Geoff Chappell - Software Analyst
The MMWSL_INSTANCE is the second part of an MMWSL_FULL, which is in turn the continuation of the ancient MMWSL structure after its separation into parts for the 1607 release of Windows 10.
As an internal structure with little, if any, visibility outside the kernel, the MMWSL_SHARED varies greatly between versions and even between builds.
| Version | Size (x86) | Size (x64) |
|---|---|---|
| 1607 | 0x40 | 0x60 |
These sizes, and the names, offsets and types in the tables that follow, are from Microsoft’s symbol files for the kernel.
| Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
|---|---|---|---|---|
| 0x00 | 0x00 |
ULONG_PTR FirstFree; |
1607 and higher | previously at 0x00 in MMWSL |
| 0x04 | 0x08 |
ULONG_PTR FirstDynamic; |
1607 and higher | previously at 0x04 and 0x08 in MMWSL |
| 0x08 | 0x10 |
ULONG_PTR LastEntry; |
1607 and higher | previously at 0x08 and 0x10 in MMWSL |
| 0x0C | 0x18 |
ULONG_PTR LastInitializedWsle; |
1607 and higher | previously at 0x10 and 0x20 in MMWSL |
| 0x10 | 0x20 |
ULONG WsleSize; |
1607 and higher | previously at 0x24 and 0x40 in MMWSL |
| 0x14 | 0x28 |
ULONG_PTR NonDirectCount; |
1607 and higher | previously at 0x28 and 0x48 in MMWSL |
| 0x18 | 0x30 |
PVOID LowestPagableAddress; |
1607 and higher | previously at 0x2C and 0x50 in MMWSL |
| 0x1C | 0x38 |
MMWSLE_NONDIRECT_HASH *NonDirectHash; |
1607 and higher | previously at 0x30 and 0x58 in MMWSL |
| 0x20 | 0x40 |
MMWSLE_HASH *HashTableStart; |
1607 and higher | previously at 0x34 and 0x60 in MMWSL |
| 0x24 | 0x48 |
MMWSLE_HASH *HighestPermittedHashAddress; |
1607 and higher | previously at 0x38 and 0x68 in MMWSL |
| 0x30 | 0x50 |
MMWSLE *Wsle; |
1607 and higher | previously at 0xFC and 0x01F0 in MMWSL |
If the type information from symbol files is to be believed (as complete), then Wsle must have 16-byte alignment for 32-bit Windows and the whole structure must for 64-bit Windows (perhaps from Wsle having 16-byte alignment in 64-bit Windows too).