VergiliusProject / vergilius-project

This project provides a collection of Microsoft Windows kernel structures, unions and enumerations. Most of them are not officially documented and cannot be found in Windows Driver Kit (WDK) headers. The target audience of this site is driver developers and kernel researchers.
https://www.vergiliusproject.com

struct _MIPFNBLINK incorrect offsets. #10

Open M3ikShizuka opened 3 years ago

M3ikShizuka commented 3 years ago

Version

Edition Windows 10 Pro Version 20H2 OS build 19042.746

lkd> version
Windows 10 Kernel Version 19041 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406

Problem

Home / Kernels / x64 / Windows 10 | 2016 / 2009 20H2 (October 2020 Update) / _MIPFNBLINK build: 10.0.19041.508 - I'm not sure if the reason for the change is in the build version.
date: 2020-09-27

Described structure

(screenshot: incorrect offsets)

Fix solution

Move the fields ShareCount, PageShareCountDeleteBit, PageShareCountLockBit to a separate structure inside the union.

    //0x8 bytes (sizeof)
    struct _MIPFNBLINK
    {
        union
        {
            struct
            {
                ULONGLONG Blink : 36;                                             //0x0
                ULONGLONG NodeBlinkHigh : 20;                                     //0x0
                ULONGLONG TbFlushStamp : 4;                                       //0x0
                ULONGLONG Unused : 2;                                             //0x0
                ULONGLONG PageBlinkDeleteBit : 1;                                 //0x0
                ULONGLONG PageBlinkLockBit : 1;                                   //0x0
            };
            struct
            {
                ULONGLONG ShareCount : 62;                                        //0x0
                ULONGLONG PageShareCountDeleteBit : 1;                            //0x0
                ULONGLONG PageShareCountLockBit : 1;                              //0x0
            };
            ULONGLONG EntireField;                                              //0x0
            volatile LONGLONG Lock;                                             //0x0
            struct
            {
                ULONGLONG LockNotUsed : 62;                                       //0x0
                ULONGLONG DeleteBit : 1;                                          //0x0
                ULONGLONG LockBit : 1;                                            //0x0
            };
        };
    };

(screenshot: fixed offsets)
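As an added check (not code from the issue or the Vergilius project), the proposed layout compiled with a standard C compiler next to an assumed "before" layout in which the three share-count fields sit in the first anonymous struct; the `MIPFNBLINK_ASSUMED_BEFORE` struct, the `mipfn_decode` helper and the sample value are assumptions, and the typedefs stand in for the ntdef.h ones.

```c
#include <stddef.h>
#include <stdio.h>
/* Stand-ins for the Windows typedefs (the real ones come from ntdef.h). */
typedef unsigned long long ULONGLONG;
typedef long long LONGLONG;

/* Layout proposed in the issue: the share-count fields get their own anonymous struct. */
struct _MIPFNBLINK {
    union {
        struct { ULONGLONG Blink : 36; ULONGLONG NodeBlinkHigh : 20; ULONGLONG TbFlushStamp : 4;
                 ULONGLONG Unused : 2; ULONGLONG PageBlinkDeleteBit : 1; ULONGLONG PageBlinkLockBit : 1; };
        struct { ULONGLONG ShareCount : 62; ULONGLONG PageShareCountDeleteBit : 1;
                 ULONGLONG PageShareCountLockBit : 1; };
        ULONGLONG EntireField;
        volatile LONGLONG Lock;
        struct { ULONGLONG LockNotUsed : 62; ULONGLONG DeleteBit : 1; ULONGLONG LockBit : 1; };
    };
};

/* Assumed "before" layout (the page only shows it as a screenshot): the same three fields
 * appended to the first anonymous struct, so the bit-field run spills into a second 64-bit unit. */
struct MIPFNBLINK_ASSUMED_BEFORE {
    union {
        struct { ULONGLONG Blink : 36; ULONGLONG NodeBlinkHigh : 20; ULONGLONG TbFlushStamp : 4;
                 ULONGLONG Unused : 2; ULONGLONG PageBlinkDeleteBit : 1; ULONGLONG PageBlinkLockBit : 1;
                 ULONGLONG ShareCount : 62; ULONGLONG PageShareCountDeleteBit : 1;
                 ULONGLONG PageShareCountLockBit : 1; };
        ULONGLONG EntireField;
    };
};

size_t mipfnblink_size_fixed(void)  { return sizeof(struct _MIPFNBLINK); }              /* 8 bytes  */
size_t mipfnblink_size_before(void) { return sizeof(struct MIPFNBLINK_ASSUMED_BEFORE); } /* 16 bytes */

/* One raw 8-byte value read back through every view of the fixed layout. */
struct mipfn_view { ULONGLONG blink, node_blink_high, share_count; int delete_bit, lock_bit, views_agree; };
struct mipfn_view mipfn_decode(ULONGLONG raw) {
    struct _MIPFNBLINK p; p.EntireField = raw;
    struct mipfn_view v = { p.Blink, p.NodeBlinkHigh, p.ShareCount, (int)p.DeleteBit, (int)p.LockBit, 0 };
    /* The delete and lock bits must land on the same two bits (62, 63) in all three bit-field views. */
    v.views_agree = p.PageBlinkLockBit == p.PageShareCountLockBit && p.PageShareCountLockBit == p.LockBit
                 && p.PageBlinkDeleteBit == p.PageShareCountDeleteBit && p.PageShareCountDeleteBit == p.DeleteBit;
    return v;
}

int main(void) {
    struct mipfn_view v = mipfn_decode(0x8000001000000123ULL); /* constructed sample: lock bit, bit 36, 0x123 */
    printf("sizeof fixed=%zu before=%zu\n", mipfnblink_size_fixed(), mipfnblink_size_before());
    printf("Blink=%#llx NodeBlinkHigh=%llu ShareCount=%#llx Delete=%d Lock=%d agree=%d\n",
           v.blink, v.node_blink_high, v.share_count, v.delete_bit, v.lock_bit, v.views_agree);
    return 0;
}
```

On x86-64 the fixed struct is 8 bytes while the assumed "before" layout grows to 16, which is exactly the mismatch with the `//0x8 bytes (sizeof)` header that the screenshots show.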

SergiusTheBest commented 3 years ago

Thank you for reporting this! We'll take a look.