SKETCH OF HOW RESEARCH MIGHT CONTINUE AND RESULTS BE PRESENTED

LDR_DDAG_NODE

The LDR_DDAG_NODE structure extends the LDR_DATA_TABLE_ENTRY that represents a loaded module. It was introduced in Windows 8 to deal with age-old problems of tracking the dependencies of DLLs on one another as they get loaded and unloaded.

The following table shows the changing sizes:

Version Size (x86) Size (x64)
6.2 to 6.3 0x30 0x50
10.0 to 2004 0x2C 0x50

These sizes, and the offsets, types and names in the tables that follow, are from Microsoft’s symbol files for the kernel and NTDLL starting with Windows 8.

Offset (x86) Offset (x64) Definition Versions
0x00 0x00 
LIST_ENTRY Modules;
 6.2 and higher
0x08 0x10 
LDR_SERVICE_TAG_RECORD *ServiceTagList;
 6.2 and higher
0x0C 0x18 
ULONG LoadCount;
 6.2 and higher
0x10 0x1C 
ULONG ReferenceCount;
 6.2 to 6.3 
ULONG LoadWhileUnloadingCount;
 10.0 and higher
0x14 0x20 
ULONG DependencyCount;
 6.2 to 6.3 
ULONG LowestLink;
 10.0 and higher
0x18 0x28 
union {
    LDRP_CSLIST Dependencies;
    SINGLE_LIST_ENTRY *RemovalLink;
;
 6.2 to 6.3 
LDRP_CSLIST Dependencies;
 10.0 and higher
0x1C 0x30 
LDRP_CSLIST IncomingDependencies;
 6.2 and higher
0x20 0x38 
LDR_DDAG_STATE State;
 6.2 and higher
0x24 0x40 
SINGLE_LIST_ENTRY *CondenseLink;
 6.2 and higher
0x28 0x48 
ULONG PreorderNumber;
 6.2 and higher
0x2C 0x4C 
ULONG LowestLink;
 6.2 to 6.3

This page was created on 14th June 2016 and was last modified on 29th December 2022.

Copyright © 2016-2022. Geoff Chappell. All rights reserved. Conditions apply.