Geoff Chappell - Software Analyst
The OBJECT_DIRECTORY_ENTRY structure (formally _OBJECT_DIRECTORY_ENTRY) is a directory object’s record of an object’s presence in the directory.
The OBJECT_DIRECTORY_ENTRY is highly susceptible to changing between builds. The following changes of size give some rough indication:
| Version | Size (x86) | Size (x64) |
|---|---|---|
| 3.10 to early 5.2 (before SP1) | 0x08 | |
| late 5.2 to 2004 | 0x0C | 0x18 |
The sizes in the preceding table and the offsets, names and types in the next are from type information in public symbol files for the kernel.
| Offset (x86) | Offset (x64) | Definition | Versions |
|---|---|---|---|
| 0x00 | 0x00 |
OBJECT_DIRECTORY_ENTRY *ChainLink; |
all |
| 0x04 | 0x08 |
PVOID Object; |
all |
| 0x08 | 0x10 |
ULONG HashValue; |
late 5.2 and higher |
The ChainLink, if not NULL, points to the entry for another object whose name within the directory has the same hash index. Through the whole history of Windows (so far), the hash index is the remainder from dividing the HashValue by 37, this being the number of separate chains that start in the OBJECT_DIRECTORY structure’s array of HashBuckets. For the first decade, however, the quotient from this division was discarded. Apparently it was not until the development of 64-bit Windows that MIcrosoft realised (or got round to acting on the obvious) that searching any one chain would be faster if the different hash values for different names were retained.