
Source Code for Module winappdbg.win32.peb_teb

   1  # Copyright (c) 2009-2010, Mario Vilas 
   2  # All rights reserved. 
   3  # 
   4  # Redistribution and use in source and binary forms, with or without 
   5  # modification, are permitted provided that the following conditions are met: 
   6  # 
   7  #     * Redistributions of source code must retain the above copyright notice, 
   8  #       this list of conditions and the following disclaimer. 
   9  #     * Redistributions in binary form must reproduce the above copyright 
  10  #       notice,this list of conditions and the following disclaimer in the 
  11  #       documentation and/or other materials provided with the distribution. 
  12  #     * Neither the name of the copyright holder nor the names of its 
  13  #       contributors may be used to endorse or promote products derived from 
  14  #       this software without specific prior written permission. 
  15  # 
  16  # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 
  17  # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
  18  # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
  19  # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 
  20  # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
  21  # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
  22  # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 
  23  # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
  24  # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
  25  # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
  26  # POSSIBILITY OF SUCH DAMAGE. 
  27   
  28  """ 
  29  PEB and TEB structures, constants and data types. 
  30  """ 
  31   
__revision__ = "$Id: peb_teb.py 666 2010-04-25 14:46:25Z qvasimodo $"  # Subversion $Id$ keyword, already expanded
  33   
  34  from defines import * 
  35  from version import os 
  36   
  37  #--- PEB and TEB structures, constants and data types ------------------------- 
  38   
  39  # From http://www.nirsoft.net/kernel_struct/vista/CLIENT_ID.html 
  40  # 
  41  # typedef struct _CLIENT_ID 
  42  # { 
  43  #     PVOID UniqueProcess; 
  44  #     PVOID UniqueThread; 
  45  # } CLIENT_ID, *PCLIENT_ID; 
class CLIENT_ID(Structure):
    """
    ctypes mirror of the native CLIENT_ID pair (C declaration above).

    Both members are pointer-sized slots; per the referenced NirSoft layout
    they carry the process and thread identifiers of a client, stored as
    PVOID rather than as integers.
    """
    _fields_ = [
        ("UniqueProcess", PVOID),
        ("UniqueThread",  PVOID),
    ]
51 52 # From MSDN: 53 # 54 # typedef struct _LDR_DATA_TABLE_ENTRY { 55 # BYTE Reserved1[2]; 56 # LIST_ENTRY InMemoryOrderLinks; 57 # PVOID Reserved2[2]; 58 # PVOID DllBase; 59 # PVOID EntryPoint; 60 # PVOID Reserved3; 61 # UNICODE_STRING FullDllName; 62 # BYTE Reserved4[8]; 63 # PVOID Reserved5[3]; 64 # union { 65 # ULONG CheckSum; 66 # PVOID Reserved6; 67 # }; 68 # ULONG TimeDateStamp; 69 # } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY; 70 ##class LDR_DATA_TABLE_ENTRY(Structure): 71 ## _fields_ = [ 72 ## ("Reserved1", BYTE * 2), 73 ## ("InMemoryOrderLinks", LIST_ENTRY), 74 ## ("Reserved2", PVOID * 2), 75 ## ("DllBase", PVOID), 76 ## ("EntryPoint", PVOID), 77 ## ("Reserved3", PVOID), 78 ## ("FullDllName", UNICODE_STRING), 79 ## ("Reserved4", BYTE * 8), 80 ## ("Reserved5", PVOID * 3), 81 ## ("CheckSum", ULONG), 82 ## ("TimeDateStamp", ULONG), 83 ##] 84 85 # From MSDN: 86 # 87 # typedef struct _PEB_LDR_DATA { 88 # BYTE Reserved1[8]; 89 # PVOID Reserved2[3]; 90 # LIST_ENTRY InMemoryOrderModuleList; 91 # } PEB_LDR_DATA, 92 # *PPEB_LDR_DATA; 93 ##class PEB_LDR_DATA(Structure): 94 ## _fields_ = [ 95 ## ("Reserved1", BYTE), 96 ## ("Reserved2", PVOID), 97 ## ("InMemoryOrderModuleList", LIST_ENTRY), 98 ##] 99 100 # From MSDN: 101 # 102 # typedef struct _RTL_USER_PROCESS_PARAMETERS { 103 # BYTE Reserved1[16]; 104 # PVOID Reserved2[10]; 105 # UNICODE_STRING ImagePathName; 106 # UNICODE_STRING CommandLine; 107 # } RTL_USER_PROCESS_PARAMETERS, 108 # *PRTL_USER_PROCESS_PARAMETERS;
class RTL_USER_PROCESS_PARAMETERS(Structure):
    """
    Partial ctypes mirror of RTL_USER_PROCESS_PARAMETERS.

    Only the members MSDN documents (ImagePathName, CommandLine) plus the
    undocumented Environment pointer right after them are named; Reserved1
    and Reserved2 are opaque padding sized so the named members land at
    their native offsets (the "dt" listing further down in this module shows
    ImagePathName at +0x038, CommandLine at +0x040 and Environment at +0x048
    on 32-bit, which is what 16 bytes + 10 pointers yields).

    Security note (review): this block lives in the target's own writable
    memory, so a process can rewrite its CommandLine / ImagePathName after
    start-up. Treat them as self-reported when used for forensics or policy
    decisions, and bound any read of the UNICODE_STRING buffers by their
    Length member rather than trusting a terminator.
    """
    _fields_ = [
        ("Reserved1",     BYTE * 16),
        ("Reserved2",     PVOID * 10),
        ("ImagePathName", UNICODE_STRING),
        ("CommandLine",   UNICODE_STRING),
        ("Environment",   PVOID),   # undocumented! (matches "+0x048 Environment" in the dt listing below)
        #
        # XXX TODO
        # This structure should be defined with all undocumented fields for
        # each version of Windows, just like it's being done for PEB and TEB.
        #
    ]
# Opaque function pointer type for PEB.PostProcessInitRoutine. Kept as a
# plain PVOID (presumably so a PEB copied out of another process holds a raw
# address instead of a ctypes function pointer into this process).
PPS_POST_PROCESS_INIT_ROUTINE = PVOID

# from MSDN:
#
# typedef struct _PEB {
#     BYTE Reserved1[2];
#     BYTE BeingDebugged;
#     BYTE Reserved2[21];
#     PPEB_LDR_DATA LoaderData;
#     PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
#     BYTE Reserved3[520];
#     PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
#     BYTE Reserved4[136];
#     ULONG SessionId;
# } PEB;
#
# The documented (mostly opaque) PEB is not used: the per-version _PEB_*
# classes further down expose the full layout instead. The draft below is
# kept for reference only; it has been corrected to match the declaration
# above (the original draft was missing the closing parenthesis on
# LoaderData/ProcessParameters and sized Reserved4 as a single BYTE).
##class PEB(Structure):
##    _fields_ = [
##        ("Reserved1",               BYTE * 2),
##        ("BeingDebugged",           BYTE),
##        ("Reserved2",               BYTE * 21),
##        ("LoaderData",              PVOID),     # PPEB_LDR_DATA
##        ("ProcessParameters",       PVOID),     # PRTL_USER_PROCESS_PARAMETERS
##        ("Reserved3",               BYTE * 520),
##        ("PostProcessInitRoutine",  PPS_POST_PROCESS_INIT_ROUTINE),
##        ("Reserved4",               BYTE * 136),
##        ("SessionId",               ULONG),
##]

# from MSDN:
#
# typedef struct _TEB {
#     BYTE Reserved1[1952];
#     PVOID Reserved2[412];
#     PVOID TlsSlots[64];
#     BYTE Reserved3[8];
#     PVOID Reserved4[26];
#     PVOID ReservedForOle;
#     PVOID Reserved5[4];
#     PVOID TlsExpansionSlots;
# } TEB,
#  *PTEB;
#
# Unused draft of the documented TEB, kept for reference. Reserved1 is
# BYTE[1952] in the declaration above (the original draft had it as
# PVOID * 1952, which would misplace every later member).
##class TEB(Structure):
##    _fields_ = [
##        ("Reserved1",           BYTE * 1952),
##        ("Reserved2",           PVOID * 412),
##        ("TlsSlots",            PVOID * 64),
##        ("Reserved3",           BYTE * 8),
##        ("Reserved4",           PVOID * 26),
##        ("ReservedForOle",      PVOID),
##        ("Reserved5",           PVOID * 4),
##        ("TlsExpansionSlots",   PVOID),
##]

# from http://undocumented.ntinternals.net/UserMode/Structures/LDR_MODULE.html
#
# typedef struct _LDR_MODULE {
#   LIST_ENTRY InLoadOrderModuleList;
#   LIST_ENTRY InMemoryOrderModuleList;
#   LIST_ENTRY InInitializationOrderModuleList;
#   PVOID BaseAddress;
#   PVOID EntryPoint;
#   ULONG SizeOfImage;
#   UNICODE_STRING FullDllName;
#   UNICODE_STRING BaseDllName;
#   ULONG Flags;
#   SHORT LoadCount;
#   SHORT TlsIndex;
#   LIST_ENTRY HashTableEntry;
#   ULONG TimeDateStamp;
# } LDR_MODULE, *PLDR_MODULE;
class LDR_MODULE(Structure):
    """
    One entry of the loader's module lists (undocumented LDR_MODULE layout,
    C declaration above).

    The three LIST_ENTRY members are the links by which this record is
    threaded into the like-named lists headed by PEB_LDR_DATA. A pointer
    obtained by following, say, InMemoryOrderModuleList points at that
    member, not at the start of the record, so it has to be rebased by the
    member's offset before being read as an LDR_MODULE.

    Security note (review): walking these lists is how import-less code
    (shellcode) finds loaded DLLs, and a process can unlink or forge entries
    in its own lists. When walking them from a debugger, bound the walk
    (stop at the list head, detect cycles) and clamp reads of FullDllName /
    BaseDllName to their Length member before dereferencing the buffers.
    """
    _fields_ = [
        ("InLoadOrderModuleList",           LIST_ENTRY),
        ("InMemoryOrderModuleList",         LIST_ENTRY),
        ("InInitializationOrderModuleList", LIST_ENTRY),
        ("BaseAddress",                     PVOID),
        ("EntryPoint",                      PVOID),
        ("SizeOfImage",                     ULONG),
        ("FullDllName",                     UNICODE_STRING),
        ("BaseDllName",                     UNICODE_STRING),
        ("Flags",                           ULONG),
        ("LoadCount",                       SHORT),
        ("TlsIndex",                        SHORT),
        ("HashTableEntry",                  LIST_ENTRY),
        ("TimeDateStamp",                   ULONG),
    ]
209 210 # from http://undocumented.ntinternals.net/UserMode/Structures/PEB_LDR_DATA.html 211 # 212 # typedef struct _PEB_LDR_DATA { 213 # ULONG Length; 214 # BOOLEAN Initialized; 215 # PVOID SsHandle; 216 # LIST_ENTRY InLoadOrderModuleList; 217 # LIST_ENTRY InMemoryOrderModuleList; 218 # LIST_ENTRY InInitializationOrderModuleList; 219 # } PEB_LDR_DATA, *PPEB_LDR_DATA;
class PEB_LDR_DATA(Structure):
    """
    Loader bookkeeping block that PEB.Ldr points to (undocumented layout,
    C declaration above).

    The three LIST_ENTRY members are list heads; the records they link are
    LDR_MODULE entries (defined above), each threaded through its
    like-named LIST_ENTRY member, so one module is reachable from all three
    lists at three different offsets into the same record.

    NOTE(review): a process can unlink its own modules from these lists, so
    absence from a list is not proof that an image is not mapped.
    """
    _fields_ = [
        ("Length",                          ULONG),
        ("Initialized",                     BOOLEAN),
        ("SsHandle",                        PVOID),
        ("InLoadOrderModuleList",           LIST_ENTRY),
        ("InMemoryOrderModuleList",         LIST_ENTRY),
        ("InInitializationOrderModuleList", LIST_ENTRY),
    ]
229 230 # From http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Process/PEB_FREE_BLOCK.html 231 # 232 # typedef struct _PEB_FREE_BLOCK { 233 # PEB_FREE_BLOCK *Next; 234 # ULONG Size; 235 # } PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;
class PEB_FREE_BLOCK(Structure):
    """
    Self-referential free-block record (C declaration above).

    Declared with an empty body first and given its _fields_ below: the
    "Next" member's type must exist before the field list is built, and a
    typed POINTER(PEB_FREE_BLOCK) would need the class name. With the PVOID
    actually used the two-step definition is no longer strictly required,
    but it is kept so the commented-out typed alias can be restored without
    reordering anything.
    """
    pass

##PPEB_FREE_BLOCK = POINTER(PEB_FREE_BLOCK)
# Raw address rather than a typed pointer, like PPS_POST_PROCESS_INIT_ROUTINE
# (presumably so a value read from another process stays a plain integer).
PPEB_FREE_BLOCK = PVOID

PEB_FREE_BLOCK._fields_ = [
    ("Next", PPEB_FREE_BLOCK),
    ("Size", ULONG),
]

# From http://undocumented.ntinternals.net/UserMode/Structures/RTL_DRIVE_LETTER_CURDIR.html
#
# typedef struct _RTL_DRIVE_LETTER_CURDIR {
#   USHORT Flags;
#   USHORT Length;
#   ULONG TimeStamp;
#   UNICODE_STRING DosPath;
# } RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;
class RTL_DRIVE_LETTER_CURDIR(Structure):
    """
    Per-drive-letter current directory record (undocumented layout, C
    declaration above). The "dt _RTL_USER_PROCESS_PARAMETERS" listing further
    down shows 32 of these embedded at +0x090 as the "CurrentDirectores"
    array (the misspelling is the symbol's actual name).

    NOTE(review): DosPath is a UNICODE_STRING whose buffer lives in the
    target process; clamp reads to its Length member.
    """
    _fields_ = [
        ("Flags",     USHORT),
        ("Length",    USHORT),
        ("TimeStamp", ULONG),
        ("DosPath",   UNICODE_STRING),
    ]
262 263 # From http://www.nirsoft.net/kernel_struct/vista/CURDIR.html 264 # 265 # typedef struct _CURDIR 266 # { 267 # UNICODE_STRING DosPath; 268 # PVOID Handle; 269 # } CURDIR, *PCURDIR;
class CURDIR(Structure):
    """
    Current directory of a process: the DOS path plus the handle backing it
    (C declaration above). It appears as the CurrentDirectory member of
    RTL_USER_PROCESS_PARAMETERS in the "dt" listing further down.

    NOTE(review): Handle is an entry in the *target's* handle table; it is
    not usable from this process without duplicating it first.
    """
    _fields_ = [
        ("DosPath", UNICODE_STRING),
        ("Handle",  PVOID),
    ]
275 276 # From MSDN: 277 # 278 # typedef struct _RTL_USER_PROCESS_PARAMETERS { 279 # BYTE Reserved1[16]; 280 # PVOID Reserved2[10]; 281 # UNICODE_STRING ImagePathName; 282 # UNICODE_STRING CommandLine; 283 # } RTL_USER_PROCESS_PARAMETERS, 284 # *PRTL_USER_PROCESS_PARAMETERS; 285 ##class RTL_USER_PROCESS_PARAMETERS(Structure): 286 ## _fields_ = [ 287 ## ("Reserved1", BYTE * 16), 288 ## ("Reserved2", PVOID * 10), 289 ## ("ImagePathName", UNICODE_STRING), 290 ## ("CommandLine", UNICODE_STRING), 291 ##] 292 293 # kd> dt _RTL_USER_PROCESS_PARAMETERS 294 # ntdll!_RTL_USER_PROCESS_PARAMETERS 295 # +0x000 MaximumLength : Uint4B 296 # +0x004 Length : Uint4B 297 # +0x008 Flags : Uint4B 298 # +0x00c DebugFlags : Uint4B 299 # +0x010 ConsoleHandle : Ptr32 Void 300 # +0x014 ConsoleFlags : Uint4B 301 # +0x018 StandardInput : Ptr32 Void 302 # +0x01c StandardOutput : Ptr32 Void 303 # +0x020 StandardError : Ptr32 Void 304 # +0x024 CurrentDirectory : _CURDIR 305 # +0x030 DllPath : _UNICODE_STRING 306 # +0x038 ImagePathName : _UNICODE_STRING 307 # +0x040 CommandLine : _UNICODE_STRING 308 # +0x048 Environment : Ptr32 Void 309 # +0x04c StartingX : Uint4B 310 # +0x050 StartingY : Uint4B 311 # +0x054 CountX : Uint4B 312 # +0x058 CountY : Uint4B 313 # +0x05c CountCharsX : Uint4B 314 # +0x060 CountCharsY : Uint4B 315 # +0x064 FillAttribute : Uint4B 316 # +0x068 WindowFlags : Uint4B 317 # +0x06c ShowWindowFlags : Uint4B 318 # +0x070 WindowTitle : _UNICODE_STRING 319 # +0x078 DesktopInfo : _UNICODE_STRING 320 # +0x080 ShellInfo : _UNICODE_STRING 321 # +0x088 RuntimeData : _UNICODE_STRING 322 # +0x090 CurrentDirectores : [32] _RTL_DRIVE_LETTER_CURDIR 323 # +0x290 EnvironmentSize : Uint4B 324 ##class RTL_USER_PROCESS_PARAMETERS(Structure): 325 ## _fields_ = [ 326 ## ("MaximumLength", ULONG), 327 ## ("Length", ULONG), 328 ## ("Flags", ULONG), 329 ## ("DebugFlags", ULONG), 330 ## ("ConsoleHandle", PVOID), 331 ## ("ConsoleFlags", ULONG), 332 ## ("StandardInput", HANDLE), 333 ## ("StandardOutput", 
HANDLE), 334 ## ("StandardError", HANDLE), 335 ## ("CurrentDirectory", CURDIR), 336 ## ("DllPath", UNICODE_STRING), 337 ## ("ImagePathName", UNICODE_STRING), 338 ## ("CommandLine", UNICODE_STRING), 339 ## ("Environment", PVOID), 340 ## ("StartingX", ULONG), 341 ## ("StartingY", ULONG), 342 ## ("CountX", ULONG), 343 ## ("CountY", ULONG), 344 ## ("CountCharsX", ULONG), 345 ## ("CountCharsY", ULONG), 346 ## ("FillAttribute", ULONG), 347 ## ("WindowFlags", ULONG), 348 ## ("ShowWindowFlags", ULONG), 349 ## ("WindowTitle", UNICODE_STRING), 350 ## ("DesktopInfo", UNICODE_STRING), 351 ## ("ShellInfo", UNICODE_STRING), 352 ## ("RuntimeData", UNICODE_STRING), 353 ## ("CurrentDirectores", RTL_DRIVE_LETTER_CURDIR * 32), # typo here? 354 ## 355 ## # Windows 2008 and Vista 356 ## ("EnvironmentSize", ULONG), 357 ##] 358 ## @property 359 ## def CurrentDirectories(self): 360 ## return self.CurrentDirectores 361 362 # From http://www.nirsoft.net/kernel_struct/vista/RTL_CRITICAL_SECTION_DEBUG.html 363 # 364 # typedef struct _RTL_CRITICAL_SECTION_DEBUG 365 # { 366 # WORD Type; 367 # WORD CreatorBackTraceIndex; 368 # PRTL_CRITICAL_SECTION CriticalSection; 369 # LIST_ENTRY ProcessLocksList; 370 # ULONG EntryCount; 371 # ULONG ContentionCount; 372 # ULONG Flags; 373 # WORD CreatorBackTraceIndexHigh; 374 # WORD SpareUSHORT; 375 # } RTL_CRITICAL_SECTION_DEBUG, *PRTL_CRITICAL_SECTION_DEBUG; 376 # 377 # From http://www.nirsoft.net/kernel_struct/vista/RTL_CRITICAL_SECTION.html 378 # 379 # typedef struct _RTL_CRITICAL_SECTION 380 # { 381 # PRTL_CRITICAL_SECTION_DEBUG DebugInfo; 382 # LONG LockCount; 383 # LONG RecursionCount; 384 # PVOID OwningThread; 385 # PVOID LockSemaphore; 386 # ULONG SpinCount; 387 # } RTL_CRITICAL_SECTION, *PRTL_CRITICAL_SECTION; 388 #
class RTL_CRITICAL_SECTION(Structure):
    """
    User-mode critical section (C declaration above).

    DebugInfo is declared PVOID although its native type is
    PRTL_CRITICAL_SECTION_DEBUG: that class is defined right after this one
    (the two reference each other) and the typed alias is only created once
    both exist.

    NOTE(review): winnt.h declares SpinCount as ULONG_PTR. The ULONG used
    here is layout-exact for 32-bit targets only; on x64 it would read just
    the low half of the member - confirm before relying on it there.
    """
    _fields_ = [
        ("DebugInfo",      PVOID),   # PRTL_CRITICAL_SECTION_DEBUG
        ("LockCount",      LONG),
        ("RecursionCount", LONG),
        ("OwningThread",   PVOID),
        ("LockSemaphore",  PVOID),
        ("SpinCount",      ULONG),
    ]
class RTL_CRITICAL_SECTION_DEBUG(Structure):
    """
    Debug record attached to an RTL_CRITICAL_SECTION through its DebugInfo
    member (C declaration above). CriticalSection is the back-pointer to the
    owning RTL_CRITICAL_SECTION, kept as PVOID here for the same reason
    DebugInfo is on the other side.
    """
    _fields_ = [
        ("Type",                      WORD),
        ("CreatorBackTraceIndex",     WORD),
        ("CriticalSection",           PVOID),   # PRTL_CRITICAL_SECTION
        ("ProcessLocksList",          LIST_ENTRY),
        ("EntryCount",                ULONG),
        ("ContentionCount",           ULONG),
        ("Flags",                     ULONG),
        ("CreatorBackTraceIndexHigh", WORD),
        ("SpareUSHORT",               WORD),
    ]
# Typed pointer aliases for the structures above. Note that the _PEB_*
# classes below do NOT use them: their pointer members are declared PVOID
# with the native type left in a comment, presumably so a PEB copied out of
# another process holds plain addresses rather than ctypes pointers into
# this process.
PRTL_CRITICAL_SECTION       = POINTER(RTL_CRITICAL_SECTION)
PRTL_CRITICAL_SECTION_DEBUG = POINTER(RTL_CRITICAL_SECTION_DEBUG)

PPEB_LDR_DATA                = POINTER(PEB_LDR_DATA)
PRTL_USER_PROCESS_PARAMETERS = POINTER(RTL_USER_PROCESS_PARAMETERS)

# Function pointer type of PEB.FastPebLockRoutine / FastPebUnlockRoutine,
# kept opaque.
PPEBLOCKROUTINE = PVOID

# BitField
# Bit masks for the one-byte PEB "BitField" member at +0x003. The XP-64 and
# 2003 "dt" listings below define only bit 0 (ImageUsesLargePages) in that
# byte; the remaining masks belong to later Windows versions.
ImageUsesLargePages          = 1 << 0
IsProtectedProcess           = 1 << 1
IsLegacyProcess              = 1 << 2
IsImageDynamicallyRelocated  = 1 << 3
SkipPatchingUser32Forwarders = 1 << 4

# CrossProcessFlags
# Bit masks for a PEB member of the same name. It does not occur in the
# _PEB_NT / _PEB_XP / _PEB_XP_64 layouts visible in this part of the module,
# so these apply to later versions only - verify against the matching
# _PEB_* class before use.
ProcessInJob        = 1 << 0
ProcessInitializing = 1 << 1
ProcessUsingVEH     = 1 << 2
ProcessUsingVCH     = 1 << 3
ProcessUsingFTH     = 1 << 4

# TracingFlags
# Same caveat as CrossProcessFlags: a later-version PEB member.
HeapTracingEnabled    = 1 << 0
CritSecTracingEnabled = 1 << 1

# NtGlobalFlags
# Values of the PEB "NtGlobalFlag" member (the GlobalFlag / gflags bits).
#
# NOTE(review): FLG_VALID_BITS covers only the low 22 bits, so it does not
# include FLG_ENABLE_CLOSE_EXCEPTION (0x00400000) and the higher values
# defined below; presumably it was copied from an older header. Do not use
# it to validate a NtGlobalFlag value read from a newer process.
#
# Security note (review): a process started under a debugger commonly has
# FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK |
# FLG_HEAP_VALIDATE_PARAMETERS (0x70) set in NtGlobalFlag, which is why
# anti-debugging code inspects this member. A debugger that wants to stay
# hidden clears those bits in the target, so the value is self-reported.
FLG_VALID_BITS                  = 0x003FFFFF # not a flag
FLG_STOP_ON_EXCEPTION           = 0x00000001
FLG_SHOW_LDR_SNAPS              = 0x00000002
FLG_DEBUG_INITIAL_COMMAND       = 0x00000004
FLG_STOP_ON_HUNG_GUI            = 0x00000008
FLG_HEAP_ENABLE_TAIL_CHECK      = 0x00000010
FLG_HEAP_ENABLE_FREE_CHECK      = 0x00000020
FLG_HEAP_VALIDATE_PARAMETERS    = 0x00000040
FLG_HEAP_VALIDATE_ALL           = 0x00000080
FLG_POOL_ENABLE_TAIL_CHECK      = 0x00000100
FLG_POOL_ENABLE_FREE_CHECK      = 0x00000200
FLG_POOL_ENABLE_TAGGING         = 0x00000400
FLG_HEAP_ENABLE_TAGGING         = 0x00000800
FLG_USER_STACK_TRACE_DB         = 0x00001000
FLG_KERNEL_STACK_TRACE_DB       = 0x00002000
FLG_MAINTAIN_OBJECT_TYPELIST    = 0x00004000
FLG_HEAP_ENABLE_TAG_BY_DLL      = 0x00008000
FLG_IGNORE_DEBUG_PRIV           = 0x00010000
FLG_ENABLE_CSRDEBUG             = 0x00020000
FLG_ENABLE_KDEBUG_SYMBOL_LOAD   = 0x00040000
FLG_DISABLE_PAGE_KERNEL_STACKS  = 0x00080000
FLG_HEAP_ENABLE_CALL_TRACING    = 0x00100000
FLG_HEAP_DISABLE_COALESCING     = 0x00200000
FLG_ENABLE_CLOSE_EXCEPTION      = 0x00400000
FLG_ENABLE_EXCEPTION_LOGGING    = 0x00800000
FLG_ENABLE_HANDLE_TYPE_TAGGING  = 0x01000000
FLG_HEAP_PAGE_ALLOCS            = 0x02000000
FLG_DEBUG_WINLOGON              = 0x04000000
FLG_ENABLE_DBGPRINT_BUFFERING   = 0x08000000
FLG_EARLY_CRITICAL_SECTION_EVT  = 0x10000000
FLG_DISABLE_DLL_VERIFICATION    = 0x80000000
class _PEB_NT(Structure):
    """
    Process Environment Block, Windows NT 4 layout (32-bit only).

    The size_t-like members (HeapSegmentReserve and friends) are fixed
    ULONG and every pointer member is PVOID/HANDLE, so the offsets are only
    right when the ctypes pointer size is 4 bytes, i.e. a 32-bit Python
    reading a 32-bit target; the 64-bit layouts below use QWORD for those
    members. Pointer members keep their native type in a comment rather
    than using POINTER(...), presumably so a PEB copied out of another
    process holds plain addresses.

    NOTE(review): BeingDebugged and NtGlobalFlag live in the target's own
    writable memory and are the members anti-debugging code reads most
    often; a debugger that wants to stay hidden rewrites them, so neither
    is authoritative for "is this process being debugged".
    """
    _pack_ = 4
    _fields_ = [
        ("InheritedAddressSpace",           BOOLEAN),
        ("ReadImageFileExecOptions",        UCHAR),
        ("BeingDebugged",                   BOOLEAN),   # +0x002; commonly cited as the byte behind IsDebuggerPresent()
        ("BitField",                        UCHAR),     # named SpareBool in the XP listing below; the BitField masks above are later-version bits
        ("Mutant",                          HANDLE),
        ("ImageBaseAddress",                PVOID),
        ("Ldr",                             PVOID),     # PPEB_LDR_DATA
        ("ProcessParameters",               PVOID),     # PRTL_USER_PROCESS_PARAMETERS
        ("SubSystemData",                   PVOID),
        ("ProcessHeap",                     PVOID),
        ("FastPebLock",                     PVOID),
        ("FastPebLockRoutine",              PVOID),     # PPEBLOCKROUTINE
        ("FastPebUnlockRoutine",            PVOID),     # PPEBLOCKROUTINE
        ("EnvironmentUpdateCount",          ULONG),
        ("KernelCallbackTable",             PVOID),     # Ptr32 Ptr32 Void
        ("EventLogSection",                 PVOID),
        ("EventLog",                        PVOID),
        ("FreeList",                        PVOID),     # PPEB_FREE_BLOCK
        ("TlsExpansionCounter",             ULONG),
        ("TlsBitmap",                       PVOID),
        ("TlsBitmapBits",                   ULONG * 2),
        ("ReadOnlySharedMemoryBase",        PVOID),
        ("ReadOnlySharedMemoryHeap",        PVOID),
        ("ReadOnlyStaticServerData",        PVOID),     # Ptr32 Ptr32 Void
        ("AnsiCodePageData",                PVOID),
        ("OemCodePageData",                 PVOID),
        ("UnicodeCaseTableData",            PVOID),
        ("NumberOfProcessors",              ULONG),
        ("NtGlobalFlag",                    ULONG),     # +0x068; FLG_* masks defined above
        ("Spare2",                          BYTE * 4),  # explicit 4-byte pad so CriticalSectionTimeout lands at +0x070
        ("CriticalSectionTimeout",          LONGLONG),  # LARGE_INTEGER
        ("HeapSegmentReserve",              ULONG),
        ("HeapSegmentCommit",               ULONG),
        ("HeapDeCommitTotalFreeThreshold",  ULONG),
        ("HeapDeCommitFreeBlockThreshold",  ULONG),
        ("NumberOfHeaps",                   ULONG),
        ("MaximumNumberOfHeaps",            ULONG),
        ("ProcessHeaps",                    PVOID),     # Ptr32 Ptr32 Void
        ("GdiSharedHandleTable",            PVOID),
        ("ProcessStarterHelper",            PVOID),
        ("GdiDCAttributeList",              PVOID),
        ("LoaderLock",                      PVOID),     # PRTL_CRITICAL_SECTION
        ("OSMajorVersion",                  ULONG),
        ("OSMinorVersion",                  ULONG),
        ("OSBuildNumber",                   ULONG),     # a single ULONG here; split into two WORDs (OSBuildNumber/OSCSDVersion) from XP on
        ("OSPlatformId",                    ULONG),
        ("ImageSubSystem",                  ULONG),
        ("ImageSubSystemMajorVersion",      ULONG),
        ("ImageSubSystemMinorVersion",      ULONG),
        ("ImageProcessAffinityMask",        ULONG),
        ("GdiHandleBuffer",                 ULONG * 34),
        ("PostProcessInitRoutine",          PPS_POST_PROCESS_INIT_ROUTINE),
        ("TlsExpansionBitmap",              ULONG),
        ("TlsExpansionBitmapBits",          BYTE * 128),  # same 128 bytes as the [32] Uint4B of later versions
        ("SessionId",                       ULONG),
    ]
# Windows 2000 is mapped onto the NT 4 layout as an approximation: the
# author could not obtain "dt _PEB" output on w2k. Members the two versions
# share are fine; anything past the first divergence is unverified, so treat
# _PEB_2000 offsets beyond the basic pointers with suspicion.
_PEB_2000 = _PEB_NT

# Windows XP (32-bit) PEB as dumped by "dt _PEB". Note the 4-byte hole at
# +0x06c between NtGlobalFlag and CriticalSectionTimeout, which _PEB_XP
# reproduces through _pack_ = 8 alignment of the LONGLONG.
#
# +0x000 InheritedAddressSpace : UChar
# +0x001 ReadImageFileExecOptions : UChar
# +0x002 BeingDebugged : UChar
# +0x003 SpareBool : UChar
# +0x004 Mutant : Ptr32 Void
# +0x008 ImageBaseAddress : Ptr32 Void
# +0x00c Ldr : Ptr32 _PEB_LDR_DATA
# +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS
# +0x014 SubSystemData : Ptr32 Void
# +0x018 ProcessHeap : Ptr32 Void
# +0x01c FastPebLock : Ptr32 _RTL_CRITICAL_SECTION
# +0x020 FastPebLockRoutine : Ptr32 Void
# +0x024 FastPebUnlockRoutine : Ptr32 Void
# +0x028 EnvironmentUpdateCount : Uint4B
# +0x02c KernelCallbackTable : Ptr32 Void
# +0x030 SystemReserved : [1] Uint4B
# +0x034 AtlThunkSListPtr32 : Uint4B
# +0x038 FreeList : Ptr32 _PEB_FREE_BLOCK
# +0x03c TlsExpansionCounter : Uint4B
# +0x040 TlsBitmap : Ptr32 Void
# +0x044 TlsBitmapBits : [2] Uint4B
# +0x04c ReadOnlySharedMemoryBase : Ptr32 Void
# +0x050 ReadOnlySharedMemoryHeap : Ptr32 Void
# +0x054 ReadOnlyStaticServerData : Ptr32 Ptr32 Void
# +0x058 AnsiCodePageData : Ptr32 Void
# +0x05c OemCodePageData : Ptr32 Void
# +0x060 UnicodeCaseTableData : Ptr32 Void
# +0x064 NumberOfProcessors : Uint4B
# +0x068 NtGlobalFlag : Uint4B
# +0x070 CriticalSectionTimeout : _LARGE_INTEGER
# +0x078 HeapSegmentReserve : Uint4B
# +0x07c HeapSegmentCommit : Uint4B
# +0x080 HeapDeCommitTotalFreeThreshold : Uint4B
# +0x084 HeapDeCommitFreeBlockThreshold : Uint4B
# +0x088 NumberOfHeaps : Uint4B
# +0x08c MaximumNumberOfHeaps : Uint4B
# +0x090 ProcessHeaps : Ptr32 Ptr32 Void
# +0x094 GdiSharedHandleTable : Ptr32 Void
# +0x098 ProcessStarterHelper : Ptr32 Void
# +0x09c GdiDCAttributeList : Uint4B
# +0x0a0 LoaderLock : Ptr32 Void
# +0x0a4 OSMajorVersion : Uint4B
# +0x0a8 OSMinorVersion : Uint4B
# +0x0ac OSBuildNumber : Uint2B
# +0x0ae OSCSDVersion : Uint2B
# +0x0b0 OSPlatformId : Uint4B
# +0x0b4 ImageSubsystem : Uint4B
# +0x0b8 ImageSubsystemMajorVersion : Uint4B
# +0x0bc ImageSubsystemMinorVersion : Uint4B
# +0x0c0 ImageProcessAffinityMask : Uint4B
# +0x0c4 GdiHandleBuffer : [34] Uint4B
# +0x14c PostProcessInitRoutine : Ptr32 void
# +0x150 TlsExpansionBitmap : Ptr32 Void
# +0x154 TlsExpansionBitmapBits : [32] Uint4B
# +0x1d4 SessionId : Uint4B
# +0x1d8 AppCompatFlags : _ULARGE_INTEGER
# +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER
# +0x1e8 pShimData : Ptr32 Void
# +0x1ec AppCompatInfo : Ptr32 Void
# +0x1f0 CSDVersion : _UNICODE_STRING
# +0x1f8 ActivationContextData : Ptr32 Void
# +0x1fc ProcessAssemblyStorageMap : Ptr32 Void
# +0x200 SystemDefaultActivationContextData : Ptr32 Void
# +0x204 SystemAssemblyStorageMap : Ptr32 Void
# +0x208 MinimumStackCommit : Uint4B
class _PEB_XP(Structure):
    """
    Process Environment Block, Windows XP 32-bit layout, transcribed from
    the "dt _PEB" listing directly above.

    Like _PEB_NT this is a 32-bit-only layout: the size_t-like heap members
    are DWORD and the pointer members are PVOID/HANDLE, so it is only
    layout-exact when read by a 32-bit Python; _PEB_XP_64 is the x64
    variant. _pack_ = 8 is what places the LONGLONG CriticalSectionTimeout
    at +0x070 (the listing shows a 4-byte hole after NtGlobalFlag at
    +0x068). Pointer members keep their native type in a comment instead of
    using POINTER(...), presumably so a copy read out of another process
    holds plain addresses.

    NOTE(review): BeingDebugged (+0x002) and NtGlobalFlag (+0x068) are
    writable by the target and are the classic anti-debugging probes; a
    stealth debugger rewrites them, so do not treat them as ground truth.
    """
    _pack_ = 8
    _fields_ = [
        ("InheritedAddressSpace",               BOOLEAN),
        ("ReadImageFileExecOptions",            UCHAR),
        ("BeingDebugged",                       BOOLEAN),   # +0x002
        ("SpareBool",                           UCHAR),
        ("Mutant",                              HANDLE),
        ("ImageBaseAddress",                    PVOID),
        ("Ldr",                                 PVOID),     # PPEB_LDR_DATA
        ("ProcessParameters",                   PVOID),     # PRTL_USER_PROCESS_PARAMETERS
        ("SubSystemData",                       PVOID),
        ("ProcessHeap",                         PVOID),
        ("FastPebLock",                         PVOID),
        ("FastPebLockRoutine",                  PVOID),
        ("FastPebUnlockRoutine",                PVOID),
        ("EnvironmentUpdateCount",              DWORD),
        ("KernelCallbackTable",                 PVOID),
        ("SystemReserved",                      DWORD),
        ("AtlThunkSListPtr32",                  DWORD),
        ("FreeList",                            PVOID),     # PPEB_FREE_BLOCK
        ("TlsExpansionCounter",                 DWORD),
        ("TlsBitmap",                           PVOID),
        ("TlsBitmapBits",                       DWORD * 2),
        ("ReadOnlySharedMemoryBase",            PVOID),
        ("ReadOnlySharedMemoryHeap",            PVOID),
        ("ReadOnlyStaticServerData",            PVOID),     # Ptr32 Ptr32 Void
        ("AnsiCodePageData",                    PVOID),
        ("OemCodePageData",                     PVOID),
        ("UnicodeCaseTableData",                PVOID),
        ("NumberOfProcessors",                  DWORD),
        ("NtGlobalFlag",                        DWORD),     # +0x068; FLG_* masks defined above
        ("CriticalSectionTimeout",              LONGLONG),  # LARGE_INTEGER, +0x070 after 4 bytes of alignment padding
        ("HeapSegmentReserve",                  DWORD),
        ("HeapSegmentCommit",                   DWORD),
        ("HeapDeCommitTotalFreeThreshold",      DWORD),
        ("HeapDeCommitFreeBlockThreshold",      DWORD),
        ("NumberOfHeaps",                       DWORD),
        ("MaximumNumberOfHeaps",                DWORD),
        ("ProcessHeaps",                        PVOID),     # Ptr32 Ptr32 Void
        ("GdiSharedHandleTable",                PVOID),
        ("ProcessStarterHelper",                PVOID),
        ("GdiDCAttributeList",                  DWORD),
        ("LoaderLock",                          PVOID),     # PRTL_CRITICAL_SECTION
        ("OSMajorVersion",                      DWORD),
        ("OSMinorVersion",                      DWORD),
        ("OSBuildNumber",                       WORD),
        ("OSCSDVersion",                        WORD),
        ("OSPlatformId",                        DWORD),
        ("ImageSubsystem",                      DWORD),
        ("ImageSubsystemMajorVersion",          DWORD),
        ("ImageSubsystemMinorVersion",          DWORD),
        ("ImageProcessAffinityMask",            DWORD),
        ("GdiHandleBuffer",                     DWORD * 34),
        ("PostProcessInitRoutine",              PPS_POST_PROCESS_INIT_ROUTINE),
        ("TlsExpansionBitmap",                  PVOID),
        ("TlsExpansionBitmapBits",              DWORD * 32),
        ("SessionId",                           DWORD),     # +0x1d4
        ("AppCompatFlags",                      ULONGLONG), # ULARGE_INTEGER
        ("AppCompatFlagsUser",                  ULONGLONG), # ULARGE_INTEGER
        ("pShimData",                           PVOID),
        ("AppCompatInfo",                       PVOID),
        ("CSDVersion",                          UNICODE_STRING),
        ("ActivationContextData",               PVOID),     # ACTIVATION_CONTEXT_DATA
        ("ProcessAssemblyStorageMap",           PVOID),     # ASSEMBLY_STORAGE_MAP
        ("SystemDefaultActivationContextData",  PVOID),     # ACTIVATION_CONTEXT_DATA
        ("SystemAssemblyStorageMap",            PVOID),     # ASSEMBLY_STORAGE_MAP
        ("MinimumStackCommit",                  DWORD),     # +0x208, last member in the listing
    ]
666 667 # +0x000 InheritedAddressSpace : UChar 668 # +0x001 ReadImageFileExecOptions : UChar 669 # +0x002 BeingDebugged : UChar 670 # +0x003 BitField : UChar 671 # +0x003 ImageUsesLargePages : Pos 0, 1 Bit 672 # +0x003 SpareBits : Pos 1, 7 Bits 673 # +0x008 Mutant : Ptr64 Void 674 # +0x010 ImageBaseAddress : Ptr64 Void 675 # +0x018 Ldr : Ptr64 _PEB_LDR_DATA 676 # +0x020 ProcessParameters : Ptr64 _RTL_USER_PROCESS_PARAMETERS 677 # +0x028 SubSystemData : Ptr64 Void 678 # +0x030 ProcessHeap : Ptr64 Void 679 # +0x038 FastPebLock : Ptr64 _RTL_CRITICAL_SECTION 680 # +0x040 AtlThunkSListPtr : Ptr64 Void 681 # +0x048 SparePtr2 : Ptr64 Void 682 # +0x050 EnvironmentUpdateCount : Uint4B 683 # +0x058 KernelCallbackTable : Ptr64 Void 684 # +0x060 SystemReserved : [1] Uint4B 685 # +0x064 SpareUlong : Uint4B 686 # +0x068 FreeList : Ptr64 _PEB_FREE_BLOCK 687 # +0x070 TlsExpansionCounter : Uint4B 688 # +0x078 TlsBitmap : Ptr64 Void 689 # +0x080 TlsBitmapBits : [2] Uint4B 690 # +0x088 ReadOnlySharedMemoryBase : Ptr64 Void 691 # +0x090 ReadOnlySharedMemoryHeap : Ptr64 Void 692 # +0x098 ReadOnlyStaticServerData : Ptr64 Ptr64 Void 693 # +0x0a0 AnsiCodePageData : Ptr64 Void 694 # +0x0a8 OemCodePageData : Ptr64 Void 695 # +0x0b0 UnicodeCaseTableData : Ptr64 Void 696 # +0x0b8 NumberOfProcessors : Uint4B 697 # +0x0bc NtGlobalFlag : Uint4B 698 # +0x0c0 CriticalSectionTimeout : _LARGE_INTEGER 699 # +0x0c8 HeapSegmentReserve : Uint8B 700 # +0x0d0 HeapSegmentCommit : Uint8B 701 # +0x0d8 HeapDeCommitTotalFreeThreshold : Uint8B 702 # +0x0e0 HeapDeCommitFreeBlockThreshold : Uint8B 703 # +0x0e8 NumberOfHeaps : Uint4B 704 # +0x0ec MaximumNumberOfHeaps : Uint4B 705 # +0x0f0 ProcessHeaps : Ptr64 Ptr64 Void 706 # +0x0f8 GdiSharedHandleTable : Ptr64 Void 707 # +0x100 ProcessStarterHelper : Ptr64 Void 708 # +0x108 GdiDCAttributeList : Uint4B 709 # +0x110 LoaderLock : Ptr64 _RTL_CRITICAL_SECTION 710 # +0x118 OSMajorVersion : Uint4B 711 # +0x11c OSMinorVersion : Uint4B 712 # +0x120 OSBuildNumber : Uint2B 
713 # +0x122 OSCSDVersion : Uint2B 714 # +0x124 OSPlatformId : Uint4B 715 # +0x128 ImageSubsystem : Uint4B 716 # +0x12c ImageSubsystemMajorVersion : Uint4B 717 # +0x130 ImageSubsystemMinorVersion : Uint4B 718 # +0x138 ImageProcessAffinityMask : Uint8B 719 # +0x140 GdiHandleBuffer : [60] Uint4B 720 # +0x230 PostProcessInitRoutine : Ptr64 void 721 # +0x238 TlsExpansionBitmap : Ptr64 Void 722 # +0x240 TlsExpansionBitmapBits : [32] Uint4B 723 # +0x2c0 SessionId : Uint4B 724 # +0x2c8 AppCompatFlags : _ULARGE_INTEGER 725 # +0x2d0 AppCompatFlagsUser : _ULARGE_INTEGER 726 # +0x2d8 pShimData : Ptr64 Void 727 # +0x2e0 AppCompatInfo : Ptr64 Void 728 # +0x2e8 CSDVersion : _UNICODE_STRING 729 # +0x2f8 ActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA 730 # +0x300 ProcessAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP 731 # +0x308 SystemDefaultActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA 732 # +0x310 SystemAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP 733 # +0x318 MinimumStackCommit : Uint8B 734 # +0x320 FlsCallback : Ptr64 Ptr64 Void 735 # +0x328 FlsListHead : _LIST_ENTRY 736 # +0x338 FlsBitmap : Ptr64 Void 737 # +0x340 FlsBitmapBits : [4] Uint4B 738 # +0x350 FlsHighIndex : Uint4B
class _PEB_XP_64(Structure):
    """
    Process Environment Block, Windows XP x64 layout, transcribed from the
    "dt _PEB" listing directly above.

    This is the 64-bit counterpart of _PEB_XP: the size_t-like heap members,
    ImageProcessAffinityMask and MinimumStackCommit are QWORD, GdiHandleBuffer
    grows to 60 DWORDs, and the Fls* members appear at the end. The offsets
    only come out right when the ctypes pointer size is 8 bytes (a 64-bit
    Python); the alignment holes in the listing (e.g. +0x004 before Mutant,
    +0x054 before KernelCallbackTable, +0x134 before
    ImageProcessAffinityMask) are produced by _pack_ = 8 plus the natural
    alignment of the 8-byte members. Pointer members keep their native type
    in a comment instead of using POINTER(...), presumably so a copy read
    out of another process holds plain addresses.

    NOTE(review): BeingDebugged (+0x002) and NtGlobalFlag (+0x0bc) are
    writable by the target and are the classic anti-debugging probes; a
    stealth debugger rewrites them, so do not treat them as ground truth.
    """
    _pack_ = 8
    _fields_ = [
        ("InheritedAddressSpace",               BOOLEAN),
        ("ReadImageFileExecOptions",            UCHAR),
        ("BeingDebugged",                       BOOLEAN),   # +0x002
        ("BitField",                            UCHAR),     # only bit 0 (ImageUsesLargePages) is defined in this version
        ("Mutant",                              HANDLE),    # +0x008
        ("ImageBaseAddress",                    PVOID),
        ("Ldr",                                 PVOID),     # PPEB_LDR_DATA
        ("ProcessParameters",                   PVOID),     # PRTL_USER_PROCESS_PARAMETERS
        ("SubSystemData",                       PVOID),
        ("ProcessHeap",                         PVOID),
        ("FastPebLock",                         PVOID),     # PRTL_CRITICAL_SECTION
        ("AtlThunkSListPtr",                    PVOID),
        ("SparePtr2",                           PVOID),
        ("EnvironmentUpdateCount",              DWORD),
        ("KernelCallbackTable",                 PVOID),     # +0x058
        ("SystemReserved",                      DWORD),
        ("SpareUlong",                          DWORD),
        ("FreeList",                            PVOID),     # PPEB_FREE_BLOCK
        ("TlsExpansionCounter",                 DWORD),
        ("TlsBitmap",                           PVOID),
        ("TlsBitmapBits",                       DWORD * 2),
        ("ReadOnlySharedMemoryBase",            PVOID),
        ("ReadOnlySharedMemoryHeap",            PVOID),
        ("ReadOnlyStaticServerData",            PVOID),     # Ptr64 Ptr64 Void
        ("AnsiCodePageData",                    PVOID),
        ("OemCodePageData",                     PVOID),
        ("UnicodeCaseTableData",                PVOID),
        ("NumberOfProcessors",                  DWORD),
        ("NtGlobalFlag",                        DWORD),     # +0x0bc; FLG_* masks defined above
        ("CriticalSectionTimeout",              LONGLONG),  # LARGE_INTEGER
        ("HeapSegmentReserve",                  QWORD),
        ("HeapSegmentCommit",                   QWORD),
        ("HeapDeCommitTotalFreeThreshold",      QWORD),
        ("HeapDeCommitFreeBlockThreshold",      QWORD),
        ("NumberOfHeaps",                       DWORD),
        ("MaximumNumberOfHeaps",                DWORD),
        ("ProcessHeaps",                        PVOID),     # Ptr64 Ptr64 Void
        ("GdiSharedHandleTable",                PVOID),
        ("ProcessStarterHelper",                PVOID),
        ("GdiDCAttributeList",                  DWORD),
        ("LoaderLock",                          PVOID),     # PRTL_CRITICAL_SECTION
        ("OSMajorVersion",                      DWORD),
        ("OSMinorVersion",                      DWORD),
        ("OSBuildNumber",                       WORD),
        ("OSCSDVersion",                        WORD),
        ("OSPlatformId",                        DWORD),
        ("ImageSubsystem",                      DWORD),
        ("ImageSubsystemMajorVersion",          DWORD),
        ("ImageSubsystemMinorVersion",          DWORD),
        ("ImageProcessAffinityMask",            QWORD),     # +0x138
        ("GdiHandleBuffer",                     DWORD * 60),
        ("PostProcessInitRoutine",              PPS_POST_PROCESS_INIT_ROUTINE),  # +0x230
        ("TlsExpansionBitmap",                  PVOID),
        ("TlsExpansionBitmapBits",              DWORD * 32),
        ("SessionId",                           DWORD),     # +0x2c0
        ("AppCompatFlags",                      ULONGLONG), # ULARGE_INTEGER
        ("AppCompatFlagsUser",                  ULONGLONG), # ULARGE_INTEGER
        ("pShimData",                           PVOID),
        ("AppCompatInfo",                       PVOID),
        ("CSDVersion",                          UNICODE_STRING),
        ("ActivationContextData",               PVOID),     # ACTIVATION_CONTEXT_DATA
        ("ProcessAssemblyStorageMap",           PVOID),     # ASSEMBLY_STORAGE_MAP
        ("SystemDefaultActivationContextData",  PVOID),     # ACTIVATION_CONTEXT_DATA
        ("SystemAssemblyStorageMap",            PVOID),     # ASSEMBLY_STORAGE_MAP
        ("MinimumStackCommit",                  QWORD),
        ("FlsCallback",                         PVOID),     # Ptr64 Ptr64 Void
        ("FlsListHead",                         LIST_ENTRY),
        ("FlsBitmap",                           PVOID),
        ("FlsBitmapBits",                       DWORD * 4),
        ("FlsHighIndex",                        DWORD),     # +0x350, last member in the listing
    ]
813 814 # +0x000 InheritedAddressSpace : UChar 815 # +0x001 ReadImageFileExecOptions : UChar 816 # +0x002 BeingDebugged : UChar 817 # +0x003 BitField : UChar 818 # +0x003 ImageUsesLargePages : Pos 0, 1 Bit 819 # +0x003 SpareBits : Pos 1, 7 Bits 820 # +0x004 Mutant : Ptr32 Void 821 # +0x008 ImageBaseAddress : Ptr32 Void 822 # +0x00c Ldr : Ptr32 _PEB_LDR_DATA 823 # +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS 824 # +0x014 SubSystemData : Ptr32 Void 825 # +0x018 ProcessHeap : Ptr32 Void 826 # +0x01c FastPebLock : Ptr32 _RTL_CRITICAL_SECTION 827 # +0x020 AtlThunkSListPtr : Ptr32 Void 828 # +0x024 SparePtr2 : Ptr32 Void 829 # +0x028 EnvironmentUpdateCount : Uint4B 830 # +0x02c KernelCallbackTable : Ptr32 Void 831 # +0x030 SystemReserved : [1] Uint4B 832 # +0x034 SpareUlong : Uint4B 833 # +0x038 FreeList : Ptr32 _PEB_FREE_BLOCK 834 # +0x03c TlsExpansionCounter : Uint4B 835 # +0x040 TlsBitmap : Ptr32 Void 836 # +0x044 TlsBitmapBits : [2] Uint4B 837 # +0x04c ReadOnlySharedMemoryBase : Ptr32 Void 838 # +0x050 ReadOnlySharedMemoryHeap : Ptr32 Void 839 # +0x054 ReadOnlyStaticServerData : Ptr32 Ptr32 Void 840 # +0x058 AnsiCodePageData : Ptr32 Void 841 # +0x05c OemCodePageData : Ptr32 Void 842 # +0x060 UnicodeCaseTableData : Ptr32 Void 843 # +0x064 NumberOfProcessors : Uint4B 844 # +0x068 NtGlobalFlag : Uint4B 845 # +0x070 CriticalSectionTimeout : _LARGE_INTEGER 846 # +0x078 HeapSegmentReserve : Uint4B 847 # +0x07c HeapSegmentCommit : Uint4B 848 # +0x080 HeapDeCommitTotalFreeThreshold : Uint4B 849 # +0x084 HeapDeCommitFreeBlockThreshold : Uint4B 850 # +0x088 NumberOfHeaps : Uint4B 851 # +0x08c MaximumNumberOfHeaps : Uint4B 852 # +0x090 ProcessHeaps : Ptr32 Ptr32 Void 853 # +0x094 GdiSharedHandleTable : Ptr32 Void 854 # +0x098 ProcessStarterHelper : Ptr32 Void 855 # +0x09c GdiDCAttributeList : Uint4B 856 # +0x0a0 LoaderLock : Ptr32 _RTL_CRITICAL_SECTION 857 # +0x0a4 OSMajorVersion : Uint4B 858 # +0x0a8 OSMinorVersion : Uint4B 859 # +0x0ac OSBuildNumber : Uint2B 
860 # +0x0ae OSCSDVersion : Uint2B 861 # +0x0b0 OSPlatformId : Uint4B 862 # +0x0b4 ImageSubsystem : Uint4B 863 # +0x0b8 ImageSubsystemMajorVersion : Uint4B 864 # +0x0bc ImageSubsystemMinorVersion : Uint4B 865 # +0x0c0 ImageProcessAffinityMask : Uint4B 866 # +0x0c4 GdiHandleBuffer : [34] Uint4B 867 # +0x14c PostProcessInitRoutine : Ptr32 void 868 # +0x150 TlsExpansionBitmap : Ptr32 Void 869 # +0x154 TlsExpansionBitmapBits : [32] Uint4B 870 # +0x1d4 SessionId : Uint4B 871 # +0x1d8 AppCompatFlags : _ULARGE_INTEGER 872 # +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER 873 # +0x1e8 pShimData : Ptr32 Void 874 # +0x1ec AppCompatInfo : Ptr32 Void 875 # +0x1f0 CSDVersion : _UNICODE_STRING 876 # +0x1f8 ActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA 877 # +0x1fc ProcessAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP 878 # +0x200 SystemDefaultActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA 879 # +0x204 SystemAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP 880 # +0x208 MinimumStackCommit : Uint4B 881 # +0x20c FlsCallback : Ptr32 Ptr32 Void 882 # +0x210 FlsListHead : _LIST_ENTRY 883 # +0x218 FlsBitmap : Ptr32 Void 884 # +0x21c FlsBitmapBits : [4] Uint4B 885 # +0x22c FlsHighIndex : Uint4B
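class _PEB_2003(Structure):
    """32-bit PEB as laid out on Windows Server 2003 (reused for 2003 R2
    through the ``_PEB_2003_R2`` alias that follows this class).

    Field order and types mirror the windbg-style dump immediately above,
    which is the reference whenever a value read from a debuggee looks
    wrong. Using this layout for another OS build, or for a 64-bit process,
    yields silently shifted values rather than an error, so the caller must
    pick the version-specific class.

    Pointer-sized members are declared as ``PVOID``/``HANDLE``; the offsets
    in the dump only hold if those are 4 bytes wide -- presumably a 32-bit
    interpreter, verify against the module that defines them.

    ``BeingDebugged`` and ``NtGlobalFlag`` are the members most commonly
    consulted by anti-debugging checks; this class only declares them.
    ``BitField`` packs the bit flags listed in the dump (``ImageUsesLargePages``
    etc.) and is exposed here as a whole byte.
    """
    # 8-byte packing puts CriticalSectionTimeout/AppCompatFlags on the
    # 8-aligned offsets the dump shows (+0x070 after a 4-byte gap, +0x1d8).
    _pack_ = 8
    _fields_ = [
        ("InheritedAddressSpace", BOOLEAN),
        ("ReadImageFileExecOptions", UCHAR),
        ("BeingDebugged", BOOLEAN),
        ("BitField", UCHAR),
        ("Mutant", HANDLE),
        ("ImageBaseAddress", PVOID),
        ("Ldr", PVOID),  # PPEB_LDR_DATA
        ("ProcessParameters", PVOID),  # PRTL_USER_PROCESS_PARAMETERS
        ("SubSystemData", PVOID),
        ("ProcessHeap", PVOID),
        ("FastPebLock", PVOID),  # PRTL_CRITICAL_SECTION
        ("AtlThunkSListPtr", PVOID),
        ("SparePtr2", PVOID),
        ("EnvironmentUpdateCount", DWORD),
        ("KernelCallbackTable", PVOID),
        ("SystemReserved", DWORD),  # [1] Uint4B in the dump
        ("SpareUlong", DWORD),
        ("FreeList", PVOID),  # PPEB_FREE_BLOCK
        ("TlsExpansionCounter", DWORD),
        ("TlsBitmap", PVOID),
        ("TlsBitmapBits", DWORD * 2),
        ("ReadOnlySharedMemoryBase", PVOID),
        ("ReadOnlySharedMemoryHeap", PVOID),
        ("ReadOnlyStaticServerData", PVOID),  # Ptr32 Ptr32 Void
        ("AnsiCodePageData", PVOID),
        ("OemCodePageData", PVOID),
        ("UnicodeCaseTableData", PVOID),
        ("NumberOfProcessors", DWORD),
        ("NtGlobalFlag", DWORD),
        ("CriticalSectionTimeout", LONGLONG),  # LARGE_INTEGER, 8-aligned at +0x070
        ("HeapSegmentReserve", DWORD),
        ("HeapSegmentCommit", DWORD),
        ("HeapDeCommitTotalFreeThreshold", DWORD),
        ("HeapDeCommitFreeBlockThreshold", DWORD),
        ("NumberOfHeaps", DWORD),
        ("MaximumNumberOfHeaps", DWORD),
        ("ProcessHeaps", PVOID),  # Ptr32 Ptr32 Void
        ("GdiSharedHandleTable", PVOID),
        ("ProcessStarterHelper", PVOID),
        ("GdiDCAttributeList", DWORD),
        ("LoaderLock", PVOID),  # PRTL_CRITICAL_SECTION
        ("OSMajorVersion", DWORD),
        ("OSMinorVersion", DWORD),
        ("OSBuildNumber", WORD),
        ("OSCSDVersion", WORD),
        ("OSPlatformId", DWORD),
        ("ImageSubsystem", DWORD),
        ("ImageSubsystemMajorVersion", DWORD),
        ("ImageSubsystemMinorVersion", DWORD),
        ("ImageProcessAffinityMask", DWORD),
        ("GdiHandleBuffer", DWORD * 34),
        ("PostProcessInitRoutine", PPS_POST_PROCESS_INIT_ROUTINE),
        ("TlsExpansionBitmap", PVOID),
        ("TlsExpansionBitmapBits", DWORD * 32),
        ("SessionId", DWORD),
        ("AppCompatFlags", ULONGLONG),  # ULARGE_INTEGER
        ("AppCompatFlagsUser", ULONGLONG),  # ULARGE_INTEGER
        ("pShimData", PVOID),
        ("AppCompatInfo", PVOID),
        ("CSDVersion", UNICODE_STRING),
        ("ActivationContextData", PVOID),  # ACTIVATION_CONTEXT_DATA
        ("ProcessAssemblyStorageMap", PVOID),  # ASSEMBLY_STORAGE_MAP
        ("SystemDefaultActivationContextData", PVOID),  # ACTIVATION_CONTEXT_DATA
        ("SystemAssemblyStorageMap", PVOID),  # ASSEMBLY_STORAGE_MAP
        # Uint4B at +0x208 with FlsCallback at +0x20c per the dump above;
        # an 8-byte type here would push every Fls* member 4 bytes late.
        ("MinimumStackCommit", DWORD),
        ("FlsCallback", PVOID),  # Ptr32 Ptr32 Void
        ("FlsListHead", LIST_ENTRY),
        ("FlsBitmap", PVOID),
        ("FlsBitmapBits", DWORD * 4),
        ("FlsHighIndex", DWORD),
    ]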
# Server 2003 x64 shares the XP x64 layout, and 2003 R2 reuses both 2003
# layouts unchanged. Callers select one of these by OS version and bitness;
# a mismatch is not detected at runtime, it just misreads the debuggee.
_PEB_2003_64 = _PEB_XP_64
_PEB_2003_R2 = _PEB_2003
_PEB_2003_R2_64 = _PEB_2003_64

# Windbg-style layout of the 32-bit PEB that _PEB_2008 below declares.
# +0x000 InheritedAddressSpace : UChar
# +0x001 ReadImageFileExecOptions : UChar
# +0x002 BeingDebugged : UChar
# +0x003 BitField : UChar
# +0x003 ImageUsesLargePages : Pos 0, 1 Bit
# +0x003 IsProtectedProcess : Pos 1, 1 Bit
# +0x003 IsLegacyProcess : Pos 2, 1 Bit
# +0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit
# +0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit
# +0x003 SpareBits : Pos 5, 3 Bits
# +0x004 Mutant : Ptr32 Void
# +0x008 ImageBaseAddress : Ptr32 Void
# +0x00c Ldr : Ptr32 _PEB_LDR_DATA
# +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS
# +0x014 SubSystemData : Ptr32 Void
# +0x018 ProcessHeap : Ptr32 Void
# +0x01c FastPebLock : Ptr32 _RTL_CRITICAL_SECTION
# +0x020 AtlThunkSListPtr : Ptr32 Void
# +0x024 IFEOKey : Ptr32 Void
# +0x028 CrossProcessFlags : Uint4B
# +0x028 ProcessInJob : Pos 0, 1 Bit
# +0x028 ProcessInitializing : Pos 1, 1 Bit
# +0x028 ProcessUsingVEH : Pos 2, 1 Bit
# +0x028 ProcessUsingVCH : Pos 3, 1 Bit
# +0x028 ReservedBits0 : Pos 4, 28 Bits
# +0x02c KernelCallbackTable : Ptr32 Void
# +0x02c UserSharedInfoPtr : Ptr32 Void
# +0x030 SystemReserved : [1] Uint4B
# +0x034 SpareUlong : Uint4B
# +0x038 SparePebPtr0 : Uint4B
# +0x03c TlsExpansionCounter : Uint4B
# +0x040 TlsBitmap : Ptr32 Void
# +0x044 TlsBitmapBits : [2] Uint4B
# +0x04c ReadOnlySharedMemoryBase : Ptr32 Void
# +0x050 HotpatchInformation : Ptr32 Void
# +0x054 ReadOnlyStaticServerData : Ptr32 Ptr32 Void
# +0x058 AnsiCodePageData : Ptr32 Void
# +0x05c OemCodePageData : Ptr32 Void
# +0x060 UnicodeCaseTableData : Ptr32 Void
# +0x064 NumberOfProcessors : Uint4B
# +0x068 NtGlobalFlag : Uint4B
# +0x070 CriticalSectionTimeout : _LARGE_INTEGER
# +0x078 HeapSegmentReserve : Uint4B
# +0x07c HeapSegmentCommit : Uint4B
# +0x080 HeapDeCommitTotalFreeThreshold : Uint4B
# +0x084 HeapDeCommitFreeBlockThreshold : Uint4B
# +0x088 NumberOfHeaps : Uint4B
# +0x08c MaximumNumberOfHeaps : Uint4B
# +0x090 ProcessHeaps : Ptr32 Ptr32 Void
# +0x094 GdiSharedHandleTable : Ptr32 Void
# +0x098 ProcessStarterHelper : Ptr32 Void
# +0x09c GdiDCAttributeList : Uint4B
# +0x0a0 LoaderLock : Ptr32 _RTL_CRITICAL_SECTION
# +0x0a4 OSMajorVersion : Uint4B
# +0x0a8 OSMinorVersion : Uint4B
# +0x0ac OSBuildNumber : Uint2B
# +0x0ae OSCSDVersion : Uint2B
# +0x0b0 OSPlatformId : Uint4B
# +0x0b4 ImageSubsystem : Uint4B
# +0x0b8 ImageSubsystemMajorVersion : Uint4B
# +0x0bc ImageSubsystemMinorVersion : Uint4B
# +0x0c0 ActiveProcessAffinityMask : Uint4B
# +0x0c4 GdiHandleBuffer : [34] Uint4B
# +0x14c PostProcessInitRoutine : Ptr32 void
# +0x150 TlsExpansionBitmap : Ptr32 Void
# +0x154 TlsExpansionBitmapBits : [32] Uint4B
# +0x1d4 SessionId : Uint4B
# +0x1d8 AppCompatFlags : _ULARGE_INTEGER
# +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER
# +0x1e8 pShimData : Ptr32 Void
# +0x1ec AppCompatInfo : Ptr32 Void
# +0x1f0 CSDVersion : _UNICODE_STRING
# +0x1f8 ActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA
# +0x1fc ProcessAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP
# +0x200 SystemDefaultActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA
# +0x204 SystemAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP
# +0x208 MinimumStackCommit : Uint4B
# +0x20c FlsCallback : Ptr32 _FLS_CALLBACK_INFO
# +0x210 FlsListHead : _LIST_ENTRY
# +0x218 FlsBitmap : Ptr32 Void
# +0x21c FlsBitmapBits : [4] Uint4B
# +0x22c FlsHighIndex : Uint4B
# +0x230 WerRegistrationData : Ptr32 Void
# +0x234 WerShipAssertPtr : Ptr32 Void
class _PEB_2008(Structure):
    """32-bit PEB as laid out on Windows Server 2008 (also reachable as
    ``_PEB_Vista`` through the alias further down).

    Field order and types mirror the windbg-style dump immediately above;
    consult it when a value read from a debuggee looks wrong. Selecting this
    layout for another OS build or for a 64-bit process does not fail, it
    silently shifts every member after the first divergence, so the caller
    must choose the version-specific class.

    Pointer-sized members are declared as ``PVOID``/``HANDLE``; the dump's
    offsets only hold if those are 4 bytes wide -- presumably a 32-bit
    interpreter, verify against the module that defines them.

    ``BitField`` and ``CrossProcessFlags`` pack the bit flags listed in the
    dump (``IsProtectedProcess``, ``ProcessUsingVEH``, ...) and are exposed
    here as whole bytes/dwords. ``UserSharedInfoPtr`` overlays
    ``KernelCallbackTable`` at the same offset and is provided as a property
    on this class rather than as a second field. ``BeingDebugged`` and
    ``NtGlobalFlag`` are the members most commonly consulted by
    anti-debugging checks; this class only declares them.
    """
    # 8-byte packing puts CriticalSectionTimeout/AppCompatFlags on the
    # 8-aligned offsets the dump shows (+0x070 after a 4-byte gap, +0x1d8).
    _pack_ = 8
    _fields_ = [
        ("InheritedAddressSpace", BOOLEAN),
        ("ReadImageFileExecOptions", UCHAR),
        ("BeingDebugged", BOOLEAN),
        ("BitField", UCHAR),
        ("Mutant", HANDLE),
        ("ImageBaseAddress", PVOID),
        ("Ldr", PVOID),  # PPEB_LDR_DATA
        ("ProcessParameters", PVOID),  # PRTL_USER_PROCESS_PARAMETERS
        ("SubSystemData", PVOID),
        ("ProcessHeap", PVOID),
        ("FastPebLock", PVOID),  # PRTL_CRITICAL_SECTION
        ("AtlThunkSListPtr", PVOID),
        ("IFEOKey", PVOID),
        ("CrossProcessFlags", DWORD),  # bit flags, see dump at +0x028
        ("KernelCallbackTable", PVOID),  # shares +0x02c with UserSharedInfoPtr
        ("SystemReserved", DWORD),  # [1] Uint4B in the dump
        ("SpareUlong", DWORD),
        ("SparePebPtr0", PVOID),
        ("TlsExpansionCounter", DWORD),
        ("TlsBitmap", PVOID),
        ("TlsBitmapBits", DWORD * 2),
        ("ReadOnlySharedMemoryBase", PVOID),
        ("HotpatchInformation", PVOID),
        ("ReadOnlyStaticServerData", PVOID),  # Ptr32 Ptr32 Void
        ("AnsiCodePageData", PVOID),
        ("OemCodePageData", PVOID),
        ("UnicodeCaseTableData", PVOID),
        ("NumberOfProcessors", DWORD),
        ("NtGlobalFlag", DWORD),
        ("CriticalSectionTimeout", LONGLONG),  # LARGE_INTEGER, 8-aligned at +0x070
        ("HeapSegmentReserve", DWORD),
        ("HeapSegmentCommit", DWORD),
        ("HeapDeCommitTotalFreeThreshold", DWORD),
        ("HeapDeCommitFreeBlockThreshold", DWORD),
        ("NumberOfHeaps", DWORD),
        ("MaximumNumberOfHeaps", DWORD),
        ("ProcessHeaps", PVOID),  # Ptr32 Ptr32 Void
        ("GdiSharedHandleTable", PVOID),
        ("ProcessStarterHelper", PVOID),
        ("GdiDCAttributeList", DWORD),
        ("LoaderLock", PVOID),  # PRTL_CRITICAL_SECTION
        ("OSMajorVersion", DWORD),
        ("OSMinorVersion", DWORD),
        ("OSBuildNumber", WORD),
        ("OSCSDVersion", WORD),
        ("OSPlatformId", DWORD),
        ("ImageSubsystem", DWORD),
        ("ImageSubsystemMajorVersion", DWORD),
        ("ImageSubsystemMinorVersion", DWORD),
        ("ActiveProcessAffinityMask", DWORD),
        ("GdiHandleBuffer", DWORD * 34),
        ("PostProcessInitRoutine", PPS_POST_PROCESS_INIT_ROUTINE),
        ("TlsExpansionBitmap", PVOID),
        ("TlsExpansionBitmapBits", DWORD * 32),
        ("SessionId", DWORD),
        ("AppCompatFlags", ULONGLONG),  # ULARGE_INTEGER
        ("AppCompatFlagsUser", ULONGLONG),  # ULARGE_INTEGER
        ("pShimData", PVOID),
        ("AppCompatInfo", PVOID),
        ("CSDVersion", UNICODE_STRING),
        ("ActivationContextData", PVOID),  # ACTIVATION_CONTEXT_DATA
        ("ProcessAssemblyStorageMap", PVOID),  # ASSEMBLY_STORAGE_MAP
        ("SystemDefaultActivationContextData", PVOID),  # ACTIVATION_CONTEXT_DATA
        ("SystemAssemblyStorageMap", PVOID),  # ASSEMBLY_STORAGE_MAP
        ("MinimumStackCommit", DWORD),  # Uint4B at +0x208 in the dump
        ("FlsCallback", PVOID),  # PFLS_CALLBACK_INFO
        ("FlsListHead", LIST_ENTRY),
        ("FlsBitmap", PVOID),
        ("FlsBitmapBits", DWORD * 4),
        ("FlsHighIndex", DWORD),
        ("WerRegistrationData", PVOID),
        ("WerShipAssertPtr", PVOID),
    ]
    def __get_UserSharedInfoPtr(self):
        """Return ``UserSharedInfoPtr``.

        The dump above places ``UserSharedInfoPtr`` at the same offset as
        ``KernelCallbackTable``, so there is a single slot; this getter
        reads the ``KernelCallbackTable`` field.
        """
        shared_slot = "KernelCallbackTable"
        return getattr(self, shared_slot)
1127 - def __set_UserSharedInfoPtr(self, value):
    # Second name for the KernelCallbackTable slot (both sit at +0x02c in the
    # dump above); kept as a property so the struct has a single real field.
    UserSharedInfoPtr = property(__get_UserSharedInfoPtr, __set_UserSharedInfoPtr)
1130 1131 # +0x000 InheritedAddressSpace : UChar 1132 # +0x001 ReadImageFileExecOptions : UChar 1133 # +0x002 BeingDebugged : UChar 1134 # +0x003 BitField : UChar 1135 # +0x003 ImageUsesLargePages : Pos 0, 1 Bit 1136 # +0x003 IsProtectedProcess : Pos 1, 1 Bit 1137 # +0x003 IsLegacyProcess : Pos 2, 1 Bit 1138 # +0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit 1139 # +0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit 1140 # +0x003 SpareBits : Pos 5, 3 Bits 1141 # +0x008 Mutant : Ptr64 Void 1142 # +0x010 ImageBaseAddress : Ptr64 Void 1143 # +0x018 Ldr : Ptr64 _PEB_LDR_DATA 1144 # +0x020 ProcessParameters : Ptr64 _RTL_USER_PROCESS_PARAMETERS 1145 # +0x028 SubSystemData : Ptr64 Void 1146 # +0x030 ProcessHeap : Ptr64 Void 1147 # +0x038 FastPebLock : Ptr64 _RTL_CRITICAL_SECTION 1148 # +0x040 AtlThunkSListPtr : Ptr64 Void 1149 # +0x048 IFEOKey : Ptr64 Void 1150 # +0x050 CrossProcessFlags : Uint4B 1151 # +0x050 ProcessInJob : Pos 0, 1 Bit 1152 # +0x050 ProcessInitializing : Pos 1, 1 Bit 1153 # +0x050 ProcessUsingVEH : Pos 2, 1 Bit 1154 # +0x050 ProcessUsingVCH : Pos 3, 1 Bit 1155 # +0x050 ReservedBits0 : Pos 4, 28 Bits 1156 # +0x058 KernelCallbackTable : Ptr64 Void 1157 # +0x058 UserSharedInfoPtr : Ptr64 Void 1158 # +0x060 SystemReserved : [1] Uint4B 1159 # +0x064 SpareUlong : Uint4B 1160 # +0x068 SparePebPtr0 : Uint8B 1161 # +0x070 TlsExpansionCounter : Uint4B 1162 # +0x078 TlsBitmap : Ptr64 Void 1163 # +0x080 TlsBitmapBits : [2] Uint4B 1164 # +0x088 ReadOnlySharedMemoryBase : Ptr64 Void 1165 # +0x090 HotpatchInformation : Ptr64 Void 1166 # +0x098 ReadOnlyStaticServerData : Ptr64 Ptr64 Void 1167 # +0x0a0 AnsiCodePageData : Ptr64 Void 1168 # +0x0a8 OemCodePageData : Ptr64 Void 1169 # +0x0b0 UnicodeCaseTableData : Ptr64 Void 1170 # +0x0b8 NumberOfProcessors : Uint4B 1171 # +0x0bc NtGlobalFlag : Uint4B 1172 # +0x0c0 CriticalSectionTimeout : _LARGE_INTEGER 1173 # +0x0c8 HeapSegmentReserve : Uint8B 1174 # +0x0d0 HeapSegmentCommit : Uint8B 1175 # +0x0d8 
HeapDeCommitTotalFreeThreshold : Uint8B 1176 # +0x0e0 HeapDeCommitFreeBlockThreshold : Uint8B 1177 # +0x0e8 NumberOfHeaps : Uint4B 1178 # +0x0ec MaximumNumberOfHeaps : Uint4B 1179 # +0x0f0 ProcessHeaps : Ptr64 Ptr64 Void 1180 # +0x0f8 GdiSharedHandleTable : Ptr64 Void 1181 # +0x100 ProcessStarterHelper : Ptr64 Void 1182 # +0x108 GdiDCAttributeList : Uint4B 1183 # +0x110 LoaderLock : Ptr64 _RTL_CRITICAL_SECTION 1184 # +0x118 OSMajorVersion : Uint4B 1185 # +0x11c OSMinorVersion : Uint4B 1186 # +0x120 OSBuildNumber : Uint2B 1187 # +0x122 OSCSDVersion : Uint2B 1188 # +0x124 OSPlatformId : Uint4B 1189 # +0x128 ImageSubsystem : Uint4B 1190 # +0x12c ImageSubsystemMajorVersion : Uint4B 1191 # +0x130 ImageSubsystemMinorVersion : Uint4B 1192 # +0x138 ActiveProcessAffinityMask : Uint8B 1193 # +0x140 GdiHandleBuffer : [60] Uint4B 1194 # +0x230 PostProcessInitRoutine : Ptr64 void 1195 # +0x238 TlsExpansionBitmap : Ptr64 Void 1196 # +0x240 TlsExpansionBitmapBits : [32] Uint4B 1197 # +0x2c0 SessionId : Uint4B 1198 # +0x2c8 AppCompatFlags : _ULARGE_INTEGER 1199 # +0x2d0 AppCompatFlagsUser : _ULARGE_INTEGER 1200 # +0x2d8 pShimData : Ptr64 Void 1201 # +0x2e0 AppCompatInfo : Ptr64 Void 1202 # +0x2e8 CSDVersion : _UNICODE_STRING 1203 # +0x2f8 ActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA 1204 # +0x300 ProcessAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP 1205 # +0x308 SystemDefaultActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA 1206 # +0x310 SystemAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP 1207 # +0x318 MinimumStackCommit : Uint8B 1208 # +0x320 FlsCallback : Ptr64 _FLS_CALLBACK_INFO 1209 # +0x328 FlsListHead : _LIST_ENTRY 1210 # +0x338 FlsBitmap : Ptr64 Void 1211 # +0x340 FlsBitmapBits : [4] Uint4B 1212 # +0x350 FlsHighIndex : Uint4B 1213 # +0x358 WerRegistrationData : Ptr64 Void 1214 # +0x360 WerShipAssertPtr : Ptr64 Void
class _PEB_2008_64(Structure):
    """64-bit PEB as laid out on Windows Server 2008 x64 (also reachable as
    ``_PEB_Vista_64`` through the alias further down).

    Field order and types mirror the windbg-style dump immediately above;
    consult it when a value read from a debuggee looks wrong. Using this
    layout for a 32-bit process or another OS build silently shifts every
    member after the first divergence, so the caller must choose the
    version-specific class.

    Pointer-sized members are declared as ``PVOID``/``HANDLE``; the dump's
    offsets only hold if those are 8 bytes wide -- presumably a 64-bit
    interpreter, verify against the module that defines them. The size-
    dependent members (``HeapSegment*``, ``HeapDeCommit*``,
    ``ActiveProcessAffinityMask``, ``MinimumStackCommit``) are ``QWORD``
    here where the 32-bit layouts use ``DWORD``, and ``GdiHandleBuffer``
    grows from 34 to 60 dwords.

    ``UserSharedInfoPtr`` overlays ``KernelCallbackTable`` at the same
    offset and is provided as a property on this class. ``BeingDebugged``
    and ``NtGlobalFlag`` are the members most commonly consulted by
    anti-debugging checks; this class only declares them.
    """
    # 8-byte packing puts the QWORD/LONGLONG members on the 8-aligned
    # offsets the dump shows (e.g. ActiveProcessAffinityMask at +0x138
    # after a 4-byte gap).
    _pack_ = 8
    _fields_ = [
        ("InheritedAddressSpace", BOOLEAN),
        ("ReadImageFileExecOptions", UCHAR),
        ("BeingDebugged", BOOLEAN),
        ("BitField", UCHAR),
        ("Mutant", HANDLE),
        ("ImageBaseAddress", PVOID),
        ("Ldr", PVOID),  # PPEB_LDR_DATA
        ("ProcessParameters", PVOID),  # PRTL_USER_PROCESS_PARAMETERS
        ("SubSystemData", PVOID),
        ("ProcessHeap", PVOID),
        ("FastPebLock", PVOID),  # PRTL_CRITICAL_SECTION
        ("AtlThunkSListPtr", PVOID),
        ("IFEOKey", PVOID),
        ("CrossProcessFlags", DWORD),  # bit flags, see dump at +0x050
        ("KernelCallbackTable", PVOID),  # shares +0x058 with UserSharedInfoPtr
        ("SystemReserved", DWORD),  # [1] Uint4B in the dump
        ("SpareUlong", DWORD),
        ("SparePebPtr0", PVOID),  # Uint8B in the dump
        ("TlsExpansionCounter", DWORD),
        ("TlsBitmap", PVOID),
        ("TlsBitmapBits", DWORD * 2),
        ("ReadOnlySharedMemoryBase", PVOID),
        ("HotpatchInformation", PVOID),
        ("ReadOnlyStaticServerData", PVOID),  # Ptr64 Ptr64 Void
        ("AnsiCodePageData", PVOID),
        ("OemCodePageData", PVOID),
        ("UnicodeCaseTableData", PVOID),
        ("NumberOfProcessors", DWORD),
        ("NtGlobalFlag", DWORD),
        ("CriticalSectionTimeout", LONGLONG),  # LARGE_INTEGER
        ("HeapSegmentReserve", QWORD),
        ("HeapSegmentCommit", QWORD),
        ("HeapDeCommitTotalFreeThreshold", QWORD),
        ("HeapDeCommitFreeBlockThreshold", QWORD),
        ("NumberOfHeaps", DWORD),
        ("MaximumNumberOfHeaps", DWORD),
        ("ProcessHeaps", PVOID),  # Ptr64 Ptr64 Void
        ("GdiSharedHandleTable", PVOID),
        ("ProcessStarterHelper", PVOID),
        ("GdiDCAttributeList", DWORD),
        ("LoaderLock", PVOID),  # PRTL_CRITICAL_SECTION
        ("OSMajorVersion", DWORD),
        ("OSMinorVersion", DWORD),
        ("OSBuildNumber", WORD),
        ("OSCSDVersion", WORD),
        ("OSPlatformId", DWORD),
        ("ImageSubsystem", DWORD),
        ("ImageSubsystemMajorVersion", DWORD),
        ("ImageSubsystemMinorVersion", DWORD),
        ("ActiveProcessAffinityMask", QWORD),  # 8-aligned at +0x138
        ("GdiHandleBuffer", DWORD * 60),
        ("PostProcessInitRoutine", PPS_POST_PROCESS_INIT_ROUTINE),
        ("TlsExpansionBitmap", PVOID),
        ("TlsExpansionBitmapBits", DWORD * 32),
        ("SessionId", DWORD),
        ("AppCompatFlags", ULONGLONG),  # ULARGE_INTEGER
        ("AppCompatFlagsUser", ULONGLONG),  # ULARGE_INTEGER
        ("pShimData", PVOID),
        ("AppCompatInfo", PVOID),
        ("CSDVersion", UNICODE_STRING),
        ("ActivationContextData", PVOID),  # ACTIVATION_CONTEXT_DATA
        ("ProcessAssemblyStorageMap", PVOID),  # ASSEMBLY_STORAGE_MAP
        ("SystemDefaultActivationContextData", PVOID),  # ACTIVATION_CONTEXT_DATA
        ("SystemAssemblyStorageMap", PVOID),  # ASSEMBLY_STORAGE_MAP
        ("MinimumStackCommit", QWORD),  # Uint8B at +0x318 in the dump
        ("FlsCallback", PVOID),  # PFLS_CALLBACK_INFO
        ("FlsListHead", LIST_ENTRY),
        ("FlsBitmap", PVOID),
        ("FlsBitmapBits", DWORD * 4),
        ("FlsHighIndex", DWORD),
        ("WerRegistrationData", PVOID),
        ("WerShipAssertPtr", PVOID),
    ]
    def __get_UserSharedInfoPtr(self):
        """Return ``UserSharedInfoPtr``, i.e. the ``KernelCallbackTable``
        slot the dump above lists under both names at +0x058."""
        return getattr(self, "KernelCallbackTable")
1293 - def __set_UserSharedInfoPtr(self, value):
    # Second name for the KernelCallbackTable slot (both sit at +0x058 in the
    # dump above); kept as a property so the struct has a single real field.
    UserSharedInfoPtr = property(__get_UserSharedInfoPtr, __set_UserSharedInfoPtr)
1296 1297 # +0x000 InheritedAddressSpace : UChar 1298 # +0x001 ReadImageFileExecOptions : UChar 1299 # +0x002 BeingDebugged : UChar 1300 # +0x003 BitField : UChar 1301 # +0x003 ImageUsesLargePages : Pos 0, 1 Bit 1302 # +0x003 IsProtectedProcess : Pos 1, 1 Bit 1303 # +0x003 IsLegacyProcess : Pos 2, 1 Bit 1304 # +0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit 1305 # +0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit 1306 # +0x003 SpareBits : Pos 5, 3 Bits 1307 # +0x004 Mutant : Ptr32 Void 1308 # +0x008 ImageBaseAddress : Ptr32 Void 1309 # +0x00c Ldr : Ptr32 _PEB_LDR_DATA 1310 # +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS 1311 # +0x014 SubSystemData : Ptr32 Void 1312 # +0x018 ProcessHeap : Ptr32 Void 1313 # +0x01c FastPebLock : Ptr32 _RTL_CRITICAL_SECTION 1314 # +0x020 AtlThunkSListPtr : Ptr32 Void 1315 # +0x024 IFEOKey : Ptr32 Void 1316 # +0x028 CrossProcessFlags : Uint4B 1317 # +0x028 ProcessInJob : Pos 0, 1 Bit 1318 # +0x028 ProcessInitializing : Pos 1, 1 Bit 1319 # +0x028 ProcessUsingVEH : Pos 2, 1 Bit 1320 # +0x028 ProcessUsingVCH : Pos 3, 1 Bit 1321 # +0x028 ProcessUsingFTH : Pos 4, 1 Bit 1322 # +0x028 ReservedBits0 : Pos 5, 27 Bits 1323 # +0x02c KernelCallbackTable : Ptr32 Void 1324 # +0x02c UserSharedInfoPtr : Ptr32 Void 1325 # +0x030 SystemReserved : [1] Uint4B 1326 # +0x034 AtlThunkSListPtr32 : Uint4B 1327 # +0x038 ApiSetMap : Ptr32 Void 1328 # +0x03c TlsExpansionCounter : Uint4B 1329 # +0x040 TlsBitmap : Ptr32 Void 1330 # +0x044 TlsBitmapBits : [2] Uint4B 1331 # +0x04c ReadOnlySharedMemoryBase : Ptr32 Void 1332 # +0x050 HotpatchInformation : Ptr32 Void 1333 # +0x054 ReadOnlyStaticServerData : Ptr32 Ptr32 Void 1334 # +0x058 AnsiCodePageData : Ptr32 Void 1335 # +0x05c OemCodePageData : Ptr32 Void 1336 # +0x060 UnicodeCaseTableData : Ptr32 Void 1337 # +0x064 NumberOfProcessors : Uint4B 1338 # +0x068 NtGlobalFlag : Uint4B 1339 # +0x070 CriticalSectionTimeout : _LARGE_INTEGER 1340 # +0x078 HeapSegmentReserve : Uint4B 1341 # +0x07c 
HeapSegmentCommit : Uint4B 1342 # +0x080 HeapDeCommitTotalFreeThreshold : Uint4B 1343 # +0x084 HeapDeCommitFreeBlockThreshold : Uint4B 1344 # +0x088 NumberOfHeaps : Uint4B 1345 # +0x08c MaximumNumberOfHeaps : Uint4B 1346 # +0x090 ProcessHeaps : Ptr32 Ptr32 Void 1347 # +0x094 GdiSharedHandleTable : Ptr32 Void 1348 # +0x098 ProcessStarterHelper : Ptr32 Void 1349 # +0x09c GdiDCAttributeList : Uint4B 1350 # +0x0a0 LoaderLock : Ptr32 _RTL_CRITICAL_SECTION 1351 # +0x0a4 OSMajorVersion : Uint4B 1352 # +0x0a8 OSMinorVersion : Uint4B 1353 # +0x0ac OSBuildNumber : Uint2B 1354 # +0x0ae OSCSDVersion : Uint2B 1355 # +0x0b0 OSPlatformId : Uint4B 1356 # +0x0b4 ImageSubsystem : Uint4B 1357 # +0x0b8 ImageSubsystemMajorVersion : Uint4B 1358 # +0x0bc ImageSubsystemMinorVersion : Uint4B 1359 # +0x0c0 ActiveProcessAffinityMask : Uint4B 1360 # +0x0c4 GdiHandleBuffer : [34] Uint4B 1361 # +0x14c PostProcessInitRoutine : Ptr32 void 1362 # +0x150 TlsExpansionBitmap : Ptr32 Void 1363 # +0x154 TlsExpansionBitmapBits : [32] Uint4B 1364 # +0x1d4 SessionId : Uint4B 1365 # +0x1d8 AppCompatFlags : _ULARGE_INTEGER 1366 # +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER 1367 # +0x1e8 pShimData : Ptr32 Void 1368 # +0x1ec AppCompatInfo : Ptr32 Void 1369 # +0x1f0 CSDVersion : _UNICODE_STRING 1370 # +0x1f8 ActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA 1371 # +0x1fc ProcessAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP 1372 # +0x200 SystemDefaultActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA 1373 # +0x204 SystemAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP 1374 # +0x208 MinimumStackCommit : Uint4B 1375 # +0x20c FlsCallback : Ptr32 _FLS_CALLBACK_INFO 1376 # +0x210 FlsListHead : _LIST_ENTRY 1377 # +0x218 FlsBitmap : Ptr32 Void 1378 # +0x21c FlsBitmapBits : [4] Uint4B 1379 # +0x22c FlsHighIndex : Uint4B 1380 # +0x230 WerRegistrationData : Ptr32 Void 1381 # +0x234 WerShipAssertPtr : Ptr32 Void 1382 # +0x238 pContextData : Ptr32 Void 1383 # +0x23c pImageHeaderHash : Ptr32 Void 1384 # +0x240 
TracingFlags : Uint4B 1385 # +0x240 HeapTracingEnabled : Pos 0, 1 Bit 1386 # +0x240 CritSecTracingEnabled : Pos 1, 1 Bit 1387 # +0x240 SpareTracingBits : Pos 2, 30 Bits
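class _PEB_2008_R2(Structure):
    """32-bit PEB as laid out on Windows Server 2008 R2 (also reachable as
    ``_PEB_W7`` through the alias further down).

    Field order and types mirror the windbg-style dump immediately above;
    consult it when a value read from a debuggee looks wrong. Selecting this
    layout for another OS build or for a 64-bit process silently shifts
    every member after the first divergence, so the caller must choose the
    version-specific class.

    Pointer-sized members are declared as ``PVOID``/``HANDLE``; the dump's
    offsets only hold if those are 4 bytes wide -- presumably a 32-bit
    interpreter, verify against the module that defines them. Compared with
    ``_PEB_2008`` the ``SpareUlong``/``SparePebPtr0`` pair becomes
    ``AtlThunkSListPtr32``/``ApiSetMap`` and three members
    (``pContextData``, ``pImageHeaderHash``, ``TracingFlags``) are appended.

    ``UserSharedInfoPtr`` overlays ``KernelCallbackTable`` at the same
    offset and is provided as a property on this class. ``BeingDebugged``
    and ``NtGlobalFlag`` are the members most commonly consulted by
    anti-debugging checks; this class only declares them.
    """
    # 8-byte packing puts CriticalSectionTimeout/AppCompatFlags on the
    # 8-aligned offsets the dump shows (+0x070 after a 4-byte gap, +0x1d8).
    _pack_ = 8
    _fields_ = [
        ("InheritedAddressSpace", BOOLEAN),
        ("ReadImageFileExecOptions", UCHAR),
        ("BeingDebugged", BOOLEAN),
        ("BitField", UCHAR),
        ("Mutant", HANDLE),
        ("ImageBaseAddress", PVOID),
        ("Ldr", PVOID),  # PPEB_LDR_DATA
        ("ProcessParameters", PVOID),  # PRTL_USER_PROCESS_PARAMETERS
        ("SubSystemData", PVOID),
        ("ProcessHeap", PVOID),
        ("FastPebLock", PVOID),  # PRTL_CRITICAL_SECTION
        ("AtlThunkSListPtr", PVOID),
        ("IFEOKey", PVOID),
        ("CrossProcessFlags", DWORD),  # bit flags, see dump at +0x028
        ("KernelCallbackTable", PVOID),  # shares +0x02c with UserSharedInfoPtr
        ("SystemReserved", DWORD),  # [1] Uint4B in the dump
        # Uint4B at +0x034 in the dump and DWORD in _PEB_2008_R2_64: this is
        # a 32-bit value, not a pointer, so it stays 4 bytes on any interpreter.
        ("AtlThunkSListPtr32", DWORD),
        ("ApiSetMap", PVOID),
        ("TlsExpansionCounter", DWORD),
        ("TlsBitmap", PVOID),
        ("TlsBitmapBits", DWORD * 2),
        ("ReadOnlySharedMemoryBase", PVOID),
        ("HotpatchInformation", PVOID),
        ("ReadOnlyStaticServerData", PVOID),  # Ptr32 Ptr32 Void
        ("AnsiCodePageData", PVOID),
        ("OemCodePageData", PVOID),
        ("UnicodeCaseTableData", PVOID),
        ("NumberOfProcessors", DWORD),
        ("NtGlobalFlag", DWORD),
        ("CriticalSectionTimeout", LONGLONG),  # LARGE_INTEGER, 8-aligned at +0x070
        ("HeapSegmentReserve", DWORD),
        ("HeapSegmentCommit", DWORD),
        ("HeapDeCommitTotalFreeThreshold", DWORD),
        ("HeapDeCommitFreeBlockThreshold", DWORD),
        ("NumberOfHeaps", DWORD),
        ("MaximumNumberOfHeaps", DWORD),
        ("ProcessHeaps", PVOID),  # Ptr32 Ptr32 Void
        ("GdiSharedHandleTable", PVOID),
        ("ProcessStarterHelper", PVOID),
        ("GdiDCAttributeList", DWORD),
        ("LoaderLock", PVOID),  # PRTL_CRITICAL_SECTION
        ("OSMajorVersion", DWORD),
        ("OSMinorVersion", DWORD),
        ("OSBuildNumber", WORD),
        ("OSCSDVersion", WORD),
        ("OSPlatformId", DWORD),
        ("ImageSubsystem", DWORD),
        ("ImageSubsystemMajorVersion", DWORD),
        ("ImageSubsystemMinorVersion", DWORD),
        ("ActiveProcessAffinityMask", DWORD),
        ("GdiHandleBuffer", DWORD * 34),
        ("PostProcessInitRoutine", PPS_POST_PROCESS_INIT_ROUTINE),
        ("TlsExpansionBitmap", PVOID),
        ("TlsExpansionBitmapBits", DWORD * 32),
        ("SessionId", DWORD),
        ("AppCompatFlags", ULONGLONG),  # ULARGE_INTEGER
        ("AppCompatFlagsUser", ULONGLONG),  # ULARGE_INTEGER
        ("pShimData", PVOID),
        ("AppCompatInfo", PVOID),
        ("CSDVersion", UNICODE_STRING),
        ("ActivationContextData", PVOID),  # ACTIVATION_CONTEXT_DATA
        ("ProcessAssemblyStorageMap", PVOID),  # ASSEMBLY_STORAGE_MAP
        ("SystemDefaultActivationContextData", PVOID),  # ACTIVATION_CONTEXT_DATA
        ("SystemAssemblyStorageMap", PVOID),  # ASSEMBLY_STORAGE_MAP
        ("MinimumStackCommit", DWORD),  # Uint4B at +0x208 in the dump
        ("FlsCallback", PVOID),  # PFLS_CALLBACK_INFO
        ("FlsListHead", LIST_ENTRY),
        ("FlsBitmap", PVOID),
        ("FlsBitmapBits", DWORD * 4),
        ("FlsHighIndex", DWORD),
        ("WerRegistrationData", PVOID),
        ("WerShipAssertPtr", PVOID),
        ("pContextData", PVOID),
        ("pImageHeaderHash", PVOID),
        ("TracingFlags", DWORD),  # bit flags, see dump at +0x240
    ]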
    def __get_UserSharedInfoPtr(self):
        """Return ``UserSharedInfoPtr``.

        Both names sit at +0x02c in the dump above, so this simply reads
        the ``KernelCallbackTable`` field.
        """
        backing_field = "KernelCallbackTable"
        return getattr(self, backing_field)
1469 - def __set_UserSharedInfoPtr(self, value):
    # Second name for the KernelCallbackTable slot (both sit at +0x02c in the
    # dump above); kept as a property so the struct has a single real field.
    UserSharedInfoPtr = property(__get_UserSharedInfoPtr, __set_UserSharedInfoPtr)
1472 1473 # +0x000 InheritedAddressSpace : UChar 1474 # +0x001 ReadImageFileExecOptions : UChar 1475 # +0x002 BeingDebugged : UChar 1476 # +0x003 BitField : UChar 1477 # +0x003 ImageUsesLargePages : Pos 0, 1 Bit 1478 # +0x003 IsProtectedProcess : Pos 1, 1 Bit 1479 # +0x003 IsLegacyProcess : Pos 2, 1 Bit 1480 # +0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit 1481 # +0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit 1482 # +0x003 SpareBits : Pos 5, 3 Bits 1483 # +0x008 Mutant : Ptr64 Void 1484 # +0x010 ImageBaseAddress : Ptr64 Void 1485 # +0x018 Ldr : Ptr64 _PEB_LDR_DATA 1486 # +0x020 ProcessParameters : Ptr64 _RTL_USER_PROCESS_PARAMETERS 1487 # +0x028 SubSystemData : Ptr64 Void 1488 # +0x030 ProcessHeap : Ptr64 Void 1489 # +0x038 FastPebLock : Ptr64 _RTL_CRITICAL_SECTION 1490 # +0x040 AtlThunkSListPtr : Ptr64 Void 1491 # +0x048 IFEOKey : Ptr64 Void 1492 # +0x050 CrossProcessFlags : Uint4B 1493 # +0x050 ProcessInJob : Pos 0, 1 Bit 1494 # +0x050 ProcessInitializing : Pos 1, 1 Bit 1495 # +0x050 ProcessUsingVEH : Pos 2, 1 Bit 1496 # +0x050 ProcessUsingVCH : Pos 3, 1 Bit 1497 # +0x050 ProcessUsingFTH : Pos 4, 1 Bit 1498 # +0x050 ReservedBits0 : Pos 5, 27 Bits 1499 # +0x058 KernelCallbackTable : Ptr64 Void 1500 # +0x058 UserSharedInfoPtr : Ptr64 Void 1501 # +0x060 SystemReserved : [1] Uint4B 1502 # +0x064 AtlThunkSListPtr32 : Uint4B 1503 # +0x068 ApiSetMap : Ptr64 Void 1504 # +0x070 TlsExpansionCounter : Uint4B 1505 # +0x078 TlsBitmap : Ptr64 Void 1506 # +0x080 TlsBitmapBits : [2] Uint4B 1507 # +0x088 ReadOnlySharedMemoryBase : Ptr64 Void 1508 # +0x090 HotpatchInformation : Ptr64 Void 1509 # +0x098 ReadOnlyStaticServerData : Ptr64 Ptr64 Void 1510 # +0x0a0 AnsiCodePageData : Ptr64 Void 1511 # +0x0a8 OemCodePageData : Ptr64 Void 1512 # +0x0b0 UnicodeCaseTableData : Ptr64 Void 1513 # +0x0b8 NumberOfProcessors : Uint4B 1514 # +0x0bc NtGlobalFlag : Uint4B 1515 # +0x0c0 CriticalSectionTimeout : _LARGE_INTEGER 1516 # +0x0c8 HeapSegmentReserve : Uint8B 1517 # +0x0d0 
HeapSegmentCommit : Uint8B 1518 # +0x0d8 HeapDeCommitTotalFreeThreshold : Uint8B 1519 # +0x0e0 HeapDeCommitFreeBlockThreshold : Uint8B 1520 # +0x0e8 NumberOfHeaps : Uint4B 1521 # +0x0ec MaximumNumberOfHeaps : Uint4B 1522 # +0x0f0 ProcessHeaps : Ptr64 Ptr64 Void 1523 # +0x0f8 GdiSharedHandleTable : Ptr64 Void 1524 # +0x100 ProcessStarterHelper : Ptr64 Void 1525 # +0x108 GdiDCAttributeList : Uint4B 1526 # +0x110 LoaderLock : Ptr64 _RTL_CRITICAL_SECTION 1527 # +0x118 OSMajorVersion : Uint4B 1528 # +0x11c OSMinorVersion : Uint4B 1529 # +0x120 OSBuildNumber : Uint2B 1530 # +0x122 OSCSDVersion : Uint2B 1531 # +0x124 OSPlatformId : Uint4B 1532 # +0x128 ImageSubsystem : Uint4B 1533 # +0x12c ImageSubsystemMajorVersion : Uint4B 1534 # +0x130 ImageSubsystemMinorVersion : Uint4B 1535 # +0x138 ActiveProcessAffinityMask : Uint8B 1536 # +0x140 GdiHandleBuffer : [60] Uint4B 1537 # +0x230 PostProcessInitRoutine : Ptr64 void 1538 # +0x238 TlsExpansionBitmap : Ptr64 Void 1539 # +0x240 TlsExpansionBitmapBits : [32] Uint4B 1540 # +0x2c0 SessionId : Uint4B 1541 # +0x2c8 AppCompatFlags : _ULARGE_INTEGER 1542 # +0x2d0 AppCompatFlagsUser : _ULARGE_INTEGER 1543 # +0x2d8 pShimData : Ptr64 Void 1544 # +0x2e0 AppCompatInfo : Ptr64 Void 1545 # +0x2e8 CSDVersion : _UNICODE_STRING 1546 # +0x2f8 ActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA 1547 # +0x300 ProcessAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP 1548 # +0x308 SystemDefaultActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA 1549 # +0x310 SystemAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP 1550 # +0x318 MinimumStackCommit : Uint8B 1551 # +0x320 FlsCallback : Ptr64 _FLS_CALLBACK_INFO 1552 # +0x328 FlsListHead : _LIST_ENTRY 1553 # +0x338 FlsBitmap : Ptr64 Void 1554 # +0x340 FlsBitmapBits : [4] Uint4B 1555 # +0x350 FlsHighIndex : Uint4B 1556 # +0x358 WerRegistrationData : Ptr64 Void 1557 # +0x360 WerShipAssertPtr : Ptr64 Void 1558 # +0x368 pContextData : Ptr64 Void 1559 # +0x370 pImageHeaderHash : Ptr64 Void 1560 # +0x378 
TracingFlags : Uint4B 1561 # +0x378 HeapTracingEnabled : Pos 0, 1 Bit 1562 # +0x378 CritSecTracingEnabled : Pos 1, 1 Bit 1563 # +0x378 SpareTracingBits : Pos 2, 30 Bits
class _PEB_2008_R2_64(Structure):
    """64-bit PEB as laid out on Windows Server 2008 R2 x64 (also reachable
    as ``_PEB_W7_64`` through the alias further down).

    Field order and types mirror the windbg-style dump immediately above;
    consult it when a value read from a debuggee looks wrong. Using this
    layout for a 32-bit process or another OS build silently shifts every
    member after the first divergence, so the caller must choose the
    version-specific class.

    Pointer-sized members are declared as ``PVOID``/``HANDLE``; the dump's
    offsets only hold if those are 8 bytes wide -- presumably a 64-bit
    interpreter, verify against the module that defines them. The size-
    dependent members (``HeapSegment*``, ``HeapDeCommit*``,
    ``ActiveProcessAffinityMask``, ``MinimumStackCommit``) are ``QWORD``
    here where the 32-bit layouts use ``DWORD``, ``GdiHandleBuffer`` is 60
    dwords, and ``AtlThunkSListPtr32`` stays a 4-byte value.

    ``UserSharedInfoPtr`` overlays ``KernelCallbackTable`` at the same
    offset and is provided as a property on this class. ``BeingDebugged``
    and ``NtGlobalFlag`` are the members most commonly consulted by
    anti-debugging checks; this class only declares them.
    """
    # 8-byte packing puts the QWORD/LONGLONG members on the 8-aligned
    # offsets the dump shows (e.g. ActiveProcessAffinityMask at +0x138
    # after a 4-byte gap).
    _pack_ = 8
    _fields_ = [
        ("InheritedAddressSpace", BOOLEAN),
        ("ReadImageFileExecOptions", UCHAR),
        ("BeingDebugged", BOOLEAN),
        ("BitField", UCHAR),
        ("Mutant", HANDLE),
        ("ImageBaseAddress", PVOID),
        ("Ldr", PVOID),  # PPEB_LDR_DATA
        ("ProcessParameters", PVOID),  # PRTL_USER_PROCESS_PARAMETERS
        ("SubSystemData", PVOID),
        ("ProcessHeap", PVOID),
        ("FastPebLock", PVOID),  # PRTL_CRITICAL_SECTION
        ("AtlThunkSListPtr", PVOID),
        ("IFEOKey", PVOID),
        ("CrossProcessFlags", DWORD),  # bit flags, see dump at +0x050
        ("KernelCallbackTable", PVOID),  # shares +0x058 with UserSharedInfoPtr
        ("SystemReserved", DWORD),  # [1] Uint4B in the dump
        ("AtlThunkSListPtr32", DWORD),  # Uint4B at +0x064: a 32-bit value, not a pointer
        ("ApiSetMap", PVOID),
        ("TlsExpansionCounter", DWORD),
        ("TlsBitmap", PVOID),
        ("TlsBitmapBits", DWORD * 2),
        ("ReadOnlySharedMemoryBase", PVOID),
        ("HotpatchInformation", PVOID),
        ("ReadOnlyStaticServerData", PVOID),  # Ptr64 Ptr64 Void
        ("AnsiCodePageData", PVOID),
        ("OemCodePageData", PVOID),
        ("UnicodeCaseTableData", PVOID),
        ("NumberOfProcessors", DWORD),
        ("NtGlobalFlag", DWORD),
        ("CriticalSectionTimeout", LONGLONG),  # LARGE_INTEGER
        ("HeapSegmentReserve", QWORD),
        ("HeapSegmentCommit", QWORD),
        ("HeapDeCommitTotalFreeThreshold", QWORD),
        ("HeapDeCommitFreeBlockThreshold", QWORD),
        ("NumberOfHeaps", DWORD),
        ("MaximumNumberOfHeaps", DWORD),
        ("ProcessHeaps", PVOID),  # Ptr64 Ptr64 Void
        ("GdiSharedHandleTable", PVOID),
        ("ProcessStarterHelper", PVOID),
        ("GdiDCAttributeList", DWORD),
        ("LoaderLock", PVOID),  # PRTL_CRITICAL_SECTION
        ("OSMajorVersion", DWORD),
        ("OSMinorVersion", DWORD),
        ("OSBuildNumber", WORD),
        ("OSCSDVersion", WORD),
        ("OSPlatformId", DWORD),
        ("ImageSubsystem", DWORD),
        ("ImageSubsystemMajorVersion", DWORD),
        ("ImageSubsystemMinorVersion", DWORD),
        ("ActiveProcessAffinityMask", QWORD),  # 8-aligned at +0x138
        ("GdiHandleBuffer", DWORD * 60),
        ("PostProcessInitRoutine", PPS_POST_PROCESS_INIT_ROUTINE),
        ("TlsExpansionBitmap", PVOID),
        ("TlsExpansionBitmapBits", DWORD * 32),
        ("SessionId", DWORD),
        ("AppCompatFlags", ULONGLONG),  # ULARGE_INTEGER
        ("AppCompatFlagsUser", ULONGLONG),  # ULARGE_INTEGER
        ("pShimData", PVOID),
        ("AppCompatInfo", PVOID),
        ("CSDVersion", UNICODE_STRING),
        ("ActivationContextData", PVOID),  # ACTIVATION_CONTEXT_DATA
        ("ProcessAssemblyStorageMap", PVOID),  # ASSEMBLY_STORAGE_MAP
        ("SystemDefaultActivationContextData", PVOID),  # ACTIVATION_CONTEXT_DATA
        ("SystemAssemblyStorageMap", PVOID),  # ASSEMBLY_STORAGE_MAP
        ("MinimumStackCommit", QWORD),  # Uint8B at +0x318 in the dump
        ("FlsCallback", PVOID),  # PFLS_CALLBACK_INFO
        ("FlsListHead", LIST_ENTRY),
        ("FlsBitmap", PVOID),
        ("FlsBitmapBits", DWORD * 4),
        ("FlsHighIndex", DWORD),
        ("WerRegistrationData", PVOID),
        ("WerShipAssertPtr", PVOID),
        ("pContextData", PVOID),
        ("pImageHeaderHash", PVOID),
        ("TracingFlags", DWORD),  # bit flags, see dump at +0x378
    ]
    def __get_UserSharedInfoPtr(self):
        """Return ``UserSharedInfoPtr``, i.e. the ``KernelCallbackTable``
        slot the dump above lists under both names at +0x058."""
        return getattr(self, "KernelCallbackTable")
1645 - def __set_UserSharedInfoPtr(self, value):
    # Second name for the KernelCallbackTable slot (both sit at +0x058 in the
    # dump above); kept as a property so the struct has a single real field.
    UserSharedInfoPtr = property(__get_UserSharedInfoPtr, __set_UserSharedInfoPtr)
# Vista shares its PEB layout with Windows 2008, and Windows 7 with 2008 R2,
# so the client versions are plain aliases of the server definitions.
_PEB_Vista, _PEB_Vista_64 = _PEB_2008, _PEB_2008_64
_PEB_W7, _PEB_W7_64 = _PEB_2008_R2, _PEB_2008_R2_64

# Reference layout (32 bit "dt _PEB" output) followed by the _PEB_W7_Beta
# definition below it.
# +0x000 InheritedAddressSpace : UChar
# +0x001 ReadImageFileExecOptions : UChar
# +0x002 BeingDebugged : UChar
# +0x003 BitField : UChar
# +0x003 ImageUsesLargePages : Pos 0, 1 Bit
# +0x003 IsProtectedProcess : Pos 1, 1 Bit
# +0x003 IsLegacyProcess : Pos 2, 1 Bit
# +0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit
# +0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit
# +0x003 SpareBits : Pos 5, 3 Bits
# +0x004 Mutant : Ptr32 Void
# +0x008 ImageBaseAddress : Ptr32 Void
# +0x00c Ldr : Ptr32 _PEB_LDR_DATA
# +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS
# +0x014 SubSystemData : Ptr32 Void
# +0x018 ProcessHeap : Ptr32 Void
# +0x01c FastPebLock : Ptr32 _RTL_CRITICAL_SECTION
# +0x020 AtlThunkSListPtr : Ptr32 Void
# +0x024 IFEOKey : Ptr32 Void
# +0x028 CrossProcessFlags : Uint4B
# +0x028 ProcessInJob : Pos 0, 1 Bit
# +0x028 ProcessInitializing : Pos 1, 1 Bit
# +0x028 ProcessUsingVEH : Pos 2, 1 Bit
# +0x028 ProcessUsingVCH : Pos 3, 1 Bit
# +0x028 ProcessUsingFTH : Pos 4, 1 Bit
# +0x028 ReservedBits0 : Pos 5, 27 Bits
# +0x02c KernelCallbackTable : Ptr32 Void
# +0x02c UserSharedInfoPtr : Ptr32 Void
# +0x030 SystemReserved : [1] Uint4B
# +0x034 TracingFlags : Uint4B
# +0x034 HeapTracingEnabled : Pos 0, 1 Bit
# +0x034 CritSecTracingEnabled : Pos 1, 1 Bit
# +0x034 SpareTracingBits : Pos 2, 30 Bits
# +0x038 ApiSetMap : Ptr32 Void
# +0x03c TlsExpansionCounter : Uint4B
# +0x040 TlsBitmap : Ptr32 Void
# +0x044 TlsBitmapBits : [2] Uint4B
# +0x04c ReadOnlySharedMemoryBase : Ptr32 Void
# +0x050 HotpatchInformation : Ptr32 Void
# +0x054 ReadOnlyStaticServerData : Ptr32 Ptr32 Void
# +0x058 AnsiCodePageData : Ptr32 Void
# +0x05c OemCodePageData : Ptr32 Void
# +0x060 UnicodeCaseTableData : Ptr32 Void
# +0x064 NumberOfProcessors : Uint4B
# +0x068 NtGlobalFlag : Uint4B
# +0x070 CriticalSectionTimeout : _LARGE_INTEGER
# +0x078 HeapSegmentReserve : Uint4B
# +0x07c HeapSegmentCommit : Uint4B
# +0x080 HeapDeCommitTotalFreeThreshold : Uint4B
# +0x084 HeapDeCommitFreeBlockThreshold : Uint4B
# +0x088 NumberOfHeaps : Uint4B
# +0x08c MaximumNumberOfHeaps : Uint4B
# +0x090 ProcessHeaps : Ptr32 Ptr32 Void
# +0x094 GdiSharedHandleTable : Ptr32 Void
# +0x098 ProcessStarterHelper : Ptr32 Void
# +0x09c GdiDCAttributeList : Uint4B
# +0x0a0 LoaderLock : Ptr32 _RTL_CRITICAL_SECTION
# +0x0a4 OSMajorVersion : Uint4B
# +0x0a8 OSMinorVersion : Uint4B
# +0x0ac OSBuildNumber : Uint2B
# +0x0ae OSCSDVersion : Uint2B
# +0x0b0 OSPlatformId : Uint4B
# +0x0b4 ImageSubsystem : Uint4B
# +0x0b8 ImageSubsystemMajorVersion : Uint4B
# +0x0bc ImageSubsystemMinorVersion : Uint4B
# +0x0c0 ActiveProcessAffinityMask : Uint4B
# +0x0c4 GdiHandleBuffer : [34] Uint4B
# +0x14c PostProcessInitRoutine : Ptr32 void
# +0x150 TlsExpansionBitmap : Ptr32 Void
# +0x154 TlsExpansionBitmapBits : [32] Uint4B
# +0x1d4 SessionId : Uint4B
# +0x1d8 AppCompatFlags : _ULARGE_INTEGER
# +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER
# +0x1e8 pShimData : Ptr32 Void
# +0x1ec AppCompatInfo : Ptr32 Void
# +0x1f0 CSDVersion : _UNICODE_STRING
# +0x1f8 ActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA
# +0x1fc ProcessAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP
# +0x200 SystemDefaultActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA
# +0x204 SystemAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP
# +0x208 MinimumStackCommit : Uint4B
# +0x20c FlsCallback : Ptr32 _FLS_CALLBACK_INFO
# +0x210 FlsListHead : _LIST_ENTRY
# +0x218 FlsBitmap : Ptr32 Void
# +0x21c FlsBitmapBits : [4] Uint4B
# +0x22c FlsHighIndex : Uint4B
# +0x230 WerRegistrationData : Ptr32 Void
# +0x234 WerShipAssertPtr : Ptr32 Void
# +0x238 pContextData : Ptr32 Void
# +0x23c pImageHeaderHash : Ptr32 Void
class _PEB_W7_Beta(Structure):
    """
    This definition of the PEB structure is only valid for the beta versions
    of Windows 7. For the final version of Windows 7 use L{_PEB_W7} instead.
    This structure is not chosen automatically.

    The field table follows the 32 bit C{dt _PEB} listing reproduced in the
    comment block right above this class.
    """
    _pack_ = 8
    _fields_ = [
        # +0x000 .. +0x003: four single byte flags (BitField holds the bits).
        ("InheritedAddressSpace",              BOOLEAN),
        ("ReadImageFileExecOptions",           UCHAR),
        ("BeingDebugged",                      BOOLEAN),
        ("BitField",                           UCHAR),
        ("Mutant",                             HANDLE),
        ("ImageBaseAddress",                   PVOID),
        ("Ldr",                                PVOID),     # PPEB_LDR_DATA
        ("ProcessParameters",                  PVOID),     # PRTL_USER_PROCESS_PARAMETERS
        ("SubSystemData",                      PVOID),
        ("ProcessHeap",                        PVOID),
        ("FastPebLock",                        PVOID),     # PRTL_CRITICAL_SECTION
        ("AtlThunkSListPtr",                   PVOID),
        ("IFEOKey",                            PVOID),
        ("CrossProcessFlags",                  DWORD),
        # +0x02c: also reachable as UserSharedInfoPtr (property below).
        ("KernelCallbackTable",                PVOID),
        ("SystemReserved",                     DWORD),
        ("TracingFlags",                       DWORD),
        ("ApiSetMap",                          PVOID),
        ("TlsExpansionCounter",                DWORD),
        ("TlsBitmap",                          PVOID),
        ("TlsBitmapBits",                      DWORD * 2),
        ("ReadOnlySharedMemoryBase",           PVOID),
        ("HotpatchInformation",                PVOID),
        ("ReadOnlyStaticServerData",           PVOID),     # Ptr32 Ptr32 Void
        ("AnsiCodePageData",                   PVOID),
        ("OemCodePageData",                    PVOID),
        ("UnicodeCaseTableData",               PVOID),
        ("NumberOfProcessors",                 DWORD),
        ("NtGlobalFlag",                       DWORD),
        # 8 byte aligned by _pack_, hence the gap at +0x06c in the listing.
        ("CriticalSectionTimeout",             LONGLONG),  # LARGE_INTEGER
        ("HeapSegmentReserve",                 DWORD),
        ("HeapSegmentCommit",                  DWORD),
        ("HeapDeCommitTotalFreeThreshold",     DWORD),
        ("HeapDeCommitFreeBlockThreshold",     DWORD),
        ("NumberOfHeaps",                      DWORD),
        ("MaximumNumberOfHeaps",               DWORD),
        ("ProcessHeaps",                       PVOID),     # Ptr32 Ptr32 Void
        ("GdiSharedHandleTable",               PVOID),
        ("ProcessStarterHelper",               PVOID),
        ("GdiDCAttributeList",                 DWORD),
        ("LoaderLock",                         PVOID),     # PRTL_CRITICAL_SECTION
        ("OSMajorVersion",                     DWORD),
        ("OSMinorVersion",                     DWORD),
        ("OSBuildNumber",                      WORD),
        ("OSCSDVersion",                       WORD),
        ("OSPlatformId",                       DWORD),
        ("ImageSubsystem",                     DWORD),
        ("ImageSubsystemMajorVersion",         DWORD),
        ("ImageSubsystemMinorVersion",         DWORD),
        ("ActiveProcessAffinityMask",          DWORD),
        ("GdiHandleBuffer",                    DWORD * 34),
        ("PostProcessInitRoutine",             PPS_POST_PROCESS_INIT_ROUTINE),
        ("TlsExpansionBitmap",                 PVOID),
        ("TlsExpansionBitmapBits",             DWORD * 32),
        ("SessionId",                          DWORD),
        ("AppCompatFlags",                     ULONGLONG), # ULARGE_INTEGER
        ("AppCompatFlagsUser",                 ULONGLONG), # ULARGE_INTEGER
        ("pShimData",                          PVOID),
        ("AppCompatInfo",                      PVOID),
        ("CSDVersion",                         UNICODE_STRING),
        ("ActivationContextData",              PVOID),     # ACTIVATION_CONTEXT_DATA
        ("ProcessAssemblyStorageMap",          PVOID),     # ASSEMBLY_STORAGE_MAP
        ("SystemDefaultActivationContextData", PVOID),     # ACTIVATION_CONTEXT_DATA
        ("SystemAssemblyStorageMap",           PVOID),     # ASSEMBLY_STORAGE_MAP
        ("MinimumStackCommit",                 DWORD),
        ("FlsCallback",                        PVOID),     # PFLS_CALLBACK_INFO
        ("FlsListHead",                        LIST_ENTRY),
        ("FlsBitmap",                          PVOID),
        ("FlsBitmapBits",                      DWORD * 4),
        ("FlsHighIndex",                       DWORD),
        ("WerRegistrationData",                PVOID),
        ("WerShipAssertPtr",                   PVOID),
        ("pContextData",                       PVOID),
        ("pImageHeaderHash",                   PVOID),
    ]

    # KernelCallbackTable and UserSharedInfoPtr occupy the same offset
    # (+0x02c), so the second name is a read/write view of the first.
    def _read_user_shared_info_ptr(self):
        return self.KernelCallbackTable

    def _write_user_shared_info_ptr(self, value):
        self.KernelCallbackTable = value

    UserSharedInfoPtr = property(_read_user_shared_info_ptr,
                                 _write_user_shared_info_ptr,
                                 doc = "Alias of C{KernelCallbackTable}.")
1832 1833 # Use the correct PEB structure definition. 1834 # Defaults to the latest Windows version.
class PEB(Structure):
    """
    Process Environment Block for the Windows version this module runs on,
    selected by the C{os} version string.

    Windows NT and 2000 also supply their own packing; every later version
    keeps C{_pack_ = 8}. A version string that is not recognised falls back
    to the Windows 7 layout, choosing the 32 or 64 bit variant from the
    size of C{SIZE_T}.
    """
    _pack_ = 8

    # The two legacy definitions carry a different packing of their own.
    if os == 'Windows NT':
        _pack_   = _PEB_NT._pack_
        _fields_ = _PEB_NT._fields_
    elif os == 'Windows 2000':
        _pack_   = _PEB_2000._pack_
        _fields_ = _PEB_2000._fields_
    else:
        # From XP onwards only the field table is copied.
        _layout_by_version = {
            'Windows XP':                _PEB_XP,
            'Windows XP (64 bits)':      _PEB_XP_64,
            'Windows 2003':              _PEB_2003,
            'Windows 2003 (64 bits)':    _PEB_2003_64,
            'Windows 2003 R2':           _PEB_2003_R2,
            'Windows 2003 R2 (64 bits)': _PEB_2003_R2_64,
            'Windows 2008':              _PEB_2008,
            'Windows 2008 (64 bits)':    _PEB_2008_64,
            'Windows 2008 R2':           _PEB_2008_R2,
            'Windows 2008 R2 (64 bits)': _PEB_2008_R2_64,
            'Windows Vista':             _PEB_Vista,
            'Windows Vista (64 bits)':   _PEB_Vista_64,
            'Windows 7':                 _PEB_W7,
            'Windows 7 (64 bits)':       _PEB_W7_64,
        }
        if os in _layout_by_version:
            _fields_ = _layout_by_version[os]._fields_
        elif sizeof(SIZE_T) == sizeof(DWORD):
            # Unknown version on a 32 bit interpreter: newest 32 bit layout.
            _fields_ = _PEB_W7._fields_
        else:
            # Unknown version on a 64 bit interpreter: newest 64 bit layout.
            _fields_ = _PEB_W7_64._fields_
        # Keep the lookup table out of the resulting class namespace.
        del _layout_by_version
# Typed pointer to the PEB. Note that PPEB is rebound to PVOID further down
# in this module, before the TEB structures reference it.
PPEB = POINTER(PEB)

# from https://vmexplorer.svn.codeplex.com/svn/VMExplorer/src/Win32/Threads.cs
#
# [StructLayout (LayoutKind.Sequential, Size = 0x0C)]
# public struct Wx86ThreadState
# {
#     public IntPtr CallBx86Eip; // Ptr32 to Uint4B
#     public IntPtr DeallocationCpu; // Ptr32 to Void
#     public Byte UseKnownWx86Dll; // UChar
#     public Byte OleStubInvoked; // Char
# };
class Wx86ThreadState(Structure):
    """
    Wx86 (x86 emulation) thread state embedded in the XP TEB as
    C{Wx86Thread}.

    Layout taken from the C# declaration quoted above, which gives it a
    size of 0x0C bytes on 32 bit.
    """
    _fields_ = [
        ("CallBx86Eip", PVOID),     # Ptr32 to Uint4B
        ("DeallocationCpu", PVOID), # Ptr32 to Void
        ("UseKnownWx86Dll", UCHAR),
        ("OleStubInvoked", CHAR),
    ]
1894 1895 # ntdll!_RTL_ACTIVATION_CONTEXT_STACK_FRAME 1896 # +0x000 Previous : Ptr64 _RTL_ACTIVATION_CONTEXT_STACK_FRAME 1897 # +0x008 ActivationContext : Ptr64 _ACTIVATION_CONTEXT 1898 # +0x010 Flags : Uint4B
class RTL_ACTIVATION_CONTEXT_STACK_FRAME(Structure):
    """
    One frame of a thread's activation context stack
    (C{ntdll!_RTL_ACTIVATION_CONTEXT_STACK_FRAME}, see the listing above).

    Both pointer members are declared as untyped C{PVOID} rather than
    C{POINTER(...)} types.
    """
    _fields_ = [
        ("Previous", PVOID),          # _RTL_ACTIVATION_CONTEXT_STACK_FRAME *
        ("ActivationContext", PVOID), # _ACTIVATION_CONTEXT *
        ("Flags", DWORD),
    ]
1905 1906 # ntdll!_ACTIVATION_CONTEXT_STACK 1907 # +0x000 ActiveFrame : Ptr64 _RTL_ACTIVATION_CONTEXT_STACK_FRAME 1908 # +0x008 FrameListCache : _LIST_ENTRY 1909 # +0x018 Flags : Uint4B 1910 # +0x01c NextCookieSequenceNumber : Uint4B 1911 # +0x020 StackId : Uint4B
class ACTIVATION_CONTEXT_STACK(Structure):
    """
    Per-thread activation context stack
    (C{ntdll!_ACTIVATION_CONTEXT_STACK}).

    The offsets quoted in the comment above are from a 64 bit listing
    (C{Ptr64}); member order is the same on 32 bit.
    """
    _fields_ = [
        ("ActiveFrame", PVOID),      # _RTL_ACTIVATION_CONTEXT_STACK_FRAME *
        ("FrameListCache", LIST_ENTRY),
        ("Flags", DWORD),
        ("NextCookieSequenceNumber", DWORD),
        ("StackId", DWORD),
    ]
1920 1921 # typedef struct _PROCESSOR_NUMBER { 1922 # WORD Group; 1923 # BYTE Number; 1924 # BYTE Reserved; 1925 # }PROCESSOR_NUMBER, *PPROCESSOR_NUMBER;
class PROCESSOR_NUMBER(Structure):
    """
    Processor group and index pair (C{PROCESSOR_NUMBER}), mirroring the
    typedef quoted above.
    """
    _fields_ = [
        ("Group", WORD),
        ("Number", BYTE),
        ("Reserved", BYTE),
    ]
1932 1933 # from http://www.nirsoft.net/kernel_struct/vista/NT_TIB.html 1934 # 1935 # typedef struct _NT_TIB 1936 # { 1937 # PEXCEPTION_REGISTRATION_RECORD ExceptionList; 1938 # PVOID StackBase; 1939 # PVOID StackLimit; 1940 # PVOID SubSystemTib; 1941 # union 1942 # { 1943 # PVOID FiberData; 1944 # ULONG Version; 1945 # }; 1946 # PVOID ArbitraryUserPointer; 1947 # PNT_TIB Self; 1948 # } NT_TIB, *PNT_TIB;
class _NT_TIB_UNION(Union):
    """
    Anonymous union inside C{NT_TIB}: the same slot holds either the fiber
    data pointer or a version number (see the typedef quoted above).
    """
    _fields_ = [
        ("FiberData", PVOID),
        ("Version", ULONG),
    ]
class NT_TIB(Structure):
    """
    Thread Information Block, the first member of every TEB.

    The union member C{u} is not meant to be used directly: C{FiberData}
    and C{Version} are exposed as read/write properties that forward to it.
    """
    _fields_ = [
        ("ExceptionList",        PVOID),         # PEXCEPTION_REGISTRATION_RECORD
        ("StackBase",            PVOID),
        ("StackLimit",           PVOID),
        ("SubSystemTib",         PVOID),
        ("u",                    _NT_TIB_UNION), # FiberData / Version
        ("ArbitraryUserPointer", PVOID),
        ("Self",                 PVOID),         # PNTTIB
    ]

    def _read_fiber_data(self):
        return self.u.FiberData

    def _write_fiber_data(self, value):
        self.u.FiberData = value

    FiberData = property(_read_fiber_data, _write_fiber_data,
                         doc = "View of the union member C{u.FiberData}.")

    def _read_version(self):
        return self.u.Version

    def _write_version(self, value):
        self.u.Version = value

    Version = property(_read_version, _write_version,
                       doc = "View of the union member C{u.Version}.")
# Typed pointer to NT_TIB (the structure's own Self member stays PVOID).
PNTTIB = POINTER(NT_TIB)

# From http://www.nirsoft.net/kernel_struct/vista/EXCEPTION_REGISTRATION_RECORD.html
#
# typedef struct _EXCEPTION_REGISTRATION_RECORD
# {
#      PEXCEPTION_REGISTRATION_RECORD Next;
#      PEXCEPTION_DISPOSITION Handler;
# } EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD;
class EXCEPTION_REGISTRATION_RECORD(Structure):
    """
    SEH registration record (C{EXCEPTION_REGISTRATION_RECORD}).

    Declared empty here because its C{Next} member refers back to the
    record type; C{_fields_} is assigned right below, once the pointer
    aliases it needs exist.
    """
    pass
EXCEPTION_DISPOSITION = DWORD
# The typed POINTER(...) forms are kept for reference only; the aliases in
# use are plain PVOID, so the record members hold raw address values.
##PEXCEPTION_DISPOSITION = POINTER(EXCEPTION_DISPOSITION)
##PEXCEPTION_REGISTRATION_RECORD = POINTER(EXCEPTION_REGISTRATION_RECORD)
PEXCEPTION_DISPOSITION = PVOID
PEXCEPTION_REGISTRATION_RECORD = PVOID

# Completes the forward declaration of EXCEPTION_REGISTRATION_RECORD above.
EXCEPTION_REGISTRATION_RECORD._fields_ = [
    ("Next", PEXCEPTION_REGISTRATION_RECORD),
    ("Handler", PEXCEPTION_DISPOSITION),
]

# Rebinds the PPEB defined right after the PEB class: the TEB structures
# below store the PEB address as an untyped pointer.
##PPEB = POINTER(PEB)
PPEB = PVOID

# From http://www.nirsoft.net/kernel_struct/vista/GDI_TEB_BATCH.html
#
# typedef struct _GDI_TEB_BATCH
# {
#      ULONG Offset;
#      ULONG HDC;
#      ULONG Buffer[310];
# } GDI_TEB_BATCH, *PGDI_TEB_BATCH;
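class GDI_TEB_BATCH(Structure):
    """
    GDI batching area embedded in every TEB as C{GdiTebBatch}.

    The nirsoft reference quoted above is the 32 bit layout, where C{HDC}
    is a 4 byte C{ULONG}. The 64 bit TEB listings in this module place
    C{GdiTebBatch} at +0x2f0 and the following C{RealClientId} at +0x7d8,
    i.e. 0x4e8 bytes apart, which is 8 bytes more than
    C{4 + 4 + 310 * 4}: on 64 bit the handle is pointer sized (4 bytes of
    padding plus an 8 byte C{HDC} ahead of C{Buffer}). C{SIZE_T} is 4 bytes
    on 32 bit and 8 bytes on 64 bit, so one definition reproduces both
    layouts and every 64 bit TEB member after C{GdiTebBatch} lands on its
    documented offset.
    """
    _fields_ = [
        ("Offset", ULONG),
        ("HDC",    SIZE_T),       # ULONG on 32 bit, pointer sized on 64 bit
        ("Buffer", ULONG * 310),
    ]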
2017 2018 # ntdll!_TEB_ACTIVE_FRAME_CONTEXT 2019 # +0x000 Flags : Uint4B 2020 # +0x008 FrameName : Ptr64 Char
class TEB_ACTIVE_FRAME_CONTEXT(Structure):
    """
    Context record of a TEB active frame
    (C{ntdll!_TEB_ACTIVE_FRAME_CONTEXT}, listing above).
    """
    _fields_ = [
        ("Flags", DWORD),
        ("FrameName", LPVOID), # LPCHAR
    ]
# Typed pointer to TEB_ACTIVE_FRAME_CONTEXT (the frame below still keeps
# its Context member as LPVOID).
PTEB_ACTIVE_FRAME_CONTEXT = POINTER(TEB_ACTIVE_FRAME_CONTEXT)

# ntdll!_TEB_ACTIVE_FRAME
# +0x000 Flags : Uint4B
# +0x008 Previous : Ptr64 _TEB_ACTIVE_FRAME
# +0x010 Context : Ptr64 _TEB_ACTIVE_FRAME_CONTEXT
class TEB_ACTIVE_FRAME(Structure):
    """
    Node of the TEB's active frame list (C{ntdll!_TEB_ACTIVE_FRAME},
    listing above). Links are kept as untyped C{LPVOID}.
    """
    _fields_ = [
        ("Flags", DWORD),
        ("Previous", LPVOID), # PTEB_ACTIVE_FRAME
        ("Context", LPVOID), # PTEB_ACTIVE_FRAME_CONTEXT
    ]
PTEB_ACTIVE_FRAME = POINTER(TEB_ACTIVE_FRAME)

# SameTebFlags: bit masks for the 16 bit SameTebFlags word of the TEB. The
# first ten match the bit positions listed under SameTebFlags in the
# reference layout further down; RtlInitialThread is not listed there.
DbgSafeThunkCall        = 0x0001
DbgInDebugPrint         = 0x0002
DbgHasFiberData         = 0x0004
DbgSkipThreadAttach     = 0x0008
DbgWerInShipAssertCode  = 0x0010
DbgRanProcessInit       = 0x0020
DbgClonedThread         = 0x0040
DbgSuppressDebugMsg     = 0x0080
RtlDisableUserStackWalk = 0x0100
RtlExceptionAttached    = 0x0200
RtlInitialThread        = 0x0400

# XXX This is quite wrong :P
class _TEB_NT(Structure):
    """
    Thread Environment Block used for Windows NT (and, through the alias
    below, Windows 2000).

    The author's note above flags this layout as inaccurate: its tail
    (C{ActivityId}, C{EtwLocalData}, C{SpareBool0..2}) matches the later
    reference listing further down rather than the XP one, and it is the
    only TEB here packed to 4. Treat offsets past C{NtTib} as unverified.
    """
    _pack_ = 4
    _fields_ = [
        ("NtTib", NT_TIB),
        ("EnvironmentPointer", PVOID),
        ("ClientId", CLIENT_ID),
        ("ActiveRpcHandle", HANDLE),
        ("ThreadLocalStoragePointer", PVOID),
        ("ProcessEnvironmentBlock", PPEB),   # PPEB is PVOID at this point
        ("LastErrorValue", ULONG),
        ("CountOfOwnedCriticalSections", ULONG),
        ("CsrClientThread", PVOID),
        ("Win32ThreadInfo", PVOID),
        ("User32Reserved", ULONG * 26),
        ("UserReserved", ULONG * 5),
        ("WOW32Reserved", PVOID),
        ("CurrentLocale", ULONG),
        ("FpSoftwareStatusRegister", ULONG),
        ("SystemReserved1", PVOID * 54),
        ("Spare1", PVOID),
        ("ExceptionCode", ULONG),
        ("ActivationContextStackPointer", PVOID), # PACTIVATION_CONTEXT_STACK
        ("SpareBytes1", ULONG * 36),
        ("TxFsContext", ULONG),
        ("GdiTebBatch", GDI_TEB_BATCH),
        ("RealClientId", CLIENT_ID),
        ("GdiCachedProcessHandle", PVOID),
        ("GdiClientPID", ULONG),
        ("GdiClientTID", ULONG),
        ("GdiThreadLocalInfo", PVOID),
        ("Win32ClientInfo", PVOID * 62),
        ("glDispatchTable", PVOID * 233),
        ("glReserved1", ULONG * 29),
        ("glReserved2", PVOID),
        ("glSectionInfo", PVOID),
        ("glSection", PVOID),
        ("glTable", PVOID),
        ("glCurrentRC", PVOID),
        ("glContext", PVOID),
        ("LastStatusValue", NTSTATUS),
        ("StaticUnicodeString", UNICODE_STRING),
        ("StaticUnicodeBuffer", WCHAR * 261),
        ("DeallocationStack", PVOID),
        ("TlsSlots", PVOID * 64),
        ("TlsLinks", LIST_ENTRY),
        ("Vdm", PVOID),
        ("ReservedForNtRpc", PVOID),
        ("DbgSsReserved", PVOID * 2),
        ("HardErrorDisabled", ULONG),
        ("Instrumentation", PVOID * 9),
        ("ActivityId", GUID),
        ("SubProcessTag", PVOID),
        ("EtwLocalData", PVOID),
        ("EtwTraceData", PVOID),
        ("WinSockData", PVOID),
        ("GdiBatchCount", ULONG),
        ("SpareBool0", BOOLEAN),
        ("SpareBool1", BOOLEAN),
        ("SpareBool2", BOOLEAN),
        ("IdealProcessor", UCHAR),
        ("GuaranteedStackBytes", ULONG),
        ("ReservedForPerf", PVOID),
        ("ReservedForOle", PVOID),
        ("WaitingOnLoaderLock", ULONG),
        ("StackCommit", PVOID),
        ("StackCommitMax", PVOID),
        ("StackReserved", PVOID),
    ]
# not really, but "dt _TEB" in w2k isn't working for me :(
# Windows 2000 reuses the NT definition above, including its caveats.
_TEB_2000 = _TEB_NT

# Reference layout (32 bit "dt _TEB" output) for the _TEB_XP definition
# below. Note that this listing has the activation context stack inline at
# +0x1a8 (0x14 bytes), whereas the Python definition stores a pointer.
# +0x000 NtTib : _NT_TIB
# +0x01c EnvironmentPointer : Ptr32 Void
# +0x020 ClientId : _CLIENT_ID
# +0x028 ActiveRpcHandle : Ptr32 Void
# +0x02c ThreadLocalStoragePointer : Ptr32 Void
# +0x030 ProcessEnvironmentBlock : Ptr32 _PEB
# +0x034 LastErrorValue : Uint4B
# +0x038 CountOfOwnedCriticalSections : Uint4B
# +0x03c CsrClientThread : Ptr32 Void
# +0x040 Win32ThreadInfo : Ptr32 Void
# +0x044 User32Reserved : [26] Uint4B
# +0x0ac UserReserved : [5] Uint4B
# +0x0c0 WOW32Reserved : Ptr32 Void
# +0x0c4 CurrentLocale : Uint4B
# +0x0c8 FpSoftwareStatusRegister : Uint4B
# +0x0cc SystemReserved1 : [54] Ptr32 Void
# +0x1a4 ExceptionCode : Int4B
# +0x1a8 ActivationContextStack : _ACTIVATION_CONTEXT_STACK
# +0x1bc SpareBytes1 : [24] UChar
# +0x1d4 GdiTebBatch : _GDI_TEB_BATCH
# +0x6b4 RealClientId : _CLIENT_ID
# +0x6bc GdiCachedProcessHandle : Ptr32 Void
# +0x6c0 GdiClientPID : Uint4B
# +0x6c4 GdiClientTID : Uint4B
# +0x6c8 GdiThreadLocalInfo : Ptr32 Void
# +0x6cc Win32ClientInfo : [62] Uint4B
# +0x7c4 glDispatchTable : [233] Ptr32 Void
# +0xb68 glReserved1 : [29] Uint4B
# +0xbdc glReserved2 : Ptr32 Void
# +0xbe0 glSectionInfo : Ptr32 Void
# +0xbe4 glSection : Ptr32 Void
# +0xbe8 glTable : Ptr32 Void
# +0xbec glCurrentRC : Ptr32 Void
# +0xbf0 glContext : Ptr32 Void
# +0xbf4 LastStatusValue : Uint4B
# +0xbf8 StaticUnicodeString : _UNICODE_STRING
# +0xc00 StaticUnicodeBuffer : [261] Uint2B
# +0xe0c DeallocationStack : Ptr32 Void
# +0xe10 TlsSlots : [64] Ptr32 Void
# +0xf10 TlsLinks : _LIST_ENTRY
# +0xf18 Vdm : Ptr32 Void
# +0xf1c ReservedForNtRpc : Ptr32 Void
# +0xf20 DbgSsReserved : [2] Ptr32 Void
# +0xf28 HardErrorsAreDisabled : Uint4B
# +0xf2c Instrumentation : [16] Ptr32 Void
# +0xf6c WinSockData : Ptr32 Void
# +0xf70 GdiBatchCount : Uint4B
# +0xf74 InDbgPrint : UChar
# +0xf75 FreeStackOnTermination : UChar
# +0xf76 HasFiberData : UChar
# +0xf77 IdealProcessor : UChar
# +0xf78 Spare3 : Uint4B
# +0xf7c ReservedForPerf : Ptr32 Void
# +0xf80 ReservedForOle : Ptr32 Void
# +0xf84 WaitingOnLoaderLock : Uint4B
# +0xf88 Wx86Thread : _Wx86ThreadState
# +0xf94 TlsExpansionSlots : Ptr32 Ptr32 Void
# +0xf98 ImpersonationLocale : Uint4B
# +0xf9c IsImpersonating : Uint4B
# +0xfa0 NlsCache : Ptr32 Void
# +0xfa4 pShimData : Ptr32 Void
# +0xfa8 HeapVirtualAffinity : Uint4B
# +0xfac CurrentTransactionHandle : Ptr32 Void
# +0xfb0 ActiveFrame : Ptr32 _TEB_ACTIVE_FRAME
# +0xfb4 SafeThunkCall : UChar
# +0xfb5 BooleanSpare : [3] UChar
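class _TEB_XP(Structure):
    """
    Thread Environment Block for 32 bit Windows XP.

    The field table follows the C{dt _TEB} listing reproduced in the comment
    block above. Every member from C{GdiTebBatch} (+0x1d4) onwards sits at
    the documented offset only if the spare area between
    C{ActivationContextStackPointer} (+0x1a8) and C{GdiTebBatch} is 0x2c
    bytes long; see the comment on C{SpareBytes1}.
    """
    _pack_ = 8
    _fields_ = [
        ("NtTib", NT_TIB),
        ("EnvironmentPointer", PVOID),
        ("ClientId", CLIENT_ID),
        ("ActiveRpcHandle", HANDLE),
        ("ThreadLocalStoragePointer", PVOID),
        ("ProcessEnvironmentBlock", PVOID), # PPEB
        ("LastErrorValue", DWORD),
        ("CountOfOwnedCriticalSections", DWORD),
        ("CsrClientThread", PVOID),
        ("Win32ThreadInfo", PVOID),
        ("User32Reserved", DWORD * 26),
        ("UserReserved", DWORD * 5),
        ("WOW32Reserved", PVOID),
        ("CurrentLocale", DWORD),
        ("FpSoftwareStatusRegister", DWORD),
        ("SystemReserved1", PVOID * 54),
        ("ExceptionCode", SDWORD),                      # +0x1a4
        ("ActivationContextStackPointer", PVOID), # PACTIVATION_CONTEXT_STACK, +0x1a8
        # The reference listing puts GdiTebBatch at +0x1d4, 0x2c bytes past
        # +0x1a8. After the 4 byte pointer above and the 4 byte TxFsContext
        # below that leaves 36 spare bytes, not 24: with 24 GdiTebBatch and
        # every later member would be read 12 bytes too early.
        ("SpareBytes1", UCHAR * 36),                    # +0x1ac
        ("TxFsContext", DWORD),                         # +0x1d0
        ("GdiTebBatch", GDI_TEB_BATCH),                 # +0x1d4
        ("RealClientId", CLIENT_ID),                    # +0x6b4
        ("GdiCachedProcessHandle", HANDLE),
        ("GdiClientPID", DWORD),
        ("GdiClientTID", DWORD),
        ("GdiThreadLocalInfo", PVOID),
        ("Win32ClientInfo", DWORD * 62),
        ("glDispatchTable", PVOID * 233),
        ("glReserved1", DWORD * 29),
        ("glReserved2", PVOID),
        ("glSectionInfo", PVOID),
        ("glSection", PVOID),
        ("glTable", PVOID),
        ("glCurrentRC", PVOID),
        ("glContext", PVOID),
        ("LastStatusValue", NTSTATUS),
        ("StaticUnicodeString", UNICODE_STRING),
        ("StaticUnicodeBuffer", WCHAR * 261),
        ("DeallocationStack", PVOID),
        ("TlsSlots", PVOID * 64),
        ("TlsLinks", LIST_ENTRY),
        ("Vdm", PVOID),
        ("ReservedForNtRpc", PVOID),
        ("DbgSsReserved", PVOID * 2),
        ("HardErrorsAreDisabled", DWORD),
        ("Instrumentation", PVOID * 16),
        ("WinSockData", PVOID),
        ("GdiBatchCount", DWORD),
        ("InDbgPrint", BOOLEAN),
        ("FreeStackOnTermination", BOOLEAN),
        ("HasFiberData", BOOLEAN),
        ("IdealProcessor", UCHAR),
        ("Spare3", DWORD),
        ("ReservedForPerf", PVOID),
        ("ReservedForOle", PVOID),
        ("WaitingOnLoaderLock", DWORD),
        ("Wx86Thread", Wx86ThreadState),                # +0xf88, 0x0c bytes
        ("TlsExpansionSlots", PVOID), # Ptr32 Ptr32 Void
        ("ImpersonationLocale", DWORD),
        ("IsImpersonating", BOOL),
        ("NlsCache", PVOID),
        ("pShimData", PVOID),
        ("HeapVirtualAffinity", DWORD),
        ("CurrentTransactionHandle", HANDLE),
        ("ActiveFrame", PVOID), # PTEB_ACTIVE_FRAME
        ("SafeThunkCall", BOOLEAN),
        ("BooleanSpare", BOOLEAN * 3),
    ]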
2263 2264 # +0x000 NtTib : _NT_TIB 2265 # +0x038 EnvironmentPointer : Ptr64 Void 2266 # +0x040 ClientId : _CLIENT_ID 2267 # +0x050 ActiveRpcHandle : Ptr64 Void 2268 # +0x058 ThreadLocalStoragePointer : Ptr64 Void 2269 # +0x060 ProcessEnvironmentBlock : Ptr64 _PEB 2270 # +0x068 LastErrorValue : Uint4B 2271 # +0x06c CountOfOwnedCriticalSections : Uint4B 2272 # +0x070 CsrClientThread : Ptr64 Void 2273 # +0x078 Win32ThreadInfo : Ptr64 Void 2274 # +0x080 User32Reserved : [26] Uint4B 2275 # +0x0e8 UserReserved : [5] Uint4B 2276 # +0x100 WOW32Reserved : Ptr64 Void 2277 # +0x108 CurrentLocale : Uint4B 2278 # +0x10c FpSoftwareStatusRegister : Uint4B 2279 # +0x110 SystemReserved1 : [54] Ptr64 Void 2280 # +0x2c0 ExceptionCode : Int4B 2281 # +0x2c8 ActivationContextStackPointer : Ptr64 _ACTIVATION_CONTEXT_STACK 2282 # +0x2d0 SpareBytes1 : [28] UChar 2283 # +0x2f0 GdiTebBatch : _GDI_TEB_BATCH 2284 # +0x7d8 RealClientId : _CLIENT_ID 2285 # +0x7e8 GdiCachedProcessHandle : Ptr64 Void 2286 # +0x7f0 GdiClientPID : Uint4B 2287 # +0x7f4 GdiClientTID : Uint4B 2288 # +0x7f8 GdiThreadLocalInfo : Ptr64 Void 2289 # +0x800 Win32ClientInfo : [62] Uint8B 2290 # +0x9f0 glDispatchTable : [233] Ptr64 Void 2291 # +0x1138 glReserved1 : [29] Uint8B 2292 # +0x1220 glReserved2 : Ptr64 Void 2293 # +0x1228 glSectionInfo : Ptr64 Void 2294 # +0x1230 glSection : Ptr64 Void 2295 # +0x1238 glTable : Ptr64 Void 2296 # +0x1240 glCurrentRC : Ptr64 Void 2297 # +0x1248 glContext : Ptr64 Void 2298 # +0x1250 LastStatusValue : Uint4B 2299 # +0x1258 StaticUnicodeString : _UNICODE_STRING 2300 # +0x1268 StaticUnicodeBuffer : [261] Uint2B 2301 # +0x1478 DeallocationStack : Ptr64 Void 2302 # +0x1480 TlsSlots : [64] Ptr64 Void 2303 # +0x1680 TlsLinks : _LIST_ENTRY 2304 # +0x1690 Vdm : Ptr64 Void 2305 # +0x1698 ReservedForNtRpc : Ptr64 Void 2306 # +0x16a0 DbgSsReserved : [2] Ptr64 Void 2307 # +0x16b0 HardErrorMode : Uint4B 2308 # +0x16b8 Instrumentation : [14] Ptr64 Void 2309 # +0x1728 SubProcessTag : Ptr64 Void 2310 # 
+0x1730 EtwTraceData : Ptr64 Void 2311 # +0x1738 WinSockData : Ptr64 Void 2312 # +0x1740 GdiBatchCount : Uint4B 2313 # +0x1744 InDbgPrint : UChar 2314 # +0x1745 FreeStackOnTermination : UChar 2315 # +0x1746 HasFiberData : UChar 2316 # +0x1747 IdealProcessor : UChar 2317 # +0x1748 GuaranteedStackBytes : Uint4B 2318 # +0x1750 ReservedForPerf : Ptr64 Void 2319 # +0x1758 ReservedForOle : Ptr64 Void 2320 # +0x1760 WaitingOnLoaderLock : Uint4B 2321 # +0x1768 SparePointer1 : Uint8B 2322 # +0x1770 SoftPatchPtr1 : Uint8B 2323 # +0x1778 SoftPatchPtr2 : Uint8B 2324 # +0x1780 TlsExpansionSlots : Ptr64 Ptr64 Void 2325 # +0x1788 DeallocationBStore : Ptr64 Void 2326 # +0x1790 BStoreLimit : Ptr64 Void 2327 # +0x1798 ImpersonationLocale : Uint4B 2328 # +0x179c IsImpersonating : Uint4B 2329 # +0x17a0 NlsCache : Ptr64 Void 2330 # +0x17a8 pShimData : Ptr64 Void 2331 # +0x17b0 HeapVirtualAffinity : Uint4B 2332 # +0x17b8 CurrentTransactionHandle : Ptr64 Void 2333 # +0x17c0 ActiveFrame : Ptr64 _TEB_ACTIVE_FRAME 2334 # +0x17c8 FlsData : Ptr64 Void 2335 # +0x17d0 SafeThunkCall : UChar 2336 # +0x17d1 BooleanSpare : [3] UChar
class _TEB_XP_64(Structure):
    """
    Thread Environment Block for 64 bit Windows XP (also aliased for 64 bit
    Windows 2003 below).

    The field table follows the C{dt _TEB} listing reproduced in the comment
    block above. NOTE(review): that listing puts C{GdiTebBatch} at +0x2f0
    and C{RealClientId} at +0x7d8, 0x4e8 bytes apart, which requires
    C{GDI_TEB_BATCH} to be 8 byte aligned and 0x4e8 bytes long on 64 bit;
    confirm against its definition before relying on members past
    C{GdiTebBatch}.
    """
    _pack_ = 8
    _fields_ = [
        ("NtTib", NT_TIB),
        ("EnvironmentPointer", PVOID),
        ("ClientId", CLIENT_ID),
        ("ActiveRpcHandle", PVOID),
        ("ThreadLocalStoragePointer", PVOID),
        ("ProcessEnvironmentBlock", PVOID), # PPEB
        ("LastErrorValue", DWORD),
        ("CountOfOwnedCriticalSections", DWORD),
        ("CsrClientThread", PVOID),
        ("Win32ThreadInfo", PVOID),
        ("User32Reserved", DWORD * 26),
        ("UserReserved", DWORD * 5),
        ("WOW32Reserved", PVOID),
        ("CurrentLocale", DWORD),
        ("FpSoftwareStatusRegister", DWORD),
        ("SystemReserved1", PVOID * 54),
        ("ExceptionCode", SDWORD),                      # +0x2c0
        ("ActivationContextStackPointer", PVOID), # PACTIVATION_CONTEXT_STACK, +0x2c8
        ("SpareBytes1", UCHAR * 28),                    # +0x2d0
        ("GdiTebBatch", GDI_TEB_BATCH),                 # +0x2f0 in the listing
        ("RealClientId", CLIENT_ID),                    # +0x7d8 in the listing
        ("GdiCachedProcessHandle", HANDLE),
        ("GdiClientPID", DWORD),
        ("GdiClientTID", DWORD),
        ("GdiThreadLocalInfo", PVOID),
        ("Win32ClientInfo", QWORD * 62),
        ("glDispatchTable", PVOID * 233),
        ("glReserved1", QWORD * 29),
        ("glReserved2", PVOID),
        ("glSectionInfo", PVOID),
        ("glSection", PVOID),
        ("glTable", PVOID),
        ("glCurrentRC", PVOID),
        ("glContext", PVOID),
        ("LastStatusValue", NTSTATUS),
        ("StaticUnicodeString", UNICODE_STRING),
        ("StaticUnicodeBuffer", WCHAR * 261),
        ("DeallocationStack", PVOID),
        ("TlsSlots", PVOID * 64),
        ("TlsLinks", LIST_ENTRY),
        ("Vdm", PVOID),
        ("ReservedForNtRpc", PVOID),
        ("DbgSsReserved", PVOID * 2),
        ("HardErrorMode", DWORD),
        ("Instrumentation", PVOID * 14),
        ("SubProcessTag", PVOID),
        ("EtwTraceData", PVOID),
        ("WinSockData", PVOID),
        ("GdiBatchCount", DWORD),
        ("InDbgPrint", BOOLEAN),
        ("FreeStackOnTermination", BOOLEAN),
        ("HasFiberData", BOOLEAN),
        ("IdealProcessor", UCHAR),
        ("GuaranteedStackBytes", DWORD),
        ("ReservedForPerf", PVOID),
        ("ReservedForOle", PVOID),
        ("WaitingOnLoaderLock", DWORD),
        ("SparePointer1", PVOID),
        ("SoftPatchPtr1", PVOID),
        ("SoftPatchPtr2", PVOID),
        ("TlsExpansionSlots", PVOID), # Ptr64 Ptr64 Void
        ("DeallocationBStore", PVOID),
        ("BStoreLimit", PVOID),
        ("ImpersonationLocale", DWORD),
        ("IsImpersonating", BOOL),
        ("NlsCache", PVOID),
        ("pShimData", PVOID),
        ("HeapVirtualAffinity", DWORD),
        ("CurrentTransactionHandle", HANDLE),
        ("ActiveFrame", PVOID), # PTEB_ACTIVE_FRAME
        ("FlsData", PVOID),
        ("SafeThunkCall", BOOLEAN),
        ("BooleanSpare", BOOLEAN * 3),
    ]
2414 2415 # +0x000 NtTib : _NT_TIB 2416 # +0x01c EnvironmentPointer : Ptr32 Void 2417 # +0x020 ClientId : _CLIENT_ID 2418 # +0x028 ActiveRpcHandle : Ptr32 Void 2419 # +0x02c ThreadLocalStoragePointer : Ptr32 Void 2420 # +0x030 ProcessEnvironmentBlock : Ptr32 _PEB 2421 # +0x034 LastErrorValue : Uint4B 2422 # +0x038 CountOfOwnedCriticalSections : Uint4B 2423 # +0x03c CsrClientThread : Ptr32 Void 2424 # +0x040 Win32ThreadInfo : Ptr32 Void 2425 # +0x044 User32Reserved : [26] Uint4B 2426 # +0x0ac UserReserved : [5] Uint4B 2427 # +0x0c0 WOW32Reserved : Ptr32 Void 2428 # +0x0c4 CurrentLocale : Uint4B 2429 # +0x0c8 FpSoftwareStatusRegister : Uint4B 2430 # +0x0cc SystemReserved1 : [54] Ptr32 Void 2431 # +0x1a4 ExceptionCode : Int4B 2432 # +0x1a8 ActivationContextStackPointer : Ptr32 _ACTIVATION_CONTEXT_STACK 2433 # +0x1ac SpareBytes1 : [40] UChar 2434 # +0x1d4 GdiTebBatch : _GDI_TEB_BATCH 2435 # +0x6b4 RealClientId : _CLIENT_ID 2436 # +0x6bc GdiCachedProcessHandle : Ptr32 Void 2437 # +0x6c0 GdiClientPID : Uint4B 2438 # +0x6c4 GdiClientTID : Uint4B 2439 # +0x6c8 GdiThreadLocalInfo : Ptr32 Void 2440 # +0x6cc Win32ClientInfo : [62] Uint4B 2441 # +0x7c4 glDispatchTable : [233] Ptr32 Void 2442 # +0xb68 glReserved1 : [29] Uint4B 2443 # +0xbdc glReserved2 : Ptr32 Void 2444 # +0xbe0 glSectionInfo : Ptr32 Void 2445 # +0xbe4 glSection : Ptr32 Void 2446 # +0xbe8 glTable : Ptr32 Void 2447 # +0xbec glCurrentRC : Ptr32 Void 2448 # +0xbf0 glContext : Ptr32 Void 2449 # +0xbf4 LastStatusValue : Uint4B 2450 # +0xbf8 StaticUnicodeString : _UNICODE_STRING 2451 # +0xc00 StaticUnicodeBuffer : [261] Uint2B 2452 # +0xe0c DeallocationStack : Ptr32 Void 2453 # +0xe10 TlsSlots : [64] Ptr32 Void 2454 # +0xf10 TlsLinks : _LIST_ENTRY 2455 # +0xf18 Vdm : Ptr32 Void 2456 # +0xf1c ReservedForNtRpc : Ptr32 Void 2457 # +0xf20 DbgSsReserved : [2] Ptr32 Void 2458 # +0xf28 HardErrorMode : Uint4B 2459 # +0xf2c Instrumentation : [14] Ptr32 Void 2460 # +0xf64 SubProcessTag : Ptr32 Void 2461 # +0xf68 EtwTraceData : 
Ptr32 Void 2462 # +0xf6c WinSockData : Ptr32 Void 2463 # +0xf70 GdiBatchCount : Uint4B 2464 # +0xf74 InDbgPrint : UChar 2465 # +0xf75 FreeStackOnTermination : UChar 2466 # +0xf76 HasFiberData : UChar 2467 # +0xf77 IdealProcessor : UChar 2468 # +0xf78 GuaranteedStackBytes : Uint4B 2469 # +0xf7c ReservedForPerf : Ptr32 Void 2470 # +0xf80 ReservedForOle : Ptr32 Void 2471 # +0xf84 WaitingOnLoaderLock : Uint4B 2472 # +0xf88 SparePointer1 : Uint4B 2473 # +0xf8c SoftPatchPtr1 : Uint4B 2474 # +0xf90 SoftPatchPtr2 : Uint4B 2475 # +0xf94 TlsExpansionSlots : Ptr32 Ptr32 Void 2476 # +0xf98 ImpersonationLocale : Uint4B 2477 # +0xf9c IsImpersonating : Uint4B 2478 # +0xfa0 NlsCache : Ptr32 Void 2479 # +0xfa4 pShimData : Ptr32 Void 2480 # +0xfa8 HeapVirtualAffinity : Uint4B 2481 # +0xfac CurrentTransactionHandle : Ptr32 Void 2482 # +0xfb0 ActiveFrame : Ptr32 _TEB_ACTIVE_FRAME 2483 # +0xfb4 FlsData : Ptr32 Void 2484 # +0xfb8 SafeThunkCall : UChar 2485 # +0xfb9 BooleanSpare : [3] UChar
class _TEB_2003(Structure):
    """
    Thread Environment Block for 32 bit Windows 2003 (also aliased for
    2003 R2 below).

    The field table follows the C{dt _TEB} listing reproduced in the comment
    block above; C{SpareBytes1} is 40 bytes so that C{GdiTebBatch} lands on
    +0x1d4 as documented.
    """
    _pack_ = 8
    _fields_ = [
        ("NtTib", NT_TIB),
        ("EnvironmentPointer", PVOID),
        ("ClientId", CLIENT_ID),
        ("ActiveRpcHandle", HANDLE),
        ("ThreadLocalStoragePointer", PVOID),
        ("ProcessEnvironmentBlock", PVOID), # PPEB
        ("LastErrorValue", DWORD),
        ("CountOfOwnedCriticalSections", DWORD),
        ("CsrClientThread", PVOID),
        ("Win32ThreadInfo", PVOID),
        ("User32Reserved", DWORD * 26),
        ("UserReserved", DWORD * 5),
        ("WOW32Reserved", PVOID),
        ("CurrentLocale", DWORD),
        ("FpSoftwareStatusRegister", DWORD),
        ("SystemReserved1", PVOID * 54),
        ("ExceptionCode", SDWORD),                      # +0x1a4
        ("ActivationContextStackPointer", PVOID), # PACTIVATION_CONTEXT_STACK, +0x1a8
        ("SpareBytes1", UCHAR * 40),                    # +0x1ac
        ("GdiTebBatch", GDI_TEB_BATCH),                 # +0x1d4
        ("RealClientId", CLIENT_ID),
        ("GdiCachedProcessHandle", HANDLE),
        ("GdiClientPID", DWORD),
        ("GdiClientTID", DWORD),
        ("GdiThreadLocalInfo", PVOID),
        ("Win32ClientInfo", DWORD * 62),
        ("glDispatchTable", PVOID * 233),
        ("glReserved1", DWORD * 29),
        ("glReserved2", PVOID),
        ("glSectionInfo", PVOID),
        ("glSection", PVOID),
        ("glTable", PVOID),
        ("glCurrentRC", PVOID),
        ("glContext", PVOID),
        ("LastStatusValue", NTSTATUS),
        ("StaticUnicodeString", UNICODE_STRING),
        ("StaticUnicodeBuffer", WCHAR * 261),
        ("DeallocationStack", PVOID),
        ("TlsSlots", PVOID * 64),
        ("TlsLinks", LIST_ENTRY),
        ("Vdm", PVOID),
        ("ReservedForNtRpc", PVOID),
        ("DbgSsReserved", PVOID * 2),
        ("HardErrorMode", DWORD),
        ("Instrumentation", PVOID * 14),
        ("SubProcessTag", PVOID),
        ("EtwTraceData", PVOID),
        ("WinSockData", PVOID),
        ("GdiBatchCount", DWORD),
        ("InDbgPrint", BOOLEAN),
        ("FreeStackOnTermination", BOOLEAN),
        ("HasFiberData", BOOLEAN),
        ("IdealProcessor", UCHAR),
        ("GuaranteedStackBytes", DWORD),
        ("ReservedForPerf", PVOID),
        ("ReservedForOle", PVOID),
        ("WaitingOnLoaderLock", DWORD),
        ("SparePointer1", PVOID),
        ("SoftPatchPtr1", PVOID),
        ("SoftPatchPtr2", PVOID),
        ("TlsExpansionSlots", PVOID), # Ptr32 Ptr32 Void
        ("ImpersonationLocale", DWORD),
        ("IsImpersonating", BOOL),
        ("NlsCache", PVOID),
        ("pShimData", PVOID),
        ("HeapVirtualAffinity", DWORD),
        ("CurrentTransactionHandle", HANDLE),
        ("ActiveFrame", PVOID), # PTEB_ACTIVE_FRAME
        ("FlsData", PVOID),
        ("SafeThunkCall", BOOLEAN),
        ("BooleanSpare", BOOLEAN * 3),
    ]
# Windows Server 2003 reuses the XP 64-bit layout, and both R2 releases
# alias the plain 2003 layouts.
_TEB_2003_64 = _TEB_2003_R2_64 = _TEB_XP_64
_TEB_2003_R2 = _TEB_2003

# Layout reference for _TEB_2008 below (32 bits): offset, field name, type.
# +0x000 NtTib : _NT_TIB
# +0x01c EnvironmentPointer : Ptr32 Void
# +0x020 ClientId : _CLIENT_ID
# +0x028 ActiveRpcHandle : Ptr32 Void
# +0x02c ThreadLocalStoragePointer : Ptr32 Void
# +0x030 ProcessEnvironmentBlock : Ptr32 _PEB
# +0x034 LastErrorValue : Uint4B
# +0x038 CountOfOwnedCriticalSections : Uint4B
# +0x03c CsrClientThread : Ptr32 Void
# +0x040 Win32ThreadInfo : Ptr32 Void
# +0x044 User32Reserved : [26] Uint4B
# +0x0ac UserReserved : [5] Uint4B
# +0x0c0 WOW32Reserved : Ptr32 Void
# +0x0c4 CurrentLocale : Uint4B
# +0x0c8 FpSoftwareStatusRegister : Uint4B
# +0x0cc SystemReserved1 : [54] Ptr32 Void
# +0x1a4 ExceptionCode : Int4B
# +0x1a8 ActivationContextStackPointer : Ptr32 _ACTIVATION_CONTEXT_STACK
# +0x1ac SpareBytes1 : [36] UChar
# +0x1d0 TxFsContext : Uint4B
# +0x1d4 GdiTebBatch : _GDI_TEB_BATCH
# +0x6b4 RealClientId : _CLIENT_ID
# +0x6bc GdiCachedProcessHandle : Ptr32 Void
# +0x6c0 GdiClientPID : Uint4B
# +0x6c4 GdiClientTID : Uint4B
# +0x6c8 GdiThreadLocalInfo : Ptr32 Void
# +0x6cc Win32ClientInfo : [62] Uint4B
# +0x7c4 glDispatchTable : [233] Ptr32 Void
# +0xb68 glReserved1 : [29] Uint4B
# +0xbdc glReserved2 : Ptr32 Void
# +0xbe0 glSectionInfo : Ptr32 Void
# +0xbe4 glSection : Ptr32 Void
# +0xbe8 glTable : Ptr32 Void
# +0xbec glCurrentRC : Ptr32 Void
# +0xbf0 glContext : Ptr32 Void
# +0xbf4 LastStatusValue : Uint4B
# +0xbf8 StaticUnicodeString : _UNICODE_STRING
# +0xc00 StaticUnicodeBuffer : [261] Wchar
# +0xe0c DeallocationStack : Ptr32 Void
# +0xe10 TlsSlots : [64] Ptr32 Void
# +0xf10 TlsLinks : _LIST_ENTRY
# +0xf18 Vdm : Ptr32 Void
# +0xf1c ReservedForNtRpc : Ptr32 Void
# +0xf20 DbgSsReserved : [2] Ptr32 Void
# +0xf28 HardErrorMode : Uint4B
# +0xf2c Instrumentation : [9] Ptr32 Void
# +0xf50 ActivityId : _GUID
# +0xf60 SubProcessTag : Ptr32 Void
# +0xf64 EtwLocalData : Ptr32 Void
# +0xf68 EtwTraceData : Ptr32 Void
# +0xf6c WinSockData : Ptr32 Void
# +0xf70 GdiBatchCount : Uint4B
# +0xf74 SpareBool0 : UChar
# +0xf75 SpareBool1 : UChar
# +0xf76 SpareBool2 : UChar
# +0xf77 IdealProcessor : UChar
# +0xf78 GuaranteedStackBytes : Uint4B
# +0xf7c ReservedForPerf : Ptr32 Void
# +0xf80 ReservedForOle : Ptr32 Void
# +0xf84 WaitingOnLoaderLock : Uint4B
# +0xf88 SavedPriorityState : Ptr32 Void
# +0xf8c SoftPatchPtr1 : Uint4B
# +0xf90 ThreadPoolData : Ptr32 Void
# +0xf94 TlsExpansionSlots : Ptr32 Ptr32 Void
# +0xf98 ImpersonationLocale : Uint4B
# +0xf9c IsImpersonating : Uint4B
# +0xfa0 NlsCache : Ptr32 Void
# +0xfa4 pShimData : Ptr32 Void
# +0xfa8 HeapVirtualAffinity : Uint4B
# +0xfac CurrentTransactionHandle : Ptr32 Void
# +0xfb0 ActiveFrame : Ptr32 _TEB_ACTIVE_FRAME
# +0xfb4 FlsData : Ptr32 Void
# +0xfb8 PreferredLanguages : Ptr32 Void
# +0xfbc UserPrefLanguages : Ptr32 Void
# +0xfc0 MergedPrefLanguages : Ptr32 Void
# +0xfc4 MuiImpersonation : Uint4B
# +0xfc8 CrossTebFlags : Uint2B
# +0xfc8 SpareCrossTebBits : Pos 0, 16 Bits
# +0xfca SameTebFlags : Uint2B
# +0xfca DbgSafeThunkCall : Pos 0, 1 Bit
# +0xfca DbgInDebugPrint : Pos 1, 1 Bit
# +0xfca DbgHasFiberData : Pos 2, 1 Bit
# +0xfca DbgSkipThreadAttach : Pos 3, 1 Bit
# +0xfca DbgWerInShipAssertCode : Pos 4, 1 Bit
# +0xfca DbgRanProcessInit : Pos 5, 1 Bit
# +0xfca DbgClonedThread : Pos 6, 1 Bit
# +0xfca DbgSuppressDebugMsg : Pos 7, 1 Bit
# +0xfca RtlDisableUserStackWalk : Pos 8, 1 Bit
# +0xfca RtlExceptionAttached : Pos 9, 1 Bit
# +0xfca SpareSameTebBits : Pos 10, 6 Bits
# +0xfcc TxnScopeEnterCallback : Ptr32 Void
# +0xfd0 TxnScopeExitCallback : Ptr32 Void
# +0xfd4 TxnScopeContext : Ptr32 Void
# +0xfd8 LockCount : Uint4B
# +0xfdc ProcessRundown : Uint4B
# +0xfe0 LastSwitchTime : Uint8B
# +0xfe8 TotalSwitchOutTime : Uint8B
# +0xff0 WaitReasonBitMap : _LARGE_INTEGER
class _TEB_2008(Structure):
    """
    Thread Environment Block layout for Windows Server 2008, 32 bits.

    Template structure: its ``_fields_`` list is copied into TEB when the
    host is reported as 'Windows 2008' (or 'Windows Vista', through the
    _TEB_Vista alias). The field table follows the offset dump in the
    comment block right above this class.

    Pointers to other structures are declared as plain PVOID; the trailing
    comment on those lines names the intended pointee type. Array lengths
    differ from the 64-bit variant (_TEB_2008_64), so the two are kept as
    separate tables.
    """
    # Caps field alignment at 8 bytes; presumably mirrors the compiler's
    # default packing for the Windows headers.
    _pack_ = 8
    _fields_ = [
        ("NtTib",                           NT_TIB),
        ("EnvironmentPointer",              PVOID),
        ("ClientId",                        CLIENT_ID),
        ("ActiveRpcHandle",                 HANDLE),
        ("ThreadLocalStoragePointer",       PVOID),
        ("ProcessEnvironmentBlock",         PVOID),     # PPEB
        ("LastErrorValue",                  DWORD),
        ("CountOfOwnedCriticalSections",    DWORD),
        ("CsrClientThread",                 PVOID),
        ("Win32ThreadInfo",                 PVOID),
        ("User32Reserved",                  DWORD * 26),
        ("UserReserved",                    DWORD * 5),
        ("WOW32Reserved",                   PVOID),
        ("CurrentLocale",                   DWORD),
        ("FpSoftwareStatusRegister",        DWORD),
        ("SystemReserved1",                 PVOID * 54),
        ("ExceptionCode",                   SDWORD),
        ("ActivationContextStackPointer",   PVOID),     # PACTIVATION_CONTEXT_STACK
        ("SpareBytes1",                     UCHAR * 36),    # 24 in the 64-bit layout
        ("TxFsContext",                     DWORD),
        ("GdiTebBatch",                     GDI_TEB_BATCH),
        ("RealClientId",                    CLIENT_ID),
        ("GdiCachedProcessHandle",          HANDLE),
        ("GdiClientPID",                    DWORD),
        ("GdiClientTID",                    DWORD),
        ("GdiThreadLocalInfo",              PVOID),
        ("Win32ClientInfo",                 DWORD * 62),    # [62] Uint4B here, Uint8B on 64 bits
        ("glDispatchTable",                 PVOID * 233),
        ("glReserved1",                     DWORD * 29),
        ("glReserved2",                     PVOID),
        ("glSectionInfo",                   PVOID),
        ("glSection",                       PVOID),
        ("glTable",                         PVOID),
        ("glCurrentRC",                     PVOID),
        ("glContext",                       PVOID),
        ("LastStatusValue",                 NTSTATUS),
        ("StaticUnicodeString",             UNICODE_STRING),
        ("StaticUnicodeBuffer",             WCHAR * 261),
        ("DeallocationStack",               PVOID),
        ("TlsSlots",                        PVOID * 64),
        ("TlsLinks",                        LIST_ENTRY),
        ("Vdm",                             PVOID),
        ("ReservedForNtRpc",                PVOID),
        ("DbgSsReserved",                   PVOID * 2),
        ("HardErrorMode",                   DWORD),
        ("Instrumentation",                 PVOID * 9),     # 11 in the 64-bit layout
        ("ActivityId",                      GUID),
        ("SubProcessTag",                   PVOID),
        ("EtwLocalData",                    PVOID),
        ("EtwTraceData",                    PVOID),
        ("WinSockData",                     PVOID),
        ("GdiBatchCount",                   DWORD),
        ("SpareBool0",                      BOOLEAN),
        ("SpareBool1",                      BOOLEAN),
        ("SpareBool2",                      BOOLEAN),
        ("IdealProcessor",                  UCHAR),
        ("GuaranteedStackBytes",            DWORD),
        ("ReservedForPerf",                 PVOID),
        ("ReservedForOle",                  PVOID),
        ("WaitingOnLoaderLock",             DWORD),
        ("SavedPriorityState",              PVOID),
        ("SoftPatchPtr1",                   PVOID),
        ("ThreadPoolData",                  PVOID),
        ("TlsExpansionSlots",               PVOID),     # Ptr32 Ptr32 Void
        ("ImpersonationLocale",             DWORD),
        ("IsImpersonating",                 BOOL),
        ("NlsCache",                        PVOID),
        ("pShimData",                       PVOID),
        ("HeapVirtualAffinity",             DWORD),
        ("CurrentTransactionHandle",        HANDLE),
        ("ActiveFrame",                     PVOID),     # PTEB_ACTIVE_FRAME
        ("FlsData",                         PVOID),
        ("PreferredLanguages",              PVOID),
        ("UserPrefLanguages",               PVOID),
        ("MergedPrefLanguages",             PVOID),
        ("MuiImpersonation",                BOOL),
        # Both flag words are bit fields in the dump; exposed here as raw WORDs.
        ("CrossTebFlags",                   WORD),
        ("SameTebFlags",                    WORD),
        ("TxnScopeEnterCallback",           PVOID),
        ("TxnScopeExitCallback",            PVOID),
        ("TxnScopeContext",                 PVOID),
        ("LockCount",                       DWORD),
        ("ProcessRundown",                  DWORD),
        ("LastSwitchTime",                  QWORD),
        ("TotalSwitchOutTime",              QWORD),
        ("WaitReasonBitMap",                LONGLONG),  # LARGE_INTEGER
    ]
2754 2755 # +0x000 NtTib : _NT_TIB 2756 # +0x038 EnvironmentPointer : Ptr64 Void 2757 # +0x040 ClientId : _CLIENT_ID 2758 # +0x050 ActiveRpcHandle : Ptr64 Void 2759 # +0x058 ThreadLocalStoragePointer : Ptr64 Void 2760 # +0x060 ProcessEnvironmentBlock : Ptr64 _PEB 2761 # +0x068 LastErrorValue : Uint4B 2762 # +0x06c CountOfOwnedCriticalSections : Uint4B 2763 # +0x070 CsrClientThread : Ptr64 Void 2764 # +0x078 Win32ThreadInfo : Ptr64 Void 2765 # +0x080 User32Reserved : [26] Uint4B 2766 # +0x0e8 UserReserved : [5] Uint4B 2767 # +0x100 WOW32Reserved : Ptr64 Void 2768 # +0x108 CurrentLocale : Uint4B 2769 # +0x10c FpSoftwareStatusRegister : Uint4B 2770 # +0x110 SystemReserved1 : [54] Ptr64 Void 2771 # +0x2c0 ExceptionCode : Int4B 2772 # +0x2c8 ActivationContextStackPointer : Ptr64 _ACTIVATION_CONTEXT_STACK 2773 # +0x2d0 SpareBytes1 : [24] UChar 2774 # +0x2e8 TxFsContext : Uint4B 2775 # +0x2f0 GdiTebBatch : _GDI_TEB_BATCH 2776 # +0x7d8 RealClientId : _CLIENT_ID 2777 # +0x7e8 GdiCachedProcessHandle : Ptr64 Void 2778 # +0x7f0 GdiClientPID : Uint4B 2779 # +0x7f4 GdiClientTID : Uint4B 2780 # +0x7f8 GdiThreadLocalInfo : Ptr64 Void 2781 # +0x800 Win32ClientInfo : [62] Uint8B 2782 # +0x9f0 glDispatchTable : [233] Ptr64 Void 2783 # +0x1138 glReserved1 : [29] Uint8B 2784 # +0x1220 glReserved2 : Ptr64 Void 2785 # +0x1228 glSectionInfo : Ptr64 Void 2786 # +0x1230 glSection : Ptr64 Void 2787 # +0x1238 glTable : Ptr64 Void 2788 # +0x1240 glCurrentRC : Ptr64 Void 2789 # +0x1248 glContext : Ptr64 Void 2790 # +0x1250 LastStatusValue : Uint4B 2791 # +0x1258 StaticUnicodeString : _UNICODE_STRING 2792 # +0x1268 StaticUnicodeBuffer : [261] Wchar 2793 # +0x1478 DeallocationStack : Ptr64 Void 2794 # +0x1480 TlsSlots : [64] Ptr64 Void 2795 # +0x1680 TlsLinks : _LIST_ENTRY 2796 # +0x1690 Vdm : Ptr64 Void 2797 # +0x1698 ReservedForNtRpc : Ptr64 Void 2798 # +0x16a0 DbgSsReserved : [2] Ptr64 Void 2799 # +0x16b0 HardErrorMode : Uint4B 2800 # +0x16b8 Instrumentation : [11] Ptr64 Void 2801 # +0x1710 
ActivityId : _GUID 2802 # +0x1720 SubProcessTag : Ptr64 Void 2803 # +0x1728 EtwLocalData : Ptr64 Void 2804 # +0x1730 EtwTraceData : Ptr64 Void 2805 # +0x1738 WinSockData : Ptr64 Void 2806 # +0x1740 GdiBatchCount : Uint4B 2807 # +0x1744 SpareBool0 : UChar 2808 # +0x1745 SpareBool1 : UChar 2809 # +0x1746 SpareBool2 : UChar 2810 # +0x1747 IdealProcessor : UChar 2811 # +0x1748 GuaranteedStackBytes : Uint4B 2812 # +0x1750 ReservedForPerf : Ptr64 Void 2813 # +0x1758 ReservedForOle : Ptr64 Void 2814 # +0x1760 WaitingOnLoaderLock : Uint4B 2815 # +0x1768 SavedPriorityState : Ptr64 Void 2816 # +0x1770 SoftPatchPtr1 : Uint8B 2817 # +0x1778 ThreadPoolData : Ptr64 Void 2818 # +0x1780 TlsExpansionSlots : Ptr64 Ptr64 Void 2819 # +0x1788 DeallocationBStore : Ptr64 Void 2820 # +0x1790 BStoreLimit : Ptr64 Void 2821 # +0x1798 ImpersonationLocale : Uint4B 2822 # +0x179c IsImpersonating : Uint4B 2823 # +0x17a0 NlsCache : Ptr64 Void 2824 # +0x17a8 pShimData : Ptr64 Void 2825 # +0x17b0 HeapVirtualAffinity : Uint4B 2826 # +0x17b8 CurrentTransactionHandle : Ptr64 Void 2827 # +0x17c0 ActiveFrame : Ptr64 _TEB_ACTIVE_FRAME 2828 # +0x17c8 FlsData : Ptr64 Void 2829 # +0x17d0 PreferredLanguages : Ptr64 Void 2830 # +0x17d8 UserPrefLanguages : Ptr64 Void 2831 # +0x17e0 MergedPrefLanguages : Ptr64 Void 2832 # +0x17e8 MuiImpersonation : Uint4B 2833 # +0x17ec CrossTebFlags : Uint2B 2834 # +0x17ec SpareCrossTebBits : Pos 0, 16 Bits 2835 # +0x17ee SameTebFlags : Uint2B 2836 # +0x17ee DbgSafeThunkCall : Pos 0, 1 Bit 2837 # +0x17ee DbgInDebugPrint : Pos 1, 1 Bit 2838 # +0x17ee DbgHasFiberData : Pos 2, 1 Bit 2839 # +0x17ee DbgSkipThreadAttach : Pos 3, 1 Bit 2840 # +0x17ee DbgWerInShipAssertCode : Pos 4, 1 Bit 2841 # +0x17ee DbgRanProcessInit : Pos 5, 1 Bit 2842 # +0x17ee DbgClonedThread : Pos 6, 1 Bit 2843 # +0x17ee DbgSuppressDebugMsg : Pos 7, 1 Bit 2844 # +0x17ee RtlDisableUserStackWalk : Pos 8, 1 Bit 2845 # +0x17ee RtlExceptionAttached : Pos 9, 1 Bit 2846 # +0x17ee SpareSameTebBits : Pos 10, 6 Bits 
2847 # +0x17f0 TxnScopeEnterCallback : Ptr64 Void 2848 # +0x17f8 TxnScopeExitCallback : Ptr64 Void 2849 # +0x1800 TxnScopeContext : Ptr64 Void 2850 # +0x1808 LockCount : Uint4B 2851 # +0x180c ProcessRundown : Uint4B 2852 # +0x1810 LastSwitchTime : Uint8B 2853 # +0x1818 TotalSwitchOutTime : Uint8B 2854 # +0x1820 WaitReasonBitMap : _LARGE_INTEGER
class _TEB_2008_64(Structure):
    """
    Thread Environment Block layout for Windows Server 2008, 64 bits.

    Template structure: its ``_fields_`` list is copied into TEB when the
    host is reported as 'Windows 2008 (64 bits)' (or 'Windows Vista
    (64 bits)', through the _TEB_Vista_64 alias). The field table follows
    the offset dump in the comment block right above this class.

    Pointers to other structures are declared as plain PVOID; the trailing
    comment on those lines names the intended pointee type. Compared with
    _TEB_2008 the array lengths differ and two extra pointer fields
    (DeallocationBStore, BStoreLimit) follow TlsExpansionSlots.
    """
    # Caps field alignment at 8 bytes; presumably mirrors the compiler's
    # default packing for the Windows headers.
    _pack_ = 8
    _fields_ = [
        ("NtTib",                           NT_TIB),
        ("EnvironmentPointer",              PVOID),
        ("ClientId",                        CLIENT_ID),
        ("ActiveRpcHandle",                 HANDLE),
        ("ThreadLocalStoragePointer",       PVOID),
        ("ProcessEnvironmentBlock",         PVOID),     # PPEB
        ("LastErrorValue",                  DWORD),
        ("CountOfOwnedCriticalSections",    DWORD),
        ("CsrClientThread",                 PVOID),
        ("Win32ThreadInfo",                 PVOID),
        ("User32Reserved",                  DWORD * 26),
        ("UserReserved",                    DWORD * 5),
        ("WOW32Reserved",                   PVOID),
        ("CurrentLocale",                   DWORD),
        ("FpSoftwareStatusRegister",        DWORD),
        ("SystemReserved1",                 PVOID * 54),
        ("ExceptionCode",                   SDWORD),
        ("ActivationContextStackPointer",   PVOID),     # PACTIVATION_CONTEXT_STACK
        ("SpareBytes1",                     UCHAR * 24),    # 36 in the 32-bit layout
        ("TxFsContext",                     DWORD),
        ("GdiTebBatch",                     GDI_TEB_BATCH),
        ("RealClientId",                    CLIENT_ID),
        ("GdiCachedProcessHandle",          HANDLE),
        ("GdiClientPID",                    DWORD),
        ("GdiClientTID",                    DWORD),
        ("GdiThreadLocalInfo",              PVOID),
        ("Win32ClientInfo",                 QWORD * 62),    # [62] Uint8B (+0x800 .. +0x9f0)
        ("glDispatchTable",                 PVOID * 233),
        ("glReserved1",                     QWORD * 29),    # [29] Uint8B
        ("glReserved2",                     PVOID),
        ("glSectionInfo",                   PVOID),
        ("glSection",                       PVOID),
        ("glTable",                         PVOID),
        ("glCurrentRC",                     PVOID),
        ("glContext",                       PVOID),
        ("LastStatusValue",                 NTSTATUS),
        ("StaticUnicodeString",             UNICODE_STRING),
        ("StaticUnicodeBuffer",             WCHAR * 261),
        ("DeallocationStack",               PVOID),
        ("TlsSlots",                        PVOID * 64),
        ("TlsLinks",                        LIST_ENTRY),
        ("Vdm",                             PVOID),
        ("ReservedForNtRpc",                PVOID),
        ("DbgSsReserved",                   PVOID * 2),
        ("HardErrorMode",                   DWORD),
        ("Instrumentation",                 PVOID * 11),    # 9 in the 32-bit layout
        ("ActivityId",                      GUID),
        ("SubProcessTag",                   PVOID),
        ("EtwLocalData",                    PVOID),
        ("EtwTraceData",                    PVOID),
        ("WinSockData",                     PVOID),
        ("GdiBatchCount",                   DWORD),
        ("SpareBool0",                      BOOLEAN),
        ("SpareBool1",                      BOOLEAN),
        ("SpareBool2",                      BOOLEAN),
        ("IdealProcessor",                  UCHAR),
        ("GuaranteedStackBytes",            DWORD),
        ("ReservedForPerf",                 PVOID),
        ("ReservedForOle",                  PVOID),
        ("WaitingOnLoaderLock",             DWORD),
        ("SavedPriorityState",              PVOID),
        ("SoftPatchPtr1",                   PVOID),
        ("ThreadPoolData",                  PVOID),
        ("TlsExpansionSlots",               PVOID),     # Ptr64 Ptr64 Void
        # 64-bit only fields; absent from _TEB_2008.
        ("DeallocationBStore",              PVOID),
        ("BStoreLimit",                     PVOID),
        ("ImpersonationLocale",             DWORD),
        ("IsImpersonating",                 BOOL),
        ("NlsCache",                        PVOID),
        ("pShimData",                       PVOID),
        ("HeapVirtualAffinity",             DWORD),
        ("CurrentTransactionHandle",        HANDLE),
        ("ActiveFrame",                     PVOID),     # PTEB_ACTIVE_FRAME
        ("FlsData",                         PVOID),
        ("PreferredLanguages",              PVOID),
        ("UserPrefLanguages",               PVOID),
        ("MergedPrefLanguages",             PVOID),
        ("MuiImpersonation",                BOOL),
        # Both flag words are bit fields in the dump; exposed here as raw WORDs.
        ("CrossTebFlags",                   WORD),
        ("SameTebFlags",                    WORD),
        ("TxnScopeEnterCallback",           PVOID),
        ("TxnScopeExitCallback",            PVOID),
        ("TxnScopeContext",                 PVOID),
        ("LockCount",                       DWORD),
        ("ProcessRundown",                  DWORD),
        ("LastSwitchTime",                  QWORD),
        ("TotalSwitchOutTime",              QWORD),
        ("WaitReasonBitMap",                LONGLONG),  # LARGE_INTEGER
    ]
2947 2948 # +0x000 NtTib : _NT_TIB 2949 # +0x01c EnvironmentPointer : Ptr32 Void 2950 # +0x020 ClientId : _CLIENT_ID 2951 # +0x028 ActiveRpcHandle : Ptr32 Void 2952 # +0x02c ThreadLocalStoragePointer : Ptr32 Void 2953 # +0x030 ProcessEnvironmentBlock : Ptr32 _PEB 2954 # +0x034 LastErrorValue : Uint4B 2955 # +0x038 CountOfOwnedCriticalSections : Uint4B 2956 # +0x03c CsrClientThread : Ptr32 Void 2957 # +0x040 Win32ThreadInfo : Ptr32 Void 2958 # +0x044 User32Reserved : [26] Uint4B 2959 # +0x0ac UserReserved : [5] Uint4B 2960 # +0x0c0 WOW32Reserved : Ptr32 Void 2961 # +0x0c4 CurrentLocale : Uint4B 2962 # +0x0c8 FpSoftwareStatusRegister : Uint4B 2963 # +0x0cc SystemReserved1 : [54] Ptr32 Void 2964 # +0x1a4 ExceptionCode : Int4B 2965 # +0x1a8 ActivationContextStackPointer : Ptr32 _ACTIVATION_CONTEXT_STACK 2966 # +0x1ac SpareBytes : [36] UChar 2967 # +0x1d0 TxFsContext : Uint4B 2968 # +0x1d4 GdiTebBatch : _GDI_TEB_BATCH 2969 # +0x6b4 RealClientId : _CLIENT_ID 2970 # +0x6bc GdiCachedProcessHandle : Ptr32 Void 2971 # +0x6c0 GdiClientPID : Uint4B 2972 # +0x6c4 GdiClientTID : Uint4B 2973 # +0x6c8 GdiThreadLocalInfo : Ptr32 Void 2974 # +0x6cc Win32ClientInfo : [62] Uint4B 2975 # +0x7c4 glDispatchTable : [233] Ptr32 Void 2976 # +0xb68 glReserved1 : [29] Uint4B 2977 # +0xbdc glReserved2 : Ptr32 Void 2978 # +0xbe0 glSectionInfo : Ptr32 Void 2979 # +0xbe4 glSection : Ptr32 Void 2980 # +0xbe8 glTable : Ptr32 Void 2981 # +0xbec glCurrentRC : Ptr32 Void 2982 # +0xbf0 glContext : Ptr32 Void 2983 # +0xbf4 LastStatusValue : Uint4B 2984 # +0xbf8 StaticUnicodeString : _UNICODE_STRING 2985 # +0xc00 StaticUnicodeBuffer : [261] Wchar 2986 # +0xe0c DeallocationStack : Ptr32 Void 2987 # +0xe10 TlsSlots : [64] Ptr32 Void 2988 # +0xf10 TlsLinks : _LIST_ENTRY 2989 # +0xf18 Vdm : Ptr32 Void 2990 # +0xf1c ReservedForNtRpc : Ptr32 Void 2991 # +0xf20 DbgSsReserved : [2] Ptr32 Void 2992 # +0xf28 HardErrorMode : Uint4B 2993 # +0xf2c Instrumentation : [9] Ptr32 Void 2994 # +0xf50 ActivityId : _GUID 2995 
# +0xf60 SubProcessTag : Ptr32 Void 2996 # +0xf64 EtwLocalData : Ptr32 Void 2997 # +0xf68 EtwTraceData : Ptr32 Void 2998 # +0xf6c WinSockData : Ptr32 Void 2999 # +0xf70 GdiBatchCount : Uint4B 3000 # +0xf74 CurrentIdealProcessor : _PROCESSOR_NUMBER 3001 # +0xf74 IdealProcessorValue : Uint4B 3002 # +0xf74 ReservedPad0 : UChar 3003 # +0xf75 ReservedPad1 : UChar 3004 # +0xf76 ReservedPad2 : UChar 3005 # +0xf77 IdealProcessor : UChar 3006 # +0xf78 GuaranteedStackBytes : Uint4B 3007 # +0xf7c ReservedForPerf : Ptr32 Void 3008 # +0xf80 ReservedForOle : Ptr32 Void 3009 # +0xf84 WaitingOnLoaderLock : Uint4B 3010 # +0xf88 SavedPriorityState : Ptr32 Void 3011 # +0xf8c SoftPatchPtr1 : Uint4B 3012 # +0xf90 ThreadPoolData : Ptr32 Void 3013 # +0xf94 TlsExpansionSlots : Ptr32 Ptr32 Void 3014 # +0xf98 MuiGeneration : Uint4B 3015 # +0xf9c IsImpersonating : Uint4B 3016 # +0xfa0 NlsCache : Ptr32 Void 3017 # +0xfa4 pShimData : Ptr32 Void 3018 # +0xfa8 HeapVirtualAffinity : Uint4B 3019 # +0xfac CurrentTransactionHandle : Ptr32 Void 3020 # +0xfb0 ActiveFrame : Ptr32 _TEB_ACTIVE_FRAME 3021 # +0xfb4 FlsData : Ptr32 Void 3022 # +0xfb8 PreferredLanguages : Ptr32 Void 3023 # +0xfbc UserPrefLanguages : Ptr32 Void 3024 # +0xfc0 MergedPrefLanguages : Ptr32 Void 3025 # +0xfc4 MuiImpersonation : Uint4B 3026 # +0xfc8 CrossTebFlags : Uint2B 3027 # +0xfc8 SpareCrossTebBits : Pos 0, 16 Bits 3028 # +0xfca SameTebFlags : Uint2B 3029 # +0xfca SafeThunkCall : Pos 0, 1 Bit 3030 # +0xfca InDebugPrint : Pos 1, 1 Bit 3031 # +0xfca HasFiberData : Pos 2, 1 Bit 3032 # +0xfca SkipThreadAttach : Pos 3, 1 Bit 3033 # +0xfca WerInShipAssertCode : Pos 4, 1 Bit 3034 # +0xfca RanProcessInit : Pos 5, 1 Bit 3035 # +0xfca ClonedThread : Pos 6, 1 Bit 3036 # +0xfca SuppressDebugMsg : Pos 7, 1 Bit 3037 # +0xfca DisableUserStackWalk : Pos 8, 1 Bit 3038 # +0xfca RtlExceptionAttached : Pos 9, 1 Bit 3039 # +0xfca InitialThread : Pos 10, 1 Bit 3040 # +0xfca SpareSameTebBits : Pos 11, 5 Bits 3041 # +0xfcc TxnScopeEnterCallback : 
Ptr32 Void 3042 # +0xfd0 TxnScopeExitCallback : Ptr32 Void 3043 # +0xfd4 TxnScopeContext : Ptr32 Void 3044 # +0xfd8 LockCount : Uint4B 3045 # +0xfdc SpareUlong0 : Uint4B 3046 # +0xfe0 ResourceRetValue : Ptr32 Void
class _TEB_2008_R2(Structure):
    """
    Thread Environment Block layout for Windows Server 2008 R2, 32 bits.

    Template structure: its ``_fields_`` list is copied into TEB when the
    host is reported as 'Windows 2008 R2' (or 'Windows 7', through the
    _TEB_W7 alias), and it is also the fallback for unlisted versions on a
    32-bit host. The field table follows the offset dump in the comment
    block right above this class.

    Pointers to other structures are declared as plain PVOID; the trailing
    comment on those lines names the intended pointee type.
    """
    # Caps field alignment at 8 bytes; presumably mirrors the compiler's
    # default packing for the Windows headers.
    _pack_ = 8
    _fields_ = [
        ("NtTib",                           NT_TIB),
        ("EnvironmentPointer",              PVOID),
        ("ClientId",                        CLIENT_ID),
        ("ActiveRpcHandle",                 HANDLE),
        ("ThreadLocalStoragePointer",       PVOID),
        ("ProcessEnvironmentBlock",         PVOID),     # PPEB
        ("LastErrorValue",                  DWORD),
        ("CountOfOwnedCriticalSections",    DWORD),
        ("CsrClientThread",                 PVOID),
        ("Win32ThreadInfo",                 PVOID),
        ("User32Reserved",                  DWORD * 26),
        ("UserReserved",                    DWORD * 5),
        ("WOW32Reserved",                   PVOID),
        ("CurrentLocale",                   DWORD),
        ("FpSoftwareStatusRegister",        DWORD),
        ("SystemReserved1",                 PVOID * 54),
        ("ExceptionCode",                   SDWORD),
        ("ActivationContextStackPointer",   PVOID),     # PACTIVATION_CONTEXT_STACK
        ("SpareBytes",                      UCHAR * 36),    # renamed from SpareBytes1 in 2008
        ("TxFsContext",                     DWORD),
        ("GdiTebBatch",                     GDI_TEB_BATCH),
        ("RealClientId",                    CLIENT_ID),
        ("GdiCachedProcessHandle",          HANDLE),
        ("GdiClientPID",                    DWORD),
        ("GdiClientTID",                    DWORD),
        ("GdiThreadLocalInfo",              PVOID),
        ("Win32ClientInfo",                 DWORD * 62),    # [62] Uint4B on 32 bits
        ("glDispatchTable",                 PVOID * 233),
        ("glReserved1",                     DWORD * 29),
        ("glReserved2",                     PVOID),
        ("glSectionInfo",                   PVOID),
        ("glSection",                       PVOID),
        ("glTable",                         PVOID),
        ("glCurrentRC",                     PVOID),
        ("glContext",                       PVOID),
        ("LastStatusValue",                 NTSTATUS),
        ("StaticUnicodeString",             UNICODE_STRING),
        ("StaticUnicodeBuffer",             WCHAR * 261),
        ("DeallocationStack",               PVOID),
        ("TlsSlots",                        PVOID * 64),
        ("TlsLinks",                        LIST_ENTRY),
        ("Vdm",                             PVOID),
        ("ReservedForNtRpc",                PVOID),
        ("DbgSsReserved",                   PVOID * 2),
        ("HardErrorMode",                   DWORD),
        ("Instrumentation",                 PVOID * 9),     # 11 in the 64-bit layout
        ("ActivityId",                      GUID),
        ("SubProcessTag",                   PVOID),
        ("EtwLocalData",                    PVOID),
        ("EtwTraceData",                    PVOID),
        ("WinSockData",                     PVOID),
        ("GdiBatchCount",                   DWORD),
        # NOTE(review): the dump above places CurrentIdealProcessor,
        # IdealProcessorValue and ReservedPad0 all at +0xf74, with
        # GuaranteedStackBytes at +0xf78 -- i.e. a 4-byte union -- but the
        # six entries below are laid out consecutively, so every field from
        # GuaranteedStackBytes onward lands at a higher offset than the dump
        # shows. TODO confirm against the live structure and model it as a
        # ctypes union.
        ("CurrentIdealProcessor",           PROCESSOR_NUMBER),
        ("IdealProcessorValue",             DWORD),
        ("ReservedPad0",                    UCHAR),
        ("ReservedPad1",                    UCHAR),
        ("ReservedPad2",                    UCHAR),
        ("IdealProcessor",                  UCHAR),
        ("GuaranteedStackBytes",            DWORD),
        ("ReservedForPerf",                 PVOID),
        ("ReservedForOle",                  PVOID),
        ("WaitingOnLoaderLock",             DWORD),
        ("SavedPriorityState",              PVOID),
        ("SoftPatchPtr1",                   PVOID),
        ("ThreadPoolData",                  PVOID),
        ("TlsExpansionSlots",               PVOID),     # Ptr32 Ptr32 Void
        ("MuiGeneration",                   DWORD),     # occupies the ImpersonationLocale slot of 2008
        ("IsImpersonating",                 BOOL),
        ("NlsCache",                        PVOID),
        ("pShimData",                       PVOID),
        ("HeapVirtualAffinity",             DWORD),
        ("CurrentTransactionHandle",        HANDLE),
        ("ActiveFrame",                     PVOID),     # PTEB_ACTIVE_FRAME
        ("FlsData",                         PVOID),
        ("PreferredLanguages",              PVOID),
        ("UserPrefLanguages",               PVOID),
        ("MergedPrefLanguages",             PVOID),
        ("MuiImpersonation",                BOOL),
        # Both flag words are bit fields in the dump; exposed here as raw WORDs.
        ("CrossTebFlags",                   WORD),
        ("SameTebFlags",                    WORD),
        ("TxnScopeEnterCallback",           PVOID),
        ("TxnScopeExitCallback",            PVOID),
        ("TxnScopeContext",                 PVOID),
        ("LockCount",                       DWORD),
        ("SpareUlong0",                     ULONG),
        ("ResourceRetValue",                PVOID),
    ]
3137 3138 # +0x000 NtTib : _NT_TIB 3139 # +0x038 EnvironmentPointer : Ptr64 Void 3140 # +0x040 ClientId : _CLIENT_ID 3141 # +0x050 ActiveRpcHandle : Ptr64 Void 3142 # +0x058 ThreadLocalStoragePointer : Ptr64 Void 3143 # +0x060 ProcessEnvironmentBlock : Ptr64 _PEB 3144 # +0x068 LastErrorValue : Uint4B 3145 # +0x06c CountOfOwnedCriticalSections : Uint4B 3146 # +0x070 CsrClientThread : Ptr64 Void 3147 # +0x078 Win32ThreadInfo : Ptr64 Void 3148 # +0x080 User32Reserved : [26] Uint4B 3149 # +0x0e8 UserReserved : [5] Uint4B 3150 # +0x100 WOW32Reserved : Ptr64 Void 3151 # +0x108 CurrentLocale : Uint4B 3152 # +0x10c FpSoftwareStatusRegister : Uint4B 3153 # +0x110 SystemReserved1 : [54] Ptr64 Void 3154 # +0x2c0 ExceptionCode : Int4B 3155 # +0x2c8 ActivationContextStackPointer : Ptr64 _ACTIVATION_CONTEXT_STACK 3156 # +0x2d0 SpareBytes : [24] UChar 3157 # +0x2e8 TxFsContext : Uint4B 3158 # +0x2f0 GdiTebBatch : _GDI_TEB_BATCH 3159 # +0x7d8 RealClientId : _CLIENT_ID 3160 # +0x7e8 GdiCachedProcessHandle : Ptr64 Void 3161 # +0x7f0 GdiClientPID : Uint4B 3162 # +0x7f4 GdiClientTID : Uint4B 3163 # +0x7f8 GdiThreadLocalInfo : Ptr64 Void 3164 # +0x800 Win32ClientInfo : [62] Uint8B 3165 # +0x9f0 glDispatchTable : [233] Ptr64 Void 3166 # +0x1138 glReserved1 : [29] Uint8B 3167 # +0x1220 glReserved2 : Ptr64 Void 3168 # +0x1228 glSectionInfo : Ptr64 Void 3169 # +0x1230 glSection : Ptr64 Void 3170 # +0x1238 glTable : Ptr64 Void 3171 # +0x1240 glCurrentRC : Ptr64 Void 3172 # +0x1248 glContext : Ptr64 Void 3173 # +0x1250 LastStatusValue : Uint4B 3174 # +0x1258 StaticUnicodeString : _UNICODE_STRING 3175 # +0x1268 StaticUnicodeBuffer : [261] Wchar 3176 # +0x1478 DeallocationStack : Ptr64 Void 3177 # +0x1480 TlsSlots : [64] Ptr64 Void 3178 # +0x1680 TlsLinks : _LIST_ENTRY 3179 # +0x1690 Vdm : Ptr64 Void 3180 # +0x1698 ReservedForNtRpc : Ptr64 Void 3181 # +0x16a0 DbgSsReserved : [2] Ptr64 Void 3182 # +0x16b0 HardErrorMode : Uint4B 3183 # +0x16b8 Instrumentation : [11] Ptr64 Void 3184 # +0x1710 
ActivityId : _GUID 3185 # +0x1720 SubProcessTag : Ptr64 Void 3186 # +0x1728 EtwLocalData : Ptr64 Void 3187 # +0x1730 EtwTraceData : Ptr64 Void 3188 # +0x1738 WinSockData : Ptr64 Void 3189 # +0x1740 GdiBatchCount : Uint4B 3190 # +0x1744 CurrentIdealProcessor : _PROCESSOR_NUMBER 3191 # +0x1744 IdealProcessorValue : Uint4B 3192 # +0x1744 ReservedPad0 : UChar 3193 # +0x1745 ReservedPad1 : UChar 3194 # +0x1746 ReservedPad2 : UChar 3195 # +0x1747 IdealProcessor : UChar 3196 # +0x1748 GuaranteedStackBytes : Uint4B 3197 # +0x1750 ReservedForPerf : Ptr64 Void 3198 # +0x1758 ReservedForOle : Ptr64 Void 3199 # +0x1760 WaitingOnLoaderLock : Uint4B 3200 # +0x1768 SavedPriorityState : Ptr64 Void 3201 # +0x1770 SoftPatchPtr1 : Uint8B 3202 # +0x1778 ThreadPoolData : Ptr64 Void 3203 # +0x1780 TlsExpansionSlots : Ptr64 Ptr64 Void 3204 # +0x1788 DeallocationBStore : Ptr64 Void 3205 # +0x1790 BStoreLimit : Ptr64 Void 3206 # +0x1798 MuiGeneration : Uint4B 3207 # +0x179c IsImpersonating : Uint4B 3208 # +0x17a0 NlsCache : Ptr64 Void 3209 # +0x17a8 pShimData : Ptr64 Void 3210 # +0x17b0 HeapVirtualAffinity : Uint4B 3211 # +0x17b8 CurrentTransactionHandle : Ptr64 Void 3212 # +0x17c0 ActiveFrame : Ptr64 _TEB_ACTIVE_FRAME 3213 # +0x17c8 FlsData : Ptr64 Void 3214 # +0x17d0 PreferredLanguages : Ptr64 Void 3215 # +0x17d8 UserPrefLanguages : Ptr64 Void 3216 # +0x17e0 MergedPrefLanguages : Ptr64 Void 3217 # +0x17e8 MuiImpersonation : Uint4B 3218 # +0x17ec CrossTebFlags : Uint2B 3219 # +0x17ec SpareCrossTebBits : Pos 0, 16 Bits 3220 # +0x17ee SameTebFlags : Uint2B 3221 # +0x17ee SafeThunkCall : Pos 0, 1 Bit 3222 # +0x17ee InDebugPrint : Pos 1, 1 Bit 3223 # +0x17ee HasFiberData : Pos 2, 1 Bit 3224 # +0x17ee SkipThreadAttach : Pos 3, 1 Bit 3225 # +0x17ee WerInShipAssertCode : Pos 4, 1 Bit 3226 # +0x17ee RanProcessInit : Pos 5, 1 Bit 3227 # +0x17ee ClonedThread : Pos 6, 1 Bit 3228 # +0x17ee SuppressDebugMsg : Pos 7, 1 Bit 3229 # +0x17ee DisableUserStackWalk : Pos 8, 1 Bit 3230 # +0x17ee 
RtlExceptionAttached : Pos 9, 1 Bit 3231 # +0x17ee InitialThread : Pos 10, 1 Bit 3232 # +0x17ee SpareSameTebBits : Pos 11, 5 Bits 3233 # +0x17f0 TxnScopeEnterCallback : Ptr64 Void 3234 # +0x17f8 TxnScopeExitCallback : Ptr64 Void 3235 # +0x1800 TxnScopeContext : Ptr64 Void 3236 # +0x1808 LockCount : Uint4B 3237 # +0x180c SpareUlong0 : Uint4B 3238 # +0x1810 ResourceRetValue : Ptr64 Void
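class _TEB_2008_R2_64(Structure):
    """
    Thread Environment Block layout for Windows Server 2008 R2, 64 bits.

    Template structure: its ``_fields_`` list is copied into TEB when the
    host is reported as 'Windows 2008 R2 (64 bits)' (or 'Windows 7
    (64 bits)', through the _TEB_W7_64 alias), and it is also the fallback
    for unlisted versions on a 64-bit host. The field table follows the
    offset dump in the comment block right above this class.

    Pointers to other structures are declared as plain PVOID; the trailing
    comment on those lines names the intended pointee type. Compared with
    _TEB_2008_R2 the array lengths differ and two extra pointer fields
    (DeallocationBStore, BStoreLimit) follow TlsExpansionSlots.
    """
    # Caps field alignment at 8 bytes; presumably mirrors the compiler's
    # default packing for the Windows headers.
    _pack_ = 8
    _fields_ = [
        ("NtTib",                           NT_TIB),
        ("EnvironmentPointer",              PVOID),
        ("ClientId",                        CLIENT_ID),
        ("ActiveRpcHandle",                 HANDLE),
        ("ThreadLocalStoragePointer",       PVOID),
        ("ProcessEnvironmentBlock",         PVOID),     # PPEB
        ("LastErrorValue",                  DWORD),
        ("CountOfOwnedCriticalSections",    DWORD),
        ("CsrClientThread",                 PVOID),
        ("Win32ThreadInfo",                 PVOID),
        ("User32Reserved",                  DWORD * 26),
        ("UserReserved",                    DWORD * 5),
        ("WOW32Reserved",                   PVOID),
        ("CurrentLocale",                   DWORD),
        ("FpSoftwareStatusRegister",        DWORD),
        ("SystemReserved1",                 PVOID * 54),
        ("ExceptionCode",                   SDWORD),
        ("ActivationContextStackPointer",   PVOID),     # PACTIVATION_CONTEXT_STACK
        ("SpareBytes",                      UCHAR * 24),    # 36 in the 32-bit layout
        ("TxFsContext",                     DWORD),
        ("GdiTebBatch",                     GDI_TEB_BATCH),
        ("RealClientId",                    CLIENT_ID),
        ("GdiCachedProcessHandle",          HANDLE),
        ("GdiClientPID",                    DWORD),
        ("GdiClientTID",                    DWORD),
        ("GdiThreadLocalInfo",              PVOID),
        # [62] Uint8B at +0x800, with glDispatchTable at +0x9f0 (0x1f0 = 62 * 8
        # bytes later), exactly as in _TEB_2008_64. This used to be
        # DWORD * 62, which made the array 248 bytes short and shifted every
        # field after it to the wrong offset.
        ("Win32ClientInfo",                 QWORD * 62),
        ("glDispatchTable",                 PVOID * 233),
        ("glReserved1",                     QWORD * 29),    # [29] Uint8B
        ("glReserved2",                     PVOID),
        ("glSectionInfo",                   PVOID),
        ("glSection",                       PVOID),
        ("glTable",                         PVOID),
        ("glCurrentRC",                     PVOID),
        ("glContext",                       PVOID),
        ("LastStatusValue",                 NTSTATUS),
        ("StaticUnicodeString",             UNICODE_STRING),
        ("StaticUnicodeBuffer",             WCHAR * 261),
        ("DeallocationStack",               PVOID),
        ("TlsSlots",                        PVOID * 64),
        ("TlsLinks",                        LIST_ENTRY),
        ("Vdm",                             PVOID),
        ("ReservedForNtRpc",                PVOID),
        ("DbgSsReserved",                   PVOID * 2),
        ("HardErrorMode",                   DWORD),
        ("Instrumentation",                 PVOID * 11),    # 9 in the 32-bit layout
        ("ActivityId",                      GUID),
        ("SubProcessTag",                   PVOID),
        ("EtwLocalData",                    PVOID),
        ("EtwTraceData",                    PVOID),
        ("WinSockData",                     PVOID),
        ("GdiBatchCount",                   DWORD),
        # NOTE(review): the dump above places CurrentIdealProcessor,
        # IdealProcessorValue and ReservedPad0 all at +0x1744, with
        # GuaranteedStackBytes at +0x1748 -- i.e. a 4-byte union -- but the
        # six entries below are laid out consecutively, so every field from
        # GuaranteedStackBytes onward lands at a higher offset than the dump
        # shows. TODO confirm against the live structure and model it as a
        # ctypes union (same issue in _TEB_2008_R2).
        ("CurrentIdealProcessor",           PROCESSOR_NUMBER),
        ("IdealProcessorValue",             DWORD),
        ("ReservedPad0",                    UCHAR),
        ("ReservedPad1",                    UCHAR),
        ("ReservedPad2",                    UCHAR),
        ("IdealProcessor",                  UCHAR),
        ("GuaranteedStackBytes",            DWORD),
        ("ReservedForPerf",                 PVOID),
        ("ReservedForOle",                  PVOID),
        ("WaitingOnLoaderLock",             DWORD),
        ("SavedPriorityState",              PVOID),
        ("SoftPatchPtr1",                   PVOID),
        ("ThreadPoolData",                  PVOID),
        ("TlsExpansionSlots",               PVOID),     # Ptr64 Ptr64 Void
        # 64-bit only fields; absent from _TEB_2008_R2.
        ("DeallocationBStore",              PVOID),
        ("BStoreLimit",                     PVOID),
        ("MuiGeneration",                   DWORD),     # occupies the ImpersonationLocale slot of 2008
        ("IsImpersonating",                 BOOL),
        ("NlsCache",                        PVOID),
        ("pShimData",                       PVOID),
        ("HeapVirtualAffinity",             DWORD),
        ("CurrentTransactionHandle",        HANDLE),
        ("ActiveFrame",                     PVOID),     # PTEB_ACTIVE_FRAME
        ("FlsData",                         PVOID),
        ("PreferredLanguages",              PVOID),
        ("UserPrefLanguages",               PVOID),
        ("MergedPrefLanguages",             PVOID),
        ("MuiImpersonation",                BOOL),
        # Both flag words are bit fields in the dump; exposed here as raw WORDs.
        ("CrossTebFlags",                   WORD),
        ("SameTebFlags",                    WORD),
        ("TxnScopeEnterCallback",           PVOID),
        ("TxnScopeExitCallback",            PVOID),
        ("TxnScopeContext",                 PVOID),
        ("LockCount",                       DWORD),
        ("SpareUlong0",                     ULONG),
        ("ResourceRetValue",                PVOID),
    ]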
# Vista shares the Server 2008 layouts and Windows 7 shares the 2008 R2 ones.
_TEB_Vista, _TEB_Vista_64 = _TEB_2008,    _TEB_2008_64
_TEB_W7,    _TEB_W7_64    = _TEB_2008_R2, _TEB_2008_R2_64

# Pick the TEB structure definition matching the host OS.
# Falls back to the latest Windows version known here.
class TEB(Structure):
    """
    Thread Environment Block, resolved at import time to the layout of the
    host Windows version.

    The ``_fields_`` list is copied from one of the per-version ``_TEB_*``
    templates above, keyed on the ``os`` string. A version that is not in
    the table falls through to the Windows 7 tables (32 or 64 bits, chosen
    by the host's SIZE_T width), so on releases newer than those listed the
    offsets may not match the real structure.
    """
    _pack_ = 8

    # os string -> template structure whose field table is used.
    _layouts = {
        'Windows NT':                   _TEB_NT,
        'Windows 2000':                 _TEB_2000,
        'Windows XP':                   _TEB_XP,
        'Windows XP (64 bits)':         _TEB_XP_64,
        'Windows 2003':                 _TEB_2003,
        'Windows 2003 (64 bits)':       _TEB_2003_64,
        'Windows 2008':                 _TEB_2008,
        'Windows 2008 (64 bits)':       _TEB_2008_64,
        'Windows 2003 R2':              _TEB_2003_R2,
        'Windows 2003 R2 (64 bits)':    _TEB_2003_R2_64,
        'Windows 2008 R2':              _TEB_2008_R2,
        'Windows 2008 R2 (64 bits)':    _TEB_2008_R2_64,
        'Windows Vista':                _TEB_Vista,
        'Windows Vista (64 bits)':      _TEB_Vista_64,
        'Windows 7':                    _TEB_W7,
        'Windows 7 (64 bits)':          _TEB_W7_64,
    }

    _layout = _layouts.get(os)
    if _layout is None:
        # Unlisted (presumably newer) version: assume the Windows 7 layout,
        # selecting the 32 or 64 bit variant from the host pointer width.
        if sizeof(SIZE_T) == sizeof(DWORD):
            _layout = _TEB_W7
        else:
            _layout = _TEB_W7_64

    # Only the NT and 2000 templates contribute their own packing; every
    # other version keeps the default of 8 set above.
    if os in ('Windows NT', 'Windows 2000'):
        _pack_ = _layout._pack_
    _fields_ = _layout._fields_

    # Drop the helpers so they do not linger as class attributes.
    del _layouts, _layout
# Pointer type to the host-specific TEB structure selected above.
PTEB = POINTER(TEB)