    CLIENT_ID), 
2801          ("GdiCachedProcessHandle",          HANDLE), 
2802          ("GdiClientPID",                    DWORD), 
2803          ("GdiClientTID",                    DWORD), 
2804          ("GdiThreadLocalInfo",              PVOID), 
2805          ("Win32ClientInfo",                 DWORD * 62), 
2806          ("glDispatchTable",                 PVOID * 233), 
2807          ("glReserved1",                     DWORD * 29), 
2808          ("glReserved2",                     PVOID), 
2809          ("glSectionInfo",                   PVOID), 
2810          ("glSection",                       PVOID), 
2811          ("glTable",                         PVOID), 
2812          ("glCurrentRC",                     PVOID), 
2813          ("glContext",                       PVOID), 
2814          ("LastStatusValue",                 NTSTATUS), 
2815          ("StaticUnicodeString",             UNICODE_STRING), 
2816          ("StaticUnicodeBuffer",             WCHAR * 261), 
2817          ("DeallocationStack",               PVOID), 
2818          ("TlsSlots",                        PVOID * 64), 
2819          ("TlsLinks",                        LIST_ENTRY), 
2820          ("Vdm",                             PVOID), 
2821          ("ReservedForNtRpc",                PVOID), 
2822          ("DbgSsReserved",                   PVOID * 2), 
2823          ("HardErrorMode",                   DWORD), 
2824          ("Instrumentation",                 PVOID * 14), 
2825          ("SubProcessTag",                   PVOID), 
2826          ("EtwTraceData",                    PVOID), 
2827          ("WinSockData",                     PVOID), 
2828          ("GdiBatchCount",                   DWORD), 
2829          ("InDbgPrint",                      BOOLEAN), 
2830          ("FreeStackOnTermination",          BOOLEAN), 
2831          ("HasFiberData",                    BOOLEAN), 
2832          ("IdealProcessor",                  UCHAR), 
2833          ("GuaranteedStackBytes",            DWORD), 
2834          ("ReservedForPerf",                 PVOID), 
2835          ("ReservedForOle",                  PVOID), 
2836          ("WaitingOnLoaderLock",             DWORD), 
2837          ("SparePointer1",                   PVOID), 
2838          ("SoftPatchPtr1",                   PVOID), 
2839          ("SoftPatchPtr2",                   PVOID), 
2840          ("TlsExpansionSlots",               PVOID), # Ptr32 Ptr32 Void 
2841          ("ImpersonationLocale",             DWORD), 
2842          ("IsImpersonating",                 BOOL), 
2843          ("NlsCache",                        PVOID), 
2844          ("pShimData",                       PVOID), 
2845          ("HeapVirtualAffinity",             DWORD), 
2846          ("CurrentTransactionHandle",        HANDLE), 
2847          ("ActiveFrame",                     PVOID), # PTEB_ACTIVE_FRAME 
2848          ("FlsData",                         PVOID), 
2849          ("SafeThunkCall",                   BOOLEAN), 
2850          ("BooleanSpare",                    BOOLEAN * 3), 
2851  ] 
2852   
2853  #    +0x000 NtTib            : _NT_TIB 
2854  #    +0x038 EnvironmentPointer : Ptr64 Void 
2855  #    +0x040 ClientId         : _CLIENT_ID 
2856  #    +0x050 ActiveRpcHandle  : Ptr64 Void 
2857  #    +0x058 ThreadLocalStoragePointer : Ptr64 Void 
2858  #    +0x060 ProcessEnvironmentBlock : Ptr64 _PEB 
2859  #    +0x068 LastErrorValue   : Uint4B 
2860  #    +0x06c CountOfOwnedCriticalSections : Uint4B 
2861  #    +0x070 CsrClientThread  : Ptr64 Void 
2862  #    +0x078 Win32ThreadInfo  : Ptr64 Void 
2863  #    +0x080 User32Reserved   : [26] Uint4B 
2864  #    +0x0e8 UserReserved     : [5] Uint4B 
2865  #    +0x100 WOW32Reserved    : Ptr64 Void 
2866  #    +0x108 CurrentLocale    : Uint4B 
2867  #    +0x10c FpSoftwareStatusRegister : Uint4B 
2868  #    +0x110 SystemReserved1  : [54] Ptr64 Void 
2869  #    +0x2c0 ExceptionCode    : Int4B 
2870  #    +0x2c8 ActivationContextStackPointer : Ptr64 _ACTIVATION_CONTEXT_STACK 
2871  #    +0x2d0 SpareBytes1      : [28] UChar 
2872  #    +0x2f0 GdiTebBatch      : _GDI_TEB_BATCH 
2873  #    +0x7d8 RealClientId     : _CLIENT_ID 
2874  #    +0x7e8 GdiCachedProcessHandle : Ptr64 Void 
2875  #    +0x7f0 GdiClientPID     : Uint4B 
2876  #    +0x7f4 GdiClientTID     : Uint4B 
2877  #    +0x7f8 GdiThreadLocalInfo : Ptr64 Void 
2878  #    +0x800 Win32ClientInfo  : [62] Uint8B 
2879  #    +0x9f0 glDispatchTable  : [233] Ptr64 Void 
2880  #    +0x1138 glReserved1      : [29] Uint8B 
2881  #    +0x1220 glReserved2      : Ptr64 Void 
2882  #    +0x1228 glSectionInfo    : Ptr64 Void 
2883  #    +0x1230 glSection        : Ptr64 Void 
2884  #    +0x1238 glTable          : Ptr64 Void 
2885  #    +0x1240 glCurrentRC      : Ptr64 Void 
2886  #    +0x1248 glContext        : Ptr64 Void 
2887  #    +0x1250 LastStatusValue  : Uint4B 
2888  #    +0x1258 StaticUnicodeString : _UNICODE_STRING 
2889  #    +0x1268 StaticUnicodeBuffer : [261] Uint2B 
2890  #    +0x1478 DeallocationStack : Ptr64 Void 
2891  #    +0x1480 TlsSlots         : [64] Ptr64 Void 
2892  #    +0x1680 TlsLinks         : _LIST_ENTRY 
2893  #    +0x1690 Vdm              : Ptr64 Void 
2894  #    +0x1698 ReservedForNtRpc : Ptr64 Void 
2895  #    +0x16a0 DbgSsReserved    : [2] Ptr64 Void 
2896  #    +0x16b0 HardErrorMode    : Uint4B 
2897  #    +0x16b8 Instrumentation  : [14] Ptr64 Void 
2898  #    +0x1728 SubProcessTag    : Ptr64 Void 
2899  #    +0x1730 EtwTraceData     : Ptr64 Void 
2900  #    +0x1738 WinSockData      : Ptr64 Void 
2901  #    +0x1740 GdiBatchCount    : Uint4B 
2902  #    +0x1744 InDbgPrint       : UChar 
2903  #    +0x1745 FreeStackOnTermination : UChar 
2904  #    +0x1746 HasFiberData     : UChar 
2905  #    +0x1747 IdealProcessor   : UChar 
2906  #    +0x1748 GuaranteedStackBytes : Uint4B 
2907  #    +0x1750 ReservedForPerf  : Ptr64 Void 
2908  #    +0x1758 ReservedForOle   : Ptr64 Void 
2909  #    +0x1760 WaitingOnLoaderLock : Uint4B 
2910  #    +0x1768 SparePointer1    : Uint8B 
2911  #    +0x1770 SoftPatchPtr1    : Uint8B 
2912  #    +0x1778 SoftPatchPtr2    : Uint8B 
2913  #    +0x1780 TlsExpansionSlots : Ptr64 Ptr64 Void 
2914  #    +0x1788 DeallocationBStore : Ptr64 Void 
2915  #    +0x1790 BStoreLimit      : Ptr64 Void 
2916  #    +0x1798 ImpersonationLocale : Uint4B 
2917  #    +0x179c IsImpersonating  : Uint4B 
2918  #    +0x17a0 NlsCache         : Ptr64 Void 
2919  #    +0x17a8 pShimData        : Ptr64 Void 
2920  #    +0x17b0 HeapVirtualAffinity : Uint4B 
2921  #    +0x17b8 CurrentTransactionHandle : Ptr64 Void 
2922  #    +0x17c0 ActiveFrame      : Ptr64 _TEB_ACTIVE_FRAME 
2923  #    +0x17c8 FlsData          : Ptr64 Void 
2924  #    +0x17d0 SafeThunkCall    : UChar 
2925  #    +0x17d1 BooleanSpare     : [3] UChar 
2926 -class _TEB_2003_64(Structure): 
2927      _pack_ = 8 
2928      _fields_ = [ 
2929          ("NtTib",                           NT_TIB), 
2930          ("EnvironmentPointer",              PVOID), 
2931          ("ClientId",                        CLIENT_ID), 
2932          ("ActiveRpcHandle",                 PVOID), 
2933          ("ThreadLocalStoragePointer",       PVOID), 
2934          ("ProcessEnvironmentBlock",         PVOID), # PPEB 
2935          ("LastErrorValue",                  DWORD), 
2936          ("CountOfOwnedCriticalSections",    DWORD), 
2937          ("CsrClientThread",                 PVOID), 
2938          ("Win32ThreadInfo",                 PVOID), 
2939          ("User32Reserved",                  DWORD * 26), 
2940          ("UserReserved",                    DWORD * 5), 
2941          ("WOW32Reserved",                   PVOID), 
2942          ("CurrentLocale",                   DWORD), 
2943          ("FpSoftwareStatusRegister",        DWORD), 
2944          ("SystemReserved1",                 PVOID * 54), 
2945          ("ExceptionCode",                   SDWORD), 
2946          ("ActivationContextStackPointer",   PVOID), # PACTIVATION_CONTEXT_STACK 
2947          ("SpareBytes1",                     UCHAR * 28), 
2948          ("GdiTebBatch",                     GDI_TEB_BATCH), 
