Difference between revisions of "Techwiki:Win32k/LDEVOBJ"
ThePhysicist (talk | contribs) |
|||
| (10 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
Representation of a GDI driver. | Representation of a GDI driver. | ||
| − | typedef struct | + | typedef struct _SYSTEM_GDI_DRIVER_INFORMATION |
| − | { | + | { |
| − | UNICODE_STRING | + | UNICODE_STRING DriverName; |
| − | PVOID | + | PVOID ImageAddress; |
| − | PVOID | + | PVOID SectionPointer; |
| − | PVOID | + | PVOID EntryPoint; |
| − | + | PIMAGE_EXPORT_DIRECTORY ExportSectionPointer; | |
| − | ULONG | + | ULONG ImageLength; |
| − | + | } SYSTEM_GDI_DRIVER_INFORMATION, *PSYSTEM_GDI_DRIVER_INFORMATION; | |
| − | } | ||
| − | '' | + | ''DriverName'' |
:Full path of the drivers dll. Example: '\SystemRoot\System32\ATMFD.DLL' | :Full path of the drivers dll. Example: '\SystemRoot\System32\ATMFD.DLL' | ||
| − | '' | + | ''ImageAddress'' |
:Pointer to the beginning of the driver mapping. | :Pointer to the beginning of the driver mapping. | ||
| − | '' | + | ''SectionPointer'' |
| − | :Pointer to 'MmLd' Mm load module database. | + | :Pointer to 'MmLd' Mm load module database. |
| − | '' | + | ''EntryPoint'' |
:Pointer to the drivers entry point. | :Pointer to the drivers entry point. | ||
| − | '' | + | ''ImageLength'' |
:Size of the DLL in bytes. | :Size of the DLL in bytes. | ||
typedef struct _LDEV | typedef struct _LDEV | ||
| − | { // | + | { // W2k WXP |
| − | struct _LDEVOBJ *pldevNext; | + | struct _LDEVOBJ *pldevNext; // 000 000 |
| − | struct _LDEVOBJ *pldevPrev; | + | struct _LDEVOBJ *pldevPrev; // 004 004 |
| − | + | #if (_WIN32_WINNT >= 0x501) | |
| − | ULONG ldevtype; | + | SYSTEM_GDI_DRIVER_INFORMATION pGdiDriverInfo; // --- 008 |
| − | ULONG cRefs; | + | #endif |
| − | + | ULONG ldevtype; // 008 00C | |
| − | + | ULONG cRefs; // 00C 010 | |
| − | ULONG ulDriverVersion; // 018 01C | + | DWORD dwUnknown1; // 010 014 |
| − | ULONG unk_020; | + | #if (_WIN32_WINNT >= 0x501) |
| − | PFN apfn[93]; | + | DWORD ulDriverVersion; // --- 018 |
| − | PFN apfnOrig[93]; | + | #else |
| − | // size | + | SYSTEM_GDI_DRIVER_INFORMATION pGdiDriverInfo; // 014 --- |
| + | #endif | ||
| + | ULONG ulDriverVersion; // 018 | ||
| + | PPROCESSINFO ppi; // 01C XP, W2k3, Vista & W7U | ||
| + | ULONG unk_020; // 020 XP: first and last LDEV have 0xFFFFFFFF, other 0x30000 | ||
| + | PFN apfn[93]; // 024 | ||
| + | PFN apfnOrig[93]; // 198 | ||
| + | // size 310 | ||
} LDEV, *PLDEV; | } LDEV, *PLDEV; | ||
| Line 48: | Line 54: | ||
''pldevPrev'' | ''pldevPrev'' | ||
:Pointer to the previous LDEV in the global list. NULL if this is the first LDEVOBJ. | :Pointer to the previous LDEV in the global list. NULL if this is the first LDEVOBJ. | ||
| + | |||
| + | ''pGdiDriverInfo'' | ||
| + | :Pointer to a SYSTEM_GDI_DRIVER_INFORMATION structure, if the LDEV is associated with a dll file. NULL if the LDEV describes a driver located inside win32k. | ||
''ldevtype'' | ''ldevtype'' | ||
| Line 70: | Line 79: | ||
All LDEVOBJs are kept in a global list. | All LDEVOBJs are kept in a global list. | ||
Both structures have the tag 'Gldv' | Both structures have the tag 'Gldv' | ||
| − | Total size of | + | Total size of LDEV is 0x310 Bytes |
Latest revision as of 21:18, 8 May 2019
Representation of a GDI driver.
typedef struct _SYSTEM_GDI_DRIVER_INFORMATION
{
UNICODE_STRING DriverName;
PVOID ImageAddress;
PVOID SectionPointer;
PVOID EntryPoint;
PIMAGE_EXPORT_DIRECTORY ExportSectionPointer;
ULONG ImageLength;
} SYSTEM_GDI_DRIVER_INFORMATION, *PSYSTEM_GDI_DRIVER_INFORMATION;
DriverName
- Full path of the drivers dll. Example: '\SystemRoot\System32\ATMFD.DLL'
ImageAddress
- Pointer to the beginning of the driver mapping.
SectionPointer
- Pointer to 'MmLd' Mm load module database.
EntryPoint
- Pointer to the drivers entry point.
ImageLength
- Size of the DLL in bytes.
typedef struct _LDEV
{ // W2k WXP
struct _LDEVOBJ *pldevNext; // 000 000
struct _LDEVOBJ *pldevPrev; // 004 004
#if (_WIN32_WINNT >= 0x501)
SYSTEM_GDI_DRIVER_INFORMATION pGdiDriverInfo; // --- 008
#endif
ULONG ldevtype; // 008 00C
ULONG cRefs; // 00C 010
DWORD dwUnknown1; // 010 014
#if (_WIN32_WINNT >= 0x501)
DWORD ulDriverVersion; // --- 018
#else
SYSTEM_GDI_DRIVER_INFORMATION pGdiDriverInfo; // 014 ---
#endif
ULONG ulDriverVersion; // 018
PPROCESSINFO ppi; // 01C XP, W2k3, Vista & W7U
ULONG unk_020; // 020 XP: first and last LDEV have 0xFFFFFFFF, other 0x30000
PFN apfn[93]; // 024
PFN apfnOrig[93]; // 198
// size 310
} LDEV, *PLDEV;
pldevNext
- Pointer to the next LDEV in the global list. NULL if this is the last LDEVOBJ.
pldevPrev
- Pointer to the previous LDEV in the global list. NULL if this is the first LDEVOBJ.
pGdiDriverInfo
- Pointer to a SYSTEM_GDI_DRIVER_INFORMATION structure, if the LDEV is associated with a dll file. NULL if the LDEV describes a driver located inside win32k.
ldevtype
- Can be one of:
typedef enum
{
LDEV_DEVICE_DISPLAY = 1,
LDEV_DEVICE_PRINTER = 2,
LDEV_DEVICE_META = 3,
LDEV_DEVICE_MIRROR = 4,
LDEV_IMAGE = 5,
LDEV_FONT = 6
} LDEVTYPE;
apfn
- Array of pointers to the according driver functions or win32k!WatchDogXxx interceptions.
apfnOrig
- The original function pointer that were returned from the driver entry.
Remarks
All LDEVOBJs are kept in a global list. Both structures have the tag 'Gldv' Total size of LDEV is 0x310 Bytes
