Geoff Chappell - Software Analyst
SKETCH OF HOW RESEARCH MIGHT CONTINUE AND RESULTS BE PRESENTED
The DEVICE_MAP structure (formally _DEVICE_MAP) is where the Object Manager arranges that the \DosDevices directory in the object namespace can refer to a local directory object instead of the global one.
The DEVICE_MAP is highly susceptible to changing between builds. The following changes of size give some rough indication:
| Version | Size (x86) | Size (x64) |
|---|---|---|
| 5.0 | 0x2C | |
| 5.1 to 6.0 | 0x30 | 0x38 |
| 6.1 to 1511 | 0x34 | 0x40 |
| 1607 to 2004 | 0x38 | 0x48 |
The sizes in the preceding table and the offsets, names and types in the next are from type information in public symbol files for the kernel, starting from Windows 2000 SP3.
| Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
|---|---|---|---|---|
| 0x00 (5.0) |
ULONG ReferenceCout; |
5.0 only | next at 0x08 | |
| 0x04 (5.0); 0x00 |
0x00 |
OBJECT_DIRECTORY *DosDevicesDirectory; |
5.0 and higher | |
| 0x04 | 0x08 |
OBJECT_DIRECTORY *GlobalDosDevicesDirectory; |
5.1 and higher | |
| 0x08 | 0x10 |
HANDLE DosDevicesDirectoryHandle; |
6.1 and higher | |
| 0x08 (5.1 to 6.0); 0x0C |
0x10 (late 5.2 to 6.0); 0x18 |
ULONG ReferenceCount; |
5.1 and higher | previously at 0x00 |
| 0x08 (5.0); 0x0C (5.1 to 6.0); 0x10 |
0x14 (late 5.2 to 6.0); 0x1C |
ULONG DriveMap; |
5.0 and higher | |
| 0x0C (5.0); 0x10 (5.1 to 6.0); 0x14 |
0x18 (late 5.2 to 6.0); 0x20 |
UCHAR DriveType [0x20]; |
5.0 and higher | |
| 0x34 | 0x40 |
EJOB *ServerSilo; |
1607 and higher |