Merge pull request #75 from hakril/new_pebldrdata_def

Improve tests stability + new PEB_LDR_DATA definition

Author: hakril

ctypes_generation/definitions/structures/winstruct.txt

@@ -4,11 +4,18 @@ typedef struct _LIST_ENTRY {
 } LIST_ENTRY, *PLIST_ENTRY, *RESTRICTED_POINTER PRLIST_ENTRY;
 
 
+/* Definition of WinXP : Still same base in win11 with some extra field */
 typedef struct _PEB_LDR_DATA {
-  BYTE       Reserved1[8];
-  PVOID      Reserved2[3];
-  LIST_ENTRY InMemoryOrderModuleList;
-} PEB_LDR_DATA, *PPEB_LDR_DATA;
+    ULONG               Length;
+    BYTE                Initialized;
+    PVOID               SsHandle;
+    _LIST_ENTRY         InLoadOrderModuleList;
+    _LIST_ENTRY         InMemoryOrderModuleList;
+    _LIST_ENTRY         InInitializationOrderModuleList;
+    PVOID               EntryInProgress;
+    // BYTE                ShutdownInProgress; // New field
+    // PVOID               ShutdownThreadId;   // New field
+}PEB_LDR_DATA, *PPEB_LDR_DATA;
 
 
 typedef struct _LSA_UNICODE_STRING {

docs/source/winstructs_generated.rst

@@ -10521,19 +10521,39 @@ _PEB_LDR_DATA
 
 .. class:: _PEB_LDR_DATA
 
-    .. attribute:: Reserved1
+    .. attribute:: Length
 
-        :class:`BYTE` ``[8]``
+        :class:`ULONG`
 
 
-    .. attribute:: Reserved2
+    .. attribute:: Initialized
 
-        :class:`PVOID` ``[3]``
+        :class:`BYTE`
+
+
+    .. attribute:: SsHandle
+
+        :class:`PVOID`
+
+
+    .. attribute:: InLoadOrderModuleList
+
+        :class:`_LIST_ENTRY`
 
 
     .. attribute:: InMemoryOrderModuleList
 
-        :class:`LIST_ENTRY`
+        :class:`_LIST_ENTRY`
+
+
+    .. attribute:: InInitializationOrderModuleList
+
+        :class:`_LIST_ENTRY`
+
+
+    .. attribute:: EntryInProgress
+
+        :class:`PVOID`
 
 _LSA_UNICODE_STRING
 '''''''''''''''''''

tests/test_debugger.py

@@ -376,22 +376,28 @@ def trigger(self, dbg, exc):
 @pytest.mark.parametrize("bptype", [windows.debug.FunctionParamDumpHXBP, windows.debug.FunctionParamDumpBP])
 def test_standard_breakpoint_self_remove(proc32_64_debug, bptype):
     data = set()
-
+    thread_exception = []
     def do_check():
         time.sleep(1)
-        print("[==================] LOADING PYTHON")
-        proc32_64_debug.execute_python_unsafe("1").wait()
-        print("[==================] OPEN SELF_FILENAME1")
-        proc32_64_debug.execute_python_unsafe("open(u'SELF_FILENAME1')").wait()
-        time.sleep(0.1)
-        print("[==================] OPEN SELF_FILENAME2")
-        proc32_64_debug.execute_python_unsafe("open(u'SELF_FILENAME2')").wait()
-        time.sleep(0.1)
-        print("[==================] OPEN SELF_FILENAME3")
-        proc32_64_debug.execute_python_unsafe("open(u'SELF_FILENAME3')").wait()
-        time.sleep(0.1)
-        print("[==================] KILLING TARGET")
-        proc32_64_debug.exit()
+        try:
+            assert proc32_64_debug.peb.Ldr.contents.Initialized, "peb.Ldr not yet Initialized"
+            print("[==================] LOADING PYTHON")
+            proc32_64_debug.execute_python_unsafe("1").wait()
+            print("[==================] OPEN SELF_FILENAME1")
+            proc32_64_debug.execute_python_unsafe("open(u'SELF_FILENAME1')").wait()
+            time.sleep(0.1)
+            print("[==================] OPEN SELF_FILENAME2")
+            proc32_64_debug.execute_python_unsafe("open(u'SELF_FILENAME2')").wait()
+            time.sleep(0.1)
+            print("[==================] OPEN SELF_FILENAME3")
+            proc32_64_debug.execute_python_unsafe("open(u'SELF_FILENAME3')").wait()
+            time.sleep(0.1)
+            print("[==================] KILLING TARGET")
+        except Exception as e:
+            traceback.print_exc()
+            thread_exception.append(e)
+        finally:
+            proc32_64_debug.exit()
 
     class TSTBP(bptype):
         TARGET = windows.winproxy.CreateFileW
@@ -407,8 +413,13 @@ def trigger(self, dbg, exc):
 
     d = windows.debug.Debugger(proc32_64_debug)
     d.add_bp(TSTBP("kernelbase!CreateFileW"))
-    threading.Thread(target=do_check).start()
+    t = threading.Thread(target=do_check)
+    t.start()
     d.loop()
+    assert not t.is_alive()
+    if thread_exception:
+        raise thread_exception[0]
+
     assert data >= set([u"SELF_FILENAME1", u"SELF_FILENAME2"])
     assert u"SELF_FILENAME3" not in data
 
@@ -429,8 +440,9 @@ def test_standard_breakpoint_remove(proc32_64_debug, bptype):
     data = set()
     thread_exception = []
     def do_check():
-        time.sleep(1)
+        time.sleep(2)
         try:
+            assert proc32_64_debug.peb.Ldr.contents.Initialized, "peb.Ldr not yet Initialized"
             print("[==================] LOADING PYTHON")
             assert list(d.breakpoints.values())[0]
             proc32_64_debug.execute_python_unsafe("1").wait()

windows/generated_def/winstructs.py

@@ -5438,9 +5438,13 @@ class _LIST_ENTRY(Structure): pass
 
 class _PEB_LDR_DATA(Structure):
     _fields_ = [
-        ("Reserved1", BYTE * (8)),
-        ("Reserved2", PVOID * (3)),
-        ("InMemoryOrderModuleList", LIST_ENTRY),
+        ("Length", ULONG),
+        ("Initialized", BYTE),
+        ("SsHandle", PVOID),
+        ("InLoadOrderModuleList", _LIST_ENTRY),
+        ("InMemoryOrderModuleList", _LIST_ENTRY),
+        ("InInitializationOrderModuleList", _LIST_ENTRY),
+        ("EntryInProgress", PVOID),
     ]
 PEB_LDR_DATA = _PEB_LDR_DATA
 PPEB_LDR_DATA = POINTER(_PEB_LDR_DATA)