Hi,
As Timo pointed out, I made a typo. Here are the final structures
(the ones I wrote were pseudo-code to enduce your own thinking/ideas):
lkd> dt win32k!_ENTRY -r
+0x000 einfo : _EINFO
+0x000 pobj : Ptr32 _BASEOBJECT
+0x000 hHmgr : Ptr32 Void
+0x004 ulShareCount : Uint4B
+0x008 cExclusiveLock : Uint2B
+0x00a BaseFlags : Uint2B
+0x00c Tid : Ptr32 _W32THREAD
+0x000 hFree : Ptr32 HOBJ__
+0x000 unused : Int4B
+0x004 ObjectOwner : _OBJECTOWNER
+0x000 Share : _OBJECTOWNER_S
+0x000 Lock : Pos 0, 1 Bit
+0x000 Pid_Shifted : Pos 1, 31 Bits
+0x000 ulObj : Uint4B
+0x008 FullUnique : Uint2B
+0x00a Objt : UChar
+0x00b Flags : UChar
+0x00c pUser : Ptr32 Void
lkd> dt win32k!_BASEOBJECT -r
+0x000 hHmgr : Ptr32 Void
+0x004 ulShareCount : Uint4B
+0x008 cExclusiveLock : Uint2B
+0x00a BaseFlags : Uint2B
+0x00c Tid : Ptr32 _W32THREAD
+0x000 pEThread : Ptr32 _ETHREAD
+0x004 RefCount : Uint4B
+0x008 ptlW32 : Ptr32 _TL
+0x000 next : Ptr32 _TL
+0x004 pobj : Ptr32 Void
+0x008 pfnFree : Ptr32 void
+0x00c pgdiDcattr : Ptr32 Void
+0x010 pgdiBrushAttr : Ptr32 Void
+0x014 pUMPDObjs : Ptr32 Void
+0x018 pUMPDHeap : Ptr32 Void
+0x01c pUMPDObj : Ptr32 Void
+0x020 GdiTmpTgoList : _LIST_ENTRY
+0x000 Flink : Ptr32 _LIST_ENTRY
+0x004 Blink : Ptr32 _LIST_ENTRY
lkd> dt GDIHandleBitFields
win32k!GDIHandleBitFields
+0x000 Index : Pos 0, 16 Bits
+0x000 Type : Pos 16, 5 Bits
+0x000 AltType : Pos 21, 2 Bits
+0x000 Stock : Pos 23, 1 Bit
+0x000 Unique : Pos 24, 8 Bits
lkd> dt GDIObjType
win32k!GDIObjType
GDIObjType_DEF_TYPE = 0
GDIObjType_DC_TYPE = 1
GDIObjType_UNUSED1_TYPE = 2
GDIObjType_UNUSED2_TYPE = 3
GDIObjType_RGN_TYPE = 4
GDIObjType_SURF_TYPE = 5
GDIObjType_CLIENTOBJ_TYPE = 6
GDIObjType_PATH_TYPE = 7
GDIObjType_PAL_TYPE = 8
GDIObjType_ICMLCS_TYPE = 9
GDIObjType_LFONT_TYPE = 10
GDIObjType_RFONT_TYPE = 11
GDIObjType_PFE_TYPE = 12
GDIObjType_PFT_TYPE = 13
GDIObjType_ICMCXF_TYPE = 14
GDIObjType_SPRITE_TYPE = 15
GDIObjType_BRUSH_TYPE = 16
GDIObjType_UMPD_TYPE = 17
GDIObjType_UNUSED4_TYPE = 18
GDIObjType_SPACE_TYPE = 19
GDIObjType_UNUSED5_TYPE = 20
GDIObjType_META_TYPE = 21
GDIObjType_EFSTATE_TYPE = 22
GDIObjType_BMFD_TYPE = 23
GDIObjType_VTFD_TYPE = 24
GDIObjType_TTFD_TYPE = 25
GDIObjType_RC_TYPE = 26
GDIObjType_TEMP_TYPE = 27
GDIObjType_DRVOBJ_TYPE = 28
GDIObjType_DCIOBJ_TYPE = 29
GDIObjType_SPOOL_TYPE = 30
GDIObjType_MAX_TYPE = 30
GDIObjTypeTotal = 31
lkd> dt GDILoObjType
win32k!GDILoObjType
GDILoObjType_LO_BRUSH_TYPE = 0x100000
GDILoObjType_LO_DC_TYPE = 0x10000
GDILoObjType_LO_BITMAP_TYPE = 0x50000
GDILoObjType_LO_PALETTE_TYPE = 0x80000
