[GamingMasteR]

Hi,

You can also use SymbolTypeViewer, it can convert the symbols into C/C++ & IDA Pro readable formats .

[xqrzd]

Thank you EP_X0FF and GamingMasteR :mrgreen:
This will be interesting, I have never used undocumented structures before, this will open up some opportunities :shock: I have one last question, how often does Microsoft change these structures? Have they ever changed them with a service pack or hotfix? I'm just wondering if checking the OS version (XP, Vista, 7) is enough to make sure I am using the right structure.

[GamingMasteR]

It depends !
For example, Vista Build 6000/6001/6002 have no change in EPROCESS/ETHREAD structures, while they have major changes in Object Manager related structures (OBJECT_TYPE/OBJECT_TYPE_INITIALIZER) .
You have to check the structures you want to use if it have major changes cross service packs .
But usually, changes made on different windows releases only (XP/Vista/7).

[xqrzd]

sorry to bump this old topic but I have another question. I've been using EP_X0FF's method on Win XP and it has been working well, but just recently I tried it on Win7 and it appears that FilePointer in the CONTROL_AREA structure is no longer a PFILE_OBJECT, but EX_FAST_REF. I use it like this, but it gives me a BSOD:

Code: Select all

PSECTION_OBJECT sectionObject;
PFILE_OBJECT file;

sectionObject = (PSECTION_OBJECT)((PEPROCESS)process)->SectionObject;
file = ((PSEGMENT)sectionObject->Segment)->ControlArea->FilePointer.Object;

if (file && MmIsAddressValid(file))
{
//anything done with file causes BSOD
}

and 1 last question, what is the best way to store all of these structures? right now my code looks like this, and it causes a LOT of copy-paste:

if (WIN_VER == XP_SP3_32)
{
#include "struct_XP_SP3_32.h"
PEPROCESS process;
PSECTION_OBJECT;
...
}
else if (WIN_VER == VISTA_SP2_32)
{
#include "struct_VISTA_SP2_32.h"
PEPROCESS process;
PSECTION_OBJECT;
...
}

[GamingMasteR]

Code: Select all

#define MAX_FAST_REFS 7

file = (PFILE_OBJECT)(((PSEGMENT)sectionObject->Segment)->ControlArea->FilePointer.Value & ~MAX_FAST_REFS);

What is the best way to store all of these structures?

Pack common used offsets in structure and initialize it in driver startup, I use something like this :

Code: Select all

struct {
    USHORT ProcProcessName;
    USHORT ProcSectionObject;
    ...
} OffsetStruct;

#define	GetMember(__Object, __Type, __Member)((__Type*)((ULONG_PTR)__Object + OffsetStruct.##__Member))

[xqrzd]

thanks gamingmaster :)

edit: could you explain why you clear bits 0,1,2? I don't understand how its done without damaging the pointer...

edit again: I just found this, I think it will help explain: http://koala.cs.pub.ro/lxr/#wrk/ntos/ob/fastref.c

[EP_X0FF]

I tried it on Win7 and it appears that FilePointer in the CONTROL_AREA structure is no longer a PFILE_OBJECT, but EX_FAST_REF

This is started from Vista RTM (6000).