Alex Ionescu wrote:
> Let's begin with the GDI Base Object, which is a header at the top of every GDI Object. The structure is called _BASEOBJECT (what you refer to as "GDIOBJHDR") and is defined as follows:
>
>     struct _BASEOBJECT {
>         HANDLE      hHmgr;
>         ULONG       ulShareCount;
>         LONG        cExclusiveLock;
>         ULONG       BaseFlags;
>         PW32THREAD  Tid;
>     };
Your structure is 20 bytes long; I can say for sure that for all GDI objects I have seen, the header is 16 bytes. Maybe you mean:

    struct _BASEOBJECT {
        HANDLE      hHmgr;
        ULONG       ulShareCount;
        USHORT      cExclusiveLock;
        USHORT      BaseFlags;
        PW32THREAD  Tid;
    };

This would match my findings of having 0x8000 in the BaseFlags field.
> The pointer to a _BASEOBJECT is known as a POBJ.
>
> Now, how to get to this object? Well, dxg and win32k.sys now both implement different Hmgr's (Handle Managers).
>
> In Win32K land, the handles come from gpentHmgr, and each handle is indexed from it. The resulting structure is called an _ENTRY, and is defined as follows:
>
>     struct _ENTRY {
>         union {
>             POBJ    pobj;
>             HANDLE  hFree;
>         };
>         union {
>             ULONG   ulObj;
>             struct {
>                 USHORT  Count:15;
>                 USHORT  Lock:1;
>                 HANDLE  Pid;
>             };
>         } ObjectOwner;
>         USHORT  FullUnique;
>         UCHAR   Objt;
>         UCHAR   Flags;
>         PVOID   pUser;
>     };
I remember a discussion about this some time ago, when I suggested something similar to this one and you were the one who disagreed, and now you come up with this one ;-) (Everyone remember we have to deal with endianness.) I agree on most of it, but the second union: the structure consists of 16 bits + 32 bits. Can you explain the fields of the second union, please?
Regards, Timo
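The two points argued in the thread (whether the object header is 16 or 20 bytes, and whether a 15+1-bit word followed by a 32-bit Pid can alias a single ULONG) can both be checked mechanically. The following is an added example, not code from win32k, ReactOS or either poster: it models both _BASEOBJECT layouts and the _ENTRY as posted, measures them with sizeof/offsetof, and decodes a constructed (invented, not captured) 20-byte dump of an object header both ways. It assumes the 32-bit x86 kernel the thread is about, so HANDLE and every kernel pointer are modelled as 32-bit integers; the dump is read with explicit little-endian helpers so the result does not depend on the host's byte order.

```c
/* Added example: compare the 20-byte and 16-byte _BASEOBJECT layouts and
 * the second union of _ENTRY from the discussion above.  Not code from
 * win32k, ReactOS or the list posters.  Assumes a 32-bit x86 kernel. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef uint32_t HANDLE32;   /* HANDLE on a 32-bit kernel (assumption) */
typedef uint32_t PTR32;      /* POBJ, PW32THREAD, PVOID likewise (assumption) */

/* Layout as Alex posted it: five 32-bit fields, 20 bytes */
struct BASEOBJECT_20 {
    HANDLE32 hHmgr;
    uint32_t ulShareCount;
    int32_t  cExclusiveLock;
    uint32_t BaseFlags;
    PTR32    Tid;
};

/* Layout as Timo proposed it: lock and flags share one DWORD, 16 bytes */
struct BASEOBJECT_16 {
    HANDLE32 hHmgr;
    uint32_t ulShareCount;
    uint16_t cExclusiveLock;
    uint16_t BaseFlags;
    PTR32    Tid;
};

/* Second union of _ENTRY exactly as posted: 15+1 bits, then a 32-bit Pid */
union ObjectOwner {
    uint32_t ulObj;
    struct {
        uint16_t Count:15;
        uint16_t Lock:1;
        HANDLE32 Pid;
    } s;
};

struct ENTRY {
    union { PTR32 pobj; HANDLE32 hFree; } u;
    union ObjectOwner ObjectOwner;
    uint16_t FullUnique;
    uint8_t  Objt;
    uint8_t  Flags;
    PTR32    pUser;
};

size_t sizeof_baseobject_20(void) { return sizeof(struct BASEOBJECT_20); }
size_t sizeof_baseobject_16(void) { return sizeof(struct BASEOBJECT_16); }
/* 16 + 32 bits cannot alias a 32-bit ulObj: the compiler pads the struct
 * member to 8 bytes and the union grows with it, which is Timo's objection. */
size_t sizeof_objectowner(void)  { return sizeof(union ObjectOwner); }
size_t sizeof_entry(void)        { return sizeof(struct ENTRY); }

/* Little-endian readers: the dump is in x86 byte order whatever the host is */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Constructed dump: one object header followed by the first DWORD of the
 * object body.  The values are invented for illustration, not from a pool. */
static const uint8_t dump[20] = {
    0x01, 0x00, 0x05, 0x01,   /* hHmgr        = 0x01050001 */
    0x00, 0x00, 0x00, 0x00,   /* ulShareCount = 0 */
    0x01, 0x00, 0x00, 0x80,   /* two WORDs: 0x0001 then 0x8000 */
    0x10, 0x2B, 0x5C, 0x8A,   /* Tid          = 0x8A5C2B10 */
    0x06, 0x00, 0x00, 0x00,   /* first DWORD of the object body */
};

/* Read with the 16-byte layout: BaseFlags is the WORD at offset 10 */
uint32_t baseflags_as_16(void) {
    return rd16(dump + offsetof(struct BASEOBJECT_16, BaseFlags));
}
/* Read with the 20-byte layout: the same bytes become a negative lock count,
 * BaseFlags swallows the Tid, and Tid already reads the object body. */
int32_t lock_as_20(void) {
    return (int32_t)rd32(dump + offsetof(struct BASEOBJECT_20, cExclusiveLock));
}
uint32_t baseflags_as_20(void) {
    return rd32(dump + offsetof(struct BASEOBJECT_20, BaseFlags));
}
uint32_t tid_as_20(void) {
    return rd32(dump + offsetof(struct BASEOBJECT_20, Tid));
}

/* Which bit of the word is Lock:1?  GCC and MSVC on x86 allocate bit-fields
 * from the least significant bit, so Count fills bits 0-14 and Lock is bit 15. */
uint16_t lock_bit_mask(void) {
    union ObjectOwner o;
    uint16_t w;
    memset(&o, 0, sizeof o);
    o.s.Lock = 1;
    memcpy(&w, &o, sizeof w);
    return w;
}

int main(void) {
    printf("sizeof _BASEOBJECT: 20-byte form %zu, 16-byte form %zu\n",
           sizeof_baseobject_20(), sizeof_baseobject_16());
    printf("sizeof ObjectOwner union %zu, sizeof _ENTRY %zu\n",
           sizeof_objectowner(), sizeof_entry());
    printf("16-byte header: BaseFlags=0x%04x\n", baseflags_as_16());
    printf("20-byte header: cExclusiveLock=%d BaseFlags=0x%08x Tid=0x%08x\n",
           lock_as_20(), baseflags_as_20(), tid_as_20());
    printf("Lock:1 mask = 0x%04x\n", lock_bit_mask());
    return 0;
}
```

Run it and the 16-byte interpretation yields BaseFlags = 0x8000 with a lock count of 1, while the 20-byte interpretation turns the same bytes into a negative cExclusiveLock, a BaseFlags value that is really the Tid, and a Tid that is already the first DWORD of the object body; the ObjectOwner union measures 8 bytes rather than 4. Bit-field allocation order is compiler-defined, so lock_bit_mask() documents the x86 GCC/MSVC behaviour rather than anything the C standard guarantees.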