2949          ("RealClientId",                    CLIENT_ID), 
2950          ("GdiCachedProcessHandle",          HANDLE), 
2951          ("GdiClientPID",                    DWORD), 
2952          ("GdiClientTID",                    DWORD), 
2953          ("GdiThreadLocalInfo",              PVOID), 
2954          ("Win32ClientInfo",                 QWORD * 62), 
2955          ("glDispatchTable",                 PVOID * 233), 
2956          ("glReserved1",                     QWORD * 29), 
2957          ("glReserved2",                     PVOID), 
2958          ("glSectionInfo",                   PVOID), 
2959          ("glSection",                       PVOID), 
2960          ("glTable",                         PVOID), 
2961          ("glCurrentRC",                     PVOID), 
2962          ("glContext",                       PVOID), 
2963          ("LastStatusValue",                 NTSTATUS), 
2964          ("StaticUnicodeString",             UNICODE_STRING), 
2965          ("StaticUnicodeBuffer",             WCHAR * 261), 
2966          ("DeallocationStack",               PVOID), 
2967          ("TlsSlots",                        PVOID * 64), 
2968          ("TlsLinks",                        LIST_ENTRY), 
2969          ("Vdm",                             PVOID), 
2970          ("ReservedForNtRpc",                PVOID), 
2971          ("DbgSsReserved",                   PVOID * 2), 
2972          ("HardErrorMode",                   DWORD), 
2973          ("Instrumentation",                 PVOID * 14), 
2974          ("SubProcessTag",                   PVOID), 
2975          ("EtwTraceData",                    PVOID), 
2976          ("WinSockData",                     PVOID), 
2977          ("GdiBatchCount",                   DWORD), 
2978          ("InDbgPrint",                      BOOLEAN), 
2979          ("FreeStackOnTermination",          BOOLEAN), 
2980          ("HasFiberData",                    BOOLEAN), 
2981          ("IdealProcessor",                  UCHAR), 
2982          ("GuaranteedStackBytes",            DWORD), 
2983          ("ReservedForPerf",                 PVOID), 
2984          ("ReservedForOle",                  PVOID), 
2985          ("WaitingOnLoaderLock",             DWORD), 
2986          ("SparePointer1",                   PVOID), 
2987          ("SoftPatchPtr1",                   PVOID), 
2988          ("SoftPatchPtr2",                   PVOID), 
2989          ("TlsExpansionSlots",               PVOID), # Ptr64 Ptr64 Void 
2990          ("DeallocationBStore",              PVOID), 
2991          ("BStoreLimit",                     PVOID), 
2992          ("ImpersonationLocale",             DWORD), 
2993          ("IsImpersonating",                 BOOL), 
2994          ("NlsCache",                        PVOID), 
2995          ("pShimData",                       PVOID), 
2996          ("HeapVirtualAffinity",             DWORD), 
2997          ("CurrentTransactionHandle",        HANDLE), 
2998          ("ActiveFrame",                     PVOID), # PTEB_ACTIVE_FRAME 
2999          ("FlsData",                         PVOID), 
3000          ("SafeThunkCall",                   BOOLEAN), 
3001          ("BooleanSpare",                    BOOLEAN * 3), 
3002  ] 
3003   
3004  #    +0x000 NtTib            : _NT_TIB 
3005  #    +0x01c EnvironmentPointer : Ptr32 Void 
3006  #    +0x020 ClientId         : _CLIENT_ID 
3007  #    +0x028 ActiveRpcHandle  : Ptr32 Void 
3008  #    +0x02c ThreadLocalStoragePointer : Ptr32 Void 
3009  #    +0x030 ProcessEnvironmentBlock : Ptr32 _PEB 
3010  #    +0x034 LastErrorValue   : Uint4B 
3011  #    +0x038 CountOfOwnedCriticalSections : Uint4B 
3012  #    +0x03c CsrClientThread  : Ptr32 Void 
3013  #    +0x040 Win32ThreadInfo  : Ptr32 Void 
3014  #    +0x044 User32Reserved   : [26] Uint4B 
3015  #    +0x0ac UserReserved     : [5] Uint4B 
3016  #    +0x0c0 WOW32Reserved    : Ptr32 Void 
3017  #    +0x0c4 CurrentLocale    : Uint4B 
3018  #    +0x0c8 FpSoftwareStatusRegister : Uint4B 
3019  #    +0x0cc SystemReserved1  : [54] Ptr32 Void 
3020  #    +0x1a4 ExceptionCode    : Int4B 
3021  #    +0x1a8 ActivationContextStackPointer : Ptr32 _ACTIVATION_CONTEXT_STACK 
3022  #    +0x1ac SpareBytes1      : [36] UChar 
3023  #    +0x1d0 TxFsContext      : Uint4B 
3024  #    +0x1d4 GdiTebBatch      : _GDI_TEB_BATCH 
3025  #    +0x6b4 RealClientId     : _CLIENT_ID 
3026  #    +0x6bc GdiCachedProcessHandle : Ptr32 Void 
3027  #    +0x6c0 GdiClientPID     : Uint4B 
3028  #    +0x6c4 GdiClientTID     : Uint4B 
3029  #    +0x6c8 GdiThreadLocalInfo : Ptr32 Void 
3030  #    +0x6cc Win32ClientInfo  : [62] Uint4B 
3031  #    +0x7c4 glDispatchTable  : [233] Ptr32 Void 
3032  #    +0xb68 glReserved1      : [29] Uint4B 
3033  #    +0xbdc glReserved2      : Ptr32 Void 
3034  #    +0xbe0 glSectionInfo    : Ptr32 Void 
3035  #    +0xbe4 glSection        : Ptr32 Void 
3036  #    +0xbe8 glTable          : Ptr32 Void 
3037  #    +0xbec glCurrentRC      : Ptr32 Void 
3038  #    +0xbf0 glContext        : Ptr32 Void 
3039  #    +0xbf4 LastStatusValue  : Uint4B 
3040  #    +0xbf8 StaticUnicodeString : _UNICODE_STRING 
3041  #    +0xc00 StaticUnicodeBuffer : [261] Wchar 
3042  #    +0xe0c DeallocationStack : Ptr32 Void 
3043  #    +0xe10 TlsSlots         : [64] Ptr32 Void 
3044  #    +0xf10 TlsLinks         : _LIST_ENTRY 
3045  #    +0xf18 Vdm              : Ptr32 Void 
3046  #    +0xf1c ReservedForNtRpc : Ptr32 Void 
3047  #    +0xf20 DbgSsReserved    : [2] Ptr32 Void 
3048  #    +0xf28 HardErrorMode    : Uint4B 
3049  #    +0xf2c Instrumentation  : [9] Ptr32 Void 
3050  #    +0xf50 ActivityId       : _GUID 
3051  #    +0xf60 SubProcessTag    : Ptr32 Void 
3052  #    +0xf64 EtwLocalData     : Ptr32 Void 
3053  #    +0xf68 EtwTraceData     : Ptr32 Void 
3054  #    +0xf6c WinSockData      : Ptr32 Void 
3055  #    +0xf70 GdiBatchCount    : Uint4B 
3056  #    +0xf74 SpareBool0       : UChar 
3057  #    +0xf75 SpareBool1       : UChar 
3058  #    +0xf76 SpareBool2       : UChar 
3059  #    +0xf77 IdealProcessor   : UChar 
3060  #    +0xf78 GuaranteedStackBytes : Uint4B 
3061  #    +0xf7c ReservedForPerf  : Ptr32 Void 
3062  #    +0xf80 ReservedForOle   : Ptr32 Void 
3063  #    +0xf84 WaitingOnLoaderLock : Uint4B 
3064  #    +0xf88 SavedPriorityState : Ptr32 Void 
3065  #    +0xf8c SoftPatchPtr1    : Uint4B 
3066  #    +0xf90 ThreadPoolData   : Ptr32 Void 
3067  #    +0xf94 TlsExpansionSlots : Ptr32 Ptr32 Void 
3068  #    +0xf98 ImpersonationLocale : Uint4B 
3069  #    +0xf9c IsImpersonating  : Uint4B 
3070  #    +0xfa0 NlsCache         : Ptr32 Void 
3071  #    +0xfa4 pShimData        : Ptr32 Void 
3072  #    +0xfa8 HeapVirtualAffinity : Uint4B 
3073  #    +0xfac CurrentTransactionHandle : Ptr32 Void 
3074  #    +0xfb0 ActiveFrame      : Ptr32 _TEB_ACTIVE_FRAME 
3075  #    +0xfb4 FlsData          : Ptr32 Void 
3076  #    +0xfb8 PreferredLanguages : Ptr32 Void 
3077  #    +0xfbc UserPrefLanguages : Ptr32 Void 
3078  #    +0xfc0 MergedPrefLanguages : Ptr32 Void 
3079  #    +0xfc4 MuiImpersonation : Uint4B 
3080  #    +0xfc8 CrossTebFlags    : Uint2B 
3081  #    +0xfc8 SpareCrossTebBits : Pos 0, 16 Bits 
3082  #    +0xfca SameTebFlags     : Uint2B 
3083  #    +0xfca DbgSafeThunkCall : Pos 0, 1 Bit 
3084  #    +0xfca DbgInDebugPrint  : Pos 1, 1 Bit 
3085  #    +0xfca DbgHasFiberData  : Pos 2, 1 Bit 
3086  #    +0xfca DbgSkipThreadAttach : Pos 3, 1 Bit 
3087  #    +0xfca DbgWerInShipAssertCode : Pos 4, 1 Bit 
3088  #    +0xfca DbgRanProcessInit : Pos 5, 1 Bit 
3089  #    +0xfca DbgClonedThread  : Pos 6, 1 Bit 
3090  #    +0xfca DbgSuppressDebugMsg : Pos 7, 1 Bit 
3091  #    +0xfca RtlDisableUserStackWalk : Pos 8, 1 Bit 
3092  #    +0xfca RtlExceptionAttached : Pos 9, 1 Bit 
3093  #    +0xfca SpareSameTebBits : Pos 10, 6 Bits 
3094  #    +0xfcc TxnScopeEnterCallback : Ptr32 Void 
3095  #    +0xfd0 TxnScopeExitCallback : Ptr32 Void 
3096  #    +0xfd4 TxnScopeContext  : Ptr32 Void 
3097  #    +0xfd8 LockCount        : Uint4B 
3098  #    +0xfdc ProcessRundown   : Uint4B 
3099  #    +0xfe0 LastSwitchTime   : Uint8B 
