Geoff Chappell - Software Analyst
The public symbol file NTKRPAMP.PDB for the original release of Windows 10 tells that the kernel is built with the HAL.H header at
d:\th\minkernel\ntos\inc
and draws from it the type definitions that are tablulated below.
The header HAL.H is not known in any Device Driver Kit (DDK) or Windows Driver Kit (WDK), but all the types that the kernel’s public symbol file picks up from HAL.H are defined in the NTOSP.H which Microsoft looks to have published by oversight with the original and Version 1511 editions of the Windows 10 WDK. Two of these types are also defined in the standard headers of kernel-mode programming, WDM.H and NTDDK.H, one each. The line numbers on the left are from the unseen HAL.H but are known from the symbol file. Those on the right are from the published headers.
| Line Number | Type | WDM.H | NTDDK.H | NTOSP.H |
|---|---|---|---|---|
| 99 | struct _DEVICE_DESCRIPTION | 33221 | 34620 | |
| 931 | enum _IPI_TYPE | 35156 | ||
| 3983 | struct _HAL_NODE_RANGE | 37940 | ||
| 3998 | struct _HAL_CHANNEL_MEMORY_RANGES | 37955 | ||
| 4155 | enum HAL_APIC_DESTINATION_MODE | 12228 | 38080 | |
| 4188 | struct _INTERRUPT_REMAPPING_INFO | 38113 | ||
| 4193 | anonymous union u in struct _INTERRUPT_REMAPPING_INFO |
38118 | ||
| 4196 | anonymous struct Msi in anonymous union u in struct _INTERRUPT_REMAPPING_INFO |
38121 | ||
| 4235 | enum INTERRUPT_CONNECTION_TYPE | 38160 | ||
| 4246 | struct _INTERRUPT_HT_INTR_INFO | 38171 | ||
| 4248 | anonymous union LowPart in struct _INTERRUPT_HT_INTR_INFO |
38173 | ||
| 4249 | anonymouns struct bits in anonymous union LowPart in struct _INTERRUPT_HT_INTR_INFO |
38174 | ||
| 4265 | anonymous union HighPart in struct _INTERRUPT_HT_INTR_INFO |
38190 | ||
| 4266 | anonymous struct bits in anonymous union HighPart in struct _INTERRUPT_HT_INTR_INFO |
38191 | ||
| 4283 | struct _INTERRUPT_VECTOR_DATA | 38208 | ||
| 4303 | anonymous struct ControllerInput in struct _INTERRUPT_VECTOR_DATA |
38228 | ||
| 4310 | anonymous struct XapicMessage in struct _INTERRUPT_VECTOR_DATA |
32235 | ||
| 4315 | anonymous struct Hypertransport in struct _INTERRUPT_VECTOR_DATA |
38240 | ||
| 4319 | anonymous struct GenericMessage in struct _INTERRUPT_VECTOR_DATA |
38244 | ||
| 4324 | anonymous struct MessageRequest in struct _INTERRUPT_VECTOR_DATA |
38249 | ||
| 4337 | struct _INTERRUPT_CONNECTION_DATA | 38262 |
HAL.H line numbers for a few more types are known from the pubilc symbol file for Microsoft’s ACPI.SYS driver. Plainly, HAL.H defines many more types than show in public symbol files. Conversly, although WDM.H and NTDDK.H each have only one of the HAL.H types that show in the public symbol files for the kernel, even a brief look at surrounding lines suggests that both headers have yet more types from HAL.H—more, even, than show in any symbol files that Microsoft is known to have published.
By far the greatest disclosure of types that are defined in HAL.H is not from any symbol file or from any header for kernel-mode programming. It is instead from a statically linked library, named CLFSMGMT.LIB, which Microsoft distributes with the Software Development Kit (SDK) as if for user-mode programming. It has type information from archiving an object file that’s produced by making a pre-compiled header. This PCH will have saved time when compiling other source files for the library, but a side-effect is that type information, if there’s any, is for all the types that might be used, rather than just those that actually do get used. Microsoft surely didn’t mean it, but this publicly released library’s record of types and line numbers in the otherwise very private HAL.H is credibly complete.
