Difference between revisions of "Techwiki:Win32k/ENTRY"
DangerGround (talk | contribs) m (Techwiki/win32k/ENTRY moved to Techwiki:Win32k/ENTRY) |
ThePhysicist (talk | contribs) |
||
| Line 1: | Line 1: | ||
In Win32K land, the handles come from gpentHmgr, and each handle is indexed from it. The resulting structure is called an _ENTRY, and is defined as follows (dumped from win32k.sys symbol file): | In Win32K land, the handles come from gpentHmgr, and each handle is indexed from it. The resulting structure is called an _ENTRY, and is defined as follows (dumped from win32k.sys symbol file): | ||
| − | + | <source lang="c"> | |
| − | + | struct _ENTRY // XP32 Vista64 | |
| − | + | { | |
| − | + | union _EINFO // 0x00 0x00 | |
| − | + | { | |
| − | + | POBJ pobj; | |
| − | + | HGDIOBJ hFree; | |
| − | + | } einfo; | |
| − | + | union _OBJECTOWNER // 0x04 0x08 | |
| − | + | { | |
| − | + | struct _OBJECTOWNER_S | |
| − | + | { | |
| − | + | unsigned Lock:1; | |
| − | + | unsigned Pid_Shifted:31; | |
| − | + | } Share; | |
| − | + | ULONG ulObj; | |
| − | + | } ObjectOwner; | |
| − | + | USHORT FullUnique; // 0x08 0x0c | |
| − | + | UCHAR Objt; // 0x0a 0x0e | |
| − | + | UCHAR Flags; // 0x0b 0x0f | |
| − | + | PVOID pUser; // 0x0c 0x10 | |
| − | + | }; | |
| − | + | </source> | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
''pobj'' | ''pobj'' | ||
| Line 65: | Line 43: | ||
:The type of object. 0 for deleted objects. | :The type of object. 0 for deleted objects. | ||
| + | <source lang="c"> | ||
| + | typedef enum GDIObjType | ||
| + | { | ||
| + | GDIObjType_DEF_TYPE = 0x00, | ||
| + | GDIObjType_DC_TYPE = 0x01, | ||
| + | GDIObjType_UNUSED1_TYPE = 0x02, | ||
| + | GDIObjType_UNUSED2_TYPE = 0x03, | ||
| + | GDIObjType_RGN_TYPE = 0x04, | ||
| + | GDIObjType_SURF_TYPE = 0x05, | ||
| + | GDIObjType_CLIENTOBJ_TYPE = 0x06, | ||
| + | GDIObjType_PATH_TYPE = 0x07, | ||
| + | GDIObjType_PAL_TYPE = 0x08, | ||
| + | GDIObjType_ICMLCS_TYPE = 0x09, | ||
| + | GDIObjType_LFONT_TYPE = 0x0a, | ||
| + | GDIObjType_RFONT_TYPE = 0x0b, | ||
| + | GDIObjType_PFE_TYPE = 0x0c, | ||
| + | GDIObjType_PFT_TYPE = 0x0d, | ||
| + | GDIObjType_ICMCXF_TYPE = 0x0e, | ||
| + | GDIObjType_SPRITE_TYPE = 0x0f, | ||
| + | GDIObjType_BRUSH_TYPE = 0x10, | ||
| + | GDIObjType_UMPD_TYPE = 0x11, | ||
| + | GDIObjType_UNUSED4_TYPE = 0x12, | ||
| + | GDIObjType_SPACE_TYPE = 0x13, | ||
| + | GDIObjType_UNUSED5_TYPE = 0x14, | ||
| + | GDIObjType_META_TYPE = 0x15, | ||
| + | GDIObjType_EFSTATE_TYPE = 0x16, | ||
| + | GDIObjType_BMFD_TYPE = 0x17, | ||
| + | GDIObjType_VTFD_TYPE = 0x18, | ||
| + | GDIObjType_TTFD_TYPE = 0x19, | ||
| + | GDIObjType_RC_TYPE = 0x1a, | ||
| + | GDIObjType_TEMP_TYPE = 0x1b, | ||
| + | GDIObjType_DRVOBJ_TYPE = 0x1c, | ||
