Geoff Chappell - Software Analyst
The public symbol file NTKRPAMP.PDB for the original release of Windows 10 tells that the kernel is built with the NTLDR.H header at
d:\th.public.fre\internal\sdk\inc
and draws from it the type definitions that are tabulated below. The header NTLDR.H is not known in any Device Driver Kit (DDK) or Windows Driver Kit (WDK).
| Line Number | Type |
|---|---|
| 100 | struct _LDR_SERVICE_TAG_RECORD |
| 105 | enum _LDR_DDAG_STATE |
| 127 | struct _LDRP_CSLIST |
| 135 | struct _LDR_DDAG_NODE |
| 152 | enum _LDR_DLL_LOAD_REASON |
| 167 | struct _LDR_DATA_TABLE_ENTRY |
| 248 | struct _KLDR_DATA_TABLE_ENTRY |
| 263 | unnamed union u1 in struct _KLDR_DATA_TABLE_ENTRY |
Note that several of these structures are shared with—indeed, used more by—NTDLL in user mode. Though it’s plain as day that the user-mode LDR_DATA_TABLE_ENTRY and kernel-mode KLDR_DATA_TABLE_ENTRY have a common origin, confirmation that they are defined in the same header is welcome: guessing it would never have been safe.
More types from NTLDR.H show in symbol files for other modules. Some of these others are public symbols for kernel-mode drivers, especially for processor power management. Some are private symbols for user-mode DLLs. Among these are some that are very far removed from system programming, e.g., URLMON.DLL from Internet Explorer. If inclusion of these unusually detailed symbol files in downloadable packages of public symbols for all off Windows was at first an oversight, it has been left to stand for years, though not for all modules. For instance, it ceased for URLMON.DLL after the 1709 edition of Windows 10.
For the record, here are the types that Microsoft’s freely published URLMON.PDB reveals were accessible to the source code for URLMON.DLL from including NTLDR.H when building for the original release of 32-bit Windows 10:
| Line Number | Type |
|---|---|
| 100 | struct _LDR_SERVICE_TAG_RECORD |
| 105 | enum _LDR_DDAG_STATE |
| 127 | struct _LDRP_CSLIST |
| 135 | struct _LDR_DDAG_NODE |
| 152 | enum _LDR_DLL_LOAD_REASON |
| 167 | struct _LDR_DATA_TABLE_ENTRY |
| 248 | struct _KLDR_DATA_TABLE_ENTRY |
| 263 | unnamed union u1 in struct _KLDR_DATA_TABLE_ENTRY |
| 282 | struct _LDR_DATA_TABLE_ENTRY32 |
| 317 | struct _LDR_DATA_TABLE_ENTRY64 |
| 352 | struct _KLDR_DATA_TABLE_ENTRY32 |
| 377 | struct _KLDR_DATA_TABLE_ENTRY64 |
| 622 | struct _LDR_IMPORT_CALLBACK_INFO |
| 627 | struct _LDR_SECTION_INFO |
| 639 | struct _LDR_VERIFY_IMAGE_INFO |
| 776 | struct _COVERAGE_SECTION_HEADER |
| 832 | struct _LDR_ENUM_RESOURCE_ENTRY |
| 833 | unnamed union for Path in struct _LDR_ENUM_RESOURCE_ENTRY |
| 894 | struct _RTL_MODULE_BASIC_INFO |
| 898 | struct _RTL_MODULE_EXTENDED_INFO |
| 916 | struct _RTL_PROCESS_MODULE_INFORMATION |
| 929 | struct _RTL_PROCESS_MODULE_INFORMATION_EX |
| 937 | struct _RTL_PROCESS_MODULES |
| 1069 | struct _LOAD_ASDATA_TABLE |
| 1198 | struct _LDR_DLL_LOADED_NOTIFICATION_DATA |
| 1210 | struct _LDR_DLL_UNLOADED_NOTIFICATION_DATA |
| 1220 | union _LDR_DLL_NOTIFICATION_DATA |
| 1429 | struct _LDR_FAILURE_DATA |
| 1442 | unnamed enum |