3100  #    +0xfe8 TotalSwitchOutTime : Uint8B 
3101  #    +0xff0 WaitReasonBitMap : _LARGE_INTEGER 
3102 -class _TEB_2008(Structure): 
3103      _pack_ = 8 
3104      _fields_ = [ 
3105          ("NtTib",                           NT_TIB), 
3106          ("EnvironmentPointer",              PVOID), 
3107          ("ClientId",                        CLIENT_ID), 
3108          ("ActiveRpcHandle",                 HANDLE), 
3109          ("ThreadLocalStoragePointer",       PVOID), 
3110          ("ProcessEnvironmentBlock",         PVOID), # PPEB 
3111          ("LastErrorValue",                  DWORD), 
3112          ("CountOfOwnedCriticalSections",    DWORD), 
3113          ("CsrClientThread",                 PVOID), 
3114          ("Win32ThreadInfo",                 PVOID), 
3115          ("User32Reserved",                  DWORD * 26), 
3116          ("UserReserved",                    DWORD * 5), 
3117          ("WOW32Reserved",                   PVOID), 
3118          ("CurrentLocale",                   DWORD), 
3119          ("FpSoftwareStatusRegister",        DWORD), 
3120          ("SystemReserved1",                 PVOID * 54), 
3121          ("ExceptionCode",                   SDWORD), 
3122          ("ActivationContextStackPointer",   PVOID), # PACTIVATION_CONTEXT_STACK 
3123          ("SpareBytes1",                     UCHAR * 36), 
3124          ("TxFsContext",                     DWORD), 
3125          ("GdiTebBatch",                     GDI_TEB_BATCH), 
3126          ("RealClientId",                    CLIENT_ID), 
3127          ("GdiCachedProcessHandle",          HANDLE), 
3128          ("GdiClientPID",                    DWORD), 
3129          ("GdiClientTID",                    DWORD), 
3130          ("GdiThreadLocalInfo",              PVOID), 
3131          ("Win32ClientInfo",                 DWORD * 62), 
3132          ("glDispatchTable",                 PVOID * 233), 
3133          ("glReserved1",                     DWORD * 29), 
3134          ("glReserved2",                     PVOID), 
3135          ("glSectionInfo",                   PVOID), 
3136          ("glSection",                       PVOID), 
3137          ("glTable",                         PVOID), 
3138          ("glCurrentRC",                     PVOID), 
3139          ("glContext",                       PVOID), 
3140          ("LastStatusValue",                 NTSTATUS), 
3141          ("StaticUnicodeString",             UNICODE_STRING), 
3142          ("StaticUnicodeBuffer",             WCHAR * 261), 
3143          ("DeallocationStack",               PVOID), 
3144          ("TlsSlots",                        PVOID * 64), 
3145          ("TlsLinks",                        LIST_ENTRY), 
3146          ("Vdm",                             PVOID), 
3147          ("ReservedForNtRpc",                PVOID), 
3148          ("DbgSsReserved",                   PVOID * 2), 
3149          ("HardErrorMode",                   DWORD), 
3150          ("Instrumentation",                 PVOID * 9), 
3151          ("ActivityId",                      GUID), 
3152          ("SubProcessTag",                   PVOID), 
3153          ("EtwLocalData",                    PVOID), 
3154          ("EtwTraceData",                    PVOID), 
3155          ("WinSockData",                     PVOID), 
3156          ("GdiBatchCount",                   DWORD), 
3157          ("SpareBool0",                      BOOLEAN), 
3158          ("SpareBool1",                      BOOLEAN), 
3159          ("SpareBool2",                      BOOLEAN), 
3160          ("IdealProcessor",                  UCHAR), 
3161          ("GuaranteedStackBytes",            DWORD), 
3162          ("ReservedForPerf",                 PVOID), 
3163          ("ReservedForOle",                  PVOID), 
3164          ("WaitingOnLoaderLock",             DWORD), 
3165          ("SavedPriorityState",              PVOID), 
3166          ("SoftPatchPtr1",                   PVOID), 
3167          ("ThreadPoolData",                  PVOID), 
3168          ("TlsExpansionSlots",               PVOID), # Ptr32 Ptr32 Void 
3169          ("ImpersonationLocale",             DWORD), 
3170          ("IsImpersonating",                 BOOL), 
3171          ("NlsCache",                        PVOID), 
3172          ("pShimData",                       PVOID), 
3173          ("HeapVirtualAffinity",             DWORD), 
3174          ("CurrentTransactionHandle",        HANDLE), 
3175          ("ActiveFrame",                     PVOID), # PTEB_ACTIVE_FRAME 
3176          ("FlsData",                         PVOID), 
3177          ("PreferredLanguages",              PVOID), 
3178          ("UserPrefLanguages",               PVOID), 
3179          ("MergedPrefLanguages",             PVOID), 
3180          ("MuiImpersonation",                BOOL), 
3181          ("CrossTebFlags",                   WORD), 
3182          ("SameTebFlags",                    WORD), 
3183          ("TxnScopeEnterCallback",           PVOID), 
3184          ("TxnScopeExitCallback",            PVOID), 
3185          ("TxnScopeContext",                 PVOID), 
3186          ("LockCount",                       DWORD), 
3187          ("ProcessRundown",                  DWORD), 
3188          ("LastSwitchTime",                  QWORD), 
3189          ("TotalSwitchOutTime",              QWORD), 
3190          ("WaitReasonBitMap",                LONGLONG),  # LARGE_INTEGER 
3191  ] 
3192   
3193  #    +0x000 NtTib            : _NT_TIB 
3194  #    +0x01c EnvironmentPointer : Ptr32 Void 
3195  #    +0x020 ClientId         : _CLIENT_ID 
3196  #    +0x028 ActiveRpcHandle  : Ptr32 Void 
3197  #    +0x02c ThreadLocalStoragePointer : Ptr32 Void 
3198  #    +0x030 ProcessEnvironmentBlock : Ptr32 _PEB 
3199  #    +0x034 LastErrorValue   : Uint4B 
3200  #    +0x038 CountOfOwnedCriticalSections : Uint4B 
3201  #    +0x03c CsrClientThread  : Ptr32 Void 
3202  #    +0x040 Win32ThreadInfo  : Ptr32 Void 
3203  #    +0x044 User32Reserved   : [26] Uint4B 
3204  #    +0x0ac UserReserved     : [5] Uint4B 
3205  #    +0x0c0 WOW32Reserved    : Ptr32 Void 
3206  #    +0x0c4 CurrentLocale    : Uint4B 
3207  #    +0x0c8 FpSoftwareStatusRegister : Uint4B 
3208  #    +0x0cc SystemReserved1  : [54] Ptr32 Void 
3209  #    +0x1a4 ExceptionCode    : Int4B 
3210  #    +0x1a8 ActivationContextStackPointer : Ptr32 _ACTIVATION_CONTEXT_STACK 
3211  #    +0x1ac SpareBytes1      : [36] UChar 
3212  #    +0x1d0 TxFsContext      : Uint4B 
3213  #    +0x1d4 GdiTebBatch      : _GDI_TEB_BATCH 
3214  #    +0x6b4 RealClientId     : _CLIENT_ID 
3215  #    +0x6bc GdiCachedProcessHandle : Ptr32 Void 
3216  #    +0x6c0 GdiClientPID     : Uint4B 
3217  #    +0x6c4 GdiClientTID     : Uint4B 
3218  #    +0x6c8 GdiThreadLocalInfo : Ptr32 Void 
3219  #    +0x6cc Win32ClientInfo  : [62] Uint4B 
3220  #    +0x7c4 glDispatchTable  : [233] Ptr32 Void 
3221  #    +0xb68 glReserved1      : [29] Uint4B 
3222  #    +0xbdc glReserved2      : Ptr32 Void 
3223  #    +0xbe0 glSectionInfo    : Ptr32 Void 
3224  #    +0xbe4 glSection        : Ptr32 Void 
3225  #    +0xbe8 glTable          : Ptr32 Void 
3226  #    +0xbec glCurrentRC      : Ptr32 Void 
3227  #    +0xbf0 glContext        : Ptr32 Void 
3228  #    +0xbf4 LastStatusValue  : Uint4B 
3229  #    +0xbf8 StaticUnicodeString : _UNICODE_STRING 
3230  #    +0xc00 StaticUnicodeBuffer : [261] Wchar 
3231  #    +0xe0c DeallocationStack : Ptr32 Void 
3232  #    +0xe10 TlsSlots         : [64] Ptr32 Void 
3233  #    +0xf10 TlsLinks         : _LIST_ENTRY 
3234  #    +0xf18 Vdm              : Ptr32 Void 
3235  #    +0xf1c ReservedForNtRpc : Ptr32 Void 
3236  #    +0xf20 DbgSsReserved    : [2] Ptr32 Void 
3237  #    +0xf28 HardErrorMode    : Uint4B 
3238  #    +0xf2c Instrumentation  : [9] Ptr32 Void 
3239  #    +0xf50 ActivityId       : _GUID 
3240  #    +0xf60 SubProcessTag    : Ptr32 Void 
3241  #    +0xf64 EtwLocalData     : Ptr32 Void 
3242  #    +0xf68 EtwTraceData     : Ptr32 Void 
3243  #    +0xf6c WinSockData      : Ptr32 Void 
3244  #    +0xf70 GdiBatchCount    : Uint4B 
3245  #    +0xf74 SpareBool0       : UChar 
