I would like to announce the launch of my new web-based tool: Terminus Project. It is an automatically generated diff of Windows structures with a nice (I hope!) presentation layer. Currently it contains only data gathered from NTDLL PDBs (281 DLLs at the time of writing this post), but it can easily be extended with other libraries. The idea behind this project came from my old research on the PEB structure (link), which is still quite popular (compared to the other posts on this blog). There are a few things that should be improved (for example, better support for structures with unions), but I decided to publish it now so that it won’t sit on my HDD for the next few months.
Navigation throughout Terminus is very simple: on the main page there is a list of all structures and a search input field:
There are three possible views: x86, x64 and combined. Not all of them are always available, but this is very easy to check without navigating to the structure: when the link to a specific view is hovered, Terminus shows a preview of the structure:
The structure view is very simple. Apart from the table with the structure definition, it contains a navigation bar in the bottom left corner (so the user can easily switch between the x86/x64/combined views) and a ZOOM slider in the bottom right corner (helpful for big structures).
Each field in the structure table has a tooltip with the size of the field, and if the type of the field is itself a structure, it has a preview similar to the one shown on the index page:
The table header contains Min version and Max version rows (the combined view also has an Architecture row); these are, of course, the minimal and maximal supported Windows versions (Pre RTM denotes any version that was published before RTM). There is a tooltip for these rows as well; it shows the exact version number of the minimal and maximal supported Windows (sometimes I don’t have all matching x86/x64 DLLs, in which case it can show one version for x86 and a different one for x64, as in the picture below):
I think that’s all for now, no technical details this time :) I can recommend looking at PEB and TEB:
Last, but not least, to show that not everything is as nice as it could (should?) be:
In the case of EPROCESS/ETHREAD the combined view seems like a total failure, but the x86/x64 views are quite usable.