GDILoObjType_LO_FONT_TYPE = 0xa0000
GDILoObjType_LO_REGION_TYPE = 0x40000
GDILoObjType_LO_ICMLCS_TYPE = 0x90000
GDILoObjType_LO_CLIENTOBJ_TYPE = 0x60000
GDILoObjType_LO_ALTDC_TYPE = 0x210000
GDILoObjType_LO_PEN_TYPE = 0x300000
GDILoObjType_LO_EXTPEN_TYPE = 0x500000
GDILoObjType_LO_DIBSECTION_TYPE = 0x250000
GDILoObjType_LO_METAFILE16_TYPE = 0x260000
GDILoObjType_LO_METAFILE_TYPE = 0x460000
GDILoObjType_LO_METADC16_TYPE = 0x660000
Enjoy!
(PS. Why do you have "Teams" and "Reversers" when you can just use
WinDBG?)
On 30-Dec-07, at 1:53 PM, James Tabor wrote:
> Hi!
>> From my teams research they say this is still valid for xp. If the
> alignment is not correct? It would fubar the rest of the structure
> that has be verified as correct for XP. eg DCOBJ.
>> typedef struct _BASEOBJECT
> {
> HANDLE hHmgr; // 0x0 <- xp
> PVOID pEntry; // 0x4 <- No longer a pointer.
> LONG cExclusiveLock; // 0x8 <- xp
> PW32THREAD Tid; // 0xc <- xp
> } BASEOBJECT, *POBJ;
>> On Dec 30, 2007 7:52 AM, Alex Ionescu <ionucu at videotron.ca> wrote:
>> Let's begin with the GDI Base Object, which is a header at the top
>> of every
>> GDI Object. The structure is called _BASEOBJECT (what you refer to as
>> "GDIOBJHDR") and is defined as follows:
>>>> struct _BASEOBJECT
>> {
>> HANDLE hHmgr;
>> ULONG ulShareCount;
>> LONG cExclusiveLock;
>> ULONG BaseFlags;
>> PW32THREAD Tid;
>> };
>>>> The pointer to a _BASEOBJECT is known as a POBJ.
>>>> Now, how to get to this object? Well, dxg and win32k.sys now both
>> implement
>> different Hmhr's (Handle Managers).
>>>> In Win32K land, the handles come from gpentHmgr, and each handle
>> is indexed
>> from it. The resulting structure is called an _ENTRY, and is
>> defined as
>> follows:
>>>> struct _ENTRY
>> {
>> union
>> {
>> POBJ pobj;
>> HANDLE hFree;
>> };
>> union
>> {
>> ULONG ulObj;
>> struct
>> {
>> USHORT Count:15;
>> USHORT Lock:1;
>> HANDLE Pid;
>> };
>> } ObjectOwner;
>> USHORT FullUnique;
>> UCHAR Objt;
>> UCHAR Flags;
>> PVOID pUser;
>> };
>>>> DXG uses a DDENTRY structure, which is similar. Handles are
>> indexed from
>> gpentDdHmgr.
>>> This is correct too. xteam confirms it. I commit an update to our
> entry based on their research . Count and lock merged into Count.
> FullUnique and Objt are correct.
>>> What Greatlord hadn't noticed while reversing is that part of the
>> code was
>> dealing with the DD_ENTRY object, and part of it was dereferencing
>> the first
>> member of DD_ENTRY, which is the pObj (and was now dealing with the
>> _BASEOBJECT).
