rkhunter
Posts: 1155
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Undocumented structures for W2k-Win10

Post by rkhunter » Fri Aug 12, 2011 4:04 pm

Structures for various operating systems that can be very useful in research.

Obtained with SymbolTypeViewer (free tool).
http://www.laboskopia.com/download/Symb ... 0_beta.zip

Features of the tool:
• download the symbols (pdb) very simply.
• navigate and visualize in a detailed way the types and their members in the form of a tree structure
• easily find the unused areas in the structures (padding). These areas are theoretically usable to put personal data there
• translate the structures for the C language (.h) and for IDA script (.idc) of DataRescue (http://www.datarescue.com/idabase/)
• personalize the formatting: addition of a suffix to the names of types, freeze the sizes of structures and members (the pointers become ULONG32 for a 32-bit system and UINT64 for a 64-bit system)
• apply searches of text or regular expressions
• do batch processing by treating all modules found in a directory and its subdirectories. For example: C:\Windows ;)


Re: Undocumented structures for W2k-Win7

Post by rkhunter » Fri Aug 12, 2011 4:11 pm

Other structures.


Re: Undocumented structures for W2k-Win7

Post by rkhunter » Mon Sep 19, 2011 11:50 am

Windows 8 developer preview, build 6.2.8102.101.


Re: Undocumented structures for W2k-Win7

Post by rkhunter » Mon Sep 19, 2011 12:08 pm

Windows 8 developer preview, build 6.2.8102.101.


Re: Undocumented structures for W2k-Win7

Post by rkhunter » Wed Sep 21, 2011 11:07 am

Build 8102:

Added fields in _kprocess:

/*0x05C*/ LONG32 AffinitySet : 1; // 3 BitPosition
/*0x05C*/ ULONG32 DeepFreeze : 1; // 4 BitPosition
/*0x05C*/ ULONG32 IdleAware : 1; // 5 BitPosition
/*0x05C*/ ULONG32 TimerVirtualization : 1; // 6 BitPosition

New flags in _EPROCESS (element offsets are randomized compared with 7):

/*0x264*/ ULONG32 ExplicitAffinity : 1; // 21 BitPosition
/*0x264*/ ULONG32 LowVaAccessible : 1; // 22 BitPosition
/*0x264*/ ULONG32 ForceRelocateImages : 1; // 23 BitPosition
/*0x264*/ ULONG32 DisallowStrippedImages : 1; // 24 BitPosition
/*0x264*/ ULONG32 HighEntropyASLREnabled : 1; // 25 BitPosition
/*0x264*/ ULONG32 ForceStackCheck : 1; // 26 BitPosition
/*0x264*/ ULONG32 ProcessDeepFrozen : 1; // 27 BitPosition
/*0x264*/ ULONG32 ProcessDeepFreezeRequest : 1; // 28 BitPosition
/*0x264*/ ULONG32 ProcessDeepFreezeInProgress : 1; // 29 BitPosition
/*0x264*/ ULONG32 DisallowWin32kSystemCalls : 1; // 30 BitPosition

/*0x288*/ ULONG32 VadPhysicalPages;
/*0x28C*/ ULONG32 VadPhysicalPagesLimit;

/*0x2C8*/ VOID* WnfContext;

/*0x2CC*/ enum _SE_SIGNING_LEVEL SignatureLevel;

/*0x2D0*/ ULONG32 KeepAliveCounter;
/*0x2D4*/ struct _PROCESS_DISK_COUNTERS* DiskCounters;

Added fields in _kthread:

/*0x040*/ ULONG32 CurrentRunTime;
/*0x044*/ ULONG32 ExpectedRunTime;
/*0x04C*/ struct _XSAVE_FORMAT* StateSaveArea;
/*0x050*/ struct _KSCHEDULING_GROUP* SchedulingGroup;

/*0x058*/ ULONG32 CodePatchInProgress : 1; // 6 BitPosition
/*0x058*/ ULONG32 SystemThread : 1; // 12 BitPosition
/*0x058*/ ULONG32 ProcessDetachActive : 1; // 13 BitPosition
/*0x058*/ ULONG32 ScbReadyQueue : 1; // 15 BitPosition
/*0x058*/ ULONG32 ReservedStackInUse : 1; // 17 BitPosition
/*0x058*/ ULONG32 DisableStackCheck : 1; // 19 BitPosition

Added fields in TEB:

/*0xFCA*/ UINT16 SessionAware : 1; // 11 BitPosition
/*0xFCA*/ UINT16 DisabledStackCheck : 1;

PEB:

/*0x248*/ UINT64 CsrServerReadOnlySharedMemoryBase;

Introduces new object types:

DxgkSharedAllocation
CompositionSurface
WaitCompletionPacket

Functions in the SSDT are listed in reverse order (Z-A).
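As an added example (my own code, not from the thread or from SymbolTypeViewer), a small parser for member lines in the form quoted above, `/*offset*/ type name : width; // N BitPosition`. It turns each line into an offset, a C type and, for bitfields, a mask, so that a flags dword read from one build can be decoded by name or compared against another build's layout. The regex, the `Field` class and the sample text are assumptions based only on the lines shown in this post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One SymbolTypeViewer .h member line, e.g. "/*0x264*/ ULONG32 HighEntropyASLREnabled : 1; // 25 BitPosition"
_LINE = re.compile(
    r"/\*0x(?P<off>[0-9A-Fa-f]+)\*/\s+"            # member offset
    r"(?P<type>(?:(?:struct|enum)\s+)?\w+\*?)\s+"   # C type, optional pointer star
    r"(?P<name>\w+)"                                # member name
    r"(?:\s*:\s*(?P<width>\d+))?\s*;"               # optional bitfield width
    r"(?:\s*//\s*(?P<bit>\d+)\s+BitPosition)?"      # optional starting bit
)

@dataclass
class Field:
    offset: int
    ctype: str
    name: str
    width: Optional[int]  # bitfield width in bits; None for a plain member
    bit: Optional[int]    # first bit inside the dword at `offset`; None if not given

    def mask(self) -> Optional[int]:
        """Mask selecting this bitfield inside the 32-bit word at `offset`."""
        if self.width is None or self.bit is None:
            return None
        return ((1 << self.width) - 1) << self.bit

def parse_dump(text: str) -> list[Field]:
    """Parse every recognisable member line; headings and blank lines are skipped."""
    fields = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            fields.append(Field(int(m["off"], 16), m["type"], m["name"],
                                int(m["width"]) if m["width"] else None,
                                int(m["bit"]) if m["bit"] else None))
    return fields

def decode_flags(fields: list[Field], offset: int, value: int) -> list[str]:
    """Names of the bitfields at `offset` whose bits are set in `value`."""
    return [f.name for f in fields
            if f.offset == offset and f.mask() is not None and value & f.mask()]

# Constructed sample: a heading plus four lines copied from the build-8102 _EPROCESS list above
SAMPLE = """Added fields in _EPROCESS:
/*0x264*/ ULONG32 ExplicitAffinity : 1; // 21 BitPosition
/*0x264*/ ULONG32 HighEntropyASLREnabled : 1; // 25 BitPosition
/*0x264*/ ULONG32 DisallowWin32kSystemCalls : 1; // 30 BitPosition
/*0x2D4*/ struct _PROCESS_DISK_COUNTERS* DiskCounters;
"""
```

`decode_flags(parse_dump(SAMPLE), 0x264, 1 << 25)` returns `['HighEntropyASLREnabled']`; feeding it a whole .h dump from a different build is the same call with a different `SAMPLE`.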


Re: Undocumented structures for W2k-Win7

Post by rkhunter » Mon Sep 26, 2011 9:04 am

Collection of ntos kernels; the archive at the link below contains files named file_version+MD5.
Includes versions:


~36 MB
http://narod.ru/disk/26358003001/ntos_kernels.zip.html


Re: Undocumented structures for W2k-Win7

Post by rkhunter » Fri Jun 28, 2013 12:00 pm

Windows 8.1 dev preview (ntoskrnl 6.3.9431.0 symbols)
.h + .idc in attach

redp
Posts: 67
Joined: Sun Aug 14, 2011 1:07 pm

Re: Undocumented structures for W2k-Win7

Post by redp » Sat Jun 29, 2013 5:06 am

Nice work, can you do the same for ndis.sys?
Check Wincheck


Re: Undocumented structures for W2k-Win7

Post by rkhunter » Mon Jul 01, 2013 7:30 am

redp wrote: Nice work, can you do the same for ndis.sys?
I can't translate it for ndis.sys.
Just attached the .pdb file of ndis.sys, if it will be useful...


Re: Undocumented structures for W2k-Win7

Post by rkhunter » Mon Jul 01, 2013 9:04 am

Updated collection of ntos kernels; the archive at the link below contains files named file_version+MD5.
Includes versions:


~43 MB

http://artemonsecurity.com/ntos_kernels.zip
