From 1c498aa0e97c8d61d46e9fbdcb6355e3680a9245 Mon Sep 17 00:00:00 2001 From: hakril Date: Thu, 16 Jan 2025 00:05:33 +0100 Subject: [PATCH 01/70] Trying to setup simple ARM64 CI --- .github/workflows/tests.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 01d07a21..979683e1 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -23,6 +23,8 @@ jobs: - name: Check generated code can execute run: py -c "import windows.generated_def" tests: + # Not a real dependency : but starting tests when ctypes generation is broken is not useful + if: false # Disable during ARM64 CI tests strategy: fail-fast: false matrix: @@ -94,3 +96,14 @@ jobs: secondary_rate_limit_wait_seconds: 90 seconds_between_github_writes: 10 seconds_between_github_reads: 1 + + tests_arm64: + needs: generate_ctypes + timeout-minutes: 15 + runs-on: windows-ARM64 + + steps: + - uses: actions/checkout@v4 + + - name: Listing python versions availables + run: py -0 From 57076b84dd8a12bce68e77acf0d3a54b129ab082 Mon Sep 17 00:00:00 2001 From: hakril Date: Thu, 16 Jan 2025 19:32:37 +0100 Subject: [PATCH 02/70] [CI] Playing/Testing CI on Windows-ARM64 --- .github/workflows/tests.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 979683e1..954644b3 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml 
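Review bot: The comment added above `if: false` in the `tests:` job refers to a dependency that is not in this hunk — no `needs:` line appears in the context, so a reader cannot tell what "Not a real dependency" is about. If the sentence belongs to a `needs: generate_ctypes` line that lives outside the hunk, keep the two adjacent; otherwise reword it to say what the line below actually does, e.g. `# Temporarily disabled while the ARM64 job is being set up; re-enable before merge`. `if: false` switches off the whole existing x86/x64 matrix, so the temporary nature should be visible on the line itself rather than only in the commit message.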
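Review bot: `runs-on: windows-ARM64` on the new `tests_arm64` job does not match any GitHub-hosted runner label I know of, so it is presumably a self-hosted runner; if the workflow's `on:` block (outside this hunk) includes `pull_request`, that job would execute code from any contributor's branch with whatever access the machine has. Confirm the trigger is restricted (push only, or a label/approval gate) or that the runner is ephemeral, and record the decision next to the label, e.g. `# self-hosted ARM64 runner: keep this job off fork pull requests`. The step name `Listing python versions availables` should read `Listing available python versions`.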
@@ -102,8 +102,31 @@ jobs: timeout-minutes: 15 runs-on: windows-ARM64 + strategy: + fail-fast: false + matrix: + python-version: 3.11 + python-architecture: [x86, x64, arm64] + include: + # Translate architecture to bitness for py.exe commandline + - python-bitness-to-test: 32 + python-architecture: x86 + - python-bitness-to-test: 64 + python-architecture: x64 + - python-bitness-to-test: arm64 + python-architecture: arm64 + steps: - uses: actions/checkout@v4 - name: Listing python versions availables run: py -0 + + - name: Installing pytest + run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -m pip install pytest + + - name: Printing version + run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -VV + + - name: Testing PFW execute + run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -c "import windows; print(windows)" From 533cddae9727d078c1f7eb40786f662cf8696f03 Mon Sep 17 00:00:00 2001 From: hakril Date: Thu, 16 Jan 2025 19:34:10 +0100 Subject: [PATCH 03/70] [CI] Playing/Testing CI on Windows-ARM64 (Fix yml) --- .github/workflows/tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 954644b3..1af550af 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -105,7 +105,7 @@ jobs: strategy: fail-fast: false matrix: - python-version: 3.11 + python-version: '3.11' python-architecture: [x86, x64, arm64] include: # Translate architecture to bitness for py.exe commandline From fd00e97d8014c727898b5725139a676950719e84 Mon Sep 17 00:00:00 2001 From: hakril Date: Thu, 16 Jan 2025 19:34:58 +0100 Subject: [PATCH 04/70] [CI] Playing/Testing CI on Windows-ARM64 (Fix yml2) --- .github/workflows/tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 1af550af..90ae2801 100644 --- a/.github/workflows/tests.yml 
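Review bot: The `include:` entries map `python-architecture: arm64` to `python-bitness-to-test: arm64`, so the key name no longer describes its value — it is the suffix passed to `py -<version>-<suffix>`, not a bitness. A name such as `py-launcher-suffix` would make the three `run:` lines self-explanatory, and the expressions `${{ matrix.python-version}}` would read better with the conventional closing space, `${{ matrix.python-version }}`. The comment `# Translate architecture to bitness for py.exe commandline` would then need the same wording fix.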
+++ b/.github/workflows/tests.yml @@ -105,7 +105,7 @@ jobs: strategy: fail-fast: false matrix: - python-version: '3.11' + python-version: [3.11] python-architecture: [x86, x64, arm64] include: # Translate architecture to bitness for py.exe commandline From 458774f1ac83c0491acf01191419be272fd739a3 Mon Sep 17 00:00:00 2001 From: hakril Date: Thu, 16 Jan 2025 21:34:01 +0100 Subject: [PATCH 05/70] [CI] more arm64 tests --- .github/workflows/tests.yml | 3 --- tests/test_syswow.py | 11 +++++++++++ 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 90ae2801..ca33e0b6 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -122,9 +122,6 @@ jobs: - name: Listing python versions availables run: py -0 - - name: Installing pytest - run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -m pip install pytest - - name: Printing version run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -VV diff --git a/tests/test_syswow.py b/tests/test_syswow.py index 7f87961b..f679c8cc 100644 --- a/tests/test_syswow.py +++ b/tests/test_syswow.py @@ -11,6 +11,17 @@ pytestmark = pytest.mark.usefixtures('check_for_gc_garbage') +def test_print_syswow_state(): + import platform + print("") + env = windows.system.environ + print(f"{platform.machine()=}") + print(f"{platform.architecture()=}") + print(f"{windows.system.bitness=}") + print(f"{windows.current_process.bitness=}") + print(f"{windows.current_process.is_wow_64=}") + print(f"{env['PROCESSOR_ARCHITECTURE']=}") + print(f"{env.get('PROCESSOR_ARCHITEW6432')=}") @process_syswow_only class TestSyswowCurrentProcess(object): From b22c5d60553b9e89d383811997e17eff7d444ea5 Mon Sep 17 00:00:00 2001 From: hakril Date: Thu, 16 Jan 2025 21:56:45 +0100 Subject: [PATCH 06/70] [CI] more arm fun --- .github/workflows/tests.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
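Review bot: `python-version: [3.11]` puts an unquoted float in the matrix; it round-trips to the string `3.11` only because the value has no trailing zero, and the same pattern with `3.10` would become `3.1` and break every `py -${{ matrix.python-version}}-…` invocation. Quote the entry, `python-version: ['3.11']`, which combines the string form the previous commit tried with the list form the matrix needs.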
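Review bot: `test_print_syswow_state` asserts nothing — it only prints platform facts under `-s`, so it passes on any machine and a regression in `windows.current_process.bitness` or `is_wow_64` would never fail it. Either give it a docstring stating that it is a diagnostic dump for the ARM64 CI exploration, or add one relation the printed values are expected to satisfy, e.g. `assert windows.current_process.is_wow_64 == (windows.current_process.bitness != windows.system.bitness)` — hedged, since how the ARM64 emulation layers report through IsWow64Process is exactly what this series is investigating. The later hunk in this series that prints `get_system_info(native=False)` and `get_system_info(native=True)` has the same shape. The function-local `import platform` is unusual; the module's import block is outside the hunk.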
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index ca33e0b6..b1381345 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -116,6 +116,9 @@ jobs: - python-bitness-to-test: arm64 python-architecture: arm64 + env: + pyver_str: -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} + steps: - uses: actions/checkout@v4 @@ -123,7 +126,10 @@ jobs: run: py -0 - name: Printing version - run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -VV + run: py ${{pyver_str}} -VV - name: Testing PFW execute run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -c "import windows; print(windows)" + + - name: Testing PFW execute + run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -m pytest tests -k test_print_syswow_state -v -x -s From 6eb31e9205ed4b6fc4dc48dde7a2041296bda1a4 Mon Sep 17 00:00:00 2001 From: hakril Date: Thu, 16 Jan 2025 22:00:07 +0100 Subject: [PATCH 07/70] [CI] more arm fun --- .github/workflows/tests.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index b1381345..594ad961 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -116,18 +116,12 @@ jobs: - python-bitness-to-test: arm64 python-architecture: arm64 - env: - pyver_str: -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} - steps: - uses: actions/checkout@v4 - name: Listing python versions availables run: py -0 - - name: Printing version - run: py ${{pyver_str}} -VV - - name: Testing PFW execute run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -c "import windows; print(windows)" From e37f87c35c726c5eafac84f5109ef43173e0301e Mon Sep 17 00:00:00 2001 From: hakril Date: Thu, 16 Jan 2025 22:04:06 +0100 Subject: [PATCH 08/70] Adapt test_syswow.py for arm exploration --- tests/test_syswow.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
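Review bot: Two steps in `tests_arm64` now carry the same name `Testing PFW execute`, so the job log and failure annotations cannot distinguish the import smoke test from the pytest run; rename the new one, e.g. `- name: Running syswow state test`. The new step invokes `-m pytest`, but the step that installed pytest into the selected interpreter was removed in the previous commit of this series, so unless the runner's Python installs already ship pytest this step fails with a missing-module error — re-add `run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -m pip install pytest` (pinned to a version) ahead of it.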
diff --git a/tests/test_syswow.py b/tests/test_syswow.py index f679c8cc..c19c809b 100644 --- a/tests/test_syswow.py +++ b/tests/test_syswow.py @@ -8,8 +8,7 @@ from .pfwtest import * -pytestmark = pytest.mark.usefixtures('check_for_gc_garbage') - +# pytestmark = pytest.mark.usefixtures('check_for_gc_garbage') def test_print_syswow_state(): import platform From 1a9b680fbafa927ecf1a9685faf63692f1be2ec5 Mon Sep 17 00:00:00 2001 From: hakril Date: Thu, 16 Jan 2025 22:18:05 +0100 Subject: [PATCH 09/70] Added some wow64 definition + created functions/syswow64.txt --- .../definitions/functions/syswow64.txt | 83 +++++++++++++ .../definitions/functions/winfunc.txt | 36 +----- windows/generated_def/meta.py | 9 ++ windows/generated_def/winfuncs.py | 115 ++++++++++++------ windows/winproxy/apis/kernel32.py | 35 ++++++ 5 files changed, 208 insertions(+), 70 deletions(-) create mode 100644 ctypes_generation/definitions/functions/syswow64.txt diff --git a/ctypes_generation/definitions/functions/syswow64.txt b/ctypes_generation/definitions/functions/syswow64.txt new file mode 100644 index 00000000..3663990f --- /dev/null +++ b/ctypes_generation/definitions/functions/syswow64.txt 
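Review bot: Commenting out `pytestmark = pytest.mark.usefixtures('check_for_gc_garbage')` drops the GC-garbage check for every test in `test_syswow.py`, not only for the new diagnostic test, and the commented-out line gives no indication of why or when to restore it. If the fixture misbehaves on ARM64, prefer keeping the mark and excluding the single test, or leave a dated note on the line, e.g. `# TODO(arm64): check_for_gc_garbage disabled while investigating ARM64 CI; re-enable once stable`.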
@@ -0,0 +1,83 @@
+BOOL IsWow64Process(
+ [in] HANDLE hProcess,
+ [out] PBOOL Wow64Process
+);
+
+BOOL IsWow64Process2(
+ [in] HANDLE hProcess,
+ [out] USHORT *pProcessMachine,
+ [out, optional] USHORT *pNativeMachine
+);
+
+HRESULT IsWow64GuestMachineSupported(
+ [in] USHORT WowGuestMachine,
+ [out] BOOL *MachineIsSupported
+);
+
+UINT GetSystemWow64DirectoryA(
+ [out] LPSTR lpBuffer,
+ [in] UINT uSize
+);
+
+UINT GetSystemWow64DirectoryW(
+ [out] LPWSTR lpBuffer,
+ [in] UINT uSize
+);
+
+UINT GetSystemWow64Directory2A(
+ [out] LPSTR lpBuffer,
+ [in] UINT uSize,
+ [in] WORD ImageFileMachineType
+);
+
+UINT GetSystemWow64Directory2W(
+ [out] LPWSTR lpBuffer,
+ [in] UINT uSize,
+ [in] WORD ImageFileMachineType
+);
+
+BOOL Wow64DisableWow64FsRedirection(
+ [out] PVOID *OldValue
+);
+
+BOOLEAN Wow64EnableWow64FsRedirection(
+ BOOLEAN Wow64FsEnableRedirection
+);
+
+BOOL Wow64RevertWow64FsRedirection(
+ [in] PVOID OlValue
+);
+
+BOOL Wow64GetThreadContext(
+ HANDLE hThread,
+ PWOW64_CONTEXT lpContext
+);
+
+BOOL Wow64SetThreadContext(
+ HANDLE hThread,
+ WOW64_CONTEXT *lpContext
+);
+
+USHORT Wow64SetThreadDefaultGuestMachine(
+ USHORT Machine
+);
+
+DWORD Wow64SuspendThread(
+ HANDLE hThread
+);
+
+NTSTATUS WINAPI NtWow64ReadVirtualMemory64(
+ _In_ HANDLE hProcess,
+ _In_ ULONG64 lpBaseAddress,
+ _Out_ LPVOID lpBuffer,
+ _In_ ULONG64 nSize,
+ _Out_ PULONG64 lpNumberOfBytesRead
+);
+
+NTSTATUS WINAPI NtWow64WriteVirtualMemory64(
+ _In_ HANDLE hProcess,
+ _In_ ULONG64 lpBaseAddress,
+ _Out_ LPVOID lpBuffer,
+ _In_ ULONG64 nSize,
+ _Out_ PULONG64 lpNumberOfBytesWritten
+);
\ No newline at end of file
diff --git a/ctypes_generation/definitions/functions/winfunc.txt b/ctypes_generation/definitions/functions/winfunc.txt
index 3b223245..cc4d6960 100644
--- a/ctypes_generation/definitions/functions/winfunc.txt
+++ b/ctypes_generation/definitions/functions/winfunc.txt
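Review bot: `Wow64RevertWow64FsRedirection` declares its parameter as `OlValue`, a typo for `OldValue`; because this file drives code generation, the misspelling is propagated into `Wow64RevertWow64FsRedirectionParams = ((1, 'OlValue'),)` in winfuncs.py and into the generated docs, renaming a parameter that the removed winfunc.txt definition spelled `OldValue`, so any caller using the keyword form breaks. Change the line to `[in] PVOID OldValue`. Separately, `NtWow64WriteVirtualMemory64` keeps `_Out_ LPVOID lpBuffer` from the old definition although the buffer is the source of the write, so `_In_ LPVOID lpBuffer` would document it correctly; the file also mixes the `[in]`/`[out]` and `_In_`/`_Out_` annotation styles and lacks a trailing newline.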
@@ -242,13 +242,6 @@ BOOL WINAPI ReadProcessMemory( _Out_ SIZE_T *lpNumberOfBytesRead ); -NTSTATUS WINAPI NtWow64ReadVirtualMemory64( - _In_ HANDLE hProcess, - _In_ ULONG64 lpBaseAddress, - _Out_ LPVOID lpBuffer, - _In_ ULONG64 nSize, - _Out_ PULONG64 lpNumberOfBytesRead -); BOOL WINAPI WriteProcessMemory( @@ -260,13 +253,7 @@ BOOL WINAPI WriteProcessMemory( ); -NTSTATUS WINAPI NtWow64WriteVirtualMemory64( - _In_ HANDLE hProcess, - _In_ ULONG64 lpBaseAddress, - _Out_ LPVOID lpBuffer, - _In_ ULONG64 nSize, - _Out_ PULONG64 lpNumberOfBytesWritten -); + @@ -518,23 +505,6 @@ BOOL WINAPI DeviceIoControl( ); -BOOL WINAPI Wow64DisableWow64FsRedirection( - _Out_ PVOID *OldValue -); - -BOOL WINAPI Wow64RevertWow64FsRedirection( - _In_ PVOID OldValue -); - -BOOLEAN WINAPI Wow64EnableWow64FsRedirection( - _In_ BOOLEAN Wow64FsEnableRedirection -); - -BOOL WINAPI Wow64GetThreadContext( - _In_ HANDLE hThread, - _Inout_ PWOW64_CONTEXT lpContext -); - BOOL WINAPI SetConsoleCtrlHandler( _In_opt_ PHANDLER_ROUTINE HandlerRoutine, _In_ BOOL Add @@ -669,10 +639,6 @@ DWORD WINAPI GetProcessId( _In_ HANDLE Process ); -BOOL WINAPI Wow64SetThreadContext( - __in HANDLE hThread, - __in CONST WOW64_CONTEXT *lpContext -); DWORD WINAPI GetMappedFileNameW ( __in HANDLE hProcess, diff --git a/windows/generated_def/meta.py b/windows/generated_def/meta.py index 7a50a52e..30b6a0ac 100644 --- a/windows/generated_def/meta.py +++ b/windows/generated_def/meta.py @@ -14843,6 +14843,10 @@ 'GetSystemTime', 'GetSystemTimeAsFileTime', 'GetSystemTimes', +'GetSystemWow64Directory2A', +'GetSystemWow64Directory2W', +'GetSystemWow64DirectoryA', +'GetSystemWow64DirectoryW', 'GetThreadContext', 'GetThreadId', 'GetTickCount', @@ -14901,6 +14905,9 @@ 'IsDebuggerPresent', 'IsOS', 'IsValidSecurityDescriptor', +'IsWow64GuestMachineSupported', +'IsWow64Process', +'IsWow64Process2', 'LdrLoadDll', 'LoadLibraryA', 'LoadLibraryExA', 
@@ -15304,6 +15311,8 @@ 'Wow64GetThreadContext', 'Wow64RevertWow64FsRedirection', 'Wow64SetThreadContext', +'Wow64SetThreadDefaultGuestMachine', +'Wow64SuspendThread', 'WriteFile', 'WriteProcessMemory', 'ZwDuplicateObject', diff --git a/windows/generated_def/winfuncs.py b/windows/generated_def/winfuncs.py index 2e9a353a..e98da0c0 100644 --- a/windows/generated_def/winfuncs.py +++ b/windows/generated_def/winfuncs.py 
@@ -3030,6 +3030,86 @@ LookupAccountNameWPrototype = WINFUNCTYPE(BOOL, LPCWSTR, LPCWSTR, PSID, LPDWORD, LPWSTR, LPDWORD, PSID_NAME_USE) LookupAccountNameWParams = ((1, 'lpSystemName'), (1, 'lpAccountName'), (1, 'Sid'), (1, 'cbSid'), (1, 'ReferencedDomainName'), (1, 'cchReferencedDomainName'), (1, 'peUse')) +#def IsWow64Process(hProcess, Wow64Process): +# return IsWow64Process.ctypes_function(hProcess, Wow64Process) +IsWow64ProcessPrototype = WINFUNCTYPE(BOOL, HANDLE, PBOOL) +IsWow64ProcessParams = ((1, 'hProcess'), (1, 'Wow64Process')) + +#def IsWow64Process2(hProcess, pProcessMachine, pNativeMachine): +# return IsWow64Process2.ctypes_function(hProcess, pProcessMachine, pNativeMachine) +IsWow64Process2Prototype = WINFUNCTYPE(BOOL, HANDLE, POINTER(USHORT), POINTER(USHORT)) +IsWow64Process2Params = ((1, 'hProcess'), (1, 'pProcessMachine'), (1, 'pNativeMachine')) + +#def IsWow64GuestMachineSupported(WowGuestMachine, MachineIsSupported): +# return IsWow64GuestMachineSupported.ctypes_function(WowGuestMachine, MachineIsSupported) +IsWow64GuestMachineSupportedPrototype = WINFUNCTYPE(HRESULT, USHORT, POINTER(BOOL)) +IsWow64GuestMachineSupportedParams = ((1, 'WowGuestMachine'), (1, 'MachineIsSupported')) + +#def GetSystemWow64DirectoryA(lpBuffer, uSize): +# return GetSystemWow64DirectoryA.ctypes_function(lpBuffer, uSize) +GetSystemWow64DirectoryAPrototype = WINFUNCTYPE(UINT, LPSTR, UINT) +GetSystemWow64DirectoryAParams = ((1, 'lpBuffer'), (1, 'uSize')) + +#def GetSystemWow64DirectoryW(lpBuffer, uSize): +# return GetSystemWow64DirectoryW.ctypes_function(lpBuffer, uSize) +GetSystemWow64DirectoryWPrototype = WINFUNCTYPE(UINT, LPWSTR, UINT) +GetSystemWow64DirectoryWParams = ((1, 'lpBuffer'), (1, 'uSize')) + +#def GetSystemWow64Directory2A(lpBuffer, uSize, ImageFileMachineType): +# return GetSystemWow64Directory2A.ctypes_function(lpBuffer, uSize, ImageFileMachineType) +GetSystemWow64Directory2APrototype = WINFUNCTYPE(UINT, LPSTR, UINT, WORD) +GetSystemWow64Directory2AParams = 
((1, 'lpBuffer'), (1, 'uSize'), (1, 'ImageFileMachineType')) + +#def GetSystemWow64Directory2W(lpBuffer, uSize, ImageFileMachineType): +# return GetSystemWow64Directory2W.ctypes_function(lpBuffer, uSize, ImageFileMachineType) +GetSystemWow64Directory2WPrototype = WINFUNCTYPE(UINT, LPWSTR, UINT, WORD) +GetSystemWow64Directory2WParams = ((1, 'lpBuffer'), (1, 'uSize'), (1, 'ImageFileMachineType')) + +#def Wow64DisableWow64FsRedirection(OldValue): +# return Wow64DisableWow64FsRedirection.ctypes_function(OldValue) +Wow64DisableWow64FsRedirectionPrototype = WINFUNCTYPE(BOOL, POINTER(PVOID)) +Wow64DisableWow64FsRedirectionParams = ((1, 'OldValue'),) + +#def Wow64EnableWow64FsRedirection(Wow64FsEnableRedirection): +# return Wow64EnableWow64FsRedirection.ctypes_function(Wow64FsEnableRedirection) +Wow64EnableWow64FsRedirectionPrototype = WINFUNCTYPE(BOOLEAN, BOOLEAN) +Wow64EnableWow64FsRedirectionParams = ((1, 'Wow64FsEnableRedirection'),) + +#def Wow64RevertWow64FsRedirection(OlValue): +# return Wow64RevertWow64FsRedirection.ctypes_function(OlValue) +Wow64RevertWow64FsRedirectionPrototype = WINFUNCTYPE(BOOL, PVOID) +Wow64RevertWow64FsRedirectionParams = ((1, 'OlValue'),) + +#def Wow64GetThreadContext(hThread, lpContext): +# return Wow64GetThreadContext.ctypes_function(hThread, lpContext) +Wow64GetThreadContextPrototype = WINFUNCTYPE(BOOL, HANDLE, PWOW64_CONTEXT) +Wow64GetThreadContextParams = ((1, 'hThread'), (1, 'lpContext')) + +#def Wow64SetThreadContext(hThread, lpContext): +# return Wow64SetThreadContext.ctypes_function(hThread, lpContext) +Wow64SetThreadContextPrototype = WINFUNCTYPE(BOOL, HANDLE, POINTER(WOW64_CONTEXT)) +Wow64SetThreadContextParams = ((1, 'hThread'), (1, 'lpContext')) + +#def Wow64SetThreadDefaultGuestMachine(Machine): +# return Wow64SetThreadDefaultGuestMachine.ctypes_function(Machine) +Wow64SetThreadDefaultGuestMachinePrototype = WINFUNCTYPE(USHORT, USHORT) +Wow64SetThreadDefaultGuestMachineParams = ((1, 'Machine'),) + +#def 
Wow64SuspendThread(hThread): +# return Wow64SuspendThread.ctypes_function(hThread) +Wow64SuspendThreadPrototype = WINFUNCTYPE(DWORD, HANDLE) +Wow64SuspendThreadParams = ((1, 'hThread'),) + +#def NtWow64ReadVirtualMemory64(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesRead): +# return NtWow64ReadVirtualMemory64.ctypes_function(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesRead) +NtWow64ReadVirtualMemory64Prototype = WINFUNCTYPE(NTSTATUS, HANDLE, ULONG64, LPVOID, ULONG64, PULONG64) +NtWow64ReadVirtualMemory64Params = ((1, 'hProcess'), (1, 'lpBaseAddress'), (1, 'lpBuffer'), (1, 'nSize'), (1, 'lpNumberOfBytesRead')) + +#def NtWow64WriteVirtualMemory64(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesWritten): +# return NtWow64WriteVirtualMemory64.ctypes_function(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesWritten) +NtWow64WriteVirtualMemory64Prototype = WINFUNCTYPE(NTSTATUS, HANDLE, ULONG64, LPVOID, ULONG64, PULONG64) +NtWow64WriteVirtualMemory64Params = ((1, 'hProcess'), (1, 'lpBaseAddress'), (1, 'lpBuffer'), (1, 'nSize'), (1, 'lpNumberOfBytesWritten')) + #def FileTimeToSystemTime(lpFileTime, lpSystemTime): # return FileTimeToSystemTime.ctypes_function(lpFileTime, lpSystemTime) FileTimeToSystemTimePrototype = WINFUNCTYPE(BOOL, POINTER(FILETIME), LPSYSTEMTIME) 
@@ -3420,21 +3500,11 @@ ReadProcessMemoryPrototype = WINFUNCTYPE(BOOL, HANDLE, LPCVOID, LPVOID, SIZE_T, POINTER(SIZE_T)) ReadProcessMemoryParams = ((1, 'hProcess'), (1, 'lpBaseAddress'), (1, 'lpBuffer'), (1, 'nSize'), (1, 'lpNumberOfBytesRead')) -#def NtWow64ReadVirtualMemory64(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesRead): -# return NtWow64ReadVirtualMemory64.ctypes_function(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesRead) -NtWow64ReadVirtualMemory64Prototype = WINFUNCTYPE(NTSTATUS, HANDLE, ULONG64, LPVOID, ULONG64, PULONG64) -NtWow64ReadVirtualMemory64Params = ((1, 'hProcess'), (1, 'lpBaseAddress'), (1, 'lpBuffer'), (1, 'nSize'), (1, 'lpNumberOfBytesRead')) - #def WriteProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesWritten): # return WriteProcessMemory.ctypes_function(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesWritten) WriteProcessMemoryPrototype = WINFUNCTYPE(BOOL, HANDLE, LPVOID, LPCVOID, SIZE_T, POINTER(SIZE_T)) WriteProcessMemoryParams = ((1, 'hProcess'), (1, 'lpBaseAddress'), (1, 'lpBuffer'), (1, 'nSize'), (1, 'lpNumberOfBytesWritten')) -#def NtWow64WriteVirtualMemory64(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesWritten): -# return NtWow64WriteVirtualMemory64.ctypes_function(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesWritten) -NtWow64WriteVirtualMemory64Prototype = WINFUNCTYPE(NTSTATUS, HANDLE, ULONG64, LPVOID, ULONG64, PULONG64) -NtWow64WriteVirtualMemory64Params = ((1, 'hProcess'), (1, 'lpBaseAddress'), (1, 'lpBuffer'), (1, 'nSize'), (1, 'lpNumberOfBytesWritten')) - #def GetCurrentProcess(): # return GetCurrentProcess.ctypes_function() GetCurrentProcessPrototype = WINFUNCTYPE(HANDLE) 
@@ -3665,26 +3735,6 @@ DeviceIoControlPrototype = WINFUNCTYPE(BOOL, HANDLE, DWORD, LPVOID, DWORD, LPVOID, DWORD, LPDWORD, LPOVERLAPPED) DeviceIoControlParams = ((1, 'hDevice'), (1, 'dwIoControlCode'), (1, 'lpInBuffer'), (1, 'nInBufferSize'), (1, 'lpOutBuffer'), (1, 'nOutBufferSize'), (1, 'lpBytesReturned'), (1, 'lpOverlapped')) -#def Wow64DisableWow64FsRedirection(OldValue): -# return Wow64DisableWow64FsRedirection.ctypes_function(OldValue) -Wow64DisableWow64FsRedirectionPrototype = WINFUNCTYPE(BOOL, POINTER(PVOID)) -Wow64DisableWow64FsRedirectionParams = ((1, 'OldValue'),) - -#def Wow64RevertWow64FsRedirection(OldValue): -# return Wow64RevertWow64FsRedirection.ctypes_function(OldValue) -Wow64RevertWow64FsRedirectionPrototype = WINFUNCTYPE(BOOL, PVOID) -Wow64RevertWow64FsRedirectionParams = ((1, 'OldValue'),) - -#def Wow64EnableWow64FsRedirection(Wow64FsEnableRedirection): -# return Wow64EnableWow64FsRedirection.ctypes_function(Wow64FsEnableRedirection) -Wow64EnableWow64FsRedirectionPrototype = WINFUNCTYPE(BOOLEAN, BOOLEAN) -Wow64EnableWow64FsRedirectionParams = ((1, 'Wow64FsEnableRedirection'),) - -#def Wow64GetThreadContext(hThread, lpContext): -# return Wow64GetThreadContext.ctypes_function(hThread, lpContext) -Wow64GetThreadContextPrototype = WINFUNCTYPE(BOOL, HANDLE, PWOW64_CONTEXT) -Wow64GetThreadContextParams = ((1, 'hThread'), (1, 'lpContext')) - #def SetConsoleCtrlHandler(HandlerRoutine, Add): # return SetConsoleCtrlHandler.ctypes_function(HandlerRoutine, Add) SetConsoleCtrlHandlerPrototype = WINFUNCTYPE(BOOL, PHANDLER_ROUTINE, BOOL) 
@@ -3820,11 +3870,6 @@ GetProcessIdPrototype = WINFUNCTYPE(DWORD, HANDLE) GetProcessIdParams = ((1, 'Process'),) -#def Wow64SetThreadContext(hThread, lpContext): -# return Wow64SetThreadContext.ctypes_function(hThread, lpContext) -Wow64SetThreadContextPrototype = WINFUNCTYPE(BOOL, HANDLE, POINTER(WOW64_CONTEXT)) -Wow64SetThreadContextParams = ((1, 'hThread'), (1, 'lpContext')) - #def GetMappedFileNameW(hProcess, lpv, lpFilename, nSize): # return GetMappedFileNameW.ctypes_function(hProcess, lpv, lpFilename, nSize) GetMappedFileNameWPrototype = WINFUNCTYPE(DWORD, HANDLE, LPVOID, PVOID, DWORD) diff --git a/windows/winproxy/apis/kernel32.py b/windows/winproxy/apis/kernel32.py index 09179c00..93178a22 100644 --- a/windows/winproxy/apis/kernel32.py +++ b/windows/winproxy/apis/kernel32.py 
@@ -503,6 +503,41 @@ def Wow64GetThreadContext(hThread, lpContext): def Wow64SetThreadContext(hThread, lpContext): return Wow64SetThreadContext.ctypes_function(hThread, lpContext) +@Kernel32Proxy() +def IsWow64Process(hProcess, Wow64Process): + return IsWow64Process.ctypes_function(hProcess, Wow64Process) + +@Kernel32Proxy() +def IsWow64Process2(hProcess, pProcessMachine, pNativeMachine): + return IsWow64Process2.ctypes_function(hProcess, pProcessMachine, pNativeMachine) + +@Kernel32Proxy() +def IsWow64GuestMachineSupported(WowGuestMachine, MachineIsSupported): + return IsWow64GuestMachineSupported.ctypes_function(WowGuestMachine, MachineIsSupported) + +@Kernel32Proxy() +def GetSystemWow64DirectoryA(lpBuffer, uSize): + return GetSystemWow64DirectoryA.ctypes_function(lpBuffer, uSize) + +@Kernel32Proxy() +def GetSystemWow64DirectoryW(lpBuffer, uSize): + return GetSystemWow64DirectoryW.ctypes_function(lpBuffer, uSize) + +@Kernel32Proxy() +def GetSystemWow64Directory2A(lpBuffer, uSize, ImageFileMachineType): + return GetSystemWow64Directory2A.ctypes_function(lpBuffer, uSize, ImageFileMachineType) + +@Kernel32Proxy() +def GetSystemWow64Directory2W(lpBuffer, uSize, ImageFileMachineType): + return GetSystemWow64Directory2W.ctypes_function(lpBuffer, uSize, ImageFileMachineType) + +@Kernel32Proxy() +def Wow64SetThreadDefaultGuestMachine(Machine): + return Wow64SetThreadDefaultGuestMachine.ctypes_function(Machine) + +@Kernel32Proxy() +def Wow64SuspendThread(hThread): + return Wow64SuspendThread.ctypes_function(hThread) ## File From 12979967254f15aea7b3ba1d5cbade27b096db81 Mon Sep 17 00:00:00 2001 From: hakril Date: Thu, 16 Jan 2025 22:23:25 +0100 Subject: [PATCH 10/70] New implem of is_wow_64(handle) --- windows/utils/winutils.py | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/windows/utils/winutils.py b/windows/utils/winutils.py index 1f803f13..1d93fae9 100644 --- a/windows/utils/winutils.py +++ b/windows/utils/winutils.py 
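Review bot: `IsWow64GuestMachineSupported` is declared with an `HRESULT` return in syswow64.txt, yet it is wrapped here with a bare `@Kernel32Proxy()` exactly like the BOOL-returning functions around it. If the decorator's default error check treats a zero return as failure (the usual convention for kernel32 BOOL APIs), a successful `S_OK` result of 0 would raise; the same default would misfire for `Wow64SuspendThread`, whose return is the previous suspend count (legitimately 0 for a running thread) with failure signalled by `(DWORD)-1`. Pass the HRESULT-aware and value-is-error checks the proxy layer provides (their names are not visible in this hunk) or document why the default is acceptable. None of the new wrappers carries a docstring, which matches the existing `Wow64SetThreadContext` context line.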
@@ -36,17 +36,13 @@ def get_remote_func_addr(target, dll_name, func_name): return mod.pe.exports[func_name] -def is_wow_64(hProcess): - try: - fnIsWow64Process = get_func_addr("kernel32.dll", "IsWow64Process") - except winproxy.WinproxyError: +def is_wow_64(handle): + import pdb;pdb.set_trace() + if not windows.winproxy.is_implemented(windows.winproxy.IsWow64Process): return False - IsWow64Process = ctypes.WINFUNCTYPE(BOOL, HANDLE, ctypes.POINTER(BOOL))(fnIsWow64Process) - Wow64Process = BOOL() - res = IsWow64Process(hProcess, ctypes.byref(Wow64Process)) - if res: - return bool(Wow64Process) - raise ctypes.WinError() + Wow64Process = gdef.BOOL() + windows.winproxy.IsWow64Process(handle, Wow64Process) + return bool(Wow64Process) def create_file_from_handle(handle, mode="r"): From 234844cf1237049528585162af9c3c8fe0e7f322 Mon Sep 17 00:00:00 2001 From: hakril Date: Thu, 16 Jan 2025 22:25:34 +0100 Subject: [PATCH 11/70] Remove breakpoint --- windows/utils/winutils.py | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/utils/winutils.py b/windows/utils/winutils.py index 1d93fae9..1d28e818 100644 --- a/windows/utils/winutils.py +++ b/windows/utils/winutils.py @@ -37,7 +37,6 @@ def get_remote_func_addr(target, dll_name, func_name): def is_wow_64(handle): - import pdb;pdb.set_trace() if not windows.winproxy.is_implemented(windows.winproxy.IsWow64Process): return False Wow64Process = gdef.BOOL() From 3a3e6bc931baa5e08ddf4c67728c977705a2ce06 Mon Sep 17 00:00:00 2001 From: hakril Date: Thu, 16 Jan 2025 22:31:33 +0100 Subject: [PATCH 12/70] improve conftest --- tests/conftest.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tests/conftest.py b/tests/conftest.py index e429b231..7dfb5203 100644 --- a/tests/conftest.py +++ b/tests/conftest.py 
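Review bot: `is_wow_64` renames its parameter from `hProcess` to `handle`, so any caller using the keyword form `is_wow_64(hProcess=...)` now raises `TypeError`; keep the old name or accept both. The new body also drops the explicit `raise ctypes.WinError()` path in favour of whatever error check `windows.winproxy.IsWow64Process` applies, which is fine if the proxy raises on a zero return but should be stated in a docstring, e.g. `"""Return True if the process behind handle runs under WOW64; False when IsWow64Process is not exported on this system."""`. The `import pdb;pdb.set_trace()` line must not ship; the following commit in this series removes it.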
@@ -103,16 +103,14 @@ def print_new_handle_type(self): print(self.handles_types(self.get_new_handle())) -current_process_hdebugger = HandleDebugger(windows.current_process.pid) -current_process_hdebugger.refresh_handles() class NoLeakAssert(AssertionError): pass - @pytest.fixture() def check_for_handle_leak(request): + current_process_hdebugger = HandleDebugger(windows.current_process.pid) x = current_process_hdebugger.refresh_handles() yield None leaked_handles = current_process_hdebugger.get_new_handle(x) From 314cd2b862941c666040ad5425c883ff2d1d2dbe Mon Sep 17 00:00:00 2001 From: hakril Date: Sat, 18 Jan 2025 18:08:20 +0100 Subject: [PATCH 13/70] More arm exploration of api responses --- .../definitions/functions/sysinfo.txt | 8 ++ .../definitions/structures/system_info.txt | 19 ++++ docs/source/winfuncs_generated.rst | 50 ++++++--- docs/source/winstructs_generated.rst | 61 ++++++++++ tests/test_syswow.py | 7 ++ windows/generated_def/meta.py | 5 + windows/generated_def/winfuncs.py | 10 ++ windows/generated_def/winstructs.py | 106 ++++++++++++++++++ windows/utils/winutils.py | 8 ++ windows/winproxy/apis/kernel32.py | 8 ++ 10 files changed, 268 insertions(+), 14 deletions(-) diff --git a/ctypes_generation/definitions/functions/sysinfo.txt b/ctypes_generation/definitions/functions/sysinfo.txt index dc3ed306..e76183e1 100644 --- a/ctypes_generation/definitions/functions/sysinfo.txt +++ b/ctypes_generation/definitions/functions/sysinfo.txt @@ -59,4 +59,12 @@ BOOL LookupAccountNameW( LPWSTR ReferencedDomainName, LPDWORD cchReferencedDomainName, PSID_NAME_USE peUse +); + +PVOID GetNativeSystemInfo( + [out] LPSYSTEM_INFO lpSystemInfo +); + +PVOID GetSystemInfo( + [out] LPSYSTEM_INFO lpSystemInfo ); \ No newline at end of file diff --git a/ctypes_generation/definitions/structures/system_info.txt b/ctypes_generation/definitions/structures/system_info.txt index 53d85700..3516d6d5 100644 --- a/ctypes_generation/definitions/structures/system_info.txt 
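Review bot: `current_process_hdebugger` was a module-level name and is now a local of `check_for_handle_leak`, so anything else in conftest.py or the test modules that referenced the global (not visible here) would raise `NameError`; worth a grep before merging. Building a fresh `HandleDebugger` per test is the right fix for a stale baseline; the fixture's teardown continues outside the hunk. The removed blank line leaves a single blank line between `class NoLeakAssert` and the decorator where the file otherwise uses two.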
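Review bot: `GetSystemInfo` and `GetNativeSystemInfo` are declared as returning `PVOID`, but both Win32 functions return `void`; the generated prototypes become `WINFUNCTYPE(PVOID, LPSYSTEM_INFO)`, so the wrapper receives whatever happens to be in the return register and, if the proxy's default error check fails on a zero result, a successful call can raise spuriously. Declare them as `VOID GetSystemInfo(...)` / `VOID GetNativeSystemInfo(...)` (or whichever void spelling the generator accepts) and wrap them with an error check that ignores the return value. The hunk also leaves `);` with no trailing newline at end of file.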
+++ b/ctypes_generation/definitions/structures/system_info.txt @@ -67,3 +67,22 @@ typedef enum _COMPUTER_NAME_FORMAT { ComputerNamePhysicalDnsFullyQualified, ComputerNameMax } COMPUTER_NAME_FORMAT; + +typedef struct _SYSTEM_INFO { + union { + DWORD dwOemId; + struct { + WORD wProcessorArchitecture; + WORD wReserved; + } DUMMYSTRUCTNAME; + } DUMMYUNIONNAME; + DWORD dwPageSize; + LPVOID lpMinimumApplicationAddress; + LPVOID lpMaximumApplicationAddress; + DWORD_PTR dwActiveProcessorMask; + DWORD dwNumberOfProcessors; + DWORD dwProcessorType; + DWORD dwAllocationGranularity; + WORD wProcessorLevel; + WORD wProcessorRevision; +} SYSTEM_INFO, *LPSYSTEM_INFO; \ No newline at end of file diff --git a/docs/source/winfuncs_generated.rst b/docs/source/winfuncs_generated.rst index bc279eed..2a6706f0 100644 --- a/docs/source/winfuncs_generated.rst +++ b/docs/source/winfuncs_generated.rst 
@@ -1214,6 +1214,42 @@ Functions .. function:: LookupAccountNameW(lpSystemName, lpAccountName, Sid, cbSid, ReferencedDomainName, cchReferencedDomainName, peUse) +.. function:: GetNativeSystemInfo(lpSystemInfo) + +.. function:: GetSystemInfo(lpSystemInfo) + +.. function:: IsWow64Process(hProcess, Wow64Process) + +.. function:: IsWow64Process2(hProcess, pProcessMachine, pNativeMachine) + +.. function:: IsWow64GuestMachineSupported(WowGuestMachine, MachineIsSupported) + +.. function:: GetSystemWow64DirectoryA(lpBuffer, uSize) + +.. function:: GetSystemWow64DirectoryW(lpBuffer, uSize) + +.. function:: GetSystemWow64Directory2A(lpBuffer, uSize, ImageFileMachineType) + +.. function:: GetSystemWow64Directory2W(lpBuffer, uSize, ImageFileMachineType) + +.. function:: Wow64DisableWow64FsRedirection(OldValue) + +.. function:: Wow64EnableWow64FsRedirection(Wow64FsEnableRedirection) + +.. function:: Wow64RevertWow64FsRedirection(OlValue) + +.. function:: Wow64GetThreadContext(hThread, lpContext) + +.. function:: Wow64SetThreadContext(hThread, lpContext) + +.. function:: Wow64SetThreadDefaultGuestMachine(Machine) + +.. function:: Wow64SuspendThread(hThread) + +.. function:: NtWow64ReadVirtualMemory64(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesRead) + +.. function:: NtWow64WriteVirtualMemory64(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesWritten) + .. function:: FileTimeToSystemTime(lpFileTime, lpSystemTime) .. function:: SystemTimeToFileTime(lpSystemTime, lpFileTime) 
@@ -1370,12 +1406,8 @@ Functions .. function:: ReadProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesRead) -.. function:: NtWow64ReadVirtualMemory64(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesRead) - .. function:: WriteProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesWritten) -.. function:: NtWow64WriteVirtualMemory64(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesWritten) - .. function:: GetCurrentProcess() .. function:: CreateFileA(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile) @@ -1468,14 +1500,6 @@ Functions .. function:: DeviceIoControl(hDevice, dwIoControlCode, lpInBuffer, nInBufferSize, lpOutBuffer, nOutBufferSize, lpBytesReturned, lpOverlapped) -.. function:: Wow64DisableWow64FsRedirection(OldValue) - -.. function:: Wow64RevertWow64FsRedirection(OldValue) - -.. function:: Wow64EnableWow64FsRedirection(Wow64FsEnableRedirection) - -.. function:: Wow64GetThreadContext(hThread, lpContext) - .. function:: SetConsoleCtrlHandler(HandlerRoutine, Add) .. function:: GlobalAlloc(uFlags, dwBytes) @@ -1530,8 +1554,6 @@ Functions .. function:: GetProcessId(Process) -.. function:: Wow64SetThreadContext(hThread, lpContext) - .. function:: GetMappedFileNameW(hProcess, lpv, lpFilename, nSize) .. function:: GetMappedFileNameA(hProcess, lpv, lpFilename, nSize) diff --git a/docs/source/winstructs_generated.rst b/docs/source/winstructs_generated.rst index 9abcbe32..86e7fb27 100644 --- a/docs/source/winstructs_generated.rst +++ b/docs/source/winstructs_generated.rst 
@@ -25769,6 +25769,67 @@ _EXPLICIT_ACCESS_W :class:`TRUSTEE_W` +_SYSTEM_INFO +'''''''''''' +.. class:: LPSYSTEM_INFO + + Pointer to :class:`_SYSTEM_INFO` + +.. class:: SYSTEM_INFO + + Alias for :class:`_SYSTEM_INFO` + +.. class:: _SYSTEM_INFO + + .. attribute:: DUMMYUNIONNAME + + :class:`_ANON__SYSTEM_INFO_SUB_UNION_1` + + + .. attribute:: dwPageSize + + :class:`DWORD` + + + .. attribute:: lpMinimumApplicationAddress + + :class:`LPVOID` + + + .. attribute:: lpMaximumApplicationAddress + + :class:`LPVOID` + + + .. attribute:: dwActiveProcessorMask + + :class:`DWORD_PTR` + + + .. attribute:: dwNumberOfProcessors + + :class:`DWORD` + + + .. attribute:: dwProcessorType + + :class:`DWORD` + + + .. attribute:: dwAllocationGranularity + + :class:`DWORD` + + + .. attribute:: wProcessorLevel + + :class:`WORD` + + + .. attribute:: wProcessorRevision + + :class:`WORD` + _TIME_ZONE_INFORMATION '''''''''''''''''''''' .. class:: LPTIME_ZONE_INFORMATION diff --git a/tests/test_syswow.py b/tests/test_syswow.py index c19c809b..3e614afd 100644 --- a/tests/test_syswow.py +++ b/tests/test_syswow.py @@ -22,6 +22,13 @@ def test_print_syswow_state(): print(f"{env['PROCESSOR_ARCHITECTURE']=}") print(f"{env.get('PROCESSOR_ARCHITEW6432')=}") + print("") + print("GetSystemInfo") + windows.utils.sprint(windows.utils.get_system_info(native=False), name="SystemInfo") + print("") + print("GetNativeSystemInfo") + windows.utils.sprint(windows.utils.get_system_info(native=True), name="NativeSystemInfo") + @process_syswow_only class TestSyswowCurrentProcess(object): def test_exec_syswow(self): diff --git a/windows/generated_def/meta.py b/windows/generated_def/meta.py index 30b6a0ac..dcb35c47 100644 --- a/windows/generated_def/meta.py +++ b/windows/generated_def/meta.py @@ -12641,6 +12641,7 @@ 'LPSTARTUPINFOEXW', 'LPSTARTUPINFOW', 'LPSYSTEMTIME', +'LPSYSTEM_INFO', 'LPTHREADENTRY32', 'LPTIME_ZONE_INFORMATION', 'LPTLIBATTR', 
@@ -13459,6 +13460,7 @@ 'SYSTEM_HANDLE64', 'SYSTEM_HANDLE_INFORMATION', 'SYSTEM_HANDLE_INFORMATION64', +'SYSTEM_INFO', 'SYSTEM_MANDATORY_LABEL_ACE', 'SYSTEM_MODULE32', 'SYSTEM_MODULE64', @@ -14038,6 +14040,7 @@ '_SYSTEM_HANDLE64', '_SYSTEM_HANDLE_INFORMATION', '_SYSTEM_HANDLE_INFORMATION64', +'_SYSTEM_INFO', '_SYSTEM_MANDATORY_LABEL_ACE', '_SYSTEM_MODULE32', '_SYSTEM_MODULE64', @@ -14803,6 +14806,7 @@ 'GetModuleHandleW', 'GetNamedSecurityInfoA', 'GetNamedSecurityInfoW', +'GetNativeSystemInfo', 'GetNumberOfEventLogRecords', 'GetOverlappedResult', 'GetParent', @@ -14839,6 +14843,7 @@ 'GetSidSubAuthorityCount', 'GetStdHandle', 'GetStringConditionFromBinary', +'GetSystemInfo', 'GetSystemMetrics', 'GetSystemTime', 'GetSystemTimeAsFileTime', diff --git a/windows/generated_def/winfuncs.py b/windows/generated_def/winfuncs.py index e98da0c0..79e8135d 100644 --- a/windows/generated_def/winfuncs.py +++ b/windows/generated_def/winfuncs.py @@ -3030,6 +3030,16 @@ LookupAccountNameWPrototype = WINFUNCTYPE(BOOL, LPCWSTR, LPCWSTR, PSID, LPDWORD, LPWSTR, LPDWORD, PSID_NAME_USE) LookupAccountNameWParams = ((1, 'lpSystemName'), (1, 'lpAccountName'), (1, 'Sid'), (1, 'cbSid'), (1, 'ReferencedDomainName'), (1, 'cchReferencedDomainName'), (1, 'peUse')) +#def GetNativeSystemInfo(lpSystemInfo): +# return GetNativeSystemInfo.ctypes_function(lpSystemInfo) +GetNativeSystemInfoPrototype = WINFUNCTYPE(PVOID, LPSYSTEM_INFO) +GetNativeSystemInfoParams = ((1, 'lpSystemInfo'),) + +#def GetSystemInfo(lpSystemInfo): +# return GetSystemInfo.ctypes_function(lpSystemInfo) +GetSystemInfoPrototype = WINFUNCTYPE(PVOID, LPSYSTEM_INFO) +GetSystemInfoParams = ((1, 'lpSystemInfo'),) + #def IsWow64Process(hProcess, Wow64Process): # return IsWow64Process.ctypes_function(hProcess, Wow64Process) IsWow64ProcessPrototype = WINFUNCTYPE(BOOL, HANDLE, PBOOL) diff --git a/windows/generated_def/winstructs.py b/windows/generated_def/winstructs.py index 90a373a2..49179ca3 100644 --- a/windows/generated_def/winstructs.py 
+++ b/windows/generated_def/winstructs.py 
@@ -11227,6 +11227,112 @@ class _EXPLICIT_ACCESS_W(Structure): PEXPLICIT_ACCESSW = POINTER(_EXPLICIT_ACCESS_W) PEXPLICIT_ACCESS_W = POINTER(_EXPLICIT_ACCESS_W) +ComputerNameNetBIOS = EnumValue("_COMPUTER_NAME_FORMAT", "ComputerNameNetBIOS", 0x0) +ComputerNameDnsHostname = EnumValue("_COMPUTER_NAME_FORMAT", "ComputerNameDnsHostname", 0x1) +ComputerNameDnsDomain = EnumValue("_COMPUTER_NAME_FORMAT", "ComputerNameDnsDomain", 0x2) +ComputerNameDnsFullyQualified = EnumValue("_COMPUTER_NAME_FORMAT", "ComputerNameDnsFullyQualified", 0x3) +ComputerNamePhysicalNetBIOS = EnumValue("_COMPUTER_NAME_FORMAT", "ComputerNamePhysicalNetBIOS", 0x4) +ComputerNamePhysicalDnsHostname = EnumValue("_COMPUTER_NAME_FORMAT", "ComputerNamePhysicalDnsHostname", 0x5) +ComputerNamePhysicalDnsDomain = EnumValue("_COMPUTER_NAME_FORMAT", "ComputerNamePhysicalDnsDomain", 0x6) +ComputerNamePhysicalDnsFullyQualified = EnumValue("_COMPUTER_NAME_FORMAT", "ComputerNamePhysicalDnsFullyQualified", 0x7) +ComputerNameMax = EnumValue("_COMPUTER_NAME_FORMAT", "ComputerNameMax", 0x8) +class _COMPUTER_NAME_FORMAT(EnumType): + values = [ComputerNameNetBIOS, ComputerNameDnsHostname, ComputerNameDnsDomain, ComputerNameDnsFullyQualified, ComputerNamePhysicalNetBIOS, ComputerNamePhysicalDnsHostname, ComputerNamePhysicalDnsDomain, ComputerNamePhysicalDnsFullyQualified, ComputerNameMax] + mapper = FlagMapper(*values) +COMPUTER_NAME_FORMAT = _COMPUTER_NAME_FORMAT + + +class _SYSTEM_PROCESS_INFORMATION(Structure): + _fields_ = [ + ("NextEntryOffset", ULONG), + ("NumberOfThreads", ULONG), + ("Reserved1", BYTE * (24)), + ("CreateTime", LARGE_INTEGER), + ("UserTime", LARGE_INTEGER), + ("KernelTime", LARGE_INTEGER), + ("ImageName", UNICODE_STRING), + ("BasePriority", LONG), + ("UniqueProcessId", HANDLE), + ("InheritedFromUniqueProcessId", PVOID), + ("HandleCount", ULONG), + ("Reserved4", BYTE * (4)), + ("Reserved5", PVOID * (1)), + ("PeakVirtualSize", PVOID), + ("VirtualSize", PVOID), + ("PageFaultCount", PVOID), + 
("PeakWorkingSetSize", PVOID), + ("WorkingSetSize", PVOID), + ("QuotaPeakPagedPoolUsage", PVOID), + ("QuotaPagedPoolUsage", PVOID), + ("QuotaPeakNonPagedPoolUsage", PVOID), + ("QuotaNonPagedPoolUsage", PVOID), + ("PagefileUsage", PVOID), + ("PeakPagefileUsage", SIZE_T), + ("PrivatePageCount", SIZE_T), + ("Reserved6", LARGE_INTEGER * (6)), + ] +PSYSTEM_PROCESS_INFORMATION = POINTER(_SYSTEM_PROCESS_INFORMATION) +SYSTEM_PROCESS_INFORMATION = _SYSTEM_PROCESS_INFORMATION + +class _SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION(Structure): + _fields_ = [ + ("IdleTime", LARGE_INTEGER), + ("KernelTime", LARGE_INTEGER), + ("UserTime", LARGE_INTEGER), + ("Reserved1", LARGE_INTEGER * (2)), + ("Reserved2", ULONG), + ] +PSYSTEM_PROCESSOR_PERFORMANCE_INFORMATION = POINTER(_SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION) +SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION = _SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION + +class _SYSTEM_REGISTRY_QUOTA_INFORMATION(Structure): + _fields_ = [ + ("RegistryQuotaAllowed", ULONG), + ("RegistryQuotaUsed", ULONG), + ("Reserved1", PVOID), + ] +PSYSTEM_REGISTRY_QUOTA_INFORMATION = POINTER(_SYSTEM_REGISTRY_QUOTA_INFORMATION) +SYSTEM_REGISTRY_QUOTA_INFORMATION = _SYSTEM_REGISTRY_QUOTA_INFORMATION + +class _SYSTEM_BASIC_INFORMATION(Structure): + _fields_ = [ + ("Reserved1", BYTE * (24)), + ("Reserved2", PVOID * (4)), + ("NumberOfProcessors", CHAR), + ] +PSYSTEM_BASIC_INFORMATION = POINTER(_SYSTEM_BASIC_INFORMATION) +SYSTEM_BASIC_INFORMATION = _SYSTEM_BASIC_INFORMATION + +class _ANON__ANON__SYSTEM_INFO_SUB_UNION_1_SUB_STRUCTURE_1(Structure): + _fields_ = [ + ("wProcessorArchitecture", WORD), + ("wReserved", WORD), + ] + +class _ANON__SYSTEM_INFO_SUB_UNION_1(Union): + _anonymous_ = ("DUMMYSTRUCTNAME",) + _fields_ = [ + ("dwOemId", DWORD), + ("DUMMYSTRUCTNAME", _ANON__ANON__SYSTEM_INFO_SUB_UNION_1_SUB_STRUCTURE_1), + ] + +class _SYSTEM_INFO(Structure): + _anonymous_ = ("DUMMYUNIONNAME",) + _fields_ = [ + ("DUMMYUNIONNAME", _ANON__SYSTEM_INFO_SUB_UNION_1), + ("dwPageSize", 
DWORD),
+ ("lpMinimumApplicationAddress", LPVOID),
+ ("lpMaximumApplicationAddress", LPVOID),
+ ("dwActiveProcessorMask", DWORD_PTR),
+ ("dwNumberOfProcessors", DWORD),
+ ("dwProcessorType", DWORD),
+ ("dwAllocationGranularity", DWORD),
+ ("wProcessorLevel", WORD),
+ ("wProcessorRevision", WORD),
+ ]
+LPSYSTEM_INFO = POINTER(_SYSTEM_INFO)
+SYSTEM_INFO = _SYSTEM_INFO
+
 class _TIME_ZONE_INFORMATION(Structure):
 _fields_ = [
 ("Bias", LONG),
diff --git a/windows/utils/winutils.py b/windows/utils/winutils.py
index 1d28e818..12203336 100644
--- a/windows/utils/winutils.py
+++ b/windows/utils/winutils.py
@@ -552,6 +552,14 @@ def create_file(name, access=gdef.GENERIC_READ, share=gdef.FILE_SHARE_READ, secu
 # addr = windows.winproxy.MapViewOfFile(h, dwDesiredAccess=FILE_MAP_READ, dwNumberOfBytesToMap=1)
 # return addr
+def get_system_info(native=False):
+ res = gdef.SYSTEM_INFO()
+ if native:
+ windows.winproxy.GetNativeSystemInfo(res)
+ else:
+ windows.winproxy.GetSystemInfo(res)
+ return res
+
 def decompress_buffer(buffer, comptype=gdef.COMPRESSION_FORMAT_LZNT1, uncompress_size=None):
 if uncompress_size is None:
 uncompress_size = len(buffer) * 10
diff --git a/windows/winproxy/apis/kernel32.py b/windows/winproxy/apis/kernel32.py
index 93178a22..9623981e 100644
--- a/windows/winproxy/apis/kernel32.py
+++ b/windows/winproxy/apis/kernel32.py
@@ -407,6 +407,14 @@ def GetWindowsDirectoryW(lpBuffer, uSize=None):
 def GetProductInfo(dwOSMajorVersion, dwOSMinorVersion, dwSpMajorVersion, dwSpMinorVersion, pdwReturnedProductType):
 return GetProductInfo.ctypes_function(dwOSMajorVersion, dwOSMinorVersion, dwSpMajorVersion, dwSpMinorVersion, pdwReturnedProductType)
+@Kernel32Proxy(error_check=no_error_check)
+def GetNativeSystemInfo(lpSystemInfo):
+ return GetNativeSystemInfo.ctypes_function(lpSystemInfo)
+
+@Kernel32Proxy(error_check=no_error_check)
+def GetSystemInfo(lpSystemInfo):
+ return GetSystemInfo.ctypes_function(lpSystemInfo)
+
 ## Io
 @Kernel32Proxy()
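Review bot: `get_system_info` is a new public helper without a docstring, and the `native` flag is exactly what a caller needs explained, since the body differs only in which API fills the structure. A docstring such as `"""Return a :class:`SYSTEM_INFO` filled by ``GetSystemInfo``, or by ``GetNativeSystemInfo`` when ``native`` is true (the API intended for WOW64 callers that want the host's view)"""` would state the contract. Both winproxy calls are declared with `error_check=no_error_check` in this commit's kernel32.py hunk, so nothing in this function can raise on API failure; that is worth saying in the docstring as well.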
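Review bot: Both new proxies `return` the result of `ctypes_function`, while the generated prototypes in this commit's winfuncs.py hunk declare a `PVOID` return for `GetSystemInfo` and `GetNativeSystemInfo`, two APIs that are `void` in the Win32 headers, so the value handed back to callers is unspecified. The `error_check=no_error_check` choice is consistent with a void API; either drop the `return` (leaving `GetSystemInfo.ctypes_function(lpSystemInfo)` on its own line) or add a one-line comment that the return value is meaningless and callers must read `lpSystemInfo`. Declaring the return type as void in the function definitions file would be the cleaner fix, but that file is not in this chunk.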
From ea6b7b932df0f90c70da44cd13b7c6ddb242ca7f Mon Sep 17 00:00:00 2001
From: hakril
Date: Sat, 18 Jan 2025 18:17:16 +0100
Subject: [PATCH 14/70] arm64: more api tests
---
 tests/test_syswow.py | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/tests/test_syswow.py b/tests/test_syswow.py
index 3e614afd..8591d0d2 100644
--- a/tests/test_syswow.py
+++ b/tests/test_syswow.py
@@ -22,6 +22,14 @@ def test_print_syswow_state():
 print(f"{env['PROCESSOR_ARCHITECTURE']=}")
 print(f"{env.get('PROCESSOR_ARCHITEW6432')=}")
+ print("")
+ print("IsWow64Process2")
+ processMachine = gdef.USHORT()
+ nativeMachine = gdef.USHORT()
+ windows.winproxy.IsWow64Process2(windows.current_process.handle, processMachine, nativeMachine)
+ print(f"{hex(processMachine.value)=}")
+ print(f"{hex(nativeMachine.value)=}")
+
 print("")
 print("GetSystemInfo")
 windows.utils.sprint(windows.utils.get_system_info(native=False), name="SystemInfo")
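Review bot: `IsWow64Process2` is called unconditionally on `windows.current_process.handle`, so this diagnostic test will fail on any Windows build that does not export that function (it only exists on Windows 10 and later) instead of merely printing less, which is out of character for a test whose other lines just print state. Guard the block with `if windows.winproxy.is_implemented(windows.winproxy.IsWow64Process2):` and indent the six lines under it, so older hosts still get the rest of the output. `test_print_syswow_state` continues past the end of the hunk.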
@@ -0,0 +1,38 @@
+#define PROCESSOR_INTEL_386 386
+#define PROCESSOR_INTEL_486 486
+#define PROCESSOR_INTEL_PENTIUM 586
+#define PROCESSOR_INTEL_IA64 2200
+#define PROCESSOR_MIPS_R4000 4000 // incl R4101 & R3910 for Windows CE
+#define PROCESSOR_ALPHA_21064 21064
+#define PROCESSOR_PPC_601 601
+#define PROCESSOR_PPC_603 603
+#define PROCESSOR_PPC_604 604
+#define PROCESSOR_PPC_620 620
+#define PROCESSOR_HITACHI_SH3 10003 // Windows CE
+#define PROCESSOR_HITACHI_SH3E 10004 // Windows CE
+#define PROCESSOR_HITACHI_SH4 10005 // Windows CE
+#define PROCESSOR_MOTOROLA_821 821 // Windows CE
+#define PROCESSOR_SHx_SH3 103 // Windows CE
+#define PROCESSOR_SHx_SH4 104 // Windows CE
+#define PROCESSOR_STRONGARM 2577 // Windows CE - 0xA11
+#define PROCESSOR_ARM720 1824 // Windows CE - 0x720
+#define PROCESSOR_ARM820 2080 // Windows CE - 0x820
+#define PROCESSOR_ARM920 2336 // Windows CE - 0x920
+#define PROCESSOR_ARM_7TDMI 70001 // Windows CE
+#define PROCESSOR_OPTIL 0x494f // MSIL
+
+#define PROCESSOR_ARCHITECTURE_INTEL 0
+#define PROCESSOR_ARCHITECTURE_MIPS 1
+#define PROCESSOR_ARCHITECTURE_ALPHA 2
+#define PROCESSOR_ARCHITECTURE_PPC 3
+#define PROCESSOR_ARCHITECTURE_SHX 4
+#define PROCESSOR_ARCHITECTURE_ARM 5
+#define PROCESSOR_ARCHITECTURE_IA64 6
+#define PROCESSOR_ARCHITECTURE_ALPHA64 7
+#define PROCESSOR_ARCHITECTURE_MSIL 8
+#define PROCESSOR_ARCHITECTURE_AMD64 9
+#define PROCESSOR_ARCHITECTURE_IA32_ON_WIN64 10
+#define PROCESSOR_ARCHITECTURE_NEUTRAL 11
+#define PROCESSOR_ARCHITECTURE_ARM64 12
+#define PROCESSOR_ARCHITECTURE_ARM32_ON_WIN64 13
+#define PROCESSOR_ARCHITECTURE_UNKNOWN 0xFFFF
\ No newline at end of file
diff --git a/ctypes_generation/definitions/defines/windef_pe.txt b/ctypes_generation/definitions/defines/windef_pe.txt
index fe7767a7..9ace7993 100644
--- a/ctypes_generation/definitions/defines/windef_pe.txt
+++ b/ctypes_generation/definitions/defines/windef_pe.txt
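Review bot: The new definitions file ends without a trailing newline (`\ No newline at end of file` after `PROCESSOR_ARCHITECTURE_UNKNOWN 0xFFFF`), so the next constant appended to it will show up as a two-line change and some editors and linters will flag the file; add a final newline. The windef_pe.txt hunk that follows and the process.txt hunk of patch 18 end the same way.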
@@ -100,4 +100,6 @@
 #define IMAGE_FILE_MACHINE_AMD64 0x8664
 #define IMAGE_FILE_MACHINE_M32R 0x9041
 #define IMAGE_FILE_MACHINE_CEE 0xC0EE
-#define IMAGE_FILE_MACHINE_ARM64 0xAA64
\ No newline at end of file
+#define IMAGE_FILE_MACHINE_ARM64 0xAA64
+
+#define IMAGE_FILE_MACHINE_TARGET_HOST 0x0001 // Useful for indicating we want to interact with the host and not a WoW guest.
\ No newline at end of file
diff --git a/docs/source/windef_generated.rst b/docs/source/windef_generated.rst
index 731b3af9..3f211d35 100644
--- a/docs/source/windef_generated.rst
+++ b/docs/source/windef_generated.rst
@@ -1145,6 +1145,43 @@ WinDef .. autodata:: NMPWAIT_WAIT_FOREVER .. autodata:: NMPWAIT_NOWAIT .. autodata:: NMPWAIT_USE_DEFAULT_WAIT +.. autodata:: PROCESSOR_INTEL_386 +.. autodata:: PROCESSOR_INTEL_486 +.. autodata:: PROCESSOR_INTEL_PENTIUM +.. autodata:: PROCESSOR_INTEL_IA64 +.. autodata:: PROCESSOR_MIPS_R4000 +.. autodata:: PROCESSOR_ALPHA_21064 +.. autodata:: PROCESSOR_PPC_601 +.. autodata:: PROCESSOR_PPC_603 +.. autodata:: PROCESSOR_PPC_604 +.. autodata:: PROCESSOR_PPC_620 +.. autodata:: PROCESSOR_HITACHI_SH3 +.. autodata:: PROCESSOR_HITACHI_SH3E +.. autodata:: PROCESSOR_HITACHI_SH4 +.. autodata:: PROCESSOR_MOTOROLA_821 +.. autodata:: PROCESSOR_SHx_SH3 +.. autodata:: PROCESSOR_SHx_SH4 +.. autodata:: PROCESSOR_STRONGARM +.. autodata:: PROCESSOR_ARM720 +.. autodata:: PROCESSOR_ARM820 +.. autodata:: PROCESSOR_ARM920 +.. autodata:: PROCESSOR_ARM_7TDMI +.. autodata:: PROCESSOR_OPTIL +.. autodata:: PROCESSOR_ARCHITECTURE_INTEL +.. autodata:: PROCESSOR_ARCHITECTURE_MIPS +.. autodata:: PROCESSOR_ARCHITECTURE_ALPHA +.. autodata:: PROCESSOR_ARCHITECTURE_PPC +.. autodata:: PROCESSOR_ARCHITECTURE_SHX +.. autodata:: PROCESSOR_ARCHITECTURE_ARM +.. autodata:: PROCESSOR_ARCHITECTURE_IA64 +.. autodata:: PROCESSOR_ARCHITECTURE_ALPHA64 +.. autodata:: PROCESSOR_ARCHITECTURE_MSIL +.. autodata:: PROCESSOR_ARCHITECTURE_AMD64 +.. autodata:: PROCESSOR_ARCHITECTURE_IA32_ON_WIN64 +.. autodata:: PROCESSOR_ARCHITECTURE_NEUTRAL +.. autodata:: PROCESSOR_ARCHITECTURE_ARM64 +.. autodata:: PROCESSOR_ARCHITECTURE_ARM32_ON_WIN64 +.. autodata:: PROCESSOR_ARCHITECTURE_UNKNOWN .. autodata:: HKEY_CLASSES_ROOT .. autodata:: HKEY_CURRENT_USER .. autodata:: HKEY_LOCAL_MACHINE @@ -2922,6 +2959,7 @@ WinDef .. autodata:: IMAGE_FILE_MACHINE_M32R .. autodata:: IMAGE_FILE_MACHINE_CEE .. autodata:: IMAGE_FILE_MACHINE_ARM64 +.. autodata:: IMAGE_FILE_MACHINE_TARGET_HOST .. autodata:: CERT_QUERY_OBJECT_FILE .. autodata:: CERT_QUERY_OBJECT_BLOB .. autodata:: CERT_QUERY_CONTENT_CERT 
diff --git a/tests/test_syswow.py b/tests/test_syswow.py
index 8591d0d2..248c3833 100644
--- a/tests/test_syswow.py
+++ b/tests/test_syswow.py
@@ -17,8 +17,9 @@ def test_print_syswow_state():
 print(f"{platform.machine()=}")
 print(f"{platform.architecture()=}")
 print(f"{windows.system.bitness=}")
+ print(f"{windows.system.architecture=}")
 print(f"{windows.current_process.bitness=}")
- print(f"{windows.current_process.is_wow_64=}")
+ print(f"{windows.current_process.architecture=}")
 print(f"{env['PROCESSOR_ARCHITECTURE']=}")
 print(f"{env.get('PROCESSOR_ARCHITEW6432')=}")
@@ -30,12 +31,6 @@ def test_print_syswow_state():
 print(f"{hex(processMachine.value)=}")
 print(f"{hex(nativeMachine.value)=}")
- print("")
- print("GetSystemInfo")
- windows.utils.sprint(windows.utils.get_system_info(native=False), name="SystemInfo")
- print("")
- print("GetNativeSystemInfo")
- windows.utils.sprint(windows.utils.get_system_info(native=True), name="NativeSystemInfo")
 @process_syswow_only
 class TestSyswowCurrentProcess(object):
diff --git a/windows/generated_def/__init__.py b/windows/generated_def/__init__.py
index af1f9a2f..f6c1ef76 100644
--- a/windows/generated_def/__init__.py
+++ b/windows/generated_def/__init__.py
@@ -67,5 +67,57 @@ def bitness():
 from .windef import *
 from .interfaces import *
-
+# Define custom Flag mappers for define list that should be enums
+
+PROCESSOR_ARCHITECTURE_MAPPER = FlagMapper(
+ PROCESSOR_ARCHITECTURE_INTEL,
+ PROCESSOR_ARCHITECTURE_MIPS,
+ PROCESSOR_ARCHITECTURE_ALPHA,
+ PROCESSOR_ARCHITECTURE_PPC,
+ PROCESSOR_ARCHITECTURE_SHX,
+ PROCESSOR_ARCHITECTURE_ARM,
+ PROCESSOR_ARCHITECTURE_IA64,
+ PROCESSOR_ARCHITECTURE_ALPHA64,
+ PROCESSOR_ARCHITECTURE_MSIL,
+ PROCESSOR_ARCHITECTURE_AMD64,
+ PROCESSOR_ARCHITECTURE_IA32_ON_WIN64,
+ PROCESSOR_ARCHITECTURE_NEUTRAL,
+ PROCESSOR_ARCHITECTURE_ARM64,
+ PROCESSOR_ARCHITECTURE_ARM32_ON_WIN64,
+ PROCESSOR_ARCHITECTURE_UNKNOWN,
+ IMAGE_FILE_MACHINE_TARGET_HOST
+)
+
+IMAGE_FILE_MACHINE_MAPPER = FlagMapper(
+ IMAGE_FILE_MACHINE_UNKNOWN,
+ IMAGE_FILE_MACHINE_I386,
+ IMAGE_FILE_MACHINE_R3000,
+ IMAGE_FILE_MACHINE_R4000,
+ IMAGE_FILE_MACHINE_R10000,
+ IMAGE_FILE_MACHINE_WCEMIPSV2,
+ IMAGE_FILE_MACHINE_ALPHA,
+ IMAGE_FILE_MACHINE_SH3,
+ IMAGE_FILE_MACHINE_SH3DSP,
+ IMAGE_FILE_MACHINE_SH3E,
+ IMAGE_FILE_MACHINE_SH4,
+ IMAGE_FILE_MACHINE_SH5,
+ IMAGE_FILE_MACHINE_ARM,
+ IMAGE_FILE_MACHINE_THUMB,
+ IMAGE_FILE_MACHINE_ARMNT,
+ IMAGE_FILE_MACHINE_AM33,
+ IMAGE_FILE_MACHINE_POWERPC,
+ IMAGE_FILE_MACHINE_POWERPCFP,
+ IMAGE_FILE_MACHINE_IA64,
+ IMAGE_FILE_MACHINE_MIPS16,
+ IMAGE_FILE_MACHINE_ALPHA64,
+ IMAGE_FILE_MACHINE_MIPSFPU,
+ IMAGE_FILE_MACHINE_MIPSFPU16,
+ IMAGE_FILE_MACHINE_TRICORE,
+ IMAGE_FILE_MACHINE_CEF,
+ IMAGE_FILE_MACHINE_EBC,
+ IMAGE_FILE_MACHINE_AMD64,
+ IMAGE_FILE_MACHINE_M32R,
+ IMAGE_FILE_MACHINE_CEE,
+ IMAGE_FILE_MACHINE_ARM64
+)
diff --git a/windows/generated_def/meta.py b/windows/generated_def/meta.py
index dcb35c47..049e6dab 100644
--- a/windows/generated_def/meta.py
+++ b/windows/generated_def/meta.py
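Review bot: `IMAGE_FILE_MACHINE_TARGET_HOST` is listed in `PROCESSOR_ARCHITECTURE_MAPPER` although it is an `IMAGE_FILE_MACHINE_*` value, and its value `0x0001` (windef_pe.txt hunk above) is the same as `PROCESSOR_ARCHITECTURE_MIPS`'s `1`, so the two flags collide in that mapper and which name a lookup of `1` yields depends on how `FlagMapper` resolves duplicates, which is not visible in this patch. It looks intended for `IMAGE_FILE_MACHINE_MAPPER`, the one that decodes `IsWow64Process2` results; move it there and drop it from the processor mapper. A one-line comment above each mapper naming what it decodes — `# decodes SYSTEM_INFO.wProcessorArchitecture` and `# decodes IsWow64Process2 machine values` — would also make the split explicit.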
@@ -1722,6 +1722,7 @@ 'IMAGE_FILE_MACHINE_SH3E', 'IMAGE_FILE_MACHINE_SH4', 'IMAGE_FILE_MACHINE_SH5', +'IMAGE_FILE_MACHINE_TARGET_HOST', 'IMAGE_FILE_MACHINE_THUMB', 'IMAGE_FILE_MACHINE_TRICORE', 'IMAGE_FILE_MACHINE_UNKNOWN', @@ -2421,7 +2422,44 @@ 'PRIORITY_BIT', 'PRIORITY_EQUAL_FIRST', 'PRIORITY_EQUAL_LAST', +'PROCESSOR_ALPHA_21064', +'PROCESSOR_ARCHITECTURE_ALPHA', +'PROCESSOR_ARCHITECTURE_ALPHA64', +'PROCESSOR_ARCHITECTURE_AMD64', +'PROCESSOR_ARCHITECTURE_ARM', +'PROCESSOR_ARCHITECTURE_ARM32_ON_WIN64', +'PROCESSOR_ARCHITECTURE_ARM64', +'PROCESSOR_ARCHITECTURE_IA32_ON_WIN64', +'PROCESSOR_ARCHITECTURE_IA64', +'PROCESSOR_ARCHITECTURE_INTEL', +'PROCESSOR_ARCHITECTURE_MIPS', +'PROCESSOR_ARCHITECTURE_MSIL', +'PROCESSOR_ARCHITECTURE_NEUTRAL', +'PROCESSOR_ARCHITECTURE_PPC', +'PROCESSOR_ARCHITECTURE_SHX', +'PROCESSOR_ARCHITECTURE_UNKNOWN', +'PROCESSOR_ARM720', +'PROCESSOR_ARM820', +'PROCESSOR_ARM920', +'PROCESSOR_ARM_7TDMI', 'PROCESSOR_FEATURE_MAX', +'PROCESSOR_HITACHI_SH3', +'PROCESSOR_HITACHI_SH3E', +'PROCESSOR_HITACHI_SH4', +'PROCESSOR_INTEL_386', +'PROCESSOR_INTEL_486', +'PROCESSOR_INTEL_IA64', +'PROCESSOR_INTEL_PENTIUM', +'PROCESSOR_MIPS_R4000', +'PROCESSOR_MOTOROLA_821', +'PROCESSOR_OPTIL', +'PROCESSOR_PPC_601', +'PROCESSOR_PPC_603', +'PROCESSOR_PPC_604', +'PROCESSOR_PPC_620', +'PROCESSOR_SHx_SH3', +'PROCESSOR_SHx_SH4', +'PROCESSOR_STRONGARM', 'PROCESS_ALL_ACCESS', 'PROCESS_CREATE_PROCESS', 'PROCESS_CREATE_THREAD', diff --git a/windows/generated_def/windef.py b/windows/generated_def/windef.py index 00ae16dd..2f358dac 100644 --- a/windows/generated_def/windef.py +++ b/windows/generated_def/windef.py 
@@ -1169,6 +1169,43 @@ def HRESULT_FACILITY(hr): NMPWAIT_WAIT_FOREVER = make_flag("NMPWAIT_WAIT_FOREVER", 0xffffffff) NMPWAIT_NOWAIT = make_flag("NMPWAIT_NOWAIT", 0x00000001) NMPWAIT_USE_DEFAULT_WAIT = make_flag("NMPWAIT_USE_DEFAULT_WAIT", 0x00000000) +PROCESSOR_INTEL_386 = make_flag("PROCESSOR_INTEL_386", 386) +PROCESSOR_INTEL_486 = make_flag("PROCESSOR_INTEL_486", 486) +PROCESSOR_INTEL_PENTIUM = make_flag("PROCESSOR_INTEL_PENTIUM", 586) +PROCESSOR_INTEL_IA64 = make_flag("PROCESSOR_INTEL_IA64", 2200) +PROCESSOR_MIPS_R4000 = make_flag("PROCESSOR_MIPS_R4000", 4000) +PROCESSOR_ALPHA_21064 = make_flag("PROCESSOR_ALPHA_21064", 21064) +PROCESSOR_PPC_601 = make_flag("PROCESSOR_PPC_601", 601) +PROCESSOR_PPC_603 = make_flag("PROCESSOR_PPC_603", 603) +PROCESSOR_PPC_604 = make_flag("PROCESSOR_PPC_604", 604) +PROCESSOR_PPC_620 = make_flag("PROCESSOR_PPC_620", 620) +PROCESSOR_HITACHI_SH3 = make_flag("PROCESSOR_HITACHI_SH3", 10003) +PROCESSOR_HITACHI_SH3E = make_flag("PROCESSOR_HITACHI_SH3E", 10004) +PROCESSOR_HITACHI_SH4 = make_flag("PROCESSOR_HITACHI_SH4", 10005) +PROCESSOR_MOTOROLA_821 = make_flag("PROCESSOR_MOTOROLA_821", 821) +PROCESSOR_SHx_SH3 = make_flag("PROCESSOR_SHx_SH3", 103) +PROCESSOR_SHx_SH4 = make_flag("PROCESSOR_SHx_SH4", 104) +PROCESSOR_STRONGARM = make_flag("PROCESSOR_STRONGARM", 2577) +PROCESSOR_ARM720 = make_flag("PROCESSOR_ARM720", 1824) +PROCESSOR_ARM820 = make_flag("PROCESSOR_ARM820", 2080) +PROCESSOR_ARM920 = make_flag("PROCESSOR_ARM920", 2336) +PROCESSOR_ARM_7TDMI = make_flag("PROCESSOR_ARM_7TDMI", 70001) +PROCESSOR_OPTIL = make_flag("PROCESSOR_OPTIL", 0x494f) +PROCESSOR_ARCHITECTURE_INTEL = make_flag("PROCESSOR_ARCHITECTURE_INTEL", 0) +PROCESSOR_ARCHITECTURE_MIPS = make_flag("PROCESSOR_ARCHITECTURE_MIPS", 1) +PROCESSOR_ARCHITECTURE_ALPHA = make_flag("PROCESSOR_ARCHITECTURE_ALPHA", 2) +PROCESSOR_ARCHITECTURE_PPC = make_flag("PROCESSOR_ARCHITECTURE_PPC", 3) +PROCESSOR_ARCHITECTURE_SHX = make_flag("PROCESSOR_ARCHITECTURE_SHX", 4) 
+PROCESSOR_ARCHITECTURE_ARM = make_flag("PROCESSOR_ARCHITECTURE_ARM", 5) +PROCESSOR_ARCHITECTURE_IA64 = make_flag("PROCESSOR_ARCHITECTURE_IA64", 6) +PROCESSOR_ARCHITECTURE_ALPHA64 = make_flag("PROCESSOR_ARCHITECTURE_ALPHA64", 7) +PROCESSOR_ARCHITECTURE_MSIL = make_flag("PROCESSOR_ARCHITECTURE_MSIL", 8) +PROCESSOR_ARCHITECTURE_AMD64 = make_flag("PROCESSOR_ARCHITECTURE_AMD64", 9) +PROCESSOR_ARCHITECTURE_IA32_ON_WIN64 = make_flag("PROCESSOR_ARCHITECTURE_IA32_ON_WIN64", 10) +PROCESSOR_ARCHITECTURE_NEUTRAL = make_flag("PROCESSOR_ARCHITECTURE_NEUTRAL", 11) +PROCESSOR_ARCHITECTURE_ARM64 = make_flag("PROCESSOR_ARCHITECTURE_ARM64", 12) +PROCESSOR_ARCHITECTURE_ARM32_ON_WIN64 = make_flag("PROCESSOR_ARCHITECTURE_ARM32_ON_WIN64", 13) +PROCESSOR_ARCHITECTURE_UNKNOWN = make_flag("PROCESSOR_ARCHITECTURE_UNKNOWN", 0xFFFF) HKEY_CLASSES_ROOT = make_flag("HKEY_CLASSES_ROOT", ( 0x80000000 )) HKEY_CURRENT_USER = make_flag("HKEY_CURRENT_USER", ( 0x80000001 )) HKEY_LOCAL_MACHINE = make_flag("HKEY_LOCAL_MACHINE", ( 0x80000002 )) @@ -2946,6 +2983,7 @@ def HRESULT_FACILITY(hr): IMAGE_FILE_MACHINE_M32R = make_flag("IMAGE_FILE_MACHINE_M32R", 0x9041) IMAGE_FILE_MACHINE_CEE = make_flag("IMAGE_FILE_MACHINE_CEE", 0xC0EE) IMAGE_FILE_MACHINE_ARM64 = make_flag("IMAGE_FILE_MACHINE_ARM64", 0xAA64) +IMAGE_FILE_MACHINE_TARGET_HOST = make_flag("IMAGE_FILE_MACHINE_TARGET_HOST", 0x0001) CERT_QUERY_OBJECT_FILE = make_flag("CERT_QUERY_OBJECT_FILE", 0x00000001) CERT_QUERY_OBJECT_BLOB = make_flag("CERT_QUERY_OBJECT_BLOB", 0x00000002) CERT_QUERY_CONTENT_CERT = make_flag("CERT_QUERY_CONTENT_CERT", 1) diff --git a/windows/winobject/process.py b/windows/winobject/process.py index facacd84..08734423 100644 --- a/windows/winobject/process.py +++ b/windows/winobject/process.py 
@@ -70,8 +70,24 @@ def is_wow_64(self):
 :type: :class:`bool`
 """
- # return utils.is_wow_64(self.handle)
- return utils.is_wow_64(self.limited_handle)
+ if not windows.winproxy.is_implemented(windows.winproxy.IsWow64Process):
+ return False
+ Wow64Process = gdef.BOOL()
+ windows.winproxy.IsWow64Process(self.handle, Wow64Process)
+ return bool(Wow64Process)
+
+
+
+ @utils.fixedproperty
+ def is_wow_64_2(self):
+ if not windows.winproxy.is_implemented(windows.winproxy.IsWow64Process2):
+ return None, None
+ processMachine = gdef.USHORT()
+ nativeMachine = gdef.USHORT()
+ windows.winproxy.IsWow64Process2(self.handle, processMachine, nativeMachine)
+ return (gdef.IMAGE_FILE_MACHINE_MAPPER[processMachine.value],
+ gdef.IMAGE_FILE_MACHINE_MAPPER[nativeMachine.value])
+
 @utils.fixedproperty
 def bitness(self):
@@ -86,6 +102,22 @@ def bitness(self):
 return 64
 @utils.fixedproperty
+ def architecture(self):
+ # Syswow2 will exactly tell us the architecture
+ if windows.winproxy.is_implemented(windows.winproxy.IsWow64Process2):
+ process_machine, native_machine = self.is_wow_64_2
+ try:
+ return utils.image_file_machine_to_processor_architecture(process_machine)
+ except KeyError as e:
+ raise ValueError("Unknown IsWow64Process2(process_machine:#x) -> {0}".format(process_machine))
+
+ # No IsWow64Process2 -> No ARM64
+ # So its up on x86 -> x64 based on process bitness
+ if self.bitness == 32:
+ return gdef.PROCESSOR_ARCHITECTURE_INTEL
+ return gdef.PROCESSOR_ARCHITECTURE_AMD64
+
 @utils.fixedpropety
 def limited_handle(self):
 if windows.system.version[0] <= 5: # Windows XP | Serveur 2003
diff --git a/windows/winobject/system.py b/windows/winobject/system.py
index 257f0bce..06bd0fb0 100644
--- a/windows/winobject/system.py
+++ b/windows/winobject/system.py
@@ -10,7 +10,6 @@
 import windows.generated_def as gdef
-
 from windows.winobject import process
 from windows.winobject import network
 from windows.winobject import registry
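Review bot: `is_wow_64` now calls `IsWow64Process` on `self.handle`, whereas the removed line used `self.limited_handle` and the commented-out `self.handle` variant above it suggests that was a deliberate choice; `IsWow64Process` and `IsWow64Process2` both accept a handle opened with only `PROCESS_QUERY_LIMITED_INFORMATION`, so passing `self.limited_handle` in both `is_wow_64` and the new `is_wow_64_2` keeps protected or higher-integrity processes queryable where `self.handle` (presumably opened with more rights, not visible here) may fail. `is_wow_64_2` also has no docstring and its name does not say what it returns; one stating that it yields a `(process_machine, native_machine)` pair of `IMAGE_FILE_MACHINE_*` flags, or `(None, None)` when `IsWow64Process2` is not exported, would help callers. The three consecutive blank lines between the two properties are a style nit.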
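Review bot: `architecture` feeds `process_machine` straight into `image_file_machine_to_processor_architecture`, but `IsWow64Process2` reports `IMAGE_FILE_MACHINE_UNKNOWN` as the process machine for a process that is not running under WOW64, so a native x64 or ARM64 process resolves to `PROCESSOR_ARCHITECTURE_UNKNOWN` (the row the mapping table in the next commit has for it) instead of its real architecture. Normalise before the lookup: `if process_machine == gdef.IMAGE_FILE_MACHINE_UNKNOWN:` / `    process_machine = native_machine  # not WOW64: runs on the native machine`. The `ValueError` message never formats the value as hex either — `process_machine:#x` sits inside the literal and the only placeholder is `{0}` — so it should be `raise ValueError("Unknown IsWow64Process2(process_machine) -> {0:#x}".format(process_machine))` (assuming the mapper result formats as an int, which is not visible here), with the unused `as e` dropped; the same literal shape appears in `System.architecture` in this commit's system.py hunk.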
@@ -586,6 +585,24 @@ def kuser_shared_data(self):
 # These are the part that do not move much between XP & Win10
 return gdef.PFW_MINIMAL_KUSER_SHARED_DATA.from_address(gdef.MM_SHARED_USER_DATA_VA)
+ @utils.fixedproperty
+ def architecture(self):
+ # Retrieve system processor architecture
+ # It's not that easy as x64-on-ARM64 will lie on most API except IsWow64Process2
+ # EX: GetNativeSystemInfo will returns PROCESSOR_ARCHITECTURE_AMD64
+ if windows.winproxy.is_implemented(windows.winproxy.IsWow64Process2):
+ process_machine, native_machine = windows.current_process.is_wow_64_2
+ try:
+ return utils.image_file_machine_to_processor_architecture(native_machine)
+ except KeyError as e:
+ raise ValueError("Unknown IsWow64Process2(native_machine:#x) -> {0}".format(native_machine))
+
+ # No IsWow64Process2 -> assert it cannot be ARM64 and thus GetNativeSystemInfo will not lie ?
+ sysinfo = gdef.SYSTEM_INFO()
+ windows.winproxy.GetNativeSystemInfo(sysinfo)
+ return gdef.PROCESSOR_ARCHITECTURE_MAPPER[sysinfo.wProcessorArchitecture]
+
+
 @staticmethod
 def enumerate_processes():
From 00a2f1a7d68f4c4bd0b67cfde319661d1d5220c3 Mon Sep 17 00:00:00 2001
From: hakril
Date: Sat, 18 Jan 2025 22:35:38 +0100
Subject: [PATCH 16/70] add utils.image_file_machine_to_processor_architecture()
---
 windows/utils/winutils.py | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/windows/utils/winutils.py b/windows/utils/winutils.py
index 12203336..f7ffee3a 100644
--- a/windows/utils/winutils.py
+++ b/windows/utils/winutils.py
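Review bot: `System.architecture` has no docstring, even though its inline comments are the only place the x64-on-ARM64 caveat is written down and the sibling property `is_wow_64` in this commit's process.py hunk documents its result with a `:type:` line. A docstring saying that the value is a `PROCESSOR_ARCHITECTURE_*` flag for the host, taken from `IsWow64Process2`'s native machine when that API exists and from `GetNativeSystemInfo` otherwise, with the same `:type:` line as its siblings, would carry the caveat into the rendered documentation. The trailing `?` in the fallback comment reads as an open question; if the assumption that a host without `IsWow64Process2` cannot be ARM64 is what the code relies on, state it as such.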
@@ -36,14 +36,6 @@ def get_remote_func_addr(target, dll_name, func_name):
 return mod.pe.exports[func_name]
-def is_wow_64(handle):
- if not windows.winproxy.is_implemented(windows.winproxy.IsWow64Process):
- return False
- Wow64Process = gdef.BOOL()
- windows.winproxy.IsWow64Process(handle, Wow64Process)
- return bool(Wow64Process)
-
-
 def create_file_from_handle(handle, mode="r"):
 """Return a Python :class:`file` around a ``Windows`` HANDLE"""
 flags = os.O_BINARY if "b" in mode else os.O_TEXT
@@ -295,6 +287,16 @@ def datetime_from_systemtime(systime):
 microsecond=systime.wMilliseconds * 1000,
 )
+IMAGE_FILE_MACHINE_TO_PROC_ARCH = {
+ gdef.IMAGE_FILE_MACHINE_I386: gdef.PROCESSOR_ARCHITECTURE_INTEL,
+ gdef.IMAGE_FILE_MACHINE_AMD64: gdef.PROCESSOR_ARCHITECTURE_AMD64,
+ gdef.IMAGE_FILE_MACHINE_ARM64: gdef.PROCESSOR_ARCHITECTURE_ARM64,
+ gdef:IMAGE_FILE_MACHINE_UNKNOWN: gdef.PROCESSOR_ARCHITECTURE_UNKNOWN
+}
+
+def image_file_machine_to_processor_architecture(image_file_machine):
+ return IMAGE_FILE_MACHINE_TO_PROC_ARCH[image_file_machine]
+
 class FixedInteractiveConsole(code.InteractiveConsole):
 def raw_input(self, prompt=">>>"):
 sys.stdout.write(prompt)
From 646e55c7409a9f068547dcd58bd25b4f95fafc9f Mon Sep 17 00:00:00 2001
From: hakril
Date: Sat, 18 Jan 2025 22:36:48 +0100
Subject: [PATCH 17/70] fix typo
---
 windows/utils/winutils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/utils/winutils.py b/windows/utils/winutils.py
index f7ffee3a..7121702d 100644
--- a/windows/utils/winutils.py
+++ b/windows/utils/winutils.py
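Review bot: `image_file_machine_to_processor_architecture` raises a bare `KeyError` for any machine outside the four-entry table — `IMAGE_FILE_MACHINE_ARMNT`, for instance, is decoded by `IMAGE_FILE_MACHINE_MAPPER` in the previous commit but has no row here — and carries no docstring saying so, which is what forces the `except KeyError` re-raise in both `architecture` properties. A docstring such as `"""Map an ``IMAGE_FILE_MACHINE_*`` flag to the matching ``PROCESSOR_ARCHITECTURE_*`` flag; raises ``KeyError`` for machines absent from ``IMAGE_FILE_MACHINE_TO_PROC_ARCH``"""` would document that contract. The first hunk also deletes the public `utils.is_wow_64(handle)` helper; if any caller other than `Process.is_wow_64` still uses it (not visible in this chunk), that is a breaking removal the commit message does not mention.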
@@ -291,7 +291,7 @@ def datetime_from_systemtime(systime):
 gdef.IMAGE_FILE_MACHINE_I386: gdef.PROCESSOR_ARCHITECTURE_INTEL,
 gdef.IMAGE_FILE_MACHINE_AMD64: gdef.PROCESSOR_ARCHITECTURE_AMD64,
 gdef.IMAGE_FILE_MACHINE_ARM64: gdef.PROCESSOR_ARCHITECTURE_ARM64,
- gdef:IMAGE_FILE_MACHINE_UNKNOWN: gdef.PROCESSOR_ARCHITECTURE_UNKNOWN
+ gdef.IMAGE_FILE_MACHINE_UNKNOWN: gdef.PROCESSOR_ARCHITECTURE_UNKNOWN
 }
 def image_file_machine_to_processor_architecture(image_file_machine):
From 8151292042967a1d5b878907d613652b48a76fc6 Mon Sep 17 00:00:00 2001
From: hakril
Date: Sat, 18 Jan 2025 23:24:12 +0100
Subject: [PATCH 18/70] Adding ctypes defintion associated with process & architecture
---
 .../definitions/functions/process.txt | 16 +-
 .../definitions/structures/winstruct.txt | 107 +------
 windows/generated_def/meta.py | 8 +
 windows/generated_def/winfuncs.py | 13 +-
 windows/generated_def/winstructs.py | 270 ++++++++++--------
 windows/winproxy/apis/kernel32.py | 12 +
 6 files changed, 195 insertions(+), 231 deletions(-)
diff --git a/ctypes_generation/definitions/functions/process.txt b/ctypes_generation/definitions/functions/process.txt
index 36f4c212..dce498ff 100644
--- a/ctypes_generation/definitions/functions/process.txt
+++ b/ctypes_generation/definitions/functions/process.txt
@@ -65,8 +65,16 @@ BOOL FreeLibrary(
 HMODULE hLibModule
 );
+BOOL GetProcessInformation(
+ [in] HANDLE hProcess,
+ [in] PROCESS_INFORMATION_CLASS ProcessInformationClass,
+ LPVOID ProcessInformation,
+ [in] DWORD ProcessInformationSize
+);
-/* Not documented by seems present since dawn of time (WRK)
- I Prefere PVOID as a return value to allow simple cast to PEB subclass in process.py*/
-
-PVOID RtlGetCurrentPeb ();
\ No newline at end of file
+BOOL SetProcessInformation(
+ [in] HANDLE hProcess,
+ [in] PROCESS_INFORMATION_CLASS ProcessInformationClass,
+ LPVOID ProcessInformation,
+ [in] DWORD ProcessInformationSize
+);
\ No newline at end of file
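Review bot: Besides adding `GetProcessInformation` and `SetProcessInformation`, this hunk removes the `PVOID RtlGetCurrentPeb ();` declaration together with the comment explaining why it returns `PVOID`, while the commit message only speaks of adding definitions. If the symbol is not declared in another definitions file, the generated prototype disappears and whatever casts its result to a PEB subclass in process.py (per the removed comment) breaks; the meta.py diffstat for this commit shows 8 insertions and no deletions, which suggests it is still generated from somewhere else, but the removal deserves a sentence in the commit message either way. The file still ends without a trailing newline after the `SetProcessInformation` block.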
diff --git a/ctypes_generation/definitions/structures/winstruct.txt b/ctypes_generation/definitions/structures/winstruct.txt
index 713e17ae..cd462b53 100644
--- a/ctypes_generation/definitions/structures/winstruct.txt
+++ b/ctypes_generation/definitions/structures/winstruct.txt
@@ -380,112 +380,7 @@ typedef enum _SECTION_INHERIT { ViewUnmap = 2 } SECTION_INHERIT; -typedef enum _PROCESSINFOCLASS { - ProcessBasicInformation = 0, - ProcessQuotaLimits = 1, - ProcessIoCounters = 2, - ProcessVmCounters = 3, - ProcessTimes = 4, - ProcessBasePriority = 5, - ProcessRaisePriority = 6, - ProcessDebugPort = 7, - ProcessExceptionPort = 8, - ProcessAccessToken = 9, - ProcessLdtInformation = 10, - ProcessLdtSize = 11, - ProcessDefaultHardErrorMode = 12, - ProcessIoPortHandlers = 13, // Note: this is kernel mode only - ProcessPooledUsageAndLimits = 14, - ProcessWorkingSetWatch = 15, - ProcessUserModeIOPL = 16, - ProcessEnableAlignmentFaultFixup = 17, - ProcessPriorityClass = 18, - ProcessWx86Information = 19, - ProcessHandleCount = 20, - ProcessAffinityMask = 21, - ProcessPriorityBoost = 22, - ProcessDeviceMap = 23, - ProcessSessionInformation = 24, - ProcessForegroundInformation = 25, - ProcessWow64Information = 26, - ProcessImageFileName = 27, - ProcessLUIDDeviceMapsEnabled = 28, - ProcessBreakOnTermination = 29, - ProcessDebugObjectHandle = 30, - ProcessDebugFlags = 31, - ProcessHandleTracing = 32, - ProcessIoPriority = 33, - ProcessExecuteFlags = 34, - ProcessTlsInformation = 35, - ProcessCookie = 36, - ProcessImageInformation = 37, - ProcessCycleTime = 38, - ProcessPagePriority = 39, - ProcessInstrumentationCallback = 40, - ProcessThreadStackAllocation = 41, - ProcessWorkingSetWatchEx = 42, - ProcessImageFileNameWin32 = 43, - ProcessImageFileMapping = 44, - ProcessAffinityUpdateMode = 45, - ProcessMemoryAllocationMode = 46, - ProcessGroupInformation = 47, - ProcessTokenVirtualizationEnabled = 48, - ProcessOwnerInformation = 49, - ProcessWindowInformation = 50, - ProcessHandleInformation = 51, - ProcessMitigationPolicy = 52, - ProcessDynamicFunctionTableInformation = 53, - ProcessHandleCheckingMode = 54, - ProcessKeepAliveCount = 55, - ProcessRevokeFileHandles = 56, - ProcessWorkingSetControl = 57, - ProcessHandleTable = 58, - 
ProcessCheckStackExtentsMode = 59, - ProcessCommandLineInformation = 60, - ProcessProtectionInformation = 61, - ProcessMemoryExhaustion = 62, - ProcessFaultInformation = 63, - ProcessTelemetryIdInformation = 64, - ProcessCommitReleaseInformation = 65, - ProcessReserved1Information = 66, - ProcessReserved2Information = 67, - ProcessSubsystemProcess = 68, - ProcessInPrivate = 70, - ProcessRaiseUMExceptionOnInvalidHandleClose = 71, - ProcessSubsystemInformation = 75, - ProcessWin32kSyscallFilterInformation = 79, - ProcessEnergyTrackingState = 82, - MaxProcessInfoClass // MaxProcessInfoClass should always be the last enum -} PROCESSINFOCLASS; - -typedef enum _MEMORY_INFORMATION_CLASS { - MemoryBasicInformation, - MemoryWorkingSetList, - MemorySectionName, - MemoryBasicVlmInformation, - MemoryWorkingSetListEx -} MEMORY_INFORMATION_CLASS; - -typedef enum _THREAD_INFORMATION_CLASS { - ThreadBasicInformation, - ThreadTimes, - ThreadPriority, - ThreadBasePriority, - ThreadAffinityMask, - ThreadImpersonationToken, - ThreadDescriptorTableEntry, - ThreadEnableAlignmentFaultFixup, - ThreadEventPair, - ThreadQuerySetWin32StartAddress, - ThreadZeroTlsCell, - ThreadPerformanceCount, - ThreadAmILastThread, - ThreadIdealProcessor, - ThreadPriorityBoost, - ThreadSetTlsArrayAddress, - ThreadIsIoPending, - ThreadHideFromDebugger -} THREAD_INFORMATION_CLASS, *PTHREAD_INFORMATION_CLASS; + diff --git a/windows/generated_def/meta.py b/windows/generated_def/meta.py index 049e6dab..e53ff9a4 100644 --- a/windows/generated_def/meta.py +++ b/windows/generated_def/meta.py @@ -13277,6 +13277,7 @@ 'PROCESS_BASIC_INFORMATION', 'PROCESS_INFORMATION', 'PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION', +'PROCESS_MACHINE_INFORMATION', 'PROCESS_MEMORY_COUNTERS', 'PROCESS_MEMORY_COUNTERS_EX', 'PROCESS_MITIGATION_ASLR_POLICY', 
@@ -13998,6 +13999,7 @@ '_PROCESS_BASIC_INFORMATION', '_PROCESS_INFORMATION', '_PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION', +'_PROCESS_MACHINE_INFORMATION', '_PROCESS_MEMORY_COUNTERS', '_PROCESS_MEMORY_COUNTERS_EX', '_PROCESS_MITIGATION_ASLR_POLICY', @@ -14302,6 +14304,7 @@ 'KEY_INFORMATION_CLASS', 'KEY_VALUE_INFORMATION_CLASS', 'LocalServerType', +'MACHINE_ATTRIBUTES', 'MEMORY_INFORMATION_CLASS', 'MEM_EXTENDED_PARAMETER_TYPE', 'MIB_TCP_STATE', @@ -14336,6 +14339,7 @@ 'PPROCESS_MITIGATION_POLICY', 'PREAD_DIRECTORY_NOTIFY_INFORMATION_CLASS', 'PROCESSINFOCLASS', +'PROCESS_INFORMATION_CLASS', 'PROCESS_MITIGATION_POLICY', 'PSECURITY_IMPERSONATION_LEVEL', 'PSID_NAME_USE', @@ -14435,6 +14439,7 @@ '_IO_PRIORITY_HINT', '_KEY_INFORMATION_CLASS', '_KEY_VALUE_INFORMATION_CLASS', +'_MACHINE_ATTRIBUTES', '_MEMORY_INFORMATION_CLASS', '_MIB_TCP_STATE', '_MULTIPLE_TRUSTEE_OPERATION', @@ -14445,6 +14450,7 @@ '_POLICY_INFORMATION_CLASS', '_POLICY_LSA_SERVER_ROLE', '_PROCESSINFOCLASS', +'_PROCESS_INFORMATION_CLASS', '_PROCESS_MITIGATION_POLICY', '_READ_DIRECTORY_NOTIFY_INFORMATION_CLASS', '_RTL_PATH_TYPE', @@ -14855,6 +14861,7 @@ 'GetProcessId', 'GetProcessImageFileNameA', 'GetProcessImageFileNameW', +'GetProcessInformation', 'GetProcessMemoryInfo', 'GetProcessMitigationPolicy', 'GetProcessTimes', @@ -15200,6 +15207,7 @@ 'SetNamedSecurityInfoA', 'SetNamedSecurityInfoW', 'SetPriorityClass', +'SetProcessInformation', 'SetProcessMitigationPolicy', 'SetSecurityDescriptorDacl', 'SetSecurityDescriptorOwner', diff --git a/windows/generated_def/winfuncs.py b/windows/generated_def/winfuncs.py index 79e8135d..2049300f 100644 --- a/windows/generated_def/winfuncs.py +++ b/windows/generated_def/winfuncs.py 
@@ -1735,10 +1735,15 @@ FreeLibraryPrototype = WINFUNCTYPE(BOOL, HMODULE) FreeLibraryParams = ((1, 'hLibModule'),) -#def RtlGetCurrentPeb(): -# return RtlGetCurrentPeb.ctypes_function() -RtlGetCurrentPebPrototype = WINFUNCTYPE(PVOID) -RtlGetCurrentPebParams = () +#def GetProcessInformation(hProcess, ProcessInformationClass, ProcessInformation, ProcessInformationSize): +# return GetProcessInformation.ctypes_function(hProcess, ProcessInformationClass, ProcessInformation, ProcessInformationSize) +GetProcessInformationPrototype = WINFUNCTYPE(BOOL, HANDLE, PROCESS_INFORMATION_CLASS, LPVOID, DWORD) +GetProcessInformationParams = ((1, 'hProcess'), (1, 'ProcessInformationClass'), (1, 'ProcessInformation'), (1, 'ProcessInformationSize')) + +#def SetProcessInformation(hProcess, ProcessInformationClass, ProcessInformation, ProcessInformationSize): +# return SetProcessInformation.ctypes_function(hProcess, ProcessInformationClass, ProcessInformation, ProcessInformationSize) +SetProcessInformationPrototype = WINFUNCTYPE(BOOL, HANDLE, PROCESS_INFORMATION_CLASS, LPVOID, DWORD) +SetProcessInformationParams = ((1, 'hProcess'), (1, 'ProcessInformationClass'), (1, 'ProcessInformation'), (1, 'ProcessInformationSize')) #def RegQueryValueExA(hKey, lpValueName, lpReserved, lpType, lpData, lpcbData): # return RegQueryValueExA.ctypes_function(hKey, lpValueName, lpReserved, lpType, lpData, lpcbData) diff --git a/windows/generated_def/winstructs.py b/windows/generated_def/winstructs.py index 49179ca3..faf9e3e9 100644 --- a/windows/generated_def/winstructs.py +++ b/windows/generated_def/winstructs.py 
@@ -3595,6 +3595,159 @@ class _IMAGE_LOAD_CONFIG_DIRECTORY64(Structure): IMAGE_LOAD_CONFIG_DIRECTORY64 = _IMAGE_LOAD_CONFIG_DIRECTORY64 PIMAGE_LOAD_CONFIG_DIRECTORY64 = POINTER(_IMAGE_LOAD_CONFIG_DIRECTORY64) +MemoryBasicInformation = EnumValue("_MEMORY_INFORMATION_CLASS", "MemoryBasicInformation", 0x0) +MemoryWorkingSetList = EnumValue("_MEMORY_INFORMATION_CLASS", "MemoryWorkingSetList", 0x1) +MemorySectionName = EnumValue("_MEMORY_INFORMATION_CLASS", "MemorySectionName", 0x2) +MemoryBasicVlmInformation = EnumValue("_MEMORY_INFORMATION_CLASS", "MemoryBasicVlmInformation", 0x3) +MemoryWorkingSetListEx = EnumValue("_MEMORY_INFORMATION_CLASS", "MemoryWorkingSetListEx", 0x4) +class _MEMORY_INFORMATION_CLASS(EnumType): + values = [MemoryBasicInformation, MemoryWorkingSetList, MemorySectionName, MemoryBasicVlmInformation, MemoryWorkingSetListEx] + mapper = FlagMapper(*values) +MEMORY_INFORMATION_CLASS = _MEMORY_INFORMATION_CLASS + + +ThreadBasicInformation = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadBasicInformation", 0x0) +ThreadTimes = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadTimes", 0x1) +ThreadPriority = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadPriority", 0x2) +ThreadBasePriority = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadBasePriority", 0x3) +ThreadAffinityMask = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadAffinityMask", 0x4) +ThreadImpersonationToken = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadImpersonationToken", 0x5) +ThreadDescriptorTableEntry = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadDescriptorTableEntry", 0x6) +ThreadEnableAlignmentFaultFixup = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadEnableAlignmentFaultFixup", 0x7) +ThreadEventPair = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadEventPair", 0x8) +ThreadQuerySetWin32StartAddress = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadQuerySetWin32StartAddress", 0x9) +ThreadZeroTlsCell = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadZeroTlsCell", 0xa) +ThreadPerformanceCount = 
EnumValue("_THREAD_INFORMATION_CLASS", "ThreadPerformanceCount", 0xb) +ThreadAmILastThread = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadAmILastThread", 0xc) +ThreadIdealProcessor = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadIdealProcessor", 0xd) +ThreadPriorityBoost = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadPriorityBoost", 0xe) +ThreadSetTlsArrayAddress = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadSetTlsArrayAddress", 0xf) +ThreadIsIoPending = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadIsIoPending", 0x10) +ThreadHideFromDebugger = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadHideFromDebugger", 0x11) +class _THREAD_INFORMATION_CLASS(EnumType): + values = [ThreadBasicInformation, ThreadTimes, ThreadPriority, ThreadBasePriority, ThreadAffinityMask, ThreadImpersonationToken, ThreadDescriptorTableEntry, ThreadEnableAlignmentFaultFixup, ThreadEventPair, ThreadQuerySetWin32StartAddress, ThreadZeroTlsCell, ThreadPerformanceCount, ThreadAmILastThread, ThreadIdealProcessor, ThreadPriorityBoost, ThreadSetTlsArrayAddress, ThreadIsIoPending, ThreadHideFromDebugger] + mapper = FlagMapper(*values) +PTHREAD_INFORMATION_CLASS = POINTER(_THREAD_INFORMATION_CLASS) +THREAD_INFORMATION_CLASS = _THREAD_INFORMATION_CLASS + + +ProcessBasicInformation = EnumValue("_PROCESSINFOCLASS", "ProcessBasicInformation", 0x0) +ProcessQuotaLimits = EnumValue("_PROCESSINFOCLASS", "ProcessQuotaLimits", 0x1) +ProcessIoCounters = EnumValue("_PROCESSINFOCLASS", "ProcessIoCounters", 0x2) +ProcessVmCounters = EnumValue("_PROCESSINFOCLASS", "ProcessVmCounters", 0x3) +ProcessTimes = EnumValue("_PROCESSINFOCLASS", "ProcessTimes", 0x4) +ProcessBasePriority = EnumValue("_PROCESSINFOCLASS", "ProcessBasePriority", 0x5) +ProcessRaisePriority = EnumValue("_PROCESSINFOCLASS", "ProcessRaisePriority", 0x6) +ProcessDebugPort = EnumValue("_PROCESSINFOCLASS", "ProcessDebugPort", 0x7) +ProcessExceptionPort = EnumValue("_PROCESSINFOCLASS", "ProcessExceptionPort", 0x8) +ProcessAccessToken = 
EnumValue("_PROCESSINFOCLASS", "ProcessAccessToken", 0x9) +ProcessLdtInformation = EnumValue("_PROCESSINFOCLASS", "ProcessLdtInformation", 0xa) +ProcessLdtSize = EnumValue("_PROCESSINFOCLASS", "ProcessLdtSize", 0xb) +ProcessDefaultHardErrorMode = EnumValue("_PROCESSINFOCLASS", "ProcessDefaultHardErrorMode", 0xc) +ProcessIoPortHandlers = EnumValue("_PROCESSINFOCLASS", "ProcessIoPortHandlers", 0xd) +ProcessPooledUsageAndLimits = EnumValue("_PROCESSINFOCLASS", "ProcessPooledUsageAndLimits", 0xe) +ProcessWorkingSetWatch = EnumValue("_PROCESSINFOCLASS", "ProcessWorkingSetWatch", 0xf) +ProcessUserModeIOPL = EnumValue("_PROCESSINFOCLASS", "ProcessUserModeIOPL", 0x10) +ProcessEnableAlignmentFaultFixup = EnumValue("_PROCESSINFOCLASS", "ProcessEnableAlignmentFaultFixup", 0x11) +ProcessPriorityClass = EnumValue("_PROCESSINFOCLASS", "ProcessPriorityClass", 0x12) +ProcessWx86Information = EnumValue("_PROCESSINFOCLASS", "ProcessWx86Information", 0x13) +ProcessHandleCount = EnumValue("_PROCESSINFOCLASS", "ProcessHandleCount", 0x14) +ProcessAffinityMask = EnumValue("_PROCESSINFOCLASS", "ProcessAffinityMask", 0x15) +ProcessPriorityBoost = EnumValue("_PROCESSINFOCLASS", "ProcessPriorityBoost", 0x16) +ProcessDeviceMap = EnumValue("_PROCESSINFOCLASS", "ProcessDeviceMap", 0x17) +ProcessSessionInformation = EnumValue("_PROCESSINFOCLASS", "ProcessSessionInformation", 0x18) +ProcessForegroundInformation = EnumValue("_PROCESSINFOCLASS", "ProcessForegroundInformation", 0x19) +ProcessWow64Information = EnumValue("_PROCESSINFOCLASS", "ProcessWow64Information", 0x1a) +ProcessImageFileName = EnumValue("_PROCESSINFOCLASS", "ProcessImageFileName", 0x1b) +ProcessLUIDDeviceMapsEnabled = EnumValue("_PROCESSINFOCLASS", "ProcessLUIDDeviceMapsEnabled", 0x1c) +ProcessBreakOnTermination = EnumValue("_PROCESSINFOCLASS", "ProcessBreakOnTermination", 0x1d) +ProcessDebugObjectHandle = EnumValue("_PROCESSINFOCLASS", "ProcessDebugObjectHandle", 0x1e) +ProcessDebugFlags = EnumValue("_PROCESSINFOCLASS", 
"ProcessDebugFlags", 0x1f) +ProcessHandleTracing = EnumValue("_PROCESSINFOCLASS", "ProcessHandleTracing", 0x20) +ProcessIoPriority = EnumValue("_PROCESSINFOCLASS", "ProcessIoPriority", 0x21) +ProcessExecuteFlags = EnumValue("_PROCESSINFOCLASS", "ProcessExecuteFlags", 0x22) +ProcessTlsInformation = EnumValue("_PROCESSINFOCLASS", "ProcessTlsInformation", 0x23) +ProcessCookie = EnumValue("_PROCESSINFOCLASS", "ProcessCookie", 0x24) +ProcessImageInformation = EnumValue("_PROCESSINFOCLASS", "ProcessImageInformation", 0x25) +ProcessCycleTime = EnumValue("_PROCESSINFOCLASS", "ProcessCycleTime", 0x26) +ProcessPagePriority = EnumValue("_PROCESSINFOCLASS", "ProcessPagePriority", 0x27) +ProcessInstrumentationCallback = EnumValue("_PROCESSINFOCLASS", "ProcessInstrumentationCallback", 0x28) +ProcessThreadStackAllocation = EnumValue("_PROCESSINFOCLASS", "ProcessThreadStackAllocation", 0x29) +ProcessWorkingSetWatchEx = EnumValue("_PROCESSINFOCLASS", "ProcessWorkingSetWatchEx", 0x2a) +ProcessImageFileNameWin32 = EnumValue("_PROCESSINFOCLASS", "ProcessImageFileNameWin32", 0x2b) +ProcessImageFileMapping = EnumValue("_PROCESSINFOCLASS", "ProcessImageFileMapping", 0x2c) +ProcessAffinityUpdateMode = EnumValue("_PROCESSINFOCLASS", "ProcessAffinityUpdateMode", 0x2d) +ProcessMemoryAllocationMode = EnumValue("_PROCESSINFOCLASS", "ProcessMemoryAllocationMode", 0x2e) +ProcessGroupInformation = EnumValue("_PROCESSINFOCLASS", "ProcessGroupInformation", 0x2f) +ProcessTokenVirtualizationEnabled = EnumValue("_PROCESSINFOCLASS", "ProcessTokenVirtualizationEnabled", 0x30) +ProcessOwnerInformation = EnumValue("_PROCESSINFOCLASS", "ProcessOwnerInformation", 0x31) +ProcessWindowInformation = EnumValue("_PROCESSINFOCLASS", "ProcessWindowInformation", 0x32) +ProcessHandleInformation = EnumValue("_PROCESSINFOCLASS", "ProcessHandleInformation", 0x33) +ProcessMitigationPolicy = EnumValue("_PROCESSINFOCLASS", "ProcessMitigationPolicy", 0x34) +ProcessDynamicFunctionTableInformation = 
EnumValue("_PROCESSINFOCLASS", "ProcessDynamicFunctionTableInformation", 0x35) +ProcessHandleCheckingMode = EnumValue("_PROCESSINFOCLASS", "ProcessHandleCheckingMode", 0x36) +ProcessKeepAliveCount = EnumValue("_PROCESSINFOCLASS", "ProcessKeepAliveCount", 0x37) +ProcessRevokeFileHandles = EnumValue("_PROCESSINFOCLASS", "ProcessRevokeFileHandles", 0x38) +ProcessWorkingSetControl = EnumValue("_PROCESSINFOCLASS", "ProcessWorkingSetControl", 0x39) +ProcessHandleTable = EnumValue("_PROCESSINFOCLASS", "ProcessHandleTable", 0x3a) +ProcessCheckStackExtentsMode = EnumValue("_PROCESSINFOCLASS", "ProcessCheckStackExtentsMode", 0x3b) +ProcessCommandLineInformation = EnumValue("_PROCESSINFOCLASS", "ProcessCommandLineInformation", 0x3c) +ProcessProtectionInformation = EnumValue("_PROCESSINFOCLASS", "ProcessProtectionInformation", 0x3d) +ProcessMemoryExhaustion = EnumValue("_PROCESSINFOCLASS", "ProcessMemoryExhaustion", 0x3e) +ProcessFaultInformation = EnumValue("_PROCESSINFOCLASS", "ProcessFaultInformation", 0x3f) +ProcessTelemetryIdInformation = EnumValue("_PROCESSINFOCLASS", "ProcessTelemetryIdInformation", 0x40) +ProcessCommitReleaseInformation = EnumValue("_PROCESSINFOCLASS", "ProcessCommitReleaseInformation", 0x41) +ProcessReserved1Information = EnumValue("_PROCESSINFOCLASS", "ProcessReserved1Information", 0x42) +ProcessReserved2Information = EnumValue("_PROCESSINFOCLASS", "ProcessReserved2Information", 0x43) +ProcessSubsystemProcess = EnumValue("_PROCESSINFOCLASS", "ProcessSubsystemProcess", 0x44) +ProcessInPrivate = EnumValue("_PROCESSINFOCLASS", "ProcessInPrivate", 0x46) +ProcessRaiseUMExceptionOnInvalidHandleClose = EnumValue("_PROCESSINFOCLASS", "ProcessRaiseUMExceptionOnInvalidHandleClose", 0x47) +ProcessSubsystemInformation = EnumValue("_PROCESSINFOCLASS", "ProcessSubsystemInformation", 0x4b) +ProcessWin32kSyscallFilterInformation = EnumValue("_PROCESSINFOCLASS", "ProcessWin32kSyscallFilterInformation", 0x4f) +ProcessEnergyTrackingState = 
EnumValue("_PROCESSINFOCLASS", "ProcessEnergyTrackingState", 0x52) +MaxProcessInfoClass = EnumValue("_PROCESSINFOCLASS", "MaxProcessInfoClass", 0x53) +class _PROCESSINFOCLASS(EnumType): + values = [ProcessBasicInformation, ProcessQuotaLimits, ProcessIoCounters, ProcessVmCounters, ProcessTimes, ProcessBasePriority, ProcessRaisePriority, ProcessDebugPort, ProcessExceptionPort, ProcessAccessToken, ProcessLdtInformation, ProcessLdtSize, ProcessDefaultHardErrorMode, ProcessIoPortHandlers, ProcessPooledUsageAndLimits, ProcessWorkingSetWatch, ProcessUserModeIOPL, ProcessEnableAlignmentFaultFixup, ProcessPriorityClass, ProcessWx86Information, ProcessHandleCount, ProcessAffinityMask, ProcessPriorityBoost, ProcessDeviceMap, ProcessSessionInformation, ProcessForegroundInformation, ProcessWow64Information, ProcessImageFileName, ProcessLUIDDeviceMapsEnabled, ProcessBreakOnTermination, ProcessDebugObjectHandle, ProcessDebugFlags, ProcessHandleTracing, ProcessIoPriority, ProcessExecuteFlags, ProcessTlsInformation, ProcessCookie, ProcessImageInformation, ProcessCycleTime, ProcessPagePriority, ProcessInstrumentationCallback, ProcessThreadStackAllocation, ProcessWorkingSetWatchEx, ProcessImageFileNameWin32, ProcessImageFileMapping, ProcessAffinityUpdateMode, ProcessMemoryAllocationMode, ProcessGroupInformation, ProcessTokenVirtualizationEnabled, ProcessOwnerInformation, ProcessWindowInformation, ProcessHandleInformation, ProcessMitigationPolicy, ProcessDynamicFunctionTableInformation, ProcessHandleCheckingMode, ProcessKeepAliveCount, ProcessRevokeFileHandles, ProcessWorkingSetControl, ProcessHandleTable, ProcessCheckStackExtentsMode, ProcessCommandLineInformation, ProcessProtectionInformation, ProcessMemoryExhaustion, ProcessFaultInformation, ProcessTelemetryIdInformation, ProcessCommitReleaseInformation, ProcessReserved1Information, ProcessReserved2Information, ProcessSubsystemProcess, ProcessInPrivate, ProcessRaiseUMExceptionOnInvalidHandleClose, ProcessSubsystemInformation, 
ProcessWin32kSyscallFilterInformation, ProcessEnergyTrackingState, MaxProcessInfoClass] + mapper = FlagMapper(*values) +PROCESSINFOCLASS = _PROCESSINFOCLASS + + +ProcessMemoryPriority = EnumValue("_PROCESS_INFORMATION_CLASS", "ProcessMemoryPriority", 0x0) +ProcessMemoryExhaustionInfo = EnumValue("_PROCESS_INFORMATION_CLASS", "ProcessMemoryExhaustionInfo", 0x1) +ProcessAppMemoryInfo = EnumValue("_PROCESS_INFORMATION_CLASS", "ProcessAppMemoryInfo", 0x2) +ProcessInPrivateInfo = EnumValue("_PROCESS_INFORMATION_CLASS", "ProcessInPrivateInfo", 0x3) +ProcessPowerThrottling = EnumValue("_PROCESS_INFORMATION_CLASS", "ProcessPowerThrottling", 0x4) +ProcessReservedValue1 = EnumValue("_PROCESS_INFORMATION_CLASS", "ProcessReservedValue1", 0x5) +ProcessTelemetryCoverageInfo = EnumValue("_PROCESS_INFORMATION_CLASS", "ProcessTelemetryCoverageInfo", 0x6) +ProcessProtectionLevelInfo = EnumValue("_PROCESS_INFORMATION_CLASS", "ProcessProtectionLevelInfo", 0x7) +ProcessLeapSecondInfo = EnumValue("_PROCESS_INFORMATION_CLASS", "ProcessLeapSecondInfo", 0x8) +ProcessMachineTypeInfo = EnumValue("_PROCESS_INFORMATION_CLASS", "ProcessMachineTypeInfo", 0x9) +ProcessOverrideSubsequentPrefetchParameter = EnumValue("_PROCESS_INFORMATION_CLASS", "ProcessOverrideSubsequentPrefetchParameter", 0xa) +ProcessMaxOverridePrefetchParameter = EnumValue("_PROCESS_INFORMATION_CLASS", "ProcessMaxOverridePrefetchParameter", 0xb) +ProcessInformationClassMax = EnumValue("_PROCESS_INFORMATION_CLASS", "ProcessInformationClassMax", 0xc) +class _PROCESS_INFORMATION_CLASS(EnumType): + values = [ProcessMemoryPriority, ProcessMemoryExhaustionInfo, ProcessAppMemoryInfo, ProcessInPrivateInfo, ProcessPowerThrottling, ProcessReservedValue1, ProcessTelemetryCoverageInfo, ProcessProtectionLevelInfo, ProcessLeapSecondInfo, ProcessMachineTypeInfo, ProcessOverrideSubsequentPrefetchParameter, ProcessMaxOverridePrefetchParameter, ProcessInformationClassMax] + mapper = FlagMapper(*values) +PROCESS_INFORMATION_CLASS = 
_PROCESS_INFORMATION_CLASS + + +UserEnabled = EnumValue("_MACHINE_ATTRIBUTES", "UserEnabled", 0x1) +KernelEnabled = EnumValue("_MACHINE_ATTRIBUTES", "KernelEnabled", 0x2) +Wow64Container = EnumValue("_MACHINE_ATTRIBUTES", "Wow64Container", 0x4) +class _MACHINE_ATTRIBUTES(EnumType): + values = [UserEnabled, KernelEnabled, Wow64Container] + mapper = FlagMapper(*values) +MACHINE_ATTRIBUTES = _MACHINE_ATTRIBUTES + + +class _PROCESS_MACHINE_INFORMATION(Structure): + _fields_ = [ + ("ProcessMachine", USHORT), + ("Res0", USHORT), + ("MachineAttributes", MACHINE_ATTRIBUTES), + ] +PROCESS_MACHINE_INFORMATION = _PROCESS_MACHINE_INFORMATION + MemExtendedParameterInvalidType = EnumValue("MEM_EXTENDED_PARAMETER_TYPE", "MemExtendedParameterInvalidType", 0x0) MemExtendedParameterAddressRequirements = EnumValue("MEM_EXTENDED_PARAMETER_TYPE", "MemExtendedParameterAddressRequirements", 0x1) MemExtendedParameterNumaNode = EnumValue("MEM_EXTENDED_PARAMETER_TYPE", "MemExtendedParameterNumaNode", 0x2) 
@@ -5495,123 +5648,6 @@ class _SECTION_INHERIT(EnumType): SECTION_INHERIT = _SECTION_INHERIT -ProcessBasicInformation = EnumValue("_PROCESSINFOCLASS", "ProcessBasicInformation", 0x0) -ProcessQuotaLimits = EnumValue("_PROCESSINFOCLASS", "ProcessQuotaLimits", 0x1) -ProcessIoCounters = EnumValue("_PROCESSINFOCLASS", "ProcessIoCounters", 0x2) -ProcessVmCounters = EnumValue("_PROCESSINFOCLASS", "ProcessVmCounters", 0x3) -ProcessTimes = EnumValue("_PROCESSINFOCLASS", "ProcessTimes", 0x4) -ProcessBasePriority = EnumValue("_PROCESSINFOCLASS", "ProcessBasePriority", 0x5) -ProcessRaisePriority = EnumValue("_PROCESSINFOCLASS", "ProcessRaisePriority", 0x6) -ProcessDebugPort = EnumValue("_PROCESSINFOCLASS", "ProcessDebugPort", 0x7) -ProcessExceptionPort = EnumValue("_PROCESSINFOCLASS", "ProcessExceptionPort", 0x8) -ProcessAccessToken = EnumValue("_PROCESSINFOCLASS", "ProcessAccessToken", 0x9) -ProcessLdtInformation = EnumValue("_PROCESSINFOCLASS", "ProcessLdtInformation", 0xa) -ProcessLdtSize = EnumValue("_PROCESSINFOCLASS", "ProcessLdtSize", 0xb) -ProcessDefaultHardErrorMode = EnumValue("_PROCESSINFOCLASS", "ProcessDefaultHardErrorMode", 0xc) -ProcessIoPortHandlers = EnumValue("_PROCESSINFOCLASS", "ProcessIoPortHandlers", 0xd) -ProcessPooledUsageAndLimits = EnumValue("_PROCESSINFOCLASS", "ProcessPooledUsageAndLimits", 0xe) -ProcessWorkingSetWatch = EnumValue("_PROCESSINFOCLASS", "ProcessWorkingSetWatch", 0xf) -ProcessUserModeIOPL = EnumValue("_PROCESSINFOCLASS", "ProcessUserModeIOPL", 0x10) -ProcessEnableAlignmentFaultFixup = EnumValue("_PROCESSINFOCLASS", "ProcessEnableAlignmentFaultFixup", 0x11) -ProcessPriorityClass = EnumValue("_PROCESSINFOCLASS", "ProcessPriorityClass", 0x12) -ProcessWx86Information = EnumValue("_PROCESSINFOCLASS", "ProcessWx86Information", 0x13) -ProcessHandleCount = EnumValue("_PROCESSINFOCLASS", "ProcessHandleCount", 0x14) -ProcessAffinityMask = EnumValue("_PROCESSINFOCLASS", "ProcessAffinityMask", 0x15) -ProcessPriorityBoost = 
EnumValue("_PROCESSINFOCLASS", "ProcessPriorityBoost", 0x16) -ProcessDeviceMap = EnumValue("_PROCESSINFOCLASS", "ProcessDeviceMap", 0x17) -ProcessSessionInformation = EnumValue("_PROCESSINFOCLASS", "ProcessSessionInformation", 0x18) -ProcessForegroundInformation = EnumValue("_PROCESSINFOCLASS", "ProcessForegroundInformation", 0x19) -ProcessWow64Information = EnumValue("_PROCESSINFOCLASS", "ProcessWow64Information", 0x1a) -ProcessImageFileName = EnumValue("_PROCESSINFOCLASS", "ProcessImageFileName", 0x1b) -ProcessLUIDDeviceMapsEnabled = EnumValue("_PROCESSINFOCLASS", "ProcessLUIDDeviceMapsEnabled", 0x1c) -ProcessBreakOnTermination = EnumValue("_PROCESSINFOCLASS", "ProcessBreakOnTermination", 0x1d) -ProcessDebugObjectHandle = EnumValue("_PROCESSINFOCLASS", "ProcessDebugObjectHandle", 0x1e) -ProcessDebugFlags = EnumValue("_PROCESSINFOCLASS", "ProcessDebugFlags", 0x1f) -ProcessHandleTracing = EnumValue("_PROCESSINFOCLASS", "ProcessHandleTracing", 0x20) -ProcessIoPriority = EnumValue("_PROCESSINFOCLASS", "ProcessIoPriority", 0x21) -ProcessExecuteFlags = EnumValue("_PROCESSINFOCLASS", "ProcessExecuteFlags", 0x22) -ProcessTlsInformation = EnumValue("_PROCESSINFOCLASS", "ProcessTlsInformation", 0x23) -ProcessCookie = EnumValue("_PROCESSINFOCLASS", "ProcessCookie", 0x24) -ProcessImageInformation = EnumValue("_PROCESSINFOCLASS", "ProcessImageInformation", 0x25) -ProcessCycleTime = EnumValue("_PROCESSINFOCLASS", "ProcessCycleTime", 0x26) -ProcessPagePriority = EnumValue("_PROCESSINFOCLASS", "ProcessPagePriority", 0x27) -ProcessInstrumentationCallback = EnumValue("_PROCESSINFOCLASS", "ProcessInstrumentationCallback", 0x28) -ProcessThreadStackAllocation = EnumValue("_PROCESSINFOCLASS", "ProcessThreadStackAllocation", 0x29) -ProcessWorkingSetWatchEx = EnumValue("_PROCESSINFOCLASS", "ProcessWorkingSetWatchEx", 0x2a) -ProcessImageFileNameWin32 = EnumValue("_PROCESSINFOCLASS", "ProcessImageFileNameWin32", 0x2b) -ProcessImageFileMapping = EnumValue("_PROCESSINFOCLASS", 
"ProcessImageFileMapping", 0x2c) -ProcessAffinityUpdateMode = EnumValue("_PROCESSINFOCLASS", "ProcessAffinityUpdateMode", 0x2d) -ProcessMemoryAllocationMode = EnumValue("_PROCESSINFOCLASS", "ProcessMemoryAllocationMode", 0x2e) -ProcessGroupInformation = EnumValue("_PROCESSINFOCLASS", "ProcessGroupInformation", 0x2f) -ProcessTokenVirtualizationEnabled = EnumValue("_PROCESSINFOCLASS", "ProcessTokenVirtualizationEnabled", 0x30) -ProcessOwnerInformation = EnumValue("_PROCESSINFOCLASS", "ProcessOwnerInformation", 0x31) -ProcessWindowInformation = EnumValue("_PROCESSINFOCLASS", "ProcessWindowInformation", 0x32) -ProcessHandleInformation = EnumValue("_PROCESSINFOCLASS", "ProcessHandleInformation", 0x33) -ProcessMitigationPolicy = EnumValue("_PROCESSINFOCLASS", "ProcessMitigationPolicy", 0x34) -ProcessDynamicFunctionTableInformation = EnumValue("_PROCESSINFOCLASS", "ProcessDynamicFunctionTableInformation", 0x35) -ProcessHandleCheckingMode = EnumValue("_PROCESSINFOCLASS", "ProcessHandleCheckingMode", 0x36) -ProcessKeepAliveCount = EnumValue("_PROCESSINFOCLASS", "ProcessKeepAliveCount", 0x37) -ProcessRevokeFileHandles = EnumValue("_PROCESSINFOCLASS", "ProcessRevokeFileHandles", 0x38) -ProcessWorkingSetControl = EnumValue("_PROCESSINFOCLASS", "ProcessWorkingSetControl", 0x39) -ProcessHandleTable = EnumValue("_PROCESSINFOCLASS", "ProcessHandleTable", 0x3a) -ProcessCheckStackExtentsMode = EnumValue("_PROCESSINFOCLASS", "ProcessCheckStackExtentsMode", 0x3b) -ProcessCommandLineInformation = EnumValue("_PROCESSINFOCLASS", "ProcessCommandLineInformation", 0x3c) -ProcessProtectionInformation = EnumValue("_PROCESSINFOCLASS", "ProcessProtectionInformation", 0x3d) -ProcessMemoryExhaustion = EnumValue("_PROCESSINFOCLASS", "ProcessMemoryExhaustion", 0x3e) -ProcessFaultInformation = EnumValue("_PROCESSINFOCLASS", "ProcessFaultInformation", 0x3f) -ProcessTelemetryIdInformation = EnumValue("_PROCESSINFOCLASS", "ProcessTelemetryIdInformation", 0x40) -ProcessCommitReleaseInformation = 
EnumValue("_PROCESSINFOCLASS", "ProcessCommitReleaseInformation", 0x41) -ProcessReserved1Information = EnumValue("_PROCESSINFOCLASS", "ProcessReserved1Information", 0x42) -ProcessReserved2Information = EnumValue("_PROCESSINFOCLASS", "ProcessReserved2Information", 0x43) -ProcessSubsystemProcess = EnumValue("_PROCESSINFOCLASS", "ProcessSubsystemProcess", 0x44) -ProcessInPrivate = EnumValue("_PROCESSINFOCLASS", "ProcessInPrivate", 0x46) -ProcessRaiseUMExceptionOnInvalidHandleClose = EnumValue("_PROCESSINFOCLASS", "ProcessRaiseUMExceptionOnInvalidHandleClose", 0x47) -ProcessSubsystemInformation = EnumValue("_PROCESSINFOCLASS", "ProcessSubsystemInformation", 0x4b) -ProcessWin32kSyscallFilterInformation = EnumValue("_PROCESSINFOCLASS", "ProcessWin32kSyscallFilterInformation", 0x4f) -ProcessEnergyTrackingState = EnumValue("_PROCESSINFOCLASS", "ProcessEnergyTrackingState", 0x52) -MaxProcessInfoClass = EnumValue("_PROCESSINFOCLASS", "MaxProcessInfoClass", 0x53) -class _PROCESSINFOCLASS(EnumType): - values = [ProcessBasicInformation, ProcessQuotaLimits, ProcessIoCounters, ProcessVmCounters, ProcessTimes, ProcessBasePriority, ProcessRaisePriority, ProcessDebugPort, ProcessExceptionPort, ProcessAccessToken, ProcessLdtInformation, ProcessLdtSize, ProcessDefaultHardErrorMode, ProcessIoPortHandlers, ProcessPooledUsageAndLimits, ProcessWorkingSetWatch, ProcessUserModeIOPL, ProcessEnableAlignmentFaultFixup, ProcessPriorityClass, ProcessWx86Information, ProcessHandleCount, ProcessAffinityMask, ProcessPriorityBoost, ProcessDeviceMap, ProcessSessionInformation, ProcessForegroundInformation, ProcessWow64Information, ProcessImageFileName, ProcessLUIDDeviceMapsEnabled, ProcessBreakOnTermination, ProcessDebugObjectHandle, ProcessDebugFlags, ProcessHandleTracing, ProcessIoPriority, ProcessExecuteFlags, ProcessTlsInformation, ProcessCookie, ProcessImageInformation, ProcessCycleTime, ProcessPagePriority, ProcessInstrumentationCallback, ProcessThreadStackAllocation, ProcessWorkingSetWatchEx, 
ProcessImageFileNameWin32, ProcessImageFileMapping, ProcessAffinityUpdateMode, ProcessMemoryAllocationMode, ProcessGroupInformation, ProcessTokenVirtualizationEnabled, ProcessOwnerInformation, ProcessWindowInformation, ProcessHandleInformation, ProcessMitigationPolicy, ProcessDynamicFunctionTableInformation, ProcessHandleCheckingMode, ProcessKeepAliveCount, ProcessRevokeFileHandles, ProcessWorkingSetControl, ProcessHandleTable, ProcessCheckStackExtentsMode, ProcessCommandLineInformation, ProcessProtectionInformation, ProcessMemoryExhaustion, ProcessFaultInformation, ProcessTelemetryIdInformation, ProcessCommitReleaseInformation, ProcessReserved1Information, ProcessReserved2Information, ProcessSubsystemProcess, ProcessInPrivate, ProcessRaiseUMExceptionOnInvalidHandleClose, ProcessSubsystemInformation, ProcessWin32kSyscallFilterInformation, ProcessEnergyTrackingState, MaxProcessInfoClass] - mapper = FlagMapper(*values) -PROCESSINFOCLASS = _PROCESSINFOCLASS - - -MemoryBasicInformation = EnumValue("_MEMORY_INFORMATION_CLASS", "MemoryBasicInformation", 0x0) -MemoryWorkingSetList = EnumValue("_MEMORY_INFORMATION_CLASS", "MemoryWorkingSetList", 0x1) -MemorySectionName = EnumValue("_MEMORY_INFORMATION_CLASS", "MemorySectionName", 0x2) -MemoryBasicVlmInformation = EnumValue("_MEMORY_INFORMATION_CLASS", "MemoryBasicVlmInformation", 0x3) -MemoryWorkingSetListEx = EnumValue("_MEMORY_INFORMATION_CLASS", "MemoryWorkingSetListEx", 0x4) -class _MEMORY_INFORMATION_CLASS(EnumType): - values = [MemoryBasicInformation, MemoryWorkingSetList, MemorySectionName, MemoryBasicVlmInformation, MemoryWorkingSetListEx] - mapper = FlagMapper(*values) -MEMORY_INFORMATION_CLASS = _MEMORY_INFORMATION_CLASS - - -ThreadBasicInformation = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadBasicInformation", 0x0) -ThreadTimes = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadTimes", 0x1) -ThreadPriority = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadPriority", 0x2) -ThreadBasePriority = 
EnumValue("_THREAD_INFORMATION_CLASS", "ThreadBasePriority", 0x3) -ThreadAffinityMask = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadAffinityMask", 0x4) -ThreadImpersonationToken = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadImpersonationToken", 0x5) -ThreadDescriptorTableEntry = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadDescriptorTableEntry", 0x6) -ThreadEnableAlignmentFaultFixup = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadEnableAlignmentFaultFixup", 0x7) -ThreadEventPair = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadEventPair", 0x8) -ThreadQuerySetWin32StartAddress = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadQuerySetWin32StartAddress", 0x9) -ThreadZeroTlsCell = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadZeroTlsCell", 0xa) -ThreadPerformanceCount = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadPerformanceCount", 0xb) -ThreadAmILastThread = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadAmILastThread", 0xc) -ThreadIdealProcessor = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadIdealProcessor", 0xd) -ThreadPriorityBoost = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadPriorityBoost", 0xe) -ThreadSetTlsArrayAddress = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadSetTlsArrayAddress", 0xf) -ThreadIsIoPending = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadIsIoPending", 0x10) -ThreadHideFromDebugger = EnumValue("_THREAD_INFORMATION_CLASS", "ThreadHideFromDebugger", 0x11) -class _THREAD_INFORMATION_CLASS(EnumType): - values = [ThreadBasicInformation, ThreadTimes, ThreadPriority, ThreadBasePriority, ThreadAffinityMask, ThreadImpersonationToken, ThreadDescriptorTableEntry, ThreadEnableAlignmentFaultFixup, ThreadEventPair, ThreadQuerySetWin32StartAddress, ThreadZeroTlsCell, ThreadPerformanceCount, ThreadAmILastThread, ThreadIdealProcessor, ThreadPriorityBoost, ThreadSetTlsArrayAddress, ThreadIsIoPending, ThreadHideFromDebugger] - mapper = FlagMapper(*values) -PTHREAD_INFORMATION_CLASS = POINTER(_THREAD_INFORMATION_CLASS) -THREAD_INFORMATION_CLASS = 
_THREAD_INFORMATION_CLASS - - VT_EMPTY = EnumValue("_VARENUM", "VT_EMPTY", 0x0) VT_NULL = EnumValue("_VARENUM", "VT_NULL", 0x1) VT_I2 = EnumValue("_VARENUM", "VT_I2", 0x2) diff --git a/windows/winproxy/apis/kernel32.py b/windows/winproxy/apis/kernel32.py index 9623981e..9cb36937 100644 --- a/windows/winproxy/apis/kernel32.py +++ b/windows/winproxy/apis/kernel32.py @@ -81,6 +81,18 @@ def GetPriorityClass(hProcess): def SetPriorityClass(hProcess, dwPriorityClass): return SetPriorityClass.ctypes_function(hProcess, dwPriorityClass) +@Kernel32Proxy() +def GetProcessInformation(hProcess, ProcessInformationClass, ProcessInformation, ProcessInformationSize=None): + if ProcessInformationSize is None: + ProcessInformationSize = ctypes.sizeof(ProcessInformation) + return GetProcessInformation.ctypes_function(hProcess, ProcessInformationClass, ProcessInformation, ProcessInformationSize) + +@Kernel32Proxy() +def SetProcessInformation(hProcess, ProcessInformationClass, ProcessInformation, ProcessInformationSize): + if ProcessInformationSize is None: + ProcessInformationSize = ctypes.sizeof(ProcessInformation) + return SetProcessInformation.ctypes_function(hProcess, ProcessInformationClass, ProcessInformation, ProcessInformationSize) + PROCESS_MITIGATION_STUCTS = (gdef.PROCESS_MITIGATION_ASLR_POLICY, gdef.PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY, From ce13bf08e387ac2bb52ded0c0dda53706c99924d Mon Sep 17 00:00:00 2001 From: hakril Date: Sat, 18 Jan 2025 23:31:30 +0100 Subject: [PATCH 19/70] First try at WinProcess.architecture --- windows/winobject/process.py | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/windows/winobject/process.py b/windows/winobject/process.py index 08734423..66999a5f 100644 --- a/windows/winobject/process.py +++ b/windows/winobject/process.py 
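Review bot: SetProcessInformation tests `if ProcessInformationSize is None` but, unlike GetProcessInformation directly above it, declares `ProcessInformationSize` without a default, so the size-inference branch is only reachable when a caller passes None explicitly and the two wrappers accept different call shapes for the same API pair. Give it the same signature: `def SetProcessInformation(hProcess, ProcessInformationClass, ProcessInformation, ProcessInformationSize=None):`. In both wrappers the inferred size is `ctypes.sizeof(ProcessInformation)`, which raises TypeError if a caller passes an integer address or a bare pointer instead of a ctypes instance; a one-line docstring such as `"""ProcessInformation must be a ctypes structure when ProcessInformationSize is omitted."""` would make that contract visible. Whether a FALSE return is converted into an exception depends on Kernel32Proxy's error checking, which is outside this hunk.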
@@ -106,12 +106,19 @@ def architecture(self): # Syswow2 will exactly tell us the architecture if windows.winproxy.is_implemented(windows.winproxy.IsWow64Process2): process_machine, native_machine = self.is_wow_64_2 - try: - return utils.image_file_machine_to_processor_architecture(process_machine) - except KeyError as e: - raise ValueError("Unknown IsWow64Process2(process_machine:#x) -> {0}".format(process_machine)) - - # No IsWow64Process2 -> No ARM64 + if process_machine != gdef.PROCESSOR_ARCHITECTURE_UNKNOWN: + try: + return utils.image_file_machine_to_processor_architecture(process_machine) + except KeyError as e: + raise ValueError("Unknown IsWow64Process2(process_machine:#x) -> {0}".format(process_machine)) + + if windows.system.architecture == gdef.PROCESSOR_ARCHITECTURE_ARM64: + # May be ARM64 or AMD64 as X64TA64 is not considered WOW64 + machine_archi = gdef.PROCESS_MACHINE_INFORMATION() + windows.winproxy.GetProcessInformation(self.handle, gdef.ProcessMachineTypeInfo, machine_archi) + return utils.image_file_machine_to_processor_architecture(machine_archi.ProcessMachine) + + # No IsWow64Process2 -> No ARM # So its up on x86 -> x64 based on process bitness if self.bitness == 32: return gdef.PROCESSOR_ARCHITECTURE_INTEL From 2cef60377ffb2805f9c85cef3a74646741d7b0fb Mon Sep 17 00:00:00 2001 From: hakril Date: Sat, 18 Jan 2025 23:33:51 +0100 Subject: [PATCH 20/70] Add some ctypes definition --- .../definitions/structures/process.txt | 124 ++++++++++++++++++ .../definitions/structures/processor.txt | 11 ++ 2 files changed, 135 insertions(+) create mode 100644 ctypes_generation/definitions/structures/process.txt create mode 100644 ctypes_generation/definitions/structures/processor.txt diff --git a/ctypes_generation/definitions/structures/process.txt b/ctypes_generation/definitions/structures/process.txt new file mode 100644 index 00000000..d5494d28 --- /dev/null +++ b/ctypes_generation/definitions/structures/process.txt 
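Review bot: The new guard `if process_machine != gdef.PROCESSOR_ARCHITECTURE_UNKNOWN:` compares the IMAGE_FILE_MACHINE value obtained from `self.is_wow_64_2` against a constant from the PROCESSOR_ARCHITECTURE family, so it does not recognise the not-WOW64 case the ARM64 branch below is meant to handle; `if process_machine != gdef.IMAGE_FILE_MACHINE_UNKNOWN:` is the intended check. In the ARM64 branch the struct is passed to GetProcessInformation without `ctypes.byref()` and without a size, so correctness depends on how the winproxy wrapper derives its default size from that argument. The bound name in `except KeyError as e` is unused. The enclosing `architecture` property starts before this hunk.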
@@ -0,0 +1,124 @@ +typedef enum _MEMORY_INFORMATION_CLASS { + MemoryBasicInformation, + MemoryWorkingSetList, + MemorySectionName, + MemoryBasicVlmInformation, + MemoryWorkingSetListEx +} MEMORY_INFORMATION_CLASS; + +typedef enum _THREAD_INFORMATION_CLASS { + ThreadBasicInformation, + ThreadTimes, + ThreadPriority, + ThreadBasePriority, + ThreadAffinityMask, + ThreadImpersonationToken, + ThreadDescriptorTableEntry, + ThreadEnableAlignmentFaultFixup, + ThreadEventPair, + ThreadQuerySetWin32StartAddress, + ThreadZeroTlsCell, + ThreadPerformanceCount, + ThreadAmILastThread, + ThreadIdealProcessor, + ThreadPriorityBoost, + ThreadSetTlsArrayAddress, + ThreadIsIoPending, + ThreadHideFromDebugger +} THREAD_INFORMATION_CLASS, *PTHREAD_INFORMATION_CLASS; + +// For NtQueryInformationProcess +typedef enum _PROCESSINFOCLASS { + ProcessBasicInformation = 0, + ProcessQuotaLimits = 1, + ProcessIoCounters = 2, + ProcessVmCounters = 3, + ProcessTimes = 4, + ProcessBasePriority = 5, + ProcessRaisePriority = 6, + ProcessDebugPort = 7, + ProcessExceptionPort = 8, + ProcessAccessToken = 9, + ProcessLdtInformation = 10, + ProcessLdtSize = 11, + ProcessDefaultHardErrorMode = 12, + ProcessIoPortHandlers = 13, // Note: this is kernel mode only + ProcessPooledUsageAndLimits = 14, + ProcessWorkingSetWatch = 15, + ProcessUserModeIOPL = 16, + ProcessEnableAlignmentFaultFixup = 17, + ProcessPriorityClass = 18, + ProcessWx86Information = 19, + ProcessHandleCount = 20, + ProcessAffinityMask = 21, + ProcessPriorityBoost = 22, + ProcessDeviceMap = 23, + ProcessSessionInformation = 24, + ProcessForegroundInformation = 25, + ProcessWow64Information = 26, + ProcessImageFileName = 27, + ProcessLUIDDeviceMapsEnabled = 28, + ProcessBreakOnTermination = 29, + ProcessDebugObjectHandle = 30, + ProcessDebugFlags = 31, + ProcessHandleTracing = 32, + ProcessIoPriority = 33, + ProcessExecuteFlags = 34, + ProcessTlsInformation = 35, + ProcessCookie = 36, + ProcessImageInformation = 37, + ProcessCycleTime = 38, + 
ProcessPagePriority = 39, + ProcessInstrumentationCallback = 40, + ProcessThreadStackAllocation = 41, + ProcessWorkingSetWatchEx = 42, + ProcessImageFileNameWin32 = 43, + ProcessImageFileMapping = 44, + ProcessAffinityUpdateMode = 45, + ProcessMemoryAllocationMode = 46, + ProcessGroupInformation = 47, + ProcessTokenVirtualizationEnabled = 48, + ProcessOwnerInformation = 49, + ProcessWindowInformation = 50, + ProcessHandleInformation = 51, + ProcessMitigationPolicy = 52, + ProcessDynamicFunctionTableInformation = 53, + ProcessHandleCheckingMode = 54, + ProcessKeepAliveCount = 55, + ProcessRevokeFileHandles = 56, + ProcessWorkingSetControl = 57, + ProcessHandleTable = 58, + ProcessCheckStackExtentsMode = 59, + ProcessCommandLineInformation = 60, + ProcessProtectionInformation = 61, + ProcessMemoryExhaustion = 62, + ProcessFaultInformation = 63, + ProcessTelemetryIdInformation = 64, + ProcessCommitReleaseInformation = 65, + ProcessReserved1Information = 66, + ProcessReserved2Information = 67, + ProcessSubsystemProcess = 68, + ProcessInPrivate = 70, + ProcessRaiseUMExceptionOnInvalidHandleClose = 71, + ProcessSubsystemInformation = 75, + ProcessWin32kSyscallFilterInformation = 79, + ProcessEnergyTrackingState = 82, + MaxProcessInfoClass // MaxProcessInfoClass should always be the last enum +} PROCESSINFOCLASS; + +// GetProcessInfo +typedef enum _PROCESS_INFORMATION_CLASS { + ProcessMemoryPriority, + ProcessMemoryExhaustionInfo, + ProcessAppMemoryInfo, + ProcessInPrivateInfo, + ProcessPowerThrottling, + ProcessReservedValue1, + ProcessTelemetryCoverageInfo, + ProcessProtectionLevelInfo, + ProcessLeapSecondInfo, + ProcessMachineTypeInfo, // Map to 0xe6(230) for the syscall NtQueryInformationProcess + ProcessOverrideSubsequentPrefetchParameter, + ProcessMaxOverridePrefetchParameter, + ProcessInformationClassMax +} PROCESS_INFORMATION_CLASS; \ No newline at end of file 
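Review bot: PROCESSINFOCLASS assigns explicit values that skip 69, 72-74, 76-78 and 80-81, so `MaxProcessInfoClass` takes 83 by implicit increment and is neither a count of the classes nor the highest value the kernel accepts; the comment `// MaxProcessInfoClass should always be the last enum` should say so, e.g. `// Sentinel only: values above are sparse, do not use as a count`. Most of these NtQueryInformationProcess classes are not in the public winternl.h and the set changes between builds, which is worth stating next to the `// For NtQueryInformationProcess` header so readers do not treat the list as authoritative. The file also ends without a trailing newline.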
diff --git a/ctypes_generation/definitions/structures/processor.txt b/ctypes_generation/definitions/structures/processor.txt new file mode 100644 index 00000000..4f8a9830 --- /dev/null +++ b/ctypes_generation/definitions/structures/processor.txt @@ -0,0 +1,11 @@ +typedef enum _MACHINE_ATTRIBUTES { + UserEnabled = 0x00000001, + KernelEnabled = 0x00000002, + Wow64Container = 0x00000004 +} MACHINE_ATTRIBUTES; + +typedef struct _PROCESS_MACHINE_INFORMATION { + USHORT ProcessMachine; + USHORT Res0; + MACHINE_ATTRIBUTES MachineAttributes; +} PROCESS_MACHINE_INFORMATION; \ No newline at end of file From 720385d15add53acea62294700ac4f0a1122dffd Mon Sep 17 00:00:00 2001 From: hakril Date: Sat, 18 Jan 2025 23:44:15 +0100 Subject: [PATCH 21/70] Still playing with process.architecture --- windows/winobject/process.py | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/windows/winobject/process.py b/windows/winobject/process.py index 66999a5f..a05ba75c 100644 --- a/windows/winobject/process.py +++ b/windows/winobject/process.py 
@@ -106,23 +106,22 @@ def architecture(self): # Syswow2 will exactly tell us the architecture if windows.winproxy.is_implemented(windows.winproxy.IsWow64Process2): process_machine, native_machine = self.is_wow_64_2 - if process_machine != gdef.PROCESSOR_ARCHITECTURE_UNKNOWN: - try: - return utils.image_file_machine_to_processor_architecture(process_machine) - except KeyError as e: - raise ValueError("Unknown IsWow64Process2(process_machine:#x) -> {0}".format(process_machine)) + if process_machine != gdef.IMAGE_FILE_MACHINE_UNKNOWN: + return process_machine if windows.system.architecture == gdef.PROCESSOR_ARCHITECTURE_ARM64: # May be ARM64 or AMD64 as X64TA64 is not considered WOW64 + # ProcessMachineTypeInfo is from build 22000 + # What if not implemented ? parse target main binary PE ? machine_archi = gdef.PROCESS_MACHINE_INFORMATION() windows.winproxy.GetProcessInformation(self.handle, gdef.ProcessMachineTypeInfo, machine_archi) - return utils.image_file_machine_to_processor_architecture(machine_archi.ProcessMachine) + return machine_archi.ProcessMachine # No IsWow64Process2 -> No ARM # So its up on x86 -> x64 based on process bitness if self.bitness == 32: - return gdef.PROCESSOR_ARCHITECTURE_INTEL - return gdef.PROCESSOR_ARCHITECTURE_AMD64 + return gdef.IMAGE_FILE_MACHINE_I386 + return gdef.IMAGE_FILE_MACHINE_AMD64 @utils.fixedpropety def limited_handle(self): From 9b5be5ffd56eaf8e7a87ed25c1baf924924143ba Mon Sep 17 00:00:00 2001 From: hakril Date: Sat, 18 Jan 2025 23:47:13 +0100 Subject: [PATCH 22/70] more arm testing of process.architecture --- windows/winobject/process.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/winobject/process.py b/windows/winobject/process.py index a05ba75c..a8fa0946 100644 --- a/windows/winobject/process.py +++ b/windows/winobject/process.py 
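Review bot: The ARM64 branch calls GetProcessInformation with ProcessMachineTypeInfo unconditionally while the new comment `# ProcessMachineTypeInfo is from build 22000` records that older ARM64 builds lack it, so on those builds the call fails instead of falling back; the call should be guarded, or its failure caught, with the fallback the comment itself suggests (reading the target's PE header) or an explicit error. This commit also changes the return contract of `architecture` in every branch from PROCESSOR_ARCHITECTURE_* to IMAGE_FILE_MACHINE_* values, which callers cannot see from the code and the property docstring should state, e.g. `Return the IMAGE_FILE_MACHINE_* value of the process, not a PROCESSOR_ARCHITECTURE_* constant.` The struct is still handed to GetProcessInformation here without `ctypes.byref()` or a size. The enclosing `architecture` property starts before this hunk.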
@@ -114,7 +114,7 @@ def architecture(self): # ProcessMachineTypeInfo is from build 22000 # What if not implemented ? parse target main binary PE ? machine_archi = gdef.PROCESS_MACHINE_INFORMATION() - windows.winproxy.GetProcessInformation(self.handle, gdef.ProcessMachineTypeInfo, machine_archi) + windows.winproxy.GetProcessInformation(self.handle, gdef.ProcessMachineTypeInfo, ctypes.byref(machine_archi), ctypes.sizeof(machine_archi)) return machine_archi.ProcessMachine # No IsWow64Process2 -> No ARM From 4e5325c8eabf70696cce2f627e5c7fa35cdbd547 Mon Sep 17 00:00:00 2001 From: hakril Date: Sun, 19 Jan 2025 18:03:47 +0100 Subject: [PATCH 23/70] Process.architecture now returns flags --- windows/winobject/process.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/winobject/process.py b/windows/winobject/process.py index a8fa0946..1d8facde 100644 --- a/windows/winobject/process.py +++ b/windows/winobject/process.py @@ -115,7 +115,7 @@ def architecture(self): # What if not implemented ? parse target main binary PE ? machine_archi = gdef.PROCESS_MACHINE_INFORMATION() windows.winproxy.GetProcessInformation(self.handle, gdef.ProcessMachineTypeInfo, ctypes.byref(machine_archi), ctypes.sizeof(machine_archi)) - return machine_archi.ProcessMachine + return gdef.IMAGE_FILE_MACHINE_MAPPER[machine_archi.ProcessMachine] # No IsWow64Process2 -> No ARM # So its up on x86 -> x64 based on process bitness From e7679ecfcff5b0ca384daa290f391b2d9c6bb6ee Mon Sep 17 00:00:00 2001 From: hakril Date: Thu, 23 Jan 2025 09:17:23 +0100 Subject: [PATCH 24/70] [WIP] simple_arm64 + testsuite --- tests/test_simple_arm64.py | 108 +++++++++++++++ windows/native_exec/simple_arm64.py | 203 ++++++++++++++++++++++++++++ 2 files changed, 311 insertions(+) create mode 100644 tests/test_simple_arm64.py create mode 100644 windows/native_exec/simple_arm64.py diff --git a/tests/test_simple_arm64.py b/tests/test_simple_arm64.py new file mode 100644 index 00000000..af3e6590 --- /dev/null 
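Review bot: `gdef.IMAGE_FILE_MACHINE_MAPPER[machine_archi.ProcessMachine]` raises a bare KeyError for a machine value the mapper does not know, which is exactly the case the removed `ValueError("Unknown IsWow64Process2(...)")` used to report; wrapping it as `raise ValueError("Unknown ProcessMachine {0:#x}".format(machine_archi.ProcessMachine))` keeps the property's failure mode consistent. The IsWow64Process2 branch above this hunk still does `return process_machine` with whatever `is_wow_64_2` yields, so whether every branch returns a mapped flag or a raw integer depends on that property, and the two paths should be checked to agree. The enclosing `architecture` property starts before this hunk.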
+++ b/tests/test_simple_arm64.py 
@@ -0,0 +1,108 @@ +try: + import capstone +except ImportError as e: + capstone = None +import pytest + +import windows.native_exec.simple_arm64 as arm64 +from windows.native_exec.simple_arm64 import * + +from windows.pycompat import int_types + +if capstone: + disassembleur = capstone.Cs(capstone.CS_ARCH_ARM64, capstone.CS_MODE_ARM) + disassembleur.detail = True + +@pytest.fixture +def need_capstone(): + if capstone is None: + raise pytest.skip("Capstone is not installed") + return True + +pytestmark = pytest.mark.usefixtures("need_capstone") + + +def disas(x): + return list(disassembleur.disasm(x, 0)) + +mnemonic_name_exception = {'movabs': 'mov'} + + +class CheckInstr(object): + def __init__(self, instr_to_test, expected_result=None, immediat_accepted=None, must_fail=None, debug=False): + self.instr_to_test = instr_to_test + self.immediat_accepted = immediat_accepted + self.expected_result = expected_result + self.must_fail = must_fail + self.debug = debug + + def __call__(self, *args): + try: + if self.debug: + import pdb;pdb.set_trace() + pdb.DONE = True + arm64.DEBUG = self.debug + res = bytes(self.instr_to_test(*args).get_code()) + if self.debug: + print(repr(res)) + except ValueError as e: + if self.must_fail == True: + return True + else: + raise + else: + if self.must_fail: + raise ValueError("Instruction did not failed as expected") + capres_list = disas(res) + if len(capres_list) != 1: + raise AssertionError("Trying to disas an instruction resulted in multiple disassembled instrs") + capres = capres_list[0] + print("{0} {1}".format(capres.mnemonic, capres.op_str)) + if self.expected_result is not None: + if "{0} {1}".format(capres.mnemonic, capres.op_str) == self.expected_result: + return True + else: + raise AssertionError("Expected result <{0}> got <{1}>".format(self.expected_result, "{0} {1}".format(capres.mnemonic, capres.op_str))) + if len(res) != len(capres.bytes): + print("<{0}> vs <{1}>".format(repr(res), repr(capres.bytes))) + raise 
AssertionError("Not all bytes have been used by the disassembler") + self.compare_mnemo(capres) + self.compare_args(args, capres) + + def compare_mnemo(self, capres): + expected = self.instr_to_test.__name__.lower() + cap_mnemo = mnemonic_name_exception.get(str(capres.mnemonic), str(capres.mnemonic)) + if expected != cap_mnemo: + raise AssertionError("Expected menmo {0} got {1}".format(expected, str(capres.mnemonic))) + return True + + def compare_args(self, args, capres): + capres_op = list(capres.operands) + if len(args) != len(capres_op): + raise AssertionError("Expected {0} operands got {1}".format(len(args), len(capres_op))) + for op_args, cap_op in zip(args, capres_op): + if isinstance(op_args, str): # Register + if cap_op.type != capstone.arm64.ARM64_OP_REG: + raise AssertionError("Expected args {0} operands got {1}".format(op_args, capres_op)) + if op_args.lower() != capres.reg_name(cap_op.reg).lower(): + raise AssertionError("Expected register <{0}> got {1}".format(op_args.lower(), capres.reg_name(cap_op.reg).lower())) + elif isinstance(op_args, int_types): + if (op_args != cap_op.imm) and not (self.immediat_accepted and self.immediat_accepted == cap_op.imm): + raise AssertionError("Expected Immediat <{0}> got {1}".format(op_args, cap_op.imm)) + else: + raise ValueError("Unknow argument {0} of type {1}".format(op_args, type(op_args))) + +def test_assembler(): + CheckInstr(Add)('W0', 'W0', 0) + CheckInstr(Add)('W1', 'W0', 0) + CheckInstr(Add)('W30', 'W12', 0) + CheckInstr(Add)('W0', 'W0', 1) + + CheckInstr(Add)('X0', 'X0', 0) + CheckInstr(Add)('X30', 'X12', 0) + CheckInstr(Add)('X0', 'X0', 1) + CheckInstr(Add)('X11', 'X12', 0x123) + + # Error test todo + # CheckInstr(Add)('X11', 'W12', 0x123) + CheckInstr(Add)('X11', 'X12', 0x12345678) \ No newline at end of file diff --git a/windows/native_exec/simple_arm64.py b/windows/native_exec/simple_arm64.py new file mode 100644 index 00000000..5e0287fa --- /dev/null +++ b/windows/native_exec/simple_arm64.py 
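Review bot: The final assertion `CheckInstr(Add)('X11', 'X12', 0x12345678)` passes an immediate that cannot fit in imm12, and `CheckInstr.__call__` only treats a ValueError as an expected failure, and only when `must_fail` is set, so whatever the assembler raises for an oversized immediate errors the test instead of being asserted; it should read `CheckInstr(Add, must_fail=True)('X11', 'X12', 0x12345678)` with the assembler raising ValueError for that input. `if self.must_fail == True:` can be `if self.must_fail:`, and the `import pdb;pdb.set_trace()` / `pdb.DONE = True` lines in the debug path look like leftovers. `raise pytest.skip(...)` works because `pytest.skip` raises on its own, but the idiomatic form is a plain `pytest.skip("Capstone is not installed")`.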
@@ -0,0 +1,203 @@ +import sys +import collections +import struct +import binascii +import operator + + +# py3 +is_py3 = (sys.version_info.major >= 3) +if is_py3: + basestring = str + int_types = int +else: + int_types = (int, long) + +# https://documentation-service.arm.com/static/67581b3355451e3c38d97c22 +# Chapter C4: A64 Instruction Set Encoding: : + +## C2.1.3 +# 32-bit variant (sf = 0). +# 64-bit variant (sf = 1). + +## C2.1.5 +# The following symbol conventions are used: +# The 64-bit name of a general-purpose register (X0-X30) or the zero register (XZR). +# The 32-bit name of a general-purpose register (W0-W30) or the zero register (WZR). +# The 64-bit name of a general-purpose register (X0-X30) or the current stack pointer (SP). +# The 32-bit name of a general-purpose register (W0-W30) or the current stack pointer (WSP). +# , , , , +# The 8, 16, 32, 64, or 128-bit name of a SIMD and floating-point register in a scalar context, as +# described in Register names. +# The name of a SIMD and floating-point register in a vector context, as described in Register names. +# The name of an SVE scalable vector register, as described in Treatment of SVE scalable vector +# registers. +# The name of an SVE scalable predicate register, as described in Vector predication + + +# Make a special memoryview that match what is show in the ARM Chapter C4 ? 
+ +XREGISTER = {'X0', 'X1', 'X2', 'X3', 'X4', 'X5', 'X6', 'X7', 'X8', 'X9', 'X10', 'X11', 'X12', 'X13', 'X14', 'X15', 'X16', 'X17', 'X18', 'X19', 'X20', 'X21', 'X22', 'X23', 'X24', 'X25', 'X26', 'X27', 'X28', 'X29', 'X30'} +WREGISTER = {'W0', 'W1', 'W2', 'W3', 'W4', 'W5', 'W6', 'W7', 'W8', 'W9', 'W10', 'W11', 'W12', 'W13', 'W14', 'W15', 'W16', 'W17', 'W18', 'W19', 'W20', 'W21', 'W22', 'W23', 'W24', 'W25', 'W26', 'W27', 'W28', 'W29', 'W30'} +ALL_REGISTER = XREGISTER | WREGISTER +SP = "SP" +WSP = "WSP" + + +class InstructionEncoding(object): + def __init__(self): + super(InstructionEncoding, self).__init__() + # Bits are in + # 0 1 2 3 4 ... 31 + # Translation to real little-endian is done last + self.bytearray = bytearray(32) + self.bits = memoryview(self.bytearray) + + # Disable with SF = FALSE ? + self.bitness = None + + @classmethod + def is_register(self, arg, accept_sp): + arg = arg.upper() + return (accept_sp and (arg in [SP, WSP])) or arg in ALL_REGISTER + + @classmethod + def is_imm12(self, arg): + try: + value = int(arg) + except (ValueError, TypeError): + return False + return True # Check size max ? + + @classmethod + def is_shift(self, arg): + return True + + @classmethod + def gen(cls, **encoding_array): + class GeneratedEncoding(cls): + ENCODING_VALUES = encoding_array + return GeneratedEncoding + + # Instruction filing at instanciation + + def binencode_imm(self, immediat, outsize): + binstr = "{:0{outsize}b}".format(immediat, outsize=outsize) + assert len(binstr) == outsize, "Could not encode immediat {0} in {1} bits. 
Value take {2} bits".format(immediat, outsize, len(binstr)) + binlist = [int(c) for c in reversed(binstr)] + return bytearray(binlist) + + def setup_bitness(self, bitness): + assert bitness in (32, 64) + if self.bitness is None: + self.bitness = bitness + if bitness == 32: + self.sf[:] = b"\x00" + else: # bitness == 64: + self.sf[:] = b"\x01" + assert self.bitness == bitness, "bitness mismatch in instruction" + + def encode_register(self, register, outsize=5): + register = register.upper() + assert register in ALL_REGISTER + if register in XREGISTER: + self.setup_bitness(64) + else: + self.setup_bitness(32) + return self.binencode_imm(int(register[1:]), outsize) + + def setup_register(self, regfield, register): + encoded = self.encode_register(register) + regfield[:] = encoded + + # Instruction filing at instanciation + def setup_immediat(self, immfield, value): + immsize = len(immfield) + immfield[:] = self.binencode_imm(value, immsize) + return True + + + +# C4.1.93 Data Processing - Immediate + +class DataProcessingImmediate(InstructionEncoding): + def __init__(self): + super(DataProcessingImmediate, self).__init__() + self.bits[26:29] = bytearray((0,0,1)) + self.op0 = self.bits[29:31] + self.op1 = self.bits[22:26] + +class AddSubtractImmediate(DataProcessingImmediate): + SF = True + RD = True + RN = True + IMM12 = True + SH = True + + def __init__(self, argsdict): + super(AddSubtractImmediate, self).__init__() + self.sf = self.bits[31:32] # Keep it a memoryview + self.op = self.bits[30:31] # Keep it a memoryview + self.S = self.bits[29:30] # Keep it a memoryview + self.bits[23:29] = bytearray((0, 1, 0, 0, 0, 1)) + self.sh = self.bits[22:23] + self.imm12 = self.bits[10:22] + self.rn = self.bits[5:10] + self.rd = self.bits[0:5] + + for name, value in self.ENCODING_VALUES.items(): + print("{0} setting {1} to {2}".format(type(self).__name__, name, value)) + if isinstance(value, int): + value = bytearray((value,)) + # self.x[:] = value + getattr(self, name)[:] = 
value + + # Change instruction based of parameter + self.setup_register(self.rd, argsdict[0]) + self.setup_register(self.rn, argsdict[1]) + self.setup_immediat(self.imm12, argsdict[2]) + + + + + + @classmethod + def accept_arg(cls, argsdict): + return (cls.is_register(argsdict[0], accept_sp=True) and + cls.is_register(argsdict[1], accept_sp=True) and + cls.is_imm12(argsdict[2]) and + cls.is_shift(argsdict.get(3))) + +class Instruction(object): + encoding = [] + + def __init__(self, *args): + argsdict = dict(enumerate(args)) # Like a list but allow arg.get(4) + for encodcls in self.encoding: + if encodcls.accept_arg(argsdict): + self.encoded = encodcls(argsdict) + return + raise ValueError("Cannot encode <{0} {1}>:(".format(type(self).__name__, args)) + + def get_code(self): + intlist = list(self.encoded.bits) + if not is_py3: + intlist = [ord(x) for x in intlist] + # Our encoding to real little-endian + encoding_getter = operator.itemgetter(7, 6, 5, 4, 3, 2, 1, 0, 15, 14, 13, 12, 11, 10, 9, 8, 23, 22, 21, 20, 19, 18, 17, 16, 31, 30, 29, 28, 27, 26, 25, 24) + dword = 0 + for bit in encoding_getter(intlist): + assert bit in (0, 1), "Unexpected bite value in encoding of {0} : {1} in {2}".format(type(self).__name__, bit, intlist) + dword = (dword << 1) | bit + return struct.pack(">I", dword) # We already have handled endianess + + + + # Fix endianned + + +class Add(Instruction): + encoding = [AddSubtractImmediate.gen(op=0, S=0)] + +class Subs(Instruction): + encoding = [AddSubtractImmediate.gen(op=1, S=1)] From a7b6ddedd64b31d491127f058876c0b94444369a Mon Sep 17 00:00:00 2001 From: hakril Date: Thu, 23 Jan 2025 09:17:57 +0100 Subject: [PATCH 25/70] Add generated sources --- docs/source/winfuncs_generated.rst | 4 +- docs/source/winstructs_generated.rst | 1608 ++++++++++++++------------ 2 files changed, 851 insertions(+), 761 deletions(-) diff --git a/docs/source/winfuncs_generated.rst b/docs/source/winfuncs_generated.rst index 2a6706f0..64035bd8 100644 
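Review bot: `is_imm12` accepts any int (its own `# Check size max ?` comment admits this), so `Instruction.__init__` selects AddSubtractImmediate for immediates outside 0..4095 and the range error only surfaces later as an `assert` in `binencode_imm`, which disappears under `python -O`; a negative value is worse, since `"{:012b}".format(-1)` still has length 12 and the failure becomes an unrelated ValueError from `int('-')`. Range-checking in `is_imm12` lets encoder selection report `Cannot encode <...>` and a ValueError in `binencode_imm` replaces the assert, as sketched below. Similarly `is_register(..., accept_sp=True)` admits `SP`/`WSP` but `encode_register` then asserts `register in ALL_REGISTER`, so `Add('SP', 'SP', 0)` dies on an assertion rather than a ValueError; either encode SP as register 31 or stop accepting it. The `print(...)` in `AddSubtractImmediate.__init__` runs on every instantiation and should go.
```python
    @classmethod
    def is_imm12(cls, arg):
        try:
            value = int(arg)
        except (ValueError, TypeError):
            return False
        # imm12 is an unsigned 12-bit field; out-of-range values must not
        # select this encoding.
        return 0 <= value < (1 << 12)

    # … unchanged: is_shift, gen …

    def binencode_imm(self, immediat, outsize):
        if not 0 <= immediat < (1 << outsize):
            raise ValueError("Could not encode immediat {0} in {1} bits".format(immediat, outsize))
        binstr = "{:0{outsize}b}".format(immediat, outsize=outsize)
        binlist = [int(c) for c in reversed(binstr)]
        return bytearray(binlist)
```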
--- a/docs/source/winfuncs_generated.rst +++ b/docs/source/winfuncs_generated.rst @@ -696,7 +696,9 @@ Functions .. function:: FreeLibrary(hLibModule) -.. function:: RtlGetCurrentPeb() +.. function:: GetProcessInformation(hProcess, ProcessInformationClass, ProcessInformation, ProcessInformationSize) + +.. function:: SetProcessInformation(hProcess, ProcessInformationClass, ProcessInformation, ProcessInformationSize) .. function:: RegQueryValueExA(hKey, lpValueName, lpReserved, lpType, lpData, lpcbData) diff --git a/docs/source/winstructs_generated.rst b/docs/source/winstructs_generated.rst index 86e7fb27..562a0389 100644 --- a/docs/source/winstructs_generated.rst +++ b/docs/source/winstructs_generated.rst @@ -7956,6 +7956,28 @@ _IMAGE_LOAD_CONFIG_DIRECTORY64 :class:`ULONGLONG` +_PROCESS_MACHINE_INFORMATION +'''''''''''''''''''''''''''' +.. class:: PROCESS_MACHINE_INFORMATION + + Alias for :class:`_PROCESS_MACHINE_INFORMATION` + +.. class:: _PROCESS_MACHINE_INFORMATION + + .. attribute:: ProcessMachine + + :class:`USHORT` + + + .. attribute:: Res0 + + :class:`USHORT` + + + .. attribute:: MachineAttributes + + :class:`MACHINE_ATTRIBUTES` + _MEM_ADDRESS_REQUIREMENTS ''''''''''''''''''''''''' .. class:: MEM_ADDRESS_REQUIREMENTS 
@@ -29416,2106 +29438,2172 @@ _KEY_INFORMATION_CLASS .. attribute:: MaxKeyInfoClass(10) -MEM_EXTENDED_PARAMETER_TYPE -''''''''''''''''''''''''''' -.. class:: PMEM_EXTENDED_PARAMETER_TYPE +_MEMORY_INFORMATION_CLASS +''''''''''''''''''''''''' +.. class:: MEMORY_INFORMATION_CLASS - Pointer to :class:`MEM_EXTENDED_PARAMETER_TYPE` + Alias for :class:`_MEMORY_INFORMATION_CLASS` -.. class:: MEM_EXTENDED_PARAMETER_TYPE +.. class:: _MEMORY_INFORMATION_CLASS - .. attribute:: MemExtendedParameterInvalidType(0) + .. attribute:: MemoryBasicInformation(0) - .. attribute:: MemExtendedParameterAddressRequirements(1) + .. attribute:: MemoryWorkingSetList(1) - .. attribute:: MemExtendedParameterNumaNode(2) + .. attribute:: MemorySectionName(2) - .. attribute:: MemExtendedParameterPartitionHandle(3) + .. attribute:: MemoryBasicVlmInformation(3) - .. attribute:: MemExtendedParameterUserPhysicalHandle(4) + .. attribute:: MemoryWorkingSetListEx(4) +_THREAD_INFORMATION_CLASS +''''''''''''''''''''''''' +.. class:: PTHREAD_INFORMATION_CLASS - .. attribute:: MemExtendedParameterAttributeFlags(5) + Pointer to :class:`_THREAD_INFORMATION_CLASS` - .. attribute:: MemExtendedParameterImageMachine(6) +.. class:: THREAD_INFORMATION_CLASS + Alias for :class:`_THREAD_INFORMATION_CLASS` - .. attribute:: MemExtendedParameterMax(7) -_SC_STATUS_TYPE -''''''''''''''' -.. class:: SC_STATUS_TYPE +.. class:: _THREAD_INFORMATION_CLASS - Alias for :class:`_SC_STATUS_TYPE` + .. attribute:: ThreadBasicInformation(0) -.. class:: _SC_STATUS_TYPE + .. attribute:: ThreadTimes(1) - .. attribute:: SC_STATUS_PROCESS_INFO(0) -_SC_ENUM_TYPE -''''''''''''' -.. class:: SC_ENUM_TYPE + .. attribute:: ThreadPriority(2) - Alias for :class:`_SC_ENUM_TYPE` + .. attribute:: ThreadBasePriority(3) -.. class:: _SC_ENUM_TYPE + .. attribute:: ThreadAffinityMask(4) - .. attribute:: SC_ENUM_PROCESS_INFO(0) -ACTIVATEOPTIONS -''''''''''''''' -.. class:: ACTIVATEOPTIONS + .. attribute:: ThreadImpersonationToken(5) - .. 
attribute:: AO_NONE(0) + .. attribute:: ThreadDescriptorTableEntry(6) - .. attribute:: AO_DESIGNMODE(1) + .. attribute:: ThreadEnableAlignmentFaultFixup(7) - .. attribute:: AO_NOERRORUI(2) + .. attribute:: ThreadEventPair(8) - .. attribute:: AO_NOSPLASHSCREEN(4) + .. attribute:: ThreadQuerySetWin32StartAddress(9) - .. attribute:: AO_PRELAUNCH(33554432) + .. attribute:: ThreadZeroTlsCell(10) -PACKAGE_EXECUTION_STATE -''''''''''''''''''''''' -.. class:: PACKAGE_EXECUTION_STATE + .. attribute:: ThreadPerformanceCount(11) - .. attribute:: PES_UNKNOWN(0) + .. attribute:: ThreadAmILastThread(12) - .. attribute:: PES_RUNNING(1) + .. attribute:: ThreadIdealProcessor(13) - .. attribute:: PES_SUSPENDING(2) + .. attribute:: ThreadPriorityBoost(14) - .. attribute:: PES_SUSPENDED(3) + .. attribute:: ThreadSetTlsArrayAddress(15) - .. attribute:: PES_TERMINATED(4) -SYM_TYPE -'''''''' -.. class:: SYM_TYPE + .. attribute:: ThreadIsIoPending(16) - .. attribute:: SymNone(0) + .. attribute:: ThreadHideFromDebugger(17) +_PROCESSINFOCLASS +''''''''''''''''' +.. class:: PROCESSINFOCLASS - .. attribute:: SymCoff(1) + Alias for :class:`_PROCESSINFOCLASS` - .. attribute:: SymCv(2) +.. class:: _PROCESSINFOCLASS - .. attribute:: SymPdb(3) + .. attribute:: ProcessBasicInformation(0) - .. attribute:: SymExport(4) + .. attribute:: ProcessQuotaLimits(1) - .. attribute:: SymDeferred(5) + .. attribute:: ProcessIoCounters(2) - .. attribute:: SymSym(6) + .. attribute:: ProcessVmCounters(3) - .. attribute:: SymDia(7) + .. attribute:: ProcessTimes(4) - .. attribute:: SymVirtual(8) + .. attribute:: ProcessBasePriority(5) - .. attribute:: NumSymTypes(9) + .. attribute:: ProcessRaisePriority(6) -BasicType -''''''''' -.. class:: BasicType + .. attribute:: ProcessDebugPort(7) - .. attribute:: btNoType(0) + .. attribute:: ProcessExceptionPort(8) - .. attribute:: btVoid(1) + .. attribute:: ProcessAccessToken(9) - .. attribute:: btChar(2) + .. attribute:: ProcessLdtInformation(10) - .. 
attribute:: btWChar(3) + .. attribute:: ProcessLdtSize(11) - .. attribute:: btInt(6) + .. attribute:: ProcessDefaultHardErrorMode(12) - .. attribute:: btUInt(7) + .. attribute:: ProcessIoPortHandlers(13) - .. attribute:: btFloat(8) + .. attribute:: ProcessPooledUsageAndLimits(14) - .. attribute:: btBCD(9) + .. attribute:: ProcessWorkingSetWatch(15) - .. attribute:: btBool(10) + .. attribute:: ProcessUserModeIOPL(16) - .. attribute:: btLong(13) + .. attribute:: ProcessEnableAlignmentFaultFixup(17) - .. attribute:: btULong(14) + .. attribute:: ProcessPriorityClass(18) - .. attribute:: btCurrency(25) + .. attribute:: ProcessWx86Information(19) - .. attribute:: btDate(26) + .. attribute:: ProcessHandleCount(20) - .. attribute:: btVariant(27) + .. attribute:: ProcessAffinityMask(21) - .. attribute:: btComplex(28) + .. attribute:: ProcessPriorityBoost(22) - .. attribute:: btBit(29) + .. attribute:: ProcessDeviceMap(23) - .. attribute:: btBSTR(30) + .. attribute:: ProcessSessionInformation(24) - .. attribute:: btHresult(31) -DataKind -'''''''' -.. class:: DataKind + .. attribute:: ProcessForegroundInformation(25) - .. attribute:: DataIsUnknown(0) + .. attribute:: ProcessWow64Information(26) - .. attribute:: DataIsLocal(1) + .. attribute:: ProcessImageFileName(27) - .. attribute:: DataIsStaticLocal(2) + .. attribute:: ProcessLUIDDeviceMapsEnabled(28) - .. attribute:: DataIsParam(3) + .. attribute:: ProcessBreakOnTermination(29) - .. attribute:: DataIsObjectPtr(4) + .. attribute:: ProcessDebugObjectHandle(30) - .. attribute:: DataIsFileStatic(5) + .. attribute:: ProcessDebugFlags(31) - .. attribute:: DataIsGlobal(6) + .. attribute:: ProcessHandleTracing(32) - .. attribute:: DataIsMember(7) + .. attribute:: ProcessIoPriority(33) - .. attribute:: DataIsStaticMember(8) + .. attribute:: ProcessExecuteFlags(34) - .. attribute:: DataIsConstant(9) + .. attribute:: ProcessTlsInformation(35) -UdtKind -''''''' -.. class:: UdtKind + .. attribute:: ProcessCookie(36) - .. 
attribute:: UdtStruct(0) + .. attribute:: ProcessImageInformation(37) - .. attribute:: UdtClass(1) + .. attribute:: ProcessCycleTime(38) - .. attribute:: UdtUnion(2) -_SymTagEnum -''''''''''' -.. class:: SymTagEnum + .. attribute:: ProcessPagePriority(39) - Alias for :class:`_SymTagEnum` + .. attribute:: ProcessInstrumentationCallback(40) -.. class:: _SymTagEnum + .. attribute:: ProcessThreadStackAllocation(41) - .. attribute:: SymTagNull(0) + .. attribute:: ProcessWorkingSetWatchEx(42) - .. attribute:: SymTagExe(1) + .. attribute:: ProcessImageFileNameWin32(43) - .. attribute:: SymTagCompiland(2) + .. attribute:: ProcessImageFileMapping(44) - .. attribute:: SymTagCompilandDetails(3) + .. attribute:: ProcessAffinityUpdateMode(45) - .. attribute:: SymTagCompilandEnv(4) + .. attribute:: ProcessMemoryAllocationMode(46) - .. attribute:: SymTagFunction(5) + .. attribute:: ProcessGroupInformation(47) - .. attribute:: SymTagBlock(6) + .. attribute:: ProcessTokenVirtualizationEnabled(48) - .. attribute:: SymTagData(7) + .. attribute:: ProcessOwnerInformation(49) - .. attribute:: SymTagAnnotation(8) + .. attribute:: ProcessWindowInformation(50) - .. attribute:: SymTagLabel(9) + .. attribute:: ProcessHandleInformation(51) - .. attribute:: SymTagPublicSymbol(10) + .. attribute:: ProcessMitigationPolicy(52) - .. attribute:: SymTagUDT(11) + .. attribute:: ProcessDynamicFunctionTableInformation(53) - .. attribute:: SymTagEnum(12) + .. attribute:: ProcessHandleCheckingMode(54) - .. attribute:: SymTagFunctionType(13) + .. attribute:: ProcessKeepAliveCount(55) - .. attribute:: SymTagPointerType(14) + .. attribute:: ProcessRevokeFileHandles(56) - .. attribute:: SymTagArrayType(15) + .. attribute:: ProcessWorkingSetControl(57) - .. attribute:: SymTagBaseType(16) + .. attribute:: ProcessHandleTable(58) - .. attribute:: SymTagTypedef(17) + .. attribute:: ProcessCheckStackExtentsMode(59) - .. attribute:: SymTagBaseClass(18) + .. attribute:: ProcessCommandLineInformation(60) - .. 
attribute:: SymTagFriend(19) + .. attribute:: ProcessProtectionInformation(61) - .. attribute:: SymTagFunctionArgType(20) + .. attribute:: ProcessMemoryExhaustion(62) - .. attribute:: SymTagFuncDebugStart(21) + .. attribute:: ProcessFaultInformation(63) - .. attribute:: SymTagFuncDebugEnd(22) + .. attribute:: ProcessTelemetryIdInformation(64) - .. attribute:: SymTagUsingNamespace(23) + .. attribute:: ProcessCommitReleaseInformation(65) - .. attribute:: SymTagVTableShape(24) + .. attribute:: ProcessReserved1Information(66) - .. attribute:: SymTagVTable(25) + .. attribute:: ProcessReserved2Information(67) - .. attribute:: SymTagCustom(26) + .. attribute:: ProcessSubsystemProcess(68) - .. attribute:: SymTagThunk(27) + .. attribute:: ProcessInPrivate(70) - .. attribute:: SymTagCustomType(28) + .. attribute:: ProcessRaiseUMExceptionOnInvalidHandleClose(71) - .. attribute:: SymTagManagedType(29) + .. attribute:: ProcessSubsystemInformation(75) - .. attribute:: SymTagDimension(30) -_IMAGEHLP_EXTENDED_OPTIONS -'''''''''''''''''''''''''' -.. class:: IMAGEHLP_EXTENDED_OPTIONS + .. attribute:: ProcessWin32kSyscallFilterInformation(79) - Alias for :class:`_IMAGEHLP_EXTENDED_OPTIONS` + .. attribute:: ProcessEnergyTrackingState(82) -.. class:: _IMAGEHLP_EXTENDED_OPTIONS + .. attribute:: MaxProcessInfoClass(83) - .. attribute:: SYMOPT_EX_DISABLEACCESSTIMEUPDATE(0) +_PROCESS_INFORMATION_CLASS +'''''''''''''''''''''''''' +.. class:: PROCESS_INFORMATION_CLASS + Alias for :class:`_PROCESS_INFORMATION_CLASS` - .. attribute:: SYMOPT_EX_MAX(1) +.. class:: _PROCESS_INFORMATION_CLASS - .. attribute:: SYMOPT_EX_LASTVALIDDEBUGDIRECTORY(2) -_IMAGEHLP_SYMBOL_TYPE_INFO -'''''''''''''''''''''''''' -.. class:: IMAGEHLP_SYMBOL_TYPE_INFO + .. attribute:: ProcessMemoryPriority(0) - Alias for :class:`_IMAGEHLP_SYMBOL_TYPE_INFO` + .. attribute:: ProcessMemoryExhaustionInfo(1) -.. class:: _IMAGEHLP_SYMBOL_TYPE_INFO + .. attribute:: ProcessAppMemoryInfo(2) - .. attribute:: TI_GET_SYMTAG(0) + .. 
attribute:: ProcessInPrivateInfo(3) - .. attribute:: TI_GET_SYMNAME(1) + .. attribute:: ProcessPowerThrottling(4) - .. attribute:: TI_GET_LENGTH(2) + .. attribute:: ProcessReservedValue1(5) - .. attribute:: TI_GET_TYPE(3) + .. attribute:: ProcessTelemetryCoverageInfo(6) - .. attribute:: TI_GET_TYPEID(4) + .. attribute:: ProcessProtectionLevelInfo(7) - .. attribute:: TI_GET_BASETYPE(5) + .. attribute:: ProcessLeapSecondInfo(8) - .. attribute:: TI_GET_ARRAYINDEXTYPEID(6) + .. attribute:: ProcessMachineTypeInfo(9) - .. attribute:: TI_FINDCHILDREN(7) + .. attribute:: ProcessOverrideSubsequentPrefetchParameter(10) - .. attribute:: TI_GET_DATAKIND(8) + .. attribute:: ProcessMaxOverridePrefetchParameter(11) - .. attribute:: TI_GET_ADDRESSOFFSET(9) + .. attribute:: ProcessInformationClassMax(12) - .. attribute:: TI_GET_OFFSET(10) +_MACHINE_ATTRIBUTES +''''''''''''''''''' +.. class:: MACHINE_ATTRIBUTES + Alias for :class:`_MACHINE_ATTRIBUTES` - .. attribute:: TI_GET_VALUE(11) +.. class:: _MACHINE_ATTRIBUTES - .. attribute:: TI_GET_COUNT(12) + .. attribute:: UserEnabled(1) - .. attribute:: TI_GET_CHILDRENCOUNT(13) + .. attribute:: KernelEnabled(2) - .. attribute:: TI_GET_BITPOSITION(14) + .. attribute:: Wow64Container(4) - .. attribute:: TI_GET_VIRTUALBASECLASS(15) +MEM_EXTENDED_PARAMETER_TYPE +''''''''''''''''''''''''''' +.. class:: PMEM_EXTENDED_PARAMETER_TYPE + Pointer to :class:`MEM_EXTENDED_PARAMETER_TYPE` - .. attribute:: TI_GET_VIRTUALTABLESHAPEID(16) +.. class:: MEM_EXTENDED_PARAMETER_TYPE - .. attribute:: TI_GET_VIRTUALBASEPOINTEROFFSET(17) + .. attribute:: MemExtendedParameterInvalidType(0) - .. attribute:: TI_GET_CLASSPARENTID(18) + .. attribute:: MemExtendedParameterAddressRequirements(1) - .. attribute:: TI_GET_NESTED(19) + .. attribute:: MemExtendedParameterNumaNode(2) - .. attribute:: TI_GET_SYMINDEX(20) + .. attribute:: MemExtendedParameterPartitionHandle(3) - .. attribute:: TI_GET_LEXICALPARENT(21) + .. 
attribute:: MemExtendedParameterUserPhysicalHandle(4) - .. attribute:: TI_GET_ADDRESS(22) + .. attribute:: MemExtendedParameterAttributeFlags(5) - .. attribute:: TI_GET_THISADJUST(23) + .. attribute:: MemExtendedParameterImageMachine(6) - .. attribute:: TI_GET_UDTKIND(24) + .. attribute:: MemExtendedParameterMax(7) - .. attribute:: TI_IS_EQUIV_TO(25) +_SC_STATUS_TYPE +''''''''''''''' +.. class:: SC_STATUS_TYPE + Alias for :class:`_SC_STATUS_TYPE` - .. attribute:: TI_GET_CALLING_CONVENTION(26) +.. class:: _SC_STATUS_TYPE - .. attribute:: TI_IS_CLOSE_EQUIV_TO(27) + .. attribute:: SC_STATUS_PROCESS_INFO(0) - .. attribute:: TI_GTIEX_REQS_VALID(28) +_SC_ENUM_TYPE +''''''''''''' +.. class:: SC_ENUM_TYPE + Alias for :class:`_SC_ENUM_TYPE` - .. attribute:: TI_GET_VIRTUALBASEOFFSET(29) +.. class:: _SC_ENUM_TYPE - .. attribute:: TI_GET_VIRTUALBASEDISPINDEX(30) + .. attribute:: SC_ENUM_PROCESS_INFO(0) - .. attribute:: TI_GET_IS_REFERENCE(31) +ACTIVATEOPTIONS +''''''''''''''' +.. class:: ACTIVATEOPTIONS - .. attribute:: TI_GET_INDIRECTVIRTUALBASECLASS(32) + .. attribute:: AO_NONE(0) - .. attribute:: IMAGEHLP_SYMBOL_TYPE_INFO_MAX(33) + .. attribute:: AO_DESIGNMODE(1) -_CBA_EVENT_SEVERITY -''''''''''''''''''' -.. class:: CBA_EVENT_SEVERITY - Alias for :class:`_CBA_EVENT_SEVERITY` + .. attribute:: AO_NOERRORUI(2) -.. class:: _CBA_EVENT_SEVERITY + .. attribute:: AO_NOSPLASHSCREEN(4) - .. attribute:: sevInfo(0) + .. attribute:: AO_PRELAUNCH(33554432) +PACKAGE_EXECUTION_STATE +''''''''''''''''''''''' +.. class:: PACKAGE_EXECUTION_STATE - .. attribute:: sevProblem(1) + .. attribute:: PES_UNKNOWN(0) - .. attribute:: sevAttn(2) + .. attribute:: PES_RUNNING(1) - .. attribute:: sevFatal(3) + .. attribute:: PES_SUSPENDING(2) - .. attribute:: sevMax(4) -ADDRESS_MODE -'''''''''''' -.. class:: ADDRESS_MODE + .. attribute:: PES_SUSPENDED(3) - .. attribute:: AddrMode1616(0) + .. attribute:: PES_TERMINATED(4) +SYM_TYPE +'''''''' +.. class:: SYM_TYPE - .. attribute:: AddrMode1632(1) + .. 
attribute:: SymNone(0) - .. attribute:: AddrModeReal(2) + .. attribute:: SymCoff(1) - .. attribute:: AddrModeFlat(3) -_COMPUTER_NAME_FORMAT -''''''''''''''''''''' -.. class:: COMPUTER_NAME_FORMAT + .. attribute:: SymCv(2) - Alias for :class:`_COMPUTER_NAME_FORMAT` + .. attribute:: SymPdb(3) -.. class:: _COMPUTER_NAME_FORMAT + .. attribute:: SymExport(4) - .. attribute:: ComputerNameNetBIOS(0) + .. attribute:: SymDeferred(5) - .. attribute:: ComputerNameDnsHostname(1) + .. attribute:: SymSym(6) - .. attribute:: ComputerNameDnsDomain(2) + .. attribute:: SymDia(7) - .. attribute:: ComputerNameDnsFullyQualified(3) + .. attribute:: SymVirtual(8) - .. attribute:: ComputerNamePhysicalNetBIOS(4) + .. attribute:: NumSymTypes(9) - .. attribute:: ComputerNamePhysicalDnsHostname(5) +BasicType +''''''''' +.. class:: BasicType - .. attribute:: ComputerNamePhysicalDnsDomain(6) + .. attribute:: btNoType(0) - .. attribute:: ComputerNamePhysicalDnsFullyQualified(7) + .. attribute:: btVoid(1) - .. attribute:: ComputerNameMax(8) + .. attribute:: btChar(2) -_TASK_ACTION_TYPE -''''''''''''''''' -.. class:: TASK_ACTION_TYPE - Alias for :class:`_TASK_ACTION_TYPE` + .. attribute:: btWChar(3) -.. class:: _TASK_ACTION_TYPE + .. attribute:: btInt(6) - .. attribute:: TASK_ACTION_EXEC(0) + .. attribute:: btUInt(7) - .. attribute:: TASK_ACTION_COM_HANDLER(5) + .. attribute:: btFloat(8) - .. attribute:: TASK_ACTION_SEND_EMAIL(6) + .. attribute:: btBCD(9) - .. attribute:: TASK_ACTION_SHOW_MESSAGE(7) + .. attribute:: btBool(10) -_TASK_RUNLEVEL_TYPE -''''''''''''''''''' -.. class:: TASK_RUNLEVEL_TYPE - Alias for :class:`_TASK_RUNLEVEL_TYPE` + .. attribute:: btLong(13) -.. class:: _TASK_RUNLEVEL_TYPE + .. attribute:: btULong(14) - .. attribute:: TASK_RUNLEVEL_LUA(0) + .. attribute:: btCurrency(25) - .. attribute:: TASK_RUNLEVEL_HIGHEST(1) + .. attribute:: btDate(26) -_TASK_LOGON_TYPE -'''''''''''''''' -.. class:: TASK_LOGON_TYPE - Alias for :class:`_TASK_LOGON_TYPE` + .. attribute:: btVariant(27) -.. 
class:: _TASK_LOGON_TYPE + .. attribute:: btComplex(28) - .. attribute:: TASK_LOGON_NONE(0) + .. attribute:: btBit(29) - .. attribute:: TASK_LOGON_PASSWORD(1) + .. attribute:: btBSTR(30) - .. attribute:: TASK_LOGON_S4U(2) + .. attribute:: btHresult(31) +DataKind +'''''''' +.. class:: DataKind - .. attribute:: TASK_LOGON_INTERACTIVE_TOKEN(3) + .. attribute:: DataIsUnknown(0) - .. attribute:: TASK_LOGON_GROUP(4) + .. attribute:: DataIsLocal(1) - .. attribute:: TASK_LOGON_SERVICE_ACCOUNT(5) + .. attribute:: DataIsStaticLocal(2) - .. attribute:: TASK_LOGON_INTERACTIVE_TOKEN_OR_PASSWORD(6) -_TASK_STATE -''''''''''' -.. class:: TASK_STATE + .. attribute:: DataIsParam(3) - Alias for :class:`_TASK_STATE` + .. attribute:: DataIsObjectPtr(4) -.. class:: _TASK_STATE + .. attribute:: DataIsFileStatic(5) - .. attribute:: TASK_STATE_UNKNOWN(0) + .. attribute:: DataIsGlobal(6) - .. attribute:: TASK_STATE_DISABLED(1) + .. attribute:: DataIsMember(7) - .. attribute:: TASK_STATE_QUEUED(2) + .. attribute:: DataIsStaticMember(8) - .. attribute:: TASK_STATE_READY(3) + .. attribute:: DataIsConstant(9) - .. attribute:: TASK_STATE_RUNNING(4) +UdtKind +''''''' +.. class:: UdtKind -_TASK_INSTANCES_POLICY -'''''''''''''''''''''' -.. class:: TASK_INSTANCES_POLICY - Alias for :class:`_TASK_INSTANCES_POLICY` + .. attribute:: UdtStruct(0) -.. class:: _TASK_INSTANCES_POLICY + .. attribute:: UdtClass(1) - .. attribute:: TASK_INSTANCES_PARALLEL(0) + .. attribute:: UdtUnion(2) +_SymTagEnum +''''''''''' +.. class:: SymTagEnum - .. attribute:: TASK_INSTANCES_QUEUE(1) + Alias for :class:`_SymTagEnum` - .. attribute:: TASK_INSTANCES_IGNORE_NEW(2) +.. class:: _SymTagEnum - .. attribute:: TASK_INSTANCES_STOP_EXISTING(3) + .. attribute:: SymTagNull(0) -_TASK_COMPATIBILITY -''''''''''''''''''' -.. class:: TASK_COMPATIBILITY - Alias for :class:`_TASK_COMPATIBILITY` + .. attribute:: SymTagExe(1) -.. class:: _TASK_COMPATIBILITY + .. attribute:: SymTagCompiland(2) - .. attribute:: TASK_COMPATIBILITY_AT(0) + .. 
attribute:: SymTagCompilandDetails(3) - .. attribute:: TASK_COMPATIBILITY_V1(1) + .. attribute:: SymTagCompilandEnv(4) - .. attribute:: TASK_COMPATIBILITY_V2(2) + .. attribute:: SymTagFunction(5) -_TASK_TRIGGER_TYPE2 -''''''''''''''''''' -.. class:: TASK_TRIGGER_TYPE2 - Alias for :class:`_TASK_TRIGGER_TYPE2` + .. attribute:: SymTagBlock(6) -.. class:: _TASK_TRIGGER_TYPE2 + .. attribute:: SymTagData(7) - .. attribute:: TASK_TRIGGER_EVENT(0) + .. attribute:: SymTagAnnotation(8) - .. attribute:: TASK_TRIGGER_TIME(1) + .. attribute:: SymTagLabel(9) - .. attribute:: TASK_TRIGGER_DAILY(2) + .. attribute:: SymTagPublicSymbol(10) - .. attribute:: TASK_TRIGGER_WEEKLY(3) + .. attribute:: SymTagUDT(11) - .. attribute:: TASK_TRIGGER_MONTHLY(4) + .. attribute:: SymTagEnum(12) - .. attribute:: TASK_TRIGGER_MONTHLYDOW(5) + .. attribute:: SymTagFunctionType(13) - .. attribute:: TASK_TRIGGER_IDLE(6) + .. attribute:: SymTagPointerType(14) - .. attribute:: TASK_TRIGGER_REGISTRATION(7) + .. attribute:: SymTagArrayType(15) - .. attribute:: TASK_TRIGGER_BOOT(8) + .. attribute:: SymTagBaseType(16) - .. attribute:: TASK_TRIGGER_LOGON(9) + .. attribute:: SymTagTypedef(17) - .. attribute:: TASK_TRIGGER_SESSION_STATE_CHANGE(11) + .. attribute:: SymTagBaseClass(18) -_TASK_ENUM_FLAGS -'''''''''''''''' -.. class:: TASK_ENUM_FLAGS - Alias for :class:`_TASK_ENUM_FLAGS` + .. attribute:: SymTagFriend(19) -.. class:: _TASK_ENUM_FLAGS + .. attribute:: SymTagFunctionArgType(20) - .. attribute:: TASK_ENUM_HIDDEN(1) + .. attribute:: SymTagFuncDebugStart(21) -_TASK_CREATION -'''''''''''''' -.. class:: TASK_CREATION - Alias for :class:`_TASK_CREATION` + .. attribute:: SymTagFuncDebugEnd(22) -.. class:: _TASK_CREATION + .. attribute:: SymTagUsingNamespace(23) - .. attribute:: TASK_VALIDATE_ONLY(1) + .. attribute:: SymTagVTableShape(24) - .. attribute:: TASK_CREATE(2) + .. attribute:: SymTagVTable(25) - .. attribute:: TASK_UPDATE(4) + .. attribute:: SymTagCustom(26) - .. 
attribute:: TASK_CREATE_OR_UPDATE(6) + .. attribute:: SymTagThunk(27) - .. attribute:: TASK_DISABLE(8) + .. attribute:: SymTagCustomType(28) - .. attribute:: TASK_DONT_ADD_PRINCIPAL_ACE(16) + .. attribute:: SymTagManagedType(29) - .. attribute:: TASK_IGNORE_REGISTRATION_TRIGGERS(32) + .. attribute:: SymTagDimension(30) -TASK_RUN_FLAGS -'''''''''''''' -.. class:: TASK_RUN_FLAGS +_IMAGEHLP_EXTENDED_OPTIONS +'''''''''''''''''''''''''' +.. class:: IMAGEHLP_EXTENDED_OPTIONS + Alias for :class:`_IMAGEHLP_EXTENDED_OPTIONS` - .. attribute:: TASK_RUN_NO_FLAGS(0) +.. class:: _IMAGEHLP_EXTENDED_OPTIONS - .. attribute:: TASK_RUN_AS_SELF(1) + .. attribute:: SYMOPT_EX_DISABLEACCESSTIMEUPDATE(0) - .. attribute:: TASK_RUN_IGNORE_CONSTRAINTS(2) + .. attribute:: SYMOPT_EX_MAX(1) - .. attribute:: TASK_RUN_USE_SESSION_ID(4) + .. attribute:: SYMOPT_EX_LASTVALIDDEBUGDIRECTORY(2) - .. attribute:: TASK_RUN_USER_SID(8) +_IMAGEHLP_SYMBOL_TYPE_INFO +'''''''''''''''''''''''''' +.. class:: IMAGEHLP_SYMBOL_TYPE_INFO -_SYSTEM_INFORMATION_CLASS -''''''''''''''''''''''''' -.. class:: SYSTEM_INFORMATION_CLASS + Alias for :class:`_IMAGEHLP_SYMBOL_TYPE_INFO` - Alias for :class:`_SYSTEM_INFORMATION_CLASS` +.. class:: _IMAGEHLP_SYMBOL_TYPE_INFO -.. class:: _SYSTEM_INFORMATION_CLASS + .. attribute:: TI_GET_SYMTAG(0) - .. attribute:: SystemBasicInformation(0) + .. attribute:: TI_GET_SYMNAME(1) - .. attribute:: SystemProcessorInformation(1) + .. attribute:: TI_GET_LENGTH(2) - .. attribute:: SystemPerformanceInformation(2) + .. attribute:: TI_GET_TYPE(3) - .. attribute:: SystemTimeOfDayInformation(3) + .. attribute:: TI_GET_TYPEID(4) - .. attribute:: SystemPathInformation(4) + .. attribute:: TI_GET_BASETYPE(5) - .. attribute:: SystemProcessInformation(5) + .. attribute:: TI_GET_ARRAYINDEXTYPEID(6) - .. attribute:: SystemCallCountInformation(6) + .. attribute:: TI_FINDCHILDREN(7) - .. attribute:: SystemDeviceInformation(7) + .. attribute:: TI_GET_DATAKIND(8) - .. 
attribute:: SystemProcessorPerformanceInformation(8) + .. attribute:: TI_GET_ADDRESSOFFSET(9) - .. attribute:: SystemFlagsInformation(9) + .. attribute:: TI_GET_OFFSET(10) - .. attribute:: SystemCallTimeInformation(10) + .. attribute:: TI_GET_VALUE(11) - .. attribute:: SystemModuleInformation(11) + .. attribute:: TI_GET_COUNT(12) - .. attribute:: SystemLocksInformation(12) + .. attribute:: TI_GET_CHILDRENCOUNT(13) - .. attribute:: SystemStackTraceInformation(13) + .. attribute:: TI_GET_BITPOSITION(14) - .. attribute:: SystemPagedPoolInformation(14) + .. attribute:: TI_GET_VIRTUALBASECLASS(15) - .. attribute:: SystemNonPagedPoolInformation(15) + .. attribute:: TI_GET_VIRTUALTABLESHAPEID(16) - .. attribute:: SystemHandleInformation(16) + .. attribute:: TI_GET_VIRTUALBASEPOINTEROFFSET(17) - .. attribute:: SystemObjectInformation(17) + + .. attribute:: TI_GET_CLASSPARENTID(18) - .. attribute:: SystemPageFileInformation(18) + .. attribute:: TI_GET_NESTED(19) - .. attribute:: SystemVdmInstemulInformation(19) + .. attribute:: TI_GET_SYMINDEX(20) - .. attribute:: SystemVdmBopInformation(20) + .. attribute:: TI_GET_LEXICALPARENT(21) - .. attribute:: SystemFileCacheInformation(21) + .. attribute:: TI_GET_ADDRESS(22) - .. attribute:: SystemPoolTagInformation(22) + .. attribute:: TI_GET_THISADJUST(23) - .. attribute:: SystemInterruptInformation(23) + .. attribute:: TI_GET_UDTKIND(24) - .. attribute:: SystemDpcBehaviorInformation(24) + .. attribute:: TI_IS_EQUIV_TO(25) - .. attribute:: SystemFullMemoryInformation(25) + .. attribute:: TI_GET_CALLING_CONVENTION(26) - .. attribute:: SystemLoadGdiDriverInformation(26) + .. attribute:: TI_IS_CLOSE_EQUIV_TO(27) - .. attribute:: SystemUnloadGdiDriverInformation(27) + .. attribute:: TI_GTIEX_REQS_VALID(28) - .. attribute:: SystemTimeAdjustmentInformation(28) + .. attribute:: TI_GET_VIRTUALBASEOFFSET(29) - .. attribute:: SystemSummaryMemoryInformation(29) + .. attribute:: TI_GET_VIRTUALBASEDISPINDEX(30) - .. 
attribute:: SystemMirrorMemoryInformation(30) + .. attribute:: TI_GET_IS_REFERENCE(31) - .. attribute:: SystemPerformanceTraceInformation(31) + .. attribute:: TI_GET_INDIRECTVIRTUALBASECLASS(32) - .. attribute:: SystemObsolete0(32) + .. attribute:: IMAGEHLP_SYMBOL_TYPE_INFO_MAX(33) +_CBA_EVENT_SEVERITY +''''''''''''''''''' +.. class:: CBA_EVENT_SEVERITY - .. attribute:: SystemExceptionInformation(33) + Alias for :class:`_CBA_EVENT_SEVERITY` - .. attribute:: SystemCrashDumpStateInformation(34) +.. class:: _CBA_EVENT_SEVERITY - .. attribute:: SystemKernelDebuggerInformation(35) + .. attribute:: sevInfo(0) - .. attribute:: SystemContextSwitchInformation(36) + .. attribute:: sevProblem(1) - .. attribute:: SystemRegistryQuotaInformation(37) + .. attribute:: sevAttn(2) - .. attribute:: SystemExtendServiceTableInformation(38) + .. attribute:: sevFatal(3) - .. attribute:: SystemPrioritySeperation(39) + .. attribute:: sevMax(4) +ADDRESS_MODE +'''''''''''' +.. class:: ADDRESS_MODE - .. attribute:: SystemVerifierAddDriverInformation(40) + .. attribute:: AddrMode1616(0) - .. attribute:: SystemVerifierRemoveDriverInformation(41) + .. attribute:: AddrMode1632(1) - .. attribute:: SystemProcessorIdleInformation(42) + .. attribute:: AddrModeReal(2) - .. attribute:: SystemLegacyDriverInformation(43) + .. attribute:: AddrModeFlat(3) - .. attribute:: SystemCurrentTimeZoneInformation(44) +_COMPUTER_NAME_FORMAT +''''''''''''''''''''' +.. class:: COMPUTER_NAME_FORMAT + Alias for :class:`_COMPUTER_NAME_FORMAT` - .. attribute:: SystemLookasideInformation(45) +.. class:: _COMPUTER_NAME_FORMAT - .. attribute:: SystemTimeSlipNotification(46) + .. attribute:: ComputerNameNetBIOS(0) - .. attribute:: SystemSessionCreate(47) + .. attribute:: ComputerNameDnsHostname(1) - .. attribute:: SystemSessionDetach(48) + .. attribute:: ComputerNameDnsDomain(2) - .. attribute:: SystemSessionInformation(49) + .. attribute:: ComputerNameDnsFullyQualified(3) - .. attribute:: SystemRangeStartInformation(50) + .. 
attribute:: ComputerNamePhysicalNetBIOS(4) - .. attribute:: SystemVerifierInformation(51) + .. attribute:: ComputerNamePhysicalDnsHostname(5) - .. attribute:: SystemVerifierThunkExtend(52) + .. attribute:: ComputerNamePhysicalDnsDomain(6) - .. attribute:: SystemSessionProcessInformation(53) + .. attribute:: ComputerNamePhysicalDnsFullyQualified(7) - .. attribute:: SystemLoadGdiDriverInSystemSpace(54) + .. attribute:: ComputerNameMax(8) - .. attribute:: SystemNumaProcessorMap(55) +_TASK_ACTION_TYPE +''''''''''''''''' +.. class:: TASK_ACTION_TYPE + Alias for :class:`_TASK_ACTION_TYPE` - .. attribute:: SystemPrefetcherInformation(56) +.. class:: _TASK_ACTION_TYPE - .. attribute:: SystemExtendedProcessInformation(57) + .. attribute:: TASK_ACTION_EXEC(0) - .. attribute:: SystemRecommendedSharedDataAlignment(58) + .. attribute:: TASK_ACTION_COM_HANDLER(5) - .. attribute:: SystemComPlusPackage(59) + .. attribute:: TASK_ACTION_SEND_EMAIL(6) - .. attribute:: SystemNumaAvailableMemory(60) + .. attribute:: TASK_ACTION_SHOW_MESSAGE(7) - .. attribute:: SystemProcessorPowerInformation(61) +_TASK_RUNLEVEL_TYPE +''''''''''''''''''' +.. class:: TASK_RUNLEVEL_TYPE + Alias for :class:`_TASK_RUNLEVEL_TYPE` - .. attribute:: SystemEmulationBasicInformation(62) +.. class:: _TASK_RUNLEVEL_TYPE - .. attribute:: SystemEmulationProcessorInformation(63) + .. attribute:: TASK_RUNLEVEL_LUA(0) - .. attribute:: SystemExtendedHandleInformation(64) + .. attribute:: TASK_RUNLEVEL_HIGHEST(1) - .. attribute:: SystemLostDelayedWriteInformation(65) +_TASK_LOGON_TYPE +'''''''''''''''' +.. class:: TASK_LOGON_TYPE + Alias for :class:`_TASK_LOGON_TYPE` - .. attribute:: SystemBigPoolInformation(66) +.. class:: _TASK_LOGON_TYPE - .. attribute:: SystemSessionPoolTagInformation(67) + .. attribute:: TASK_LOGON_NONE(0) - .. attribute:: SystemSessionMappedViewInformation(68) + + .. attribute:: TASK_LOGON_PASSWORD(1) + + + .. attribute:: TASK_LOGON_S4U(2) + + + .. 
attribute:: TASK_LOGON_INTERACTIVE_TOKEN(3) + + + .. attribute:: TASK_LOGON_GROUP(4) + + + .. attribute:: TASK_LOGON_SERVICE_ACCOUNT(5) + + + .. attribute:: TASK_LOGON_INTERACTIVE_TOKEN_OR_PASSWORD(6) + +_TASK_STATE +''''''''''' +.. class:: TASK_STATE + + Alias for :class:`_TASK_STATE` + + +.. class:: _TASK_STATE + + + .. attribute:: TASK_STATE_UNKNOWN(0) + + + .. attribute:: TASK_STATE_DISABLED(1) + + + .. attribute:: TASK_STATE_QUEUED(2) + + + .. attribute:: TASK_STATE_READY(3) + + + .. attribute:: TASK_STATE_RUNNING(4) + +_TASK_INSTANCES_POLICY +'''''''''''''''''''''' +.. class:: TASK_INSTANCES_POLICY + + Alias for :class:`_TASK_INSTANCES_POLICY` + + +.. class:: _TASK_INSTANCES_POLICY + + + .. attribute:: TASK_INSTANCES_PARALLEL(0) + + + .. attribute:: TASK_INSTANCES_QUEUE(1) + + + .. attribute:: TASK_INSTANCES_IGNORE_NEW(2) + + + .. attribute:: TASK_INSTANCES_STOP_EXISTING(3) + +_TASK_COMPATIBILITY +''''''''''''''''''' +.. class:: TASK_COMPATIBILITY + + Alias for :class:`_TASK_COMPATIBILITY` - .. attribute:: SystemHotpatchInformation(69) +.. class:: _TASK_COMPATIBILITY - .. attribute:: SystemObjectSecurityMode(70) + .. attribute:: TASK_COMPATIBILITY_AT(0) - .. attribute:: SystemWatchdogTimerHandler(71) + .. attribute:: TASK_COMPATIBILITY_V1(1) - .. attribute:: SystemWatchdogTimerInformation(72) + .. attribute:: TASK_COMPATIBILITY_V2(2) +_TASK_TRIGGER_TYPE2 +''''''''''''''''''' +.. class:: TASK_TRIGGER_TYPE2 - .. attribute:: SystemLogicalProcessorInformation(73) + Alias for :class:`_TASK_TRIGGER_TYPE2` - .. attribute:: SystemWow64SharedInformationObsolete(74) +.. class:: _TASK_TRIGGER_TYPE2 - .. attribute:: SystemRegisterFirmwareTableInformationHandler(75) + .. attribute:: TASK_TRIGGER_EVENT(0) - .. attribute:: SystemFirmwareTableInformation(76) + .. attribute:: TASK_TRIGGER_TIME(1) - .. attribute:: SystemModuleInformationEx(77) + .. attribute:: TASK_TRIGGER_DAILY(2) - .. attribute:: SystemVerifierTriageInformation(78) + .. 
attribute:: TASK_TRIGGER_WEEKLY(3) - .. attribute:: SystemSuperfetchInformation(79) + .. attribute:: TASK_TRIGGER_MONTHLY(4) - .. attribute:: SystemMemoryListInformation(80) + .. attribute:: TASK_TRIGGER_MONTHLYDOW(5) - .. attribute:: SystemFileCacheInformationEx(81) + .. attribute:: TASK_TRIGGER_IDLE(6) - .. attribute:: SystemThreadPriorityClientIdInformation(82) + .. attribute:: TASK_TRIGGER_REGISTRATION(7) - .. attribute:: SystemProcessorIdleCycleTimeInformation(83) + .. attribute:: TASK_TRIGGER_BOOT(8) - .. attribute:: SystemVerifierCancellationInformation(84) + .. attribute:: TASK_TRIGGER_LOGON(9) - .. attribute:: SystemProcessorPowerInformationEx(85) + .. attribute:: TASK_TRIGGER_SESSION_STATE_CHANGE(11) +_TASK_ENUM_FLAGS +'''''''''''''''' +.. class:: TASK_ENUM_FLAGS - .. attribute:: SystemRefTraceInformation(86) + Alias for :class:`_TASK_ENUM_FLAGS` - .. attribute:: SystemSpecialPoolInformation(87) +.. class:: _TASK_ENUM_FLAGS - .. attribute:: SystemProcessIdInformation(88) + .. attribute:: TASK_ENUM_HIDDEN(1) +_TASK_CREATION +'''''''''''''' +.. class:: TASK_CREATION - .. attribute:: SystemErrorPortInformation(89) + Alias for :class:`_TASK_CREATION` - .. attribute:: SystemBootEnvironmentInformation(90) +.. class:: _TASK_CREATION - .. attribute:: SystemHypervisorInformation(91) + .. attribute:: TASK_VALIDATE_ONLY(1) - .. attribute:: SystemVerifierInformationEx(92) + .. attribute:: TASK_CREATE(2) - .. attribute:: SystemTimeZoneInformation(93) + .. attribute:: TASK_UPDATE(4) - .. attribute:: SystemImageFileExecutionOptionsInformation(94) + .. attribute:: TASK_CREATE_OR_UPDATE(6) - .. attribute:: SystemCoverageInformation(95) + .. attribute:: TASK_DISABLE(8) - .. attribute:: SystemPrefetchPatchInformation(96) + .. attribute:: TASK_DONT_ADD_PRINCIPAL_ACE(16) - .. attribute:: SystemVerifierFaultsInformation(97) + .. attribute:: TASK_IGNORE_REGISTRATION_TRIGGERS(32) +TASK_RUN_FLAGS +'''''''''''''' +.. class:: TASK_RUN_FLAGS - .. 
attribute:: SystemSystemPartitionInformation(98) + .. attribute:: TASK_RUN_NO_FLAGS(0) - .. attribute:: SystemSystemDiskInformation(99) + .. attribute:: TASK_RUN_AS_SELF(1) - .. attribute:: SystemProcessorPerformanceDistribution(100) + .. attribute:: TASK_RUN_IGNORE_CONSTRAINTS(2) - .. attribute:: SystemNumaProximityNodeInformation(101) + .. attribute:: TASK_RUN_USE_SESSION_ID(4) - .. attribute:: SystemDynamicTimeZoneInformation(102) + .. attribute:: TASK_RUN_USER_SID(8) - .. attribute:: SystemCodeIntegrityInformation(103) +_SYSTEM_INFORMATION_CLASS +''''''''''''''''''''''''' +.. class:: SYSTEM_INFORMATION_CLASS + Alias for :class:`_SYSTEM_INFORMATION_CLASS` - .. attribute:: SystemProcessorMicrocodeUpdateInformation(104) +.. class:: _SYSTEM_INFORMATION_CLASS - .. attribute:: SystemProcessorBrandString(105) + .. attribute:: SystemBasicInformation(0) - .. attribute:: SystemVirtualAddressInformation(106) + .. attribute:: SystemProcessorInformation(1) - .. attribute:: SystemLogicalProcessorAndGroupInformation(107) + .. attribute:: SystemPerformanceInformation(2) - .. attribute:: SystemProcessorCycleTimeInformation(108) + .. attribute:: SystemTimeOfDayInformation(3) - .. attribute:: SystemStoreInformation(109) + .. attribute:: SystemPathInformation(4) - .. attribute:: SystemRegistryAppendString(110) + .. attribute:: SystemProcessInformation(5) - .. attribute:: SystemAitSamplingValue(111) + .. attribute:: SystemCallCountInformation(6) - .. attribute:: SystemVhdBootInformation(112) + .. attribute:: SystemDeviceInformation(7) - .. attribute:: SystemCpuQuotaInformation(113) + .. attribute:: SystemProcessorPerformanceInformation(8) - .. attribute:: SystemNativeBasicInformation(114) + .. attribute:: SystemFlagsInformation(9) - .. attribute:: SystemErrorPortTimeouts(115) + .. attribute:: SystemCallTimeInformation(10) - .. attribute:: SystemLowPriorityIoInformation(116) + .. attribute:: SystemModuleInformation(11) - .. attribute:: SystemBootEntropyInformation(117) + .. 
attribute:: SystemLocksInformation(12) - .. attribute:: SystemVerifierCountersInformation(118) + .. attribute:: SystemStackTraceInformation(13) - .. attribute:: SystemPagedPoolInformationEx(119) + .. attribute:: SystemPagedPoolInformation(14) - .. attribute:: SystemSystemPtesInformationEx(120) + .. attribute:: SystemNonPagedPoolInformation(15) - .. attribute:: SystemNodeDistanceInformation(121) + .. attribute:: SystemHandleInformation(16) - .. attribute:: SystemAcpiAuditInformation(122) + .. attribute:: SystemObjectInformation(17) - .. attribute:: SystemBasicPerformanceInformation(123) + .. attribute:: SystemPageFileInformation(18) - .. attribute:: SystemQueryPerformanceCounterInformation(124) + .. attribute:: SystemVdmInstemulInformation(19) - .. attribute:: SystemSessionBigPoolInformation(125) + .. attribute:: SystemVdmBopInformation(20) - .. attribute:: SystemBootGraphicsInformation(126) + .. attribute:: SystemFileCacheInformation(21) - .. attribute:: SystemScrubPhysicalMemoryInformation(127) + .. attribute:: SystemPoolTagInformation(22) - .. attribute:: SystemBadPageInformation(128) + .. attribute:: SystemInterruptInformation(23) - .. attribute:: SystemProcessorProfileControlArea(129) + .. attribute:: SystemDpcBehaviorInformation(24) - .. attribute:: SystemCombinePhysicalMemoryInformation(130) + .. attribute:: SystemFullMemoryInformation(25) - .. attribute:: SystemEntropyInterruptTimingInformation(131) + .. attribute:: SystemLoadGdiDriverInformation(26) - .. attribute:: SystemConsoleInformation(132) + .. attribute:: SystemUnloadGdiDriverInformation(27) - .. attribute:: SystemPlatformBinaryInformation(133) + .. attribute:: SystemTimeAdjustmentInformation(28) - .. attribute:: SystemPolicyInformation(134) + .. attribute:: SystemSummaryMemoryInformation(29) - .. attribute:: SystemHypervisorProcessorCountInformation(135) + .. attribute:: SystemMirrorMemoryInformation(30) - .. attribute:: SystemDeviceDataInformation(136) + .. 
attribute:: SystemPerformanceTraceInformation(31) - .. attribute:: SystemDeviceDataEnumerationInformation(137) + .. attribute:: SystemObsolete0(32) - .. attribute:: SystemMemoryTopologyInformation(138) + .. attribute:: SystemExceptionInformation(33) - .. attribute:: SystemMemoryChannelInformation(139) + .. attribute:: SystemCrashDumpStateInformation(34) - .. attribute:: SystemBootLogoInformation(140) + .. attribute:: SystemKernelDebuggerInformation(35) - .. attribute:: SystemProcessorPerformanceInformationEx(141) + .. attribute:: SystemContextSwitchInformation(36) - .. attribute:: SystemCriticalProcessErrorLogInformation(142) + .. attribute:: SystemRegistryQuotaInformation(37) - .. attribute:: SystemSecureBootPolicyInformation(143) + .. attribute:: SystemExtendServiceTableInformation(38) - .. attribute:: SystemPageFileInformationEx(144) + .. attribute:: SystemPrioritySeperation(39) - .. attribute:: SystemSecureBootInformation(145) + .. attribute:: SystemVerifierAddDriverInformation(40) - .. attribute:: SystemEntropyInterruptTimingRawInformation(146) + .. attribute:: SystemVerifierRemoveDriverInformation(41) - .. attribute:: SystemPortableWorkspaceEfiLauncherInformation(147) + .. attribute:: SystemProcessorIdleInformation(42) - .. attribute:: SystemFullProcessInformation(148) + .. attribute:: SystemLegacyDriverInformation(43) - .. attribute:: SystemKernelDebuggerInformationEx(149) + .. attribute:: SystemCurrentTimeZoneInformation(44) - .. attribute:: SystemBootMetadataInformation(150) + .. attribute:: SystemLookasideInformation(45) - .. attribute:: SystemSoftRebootInformation(151) + .. attribute:: SystemTimeSlipNotification(46) - .. attribute:: SystemElamCertificateInformation(152) + .. attribute:: SystemSessionCreate(47) - .. attribute:: SystemOfflineDumpConfigInformation(153) + .. attribute:: SystemSessionDetach(48) - .. attribute:: SystemProcessorFeaturesInformation(154) + .. attribute:: SystemSessionInformation(49) - .. 
attribute:: SystemRegistryReconciliationInformation(155) + .. attribute:: SystemRangeStartInformation(50) - .. attribute:: SystemEdidInformation(156) + .. attribute:: SystemVerifierInformation(51) - .. attribute:: SystemManufacturingInformation(157) + .. attribute:: SystemVerifierThunkExtend(52) - .. attribute:: SystemEnergyEstimationConfigInformation(158) + .. attribute:: SystemSessionProcessInformation(53) - .. attribute:: SystemHypervisorDetailInformation(159) + .. attribute:: SystemLoadGdiDriverInSystemSpace(54) - .. attribute:: SystemProcessorCycleStatsInformation(160) + .. attribute:: SystemNumaProcessorMap(55) - .. attribute:: SystemVmGenerationCountInformation(161) + .. attribute:: SystemPrefetcherInformation(56) - .. attribute:: SystemTrustedPlatformModuleInformation(162) + .. attribute:: SystemExtendedProcessInformation(57) - .. attribute:: SystemKernelDebuggerFlags(163) + .. attribute:: SystemRecommendedSharedDataAlignment(58) - .. attribute:: SystemCodeIntegrityPolicyInformation(164) + .. attribute:: SystemComPlusPackage(59) - .. attribute:: SystemIsolatedUserModeInformation(165) + .. attribute:: SystemNumaAvailableMemory(60) - .. attribute:: SystemHardwareSecurityTestInterfaceResultsInformation(166) + .. attribute:: SystemProcessorPowerInformation(61) - .. attribute:: SystemSingleModuleInformation(167) + .. attribute:: SystemEmulationBasicInformation(62) - .. attribute:: SystemAllowedCpuSetsInformation(168) + .. attribute:: SystemEmulationProcessorInformation(63) - .. attribute:: SystemVsmProtectionInformation(169) + .. attribute:: SystemExtendedHandleInformation(64) - .. attribute:: SystemInterruptCpuSetsInformation(170) + .. attribute:: SystemLostDelayedWriteInformation(65) - .. attribute:: SystemSecureBootPolicyFullInformation(171) + .. attribute:: SystemBigPoolInformation(66) - .. attribute:: SystemCodeIntegrityPolicyFullInformation(172) + .. attribute:: SystemSessionPoolTagInformation(67) - .. 
attribute:: SystemAffinitizedInterruptProcessorInformation(173) + .. attribute:: SystemSessionMappedViewInformation(68) - .. attribute:: SystemRootSiloInformation(174) + .. attribute:: SystemHotpatchInformation(69) - .. attribute:: SystemCpuSetInformation(175) + .. attribute:: SystemObjectSecurityMode(70) - .. attribute:: SystemCpuSetTagInformation(176) + .. attribute:: SystemWatchdogTimerHandler(71) - .. attribute:: SystemWin32WerStartCallout(177) + .. attribute:: SystemWatchdogTimerInformation(72) - .. attribute:: SystemSecureKernelProfileInformation(178) + .. attribute:: SystemLogicalProcessorInformation(73) - .. attribute:: SystemCodeIntegrityPlatformManifestInformation(179) + .. attribute:: SystemWow64SharedInformationObsolete(74) - .. attribute:: SystemInterruptSteeringInformation(180) + .. attribute:: SystemRegisterFirmwareTableInformationHandler(75) - .. attribute:: SystemSupportedProcessorArchitectures(181) + .. attribute:: SystemFirmwareTableInformation(76) - .. attribute:: SystemMemoryUsageInformation(182) + .. attribute:: SystemModuleInformationEx(77) - .. attribute:: SystemCodeIntegrityCertificateInformation(183) + .. attribute:: SystemVerifierTriageInformation(78) - .. attribute:: SystemPhysicalMemoryInformation(184) + .. attribute:: SystemSuperfetchInformation(79) - .. attribute:: SystemControlFlowTransition(185) + .. attribute:: SystemMemoryListInformation(80) - .. attribute:: SystemKernelDebuggingAllowed(186) + .. attribute:: SystemFileCacheInformationEx(81) - .. attribute:: SystemActivityModerationExeState(187) + .. attribute:: SystemThreadPriorityClientIdInformation(82) - .. attribute:: SystemActivityModerationUserSettings(188) + .. attribute:: SystemProcessorIdleCycleTimeInformation(83) - .. attribute:: SystemCodeIntegrityPoliciesFullInformation(189) + .. attribute:: SystemVerifierCancellationInformation(84) - .. attribute:: SystemCodeIntegrityUnlockInformation(190) + .. attribute:: SystemProcessorPowerInformationEx(85) - .. 
attribute:: SystemIntegrityQuotaInformation(191) + .. attribute:: SystemRefTraceInformation(86) - .. attribute:: SystemFlushInformation(192) + .. attribute:: SystemSpecialPoolInformation(87) - .. attribute:: SystemProcessorIdleMaskInformation(193) + .. attribute:: SystemProcessIdInformation(88) - .. attribute:: SystemSecureDumpEncryptionInformation(194) + .. attribute:: SystemErrorPortInformation(89) - .. attribute:: SystemWriteConstraintInformation(195) + .. attribute:: SystemBootEnvironmentInformation(90) - .. attribute:: SystemKernelVaShadowInformation(196) + .. attribute:: SystemHypervisorInformation(91) - .. attribute:: SystemHypervisorSharedPageInformation(197) + .. attribute:: SystemVerifierInformationEx(92) - .. attribute:: SystemFirmwareBootPerformanceInformation(198) + .. attribute:: SystemTimeZoneInformation(93) - .. attribute:: SystemCodeIntegrityVerificationInformation(199) + .. attribute:: SystemImageFileExecutionOptionsInformation(94) - .. attribute:: SystemFirmwarePartitionInformation(200) + .. attribute:: SystemCoverageInformation(95) - .. attribute:: SystemSpeculationControlInformation(201) + .. attribute:: SystemPrefetchPatchInformation(96) - .. attribute:: SystemDmaGuardPolicyInformation(202) + .. attribute:: SystemVerifierFaultsInformation(97) - .. attribute:: SystemEnclaveLaunchControlInformation(203) + .. attribute:: SystemSystemPartitionInformation(98) - .. attribute:: SystemWorkloadAllowedCpuSetsInformation(204) + .. attribute:: SystemSystemDiskInformation(99) - .. attribute:: SystemCodeIntegrityUnlockModeInformation(205) + .. attribute:: SystemProcessorPerformanceDistribution(100) - .. attribute:: SystemLeapSecondInformation(206) + .. attribute:: SystemNumaProximityNodeInformation(101) - .. attribute:: SystemFlags2Information(207) + .. attribute:: SystemDynamicTimeZoneInformation(102) - .. attribute:: SystemSecurityModelInformation(208) + .. attribute:: SystemCodeIntegrityInformation(103) - .. 
attribute:: SystemCodeIntegritySyntheticCacheInformation(209) + .. attribute:: SystemProcessorMicrocodeUpdateInformation(104) - .. attribute:: SystemFeatureConfigurationInformation(210) + .. attribute:: SystemProcessorBrandString(105) - .. attribute:: SystemFeatureConfigurationSectionInformation(211) + .. attribute:: SystemVirtualAddressInformation(106) - .. attribute:: SystemFeatureUsageSubscriptionInformation(212) + .. attribute:: SystemLogicalProcessorAndGroupInformation(107) - .. attribute:: SystemSecureSpeculationControlInformation(213) + .. attribute:: SystemProcessorCycleTimeInformation(108) - .. attribute:: SystemSpacesBootInformation(214) + .. attribute:: SystemStoreInformation(109) - .. attribute:: SystemFwRamdiskInformation(215) + .. attribute:: SystemRegistryAppendString(110) - .. attribute:: SystemWheaIpmiHardwareInformation(216) + .. attribute:: SystemAitSamplingValue(111) - .. attribute:: SystemDifSetRuleClassInformation(217) + .. attribute:: SystemVhdBootInformation(112) - .. attribute:: SystemDifClearRuleClassInformation(218) + .. attribute:: SystemCpuQuotaInformation(113) - .. attribute:: SystemDifApplyPluginVerificationOnDriver(219) + .. attribute:: SystemNativeBasicInformation(114) - .. attribute:: SystemDifRemovePluginVerificationOnDriver(220) + .. attribute:: SystemErrorPortTimeouts(115) - .. attribute:: SystemShadowStackInformation(221) + .. attribute:: SystemLowPriorityIoInformation(116) - .. attribute:: SystemBuildVersionInformation(222) + .. attribute:: SystemBootEntropyInformation(117) - .. attribute:: SystemPoolLimitInformation(223) + .. attribute:: SystemVerifierCountersInformation(118) - .. attribute:: SystemCodeIntegrityAddDynamicStore(224) + .. attribute:: SystemPagedPoolInformationEx(119) - .. attribute:: SystemCodeIntegrityClearDynamicStores(225) + .. attribute:: SystemSystemPtesInformationEx(120) - .. attribute:: SystemPoolZeroingInformation(227) + .. attribute:: SystemNodeDistanceInformation(121) - .. 
attribute:: MaxSystemInfoClass(228) -_WELL_KNOWN_SID_TYPE -'''''''''''''''''''' -.. class:: WELL_KNOWN_SID_TYPE + .. attribute:: SystemAcpiAuditInformation(122) - Alias for :class:`_WELL_KNOWN_SID_TYPE` + .. attribute:: SystemBasicPerformanceInformation(123) -.. class:: _WELL_KNOWN_SID_TYPE + .. attribute:: SystemQueryPerformanceCounterInformation(124) - .. attribute:: WinNullSid(0) + .. attribute:: SystemSessionBigPoolInformation(125) - .. attribute:: WinWorldSid(1) + .. attribute:: SystemBootGraphicsInformation(126) - .. attribute:: WinLocalSid(2) + .. attribute:: SystemScrubPhysicalMemoryInformation(127) - .. attribute:: WinCreatorOwnerSid(3) + .. attribute:: SystemBadPageInformation(128) - .. attribute:: WinCreatorGroupSid(4) + .. attribute:: SystemProcessorProfileControlArea(129) - .. attribute:: WinCreatorOwnerServerSid(5) + .. attribute:: SystemCombinePhysicalMemoryInformation(130) - .. attribute:: WinCreatorGroupServerSid(6) + .. attribute:: SystemEntropyInterruptTimingInformation(131) - .. attribute:: WinNtAuthoritySid(7) + .. attribute:: SystemConsoleInformation(132) - .. attribute:: WinDialupSid(8) + .. attribute:: SystemPlatformBinaryInformation(133) - .. attribute:: WinNetworkSid(9) + .. attribute:: SystemPolicyInformation(134) - .. attribute:: WinBatchSid(10) + .. attribute:: SystemHypervisorProcessorCountInformation(135) - .. attribute:: WinInteractiveSid(11) + .. attribute:: SystemDeviceDataInformation(136) - .. attribute:: WinServiceSid(12) + .. attribute:: SystemDeviceDataEnumerationInformation(137) - .. attribute:: WinAnonymousSid(13) + .. attribute:: SystemMemoryTopologyInformation(138) - .. attribute:: WinProxySid(14) + .. attribute:: SystemMemoryChannelInformation(139) - .. attribute:: WinEnterpriseControllersSid(15) + .. attribute:: SystemBootLogoInformation(140) - .. attribute:: WinSelfSid(16) + .. attribute:: SystemProcessorPerformanceInformationEx(141) - .. attribute:: WinAuthenticatedUserSid(17) + .. 
attribute:: SystemCriticalProcessErrorLogInformation(142) - .. attribute:: WinRestrictedCodeSid(18) + .. attribute:: SystemSecureBootPolicyInformation(143) - .. attribute:: WinTerminalServerSid(19) + .. attribute:: SystemPageFileInformationEx(144) - .. attribute:: WinRemoteLogonIdSid(20) + .. attribute:: SystemSecureBootInformation(145) - .. attribute:: WinLogonIdsSid(21) + .. attribute:: SystemEntropyInterruptTimingRawInformation(146) - .. attribute:: WinLocalSystemSid(22) + .. attribute:: SystemPortableWorkspaceEfiLauncherInformation(147) - .. attribute:: WinLocalServiceSid(23) + .. attribute:: SystemFullProcessInformation(148) - .. attribute:: WinNetworkServiceSid(24) + .. attribute:: SystemKernelDebuggerInformationEx(149) - .. attribute:: WinBuiltinDomainSid(25) + .. attribute:: SystemBootMetadataInformation(150) - .. attribute:: WinBuiltinAdministratorsSid(26) + .. attribute:: SystemSoftRebootInformation(151) - .. attribute:: WinBuiltinUsersSid(27) + .. attribute:: SystemElamCertificateInformation(152) - .. attribute:: WinBuiltinGuestsSid(28) + .. attribute:: SystemOfflineDumpConfigInformation(153) - .. attribute:: WinBuiltinPowerUsersSid(29) + .. attribute:: SystemProcessorFeaturesInformation(154) - .. attribute:: WinBuiltinAccountOperatorsSid(30) + .. attribute:: SystemRegistryReconciliationInformation(155) - .. attribute:: WinBuiltinSystemOperatorsSid(31) + .. attribute:: SystemEdidInformation(156) - .. attribute:: WinBuiltinPrintOperatorsSid(32) + .. attribute:: SystemManufacturingInformation(157) - .. attribute:: WinBuiltinBackupOperatorsSid(33) + .. attribute:: SystemEnergyEstimationConfigInformation(158) - .. attribute:: WinBuiltinReplicatorSid(34) + .. attribute:: SystemHypervisorDetailInformation(159) - .. attribute:: WinBuiltinPreWindows2000CompatibleAccessSid(35) + .. attribute:: SystemProcessorCycleStatsInformation(160) - .. attribute:: WinBuiltinRemoteDesktopUsersSid(36) + .. attribute:: SystemVmGenerationCountInformation(161) - .. 
attribute:: WinBuiltinNetworkConfigurationOperatorsSid(37) + .. attribute:: SystemTrustedPlatformModuleInformation(162) - .. attribute:: WinAccountAdministratorSid(38) + .. attribute:: SystemKernelDebuggerFlags(163) - .. attribute:: WinAccountGuestSid(39) + .. attribute:: SystemCodeIntegrityPolicyInformation(164) - .. attribute:: WinAccountKrbtgtSid(40) + .. attribute:: SystemIsolatedUserModeInformation(165) - .. attribute:: WinAccountDomainAdminsSid(41) + .. attribute:: SystemHardwareSecurityTestInterfaceResultsInformation(166) - .. attribute:: WinAccountDomainUsersSid(42) + .. attribute:: SystemSingleModuleInformation(167) - .. attribute:: WinAccountDomainGuestsSid(43) + .. attribute:: SystemAllowedCpuSetsInformation(168) - .. attribute:: WinAccountComputersSid(44) + .. attribute:: SystemVsmProtectionInformation(169) - .. attribute:: WinAccountControllersSid(45) + .. attribute:: SystemInterruptCpuSetsInformation(170) - .. attribute:: WinAccountCertAdminsSid(46) + .. attribute:: SystemSecureBootPolicyFullInformation(171) - .. attribute:: WinAccountSchemaAdminsSid(47) + .. attribute:: SystemCodeIntegrityPolicyFullInformation(172) - .. attribute:: WinAccountEnterpriseAdminsSid(48) + .. attribute:: SystemAffinitizedInterruptProcessorInformation(173) - .. attribute:: WinAccountPolicyAdminsSid(49) + .. attribute:: SystemRootSiloInformation(174) - .. attribute:: WinAccountRasAndIasServersSid(50) + .. attribute:: SystemCpuSetInformation(175) - .. attribute:: WinNTLMAuthenticationSid(51) + .. attribute:: SystemCpuSetTagInformation(176) - .. attribute:: WinDigestAuthenticationSid(52) + .. attribute:: SystemWin32WerStartCallout(177) - .. attribute:: WinSChannelAuthenticationSid(53) + .. attribute:: SystemSecureKernelProfileInformation(178) - .. attribute:: WinThisOrganizationSid(54) + .. attribute:: SystemCodeIntegrityPlatformManifestInformation(179) - .. attribute:: WinOtherOrganizationSid(55) + .. attribute:: SystemInterruptSteeringInformation(180) - .. 
attribute:: WinBuiltinIncomingForestTrustBuildersSid(56) + .. attribute:: SystemSupportedProcessorArchitectures(181) - .. attribute:: WinBuiltinPerfMonitoringUsersSid(57) + .. attribute:: SystemMemoryUsageInformation(182) - .. attribute:: WinBuiltinPerfLoggingUsersSid(58) + .. attribute:: SystemCodeIntegrityCertificateInformation(183) - .. attribute:: WinBuiltinAuthorizationAccessSid(59) + .. attribute:: SystemPhysicalMemoryInformation(184) - .. attribute:: WinBuiltinTerminalServerLicenseServersSid(60) + .. attribute:: SystemControlFlowTransition(185) - .. attribute:: WinBuiltinDCOMUsersSid(61) + .. attribute:: SystemKernelDebuggingAllowed(186) - .. attribute:: WinBuiltinIUsersSid(62) + .. attribute:: SystemActivityModerationExeState(187) - .. attribute:: WinIUserSid(63) + .. attribute:: SystemActivityModerationUserSettings(188) - .. attribute:: WinBuiltinCryptoOperatorsSid(64) + .. attribute:: SystemCodeIntegrityPoliciesFullInformation(189) - .. attribute:: WinUntrustedLabelSid(65) + .. attribute:: SystemCodeIntegrityUnlockInformation(190) - .. attribute:: WinLowLabelSid(66) + .. attribute:: SystemIntegrityQuotaInformation(191) - .. attribute:: WinMediumLabelSid(67) + .. attribute:: SystemFlushInformation(192) - .. attribute:: WinHighLabelSid(68) + .. attribute:: SystemProcessorIdleMaskInformation(193) - .. attribute:: WinSystemLabelSid(69) + .. attribute:: SystemSecureDumpEncryptionInformation(194) - .. attribute:: WinWriteRestrictedCodeSid(70) + .. attribute:: SystemWriteConstraintInformation(195) - .. attribute:: WinCreatorOwnerRightsSid(71) + .. attribute:: SystemKernelVaShadowInformation(196) - .. attribute:: WinCacheablePrincipalsGroupSid(72) + .. attribute:: SystemHypervisorSharedPageInformation(197) - .. attribute:: WinNonCacheablePrincipalsGroupSid(73) + .. attribute:: SystemFirmwareBootPerformanceInformation(198) - .. attribute:: WinEnterpriseReadonlyControllersSid(74) + .. attribute:: SystemCodeIntegrityVerificationInformation(199) - .. 
attribute:: WinAccountReadonlyControllersSid(75) + .. attribute:: SystemFirmwarePartitionInformation(200) - .. attribute:: WinBuiltinEventLogReadersGroup(76) + .. attribute:: SystemSpeculationControlInformation(201) - .. attribute:: WinNewEnterpriseReadonlyControllersSid(77) + .. attribute:: SystemDmaGuardPolicyInformation(202) - .. attribute:: WinBuiltinCertSvcDComAccessGroup(78) + .. attribute:: SystemEnclaveLaunchControlInformation(203) - .. attribute:: WinMediumPlusLabelSid(79) + .. attribute:: SystemWorkloadAllowedCpuSetsInformation(204) - .. attribute:: WinLocalLogonSid(80) + .. attribute:: SystemCodeIntegrityUnlockModeInformation(205) - .. attribute:: WinConsoleLogonSid(81) + .. attribute:: SystemLeapSecondInformation(206) - .. attribute:: WinThisOrganizationCertificateSid(82) + .. attribute:: SystemFlags2Information(207) - .. attribute:: WinApplicationPackageAuthoritySid(83) + .. attribute:: SystemSecurityModelInformation(208) - .. attribute:: WinBuiltinAnyPackageSid(84) + .. attribute:: SystemCodeIntegritySyntheticCacheInformation(209) - .. attribute:: WinCapabilityInternetClientSid(85) + .. attribute:: SystemFeatureConfigurationInformation(210) - .. attribute:: WinCapabilityInternetClientServerSid(86) + .. attribute:: SystemFeatureConfigurationSectionInformation(211) - .. attribute:: WinCapabilityPrivateNetworkClientServerSid(87) + .. attribute:: SystemFeatureUsageSubscriptionInformation(212) - .. attribute:: WinCapabilityPicturesLibrarySid(88) + .. attribute:: SystemSecureSpeculationControlInformation(213) - .. attribute:: WinCapabilityVideosLibrarySid(89) + .. attribute:: SystemSpacesBootInformation(214) - .. attribute:: WinCapabilityMusicLibrarySid(90) + .. attribute:: SystemFwRamdiskInformation(215) - .. attribute:: WinCapabilityDocumentsLibrarySid(91) + .. attribute:: SystemWheaIpmiHardwareInformation(216) - .. attribute:: WinCapabilitySharedUserCertificatesSid(92) + .. attribute:: SystemDifSetRuleClassInformation(217) - .. 
attribute:: WinCapabilityEnterpriseAuthenticationSid(93) + .. attribute:: SystemDifClearRuleClassInformation(218) - .. attribute:: WinCapabilityRemovableStorageSid(94) -_SECTION_INHERIT -'''''''''''''''' -.. class:: SECTION_INHERIT + .. attribute:: SystemDifApplyPluginVerificationOnDriver(219) - Alias for :class:`_SECTION_INHERIT` + .. attribute:: SystemDifRemovePluginVerificationOnDriver(220) -.. class:: _SECTION_INHERIT + .. attribute:: SystemShadowStackInformation(221) - .. attribute:: ViewShare(1) + .. attribute:: SystemBuildVersionInformation(222) - .. attribute:: ViewUnmap(2) -_PROCESSINFOCLASS -''''''''''''''''' -.. class:: PROCESSINFOCLASS + .. attribute:: SystemPoolLimitInformation(223) - Alias for :class:`_PROCESSINFOCLASS` + .. attribute:: SystemCodeIntegrityAddDynamicStore(224) -.. class:: _PROCESSINFOCLASS + .. attribute:: SystemCodeIntegrityClearDynamicStores(225) - .. attribute:: ProcessBasicInformation(0) + .. attribute:: SystemPoolZeroingInformation(227) - .. attribute:: ProcessQuotaLimits(1) + .. attribute:: MaxSystemInfoClass(228) - .. attribute:: ProcessIoCounters(2) +_WELL_KNOWN_SID_TYPE +'''''''''''''''''''' +.. class:: WELL_KNOWN_SID_TYPE + Alias for :class:`_WELL_KNOWN_SID_TYPE` - .. attribute:: ProcessVmCounters(3) +.. class:: _WELL_KNOWN_SID_TYPE - .. attribute:: ProcessTimes(4) + .. attribute:: WinNullSid(0) - .. attribute:: ProcessBasePriority(5) + .. attribute:: WinWorldSid(1) - .. attribute:: ProcessRaisePriority(6) + .. attribute:: WinLocalSid(2) - .. attribute:: ProcessDebugPort(7) + .. attribute:: WinCreatorOwnerSid(3) - .. attribute:: ProcessExceptionPort(8) + .. attribute:: WinCreatorGroupSid(4) - .. attribute:: ProcessAccessToken(9) + .. attribute:: WinCreatorOwnerServerSid(5) - .. attribute:: ProcessLdtInformation(10) + .. attribute:: WinCreatorGroupServerSid(6) - .. attribute:: ProcessLdtSize(11) + .. attribute:: WinNtAuthoritySid(7) - .. attribute:: ProcessDefaultHardErrorMode(12) + .. attribute:: WinDialupSid(8) - .. 
attribute:: ProcessIoPortHandlers(13) + .. attribute:: WinNetworkSid(9) - .. attribute:: ProcessPooledUsageAndLimits(14) + .. attribute:: WinBatchSid(10) - .. attribute:: ProcessWorkingSetWatch(15) + .. attribute:: WinInteractiveSid(11) - .. attribute:: ProcessUserModeIOPL(16) + .. attribute:: WinServiceSid(12) - .. attribute:: ProcessEnableAlignmentFaultFixup(17) + .. attribute:: WinAnonymousSid(13) - .. attribute:: ProcessPriorityClass(18) + .. attribute:: WinProxySid(14) - .. attribute:: ProcessWx86Information(19) + .. attribute:: WinEnterpriseControllersSid(15) - .. attribute:: ProcessHandleCount(20) + .. attribute:: WinSelfSid(16) - .. attribute:: ProcessAffinityMask(21) + .. attribute:: WinAuthenticatedUserSid(17) - .. attribute:: ProcessPriorityBoost(22) + .. attribute:: WinRestrictedCodeSid(18) - .. attribute:: ProcessDeviceMap(23) + .. attribute:: WinTerminalServerSid(19) - .. attribute:: ProcessSessionInformation(24) + .. attribute:: WinRemoteLogonIdSid(20) - .. attribute:: ProcessForegroundInformation(25) + .. attribute:: WinLogonIdsSid(21) - .. attribute:: ProcessWow64Information(26) + .. attribute:: WinLocalSystemSid(22) - .. attribute:: ProcessImageFileName(27) + .. attribute:: WinLocalServiceSid(23) - .. attribute:: ProcessLUIDDeviceMapsEnabled(28) + .. attribute:: WinNetworkServiceSid(24) - .. attribute:: ProcessBreakOnTermination(29) + .. attribute:: WinBuiltinDomainSid(25) - .. attribute:: ProcessDebugObjectHandle(30) + .. attribute:: WinBuiltinAdministratorsSid(26) - .. attribute:: ProcessDebugFlags(31) + .. attribute:: WinBuiltinUsersSid(27) - .. attribute:: ProcessHandleTracing(32) + .. attribute:: WinBuiltinGuestsSid(28) - .. attribute:: ProcessIoPriority(33) + .. attribute:: WinBuiltinPowerUsersSid(29) - .. attribute:: ProcessExecuteFlags(34) + .. attribute:: WinBuiltinAccountOperatorsSid(30) - .. attribute:: ProcessTlsInformation(35) + .. attribute:: WinBuiltinSystemOperatorsSid(31) - .. attribute:: ProcessCookie(36) + .. 
attribute:: WinBuiltinPrintOperatorsSid(32) - .. attribute:: ProcessImageInformation(37) + .. attribute:: WinBuiltinBackupOperatorsSid(33) - .. attribute:: ProcessCycleTime(38) + .. attribute:: WinBuiltinReplicatorSid(34) - .. attribute:: ProcessPagePriority(39) + .. attribute:: WinBuiltinPreWindows2000CompatibleAccessSid(35) - .. attribute:: ProcessInstrumentationCallback(40) + .. attribute:: WinBuiltinRemoteDesktopUsersSid(36) - .. attribute:: ProcessThreadStackAllocation(41) + .. attribute:: WinBuiltinNetworkConfigurationOperatorsSid(37) - .. attribute:: ProcessWorkingSetWatchEx(42) + .. attribute:: WinAccountAdministratorSid(38) - .. attribute:: ProcessImageFileNameWin32(43) + .. attribute:: WinAccountGuestSid(39) - .. attribute:: ProcessImageFileMapping(44) + .. attribute:: WinAccountKrbtgtSid(40) - .. attribute:: ProcessAffinityUpdateMode(45) + .. attribute:: WinAccountDomainAdminsSid(41) - .. attribute:: ProcessMemoryAllocationMode(46) + .. attribute:: WinAccountDomainUsersSid(42) - .. attribute:: ProcessGroupInformation(47) + .. attribute:: WinAccountDomainGuestsSid(43) - .. attribute:: ProcessTokenVirtualizationEnabled(48) + .. attribute:: WinAccountComputersSid(44) - .. attribute:: ProcessOwnerInformation(49) + .. attribute:: WinAccountControllersSid(45) - .. attribute:: ProcessWindowInformation(50) + .. attribute:: WinAccountCertAdminsSid(46) - .. attribute:: ProcessHandleInformation(51) + .. attribute:: WinAccountSchemaAdminsSid(47) - .. attribute:: ProcessMitigationPolicy(52) + .. attribute:: WinAccountEnterpriseAdminsSid(48) - .. attribute:: ProcessDynamicFunctionTableInformation(53) + .. attribute:: WinAccountPolicyAdminsSid(49) - .. attribute:: ProcessHandleCheckingMode(54) + .. attribute:: WinAccountRasAndIasServersSid(50) - .. attribute:: ProcessKeepAliveCount(55) + .. attribute:: WinNTLMAuthenticationSid(51) - .. attribute:: ProcessRevokeFileHandles(56) + .. attribute:: WinDigestAuthenticationSid(52) - .. 
attribute:: ProcessWorkingSetControl(57) + .. attribute:: WinSChannelAuthenticationSid(53) - .. attribute:: ProcessHandleTable(58) + .. attribute:: WinThisOrganizationSid(54) - .. attribute:: ProcessCheckStackExtentsMode(59) + .. attribute:: WinOtherOrganizationSid(55) - .. attribute:: ProcessCommandLineInformation(60) + .. attribute:: WinBuiltinIncomingForestTrustBuildersSid(56) - .. attribute:: ProcessProtectionInformation(61) + .. attribute:: WinBuiltinPerfMonitoringUsersSid(57) - .. attribute:: ProcessMemoryExhaustion(62) + .. attribute:: WinBuiltinPerfLoggingUsersSid(58) - .. attribute:: ProcessFaultInformation(63) + .. attribute:: WinBuiltinAuthorizationAccessSid(59) - .. attribute:: ProcessTelemetryIdInformation(64) + .. attribute:: WinBuiltinTerminalServerLicenseServersSid(60) - .. attribute:: ProcessCommitReleaseInformation(65) + .. attribute:: WinBuiltinDCOMUsersSid(61) - .. attribute:: ProcessReserved1Information(66) + .. attribute:: WinBuiltinIUsersSid(62) - .. attribute:: ProcessReserved2Information(67) + .. attribute:: WinIUserSid(63) - .. attribute:: ProcessSubsystemProcess(68) + .. attribute:: WinBuiltinCryptoOperatorsSid(64) - .. attribute:: ProcessInPrivate(70) + .. attribute:: WinUntrustedLabelSid(65) - .. attribute:: ProcessRaiseUMExceptionOnInvalidHandleClose(71) + .. attribute:: WinLowLabelSid(66) - .. attribute:: ProcessSubsystemInformation(75) + .. attribute:: WinMediumLabelSid(67) - .. attribute:: ProcessWin32kSyscallFilterInformation(79) + .. attribute:: WinHighLabelSid(68) - .. attribute:: ProcessEnergyTrackingState(82) + .. attribute:: WinSystemLabelSid(69) - .. attribute:: MaxProcessInfoClass(83) -_MEMORY_INFORMATION_CLASS -''''''''''''''''''''''''' -.. class:: MEMORY_INFORMATION_CLASS + .. attribute:: WinWriteRestrictedCodeSid(70) - Alias for :class:`_MEMORY_INFORMATION_CLASS` + .. attribute:: WinCreatorOwnerRightsSid(71) -.. class:: _MEMORY_INFORMATION_CLASS + .. attribute:: WinCacheablePrincipalsGroupSid(72) - .. 
attribute:: MemoryBasicInformation(0) + .. attribute:: WinNonCacheablePrincipalsGroupSid(73) - .. attribute:: MemoryWorkingSetList(1) + .. attribute:: WinEnterpriseReadonlyControllersSid(74) - .. attribute:: MemorySectionName(2) + .. attribute:: WinAccountReadonlyControllersSid(75) - .. attribute:: MemoryBasicVlmInformation(3) + .. attribute:: WinBuiltinEventLogReadersGroup(76) - .. attribute:: MemoryWorkingSetListEx(4) -_THREAD_INFORMATION_CLASS -''''''''''''''''''''''''' -.. class:: PTHREAD_INFORMATION_CLASS + .. attribute:: WinNewEnterpriseReadonlyControllersSid(77) - Pointer to :class:`_THREAD_INFORMATION_CLASS` + .. attribute:: WinBuiltinCertSvcDComAccessGroup(78) -.. class:: THREAD_INFORMATION_CLASS - Alias for :class:`_THREAD_INFORMATION_CLASS` + .. attribute:: WinMediumPlusLabelSid(79) -.. class:: _THREAD_INFORMATION_CLASS + .. attribute:: WinLocalLogonSid(80) - .. attribute:: ThreadBasicInformation(0) + .. attribute:: WinConsoleLogonSid(81) - .. attribute:: ThreadTimes(1) + .. attribute:: WinThisOrganizationCertificateSid(82) - .. attribute:: ThreadPriority(2) + .. attribute:: WinApplicationPackageAuthoritySid(83) - .. attribute:: ThreadBasePriority(3) + .. attribute:: WinBuiltinAnyPackageSid(84) - .. attribute:: ThreadAffinityMask(4) + .. attribute:: WinCapabilityInternetClientSid(85) - .. attribute:: ThreadImpersonationToken(5) + .. attribute:: WinCapabilityInternetClientServerSid(86) - .. attribute:: ThreadDescriptorTableEntry(6) + .. attribute:: WinCapabilityPrivateNetworkClientServerSid(87) - .. attribute:: ThreadEnableAlignmentFaultFixup(7) + .. attribute:: WinCapabilityPicturesLibrarySid(88) - .. attribute:: ThreadEventPair(8) + .. attribute:: WinCapabilityVideosLibrarySid(89) - .. attribute:: ThreadQuerySetWin32StartAddress(9) + .. attribute:: WinCapabilityMusicLibrarySid(90) - .. attribute:: ThreadZeroTlsCell(10) + .. attribute:: WinCapabilityDocumentsLibrarySid(91) - .. attribute:: ThreadPerformanceCount(11) + .. 
attribute:: WinCapabilitySharedUserCertificatesSid(92) - .. attribute:: ThreadAmILastThread(12) + .. attribute:: WinCapabilityEnterpriseAuthenticationSid(93) - .. attribute:: ThreadIdealProcessor(13) + .. attribute:: WinCapabilityRemovableStorageSid(94) +_SECTION_INHERIT +'''''''''''''''' +.. class:: SECTION_INHERIT - .. attribute:: ThreadPriorityBoost(14) + Alias for :class:`_SECTION_INHERIT` - .. attribute:: ThreadSetTlsArrayAddress(15) +.. class:: _SECTION_INHERIT - .. attribute:: ThreadIsIoPending(16) + .. attribute:: ViewShare(1) - .. attribute:: ThreadHideFromDebugger(17) + .. attribute:: ViewUnmap(2) _VARENUM '''''''' From 493fe75be8f08427f512cdf98341b5e137cc13b5 Mon Sep 17 00:00:00 2001 From: hakril Date: Fri, 24 Jan 2025 13:48:19 +0100 Subject: [PATCH 26/70] arm64: Ret() encoded \o/ time to tests functions calls --- tests/test_simple_arm64.py | 17 +++++- windows/native_exec/simple_arm64.py | 82 ++++++++++++++++++++++------- 2 files changed, 79 insertions(+), 20 deletions(-) diff --git a/tests/test_simple_arm64.py b/tests/test_simple_arm64.py index af3e6590..9d4b0ed1 100644 --- a/tests/test_simple_arm64.py +++ b/tests/test_simple_arm64.py @@ -54,8 +54,10 @@ def __call__(self, *args): if self.must_fail: raise ValueError("Instruction did not failed as expected") capres_list = disas(res) + if not capres_list: + raise AssertionError("Trying to disas an instruction resulted no disassembled instr") if len(capres_list) != 1: - raise AssertionError("Trying to disas an instruction resulted in multiple disassembled instrs") + raise AssertionError("Trying to disas an instruction resulted in multiple disassembled instrs: {0}".format(capres_list)) capres = capres_list[0] print("{0} {1}".format(capres.mnemonic, capres.op_str)) if self.expected_result is not None: 
@@ -105,4 +107,15 @@ def test_assembler(): # Error test todo # CheckInstr(Add)('X11', 'W12', 0x123) - CheckInstr(Add)('X11', 'X12', 0x12345678) \ No newline at end of file + with pytest.raises(ValueError): + CheckInstr(Add)('BADREG', 'X12', 0) + + with pytest.raises(ValueError): + # Immediat too big for encoding + CheckInstr(Add)('X11', 'X12', 0x12345678) + + CheckInstr(Ret)("X0") + CheckInstr(Ret, expected_result="ret ")("X30") + CheckInstr(Ret)() + with pytest.raises(ValueError): + CheckInstr(Ret)("W0") diff --git a/windows/native_exec/simple_arm64.py b/windows/native_exec/simple_arm64.py index 5e0287fa..fe74e9ae 100644 --- a/windows/native_exec/simple_arm64.py +++ b/windows/native_exec/simple_arm64.py @@ -37,6 +37,13 @@ # Make a special memoryview that match what is show in the ARM Chapter C4 ? +# A lot of hardcoded bits are filled this way: + +## self.bits[24:32] = reversed(bytearray(XXX)) + +# This allow to write the bits in the same order as the ARM manual which is describe with most significant bit first +# Whereas our internal structure is reverse for simplicity of mapping it on list index + XREGISTER = {'X0', 'X1', 'X2', 'X3', 'X4', 'X5', 'X6', 'X7', 'X8', 'X9', 'X10', 'X11', 'X12', 'X13', 'X14', 'X15', 'X16', 'X17', 'X18', 'X19', 'X20', 'X21', 'X22', 'X23', 'X24', 'X25', 'X26', 'X27', 'X28', 'X29', 'X30'} WREGISTER = {'W0', 'W1', 'W2', 'W3', 'W4', 'W5', 'W6', 'W7', 'W8', 'W9', 'W10', 'W11', 'W12', 'W13', 'W14', 'W15', 'W16', 'W17', 'W18', 'W19', 'W20', 'W21', 'W22', 'W23', 'W24', 'W25', 'W26', 'W27', 'W28', 'W29', 'W30'} ALL_REGISTER = XREGISTER | WREGISTER @@ -45,6 +52,9 @@ class InstructionEncoding(object): + # Sub classes can force 32/64 only instrs by setting this to 32 or 64 + BITNESS = None + def __init__(self): super(InstructionEncoding, self).__init__() # Bits are in 
@@ -53,8 +63,7 @@ def __init__(self): self.bytearray = bytearray(32) self.bits = memoryview(self.bytearray) - # Disable with SF = FALSE ? - self.bitness = None + self.bitness = self.BITNESS @classmethod def is_register(self, arg, accept_sp): @@ -81,9 +90,17 @@ class GeneratedEncoding(cls): # Instruction filing at instanciation + def setup_fixed_values(self): + # Setup the values registered by InstructionEncoding.gen(x=1, y=2) + for name, value in self.ENCODING_VALUES.items(): + assert isinstance(value, int) + self.setup_immediat(getattr(self, name), value) + def binencode_imm(self, immediat, outsize): binstr = "{:0{outsize}b}".format(immediat, outsize=outsize) - assert len(binstr) == outsize, "Could not encode immediat {0} in {1} bits. Value take {2} bits".format(immediat, outsize, len(binstr)) + if len(binstr) != outsize: + raise ValueError("Could not encode immediat {0} in {1} bits. Value take {2} bits".format(immediat, outsize, len(binstr))) + binlist = [int(c) for c in reversed(binstr)] return bytearray(binlist) @@ -95,7 +112,8 @@ def setup_bitness(self, bitness): self.sf[:] = b"\x00" else: # bitness == 64: self.sf[:] = b"\x01" - assert self.bitness == bitness, "bitness mismatch in instruction" + if self.bitness != bitness: + raise ValueError("Bitness mismatch on <{0}> encoding, instruction is alredy {1} cannot set as {2}".format(type(self).__name__, self.bitness, bitness)) def encode_register(self, register, outsize=5): register = register.upper() @@ -128,12 +146,6 @@ def __init__(self): self.op1 = self.bits[22:26] class AddSubtractImmediate(DataProcessingImmediate): - SF = True - RD = True - RN = True - IMM12 = True - SH = True - def __init__(self, argsdict): super(AddSubtractImmediate, self).__init__() self.sf = self.bits[31:32] # Keep it a memoryview 
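Review bot: `setup_fixed_values` still guards its input with `assert isinstance(value, int)` while the same hunk converts the `binencode_imm` assert into a `ValueError`; under `python -O` the assert disappears and a non-int value from `gen(...)` reaches `setup_immediat` unchecked, so `if not isinstance(value, int): raise ValueError("Encoding value for {0} must be an int, got {1!r}".format(name, value))` keeps the contract enforced. The same remark applies to `assert argsdict.get(3) is None, "SHIFT NOT IMPLEMENTED YET"` in the `@@ -145,20 +157,14 @@` hunk below and to the type asserts in `Shift.__init__` added by the later commit on this page. Separately, `binencode_imm` accepts a negative `immediat`: `"{:0{outsize}b}".format(-5, outsize=12)` yields a 12-character string starting with `-`, so the length check passes and the failure only surfaces as an unrelated `int('-')` error in the list comprehension; extending the condition to `if immediat < 0 or len(binstr) != outsize:` gives the intended message. The enclosing class and `GeneratedEncoding` start outside the hunk.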
@@ -145,20 +157,14 @@ def __init__(self, argsdict): self.rn = self.bits[5:10] self.rd = self.bits[0:5] - for name, value in self.ENCODING_VALUES.items(): - print("{0} setting {1} to {2}".format(type(self).__name__, name, value)) - if isinstance(value, int): - value = bytearray((value,)) - # self.x[:] = value - getattr(self, name)[:] = value + self.setup_fixed_values() # Change instruction based of parameter self.setup_register(self.rd, argsdict[0]) self.setup_register(self.rn, argsdict[1]) self.setup_immediat(self.imm12, argsdict[2]) - - + assert argsdict.get(3) is None, "SHIFT NOT IMPLEMENTED YET" @classmethod @@ -168,6 +174,41 @@ def accept_arg(cls, argsdict): cls.is_imm12(argsdict[2]) and cls.is_shift(argsdict.get(3))) + +### C4.1.94.13 Unconditional branch (register) + +class UnconditionalBranchRegister(InstructionEncoding): + BITNESS = 64 + + def __init__(self, argsdict): + super(UnconditionalBranchRegister, self).__init__() + # Allow to fill it in the same order as the ARM manual + self.bits[25:32] = bytearray(reversed((1, 1, 0, 1, 0, 1, 1))) + self.opc = self.bits[21:25] + self.op2 = self.bits[16:21] + self.op3 = self.bits[10:16] + self.rn = self.bits[5:10] + self.op4 = self.bits[0:5] + + self.setup_fixed_values() + self.setup_register(self.rn, argsdict[0]) + + @classmethod + def accept_arg(cls, argsdict): + return (cls.is_register(argsdict[0], accept_sp=True)) + + +class RetEncoding(UnconditionalBranchRegister.gen(opc=0b10, op2=0b11111, op3=0, op4=0)): + # Ret can accept no register and default to X30 + def __init__(self, argsdict): + if not argsdict: + argsdict[0] = "X30" + super(RetEncoding, self).__init__(argsdict) + + @classmethod + def accept_arg(cls, argsdict): + return not argsdict or cls.is_register(argsdict[0], accept_sp=True) + class Instruction(object): encoding = [] 
@@ -201,3 +242,8 @@ class Add(Instruction): class Subs(Instruction): encoding = [AddSubtractImmediate.gen(op=1, S=1)] + +### C6.2.307 RET (page 2203) (11010110010111110000000000000000) + +class Ret(Instruction): + encoding = [RetEncoding] \ No newline at end of file From 458a0d05583de429957c8fa6cdc1ffde2f862449 Mon Sep 17 00:00:00 2001 From: hakril Date: Fri, 24 Jan 2025 13:52:42 +0100 Subject: [PATCH 27/70] First implem of arm64.assemble() --- windows/native_exec/simple_arm64.py | 145 +++++++++++++++++++++++++++- 1 file changed, 144 insertions(+), 1 deletion(-) diff --git a/windows/native_exec/simple_arm64.py b/windows/native_exec/simple_arm64.py index fe74e9ae..4873b7b4 100644 --- a/windows/native_exec/simple_arm64.py +++ b/windows/native_exec/simple_arm64.py 
@@ -246,4 +246,147 @@ class Subs(Instruction): ### C6.2.307 RET (page 2203) (11010110010111110000000000000000) class Ret(Instruction): - encoding = [RetEncoding] \ No newline at end of file + encoding = [RetEncoding] + + + +class MultipleInstr(object): + INSTRUCTION_SIZE = 4 + + def __init__(self, init_instrs=()): + self.instrs = {} + self.labels = {} + self.expected_labels = {} + # List of all labeled jump already resolved + # Will be used for 'relocation' + self.computed_jump = [] + self.size = 0 + for i in init_instrs: + self += i + + def get_code(self): + if self.expected_labels: + raise ValueError("Unresolved labels: {0}".format(self.expected_labels.keys())) + return b"".join([x[1].get_code() for x in sorted(self.instrs.items())]) + + def add_instruction(self, instruction): + # if isinstance(instruction, Label): + # return self.add_label(instruction) + # # Change DelayedJump to LabeledJump ? + # if isinstance(instruction, DelayedJump): + # return self.add_delayed_jump(instruction) + if isinstance(instruction, Instruction): + self.instrs[self.size] = instruction + self.size += self.INSTRUCTION_SIZE + return + raise ValueError("Don't know what to do with {0} of type {1}".format(instruction, type(instruction))) + + def add_label(self, label): + if label.name not in self.expected_labels: + # Label that have no jump before definition + # Just registed the address of the label + self.labels[label.name] = self.size + return + # Label with jmp before definition + # Lot of stuff todo: + # Find all delayed jump that refer to this jump + # Replace them with real jump + # If size of jump < JUMP_SIZE: relocate everything we can + # Update expected_labels + for jump_to_label in self.expected_labels[label.name]: + if jump_to_label.offset in self.instrs: + raise ValueError("WTF REPLACE EXISTING INSTR...") + distance = self.size - jump_to_label.offset + real_jump = jump_to_label.type(distance) + self.instrs[jump_to_label.offset] = real_jump + 
self.computed_jump.append((jump_to_label.offset, self.size)) + for i in range(self.JUMP_SIZE - len(real_jump.get_code())): + self.instrs[jump_to_label.offset + len(real_jump.get_code()) + i] = _NopArtifact() + del self.expected_labels[label.name] + self.labels[label.name] = self.size + if not self.expected_labels: + # No more un-resolved label (for now): time to reduce the shellcode + self._reduce_shellcode() + + def add_delayed_jump(self, jump): + dst = jump.label + if dst in self.labels: + # Jump to already defined labels + # Nothing fancy: get offset of label and jump to it ! + distance = self.size - self.labels[dst] + jump_instruction = jump.type(-distance) + self.computed_jump.append((self.size, self.labels[dst])) + return self.add_instruction(jump_instruction) + # Jump to undefined label + # Add label to expected ones + # Add jump info -> offset of jump | type + # Reserve space for call ! + jump.offset = self.size + self.expected_labels.setdefault(dst, []).append(jump) + self.size += self.JUMP_SIZE + return + + def merge_shellcode(self, other): + shared_labels = set(self.labels) & set(other.labels) + if shared_labels: + raise ValueError("Cannot merge shellcode: shared labels {0}".format(shared_labels)) + for offset, instr in sorted(other.instrs.items()): + for label_name in [name for name, label_offset in other.labels.items() if label_offset == offset]: + self.add_instruction(Label(label_name)) + self.add_instruction(instr) + + def __iadd__(self, other): + if isinstance(other, MultipleInstr): + self.merge_shellcode(other) + elif isinstance(other, basestring): + self.assemble(other) + else: + self.add_instruction(other) + return self + + def assemble(self, code): + for instr in assemble_instructions_generator(code): + self.add_instruction(instr) + + +def split_in_instruction(str): + for line in str.split("\n"): + if not line: + continue + for instr in line.split(";"): + if not instr: + continue + yield instr.strip() + +def assemble_instructions_generator(str): 
+ for instr in split_in_instruction(str): + data = instr.split(" ", 1) + mnemo, args_raw = data[0], data[1:] + try: + instr_object = globals()[mnemo.capitalize()] + except: + raise ValueError("Unknow mnemonic <{0}>".format(mnemo)) + + # if issubclass(instr_object, Raw): + # # Raw should received the raw buffer as it expect encoded hex + # # The transformation may transform 'raw 9090' (nopnop) as 0n9090 + # # If other fake-instr need this : make a class attribute + # yield instr_object(*args_raw) + # continue + + args = [] + if args_raw: + for arg in args_raw[0].split(","): + arg = arg.strip() + try: + arg = int(arg, 0) + except ValueError: + pass + args.append(arg) + yield instr_object(*args) + +def assemble(str): + """Play test""" + shellcode = MultipleInstr() + shellcode += str + return shellcode.get_code() \ No newline at end of file From 7c96da8c7544363291f5c80d166fe97507ca9712 Mon Sep 17 00:00:00 2001 From: hakril Date: Fri, 24 Jan 2025 19:11:46 +0100 Subject: [PATCH 28/70] Working on simple_arm64.py --- tests/test_simple_arm64.py | 20 ++++++ windows/native_exec/simple_arm64.py | 105 +++++++++++++++++++++++++++- 2 files changed, 123 insertions(+), 2 deletions(-) diff --git a/tests/test_simple_arm64.py b/tests/test_simple_arm64.py index 9d4b0ed1..cab9de41 100644 --- a/tests/test_simple_arm64.py +++ b/tests/test_simple_arm64.py 
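Review bot: `assemble_instructions_generator` resolves a mnemonic with `globals()[mnemo.capitalize()]`, which matches any capitalised module-level name, so a line such as `shift x` or `instruction x` picks up the `Shift` or `Instruction` class and then fails inside `instr_object(*args)` with an unrelated error rather than the intended "Unknow mnemonic" one, and the bare `except:` hides anything else that goes wrong in the lookup. Restricting the lookup keeps the error path meaningful: `instr_object = globals().get(mnemo.capitalize())` / `if not (isinstance(instr_object, type) and issubclass(instr_object, Instruction)):` / `raise ValueError("Unknow mnemonic <{0}>".format(mnemo))`. Also, `add_label` and `add_delayed_jump` use `self.JUMP_SIZE`, `_NopArtifact`, `Label` and `self._reduce_shellcode`, and `__iadd__` uses `basestring`; none of these is defined in the hunk, and unless they exist elsewhere in the module those paths raise `NameError`/`AttributeError` on first use (`basestring` on Python 3 in particular). A class docstring on `MultipleInstr` stating which parts (labels, delayed jumps, merging) are not yet functional would help, since `assemble`'s docstring is only `Play test`.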
@@ -94,6 +94,22 @@ def compare_args(self, args, capres): else: raise ValueError("Unknow argument {0} of type {1}".format(op_args, type(op_args))) +def test_shift_parsing(): + assert Shift.parse("LSL #0") + assert Shift.parse("LSL #12") + assert Shift.parse("LSL #1") + assert Shift.parse("LSR #1") + + assert Shift.parse("ROR #0").type == "ROR" + assert Shift.parse("LSL #0").type == "LSL" + assert Shift.parse("LSL #0").value == 0 + assert Shift.parse("LSL #1").type == "LSL" + assert Shift.parse("LSL #1").value == 1 + + assert not Shift.parse("LSX #1") + assert not Shift.parse("LSX ##1") + assert not Shift.parse("LSX #") + def test_assembler(): CheckInstr(Add)('W0', 'W0', 0) CheckInstr(Add)('W1', 'W0', 0) @@ -104,11 +120,15 @@ def test_assembler(): CheckInstr(Add)('X30', 'X12', 0) CheckInstr(Add)('X0', 'X0', 1) CheckInstr(Add)('X11', 'X12', 0x123) + # CheckInstr(Add)('X11', 'X12', 0x123, "LSL #0") + CheckInstr(Add)('X11', 'X12', 0x123, "LSL #12") # Error test todo # CheckInstr(Add)('X11', 'W12', 0x123) with pytest.raises(ValueError): CheckInstr(Add)('BADREG', 'X12', 0) + with pytest.raises(ValueError): + CheckInstr(Add)('X11', 'X12', 0x123, "LSL #1234") with pytest.raises(ValueError): # Immediat too big for encoding diff --git a/windows/native_exec/simple_arm64.py b/windows/native_exec/simple_arm64.py index 4873b7b4..6b53634d 100644 --- a/windows/native_exec/simple_arm64.py +++ b/windows/native_exec/simple_arm64.py 
@@ -50,6 +50,48 @@ SP = "SP" WSP = "WSP" +# Argument class +class Shift(object): + """Represent a shift parameter of an instruction. + Allow to JIT shift at instruction crafting time without string manipulation for the #XXX""" + def __init__(self, type, value): + assert isinstance(type, str) + assert isinstance(value, int) + type = type.upper() + assert type in ("LSL", "LSR", "ASR", "ROR") + self.type = type + self.value = value + + def __eq__(self, other): + if not isinstance(other, Shift): # Allow compare to tuple & iterable + return ((len(other) == 2) and + (self.type == other[0]) and + (self.value == other[1])) + return (self.type == other.type) and (self.value == other.value) + + def __repr__(self): + return """{0}(type={1}, value={2})""".format(type(self).__name__, self.type, self.value) + + @classmethod + def parse(cls, shiftstr): + if not isinstance(shiftstr, str): + return None + if not shiftstr.count(" ") == 1: + return None + stype, svalue = shiftstr.split(" ", 1) + stype = stype.upper() + if stype not in ("LSL", "LSR", "ASR", "ROR"): + return None + if len(svalue) <= 1: + return None + if not svalue.startswith("#"): + return None + try: + intvalue = int(svalue[1:]) + except ValueError: + return None + return cls(stype, intvalue) +# instruction Encoding class InstructionEncoding(object): # Sub classes can force 32/64 only instrs by setting this to 32 or 64 @@ -80,7 +122,8 @@ def is_imm12(self, arg): @classmethod def is_shift(self, arg): - return True + return (arg is None) or isinstance(arg, Shift) or Shift.parse(arg) + @classmethod def gen(cls, **encoding_array): 
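Review bot: `Shift.__eq__` calls `len(other)` on any non-`Shift` operand, so comparing against `None` or an int (e.g. `shift == None`, or a `Shift` sitting in a list next to immediates) raises TypeError instead of returning False; guard it with `if not isinstance(other, (tuple, list)): return NotImplemented` before the length check. The constructor also validates `type` and `value` with `assert`, which Python strips under `-O`, so an invalid shift type would then be stored silently; use `if type not in ("LSL", "LSR", "ASR", "ROR"): raise ValueError("Invalid shift type: {0}".format(type))` and the same for the int check. Note that `Shift.parse` accepts any `int()`-parsable amount including negatives (`"LSL #-1"`), so range enforcement is left entirely to each encoding.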
@@ -164,7 +207,15 @@ def __init__(self, argsdict): self.setup_register(self.rn, argsdict[1]) self.setup_immediat(self.imm12, argsdict[2]) - assert argsdict.get(3) is None, "SHIFT NOT IMPLEMENTED YET" + shift = Shift.parse(argsdict.get(3)) + if not shift: + return + + if shift not in [("LSL", 0), ("LSL", 12)]: + raise ValueError("Invalid shift for instruction: {0}".format(shift)) + if shift == ("LSL", 12): + import pdb;pdb.set_trace() + self.sh[:] = bytearray((1,)) @classmethod @@ -175,6 +226,33 @@ def accept_arg(cls, argsdict): cls.is_shift(argsdict.get(3))) +class MovWideImmediat(DataProcessingImmediate): + def __init__(self, argsdict): + super(MovWideImmediat, self).__init__() + self.sf = self.bits[31:32] + self.opc = self.bits[29:31] + self.bits[23:29] = bytearray(reversed((1, 0, 0, 1, 0, 1))) + self.hw = self.bits[21:23] + self.imm16 = self.bits[5:21] + self.rd = self.bits[0:5] + + + self.setup_fixed_values() + # Change instruction based of parameter + self.setup_register(self.rd, argsdict[0]) + self.setup_immediat(self.imm16, argsdict[1]) + + assert argsdict.get(3) is None, "SHIFT NOT IMPLEMENTED YET" + + + @classmethod + def accept_arg(cls, argsdict): + return (cls.is_register(argsdict[0], accept_sp=True) and + cls.is_imm12(argsdict[1]) and + cls.is_shift(argsdict.get(2))) + + + ### C4.1.94.13 Unconditional branch (register) class UnconditionalBranchRegister(InstructionEncoding): 
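Review bot: The shift handling added to `__init__` (whose start is outside this hunk) silently drops a `Shift` object: `is_shift` in the previous hunk accepts `isinstance(arg, Shift)`, but `Shift.parse` returns None for anything that is not a `str`, so `Add('X0', 'X1', 1, Shift('LSL', 12))` passes `accept_arg` and is then encoded as if no shift were given — a different immediate than the caller asked for. Make `parse` idempotent with `if isinstance(shiftstr, cls): return shiftstr` as its first line, or only call `Shift.parse` when the argument is a string. The `import pdb;pdb.set_trace()` under the `LSL #12` branch is a debugger breakpoint in library code and must not ship (a later patch in this series removes it again).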
@@ -209,6 +287,24 @@ def __init__(self, argsdict): def accept_arg(cls, argsdict): return not argsdict or cls.is_register(argsdict[0], accept_sp=True) + +# C4.1.95 Data Processing – Register + +class DataProcessingRegister(InstructionEncoding): + def __init__(self): + super(DataProcessingRegister, self).__init__() + self.bits[26:29] = bytearray((0,0,1)) + self.op0 = self.bits[30:31] + self.op1 = self.bits[28:29] + self.bits[25:28] = bytearray(reversed((1, 0, 1))) + self.op2 = self.bits[21:25] + self.op3 = self.bits[10:16] + +# An instruction is a Name that can have multiple encoding +# It's the class we instanciate to assemble instructions +# Add X0, X0, IMM +# Add X0, X0, X0 + class Instruction(object): encoding = [] @@ -248,6 +344,11 @@ class Subs(Instruction): class Ret(Instruction): encoding = [RetEncoding] +# C6.2.254 + +class MovZ(Instruction): + encoding = [MovWideImmediat.gen(opc=0b10)] + class MultipleInstr(object): From 1bc7818552b47670da9a61d671c5c1af7f1660e9 Mon Sep 17 00:00:00 2001 From: hakril Date: Sat, 25 Jan 2025 00:50:25 +0100 Subject: [PATCH 29/70] Still playing with simple_arm64 --- tests/test_simple_arm64.py | 119 +++++++++++++++++++-------- windows/native_exec/simple_arm64.py | 122 +++++++++++++++++++++++++--- 2 files changed, 197 insertions(+), 44 deletions(-) diff --git a/tests/test_simple_arm64.py b/tests/test_simple_arm64.py index cab9de41..ee5fa190 100644 --- a/tests/test_simple_arm64.py +++ b/tests/test_simple_arm64.py 
@@ -35,8 +35,22 @@ def __init__(self, instr_to_test, expected_result=None, immediat_accepted=None, self.expected_result = expected_result self.must_fail = must_fail self.debug = debug + self.callargs = None + def __call__(self, *args): + assert args is not None + self.callargs = args + return self + + def __repr__(self): + if self.must_fail: + return "MustFail:{0}{1}".format(self.instr_to_test.__name__, self.callargs) + return "{0}{1}".format(self.instr_to_test.__name__, self.callargs) + + def dotest(self): + assert self.callargs is not None + args = self.callargs try: if self.debug: import pdb;pdb.set_trace() @@ -70,6 +84,7 @@ def __call__(self, *args): raise AssertionError("Not all bytes have been used by the disassembler") self.compare_mnemo(capres) self.compare_args(args, capres) + return True def compare_mnemo(self, capres): expected = self.instr_to_test.__name__.lower() @@ -80,9 +95,15 @@ def compare_mnemo(self, capres): def compare_args(self, args, capres): capres_op = list(capres.operands) - if len(args) != len(capres_op): - raise AssertionError("Expected {0} operands got {1}".format(len(args), len(capres_op))) - for op_args, cap_op in zip(args, capres_op): + # We may have != number of operand as shift are: + # - arguments for simple_arm64 + # - atribute of immediat for capstone + if not len(capres_op) <= len(args): + raise AssertionError("Expected at most {0} operands got {1}".format(len(args), len(capres_op))) + + opargit = iter(args) # allow manually using next() to get next simple_arm64 arg for shift compare + # capres_op must be first in zip (as its smaller) or last next(opargit) will be consommed by zip + for cap_op, op_args in zip(capres_op, opargit): if isinstance(op_args, str): # Register if cap_op.type != capstone.arm64.ARM64_OP_REG: raise AssertionError("Expected args {0} operands got {1}".format(op_args, capres_op)) 
@@ -91,9 +112,39 @@ def compare_args(self, args, capres): elif isinstance(op_args, int_types): if (op_args != cap_op.imm) and not (self.immediat_accepted and self.immediat_accepted == cap_op.imm): raise AssertionError("Expected Immediat <{0}> got {1}".format(op_args, cap_op.imm)) + cap_shift = cap_op.shift + if not (cap_shift.type == cap_shift.value == 0): + self.compare_shift(next(opargit), cap_shift) else: raise ValueError("Unknow argument {0} of type {1}".format(op_args, type(op_args))) + # Check that no argument were unused in args + # As args + shift should perfectly match the capres_op + sentinel = object() + nextarg = next(opargit, sentinel) + if nextarg != sentinel: + # Ignore a leading LSL #0 shift, as it should be authorized but not displayed by disassembler + shift = Shift.parse(nextarg) + if not (shift.type == "LSL" and shift.value == 0): + raise ValueError("Non consomated argument: {0} (probable non-encoded shift)".format(nextarg)) + + SHIFT_TYPE_TO_CAPSTONE = { + "LSL": capstone.arm64.ARM64_SFT_LSL, + "LSR": capstone.arm64.ARM64_SFT_LSR, + "ASR": capstone.arm64.ARM64_SFT_ASR, + "ROR": capstone.arm64.ARM64_SFT_ROR, + # "MSL": apstone.arm64.ARM64_SFT_MSL # Not yet used in PFW + } + + def compare_shift(self, shiftstr, cap_shift): + shift = Shift.parse(shiftstr) + if not self.SHIFT_TYPE_TO_CAPSTONE[shift.type] == cap_shift.type: + raise ValueError("Shift type mismatch: expected {0} got {1}".format(shift.type, cap_shift.type)) + if not shift.value == cap_shift.value: + raise ValueError("Shift value mismatch: expected {0} got {1}".format(shift.value, cap_shift.value)) + return True + + def test_shift_parsing(): assert Shift.parse("LSL #0") assert Shift.parse("LSL #12") 
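Review bot: The leftover-argument check at the end of `compare_args` dereferences `Shift.parse(nextarg)` without a None check, so a trailing argument that is not a parsable shift — the very case this branch exists to report — raises AttributeError instead of the intended error; write `if shift is None or not (shift.type == "LSL" and shift.value == 0):`. That block and `compare_shift` raise ValueError for comparison mismatches while the rest of `compare_args` raises AssertionError; if `dotest` (outside this hunk) treats ValueError as the expected assembly failure for `must_fail` rows, a wrong disassembly would be reported as a pass, so keep AssertionError for comparison failures.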
@@ -110,32 +161,36 @@ def test_shift_parsing(): assert not Shift.parse("LSX ##1") assert not Shift.parse("LSX #") -def test_assembler(): - CheckInstr(Add)('W0', 'W0', 0) - CheckInstr(Add)('W1', 'W0', 0) - CheckInstr(Add)('W30', 'W12', 0) - CheckInstr(Add)('W0', 'W0', 1) - - CheckInstr(Add)('X0', 'X0', 0) - CheckInstr(Add)('X30', 'X12', 0) - CheckInstr(Add)('X0', 'X0', 1) - CheckInstr(Add)('X11', 'X12', 0x123) - # CheckInstr(Add)('X11', 'X12', 0x123, "LSL #0") - CheckInstr(Add)('X11', 'X12', 0x123, "LSL #12") - - # Error test todo - # CheckInstr(Add)('X11', 'W12', 0x123) - with pytest.raises(ValueError): - CheckInstr(Add)('BADREG', 'X12', 0) - with pytest.raises(ValueError): - CheckInstr(Add)('X11', 'X12', 0x123, "LSL #1234") - - with pytest.raises(ValueError): - # Immediat too big for encoding - CheckInstr(Add)('X11', 'X12', 0x12345678) - - CheckInstr(Ret)("X0") - CheckInstr(Ret, expected_result="ret ")("X30") - CheckInstr(Ret)() - with pytest.raises(ValueError): - CheckInstr(Ret)("W0") +@pytest.mark.parametrize("checkinstr", [ + CheckInstr(Add)('W0', 'W0', 0), + CheckInstr(Add)('W1', 'W0', 0), + CheckInstr(Add)('W30', 'W12', 0), + CheckInstr(Add)('W0', 'W0', 1), + CheckInstr(Add)('X0', 'X0', 0), + CheckInstr(Add)('X30', 'X12', 0), + CheckInstr(Add)('X0', 'X0', 1), + CheckInstr(Add)('X11', 'X12', 0x123), + CheckInstr(Add)('X11', 'X12', 0x123, "LSL #0"), + CheckInstr(Add)('X11', 'X12', 0x123, "LSL #12"), + CheckInstr(Add, must_fail=True)('X11', 'W12', 0x123), # Bitness mismatch + CheckInstr(Add, must_fail=True)('BADREG', 'X12', 0), + CheckInstr(Add, must_fail=True)('X11', 'X12', 0x123, "LSL #1234"), + CheckInstr(Add, must_fail=True)('X11', 'X12', 0x12345678), + + CheckInstr(Movz)('X0', 0), + CheckInstr(Movz)('X0', 0, "LSL #32"), + CheckInstr(Movz)('X18', 0, "LSL #48"), + CheckInstr(Movz)('W18', 0, "LSL #16"), + CheckInstr(Movz, must_fail=True)('X0', 0, "LSL #12"), # Invalid LSL for MovWideImmediat + CheckInstr(Movz, must_fail=True)('W0', 0, "LSL #32"), + 
CheckInstr(Movz, must_fail=True)('X0', 0, "ROR #32"), + + CheckInstr(Movk)('X0', 0x1234, "LSL #32"), + CheckInstr(Movk)('X18', 0x5678, "LSL #48"), + + CheckInstr(Ret)("X0"), + CheckInstr(Ret, expected_result="ret ")("X30"), + CheckInstr(Ret)(), +], ids=CheckInstr.__repr__) +def test_instruction_assembling(checkinstr): + assert checkinstr.dotest() \ No newline at end of file diff --git a/windows/native_exec/simple_arm64.py b/windows/native_exec/simple_arm64.py index 6b53634d..ea3803c3 100644 --- a/windows/native_exec/simple_arm64.py +++ b/windows/native_exec/simple_arm64.py @@ -113,7 +113,7 @@ def is_register(self, arg, accept_sp): return (accept_sp and (arg in [SP, WSP])) or arg in ALL_REGISTER @classmethod - def is_imm12(self, arg): + def is_imm(self, arg): try: value = int(arg) except (ValueError, TypeError): @@ -127,9 +127,9 @@ def is_shift(self, arg): @classmethod def gen(cls, **encoding_array): - class GeneratedEncoding(cls): + class GeneratedEncodingCls(cls): ENCODING_VALUES = encoding_array - return GeneratedEncoding + return GeneratedEncodingCls # Instruction filing at instanciation @@ -214,7 +214,6 @@ def __init__(self, argsdict): if shift not in [("LSL", 0), ("LSL", 12)]: raise ValueError("Invalid shift for instruction: {0}".format(shift)) if shift == ("LSL", 12): - import pdb;pdb.set_trace() self.sh[:] = bytearray((1,)) 
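Review bot: The `must_fail=True` rows do not pin why assembly fails, so the `('X11', 'W12', 0x123)` bitness-mismatch row and the `('BADREG', 'X12', 0)` row pass for whatever exception the `must_fail` path in `dotest` (outside this hunk) accepts, including an AttributeError from a code path that was never meant to be hit; an expected exception type or message on `CheckInstr` would make these rows meaningful. The table also has no row passing a `Shift` instance instead of a string, nor an `SP`/`WSP` destination for `Movz`; both take code paths in the assembler that differ from the string/GPR cases and are currently untested.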
@@ -222,10 +221,45 @@ def __init__(self, argsdict): def accept_arg(cls, argsdict): return (cls.is_register(argsdict[0], accept_sp=True) and cls.is_register(argsdict[1], accept_sp=True) and - cls.is_imm12(argsdict[2]) and + cls.is_imm(argsdict[2]) and cls.is_shift(argsdict.get(3))) +# C4.1.93.6 Logical (immediate) +# Wtf : https://kddnewton.com/2022/08/11/aarch64-bitmask-immediates.html + +class DataProcessingLogicalImmediate(DataProcessingImmediate): + def __init__(self, argsdict): + super(DataProcessingLogicalImmediate, self).__init__() + self.sf = self.bits[31:32] + self.opc = self.bits[29:31] + self.bits[23:29] = bytearray(reversed((1, 0, 0, 1, 0, 0))) + self.N = self.bits[22:23] + self.immr = self.bits[16:22] + self.imms = self.bits[10:16] + self.rn = self.bits[5:10] + self.rd = self.bits[0:5] + + self.setup_fixed_values() + # Change instruction based of parameter + self.setup_register(self.rd, argsdict[0]) + self.setup_register(self.rn, argsdict[1]) + self.setup_bitmask_imm(self.imm12, argsdict[2]) + + @classmethod + def accept_arg(cls, argsdict): + return (cls.is_register(argsdict[0], accept_sp=True) and + cls.is_register(argsdict[1], accept_sp=True) and + cls.is_bitmask_imm(argsdict[2])) + + @classmethod + def is_bitmask_imm(*args, **kwargs): + raise NotImplementedError("is_bitmask_imm") + + def setup_bitmask_imm(*args, **kwargs): + raise NotImplementedError("setup_bitmask_imm") + + class MovWideImmediat(DataProcessingImmediate): def __init__(self, argsdict): super(MovWideImmediat, self).__init__() 
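Review bot: `DataProcessingLogicalImmediate.__init__` passes `self.imm12` to `setup_bitmask_imm`, but this class defines `N`, `immr` and `imms` and no `imm12`, so unless the parent `__init__` (outside this hunk) creates that attribute the call fails with AttributeError before the NotImplementedError stub is reached; pass the bitmask fields instead, `self.setup_bitmask_imm(self.N, self.immr, self.imms, argsdict[2])`, and give the stubs matching signatures. `accept_arg` also allows `SP`/`WSP` for the source operand, while in the logical-immediate encodings register 31 in `Rn` is the zero register (only `Rd` may be SP), so `Orr X0, SP, #imm` would silently assemble with XZR as source; use `cls.is_register(argsdict[1], accept_sp=False)`. A class comment stating that this encoding is not yet wired to any `Instruction` would save the next reader from looking for its users.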
@@ -242,13 +276,23 @@ def __init__(self, argsdict): self.setup_register(self.rd, argsdict[0]) self.setup_immediat(self.imm16, argsdict[1]) - assert argsdict.get(3) is None, "SHIFT NOT IMPLEMENTED YET" + shift = Shift.parse(argsdict.get(2)) + if not shift: + return + if shift.type != "LSL": + raise ValueError("Invalid shift type for {0} : {1}".format(type(self).__name__, shift.value)) + if shift.value not in (0, 16 ,32, 48): + raise ValueError("Invalid shift value for {0} : {1}".format(type(self).__name__, shift.value)) + if self.bitness == 32 and shift.value > 16: + raise ValueError("Invalid shift value for 32bits encoding of {0} : {1}".format(type(self).__name__, shift.value)) + + self.setup_immediat(self.hw, shift.value // 16) @classmethod def accept_arg(cls, argsdict): return (cls.is_register(argsdict[0], accept_sp=True) and - cls.is_imm12(argsdict[1]) and + cls.is_imm(argsdict[1]) and cls.is_shift(argsdict.get(2))) 
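Review bot: The shift-type error in `MovWideImmediat.__init__` formats `shift.value` where the type is meant, so `Movz('X0', 0, 'ROR #32')` reports `Invalid shift type for ... : 32`; change the format argument to `shift.type`. `accept_arg` admits `SP`/`WSP` as destination, but in MOVZ/MOVK register 31 encodes XZR/WZR, so `Movz('SP', 1)` assembles to a write to the zero register (a no-op in the generated shellcode) instead of an error — use `cls.is_register(argsdict[0], accept_sp=False)`. The `is_imm` check in `accept_arg` does not bound the immediate to 16 bits; whether `setup_immediat` rejects values above 0xFFFF is decided outside this hunk and is worth a test row.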
@@ -293,24 +337,71 @@ def accept_arg(cls, argsdict): class DataProcessingRegister(InstructionEncoding): def __init__(self): super(DataProcessingRegister, self).__init__() - self.bits[26:29] = bytearray((0,0,1)) self.op0 = self.bits[30:31] self.op1 = self.bits[28:29] self.bits[25:28] = bytearray(reversed((1, 0, 1))) self.op2 = self.bits[21:25] self.op3 = self.bits[10:16] +class DataProcessingLogicalShiftedRegister(DataProcessingRegister): + def __init__(self, argsdict): + super(DataProcessingLogicalShiftedRegister, self).__init__() + self.sf = self.bits[31:32] + self.opc = self.bits[29:31] + self.bits[24:29] = bytearray(reversed((0, 1, 0, 1, 0))) + self.shift = self.bits[22:24] + self.N = self.bits[21:22] + self.rm = self.bits[16:21] + self.imm6 = self.bits[10:16] + self.rn = self.bits[5:10] + self.rd = self.bits[0:5] + + self.setup_fixed_values() + # Change instruction based of parameter + self.setup_register(self.rd, argsdict[0]) + self.setup_register(self.rn, argsdict[1]) + self.setup_register(self.rm, argsdict[2]) + + shift = Shift.parse(argsdict.get(3)) + if not shift: + return + # Is this mapping generic ? Store ir somewhere ? + # Is the shift size logic repeatable and factorisable ? 
+ if self.bitness == 32 and shift.value > 31: + raise ValueError("Invalid shift value for 32bits encoding of {0} : {1}".format(type(self).__name__, shift.value)) + + SHIFT_MAPPING = {"LSL": 0b00, "LSR": 0b01, "ASR": 0b10, "ROR": 0b11} + self.setup_immediat(self.shift, SHIFT_MAPPING[shift.type]) + self.setup_immediat(self.imm6, shift.value) + + + @classmethod + def accept_arg(cls, argsdict): + return (cls.is_register(argsdict[0]) and + cls.is_register(argsdict[1]) and + cls.is_register(argsdict[2]) and + cls.is_shift(argsdict.get(3))) + # An instruction is a Name that can have multiple encoding # It's the class we instanciate to assemble instructions -# Add X0, X0, IMM -# Add X0, X0, X0 +# C6.2.270 ORR (immediate) +# C6.2.271 ORR (shifted register) + +# there also seem to exist "alias instructions" like "mov" +# That just map to others instruction when specific condition are met on the params + class Instruction(object): encoding = [] def __init__(self, *args): argsdict = dict(enumerate(args)) # Like a list but allow arg.get(4) - for encodcls in self.encoding: + for i, encodcls in enumerate(self.encoding): + # Late rewrite of GeneratedEncodingCls classname for better message error + if encodcls.__name__ == "GeneratedEncodingCls": + encodcls.__name__ = "{0}Encoding{1}".format(type(self).__name__, i) + + if encodcls.accept_arg(argsdict): self.encoded = encodcls(argsdict) return @@ -346,10 +437,17 @@ class Ret(Instruction): # C6.2.254 -class MovZ(Instruction): +class Movz(Instruction): encoding = [MovWideImmediat.gen(opc=0b10)] +class Movk(Instruction): + encoding = [MovWideImmediat.gen(opc=0b11)] +# The encoding for "mov reg, reg" :D +# C6.2.271 +# Todo: Instruction like "mov" that dispatch to other instruction encoding based on more precise condition on param ? +class Orr(Instruction): + encoding = [DataProcessingLogicalShiftedRegister.gen(opc=0b01)] class MultipleInstr(object): INSTRUCTION_SIZE = 4 
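Review bot: In `DataProcessingLogicalShiftedRegister.__init__` the shift amount is bounded only for the 32-bit case (`> 31`); with X registers nothing rejects amounts above 63 or the negative values `Shift.parse` accepts (`"LSL #-1"`), so whether `orr x0, x1, x2, lsl #64` is refused or mis-encoded depends on `setup_immediat`'s range handling, which is outside this hunk. An explicit guard keeps the contract local: `limit = 31 if self.bitness == 32 else 63` followed by `if not 0 <= shift.value <= limit: raise ValueError("Invalid shift value for {0} : {1}".format(type(self).__name__, shift.value))`. Separately, `Instruction.__init__` rewrites `encodcls.__name__` on every instantiation; naming the generated class once in `gen()` (e.g. a `name` keyword) avoids mutating shared class state on the assembly path.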
From 1889899535a8866f5f5d7f989826054d02d6d0fe Mon Sep 17 00:00:00 2001 From: hakril Date: Sun, 2 Feb 2025 19:28:16 +0100 Subject: [PATCH 30/70] Readd RtlGetCurrentPeb lost in rebase --- .../definitions/functions/process.txt | 7 +- docs/source/winfuncs_generated.rst | 2 + docs/source/winstructs_generated.rst | 122 ++++++++-------- windows/generated_def/winfuncs.py | 5 + windows/generated_def/winstructs.py | 136 ++++-------------- 5 files changed, 104 insertions(+), 168 deletions(-) diff --git a/ctypes_generation/definitions/functions/process.txt b/ctypes_generation/definitions/functions/process.txt index dce498ff..0eb7c908 100644 --- a/ctypes_generation/definitions/functions/process.txt +++ b/ctypes_generation/definitions/functions/process.txt @@ -77,4 +77,9 @@ BOOL SetProcessInformation( [in] PROCESS_INFORMATION_CLASS ProcessInformationClass, LPVOID ProcessInformation, [in] DWORD ProcessInformationSize -); \ No newline at end of file +); + +/* Not documented by seems present since dawn of time (WRK) + I Prefere PVOID as a return value to allow simple cast to PEB subclass in process.py*/ + +PVOID RtlGetCurrentPeb (); \ No newline at end of file diff --git a/docs/source/winfuncs_generated.rst b/docs/source/winfuncs_generated.rst index 64035bd8..eef30e15 100644 --- a/docs/source/winfuncs_generated.rst +++ b/docs/source/winfuncs_generated.rst @@ -700,6 +700,8 @@ Functions .. function:: SetProcessInformation(hProcess, ProcessInformationClass, ProcessInformation, ProcessInformationSize) +.. function:: RtlGetCurrentPeb() + .. function:: RegQueryValueExA(hKey, lpValueName, lpReserved, lpType, lpData, lpcbData) .. function:: RegQueryValueExW(hKey, lpValueName, lpReserved, lpType, lpData, lpcbData) diff --git a/docs/source/winstructs_generated.rst b/docs/source/winstructs_generated.rst index 562a0389..949233d7 100644 --- a/docs/source/winstructs_generated.rst +++ b/docs/source/winstructs_generated.rst 
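Review bot: The comment introduced above `RtlGetCurrentPeb` in `process.txt` reads "Not documented by seems present" and "I Prefere", and it is the only explanation a reader of the generated `winfuncs.py` prototype will find. Suggested wording: `/* Undocumented ntdll export, but present since the WRK era. PVOID is used as the return type on purpose so process.py can cast the result to its PEB subclass. */`. Because the export is undocumented, the code that resolves it should tolerate its absence on a given build; that resolution happens outside this hunk.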
@@ -10344,6 +10344,67 @@ _SYSTEM_BASIC_INFORMATION :class:`CHAR` +_SYSTEM_INFO +'''''''''''' +.. class:: LPSYSTEM_INFO + + Pointer to :class:`_SYSTEM_INFO` + +.. class:: SYSTEM_INFO + + Alias for :class:`_SYSTEM_INFO` + +.. class:: _SYSTEM_INFO + + .. attribute:: DUMMYUNIONNAME + + :class:`_ANON__SYSTEM_INFO_SUB_UNION_1` + + + .. attribute:: dwPageSize + + :class:`DWORD` + + + .. attribute:: lpMinimumApplicationAddress + + :class:`LPVOID` + + + .. attribute:: lpMaximumApplicationAddress + + :class:`LPVOID` + + + .. attribute:: dwActiveProcessorMask + + :class:`DWORD_PTR` + + + .. attribute:: dwNumberOfProcessors + + :class:`DWORD` + + + .. attribute:: dwProcessorType + + :class:`DWORD` + + + .. attribute:: dwAllocationGranularity + + :class:`DWORD` + + + .. attribute:: wProcessorLevel + + :class:`WORD` + + + .. attribute:: wProcessorRevision + + :class:`WORD` + _CURDIR ''''''' .. class:: CURDIR @@ -25791,67 +25852,6 @@ _EXPLICIT_ACCESS_W :class:`TRUSTEE_W` -_SYSTEM_INFO -'''''''''''' -.. class:: LPSYSTEM_INFO - - Pointer to :class:`_SYSTEM_INFO` - -.. class:: SYSTEM_INFO - - Alias for :class:`_SYSTEM_INFO` - -.. class:: _SYSTEM_INFO - - .. attribute:: DUMMYUNIONNAME - - :class:`_ANON__SYSTEM_INFO_SUB_UNION_1` - - - .. attribute:: dwPageSize - - :class:`DWORD` - - - .. attribute:: lpMinimumApplicationAddress - - :class:`LPVOID` - - - .. attribute:: lpMaximumApplicationAddress - - :class:`LPVOID` - - - .. attribute:: dwActiveProcessorMask - - :class:`DWORD_PTR` - - - .. attribute:: dwNumberOfProcessors - - :class:`DWORD` - - - .. attribute:: dwProcessorType - - :class:`DWORD` - - - .. attribute:: dwAllocationGranularity - - :class:`DWORD` - - - .. attribute:: wProcessorLevel - - :class:`WORD` - - - .. attribute:: wProcessorRevision - - :class:`WORD` - _TIME_ZONE_INFORMATION '''''''''''''''''''''' .. class:: LPTIME_ZONE_INFORMATION diff --git a/windows/generated_def/winfuncs.py b/windows/generated_def/winfuncs.py index 2049300f..9127a71c 100644 
--- a/windows/generated_def/winfuncs.py +++ b/windows/generated_def/winfuncs.py @@ -1745,6 +1745,11 @@ SetProcessInformationPrototype = WINFUNCTYPE(BOOL, HANDLE, PROCESS_INFORMATION_CLASS, LPVOID, DWORD) SetProcessInformationParams = ((1, 'hProcess'), (1, 'ProcessInformationClass'), (1, 'ProcessInformation'), (1, 'ProcessInformationSize')) +#def RtlGetCurrentPeb(): +# return RtlGetCurrentPeb.ctypes_function() +RtlGetCurrentPebPrototype = WINFUNCTYPE(PVOID) +RtlGetCurrentPebParams = () + #def RegQueryValueExA(hKey, lpValueName, lpReserved, lpType, lpData, lpcbData): # return RegQueryValueExA.ctypes_function(hKey, lpValueName, lpReserved, lpType, lpData, lpcbData) RegQueryValueExAPrototype = WINFUNCTYPE(LSTATUS, HKEY, LPCSTR, LPDWORD, LPDWORD, LPBYTE, LPDWORD) diff --git a/windows/generated_def/winstructs.py b/windows/generated_def/winstructs.py index faf9e3e9..750bce54 100644 --- a/windows/generated_def/winstructs.py +++ b/windows/generated_def/winstructs.py 
@@ -4783,6 +4783,36 @@ class _SYSTEM_BASIC_INFORMATION(Structure): PSYSTEM_BASIC_INFORMATION = POINTER(_SYSTEM_BASIC_INFORMATION) SYSTEM_BASIC_INFORMATION = _SYSTEM_BASIC_INFORMATION +class _ANON__ANON__SYSTEM_INFO_SUB_UNION_1_SUB_STRUCTURE_1(Structure): + _fields_ = [ + ("wProcessorArchitecture", WORD), + ("wReserved", WORD), + ] + +class _ANON__SYSTEM_INFO_SUB_UNION_1(Union): + _anonymous_ = ("DUMMYSTRUCTNAME",) + _fields_ = [ + ("dwOemId", DWORD), + ("DUMMYSTRUCTNAME", _ANON__ANON__SYSTEM_INFO_SUB_UNION_1_SUB_STRUCTURE_1), + ] + +class _SYSTEM_INFO(Structure): + _anonymous_ = ("DUMMYUNIONNAME",) + _fields_ = [ + ("DUMMYUNIONNAME", _ANON__SYSTEM_INFO_SUB_UNION_1), + ("dwPageSize", DWORD), + ("lpMinimumApplicationAddress", LPVOID), + ("lpMaximumApplicationAddress", LPVOID), + ("dwActiveProcessorMask", DWORD_PTR), + ("dwNumberOfProcessors", DWORD), + ("dwProcessorType", DWORD), + ("dwAllocationGranularity", DWORD), + ("wProcessorLevel", WORD), + ("wProcessorRevision", WORD), + ] +LPSYSTEM_INFO = POINTER(_SYSTEM_INFO) +SYSTEM_INFO = _SYSTEM_INFO + TASK_ACTION_EXEC = EnumValue("_TASK_ACTION_TYPE", "TASK_ACTION_EXEC", 0x0) TASK_ACTION_COM_HANDLER = EnumValue("_TASK_ACTION_TYPE", "TASK_ACTION_COM_HANDLER", 0x5) TASK_ACTION_SEND_EMAIL = EnumValue("_TASK_ACTION_TYPE", "TASK_ACTION_SEND_EMAIL", 0x6) 
@@ -11263,112 +11293,6 @@ class _EXPLICIT_ACCESS_W(Structure): PEXPLICIT_ACCESSW = POINTER(_EXPLICIT_ACCESS_W) PEXPLICIT_ACCESS_W = POINTER(_EXPLICIT_ACCESS_W) -ComputerNameNetBIOS = EnumValue("_COMPUTER_NAME_FORMAT", "ComputerNameNetBIOS", 0x0) -ComputerNameDnsHostname = EnumValue("_COMPUTER_NAME_FORMAT", "ComputerNameDnsHostname", 0x1) -ComputerNameDnsDomain = EnumValue("_COMPUTER_NAME_FORMAT", "ComputerNameDnsDomain", 0x2) -ComputerNameDnsFullyQualified = EnumValue("_COMPUTER_NAME_FORMAT", "ComputerNameDnsFullyQualified", 0x3) -ComputerNamePhysicalNetBIOS = EnumValue("_COMPUTER_NAME_FORMAT", "ComputerNamePhysicalNetBIOS", 0x4) -ComputerNamePhysicalDnsHostname = EnumValue("_COMPUTER_NAME_FORMAT", "ComputerNamePhysicalDnsHostname", 0x5) -ComputerNamePhysicalDnsDomain = EnumValue("_COMPUTER_NAME_FORMAT", "ComputerNamePhysicalDnsDomain", 0x6) -ComputerNamePhysicalDnsFullyQualified = EnumValue("_COMPUTER_NAME_FORMAT", "ComputerNamePhysicalDnsFullyQualified", 0x7) -ComputerNameMax = EnumValue("_COMPUTER_NAME_FORMAT", "ComputerNameMax", 0x8) -class _COMPUTER_NAME_FORMAT(EnumType): - values = [ComputerNameNetBIOS, ComputerNameDnsHostname, ComputerNameDnsDomain, ComputerNameDnsFullyQualified, ComputerNamePhysicalNetBIOS, ComputerNamePhysicalDnsHostname, ComputerNamePhysicalDnsDomain, ComputerNamePhysicalDnsFullyQualified, ComputerNameMax] - mapper = FlagMapper(*values) -COMPUTER_NAME_FORMAT = _COMPUTER_NAME_FORMAT - - -class _SYSTEM_PROCESS_INFORMATION(Structure): - _fields_ = [ - ("NextEntryOffset", ULONG), - ("NumberOfThreads", ULONG), - ("Reserved1", BYTE * (24)), - ("CreateTime", LARGE_INTEGER), - ("UserTime", LARGE_INTEGER), - ("KernelTime", LARGE_INTEGER), - ("ImageName", UNICODE_STRING), - ("BasePriority", LONG), - ("UniqueProcessId", HANDLE), - ("InheritedFromUniqueProcessId", PVOID), - ("HandleCount", ULONG), - ("Reserved4", BYTE * (4)), - ("Reserved5", PVOID * (1)), - ("PeakVirtualSize", PVOID), - ("VirtualSize", PVOID), - ("PageFaultCount", PVOID), - 
("PeakWorkingSetSize", PVOID), - ("WorkingSetSize", PVOID), - ("QuotaPeakPagedPoolUsage", PVOID), - ("QuotaPagedPoolUsage", PVOID), - ("QuotaPeakNonPagedPoolUsage", PVOID), - ("QuotaNonPagedPoolUsage", PVOID), - ("PagefileUsage", PVOID), - ("PeakPagefileUsage", SIZE_T), - ("PrivatePageCount", SIZE_T), - ("Reserved6", LARGE_INTEGER * (6)), - ] -PSYSTEM_PROCESS_INFORMATION = POINTER(_SYSTEM_PROCESS_INFORMATION) -SYSTEM_PROCESS_INFORMATION = _SYSTEM_PROCESS_INFORMATION - -class _SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION(Structure): - _fields_ = [ - ("IdleTime", LARGE_INTEGER), - ("KernelTime", LARGE_INTEGER), - ("UserTime", LARGE_INTEGER), - ("Reserved1", LARGE_INTEGER * (2)), - ("Reserved2", ULONG), - ] -PSYSTEM_PROCESSOR_PERFORMANCE_INFORMATION = POINTER(_SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION) -SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION = _SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION - -class _SYSTEM_REGISTRY_QUOTA_INFORMATION(Structure): - _fields_ = [ - ("RegistryQuotaAllowed", ULONG), - ("RegistryQuotaUsed", ULONG), - ("Reserved1", PVOID), - ] -PSYSTEM_REGISTRY_QUOTA_INFORMATION = POINTER(_SYSTEM_REGISTRY_QUOTA_INFORMATION) -SYSTEM_REGISTRY_QUOTA_INFORMATION = _SYSTEM_REGISTRY_QUOTA_INFORMATION - -class _SYSTEM_BASIC_INFORMATION(Structure): - _fields_ = [ - ("Reserved1", BYTE * (24)), - ("Reserved2", PVOID * (4)), - ("NumberOfProcessors", CHAR), - ] -PSYSTEM_BASIC_INFORMATION = POINTER(_SYSTEM_BASIC_INFORMATION) -SYSTEM_BASIC_INFORMATION = _SYSTEM_BASIC_INFORMATION - -class _ANON__ANON__SYSTEM_INFO_SUB_UNION_1_SUB_STRUCTURE_1(Structure): - _fields_ = [ - ("wProcessorArchitecture", WORD), - ("wReserved", WORD), - ] - -class _ANON__SYSTEM_INFO_SUB_UNION_1(Union): - _anonymous_ = ("DUMMYSTRUCTNAME",) - _fields_ = [ - ("dwOemId", DWORD), - ("DUMMYSTRUCTNAME", _ANON__ANON__SYSTEM_INFO_SUB_UNION_1_SUB_STRUCTURE_1), - ] - -class _SYSTEM_INFO(Structure): - _anonymous_ = ("DUMMYUNIONNAME",) - _fields_ = [ - ("DUMMYUNIONNAME", _ANON__SYSTEM_INFO_SUB_UNION_1), - ("dwPageSize", 
DWORD), - ("lpMinimumApplicationAddress", LPVOID), - ("lpMaximumApplicationAddress", LPVOID), - ("dwActiveProcessorMask", DWORD_PTR), - ("dwNumberOfProcessors", DWORD), - ("dwProcessorType", DWORD), - ("dwAllocationGranularity", DWORD), - ("wProcessorLevel", WORD), - ("wProcessorRevision", WORD), - ] -LPSYSTEM_INFO = POINTER(_SYSTEM_INFO) -SYSTEM_INFO = _SYSTEM_INFO - class _TIME_ZONE_INFORMATION(Structure): _fields_ = [ ("Bias", LONG), From bce15d0d3c13d73322fc56f62c3299255f19537c Mon Sep 17 00:00:00 2001 From: hakril Date: Mon, 3 Feb 2025 09:11:01 +0100 Subject: [PATCH 31/70] simple_arm64.Mov(reg, reg) that redirect to Orr(reg, zero, reg) --- tests/test_simple_arm64.py | 21 ++++++++++++++-- windows/native_exec/simple_arm64.py | 39 +++++++++++++++++++++++++++-- 2 files changed, 56 insertions(+), 4 deletions(-) diff --git a/tests/test_simple_arm64.py b/tests/test_simple_arm64.py index ee5fa190..a0c73572 100644 --- a/tests/test_simple_arm64.py +++ b/tests/test_simple_arm64.py @@ -75,7 +75,7 @@ def dotest(self): capres = capres_list[0] print("{0} {1}".format(capres.mnemonic, capres.op_str)) if self.expected_result is not None: - if "{0} {1}".format(capres.mnemonic, capres.op_str) == self.expected_result: + if "{0} {1}".format(capres.mnemonic, capres.op_str).strip() == self.expected_result: return True else: raise AssertionError("Expected result <{0}> got <{1}>".format(self.expected_result, "{0} {1}".format(capres.mnemonic, capres.op_str))) 
@@ -185,12 +185,29 @@ def test_shift_parsing(): CheckInstr(Movz, must_fail=True)('W0', 0, "LSL #32"), CheckInstr(Movz, must_fail=True)('X0', 0, "ROR #32"), + + CheckInstr(Orr)('X0', 'X18', 'XZR'), + # Official encoding for this in ARM64 ref + CheckInstr(Orr, expected_result="mov x0, x18")('X0', 'XZR', 'X18'), + CheckInstr(Orr, must_fail=True)('X0', 'WZR', 'X18'), # Size mismatch + CheckInstr(Orr, must_fail=True)('W0', 'XZR', 'W18'), # Size mismatch + CheckInstr(Movk)('X0', 0x1234, "LSL #32"), CheckInstr(Movk)('X18', 0x5678, "LSL #48"), CheckInstr(Ret)("X0"), - CheckInstr(Ret, expected_result="ret ")("X30"), + CheckInstr(Ret, expected_result="ret")("X30"), CheckInstr(Ret)(), + + # Virtual instruction that dispatch to something else: + # Ex: "mov reg1, re2" -> "orr reg1, xzr, reg2" + + CheckInstr(Mov)('X0', 'X18'), + CheckInstr(Mov)('W0', 'W18'), + CheckInstr(Mov, must_fail=True)('X0', 'W18'), + CheckInstr(Mov, must_fail=True)('X0', 'X18', 'X12'), + + ], ids=CheckInstr.__repr__) def test_instruction_assembling(checkinstr): assert checkinstr.dotest() \ No newline at end of file diff --git a/windows/native_exec/simple_arm64.py b/windows/native_exec/simple_arm64.py index ea3803c3..6ecfc4d8 100644 --- a/windows/native_exec/simple_arm64.py +++ b/windows/native_exec/simple_arm64.py 
@@ -47,9 +47,18 @@ XREGISTER = {'X0', 'X1', 'X2', 'X3', 'X4', 'X5', 'X6', 'X7', 'X8', 'X9', 'X10', 'X11', 'X12', 'X13', 'X14', 'X15', 'X16', 'X17', 'X18', 'X19', 'X20', 'X21', 'X22', 'X23', 'X24', 'X25', 'X26', 'X27', 'X28', 'X29', 'X30'} WREGISTER = {'W0', 'W1', 'W2', 'W3', 'W4', 'W5', 'W6', 'W7', 'W8', 'W9', 'W10', 'W11', 'W12', 'W13', 'W14', 'W15', 'W16', 'W17', 'W18', 'W19', 'W20', 'W21', 'W22', 'W23', 'W24', 'W25', 'W26', 'W27', 'W28', 'W29', 'W30'} ALL_REGISTER = XREGISTER | WREGISTER + SP = "SP" WSP = "WSP" +ZR = "XZR" +WZR = "WZR" +# Special register name for simple_arm64 that do not setup bitness +# Bitness will depends on others registers in the instruction +ZERO = "ZERO" + +SPECIAL_X31 = set((SP, WSP, ZR, WZR, ZERO)) + # Argument class class Shift(object): """Represent a shift parameter of an instruction. @@ -108,9 +117,11 @@ def __init__(self): self.bitness = self.BITNESS @classmethod - def is_register(self, arg, accept_sp): + def is_register(self, arg, accept_sp=False): arg = arg.upper() - return (accept_sp and (arg in [SP, WSP])) or arg in ALL_REGISTER + return (arg in ALL_REGISTER or + (accept_sp and (arg in [SP, WSP])) or + (not accept_sp and (arg in [ZR, WZR, ZERO]))) @classmethod def is_imm(self, arg): @@ -160,6 +171,15 @@ def setup_bitness(self, bitness): def encode_register(self, register, outsize=5): register = register.upper() + if register in SPECIAL_X31: + if register == ZERO: + pass # Special simple_arm64 value that do not setup bitness + elif register.startswith("W"): + self.setup_bitness(32) + else: + self.setup_bitness(64) + return self.binencode_imm(31, outsize) + assert register in ALL_REGISTER if register in XREGISTER: self.setup_bitness(64) 
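Review bot: `is_register` now has the `accept_sp=False` default but still calls `arg.upper()` before any type check, so a non-string in a register slot — `Mov('X0', 5)`, or `Orr` probing `accept_arg` with `('X0', 'X1', 5)` — raises AttributeError from inside the dispatch rather than the "Cannot encode" ValueError; add `if not isinstance(arg, str): return False` as the first line. `ZERO` is described as an internal pseudo-register yet is accepted from callers through the same `not accept_sp` branch, and `encode_register` deliberately sets no bitness for it, so an instruction whose registers are all `ZERO` (e.g. `Mov('ZERO', 'ZERO')`) leaves `sf` at whatever `setup_bitness` never set; either reject `ZERO` in `is_register` and substitute it only from `Mov`, or check that a bitness was chosen before emitting.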
@@ -449,6 +469,21 @@ class Movk(Instruction): class Orr(Instruction): encoding = [DataProcessingLogicalShiftedRegister.gen(opc=0b01)] + +# Meta Instruction that can dispatch to others Instruction/Encoding based on special case +# Ex: "mov reg1, re2" -> "orr reg1, xzr, reg2" + +class Mov(Instruction): # VirtualInstruction ? + def __new__(self, *args): + argsdict = dict(enumerate(args)) # Like a list but allow arg.get(4) + if (set(argsdict) == {0, 1} and # Only 2 args + InstructionEncoding.is_register(argsdict[0]) and + InstructionEncoding.is_register(argsdict[1])): + return Orr(argsdict[0], ZERO, argsdict[1]) + + raise ValueError("Cannot encode <{0} {1}>:(".format(type(self).__name__, args)) + + class MultipleInstr(object): INSTRUCTION_SIZE = 4 From 5352013a8fa961cda6e682e671c5c3d565d01fc9 Mon Sep 17 00:00:00 2001 From: hakril Date: Mon, 3 Feb 2025 13:36:32 +0100 Subject: [PATCH 32/70] Fix tests/test_simple_arm64.py error when capstone is not installed --- tests/test_simple_arm64.py | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/tests/test_simple_arm64.py b/tests/test_simple_arm64.py index a0c73572..cfc65422 100644 --- a/tests/test_simple_arm64.py +++ b/tests/test_simple_arm64.py @@ -25,8 +25,6 @@ def need_capstone(): def disas(x): return list(disassembleur.disasm(x, 0)) -mnemonic_name_exception = {'movabs': 'mov'} - class CheckInstr(object): def __init__(self, instr_to_test, expected_result=None, immediat_accepted=None, must_fail=None, debug=False): @@ -88,8 +86,7 @@ def dotest(self): def compare_mnemo(self, capres): expected = self.instr_to_test.__name__.lower() - cap_mnemo = mnemonic_name_exception.get(str(capres.mnemonic), str(capres.mnemonic)) - if expected != cap_mnemo: + if expected != capres.mnemonic: raise AssertionError("Expected menmo {0} got {1}".format(expected, str(capres.mnemonic))) return True 
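Review bot: In `Mov.__new__`, the first parameter is the class itself, so `type(self).__name__` in the `ValueError` message names the metaclass rather than `Mov`; use the class directly, conventionally named `cls`: `raise ValueError("Cannot encode <{0} {1}>:(".format(cls.__name__, args))`. `set(argsdict) == {0, 1}` is an indirect spelling of `len(args) == 2`, after which `argsdict` only stands in for `args`. Since `__new__` never returns a `Mov` instance (callers receive an `Orr`), a class docstring should say so explicitly, because `isinstance(x, Mov)` will never hold for the result.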
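Review bot: The new comparison `if expected != capres.mnemonic:` drops the `str()` coercion the removed line applied, while the `raise` on the following line still uses `str(capres.mnemonic)`, so the two are no longer consistent. If capstone ever yields the mnemonic as a non-`str` type (this series still targets older Pythons, see "Fix tests for older python" further down the page), the comparison would fail with a message showing two identical-looking names. Keeping one coerced local avoids that: `cap_mnemo = str(capres.mnemonic)` followed by `if expected != cap_mnemo:`. The enclosing `CheckInstr` class starts outside the hunk; the "menmo" typo in the unchanged message could be fixed in the same pass.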
@@ -128,13 +125,14 @@ def compare_args(self, args, capres): if not (shift.type == "LSL" and shift.value == 0): raise ValueError("Non consomated argument: {0} (probable non-encoded shift)".format(nextarg)) - SHIFT_TYPE_TO_CAPSTONE = { - "LSL": capstone.arm64.ARM64_SFT_LSL, - "LSR": capstone.arm64.ARM64_SFT_LSR, - "ASR": capstone.arm64.ARM64_SFT_ASR, - "ROR": capstone.arm64.ARM64_SFT_ROR, - # "MSL": apstone.arm64.ARM64_SFT_MSL # Not yet used in PFW - } + if capstone: + SHIFT_TYPE_TO_CAPSTONE = { + "LSL": capstone.arm64.ARM64_SFT_LSL, + "LSR": capstone.arm64.ARM64_SFT_LSR, + "ASR": capstone.arm64.ARM64_SFT_ASR, + "ROR": capstone.arm64.ARM64_SFT_ROR, + # "MSL": apstone.arm64.ARM64_SFT_MSL # Not yet used in PFW + } def compare_shift(self, shiftstr, cap_shift): shift = Shift.parse(shiftstr) From b1d2d5719b3fd8fc2cab07f3a482d3d5b0ac6487 Mon Sep 17 00:00:00 2001 From: hakril Date: Mon, 3 Feb 2025 13:47:08 +0100 Subject: [PATCH 33/70] Improve range of arm64 testing --- .github/workflows/tests.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 594ad961..08bc7a99 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -125,5 +125,5 @@ jobs: - name: Testing PFW execute run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -c "import windows; print(windows)" - - name: Testing PFW execute - run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -m pytest tests -k test_print_syswow_state -v -x -s + - name: Arm64 pytests + run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -m pytest tests -k "test_print_syswow_state or teb or peb" -v -x -s From 6ade13d6bba53e3dc9b555beced4f7f9f79c8e01 Mon Sep 17 00:00:00 2001 From: hakril Date: Mon, 3 Feb 2025 13:53:18 +0100 Subject: [PATCH 34/70] Fix pytest commandline --- .github/workflows/tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
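Review bot: Wrapping `SHIFT_TYPE_TO_CAPSTONE` in `if capstone:` means the attribute does not exist on `CheckInstr` at all when capstone is missing, so any path that reaches `compare_shift` (its body lies outside the hunk) would die with an `AttributeError` rather than a clear skip. Giving the else branch an empty mapping keeps the attribute present and the failure explicit: `else:` / `SHIFT_TYPE_TO_CAPSTONE = {}  # no capstone: shift comparison unavailable`. This assumes the import guard earlier in the file binds `capstone` to `None` on ImportError, which is not visible here. The preserved comment also misspells the module as `apstone`.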
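Review bot: The `${{ matrix.python-version}}` and `${{ matrix.python-bitness-to-test}}` expressions on the new `run:` line omit the space before `}}`; GitHub tolerates it, but the conventional `${{ matrix.python-version }}` form is what readers of other workflow files expect. The same spelling recurs in the `tests.yml` hunks of PATCH 34, 43 and 44 further down the page. The line is also long enough that a folded scalar (`run: >-` with the launcher and the pytest arguments on separate lines) would keep it under the usual width without changing the command. The `jobs:` mapping this step belongs to starts outside the hunk.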
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 08bc7a99..4eabc600 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -126,4 +126,4 @@ jobs: run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -c "import windows; print(windows)" - name: Arm64 pytests - run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -m pytest tests -k "test_print_syswow_state or teb or peb" -v -x -s + run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -m pytest tests -k "test_print_syswow_state or teb or peb" -v -s From 2a1217e7b8b99256496d5dcb1008f90b771cc564 Mon Sep 17 00:00:00 2001 From: hakril Date: Tue, 4 Feb 2025 20:00:58 +0100 Subject: [PATCH 35/70] Implem current_thread.teb for ARM64 + recognize ARM64 PE in pe_parse --- windows/pe_parse.py | 5 +++-- windows/winobject/process.py | 14 ++++++-------- 2 files changed, 9 insertions(+), 10 deletions(-) diff --git a/windows/pe_parse.py b/windows/pe_parse.py index b677626c..a19eb748 100644 --- a/windows/pe_parse.py +++ b/windows/pe_parse.py @@ -3,6 +3,7 @@ import windows.hooks as hooks import windows.utils as utils +import windows.generated_def as gdef from windows.generated_def.winstructs import * from windows.utils import transform_ctypes_fields import windows.remotectypes as rctypes @@ -38,9 +39,9 @@ def get_pe_bitness(baseaddr, target): # We can force bitness as the field we access are bitness-independant pe = GetPEFile(baseaddr, target, force_bitness=32) machine = pe.get_NT_HEADER().FileHeader.Machine - if machine == 0x14c: + if machine == gdef.IMAGE_FILE_MACHINE_I386: return 32 - elif machine == 0x8664: + elif machine in (gdef.IMAGE_FILE_MACHINE_AMD64, gdef.IMAGE_FILE_MACHINE_ARM64): return 64 else: raise ValueError("Unknow PE target machine <0x{0:x}>".format(machine)) diff --git a/windows/winobject/process.py b/windows/winobject/process.py index 1d8facde..397fd99b 100644 --- a/windows/winobject/process.py 
+++ b/windows/winobject/process.py @@ -95,9 +95,7 @@ def bitness(self): :returns: :class:`int` -- 32 or 64 """ - if windows.system.bitness == 32: - return 32 - if self.is_wow_64: + if windows.system.bitness == 32 or self.is_wow_64: return 32 return 64 @@ -609,10 +607,10 @@ def set_token(self, token): class CurrentThread(Thread): """The current thread""" - get_teb_code_by_bitness = { - 32: x86.assemble("mov eax, fs:[0x18]; ret"), - 64: x64.assemble("mov rax, gs:[0x30]; ret") - + get_teb_code_by_architecture = { + gdef.IMAGE_FILE_MACHINE_I386: x86.assemble("mov eax, fs:[0x18]; ret"), + gdef.IMAGE_FILE_MACHINE_AMD64: x64.assemble("mov rax, gs:[0x30]; ret"), + gdef.IMAGE_FILE_MACHINE_ARM64: x64.assemble("mov x0, x18; ret") } @property #It's not a fixedproperty because executing thread might change @@ -625,7 +623,7 @@ def tid(self): @property #It's not a fixedproperty because executing thread might change def teb_base(self): - get_teb_base_code = self.get_teb_code_by_bitness[self.owner.bitness] + get_teb_base_code = self.get_teb_code_by_architecture[self.owner.architecture] return self.owner.execute(get_teb_base_code) @property From 6a54bca39a606e5f9606fd61c53db886b4fb03b1 Mon Sep 17 00:00:00 2001 From: hakril Date: Tue, 4 Feb 2025 20:02:43 +0100 Subject: [PATCH 36/70] Fix process.py simple_arm64 import --- windows/winobject/process.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/winobject/process.py b/windows/winobject/process.py index 397fd99b..9e3f719c 100644 --- a/windows/winobject/process.py +++ b/windows/winobject/process.py @@ -12,6 +12,7 @@ import windows import windows.native_exec.simple_x86 as x86 import windows.native_exec.simple_x64 as x64 +import windows.native_exec.simple_arm64 as arm64 import windows.remotectypes as rctypes import windows.generated_def as gdef 
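Review bot: The new `get_teb_code_by_architecture` table encodes three ABI facts without naming them: `fs:[0x18]` and `gs:[0x30]` read `NT_TIB.Self` on x86 and x64, and on Windows ARM64 the `x18` register is reserved as the TEB pointer. A one-line comment per entry, e.g. `# ARM64: x18 is the platform-reserved TEB register` on the ARM64 line, would spare the next reader a trip to the ABI documentation. The `CurrentThread` class and its `teb_base` consumer are split across this hunk and the next.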
@@ -610,7 +611,7 @@ class CurrentThread(Thread): get_teb_code_by_architecture = { gdef.IMAGE_FILE_MACHINE_I386: x86.assemble("mov eax, fs:[0x18]; ret"), gdef.IMAGE_FILE_MACHINE_AMD64: x64.assemble("mov rax, gs:[0x30]; ret"), - gdef.IMAGE_FILE_MACHINE_ARM64: x64.assemble("mov x0, x18; ret") + gdef.IMAGE_FILE_MACHINE_ARM64: arm64.assemble("mov x0, x18; ret") } @property #It's not a fixedproperty because executing thread might change From 013c35bf40f8e554b3474481e275366a7ce11c22 Mon Sep 17 00:00:00 2001 From: hakril Date: Wed, 5 Feb 2025 22:05:58 +0100 Subject: [PATCH 37/70] Improve sample\find_value.py to search in Enums --- samples/find_value.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/samples/find_value.py b/samples/find_value.py index 6e09bfad..e7f2d401 100644 --- a/samples/find_value.py +++ b/samples/find_value.py @@ -18,6 +18,11 @@ def search_name_in_enum(target): for name, enum in meta.enums_walker(): if match(target, name): print(name, enum) + if not issubclass(enum, gdef.EnumType): + continue + for enumvalue in enum.values: + if match(target, enumvalue.name): + print("Enum <{0!r}>".format(enumvalue)) def search_name_in_struct(target): for name, struct in meta.structs_walker(): @@ -78,6 +83,13 @@ def search_value(target): if target == windef: print(repr(windef)) + for name, enum in meta.enums_walker(): + if not issubclass(enum, gdef.EnumType): + continue + for enumvalue in enum.values: + if target == enumvalue: + print("Enum <{0!r}>".format(enumvalue)) + parser = argparse.ArgumentParser(prog=__file__) parser.add_argument('target', help='The name or value to research in PythonForWindows generated definition') res = parser.parse_args() From d7ff43a8296f48b21428bfd514d5f05edf72fcb5 Mon Sep 17 00:00:00 2001 
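Review bot: Both hunks repeat the same walk — `meta.enums_walker()`, skip classes that are not `gdef.EnumType` subclasses, iterate `enum.values` — once in `search_name_in_enum` and once in `search_value`, differing only in the predicate applied to `enumvalue`. A small generator removes the duplication and gives the `issubclass` filter a single place to be explained. The enclosing functions' signatures appear only as hunk-header context.
```python
def iter_enum_values():
    # Only EnumType subclasses expose .values; other entries from enums_walker() are skipped
    for name, enum in meta.enums_walker():
        if not issubclass(enum, gdef.EnumType):
            continue
        for enumvalue in enum.values:
            yield enumvalue

# … unchanged: search_name_in_enum / search_value bodies up to the enum walk …
    for enumvalue in iter_enum_values():
        if match(target, enumvalue.name):
            print("Enum <{0!r}>".format(enumvalue))
```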
From: hakril Date: Wed, 5 Feb 2025 22:09:02 +0100 Subject: [PATCH 38/70] Working on expliciting limitation of x86-on-arm64 NotImplementedError --- windows/winobject/process.py | 34 +++++++++++++++++++++++++++------- 1 file changed, 27 insertions(+), 7 deletions(-) diff --git a/windows/winobject/process.py b/windows/winobject/process.py index 9e3f719c..be48b84f 100644 --- a/windows/winobject/process.py +++ b/windows/winobject/process.py @@ -122,6 +122,25 @@ def architecture(self): return gdef.IMAGE_FILE_MACHINE_I386 return gdef.IMAGE_FILE_MACHINE_AMD64 + @utils.fixedproperty + def _is_x86_on_arm64(self): + return (windows.system.architecture == gdef.PROCESSOR_ARCHITECTURE_ARM64 and + self.architecture == gdef.IMAGE_FILE_MACHINE_I386) + + @utils.fixedproperty + def _is_x86_on_x64(self): + return (windows.system.architecture == gdef.PROCESSOR_ARCHITECTURE_AMD64 and + self.architecture == gdef.IMAGE_FILE_MACHINE_I386) + + @utils.fixedproperty + def _is_native_architecture(self): + return ((windows.system.architecture == gdef.PROCESSOR_ARCHITECTURE_INTEL and + self.architecture == gdef.IMAGE_FILE_MACHINE_I386) or + (windows.system.architecture == gdef.PROCESSOR_ARCHITECTURE_AMD64 and + self.architecture == gdef.IMAGE_FILE_MACHINE_AMD64) or + (windows.system.architecture == gdef.PROCESSOR_ARCHITECTURE_ARM64 and + self.architecture == gdef.IMAGE_FILE_MACHINE_ARM64)) + @utils.fixedpropety def limited_handle(self): if windows.system.version[0] <= 5: 
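Review bot: `_is_native_architecture` spells the host-architecture/PE-machine pairing out as three `and`/`or` clauses, and `_is_x86_on_arm64` and `_is_x86_on_x64` are built from the same pairs; a single lookup table keeps the three predicates consistent and leaves one place to extend when another architecture appears. `_is_x86_on_x64` has no caller in any hunk on this page; if nothing else uses it, it is dead code. The enclosing class starts outside the hunk.
```python
    # Host architecture -> PE machine type of a process running natively (no WoW64, no emulation)
    _NATIVE_MACHINE_FOR_SYSTEM_ARCH = {
        gdef.PROCESSOR_ARCHITECTURE_INTEL: gdef.IMAGE_FILE_MACHINE_I386,
        gdef.PROCESSOR_ARCHITECTURE_AMD64: gdef.IMAGE_FILE_MACHINE_AMD64,
        gdef.PROCESSOR_ARCHITECTURE_ARM64: gdef.IMAGE_FILE_MACHINE_ARM64,
    }

    # … unchanged: _is_x86_on_arm64 / _is_x86_on_x64 …

    @utils.fixedproperty
    def _is_native_architecture(self):
        native = self._NATIVE_MACHINE_FOR_SYSTEM_ARCH.get(windows.system.architecture)
        return native is not None and native == self.architecture
```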
@@ -1186,26 +1205,27 @@ def execute_python_unsafe(self, pycode): @utils.fixedproperty def peb_addr(self): - """The address of the PEB + """The address of the PEB. :type: :class:`int` """ - if windows.current_process.bitness == 32 and self.bitness == 64: + if windows.current_process._is_x86_on_arm64 and not self.bitness == 32: + raise NotImplementedError("Crossing heaven gate x86 -> arm64 not implemented") + + if windows.current_process.bitness == 32 and self.bitness == 64: # Intel to Intel x = windows.remotectypes.transform_type_to_remote64bits(PROCESS_BASIC_INFORMATION) # Fuck-it <3 data = (ctypes.c_char * ctypes.sizeof(x))() - windows.syswow64.NtQueryInformationProcess_32_to_64(self.handle, ProcessInformation=data, ProcessInformationLength=ctypes.sizeof(x)) + windows.syswow64.NtQueryInformationProcess_32_to_64(self.handle, gdef.ProcessBasicInformation, ProcessInformation=data) peb_offset = x.PebBaseAddress.offset peb_addr = struct.unpack(" Date: Wed, 5 Feb 2025 22:24:40 +0100 Subject: [PATCH 39/70] More raise NotImplementedError on x86 -> arm64 heaven gate --- windows/winobject/process.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/winobject/process.py b/windows/winobject/process.py index be48b84f..24075d85 100644 --- a/windows/winobject/process.py +++ b/windows/winobject/process.py @@ -925,6 +925,9 @@ def _get_principal_teb_addr(self): # - Want the TEB of a 64b process # - Want the TEB64 of a Wowprocess # It's the same code for both + if windows.current_process._is_x86_on_arm64 and not self.bitness == 32: + raise NotImplementedError("Crossing heaven gate x86 -> arm64 not implemented") + if windows.current_process.is_wow_64: restype = rctypes.transform_type_to_remote64bits(THREAD_BASIC_INFORMATION) ressize = (ctypes.sizeof(restype)) From 017867d79db2b453f4bd9073cc9ef2aee4481884 Mon Sep 17 00:00:00 2001 
From: hakril Date: Wed, 5 Feb 2025 22:30:51 +0100 Subject: [PATCH 40/70] Fox typo --- windows/winobject/process.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/winobject/process.py b/windows/winobject/process.py index 24075d85..830531b1 100644 --- a/windows/winobject/process.py +++ b/windows/winobject/process.py @@ -925,7 +925,7 @@ def _get_principal_teb_addr(self): # - Want the TEB of a 64b process # - Want the TEB64 of a Wowprocess # It's the same code for both - if windows.current_process._is_x86_on_arm64 and not self.bitness == 32: + if windows.current_process._is_x86_on_arm64 and not self.owner.bitness == 32: raise NotImplementedError("Crossing heaven gate x86 -> arm64 not implemented") if windows.current_process.is_wow_64: From d094fb8209c5aae1a5fcc6f6f908dc653fef13de Mon Sep 17 00:00:00 2001 From: hakril Date: Wed, 5 Feb 2025 22:40:12 +0100 Subject: [PATCH 41/70] More limitation identification for x86 on arm64 heaven gate --- windows/winobject/process.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/windows/winobject/process.py b/windows/winobject/process.py index 830531b1..fd5e2627 100644 --- a/windows/winobject/process.py +++ b/windows/winobject/process.py @@ -780,6 +780,8 @@ def peb_syswow(self): """ if not self.is_wow_64: raise ValueError("Not a syswow process") + if windows.current_process._is_x86_on_arm64: + raise NotImplementedError("Crossing heaven gate x86 -> arm64 not implemented") return windows.syswow64.get_current_process_syswow_peb() # TODO: use ctypes.string_at / ctypes.wstring_at for read_string / read_wstring ? @@ -1252,6 +1254,10 @@ def peb(self): def peb_syswow_addr(self): if not self.is_wow_64: raise ValueError("Not a syswow process") + + if windows.current_process._is_x86_on_arm64: + raise NotImplementedError("Crossing heaven gate x86 -> arm64 not implemented") + if windows.current_process.bitness == 64: information_type = 0 x = PROCESS_BASIC_INFORMATION() 
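Review bot: The `NotImplementedError("Crossing heaven gate x86 -> arm64 not implemented")` guard added to `peb_syswow` and `peb_syswow_addr` here is the third and fourth copy of the same two lines on this page (`peb_addr` in PATCH 38, `_get_principal_teb_addr` in PATCH 39), and the condition already differs between copies (`peb_addr` additionally tests `self.bitness`). A module-level helper, `def _check_x86_on_arm64_heaven_gate():` that raises when `windows.current_process._is_x86_on_arm64` holds, would keep message and condition in one place and give the limitation a docstring describing what is not supported. Both enclosing properties start outside their hunks.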
From 54b518ca5f1261fa2bfbf5aeab98f3060438298c Mon Sep 17 00:00:00 2001 From: hakril Date: Wed, 5 Feb 2025 22:52:06 +0100 Subject: [PATCH 42/70] More x86->arm64 limitation exploration --- windows/winobject/process.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/winobject/process.py b/windows/winobject/process.py index fd5e2627..688ca695 100644 --- a/windows/winobject/process.py +++ b/windows/winobject/process.py @@ -927,7 +927,7 @@ def _get_principal_teb_addr(self): # - Want the TEB of a 64b process # - Want the TEB64 of a Wowprocess # It's the same code for both - if windows.current_process._is_x86_on_arm64 and not self.owner.bitness == 32: + if windows.current_process._is_x86_on_arm64: raise NotImplementedError("Crossing heaven gate x86 -> arm64 not implemented") if windows.current_process.is_wow_64: @@ -1034,8 +1034,6 @@ def _get_thread_id_by_api(handle): @staticmethod def _get_thread_id_manual(handle): - if windows.current_process.bitness == 32 and self.owner.bitness == 64: - raise NotImplementedError("[_get_thread_id_manual] 32 -> 64 (XP64 bits + Syswow process ?)") res = THREAD_BASIC_INFORMATION() windows.winproxy.NtQueryInformationThread(handle, ThreadBasicInformation, byref(res), ctypes.sizeof(res)) id2 = res.ClientId.UniqueThread From 5c25e333e62f057117529881d43b5c876adabd6d Mon Sep 17 00:00:00 2001 From: hakril Date: Wed, 5 Feb 2025 22:57:18 +0100 Subject: [PATCH 43/70] Full test suite on arm64 for the lol --- .github/workflows/tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 4eabc600..0cb761d9 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml 
@@ -126,4 +126,4 @@ jobs: run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -c "import windows; print(windows)" - name: Arm64 pytests - run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -m pytest tests -k "test_print_syswow_state or teb or peb" -v -s + run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -m pytest tests -v -s From 75f112118204f40a98b62eba95ec2bf804092396 Mon Sep 17 00:00:00 2001 From: hakril Date: Wed, 5 Feb 2025 23:14:41 +0100 Subject: [PATCH 44/70] more arm64 CI tests --- .github/workflows/tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 0cb761d9..d70bec4c 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -126,4 +126,4 @@ jobs: run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -c "import windows; print(windows)" - name: Arm64 pytests - run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -m pytest tests -v -s + run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -m pytest tests -k "not test_debugger" -v -s From 4113d8ad3f74a7f68bd71b3593c8110890ac7f0d Mon Sep 17 00:00:00 2001 From: hakril Date: Thu, 6 Feb 2025 21:02:46 +0100 Subject: [PATCH 45/70] Reactivate full intel. Check we broke nothing --- .github/workflows/tests.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index d70bec4c..9cf2cf4b 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -23,8 +23,6 @@ jobs: - name: Check generated code can execute run: py -c "import windows.generated_def" tests: - # Not a real dependency : but starting tests when ctypes generation is broken is not useful - if: false # Disable during ARM64 CI tests strategy: fail-fast: false matrix: From 13f2993cf131346701d618d641fba810f069ffc8 Mon Sep 17 00:00:00 2001 
From: hakril Date: Thu, 6 Feb 2025 21:59:44 +0100 Subject: [PATCH 46/70] Fix tests for older python --- tests/test_syswow.py | 20 ++++++++++---------- windows/native_exec/simple_arm64.py | 1 + 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/tests/test_syswow.py b/tests/test_syswow.py index 248c3833..5d214d87 100644 --- a/tests/test_syswow.py +++ b/tests/test_syswow.py @@ -14,22 +14,22 @@ def test_print_syswow_state(): import platform print("") env = windows.system.environ - print(f"{platform.machine()=}") - print(f"{platform.architecture()=}") - print(f"{windows.system.bitness=}") - print(f"{windows.system.architecture=}") - print(f"{windows.current_process.bitness=}") - print(f"{windows.current_process.architecture=}") - print(f"{env['PROCESSOR_ARCHITECTURE']=}") - print(f"{env.get('PROCESSOR_ARCHITEW6432')=}") + print("platform.machine()={0}".format(platform.machine())) + print("platform.architecture()={0}".format(platform.architecture())) + print("windows.system.bitness={0}".format(windows.system.bitness)) + print("windows.system.architecture={0}".format(windows.system.architecture)) + print("windows.current_process.bitness={0}".format(windows.current_process.bitness)) + print("windows.current_process.architecture={0}".format(windows.current_process.architecture)) + print("env['PROCESSOR_ARCHITECTURE']={0}".format(env['PROCESSOR_ARCHITECTURE'])) + print("env.get('PROCESSOR_ARCHITEW6432')={0}".format(env.get('PROCESSOR_ARCHITEW6432'))) print("") print("IsWow64Process2") processMachine = gdef.USHORT() nativeMachine = gdef.USHORT() windows.winproxy.IsWow64Process2(windows.current_process.handle, processMachine, nativeMachine) - print(f"{hex(processMachine.value)=}") - print(f"{hex(nativeMachine.value)=}") + print("hex(processMachine.value)={0}".format(hex(processMachine.value))) + print("hex(nativeMachine.value)={0}".format(hex(nativeMachine.value))) @process_syswow_only 
diff --git a/windows/native_exec/simple_arm64.py b/windows/native_exec/simple_arm64.py index 6ecfc4d8..d7674732 100644 --- a/windows/native_exec/simple_arm64.py +++ b/windows/native_exec/simple_arm64.py @@ -1,3 +1,4 @@ +# -*- coding: utf-8 -*- import sys import collections import struct From 26b42a05875d4cb251dbf7cd087961f6cc72d683 Mon Sep 17 00:00:00 2001 From: hakril Date: Thu, 6 Feb 2025 22:53:42 +0100 Subject: [PATCH 47/70] Adding ctypes_generation for PROC_THREAD_ATTRIBUTE_X --- .../defines/proc_thread_attributes.txt | 79 +++++++++++++++++++ .../definitions/defines/template.py | 16 ++++ .../structures/proc_thread_attributes.txt | 24 ++++++ docs/source/windef_generated.rst | 46 +++++++++++ docs/source/winstructs_generated.rst | 75 ++++++++++++++++++ tests/test_generated_def.py | 3 + windows/generated_def/meta.py | 48 +++++++++++ windows/generated_def/windef.py | 62 +++++++++++++++ windows/generated_def/winstructs.py | 28 +++++++ windows/winproxy/apis/kernel32.py | 3 +- 10 files changed, 383 insertions(+), 1 deletion(-) create mode 100644 ctypes_generation/definitions/defines/proc_thread_attributes.txt create mode 100644 ctypes_generation/definitions/structures/proc_thread_attributes.txt diff --git a/ctypes_generation/definitions/defines/proc_thread_attributes.txt b/ctypes_generation/definitions/defines/proc_thread_attributes.txt new file mode 100644 index 00000000..015aebe9 --- /dev/null +++ b/ctypes_generation/definitions/defines/proc_thread_attributes.txt 
@@ -0,0 +1,79 @@ +// We have a rare case of defines that depends on an enum +// Which is PROC_THREAD_ATTRIBUTE_NUM +// So i Will just define a copy of those as define here +// Define version copied from: https://github.com/winsiderss/systeminformer/blob/master/phnt/include/ntpsapi.h#L2666 +// Thx to them, as always :) + +#define ProcThreadAttributeParentProcess 0 // in HANDLE +#define ProcThreadAttributeExtendedFlags 1 // in ULONG (EXTENDED_PROCESS_CREATION_FLAG_*) +#define ProcThreadAttributeHandleList 2 // in HANDLE[] +#define ProcThreadAttributeGroupAffinity 3 // in GROUP_AFFINITY // since WIN7 +#define ProcThreadAttributePreferredNode 4 // in USHORT +#define ProcThreadAttributeIdealProcessor 5 // in PROCESSOR_NUMBER +#define ProcThreadAttributeUmsThread 6 // in UMS_CREATE_THREAD_ATTRIBUTES +#define ProcThreadAttributeMitigationPolicy 7 // in ULONG, ULONG64, or ULONG64[2] +#define ProcThreadAttributePackageFullName 8 // in WCHAR[] // since WIN8 +#define ProcThreadAttributeSecurityCapabilities 9 // in SECURITY_CAPABILITIES +#define ProcThreadAttributeConsoleReference 10 // BaseGetConsoleReference (kernelbase.dll) +#define ProcThreadAttributeProtectionLevel 11 // in ULONG (PROTECTION_LEVEL_*) // since WINBLUE +#define ProcThreadAttributeOsMaxVersionTested 12 // in MAXVERSIONTESTED_INFO // since THRESHOLD // (from exe.manifest) +#define ProcThreadAttributeJobList 13 // in HANDLE[] +#define ProcThreadAttributeChildProcessPolicy 14 // in ULONG (PROCESS_CREATION_CHILD_PROCESS_*) // since THRESHOLD2 +#define ProcThreadAttributeAllApplicationPackagesPolicy 15 // in ULONG (PROCESS_CREATION_ALL_APPLICATION_PACKAGES_*) // since REDSTONE +#define ProcThreadAttributeWin32kFilter 16 // in WIN32K_SYSCALL_FILTER +#define ProcThreadAttributeSafeOpenPromptOriginClaim 17 // in SE_SAFE_OPEN_PROMPT_RESULTS +#define ProcThreadAttributeDesktopAppPolicy 18 // in ULONG (PROCESS_CREATION_DESKTOP_APP_*) // since RS2 +#define ProcThreadAttributeBnoIsolation 19 // in 
PROC_THREAD_BNOISOLATION_ATTRIBUTE +#define ProcThreadAttributePseudoConsole 22 // in HANDLE (HPCON) // since RS5 +#define ProcThreadAttributeIsolationManifest 23 // in ISOLATION_MANIFEST_PROPERTIES // rev (diversenok) // since 19H2+ +#define ProcThreadAttributeMitigationAuditPolicy 24 // in ULONG, ULONG64, or ULONG64[2] // since 21H1 +#define ProcThreadAttributeMachineType 25 // in USHORT // since 21H2 +#define ProcThreadAttributeComponentFilter 26 // in ULONG +#define ProcThreadAttributeEnableOptionalXStateFeatures 27 // in ULONG64 // since WIN11 +#define ProcThreadAttributeCreateStore 28 // ULONG // rev (diversenok) +#define ProcThreadAttributeTrustedApp 29 +#define ProcThreadAttributeSveVectorLength 30 + +// Real definition of value usef by API +// 
From: https://github.com/microsoft/win32metadata/blob/6af96d8470751e13a4e3f579f84b7b8b3ca398e1/generation/WinSDK/RecompiledIdlHeaders/um/WinBase.h#L3568 +// macro ProcThreadAttributeValue is recoded in python in template.py +// I replace TRUE by True && FALSE by False for native python compat :) + +#define PROC_THREAD_ATTRIBUTE_NUMBER 0x0000FFFF +#define PROC_THREAD_ATTRIBUTE_THREAD 0x00010000 // Attribute may be used with thread creation +#define PROC_THREAD_ATTRIBUTE_INPUT 0x00020000 // Attribute is input only +#define PROC_THREAD_ATTRIBUTE_ADDITIVE 0x00040000 // Attribute may be "accumulated," e.g. bitmasks, + +#define PROC_THREAD_ATTRIBUTE_PARENT_PROCESS \ + ProcThreadAttributeValue (ProcThreadAttributeParentProcess, False, True, False) +#define PROC_THREAD_ATTRIBUTE_HANDLE_LIST \ + ProcThreadAttributeValue (ProcThreadAttributeHandleList, False, True, False) + +#define PROC_THREAD_ATTRIBUTE_GROUP_AFFINITY \ + ProcThreadAttributeValue (ProcThreadAttributeGroupAffinity, True, True, False) +#define PROC_THREAD_ATTRIBUTE_PREFERRED_NODE \ + ProcThreadAttributeValue (ProcThreadAttributePreferredNode, False, True, False) +#define PROC_THREAD_ATTRIBUTE_IDEAL_PROCESSOR \ + ProcThreadAttributeValue (ProcThreadAttributeIdealProcessor, True, True, False) +#define PROC_THREAD_ATTRIBUTE_UMS_THREAD \ + ProcThreadAttributeValue (ProcThreadAttributeUmsThread, True, True, False) +#define PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY \ + ProcThreadAttributeValue (ProcThreadAttributeMitigationPolicy, False, True, False) + +#define PROC_THREAD_ATTRIBUTE_SECURITY_CAPABILITIES \ + ProcThreadAttributeValue (ProcThreadAttributeSecurityCapabilities, False, True, False) + +#define PROC_THREAD_ATTRIBUTE_PROTECTION_LEVEL \ + ProcThreadAttributeValue (ProcThreadAttributeProtectionLevel, False, True, False) + +#define PROC_THREAD_ATTRIBUTE_PSEUDOCONSOLE \ + ProcThreadAttributeValue (ProcThreadAttributePseudoConsole, False, True, False) + +#define PROC_THREAD_ATTRIBUTE_MACHINE_TYPE \ + 
ProcThreadAttributeValue (ProcThreadAttributeMachineType, False, True, False) + +#define PROC_THREAD_ATTRIBUTE_ENABLE_OPTIONAL_XSTATE_FEATURES \ + ProcThreadAttributeValue (ProcThreadAttributeEnableOptionalXStateFeatures, True, True, False) + +#define PROC_THREAD_ATTRIBUTE_SVE_VECTOR_LENGTH \ + ProcThreadAttributeValue (ProcThreadAttributeSveVectorLength, False, True, False) \ No newline at end of file diff --git a/ctypes_generation/definitions/defines/template.py b/ctypes_generation/definitions/defines/template.py index 182bddf6..e17e2c7f 100644 --- a/ctypes_generation/definitions/defines/template.py +++ b/ctypes_generation/definitions/defines/template.py @@ -24,3 +24,19 @@ def CTL_CODE(DeviceType, Function, Method, Access): def HRESULT_FACILITY(hr): return (((hr) >> 16) & 0x1fff) + +# https://github.com/microsoft/win32metadata/blob/6af96d8470751e13a4e3f579f84b7b8b3ca398e1/generation/WinSDK/RecompiledIdlHeaders/um/WinBase.h#L3562 +# Original MACRO: + +#define ProcThreadAttributeValue(Number, Thread, Input, Additive) \ +# (((Number) & PROC_THREAD_ATTRIBUTE_NUMBER) | \ +# ((Thread != FALSE) ? PROC_THREAD_ATTRIBUTE_THREAD : 0) | \ +# ((Input != FALSE) ? PROC_THREAD_ATTRIBUTE_INPUT : 0) | \ +# ((Additive != FALSE) ? PROC_THREAD_ATTRIBUTE_ADDITIVE : 0)) + +def ProcThreadAttributeValue(Number, Thread, Input, Additive): + return ((Number & PROC_THREAD_ATTRIBUTE_NUMBER) | + (Thread and PROC_THREAD_ATTRIBUTE_THREAD) | + (Input and PROC_THREAD_ATTRIBUTE_INPUT) | + (Additive and PROC_THREAD_ATTRIBUTE_ADDITIVE)) + diff --git a/ctypes_generation/definitions/structures/proc_thread_attributes.txt b/ctypes_generation/definitions/structures/proc_thread_attributes.txt new file mode 100644 index 00000000..f5714936 --- /dev/null +++ b/ctypes_generation/definitions/structures/proc_thread_attributes.txt 
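Review bot: The header comment says these defines are a copy of the `PROC_THREAD_ATTRIBUTE_NUM` enum, but this list and the enum added in `structures/proc_thread_attributes.txt` (next file in this commit) disagree: `ProcThreadAttributeExtendedFlags` (1), `ProcThreadAttributePackageFullName` (8), `ProcThreadAttributeConsoleReference` (10), `ProcThreadAttributeOsMaxVersionTested` (12), `ProcThreadAttributeBnoIsolation` (19), `ProcThreadAttributeIsolationManifest` (23) and `ProcThreadAttributeCreateStore` (28) exist only as defines. Either trim this file to the enum or extend the enum, and record which side is authoritative, e.g. `// Must stay in sync with PROC_THREAD_ATTRIBUTE_NUM in structures/proc_thread_attributes.txt`. The comment `Real definition of value usef by API` should read `used`.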
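Review bot: In `ProcThreadAttributeValue`, `(Thread and PROC_THREAD_ATTRIBUTE_THREAD)` evaluates to `Thread` itself when it is falsy, so the expression relies on callers passing `False`/`0`; a `None` argument would raise `TypeError` on the `|`. The conditional form mirrors the original macro's `!= FALSE` test and is type-safe: `(PROC_THREAD_ATTRIBUTE_THREAD if Thread else 0) |`, and likewise for `Input` and `Additive`. The defines in this commit only pass `True`/`False`, so this is a robustness point rather than an observed failure.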
@@ -0,0 +1,24 @@ +typedef enum _PROC_THREAD_ATTRIBUTE_NUM { + ProcThreadAttributeParentProcess = 0, + ProcThreadAttributeHandleList = 2, + ProcThreadAttributeGroupAffinity = 3, + ProcThreadAttributePreferredNode = 4, + ProcThreadAttributeIdealProcessor = 5, + ProcThreadAttributeUmsThread = 6, + ProcThreadAttributeMitigationPolicy = 7, + ProcThreadAttributeSecurityCapabilities = 9, + ProcThreadAttributeProtectionLevel = 11, + ProcThreadAttributeJobList = 13, + ProcThreadAttributeChildProcessPolicy = 14, + ProcThreadAttributeAllApplicationPackagesPolicy = 15, + ProcThreadAttributeWin32kFilter = 16, + ProcThreadAttributeSafeOpenPromptOriginClaim = 17, + ProcThreadAttributeDesktopAppPolicy = 18, + ProcThreadAttributePseudoConsole = 22, + ProcThreadAttributeMitigationAuditPolicy = 24, + ProcThreadAttributeMachineType = 25, + ProcThreadAttributeComponentFilter = 26, + ProcThreadAttributeEnableOptionalXStateFeatures = 27, + ProcThreadAttributeTrustedApp = 29, + ProcThreadAttributeSveVectorLength = 30, +} PROC_THREAD_ATTRIBUTE_NUM; \ No newline at end of file diff --git a/docs/source/windef_generated.rst b/docs/source/windef_generated.rst index 3f211d35..5ef88a57 100644 --- a/docs/source/windef_generated.rst +++ b/docs/source/windef_generated.rst 
@@ -1145,6 +1145,52 @@ WinDef .. autodata:: NMPWAIT_WAIT_FOREVER .. autodata:: NMPWAIT_NOWAIT .. autodata:: NMPWAIT_USE_DEFAULT_WAIT +.. autodata:: ProcThreadAttributeParentProcess +.. autodata:: ProcThreadAttributeExtendedFlags +.. autodata:: ProcThreadAttributeHandleList +.. autodata:: ProcThreadAttributeGroupAffinity +.. autodata:: ProcThreadAttributePreferredNode +.. autodata:: ProcThreadAttributeIdealProcessor +.. autodata:: ProcThreadAttributeUmsThread +.. autodata:: ProcThreadAttributeMitigationPolicy +.. autodata:: ProcThreadAttributePackageFullName +.. autodata:: ProcThreadAttributeSecurityCapabilities +.. autodata:: ProcThreadAttributeConsoleReference +.. autodata:: ProcThreadAttributeProtectionLevel +.. autodata:: ProcThreadAttributeOsMaxVersionTested +.. autodata:: ProcThreadAttributeJobList +.. autodata:: ProcThreadAttributeChildProcessPolicy +.. autodata:: ProcThreadAttributeAllApplicationPackagesPolicy +.. autodata:: ProcThreadAttributeWin32kFilter +.. autodata:: ProcThreadAttributeSafeOpenPromptOriginClaim +.. autodata:: ProcThreadAttributeDesktopAppPolicy +.. autodata:: ProcThreadAttributeBnoIsolation +.. autodata:: ProcThreadAttributePseudoConsole +.. autodata:: ProcThreadAttributeIsolationManifest +.. autodata:: ProcThreadAttributeMitigationAuditPolicy +.. autodata:: ProcThreadAttributeMachineType +.. autodata:: ProcThreadAttributeComponentFilter +.. autodata:: ProcThreadAttributeEnableOptionalXStateFeatures +.. autodata:: ProcThreadAttributeCreateStore +.. autodata:: ProcThreadAttributeTrustedApp +.. autodata:: ProcThreadAttributeSveVectorLength +.. autodata:: PROC_THREAD_ATTRIBUTE_NUMBER +.. autodata:: PROC_THREAD_ATTRIBUTE_THREAD +.. autodata:: PROC_THREAD_ATTRIBUTE_INPUT +.. autodata:: PROC_THREAD_ATTRIBUTE_ADDITIVE +.. autodata:: PROC_THREAD_ATTRIBUTE_PARENT_PROCESS +.. autodata:: PROC_THREAD_ATTRIBUTE_HANDLE_LIST +.. autodata:: PROC_THREAD_ATTRIBUTE_GROUP_AFFINITY +.. autodata:: PROC_THREAD_ATTRIBUTE_PREFERRED_NODE +.. 
autodata:: PROC_THREAD_ATTRIBUTE_IDEAL_PROCESSOR +.. autodata:: PROC_THREAD_ATTRIBUTE_UMS_THREAD +.. autodata:: PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY +.. autodata:: PROC_THREAD_ATTRIBUTE_SECURITY_CAPABILITIES +.. autodata:: PROC_THREAD_ATTRIBUTE_PROTECTION_LEVEL +.. autodata:: PROC_THREAD_ATTRIBUTE_PSEUDOCONSOLE +.. autodata:: PROC_THREAD_ATTRIBUTE_MACHINE_TYPE +.. autodata:: PROC_THREAD_ATTRIBUTE_ENABLE_OPTIONAL_XSTATE_FEATURES +.. autodata:: PROC_THREAD_ATTRIBUTE_SVE_VECTOR_LENGTH .. autodata:: PROCESSOR_INTEL_386 .. autodata:: PROCESSOR_INTEL_486 .. autodata:: PROCESSOR_INTEL_PENTIUM diff --git a/docs/source/winstructs_generated.rst b/docs/source/winstructs_generated.rst index 949233d7..240a2ece 100644 --- a/docs/source/winstructs_generated.rst +++ b/docs/source/winstructs_generated.rst 
@@ -29438,6 +29438,81 @@ _KEY_INFORMATION_CLASS .. attribute:: MaxKeyInfoClass(10) +_PROC_THREAD_ATTRIBUTE_NUM +'''''''''''''''''''''''''' +.. class:: PROC_THREAD_ATTRIBUTE_NUM + + Alias for :class:`_PROC_THREAD_ATTRIBUTE_NUM` + + +.. class:: _PROC_THREAD_ATTRIBUTE_NUM + + + .. attribute:: ProcThreadAttributeParentProcess(0) + + + .. attribute:: ProcThreadAttributeHandleList(2) + + + .. attribute:: ProcThreadAttributeGroupAffinity(3) + + + .. attribute:: ProcThreadAttributePreferredNode(4) + + + .. attribute:: ProcThreadAttributeIdealProcessor(5) + + + .. attribute:: ProcThreadAttributeUmsThread(6) + + + .. attribute:: ProcThreadAttributeMitigationPolicy(7) + + + .. attribute:: ProcThreadAttributeSecurityCapabilities(9) + + + .. attribute:: ProcThreadAttributeProtectionLevel(11) + + + .. attribute:: ProcThreadAttributeJobList(13) + + + .. attribute:: ProcThreadAttributeChildProcessPolicy(14) + + + .. attribute:: ProcThreadAttributeAllApplicationPackagesPolicy(15) + + + .. attribute:: ProcThreadAttributeWin32kFilter(16) + + + .. attribute:: ProcThreadAttributeSafeOpenPromptOriginClaim(17) + + + .. attribute:: ProcThreadAttributeDesktopAppPolicy(18) + + + .. attribute:: ProcThreadAttributePseudoConsole(22) + + + .. attribute:: ProcThreadAttributeMitigationAuditPolicy(24) + + + .. attribute:: ProcThreadAttributeMachineType(25) + + + .. attribute:: ProcThreadAttributeComponentFilter(26) + + + .. attribute:: ProcThreadAttributeEnableOptionalXStateFeatures(27) + + + .. attribute:: ProcThreadAttributeTrustedApp(29) + + + .. attribute:: ProcThreadAttributeSveVectorLength(30) + _MEMORY_INFORMATION_CLASS ''''''''''''''''''''''''' .. class:: MEMORY_INFORMATION_CLASS diff --git a/tests/test_generated_def.py b/tests/test_generated_def.py index b061912f..76efd0d2 100644 --- a/tests/test_generated_def.py +++ b/tests/test_generated_def.py 
@@ -156,6 +156,9 @@ def test_HRESULT_FACILITY_macro(): # RPC_E_INVALID_HEADER(0x80010111) assert gdef.HRESULT_FACILITY(gdef.RPC_E_INVALID_HEADER) == gdef.FACILITY_RPC == 1 +def test_ProcThreadAttributeValue_results(): + assert gdef.PROC_THREAD_ATTRIBUTE_PARENT_PROCESS == 0x20000 + assert gdef.PROC_THREAD_ATTRIBUTE_MACHINE_TYPE == 0x20019 # typedef struct _DnsRecordFlags # { diff --git a/windows/generated_def/meta.py b/windows/generated_def/meta.py index e53ff9a4..9c6cc789 100644 --- a/windows/generated_def/meta.py +++ b/windows/generated_def/meta.py @@ -2481,6 +2481,23 @@ 'PROCESS_VM_OPERATION', 'PROCESS_VM_READ', 'PROCESS_VM_WRITE', +'PROC_THREAD_ATTRIBUTE_ADDITIVE', +'PROC_THREAD_ATTRIBUTE_ENABLE_OPTIONAL_XSTATE_FEATURES', +'PROC_THREAD_ATTRIBUTE_GROUP_AFFINITY', +'PROC_THREAD_ATTRIBUTE_HANDLE_LIST', +'PROC_THREAD_ATTRIBUTE_IDEAL_PROCESSOR', +'PROC_THREAD_ATTRIBUTE_INPUT', +'PROC_THREAD_ATTRIBUTE_MACHINE_TYPE', +'PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY', +'PROC_THREAD_ATTRIBUTE_NUMBER', +'PROC_THREAD_ATTRIBUTE_PARENT_PROCESS', +'PROC_THREAD_ATTRIBUTE_PREFERRED_NODE', +'PROC_THREAD_ATTRIBUTE_PROTECTION_LEVEL', +'PROC_THREAD_ATTRIBUTE_PSEUDOCONSOLE', +'PROC_THREAD_ATTRIBUTE_SECURITY_CAPABILITIES', +'PROC_THREAD_ATTRIBUTE_SVE_VECTOR_LENGTH', +'PROC_THREAD_ATTRIBUTE_THREAD', +'PROC_THREAD_ATTRIBUTE_UMS_THREAD', 'PRODUCT_BUSINESS', 'PRODUCT_BUSINESS_N', 'PRODUCT_CLUSTER_SERVER', 
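Review bot: Both assertions in test_ProcThreadAttributeValue_results pin constants whose only flag is PROC_THREAD_ATTRIBUTE_INPUT, so a translation error in the Thread or Additive branch of ProcThreadAttributeValue would go unnoticed. Adding one Thread=True constant and one direct call covers the other branches, e.g. `assert gdef.PROC_THREAD_ATTRIBUTE_GROUP_AFFINITY == 0x30003` and `assert gdef.ProcThreadAttributeValue(5, True, True, False) == 0x30005` (values derived from the flag definitions in this same patch: number | 0x10000 | 0x20000). The test does not check that a Number above 0xFFFF is masked, which is the one piece of logic the macro has beyond or-ing flags.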
@@ -2590,6 +2607,35 @@ 'PROV_RSA_SIG', 'PROV_SPYRUS_LYNKS', 'PROV_SSL', +'ProcThreadAttributeAllApplicationPackagesPolicy', +'ProcThreadAttributeBnoIsolation', +'ProcThreadAttributeChildProcessPolicy', +'ProcThreadAttributeComponentFilter', +'ProcThreadAttributeConsoleReference', +'ProcThreadAttributeCreateStore', +'ProcThreadAttributeDesktopAppPolicy', +'ProcThreadAttributeEnableOptionalXStateFeatures', +'ProcThreadAttributeExtendedFlags', +'ProcThreadAttributeGroupAffinity', +'ProcThreadAttributeHandleList', +'ProcThreadAttributeIdealProcessor', +'ProcThreadAttributeIsolationManifest', +'ProcThreadAttributeJobList', +'ProcThreadAttributeMachineType', +'ProcThreadAttributeMitigationAuditPolicy', +'ProcThreadAttributeMitigationPolicy', +'ProcThreadAttributeOsMaxVersionTested', +'ProcThreadAttributePackageFullName', +'ProcThreadAttributeParentProcess', +'ProcThreadAttributePreferredNode', +'ProcThreadAttributeProtectionLevel', +'ProcThreadAttributePseudoConsole', +'ProcThreadAttributeSafeOpenPromptOriginClaim', +'ProcThreadAttributeSecurityCapabilities', +'ProcThreadAttributeSveVectorLength', +'ProcThreadAttributeTrustedApp', +'ProcThreadAttributeUmsThread', +'ProcThreadAttributeWin32kFilter', 'READ_CONTROL', 'REALTIME_PRIORITY_CLASS', 'REG_BINARY', @@ -14341,6 +14387,7 @@ 'PROCESSINFOCLASS', 'PROCESS_INFORMATION_CLASS', 'PROCESS_MITIGATION_POLICY', +'PROC_THREAD_ATTRIBUTE_NUM', 'PSECURITY_IMPERSONATION_LEVEL', 'PSID_NAME_USE', 'PTHREAD_INFORMATION_CLASS', @@ -14452,6 +14499,7 @@ '_PROCESSINFOCLASS', '_PROCESS_INFORMATION_CLASS', '_PROCESS_MITIGATION_POLICY', +'_PROC_THREAD_ATTRIBUTE_NUM', '_READ_DIRECTORY_NOTIFY_INFORMATION_CLASS', '_RTL_PATH_TYPE', '_SC_ENUM_TYPE', diff --git a/windows/generated_def/windef.py b/windows/generated_def/windef.py index 2f358dac..d21e344f 100644 --- a/windows/generated_def/windef.py +++ b/windows/generated_def/windef.py 
@@ -24,6 +24,22 @@ def CTL_CODE(DeviceType, Function, Method, Access): def HRESULT_FACILITY(hr): return (((hr) >> 16) & 0x1fff) + +# https://github.com/microsoft/win32metadata/blob/6af96d8470751e13a4e3f579f84b7b8b3ca398e1/generation/WinSDK/RecompiledIdlHeaders/um/WinBase.h#L3562 +# Original MACRO: + +#define ProcThreadAttributeValue(Number, Thread, Input, Additive) \ +# (((Number) & PROC_THREAD_ATTRIBUTE_NUMBER) | \ +# ((Thread != FALSE) ? PROC_THREAD_ATTRIBUTE_THREAD : 0) | \ +# ((Input != FALSE) ? PROC_THREAD_ATTRIBUTE_INPUT : 0) | \ +# ((Additive != FALSE) ? PROC_THREAD_ATTRIBUTE_ADDITIVE : 0)) + +def ProcThreadAttributeValue(Number, Thread, Input, Additive): + return ((Number & PROC_THREAD_ATTRIBUTE_NUMBER) | + (Thread and PROC_THREAD_ATTRIBUTE_THREAD) | + (Input and PROC_THREAD_ATTRIBUTE_INPUT) | + (Additive and PROC_THREAD_ATTRIBUTE_ADDITIVE)) + from .ntstatus import * from .winerror import * BG_JOB_ENUM_ALL_USERS = make_flag("BG_JOB_ENUM_ALL_USERS", 0x0001) 
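Review bot: `(Thread and PROC_THREAD_ATTRIBUTE_THREAD)` evaluates to Thread itself when it is falsy, so the result is only correct because False and 0 behave as integers under `|`; a falsy `None` (or any non-int falsy value) raises TypeError here, whereas the C macro's `!= FALSE` test yields 0 for any false value. A faithful translation is `(PROC_THREAD_ATTRIBUTE_THREAD if Thread else 0) |`, `(PROC_THREAD_ATTRIBUTE_INPUT if Input else 0) |`, `(PROC_THREAD_ATTRIBUTE_ADDITIVE if Additive else 0))`. The function also has no docstring; a one-liner such as `"""Python port of the ProcThreadAttributeValue macro: packs an attribute number with the THREAD/INPUT/ADDITIVE flag bits."""` would help, and it could mention that PROC_THREAD_ATTRIBUTE_NUMBER and the flag constants are defined further down the module, so the function is only usable once the module has finished importing (which appears to be the case for the generated uses later in this patch).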
@@ -1169,6 +1185,52 @@ def HRESULT_FACILITY(hr): NMPWAIT_WAIT_FOREVER = make_flag("NMPWAIT_WAIT_FOREVER", 0xffffffff) NMPWAIT_NOWAIT = make_flag("NMPWAIT_NOWAIT", 0x00000001) NMPWAIT_USE_DEFAULT_WAIT = make_flag("NMPWAIT_USE_DEFAULT_WAIT", 0x00000000) +ProcThreadAttributeParentProcess = make_flag("ProcThreadAttributeParentProcess", 0) +ProcThreadAttributeExtendedFlags = make_flag("ProcThreadAttributeExtendedFlags", 1) +ProcThreadAttributeHandleList = make_flag("ProcThreadAttributeHandleList", 2) +ProcThreadAttributeGroupAffinity = make_flag("ProcThreadAttributeGroupAffinity", 3) +ProcThreadAttributePreferredNode = make_flag("ProcThreadAttributePreferredNode", 4) +ProcThreadAttributeIdealProcessor = make_flag("ProcThreadAttributeIdealProcessor", 5) +ProcThreadAttributeUmsThread = make_flag("ProcThreadAttributeUmsThread", 6) +ProcThreadAttributeMitigationPolicy = make_flag("ProcThreadAttributeMitigationPolicy", 7) +ProcThreadAttributePackageFullName = make_flag("ProcThreadAttributePackageFullName", 8) +ProcThreadAttributeSecurityCapabilities = make_flag("ProcThreadAttributeSecurityCapabilities", 9) +ProcThreadAttributeConsoleReference = make_flag("ProcThreadAttributeConsoleReference", 10) +ProcThreadAttributeProtectionLevel = make_flag("ProcThreadAttributeProtectionLevel", 11) +ProcThreadAttributeOsMaxVersionTested = make_flag("ProcThreadAttributeOsMaxVersionTested", 12) +ProcThreadAttributeJobList = make_flag("ProcThreadAttributeJobList", 13) +ProcThreadAttributeChildProcessPolicy = make_flag("ProcThreadAttributeChildProcessPolicy", 14) +ProcThreadAttributeAllApplicationPackagesPolicy = make_flag("ProcThreadAttributeAllApplicationPackagesPolicy", 15) +ProcThreadAttributeWin32kFilter = make_flag("ProcThreadAttributeWin32kFilter", 16) +ProcThreadAttributeSafeOpenPromptOriginClaim = make_flag("ProcThreadAttributeSafeOpenPromptOriginClaim", 17) +ProcThreadAttributeDesktopAppPolicy = make_flag("ProcThreadAttributeDesktopAppPolicy", 18) +ProcThreadAttributeBnoIsolation = 
make_flag("ProcThreadAttributeBnoIsolation", 19) +ProcThreadAttributePseudoConsole = make_flag("ProcThreadAttributePseudoConsole", 22) +ProcThreadAttributeIsolationManifest = make_flag("ProcThreadAttributeIsolationManifest", 23) +ProcThreadAttributeMitigationAuditPolicy = make_flag("ProcThreadAttributeMitigationAuditPolicy", 24) +ProcThreadAttributeMachineType = make_flag("ProcThreadAttributeMachineType", 25) +ProcThreadAttributeComponentFilter = make_flag("ProcThreadAttributeComponentFilter", 26) +ProcThreadAttributeEnableOptionalXStateFeatures = make_flag("ProcThreadAttributeEnableOptionalXStateFeatures", 27) +ProcThreadAttributeCreateStore = make_flag("ProcThreadAttributeCreateStore", 28) +ProcThreadAttributeTrustedApp = make_flag("ProcThreadAttributeTrustedApp", 29) +ProcThreadAttributeSveVectorLength = make_flag("ProcThreadAttributeSveVectorLength", 30) +PROC_THREAD_ATTRIBUTE_NUMBER = make_flag("PROC_THREAD_ATTRIBUTE_NUMBER", 0x0000FFFF) +PROC_THREAD_ATTRIBUTE_THREAD = make_flag("PROC_THREAD_ATTRIBUTE_THREAD", 0x00010000) +PROC_THREAD_ATTRIBUTE_INPUT = make_flag("PROC_THREAD_ATTRIBUTE_INPUT", 0x00020000) +PROC_THREAD_ATTRIBUTE_ADDITIVE = make_flag("PROC_THREAD_ATTRIBUTE_ADDITIVE", 0x00040000) +PROC_THREAD_ATTRIBUTE_PARENT_PROCESS = make_flag("PROC_THREAD_ATTRIBUTE_PARENT_PROCESS", ProcThreadAttributeValue ( ProcThreadAttributeParentProcess , False , True , False )) +PROC_THREAD_ATTRIBUTE_HANDLE_LIST = make_flag("PROC_THREAD_ATTRIBUTE_HANDLE_LIST", ProcThreadAttributeValue ( ProcThreadAttributeHandleList , False , True , False )) +PROC_THREAD_ATTRIBUTE_GROUP_AFFINITY = make_flag("PROC_THREAD_ATTRIBUTE_GROUP_AFFINITY", ProcThreadAttributeValue ( ProcThreadAttributeGroupAffinity , True , True , False )) +PROC_THREAD_ATTRIBUTE_PREFERRED_NODE = make_flag("PROC_THREAD_ATTRIBUTE_PREFERRED_NODE", ProcThreadAttributeValue ( ProcThreadAttributePreferredNode , False , True , False )) +PROC_THREAD_ATTRIBUTE_IDEAL_PROCESSOR = 
make_flag("PROC_THREAD_ATTRIBUTE_IDEAL_PROCESSOR", ProcThreadAttributeValue ( ProcThreadAttributeIdealProcessor , True , True , False )) +PROC_THREAD_ATTRIBUTE_UMS_THREAD = make_flag("PROC_THREAD_ATTRIBUTE_UMS_THREAD", ProcThreadAttributeValue ( ProcThreadAttributeUmsThread , True , True , False )) +PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY = make_flag("PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY", ProcThreadAttributeValue ( ProcThreadAttributeMitigationPolicy , False , True , False )) +PROC_THREAD_ATTRIBUTE_SECURITY_CAPABILITIES = make_flag("PROC_THREAD_ATTRIBUTE_SECURITY_CAPABILITIES", ProcThreadAttributeValue ( ProcThreadAttributeSecurityCapabilities , False , True , False )) +PROC_THREAD_ATTRIBUTE_PROTECTION_LEVEL = make_flag("PROC_THREAD_ATTRIBUTE_PROTECTION_LEVEL", ProcThreadAttributeValue ( ProcThreadAttributeProtectionLevel , False , True , False )) +PROC_THREAD_ATTRIBUTE_PSEUDOCONSOLE = make_flag("PROC_THREAD_ATTRIBUTE_PSEUDOCONSOLE", ProcThreadAttributeValue ( ProcThreadAttributePseudoConsole , False , True , False )) +PROC_THREAD_ATTRIBUTE_MACHINE_TYPE = make_flag("PROC_THREAD_ATTRIBUTE_MACHINE_TYPE", ProcThreadAttributeValue ( ProcThreadAttributeMachineType , False , True , False )) +PROC_THREAD_ATTRIBUTE_ENABLE_OPTIONAL_XSTATE_FEATURES = make_flag("PROC_THREAD_ATTRIBUTE_ENABLE_OPTIONAL_XSTATE_FEATURES", ProcThreadAttributeValue ( ProcThreadAttributeEnableOptionalXStateFeatures , True , True , False )) +PROC_THREAD_ATTRIBUTE_SVE_VECTOR_LENGTH = make_flag("PROC_THREAD_ATTRIBUTE_SVE_VECTOR_LENGTH", ProcThreadAttributeValue ( ProcThreadAttributeSveVectorLength , False , True , False )) PROCESSOR_INTEL_386 = make_flag("PROCESSOR_INTEL_386", 386) PROCESSOR_INTEL_486 = make_flag("PROCESSOR_INTEL_486", 486) PROCESSOR_INTEL_PENTIUM = make_flag("PROCESSOR_INTEL_PENTIUM", 586) diff --git a/windows/generated_def/winstructs.py b/windows/generated_def/winstructs.py index 750bce54..b1204dfe 100644 --- a/windows/generated_def/winstructs.py 
+++ b/windows/generated_def/winstructs.py 
@@ -3595,6 +3595,34 @@ class _IMAGE_LOAD_CONFIG_DIRECTORY64(Structure): IMAGE_LOAD_CONFIG_DIRECTORY64 = _IMAGE_LOAD_CONFIG_DIRECTORY64 PIMAGE_LOAD_CONFIG_DIRECTORY64 = POINTER(_IMAGE_LOAD_CONFIG_DIRECTORY64) +ProcThreadAttributeParentProcess = EnumValue("_PROC_THREAD_ATTRIBUTE_NUM", "ProcThreadAttributeParentProcess", 0x0) +ProcThreadAttributeHandleList = EnumValue("_PROC_THREAD_ATTRIBUTE_NUM", "ProcThreadAttributeHandleList", 0x2) +ProcThreadAttributeGroupAffinity = EnumValue("_PROC_THREAD_ATTRIBUTE_NUM", "ProcThreadAttributeGroupAffinity", 0x3) +ProcThreadAttributePreferredNode = EnumValue("_PROC_THREAD_ATTRIBUTE_NUM", "ProcThreadAttributePreferredNode", 0x4) +ProcThreadAttributeIdealProcessor = EnumValue("_PROC_THREAD_ATTRIBUTE_NUM", "ProcThreadAttributeIdealProcessor", 0x5) +ProcThreadAttributeUmsThread = EnumValue("_PROC_THREAD_ATTRIBUTE_NUM", "ProcThreadAttributeUmsThread", 0x6) +ProcThreadAttributeMitigationPolicy = EnumValue("_PROC_THREAD_ATTRIBUTE_NUM", "ProcThreadAttributeMitigationPolicy", 0x7) +ProcThreadAttributeSecurityCapabilities = EnumValue("_PROC_THREAD_ATTRIBUTE_NUM", "ProcThreadAttributeSecurityCapabilities", 0x9) +ProcThreadAttributeProtectionLevel = EnumValue("_PROC_THREAD_ATTRIBUTE_NUM", "ProcThreadAttributeProtectionLevel", 0xb) +ProcThreadAttributeJobList = EnumValue("_PROC_THREAD_ATTRIBUTE_NUM", "ProcThreadAttributeJobList", 0xd) +ProcThreadAttributeChildProcessPolicy = EnumValue("_PROC_THREAD_ATTRIBUTE_NUM", "ProcThreadAttributeChildProcessPolicy", 0xe) +ProcThreadAttributeAllApplicationPackagesPolicy = EnumValue("_PROC_THREAD_ATTRIBUTE_NUM", "ProcThreadAttributeAllApplicationPackagesPolicy", 0xf) +ProcThreadAttributeWin32kFilter = EnumValue("_PROC_THREAD_ATTRIBUTE_NUM", "ProcThreadAttributeWin32kFilter", 0x10) +ProcThreadAttributeSafeOpenPromptOriginClaim = EnumValue("_PROC_THREAD_ATTRIBUTE_NUM", "ProcThreadAttributeSafeOpenPromptOriginClaim", 0x11) +ProcThreadAttributeDesktopAppPolicy = EnumValue("_PROC_THREAD_ATTRIBUTE_NUM", 
"ProcThreadAttributeDesktopAppPolicy", 0x12) +ProcThreadAttributePseudoConsole = EnumValue("_PROC_THREAD_ATTRIBUTE_NUM", "ProcThreadAttributePseudoConsole", 0x16) +ProcThreadAttributeMitigationAuditPolicy = EnumValue("_PROC_THREAD_ATTRIBUTE_NUM", "ProcThreadAttributeMitigationAuditPolicy", 0x18) +ProcThreadAttributeMachineType = EnumValue("_PROC_THREAD_ATTRIBUTE_NUM", "ProcThreadAttributeMachineType", 0x19) +ProcThreadAttributeComponentFilter = EnumValue("_PROC_THREAD_ATTRIBUTE_NUM", "ProcThreadAttributeComponentFilter", 0x1a) +ProcThreadAttributeEnableOptionalXStateFeatures = EnumValue("_PROC_THREAD_ATTRIBUTE_NUM", "ProcThreadAttributeEnableOptionalXStateFeatures", 0x1b) +ProcThreadAttributeTrustedApp = EnumValue("_PROC_THREAD_ATTRIBUTE_NUM", "ProcThreadAttributeTrustedApp", 0x1d) +ProcThreadAttributeSveVectorLength = EnumValue("_PROC_THREAD_ATTRIBUTE_NUM", "ProcThreadAttributeSveVectorLength", 0x1e) +class _PROC_THREAD_ATTRIBUTE_NUM(EnumType): + values = [ProcThreadAttributeParentProcess, ProcThreadAttributeHandleList, ProcThreadAttributeGroupAffinity, ProcThreadAttributePreferredNode, ProcThreadAttributeIdealProcessor, ProcThreadAttributeUmsThread, ProcThreadAttributeMitigationPolicy, ProcThreadAttributeSecurityCapabilities, ProcThreadAttributeProtectionLevel, ProcThreadAttributeJobList, ProcThreadAttributeChildProcessPolicy, ProcThreadAttributeAllApplicationPackagesPolicy, ProcThreadAttributeWin32kFilter, ProcThreadAttributeSafeOpenPromptOriginClaim, ProcThreadAttributeDesktopAppPolicy, ProcThreadAttributePseudoConsole, ProcThreadAttributeMitigationAuditPolicy, ProcThreadAttributeMachineType, ProcThreadAttributeComponentFilter, ProcThreadAttributeEnableOptionalXStateFeatures, ProcThreadAttributeTrustedApp, ProcThreadAttributeSveVectorLength] + mapper = FlagMapper(*values) +PROC_THREAD_ATTRIBUTE_NUM = _PROC_THREAD_ATTRIBUTE_NUM + + MemoryBasicInformation = EnumValue("_MEMORY_INFORMATION_CLASS", "MemoryBasicInformation", 0x0) MemoryWorkingSetList = 
EnumValue("_MEMORY_INFORMATION_CLASS", "MemoryWorkingSetList", 0x1) MemorySectionName = EnumValue("_MEMORY_INFORMATION_CLASS", "MemorySectionName", 0x2) diff --git a/windows/winproxy/apis/kernel32.py b/windows/winproxy/apis/kernel32.py index 9cb36937..de603fdc 100644 --- a/windows/winproxy/apis/kernel32.py +++ b/windows/winproxy/apis/kernel32.py @@ -6,7 +6,8 @@ no_error_check, result_is_handle, succeed_on_zero, - fail_on_minus_one) + fail_on_minus_one, + WinproxyError) class Kernel32Proxy(ApiProxy): From b51a6e180864e90f2a70ff50046dd4e20fd761a3 Mon Sep 17 00:00:00 2001 From: hakril Date: Fri, 7 Feb 2025 13:39:00 +0100 Subject: [PATCH 48/70] Adding CreateRemoteThreadEx definition --- ctypes_generation/definitions/functions/winfunc.txt | 11 +++++++++++ docs/source/winfuncs_generated.rst | 2 ++ windows/generated_def/meta.py | 1 + windows/generated_def/winfuncs.py | 5 +++++ windows/winproxy/apis/kernel32.py | 12 ++++++------ 5 files changed, 25 insertions(+), 6 deletions(-) diff --git a/ctypes_generation/definitions/functions/winfunc.txt b/ctypes_generation/definitions/functions/winfunc.txt index cc4d6960..637c5ae5 100644 --- a/ctypes_generation/definitions/functions/winfunc.txt +++ b/ctypes_generation/definitions/functions/winfunc.txt @@ -150,6 +150,17 @@ HANDLE WINAPI CreateRemoteThread( _Out_ LPDWORD lpThreadId ); +HANDLE CreateRemoteThreadEx( + [in] HANDLE hProcess, + [in, optional] LPSECURITY_ATTRIBUTES lpThreadAttributes, + [in] SIZE_T dwStackSize, + [in] LPTHREAD_START_ROUTINE lpStartAddress, + [in, optional] LPVOID lpParameter, + [in] DWORD dwCreationFlags, + [in, optional] LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList, + [out, optional] LPDWORD lpThreadId +); + BOOL WINAPI CreateProcessA( __in_opt LPCSTR lpApplicationName, __inout_opt LPSTR lpCommandLine, diff --git a/docs/source/winfuncs_generated.rst b/docs/source/winfuncs_generated.rst index eef30e15..9005838e 100644 --- a/docs/source/winfuncs_generated.rst +++ b/docs/source/winfuncs_generated.rst 
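Review bot: The names `ProcThreadAttributeParentProcess` through `ProcThreadAttributeSveVectorLength` are now defined twice in the same patch, as `make_flag(...)` objects in windef.py and as `EnumValue("_PROC_THREAD_ATTRIBUTE_NUM", ...)` objects here; if both modules are star-exported into the generated_def namespace (the meta.py hunk lists each name only once), whichever module is imported last silently shadows the other, and `_PROC_THREAD_ATTRIBUTE_NUM.values` / `mapper` may then hold objects that are not the ones callers see as `gdef.ProcThreadAttribute*`. The two generated sets also disagree on membership: windef.py defines numbers 0-19 and 22-30, while this enum omits 1, 8, 10, 12, 19, 23 and 28 (presumably the `#if`-guarded members of the header, but that is inferred). Either generate the attribute numbers once, or add a comment on the enum stating which definition is authoritative and why the sets differ.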
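Review bot: The new CreateRemoteThreadEx prototype in winfunc.txt uses `[in]` / `[in, optional]` / `[out, optional]` annotations, while the neighbouring CreateRemoteThread entry uses `_Out_` and CreateProcessA uses `__in_opt`, so this file now carries three annotation styles. The generated winfuncs.py shows the generator tolerates the bracket form, so this is a point of style only, but a single form per file keeps the definitions greppable; `_In_opt_ LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList,` would match the SAL2 form already present two entries above.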
@@ -1390,6 +1390,8 @@ Functions .. function:: CreateRemoteThread(hProcess, lpThreadAttributes, dwStackSize, lpStartAddress, lpParameter, dwCreationFlags, lpThreadId) +.. function:: CreateRemoteThreadEx(hProcess, lpThreadAttributes, dwStackSize, lpStartAddress, lpParameter, dwCreationFlags, lpAttributeList, lpThreadId) + .. function:: CreateProcessA(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation) .. function:: CreateProcessW(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation) diff --git a/windows/generated_def/meta.py b/windows/generated_def/meta.py index 9c6cc789..9dea2ff4 100644 --- a/windows/generated_def/meta.py +++ b/windows/generated_def/meta.py @@ -14680,6 +14680,7 @@ 'CreateProcessAsUserW', 'CreateProcessW', 'CreateRemoteThread', +'CreateRemoteThreadEx', 'CreateServiceA', 'CreateServiceW', 'CreateStreamOnHGlobal', diff --git a/windows/generated_def/winfuncs.py b/windows/generated_def/winfuncs.py index 9127a71c..0f7f87d0 100644 --- a/windows/generated_def/winfuncs.py +++ b/windows/generated_def/winfuncs.py 
@@ -3470,6 +3470,11 @@ CreateRemoteThreadPrototype = WINFUNCTYPE(HANDLE, HANDLE, LPSECURITY_ATTRIBUTES, SIZE_T, LPTHREAD_START_ROUTINE, LPVOID, DWORD, LPDWORD) CreateRemoteThreadParams = ((1, 'hProcess'), (1, 'lpThreadAttributes'), (1, 'dwStackSize'), (1, 'lpStartAddress'), (1, 'lpParameter'), (1, 'dwCreationFlags'), (1, 'lpThreadId')) +#def CreateRemoteThreadEx(hProcess, lpThreadAttributes, dwStackSize, lpStartAddress, lpParameter, dwCreationFlags, lpAttributeList, lpThreadId): +# return CreateRemoteThreadEx.ctypes_function(hProcess, lpThreadAttributes, dwStackSize, lpStartAddress, lpParameter, dwCreationFlags, lpAttributeList, lpThreadId) +CreateRemoteThreadExPrototype = WINFUNCTYPE(HANDLE, HANDLE, LPSECURITY_ATTRIBUTES, SIZE_T, LPTHREAD_START_ROUTINE, LPVOID, DWORD, LPPROC_THREAD_ATTRIBUTE_LIST, LPDWORD) +CreateRemoteThreadExParams = ((1, 'hProcess'), (1, 'lpThreadAttributes'), (1, 'dwStackSize'), (1, 'lpStartAddress'), (1, 'lpParameter'), (1, 'dwCreationFlags'), (1, 'lpAttributeList'), (1, 'lpThreadId')) + #def CreateProcessA(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation): # return CreateProcessA.ctypes_function(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation) CreateProcessAPrototype = WINFUNCTYPE(BOOL, LPCSTR, LPSTR, LPSECURITY_ATTRIBUTES, LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCSTR, LPSTARTUPINFOA, LPPROCESS_INFORMATION) diff --git a/windows/winproxy/apis/kernel32.py b/windows/winproxy/apis/kernel32.py index de603fdc..13401035 100644 --- a/windows/winproxy/apis/kernel32.py +++ b/windows/winproxy/apis/kernel32.py 
@@ -214,6 +214,11 @@ def CreateRemoteThread(hProcess=NeededParameter, lpThreadAttributes=None, dwStac lpStartAddress=NeededParameter, lpParameter=NeededParameter, dwCreationFlags=0, lpThreadId=None): return CreateRemoteThread.ctypes_function(hProcess, lpThreadAttributes, dwStackSize, lpStartAddress, lpParameter, dwCreationFlags, lpThreadId) +@Kernel32Proxy() +def CreateRemoteThreadEx(hProcess, lpThreadAttributes=None, dwStackSize=0, lpStartAddress=NeededParameter, lpParameter=NeededParameter, dwCreationFlags=0, lpAttributeList=None, lpThreadId=None): + return CreateRemoteThreadEx.ctypes_function(hProcess, lpThreadAttributes, dwStackSize, lpStartAddress, lpParameter, dwCreationFlags, lpAttributeList, lpThreadId) + + @Kernel32Proxy() def GetThreadContext(hThread, lpContext): # TODO: RM ME IF TEST PASS @@ -661,12 +666,7 @@ def FindNextChangeNotification(hChangeHandle): @Kernel32Proxy() def FindCloseChangeNotification(hChangeHandle): - return FindCloseChange - Notification.ctypes_function(hChangeHandle) - -@Kernel32Proxy() -def FindNextChangeNotification(hChangeHandle): - return FindNextChangeNotification.ctypes_function(hChangeHandle) + return FindCloseChangeNotification.ctypes_function(hChangeHandle) @Kernel32Proxy() def ReadDirectoryChangesW(hDirectory, lpBuffer, nBufferLength, bWatchSubtree, dwNotifyFilter, lpBytesReturned, lpOverlapped, lpCompletionRoutine): From 06b96e65d0d2f135721636ade5209219e44d8b95 Mon Sep 17 00:00:00 2001 From: hakril Date: Sat, 8 Feb 2025 13:12:05 +0100 Subject: [PATCH 49/70] More NotImplementedError for ARM64 --- windows/injection.py | 4 ++++ windows/winobject/process.py | 11 ++++++++--- windows/winproxy/apis/ntdll.py | 2 +- 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/windows/injection.py b/windows/injection.py index 203ff885..be542e7d 100644 --- a/windows/injection.py +++ b/windows/injection.py 
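Review bot: `hProcess` in the new CreateRemoteThreadEx proxy has no default, unlike the sibling `CreateRemoteThread(hProcess=NeededParameter, ...)` in the context lines above; omitting it still fails, but the proxies appear to use `NeededParameter` to mark required arguments explicitly, so `def CreateRemoteThreadEx(hProcess=NeededParameter, lpThreadAttributes=None, ...)` keeps the two signatures parallel. The proxy carries no docstring; a line noting that `lpAttributeList` takes a `LPPROC_THREAD_ATTRIBUTE_LIST` (per the prototype generated in this patch) and is otherwise left `None` would document the only parameter that differs from CreateRemoteThread. The second hunk's FindCloseChangeNotification repair is a straightforward fix and needs nothing further.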
@@ -184,6 +184,8 @@ def perform_manual_getproc_loadlib(target, *args, **kwargs): def load_dll_in_remote_process(target, dll_path): + if target.architecture == gdef.IMAGE_FILE_MACHINE_ARM64: + raise NotImplementedError("Injection in ARM64 target process is not implemented") rpeb = target.peb if rpeb.Ldr: # LDR est parcourable, ca va etre deja plus simple.. @@ -372,6 +374,8 @@ def generate_python_exec_shellcode_64(target, PyDll): def inject_python_command(target, code_injected, PYDLL): """Postulate: PYDLL is already loaded in target process""" + if target.architecture == gdef.IMAGE_FILE_MACHINE_ARM64: + raise NotImplementedError("Injection in ARM64 target process is not implemented") PYCODE = code_injected + "\x00" # TODO: free this (how ? when ?) remote_python_code_addr = target.virtual_alloc(len(PYCODE)) diff --git a/windows/winobject/process.py b/windows/winobject/process.py index 688ca695..b910b64d 100644 --- a/windows/winobject/process.py +++ b/windows/winobject/process.py 
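Review bot: The same two-line ARM64 guard with the same message is pasted into both `load_dll_in_remote_process` and `inject_python_command`; a small module-level helper (for example `_check_injection_target(target)` raising the NotImplementedError) would keep the message and the condition in one place when more injection entry points need it. Both enclosing functions continue outside the hunks. The guard compares only against `gdef.IMAGE_FILE_MACHINE_ARM64`; if the generated definitions also expose `IMAGE_FILE_MACHINE_ARM64EC`, it is worth deciding explicitly whether such targets should hit the same guard, since the x86/x64 shellcode path would otherwise run against them.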
@@ -1168,11 +1168,16 @@ def create_thread(self, addr, param): :rtype: :class:`WinThread` or :class:`DeadThread` """ + # We are using NtCreateThreadEx as its more permissive about cross-bitness / cross-architecture + # And we can asume we known what we are doing -> So no safeguard ;) + thread_handle = HANDLE() if windows.current_process.bitness == 32 and self.bitness == 64: - thread_handle = HANDLE() + if self._is_x86_on_arm64(): + raise NotImplementedError("Crossing heaven gate x86 -> arm64 not implemented") windows.syswow64.NtCreateThreadEx_32_to_64(ThreadHandle=byref(thread_handle) ,ProcessHandle=self.handle, lpStartAddress=addr, lpParameter=param) - return WinThread._from_handle(thread_handle.value) - return WinThread._from_handle(winproxy.CreateRemoteThread(hProcess=self.handle, lpStartAddress=addr, lpParameter=param)) + else: + windows.winproxy.NtCreateThreadEx(ThreadHandle=byref(thread_handle) ,ProcessHandle=self.handle, lpStartAddress=addr, lpParameter=param) + return WinThread._from_handle(thread_handle.value) def load_library(self, dll_path): """Load the library in remote process diff --git a/windows/winproxy/apis/ntdll.py b/windows/winproxy/apis/ntdll.py index d09bef50..5d4179fa 100644 --- a/windows/winproxy/apis/ntdll.py +++ b/windows/winproxy/apis/ntdll.py 
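Review bot: `create_thread` can now raise NotImplementedError on an x86-on-ARM64 host, but the docstring (whose start lies outside the hunk) still only documents `:rtype:`; add `:raises NotImplementedError: when called from a 32-bit process on an ARM64 host targeting a 64-bit process` next to it. The new comment has two typos and should read `# And we can assume we know what we are doing -> So no safeguard ;)`; since the change also drops the former `winproxy.CreateRemoteThread` path for the same-bitness case, it would help to state in that comment what safeguard is being given up (presumably kernel32's refusal of cross-architecture start addresses, which NtCreateThreadEx does not perform) so callers know a wrong-bitness `addr` now reaches the target. The copied `byref(thread_handle) ,ProcessHandle=` spacing in the new else branch is a style nit inherited from the line above.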
@@ -148,7 +148,7 @@ def NtCreateProcessEx(ProcessHandle, DesiredAccess, ObjectAttributes=None, Paren return NtCreateProcessEx.ctypes_function(ProcessHandle, DesiredAccess, ObjectAttributes, ParentProcess, Flags, SectionHandle, DebugPort, ExceptionPort, InJob) @NtdllProxy() -def NtCreateThreadEx(ThreadHandle=None, DesiredAccess=0x1fffff, ObjectAttributes=0, ProcessHandle=NeededParameter, lpStartAddress=NeededParameter, lpParameter=NeededParameter, CreateSuspended=0, dwStackSize=0, Unknown1=0, Unknown2=0, Unknown=0): +def NtCreateThreadEx(ThreadHandle=None, DesiredAccess=0x1fffff, ObjectAttributes=0, ProcessHandle=NeededParameter, lpStartAddress=NeededParameter, lpParameter=NeededParameter, CreateSuspended=0, dwStackSize=0, Unknown1=0, Unknown2=0, Unknown3=0): if ThreadHandle is None: ThreadHandle = ctypes.byref(gdef.HANDLE()) return NtCreateThreadEx.ctypes_function(ThreadHandle, DesiredAccess, ObjectAttributes, ProcessHandle, lpStartAddress, lpParameter, CreateSuspended, dwStackSize, Unknown1, Unknown2, Unknown3) From a93c9b7f114ff640e205d9e74d16984fb30b9809 Mon Sep 17 00:00:00 2001 From: hakril Date: Sat, 8 Feb 2025 19:31:45 +0100 Subject: [PATCH 50/70] Fix typo --- windows/winobject/process.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/winobject/process.py b/windows/winobject/process.py index b910b64d..56286c9c 100644 --- a/windows/winobject/process.py +++ b/windows/winobject/process.py @@ -1172,7 +1172,7 @@ def create_thread(self, addr, param): # And we can asume we known what we are doing -> So no safeguard ;) thread_handle = HANDLE() if windows.current_process.bitness == 32 and self.bitness == 64: - if self._is_x86_on_arm64(): + if self._is_x86_on_arm64: raise NotImplementedError("Crossing heaven gate x86 -> arm64 not implemented") windows.syswow64.NtCreateThreadEx_32_to_64(ThreadHandle=byref(thread_handle) ,ProcessHandle=self.handle, lpStartAddress=addr, lpParameter=param) else: 
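Review bot: The rename to `Unknown3` makes the signature match the body, but the three trailing parameters of NtCreateThreadEx remain undocumented; public reverse-engineered prototypes (e.g. the phnt headers) name the last four arguments ZeroBits, StackSize, MaximumStackSize and AttributeList, which, if accurate, would mean `dwStackSize` here is really the zero-bits argument. Renaming would break keyword callers, so a comment is the safe step: `# Unknown1..Unknown3: trailing NtCreateThreadEx arguments (StackSize, MaximumStackSize, AttributeList in phnt); verify before relying on dwStackSize`. `DesiredAccess=0x1fffff` is a magic value; if gdef exposes `THREAD_ALL_ACCESS`, using it would make the default access mask readable.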
From 405616290f8a5285c29b7b1e4a8499c73eee838c Mon Sep 17 00:00:00 2001 From: hakril Date: Sat, 8 Feb 2025 19:44:39 +0100 Subject: [PATCH 51/70] Improve test_pe fixture stability --- tests/test_parse_pe.py | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/tests/test_parse_pe.py b/tests/test_parse_pe.py index 6fe6c3c6..853a8913 100644 --- a/tests/test_parse_pe.py +++ b/tests/test_parse_pe.py @@ -16,8 +16,16 @@ def pe(request): pop_proc = request.param proc = pop_proc() - time.sleep(0.01) - yield proc.peb.modules[2].pe + for i in range(10): + try: + time.sleep(0.1) + yield proc.peb.modules[2].pe + break + except ValueError: + if i == 9: + # Last change failed + raise + continue # PEB.Ldr not ready yet proc.exit(0) PE_DOTNET32_DLL_NAME = "test_pe_dotnet32.dll" From 909669321b10040fe5b6777994391395b1c446db Mon Sep 17 00:00:00 2001 From: hakril Date: Mon, 10 Feb 2025 08:50:08 +0100 Subject: [PATCH 52/70] Improve pipe tests stability / error trigger --- tests/test_pipe.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/test_pipe.py b/tests/test_pipe.py index c05a49c5..1ae61f93 100644 --- a/tests/test_pipe.py +++ b/tests/test_pipe.py @@ -33,6 +33,8 @@ def test_ipc_pipe(proc32_64): @python_injection def test_pipe_echo_server(proc32_64): + # Verify that injection / load of Pfw in remote works with a first safe stub + proc32_64.execute_python("import windows") t = proc32_64.execute_python_unsafe(rcode_test_echo_pipe.format(pipe=PIPE_NAME)) time.sleep(0.5) assert not t.is_exit @@ -45,6 +47,8 @@ def test_pipe_echo_server(proc32_64): @python_injection def test_pipe_recv_object(proc32_64): + # Verify that injection / load of Pfw in remote works with a first safe stub + proc32_64.execute_python("import windows") # not the good way to do the exchange (race possible) # Just for the sake of the test proc32_64.execute_python_unsafe(rcode_test_ipc_pipe.format(pipe=PIPE_NAME)) 
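Review bot: When the tenth attempt still raises ValueError the fixture re-raises from inside the loop and never reaches `proc.exit(0)`, so the spawned process is leaked on exactly the failure path this retry loop was added for; wrapping the loop in try/finally fixes that and also cleans up if pytest closes the generator early. The comment should read `# Last chance failed`. Note the sleep now runs before the first attempt and was raised from 0.01 s to 0.1 s, which adds 0.1 s to every parametrisation even when the PEB is already readable; sleeping only after a failed attempt would avoid that if the initial delay is not required. The enclosing `def pe(request)` starts in the hunk header, outside the hunk.
```python
    proc = pop_proc()
    try:
        for i in range(10):
            try:
                time.sleep(0.1)
                yield proc.peb.modules[2].pe
                break
            except ValueError:
                if i == 9:
                    # Last chance failed
                    raise
                continue  # PEB.Ldr not ready yet
    finally:
        proc.exit(0)
```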
From 064b22f99e47c5b1b01c81c56b6821978a954564 Mon Sep 17 00:00:00 2001 From: hakril Date: Mon, 10 Feb 2025 10:01:55 +0100 Subject: [PATCH 53/70] Still improving tests for ARM64 --- tests/pfwtest.py | 4 ++++ tests/test_cpuid.py | 5 +++++ tests/test_native_utils.py | 14 ++++++++------ tests/test_process.py | 2 ++ tests/test_syswow.py | 2 ++ 5 files changed, 21 insertions(+), 6 deletions(-) diff --git a/tests/pfwtest.py b/tests/pfwtest.py index 923a02d7..2e3969ba 100644 --- a/tests/pfwtest.py +++ b/tests/pfwtest.py @@ -24,6 +24,10 @@ process_syswow_only = pytest.mark.skipif(not is_process_syswow, reason="Test for syswow process only") require_admin = pytest.mark.skipif(not is_admin, reason="Test must be launched as admin") +def process_architecture_only(target_archi): + return pytest.mark.skipif(windows.current_process.architecture != target_archi, + reason="Test for {0} architecture process only".format(target_archi)) + check_for_gc_garbage = pytest.mark.usefixtures("check_for_gc_garbage") check_for_handle_leak = pytest.mark.usefixtures("check_for_handle_leak") diff --git a/tests/test_cpuid.py b/tests/test_cpuid.py index 004fe95a..105ec2ec 100644 --- a/tests/test_cpuid.py +++ b/tests/test_cpuid.py @@ -1,6 +1,11 @@ +import pytest + import windows +import windows.generated_def as gdef import windows.native_exec.cpuid def test_native_exec_cpuid(): + if windows.current_process.architecture == gdef.IMAGE_FILE_MACHINE_ARM64: + pytest.skip("CPUID not testable on ARM64") assert windows.native_exec.cpuid.do_cpuid(0) assert windows.native_exec.cpuid.get_proc_family_model() \ No newline at end of file diff --git a/tests/test_native_utils.py b/tests/test_native_utils.py index d20a275a..9f31f5ff 100644 --- a/tests/test_native_utils.py +++ b/tests/test_native_utils.py 
@@ -8,21 +8,23 @@ from .pfwtest import * + + @check_for_gc_garbage class TestNativeUtils(object): - @process_64bit_only + @process_architecture_only(gdef.IMAGE_FILE_MACHINE_AMD64) def test_strlenw64(self): strlenw64 = windows.native_exec.create_function(nativeutils.StrlenW64.get_code(), [gdef.UINT, gdef.LPCWSTR]) assert strlenw64("YOLO") == 4 assert strlenw64("") == 0 - @process_64bit_only + @process_architecture_only(gdef.IMAGE_FILE_MACHINE_AMD64) def test_strlena64(self): strlena64 = windows.native_exec.create_function(nativeutils.StrlenA64.get_code(), [gdef.UINT, gdef.LPCSTR]) assert strlena64(b"YOLO") == 4 assert strlena64(b"") == 0 - @process_64bit_only + @process_architecture_only(gdef.IMAGE_FILE_MACHINE_AMD64) def test_getprocaddr64(self): getprocaddr64 = windows.native_exec.create_function(nativeutils.GetProcAddress64.get_code(), [gdef.ULONG64, gdef.LPCWSTR, gdef.LPCSTR]) k32 = [mod for mod in windows.current_process.peb.modules if mod.name == "kernel32.dll"][0] 
@@ -37,19 +39,19 @@ def test_getprocaddr64(self): assert getprocaddr64("YOLO.DLL", b"whatever") == 0xfffffffffffffffe assert getprocaddr64("KERNEL32.DLL", b"YOLOAPI") == 0xffffffffffffffff - @process_32bit_only + @process_architecture_only(gdef.IMAGE_FILE_MACHINE_I386) def test_strlenw32(self): strlenw32 = windows.native_exec.create_function(nativeutils.StrlenW32.get_code(), [gdef.UINT, gdef.LPCWSTR]) assert strlenw32("YOLO") == 4 assert strlenw32("") == 0 - @process_32bit_only + @process_architecture_only(gdef.IMAGE_FILE_MACHINE_I386) def test_strlena32(self): strlena32 = windows.native_exec.create_function(nativeutils.StrlenA32.get_code(), [gdef.UINT, gdef.LPCSTR]) assert strlena32(b"YOLO") == 4 assert strlena32(b"") == 0 - @process_32bit_only + @process_architecture_only(gdef.IMAGE_FILE_MACHINE_I386) def test_getprocaddr32(self): getprocaddr32 = windows.native_exec.create_function(nativeutils.GetProcAddress32.get_code(), [gdef.UINT, gdef.LPCWSTR, gdef.LPCSTR]) k32 = [mod for mod in windows.current_process.peb.modules if mod.name == "kernel32.dll"][0] diff --git a/tests/test_process.py b/tests/test_process.py index 2552f9a4..db8b0015 100644 --- a/tests/test_process.py +++ b/tests/test_process.py @@ -195,6 +195,7 @@ def test_execute_to_proc32(self, proc32): @windows_64bit_only def test_execute_to_64(self, proc64): + assert proc64.architecture == gdef.IMAGE_FILE_MACHINE_AMD64, "TODO: better machine fixture for ARM64" with proc64.allocated_memory(0x1000) as addr: shellcode = x64.MultipleInstr() shellcode += x64.Mov('RAX', 0x4242424243434343) @@ -351,6 +352,7 @@ def test_set_thread_context_32(self, proc32): @windows_64bit_only def test_set_thread_context_64(self, proc64): + assert proc64.architecture == gdef.IMAGE_FILE_MACHINE_AMD64, "TODO: better machine fixture for ARM64" code = x64.MultipleInstr() code += x64.Label(":LOOP") code += x64.Jmp(":LOOP") diff --git a/tests/test_syswow.py b/tests/test_syswow.py index 5d214d87..4a321dd2 100644 --- a/tests/test_syswow.py 
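Review bot: The added line `assert proc64.architecture == gdef.IMAGE_FILE_MACHINE_AMD64, "TODO: better machine fixture for ARM64"` in test_execute_to_64, and the identical one in the second hunk in test_set_thread_context_64, turns an environment precondition into a test failure, so on an ARM64 host these x64-shellcode tests count as broken rather than as not applicable. A skip states the intent and keeps the failure count meaningful, e.g. `if proc64.architecture != gdef.IMAGE_FILE_MACHINE_AMD64: pytest.skip("x64 shellcode test; proc64 fixture is not an AMD64 process on this host")`. Both test bodies continue outside the hunk.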
+++ b/tests/test_syswow.py @@ -69,6 +69,8 @@ def test_getset_syswow_context(self, proc32): windows.current_process.write_qword({0}, res) """.format(addr) + # Execute the import safely so that the test will not hang if import fails + proc32.execute_python("import windows") t = proc32.execute_python_unsafe(textwrap.dedent(remote_python_code)) # Wait for python execution while proc32.read_qword(addr) != 0x8877665544332211: From bd52b1a5a3100daff8a937aa7ead4222af4ed66a Mon Sep 17 00:00:00 2001 From: hakril Date: Mon, 10 Feb 2025 15:26:41 +0100 Subject: [PATCH 54/70] More tests adaptation for arm64 --- tests/pfwtest.py | 2 +- windows/winobject/handle.py | 2 ++ windows/winobject/system_module.py | 2 ++ 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/tests/pfwtest.py b/tests/pfwtest.py index 2e3969ba..e0fad45d 100644 --- a/tests/pfwtest.py +++ b/tests/pfwtest.py @@ -21,7 +21,7 @@ process_32bit_only = pytest.mark.skipif(not is_process_32_bits, reason="Test for 32bits process only") process_64bit_only = pytest.mark.skipif(not is_process_64_bits, reason="Test for 64bits process only") -process_syswow_only = pytest.mark.skipif(not is_process_syswow, reason="Test for syswow process only") +process_syswow_only = pytest.mark.skipif((not is_process_syswow) or windows.current_process._is_x86_on_arm64, reason="Test for syswow process only (ARM64 computer not supported)") require_admin = pytest.mark.skipif(not is_admin, reason="Test must be launched as admin") def process_architecture_only(target_archi): diff --git a/windows/winobject/handle.py b/windows/winobject/handle.py index 03ba471a..eb4deea4 100644 --- a/windows/winobject/handle.py +++ b/windows/winobject/handle.py 
@@ -144,6 +144,8 @@ def enumerate_handles(): def enumerate_handles_syswow64(): + if windows.current_process._is_x86_on_arm64: + raise NotImplementedError("Crossing heaven gate x86 -> arm64 not implemented") size_needed = gdef.ULONG() # Should at least be sizeof(gdef.SYSTEM_HANDLE_INFORMATION) tmp_buffer = windows.utils.BUFFER(gdef.SYSTEM_HANDLE_INFORMATION64)() diff --git a/windows/winobject/system_module.py b/windows/winobject/system_module.py index cb65ff2f..5d8977ee 100644 --- a/windows/winobject/system_module.py +++ b/windows/winobject/system_module.py @@ -44,6 +44,8 @@ def enumerate_kernel_modules(): return list(modules) def enumerate_kernel_modules_syswow64(): + if windows.current_process._is_x86_on_arm64: + raise NotImplementedError("Crossing heaven gate x86 -> arm64 not implemented") cbsize = gdef.DWORD() windows.syswow64.NtQuerySystemInformation_32_to_64(gdef.SystemModuleInformation, None, 0, ctypes.addressof(cbsize)) raw_buffer = (cbsize.value * gdef.BYTE)() From fc0c81eb70457ec15c0754cde39b26610a19e068 Mon Sep 17 00:00:00 2001 From: hakril Date: Tue, 11 Feb 2025 10:37:00 +0100 Subject: [PATCH 55/70] Fix pe parsing for section with 8bytes name --- tests/test_parse_pe.py | 24 +++++++++++++++++++++--- windows/pe_parse.py | 17 +++++++++++++++-- 2 files changed, 36 insertions(+), 5 deletions(-) diff --git a/tests/test_parse_pe.py b/tests/test_parse_pe.py index 853a8913..91b1ed01 100644 --- a/tests/test_parse_pe.py +++ b/tests/test_parse_pe.py @@ -91,9 +91,6 @@ def test_pe_parsing_strange_optional_header_size(tmp_path, proc32): # Also check that section retrieval works (as its position is based on OptionalHeader Size) assert set(s.name for s in mod.pe.sections) == {".text", ".data", ".l1"} - - - # Make a test from current_process parsing ? def test_pe_parsing_dotnet32_process_64(proc64, pe_dotnet32): # .NET pe32 loadable in 64bit process -> rewrite of the OptionalHeader 
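Review bot: The guard `if windows.current_process._is_x86_on_arm64: raise NotImplementedError("Crossing heaven gate x86 -> arm64 not implemented")` is added verbatim here at the top of enumerate_handles_syswow64, again in enumerate_kernel_modules_syswow64 in the next hunk, and five more times in windows/winobject/process.py in a later patch of this series. A single helper in the syswow layer, for instance a constructed `windows.syswow64.ensure_heaven_gate_available()` that raises that NotImplementedError, keeps the condition and the message in one place and makes every crossing point greppable when ARM64 support is implemented. The bodies of both functions continue outside the hunk.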
@@ -126,6 +123,27 @@ def test_pe_parsing_dotnet32_current_process_64(proc64, pe_dotnet32): assert imported_dlls == ['mscoree.dll'] assert ".text" in sections_names +# PE header of Syschpe32\ntdll.dll with a 8 chars sections .hexpthk that broke the parseur +# This PE as 8 bytes sections name + VirtualSize non aligned on 0x100 so there is a non-null non-ascii byte after the name +PE_SECTION_8CHARS = b""" +eJzzjZrAwMzAwMACxP//MzDsYIAABwbC4AMRagYbCHBlYPBhZEYRu8HAxMjNyMnAwMQAwSAgAMUK +II4DhA2UY4VKw2hwQLFAmBBTFSBqQYQAwig4MECyg4ogAGiuMRZxvQgIuMDIAPcDAxuqGgUGhgS9 +SAjQhgqA1XGgqnNgYDigFwUBYHmYX7gwzHtAmW9GwSgYBfQAnU8b3zAAy4aMr/+BQNTGwIGht0aF +IwMkF54BKg0yGBQcGAL+izoApTrfHJ4wvMAAB/+AA4/UnJx8hfL8opwUhbSi/FyFRIWAypKM/Dy3 +/KLwzLyU/PJihZLU4hIFUMU5CoYd0DBAsJuAbBsD7OpA7YsEIM4B4goD3GIMDO6pJcElKR6JeSk5 +qSB+eFFmSapbJpgTlJqYAmUyAFOXa0VqMkN2alFeao6xkV5KTg6NPDkKcAIAM7/CEw==""" + +def test_pe_parsing_section_8_chars(proc32, tmp_path): + pe_path = (tmp_path / "pe_parsing_8chars_section.exe") + pe_data = pe_data = zlib.decompress(b64decode(PE_SECTION_8CHARS)) + + with pe_path.open("wb") as f: + f.write(pe_data) + + mod = proc32.load_library(str(pe_path)) + # check that section retrieval works + assert set(s.name for s in mod.pe.sections) == {u".XXXXXXX", u".YYYYYYY", u".ZZZZZZZ"} + # A "Portable Executable 32 .NET Assembly" DLL # Result of compiling a simple hello-world # Can be loaded into a 64b process to witness 32 -> 64b PE conversion at load time diff --git a/windows/pe_parse.py b/windows/pe_parse.py index a19eb748..ec092a44 100644 --- a/windows/pe_parse.py +++ b/windows/pe_parse.py @@ -109,7 +109,7 @@ def name(self): if self.target is None: name = get_string(self.target, ctypes.addressof(self.Name))[:8] else: - name = get_string(self.target, self._base_addr)[:8] + name = self.target.read_memory(self._base_addr, 8).split(b"\x00", 1)[0].decode("ascii") # Decode as UTF-8 as the MS doc say ? return name 
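Review bot: `pe_data = pe_data = zlib.decompress(b64decode(PE_SECTION_8CHARS))` in test_pe_parsing_section_8_chars assigns the same name twice; `pe_data = zlib.decompress(b64decode(PE_SECTION_8CHARS))` is what is meant. The header comment above the blob says the offending section is `.hexpthk` while the assert expects `.XXXXXXX`, `.YYYYYYY` and `.ZZZZZZZ`, so a sentence saying that the section names in the fixture were rewritten (if that is what happened) would save the next reader a decompression. `zlib` and `b64decode` are not imported in this hunk, so the test relies on them already being in scope in the file.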
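Review bot: `self.target.read_memory(self._base_addr, 8).split(b"\x00", 1)[0].decode("ascii")` raises UnicodeDecodeError for any section whose 8-byte name contains a byte above 0x7F, so one odd or crafted section header aborts the whole `pe.sections` enumeration of a remote module, which matters when the parsed image is not trusted. The PE documentation describes the field as UTF-8, so `.decode("utf-8", "replace")` keeps enumeration going and lets the trailing `# Decode as UTF-8 as the MS doc say ?` comment become a statement. The `self.target is None` branch still goes through `get_string(...)[:8]`, so the two paths can disagree on the same header; the rest of `name` is outside the hunk.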
@@ -451,4 +451,17 @@ def imports(self): iat_entry.name = str(name) if name else "" name = get_string(self.target, self.baseaddr + import_descriptor.Name) res.setdefault(name.lower(), []).extend(IAT) - return res \ No newline at end of file + return res + + @utils.fixedpropety + def binid(self): + """Return the hex-string {TimeStamp}{SizeOfCode} used by PDB to identify a PE. + + I do not know the official name of this value... + + :type: :class:`str` + """ + nth = self.get_NT_HEADER() + timestamp = nth.FileHeader.TimeDateStamp + image_size = nth.OptionalHeader.SizeOfImage + return "{timestamp:08x}{image_size:x}".format(timestamp=timestamp, image_size=image_size) \ No newline at end of file From d4952e21ba82f4a2a7ca871302908407c85ace57 Mon Sep 17 00:00:00 2001 From: hakril Date: Tue, 11 Feb 2025 14:03:35 +0100 Subject: [PATCH 56/70] More arm64 heaven gate NotImplementedError() --- windows/winobject/process.py | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/windows/winobject/process.py b/windows/winobject/process.py index 56286c9c..c74f0b2c 100644 --- a/windows/winobject/process.py +++ b/windows/winobject/process.py @@ -166,6 +166,8 @@ def ppid(self): :type: :class:`int` """ if windows.current_process.bitness == 32 and self.bitness == 64: + if windows.current_process._is_x86_on_arm64: + raise NotImplementedError("Crossing heaven gate x86 -> arm64 not implemented") xtype = windows.remotectypes.transform_type_to_remote64bits(PROCESS_BASIC_INFORMATION) # Fuck-it <3 data = (ctypes.c_char * ctypes.sizeof(xtype))() 
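Review bot: The binid docstring says the value is `{TimeStamp}{SizeOfCode}`, but the code reads `nth.OptionalHeader.SizeOfImage`, which is the field the symbol-server naming convention uses alongside TimeDateStamp. The first line should read `Return the hex-string {TimeDateStamp:08x}{SizeOfImage:x} used by symbol servers (PDB lookup) to identify a PE.`, after which the `I do not know the official name` sentence can go. The new end of file still lacks a trailing newline, as the `\ No newline at end of file` marker shows.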
@@ -236,6 +238,8 @@ def virtual_protected(self, addr, size, protect): def virtual_protect(self, addr, size, protect, old_protect=None): """Change the access right of one or more page of the process""" if windows.current_process.bitness == 32 and self.bitness == 64: + if windows.current_process._is_x86_on_arm64: + raise NotImplementedError("Crossing heaven gate x86 -> arm64 not implemented") if size & 0x0fff: size = ((size >> 12) + 1) << 12 if old_protect is None: @@ -266,6 +270,8 @@ def query_memory(self, addr): :rtype: :class:`~windows.generated_def.winstructs.MEMORY_BASIC_INFORMATION` """ if windows.current_process.bitness == 32 and self.bitness == 64: + if windows.current_process._is_x86_on_arm64: + raise NotImplementedError("Crossing heaven gate x86 -> arm64 not implemented") res = MEMORY_BASIC_INFORMATION64() try: v = windows.syswow64.NtQueryVirtualMemory_32_to_64(ProcessHandle=self.handle, BaseAddress=addr, MemoryInformationClass=MemoryBasicInformation, MemoryInformation=res) @@ -346,6 +352,8 @@ def query_working_setex(self, addresses): for i, data in enumerate(info_array): info_array[i].VirtualAddress = addresses[i] if windows.current_process.bitness == 32 and self.bitness == 64: + if windows.current_process._is_x86_on_arm64: + raise NotImplementedError("Crossing heaven gate x86 -> arm64 not implemented") windows.syswow64.NtQueryVirtualMemory_32_to_64(self.handle, 0, MemoryWorkingSetListEx, info_array) else: winproxy.QueryWorkingSetEx(self.handle, ctypes.byref(info_array), ctypes.sizeof(info_array)) @@ -908,6 +916,8 @@ def start_address(self): :type: :class:`int` """ if windows.current_process.bitness == 32 and self.owner.bitness == 64: + if windows.current_process._is_x86_on_arm64: + raise NotImplementedError("Crossing heaven gate x86 -> arm64 not implemented") res = ULONGLONG() windows.syswow64.NtQueryInformationThread_32_to_64(self.handle, ThreadQuerySetWin32StartAddress, byref(res), ctypes.sizeof(res)) return res.value 
From e3c6deeee786f592caf47311dafca5b7922266c6 Mon Sep 17 00:00:00 2001 From: hakril Date: Tue, 11 Feb 2025 14:37:44 +0100 Subject: [PATCH 57/70] Fix hang in test_getset_syswow_context on ARM64 --- tests/test_syswow.py | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/test_syswow.py b/tests/test_syswow.py index 4a321dd2..8ea25611 100644 --- a/tests/test_syswow.py +++ b/tests/test_syswow.py @@ -59,6 +59,7 @@ def test_remote_pebsyswow(self, proc32): assert "Wow64LdrpInitialize" in wow64.pe.exports + @process_architecture_only(gdef.IMAGE_FILE_MACHINE_AMD64) def test_getset_syswow_context(self, proc32): addr = proc32.virtual_alloc(0x1000) remote_python_code = """ From a418035e1e49f7174c10058e33c4f466b26b51cd Mon Sep 17 00:00:00 2001 From: hakril Date: Tue, 11 Feb 2025 15:37:09 +0100 Subject: [PATCH 58/70] More test stability --- tests/test_syswow.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tests/test_syswow.py b/tests/test_syswow.py index 8ea25611..c857d7eb 100644 --- a/tests/test_syswow.py +++ b/tests/test_syswow.py @@ -1,6 +1,8 @@ -import pytest +import time import textwrap +import pytest + import windows import windows.generated_def as gdef import windows.native_exec.simple_x86 as x86 @@ -108,7 +110,6 @@ def loop_query_ppid(proc, target_ppid): assert proc.read_memory(i.BaseAddress, 0x1000) # assert False, "LOL" except Exception as e: - # import traceback; traceback.print( threads_error[windows.current_thread.tid] = e raise return True @@ -122,6 +123,7 @@ def test_syswow_call_multithread(): # Old version of PFW did not handled that thus generating invalid result / crash for tnb in range(10): new_proc = windows.test.pop_proc_64() + time.sleep(0.1) new_proc_pid = new_proc.ppid all_procs.append(new_proc) t = threading.Thread(target=loop_query_ppid, args=(new_proc, new_proc_pid)) From ebded59c43c8136e090774cc211d78bdfa4904da Mon Sep 17 00:00:00 2001 
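Review bot: `time.sleep(0.1)` after `windows.test.pop_proc_64()` in test_syswow_call_multithread waits a fixed delay before `new_proc.ppid` is read, which trades a start-up race for timing-dependent flakiness on a slower emulated host. A bounded retry loop around the `new_proc.ppid` read is deterministic, and even the sleep deserves a line such as `# give the child time to initialise before querying it through the syswow path` so the next reader knows what it is waiting for; I cannot see from the hunk which exception the early read produces. The loop body continues outside the hunk.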
From: hakril Date: Tue, 11 Feb 2025 17:12:22 +0100 Subject: [PATCH 59/70] More test stability for ARM64 --- tests/pfwtest.py | 3 +++ tests/test_syswow.py | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/tests/pfwtest.py b/tests/pfwtest.py index e0fad45d..8357c6a3 100644 --- a/tests/pfwtest.py +++ b/tests/pfwtest.py @@ -28,6 +28,9 @@ def process_architecture_only(target_archi): return pytest.mark.skipif(windows.current_process.architecture != target_archi, reason="Test for {0} architecture process only".format(target_archi)) +def system_architecture_only(target_archi): + return pytest.mark.skipif(windows.system.architecture != target_archi, + reason="Test for {0} architecture system only".format(target_archi)) check_for_gc_garbage = pytest.mark.usefixtures("check_for_gc_garbage") check_for_handle_leak = pytest.mark.usefixtures("check_for_handle_leak") diff --git a/tests/test_syswow.py b/tests/test_syswow.py index c857d7eb..56c7014c 100644 --- a/tests/test_syswow.py +++ b/tests/test_syswow.py @@ -61,7 +61,7 @@ def test_remote_pebsyswow(self, proc32): assert "Wow64LdrpInitialize" in wow64.pe.exports - @process_architecture_only(gdef.IMAGE_FILE_MACHINE_AMD64) + @system_architecture_only(gdef.PROCESSOR_ARCHITECTURE_AMD64) def test_getset_syswow_context(self, proc32): addr = proc32.virtual_alloc(0x1000) remote_python_code = """ From 16e10af8d8a7fccdffb70a49d217f63896c09033 Mon Sep 17 00:00:00 2001 From: hakril Date: Tue, 11 Feb 2025 17:41:19 +0100 Subject: [PATCH 60/70] Testing ARM64 CI continue-on-error --- .github/workflows/tests.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 9cf2cf4b..c09018a6 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -99,6 +99,7 @@ jobs: needs: generate_ctypes timeout-minutes: 15 runs-on: windows-ARM64 + continue-on-error: true strategy: fail-fast: false From 1ad456049a13e4626d2358194ed826cbcabcae4a Mon Sep 17 00:00:00 2001 
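Review bot: process_architecture_only and system_architecture_only have no docstrings and take different constant families: the first compares `windows.current_process.architecture`, used with `gdef.IMAGE_FILE_MACHINE_*` values elsewhere in this series, the second compares `windows.system.architecture`, used here with `gdef.PROCESSOR_ARCHITECTURE_AMD64`, and the test_syswow hunk in this very patch is a correction of exactly that mix-up. A one-line docstring on each, e.g. `"""Skip unless windows.system.architecture == target_archi (a gdef.PROCESSOR_ARCHITECTURE_* value)."""` and the IMAGE_FILE_MACHINE counterpart on the process variant, makes the distinction visible at the call site.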
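Review bot: `continue-on-error: true` makes the tests_arm64 job report success whatever pytest returns, so once merged the ARM64 suite can regress without the workflow turning red and regressions have to be spotted by eye in the run log. If this is a temporary measure while the suite is stabilised, record that next to it, e.g. `continue-on-error: true  # TODO(arm64): remove once the ARM64 matrix is green`. `runs-on: windows-ARM64` is only context here, but if that label maps to a self-hosted runner it executes pull-request code, so the job's triggers and the runner's isolation are worth confirming.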
From: hakril Date: Tue, 11 Feb 2025 18:24:46 +0100 Subject: [PATCH 61/70] Improve stubborn stability on Windows 17763 --- windows/rpc/stubborn.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/windows/rpc/stubborn.py b/windows/rpc/stubborn.py index 30f7ffea..22d86520 100644 --- a/windows/rpc/stubborn.py +++ b/windows/rpc/stubborn.py @@ -62,10 +62,14 @@ def stubborn_create_instance(clsid, iid): # resolver_info.OxidInfo.containerVersion.version is part of OxidInfo.ipidRemUnknown on PPRIV_RESOLVER_INFO_LEGACY # And this part of ipidRemUnknown is a PID # So a good value to check for > 3 :) + # On 2019 IT IS NOT :( as it's its own struct. So I will hardcod this one. # Bad alignemetn of containerVersion -> its an older version - if resolver_info.OxidInfo.containerVersion.version > 3: - dcomversionstruct = resolver_info.OxidInfo.dcomVersion + dcomversionstruct = resolver_info.OxidInfo.dcomVersion + if windows.system.build_number == 17763: + resolver_info = ctypes.cast(rpiv_infoptr, gdef.PPRIV_RESOLVER_INFO_17763)[0] + elif resolver_info.OxidInfo.containerVersion.version > 3: # If 5,7 -> good alignement of dcomversion so we know its PRIV_RESOLVER_INFO_17763 + # Should never happen as its now covered by the `windows.system.build_number == 17763` check dcomversion = (dcomversionstruct.MajorVersion, dcomversionstruct.MinorVersion) if dcomversion == (5, 7): resolver_info = ctypes.cast(rpiv_infoptr, gdef.PPRIV_RESOLVER_INFO_17763)[0] From 8a14cc5b3a616742f9dfa8b4319b0fc74af61949 Mon Sep 17 00:00:00 2001 From: hakril Date: Wed, 12 Feb 2025 09:51:56 +0100 Subject: [PATCH 62/70] Automatic xfail on python injection for ARM64 target process --- tests/pfwtest.py | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/tests/pfwtest.py b/tests/pfwtest.py index 8357c6a3..473a3f2a 100644 --- a/tests/pfwtest.py +++ b/tests/pfwtest.py 
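Review bot: The new comment `# Should never happen as its now covered by the ... check` sits above `dcomversion = (...)`, which still runs for every build other than 17763 whose `containerVersion.version > 3`; if the intent is that only the `(5, 7)` match is now unreachable, the comment belongs on the `if dcomversion == (5, 7):` line, otherwise the branch should say what it still handles. Hoisting `dcomversionstruct = resolver_info.OxidInfo.dcomVersion` above the `if` is unnecessary since it is only read in the `elif`, and after the 17763 cast it still refers to the old layout, so keeping it inside the `elif` avoids later confusion. The exact `windows.system.build_number == 17763` match also deserves a comment naming the Windows release it stands for, since any sibling build falls through to the heuristic. The function continues outside the hunk.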
@@ -32,6 +32,17 @@ def system_architecture_only(target_archi): return pytest.mark.skipif(windows.system.architecture != target_archi, reason="Test for {0} architecture system only".format(target_archi)) +@pytest.fixture(scope="function") +def check_cross_heaven_gate_arm64_xfail(request): + """Mark test crossing the heaven gate as xfail on x86 to arm64""" + if windows.current_process._is_x86_on_arm64: + request.applymarker("xfail") + +def cross_heaven_gates(tstfunc): + tstfunc = pytest.mark.usefixtures("check_cross_heaven_gate_arm64_xfail")(tstfunc) + tstfunc = pytest.mark.cross_heaven_gate(tstfunc) + return tstfunc + check_for_gc_garbage = pytest.mark.usefixtures("check_for_gc_garbage") check_for_handle_leak = pytest.mark.usefixtures("check_for_handle_leak") @@ -62,6 +73,9 @@ def check_injected_python_installed(request): proc = request.getfixturevalue(procparam) if not windows.injection.find_python_dll_to_inject(proc.bitness): pytest.skip("Python {0}b not installed -> skipping test with python injection into {0}b process".format(proc.bitness)) + # xfail ARM64 injection as its not implemented + if proc.architecture == gdef.IMAGE_FILE_MACHINE_ARM64: + request.applymarker("xfail") return None From be935b0f68e68eec8db812e5b94c195e397b28df Mon Sep 17 00:00:00 2001 From: hakril Date: Wed, 12 Feb 2025 10:26:41 +0100 Subject: [PATCH 63/70] Improve test marking --- .github/workflows/tests.yml | 2 +- tests/conftest.py | 2 -- tests/pfwtest.py | 15 +++++++++++++-- tests/test_handle.py | 4 +++- tests/test_injection.py | 5 ++++- tests/test_process.py | 6 +++++- 6 files changed, 26 insertions(+), 8 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index c09018a6..f4707d7f 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml 
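Review bot: `request.applymarker("xfail")` in check_cross_heaven_gate_arm64_xfail, and again in check_injected_python_installed in the second hunk, applies a bare xfail with no reason, so the summary cannot distinguish an ARM64 limitation from any other expected failure, and the non-strict default means that once heaven-gate crossing is implemented the tests silently XPASS and keep the marker. `request.applymarker(pytest.mark.xfail(reason="x86 -> arm64 heaven gate crossing not implemented", strict=True))` addresses both. `pytest.mark.cross_heaven_gate` is a custom marker and must be registered (for instance in conftest's pytest_configure) or pytest emits PytestUnknownMarkWarning and fails under `--strict-markers`; I cannot see from this hunk whether that is done.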
@@ -125,4 +125,4 @@ jobs: run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -c "import windows; print(windows)" - name: Arm64 pytests - run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -m pytest tests -k "not test_debugger" -v -s + run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -m pytest tests -k "not test_debugger" -v -s -r fEsx diff --git a/tests/conftest.py b/tests/conftest.py index 7dfb5203..34e5e07a 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -159,11 +159,9 @@ def pytest_configure(config): @pytest.hookimpl(hookwrapper=True, trylast=True) def pytest_runtest_makereport(item, call): outcome = yield - # print("Make report {0} | {1}".format(item, call)) if call.when == "teardown" and call.excinfo and type(call.excinfo.value) == NoLeakAssert: x = outcome.get_result() x.outcome = "failed" - # import pdb;pdb.set_trace() x.LEAK = call.excinfo.value.args[0] diff --git a/tests/pfwtest.py b/tests/pfwtest.py index 473a3f2a..578faac0 100644 --- a/tests/pfwtest.py +++ b/tests/pfwtest.py 
@@ -73,13 +73,24 @@ def check_injected_python_installed(request): proc = request.getfixturevalue(procparam) if not windows.injection.find_python_dll_to_inject(proc.bitness): pytest.skip("Python {0}b not installed -> skipping test with python injection into {0}b process".format(proc.bitness)) + return None + +@pytest.fixture +def check_dll_injection_target_architecture(request): + # Find the process parameter + procparams = [argname for argname in request.fixturenames if argname.startswith("proc")] + if len(procparams) != 1: + raise ValueError("Could not find the fixture name of the injected python") + procparam = procparams[0] + proc = request.getfixturevalue(procparam) # xfail ARM64 injection as its not implemented if proc.architecture == gdef.IMAGE_FILE_MACHINE_ARM64: request.applymarker("xfail") - return None -python_injection = pytest.mark.usefixtures("check_injected_python_installed") + +dll_injection = pytest.mark.usefixtures("check_dll_injection_target_architecture") +python_injection = pytest.mark.usefixtures("check_dll_injection_target_architecture", "check_injected_python_installed") ## P2 VS PY3 diff --git a/tests/test_handle.py b/tests/test_handle.py index 8008d7c2..c39c1d03 100644 --- a/tests/test_handle.py +++ b/tests/test_handle.py @@ -1,6 +1,8 @@ import windows import windows.pipe +from .pfwtest import * + def test_handle_process_id(): handle_with_process = [h for h in windows.system.handles if h.dwProcessId] handle = handle_with_process[-1] @@ -19,8 +21,8 @@ def test_local_handle_type(): PIPE_NAME = "PFW_Test_handle_Pipe" TEST_FILE_FOR_HANDLE = r"C:\Windows\explorer.exe" +@python_injection def test_remote_handle_type_and_name(proc32_64): - # tmpfile proc32_64.execute_python("import windows; import windows.pipe") # A filename that a normal process should not have a handle on (to be sur) proc32_64.execute_python(r"""f = open(r"(unknown)")""".format(filename=TEST_FILE_FOR_HANDLE)) 
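Review bot: check_dll_injection_target_architecture copies the fixture-name lookup from check_injected_python_installed together with its error text, so a DLL-injection test with zero or two `proc*` fixtures now fails with `Could not find the fixture name of the injected python`, which is misleading for a test that injects no Python. Extracting the lookup into a helper such as a constructed `_target_proc_from_request(request)` used by both fixtures removes the duplication and lets the message say `injection target`. The `request.applymarker("xfail")` here also carries no reason; `pytest.mark.xfail(reason="DLL injection into ARM64 targets not implemented")` makes the summary self-explaining.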
diff --git a/tests/test_injection.py b/tests/test_injection.py index 7008e07e..bbf99b41 100644 --- a/tests/test_injection.py +++ b/tests/test_injection.py @@ -10,7 +10,7 @@ import windows.generated_def as gdef from .conftest import pop_proc_32, pop_proc_64 -from .pfwtest import DEFAULT_CREATION_FLAGS +from .pfwtest import DEFAULT_CREATION_FLAGS, dll_injection @pytest.fixture(params= [(pop_proc_32, DEFAULT_CREATION_FLAGS), @@ -34,17 +34,20 @@ def proc_3264_runsus(request): del proc # Its really the same test as test_process.test_load_library but with suspended process as well +@dll_injection def test_dll_injection(proc_3264_runsus): assert (not proc_3264_runsus.peb.Ldr) or ("wintrust.dll" not in [mod.name for mod in proc_3264_runsus.peb.modules]) modaddr = windows.injection.load_dll_in_remote_process(proc_3264_runsus, "wintrust.dll") wintrustmod = [mod for mod in proc_3264_runsus.peb.modules if mod.name == "wintrust.dll"][0] assert wintrustmod.baseaddr == modaddr +@dll_injection def test_dll_injection_error_reporting(proc_3264_runsus): with pytest.raises(windows.injection.InjectionFailedError) as excinfo: windows.injection.load_dll_in_remote_process(proc_3264_runsus, "NO_A_DLL.dll") assert excinfo.value.__cause__.winerror == gdef.ERROR_MOD_NOT_FOUND +@dll_injection def test_dll_injection_access_denied(proc_3264_runsus, tmpdir): """Emulate injection of MsStore python, were its DLL are not executable by any other append See: https://github.com/hakril/PythonForWindows/issues/72 diff --git a/tests/test_process.py b/tests/test_process.py index db8b0015..0ffe322f 100644 --- a/tests/test_process.py +++ b/tests/test_process.py @@ -214,6 +214,7 @@ def test_execute_python(self, proc32_64): dword = proc32_64.read_dword(addr) assert dword == 0x42424242 + @python_injection def test_execute_python_good_version(self, proc32_64): PIPE_NAME = "PFW_TEST_Pipe" rcode = r"""import sys; import windows; import windows.pipe; windows.pipe.send_object("{pipe}", list(sys.version_info))""" 
@@ -293,6 +294,7 @@ def test_execute_python_raises(self, proc32_64): # Check the RemotePythonError contains the remote exception text assert b"ValueError: EXCEPTION_MESSAGE" in ar.value.args[0] + @python_injection def test_execute_python_create_console(self, proc32_64): res = proc32_64.execute_python("import windows; windows.utils.create_console()") @@ -370,17 +372,19 @@ def test_set_thread_context_64(self, proc64): time.sleep(0.1) assert t.exit_code == 0x11223344 - + @dll_injection def test_load_library(self, proc32_64): DLL = "wintrust.dll" proc32_64.load_library(DLL) assert DLL in [m.name for m in proc32_64.peb.modules] + @dll_injection def test_load_library_suspended(self, proc32_64_suspended): DLL = "wintrust.dll" proc32_64_suspended.load_library(DLL) assert DLL in [m.name for m in proc32_64_suspended.peb.modules] + @dll_injection def test_load_library_unicode_name(self, proc32_64, tmpdir): mybitness = windows.current_process.bitness UNICODE_FILENAME = u'\u4e2d\u56fd\u94f6\u884c\u7f51\u94f6\u52a9\u624b.dll' From 83af73a8721d06d5556c010e701f019dc40aa9a6 Mon Sep 17 00:00:00 2001 From: hakril Date: Wed, 12 Feb 2025 12:18:38 +0100 Subject: [PATCH 64/70] Fix tests\test_injection.py --- tests/test_injection.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test_injection.py b/tests/test_injection.py index bbf99b41..fd388481 100644 --- a/tests/test_injection.py +++ b/tests/test_injection.py @@ -10,7 +10,7 @@ import windows.generated_def as gdef from .conftest import pop_proc_32, pop_proc_64 -from .pfwtest import DEFAULT_CREATION_FLAGS, dll_injection +from .pfwtest import * @pytest.fixture(params= [(pop_proc_32, DEFAULT_CREATION_FLAGS), From 45b781b96cd5b701e5e37bcb5b1ae83e5079b826 Mon Sep 17 00:00:00 2001 From: hakril Date: Thu, 13 Feb 2025 20:53:03 +0100 Subject: [PATCH 65/70] Still playing with xfail identification for arm64 tests --- tests/conftest.py | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/tests/conftest.py b/tests/conftest.py index 34e5e07a..e99bd232 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -44,6 +44,9 @@ def generate_pop_and_exit_fixtures(proc_popers, ids=[], dwCreationFlags=DEFAULT_ def pop_and_exit_process(request): proc_poper = request.param proc = proc_poper(dwCreationFlags=dwCreationFlags) + # Apply manually the xfail marker for a test on x86_on_arm64 for pe64 target (cross-heaven gate) + if windows.current_process._is_x86_on_arm64 and proc.bitness == 64: + request.applymarker("xfail") # Cross Heaven gate time.sleep(0.2) # Give time to the process to load :) print("Created {0} ({1}bits) for test".format(proc, proc.bitness)) yield weakref.proxy(proc) # provide the fixture value From 11665c4608fdfe0ae3f604bc9f2357f4a2d3a864 Mon Sep 17 00:00:00 2001 From: hakril Date: Fri, 14 Feb 2025 16:52:04 +0100 Subject: [PATCH 66/70] More xfail for ARM64 -> @cross_heaven_gates --- tests/test_handle.py | 3 ++- tests/test_parse_pe.py | 4 +++- tests/test_process.py | 4 ++++ tests/test_system.py | 3 +++ tests/test_system_modules.py | 3 +++ tests/test_syswow.py | 1 + tests/test_wmi.py | 1 + 7 files changed, 17 insertions(+), 2 deletions(-) diff --git a/tests/test_handle.py b/tests/test_handle.py index c39c1d03..feda7818 100644 --- a/tests/test_handle.py +++ b/tests/test_handle.py @@ -3,13 +3,14 @@ from .pfwtest import * +@cross_heaven_gates # windows.system.handles def test_handle_process_id(): handle_with_process = [h for h in windows.system.handles if h.dwProcessId] handle = handle_with_process[-1] proc = handle.process assert proc.pid == handle.dwProcessId == handle.pid - +@cross_heaven_gates # windows.current_process.handles def test_local_handle_type(): t = windows.current_process.threads[0] th = t.handle diff --git a/tests/test_parse_pe.py b/tests/test_parse_pe.py index 91b1ed01..fa88f790 100644 --- a/tests/test_parse_pe.py +++ b/tests/test_parse_pe.py 
@@ -16,6 +16,7 @@ def pe(request): pop_proc = request.param proc = pop_proc() + for i in range(10): try: time.sleep(0.1) @@ -91,7 +92,7 @@ def test_pe_parsing_strange_optional_header_size(tmp_path, proc32): # Also check that section retrieval works (as its position is based on OptionalHeader Size) assert set(s.name for s in mod.pe.sections) == {".text", ".data", ".l1"} -# Make a test from current_process parsing ? +@dll_injection def test_pe_parsing_dotnet32_process_64(proc64, pe_dotnet32): # .NET pe32 loadable in 64bit process -> rewrite of the OptionalHeader mod = proc64.load_library(pe_dotnet32) @@ -108,6 +109,7 @@ def test_pe_parsing_dotnet32_process_64(proc64, pe_dotnet32): assert mod.pe.sections assert ".text" in set(s.name for s in mod.pe.sections) +@dll_injection def test_pe_parsing_dotnet32_current_process_64(proc64, pe_dotnet32): # .NET pe32 loadable in 64bit process -> rewrite of the OptionalHeader # So we injecte python code in a the remote proc64 to test the parsing from itself diff --git a/tests/test_process.py b/tests/test_process.py index 0ffe322f..10f80cd3 100644 --- a/tests/test_process.py +++ b/tests/test_process.py @@ -487,10 +487,12 @@ def test_current_thread_teb(self): # Check type of teb.peb is the correct subclass (with modules & co) assert teb.peb.modules + @cross_heaven_gates def test_thread_teb_base(self, proc32_64): t = proc32_64.threads[0] assert t.teb_base != 0 + @cross_heaven_gates def test_teb(self, proc32_64): teb = proc32_64.threads[0].teb if proc32_64.bitness == 32: @@ -503,6 +505,7 @@ def test_teb(self, proc32_64): assert teb.peb.modules @windows_64bit_only + @cross_heaven_gates def test_thread_teb_syswow_base(self, proc32): t = proc32.threads[0] assert t.teb_base != 0 
@@ -510,6 +513,7 @@ def test_thread_teb_syswow_base(self, proc32): assert t.teb_base == t.teb_syswow_base + 0x2000 @windows_64bit_only + @cross_heaven_gates def test_thread_teb_syswow(self, proc32): teb_syswow = proc32.threads[0].teb_syswow assert type(teb_syswow) == windows.winobject.process.RemoteTEB64 diff --git a/tests/test_system.py b/tests/test_system.py index 09bb5022..ecd07a86 100644 --- a/tests/test_system.py +++ b/tests/test_system.py @@ -51,6 +51,7 @@ def test_logicaldrives(self): def test_wmi(self): assert windows.system.wmi is not None + @cross_heaven_gates def test_handles(self): assert windows.system.handles @@ -66,6 +67,7 @@ def test_task_scheduler(self): def test_task_object_manager(self): assert windows.system.object_manager + @cross_heaven_gates def test_system_modules_ntosk(self): # NtQuerySystemInformation(gdef.SystemModuleInformation) returns CHAR so not unicode # Another Nt API that returns unicode ? @@ -83,6 +85,7 @@ def test_processes(self): assert windows.current_process.pid in [p.pid for p in procs] assert is_unicode(windows.system.processes[0].name) + @cross_heaven_gates def test_system_modules(self): assert windows.system.modules diff --git a/tests/test_system_modules.py b/tests/test_system_modules.py index 352bd4d6..480a03e9 100644 --- a/tests/test_system_modules.py +++ b/tests/test_system_modules.py @@ -1,6 +1,9 @@ import windows import ctypes +from pfwtest import * + +@cross_heaven_gates def test_system_module_gc(): # Test for issue 12 (Py3) # https://github.com/hakril/PythonForWindows/issues/12 diff --git a/tests/test_syswow.py b/tests/test_syswow.py index 56c7014c..b1ac1d52 100644 --- a/tests/test_syswow.py +++ b/tests/test_syswow.py @@ -52,6 +52,7 @@ def test_self_pebsyswow(self): @python_injection @windows_64bit_only class TestSyswowRemoteProcess(object): + @cross_heaven_gates def test_remote_pebsyswow(self, proc32): peb64 = proc32.peb_syswow modules_names = [m.name for m in peb64.modules] 
diff --git a/tests/test_wmi.py b/tests/test_wmi.py index a65a3f5f..943edfa8 100644 --- a/tests/test_wmi.py +++ b/tests/test_wmi.py @@ -75,6 +75,7 @@ def test_get_object(name, cls): # Todo: test # - put_instance +@cross_heaven_gates # proc.peb.commandline.str == cmdline @pytest.mark.parametrize("cmdline", [r"winver.exe test_string_pfw"]) def test_exec_method_Win32_Process_create(cmdline): namespace = windows.system.wmi["root\\cimv2"] From b4c0223377f2c6dedfa309e1094a4ec3050c62ec Mon Sep 17 00:00:00 2001 From: hakril Date: Fri, 14 Feb 2025 17:01:00 +0100 Subject: [PATCH 67/70] Fix typo in test import --- tests/test_system_modules.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test_system_modules.py b/tests/test_system_modules.py index 480a03e9..150973c4 100644 --- a/tests/test_system_modules.py +++ b/tests/test_system_modules.py @@ -1,7 +1,7 @@ import windows import ctypes -from pfwtest import * +from .pfwtest import * @cross_heaven_gates def test_system_module_gc(): From 8eb3384fcf100934f1072715150535f67a84630d Mon Sep 17 00:00:00 2001 From: hakril Date: Fri, 14 Feb 2025 18:52:22 +0100 Subject: [PATCH 68/70] Change test exe to msiexec.exe + pop_proc64 force machine AMD64 with PROC_THREAD_ATTRIBUTE_MACHINE_TYPE --- tests/conftest.py | 5 ++++- tests/pfwtest.py | 10 +++++++--- tests/test_parse_pe.py | 8 +++++--- windows/utils/winutils.py | 31 +++++++++++++++++++++++++++---- 4 files changed, 43 insertions(+), 11 deletions(-) diff --git a/tests/conftest.py b/tests/conftest.py index e99bd232..11c302d4 100644 --- a/tests/conftest.py +++ b/tests/conftest.py 
@@ -30,8 +30,11 @@ def pop_proc_64(dwCreationFlags=DEFAULT_CREATION_FLAGS): assert p.bitness == 64 return p else: + # Force creation of AMD64 process on arm system + # TODO: also pop an ARM64 process when code works better with it + machine = gdef.IMAGE_FILE_MACHINE_AMD64 if windows.system.architecture == gdef.PROCESSOR_ARCHITECTURE_ARM64 else None def pop_proc_64(dwCreationFlags=DEFAULT_CREATION_FLAGS): - p = windows.utils.create_process(r"C:\Windows\system32\{0}".format(test_binary_name).encode("ascii"), dwCreationFlags=dwCreationFlags, show_windows=True) + p = windows.utils.create_process(r"C:\Windows\system32\{0}".format(test_binary_name).encode("ascii"), dwCreationFlags=dwCreationFlags, show_windows=True, machine=machine) assert p.bitness == 64 return p diff --git a/tests/pfwtest.py b/tests/pfwtest.py index 578faac0..cc353afc 100644 --- a/tests/pfwtest.py +++ b/tests/pfwtest.py @@ -46,7 +46,11 @@ def cross_heaven_gates(tstfunc): check_for_gc_garbage = pytest.mark.usefixtures("check_for_gc_garbage") check_for_handle_leak = pytest.mark.usefixtures("check_for_handle_leak") -test_binary_name = "winver.exe" +# msiexec.exe is new best choice: +# - a real process (looking at calc.exe) +# - GUI and wait for a click to close when no param +# - Is ARM64CE on arm -> can be exec as AMD64 or ARM64 with `machine`` param +test_binary_name = "msiexec.exe" DEFAULT_CREATION_FLAGS = gdef.CREATE_NEW_CONSOLE @@ -89,8 +93,8 @@ def check_dll_injection_target_architecture(request): -dll_injection = pytest.mark.usefixtures("check_dll_injection_target_architecture") -python_injection = pytest.mark.usefixtures("check_dll_injection_target_architecture", "check_injected_python_installed") +dll_injection = pytest.mark.usefixtures("check_dll_injection_target_architecture", "check_cross_heaven_gate_arm64_xfail") +python_injection = pytest.mark.usefixtures("check_dll_injection_target_architecture", "check_injected_python_installed", "check_cross_heaven_gate_arm64_xfail") ## P2 VS PY3 
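Review bot: The comment block above the new `test_binary_name = "msiexec.exe"` misspells the property it relies on: a binary that can be started as either AMD64 or ARM64 on an ARM host is ARM64EC, so the line should read `# - Is ARM64EC on arm -> can be exec as AMD64 or ARM64 with the machine param` (the stray double backtick after machine is a typo too). msiexec.exe started with no arguments shows a dialog and waits for a click, which is the point, but the hunk does not show the teardown that terminates it, so presumably the pop_proc_* callers already kill the process — worth confirming so CI runners are not left with stray installer processes. The `check_cross_heaven_gate_arm64_xfail` fixture now listed in `dll_injection` and `python_injection` is not defined in this hunk, so its presence in conftest/pfwtest cannot be verified from here.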
diff --git a/tests/test_parse_pe.py b/tests/test_parse_pe.py index fa88f790..728c54d1 100644 --- a/tests/test_parse_pe.py +++ b/tests/test_parse_pe.py @@ -9,9 +9,10 @@ @pytest.fixture(params=[None, pop_proc_32, pop_proc_64], ids=["local-pe", "remote-pe32", "remote-pe64"]) def pe(request): - # Pe will be kernelbase.dll + # Pe will be kernelbase.dll or kernel32.dll + # Cannot hardcode peb.modules[2] as it may be xtajitX.dll on arm64 if request.param is None: - yield windows.current_process.peb.modules[2].pe + yield [mod for mod in windows.current_process.peb.modules if mod.name.lower().startswith("kernel")][0].pe return pop_proc = request.param @@ -20,7 +21,8 @@ def pe(request): for i in range(10): try: time.sleep(0.1) - yield proc.peb.modules[2].pe + # Pe will be kernelbase.dll or kernel32.dll + yield [mod for mod in windows.current_process.peb.modules if mod.name.lower().startswith("kernel")][0].pe break except ValueError: if i == 9: diff --git a/windows/utils/winutils.py b/windows/utils/winutils.py index 7121702d..8b5c0ef1 100644 --- a/windows/utils/winutils.py +++ b/windows/utils/winutils.py 
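Review bot: The new `yield` in the second hunk (remote branch) reads `windows.current_process.peb.modules` where the removed line read `proc.peb.modules`, so the remote-pe32/remote-pe64 parametrizations now yield a kernel module PE from the test process itself instead of from the spawned process; the line should be `yield [mod for mod in proc.peb.modules if mod.name.lower().startswith("kernel")][0].pe`. With that fixed, the surrounding retry loop (kept for a remote PEB whose module list is not yet populated) only catches `ValueError`, while an empty comprehension result raises `IndexError` at `[0]`, so `except ValueError:` should become `except (ValueError, IndexError):` for the retry to have any effect. The `pe` fixture begins in the first hunk and its tail (`if i == 9:` onward) runs past the second.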
@@ -73,14 +73,35 @@ def create_console(): sys.stderr = console_stderr -def create_process(path, args=None, dwCreationFlags=0, show_windows=True): - """A convenient wrapper arround :func:`windows.winproxy.CreateProcessW`""" +def create_process(path, args=None, dwCreationFlags=0, show_windows=True, machine=None): + """A convenient wrapper arround :func:`windows.winproxy.CreateProcessW` + ..note: + The machine param only works starting at vista and should be used on arm64 computer + """ proc_info = PROCESS_INFORMATION() + StartupInfo = None lpStartupInfo = None + + if machine is not None: + buffer = ctypes.create_string_buffer(0x100) + size = gdef.DWORD64(len(buffer)) + machine = gdef.WORD(machine) + windows.winproxy.InitializeProcThreadAttributeList(buffer, 1, 0, size) + windows.winproxy.UpdateProcThreadAttribute(buffer, 0, gdef.PROC_THREAD_ATTRIBUTE_MACHINE_TYPE, ctypes.addressof(machine), ctypes.sizeof(machine), None, None) + + startup_infoex = gdef.STARTUPINFOEXW() + startup_infoex.StartupInfo.cb = ctypes.sizeof(gdef.STARTUPINFOEXW) + startup_infoex.lpAttributeList = ctypes.cast(buffer, gdef.PVOID) + StartupInfo = startup_infoex.StartupInfo + + dwCreationFlags |= gdef.EXTENDED_STARTUPINFO_PRESENT + if show_windows: - StartupInfo = STARTUPINFOW() - StartupInfo.cb = ctypes.sizeof(StartupInfo) + if StartupInfo is None: + StartupInfo = STARTUPINFOW() + StartupInfo.cb = ctypes.sizeof(StartupInfo) StartupInfo.dwFlags = 0 + if StartupInfo: lpStartupInfo = ctypes.byref(StartupInfo) lpCommandLine = None if isinstance(path, bytes): 
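Review bot: The attribute-list size on the new line `buffer = ctypes.create_string_buffer(0x100)` is a guess rather than the size the API reports; the documented pattern is to call `InitializeProcThreadAttributeList` once with a NULL list and the attribute count so that `size` receives the required length, then allocate `create_string_buffer(size.value)` and call it again with the real buffer. `size` is declared as `gdef.DWORD64` although the parameter is a SIZE_T pointer; that is harmless on a 64-bit interpreter but the types differ on a 32-bit one, so presumably winproxy tolerates it — worth checking. The new docstring's `..note:` is not a valid reStructuredText directive (it needs `.. note::` followed by a blank line), and the statement that machine works "starting at vista" describes the attribute-list API, not `PROC_THREAD_ATTRIBUTE_MACHINE_TYPE`, which is an ARM64EC-era addition and considerably newer — the docstring should state the actual Windows requirement. The function body continues past the hunk.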
@@ -97,6 +118,8 @@ def create_process(path, args=None, dwCreationFlags=0, show_windows=True): dbgprint("CreateProcessW new thread handle {:#x}".format(proc_info.hThread), "HANDLE") dbgprint("Automatic close of thread handle {:#x}".format(proc_info.hThread), "HANDLE") windows.winproxy.CloseHandle(proc_info.hThread) # Give access to a WinThread in addition of the WinProcess ? + if machine: + windows.winproxy.DeleteProcThreadAttributeList(buffer) return windows.winobject.process.WinProcess(pid=proc_info.dwProcessId, handle=proc_info.hProcess) From 6c588cf723973063f433de8a853864113350fc95 Mon Sep 17 00:00:00 2001 From: hakril Date: Thu, 6 Mar 2025 10:30:00 +0100 Subject: [PATCH 69/70] Improve thread CONTEXT defitions + ARM64_CONTEXT --- .../definitions/defines/thread_context.txt | 61 + .../definitions/defines/windef.txt | 16 - .../definitions/structures/thread_context.txt | 347 +++ .../definitions/structures/winstruct.txt | 227 +- docs/source/windef_generated.rst | 52 +- docs/source/winstructs_generated.rst | 2083 ++++++++--------- windows/generated_def/meta.py | 36 +- windows/generated_def/windef.py | 52 +- windows/generated_def/winstructs.py | 535 +++-- 9 files changed, 1864 insertions(+), 1545 deletions(-) create mode 100644 ctypes_generation/definitions/defines/thread_context.txt create mode 100644 ctypes_generation/definitions/structures/thread_context.txt diff --git a/ctypes_generation/definitions/defines/thread_context.txt b/ctypes_generation/definitions/defines/thread_context.txt new file mode 100644 index 00000000..5c0d2ab5 --- /dev/null +++ b/ctypes_generation/definitions/defines/thread_context.txt 
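Review bot: `windows.winproxy.DeleteProcThreadAttributeList(buffer)` is only reached on the success path; if the `CreateProcessW` call that sits between this hunk and the previous one raises, the attribute list initialised earlier is never deleted, so the initialise/delete pair should become a `try`/`finally` around the CreateProcessW call. The guard also changed shape between the two hunks: the earlier one tests `machine is not None` and then rebinds `machine` to a `gdef.WORD`, so `if machine:` here depends on the ctypes truthiness of that WORD and skips the delete for a zero machine value; `if machine is not None:` matches the earlier check. create_process starts in the previous hunk.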
@@ -0,0 +1,61 @@ +// Atrget architecture description + +#define CONTEXT_I386 0x00010000 // An old PFW error in case ? +#define CONTEXT_AMD64 0x00100000 +#define CONTEXT_ARM 0x00200000 +#define CONTEXT_ARM64 0x00400000 +#define CONTEXT_i386 0x00010000L // this assumes that i386 and +#define CONTEXT_i486 0x00010000L // i486 have identical context records +#define WOW64_CONTEXT_i386 0x00010000 // this assumes that i386 and +#define WOW64_CONTEXT_i486 0x00010000 // i486 have identical context records + +// Not perfect, should be explicitly for an architecture + +#define CONTEXT_CONTROL 0x00000001L +#define CONTEXT_INTEGER 0x00000002L +#define CONTEXT_SEGMENTS 0x00000004L +#define CONTEXT_FLOATING_POINT 0x00000008L +#define CONTEXT_DEBUG_REGISTERS 0x00000010L +#define CONTEXT_EXTENDED_REGISTERS 0x00000020L +#define CONTEXT_FULL (CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS) +#define CONTEXT_ALL (CONTEXT_FULL | CONTEXT_FLOATING_POINT | CONTEXT_DEBUG_REGISTERS | CONTEXT_EXTENDED_REGISTERS) + +#define CONTEXT_XSTATE (CONTEXT_I386 | 0x00000040L) + +// WOW64 + + + +#define WOW64_CONTEXT_CONTROL (WOW64_CONTEXT_i386 | 0x00000001L) // SS:SP, CS:IP, FLAGS, BP +#define WOW64_CONTEXT_INTEGER (WOW64_CONTEXT_i386 | 0x00000002L) // AX, BX, CX, DX, SI, DI +#define WOW64_CONTEXT_SEGMENTS (WOW64_CONTEXT_i386 | 0x00000004L) // DS, ES, FS, GS +#define WOW64_CONTEXT_FLOATING_POINT (WOW64_CONTEXT_i386 | 0x00000008L) // 387 state +#define WOW64_CONTEXT_DEBUG_REGISTERS (WOW64_CONTEXT_i386 | 0x00000010L) // DB 0-3,6,7 +#define WOW64_CONTEXT_EXTENDED_REGISTERS (WOW64_CONTEXT_i386 | 0x00000020L) // cpu specific extensions + +#define WOW64_CONTEXT_FULL (WOW64_CONTEXT_CONTROL | WOW64_CONTEXT_INTEGER | WOW64_CONTEXT_SEGMENTS) + +#define WOW64_CONTEXT_ALL (WOW64_CONTEXT_CONTROL | WOW64_CONTEXT_INTEGER | WOW64_CONTEXT_SEGMENTS | \ + WOW64_CONTEXT_FLOATING_POINT | WOW64_CONTEXT_DEBUG_REGISTERS | \ + WOW64_CONTEXT_EXTENDED_REGISTERS) + +#define WOW64_CONTEXT_XSTATE (WOW64_CONTEXT_i386 | 
0x00000040L) + +#define WOW64_CONTEXT_EXCEPTION_ACTIVE 0x08000000 +#define WOW64_CONTEXT_SERVICE_ACTIVE 0x10000000 +#define WOW64_CONTEXT_EXCEPTION_REQUEST 0x40000000 +#define WOW64_CONTEXT_EXCEPTION_REPORTING 0x80000000 + +// ARM64 + +#define CONTEXT_ARM64_CONTROL (CONTEXT_ARM64 | 0x1L) +#define CONTEXT_ARM64_INTEGER (CONTEXT_ARM64 | 0x2L) +#define CONTEXT_ARM64_FLOATING_POINT (CONTEXT_ARM64 | 0x4L) +#define CONTEXT_ARM64_DEBUG_REGISTERS (CONTEXT_ARM64 | 0x8L) +#define CONTEXT_ARM64_X18 (CONTEXT_ARM64 | 0x10L) + +#define CONTEXT_UNWOUND_TO_CALL 0x20000000 +#define CONTEXT_RET_TO_GUEST 0x04000000 + +#define ARM64_MAX_BREAKPOINTS 8 +#define ARM64_MAX_WATCHPOINTS 2 \ No newline at end of file diff --git a/ctypes_generation/definitions/defines/windef.txt b/ctypes_generation/definitions/defines/windef.txt index 6595c2ee..cdea7922 100644 --- a/ctypes_generation/definitions/defines/windef.txt +++ b/ctypes_generation/definitions/defines/windef.txt @@ -130,22 +130,6 @@ #define TH32CS_SNAPALL (TH32CS_SNAPHEAPLIST | TH32CS_SNAPPROCESS | TH32CS_SNAPTHREAD | TH32CS_SNAPMODULE) #define TH32CS_INHERIT 0x80000000 -#define CONTEXT_I386 0x00010000 -#define CONTEXT_AMD64 0x00100000 -#define CONTEXT_ARM 0x00200000 -#define CONTEXT_ARM64 0x00400000 - -#define CONTEXT_CONTROL 0x00000001L -#define CONTEXT_INTEGER 0x00000002L -#define CONTEXT_SEGMENTS 0x00000004L -#define CONTEXT_FLOATING_POINT 0x00000008L -#define CONTEXT_DEBUG_REGISTERS 0x00000010L -#define CONTEXT_EXTENDED_REGISTERS 0x00000020L -#define CONTEXT_FULL (CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS) -#define CONTEXT_ALL (CONTEXT_FULL | CONTEXT_FLOATING_POINT | CONTEXT_DEBUG_REGISTERS | CONTEXT_EXTENDED_REGISTERS) - -#define CONTEXT_XSTATE (CONTEXT_I386 | 0x00000040L) - #define PAGE_NOACCESS 0x01 #define PAGE_READONLY 0x02 diff --git a/ctypes_generation/definitions/structures/thread_context.txt b/ctypes_generation/definitions/structures/thread_context.txt new file mode 100644 index 00000000..ac22e1f6 --- /dev/null 
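Review bot: `CONTEXT_CONTROL` through `CONTEXT_ALL` are defined without an architecture bit (the `// Not perfect` comment acknowledges it) while `CONTEXT_XSTATE` two lines later hard-codes `CONTEXT_I386`, so one file now mixes two conventions and a caller composing ContextFlags for an AMD64 or ARM64 thread gets no hint which one applies; at minimum the comment should say that the architecture bit is OR'd in by the caller. The ARM64 stanza has the per-class flags but none of the aggregates the x86 and WOW64 stanzas have; the winnt.h equivalents are `#define CONTEXT_ARM64_FULL (CONTEXT_ARM64_CONTROL | CONTEXT_ARM64_INTEGER | CONTEXT_ARM64_FLOATING_POINT)` and `#define CONTEXT_ARM64_ALL (CONTEXT_ARM64_FULL | CONTEXT_ARM64_DEBUG_REGISTERS | CONTEXT_ARM64_X18)`, and those are what a Get/SetThreadContext caller on ARM64 reaches for first. Also `// Atrget architecture description` should read `// Target architecture description`, and the file is added without a trailing newline.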
+++ b/ctypes_generation/definitions/structures/thread_context.txt 
@@ -0,0 +1,347 @@ +typedef union _ARM64_NT_NEON128 { + struct { + ULONGLONG Low; + LONGLONG High; + } DUMMYSTRUCTNAME; + DOUBLE D[2]; + FLOAT S[4]; + WORD H[8]; + BYTE B[16]; +} ARM64_NT_NEON128, *PARM64_NT_NEON128; + +typedef struct _ARM64_NT_CONTEXT { + + // + // Control flags. + // + + /* +0x000 */ DWORD ContextFlags; + + // + // Integer registers + // + + /* +0x004 */ DWORD Cpsr; // NZVF + DAIF + CurrentEL + SPSel + /* +0x008 */ union { + struct { + DWORD64 X0; + DWORD64 X1; + DWORD64 X2; + DWORD64 X3; + DWORD64 X4; + DWORD64 X5; + DWORD64 X6; + DWORD64 X7; + DWORD64 X8; + DWORD64 X9; + DWORD64 X10; + DWORD64 X11; + DWORD64 X12; + DWORD64 X13; + DWORD64 X14; + DWORD64 X15; + DWORD64 X16; + DWORD64 X17; + DWORD64 X18; + DWORD64 X19; + DWORD64 X20; + DWORD64 X21; + DWORD64 X22; + DWORD64 X23; + DWORD64 X24; + DWORD64 X25; + DWORD64 X26; + DWORD64 X27; + DWORD64 X28; + /* +0x0f0 */ DWORD64 Fp; + /* +0x0f8 */ DWORD64 Lr; + } DUMMYSTRUCTNAME; + DWORD64 X[31]; + } DUMMYUNIONNAME; + /* +0x100 */ DWORD64 Sp; + /* +0x108 */ DWORD64 Pc; + + // + // Floating Point/NEON Registers + // + + /* +0x110 */ ARM64_NT_NEON128 V[32]; + /* +0x310 */ DWORD Fpcr; + /* +0x314 */ DWORD Fpsr; + + // + // Debug registers + // + + /* +0x318 */ DWORD Bcr[ARM64_MAX_BREAKPOINTS]; + /* +0x338 */ DWORD64 Bvr[ARM64_MAX_BREAKPOINTS]; + /* +0x378 */ DWORD Wcr[ARM64_MAX_WATCHPOINTS]; + /* +0x380 */ DWORD64 Wvr[ARM64_MAX_WATCHPOINTS]; + /* +0x390 */ + +} ARM64_NT_CONTEXT, *PARM64_NT_CONTEXT; + + + + +typedef struct _FLOATING_SAVE_AREA { + DWORD ControlWord; + DWORD StatusWord; + DWORD TagWord; + DWORD ErrorOffset; + DWORD ErrorSelector; + DWORD DataOffset; + DWORD DataSelector; + BYTE RegisterArea[80]; + DWORD Cr0NpxState; +} FLOATING_SAVE_AREA; + +typedef struct _CONTEXT32 { + + DWORD ContextFlags; + + DWORD Dr0; + DWORD Dr1; + DWORD Dr2; + DWORD Dr3; + DWORD Dr6; + DWORD Dr7; + + FLOATING_SAVE_AREA FloatSave; + + DWORD SegGs; + DWORD SegFs; + DWORD SegEs; + DWORD SegDs; + + DWORD Edi; + DWORD Esi; 
+ DWORD Ebx; + DWORD Edx; + DWORD Ecx; + DWORD Eax; + + DWORD Ebp; + DWORD Eip; + DWORD SegCs; + DWORD EFlags; + DWORD Esp; + DWORD SegSs; + + BYTE ExtendedRegisters[512]; + +} CONTEXT32, *PCONTEXT32, *LPCONTEXT32; + +typedef struct _WOW64_FLOATING_SAVE_AREA { + DWORD ControlWord; + DWORD StatusWord; + DWORD TagWord; + DWORD ErrorOffset; + DWORD ErrorSelector; + DWORD DataOffset; + DWORD DataSelector; + BYTE RegisterArea[WOW64_SIZE_OF_80387_REGISTERS]; + DWORD Cr0NpxState; +} WOW64_FLOATING_SAVE_AREA; + +typedef struct _WOW64_CONTEXT { + + DWORD ContextFlags; + + DWORD Dr0; + DWORD Dr1; + DWORD Dr2; + DWORD Dr3; + DWORD Dr6; + DWORD Dr7; + + WOW64_FLOATING_SAVE_AREA FloatSave; + + DWORD SegGs; + DWORD SegFs; + DWORD SegEs; + DWORD SegDs; + + DWORD Edi; + DWORD Esi; + DWORD Ebx; + DWORD Edx; + DWORD Ecx; + DWORD Eax; + DWORD Ebp; + DWORD Eip; + DWORD SegCs; + DWORD EFlags; + DWORD Esp; + DWORD SegSs; + + BYTE ExtendedRegisters[WOW64_MAXIMUM_SUPPORTED_EXTENSION]; + +} WOW64_CONTEXT, *PWOW64_CONTEXT; + + +typedef struct _M128A { + ULONGLONG Low; + LONGLONG High; +} M128A, *PM128A; + +typedef struct _XSAVE_FORMAT_64 { + WORD ControlWord; + WORD StatusWord; + BYTE TagWord; + BYTE Reserved1; + WORD ErrorOpcode; + DWORD ErrorOffset; + WORD ErrorSelector; + WORD Reserved2; + DWORD DataOffset; + WORD DataSelector; + WORD Reserved3; + DWORD MxCsr; + DWORD MxCsr_Mask; + M128A FloatRegisters[8]; + M128A XmmRegisters[16]; + BYTE Reserved4[96]; +} XSAVE_FORMAT_64, *PXSAVE_FORMAT_64; + +typedef struct _XSAVE_FORMAT_32 { + WORD ControlWord; + WORD StatusWord; + BYTE TagWord; + BYTE Reserved1; + WORD ErrorOpcode; + DWORD ErrorOffset; + WORD ErrorSelector; + WORD Reserved2; + DWORD DataOffset; + WORD DataSelector; + WORD Reserved3; + DWORD MxCsr; + DWORD MxCsr_Mask; + M128A FloatRegisters[8]; + M128A XmmRegisters[8]; + BYTE Reserved4[192]; + DWORD StackControl[7]; + DWORD Cr0NpxState; +} XSAVE_FORMAT_32, *PXSAVE_FORMAT_32; + + +typedef struct _CONTEXT64 { + + // + // Register 
parameter home addresses. + // + // N.B. These fields are for convience - they could be used to extend the + // context record in the future. + // + + DWORD64 P1Home; + DWORD64 P2Home; + DWORD64 P3Home; + DWORD64 P4Home; + DWORD64 P5Home; + DWORD64 P6Home; + + // + // Control flags. + // + + DWORD ContextFlags; + DWORD MxCsr; + + // + // Segment Registers and processor flags. + // + + WORD SegCs; + WORD SegDs; + WORD SegEs; + WORD SegFs; + WORD SegGs; + WORD SegSs; + DWORD EFlags; + + // + // Debug registers + // + + DWORD64 Dr0; + DWORD64 Dr1; + DWORD64 Dr2; + DWORD64 Dr3; + DWORD64 Dr6; + DWORD64 Dr7; + + // + // Integer registers. + // + + DWORD64 Rax; + DWORD64 Rcx; + DWORD64 Rdx; + DWORD64 Rbx; + DWORD64 Rsp; + DWORD64 Rbp; + DWORD64 Rsi; + DWORD64 Rdi; + DWORD64 R8; + DWORD64 R9; + DWORD64 R10; + DWORD64 R11; + DWORD64 R12; + DWORD64 R13; + DWORD64 R14; + DWORD64 R15; + + // + // Program counter. + // + + DWORD64 Rip; + + // + // Floating point state. + // + + union { + XSAVE_FORMAT_64 FltSave; + struct { + M128A Header[2]; + M128A Legacy[8]; + M128A Xmm0; + M128A Xmm1; + M128A Xmm2; + M128A Xmm3; + M128A Xmm4; + M128A Xmm5; + M128A Xmm6; + M128A Xmm7; + M128A Xmm8; + M128A Xmm9; + M128A Xmm10; + M128A Xmm11; + M128A Xmm12; + M128A Xmm13; + M128A Xmm14; + M128A Xmm15; + } DUMMYSTRUCTNAME; + } DUMMYUNIONNAME; + + // + // Vector registers. + // + + M128A VectorRegister[26]; + DWORD64 VectorControl; + + // + // Special debug control registers. + // + + DWORD64 DebugControl; + DWORD64 LastBranchToRip; + DWORD64 LastBranchFromRip; + DWORD64 LastExceptionToRip; + DWORD64 LastExceptionFromRip; + +} CONTEXT64, *PCONTEXT64, *LPCONTEXT64; \ No newline at end of file diff --git a/ctypes_generation/definitions/structures/winstruct.txt b/ctypes_generation/definitions/structures/winstruct.txt index cd462b53..ae2589d2 100644 --- a/ctypes_generation/definitions/structures/winstruct.txt +++ b/ctypes_generation/definitions/structures/winstruct.txt 
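Review bot: `_ARM64_NT_NEON128` and `_ARM64_NT_CONTEXT` carry `DECLSPEC_ALIGN(16)` in winnt.h, which this definition syntax cannot express, so the generated ctypes structures will only get the natural alignment of their widest member; the annotated offsets (`/* +0x110 */ ARM64_NT_NEON128 V[32]` through `/* +0x390 */`) still line up by my count, but a buffer handed to GetThreadContext/SetThreadContext must itself be 16-byte aligned, so whatever the callers do for `CONTEXT64` today (outside this file) must be applied to `ARM64_NT_CONTEXT` as well — a comment above the struct such as `// winnt.h: DECLSPEC_ALIGN(16); the caller must supply a 16-byte aligned buffer` would record that. Rewriting `_CONTEXT64` with an inline anonymous union replaces the named `TMP_CONTEXT64_SUBUNION` / `TMP_DUMMYSTRUCTNAME` types the old winstruct.txt produced (removed in the next hunk), so any code or docs that referenced those generated names will break; presumably nothing outside the generator does, but the commit message does not mention the rename.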
@@ -737,232 +737,7 @@ typedef struct _PROCESS_INFORMATION { } PROCESS_INFORMATION, *PPROCESS_INFORMATION, *LPPROCESS_INFORMATION; -typedef struct _FLOATING_SAVE_AREA { - DWORD ControlWord; - DWORD StatusWord; - DWORD TagWord; - DWORD ErrorOffset; - DWORD ErrorSelector; - DWORD DataOffset; - DWORD DataSelector; - BYTE RegisterArea[80]; - DWORD Cr0NpxState; -} FLOATING_SAVE_AREA; - -typedef struct _CONTEXT32 { - - DWORD ContextFlags; - - DWORD Dr0; - DWORD Dr1; - DWORD Dr2; - DWORD Dr3; - DWORD Dr6; - DWORD Dr7; - - FLOATING_SAVE_AREA FloatSave; - - DWORD SegGs; - DWORD SegFs; - DWORD SegEs; - DWORD SegDs; - - DWORD Edi; - DWORD Esi; - DWORD Ebx; - DWORD Edx; - DWORD Ecx; - DWORD Eax; - - DWORD Ebp; - DWORD Eip; - DWORD SegCs; - DWORD EFlags; - DWORD Esp; - DWORD SegSs; - - BYTE ExtendedRegisters[512]; - -} CONTEXT32, *PCONTEXT32, *LPCONTEXT32; - -typedef struct _WOW64_FLOATING_SAVE_AREA { - DWORD ControlWord; - DWORD StatusWord; - DWORD TagWord; - DWORD ErrorOffset; - DWORD ErrorSelector; - DWORD DataOffset; - DWORD DataSelector; - BYTE RegisterArea[WOW64_SIZE_OF_80387_REGISTERS]; - DWORD Cr0NpxState; -} WOW64_FLOATING_SAVE_AREA; - -typedef struct _WOW64_CONTEXT { - - DWORD ContextFlags; - - DWORD Dr0; - DWORD Dr1; - DWORD Dr2; - DWORD Dr3; - DWORD Dr6; - DWORD Dr7; - - WOW64_FLOATING_SAVE_AREA FloatSave; - - DWORD SegGs; - DWORD SegFs; - DWORD SegEs; - DWORD SegDs; - - DWORD Edi; - DWORD Esi; - DWORD Ebx; - DWORD Edx; - DWORD Ecx; - DWORD Eax; - DWORD Ebp; - DWORD Eip; - DWORD SegCs; - DWORD EFlags; - DWORD Esp; - DWORD SegSs; - - BYTE ExtendedRegisters[WOW64_MAXIMUM_SUPPORTED_EXTENSION]; - -} WOW64_CONTEXT, *PWOW64_CONTEXT; - - -typedef struct _M128A { - ULONGLONG Low; - LONGLONG High; -} M128A, *PM128A; - -typedef struct _XSAVE_FORMAT_64 { - WORD ControlWord; - WORD StatusWord; - BYTE TagWord; - BYTE Reserved1; - WORD ErrorOpcode; - DWORD ErrorOffset; - WORD ErrorSelector; - WORD Reserved2; - DWORD DataOffset; - WORD DataSelector; - WORD Reserved3; - DWORD MxCsr; 
- DWORD MxCsr_Mask; - M128A FloatRegisters[8]; - M128A XmmRegisters[16]; - BYTE Reserved4[96]; -} XSAVE_FORMAT_64, *PXSAVE_FORMAT_64; - -typedef struct _XSAVE_FORMAT_32 { - WORD ControlWord; - WORD StatusWord; - BYTE TagWord; - BYTE Reserved1; - WORD ErrorOpcode; - DWORD ErrorOffset; - WORD ErrorSelector; - WORD Reserved2; - DWORD DataOffset; - WORD DataSelector; - WORD Reserved3; - DWORD MxCsr; - DWORD MxCsr_Mask; - M128A FloatRegisters[8]; - M128A XmmRegisters[8]; - BYTE Reserved4[192]; - DWORD StackControl[7]; - DWORD Cr0NpxState; -} XSAVE_FORMAT_32, *PXSAVE_FORMAT_32; - -typedef struct _TMP_DUMMYSTRUCTNAME { - M128A Header[2]; - M128A Legacy[8]; - M128A Xmm0; - M128A Xmm1; - M128A Xmm2; - M128A Xmm3; - M128A Xmm4; - M128A Xmm5; - M128A Xmm6; - M128A Xmm7; - M128A Xmm8; - M128A Xmm9; - M128A Xmm10; - M128A Xmm11; - M128A Xmm12; - M128A Xmm13; - M128A Xmm14; - M128A Xmm15; -} TMP_DUMMYSTRUCTNAME; - - -typedef union _TMP_CONTEXT64_SUBUNION { - XSAVE_FORMAT_64 FltSave; - TMP_DUMMYSTRUCTNAME DUMMYSTRUCTNAME; -} TMP_CONTEXT64_SUBUNION; - -typedef struct _CONTEXT64 { - - DWORD64 P1Home; - DWORD64 P2Home; - DWORD64 P3Home; - DWORD64 P4Home; - DWORD64 P5Home; - DWORD64 P6Home; - - DWORD ContextFlags; - DWORD MxCsr; - - WORD SegCs; - WORD SegDs; - WORD SegEs; - WORD SegFs; - WORD SegGs; - WORD SegSs; - DWORD EFlags; - - DWORD64 Dr0; - DWORD64 Dr1; - DWORD64 Dr2; - DWORD64 Dr3; - DWORD64 Dr6; - DWORD64 Dr7; - - - DWORD64 Rax; - DWORD64 Rcx; - DWORD64 Rdx; - DWORD64 Rbx; - DWORD64 Rsp; - DWORD64 Rbp; - DWORD64 Rsi; - DWORD64 Rdi; - DWORD64 R8; - DWORD64 R9; - DWORD64 R10; - DWORD64 R11; - DWORD64 R12; - DWORD64 R13; - DWORD64 R14; - DWORD64 R15; - - DWORD64 Rip; - - TMP_CONTEXT64_SUBUNION DUMMYUNIONNAME; - - M128A VectorRegister[26]; - DWORD64 VectorControl; - - DWORD64 DebugControl; - DWORD64 LastBranchToRip; - DWORD64 LastBranchFromRip; - DWORD64 LastExceptionToRip; - DWORD64 LastExceptionFromRip; -} CONTEXT64, *PCONTEXT64, *LPCONTEXT64; + typedef struct 
tagPROCESSENTRY32W diff --git a/docs/source/windef_generated.rst b/docs/source/windef_generated.rst index 5ef88a57..45b20144 100644 --- a/docs/source/windef_generated.rst +++ b/docs/source/windef_generated.rst @@ -1849,6 +1849,45 @@ WinDef .. autodata:: SPC_FINANCIAL_CRITERIA_OBJID .. autodata:: SPC_LINK_OBJID .. autodata:: SPC_SIGINFO_OBJID +.. autodata:: CONTEXT_I386 +.. autodata:: CONTEXT_AMD64 +.. autodata:: CONTEXT_ARM +.. autodata:: CONTEXT_ARM64 +.. autodata:: CONTEXT_i386 +.. autodata:: CONTEXT_i486 +.. autodata:: WOW64_CONTEXT_i386 +.. autodata:: WOW64_CONTEXT_i486 +.. autodata:: CONTEXT_CONTROL +.. autodata:: CONTEXT_INTEGER +.. autodata:: CONTEXT_SEGMENTS +.. autodata:: CONTEXT_FLOATING_POINT +.. autodata:: CONTEXT_DEBUG_REGISTERS +.. autodata:: CONTEXT_EXTENDED_REGISTERS +.. autodata:: CONTEXT_FULL +.. autodata:: CONTEXT_ALL +.. autodata:: CONTEXT_XSTATE +.. autodata:: WOW64_CONTEXT_CONTROL +.. autodata:: WOW64_CONTEXT_INTEGER +.. autodata:: WOW64_CONTEXT_SEGMENTS +.. autodata:: WOW64_CONTEXT_FLOATING_POINT +.. autodata:: WOW64_CONTEXT_DEBUG_REGISTERS +.. autodata:: WOW64_CONTEXT_EXTENDED_REGISTERS +.. autodata:: WOW64_CONTEXT_FULL +.. autodata:: WOW64_CONTEXT_ALL +.. autodata:: WOW64_CONTEXT_XSTATE +.. autodata:: WOW64_CONTEXT_EXCEPTION_ACTIVE +.. autodata:: WOW64_CONTEXT_SERVICE_ACTIVE +.. autodata:: WOW64_CONTEXT_EXCEPTION_REQUEST +.. autodata:: WOW64_CONTEXT_EXCEPTION_REPORTING +.. autodata:: CONTEXT_ARM64_CONTROL +.. autodata:: CONTEXT_ARM64_INTEGER +.. autodata:: CONTEXT_ARM64_FLOATING_POINT +.. autodata:: CONTEXT_ARM64_DEBUG_REGISTERS +.. autodata:: CONTEXT_ARM64_X18 +.. autodata:: CONTEXT_UNWOUND_TO_CALL +.. autodata:: CONTEXT_RET_TO_GUEST +.. autodata:: ARM64_MAX_BREAKPOINTS +.. autodata:: ARM64_MAX_WATCHPOINTS .. autodata:: FILE_VER_GET_LOCALISED .. autodata:: FILE_VER_GET_NEUTRAL .. autodata:: FILE_VER_GET_PREFETCHED 
@@ -1960,19 +1999,6 @@ WinDef .. autodata:: TH32CS_SNAPMODULE32 .. autodata:: TH32CS_SNAPALL .. autodata:: TH32CS_INHERIT -.. autodata:: CONTEXT_I386 -.. autodata:: CONTEXT_AMD64 -.. autodata:: CONTEXT_ARM -.. autodata:: CONTEXT_ARM64 -.. autodata:: CONTEXT_CONTROL -.. autodata:: CONTEXT_INTEGER -.. autodata:: CONTEXT_SEGMENTS -.. autodata:: CONTEXT_FLOATING_POINT -.. autodata:: CONTEXT_DEBUG_REGISTERS -.. autodata:: CONTEXT_EXTENDED_REGISTERS -.. autodata:: CONTEXT_FULL -.. autodata:: CONTEXT_ALL -.. autodata:: CONTEXT_XSTATE .. autodata:: PAGE_NOACCESS .. autodata:: PAGE_READONLY .. autodata:: PAGE_READWRITE diff --git a/docs/source/winstructs_generated.rst b/docs/source/winstructs_generated.rst index 240a2ece..77d6560c 100644 --- a/docs/source/winstructs_generated.rst +++ b/docs/source/winstructs_generated.rst 
@@ -11291,2347 +11291,2340 @@ _TEB :class:`ULONG` -_TRACE_PROVIDER_INFO -'''''''''''''''''''' -.. class:: TRACE_PROVIDER_INFO +_ARM64_NT_NEON128 +''''''''''''''''' +.. class:: ARM64_NT_NEON128 - Alias for :class:`_TRACE_PROVIDER_INFO` + Alias for :class:`_ARM64_NT_NEON128` -.. class:: _TRACE_PROVIDER_INFO +.. class:: PARM64_NT_NEON128 - .. attribute:: ProviderGuid + Pointer to :class:`_ARM64_NT_NEON128` - :class:`GUID` +.. class:: _ARM64_NT_NEON128 + .. attribute:: DUMMYSTRUCTNAME - .. attribute:: SchemaSource + :class:`_ANON__ARM64_NT_NEON128_SUB_STRUCTURE_1` - :class:`ULONG` + .. attribute:: D - .. attribute:: ProviderNameOffset + :class:`DOUBLE` ``[2]`` - :class:`ULONG` -_PROVIDER_ENUMERATION_INFO -'''''''''''''''''''''''''' -.. class:: PPROVIDER_ENUMERATION_INFO + .. attribute:: S - Pointer to :class:`_PROVIDER_ENUMERATION_INFO` + :class:`FLOAT` ``[4]`` -.. class:: PROVIDER_ENUMERATION_INFO - Alias for :class:`_PROVIDER_ENUMERATION_INFO` + .. attribute:: H -.. class:: _PROVIDER_ENUMERATION_INFO + :class:`WORD` ``[8]`` - .. attribute:: NumberOfProviders - :class:`ULONG` + .. attribute:: B + :class:`BYTE` ``[16]`` - .. attribute:: Reserved +_ARM64_NT_CONTEXT +''''''''''''''''' +.. class:: ARM64_NT_CONTEXT - :class:`ULONG` + Alias for :class:`_ARM64_NT_CONTEXT` +.. class:: PARM64_NT_CONTEXT - .. attribute:: TraceProviderInfoArray + Pointer to :class:`_ARM64_NT_CONTEXT` - :class:`TRACE_PROVIDER_INFO` ``[ANYSIZE_ARRAY]`` +.. class:: _ARM64_NT_CONTEXT -tagRGBTRIPLE -'''''''''''' -.. class:: LPRGBTRIPLE + .. attribute:: ContextFlags - Pointer to :class:`tagRGBTRIPLE` + :class:`DWORD` -.. class:: NPRGBTRIPLE - Pointer to :class:`tagRGBTRIPLE` + .. attribute:: Cpsr -.. class:: PRGBTRIPLE + :class:`DWORD` - Pointer to :class:`tagRGBTRIPLE` -.. class:: RGBTRIPLE + .. attribute:: DUMMYUNIONNAME - Alias for :class:`tagRGBTRIPLE` + :class:`_ANON__ARM64_NT_CONTEXT_SUB_UNION_1` -.. class:: tagRGBTRIPLE - .. attribute:: rgbtBlue + .. 
attribute:: Sp - :class:`BYTE` + :class:`DWORD64` - .. attribute:: rgbtGreen + .. attribute:: Pc - :class:`BYTE` + :class:`DWORD64` - .. attribute:: rgbtRed + .. attribute:: V - :class:`BYTE` + :class:`ARM64_NT_NEON128` ``[32]`` -tagBITMAPFILEHEADER -''''''''''''''''''' -.. class:: BITMAPFILEHEADER - Alias for :class:`tagBITMAPFILEHEADER` + .. attribute:: Fpcr -.. class:: LPBITMAPFILEHEADER + :class:`DWORD` - Pointer to :class:`tagBITMAPFILEHEADER` -.. class:: PBITMAPFILEHEADER + .. attribute:: Fpsr - Pointer to :class:`tagBITMAPFILEHEADER` + :class:`DWORD` -.. class:: tagBITMAPFILEHEADER - .. attribute:: bfType + .. attribute:: Bcr - :class:`WORD` + :class:`DWORD` ``[ARM64_MAX_BREAKPOINTS]`` - .. attribute:: bfSize + .. attribute:: Bvr - :class:`DWORD` + :class:`DWORD64` ``[ARM64_MAX_BREAKPOINTS]`` - .. attribute:: bfReserved1 + .. attribute:: Wcr - :class:`WORD` + :class:`DWORD` ``[ARM64_MAX_WATCHPOINTS]`` - .. attribute:: bfReserved2 + .. attribute:: Wvr - :class:`WORD` + :class:`DWORD64` ``[ARM64_MAX_WATCHPOINTS]`` + +_FLOATING_SAVE_AREA +''''''''''''''''''' +.. class:: FLOATING_SAVE_AREA + + Alias for :class:`_FLOATING_SAVE_AREA` +.. class:: _FLOATING_SAVE_AREA - .. attribute:: bfOffBits + .. attribute:: ControlWord :class:`DWORD` -tagBITMAPCOREHEADER -''''''''''''''''''' -.. class:: BITMAPCOREHEADER - Alias for :class:`tagBITMAPCOREHEADER` + .. attribute:: StatusWord -.. class:: LPBITMAPCOREHEADER + :class:`DWORD` - Pointer to :class:`tagBITMAPCOREHEADER` -.. class:: PBITMAPCOREHEADER + .. attribute:: TagWord - Pointer to :class:`tagBITMAPCOREHEADER` + :class:`DWORD` -.. class:: tagBITMAPCOREHEADER - .. attribute:: bcSize + .. attribute:: ErrorOffset :class:`DWORD` - .. attribute:: bcWidth + .. attribute:: ErrorSelector - :class:`WORD` + :class:`DWORD` - .. attribute:: bcHeight + .. attribute:: DataOffset - :class:`WORD` + :class:`DWORD` - .. attribute:: bcPlanes + .. attribute:: DataSelector - :class:`WORD` + :class:`DWORD` - .. attribute:: bcBitCount + .. 
attribute:: RegisterArea - :class:`WORD` + :class:`BYTE` ``[80]`` -tagBITMAP -''''''''' -.. class:: BITMAP - Alias for :class:`tagBITMAP` + .. attribute:: Cr0NpxState -.. class:: LPBITMAP + :class:`DWORD` - Pointer to :class:`tagBITMAP` +_CONTEXT32 +'''''''''' +.. class:: CONTEXT32 -.. class:: NPBITMAP + Alias for :class:`_CONTEXT32` - Pointer to :class:`tagBITMAP` +.. class:: LPCONTEXT32 -.. class:: PBITMAP + Pointer to :class:`_CONTEXT32` - Pointer to :class:`tagBITMAP` +.. class:: PCONTEXT32 -.. class:: tagBITMAP + Pointer to :class:`_CONTEXT32` - .. attribute:: bmType +.. class:: _CONTEXT32 - :class:`LONG` + .. attribute:: ContextFlags + :class:`DWORD` - .. attribute:: bmWidth - :class:`LONG` + .. attribute:: Dr0 + :class:`DWORD` - .. attribute:: bmHeight - :class:`LONG` + .. attribute:: Dr1 + :class:`DWORD` - .. attribute:: bmWidthBytes - :class:`LONG` + .. attribute:: Dr2 + :class:`DWORD` - .. attribute:: bmPlanes - :class:`WORD` + .. attribute:: Dr3 + :class:`DWORD` - .. attribute:: bmBitsPixel - :class:`WORD` + .. attribute:: Dr6 + :class:`DWORD` - .. attribute:: bmBits - :class:`LPVOID` + .. attribute:: Dr7 -tagBITMAPINFOHEADER -''''''''''''''''''' -.. class:: BITMAPINFOHEADER + :class:`DWORD` - Alias for :class:`tagBITMAPINFOHEADER` -.. class:: LPBITMAPINFOHEADER + .. attribute:: FloatSave - Pointer to :class:`tagBITMAPINFOHEADER` + :class:`FLOATING_SAVE_AREA` -.. class:: PBITMAPINFOHEADER - Pointer to :class:`tagBITMAPINFOHEADER` + .. attribute:: SegGs -.. class:: tagBITMAPINFOHEADER + :class:`DWORD` - .. attribute:: biSize + + .. attribute:: SegFs :class:`DWORD` - .. attribute:: biWidth + .. attribute:: SegEs - :class:`LONG` + :class:`DWORD` - .. attribute:: biHeight + .. attribute:: SegDs - :class:`LONG` + :class:`DWORD` - .. attribute:: biPlanes + .. attribute:: Edi - :class:`WORD` + :class:`DWORD` - .. attribute:: biBitCount + .. attribute:: Esi - :class:`WORD` + :class:`DWORD` - .. attribute:: biCompression + .. attribute:: Ebx :class:`DWORD` - .. 
attribute:: biSizeImage + .. attribute:: Edx :class:`DWORD` - .. attribute:: biXPelsPerMeter + .. attribute:: Ecx - :class:`LONG` + :class:`DWORD` - .. attribute:: biYPelsPerMeter + .. attribute:: Eax - :class:`LONG` + :class:`DWORD` - .. attribute:: biClrUsed + .. attribute:: Ebp :class:`DWORD` - .. attribute:: biClrImportant + .. attribute:: Eip :class:`DWORD` -tagRGBQUAD -'''''''''' -.. class:: RGBQUAD - Alias for :class:`tagRGBQUAD` + .. attribute:: SegCs -.. class:: tagRGBQUAD + :class:`DWORD` - .. attribute:: rgbBlue - :class:`BYTE` + .. attribute:: EFlags + :class:`DWORD` - .. attribute:: rgbGreen - :class:`BYTE` + .. attribute:: Esp + :class:`DWORD` - .. attribute:: rgbRed - :class:`BYTE` + .. attribute:: SegSs + :class:`DWORD` - .. attribute:: rgbReserved - :class:`BYTE` + .. attribute:: ExtendedRegisters -tagBITMAPINFO -''''''''''''' -.. class:: BITMAPINFO + :class:`BYTE` ``[512]`` - Alias for :class:`tagBITMAPINFO` +_WOW64_FLOATING_SAVE_AREA +''''''''''''''''''''''''' +.. class:: WOW64_FLOATING_SAVE_AREA -.. class:: LPBITMAPINFO + Alias for :class:`_WOW64_FLOATING_SAVE_AREA` - Pointer to :class:`tagBITMAPINFO` +.. class:: _WOW64_FLOATING_SAVE_AREA -.. class:: PBITMAPINFO + .. attribute:: ControlWord - Pointer to :class:`tagBITMAPINFO` + :class:`DWORD` -.. class:: tagBITMAPINFO - .. attribute:: bmiHeader + .. attribute:: StatusWord - :class:`BITMAPINFOHEADER` + :class:`DWORD` - .. attribute:: bmiColors + .. attribute:: TagWord - :class:`RGBQUAD` + :class:`DWORD` -tagBITMAPCOREINFO -''''''''''''''''' -.. class:: BITMAPCOREINFO - Alias for :class:`tagBITMAPCOREINFO` + .. attribute:: ErrorOffset -.. class:: LPBITMAPCOREINFO + :class:`DWORD` - Pointer to :class:`tagBITMAPCOREINFO` -.. class:: PBITMAPCOREINFO + .. attribute:: ErrorSelector - Pointer to :class:`tagBITMAPCOREINFO` + :class:`DWORD` -.. class:: tagBITMAPCOREINFO - .. attribute:: bmciHeader + .. attribute:: DataOffset - :class:`BITMAPCOREHEADER` + :class:`DWORD` - .. attribute:: bmciColors + .. 
attribute:: DataSelector - :class:`RGBTRIPLE` + :class:`DWORD` -tagWNDCLASSEXA -'''''''''''''' -.. class:: LPWNDCLASSEXA - Pointer to :class:`tagWNDCLASSEXA` + .. attribute:: RegisterArea -.. class:: PWNDCLASSEXA + :class:`BYTE` ``[WOW64_SIZE_OF_80387_REGISTERS]`` - Pointer to :class:`tagWNDCLASSEXA` -.. class:: WNDCLASSEXA + .. attribute:: Cr0NpxState - Alias for :class:`tagWNDCLASSEXA` + :class:`DWORD` -.. class:: tagWNDCLASSEXA +_WOW64_CONTEXT +'''''''''''''' +.. class:: PWOW64_CONTEXT - .. attribute:: cbSize + Pointer to :class:`_WOW64_CONTEXT` - :class:`UINT` +.. class:: WOW64_CONTEXT + Alias for :class:`_WOW64_CONTEXT` - .. attribute:: style +.. class:: _WOW64_CONTEXT - :class:`UINT` + .. attribute:: ContextFlags + :class:`DWORD` - .. attribute:: lpfnWndProc - :class:`WNDPROC` + .. attribute:: Dr0 + :class:`DWORD` - .. attribute:: cbClsExtra - :class:`INT` + .. attribute:: Dr1 + :class:`DWORD` - .. attribute:: cbWndExtra - :class:`INT` + .. attribute:: Dr2 + :class:`DWORD` - .. attribute:: hInstance - :class:`HINSTANCE` + .. attribute:: Dr3 + :class:`DWORD` - .. attribute:: hIcon - :class:`HICON` + .. attribute:: Dr6 + :class:`DWORD` - .. attribute:: hCursor - :class:`HCURSOR` + .. attribute:: Dr7 + :class:`DWORD` - .. attribute:: hbrBackground - :class:`HBRUSH` + .. attribute:: FloatSave + :class:`WOW64_FLOATING_SAVE_AREA` - .. attribute:: lpszMenuName - :class:`LPCSTR` + .. attribute:: SegGs + :class:`DWORD` - .. attribute:: lpszClassName - :class:`LPCSTR` + .. attribute:: SegFs + :class:`DWORD` - .. attribute:: hIconSm - :class:`HICON` + .. attribute:: SegEs -tagWNDCLASSEXW -'''''''''''''' -.. class:: LPWNDCLASSEXW + :class:`DWORD` - Pointer to :class:`tagWNDCLASSEXW` -.. class:: PWNDCLASSEXW + .. attribute:: SegDs - Pointer to :class:`tagWNDCLASSEXW` + :class:`DWORD` -.. class:: WNDCLASSEXW - Alias for :class:`tagWNDCLASSEXW` + .. attribute:: Edi -.. class:: tagWNDCLASSEXW + :class:`DWORD` - .. attribute:: cbSize - :class:`UINT` + .. 
attribute:: Esi + :class:`DWORD` - .. attribute:: style - :class:`UINT` + .. attribute:: Ebx + :class:`DWORD` - .. attribute:: lpfnWndProc - :class:`WNDPROC` + .. attribute:: Edx + :class:`DWORD` - .. attribute:: cbClsExtra - :class:`INT` + .. attribute:: Ecx + :class:`DWORD` - .. attribute:: cbWndExtra - :class:`INT` + .. attribute:: Eax + :class:`DWORD` - .. attribute:: hInstance - :class:`HINSTANCE` + .. attribute:: Ebp + :class:`DWORD` - .. attribute:: hIcon - :class:`HICON` + .. attribute:: Eip + :class:`DWORD` - .. attribute:: hCursor - :class:`HCURSOR` + .. attribute:: SegCs + :class:`DWORD` - .. attribute:: hbrBackground - :class:`HBRUSH` + .. attribute:: EFlags + :class:`DWORD` - .. attribute:: lpszMenuName - :class:`LPWSTR` + .. attribute:: Esp + :class:`DWORD` - .. attribute:: lpszClassName - :class:`LPWSTR` + .. attribute:: SegSs + :class:`DWORD` - .. attribute:: hIconSm - :class:`HICON` + .. attribute:: ExtendedRegisters -_SECURITY_ATTRIBUTES -'''''''''''''''''''' -.. class:: LPSECURITY_ATTRIBUTES + :class:`BYTE` ``[WOW64_MAXIMUM_SUPPORTED_EXTENSION]`` - Pointer to :class:`_SECURITY_ATTRIBUTES` +_M128A +'''''' +.. class:: M128A -.. class:: PSECURITY_ATTRIBUTES + Alias for :class:`_M128A` - Pointer to :class:`_SECURITY_ATTRIBUTES` +.. class:: PM128A -.. class:: SECURITY_ATTRIBUTES + Pointer to :class:`_M128A` - Alias for :class:`_SECURITY_ATTRIBUTES` +.. class:: _M128A -.. class:: _SECURITY_ATTRIBUTES + .. attribute:: Low - .. attribute:: nLength + :class:`ULONGLONG` - :class:`DWORD` + .. attribute:: High - .. attribute:: lpSecurityDescriptor + :class:`LONGLONG` - :class:`LPVOID` +_XSAVE_FORMAT_64 +'''''''''''''''' +.. class:: PXSAVE_FORMAT_64 + Pointer to :class:`_XSAVE_FORMAT_64` - .. attribute:: bInheritHandle +.. class:: XSAVE_FORMAT_64 - :class:`BOOL` + Alias for :class:`_XSAVE_FORMAT_64` -_SYSTEM_VERIFIER_INFORMATION -'''''''''''''''''''''''''''' -.. class:: PSYSTEM_VERIFIER_INFORMATION +.. 
class:: _XSAVE_FORMAT_64 - Pointer to :class:`_SYSTEM_VERIFIER_INFORMATION` + .. attribute:: ControlWord -.. class:: SYSTEM_VERIFIER_INFORMATION + :class:`WORD` - Alias for :class:`_SYSTEM_VERIFIER_INFORMATION` -.. class:: _SYSTEM_VERIFIER_INFORMATION + .. attribute:: StatusWord - .. attribute:: NextEntryOffset + :class:`WORD` - :class:`ULONG` + .. attribute:: TagWord - .. attribute:: Level + :class:`BYTE` - :class:`ULONG` + .. attribute:: Reserved1 - .. attribute:: DriverName + :class:`BYTE` - :class:`UNICODE_STRING` + .. attribute:: ErrorOpcode - .. attribute:: RaiseIrqls + :class:`WORD` - :class:`ULONG` + .. attribute:: ErrorOffset - .. attribute:: AcquireSpinLocks + :class:`DWORD` - :class:`ULONG` + .. attribute:: ErrorSelector - .. attribute:: SynchronizeExecutions + :class:`WORD` - :class:`ULONG` + .. attribute:: Reserved2 - .. attribute:: AllocationsAttempted + :class:`WORD` - :class:`ULONG` + .. attribute:: DataOffset - .. attribute:: AllocationsSucceeded + :class:`DWORD` - :class:`ULONG` + .. attribute:: DataSelector - .. attribute:: AllocationsSucceededSpecialPool + :class:`WORD` - :class:`ULONG` + .. attribute:: Reserved3 - .. attribute:: AllocationsWithNoTag + :class:`WORD` - :class:`ULONG` + .. attribute:: MxCsr - .. attribute:: TrimRequests + :class:`DWORD` - :class:`ULONG` + .. attribute:: MxCsr_Mask - .. attribute:: Trims + :class:`DWORD` - :class:`ULONG` + .. attribute:: FloatRegisters - .. attribute:: AllocationsFailed + :class:`M128A` ``[8]`` - :class:`ULONG` + .. attribute:: XmmRegisters - .. attribute:: AllocationsFailedDeliberately + :class:`M128A` ``[16]`` - :class:`ULONG` + .. attribute:: Reserved4 - .. attribute:: Loads + :class:`BYTE` ``[96]`` - :class:`ULONG` +_XSAVE_FORMAT_32 +'''''''''''''''' +.. class:: PXSAVE_FORMAT_32 + Pointer to :class:`_XSAVE_FORMAT_32` - .. attribute:: Unloads +.. class:: XSAVE_FORMAT_32 - :class:`ULONG` - - - .. attribute:: UnTrackedPool + Alias for :class:`_XSAVE_FORMAT_32` - :class:`ULONG` +.. 
class:: _XSAVE_FORMAT_32 + .. attribute:: ControlWord - .. attribute:: CurrentPagedPoolAllocations + :class:`WORD` - :class:`ULONG` + .. attribute:: StatusWord - .. attribute:: CurrentNonPagedPoolAllocations + :class:`WORD` - :class:`ULONG` + .. attribute:: TagWord - .. attribute:: PeakPagedPoolAllocations + :class:`BYTE` - :class:`ULONG` + .. attribute:: Reserved1 - .. attribute:: PeakNonPagedPoolAllocations + :class:`BYTE` - :class:`ULONG` + .. attribute:: ErrorOpcode - .. attribute:: PagedPoolUsageInBytes + :class:`WORD` - :class:`SIZE_T` + .. attribute:: ErrorOffset - .. attribute:: NonPagedPoolUsageInBytes + :class:`DWORD` - :class:`SIZE_T` + .. attribute:: ErrorSelector - .. attribute:: PeakPagedPoolUsageInBytes + :class:`WORD` - :class:`SIZE_T` + .. attribute:: Reserved2 - .. attribute:: PeakNonPagedPoolUsageInBytes + :class:`WORD` - :class:`SIZE_T` -_SYSTEM_PROCESS_ID_INFORMATION -'''''''''''''''''''''''''''''' -.. class:: PSYSTEM_PROCESS_ID_INFORMATION + .. attribute:: DataOffset - Pointer to :class:`_SYSTEM_PROCESS_ID_INFORMATION` + :class:`DWORD` -.. class:: SYSTEM_PROCESS_ID_INFORMATION - Alias for :class:`_SYSTEM_PROCESS_ID_INFORMATION` + .. attribute:: DataSelector -.. class:: _SYSTEM_PROCESS_ID_INFORMATION + :class:`WORD` - .. attribute:: ProcessId - :class:`HANDLE` + .. attribute:: Reserved3 + :class:`WORD` - .. attribute:: ImageName - :class:`UNICODE_STRING` + .. attribute:: MxCsr -_MEMORY_BASIC_INFORMATION -''''''''''''''''''''''''' -.. class:: MEMORY_BASIC_INFORMATION + :class:`DWORD` - Alias for :class:`_MEMORY_BASIC_INFORMATION` -.. class:: PMEMORY_BASIC_INFORMATION + .. attribute:: MxCsr_Mask - Pointer to :class:`_MEMORY_BASIC_INFORMATION` + :class:`DWORD` -.. class:: _MEMORY_BASIC_INFORMATION - .. attribute:: BaseAddress + .. attribute:: FloatRegisters - :class:`PVOID` + :class:`M128A` ``[8]`` - .. attribute:: AllocationBase + .. attribute:: XmmRegisters - :class:`PVOID` + :class:`M128A` ``[8]`` - .. attribute:: AllocationProtect + .. 
attribute:: Reserved4 - :class:`DWORD` + :class:`BYTE` ``[192]`` - .. attribute:: RegionSize + .. attribute:: StackControl - :class:`SIZE_T` + :class:`DWORD` ``[7]`` - .. attribute:: State + .. attribute:: Cr0NpxState :class:`DWORD` +_CONTEXT64 +'''''''''' +.. class:: CONTEXT64 - .. attribute:: Protect + Alias for :class:`_CONTEXT64` - :class:`DWORD` +.. class:: LPCONTEXT64 + Pointer to :class:`_CONTEXT64` - .. attribute:: Type +.. class:: PCONTEXT64 - :class:`DWORD` + Pointer to :class:`_CONTEXT64` -_THREAD_BASIC_INFORMATION -''''''''''''''''''''''''' -.. class:: PTHREAD_BASIC_INFORMATION +.. class:: _CONTEXT64 - Pointer to :class:`_THREAD_BASIC_INFORMATION` + .. attribute:: P1Home -.. class:: THREAD_BASIC_INFORMATION + :class:`DWORD64` - Alias for :class:`_THREAD_BASIC_INFORMATION` -.. class:: _THREAD_BASIC_INFORMATION + .. attribute:: P2Home - .. attribute:: ExitStatus + :class:`DWORD64` - :class:`NTSTATUS` + .. attribute:: P3Home + + :class:`DWORD64` - .. attribute:: TebBaseAddress - :class:`PVOID` + .. attribute:: P4Home + :class:`DWORD64` - .. attribute:: ClientId - :class:`CLIENT_ID` + .. attribute:: P5Home + :class:`DWORD64` - .. attribute:: AffinityMask - :class:`KAFFINITY` + .. attribute:: P6Home + :class:`DWORD64` - .. attribute:: Priority - :class:`KPRIORITY` + .. attribute:: ContextFlags + :class:`DWORD` - .. attribute:: BasePriority - :class:`KPRIORITY` + .. attribute:: MxCsr -_MEMORY_BASIC_INFORMATION32 -''''''''''''''''''''''''''' -.. class:: MEMORY_BASIC_INFORMATION32 + :class:`DWORD` - Alias for :class:`_MEMORY_BASIC_INFORMATION32` -.. class:: PMEMORY_BASIC_INFORMATION32 + .. attribute:: SegCs - Pointer to :class:`_MEMORY_BASIC_INFORMATION32` + :class:`WORD` -.. class:: _MEMORY_BASIC_INFORMATION32 - .. attribute:: BaseAddress + .. attribute:: SegDs - :class:`DWORD` + :class:`WORD` - .. attribute:: AllocationBase + .. attribute:: SegEs - :class:`DWORD` + :class:`WORD` - .. attribute:: AllocationProtect + .. 
attribute:: SegFs - :class:`DWORD` + :class:`WORD` - .. attribute:: RegionSize + .. attribute:: SegGs - :class:`DWORD` + :class:`WORD` - .. attribute:: State + .. attribute:: SegSs - :class:`DWORD` + :class:`WORD` - .. attribute:: Protect + .. attribute:: EFlags :class:`DWORD` - .. attribute:: Type + .. attribute:: Dr0 - :class:`DWORD` + :class:`DWORD64` -_MEMORY_BASIC_INFORMATION64 -''''''''''''''''''''''''''' -.. class:: MEMORY_BASIC_INFORMATION64 - Alias for :class:`_MEMORY_BASIC_INFORMATION64` + .. attribute:: Dr1 -.. class:: PMEMORY_BASIC_INFORMATION64 + :class:`DWORD64` - Pointer to :class:`_MEMORY_BASIC_INFORMATION64` -.. class:: _MEMORY_BASIC_INFORMATION64 + .. attribute:: Dr2 - .. attribute:: BaseAddress + :class:`DWORD64` - :class:`ULONGLONG` + .. attribute:: Dr3 - .. attribute:: AllocationBase + :class:`DWORD64` - :class:`ULONGLONG` + .. attribute:: Dr6 - .. attribute:: AllocationProtect + :class:`DWORD64` - :class:`DWORD` + .. attribute:: Dr7 - .. attribute:: __alignment1 + :class:`DWORD64` - :class:`DWORD` + .. attribute:: Rax - .. attribute:: RegionSize + :class:`DWORD64` - :class:`ULONGLONG` + .. attribute:: Rcx - .. attribute:: State + :class:`DWORD64` - :class:`DWORD` + .. attribute:: Rdx - .. attribute:: Protect + :class:`DWORD64` - :class:`DWORD` + .. attribute:: Rbx - .. attribute:: Type + :class:`DWORD64` - :class:`DWORD` + .. attribute:: Rsp - .. attribute:: __alignment2 + :class:`DWORD64` - :class:`DWORD` -_PSAPI_WORKING_SET_BLOCK -'''''''''''''''''''''''' -.. class:: PPSAPI_WORKING_SET_BLOCK + .. attribute:: Rbp - Pointer to :class:`_PSAPI_WORKING_SET_BLOCK` + :class:`DWORD64` -.. class:: PSAPI_WORKING_SET_BLOCK - Alias for :class:`_PSAPI_WORKING_SET_BLOCK` + .. attribute:: Rsi -.. class:: _PSAPI_WORKING_SET_BLOCK + :class:`DWORD64` - .. attribute:: Flags - :class:`PVOID` + .. attribute:: Rdi -_PSAPI_WORKING_SET_BLOCK32 -'''''''''''''''''''''''''' -.. 
class:: PPSAPI_WORKING_SET_BLOCK32 + :class:`DWORD64` - Pointer to :class:`_PSAPI_WORKING_SET_BLOCK32` -.. class:: PSAPI_WORKING_SET_BLOCK32 + .. attribute:: R8 - Alias for :class:`_PSAPI_WORKING_SET_BLOCK32` + :class:`DWORD64` -.. class:: _PSAPI_WORKING_SET_BLOCK32 - .. attribute:: Flags + .. attribute:: R9 - :class:`DWORD` + :class:`DWORD64` -_PSAPI_WORKING_SET_BLOCK64 -'''''''''''''''''''''''''' -.. class:: PPSAPI_WORKING_SET_BLOCK64 - Pointer to :class:`_PSAPI_WORKING_SET_BLOCK64` + .. attribute:: R10 -.. class:: PSAPI_WORKING_SET_BLOCK64 + :class:`DWORD64` - Alias for :class:`_PSAPI_WORKING_SET_BLOCK64` -.. class:: _PSAPI_WORKING_SET_BLOCK64 + .. attribute:: R11 - .. attribute:: Flags + :class:`DWORD64` - :class:`ULONG64` -_PSAPI_WORKING_SET_INFORMATION -'''''''''''''''''''''''''''''' -.. class:: PPSAPI_WORKING_SET_INFORMATION - - Pointer to :class:`_PSAPI_WORKING_SET_INFORMATION` - -.. class:: PSAPI_WORKING_SET_INFORMATION - - Alias for :class:`_PSAPI_WORKING_SET_INFORMATION` - -.. class:: _PSAPI_WORKING_SET_INFORMATION - - .. attribute:: NumberOfEntries - - :class:`PVOID` - - - .. attribute:: WorkingSetInfo - - :class:`PSAPI_WORKING_SET_BLOCK` + .. attribute:: R12 -_PSAPI_WORKING_SET_INFORMATION32 -'''''''''''''''''''''''''''''''' -.. class:: PPSAPI_WORKING_SET_INFORMATION32 + :class:`DWORD64` - Pointer to :class:`_PSAPI_WORKING_SET_INFORMATION32` -.. class:: PSAPI_WORKING_SET_INFORMATION32 + .. attribute:: R13 - Alias for :class:`_PSAPI_WORKING_SET_INFORMATION32` + :class:`DWORD64` -.. class:: _PSAPI_WORKING_SET_INFORMATION32 - .. attribute:: NumberOfEntries + .. attribute:: R14 - :class:`DWORD` + :class:`DWORD64` - .. attribute:: WorkingSetInfo + .. attribute:: R15 - :class:`PSAPI_WORKING_SET_BLOCK32` + :class:`DWORD64` -_PSAPI_WORKING_SET_INFORMATION64 -'''''''''''''''''''''''''''''''' -.. class:: PPSAPI_WORKING_SET_INFORMATION64 - Pointer to :class:`_PSAPI_WORKING_SET_INFORMATION64` + .. attribute:: Rip -.. 
class:: PSAPI_WORKING_SET_INFORMATION64 + :class:`DWORD64` - Alias for :class:`_PSAPI_WORKING_SET_INFORMATION64` -.. class:: _PSAPI_WORKING_SET_INFORMATION64 + .. attribute:: DUMMYUNIONNAME - .. attribute:: NumberOfEntries + :class:`_ANON__CONTEXT64_SUB_UNION_1` - :class:`ULONG64` + .. attribute:: VectorRegister - .. attribute:: WorkingSetInfo + :class:`M128A` ``[26]`` - :class:`PSAPI_WORKING_SET_BLOCK64` -_PSAPI_WORKING_SET_EX_BLOCK -''''''''''''''''''''''''''' -.. class:: PPSAPI_WORKING_SET_EX_BLOCK + .. attribute:: VectorControl - Pointer to :class:`_PSAPI_WORKING_SET_EX_BLOCK` + :class:`DWORD64` -.. class:: PSAPI_WORKING_SET_EX_BLOCK - Alias for :class:`_PSAPI_WORKING_SET_EX_BLOCK` + .. attribute:: DebugControl -.. class:: _PSAPI_WORKING_SET_EX_BLOCK + :class:`DWORD64` - .. attribute:: Flags - :class:`PVOID` + .. attribute:: LastBranchToRip -_PSAPI_WORKING_SET_EX_BLOCK32 -''''''''''''''''''''''''''''' -.. class:: PPSAPI_WORKING_SET_EX_BLOCK32 + :class:`DWORD64` - Pointer to :class:`_PSAPI_WORKING_SET_EX_BLOCK32` -.. class:: PSAPI_WORKING_SET_EX_BLOCK32 + .. attribute:: LastBranchFromRip - Alias for :class:`_PSAPI_WORKING_SET_EX_BLOCK32` + :class:`DWORD64` -.. class:: _PSAPI_WORKING_SET_EX_BLOCK32 - .. attribute:: Flags + .. attribute:: LastExceptionToRip - :class:`DWORD` + :class:`DWORD64` -_PSAPI_WORKING_SET_EX_BLOCK64 -''''''''''''''''''''''''''''' -.. class:: PPSAPI_WORKING_SET_EX_BLOCK64 - Pointer to :class:`_PSAPI_WORKING_SET_EX_BLOCK64` + .. attribute:: LastExceptionFromRip -.. class:: PSAPI_WORKING_SET_EX_BLOCK64 + :class:`DWORD64` - Alias for :class:`_PSAPI_WORKING_SET_EX_BLOCK64` +_TRACE_PROVIDER_INFO +'''''''''''''''''''' +.. class:: TRACE_PROVIDER_INFO -.. class:: _PSAPI_WORKING_SET_EX_BLOCK64 + Alias for :class:`_TRACE_PROVIDER_INFO` - .. attribute:: Flags +.. class:: _TRACE_PROVIDER_INFO - :class:`ULONG64` + .. attribute:: ProviderGuid -_PSAPI_WORKING_SET_EX_INFORMATION -''''''''''''''''''''''''''''''''' -.. 
class:: PPSAPI_WORKING_SET_EX_INFORMATION + :class:`GUID` - Pointer to :class:`_PSAPI_WORKING_SET_EX_INFORMATION` -.. class:: PSAPI_WORKING_SET_EX_INFORMATION + .. attribute:: SchemaSource - Alias for :class:`_PSAPI_WORKING_SET_EX_INFORMATION` + :class:`ULONG` -.. class:: _PSAPI_WORKING_SET_EX_INFORMATION - .. attribute:: VirtualAddress + .. attribute:: ProviderNameOffset - :class:`PVOID` + :class:`ULONG` +_PROVIDER_ENUMERATION_INFO +'''''''''''''''''''''''''' +.. class:: PPROVIDER_ENUMERATION_INFO - .. attribute:: VirtualAttributes + Pointer to :class:`_PROVIDER_ENUMERATION_INFO` - :class:`PSAPI_WORKING_SET_EX_BLOCK` +.. class:: PROVIDER_ENUMERATION_INFO -_PSAPI_WORKING_SET_EX_INFORMATION32 -''''''''''''''''''''''''''''''''''' -.. class:: PPSAPI_WORKING_SET_EX_INFORMATION32 + Alias for :class:`_PROVIDER_ENUMERATION_INFO` - Pointer to :class:`_PSAPI_WORKING_SET_EX_INFORMATION32` +.. class:: _PROVIDER_ENUMERATION_INFO -.. class:: PSAPI_WORKING_SET_EX_INFORMATION32 + .. attribute:: NumberOfProviders - Alias for :class:`_PSAPI_WORKING_SET_EX_INFORMATION32` + :class:`ULONG` -.. class:: _PSAPI_WORKING_SET_EX_INFORMATION32 - .. attribute:: VirtualAddress + .. attribute:: Reserved - :class:`DWORD` + :class:`ULONG` - .. attribute:: VirtualAttributes + .. attribute:: TraceProviderInfoArray - :class:`PSAPI_WORKING_SET_EX_BLOCK32` + :class:`TRACE_PROVIDER_INFO` ``[ANYSIZE_ARRAY]`` -_PSAPI_WORKING_SET_EX_INFORMATION64 -''''''''''''''''''''''''''''''''''' -.. class:: PPSAPI_WORKING_SET_EX_INFORMATION64 +tagRGBTRIPLE +'''''''''''' +.. class:: LPRGBTRIPLE - Pointer to :class:`_PSAPI_WORKING_SET_EX_INFORMATION64` + Pointer to :class:`tagRGBTRIPLE` -.. class:: PSAPI_WORKING_SET_EX_INFORMATION64 +.. class:: NPRGBTRIPLE - Alias for :class:`_PSAPI_WORKING_SET_EX_INFORMATION64` + Pointer to :class:`tagRGBTRIPLE` -.. class:: _PSAPI_WORKING_SET_EX_INFORMATION64 +.. class:: PRGBTRIPLE - .. attribute:: VirtualAddress + Pointer to :class:`tagRGBTRIPLE` - :class:`ULONG64` +.. 
class:: RGBTRIPLE + Alias for :class:`tagRGBTRIPLE` - .. attribute:: VirtualAttributes +.. class:: tagRGBTRIPLE - :class:`PSAPI_WORKING_SET_EX_BLOCK64` + .. attribute:: rgbtBlue -_STARTUPINFOA -''''''''''''' -.. class:: LPSTARTUPINFOA + :class:`BYTE` - Pointer to :class:`_STARTUPINFOA` -.. class:: STARTUPINFOA + .. attribute:: rgbtGreen - Alias for :class:`_STARTUPINFOA` + :class:`BYTE` -.. class:: _STARTUPINFOA - .. attribute:: cb + .. attribute:: rgbtRed - :class:`DWORD` + :class:`BYTE` +tagBITMAPFILEHEADER +''''''''''''''''''' +.. class:: BITMAPFILEHEADER - .. attribute:: lpReserved + Alias for :class:`tagBITMAPFILEHEADER` - :class:`LPSTR` +.. class:: LPBITMAPFILEHEADER + Pointer to :class:`tagBITMAPFILEHEADER` - .. attribute:: lpDesktop +.. class:: PBITMAPFILEHEADER - :class:`LPSTR` + Pointer to :class:`tagBITMAPFILEHEADER` +.. class:: tagBITMAPFILEHEADER - .. attribute:: lpTitle + .. attribute:: bfType - :class:`LPSTR` + :class:`WORD` - .. attribute:: dwX + .. attribute:: bfSize :class:`DWORD` - .. attribute:: dwY + .. attribute:: bfReserved1 - :class:`DWORD` + :class:`WORD` - .. attribute:: dwXSize + .. attribute:: bfReserved2 - :class:`DWORD` + :class:`WORD` - .. attribute:: dwYSize + .. attribute:: bfOffBits :class:`DWORD` +tagBITMAPCOREHEADER +''''''''''''''''''' +.. class:: BITMAPCOREHEADER - .. attribute:: dwXCountChars + Alias for :class:`tagBITMAPCOREHEADER` - :class:`DWORD` +.. class:: LPBITMAPCOREHEADER + Pointer to :class:`tagBITMAPCOREHEADER` - .. attribute:: dwYCountChars +.. class:: PBITMAPCOREHEADER - :class:`DWORD` + Pointer to :class:`tagBITMAPCOREHEADER` +.. class:: tagBITMAPCOREHEADER - .. attribute:: dwFillAttribute + .. attribute:: bcSize :class:`DWORD` - .. attribute:: dwFlags + .. attribute:: bcWidth - :class:`DWORD` + :class:`WORD` - .. attribute:: wShowWindow + .. attribute:: bcHeight :class:`WORD` - .. attribute:: cbReserved2 + .. attribute:: bcPlanes :class:`WORD` - .. attribute:: lpReserved2 + .. 
attribute:: bcBitCount - :class:`LPBYTE` + :class:`WORD` +tagBITMAP +''''''''' +.. class:: BITMAP - .. attribute:: hStdInput + Alias for :class:`tagBITMAP` - :class:`HANDLE` +.. class:: LPBITMAP + Pointer to :class:`tagBITMAP` - .. attribute:: hStdOutput +.. class:: NPBITMAP - :class:`HANDLE` + Pointer to :class:`tagBITMAP` +.. class:: PBITMAP - .. attribute:: hStdError + Pointer to :class:`tagBITMAP` - :class:`HANDLE` +.. class:: tagBITMAP -_STARTUPINFOW -''''''''''''' -.. class:: LPSTARTUPINFOW + .. attribute:: bmType - Pointer to :class:`_STARTUPINFOW` + :class:`LONG` -.. class:: STARTUPINFOW - Alias for :class:`_STARTUPINFOW` + .. attribute:: bmWidth -.. class:: _STARTUPINFOW + :class:`LONG` - .. attribute:: cb - :class:`DWORD` + .. attribute:: bmHeight + :class:`LONG` - .. attribute:: lpReserved - :class:`LPWSTR` + .. attribute:: bmWidthBytes + :class:`LONG` - .. attribute:: lpDesktop - :class:`LPWSTR` + .. attribute:: bmPlanes + :class:`WORD` - .. attribute:: lpTitle - :class:`LPWSTR` + .. attribute:: bmBitsPixel + :class:`WORD` - .. attribute:: dwX - :class:`DWORD` + .. attribute:: bmBits + :class:`LPVOID` - .. attribute:: dwY +tagBITMAPINFOHEADER +''''''''''''''''''' +.. class:: BITMAPINFOHEADER - :class:`DWORD` + Alias for :class:`tagBITMAPINFOHEADER` +.. class:: LPBITMAPINFOHEADER - .. attribute:: dwXSize + Pointer to :class:`tagBITMAPINFOHEADER` - :class:`DWORD` +.. class:: PBITMAPINFOHEADER + Pointer to :class:`tagBITMAPINFOHEADER` - .. attribute:: dwYSize +.. class:: tagBITMAPINFOHEADER + + .. attribute:: biSize :class:`DWORD` - .. attribute:: dwXCountChars + .. attribute:: biWidth - :class:`DWORD` + :class:`LONG` - .. attribute:: dwYCountChars + .. attribute:: biHeight - :class:`DWORD` + :class:`LONG` - .. attribute:: dwFillAttribute + .. attribute:: biPlanes - :class:`DWORD` + :class:`WORD` - .. attribute:: dwFlags + .. attribute:: biBitCount - :class:`DWORD` + :class:`WORD` - .. attribute:: wShowWindow + .. 
attribute:: biCompression - :class:`WORD` + :class:`DWORD` - .. attribute:: cbReserved2 + .. attribute:: biSizeImage - :class:`WORD` + :class:`DWORD` - .. attribute:: lpReserved2 + .. attribute:: biXPelsPerMeter - :class:`LPBYTE` + :class:`LONG` - .. attribute:: hStdInput + .. attribute:: biYPelsPerMeter - :class:`HANDLE` + :class:`LONG` - .. attribute:: hStdOutput + .. attribute:: biClrUsed - :class:`HANDLE` + :class:`DWORD` - .. attribute:: hStdError + .. attribute:: biClrImportant - :class:`HANDLE` + :class:`DWORD` -_STARTUPINFOEXA -''''''''''''''' -.. class:: LPSTARTUPINFOEXA +tagRGBQUAD +'''''''''' +.. class:: RGBQUAD - Pointer to :class:`_STARTUPINFOEXA` + Alias for :class:`tagRGBQUAD` -.. class:: STARTUPINFOEXA +.. class:: tagRGBQUAD - Alias for :class:`_STARTUPINFOEXA` + .. attribute:: rgbBlue -.. class:: _STARTUPINFOEXA + :class:`BYTE` - .. attribute:: StartupInfo - :class:`STARTUPINFOA` + .. attribute:: rgbGreen + :class:`BYTE` - .. attribute:: lpAttributeList - :class:`LPPROC_THREAD_ATTRIBUTE_LIST` + .. attribute:: rgbRed -_STARTUPINFOEXW -''''''''''''''' -.. class:: LPSTARTUPINFOEXW + :class:`BYTE` - Pointer to :class:`_STARTUPINFOEXW` -.. class:: STARTUPINFOEXW + .. attribute:: rgbReserved - Alias for :class:`_STARTUPINFOEXW` + :class:`BYTE` -.. class:: _STARTUPINFOEXW +tagBITMAPINFO +''''''''''''' +.. class:: BITMAPINFO - .. attribute:: StartupInfo + Alias for :class:`tagBITMAPINFO` - :class:`STARTUPINFOW` +.. class:: LPBITMAPINFO + Pointer to :class:`tagBITMAPINFO` - .. attribute:: lpAttributeList +.. class:: PBITMAPINFO - :class:`LPPROC_THREAD_ATTRIBUTE_LIST` + Pointer to :class:`tagBITMAPINFO` -_PROCESS_INFORMATION -'''''''''''''''''''' -.. class:: LPPROCESS_INFORMATION +.. class:: tagBITMAPINFO - Pointer to :class:`_PROCESS_INFORMATION` + .. attribute:: bmiHeader -.. class:: PPROCESS_INFORMATION + :class:`BITMAPINFOHEADER` - Pointer to :class:`_PROCESS_INFORMATION` -.. class:: PROCESS_INFORMATION + .. 
attribute:: bmiColors - Alias for :class:`_PROCESS_INFORMATION` + :class:`RGBQUAD` -.. class:: _PROCESS_INFORMATION +tagBITMAPCOREINFO +''''''''''''''''' +.. class:: BITMAPCOREINFO - .. attribute:: hProcess + Alias for :class:`tagBITMAPCOREINFO` - :class:`HANDLE` +.. class:: LPBITMAPCOREINFO + Pointer to :class:`tagBITMAPCOREINFO` - .. attribute:: hThread +.. class:: PBITMAPCOREINFO - :class:`HANDLE` + Pointer to :class:`tagBITMAPCOREINFO` +.. class:: tagBITMAPCOREINFO - .. attribute:: dwProcessId + .. attribute:: bmciHeader - :class:`DWORD` + :class:`BITMAPCOREHEADER` - .. attribute:: dwThreadId + .. attribute:: bmciColors - :class:`DWORD` + :class:`RGBTRIPLE` -_FLOATING_SAVE_AREA -''''''''''''''''''' -.. class:: FLOATING_SAVE_AREA +tagWNDCLASSEXA +'''''''''''''' +.. class:: LPWNDCLASSEXA - Alias for :class:`_FLOATING_SAVE_AREA` + Pointer to :class:`tagWNDCLASSEXA` -.. class:: _FLOATING_SAVE_AREA +.. class:: PWNDCLASSEXA - .. attribute:: ControlWord + Pointer to :class:`tagWNDCLASSEXA` - :class:`DWORD` +.. class:: WNDCLASSEXA + Alias for :class:`tagWNDCLASSEXA` - .. attribute:: StatusWord +.. class:: tagWNDCLASSEXA - :class:`DWORD` + .. attribute:: cbSize + :class:`UINT` - .. attribute:: TagWord - :class:`DWORD` + .. attribute:: style + :class:`UINT` - .. attribute:: ErrorOffset - :class:`DWORD` + .. attribute:: lpfnWndProc + :class:`WNDPROC` - .. attribute:: ErrorSelector - :class:`DWORD` + .. attribute:: cbClsExtra + :class:`INT` - .. attribute:: DataOffset - :class:`DWORD` + .. attribute:: cbWndExtra + :class:`INT` - .. attribute:: DataSelector - :class:`DWORD` + .. attribute:: hInstance + :class:`HINSTANCE` - .. attribute:: RegisterArea - :class:`BYTE` ``[80]`` + .. attribute:: hIcon + :class:`HICON` - .. attribute:: Cr0NpxState - :class:`DWORD` + .. attribute:: hCursor -_CONTEXT32 -'''''''''' -.. class:: CONTEXT32 + :class:`HCURSOR` - Alias for :class:`_CONTEXT32` -.. class:: LPCONTEXT32 + .. 
attribute:: hbrBackground - Pointer to :class:`_CONTEXT32` + :class:`HBRUSH` -.. class:: PCONTEXT32 - Pointer to :class:`_CONTEXT32` + .. attribute:: lpszMenuName -.. class:: _CONTEXT32 + :class:`LPCSTR` - .. attribute:: ContextFlags - :class:`DWORD` + .. attribute:: lpszClassName + :class:`LPCSTR` - .. attribute:: Dr0 - :class:`DWORD` + .. attribute:: hIconSm + :class:`HICON` - .. attribute:: Dr1 +tagWNDCLASSEXW +'''''''''''''' +.. class:: LPWNDCLASSEXW - :class:`DWORD` + Pointer to :class:`tagWNDCLASSEXW` +.. class:: PWNDCLASSEXW - .. attribute:: Dr2 + Pointer to :class:`tagWNDCLASSEXW` - :class:`DWORD` +.. class:: WNDCLASSEXW + Alias for :class:`tagWNDCLASSEXW` - .. attribute:: Dr3 +.. class:: tagWNDCLASSEXW - :class:`DWORD` + .. attribute:: cbSize + :class:`UINT` - .. attribute:: Dr6 - :class:`DWORD` + .. attribute:: style + :class:`UINT` - .. attribute:: Dr7 - :class:`DWORD` + .. attribute:: lpfnWndProc + :class:`WNDPROC` - .. attribute:: FloatSave - :class:`FLOATING_SAVE_AREA` + .. attribute:: cbClsExtra + :class:`INT` - .. attribute:: SegGs - :class:`DWORD` + .. attribute:: cbWndExtra + :class:`INT` - .. attribute:: SegFs - :class:`DWORD` + .. attribute:: hInstance + :class:`HINSTANCE` - .. attribute:: SegEs - :class:`DWORD` + .. attribute:: hIcon + :class:`HICON` - .. attribute:: SegDs - :class:`DWORD` + .. attribute:: hCursor + :class:`HCURSOR` - .. attribute:: Edi - :class:`DWORD` + .. attribute:: hbrBackground + :class:`HBRUSH` - .. attribute:: Esi - :class:`DWORD` + .. attribute:: lpszMenuName + :class:`LPWSTR` - .. attribute:: Ebx - :class:`DWORD` + .. attribute:: lpszClassName + :class:`LPWSTR` - .. attribute:: Edx - :class:`DWORD` + .. attribute:: hIconSm + :class:`HICON` - .. attribute:: Ecx +_SECURITY_ATTRIBUTES +'''''''''''''''''''' +.. class:: LPSECURITY_ATTRIBUTES - :class:`DWORD` + Pointer to :class:`_SECURITY_ATTRIBUTES` +.. class:: PSECURITY_ATTRIBUTES - .. attribute:: Eax + Pointer to :class:`_SECURITY_ATTRIBUTES` - :class:`DWORD` +.. 
class:: SECURITY_ATTRIBUTES + Alias for :class:`_SECURITY_ATTRIBUTES` - .. attribute:: Ebp +.. class:: _SECURITY_ATTRIBUTES + + .. attribute:: nLength :class:`DWORD` - .. attribute:: Eip + .. attribute:: lpSecurityDescriptor - :class:`DWORD` + :class:`LPVOID` - .. attribute:: SegCs + .. attribute:: bInheritHandle - :class:`DWORD` + :class:`BOOL` +_SYSTEM_VERIFIER_INFORMATION +'''''''''''''''''''''''''''' +.. class:: PSYSTEM_VERIFIER_INFORMATION - .. attribute:: EFlags + Pointer to :class:`_SYSTEM_VERIFIER_INFORMATION` - :class:`DWORD` +.. class:: SYSTEM_VERIFIER_INFORMATION + Alias for :class:`_SYSTEM_VERIFIER_INFORMATION` - .. attribute:: Esp +.. class:: _SYSTEM_VERIFIER_INFORMATION - :class:`DWORD` + .. attribute:: NextEntryOffset + :class:`ULONG` - .. attribute:: SegSs - :class:`DWORD` + .. attribute:: Level + :class:`ULONG` - .. attribute:: ExtendedRegisters - :class:`BYTE` ``[512]`` + .. attribute:: DriverName -_WOW64_FLOATING_SAVE_AREA -''''''''''''''''''''''''' -.. class:: WOW64_FLOATING_SAVE_AREA + :class:`UNICODE_STRING` - Alias for :class:`_WOW64_FLOATING_SAVE_AREA` -.. class:: _WOW64_FLOATING_SAVE_AREA + .. attribute:: RaiseIrqls - .. attribute:: ControlWord + :class:`ULONG` - :class:`DWORD` + .. attribute:: AcquireSpinLocks - .. attribute:: StatusWord + :class:`ULONG` - :class:`DWORD` + .. attribute:: SynchronizeExecutions - .. attribute:: TagWord + :class:`ULONG` - :class:`DWORD` + .. attribute:: AllocationsAttempted - .. attribute:: ErrorOffset + :class:`ULONG` - :class:`DWORD` + .. attribute:: AllocationsSucceeded - .. attribute:: ErrorSelector + :class:`ULONG` - :class:`DWORD` + .. attribute:: AllocationsSucceededSpecialPool - .. attribute:: DataOffset + :class:`ULONG` - :class:`DWORD` + .. attribute:: AllocationsWithNoTag - .. attribute:: DataSelector + :class:`ULONG` - :class:`DWORD` + .. attribute:: TrimRequests - .. attribute:: RegisterArea + :class:`ULONG` - :class:`BYTE` ``[WOW64_SIZE_OF_80387_REGISTERS]`` + .. attribute:: Trims - .. 
attribute:: Cr0NpxState + :class:`ULONG` - :class:`DWORD` -_WOW64_CONTEXT -'''''''''''''' -.. class:: PWOW64_CONTEXT + .. attribute:: AllocationsFailed - Pointer to :class:`_WOW64_CONTEXT` + :class:`ULONG` -.. class:: WOW64_CONTEXT - Alias for :class:`_WOW64_CONTEXT` + .. attribute:: AllocationsFailedDeliberately -.. class:: _WOW64_CONTEXT + :class:`ULONG` - .. attribute:: ContextFlags - :class:`DWORD` + .. attribute:: Loads + :class:`ULONG` - .. attribute:: Dr0 - :class:`DWORD` + .. attribute:: Unloads + :class:`ULONG` - .. attribute:: Dr1 - :class:`DWORD` + .. attribute:: UnTrackedPool + :class:`ULONG` - .. attribute:: Dr2 - :class:`DWORD` + .. attribute:: CurrentPagedPoolAllocations + :class:`ULONG` - .. attribute:: Dr3 - :class:`DWORD` + .. attribute:: CurrentNonPagedPoolAllocations + :class:`ULONG` - .. attribute:: Dr6 - :class:`DWORD` + .. attribute:: PeakPagedPoolAllocations + :class:`ULONG` - .. attribute:: Dr7 - :class:`DWORD` + .. attribute:: PeakNonPagedPoolAllocations + :class:`ULONG` - .. attribute:: FloatSave - :class:`WOW64_FLOATING_SAVE_AREA` + .. attribute:: PagedPoolUsageInBytes + :class:`SIZE_T` - .. attribute:: SegGs - :class:`DWORD` + .. attribute:: NonPagedPoolUsageInBytes + :class:`SIZE_T` - .. attribute:: SegFs - :class:`DWORD` + .. attribute:: PeakPagedPoolUsageInBytes + :class:`SIZE_T` - .. attribute:: SegEs - :class:`DWORD` + .. attribute:: PeakNonPagedPoolUsageInBytes + :class:`SIZE_T` - .. attribute:: SegDs +_SYSTEM_PROCESS_ID_INFORMATION +'''''''''''''''''''''''''''''' +.. class:: PSYSTEM_PROCESS_ID_INFORMATION - :class:`DWORD` + Pointer to :class:`_SYSTEM_PROCESS_ID_INFORMATION` +.. class:: SYSTEM_PROCESS_ID_INFORMATION - .. attribute:: Edi + Alias for :class:`_SYSTEM_PROCESS_ID_INFORMATION` - :class:`DWORD` +.. class:: _SYSTEM_PROCESS_ID_INFORMATION + .. attribute:: ProcessId - .. attribute:: Esi + :class:`HANDLE` - :class:`DWORD` + .. attribute:: ImageName - .. 
attribute:: Ebx + :class:`UNICODE_STRING` - :class:`DWORD` +_MEMORY_BASIC_INFORMATION +''''''''''''''''''''''''' +.. class:: MEMORY_BASIC_INFORMATION + Alias for :class:`_MEMORY_BASIC_INFORMATION` - .. attribute:: Edx +.. class:: PMEMORY_BASIC_INFORMATION - :class:`DWORD` + Pointer to :class:`_MEMORY_BASIC_INFORMATION` +.. class:: _MEMORY_BASIC_INFORMATION - .. attribute:: Ecx + .. attribute:: BaseAddress - :class:`DWORD` + :class:`PVOID` - .. attribute:: Eax + .. attribute:: AllocationBase - :class:`DWORD` + :class:`PVOID` - .. attribute:: Ebp + .. attribute:: AllocationProtect :class:`DWORD` - .. attribute:: Eip + .. attribute:: RegionSize - :class:`DWORD` + :class:`SIZE_T` - .. attribute:: SegCs + .. attribute:: State :class:`DWORD` - .. attribute:: EFlags + .. attribute:: Protect :class:`DWORD` - .. attribute:: Esp + .. attribute:: Type :class:`DWORD` +_THREAD_BASIC_INFORMATION +''''''''''''''''''''''''' +.. class:: PTHREAD_BASIC_INFORMATION - .. attribute:: SegSs + Pointer to :class:`_THREAD_BASIC_INFORMATION` - :class:`DWORD` +.. class:: THREAD_BASIC_INFORMATION + Alias for :class:`_THREAD_BASIC_INFORMATION` - .. attribute:: ExtendedRegisters +.. class:: _THREAD_BASIC_INFORMATION - :class:`BYTE` ``[WOW64_MAXIMUM_SUPPORTED_EXTENSION]`` + .. attribute:: ExitStatus -_M128A -'''''' -.. class:: M128A + :class:`NTSTATUS` - Alias for :class:`_M128A` -.. class:: PM128A + .. attribute:: TebBaseAddress - Pointer to :class:`_M128A` + :class:`PVOID` -.. class:: _M128A - .. attribute:: Low + .. attribute:: ClientId - :class:`ULONGLONG` + :class:`CLIENT_ID` - .. attribute:: High + .. attribute:: AffinityMask - :class:`LONGLONG` + :class:`KAFFINITY` -_XSAVE_FORMAT_64 -'''''''''''''''' -.. class:: PXSAVE_FORMAT_64 - Pointer to :class:`_XSAVE_FORMAT_64` + .. attribute:: Priority -.. class:: XSAVE_FORMAT_64 + :class:`KPRIORITY` - Alias for :class:`_XSAVE_FORMAT_64` -.. class:: _XSAVE_FORMAT_64 + .. attribute:: BasePriority - .. 
attribute:: ControlWord + :class:`KPRIORITY` - :class:`WORD` +_MEMORY_BASIC_INFORMATION32 +''''''''''''''''''''''''''' +.. class:: MEMORY_BASIC_INFORMATION32 + Alias for :class:`_MEMORY_BASIC_INFORMATION32` - .. attribute:: StatusWord +.. class:: PMEMORY_BASIC_INFORMATION32 - :class:`WORD` + Pointer to :class:`_MEMORY_BASIC_INFORMATION32` +.. class:: _MEMORY_BASIC_INFORMATION32 - .. attribute:: TagWord + .. attribute:: BaseAddress - :class:`BYTE` + :class:`DWORD` - .. attribute:: Reserved1 + .. attribute:: AllocationBase - :class:`BYTE` + :class:`DWORD` - .. attribute:: ErrorOpcode + .. attribute:: AllocationProtect - :class:`WORD` + :class:`DWORD` - .. attribute:: ErrorOffset + .. attribute:: RegionSize :class:`DWORD` - .. attribute:: ErrorSelector + .. attribute:: State - :class:`WORD` + :class:`DWORD` - .. attribute:: Reserved2 + .. attribute:: Protect - :class:`WORD` + :class:`DWORD` - .. attribute:: DataOffset + .. attribute:: Type :class:`DWORD` +_MEMORY_BASIC_INFORMATION64 +''''''''''''''''''''''''''' +.. class:: MEMORY_BASIC_INFORMATION64 - .. attribute:: DataSelector + Alias for :class:`_MEMORY_BASIC_INFORMATION64` - :class:`WORD` +.. class:: PMEMORY_BASIC_INFORMATION64 + + Pointer to :class:`_MEMORY_BASIC_INFORMATION64` +.. class:: _MEMORY_BASIC_INFORMATION64 - .. attribute:: Reserved3 + .. attribute:: BaseAddress - :class:`WORD` + :class:`ULONGLONG` - .. attribute:: MxCsr + .. attribute:: AllocationBase - :class:`DWORD` + :class:`ULONGLONG` - .. attribute:: MxCsr_Mask + .. attribute:: AllocationProtect :class:`DWORD` - .. attribute:: FloatRegisters - - :class:`M128A` ``[8]`` + .. attribute:: __alignment1 + :class:`DWORD` - .. attribute:: XmmRegisters - :class:`M128A` ``[16]`` + .. attribute:: RegionSize + :class:`ULONGLONG` - .. attribute:: Reserved4 - :class:`BYTE` ``[96]`` + .. attribute:: State -_XSAVE_FORMAT_32 -'''''''''''''''' -.. class:: PXSAVE_FORMAT_32 + :class:`DWORD` - Pointer to :class:`_XSAVE_FORMAT_32` -.. class:: XSAVE_FORMAT_32 + .. 
attribute:: Protect - Alias for :class:`_XSAVE_FORMAT_32` + :class:`DWORD` -.. class:: _XSAVE_FORMAT_32 - .. attribute:: ControlWord + .. attribute:: Type - :class:`WORD` + :class:`DWORD` - .. attribute:: StatusWord + .. attribute:: __alignment2 - :class:`WORD` + :class:`DWORD` +_PSAPI_WORKING_SET_BLOCK +'''''''''''''''''''''''' +.. class:: PPSAPI_WORKING_SET_BLOCK - .. attribute:: TagWord + Pointer to :class:`_PSAPI_WORKING_SET_BLOCK` - :class:`BYTE` +.. class:: PSAPI_WORKING_SET_BLOCK + Alias for :class:`_PSAPI_WORKING_SET_BLOCK` - .. attribute:: Reserved1 +.. class:: _PSAPI_WORKING_SET_BLOCK - :class:`BYTE` + .. attribute:: Flags + :class:`PVOID` - .. attribute:: ErrorOpcode +_PSAPI_WORKING_SET_BLOCK32 +'''''''''''''''''''''''''' +.. class:: PPSAPI_WORKING_SET_BLOCK32 - :class:`WORD` + Pointer to :class:`_PSAPI_WORKING_SET_BLOCK32` +.. class:: PSAPI_WORKING_SET_BLOCK32 - .. attribute:: ErrorOffset + Alias for :class:`_PSAPI_WORKING_SET_BLOCK32` - :class:`DWORD` +.. class:: _PSAPI_WORKING_SET_BLOCK32 + .. attribute:: Flags - .. attribute:: ErrorSelector + :class:`DWORD` - :class:`WORD` +_PSAPI_WORKING_SET_BLOCK64 +'''''''''''''''''''''''''' +.. class:: PPSAPI_WORKING_SET_BLOCK64 + Pointer to :class:`_PSAPI_WORKING_SET_BLOCK64` - .. attribute:: Reserved2 +.. class:: PSAPI_WORKING_SET_BLOCK64 - :class:`WORD` + Alias for :class:`_PSAPI_WORKING_SET_BLOCK64` +.. class:: _PSAPI_WORKING_SET_BLOCK64 - .. attribute:: DataOffset + .. attribute:: Flags - :class:`DWORD` + :class:`ULONG64` +_PSAPI_WORKING_SET_INFORMATION +'''''''''''''''''''''''''''''' +.. class:: PPSAPI_WORKING_SET_INFORMATION - .. attribute:: DataSelector + Pointer to :class:`_PSAPI_WORKING_SET_INFORMATION` - :class:`WORD` +.. class:: PSAPI_WORKING_SET_INFORMATION + Alias for :class:`_PSAPI_WORKING_SET_INFORMATION` - .. attribute:: Reserved3 +.. class:: _PSAPI_WORKING_SET_INFORMATION - :class:`WORD` + .. attribute:: NumberOfEntries + :class:`PVOID` - .. attribute:: MxCsr - :class:`DWORD` + .. 
attribute:: WorkingSetInfo + :class:`PSAPI_WORKING_SET_BLOCK` - .. attribute:: MxCsr_Mask +_PSAPI_WORKING_SET_INFORMATION32 +'''''''''''''''''''''''''''''''' +.. class:: PPSAPI_WORKING_SET_INFORMATION32 - :class:`DWORD` + Pointer to :class:`_PSAPI_WORKING_SET_INFORMATION32` +.. class:: PSAPI_WORKING_SET_INFORMATION32 - .. attribute:: FloatRegisters + Alias for :class:`_PSAPI_WORKING_SET_INFORMATION32` - :class:`M128A` ``[8]`` +.. class:: _PSAPI_WORKING_SET_INFORMATION32 + .. attribute:: NumberOfEntries - .. attribute:: XmmRegisters + :class:`DWORD` - :class:`M128A` ``[8]`` + .. attribute:: WorkingSetInfo - .. attribute:: Reserved4 + :class:`PSAPI_WORKING_SET_BLOCK32` - :class:`BYTE` ``[192]`` +_PSAPI_WORKING_SET_INFORMATION64 +'''''''''''''''''''''''''''''''' +.. class:: PPSAPI_WORKING_SET_INFORMATION64 + Pointer to :class:`_PSAPI_WORKING_SET_INFORMATION64` - .. attribute:: StackControl +.. class:: PSAPI_WORKING_SET_INFORMATION64 - :class:`DWORD` ``[7]`` + Alias for :class:`_PSAPI_WORKING_SET_INFORMATION64` +.. class:: _PSAPI_WORKING_SET_INFORMATION64 - .. attribute:: Cr0NpxState + .. attribute:: NumberOfEntries - :class:`DWORD` + :class:`ULONG64` -_TMP_DUMMYSTRUCTNAME -'''''''''''''''''''' -.. class:: TMP_DUMMYSTRUCTNAME - Alias for :class:`_TMP_DUMMYSTRUCTNAME` + .. attribute:: WorkingSetInfo -.. class:: _TMP_DUMMYSTRUCTNAME + :class:`PSAPI_WORKING_SET_BLOCK64` - .. attribute:: Header +_PSAPI_WORKING_SET_EX_BLOCK +''''''''''''''''''''''''''' +.. class:: PPSAPI_WORKING_SET_EX_BLOCK - :class:`M128A` ``[2]`` + Pointer to :class:`_PSAPI_WORKING_SET_EX_BLOCK` +.. class:: PSAPI_WORKING_SET_EX_BLOCK - .. attribute:: Legacy + Alias for :class:`_PSAPI_WORKING_SET_EX_BLOCK` - :class:`M128A` ``[8]`` +.. class:: _PSAPI_WORKING_SET_EX_BLOCK + .. attribute:: Flags - .. attribute:: Xmm0 + :class:`PVOID` - :class:`M128A` +_PSAPI_WORKING_SET_EX_BLOCK32 +''''''''''''''''''''''''''''' +.. class:: PPSAPI_WORKING_SET_EX_BLOCK32 + Pointer to :class:`_PSAPI_WORKING_SET_EX_BLOCK32` - .. 
attribute:: Xmm1 +.. class:: PSAPI_WORKING_SET_EX_BLOCK32 - :class:`M128A` + Alias for :class:`_PSAPI_WORKING_SET_EX_BLOCK32` +.. class:: _PSAPI_WORKING_SET_EX_BLOCK32 - .. attribute:: Xmm2 + .. attribute:: Flags - :class:`M128A` + :class:`DWORD` +_PSAPI_WORKING_SET_EX_BLOCK64 +''''''''''''''''''''''''''''' +.. class:: PPSAPI_WORKING_SET_EX_BLOCK64 - .. attribute:: Xmm3 + Pointer to :class:`_PSAPI_WORKING_SET_EX_BLOCK64` - :class:`M128A` +.. class:: PSAPI_WORKING_SET_EX_BLOCK64 + Alias for :class:`_PSAPI_WORKING_SET_EX_BLOCK64` - .. attribute:: Xmm4 +.. class:: _PSAPI_WORKING_SET_EX_BLOCK64 - :class:`M128A` + .. attribute:: Flags + :class:`ULONG64` - .. attribute:: Xmm5 +_PSAPI_WORKING_SET_EX_INFORMATION +''''''''''''''''''''''''''''''''' +.. class:: PPSAPI_WORKING_SET_EX_INFORMATION - :class:`M128A` + Pointer to :class:`_PSAPI_WORKING_SET_EX_INFORMATION` +.. class:: PSAPI_WORKING_SET_EX_INFORMATION - .. attribute:: Xmm6 + Alias for :class:`_PSAPI_WORKING_SET_EX_INFORMATION` - :class:`M128A` +.. class:: _PSAPI_WORKING_SET_EX_INFORMATION + .. attribute:: VirtualAddress - .. attribute:: Xmm7 + :class:`PVOID` - :class:`M128A` + .. attribute:: VirtualAttributes - .. attribute:: Xmm8 + :class:`PSAPI_WORKING_SET_EX_BLOCK` - :class:`M128A` +_PSAPI_WORKING_SET_EX_INFORMATION32 +''''''''''''''''''''''''''''''''''' +.. class:: PPSAPI_WORKING_SET_EX_INFORMATION32 + Pointer to :class:`_PSAPI_WORKING_SET_EX_INFORMATION32` - .. attribute:: Xmm9 +.. class:: PSAPI_WORKING_SET_EX_INFORMATION32 - :class:`M128A` + Alias for :class:`_PSAPI_WORKING_SET_EX_INFORMATION32` +.. class:: _PSAPI_WORKING_SET_EX_INFORMATION32 - .. attribute:: Xmm10 + .. attribute:: VirtualAddress - :class:`M128A` + :class:`DWORD` - .. attribute:: Xmm11 + .. attribute:: VirtualAttributes - :class:`M128A` + :class:`PSAPI_WORKING_SET_EX_BLOCK32` +_PSAPI_WORKING_SET_EX_INFORMATION64 +''''''''''''''''''''''''''''''''''' +.. class:: PPSAPI_WORKING_SET_EX_INFORMATION64 - .. 
attribute:: Xmm12 + Pointer to :class:`_PSAPI_WORKING_SET_EX_INFORMATION64` - :class:`M128A` +.. class:: PSAPI_WORKING_SET_EX_INFORMATION64 + Alias for :class:`_PSAPI_WORKING_SET_EX_INFORMATION64` - .. attribute:: Xmm13 +.. class:: _PSAPI_WORKING_SET_EX_INFORMATION64 - :class:`M128A` + .. attribute:: VirtualAddress + :class:`ULONG64` - .. attribute:: Xmm14 - :class:`M128A` + .. attribute:: VirtualAttributes + :class:`PSAPI_WORKING_SET_EX_BLOCK64` - .. attribute:: Xmm15 +_STARTUPINFOA +''''''''''''' +.. class:: LPSTARTUPINFOA - :class:`M128A` + Pointer to :class:`_STARTUPINFOA` -_TMP_CONTEXT64_SUBUNION -''''''''''''''''''''''' -.. class:: TMP_CONTEXT64_SUBUNION +.. class:: STARTUPINFOA - Alias for :class:`_TMP_CONTEXT64_SUBUNION` + Alias for :class:`_STARTUPINFOA` -.. class:: _TMP_CONTEXT64_SUBUNION +.. class:: _STARTUPINFOA - .. attribute:: FltSave + .. attribute:: cb - :class:`XSAVE_FORMAT_64` + :class:`DWORD` - .. attribute:: DUMMYSTRUCTNAME + .. attribute:: lpReserved - :class:`TMP_DUMMYSTRUCTNAME` + :class:`LPSTR` -_CONTEXT64 -'''''''''' -.. class:: CONTEXT64 - Alias for :class:`_CONTEXT64` + .. attribute:: lpDesktop -.. class:: LPCONTEXT64 + :class:`LPSTR` - Pointer to :class:`_CONTEXT64` -.. class:: PCONTEXT64 + .. attribute:: lpTitle - Pointer to :class:`_CONTEXT64` + :class:`LPSTR` -.. class:: _CONTEXT64 - .. attribute:: P1Home + .. attribute:: dwX - :class:`DWORD64` + :class:`DWORD` - .. attribute:: P2Home + .. attribute:: dwY - :class:`DWORD64` + :class:`DWORD` - .. attribute:: P3Home + .. attribute:: dwXSize - :class:`DWORD64` + :class:`DWORD` - .. attribute:: P4Home + .. attribute:: dwYSize - :class:`DWORD64` + :class:`DWORD` - .. attribute:: P5Home + .. attribute:: dwXCountChars - :class:`DWORD64` + :class:`DWORD` - .. attribute:: P6Home + .. attribute:: dwYCountChars - :class:`DWORD64` + :class:`DWORD` - .. attribute:: ContextFlags + .. attribute:: dwFillAttribute :class:`DWORD` - .. attribute:: MxCsr + .. attribute:: dwFlags :class:`DWORD` - .. 
attribute:: SegCs + .. attribute:: wShowWindow :class:`WORD` - .. attribute:: SegDs + .. attribute:: cbReserved2 :class:`WORD` - .. attribute:: SegEs + .. attribute:: lpReserved2 - :class:`WORD` + :class:`LPBYTE` - .. attribute:: SegFs + .. attribute:: hStdInput - :class:`WORD` + :class:`HANDLE` - .. attribute:: SegGs + .. attribute:: hStdOutput - :class:`WORD` + :class:`HANDLE` - .. attribute:: SegSs + .. attribute:: hStdError - :class:`WORD` + :class:`HANDLE` +_STARTUPINFOW +''''''''''''' +.. class:: LPSTARTUPINFOW - .. attribute:: EFlags + Pointer to :class:`_STARTUPINFOW` - :class:`DWORD` +.. class:: STARTUPINFOW + Alias for :class:`_STARTUPINFOW` - .. attribute:: Dr0 +.. class:: _STARTUPINFOW - :class:`DWORD64` + .. attribute:: cb + :class:`DWORD` - .. attribute:: Dr1 - :class:`DWORD64` + .. attribute:: lpReserved + :class:`LPWSTR` - .. attribute:: Dr2 - :class:`DWORD64` + .. attribute:: lpDesktop + :class:`LPWSTR` - .. attribute:: Dr3 - :class:`DWORD64` + .. attribute:: lpTitle + :class:`LPWSTR` - .. attribute:: Dr6 - :class:`DWORD64` + .. attribute:: dwX + :class:`DWORD` - .. attribute:: Dr7 - :class:`DWORD64` + .. attribute:: dwY + :class:`DWORD` - .. attribute:: Rax - :class:`DWORD64` + .. attribute:: dwXSize + :class:`DWORD` - .. attribute:: Rcx - :class:`DWORD64` + .. attribute:: dwYSize + :class:`DWORD` - .. attribute:: Rdx - :class:`DWORD64` + .. attribute:: dwXCountChars + :class:`DWORD` - .. attribute:: Rbx - :class:`DWORD64` + .. attribute:: dwYCountChars + :class:`DWORD` - .. attribute:: Rsp - :class:`DWORD64` + .. attribute:: dwFillAttribute + :class:`DWORD` - .. attribute:: Rbp - :class:`DWORD64` + .. attribute:: dwFlags + :class:`DWORD` - .. attribute:: Rsi - :class:`DWORD64` + .. attribute:: wShowWindow + :class:`WORD` - .. attribute:: Rdi - :class:`DWORD64` + .. attribute:: cbReserved2 + :class:`WORD` - .. attribute:: R8 - :class:`DWORD64` + .. attribute:: lpReserved2 + :class:`LPBYTE` - .. attribute:: R9 - :class:`DWORD64` + .. 
attribute:: hStdInput + :class:`HANDLE` - .. attribute:: R10 - :class:`DWORD64` + .. attribute:: hStdOutput + :class:`HANDLE` - .. attribute:: R11 - :class:`DWORD64` + .. attribute:: hStdError + :class:`HANDLE` - .. attribute:: R12 +_STARTUPINFOEXA +''''''''''''''' +.. class:: LPSTARTUPINFOEXA - :class:`DWORD64` + Pointer to :class:`_STARTUPINFOEXA` +.. class:: STARTUPINFOEXA - .. attribute:: R13 + Alias for :class:`_STARTUPINFOEXA` - :class:`DWORD64` +.. class:: _STARTUPINFOEXA + .. attribute:: StartupInfo - .. attribute:: R14 + :class:`STARTUPINFOA` - :class:`DWORD64` + .. attribute:: lpAttributeList - .. attribute:: R15 + :class:`LPPROC_THREAD_ATTRIBUTE_LIST` - :class:`DWORD64` +_STARTUPINFOEXW +''''''''''''''' +.. class:: LPSTARTUPINFOEXW + Pointer to :class:`_STARTUPINFOEXW` - .. attribute:: Rip +.. class:: STARTUPINFOEXW - :class:`DWORD64` + Alias for :class:`_STARTUPINFOEXW` +.. class:: _STARTUPINFOEXW - .. attribute:: DUMMYUNIONNAME + .. attribute:: StartupInfo - :class:`TMP_CONTEXT64_SUBUNION` + :class:`STARTUPINFOW` - .. attribute:: VectorRegister + .. attribute:: lpAttributeList - :class:`M128A` ``[26]`` + :class:`LPPROC_THREAD_ATTRIBUTE_LIST` +_PROCESS_INFORMATION +'''''''''''''''''''' +.. class:: LPPROCESS_INFORMATION - .. attribute:: VectorControl + Pointer to :class:`_PROCESS_INFORMATION` - :class:`DWORD64` +.. class:: PPROCESS_INFORMATION + Pointer to :class:`_PROCESS_INFORMATION` - .. attribute:: DebugControl +.. class:: PROCESS_INFORMATION - :class:`DWORD64` + Alias for :class:`_PROCESS_INFORMATION` +.. class:: _PROCESS_INFORMATION - .. attribute:: LastBranchToRip + .. attribute:: hProcess - :class:`DWORD64` + :class:`HANDLE` - .. attribute:: LastBranchFromRip + .. attribute:: hThread - :class:`DWORD64` + :class:`HANDLE` - .. attribute:: LastExceptionToRip + .. attribute:: dwProcessId - :class:`DWORD64` + :class:`DWORD` - .. attribute:: LastExceptionFromRip + .. 
attribute:: dwThreadId - :class:`DWORD64` + :class:`DWORD` tagPROCESSENTRY32W '''''''''''''''''' diff --git a/windows/generated_def/meta.py b/windows/generated_def/meta.py index 9dea2ff4..a13d471e 100644 --- a/windows/generated_def/meta.py +++ b/windows/generated_def/meta.py @@ -191,6 +191,8 @@ 'API_SET_SCHEMA_VERSION_V3', 'API_SET_SCHEMA_VERSION_V4', 'APPLICATION_ERROR_MASK', +'ARM64_MAX_BREAKPOINTS', +'ARM64_MAX_WATCHPOINTS', 'ASYNC_MODE_COMPATIBILITY', 'ASYNC_MODE_DEFAULT', 'ATM_ADDR_SIZE', @@ -661,6 +663,11 @@ 'CONTEXT_AMD64', 'CONTEXT_ARM', 'CONTEXT_ARM64', +'CONTEXT_ARM64_CONTROL', +'CONTEXT_ARM64_DEBUG_REGISTERS', +'CONTEXT_ARM64_FLOATING_POINT', +'CONTEXT_ARM64_INTEGER', +'CONTEXT_ARM64_X18', 'CONTEXT_CONTROL', 'CONTEXT_DEBUG_REGISTERS', 'CONTEXT_EXTENDED_REGISTERS', @@ -668,8 +675,12 @@ 'CONTEXT_FULL', 'CONTEXT_I386', 'CONTEXT_INTEGER', +'CONTEXT_RET_TO_GUEST', 'CONTEXT_SEGMENTS', +'CONTEXT_UNWOUND_TO_CALL', 'CONTEXT_XSTATE', +'CONTEXT_i386', +'CONTEXT_i486', 'CONTROL_C_EXIT', 'CREATE_ALWAYS', 'CREATE_BREAKAWAY_FROM_JOB', @@ -3281,6 +3292,21 @@ 'WIN_CERT_TYPE_RESERVED_1', 'WIN_CERT_TYPE_TS_STACK_SIGNED', 'WIN_CERT_TYPE_X509', +'WOW64_CONTEXT_ALL', +'WOW64_CONTEXT_CONTROL', +'WOW64_CONTEXT_DEBUG_REGISTERS', +'WOW64_CONTEXT_EXCEPTION_ACTIVE', +'WOW64_CONTEXT_EXCEPTION_REPORTING', +'WOW64_CONTEXT_EXCEPTION_REQUEST', +'WOW64_CONTEXT_EXTENDED_REGISTERS', +'WOW64_CONTEXT_FLOATING_POINT', +'WOW64_CONTEXT_FULL', +'WOW64_CONTEXT_INTEGER', +'WOW64_CONTEXT_SEGMENTS', +'WOW64_CONTEXT_SERVICE_ACTIVE', +'WOW64_CONTEXT_XSTATE', +'WOW64_CONTEXT_i386', +'WOW64_CONTEXT_i486', 'WOW64_MAXIMUM_SUPPORTED_EXTENSION', 'WOW64_SIZE_OF_80387_REGISTERS', 'WRITE_DAC', @@ -12257,6 +12283,8 @@ 'API_SET_VALUE_ARRAY_V4', 'API_SET_VALUE_ENTRY', 'API_SET_VALUE_ENTRY_V2', +'ARM64_NT_CONTEXT', +'ARM64_NT_NEON128', 'ARRAYDESC', 'ATTACH_VIRTUAL_DISK_PARAMETERS', 'BG_AUTH_CREDENTIALS', 
@@ -12887,6 +12915,8 @@ 'PAPI_SET_VALUE_ENTRY_V2', 'PARAMDESC', 'PARAMDESCEX', +'PARM64_NT_CONTEXT', +'PARM64_NT_NEON128', 'PATTACH_VIRTUAL_DISK_PARAMETERS', 'PBITMAP', 'PBITMAPCOREHEADER', @@ -13570,8 +13600,6 @@ 'TMPUNION_CMSG_MAIL_LIST_RECIPIENT_ENCODE_INFO', 'TMP_CERT_STRONG_SIGN_PARA_UNION_TYPE', 'TMP_CMSG_RECIPIENT_ENCODE_INFO_UNION', -'TMP_CONTEXT64_SUBUNION', -'TMP_DUMMYSTRUCTNAME', 'TMP_SPC_LINK_UNION', 'TMP_TYPEDESC_UNION', 'TMP_UNION_DEBUG_INFO', @@ -13712,6 +13740,8 @@ '_API_SET_VALUE_ARRAY_V4', '_API_SET_VALUE_ENTRY', '_API_SET_VALUE_ENTRY_V2', +'_ARM64_NT_CONTEXT', +'_ARM64_NT_NEON128', '_ATTACH_VIRTUAL_DISK_PARAMETERS', '_BG_FILE_INFO', '_BG_FILE_PROGRESS', @@ -14148,8 +14178,6 @@ '_TMPUNION_CMSG_KEY_AGREE_RECIPIENT_ENCODE_INFO', '_TMPUNION_CMSG_MAIL_LIST_RECIPIENT_ENCODE_INFO', '_TMP_CMSG_RECIPIENT_ENCODE_INFO_UNION', -'_TMP_CONTEXT64_SUBUNION', -'_TMP_DUMMYSTRUCTNAME', '_TMP_SPC_LINK_UNION', '_TMP_TYPEDESC_UNION', '_TMP_UNION_DEBUG_INFO', diff --git a/windows/generated_def/windef.py b/windows/generated_def/windef.py index d21e344f..7a457031 100644 --- a/windows/generated_def/windef.py +++ b/windows/generated_def/windef.py 
@@ -1889,6 +1889,45 @@ def ProcThreadAttributeValue(Number, Thread, Input, Additive): SPC_FINANCIAL_CRITERIA_OBJID = make_flag("SPC_FINANCIAL_CRITERIA_OBJID", "1.3.6.1.4.1.311.2.1.27") SPC_LINK_OBJID = make_flag("SPC_LINK_OBJID", "1.3.6.1.4.1.311.2.1.28") SPC_SIGINFO_OBJID = make_flag("SPC_SIGINFO_OBJID", "1.3.6.1.4.1.311.2.1.30") +CONTEXT_I386 = make_flag("CONTEXT_I386", 0x00010000) +CONTEXT_AMD64 = make_flag("CONTEXT_AMD64", 0x00100000) +CONTEXT_ARM = make_flag("CONTEXT_ARM", 0x00200000) +CONTEXT_ARM64 = make_flag("CONTEXT_ARM64", 0x00400000) +CONTEXT_i386 = make_flag("CONTEXT_i386", 0x00010000) +CONTEXT_i486 = make_flag("CONTEXT_i486", 0x00010000) +WOW64_CONTEXT_i386 = make_flag("WOW64_CONTEXT_i386", 0x00010000) +WOW64_CONTEXT_i486 = make_flag("WOW64_CONTEXT_i486", 0x00010000) +CONTEXT_CONTROL = make_flag("CONTEXT_CONTROL", 0x00000001) +CONTEXT_INTEGER = make_flag("CONTEXT_INTEGER", 0x00000002) +CONTEXT_SEGMENTS = make_flag("CONTEXT_SEGMENTS", 0x00000004) +CONTEXT_FLOATING_POINT = make_flag("CONTEXT_FLOATING_POINT", 0x00000008) +CONTEXT_DEBUG_REGISTERS = make_flag("CONTEXT_DEBUG_REGISTERS", 0x00000010) +CONTEXT_EXTENDED_REGISTERS = make_flag("CONTEXT_EXTENDED_REGISTERS", 0x00000020) +CONTEXT_FULL = make_flag("CONTEXT_FULL", ( CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS )) +CONTEXT_ALL = make_flag("CONTEXT_ALL", ( CONTEXT_FULL | CONTEXT_FLOATING_POINT | CONTEXT_DEBUG_REGISTERS | CONTEXT_EXTENDED_REGISTERS )) +CONTEXT_XSTATE = make_flag("CONTEXT_XSTATE", ( CONTEXT_I386 | 0x00000040 )) +WOW64_CONTEXT_CONTROL = make_flag("WOW64_CONTEXT_CONTROL", ( WOW64_CONTEXT_i386 | 0x00000001 )) +WOW64_CONTEXT_INTEGER = make_flag("WOW64_CONTEXT_INTEGER", ( WOW64_CONTEXT_i386 | 0x00000002 )) +WOW64_CONTEXT_SEGMENTS = make_flag("WOW64_CONTEXT_SEGMENTS", ( WOW64_CONTEXT_i386 | 0x00000004 )) +WOW64_CONTEXT_FLOATING_POINT = make_flag("WOW64_CONTEXT_FLOATING_POINT", ( WOW64_CONTEXT_i386 | 0x00000008 )) +WOW64_CONTEXT_DEBUG_REGISTERS = make_flag("WOW64_CONTEXT_DEBUG_REGISTERS", 
( WOW64_CONTEXT_i386 | 0x00000010 )) +WOW64_CONTEXT_EXTENDED_REGISTERS = make_flag("WOW64_CONTEXT_EXTENDED_REGISTERS", ( WOW64_CONTEXT_i386 | 0x00000020 )) +WOW64_CONTEXT_FULL = make_flag("WOW64_CONTEXT_FULL", ( WOW64_CONTEXT_CONTROL | WOW64_CONTEXT_INTEGER | WOW64_CONTEXT_SEGMENTS )) +WOW64_CONTEXT_ALL = make_flag("WOW64_CONTEXT_ALL", ( WOW64_CONTEXT_CONTROL | WOW64_CONTEXT_INTEGER | WOW64_CONTEXT_SEGMENTS | WOW64_CONTEXT_FLOATING_POINT | WOW64_CONTEXT_DEBUG_REGISTERS | WOW64_CONTEXT_EXTENDED_REGISTERS )) +WOW64_CONTEXT_XSTATE = make_flag("WOW64_CONTEXT_XSTATE", ( WOW64_CONTEXT_i386 | 0x00000040 )) +WOW64_CONTEXT_EXCEPTION_ACTIVE = make_flag("WOW64_CONTEXT_EXCEPTION_ACTIVE", 0x08000000) +WOW64_CONTEXT_SERVICE_ACTIVE = make_flag("WOW64_CONTEXT_SERVICE_ACTIVE", 0x10000000) +WOW64_CONTEXT_EXCEPTION_REQUEST = make_flag("WOW64_CONTEXT_EXCEPTION_REQUEST", 0x40000000) +WOW64_CONTEXT_EXCEPTION_REPORTING = make_flag("WOW64_CONTEXT_EXCEPTION_REPORTING", 0x80000000) +CONTEXT_ARM64_CONTROL = make_flag("CONTEXT_ARM64_CONTROL", ( CONTEXT_ARM64 | 0x1 )) +CONTEXT_ARM64_INTEGER = make_flag("CONTEXT_ARM64_INTEGER", ( CONTEXT_ARM64 | 0x2 )) +CONTEXT_ARM64_FLOATING_POINT = make_flag("CONTEXT_ARM64_FLOATING_POINT", ( CONTEXT_ARM64 | 0x4 )) +CONTEXT_ARM64_DEBUG_REGISTERS = make_flag("CONTEXT_ARM64_DEBUG_REGISTERS", ( CONTEXT_ARM64 | 0x8 )) +CONTEXT_ARM64_X18 = make_flag("CONTEXT_ARM64_X18", ( CONTEXT_ARM64 | 0x10 )) +CONTEXT_UNWOUND_TO_CALL = make_flag("CONTEXT_UNWOUND_TO_CALL", 0x20000000) +CONTEXT_RET_TO_GUEST = make_flag("CONTEXT_RET_TO_GUEST", 0x04000000) +ARM64_MAX_BREAKPOINTS = make_flag("ARM64_MAX_BREAKPOINTS", 8) +ARM64_MAX_WATCHPOINTS = make_flag("ARM64_MAX_WATCHPOINTS", 2) FILE_VER_GET_LOCALISED = make_flag("FILE_VER_GET_LOCALISED", 0x01) FILE_VER_GET_NEUTRAL = make_flag("FILE_VER_GET_NEUTRAL", 0x02) FILE_VER_GET_PREFETCHED = make_flag("FILE_VER_GET_PREFETCHED", 0x04) 
@@ -2000,19 +2039,6 @@ def ProcThreadAttributeValue(Number, Thread, Input, Additive): TH32CS_SNAPMODULE32 = make_flag("TH32CS_SNAPMODULE32", 0x00000010) TH32CS_SNAPALL = make_flag("TH32CS_SNAPALL", ( TH32CS_SNAPHEAPLIST | TH32CS_SNAPPROCESS | TH32CS_SNAPTHREAD | TH32CS_SNAPMODULE )) TH32CS_INHERIT = make_flag("TH32CS_INHERIT", 0x80000000) -CONTEXT_I386 = make_flag("CONTEXT_I386", 0x00010000) -CONTEXT_AMD64 = make_flag("CONTEXT_AMD64", 0x00100000) -CONTEXT_ARM = make_flag("CONTEXT_ARM", 0x00200000) -CONTEXT_ARM64 = make_flag("CONTEXT_ARM64", 0x00400000) -CONTEXT_CONTROL = make_flag("CONTEXT_CONTROL", 0x00000001) -CONTEXT_INTEGER = make_flag("CONTEXT_INTEGER", 0x00000002) -CONTEXT_SEGMENTS = make_flag("CONTEXT_SEGMENTS", 0x00000004) -CONTEXT_FLOATING_POINT = make_flag("CONTEXT_FLOATING_POINT", 0x00000008) -CONTEXT_DEBUG_REGISTERS = make_flag("CONTEXT_DEBUG_REGISTERS", 0x00000010) -CONTEXT_EXTENDED_REGISTERS = make_flag("CONTEXT_EXTENDED_REGISTERS", 0x00000020) -CONTEXT_FULL = make_flag("CONTEXT_FULL", ( CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS )) -CONTEXT_ALL = make_flag("CONTEXT_ALL", ( CONTEXT_FULL | CONTEXT_FLOATING_POINT | CONTEXT_DEBUG_REGISTERS | CONTEXT_EXTENDED_REGISTERS )) -CONTEXT_XSTATE = make_flag("CONTEXT_XSTATE", ( CONTEXT_I386 | 0x00000040 )) PAGE_NOACCESS = make_flag("PAGE_NOACCESS", 0x01) PAGE_READONLY = make_flag("PAGE_READONLY", 0x02) PAGE_READWRITE = make_flag("PAGE_READWRITE", 0x04) diff --git a/windows/generated_def/winstructs.py b/windows/generated_def/winstructs.py index b1204dfe..2e67b772 100644 --- a/windows/generated_def/winstructs.py +++ b/windows/generated_def/winstructs.py 
@@ -5212,6 +5212,313 @@ class _TEB(Structure): ] TEB = _TEB +class _ANON__ARM64_NT_NEON128_SUB_STRUCTURE_1(Structure): + _fields_ = [ + ("Low", ULONGLONG), + ("High", LONGLONG), + ] + +class _ARM64_NT_NEON128(Union): + _anonymous_ = ("DUMMYSTRUCTNAME",) + _fields_ = [ + ("DUMMYSTRUCTNAME", _ANON__ARM64_NT_NEON128_SUB_STRUCTURE_1), + ("D", DOUBLE * (2)), + ("S", FLOAT * (4)), + ("H", WORD * (8)), + ("B", BYTE * (16)), + ] +ARM64_NT_NEON128 = _ARM64_NT_NEON128 +PARM64_NT_NEON128 = POINTER(_ARM64_NT_NEON128) + +class _ANON__ANON__ARM64_NT_CONTEXT_SUB_UNION_1_SUB_STRUCTURE_1(Structure): + _fields_ = [ + ("X0", DWORD64), + ("X1", DWORD64), + ("X2", DWORD64), + ("X3", DWORD64), + ("X4", DWORD64), + ("X5", DWORD64), + ("X6", DWORD64), + ("X7", DWORD64), + ("X8", DWORD64), + ("X9", DWORD64), + ("X10", DWORD64), + ("X11", DWORD64), + ("X12", DWORD64), + ("X13", DWORD64), + ("X14", DWORD64), + ("X15", DWORD64), + ("X16", DWORD64), + ("X17", DWORD64), + ("X18", DWORD64), + ("X19", DWORD64), + ("X20", DWORD64), + ("X21", DWORD64), + ("X22", DWORD64), + ("X23", DWORD64), + ("X24", DWORD64), + ("X25", DWORD64), + ("X26", DWORD64), + ("X27", DWORD64), + ("X28", DWORD64), + ("Fp", DWORD64), + ("Lr", DWORD64), + ] + +class _ANON__ARM64_NT_CONTEXT_SUB_UNION_1(Union): + _anonymous_ = ("DUMMYSTRUCTNAME",) + _fields_ = [ + ("DUMMYSTRUCTNAME", _ANON__ANON__ARM64_NT_CONTEXT_SUB_UNION_1_SUB_STRUCTURE_1), + ("X", DWORD64 * (31)), + ] + +class _ARM64_NT_CONTEXT(Structure): + _anonymous_ = ("DUMMYUNIONNAME",) + _fields_ = [ + ("ContextFlags", DWORD), + ("Cpsr", DWORD), + ("DUMMYUNIONNAME", _ANON__ARM64_NT_CONTEXT_SUB_UNION_1), + ("Sp", DWORD64), + ("Pc", DWORD64), + ("V", ARM64_NT_NEON128 * (32)), + ("Fpcr", DWORD), + ("Fpsr", DWORD), + ("Bcr", DWORD * (ARM64_MAX_BREAKPOINTS)), + ("Bvr", DWORD64 * (ARM64_MAX_BREAKPOINTS)), + ("Wcr", DWORD * (ARM64_MAX_WATCHPOINTS)), + ("Wvr", DWORD64 * (ARM64_MAX_WATCHPOINTS)), + ] +ARM64_NT_CONTEXT = _ARM64_NT_CONTEXT +PARM64_NT_CONTEXT = 
POINTER(_ARM64_NT_CONTEXT) + +class _FLOATING_SAVE_AREA(Structure): + _fields_ = [ + ("ControlWord", DWORD), + ("StatusWord", DWORD), + ("TagWord", DWORD), + ("ErrorOffset", DWORD), + ("ErrorSelector", DWORD), + ("DataOffset", DWORD), + ("DataSelector", DWORD), + ("RegisterArea", BYTE * (80)), + ("Cr0NpxState", DWORD), + ] +FLOATING_SAVE_AREA = _FLOATING_SAVE_AREA + +class _CONTEXT32(Structure): + _fields_ = [ + ("ContextFlags", DWORD), + ("Dr0", DWORD), + ("Dr1", DWORD), + ("Dr2", DWORD), + ("Dr3", DWORD), + ("Dr6", DWORD), + ("Dr7", DWORD), + ("FloatSave", FLOATING_SAVE_AREA), + ("SegGs", DWORD), + ("SegFs", DWORD), + ("SegEs", DWORD), + ("SegDs", DWORD), + ("Edi", DWORD), + ("Esi", DWORD), + ("Ebx", DWORD), + ("Edx", DWORD), + ("Ecx", DWORD), + ("Eax", DWORD), + ("Ebp", DWORD), + ("Eip", DWORD), + ("SegCs", DWORD), + ("EFlags", DWORD), + ("Esp", DWORD), + ("SegSs", DWORD), + ("ExtendedRegisters", BYTE * (512)), + ] +CONTEXT32 = _CONTEXT32 +LPCONTEXT32 = POINTER(_CONTEXT32) +PCONTEXT32 = POINTER(_CONTEXT32) + +class _WOW64_FLOATING_SAVE_AREA(Structure): + _fields_ = [ + ("ControlWord", DWORD), + ("StatusWord", DWORD), + ("TagWord", DWORD), + ("ErrorOffset", DWORD), + ("ErrorSelector", DWORD), + ("DataOffset", DWORD), + ("DataSelector", DWORD), + ("RegisterArea", BYTE * (WOW64_SIZE_OF_80387_REGISTERS)), + ("Cr0NpxState", DWORD), + ] +WOW64_FLOATING_SAVE_AREA = _WOW64_FLOATING_SAVE_AREA + +class _WOW64_CONTEXT(Structure): + _fields_ = [ + ("ContextFlags", DWORD), + ("Dr0", DWORD), + ("Dr1", DWORD), + ("Dr2", DWORD), + ("Dr3", DWORD), + ("Dr6", DWORD), + ("Dr7", DWORD), + ("FloatSave", WOW64_FLOATING_SAVE_AREA), + ("SegGs", DWORD), + ("SegFs", DWORD), + ("SegEs", DWORD), + ("SegDs", DWORD), + ("Edi", DWORD), + ("Esi", DWORD), + ("Ebx", DWORD), + ("Edx", DWORD), + ("Ecx", DWORD), + ("Eax", DWORD), + ("Ebp", DWORD), + ("Eip", DWORD), + ("SegCs", DWORD), + ("EFlags", DWORD), + ("Esp", DWORD), + ("SegSs", DWORD), + ("ExtendedRegisters", BYTE * 
(WOW64_MAXIMUM_SUPPORTED_EXTENSION)), + ] +PWOW64_CONTEXT = POINTER(_WOW64_CONTEXT) +WOW64_CONTEXT = _WOW64_CONTEXT + +class _M128A(Structure): + _fields_ = [ + ("Low", ULONGLONG), + ("High", LONGLONG), + ] +M128A = _M128A +PM128A = POINTER(_M128A) + +class _XSAVE_FORMAT_64(Structure): + _fields_ = [ + ("ControlWord", WORD), + ("StatusWord", WORD), + ("TagWord", BYTE), + ("Reserved1", BYTE), + ("ErrorOpcode", WORD), + ("ErrorOffset", DWORD), + ("ErrorSelector", WORD), + ("Reserved2", WORD), + ("DataOffset", DWORD), + ("DataSelector", WORD), + ("Reserved3", WORD), + ("MxCsr", DWORD), + ("MxCsr_Mask", DWORD), + ("FloatRegisters", M128A * (8)), + ("XmmRegisters", M128A * (16)), + ("Reserved4", BYTE * (96)), + ] +PXSAVE_FORMAT_64 = POINTER(_XSAVE_FORMAT_64) +XSAVE_FORMAT_64 = _XSAVE_FORMAT_64 + +class _XSAVE_FORMAT_32(Structure): + _fields_ = [ + ("ControlWord", WORD), + ("StatusWord", WORD), + ("TagWord", BYTE), + ("Reserved1", BYTE), + ("ErrorOpcode", WORD), + ("ErrorOffset", DWORD), + ("ErrorSelector", WORD), + ("Reserved2", WORD), + ("DataOffset", DWORD), + ("DataSelector", WORD), + ("Reserved3", WORD), + ("MxCsr", DWORD), + ("MxCsr_Mask", DWORD), + ("FloatRegisters", M128A * (8)), + ("XmmRegisters", M128A * (8)), + ("Reserved4", BYTE * (192)), + ("StackControl", DWORD * (7)), + ("Cr0NpxState", DWORD), + ] +PXSAVE_FORMAT_32 = POINTER(_XSAVE_FORMAT_32) +XSAVE_FORMAT_32 = _XSAVE_FORMAT_32 + +class _ANON__ANON__CONTEXT64_SUB_UNION_1_SUB_STRUCTURE_1(Structure): + _fields_ = [ + ("Header", M128A * (2)), + ("Legacy", M128A * (8)), + ("Xmm0", M128A), + ("Xmm1", M128A), + ("Xmm2", M128A), + ("Xmm3", M128A), + ("Xmm4", M128A), + ("Xmm5", M128A), + ("Xmm6", M128A), + ("Xmm7", M128A), + ("Xmm8", M128A), + ("Xmm9", M128A), + ("Xmm10", M128A), + ("Xmm11", M128A), + ("Xmm12", M128A), + ("Xmm13", M128A), + ("Xmm14", M128A), + ("Xmm15", M128A), + ] + +class _ANON__CONTEXT64_SUB_UNION_1(Union): + _anonymous_ = ("DUMMYSTRUCTNAME",) + _fields_ = [ + ("FltSave", XSAVE_FORMAT_64), + 
("DUMMYSTRUCTNAME", _ANON__ANON__CONTEXT64_SUB_UNION_1_SUB_STRUCTURE_1), + ] + +class _CONTEXT64(Structure): + _anonymous_ = ("DUMMYUNIONNAME",) + _fields_ = [ + ("P1Home", DWORD64), + ("P2Home", DWORD64), + ("P3Home", DWORD64), + ("P4Home", DWORD64), + ("P5Home", DWORD64), + ("P6Home", DWORD64), + ("ContextFlags", DWORD), + ("MxCsr", DWORD), + ("SegCs", WORD), + ("SegDs", WORD), + ("SegEs", WORD), + ("SegFs", WORD), + ("SegGs", WORD), + ("SegSs", WORD), + ("EFlags", DWORD), + ("Dr0", DWORD64), + ("Dr1", DWORD64), + ("Dr2", DWORD64), + ("Dr3", DWORD64), + ("Dr6", DWORD64), + ("Dr7", DWORD64), + ("Rax", DWORD64), + ("Rcx", DWORD64), + ("Rdx", DWORD64), + ("Rbx", DWORD64), + ("Rsp", DWORD64), + ("Rbp", DWORD64), + ("Rsi", DWORD64), + ("Rdi", DWORD64), + ("R8", DWORD64), + ("R9", DWORD64), + ("R10", DWORD64), + ("R11", DWORD64), + ("R12", DWORD64), + ("R13", DWORD64), + ("R14", DWORD64), + ("R15", DWORD64), + ("Rip", DWORD64), + ("DUMMYUNIONNAME", _ANON__CONTEXT64_SUB_UNION_1), + ("VectorRegister", M128A * (26)), + ("VectorControl", DWORD64), + ("DebugControl", DWORD64), + ("LastBranchToRip", DWORD64), + ("LastBranchFromRip", DWORD64), + ("LastExceptionToRip", DWORD64), + ("LastExceptionFromRip", DWORD64), + ] +CONTEXT64 = _CONTEXT64 +LPCONTEXT64 = POINTER(_CONTEXT64) +PCONTEXT64 = POINTER(_CONTEXT64) + class _TRACE_PROVIDER_INFO(Structure): _fields_ = [ ("ProviderGuid", GUID), 
@@ -6321,234 +6628,6 @@ class _PROCESS_INFORMATION(Structure): PPROCESS_INFORMATION = POINTER(_PROCESS_INFORMATION) PROCESS_INFORMATION = _PROCESS_INFORMATION -class _FLOATING_SAVE_AREA(Structure): - _fields_ = [ - ("ControlWord", DWORD), - ("StatusWord", DWORD), - ("TagWord", DWORD), - ("ErrorOffset", DWORD), - ("ErrorSelector", DWORD), - ("DataOffset", DWORD), - ("DataSelector", DWORD), - ("RegisterArea", BYTE * (80)), - ("Cr0NpxState", DWORD), - ] -FLOATING_SAVE_AREA = _FLOATING_SAVE_AREA - -class _CONTEXT32(Structure): - _fields_ = [ - ("ContextFlags", DWORD), - ("Dr0", DWORD), - ("Dr1", DWORD), - ("Dr2", DWORD), - ("Dr3", DWORD), - ("Dr6", DWORD), - ("Dr7", DWORD), - ("FloatSave", FLOATING_SAVE_AREA), - ("SegGs", DWORD), - ("SegFs", DWORD), - ("SegEs", DWORD), - ("SegDs", DWORD), - ("Edi", DWORD), - ("Esi", DWORD), - ("Ebx", DWORD), - ("Edx", DWORD), - ("Ecx", DWORD), - ("Eax", DWORD), - ("Ebp", DWORD), - ("Eip", DWORD), - ("SegCs", DWORD), - ("EFlags", DWORD), - ("Esp", DWORD), - ("SegSs", DWORD), - ("ExtendedRegisters", BYTE * (512)), - ] -CONTEXT32 = _CONTEXT32 -LPCONTEXT32 = POINTER(_CONTEXT32) -PCONTEXT32 = POINTER(_CONTEXT32) - -class _WOW64_FLOATING_SAVE_AREA(Structure): - _fields_ = [ - ("ControlWord", DWORD), - ("StatusWord", DWORD), - ("TagWord", DWORD), - ("ErrorOffset", DWORD), - ("ErrorSelector", DWORD), - ("DataOffset", DWORD), - ("DataSelector", DWORD), - ("RegisterArea", BYTE * (WOW64_SIZE_OF_80387_REGISTERS)), - ("Cr0NpxState", DWORD), - ] -WOW64_FLOATING_SAVE_AREA = _WOW64_FLOATING_SAVE_AREA - -class _WOW64_CONTEXT(Structure): - _fields_ = [ - ("ContextFlags", DWORD), - ("Dr0", DWORD), - ("Dr1", DWORD), - ("Dr2", DWORD), - ("Dr3", DWORD), - ("Dr6", DWORD), - ("Dr7", DWORD), - ("FloatSave", WOW64_FLOATING_SAVE_AREA), - ("SegGs", DWORD), - ("SegFs", DWORD), - ("SegEs", DWORD), - ("SegDs", DWORD), - ("Edi", DWORD), - ("Esi", DWORD), - ("Ebx", DWORD), - ("Edx", DWORD), - ("Ecx", DWORD), - ("Eax", DWORD), - ("Ebp", DWORD), - ("Eip", DWORD), - 
("SegCs", DWORD), - ("EFlags", DWORD), - ("Esp", DWORD), - ("SegSs", DWORD), - ("ExtendedRegisters", BYTE * (WOW64_MAXIMUM_SUPPORTED_EXTENSION)), - ] -PWOW64_CONTEXT = POINTER(_WOW64_CONTEXT) -WOW64_CONTEXT = _WOW64_CONTEXT - -class _M128A(Structure): - _fields_ = [ - ("Low", ULONGLONG), - ("High", LONGLONG), - ] -M128A = _M128A -PM128A = POINTER(_M128A) - -class _XSAVE_FORMAT_64(Structure): - _fields_ = [ - ("ControlWord", WORD), - ("StatusWord", WORD), - ("TagWord", BYTE), - ("Reserved1", BYTE), - ("ErrorOpcode", WORD), - ("ErrorOffset", DWORD), - ("ErrorSelector", WORD), - ("Reserved2", WORD), - ("DataOffset", DWORD), - ("DataSelector", WORD), - ("Reserved3", WORD), - ("MxCsr", DWORD), - ("MxCsr_Mask", DWORD), - ("FloatRegisters", M128A * (8)), - ("XmmRegisters", M128A * (16)), - ("Reserved4", BYTE * (96)), - ] -PXSAVE_FORMAT_64 = POINTER(_XSAVE_FORMAT_64) -XSAVE_FORMAT_64 = _XSAVE_FORMAT_64 - -class _XSAVE_FORMAT_32(Structure): - _fields_ = [ - ("ControlWord", WORD), - ("StatusWord", WORD), - ("TagWord", BYTE), - ("Reserved1", BYTE), - ("ErrorOpcode", WORD), - ("ErrorOffset", DWORD), - ("ErrorSelector", WORD), - ("Reserved2", WORD), - ("DataOffset", DWORD), - ("DataSelector", WORD), - ("Reserved3", WORD), - ("MxCsr", DWORD), - ("MxCsr_Mask", DWORD), - ("FloatRegisters", M128A * (8)), - ("XmmRegisters", M128A * (8)), - ("Reserved4", BYTE * (192)), - ("StackControl", DWORD * (7)), - ("Cr0NpxState", DWORD), - ] -PXSAVE_FORMAT_32 = POINTER(_XSAVE_FORMAT_32) -XSAVE_FORMAT_32 = _XSAVE_FORMAT_32 - -class _TMP_DUMMYSTRUCTNAME(Structure): - _fields_ = [ - ("Header", M128A * (2)), - ("Legacy", M128A * (8)), - ("Xmm0", M128A), - ("Xmm1", M128A), - ("Xmm2", M128A), - ("Xmm3", M128A), - ("Xmm4", M128A), - ("Xmm5", M128A), - ("Xmm6", M128A), - ("Xmm7", M128A), - ("Xmm8", M128A), - ("Xmm9", M128A), - ("Xmm10", M128A), - ("Xmm11", M128A), - ("Xmm12", M128A), - ("Xmm13", M128A), - ("Xmm14", M128A), - ("Xmm15", M128A), - ] -TMP_DUMMYSTRUCTNAME = _TMP_DUMMYSTRUCTNAME - -class 
_TMP_CONTEXT64_SUBUNION(Union): - _fields_ = [ - ("FltSave", XSAVE_FORMAT_64), - ("DUMMYSTRUCTNAME", TMP_DUMMYSTRUCTNAME), - ] -TMP_CONTEXT64_SUBUNION = _TMP_CONTEXT64_SUBUNION - -class _CONTEXT64(Structure): - _fields_ = [ - ("P1Home", DWORD64), - ("P2Home", DWORD64), - ("P3Home", DWORD64), - ("P4Home", DWORD64), - ("P5Home", DWORD64), - ("P6Home", DWORD64), - ("ContextFlags", DWORD), - ("MxCsr", DWORD), - ("SegCs", WORD), - ("SegDs", WORD), - ("SegEs", WORD), - ("SegFs", WORD), - ("SegGs", WORD), - ("SegSs", WORD), - ("EFlags", DWORD), - ("Dr0", DWORD64), - ("Dr1", DWORD64), - ("Dr2", DWORD64), - ("Dr3", DWORD64), - ("Dr6", DWORD64), - ("Dr7", DWORD64), - ("Rax", DWORD64), - ("Rcx", DWORD64), - ("Rdx", DWORD64), - ("Rbx", DWORD64), - ("Rsp", DWORD64), - ("Rbp", DWORD64), - ("Rsi", DWORD64), - ("Rdi", DWORD64), - ("R8", DWORD64), - ("R9", DWORD64), - ("R10", DWORD64), - ("R11", DWORD64), - ("R12", DWORD64), - ("R13", DWORD64), - ("R14", DWORD64), - ("R15", DWORD64), - ("Rip", DWORD64), - ("DUMMYUNIONNAME", TMP_CONTEXT64_SUBUNION), - ("VectorRegister", M128A * (26)), - ("VectorControl", DWORD64), - ("DebugControl", DWORD64), - ("LastBranchToRip", DWORD64), - ("LastBranchFromRip", DWORD64), - ("LastExceptionToRip", DWORD64), - ("LastExceptionFromRip", DWORD64), - ] -CONTEXT64 = _CONTEXT64 -LPCONTEXT64 = POINTER(_CONTEXT64) -PCONTEXT64 = POINTER(_CONTEXT64) - class tagPROCESSENTRY32W(Structure): _fields_ = [ ("dwSize", DWORD), From 520fa864b8ff09ce294038d0227ef0eb1fc6b009 Mon Sep 17 00:00:00 2001 From: hakril Date: Fri, 7 Mar 2025 15:28:54 +0100 Subject: [PATCH 70/70] Disable ARM64 tests until github publish ARM64 github runners --- .github/workflows/tests.yml | 62 ++++++++++++++++++------------------- 1 file changed, 31 insertions(+), 31 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index f4707d7f..a11bca06 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml 
@@ -95,34 +95,34 @@ jobs: seconds_between_github_writes: 10 seconds_between_github_reads: 1 - tests_arm64: - needs: generate_ctypes - timeout-minutes: 15 - runs-on: windows-ARM64 - continue-on-error: true - - strategy: - fail-fast: false - matrix: - python-version: [3.11] - python-architecture: [x86, x64, arm64] - include: - # Translate architecture to bitness for py.exe commandline - - python-bitness-to-test: 32 - python-architecture: x86 - - python-bitness-to-test: 64 - python-architecture: x64 - - python-bitness-to-test: arm64 - python-architecture: arm64 - - steps: - - uses: actions/checkout@v4 - - - name: Listing python versions availables - run: py -0 - - - name: Testing PFW execute - run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -c "import windows; print(windows)" - - - name: Arm64 pytests - run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -m pytest tests -k "not test_debugger" -v -s -r fEsx +# tests_arm64: +# needs: generate_ctypes +# timeout-minutes: 15 +# runs-on: windows-ARM64 +# continue-on-error: true +# +# strategy: +# fail-fast: false +# matrix: +# python-version: [3.11] +# python-architecture: [x86, x64, arm64] +# include: +# # Translate architecture to bitness for py.exe commandline +# - python-bitness-to-test: 32 +# python-architecture: x86 +# - python-bitness-to-test: 64 +# python-architecture: x64 +# - python-bitness-to-test: arm64 +# python-architecture: arm64 +# +# steps: +# - uses: actions/checkout@v4 +# +# - name: Listing python versions availables +# run: py -0 +# +# - name: Testing PFW execute +# run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -c "import windows; print(windows)" +# +# - name: Arm64 pytests +# run: py -${{ matrix.python-version}}-${{ matrix.python-bitness-to-test}} -m pytest tests -k "not test_debugger" -v -s -r fEsx \ No newline at end of file
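Review bot: Disabling the job by commenting out all of its lines (the `# tests_arm64:` block that replaces the removed job) leaves dead text that yamllint and the workflow schema no longer validate, so it will silently drift from the other jobs before it is re-enabled; a job-level guard such as `if: false  # TODO: re-enable when GitHub publishes hosted windows-ARM64 runners` keeps the definition parsed and keeps `needs: generate_ctypes` honest. While the job is being touched, pin the action by commit rather than the mutable tag — `- uses: actions/checkout@<full commit sha>  # v4` — since a moved tag is the usual supply-chain path into a CI runner. The matrix entry `python-version: [3.11]` is an unquoted YAML float; it happens to round-trip for 3.11, but `3.10` would become `3.1`, so write `python-version: ['3.11']`. The `\ No newline at end of file` marker shows the commented block also dropped the file's trailing newline. The enclosing `jobs:` mapping begins outside the hunk.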