From 9425bc91fb9970d5d1dbf77217293db8ba4ab931 Mon Sep 17 00:00:00 2001 From: vxunderground <57078196+vxunderground@users.noreply.github.com> Date: Fri, 9 Jul 2021 11:39:57 -0500 Subject: [PATCH] Update GetRtlUserProcessParameters.c --- .../GetRtlUserProcessParameters.c | 362 +----------------- 1 file changed, 2 insertions(+), 360 deletions(-) diff --git a/Library Management/GetRtlUserProcessParameters.c b/Library Management/GetRtlUserProcessParameters.c index a045cdc..c01e045 100644 --- a/Library Management/GetRtlUserProcessParameters.c +++ b/Library Management/GetRtlUserProcessParameters.c 
@@ -1,362 +1,4 @@
-#include 
-
-
-typedef struct _LSA_UNICODE_STRING {
- USHORT Length;
- USHORT MaximumLength;
- PWSTR Buffer;
-} LSA_UNICODE_STRING, * PLSA_UNICODE_STRING, UNICODE_STRING, * PUNICODE_STRING;
-
-typedef struct _STRING {
- USHORT Length;
- USHORT MaximumLength;
- PCHAR Buffer;
-} ANSI_STRING, * PANSI_STRING;
-
-typedef struct _RTL_DRIVE_LETTER_CURDIR {
- WORD Flags;
- WORD Length;
- ULONG TimeStamp;
- ANSI_STRING DosPath;
-} RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR;
-
-typedef struct _CURDIR {
- UNICODE_STRING DosPath;
- PVOID Handle;
-}CURDIR, * PCURDIR;
-
-typedef struct _RTL_USER_PROCESS_PARAMETERS {
- ULONG MaximumLength;
- ULONG Length;
- ULONG Flags;
- ULONG DebugFlags;
- PVOID ConsoleHandle;
- ULONG ConsoleFlags;
- PVOID StandardInput;
- PVOID StandardOutput;
- PVOID StandardError;
- CURDIR CurrentDirectory;
- UNICODE_STRING DllPath;
- UNICODE_STRING ImagePathName;
- UNICODE_STRING CommandLine;
- PVOID Environment;
- ULONG StartingX;
- ULONG StartingY;
- ULONG CountX;
- ULONG CountY;
- ULONG CountCharsX;
- ULONG CountCharsY;
- ULONG FillAttribute;
- ULONG WindowFlags;
- ULONG ShowWindowFlags;
- UNICODE_STRING WindowTitle;
- UNICODE_STRING DesktopInfo;
- UNICODE_STRING ShellInfo;
- UNICODE_STRING RuntimeData;
- RTL_DRIVE_LETTER_CURDIR CurrentDirectores[32];
- ULONG EnvironmentSize;
-}RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS;
-
-
-typedef struct _LDR_MODULE {
- LIST_ENTRY InLoadOrderModuleList;
- LIST_ENTRY InMemoryOrderModuleList;
- LIST_ENTRY InInitializationOrderModuleList;
- PVOID BaseAddress;
- PVOID EntryPoint;
- ULONG SizeOfImage;
- UNICODE_STRING FullDllName;
- UNICODE_STRING BaseDllName;
- ULONG Flags;
- SHORT LoadCount;
- SHORT TlsIndex;
- LIST_ENTRY HashTableEntry;
- ULONG TimeDateStamp;
-} LDR_MODULE, * PLDR_MODULE;
-
-typedef struct _PEB_LDR_DATA {
- ULONG Length;
- ULONG Initialized;
- PVOID SsHandle;
- LIST_ENTRY InLoadOrderModuleList;
- LIST_ENTRY InMemoryOrderModuleList;
- LIST_ENTRY InInitializationOrderModuleList;
-} PEB_LDR_DATA, * PPEB_LDR_DATA;
-
-typedef struct _PEB {
- BOOLEAN InheritedAddressSpace;
- BOOLEAN ReadImageFileExecOptions;
- BOOLEAN BeingDebugged;
- BOOLEAN Spare;
- HANDLE Mutant;
- PVOID ImageBase;
- PPEB_LDR_DATA LoaderData;
- PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
- PVOID SubSystemData;
- PVOID ProcessHeap;
- PVOID FastPebLock;
- PVOID FastPebLockRoutine;
- PVOID FastPebUnlockRoutine;
- ULONG EnvironmentUpdateCount;
- PVOID* KernelCallbackTable;
- PVOID EventLogSection;
- PVOID EventLog;
- PVOID FreeList;
- ULONG TlsExpansionCounter;
- PVOID TlsBitmap;
- ULONG TlsBitmapBits[0x2];
- PVOID ReadOnlySharedMemoryBase;
- PVOID ReadOnlySharedMemoryHeap;
- PVOID* ReadOnlyStaticServerData;
- PVOID AnsiCodePageData;
- PVOID OemCodePageData;
- PVOID UnicodeCaseTableData;
- ULONG NumberOfProcessors;
- ULONG NtGlobalFlag;
- BYTE Spare2[0x4];
- LARGE_INTEGER CriticalSectionTimeout;
- ULONG HeapSegmentReserve;
- ULONG HeapSegmentCommit;
- ULONG HeapDeCommitTotalFreeThreshold;
- ULONG HeapDeCommitFreeBlockThreshold;
- ULONG NumberOfHeaps;
- ULONG MaximumNumberOfHeaps;
- PVOID** ProcessHeaps;
- PVOID GdiSharedHandleTable;
- PVOID ProcessStarterHelper;
- PVOID GdiDCAttributeList;
- PVOID LoaderLock;
- ULONG OSMajorVersion;
- ULONG OSMinorVersion;
- ULONG OSBuildNumber;
- ULONG OSPlatformId;
- ULONG ImageSubSystem;
- ULONG ImageSubSystemMajorVersion;
- ULONG ImageSubSystemMinorVersion;
- ULONG GdiHandleBuffer[0x22];
- ULONG PostProcessInitRoutine;
- ULONG TlsExpansionBitmap;
- BYTE TlsExpansionBitmapBits[0x80];
- ULONG SessionId;
-} PEB, * PPEB;
-
-typedef struct __CLIENT_ID {
- HANDLE UniqueProcess;
- HANDLE UniqueThread;
-}CLIENT_ID, * PCLIENT_ID;
-
-typedef PVOID PACTIVATION_CONTEXT;
-
-typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME {
- struct __RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous;
- PACTIVATION_CONTEXT ActivationContext;
- ULONG Flags;
-} RTL_ACTIVATION_CONTEXT_STACK_FRAME, * PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
-
-typedef struct _ACTIVATION_CONTEXT_STACK {
- PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame;
- LIST_ENTRY FrameListCache;
- ULONG Flags;
- ULONG NextCookieSequenceNumber;
- ULONG StackId;
-} ACTIVATION_CONTEXT_STACK, * PACTIVATION_CONTEXT_STACK;
-
-typedef struct _GDI_TEB_BATCH {
- ULONG Offset;
- ULONG HDC;
- ULONG Buffer[310];
-} GDI_TEB_BATCH, * PGDI_TEB_BATCH;
-
-typedef struct _TEB_ACTIVE_FRAME_CONTEXT {
- ULONG Flags;
- PCHAR FrameName;
-} TEB_ACTIVE_FRAME_CONTEXT, * PTEB_ACTIVE_FRAME_CONTEXT;
-
-typedef struct _TEB_ACTIVE_FRAME {
- ULONG Flags;
- struct _TEB_ACTIVE_FRAME* Previous;
- PTEB_ACTIVE_FRAME_CONTEXT Context;
-} TEB_ACTIVE_FRAME, * PTEB_ACTIVE_FRAME;
-
-typedef struct _TEB
+PRTL_USER_PROCESS_PARAMETERS GetRtlUserProcessParameters(VOID)
 {
- NT_TIB NtTib;
- PVOID EnvironmentPointer;
- CLIENT_ID ClientId;
- PVOID ActiveRpcHandle;
- PVOID ThreadLocalStoragePointer;
- PPEB ProcessEnvironmentBlock;
- ULONG LastErrorValue;
- ULONG CountOfOwnedCriticalSections;
- PVOID CsrClientThread;
- PVOID Win32ThreadInfo;
- ULONG User32Reserved[26];
- ULONG UserReserved[5];
- PVOID WOW32Reserved;
- LCID CurrentLocale;
- ULONG FpSoftwareStatusRegister;
- PVOID SystemReserved1[54];
- LONG ExceptionCode;
-#if (NTDDI_VERSION >= NTDDI_LONGHORN)
- PACTIVATION_CONTEXT_STACK* ActivationContextStackPointer;
- UCHAR SpareBytes1[0x30 - 3 * sizeof(PVOID)];
- ULONG TxFsContext;
-#elif (NTDDI_VERSION >= NTDDI_WS03)
- PACTIVATION_CONTEXT_STACK ActivationContextStackPointer;
- UCHAR SpareBytes1[0x34 - 3 * sizeof(PVOID)];
-#else
- ACTIVATION_CONTEXT_STACK ActivationContextStack;
- UCHAR SpareBytes1[24];
-#endif
- GDI_TEB_BATCH GdiTebBatch;
- CLIENT_ID RealClientId;
- PVOID GdiCachedProcessHandle;
- ULONG GdiClientPID;
- ULONG GdiClientTID;
- PVOID GdiThreadLocalInfo;
- PSIZE_T Win32ClientInfo[62];
- PVOID glDispatchTable[233];
- PSIZE_T glReserved1[29];
- PVOID glReserved2;
- PVOID glSectionInfo;
- PVOID glSection;
- PVOID glTable;
- PVOID glCurrentRC;
- PVOID glContext;
- NTSTATUS LastStatusValue;
- UNICODE_STRING StaticUnicodeString;
- WCHAR StaticUnicodeBuffer[261];
- PVOID DeallocationStack;
- PVOID TlsSlots[64];
- LIST_ENTRY TlsLinks;
- PVOID Vdm;
- PVOID ReservedForNtRpc;
- PVOID DbgSsReserved[2];
-#if (NTDDI_VERSION >= NTDDI_WS03)
- ULONG HardErrorMode;
-#else
- ULONG HardErrorsAreDisabled;
-#endif
-#if (NTDDI_VERSION >= NTDDI_LONGHORN)
- PVOID Instrumentation[13 - sizeof(GUID) / sizeof(PVOID)];
- GUID ActivityId;
- PVOID SubProcessTag;
- PVOID EtwLocalData;
- PVOID EtwTraceData;
-#elif (NTDDI_VERSION >= NTDDI_WS03)
- PVOID Instrumentation[14];
- PVOID SubProcessTag;
- PVOID EtwLocalData;
-#else
- PVOID Instrumentation[16];
-#endif
- PVOID WinSockData;
- ULONG GdiBatchCount;
-#if (NTDDI_VERSION >= NTDDI_LONGHORN)
- BOOLEAN SpareBool0;
- BOOLEAN SpareBool1;
- BOOLEAN SpareBool2;
-#else
- BOOLEAN InDbgPrint;
- BOOLEAN FreeStackOnTermination;
- BOOLEAN HasFiberData;
-#endif
- UCHAR IdealProcessor;
-#if (NTDDI_VERSION >= NTDDI_WS03)
- ULONG GuaranteedStackBytes;
-#else
- ULONG Spare3;
-#endif
- PVOID ReservedForPerf;
- PVOID ReservedForOle;
- ULONG WaitingOnLoaderLock;
-#if (NTDDI_VERSION >= NTDDI_LONGHORN)
- PVOID SavedPriorityState;
- ULONG_PTR SoftPatchPtr1;
- ULONG_PTR ThreadPoolData;
-#elif (NTDDI_VERSION >= NTDDI_WS03)
- ULONG_PTR SparePointer1;
- ULONG_PTR SoftPatchPtr1;
- ULONG_PTR SoftPatchPtr2;
-#else
- Wx86ThreadState Wx86Thread;
-#endif
- PVOID* TlsExpansionSlots;
-#if defined(_WIN64) && !defined(EXPLICIT_32BIT)
- PVOID DeallocationBStore;
- PVOID BStoreLimit;
-#endif
- ULONG ImpersonationLocale;
- ULONG IsImpersonating;
- PVOID NlsCache;
- PVOID pShimData;
- ULONG HeapVirtualAffinity;
- HANDLE CurrentTransactionHandle;
- PTEB_ACTIVE_FRAME ActiveFrame;
-#if (NTDDI_VERSION >= NTDDI_WS03)
- PVOID FlsData;
-#endif
-#if (NTDDI_VERSION >= NTDDI_LONGHORN)
- PVOID PreferredLangauges;
- PVOID UserPrefLanguages;
- PVOID MergedPrefLanguages;
- ULONG MuiImpersonation;
- union
- {
- struct
- {
- USHORT SpareCrossTebFlags : 16;
- };
- USHORT CrossTebFlags;
- };
- union
- {
- struct
- {
- USHORT DbgSafeThunkCall : 1;
- USHORT DbgInDebugPrint : 1;
- USHORT DbgHasFiberData : 1;
- USHORT DbgSkipThreadAttach : 1;
- USHORT DbgWerInShipAssertCode : 1;
- USHORT DbgIssuedInitialBp : 1;
- USHORT DbgClonedThread : 1;
- USHORT SpareSameTebBits : 9;
- };
- USHORT SameTebFlags;
- };
- PVOID TxnScopeEntercallback;
- PVOID TxnScopeExitCAllback;
- PVOID TxnScopeContext;
- ULONG LockCount;
- ULONG ProcessRundown;
- ULONG64 LastSwitchTime;
- ULONG64 TotalSwitchOutTime;
- LARGE_INTEGER WaitReasonBitMap;
-#else
- BOOLEAN SafeThunkCall;
- BOOLEAN BooleanSpare[3];
-#endif
-} TEB, * PTEB;
-
-
-PPEB GetPeb(VOID)
-{
-#if defined(_WIN64)
- return (PPEB)__readgsqword(0x60);
-#elif define(_WIN32)
- return (PPEB)__readfsdword(0x30);
-#endif
+ return GetPeb()->ProcessParameters;
 }
-
-
-INT main(VOID)
-{
- PPEB Peb;
- PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
-
- Peb = (PPEB)GetPeb();
- ProcessParameters = Peb->ProcessParameters;
-
- return ERROR_SUCCESS;
-}
-
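Review bot: The new `GetRtlUserProcessParameters` calls `GetPeb()` and returns a `PRTL_USER_PROCESS_PARAMETERS`, but the hunk header (`-1,362 +1,4`) shows the file now consists of only these four lines, so after the `#include` line, the `GetPeb` definition and every typedef are removed nothing in the translation unit declares either name and it cannot compile on its own. Presumably the `PEB`/`RTL_USER_PROCESS_PARAMETERS` definitions and `GetPeb` now live in a shared header elsewhere in the repository; if so, the file should state that dependency explicitly with `#include "<shared PEB/NTDLL definitions header>"` at the top rather than relying on include order in whichever file pulls this one in. The function also deserves a one-line header comment, e.g. `// Returns the current process's PEB->ProcessParameters pointer (not a copy); it aliases process-owned memory, so callers must not free or retain it past the process's lifetime.` The whole function is inside this hunk (its `{` and `}` are the two context lines).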