Add Windows Kernel structs

[HackingFrogWithSunglasses]

As per #1217 this is the WIndows kernel structures PR

Checklist

Which kind of PR do you create?

• This PR only contains minor fixes.
• This PR contains major feature update.
• [ * ] This PR introduces a new function/api for Qiling Framework.

Coding convention?

• [ * ] The new code conforms to Qiling Framework naming convention.
• [ * ] The imports are arranged properly.
• [ * ] Essential comments are added.
• The reference of the new code is pointed out.

Extra tests?

• No extra tests are needed for this PR.
• I have added enough tests for this PR.
• [ * ] Tests will be added after some discussion and review.

Changelog?

• This PR doesn't need to update Changelog.
• Changelog will be updated after some proper review.
• [ * ] Changelog has been updated in my PR.

Target branch?

• [ * ] The target branch is dev branch.

One last thing

• [ * ] I have read the contribution guide

---

[elicn]

Thanks for the contribution.
As mentioned on the previous PR you opened, the additional structures are not defined in a correct way. Please see BaseStruct documentation and how other Windows structures are defined to get the idea.

[elicn]

UC_X86_REG_GS is imported but never used.

[HackingFrogWithSunglasses]

I think this should be used to write the kernel structures pointers to the GS register with their correct offset but I didn't manage to get it working so I wrote to the value manually.

[elicn]

Please refrain from using magic numbers; there is a constant for GS that can be used.

[HackingFrogWithSunglasses]

This is not a magic number. That is the exact offset for the KPRCB pointer in Windows KM. I agree that the constant + offset should be used, though.

[elicn]

Great, that's what I meant.

[elicn]

This structure is initialized with magic numbers whose origin is unclear.
Is there a place [a Qilign object] we can take the values from? Consistency is key.

[HackingFrogWithSunglasses]

I am not sure which numbers you're referring to are magic here.

[HackingFrogWithSunglasses]

Oh if you mean the 0x188 for GS, then same as above. Should be changed to constant + offset

[elicn]

I actually referred to the kthread_obj fields values: 11, 0x1000, 0x1500, 0x2000?

[elicn]

The value of MiscFlags is OR-ed with the existing one, but what is it...? That field was never initialized.

[HackingFrogWithSunglasses]

MiscFlags can be removed in this instance, I was using this for my own purpose and it won't be useful for Qiling generically.

[elicn]

What this is about? Why is it so important it shouldn't be removed?
Also, Qiling debugging info should be logged as debug rather than warn.

[HackingFrogWithSunglasses]

You can remove these debug statements, I just had those there for my local branch and forgot to remove them when I submitted PR.

[elicn]

This is not how bit fields are defined.
To keep it simple, just keep the encapsulating field and do not define bit fields.

[elicn]

From the same reason mentioned above (avoiding structures definitions getting affected by the hosting arch), we should use only known size types, like c_uint32 and c_uint16 instead of long and short.

[elicn]

Is there any specific reason for this change?

[HackingFrogWithSunglasses]

No specific reason relevant to Qiling. Was for my own testing purposes.

[elicn]

Is there any specific reason you removed the existing value and took the commented one?
Qiling doesn't have a concept of virtual and physical addresses, and this is the main reason why the value was changed in the first place.

[HackingFrogWithSunglasses]

No specific reason, again for my own testing.

[HackingFrogWithSunglasses]

I agree with the requested changes.

[HackingFrogWithSunglasses]

Agree, can be removed.

[HackingFrogWithSunglasses]

👍

[HackingFrogWithSunglasses]

Agree, can be removed.

[HackingFrogWithSunglasses]

The output is not needed but please be aware that with certain kernel structures you cannot just have a "link" to them because they are undocumented. In this case the output can be deleted though.

[HackingFrogWithSunglasses]

I think this should be used to write the kernel structures pointers to the GS register with their correct offset but I didn't manage to get it working so I wrote to the value manually.

[HackingFrogWithSunglasses]

I am not sure which numbers you're referring to are magic here.

[HackingFrogWithSunglasses]

Oh if you mean the 0x188 for GS, then same as above. Should be changed to constant + offset

[elicn]

I took the liberty to edit some of the files and apply the fixes myself.
Also added a few responses.

[elicn]

I actually referred to the kthread_obj fields values: 11, 0x1000, 0x1500, 0x2000?

[elicn]

Yes, I am aware.. if there is an unformal documentation you can link to, that's perfectly fine.

[HackingFrogWithSunglasses]

That's absolutely fine as I don't have time myself to maintain this. Thanks!