A detraction of type information in libraries is that it can be, and often is, out of date. Symbol files for a binary that is distributed with the operating system are created with the binary and can be taken as definitive for this operating system. This is depended on vitally for the debugger’s location of internal functions and variables, if not for the debugger extensions’ interpretation of types. In contrast, a library may be targeted for an operating system but have been built even years before. It exists to help the linker resolve external references and it remains relevant for as long as do the references. Especially if type information is in the library only by oversight, it can be quite stale without any effect for the library’s intended use.
For instance, the CLFSMGMT.LIB in the SDK for Windows 7 was built on 11th June 2009, more than a month before the Windows 7 kernel on 14th July. The headers that were used when building the library can have been edited since. Type information from those headers as compiled for the library is still informative, even immensely so, but is not definitive for the not-quite-matching operating system.
It happens that no such delay affects the CLFSMGMT.LIB in the SDK for the original Windows 10. Indeed, this library was built a little later on the same day as the operating system. For all the types in the symbol files for the kernel and for drivers such as ACPI.SYS, the line numbers agree perfectly with those in the library. For the many more types that are known from the library, the line numbers almost certainly are correct. The CLFSMGMT.LIB from the original Windows 10 SDK plausibly contains a catalogue of all types that are defined in the unseen HAL.H in Microsoft’s source code for the original Windows 10.
Other published material allows for more than a catalogue of which types are defined in HAL.H and the line numbers at which those definitions start. Some of these types are also defined in one or more of the standard headers of kernel-mode programming, e.g., WDM.H and NTDDK.H. It may be that content is extracted from HAL.H to the standard headers. It may be that all are extracted from yet some other input. However it’s done, the effect looks to be that successive lines of HAL.H are appended to zero or more of the published headers, and each of the latter then has one contiguous region of lines that are each in HAL.H. Matching line numbers for type definitions as seen in the standard headers and deduced for HAL.H then supports a reasonable attempt at reconstructing much of what HAL.H must have between its type definitions. The table below is a skeleton for reconstructing the HAL.H from the original Windows 10.
