Undocumented Structures
Introduction
When referencing the Windows documentation for a structure, one may encounter several reserved members within the structure. These reserved members are often presented as arrays of BYTE
or PVOID
data types. This practice is implemented by Microsoft to maintain confidentiality and prevent users from understanding the structure t avoid modifications to these reserved members.
With that being said, it will be necessary to work with these undocumented members when developing malware. We can avoid Microsoft’s Documentation and instead use other website that have full undocumented structure, which was likely derived through reverse engineering.
PEB Structure
The Process Environment Block or PEB is a data structure that holds information about a Windows process. However Microsoft’s documentation on the PEB structure shows several reserved members. This makes it difficult to access the members of the structure.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
typedef struct _PEB {
BYTE Reserved1[2];
BYTE BeingDebugged;
BYTE Reserved2[1];
PVOID Reserved3[2];
PPEB_LDR_DATA Ldr;
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
PVOID Reserved4[3];
PVOID AtlThunkSListPtr;
PVOID Reserved5;
ULONG Reserved6;
PVOID Reserved7;
ULONG Reserved8;
ULONG AtlThunkSListPtr32;
PVOID Reserved9[45];
BYTE Reserved10[96];
PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
BYTE Reserved11[128];
PVOID Reserved12[1];
ULONG SessionId;
} PEB, *PPEB;
Finding Reserved Members
One way to determine what the PEB’s reserved members hold is through the !peb
command in WinDbg.
Alternative Documentation
Here’s some sources where we can check for undocumented structures:
- Process Hacker’s Header Files
- undocumented.ntinternals.net - Some structures may be outdated
- ReactOS’s Documentation
- Vergilius Project - Although mainly for Windows kernel structures, it remains a valuable resource.
- NtDoc
Considerations
When choosing a structure definition, it’s important to be mindful of the following points.
- Some structure definitions only work for a specific architecture, either x86 or x64. If that’s the case, ensure the appropriate structure definition is chosen.
- In certain cases, it may be necessary to define multiple structures due to the concept of nested structures. For example, a structure such as PEB may contain a member that acts as a pointer to another structure. Therefore, it becomes important to include the definition of the latter structure to ensure its correctly interpreted by the program.
- When using a custom definition of a structure, it is not possible to include its original definition found in the Windows SDK simultaneously. For example, Microsoft’s definition of the PEB structure is located in Winternl.h. If one intends to use a different definition from one of the above-mentioned documentation sources, then attempting to include
Winternl.h
in the program will result in redefinition errors thrown by Visual Studio’s compiler. To avoid this, select only one definition of the structure.