Ghidra is missing winternl.h definitions

[huettenhain]

In malware analysis in particular, it is sometimes useful to have predefined structures for the PEB and related structures. These definitions are in winternl.h according to MSDN, they are missing from Ghidras library of structures.

I am suggesting to add the structure definitions from winternl.h to Ghidra's default database of Windows structures.

[0x6d696368]

I support this.

However, I guess that is what the https://github.com/NationalSecurityAgency/ghidra-data repo is for.

As a workaround you can try my fork of said repo, which should have winternl.h and other headers in winapi_{32,64}.gdt: https://github.com/0x6d696368/ghidra-data/tree/master/typeinfo (but please note these were generated from MinGW headers, and due to issues with the Ghidra's C parser have all datatypes in one file so you won't see a separate winternl.h folder in the data type archive).

[mrexodia]

There was some discussion at https://github.com/mrexodia/phnt-single-header/issues/10. It looks like Ghidra can correctly parse this header, so creating type libraries from it is possible.