Geoff Chappell - Software Analyst
The MI_PARTITION_CORE structure (formally _MI_PARTITION_CORE) is here thought to exist only as a subdivision of the MI_PARTITION, specifically as the latter’s Core member. Even more specifically, it looks to be intended as the partition’s first member. See that it starts with the essential details of the partition as a partition among partitions: an identifier; flags; reference count; parent partition; and linkage into the list of all partitions.
The MI_PARTITION_CORE is highly susceptible to changing between builds. The following changes of size give some rough indication of the variability so far:
| Version | Size (x86) | Size (x64) |
|---|---|---|
| 10.0 | 0xE8 | 0x0168 |
| 1511 | 0xB8 | 0x0158 |
| 1607 | 0xBC | 0x0160 |
| 1703 | 0xF8 | 0x01C8 |
| 1709 to 1809 | 0xE4 | 0x01A8 |
| 1903 | 0xE4 | 0x01B0 |
| 2004 | 0xE8 | 0x01B8 |
The sizes in the preceding table and the offsets, names and types in the next are from type information in public symbol files for the kernel.
| Offset (x86) | Offset (x64) | Definition | Versions |
|---|---|---|---|
| 0x00 | 0x00 |
USHORT PartitionId; |
10.0 and higher |
| 0x04 | 0x04 |
union {
ULONG LongFlags;
MI_PARTITION_FLAGS Flags;
} u;
|
10.0 and higher |
| 0x08 | 0x08 |
ULONG Signature; |
1607 and higher |
| 0x0C | 0x0C |
BOOLEAN MemoryConfigurationChanged; |
1703 and higher |
| 0x08 (10.0 to 1511); 0x0C (1607); 0x10 (1703) |
0x08 (10.0 to 1511); 0x10 (1607 to 1703) |
ULONG_PTR ReferenceCount; |
10.0 to 1703 |
| 0x0C (10.0 to 1511); 0x10 (1607); 0x14 (1703) |
0x10 (10.0 to 1511); 0x18 (1607 to 1703) |
MI_PARTITION *ParentPartition; |
10.0 to 1703 |
| 0x10 (10.0 to 1511); 0x14 (1607); 0x18 (1703) |
0x18 (10.0 to 1511); 0x20 (1607 to 1703) |
LIST_ENTRY ListEntry; |
10.0 to 1703 |
| 0x18 (10.0 to 1511); 0x1C (1607); 0x20 (1703); 0x10 |
0x28 (10.0 to 1511); 0x30 (1607 to 1703); 0x10 |
MI_NODE_INFORMATION *NodeInformation; |
10.0 and higher |
| 0x1C (10.0 to 1511) | 0x30 (10.0 to 1511) |
MDL *MdlPhysicalMemoryBlock; |
10.0 to 1511 |
| 0x20 (1607); 0x24 (1703); 0x14 |
0x38 (1607 to 1703); 0x18 |
RTL_AVL_TREE *PageRoot; |
1607 and higher |
| 0x20 (10.0 to 1511); 0x24 (1607); 0x28 (1703); 0x18 |
0x38 (10.0 to 1511); 0x40 (1607 to 1703); 0x20 |
PHYSICAL_MEMORY_DESCRIPTOR *MemoryNodeRuns; |
10.0 and higher |
| 0x24 (10.0) | 0x40 (10.0) |
MI_PARTITION_STATISTICS Stats; |
10.0 only |
| 0x24 (1511); 0x28 (1607); 0x2C (1703); 0x1C |
0x40 (1511); 0x48 (1607 to 1703); 0x28 |
ULONG_PTR MemoryBlockReferences; |
1511 and higher |
| 0x28 (1511); 0x2C (1607); 0x30 (1703); 0x20 |
0x48 (1511); 0x50 (1607 to 1703); 0x30 |
WORK_QUEUE_ITEM PfnUnmapWorkItem; |
1511 and higher |
| 0x38 (1511); 0x3C (1607) |
0x68 (1511); 0x70 (1607) |
BOOLEAN PfnUnmapActive; |
1511 to 1607 |
| 0x3C (1511); 0x40 (1607 to 1703); 0x30 |
0x70 (1511); 0x78 (1607); 0x70 (1703); 0x50 |
ULONG_PTR PfnUnmapCount; |
