Post

Undocumented Structures

Introduction

When referencing the Windows documentation for a structure, one may encounter several reserved members within the structure. These reserved members are often presented as arrays of BYTE or PVOID data types. This practice is implemented by Microsoft to maintain confidentiality and prevent users from understanding the structure t avoid modifications to these reserved members.

With that being said, it will be necessary to work with these undocumented members when developing malware. We can avoid Microsoft’s Documentation and instead use other website that have full undocumented structure, which was likely derived through reverse engineering.

PEB Structure

The Process Environment Block or PEB is a data structure that holds information about a Windows process. However Microsoft’s documentation on the PEB structure shows several reserved members. This makes it difficult to access the members of the structure.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
typedef struct _PEB {
  BYTE                          Reserved1[2];
  BYTE                          BeingDebugged;
  BYTE                          Reserved2[1];
  PVOID                         Reserved3[2];
  PPEB_LDR_DATA                 Ldr;
  PRTL_USER_PROCESS_PARAMETERS  ProcessParameters;
  PVOID                         Reserved4[3];
  PVOID                         AtlThunkSListPtr;
  PVOID                         Reserved5;
  ULONG                         Reserved6;
  PVOID                         Reserved7;
  ULONG                         Reserved8;
  ULONG                         AtlThunkSListPtr32;
  PVOID                         Reserved9[45];
  BYTE                          Reserved10[96];
  PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
  BYTE                          Reserved11[128];
  PVOID                         Reserved12[1];
  ULONG                         SessionId;
} PEB, *PPEB;

Finding Reserved Members

One way to determine what the PEB’s reserved members hold is through the !peb command in WinDbg.

Alternative Documentation

Here’s some sources where we can check for undocumented structures:

Considerations

When choosing a structure definition, it’s important to be mindful of the following points.

  • Some structure definitions only work for a specific architecture, either x86 or x64. If that’s the case, ensure the appropriate structure definition is chosen.
  • In certain cases, it may be necessary to define multiple structures due to the concept of nested structures. For example, a structure such as PEB may contain a member that acts as a pointer to another structure. Therefore, it becomes important to include the definition of the latter structure to ensure its correctly interpreted by the program.
  • When using a custom definition of a structure, it is not possible to include its original definition found in the Windows SDK simultaneously. For example, Microsoft’s definition of the PEB structure is located in Winternl.h. If one intends to use a different definition from one of the above-mentioned documentation sources, then attempting to include Winternl.h in the program will result in redefinition errors thrown by Visual Studio’s compiler. To avoid this, select only one definition of the structure.
This post is licensed under CC BY 4.0 by the author.