{$APPTYPE CONSOLE}
{$TYPEDADDRESS ON}
{$LONGSTRINGS OFF}
{ --------------------------------------------------------------------------- }
program _PebOffsets;
{ program to verify the offsets of the PEB structure }
uses
_8905_Utils,
_9000_000_ntdll
;
function sprintf(
{ _out_ } OutAsciizBuffer : pchar;
{ _in_ } InAsciizFormat : pchar;
{ _in_ } InFieldName : pchar
)
: integer; cdecl; external ntdll;
{ C-style sprintf imported from ntdll, declared here with exactly one %s
  argument rather than as varargs, so it may only be called with a format
  that consumes a single string.
  Nothing bounds the write: the caller must size OutAsciizBuffer for the
  whole formatted result (format text plus the full length of InFieldName),
  and InAsciizFormat must be a literal, never data from outside the program.
  The integer result is not examined anywhere in this program. }
{ used to left justify the field name in a field of spaces }
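procedure WriteOffset(FieldName : pchar; Offset : ptruint);
{ Output one PEB field name and its offset in hex and decimal as a single
  line of the form
    ' <FieldName left-justified in 40 columns> : <hex:5> <decimal:5>'
  FieldName - zero-terminated name of the field (nil prints as an empty name)
  Offset    - byte offset of the field, as produced by @TPEB(nil^).Field
  The padding is done with Pascal write widths instead of an unbounded
  sprintf into a fixed 256-byte stack buffer, so a long FieldName can never
  overrun a buffer. A name longer than 40 characters is printed in full with
  no padding, which is what the previous '%-40s' format produced as well. }
const
  WIDTH     = 5;  { column width of the hex and decimal offset }
  NAMEWIDTH = 40; { column width of the left-justified field name }
var
  WorkBuf : packed array[0..255] of char; { scratch buffer for DToHexD }
  Len     : integer;                      { number of characters in FieldName }
begin
  write(' ');
  Len := 0;
  if FieldName <> nil then
  begin
    { measure the name ourselves; no C runtime call is needed for this }
    while FieldName[Len] <> #0 do
      inc(Len);
    write(FieldName);
  end;
  { write(' ':n) emits exactly n spaces, completing the 40-column field }
  if Len < NAMEWIDTH then
    write(' ' : NAMEWIDTH - Len);
  write(' : ');
  writeln(DToHexD(Offset, 0, WorkBuf):WIDTH, ' ', Offset:WIDTH);
end;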
{ Program body: print sizeof(TPEB) and the byte offset of every TPEB field,
  for the pointer size this binary was compiled with (32- or 64-bit).
  Each offset is obtained as @TPEB(nil^).Field, the Pascal offsetof idiom:
  the field's address is computed relative to a nil base, nothing is read
  through the pointer.
  NOTE(review): what this verifies is the layout of the TPEB declaration in
  the _9000_000_ntdll unit as this compiler lays it out, not the PEB of the
  running system. The section comments below record the Windows version in
  which each group of fields was appended, so the printed offsets should be
  compared against the target build's own definition; the structure is
  undocumented and has changed between versions. }
var
WorkBuf : packed array[0..255] of char; { scratch buffer for DToHexD }
begin
writeln;
writeln;
{ no else branch: an unexpected pointer size prints no heading at all }
case sizeof(pointer) of
4 : write(' 32bit PEB');
8 : write(' 64bit PEB');
end;
writeln(' - sizeof(PEB) = ', DToHexD(sizeof(TPEB), 0, WorkBuf), ' ', sizeof(TPEB), 'd');
writeln;
WriteOffset('InheritedAddressSpace ', ptruint(@TPEB(nil^).InheritedAddressSpace ));
WriteOffset('ReadImageFileExecOptions ', ptruint(@TPEB(nil^).ReadImageFileExecOptions ));
WriteOffset('BeingDebugged ', ptruint(@TPEB(nil^).BeingDebugged ));
writeln;
{ for each union, the union itself is printed first, then its members;
  the members are expected to share the union's offset }
WriteOffset('UnionA ', ptruint(@TPEB(nil^).UnionA ));
WriteOffset('UnionA.SpareBool ', ptruint(@TPEB(nil^).UnionA.SpareBool ));
WriteOffset('UnionA.Bitfields ', ptruint(@TPEB(nil^).UnionA.Bitfields ));
{$ifdef FPC}
{ BitFlags members exist only in the FPC build of the declaration }
WriteOffset('UnionA.BitFlags ', ptruint(@TPEB(nil^).UnionA.BitFlags ));
{$endif}
writeln;
WriteOffset('Mutant ', ptruint(@TPEB(nil^).Mutant ));
{ the following line is not Pascal: it marks where the original posting
  elided a run of WriteOffset calls for the fields between Mutant and
  ProcessStarterHelper }
{ < additional fields removed to make acceptable to forum software > }
{ ------------------------------------------------------------------------- }
{ fields appended for NT 4.0 and above }
writeln;
WriteOffset('ProcessStarterHelper ', ptruint(@TPEB(nil^).ProcessStarterHelper ));
WriteOffset('GdiDCAttributeList ', ptruint(@TPEB(nil^).GdiDCAttributeList ));
writeln;
WriteOffset('UnionI ', ptruint(@TPEB(nil^).UnionI ));
WriteOffset('UnionI.LoaderLockPointer ', ptruint(@TPEB(nil^).UnionI.LoaderLockPointer ));
WriteOffset('UnionI.LoaderLock ', ptruint(@TPEB(nil^).UnionI.LoaderLock ));
writeln;
WriteOffset('OSMajorVersion ', ptruint(@TPEB(nil^).OSMajorVersion ));
WriteOffset('OSMinorVersion ', ptruint(@TPEB(nil^).OSMinorVersion ));
WriteOffset('OSBuildNumber ', ptruint(@TPEB(nil^).OSBuildNumber ));
WriteOffset('OSCSDVersion ', ptruint(@TPEB(nil^).OSCSDVersion ));
WriteOffset('OSPlatformId ', ptruint(@TPEB(nil^).OSPlatformId ));
WriteOffset('ImageSubsystem ', ptruint(@TPEB(nil^).ImageSubsystem ));
WriteOffset('ImageSubsystemMajorVersion ', ptruint(@TPEB(nil^).ImageSubsystemMajorVersion ));
WriteOffset('ImageSubsystemMinorVersion ', ptruint(@TPEB(nil^).ImageSubsystemMinorVersion ));
writeln;
WriteOffset('UnionJ ', ptruint(@TPEB(nil^).UnionJ ));
WriteOffset('UnionJ.ImageProcessAffinityMask ', ptruint(@TPEB(nil^).UnionJ.ImageProcessAffinityMask ));
WriteOffset('UnionJ.ActiveProcessAffinityMask ', ptruint(@TPEB(nil^).UnionJ.ActiveProcessAffinityMask ));
writeln;
{ NOTE(review): the WIN32 and WIN64 branches below are identical; presumably
  they were split because GdiHandleBuffer is declared with a different size
  per platform, but the call itself does not depend on that, so a single
  unconditional call would do }
{$ifdef WIN32}
WriteOffset('GdiHandleBuffer ', ptruint(@TPEB(nil^).GdiHandleBuffer ));
{$endif}
{$ifdef WIN64}
WriteOffset('GdiHandleBuffer ', ptruint(@TPEB(nil^).GdiHandleBuffer ));
{$endif}
writeln;
WriteOffset('PostProcessInitRoutine ', ptruint(@TPEB(nil^).PostProcessInitRoutine ));
{ ------------------------------------------------------------------------- }
{ fields appended for Window 2000 and above }
writeln;
WriteOffset('TlsExpansionBitmap ', ptruint(@TPEB(nil^).TlsExpansionBitmap ));
WriteOffset('TlsExpansionBitmapBits ', ptruint(@TPEB(nil^).TlsExpansionBitmapBits ));
writeln;
WriteOffset('SessionId ', ptruint(@TPEB(nil^).SessionId ));
writeln;
WriteOffset('AppCompatFlags ', ptruint(@TPEB(nil^).AppCompatFlags ));
WriteOffset('AppCompatFlagsUser ', ptruint(@TPEB(nil^).AppCompatFlagsUser ));
WriteOffset('pShimData ', ptruint(@TPEB(nil^).pShimData ));
WriteOffset('AppCompatInfo ', ptruint(@TPEB(nil^).AppCompatInfo ));
WriteOffset('CSDVersion ', ptruint(@TPEB(nil^).CSDVersion ));
{ ------------------------------------------------------------------------- }
{ fields appended for Window XP and above }
writeln;
WriteOffset('ActivationContextData ', ptruint(@TPEB(nil^).ActivationContextData ));
WriteOffset('ProcessAssemblyStorageMap ', ptruint(@TPEB(nil^).ProcessAssemblyStorageMap ));
WriteOffset('SystemDefaultActivationContextData ', ptruint(@TPEB(nil^).SystemDefaultActivationContextData ));
WriteOffset('SystemAssemblyStorageMap ', ptruint(@TPEB(nil^).SystemAssemblyStorageMap ));
writeln;
WriteOffset('MinimumStackCommit ', ptruint(@TPEB(nil^).MinimumStackCommit ));
{ ------------------------------------------------------------------------- }
{ fields appended for Windows server 2003 and above }
writeln;
WriteOffset('UnionK ', ptruint(@TPEB(nil^).UnionK ));
WriteOffset('UnionK.FlsCallback ', ptruint(@TPEB(nil^).UnionK.FlsCallback ));
WriteOffset('UnionK.FlsListHead ', ptruint(@TPEB(nil^).UnionK.FlsListHead ));
WriteOffset('UnionK.FlsBitmap ', ptruint(@TPEB(nil^).UnionK.FlsBitmap ));
WriteOffset('UnionK.FlsBitmapBits ', ptruint(@TPEB(nil^).UnionK.FlsBitmapBits ));
WriteOffset('UnionK.FlsHighIndex ', ptruint(@TPEB(nil^).UnionK.FlsHighIndex ));
writeln;
WriteOffset('UnionK.SparePointers ', ptruint(@TPEB(nil^).UnionK.SparePointers ));
WriteOffset('UnionK.SpareUlongs ', ptruint(@TPEB(nil^).UnionK.SpareUlongs ));
{ ------------------------------------------------------------------------- }
{ fields appended for Windows Vista and above }
writeln;
WriteOffset('WerRegistrationData ', ptruint(@TPEB(nil^).WerRegistrationData ));
WriteOffset('WerShipAssertPtr ', ptruint(@TPEB(nil^).WerShipAssertPtr ));
{ ------------------------------------------------------------------------- }
{ fields appended for Windows 7 beta and up }
writeln;
WriteOffset('UnionL ', ptruint(@TPEB(nil^).UnionL ));
WriteOffset('UnionL.pContextData ', ptruint(@TPEB(nil^).UnionL.pContextData ));
WriteOffset('UnionL.pUnused ', ptruint(@TPEB(nil^).UnionL.pUnused ));
writeln;
WriteOffset('pImageHeaderHash ', ptruint(@TPEB(nil^).pImageHeaderHash ));
{ ------------------------------------------------------------------------- }
{ fields appended for Windows 7 RTM and above }
writeln;
WriteOffset('TracingFlagsUnion ', ptruint(@TPEB(nil^).TracingFlagsUnion ));
WriteOffset('TracingFlagsUnion.TracingFlags ', ptruint(@TPEB(nil^).TracingFlagsUnion.TracingFlags ));
{$ifdef FPC}
WriteOffset('TracingFlagsUnion.BitFlags ', ptruint(@TPEB(nil^).TracingFlagsUnion.BitFlags ));
{$endif}
writeln;
WriteOffset('AlignmentFiller ', ptruint(@TPEB(nil^).AlignmentFiller ));
{ ------------------------------------------------------------------------- }
{ fields appended for Windows 8 and above }
writeln;
WriteOffset('CsrServerReadOnlySharedMemoryBase ', ptruint(@TPEB(nil^).CsrServerReadOnlySharedMemoryBase ));
{ ------------------------------------------------------------------------- }
{ fields appended for Windows 10 and above }
writeln;
WriteOffset('TppWorkerpListLock ', ptruint(@TPEB(nil^).TppWorkerpListLock ));
writeln;
WriteOffset('UnionM ', ptruint(@TPEB(nil^).UnionM ));
WriteOffset('UnionM.TppWorkerpList ', ptruint(@TPEB(nil^).UnionM.TppWorkerpList ));
WriteOffset('UnionM.dwSystemCallMode ', ptruint(@TPEB(nil^).UnionM.dwSystemCallMode ));
writeln;
WriteOffset('WaitOnAddressHashTable ', ptruint(@TPEB(nil^).WaitOnAddressHashTable ));
writeln;
WriteOffset('TelemetryCoverageHeader ', ptruint(@TPEB(nil^).TelemetryCoverageHeader ));
WriteOffset('CloudFileFlags ', ptruint(@TPEB(nil^).CloudFileFlags ));
writeln;
WriteOffset('CloudFileDiagFlags ', ptruint(@TPEB(nil^).CloudFileDiagFlags ));
WriteOffset('PlaceholderCompatibilityMode ', ptruint(@TPEB(nil^).PlaceholderCompatibilityMode ));
WriteOffset('PlaceholderCompatibilityModeReserved ', ptruint(@TPEB(nil^).PlaceholderCompatibilityModeReserved ));
writeln;
WriteOffset('LeapSecondData ', ptruint(@TPEB(nil^).LeapSecondData ));
writeln;
WriteOffset('UnionN ', ptruint(@TPEB(nil^).UnionN ));
WriteOffset('UnionN.LeapSecondFlags ', ptruint(@TPEB(nil^).UnionN.LeapSecondFlags ));
{$ifdef FPC}
WriteOffset('UnionN.BitFields ', ptruint(@TPEB(nil^).UnionN.BitFields ));
{$endif}
writeln;
WriteOffset('NtGlobalFlag2 ', ptruint(@TPEB(nil^).NtGlobalFlag2 ));
writeln;
writeln;
{ keep the console window open until the user confirms }
writeln('press ENTER/RETURN to end this program');
readln;
end.