3246  #    +0xf75 SpareBool1       : UChar 
3247  #    +0xf76 SpareBool2       : UChar 
3248  #    +0xf77 IdealProcessor   : UChar 
3249  #    +0xf78 GuaranteedStackBytes : Uint4B 
3250  #    +0xf7c ReservedForPerf  : Ptr32 Void 
3251  #    +0xf80 ReservedForOle   : Ptr32 Void 
3252  #    +0xf84 WaitingOnLoaderLock : Uint4B 
3253  #    +0xf88 SavedPriorityState : Ptr32 Void 
3254  #    +0xf8c SoftPatchPtr1    : Uint4B 
3255  #    +0xf90 ThreadPoolData   : Ptr32 Void 
3256  #    +0xf94 TlsExpansionSlots : Ptr32 Ptr32 Void 
3257  #    +0xf98 ImpersonationLocale : Uint4B 
3258  #    +0xf9c IsImpersonating  : Uint4B 
3259  #    +0xfa0 NlsCache         : Ptr32 Void 
3260  #    +0xfa4 pShimData        : Ptr32 Void 
3261  #    +0xfa8 HeapVirtualAffinity : Uint4B 
3262  #    +0xfac CurrentTransactionHandle : Ptr32 Void 
3263  #    +0xfb0 ActiveFrame      : Ptr32 _TEB_ACTIVE_FRAME 
3264  #    +0xfb4 FlsData          : Ptr32 Void 
3265  #    +0xfb8 PreferredLanguages : Ptr32 Void 
3266  #    +0xfbc UserPrefLanguages : Ptr32 Void 
3267  #    +0xfc0 MergedPrefLanguages : Ptr32 Void 
3268  #    +0xfc4 MuiImpersonation : Uint4B 
3269  #    +0xfc8 CrossTebFlags    : Uint2B 
3270  #    +0xfc8 SpareCrossTebBits : Pos 0, 16 Bits 
3271  #    +0xfca SameTebFlags     : Uint2B 
3272  #    +0xfca DbgSafeThunkCall : Pos 0, 1 Bit 
3273  #    +0xfca DbgInDebugPrint  : Pos 1, 1 Bit 
3274  #    +0xfca DbgHasFiberData  : Pos 2, 1 Bit 
3275  #    +0xfca DbgSkipThreadAttach : Pos 3, 1 Bit 
3276  #    +0xfca DbgWerInShipAssertCode : Pos 4, 1 Bit 
3277  #    +0xfca DbgRanProcessInit : Pos 5, 1 Bit 
3278  #    +0xfca DbgClonedThread  : Pos 6, 1 Bit 
3279  #    +0xfca DbgSuppressDebugMsg : Pos 7, 1 Bit 
3280  #    +0xfca RtlDisableUserStackWalk : Pos 8, 1 Bit 
3281  #    +0xfca RtlExceptionAttached : Pos 9, 1 Bit 
3282  #    +0xfca SpareSameTebBits : Pos 10, 6 Bits 
3283  #    +0xfcc TxnScopeEnterCallback : Ptr32 Void 
3284  #    +0xfd0 TxnScopeExitCallback : Ptr32 Void 
3285  #    +0xfd4 TxnScopeContext  : Ptr32 Void 
3286  #    +0xfd8 LockCount        : Uint4B 
3287  #    +0xfdc ProcessRundown   : Uint4B 
3288  #    +0xfe0 LastSwitchTime   : Uint8B 
3289  #    +0xfe8 TotalSwitchOutTime : Uint8B 
3290  #    +0xff0 WaitReasonBitMap : _LARGE_INTEGER 
3291 -class _TEB_Vista(Structure): 
3292      _pack_ = 8 
3293      _fields_ = [ 
3294          ("NtTib",                           NT_TIB), 
3295          ("EnvironmentPointer",              PVOID), 
3296          ("ClientId",                        CLIENT_ID), 
3297          ("ActiveRpcHandle",                 HANDLE), 
3298          ("ThreadLocalStoragePointer",       PVOID), 
3299          ("ProcessEnvironmentBlock",         PVOID), # PPEB 
3300          ("LastErrorValue",                  DWORD), 
3301          ("CountOfOwnedCriticalSections",    DWORD), 
3302          ("CsrClientThread",                 PVOID), 
3303          ("Win32ThreadInfo",                 PVOID), 
3304          ("User32Reserved",                  DWORD * 26), 
3305          ("UserReserved",                    DWORD * 5), 
3306          ("WOW32Reserved",                   PVOID), 
3307          ("CurrentLocale",                   DWORD), 
3308          ("FpSoftwareStatusRegister",        DWORD), 
3309          ("SystemReserved1",                 PVOID * 54), 
3310          ("ExceptionCode",                   SDWORD), 
3311          ("ActivationContextStackPointer",   PVOID), # PACTIVATION_CONTEXT_STACK 
3312          ("SpareBytes1",                     UCHAR * 36), 
3313          ("TxFsContext",                     DWORD), 
3314          ("GdiTebBatch",                     GDI_TEB_BATCH), 
3315          ("RealClientId",                    CLIENT_ID), 
3316          ("GdiCachedProcessHandle",          HANDLE), 
3317          ("GdiClientPID",                    DWORD), 
3318          ("GdiClientTID",                    DWORD), 
3319          ("GdiThreadLocalInfo",              PVOID), 
3320          ("Win32ClientInfo",                 DWORD * 62), 
3321          ("glDispatchTable",                 PVOID * 233), 
3322          ("glReserved1",                     DWORD * 29), 
3323          ("glReserved2",                     PVOID), 
3324          ("glSectionInfo",                   PVOID), 
3325          ("glSection",                       PVOID), 
3326          ("glTable",                         PVOID), 
3327          ("glCurrentRC",                     PVOID), 
3328          ("glContext",                       PVOID), 
3329          ("LastStatusValue",                 NTSTATUS), 
3330          ("StaticUnicodeString",             UNICODE_STRING), 
3331          ("StaticUnicodeBuffer",             WCHAR * 261), 
3332          ("DeallocationStack",               PVOID), 
3333          ("TlsSlots",                        PVOID * 64), 
3334          ("TlsLinks",                        LIST_ENTRY), 
3335          ("Vdm",                             PVOID), 
3336          ("ReservedForNtRpc",                PVOID), 
3337          ("DbgSsReserved",                   PVOID * 2), 
3338          ("HardErrorMode",                   DWORD), 
3339          ("Instrumentation",                 PVOID * 9), 
3340          ("ActivityId",                      GUID), 
3341          ("SubProcessTag",                   PVOID), 
3342          ("EtwLocalData",                    PVOID), 
3343          ("EtwTraceData",                    PVOID), 
3344          ("WinSockData",                     PVOID), 
3345          ("GdiBatchCount",                   DWORD), 
3346          ("SpareBool0",                      BOOLEAN), 
3347          ("SpareBool1",                      BOOLEAN), 
3348          ("SpareBool2",                      BOOLEAN), 
3349          ("IdealProcessor",                  UCHAR), 
3350          ("GuaranteedStackBytes",            DWORD), 
3351          ("ReservedForPerf",                 PVOID), 
3352          ("ReservedForOle",                  PVOID), 
3353          ("WaitingOnLoaderLock",             DWORD), 
3354          ("SavedPriorityState",              PVOID), 
3355          ("SoftPatchPtr1",                   PVOID), 
3356          ("ThreadPoolData",                  PVOID), 
3357          ("TlsExpansionSlots",               PVOID), # Ptr32 Ptr32 Void 
3358          ("ImpersonationLocale",             DWORD), 
3359          ("IsImpersonating",                 BOOL), 
3360          ("NlsCache",                        PVOID), 
3361          ("pShimData",                       PVOID), 
3362          ("HeapVirtualAffinity",             DWORD), 
3363          ("CurrentTransactionHandle",        HANDLE), 
3364          ("ActiveFrame",                     PVOID), # PTEB_ACTIVE_FRAME 
3365          ("FlsData",                         PVOID), 
3366          ("PreferredLanguages",              PVOID), 
3367          ("UserPrefLanguages",               PVOID), 
3368          ("MergedPrefLanguages",             PVOID), 
3369          ("MuiImpersonation",                BOOL), 
3370          ("CrossTebFlags",                   WORD), 
3371          ("SameTebFlags",                    WORD), 
3372          ("TxnScopeEnterCallback",           PVOID), 
3373          ("TxnScopeExitCallback",            PVOID), 
3374          ("TxnScopeContext",                 PVOID), 
3375          ("LockCount",                       DWORD), 
3376          ("ProcessRundown",                  DWORD), 
3377          ("LastSwitchTime",                  QWORD), 
3378          ("TotalSwitchOutTime",              QWORD), 
3379          ("WaitReasonBitMap",                LONGLONG),  # LARGE_INTEGER 
3380  ] 
3381   
3382  #    +0x000 NtTib            : _NT_TIB 
3383  #    +0x038 EnvironmentPointer : Ptr64 Void 
3384  #    +0x040 ClientId         : _CLIENT_ID 
3385  #    +0x050 ActiveRpcHandle  : Ptr64 Void 
3386  #    +0x058 ThreadLocalStoragePointer : Ptr64 Void 
3387  #    +0x060 ProcessEnvironmentBlock : Ptr64 _PEB 
3388  #    +0x068 LastErrorValue   : Uint4B 
3389  #    +0x06c CountOfOwnedCriticalSections : Uint4B 
3390  #    +0x070 CsrClientThread  : Ptr64 Void 
3391  #    +0x078 Win32ThreadInfo  : Ptr64 Void 
