Jump to content
ionut97

Catalog of key Windows kernel data structures

By ionut97, in Programe utile

Recommended Posts

ionut97 Newbie

ionut97

Posted
Posted

Catalog of key Windows kernel data structures

During our Windows internals and debugging classes, students frequently ask us questions along the lines of - "What data structure does the Windows kernel use for a mutex?". This article attempts to answer such questions by describing some of the key data structures that are used by the Windows kernel and device drivers.

This article lays emphasis on the relationship of a structure with others in the system, helping the reader navigate through these structures in the kernel debugger. While reading this article, the reader is encouraged to have a kernel debugger readily available to try out the debugger commands and examine the structures and their fields. This article is intended to be a reference, not a tutorial.

For each structure, this article provides a high level description of the structure, followed by details of some of the important fields that point to other structures. If applicable, debugger commands that apply to the structure and functions that manipulate the structure are provided. Most of the data structures mentioned in this article are allocated by the kernel from paged or non-paged pool, which is a part of the kernel virtual address space.

The following data structures are discussed in this document, click on any of them to directly go to the description.

Doubly Linked List : LIST_ENTRY

Process and Thread : EPROCESS, KPROCESS, ETHREAD, KTHREAD

Kernel and HAL : KPCR, KINTERRUPT, CONTEXT, KTRAP_FRAME, KDPC, KAPC, KAPC_STATE

Synchronization Objects : DISPATCHER_HEADER, KEVENT, KSEMAPHORE, KMUTANT, KTIMER, KGATE, KQUEUE

Executive & RTL : IO_WORKITEM

I/O Manager : IRP, IO_STACK_LOCATION, DRIVER_OBJECT, DEVICE_OBJECT, DEVICE_NODE, FILE_OBJECT

Objects and Handles : OBJECT_HEADER, OBJECT_TYPE, HANDLE_TABLE_ENTRY

Memory Manager : MDL, MMPTE, MMPFN, MMPFNLIST, MMWSL, MMWSLE, POOL_HEADER, MMVAD

Cache Manager : VACB, VACB_ARRAY_HEADER, SHARED_CACHE_MAP, PRIVATE_CACHE_MAP, SECTION_OBJECT_POINTERS

Gasiti tot aici:

CodeMachine - Article - Catalog of key Windows kernel data structures

  • Upvote 1

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...