26 May 2008
typedef enum
    PAL_INDEXED         = 0x000001,
    PAL_BITFIELDS       = 0x000002,
    PAL_RGB             = 0x000004,
    PAL_BGR             = 0x000008,
    PAL_CMYK            = 0x000010,
    PAL_DC              = 0x000100,
    PAL_FIXED           = 0x000200,
    PAL_FREE            = 0x000400,
    PAL_MANAGED         = 0x000800,
    PAL_NOSTATIC        = 0x001000,
    PAL_MONOCHROME      = 0x002000,
    PAL_BRUSHHACK       = 0x004000,
    PAL_DIBSECTION      = 0x008000,
    PAL_HT              = 0x100000,
    PAL_RGB16_555       = 0x200000,
    PAL_RGB16_565       = 0x400000,

The EPALOBJ struct is of variable size. It has the pool tag 'Gh08' or 'Gla8' (allocated from lookaside list, size was in this case found to be 0x220, which would be 115 (0x73) PALETTEENTRYs)

typedef struct _EPALOBJ
    BASEOBJECT      BaseObject;    // 0x00

    FLONG           flPal;         // 0x10
    ULONG           cEntries;      // 0x14
    ULONG           ulUnique;      // 0x18, looks like a counter more than a time, like Yuan suggests
    HDC             hdcHead;       // 0x1c
    HDEVPPAL        hSelected;     // 0x20, same as hdcHead::ppdev
    ULONG           cRefhpal;      // 0x24
    ULONG           cRefRegular;   // 0x28
    PTRANSLATE      ptransFore;    // 0x2c
    PTRANSLATE      ptransCurrent; // 0x30
    PTRANSLATE      ptransOld;     // 0x34
    ULONG           unk_038;       // 0x38
    PFN             pGetNearest;   // 0x3c, points to win32k!ulIndexedGetNearestFromPalentry
    PFN             pGetMatch;     // 0x40, points to win32k!ulIndexedGetMatchFromPalentry
    ULONG           ulRGBTime;     // 0x44
    PRGB555XL       pRGBXlate;     // 0x48
    PALETTEENTRY    *pFirstColor;  // 0x4c, this->apalColors, attention!! Yuan is wrong here
    struct _EPALOBJ *pPalette;     // 0x50, this, attention!! Yuan is wrong here
    PALETTEENTRY    apalColors[1]; // 0x54