3392  #    +0x080 User32Reserved   : [26] Uint4B 
3393  #    +0x0e8 UserReserved     : [5] Uint4B 
3394  #    +0x100 WOW32Reserved    : Ptr64 Void 
3395  #    +0x108 CurrentLocale    : Uint4B 
3396  #    +0x10c FpSoftwareStatusRegister : Uint4B 
3397  #    +0x110 SystemReserved1  : [54] Ptr64 Void 
3398  #    +0x2c0 ExceptionCode    : Int4B 
3399  #    +0x2c8 ActivationContextStackPointer : Ptr64 _ACTIVATION_CONTEXT_STACK 
3400  #    +0x2d0 SpareBytes1      : [24] UChar 
3401  #    +0x2e8 TxFsContext      : Uint4B 
3402  #    +0x2f0 GdiTebBatch      : _GDI_TEB_BATCH 
3403  #    +0x7d8 RealClientId     : _CLIENT_ID 
3404  #    +0x7e8 GdiCachedProcessHandle : Ptr64 Void 
3405  #    +0x7f0 GdiClientPID     : Uint4B 
3406  #    +0x7f4 GdiClientTID     : Uint4B 
3407  #    +0x7f8 GdiThreadLocalInfo : Ptr64 Void 
3408  #    +0x800 Win32ClientInfo  : [62] Uint8B 
3409  #    +0x9f0 glDispatchTable  : [233] Ptr64 Void 
3410  #    +0x1138 glReserved1      : [29] Uint8B 
3411  #    +0x1220 glReserved2      : Ptr64 Void 
3412  #    +0x1228 glSectionInfo    : Ptr64 Void 
3413  #    +0x1230 glSection        : Ptr64 Void 
3414  #    +0x1238 glTable          : Ptr64 Void 
3415  #    +0x1240 glCurrentRC      : Ptr64 Void 
3416  #    +0x1248 glContext        : Ptr64 Void 
3417  #    +0x1250 LastStatusValue  : Uint4B 
3418  #    +0x1258 StaticUnicodeString : _UNICODE_STRING 
3419  #    +0x1268 StaticUnicodeBuffer : [261] Wchar 
3420  #    +0x1478 DeallocationStack : Ptr64 Void 
3421  #    +0x1480 TlsSlots         : [64] Ptr64 Void 
3422  #    +0x1680 TlsLinks         : _LIST_ENTRY 
3423  #    +0x1690 Vdm              : Ptr64 Void 
3424  #    +0x1698 ReservedForNtRpc : Ptr64 Void 
3425  #    +0x16a0 DbgSsReserved    : [2] Ptr64 Void 
3426  #    +0x16b0 HardErrorMode    : Uint4B 
3427  #    +0x16b8 Instrumentation  : [11] Ptr64 Void 
3428  #    +0x1710 ActivityId       : _GUID 
3429  #    +0x1720 SubProcessTag    : Ptr64 Void 
3430  #    +0x1728 EtwLocalData     : Ptr64 Void 
3431  #    +0x1730 EtwTraceData     : Ptr64 Void 
3432  #    +0x1738 WinSockData      : Ptr64 Void 
3433  #    +0x1740 GdiBatchCount    : Uint4B 
3434  #    +0x1744 SpareBool0       : UChar 
3435  #    +0x1745 SpareBool1       : UChar 
3436  #    +0x1746 SpareBool2       : UChar 
3437  #    +0x1747 IdealProcessor   : UChar 
3438  #    +0x1748 GuaranteedStackBytes : Uint4B 
3439  #    +0x1750 ReservedForPerf  : Ptr64 Void 
3440  #    +0x1758 ReservedForOle   : Ptr64 Void 
3441  #    +0x1760 WaitingOnLoaderLock : Uint4B 
3442  #    +0x1768 SavedPriorityState : Ptr64 Void 
3443  #    +0x1770 SoftPatchPtr1    : Uint8B 
3444  #    +0x1778 ThreadPoolData   : Ptr64 Void 
3445  #    +0x1780 TlsExpansionSlots : Ptr64 Ptr64 Void 
3446  #    +0x1788 DeallocationBStore : Ptr64 Void 
3447  #    +0x1790 BStoreLimit      : Ptr64 Void 
3448  #    +0x1798 ImpersonationLocale : Uint4B 
3449  #    +0x179c IsImpersonating  : Uint4B 
3450  #    +0x17a0 NlsCache         : Ptr64 Void 
3451  #    +0x17a8 pShimData        : Ptr64 Void 
3452  #    +0x17b0 HeapVirtualAffinity : Uint4B 
3453  #    +0x17b8 CurrentTransactionHandle : Ptr64 Void 
3454  #    +0x17c0 ActiveFrame      : Ptr64 _TEB_ACTIVE_FRAME 
3455  #    +0x17c8 FlsData          : Ptr64 Void 
3456  #    +0x17d0 PreferredLanguages : Ptr64 Void 
3457  #    +0x17d8 UserPrefLanguages : Ptr64 Void 
3458  #    +0x17e0 MergedPrefLanguages : Ptr64 Void 
3459  #    +0x17e8 MuiImpersonation : Uint4B 
3460  #    +0x17ec CrossTebFlags    : Uint2B 
3461  #    +0x17ec SpareCrossTebBits : Pos 0, 16 Bits 
3462  #    +0x17ee SameTebFlags     : Uint2B 
3463  #    +0x17ee DbgSafeThunkCall : Pos 0, 1 Bit 
3464  #    +0x17ee DbgInDebugPrint  : Pos 1, 1 Bit 
3465  #    +0x17ee DbgHasFiberData  : Pos 2, 1 Bit 
3466  #    +0x17ee DbgSkipThreadAttach : Pos 3, 1 Bit 
3467  #    +0x17ee DbgWerInShipAssertCode : Pos 4, 1 Bit 
3468  #    +0x17ee DbgRanProcessInit : Pos 5, 1 Bit 
3469  #    +0x17ee DbgClonedThread  : Pos 6, 1 Bit 
3470  #    +0x17ee DbgSuppressDebugMsg : Pos 7, 1 Bit 
3471  #    +0x17ee RtlDisableUserStackWalk : Pos 8, 1 Bit 
3472  #    +0x17ee RtlExceptionAttached : Pos 9, 1 Bit 
3473  #    +0x17ee SpareSameTebBits : Pos 10, 6 Bits 
3474  #    +0x17f0 TxnScopeEnterCallback : Ptr64 Void 
3475  #    +0x17f8 TxnScopeExitCallback : Ptr64 Void 
3476  #    +0x1800 TxnScopeContext  : Ptr64 Void 
3477  #    +0x1808 LockCount        : Uint4B 
3478  #    +0x180c ProcessRundown   : Uint4B 
3479  #    +0x1810 LastSwitchTime   : Uint8B 
3480  #    +0x1818 TotalSwitchOutTime : Uint8B 
3481  #    +0x1820 WaitReasonBitMap : _LARGE_INTEGER 
3482 -class _TEB_Vista_64(Structure): 
3483      _pack_ = 8 
3484      _fields_ = [ 
3485          ("NtTib",                           NT_TIB), 
3486          ("EnvironmentPointer",              PVOID), 
3487          ("ClientId",                        CLIENT_ID), 
3488          ("ActiveRpcHandle",                 HANDLE), 
3489          ("ThreadLocalStoragePointer",       PVOID), 
3490          ("ProcessEnvironmentBlock",         PVOID), # PPEB 
3491          ("LastErrorValue",                  DWORD), 
3492          ("CountOfOwnedCriticalSections",    DWORD), 
3493          ("CsrClientThread",                 PVOID), 
3494          ("Win32ThreadInfo",                 PVOID), 
3495          ("User32Reserved",                  DWORD * 26), 
3496          ("UserReserved",                    DWORD * 5), 
3497          ("WOW32Reserved",                   PVOID), 
3498          ("CurrentLocale",                   DWORD), 
3499          ("FpSoftwareStatusRegister",        DWORD), 
3500          ("SystemReserved1",                 PVOID * 54), 
3501          ("ExceptionCode",                   SDWORD), 
3502          ("ActivationContextStackPointer",   PVOID), # PACTIVATION_CONTEXT_STACK 
3503          ("SpareBytes1",                     UCHAR * 24), 
3504          ("TxFsContext",                     DWORD), 
3505          ("GdiTebBatch",                     GDI_TEB_BATCH), 
3506          ("RealClientId",                    CLIENT_ID), 
3507          ("GdiCachedProcessHandle",          HANDLE), 
3508          ("GdiClientPID",                    DWORD), 
3509          ("GdiClientTID",                    DWORD), 
3510          ("GdiThreadLocalInfo",              PVOID), 
3511          ("Win32ClientInfo",                 QWORD * 62), 
3512          ("glDispatchTable",                 PVOID * 233), 
3513          ("glReserved1",                     QWORD * 29), 
3514          ("glReserved2",                     PVOID), 
3515          ("glSectionInfo",                   PVOID), 
3516          ("glSection",                       PVOID), 
3517          ("glTable",                         PVOID), 
3518          ("glCurrentRC",                     PVOID), 
3519          ("glContext",                       PVOID), 
3520          ("LastStatusValue",                 NTSTATUS), 
3521          ("StaticUnicodeString",             UNICODE_STRING), 
3522          ("StaticUnicodeBuffer",             WCHAR * 261), 
3523          ("DeallocationStack",               PVOID), 
3524          ("TlsSlots",                        PVOID * 64), 
3525          ("TlsLinks",                        LIST_ENTRY), 
3526          ("Vdm",                             PVOID), 
3527          ("ReservedForNtRpc",                PVOID), 
3528          ("DbgSsReserved",                   PVOID * 2), 
3529          ("HardErrorMode",                   DWORD), 
3530          ("Instrumentation",                 PVOID * 11), 
3531          ("ActivityId",                      GUID), 
3532          ("SubProcessTag",                   PVOID), 
3533          ("EtwLocalData",                    PVOID), 
3534          ("EtwTraceData",                    PVOID), 
3535          ("WinSockData",                     PVOID), 
3536          ("GdiBatchCount",                   DWORD), 
3537          ("SpareBool0",                      BOOLEAN), 
3538          ("SpareBool1",                      BOOLEAN), 
3539          ("SpareBool2",                      BOOLEAN), 
3540          ("IdealProcessor",                  UCHAR), 