>>>> Objt is where the object type is defined -- you already seem to
>> know the
>> Win32K Objects. Here are the DXG objects:
>>>> DD_MOTIONCOMP_TYPE
>> DD_VIDEOPORT_TYPE
>> D3D_HANDLE_TYPE
>> DD_SURFACE_TYPE
>> DD_DIRECTDRAW_TYPE
>> DD_DEF_TYPE.
>>>> So how exactly then does DdHmgrLock work? Quite similarly to
>> HmgrLock:
>>>>>> POBJ
>> FASTCALL
>> DdHmgLock(HDD_OBJ DdHandle,
>> UCHAR ObjectType,
>> BOOLEAN LockOwned)
>> {
>> POBJ Object = NULL;
>> PDD_ENTRY Entry;
>> ULONG Index;
>>>> //
>> // Acquire the DirectX Handle Manager Lock
>> //
>> if (!LockOwned) DdHmgAcquireHmgrSemaphore();
>>>> //
>> // Get the handle index and validate it
>> //
>> Index = DdHandle & 0x1FFFFF;
>> if (Index < gcMaxDdHmgr)
>> {
>> //
>> // Get the entry
>> //
>> Entry = gpentDdHmgr[Index];
>>>> //
>> // Validate the owner
>> //
>> if ((Entry->ObjectOwner.Pid = PsGetCurrentProcessId() &
>> 0xFFFFFFFC)
>> ||
>> !(Entry->ObjectOwner.Pid))
>> {
>> //
>> // Validate the object type
>> //
>> if (Entry->Objt == ObjectType)
>> {
>> //
>> // Validate the handle type
>> //
>> if (Entry->FullUnique == ((DdHandle >> 21) & 0x7FF))
>> {
>> //
>> // Get the GDI Object
>> //
>> Object = DdEntry->pObj;
>>>> //
>> // Make sure we can lock it
>> //
>> if (!(Object->cExclusiveLock) ||
>> (Object->Tid == (PW32THREAD)
>> PsGetCurrentThread()))
>> {
>> //
>> // Acquire the lock
>> //
>> InterlockedIncrement(&Object-
>> >cExclusiveLock);
>> Object->Tid = (PW32THREAD)
>> PsGetCurrentThread();
>> }
>> else
>> {
>> //
>> // Already locked by someone else
>> //
>> Object = NULL;
>> }
>> }
>> }
>> }
>> }
>>>> //
>> // Release the lock
>> //
>> if (!LockOwned) DdHmgReleaseHmgrSemaphore();
>>>> //
>> // Return the object
>> //
>> return Object;
>> }
>>>>>> I am looking forward to compatible Hmgr implementation in win32k!
>>>> Me too! One of our most needed things todo! 8^) HmgLock anyone?
>>> Any questions?