Reconstruction is greatly helped by Microsoft’s disclosure of NTOSP.H. This header covers much more of HAL.H than do all the standard WDK headers in total. Between the type definitions are many function prototypes, macro definitions and even the occasional comment that might pass as informative. Without the C-language definitions in NTOSP.H and the type information in CLFSMGMT.LIB, hardly anything from HAL.H would ever have been known except through different reverse engineers' made-up definitions (or through leaked source code or, worse, through leaked definitions that are passed off as reverse engineering). With these disclosures by Microsoft, studies of the HAL and its interface with the kernel and a few drivers can share Microsoft’s definitions, which is no small help.
| HAL.H | Type | WDM.H | NTDDK.H | NTOSP.H |
|---|---|---|---|---|
| 53 | struct _OEM_FONT_FILE_HEADER | 34577 | ||
| 84 | unnamed struct Map in struct _OEM_FONT_FILE_HEADER |
34608 | ||
| 99 | struct _DEVICE_DESCRIPTION | 33221 | 34620 | |
| 153 | struct _DMA_ADAPTER_INFO_V1 | 33264 | 34674 | |
| 161 | struct _DMA_ADAPTER_INFO | 33272 | 34682 | |
| 163 | anonymous union in struct _DMA_ADAPTER_INFO |
33274 | 34684 | |
| 174 | struct _DMA_TRANSFER_INFO_V1 | 33285 | 34695 | |
| 180 | struct _DMA_TRANSFER_INFO | 33291 | 34701 | |
| 182 | anonymous union in struct _DMA_TRANSFER_INFO |
33293 | 34703 | |
| 218 | struct _PARTITION_DESCRIPTOR | 34739 | ||
| 769 | enum _HAL_DMA_CRASH_DUMP_REGISTER_TYPE | 11450 | 35046 | |
| 931 | enum _IPI_TYPE | 35156 | ||
| 983 | struct _HAL_LOG_REGISTER_CONTEXT | 35183 | ||
| 1131 | struct _SUPPORTED_RANGE | |||
| 1139 | struct _SUPPORTED_RANGES | |||
| 1163 | struct _BUS_HANDLER | |||
| 1318 | struct _HAL_STATE_ELEMENT | 35275 | ||
| 1325 | struct _HAL_STATE_ELEMENT_INFORMATION | 35282 | ||
| 1337 | enum _HAL_QUERY_INFORMATION_CLASS | 11557 | 35294 | |
| 1385 | enum _HAL_SET_INFORMATION_CLASS | 11605 | 35342 | |
| 1409 | struct _HAL_SET_I386_EXCEPTION_CHAIN_TERMINATOR_INFORMATION | 35366 | ||
| 1513 | struct _PM_DISPATCH_TABLE | 11700 | 35470 | |
| 1615 | struct _MAP_REGISTER_ENTRY | 11775 | 35572 | |
| 1687 | struct DEBUG_DEVICE_ADDRESS | 11829 | 35644 | |
| 1695 | struct DEBUG_MEMORY_REQUIREMENTS | 11837 | 35652 | |
| 1704 | enum KD_NAMESPACE_ENUM | 11846 | 35661 | |
| 1717 | enum KD_CALLBACK_ACTION | 11859 | 35674 | |
| 1728 | struct _DEBUG_TRANSPORT_DATA | 11870 | 35685 | |
| 1739 | struct _DEBUG_DEVICE_DESCRIPTOR | 11881 | 35696 | |
| 1748 | anonymous union in struct _DEBUG_DEVICE_DESCRIPTOR |
11890 | 35705 | |
| 1750 | anonymous struct in anonymous union in struct _DEBUG_DEVICE_DESCRIPTOR |
11892 | 35707 | |
| 1773 | struct _PCI_DEBUGGING_DEVICE_IN_USE | 11915 | 35730 | |
| 1779 | struct _ACPI_DEBUGGING_DEVICE_IN_USE | 11921 | 35736 | |
| 1784 | struct _DEBUGGING_DEVICE_IN_USE | 11926 | 35741 | |
| 1787 | anonymous union in struct _DEBUGGING_DEVICE_IN_USE |
11929 | 35744 | |
| 1793 | struct _DEBUGGING_DEVICE_IN_USE_INFORMATION | 11935 | 35750 | |
| 1991 | struct _HAL_DP_REPLACE_PARAMETERS | 35948 | ||
| 2194 | struct _HAL_CLOCK_TIMER_MODE | 36151 | ||
| 2204 | struct _HAL_CLOCK_TIMER_CONFIGURATION | 36161 | ||
| 2205 | anonymous union in struct _HAL_CLOCK_TIMER_CONFIGURATION |