3541          ("GuaranteedStackBytes",            DWORD), 
3542          ("ReservedForPerf",                 PVOID), 
3543          ("ReservedForOle",                  PVOID), 
3544          ("WaitingOnLoaderLock",             DWORD), 
3545          ("SavedPriorityState",              PVOID), 
3546          ("SoftPatchPtr1",                   PVOID), 
3547          ("ThreadPoolData",                  PVOID), 
3548          ("TlsExpansionSlots",               PVOID), # Ptr64 Ptr64 Void 
3549          ("DeallocationBStore",              PVOID), 
3550          ("BStoreLimit",                     PVOID), 
3551          ("ImpersonationLocale",             DWORD), 
3552          ("IsImpersonating",                 BOOL), 
3553          ("NlsCache",                        PVOID), 
3554          ("pShimData",                       PVOID), 
3555          ("HeapVirtualAffinity",             DWORD), 
3556          ("CurrentTransactionHandle",        HANDLE), 
3557          ("ActiveFrame",                     PVOID), # PTEB_ACTIVE_FRAME 
3558          ("FlsData",                         PVOID), 
3559          ("PreferredLanguages",              PVOID), 
3560          ("UserPrefLanguages",               PVOID), 
3561          ("MergedPrefLanguages",             PVOID), 
3562          ("MuiImpersonation",                BOOL), 
3563          ("CrossTebFlags",                   WORD), 
3564          ("SameTebFlags",                    WORD), 
3565          ("TxnScopeEnterCallback",           PVOID), 
3566          ("TxnScopeExitCallback",            PVOID), 
3567          ("TxnScopeContext",                 PVOID), 
3568          ("LockCount",                       DWORD), 
3569          ("ProcessRundown",                  DWORD), 
3570          ("LastSwitchTime",                  QWORD), 
3571          ("TotalSwitchOutTime",              QWORD), 
3572          ("WaitReasonBitMap",                LONGLONG),  # LARGE_INTEGER 
3573  ] 
3574   
3575  #    +0x000 NtTib            : _NT_TIB 
3576  #    +0x01c EnvironmentPointer : Ptr32 Void 
3577  #    +0x020 ClientId         : _CLIENT_ID 
3578  #    +0x028 ActiveRpcHandle  : Ptr32 Void 
3579  #    +0x02c ThreadLocalStoragePointer : Ptr32 Void 
3580  #    +0x030 ProcessEnvironmentBlock : Ptr32 _PEB 
3581  #    +0x034 LastErrorValue   : Uint4B 
3582  #    +0x038 CountOfOwnedCriticalSections : Uint4B 
3583  #    +0x03c CsrClientThread  : Ptr32 Void 
3584  #    +0x040 Win32ThreadInfo  : Ptr32 Void 
3585  #    +0x044 User32Reserved   : [26] Uint4B 
3586  #    +0x0ac UserReserved     : [5] Uint4B 
3587  #    +0x0c0 WOW32Reserved    : Ptr32 Void 
3588  #    +0x0c4 CurrentLocale    : Uint4B 
3589  #    +0x0c8 FpSoftwareStatusRegister : Uint4B 
3590  #    +0x0cc SystemReserved1  : [54] Ptr32 Void 
3591  #    +0x1a4 ExceptionCode    : Int4B 
3592  #    +0x1a8 ActivationContextStackPointer : Ptr32 _ACTIVATION_CONTEXT_STACK 
3593  #    +0x1ac SpareBytes       : [36] UChar 
3594  #    +0x1d0 TxFsContext      : Uint4B 
3595  #    +0x1d4 GdiTebBatch      : _GDI_TEB_BATCH 
3596  #    +0x6b4 RealClientId     : _CLIENT_ID 
3597  #    +0x6bc GdiCachedProcessHandle : Ptr32 Void 
3598  #    +0x6c0 GdiClientPID     : Uint4B 
3599  #    +0x6c4 GdiClientTID     : Uint4B 
3600  #    +0x6c8 GdiThreadLocalInfo : Ptr32 Void 
3601  #    +0x6cc Win32ClientInfo  : [62] Uint4B 
3602  #    +0x7c4 glDispatchTable  : [233] Ptr32 Void 
3603  #    +0xb68 glReserved1      : [29] Uint4B 
3604  #    +0xbdc glReserved2      : Ptr32 Void 
3605  #    +0xbe0 glSectionInfo    : Ptr32 Void 
3606  #    +0xbe4 glSection        : Ptr32 Void 
3607  #    +0xbe8 glTable          : Ptr32 Void 
3608  #    +0xbec glCurrentRC      : Ptr32 Void 
3609  #    +0xbf0 glContext        : Ptr32 Void 
3610  #    +0xbf4 LastStatusValue  : Uint4B 
3611  #    +0xbf8 StaticUnicodeString : _UNICODE_STRING 
3612  #    +0xc00 StaticUnicodeBuffer : [261] Wchar 
3613  #    +0xe0c DeallocationStack : Ptr32 Void 
3614  #    +0xe10 TlsSlots         : [64] Ptr32 Void 
3615  #    +0xf10 TlsLinks         : _LIST_ENTRY 
3616  #    +0xf18 Vdm              : Ptr32 Void 
3617  #    +0xf1c ReservedForNtRpc : Ptr32 Void 
3618  #    +0xf20 DbgSsReserved    : [2] Ptr32 Void 
3619  #    +0xf28 HardErrorMode    : Uint4B 
3620  #    +0xf2c Instrumentation  : [9] Ptr32 Void 
3621  #    +0xf50 ActivityId       : _GUID 
3622  #    +0xf60 SubProcessTag    : Ptr32 Void 
3623  #    +0xf64 EtwLocalData     : Ptr32 Void 
3624  #    +0xf68 EtwTraceData     : Ptr32 Void 
3625  #    +0xf6c WinSockData      : Ptr32 Void 
3626  #    +0xf70 GdiBatchCount    : Uint4B 
3627  #    +0xf74 CurrentIdealProcessor : _PROCESSOR_NUMBER 
3628  #    +0xf74 IdealProcessorValue : Uint4B 
3629  #    +0xf74 ReservedPad0     : UChar 
3630  #    +0xf75 ReservedPad1     : UChar 
3631  #    +0xf76 ReservedPad2     : UChar 
3632  #    +0xf77 IdealProcessor   : UChar 
3633  #    +0xf78 GuaranteedStackBytes : Uint4B 
3634  #    +0xf7c ReservedForPerf  : Ptr32 Void 
3635  #    +0xf80 ReservedForOle   : Ptr32 Void 
3636  #    +0xf84 WaitingOnLoaderLock : Uint4B 
3637  #    +0xf88 SavedPriorityState : Ptr32 Void 
3638  #    +0xf8c SoftPatchPtr1    : Uint4B 
3639  #    +0xf90 ThreadPoolData   : Ptr32 Void 
3640  #    +0xf94 TlsExpansionSlots : Ptr32 Ptr32 Void 
3641  #    +0xf98 MuiGeneration    : Uint4B 
3642  #    +0xf9c IsImpersonating  : Uint4B 
3643  #    +0xfa0 NlsCache         : Ptr32 Void 
3644  #    +0xfa4 pShimData        : Ptr32 Void 
3645  #    +0xfa8 HeapVirtualAffinity : Uint4B 
3646  #    +0xfac CurrentTransactionHandle : Ptr32 Void 
3647  #    +0xfb0 ActiveFrame      : Ptr32 _TEB_ACTIVE_FRAME 
3648  #    +0xfb4 FlsData          : Ptr32 Void 
3649  #    +0xfb8 PreferredLanguages : Ptr32 Void 
3650  #    +0xfbc UserPrefLanguages : Ptr32 Void 
3651  #    +0xfc0 MergedPrefLanguages : Ptr32 Void 
3652  #    +0xfc4 MuiImpersonation : Uint4B 
3653  #    +0xfc8 CrossTebFlags    : Uint2B 
3654  #    +0xfc8 SpareCrossTebBits : Pos 0, 16 Bits 
3655  #    +0xfca SameTebFlags     : Uint2B 
3656  #    +0xfca SafeThunkCall    : Pos 0, 1 Bit 
3657  #    +0xfca InDebugPrint     : Pos 1, 1 Bit 
3658  #    +0xfca HasFiberData     : Pos 2, 1 Bit 
3659  #    +0xfca SkipThreadAttach : Pos 3, 1 Bit 
3660  #    +0xfca WerInShipAssertCode : Pos 4, 1 Bit 
3661  #    +0xfca RanProcessInit   : Pos 5, 1 Bit 
3662  #    +0xfca ClonedThread     : Pos 6, 1 Bit 
3663  #    +0xfca SuppressDebugMsg : Pos 7, 1 Bit 
3664  #    +0xfca DisableUserStackWalk : Pos 8, 1 Bit 
3665  #    +0xfca RtlExceptionAttached : Pos 9, 1 Bit 
3666  #    +0xfca InitialThread    : Pos 10, 1 Bit 
3667  #    +0xfca SpareSameTebBits : Pos 11, 5 Bits 
3668  #    +0xfcc TxnScopeEnterCallback : Ptr32 Void 
3669  #    +0xfd0 TxnScopeExitCallback : Ptr32 Void 
3670  #    +0xfd4 TxnScopeContext  : Ptr32 Void 
3671  #    +0xfd8 LockCount        : Uint4B 
3672  #    +0xfdc SpareUlong0      : Uint4B 
3673  #    +0xfe0 ResourceRetValue : Ptr32 Void 
3674 -class _TEB_W7(Structure): 
3675      _pack_ = 8 
3676      _fields_ = [ 
3677          ("NtTib",                           NT_TIB), 
3678          ("EnvironmentPointer",              PVOID), 
3679          ("ClientId",                        CLIENT_ID), 
3680          ("ActiveRpcHandle",                 HANDLE), 
3681          ("ThreadLocalStoragePointer",       PVOID), 
3682          ("ProcessEnvironmentBlock",         PVOID), # PPEB 
3683          ("LastErrorValue",                  DWORD), 
3684          ("CountOfOwnedCriticalSections",    DWORD), 
3685          ("CsrClientThread",                 PVOID), 
3686          ("Win32ThreadInfo",                 PVOID), 
3687          ("User32Reserved",                  DWORD * 26), 
3688          ("UserReserved",                    DWORD * 5), 
3689          ("WOW32Reserved",                   PVOID), 
3690          ("CurrentLocale",                   DWORD), 
3691          ("FpSoftwareStatusRegister",        DWORD), 
3692          ("SystemReserved1",                 PVOID * 54), 
3693          ("ExceptionCode",                   SDWORD), 
3694          ("ActivationContextStackPointer",   PVOID), # PACTIVATION_CONTEXT_STACK 