1511 and higher |
| 0x40 (1511); 0x44 (1607 to 1703); 0x34 |
0x78 (1511); 0x80 (1607); 0x78 (1703); 0x58 |
PVOID PfnUnmapWaitList; |
1511 and higher |
| 0x74 (10.0); 0x44 (1511); 0x48 (1607 to 1703); 0x38 |
0x90 (10.0); 0x80 (1511); 0x88 (1607); 0x80 (1703); 0x60 |
PHYSICAL_MEMORY_DESCRIPTOR *MemoryRuns; |
10.0 and higher |
| 0x78 (10.0); 0x48 (1511); 0x4C (1607 to 1703); 0x3C |
0x98 (10.0); 0x88 (1511); 0x90 (1607); 0x88 (1703); 0x68 |
KEVENT ExitEvent; |
10.0 and higher |
| 0x88 (10.0); 0x58 (1511); 0x5C (1607 to 1703); 0x4C |
0xB0 (10.0); 0xA0 (1511); 0xA8 (1607); 0xA0 (1703); 0x80 |
PVOID SystemThreadHandles [5]; |
10.0 to 1903 |
PVOID SystemThreadHandles [6]; |
2004 and higher | ||
| 0x9C (10.0); 0x6C (1511); 0x70 (1607 to 1703); 0x60 (1709 to 1903); 0x64 |
0xD8 (10.0); 0xC8 (1511); 0xD0 (1607); 0xC8 (1703); 0xA8 (1709 to 1903); 0xB0 |
PVOID PartitionObject; |
10.0 and higher |
| 0xA0 (10.0); 0x70 (1511); 0x74 (1607 to 1703) |
0xE0 (10.0); 0xD0 (1511); 0xD8 (1607); 0xD0 (1703) |
HANDLE PartitionObjectHandle; |
10.0 to 1703 |
| 0x78 (1703); 0x64 (1709 to 1903); 0x68 |
0xD8 (1703); 0xB0 (1709 to 1903); 0xB8 |
EX_PUSH_LOCK PartitionSystemThreadsLock; |
1703 and higher |
| 0xA4 (10.0); 0x74 (1511); 0x78 (1607); 0x7C (1703); 0x68 (1709 to 1903); 0x6C |
0xE8 (10.0); 0xD8 (1511); 0xE0 (1607 to 1703); 0xB8 (1709 to 1903); 0xC0 |
EX_PUSH_LOCK DynamicMemoryPushLock; |
10.0 and higher |
| 0xA8 (10.0); 0x78 (1511); 0x7C (1607); 0x80 (1703); 0x6C (1709 to 1903); 0x70 |
0xF0 (10.0); 0xE0 (1511); 0xE8 (1607 to 1703); 0xC0 (1709 to 1903); 0xC8 |
LONG volatile DynamicMemoryLock; |
10.0 and higher |
| 0x84 (1703); 0x70 (1709 to 1903); 0x74 |
0xEC (1703); 0xC4 (1709 to 1903); 0xCC |
BOOLEAN PfnUnmapActive; |
1703 and higher |
| 0xAC (10.0); 0x7C (1511); 0x80 (1607); 0x88 (1703); 0x74 (1709 to 1903); 0x78 |
0xF8 (10.0); 0xE8 (1511); 0xF0 (1607 to 1703); 0xC8 (1709 to 1903); 0xD0 |
KEVENT TemporaryMemoryEvent; |
10.0 and higher |
| 0x98 (1703); 0x84 (1709 to 1903); 0x88 |
0x0108 (1703); 0xE0 (1709 to 1903); 0xE8 |
HANDLE RootDirectory; |
1703 and higher |
| 0x9C (1703); 0x88 (1709 to 1903); 0x8C |
0x0110 (1703); 0xE8 (1709 to 1903); 0xF0 |
HANDLE KernelObjectsDirectory; |
1703 and higher |
| 0xBC (10.0); 0x8C (1511); 0x90 (1607); 0xA0 (1703); 0x8C (1709 to 1903); 0x90 |
0x0110 (10.0); 0x0100 (1511); 0x0108 (1607); 0x0118 (1703); 0xF0 (1709 to 1903); 0xF8 |
KEVENT *MemoryEvents [TotalNumberOfMemoryEvents]; |
10.0 and higher |
| 0xCC (1703); 0xB8 (1709 to 1903); 0xBC |
0x0170 (1703); 0x0148 (1709 to 1903); 0x0150 |
HANDLE MemoryEventHandles [TotalNumberOfMemoryEvents]; |
1703 and higher |
| 0x01A0 (1903); 0x01A8 |
ULONGLONG TotalHugeIoRanges; |
1903 and higher | |
| 0x01A0 (1709 to 1809); 0x01A8 (1903); 0x01B0 |
ULONGLONG NonChargedSecurePages; |
1709 and higher |
The MemoryEvents and MemoryEventHandles are indexed by the MI_MEMORY_EVENT_TYPES.