31 Dec
2007
31 Dec
'07
3:55 a.m.
Alex Ionescu wrote:
Let's begin with the GDI Base Object, which is a
header at the top of
every GDI Object. The structure is called _BASEOBJECT (what you refer
to as "GDIOBJHDR") and is defined as follows:
struct _BASEOBJECT
{
HANDLE hHmgr;
ULONG ulShareCount;
LONG cExclusiveLock;
ULONG BaseFlags;
PW32THREAD Tid;
};
Your structure is 20 bytes long, I can say for sure that for all gdi
objects I have seen the header is 16 bytes. Maybe you mean
struct _BASEOBJECT
{
HANDLE hHmgr;
ULONG ulShareCount;
USHORT cExclusiveLock;
USHORT BaseFlags;
PW32THREAD Tid;
};
This would match my findings with having 0x8000 in the BaseFlags field
The pointer to a _BASEOBJECT is known as a POBJ.
Now, how to get to this object? Well, dxg and win32k.sys now both
implement different Hmhr's (Handle Managers).
In Win32K land, the handles come from gpentHmgr, and each handle is
indexed from it. The resulting structure is called an _ENTRY, and is
defined as follows:
struct _ENTRY
{
union
{
POBJ pobj;
HANDLE hFree;
};
union
{
ULONG ulObj;
struct
{
USHORT Count:15;
USHORT Lock:1;
HANDLE Pid;
};
} ObjectOwner;
USHORT FullUnique;
UCHAR Objt;
UCHAR Flags;
PVOID pUser;
};
I remember a discussion about this some time ago, when I suggested
something similar to this one and you were the one who disagreed and now
you come up with this one ;-) (Everyone remember we have to deal with
endianess.)
I agree on most of it, but the second union: the structure consists of
16 bits + 32 bits.
Can you explain the fields of the second union please.
Regards,
Timo