3695          ("SpareBytes",                      UCHAR * 36), 
3696          ("TxFsContext",                     DWORD), 
3697          ("GdiTebBatch",                     GDI_TEB_BATCH), 
3698          ("RealClientId",                    CLIENT_ID), 
3699          ("GdiCachedProcessHandle",          HANDLE), 
3700          ("GdiClientPID",                    DWORD), 
3701          ("GdiClientTID",                    DWORD), 
3702          ("GdiThreadLocalInfo",              PVOID), 
3703          ("Win32ClientInfo",                 DWORD * 62), 
3704          ("glDispatchTable",                 PVOID * 233), 
3705          ("glReserved1",                     DWORD * 29), 
3706          ("glReserved2",                     PVOID), 
3707          ("glSectionInfo",                   PVOID), 
3708          ("glSection",                       PVOID), 
3709          ("glTable",                         PVOID), 
3710          ("glCurrentRC",                     PVOID), 
3711          ("glContext",                       PVOID), 
3712          ("LastStatusValue",                 NTSTATUS), 
3713          ("StaticUnicodeString",             UNICODE_STRING), 
3714          ("StaticUnicodeBuffer",             WCHAR * 261), 
3715          ("DeallocationStack",               PVOID), 
3716          ("TlsSlots",                        PVOID * 64), 
3717          ("TlsLinks",                        LIST_ENTRY), 
3718          ("Vdm",                             PVOID), 
3719          ("ReservedForNtRpc",                PVOID), 
3720          ("DbgSsReserved",                   PVOID * 2), 
3721          ("HardErrorMode",                   DWORD), 
3722          ("Instrumentation",                 PVOID * 9), 
3723          ("ActivityId",                      GUID), 
3724          ("SubProcessTag",                   PVOID), 
3725          ("EtwLocalData",                    PVOID), 
3726          ("EtwTraceData",                    PVOID), 
3727          ("WinSockData",                     PVOID), 
3728          ("GdiBatchCount",                   DWORD), 
3729          ("CurrentIdealProcessor",           PROCESSOR_NUMBER), 
3730          ("IdealProcessorValue",             DWORD), 
3731          ("ReservedPad0",                    UCHAR), 
3732          ("ReservedPad1",                    UCHAR), 
3733          ("ReservedPad2",                    UCHAR), 
3734          ("IdealProcessor",                  UCHAR), 
3735          ("GuaranteedStackBytes",            DWORD), 
3736          ("ReservedForPerf",                 PVOID), 
3737          ("ReservedForOle",                  PVOID), 
3738          ("WaitingOnLoaderLock",             DWORD), 
3739          ("SavedPriorityState",              PVOID), 
3740          ("SoftPatchPtr1",                   PVOID), 
3741          ("ThreadPoolData",                  PVOID), 
3742          ("TlsExpansionSlots",               PVOID), # Ptr32 Ptr32 Void 
3743          ("MuiGeneration",                   DWORD), 
3744          ("IsImpersonating",                 BOOL), 
3745          ("NlsCache",                        PVOID), 
3746          ("pShimData",                       PVOID), 
3747          ("HeapVirtualAffinity",             DWORD), 
3748          ("CurrentTransactionHandle",        HANDLE), 
3749          ("ActiveFrame",                     PVOID), # PTEB_ACTIVE_FRAME 
3750          ("FlsData",                         PVOID), 
3751          ("PreferredLanguages",              PVOID), 
3752          ("UserPrefLanguages",               PVOID), 
3753          ("MergedPrefLanguages",             PVOID), 
3754          ("MuiImpersonation",                BOOL), 
3755          ("CrossTebFlags",                   WORD), 
3756          ("SameTebFlags",                    WORD), 
3757          ("TxnScopeEnterCallback",           PVOID), 
3758          ("TxnScopeExitCallback",            PVOID), 
3759          ("TxnScopeContext",                 PVOID), 
3760          ("LockCount",                       DWORD), 
3761          ("SpareUlong0",                     ULONG), 
3762          ("ResourceRetValue",                PVOID), 
3763  ] 
3764   
3765  #    +0x000 NtTib            : _NT_TIB 
3766  #    +0x038 EnvironmentPointer : Ptr64 Void 
3767  #    +0x040 ClientId         : _CLIENT_ID 
3768  #    +0x050 ActiveRpcHandle  : Ptr64 Void 
3769  #    +0x058 ThreadLocalStoragePointer : Ptr64 Void 
3770  #    +0x060 ProcessEnvironmentBlock : Ptr64 _PEB 
3771  #    +0x068 LastErrorValue   : Uint4B 
3772  #    +0x06c CountOfOwnedCriticalSections : Uint4B 
3773  #    +0x070 CsrClientThread  : Ptr64 Void 
3774  #    +0x078 Win32ThreadInfo  : Ptr64 Void 
3775  #    +0x080 User32Reserved   : [26] Uint4B 
3776  #    +0x0e8 UserReserved     : [5] Uint4B 
3777  #    +0x100 WOW32Reserved    : Ptr64 Void 
3778  #    +0x108 CurrentLocale    : Uint4B 
3779  #    +0x10c FpSoftwareStatusRegister : Uint4B 
3780  #    +0x110 SystemReserved1  : [54] Ptr64 Void 
3781  #    +0x2c0 ExceptionCode    : Int4B 
3782  #    +0x2c8 ActivationContextStackPointer : Ptr64 _ACTIVATION_CONTEXT_STACK 
3783  #    +0x2d0 SpareBytes       : [24] UChar 
3784  #    +0x2e8 TxFsContext      : Uint4B 
3785  #    +0x2f0 GdiTebBatch      : _GDI_TEB_BATCH 
3786  #    +0x7d8 RealClientId     : _CLIENT_ID 
3787  #    +0x7e8 GdiCachedProcessHandle : Ptr64 Void 
3788  #    +0x7f0 GdiClientPID     : Uint4B 
3789  #    +0x7f4 GdiClientTID     : Uint4B 
3790  #    +0x7f8 GdiThreadLocalInfo : Ptr64 Void 
3791  #    +0x800 Win32ClientInfo  : [62] Uint8B 
3792  #    +0x9f0 glDispatchTable  : [233] Ptr64 Void 
3793  #    +0x1138 glReserved1      : [29] Uint8B 
3794  #    +0x1220 glReserved2      : Ptr64 Void 
3795  #    +0x1228 glSectionInfo    : Ptr64 Void 
3796  #    +0x1230 glSection        : Ptr64 Void 
3797  #    +0x1238 glTable          : Ptr64 Void 
3798  #    +0x1240 glCurrentRC      : Ptr64 Void 
3799  #    +0x1248 glContext        : Ptr64 Void 
3800  #    +0x1250 LastStatusValue  : Uint4B 
3801  #    +0x1258 StaticUnicodeString : _UNICODE_STRING 
3802  #    +0x1268 StaticUnicodeBuffer : [261] Wchar 
3803  #    +0x1478 DeallocationStack : Ptr64 Void 
3804  #    +0x1480 TlsSlots         : [64] Ptr64 Void 
3805  #    +0x1680 TlsLinks         : _LIST_ENTRY 
3806  #    +0x1690 Vdm              : Ptr64 Void 
3807  #    +0x1698 ReservedForNtRpc : Ptr64 Void 
3808  #    +0x16a0 DbgSsReserved    : [2] Ptr64 Void 
3809  #    +0x16b0 HardErrorMode    : Uint4B 
3810  #    +0x16b8 Instrumentation  : [11] Ptr64 Void 
3811  #    +0x1710 ActivityId       : _GUID 
3812  #    +0x1720 SubProcessTag    : Ptr64 Void 
3813  #    +0x1728 EtwLocalData     : Ptr64 Void 
3814  #    +0x1730 EtwTraceData     : Ptr64 Void 
3815  #    +0x1738 WinSockData      : Ptr64 Void 
3816  #    +0x1740 GdiBatchCount    : Uint4B 
3817  #    +0x1744 CurrentIdealProcessor : _PROCESSOR_NUMBER 
3818  #    +0x1744 IdealProcessorValue : Uint4B 
3819  #    +0x1744 ReservedPad0     : UChar 
3820  #    +0x1745 ReservedPad1     : UChar 
3821  #    +0x1746 ReservedPad2     : UChar 
3822  #    +0x1747 IdealProcessor   : UChar 
3823  #    +0x1748 GuaranteedStackBytes : Uint4B 
3824  #    +0x1750 ReservedForPerf  : Ptr64 Void 
3825  #    +0x1758 ReservedForOle   : Ptr64 Void 
3826  #    +0x1760 WaitingOnLoaderLock : Uint4B 
3827  #    +0x1768 SavedPriorityState : Ptr64 Void 
3828  #    +0x1770 SoftPatchPtr1    : Uint8B 
3829  #    +0x1778 ThreadPoolData   : Ptr64 Void 
3830  #    +0x1780 TlsExpansionSlots : Ptr64 Ptr64 Void 
3831  #    +0x1788 DeallocationBStore : Ptr64 Void 
3832  #    +0x1790 BStoreLimit      : Ptr64 Void 
3833  #    +0x1798 MuiGeneration    : Uint4B 
3834  #    +0x179c IsImpersonating  : Uint4B 
3835  #    +0x17a0 NlsCache         : Ptr64 Void 
3836  #    +0x17a8 pShimData        : Ptr64 Void 
3837  #    +0x17b0 HeapVirtualAffinity : Uint4B 
3838  #    +0x17b8 CurrentTransactionHandle : Ptr64 Void 
3839  #    +0x17c0 ActiveFrame      : Ptr64 _TEB_ACTIVE_FRAME 
3840  #    +0x17c8 FlsData          : Ptr64 Void 
3841  #    +0x17d0 PreferredLanguages : Ptr64 Void 
