SKETCH OF HOW RESEARCH MIGHT CONTINUE AND RESULTS BE PRESENTED
ESERVERSILO_GLOBALS
The ESERVERSILO_GLOBALS (formally _ESERVERSILO_GLOBALS) holds the essence of system state that is presented differently to software in the corresponding server silo.
Variability
The ESERVERSILO_GLOBALS is highly susceptible to changing between builds. The following changes of size give some rough indication:
Version | Size (x86) | Size (x64) |
---|---|---|
10.0 to 1511 | 0x44 | 0x80 |
1607 | 0x0288 | 0x0430 |
1703 | 0x0290 | 0x0460 |
1709 to 1903 | 0x02A0 | 0x0480 |
2004 | 0x02A0 | 0x0490 |
Much of the expansion for Version 1607 came ultimately from one change. Earlier versions provide for arbitrary callers to obtain storage for their own context to associate with each server silo. The kernel used this internally to support the ETW_SILODRIVERSTATE, OBP_SILODRIVERSTATE, SEP_RM_LSA_CONNECTION_STATE, SEP_SILOSTATE and WNF_SILODRIVERSTATE structures as per-silo state for specialised purposes. Version 1607 moved all these, or at least a pointer to them, into the ESERVERSILO_GLOBALS as if built-in.
Layout
The sizes in the preceding table and the offsets, names and types in the next are from NTOSP.H for the first two releases of Windows 10 and are thereafter from type information in public symbol files for the kernel.
Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
---|---|---|---|---|
0x00 (10.0 to 1511) | 0x00 (10.0 to 1511) | ULONG ServiceSessionId; | 10.0 to 1511 | |
0x04 (10.0 to 1511) | 0x08 (10.0 to 1511) | UNICODE_STRING SiloRootDirectoryName; | 10.0 to 1511 | next at 0x023C and 0x03C8 |
0x0C (10.0 to 1511) | 0x18 (10.0 to 1511) | HANDLE SiloRootDirectoryHandle; | 10.0 to 1511 | |
0x10 (10.0 to 1511) | 0x20 (10.0 to 1511) | ULONG HardErrorState; | 10.0 to 1511 | next at 0x01F8 and 0x0370 |
0x14 (10.0 to 1511) | 0x28 (10.0 to 1511) | EPROCESS *ExpDefaultErrorPortProcess; | 10.0 to 1511 | next at 0x01F0 and 0x0360 |
0x18 (10.0 to 1511) | 0x30 (10.0 to 1511) | HANDLE ExpDefaultErrorPort; | 10.0 to 1511 | next at 0x01F4 and 0x0368 |
0x1C (10.0 to 1511) | 0x38 (10.0 to 1511) | EPROCESS *MiSessionLeaderProcess; | 10.0 to 1511 | next at 0x01EC and 0x0358 |
0x20 (10.0 to 1511) | 0x40 (10.0 to 1511) | PVOID *MonitorContextArray; | 10.0 to 1511 | |
0x24 (10.0 to 1511) | 0x48 (10.0 to 1511) | ULONG MonitorContextArrayLength; | 10.0 to 1511 | |
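As an added check (not code from the page or from Microsoft), the following models the 10.0 to 1511 layout with portable stand-ins for the Windows types and confirms that ordinary natural alignment reproduces every documented offset and the 0x44/0x80 sizes from the Variability table; the type definitions, enum names and the TerminateWorkItem trailer (State, DefaultCompartmentId, SystemProcessSecurityPort) are taken from the tables on this page, everything else is an assumption.

```c
#include <stddef.h>
#include <stdint.h>

/* Portable stand-ins for the Windows types named in the table (assumed definitions). */
typedef uint32_t ULONG;   typedef void *PVOID;   typedef void *HANDLE;
typedef struct _EPROCESS EPROCESS;                                   /* opaque here */
typedef struct { uint16_t Length, MaximumLength; uint16_t *Buffer; } UNICODE_STRING;
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct { LIST_ENTRY List; void (*WorkerRoutine)(PVOID); PVOID Parameter; } WORK_QUEUE_ITEM;
typedef enum { SERVERSILO_STATE_UNKNOWN } SERVERSILO_STATE;         /* 4-byte enums; values not on page */
typedef enum { COMPARTMENT_ID_UNKNOWN } COMPARTMENT_ID;

/* The 10.0 to 1511 layout, in the table's declaration order. */
typedef struct {
    ULONG ServiceSessionId;
    UNICODE_STRING SiloRootDirectoryName;
    HANDLE SiloRootDirectoryHandle;
    ULONG HardErrorState;
    EPROCESS *ExpDefaultErrorPortProcess;
    HANDLE ExpDefaultErrorPort;
    EPROCESS *MiSessionLeaderProcess;
    PVOID *MonitorContextArray;
    ULONG MonitorContextArrayLength;
    WORK_QUEUE_ITEM TerminateWorkItem;
    SERVERSILO_STATE State;
    COMPARTMENT_ID DefaultCompartmentId;    /* 1511 has NTSTATUS ExitStatus at this offset */
    PVOID SystemProcessSecurityPort;
} ESERVERSILO_GLOBALS_1511;

/* Documented offsets (x86, x64) beside the offset the compiler actually chose. */
#define F(m, a, b) { offsetof(ESERVERSILO_GLOBALS_1511, m), a, b }
static const struct { size_t compiled, x86, x64; } layout[] = {
    F(ServiceSessionId, 0x00, 0x00),           F(SiloRootDirectoryName, 0x04, 0x08),
    F(SiloRootDirectoryHandle, 0x0C, 0x18),    F(HardErrorState, 0x10, 0x20),
    F(ExpDefaultErrorPortProcess, 0x14, 0x28), F(ExpDefaultErrorPort, 0x18, 0x30),
    F(MiSessionLeaderProcess, 0x1C, 0x38),     F(MonitorContextArray, 0x20, 0x40),
    F(MonitorContextArrayLength, 0x24, 0x48),  F(TerminateWorkItem, 0x28, 0x50),
    F(State, 0x38, 0x70),                      F(DefaultCompartmentId, 0x3C, 0x74),
    F(SystemProcessSecurityPort, 0x40, 0x78),
};

/* Number of fields whose compiled offset differs from the documented one for this
 * build's pointer size; 0 means natural alignment alone explains the table. */
int count_layout_mismatches(void) {
    int is64 = sizeof(void *) == 8, bad = 0;
    for (size_t i = 0; i < sizeof layout / sizeof layout[0]; i++)
        bad += layout[i].compiled != (is64 ? layout[i].x64 : layout[i].x86);
    return bad;
}
/* Documented total size (Variability table) versus what the compiler produced. */
size_t documented_size(void) { return sizeof(void *) == 8 ? 0x80 : 0x44; }
size_t compiled_size(void)   { return sizeof(ESERVERSILO_GLOBALS_1511); }
```

The same pattern, with the offsets of a later build filled in from symbol files, pins down a layout before any memory-forensics or introspection tool reads fields from it.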
In the first draft of support for server silos, calling PsRegisterMonitorServerSilo to register as a monitor of server silos creates a SERVER_SILO_MONITOR structure and allocates to it a slot in every server silo's MonitorContextArray. The monitor may then call PsAllocateMonitorContextServerSilo to obtain storage whose address the function puts into the monitor's slot of a given server silo's MonitorContextArray.
Version 1607 reworked this, arguably for the better. The MonitorContextArray goes away, but the structures that the kernel itself used to insert as monitor contexts were neither thrown away nor adapted to the replacement interface. They were instead absorbed into a reworked ESERVERSILO_GLOBALS:
Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
---|---|---|---|---|
0x00 | 0x00 | OBP_SILODRIVERSTATE ObSiloState; | 1607 and higher | |
0x01A4 | 0x02E0 | SEP_SILOSTATE SeSiloState; | 1607 and higher | |
0x01B8 (1607); 0x01C0 | 0x0300 (1607); 0x0310 | SEP_RM_LSA_CONNECTION_STATE SeRmSiloState; | 1607 and higher | |
0x01E8 (1607); 0x01F0 | 0x0350 (1607); 0x0360 | ETW_SILODRIVERSTATE *EtwSiloState; | 1607 and higher | |
0x01EC (1607); 0x01F4 | 0x0358 (1607); 0x0368 | EPROCESS *MiSessionLeaderProcess; | 1607 and higher | previously at 0x1C and 0x38 |
0x01F0 (1607); 0x01F8 | 0x0360 (1607); 0x0370 | EPROCESS *ExpDefaultErrorPortProcess; | 1607 and higher | previously at 0x14 and 0x28 |
0x01F4 (1607); 0x01FC | 0x0368 (1607); 0x0378 | HANDLE ExpDefaultErrorPort; | 1607 and higher | previously at 0x18 and 0x30 |
0x01F8 (1607); 0x0200 | 0x0370 (1607); 0x0380 | ULONG HardErrorState; | 1607 and higher | previously at 0x10 and 0x20 |
0x0204 | 0x0388 | EXP_LICENSE_STATE *ExpLicenseState; | 2004 and higher | |
0x0200 (1607); 0x0208 | 0x0378 (1607); 0x0388 (1703 to 1903); 0x0390 | WNF_SILODRIVERSTATE WnfSiloState; | 1607 and higher | |
0x0238 | 0x03C0 (1709 to 1903); 0x03C8 | DBGK_SILOSTATE DbgkSiloState; | 1709 and higher | |
0x0238 (1703); 0x0248 | 0x03C0 (1703); 0x03E0 (1709 to 1903); 0x03E8 | UNICODE_STRING PsProtectedCurrentDirectory; | 1703 and higher | |
0x0240 (1703); 0x0250 | 0x03D0 (1703); 0x03F0 (1709 to 1903); 0x03F8 | UNICODE_STRING PsProtectedEnvironment; | 1703 and higher | |
0x0230 (1607); 0x0248 (1703); 0x0258 | 0x03B0 (1607); 0x03E0 (1703); 0x0400 (1709 to 1903); 0x0408 | PVOID ApiSetSection; | 1607 and higher | |
0x0234 (1607); 0x024C (1703); 0x025C | 0x03B8 (1607); 0x03E8 (1703); 0x0408 (1709 to 1903); 0x0410 | PVOID ApiSetSchema; | 1607 and higher | |
0x0238 (1607); 0x0250 (1703); 0x0260 | 0x03C0 (1607); 0x03F0 (1703); 0x0410 (1709 to 1903); 0x0418 | BOOLEAN OneCoreForwardersEnabled; | 1607 and higher | |
0x0254 (1703); 0x0264 | 0x03F8 (1703); 0x0418 (1709 to 1903); 0x0420 | UNICODE_STRING NtSystemRoot; | 1703 and higher | |
0x023C (1607); 0x025C (1703); 0x026C | 0x03C8 (1607); 0x0408 (1703); 0x0428 (1709 to 1903); 0x0430 | UNICODE_STRING SiloRootDirectoryName; | 1607 and higher | previously at 0x04 and 0x08 |
0x0244 (1607); 0x0264 (1703); 0x0274 | 0x03D8 (1607); 0x0418 (1703); 0x0438 (1709 to 1903); 0x0440 | PSP_STORAGE *Storage; | 1607 and higher | |
0x28 (10.0 to 1511) | 0x50 (10.0 to 1511) | WORK_QUEUE_ITEM TerminateWorkItem; | 10.0 to 1511 | next at 0x0278 and 0x0410 |
0x38 (10.0 to 1511); 0x0248 (1607); 0x0268 (1703); 0x0278 | 0x70 (10.0 to 1511); 0x03E0 (1607); 0x0420 (1703); 0x0440 (1709 to 1903); 0x0448 | SERVERSILO_STATE State; | 10.0 and higher | |
0x3C (10.0 to 1511); 0x024C (1607); 0x026C (1703); 0x027C | 0x74 (10.0 to 1511); 0x03E4 (1607); 0x0424 (1703); 0x0444 (1709 to 1903); 0x044C | COMPARTMENT_ID DefaultCompartmentId; | 10.0 only | |
0x3C (10.0 to 1511); 0x024C (1607); 0x026C (1703); 0x027C | 0x74 (10.0 to 1511); 0x03E4 (1607); 0x0424 (1703); 0x0444 (1709 to 1903); 0x044C | NTSTATUS ExitStatus; | 1511 and higher | |
0x40 (10.0 to 1511) | 0x78 (10.0 to 1511) | PVOID SystemProcessSecurityPort; | 10.0 to 1511 | |
0x0250 (1607); 0x0270 (1703); 0x0280 | 0x03E8 (1607); 0x0428 (1703); 0x0448 (1709 to 1903); 0x0450 | KEVENT *DeleteEvent; | 1607 and higher | |
0x0258 (1607); 0x0274 (1703); 0x0284 | 0x03F0 (1607); 0x0430 (1703); 0x0450 (1709 to 1903); 0x0458 | SILO_USER_SHARED_DATA UserSharedData; | 1607 only | |
0x0258 (1607); 0x0274 (1703); 0x0284 | 0x03F0 (1607); 0x0430 (1703); 0x0450 (1709 to 1903); 0x0458 | SILO_USER_SHARED_DATA *UserSharedData; | 1703 and higher | |
0x0278 (1703); 0x0288 | 0x0438 (1703); 0x0458 (1709 to 1903); 0x0460 | PVOID UserSharedSection; | 1703 and higher | |
0x0278 (1607); 0x027C (1703); 0x028C | 0x0410 (1607); 0x0440 (1703); 0x0460 (1709 to 1903); 0x0468 | EX_WORK_QUEUE_ITEM TerminateWorkItem; | 1607 and higher | previously at 0x28 and 0x50 |
0x029C | 0x0488 | BOOLEAN IsDownlevelContainer; | 2004 and higher | |