>>>>>>>>>> Best regards,
>> Alex Ionescu
>>> _______________________________________________
> Ros-dev mailing list
> Ros-dev at reactos.org
> http://www.reactos.org/mailman/listinfo/ros-dev
Best regards,
Alex Ionescu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.reactos.org/pipermail/ros-dev/attachments/20071230/4e9c818e/attachment-0001.html
More information about the Ros-dev
mailing list
CHAPTER VII. THE FOUR CLASSES OF SOCIETY. THE FOUR CLASSES OF SOCIETY. "After the herald had given the names of the wrestlers who were to make the first round, the fellows came in. They were dressed without any clothes to speak of, or rather they were quite undressed, with the exception of a cloth around their loins. They came in on opposite sides of the ring, and stood there about five feet apart, each man resting his hands on his knees, and glaring at the other like a wild beast. They[Pg 231] looked more like a pair of tigers than human beings, and for a moment I thought it was not at all unlike what a bull-fight in Spain might be. I turned upon her choking with anger, but her melting beauty rendered me helpless. Black woods were on our left. "Shall we turn in here?" I asked. "None of that with me," he growled. "Do you know who I am, Countess Lalage? I am Leon Lagage, Count of the Holy Roman Empire, and your husband. Incomparable woman, you cannot alter that fact. For better or worse, for richer or poorer, till death do us part!" I have in this way imperfectly indicated a methodical plan of generating a design, as far as words alone will serve, beginning with certain premises based upon a particular work to be performed, and then proceeding to consider in consecutive order the general character of the machine, mode of operation, movements and adjustments, general arrangement, strains, special arrangement, and proportions. ‘Alas! what is life, what is death, what are we, 11th January two best dresses. Commencement was as usual, with a few showers “All right,” agreed Sandy. “Dick, you and I are the ground crew. As soon as you’re ready, Mr. Whiteside, we’ll take hold!” Effects of Walpole's Administration—Formation of the new Ministry—Attitude of the Malcontents—Committee of Inquiry into Walpole's Administration—Walpole's Protectors—Ministerial Measures—Prorogation of Parliament—Disasters of the French—British Division in the Netherlands—Opening of Parliament—The German Mercenaries—Amendment of the Gin Act—George goes to Germany—Stair and De Noailles in Franconia—Stair in a Trap—Bold Resolution of King George—The Battle of Dettingen—Resignation of Stair—Retreat of the French—Negotiations for Peace—Treaty of Worms—Pelham becomes Prime Minister—The Attacks of Pitt on Carteret—Attempted Invasion of England—Its Failure—Progress of the French Arms—Frederick II. invades Bohemia—His Retirement—Resignation of Carteret—Pelham strengthens his Ministry—Death of the Emperor—Campaign in Flanders—Battle of Fontenoy—Campaign of Frederick II.—The Young Pretender's Preparations—Loss of the Elizabeth—Landing in the Hebrides—The Highland Clans join him—The First Brush—Raising of the Standard—Cope's Mistake—He turns aside at Dalwhinnie—Charles makes a Dash for Edinburgh—The March to Stirling—Right of the Dragoons—The "Canter of Coltbridge"—Edinburgh surprised by the Highlanders—Charles marching against Cope—Battle of Prestonpans—Delay in marching South—Discontent of the Highland Chiefs—The Start—Preparations in England—Apathy of the Aristocracy—Arrival of the Duke of Cumberland—Charles crosses the Border—Capture of Carlisle—The March to Derby—Resolution to retreat—"Black Friday"—The Retreat—Recapture of Carlisle—Siege of Stirling—Battle of Falkirk—Retreat to the Highlands—Cumberland's Pursuit—Gradual Collapse of the Highlanders—Battle of Culloden—Termination of the Rebellion—Cruelty of the Duke of Cumberland—Adventures of the Young Pretender—Trials and Executions—Ministerial Crisis. The next morning he was up betimes, and cooked the boys as good a breakfast as he could out of the remainder of his store and what he could get from the hospital, and then gave what was left to whoever came. The comfortable crib, which had cost the Deacon so much labor, had been pre-empted by the Surgeon for some of his weakest patients. "You two step forward one pace," he commanded. "Gentleman, I've got my six. The rest are yours." "Where are you goin'?" he said sternly. Every now and then the crowd would break into the latest rhymings of MacKinnon's poet: A large thicket, at this moment, gave the dusty foot an opportunity of doubling, and, for an instant, diverging from the straightforward course, though it availed him little, he seemed to feel the breath of his pursuer on the back of his neck; his foot sounded as if at his heels; he drew his garment closely around him, turned suddenly to the right, and, bounding from the ground, the next instant a splash was heard in the little river, and the fugitive was safe from his pursuer. HoME明日之后怎么免费刷一级纳米材料
ENTER NUMBET 0018yumur.com.cn vst-toy.com.cn happykylin.com.cn www.deshenglou.com.cn shjoye.com.cn www.wrasse.com.cn www.hxqq.com.cn www.itebay.com.cn kmlqc.com.cn ertrtdf.net.cn