3842  #    +0x17d8 UserPrefLanguages : Ptr64 Void 
3843  #    +0x17e0 MergedPrefLanguages : Ptr64 Void 
3844  #    +0x17e8 MuiImpersonation : Uint4B 
3845  #    +0x17ec CrossTebFlags    : Uint2B 
3846  #    +0x17ec SpareCrossTebBits : Pos 0, 16 Bits 
3847  #    +0x17ee SameTebFlags     : Uint2B 
3848  #    +0x17ee SafeThunkCall    : Pos 0, 1 Bit 
3849  #    +0x17ee InDebugPrint     : Pos 1, 1 Bit 
3850  #    +0x17ee HasFiberData     : Pos 2, 1 Bit 
3851  #    +0x17ee SkipThreadAttach : Pos 3, 1 Bit 
3852  #    +0x17ee WerInShipAssertCode : Pos 4, 1 Bit 
3853  #    +0x17ee RanProcessInit   : Pos 5, 1 Bit 
3854  #    +0x17ee ClonedThread     : Pos 6, 1 Bit 
3855  #    +0x17ee SuppressDebugMsg : Pos 7, 1 Bit 
3856  #    +0x17ee DisableUserStackWalk : Pos 8, 1 Bit 
3857  #    +0x17ee RtlExceptionAttached : Pos 9, 1 Bit 
3858  #    +0x17ee InitialThread    : Pos 10, 1 Bit 
3859  #    +0x17ee SpareSameTebBits : Pos 11, 5 Bits 
3860  #    +0x17f0 TxnScopeEnterCallback : Ptr64 Void 
3861  #    +0x17f8 TxnScopeExitCallback : Ptr64 Void 
3862  #    +0x1800 TxnScopeContext  : Ptr64 Void 
3863  #    +0x1808 LockCount        : Uint4B 
3864  #    +0x180c SpareUlong0      : Uint4B 
3865  #    +0x1810 ResourceRetValue : Ptr64 Void 
3866 -class _TEB_W7_64(Structure): 
3867      _pack_ = 8 
3868      _fields_ = [ 
3869          ("NtTib",                           NT_TIB), 
3870          ("EnvironmentPointer",              PVOID), 
3871          ("ClientId",                        CLIENT_ID), 
3872          ("ActiveRpcHandle",                 HANDLE), 
3873          ("ThreadLocalStoragePointer",       PVOID), 
3874          ("ProcessEnvironmentBlock",         PVOID), # PPEB 
3875          ("LastErrorValue",                  DWORD), 
3876          ("CountOfOwnedCriticalSections",    DWORD), 
3877          ("CsrClientThread",                 PVOID), 
3878          ("Win32ThreadInfo",                 PVOID), 
3879          ("User32Reserved",                  DWORD * 26), 
3880          ("UserReserved",                    DWORD * 5), 
3881          ("WOW32Reserved",                   PVOID), 
3882          ("CurrentLocale",                   DWORD), 
3883          ("FpSoftwareStatusRegister",        DWORD), 
3884          ("SystemReserved1",                 PVOID * 54), 
3885          ("ExceptionCode",                   SDWORD), 
3886          ("ActivationContextStackPointer",   PVOID), # PACTIVATION_CONTEXT_STACK 
3887          ("SpareBytes",                      UCHAR * 24), 
3888          ("TxFsContext",                     DWORD), 
3889          ("GdiTebBatch",                     GDI_TEB_BATCH), 
3890          ("RealClientId",                    CLIENT_ID), 
3891          ("GdiCachedProcessHandle",          HANDLE), 
3892          ("GdiClientPID",                    DWORD), 
3893          ("GdiClientTID",                    DWORD), 
3894          ("GdiThreadLocalInfo",              PVOID), 
3895          ("Win32ClientInfo",                 DWORD * 62), 
3896          ("glDispatchTable",                 PVOID * 233), 
3897          ("glReserved1",                     QWORD * 29), 
3898          ("glReserved2",                     PVOID), 
3899          ("glSectionInfo",                   PVOID), 
3900          ("glSection",                       PVOID), 
3901          ("glTable",                         PVOID), 
3902          ("glCurrentRC",                     PVOID), 
3903          ("glContext",                       PVOID), 
3904          ("LastStatusValue",                 NTSTATUS), 
3905          ("StaticUnicodeString",             UNICODE_STRING), 
3906          ("StaticUnicodeBuffer",             WCHAR * 261), 
3907          ("DeallocationStack",               PVOID), 
3908          ("TlsSlots",                        PVOID * 64), 
3909          ("TlsLinks",                        LIST_ENTRY), 
3910          ("Vdm",                             PVOID), 
3911          ("ReservedForNtRpc",                PVOID), 
3912          ("DbgSsReserved",                   PVOID * 2), 
3913          ("HardErrorMode",                   DWORD), 
3914          ("Instrumentation",                 PVOID * 11), 
3915          ("ActivityId",                      GUID), 
3916          ("SubProcessTag",                   PVOID), 
3917          ("EtwLocalData",                    PVOID), 
3918          ("EtwTraceData",                    PVOID), 
3919          ("WinSockData",                     PVOID), 
3920          ("GdiBatchCount",                   DWORD), 
3921          ("CurrentIdealProcessor",           PROCESSOR_NUMBER), 
3922          ("IdealProcessorValue",             DWORD), 
3923          ("ReservedPad0",                    UCHAR), 
3924          ("ReservedPad1",                    UCHAR), 
3925          ("ReservedPad2",                    UCHAR), 
3926          ("IdealProcessor",                  UCHAR), 
3927          ("GuaranteedStackBytes",            DWORD), 
3928          ("ReservedForPerf",                 PVOID), 
3929          ("ReservedForOle",                  PVOID), 
3930          ("WaitingOnLoaderLock",             DWORD), 
3931          ("SavedPriorityState",              PVOID), 
3932          ("SoftPatchPtr1",                   PVOID), 
3933          ("ThreadPoolData",                  PVOID), 
3934          ("TlsExpansionSlots",               PVOID), # Ptr64 Ptr64 Void 
3935          ("DeallocationBStore",              PVOID), 
3936          ("BStoreLimit",                     PVOID), 
3937          ("MuiGeneration",                   DWORD), 
3938          ("IsImpersonating",                 BOOL), 
3939          ("NlsCache",                        PVOID), 
3940          ("pShimData",                       PVOID), 
3941          ("HeapVirtualAffinity",             DWORD), 
3942          ("CurrentTransactionHandle",        HANDLE), 
3943          ("ActiveFrame",                     PVOID), # PTEB_ACTIVE_FRAME 
3944          ("FlsData",                         PVOID), 
3945          ("PreferredLanguages",              PVOID), 
3946          ("UserPrefLanguages",               PVOID), 
3947          ("MergedPrefLanguages",             PVOID), 
3948          ("MuiImpersonation",                BOOL), 
3949          ("CrossTebFlags",                   WORD), 
3950          ("SameTebFlags",                    WORD), 
3951          ("TxnScopeEnterCallback",           PVOID), 
3952          ("TxnScopeExitCallback",            PVOID), 
3953          ("TxnScopeContext",                 PVOID), 
3954          ("LockCount",                       DWORD), 
3955          ("SpareUlong0",                     ULONG), 
3956          ("ResourceRetValue",                PVOID), 
3957  ] 
3958   
3959  # Use the correct TEB structure definition. 
3960  # Defaults to the latest Windows version. 
3961 -class TEB(Structure): 
3962      _pack_ = 8 
3963      if os == 'Windows NT': 
3964          _pack_   = _TEB_NT._pack_ 
3965          _fields_ = _TEB_NT._fields_ 
3966      elif os == 'Windows 2000': 
3967          _fields_ = _TEB_2000._fields_ 
3968      elif os == 'Windows XP': 
3969          _fields_ = _TEB_XP._fields_ 
3970      elif os == 'Windows XP (64 bits)': 
3971          _fields_ = _TEB_XP_64._fields_ 
3972      elif os == 'Windows 2003': 
3973          _fields_ = _TEB_2003._fields_ 
3974      elif os == 'Windows 2003 (64 bits)': 
3975          _fields_ = _TEB_2003_64._fields_ 
3976      elif os == 'Windows 2008': 
3977          _fields_ = _TEB_2008._fields_ 
3978      elif os == 'Windows 2008 (64 bits)': 
3979          _fields_ = _TEB_2008_64._fields_ 
3980      elif os == 'Windows Vista': 
3981          _fields_ = _TEB_Vista._fields_ 
3982      elif os == 'Windows Vista (64 bits)': 
3983          _fields_ = _TEB_Vista_64._fields_ 
3984      elif os == 'Windows 7': 
3985          _fields_ = _TEB_W7._fields_ 
3986      elif os == 'Windows 7 (64 bits)': 
3987          _fields_ = _TEB_W7_64._fields_ 
3988      elif sizeof(SIZE_T) == sizeof(DWORD): 
3989          _fields_ = _TEB_W7._fields_ 
3990      else: 
3991          _fields_ = _TEB_W7_64._fields_ 
3992  PTEB = POINTER(TEB) 
3993