I would like to announce the launch of my new web-based tool: Terminus Project. It's an automatically generated diff of Windows structures with a nice (I hope!) presentation layer. Currently it contains only data gathered from NTDLL PDBs (281 DLLs at the moment of writing this post), but it can easily be extended with other libraries. The idea behind this project was derived from my old research on the PEB structure (link), which is still quite popular (compared to the other posts on this blog). There are a few things that should be improved (for example, better support for structures with unions), but I decided to publish it now, so it won't stay on my HDD for the next few months.
Navigating Terminus is very simple: the main page lists all structures and has a search input field:
There are three possible views: x86, x64 and combined. Not all of them are always available, but it is very easy to check without navigating to the structure: when the link to a specific view is hovered, Terminus shows a preview of the structure:
The structure view is very simple. Besides the table with the structure definition, it contains a navigation bar in the bottom left corner (so the user can easily switch between the x86/x64/combined views) and a ZOOM slider in the bottom right corner (helpful for big structures).
Each field in the structure table has a tooltip with the size of the field, and if the type of the field is itself a structure, it has a preview similar to the one shown on the index page:
The table header contains Min version and Max version rows (the combined view also has an Architecture row); these are of course the minimal and maximal supported Windows versions (Pre RTM denotes any version that was published before RTM). There is a tooltip for these rows as well, showing the exact version numbers of the minimal and maximal supported Windows (sometimes I don't have all matching x86/x64 DLLs, in which case it can show one version for x86 and a different one for x64, as in the picture below):
I think that's all for now, no technical details this time :) I can recommend looking at PEB and TEB:
Last, but not least, to show that not everything is as nice as it could (should?) be:
In the case of EPROCESS/ETHREAD the combined view seems like a total failure, but the x86/x64 views are quite usable.
Really love this idea! Very helpful…
Excellent ReWolf! impressive and useful
This is one of the most fucking awesome and useful things on the internet right now. ;-)
Hi ReWolf: "It's automatically generated diff of Windows structures with nice (I hope!) presentation layer."
You said, but I can't understand :( Diff of what? System calls before and after I run something?
Diff of internal structure changes among Windows versions.
This is a great tool. I am still trying to get my hands on the GDI handles table, which seems to have changed quite a lot. So far no tool seems to work reliably anymore. Are you aware of an up to date description of the GDICELL64 to which the GdiSharedHandleTable of the PEB points? When I iterate over it and count all fields with the current pid, it reports ca. 20% fewer handles than the performance counter tells me. It would be great if GDICELL/64 would also make it into your tool if you have access to the PDBs containing its definition.
If the structure is in public PDB of one of the system libraries then I can help you.
When I look up the _KTHREAD_X64 structure, there are two "7 sp1" entries, and their min and max versions overlap: the first one is "min: 6.1.7601.17514, max: 6.1.7601.21772"; the second is "min: 6.1.7601.18205, max: 6.1.7601.22436". So I want to know, if my build number is "6.1.7601.18409", which "7 sp1" structure should I choose. Thanks!
Looks like some bug in the generator code, I'll take a look at it later. To verify which structure is used on your system, just check it in the PDB file for the ntoskrnl.
Hi ReWolf – Terminus is excellent! Thank you for making it available for such convenient reference. I've returned to it many times over the last two years.
I'm currently building a corpus of PDB and DWARF files to do large-scale analysis of structure change over time. Will Terminus (or parts of it) make it to your GitHub eventually? I'm very interested in the code.
At this point I don’t plan to publish the code. It is a complete mess written in python with 0 documentation :D
If you ever do let it out (even if only upon request), keep me in mind? I think my email was added as part of the comment.
After all, messy undocumented python is always better than no code :)
Just smack a “don’t blame me, and I probably don’t remember” note on there
Sure, I’ll keep you in mind ;)
Great project, I keep coming back to this from time to time. It's a really handy reference. Can you tell me how you managed to collect all of those PDB files for different versions? As far as I know you need to have some metadata (PDB signature, age, etc.) to query the symbol server, as there is no way to enumerate symbols by DLL name. Am I unaware of something here, or do you have some other method to build your database?
You just need PE timestamp and PE image size.
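The lookup key the reply refers to, as an added example that is not part of the original post or the Terminus code: read TimeDateStamp and SizeOfImage from a PE header and build the conventional symbol server path `<name>/<TimeDateStamp as 8 hex digits><SizeOfImage in hex>/<name>` for the binary. The headers-only PE image used as input is constructed inline; the key fields and offsets are the standard PE layout.

```python
import os
import struct
import sys

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_symbol_index(data: bytes) -> tuple[int, int]:
    """Return (TimeDateStamp, SizeOfImage) from a PE image's headers.

    These two fields key the binary on a symbol server; the PDB itself is
    keyed separately by the CodeView GUID/age, which this function ignores.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad or truncated PE signature")
    # COFF header follows the 4-byte signature; TimeDateStamp is COFF offset 4.
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    # Optional header starts after signature (4) + COFF header (20).
    opt = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # SizeOfImage is at optional-header offset 56 in both PE32 and PE32+.
    (size_of_image,) = struct.unpack_from("<I", data, opt + 56)
    return timestamp, size_of_image


def symbol_server_path(filename: str, data: bytes) -> str:
    """Build <name>/<TimeDateStamp:08X><SizeOfImage:X>/<name> for a PE file."""
    timestamp, size_of_image = pe_symbol_index(data)
    return f"{filename}/{timestamp:08X}{size_of_image:X}/{filename}"


def build_test_pe(timestamp: int, size_of_image: int, pe32plus: bool = True) -> bytes:
    """Construct a headers-only PE image for the demo (not a real Windows binary)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0,
                       timestamp, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, 56, size_of_image)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # With a path argument, key a real file; otherwise key the constructed image.
    if len(sys.argv) > 1:
        name, blob = os.path.basename(sys.argv[1]), open(sys.argv[1], "rb").read()
    else:
        name, blob = "ntdll.dll", build_test_pe(0x4A5BDB3F, 0x180000)
    print(symbol_server_path(name, blob))  # constructed: ntdll.dll/4A5BDB3F180000/ntdll.dll
```

Downloading the binary by this key is only the first step: the PDB that Terminus diffs is fetched with the GUID and age from the binary's CodeView debug directory, which this block does not parse.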
Indeed, but that's still information you need to obtain somehow. For so many different OS versions, updates and service packs that seems to be quite a burden, especially if one wants to rely on installing systems or downloading whole symbol packages. So are you doing just that, or did you figure out something smarter to obtain symbols?
You can scrape timestamps from the web, this is all I can say :)
Hi, if you're scraping timestamps of ntdll.dll's from the web, you could download the symbols for that DLL. However, even if you've been able to download the DLL/PDB, how did you obtain the information about the Windows version the DLL belongs to? A DLL can belong to either Windows 8.1 or Windows 10, not to mention there are many versions of Windows 10 now. Is it possible to extract this information from the DLL/PDB?
You can parse version information from the DLL resources.