Geoff Chappell - Software Analyst
The SYSTEM_VDM_INSTEMUL_INFO structure (formally _SYSTEM_VDM_INSTEMUL_INFO) is what a successful call to ZwQuerySystemInformation or NtQuerySystemInformation produces in its output buffer when given the information class SystemVdmInstemulInformation (0x13).
The x64 builds reject this information class as not implemented.
The SYSTEM_VDM_INSTEMUL_INFO structure is not documented.
Microsoft does publish the practical equivalent of a C-language definition as type information in symbol files—not for the kernel, where the structure is prepared, nor even for low-level user-mode DLLs that interpret the structure, but for a handful of higher-level DLLs that might ordinarily be thought very distant from any involvement with the structure. Perhaps only by oversight, but starting as long ago as Windows 8, Microsoft’s downloadable packages of public symbols have included a smattering of private symbol files and these continue to be available through the public symbol server. Precisely which DLLs have the type information varies between versions. COMBASE.DLL is among the more reliable nowadays. Disclosure in symbol files for URLMON.DLL stopped for the 1803 release of Windows 10 but is specially notable because of this DLL’s origins in Internet Explorer and thence for the strong suggestion that Microsoft’s programmers of Internet Explorer had access to more details of low-level Windows programming than Microsoft publishes for wider use (including by the programmers of competing web browsers).
Type information for the structure has also seeped out at the other end of the Windows timeline, though not in symbol files but in statically linked libraries: GDISRVL.LIB from the Device Driver Kit (DDK) for Windows NT 3.51; and SHELL32.LIB from the DDK for Windows NT 4.0.
The SYSTEM_VDM_INSTEMUL_INFO is 0x88 bytes in both 32-bit and 64-bit Windows in all known versions.
| Offset | Definition |
|---|---|
| 0x00 |
ULONG SegmentNotPresent; |
| 0x04 |
ULONG VdmOpcode0F; |
| 0x08 |
ULONG OpcodeESPrefix; |
| 0x0C |
ULONG OpcodeCSPrefix; |
| 0x10 |
ULONG OpcodeSSPrefix; |
| 0x14 |
ULONG OpcodeDSPrefix; |
| 0x18 |
ULONG OpcodeFSPrefix; |
| 0x1C |
ULONG OpcodeGSPrefix; |
| 0x20 |
ULONG OpcodeOPER32Prefix; |
| 0x24 |
ULONG OpcodeADDR32Prefix; |
| 0x28 |
ULONG OpcodeINSB; |
| 0x2C |
ULONG OpcodeINSW; |
| 0x30 |
ULONG OpcodeOUTSB; |
| 0x34 |
ULONG OpcodeOUTSW; |
| 0x38 |
ULONG OpcodePUSHF; |
| 0x3C |
ULONG OpcodePOPF; |
| 0x40 |
ULONG OpcodeINTnn; |
| 0x44 |
ULONG OpcodeINTO; |
| 0x48 |
ULONG OpcodeIRET; |
| 0x4C |
ULONG OpcodeINBimm; |
| 0x50 |
ULONG OpcodeINWimm; |
| 0x54 |
ULONG OpcodeOUTBimm; |
| 0x58 |
ULONG OpcodeOUTWimm; |
| 0x5C |
ULONG OpcodeINB; |
| 0x60 |
ULONG OpcodeINW; |
| 0x64 |
ULONG OpcodeOUTB; |
| 0x68 |
ULONG OpcodeOUTW; |
| 0x6C |
ULONG OpcodeLOCKPrefix; |
| 0x70 |
ULONG OpcodeREPNEPrefix; |
| 0x74 |
ULONG OpcodeREPPrefix; |
| 0x78 |
ULONG OpcodeHLT; |
| 0x7C |
ULONG OpcodeCLI; |
| 0x80 |
ULONG OpcodeSTI; |
| 0x84 |
ULONG BopCount; |
Each member is a dispatch count, mostly for a corresponding opcode whose virtual-8086 execution is handled first in ring 0.