36162 | ||
| 2207 | anonymous struct in anonymous union in struct _HAL_CLOCK_TIMER_CONFIGURATION |
36164 | ||
| 2556 | union _HAL_UNMASKED_INTERRUPT_FLAGS | 36513 | ||
| 2557 | anonymous struct in union _HAL_UNMASKED_INTERRUPT_FLAGS |
36514 | ||
| 2566 | struct _HAL_UNMASKED_INTERRUPT_INFORMATION | 36523 | ||
| 2726 | struct HAL_DISPATCH | 12060 | 36683 | |
| 2806 | struct HAL_PRIVATE_DISPATCH | 36763 | ||
| 3318 | struct _HAL_IOMMU_DISPATCH | 37275 | ||
| 3366 | struct _HAL_BUS_INFORMATION | 12138 | 37323 | |
| 3374 | struct _HAL_DISPLAY_BIOS_INFORMATION | 12146 | 37331 | |
| 3381 | struct _HAL_POWER_INFORMATION | 12153 | 37338 | |
| 3386 | struct _HAL_PROCESSOR_SPEED_INFO | 12158 | 37343 | |
| 3391 | struct _HAL_CALLBACKS | 12163 | 37348 | |
| 3397 | struct _HAL_PROCESSOR_FEATURE | 12168 | 37354 | |
| 3405 | struct _HAL_PROFILE_SOURCE_INFORMATION | 37362 | ||
| 3413 | struct _HAL_PROFILE_SOURCE_INFORMATION_EX | 37370 | ||
| 3423 | struct _HAL_PROFILE_SOURCE_INTERVAL | 37380 | ||
| 3429 | struct _HAL_PROFILE_SOURCE_LIST | 37386 | ||
| 3438 | enum _HAL_PLATFORM_TIMER_SOURCE | 37395 | ||
| 3459 | struct _HAL_PLATFORM_TIMER_INFORMATION | 37416 | ||
| 3467 | struct _HAL_ACPI_AUDIT_INFORMATION | 37424 | ||
| 3469 | anonymous struct in struct _HAL_ACPI_AUDIT_INFORMATION |
37426 | ||
| 3478 | struct _HAL_PARKING_PAGE_INFORMATION | 37435 | ||
| 3486 | struct _HAL_IOMMU_RESERVED_REGION_INFORMATION | 37443 | ||
| 3493 | struct _HAL_QUERY_PROCESSOR_EFFICIENCY_INFORMATION | 37450 | ||
| 3679 | union _HAL_X64_SEGMENT_SELECTOR | 37636 | ||
| 3681 | anonymous struct in _HAL_X64_SEGMENT_SELECTOR |
37638 | ||
| 3708 | struct _HAL_HV_SVM_SYSTEM_CAPABILITIES | 37665 | ||
| 3709 | anonymous struct in struct _HAL_HV_SVM_SYSTEM_CAPABILITIES |
37666 | ||
| 3735 | struct _HAL_HV_SVM_DEVICE_CAPABILITIES | 37692 | ||
| 3736 | anonymous struct in struct _HAL_HV_SVM_DEVICE_CAPABILITIES |
37693 | ||
| 3846 | struct _HAL_INTEL_ENLIGHTENMENT_INFORMATION | 37803 | ||
| 3970 | struct _HAL_NUMA_TOPOLOGY_INTERFACE | 37927 | ||
| 3983 | struct _HAL_NODE_RANGE | 37940 | ||
| 3990 | struct _HAL_IRT_INFORMATION | 37947 | ||
| 3998 | struct _HAL_CHANNEL_MEMORY_RANGES | 37955 | ||
| 4014 | enum HAL_PCC_CHANNEL_POWER_COMMAND | 37971 | ||
| 4022 | struct _HAL_CHANNEL_COMMAND | 37979 | ||
| 4035 | struct _HAL_EXTERNAL_CACHE_INFO | 37992 | ||
| 4044 | union _HAL_PSCI_INFO | 38001 | ||
| 4046 | anonymous struct in union _HAL_PSCI_INFO |
38003 | ||
| 4056 | union _INTERRUPT_CONTROLLER_INFO | 38013 | ||
| 4058 | anonymous struct in union _INTERRUPT_CONTROLLER_INFO |
38015 | ||
| 4071 | struct _ARM_ERRATA_INFO | 38028 | ||
| 4072 | anonymous union in struct _ARM_ERRATA_INFO |
38029 | ||
| 4074 | anonymous struct in anonymous union in struct _ARM_ERRATA_INFO |
38031 | ||
| 4096 | struct _HAL_AMLI_BAD_IO_ADDRESS_LIST | 12188 | 38053 | |
| 4130 | struct _HAL_MCA_INTERFACE | 12222 | ||
| 4142 | enum HAL_INTERRUPT_TARGET_TYPE | 38067 | ||
