Geoff Chappell - Software Analyst
Not all undocumented Windows structures are equally undocumented. Most of the prominent ones have some official disclosure—certainly not documentation, but disclosure nonetheless—through type information in the public symbol files. For a handful of prominent ones, type information has made it into the public symbol files only for a smattering of versions. The structure in which WIN32K.SYS keeps what it knows of a process surely counts as prominent. Yet the public symbol files for WIN32K have type information for this structure in version 6.1 only. Worse, this type information is incorrect even though the symbol files do match the executables. So it’s big news, relatively speaking, that the public symbol files in the 1803 release of Windows 10 have type information for the sub-structure at this one’s start.
It turns out that a few structures that have never or only rarely had type information in public symbol files have it for the 1803 release. I attended to some of that back in July, just as fallout from my articles on driver signing, but clearly it’s (past) time for a round of updating the bookkeeping. Where are the research students to do this?
Having Microsoft’s names and types is always welcome. Understanding anyone else’s code is very much harder when you have to make up names for everything. Of course, having the manufacturer’s names doesn’t mean you should trust that what’s named truly does what the name suggests (any more than having source code would give you the luxury of believing the comments). But a little extra watchfulness against being misled is nothing set against the extra work of inventing good names and tracking all your changes of them as your understanding develops.
The ideal, of course, is to have not just a bare catalogue of offsets, types and names, but some level of informed annotation—and to have it as basic, common knowledge for all who study Windows. Why is some sort of curation not organised by someone who has the resources to do it more frequently?
The good and bad in this is that I find small mistakes. Good because mistakes don’t quite mortify me, but do very nearly, and it’s vital that they get corrected. Bad because I wonder how it is that my errors aren’t pointed out much sooner (and more frequently, for surely there are many more than I yet know). Does anyone actually read any of this material?