| + | GDIObjType_DCIOBJ_TYPE = 0x1d, | ||
| + | GDIObjType_SPOOL_TYPE = 0x1e, | ||
| + | GDIObjType_MAX_TYPE = 0x1e, | ||
| + | GDIObjTypeTotal = 0x1f, | ||
| + | } GDIOBJTYPE, *PGDIOBJTYPE; | ||
| + | </source> | ||
'''Flags''' | '''Flags''' | ||
:0x01 is set for several different kernel objects | :0x01 is set for several different kernel objects | ||
:0x04 is set for DCs got with GetDC(), also found a kernel DC (Display DC?) | :0x04 is set for DCs got with GetDC(), also found a kernel DC (Display DC?) | ||
Latest revision as of 14:54, 3 April 2011
In Win32K land, the handles come from gpentHmgr, and each handle is indexed from it. The resulting structure is called an _ENTRY, and is defined as follows (dumped from win32k.sys symbol file):
struct _ENTRY // XP32 Vista64
{
union _EINFO // 0x00 0x00
{
POBJ pobj;
HGDIOBJ hFree;
} einfo;
union _OBJECTOWNER // 0x04 0x08
{
struct _OBJECTOWNER_S
{
unsigned Lock:1;
unsigned Pid_Shifted:31;
} Share;
ULONG ulObj;
} ObjectOwner;
USHORT FullUnique; // 0x08 0x0c
UCHAR Objt; // 0x0a 0x0e
UCHAR Flags; // 0x0b 0x0f
PVOID pUser; // 0x0c 0x10
};
pobj
- The pointer to a _BASEOBJECT is known as a POBJ.
hFree'
- If the slot is deleted, it stores the handle (or rather the index) of the next free slot in the list.
Lock
- Set for objects that have an exclusive lock.
Shifted
- Shifted (by 1 to the right) Process Id of the process that owns the objects. 0 For kernel handles. Can have the highest bit set for some special objects, like saved DCs.
FullUnique
- Identical to the upper 16 bits of the handle.
Objt
- The type of object. 0 for deleted objects.
typedef enum GDIObjType
{
GDIObjType_DEF_TYPE = 0x00,
GDIObjType_DC_TYPE = 0x01,
GDIObjType_UNUSED1_TYPE = 0x02,
GDIObjType_UNUSED2_TYPE = 0x03,
GDIObjType_RGN_TYPE = 0x04,
GDIObjType_SURF_TYPE = 0x05,
GDIObjType_CLIENTOBJ_TYPE = 0x06,
GDIObjType_PATH_TYPE = 0x07,
GDIObjType_PAL_TYPE = 0x08,
GDIObjType_ICMLCS_TYPE = 0x09,
GDIObjType_LFONT_TYPE = 0x0a,
GDIObjType_RFONT_TYPE = 0x0b,
GDIObjType_PFE_TYPE = 0x0c,
GDIObjType_PFT_TYPE = 0x0d,
GDIObjType_ICMCXF_TYPE = 0x0e,
GDIObjType_SPRITE_TYPE = 0x0f,
GDIObjType_BRUSH_TYPE = 0x10,
GDIObjType_UMPD_TYPE = 0x11,
GDIObjType_UNUSED4_TYPE = 0x12,
GDIObjType_SPACE_TYPE = 0x13,
GDIObjType_UNUSED5_TYPE = 0x14,
GDIObjType_META_TYPE = 0x15,
GDIObjType_EFSTATE_TYPE = 0x16,
GDIObjType_BMFD_TYPE = 0x17,
GDIObjType_VTFD_TYPE = 0x18,
GDIObjType_TTFD_TYPE = 0x19,
GDIObjType_RC_TYPE = 0x1a,
GDIObjType_TEMP_TYPE = 0x1b,
GDIObjType_DRVOBJ_TYPE = 0x1c,
GDIObjType_DCIOBJ_TYPE = 0x1d,
GDIObjType_SPOOL_TYPE = 0x1e,
GDIObjType_MAX_TYPE = 0x1e,
GDIObjTypeTotal = 0x1f,
} GDIOBJTYPE, *PGDIOBJTYPE;
Flags
- 0x01 is set for several different kernel objects
- 0x04 is set for DCs got with GetDC(), also found a kernel DC (Display DC?)