| 4155 | enum HAL_APIC_DESTINATION_MODE | 12228 | 38080 | |
| 4164 | struct _HAL_INTERRUPT_TARGET_INFORMATION | 38089 | ||
| 4169 | anonymous union in struct _HAL_INTERRUPT_TARGET_INFORMATION |
38094 | ||
| 4170 | unnamed struct Apic in anonymous union in struct _HAL_INTERRUPT_TARGET_INFORMATION |
38095 | ||
| 4176 | unnamed struct Irt in anonymous union in struct _HAL_INTERRUPT_TARGET_INFORMATION |
38101 | ||
| 4188 | struct _INTERRUPT_REMAPPING_INFO | 38113 | ||
| 4193 | unnamed union u in struct _INTERRUPT_REMAPPING_INFO |
38118 | ||
| 4196 | unnamed struct Msi in unnamed union u in struct _INTERRUPT_REMAPPING_INFO |
39121 | ||
| 4204 | struct _HAL_MESSAGE_TARGET_REQUEST | 38129 | ||
| 4207 | unnamed struct Apic in struct _HAL_MESSAGE_TARGET_REQUEST |
38132 | ||
| 4235 | enum INTERRUPT_CONNECTION_TYPE | 38160 | ||
| 4246 | struct _INTERRUPT_HT_INTR_INFO | 38171 | ||
| 4248 | unnamed union LowPart in struct _INTERRUPT_HT_INTR_INFO |
38173 | ||
| 4249 | unnamed struct bits in unnamed union LowPart in struct _INTERRUPT_HT_INTR_INFO |
38174 | ||
| 4265 | unnamed union HighPart in struct _INTERRUPT_HT_INTR_INFO |
38190 | ||
| 4266 | unnamed struct bits in unnamed union HighPart in struct _INTERRUPT_HT_INTR_INFO |
38191 | ||
| 4283 | struct _INTERRUPT_VECTOR_DATA | 38208 | ||
| 4303 | unnamed struct ControllerInput in struct _INTERRUPT_VECTOR_DATA |
38228 | ||
| 4309 | anonymous union in struct _INTERRUPT_VECTOR_DATA |
38234 | ||
| 4310 | unnamed struct XapicMessage in anonymous union in struct _INTERRUPT_VECTOR_DATA |
38235 | ||
| 4315 | unnamed struct Hypertransport in anonymous union in struct _INTERRUPT_VECTOR_DATA |
38240 | ||
| 4319 | unnamed struct GenericMessage in anonymous union in struct _INTERRUPT_VECTOR_DATA |
38244 | ||
| 4324 | unnamed struct MessageRequest in anonymous union in struct _INTERRUPT_VECTOR_DATA |
38249 | ||
| 4337 | struct _INTERRUPT_CONNECTION_DATA | 38262 | ||
| 4401 | struct _MCA_DRIVER_INFO | 12289 | ||
| 4412 | enum KERNEL_MCE_DELIVERY_OPERATION | |||
| 4428 | struct KERNEL_ERROR_HANDLER_INFO | |||
| 4467 | struct _HAL_ERROR_INFO | 12297 | ||
| 4560 | struct _CMC_DRIVER_INFO | 12379 | ||
| 4566 | struct _CPE_DRIVER_INFO | 12385 | ||
| 4572 | struct _HAL_PLATFORM_INFORMATION | 12391 | ||
| 4592 | struct _SCATTER_GATHER_ELEMENT | 33374 | 38272 | |
| 4604 | struct _SCATTER_GATHER_LIST | 33386 | 38284 | |
| 4628 | struct _DMA_ADAPTER | 33410 | 38308 | |
| 4635 | enum DMA_COMPLETION_STATUS | 33417 | 38315 | |
| 4956 | struct _DMA_OPERATIONS | 33738 | 38636 | |
| 5404 | struct _MEMORY_CACHING_REQUIREMENTS | |||
| 5422 | enum _PHYSICAL_COUNTER_RESOURCE_DESCRIPTOR_TYPE | 12598 | ||
| 5451 | struct _PHYSICAL_COUNTER_RESOURCE_DESCRIPTOR | 12627 | ||
| 5454 | unnamed union u in struct _PHYSICAL_COUNTER_RESOURCE_DESCRIPTOR |
12630 | ||
| 5457 | unnamed struct Range in unnamed union u in struct _PHYSICAL_COUNTER_RESOURCE_DESCRIPTOR |
12633 | ||
| 5484 | struct _PHYSICAL_COUNTER_RESOURCE_LIST | 12660 |