Wrong offsets for KPCR::Prcb and others #19

Open
VelocityRa opened this issue Jul 6, 2020 · 5 comments

Comments

VelocityRa commented Jul 6, 2020

And possibly others.

Take this example: https://github.com/ntdiff/headers/blob/master/Win10_1909_19H2/x64/System32/ntoskrnl.exe/Standalone/_KPCR.h#L1331

For all major compilers, the calculated offset is 0x178, not 0x180: https://godbolt.org/z/ZJ-DfV

Edit: And if I use #pragma pack, the size is 0x174.


Apparently the reason is:

Curiously, PcrAlign1 does not by itself align the Prcb that follows. That Prcb is meant to be cache-aligned is certain: cache alignment is plainly a recurring concern within the KPRCB and is obviously simpler to arrange if the KPRCB is itself cache aligned (which it isn't for 32-bit Windows).

Source

VelocityRa changed the title from "Wrong offsets for _KPCR::Prcb" to "Wrong offsets for KPCR::Prcb" on Jul 6, 2020
VelocityRa (Author) commented:

This is also wrong https://github.com/ntdiff/headers/blob/master/Win10_1909_19H2/x64/System32/ntoskrnl.exe/Standalone/_KPRCB.h#L915

It should be at offset 0xFA. Same for the following struct, since said struct has an alignment of 2 because of the short in there.

wbenny (Owner) commented Jan 27, 2021

You're probably missing #pragma pack(1) - which is recommended to use with any structs on ntdiff.

VelocityRa (Author) commented:

@wbenny If I do this, it works in this case, but most other structs break.

For example _EPROCESS size is calculated as 0x868 instead of 0x880 as it says in the ntdiff headers.
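The two observations above (Prcb landing at 0x178 or 0x174 depending on packing, and #pragma pack(1) shrinking _EPROCESS below the size the header annotates) are the same effect seen from two sides. The following is an added example written for this thread, not code from ntdiff or from any participant. It is a constructed miniature: the member names are borrowed from the x64 KPCR/KPRCB, but the field sizes are chosen only so that the arithmetic reproduces the numbers in the thread. It shows the three layouts side by side (natural, pack(1), and Prcb declared cache-line aligned, which is what the quoted explanation implies the PDB encodes), plus the kind of offset check a consumer of PDB-derived headers should compile in before dereferencing anything:

```c
/* Added example for this issue, not ntdiff's code. Constructed miniature of the
 * x64 KPCR/KPRCB layout: names are borrowed, sizes are chosen only so that the
 * arithmetic reproduces the thread's numbers (0x178 natural, 0x174 under
 * #pragma pack(1), 0x180 as the ntdiff header annotates). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for KPRCB. The USHORT members give it natural alignment 2, as the
 * real KPRCB has; nothing in the type itself asks for cache-line alignment. */
struct MiniPrcb {
    uint8_t  MxCsr[4];
    uint8_t  LegacyNumber;
    uint8_t  ReservedMustBeZero;
    uint8_t  InterruptRequest;
    uint8_t  IdleHalt;
    uint16_t Number;
    uint16_t Fill;
};

/* Member list shared by the three PCR variants. The 4-byte Unused2 followed by
 * an 8-byte field is the padding hole that #pragma pack(1) removes. */
#define MINI_PCR_MEMBERS(PRCB_DECL)                                   \
    uint64_t GdtBase;          /* 0x000 */                            \
    uint8_t  Reserved[0xF8];   /* 0x008 .. 0x100 */                   \
    uint32_t Unused2;          /* 0x100 */                            \
    uint64_t KdVersionBlock;   /* 0x108 natural, 0x104 packed */      \
    uint64_t Unused3;          /* 0x110 natural, 0x10C packed */      \
    uint32_t PcrAlign1[24];    /* 0x118 .. 0x178 natural */           \
    PRCB_DECL;

/* 1. The header as published, compiled with the compiler's natural layout. */
struct MiniPcrNatural { MINI_PCR_MEMBERS(struct MiniPrcb Prcb) };

/* 2. The same header under #pragma pack(1): Prcb moves the wrong way and every
 *    field after the padding hole is off by 4. */
#pragma pack(push, 1)
struct MiniPcrPacked { MINI_PCR_MEMBERS(struct MiniPrcb Prcb) };
#pragma pack(pop)

/* 3. Prcb declared cache-line aligned: 0x178 rounded up to a multiple of 64 is
 *    0x180. On MSVC the equivalent spelling is __declspec(align(64)). */
struct MiniPcrAligned { MINI_PCR_MEMBERS(_Alignas(64) struct MiniPrcb Prcb) };

/* Compile-time checks: the cheapest way to catch a header/PDB mismatch. */
_Static_assert(offsetof(struct MiniPcrNatural, Prcb) == 0x178, "natural layout");
_Static_assert(offsetof(struct MiniPcrPacked,  Prcb) == 0x174, "packed layout");
_Static_assert(offsetof(struct MiniPcrAligned, Prcb) == 0x180, "cache-aligned layout");

size_t prcb_offset_natural(void)       { return offsetof(struct MiniPcrNatural, Prcb); }
size_t prcb_offset_packed(void)        { return offsetof(struct MiniPcrPacked,  Prcb); }
size_t prcb_offset_cache_aligned(void) { return offsetof(struct MiniPcrAligned, Prcb); }

/* pack(1) also shrinks sizeof(), which is the _EPROCESS symptom in the thread. */
size_t pcr_size_natural(void) { return sizeof(struct MiniPcrNatural); }
size_t pcr_size_packed(void)  { return sizeof(struct MiniPcrPacked); }

/* Run-time check of a compiled layout against the offsets a PDB-derived header
 * annotates; returns how many members disagree and reports each one. */
struct OffsetCheck { const char *name; size_t expected; size_t actual; };

static size_t count_mismatches(const struct OffsetCheck *t, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (t[i].expected != t[i].actual) {
            printf("  %-14s expected 0x%zx, got 0x%zx\n",
                   t[i].name, t[i].expected, t[i].actual);
            bad++;
        }
    return bad;
}

/* Expected values are the ones the miniature header would annotate. */
#define CHECK_LAYOUT(T)                                                    \
    count_mismatches((const struct OffsetCheck[]){                         \
        { "KdVersionBlock", 0x108, offsetof(struct T, KdVersionBlock) },   \
        { "PcrAlign1",      0x118, offsetof(struct T, PcrAlign1) },        \
        { "Prcb",           0x180, offsetof(struct T, Prcb) },             \
    }, 3)

size_t mismatches_natural(void) { return CHECK_LAYOUT(MiniPcrNatural); }
size_t mismatches_packed(void)  { return CHECK_LAYOUT(MiniPcrPacked); }
size_t mismatches_aligned(void) { return CHECK_LAYOUT(MiniPcrAligned); }

int main(void)
{
    printf("natural layout (Prcb at 0x%zx, sizeof 0x%zx):\n", prcb_offset_natural(), pcr_size_natural());
    printf("  %zu mismatching members\n", mismatches_natural());
    printf("pack(1) layout (Prcb at 0x%zx, sizeof 0x%zx):\n", prcb_offset_packed(), pcr_size_packed());
    printf("  %zu mismatching members\n", mismatches_packed());
    printf("cache-aligned Prcb (Prcb at 0x%zx):\n", prcb_offset_cache_aligned());
    printf("  %zu mismatching members\n", mismatches_aligned());
    return 0;
}
```

The point the run makes: natural layout gets every offset right except Prcb (one mismatch), pack(1) gets all three wrong because it also deletes the compiler's legitimate padding, and only the layout that carries the alignment the PDB recorded matches the header everywhere. A header generator that emits offsets from a PDB therefore has to emit the member or type alignment as well; consumers should keep _Static_assert checks like the ones above on the few offsets they actually rely on, so a build against the wrong header fails to compile rather than reading the wrong kernel memory.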

wbenny (Owner) commented Jan 27, 2021

Yup, I've seen that some of the structures in newer Win10 builds are somewhat broken :/ I'll have to look into this.

VelocityRa changed the title from "Wrong offsets for KPCR::Prcb" to "Wrong offsets for KPCR::Prcb and others" on Jan 27, 2021
john-8998 commented:

any update on this issue?
